Merge pull request #6901 from gilles-peskine-arm/check-files-unicode-2.28

Backport 2.28: Reject bad characters in source code
diff --git a/ChangeLog.d/fix-iar-warnings.txt b/ChangeLog.d/fix-iar-warnings.txt
new file mode 100644
index 0000000..244e863
--- /dev/null
+++ b/ChangeLog.d/fix-iar-warnings.txt
@@ -0,0 +1,2 @@
+Bugfix
+   * Fix IAR compiler warnings. Contributed by Glenn Strauss in #3835.
diff --git a/ChangeLog.d/fix_build_for_directory_names_containing_spaces.txt b/ChangeLog.d/fix_build_for_directory_names_containing_spaces.txt
new file mode 100644
index 0000000..e7643b7
--- /dev/null
+++ b/ChangeLog.d/fix_build_for_directory_names_containing_spaces.txt
@@ -0,0 +1,4 @@
+Bugfix
+   * Fix a bug in the build where directory names containing spaces were
+     causing generate_errors.pl to error out resulting in a build failure.
+     Fixes issue #6879.
diff --git a/include/psa/crypto_values.h b/include/psa/crypto_values.h
index 4df4fe4..a9fddb7 100644
--- a/include/psa/crypto_values.h
+++ b/include/psa/crypto_values.h
@@ -57,6 +57,13 @@
  * value, check with the Arm PSA framework group to pick one that other
  * domains aren't already using. */
 
+/* Tell uncrustify not to touch the constant definitions, otherwise
+ * it might change the spacing to something that is not PSA-compliant
+ * (e.g. adding a space after casts).
+ *
+ * *INDENT-OFF*
+ */
+
 /** The action was completed successfully. */
 #define PSA_SUCCESS ((psa_status_t)0)
 
@@ -327,6 +334,8 @@
  */
 #define PSA_ERROR_DATA_INVALID          ((psa_status_t)-153)
 
+/* *INDENT-ON* */
+
 /**@}*/
 
 /** \defgroup crypto_types Key and algorithm types
@@ -819,7 +828,9 @@
     (((alg) & PSA_ALG_CATEGORY_MASK) == PSA_ALG_CATEGORY_KEY_DERIVATION)
 
 /** An invalid algorithm identifier value. */
+/* *INDENT-OFF* (https://github.com/ARM-software/psa-arch-tests/issues/337) */
 #define PSA_ALG_NONE                            ((psa_algorithm_t)0)
+/* *INDENT-ON* */
 
 #define PSA_ALG_HASH_MASK                       ((psa_algorithm_t)0x000000ff)
 /** MD2 */
@@ -2085,7 +2096,9 @@
 
 /** The null key identifier.
  */
+/* *INDENT-OFF* (https://github.com/ARM-software/psa-arch-tests/issues/337) */
 #define PSA_KEY_ID_NULL                         ((psa_key_id_t)0)
+/* *INDENT-ON* */
 /** The minimum value for a key identifier chosen by the application.
  */
 #define PSA_KEY_ID_USER_MIN                     ((psa_key_id_t)0x00000001)
diff --git a/library/bignum.c b/library/bignum.c
index 37193f5..32038f8 100644
--- a/library/bignum.c
+++ b/library/bignum.c
@@ -1559,9 +1559,9 @@
      */
     if( 0 == d || u1 >= d )
     {
-        if (r != NULL) *r = ~0;
+        if (r != NULL) *r = ~(mbedtls_mpi_uint)0u;
 
-        return ( ~0 );
+        return ( ~(mbedtls_mpi_uint)0u );
     }
 
 #if defined(MBEDTLS_HAVE_UDBL)
@@ -1700,7 +1700,7 @@
     for( i = n; i > t ; i-- )
     {
         if( X.p[i] >= Y.p[t] )
-            Z.p[i - t - 1] = ~0;
+            Z.p[i - t - 1] = ~(mbedtls_mpi_uint)0u;
         else
         {
             Z.p[i - t - 1] = mbedtls_int_div_int( X.p[i], X.p[i - 1],
diff --git a/scripts/generate_errors.pl b/scripts/generate_errors.pl
index 65383fa..e950bc5 100755
--- a/scripts/generate_errors.pl
+++ b/scripts/generate_errors.pl
@@ -60,11 +60,11 @@
 my $error_format = <FORMAT_FILE>;
 close(FORMAT_FILE);
 
-my @files = <$include_dir/*.h>;
+my @files = glob qq("$include_dir/*.h");
 my @necessary_include_files;
 my @matches;
 foreach my $file (@files) {
-    open(FILE, "$file");
+    open(FILE, '<:crlf', $file) or die("$0: $file: $!");
     my $content = <FILE>;
     close FILE;
     my $found = 0;
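Review bot: The quoted pattern in `glob qq("$include_dir/*.h")` handles directory names with spaces, but a `$include_dir` containing a double quote or a glob metacharacter (`*`, `?`, `[`, `{`) is still parsed as pattern syntax rather than taken literally. Listing the directory avoids pattern parsing altogether: `opendir(my $dh, $include_dir) or die("$0: $include_dir: $!");` followed by `my @files = map { "$include_dir/$_" } sort grep { /\.h\z/ } readdir($dh);`. The new three-argument `open` still uses the bareword handle `FILE`; a lexical `open(my $fh, '<:crlf', $file)` would keep the handle scoped to one loop iteration. The `foreach` body continues outside the hunk, and where `$include_dir` is set is not visible here.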
diff --git a/tests/compat-in-docker.sh b/tests/compat-in-docker.sh
index 6b3cd2d..090c6ce 100755
--- a/tests/compat-in-docker.sh
+++ b/tests/compat-in-docker.sh
@@ -12,7 +12,7 @@
 #
 # Notes for users
 # ---------------
-# If OPENSSL_CMD, GNUTLS_CLI, or GNUTLS_SERV are specified the path must
+# If OPENSSL, GNUTLS_CLI, or GNUTLS_SERV are specified the path must
 # correspond to an executable inside the Docker container. The special
 # values "next" (OpenSSL only) and "legacy" are also allowed as shorthand
 # for the installations inside the container.
@@ -38,9 +38,9 @@
 
 source tests/scripts/docker_env.sh
 
-case "${OPENSSL_CMD:-default}" in
-    "legacy")  export OPENSSL_CMD="/usr/local/openssl-1.0.1j/bin/openssl";;
-    "next")    export OPENSSL_CMD="/usr/local/openssl-1.1.1a/bin/openssl";;
+case "${OPENSSL:-default}" in
+    "legacy")  export OPENSSL="/usr/local/openssl-1.0.1j/bin/openssl";;
+    "next")    export OPENSSL="/usr/local/openssl-1.1.1a/bin/openssl";;
     *) ;;
 esac
 
@@ -61,7 +61,7 @@
     -e M_SRV \
     -e GNUTLS_CLI \
     -e GNUTLS_SERV \
-    -e OPENSSL_CMD \
+    -e OPENSSL \
     -e OSSL_NO_DTLS \
     tests/compat.sh \
     $@
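Review bot: With only `-e OPENSSL` forwarded, an `OPENSSL_CMD` still set by the caller presumably never reaches the container, so the migration guard this commit adds to tests/compat.sh cannot fire there. A caller still using `OPENSSL_CMD=legacy` would then silently get the default `openssl`, and a run meant to exercise the old OpenSSL build would pass without having tested it. Either forward the old name too (`-e OPENSSL_CMD \`) so the guard inside the container sees it, or reject it in this wrapper before the `case` in the previous hunk: `if [ "${OPENSSL_CMD+set}" = set ] && [ "$OPENSSL_CMD" != "${OPENSSL-}" ]; then echo "Please use OPENSSL instead of OPENSSL_CMD." >&2; exit 125; fi`. The same applies to the matching hunks in tests/ssl-opt-in-docker.sh. The command these `-e` options belong to starts outside the hunk.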
diff --git a/tests/compat.sh b/tests/compat.sh
index 6791c55..c06694e 100755
--- a/tests/compat.sh
+++ b/tests/compat.sh
@@ -39,10 +39,21 @@
 # default commands, can be overridden by the environment
 : ${M_SRV:=../programs/ssl/ssl_server2}
 : ${M_CLI:=../programs/ssl/ssl_client2}
-: ${OPENSSL_CMD:=openssl} # OPENSSL would conflict with the build system
+: ${OPENSSL:=openssl}
 : ${GNUTLS_CLI:=gnutls-cli}
 : ${GNUTLS_SERV:=gnutls-serv}
 
+# The OPENSSL variable used to be OPENSSL_CMD for historical reasons.
+# To help the migration, error out if the old variable is set,
+# but only if it has a different value than the new one.
+if [ "${OPENSSL_CMD+set}" = set ]; then
+    # the variable is set, we can now check its value
+    if [ "$OPENSSL_CMD" != "$OPENSSL" ]; then
+        echo "Please use OPENSSL instead of OPENSSL_CMD." >&2
+        exit 125
+    fi
+fi
+
 # do we have a recent enough GnuTLS?
 if ( which $GNUTLS_CLI && which $GNUTLS_SERV ) >/dev/null 2>&1; then
     G_VER="$( $GNUTLS_CLI --version | head -n1 )"
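Review bot: The rename drops the old comment's warning that `OPENSSL` "would conflict with the build system", and the new comment only says "historical reasons", so a reader cannot tell whether that conflict has gone away. It matters because the script runs whatever `$OPENSSL` holds as a command (unquoted, e.g. `$OPENSSL version` in the later hunks), so a value inherited from an unrelated build environment would be executed as the test peer. I would add a line above the default such as `# OPENSSL is executed as a command: it must name an openssl executable (default: openssl from PATH).` The guard's message could also show both values to make the mismatch easy to diagnose: `echo "OPENSSL_CMD='$OPENSSL_CMD' differs from OPENSSL='$OPENSSL'; please use OPENSSL instead of OPENSSL_CMD." >&2`. The identical guard added in tests/ssl-opt.sh would take the same changes.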
@@ -916,7 +927,7 @@
     # Mbed TLS wants >=1024, so force that for older versions. Don't force
     # it for newer versions, which reject a 1024-bit prime. Indifferently
     # force it or not for intermediate versions.
-    case $($OPENSSL_CMD version) in
+    case $($OPENSSL version) in
         "OpenSSL 1.0"*)
             O_SERVER_ARGS="$O_SERVER_ARGS -dhparam data_files/dhparams.pem"
             ;;
@@ -940,7 +951,7 @@
     # OpenSSL 1.1.1f from Ubuntu 20.04. The syntax was only introduced in
     # OpenSSL 1.1.0 (21e0c1d23afff48601eb93135defddae51f7e2e3) and I can't find
     # a way to discover it from -help, so check the openssl version.
-    case $($OPENSSL_CMD version) in
+    case $($OPENSSL version) in
         "OpenSSL 0"*|"OpenSSL 1.0"*) :;;
         *)
             O_CLIENT_ARGS="$O_CLIENT_ARGS -cipher ALL@SECLEVEL=0"
@@ -1059,7 +1070,7 @@
 start_server() {
     case $1 in
         [Oo]pen*)
-            SERVER_CMD="$OPENSSL_CMD s_server $O_SERVER_ARGS"
+            SERVER_CMD="$OPENSSL s_server $O_SERVER_ARGS"
             ;;
         [Gg]nu*)
             SERVER_CMD="$GNUTLS_SERV $G_SERVER_ARGS --priority $G_SERVER_PRIO"
@@ -1149,7 +1160,7 @@
     # run the command and interpret result
     case $1 in
         [Oo]pen*)
-            CLIENT_CMD="$OPENSSL_CMD s_client $O_CLIENT_ARGS -cipher $2"
+            CLIENT_CMD="$OPENSSL s_client $O_CLIENT_ARGS -cipher $2"
             log "$CLIENT_CMD"
             echo "$CLIENT_CMD" > $CLI_OUT
             printf 'GET HTTP/1.0\r\n\r\n' | $CLIENT_CMD >> $CLI_OUT 2>&1 &
@@ -1284,8 +1295,8 @@
 fi
 
 if echo "$PEERS" | grep -i openssl > /dev/null; then
-    if which "$OPENSSL_CMD" >/dev/null 2>&1; then :; else
-        echo "Command '$OPENSSL_CMD' not found" >&2
+    if which "$OPENSSL" >/dev/null 2>&1; then :; else
+        echo "Command '$OPENSSL' not found" >&2
         exit 1
     fi
 fi
@@ -1348,7 +1359,7 @@
                     # help isn't accurate as of 1.0.2g: it supports DTLS 1.2
                     # but doesn't list it. But the s_server help seems to be
                     # accurate.)
-                    if ! $OPENSSL_CMD s_server -help 2>&1 | grep -q "^ *-$O_MODE "; then
+                    if ! $OPENSSL s_server -help 2>&1 | grep -q "^ *-$O_MODE "; then
                         continue;
                     fi
 
diff --git a/tests/scripts/all.sh b/tests/scripts/all.sh
index 1a2b10a..061ec8b 100755
--- a/tests/scripts/all.sh
+++ b/tests/scripts/all.sh
@@ -713,7 +713,7 @@
         *" test_"*)
             # To avoid setting OpenSSL and GnuTLS for each call to compat.sh
             # and ssl-opt.sh, we just export the variables they require.
-            export OPENSSL_CMD="$OPENSSL"
+            export OPENSSL="$OPENSSL"
             export GNUTLS_CLI="$GNUTLS_CLI"
             export GNUTLS_SERV="$GNUTLS_SERV"
             # Avoid passing --seed flag in every call to ssl-opt.sh
@@ -1018,7 +1018,7 @@
 
     msg "build: SSLv3 - compat.sh (ASan build)" # ~ 6 min
     tests/compat.sh -m 'tls1 tls1_1 tls12 dtls1 dtls12'
-    env OPENSSL_CMD="$OPENSSL_LEGACY" tests/compat.sh -m 'ssl3'
+    env OPENSSL="$OPENSSL_LEGACY" tests/compat.sh -m 'ssl3'
 
     msg "build: SSLv3 - ssl-opt.sh (ASan build)" # ~ 6 min
     tests/ssl-opt.sh
@@ -1550,10 +1550,10 @@
     tests/ssl-opt.sh -f 'Default\|ECJPAKE\|SSL async private'
 
     msg "test: compat.sh RC4, DES, 3DES & NULL (full config)" # ~ 2 min
-    env OPENSSL_CMD="$OPENSSL_LEGACY" GNUTLS_CLI="$GNUTLS_LEGACY_CLI" GNUTLS_SERV="$GNUTLS_LEGACY_SERV" tests/compat.sh -e '^$' -f 'NULL\|DES\|RC4\|ARCFOUR'
+    env OPENSSL="$OPENSSL_LEGACY" GNUTLS_CLI="$GNUTLS_LEGACY_CLI" GNUTLS_SERV="$GNUTLS_LEGACY_SERV" tests/compat.sh -e '^$' -f 'NULL\|DES\|RC4\|ARCFOUR'
 
     msg "test: compat.sh ARIA + ChachaPoly"
-    env OPENSSL_CMD="$OPENSSL_NEXT" tests/compat.sh -e '^$' -f 'ARIA\|CHACHA'
+    env OPENSSL="$OPENSSL_NEXT" tests/compat.sh -e '^$' -f 'ARIA\|CHACHA'
 }
 
 skip_suites_without_constant_flow () {
@@ -1829,10 +1829,10 @@
     tests/compat.sh
 
     msg "test: compat.sh RC4, DES & NULL (full minus MBEDTLS_USE_PSA_CRYPTO)"
-    env OPENSSL_CMD="$OPENSSL_LEGACY" GNUTLS_CLI="$GNUTLS_LEGACY_CLI" GNUTLS_SERV="$GNUTLS_LEGACY_SERV" tests/compat.sh -e '3DES\|DES-CBC3' -f 'NULL\|DES\|RC4\|ARCFOUR'
+    env OPENSSL="$OPENSSL_LEGACY" GNUTLS_CLI="$GNUTLS_LEGACY_CLI" GNUTLS_SERV="$GNUTLS_LEGACY_SERV" tests/compat.sh -e '3DES\|DES-CBC3' -f 'NULL\|DES\|RC4\|ARCFOUR'
 
     msg "test: compat.sh ARIA + ChachaPoly (full minus MBEDTLS_USE_PSA_CRYPTO)"
-    env OPENSSL_CMD="$OPENSSL_NEXT" tests/compat.sh -e '^$' -f 'ARIA\|CHACHA'
+    env OPENSSL="$OPENSSL_NEXT" tests/compat.sh -e '^$' -f 'ARIA\|CHACHA'
 }
 
 component_test_psa_crypto_config_accel_ecdsa () {
diff --git a/tests/scripts/basic-build-test.sh b/tests/scripts/basic-build-test.sh
index 7c0fe5a..abc4a2f 100755
--- a/tests/scripts/basic-build-test.sh
+++ b/tests/scripts/basic-build-test.sh
@@ -69,7 +69,7 @@
 
 # To avoid setting OpenSSL and GnuTLS for each call to compat.sh and ssl-opt.sh
 # we just export the variables they require
-export OPENSSL_CMD="$OPENSSL"
+export OPENSSL="$OPENSSL"
 export GNUTLS_CLI="$GNUTLS_CLI"
 export GNUTLS_SERV="$GNUTLS_SERV"
 
@@ -125,17 +125,17 @@
     echo
 
     echo '#### compat.sh: legacy (SSLv3)'
-    OPENSSL_CMD="$OPENSSL_LEGACY" sh compat.sh -m 'ssl3'
+    OPENSSL="$OPENSSL_LEGACY" sh compat.sh -m 'ssl3'
     echo
 
     echo '#### compat.sh: legacy (null, DES, RC4)'
-    OPENSSL_CMD="$OPENSSL_LEGACY" \
+    OPENSSL="$OPENSSL_LEGACY" \
     GNUTLS_CLI="$GNUTLS_LEGACY_CLI" GNUTLS_SERV="$GNUTLS_LEGACY_SERV" \
     sh compat.sh -e '^$' -f 'NULL\|DES\|RC4\|ARCFOUR'
     echo
 
     echo '#### compat.sh: next (ARIA, ChaCha)'
-    OPENSSL_CMD="$OPENSSL_NEXT" sh compat.sh -e '^$' -f 'ARIA\|CHACHA'
+    OPENSSL="$OPENSSL_NEXT" sh compat.sh -e '^$' -f 'ARIA\|CHACHA'
     echo
 } | tee compat-test-$TEST_OUTPUT
 echo '^^^^^^^^^^^^^^^^ compat.sh ^^^^^^^^^^^^^^^^'
diff --git a/tests/ssl-opt-in-docker.sh b/tests/ssl-opt-in-docker.sh
index 0b76440..ce900e6 100755
--- a/tests/ssl-opt-in-docker.sh
+++ b/tests/ssl-opt-in-docker.sh
@@ -12,7 +12,7 @@
 #
 # Notes for users
 # ---------------
-# If OPENSSL_CMD, GNUTLS_CLI, or GNUTLS_SERV are specified, the path must
+# If OPENSSL, GNUTLS_CLI, or GNUTLS_SERV are specified, the path must
 # correspond to an executable inside the Docker container. The special
 # values "next" and "legacy" are also allowed as shorthand for the
 # installations inside the container.
@@ -38,9 +38,9 @@
 
 source tests/scripts/docker_env.sh
 
-case "${OPENSSL_CMD:-default}" in
-    "legacy")  export OPENSSL_CMD="/usr/local/openssl-1.0.1j/bin/openssl";;
-    "next")    export OPENSSL_CMD="/usr/local/openssl-1.1.1a/bin/openssl";;
+case "${OPENSSL:-default}" in
+    "legacy")  export OPENSSL="/usr/local/openssl-1.0.1j/bin/openssl";;
+    "next")    export OPENSSL="/usr/local/openssl-1.1.1a/bin/openssl";;
     *) ;;
 esac
 
@@ -62,6 +62,6 @@
     -e P_PXY \
     -e GNUTLS_CLI \
     -e GNUTLS_SERV \
-    -e OPENSSL_CMD \
+    -e OPENSSL \
     tests/ssl-opt.sh \
     $@
diff --git a/tests/ssl-opt.sh b/tests/ssl-opt.sh
index 9e5dc6c..94c339e 100755
--- a/tests/ssl-opt.sh
+++ b/tests/ssl-opt.sh
@@ -46,11 +46,22 @@
 : ${P_CLI:=../programs/ssl/ssl_client2}
 : ${P_PXY:=../programs/test/udp_proxy}
 : ${P_QUERY:=../programs/test/query_compile_time_config}
-: ${OPENSSL_CMD:=openssl} # OPENSSL would conflict with the build system
+: ${OPENSSL:=openssl}
 : ${GNUTLS_CLI:=gnutls-cli}
 : ${GNUTLS_SERV:=gnutls-serv}
 : ${PERL:=perl}
 
+# The OPENSSL variable used to be OPENSSL_CMD for historical reasons.
+# To help the migration, error out if the old variable is set,
+# but only if it has a different value than the new one.
+if [ "${OPENSSL_CMD+set}" = set ]; then
+    # the variable is set, we can now check its value
+    if [ "$OPENSSL_CMD" != "$OPENSSL" ]; then
+        echo "Please use OPENSSL instead of OPENSSL_CMD." >&2
+        exit 125
+    fi
+fi
+
 guess_config_name() {
     if git diff --quiet ../include/mbedtls/config.h 2>/dev/null; then
         echo "default"
@@ -62,8 +73,8 @@
 : ${MBEDTLS_TEST_CONFIGURATION:="$(guess_config_name)"}
 : ${MBEDTLS_TEST_PLATFORM:="$(uname -s | tr -c \\n0-9A-Za-z _)-$(uname -m | tr -c \\n0-9A-Za-z _)"}
 
-O_SRV="$OPENSSL_CMD s_server -www -cert data_files/server5.crt -key data_files/server5.key"
-O_CLI="echo 'GET / HTTP/1.0' | $OPENSSL_CMD s_client"
+O_SRV="$OPENSSL s_server -www -cert data_files/server5.crt -key data_files/server5.key"
+O_CLI="echo 'GET / HTTP/1.0' | $OPENSSL s_client"
 G_SRV="$GNUTLS_SERV --x509certfile data_files/server5.crt --x509keyfile data_files/server5.key"
 G_CLI="echo 'GET / HTTP/1.0' | $GNUTLS_CLI --x509cafile data_files/test-ca_cat12.crt"
 TCP_CLIENT="$PERL scripts/tcp_client.pl"
@@ -404,7 +415,7 @@
 # skip next test if OpenSSL doesn't support FALLBACK_SCSV
 requires_openssl_with_fallback_scsv() {
     if [ -z "${OPENSSL_HAS_FBSCSV:-}" ]; then
-        if $OPENSSL_CMD s_client -help 2>&1 | grep fallback_scsv >/dev/null
+        if $OPENSSL s_client -help 2>&1 | grep fallback_scsv >/dev/null
         then
             OPENSSL_HAS_FBSCSV="YES"
         else
@@ -1443,8 +1454,8 @@
         exit 1
     fi
 fi
-if which $OPENSSL_CMD >/dev/null 2>&1; then :; else
-    echo "Command '$OPENSSL_CMD' not found"
+if which $OPENSSL >/dev/null 2>&1; then :; else
+    echo "Command '$OPENSSL' not found"
     exit 1
 fi
 
@@ -1499,7 +1510,7 @@
 # OpenSSL 1.1.1f from Ubuntu 20.04. The syntax was only introduced in
 # OpenSSL 1.1.0 (21e0c1d23afff48601eb93135defddae51f7e2e3) and I can't find
 # a way to discover it from -help, so check the openssl version.
-case $($OPENSSL_CMD version) in
+case $($OPENSSL version) in
     "OpenSSL 0"*|"OpenSSL 1.0"*) :;;
     *)
         O_CLI="$O_CLI -cipher ALL@SECLEVEL=0"