release: Zephyr v1.7.1

Signed-off-by: Anas Nashif <anas.nashif@intel.com>

Makefile

@@ -1,6 +1,6 @@
 VERSION_MAJOR 	   = 1
 VERSION_MINOR 	   = 7
-PATCHLEVEL 	   = 0
+PATCHLEVEL 	   = 1
 VERSION_RESERVED   = 0
 EXTRAVERSION       =
 NAME 		   = Zephyr Kernel

doc/release-notes.rst

@@ -1,6 +1,15 @@
 Release Notes
 #############
 
+.. _zephyr_1.7.1:
+
+Zephyr Kernel 1.7.1
+********************
+
+* [ZEP-1800] Updated TinyCrypt to latest version: 0.2.6
+* [ZEP-749] Updated mbedTLS to 2.4.2
+* [ZEP-1470] ARM: Increase idle stack size to fix corruption by FP_SHARING
+
 .. _zephyr_1.7:
 
 Zephyr Kernel 1.7.0

ext/lib/crypto/mbedtls/README

@@ -1,9 +1,9 @@
 The mbed TLS library in Zephyr is a downstream of an externally maintained
 open source project.  The original upstream code can be found at:
 
-https://tls.mbed.org/download/start/mbedtls-2.4.0-apache.tgz
+https://tls.mbed.org/download/start/mbedtls-2.4.2-apache.tgz
 
-At version  2.4.0
+At version 2.4.2
 
 The following is the license information for this code:
 

ext/lib/crypto/mbedtls/include/mbedtls/cmac.h

@@ -58,9 +58,13 @@ struct mbedtls_cmac_context_t
 /**
  * \brief               Set the CMAC key and prepare to authenticate the input
  *                      data.
- *                      Should be called with an initialised cipher context.
+ *                      Should be called with an initialized cipher context.
  *
- * \param ctx           Cipher context
+ * \param ctx           Cipher context. This should be a cipher context,
+ *                      initialized to be one of the following types:
+ *                      MBEDTLS_CIPHER_AES_128_ECB, MBEDTLS_CIPHER_AES_192_ECB,
+ *                      MBEDTLS_CIPHER_AES_256_ECB or
+ *                      MBEDTLS_CIPHER_DES_EDE3_ECB.
  * \param key           CMAC key
  * \param keybits       length of the CMAC key in bits
  *                      (must be acceptable by the cipher)
@@ -115,7 +119,7 @@ int mbedtls_cipher_cmac_finish( mbedtls_cipher_context_t *ctx,
 int mbedtls_cipher_cmac_reset( mbedtls_cipher_context_t *ctx );
 
 /**
- * \brief               Output = Generic_CMAC( hmac key, input buffer )
+ * \brief               Output = Generic_CMAC( cmac key, input buffer )
  *
  * \param cipher_info   message digest info
  * \param key           CMAC key

ext/lib/crypto/mbedtls/include/mbedtls/compat-1.3.h

@@ -2453,7 +2453,6 @@
 #define ssl_set_arc4_support mbedtls_ssl_conf_arc4_support
 #define ssl_set_authmode mbedtls_ssl_conf_authmode
 #define ssl_set_bio mbedtls_ssl_set_bio
-#define ssl_set_bio mbedtls_ssl_set_bio_timeout
 #define ssl_set_ca_chain mbedtls_ssl_conf_ca_chain
 #define ssl_set_cbc_record_splitting mbedtls_ssl_conf_cbc_record_splitting
 #define ssl_set_ciphersuites mbedtls_ssl_conf_ciphersuites

ext/lib/crypto/mbedtls/include/mbedtls/config.h

@@ -1525,7 +1525,7 @@
  *          library/pkwrite.c
  *          library/x509_create.c
  *          library/x509write_crt.c
- *          library/mbedtls_x509write_csr.c
+ *          library/x509write_csr.c
  */
 #define MBEDTLS_ASN1_WRITE_C
 
@@ -1886,7 +1886,7 @@
  *
  * Enable the generic message digest layer.
  *
- * Module:  library/mbedtls_md.c
+ * Module:  library/md.c
  * Caller:
  *
  * Uncomment to enable generic message digest wrappers.
@@ -1898,7 +1898,7 @@
  *
  * Enable the MD2 hash algorithm.
  *
- * Module:  library/mbedtls_md2.c
+ * Module:  library/md2.c
  * Caller:
  *
  * Uncomment to enable support for (rare) MD2-signed X.509 certs.
@@ -1910,7 +1910,7 @@
  *
  * Enable the MD4 hash algorithm.
  *
- * Module:  library/mbedtls_md4.c
+ * Module:  library/md4.c
  * Caller:
  *
  * Uncomment to enable support for (rare) MD4-signed X.509 certs.
@@ -1922,8 +1922,8 @@
  *
  * Enable the MD5 hash algorithm.
  *
- * Module:  library/mbedtls_md5.c
- * Caller:  library/mbedtls_md.c
+ * Module:  library/md5.c
+ * Caller:  library/md.c
  *          library/pem.c
  *          library/ssl_tls.c
  *
@@ -1980,11 +1980,11 @@
  *          library/rsa.c
  *          library/x509.c
  *          library/x509_create.c
- *          library/mbedtls_x509_crl.c
- *          library/mbedtls_x509_crt.c
- *          library/mbedtls_x509_csr.c
+ *          library/x509_crl.c
+ *          library/x509_crt.c
+ *          library/x509_csr.c
  *          library/x509write_crt.c
- *          library/mbedtls_x509write_csr.c
+ *          library/x509write_csr.c
  *
  * This modules translates between OIDs and internal values.
  */
@@ -2012,9 +2012,9 @@
  * Module:  library/pem.c
  * Caller:  library/dhm.c
  *          library/pkparse.c
- *          library/mbedtls_x509_crl.c
- *          library/mbedtls_x509_crt.c
- *          library/mbedtls_x509_csr.c
+ *          library/x509_crl.c
+ *          library/x509_crt.c
+ *          library/x509_csr.c
  *
  * Requires: MBEDTLS_BASE64_C
  *
@@ -2030,7 +2030,7 @@
  * Module:  library/pem.c
  * Caller:  library/pkwrite.c
  *          library/x509write_crt.c
- *          library/mbedtls_x509write_csr.c
+ *          library/x509write_csr.c
  *
  * Requires: MBEDTLS_BASE64_C
  *
@@ -2060,8 +2060,8 @@
  * Enable the generic public (asymetric) key parser.
  *
  * Module:  library/pkparse.c
- * Caller:  library/mbedtls_x509_crt.c
- *          library/mbedtls_x509_csr.c
+ * Caller:  library/x509_crt.c
+ *          library/x509_csr.c
  *
  * Requires: MBEDTLS_PK_C
  *
@@ -2152,8 +2152,8 @@
  *
  * Enable the RIPEMD-160 hash algorithm.
  *
- * Module:  library/mbedtls_ripemd160.c
- * Caller:  library/mbedtls_md.c
+ * Module:  library/ripemd160.c
+ * Caller:  library/md.c
  *
  */
 #define MBEDTLS_RIPEMD160_C
@@ -2181,8 +2181,8 @@
  *
  * Enable the SHA1 cryptographic hash algorithm.
  *
- * Module:  library/mbedtls_sha1.c
- * Caller:  library/mbedtls_md.c
+ * Module:  library/sha1.c
+ * Caller:  library/md.c
  *          library/ssl_cli.c
  *          library/ssl_srv.c
  *          library/ssl_tls.c
@@ -2197,9 +2197,9 @@
  *
  * Enable the SHA-224 and SHA-256 cryptographic hash algorithms.
  *
- * Module:  library/mbedtls_sha256.c
+ * Module:  library/sha256.c
  * Caller:  library/entropy.c
- *          library/mbedtls_md.c
+ *          library/md.c
  *          library/ssl_cli.c
  *          library/ssl_srv.c
  *          library/ssl_tls.c
@@ -2214,9 +2214,9 @@
  *
  * Enable the SHA-384 and SHA-512 cryptographic hash algorithms.
  *
- * Module:  library/mbedtls_sha512.c
+ * Module:  library/sha512.c
  * Caller:  library/entropy.c
- *          library/mbedtls_md.c
+ *          library/md.c
  *          library/ssl_cli.c
  *          library/ssl_srv.c
  *
@@ -2364,9 +2364,9 @@
  * Enable X.509 core for using certificates.
  *
  * Module:  library/x509.c
- * Caller:  library/mbedtls_x509_crl.c
- *          library/mbedtls_x509_crt.c
- *          library/mbedtls_x509_csr.c
+ * Caller:  library/x509_crl.c
+ *          library/x509_crt.c
+ *          library/x509_csr.c
  *
  * Requires: MBEDTLS_ASN1_PARSE_C, MBEDTLS_BIGNUM_C, MBEDTLS_OID_C,
  *           MBEDTLS_PK_PARSE_C
@@ -2380,7 +2380,7 @@
  *
  * Enable X.509 certificate parsing.
  *
- * Module:  library/mbedtls_x509_crt.c
+ * Module:  library/x509_crt.c
  * Caller:  library/ssl_cli.c
  *          library/ssl_srv.c
  *          library/ssl_tls.c
@@ -2396,8 +2396,8 @@
  *
  * Enable X.509 CRL parsing.
  *
- * Module:  library/mbedtls_x509_crl.c
- * Caller:  library/mbedtls_x509_crt.c
+ * Module:  library/x509_crl.c
+ * Caller:  library/x509_crt.c
  *
  * Requires: MBEDTLS_X509_USE_C
  *
@@ -2410,7 +2410,7 @@
  *
  * Enable X.509 Certificate Signing Request (CSR) parsing.
  *
- * Module:  library/mbedtls_x509_csr.c
+ * Module:  library/x509_csr.c
  * Caller:  library/x509_crt_write.c
  *
  * Requires: MBEDTLS_X509_USE_C

ext/lib/crypto/mbedtls/include/mbedtls/rsa.h

@@ -206,7 +206,7 @@ int mbedtls_rsa_check_pub_priv( const mbedtls_rsa_context *pub, const mbedtls_rs
  * \return         0 if successful, or an MBEDTLS_ERR_RSA_XXX error code
  *
  * \note           This function does NOT take care of message
- *                 padding. Also, be sure to set input[0] = 0 or assure that
+ *                 padding. Also, be sure to set input[0] = 0 or ensure that
  *                 input is smaller than N.
  *
  * \note           The input and output buffers must be large

ext/lib/crypto/mbedtls/include/mbedtls/ssl.h

@@ -1146,7 +1146,7 @@ void mbedtls_ssl_conf_read_timeout( mbedtls_ssl_config *conf, uint32_t timeout )
  *
  * \note           See the documentation of \c mbedtls_ssl_set_timer_t and
  *                 \c mbedtls_ssl_get_timer_t for the conventions this pair of
- *                 callbacks must fallow.
+ *                 callbacks must follow.
  *
  * \note           On some platforms, timing.c provides
  *                 \c mbedtls_timing_set_delay() and
@@ -2183,7 +2183,7 @@ void mbedtls_ssl_conf_renegotiation_enforced( mbedtls_ssl_config *conf, int max_
 
 /**
  * \brief          Set record counter threshold for periodic renegotiation.
- *                 (Default: 2^64 - 256.)
+ *                 (Default: 2^48 - 1)
  *
  *                 Renegotiation is automatically triggered when a record
  *                 counter (outgoing or ingoing) crosses the defined
@@ -2194,9 +2194,17 @@ void mbedtls_ssl_conf_renegotiation_enforced( mbedtls_ssl_config *conf, int max_
  *                 Lower values can be used to enforce policies such as "keys
  *                 must be refreshed every N packets with cipher X".
  *
+ *                 The renegotiation period can be disabled by setting
+ *                 conf->disable_renegotiation to
+ *                 MBEDTLS_SSL_RENEGOTIATION_DISABLED.
+ *
+ * \note           When the configured transport is
+ *                 MBEDTLS_SSL_TRANSPORT_DATAGRAM the maximum renegotiation
+ *                 period is 2^48 - 1, and for MBEDTLS_SSL_TRANSPORT_STREAM,
+ *                 the maximum renegotiation period is 2^64 - 1.
+ *
  * \param conf     SSL configuration
  * \param period   The threshold value: a big-endian 64-bit number.
- *                 Set to 2^64 - 1 to disable periodic renegotiation
  */
 void mbedtls_ssl_conf_renegotiation_period( mbedtls_ssl_config *conf,
                                    const unsigned char period[8] );
@@ -2428,7 +2436,7 @@ int mbedtls_ssl_read( mbedtls_ssl_context *ssl, unsigned char *buf, size_t len )
  * \param len      how many bytes must be written
  *
  * \return         the number of bytes actually written (may be less than len),
- *                 or MBEDTLS_ERR_SSL_WANT_WRITE of MBEDTLS_ERR_SSL_WANT_READ,
+ *                 or MBEDTLS_ERR_SSL_WANT_WRITE or MBEDTLS_ERR_SSL_WANT_READ,
  *                 or another negative error code.
  *
  * \note           If this function returns something other than a positive
@@ -2513,7 +2521,6 @@ void mbedtls_ssl_config_init( mbedtls_ssl_config *conf );
  * \param transport MBEDTLS_SSL_TRANSPORT_STREAM for TLS, or
  *                  MBEDTLS_SSL_TRANSPORT_DATAGRAM for DTLS
  * \param preset   a MBEDTLS_SSL_PRESET_XXX value
- *                 (currently unused).
  *
  * \note           See \c mbedtls_ssl_conf_transport() for notes on DTLS.
  *

ext/lib/crypto/mbedtls/include/mbedtls/version.h

@@ -39,16 +39,16 @@
  */
 #define MBEDTLS_VERSION_MAJOR  2
 #define MBEDTLS_VERSION_MINOR  4
-#define MBEDTLS_VERSION_PATCH  0
+#define MBEDTLS_VERSION_PATCH  2
 
 /**
  * The single version number has the following structure:
  *    MMNNPP00
  *    Major version | Minor version | Patch version
  */
-#define MBEDTLS_VERSION_NUMBER         0x02040000
-#define MBEDTLS_VERSION_STRING         "2.4.0"
-#define MBEDTLS_VERSION_STRING_FULL    "mbed TLS 2.4.0"
+#define MBEDTLS_VERSION_NUMBER         0x02040200
+#define MBEDTLS_VERSION_STRING         "2.4.2"
+#define MBEDTLS_VERSION_STRING_FULL    "mbed TLS 2.4.2"
 
 #if defined(MBEDTLS_VERSION_C)
 

ext/lib/crypto/mbedtls/include/mbedtls/x509.h

@@ -157,7 +157,7 @@
 #define MBEDTLS_X509_EXT_INIHIBIT_ANYPOLICY          (1 << 13)
 #define MBEDTLS_X509_EXT_FRESHEST_CRL                (1 << 14)
 
-#define MBEDTLS_X509_EXT_NS_CERT_TYPE                (1 << 16)   /* Parsed (and then ?) */
+#define MBEDTLS_X509_EXT_NS_CERT_TYPE                (1 << 16)
 
