Commit Graph

9093 Commits

Author SHA1 Message Date
Hanno Becker
b2c6383b7b Add missing !MBEDTLS_X509_REMOVE_INFO guards to ssl-opt.sh 2019-06-18 11:05:44 +01:00
Hanno Becker
c6043f2b75 Address review comments 2019-06-18 11:05:44 +01:00
Peter Kolbus
b1cb0bde72 all.sh: Add test for MBEDTLS_X509_REMOVE_INFO
Add a test scenario that runs make/make test with
MBEDTLS_X509_REMOVE_INFO enabled.
2019-06-18 11:05:44 +01:00
Hanno Becker
4a156fc854 Apply guards to make ssl-opt.sh work with MBEDTLS_X509_REMOVE_INFO
Multiple tests in ssl-opt.sh grep for debug output that's omitted
if MBEDTLS_X509_REMOVE_INFO is defined. This commit modifies ssl-opt.sh
to skip those tests in this case.
2019-06-18 11:05:44 +01:00
Hanno Becker
b4d967a0a2 Remove MBEDTLS_X509_REMOVE_INFO from scripts/config.pl full 2019-06-18 11:05:44 +01:00
Hanno Becker
98f85c8c25 Add missing dependencies on !MBEDTLS_X509_REMOVE_INFO 2019-06-18 11:05:44 +01:00
Hanno Becker
02a2193f60 Rename MBEDTLS_X509_INFO to !MBEDTLS_X509_REMOVE_INFO 2019-06-18 11:05:44 +01:00
Peter Kolbus
dc470ae8af Reduce code size when mbedtls_x509_*_info() unused
Introduce MBEDTLS_X509_INFO to indicate the availability of the
mbedtls_x509_*_info() function and closely related APIs. When this is
not defined, also omit name and description from
mbedtls_oid_descriptor_t, and omit OID arrays, macros, and types that
are entirely unused. This saves several KB of code space.

Change-Id: I056312613379890e0d70e1d08c34171287c0aa17
2019-06-18 11:05:37 +01:00
Manuel Pégourié-Gonnard
31ae7facb3 Add test for build warnings with baremetal.h 2019-06-18 12:03:51 +02:00
Manuel Pégourié-Gonnard
e83b2c2a50 Fix unused variable warnings in pkparse.c
In a reduced configuration without PEM, PKCS5 or PKCS12, armc5 found that ret
was set but not used. Fixing that lead to a new warning about the variable not
being used at all. Now the variable is only declared when it's needed.
2019-06-18 11:31:59 +02:00
Manuel Pégourié-Gonnard
070f107a61 Add --check option to scripts/baremetal.sh
Only effective together with --rom, makes two changes:
- abort in case of build warnings
- skip writing statistics

The goal is to make sure we build cleanly in the configuration used for
measuring code size, with all the compilers we use, both because we care about
that configuration and those compilers, and because any warnings would cast a
shadow on the code size measurements.

Currently the build fails with armc5 due to a pre-existing warning in PK, this
will be fixed in the next commit.

The next commit will also add an all.sh component to make sure we have no
regression in the future. (Which is the motivation for --check skipping
statistics: an all.sh component should probably not leave files around.)

While at it, fix two things:

1. The call to gcc --version was redundant with the echo line below
2. WARNING_CFLAGS shouldn't be overriden with armclang, as it would remove the
-Wall -Wextra and any directory-specific warning (such as
-Wdeclaration-after-statement in library). It's meant to be overriden only
with compilers that don't accept the default value (namely armc5 here).
2019-06-18 11:28:59 +02:00
Manuel Pégourié-Gonnard
889bbc70b6 Fix unreachable code warnings with armc5
Some TLS-only code paths were not protected by an #ifdef and while some
compiler are happy to just silently remove them, armc5 complains:

