Merge pull request #3190 from gilles-peskine-arm/config-full-clarify-development
Clarify that the full config enables everything that can be tested together
diff --git a/library/psa_crypto_se.c b/library/psa_crypto_se.c
index b7fa0c5..b9f186a 100644
--- a/library/psa_crypto_se.c
+++ b/library/psa_crypto_se.c
@@ -64,7 +64,7 @@
uintptr_t transient_data;
} psa_drv_se_internal_context_t;
-typedef struct psa_se_drv_table_entry_s
+struct psa_se_drv_table_entry_s
{
psa_key_lifetime_t lifetime;
const psa_drv_se_t *methods;
@@ -72,8 +72,8 @@
{
psa_drv_se_internal_context_t internal;
psa_drv_se_context_t context;
- };
-} psa_se_drv_table_entry_t;
+ } u;
+};
static psa_se_drv_table_entry_t driver_table[PSA_MAX_SE_DRIVERS];
@@ -104,7 +104,7 @@
psa_drv_se_context_t *psa_get_se_driver_context(
psa_se_drv_table_entry_t *driver )
{
- return( &driver->context );
+ return( &driver->u.context );
}
int psa_get_se_driver( psa_key_lifetime_t lifetime,
@@ -115,7 +115,7 @@
if( p_methods != NULL )
*p_methods = ( driver ? driver->methods : NULL );
if( p_drv_context != NULL )
- *p_drv_context = ( driver ? &driver->context : NULL );
+ *p_drv_context = ( driver ? &driver->u.context : NULL );
return( driver != NULL );
}
@@ -134,7 +134,7 @@
#if SIZE_MAX > UINT32_MAX
/* ITS file sizes are limited to 32 bits. */
- if( driver->internal.persistent_data_size > UINT32_MAX )
+ if( driver->u.internal.persistent_data_size > UINT32_MAX )
return( PSA_ERROR_NOT_SUPPORTED );
#endif
@@ -162,8 +162,8 @@
* persistent_data_size is in range, but compilers don't know that,
* so cast to reassure them. */
return( psa_its_get( uid, 0,
- (uint32_t) driver->internal.persistent_data_size,
- driver->internal.persistent_data,
+ (uint32_t) driver->u.internal.persistent_data_size,
+ driver->u.internal.persistent_data,
&length ) );
}
@@ -181,8 +181,8 @@
* persistent_data_size is in range, but compilers don't know that,
* so cast to reassure them. */
return( psa_its_set( uid,
- (uint32_t) driver->internal.persistent_data_size,
- driver->internal.persistent_data,
+ (uint32_t) driver->u.internal.persistent_data_size,
+ driver->u.internal.persistent_data,
0 ) );
}
@@ -221,8 +221,8 @@
driver->methods->key_management->p_validate_slot_number;
if( p_validate_slot_number == NULL )
return( PSA_ERROR_NOT_SUPPORTED );
- status = p_validate_slot_number( &driver->context,
- driver->internal.persistent_data,
+ status = p_validate_slot_number( &driver->u.context,
+ driver->u.internal.persistent_data,
attributes, method,
*slot_number );
}
@@ -240,8 +240,8 @@
driver->methods->key_management->p_allocate;
if( p_allocate == NULL )
return( PSA_ERROR_NOT_SUPPORTED );
- status = p_allocate( &driver->context,
- driver->internal.persistent_data,
+ status = p_allocate( &driver->u.context,
+ driver->u.internal.persistent_data,
attributes, method,
slot_number );
}
@@ -265,8 +265,8 @@
driver->methods->key_management->p_destroy == NULL )
return( PSA_ERROR_NOT_PERMITTED );
status = driver->methods->key_management->p_destroy(
- &driver->context,
- driver->internal.persistent_data,
+ &driver->u.context,
+ driver->u.internal.persistent_data,
slot_number );
storage_status = psa_save_se_persistent_data( driver );
return( status == PSA_SUCCESS ? storage_status : status );
@@ -284,8 +284,8 @@
if( methods->p_init != NULL )
{
psa_status_t status = methods->p_init(
- &driver->context,
- driver->internal.persistent_data,
+ &driver->u.context,
+ driver->u.internal.persistent_data,
driver->lifetime );
if( status != PSA_SUCCESS )
return( status );
@@ -341,14 +341,14 @@
driver_table[i].lifetime = lifetime;
driver_table[i].methods = methods;
- driver_table[i].internal.persistent_data_size =
+ driver_table[i].u.internal.persistent_data_size =
methods->persistent_data_size;
if( methods->persistent_data_size != 0 )
{
- driver_table[i].internal.persistent_data =
+ driver_table[i].u.internal.persistent_data =
mbedtls_calloc( 1, methods->persistent_data_size );
- if( driver_table[i].internal.persistent_data == NULL )
+ if( driver_table[i].u.internal.persistent_data == NULL )
{
status = PSA_ERROR_INSUFFICIENT_MEMORY;
goto error;
@@ -373,8 +373,8 @@
size_t i;
for( i = 0; i < PSA_MAX_SE_DRIVERS; i++ )
{
- if( driver_table[i].internal.persistent_data != NULL )
- mbedtls_free( driver_table[i].internal.persistent_data );
+ if( driver_table[i].u.internal.persistent_data != NULL )
+ mbedtls_free( driver_table[i].u.internal.persistent_data );
}
memset( driver_table, 0, sizeof( driver_table ) );
}
diff --git a/programs/aes/crypt_and_hash.c b/programs/aes/crypt_and_hash.c
index e2949f2..6edb196 100644
--- a/programs/aes/crypt_and_hash.c
+++ b/programs/aes/crypt_and_hash.c
@@ -85,7 +85,8 @@
