Commit graph

504 commits

Author SHA1 Message Date
Jaeden Amero 7b03e87fbc Merge remote-tracking branch 'restricted/pr/582' into mbedtls-2.16-restricted
* restricted/pr/582:
  Add a test for signing content with a long ECDSA key
  Add documentation notes about the required size of the signature buffers
  Add missing MBEDTLS_ECP_C dependencies in check_config.h
  Change size of preallocated buffer for pk_sign() calls
2019-06-24 11:40:59 +01:00
Jaeden Amero 5ecbd14fdd Merge remote-tracking branch 'origin/pr/2701' into mbedtls-2.16
* origin/pr/2701:
  Add all.sh component that exercises invalid_param checks
  Remove mbedtls_param_failed from programs
  Make it easier to define MBEDTLS_PARAM_FAILED as assert
  Make test suites compatible with #include <assert.h>
  Pass -m32 to the linker as well
2019-06-21 16:00:06 +01:00
Jaeden Amero a5ebd5fe10 Merge remote-tracking branch 'origin/pr/2615' into mbedtls-2.16
* origin/pr/2615:
  Use 'config.pl baremetal' in all.sh
2019-06-21 15:59:34 +01:00
Jaeden Amero 096bccf204 Merge remote-tracking branch 'origin/pr/2450' into mbedtls-2.16
* origin/pr/2450:
  Fix #2370, minor typos and spelling mistakes
2019-06-21 15:59:29 +01:00
Gilles Peskine dcab202368 Add all.sh component that exercises invalid_param checks
With the change to the full config, there were no longer any tests
that exercise invalid-parameter behavior. The test suite exercises
invalid-parameter behavior by calling TEST_INVALID_PARAM and friends,
relying on the test suite's mbedtls_check_param function. This
function is only enabled if MBEDTLS_CHECK_PARAMS is defined but not
MBEDTLS_CHECK_PARAMS_ASSERT.

Add a component to all.sh that enables MBEDTLS_CHECK_PARAMS but
disables MBEDTLS_CHECK_PARAMS_ASSERT and doesn't define
MBEDTLS_PARAM_FAILED. This way, the xxx_invalid_param() tests do run.
Since sample programs don't provide a mbedtls_check_param function,
this component doesn't build the sample programs.
2019-06-17 19:11:35 +02:00
Gilles Peskine 8118e4672e Pass -m32 to the linker as well
For unit tests and sample programs, CFLAGS=-m32 is enough to get a
32-bit build, because these programs are all compiled directly
from *.c to the executable in one shot. But with makefile rules that
first build object files and then link them, LDFLAGS=-m32 is also
needed.
2019-06-17 19:06:28 +02:00
Jaeden Amero 1adf212a1b Merge remote-tracking branch 'origin/pr/2497' into mbedtls-2.16
* origin/pr/2497:
  Re-generate library/certs.c from script
  Add new line at the end of test-ca2.key.enc
  Use strict syntax to annotate origin of test data in certs.c
  Add run to all.sh exercising !MBEDTLS_PEM_PARSE_C + !MBEDTLS_FS_IO
  Allow DHM self test to run without MBEDTLS_PEM_PARSE_C
  ssl-opt.sh: Auto-skip tests that use files if MBEDTLS_FS_IO unset
  Document origin of hardcoded certificates in library/certs.c
  Adapt ChangeLog
  Rename server1.der to server1.crt.der
  Add DER encoded files to git tree
  Add build instructions to generate DER versions of CRTs and keys
  Document "none" value for ca_path/ca_file in ssl_client2/ssl_server2
  ssl_server2: Skip CA setup if `ca_path` or `ca_file` argument "none"
  ssl_client2: Skip CA setup if `ca_path` or `ca_file` argument "none"
  Correct white spaces in ssl_server2 and ssl_client2
  Adapt ssl_client2 to parse DER encoded test CRTs if PEM is disabled
  Adapt ssl_server2 to parse DER encoded test CRTs if PEM is disabled
2019-06-14 08:48:54 +01:00
k-stachowiak 11f38e2f61 Add a test for signing content with a long ECDSA key
Due to the way the current PK API works, it may have not been clear
for the library clients, how big output buffers they should pass
to the signing functions. Depending on the key type they depend on
MPI or EC specific compile-time constants.

