Commit Graph

2737 Commits

Author SHA1 Message Date
Manuel Pégourié-Gonnard
98a879a806 Improve some test names in ssl-opt.sh
- "Default" should only be used for tests that actually use the defaults (ie,
  not passing options on the command line, except maybe debug/dtls)
- All tests in the "Encrypt then MAC" group should start with that string as a
  common prefix

Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>
2020-03-24 10:57:23 +01:00
Simon Butcher
47f728718f Change the use of pylint to optionally use pylint3
Pylint when installed as a distro package can be installed as pylint3, whilst as
a PEP egg, it can be installed as pylint.

This commit changes the scripts to first use pylint if installed, and optionally
look for pylint3 if not installed. This is to allow a preference for the PEP
version over the distro version, assuming the PEP one is more likely to be
the correct one.

Signed-off-by: Simon Butcher <simon.butcher@arm.com>
2020-03-16 13:53:06 +00:00
Manuel Pégourié-Gonnard
acfa36890c
Merge pull request #2439 from andresag01/mbedtls-2.16-iotssl-2544-deprecate-record-accel
Backport 2.16: Fix compilation failure when MBEDTLS_SSL_HW_RECORD_ACCEL is enabled
2020-03-16 10:37:24 +01:00
Andres Amaya Garcia
9f3bdb87e5 Add test for MBEDTLS_SSL_HW_RECORD_ACCEL in all.sh
Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>
2020-02-26 10:14:28 +01:00
Manuel Pégourié-Gonnard
498e632b08 Fix possible close_notify/ClientHello confusion
The ssl-opt.sh test cases using session resumption tend to fail occasionally
on the CI due to a race condition in how ssl_server2 and ssl_client2 handle
the reconnection cycle.

The server does the following in order:
- S1 send application data
- S2 send a close_notify alert
- S3 close the client socket
- S4 wait for a "new connection" (actually a new datagram)
- S5 start a handshake

The client does the following in order:
- C1 wait for and read application data from the server
- C2 send a close_notify alert
- C3 close the server socket
- C4 reset session data and re-open a server socket
- C5 start a handshake

If the client has been able to send the close_notify (C2) and if has been
delivered to the server before if closes the client socket (S3), when the
server reaches S4, the datagram that we start the new connection will be the
ClientHello and everything will be fine.

However if S3 wins the race and happens before the close_notify is delivered,
in S4 the close_notify is what will be seen as the first datagram in a new
connection, and then in S5 this will rightfully be rejected as not being a
valid ClientHello and the server will close the connection (and go wait for
another one). The client will then fail to read from the socket and exit
non-zero and the ssl-opt.sh harness will correctly report this as a failure.

In order to avoid this race condition in test using ssl_client2 and
ssl_server2, this commits introduces a new command-line option
skip_close_notify to ssl_client2 and uses it in all ssl-opt.sh tests that use
session resumption with DTLS and ssl_server2.

This works because ssl_server2 knows how many messages it expects in each
direction and in what order, and closes the connection after that rather than
relying on close_notify (which is also why there was a race in the first
place).

Tests that use another server (in practice there are two of them, using
OpenSSL as a server) wouldn't work with skip_close_notify, as the server won't
close the connection until the client sends a close_notify, but for the same
reason they don't need it (there is no race between receiving close_notify and
closing as the former is the cause of the later).

An alternative approach would be to make ssl_server2 keep the connection open
until it receives a close_notify. Unfortunately it creates problems for tests
where we simulate a lossy network, as the close_notify could be lost (and the
client can't retransmit it). We could modify udp_proxy with an option to never
drop alert messages, but when TLS 1.3 comes that would no longer work as the
type of messages will be encrypted.

Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>
2020-02-26 09:33:05 +01:00
Janos Follath
334cf59930 Bump version to Mbed TLS 2.16.5 2020-02-19 12:03:00 +00:00
Manuel Pégourié-Gonnard
96ed13e21b Test each failure mode of pk_parse_key_pkcs1_der()
(Only the top-level ones, ie, for each call to eg asn1_get_mpi(), ensure
there's at least one test case that makes this call fail in one way, but don't
test the various ways to make asn1_get_mpi fail - that should be covered
elsewhere.)

- the new checks added by the previous commits needed exercising
- existing tests sometimes had wrong descriptions or where passing for the
  wrong reason (eg with the "length mismatch" test, the function actually
failed before reaching the length check)
- while at it, add tests for the rest as well

The valid minimal-size key was generated with:

openssl genrsa 128 2>/dev/null | openssl rsa -outform der 2>/dev/null | xxd -p
2020-02-18 10:49:06 +01:00
Manuel Pégourié-Gonnard
12fb9c383d Clean up test function pk_parse_key
- remove incorrect compile-time dependency (the individual cases already have
  correct run-time dependency information)
- remove unused argument
- remove unused stack buffer
- remove useless code block
2020-02-18 10:49:06 +01:00
Manuel Pégourié-Gonnard
a59988e197
Merge pull request #3029 from gilles-peskine-arm/test-opt-all-2.16
Backport 2.16: Fix and test the full config with gcc and clang
2020-02-11 09:17:09 +01:00
Manuel Pégourié-Gonnard
8d9b1c471c
Merge pull request #3027 from gilles-peskine-arm/mpi_copy_shrink-2.16
Backport 2.16: Improve robustness and testing of mbedtls_mpi_copy
2020-02-06 09:52:11 +01:00
Janos Follath
82ebf511e9
Merge pull request #3019 from mpg/fix-ssl-opt-gnutls-no-sha1-2.16
[backport 2.16] Fix ssl-opt.sh for GnuTLS versions rejecting SHA-1
2020-02-04 11:18:30 +00:00
Gilles Peskine
0fe92c2f4f Test GCC and Clang with common build options
Goals:
* Build with common compilers with common options, so that we don't
  miss a (potentially useful) warning only triggered with certain
  build options.
* A previous commit removed -O0 test jobs, leaving only the one with
  -m32. We have inline assembly that is disabled with -O0, falling
  back to generic C code. This commit restores a test that runs the
  generic C code on a 64-bit platform.
2020-02-03 20:03:39 +01:00
Gilles Peskine
99d70d8cb1 Replace -O0 by -O1 or -Os in most components
Gcc skips some analyses when compiling with -O0, so we may miss
warnings about things like uninitialized variables.
2020-02-03 20:03:39 +01:00
Gilles Peskine
8ece8572b2 shrink tests: clearer description 2020-02-03 16:21:32 +01:00
Gilles Peskine
e0ced3a3d6 Move test functions from Lilliput to Blefuscu
We normally represent bignums in big-endian order and there is no
reason to deviate here.
2020-02-03 16:21:31 +01:00
Gilles Peskine
8fe3b79cdb Better coverage for copy and swap
Cover more cases: different signs, different zeronesses, repeated
argument.
2020-02-03 16:21:31 +01:00
Gilles Peskine
e6cca7c937 Bignum copy/shrink: More precise test case descriptions 2020-02-03 16:21:31 +01:00
Manuel Pégourié-Gonnard
a7b9007d60
Merge pull request #2972 from mpg/add-zlib-tests-2.16
[2.16] Add zlib tests
2020-01-31 09:22:30 +01:00
Manuel Pégourié-Gonnard
d20ae896ea De-duplicate SHA1-independent test in ssl-opt.sh
The splitting of this test into two versions depending on whether SHA-1 was
allowed by the server was a mistake in
5d2511c4d4 - the test has nothing to do with
SHA-1 in the first place, as the server doesn't request a certificate from
the client so it doesn't matter if the server accepts SHA-1 or not.
2020-01-30 12:48:46 +01:00
Manuel Pégourié-Gonnard
7c9add2f64 Fix ssl-opt.sh for GnuTLS versions rejecting SHA-1
While the whole script makes (often implicit) assumptions about the version of
GnuTLS used, generally speaking it should work out of the box with the version
packaged on our reference testing platform, which is Ubuntu 16.04 so far.

