From 9fb3f1eaf24add428118993d06ee222306843a24 Mon Sep 17 00:00:00 2001 From: Hanno Becker Date: Fri, 19 Jul 2019 16:55:35 +0100 Subject: [PATCH 01/18] Add all.sh test for hardcoded SSL version --- tests/scripts/all.sh | 19 +++++++++++++++++++ 1 file changed, 19 insertions(+) diff --git a/tests/scripts/all.sh b/tests/scripts/all.sh index a77fe1310..412207fb1 100755 --- a/tests/scripts/all.sh +++ b/tests/scripts/all.sh @@ -792,6 +792,25 @@ component_test_hardcoded_timer_callback_cmake_clang() { if_build_succeeded tests/ssl-opt.sh -f '^Default$\|^Default, DTLS$' } +component_test_hardcoded_version_cmake_clang() { + msg "build: cmake, full config + hardcoded version, clang" # ~ 50s + scripts/config.pl full + scripts/config.pl unset MBEDTLS_MEMORY_BACKTRACE + scripts/config.pl unset MBEDTLS_MEMORY_BUFFER_ALLOC_C + scripts/config.pl set MBEDTLS_SSL_CONF_MIN_MINOR_VER MBEDTLS_SSL_MINOR_VERSION_3 + scripts/config.pl set MBEDTLS_SSL_CONF_MAX_MINOR_VER MBEDTLS_SSL_MINOR_VERSION_3 + scripts/config.pl set MBEDTLS_SSL_CONF_MIN_MAJOR_VER MBEDTLS_SSL_MAJOR_VERSION_3 + scripts/config.pl set MBEDTLS_SSL_CONF_MAX_MAJOR_VER MBEDTLS_SSL_MAJOR_VERSION_3 + CC=clang cmake -D LINK_WITH_PTHREAD=1 -D CMAKE_BUILD_TYPE:String=ASanDbg -D ENABLE_TESTING=On . + make + + msg "test: main suites (full config + hardcoded version)" # ~ 5s + make test + + msg "test: ssl-opt.sh default (full config + hardcoded version)" # ~ 5s + if_build_succeeded tests/ssl-opt.sh -f '^Default$\|^Default, DTLS$' +} + component_build_deprecated () { msg "build: make, full config + DEPRECATED_WARNING, gcc -O" # ~ 30s scripts/config.pl full From 2a0cd5a031acdba55a6178abff210df175eaabc8 Mon Sep 17 00:00:00 2001 From: Hanno Becker Date: Fri, 19 Jul 2019 17:07:20 +0100 Subject: [PATCH 02/18] Add all.sh test for hardcoded IO callbacks --- tests/scripts/all.sh | 18 ++++++++++++++++++ 1 file changed, 18 insertions(+) diff --git a/tests/scripts/all.sh b/tests/scripts/all.sh index 412207fb1..5dbe25cd1 100755 --- a/tests/scripts/all.sh +++ b/tests/scripts/all.sh @@ -811,6 +811,24 @@ component_test_hardcoded_version_cmake_clang() { if_build_succeeded tests/ssl-opt.sh -f '^Default$\|^Default, DTLS$' } +component_test_hardcoded_io_callbacks_cmake_clang() { + msg "build: cmake, full config + hardcoded IO callbacks, clang" # ~ 50s + scripts/config.pl full + scripts/config.pl unset MBEDTLS_MEMORY_BACKTRACE + scripts/config.pl unset MBEDTLS_MEMORY_BUFFER_ALLOC_C + scripts/config.pl set MBEDTLS_SSL_CONF_RECV mbedtls_net_recv + scripts/config.pl set MBEDTLS_SSL_CONF_SEND mbedtls_net_send + scripts/config.pl set MBEDTLS_SSL_CONF_RECV_TIMEOUT mbedtls_net_recv_timeout + CC=clang cmake -D LINK_WITH_PTHREAD=1 -D CMAKE_BUILD_TYPE:String=ASanDbg -D ENABLE_TESTING=On . + make + + msg "test: main suites (full config + hardcoded IO callbacks)" # ~ 5s + make test + + msg "test: ssl-opt.sh default (full config + hardcoded IO callbacks)" # ~ 5s + if_build_succeeded tests/ssl-opt.sh -f '^Default$\|^Default, DTLS$' +} + component_build_deprecated () { msg "build: make, full config + DEPRECATED_WARNING, gcc -O" # ~ 30s scripts/config.pl full From 41e5a6871d76b1ac6e6c28ca3466050224121f7c Mon Sep 17 00:00:00 2001 From: Hanno Becker Date: Fri, 19 Jul 2019 17:07:30 +0100 Subject: [PATCH 03/18] Example apps: Don't use runtime IO config API if CBs are hardcoded Multiple example applications still use mbedtls_ssl_set_bio() even if the I/O callbacks are hardcoded. This commit fixes this. --- programs/ssl/dtls_server.c | 11 +++++++++-- programs/ssl/ssl_client1.c | 9 ++++++++- programs/ssl/ssl_client2.c | 6 ++++++ programs/ssl/ssl_fork_server.c | 9 ++++++++- programs/ssl/ssl_mail_client.c | 9 ++++++++- programs/ssl/ssl_pthread_server.c | 9 ++++++++- programs/ssl/ssl_server.c | 9 ++++++++- programs/ssl/ssl_server2.c | 13 ++++++++++--- programs/x509/cert_app.c | 9 ++++++++- 9 files changed, 73 insertions(+), 11 deletions(-) diff --git a/programs/ssl/dtls_server.c b/programs/ssl/dtls_server.c index f2dcd2f88..ad3a70aa2 100644 --- a/programs/ssl/dtls_server.c +++ b/programs/ssl/dtls_server.c @@ -305,8 +305,15 @@ reset: goto exit; } - mbedtls_ssl_set_bio( &ssl, &client_fd, - mbedtls_net_send, mbedtls_net_recv, mbedtls_net_recv_timeout ); +#if !defined(MBEDTLS_SSL_CONF_RECV) && \ + !defined(MBEDTLS_SSL_CONF_SEND) && \ + !defined(MBEDTLS_SSL_CONF_RECV_TIMEOUT) + mbedtls_ssl_set_bio( &ssl, &client_fd, + mbedtls_net_send, mbedtls_net_recv, + mbedtls_net_recv_timeout ); +#else + mbedtls_ssl_set_bio_ctx( &ssl, &client_fd ); +#endif printf( " ok\n" ); diff --git a/programs/ssl/ssl_client1.c b/programs/ssl/ssl_client1.c index 2554946a8..6a4bf5e0a 100644 --- a/programs/ssl/ssl_client1.c +++ b/programs/ssl/ssl_client1.c @@ -196,7 +196,14 @@ int main( void ) goto exit; } - mbedtls_ssl_set_bio( &ssl, &server_fd, mbedtls_net_send, mbedtls_net_recv, NULL ); +#if !defined(MBEDTLS_SSL_CONF_RECV) && \ + !defined(MBEDTLS_SSL_CONF_SEND) && \ + !defined(MBEDTLS_SSL_CONF_RECV_TIMEOUT) + mbedtls_ssl_set_bio( &ssl, &server_fd, + mbedtls_net_send, mbedtls_net_recv, NULL ); +#else + mbedtls_ssl_set_bio_ctx( &ssl, &server_fd ); +#endif /* * 4. Handshake diff --git a/programs/ssl/ssl_client2.c b/programs/ssl/ssl_client2.c index f6bdc567d..1beb17cc7 100644 --- a/programs/ssl/ssl_client2.c +++ b/programs/ssl/ssl_client2.c @@ -2681,8 +2681,14 @@ send_request: goto exit; } +#if !defined(MBEDTLS_SSL_CONF_RECV) && \ + !defined(MBEDTLS_SSL_CONF_SEND) && \ + !defined(MBEDTLS_SSL_CONF_RECV_TIMEOUT) mbedtls_ssl_set_bio( &ssl, &io_ctx, send_cb, recv_cb, opt.nbio == 0 ? recv_timeout_cb : NULL ); +#else + mbedtls_ssl_set_bio_ctx( &ssl, &server_fd ); +#endif #if defined(MBEDTLS_TIMING_C) #if !defined(MBEDTLS_SSL_CONF_SET_TIMER) && \ diff --git a/programs/ssl/ssl_fork_server.c b/programs/ssl/ssl_fork_server.c index c716ca9ef..098761cc9 100644 --- a/programs/ssl/ssl_fork_server.c +++ b/programs/ssl/ssl_fork_server.c @@ -300,7 +300,14 @@ int main( void ) goto exit; } - mbedtls_ssl_set_bio( &ssl, &client_fd, mbedtls_net_send, mbedtls_net_recv, NULL ); +#if !defined(MBEDTLS_SSL_CONF_RECV) && \ + !defined(MBEDTLS_SSL_CONF_SEND) && \ + !defined(MBEDTLS_SSL_CONF_RECV_TIMEOUT) + mbedtls_ssl_set_bio( &ssl, &client_fd, + mbedtls_net_send, mbedtls_net_recv, NULL ); +#else + mbedtls_ssl_set_bio_ctx( &ssl, &client_fd ); +#endif mbedtls_printf( "pid %d: SSL setup ok\n", pid ); diff --git a/programs/ssl/ssl_mail_client.c b/programs/ssl/ssl_mail_client.c index 11b682cad..3812dd332 100644 --- a/programs/ssl/ssl_mail_client.c +++ b/programs/ssl/ssl_mail_client.c @@ -649,7 +649,14 @@ int main( int argc, char *argv[] ) goto exit; } - mbedtls_ssl_set_bio( &ssl, &server_fd, mbedtls_net_send, mbedtls_net_recv, NULL ); +#if !defined(MBEDTLS_SSL_CONF_RECV) && \ + !defined(MBEDTLS_SSL_CONF_SEND) && \ + !defined(MBEDTLS_SSL_CONF_RECV_TIMEOUT) + mbedtls_ssl_set_bio( &ssl, &server_fd, + mbedtls_net_send, mbedtls_net_recv, NULL ); +#else + mbedtls_ssl_set_bio_ctx( &ssl, &server_fd ); +#endif mbedtls_printf( " ok\n" ); diff --git a/programs/ssl/ssl_pthread_server.c b/programs/ssl/ssl_pthread_server.c index 6ce4faaca..fd6ca2613 100644 --- a/programs/ssl/ssl_pthread_server.c +++ b/programs/ssl/ssl_pthread_server.c @@ -149,7 +149,14 @@ static void *handle_ssl_connection( void *data ) goto thread_exit; } - mbedtls_ssl_set_bio( &ssl, client_fd, mbedtls_net_send, mbedtls_net_recv, NULL ); +#if !defined(MBEDTLS_SSL_CONF_RECV) && \ + !defined(MBEDTLS_SSL_CONF_SEND) && \ + !defined(MBEDTLS_SSL_CONF_RECV_TIMEOUT) + mbedtls_ssl_set_bio( &ssl, &client_fd, + mbedtls_net_send, mbedtls_net_recv, NULL ); +#else + mbedtls_ssl_set_bio_ctx( &ssl, &client_fd ); +#endif /* * 5. Handshake diff --git a/programs/ssl/ssl_server.c b/programs/ssl/ssl_server.c index 849c14d95..bf502a5a3 100644 --- a/programs/ssl/ssl_server.c +++ b/programs/ssl/ssl_server.c @@ -265,7 +265,14 @@ reset: goto exit; } - mbedtls_ssl_set_bio( &ssl, &client_fd, mbedtls_net_send, mbedtls_net_recv, NULL ); +#if !defined(MBEDTLS_SSL_CONF_RECV) && \ + !defined(MBEDTLS_SSL_CONF_SEND) && \ + !defined(MBEDTLS_SSL_CONF_RECV_TIMEOUT) + mbedtls_ssl_set_bio( &ssl, &client_fd, + mbedtls_net_send, mbedtls_net_recv, NULL ); +#else + mbedtls_ssl_set_bio_ctx( &ssl, &client_fd ); +#endif mbedtls_printf( " ok\n" ); diff --git a/programs/ssl/ssl_server2.c b/programs/ssl/ssl_server2.c index 2cd00fa39..cb62b528c 100644 --- a/programs/ssl/ssl_server2.c +++ b/programs/ssl/ssl_server2.c @@ -3714,12 +3714,19 @@ data_exchange: /* * This illustrates the minimum amount of things you need to set - * up, however you could set up much more if desired, for example - * if you want to share your set up code between the case of - * establishing a new connection and this case. + * up: I/O and timer callbacks/contexts; however you could set up + * much more if desired, for example if you want to share your set + * up code between the case of establishing a new connection and + * this case. */ +#if !defined(MBEDTLS_SSL_CONF_RECV) && \ + !defined(MBEDTLS_SSL_CONF_SEND) && \ + !defined(MBEDTLS_SSL_CONF_RECV_TIMEOUT) mbedtls_ssl_set_bio( &ssl, &io_ctx, send_cb, recv_cb, opt.nbio == 0 ? recv_timeout_cb : NULL ); +#else + mbedtls_ssl_set_bio_ctx( &ssl, &client_fd ); +#endif #if defined(MBEDTLS_TIMING_C) #if !defined(MBEDTLS_SSL_CONF_SET_TIMER) && \ diff --git a/programs/x509/cert_app.c b/programs/x509/cert_app.c index 0656ce768..cdd77f273 100644 --- a/programs/x509/cert_app.c +++ b/programs/x509/cert_app.c @@ -441,7 +441,14 @@ int main( int argc, char *argv[] ) goto ssl_exit; } - mbedtls_ssl_set_bio( &ssl, &server_fd, mbedtls_net_send, mbedtls_net_recv, NULL ); +#if !defined(MBEDTLS_SSL_CONF_RECV) && \ + !defined(MBEDTLS_SSL_CONF_SEND) && \ + !defined(MBEDTLS_SSL_CONF_RECV_TIMEOUT) + mbedtls_ssl_set_bio( &ssl, &server_fd, + mbedtls_net_send, mbedtls_net_recv, NULL ); +#else + mbedtls_ssl_set_bio_ctx( &ssl, &server_fd ); +#endif /* * 4. Handshake From 6dd8e1c54d1a2896a6d1e6ede68c303773ce76aa Mon Sep 17 00:00:00 2001 From: Hanno Becker Date: Mon, 22 Jul 2019 11:04:12 +0100 Subject: [PATCH 04/18] Add all.sh test for hardcoded miscellaneous SSL config options --- tests/scripts/all.sh | 23 +++++++++++++++++++++++ 1 file changed, 23 insertions(+) diff --git a/tests/scripts/all.sh b/tests/scripts/all.sh index 5dbe25cd1..1437af160 100755 --- a/tests/scripts/all.sh +++ b/tests/scripts/all.sh @@ -829,6 +829,29 @@ component_test_hardcoded_io_callbacks_cmake_clang() { if_build_succeeded tests/ssl-opt.sh -f '^Default$\|^Default, DTLS$' } +component_test_hardcoded_misc_options_cmake_clang() { + msg "build: cmake, full config + hardcode various SSL config options, clang" # ~ 50s + scripts/config.pl full + scripts/config.pl unset MBEDTLS_MEMORY_BACKTRACE + scripts/config.pl unset MBEDTLS_MEMORY_BUFFER_ALLOC_C + scripts/config.pl set MBEDTLS_SSL_CONF_READ_TIMEOUT 0 + scripts/config.pl set MBEDTLS_SSL_CONF_HS_TIMEOUT_MIN MBEDTLS_SSL_DTLS_TIMEOUT_DFL_MIN + scripts/config.pl set MBEDTLS_SSL_CONF_HS_TIMEOUT_MAX MBEDTLS_SSL_DTLS_TIMEOUT_DFL_MAX + scripts/config.pl set MBEDTLS_SSL_CONF_CERT_REQ_CA_LIST MBEDTLS_SSL_CERT_REQ_CA_LIST_ENABLED + scripts/config.pl set MBEDTLS_SSL_CONF_ANTI_REPLAY MBEDTLS_SSL_ANTI_REPLAY_ENABLED + scripts/config.pl set MBEDTLS_SSL_CONF_BADMAC_LIMIT 0 + scripts/config.pl set MBEDTLS_SSL_CONF_AUTHMODE MBEDTLS_SSL_VERIFY_REQUIRED + scripts/config.pl set MBEDTLS_SSL_CONF_ALLOW_LEGACY_RENEGOTIATION MBEDTLS_SSL_LEGACY_NO_RENEGOTIATION + CC=clang cmake -D LINK_WITH_PTHREAD=1 -D CMAKE_BUILD_TYPE:String=ASanDbg -D ENABLE_TESTING=On . + make + + msg "test: main suites (full config + hardcode various SSL config options)" # ~ 5s + make test + + msg "test: ssl-opt.sh default (full config + hardcode various SSL config options)" # ~ 5s + if_build_succeeded tests/ssl-opt.sh -f '^Default$\|^Default, DTLS$' +} + component_build_deprecated () { msg "build: make, full config + DEPRECATED_WARNING, gcc -O" # ~ 30s scripts/config.pl full From 7cedd8bed2948e60816d9bea4e6384d62d5aefd3 Mon Sep 17 00:00:00 2001 From: Hanno Becker Date: Mon, 22 Jul 2019 11:04:16 +0100 Subject: [PATCH 05/18] Remove overly strict guard in ssl_server2 get_auth_mode() is needed for a change of authmode through SNI, which is possible even if the original authmode is hardcoded. --- programs/ssl/ssl_server2.c | 2 -- 1 file changed, 2 deletions(-) diff --git a/programs/ssl/ssl_server2.c b/programs/ssl/ssl_server2.c index cb62b528c..bc97149ef 100644 --- a/programs/ssl/ssl_server2.c +++ b/programs/ssl/ssl_server2.c @@ -791,7 +791,6 @@ static int send_cb( void *ctx, unsigned char const *buf, size_t len ) return( mbedtls_net_send( io_ctx->net, buf, len ) ); } -#if !defined(MBEDTLS_SSL_CONF_AUTHMODE) /* * Return authmode from string, or -1 on error */ @@ -806,7 +805,6 @@ static int get_auth_mode( const char *s ) return( -1 ); } -#endif /* !MBEDTLS_SSL_CONF_AUTHMODE */ /* * Used by sni_parse and psk_parse to handle coma-separated lists From fe1bd781de89d0a36ead0990acfaefb58b2af96d Mon Sep 17 00:00:00 2001 From: Hanno Becker Date: Fri, 19 Jul 2019 17:32:14 +0100 Subject: [PATCH 06/18] Add all.sh test for hardcoded elliptic curve --- tests/scripts/all.sh | 18 ++++++++++++++++++ 1 file changed, 18 insertions(+) diff --git a/tests/scripts/all.sh b/tests/scripts/all.sh index 1437af160..2f9ff52a3 100755 --- a/tests/scripts/all.sh +++ b/tests/scripts/all.sh @@ -852,6 +852,24 @@ component_test_hardcoded_misc_options_cmake_clang() { if_build_succeeded tests/ssl-opt.sh -f '^Default$\|^Default, DTLS$' } +component_test_hardcoded_elliptic_curve_cmake_clang() { + msg "build: cmake, full config + hardcode elliptic curve, clang" # ~ 50s + scripts/config.pl full + scripts/config.pl unset MBEDTLS_MEMORY_BACKTRACE + scripts/config.pl unset MBEDTLS_MEMORY_BUFFER_ALLOC_C + scripts/config.pl set MBEDTLS_SSL_CONF_SINGLE_EC + scripts/config.pl set MBEDTLS_SSL_CONF_SINGLE_EC_GRP_ID MBEDTLS_ECP_DP_SECP256R1 + scripts/config.pl set MBEDTLS_SSL_CONF_SINGLE_EC_TLS_ID 23 + CC=clang cmake -D LINK_WITH_PTHREAD=1 -D CMAKE_BUILD_TYPE:String=ASanDbg -D ENABLE_TESTING=On . + make + + msg "test: main suites (full config + hardcode elliptic curve)" # ~ 5s + make test + + msg "test: ssl-opt.sh default (full config + hardcode elliptic curve)" # ~ 5s + if_build_succeeded tests/ssl-opt.sh -f '^Default$\|^Default, DTLS$' +} + component_build_deprecated () { msg "build: make, full config + DEPRECATED_WARNING, gcc -O" # ~ 30s scripts/config.pl full From a1f3c521e74be25ff4dd663ea23123e6278f7c5a Mon Sep 17 00:00:00 2001 From: Hanno Becker Date: Mon, 22 Jul 2019 12:37:21 +0100 Subject: [PATCH 07/18] Add --build-only option to baremetal.sh --ram This option builds the library, tests and example programs in a minimally modified baremetal.h configuration (modifications from baremetal_test.h) but doesn't execute any tests. --- scripts/baremetal.sh | 8 +++++--- 1 file changed, 5 insertions(+), 3 deletions(-) diff --git a/scripts/baremetal.sh b/scripts/baremetal.sh index 2fd8b6c96..d6b63722f 100755 --- a/scripts/baremetal.sh +++ b/scripts/baremetal.sh @@ -338,7 +338,7 @@ baremetal_ram_stack() { } show_usage() { - echo "Usage: $0 [--rom [--check] [--gcc] [--armc5] [--armc6]|--ram [--stack] [--heap]]" + echo "Usage: $0 [--rom [--check] [--gcc] [--armc5] [--armc6]|--ram [--build-only] [--stack] [--heap]]" } test_build=0 @@ -362,6 +362,7 @@ while [ $# -gt 0 ]; do --armc6) build_armc6=1;; --ram) test_build=1;; --rom) raw_build=1;; + --build-only) build_only=1;; --heap) measure_heap=1;; --stack) measure_stack=1;; --check) check=1;; @@ -385,8 +386,9 @@ fi if [ "$test_build" -eq 1 ]; then if [ "$measure_heap" -eq 0 ] && - [ "$measure_stack" -eq 0 ]; then - echo "Need to set either --heap or --stack with --ram" + [ "$measure_stack" -eq 0 ] && + [ "$build_only" -eq 0 ]; then + echo "Need to set either --build-only, --heap or --stack with --ram" show_usage exit 1 fi From e7895aae2c7287421f37cf2c0eedad98ee172258 Mon Sep 17 00:00:00 2001 From: Hanno Becker Date: Mon, 22 Jul 2019 12:47:20 +0100 Subject: [PATCH 08/18] Add all.sh test for baremetal.h runtime test --- tests/scripts/all.sh | 11 ++++++++++- 1 file changed, 10 insertions(+), 1 deletion(-) diff --git a/tests/scripts/all.sh b/tests/scripts/all.sh index 2f9ff52a3..5ba531b86 100755 --- a/tests/scripts/all.sh +++ b/tests/scripts/all.sh @@ -1341,11 +1341,20 @@ component_build_armcc () { } # need _armcc in the name for