Inside the library, there were places, where it was assumed that
the MPI size will always be enough, even for ECDSA signatures.
However, for very small sizes of the MBEDTLS_MPI_MAX_SIZE and
sufficiently large key, the EC signature could exceed the MPI size
and cause a stack overflow.

This test establishes both conditions -- small MPI size and the use
of a long ECDSA key -- and attempts to sign an arbitrary file.
This can cause a stack overvlow if the signature buffers are not
big enough, therefore the test is performed for an ASan build.
2019-06-10 11:49:54 +02:00
Jaeden Amero ada38317dd test: Always use make clean by itself
When running make with parallelization, running both "clean" and "lib"
with a single make invocation can lead to each target building in
parallel. It's bad if lib is partially done building something, and then
clean deletes what was built. This can lead to errors later on in the
lib target.

    $ make -j9 clean lib
      CC    aes.c
      CC    aesni.c
      CC    arc4.c
      CC    aria.c
      CC    asn1parse.c
      CC    ./library/error.c
      CC    ./library/version.c
      CC    ./library/version_features.c
      AR    libmbedcrypto.a
    ar: aes.o: No such file or directory
    Makefile:120: recipe for target 'libmbedcrypto.a' failed
    make[2]: *** [libmbedcrypto.a] Error 1
    Makefile:152: recipe for target 'libmbedcrypto.a' failed
    make[1]: *** [libmbedcrypto.a] Error 2
    Makefile:19: recipe for target 'lib' failed
    make: *** [lib] Error 2
    make: *** Waiting for unfinished jobs....

To avoid this sort of trouble, always invoke clean by itself without
other targets throughout the library. Don't run clean in parallel with
other rules. The only place where clean was run in parallel with other
targets was in list-symbols.sh.
2019-05-31 17:49:25 +01:00
Hanno Becker e562e7dbeb Add run to all.sh exercising !MBEDTLS_PEM_PARSE_C + !MBEDTLS_FS_IO 2019-05-30 10:58:12 +01:00
Gilles Peskine 39d7c58db5 list-symbols.sh: if the build fails, print the build transcript
If "make clean lib" fails in list-symbols.sh, print the transcript
from running make.
2019-05-22 19:07:36 +02:00
Gilles Peskine 902a1f3f7f Document "check-names.sh -v" 2019-05-22 19:07:36 +02:00
Gilles Peskine 473f2d4ec2 all.sh: invoke check-names.sh in print-trace-on-exit mode 2019-05-15 17:55:06 +02:00
Gilles Peskine 5e525fb6e5 Print a command trace if the check-names.sh exits unexpectedly
We've observed that sometimes check-names.sh exits unexpectedly with
status 2 and no error message. The failure is not reproducible. This
commits makes the script print a trace if it exits unexpectedly.
2019-05-15 17:40:58 +02:00
Manuel Pégourié-Gonnard 6e6ae9b2e8 Use 'config.pl baremetal' in all.sh 2019-04-29 12:48:21 +02:00
Darryl Green 3997a6cd25 Document the scripts behaviour further 2019-04-18 13:18:22 +01:00
Darryl Green 3ef06d5bf7 Add --internal option to list-identifiers.sh
When doing ABI/API checking, its useful to have a list of all the
identifiers that are defined in the internal header files, as we
do not promise compatibility for them. This option allows for a
simple method of getting them for use with the ABI checking script.
2019-04-18 12:02:49 +01:00
Gilles Peskine 0a47c4ffbb Clarify comment mangled by an earlier refactoring 2019-04-10 18:47:51 +02:00
Gilles Peskine 99a3310fba Add an "out-of-box" component
Just run `make` and `make test`. And `selftest` for good measure.
2019-04-10 18:47:51 +02:00
Gilles Peskine 7dd44b28f1 Run ssl-opt.sh on 32-bit runtime
Run ssl-opt.sh on x86_32 with ASan. This may detect bugs that only
show up on 32-bit platforms, for example due to size_t overflow.