With the update from Jan 8 2020 (3.4.10-4ubuntu1.6), the patches for rejecting
SHA-1 in certificate signatures were backported, so we should avoid presenting
SHA-1 signed certificates to a GnuTLS peer in ssl-opt.sh.
2020-01-30 11:25:22 +01:00
Janos Follath
bac9f1bfb0 Merge pull request #3001 from from gilles-peskine-arm/coverity-20200115-2.16 into mbedtls-2.16 2020-01-29 14:49:23 +00:00
Manuel Pégourié-Gonnard
114d339756 Add detection for zlib headers to all.sh 2020-01-29 09:50:54 +01:00
Gilles Peskine
75aab5276f Add missing return code check on calls to mbedtls_md() 2020-01-27 15:16:16 +01:00
Gilles Peskine
1a30fbbd3b Check that mbedtls_mpi_grow succeeds 2020-01-27 15:16:16 +01:00
Janos Follath
32b0216dd7 Bump version to Mbed TLS 2.16.4 2020-01-20 14:32:57 +00:00
Jaeden Amero
39e2c0eeb6 Merge remote-tracking branch 'origin/mbedtls-2.16' into mbedtls-2.16-restricted
* origin/mbedtls-2.16:
  Fix some pylint warnings
  Enable more test cases without MBEDTLS_MEMORY_DEBUG
  More accurate test case description
  Clarify that the "FATAL" message is expected
  Note that mbedtls_ctr_drbg_seed() must not be called twice
  Fix CTR_DRBG benchmark
  Changelog entry for xxx_drbg_set_entropy_len before xxx_drbg_seed
  CTR_DRBG: support set_entropy_len() before seed()
  CTR_DRBG: Don't use functions before they're defined
  HMAC_DRBG: support set_entropy_len() before seed()
2020-01-15 16:59:41 +00:00
Manuel Pégourié-Gonnard
95a17fbe17 Add test for record compression in ssl-opt.sh
Deprecated but still needs to be tested.
2020-01-03 10:03:15 +01:00
Manuel Pégourié-Gonnard
4ef189df49 Add all.sh components with ZLIB enabled
ZLIB support is deprecated, but until it's removed it should still be tested.
2020-01-03 10:03:15 +01:00
Darryl Green
349a079f2d Fix some pylint warnings
Fix a too-long line to meet PEP8 standards
2019-12-20 13:01:08 +00:00
Jaeden Amero
c0546439c4
Merge pull request #2894 from gilles-peskine-arm/drbg-set_entropy_len-2.16
Backport 2.16: Allow xxx_drbg_set_entropy_len before xxx_drbg_seed
2019-11-29 16:17:34 +00:00
Gilles Peskine
554d5d598f Enable more test cases without MBEDTLS_MEMORY_DEBUG
None of the test cases in tests_suite_memory_buffer_alloc actually
need MBEDTLS_MEMORY_DEBUG. Some have additional checks when
MBEDTLS_MEMORY_DEBUG but all are useful even without it. So enable
them all and #ifdef out the parts that require DEBUG.
2019-11-26 18:45:00 +01:00
Gilles Peskine
4a55e7c736 More accurate test case description 2019-11-26 18:44:55 +01:00
Gilles Peskine
19baefa04f Clarify that the "FATAL" message is expected
The test case "Memory buffer small buffer" emits a message
"FATAL: verification of first header failed". In this test case, it's
actually expected, but it looks weird to see this message from a
passing test. Add a comment that states this explicitly, and modify
the test description to indicate that the failure is expected, and
change the test function name to be more accurate.

Fix #309
2019-11-26 18:44:50 +01:00
Janos Follath
b159ae8409 mpi_lt_mpi_ct: Add further tests
The existing tests did not catch a failure that came up at integration
testing. Adding the missing test cases to trigger the bug.
2019-11-11 12:32:12 +00:00
Janos Follath
b2fddfd3f1 mpi_lt_mpi_ct: Fix test numbering 2019-11-11 12:32:12 +00:00
Janos Follath
14528628c8 mpi_lt_mpi_ct perform tests for both limb size
The corner case tests were designed for 32 and 64 bit limbs
independently and performed only on the target platform. On the other
platform they are not corner cases anymore, but we can still exercise
them.
2019-11-11 12:32:12 +00:00
Janos Follath
798e394943 mbedtls_mpi_lt_mpi_ct: add tests for 32 bit limbs
The corner case tests were designed for 64 bit limbs and failed on 32
bit platforms because the numbers in the test ended up being stored in a
different number of limbs and the function (correctly) returnd an error
upon receiving them.
2019-11-11 12:32:12 +00:00
Janos Follath
e1bf02ae26 Add more tests for mbedtls_mpi_lt_mpi_ct 2019-11-11 12:32:12 +00:00
Janos Follath
27d221a1aa mpi_lt_mpi_ct test: hardcode base 16 2019-11-11 12:32:12 +00:00
Janos Follath
867a3abff5 Change mbedtls_mpi_cmp_mpi_ct to check less than
The signature of mbedtls_mpi_cmp_mpi_ct() meant to support using it in
place of mbedtls_mpi_cmp_mpi(). This meant full comparison functionality
and a signed result.