 /*
  * Storage format identifiers

ext/lib/crypto/mbedtls/library/base64.c

@@ -192,7 +192,11 @@ int mbedtls_base64_decode( unsigned char *dst, size_t dlen, size_t *olen,
         return( 0 );
     }
 
-    n = ( ( n * 6 ) + 7 ) >> 3;
+    /* The following expression is to calculate the following formula without
+     * risk of integer overflow in n:
+     *     n = ( ( n * 6 ) + 7 ) >> 3;
+     */
+    n = ( 6 * ( n >> 3 ) ) + ( ( 6 * ( n & 0x7 ) + 7 ) >> 3 );
     n -= j;
 
     if( dst == NULL || dlen < n )

ext/lib/crypto/mbedtls/library/bignum.c

@@ -534,7 +534,12 @@ int mbedtls_mpi_write_string( const mbedtls_mpi *X, int radix,
     n = mbedtls_mpi_bitlen( X );
     if( radix >=  4 ) n >>= 1;
     if( radix >= 16 ) n >>= 1;
-    n += 3;
+    /*
+     * Round up the buffer length to an even value to ensure that there is
+     * enough room for hexadecimal values that can be represented in an odd
+     * number of digits.
+     */
+    n += 3 + ( ( n + 1 ) & 1 );
 
     if( buflen < n )
     {

ext/lib/crypto/mbedtls/library/cipher.c

@@ -326,9 +326,9 @@ int mbedtls_cipher_update( mbedtls_cipher_context_t *ctx, const unsigned char *i
          * If there is not enough data for a full block, cache it.
          */
         if( ( ctx->operation == MBEDTLS_DECRYPT &&
-                ilen + ctx->unprocessed_len <= block_size ) ||
+                ilen <= block_size - ctx->unprocessed_len ) ||
              ( ctx->operation == MBEDTLS_ENCRYPT &&
-                ilen + ctx->unprocessed_len < block_size ) )
+                ilen < block_size - ctx->unprocessed_len ) )
         {
             memcpy( &( ctx->unprocessed_data[ctx->unprocessed_len] ), input,
                     ilen );

ext/lib/crypto/mbedtls/library/cmac.c

@@ -26,7 +26,7 @@
  *
  * - NIST SP 800-38B Recommendation for Block Cipher Modes of Operation: The
  *      CMAC Mode for Authentication
- *   http://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-38b.pdf
+ *   http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-38b.pdf
  *
  * - RFC 4493 - The AES-CMAC Algorithm
  *   https://tools.ietf.org/html/rfc4493
@@ -62,7 +62,7 @@
 #if defined(MBEDTLS_SELF_TEST)
 #include <stdio.h>
 #define mbedtls_printf     printf
-#endif /* MBEDTLS_SELF_TEST && MBEDTLS_AES_C || MBEDTLS_DES_C */
+#endif /* MBEDTLS_SELF_TEST */
 #endif /* MBEDTLS_PLATFORM_C */
 
 /* Implementation that should never be optimized out by the compiler */
@@ -80,7 +80,7 @@ static void mbedtls_zeroize( void *v, size_t n ) {
  *   with R_64 = 0x1B and  R_128 = 0x87
  *
  * Input and output MUST NOT point to the same buffer
- * Block size must be 8 byes or 16 bytes - the block sizes for DES and AES.
+ * Block size must be 8 bytes or 16 bytes - the block sizes for DES and AES.
  */
 static int cmac_multiply_by_u( unsigned char *output,
                                const unsigned char *input,
@@ -105,7 +105,7 @@ static int cmac_multiply_by_u( unsigned char *output,
         return( MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA );
     }
 
-    for( i = blocksize - 1; i >= 0; i-- )
+    for( i = (int)blocksize - 1; i >= 0; i-- )
     {
         output[i] = input[i] << 1 | overflow;
         overflow = input[i] >> 7;
@@ -209,7 +209,7 @@ int mbedtls_cipher_cmac_starts( mbedtls_cipher_context_t *ctx,
     if( ctx == NULL || ctx->cipher_info == NULL || key == NULL )
         return( MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA );
 
-    if( ( retval = mbedtls_cipher_setkey( ctx, key, keybits,
+    if( ( retval = mbedtls_cipher_setkey( ctx, key, (int)keybits,
                                           MBEDTLS_ENCRYPT ) ) != 0 )
         return( retval );
 
@@ -244,8 +244,8 @@ int mbedtls_cipher_cmac_update( mbedtls_cipher_context_t *ctx,
 {
     mbedtls_cmac_context_t* cmac_ctx;
     unsigned char *state;
-    int n, j, ret = 0;
-    size_t olen, block_size;
+    int ret = 0;
+    size_t n, j, olen, block_size;
 
     if( ctx == NULL || ctx->cipher_info == NULL || input == NULL ||
         ctx->cmac_ctx == NULL )
@@ -280,8 +280,9 @@ int mbedtls_cipher_cmac_update( mbedtls_cipher_context_t *ctx,
     /* n is the number of blocks including any final partial block */
     n = ( ilen + block_size - 1 ) / block_size;
 
-   /* Iterate across the input data in block sized chunks */
-    for( j = 0; j < n - 1; j++ )
+    /* Iterate across the input data in block sized chunks, excluding any
+     * final partial or complete block */
+    for( j = 1; j < n; j++ )
     {
         cmac_xor_block( state, input, state, block_size );
 
@@ -469,8 +470,9 @@ exit:
 
 #if defined(MBEDTLS_SELF_TEST)
 /*
- * CMAC test data from SP800-38B Appendix D.1 (corrected)
- * http://csrc.nist.gov/publications/nistpubs/800-38B/Updated_CMAC_Examples.pdf
+ * CMAC test data for SP800-38B
+ * http://csrc.nist.gov/groups/ST/toolkit/documents/Examples/AES_CMAC.pdf
+ * http://csrc.nist.gov/groups/ST/toolkit/documents/Examples/TDES_CMAC.pdf
  *
  * AES-CMAC-PRF-128 test data from RFC 4615
  * https://tools.ietf.org/html/rfc4615#page-4
@@ -482,128 +484,148 @@ exit:
 #if defined(MBEDTLS_AES_C) || defined(MBEDTLS_DES_C)
 /* All CMAC test inputs are truncated from the same 64 byte buffer. */
 static const unsigned char test_message[] = {
-    0x6b, 0xc1, 0xbe, 0xe2, 0x2e, 0x40, 0x9f, 0x96,
-    0xe9, 0x3d, 0x7e, 0x11, 0x73, 0x93, 0x17, 0x2a,
-    0xae, 0x2d, 0x8a, 0x57, 0x1e, 0x03, 0xac, 0x9c,
-    0x9e, 0xb7, 0x6f, 0xac, 0x45, 0xaf, 0x8e, 0x51,
-    0x30, 0xc8, 0x1c, 0x46, 0xa3, 0x5c, 0xe4, 0x11,
-    0xe5, 0xfb, 0xc1, 0x19, 0x1a, 0x0a, 0x52, 0xef,
-    0xf6, 0x9f, 0x24, 0x45, 0xdf, 0x4f, 0x9b, 0x17,
-    0xad, 0x2b, 0x41, 0x7b, 0xe6, 0x6c, 0x37, 0x10
+    /* PT */
+    0x6b, 0xc1, 0xbe, 0xe2,     0x2e, 0x40, 0x9f, 0x96,
+    0xe9, 0x3d, 0x7e, 0x11,     0x73, 0x93, 0x17, 0x2a,
+    0xae, 0x2d, 0x8a, 0x57,     0x1e, 0x03, 0xac, 0x9c,
+    0x9e, 0xb7, 0x6f, 0xac,     0x45, 0xaf, 0x8e, 0x51,
+    0x30, 0xc8, 0x1c, 0x46,     0xa3, 0x5c, 0xe4, 0x11,
+    0xe5, 0xfb, 0xc1, 0x19,     0x1a, 0x0a, 0x52, 0xef,
+    0xf6, 0x9f, 0x24, 0x45,     0xdf, 0x4f, 0x9b, 0x17,
+    0xad, 0x2b, 0x41, 0x7b,     0xe6, 0x6c, 0x37, 0x10
 };
 #endif /* MBEDTLS_AES_C || MBEDTLS_DES_C */
 
 #if defined(MBEDTLS_AES_C)
 /* Truncation point of message for AES CMAC tests  */
 static const  unsigned int  aes_message_lengths[NB_CMAC_TESTS_PER_KEY] = {
+    /* Mlen */
     0,
     16,
-    40,
+    20,
     64
 };
 
-/* AES 128 CMAC Test Data */
+/* CMAC-AES128 Test Data */
 static const unsigned char aes_128_key[16] = {
-    0x2b, 0x7e, 0x15, 0x16, 0x28, 0xae, 0xd2, 0xa6,
-    0xab, 0xf7, 0x15, 0x88, 0x09, 0xcf, 0x4f, 0x3c
+    0x2b, 0x7e, 0x15, 0x16,     0x28, 0xae, 0xd2, 0xa6,
+    0xab, 0xf7, 0x15, 0x88,     0x09, 0xcf, 0x4f, 0x3c
 };
 static const unsigned char aes_128_subkeys[2][MBEDTLS_AES_BLOCK_SIZE] = {
     {
-        0xfb, 0xee, 0xd6, 0x18, 0x35, 0x71, 0x33, 0x66,
-        0x7c, 0x85, 0xe0, 0x8f, 0x72, 0x36, 0xa8, 0xde
+        /* K1 */
+        0xfb, 0xee, 0xd6, 0x18,     0x35, 0x71, 0x33, 0x66,
+        0x7c, 0x85, 0xe0, 0x8f,     0x72, 0x36, 0xa8, 0xde
     },
     {
-        0xf7, 0xdd, 0xac, 0x30, 0x6a, 0xe2, 0x66, 0xcc,
-        0xf9, 0x0b, 0xc1, 0x1e, 0xe4, 0x6d, 0x51, 0x3b
+        /* K2 */
+        0xf7, 0xdd, 0xac, 0x30,     0x6a, 0xe2, 0x66, 0xcc,
+        0xf9, 0x0b, 0xc1, 0x1e,     0xe4, 0x6d, 0x51, 0x3b
     }
 };
 static const unsigned char aes_128_expected_result[NB_CMAC_TESTS_PER_KEY][MBEDTLS_AES_BLOCK_SIZE] = {
     {
-        0xbb, 0x1d, 0x69, 0x29, 0xe9, 0x59, 0x37, 0x28,
-        0x7f, 0xa3, 0x7d, 0x12, 0x9b, 0x75, 0x67, 0x46
+        /* Example #1 */
+        0xbb, 0x1d, 0x69, 0x29,     0xe9, 0x59, 0x37, 0x28,
+        0x7f, 0xa3, 0x7d, 0x12,     0x9b, 0x75, 0x67, 0x46
     },
     {
-        0x07, 0x0a, 0x16, 0xb4, 0x6b, 0x4d, 0x41, 0x44,
-        0xf7, 0x9b, 0xdd, 0x9d, 0xd0, 0x4a, 0x28, 0x7c
+        /* Example #2 */
+        0x07, 0x0a, 0x16, 0xb4,     0x6b, 0x4d, 0x41, 0x44,
+        0xf7, 0x9b, 0xdd, 0x9d,     0xd0, 0x4a, 0x28, 0x7c
     },
     {
-        0xdf, 0xa6, 0x67, 0x47, 0xde, 0x9a, 0xe6, 0x30,
-        0x30, 0xca, 0x32, 0x61, 0x14, 0x97, 0xc8, 0x27
+        /* Example #3 */
+        0x7d, 0x85, 0x44, 0x9e,     0xa6, 0xea, 0x19, 0xc8,
+        0x23, 0xa7, 0xbf, 0x78,     0x83, 0x7d, 0xfa, 0xde
     },
     {
-        0x51, 0xf0, 0xbe, 0xbf, 0x7e, 0x3b, 0x9d, 0x92,
-        0xfc, 0x49, 0x74, 0x17, 0x79, 0x36, 0x3c, 0xfe
+        /* Example #4 */
+        0x51, 0xf0, 0xbe, 0xbf,     0x7e, 0x3b, 0x9d, 0x92,
+        0xfc, 0x49, 0x74, 0x17,     0x79, 0x36, 0x3c, 0xfe
     }
 };
 
-/* AES 192 CMAC Test Data */
+/* CMAC-AES192 Test Data */
 static const unsigned char aes_192_key[24] = {
-    0x8e, 0x73, 0xb0, 0xf7, 0xda, 0x0e, 0x64, 0x52,
-    0xc8, 0x10, 0xf3, 0x2b, 0x80, 0x90, 0x79, 0xe5,
-    0x62, 0xf8, 0xea, 0xd2, 0x52, 0x2c, 0x6b, 0x7b
+    0x8e, 0x73, 0xb0, 0xf7,     0xda, 0x0e, 0x64, 0x52,
+    0xc8, 0x10, 0xf3, 0x2b,     0x80, 0x90, 0x79, 0xe5,
+    0x62, 0xf8, 0xea, 0xd2,     0x52, 0x2c, 0x6b, 0x7b
 };
 static const unsigned char aes_192_subkeys[2][MBEDTLS_AES_BLOCK_SIZE] = {
     {
-        0x44, 0x8a, 0x5b, 0x1c, 0x93, 0x51, 0x4b, 0x27,
-        0x3e, 0xe6, 0x43, 0x9d, 0xd4, 0xda, 0xa2, 0x96
+        /* K1 */
+        0x44, 0x8a, 0x5b, 0x1c,     0x93, 0x51, 0x4b, 0x27,
+        0x3e, 0xe6, 0x43, 0x9d,     0xd4, 0xda, 0xa2, 0x96
     },
     {
-        0x89, 0x14, 0xb6, 0x39, 0x26, 0xa2, 0x96, 0x4e,
-        0x7d, 0xcc, 0x87, 0x3b, 0xa9, 0xb5, 0x45, 0x2c
+        /* K2 */
+        0x89, 0x14, 0xb6, 0x39,     0x26, 0xa2, 0x96, 0x4e,
+        0x7d, 0xcc, 0x87, 0x3b,     0xa9, 0xb5, 0x45, 0x2c
     }
 };
 static const unsigned char aes_192_expected_result[NB_CMAC_TESTS_PER_KEY][MBEDTLS_AES_BLOCK_SIZE] = {
     {
-        0xd1, 0x7d, 0xdf, 0x46, 0xad, 0xaa, 0xcd, 0xe5,
-        0x31, 0xca, 0xc4, 0x83, 0xde, 0x7a, 0x93, 0x67
+        /* Example #1 */
+        0xd1, 0x7d, 0xdf, 0x46,     0xad, 0xaa, 0xcd, 0xe5,
+        0x31, 0xca, 0xc4, 0x83,     0xde, 0x7a, 0x93, 0x67
     },
     {
-        0x9e, 0x99, 0xa7, 0xbf, 0x31, 0xe7, 0x10, 0x90,
-        0x06, 0x62, 0xf6, 0x5e, 0x61, 0x7c, 0x51, 0x84
+        /* Example #2 */
+        0x9e, 0x99, 0xa7, 0xbf,     0x31, 0xe7, 0x10, 0x90,
+        0x06, 0x62, 0xf6, 0x5e,     0x61, 0x7c, 0x51, 0x84
     },
     {
-        0x8a, 0x1d, 0xe5, 0xbe, 0x2e, 0xb3, 0x1a, 0xad,
-        0x08, 0x9a, 0x82, 0xe6, 0xee, 0x90, 0x8b, 0x0e
+        /* Example #3 */
+        0x3d, 0x75, 0xc1, 0x94,     0xed, 0x96, 0x07, 0x04,
+        0x44, 0xa9, 0xfa, 0x7e,     0xc7, 0x40, 0xec, 0xf8
     },
     {
-        0xa1, 0xd5, 0xdf, 0x0e, 0xed, 0x79, 0x0f, 0x79,
-        0x4d, 0x77, 0x58, 0x96, 0x59, 0xf3, 0x9a, 0x11
+        /* Example #4 */
+        0xa1, 0xd5, 0xdf, 0x0e,     0xed, 0x79, 0x0f, 0x79,
+        0x4d, 0x77, 0x58, 0x96,     0x59, 0xf3, 0x9a, 0x11
     }
 };
 
