From b555457d398c854821f9a0d73553c08db76ede5b Mon Sep 17 00:00:00 2001 From: Marcel Date: Wed, 20 Feb 2019 12:06:48 +0100 Subject: [PATCH 01/33] update .gitignore to include Visual Studio artifacts --- .gitignore | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/.gitignore b/.gitignore index f40064d5b..104e72099 100644 --- a/.gitignore +++ b/.gitignore @@ -26,3 +26,10 @@ massif-* # CMake generates *.dir/ folders for in-tree builds (used by MSVC projects), ignore all of those: *.dir/ + +# Visual Studio artifacts +/visualc/VS2010/.localhistory/ +/visualc/VS2010/.vs/ +/visualc/VS2010/Debug/ +/visualc/VS2010/Release/ +/visualc/VS2010/*.vcxproj.user From 97866573654bb5d920c5acc67420df4b5b6cd92c Mon Sep 17 00:00:00 2001 From: Marcel Date: Wed, 20 Feb 2019 13:52:02 +0100 Subject: [PATCH 02/33] add Visual Studio filters to .gitignore --- .gitignore | 71 +++++++++++++++++++++++++++--------------------------- 1 file changed, 36 insertions(+), 35 deletions(-) diff --git a/.gitignore b/.gitignore index 104e72099..bc4522fbe 100644 --- a/.gitignore +++ b/.gitignore @@ -1,35 +1,36 @@ -CMakeCache.txt -CMakeFiles -CTestTestfile.cmake -cmake_install.cmake -Testing -Coverage -*.gcno -*.gcda - -# generated by scripts/memory.sh -massif-* - -# MSVC files generated by CMake: -/*.sln -/*.vcxproj -/*.filters - -# MSVC build artifacts: -*.exe -*.pdb -*.ilk -*.lib - -# Python build artifacts: -*.pyc - -# CMake generates *.dir/ folders for in-tree builds (used by MSVC projects), ignore all of those: -*.dir/ - -# Visual Studio artifacts -/visualc/VS2010/.localhistory/ -/visualc/VS2010/.vs/ -/visualc/VS2010/Debug/ -/visualc/VS2010/Release/ -/visualc/VS2010/*.vcxproj.user +CMakeCache.txt +CMakeFiles +CTestTestfile.cmake +cmake_install.cmake +Testing +Coverage +*.gcno +*.gcda + +# generated by scripts/memory.sh +massif-* + +# MSVC files generated by CMake: +/*.sln +/*.vcxproj +/*.filters + +# MSVC build artifacts: +*.exe +*.pdb +*.ilk +*.lib + +# Python build artifacts: +*.pyc + +# CMake generates *.dir/ folders for in-tree builds (used by MSVC projects), ignore all of those: +*.dir/ + +# Visual Studio artifacts +/visualc/VS2010/.localhistory/ +/visualc/VS2010/.vs/ +/visualc/VS2010/Debug/ +/visualc/VS2010/Release/ +/visualc/VS2010/*.vcxproj.filters +/visualc/VS2010/*.vcxproj.user From a6ead983b379a8da03b65c6bcc8c4850469aa3e6 Mon Sep 17 00:00:00 2001 From: Marcel Date: Wed, 20 Feb 2019 14:20:05 +0100 Subject: [PATCH 03/33] mention .gitignore changes in ChangeLog --- ChangeLog | 1 + 1 file changed, 1 insertion(+) diff --git a/ChangeLog b/ChangeLog index 9ab0c03c6..34c738e5b 100644 --- a/ChangeLog +++ b/ChangeLog @@ -38,6 +38,7 @@ Changes Found by Coverity, reported and fixed by Peter Kolbus (Garmin). Fixes #2309. * Add test for minimal value of MBEDTLS_MPI_WINDOW_SIZE to all.sh. Contributed by Peter Kolbus (Garmin). + * Extended .gitignore to ignore Visual Studio artifacts (ConfusedSushi) = mbed TLS 2.17.0 branch released 2019-03-19 From 8e6740f15d7b96643637cc3956be44ab1fb695bc Mon Sep 17 00:00:00 2001 From: Ron Eldor Date: Wed, 20 Feb 2019 15:51:32 +0100 Subject: [PATCH 04/33] Update ChangeLog Co-Authored-By: confusedsushi --- ChangeLog | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ChangeLog b/ChangeLog index 34c738e5b..1b76a4e5a 100644 --- a/ChangeLog +++ b/ChangeLog @@ -38,7 +38,7 @@ Changes Found by Coverity, reported and fixed by Peter Kolbus (Garmin). Fixes #2309. * Add test for minimal value of MBEDTLS_MPI_WINDOW_SIZE to all.sh. Contributed by Peter Kolbus (Garmin). - * Extended .gitignore to ignore Visual Studio artifacts (ConfusedSushi) + * Extended .gitignore to ignore Visual Studio artifacts. Fixed by ConfusedSushi. = mbed TLS 2.17.0 branch released 2019-03-19 From c709a00b7bae27c0ab6da504265c79de01df9ddb Mon Sep 17 00:00:00 2001 From: Marcel Date: Thu, 28 Feb 2019 17:57:07 +0100 Subject: [PATCH 05/33] change .gitignore line endings to UNIX --- .gitignore | 72 +++++++++++++++++++++++++++--------------------------- 1 file changed, 36 insertions(+), 36 deletions(-) diff --git a/.gitignore b/.gitignore index bc4522fbe..35d1d2ad3 100644 --- a/.gitignore +++ b/.gitignore @@ -1,36 +1,36 @@ -CMakeCache.txt -CMakeFiles -CTestTestfile.cmake -cmake_install.cmake -Testing -Coverage -*.gcno -*.gcda - -# generated by scripts/memory.sh -massif-* - -# MSVC files generated by CMake: -/*.sln -/*.vcxproj -/*.filters - -# MSVC build artifacts: -*.exe -*.pdb -*.ilk -*.lib - -# Python build artifacts: -*.pyc - -# CMake generates *.dir/ folders for in-tree builds (used by MSVC projects), ignore all of those: -*.dir/ - -# Visual Studio artifacts -/visualc/VS2010/.localhistory/ -/visualc/VS2010/.vs/ -/visualc/VS2010/Debug/ -/visualc/VS2010/Release/ -/visualc/VS2010/*.vcxproj.filters -/visualc/VS2010/*.vcxproj.user +CMakeCache.txt +CMakeFiles +CTestTestfile.cmake +cmake_install.cmake +Testing +Coverage +*.gcno +*.gcda + +# generated by scripts/memory.sh +massif-* + +# MSVC files generated by CMake: +/*.sln +/*.vcxproj +/*.filters + +# MSVC build artifacts: +*.exe +*.pdb +*.ilk +*.lib + +# Python build artifacts: +*.pyc + +# CMake generates *.dir/ folders for in-tree builds (used by MSVC projects), ignore all of those: +*.dir/ + +# Visual Studio artifacts +/visualc/VS2010/.localhistory/ +/visualc/VS2010/.vs/ +/visualc/VS2010/Debug/ +/visualc/VS2010/Release/ +/visualc/VS2010/*.vcxproj.filters +/visualc/VS2010/*.vcxproj.user From 6ad3fd105cfe446b47dc8f7fc96c054c48eec5a6 Mon Sep 17 00:00:00 2001 From: Hanno Becker Date: Sat, 4 May 2019 07:37:58 +0100 Subject: [PATCH 06/33] Adapt x509write_crt.c to coding style Avoid lines longer than 80 characters and fix indentation. --- library/x509write_crt.c | 183 +++++++++++++++++++++++++--------------- 1 file changed, 115 insertions(+), 68 deletions(-) diff --git a/library/x509write_crt.c b/library/x509write_crt.c index b6cb745a3..6002a6605 100644 --- a/library/x509write_crt.c +++ b/library/x509write_crt.c @@ -64,39 +64,44 @@ void mbedtls_x509write_crt_free( mbedtls_x509write_cert *ctx ) mbedtls_platform_zeroize( ctx, sizeof( mbedtls_x509write_cert ) ); } -void mbedtls_x509write_crt_set_version( mbedtls_x509write_cert *ctx, int version ) +void mbedtls_x509write_crt_set_version( mbedtls_x509write_cert *ctx, + int version ) { ctx->version = version; } -void mbedtls_x509write_crt_set_md_alg( mbedtls_x509write_cert *ctx, mbedtls_md_type_t md_alg ) +void mbedtls_x509write_crt_set_md_alg( mbedtls_x509write_cert *ctx, + mbedtls_md_type_t md_alg ) { ctx->md_alg = md_alg; } -void mbedtls_x509write_crt_set_subject_key( mbedtls_x509write_cert *ctx, mbedtls_pk_context *key ) +void mbedtls_x509write_crt_set_subject_key( mbedtls_x509write_cert *ctx, + mbedtls_pk_context *key ) { ctx->subject_key = key; } -void mbedtls_x509write_crt_set_issuer_key( mbedtls_x509write_cert *ctx, mbedtls_pk_context *key ) +void mbedtls_x509write_crt_set_issuer_key( mbedtls_x509write_cert *ctx, + mbedtls_pk_context *key ) { ctx->issuer_key = key; } int mbedtls_x509write_crt_set_subject_name( mbedtls_x509write_cert *ctx, - const char *subject_name ) + const char *subject_name ) { return mbedtls_x509_string_to_names( &ctx->subject, subject_name ); } int mbedtls_x509write_crt_set_issuer_name( mbedtls_x509write_cert *ctx, - const char *issuer_name ) + const char *issuer_name ) { return mbedtls_x509_string_to_names( &ctx->issuer, issuer_name ); } -int mbedtls_x509write_crt_set_serial( mbedtls_x509write_cert *ctx, const mbedtls_mpi *serial ) +int mbedtls_x509write_crt_set_serial( mbedtls_x509write_cert *ctx, + const mbedtls_mpi *serial ) { int ret; @@ -106,8 +111,9 @@ int mbedtls_x509write_crt_set_serial( mbedtls_x509write_cert *ctx, const mbedtls return( 0 ); } -int mbedtls_x509write_crt_set_validity( mbedtls_x509write_cert *ctx, const char *not_before, - const char *not_after ) +int mbedtls_x509write_crt_set_validity( mbedtls_x509write_cert *ctx, + const char *not_before, + const char *not_after ) { if( strlen( not_before ) != MBEDTLS_X509_RFC5280_UTC_TIME_LEN - 1 || strlen( not_after ) != MBEDTLS_X509_RFC5280_UTC_TIME_LEN - 1 ) @@ -127,12 +133,12 @@ int mbedtls_x509write_crt_set_extension( mbedtls_x509write_cert *ctx, int critical, const unsigned char *val, size_t val_len ) { - return mbedtls_x509_set_extension( &ctx->extensions, oid, oid_len, - critical, val, val_len ); + return( mbedtls_x509_set_extension( &ctx->extensions, oid, oid_len, + critical, val, val_len ) ); } int mbedtls_x509write_crt_set_basic_constraints( mbedtls_x509write_cert *ctx, - int is_ca, int max_pathlen ) + int is_ca, int max_pathlen ) { int ret; unsigned char buf[9]; @@ -148,18 +154,21 @@ int mbedtls_x509write_crt_set_basic_constraints( mbedtls_x509write_cert *ctx, { if( max_pathlen >= 0 ) { - MBEDTLS_ASN1_CHK_ADD( len, mbedtls_asn1_write_int( &c, buf, max_pathlen ) ); + MBEDTLS_ASN1_CHK_ADD( len, mbedtls_asn1_write_int( &c, buf, + max_pathlen ) ); } MBEDTLS_ASN1_CHK_ADD( len, mbedtls_asn1_write_bool( &c, buf, 1 ) ); } MBEDTLS_ASN1_CHK_ADD( len, mbedtls_asn1_write_len( &c, buf, len ) ); - MBEDTLS_ASN1_CHK_ADD( len, mbedtls_asn1_write_tag( &c, buf, MBEDTLS_ASN1_CONSTRUCTED | + MBEDTLS_ASN1_CHK_ADD( len, mbedtls_asn1_write_tag( &c, buf, + MBEDTLS_ASN1_CONSTRUCTED | MBEDTLS_ASN1_SEQUENCE ) ); - return mbedtls_x509write_crt_set_extension( ctx, MBEDTLS_OID_BASIC_CONSTRAINTS, - MBEDTLS_OID_SIZE( MBEDTLS_OID_BASIC_CONSTRAINTS ), - 0, buf + sizeof(buf) - len, len ); + return( + mbedtls_x509write_crt_set_extension( ctx, MBEDTLS_OID_BASIC_CONSTRAINTS, + MBEDTLS_OID_SIZE( MBEDTLS_OID_BASIC_CONSTRAINTS ), + 0, buf + sizeof(buf) - len, len ) ); } #if defined(MBEDTLS_SHA1_C) @@ -171,7 +180,8 @@ int mbedtls_x509write_crt_set_subject_key_identifier( mbedtls_x509write_cert *ct size_t len = 0; memset( buf, 0, sizeof(buf) ); - MBEDTLS_ASN1_CHK_ADD( len, mbedtls_pk_write_pubkey( &c, buf, ctx->subject_key ) ); + MBEDTLS_ASN1_CHK_ADD( len, + mbedtls_pk_write_pubkey( &c, buf, ctx->subject_key ) ); ret = mbedtls_sha1_ret( buf + sizeof( buf ) - len, len, buf + sizeof( buf ) - 20 ); @@ -181,11 +191,13 @@ int mbedtls_x509write_crt_set_subject_key_identifier( mbedtls_x509write_cert *ct len = 20; MBEDTLS_ASN1_CHK_ADD( len, mbedtls_asn1_write_len( &c, buf, len ) ); - MBEDTLS_ASN1_CHK_ADD( len, mbedtls_asn1_write_tag( &c, buf, MBEDTLS_ASN1_OCTET_STRING ) ); + MBEDTLS_ASN1_CHK_ADD( len, + mbedtls_asn1_write_tag( &c, buf, MBEDTLS_ASN1_OCTET_STRING ) ); - return mbedtls_x509write_crt_set_extension( ctx, MBEDTLS_OID_SUBJECT_KEY_IDENTIFIER, - MBEDTLS_OID_SIZE( MBEDTLS_OID_SUBJECT_KEY_IDENTIFIER ), - 0, buf + sizeof(buf) - len, len ); + return mbedtls_x509write_crt_set_extension( ctx, + MBEDTLS_OID_SUBJECT_KEY_IDENTIFIER, + MBEDTLS_OID_SIZE( MBEDTLS_OID_SUBJECT_KEY_IDENTIFIER ), + 0, buf + sizeof(buf) - len, len ); } int mbedtls_x509write_crt_set_authority_key_identifier( mbedtls_x509write_cert *ctx ) @@ -196,7 +208,8 @@ int mbedtls_x509write_crt_set_authority_key_identifier( mbedtls_x509write_cert * size_t len = 0; memset( buf, 0, sizeof(buf) ); - MBEDTLS_ASN1_CHK_ADD( len, mbedtls_pk_write_pubkey( &c, buf, ctx->issuer_key ) ); + MBEDTLS_ASN1_CHK_ADD( len, + mbedtls_pk_write_pubkey( &c, buf, ctx->issuer_key ) ); ret = mbedtls_sha1_ret( buf + sizeof( buf ) - len, len, buf + sizeof( buf ) - 20 ); @@ -206,15 +219,19 @@ int mbedtls_x509write_crt_set_authority_key_identifier( mbedtls_x509write_cert * len = 20; MBEDTLS_ASN1_CHK_ADD( len, mbedtls_asn1_write_len( &c, buf, len ) ); - MBEDTLS_ASN1_CHK_ADD( len, mbedtls_asn1_write_tag( &c, buf, MBEDTLS_ASN1_CONTEXT_SPECIFIC | 0 ) ); + MBEDTLS_ASN1_CHK_ADD( len, + mbedtls_asn1_write_tag( &c, buf, MBEDTLS_ASN1_CONTEXT_SPECIFIC | 0 ) ); MBEDTLS_ASN1_CHK_ADD( len, mbedtls_asn1_write_len( &c, buf, len ) ); - MBEDTLS_ASN1_CHK_ADD( len, mbedtls_asn1_write_tag( &c, buf, MBEDTLS_ASN1_CONSTRUCTED | - MBEDTLS_ASN1_SEQUENCE ) ); + MBEDTLS_ASN1_CHK_ADD( len, + mbedtls_asn1_write_tag( &c, buf, + MBEDTLS_ASN1_CONSTRUCTED | + MBEDTLS_ASN1_SEQUENCE ) ); - return mbedtls_x509write_crt_set_extension( ctx, MBEDTLS_OID_AUTHORITY_KEY_IDENTIFIER, - MBEDTLS_OID_SIZE( MBEDTLS_OID_AUTHORITY_KEY_IDENTIFIER ), - 0, buf + sizeof( buf ) - len, len ); + return mbedtls_x509write_crt_set_extension( + ctx, MBEDTLS_OID_AUTHORITY_KEY_IDENTIFIER, + MBEDTLS_OID_SIZE( MBEDTLS_OID_AUTHORITY_KEY_IDENTIFIER ), + 0, buf + sizeof( buf ) - len, len ); } #endif /* MBEDTLS_SHA1_C */ @@ -249,8 +266,8 @@ int mbedtls_x509write_crt_set_key_usage( mbedtls_x509write_cert *ctx, return( MBEDTLS_ERR_X509_INVALID_FORMAT ); ret = mbedtls_x509write_crt_set_extension( ctx, MBEDTLS_OID_KEY_USAGE, - MBEDTLS_OID_SIZE( MBEDTLS_OID_KEY_USAGE ), - 1, c, (size_t)ret ); + MBEDTLS_OID_SIZE( MBEDTLS_OID_KEY_USAGE ), + 1, c, (size_t)ret ); if( ret != 0 ) return( ret ); @@ -271,8 +288,8 @@ int mbedtls_x509write_crt_set_ns_cert_type( mbedtls_x509write_cert *ctx, return( ret ); ret = mbedtls_x509write_crt_set_extension( ctx, MBEDTLS_OID_NS_CERT_TYPE, - MBEDTLS_OID_SIZE( MBEDTLS_OID_NS_CERT_TYPE ), - 0, c, (size_t)ret ); + MBEDTLS_OID_SIZE( MBEDTLS_OID_NS_CERT_TYPE ), + 0, c, (size_t)ret ); if( ret != 0 ) return( ret ); @@ -294,7 +311,8 @@ static int x509_write_time( unsigned char **p, unsigned char *start, (const unsigned char *) t + 2, size - 2 ) ); MBEDTLS_ASN1_CHK_ADD( len, mbedtls_asn1_write_len( p, start, len ) ); - MBEDTLS_ASN1_CHK_ADD( len, mbedtls_asn1_write_tag( p, start, MBEDTLS_ASN1_UTC_TIME ) ); + MBEDTLS_ASN1_CHK_ADD( len, mbedtls_asn1_write_tag( p, start, + MBEDTLS_ASN1_UTC_TIME ) ); } else { @@ -302,15 +320,17 @@ static int x509_write_time( unsigned char **p, unsigned char *start, (const unsigned char *) t, size ) ); MBEDTLS_ASN1_CHK_ADD( len, mbedtls_asn1_write_len( p, start, len ) ); - MBEDTLS_ASN1_CHK_ADD( len, mbedtls_asn1_write_tag( p, start, MBEDTLS_ASN1_GENERALIZED_TIME ) ); + MBEDTLS_ASN1_CHK_ADD( len, mbedtls_asn1_write_tag( p, start, + MBEDTLS_ASN1_GENERALIZED_TIME ) ); } return( (int) len ); } -int mbedtls_x509write_crt_der( mbedtls_x509write_cert *ctx, unsigned char *buf, size_t size, - int (*f_rng)(void *, unsigned char *, size_t), - void *p_rng ) +int mbedtls_x509write_crt_der( mbedtls_x509write_cert *ctx, + unsigned char *buf, size_t size, + int (*f_rng)(void *, unsigned char *, size_t), + void *p_rng ) { int ret; const char *sig_oid; @@ -352,27 +372,36 @@ int mbedtls_x509write_crt_der( mbedtls_x509write_cert *ctx, unsigned char *buf, /* Only for v3 */ if( ctx->version == MBEDTLS_X509_CRT_VERSION_3 ) { - MBEDTLS_ASN1_CHK_ADD( len, mbedtls_x509_write_extensions( &c, tmp_buf, ctx->extensions ) ); + MBEDTLS_ASN1_CHK_ADD( len, + mbedtls_x509_write_extensions( &c, + tmp_buf, ctx->extensions ) ); MBEDTLS_ASN1_CHK_ADD( len, mbedtls_asn1_write_len( &c, tmp_buf, len ) ); - MBEDTLS_ASN1_CHK_ADD( len, mbedtls_asn1_write_tag( &c, tmp_buf, MBEDTLS_ASN1_CONSTRUCTED | - MBEDTLS_ASN1_SEQUENCE ) ); + MBEDTLS_ASN1_CHK_ADD( len, + mbedtls_asn1_write_tag( &c, tmp_buf, + MBEDTLS_ASN1_CONSTRUCTED | + MBEDTLS_ASN1_SEQUENCE ) ); MBEDTLS_ASN1_CHK_ADD( len, mbedtls_asn1_write_len( &c, tmp_buf, len ) ); - MBEDTLS_ASN1_CHK_ADD( len, mbedtls_asn1_write_tag( &c, tmp_buf, MBEDTLS_ASN1_CONTEXT_SPECIFIC | - MBEDTLS_ASN1_CONSTRUCTED | 3 ) ); + MBEDTLS_ASN1_CHK_ADD( len, + mbedtls_asn1_write_tag( &c, tmp_buf, + MBEDTLS_ASN1_CONTEXT_SPECIFIC | + MBEDTLS_ASN1_CONSTRUCTED | 3 ) ); } /* * SubjectPublicKeyInfo */ - MBEDTLS_ASN1_CHK_ADD( pub_len, mbedtls_pk_write_pubkey_der( ctx->subject_key, - tmp_buf, c - tmp_buf ) ); + MBEDTLS_ASN1_CHK_ADD( pub_len, + mbedtls_pk_write_pubkey_der( ctx->subject_key, + tmp_buf, c - tmp_buf ) ); c -= pub_len; len += pub_len; /* * Subject ::= Name */ - MBEDTLS_ASN1_CHK_ADD( len, mbedtls_x509_write_names( &c, tmp_buf, ctx->subject ) ); + MBEDTLS_ASN1_CHK_ADD( len, + mbedtls_x509_write_names( &c, tmp_buf, + ctx->subject ) ); /* * Validity ::= SEQUENCE { @@ -381,32 +410,41 @@ int mbedtls_x509write_crt_der( mbedtls_x509write_cert *ctx, unsigned char *buf, */ sub_len = 0; - MBEDTLS_ASN1_CHK_ADD( sub_len, x509_write_time( &c, tmp_buf, ctx->not_after, - MBEDTLS_X509_RFC5280_UTC_TIME_LEN ) ); + MBEDTLS_ASN1_CHK_ADD( sub_len, + x509_write_time( &c, tmp_buf, ctx->not_after, + MBEDTLS_X509_RFC5280_UTC_TIME_LEN ) ); - MBEDTLS_ASN1_CHK_ADD( sub_len, x509_write_time( &c, tmp_buf, ctx->not_before, - MBEDTLS_X509_RFC5280_UTC_TIME_LEN ) ); + MBEDTLS_ASN1_CHK_ADD( sub_len, + x509_write_time( &c, tmp_buf, ctx->not_before, + MBEDTLS_X509_RFC5280_UTC_TIME_LEN ) ); len += sub_len; MBEDTLS_ASN1_CHK_ADD( len, mbedtls_asn1_write_len( &c, tmp_buf, sub_len ) ); - MBEDTLS_ASN1_CHK_ADD( len, mbedtls_asn1_write_tag( &c, tmp_buf, MBEDTLS_ASN1_CONSTRUCTED | - MBEDTLS_ASN1_SEQUENCE ) ); + MBEDTLS_ASN1_CHK_ADD( len, + mbedtls_asn1_write_tag( &c, tmp_buf, + MBEDTLS_ASN1_CONSTRUCTED | + MBEDTLS_ASN1_SEQUENCE ) ); /* * Issuer ::= Name */ - MBEDTLS_ASN1_CHK_ADD( len, mbedtls_x509_write_names( &c, tmp_buf, ctx->issuer ) ); + MBEDTLS_ASN1_CHK_ADD( len, mbedtls_x509_write_names( &c, + tmp_buf, + ctx->issuer ) ); /* * Signature ::= AlgorithmIdentifier */ - MBEDTLS_ASN1_CHK_ADD( len, mbedtls_asn1_write_algorithm_identifier( &c, tmp_buf, - sig_oid, strlen( sig_oid ), 0 ) ); + MBEDTLS_ASN1_CHK_ADD( len, + mbedtls_asn1_write_algorithm_identifier( &c, tmp_buf, + sig_oid, strlen( sig_oid ), 0 ) ); /* * Serial ::= INTEGER */ - MBEDTLS_ASN1_CHK_ADD( len, mbedtls_asn1_write_mpi( &c, tmp_buf, &ctx->serial ) ); + MBEDTLS_ASN1_CHK_ADD( len, mbedtls_asn1_write_mpi( &c, + tmp_buf, + &ctx->serial ) ); /* * Version ::= INTEGER { v1(0), v2(1), v3(2) } @@ -416,16 +454,22 @@ int mbedtls_x509write_crt_der( mbedtls_x509write_cert *ctx, unsigned char *buf, if( ctx->version != MBEDTLS_X509_CRT_VERSION_1 ) { sub_len = 0; - MBEDTLS_ASN1_CHK_ADD( sub_len, mbedtls_asn1_write_int( &c, tmp_buf, ctx->version ) ); + MBEDTLS_ASN1_CHK_ADD( sub_len, + mbedtls_asn1_write_int( &c, tmp_buf, + ctx->version ) ); len += sub_len; - MBEDTLS_ASN1_CHK_ADD( len, mbedtls_asn1_write_len( &c, tmp_buf, sub_len ) ); - MBEDTLS_ASN1_CHK_ADD( len, mbedtls_asn1_write_tag( &c, tmp_buf, MBEDTLS_ASN1_CONTEXT_SPECIFIC | - MBEDTLS_ASN1_CONSTRUCTED | 0 ) ); + MBEDTLS_ASN1_CHK_ADD( len, + mbedtls_asn1_write_len( &c, tmp_buf, sub_len ) ); + MBEDTLS_ASN1_CHK_ADD( len, + mbedtls_asn1_write_tag( &c, tmp_buf, + MBEDTLS_ASN1_CONTEXT_SPECIFIC | + MBEDTLS_ASN1_CONSTRUCTED | 0 ) ); } MBEDTLS_ASN1_CHK_ADD( len, mbedtls_asn1_write_len( &c, tmp_buf, len ) ); - MBEDTLS_ASN1_CHK_ADD( len, mbedtls_asn1_write_tag( &c, tmp_buf, MBEDTLS_ASN1_CONSTRUCTED | - MBEDTLS_ASN1_SEQUENCE ) ); + MBEDTLS_ASN1_CHK_ADD( len, + mbedtls_asn1_write_tag( &c, tmp_buf, MBEDTLS_ASN1_CONSTRUCTED | + MBEDTLS_ASN1_SEQUENCE ) ); /* * Make signature @@ -436,8 +480,9 @@ int mbedtls_x509write_crt_der( mbedtls_x509write_cert *ctx, unsigned char *buf, return( ret ); } - if( ( ret = mbedtls_pk_sign( ctx->issuer_key, ctx->md_alg, hash, 0, sig, &sig_len, - f_rng, p_rng ) ) != 0 ) + if( ( ret = mbedtls_pk_sign( ctx->issuer_key, ctx->md_alg, + hash, 0, sig, &sig_len, + f_rng, p_rng ) ) != 0 ) { return( ret ); } @@ -457,7 +502,8 @@ int mbedtls_x509write_crt_der( mbedtls_x509write_cert *ctx, unsigned char *buf, len += sig_and_oid_len; MBEDTLS_ASN1_CHK_ADD( len, mbedtls_asn1_write_len( &c2, buf, len ) ); - MBEDTLS_ASN1_CHK_ADD( len, mbedtls_asn1_write_tag( &c2, buf, MBEDTLS_ASN1_CONSTRUCTED | + MBEDTLS_ASN1_CHK_ADD( len, mbedtls_asn1_write_tag( &c2, buf, + MBEDTLS_ASN1_CONSTRUCTED | MBEDTLS_ASN1_SEQUENCE ) ); return( (int) len ); @@ -467,9 +513,10 @@ int mbedtls_x509write_crt_der( mbedtls_x509write_cert *ctx, unsigned char *buf, #define PEM_END_CRT "-----END CERTIFICATE-----\n" #if defined(MBEDTLS_PEM_WRITE_C) -int mbedtls_x509write_crt_pem( mbedtls_x509write_cert *crt, unsigned char *buf, size_t size, - int (*f_rng)(void *, unsigned char *, size_t), - void *p_rng ) +int mbedtls_x509write_crt_pem( mbedtls_x509write_cert *crt, + unsigned char *buf, size_t size, + int (*f_rng)(void *, unsigned char *, size_t), + void *p_rng ) { int ret; unsigned char output_buf[4096]; From def43051688d9c08f689839233a829553477dbf1 Mon Sep 17 00:00:00 2001 From: Hanno Becker Date: Sat, 4 May 2019 07:54:36 +0100 Subject: [PATCH 07/33] Perform CRT writing in-place on the output buffer The CRT writing routine mbedtls_x509write_crt_der() prepares the TBS (to-be-signed) part of the CRT in a temporary stack-allocated buffer, copying it to the actual output buffer at the end of the routine. This comes at the cost of a very large stack buffer. Moreover, its size must be hardcoded to an upper bound for the lengths of all CRTs to be written through the routine. So far, this upper bound was set to 2Kb, which isn't sufficient some larger certificates, as was reported e.g. in #2631. This commit fixes this by changing mbedtls_x509write_crt_der() to write the certificate in-place in the output buffer, thereby avoiding the use of a statically sized stack buffer for the TBS. Fixes #2631. --- library/x509write_crt.c | 78 +++++++++++++++++++++++------------------ 1 file changed, 43 insertions(+), 35 deletions(-) diff --git a/library/x509write_crt.c b/library/x509write_crt.c index 6002a6605..fd6b52e2c 100644 --- a/library/x509write_crt.c +++ b/library/x509write_crt.c @@ -338,15 +338,14 @@ int mbedtls_x509write_crt_der( mbedtls_x509write_cert *ctx, unsigned char *c, *c2; unsigned char hash[64]; unsigned char sig[MBEDTLS_MPI_MAX_SIZE]; - unsigned char tmp_buf[2048]; size_t sub_len = 0, pub_len = 0, sig_and_oid_len = 0, sig_len; size_t len = 0; mbedtls_pk_type_t pk_alg; /* - * Prepare data to be signed in tmp_buf + * Prepare data to be signed at the end of the target buffer */ - c = tmp_buf + sizeof( tmp_buf ); + c = buf + size; /* Signature algorithm needed in TBS, and later for actual signature */ @@ -374,15 +373,15 @@ int mbedtls_x509write_crt_der( mbedtls_x509write_cert *ctx, { MBEDTLS_ASN1_CHK_ADD( len, mbedtls_x509_write_extensions( &c, - tmp_buf, ctx->extensions ) ); - MBEDTLS_ASN1_CHK_ADD( len, mbedtls_asn1_write_len( &c, tmp_buf, len ) ); + buf, ctx->extensions ) ); + MBEDTLS_ASN1_CHK_ADD( len, mbedtls_asn1_write_len( &c, buf, len ) ); MBEDTLS_ASN1_CHK_ADD( len, - mbedtls_asn1_write_tag( &c, tmp_buf, + mbedtls_asn1_write_tag( &c, buf, MBEDTLS_ASN1_CONSTRUCTED | MBEDTLS_ASN1_SEQUENCE ) ); - MBEDTLS_ASN1_CHK_ADD( len, mbedtls_asn1_write_len( &c, tmp_buf, len ) ); + MBEDTLS_ASN1_CHK_ADD( len, mbedtls_asn1_write_len( &c, buf, len ) ); MBEDTLS_ASN1_CHK_ADD( len, - mbedtls_asn1_write_tag( &c, tmp_buf, + mbedtls_asn1_write_tag( &c, buf, MBEDTLS_ASN1_CONTEXT_SPECIFIC | MBEDTLS_ASN1_CONSTRUCTED | 3 ) ); } @@ -392,7 +391,7 @@ int mbedtls_x509write_crt_der( mbedtls_x509write_cert *ctx, */ MBEDTLS_ASN1_CHK_ADD( pub_len, mbedtls_pk_write_pubkey_der( ctx->subject_key, - tmp_buf, c - tmp_buf ) ); + buf, c - buf ) ); c -= pub_len; len += pub_len; @@ -400,7 +399,7 @@ int mbedtls_x509write_crt_der( mbedtls_x509write_cert *ctx, * Subject ::= Name */ MBEDTLS_ASN1_CHK_ADD( len, - mbedtls_x509_write_names( &c, tmp_buf, + mbedtls_x509_write_names( &c, buf, ctx->subject ) ); /* @@ -411,39 +410,37 @@ int mbedtls_x509write_crt_der( mbedtls_x509write_cert *ctx, sub_len = 0; MBEDTLS_ASN1_CHK_ADD( sub_len, - x509_write_time( &c, tmp_buf, ctx->not_after, + x509_write_time( &c, buf, ctx->not_after, MBEDTLS_X509_RFC5280_UTC_TIME_LEN ) ); MBEDTLS_ASN1_CHK_ADD( sub_len, - x509_write_time( &c, tmp_buf, ctx->not_before, + x509_write_time( &c, buf, ctx->not_before, MBEDTLS_X509_RFC5280_UTC_TIME_LEN ) ); len += sub_len; - MBEDTLS_ASN1_CHK_ADD( len, mbedtls_asn1_write_len( &c, tmp_buf, sub_len ) ); + MBEDTLS_ASN1_CHK_ADD( len, mbedtls_asn1_write_len( &c, buf, sub_len ) ); MBEDTLS_ASN1_CHK_ADD( len, - mbedtls_asn1_write_tag( &c, tmp_buf, + mbedtls_asn1_write_tag( &c, buf, MBEDTLS_ASN1_CONSTRUCTED | MBEDTLS_ASN1_SEQUENCE ) ); /* * Issuer ::= Name */ - MBEDTLS_ASN1_CHK_ADD( len, mbedtls_x509_write_names( &c, - tmp_buf, + MBEDTLS_ASN1_CHK_ADD( len, mbedtls_x509_write_names( &c, buf, ctx->issuer ) ); /* * Signature ::= AlgorithmIdentifier */ MBEDTLS_ASN1_CHK_ADD( len, - mbedtls_asn1_write_algorithm_identifier( &c, tmp_buf, + mbedtls_asn1_write_algorithm_identifier( &c, buf, sig_oid, strlen( sig_oid ), 0 ) ); /* * Serial ::= INTEGER */ - MBEDTLS_ASN1_CHK_ADD( len, mbedtls_asn1_write_mpi( &c, - tmp_buf, + MBEDTLS_ASN1_CHK_ADD( len, mbedtls_asn1_write_mpi( &c, buf, &ctx->serial ) ); /* @@ -455,25 +452,26 @@ int mbedtls_x509write_crt_der( mbedtls_x509write_cert *ctx, { sub_len = 0; MBEDTLS_ASN1_CHK_ADD( sub_len, - mbedtls_asn1_write_int( &c, tmp_buf, - ctx->version ) ); + mbedtls_asn1_write_int( &c, buf, ctx->version ) ); len += sub_len; MBEDTLS_ASN1_CHK_ADD( len, - mbedtls_asn1_write_len( &c, tmp_buf, sub_len ) ); + mbedtls_asn1_write_len( &c, buf, sub_len ) ); MBEDTLS_ASN1_CHK_ADD( len, - mbedtls_asn1_write_tag( &c, tmp_buf, + mbedtls_asn1_write_tag( &c, buf, MBEDTLS_ASN1_CONTEXT_SPECIFIC | MBEDTLS_ASN1_CONSTRUCTED | 0 ) ); } - MBEDTLS_ASN1_CHK_ADD( len, mbedtls_asn1_write_len( &c, tmp_buf, len ) ); + MBEDTLS_ASN1_CHK_ADD( len, mbedtls_asn1_write_len( &c, buf, len ) ); MBEDTLS_ASN1_CHK_ADD( len, - mbedtls_asn1_write_tag( &c, tmp_buf, MBEDTLS_ASN1_CONSTRUCTED | + mbedtls_asn1_write_tag( &c, buf, MBEDTLS_ASN1_CONSTRUCTED | MBEDTLS_ASN1_SEQUENCE ) ); /* * Make signature */ + + /* Compute hash of CRT. */ if( ( ret = mbedtls_md( mbedtls_md_info_from_type( ctx->md_alg ), c, len, hash ) ) != 0 ) { @@ -487,22 +485,32 @@ int mbedtls_x509write_crt_der( mbedtls_x509write_cert *ctx, return( ret ); } - /* - * Write data to output buffer - */ + /* Move CRT to the front of the buffer to have space + * for the signature. */ + memmove( buf, c, len ); + c = buf + len; + + /* Add signature at the end of the buffer, + * making sure that it doesn't underflow + * into the CRT buffer. */ c2 = buf + size; - MBEDTLS_ASN1_CHK_ADD( sig_and_oid_len, mbedtls_x509_write_sig( &c2, buf, + MBEDTLS_ASN1_CHK_ADD( sig_and_oid_len, mbedtls_x509_write_sig( &c2, c, sig_oid, sig_oid_len, sig, sig_len ) ); - if( len > (size_t)( c2 - buf ) ) - return( MBEDTLS_ERR_ASN1_BUF_TOO_SMALL ); + /* + * Memory layout after this step: + * + * buf c=buf+len c2 buf+size + * [CRT0,...,CRTn, UNUSED, ..., UNUSED, SIG0, ..., SIGm] + */ - c2 -= len; - memcpy( c2, c, len ); + /* Move raw CRT to just before the signature. */ + c = c2 - len; + memmove( c, buf, len ); len += sig_and_oid_len; - MBEDTLS_ASN1_CHK_ADD( len, mbedtls_asn1_write_len( &c2, buf, len ) ); - MBEDTLS_ASN1_CHK_ADD( len, mbedtls_asn1_write_tag( &c2, buf, + MBEDTLS_ASN1_CHK_ADD( len, mbedtls_asn1_write_len( &c, buf, len ) ); + MBEDTLS_ASN1_CHK_ADD( len, mbedtls_asn1_write_tag( &c, buf, MBEDTLS_ASN1_CONSTRUCTED | MBEDTLS_ASN1_SEQUENCE ) ); From 4063ad22b39ca44e229f3499776a76cb3d6da2ae Mon Sep 17 00:00:00 2001 From: Hanno Becker Date: Sat, 4 May 2019 08:12:47 +0100 Subject: [PATCH 08/33] Improve documentation of mbedtls_pem_write_buffer() In particular, mention that it supports overlapping input and output buffers. --- include/mbedtls/pem.h | 30 ++++++++++++++++++++---------- 1 file changed, 20 insertions(+), 10 deletions(-) diff --git a/include/mbedtls/pem.h b/include/mbedtls/pem.h index a29e9ce30..b37f9873a 100644 --- a/include/mbedtls/pem.h +++ b/include/mbedtls/pem.h @@ -112,17 +112,27 @@ void mbedtls_pem_free( mbedtls_pem_context *ctx ); * \brief Write a buffer of PEM information from a DER encoded * buffer. * - * \param header header string to write - * \param footer footer string to write - * \param der_data DER data to write - * \param der_len length of the DER data - * \param buf buffer to write to - * \param buf_len length of output buffer - * \param olen total length written / required (if buf_len is not enough) + * \param header The header string to write. + * \param footer The footer string to write. + * \param der_data The DER data to encode. + * \param der_len The length of the DER data \p der_data in Bytes. + * \param buf The buffer to write to. + * \param buf_len The length of the output buffer \p buf in Bytes. + * \param olen The address at which to store the total length written + * or required (if \p buf_len is not enough). * - * \return 0 on success, or a specific PEM or BASE64 error code. On - * MBEDTLS_ERR_BASE64_BUFFER_TOO_SMALL olen is the required - * size. + * \note You may pass \c NULL for \p buf and \c 0 for \p buf_len + * to request the length of the resulting PEM buffer in + * `*olen`. + * + * \note This function may be called with overlapping \p der_data + * and \p buf buffers. + * + * \return \c 0 on success. + * \return #MBEDTLS_ERR_BASE64_BUFFER_TOO_SMALL if \p buf isn't large + * enough to hold the PEM buffer. In this case, `*olen` holds + * the required minimum size of \p buf. + * \return Another PEM or BASE64 error code on other kinds of failure. */ int mbedtls_pem_write_buffer( const char *header, const char *footer, const unsigned char *der_data, size_t der_len, From 67d42597a96d3c5b537fe6eecd760045bce417f7 Mon Sep 17 00:00:00 2001 From: Hanno Becker Date: Sat, 4 May 2019 08:13:23 +0100 Subject: [PATCH 09/33] Avoid use of large stack buffers in mbedtls_x509_write_crt_pem() This commit rewrites mbedtls_x509write_crt_pem() to not use a statically size stack buffer to temporarily store the DER encoded form of the certificate to be written. This is not necessary because the DER-to-PEM conversion accepts overlapping input and output buffers. --- library/x509write_crt.c | 9 ++++----- 1 file changed, 4 insertions(+), 5 deletions(-) diff --git a/library/x509write_crt.c b/library/x509write_crt.c index fd6b52e2c..3c2321403 100644 --- a/library/x509write_crt.c +++ b/library/x509write_crt.c @@ -527,18 +527,17 @@ int mbedtls_x509write_crt_pem( mbedtls_x509write_cert *crt, void *p_rng ) { int ret; - unsigned char output_buf[4096]; - size_t olen = 0; + size_t olen; - if( ( ret = mbedtls_x509write_crt_der( crt, output_buf, sizeof(output_buf), + if( ( ret = mbedtls_x509write_crt_der( crt, buf, size, f_rng, p_rng ) ) < 0 ) { return( ret ); } if( ( ret = mbedtls_pem_write_buffer( PEM_BEGIN_CRT, PEM_END_CRT, - output_buf + sizeof(output_buf) - ret, - ret, buf, size, &olen ) ) != 0 ) + buf + size - ret, ret, + buf, size, &olen ) ) != 0 ) { return( ret ); } From 73540c07771748fcf552755f55395d7cf7061695 Mon Sep 17 00:00:00 2001 From: Hanno Becker Date: Sat, 4 May 2019 08:18:09 +0100 Subject: [PATCH 10/33] Adapt ChangeLog --- ChangeLog | 3 +++ 1 file changed, 3 insertions(+) diff --git a/ChangeLog b/ChangeLog index 58ff14734..c7154ba3a 100644 --- a/ChangeLog +++ b/ChangeLog @@ -33,6 +33,9 @@ Bugfix for the parameter. * Add a check for MBEDTLS_X509_CRL_PARSE_C in ssl_server2, guarding the crl sni entry parameter. Reported by inestlerode in #560. + * Avoid use of statically sized stack buffers for certificate writing. + This previously limited the maximum size of DER encoded certificates + in mbedtls_x509write_crt_der() to 2Kb. Reported by soccerGB in #2631. Changes * Server's RSA certificate in certs.c was SHA-1 signed. In the default From 661d72504400c9fc2bc89ef1d1330e389ff68f93 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?S=C3=A9bastien=20Duquette?= Date: Sun, 23 Jun 2019 17:45:26 -0400 Subject: [PATCH 11/33] Deref pointer when using sizeof in x509_get_other_name Fix for #2716. --- ChangeLog | 1 + library/x509_crt.c | 6 +++--- 2 files changed, 4 insertions(+), 3 deletions(-) diff --git a/ChangeLog b/ChangeLog index a46100878..23b62b4e9 100644 --- a/ChangeLog +++ b/ChangeLog @@ -74,6 +74,7 @@ Bugfix irwir. * Enable Suite B with subset of ECP curves. Make sure the code compiles even if some curves are not defined. Fixes #1591 reported by dbedev. + * Fix partial zeroing in x509_get_other_name. Found and fixed by ekse, #2716. API Changes * Extend the MBEDTLS_SSL_EXPORT_KEYS to export the handshake randbytes, diff --git a/library/x509_crt.c b/library/x509_crt.c index d101bc748..b2c19db68 100644 --- a/library/x509_crt.c +++ b/library/x509_crt.c @@ -1687,7 +1687,7 @@ static int x509_get_other_name( const mbedtls_x509_buf *subject_alt_name, if( p + len >= end ) { - mbedtls_platform_zeroize( other_name, sizeof( other_name ) ); + mbedtls_platform_zeroize( other_name, sizeof( *other_name ) ); return( MBEDTLS_ERR_X509_INVALID_EXTENSIONS + MBEDTLS_ERR_ASN1_LENGTH_MISMATCH ); } @@ -1709,7 +1709,7 @@ static int x509_get_other_name( const mbedtls_x509_buf *subject_alt_name, if( p + len >= end ) { - mbedtls_platform_zeroize( other_name, sizeof( other_name ) ); + mbedtls_platform_zeroize( other_name, sizeof( *other_name ) ); return( MBEDTLS_ERR_X509_INVALID_EXTENSIONS + MBEDTLS_ERR_ASN1_LENGTH_MISMATCH ); } @@ -1725,7 +1725,7 @@ static int x509_get_other_name( const mbedtls_x509_buf *subject_alt_name, if( p != end ) { mbedtls_platform_zeroize( other_name, - sizeof( other_name ) ); + sizeof( *other_name ) ); return( MBEDTLS_ERR_X509_INVALID_EXTENSIONS + MBEDTLS_ERR_ASN1_LENGTH_MISMATCH ); } From 3278081428d3088f491e3639eedc1ce56b8730a8 Mon Sep 17 00:00:00 2001 From: Ashley Duncan Date: Mon, 29 Apr 2019 20:35:06 +1200 Subject: [PATCH 12/33] Remove use of CMAKE_SOURCE_DIR Remove use of CMAKE_SOURCE_DIR in case mbedtls is built from within another CMake project. Define MBEDTLS_DIR to ${CMAKE_CURRENT_SOURCE_DIR} in the main CMakeLists.txt file and refer to that when defining target include paths to enable mbedtls to be built as a sub project. Fixes #2609 Signed-off-by: Ashley Duncan Signed-off-by: Jaeden Amero --- CMakeLists.txt | 2 ++ library/CMakeLists.txt | 16 ++++++++-------- 2 files changed, 10 insertions(+), 8 deletions(-) diff --git a/CMakeLists.txt b/CMakeLists.txt index 38c800608..7bbfb201a 100644 --- a/CMakeLists.txt +++ b/CMakeLists.txt @@ -5,6 +5,8 @@ else() project("mbed TLS" C) endif() +set(MBEDTLS_DIR ${CMAKE_CURRENT_SOURCE_DIR}) + option(USE_PKCS11_HELPER_LIBRARY "Build mbed TLS with the pkcs11-helper library." OFF) option(ENABLE_ZLIB_SUPPORT "Build mbed TLS with zlib library." OFF) diff --git a/library/CMakeLists.txt b/library/CMakeLists.txt index 1004cb30b..7f0819ef6 100644 --- a/library/CMakeLists.txt +++ b/library/CMakeLists.txt @@ -151,15 +151,15 @@ if(USE_STATIC_MBEDTLS_LIBRARY) set_target_properties(${mbedx509_static_target} PROPERTIES OUTPUT_NAME mbedx509) target_link_libraries(${mbedx509_static_target} ${libs} ${mbedcrypto_static_target}) target_include_directories(${mbedx509_static_target} - PUBLIC ${CMAKE_SOURCE_DIR}/include/ - PUBLIC ${CMAKE_SOURCE_DIR}/crypto/include/) + PUBLIC ${MBEDTLS_DIR}/include/ + PUBLIC ${MBEDTLS_DIR}/crypto/include/) add_library(${mbedtls_static_target} STATIC ${src_tls}) set_target_properties(${mbedtls_static_target} PROPERTIES OUTPUT_NAME mbedtls) target_link_libraries(${mbedtls_static_target} ${libs} ${mbedx509_static_target}) target_include_directories(${mbedtls_static_target} - PUBLIC ${CMAKE_SOURCE_DIR}/include/ - PUBLIC ${CMAKE_SOURCE_DIR}/crypto/include/ + PUBLIC ${MBEDTLS_DIR}/include/ + PUBLIC ${MBEDTLS_DIR}/crypto/include/ ) @@ -175,15 +175,15 @@ if(USE_SHARED_MBEDTLS_LIBRARY) set_target_properties(mbedx509 PROPERTIES VERSION 2.17.0 SOVERSION 0) target_link_libraries(mbedx509 ${libs} mbedcrypto) target_include_directories(mbedx509 - PUBLIC ${CMAKE_SOURCE_DIR}/include/ - PUBLIC ${CMAKE_SOURCE_DIR}/crypto/include/) + PUBLIC ${MBEDTLS_DIR}/include/ + PUBLIC ${MBEDTLS_DIR}/crypto/include/) add_library(mbedtls SHARED ${src_tls}) set_target_properties(mbedtls PROPERTIES VERSION 2.17.0 SOVERSION 