To make the function more universal and friendly to constant time
coding, we change the result type to unsigned. Theoretically, we could
encode the comparison result in an unsigned value, but it would be less
intuitive.

Therefore we won't be able to represent the result as unsigned anymore
and the functionality will be constrained to checking if the first
operand is less than the second. This is sufficient to support the
current use case and to check any relationship between MPIs.

The only drawback is that we need to call the function twice when
checking for equality, but this can be optimised later if an when it is
needed.
2019-11-11 12:32:12 +00:00
Janos Follath
e9ae6305ea Add tests to constant time mpi comparison 2019-11-11 12:32:12 +00:00
Gilles Peskine
912ffe414e CTR_DRBG: support set_entropy_len() before seed()
mbedtls_ctr_drbg_seed() always set the entropy length to the default,
so a call to mbedtls_ctr_drbg_set_entropy_len() before seed() had no
effect. Change this to the more intuitive behavior that
set_entropy_len() sets the entropy length and seed() respects that and
only uses the default entropy length if there was no call to
set_entropy_len().

The former test-only function mbedtls_ctr_drbg_seed_entropy_len() is
no longer used, but keep it for strict ABI compatibility.
2019-10-23 18:00:03 +02:00
Jaeden Amero
ec904e4b57
Merge pull request #2899 from gilles-peskine-arm/asan-test-fail-2.16
Backport 2.16: Make sure Asan failures are detected in 'make test'
2019-10-22 16:30:45 +01:00
Jaeden Amero
8fedeaacd5
Merge pull request #2871 from gilles-peskine-arm/test_malloc_0_null-2.16
Backport 2.16: Test the library when malloc(0) returns NULL
2019-10-22 13:41:48 +01:00
Gilles Peskine
33685f51f3 'make test' must fail if Asan fails
When running 'make test' with GNU make, if a test suite program
displays "PASSED", this was automatically counted as a pass. This
would in particular count as passing:
* A test suite with the substring "PASSED" in a test description.
* A test suite where all the test cases succeeded, but the final
  cleanup failed, in particular if a sanitizer reported a memory leak.

Use the test executable's return status instead to determine whether
the test suite passed. It's always 0 on PASSED unless the executable's
cleanup code fails, and it's never 0 on any failure.

Fix ARMmbed/mbed-crypto#303
2019-10-21 20:48:05 +02:00
Gilles Peskine
ac479065f0 Asan make builds: avoid sanitizer recovery
Some sanitizers default to displaying an error message and recovering.
This could result in a test being recorded as passing despite a
complaint from the sanitizer. Turn off sanitizer recovery to avoid
this risk.
2019-10-21 20:48:05 +02:00
Gilles Peskine
b1478e8ebc Use UBsan in addition to Asan with 'make test'
When building with make with the address sanitizer enabled, also
enable the undefined behavior sanitizer.
2019-10-21 20:48:05 +02:00
Gilles Peskine
ff26b04fe3 Unify ASan options in make builds
Use a common set of options when building with Asan without CMake.
2019-10-21 20:48:02 +02:00
Jaeden Amero
b9fc0798d2 Merge remote-tracking branch 'origin/pr/2864' into mbedtls-2.16
* origin/pr/2864:
  Fix compilation error
  Add const to variable
  Fix endianity issue when reading uint32
  Increase test suite timeout
  Reduce stack usage of test_suite_pkcs1_v15
  Reduce stack usage of test_suite_pkcs1_v21
  Reduce stack usage of test_suite_rsa
  Reduce stack usage of test_suite_pk
2019-10-02 18:00:31 +01:00
Jaeden Amero
b0328ba8a3 Merge remote-tracking branch 'origin/pr/2323' into mbedtls-2.16
* origin/pr/2323:
  Add missing dependencies in test_suite_cipher.gcm
  Adapt ChangeLog
  Add NIST AES GCM test vectors to single-step cipher API test suite
2019-10-02 17:57:37 +01:00
Gilles Peskine
c6b098655e Add a test component with malloc(0) returning NULL
Exercise the library functions with calloc returning NULL for a size
of 0. Make this a separate job with UBSan (and ASan) to detect
places where we try to dereference the result of calloc(0) or to do
things like

    buf = calloc(size, 1);
    if (buf == NULL && size != 0) return INSUFFICIENT_MEMORY;
    memcpy(buf, source, size);

which has undefined behavior when buf is NULL at the memcpy call even
if size is 0.