-/* AES 256 CMAC Test Data */
+/* CMAC-AES256 Test Data */
 static const unsigned char aes_256_key[32] = {
-    0x60, 0x3d, 0xeb, 0x10, 0x15, 0xca, 0x71, 0xbe,
-    0x2b, 0x73, 0xae, 0xf0, 0x85, 0x7d, 0x77, 0x81,
-    0x1f, 0x35, 0x2c, 0x07, 0x3b, 0x61, 0x08, 0xd7,
-    0x2d, 0x98, 0x10, 0xa3, 0x09, 0x14, 0xdf, 0xf4
+    0x60, 0x3d, 0xeb, 0x10,     0x15, 0xca, 0x71, 0xbe,
+    0x2b, 0x73, 0xae, 0xf0,     0x85, 0x7d, 0x77, 0x81,
+    0x1f, 0x35, 0x2c, 0x07,     0x3b, 0x61, 0x08, 0xd7,
+    0x2d, 0x98, 0x10, 0xa3,     0x09, 0x14, 0xdf, 0xf4
 };
 static const unsigned char aes_256_subkeys[2][MBEDTLS_AES_BLOCK_SIZE] = {
     {
-        0xca, 0xd1, 0xed, 0x03, 0x29, 0x9e, 0xed, 0xac,
-        0x2e, 0x9a, 0x99, 0x80, 0x86, 0x21, 0x50, 0x2f
+        /* K1 */
+        0xca, 0xd1, 0xed, 0x03,     0x29, 0x9e, 0xed, 0xac,
+        0x2e, 0x9a, 0x99, 0x80,     0x86, 0x21, 0x50, 0x2f
     },
     {
-        0x95, 0xa3, 0xda, 0x06, 0x53, 0x3d, 0xdb, 0x58,
-        0x5d, 0x35, 0x33, 0x01, 0x0c, 0x42, 0xa0, 0xd9
+        /* K2 */
+        0x95, 0xa3, 0xda, 0x06,     0x53, 0x3d, 0xdb, 0x58,
+        0x5d, 0x35, 0x33, 0x01,     0x0c, 0x42, 0xa0, 0xd9
     }
 };
 static const unsigned char aes_256_expected_result[NB_CMAC_TESTS_PER_KEY][MBEDTLS_AES_BLOCK_SIZE] = {
     {
-        0x02, 0x89, 0x62, 0xf6, 0x1b, 0x7b, 0xf8, 0x9e,
-        0xfc, 0x6b, 0x55, 0x1f, 0x46, 0x67, 0xd9, 0x83
+        /* Example #1 */
+        0x02, 0x89, 0x62, 0xf6,     0x1b, 0x7b, 0xf8, 0x9e,
+        0xfc, 0x6b, 0x55, 0x1f,     0x46, 0x67, 0xd9, 0x83
     },
     {
-        0x28, 0xa7, 0x02, 0x3f, 0x45, 0x2e, 0x8f, 0x82,
-        0xbd, 0x4b, 0xf2, 0x8d, 0x8c, 0x37, 0xc3, 0x5c
+        /* Example #2 */
+        0x28, 0xa7, 0x02, 0x3f,     0x45, 0x2e, 0x8f, 0x82,
+        0xbd, 0x4b, 0xf2, 0x8d,     0x8c, 0x37, 0xc3, 0x5c
     },
     {
-        0xaa, 0xf3, 0xd8, 0xf1, 0xde, 0x56, 0x40, 0xc2,
-        0x32, 0xf5, 0xb1, 0x69, 0xb9, 0xc9, 0x11, 0xe6
+        /* Example #3 */
+        0x15, 0x67, 0x27, 0xdc,     0x08, 0x78, 0x94, 0x4a,
+        0x02, 0x3c, 0x1f, 0xe0,     0x3b, 0xad, 0x6d, 0x93
     },
     {
-        0xe1, 0x99, 0x21, 0x90, 0x54, 0x9f, 0x6e, 0xd5,
-        0x69, 0x6a, 0x2c, 0x05, 0x6c, 0x31, 0x54, 0x10
+        /* Example #4 */
+        0xe1, 0x99, 0x21, 0x90,     0x54, 0x9f, 0x6e, 0xd5,
+        0x69, 0x6a, 0x2c, 0x05,     0x6c, 0x31, 0x54, 0x10
     }
 };
 #endif /* MBEDTLS_AES_C */
@@ -612,66 +634,84 @@ static const unsigned char aes_256_expected_result[NB_CMAC_TESTS_PER_KEY][MBEDTL
 /* Truncation point of message for 3DES CMAC tests  */
 static const unsigned int des3_message_lengths[NB_CMAC_TESTS_PER_KEY] = {
     0,
-    8,
+    16,
     20,
     32
 };
 
-/* 3DES 2 Key CMAC Test Data */
+/* CMAC-TDES (Generation) - 2 Key Test Data */
 static const unsigned char des3_2key_key[24] = {
-    0x4c, 0xf1, 0x51, 0x34, 0xa2, 0x85, 0x0d, 0xd5,
-    0x8a, 0x3d, 0x10, 0xba, 0x80, 0x57, 0x0d, 0x38,
-    0x4c, 0xf1, 0x51, 0x34, 0xa2, 0x85, 0x0d, 0xd5
+    /* Key1 */
+    0x01, 0x23, 0x45, 0x67,     0x89, 0xab, 0xcd, 0xef,
+    /* Key2 */
+    0x23, 0x45, 0x67, 0x89,     0xab, 0xcd, 0xEF, 0x01,
+    /* Key3 */
+    0x01, 0x23, 0x45, 0x67,     0x89, 0xab, 0xcd, 0xef
 };
 static const unsigned char des3_2key_subkeys[2][8] = {
     {
-        0x8e, 0xcf, 0x37, 0x3e, 0xd7, 0x1a, 0xfa, 0xef
+        /* K1 */
+        0x0d, 0xd2, 0xcb, 0x7a,     0x3d, 0x88, 0x88, 0xd9
     },
     {
-        0x1d, 0x9e, 0x6e, 0x7d, 0xae, 0x35, 0xf5, 0xc5
+        /* K2 */
+        0x1b, 0xa5, 0x96, 0xf4,     0x7b, 0x11, 0x11, 0xb2
     }
 };
 static const unsigned char des3_2key_expected_result[NB_CMAC_TESTS_PER_KEY][MBEDTLS_DES3_BLOCK_SIZE] = {
     {
-        0xbd, 0x2e, 0xbf, 0x9a, 0x3b, 0xa0, 0x03, 0x61
+        /* Sample #1 */
+        0x79, 0xce, 0x52, 0xa7,     0xf7, 0x86, 0xa9, 0x60
     },
     {
-        0x4f, 0xf2, 0xab, 0x81, 0x3c, 0x53, 0xce, 0x83
+        /* Sample #2 */
+        0xcc, 0x18, 0xa0, 0xb7,     0x9a, 0xf2, 0x41, 0x3b
     },
     {
-        0x62, 0xdd, 0x1b, 0x47, 0x19, 0x02, 0xbd, 0x4e
+        /* Sample #3 */
+        0xc0, 0x6d, 0x37, 0x7e,     0xcd, 0x10, 0x19, 0x69
     },
     {
-        0x31, 0xb1, 0xe4, 0x31, 0xda, 0xbc, 0x4e, 0xb8
+        /* Sample #4 */
+        0x9c, 0xd3, 0x35, 0x80,     0xf9, 0xb6, 0x4d, 0xfb
     }
 };
 
-/* 3DES 3 Key CMAC Test Data */
+/* CMAC-TDES (Generation) - 3 Key Test Data */
 static const unsigned char des3_3key_key[24] = {
-    0x8a, 0xa8, 0x3b, 0xf8, 0xcb, 0xda, 0x10, 0x62,
-    0x0b, 0xc1, 0xbf, 0x19, 0xfb, 0xb6, 0xcd, 0x58,
-    0xbc, 0x31, 0x3d, 0x4a, 0x37, 0x1c, 0xa8, 0xb5
+    /* Key1 */
+    0x01, 0x23, 0x45, 0x67,     0x89, 0xaa, 0xcd, 0xef,
+    /* Key2 */
+    0x23, 0x45, 0x67, 0x89,     0xab, 0xcd, 0xef, 0x01,
+    /* Key3 */
+    0x45, 0x67, 0x89, 0xab,     0xcd, 0xef, 0x01, 0x23
 };
 static const unsigned char des3_3key_subkeys[2][8] = {
     {
-        0x91, 0x98, 0xe9, 0xd3, 0x14, 0xe6, 0x53, 0x5f
+        /* K1 */
+        0x9d, 0x74, 0xe7, 0x39,     0x33, 0x17, 0x96, 0xc0
     },
     {
-        0x23, 0x31, 0xd3, 0xa6, 0x29, 0xcc, 0xa6, 0xa5
+        /* K2 */
+        0x3a, 0xe9, 0xce, 0x72,     0x66, 0x2f, 0x2d, 0x9b
     }
 };
 static const unsigned char des3_3key_expected_result[NB_CMAC_TESTS_PER_KEY][MBEDTLS_DES3_BLOCK_SIZE] = {
     {
-        0xb7, 0xa6, 0x88, 0xe1, 0x22, 0xff, 0xaf, 0x95
+        /* Sample #1 */
+        0x7d, 0xb0, 0xd3, 0x7d,     0xf9, 0x36, 0xc5, 0x50
     },
     {
-        0x8e, 0x8f, 0x29, 0x31, 0x36, 0x28, 0x37, 0x97
+        /* Sample #2 */
+        0x30, 0x23, 0x9c, 0xf1,     0xf5, 0x2e, 0x66, 0x09
     },
     {
-        0x74, 0x3d, 0xdb, 0xe0, 0xce, 0x2d, 0xc2, 0xed
+        /* Sample #3 */
+        0x6c, 0x9f, 0x3e, 0xe4,     0x92, 0x3f, 0x6b, 0xe2
     },
     {
-        0x33, 0xe6, 0xb1, 0x09, 0x24, 0x00, 0xea, 0xe5
+        /* Sample #4 */
+        0x99, 0x42, 0x9b, 0xd0,     0xbF, 0x79, 0x04, 0xe5
     }
 };
 
@@ -680,8 +720,9 @@ static const unsigned char des3_3key_expected_result[NB_CMAC_TESTS_PER_KEY][MBED
 #if defined(MBEDTLS_AES_C)
 /* AES AES-CMAC-PRF-128 Test Data */
 static const unsigned char PRFK[] = {
-    0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07,
-    0x08, 0x09, 0x0a, 0x0b, 0x0c, 0x0d, 0x0e, 0x0f,
+    /* Key */
+    0x00, 0x01, 0x02, 0x03,     0x04, 0x05, 0x06, 0x07,
+    0x08, 0x09, 0x0a, 0x0b,     0x0c, 0x0d, 0x0e, 0x0f,
     0xed, 0xcb
 };
 
@@ -692,25 +733,25 @@ static const size_t PRFKlen[NB_PRF_TESTS] = {
     10
 };
 
-/* PRF M */
+/* Message */
 static const unsigned char PRFM[] = {
-    0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07,
-    0x08, 0x09, 0x0a, 0x0b, 0x0c, 0x0d, 0x0e, 0x0f,
+    0x00, 0x01, 0x02, 0x03,     0x04, 0x05, 0x06, 0x07,
+    0x08, 0x09, 0x0a, 0x0b,     0x0c, 0x0d, 0x0e, 0x0f,
     0x10, 0x11, 0x12, 0x13
 };
 
 static const unsigned char PRFT[NB_PRF_TESTS][16] = {
     {
-        0x84, 0xa3, 0x48, 0xa4, 0xa4, 0x5d, 0x23, 0x5b,
-        0xab, 0xff, 0xfc, 0x0d, 0x2b, 0x4d, 0xa0, 0x9a
+        0x84, 0xa3, 0x48, 0xa4,     0xa4, 0x5d, 0x23, 0x5b,
+        0xab, 0xff, 0xfc, 0x0d,     0x2b, 0x4d, 0xa0, 0x9a
     },
     {
-        0x98, 0x0a, 0xe8, 0x7b, 0x5f, 0x4c, 0x9c, 0x52,
-        0x14, 0xf5, 0xb6, 0xa8, 0x45, 0x5e, 0x4c, 0x2d
+        0x98, 0x0a, 0xe8, 0x7b,     0x5f, 0x4c, 0x9c, 0x52,
+        0x14, 0xf5, 0xb6, 0xa8,     0x45, 0x5e, 0x4c, 0x2d
     },
     {
-        0x29, 0x0d, 0x9e, 0x11, 0x2e, 0xdb, 0x09, 0xee,
-        0x14, 0x1f, 0xcf, 0x64, 0xc0, 0xb7, 0x2f, 0x3d
+        0x29, 0x0d, 0x9e, 0x11,     0x2e, 0xdb, 0x09, 0xee,
+        0x14, 0x1f, 0xcf, 0x64,     0xc0, 0xb7, 0x2f, 0x3d
     }
 };
 #endif /* MBEDTLS_AES_C */

ext/lib/crypto/mbedtls/library/ctr_drbg.c

@@ -290,7 +290,8 @@ int mbedtls_ctr_drbg_reseed( mbedtls_ctr_drbg_context *ctx,
     unsigned char seed[MBEDTLS_CTR_DRBG_MAX_SEED_INPUT];
     size_t seedlen = 0;
 