For this component, turn off some memory management features that are
not useful, potentially slow, and may reduce ASan's effectiveness at
catching buffer overflows.
2019-04-10 18:47:50 +02:00
Jaeden Amero db8821cb7e Merge remote-tracking branch 'origin/pr/2470' into mbedtls-2.16
* origin/pr/2470:
  Silence pylint
  check-files.py: readability improvement in permission check
  check-files.py: use class fields for class-wide constants
  check-files.py: clean up class structure
  abi_check.py: Document more methods
  check-files.py: document some classes and methods
  Fix pylint errors going uncaught
  Call pylint3, not pylint
  New, documented pylint configuration
2019-04-05 14:20:00 +01:00
Jaeden Amero b0abd1c84f Merge remote-tracking branch 'origin/pr/2388' into mbedtls-2.16
* origin/pr/2388:
  Update change log
  all.sh: Test MBEDTLS_MPI_WINDOW_SIZE=1
  Fix DEADCODE in mbedtls_mpi_exp_mod()
2019-03-05 16:34:40 +00:00
Jaeden Amero 6b79a1115e Merge remote-tracking branch 'origin/pr/2293' into mbedtls-2.16
* origin/pr/2293:
  Declare test_suite_aes.ofb to CMake
  Add a facility to skip running some test suites
  run-test-suites: update the documentation
2019-03-05 16:31:02 +00:00
Andres Amaya Garcia 37e0a8c455 Adjust DES exclude lists in test scripts 2019-03-01 10:30:11 +01:00
Andres Amaya Garcia ac9c5221c5 Exclude 3DES tests in test scripts 2019-03-01 10:29:49 +01:00
Gilles Peskine afd19dd9b6 Silence pylint
Silence pylint in specific places where we're doing slightly unusual
or dodgy, but correct.
2019-02-25 21:42:32 +01:00
Gilles Peskine 6fc5215831 check-files.py: readability improvement in permission check 2019-02-25 21:42:32 +01:00
Gilles Peskine 21e85f78b8 check-files.py: use class fields for class-wide constants
In an issue tracker, heading and files_exemptions are class-wide
constants, so make them so instead of being per-instance fields.
2019-02-25 21:42:32 +01:00
Gilles Peskine d5240ec4c7 check-files.py: clean up class structure
Line issue trackers are conceptually a subclass of file issue
trackers: they're file issue trackers where issues arise from checking
each line independently. So make it an actual subclass.

Pylint pointed out the design smell: there was an abstract method that
wasn't always overridden in concrete child classes.
2019-02-25 21:42:32 +01:00
Gilles Peskine 7660549187 check-files.py: document some classes and methods
Document all classes and longer methods.

Declare a static method as such. Pointed out by pylint.
2019-02-25 21:42:32 +01:00
Gilles Peskine 7b9fcdc2d5 Fix pylint errors going uncaught
Make check-python-files.sh run pylint on all *.py files (in
directories where they are known to be present), rather than list
files explicitly.

Fix a bug whereby the return status of check-python-files.sh was only
based on the last file passing, i.e. errors in other files were
effectively ignored.

Make check-python-files.sh run pylint unconditionally. Since pylint3
is not critical, make all.sh to skip running check-python-files.sh if
pylint3 is not available.
2019-02-25 21:42:32 +01:00
Gilles Peskine e70c6dcee0 Call pylint3, not pylint
We use Python 3, so call Pylint for Python 3, not for Python 2.
2019-02-25 21:42:32 +01:00
Gilles Peskine 5612a9372b New, documented pylint configuration
The pylint configuration in .pylint was a modified version of the
output of `pylint --generate-rcfile` from an unknown version of
pylint. Replace it with a file that only contains settings that are
modified from the default, with an explanation of why each setting is
modified.