This is needed because other test components jobs either use the system
malloc which returns non-NULL on Linux and FreeBSD, or the
memory_buffer_alloc malloc which returns NULL but does not give as
useful feedback with ASan (because the whole heap is a single C
object).
2019-09-30 13:58:12 +02:00
Ron Eldor
ae9f2a2acc Fix compilation error
Change test_info.failed to test_info.result,
as it was previously changed.
2019-09-25 15:04:21 +03:00
Ron Eldor
39512b4b8a Add const to variable
Add const type that was accidently removed.
2019-09-25 14:53:42 +03:00
Ron Eldor
6e76108e15 Fix endianity issue when reading uint32
The uint32 is given as a bigendian stream, in the tests, however,
the char buffer that collected the stream read it as is,
without converting it. Add a temporary buffer, to call `greentea_getc()`
8 times, and then put it in the correct endianity for input to `unhexify()`.
2019-09-25 14:53:35 +03:00
Ron Eldor
2ad73aa388 Increase test suite timeout
Increase the test suite timeouit from 180 seconds, to 800 seconds,
since some tests consume more time, even if all tests are skipped.
2019-09-25 14:53:26 +03:00
Ron Eldor
3adb981383 Reduce stack usage of test_suite_pkcs1_v15
Reduce the stack usage of the `test_suite_pkcs1_v15` by reducing the
size of the buffers used in the tests, to a reasonable big enough size.
2019-09-25 14:53:15 +03:00
Ron Eldor
5d7254a091 Reduce stack usage of test_suite_pkcs1_v21
Reduce the stack usage of the `test_suite_pkcs1_v21` by reducing the
size of the buffers used in the tests, to a reasonable big enough size,
and change the size sent to the API to sizeof output.
2019-09-25 14:53:04 +03:00
Ron Eldor
e4c5fa74b8 Reduce stack usage of test_suite_rsa
Reduce the stack usage of the `test_suite_rsa` by reducing the
size of the buffers used in the tests, to a reasonable big enough size,
and change the data size to decrypt in the data file.
2019-09-25 14:51:19 +03:00
Ron Eldor
5533f4aff1 Reduce stack usage of test_suite_pk
Reduce the stack usage of the `test_suite_pk` by reducing the
size of the buffers used in the tests, to a reasonable big enough size.
2019-09-25 14:51:12 +03:00
Andrzej Kurek
60ebd98a50 Enable MBEDTLS_MEMORY_DEBUG in memory buffer alloc test in all.sh 2019-09-10 03:07:44 -04:00
Andrzej Kurek
c73f857217 Remove unnecessary memory buffer alloc and memory backtrace unsets
Also unify the sanitization LDFLAGS with development
2019-09-10 03:07:29 -04:00
Andrzej Kurek
1f5a596fe2 Disable DTLS proxy tests for MEMORY_BUFFER_ALLOC test 2019-09-09 05:29:02 -04:00
Andrzej Kurek
1d0708215b all.sh: restructure memory allocator tests
Run basic tests and ssl-opt with memory backtrace disabled, then
run basic tests only with it enabled.
2019-09-09 05:28:53 -04:00
Hanno Becker
d130b98c68 Add missing dependency in memory buffer alloc set in all.sh 2019-09-09 05:28:42 -04:00
Hanno Becker
f8799e8b84 Add all.sh run with full config and ASan enabled 2019-09-09 05:25:33 -04:00
Hanno Becker
74b5e34d1b Add all.sh run with MBEDTLS_MEMORY_BUFFER_ALLOC_C enabled
With the removal of MBEDTLS_MEMORY_BUFFER_ALLOC_C from the
full config, there are no tests for it remaining in all.sh.
This commit adds a build as well as runs of `make test` and
`ssl-opt.sh` with MBEDTLS_MEMORY_BUFFER_ALLOC_C enabled to all.sh.
2019-09-09 05:25:21 -04:00
Andrzej Kurek
a9c2a3b244 Adapt all.sh to removal of buffer allocator from full config
Previously, numerous all.sh tests manually disabled the buffer allocator
or memory backtracting after setting a full config as the starting point.

With the removal of MBEDTLS_MEMORY_BACKTRACE and MBEDTLS_MEMORY_BUFFER_ALLOC_C
from full configs, this is no longer necessary.
2019-09-09 05:22:39 -04:00
Jaeden Amero
fcb8711f6f Bump version to Mbed TLS 2.16.3 2019-09-06 13:27:00 +01:00
Jaeden Amero
89408672eb Merge remote-tracking branch 'origin/mbedtls-2.16' into mbedtls-2.16-restricted
* origin/mbedtls-2.16:
  Changelog entry
  Check for zero length and NULL buffer pointer
  ssl-opt.sh: wait for proxy to start before running the script further
  Adapt ChangeLog
  Fix mpi_bigendian_to_host() on bigendian systems
2019-09-05 18:14:55 +01:00
Unknown
43dc0d6a8f ssl-opt.sh: wait for proxy to start before running the script further 2019-09-04 06:06:46 -04:00
Gilles Peskine
6d079baba8 Merge remote-tracking branch 'upstream-restricted/mbedtls-2.16-proposed' into mbedtls-2.16-restricted 2019-08-14 16:39:36 +02:00
Gilles Peskine
4d7c74811b Merge remote-tracking branch 'upstream-restricted/pr/503' into mbedtls-2.16-restricted 2019-08-14 16:39:24 +02:00
Gilles Peskine
33f66ba6fd Merge remote-tracking branch 'upstream-restricted/pr/556' into mbedtls-2.16-restricted 2019-08-14 16:38:26 +02:00
Gilles Peskine
3a930650c8 Merge remote-tracking branch 'upstream-restricted/pr/613' into mbedtls-2.16-restricted 2019-08-14 16:36:30 +02:00
Gilles Peskine
376d0d9e4a Merge remote-tracking branch 'upstream-public/pr/2736' into mbedtls-2.16 2019-08-14 16:00:53 +02:00
Gilles Peskine
c1b621c5cb Merge remote-tracking branch 'upstream-public/pr/2754' into mbedtls-2.16 2019-08-14 16:00:01 +02:00
Gilles Peskine
7a93214f15 Merge remote-tracking branch 'upstream-public/pr/2778' into mbedtls-2.16 2019-08-14 15:58:47 +02:00
Gilles Peskine
e30c09198c Exclude DTLS 1.2 only with older OpenSSL
compat.sh used to skip OpenSSL altogether for DTLS 1.2, because older
versions of OpenSSL didn't support it. But these days it is supported.

We don't want to use DTLS 1.2 with OpenSSL unconditionally, because we
still use legacy versions of OpenSSL to test with legacy ciphers. So
check whether the version we're using supports it.
2019-08-13 11:44:04 +02:00
Gilles Peskine
560f332dd2 Document the rationale for the armel build
Call the component xxx_arm5vte, because that's what it does. Explain
"armel", and more generally why this component exists, in a comment.
2019-08-09 16:06:27 +02:00
Gilles Peskine
e07b9ff2d9 Switch armel build to -Os
Without any -O option, the default is -O0, and then the assembly code
is not used, so this would not be a non-regression test for the
assembly code that doesn't build.
2019-08-08 16:12:46 +02:00
Gilles Peskine
0bd284dc51 Add a build on ARMv5TE in ARM mode
Non-regression test for
"bn_mul.h: require at least ARMv6 to enable the ARM DSP code"
2019-08-05 11:34:25 +02:00
Gilles Peskine
c3c738e0fe
Merge pull request #639 from ARMmbed/mbedtls-2.16-proposed
Merge mbedtls-2.16 into mbedtls-2.16-restricted
2019-08-05 11:06:37 +02:00
Gilles Peskine
a60dc25e9f
Merge pull request #2419 from RonEld/Backport2.16_2734
Backport 2.16: Update soon to be expired crl
2019-08-03 13:38:20 +02:00
Gilles Peskine
1e3eb28ae3
Merge pull request #2735 from hanno-arm/skip_test-2.16
2.16: Add TEST_ASSUME macro to allow skipping tests at runtime
2019-08-03 13:37:59 +02:00
Gilles Peskine
756b3f2c25 entropy_nv_seed: cope with SHA-256
This test case was only executed if the SHA-512 module was enabled and
MBEDTLS_ENTROPY_FORCE_SHA256 was not enabled, so "config.pl full"
didn't have a chance to reach it even if that enabled
MBEDTLS_PLATFORM_NV_SEED_ALT.

