Commit Graph

626 Commits

Author SHA1 Message Date
Gilles Peskine
3a584aecca Enable SSLv3 in the full config
It's deprecated, but not otherwise counter-indicated for the full
config: it doesn't conflict with anything and enabling it doesn't make
testing harder (especially since it defaults off in compat.sh).

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2020-04-20 15:39:36 +02:00
Gilles Peskine
be1d609c19 New config: full_non_deprecated
Enable everything that can be tested together and isn't deprecated.

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2020-04-20 15:39:36 +02:00
Gilles Peskine
90581ee629 Turn off DEPRECATED_WARNING in full and baremetal
MBEDTLS_DEPRECATED_REMOVED is turned off in full since we don't want
to turn off deprecated features. Also turn off
MBEDTLS_DEPRECATED_WARNING since we wouldn't want expected warnings:
we're aware that we're enabling deprecated modules.

Since MBEDTLS_DEPRECATED_WARNING is excluded from full, it doesn't
need to be excluded from baremetal explicitly.

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2020-04-20 15:39:36 +02:00
Gilles Peskine
dc6d838a73 Enable MBEDTLS_PSA_CRYPTO_SE_C in config full
It started out as be experimental, but it is now robust enough not to
break the rest, so there's no reason to leave it out.

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2020-04-20 15:39:32 +02:00
Gilles Peskine
5a2710e9af
Merge pull request #3120 from gilles-peskine-arm/check-windows-files
Check Windows files for sanity as well
2020-04-20 13:59:27 +02:00
irwir
96b45a4370 Merge remote-tracking branch 'upstream/development' into fix_vcxproj
Signed-off-by: irwir <irwir@users.noreply.github.com>
2020-04-20 13:21:46 +03:00
irwir
febf8802d7 Merge remote-tracking branch 'upstream/development' into fix_vcxproj
Signed-off-by: irwir <irwir@users.noreply.github.com>
2020-04-20 13:20:06 +03:00
Gilles Peskine
5c34ee14d3
Merge pull request #3118 from gilles-peskine-arm/pylint-up-to-2.4-development
Pass Pylint up to 2.4
2020-04-20 09:47:40 +02:00
irwir
49d46a7473 Finalize fixing the issue #1430.
The previous PRs had correct template project, but somehow it was not merged.

Signed-off-by: irwir <irwir@users.noreply.github.com>
2020-04-19 16:25:54 +03:00
Gilles Peskine
6710e15921 Enable X509_ALLOW_EXTENSIONS_NON_V3 in config full and fix tests
Enable MBEDTLS_X509_ALLOW_EXTENSIONS_NON_V3 in the full config. There's
no reason to keep it out. We weren't testing it at all on the CI.

Add a missing dependency on !MBEDTLS_X509_ALLOW_EXTENSIONS_NON_V3 to
some test cases that either were testing that v3 extensions are only
accepted in v3 certificates, or where parsing returns a different
error when MBEDTLS_X509_ALLOW_EXTENSIONS_NON_V3 is enabled.

Add a few positive and negative test cases with
MBEDTLS_X509_ALLOW_EXTENSIONS_NON_V3 enabled.

Fix one test case with MBEDTLS_X509_ALLOW_EXTENSIONS_NON_V3 where the
intended output of mbedtls_x509_crt_info had changed in
890819a597 but the test case was missed
because it was never executed.

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2020-04-14 21:32:53 +02:00
Gilles Peskine
32e889dfc3 Document and fix the MBEDTLS_xxx_ALT logic for the full config
The intended logic around MBEDTLS_xxx_ALT is to exclude them from full
because they require the alternative implementation of one or more
library functions, except that MBEDTLS_PLATFORM_xxx_ALT are different:
they're alternative implementations of a platform function and they
have a built-in default, so they should be included in full. Document
this.

Fix a bug whereby MBEDTLS_PLATFORM_xxx_ALT didn't catch symbols where
xxx contains an underscore. As a consequence,
MBEDTLS_PLATFORM_GMTIME_R_ALT and MBEDTLS_PLATFORM_NV_SEED_ALT are now
enabled in the full config. Explicitly exclude
MBEDTLS_PLATFORM_SETUP_TEARDOWN_ALT because it behaves like the
non-platform ones, requiring an extra build-time dependency.
Explicitly exclude MBEDTLS_PLATFORM_NV_SEED_ALT from baremetal
because it requires MBEDTLS_ENTROPY_NV_SEED, and likewise explicitly
unset it from builds that unset MBEDTLS_ENTROPY_NV_SEED.

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2020-04-14 21:23:48 +02:00
Gilles Peskine
cfffc28a80 Document the full and baremetal configurations
For each excluded symbol, explain why it's excluded.

