diff --git a/.gitignore b/.gitignore index 789f57ee0..0f95b4c79 100644 --- a/.gitignore +++ b/.gitignore @@ -31,6 +31,17 @@ massif-* # Python build artifacts: *.pyc +# CMake generates *.dir/ folders for in-tree builds (used by MSVC projects), ignore all of those: +*.dir/ + +# Visual Studio artifacts +/visualc/VS2010/.localhistory/ +/visualc/VS2010/.vs/ +/visualc/VS2010/Debug/ +/visualc/VS2010/Release/ +/visualc/VS2010/*.vcxproj.filters +/visualc/VS2010/*.vcxproj.user + # Generated documentation: /apidoc diff --git a/CMakeLists.txt b/CMakeLists.txt index 38c800608..67ec7ccee 100644 --- a/CMakeLists.txt +++ b/CMakeLists.txt @@ -5,6 +5,8 @@ else() project("mbed TLS" C) endif() +set(MBEDTLS_DIR ${CMAKE_CURRENT_SOURCE_DIR}) + option(USE_PKCS11_HELPER_LIBRARY "Build mbed TLS with the pkcs11-helper library." OFF) option(ENABLE_ZLIB_SUPPORT "Build mbed TLS with zlib library." OFF) @@ -127,7 +129,10 @@ if(CMAKE_COMPILER_IS_GNU) # note: starting with CMake 2.8 we could use CMAKE_C_COMPILER_VERSION execute_process(COMMAND ${CMAKE_C_COMPILER} -dumpversion OUTPUT_VARIABLE GCC_VERSION) - set(CMAKE_C_FLAGS "${CMAKE_C_FLAGS} -Wall -Wextra -W -Wdeclaration-after-statement -Wwrite-strings") + set(CMAKE_C_FLAGS "${CMAKE_C_FLAGS} -Wall -Wextra -Wwrite-strings") + if (GCC_VERSION VERSION_GREATER 4.3 OR GCC_VERSION VERSION_EQUAL 4.3) + set(CMAKE_C_FLAGS "${CMAKE_C_FLAGS} -Wvla") + endif() if (GCC_VERSION VERSION_GREATER 4.5 OR GCC_VERSION VERSION_EQUAL 4.5) set(CMAKE_C_FLAGS "${CMAKE_C_FLAGS} -Wlogical-op") endif() @@ -144,7 +149,7 @@ if(CMAKE_COMPILER_IS_GNU) endif(CMAKE_COMPILER_IS_GNU) if(CMAKE_COMPILER_IS_CLANG) - set(CMAKE_C_FLAGS "${CMAKE_C_FLAGS} -Wall -Wextra -W -Wdeclaration-after-statement -Wwrite-strings -Wpointer-arith -Wimplicit-fallthrough -Wshadow") + set(CMAKE_C_FLAGS "${CMAKE_C_FLAGS} -Wall -Wextra -Wwrite-strings -Wpointer-arith -Wimplicit-fallthrough -Wshadow -Wvla") set(CMAKE_C_FLAGS_RELEASE "-O2") set(CMAKE_C_FLAGS_DEBUG "-O0 -g3") set(CMAKE_C_FLAGS_COVERAGE "-O0 -g3 --coverage") diff --git a/ChangeLog b/ChangeLog index b627d0910..20491edcb 100644 --- a/ChangeLog +++ b/ChangeLog @@ -75,6 +75,10 @@ Bugfix * Enable Suite B with subset of ECP curves. Make sure the code compiles even if some curves are not defined. Fixes #1591 reported by dbedev. * Fix misuse of signed arithmetic in the HAVEGE module. #2598 + * Avoid use of statically sized stack buffers for certificate writing. + This previously limited the maximum size of DER encoded certificates + in mbedtls_x509write_crt_der() to 2Kb. Reported by soccerGB in #2631. + * Fix partial zeroing in x509_get_other_name. Found and fixed by ekse, #2716. API Changes * Extend the MBEDTLS_SSL_EXPORT_KEYS to export the handshake randbytes, @@ -105,6 +109,25 @@ Changes * Make it easier to define MBEDTLS_PARAM_FAILED as assert (which config.h suggests). #2671 * Make `make clean` clean all programs always. Fixes #1862. + * Add a Dockerfile and helper scripts (all-in-docker.sh, basic-in-docker.sh, + docker-env.sh) to simplify running test suites on a Linux host. Contributed + by Peter Kolbus (Garmin). + * Enable building of Mbed TLS as a CMake subproject. Suggested and fixed by + Ashley Duncan in #2609. + * Add `reproducible` option to `ssl_client2` and `ssl_server2` to enable + test runs without variability. Contributed by Philippe Antoine (Catena + cyber) in #2681. + * Extended .gitignore to ignore Visual Studio artifacts. Fixed by ConfusedSushi. + * Enable building of Mbed TLS as a CMake subproject. Suggested and fixed by + Ashley Duncan in #2609. + * Add `reproducible` option to `ssl_client2` and `ssl_server2` to enable + test runs without variability. Contributed by Philippe Antoine (Catena + cyber) in #2681. + * Enable building of Mbed TLS as a CMake subproject. Suggested and fixed by + Ashley Duncan in #2609. + * Add `reproducible` option to `ssl_client2` and `ssl_server2` to enable + test runs without variability. Contributed by Philippe Antoine (Catena + cyber) in #2681. = mbed TLS 2.17.0 branch released 2019-03-19 diff --git a/README.md b/README.md index 5b0160351..83b32347e 100644 --- a/README.md +++ b/README.md @@ -64,7 +64,7 @@ In order to build for a Windows platform, you should use `WINDOWS_BUILD=1` if th Setting the variable `SHARED` in your environment will build shared libraries in addition to the static libraries. Setting `DEBUG` gives you a debug build. You can override `CFLAGS` and `LDFLAGS` by setting them in your environment or on the make command line; compiler warning options may be overridden separately using `WARNING_CFLAGS`. Some directory-specific options (for example, `-I` directives) are still preserved. -Please note that setting `CFLAGS` overrides its default value of `-O2` and setting `WARNING_CFLAGS` overrides its default value (starting with `-Wall -W`), so if you just want to add some warning options to the default ones, you can do so by setting `CFLAGS=-O2 -Werror` for example. Setting `WARNING_CFLAGS` is useful when you want to get rid of its default content (for example because your compiler doesn't accept `-Wall` as an option). Directory-specific options cannot be overridden from the command line. +Please note that setting `CFLAGS` overrides its default value of `-O2` and setting `WARNING_CFLAGS` overrides its default value (starting with `-Wall -Wextra`), so if you just want to add some warning options to the default ones, you can do so by setting `CFLAGS=-O2 -Werror` for example. Setting `WARNING_CFLAGS` is useful when you want to get rid of its default content (for example because your compiler doesn't accept `-Wall` as an option). Directory-specific options cannot be overridden from the command line. Depending on your platform, you might run into some issues. Please check the Makefiles in `library/`, `programs/` and `tests/` for options to manually add or remove for specific platforms. You can also check [the Mbed TLS Knowledge Base](https://tls.mbed.org/kb) for articles on your platform or issue. @@ -146,6 +146,12 @@ Regarding variables, also note that if you set CFLAGS when invoking cmake, your value of CFLAGS doesn't override the content provided by cmake (depending on the build mode as seen above), it's merely prepended to it. +#### Mbed TLS as a subproject + +Mbed TLS, like Mbed Crypto, supports being built as a CMake subproject. One can +use `add_subdirectory()` from a parent CMake project to include Mbed TLS as a +subproject. + ### Microsoft Visual Studio The build files for Microsoft Visual Studio are generated for Visual Studio 2010. diff --git a/include/mbedtls/pem.h b/include/mbedtls/pem.h index a29e9ce30..b37f9873a 100644 --- a/include/mbedtls/pem.h +++ b/include/mbedtls/pem.h @@ -112,17 +112,27 @@ void mbedtls_pem_free( mbedtls_pem_context *ctx ); * \brief Write a buffer of PEM information from a DER encoded * buffer. * - * \param header header string to write - * \param footer footer string to write - * \param der_data DER data to write - * \param der_len length of the DER data - * \param buf buffer to write to - * \param buf_len length of output buffer - * \param olen total length written / required (if buf_len is not enough) + * \param