lib/mbedtls
1
0
Fork 0
mirror of https://github.com/Mbed-TLS/mbedtls.git synced 2025-07-30 22:43:08 +03:00
Code Activity

Merge branch 'development' into 'development-restricted'

Browse Source 
Signed-off-by: Minos Galanakis <minos.galanakis@arm.com>
This commit is contained in:
Minos Galanakis
2024-03-19 22:24:00 +00:00
parent 4fc5b71cbb b2b9068264
commit b70f0fd9a9
87 changed files with 5816 additions and 2224 deletions
Download Patch File Download Diff File Expand all files Collapse all files

132
tests/scripts/all.sh
View File

@ -1296,19 +1296,68 @@ component_build_psa_crypto_spm () {
check_renamed_symbols tests/include/spe/crypto_spe.h library/libmbedcrypto.a
}
component_test_psa_crypto_client () {
msg "build: default config - PSA_CRYPTO_C + PSA_CRYPTO_CLIENT, make"
# Get a list of library-wise undefined symbols and ensure that they only
# belong to psa_xxx() functions and not to mbedtls_yyy() ones.
# This function is a common helper used by both:
# - component_test_default_psa_crypto_client_without_crypto_provider
# - component_build_full_psa_crypto_client_without_crypto_provider.
common_check_mbedtls_missing_symbols() {
nm library/libmbedcrypto.a | grep ' [TRrDC] ' | grep -Eo '(mbedtls_|psa_).*' | sort -u > sym_def.txt
nm library/libmbedcrypto.a | grep ' U ' | grep -Eo '(mbedtls_|psa_).*' | sort -u > sym_undef.txt
comm sym_def.txt sym_undef.txt -13 > linking_errors.txt
not grep mbedtls_ linking_errors.txt
rm sym_def.txt sym_undef.txt linking_errors.txt
}
component_test_default_psa_crypto_client_without_crypto_provider () {
msg "build: default config - PSA_CRYPTO_C + PSA_CRYPTO_CLIENT"
scripts/config.py unset MBEDTLS_PSA_CRYPTO_C
scripts/config.py unset MBEDTLS_PSA_CRYPTO_STORAGE_C
scripts/config.py unset MBEDTLS_PSA_ITS_FILE_C
scripts/config.py unset MBEDTLS_SSL_PROTO_TLS1_3
scripts/config.py set MBEDTLS_PSA_CRYPTO_CLIENT
scripts/config.py unset MBEDTLS_LMS_C
scripts/config.py unset MBEDTLS_LMS_PRIVATE
make
msg "test: default config - PSA_CRYPTO_C + PSA_CRYPTO_CLIENT, make"
msg "check missing symbols: default config - PSA_CRYPTO_C + PSA_CRYPTO_CLIENT"
common_check_mbedtls_missing_symbols
msg "test: default config - PSA_CRYPTO_C + PSA_CRYPTO_CLIENT"
make test
}
component_build_full_psa_crypto_client_without_crypto_provider () {
msg "build: full config - PSA_CRYPTO_C"
# Use full config which includes USE_PSA and CRYPTO_CLIENT.
scripts/config.py full
scripts/config.py unset MBEDTLS_PSA_CRYPTO_C
scripts/config.py unset MBEDTLS_PSA_CRYPTO_STORAGE_C
# Dynamic secure element support is a deprecated feature and it is not
# available when CRYPTO_C and PSA_CRYPTO_STORAGE_C are disabled.
scripts/config.py unset MBEDTLS_PSA_CRYPTO_SE_C
# Since there is no crypto provider in this build it is not possible to
# build all the test executables and progrems due to missing PSA functions
# at link time. Therefore we will just build libraries and we'll check
# that symbols of interest are there.
make lib
msg "check missing symbols: full config - PSA_CRYPTO_C"
common_check_mbedtls_missing_symbols