-    if( ctx->entropy_len + len > MBEDTLS_CTR_DRBG_MAX_SEED_INPUT )
+    if( ctx->entropy_len > MBEDTLS_CTR_DRBG_MAX_SEED_INPUT ||
+        len > MBEDTLS_CTR_DRBG_MAX_SEED_INPUT - ctx->entropy_len )
         return( MBEDTLS_ERR_CTR_DRBG_INPUT_TOO_BIG );
 
     memset( seed, 0, MBEDTLS_CTR_DRBG_MAX_SEED_INPUT );

ext/lib/crypto/mbedtls/library/debug.c

@@ -71,7 +71,7 @@ static inline void debug_send_line( const mbedtls_ssl_context *ssl, int level,
      */
 #if defined(MBEDTLS_THREADING_C)
     char idstr[20 + DEBUG_BUF_SIZE]; /* 0x + 16 nibbles + ': ' */
-    mbedtls_snprintf( idstr, sizeof( idstr ), "%p: %s", ssl, str );
+    mbedtls_snprintf( idstr, sizeof( idstr ), "%p: %s", (void*)ssl, str );
     ssl->conf->f_dbg( ssl->conf->p_dbg, level, file, line, idstr );
 #else
     ssl->conf->f_dbg( ssl->conf->p_dbg, level, file, line, str );

ext/lib/crypto/mbedtls/library/ecp_curves.c

@@ -1213,7 +1213,7 @@ static inline int ecp_mod_koblitz( mbedtls_mpi *N, mbedtls_mpi_uint *Rp, size_t
     int ret;
     size_t i;
     mbedtls_mpi M, R;
-    mbedtls_mpi_uint Mp[P_KOBLITZ_MAX + P_KOBLITZ_R];
+    mbedtls_mpi_uint Mp[P_KOBLITZ_MAX + P_KOBLITZ_R + 1];
 
     if( N->n < p_limbs )
         return( 0 );
@@ -1235,7 +1235,7 @@ static inline int ecp_mod_koblitz( mbedtls_mpi *N, mbedtls_mpi_uint *Rp, size_t
     memcpy( Mp, N->p + p_limbs - adjust, M.n * sizeof( mbedtls_mpi_uint ) );
     if( shift != 0 )
         MBEDTLS_MPI_CHK( mbedtls_mpi_shift_r( &M, shift ) );
-    M.n += R.n - adjust; /* Make room for multiplication by R */
+    M.n += R.n; /* Make room for multiplication by R */
 
     /* N = A0 */
     if( mask != 0 )
@@ -1257,7 +1257,7 @@ static inline int ecp_mod_koblitz( mbedtls_mpi *N, mbedtls_mpi_uint *Rp, size_t
     memcpy( Mp, N->p + p_limbs - adjust, M.n * sizeof( mbedtls_mpi_uint ) );
     if( shift != 0 )
         MBEDTLS_MPI_CHK( mbedtls_mpi_shift_r( &M, shift ) );
-    M.n += R.n - adjust; /* Make room for multiplication by R */
+    M.n += R.n; /* Make room for multiplication by R */
 
     /* N = A0 */
     if( mask != 0 )

ext/lib/crypto/mbedtls/library/md2.c

@@ -158,7 +158,7 @@ void mbedtls_md2_update( mbedtls_md2_context *ctx, const unsigned char *input, s
 
     while( ilen > 0 )
     {
-        if( ctx->left + ilen > 16 )
+        if( ilen > 16 - ctx->left )
             fill = 16 - ctx->left;
         else
             fill = ilen;

ext/lib/crypto/mbedtls/library/net_sockets.c

@@ -133,7 +133,8 @@ void mbedtls_net_init( mbedtls_net_context *ctx )
 /*
  * Initiate a TCP connection with host:port and the given protocol
  */
-int mbedtls_net_connect( mbedtls_net_context *ctx, const char *host, const char *port, int proto )
+int mbedtls_net_connect( mbedtls_net_context *ctx, const char *host,
+                         const char *port, int proto )
 {
     int ret;
     struct addrinfo hints, *addr_list, *cur;
@@ -238,7 +239,7 @@ int mbedtls_net_bind( mbedtls_net_context *ctx, const char *bind_ip, const char
             }
         }
 
-        /* I we ever get there, it's a success */
+        /* Bind was successful */
         ret = 0;
         break;
     }
@@ -322,7 +323,7 @@ int mbedtls_net_accept( mbedtls_net_context *bind_ctx,
     {
         /* TCP: actual accept() */
         ret = client_ctx->fd = (int) accept( bind_ctx->fd,
-                                         (struct sockaddr *) &client_addr, &n );
+                                             (struct sockaddr *) &client_addr, &n );
     }
     else
     {

ext/lib/crypto/mbedtls/library/pem.c

@@ -44,12 +44,12 @@
 #define mbedtls_free       free
 #endif
 
+#if defined(MBEDTLS_PEM_PARSE_C)
 /* Implementation that should never be optimized out by the compiler */
 static void mbedtls_zeroize( void *v, size_t n ) {
     volatile unsigned char *p = v; while( n-- ) *p++ = 0;
 }
 
-#if defined(MBEDTLS_PEM_PARSE_C)
 void mbedtls_pem_init( mbedtls_pem_context *ctx )
 {
     memset( ctx, 0, sizeof( mbedtls_pem_context ) );
@@ -249,7 +249,7 @@ int mbedtls_pem_read_buffer( mbedtls_pem_context *ctx, const char *header, const
 
     enc = 0;
 
-    if( memcmp( s1, "Proc-Type: 4,ENCRYPTED", 22 ) == 0 )
+    if( s2 - s1 >= 22 && memcmp( s1, "Proc-Type: 4,ENCRYPTED", 22 ) == 0 )
     {
 #if defined(MBEDTLS_MD5_C) && defined(MBEDTLS_CIPHER_MODE_CBC) &&         \
     ( defined(MBEDTLS_DES_C) || defined(MBEDTLS_AES_C) )
@@ -262,22 +262,22 @@ int mbedtls_pem_read_buffer( mbedtls_pem_context *ctx, const char *header, const
 
 
 #if defined(MBEDTLS_DES_C)
-        if( memcmp( s1, "DEK-Info: DES-EDE3-CBC,", 23 ) == 0 )
+        if( s2 - s1 >= 23 && memcmp( s1, "DEK-Info: DES-EDE3-CBC,", 23 ) == 0 )
         {
             enc_alg = MBEDTLS_CIPHER_DES_EDE3_CBC;
 
             s1 += 23;
-            if( pem_get_iv( s1, pem_iv, 8 ) != 0 )
+            if( s2 - s1 < 16 || pem_get_iv( s1, pem_iv, 8 ) != 0 )
                 return( MBEDTLS_ERR_PEM_INVALID_ENC_IV );
 
             s1 += 16;
         }
-        else if( memcmp( s1, "DEK-Info: DES-CBC,", 18 ) == 0 )
+        else if( s2 - s1 >= 18 && memcmp( s1, "DEK-Info: DES-CBC,", 18 ) == 0 )
         {
             enc_alg = MBEDTLS_CIPHER_DES_CBC;
 
             s1 += 18;
-            if( pem_get_iv( s1, pem_iv, 8) != 0 )
+            if( s2 - s1 < 16 || pem_get_iv( s1, pem_iv, 8) != 0 )
                 return( MBEDTLS_ERR_PEM_INVALID_ENC_IV );
 
             s1 += 16;
@@ -285,9 +285,11 @@ int mbedtls_pem_read_buffer( mbedtls_pem_context *ctx, const char *header, const
 #endif /* MBEDTLS_DES_C */
 
 #if defined(MBEDTLS_AES_C)
-        if( memcmp( s1, "DEK-Info: AES-", 14 ) == 0 )
+        if( s2 - s1 >= 14 && memcmp( s1, "DEK-Info: AES-", 14 ) == 0 )
         {
-            if( memcmp( s1, "DEK-Info: AES-128-CBC,", 22 ) == 0 )
+            if( s2 - s1 < 22 )
+                return( MBEDTLS_ERR_PEM_UNKNOWN_ENC_ALG );
+            else if( memcmp( s1, "DEK-Info: AES-128-CBC,", 22 ) == 0 )
                 enc_alg = MBEDTLS_CIPHER_AES_128_CBC;
             else if( memcmp( s1, "DEK-Info: AES-192-CBC,", 22 ) == 0 )
                 enc_alg = MBEDTLS_CIPHER_AES_192_CBC;
@@ -297,7 +299,7 @@ int mbedtls_pem_read_buffer( mbedtls_pem_context *ctx, const char *header, const
                 return( MBEDTLS_ERR_PEM_UNKNOWN_ENC_ALG );
 
             s1 += 22;
-            if( pem_get_iv( s1, pem_iv, 16 ) != 0 )
+            if( s2 - s1 < 32 || pem_get_iv( s1, pem_iv, 16 ) != 0 )
                 return( MBEDTLS_ERR_PEM_INVALID_ENC_IV );
 
             s1 += 32;
@@ -316,7 +318,7 @@ int mbedtls_pem_read_buffer( mbedtls_pem_context *ctx, const char *header, const
           ( MBEDTLS_AES_C || MBEDTLS_DES_C ) */
     }
 
-    if( s1 == s2 )
+    if( s1 >= s2 )
         return( MBEDTLS_ERR_PEM_INVALID_DATA );
 
     ret = mbedtls_base64_decode( NULL, 0, &len, s1, s2 - s1 );

ext/lib/crypto/mbedtls/library/pk.c

@@ -29,6 +29,8 @@
 #include "mbedtls/pk.h"
 #include "mbedtls/pk_internal.h"
 
+#include "mbedtls/bignum.h"
+
 #if defined(MBEDTLS_RSA_C)
 #include "mbedtls/rsa.h"
 #endif
@@ -39,6 +41,8 @@
 #include "mbedtls/ecdsa.h"
 #endif
 
+#include <limits.h>
+
 /* Implementation that should never be optimized out by the compiler */
 static void mbedtls_zeroize( void *v, size_t n ) {
     volatile unsigned char *p = v; while( n-- ) *p++ = 0;
@@ -209,6 +213,11 @@ int mbedtls_pk_verify_ext( mbedtls_pk_type_t type, const void *options,
         int ret;
         const mbedtls_pk_rsassa_pss_options *pss_opts;
 
+#if defined(MBEDTLS_HAVE_INT64)
+        if( md_alg == MBEDTLS_MD_NONE && UINT_MAX < hash_len )
+            return( MBEDTLS_ERR_PK_BAD_INPUT_DATA );
+#endif /* MBEDTLS_HAVE_INT64 */
+
         if( options == NULL )
             return( MBEDTLS_ERR_PK_BAD_INPUT_DATA );
 
@@ -232,7 +241,7 @@ int mbedtls_pk_verify_ext( mbedtls_pk_type_t type, const void *options,
         return( 0 );
 #else
         return( MBEDTLS_ERR_PK_FEATURE_UNAVAILABLE );
-#endif
+#endif /* MBEDTLS_RSA_C && MBEDTLS_PKCS1_V21 */
     }
 
     /* General case: no options */

ext/lib/crypto/mbedtls/library/pk_wrap.c

@@ -30,6 +30,7 @@
 
 /* Even if RSA not activated, for the sake of RSA-alt */
 #include "mbedtls/rsa.h"
+#include "mbedtls/bignum.h"
 
 #include <string.h>
 
@@ -49,6 +50,8 @@
 #define mbedtls_free       free
 #endif
 
+#include <limits.h>
+
 #if defined(MBEDTLS_PK_RSA_ALT_SUPPORT)
 /* Implementation that should never be optimized out by the compiler */
 static void mbedtls_zeroize( void *v, size_t n ) {
@@ -74,6 +77,11 @@ static int rsa_verify_wrap( void *ctx, mbedtls_md_type_t md_alg,
 {
     int ret;
 
+#if defined(MBEDTLS_HAVE_INT64)
+    if( md_alg == MBEDTLS_MD_NONE && UINT_MAX < hash_len )
+        return( MBEDTLS_ERR_PK_BAD_INPUT_DATA );
+#endif /* MBEDTLS_HAVE_INT64 */
+
     if( sig_len < ((mbedtls_rsa_context *) ctx)->len )
         return( MBEDTLS_ERR_RSA_VERIFY_FAILED );
 
@@ -93,6 +101,11 @@ static int rsa_sign_wrap( void *ctx, mbedtls_md_type_t md_alg,
                    unsigned char *sig, size_t *sig_len,
                    int (*f_rng)(void *, unsigned char *, size_t), void *p_rng )
 {
+#if defined(MBEDTLS_HAVE_INT64)
+    if( md_alg == MBEDTLS_MD_NONE && UINT_MAX < hash_len )
+        return( MBEDTLS_ERR_PK_BAD_INPUT_DATA );
+#endif /* MBEDTLS_HAVE_INT64 */
+
     *sig_len = ((mbedtls_rsa_context *) ctx)->len;
 
     return( mbedtls_rsa_pkcs1_sign( (mbedtls_rsa_context *) ctx, f_rng, p_rng, MBEDTLS_RSA_PRIVATE,
@@ -402,6 +415,11 @@ static int rsa_alt_sign_wrap( void *ctx, mbedtls_md_type_t md_alg,
 {
     mbedtls_rsa_alt_context *rsa_alt = (mbedtls_rsa_alt_context *) ctx;
 
+#if defined(MBEDTLS_HAVE_INT64)
+    if( UINT_MAX < hash_len )
+        return( MBEDTLS_ERR_PK_BAD_INPUT_DATA );
+#endif /* MBEDTLS_HAVE_INT64 */
+
     *sig_len = rsa_alt->key_len_func( rsa_alt->key );
 
     return( rsa_alt->sign_func( rsa_alt->key, f_rng, p_rng, MBEDTLS_RSA_PRIVATE,

ext/lib/crypto/mbedtls/library/pkparse.c

@@ -1187,12 +1187,12 @@ int mbedtls_pk_parse_key( mbedtls_pk_context *pk,
 #endif /* MBEDTLS_PEM_PARSE_C */
 
     /*
-    * At this point we only know it's not a PEM formatted key. Could be any
-    * of the known DER encoded private key formats
-    *
-    * We try the different DER format parsers to see if one passes without
-    * error
-    */
+     * At this point we only know it's not a PEM formatted key. Could be any
+     * of the known DER encoded private key formats
+     *
+     * We try the different DER format parsers to see if one passes without
+     * error
+     */
 #if defined(MBEDTLS_PKCS12_C) || defined(MBEDTLS_PKCS5_C)
     if( ( ret = pk_parse_key_pkcs8_encrypted_der( pk, key, keylen,
                                                   pwd, pwdlen ) ) == 0 )

ext/lib/crypto/mbedtls/library/platform.c

@@ -237,7 +237,7 @@ int mbedtls_platform_std_nv_seed_read( unsigned char *buf, size_t buf_len )
     }
 
     fclose( file );
-    return( n );
+    return( (int)n );
 }
 
 int mbedtls_platform_std_nv_seed_write( unsigned char *buf, size_t buf_len )
@@ -255,7 +255,7 @@ int mbedtls_platform_std_nv_seed_write( unsigned char *buf, size_t buf_len )
     }
 
     fclose( file );
-    return( n );
+    return( (int)n );
 }
 #endif /* MBEDTLS_PLATFORM_NO_STD_FUNCTIONS */
 

ext/lib/crypto/mbedtls/library/ssl_cookie.c

@@ -98,7 +98,7 @@ void mbedtls_ssl_cookie_free( mbedtls_ssl_cookie_ctx *ctx )
     mbedtls_md_free( &ctx->hmac_ctx );
 