header The header string to write. + * \param footer The footer string to write. + * \param der_data The DER data to encode. + * \param der_len The length of the DER data \p der_data in Bytes. + * \param buf The buffer to write to. + * \param buf_len The length of the output buffer \p buf in Bytes. + * \param olen The address at which to store the total length written + * or required (if \p buf_len is not enough). * - * \return 0 on success, or a specific PEM or BASE64 error code. On - * MBEDTLS_ERR_BASE64_BUFFER_TOO_SMALL olen is the required - * size. + * \note You may pass \c NULL for \p buf and \c 0 for \p buf_len + * to request the length of the resulting PEM buffer in + * `*olen`. + * + * \note This function may be called with overlapping \p der_data + * and \p buf buffers. + * + * \return \c 0 on success. + * \return #MBEDTLS_ERR_BASE64_BUFFER_TOO_SMALL if \p buf isn't large + * enough to hold the PEM buffer. In this case, `*olen` holds + * the required minimum size of \p buf. + * \return Another PEM or BASE64 error code on other kinds of failure. */ int mbedtls_pem_write_buffer( const char *header, const char *footer, const unsigned char *der_data, size_t der_len, diff --git a/library/CMakeLists.txt b/library/CMakeLists.txt index 1004cb30b..7f0819ef6 100644 --- a/library/CMakeLists.txt +++ b/library/CMakeLists.txt @@ -151,15 +151,15 @@ if(USE_STATIC_MBEDTLS_LIBRARY) set_target_properties(${mbedx509_static_target} PROPERTIES OUTPUT_NAME mbedx509) target_link_libraries(${mbedx509_static_target} ${libs} ${mbedcrypto_static_target}) target_include_directories(${mbedx509_static_target} - PUBLIC ${CMAKE_SOURCE_DIR}/include/ - PUBLIC ${CMAKE_SOURCE_DIR}/crypto/include/) + PUBLIC ${MBEDTLS_DIR}/include/ + PUBLIC ${MBEDTLS_DIR}/crypto/include/) add_library(${mbedtls_static_target} STATIC ${src_tls}) set_target_properties(${mbedtls_static_target} PROPERTIES OUTPUT_NAME mbedtls) target_link_libraries(${mbedtls_static_target} ${libs} ${mbedx509_static_target}) target_include_directories(${mbedtls_static_target} - PUBLIC ${CMAKE_SOURCE_DIR}/include/ - PUBLIC ${CMAKE_SOURCE_DIR}/crypto/include/ + PUBLIC ${MBEDTLS_DIR}/include/ + PUBLIC ${MBEDTLS_DIR}/crypto/include/ ) @@ -175,15 +175,15 @@ if(USE_SHARED_MBEDTLS_LIBRARY) set_target_properties(mbedx509 PROPERTIES VERSION 2.17.0 SOVERSION 0) target_link_libraries(mbedx509 ${libs} mbedcrypto) target_include_directories(mbedx509 - PUBLIC ${CMAKE_SOURCE_DIR}/include/ - PUBLIC ${CMAKE_SOURCE_DIR}/crypto/include/) + PUBLIC ${MBEDTLS_DIR}/include/ + PUBLIC ${MBEDTLS_DIR}/crypto/include/) add_library(mbedtls SHARED ${src_tls}) set_target_properties(mbedtls PROPERTIES VERSION 2.17.0 SOVERSION 12) target_link_libraries(mbedtls ${libs} mbedx509) target_include_directories(mbedtls - PUBLIC ${CMAKE_SOURCE_DIR}/include/ - PUBLIC ${CMAKE_SOURCE_DIR}/crypto/include/) + PUBLIC ${MBEDTLS_DIR}/include/ + PUBLIC ${MBEDTLS_DIR}/crypto/include/) install(TARGETS mbedtls mbedx509 DESTINATION ${LIB_INSTALL_DIR} diff --git a/library/Makefile b/library/Makefile index 60f3ae0d3..8b2e572aa 100644 --- a/library/Makefile +++ b/library/Makefile @@ -2,7 +2,7 @@ # Also see "include/mbedtls/config.h" CFLAGS ?= -O2 -WARNING_CFLAGS ?= -Wall -W -Wdeclaration-after-statement +WARNING_CFLAGS ?= -Wall -Wextra LDFLAGS ?= LOCAL_CFLAGS = $(WARNING_CFLAGS) -I../include -D_FILE_OFFSET_BITS=64 diff --git a/library/x509_crt.c b/library/x509_crt.c index d101bc748..b2c19db68 100644 --- a/library/x509_crt.c +++ b/library/x509_crt.c @@ -1687,7 +1687,7 @@ static int x509_get_other_name( const mbedtls_x509_buf *subject_alt_name, if( p + len >= end ) { - mbedtls_platform_zeroize( other_name, sizeof( other_name ) ); + mbedtls_platform_zeroize( other_name, sizeof( *other_name ) ); return( MBEDTLS_ERR_X509_INVALID_EXTENSIONS + MBEDTLS_ERR_ASN1_LENGTH_MISMATCH ); } @@ -1709,7 +1709,7 @@ static int x509_get_other_name( const mbedtls_x509_buf *subject_alt_name, if( p + len >= end ) { - mbedtls_platform_zeroize( other_name, sizeof( other_name ) ); + mbedtls_platform_zeroize( other_name, sizeof( *other_name ) ); return( MBEDTLS_ERR_X509_INVALID_EXTENSIONS + MBEDTLS_ERR_ASN1_LENGTH_MISMATCH ); } @@ -1725,7 +1725,7 @@ static int x509_get_other_name( const mbedtls_x509_buf *subject_alt_name, if( p != end ) { mbedtls_platform_zeroize( other_name, - sizeof( other_name ) ); + sizeof( *other_name ) ); return( MBEDTLS_ERR_X509_INVALID_EXTENSIONS + MBEDTLS_ERR_ASN1_LENGTH_MISMATCH ); } diff --git a/library/x509write_crt.c b/library/x509write_crt.c index e237cb8ab..03fb3fd94 100644 --- a/library/x509write_crt.c +++ b/library/x509write_crt.c @@ -74,39 +74,44 @@ void mbedtls_x509write_crt_free( mbedtls_x509write_cert *ctx ) mbedtls_platform_zeroize( ctx, sizeof( mbedtls_x509write_cert ) ); } -void mbedtls_x509write_crt_set_version( mbedtls_x509write_cert *ctx, int version ) +void mbedtls_x509write_crt_set_version( mbedtls_x509write_cert *ctx, + int version ) { ctx->version = version; } -void mbedtls_x509write_crt_set_md_alg( mbedtls_x509write_cert *ctx, mbedtls_md_type_t md_alg ) +void mbedtls_x509write_crt_set_md_alg( mbedtls_x509write_cert *ctx, + mbedtls_md_type_t md_alg ) { ctx->md_alg = md_alg; } -void mbedtls_x509write_crt_set_subject_key( mbedtls_x509write_cert *ctx, mbedtls_pk_context *key ) +void mbedtls_x509write_crt_set_subject_key( mbedtls_x509write_cert *ctx, + mbedtls_pk_context *key ) { ctx->subject_key = key; } -void mbedtls_x509write_crt_set_issuer_key( mbedtls_x509write_cert *ctx, mbedtls_pk_context *key ) +void mbedtls_x509write_crt_set_issuer_key( mbedtls_x509write_cert *ctx, + mbedtls_pk_context *key ) { ctx->issuer_key = key; } int mbedtls_x509write_crt_set_subject_name( mbedtls_x509write_cert *ctx, - const char *subject_name ) + const char *subject_name ) { return mbedtls_x509_string_to_names( &ctx->subject, subject_name ); } int mbedtls_x509write_crt_set_issuer_name( mbedtls_x509write_cert *ctx, - const char *issuer_name ) + const char *issuer_name ) { return mbedtls_x509_string_to_names( &ctx->issuer, issuer_name ); } -int mbedtls_x509write_crt_set_serial( mbedtls_x509write_cert *ctx, const mbedtls_mpi *serial ) +int mbedtls_x509write_crt_set_serial( mbedtls_x509write_cert *ctx, + const mbedtls_mpi *serial ) { int ret; @@ -116,8 +121,9 @@ int mbedtls_x509write_crt_set_serial( mbedtls_x509write_cert *ctx, const mbedtls return( 0 ); } -int mbedtls_x509write_crt_set_validity( mbedtls_x509write_cert *ctx, const char *not_before, - const char *not_after ) +int mbedtls_x509write_crt_set_validity( mbedtls_x509write_cert *ctx, + const char *not_before, + const char *not_after ) { if( strlen( not_before ) != MBEDTLS_X509_RFC5280_UTC_TIME_LEN - 1 || strlen( not_after ) != MBEDTLS_X509_RFC5280_UTC_TIME_LEN - 1 ) @@ -137,12 +143,12 @@ int mbedtls_x509write_crt_set_extension( mbedtls_x509write_cert *ctx, int critical, const unsigned char *val, size_t val_len ) { - return mbedtls_x509_set_extension( &ctx->extensions, oid, oid_len, - critical, val, val_len ); + return( mbedtls_x509_set_extension( &ctx->extensions, oid, oid_len, + critical, val, val_len ) ); } int mbedtls_x509write_crt_set_basic_constraints( mbedtls_x509write_cert *ctx, - int is_ca, int