# Ensure that desired functions are included into the build (extend the
# following list as required).
grep mbedtls_pk_get_psa_attributes library/libmbedcrypto.a
grep mbedtls_pk_import_into_psa library/libmbedcrypto.a
grep mbedtls_pk_copy_from_psa library/libmbedcrypto.a
}
component_test_psa_crypto_rsa_no_genprime() {
msg "build: default config minus MBEDTLS_GENPRIME"
scripts/config.py unset MBEDTLS_GENPRIME
@ -1565,6 +1614,23 @@ component_test_sw_inet_pton () {
make test
}
component_full_no_pkparse_pkwrite() {
msg "build: full without pkparse and pkwrite"
scripts/config.py crypto_full
scripts/config.py unset MBEDTLS_PK_PARSE_C
scripts/config.py unset MBEDTLS_PK_WRITE_C
make CFLAGS="$ASAN_CFLAGS" LDFLAGS="$ASAN_CFLAGS"
# Ensure that PK_[PARSE|WRITE]_C were not re-enabled accidentally (additive config).
not grep mbedtls_pk_parse_key library/pkparse.o
not grep mbedtls_pk_write_key_der library/pkwrite.o
msg "test: full without pkparse and pkwrite"
make test
}
component_test_crypto_full_md_light_only () {
msg "build: crypto_full with only the light subset of MD"
scripts/config.py crypto_full
@ -1789,6 +1855,8 @@ component_test_tls1_2_default_stream_cipher_only () {
scripts/config.py unset MBEDTLS_GCM_C
scripts/config.py unset MBEDTLS_CCM_C
scripts/config.py unset MBEDTLS_CHACHAPOLY_C
#Disable TLS 1.3 (as no AEAD)
scripts/config.py unset MBEDTLS_SSL_PROTO_TLS1_3
# Disable CBC-legacy (controlled by MBEDTLS_CIPHER_MODE_CBC plus at least one block cipher (AES, ARIA, Camellia, DES))
scripts/config.py unset MBEDTLS_CIPHER_MODE_CBC
# Disable CBC-EtM (controlled by the same as CBC-legacy plus MBEDTLS_SSL_ENCRYPT_THEN_MAC)
@ -1815,6 +1883,8 @@ component_test_tls1_2_default_stream_cipher_only_use_psa () {
scripts/config.py unset MBEDTLS_GCM_C
scripts/config.py unset MBEDTLS_CCM_C
scripts/config.py unset MBEDTLS_CHACHAPOLY_C
#Disable TLS 1.3 (as no AEAD)
scripts/config.py unset MBEDTLS_SSL_PROTO_TLS1_3
# Disable CBC-legacy (controlled by MBEDTLS_CIPHER_MODE_CBC plus at least one block cipher (AES, ARIA, Camellia, DES))
scripts/config.py unset MBEDTLS_CIPHER_MODE_CBC
# Disable CBC-EtM (controlled by the same as CBC-legacy plus MBEDTLS_SSL_ENCRYPT_THEN_MAC)
@ -1840,6 +1910,8 @@ component_test_tls1_2_default_cbc_legacy_cipher_only () {
scripts/config.py unset MBEDTLS_GCM_C
scripts/config.py unset MBEDTLS_CCM_C
scripts/config.py unset MBEDTLS_CHACHAPOLY_C
#Disable TLS 1.3 (as no AEAD)
scripts/config.py unset MBEDTLS_SSL_PROTO_TLS1_3
# Enable CBC-legacy (controlled by MBEDTLS_CIPHER_MODE_CBC plus at least one block cipher (AES, ARIA, Camellia, DES))
scripts/config.py set MBEDTLS_CIPHER_MODE_CBC
# Disable CBC-EtM (controlled by the same as CBC-legacy plus MBEDTLS_SSL_ENCRYPT_THEN_MAC)
@ -1867,6 +1939,8 @@ component_test_tls1_2_deafult_cbc_legacy_cipher_only_use_psa () {
scripts/config.py unset MBEDTLS_GCM_C
scripts/config.py unset MBEDTLS_CCM_C
scripts/config.py unset MBEDTLS_CHACHAPOLY_C
#Disable TLS 1.3 (as no AEAD)
scripts/config.py unset MBEDTLS_SSL_PROTO_TLS1_3