pre_check_tools() -component_build_baremetal_script_gcc_armcc () { +component_baremetal_raw_build () { msg "build: scripts/baremetal.sh gcc/armc5/armc6" scripts/baremetal.sh --rom --gcc --armc5 --armc6 --check } +component_baremetal_test_build () { + msg "build: lib+test+programs for baremetal.h + baremetal_test.h" + record_status scripts/baremetal.sh --ram --build-only + + msg "test: baremetal.h + baremetal_test.h" + if_build_succeeded make test + if_build_succeeded tests/ssl-opt.sh --filter "^Default, DTLS$" +} + component_build_armcc_tinycrypt_baremetal () { msg "build: ARM Compiler 5, make with tinycrypt and baremetal" scripts/config.pl baremetal From 28d2a881735cdcfe6abe8066d85fb3b49a514cc9 Mon Sep 17 00:00:00 2001 From: Hanno Becker Date: Wed, 24 Jul 2019 16:01:38 +0100 Subject: [PATCH 09/18] Fix indentation in three example programs --- programs/ssl/dtls_server.c | 8 ++++---- programs/ssl/ssl_client1.c | 6 +++--- programs/ssl/ssl_mail_client.c | 6 +++--- 3 files changed, 10 insertions(+), 10 deletions(-) diff --git a/programs/ssl/dtls_server.c b/programs/ssl/dtls_server.c index ad3a70aa2..84b905d70 100644 --- a/programs/ssl/dtls_server.c +++ b/programs/ssl/dtls_server.c @@ -308,11 +308,11 @@ reset: #if !defined(MBEDTLS_SSL_CONF_RECV) && \ !defined(MBEDTLS_SSL_CONF_SEND) && \ !defined(MBEDTLS_SSL_CONF_RECV_TIMEOUT) - mbedtls_ssl_set_bio( &ssl, &client_fd, - mbedtls_net_send, mbedtls_net_recv, - mbedtls_net_recv_timeout ); + mbedtls_ssl_set_bio( &ssl, &client_fd, + mbedtls_net_send, mbedtls_net_recv, + mbedtls_net_recv_timeout ); #else - mbedtls_ssl_set_bio_ctx( &ssl, &client_fd ); + mbedtls_ssl_set_bio_ctx( &ssl, &client_fd ); #endif printf( " ok\n" ); diff --git a/programs/ssl/ssl_client1.c b/programs/ssl/ssl_client1.c index 6a4bf5e0a..5f453dcb5 100644 --- a/programs/ssl/ssl_client1.c +++ b/programs/ssl/ssl_client1.c @@ -199,10 +199,10 @@ int main( void ) #if !defined(MBEDTLS_SSL_CONF_RECV) && \ !defined(MBEDTLS_SSL_CONF_SEND) && \ !defined(MBEDTLS_SSL_CONF_RECV_TIMEOUT) - mbedtls_ssl_set_bio( &ssl, &server_fd, - mbedtls_net_send, mbedtls_net_recv, NULL ); + mbedtls_ssl_set_bio( &ssl, &server_fd, + mbedtls_net_send, mbedtls_net_recv, NULL ); #else - mbedtls_ssl_set_bio_ctx( &ssl, &server_fd ); + mbedtls_ssl_set_bio_ctx( &ssl, &server_fd ); #endif /* diff --git a/programs/ssl/ssl_mail_client.c b/programs/ssl/ssl_mail_client.c index 3812dd332..b2e4f7f39 100644 --- a/programs/ssl/ssl_mail_client.c +++ b/programs/ssl/ssl_mail_client.c @@ -652,10 +652,10 @@ int main( int argc, char *argv[] ) #if !defined(MBEDTLS_SSL_CONF_RECV) && \ !defined(MBEDTLS_SSL_CONF_SEND) && \ !defined(MBEDTLS_SSL_CONF_RECV_TIMEOUT) - mbedtls_ssl_set_bio( &ssl, &server_fd, - mbedtls_net_send, mbedtls_net_recv, NULL ); + mbedtls_ssl_set_bio( &ssl, &server_fd, + mbedtls_net_send, mbedtls_net_recv, NULL ); #else - mbedtls_ssl_set_bio_ctx( &ssl, &server_fd ); + mbedtls_ssl_set_bio_ctx( &ssl, &server_fd ); #endif mbedtls_printf( " ok\n" ); From c4296a3bbb6d353e7568db9dab9f83f5ed907e2c Mon Sep 17 00:00:00 2001 From: Hanno Becker Date: Wed, 24 Jul 2019 16:02:53 +0100 Subject: [PATCH 10/18] Modify all.sh test names to reflect use of ARMCC --- tests/scripts/all.sh | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/tests/scripts/all.sh b/tests/scripts/all.sh index 5ba531b86..8cedfda2b 100755 --- a/tests/scripts/all.sh +++ b/tests/scripts/all.sh @@ -1341,12 +1341,13 @@ component_build_armcc () { } # need _armcc in the name for pre_check_tools() -component_baremetal_raw_build () { +component_baremetal_raw_build_armcc () { msg "build: scripts/baremetal.sh gcc/armc5/armc6" scripts/baremetal.sh --rom --gcc --armc5 --armc6 --check } -component_baremetal_test_build () { +# need _armcc in the name for pre_check_tools() +component_baremetal_test_build_armcc () { msg "build: lib+test+programs for baremetal.h + baremetal_test.h" record_status scripts/baremetal.sh --ram --build-only From b7769e4fc0f464b974af45fa7677eaa8264096e0 Mon Sep 17 00:00:00 2001 From: Hanno Becker Date: Thu, 25 Jul 2019 12:38:03 +0100 Subject: [PATCH 11/18] Remove wrong