Warning:  #111-D: statement is unreachable

Let's make armc5 happy.
2019-06-18 10:56:09 +02:00
Manuel Pégourié-Gonnard
19e8132e1e Add NO_TLS to configs/baremetal.h
Was missed for some reason in commit ba8b1eb5d9
2019-06-18 10:54:25 +02:00
Jarno Lamsa
8b2608b6c2 Fix style issues 2019-06-18 11:50:11 +03:00
Jarno Lamsa
29a15c2de5 Set timer callbacks with serialization 2019-06-18 11:50:11 +03:00
Jarno Lamsa
85c238018e Fix spacing 2019-06-18 11:50:11 +03:00
Jarno Lamsa
034ae84601 Fix compiler warnings 2019-06-18 11:50:11 +03:00
Jarno Lamsa
8a91c0650a Add tests for re-init flow for context serialization 2019-06-18 11:50:11 +03:00
Jarno Lamsa
b5ff6a4ced Add option for ssl-context re-initialization flow 2019-06-18 11:50:11 +03:00
Jarno Lamsa
bff4a91827 Fix spacing 2019-06-18 11:50:11 +03:00
Jarno Lamsa
f4f8ed7e82 Allow stub implementation of the context_save for now 2019-06-18 11:50:11 +03:00
Jarno Lamsa
5737ec97a6 Address review comments for code-style issues 2019-06-18 11:50:11 +03:00
Jarno Lamsa
38061f4a17 Remove mbedtls_ssl_free() and mbedtls_ssl_init() from serialization flow in test 2019-06-18 11:50:11 +03:00
Jarno Lamsa
cc281b8a54 ssl-opt.sh tests for serialization are currently using stub implementation 2019-06-18 11:50:11 +03:00
Jarno Lamsa
dcfc2a7364 Add missing slashes to tests 2019-06-18 11:50:11 +03:00
Jarno Lamsa
fa45e6005e Add serialization tests to ssl-opt.sh 2019-06-18 11:50:11 +03:00
Jarno Lamsa
cf1b6724c9 Use MBEDTLS_SSL_CONTEXT_SERIALIZATION flag 2019-06-18 11:50:11 +03:00
Jarno Lamsa
f457293b57 Serialize/deserialize for ssl_server2 2019-06-18 11:50:11 +03:00
Jarno Lamsa
654e8de163 Rely on opt.exchanges for sending after serialization 2019-06-18 11:50:11 +03:00
Jarno Lamsa
d736d08618 Serialization/deserialization in ssl_client2 2019-06-18 11:50:11 +03:00
Jarno Lamsa
0ea3cfe5bf Add option for serialization in ssl_client/server2 2019-06-18 11:50:11 +03:00
Manuel Pégourié-Gonnard
11d3282f5a Add a ChangeLog entry. 2019-06-18 10:34:15 +02:00
Manuel Pégourié-Gonnard
c84511fb1f Add check for undocumented positive option 2019-06-18 10:32:25 +02:00
Manuel Pégourié-Gonnard
41efa2109e Improve documentation of PROTO_NO_TLS 2019-06-18 10:28:52 +02:00
Manuel Pégourié-Gonnard
7667afd4fc Clarify documentation of mbedtls_ssl_context_load() 2019-06-18 10:09:27 +02:00
Manuel Pégourié-Gonnard
cc71c77b5d Fix typos, grammar and wording in documentation 2019-06-18 10:09:27 +02:00
Manuel Pégourié-Gonnard
d87601e3ef Declare and document ssl_context_save()/load()
Also introduce stub definitions so that things compile and link.
2019-06-18 10:09:27 +02:00
Manuel Pégourié-Gonnard
91fa5bade3 Add new config MBEDTLS_SSL_CONTEXT_SERIALIZATION
This is enabled by default as we generally enable things by default unless
there's a reason not to (experimental, deprecated, security risk).

We need a compile-time option because, even though the functions themselves
can be easily garbage-collected by the linker, implementing them will require
saving 64 bytes of Client/ServerHello.random values after the handshake, that
would otherwise not be needed, and people who don't need this feature
shouldn't have to pay the price of increased RAM usage.
2019-06-18 10:09:27 +02:00
Hanno Becker
1abb159e90 Merge branch 'mbedtls-2.16' into baremetal 2019-06-18 09:00:37 +01:00
Simon Butcher
c725e4b34e Merge remote-tracking branch 'origin/pr/590' into baremetal 2019-06-17 17:57:26 +01:00
Simon Butcher
01a8eb21d3 Merge remote-tracking branch 'origin/pr/585' into baremetal 2019-06-17 17:53:41 +01:00
Simon Butcher
c107850c2c Merge remote-tracking branch 'origin/pr/580' into baremetal 2019-06-17 17:48:06 +01:00
Simon Butcher
62d03b2779 Merge remote-tracking branch 'origin/pr/577' into baremetal 2019-06-17 17:46:32 +01:00
Manuel Pégourié-Gonnard
ba8b1eb5d9 Use negated option for controlling TLS support.
A positive option looks better, but comes with the following compatibility
issue: people using a custom config.h that is not based on the default
config.h and need TLS support would need to manually change their config in
order to still get TLS.