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2020-04-14 12:16:30 +02:00
Gilles Peskine
bbaa2b784a Move long lists out of functions
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2020-04-12 14:12:59 +02:00
Gaurav Aggarwal
3d02db23e8 Add auto-generated code markers
The presence of these markers in the original code was helpful to me in
figuring out that this portion of the code is auto-generated.
Therefore, I think those are useful and should be present.

Signed-off-by: Gaurav Aggarwal <aggarg@amazon.com>
2020-04-11 17:14:03 -07:00
Gilles Peskine
184c096e95 Pylint: abide by useless-object-inheritance warnings
Inheriting from object is a remainder of Python 2 habits and is just
clutter in Python 3.

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2020-04-11 20:23:22 +02:00
Gaurav Aggarwal
a4a2aa5169 Address review comments
- Use switch case instead of loop to generate faster code
- Add #if defined to address compiler error

Signed-off-by: Gaurav Aggarwal <aggarg@amazon.com>
2020-04-09 11:58:24 -07:00
Gaurav Aggarwal
a9f64006ea Add support for const error description strings
Problem
-------
mbedtls_strerror is a utility function which converts an mbedTLS error code
into a human readable string. It requires the caller to allocate a buffer every
time an error code needs to be converted to a string. It is an overkill and a
waste of RAM for resource constrained microcontrollers - where the most common
use case is to use these strings for logging.

Solution
--------
The proposed commit adds two functions:

* const char * mbedtls_high_level_strerr( int error_code );
* const char * mbedtls_low_level_strerr( int error_code );

The above two functions convert the high level and low level parts of an mbedTLS
error code to human readable strings. They return a const pointer to an
unmodifiable string which is not supposed to be modified by the caller and only
to be used for logging purposes. The caller no longer needs to allocate a
buffer.

Backward Compatibility
----------------------
The proposed change is completely backward compatible as it does not change
the existing mbedtls_strerror function and ensures that it continues to behave
the same way.

Signed-off-by: Gaurav Aggarwal <aggarg@amazon.com>
2020-04-09 01:44:52 -07:00
Gilles Peskine
2ae678d238 Systematically use Windows line endings in Windows files
Don't mix Windows and Unix line endings, it's the worst of both worlds.

Update the Visual Studio templates and regenerate the generated files.

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2020-04-01 13:42:24 +02:00
Gilles Peskine
0f3f9c3c73 Fix a stray CR inside a line
Use CRLF consistently instead of cobbling a \r here and a \n there.

The generated files don't change.

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2020-04-01 13:42:12 +02:00
Gilles Peskine
dba4de0a12 Clarify extract_top_version when creating a new section
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2020-03-30 11:37:26 +02:00
Gilles Peskine
b695d5e30a Add guidance on writing and maintaining changelog entries
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2020-03-27 20:14:19 +01:00
Gilles Peskine
4d977a4f40 Complain if there is junk before the first category title
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2020-03-27 20:14:19 +01:00
Gilles Peskine
e248e83f9f Start numbering lines at 1
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2020-03-27 20:14:19 +01:00
Gilles Peskine
eebf24f7a8 Create a new version section if the top version has a release date
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2020-03-27 20:14:17 +01:00
Gilles Peskine
6e97c43959 Switch to the classic Mbed TLS ChangeLog format
Instead of working with Markdown format, keep the classic Mbed TLS
ChangeLog format, with the classic category names. Keep the classic
file name as well. This way there's no risk of breaking third-party
scripts that may copy or even parse the changelog file.

Accordingly, expect ChangeLog/*.txt files instead of ChangeLog/*.md.

This commit completely rewrites the parsing and output code.

This commit systematically appends to the existing top version. A
subsequent commit will restore the capability of creating a new
version.

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2020-03-27 20:13:45 +01:00
Gilles Peskine
c68c7c8864 Add a missing space in help text
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2020-03-27 19:09:18 +01:00
Gilles Peskine
ac0f0860f1 Reformatting to pacify pylint
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2020-03-27 10:56:45 +01:00
Gilles Peskine
42f384c186 Mbed Crypto isn't a separate project anymore
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2020-03-27 09:23:38 +01:00
Gilles Peskine
98a53aa399 Follow renames when looking for the creation of a file
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2020-03-26 22:50:11 +01:00
Gilles Peskine
13dc634282 Simplify the matching of the last line
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2020-03-26 22:49:44 +01:00
Gilles Peskine
7fa3eb7d44 Simplify sorting
Calling sort_key explicitly is marginally faster, but less readable.