int main( int argc, char *argv[] )
{
- int ret = 1, i, n;
+ int ret = 1, i;
+ unsigned n;
int exit_code = MBEDTLS_EXIT_FAILURE;
int mode;
size_t keylen, ilen, olen;
diff --git a/programs/pkey/pk_decrypt.c b/programs/pkey/pk_decrypt.c
index bccfde0..44d094e 100644
--- a/programs/pkey/pk_decrypt.c
+++ b/programs/pkey/pk_decrypt.c
@@ -64,7 +64,8 @@
int main( int argc, char *argv[] )
{
FILE *f;
- int ret = 1, c;
+ int ret = 1;
+ unsigned c;
int exit_code = MBEDTLS_EXIT_FAILURE;
size_t i, olen = 0;
mbedtls_pk_context pk;
diff --git a/programs/pkey/rsa_decrypt.c b/programs/pkey/rsa_decrypt.c
index 3327909..4cfe400 100644
--- a/programs/pkey/rsa_decrypt.c
+++ b/programs/pkey/rsa_decrypt.c
@@ -65,7 +65,7 @@
FILE *f;
int ret = 1;
int exit_code = MBEDTLS_EXIT_FAILURE;
- int c;
+ unsigned c;
size_t i;
mbedtls_rsa_context rsa;
mbedtls_mpi N, P, Q, D, E, DP, DQ, QP;
diff --git a/programs/pkey/rsa_verify.c b/programs/pkey/rsa_verify.c
index b531775..74248f9 100644
--- a/programs/pkey/rsa_verify.c
+++ b/programs/pkey/rsa_verify.c
@@ -59,7 +59,8 @@
int main( int argc, char *argv[] )
{
FILE *f;
- int ret = 1, c;
+ int ret = 1;
+ unsigned c;
int exit_code = MBEDTLS_EXIT_FAILURE;
size_t i;
mbedtls_rsa_context rsa;
diff --git a/programs/ssl/ssl_client2.c b/programs/ssl/ssl_client2.c
index 6b09a89..2a4df13 100644
--- a/programs/ssl/ssl_client2.c
+++ b/programs/ssl/ssl_client2.c
@@ -377,7 +377,9 @@
#define USAGE_SERIALIZATION ""
#endif
-#define USAGE \
+/* USAGE is arbitrarily split to stay under the portable string literal
+ * length limit: 4095 bytes in C99. */
+#define USAGE1 \
"\n usage: ssl_client2 param=<>...\n" \
"\n acceptable parameters:\n" \
" server_name=%%s default: localhost\n" \
@@ -401,7 +403,8 @@
"\n" \
USAGE_DTLS \
USAGE_CID \
- "\n" \
+ "\n"
+#define USAGE2 \
" auth_mode=%%s default: (library default: none)\n" \
" options: none, optional, required\n" \
USAGE_IO \
@@ -411,7 +414,8 @@
USAGE_PSK \
USAGE_ECJPAKE \
USAGE_ECRESTART \
- "\n" \
+ "\n"
+#define USAGE3 \
" allow_legacy=%%d default: (library default: no)\n" \
USAGE_RENEGO \
" exchanges=%%d default: 1\n" \
@@ -434,7 +438,8 @@
USAGE_CURVES \
USAGE_RECSPLIT \
USAGE_DHMLEN \
- "\n" \
+ "\n"
+#define USAGE4 \
" arc4=%%d default: (library default: 0)\n" \
" allow_sha1=%%d default: 0\n" \
" min_version=%%s default: (library default: tls1)\n" \
@@ -1244,7 +1249,10 @@
if( ret == 0 )
ret = 1;
- mbedtls_printf( USAGE );
+ mbedtls_printf( USAGE1 );
+ mbedtls_printf( USAGE2 );
+ mbedtls_printf( USAGE3 );
+ mbedtls_printf( USAGE4 );
list = mbedtls_ssl_list_ciphersuites();
while( *list )
diff --git a/programs/ssl/ssl_server2.c b/programs/ssl/ssl_server2.c
index ca557ca..40f328e 100644
--- a/programs/ssl/ssl_server2.c
+++ b/programs/ssl/ssl_server2.c
@@ -463,7 +463,9 @@
#define USAGE_SERIALIZATION ""
#endif
-#define USAGE \
+/* USAGE is arbitrarily split to stay under the portable string literal
+ * length limit: 4095 bytes in C99. */
+#define USAGE1 \
"\n usage: ssl_server2 param=<>...\n" \
"\n acceptable parameters:\n" \
" server_addr=%%s default: (all interfaces)\n" \
@@ -484,7 +486,8 @@
USAGE_COOKIES \
USAGE_ANTI_REPLAY \
USAGE_BADMAC_LIMIT \
- "\n" \
+ "\n"
+#define USAGE2 \
" auth_mode=%%s default: (library default: none)\n" \
" options: none, optional, required\n" \
" cert_req_ca_list=%%d default: 1 (send ca list)\n" \
@@ -496,7 +499,8 @@
USAGE_PSK \
USAGE_CA_CALLBACK \
USAGE_ECJPAKE \
- "\n" \
+ "\n"
+#define USAGE3 \
" allow_legacy=%%d default: (library default: no)\n" \
USAGE_RENEGO \
" exchanges=%%d default: 1\n" \
@@ -513,7 +517,8 @@
USAGE_EMS \
USAGE_ETM \
USAGE_CURVES \
- "\n" \
+ "\n"
+#define USAGE4 \
" arc4=%%d default: (library default: 0)\n" \
" allow_sha1=%%d default: 0\n" \
" min_version=%%s default: (library default: tls1)\n" \
@@ -1910,7 +1915,10 @@
if( ret == 0 )
ret = 1;
- mbedtls_printf( USAGE );
+ mbedtls_printf( USAGE1 );
+ mbedtls_printf( USAGE2 );
+ mbedtls_printf( USAGE3 );
+ mbedtls_printf( USAGE4 );
list = mbedtls_ssl_list_ciphersuites();
while( *list )
diff --git a/scripts/config.py b/scripts/config.py
index 20521a5..7f94587 100755
--- a/scripts/config.py
+++ b/scripts/config.py
@@ -159,45 +159,68 @@
return active
return True
+# The goal of the full configuration is to have everything that can be tested
+# together. This includes deprecated or insecure options. It excludes:
+# * Options that require additional build dependencies or unusual hardware.
+# * Options that make testing less effective.
+# * Options that are incompatible with other options, or more generally that
+# interact with other parts of the code in such a way that a bulk enabling
+# is not a good way to test them.
+# * Options that remove features.
