Merge remote-tracking branch 'origin/pr/2332' into mbedtls-2.16

This commit is contained in:
Jaeden Amero 2019-01-30 15:52:26 +00:00
commit 462dfc5068
4 changed files with 253 additions and 241 deletions

View file

@ -98,6 +98,12 @@ if(CMAKE_COMPILER_IS_CLANG)
set(CMAKE_C_FLAGS "${CMAKE_C_FLAGS} -Wmissing-declarations -Wmissing-prototypes -Wdocumentation -Wno-documentation-deprecated-sync -Wunreachable-code")
endif(CMAKE_COMPILER_IS_CLANG)
if(UNSAFE_BUILD)
set(CMAKE_C_FLAGS "${CMAKE_C_FLAGS} -Wno-error")
set(CMAKE_C_FLAGS_ASAN "${CMAKE_C_FLAGS_ASAN} -Wno-error")
set(CMAKE_C_FLAGS_ASANDBG "${CMAKE_C_FLAGS_ASANDBG} -Wno-error")
endif(UNSAFE_BUILD)
if(WIN32)
set(libs ${libs} ws2_32)
endif(WIN32)

View file

@ -59,27 +59,42 @@
# following naming conventions:
# * pre_XXX: things to do before running the tests, in order.
# * component_XXX: independent components. They can be run in any order.
# * component_check_XXX: quick tests that aren't worth parallelizing
# * component_build_XXX: build things but don't run them
# * component_test_XXX: build and test
# * component_check_XXX: quick tests that aren't worth parallelizing.
# * component_build_XXX: build things but don't run them.
# * component_test_XXX: build and test.
# * support_XXX: if support_XXX exists and returns false then
# component_XXX is not run by default.
# * post_XXX: things to do after running the tests.
# * other: miscellaneous support functions.
#
# Each component must start by invoking `msg` with a short informative message.
#
# The framework performs some cleanup tasks after each component. This
# means that components can assume that the working directory is in a
# cleaned-up state, and don't need to perform the cleanup themselves.
# * Run `make clean`.
# * Restore `include/mbedtks/config.h` from a backup made before running
# the component.
# * Check out `Makefile`, `library/Makefile`, `programs/Makefile` and
# `tests/Makefile` from git. This cleans up after an in-tree use of
# CMake.
#
# Any command that is expected to fail must be protected so that the
# script keeps running in --keep-going mode despite `set -e`. In keep-going
# mode, if a protected command fails, this is logged as a failure and the
# script will exit with a failure status once it has run all components.
# Commands can be protected in any of the following ways:
# * `make` is a function which runs the `make` command with protection.
# Note that you must write `make VAR=value`, not `VAR=value make`,
# because the `VAR=value make` syntax doesn't work with functions.
# * Put `report_status` before the command to protect it.
# * Put `if_build_successful` before a command. This protects it, and
# additionally skips it if a prior invocation of `make` in the same
# component failed.
#
# The tests are roughly in order from fastest to slowest. This doesn't
# have to be exact, but in general you should add slower tests towards
# the end and fast checks near the beginning.
#
# Sanity checks have the following form:
# 1. msg "short description of what is about to be done"
# 2. run sanity check (failure stops the script)
#
# Build or build-and-test steps have the following form:
# 1. msg "short description of what is about to be done"
# 2. cleanup
# 3. preparation (config.pl, cmake, ...) (failure stops the script)
# 4. make
# 5. Run tests if relevant. All tests must be prefixed with
# if_build_successful for the sake of --keep-going.
@ -91,10 +106,7 @@
set -eu
pre_check_environment () {
if [ "$( uname )" != "Linux" ]; then
echo "This script only works in Linux" >&2
exit 1
elif [ -d library -a -d include -a -d tests ]; then :; else
if [ -d library -a -d include -a -d tests ]; then :; else
echo "Must be run from mbed TLS root" >&2
exit 1
fi
@ -104,13 +116,9 @@ pre_initialize_variables () {