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2020-03-26 22:41:32 +01:00
Gilles Peskine
28af958ea4 Documentation improvements
Document that git is needed.

Be clearer about the entry sort key being an entry sort key, not just
a merge order. Be clearer about what "merge order" means.

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2020-03-26 22:39:18 +01:00
Gilles Peskine
8f46bbf46f Sort changelog entries by their merge date
Changelog entry files were listed in reverse alphabetical order of the
file name, by happenstance. Now, changelog entry files are listed in
the order in which the changes were merged. More precisely: look for
the git commit where the entry file was created, and look where this
commit was merged into the current branch. List older merges first.
List never-merged commits in date order after all the merged ones.
List never-committed files in file timestamp order after all the
committed ones.

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2020-03-26 11:58:00 +01:00
Gilles Peskine
27a1facd48 Factor out list_files_to_merge
No behavior changes.

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2020-03-26 11:57:54 +01:00
Gilles Peskine
5d324b203a Merge remote-tracking branch 'upstream-crypto/development' into HEAD
Conflicts:
* .github/issue_template.md, .github/pull_request_template.md:
  The changes in Mbed Crypto are not relevant to Mbed TLS. Keep the
  mbedtls versions.
2020-03-25 15:47:43 +01:00
Gilles Peskine
8bad3ab45f
Merge pull request #300 from gilles-peskine-arm/assemble-changelog
Changelog assembly script
2020-03-25 15:17:04 +01:00
Gilles Peskine
e22a4dacf7 Explicit return value from main
Rather than sometimes returning an integer, sometimes a boolean and
sometimes implicitly returning None, always return 0 for success and 1
for failure.

No behavior change for the program as a whole, since the None/True/False
values were implicitly converted to the desired numerical value.

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2020-03-24 19:36:17 +01:00
Gilles Peskine
ce674a90c5 Clearer code to search for config.h
Don't use a function argument as a for loop variable. It worked (mostly) but
Pylint frowns on it (redefined-argument-from-local) and I think Pylint has a
point.

If the configuration file is not found, raise an exception mentioning the
search path rather than just its last element.

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2020-03-24 19:25:34 +01:00
Gilles Peskine
5e7d6fd240 Merge 'mbedtls/development' into merge-crypto-unremoved-20200304
Merge the latest state of the target branch (mbedtls/development) into the
pull request to merge mbed-crypto into mbedtls.

Conflicts:

* ChangeLog: add/add conflict. Resolve by using the usual section order.
2020-03-23 18:02:07 +01:00
Gilles Peskine
eccd888717 Rename identifiers containing double-underscore
Rename identifiers containing double-underscore (`__`) to avoid `__`.
The reason to avoid double-underscore is that all identifiers
containing double-underscore are reserved in C++. Rename all such
identifiers that appear in any public header, including ssl_internal.h
which is in principle private but in practice is installed with the
public headers.

This commit makes check-names.sh pass.

```
perl -i -pe 's/\bMBEDTLS_SSL__ECP_RESTARTABLE\b/MBEDTLS_SSL_ECP_RESTARTABLE_ENABLED/g; s/\bMBEDTLS_KEY_EXCHANGE_(_\w+)_(_\w+)\b/MBEDTLS_KEY_EXCHANGE${1}${2}/g' include/mbedtls/*.h library/*.c programs/*/*.c scripts/data_files/rename-1.3-2.0.txt tests/suites/*.function
```
2020-03-23 17:55:32 +01:00
Gilles Peskine
b99bd39b4e Merge mbed-crypto into mbedtls: the merge commit
Merge `unremove-non-crypto` into `mbedtls/development`. The branch
`unremove-non-crypto` was obtained by starting from `mbed-crypto/development`,
then reverting many commits that removed X.509 and TLS functionality when Mbed
Crypto forked from Mbed TLS (the “unremoval”), then make a few tweaks to
facilitate the merge.

The unremoval step restored old versions of some tls files. If a file doesn't
exist in mbed-crypto, check out the mbedtls version, regardless of what
happened during the unremoval of tls files in the crypto tree. Also
unconditionally take the mbedtls version of a few files where the
modifications are completely project-specific and are not relevant in
mbed-crypto:

* `.github/issue_template.md`: completely different. We may want to reconcile
  them independently as a follow-up.
* `.travis.yml`: would only be reverted to an earlier tls version.
* `README.md`: completely different. We may want to reconcile them
  independently as a follow-up.
* `doxygen/input/doc_mainpage.h`: the changes in crypto were minimal and not
  relevant except as a stopgap as mbed-crypto did not have its own product
  versioning in the Doxygen documentation.
* `tests/.jenkins/Jenkinsfile`: completely different.
* `tests/data_files/Makefile`: there were no changes in mbed-crypto,
  but the unremoval step restored an old version.