+EXCLUDE_FROM_FULL = frozenset([
+ #pylint: disable=line-too-long
+ 'MBEDTLS_CTR_DRBG_USE_128_BIT_KEY', # interacts with ENTROPY_FORCE_SHA256
+ 'MBEDTLS_DEPRECATED_REMOVED', # conflicts with deprecated options
+ 'MBEDTLS_DEPRECATED_WARNING', # conflicts with deprecated options
+ 'MBEDTLS_ECDH_VARIANT_EVEREST_ENABLED', # influences the use of ECDH in TLS
+ 'MBEDTLS_ECP_RESTARTABLE', # incompatible with USE_PSA_CRYPTO
+ 'MBEDTLS_ENTROPY_FORCE_SHA256', # interacts with CTR_DRBG_128_BIT_KEY
+ 'MBEDTLS_HAVE_SSE2', # hardware dependency
+ 'MBEDTLS_MEMORY_BACKTRACE', # depends on MEMORY_BUFFER_ALLOC_C
+ 'MBEDTLS_MEMORY_BUFFER_ALLOC_C', # makes sanitizers (e.g. ASan) less effective
+ 'MBEDTLS_MEMORY_DEBUG', # depends on MEMORY_BUFFER_ALLOC_C
+ 'MBEDTLS_NO_64BIT_MULTIPLICATION', # influences anything that uses bignum
+ 'MBEDTLS_NO_DEFAULT_ENTROPY_SOURCES', # removes a feature
+ 'MBEDTLS_NO_PLATFORM_ENTROPY', # removes a feature
+ 'MBEDTLS_NO_UDBL_DIVISION', # influences anything that uses bignum
+ 'MBEDTLS_PKCS11_C', # build dependency (libpkcs11-helper)
+ 'MBEDTLS_PLATFORM_NO_STD_FUNCTIONS', # removes a feature
+ 'MBEDTLS_PSA_CRYPTO_KEY_FILE_ID_ENCODES_OWNER', # platform dependency (PSA SPM) (at this time)
+ 'MBEDTLS_PSA_CRYPTO_SPM', # platform dependency (PSA SPM)
+ 'MBEDTLS_PSA_INJECT_ENTROPY', # build dependency (hook functions)
+ 'MBEDTLS_REMOVE_3DES_CIPHERSUITES', # removes a feature
+ 'MBEDTLS_REMOVE_ARC4_CIPHERSUITES', # removes a feature
+ 'MBEDTLS_RSA_NO_CRT', # influences the use of RSA in X.509 and TLS
+ 'MBEDTLS_SHA512_NO_SHA384', # removes a feature
+ 'MBEDTLS_SSL_HW_RECORD_ACCEL', # build dependency (hook functions)
+ 'MBEDTLS_TEST_NULL_ENTROPY', # removes a feature
+ 'MBEDTLS_X509_ALLOW_UNSUPPORTED_CRITICAL_EXTENSION', # influences the use of X.509 in TLS
+ 'MBEDTLS_ZLIB_SUPPORT', # build dependency (libz)
+])
+
+def is_seamless_alt(name):
+ """Whether the xxx_ALT symbol should be included in the full configuration.
+
+ Include alternative implementations of platform functions, which are
+ configurable function pointers that default to the built-in function.
+ This way we test that the function pointers exist and build correctly
+ without changing the behavior, and tests can verify that the function
+ pointers are used by modifying those pointers.
+
+ Exclude alternative implementations of library functions since they require
+ an implementation of the relevant functions and an xxx_alt.h header.
+ """
+ if name == 'MBEDTLS_PLATFORM_SETUP_TEARDOWN_ALT':
+ # Similar to non-platform xxx_ALT, requires platform_alt.h
+ return False
+ return name.startswith('MBEDTLS_PLATFORM_')
+
def include_in_full(name):
"""Rules for symbols in the "full" configuration."""
- if re.search(r'PLATFORM_[A-Z0-9]+_ALT', name):
- return True
- if name in [
- 'MBEDTLS_CTR_DRBG_USE_128_BIT_KEY',
- 'MBEDTLS_DEPRECATED_REMOVED',
- 'MBEDTLS_ECDH_VARIANT_EVEREST_ENABLED',
- 'MBEDTLS_ECP_RESTARTABLE',
- 'MBEDTLS_ENTROPY_FORCE_SHA256', # Variant toggle, tested separately
- 'MBEDTLS_HAVE_SSE2',
- 'MBEDTLS_MEMORY_BACKTRACE',
- 'MBEDTLS_MEMORY_BUFFER_ALLOC_C',
- 'MBEDTLS_MEMORY_DEBUG',
- 'MBEDTLS_NO_64BIT_MULTIPLICATION',
- 'MBEDTLS_NO_DEFAULT_ENTROPY_SOURCES',
- 'MBEDTLS_NO_PLATFORM_ENTROPY',
- 'MBEDTLS_NO_UDBL_DIVISION',
- 'MBEDTLS_PKCS11_C',
- 'MBEDTLS_PLATFORM_NO_STD_FUNCTIONS',
- 'MBEDTLS_PSA_CRYPTO_KEY_FILE_ID_ENCODES_OWNER',
- 'MBEDTLS_PSA_CRYPTO_SE_C',
- 'MBEDTLS_PSA_CRYPTO_SPM',
- 'MBEDTLS_PSA_INJECT_ENTROPY',
- 'MBEDTLS_REMOVE_3DES_CIPHERSUITES',
- 'MBEDTLS_REMOVE_ARC4_CIPHERSUITES',
- 'MBEDTLS_RSA_NO_CRT',
- 'MBEDTLS_SHA512_NO_SHA384',
- 'MBEDTLS_SSL_HW_RECORD_ACCEL',
- 'MBEDTLS_SSL_PROTO_SSL3',
- 'MBEDTLS_SSL_SRV_SUPPORT_SSLV2_CLIENT_HELLO',
- 'MBEDTLS_TEST_NULL_ENTROPY',
- 'MBEDTLS_X509_ALLOW_EXTENSIONS_NON_V3',
- 'MBEDTLS_X509_ALLOW_UNSUPPORTED_CRITICAL_EXTENSION',
- 'MBEDTLS_ZLIB_SUPPORT',
- ]:
+ if name in EXCLUDE_FROM_FULL:
return False
if name.endswith('_ALT'):
- return False
+ return is_seamless_alt(name)
return True
def full_adapter(name, active, section):
@@ -206,25 +229,33 @@
return active
return include_in_full(name)
+# The baremetal configuration excludes options that require a library or
+# operating system feature that is typically not present on bare metal
+# systems. Features that are excluded from "full" won't be in "baremetal"
+# either (unless explicitly turned on in baremetal_adapter) so they don't
+# need to be repeated here.
