lib/mbedtls
1
0
Fork 0
mirror of https://github.com/Mbed-TLS/mbedtls.git synced 2025-07-29 11:41:15 +03:00
Code Activity

Merge remote-tracking branch 'upstream-crypto/development' into psa-api-1.0-beta-merge_development_20190524

Browse Source 
Conflicts:
* library/ssl_cli.c, library/ssl_tls.c:
  Removed on the development branch. Keep them removed.
* include/psa/crypto_extra.h, library/psa_crypto_storage.c,
  tests/suites/test_suite_psa_crypto.data,
  tests/suites/test_suite_psa_crypto.function,
  tests/suites/test_suite_psa_crypto_persistent_key.data,
  tests/suites/test_suite_psa_crypto_slot_management.data,
  tests/suites/test_suite_psa_crypto_slot_management.function:
  Modified on the development branch only to implement the enrollment
  algorithm, which has been reimplemented on the API branch.
  Keep the API branch.
This commit is contained in:
Gilles Peskine
2019-05-29 09:57:29 +02:00
parent 6562dd32ee f479aaef9b
commit 2938268fb4
488 changed files with 1824 additions and 76113 deletions
Download Patch File Download Diff File Expand all files Collapse all files

385
scripts/abi_check.py
View File

@ -9,10 +9,10 @@ Purpose
This script is a small wrapper around the abi-compliance-checker and
abi-dumper tools, applying them to compare the ABI and API of the library
files from two different Git revisions within an Mbed TLS repository.
The results of the comparison are formatted as HTML and stored at
a configurable location. Returns 0 on success, 1 on ABI/API non-compliance,
and 2 if there is an error while running the script.
Note: must be run from Mbed TLS root.
The results of the comparison are either formatted as HTML and stored at
a configurable location, or are given as a brief list of problems.
Returns 0 on success, 1 on ABI/API non-compliance, and 2 if there is an error
while running the script. Note: must be run from Mbed TLS root.
"""
import os
@ -23,188 +23,277 @@ import subprocess
import argparse
import logging
import tempfile
import fnmatch
from types import SimpleNamespace
import xml.etree.ElementTree as ET
class AbiChecker(object):
"""API and ABI checker."""
def __init__(self, report_dir, old_rev, new_rev, keep_all_reports):
def __init__(self, old_version, new_version, configuration):
"""Instantiate the API/ABI checker.
old_version: RepoVersion containing details to compare against
new_version: RepoVersion containing details to check
configuration.report_dir: directory for output files
configuration.keep_all_reports: if false, delete old reports
configuration.brief: if true, output shorter report to stdout
configuration.skip_file: path to file containing symbols and types to skip
"""
self.repo_path = "."
self.log = None
self.setup_logger()
self.report_dir = os.path.abspath(report_dir)
self.keep_all_reports = keep_all_reports
self.should_keep_report_dir = os.path.isdir(self.report_dir)
self.old_rev = old_rev
self.new_rev = new_rev
self.mbedtls_modules = ["libmbedcrypto", "libmbedtls", "libmbedx509"]
self.old_dumps = {}
self.new_dumps = {}
self.verbose = configuration.verbose
self._setup_logger()
self.report_dir = os.path.abspath(configuration.report_dir)
self.keep_all_reports = configuration.keep_all_reports
self.can_remove_report_dir = not (os.path.exists(self.report_dir) or
self.keep_all_reports)
self.old_version = old_version
self.new_version = new_version
self.skip_file = configuration.skip_file
self.brief = configuration.brief
self.git_command = "git"
self.make_command = "make"
def check_repo_path(self):
@staticmethod
def check_repo_path():
current_dir = os.path.realpath('.')