Shell script for everything to do after the merge apart from the conflict
resolution:
```
tls_files=($(comm -23 <(git ls-tree -r --name-only HEAD) <(git ls-tree -r --name-only $(git merge-base upstream-crypto/development MERGE_HEAD))))
tls_files+=($tls_files .github/issue_template.md .travis.yml README.md doxygen/input/doc_mainpage.h tests/.jenkins/Jenkinsfile tests/data_files/Makefile)
git checkout --theirs HEAD -- $tls_files
git add -- $tls_files
```

Resolve the remaining conflicts:

* `library/CMakeLists.txt`:
    * Keep the TLS definition of `src_crypto`
    * `USE_SHARED_MBEDTLS_LIBRARY`: keep all three libraries, with both
      `include` and `crypto/include` in `target_include_directories`, all with
      version `2.21.0`.
* `programs/Makefile`:
    * Reconcile the APPS lists (add/add from a differently-formatted common
      ancestor): insert the `psa/*` from crypto into the tls list.
    * Keep the `fuzz` target defined only in tls version.
    * Keep the recipe (only in tls version) cleaning `ssl_pthread_server`
      stuff for the `clean` target.
* `scripts/config.py`:
    * `include_in_full`: add/add conflict. Keep both.
* `tests/scripts/all.sh`:
    * `component_test_no_use_psa_crypto_full_cmake_asan`: partially old
      version in crypto. Take the tls version.
    * `component_test_malloc_0_null` and more: take
      `component_test_malloc_0_null` from crypto (with `config.py` rather than
      `config.pl`, and with `$ASAN_FLAGS` rather than an explicit list), but
      add the call to `ssl-opt.sh` from tls. Take the other components from
      crypto.

With this commit, building and running the unit tests with both `make ` and
`cmake` work in the default configuration on Linux. Other platforms, build
systems and configurations are likely not to work, and there is some
regression in test coverage.

There is some loss of functionality because the unremoval step restored older
versions of tls content. This commit contains the latest tls version of
tls-only files, but some changes from the tls side in files that existed on
both sides have regressed. Most problematic changes are hunks that remove some
tls-specific feature and contain either a C preprocessor symbol identifying a
tls-specific module or option, or the name of a tls-specific file. Hunks
that remove a tls-specific preprocessor symbol can be identified with the
regular expression `^-.*MBEDTLS_(ERR_)?(PKCS11|X509|NET|SSL)_`.

Subsequent commits will revert a few parts of the patch from this merge commit
in order to restore the tls functionality that it removes, ensure that the
test coverage includes what was covered in either branch, and fix test
failures.
2020-03-23 17:54:46 +01:00
Gilles Peskine
3b46cd3f15 Invoke config.py instead of config.pl in reverted content
perl -i -pe 's/\bconfig\.pl/config.py/g' $(git grep -l -Fw config.pl
-- . '#!tests/scripts/test_config_script.py')
2020-03-19 14:23:45 +01:00
Gilles Peskine
7dc97048d6 Revert "Remove tests that depend on TLS or X.509"
This reverts commit 9afb2e9921.

Conflicts:
* include/CMakeLists.txt
  * "Make config.h available" comment: there has been a change
    adjacent to where it was removed. Just re-add what was removed.
* tests/CMakeLists.txt:
  * compat.sh: there has been a change immediately before where it was
    removed. Just re-add what was removed.
2020-03-19 14:17:54 +01:00
Gilles Peskine
722a7e6940 Revert "Only build libmbedcrypto"
This reverts commit 8298d70bee.

Conflicts:
* library/Makefile: removal of SOEXT_X509 and SOEXT_TLS vs change of
  value of SOEXT_CRYPTO. Keep all, with the new value of SOEXT_CRYPTO.
2020-03-19 14:07:55 +01:00
Gilles Peskine
4e1174967a Revert "config: Remove TLS and NET options"
This reverts commit 1c66e48670.