 #if defined(MBEDTLS_THREADING_C)
-    mbedtls_mutex_init( &ctx->mutex );
+    mbedtls_mutex_free( &ctx->mutex );
 #endif
 
     mbedtls_zeroize( ctx, sizeof( mbedtls_ssl_cookie_ctx ) );

ext/lib/crypto/mbedtls/library/ssl_tls.c

@@ -3428,7 +3428,7 @@ static int ssl_handle_possible_reconnect( mbedtls_ssl_context *ssl )
 
     if( ret == MBEDTLS_ERR_SSL_HELLO_VERIFY_REQUIRED )
     {
-        /* Dont check write errors as we can't do anything here.
+        /* Don't check write errors as we can't do anything here.
          * If the error is permanent we'll catch it later,
          * if it's not, then hopefully it'll work next time. */
         (void) ssl->f_send( ssl->p_bio, ssl->out_buf, len );
@@ -6006,8 +6006,9 @@ int mbedtls_ssl_conf_alpn_protocols( mbedtls_ssl_config *conf, const char **prot
     const char **p;
 
     /*
-     * "Empty strings MUST NOT be included and byte strings MUST NOT be
-     * truncated". Check lengths now rather than later.
+     * RFC 7301 3.1: "Empty strings MUST NOT be included and byte strings
+     * MUST NOT be truncated."
+     * We check lengths now rather than later.
      */
     tot_len = 0;
     for( p = protos; *p != NULL; p++ )
@@ -6481,6 +6482,10 @@ int mbedtls_ssl_renegotiate( mbedtls_ssl_context *ssl )
  */
 static int ssl_check_ctr_renegotiate( mbedtls_ssl_context *ssl )
 {
+    size_t ep_len = ssl_ep_len( ssl );
+    int in_ctr_cmp;
+    int out_ctr_cmp;
+
     if( ssl->state != MBEDTLS_SSL_HANDSHAKE_OVER ||
         ssl->renego_status == MBEDTLS_SSL_RENEGOTIATION_PENDING ||
         ssl->conf->disable_renegotiation == MBEDTLS_SSL_RENEGOTIATION_DISABLED )
@@ -6488,8 +6493,12 @@ static int ssl_check_ctr_renegotiate( mbedtls_ssl_context *ssl )
         return( 0 );
     }
 
-    if( memcmp( ssl->in_ctr,  ssl->conf->renego_period, 8 ) <= 0 &&
-        memcmp( ssl->out_ctr, ssl->conf->renego_period, 8 ) <= 0 )
+    in_ctr_cmp = memcmp( ssl->in_ctr + ep_len,
+                        ssl->conf->renego_period + ep_len, 8 - ep_len );
+    out_ctr_cmp = memcmp( ssl->out_ctr + ep_len,
+                          ssl->conf->renego_period + ep_len, 8 - ep_len );
+
+    if( in_ctr_cmp <= 0 && out_ctr_cmp <= 0 )
     {
         return( 0 );
     }
@@ -7230,8 +7239,8 @@ int mbedtls_ssl_config_defaults( mbedtls_ssl_config *conf,
 
 #if defined(MBEDTLS_SSL_RENEGOTIATION)
     conf->renego_max_records = MBEDTLS_SSL_RENEGO_MAX_RECORDS_DEFAULT;
-    memset( conf->renego_period, 0xFF, 7 );
-    conf->renego_period[7] = 0x00;
+    memset( conf->renego_period,     0x00, 2 );
+    memset( conf->renego_period + 2, 0xFF, 6 );
 #endif
 
 #if defined(MBEDTLS_DHM_C) && defined(MBEDTLS_SSL_SRV_C)
@@ -7585,7 +7594,7 @@ int mbedtls_ssl_check_cert_usage( const mbedtls_x509_crt *cert,
  * and, for DTLS, to/from TLS equivalent.
  *
  * For TLS this is the identity.
- * For DTLS, use one complement (v -> 255 - v, and then map as follows:
+ * For DTLS, use 1's complement (v -> 255 - v, and then map as follows:
  * 1.0 <-> 3.2      (DTLS 1.0 is based on TLS 1.1)
  * 1.x <-> 3.x+1    for x != 0 (DTLS 1.2 based on TLS 1.2)
  */
@@ -7644,8 +7653,7 @@ int mbedtls_ssl_set_calc_verify_md( mbedtls_ssl_context *ssl, int md )
 #if defined(MBEDTLS_SSL_PROTO_TLS1) || defined(MBEDTLS_SSL_PROTO_TLS1_1)
 #if defined(MBEDTLS_MD5_C)
         case MBEDTLS_SSL_HASH_MD5:
-            ssl->handshake->calc_verify = ssl_calc_verify_tls;
-            break;
+            return MBEDTLS_ERR_SSL_INVALID_VERIFY_HASH;
 #endif
 #if defined(MBEDTLS_SHA1_C)
         case MBEDTLS_SSL_HASH_SHA1:

ext/lib/crypto/mbedtls/library/x509.c

@@ -480,14 +480,20 @@ int mbedtls_x509_get_name( unsigned char **p, const unsigned char *end,
     }
 }
 
-static int x509_parse_int(unsigned char **p, unsigned n, int *res){
+static int x509_parse_int( unsigned char **p, size_t n, int *res )
+{
     *res = 0;
-    for( ; n > 0; --n ){
-        if( ( **p < '0') || ( **p > '9' ) ) return MBEDTLS_ERR_X509_INVALID_DATE;
+
+    for( ; n > 0; --n )
+    {
+        if( ( **p < '0') || ( **p > '9' ) )
+            return ( MBEDTLS_ERR_X509_INVALID_DATE );
+
         *res *= 10;
-        *res += (*(*p)++ - '0');
+        *res += ( *(*p)++ - '0' );
     }
-    return 0;
+
+    return( 0 );
 }
 
 static int x509_date_is_valid(const mbedtls_x509_time *time)
@@ -517,6 +523,70 @@ static int x509_date_is_valid(const mbedtls_x509_time *time)
     return( 0 );
 }
 
+/*
+ * Parse an ASN1_UTC_TIME (yearlen=2) or ASN1_GENERALIZED_TIME (yearlen=4)
+ * field.
+ */
+static int x509_parse_time( unsigned char **p, size_t len, size_t yearlen,
+        mbedtls_x509_time *time )
+{
+    int ret;
+
+    /*
+     * Minimum length is 10 or 12 depending on yearlen
+     */
+    if ( len < yearlen + 8 )
+        return ( MBEDTLS_ERR_X509_INVALID_DATE );
+    len -= yearlen + 8;
+
+    /*
+     * Parse year, month, day, hour, minute
+     */
+    CHECK( x509_parse_int( p, yearlen, &time->year ) );
+    if ( 2 == yearlen )
+    {
+        if ( time->year < 50 )
+            time->year += 100;
+
+        time->year += 1900;
+    }
+
+    CHECK( x509_parse_int( p, 2, &time->mon ) );
+    CHECK( x509_parse_int( p, 2, &time->day ) );
+    CHECK( x509_parse_int( p, 2, &time->hour ) );
+    CHECK( x509_parse_int( p, 2, &time->min ) );
+
+    /*
+     * Parse seconds if present
+     */
+    if ( len >= 2 )
+    {
+        CHECK( x509_parse_int( p, 2, &time->sec ) );
+        len -= 2;
+    }
+    else
+        return ( MBEDTLS_ERR_X509_INVALID_DATE );
+
+    /*
+     * Parse trailing 'Z' if present
+     */
+    if ( 1 == len && 'Z' == **p )
+    {
+        (*p)++;
+        len--;
+    }
+
+    /*
+     * We should have parsed all characters at this point
+     */
+    if ( 0 != len )
+        return ( MBEDTLS_ERR_X509_INVALID_DATE );
+
+    CHECK( x509_date_is_valid( time ) );
+
+    return ( 0 );
+}
+
 /*
  *  Time ::= CHOICE {
  *       utcTime        UTCTime,
@@ -526,7 +596,7 @@ int mbedtls_x509_get_time( unsigned char **p, const unsigned char *end,
                    mbedtls_x509_time *time )
 {
     int ret;
-    size_t len;
+    size_t len, year_len;
     unsigned char tag;
 
     if( ( end - *p ) < 1 )
@@ -536,55 +606,20 @@ int mbedtls_x509_get_time( unsigned char **p, const unsigned char *end,
     tag = **p;
 
     if( tag == MBEDTLS_ASN1_UTC_TIME )
-    {
-        (*p)++;
-        ret = mbedtls_asn1_get_len( p, end, &len );
-
-        if( ret != 0 )
-            return( MBEDTLS_ERR_X509_INVALID_DATE + ret );
-
-        CHECK( x509_parse_int( p, 2, &time->year ) );
-        CHECK( x509_parse_int( p, 2, &time->mon ) );
-        CHECK( x509_parse_int( p, 2, &time->day ) );
-        CHECK( x509_parse_int( p, 2, &time->hour ) );
-        CHECK( x509_parse_int( p, 2, &time->min ) );
-        if( len > 10 )
-            CHECK( x509_parse_int( p, 2, &time->sec ) );
-        if( len > 12 && *(*p)++ != 'Z' )
-            return( MBEDTLS_ERR_X509_INVALID_DATE );
-
-        time->year +=  100 * ( time->year < 50 );
-        time->year += 1900;
-
-        CHECK( x509_date_is_valid( time ) );
-
-        return( 0 );
-    }
+        year_len = 2;
     else if( tag == MBEDTLS_ASN1_GENERALIZED_TIME )
-    {
-        (*p)++;
-        ret = mbedtls_asn1_get_len( p, end, &len );
-
-        if( ret != 0 )
-            return( MBEDTLS_ERR_X509_INVALID_DATE + ret );
-
-        CHECK( x509_parse_int( p, 4, &time->year ) );
-        CHECK( x509_parse_int( p, 2, &time->mon ) );
-        CHECK( x509_parse_int( p, 2, &time->day ) );
-        CHECK( x509_parse_int( p, 2, &time->hour ) );
-        CHECK( x509_parse_int( p, 2, &time->min ) );
-        if( len > 12 )
-            CHECK( x509_parse_int( p, 2, &time->sec ) );
-        if( len > 14 && *(*p)++ != 'Z' )
-            return( MBEDTLS_ERR_X509_INVALID_DATE );
-
-        CHECK( x509_date_is_valid( time ) );
-
-        return( 0 );
-    }
+        year_len = 4;
     else
         return( MBEDTLS_ERR_X509_INVALID_DATE +
                 MBEDTLS_ERR_ASN1_UNEXPECTED_TAG );
+
+    (*p)++;
+    ret = mbedtls_asn1_get_len( p, end, &len );
+
+    if( ret != 0 )
+        return( MBEDTLS_ERR_X509_INVALID_DATE + ret );
+
+    return x509_parse_time( p, len, year_len, time );
 }
 
 int mbedtls_x509_get_sig( unsigned char **p, const unsigned char *end, mbedtls_x509_buf *sig )
@@ -661,7 +696,7 @@ int mbedtls_x509_get_sig_alg( const mbedtls_x509_buf *sig_oid, const mbedtls_x50
 
 /*
  * X.509 Extensions (No parsing of extensions, pointer should
- * be either manually updated or extensions should be parsed!
+ * be either manually updated or extensions should be parsed!)
  */
 int mbedtls_x509_get_ext( unsigned char **p, const unsigned char *end,
                   mbedtls_x509_buf *ext, int tag )

ext/lib/crypto/mbedtls/library/x509_crl.c

@@ -525,16 +525,17 @@ int mbedtls_x509_crl_parse( mbedtls_x509_crl *chain, const unsigned char *buf, s
             if( ( ret = mbedtls_x509_crl_parse_der( chain,
                                             pem.buf, pem.buflen ) ) != 0 )
             {
+                mbedtls_pem_free( &pem );
                 return( ret );
             }
-
-            mbedtls_pem_free( &pem );
         }
-        else if( ret != MBEDTLS_ERR_PEM_NO_HEADER_FOOTER_PRESENT )
+        else if( is_pem )
         {
             mbedtls_pem_free( &pem );
             return( ret );
         }
+
+        mbedtls_pem_free( &pem );
     }
     /* In the PEM case, buflen is 1 at the end, for the terminated NULL byte.
      * And a valid CRL cannot be less than 1 byte anyway. */

ext/lib/crypto/mbedtls/library/x509_crt.c

@@ -969,8 +969,8 @@ int mbedtls_x509_crt_parse_der( mbedtls_x509_crt *chain, const unsigned char *bu
  */
 int mbedtls_x509_crt_parse( mbedtls_x509_crt *chain, const unsigned char *buf, size_t buflen )
 {
-    int success = 0, first_error = 0, total_failed = 0;
 #if defined(MBEDTLS_PEM_PARSE_C)
+    int success = 0, first_error = 0, total_failed = 0;
     int buf_format = MBEDTLS_X509_FORMAT_DER;
 #endif
 
@@ -1122,7 +1122,7 @@ int mbedtls_x509_crt_parse_path( mbedtls_x509_crt *chain, const char *path )
     p = filename + len;
     filename[len++] = '*';
 
-    w_ret = MultiByteToWideChar( CP_ACP, 0, filename, len, szDir,
+    w_ret = MultiByteToWideChar( CP_ACP, 0, filename, (int)len, szDir,
                                  MAX_PATH - 3 );
     if( w_ret == 0 )
         return( MBEDTLS_ERR_X509_BAD_INPUT_DATA );
@@ -1904,6 +1904,7 @@ static int x509_crt_verify_top(
     int check_path_cnt;
     unsigned char hash[MBEDTLS_MD_MAX_SIZE];
     const mbedtls_md_info_t *md_info;
+    mbedtls_x509_crt *future_past_ca = NULL;
 
     if( mbedtls_x509_time_is_past( &child->valid_to ) )
         *flags |= MBEDTLS_X509_BADCERT_EXPIRED;
@@ -1958,16 +1959,6 @@ static int x509_crt_verify_top(
             continue;
         }
 
-        if( mbedtls_x509_time_is_past( &trust_ca->valid_to ) )
-        {
-            continue;
-        }
-
-        if( mbedtls_x509_time_is_future( &trust_ca->valid_from ) )
-        {
-            continue;
-        }
-
         if( mbedtls_pk_verify_ext( child->sig_pk, child->sig_opts, &trust_ca->pk,
                            child->sig_md, hash, mbedtls_md_get_size( md_info ),
                            child->sig.p, child->sig.len ) != 0 )
@@ -1975,6 +1966,20 @@ static int x509_crt_verify_top(
             continue;
         }
 
+        if( mbedtls_x509_time_is_past( &trust_ca->valid_to ) ||
+            mbedtls_x509_time_is_future( &trust_ca->valid_from ) )
+        {
+            if ( future_past_ca == NULL )
+                future_past_ca = trust_ca;
+
+            continue;
+        }
+
+        break;
+    }
+
+    if( trust_ca != NULL || ( trust_ca = future_past_ca ) != NULL )
+    {
         /*
          * Top of chain is signed by a trusted CA
          */
@@ -1982,8 +1987,6 @@ static int x509_crt_verify_top(
 
         if( x509_profile_check_key( profile, child->sig_pk, &trust_ca->pk ) != 0 )
             *flags |= MBEDTLS_X509_BADCERT_BAD_KEY;
-
-        break;
     }
 