Now all it takes to enable this test is MBEDTLS_PLATFORM_NV_SEED_ALT
and its requirements, and the near-ubiquitous MD module.
2019-07-19 17:43:03 +02:00
Gilles Peskine
0450eecfae entropy_nv_seed: clean up properly
Call mbedtls_entropy_free on test failure.

Restore the previous NV seed functions which the call to
mbedtls_platform_set_nv_seed() changed. This didn't break anything,
but only because the NV seed functions used for these tests happened
to work for the tests that got executed later in the .data file.
2019-07-19 17:43:03 +02:00
Gilles Peskine
fc41bd7f35 Don't call memset after calloc
memset has undefined behavior when either pointer can be NULL, which
is the case when it's the result of malloc/calloc with a size of 0.
The memset calls here are useless anyway since they come immediately
after calloc.
2019-07-19 17:42:47 +02:00
Jaeden Amero
af4578f14b Merge remote-tracking branch 'origin/mbedtls-2.16' into mbedtls-2.16-restricted
* origin/mbedtls-2.16:
  Fix parsing issue when int parameter is in base 16
  Refactor receive_uint32()
  Refactor get_byte function
  Make the script portable to both pythons
  Update the test encoding to support python3
  update the test script
  tests: Limit each log to 10 GiB
2019-07-12 10:16:11 +01:00
Jaeden Amero
cb686a1b6b Merge remote-tracking branch 'origin/pr/2743' into mbedtls-2.16
* origin/pr/2743:
  tests: Limit each log to 10 GiB
2019-07-11 16:19:21 +01:00
Ron Eldor
7c52e229d5 Fix parsing issue when int parameter is in base 16
Fix error `ValueError: invalid literal for int() with base 10:` that
is caused when a parameter is given in base 16. Use relevant base
when calling `int()` function.
2019-07-11 14:36:50 +03:00
Ron Eldor
e81ff54881 Refactor receive_uint32()
Call `greentea_getc()` 8 times, and then `unhexify` once, instead of
calling `receive_byte()`, which inside calls `greentea_getc()` twice,
for every hex digit.
2019-07-11 14:36:34 +03:00
Ron Eldor
3dd77909d3 Refactor get_byte function
Change implementation of `get_byte()` to call `unhexify()`.
2019-07-11 14:36:27 +03:00
Ron Eldor
9d40da275d Make the script portable to both pythons
Make the script work for python3 and for python2
2019-07-11 14:36:20 +03:00
Ron Eldor
b43fe57d34 Update the test encoding to support python3
Since Python3 handles encoding differently than Python2,
a change in the way the data is encoded and sent to the target is needed.
1. Change the test data to be sent as hex string
2. Convert the characters to binary bytes.

This is done because the mbed tools translate the encoding differently
(mbed-greentea, and mbed-htrunner)
2019-07-11 14:36:13 +03:00
Ron Eldor
56b6e523fa update the test script
Update `mbedtls_test.py` script to work with Python 3.7.
resolves #2653
2019-07-11 14:36:06 +03:00
Ron Eldor
36503922a0 Update certificates to expire in 2029
Update certificates that expire on 2021, to prolong their validity,
to make tests pass three years ahead.
2019-07-10 18:35:10 +03:00
Ron Eldor
9647bc56da Update soon to be expired crl
Update crl.pem, as it will expire on November 25 2019.
Resolves #2357.
2019-07-10 17:26:39 +03:00
Jaeden Amero
a258ccd368 tests: Limit each log to 10 GiB
Limit log output in compat.sh and ssl-opt.sh, in case of failures with
these scripts where they may output seemingly unlimited length error
logs.

Note that ulimit -f uses units of 512 bytes, so we use 10 * 1024 * 1024
* 2 to get 10 GiB.
2019-07-10 08:51:56 +01:00
Jaeden Amero
d7ec086e04 Merge remote-tracking branch 'origin/mbedtls-2.16' into mbedtls-2.16-restricted
* origin/mbedtls-2.16:
  Split _abi_compliance_command into smaller functions
  Record the commits that were compared
  Document how to build the typical argument for -s
  Allow running /somewhere/else/path/to/abi_check.py
  Allow TODO in code
  Use the docstring in the command line help
2019-07-10 08:47:43 +01:00
k-stachowiak
ad1836af58 Add a test for mlaformed ECJPAKE context 2019-07-08 15:44:37 +02:00
Gilles Peskine
dc25c32663 Test that a shared library build produces a dynamically linked executable 2019-07-05 15:48:03 +02:00
Gilles Peskine
2c47ffc37f Test that the shared library build with CMake works 2019-07-05 15:46:46 +02:00
Gilles Peskine
87bf1b5cf4 Add a test of MBEDTLS_CONFIG_FILE
configs/README.txt documents that you can use an alternative
configuration file by defining the preprocessor symbol
MBEDTLS_CONFIG_FILE. Test this.
2019-07-05 15:46:46 +02:00
Hanno Becker
d3369f6d01 Add TEST_ASSUME macro to allow skipping tests at runtime
This commit adds a macro TEST_ASSUME to the test infrastructure
which allows to skip tests based on unmet conditions determined
at runtime.
2019-07-05 13:41:08 +01:00
Gilles Peskine
47d7c2d7cb Allow TODO in code
Don't reject TODO in code. Fix #2587
2019-07-05 10:55:53 +02:00
Gilles Peskine
79cfef02d9 Use the docstring in the command line help 2019-07-05 10:55:53 +02:00
Jaeden Amero
7b03e87fbc Merge remote-tracking branch 'restricted/pr/582' into mbedtls-2.16-restricted
* restricted/pr/582:
  Add a test for signing content with a long ECDSA key
  Add documentation notes about the required size of the signature buffers
  Add missing MBEDTLS_ECP_C dependencies in check_config.h
  Change size of preallocated buffer for pk_sign() calls
2019-06-24 11:40:59 +01:00
Jaeden Amero
5ecbd14fdd Merge remote-tracking branch 'origin/pr/2701' into mbedtls-2.16
* origin/pr/2701:
  Add all.sh component that exercises invalid_param checks
  Remove mbedtls_param_failed from programs
  Make it easier to define MBEDTLS_PARAM_FAILED as assert
  Make test suites compatible with #include <assert.h>
  Pass -m32 to the linker as well
2019-06-21 16:00:06 +01:00
Jaeden Amero
a5ebd5fe10 Merge remote-tracking branch 'origin/pr/2615' into mbedtls-2.16
* origin/pr/2615:
  Use 'config.pl baremetal' in all.sh
2019-06-21 15:59:34 +01:00
Jaeden Amero
096bccf204 Merge remote-tracking branch 'origin/pr/2450' into mbedtls-2.16
* origin/pr/2450:
  Fix #2370, minor typos and spelling mistakes
2019-06-21 15:59:29 +01:00
Jaeden Amero
f580d43bad Merge remote-tracking branch 'origin/pr/2053' into mbedtls-2.16
* origin/pr/2053:
  Clarify ChangeLog entry for fix to #1628
  Add Changelog entry for clang test-ref-configs.pl fix
  Enable more compiler warnings in tests/Makefile
  Change file scoping of test helpers.function
2019-06-21 15:59:16 +01:00
Jaeden Amero
d81c11b8ab Merge remote-tracking branch 'origin/pr/2687' into mbedtls-2.16
* origin/pr/2687:
  Update library to 2.16.2
2019-06-18 14:23:28 +01:00
Gilles Peskine
dcab202368 Add all.sh component that exercises invalid_param checks
With the change to the full config, there were no longer any tests
that exercise invalid-parameter behavior. The test suite exercises
invalid-parameter behavior by calling TEST_INVALID_PARAM and friends,
relying on the test suite's mbedtls_check_param function. This
function is only enabled if MBEDTLS_CHECK_PARAMS is defined but not
MBEDTLS_CHECK_PARAMS_ASSERT.