reference to ARMCC in all.sh test name --- tests/scripts/all.sh | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/tests/scripts/all.sh b/tests/scripts/all.sh index 8cedfda2b..da0bb60c4 100755 --- a/tests/scripts/all.sh +++ b/tests/scripts/all.sh @@ -1346,8 +1346,7 @@ component_baremetal_raw_build_armcc () { scripts/baremetal.sh --rom --gcc --armc5 --armc6 --check } -# need _armcc in the name for pre_check_tools() -component_baremetal_test_build_armcc () { +component_baremetal_test_build () { msg "build: lib+test+programs for baremetal.h + baremetal_test.h" record_status scripts/baremetal.sh --ram --build-only From 93de2965d09b24421715200eb9b10f3eb187d8d2 Mon Sep 17 00:00:00 2001 From: Hanno Becker Date: Thu, 25 Jul 2019 12:38:18 +0100 Subject: [PATCH 12/18] Fix rebase slip --- library/ssl_srv.c | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/library/ssl_srv.c b/library/ssl_srv.c index 573f32769..937ee0b52 100644 --- a/library/ssl_srv.c +++ b/library/ssl_srv.c @@ -1098,10 +1098,15 @@ static int ssl_parse_client_hello_v2( mbedtls_ssl_context *ssl ) return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO ); } +#if !defined(MBEDTLS_SSL_CONF_FIXED_MAJOR_VER) ssl->major_ver = MBEDTLS_SSL_MAJOR_VERSION_3; +#endif + +#if !defined(MBEDTLS_SSL_CONF_FIXED_MINOR_VER) ssl->minor_ver = ( buf[4] <= mbedtls_ssl_conf_get_max_minor_ver( ssl->conf ) ) ? buf[4] : mbedtls_ssl_conf_get_max_minor_ver( ssl->conf ); +#endif if( mbedtls_ssl_get_minor_ver( ssl ) < mbedtls_ssl_conf_get_min_minor_ver( ssl->conf ) ) { From 62daad3b9a7beb61e030932d305e287cb60e46de Mon Sep 17 00:00:00 2001 From: Hanno Becker Date: Thu, 25 Jul 2019 12:41:40 +0100 Subject: [PATCH 13/18] all.sh: Adhere to convention that build_ prefixes build-only tests --- tests/scripts/all.sh | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/tests/scripts/all.sh b/tests/scripts/all.sh index da0bb60c4..2415cdd60 100755 --- a/tests/scripts/all.sh +++ b/tests/scripts/all.sh @@ -1341,12 +1341,12 @@ component_build_armcc () { } # need _armcc in the name for pre_check_tools() -component_baremetal_raw_build_armcc () { +component_build_baremetal_raw_armcc () { msg "build: scripts/baremetal.sh gcc/armc5/armc6" scripts/baremetal.sh --rom --gcc --armc5 --armc6 --check } -component_baremetal_test_build () { +component_test_baremetal () { msg "build: lib+test+programs for baremetal.h + baremetal_test.h" record_status scripts/baremetal.sh --ram --build-only From 0d1db20490633e53ebcf9eadc6fce9b1eb2f5f4c Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Manuel=20P=C3=A9gouri=C3=A9-Gonnard?= Date: Tue, 30 Jul 2019 14:11:25 +0200 Subject: [PATCH 14/18] Fix bug in skip_date() (MBEDTLS_X509_CRT_REMOVE_TIME) Asserting `*p == end` right after setting `end = *p + len` will always fail unless `len == 0`, which is never the case with properly-formed certificates. The function x509_skip_dates() is modelled after x509_get_dates() which between setting `end` and comparing it to `*p` calls mbedtls_x509_get_time() which advances `*p` to the expected value, which is why this test works in get_dates(). Since `skip_dates()` has `skip`, not `validate` in its name, and the entire point of `MBEDTLS_X509_CRT_REMOVE_TIME` is to save code, we don't want to call the relatively large functions needed to properly parse (and validate) dates before throwing the parsed dates away, we can just fast-forward to the end of the sequence. This makes updating `end` and comparing it to `*p` after the fast-forward redundant, as the comparison will always be true (unlike the case where we actually parse the contents of the sequence). This bug was found by `all.sh test_baremetal` - no need for a new test. --- library/x509_crt.c | 7 ++----- 1 file changed, 2 insertions(+), 5 deletions(-) diff --git a/library/x509_crt.c b/library/x509_crt.c index 4e5ff43bd..7a667cdee 100644 --- a/library/x509_crt.c +++ b/library/x509_crt.c @@ -743,11 +743,8 @@ static int x509_skip_dates( unsigned char **p, MBEDTLS_ASN1_CONSTRUCTED | MBEDTLS_ASN1_SEQUENCE ) ) != 0 ) return( MBEDTLS_ERR_X509_INVALID_DATE + ret ); - end = *p + len; - - if( *p != end ) - return( MBEDTLS_ERR_X509_INVALID_DATE + - MBEDTLS_ERR_ASN1_LENGTH_MISMATCH ); + /* skip contents of the sequence */ + *p += len; return( 0 ); } From d64a2f72e6b8ab5c56373a6cc1d01ff6ec7c9425 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Manuel=20P=C3=A9gouri=C3=A9-Gonnard?