+EXCLUDE_FROM_BAREMETAL = frozenset([
+ #pylint: disable=line-too-long
+ 'MBEDTLS_ENTROPY_NV_SEED', # requires a filesystem and FS_IO or alternate NV seed hooks
+ 'MBEDTLS_FS_IO', # requires a filesystem
+ 'MBEDTLS_HAVEGE_C', # requires a clock
+ 'MBEDTLS_HAVE_TIME', # requires a clock
+ 'MBEDTLS_HAVE_TIME_DATE', # requires a clock
+ 'MBEDTLS_NET_C', # requires POSIX-like networking
+ 'MBEDTLS_PLATFORM_FPRINTF_ALT', # requires FILE* from stdio.h
+ 'MBEDTLS_PLATFORM_NV_SEED_ALT', # requires a filesystem and ENTROPY_NV_SEED
+ 'MBEDTLS_PLATFORM_TIME_ALT', # requires a clock and HAVE_TIME
+ 'MBEDTLS_PSA_CRYPTO_SE_C', # requires a filesystem and PSA_CRYPTO_STORAGE_C
+ 'MBEDTLS_PSA_CRYPTO_STORAGE_C', # requires a filesystem
+ 'MBEDTLS_PSA_ITS_FILE_C', # requires a filesystem
+ 'MBEDTLS_THREADING_C', # requires a threading interface
+ 'MBEDTLS_THREADING_PTHREAD', # requires pthread
+ 'MBEDTLS_TIMING_C', # requires a clock
+])
+
def keep_in_baremetal(name):
"""Rules for symbols in the "baremetal" configuration."""
- if name in [
- 'MBEDTLS_DEPRECATED_WARNING',
- 'MBEDTLS_ENTROPY_NV_SEED',
- 'MBEDTLS_FS_IO',
- 'MBEDTLS_HAVEGE_C',
- 'MBEDTLS_HAVE_TIME',
- 'MBEDTLS_HAVE_TIME_DATE',
- 'MBEDTLS_NET_C',
- 'MBEDTLS_PLATFORM_FPRINTF_ALT',
- 'MBEDTLS_PLATFORM_TIME_ALT',
- 'MBEDTLS_PSA_CRYPTO_SE_C',
- 'MBEDTLS_PSA_CRYPTO_STORAGE_C',
- 'MBEDTLS_PSA_ITS_FILE_C',
- 'MBEDTLS_THREADING_C',
- 'MBEDTLS_THREADING_PTHREAD',
- 'MBEDTLS_TIMING_C',
- ]:
+ if name in EXCLUDE_FROM_BAREMETAL:
return False
return True
@@ -233,6 +264,7 @@
if not is_full_section(section):
return active
if name == 'MBEDTLS_NO_PLATFORM_ENTROPY':
+ # No OS-provided entropy source
return True
return include_in_full(name) and keep_in_baremetal(name)
@@ -243,10 +275,10 @@
name.startswith('MBEDTLS_KEY_EXCHANGE_'):
return False
if name in [
- 'MBEDTLS_CERTS_C',
- 'MBEDTLS_DEBUG_C',
- 'MBEDTLS_NET_C',
- 'MBEDTLS_PKCS11_C',
+ 'MBEDTLS_CERTS_C', # part of libmbedx509
+ 'MBEDTLS_DEBUG_C', # part of libmbedtls
+ 'MBEDTLS_NET_C', # part of libmbedtls
+ 'MBEDTLS_PKCS11_C', # part of libmbedx509
]:
return False
return True
@@ -265,6 +297,28 @@
return adapter(name, active, section)
return continuation
+DEPRECATED = frozenset([
+ 'MBEDTLS_SSL_PROTO_SSL3',
+ 'MBEDTLS_SSL_SRV_SUPPORT_SSLV2_CLIENT_HELLO',
+])
+
+def no_deprecated_adapter(adapter):
+ """Modify an adapter to disable deprecated symbols.
+
+ ``no_deprecated_adapter(adapter)(name, active, section)`` is like
+ ``adapter(name, active, section)``, but unsets all deprecated symbols
+ and sets ``MBEDTLS_DEPRECATED_REMOVED``.
+ """
+ def continuation(name, active, section):
+ if name == 'MBEDTLS_DEPRECATED_REMOVED':
+ return True
+ if name in DEPRECATED:
+ return False
+ if adapter is None:
+ return active
+ return adapter(name, active, section)
+ return continuation
+
class ConfigFile(Config):
"""Representation of the Mbed TLS configuration read for a file.
@@ -430,6 +484,10 @@
Exclude alternative implementations and platform support
options, as well as some options that are awkward to test.
""")
+ add_adapter('full_no_deprecated', no_deprecated_adapter(full_adapter),
+ """Uncomment most non-deprecated features.
+ Like "full", but without deprecated features.
+ """)
add_adapter('realfull', realfull_adapter,
"""Uncomment all boolean #defines.
Suitable for generating documentation, but not for building.""")
diff --git a/tests/scripts/all.sh b/tests/scripts/all.sh
index f5e0a87..5ea1c35 100755
--- a/tests/scripts/all.sh
+++ b/tests/scripts/all.sh
@@ -927,26 +927,58 @@
if_build_succeeded env OPENSSL_CMD="$OPENSSL_NEXT" tests/compat.sh -e '^$' -f 'ARIA\|CHACHA'
}
-component_build_deprecated () {
- msg "build: make, full config + DEPRECATED_WARNING, gcc -O" # ~ 30s
+component_test_default_no_deprecated () {
+ # Test that removing the deprecated features from the default
+ # configuration leaves something consistent.