12) target_link_libraries(mbedtls ${libs} mbedx509) target_include_directories(mbedtls - PUBLIC ${CMAKE_SOURCE_DIR}/include/ - PUBLIC ${CMAKE_SOURCE_DIR}/crypto/include/) + PUBLIC ${MBEDTLS_DIR}/include/ + PUBLIC ${MBEDTLS_DIR}/crypto/include/) install(TARGETS mbedtls mbedx509 DESTINATION ${LIB_INSTALL_DIR} From 33b6a99d4d57906e5b468c501f1f8697fabeae06 Mon Sep 17 00:00:00 2001 From: Jaeden Amero Date: Tue, 18 Jun 2019 17:27:20 +0100 Subject: [PATCH 13/33] ChangeLog: Enable builds as a CMake subproject --- ChangeLog | 2 ++ 1 file changed, 2 insertions(+) diff --git a/ChangeLog b/ChangeLog index a46100878..7579b5b83 100644 --- a/ChangeLog +++ b/ChangeLog @@ -103,6 +103,8 @@ Changes * Make it easier to define MBEDTLS_PARAM_FAILED as assert (which config.h suggests). #2671 * Make `make clean` clean all programs always. Fixes #1862. + * Enable building of Mbed TLS as a CMake subproject. Suggested and fixed by + Ashley Duncan in #2609. = mbed TLS 2.17.0 branch released 2019-03-19 From 41421c47975c0899939990ff469f8e9b5fc60dc6 Mon Sep 17 00:00:00 2001 From: Jaeden Amero Date: Thu, 20 Jun 2019 17:26:29 +0100 Subject: [PATCH 14/33] README: Enable builds as a CMake subproject Update the README with information on a newly supported feature: the ability to build Mbed TLS as a subproject of another CMake project. --- README.md | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/README.md b/README.md index 5b0160351..be26f56f8 100644 --- a/README.md +++ b/README.md @@ -146,6 +146,12 @@ Regarding variables, also note that if you set CFLAGS when invoking cmake, your value of CFLAGS doesn't override the content provided by cmake (depending on the build mode as seen above), it's merely prepended to it. +#### Mbed TLS as a subproject + +Mbed TLS, like Mbed Crypto, supports being built as a CMake subproject. One can +use `add_subdirectory()` from a parent CMake project to include Mbed TLS as a +subproject. + ### Microsoft Visual Studio The build files for Microsoft Visual Studio are generated for Visual Studio 2010. From ab83fdf944cab65d9eda3cc1d68223a33f9cff5a Mon Sep 17 00:00:00 2001 From: Jaeden Amero Date: Thu, 20 Jun 2019 17:38:22 +0100 Subject: [PATCH 15/33] CMake: Add a subdirectory build regression test If we have a regression with the "build Mbed TLS as a subdirectory with CMake" feature and fail to build, fail the test. --- programs/test/cmake_subproject/.gitignore | 3 + programs/test/cmake_subproject/CMakeLists.txt | 19 +++++++ .../test/cmake_subproject/cmake_subproject.c | 56 +++++++++++++++++++ tests/scripts/all.sh | 18 ++++++ 4 files changed, 96 insertions(+) create mode 100644 programs/test/cmake_subproject/.gitignore create mode 100644 programs/test/cmake_subproject/CMakeLists.txt create mode 100644 programs/test/cmake_subproject/cmake_subproject.c diff --git a/programs/test/cmake_subproject/.gitignore b/programs/test/cmake_subproject/.gitignore new file mode 100644 index 000000000..464833b93 --- /dev/null +++ b/programs/test/cmake_subproject/.gitignore @@ -0,0 +1,3 @@ +build +Makefile +cmake_subproject diff --git a/programs/test/cmake_subproject/CMakeLists.txt b/programs/test/cmake_subproject/CMakeLists.txt new file mode 100644 index 000000000..f5f4191c2 --- /dev/null +++ b/programs/test/cmake_subproject/CMakeLists.txt @@ -0,0 +1,19 @@ +cmake_minimum_required(VERSION 2.6) + +# We use the parent Mbed TLS directory as the MBEDTLS_DIR for this test. Other +# projects that use Mbed TLS as a subproject are likely to add by their own +# relative paths. +set(MBEDTLS_DIR ../../../) + +# Add Mbed TLS as a subdirectory. +add_subdirectory(${MBEDTLS_DIR} build) + +# Link against all the Mbed TLS libraries. +set(libs + mbedtls + mbedcrypto + mbedx509 +) + +add_executable(cmake_subproject cmake_subproject.c) +target_link_libraries(cmake_subproject ${libs}) diff --git a/programs/test/cmake_subproject/cmake_subproject.c b/programs/test/cmake_subproject/cmake_subproject.c new file mode 100644 index 000000000..ca899bcaf --- /dev/null +++ b/programs/test/cmake_subproject/cmake_subproject.c @@ -0,0 +1,56 @@ +/* + * Simple program to test that CMake builds with Mbed TLS as a subdirectory + * work correctly. + * + * Copyright (C) 2006-2019, ARM Limited, All Rights Reserved + * SPDX-License-Identifier: Apache-2.0 + * + * Licensed under the Apache License, Version 2.0 (the "License"); you may + * not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT + * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + * + * This file is part of mbed TLS (https://tls.mbed.org) + */ + +#if !defined(MBEDTLS_CONFIG_FILE) +#include "mbedtls/config.h" +#else +#include MBEDTLS_CONFIG_FILE +#endif + +#if defined(MBEDTLS_PLATFORM_C) +#include "mbedtls/platform.h" +#else +#include +#include +#define mbedtls_fprintf fprintf +#define mbedtls_printf printf +#define mbedtls_exit exit +#define MBEDTLS_EXIT_SUCCESS EXIT_SUCCESS +#define MBEDTLS_EXIT_FAILURE EXIT_FAILURE +#endif /* MBEDTLS_PLATFORM_C */ + +#include "mbedtls/version.h" + +/* The main reason to build this is for testing the CMake build, so the program + * doesn't need to do very much. It calls a single library function to ensure + * linkage works, but that is all. */ +int main() +{ + /* This version string is 18 bytes long, as advised by version.h. */ + char version[18]; + + mbedtls_version_get_string_full( version ); + + mbedtls_printf( "Built against %s\n", version ); + + return( 0 ); +} diff --git a/tests/scripts/all.sh b/tests/scripts/all.sh index 9d628f88c..d240ddb71 100755 --- a/tests/scripts/all.sh +++ b/tests/scripts/all.sh @@ -242,6 +242,11 @@ cleanup() git checkout -- Makefile library/Makefile programs/Makefile tests/Makefile cd .. + # Remove any artifacts from the component_test_cmake_as_subdirectory test. + rm -rf programs/test/cmake_subproject/build + rm -f programs/test/cmake_subproject/Makefile + rm -f programs/test/cmake_subproject/cmake_subproject + if [ -f "$CONFIG_BAK" ]; then mv "$CONFIG_BAK" "$CONFIG_H" fi @@ -1219,6 +1224,19 @@ component_test_cmake_out_of_source () { unset MBEDTLS_ROOT_DIR } +component_test_cmake_as_subdirectory () { + msg "build: cmake 'as-subdirectory' build" + MBEDTLS_ROOT_DIR="$PWD" + + cd programs/test/cmake_subproject + cmake . + make + if_build_succeeded ./cmake_subproject + + cd "$MBEDTLS_ROOT_DIR" + unset MBEDTLS_ROOT_DIR +} + component_test_zeroize () { # Test that the function mbedtls_platform_zeroize() is not optimized away by # different combinations of compilers and optimization flags by using an From c2d56a4446a6ac74a94c20c5db9dfc2a3bae62e9 Mon Sep 17 00:00:00 2001 From: Gilles Peskine Date: Tue, 25 Jun 2019 18:52:06 +0200 Subject: [PATCH 16/33] Allow declarations after statements We officially allow C99, so don't forbid this C99 feature. --- CMakeLists.txt | 4 ++-- library/Makefile | 2 +- programs/Makefile | 2 +- tests/Makefile | 2 +- 4 files changed, 5 insertions(+), 5 deletions(-) diff --git a/CMakeLists.txt b/CMakeLists.txt index 38c800608..b0e640160 100644 --- a/CMakeLists.txt +++ b/CMakeLists.txt @@ -127,7 +127,7 @@ if(CMAKE_COMPILER_IS_GNU) # note: starting with CMake 2.8 we could use CMAKE_C_COMPILER_VERSION execute_process(COMMAND ${CMAKE_C_COMPILER} -dumpversion OUTPUT_VARIABLE GCC_VERSION) - set(CMAKE_C_FLAGS "${CMAKE_C_FLAGS} -Wall -Wextra -W -Wdeclaration-after-statement -Wwrite-strings") + set(CMAKE_C_FLAGS "${CMAKE_C_FLAGS} -Wall -Wextra -W -Wwrite-strings") if (GCC_VERSION VERSION_GREATER 4.5 OR GCC_VERSION VERSION_EQUAL 4.5) set(CMAKE_C_FLAGS "${CMAKE_C_FLAGS} -Wlogical-op") endif() @@ -144,7 +144,7 @@ if(CMAKE_COMPILER_IS_GNU) endif(CMAKE_COMPILER_IS_GNU) if(CMAKE_COMPILER_IS_CLANG) - set(CMAKE_C_FLAGS "${CMAKE_C_FLAGS} -Wall -Wextra -W -Wdeclaration-after-statement -Wwrite-strings -Wpointer-arith -Wimplicit-fallthrough -Wshadow") + set(CMAKE_C_FLAGS "${CMAKE_C_FLAGS} -Wall -Wextra -W -Wwrite-strings -Wpointer-arith -Wimplicit-fallthrough -Wshadow") set(CMAKE_C_FLAGS_RELEASE "-O2") set(CMAKE_C_FLAGS_DEBUG "-O0 -g3") set(CMAKE_C_FLAGS_COVERAGE "-O0 -g3 --coverage") diff --git a/library/Makefile b/library/Makefile index 60f3ae0d3..098b11150 100644 --- a/library/Makefile +++ b/library/Makefile @@ -2,7 +2,7 @@ # Also see "include/mbedtls/config.h" CFLAGS ?= -O2 -WARNING_CFLAGS ?= -Wall -W -Wdeclaration-after-statement +WARNING_CFLAGS ?= -Wall -W LDFLAGS ?= LOCAL_CFLAGS = $(WARNING_CFLAGS) -I../include -D_FILE_OFFSET_BITS=64 diff --git a/programs/Makefile b/programs/Makefile index 2cb736622..93bbb66e1 100644 --- a/programs/Makefile +++ b/programs/Makefile @@ -3,7 +3,7 @@ # To compile with PKCS11: add "-lpkcs11-helper" to LDFLAGS CFLAGS ?= -O2 -WARNING_CFLAGS ?= -Wall -W -Wdeclaration-after-statement +WARNING_CFLAGS ?= -Wall -W WARNING_CXXFLAGS ?= -Wall -W LDFLAGS ?= diff --git a/tests/Makefile b/tests/Makefile index 27ce33895..40ff5b0a4 100644 --- a/tests/Makefile +++ b/tests/Makefile @@ -3,7 +3,7 @@ # To compile with PKCS11: add "-lpkcs11-helper" to LDFLAGS CFLAGS ?= -O2 -WARNING_CFLAGS ?= -Wall -W -Wdeclaration-after-statement -Wunused +WARNING_CFLAGS ?= -Wall -W -Wunused LDFLAGS ?= LOCAL_CFLAGS = $(WARNING_CFLAGS) -I../include -D_FILE_OFFSET_BITS=64 From 0069ab7d9646aa2d61041f85fbc63020e2d96035 Mon Sep 17 00:00:00 2001 From: Jaeden Amero Date: Mon, 24 Jun 2019 18:08:40 +0100 Subject: [PATCH 17/33] ChangeLog: Add ChangeLog entry for #2681 --- ChangeLog | 3 +++ 1 file changed, 3 insertions(+) diff --git a/ChangeLog b/ChangeLog index a46100878..18de01521 100644 --- a/ChangeLog +++ b/ChangeLog @@ -103,6 +103,9 @@ Changes * Make it easier to define MBEDTLS_PARAM_FAILED as assert (which config.h suggests). #2671 * Make `make clean` clean all programs always. Fixes #1862. + * Add `reproducible` option to `ssl_client2` and `ssl_server2` to enable + test runs without variability. Contributed by Philippe Antoine (Catena + cyber) in #2681. = mbed TLS 2.17.0 branch released 2019-03-19 From e4e2d3a39628aef2af8113a3f55e4623e621f0a5 Mon Sep 17 00:00:00 2001 From: Peter Kolbus Date: Mon, 24 Dec 2018 09:04:54 -0600 Subject: [PATCH 18/33] Add docker-based test scripts Enable running tests under Docker. This makes it easier to spin up an environment with all dependencies (especially the multiple versions of openssl and gnutls needed). * tests/docker/xenial/Dockerfile: Definition for the docker image, including local builds for openssl and gnutls. * tests/scripts/docker_env.sh: New helper script that creates the Docker image and has a function to run a command in the Docker container. * tests/docker/all-in-docker.sh: Wrapper for all.sh under Docker. * tests/docker/basic-in-docker.sh: Script that runs the same commands as .travis.yml, in Docker. * tests/ssl-opt-in-docker.sh: Wrapper to run ssl-opt.sh in Docker. * tests/compat-in-docker.sh: Wrapper to run compat.sh in Docker. * tests/make-in-docker.sh: Wrapper to run make in Docker. Change-Id: Ie092b1deed24c24c3859754535589523ce1d0a58 --- ChangeLog | 3 + tests/compat-in-docker.sh | 52 +++++++++++ tests/docker/xenial/Dockerfile | 153 +++++++++++++++++++++++++++++++ tests/make-in-docker.sh | 18 ++++ tests/scripts/all-in-docker.sh | 24 +++++ tests/scripts/basic-in-docker.sh | 37 ++++++++ tests/scripts/docker_env.sh | 75 +++++++++++++++ tests/ssl-opt-in-docker.sh | 52 +++++++++++ 8 files changed, 414 insertions(+) create mode 100755 tests/compat-in-docker.sh create mode 100644 tests/docker/xenial/Dockerfile create mode 100755 tests/make-in-docker.sh create mode 100755 tests/scripts/all-in-docker.sh create mode 100755 tests/scripts/basic-in-docker.sh create mode 100755 tests/scripts/docker_env.sh create mode 100755 tests/ssl-opt-in-docker.sh diff --git a/ChangeLog b/ChangeLog index a46100878..33c4d8bb4 100644 --- a/ChangeLog +++ b/ChangeLog @@ -103,6 +103,9 @@ Changes * Make it easier to define MBEDTLS_PARAM_FAILED as assert (which config.h suggests). #2671 * Make `make clean` clean all programs always. Fixes #1862. + * Add a Dockerfile and helper scripts (all-in-docker.sh, basic-in-docker.sh, + docker-env.sh) to simplify running test suites on a Linux host. Contributed + by Peter Kolbus (Garmin). = mbed TLS 2.17.0 branch released 2019-03-19 diff --git a/tests/compat-in-docker.sh b/tests/compat-in-docker.sh new file mode 100755 index 000000000..bbb860a3d --- /dev/null +++ b/tests/compat-in-docker.sh @@ -0,0 +1,52 @@ +#!