# Enable CBC-legacy (controlled by MBEDTLS_CIPHER_MODE_CBC plus at least one block cipher (AES, ARIA, Camellia, DES))
scripts/config.py set MBEDTLS_CIPHER_MODE_CBC
# Disable CBC-EtM (controlled by the same as CBC-legacy plus MBEDTLS_SSL_ENCRYPT_THEN_MAC)
@ -1893,6 +1967,8 @@ component_test_tls1_2_default_cbc_legacy_cbc_etm_cipher_only () {
scripts/config.py unset MBEDTLS_GCM_C
scripts/config.py unset MBEDTLS_CCM_C
scripts/config.py unset MBEDTLS_CHACHAPOLY_C
#Disable TLS 1.3 (as no AEAD)
scripts/config.py unset MBEDTLS_SSL_PROTO_TLS1_3
# Enable CBC-legacy (controlled by MBEDTLS_CIPHER_MODE_CBC plus at least one block cipher (AES, ARIA, Camellia, DES))
scripts/config.py set MBEDTLS_CIPHER_MODE_CBC
# Enable CBC-EtM (controlled by the same as CBC-legacy plus MBEDTLS_SSL_ENCRYPT_THEN_MAC)
@ -1920,6 +1996,8 @@ component_test_tls1_2_default_cbc_legacy_cbc_etm_cipher_only_use_psa () {
scripts/config.py unset MBEDTLS_GCM_C
scripts/config.py unset MBEDTLS_CCM_C
scripts/config.py unset MBEDTLS_CHACHAPOLY_C
#Disable TLS 1.3 (as no AEAD)
scripts/config.py unset MBEDTLS_SSL_PROTO_TLS1_3
# Enable CBC-legacy (controlled by MBEDTLS_CIPHER_MODE_CBC plus at least one block cipher (AES, ARIA, Camellia, DES))
scripts/config.py set MBEDTLS_CIPHER_MODE_CBC
# Enable CBC-EtM (controlled by the same as CBC-legacy plus MBEDTLS_SSL_ENCRYPT_THEN_MAC)
@ -2214,6 +2292,9 @@ component_test_tsan () {
# Self-tests do not currently use multiple threads.
scripts/config.py unset MBEDTLS_SELF_TEST
# The deprecated MBEDTLS_PSA_CRYPTO_SE_C interface is not thread safe.
scripts/config.py unset MBEDTLS_PSA_CRYPTO_SE_C
CC=clang cmake -D CMAKE_BUILD_TYPE:String=TSan .
make
@ -2552,7 +2633,6 @@ component_test_psa_crypto_config_accel_ecdsa () {
# Start from default config (no USE_PSA) + TLS 1.3
helper_libtestdriver1_adjust_config "default"
scripts/config.py set MBEDTLS_SSL_PROTO_TLS1_3
# Disable the module that's accelerated
scripts/config.py unset MBEDTLS_ECDSA_C
@ -2593,7 +2673,7 @@ component_test_psa_crypto_config_accel_ecdh () {
# Configure
# ---------
# Start from default config (no TLS 1.3, no USE_PSA)
# Start from default config (no USE_PSA)
helper_libtestdriver1_adjust_config "default"
# Disable the module that's accelerated
@ -3586,7 +3666,7 @@ component_test_psa_crypto_config_accel_hash () {
# Configure
# ---------
# Start from default config (no TLS 1.3, no USE_PSA)
# Start from default config (no USE_PSA)
helper_libtestdriver1_adjust_config "default"
# Disable the things that are being accelerated
@ -3630,7 +3710,7 @@ component_test_psa_crypto_config_accel_hash_keep_builtins () {
ALG_SHA_224 ALG_SHA_256 ALG_SHA_384 ALG_SHA_512 \
ALG_SHA3_224 ALG_SHA3_256 ALG_SHA3_384 ALG_SHA3_512"
# Start from default config (no TLS 1.3, no USE_PSA)
# Start from default config (no USE_PSA)
helper_libtestdriver1_adjust_config "default"
helper_libtestdriver1_make_drivers "$loc_accel_list"
@ -4125,7 +4205,6 @@ component_build_psa_accel_alg_hkdf() {
msg "build: full - MBEDTLS_USE_PSA_CRYPTO + PSA_WANT_ALG_HKDF without MBEDTLS_HKDF_C"
scripts/config.py full