+ msg "build: make, default + MBEDTLS_DEPRECATED_REMOVED" # ~ 30s
+ scripts/config.py set MBEDTLS_DEPRECATED_REMOVED
+ make CC=gcc CFLAGS='-O -Werror -Wall -Wextra'
+
+ msg "test: make, default + MBEDTLS_DEPRECATED_REMOVED" # ~ 5s
+ make test
+}
+
+component_test_full_no_deprecated () {
+ msg "build: make, full_no_deprecated config" # ~ 30s
+ scripts/config.py full_no_deprecated
+ make CC=gcc CFLAGS='-O -Werror -Wall -Wextra'
+
+ msg "test: make, full_no_deprecated config" # ~ 5s
+ make test
+}
+
+component_test_full_no_deprecated_deprecated_warning () {
+ # Test that there is nothing deprecated in "full_no_deprecated".
+ # A deprecated feature would trigger a warning (made fatal) from
+ # MBEDTLS_DEPRECATED_WARNING.
+ msg "build: make, full_no_deprecated config, MBEDTLS_DEPRECATED_WARNING" # ~ 30s
+ scripts/config.py full_no_deprecated
+ scripts/config.py unset MBEDTLS_DEPRECATED_REMOVED
+ scripts/config.py set MBEDTLS_DEPRECATED_WARNING
+ make CC=gcc CFLAGS='-O -Werror -Wall -Wextra'
+
+ msg "test: make, full_no_deprecated config, MBEDTLS_DEPRECATED_WARNING" # ~ 5s
+ make test
+}
+
+component_test_full_deprecated_warning () {
+ # Test that when MBEDTLS_DEPRECATED_WARNING is enabled, the build passes
+ # with only certain whitelisted types of warnings.
+ msg "build: make, full config + MBEDTLS_DEPRECATED_WARNING, expect warnings" # ~ 30s
scripts/config.py full
scripts/config.py set MBEDTLS_DEPRECATED_WARNING
- # Build with -O -Wextra to catch a maximum of issues.
- make CC=gcc CFLAGS='-O -Werror -Wall -Wextra' lib programs
- make CC=gcc CFLAGS='-O -Werror -Wall -Wextra -Wno-unused-function' tests
+ # Expect warnings from '#warning' directives in check_config.h.
+ make CC=gcc CFLAGS='-O -Werror -Wall -Wextra -Wno-error=cpp' lib programs
- msg "test: make, full config + DEPRECATED_WARNING, expect warnings" # ~ 30s
- make -C tests clean
- make CC=gcc CFLAGS='-O -Werror -Wall -Wextra -Wno-error=deprecated-declarations -DMBEDTLS_TEST_DEPRECATED' tests
+ msg "build: make tests, full config + MBEDTLS_DEPRECATED_WARNING, expect warnings" # ~ 30s
+ # Set MBEDTLS_TEST_DEPRECATED to enable tests for deprecated features.
+ # By default those are disabled when MBEDTLS_DEPRECATED_WARNING is set.
+ # Expect warnings from '#warning' directives in check_config.h and
+ # from the use of deprecated functions in test suites.
+ make CC=gcc CFLAGS='-O -Werror -Wall -Wextra -Wno-error=deprecated-declarations -Wno-error=cpp -DMBEDTLS_TEST_DEPRECATED' tests
- msg "build: make, full config + DEPRECATED_REMOVED, clang -O" # ~ 30s
- # No cleanup, just tweak the configuration and rebuild
- make clean
- scripts/config.py unset MBEDTLS_DEPRECATED_WARNING
- scripts/config.py set MBEDTLS_DEPRECATED_REMOVED
- # Build with -O -Wextra to catch a maximum of issues.
- make CC=clang CFLAGS='-O -Werror -Wall -Wextra' lib programs
- make CC=clang CFLAGS='-O -Werror -Wall -Wextra -Wno-unused-function' tests
+ msg "test: full config + MBEDTLS_TEST_DEPRECATED" # ~ 30s
+ make test
}
# Check that the specified libraries exist and are empty.
@@ -1015,6 +1047,7 @@
scripts/config.py unset MBEDTLS_PSA_CRYPTO_C
scripts/config.py unset MBEDTLS_USE_PSA_CRYPTO
scripts/config.py unset MBEDTLS_PSA_ITS_FILE_C
+ scripts/config.py unset MBEDTLS_PSA_CRYPTO_SE_C
scripts/config.py unset MBEDTLS_PSA_CRYPTO_STORAGE_C
CC=gcc cmake -D CMAKE_BUILD_TYPE:String=Asan .
make
@@ -1053,6 +1086,7 @@
scripts/config.py unset MBEDTLS_PLATFORM_TIME_ALT
scripts/config.py unset MBEDTLS_PLATFORM_FPRINTF_ALT
scripts/config.py unset MBEDTLS_PLATFORM_MEMORY
+ scripts/config.py unset MBEDTLS_PLATFORM_NV_SEED_ALT
scripts/config.py unset MBEDTLS_PLATFORM_PRINTF_ALT
scripts/config.py unset MBEDTLS_PLATFORM_SNPRINTF_ALT
scripts/config.py unset MBEDTLS_ENTROPY_NV_SEED
@@ -1082,6 +1116,7 @@
scripts/config.py unset MBEDTLS_PLATFORM_SNPRINTF_ALT
scripts/config.py unset MBEDTLS_PLATFORM_TIME_ALT
scripts/config.py unset MBEDTLS_PLATFORM_EXIT_ALT
+ scripts/config.py unset MBEDTLS_PLATFORM_NV_SEED_ALT
scripts/config.py unset MBEDTLS_ENTROPY_NV_SEED
scripts/config.py unset MBEDTLS_FS_IO
scripts/config.py unset MBEDTLS_PSA_CRYPTO_SE_C
@@ -1099,6 +1134,7 @@
scripts/config.py full
scripts/config.py set MBEDTLS_PLATFORM_NO_STD_FUNCTIONS
scripts/config.py unset MBEDTLS_ENTROPY_NV_SEED
+ scripts/config.py unset MBEDTLS_PLATFORM_NV_SEED_ALT
make CC=gcc CFLAGS='-Werror -Wall -Wextra -Os'
}
@@ -1288,6 +1324,7 @@
scripts/config.py set MBEDTLS_NO_DEFAULT_ENTROPY_SOURCES
scripts/config.py set MBEDTLS_ENTROPY_C
scripts/config.py unset MBEDTLS_ENTROPY_NV_SEED
+ scripts/config.py unset MBEDTLS_PLATFORM_NV_SEED_ALT
scripts/config.py unset MBEDTLS_ENTROPY_HARDWARE_ALT
scripts/config.py unset MBEDTLS_HAVEGE_C
CC=gcc cmake -D CMAKE_BUILD_TYPE:String=Asan -D UNSAFE_BUILD=ON .