/bin/bash -eu + +# compat-in-docker.sh +# +# This file is part of mbed TLS (https://tls.mbed.org) +# +# Copyright (c) 2019, ARM Limited, All Rights Reserved +# +# Purpose +# ------- +# This runs compat.sh in a Docker container. +# +# Notes for users +# --------------- +# If OPENSSL_CMD, GNUTLS_CLI, or GNUTLS_SERV are specified the path must +# correspond to an executable inside the Docker container. The special +# values "next" (OpenSSL only) and "legacy" are also allowed as shorthand +# for the installations inside the container. +# +# See also: +# - scripts/docker_env.sh for general Docker prerequisites and other information. +# - compat.sh for notes about invocation of that script. + +source tests/scripts/docker_env.sh + +case "${OPENSSL_CMD:-default}" in + "legacy") export OPENSSL_CMD="/usr/local/openssl-1.0.1j/bin/openssl";; + "next") export OPENSSL_CMD="/usr/local/openssl-1.1.1a/bin/openssl";; + *) ;; +esac + +case "${GNUTLS_CLI:-default}" in + "legacy") export GNUTLS_CLI="/usr/local/gnutls-3.3.8/bin/gnutls-cli";; + "next") export GNUTLS_CLI="/usr/local/gnutls-3.6.5/bin/gnutls-cli";; + *) ;; +esac + +case "${GNUTLS_SERV:-default}" in + "legacy") export GNUTLS_SERV="/usr/local/gnutls-3.3.8/bin/gnutls-serv";; + "next") export GNUTLS_SERV="/usr/local/gnutls-3.6.5/bin/gnutls-serv";; + *) ;; +esac + +run_in_docker \ + -e M_CLI \ + -e M_SRV \ + -e GNUTLS_CLI \ + -e GNUTLS_SERV \ + -e OPENSSL_CMD \ + -e OSSL_NO_DTLS \ + tests/compat.sh \ + $@ diff --git a/tests/docker/xenial/Dockerfile b/tests/docker/xenial/Dockerfile new file mode 100644 index 000000000..4573af9ed --- /dev/null +++ b/tests/docker/xenial/Dockerfile @@ -0,0 +1,153 @@ +# +# This file is part of mbed TLS (https://tls.mbed.org) +# +# Copyright (c) 2018-2019, ARM Limited, All Rights Reserved +# +# Purpose +# +# Defines a Docker container suitable to build and run all tests (all.sh), +# except for those that use a proprietary toolchain. + +FROM ubuntu:xenial + +ARG MAKEFLAGS_PARALLEL="" + +ENV DEBIAN_FRONTEND noninteractive + +RUN apt update \ + && apt -y install software-properties-common \ + && rm -rf /var/lib/apt/lists + +RUN add-apt-repository -y ppa:team-gcc-arm-embedded/ppa + +RUN apt-get update \ + && apt-get -y install \ + # mbedtls build/test dependencies + build-essential \ + clang \ + cmake \ + doxygen \ + gcc-arm-none-eabi \ + gcc-mingw-w64-i686 \ + gcc-multilib \ + g++-multilib \ + gdb \ + git \ + graphviz \ + lsof \ + python \ + python3-pip \ + python3 \ + pylint3 \ + valgrind \ + wget \ + # libnettle build dependencies + libgmp-dev \ + m4 \ + pkg-config \ + && rm -rf /var/lib/apt/lists/* + +# Build a static, legacy openssl from sources with sslv3 enabled +# Based on https://gist.github.com/bmaupin/8caca3a1e8c3c5686141 (build-openssl.sh) +# Note: openssl-1.0.2 and earlier has known build issues with parallel make. +RUN cd /tmp \ + && wget https://www.openssl.org/source/old/1.0.1/openssl-1.0.1j.tar.gz -qO- | tar xz \ + && cd openssl-1.0.1j \ + && ./config --openssldir=/usr/local/openssl-1.0.1j no-shared \ + && (make ${MAKEFLAGS_PARALLEL} || make -j 1) \ + && make install_sw \ + && rm -rf /tmp/openssl* +ENV OPENSSL_LEGACY=/usr/local/openssl-1.0.1j/bin/openssl + +# Build OPENSSL as 1.0.2g +RUN cd /tmp \ + && wget https://www.openssl.org/source/old/1.0.2/openssl-1.0.2g.tar.gz -qO- | tar xz \ + && cd openssl-1.0.2g \ + && ./config --openssldir=/usr/local/openssl-1.0.2g no-shared \ + && (make ${MAKEFLAGS_PARALLEL} || make -j 1) \ + && make install_sw \ + && rm -rf /tmp/openssl* +ENV OPENSSL=/usr/local/openssl-1.0.2g/bin/openssl + +# Build a new openssl binary for ARIA/CHACHA20 support +# Based on https://gist.github.com/bmaupin/8caca3a1e8c3c5686141 (build-openssl.sh) +RUN cd /tmp \ + && wget https://www.openssl.org/source/openssl-1.1.1a.tar.gz -qO- | tar xz \ + && cd openssl-1.1.1a \ + && ./config --prefix=/usr/local/openssl-1.1.1a -Wl,--enable-new-dtags,-rpath,'${LIBRPATH}' no-shared \ + && make ${MAKEFLAGS_PARALLEL} \ + && make install_sw \ + && rm -rf /tmp/openssl* +ENV OPENSSL_NEXT=/usr/local/openssl-1.1.1a/bin/openssl + +# Build libnettle 2.7.1 (needed by legacy gnutls) +RUN cd /tmp \ + && wget https://ftp.gnu.org/gnu/nettle/nettle-2.7.1.tar.gz -qO- | tar xz \ + && cd nettle-2.7.1 \ + && ./configure --disable-documentation \ + && make ${MAKEFLAGS_PARALLEL} \ + && make install \ + && /sbin/ldconfig \ + && rm -rf /tmp/nettle* + +# Build legacy gnutls (3.3.8) +RUN cd /tmp \ + && wget https://www.gnupg.org/ftp/gcrypt/gnutls/v3.3/gnutls-3.3.8.tar.xz -qO- | tar xJ \ + && cd gnutls-3.3.8 \ + && ./configure --prefix=/usr/local/gnutls-3.3.8 --exec_prefix=/usr/local/gnutls-3.3.8 --disable-shared --disable-guile --disable-doc \ + && make ${MAKEFLAGS_PARALLEL} \ + && make install \ + && rm -rf /tmp/gnutls* +ENV GNUTLS_LEGACY_CLI=/usr/local/gnutls-3.3.8/bin/gnutls-cli +ENV GNUTLS_LEGACY_SERV=/usr/local/gnutls-3.3.8/bin/gnutls-serv + +# Build libnettle 3.1 (needed by gnutls) +RUN cd /tmp \ + && wget https://ftp.gnu.org/gnu/nettle/nettle-3.1.tar.gz -qO- | tar xz \ + && cd nettle-3.1 \ + && ./configure --disable-documentation \ + && make ${MAKEFLAGS_PARALLEL} \ + && make install \ + && /sbin/ldconfig \ + && rm -rf /tmp/nettle* + +# Build gnutls (3.4.10) +RUN cd /tmp \ + && wget https://www.gnupg.org/ftp/gcrypt/gnutls/v3.4/gnutls-3.4.10.tar.xz -qO- | tar xJ \ + && cd gnutls-3.4.10 \ + && ./configure --prefix=/usr/local/gnutls-3.4.10 --exec_prefix=/usr/local/gnutls-3.4.10 \ + --with-included-libtasn1 --without-p11-kit \ + --disable-shared --disable-guile --disable-doc \ + && make ${MAKEFLAGS_PARALLEL} \ + && make install \ + && rm -rf /tmp/gnutls* +ENV GNUTLS_CLI=/usr/local/gnutls-3.4.10/bin/gnutls-cli +ENV GNUTLS_SERV=/usr/local/gnutls-3.4.10/bin/gnutls-serv + +# Build libnettle 3.4 (needed by gnutls next) +RUN cd /tmp \ + && wget https://ftp.gnu.org/gnu/nettle/nettle-3.4.1.tar.gz -qO- | tar xz \ + && cd nettle-3.4.1 \ + && ./configure --disable-documentation \ + && make ${MAKEFLAGS_PARALLEL} \ + && make install \ + && /sbin/ldconfig \ + && rm -rf /tmp/nettle* + +# Build gnutls next (3.6.5) +RUN cd /tmp \ + && wget https://www.gnupg.org/ftp/gcrypt/gnutls/v3.6/gnutls-3.6.5.tar.xz -qO- | tar xJ \ + && cd gnutls-3.6.5 \ + && ./configure --prefix=/usr/local/gnutls-3.6.5 --exec_prefix=/usr/local/gnutls-3.6.5 \ + --with-included-libtasn1 --with-included-unistring --without-p11-kit \ + --disable-shared --disable-guile --disable-doc \ + && make ${MAKEFLAGS_PARALLEL} \ + && make install \ + && rm -rf /tmp/gnutls* + +ENV GNUTLS_NEXT_CLI=/usr/local/gnutls-3.6.5/bin/gnutls-cli +ENV GNUTLS_NEXT_SERV=/usr/local/gnutls-3.6.5/bin/gnutls-serv + +RUN pip3 install --no-cache-dir \ + mbed-host-tests \ + mock diff --git a/tests/make-in-docker.sh b/tests/make-in-docker.sh new file mode 100755 index 000000000..2f8b90109 --- /dev/null +++ b/tests/make-in-docker.sh @@ -0,0 +1,18 @@ +#!/bin/bash -eu + +# make-in-docker.sh +# +# This file is part of mbed TLS (https://tls.mbed.org) +# +# Copyright (c) 2019, ARM Limited, All Rights Reserved +# +# Purpose +# ------- +# This runs make in a Docker container. +# +# See also: +# - scripts/docker_env.sh for general Docker prerequisites and other information. + +source tests/scripts/docker_env.sh + +run_in_docker make $@ diff --git a/tests/scripts/all-in-docker.sh b/tests/scripts/all-in-docker.sh new file mode 100755 index 000000000..3d5dbf2a8 --- /dev/null +++ b/tests/scripts/all-in-docker.sh @@ -0,0 +1,24 @@ +#!/bin/bash -eu + +# all-in-docker.sh +# +# This file is part of mbed TLS (https://tls.mbed.org) +# +# Copyright (c) 2018-2019, ARM Limited, All Rights Reserved +# +# Purpose +# ------- +# This runs all.sh (except for armcc) in a Docker container. +# +# Notes for users +# --------------- +# See docker_env.sh for prerequisites and other information. +# +# See also all.sh for notes about invocation of that script. + +source tests/scripts/docker_env.sh + +# Run tests that are possible with openly available compilers +run_in_docker tests/scripts/all.sh \ + --no-armcc \ + $@ diff --git a/tests/scripts/basic-in-docker.sh b/tests/scripts/basic-in-docker.sh new file mode 100755 index 000000000..cfb72f4cc --- /dev/null +++ b/tests/scripts/basic-in-docker.sh @@ -0,0 +1,37 @@ +#!/bin/bash -eu + +# basic-in-docker.sh +# +# This file is part of mbed TLS (https://tls.mbed.org) +# +# Copyright (c) 2018-2019, ARM Limited, All Rights Reserved +# +# Purpose +# ------- +# This runs a rough equivalent of the travis.yml in a Docker container. +# The tests are run for both clang and gcc. +# +# Notes for users +# --------------- +# See docker_env.sh for prerequisites and other information. + +source tests/scripts/docker_env.sh + +run_in_docker tests/scripts/recursion.pl library/*.c +run_in_docker tests/scripts/check-generated-files.sh +run_in_docker tests/scripts/check-doxy-blocks.pl +run_in_docker tests/scripts/check-names.sh +run_in_docker tests/scripts/check-files.py +run_in_docker tests/scripts/doxygen.sh + +for compiler in clang gcc; do + run_in_docker -e CC=${compiler} cmake -D CMAKE_BUILD_TYPE:String="Check" . + run_in_docker -e CC=${compiler} make + run_in_docker -e CC=${compiler} make test + run_in_docker programs/test/selftest + run_in_docker -e OSSL_NO_DTLS=1 tests/compat.sh + run_in_docker tests/ssl-opt.sh -e '\(DTLS\|SCSV\).*openssl' + run_in_docker tests/scripts/test-ref-configs.pl + run_in_docker tests/scripts/curves.pl + run_in_docker tests/scripts/key-exchanges.pl +done diff --git a/tests/scripts/docker_env.sh b/tests/scripts/docker_env.sh new file mode 100755 index 000000000..3e1ce6125 --- /dev/null +++ b/tests/scripts/docker_env.sh @@ -0,0 +1,75 @@ +#!/bin/bash -eu + +# docker_env.sh +# +# This file is part of mbed TLS (https://tls.mbed.org) +# +# Copyright (c) 2018-2019, ARM Limited, All Rights Reserved +# +# Purpose +# ------- +# +# This is a helper script to enable running tests under a Docker container, +# thus making it easier to get set up as well as isolating test dependencies +# (which include legacy/insecure configurations of openssl and gnutls). +# +# Notes for users +# --------------- +# This script expects a Linux x86_64 system with a recent version of Docker +# installed and available for use, as well as http/https access. If a proxy +# server must be used, invoke this script with the usual environment variables +# (http_proxy and https_proxy) set appropriately. +# +# Running this script directly will check for Docker availability and set up +# the Docker image. + + +# default values, can be overridden by the environment +: ${MBEDTLS_DOCKER_GUEST:=xenial} + + +DOCKER_IMAGE_TAG="armmbed/mbedtls-test:${MBEDTLS_DOCKER_GUEST}" + +# Make sure docker is available +if ! which docker > /dev/null; then + echo "Docker is required but doesn't seem to be installed. See https://www.docker.com/ to get started" + exit 1 +fi + +# Figure out if we need to 'sudo docker' +if groups | grep docker > /dev/null; then + DOCKER="docker" +else + echo "Using sudo to invoke docker since you're not a member of the docker group..." + DOCKER="sudo docker" +fi + +# Build the Docker image +echo "Getting docker image up to date (this may take a few minutes)..." +${DOCKER} image build \ + -t ${DOCKER_IMAGE_TAG} \ + --cache-from=${DOCKER_IMAGE_TAG} \ + --build-arg MAKEFLAGS_PARALLEL="-j $(nproc)" \ + ${http_proxy+--build-arg http_proxy=${http_proxy}} \ + ${https_proxy+--build-arg https_proxy=${https_proxy}} \ + tests/docker/${MBEDTLS_DOCKER_GUEST} + +run_in_docker() +{ + ENV_ARGS="" + while [ "$1" == "-e" ]; do + ENV_ARGS="${ENV_ARGS} $1 $2" + shift 2 + done + + ${DOCKER} container run -it --rm \ + --cap-add SYS_PTRACE \ + --user "$(id -u):$(id -g)" \ + --volume $PWD:$PWD \ + --workdir $PWD \ + -e MAKEFLAGS \ + -e PYLINTHOME=/tmp/.pylintd \ + ${ENV_ARGS} \ + ${DOCKER_IMAGE_TAG} \ + $@ +} diff --git a/tests/ssl-opt-in-docker.sh b/tests/ssl-opt-in-docker.sh new file mode 100755 index 000000000..b3a23fb32 --- /dev/null +++ b/tests/ssl-opt-in-docker.sh @@ -0,0 +1,52 @@ +#!