Work around that by making the public option negative. Internally the positive
option is used, though.

In the future (when preparing the next major version), we might want to switch
back to a positive option as this would be more consistent with other options
we have.
2019-06-17 15:26:34 +02:00
Jaeden Amero
418e7611f6 Merge remote-tracking branch 'origin/pr/2484' into mbedtls-2.16
* origin/pr/2484:
  Correct placement of ChangeLog entry
  Improve documentation of mbedtls_x509_get_ext()
  Adapt ChangeLog
  Always return a high-level error code from X.509 module
  Obey bounds of ASN.1 substructures
2019-06-14 15:28:42 +01:00
Jaeden Amero
8f27b4455c Merge remote-tracking branch 'origin/pr/2695' into mbedtls-2.16
* origin/pr/2695:
  UDP proxy: Don't attempt to dissect dgram into records when dropping
2019-06-14 08:55:47 +01:00
Jaeden Amero
342223e72c Merge remote-tracking branch 'origin/pr/2676' into mbedtls-2.16
* origin/pr/2676:
  Show removed symbols in abi check
2019-06-14 08:54:50 +01:00
Jaeden Amero
cfb0454b1c Merge remote-tracking branch 'origin/pr/2673' into mbedtls-2.16
* origin/pr/2673:
  Remove all abi dumps, not just ones shared between versions
2019-06-14 08:54:04 +01:00
Jaeden Amero
7aed01c0dc Merge remote-tracking branch 'origin/pr/2481' into mbedtls-2.16
* origin/pr/2481:
  Document support for MD2 and MD4 in programs/x509/cert_write
  Correct name of X.509 parsing test for well-formed, ill-signed CRT
  Add test cases exercising successful verification of MD2/MD4/MD5 CRT
  Add test case exercising verification of valid MD2 CRT
  Add MD[245] test CRTs to tree
  Add instructions for MD[245] test CRTs to tests/data_files/Makefile
  Add suppport for MD2 to CSR and CRT writing example programs
  Convert further x509parse tests to use lower-case hex data
  Correct placement of ChangeLog entry
  Adapt ChangeLog
  Use SHA-256 instead of MD2 in X.509 CRT parsing tests
  Consistently use lower case hex data in X.509 parsing tests
2019-06-14 08:50:47 +01:00
Jaeden Amero
1adf212a1b Merge remote-tracking branch 'origin/pr/2497' into mbedtls-2.16
* origin/pr/2497:
  Re-generate library/certs.c from script
  Add new line at the end of test-ca2.key.enc
  Use strict syntax to annotate origin of test data in certs.c
  Add run to all.sh exercising !MBEDTLS_PEM_PARSE_C + !MBEDTLS_FS_IO
  Allow DHM self test to run without MBEDTLS_PEM_PARSE_C
  ssl-opt.sh: Auto-skip tests that use files if MBEDTLS_FS_IO unset
  Document origin of hardcoded certificates in library/certs.c
  Adapt ChangeLog
  Rename server1.der to server1.crt.der
  Add DER encoded files to git tree
  Add build instructions to generate DER versions of CRTs and keys
  Document "none" value for ca_path/ca_file in ssl_client2/ssl_server2
  ssl_server2: Skip CA setup if `ca_path` or `ca_file` argument "none"
  ssl_client2: Skip CA setup if `ca_path` or `ca_file` argument "none"
  Correct white spaces in ssl_server2 and ssl_client2
  Adapt ssl_client2 to parse DER encoded test CRTs if PEM is disabled
  Adapt ssl_server2 to parse DER encoded test CRTs if PEM is disabled
2019-06-14 08:48:54 +01:00