@@ -1405,16 +1442,6 @@
make test
}
-component_test_se_full () {
- msg "build: full config + MBEDTLS_PSA_CRYPTO_SE_C"
- scripts/config.py full
- scripts/config.py set MBEDTLS_PSA_CRYPTO_SE_C
- make CC=gcc CFLAGS="$ASAN_CFLAGS -O2" LDFLAGS="$ASAN_CFLAGS"
-
- msg "test: full config + MBEDTLS_PSA_CRYPTO_SE_C"
- make test
-}
-
component_test_make_shared () {
msg "build/test: make shared" # ~ 40s
make SHARED=1 all check
@@ -1433,7 +1460,7 @@
info=$1 cc=$2; shift 2
for opt in "$@"; do
msg "build/test: $cc $opt, $info" # ~ 30s
- make CC="$cc" CFLAGS="$opt -Wall -Wextra -Werror"
+ make CC="$cc" CFLAGS="$opt -std=c99 -pedantic -Wall -Wextra -Werror"
# We're confident enough in compilers to not run _all_ the tests,
# but at least run the unit tests. In particular, runs with
# optimizations use inline assembly whereas runs with -O0
diff --git a/tests/scripts/basic-build-test.sh b/tests/scripts/basic-build-test.sh
index aca2f11..08c1410 100755
--- a/tests/scripts/basic-build-test.sh
+++ b/tests/scripts/basic-build-test.sh
@@ -68,10 +68,6 @@
make clean
cp "$CONFIG_H" "$CONFIG_BAK"
scripts/config.py full
-# Enable some deprecated or experimental features that are not in the
-# full config, but are compatible with it and have tests.
-scripts/config.py set MBEDTLS_SSL_PROTO_SSL3
-scripts/config.py set MBEDTLS_PSA_CRYPTO_SE_C
make -j
diff --git a/tests/suites/main_test.function b/tests/suites/main_test.function
index 5986758..ff4cf20 100644
--- a/tests/suites/main_test.function
+++ b/tests/suites/main_test.function
@@ -19,6 +19,12 @@
* This file is part of Mbed TLS (https://tls.mbed.org)
*/
+#if defined(__unix__) || (defined(__APPLE__) && defined(__MACH__))
+#if !defined(_POSIX_C_SOURCE)
+#define _POSIX_C_SOURCE 1 // for fileno() from <stdio.h>
+#endif
+#endif
+
#if !defined(MBEDTLS_CONFIG_FILE)
#include <mbedtls/config.h>
#else
diff --git a/tests/suites/test_suite_entropy.function b/tests/suites/test_suite_entropy.function
index 9f10a90..d9ea441 100644
--- a/tests/suites/test_suite_entropy.function
+++ b/tests/suites/test_suite_entropy.function
@@ -1,6 +1,7 @@
/* BEGIN_HEADER */
#include "mbedtls/entropy.h"
#include "mbedtls/entropy_poll.h"
+#include "mbedtls/md.h"
#include "string.h"
typedef enum
diff --git a/tests/suites/test_suite_x509parse.data b/tests/suites/test_suite_x509parse.data
index 7012e8e..23a9932 100644
--- a/tests/suites/test_suite_x509parse.data
+++ b/tests/suites/test_suite_x509parse.data
@@ -176,7 +176,7 @@
X509 certificate v1 with extension
depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_RSA_C:MBEDTLS_X509_ALLOW_EXTENSIONS_NON_V3:MBEDTLS_SHA1_C
-x509_cert_info:"data_files/cert_v1_with_ext.crt":"cert. version \: 1\nserial number \: BD\:ED\:44\:C7\:D2\:3E\:C2\:A4\nissuer name \: C=XX, ST=XX, L=XX, O=XX, OU=XX, emailAddress=admin@identity-check.org, CN=identity-check.org\nsubject name \: C=XX, ST=XX, L=XX, O=XX, OU=XX, emailAddress=admin@identity-check.org, CN=identity-check.org\nissued on \: 2013-07-04 16\:17\:02\nexpires on \: 2014-07-04 16\:17\:02\nsigned using \: RSA with SHA1\nRSA key size \: 2048 bits\nsubject alt name \:\n dNSName \: identity-check.org\n dNSName \: www.identity-check.org\n"
+x509_cert_info:"data_files/cert_v1_with_ext.crt":"cert. version \: 1\nserial number \: BD\:ED\:44\:C7\:D2\:3E\:C2\:A4\nissuer name \: C=XX, ST=XX, L=XX, O=XX, OU=XX, emailAddress=admin@identity-check.org, CN=identity-check.org\nsubject name \: C=XX, ST=XX, L=XX, O=XX, OU=XX, emailAddress=admin@identity-check.org, CN=identity-check.org\nissued on \: 2013-07-04 16\:17\:02\nexpires on \: 2014-07-04 16\:17\:02\nsigned using \: RSA with SHA1\nRSA key size \: 2048 bits\nsubject alt name \:\n dNSName \: identity-check.org\n dNSName \: www.identity-check.org\n <unsupported>\n"
X509 SAN parsing otherName
depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_ECDSA_C:MBEDTLS_ECP_DP_SECP256R1_ENABLED:MBEDTLS_SHA256_C
@@ -1563,7 +1563,7 @@
x509parse_crt:"308198308182a0030201028204deadbeef300d06092a864886f70d01010b0500300c310a30080600130454657374301c170c303930313031303030303030170c303931323331323335393539300c310a30080600130454657374302a300d06092A864886F70D010101050003190030160210ffffffffffffffffffffffffffffffff0202ffffa201300d06092a864886f70d01010b0500030200ff":"":MBEDTLS_ERR_X509_INVALID_FORMAT + MBEDTLS_ERR_ASN1_OUT_OF_DATA