Conflicts:
* include/mbedtls/check_config.h:
    * MBEDTLS_SSL_PROTO_SSL3: there has been an addition (of
      MBEDTLS_SHA512_NO_SHA384) at the place where it was removed. Re-add it
      after (alphabetical order).
    * MBEDTLS_ENABLE_WEAK_CIPHERSUITES: there has been an addition (of
      MBEDTLS_CTR_DRBG_USE_128_BIT_KEY) at the place where it was removed.
      Re-add it after (alphabetical order).
    * MBEDTLS_SSL_ALL_ALERT_MESSAGES: there has been an addition (of
      MBEDTLS_SHA512_SMALLER) at the place where it was removed. Re-add it
      after (alphabetical order).
* include/mbedtls/config.h:
    * MBEDTLS_ENABLE_WEAK_CIPHERSUITES: there has been an addition (of
      MBEDTLS_CTR_DRBG_USE_128_BIT_KEY) at the place where it was removed.
      Re-add it after (alphabetical order).
    * MBEDTLS_SSL_ALL_ALERT_MESSAGES: there has been an addition (of
      MBEDTLS_SHA512_SMALLER) at the place where it was removed. Re-add it
      after (alphabetical order).
* library/version_features.c: re-generate by running
  scripts/generate_features.pl.
* programs/test/query_config.c: re-generate by running
  scripts/generate_query_config.pl.
* scripts/config.pl: this file has been replaced by config.py. Port
  the reversed changes to config.py:
    * Revert removing three symbols from the list of symbols to
      exclude from full.
    * Revert removing one symbol (MBEDTLS_NET_C) from the list of symbols
      to exclude from baremetal.
* scripts/footprint.sh:
    * Re-add the line to unset MBEDTLS_NET_C, but with config.py instead of
      config.pl.
* tests/scripts/all.sh:
    * component_test_no_platform: re-add the line to unset MBEDTLS_NET_C, but
      with config.py instead of config.pl.
    * component_build_arm_none_eabi_gcc,
    component_build_arm_none_eabi_gcc_no_udbl_division,
    component_build_arm_none_eabi_gcc_no_64bit_multiplication,
    component_build_armcc: these components now use the baremetal
    configuration, so they do not need to turn off MBEDTLS_NET_C explicitly.
2020-03-19 13:55:04 +01:00
Gilles Peskine
252e391cca Revert "config: Remove X.509 options"
This reverts commit bb1f701212.

* include/mbedtls/check_config.h:
    * MBEDTLS_X509_RSASSA_PSS_SUPPORT: there has been an addition (of
      MBEDTLS_SHA512_NO_SHA384) at the place where it was removed.
      Re-add it before MBEDTLS_SHA512_NO_SHA384 to keep it grouped
      with MBEDTLS_RSA_C.

Conflicts:
* scripts/config.pl: this file has been replaced by config.py. Port
  the reversed changes to config.py:
    * Revert removing three symbols from the list of symbols to
      exclude from full.
2020-03-19 13:53:18 +01:00
Gilles Peskine
458b8f2a59 Revert "Remove unused TLS, NET, and X.509 files"
This reverts commit a4308b29a4.
2020-03-19 13:36:33 +01:00
Gilles Peskine
314bc89b36 Revert "scripts: Remove dependency on TLS"
This reverts commit b58ff9541b.
2020-03-19 13:36:33 +01:00
Gilles Peskine
1bf45e1980 Revert "scripts: Remove dependency on X.509"
This reverts commit 43a450c858.
2020-03-19 13:36:33 +01:00
Gilles Peskine
1fcf721e11 Revert "scripts: Remove dependency on NET"
This reverts commit 356acc82ad.

Conflicts:
* scripts/generate_errors.pl: a line adjacent to a changed line has
  independently changed in the meantime. Just revert the change done
  in the commit that's being reverted.
2020-03-19 13:36:12 +01:00
Simon Butcher
e30d03e4f4 Change the use of pylint to optionally use pylint3
Pylint when installed as a distro package can be installed as pylint3, whilst as
a PEP egg, it can be installed as pylint.

This commit changes the scripts to first use pylint if installed, and optionally
look for pylint3 if not installed. This is to allow a preference for the PEP
version over the distro version, assuming the PEP one is more likely to be
the correct one.

Signed-off-by: Simon Butcher <simon.butcher@arm.com>
2020-03-16 11:38:02 +00:00
Simon Butcher
9693ea2490 Fix output_env.sh for varying pylint3 output
`pylint3 --version` will output to stderr the status of the config file it's
using. This can be "No config file found" or "Using config file" or nothing.
This means the pylint version may or may not be on the first line.

Therefore this commit changes the filters on the pylint3 version output to first
strip out the config line, and then to select only the pylint line.

Signed-off-by: Simon Butcher <simon.butcher@arm.com>
2020-03-06 15:06:14 +00:00
Simon Butcher
6910122469 Add Python, Perl and Pylint to output_env.sh
Add the versions of Python, Perl, and Pylint to the version dump provided by
the output_env.sh script.