CONFIG_H='include/mbedtls/config.h'
CONFIG_BAK="$CONFIG_H.bak"
COMPONENTS=
ALL_EXCEPT=0
MEMORY=0
FORCE=0
INTROSPECTION_MODE=
KEEP_GOING=0
RUN_ARMCC=1
# Default commands, can be overriden by the environment
: ${OPENSSL:="openssl"}
@ -125,17 +133,32 @@ pre_initialize_variables () {
: ${ARMC6_BIN_DIR:=/usr/bin}
# if MAKEFLAGS is not set add the -j option to speed up invocations of make
if [ -n "${MAKEFLAGS+set}" ]; then
if [ -z "${MAKEFLAGS+set}" ]; then
export MAKEFLAGS="-j"
fi
# Gather the list of available components. These are the functions
# defined in this script whose name starts with "component_".
# Parse the script with sed, because in sh there is no way to list
# defined functions.
ALL_COMPONENTS=$(sed -n 's/^ *component_\([0-9A-Z_a-z]*\) *().*/\1/p' <"$0")
# Exclude components that are not supported on this platform.
SUPPORTED_COMPONENTS=
for component in $ALL_COMPONENTS; do
case $(type "support_$component" 2>&1) in
*' function'*)
if ! support_$component; then continue; fi;;
esac
SUPPORTED_COMPONENTS="$SUPPORTED_COMPONENTS $component"
done
}
# Test whether $1 is excluded via $COMPONENTS (a space-separated list of
# wildcard patterns).
component_is_excluded()
# Test whether the component $1 is included in the command line patterns.
is_component_included()
{
set -f
for pattern in $COMPONENTS; do
for pattern in $COMMAND_LINE_COMPONENTS; do
set +f
case ${1#component_} in $pattern) return 0;; esac
done
@ -149,21 +172,26 @@ usage()
Usage: $0 [OPTION]... [COMPONENT]...
Run mbedtls release validation tests.
By default, run all tests. With one or more COMPONENT, run only those.
COMPONENT can be the name of a component or a shell wildcard pattern.
Examples:
$0 "check_*"
Run all sanity checks.
$0 --no-armcc --except test_memsan
Run everything except builds that require armcc and MemSan.
Special options:
-h|--help Print this help and exit.
--list-components List available test components and exit.
--list-all-components List all available test components and exit.
--list-components List components supported on this platform and exit.
General options:
-f|--force Force the tests to overwrite any modified files.
-k|--keep-going Run all tests and report errors at the end.
-m|--memory Additional optional memory tests.
--armcc Run ARM Compiler builds (on by default).
--except If some components are passed on the command line,
run all the tests except for these components. In
this mode, you can pass shell wildcard patterns as
component names, e.g. "$0 --except 'test_*'" to
exclude all components that run tests.
--except Exclude the COMPONENTs listed on the command line,
instead of running only those.
--no-armcc Skip ARM Compiler builds.
--no-force Refuse to overwrite modified files (default).
--no-keep-going Stop at the first error (default).
@ -275,12 +303,16 @@ check_headers_in_cpp () {
}
pre_parse_command_line () {
COMMAND_LINE_COMPONENTS=
all_except=0
no_armcc=
while [ $# -gt 0 ]; do
case "$1" in
--armcc) RUN_ARMCC=1;;
--armcc) no_armcc=;;
--armc5-bin-dir) shift; ARMC5_BIN_DIR="$1";;
--armc6-bin-dir) shift; ARMC6_BIN_DIR="$1";;
--except) ALL_EXCEPT=1;;
--except) all_except=1;;
--force|-f) FORCE=1;;
--gnutls-cli) shift; GNUTLS_CLI="$1";;
--gnutls-legacy-cli) shift; GNUTLS_LEGACY_CLI="$1";;
@ -288,9 +320,10 @@ pre_parse_command_line () {
--gnutls-serv) shift; GNUTLS_SERV="$1";;
--help|-h) usage; exit;;
--keep-going|-k) KEEP_GOING=1;;
--list-components) INTROSPECTION_MODE=list_components;;
--list-all-components) printf '%s\n' $ALL_COMPONENTS; exit;;
--list-components) printf '%s\n' $SUPPORTED_COMPONENTS; exit;;
--memory|-m) MEMORY=1;;
--no-armcc) RUN_ARMCC=0;;
--no-armcc) no_armcc=1;;
--no-force) FORCE=0;;
--no-keep-going) KEEP_GOING=0;;
--no-memory) MEMORY=0;;
@ -306,15 +339,37 @@ pre_parse_command_line () {
echo >&2 "Run $0 --help for usage."