X509 CRT ASN1 (TBS, valid IssuerID, inv SubjectID, inv tag)
-depends_on:MBEDTLS_RSA_C:MBEDTLS_SHA256_C
+depends_on:!MBEDTLS_X509_ALLOW_EXTENSIONS_NON_V3:MBEDTLS_RSA_C:MBEDTLS_SHA256_C
x509parse_crt:"30819a308184a0030201008204deadbeef300d06092a864886f70d01010b0500300c310a30080600130454657374301c170c303930313031303030303030170c303931323331323335393539300c310a30080600130454657374302a300d06092A864886F70D010101050003190030160210ffffffffffffffffffffffffffffffff0202ffffa1000500300d06092a864886f70d01010b0500030200ff":"":MBEDTLS_ERR_X509_INVALID_FORMAT + MBEDTLS_ERR_ASN1_LENGTH_MISMATCH
X509 CRT ASN1 (TBSCertificate v3, ext SubjectAlternativeName malformed)
@@ -1583,13 +1583,21 @@
x509parse_crt:"30819a308184a0030201028204deadbeef300d06092a864886f70d01010b0500300c310a30080600130454657374301c170c303930313031303030303030170c303931323331323335393539300c310a30080600130454657374302a300d06092A864886F70D010101050003190030160210ffffffffffffffffffffffffffffffff0202ffffa100a201300d06092a864886f70d01010b0500030200ff":"":MBEDTLS_ERR_X509_INVALID_FORMAT + MBEDTLS_ERR_ASN1_OUT_OF_DATA
X509 CRT ASN1 (TBS, IssuerID unsupported in v1 CRT)
-depends_on:MBEDTLS_RSA_C:MBEDTLS_SHA256_C
+depends_on:!MBEDTLS_X509_ALLOW_EXTENSIONS_NON_V3:MBEDTLS_RSA_C:MBEDTLS_SHA256_C
x509parse_crt:"30819a308184a0030201008204deadbeef300d06092a864886f70d01010b0500300c310a30080600130454657374301c170c303930313031303030303030170c303931323331323335393539300c310a30080600130454657374302a300d06092A864886F70D010101050003190030160210ffffffffffffffffffffffffffffffff0202ffffa100a201300d06092a864886f70d01010b0500030200ff":"":MBEDTLS_ERR_X509_INVALID_FORMAT + MBEDTLS_ERR_ASN1_LENGTH_MISMATCH
+X509 CRT ASN1 (TBS, IssuerID unsupported in v1 CRT, ALLOW_EXTENSIONS_NON_V3)
+depends_on:MBEDTLS_X509_ALLOW_EXTENSIONS_NON_V3:MBEDTLS_RSA_C:MBEDTLS_SHA256_C
+x509parse_crt:"30819a308184a0030201008204deadbeef300d06092a864886f70d01010b0500300c310a30080600130454657374301c170c303930313031303030303030170c303931323331323335393539300c310a30080600130454657374302a300d06092A864886F70D010101050003190030160210ffffffffffffffffffffffffffffffff0202ffffa100a201300d06092a864886f70d01010b0500030200ff":"":MBEDTLS_ERR_X509_INVALID_EXTENSIONS + MBEDTLS_ERR_ASN1_UNEXPECTED_TAG
+
X509 CRT ASN1 (TBS, SubjectID unsupported in v1 CRT)
-depends_on:MBEDTLS_RSA_C:MBEDTLS_SHA256_C
+depends_on:!MBEDTLS_X509_ALLOW_EXTENSIONS_NON_V3:MBEDTLS_RSA_C:MBEDTLS_SHA256_C
x509parse_crt:"30819a308184a0030201008204deadbeef300d06092a864886f70d01010b0500300c310a30080600130454657374301c170c303930313031303030303030170c303931323331323335393539300c310a30080600130454657374302a300d06092A864886F70D010101050003190030160210ffffffffffffffffffffffffffffffff0202ffffa200a201300d06092a864886f70d01010b0500030200ff":"":MBEDTLS_ERR_X509_INVALID_FORMAT + MBEDTLS_ERR_ASN1_LENGTH_MISMATCH
+X509 CRT ASN1 (TBS, SubjectID unsupported in v1 CRT, ALLOW_EXTENSIONS_NON_V3)
+depends_on:MBEDTLS_X509_ALLOW_EXTENSIONS_NON_V3:MBEDTLS_RSA_C:MBEDTLS_SHA256_C
+x509parse_crt:"30819a308184a0030201008204deadbeef300d06092a864886f70d01010b0500300c310a30080600130454657374301c170c303930313031303030303030170c303931323331323335393539300c310a30080600130454657374302a300d06092A864886F70D010101050003190030160210ffffffffffffffffffffffffffffffff0202ffffa200a201300d06092a864886f70d01010b0500030200ff":"":MBEDTLS_ERR_X509_INVALID_EXTENSIONS + MBEDTLS_ERR_ASN1_UNEXPECTED_TAG
+
X509 CRT ASN1 (TBS, inv v3Ext, inv tag)
depends_on:MBEDTLS_RSA_C:MBEDTLS_SHA256_C
x509parse_crt:"30819c308186a0030201028204deadbeef300d06092a864886f70d01010b0500300c310a30080600130454657374301c170c303930313031303030303030170c303931323331323335393539300c310a30080600130454657374302a300d06092A864886F70D010101050003190030160210ffffffffffffffffffffffffffffffff0202ffffa100a2000500300d06092a864886f70d01010b0500030200ff":"":MBEDTLS_ERR_X509_INVALID_EXTENSIONS + MBEDTLS_ERR_ASN1_UNEXPECTED_TAG
@@ -1838,12 +1846,24 @@
depends_on:MBEDTLS_RSA_C:MBEDTLS_SHA256_C