max_pathlen ) + int is_ca, int max_pathlen ) { int ret; unsigned char buf[9]; @@ -158,18 +164,21 @@ int mbedtls_x509write_crt_set_basic_constraints( mbedtls_x509write_cert *ctx, { if( max_pathlen >= 0 ) { - MBEDTLS_ASN1_CHK_ADD( len, mbedtls_asn1_write_int( &c, buf, max_pathlen ) ); + MBEDTLS_ASN1_CHK_ADD( len, mbedtls_asn1_write_int( &c, buf, + max_pathlen ) ); } MBEDTLS_ASN1_CHK_ADD( len, mbedtls_asn1_write_bool( &c, buf, 1 ) ); } MBEDTLS_ASN1_CHK_ADD( len, mbedtls_asn1_write_len( &c, buf, len ) ); - MBEDTLS_ASN1_CHK_ADD( len, mbedtls_asn1_write_tag( &c, buf, MBEDTLS_ASN1_CONSTRUCTED | + MBEDTLS_ASN1_CHK_ADD( len, mbedtls_asn1_write_tag( &c, buf, + MBEDTLS_ASN1_CONSTRUCTED | MBEDTLS_ASN1_SEQUENCE ) ); - return mbedtls_x509write_crt_set_extension( ctx, MBEDTLS_OID_BASIC_CONSTRAINTS, - MBEDTLS_OID_SIZE( MBEDTLS_OID_BASIC_CONSTRAINTS ), - 0, buf + sizeof(buf) - len, len ); + return( + mbedtls_x509write_crt_set_extension( ctx, MBEDTLS_OID_BASIC_CONSTRAINTS, + MBEDTLS_OID_SIZE( MBEDTLS_OID_BASIC_CONSTRAINTS ), + 0, buf + sizeof(buf) - len, len ) ); } #if defined(MBEDTLS_SHA1_C) @@ -181,7 +190,8 @@ int mbedtls_x509write_crt_set_subject_key_identifier( mbedtls_x509write_cert *ct size_t len = 0; memset( buf, 0, sizeof(buf) ); - MBEDTLS_ASN1_CHK_ADD( len, mbedtls_pk_write_pubkey( &c, buf, ctx->subject_key ) ); + MBEDTLS_ASN1_CHK_ADD( len, + mbedtls_pk_write_pubkey( &c, buf, ctx->subject_key ) ); ret = mbedtls_sha1_ret( buf + sizeof( buf ) - len, len, buf + sizeof( buf ) - 20 ); @@ -191,11 +201,13 @@ int mbedtls_x509write_crt_set_subject_key_identifier( mbedtls_x509write_cert *ct len = 20; MBEDTLS_ASN1_CHK_ADD( len, mbedtls_asn1_write_len( &c, buf, len ) ); - MBEDTLS_ASN1_CHK_ADD( len, mbedtls_asn1_write_tag( &c, buf, MBEDTLS_ASN1_OCTET_STRING ) ); + MBEDTLS_ASN1_CHK_ADD( len, + mbedtls_asn1_write_tag( &c, buf, MBEDTLS_ASN1_OCTET_STRING ) ); - return mbedtls_x509write_crt_set_extension( ctx, MBEDTLS_OID_SUBJECT_KEY_IDENTIFIER, - MBEDTLS_OID_SIZE( MBEDTLS_OID_SUBJECT_KEY_IDENTIFIER ), - 0, buf + sizeof(buf) - len, len ); + return mbedtls_x509write_crt_set_extension( ctx, + MBEDTLS_OID_SUBJECT_KEY_IDENTIFIER, + MBEDTLS_OID_SIZE( MBEDTLS_OID_SUBJECT_KEY_IDENTIFIER ), + 0, buf + sizeof(buf) - len, len ); } int mbedtls_x509write_crt_set_authority_key_identifier( mbedtls_x509write_cert *ctx ) @@ -206,7 +218,8 @@ int mbedtls_x509write_crt_set_authority_key_identifier( mbedtls_x509write_cert * size_t len = 0; memset( buf, 0, sizeof(buf) ); - MBEDTLS_ASN1_CHK_ADD( len, mbedtls_pk_write_pubkey( &c, buf, ctx->issuer_key ) ); + MBEDTLS_ASN1_CHK_ADD( len, + mbedtls_pk_write_pubkey( &c, buf, ctx->issuer_key ) ); ret = mbedtls_sha1_ret( buf + sizeof( buf ) - len, len, buf + sizeof( buf ) - 20 ); @@ -216,15 +229,19 @@ int mbedtls_x509write_crt_set_authority_key_identifier( mbedtls_x509write_cert * len = 20; MBEDTLS_ASN1_CHK_ADD( len, mbedtls_asn1_write_len( &c, buf, len ) ); - MBEDTLS_ASN1_CHK_ADD( len, mbedtls_asn1_write_tag( &c, buf, MBEDTLS_ASN1_CONTEXT_SPECIFIC | 0 ) ); + MBEDTLS_ASN1_CHK_ADD( len, + mbedtls_asn1_write_tag( &c, buf, MBEDTLS_ASN1_CONTEXT_SPECIFIC | 0 ) ); MBEDTLS_ASN1_CHK_ADD( len, mbedtls_asn1_write_len( &c, buf, len ) ); - MBEDTLS_ASN1_CHK_ADD( len, mbedtls_asn1_write_tag( &c, buf, MBEDTLS_ASN1_CONSTRUCTED | - MBEDTLS_ASN1_SEQUENCE ) ); + MBEDTLS_ASN1_CHK_ADD( len, + mbedtls_asn1_write_tag( &c, buf, + MBEDTLS_ASN1_CONSTRUCTED | + MBEDTLS_ASN1_SEQUENCE ) ); - return mbedtls_x509write_crt_set_extension( ctx, MBEDTLS_OID_AUTHORITY_KEY_IDENTIFIER, - MBEDTLS_OID_SIZE( MBEDTLS_OID_AUTHORITY_KEY_IDENTIFIER ), - 0, buf + sizeof( buf ) - len, len ); + return mbedtls_x509write_crt_set_extension( + ctx, MBEDTLS_OID_AUTHORITY_KEY_IDENTIFIER, + MBEDTLS_OID_SIZE( MBEDTLS_OID_AUTHORITY_KEY_IDENTIFIER ), + 0, buf + sizeof( buf ) - len, len ); } #endif /* MBEDTLS_SHA1_C */ @@ -259,8 +276,8 @@ int mbedtls_x509write_crt_set_key_usage( mbedtls_x509write_cert *ctx, return( MBEDTLS_ERR_X509_INVALID_FORMAT ); ret = mbedtls_x509write_crt_set_extension( ctx, MBEDTLS_OID_KEY_USAGE, - MBEDTLS_OID_SIZE( MBEDTLS_OID_KEY_USAGE ), - 1, c, (size_t)ret ); + MBEDTLS_OID_SIZE( MBEDTLS_OID_KEY_USAGE ), + 1, c, (size_t)ret ); if( ret != 0 ) return( ret ); @@ -281,8 +298,8 @@ int mbedtls_x509write_crt_set_ns_cert_type( mbedtls_x509write_cert *ctx, return( ret ); ret = mbedtls_x509write_crt_set_extension( ctx, MBEDTLS_OID_NS_CERT_TYPE, - MBEDTLS_OID_SIZE( MBEDTLS_OID_NS_CERT_TYPE ), - 0, c, (size_t)ret ); + MBEDTLS_OID_SIZE( MBEDTLS_OID_NS_CERT_TYPE ), + 0, c, (size_t)ret ); if( ret != 0 ) return( ret ); @@ -304,7 +321,8 @@ static int x509_write_time( unsigned char **p, unsigned char *start, (const unsigned char *) t + 2, size - 2 ) ); MBEDTLS_ASN1_CHK_ADD( len, mbedtls_asn1_write_len( p, start, len ) ); - MBEDTLS_ASN1_CHK_ADD( len, mbedtls_asn1_write_tag( p, start, MBEDTLS_ASN1_UTC_TIME ) ); + MBEDTLS_ASN1_CHK_ADD( len, mbedtls_asn1_write_tag( p, start, + MBEDTLS_ASN1_UTC_TIME ) ); } else { @@ -312,15 +330,17 @@ static int x509_write_time( unsigned char **p, unsigned char *start, (const unsigned char *) t, size ) ); MBEDTLS_ASN1_CHK_ADD( len, mbedtls_asn1_write_len( p, start, len ) ); - MBEDTLS_ASN1_CHK_ADD( len, mbedtls_asn1_write_tag( p, start, MBEDTLS_ASN1_GENERALIZED_TIME ) ); + MBEDTLS_ASN1_CHK_ADD( len, mbedtls_asn1_write_tag( p, start, + MBEDTLS_ASN1_GENERALIZED_TIME ) ); } return( (int) len ); } -int mbedtls_x509write_crt_der( mbedtls_x509write_cert *ctx, unsigned char *buf, size_t size, - int (*f_rng)(void *, unsigned char *, size_t), - void *p_rng ) +int mbedtls_x509write_crt_der( mbedtls_x509write_cert *ctx, + unsigned char *buf, size_t size, + int (*f_rng)(void *, unsigned char *, size_t), + void *p_rng ) { int ret; const char *sig_oid; @@ -328,15 +348,14 @@ int mbedtls_x509write_crt_der( mbedtls_x509write_cert *ctx, unsigned char *buf, unsigned char *c, *c2; unsigned char hash[64]; unsigned char sig[SIGNATURE_MAX_SIZE]; - unsigned char tmp_buf[2048]; size_t sub_len = 0, pub_len = 0, sig_and_oid_len = 0, sig_len; size_t len = 0; mbedtls_pk_type_t pk_alg; /* - * Prepare data to be signed in tmp_buf + * Prepare data to be signed at the end of the target buffer */ - c = tmp_buf + sizeof( tmp_buf ); + c = buf + size; /* Signature algorithm needed in TBS, and later for actual signature */ @@ -362,27 +381,36 @@ int mbedtls_x509write_crt_der( mbedtls_x509write_cert *ctx, unsigned char *buf, /* Only for v3 */ if( ctx->version == MBEDTLS_X509_CRT_VERSION_3 ) { - MBEDTLS_ASN1_CHK_ADD( len, mbedtls_x509_write_extensions( &c, tmp_buf, ctx->extensions ) ); - MBEDTLS_ASN1_CHK_ADD( len, mbedtls_asn1_write_len( &c, tmp_buf, len ) ); - MBEDTLS_ASN1_CHK_ADD( len, mbedtls_asn1_write_tag( &c, tmp_buf, MBEDTLS_ASN1_CONSTRUCTED | - MBEDTLS_ASN1_SEQUENCE ) ); - MBEDTLS_ASN1_CHK_ADD( len, mbedtls_asn1_write_len( &c, tmp_buf, len ) ); - MBEDTLS_ASN1_CHK_ADD( len, mbedtls_asn1_write_tag( &c, tmp_buf, MBEDTLS_ASN1_CONTEXT_SPECIFIC | - MBEDTLS_ASN1_CONSTRUCTED | 3 ) ); + MBEDTLS_ASN1_CHK_ADD( len, + mbedtls_x509_write_extensions( &c, + buf, ctx->extensions ) ); + MBEDTLS_ASN1_CHK_ADD( len, mbedtls_asn1_write_len( &c, buf, len ) ); + MBEDTLS_ASN1_CHK_ADD( len, + mbedtls_asn1_write_tag( &c, buf, + MBEDTLS_ASN1_CONSTRUCTED | + MBEDTLS_ASN1_SEQUENCE ) ); + MBEDTLS_ASN1_CHK_ADD( len, mbedtls_asn1_write_len( &c, buf, len ) ); + MBEDTLS_ASN1_CHK_ADD( len, + mbedtls_asn1_write_tag( &c, buf, + MBEDTLS_ASN1_CONTEXT_SPECIFIC | + MBEDTLS_ASN1_CONSTRUCTED | 3 ) ); } /* * SubjectPublicKeyInfo */ - MBEDTLS_ASN1_CHK_ADD( pub_len, mbedtls_pk_write_pubkey_der( ctx->subject_key, - tmp_buf, c - tmp_buf ) ); + MBEDTLS_ASN1_CHK_ADD( pub_len, + mbedtls_pk_write_pubkey_der( ctx->subject_key, + buf, c - buf ) ); c -= pub_len; len += pub_len; /* * Subject ::= Name */ - MBEDTLS_ASN1_CHK_ADD( len, mbedtls_x509_write_names( &c, tmp_buf, ctx->subject ) ); + MBEDTLS_ASN1_CHK_ADD( len, + mbedtls_x509_write_names( &c, buf, + ctx->subject ) ); /* * Validity ::= SEQUENCE { @@ -391,32 +419,39 @@ int mbedtls_x509write_crt_der( mbedtls_x509write_cert *ctx, unsigned char *buf, */ sub_len = 0; - MBEDTLS_ASN1_CHK_ADD( sub_len, x509_write_time( &c, tmp_buf, ctx->not_after, - MBEDTLS_X509_RFC5280_UTC_TIME_LEN ) ); + MBEDTLS_ASN1_CHK_ADD( sub_len, + x509_write_time( &c, buf, ctx->not_after, + MBEDTLS_X509_RFC5280_UTC_TIME_LEN ) ); - MBEDTLS_ASN1_CHK_ADD( sub_len, x509_write_time( &c, tmp_buf, ctx->not_before, - MBEDTLS_X509_RFC5280_UTC_TIME_LEN ) ); + MBEDTLS_ASN1_CHK_ADD( sub_len, + x509_write_time( &c, buf, ctx->not_before, + MBEDTLS_X509_RFC5280_UTC_TIME_LEN ) ); len += sub_len; - MBEDTLS_ASN1_CHK_ADD( len, mbedtls_asn1_write_len( &c, tmp_buf, sub_len ) ); - MBEDTLS_ASN1_CHK_ADD( len, mbedtls_asn1_write_tag( &c, tmp_buf, MBEDTLS_ASN1_CONSTRUCTED | - MBEDTLS_ASN1_SEQUENCE ) ); + MBEDTLS_ASN1_CHK_ADD( len, mbedtls_asn1_write_len( &c, buf, sub_len ) ); + MBEDTLS_ASN1_CHK_ADD( len, + mbedtls_asn1_write_tag( &c, buf, + MBEDTLS_ASN1_CONSTRUCTED | + MBEDTLS_ASN1_SEQUENCE ) ); /* * Issuer ::= Name */ - MBEDTLS_ASN1_CHK_ADD( len, mbedtls_x509_write_names( &c, tmp_buf, ctx->issuer ) ); + MBEDTLS_ASN1_CHK_ADD( len, mbedtls_x509_write_names( &c, buf, + ctx->issuer ) ); /* * Signature ::= AlgorithmIdentifier */ - MBEDTLS_ASN1_CHK_ADD( len, mbedtls_asn1_write_algorithm_identifier( &c, tmp_buf, - sig_oid, strlen( sig_oid ), 0 ) ); + MBEDTLS_ASN1_CHK_ADD( len, + mbedtls_asn1_write_algorithm_identifier( &c, buf, + sig_oid, strlen( sig_oid ), 0 ) ); /* * Serial ::= INTEGER */ - MBEDTLS_ASN1_CHK_ADD( len, mbedtls_asn1_write_mpi( &c, tmp_buf, &ctx->serial ) ); + MBEDTLS_ASN1_CHK_ADD( len, mbedtls_asn1_write_mpi( &c, buf, + &ctx->serial ) ); /* * Version ::= INTEGER { v1(0), v2(1), v3(2) } @@ -426,48 +461,67 @@ int mbedtls_x509write_crt_der( mbedtls_x509write_cert *ctx, unsigned char *buf, if( ctx->version != MBEDTLS_X509_CRT_VERSION_1 ) { sub_len = 0; - MBEDTLS_ASN1_CHK_ADD( sub_len, mbedtls_asn1_write_int( &c, tmp_buf, ctx->version ) ); + MBEDTLS_ASN1_CHK_ADD( sub_len, + mbedtls_asn1_write_int( &c, buf, ctx->version ) ); len += sub_len; - MBEDTLS_ASN1_CHK_ADD( len, mbedtls_asn1_write_len( &c, tmp_buf, sub_len ) ); - MBEDTLS_ASN1_CHK_ADD( len, mbedtls_asn1_write_tag( &c, tmp_buf, MBEDTLS_ASN1_CONTEXT_SPECIFIC | - MBEDTLS_ASN1_CONSTRUCTED | 0 ) ); + MBEDTLS_ASN1_CHK_ADD( len, + mbedtls_asn1_write_len( &c, buf, sub_len ) ); + MBEDTLS_ASN1_CHK_ADD( len, + mbedtls_asn1_write_tag( &c, buf, + MBEDTLS_ASN1_CONTEXT_SPECIFIC | + MBEDTLS_ASN1_CONSTRUCTED | 0 ) ); } - MBEDTLS_ASN1_CHK_ADD( len, mbedtls_asn1_write_len( &c, tmp_buf, len ) ); - MBEDTLS_ASN1_CHK_ADD( len, mbedtls_asn1_write_tag( &c, tmp_buf, MBEDTLS_ASN1_CONSTRUCTED | - MBEDTLS_ASN1_SEQUENCE ) ); + MBEDTLS_ASN1_CHK_ADD( len, mbedtls_asn1_write_len( &c, buf, len ) ); + MBEDTLS_ASN1_CHK_ADD( len, + mbedtls_asn1_write_tag( &c, buf, MBEDTLS_ASN1_CONSTRUCTED | + MBEDTLS_ASN1_SEQUENCE ) ); /* * Make signature */ + + /* Compute hash of CRT. */ if( ( ret = mbedtls_md( mbedtls_md_info_from_type( ctx->md_alg ), c, len, hash ) ) != 0 ) { return( ret ); } - if( ( ret = mbedtls_pk_sign( ctx->issuer_key, ctx->md_alg, hash, 0, sig, &sig_len, - f_rng, p_rng ) ) != 0 ) + if( ( ret = mbedtls_pk_sign( ctx->issuer_key, ctx->md_alg, + hash, 0, sig, &sig_len, + f_rng, p_rng ) ) != 0 ) { return( ret ); } - /* - * Write data to output buffer - */ + /* Move CRT to the front of the buffer to have space + * for the signature. */ + memmove( buf, c, len ); + c = buf + len; + + /* Add signature at the end of the buffer, + * making sure that it doesn't underflow + * into the CRT buffer. */ c2 = buf + size; - MBEDTLS_ASN1_CHK_ADD( sig_and_oid_len, mbedtls_x509_write_sig( &c2, buf, + MBEDTLS_ASN1_CHK_ADD( sig_and_oid_len, mbedtls_x509_write_sig( &c2, c, sig_oid, sig_oid_len, sig, sig_len ) ); - if( len > (size_t)( c2 - buf ) ) - return( MBEDTLS_ERR_ASN1_BUF_TOO_SMALL ); + /* + * Memory layout after this step: + * + * buf c=buf+len c2 buf+size + * [CRT0,...,CRTn, UNUSED, ..., UNUSED, SIG0, ..., SIGm] + */ - c2 -= len; - memcpy( c2, c, len ); + /* Move raw CRT to just before the signature. */ + c = c2 - len; + memmove( c, buf, len ); len += sig_and_oid_len; - MBEDTLS_ASN1_CHK_ADD( len, mbedtls_asn1_write_len( &c2, buf, len ) ); - MBEDTLS_ASN1_CHK_ADD( len, mbedtls_asn1_write_tag( &c2, buf, MBEDTLS_ASN1_CONSTRUCTED | + MBEDTLS_ASN1_CHK_ADD( len, mbedtls_asn1_write_len( &c, buf, len ) ); + MBEDTLS_ASN1_CHK_ADD( len, mbedtls_asn1_write_tag( &c, buf, + MBEDTLS_ASN1_CONSTRUCTED | MBEDTLS_ASN1_SEQUENCE ) ); return( (int) len ); @@ -477,23 +531,23 @@ int mbedtls_x509write_crt_der( mbedtls_x509write_cert *ctx, unsigned char *buf, #define PEM_END_CRT "-----END CERTIFICATE-----\n" #if defined(MBEDTLS_PEM_WRITE_C) -int mbedtls_x509write_crt_pem( mbedtls_x509write_cert *crt, unsigned char *buf, size_t size, - int (*f_rng)(void *, unsigned char *, size_t), - void *p_rng ) +int mbedtls_x509write_crt_pem( mbedtls_x509write_cert *crt, + unsigned char *buf, size_t size, + int (*f_rng)(void *, unsigned char *, size_t), + void *p_rng ) { int ret; - unsigned char output_buf[4096]; - size_t olen = 0; + size_t olen; - if( ( ret = mbedtls_x509write_crt_der( crt, output_buf, sizeof(output_buf), + if( ( ret = mbedtls_x509write_crt_der( crt, buf, size, f_rng, p_rng ) ) < 0 ) { return( ret ); } if( ( ret = mbedtls_pem_write_buffer( PEM_BEGIN_CRT, PEM_END_CRT, - output_buf + sizeof(output_buf) - ret, - ret, buf, size, &olen ) ) != 0 ) + buf + size - ret, ret, + buf, size, &olen ) ) != 0 ) { return( ret ); } diff --git a/programs/Makefile b/programs/Makefile index 2cb736622..4c05d915a 100644 --- a/programs/Makefile +++ b/programs/Makefile @@ -3,8 +3,8 @@ # To compile with PKCS11: add "-lpkcs11-helper" to LDFLAGS CFLAGS ?= -O2 -WARNING_CFLAGS ?= -Wall -W -Wdeclaration-after-statement -WARNING_CXXFLAGS ?= -Wall -W +WARNING_CFLAGS ?= -Wall -Wextra +WARNING_CXXFLAGS ?= -Wall -Wextra LDFLAGS ?