= Date: Tue, 30 Jul 2019 14:54:50 +0200 Subject: [PATCH 15/18] Fix wrong ifdef in ssl_server2 & add test for it This was found as a warning when running scripts/baremetal.sh --ram --build-only manually, but it should have been found in a more automated way. Adding -Werror so that future such issues will be caught by all.sh (component_test_baremetal already invokes baremetal.sh --ram --build-only). --- programs/ssl/ssl_server2.c | 2 ++ scripts/baremetal.sh | 5 ++++- 2 files changed, 6 insertions(+), 1 deletion(-) diff --git a/programs/ssl/ssl_server2.c b/programs/ssl/ssl_server2.c index bc97149ef..6d81626b4 100644 --- a/programs/ssl/ssl_server2.c +++ b/programs/ssl/ssl_server2.c @@ -791,6 +791,7 @@ static int send_cb( void *ctx, unsigned char const *buf, size_t len ) return( mbedtls_net_send( io_ctx->net, buf, len ) ); } +#if defined(SNI_OPTION) || !defined(MBEDTLS_SSL_CONF_AUTHMODE) /* * Return authmode from string, or -1 on error */ @@ -805,6 +806,7 @@ static int get_auth_mode( const char *s ) return( -1 ); } +#endif /* SNI_OPTION || !MBEDTLS_SSL_CONF_AUTHMODE */ /* * Used by sni_parse and psk_parse to handle coma-separated lists diff --git a/scripts/baremetal.sh b/scripts/baremetal.sh index d6b63722f..813307a9c 100755 --- a/scripts/baremetal.sh +++ b/scripts/baremetal.sh @@ -214,6 +214,9 @@ baremetal_ram_build() { make clean CFLAGS="$BASE_CFLAGS $CFLAGS_CONFIG $CFLAGS_USER_CONFIG" + if [ "$build_only" -eq 1 ]; then + CFLAGS="$CFLAGS -Werror" + fi echo "Modifications: $BAREMETAL_USER_CONFIG" cat $BAREMETAL_USER_CONFIG | grep "^#define" | awk '{print "* " $0 }' @@ -352,7 +355,7 @@ measure_heap=0 measure_stack=0 check=0 - +build_only=0 debug=0 while [ $# -gt 0 ]; do From 80eaddfc36444ccc8fff73b98e6a7f9a86dceafd Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Manuel=20P=C3=A9gouri=C3=A9-Gonnard?= Date: Tue, 30 Jul 2019 14:59:54 +0200 Subject: [PATCH 16/18] Clean generated *.su file and gitignore them --- .gitignore | 3 +++ library/Makefile | 4 ++-- programs/Makefile | 3 ++- tests/Makefile | 4 ++-- 4 files changed, 9 insertions(+), 5 deletions(-) diff --git a/.gitignore b/.gitignore index 789f57ee0..11d91ee53 100644 --- a/.gitignore +++ b/.gitignore @@ -22,6 +22,9 @@ Coverage # generated by scripts/memory.sh massif-* +# scripts/baremetal.sh --ram build artefacts: +*.su + # MSVC build artifacts: *.exe *.pdb diff --git a/library/Makefile b/library/Makefile index 45ed1485a..50faed9ca 100644 --- a/library/Makefile +++ b/library/Makefile @@ -200,7 +200,7 @@ libmbedcrypto.dll: $(OBJS_CRYPTO) clean: ifndef WINDOWS - rm -f *.o libmbed* + rm -f *.o *.su libmbed* else - del /Q /F *.o libmbed* + del /Q /F *.o *.su libmbed* endif diff --git a/programs/Makefile b/programs/Makefile index d09949bbf..9b01e45cd 100644 --- a/programs/Makefile +++ b/programs/Makefile @@ -298,8 +298,9 @@ ifndef WINDOWS rm -f $(APPS) -rm -f ssl/ssl_pthread_server$(EXEXT) -rm -f test/cpp_dummy_build$(EXEXT) + -rm -f *.su else - del /S /Q /F *.o *.exe + del /S /Q /F *.o *.su *.exe endif list: diff --git a/tests/Makefile b/tests/Makefile index 0db496320..20a3fe4b7 100644 --- a/tests/Makefile +++ b/tests/Makefile @@ -114,9 +114,9 @@ $(BINARIES): %$(EXEXT): %.c $(DEP) clean: ifndef WINDOWS - rm -rf $(BINARIES) *.c *.datax TESTS + rm -rf $(BINARIES) *.c *.su *.datax TESTS else - del /Q /F *.c *.exe *.datax + del /Q /F *.c *.su *.exe *.datax ifneq ($(wildcard TESTS/.*),) rmdir /Q /S TESTS endif From f1358acdc7747e95b7fba86c0ad19558fb03d518 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Manuel=20P=C3=A9gouri=C3=A9-Gonnard?