The new .pylintrc was written from scratch, based on the output of
pylint on the current version of the files and on a judgement of what
to silence generically, what to silence on a case-by-case basis and
what to fix.
2019-02-25 21:42:32 +01:00
Jaeden Amero c5b57ef9e0 Merge remote-tracking branch 'origin/pr/2412' into mbedtls-2.16 2019-02-21 12:01:50 +00:00
Antonin Décimo d5f4759594 Fix #2370, minor typos and spelling mistakes 2019-02-18 14:50:57 +00:00
Andres Amaya Garcia e144b4130c Add gen_query_config.pl to check-gen-files and bump_version 2019-02-07 10:32:31 +00:00
Peter Kolbus 1e2aa72b57 all.sh: Test MBEDTLS_MPI_WINDOW_SIZE=1
There were no tests for a non-default MPI window size. Add one.

Change-Id: Ic08fbc9161d0b3ee67eb3c91f9baf602646c9dfe
2019-02-05 16:44:13 +01:00
Peter Kolbus 3098707188 all.sh: Fix check_headers_in_cpp
When all.sh invokes check_headers_in_cpp, a backup config.h exists. This
causes a stray difference vs cpp_dummy_build.cpp. Fix by only collecting
the *.h files in include/mbedtls.

Change-Id: Ifd415027e856858579a6699538f06fc49c793570
2019-02-04 17:14:02 +00:00
Jaeden Amero 462dfc5068 Merge remote-tracking branch 'origin/pr/2332' into mbedtls-2.16 2019-01-30 15:52:26 +00:00
Jaeden Amero 36c2c73263 Merge remote-tracking branch 'origin/pr/2325' into mbedtls-2.16 2019-01-30 15:36:57 +00:00
Jaeden Amero a82b436bc2 Merge remote-tracking branch 'origin/pr/2322' into mbedtls-2.16 2019-01-30 15:29:41 +00:00
Jaeden Amero 5677eab235 Merge remote-tracking branch 'origin/pr/2207' into mbedtls-2.16 2019-01-30 14:57:30 +00:00
Jaeden Amero 484d883a1d Merge remote-tracking branch 'origin/pr/2191' into mbedtls-2.16 2019-01-30 14:56:38 +00:00
Gilles Peskine 69f190e8dd Rename test_memcheck to test_valgrind
Valgrind is what it does. `memcheck` is how it's implemented.
2019-01-10 18:29:15 +01:00
Gilles Peskine a28db923d9 Support wildcard patterns with a positive list of components to run
Wildcard patterns now work with command line COMPONENT arguments
without --except as well as with. You can now run e.g.
`all.sh "check_*` to run all the sanity checks.
2019-01-10 18:29:15 +01:00
Gilles Peskine 53190e6160 Delete $OUT_OF_SOURCE_DIR under --force
The deletion of "$OUT_OF_SOURCE_DIR" had mistakenly been lumped
together with Yotta and then removed when Yotta support was removed.
Bring it back.
2019-01-10 18:29:15 +01:00
Gilles Peskine d1174cf015 Fix sometimes-spurious warning about changed config.h
After backing up and restoring config.h, `git diff-files` may report
it as potentially-changed because it isn't sure whether the index is
up to date. Use `git diff` instead: it actually reads the file.
2019-01-10 18:29:15 +01:00
Gilles Peskine c70637a5f0 all.sh: Update the maintainer documentation 2019-01-10 18:29:12 +01:00
Gilles Peskine cc9f0b956e Merge the code to call output_env.sh into pre_check_tools
It's all about tool detection.
2019-01-10 18:27:38 +01:00
Gilles Peskine 879642663a all.sh: only check tools that are going to be used
Don't require openssl, mingw, etc. if we aren't going to run a
component that uses them.
2019-01-10 18:27:38 +01:00