root_dir = os.path.dirname(os.path.dirname(os.path.realpath(__file__)))
if current_dir != root_dir:
raise Exception("Must be run from Mbed TLS root")
def setup_logger(self):
def _setup_logger(self):
self.log = logging.getLogger()
self.log.setLevel(logging.INFO)
if self.verbose:
self.log.setLevel(logging.DEBUG)
else:
self.log.setLevel(logging.INFO)
self.log.addHandler(logging.StreamHandler())
def check_abi_tools_are_installed(self):
@staticmethod
def check_abi_tools_are_installed():
for command in ["abi-dumper", "abi-compliance-checker"]:
if not shutil.which(command):
raise Exception("{} not installed, aborting".format(command))
def get_clean_worktree_for_git_revision(self, git_rev):
self.log.info(
"Checking out git worktree for revision {}".format(git_rev)
)
def _get_clean_worktree_for_git_revision(self, version):
"""Make a separate worktree with version.revision checked out.
Do not modify the current worktree."""
git_worktree_path = tempfile.mkdtemp()
worktree_process = subprocess.Popen(
[self.git_command, "worktree", "add", "--detach", git_worktree_path, git_rev],
if version.repository:
self.log.debug(
"Checking out git worktree for revision {} from {}".format(
version.revision, version.repository
)
)
fetch_output = subprocess.check_output(
[self.git_command, "fetch",
version.repository, version.revision],
cwd=self.repo_path,
stderr=subprocess.STDOUT
)
self.log.debug(fetch_output.decode("utf-8"))
worktree_rev = "FETCH_HEAD"
else:
self.log.debug("Checking out git worktree for revision {}".format(
version.revision
))
worktree_rev = version.revision
worktree_output = subprocess.check_output(
[self.git_command, "worktree", "add", "--detach",
git_worktree_path, worktree_rev],
cwd=self.repo_path,
stdout=subprocess.PIPE,
stderr=subprocess.STDOUT
)
worktree_output, _ = worktree_process.communicate()
self.log.info(worktree_output.decode("utf-8"))
if worktree_process.returncode != 0:
raise Exception("Checking out worktree failed, aborting")
self.log.debug(worktree_output.decode("utf-8"))
return git_worktree_path
def update_git_submodules(self, git_worktree_path):
process = subprocess.Popen(
def _update_git_submodules(self, git_worktree_path, version):
"""If the crypto submodule is present, initialize it.
if version.crypto_revision exists, update it to that revision,
otherwise update it to the default revision"""
update_output = subprocess.check_output(
[self.git_command, "submodule", "update", "--init", '--recursive'],
cwd=git_worktree_path,
stdout=subprocess.PIPE,
stderr=subprocess.STDOUT
)
output, _ = process.communicate()
self.log.info(output.decode("utf-8"))
if process.returncode != 0:
raise Exception("git submodule update failed, aborting")
self.log.debug(update_output.decode("utf-8"))
if not (os.path.exists(os.path.join(git_worktree_path, "crypto"))
and version.crypto_revision):
return
def build_shared_libraries(self, git_worktree_path):
if version.crypto_repository:
fetch_output = subprocess.check_output(
[self.git_command, "fetch", version.crypto_repository,
version.crypto_revision],
cwd=os.path.join(git_worktree_path, "crypto"),
stderr=subprocess.STDOUT
)
self.log.debug(fetch_output.decode("utf-8"))
crypto_rev = "FETCH_HEAD"
else:
crypto_rev = version.crypto_revision
checkout_output = subprocess.check_output(
[self.git_command, "checkout", crypto_rev],
cwd=os.path.join(git_worktree_path, "crypto"),
stderr=subprocess.STDOUT
)
self.log.debug(checkout_output.decode("utf-8"))
def _build_shared_libraries(self, git_worktree_path, version):
"""Build the shared libraries in the specified worktree."""