x509parse_crt:"3081dc3081c6a0030201028204deadbeef300d06092a864886f70d01010b0500300c310a30080600130454657374301c170c303930313031303030303030170c303931323331323335393539300c310a30080600130454657374302a300d06092A864886F70D010101050003190030160210ffffffffffffffffffffffffffffffff0202ffffa100a200a321301f301d0603551d11041630148208666f6f2e7465737482086261722e74657374301d0603551d11041630148208666f6f2e7465737482086261722e74657374300d06092a864886f70d01010b0500030200ff":"":MBEDTLS_ERR_X509_INVALID_FORMAT + MBEDTLS_ERR_ASN1_LENGTH_MISMATCH
-X509 CRT ASN1 (TBS, valid v3Ext in v1 CRT)
+X509 CRT (TBS, valid v3Ext in v1 CRT, ALLOW_EXTENSIONS_NON_V3)
+depends_on:MBEDTLS_X509_ALLOW_EXTENSIONS_NON_V3:MBEDTLS_RSA_C:MBEDTLS_SHA256_C
+x509parse_crt:"3081b93081a3a0030201008204deadbeef300d06092a864886f70d01010b0500300c310a30080600130454657374301c170c303930313031303030303030170c303931323331323335393539300c310a30080600130454657374302a300d06092A864886F70D010101050003190030160210ffffffffffffffffffffffffffffffff0202ffffa321301f301d0603551d11041630148208666f6f2e7465737482086261722e74657374300d06092a864886f70d01010b0500030200ff":"cert. version \: 1\nserial number \: DE\:AD\:BE\:EF\nissuer name \: ??=Test\nsubject name \: ??=Test\nissued on \: 2009-01-01 00\:00\:00\nexpires on \: 2009-12-31 23\:59\:59\nsigned using \: RSA with SHA-256\nRSA key size \: 128 bits\nsubject alt name \:\n dNSName \: foo.test\n dNSName \: bar.test\n":0
+
+X509 CRT (TBS, valid v3Ext in v2 CRT, ALLOW_EXTENSIONS_NON_V3)
+depends_on:MBEDTLS_X509_ALLOW_EXTENSIONS_NON_V3:MBEDTLS_RSA_C:MBEDTLS_SHA256_C
+x509parse_crt:"3081b93081a3a0030201018204deadbeef300d06092a864886f70d01010b0500300c310a30080600130454657374301c170c303930313031303030303030170c303931323331323335393539300c310a30080600130454657374302a300d06092A864886F70D010101050003190030160210ffffffffffffffffffffffffffffffff0202ffffa321301f301d0603551d11041630148208666f6f2e7465737482086261722e74657374300d06092a864886f70d01010b0500030200ff":"cert. version \: 2\nserial number \: DE\:AD\:BE\:EF\nissuer name \: ??=Test\nsubject name \: ??=Test\nissued on \: 2009-01-01 00\:00\:00\nexpires on \: 2009-12-31 23\:59\:59\nsigned using \: RSA with SHA-256\nRSA key size \: 128 bits\nsubject alt name \:\n dNSName \: foo.test\n dNSName \: bar.test\n":0
+
+X509 CRT (TBS, valid v3Ext in v3 CRT)
depends_on:MBEDTLS_RSA_C:MBEDTLS_SHA256_C
+x509parse_crt:"3081b93081a3a0030201028204deadbeef300d06092a864886f70d01010b0500300c310a30080600130454657374301c170c303930313031303030303030170c303931323331323335393539300c310a30080600130454657374302a300d06092A864886F70D010101050003190030160210ffffffffffffffffffffffffffffffff0202ffffa321301f301d0603551d11041630148208666f6f2e7465737482086261722e74657374300d06092a864886f70d01010b0500030200ff":"cert. version \: 3\nserial number \: DE\:AD\:BE\:EF\nissuer name \: ??=Test\nsubject name \: ??=Test\nissued on \: 2009-01-01 00\:00\:00\nexpires on \: 2009-12-31 23\:59\:59\nsigned using \: RSA with SHA-256\nRSA key size \: 128 bits\nsubject alt name \:\n dNSName \: foo.test\n dNSName \: bar.test\n":0
+
+X509 CRT ASN1 (TBS, valid v3Ext in v1 CRT)
+depends_on:!MBEDTLS_X509_ALLOW_EXTENSIONS_NON_V3:MBEDTLS_RSA_C:MBEDTLS_SHA256_C
x509parse_crt:"3081b93081a3a0030201008204deadbeef300d06092a864886f70d01010b0500300c310a30080600130454657374301c170c303930313031303030303030170c303931323331323335393539300c310a30080600130454657374302a300d06092A864886F70D010101050003190030160210ffffffffffffffffffffffffffffffff0202ffffa321301f301d0603551d11041630148208666f6f2e7465737482086261722e74657374300d06092a864886f70d01010b0500030200ff":"":MBEDTLS_ERR_X509_INVALID_FORMAT + MBEDTLS_ERR_ASN1_LENGTH_MISMATCH
X509 CRT ASN1 (TBS, valid v3Ext in v2 CRT)
-depends_on:MBEDTLS_RSA_C:MBEDTLS_SHA256_C
+depends_on:!MBEDTLS_X509_ALLOW_EXTENSIONS_NON_V3:MBEDTLS_RSA_C:MBEDTLS_SHA256_C
x509parse_crt:"3081b93081a3a0030201018204deadbeef300d06092a864886f70d01010b0500300c310a30080600130454657374301c170c303930313031303030303030170c303931323331323335393539300c310a30080600130454657374302a300d06092A864886F70D010101050003190030160210ffffffffffffffffffffffffffffffff0202ffffa321301f301d0603551d11041630148208666f6f2e7465737482086261722e74657374300d06092a864886f70d01010b0500030200ff":"":MBEDTLS_ERR_X509_INVALID_FORMAT + MBEDTLS_ERR_ASN1_LENGTH_MISMATCH
X509 CRT ASN1 (TBS, valid SubjectID, valid IssuerID, inv v3Ext, SubjectAltName repeated outside Extensions, inv SubjectAltNames tag)