= LOCAL_CFLAGS = $(WARNING_CFLAGS) -I../include -D_FILE_OFFSET_BITS=64 diff --git a/programs/test/cmake_subproject/.gitignore b/programs/test/cmake_subproject/.gitignore new file mode 100644 index 000000000..464833b93 --- /dev/null +++ b/programs/test/cmake_subproject/.gitignore @@ -0,0 +1,3 @@ +build +Makefile +cmake_subproject diff --git a/programs/test/cmake_subproject/CMakeLists.txt b/programs/test/cmake_subproject/CMakeLists.txt new file mode 100644 index 000000000..f5f4191c2 --- /dev/null +++ b/programs/test/cmake_subproject/CMakeLists.txt @@ -0,0 +1,19 @@ +cmake_minimum_required(VERSION 2.6) + +# We use the parent Mbed TLS directory as the MBEDTLS_DIR for this test. Other +# projects that use Mbed TLS as a subproject are likely to add by their own +# relative paths. +set(MBEDTLS_DIR ../../../) + +# Add Mbed TLS as a subdirectory. +add_subdirectory(${MBEDTLS_DIR} build) + +# Link against all the Mbed TLS libraries. +set(libs + mbedtls + mbedcrypto + mbedx509 +) + +add_executable(cmake_subproject cmake_subproject.c) +target_link_libraries(cmake_subproject ${libs}) diff --git a/programs/test/cmake_subproject/cmake_subproject.c b/programs/test/cmake_subproject/cmake_subproject.c new file mode 100644 index 000000000..ca899bcaf --- /dev/null +++ b/programs/test/cmake_subproject/cmake_subproject.c @@ -0,0 +1,56 @@ +/* + * Simple program to test that CMake builds with Mbed TLS as a subdirectory + * work correctly. + * + * Copyright (C) 2006-2019, ARM Limited, All Rights Reserved + * SPDX-License-Identifier: Apache-2.0 + * + * Licensed under the Apache License, Version 2.0 (the "License"); you may + * not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT + * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + * + * This file is part of mbed TLS (https://tls.mbed.org) + */ + +#if !defined(MBEDTLS_CONFIG_FILE) +#include "mbedtls/config.h" +#else +#include MBEDTLS_CONFIG_FILE +#endif + +#if defined(MBEDTLS_PLATFORM_C) +#include "mbedtls/platform.h" +#else +#include +#include +#define mbedtls_fprintf fprintf +#define mbedtls_printf printf +#define mbedtls_exit exit +#define MBEDTLS_EXIT_SUCCESS EXIT_SUCCESS +#define MBEDTLS_EXIT_FAILURE EXIT_FAILURE +#endif /* MBEDTLS_PLATFORM_C */ + +#include "mbedtls/version.h" + +/* The main reason to build this is for testing the CMake build, so the program + * doesn't need to do very much. It calls a single library function to ensure + * linkage works, but that is all. */ +int main() +{ + /* This version string is 18 bytes long, as advised by version.h. */ + char version[18]; + + mbedtls_version_get_string_full( version ); + + mbedtls_printf( "Built against %s\n", version ); + + return( 0 ); +} diff --git a/scripts/abi_check.py b/scripts/abi_check.py index 502c7ae02..533aaea3d 100755 --- a/scripts/abi_check.py +++ b/scripts/abi_check.py @@ -59,9 +59,7 @@ class AbiChecker(object): @staticmethod def check_repo_path(): - current_dir = os.path.realpath('.') - root_dir = os.path.dirname(os.path.dirname(os.path.realpath(__file__))) - if current_dir != root_dir: + if not all(os.path.isdir(d) for d in ["include", "library", "tests"]): raise Exception("Must be run from Mbed TLS root") def _setup_logger(self): @@ -108,6 +106,12 @@ class AbiChecker(object): stderr=subprocess.STDOUT ) self.log.debug(worktree_output.decode("utf-8")) + version.commit = subprocess.check_output( + [self.git_command, "rev-parse", worktree_rev], + cwd=git_worktree_path, + stderr=subprocess.STDOUT + ).decode("ascii").rstrip() + self.log.debug("Commit is {}".format(version.commit)) return git_worktree_path def _update_git_submodules(self, git_worktree_path, version): @@ -163,6 +167,13 @@ class AbiChecker(object): os.path.join(root, file) ) + @staticmethod + def _pretty_revision(version): + if version.revision == version.commit: + return version.revision + else: + return "{} ({})".format(version.revision, version.commit) + def _get_abi_dumps_from_shared_libraries(self, version): """Generate the ABI dumps for the specified git revision. The shared libraries must have been built and the module paths @@ -177,7 +188,7 @@ class AbiChecker(object): "abi-dumper", module_path, "-o", output_path, - "-lver", version.revision + "-lver", self._pretty_revision(version), ] abi_dump_output = subprocess.check_output( abi_dump_command, @@ -222,70 +233,84 @@ class AbiChecker(object): if not problems.getchildren(): report.remove(problems) + def _abi_compliance_command(self, mbed_module, output_path): + """Build the command to run to analyze the library mbed_module. + The report will be placed in output_path.""" + abi_compliance_command = [ + "abi-compliance-checker", + "-l", mbed_module, + "-old", self.old_version.abi_dumps[mbed_module], + "-new", self.new_version.abi_dumps[mbed_module], + "-strict", + "-report-path", output_path, + ] + if self.skip_file: + abi_compliance_command += ["-skip-symbols", self.skip_file, + "-skip-types", self.skip_file] + if self.brief: + abi_compliance_command += ["-report-format", "xml", + "-stdout"] + return abi_compliance_command + + def _is_library_compatible(self, mbed_module, compatibility_report): + """Test if the library mbed_module has remained compatible. + Append a message regarding compatibility to compatibility_report.""" + output_path = os.path.join( + self.report_dir, "{}-{}-{}.html".format( + mbed_module, self.old_version.revision, + self.new_version.revision + ) + ) + try: + subprocess.check_output( + self._abi_compliance_command(mbed_module, output_path), + stderr=subprocess.STDOUT + ) + except subprocess.CalledProcessError as err: + if err.returncode != 1: + raise err + if self.brief: + self.log.info( + "Compatibility issues found for {}".format(mbed_module) + ) + report_root = ET.fromstring(err.output.decode("utf-8")) + self._remove_extra_detail_from_report(report_root) + self.log.info(ET.tostring(report_root).decode("utf-8")) + else: + self.can_remove_report_dir = False + compatibility_report.append( + "Compatibility issues found for {}, " + "for details see {}".format(mbed_module, output_path) + ) + return False + compatibility_report.append( + "No compatibility issues for {}".format(mbed_module) + ) + if not (self.keep_all_reports or self.brief): + os.remove(output_path) + return True + def get_abi_compatibility_report(self): """Generate a report of the differences between the reference ABI and the new ABI. ABI dumps from self.old_version and self.new_version must be available.""" - compatibility_report = "" + compatibility_report = ["Checking evolution from {} to {}".format( + self._pretty_revision(self.old_version), + self._pretty_revision(self.new_version) + )] compliance_return_code = 0 shared_modules = list(set(self.old_version.modules.keys()) & set(self.new_version.modules.keys())) for mbed_module in shared_modules: - output_path = os.path.join( - self.report_dir, "{}-{}-{}.html".format( - mbed_module, self.old_version.revision, - self.new_version.revision - ) - ) - abi_compliance_command = [ - "abi-compliance-checker", - "-l", mbed_module, - "-old", self.old_version.abi_dumps[mbed_module], - "-new", self.new_version.abi_dumps[mbed_module], - "-strict", - "-report-path", output_path, - ] - if self.skip_file: - abi_compliance_command += ["-skip-symbols", self.skip_file, - "-skip-types", self.skip_file] - if self.brief: - abi_compliance_command += ["-report-format", "xml", - "-stdout"] - try: - subprocess.check_output( - abi_compliance_command, - stderr=subprocess.STDOUT - ) - except subprocess.CalledProcessError as err: - if err.returncode == 1: - compliance_return_code = 1 - if self.brief: - self.log.info( - "Compatibility issues found for {}".format(mbed_module) - ) - report_root = ET.fromstring(err.output.decode("utf-8")) - self._remove_extra_detail_from_report(report_root) - self.log.info(ET.tostring(report_root).decode("utf-8")) - else: - self.can_remove_report_dir = False - compatibility_report += ( - "Compatibility issues found for {}, " - "for details see {}\n".format(mbed_module, output_path) - ) - else: - raise err - else: - compatibility_report += ( - "No compatibility issues for {}\n".format(mbed_module) - ) - if not (self.keep_all_reports or self.brief): - os.remove(output_path) + if not self._is_library_compatible(mbed_module, + compatibility_report): + compliance_return_code = 1 for version in [self.old_version, self.new_version]: for mbed_module, mbed_module_dump in version.abi_dumps.items(): os.remove(mbed_module_dump) if self.can_remove_report_dir: os.rmdir(self.report_dir) - self.log.info(compatibility_report) + self.log.info("\n".join(compatibility_report)) return compliance_return_code def check_for_abi_changes(self): @@ -357,7 +382,9 @@ def run_main(): ) parser.add_argument( "-s", "--skip-file", type=str, - help="path to file containing symbols and types to skip" + help=("path to file containing symbols and types to skip " + "(typically \"-s identifiers\" after running " + "\"tests/scripts/list-identifiers.sh --internal\")") ) parser.add_argument( "-b", "--brief", action="store_true", @@ -371,6 +398,7 @@ def run_main(): version="old", repository=abi_args.old_repo, revision=abi_args.old_rev, + commit=None, crypto_repository=abi_args.old_crypto_repo, crypto_revision=abi_args.old_crypto_rev, abi_dumps={}, @@ -380,6 +408,7 @@ def run_main(): version="new", repository=abi_args.new_repo, revision=abi_args.new_rev, + commit=None, crypto_repository=abi_args.new_crypto_repo, crypto_revision=abi_args.new_crypto_rev, abi_dumps={}, diff --git a/tests/Makefile b/tests/Makefile index 27ce33895..1679ee40b 100644 --- a/tests/Makefile +++ b/tests/Makefile @@ -3,7 +3,7 @@ # To compile with PKCS11: add "-lpkcs11-helper" to LDFLAGS CFLAGS ?= -O2 -WARNING_CFLAGS ?= -Wall -W -Wdeclaration-after-statement -Wunused +WARNING_CFLAGS ?= -Wall -Wextra LDFLAGS ?= LOCAL_CFLAGS = $(WARNING_CFLAGS) -I../include -D_FILE_OFFSET_BITS=64 diff --git a/tests/compat-in-docker.sh b/tests/compat-in-docker.sh new file mode 100755 index 000000000..67a0807b3 --- /dev/null +++ b/tests/compat-in-docker.sh @@ -0,0 +1,65 @@ +#!/bin/bash -eu + +# compat-in-docker.sh +# +# Purpose +# ------- +# This runs compat.sh in a Docker container. +# +# Notes for users +# --------------- +# If OPENSSL_CMD, GNUTLS_CLI, or GNUTLS_SERV are specified the path must +# correspond to an executable inside the Docker container. The special +# values "next" (OpenSSL only) and "legacy" are also allowed as shorthand +# for the installations inside the container. +# +# See also: +# - scripts/docker_env.sh for general Docker prerequisites and other information. +# - compat.sh for notes about invocation of that script. + +# Copyright (C) 2006-2019, Arm Limited (or its affiliates), All Rights Reserved. +# SPDX-License-Identifier: Apache-2.0 +# +# Licensed under the Apache License, Version 2.0 (the "License"); you may +# not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT +# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +# +# This file is part of Mbed TLS (https://tls.mbed.org) + +source tests/scripts/docker_env.sh + +case "${OPENSSL_CMD:-default}" in + "legacy") export OPENSSL_CMD="/usr/local/openssl-1.0.1j/bin/openssl";; + "next") export OPENSSL_CMD="/usr/local/openssl-1.1.1a/bin/openssl";; + *) ;; +esac + +case "${GNUTLS_CLI:-default}" in + "legacy") export GNUTLS_CLI="/usr/local/gnutls-3.3.8/bin/gnutls-cli";; + "next") export GNUTLS_CLI="/usr/local/gnutls-3.6.5/bin/gnutls-cli";; + *) ;; +esac + +case "${GNUTLS_SERV:-default}" in + "legacy") export GNUTLS_SERV="/usr/local/gnutls-3.3.8/bin/gnutls-serv";; + "next") export GNUTLS_SERV="/usr/local/gnutls-3.6.5/bin/gnutls-serv";; + *) ;; +esac + +run_in_docker \ + -e M_CLI \ + -e M_SRV \ + -e GNUTLS_CLI \ + -e GNUTLS_SERV \ + -e OPENSSL_CMD \ + -e OSSL_NO_DTLS \ + tests/compat.sh \ + $@ diff --git a/tests/docker/bionic/Dockerfile b/tests/docker/bionic/Dockerfile new file mode 100644 index 000000000..1b2d40f28 --- /dev/null +++ b/tests/docker/bionic/Dockerfile @@ -0,0 +1,168 @@ +# Dockerfile +# +# Purpose +# ------- +# Defines a Docker container suitable to build and run all tests (all.sh), +# except for those that use a proprietary toolchain. + +# Copyright (C) 2006-2019, Arm Limited (or its affiliates), All Rights Reserved. +# SPDX-License-Identifier: Apache-2.0 +# +# Licensed under the Apache License, Version 2.0 (the "License"); you may +# not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT +# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +# +# This file is part of Mbed TLS (https://tls.mbed.org) +ARG MAKEFLAGS_PARALLEL="" +ARG MY_REGISTRY= + +FROM ${MY_REGISTRY}ubuntu:bionic + + +ENV DEBIAN_FRONTEND noninteractive + +RUN apt-get update \ + && apt-get -y install software-properties-common \ + && rm -rf /var/lib/apt/lists + +RUN add-apt-repository -y ppa:team-gcc-arm-embedded/ppa + +RUN apt-get update \ + && apt-get -y install \ + # mbedtls build/test dependencies + build-essential \ + clang \ + cmake \ + doxygen \ + gcc-arm-none-eabi \ + gcc-mingw-w64-i686 \ + gcc-multilib \ + g++-multilib \ + gdb \ + git \ + graphviz \ + lsof \ + python \ + python3-pip \ + python3 \ + pylint3 \ + valgrind \ + wget \ + # libnettle build dependencies + libgmp-dev \ + m4 \ + pkg-config \ + && rm -rf /var/lib/apt/lists/* + +# Build a static, legacy openssl from sources with sslv3 enabled +# Based on https://gist.github.com/bmaupin/8caca3a1e8c3c5686141 (build-openssl.sh) +# Note: openssl-1.0.2 and earlier has known build issues with parallel make. +RUN cd /tmp \ + && wget https://www.openssl.org/source/old/1.0.1/openssl-1.0.1j.tar.gz -qO- | tar xz \ + && cd openssl-1.0.1j \ + && ./config --openssldir=/usr/local/openssl-1.0.1j no-shared \ + && (make ${MAKEFLAGS_PARALLEL} || make -j 1) \ + && make install_sw \ + && rm -rf /tmp/openssl* +ENV OPENSSL_LEGACY=/usr/local/openssl-1.0.1j/bin/openssl + +# Build OPENSSL as 1.0.2g +RUN cd /tmp \ + && wget https://www.openssl.org/source/old/1.0.2/openssl-1.0.2g.tar.gz -qO- | tar xz \ + && cd openssl-1.0.2g \ + && ./config --openssldir=/usr/local/openssl-1.0.2g no-shared \ + && (make ${MAKEFLAGS_PARALLEL} || make -j 1) \ + && make install_sw \ + && rm -rf /tmp/openssl* +ENV OPENSSL=/usr/local/openssl-1.0.2g/bin/openssl + +# Build a new openssl binary for ARIA/CHACHA20 support +# Based on https://gist.github.com/bmaupin/8caca3a1e8c3c5686141 (build-openssl.sh) +RUN cd /tmp \ + && wget https://www.openssl.org/source/openssl-1.1.1a.tar.gz -qO- | tar xz \ + && cd openssl-1.1.1a \ + && ./config --prefix=/usr/local/openssl-1.1.1a -Wl,--enable-new-dtags,-rpath,'${LIBRPATH}' no-shared \ + && make ${MAKEFLAGS_PARALLEL} \ + && make install_sw \ + && rm -rf /tmp/openssl* +ENV OPENSSL_NEXT=/usr/local/openssl-1.1.1a/bin/openssl + +# Build libnettle 2.7.1 (needed by legacy gnutls) +RUN cd /tmp \ + && wget https://ftp.gnu.org/gnu/nettle/nettle-2.7.1.tar.gz -qO- | tar xz \ + && cd