     /*
@@ -2003,6 +2006,12 @@ static int x509_crt_verify_top(
         ((void) ca_crl);
 #endif
 
+        if( mbedtls_x509_time_is_past( &trust_ca->valid_to ) )
+            ca_flags |= MBEDTLS_X509_BADCERT_EXPIRED;
+
+        if( mbedtls_x509_time_is_future( &trust_ca->valid_from ) )
+            ca_flags |= MBEDTLS_X509_BADCERT_FUTURE;
+
         if( NULL != f_vrfy )
         {
             if( ( ret = f_vrfy( p_vrfy, trust_ca, path_cnt + 1,

ext/lib/crypto/mbedtls/library/x509_csr.c

@@ -265,8 +265,8 @@ int mbedtls_x509_csr_parse_der( mbedtls_x509_csr *csr,
  */
 int mbedtls_x509_csr_parse( mbedtls_x509_csr *csr, const unsigned char *buf, size_t buflen )
 {
-    int ret;
 #if defined(MBEDTLS_PEM_PARSE_C)
+    int ret;
     size_t use_len;
     mbedtls_pem_context pem;
 #endif

ext/lib/crypto/tinycrypt/README

@@ -3,7 +3,7 @@ open source project.  The original upstream code can be found at:
 
 https://github.com/01org/tinycrypt
 
-At revision c7b1dca2b27070dfb5f92e56dab7a91a7afee18c, version 0.2.5
+At revision e6cffb820b91578d9816fc0bcc8f72f32f6ee76b, version 0.2.6
 
 Any changes to the local version should include Zephyr's TinyCrypt
 maintainer in the review.  That can be found via the git history.

ext/lib/crypto/tinycrypt/include/tinycrypt/constants.h

@@ -47,10 +47,6 @@ extern "C" {
 #define NULL ((void *)0)
 #endif
 
-#ifndef bool
-enum {false, true} bool;
-#endif
-
 #define TC_CRYPTO_SUCCESS 1
 #define TC_CRYPTO_FAIL 0
 

ext/lib/crypto/tinycrypt/include/tinycrypt/ecc.h

@@ -79,10 +79,12 @@
 extern "C" {
 #endif
 
+/* Word size (4 bytes considering 32-bits architectures) */
+#define WORD_SIZE 4
 /* Number of words of 32 bits to represent an element of the the curve p-256: */
 #define NUM_ECC_DIGITS 8
 /* Number of bytes to represent an element of the the curve p-256: */
-#define NUM_ECC_BYTES (4*NUM_ECC_DIGITS)
+#define NUM_ECC_BYTES (WORD_SIZE*NUM_ECC_DIGITS)
 
 /* struct to represent a point of the curve (uses X and Y coordinates): */
 typedef struct EccPoint {
@@ -218,6 +220,8 @@ void vli_modSquare_fast(uint32_t *p_result, uint32_t *p_left);
  * @param p_right IN -- buffer p_right in (p_left * p_right) % p_mod.
  * @param p_mod IN -- module.
  * @param p_barrett IN -- used for Barrett reduction.
+ * @note Side-channel countermeasure: algorithm strengthened against timing
+ * attack.
  */
 void vli_modMult(uint32_t *p_result, uint32_t *p_left, uint32_t *p_right,
 		uint32_t *p_mod, uint32_t *p_barrett);
@@ -229,10 +233,27 @@ void vli_modMult(uint32_t *p_result, uint32_t *p_left, uint32_t *p_right,
  * @param p_input IN -- buffer p_input in (1/p_intput) % p_mod.
  * @param p_mod IN -- module.
  * @param p_barrett IN -- used for Barrett reduction.
+ * @note Side-channel countermeasure: algorithm strengthened against timing
+ * attack.
  */
 void vli_modInv(uint32_t *p_result, uint32_t *p_input,
 		uint32_t *p_mod, uint32_t *p_barrett);
 
+/*
+ * @brief modular reduction based on Barrett's method
+ * @param p_result OUT -- p_product % p_mod.
+ * @param p_product IN -- buffer p_product in (p_product % p_mod).
+ * @param p_mod IN -- buffer p_mod in (p_product % p_mod).
+ * @param p_barrett -- used for Barrett reduction.
+ * @note Side-channel countermeasure: algorithm strengthened against timing
+ * attack.
+ */
+void vli_mmod_barrett(
+    uint32_t *p_result,
+    uint32_t *p_product,
+    uint32_t *p_mod,
+    uint32_t *p_barrett);
+
 /*
  * @brief Check if a point is zero.
  * @return Returns 1 if p_point is the point at infinity, 0 otherwise.
@@ -271,10 +292,26 @@ void EccPoint_add(EccPointJacobi *P1, EccPointJacobi *P2);
  * @param p_result OUT -- Product of p_point by p_scalar.
  * @param p_point IN -- Elliptic curve point
  * @param p_scalar IN -- Scalar integer
+ * @note Side-channel countermeasure: algorithm strengthened against timing
+ * attack.
  */
-void EccPoint_mult(EccPointJacobi *p_result, EccPoint *p_point,
+void EccPoint_mult_safe(EccPointJacobi *p_result, EccPoint *p_point,
 		uint32_t *p_scalar);
 
+/*
+ * @brief Fast elliptic curve scalar multiplication with result in Jacobi
+ * coordinates
+ * @note non constant time
+ * @param p_result OUT -- Product of p_point by p_scalar.
+ * @param p_point IN -- Elliptic curve point
+ * @param p_scalar IN -- Scalar integer
+ * @note algorithm NOT strengthened against timing attack.
+ */
+void EccPoint_mult_unsafe(
+    EccPointJacobi *p_result,
+    EccPoint *p_point,
+    uint32_t *p_scalar);
+
 /*
  * @brief Convert an integer in standard octet representation to native format.
  * @return returns TC_CRYPTO_SUCCESS (1)

ext/lib/crypto/tinycrypt/include/tinycrypt/ecc_dh.h

@@ -80,7 +80,7 @@ extern "C" {
 
 /**
  * @brief Create a public/private key pair.
- * @return returns TC_CRYPTO_SUCCESS (1) if the key pair was generated successfully
+ * @return returns TC_CRYPTO_SUCCESS (1) if key pair was generated successfully
  *         returns TC_CRYPTO_FAIL (0) if:
  *                the private key is 0
  *
@@ -90,13 +90,15 @@ extern "C" {
  *
  * @note You must use a new non-predictable random number to generate each
  * new key pair.
+ * @note p_random must have NUM_ECC_DIGITS*2 bits of entropy to eliminate
+ * bias in keys.
  *
  * @note side-channel countermeasure: algorithm strengthened against timing
  * attack.
  */
 int32_t ecc_make_key(EccPoint *p_publicKey,
 		     uint32_t p_privateKey[NUM_ECC_DIGITS],
-		     uint32_t p_random[NUM_ECC_DIGITS]);
+		     uint32_t p_random[2 * NUM_ECC_DIGITS]);
 
 /**
  * @brief Determine whether or not a given point is on the chosen elliptic curve
@@ -106,7 +108,8 @@ int32_t ecc_make_key(EccPoint *p_publicKey,
  *         returns -2 if:  curve_p - p_publicKey->x != 1 or
  *                            curve_p - p_publicKey->y != 1
  *         returns -3 if: y^2 != x^3 + ax + b
-
+ *         returns -4 if: public key is the group generator
+ *
  * @param p_publicKey IN -- The point to be checked.
  */
 int32_t ecc_valid_public_key(EccPoint *p_publicKey);
@@ -114,7 +117,7 @@ int32_t ecc_valid_public_key(EccPoint *p_publicKey);
 /**
  * @brief Compute a shared secret given your secret key and someone else's
  * public key.
- * @return returns TC_CRYPTO_SUCCESS (1) if the shared secret was computed successfully
+ * @return returns TC_CRYPTO_SUCCESS (1) if the secret was computed successfully
  *         returns TC_CRYPTO_FAIL (0) otherwise
  *
  * @param p_secret OUT -- The shared secret value.
@@ -125,12 +128,9 @@ int32_t ecc_valid_public_key(EccPoint *p_publicKey);
  * attacks. The random multiplier should probably be different for each
  * invocation of ecdh_shared_secret().
  *
- * @note It is recommended that you hash the result of ecdh_shared_secret before
- * using it for symmetric encryption or HMAC. If you do not hash the shared
- * secret, you must call ecc_valid_public_key() to verify that the remote side's
- * public key is valid. If this is not done, an attacker could create a public
- * key that would cause your use of the shared secret to leak information about
- * the private key.
+ * @warning It is recommended to use the output of ecdh_shared_secret() as the
+ * input of a recommended Key Derivation Function (see NIST SP 800-108) in
+ * order to produce a symmetric key.
  */
 int32_t ecdh_shared_secret(uint32_t p_secret[NUM_ECC_DIGITS], EccPoint *p_publicKey,
 			   uint32_t p_privateKey[NUM_ECC_DIGITS]);

ext/lib/crypto/tinycrypt/include/tinycrypt/hmac.h

@@ -125,6 +125,7 @@ int32_t tc_hmac_update(TCHmacState_t ctx,
  *                ctx == NULL or
  *                key == NULL or
  *                taglen != TC_SHA256_DIGEST_SIZE
+ *  @note 'ctx' is erased before exiting (this must never be changed/removed).
  *  @note Assumes the tag bufer is at least sizeof(hmac_tag_size(state)) bytes
  *  state has been initialized by tc_hmac_init
  *  @param tag IN/OUT -- buffer to receive computed HMAC tag

ext/lib/crypto/tinycrypt/source/ecc.c

@@ -97,7 +97,9 @@ static void vli_clear(uint32_t *p_vli)
 	}
 }
 
-/* Returns nonzero if bit p_bit of p_vli is set. */
+/* Returns nonzero if bit p_bit of p_vli is set.
+ * It is assumed that the value provided in 'bit' is within
+ * the boundaries of the word-array 'p_vli'.*/
 static uint32_t vli_testBit(uint32_t *p_vli, uint32_t p_bit)
 {
 	return (p_vli[p_bit / 32] & (1 << (p_bit % 32)));
@@ -235,7 +237,7 @@ static void vli_square(uint32_t *p_result, uint32_t *p_left)
 }
 
 /* Computes p_result = p_product % curve_p using Barrett reduction. */
-static void vli_mmod_barrett(uint32_t *p_result, uint32_t *p_product,
+void vli_mmod_barrett(uint32_t *p_result, uint32_t *p_product,
 			     uint32_t *p_mod, uint32_t *p_barrett)
 {
 	uint32_t i;
@@ -547,7 +549,7 @@ void EccPoint_add(EccPointJacobi *P1, EccPointJacobi *P2)
  *
  * p_result = p_scalar * p_point.
  */
-void EccPoint_mult(EccPointJacobi *p_result, EccPoint *p_point, uint32_t *p_scalar)
+void EccPoint_mult_safe(EccPointJacobi *p_result, EccPoint *p_point, uint32_t *p_scalar)
 {
 
 	int32_t i;
@@ -568,6 +570,25 @@ void EccPoint_mult(EccPointJacobi *p_result, EccPoint *p_point, uint32_t *p_scal
 	}
 }
 
+/* Ellptic curve scalar multiplication with result in Jacobi coordinates */
+/* p_result = p_scalar * p_point */
+void EccPoint_mult_unsafe(EccPointJacobi *p_result, EccPoint *p_point, uint32_t *p_scalar)
+{
+  int i;
+  EccPointJacobi p_point_jacobi;
+  EccPoint_fromAffine(p_result, p_point);
+  EccPoint_fromAffine(&p_point_jacobi, p_point);
+
+  for(i = vli_numBits(p_scalar) - 2; i >= 0; i--)
+  {
+    EccPoint_double(p_result);
+    if (vli_testBit(p_scalar, i))
+    {
+      EccPoint_add(p_result, &p_point_jacobi);
+    }
+  }
+}
+
 /* -------- Conversions between big endian and little endian: -------- */
 
 void ecc_bytes2native(uint32_t p_native[NUM_ECC_DIGITS],

ext/lib/crypto/tinycrypt/source/ecc_dh.c

@@ -35,31 +35,36 @@
 extern uint32_t curve_p[NUM_ECC_DIGITS];
 extern uint32_t curve_b[NUM_ECC_DIGITS];
 extern uint32_t curve_n[NUM_ECC_DIGITS];
+extern uint32_t curve_pb[NUM_ECC_DIGITS + 1];
 extern EccPoint curve_G;
 
 int32_t ecc_make_key(EccPoint *p_publicKey, uint32_t p_privateKey[NUM_ECC_DIGITS],
-		     uint32_t p_random[NUM_ECC_DIGITS])
+			 uint32_t p_random[NUM_ECC_DIGITS * 2])
 {
+  /* computing modular reduction of p_random (see FIPS 186.4 B.4.1): */
+  vli_mmod_barrett(p_privateKey, p_random, curve_p, curve_pb);
 
 	/* Make sure the private key is in the range [1, n-1].
 	 * For the supported curve, n is always large enough
 	 * that we only need to subtract once at most.
 	 */
 	uint32_t p_tmp[NUM_ECC_DIGITS];
-
-	vli_set(p_privateKey, p_random);
 	vli_sub(p_tmp, p_privateKey, curve_n, NUM_ECC_DIGITS);
 
 	vli_cond_set(p_privateKey, p_privateKey, p_tmp,
 		     vli_cmp(curve_n, p_privateKey, NUM_ECC_DIGITS) == 1);
 
+  /* erasing temporary buffer used to store secret: */
+  for (uint32_t i = 0; i < NUM_ECC_DIGITS; i++)
+    p_tmp[i] = 0;
+
 	if (vli_isZero(p_privateKey)) {
 		return TC_CRYPTO_FAIL; /* The private key cannot be 0 (mod p). */
 	}
 
 	EccPointJacobi P;
 
-	EccPoint_mult(&P, &curve_G, p_privateKey);
+	EccPoint_mult_safe(&P, &curve_G, p_privateKey);
 	EccPoint_toAffine(p_publicKey, &P);
 
 	return TC_CRYPTO_SUCCESS;
@@ -102,6 +107,10 @@ int32_t ecc_valid_public_key(EccPoint *p_publicKey)
 		return -3;
 	}
 
+	if (vli_cmp(p_publicKey->x, curve_G.x, NUM_ECC_DIGITS) == 0 &&
+	   vli_cmp(p_publicKey->y, curve_G.y, NUM_ECC_DIGITS) == 0 )
+		return -4;
+
 	return 0;
 }
 
@@ -112,7 +121,7 @@ int32_t ecdh_shared_secret(uint32_t p_secret[NUM_ECC_DIGITS],
 	EccPoint p_point;
 	EccPointJacobi P;
 
-	EccPoint_mult(&P, p_publicKey, p_privateKey);
+	EccPoint_mult_safe(&P, p_publicKey, p_privateKey);
 	if (EccPointJacobi_isZero(&P)) {
 		return TC_CRYPTO_FAIL;
 	}

ext/lib/crypto/tinycrypt/source/ecc_dsa.c

@@ -56,7 +56,7 @@ int32_t ecdsa_sign(uint32_t r[NUM_ECC_DIGITS], uint32_t s[NUM_ECC_DIGITS],
 	vli_cond_set(k, k, tmp, vli_cmp(curve_n, k, NUM_ECC_DIGITS) == 1);
 