my_environment = os.environ.copy()
my_environment["CFLAGS"] = "-g -Og"
my_environment["SHARED"] = "1"
make_process = subprocess.Popen(
self.make_command,
if os.path.exists(os.path.join(git_worktree_path, "crypto")):
my_environment["USE_CRYPTO_SUBMODULE"] = "1"
make_output = subprocess.check_output(
[self.make_command, "lib"],
env=my_environment,
cwd=git_worktree_path,
stdout=subprocess.PIPE,
stderr=subprocess.STDOUT
)
make_output, _ = make_process.communicate()
self.log.info(make_output.decode("utf-8"))
if make_process.returncode != 0:
raise Exception("make failed, aborting")
self.log.debug(make_output.decode("utf-8"))
for root, _dirs, files in os.walk(git_worktree_path):
for file in fnmatch.filter(files, "*.so"):
version.modules[os.path.splitext(file)[0]] = (
os.path.join(root, file)
)
def get_abi_dumps_from_shared_libraries(self, git_ref, git_worktree_path):
abi_dumps = {}
for mbed_module in self.mbedtls_modules:
def _get_abi_dumps_from_shared_libraries(self, version):
"""Generate the ABI dumps for the specified git revision.
The shared libraries must have been built and the module paths
present in version.modules."""
for mbed_module, module_path in version.modules.items():
output_path = os.path.join(
self.report_dir, "{}-{}.dump".format(mbed_module, git_ref)
self.report_dir, "{}-{}-{}.dump".format(
mbed_module, version.revision, version.version
)
)
abi_dump_command = [
"abi-dumper",
os.path.join(
git_worktree_path, "library", mbed_module + ".so"),
module_path,
"-o", output_path,
"-lver", git_ref
"-lver", version.revision
]
abi_dump_process = subprocess.Popen(
abi_dump_output = subprocess.check_output(
abi_dump_command,
stdout=subprocess.PIPE,
stderr=subprocess.STDOUT
)
abi_dump_output, _ = abi_dump_process.communicate()
self.log.info(abi_dump_output.decode("utf-8"))
if abi_dump_process.returncode != 0:
raise Exception("abi-dumper failed, aborting")
abi_dumps[mbed_module] = output_path
return abi_dumps
self.log.debug(abi_dump_output.decode("utf-8"))
version.abi_dumps[mbed_module] = output_path
def cleanup_worktree(self, git_worktree_path):
def _cleanup_worktree(self, git_worktree_path):
"""Remove the specified git worktree."""
shutil.rmtree(git_worktree_path)
worktree_process = subprocess.Popen(
worktree_output = subprocess.check_output(
[self.git_command, "worktree", "prune"],
cwd=self.repo_path,
stdout=subprocess.PIPE,
stderr=subprocess.STDOUT
)
worktree_output, _ = worktree_process.communicate()
self.log.info(worktree_output.decode("utf-8"))
if worktree_process.returncode != 0:
raise Exception("Worktree cleanup failed, aborting")
self.log.debug(worktree_output.decode("utf-8"))
def get_abi_dump_for_ref(self, git_rev):
git_worktree_path = self.get_clean_worktree_for_git_revision(git_rev)
self.update_git_submodules(git_worktree_path)
self.build_shared_libraries(git_worktree_path)
abi_dumps = self.get_abi_dumps_from_shared_libraries(
git_rev, git_worktree_path
)
self.cleanup_worktree(git_worktree_path)
return abi_dumps
def _get_abi_dump_for_ref(self, version):
"""Generate the ABI dumps for the specified git revision."""
git_worktree_path = self._get_clean_worktree_for_git_revision(version)
self._update_git_submodules(git_worktree_path, version)
self._build_shared_libraries(git_worktree_path, version)
self._get_abi_dumps_from_shared_libraries(version)
self._cleanup_worktree(git_worktree_path)
def _remove_children_with_tag(self, parent, tag):
children = parent.getchildren()
for child in children:
if child.tag == tag:
parent.remove(child)
else:
self._remove_children_with_tag(child, tag)
def _remove_extra_detail_from_report(self, report_root):
for tag in ['test_info', 'test_results', 'problem_summary',
'added_symbols', 'removed_symbols', 'affected']:
self._remove_children_with_tag(report_root, tag)
for report in report_root:
for problems in report.getchildren()[:]:
if not problems.getchildren():
report.remove(problems)
def get_abi_compatibility_report(self):
"""Generate a report of the differences between the reference ABI
and the new ABI. ABI dumps from self.old_version and self.new_version
must be available."""
compatibility_report = ""
compliance_return_code = 0
for mbed_module in self.mbedtls_modules:
shared_modules = list(set(self.old_version.modules.keys()) &
set(self.new_version.modules.keys()))
for mbed_module in shared_modules:
output_path = os.path.join(
self.report_dir, "{}-{}-{}.html".format(
mbed_module, self.old_rev, self.new_rev
mbed_module, self.old_version.revision,
self.new_version.revision
)
)
abi_compliance_command = [
"abi-compliance-checker",
"-l", mbed_module,
"-old", self.old_dumps[mbed_module],
"-new", self.new_dumps[mbed_module],
"-old", self.old_version.abi_dumps[mbed_module],
"-new", self.new_version.abi_dumps[mbed_module],
"-strict",
"-report-path", output_path
"-report-path", output_path,
]
abi_compliance_process = subprocess.Popen(
abi_compliance_command,
stdout=subprocess.PIPE,
stderr=subprocess.STDOUT
)
abi_compliance_output, _ = abi_compliance_process.communicate()
self.log.info(abi_compliance_output.decode("utf-8"))
if abi_compliance_process.returncode == 0:
if self.skip_file:
abi_compliance_command += ["-skip-symbols", self.skip_file,
"-skip-types", self.skip_file]
if self.brief:
abi_compliance_command += ["-report-format", "xml",
"-stdout"]
try:
subprocess.check_output(
abi_compliance_command,
stderr=subprocess.STDOUT
)
except subprocess.CalledProcessError as err:
if err.returncode == 1:
compliance_return_code = 1
if self.brief:
self.log.info(
"Compatibility issues found for {}".format(mbed_module)
)
report_root = ET.fromstring(err.output.decode("utf-8"))
self._remove_extra_detail_from_report(report_root)
self.log.info(ET.tostring(report_root).decode("utf-8"))
else:
self.can_remove_report_dir = False
compatibility_report += (
"Compatibility issues found for {}, "
"for details see {}\n".format(mbed_module, output_path)
)
else:
raise err
else:
compatibility_report += (
"No compatibility issues for {}\n".format(mbed_module)
)
if not self.keep_all_reports:
if not (self.keep_all_reports or self.brief):
os.remove(output_path)
elif abi_compliance_process.returncode == 1:
compliance_return_code = 1
self.should_keep_report_dir = True
compatibility_report += (
"Compatibility issues found for {}, "
"for details see {}\n".format(mbed_module, output_path)
)
else:
raise Exception(
"abi-compliance-checker failed with a return code of {},"
" aborting".format(abi_compliance_process.returncode)
)
os.remove(self.old_dumps[mbed_module])
os.remove(self.new_dumps[mbed_module])
if not self.should_keep_report_dir and not self.keep_all_reports:
os.remove(self.old_version.abi_dumps[mbed_module])
os.remove(self.new_version.abi_dumps[mbed_module])
if self.can_remove_report_dir:
os.rmdir(self.report_dir)
self.log.info(compatibility_report)
return compliance_return_code
def check_for_abi_changes(self):
"""Generate a report of ABI differences
between self.old_rev and self.new_rev."""
self.check_repo_path()
self.check_abi_tools_are_installed()
self.old_dumps = self.get_abi_dump_for_ref(self.old_rev)
self.new_dumps = self.get_abi_dump_for_ref(self.new_rev)