nettle-2.7.1 \ + && ./configure --disable-documentation \ + && make ${MAKEFLAGS_PARALLEL} \ + && make install \ + && /sbin/ldconfig \ + && rm -rf /tmp/nettle* + +# Build legacy gnutls (3.3.8) +RUN cd /tmp \ + && wget https://www.gnupg.org/ftp/gcrypt/gnutls/v3.3/gnutls-3.3.8.tar.xz -qO- | tar xJ \ + && cd gnutls-3.3.8 \ + && ./configure --prefix=/usr/local/gnutls-3.3.8 --exec_prefix=/usr/local/gnutls-3.3.8 --disable-shared --disable-guile --disable-doc \ + && make ${MAKEFLAGS_PARALLEL} \ + && make install \ + && rm -rf /tmp/gnutls* +ENV GNUTLS_LEGACY_CLI=/usr/local/gnutls-3.3.8/bin/gnutls-cli +ENV GNUTLS_LEGACY_SERV=/usr/local/gnutls-3.3.8/bin/gnutls-serv + +# Build libnettle 3.1 (needed by gnutls) +RUN cd /tmp \ + && wget https://ftp.gnu.org/gnu/nettle/nettle-3.1.tar.gz -qO- | tar xz \ + && cd nettle-3.1 \ + && ./configure --disable-documentation \ + && make ${MAKEFLAGS_PARALLEL} \ + && make install \ + && /sbin/ldconfig \ + && rm -rf /tmp/nettle* + +# Build gnutls (3.4.10) +RUN cd /tmp \ + && wget https://www.gnupg.org/ftp/gcrypt/gnutls/v3.4/gnutls-3.4.10.tar.xz -qO- | tar xJ \ + && cd gnutls-3.4.10 \ + && ./configure --prefix=/usr/local/gnutls-3.4.10 --exec_prefix=/usr/local/gnutls-3.4.10 \ + --with-included-libtasn1 --without-p11-kit \ + --disable-shared --disable-guile --disable-doc \ + && make ${MAKEFLAGS_PARALLEL} \ + && make install \ + && rm -rf /tmp/gnutls* +ENV GNUTLS_CLI=/usr/local/gnutls-3.4.10/bin/gnutls-cli +ENV GNUTLS_SERV=/usr/local/gnutls-3.4.10/bin/gnutls-serv + +# Build libnettle 3.4 (needed by gnutls next) +RUN cd /tmp \ + && wget https://ftp.gnu.org/gnu/nettle/nettle-3.4.1.tar.gz -qO- | tar xz \ + && cd nettle-3.4.1 \ + && ./configure --disable-documentation \ + && make ${MAKEFLAGS_PARALLEL} \ + && make install \ + && /sbin/ldconfig \ + && rm -rf /tmp/nettle* + +# Build gnutls next (3.6.5) +RUN cd /tmp \ + && wget https://www.gnupg.org/ftp/gcrypt/gnutls/v3.6/gnutls-3.6.5.tar.xz -qO- | tar xJ \ + && cd gnutls-3.6.5 \ + && ./configure --prefix=/usr/local/gnutls-3.6.5 --exec_prefix=/usr/local/gnutls-3.6.5 \ + --with-included-libtasn1 --with-included-unistring --without-p11-kit \ + --disable-shared --disable-guile --disable-doc \ + && make ${MAKEFLAGS_PARALLEL} \ + && make install \ + && rm -rf /tmp/gnutls* + +ENV GNUTLS_NEXT_CLI=/usr/local/gnutls-3.6.5/bin/gnutls-cli +ENV GNUTLS_NEXT_SERV=/usr/local/gnutls-3.6.5/bin/gnutls-serv + +RUN pip3 install --no-cache-dir \ + mbed-host-tests \ + mock diff --git a/tests/make-in-docker.sh b/tests/make-in-docker.sh new file mode 100755 index 000000000..4fbfe1ccb --- /dev/null +++ b/tests/make-in-docker.sh @@ -0,0 +1,31 @@ +#!/bin/bash -eu + +# make-in-docker.sh +# +# Purpose +# ------- +# This runs make in a Docker container. +# +# See also: +# - scripts/docker_env.sh for general Docker prerequisites and other information. + +# Copyright (C) 2006-2019, Arm Limited (or its affiliates), All Rights Reserved. +# SPDX-License-Identifier: Apache-2.0 +# +# Licensed under the Apache License, Version 2.0 (the "License"); you may +# not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT +# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +# +# This file is part of Mbed TLS (https://tls.mbed.org) + +source tests/scripts/docker_env.sh + +run_in_docker make $@ diff --git a/tests/scripts/all-in-docker.sh b/tests/scripts/all-in-docker.sh new file mode 100755 index 000000000..ee9a09290 --- /dev/null +++ b/tests/scripts/all-in-docker.sh @@ -0,0 +1,37 @@ +#!/bin/bash -eu + +# all-in-docker.sh +# +# Purpose +# ------- +# This runs all.sh (except for armcc) in a Docker container. +# +# Notes for users +# --------------- +# See docker_env.sh for prerequisites and other information. +# +# See also all.sh for notes about invocation of that script. + +# Copyright (C) 2006-2019, Arm Limited (or its affiliates), All Rights Reserved. +# SPDX-License-Identifier: Apache-2.0 +# +# Licensed under the Apache License, Version 2.0 (the "License"); you may +# not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT +# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +# +# This file is part of Mbed TLS (https://tls.mbed.org) + +source tests/scripts/docker_env.sh + +# Run tests that are possible with openly available compilers +run_in_docker tests/scripts/all.sh \ + --no-armcc \ + $@ diff --git a/tests/scripts/all.sh b/tests/scripts/all.sh index b1dd4301c..42e00a1d0 100755 --- a/tests/scripts/all.sh +++ b/tests/scripts/all.sh @@ -242,6 +242,11 @@ cleanup() git checkout -- Makefile library/Makefile programs/Makefile tests/Makefile cd .. + # Remove any artifacts from the component_test_cmake_as_subdirectory test. + rm -rf programs/test/cmake_subproject/build + rm -f programs/test/cmake_subproject/Makefile + rm -f programs/test/cmake_subproject/cmake_subproject + if [ -f "$CONFIG_BAK" ]; then mv "$CONFIG_BAK" "$CONFIG_H" fi @@ -836,7 +841,7 @@ component_test_no_use_psa_crypto_full_cmake_asan() { msg "build: cmake, full config + MBEDTLS_USE_PSA_CRYPTO, ASan" scripts/config.pl full scripts/config.pl unset MBEDTLS_MEMORY_BACKTRACE # too slow for tests - scripts/config.pl unset MBEDTLS_ECP_RESTARTABLE # restartable ECC not supported through PSA + scripts/config.pl set MBEDTLS_ECP_RESTARTABLE # not using PSA, so enable restartable ECC scripts/config.pl set MBEDTLS_PSA_CRYPTO_C scripts/config.pl unset MBEDTLS_USE_PSA_CRYPTO scripts/config.pl unset MBEDTLS_PSA_ITS_FILE_C @@ -1236,6 +1241,19 @@ component_test_cmake_out_of_source () { unset MBEDTLS_ROOT_DIR } +component_test_cmake_as_subdirectory () { + msg "build: cmake 'as-subdirectory' build" + MBEDTLS_ROOT_DIR="$PWD" + + cd programs/test/cmake_subproject + cmake . + make + if_build_succeeded ./cmake_subproject + + cd "$MBEDTLS_ROOT_DIR" + unset MBEDTLS_ROOT_DIR +} + component_test_zeroize () { # Test that the function mbedtls_platform_zeroize() is not optimized away by # different combinations of compilers and optimization flags by using an diff --git a/tests/scripts/basic-in-docker.sh b/tests/scripts/basic-in-docker.sh new file mode 100755 index 000000000..37ed5ea50 --- /dev/null +++ b/tests/scripts/basic-in-docker.sh @@ -0,0 +1,50 @@ +#!/bin/bash -eu + +# basic-in-docker.sh +# +# Purpose +# ------- +# This runs a rough equivalent of the travis.yml in a Docker container. +# The tests are run for both clang and gcc. +# +# Notes for users +# --------------- +# See docker_env.sh for prerequisites and other information. + +# Copyright (C) 2006-2019, Arm Limited (or its affiliates), All Rights Reserved. +# SPDX-License-Identifier: Apache-2.0 +# +# Licensed under the Apache License, Version 2.0 (the "License"); you may +# not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT +# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +# +# This file is part of Mbed TLS (https://tls.mbed.org) + +source tests/scripts/docker_env.sh + +run_in_docker tests/scripts/recursion.pl library/*.c +run_in_docker tests/scripts/check-generated-files.sh +run_in_docker tests/scripts/check-doxy-blocks.pl +run_in_docker tests/scripts/check-names.sh +run_in_docker tests/scripts/check-files.py +run_in_docker tests/scripts/doxygen.sh + +for compiler in clang gcc; do + run_in_docker -e CC=${compiler} cmake -D CMAKE_BUILD_TYPE:String="Check" . + run_in_docker -e CC=${compiler} make + run_in_docker -e CC=${compiler} make test + run_in_docker programs/test/selftest + run_in_docker -e OSSL_NO_DTLS=1 tests/compat.sh + run_in_docker tests/ssl-opt.sh -e '\(DTLS\|SCSV\).