Signed-off-by: Simon Butcher <simon.butcher@arm.com>
2020-03-06 15:06:14 +00:00
Gilles Peskine
302e43f122 Revert "scripts: Remove unneeded scripts"
This reverts commit ed05b29ea3.
2020-03-04 15:39:14 +01:00
Gilles Peskine
40f17dc803 Revert "Remove certs.h"
This reverts commit b8e4ae18cf.
2020-03-04 15:39:14 +01:00
Simon Butcher
7bfeb66d1a Make minor fixes to output_env.sh after review
A number of clean-up improvements following review.
 * removal of redundant `` quotes
 * removal of non-portable echo "\n", in favour of additional echo commands
 * change to use of uname to detemine if the platform is Linux or not
 * revised formatting of output
 * change to dpkg-query from dpkg to find installed libasan variants

Co-Authored-By: Gilles Peskine <gilles.peskine@arm.com>
Signed-off-by: Simon Butcher <simon.butcher@arm.com>
2020-02-27 15:19:58 +00:00
Simon Butcher
07d5a47bd8 Enhance the output_env.sh script
This commit adds additional information to the output_env.sh script of:
  * Linux distribution version (if available)
  * GDB version (if available)

It also makes some information clearer:
  * the type of OpenSSL/GNUTLS version (legacy/default/next)
  * and whether certain versions are not installed, or not configured

And it simplifies the error messages for absent tools.

Signed-off-by: Simon Butcher <simon.butcher@arm.com>
2020-02-26 15:58:52 +00:00
Gilles Peskine
d362d0bf86 Tweak spacing in Visual Studio files
Tweak the code to be slightly simpler and closer to mbedtls. This
changes non-significant whitespace in the generated files.
2020-02-26 14:37:17 +01:00
Gilles Peskine
7156d8cda9 Don't hard-code include paths in templates
generate_visualc_files.pl has a list of directories that it pulls
headers from, so it knows what directories to put on the include path.
Make it inject the include path into the output files, rather than
hard-coding the include paths in template files.

A similar change (but with different code) was made in Mbed TLS in
commit b78cf2b261
"Adjust visual studio file generation to always use the crypto submodule".

No semantic change: this commit does not change the generated files.
2020-02-26 14:37:07 +01:00
Gilles Peskine
b41f88f47a Simplify the code around the call to gen_main_file
There's no need to keep the directory lists separated until the last
minute.

No semantic change. The generated files change slightly because there
was one directory list where slashes were not changed to backslashes
like in the other five. This does not affect their semantics.
2020-02-26 14:36:50 +01:00
Gilles Peskine
13fac98aca Generalize everest support to generic 3rdparty support
Other third-party components can now be added by just adding lines to
the definitions of @thirdparty_header_dirs and
@thirdparty_source_dirs.

No semantic change. The output does not change at all.
2020-02-19 20:13:29 +01:00
Jaeden Amero
7cb47de12a query_config: Move to programs/test
As the SSL programs, like ssl_client2 and ssl_server2, are dependent on
SSL and therefore about to be removed, the only consumer of query_config
is the query_compile_time_config test. As such, it makes sense to move
query_config to be next to what uses it.
2020-02-11 19:26:27 +01:00
Gilles Peskine
5da20cc569
Merge pull request #3023 from gilles-peskine-arm/config-crypto
Add crypto-only preset configurations
2020-02-05 11:17:56 +01:00
Gilles Peskine
2579675935 Merge remote-tracking branch 'upstream-public/development' into development
Files deleted by us: keep them deleted.

```
git rm $(git status -s | sed -n 's/^DU //p')
```

Individual files with conflicts:

* `README.md`: keep the crypto version.
* `doxygen/input/doc_mainpage.h`: keep the crypto version (with an obsolete Mbed Crypto version number).
* `include/mbedtls/error.h`:
    * `ERROR`: similar additions made through parallel commits, with only whitespace differences. Align with the tls version.
* `library/CMakeLists.txt`: keep the crypto version.
* `library/Makefile`: keep the crypto version.
* `scripts/generate_errors.pl`: keep the crypto version (the relevant changes were made through parallel commits).
* `tests/scripts/check-test-cases.py`:
    * `Results`: keep the crypto version, which has both the new argument to the constructor (added in crypto only) and the class docstring (added through parallel commits).
* `tests/suites/helpers.function`:
    * `ARRAY_LENGTH`, `ASSERT_ALLOC`: additions in the same location. Keep both, in indifferent order.
* `tests/suites/target_test.function`:
    * `receive_uint32`: keep the crypto version which has an additional bug fix. The tls changes made in tls are irrelevant after this bug fix.
* `visualc/VS2010/mbedTLS.vcxproj`: run `scripts/generate_visualc_files.pl`.