/bin/bash -eu + +# ssl-opt-in-docker.sh +# +# This file is part of mbed TLS (https://tls.mbed.org) +# +# Copyright (c) 2019, ARM Limited, All Rights Reserved +# +# Purpose +# ------- +# This runs ssl-opt.sh in a Docker container. +# +# Notes for users +# --------------- +# If OPENSSL_CMD, GNUTLS_CLI, or GNUTLS_SERV are specified the path must +# correspond to an executable inside the Docker container. The special +# values "next" and "legacy" are also allowed as shorthand for the +# installations inside the container. +# +# See also: +# - scripts/docker_env.sh for general Docker prerequisites and other information. +# - ssl-opt.sh for notes about invocation of that script. + +source tests/scripts/docker_env.sh + +case "${OPENSSL_CMD:-default}" in + "legacy") export OPENSSL_CMD="/usr/local/openssl-1.0.1j/bin/openssl";; + "next") export OPENSSL_CMD="/usr/local/openssl-1.1.1a/bin/openssl";; + *) ;; +esac + +case "${GNUTLS_CLI:-default}" in + "legacy") export GNUTLS_CLI="/usr/local/gnutls-3.3.8/bin/gnutls-cli";; + "next") export GNUTLS_CLI="/usr/local/gnutls-3.6.5/bin/gnutls-cli";; + *) ;; +esac + +case "${GNUTLS_SERV:-default}" in + "legacy") export GNUTLS_SERV="/usr/local/gnutls-3.3.8/bin/gnutls-serv";; + "next") export GNUTLS_SERV="/usr/local/gnutls-3.6.5/bin/gnutls-serv";; + *) ;; +esac + +run_in_docker \ + -e P_SRV \ + -e P_CLI \ + -e P_PXY \ + -e GNUTLS_CLI \ + -e GNUTLS_SERV \ + -e OPENSSL_CMD \ + tests/ssl-opt.sh \ + $@ From 4225b1a966622c9d33b3e757f61b50ee34839d69 Mon Sep 17 00:00:00 2001 From: Peter Kolbus Date: Fri, 31 May 2019 06:38:06 -0500 Subject: [PATCH 19/33] Clean up file prologue comments Update new files to include the same legalese as in aes.h. Editorial touchups in Dockerfile and ssl-opt-in-docker.sh. --- tests/compat-in-docker.sh | 21 +++++++++++++++++---- tests/docker/xenial/Dockerfile | 24 +++++++++++++++++++----- tests/make-in-docker.sh | 21 +++++++++++++++++---- tests/scripts/all-in-docker.sh | 21 +++++++++++++++++---- tests/scripts/basic-in-docker.sh | 21 +++++++++++++++++---- tests/scripts/docker_env.sh | 21 +++++++++++++++++---- tests/ssl-opt-in-docker.sh | 23 ++++++++++++++++++----- 7 files changed, 122 insertions(+), 30 deletions(-) diff --git a/tests/compat-in-docker.sh b/tests/compat-in-docker.sh index bbb860a3d..67a0807b3 100755 --- a/tests/compat-in-docker.sh +++ b/tests/compat-in-docker.sh @@ -2,10 +2,6 @@ # compat-in-docker.sh # -# This file is part of mbed TLS (https://tls.mbed.org) -# -# Copyright (c) 2019, ARM Limited, All Rights Reserved -# # Purpose # ------- # This runs compat.sh in a Docker container. @@ -21,6 +17,23 @@ # - scripts/docker_env.sh for general Docker prerequisites and other information. # - compat.sh for notes about invocation of that script. +# Copyright (C) 2006-2019, Arm Limited (or its affiliates), All Rights Reserved. +# SPDX-License-Identifier: Apache-2.0 +# +# Licensed under the Apache License, Version 2.0 (the "License"); you may +# not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT +# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +# +# This file is part of Mbed TLS (https://tls.mbed.org) + source tests/scripts/docker_env.sh case "${OPENSSL_CMD:-default}" in diff --git a/tests/docker/xenial/Dockerfile b/tests/docker/xenial/Dockerfile index 4573af9ed..f16ae752c 100644 --- a/tests/docker/xenial/Dockerfile +++ b/tests/docker/xenial/Dockerfile @@ -1,13 +1,27 @@ -# -# This file is part of mbed TLS (https://tls.mbed.org) -# -# Copyright (c) 2018-2019, ARM Limited, All Rights Reserved +# Dockerfile # # Purpose -# +# ------- # Defines a Docker container suitable to build and run all tests (all.sh), # except for those that use a proprietary toolchain. +# Copyright (C) 2006-2019, Arm Limited (or its affiliates), All Rights Reserved. +# SPDX-License-Identifier: Apache-2.0 +# +# Licensed under the Apache License, Version 2.0 (the "License"); you may +# not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT +# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +# +# This file is part of Mbed TLS (https://tls.mbed.org) + FROM ubuntu:xenial ARG MAKEFLAGS_PARALLEL="" diff --git a/tests/make-in-docker.sh b/tests/make-in-docker.sh index 2f8b90109..4fbfe1ccb 100755 --- a/tests/make-in-docker.sh +++ b/tests/make-in-docker.sh @@ -2,10 +2,6 @@ # make-in-docker.sh # -# This file is part of mbed TLS (https://tls.mbed.org) -# -# Copyright (c) 2019, ARM Limited, All Rights Reserved -# # Purpose # ------- # This runs make in a Docker container. @@ -13,6 +9,23 @@ # See also: # - scripts/docker_env.sh for general Docker prerequisites and other information. +# Copyright (C) 2006-2019, Arm Limited (or its affiliates), All Rights Reserved. +# SPDX-License-Identifier: Apache-2.0 +# +# Licensed under the Apache License, Version 2.0 (the "License"); you may +# not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT +# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +# +# This file is part of Mbed TLS (https://tls.mbed.org) + source tests/scripts/docker_env.sh run_in_docker make $@ diff --git a/tests/scripts/all-in-docker.sh b/tests/scripts/all-in-docker.sh index 3d5dbf2a8..ee9a09290 100755 --- a/tests/scripts/all-in-docker.sh +++ b/tests/scripts/all-in-docker.sh @@ -2,10 +2,6 @@ # all-in-docker.sh # -# This file is part of mbed TLS (https://tls.mbed.org) -# -# Copyright (c) 2018-2019, ARM Limited, All Rights Reserved -# # Purpose # ------- # This runs all.sh (except for armcc) in a Docker container. @@ -16,6 +12,23 @@ # # See also all.sh for notes about invocation of that script. +# Copyright (C) 2006-2019, Arm Limited (or its affiliates), All Rights Reserved. +# SPDX-License-Identifier: Apache-2.0 +# +# Licensed under the Apache License, Version 2.0 (the "License"); you may +# not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT +# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +# +# This file is part of Mbed TLS (https://tls.mbed.org) + source tests/scripts/docker_env.sh # Run tests that are possible with openly available compilers diff --git a/tests/scripts/basic-in-docker.sh b/tests/scripts/basic-in-docker.sh index cfb72f4cc..37ed5ea50 100755 --- a/tests/scripts/basic-in-docker.sh +++ b/tests/scripts/basic-in-docker.sh @@ -2,10 +2,6 @@ # basic-in-docker.sh # -# This file is part of mbed TLS (https://tls.mbed.org) -# -# Copyright (c) 2018-2019, ARM Limited, All Rights Reserved -# # Purpose # ------- # This runs a rough equivalent of the travis.yml in a Docker container. @@ -15,6 +11,23 @@ # --------------- # See docker_env.sh for prerequisites and other information. +# Copyright (C) 2006-2019, Arm Limited (or its affiliates), All Rights Reserved. +# SPDX-License-Identifier: Apache-2.0 +# +# Licensed under the Apache License, Version 2.0 (the "License"); you may +# not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT +# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +# +# This file is part of Mbed TLS (https://tls.mbed.org) + source tests/scripts/docker_env.sh run_in_docker tests/scripts/recursion.pl library/*.c diff --git a/tests/scripts/docker_env.sh b/tests/scripts/docker_env.sh index 3e1ce6125..6b65b034e 100755 --- a/tests/scripts/docker_env.sh +++ b/tests/scripts/docker_env.sh @@ -2,10 +2,6 @@ # docker_env.sh # -# This file is part of mbed TLS (https://tls.mbed.org) -# -# Copyright (c) 2018-2019, ARM Limited, All Rights Reserved -# # Purpose # ------- # @@ -23,6 +19,23 @@ # Running this script directly will check for Docker availability and set up # the Docker image. +# Copyright (C) 2006-2019, Arm Limited (or its affiliates), All Rights Reserved. +# SPDX-License-Identifier: Apache-2.0 +# +# Licensed under the Apache License, Version 2.0 (the "License"); you may +# not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT +# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +# +# This file is part of Mbed TLS (https://tls.mbed.org) + # default values, can be overridden by the environment : ${MBEDTLS_DOCKER_GUEST:=xenial} diff --git a/tests/ssl-opt-in-docker.sh b/tests/ssl-opt-in-docker.sh index b3a23fb32..e6e469d82 100755 --- a/tests/ssl-opt-in-docker.sh +++ b/tests/ssl-opt-in-docker.sh @@ -2,17 +2,13 @@ # ssl-opt-in-docker.sh # -# This file is part of mbed TLS (https://tls.mbed.org) -# -# Copyright (c) 2019, ARM Limited, All Rights Reserved -# # Purpose # ------- # This runs ssl-opt.sh in a Docker container. # # Notes for users # --------------- -# If OPENSSL_CMD, GNUTLS_CLI, or GNUTLS_SERV are specified the path must +# If OPENSSL_CMD, GNUTLS_CLI, or GNUTLS_SERV are specified, the path must # correspond to an executable inside the Docker container. The special # values "next" and "legacy" are also allowed as shorthand for the # installations inside the container. @@ -21,6 +17,23 @@ # - scripts/docker_env.sh for general Docker prerequisites and other information. # - ssl-opt.sh for notes about invocation of that script. +# Copyright (C) 2006-2019, Arm Limited (or its affiliates), All Rights Reserved. +# SPDX-License-Identifier: Apache-2.0 +# +# Licensed under the Apache License, Version 2.0 (the "License"); you may +# not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT +# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +# +# This file is part of Mbed TLS (https://tls.mbed.org) + source tests/scripts/docker_env.sh case "${OPENSSL_CMD:-default}" in From 49c2435a40850fdeeb39cb888306816a9959c1d1 Mon Sep 17 00:00:00 2001 From: Peter Kolbus Date: Sat, 1 Jun 2019 08:44:30 -0500 Subject: [PATCH 20/33] Change Docker container to bionic Commit 117b8a45164bdb5ad2ab9e6809cbc923cffa338e requires version 6+ of i686-w64-mingw32-gcc to run the mingw builds, but Ubuntu Xenial (16.04) supplies 5.3.1. Change the Docker container to Ubuntu Bionic (18.04) to pick up a version that will run the tests. --- tests/docker/{xenial => bionic}/Dockerfile | 2 +- tests/scripts/docker_env.sh | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) rename tests/docker/{xenial => bionic}/Dockerfile (99%) diff --git a/tests/docker/xenial/Dockerfile b/tests/docker/bionic/Dockerfile similarity index 99% rename from tests/docker/xenial/Dockerfile rename to tests/docker/bionic/Dockerfile index f16ae752c..1d9618432 100644 --- a/tests/docker/xenial/Dockerfile +++ b/tests/docker/bionic/Dockerfile @@ -22,7 +22,7 @@ # # This file is part of Mbed TLS (https://tls.mbed.org) -FROM ubuntu:xenial +FROM ubuntu:bionic ARG MAKEFLAGS_PARALLEL="" diff --git a/tests/scripts/docker_env.sh b/tests/scripts/docker_env.sh index 6b65b034e..04efa82e4 100755 --- a/tests/scripts/docker_env.sh +++ b/tests/scripts/docker_env.sh @@ -38,7 +38,7 @@ # default values, can be overridden by the environment -: ${MBEDTLS_DOCKER_GUEST:=xenial} +: ${MBEDTLS_DOCKER_GUEST:=bionic} DOCKER_IMAGE_TAG="armmbed/mbedtls-test:${MBEDTLS_DOCKER_GUEST}" From be54358fa7779c151693ff66a381b172503e8783 Mon Sep 17 00:00:00 2001 From: Peter Kolbus Date: Sat, 29 Jun 2019 11:09:01 -0500 Subject: [PATCH 21/33] Dockerfile: apt -> apt-get Dockerfile commands should be using apt-get, not apt. --- tests/docker/bionic/Dockerfile | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/tests/docker/bionic/Dockerfile b/tests/docker/bionic/Dockerfile index 1d9618432..948e50679 100644 --- a/tests/docker/bionic/Dockerfile +++ b/tests/docker/bionic/Dockerfile @@ -28,8 +28,8 @@ ARG MAKEFLAGS_PARALLEL="" ENV DEBIAN_FRONTEND noninteractive -RUN apt update \ - && apt -y install software-properties-common \ +RUN apt-get update \ + && apt-get -y install software-properties-common \ && rm -rf /var/lib/apt/lists RUN add-apt-repository -y ppa:team-gcc-arm-embedded/ppa From 718c74ca858984711694e7e2c6443cf0895b306f Mon Sep 17 00:00:00 2001 From: Peter Kolbus Date: Sat, 29 Jun 2019 11:26:51 -0500 Subject: [PATCH 22/33] Improve compatibility with firewalled networks * Allow specifying MBEDTLS_DOCKER_REGISTRY for organizations that have a mirroring proxy of Docker Hub * Specify "--network host" during build to ensure use of the host's DNS resolution. --- tests/docker/bionic/Dockerfile | 7 ++++--- tests/scripts/docker_env.sh | 7 ++++++- 2 files changed, 10 insertions(+), 4 deletions(-) diff --git a/tests/docker/bionic/Dockerfile b/tests/docker/bionic/Dockerfile index 948e50679..1b2d40f28 100644 --- a/tests/docker/bionic/Dockerfile +++ b/tests/docker/bionic/Dockerfile @@ -21,10 +21,11 @@ # limitations under the License. # # This file is part of Mbed TLS (https://tls.mbed.org) - -FROM ubuntu:bionic - ARG MAKEFLAGS_PARALLEL="" +ARG MY_REGISTRY= + +FROM ${MY_REGISTRY}ubuntu:bionic + ENV DEBIAN_FRONTEND noninteractive diff --git a/tests/scripts/docker_env.sh b/tests/scripts/docker_env.sh index 04efa82e4..8bdc42579 100755 --- a/tests/scripts/docker_env.sh +++ b/tests/scripts/docker_env.sh @@ -14,7 +14,10 @@ # This script expects a Linux x86_64 system with a recent version of Docker # installed and available for use, as well as http/https access. If a proxy # server must be used, invoke this script with the usual environment variables -# (http_proxy and https_proxy) set appropriately. +# (http_proxy and https_proxy) set appropriately. If an alternate Docker +# registry is needed, specify MBEDTLS_DOCKER_REGISTRY to point at the +# host name. +# # # Running this script directly will check for Docker availability and set up # the Docker image. @@ -63,8 +66,10 @@ ${DOCKER} image build \ -t ${DOCKER_IMAGE_TAG} \ --cache-from=${DOCKER_IMAGE_TAG} \ --build-arg MAKEFLAGS_PARALLEL="-j $(nproc)" \ + --network host \ ${http_proxy+--build-arg http_proxy=${http_proxy}} \ ${https_proxy+--build-arg https_proxy=${https_proxy}} \ + ${MBEDTLS_DOCKER_REGISTRY+--build-arg MY_REGISTRY="${MBEDTLS_DOCKER_REGISTRY}/"} \ tests/docker/${MBEDTLS_DOCKER_GUEST} run_in_docker() From a4b94c460d6e21f1200bc1ac8f0fc483b3e854ab Mon Sep 17 00:00:00 2001 From: Jaeden Amero Date: Tue, 18 Jun 2019 17:31:57 +0100 Subject: [PATCH 23/33] Update Mbed Crypto to contain mbed-crypto#152 Update Mbed Crypto to a commit on its development branch that contains the merged [mbed-crypto#152 PR](https://github.com/ARMmbed/mbed-crypto/pull/152). --- crypto | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/crypto b/crypto index 86268e1d3..ee6f9b2a9 160000 --- a/crypto +++ b/crypto @@ -1 +1 @@ -Subproject commit 86268e1d302355ad8fd8e5ca5f1a7c7af8640678 +Subproject commit ee6f9b2a9fc3b4d9b7d3189ec1e4f81a593e658b From 85aba477156922deb8f93d918c4fef125bda7a80 Mon Sep 17 00:00:00 2001 From: Gilles Peskine Date: Tue, 2 Jul 2019 20:03:01 +0200 Subject: [PATCH 24/33] Consistently spell -Wextra -W is a deprecated alias of -Wextra. Consistently use the new name. --- CMakeLists.txt | 4 ++-- README.md | 2 +- library/Makefile | 2 +- programs/Makefile | 4 ++-- tests/Makefile | 2 +- 5 files changed, 7 insertions(+), 7 deletions(-) diff --git a/CMakeLists.txt b/CMakeLists.txt index b0e640160..19801e843 100644 --- a/CMakeLists.txt +++ b/CMakeLists.txt @@ -127,7 +127,7 @@ if(CMAKE_COMPILER_IS_GNU) # note: starting with CMake 2.8 we could use CMAKE_C_COMPILER_VERSION execute_process(COMMAND ${CMAKE_C_COMPILER} -dumpversion OUTPUT_VARIABLE GCC_VERSION) - set(CMAKE_C_FLAGS "${CMAKE_C_FLAGS} -Wall -Wextra -W -Wwrite-strings") + set(CMAKE_C_FLAGS "${CMAKE_C_FLAGS} -Wall -Wextra -Wwrite-strings") if (GCC_VERSION VERSION_GREATER 4.5 OR GCC_VERSION VERSION_EQUAL 4.5) set(CMAKE_C_FLAGS "${CMAKE_C_FLAGS} -Wlogical-op") endif() @@ -144,7 +144,7 @@ if(CMAKE_COMPILER_IS_GNU) endif(CMAKE_COMPILER_IS_GNU) if(CMAKE_COMPILER_IS_CLANG) - set(CMAKE_C_FLAGS "${CMAKE_C_FLAGS} -Wall -Wextra -W -Wwrite-strings -Wpointer-arith -Wimplicit-fallthrough -Wshadow") + set(CMAKE_C_FLAGS "${CMAKE_C_FLAGS} -Wall -Wextra -Wwrite-strings -Wpointer-arith -Wimplicit-fallthrough -Wshadow") set(CMAKE_C_FLAGS_RELEASE "-O2") set(CMAKE_C_FLAGS_DEBUG "-O0 -g3") set(CMAKE_C_FLAGS_COVERAGE "-O0 -g3 --coverage") diff --git a/README.md b/README.md index 5b0160351..b7eca8920 100644 --- a/README.md +++ b/README.md @@ -64,7 +64,7 @@ In order to build for a Windows platform, you should use `WINDOWS_BUILD=1` if th Setting the variable `SHARED` in your environment will build shared libraries in addition to the static libraries. Setting `DEBUG` gives you a debug build. You can override `CFLAGS` and `LDFLAGS` by setting them in your environment or on the make command line; compiler warning options may be overridden separately using `WARNING_CFLAGS`. Some directory-specific options (for example, `-I` directives) are still preserved. -Please note that setting `CFLAGS` overrides its default value of `-O2` and setting `WARNING_CFLAGS` overrides its default value (starting with `-Wall -W`), so if you just want to add some warning options to the default ones, you can do so by setting `CFLAGS=-O2 -Werror` for example. Setting `WARNING_CFLAGS` is useful when you want to get rid of its default content (for example because your compiler doesn't accept `-Wall` as an option). Directory-specific options cannot be overridden from the command line. +Please note that setting `CFLAGS` overrides its default value of `-O2` and setting `WARNING_CFLAGS` overrides its default value (starting with `-Wall -Wextra`), so if you just want to add some warning options to the default ones, you can do so by setting `CFLAGS=-O2 -Werror` for example. Setting `WARNING_CFLAGS` is useful when you want to get rid of its default content (for example because your compiler doesn't accept `-Wall` as an option). Directory-specific options cannot be overridden from the command line. Depending on your platform, you might run into some issues. Please check the Makefiles in `library/`, `programs/` and `tests/` for options to manually add or remove for specific platforms. You can also check [the Mbed TLS Knowledge Base](https://tls.mbed.org/kb) for articles on your platform or issue. diff --git a/library/Makefile b/library/Makefile index 098b11150..8b2e572aa 100644 --- a/library/Makefile +++ b/library/Makefile @@ -2,7 +2,7 @@ # Also see "include/mbedtls/config.h" CFLAGS ?= -O2 -WARNING_CFLAGS ?= -Wall -W +WARNING_CFLAGS ?= -Wall -Wextra LDFLAGS ?= LOCAL_CFLAGS = $(WARNING_CFLAGS) -I../include -D_FILE_OFFSET_BITS=64 diff --git a/programs/Makefile b/programs/Makefile index 93bbb66e1..4c05d915a 100644 --- a/programs/Makefile +++ b/programs/Makefile @@ -3,8 +3,8 @@ # To compile with PKCS11: add "-lpkcs11-helper" to LDFLAGS CFLAGS ?= -O2 -WARNING_CFLAGS ?= -Wall -W -WARNING_CXXFLAGS ?= -Wall -W +WARNING_CFLAGS ?= -Wall -Wextra +WARNING_CXXFLAGS ?= -Wall -Wextra LDFLAGS ?= LOCAL_CFLAGS = $(WARNING_CFLAGS) -I../include -D_FILE_OFFSET_BITS=64 diff --git a/tests/Makefile b/tests/Makefile index 40ff5b0a4..d0d9d99dc 100644 --- a/tests/Makefile +++ b/tests/Makefile @@ -3,7 +3,7 @@ # To compile with PKCS11: add "-lpkcs11-helper" to LDFLAGS CFLAGS ?= -O2 -WARNING_CFLAGS ?= -Wall -W -Wunused +WARNING_CFLAGS ?= -Wall -Wextra -Wunused LDFLAGS ?= LOCAL_CFLAGS = $(WARNING_CFLAGS) -I../include -D_FILE_OFFSET_BITS=64 From 1e65771ba397a160c17de31efcf31585df3013f6 Mon Sep 17 00:00:00 2001 From: Gilles Peskine Date: Tue, 2 Jul 2019 20:05:20 +0200 Subject: [PATCH 25/33] Remove redundant compiler flag `-Wunused' is included in `-Wall -Wextra'. --- tests/Makefile | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/tests/Makefile b/tests/Makefile index d0d9d99dc..1679ee40b 100644 --- a/tests/Makefile +++ b/tests/Makefile @@ -3,7 +3,7 @@ # To compile with PKCS11: add "-lpkcs11-helper" to LDFLAGS CFLAGS ?= -O2 -WARNING_CFLAGS ?= -Wall -Wextra -Wunused +WARNING_CFLAGS ?= -Wall -Wextra LDFLAGS ?= LOCAL_CFLAGS = $(WARNING_CFLAGS) -I../include -D_FILE_OFFSET_BITS=64 From be517164d23134bcd53f7223924b395e9615e280 Mon Sep 17 00:00:00 2001 From: Gilles Peskine Date: Tue, 2 Jul 2019 20:22:11 +0200 Subject: [PATCH 26/33] Warn if VLAs are used We don't intend to use C99 variable-length arrays, so make the compiler complain about them. --- CMakeLists.txt | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/CMakeLists.txt b/CMakeLists.txt index 19801e843..157a903c6 100644 --- a/CMakeLists.txt +++ b/CMakeLists.txt @@ -128,6 +128,9 @@ if(CMAKE_COMPILER_IS_GNU) execute_process(COMMAND ${CMAKE_C_COMPILER} -dumpversion OUTPUT_VARIABLE GCC_VERSION) set(CMAKE_C_FLAGS "${CMAKE_C_FLAGS} -Wall -Wextra -Wwrite-strings") + if (GCC_VERSION VERSION_GREATER 4.3 OR GCC_VERSION VERSION_EQUAL 4.3) + set(CMAKE_C_FLAGS "${CMAKE_C_FLAGS} -Wvla") + endif() if (GCC_VERSION VERSION_GREATER 4.5 OR GCC_VERSION VERSION_EQUAL 4.5) set(CMAKE_C_FLAGS "${CMAKE_C_FLAGS} -Wlogical-op") endif() @@ -144,7 +147,7 @@ if(CMAKE_COMPILER_IS_GNU) endif(CMAKE_COMPILER_IS_GNU) if(CMAKE_COMPILER_IS_CLANG) - set(CMAKE_C_FLAGS "${CMAKE_C_FLAGS} -Wall -Wextra -Wwrite-strings -Wpointer-arith -Wimplicit-fallthrough -Wshadow") + set(CMAKE_C_FLAGS "${CMAKE_C_FLAGS} -Wall -Wextra -Wwrite-strings -Wpointer-arith -Wimplicit-fallthrough -Wshadow -Wvla") set(CMAKE_C_FLAGS_RELEASE "-O2") set(CMAKE_C_FLAGS_DEBUG "-O0 -g3") set(CMAKE_C_FLAGS_COVERAGE "-O0 -g3 --coverage") From 6aa32ccfae6a7840df9886182ba49c147b441f56 Mon Sep 17 00:00:00 2001 From: Gilles Peskine Date: Thu, 4 Jul 2019 18:59:36 +0200 Subject: [PATCH 27/33] Allow running /somewhere/else/path/to/abi_check.py Don't require abi_check.py to be the one in scripts/ under the current directory. --- scripts/abi_check.py | 4 +--- 1 file changed, 1 insertion(+), 3 deletions(-) diff --git a/scripts/abi_check.py b/scripts/abi_check.py index 502c7ae02..6edc54fde 100755 --- a/scripts/abi_check.py +++ b/scripts/abi_check.py @@ -59,9 +59,7 @@ class AbiChecker(object): @staticmethod def check_repo_path(): - current_dir = os.path.realpath('.') - root_dir = os.path.dirname(os.path.dirname(os.path.realpath(__file__))) - if current_dir != root_dir: + if not all(os.path.isdir(d) for d in ["include", "library", "tests"]): raise Exception("Must be run from Mbed TLS root") def _setup_logger(self): From b6ce234c57ea9369d1c5a92af96f6b993330f262 Mon Sep 17 00:00:00 2001 From: Gilles Peskine Date: Thu, 4 Jul 2019 19:00:31 +0200 Subject: [PATCH 28/33] Document how to build the typical argument for -s --- scripts/abi_check.py | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/scripts/abi_check.py b/scripts/abi_check.py index 6edc54fde..e8ab1cb79 100755 --- a/scripts/abi_check.py +++ b/scripts/abi_check.py @@ -355,7 +355,9 @@ def run_main(): ) parser.add_argument( "-s", "--skip-file", type=str, - help="path to file containing symbols and types to skip" + help=("path to file containing symbols and types to skip " + "(typically \"-s identifiers\" after running " + "\"tests/scripts/list-identifiers.sh --internal\")") ) parser.add_argument( "-b", "--brief", action="store_true", From 3e2da4acf20b41d31fb3fe64e0e7a4e1b75078bc Mon Sep 17 00:00:00 2001 From: Gilles Peskine Date: Thu, 4 Jul 2019 19:01:22 +0200 Subject: [PATCH 29/33] Record the commits that were compared Record the commit