exit 120
;;
*)
COMPONENTS="$COMPONENTS $1";;
*) COMMAND_LINE_COMPONENTS="$COMMAND_LINE_COMPONENTS $1";;
esac
shift
done
# With no list of components, run everything.
if [ -z "$COMMAND_LINE_COMPONENTS" ]; then
all_except=1
fi
# --no-armcc is a legacy option. The modern way is --except '*_armcc*'.
# Ignore it if components are listed explicitly on the command line.
if [ -n "$no_armcc" ] && [ $all_except -eq 1 ]; then
COMMAND_LINE_COMPONENTS="$COMMAND_LINE_COMPONENTS *_armcc*"
fi
# Build the list of components to run.
RUN_COMPONENTS=
for component in $SUPPORTED_COMPONENTS; do
if is_component_included "$component"; [ $? -eq $all_except ]; then
RUN_COMPONENTS="$RUN_COMPONENTS $component"
fi
done
unset all_except
unset no_armcc
}
pre_check_git () {
if [ $FORCE -eq 1 ]; then
rm -rf "$OUT_OF_SOURCE_DIR"
git checkout-index -f -q $CONFIG_H
cleanup
else
@ -326,7 +381,7 @@ pre_check_git () {
exit 1
fi
if ! git diff-files --quiet include/mbedtls/config.h; then
if ! git diff --quiet include/mbedtls/config.h; then
err_msg "Warning - the configuration file 'include/mbedtls/config.h' has been edited. "
echo "You can either delete or preserve your work, or force the test by rerunning the"
echo "script as: $0 --force"
@ -419,34 +474,71 @@ pre_print_configuration () {
echo "ARMC6_BIN_DIR: $ARMC6_BIN_DIR"
}
# Make sure the tools we need are available.
pre_check_tools () {
ARMC5_CC="$ARMC5_BIN_DIR/armcc"
ARMC5_AR="$ARMC5_BIN_DIR/armar"
ARMC6_CC="$ARMC6_BIN_DIR/armclang"
ARMC6_AR="$ARMC6_BIN_DIR/armar"
# Build the list of variables to pass to output_env.sh.
set env
# To avoid setting OpenSSL and GnuTLS for each call to compat.sh and ssl-opt.sh
# we just export the variables they require
case " $RUN_COMPONENTS " in
# Require OpenSSL and GnuTLS if running any tests (as opposed to
# only doing builds). Not all tests run OpenSSL and GnuTLS, but this
# is a good enough approximation in practice.
*" test_"*)
# To avoid setting OpenSSL and GnuTLS for each call to compat.sh
# and ssl-opt.sh, we just export the variables they require.
export OPENSSL_CMD="$OPENSSL"
export GNUTLS_CLI="$GNUTLS_CLI"
export GNUTLS_SERV="$GNUTLS_SERV"