Review of non-conflicting changes:

* `all.sh`: 1 change.
    * zlib test components: don't add them.
* `include/CMakeLists.txt`: 1 change.
    * `target_include_directories`: doesn't work as is (different target name). Don't take the change.
* All other non-conflicting changes: take them.
2020-02-03 18:52:36 +01:00
Gilles Peskine
31987c6b88 Add config presets with only crypto
Add config presets with only the crypto parts of the default
configuration, of "full" and of "baremetal".
2020-01-31 15:14:18 +01:00
Gilles Peskine
f65ed6f254 Change key types to a 16-bit encoding
All key types now have an encoding on 32 bits where the bottom 16 bits
are zero. Change to using 16 bits only.

Keep 32 bits for key types in storage, but move the significant
half-word from the top to the bottom.

Likewise, change EC curve and DH group families from 32 bits out of
which the top 8 and bottom 16 bits are zero, to 8 bits only.

Reorder psa_core_key_attributes_t to avoid padding.
2020-01-31 10:24:21 +01:00
Gilles Peskine
afc9db8bb7 Fix version number recognition heuristics
The regexp was wrong, for example it matched "2.20x" but failed to
match "3.1".

Some test cases:
>>> def f(title):
...  version_number = re.search(_version_number_re, title)
...  if version_number:
...      return not re.search(_incomplete_version_number_re,
...                                  version_number.group(0))
...  else:
...   return False
...
>>> [(s, f(s.encode('ascii'))) for s in ['foo', 'foo 3', 'foo 3.', 'foo 3.1', 'foo 3.14', 'foo 3.2.1', 'foo 3.2.1alpha', 'foo 3.1.a', 'foo 3.a', 'foo 3.x.1']]
[('foo', False), ('foo 3', False), ('foo 3.', False), ('foo 3.1', True), ('foo 3.14', True), ('foo 3.2.1', True), ('foo 3.2.1alpha', True), ('foo 3.1.a', False), ('foo 3.a', False), ('foo 3.x.1', False)]
2020-01-30 11:38:01 +01:00
Manuel Pégourié-Gonnard
2b9ebce4e1 Remove deprecated modules from config.py full 2020-01-30 10:16:15 +01:00
Gilles Peskine
a26079613a Create a new level-2 section if needed
Automatically create a level-2 section for unreleased changes if needed.
2020-01-28 19:58:17 +01:00
Gilles Peskine
da14e8225e Remove useless blank line removal in ChangeLog.write
The parsing functions eliminate blank lines, so there shouldn't be any
at this stage.
2020-01-28 19:27:54 +01:00
Gilles Peskine
37d670a1e1 Document read_main_file and simplify the logic a little 2020-01-28 19:27:54 +01:00
Gilles Peskine
974349d40e Style: follow PEP8 2020-01-28 19:00:59 +01:00
Gilles Peskine
d8b6c77388 Use OrderedDict instead of reinventing it 2020-01-28 18:57:47 +01:00
Gilles Peskine
2b242495e1 Add a sanity check on the output
Check that no line from any of the input files was lost.

This is not perfect for several reasons.
It doesn't check that the content goes to the desired location.
It doesn't check that sections are created as necessary.
It doesn't support whitespace normalization that the parsing code does.
But it's a good start.
2020-01-22 15:59:12 +01:00
Gilles Peskine
6e91009cfe Split strings on some very long lines 2020-01-22 15:59:12 +01:00
Gilles Peskine
566407d6f6 Simpler definition of a custom exception class 2020-01-22 15:59:12 +01:00
Gilles Peskine
8c4a84c5de Split read_main_file out of the ChangeLog constructor
Keep the constructor code simple.

No behavior change.
2020-01-22 15:48:58 +01:00
Gilles Peskine
5e39c9e94f Actually remove files
Minor rework of how files are removed. Actually do remove the
files (earlier I accidentally committed a debug version with removal
commented out).
2020-01-22 15:48:45 +01:00
Gilles Peskine
974232f045 Minor documentation improvements 2020-01-22 12:43:29 +01:00
Manuel Pégourié-Gonnard
ad6cb11461 Declare new config.h option MBEDTLS_SHA512_NO_SHA384 2020-01-06 11:40:23 +01:00
Gilles Peskine
180850a229
Merge pull request #291 from gilles-peskine-arm/ctr_drbg-test_aes_128
Test MBEDTLS_CTR_DRBG_USE_128_BIT_KEY
2019-12-20 10:43:44 +01:00
Janos Follath
df587ee6d6 Remove duplicate include statement
Now that the Error module has error codes as well and is processed by
the generate_errors script like any other module, we don't need to
include the header manually.
2019-12-19 10:27:57 +00:00
Jaeden Amero
795c6bab62
Merge pull request #323 from yanesca/iotcrypt-942-initialise-return-values
Initialise return values to an error
2019-12-19 10:24:22 +00:00
Janos Follath
2d20567122 Add two error codes to the Error module
One of the error codes was already reserved, this commit just makes it
explicit. The other one is a new error code for initializing return
values in the library: `MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED` should
not be returned by the library. If it is returned, then it is surely a
bug in the library or somebody is tampering with the device.
2019-12-16 15:15:16 +00:00
Gilles Peskine
49af2d3a4f Support non-ASCII characters in headers
Filter out non-ASCII characters in automatically processed headers.