self._get_abi_dump_for_ref(self.old_version)
self._get_abi_dump_for_ref(self.new_version)
return self.get_abi_compatibility_report()
@ -216,12 +305,17 @@ def run_main():
abi-compliance-checker and abi-dumper tools, applying them
to compare the ABI and API of the library files from two
different Git revisions within an Mbed TLS repository.
The results of the comparison are formatted as HTML and stored
at a configurable location. Returns 0 on success, 1 on ABI/API
non-compliance, and 2 if there is an error while running the
script. Note: must be run from Mbed TLS root."""
The results of the comparison are either formatted as HTML and
stored at a configurable location, or are given as a brief list
of problems. Returns 0 on success, 1 on ABI/API non-compliance,
and 2 if there is an error while running the script.
Note: must be run from Mbed TLS root."""
)
)
parser.add_argument(
"-v", "--verbose", action="store_true",
help="set verbosity level",
)
parser.add_argument(
"-r", "--report-dir", type=str, default="reports",
help="directory where reports are stored, default is reports",
@ -231,21 +325,78 @@ def run_main():
help="keep all reports, even if there are no compatibility issues",
)
parser.add_argument(
"-o", "--old-rev", type=str, help="revision for old version",
required=True
"-o", "--old-rev", type=str, help="revision for old version.",
required=True,
)
parser.add_argument(
"-or", "--old-repo", type=str, help="repository for old version."
)
parser.add_argument(
"-oc", "--old-crypto-rev", type=str,
help="revision for old crypto submodule."
)
parser.add_argument(
"-ocr", "--old-crypto-repo", type=str,
help="repository for old crypto submodule."
)
parser.add_argument(
"-n", "--new-rev", type=str, help="revision for new version",
required=True
required=True,
)
parser.add_argument(
"-nr", "--new-repo", type=str, help="repository for new version."
)
parser.add_argument(
"-nc", "--new-crypto-rev", type=str,
help="revision for new crypto version"
)
parser.add_argument(
"-ncr", "--new-crypto-repo", type=str,
help="repository for new crypto submodule."
)
parser.add_argument(
"-s", "--skip-file", type=str,
help="path to file containing symbols and types to skip"
)
parser.add_argument(
"-b", "--brief", action="store_true",
help="output only the list of issues to stdout, instead of a full report",
)
abi_args = parser.parse_args()
abi_check = AbiChecker(
abi_args.report_dir, abi_args.old_rev,
abi_args.new_rev, abi_args.keep_all_reports
if os.path.isfile(abi_args.report_dir):
print("Error: {} is not a directory".format(abi_args.report_dir))
parser.exit()
old_version = SimpleNamespace(
version="old",
repository=abi_args.old_repo,
revision=abi_args.old_rev,
crypto_repository=abi_args.old_crypto_repo,
crypto_revision=abi_args.old_crypto_rev,
abi_dumps={},
modules={}
)
new_version = SimpleNamespace(
version="new",
repository=abi_args.new_repo,
revision=abi_args.new_rev,
crypto_repository=abi_args.new_crypto_repo,
crypto_revision=abi_args.new_crypto_rev,
abi_dumps={},
modules={}
)
configuration = SimpleNamespace(
verbose=abi_args.verbose,
report_dir=abi_args.report_dir,
keep_all_reports=abi_args.keep_all_reports,
brief=abi_args.brief,
skip_file=abi_args.skip_file
)
abi_check = AbiChecker(old_version, new_version, configuration)
return_code = abi_check.check_for_abi_changes()
sys.exit(return_code)
except Exception:
except Exception: # pylint: disable=broad-except
# Print the backtrace and exit explicitly so as to exit with
# status 2, not 1.
traceback.print_exc()
sys.exit(2)