ID in addition to the symbolic name of the version being tested. This makes it easier to figure out what has been compared when reading logs that don't always indicate explicitly what things like HEAD are. This makes the title of HTML reports somewhat verbose, but I think that's a small price to pay. --- scripts/abi_check.py | 22 ++++++++++++++++++++-- 1 file changed, 20 insertions(+), 2 deletions(-) diff --git a/scripts/abi_check.py b/scripts/abi_check.py index e8ab1cb79..6aef9924f 100755 --- a/scripts/abi_check.py +++ b/scripts/abi_check.py @@ -106,6 +106,12 @@ class AbiChecker(object): stderr=subprocess.STDOUT ) self.log.debug(worktree_output.decode("utf-8")) + version.commit = subprocess.check_output( + [self.git_command, "rev-parse", worktree_rev], + cwd=git_worktree_path, + stderr=subprocess.STDOUT + ).decode("ascii").rstrip() + self.log.debug("Commit is {}".format(version.commit)) return git_worktree_path def _update_git_submodules(self, git_worktree_path, version): @@ -161,6 +167,13 @@ class AbiChecker(object): os.path.join(root, file) ) + @staticmethod + def _pretty_revision(version): + if version.revision == version.commit: + return version.revision + else: + return "{} ({})".format(version.revision, version.commit) + def _get_abi_dumps_from_shared_libraries(self, version): """Generate the ABI dumps for the specified git revision. The shared libraries must have been built and the module paths @@ -175,7 +188,7 @@ class AbiChecker(object): "abi-dumper", module_path, "-o", output_path, - "-lver", version.revision + "-lver", self._pretty_revision(version), ] abi_dump_output = subprocess.check_output( abi_dump_command, @@ -224,7 +237,10 @@ class AbiChecker(object): """Generate a report of the differences between the reference ABI and the new ABI. ABI dumps from self.old_version and self.new_version must be available.""" - compatibility_report = "" + compatibility_report = ("Checking evolution from {} to {}\n".format( + self._pretty_revision(self.old_version), + self._pretty_revision(self.new_version) + )) compliance_return_code = 0 shared_modules = list(set(self.old_version.modules.keys()) & set(self.new_version.modules.keys())) @@ -371,6 +387,7 @@ def run_main(): version="old", repository=abi_args.old_repo, revision=abi_args.old_rev, + commit=None, crypto_repository=abi_args.old_crypto_repo, crypto_revision=abi_args.old_crypto_rev, abi_dumps={}, @@ -380,6 +397,7 @@ def run_main(): version="new", repository=abi_args.new_repo, revision=abi_args.new_rev, + commit=None, crypto_repository=abi_args.new_crypto_repo, crypto_revision=abi_args.new_crypto_rev, abi_dumps={}, From ada828f36a1caa64ce0fc4d3d5a9dba475bcd02f Mon Sep 17 00:00:00 2001 From: Gilles Peskine Date: Thu, 4 Jul 2019 19:17:40 +0200 Subject: [PATCH 30/33] Split _abi_compliance_command into smaller functions This makes the code easier to read and pacifies pylint. --- scripts/abi_check.py | 115 ++++++++++++++++++++++++------------------- 1 file changed, 63 insertions(+), 52 deletions(-) diff --git a/scripts/abi_check.py b/scripts/abi_check.py index 6aef9924f..533aaea3d 100755 --- a/scripts/abi_check.py +++ b/scripts/abi_check.py @@ -233,73 +233,84 @@ class AbiChecker(object): if not problems.getchildren(): report.remove(problems) + def _abi_compliance_command(self, mbed_module, output_path): + """Build the command to run to analyze the library mbed_module. + The report will be placed in output_path.""" + abi_compliance_command = [ + "abi-compliance-checker", + "-l", mbed_module, + "-old", self.old_version.abi_dumps[mbed_module], + "-new", self.new_version.abi_dumps[mbed_module], + "-strict", + "-report-path", output_path, + ] + if self.skip_file: + abi_compliance_command += ["-skip-symbols", self.skip_file, + "-skip-types", self.skip_file] + if self.brief: + abi_compliance_command += ["-report-format", "xml", + "-stdout"] + return abi_compliance_command + + def _is_library_compatible(self, mbed_module, compatibility_report): + """Test if the library mbed_module has remained compatible. + Append a message regarding compatibility to compatibility_report.""" + output_path = os.path.join( + self.report_dir, "{}-{}-{}.html".format( + mbed_module, self.old_version.revision, + self.new_version.revision + ) + ) + try: + subprocess.check_output( + self._abi_compliance_command(mbed_module, output_path), + stderr=subprocess.STDOUT + ) + except subprocess.CalledProcessError as err: + if err.returncode != 1: + raise err + if self.brief: + self.log.info( + "Compatibility issues found for {}".format(mbed_module) + ) + report_root = ET.fromstring(err.output.decode("utf-8")) + self._remove_extra_detail_from_report(report_root) + self.log.info(ET.tostring(report_root).decode("utf-8")) + else: + self.can_remove_report_dir = False + compatibility_report.append( + "Compatibility issues found for {}, " + "for details see {}".format(mbed_module, output_path) + ) + return False + compatibility_report.append( + "No compatibility issues for {}".format(mbed_module) + ) + if not (self.keep_all_reports or self.brief): + os.remove(output_path) + return True + def get_abi_compatibility_report(self): """Generate a report of the differences between the reference ABI and the new ABI. ABI dumps from self.old_version and self.new_version must be available.""" - compatibility_report = ("Checking evolution from {} to {}\n".format( + compatibility_report = ["Checking evolution from {} to {}".format( self._pretty_revision(self.old_version), self._pretty_revision(self.new_version) - )) + )] compliance_return_code = 0 shared_modules = list(set(self.old_version.modules.keys()) & set(self.new_version.modules.keys())) for mbed_module in shared_modules: - output_path = os.path.join( - self.report_dir, "{}-{}-{}.html".format( - mbed_module, self.old_version.revision, - self.new_version.revision - ) - ) - abi_compliance_command = [ - "abi-compliance-checker", - "-l", mbed_module, - "-old", self.old_version.abi_dumps[mbed_module], - "-new", self.new_version.abi_dumps[mbed_module], - "-strict", - "-report-path", output_path, - ] - if self.skip_file: - abi_compliance_command += ["-skip-symbols", self.skip_file, - "-skip-types", self.skip_file] - if self.brief: - abi_compliance_command += ["-report-format", "xml", - "-stdout"] - try: - subprocess.check_output( - abi_compliance_command, - stderr=subprocess.STDOUT - ) - except subprocess.CalledProcessError as err: - if err.returncode == 1: - compliance_return_code = 1 - if self.brief: - self.log.info( - "Compatibility issues found for {}".format(mbed_module) - ) - report_root = ET.fromstring(err.output.decode("utf-8")) - self._remove_extra_detail_from_report(report_root) - self.log.info(ET.tostring(report_root).decode("utf-8")) - else: - self.can_remove_report_dir = False - compatibility_report += ( - "Compatibility issues found for {}, " - "for details see {}\n".format(mbed_module, output_path) - ) - else: - raise err - else: - compatibility_report += ( - "No compatibility issues for {}\n".format(mbed_module) - ) - if not (self.keep_all_reports or self.brief): - os.remove(output_path) + if not self._is_library_compatible(mbed_module, + compatibility_report): + compliance_return_code = 1 for version in [self.old_version, self.new_version]: for mbed_module, mbed_module_dump in version.abi_dumps.items(): os.remove(mbed_module_dump) if self.can_remove_report_dir: os.rmdir(self.report_dir) - self.log.info(compatibility_report) + self.log.info("\n".join(compatibility_report)) return compliance_return_code def check_for_abi_changes(self): From 7dfcfceb490d1c222fa312f70a57c0e79e9071c0 Mon Sep 17 00:00:00 2001 From: Gilles Peskine Date: Thu, 4 Jul 2019 19:31:02 +0200 Subject: [PATCH 31/33] Use the docstring in the command line help --- tests/scripts/check-files.py | 20 +++++--------------- 1 file changed, 5 insertions(+), 15 deletions(-) diff --git a/tests/scripts/check-files.py b/tests/scripts/check-files.py index 00fd0edfb..a658415dc 100755 --- a/tests/scripts/check-files.py +++ b/tests/scripts/check-files.py @@ -1,11 +1,9 @@ #!/usr/bin/env python3 + +# This file is part of Mbed TLS (https://tls.mbed.org) +# Copyright (c) 2018, Arm Limited, All Rights Reserved + """ -This file is part of Mbed TLS (https://tls.mbed.org) - -Copyright (c) 2018, Arm Limited, All Rights Reserved - -Purpose - This script checks the current state of the source code for minor issues, including incorrect file permissions, presence of tabs, non-Unix line endings, trailing whitespace, presence of UTF-8 BOM, and TODO comments. @@ -257,15 +255,7 @@ class IntegrityChecker(object): def run_main(): - parser = argparse.ArgumentParser( - description=( - "This script checks the current state of the source code for " - "minor issues, including incorrect file permissions, " - "presence of tabs, non-Unix line endings, trailing whitespace, " - "presence of UTF-8 BOM, and TODO comments. " - "Note: requires python 3, must be run from Mbed TLS root." - ) - ) + parser = argparse.ArgumentParser(description=__doc__) parser.add_argument( "-l", "--log_file", type=str, help="path to optional output log", ) From 55b49ee10fe2029cd29b62693dd677b2ec070735 Mon Sep 17 00:00:00 2001 From: Gilles Peskine Date: Thu, 4 Jul 2019 19:31:33 +0200 Subject: [PATCH 32/33] Allow TODO in code Don't reject TODO in code. Fix #2587 --- tests/scripts/check-files.py | 16 +--------------- 1 file changed, 1 insertion(+), 15 deletions(-) diff --git a/tests/scripts/check-files.py b/tests/scripts/check-files.py index a658415dc..255bed8b9 100755 --- a/tests/scripts/check-files.py +++ b/tests/scripts/check-files.py @@ -6,7 +6,7 @@ """ This script checks the current state of the source code for minor issues, including incorrect file permissions, presence of tabs, non-Unix line endings, -trailing whitespace, presence of UTF-8 BOM, and TODO comments. +trailing whitespace, and presence of UTF-8 BOM. Note: requires python 3, must be run from Mbed TLS root. """ @@ -168,19 +168,6 @@ class MergeArtifactIssueTracker(LineIssueTracker): return True return False -class TodoIssueTracker(LineIssueTracker): - """Track lines containing ``TODO``.""" - - heading = "TODO present:" - files_exemptions = frozenset([ - os.path.basename(__file__), - "benchmark.c", - "pull_request_template.md", - ]) - - def issue_with_line(self, line, _filepath): - return b"todo" in line.lower() - class IntegrityChecker(object): """Sanity-check files under the current directory.""" @@ -209,7 +196,6 @@ class IntegrityChecker(object): TrailingWhitespaceIssueTracker(), TabIssueTracker(), MergeArtifactIssueTracker(), - TodoIssueTracker(), ] @staticmethod From 0f220ec73bd538a9a3e0a6043ba615057a86003f Mon Sep 17 00:00:00 2001 From: Jaeden Amero Date: Fri, 5 Jul 2019 15:03:40 +0100 Subject: [PATCH 33/33] Test with MBEDTLS_ECP_RESTARTABLE We accidentally disabled testing with MBEDTLS_ECP_RESTARTABLE. Re-enable testing with restartable ECP when MBEDTLS_USE_PSA_CRYPTO is not set. Fixes 971dea37453c ("Enable USE_PSA_CRYPTO with config.pl full") --- tests/scripts/all.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/tests/scripts/all.sh b/tests/scripts/all.sh index 9d628f88c..e5c6e4322 100755 --- a/tests/scripts/all.sh +++ b/tests/scripts/all.sh @@ -819,7 +819,7 @@ component_test_no_use_psa_crypto_full_cmake_asan() { msg "build: cmake, full config + MBEDTLS_USE_PSA_CRYPTO, ASan" scripts/config.pl full scripts/config.pl unset MBEDTLS_MEMORY_BACKTRACE # too slow for tests - scripts/config.pl unset MBEDTLS_ECP_RESTARTABLE # restartable ECC not supported through PSA + scripts/config.pl set MBEDTLS_ECP_RESTARTABLE # not using PSA, so enable restartable ECC scripts/config.pl set MBEDTLS_PSA_CRYPTO_C scripts/config.pl unset MBEDTLS_USE_PSA_CRYPTO scripts/config.pl unset MBEDTLS_PSA_ITS_FILE_C