Add a component to all.sh that enables MBEDTLS_CHECK_PARAMS but
disables MBEDTLS_CHECK_PARAMS_ASSERT and doesn't define
MBEDTLS_PARAM_FAILED. This way, the xxx_invalid_param() tests do run.
Since sample programs don't provide a mbedtls_check_param function,
this component doesn't build the sample programs.
2019-06-17 19:11:35 +02:00
Gilles Peskine
137d31bf5a Make test suites compatible with #include <assert.h>
Don't use the macro name assert. It's technically permitted as long as
<assert.h> is not included, but it's fragile, because it means the
code and any header that it includes must not include <assert.h>.
2019-06-17 19:06:52 +02:00
Gilles Peskine
8118e4672e Pass -m32 to the linker as well
For unit tests and sample programs, CFLAGS=-m32 is enough to get a
32-bit build, because these programs are all compiled directly
from *.c to the executable in one shot. But with makefile rules that
first build object files and then link them, LDFLAGS=-m32 is also
needed.
2019-06-17 19:06:28 +02:00
Jaeden Amero
418e7611f6 Merge remote-tracking branch 'origin/pr/2484' into mbedtls-2.16
* origin/pr/2484:
  Correct placement of ChangeLog entry
  Improve documentation of mbedtls_x509_get_ext()
  Adapt ChangeLog
  Always return a high-level error code from X.509 module
  Obey bounds of ASN.1 substructures
2019-06-14 15:28:42 +01:00
Jaeden Amero
7aed01c0dc Merge remote-tracking branch 'origin/pr/2481' into mbedtls-2.16
* origin/pr/2481:
  Document support for MD2 and MD4 in programs/x509/cert_write
  Correct name of X.509 parsing test for well-formed, ill-signed CRT
  Add test cases exercising successful verification of MD2/MD4/MD5 CRT
  Add test case exercising verification of valid MD2 CRT
  Add MD[245] test CRTs to tree
  Add instructions for MD[245] test CRTs to tests/data_files/Makefile
  Add suppport for MD2 to CSR and CRT writing example programs
  Convert further x509parse tests to use lower-case hex data
  Correct placement of ChangeLog entry
  Adapt ChangeLog
  Use SHA-256 instead of MD2 in X.509 CRT parsing tests
  Consistently use lower case hex data in X.509 parsing tests
2019-06-14 08:50:47 +01:00
Jaeden Amero
1adf212a1b Merge remote-tracking branch 'origin/pr/2497' into mbedtls-2.16
* origin/pr/2497:
  Re-generate library/certs.c from script
  Add new line at the end of test-ca2.key.enc
  Use strict syntax to annotate origin of test data in certs.c
  Add run to all.sh exercising !MBEDTLS_PEM_PARSE_C + !MBEDTLS_FS_IO
  Allow DHM self test to run without MBEDTLS_PEM_PARSE_C
  ssl-opt.sh: Auto-skip tests that use files if MBEDTLS_FS_IO unset
  Document origin of hardcoded certificates in library/certs.c
  Adapt ChangeLog
  Rename server1.der to server1.crt.der
  Add DER encoded files to git tree
  Add build instructions to generate DER versions of CRTs and keys
  Document "none" value for ca_path/ca_file in ssl_client2/ssl_server2
  ssl_server2: Skip CA setup if `ca_path` or `ca_file` argument "none"
  ssl_client2: Skip CA setup if `ca_path` or `ca_file` argument "none"
  Correct white spaces in ssl_server2 and ssl_client2
  Adapt ssl_client2 to parse DER encoded test CRTs if PEM is disabled
  Adapt ssl_server2 to parse DER encoded test CRTs if PEM is disabled
2019-06-14 08:48:54 +01:00
Jaeden Amero
ff36cdaa84 Update library to 2.16.2 2019-06-11 17:27:32 +01:00
k-stachowiak
11f38e2f61 Add a test for signing content with a long ECDSA key
Due to the way the current PK API works, it may have not been clear
for the library clients, how big output buffers they should pass
to the signing functions. Depending on the key type they depend on
MPI or EC specific compile-time constants.

Inside the library, there were places, where it was assumed that
the MPI size will always be enough, even for ECDSA signatures.
However, for very small sizes of the MBEDTLS_MPI_MAX_SIZE and
sufficiently large key, the EC signature could exceed the MPI size
and cause a stack overflow.

This test establishes both conditions -- small MPI size and the use
of a long ECDSA key -- and attempts to sign an arbitrary file.
This can cause a stack overvlow if the signature buffers are not
big enough, therefore the test is performed for an ASan build.
2019-06-10 11:49:54 +02:00
Jaeden Amero
adffe39fdb test: Remove redundant 0-byte decryption test
Remove the "Decrypt empty buffer" test, as ChaCha20 is a stream cipher
and 0 bytes encrypted is identical to a 0 length buffer. The "ChaCha20
Encrypt and decrypt 0 bytes" test will test decryption of a 0 length
buffer.
2019-06-06 12:04:13 +01:00
Jaeden Amero
4e47aa0120 test: Check empty buffer decryption for chachapoly
Previously, even in the Chacha20 and Chacha20-Poly1305 tests, we would
test that decryption of an empty buffer would work with
MBEDTLS_CIPHER_AES_128_CBC.