33
scripts/bump_version.sh
View File

@ -9,7 +9,6 @@
# Sets the version numbers in the source code to those given.
#
# Usage: bump_version.sh [ --version <version> ] [ --so-crypto <version>]
# [ --so-x509 <version> ] [ --so-tls <version> ]
# [ -v | --verbose ] [ -h | --help ]
#
@ -30,14 +29,6 @@ do
shift
SO_CRYPTO=$1
;;
--so-x509)
shift
SO_X509=$1
;;
--so-tls)
shift
SO_TLS=$1
;;
-v|--verbose)
# Be verbose
VERBOSE="1"
@ -48,8 +39,6 @@ do
echo -e " -h|--help\t\tPrint this help."
echo -e " --version <version>\tVersion to bump to."
echo -e " --so-crypto <version>\tSO version to bump libmbedcrypto to."
echo -e " --so-x509 <version>\tSO version to bump libmbedx509 to."
echo -e " --so-tls <version>\tSO version to bump libmbedtls to."
echo -e " -v|--verbose\t\tVerbose."
exit 1
;;
@ -83,28 +72,6 @@ then
mv tmp library/Makefile
fi
if [ "X" != "X$SO_X509" ];
then
[ $VERBOSE ] && echo "Bumping SOVERSION for libmbedx509 in library/CMakeLists.txt"
sed -e "/mbedx509/ s/ SOVERSION [0-9]\{1,\}/ SOVERSION $SO_X509/g" < library/CMakeLists.txt > tmp
mv tmp library/CMakeLists.txt
[ $VERBOSE ] && echo "Bumping SOVERSION for libmbedx509 in library/Makefile"
sed -e "s/SOEXT_X509=so.[0-9]\{1,\}/SOEXT_X509=so.$SO_X509/g" < library/Makefile > tmp
mv tmp library/Makefile
fi
if [ "X" != "X$SO_TLS" ];
then
[ $VERBOSE ] && echo "Bumping SOVERSION for libmbedtls in library/CMakeLists.txt"
sed -e "/mbedtls/ s/ SOVERSION [0-9]\{1,\}/ SOVERSION $SO_TLS/g" < library/CMakeLists.txt > tmp
mv tmp library/CMakeLists.txt
[ $VERBOSE ] && echo "Bumping SOVERSION for libmbedtls in library/Makefile"
sed -e "s/SOEXT_TLS=so.[0-9]\{1,\}/SOEXT_TLS=so.$SO_TLS/g" < library/Makefile > tmp
mv tmp library/Makefile
fi
[ $VERBOSE ] && echo "Bumping VERSION in include/mbedtls/version.h"
read MAJOR MINOR PATCH <<<$(IFS="."; echo $VERSION)
VERSION_NR="$( printf "0x%02X%02X%02X00" $MAJOR $MINOR $PATCH )"

16
scripts/config.pl
View File

@ -28,15 +28,7 @@
# MBEDTLS_ECP_DP_M511_ENABLED
# MBEDTLS_NO_DEFAULT_ENTROPY_SOURCES
# MBEDTLS_NO_PLATFORM_ENTROPY
# MBEDTLS_REMOVE_ARC4_CIPHERSUITES
# MBEDTLS_REMOVE_3DES_CIPHERSUITES
# MBEDTLS_SSL_HW_RECORD_ACCEL
# MBEDTLS_RSA_NO_CRT
# MBEDTLS_X509_ALLOW_EXTENSIONS_NON_V3
# MBEDTLS_X509_ALLOW_UNSUPPORTED_CRITICAL_EXTENSION
# - this could be enabled if the respective tests were adapted
# MBEDTLS_ZLIB_SUPPORT
# MBEDTLS_PKCS11_C
# MBEDTLS_USE_PSA_CRYPTO
# - experimental, and more an alternative implementation than a feature
# and any symbol beginning _ALT
@ -91,13 +83,6 @@ MBEDTLS_ECP_DP_M511_ENABLED
MBEDTLS_NO_DEFAULT_ENTROPY_SOURCES
MBEDTLS_NO_PLATFORM_ENTROPY
MBEDTLS_RSA_NO_CRT
MBEDTLS_REMOVE_ARC4_CIPHERSUITES
MBEDTLS_REMOVE_3DES_CIPHERSUITES
MBEDTLS_SSL_HW_RECORD_ACCEL
MBEDTLS_X509_ALLOW_EXTENSIONS_NON_V3
MBEDTLS_X509_ALLOW_UNSUPPORTED_CRITICAL_EXTENSION
MBEDTLS_ZLIB_SUPPORT
MBEDTLS_PKCS11_C
MBEDTLS_NO_UDBL_DIVISION
MBEDTLS_NO_64BIT_MULTIPLICATION
MBEDTLS_PSA_CRYPTO_SPM
@ -109,7 +94,6 @@ _ALT\s*$
# Things that should be disabled in "baremetal"
my @excluded_baremetal = qw(
MBEDTLS_NET_C
MBEDTLS_TIMING_C
MBEDTLS_FS_IO
MBEDTLS_ENTROPY_NV_SEED