*openssl' + run_in_docker tests/scripts/test-ref-configs.pl + run_in_docker tests/scripts/curves.pl + run_in_docker tests/scripts/key-exchanges.pl +done diff --git a/tests/scripts/check-files.py b/tests/scripts/check-files.py index 00fd0edfb..255bed8b9 100755 --- a/tests/scripts/check-files.py +++ b/tests/scripts/check-files.py @@ -1,14 +1,12 @@ #!/usr/bin/env python3 + +# This file is part of Mbed TLS (https://tls.mbed.org) +# Copyright (c) 2018, Arm Limited, All Rights Reserved + """ -This file is part of Mbed TLS (https://tls.mbed.org) - -Copyright (c) 2018, Arm Limited, All Rights Reserved - -Purpose - This script checks the current state of the source code for minor issues, including incorrect file permissions, presence of tabs, non-Unix line endings, -trailing whitespace, presence of UTF-8 BOM, and TODO comments. +trailing whitespace, and presence of UTF-8 BOM. Note: requires python 3, must be run from Mbed TLS root. """ @@ -170,19 +168,6 @@ class MergeArtifactIssueTracker(LineIssueTracker): return True return False -class TodoIssueTracker(LineIssueTracker): - """Track lines containing ``TODO``.""" - - heading = "TODO present:" - files_exemptions = frozenset([ - os.path.basename(__file__), - "benchmark.c", - "pull_request_template.md", - ]) - - def issue_with_line(self, line, _filepath): - return b"todo" in line.lower() - class IntegrityChecker(object): """Sanity-check files under the current directory.""" @@ -211,7 +196,6 @@ class IntegrityChecker(object): TrailingWhitespaceIssueTracker(), TabIssueTracker(), MergeArtifactIssueTracker(), - TodoIssueTracker(), ] @staticmethod @@ -257,15 +241,7 @@ class IntegrityChecker(object): def run_main(): - parser = argparse.ArgumentParser( - description=( - "This script checks the current state of the source code for " - "minor issues, including incorrect file permissions, " - "presence of tabs, non-Unix line endings, trailing whitespace, " - "presence of UTF-8 BOM, and TODO comments. " - "Note: requires python 3, must be run from Mbed TLS root." - ) - ) + parser = argparse.ArgumentParser(description=__doc__) parser.add_argument( "-l", "--log_file", type=str, help="path to optional output log", ) diff --git a/tests/scripts/docker_env.sh b/tests/scripts/docker_env.sh new file mode 100755 index 000000000..8bdc42579 --- /dev/null +++ b/tests/scripts/docker_env.sh @@ -0,0 +1,93 @@ +#!/bin/bash -eu + +# docker_env.sh +# +# Purpose +# ------- +# +# This is a helper script to enable running tests under a Docker container, +# thus making it easier to get set up as well as isolating test dependencies +# (which include legacy/insecure configurations of openssl and gnutls). +# +# Notes for users +# --------------- +# This script expects a Linux x86_64 system with a recent version of Docker +# installed and available for use, as well as http/https access. If a proxy +# server must be used, invoke this script with the usual environment variables +# (http_proxy and https_proxy) set appropriately. If an alternate Docker +# registry is needed, specify MBEDTLS_DOCKER_REGISTRY to point at the +# host name. +# +# +# Running this script directly will check for Docker availability and set up +# the Docker image. + +# Copyright (C) 2006-2019, Arm Limited (or its affiliates), All Rights Reserved. +# SPDX-License-Identifier: Apache-2.0 +# +# Licensed under the Apache License, Version 2.0 (the "License"); you may +# not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT +# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +# +# This file is part of Mbed TLS (https://tls.mbed.org) + + +# default values, can be overridden by the environment +: ${MBEDTLS_DOCKER_GUEST:=bionic} + + +DOCKER_IMAGE_TAG="armmbed/mbedtls-test:${MBEDTLS_DOCKER_GUEST}" + +# Make sure docker is available +if ! which docker > /dev/null; then + echo "Docker is required but doesn't seem to be installed. See https://www.docker.com/ to get started" + exit 1 +fi + +# Figure out if we need to 'sudo docker' +if groups | grep docker > /dev/null; then + DOCKER="docker" +else + echo "Using sudo to invoke docker since you're not a member of the docker group..." + DOCKER="sudo docker" +fi + +# Build the Docker image +echo "Getting docker image up to date (this may take a few minutes)..." +${DOCKER} image build \ + -t ${DOCKER_IMAGE_TAG} \ + --cache-from=${DOCKER_IMAGE_TAG} \ + --build-arg MAKEFLAGS_PARALLEL="-j $(nproc)" \ + --network host \ + ${http_proxy+--build-arg http_proxy=${http_proxy}} \ + ${https_proxy+--build-arg https_proxy=${https_proxy}} \ + ${MBEDTLS_DOCKER_REGISTRY+--build-arg MY_REGISTRY="${MBEDTLS_DOCKER_REGISTRY}/"} \ + tests/docker/${MBEDTLS_DOCKER_GUEST} + +run_in_docker() +{ + ENV_ARGS="" + while [ "$1" == "-e" ]; do + ENV_ARGS="${ENV_ARGS} $1 $2" + shift 2 + done + + ${DOCKER} container run -it --rm \ + --cap-add SYS_PTRACE \ + --user "$(id -u):$(id -g)" \ + --volume $PWD:$PWD \ + --workdir $PWD \ + -e MAKEFLAGS \ + -e PYLINTHOME=/tmp/.pylintd \ + ${ENV_ARGS} \ + ${DOCKER_IMAGE_TAG} \ + $@ +} diff --git a/tests/ssl-opt-in-docker.sh b/tests/ssl-opt-in-docker.sh new file mode 100755 index 000000000..e6e469d82 --- /dev/null +++ b/tests/ssl-opt-in-docker.sh @@ -0,0 +1,65 @@ +#!/bin/bash -eu + +# ssl-opt-in-docker.sh +# +# Purpose +# ------- +# This runs ssl-opt.sh in a Docker container. +# +# Notes for users +# --------------- +# If OPENSSL_CMD, GNUTLS_CLI, or GNUTLS_SERV are specified, the path must +# correspond to an executable inside the Docker container. The special +# values "next" and "legacy" are also allowed as shorthand for the +# installations inside the container. +# +# See also: +# - scripts/docker_env.sh for general Docker prerequisites and other information. +# - ssl-opt.sh for notes about invocation of that script. + +# Copyright (C) 2006-2019, Arm Limited (or its affiliates), All Rights Reserved. +# SPDX-License-Identifier: Apache-2.0 +# +# Licensed under the Apache License, Version 2.0 (the "License"); you may +# not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT +# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +# +# This file is part of Mbed TLS (https://tls.mbed.org) + +source tests/scripts/docker_env.sh + +case "${OPENSSL_CMD:-default}" in + "legacy") export OPENSSL_CMD="/usr/local/openssl-1.0.1j/bin/openssl";; + "next") export OPENSSL_CMD="/usr/local/openssl-1.1.1a/bin/openssl";; + *) ;; +esac + +case "${GNUTLS_CLI:-default}" in + "legacy") export GNUTLS_CLI="/usr/local/gnutls-3.3.8/bin/gnutls-cli";; + "next") export GNUTLS_CLI="/usr/local/gnutls-3.6.5/bin/gnutls-cli";; + *) ;; +esac + +case "${GNUTLS_SERV:-default}" in + "legacy") export GNUTLS_SERV="/usr/local/gnutls-3.3.8/bin/gnutls-serv";; + "next") export GNUTLS_SERV="/usr/local/gnutls-3.6.5/bin/gnutls-serv";; + *) ;; +esac + +run_in_docker \ + -e P_SRV \ + -e P_CLI \ + -e P_PXY \ + -e GNUTLS_CLI \ + -e GNUTLS_SERV \ + -e OPENSSL_CMD \ + tests/ssl-opt.sh \ + $@