Merge pull request #8480 from yuhaoth/backports/7649/add-command-for-server9-bad-saltlen
Backports for #7649 : add command for server9-bad-saltlen
diff --git a/BRANCHES.md b/BRANCHES.md
index 57d4027..6711cb9 100644
--- a/BRANCHES.md
+++ b/BRANCHES.md
@@ -76,6 +76,6 @@
- [`development`](https://github.com/Mbed-TLS/mbedtls/)
- [`mbedtls-2.28`](https://github.com/Mbed-TLS/mbedtls/tree/mbedtls-2.28)
maintained until at least the end of 2024, see
- <https://github.com/Mbed-TLS/mbedtls/releases/tag/v2.28.5>.
+ <https://github.com/Mbed-TLS/mbedtls/releases/tag/v2.28.6>.
Users are urged to always use the latest version of a maintained branch.
diff --git a/ChangeLog b/ChangeLog
index 27b5820..a856275 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,5 +1,11 @@
Mbed TLS ChangeLog (Sorted per branch, date)
+= Mbed TLS 2.28.6 branch released 2023-11-06
+
+Changes
+ * Mbed TLS is now released under a dual Apache-2.0 OR GPL-2.0-or-later
+ license. Users may choose which license they take the code under.
+
= Mbed TLS 2.28.5 branch released 2023-10-05
Features
diff --git a/doxygen/input/doc_mainpage.h b/doxygen/input/doc_mainpage.h
index 1a4cc41..c2343a6 100644
--- a/doxygen/input/doc_mainpage.h
+++ b/doxygen/input/doc_mainpage.h
@@ -10,7 +10,7 @@
*/
/**
- * @mainpage Mbed TLS v2.28.5 API Documentation
+ * @mainpage Mbed TLS v2.28.6 API Documentation
*
* This documentation describes the internal structure of Mbed TLS. It was
* automatically generated from specially formatted comment blocks in
diff --git a/doxygen/mbedtls.doxyfile b/doxygen/mbedtls.doxyfile
index f6f160d..1939ac9 100644
--- a/doxygen/mbedtls.doxyfile
+++ b/doxygen/mbedtls.doxyfile
@@ -1,4 +1,4 @@
-PROJECT_NAME = "Mbed TLS v2.28.5"
+PROJECT_NAME = "Mbed TLS v2.28.6"
OUTPUT_DIRECTORY = ../apidoc/
FULL_PATH_NAMES = NO
OPTIMIZE_OUTPUT_FOR_C = YES
diff --git a/include/mbedtls/config.h b/include/mbedtls/config.h
index d844bfa..ac2146e 100644
--- a/include/mbedtls/config.h
+++ b/include/mbedtls/config.h
@@ -851,6 +851,9 @@
* contexts and therefore is a compatibility break for applications that access
* fields of a mbedtls_ecdh_context structure directly. See also
* MBEDTLS_ECDH_LEGACY_CONTEXT in include/mbedtls/ecdh.h.
+ *
+ * The Everest code is provided under the Apache 2.0 license only; therefore enabling this
+ * option is not compatible with taking the library under the GPL v2.0-or-later license.
*/
//#define MBEDTLS_ECDH_VARIANT_EVEREST_ENABLED
diff --git a/include/mbedtls/version.h b/include/mbedtls/version.h
index 21348d2..ae91a09 100644
--- a/include/mbedtls/version.h
+++ b/include/mbedtls/version.h
@@ -26,16 +26,16 @@
*/
#define MBEDTLS_VERSION_MAJOR 2
#define MBEDTLS_VERSION_MINOR 28
-#define MBEDTLS_VERSION_PATCH 5
+#define MBEDTLS_VERSION_PATCH 6
/**
* The single version number has the following structure:
* MMNNPP00
* Major version | Minor version | Patch version
*/
-#define MBEDTLS_VERSION_NUMBER 0x021C0500
-#define MBEDTLS_VERSION_STRING "2.28.5"
-#define MBEDTLS_VERSION_STRING_FULL "Mbed TLS 2.28.5"
+#define MBEDTLS_VERSION_NUMBER 0x021C0600
+#define MBEDTLS_VERSION_STRING "2.28.6"
+#define MBEDTLS_VERSION_STRING_FULL "Mbed TLS 2.28.6"
#if defined(MBEDTLS_VERSION_C)
diff --git a/library/CMakeLists.txt b/library/CMakeLists.txt
index 8d88101..c7105a1 100644
--- a/library/CMakeLists.txt
+++ b/library/CMakeLists.txt
@@ -204,15 +204,15 @@
if(USE_SHARED_MBEDTLS_LIBRARY)
set(CMAKE_LIBRARY_PATH ${CMAKE_CURRENT_BINARY_DIR})
add_library(${mbedcrypto_target} SHARED ${src_crypto})
- set_target_properties(${mbedcrypto_target} PROPERTIES VERSION 2.28.5 SOVERSION 7)
+ set_target_properties(${mbedcrypto_target} PROPERTIES VERSION 2.28.6 SOVERSION 7)
target_link_libraries(${mbedcrypto_target} PUBLIC ${libs})
add_library(${mbedx509_target} SHARED ${src_x509})
- set_target_properties(${mbedx509_target} PROPERTIES VERSION 2.28.5 SOVERSION 1)
+ set_target_properties(${mbedx509_target} PROPERTIES VERSION 2.28.6 SOVERSION 1)
target_link_libraries(${mbedx509_target} PUBLIC ${libs} ${mbedcrypto_target})
add_library(${mbedtls_target} SHARED ${src_tls})
- set_target_properties(${mbedtls_target} PROPERTIES VERSION 2.28.5 SOVERSION 14)
+ set_target_properties(${mbedtls_target} PROPERTIES VERSION 2.28.6 SOVERSION 14)
target_link_libraries(${mbedtls_target} PUBLIC ${libs} ${mbedx509_target})
endif(USE_SHARED_MBEDTLS_LIBRARY)
diff --git a/scripts/config.py b/scripts/config.py
index 4658931..604f8a8 100755
--- a/scripts/config.py
+++ b/scripts/config.py
@@ -345,6 +345,22 @@
return adapter(name, active, section)
return continuation
+def no_platform_adapter(adapter):
+ """Modify an adapter to disable platform symbols.
+
+ ``no_platform_adapter(adapter)(name, active, section)`` is like
+ ``adapter(name, active, section)``, but unsets all platform symbols other
+ ``than MBEDTLS_PLATFORM_C.
+ """
+ def continuation(name, active, section):
+ # Allow MBEDTLS_PLATFORM_C but remove all other platform symbols.
+ if name.startswith('MBEDTLS_PLATFORM_') and name != 'MBEDTLS_PLATFORM_C':
+ return False
+ if adapter is None:
+ return active
+ return adapter(name, active, section)
+ return continuation
+
class ConfigFile(Config):
"""Representation of the Mbed TLS configuration read for a file.
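Review bot: The docstring of `no_platform_adapter` carries a broken literal span at the line reading "``than MBEDTLS_PLATFORM_C." — the opening double backticks are never closed; it should read "other than ``MBEDTLS_PLATFORM_C``." while the preceding line ends at "symbols other". The docstring could also state the ordering visible in `continuation`: a platform symbol is rejected before the wrapped adapter is consulted, so an adapter passed in can never re-enable one, e.g. `Platform symbols are rejected before ``adapter`` is consulted, so it cannot re-enable them.` The same wording point applies to the help text added in the second hunk of this file (`full_no_platform`), which says "without platform features" although `MBEDTLS_PLATFORM_C` is deliberately kept. The hunk opens inside the previous adapter's `continuation` and closes inside the `ConfigFile` docstring, both defined outside it.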
@@ -517,6 +533,10 @@
"""Uncomment most non-deprecated features.
Like "full", but without deprecated features.
""")
+ add_adapter('full_no_platform', no_platform_adapter(full_adapter),
+ """Uncomment most non-platform features.
+ Like "full", but without platform features.
+ """)
add_adapter('realfull', realfull_adapter,
"""Uncomment all boolean #defines.
Suitable for generating documentation, but not for building.""")
diff --git a/tests/scripts/all.sh b/tests/scripts/all.sh
index 06a8bc5..69f141f 100755
--- a/tests/scripts/all.sh
+++ b/tests/scripts/all.sh
@@ -2555,22 +2555,14 @@
# This should catch missing mbedtls_printf definitions, and by disabling file
# IO, it should catch missing '#include <stdio.h>'
msg "build: full config except platform/fsio/net, make, gcc, C99" # ~ 30s
- scripts/config.py full
+ scripts/config.py full_no_platform
scripts/config.py unset MBEDTLS_PLATFORM_C
scripts/config.py unset MBEDTLS_NET_C
- scripts/config.py unset MBEDTLS_PLATFORM_MEMORY
- scripts/config.py unset MBEDTLS_PLATFORM_PRINTF_ALT
- scripts/config.py unset MBEDTLS_PLATFORM_FPRINTF_ALT
- scripts/config.py unset MBEDTLS_PLATFORM_SNPRINTF_ALT
- scripts/config.py unset MBEDTLS_PLATFORM_VSNPRINTF_ALT
- scripts/config.py unset MBEDTLS_PLATFORM_TIME_ALT
- scripts/config.py unset MBEDTLS_PLATFORM_EXIT_ALT
- scripts/config.py unset MBEDTLS_PLATFORM_NV_SEED_ALT
- scripts/config.py unset MBEDTLS_ENTROPY_NV_SEED
scripts/config.py unset MBEDTLS_FS_IO
scripts/config.py unset MBEDTLS_PSA_CRYPTO_SE_C
scripts/config.py unset MBEDTLS_PSA_CRYPTO_STORAGE_C
scripts/config.py unset MBEDTLS_PSA_ITS_FILE_C
+ scripts/config.py unset MBEDTLS_ENTROPY_NV_SEED
# Note, _DEFAULT_SOURCE needs to be defined for platforms using glibc version >2.19,
# to re-enable platform integration features otherwise disabled in C99 builds
make CC=gcc CFLAGS='-Werror -Wall -Wextra -std=c99 -pedantic -Os -D_DEFAULT_SOURCE' lib programs
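Review bot: The switch to `scripts/config.py full_no_platform` leaves the following `unset MBEDTLS_PLATFORM_C` looking redundant to a reader who does not know that the new adapter keeps exactly that symbol; a one-line comment would prevent someone from "cleaning it up" later, e.g. `# full_no_platform keeps MBEDTLS_PLATFORM_C; this C99 build needs it unset as well`. I also read the moved `unset MBEDTLS_ENTROPY_NV_SEED` as purely a reordering, with no dependency on the lines between, but that is inferred from the hunk only. The enclosing component function starts and ends outside the hunk.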
diff --git a/tests/scripts/check_files.py b/tests/scripts/check_files.py
index 68871ef..a2a9dfa 100755
--- a/tests/scripts/check_files.py
+++ b/tests/scripts/check_files.py
@@ -10,10 +10,11 @@
Note: requires python 3, must be run from Mbed TLS root.
"""
-import os
import argparse
-import logging
import codecs
+import inspect
+import logging
+import os
import re
import subprocess
import sys
@@ -345,6 +346,100 @@
return False
+def this_location():
+ frame = inspect.currentframe()
+ assert frame is not None
+ info = inspect.getframeinfo(frame)
+ return os.path.basename(info.filename), info.lineno
+THIS_FILE_BASE_NAME, LINE_NUMBER_BEFORE_LICENSE_ISSUE_TRACKER = this_location()
+
+class LicenseIssueTracker(LineIssueTracker):
+ """Check copyright statements and license indications.
+
+ This class only checks that statements are correct if present. It does
+ not enforce the presence of statements in each file.
+ """
+
+ heading = "License issue:"
+
+ LICENSE_EXEMPTION_RE_LIST = [
+ # Third-party code, other than whitelisted third-party modules,
+ # may be under a different license.
+ r'3rdparty/(?!(p256-m)/.*)',
+ # Documentation explaining the license may have accidental
+ # false positives.
+ r'(ChangeLog|LICENSE|[-0-9A-Z_a-z]+\.md)\Z',
+ # Files imported from TF-M, and not used except in test builds,
+ # may be under a different license.
+ r'configs/crypto_config_profile_medium\.h\Z',
+ r'configs/tfm_mbedcrypto_config_profile_medium\.h\Z',
+ # Third-party file.
+ r'dco\.txt\Z',
+ ]
+ path_exemptions = re.compile('|'.join(BINARY_FILE_PATH_RE_LIST +
+ LICENSE_EXEMPTION_RE_LIST))
+
+ COPYRIGHT_HOLDER = rb'The Mbed TLS Contributors'
+ # Catch "Copyright foo", "Copyright (C) foo", "Copyright © foo", etc.
+ COPYRIGHT_RE = re.compile(rb'.*\bcopyright\s+((?:\w|\s|[()]|[^ -~])*\w)', re.I)
+
+ SPDX_HEADER_KEY = b'SPDX-License-Identifier'
+ LICENSE_IDENTIFIER = b'Apache-2.0 OR GPL-2.0-or-later'
+ SPDX_RE = re.compile(br'.*?(' +
+ re.escape(SPDX_HEADER_KEY) +
+ br')(:\s*(.*?)\W*\Z|.*)', re.I)
+
+ LICENSE_MENTION_RE = re.compile(rb'.*(?:' + rb'|'.join([
+ rb'Apache License',
+ rb'General Public License',
+ ]) + rb')', re.I)
+
+ def __init__(self):
+ super().__init__()
+ # Record what problem was caused. We can't easily report it due to
+ # the structure of the script. To be fixed after
+ # https://github.com/Mbed-TLS/mbedtls/pull/2506
+ self.problem = None
+
+ def issue_with_line(self, line, filepath, line_number):
+ #pylint: disable=too-many-return-statements
+
+ # Use endswith() rather than the more correct os.path.basename()
+ # because experimentally, it makes a significant difference to
+ # the running time.
+ if filepath.endswith(THIS_FILE_BASE_NAME) and \
+ line_number > LINE_NUMBER_BEFORE_LICENSE_ISSUE_TRACKER:
+ # Avoid false positives from the code in this class.
+ # Also skip the rest of this file, which is highly unlikely to
+ # contain any problematic statements since we put those near the
+ # top of files.
+ return False
+
+ m = self.COPYRIGHT_RE.match(line)
+ if m and m.group(1) != self.COPYRIGHT_HOLDER:
+ self.problem = 'Invalid copyright line'
+ return True
+
+ m = self.SPDX_RE.match(line)
+ if m:
+ if m.group(1) != self.SPDX_HEADER_KEY:
+ self.problem = 'Misspelled ' + self.SPDX_HEADER_KEY.decode()
+ return True
+ if not m.group(3):
+ self.problem = 'Improperly formatted SPDX license identifier'
+ return True
+ if m.group(3) != self.LICENSE_IDENTIFIER:
+ self.problem = 'Wrong SPDX license identifier'
+ return True
+
+ m = self.LICENSE_MENTION_RE.match(line)
+ if m:
+ self.problem = 'Suspicious license mention'
+ return True
+
+ return False
+
+
class IntegrityChecker:
"""Sanity-check files under the current directory."""
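Review bot: `this_location()` has no docstring, and the line number it returns is, as I read `inspect.currentframe()` followed by `inspect.getframeinfo(frame)`, the line of the `getframeinfo` call inside `this_location` itself rather than the caller's line; `LINE_NUMBER_BEFORE_LICENSE_ISSUE_TRACKER` therefore only marks "before the class" because the function happens to be defined immediately above `LicenseIssueTracker`, and moving it elsewhere in the file would silently widen or shrink the skip window in `issue_with_line`. A docstring should pin that contract, e.g. `"""Return (basename, line) of this function's own body; must stay defined directly above LicenseIssueTracker."""`. `issue_with_line` would likewise benefit from a short docstring stating that it returns True when the line carries a copyright, SPDX or license-mention problem and that the problem text is only recorded in `self.problem` (the base class `LineIssueTracker` is not visible here, so the return convention is presumed from the sibling trackers). The comparison `m.group(1) != self.COPYRIGHT_HOLDER` is byte-exact and case-sensitive while `COPYRIGHT_RE` is compiled with `re.I`, so a differently cased holder is reported as an invalid copyright line; if that is intended, a comment saying so would save the next reader a trip through the regex.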
@@ -365,6 +460,7 @@
TrailingWhitespaceIssueTracker(),
TabIssueTracker(),
MergeArtifactIssueTracker(),
+ LicenseIssueTracker(),
]
def setup_logger(self, log_file, level=logging.INFO):
diff --git a/tests/suites/test_suite_version.data b/tests/suites/test_suite_version.data
index 25974db..c1b81a4 100644
--- a/tests/suites/test_suite_version.data
+++ b/tests/suites/test_suite_version.data
@@ -1,8 +1,8 @@
Check compile time library version
-check_compiletime_version:"2.28.5"
+check_compiletime_version:"2.28.6"
Check runtime library version
-check_runtime_version:"2.28.5"
+check_runtime_version:"2.28.6"
Check for MBEDTLS_VERSION_C
check_feature:"MBEDTLS_VERSION_C":0