Merge branch 'development-restricted' into iotssl-1306-rsa-is-vulnerable-to-bellcore-glitch-attack

scripts/config.pl

@@ -46,7 +46,7 @@ my $config_file = "include/mbedtls/config.h";
 my $usage = <<EOU;
 $0 [-f <file> | --file <file>] [-o | --force]
                    [set <symbol> <value> | unset <symbol> | get <symbol> |
-                        full | realfull]
+                        full | realfull | baremetal]
 
 Commands
     set <symbol> [<value>]  - Uncomments or adds a #define for the <symbol> to
@@ -57,13 +57,14 @@ Commands
     unset <symbol>          - Comments out the #define for the given symbol if
                               present in the configuration file.
     get <symbol>            - Finds the #define for the given symbol, returning
-                              an exitcode of 0 if the symbol is found, and -1 if
+                              an exitcode of 0 if the symbol is found, and 1 if
                               not. The value of the symbol is output if one is
                               specified in the configuration file.
     full                    - Uncomments all #define's in the configuration file
                               excluding some reserved symbols, until the
                               'Module configuration options' section
     realfull                - Uncomments all #define's with no exclusions
+    baremetal               - Sets full configuration suitable for baremetal build.
 
 Options
     -f | --file <filename>  - The file or file path for the configuration file
@@ -93,14 +94,38 @@ MBEDTLS_X509_ALLOW_EXTENSIONS_NON_V3
 MBEDTLS_X509_ALLOW_UNSUPPORTED_CRITICAL_EXTENSION
 MBEDTLS_ZLIB_SUPPORT
 MBEDTLS_PKCS11_C
+MBEDTLS_NO_UDBL_DIVISION
 _ALT\s*$
 );
 
+# Things that should be disabled in "baremetal"
+my @excluded_baremetal = qw(
+MBEDTLS_NET_C
+MBEDTLS_TIMING_C
+MBEDTLS_FS_IO
+MBEDTLS_ENTROPY_NV_SEED
+MBEDTLS_HAVE_TIME
+MBEDTLS_HAVE_TIME_DATE
+MBEDTLS_DEPRECATED_WARNING
+MBEDTLS_HAVEGE_C
+MBEDTLS_THREADING_C
+MBEDTLS_THREADING_PTHREAD
+MBEDTLS_MEMORY_BACKTRACE
+MBEDTLS_MEMORY_BUFFER_ALLOC_C
+MBEDTLS_PLATFORM_TIME_ALT
+MBEDTLS_PLATFORM_FPRINTF_ALT
+);
+
 # Things that should be enabled in "full" even if they match @excluded
 my @non_excluded = qw(
 PLATFORM_[A-Z0-9]+_ALT
 );
 
+# Things that should be enabled in "baremetal"
+my @non_excluded_baremetal = qw(
+MBEDTLS_NO_PLATFORM_ENTROPY
+);
+
 # Process the command line arguments
 
 my $force_option = 0;
@@ -125,7 +150,7 @@ while ($arg = shift) {
         # ...else assume it's a command
         $action = $arg;
 
-        if ($action eq "full" || $action eq "realfull") {
+        if ($action eq "full" || $action eq "realfull" || $action eq "baremetal" ) {
             # No additional parameters
             die $usage if @ARGV;
 
@@ -168,7 +193,12 @@ open my $config_read, '<', $config_file or die "read $config_file: $!\n";
 my @config_lines = <$config_read>;
 close $config_read;
 
-my ($exclude_re, $no_exclude_re);
+# Add required baremetal symbols to the list that is included.
+if ( $action eq "baremetal" ) {
+    @non_excluded = ( @non_excluded, @non_excluded_baremetal );
+}
+
+my ($exclude_re, $no_exclude_re, $exclude_baremetal_re);
 if ($action eq "realfull") {
     $exclude_re = qr/^$/;
     $no_exclude_re = qr/./;
@@ -176,22 +206,30 @@ if ($action eq "realfull") {
     $exclude_re = join '|', @excluded;
     $no_exclude_re = join '|', @non_excluded;
 }
+if ( $action eq "baremetal" ) {
+    $exclude_baremetal_re = join '|', @excluded_baremetal;
+}
 
-open my $config_write, '>', $config_file or die "write $config_file: $!\n";
+my $config_write = undef;
+if ($action ne "get") {
+    open $config_write, '>', $config_file or die "write $config_file: $!\n";
+}
 
 my $done;
 for my $line (@config_lines) {
-    if ($action eq "full" || $action eq "realfull") {
+    if ($action eq "full" || $action eq "realfull" || $action eq "baremetal" ) {
         if ($line =~ /name SECTION: Module configuration options/) {
             $done = 1;
         }
 
         if (!$done && $line =~ m!^//\s?#define! &&
-                ( $line !~ /$exclude_re/ || $line =~ /$no_exclude_re/ ) ) {
+                ( $line !~ /$exclude_re/ || $line =~ /$no_exclude_re/ ) &&
+                ( $action ne "baremetal" || ( $line !~ /$exclude_baremetal_re/ ) ) ) {
             $line =~ s!^//\s?!!;
         }
         if (!$done && $line =~ m!^\s?#define! &&
-                ! ( $line !~ /$exclude_re/ || $line =~ /$no_exclude_re/ ) ) {
+                ! ( ( $line !~ /$exclude_re/ || $line =~ /$no_exclude_re/ ) &&
+                    ( $action ne "baremetal" || ( $line !~ /$exclude_baremetal_re/ ) ) ) ) {
             $line =~ s!^!//!;
         }
     } elsif ($action eq "unset") {
@@ -207,17 +245,19 @@ for my $line (@config_lines) {
             $done = 1;
         }
     } elsif (!$done && $action eq "get") {
-        if ($line =~ /^\s*#define\s*$name\s*(.*)\s*\b/) {
+        if ($line =~ /^\s*#define\s*$name(?:\s+(.*?))\s*(?:$|\/\*|\/\/)/) {
             $value = $1;
             $done = 1;
         }
     }
 
-    print $config_write $line;
+    if (defined $config_write) {
+        print $config_write $line or die "write $config_file: $!\n";
+    }
 }
 
 # Did the set command work?
-if ($action eq "set"&& $force_option && !$done) {
+if ($action eq "set" && $force_option && !$done) {
 
     # If the force option was set, append the symbol to the end of the file
     my $line = "#define $name";
@@ -225,20 +265,22 @@ if ($action eq "set"&& $force_option && !$done) {
     $line .= "\n";
     $done = 1;
 
-    print $config_write $line;
+    print $config_write $line or die "write $config_file: $!\n";
 }
 
-close $config_write;
+if (defined $config_write) {
+    close $config_write or die "close $config_file: $!\n";
+}
 
 if ($action eq "get") {
-    if($done) {
+    if ($done) {
         if ($value ne '') {
-            print $value;
+            print "$value\n";
         }
         exit 0;
     } else {
         # If the symbol was not found, return an error
-        exit -1;
+        exit 1;
     }
 }