= Date: Tue, 30 Jul 2019 16:03:06 +0200 Subject: [PATCH 17/18] Fix bug in MBEDTLS_X509_CRT_REMOVE_TIME When looking for a parent, all candidates were considered time-invalid due to the #ifdef incorrectly including the `parent_valid = 1` line. When MBEDTLS_HAVE_TIME_DATE is unset the time-validity of certificates is never checked and always treated as valid. This is usually achieved by proper usage of mbedtls_x509_time_is_past() and mbedtls_x509_time_is_future() (and their definition when we don't HAVE_TIME_DATE). Here the calls to these functions needs to be guarded by MBEDTLS_X509_CRT_REMOVE_TIME as they access struct members whose presence is controlled by this option. But the "valid" branch should still always be taken. (Note: MBEDTLS_X509_CRT_REMOVE_TIME being set forces MBEDTLS_HAVE_TIME_DATE to be unset, as enforce by check_config.h.) This bug was found by `all.sh test_baremetal` - no need for a new test. --- library/x509_crt.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/library/x509_crt.c b/library/x509_crt.c index 7a667cdee..0c158f836 100644 --- a/library/x509_crt.c +++ b/library/x509_crt.c @@ -2972,10 +2972,10 @@ check_signature: #if !defined(MBEDTLS_X509_CRT_REMOVE_TIME) if( !mbedtls_x509_time_is_past( &parent->valid_to ) && !mbedtls_x509_time_is_future( &parent->valid_from ) ) +#endif /* !MBEDTLS_X509_CRT_REMOVE_TIME */ { parent_valid = 1; } -#endif /* !MBEDTLS_X509_CRT_REMOVE_TIME */ /* basic parenting skills (name, CA bit, key usage) */ if( x509_crt_check_parent( child_sig, parent, top ) == 0 ) From 2b29a37c916c1765dd8975ba335d39701f79dd22 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Manuel=20P=C3=A9gouri=C3=A9-Gonnard?= Date: Tue, 30 Jul 2019 17:07:38 +0200 Subject: [PATCH 18/18] Fix compile bugs in examples with hardcoded I/O callbacks These were found by `all.sh test_baremetal`, so no need for a new test. --- programs/ssl/ssl_client2.c | 10 +++++++--- programs/ssl/ssl_server2.c | 10 +++++++--- 2 files changed, 14 insertions(+), 6 deletions(-) diff --git a/programs/ssl/ssl_client2.c b/programs/ssl/ssl_client2.c index 1beb17cc7..716263b1a 100644 --- a/programs/ssl/ssl_client2.c +++ b/programs/ssl/ssl_client2.c @@ -524,9 +524,6 @@ static int delayed_send( void *ctx, const unsigned char *buf, size_t len ) first_try = 1; /* Next call will be a new operation */ return( ret ); } -#endif /* MBEDTLS_SSL_CONF_RECV && - MBEDTLS_SSL_CONF_SEND && - MBEDTLS_SSL_CONF_RECV_TIMEOUT */ typedef struct { @@ -658,6 +655,9 @@ static int send_cb( void *ctx, unsigned char const *buf, size_t len ) return( mbedtls_net_send( io_ctx->net, buf, len ) ); } +#endif /* !MBEDTLS_SSL_CONF_RECV && + !MBEDTLS_SSL_CONF_SEND && + !MBEDTLS_SSL_CONF_RECV_TIMEOUT */ #if defined(MBEDTLS_X509_CRT_PARSE_C) static unsigned char peer_crt_info[1024]; @@ -893,7 +893,11 @@ int main( int argc, char *argv[] ) { int ret = 0, len, tail_len, i, written, frags, retry_left; mbedtls_net_context server_fd; +#if !defined(MBEDTLS_SSL_CONF_RECV) && \ + !defined(MBEDTLS_SSL_CONF_SEND) && \ + !defined(MBEDTLS_SSL_CONF_RECV_TIMEOUT) io_ctx_t io_ctx; +#endif unsigned char buf[MAX_REQUEST_SIZE + 1]; diff --git a/programs/ssl/ssl_server2.c b/programs/ssl/ssl_server2.c index 6d81626b4..3fa2b1502 100644 --- a/programs/ssl/ssl_server2.c +++ b/programs/ssl/ssl_server2.c @@ -654,9 +654,6 @@ static int delayed_send( void *ctx, const unsigned char *buf, size_t len ) first_try = 1; /* Next call will be a new operation */ return( ret ); } -#endif /* MBEDTLS_SSL_CONF_RECV && - MBEDTLS_SSL_CONF_SEND && - MBEDTLS_SSL_CONF_RECV_TIMEOUT */ typedef struct { @@ -790,6 +787,9 @@ static int send_cb( void *ctx, unsigned char const *buf, size_t len ) return( mbedtls_net_send( io_ctx->net, buf, len ) ); } +#endif /* !MBEDTLS_SSL_CONF_RECV && + !MBEDTLS_SSL_CONF_SEND && + !MBEDTLS_SSL_CONF_RECV_TIMEOUT */ #if defined(SNI_OPTION) || !defined(MBEDTLS_SSL_CONF_AUTHMODE) /* @@ -1509,7 +1509,11 @@ int main( int argc, char *argv[] ) { int ret = 0, len, written, frags, exchanges_left; int version_suites[4][2]; +#if !defined(MBEDTLS_SSL_CONF_RECV) && \ + !defined(MBEDTLS_SSL_CONF_SEND) && \ + !defined(MBEDTLS_SSL_CONF_RECV_TIMEOUT) io_ctx_t io_ctx; +#endif unsigned char* buf = 0; #if defined(MBEDTLS_KEY_EXCHANGE__SOME__PSK_ENABLED) unsigned char psk[MBEDTLS_PSK_MAX_LEN];