 	/* tmp = k * G */
-	EccPoint_mult(&P, &curve_G, k);
+	EccPoint_mult_safe(&P, &curve_G, k);
 	EccPoint_toAffine(&p_point, &P);
 
 	/* r = x1 (mod n) */
@@ -101,17 +101,15 @@ int32_t ecdsa_verify(EccPoint *p_publicKey, uint32_t p_hash[NUM_ECC_DIGITS],
 	vli_modMult(u2, r, z, curve_n, curve_nb); /* u2 = r/s */
 
 	/* calculate P = u1*G + u2*Q */
-	EccPoint_mult(&P, &curve_G, u1);
-	EccPoint_mult(&R, p_publicKey, u2);
+	EccPoint_mult_unsafe(&P, &curve_G, u1);
+	EccPoint_mult_unsafe(&R, p_publicKey, u2);
 	EccPoint_add(&P, &R);
 	EccPoint_toAffine(&p_point, &P);
 
 	/* Accept only if P.x == r. */
-	vli_cond_set(
-		p_point.x,
-		p_point.x,
-		z,
-		vli_sub(z, p_point.x, curve_n, NUM_ECC_DIGITS));
+	if (!vli_sub(z, p_point.x, curve_n, NUM_ECC_DIGITS)) {
+	  vli_set(p_point.x, z);
+	}
 
 	return (vli_cmp(p_point.x, r, NUM_ECC_DIGITS) == 0);
 }

ext/lib/crypto/tinycrypt/source/utils.c

@@ -55,14 +55,11 @@ void _set(void *to, uint8_t val, uint32_t len)
 }
 
 /*
- * Doubles the value of a byte for values up to 127. Original 'return
- * ((a<<1) ^ ((a>>7) * 0x1b))' re-written to avoid extra multiplication which
- * the compiler won't be able to optimize
+ * Doubles the value of a byte for values up to 127.
  */
 uint8_t _double_byte(uint8_t a)
 {
-	return (a & MASK_MOST_SIG_BIT) ?
-		((a << 1) ^ MASK_TWENTY_SEVEN) : (a << 1);
+	return ((a<<1) ^ ((a>>7) * MASK_TWENTY_SEVEN));
 }
 
 int32_t _compare(const uint8_t *a, const uint8_t *b, size_t size)

kernel/Kconfig

@@ -121,7 +121,7 @@ config IDLE_STACK_SIZE
 	int
 	prompt "Size of stack for idle thread"
 	default 256
-	default 320 if ARC
+	default 320 if ARC || (ARM && CPU_HAS_FPU)
 	default 512 if RISCV32
 	default 1024 if XTENSA
 	help

subsys/bluetooth/controller/ll/ctrl.c

@@ -2978,7 +2978,7 @@ static void mayfly_xtal_stop(void *params)
 }
 
 #if XTAL_ADVANCED
-static void mayfly_xtal_retain(uint8_t retain)
+static void mayfly_xtal_retain(uint8_t caller_id, uint8_t retain)
 {
 	static uint8_t s_xtal_retained;
 
@@ -2989,25 +2989,45 @@ static void mayfly_xtal_retain(uint8_t retain)
 				0, mayfly_xtal_start};
 			uint32_t retval;
 
+			/* Only user id job will try to retain the XTAL. */
+			LL_ASSERT(caller_id == RADIO_TICKER_USER_ID_JOB);
+
 			s_xtal_retained = 1;
 
-			retval = mayfly_enqueue(RADIO_TICKER_USER_ID_WORKER,
+			retval = mayfly_enqueue(caller_id,
 						RADIO_TICKER_USER_ID_WORKER, 0,
 						&s_mfy_xtal_start);
 			LL_ASSERT(!retval);
 		}
 	} else {
 		if (s_xtal_retained) {
-			static void *s_link[2];
-			static struct mayfly s_mfy_xtal_stop = {0, 0, s_link,
-				0, mayfly_xtal_stop};
+			static void *s_link[2][2];
+			static struct mayfly s_mfy_xtal_stop[2] = {
+				{0, 0, s_link[0], NULL, mayfly_xtal_stop},
+				{0, 0, s_link[1], NULL, mayfly_xtal_stop}
+			};
+			struct mayfly *p_mfy_xtal_stop = NULL;
 			uint32_t retval;
 
 			s_xtal_retained = 0;
 
-			retval = mayfly_enqueue(RADIO_TICKER_USER_ID_WORKER,
+			switch (caller_id) {
+			case RADIO_TICKER_USER_ID_WORKER:
+				p_mfy_xtal_stop = &s_mfy_xtal_stop[0];
+				break;
+
+			case RADIO_TICKER_USER_ID_JOB:
+				p_mfy_xtal_stop = &s_mfy_xtal_stop[1];
+				break;
+
+			default:
+				LL_ASSERT(0);
+				break;
+			}
+
+			retval = mayfly_enqueue(caller_id,
 						RADIO_TICKER_USER_ID_WORKER, 0,
-						&s_mfy_xtal_stop);
+						p_mfy_xtal_stop);
 			LL_ASSERT(!retval);
 		}
 	}
@@ -3073,7 +3093,7 @@ static uint32_t preempt_calc(struct shdr *hdr, uint8_t ticker_id,
 
 	diff += 3;
 	if (diff > TICKER_US_TO_TICKS(RADIO_TICKER_START_PART_US)) {
-		mayfly_xtal_retain(0);
+		mayfly_xtal_retain(RADIO_TICKER_USER_ID_WORKER, 0);
 
 		prepare_normal_set(hdr, RADIO_TICKER_USER_ID_WORKER, ticker_id);
 
@@ -3100,29 +3120,31 @@ static uint32_t preempt_calc(struct shdr *hdr, uint8_t ticker_id,
  */
 static void mayfly_xtal_stop_calc(void *params)
 {
-	uint32_t volatile ticker_status;
-	uint8_t ticker_id;
-	uint32_t ticks_current;
+	uint32_t volatile ret_cb = TICKER_STATUS_BUSY;
 	uint32_t ticks_to_expire;
+	uint32_t ticks_current;
+	uint8_t ticker_id;
+	uint32_t ret;
 
 	ticker_id = 0xff;
 	ticks_to_expire = 0;
-	ticker_status =
-		ticker_next_slot_get(RADIO_TICKER_INSTANCE_ID_RADIO,
-				     RADIO_TICKER_USER_ID_JOB, &ticker_id,
-				     &ticks_current, &ticks_to_expire,
-				     ticker_if_done, (void *)&ticker_status);
+	ret = ticker_next_slot_get(RADIO_TICKER_INSTANCE_ID_RADIO,
+				   RADIO_TICKER_USER_ID_JOB, &ticker_id,
+				   &ticks_current, &ticks_to_expire,
+				   ticker_if_done, (void *)&ret_cb);
 
-	while (ticker_status == TICKER_STATUS_BUSY) {
-		ticker_job_sched(RADIO_TICKER_INSTANCE_ID_RADIO,
-				 RADIO_TICKER_USER_ID_JOB);
+	if (ret == TICKER_STATUS_BUSY) {
+		while (ret_cb == TICKER_STATUS_BUSY) {
+			ticker_job_sched(RADIO_TICKER_INSTANCE_ID_RADIO,
+					 RADIO_TICKER_USER_ID_JOB);
+		}
 	}
 
-	LL_ASSERT(ticker_status == TICKER_STATUS_SUCCESS);
+	LL_ASSERT(ret_cb == TICKER_STATUS_SUCCESS);
 
 	if ((ticker_id != 0xff) &&
 	    (ticks_to_expire < TICKER_US_TO_TICKS(10000))) {
-		mayfly_xtal_retain(1);
+		mayfly_xtal_retain(RADIO_TICKER_USER_ID_JOB, 1);
 
 		if (ticker_id >= RADIO_TICKER_ID_ADV) {
 #if SCHED_ADVANCED
@@ -3169,6 +3191,7 @@ static void mayfly_xtal_stop_calc(void *params)
 					uint32_t ticks_drift_plus =
 						hdr->ticks_xtal_to_start -
 						ticks_prepare_to_start;
+					uint32_t ticker_status;
 
 					ticker_status =
 						ticker_update(
@@ -3260,7 +3283,7 @@ static void mayfly_xtal_stop_calc(void *params)
 #endif /* SCHED_ADVANCED */
 		}
 	} else {
-		mayfly_xtal_retain(0);
+		mayfly_xtal_retain(RADIO_TICKER_USER_ID_JOB, 0);
 
 		if ((ticker_id != 0xff) && (ticker_id >= RADIO_TICKER_ID_ADV)) {
 			struct shdr *hdr = NULL;
@@ -3306,21 +3329,23 @@ static void sched_after_mstr_free_slot_get(uint8_t user_id,
 	ticks_to_expire = ticks_to_expire_prev = *us_offset = 0;
 	ticks_slot_prev_abs = 0;
 	while (1) {
-		uint32_t volatile ticker_status;
+		uint32_t volatile ret_cb = TICKER_STATUS_BUSY;
 		struct connection *conn;
+		uint32_t ret;
 
-		ticker_status =
-			ticker_next_slot_get(RADIO_TICKER_INSTANCE_ID_RADIO,
-					     user_id, &ticker_id, ticks_anchor,
-					     &ticks_to_expire, ticker_if_done,
-					     (void *)&ticker_status);
+		ret = ticker_next_slot_get(RADIO_TICKER_INSTANCE_ID_RADIO,
+					   user_id, &ticker_id, ticks_anchor,
+					   &ticks_to_expire, ticker_if_done,
+					   (void *)&ret_cb);
 
-		while (ticker_status == TICKER_STATUS_BUSY) {
-			ticker_job_sched(RADIO_TICKER_INSTANCE_ID_RADIO,
-					 user_id);
+		if (ret == TICKER_STATUS_BUSY) {
+			while (ret_cb == TICKER_STATUS_BUSY) {
+				ticker_job_sched(RADIO_TICKER_INSTANCE_ID_RADIO,
+						 user_id);
+			}
 		}
 
-		LL_ASSERT(ticker_status == TICKER_STATUS_SUCCESS);
+		LL_ASSERT(ret_cb == TICKER_STATUS_SUCCESS);
 
 		if (ticker_id == 0xff) {
 			break;
@@ -3458,23 +3483,24 @@ static void sched_free_win_offset_calc(struct connection *conn_curr,
 		ticks_anchor_prev = offset_index = _win_offset = 0;
 	ticks_slot_prev_abs = 0;
 	do {
-		uint32_t volatile ticker_status;
+		uint32_t volatile ret_cb = TICKER_STATUS_BUSY;
 		struct connection *conn;
+		uint32_t ret;
 
-		ticker_status =
-			ticker_next_slot_get(
-					     RADIO_TICKER_INSTANCE_ID_RADIO,
-					     RADIO_TICKER_USER_ID_JOB,
-					     &ticker_id, &ticks_anchor,
-					     &ticks_to_expire, ticker_if_done,
-					     (void *)&ticker_status);
+		ret = ticker_next_slot_get(RADIO_TICKER_INSTANCE_ID_RADIO,
+					   RADIO_TICKER_USER_ID_JOB,
+					   &ticker_id, &ticks_anchor,
+					   &ticks_to_expire, ticker_if_done,
+					   (void *)&ret_cb);
 
-		while (ticker_status == TICKER_STATUS_BUSY) {
-			ticker_job_sched(RADIO_TICKER_INSTANCE_ID_RADIO,
-					 RADIO_TICKER_USER_ID_JOB);
+		if (ret == TICKER_STATUS_BUSY) {
+			while (ret_cb == TICKER_STATUS_BUSY) {
+				ticker_job_sched(RADIO_TICKER_INSTANCE_ID_RADIO,
+						 RADIO_TICKER_USER_ID_JOB);
+			}
 		}
 
-		LL_ASSERT(ticker_status == TICKER_STATUS_SUCCESS);
+		LL_ASSERT(ret_cb == TICKER_STATUS_SUCCESS);
 
 		if (ticker_id == 0xff) {
 			break;
@@ -6827,45 +6853,44 @@ static inline void role_active_disable(uint8_t ticker_id_stop,
 	static void *s_link[2];
 	static struct mayfly s_mfy_radio_inactive = {0, 0, s_link, 0,
 		mayfly_radio_inactive};
-	uint32_t volatile ticker_status_event;
+	uint32_t volatile ret_cb = TICKER_STATUS_BUSY;
+	uint32_t ret;
 
 	/* Step 2: Is caller before Event? Stop Event */
-	ticker_status_event =
-		ticker_stop(RADIO_TICKER_INSTANCE_ID_RADIO,
-			    RADIO_TICKER_USER_ID_APP, RADIO_TICKER_ID_EVENT,
-			    ticker_if_done, (void *)&ticker_status_event);
+	ret = ticker_stop(RADIO_TICKER_INSTANCE_ID_RADIO,
+			  RADIO_TICKER_USER_ID_APP, RADIO_TICKER_ID_EVENT,
+			  ticker_if_done, (void *)&ret_cb);
 
-	if (ticker_status_event == TICKER_STATUS_BUSY) {
-		mayfly_enable(RADIO_TICKER_USER_ID_JOB,
+	if (ret == TICKER_STATUS_BUSY) {
+		mayfly_enable(RADIO_TICKER_USER_ID_APP,
 			      RADIO_TICKER_USER_ID_JOB, 1);
 
-		LL_ASSERT(ticker_status_event != TICKER_STATUS_BUSY);
+		LL_ASSERT(ret_cb != TICKER_STATUS_BUSY);
 	}
 
-	if (ticker_status_event == TICKER_STATUS_SUCCESS) {
+	if (ret_cb == TICKER_STATUS_SUCCESS) {
 		static void *s_link[2];
 		static struct mayfly s_mfy_xtal_stop = {0, 0, s_link, 0,
 			mayfly_xtal_stop};
-		uint32_t volatile ticker_status_pre_event;
+		uint32_t volatile ret_cb = TICKER_STATUS_BUSY;
+		uint32_t ret;
 
 		/* Step 2.1: Is caller between Primary and Marker0?
 		 * Stop the Marker0 event
 		 */
-		ticker_status_pre_event =
-			ticker_stop(RADIO_TICKER_INSTANCE_ID_RADIO,
-				    RADIO_TICKER_USER_ID_APP,
-				    RADIO_TICKER_ID_MARKER_0,
-				    ticker_if_done,
-				    (void *)&ticker_status_pre_event);
+		ret = ticker_stop(RADIO_TICKER_INSTANCE_ID_RADIO,
+				  RADIO_TICKER_USER_ID_APP,
+				  RADIO_TICKER_ID_MARKER_0,
+				  ticker_if_done, (void *)&ret_cb);
 
-		if (ticker_status_pre_event == TICKER_STATUS_BUSY) {
-			mayfly_enable(RADIO_TICKER_USER_ID_JOB,
+		if (ret == TICKER_STATUS_BUSY) {
+			mayfly_enable(RADIO_TICKER_USER_ID_APP,
 				      RADIO_TICKER_USER_ID_JOB, 1);
 