Make the cipher used with the dec_empty_buf() test configurable, so that
Chacha20 and Chacha20-Poly1305 empty buffer tests can use ciphers other
than AES CBC. Then, make the Chacha20 and Chacha20-Poly1305 empty buffer
tests use the MBEDTLS_CIPHER_CHACHA20 and
MBEDTLS_CIPHER_CHACHA20_POLY1305 cipher suites.
2019-06-06 12:04:13 +01:00
Hanno Becker
2f472140f9 Always return a high-level error code from X.509 module
Some functions within the X.509 module return an ASN.1 low level
error code where instead this error code should be wrapped by a
high-level X.509 error code as in the bulk of the module.

Specifically, the following functions are affected:
- mbedtls_x509_get_ext()
- x509_get_version()
- x509_get_uid()

This commit modifies these functions to always return an
X.509 high level error code.

Care has to be taken when adapting `mbetls_x509_get_ext()`:
Currently, the callers `mbedtls_x509_crt_ext()` treat the
return code `MBEDTLS_ERR_ASN1_UNEXPECTED_TAG` specially to
gracefully detect and continue if the extension structure is not
present. Wrapping the ASN.1 error with
`MBEDTLS_ERR_X509_INVALID_EXTENSIONS` and adapting the check
accordingly would mean that an unexpected tag somewhere
down the extension parsing would be ignored by the caller.

The way out of this is the following: Luckily, the extension
structure is always the last field in the surrounding structure,
so if there is some data remaining, it must be an Extension
structure, so we don't need to deal with a tag mismatch gracefully
in the first place.

We may therefore wrap the return code from the initial call to
`mbedtls_asn1_get_tag()` in `mbedtls_x509_get_ext()` by
`MBEDTLS_ERR_X509_INVALID_EXTENSIONS` and simply remove
the special treatment of `MBEDTLS_ERR_ASN1_UNEXPECTED_TAG`
in the callers `x509_crl_get_ext()` and `x509_crt_get_ext()`.

This renders `mbedtls_x509_get_ext()` unsuitable if it ever
happened that an Extension structure is optional and does not
occur at the end of its surrounding structure, but for CRTs
and CRLs, it's fine.

The following tests need to be adapted:
- "TBSCertificate v3, issuerID wrong tag"
  The issuerID is optional, so if we look for its presence
  but find a different tag, we silently continue and try
  parsing the subjectID, and then the extensions. The tag '00'
  used in this test doesn't match either of these, and the
  previous code would hence return LENGTH_MISMATCH after
  unsucessfully trying issuerID, subjectID and Extensions.
  With the new code, any data remaining after issuerID and
  subjectID _must_ be Extension data, so we fail with
  UNEXPECTED_TAG when trying to parse the Extension data.
- "TBSCertificate v3, UIDs, invalid length"
  The test hardcodes the expectation of
  MBEDTLS_ERR_ASN1_INVALID_LENGTH, which needs to be
  wrapped in MBEDTLS_ERR_X509_INVALID_FORMAT now.

Fixes #2431.
2019-06-04 14:01:10 +01:00
Hanno Becker
4e1bfc19cc Obey bounds of ASN.1 substructures
When parsing a substructure of an ASN.1 structure, no field within
the substructure must exceed the bounds of the substructure.
Concretely, the `end` pointer passed to the ASN.1 parsing routines
must be updated to point to the end of the substructure while parsing
the latter.

This was previously not the case for the routines
- x509_get_attr_type_and_value(),
- mbedtls_x509_get_crt_ext(),
- mbedtls_x509_get_crl_ext().
These functions kept using the end of the parent structure as the
`end` pointer and would hence allow substructure fields to cross
the substructure boundary. This could lead to successful parsing
of ill-formed X.509 CRTs.

This commit fixes this.

Care has to be taken when adapting `mbedtls_x509_get_crt_ext()`
and `mbedtls_x509_get_crl_ext()`, as the underlying function
`mbedtls_x509_get_ext()` returns `0` if no extensions are present
but doesn't set the variable which holds the bounds of the Extensions
structure in case the latter is present. This commit addresses
this by returning early from `mbedtls_x509_get_crt_ext()` and
`mbedtls_x509_get_crl_ext()` if parsing has reached the end of
the input buffer.

The following X.509 parsing tests need to be adapted:
- "TBSCertificate, issuer two inner set datas"
  This test exercises the X.509 CRT parser with a Subject name
  which has two empty `AttributeTypeAndValue` structures.
  This is supposed to fail with `MBEDTLS_ERR_ASN1_OUT_OF_DATA`
  because the parser should attempt to parse the first structure
  and fail because of a lack of data. Previously, it failed to
  obey the (0-length) bounds of the first AttributeTypeAndValue
  structure and would try to interpret the beginning of the second
  AttributeTypeAndValue structure as the first field of the first
  AttributeTypeAndValue structure, returning an UNEXPECTED_TAG error.
- "TBSCertificate, issuer, no full following string"
  This test exercises the parser's behaviour on an AttributeTypeAndValue
  structure which contains more data than expected; it should therefore
  fail with MBEDTLS_ERR_ASN1_LENGTH_MISMATCH. Because of the missing bounds
  check, it previously failed with UNEXPECTED_TAG because it interpreted
  the remaining byte in the first AttributeTypeAndValue structure as the
  first byte in the second AttributeTypeAndValue structure.
- "SubjectAltName repeated"
  This test should exercise two SubjectAltNames extensions in succession,
  but a wrong length values makes the second SubjectAltNames extension appear
  outside of the Extensions structure. With the new bounds in place, this
  therefore fails with a LENGTH_MISMATCH error. This commit adapts the test
  data to put the 2nd SubjectAltNames extension inside the Extensions
  structure, too.
2019-06-04 14:01:10 +01:00
Hanno Becker
bdf2035710 Correct name of X.509 parsing test for well-formed, ill-signed CRT 2019-06-03 16:20:05 +01:00
Hanno Becker
cfa341844f Add test cases exercising successful verification of MD2/MD4/MD5 CRT 2019-06-03 16:20:02 +01:00
Hanno Becker
4d7210c23c Add test case exercising verification of valid MD2 CRT
The X.509 parsing test suite test_suite_x509parse contains a test
exercising X.509 verification for a valid MD4/MD5 certificate in a
profile which doesn't allow MD4/MD5. This commit adds an analogous
test for MD2.
2019-06-03 16:19:59 +01:00
Hanno Becker
8d59f250bc Add MD[245] test CRTs to tree 2019-06-03 16:19:46 +01:00
Hanno Becker
928f617747 Add instructions for MD[245] test CRTs to tests/data_files/Makefile 2019-06-03 16:19:39 +01:00
Hanno Becker
8b3bcbab79 Convert further x509parse tests to use lower-case hex data
With emacs: `replace-regexp "\([a-fA-F0-9]*\)" "\,(downcase \1)"`
2019-06-03 16:17:58 +01:00
Jaeden Amero
ada38317dd test: Always use make clean by itself
When running make with parallelization, running both "clean" and "lib"
with a single make invocation can lead to each target building in
parallel. It's bad if lib is partially done building something, and then
clean deletes what was built. This can lead to errors later on in the
lib target.