13
scripts/data_files/query_config.fmt
View File

@ -53,7 +53,6 @@
#include "mbedtls/cipher.h"
#include "mbedtls/cmac.h"
#include "mbedtls/ctr_drbg.h"
#include "mbedtls/debug.h"
#include "mbedtls/des.h"
#include "mbedtls/dhm.h"
#include "mbedtls/ecdh.h"
@ -72,13 +71,11 @@
#include "mbedtls/md4.h"
#include "mbedtls/md5.h"
#include "mbedtls/memory_buffer_alloc.h"
#include "mbedtls/net_sockets.h"
#include "mbedtls/nist_kw.h"
#include "mbedtls/oid.h"
#include "mbedtls/padlock.h"
#include "mbedtls/pem.h"
#include "mbedtls/pk.h"
#include "mbedtls/pkcs11.h"
#include "mbedtls/pkcs12.h"
#include "mbedtls/pkcs5.h"
#include "mbedtls/platform_time.h"
@ -89,19 +86,9 @@
#include "mbedtls/sha1.h"
#include "mbedtls/sha256.h"
#include "mbedtls/sha512.h"
#include "mbedtls/ssl.h"
#include "mbedtls/ssl_cache.h"
#include "mbedtls/ssl_ciphersuites.h"
#include "mbedtls/ssl_cookie.h"
#include "mbedtls/ssl_internal.h"
#include "mbedtls/ssl_ticket.h"
#include "mbedtls/threading.h"
#include "mbedtls/timing.h"
#include "mbedtls/version.h"
#include "mbedtls/x509.h"
#include "mbedtls/x509_crl.h"
#include "mbedtls/x509_crt.h"
#include "mbedtls/x509_csr.h"
#include "mbedtls/xtea.h"
#include <string.h>

1
scripts/footprint.sh
View File

@ -62,7 +62,6 @@ doit()
fi
{
scripts/config.pl unset MBEDTLS_NET_C || true
scripts/config.pl unset MBEDTLS_TIMING_C || true
scripts/config.pl unset MBEDTLS_FS_IO || true
scripts/config.pl --force set MBEDTLS_NO_PLATFORM_ENTROPY || true

24
scripts/generate_errors.pl
View File

@ -32,11 +32,11 @@ my $error_format_file = $data_dir.'/error.fmt';
my @low_level_modules = qw( AES ARC4 ARIA ASN1 BASE64 BIGNUM BLOWFISH
CAMELLIA CCM CHACHA20 CHACHAPOLY CMAC CTR_DRBG DES
ENTROPY GCM HKDF HMAC_DRBG MD2 MD4 MD5
NET OID PADLOCK PBKDF2 PLATFORM POLY1305 RIPEMD160
OID PADLOCK PBKDF2 PLATFORM POLY1305 RIPEMD160
SHA1 SHA256 SHA512 THREADING XTEA );
my @high_level_modules = qw( CIPHER DHM ECP MD
PEM PK PKCS12 PKCS5
RSA SSL X509 );
RSA );
my $line_separator = $/;
undef $/;
@ -90,18 +90,13 @@ foreach my $line (@matches)
$module_name = "HMAC_DRBG" if ($module_name eq "HMAC");
my $define_name = $module_name;
$define_name = "X509_USE,X509_CREATE" if ($define_name eq "X509");
$define_name = "ASN1_PARSE" if ($define_name eq "ASN1");
$define_name = "SSL_TLS" if ($define_name eq "SSL");
$define_name = "PEM_PARSE,PEM_WRITE" if ($define_name eq "PEM");
my $include_name = $module_name;
$include_name =~ tr/A-Z/a-z/;
$include_name = "" if ($include_name eq "asn1");
# Fix faulty ones
$include_name = "net_sockets" if ($module_name eq "NET");
my $found_ll = grep $_ eq $module_name, @low_level_modules;
my $found_hl = grep $_ eq $module_name, @high_level_modules;
if (!$found_ll && !$found_hl)
@ -160,19 +155,8 @@ foreach my $line (@matches)
${$old_define} = $define_name;
}
if ($error_name eq "MBEDTLS_ERR_SSL_FATAL_ALERT_MESSAGE")
{
${$code_check} .= "${white_space}if( use_ret == -($error_name) )\n".
"${white_space}\{\n".
"${white_space} mbedtls_snprintf( buf, buflen, \"$module_name - $description\" );\n".
"${white_space} return;\n".
"${white_space}}\n"
}
else
{
${$code_check} .= "${white_space}if( use_ret == -($error_name) )\n".
"${white_space} mbedtls_snprintf( buf, buflen, \"$module_name - $description\" );\n"
}
${$code_check} .= "${white_space}if( use_ret == -($error_name) )\n".
"${white_space} mbedtls_snprintf( buf, buflen, \"$module_name - $description\" );\n"
};
if ($ll_old_define ne "")