-			LL_ASSERT(ticker_status_event != TICKER_STATUS_BUSY);
+			LL_ASSERT(ret_cb != TICKER_STATUS_BUSY);
 		}
 
-		if (ticker_status_pre_event == TICKER_STATUS_SUCCESS) {
+		if (ret_cb == TICKER_STATUS_SUCCESS) {
 			/* Step 2.1.1: Check and deassert Radio Active or XTAL
 			 * start
 			 */
@@ -6876,7 +6901,7 @@ static inline void role_active_disable(uint8_t ticker_id_stop,
 				 * here
 				 */
 				retval = mayfly_enqueue(
-						RADIO_TICKER_USER_ID_JOB,
+						RADIO_TICKER_USER_ID_APP,
 						RADIO_TICKER_USER_ID_WORKER, 0,
 						&s_mfy_radio_inactive);
 				LL_ASSERT(!retval);
@@ -6885,32 +6910,33 @@ static inline void role_active_disable(uint8_t ticker_id_stop,
 
 				/* XTAL started, handle XTAL stop here */
 				retval = mayfly_enqueue(
-						RADIO_TICKER_USER_ID_JOB,
+						RADIO_TICKER_USER_ID_APP,
 						RADIO_TICKER_USER_ID_WORKER, 0,
 						&s_mfy_xtal_stop);
 				LL_ASSERT(!retval);
 			}
-		} else if (ticker_status_pre_event == TICKER_STATUS_FAILURE) {
+		} else if (ret_cb == TICKER_STATUS_FAILURE) {
 			uint32_t retval;
 
 			/* Step 2.1.2: Deassert Radio Active and XTAL start */
 
 			/* radio active asserted, handle deasserting here */
-			retval = mayfly_enqueue(RADIO_TICKER_USER_ID_JOB,
+			retval = mayfly_enqueue(RADIO_TICKER_USER_ID_APP,
 						RADIO_TICKER_USER_ID_WORKER, 0,
 						&s_mfy_radio_inactive);
 			LL_ASSERT(!retval);
 
 			/* XTAL started, handle XTAL stop here */
-			retval = mayfly_enqueue(RADIO_TICKER_USER_ID_JOB,
+			retval = mayfly_enqueue(RADIO_TICKER_USER_ID_APP,
 						RADIO_TICKER_USER_ID_WORKER, 0,
 						&s_mfy_xtal_stop);
 			LL_ASSERT(!retval);
 		} else {
 			LL_ASSERT(0);
 		}
-	} else if (ticker_status_event == TICKER_STATUS_FAILURE) {
-		uint32_t volatile ticker_status_stop;
+	} else if (ret_cb == TICKER_STATUS_FAILURE) {
+		uint32_t volatile ret_cb = TICKER_STATUS_BUSY;
+		uint32_t ret;
 
 		/* Step 3: Caller inside Event, handle graceful stop of Event
 		 * (role dependent)
@@ -6918,21 +6944,19 @@ static inline void role_active_disable(uint8_t ticker_id_stop,
 		/* Stop ticker "may" be in use for direct adv or observer,
 		 * hence stop may fail if ticker not used.
 		 */
-		ticker_status_stop =
-			ticker_stop(RADIO_TICKER_INSTANCE_ID_RADIO,
-				    RADIO_TICKER_USER_ID_APP, ticker_id_stop,
-				    ticker_if_done,
-				    (void *)&ticker_status_stop);
+		ret = ticker_stop(RADIO_TICKER_INSTANCE_ID_RADIO,
+				  RADIO_TICKER_USER_ID_APP, ticker_id_stop,
+				  ticker_if_done, (void *)&ret_cb);
 
-		if (ticker_status_stop == TICKER_STATUS_BUSY) {
-			mayfly_enable(RADIO_TICKER_USER_ID_JOB,
+		if (ret == TICKER_STATUS_BUSY) {
+			mayfly_enable(RADIO_TICKER_USER_ID_APP,
 				      RADIO_TICKER_USER_ID_JOB, 1);
 
-			LL_ASSERT(ticker_status_event != TICKER_STATUS_BUSY);
+			LL_ASSERT(ret_cb != TICKER_STATUS_BUSY);
 		}
 
-		LL_ASSERT((ticker_status_stop == TICKER_STATUS_SUCCESS) ||
-			  (ticker_status_stop == TICKER_STATUS_FAILURE));
+		LL_ASSERT((ret_cb == TICKER_STATUS_SUCCESS) ||
+			  (ret_cb == TICKER_STATUS_FAILURE));
 
 		if (_radio.role != ROLE_NONE) {
 			static void *s_link[2];
@@ -6944,7 +6968,7 @@ static inline void role_active_disable(uint8_t ticker_id_stop,
 			s_mfy_radio_stop.param = (void *)STATE_STOP;
 
 			/* Stop Radio Tx/Rx */
-			retval = mayfly_enqueue(RADIO_TICKER_USER_ID_JOB,
+			retval = mayfly_enqueue(RADIO_TICKER_USER_ID_APP,
 						RADIO_TICKER_USER_ID_WORKER, 0,
 						&s_mfy_radio_stop);
 			LL_ASSERT(!retval);
@@ -6957,15 +6981,15 @@ static inline void role_active_disable(uint8_t ticker_id_stop,
 	} else {
 		LL_ASSERT(0);
 	}
-
 }
 
 static uint32_t role_disable(uint8_t ticker_id_primary,
 			     uint8_t ticker_id_stop)
 {
-	uint32_t volatile ticker_status;
-	uint32_t ticks_xtal_to_start = 0;
+	uint32_t volatile ret_cb = TICKER_STATUS_BUSY;
 	uint32_t ticks_active_to_start = 0;
+	uint32_t ticks_xtal_to_start = 0;
+	uint32_t ret;
 
 	switch (ticker_id_primary) {
 	case RADIO_TICKER_ID_ADV:
@@ -7008,26 +7032,24 @@ static uint32_t role_disable(uint8_t ticker_id_primary,
 	_radio.ticker_id_stop = ticker_id_primary;
 
 	/* Step 1: Is Primary started? Stop the Primary ticker */
-	ticker_status =
-		ticker_stop(RADIO_TICKER_INSTANCE_ID_RADIO,
-			    RADIO_TICKER_USER_ID_APP,
-			    ticker_id_primary, ticker_if_done,
-			    (void *)&ticker_status);
+	ret = ticker_stop(RADIO_TICKER_INSTANCE_ID_RADIO,
+			  RADIO_TICKER_USER_ID_APP, ticker_id_primary,
+			  ticker_if_done, (void *)&ret_cb);
 
-	if (ticker_status == TICKER_STATUS_BUSY) {
+	if (ret == TICKER_STATUS_BUSY) {
 		/* if inside our event, enable Job. */
 		if (_radio.ticker_id_event == ticker_id_primary) {
-			mayfly_enable(RADIO_TICKER_USER_ID_JOB,
+			mayfly_enable(RADIO_TICKER_USER_ID_APP,
 				      RADIO_TICKER_USER_ID_JOB, 1);
 		}
 
-		/** @todo design to avoid this wait */
-		while (ticker_status == TICKER_STATUS_BUSY) {
+		/* wait for ticker to be stopped */
+		while (ret_cb == TICKER_STATUS_BUSY) {
 			cpu_sleep();
 		}
 	}
 
-	if (ticker_status != TICKER_STATUS_SUCCESS) {
+	if (ret_cb != TICKER_STATUS_SUCCESS) {
 		goto role_disable_cleanup;
 	}
 
@@ -7040,22 +7062,23 @@ static uint32_t role_disable(uint8_t ticker_id_primary,
 	}
 
 	if (!_radio.ticker_id_stop) {
-		ticker_status = TICKER_STATUS_FAILURE;
+		ret_cb = TICKER_STATUS_FAILURE;
 	}
 
 role_disable_cleanup:
 	_radio.ticker_id_stop = 0;
 
-	return ticker_status;
+	return ret_cb;
 }
 
 uint32_t radio_adv_enable(uint16_t interval, uint8_t chl_map,
 			  uint8_t filter_policy)
 {
-	struct connection *conn;
-	uint32_t volatile ticker_status;
+	uint32_t volatile ret_cb = TICKER_STATUS_BUSY;
 	uint32_t ticks_slot_offset;
+	struct connection *conn;
 	struct pdu_adv *pdu_adv;
+	uint32_t ret;
 
 	pdu_adv = (struct pdu_adv *)
 		&_radio.advertiser.adv_data.data[_radio.advertiser.adv_data.last][0];
@@ -7178,28 +7201,28 @@ uint32_t radio_adv_enable(uint16_t interval, uint8_t chl_map,
 	if (pdu_adv->type == PDU_ADV_TYPE_DIRECT_IND) {
 		uint32_t ticks_now = ticker_ticks_now_get();
 
-		ticker_status =
-			ticker_start(RADIO_TICKER_INSTANCE_ID_RADIO,
-				     RADIO_TICKER_USER_ID_APP,
-				     RADIO_TICKER_ID_ADV, ticks_now, 0,
-				     (ticks_slot_offset +
-				      _radio.advertiser.hdr.ticks_slot),
-				     TICKER_NULL_REMAINDER, TICKER_NULL_LAZY,
-				     (ticks_slot_offset +
-				      _radio.advertiser.hdr.ticks_slot),
-				     radio_event_adv_prepare, 0,
-				     ticker_if_done, (void *)&ticker_status);
+		ret = ticker_start(RADIO_TICKER_INSTANCE_ID_RADIO,
+				   RADIO_TICKER_USER_ID_APP,
+				   RADIO_TICKER_ID_ADV, ticks_now, 0,
+				   (ticks_slot_offset +
+				    _radio.advertiser.hdr.ticks_slot),
+				   TICKER_NULL_REMAINDER, TICKER_NULL_LAZY,
+				   (ticks_slot_offset +
+				    _radio.advertiser.hdr.ticks_slot),
+				   radio_event_adv_prepare, NULL,
+				   ticker_if_done, (void *)&ret_cb);
 
-		/** @todo design to avoid this wait */
-		while (ticker_status == TICKER_STATUS_BUSY) {
-			cpu_sleep();
+		if (ret == TICKER_STATUS_BUSY) {
+			while (ret_cb == TICKER_STATUS_BUSY) {
+				cpu_sleep();
+			}
 		}
 
-		if (ticker_status != TICKER_STATUS_SUCCESS) {
+		if (ret_cb != TICKER_STATUS_SUCCESS) {
 			goto failure_cleanup;
 		}
 
-		ticker_status =
+		ret =
 			ticker_start(RADIO_TICKER_INSTANCE_ID_RADIO,
 				     RADIO_TICKER_USER_ID_APP,
 				     RADIO_TICKER_ID_ADV_STOP, ticks_now,
@@ -7207,10 +7230,10 @@ uint32_t radio_adv_enable(uint16_t interval, uint8_t chl_map,
 							RADIO_TICKER_XTAL_OFFSET_US),
 				     TICKER_NULL_PERIOD, TICKER_NULL_REMAINDER,
 				     TICKER_NULL_LAZY, TICKER_NULL_SLOT,
-				     event_adv_stop, 0, ticker_if_done,
-				     (void *)&ticker_status);
+				     event_adv_stop, NULL, ticker_if_done,
+				     (void *)&ret_cb);
 	} else {
-		ticker_status =
+		ret =
 			ticker_start(RADIO_TICKER_INSTANCE_ID_RADIO,
 				     RADIO_TICKER_USER_ID_APP,
 				     RADIO_TICKER_ID_ADV,
@@ -7219,16 +7242,17 @@ uint32_t radio_adv_enable(uint16_t interval, uint8_t chl_map,
 				     TICKER_NULL_REMAINDER, TICKER_NULL_LAZY,
 				     (ticks_slot_offset +
 				      _radio.advertiser.hdr.ticks_slot),
-				     radio_event_adv_prepare, 0, ticker_if_done,
-				     (void *)&ticker_status);
+				     radio_event_adv_prepare, NULL,
+				     ticker_if_done, (void *)&ret_cb);
 	}
 
-	/** @todo design to avoid this wait */
-	while (ticker_status == TICKER_STATUS_BUSY) {
-		cpu_sleep();
+	if (ret == TICKER_STATUS_BUSY) {
+		while (ret_cb == TICKER_STATUS_BUSY) {
+			cpu_sleep();
+		}
 	}
 
-	if (ticker_status == TICKER_STATUS_SUCCESS) {
+	if (ret_cb == TICKER_STATUS_SUCCESS) {
 		return 0;
 	}
 
@@ -7269,11 +7293,12 @@ uint32_t radio_scan_enable(uint8_t scan_type, uint8_t init_addr_type,
 			   uint8_t *init_addr, uint16_t interval,
 			   uint16_t window, uint8_t filter_policy)
 {
-	uint32_t volatile ticker_status;
+	uint32_t volatile ret_cb = TICKER_STATUS_BUSY;
+	uint32_t ticks_slot_offset;
+	uint32_t ticks_interval;
 	uint32_t ticks_anchor;
 	uint32_t us_offset;
-	uint32_t ticks_interval;
-	uint32_t ticks_slot_offset;
+	uint32_t ret;
 
 	_radio.observer.scan_type = scan_type;
 	_radio.observer.init_addr_type = init_addr_type;
@@ -7328,24 +7353,25 @@ uint32_t radio_scan_enable(uint8_t scan_type, uint8_t init_addr_type,
 	}
 #endif
 
-	ticker_status =
-		ticker_start(RADIO_TICKER_INSTANCE_ID_RADIO,
-			     RADIO_TICKER_USER_ID_APP, RADIO_TICKER_ID_OBS,
-			     (ticks_anchor + TICKER_US_TO_TICKS(us_offset)), 0,
-			     ticks_interval,
-			     TICKER_REMAINDER((uint64_t) interval * 625),
-			     TICKER_NULL_LAZY,
-			     (ticks_slot_offset +
-			      _radio.observer.hdr.ticks_slot),
-			     event_obs_prepare, 0, ticker_if_done,
-			     (void *)&ticker_status);
+	ret = ticker_start(RADIO_TICKER_INSTANCE_ID_RADIO,
+			   RADIO_TICKER_USER_ID_APP, RADIO_TICKER_ID_OBS,
+			   (ticks_anchor + TICKER_US_TO_TICKS(us_offset)), 0,
+			   ticks_interval,
+			   TICKER_REMAINDER((uint64_t) interval * 625),
+			   TICKER_NULL_LAZY,
+			   (ticks_slot_offset +
+			    _radio.observer.hdr.ticks_slot),
+			   event_obs_prepare, NULL, ticker_if_done,
+			   (void *)&ret_cb);
 
-	/** @todo design to avoid this wait */
-	while (ticker_status == TICKER_STATUS_BUSY) {
-		cpu_sleep();
+	if (ret == TICKER_STATUS_BUSY) {
+		while (ret_cb == TICKER_STATUS_BUSY) {
+			cpu_sleep();
+		}
 	}
 
-	return ((ticker_status == TICKER_STATUS_SUCCESS) ? 0 : 1);
+
+	return ((ret_cb == TICKER_STATUS_SUCCESS) ? 0 : 1);
 }
 
 uint32_t radio_scan_disable(void)