scripts/config.py unset MBEDTLS_USE_PSA_CRYPTO
scripts/config.py unset MBEDTLS_SSL_PROTO_TLS1_3
scripts/config.py unset MBEDTLS_HKDF_C
# Make sure to unset TLS1_3 since it requires HKDF_C and will not build properly without it.
scripts/config.py unset MBEDTLS_SSL_PROTO_TLS1_3
@ -4588,6 +4667,7 @@ component_test_no_max_fragment_length () {
component_test_asan_remove_peer_certificate () {
msg "build: default config with MBEDTLS_SSL_KEEP_PEER_CERTIFICATE disabled (ASan build)"
scripts/config.py unset MBEDTLS_SSL_KEEP_PEER_CERTIFICATE
scripts/config.py unset MBEDTLS_SSL_PROTO_TLS1_3
CC=$ASAN_CC cmake -D CMAKE_BUILD_TYPE:String=Asan .
make
@ -5803,8 +5883,24 @@ support_build_armcc () {
(check_tools "$armc5_cc" "$armc6_cc" > /dev/null 2>&1)
}
component_test_tls12_only () {
msg "build: default config without MBEDTLS_SSL_PROTO_TLS1_3, cmake, gcc, ASan"
scripts/config.py unset MBEDTLS_SSL_PROTO_TLS1_3
CC=gcc cmake -D CMAKE_BUILD_TYPE:String=Asan .
make
msg "test: main suites (inc. selftests) (ASan build)"
make test
msg "test: ssl-opt.sh (ASan build)"
tests/ssl-opt.sh
msg "test: compat.sh (ASan build)"
tests/compat.sh
}
component_test_tls13_only () {
msg "build: default config with MBEDTLS_SSL_PROTO_TLS1_3, without MBEDTLS_SSL_PROTO_TLS1_2"
msg "build: default config without MBEDTLS_SSL_PROTO_TLS1_2"
scripts/config.py set MBEDTLS_SSL_EARLY_DATA
scripts/config.py set MBEDTLS_SSL_RECORD_SIZE_LIMIT
make CFLAGS="'-DMBEDTLS_USER_CONFIG_FILE=\"../tests/configs/tls13-only.h\"'"
@ -5941,29 +6037,25 @@ component_test_tls13_only_ephemeral_all () {
tests/ssl-opt.sh
}
component_test_tls13 () {
msg "build: default config with MBEDTLS_SSL_PROTO_TLS1_3 enabled, without padding"
scripts/config.py set MBEDTLS_SSL_PROTO_TLS1_3
scripts/config.py set MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE
component_test_tls13_no_padding () {
msg "build: default config plus early data minus padding"
scripts/config.py set MBEDTLS_SSL_CID_TLS1_3_PADDING_GRANULARITY 1
scripts/config.py set MBEDTLS_SSL_EARLY_DATA
CC=$ASAN_CC cmake -D CMAKE_BUILD_TYPE:String=Asan .
make
msg "test: default config with MBEDTLS_SSL_PROTO_TLS1_3 enabled, without padding"
msg "test: default config plus early data minus padding"
make test
msg "ssl-opt.sh (TLS 1.3)"
msg "ssl-opt.sh (TLS 1.3 no padding)"
tests/ssl-opt.sh
}
component_test_tls13_no_compatibility_mode () {
msg "build: default config with MBEDTLS_SSL_PROTO_TLS1_3 enabled, without padding"
scripts/config.py set MBEDTLS_SSL_PROTO_TLS1_3
msg "build: default config plus early data minus middlebox compatibility mode"
scripts/config.py unset MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE
scripts/config.py set MBEDTLS_SSL_CID_TLS1_3_PADDING_GRANULARITY 1
scripts/config.py set MBEDTLS_SSL_EARLY_DATA
CC=$ASAN_CC cmake -D CMAKE_BUILD_TYPE:String=Asan .
make
msg "test: default config with MBEDTLS_SSL_PROTO_TLS1_3 enabled, without padding"
msg "test: default config plus early data minus middlebox compatibility mode"
make test
msg "ssl-opt.sh (TLS 1.3 no compatibility mode)"
tests/ssl-opt.sh