    $ make -j9 clean lib
      CC    aes.c
      CC    aesni.c
      CC    arc4.c
      CC    aria.c
      CC    asn1parse.c
      CC    ./library/error.c
      CC    ./library/version.c
      CC    ./library/version_features.c
      AR    libmbedcrypto.a
    ar: aes.o: No such file or directory
    Makefile:120: recipe for target 'libmbedcrypto.a' failed
    make[2]: *** [libmbedcrypto.a] Error 1
    Makefile:152: recipe for target 'libmbedcrypto.a' failed
    make[1]: *** [libmbedcrypto.a] Error 2
    Makefile:19: recipe for target 'lib' failed
    make: *** [lib] Error 2
    make: *** Waiting for unfinished jobs....

To avoid this sort of trouble, always invoke clean by itself without
other targets throughout the library. Don't run clean in parallel with
other rules. The only place where clean was run in parallel with other
targets was in list-symbols.sh.
2019-05-31 17:49:25 +01:00
Hanno Becker
67d1848ed0 Use SHA-256 instead of MD2 in X.509 CRT parsing tests
- Replace 'RSA with MD2' OID '2a864886f70d010102' by
  'RSA with SHA-256' OID '2a864886f70d01010b':
  Only the last byte determines the hash, and
  `MBEDTLS_OID_PKCS1_MD2 == MBEDTLS_OID_PKCS1 "\x02"`
  `MBEDTLS_OID_PKCS1_SHA256 == MBEDTLS_OID_PKCS1 "\x0b"`
  See oid.h.
- Replace MD2 dependency by SHA256 dependency.
- Adapt expected CRT info output.
2019-05-30 11:19:08 +01:00
Hanno Becker
556e6d84ea Consistently use lower case hex data in X.509 parsing tests 2019-05-30 11:19:08 +01:00
Hanno Becker
dd7e193f49 Add new line at the end of test-ca2.key.enc 2019-05-30 10:58:12 +01:00
Hanno Becker
e562e7dbeb Add run to all.sh exercising !MBEDTLS_PEM_PARSE_C + !MBEDTLS_FS_IO 2019-05-30 10:58:12 +01:00
Hanno Becker
7a11e72a4f ssl-opt.sh: Auto-skip tests that use files if MBEDTLS_FS_IO unset
This should allow to run ssl-opt.sh successfully in the default
configuration minus MBEDTLS_PEM_PARSE_C minus MBEDTLS_FS_IO.
2019-05-30 10:58:07 +01:00
Hanno Becker
f8b0b15c90 Rename server1.der to server1.crt.der 2019-05-30 10:27:49 +01:00
Hanno Becker
389ee9b40b Add DER encoded files to git tree 2019-05-30 10:27:14 +01:00
Hanno Becker
5895a2db7b Add build instructions to generate DER versions of CRTs and keys 2019-05-30 10:27:14 +01:00
Gilles Peskine
39d7c58db5 list-symbols.sh: if the build fails, print the build transcript
If "make clean lib" fails in list-symbols.sh, print the transcript
from running make.
2019-05-22 19:07:36 +02:00
Gilles Peskine
902a1f3f7f Document "check-names.sh -v" 2019-05-22 19:07:36 +02:00
Gilles Peskine
473f2d4ec2 all.sh: invoke check-names.sh in print-trace-on-exit mode 2019-05-15 17:55:06 +02:00
Gilles Peskine
5e525fb6e5 Print a command trace if the check-names.sh exits unexpectedly
We've observed that sometimes check-names.sh exits unexpectedly with
status 2 and no error message. The failure is not reproducible. This
commits makes the script print a trace if it exits unexpectedly.
2019-05-15 17:40:58 +02:00
Manuel Pégourié-Gonnard
6e6ae9b2e8 Use 'config.pl baremetal' in all.sh 2019-04-29 12:48:21 +02:00
Darryl Green
3997a6cd25 Document the scripts behaviour further 2019-04-18 13:18:22 +01:00
Darryl Green
3ef06d5bf7 Add --internal option to list-identifiers.sh
When doing ABI/API checking, its useful to have a list of all the
identifiers that are defined in the internal header files, as we
do not promise compatibility for them. This option allows for a
simple method of getting them for use with the ABI checking script.
2019-04-18 12:02:49 +01:00
Jaeden Amero
20d707dd3e Merge remote-tracking branch 'origin/pr/2571' into mbedtls-2.16
* origin/pr/2571:
  Clarify comment mangled by an earlier refactoring
  Add an "out-of-box" component
  Run ssl-opt.sh on 32-bit runtime
2019-04-16 15:10:18 +01:00
Gilles Peskine
0a47c4ffbb Clarify comment mangled by an earlier refactoring 2019-04-10 18:47:51 +02:00
Gilles Peskine
99a3310fba Add an "out-of-box" component
Just run `make` and `make test`. And `selftest` for good measure.
2019-04-10 18:47:51 +02:00
Gilles Peskine
7dd44b28f1 Run ssl-opt.sh on 32-bit runtime
Run ssl-opt.sh on x86_32 with ASan. This may detect bugs that only
show up on 32-bit platforms, for example due to size_t overflow.

For this component, turn off some memory management features that are
not useful, potentially slow, and may reduce ASan's effectiveness at
catching buffer overflows.
2019-04-10 18:47:50 +02:00