# Avoid passing --seed flag in every call to ssl-opt.sh
if [ -n "${SEED-}" ]; then
export SEED
fi
# Make sure the tools we need are available.
set "$@" OPENSSL="$OPENSSL" OPENSSL_LEGACY="$OPENSSL_LEGACY"
set "$@" GNUTLS_CLI="$GNUTLS_CLI" GNUTLS_SERV="$GNUTLS_SERV"
set "$@" GNUTLS_LEGACY_CLI="$GNUTLS_LEGACY_CLI"
set "$@" GNUTLS_LEGACY_SERV="$GNUTLS_LEGACY_SERV"
check_tools "$OPENSSL" "$OPENSSL_LEGACY" "$OPENSSL_NEXT" \
"$GNUTLS_CLI" "$GNUTLS_SERV" \
"$GNUTLS_LEGACY_CLI" "$GNUTLS_LEGACY_SERV" "doxygen" "dot" \
"arm-none-eabi-gcc" "i686-w64-mingw32-gcc" "gdb"
if [ $RUN_ARMCC -ne 0 ]; then
check_tools "$ARMC5_CC" "$ARMC5_AR" "$ARMC6_CC" "$ARMC6_AR"
fi
"$GNUTLS_LEGACY_CLI" "$GNUTLS_LEGACY_SERV"
;;
esac
case " $RUN_COMPONENTS " in
*_doxygen[_\ ]*) check_tools "doxygen" "dot";;
esac
case " $RUN_COMPONENTS " in
*_arm_none_eabi_gcc[_\ ]*) check_tools "arm-none-eabi-gcc";;
esac
case " $RUN_COMPONENTS " in
*_mingw[_\ ]*) check_tools "i686-w64-mingw32-gcc";;
esac
case " $RUN_COMPONENTS " in
*" test_zeroize "*) check_tools "gdb";;
esac
case " $RUN_COMPONENTS " in
*_armcc*)
ARMC5_CC="$ARMC5_BIN_DIR/armcc"
ARMC5_AR="$ARMC5_BIN_DIR/armar"
ARMC6_CC="$ARMC6_BIN_DIR/armclang"
ARMC6_AR="$ARMC6_BIN_DIR/armar"
check_tools "$ARMC5_CC" "$ARMC5_AR" "$ARMC6_CC" "$ARMC6_AR";;
esac
msg "info: output_env.sh"
case $RUN_COMPONENTS in
*_armcc*)
set "$@" ARMC5_CC="$ARMC5_CC" ARMC6_CC="$ARMC6_CC" RUN_ARMCC=1;;
*) set "$@" RUN_ARMCC=0;;
esac
"$@" scripts/output_env.sh
}
################################################################
#### Basic checks
################################################################
@ -462,14 +554,6 @@ pre_check_tools () {
#
# Indicative running times are given for reference.
pre_print_tools () {
msg "info: output_env.sh"
OPENSSL="$OPENSSL" OPENSSL_LEGACY="$OPENSSL_LEGACY" GNUTLS_CLI="$GNUTLS_CLI" \
GNUTLS_SERV="$GNUTLS_SERV" GNUTLS_LEGACY_CLI="$GNUTLS_LEGACY_CLI" \
GNUTLS_LEGACY_SERV="$GNUTLS_LEGACY_SERV" ARMC5_CC="$ARMC5_CC" \
ARMC6_CC="$ARMC6_CC" RUN_ARMCC="$RUN_ARMCC" scripts/output_env.sh
}
component_check_recursion () {
msg "test: recursion.pl" # < 1s
record_status tests/scripts/recursion.pl library/*.c
@ -796,7 +880,7 @@ component_test_null_entropy () {
scripts/config.pl unset MBEDTLS_ENTROPY_NV_SEED
scripts/config.pl unset MBEDTLS_ENTROPY_HARDWARE_ALT
scripts/config.pl unset MBEDTLS_HAVEGE_C
CC=gcc cmake -D UNSAFE_BUILD=ON -D CMAKE_C_FLAGS:String="-fsanitize=address -fno-common -O3" .