2
tests/scripts/check-generated-files.sh
View File

@ -142,7 +142,7 @@ if in_mbedtls_repo; then
# generate_visualc_files enumerates source files (library/*.c). It doesn't
# care about their content, but the files must exist. So it must run after
# the step that creates or updates these files.
check scripts/generate_visualc_files.pl visualc/VS2013
check scripts/generate_visualc_files.pl visualc/VS2017
fi
# Generated files that are present in the repository even in the development

17
tests/scripts/check_files.py
View File

@ -323,6 +323,7 @@ class TabIssueTracker(LineIssueTracker):
".make",
".pem", # some openssl dumps have tabs
".sln",
"/.gitmodules",
"/Makefile",
"/Makefile.inc",
"/generate_visualc_files.pl",
@ -469,6 +470,7 @@ class IntegrityChecker:
]
def setup_logger(self, log_file, level=logging.INFO):
"""Log to log_file if provided, or to stderr if None."""
self.logger = logging.getLogger()
self.logger.setLevel(level)
if log_file:
@ -480,9 +482,19 @@ class IntegrityChecker:
@staticmethod
def collect_files():
"""Return the list of files to check.
These are the regular files commited into Git.
"""
bytes_output = subprocess.check_output(['git', 'ls-files', '-z'])
bytes_filepaths = bytes_output.split(b'\0')[:-1]
ascii_filepaths = map(lambda fp: fp.decode('ascii'), bytes_filepaths)
# Filter out directories. Normally Git doesn't list directories
# (it only knows about the files inside them), but there is
# at least one case where 'git ls-files' includes a directory:
# submodules. Just skip submodules (and any other directories).
ascii_filepaths = [fp for fp in ascii_filepaths
if os.path.isfile(fp)]
# Prepend './' to files in the top-level directory so that
# something like `'/Makefile' in fp` matches in the top-level
# directory as well as in subdirectories.
@ -490,12 +502,17 @@ class IntegrityChecker:
for fp in ascii_filepaths]
def check_files(self):
"""Check all files for all issues."""
for issue_to_check in self.issues_to_check:
for filepath in self.collect_files():
if issue_to_check.should_check_file(filepath):
issue_to_check.check_file_for_issue(filepath)
def output_issues(self):
"""Log the issues found and their locations.
Return 1 if there were issues, 0 otherwise.
"""
integrity_return_code = 0
for issue_to_check in self.issues_to_check:
if issue_to_check.files_with_issues:

43
tests/scripts/check_test_cases.py
View File

@ -16,6 +16,23 @@ import re
import subprocess
import sys
class ScriptOutputError(ValueError):
"""A kind of ValueError that indicates we found
the script doesn't list test cases in an expected
pattern.
"""
@property
def script_name(self):
return super().args[0]
@property
def idx(self):
return super().args[1]
@property
def line(self):
return super().args[2]
class Results:
"""Store file and line information about errors or warnings in test suites."""
@ -86,19 +103,27 @@ state may override this method.
data_file_name, line_number, line)
in_paragraph = True
def collect_from_script(self, file_name):
def collect_from_script(self, script_name):
"""Collect the test cases in a script by calling its listing test cases
option"""
descriptions = self.new_per_file_state() # pylint: disable=assignment-from-none
listed = subprocess.check_output(['sh', file_name, '--list-test-cases'])
listed = subprocess.check_output(['sh', script_name, '--list-test-cases'])
# Assume test file is responsible for printing identical format of
# test case description between --list-test-cases and its OUTCOME.CSV
#
# idx indicates the number of test case since there is no line number
# in the script for each test case.
for idx, description in enumerate(listed.splitlines()):
for idx, line in enumerate(listed.splitlines()):
# We are expecting the script to list the test cases in
# `<suite_name>;<description>` pattern.
script_outputs = line.split(b';', 1)
if len(script_outputs) == 2:
suite_name, description = script_outputs
else:
raise ScriptOutputError(script_name, idx, line.decode("utf-8"))
self.process_test_case(descriptions,
file_name,
suite_name.decode('utf-8'),
idx,
description.rstrip())
@ -124,8 +149,7 @@ option"""
for sh_file in ['ssl-opt.sh', 'compat.sh']:
sh_file = os.path.join(directory, sh_file)
if os.path.exists(sh_file):
self.collect_from_script(sh_file)
self.collect_from_script(sh_file)
class TestDescriptions(TestDescriptionExplorer):
"""Collect the available test cases."""
@ -202,7 +226,12 @@ def main():
return
results = Results(options)
checker = DescriptionChecker(results)
checker.walk_all()
try:
checker.walk_all()
except ScriptOutputError as e:
results.error(e.script_name, e.idx,
'"{}" should be listed as "<suite_name>;<description>"',
e.line)
if (results.warnings or results.errors) and not options.quiet:
sys.stderr.write('{}: {} errors, {} warnings\n'
.format(sys.argv[0], results.errors, results.warnings))

6
tests/scripts/quiet/cmake
View File

@ -12,8 +12,8 @@
# export VERBOSE_LOGS=1
# don't silence invocations containing these arguments
export NO_SILENCE=" --version "
NO_SILENCE=" --version "
export TOOL="cmake"
TOOL="cmake"
exec "$(dirname "$0")/quiet.sh" "$@"
. "$(dirname "$0")/quiet.sh"

6
tests/scripts/quiet/make
View File

@ -12,8 +12,8 @@
# export VERBOSE_LOGS=1
# don't silence invocations containing these arguments
export NO_SILENCE=" --version | test "
NO_SILENCE=" --version | test "
export TOOL="make"
TOOL="make"
exec "$(dirname "$0")/quiet.sh" "$@"
. "$(dirname "$0")/quiet.sh"

10
tests/scripts/quiet/quiet.sh Executable file → Normal file
View File

@ -22,9 +22,13 @@
# be silenced, e.g. " --version | test ". In this example, "make lib test" will
# not be silent, but "make lib" will be.
# Locate original tool
TOOL_WITH_PATH=$(dirname "$0")/$TOOL
ORIGINAL_TOOL=$(type -ap "${TOOL}" | grep -v -Fx "$TOOL_WITH_PATH" | head -n1)
# Identify path to original tool. There is an edge-case here where the quiet wrapper is on the path via
# a symlink or relative path, but "type -ap" yields the wrapper with it's normalised path. We use
# the -ef operator to compare paths, to avoid picking the wrapper in this case (to avoid infinitely
# recursing).
while IFS= read -r ORIGINAL_TOOL; do
if ! [[ $ORIGINAL_TOOL -ef "$0" ]]; then break; fi
done < <(type -ap -- "$TOOL")
print_quoted_args() {
# similar to printf '%q' "$@"