126
scripts/memory.sh
View File

@ -1,126 +0,0 @@
#!/bin/sh
# Measure memory usage of a minimal client using a small configuration
# Currently hardwired to ccm-psk and suite-b, may be expanded later
#
# Use different build options for measuring executable size and memory usage,
# since for memory we want debug information.
set -eu
CONFIG_H='include/mbedtls/config.h'
CLIENT='mini_client'
CFLAGS_EXEC='-fno-asynchronous-unwind-tables -Wl,--gc-section -ffunction-sections -fdata-sections'
CFLAGS_MEM=-g3
if [ -r $CONFIG_H ]; then :; else
echo "$CONFIG_H not found" >&2
exit 1
fi
if grep -i cmake Makefile >/dev/null; then
echo "Not compatible with CMake" >&2
exit 1
fi
if [ $( uname ) != Linux ]; then
echo "Only work on Linux" >&2
exit 1
fi
if git status | grep -F $CONFIG_H >/dev/null 2>&1; then
echo "config.h not clean" >&2
exit 1
fi
# make measurements with one configuration
# usage: do_config <name> <unset-list> <server-args>
do_config()
{
NAME=$1
UNSET_LIST=$2
SERVER_ARGS=$3
echo ""
echo "config-$NAME:"
cp configs/config-$NAME.h $CONFIG_H
scripts/config.pl unset MBEDTLS_SSL_SRV_C
for FLAG in $UNSET_LIST; do
scripts/config.pl unset $FLAG
done
grep -F SSL_MAX_CONTENT_LEN $CONFIG_H || echo 'SSL_MAX_CONTENT_LEN=16384'
printf " Executable size... "
make clean
CFLAGS=$CFLAGS_EXEC make OFLAGS=-Os lib >/dev/null 2>&1
cd programs
CFLAGS=$CFLAGS_EXEC make OFLAGS=-Os ssl/$CLIENT >/dev/null
strip ssl/$CLIENT
stat -c '%s' ssl/$CLIENT
cd ..
printf " Peak ram usage... "
make clean
CFLAGS=$CFLAGS_MEM make OFLAGS=-Os lib >/dev/null 2>&1
cd programs
CFLAGS=$CFLAGS_MEM make OFLAGS=-Os ssl/$CLIENT >/dev/null
cd ..
./ssl_server2 $SERVER_ARGS >/dev/null &
SRV_PID=$!
sleep 1;
if valgrind --tool=massif --stacks=yes programs/ssl/$CLIENT >/dev/null 2>&1
then
FAILED=0
else
echo "client failed" >&2
FAILED=1
fi
kill $SRV_PID
wait $SRV_PID
scripts/massif_max.pl massif.out.*
mv massif.out.* massif-$NAME.$$
}
# preparation
CONFIG_BAK=${CONFIG_H}.bak
cp $CONFIG_H $CONFIG_BAK
rm -f massif.out.*
printf "building server... "
make clean
make lib >/dev/null 2>&1
(cd programs && make ssl/ssl_server2) >/dev/null
cp programs/ssl/ssl_server2 .
echo "done"
# actual measurements
do_config "ccm-psk-tls1_2" \
"" \
"psk=000102030405060708090A0B0C0D0E0F"
do_config "suite-b" \
"MBEDTLS_BASE64_C MBEDTLS_PEM_PARSE_C MBEDTLS_CERTS_C" \
""
# cleanup
mv $CONFIG_BAK $CONFIG_H
make clean
rm ssl_server2
exit $FAILED