CC=gcc cmake -D CMAKE_BUILD_TYPE:String=Asan -D UNSAFE_BUILD=ON .
make
msg "test: MBEDTLS_TEST_NULL_ENTROPY - main suites (inc. selftests) (ASan build)"
@ -857,6 +941,12 @@ component_test_m32_o0 () {
msg "test: i386, make, gcc -O0 (ASan build)"
make test
}
support_test_m32_o0 () {
case $(uname -m) in
*64*) true;;
*) false;;
esac
}
component_test_m32_o1 () {
# Build again with -O1, to compile in the i386 specific inline assembly
@ -867,6 +957,9 @@ component_test_m32_o1 () {
msg "test: i386, make, gcc -O1 (ASan build)"
make test
}
support_test_m32_o1 () {
support_test_m32_o0 "$@"
}
component_test_mx32 () {
msg "build: 64-bit ILP32, make, gcc" # ~ 30s
@ -876,6 +969,12 @@ component_test_mx32 () {
msg "test: 64-bit ILP32, make, gcc"
make test
}
support_test_mx32 () {
case $(uname -m) in
amd64|x86_64) true;;
*) false;;
esac
}
component_test_have_int32 () {
msg "build: gcc, force 32-bit bignum limbs"
@ -997,7 +1096,6 @@ component_build_armcc () {
scripts/config.pl unset MBEDTLS_MEMORY_BUFFER_ALLOC_C # calls exit
scripts/config.pl unset MBEDTLS_PLATFORM_TIME_ALT # depends on MBEDTLS_HAVE_TIME
if [ $RUN_ARMCC -ne 0 ]; then
make CC="$ARMC5_CC" AR="$ARMC5_AR" WARNING_CFLAGS='--strict --c99' lib
make clean
@ -1015,7 +1113,6 @@ component_build_armcc () {
# ARM Compiler 6 - Target ARMv8-A - AArch64
armc6_build_test "--target=aarch64-arm-none-eabi -march=armv8.2-a"
fi
}
component_test_allow_sha1 () {
@ -1061,7 +1158,7 @@ component_test_memsan () {
fi
}
component_test_memcheck () {
component_test_valgrind () {
msg "build: Release (clang)"
CC=clang cmake -D CMAKE_BUILD_TYPE:String=Release .
make
@ -1117,17 +1214,27 @@ component_test_zeroize () {
# system in all cases that the script fails, so we must manually search the
# output to check whether the pass string is present and no failure strings
# were printed.
# Don't try to disable ASLR. We don't care about ASLR here. We do care
# about a spurious message if Gdb tries and fails, so suppress that.
gdb_disable_aslr=
if [ -z "$(gdb -batch -nw -ex 'set disable-randomization off' 2>&1)" ]; then
gdb_disable_aslr='set disable-randomization off'
fi
for optimization_flag in -O2 -O3 -Ofast -Os; do
for compiler in clang gcc; do
msg "test: $compiler $optimization_flag, mbedtls_platform_zeroize()"
make programs CC="$compiler" DEBUG=1 CFLAGS="$optimization_flag"
if_build_succeeded gdb -x tests/scripts/test_zeroize.gdb -nw -batch -nx 2>&1 | tee test_zeroize.log
if_build_succeeded gdb -ex "$gdb_disable_aslr" -x tests/scripts/test_zeroize.gdb -nw -batch -nx 2>&1 | tee test_zeroize.log
if_build_succeeded grep "The buffer was correctly zeroized" test_zeroize.log
if_build_succeeded not grep -i "error" test_zeroize.log
rm -f test_zeroize.log
make clean
done
done
unset gdb_disable_aslr
}
component_check_python_files () {
@ -1157,83 +1264,8 @@ post_report () {
#### Run all the things
################################################################
run_all_components () {
# Small things
run_component component_check_recursion
run_component component_check_generated_files
run_component component_check_doxy_blocks
run_component component_check_files
run_component component_check_names
run_component component_check_doxygen_warnings
# Test many different configurations
run_component component_test_default_cmake_gcc_asan
run_component component_test_ref_configs
run_component component_test_sslv3
run_component component_test_no_renegotiation
run_component component_test_rsa_no_crt
run_component component_test_small_ssl_out_content_len
run_component component_test_small_ssl_in_content_len
run_component component_test_small_ssl_dtls_max_buffering
run_component component_test_small_mbedtls_ssl_dtls_max_buffering
run_component component_test_full_cmake_clang
run_component component_build_deprecated
run_component component_test_depends_curves
run_component component_test_depends_hashes
run_component component_test_depends_pkalgs
run_component component_build_key_exchanges
run_component component_build_default_make_gcc_and_cxx
run_component component_test_check_params_without_platform
run_component component_test_check_params_silent
run_component component_test_no_platform
run_component component_build_no_std_function
run_component component_build_no_ssl_srv
run_component component_build_no_ssl_cli
run_component component_build_no_sockets
run_component component_test_no_max_fragment_length
run_component component_test_no_max_fragment_length_small_ssl_out_content_len
run_component component_test_null_entropy
run_component component_test_platform_calloc_macro
run_component component_test_aes_fewer_tables
run_component component_test_aes_rom_tables
run_component component_test_aes_fewer_tables_and_rom_tables
if uname -a | grep -F Linux >/dev/null; then
run_component component_test_make_shared
fi
if uname -a | grep -F x86_64 >/dev/null; then
run_component component_test_m32_o0
run_component component_test_m32_o1
run_component component_test_mx32
fi
run_component component_test_have_int32
run_component component_test_have_int64
run_component component_test_no_udbl_division
run_component component_test_no_64bit_multiplication
run_component component_build_arm_none_eabi_gcc
run_component component_build_arm_none_eabi_gcc_no_udbl_division
run_component component_build_arm_none_eabi_gcc_no_64bit_multiplication
run_component component_build_armcc
run_component component_test_allow_sha1
run_component component_build_mingw
# MemSan currently only available on Linux 64 bits
if uname -a | grep 'Linux.*x86_64' >/dev/null; then
run_component component_test_memsan
else # no MemSan
run_component component_test_memcheck
fi
run_component component_test_cmake_out_of_source
# More small things
run_component component_test_zeroize
run_component component_check_python_files
run_component component_check_generate_test_code
}
# Run one component and clean up afterwards.
run_component () {
if [ $ALL_EXCEPT -ne 0 ] && component_is_excluded "$1"; then
return
fi
# Back up the configuration in case the component modifies it.
# The cleanup function will restore it.
cp -p "$CONFIG_H" "$CONFIG_BAK"
@ -1247,17 +1279,6 @@ pre_check_environment
pre_initialize_variables
pre_parse_command_line "$@"
case "$INTROSPECTION_MODE" in
list_components)
components=
newline='
'
run_component () {
components="${components}${newline}${1#component_}"
}
;;
*)
pre_check_git
build_status=0
if [ $KEEP_GOING -eq 1 ]; then
@ -1269,25 +1290,12 @@ case "$INTROSPECTION_MODE" in
fi
pre_print_configuration
pre_check_tools
pre_print_tools
cleanup
;;
esac
if [ -n "$COMPONENTS" ] && [ $ALL_EXCEPT -eq 0 ]; then
for component in $COMPONENTS; do
# Run the requested tests.
for component in $RUN_COMPONENTS; do
run_component "component_$component"
done
else
run_all_components
fi
# We're done.
case "$INTROSPECTION_MODE" in
list_components)
echo "$components" | sort
;;
*)
post_report
;;
esac

View file

@ -41,8 +41,6 @@
# number does not need to be updated often.
set confirm off
# We don't need to turn off ASLR, so don't try.
set disable-randomization off
file ./programs/test/zeroize
break zeroize.c:100

View file

@ -167,7 +167,7 @@ requires_config_disabled() {
get_config_value_or_default() {
NAME="$1"
DEF_VAL=$( grep ".*#define.*${NAME}" ../include/mbedtls/config.h |
sed 's/^.*\s\([0-9]*\)$/\1/' )
sed 's/^.* \([0-9]*\)$/\1/' )
../scripts/config.pl get $NAME || echo "$DEF_VAL"
}