Do this in a way that minimizes the code change: keep manipulating
strings, but strip off non-ASCII characters when reading lines, which
should only remove characters in comments that we don't parse anyway.
2019-12-11 11:03:07 +01:00
Janos Follath
60f6b64b8f Add two error codes to the Error module
One of the error codes was already reserved, this commit just makes it
explicit. The other one is a new error code for initializing return
values in the library: `MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED` should
not be returned by the library. If it is returned, then it is surely a
bug in the library or somebody is tampering with the device.
2019-12-03 16:01:06 +00:00
Gilles Peskine
987e271b16 If python3 fails, make it clear that this isn't fatal 2019-11-26 13:30:16 +01:00
Gilles Peskine
df78e496b7 Error out rather than call python on the perl script 2019-11-26 13:30:00 +01:00
Gilles Peskine
80a607171a config.pl full: exclude MBEDTLS_ENTROPY_FORCE_SHA256
This is a variant toggle, not an extra feature, so it should be tested
separately.

We test most of the effect of MBEDTLS_ENTROPY_FORCE_SHA256 (namely,
using SHA-256 in the entropy module) when we test the library with the
SHA512 module disabled (which we do at least via depends-hashes.pl).
This commit removes testing of the MBEDTLS_ENTROPY_FORCE_SHA256 option
itself, which should be added separately.
2019-11-21 13:52:09 +01:00
Gilles Peskine
24600e8290 Disable memory_buffer_alloc in the full config
Enabling MBEDTLS_MEMORY_BUFFER_ALLOC_C module together with
MBEDTLS_PLATFORM_MEMORY causes the library to use its own malloc
replacement. This makes memory management analyzers such as ASan
largely ineffective. We now test MBEDTLS_MEMORY_BUFFER_ALLOC_C
separately. Disable it in the "full" config.

This mirrors a change that was made in Mbed TLS on config.pl and had
not been ported to Mbed Crypto yet.

With this commit, config.py is aligned in Mbed Crypto and Mbed TLS.
2019-11-15 11:53:42 +01:00
Gilles Peskine
baf15df251 Compatibility redirect: add copyright notice 2019-11-13 14:33:34 +00:00
Gilles Peskine
518ce0beb3 Compatibility redirect: if python3 is not available, try python 2019-11-13 14:33:34 +00:00
Gilles Peskine
261742bd59 Fix config.py output when a symbol has acquired or lost a value
Normally a valueless symbol remains valueless and a symbol with a
value keeps having one. But just in case a symbol does get changed
from valueless to having a value, make sure there's a space between
the symbol and the value. And if a symbol gets changed from having a
value to valueless, strip trailing whitespace.

Add corresponding tests.

Also fix the case of a valueless symbol added with the set method,
which would have resulted in attempting to use None as a string. This
only happened with the Python API, not with the command line API.
2019-11-13 14:33:34 +00:00
Gilles Peskine
7f04013099 Documentation improvements 2019-11-13 14:33:34 +00:00
Gilles Peskine
2552bc73d4 Fix "#define ... not found" error when using the default file name
Also make that error message end with a newline.
2019-11-13 14:33:34 +00:00
Gilles Peskine
63cdb2855f Fix "--force set" without a value sneaking a None in 2019-11-13 14:33:34 +00:00
Gilles Peskine
a52f97d5a5 Fix --force requiring an argument 2019-11-13 14:33:34 +00:00
Gilles Peskine
b6fa7970a6 Fix Config.unset() making the name known 2019-11-13 14:33:34 +00:00
Gilles Peskine
812f185bc8 Also search config.h near the script
By default, this script looks for include/mbedtls/config.h relative to
the current directory. This allows running config.py from outside the
build tree.

To support out-of-tree builds where config.h and config.py are in the
source tree and the current directory is in the build tree, also try
DIRECTORY_CONTAINING_SCRIPT/../include/mbedtls/config.h, and the
equivalent with symbolic links traversed.
2019-11-13 14:33:34 +00:00
Gilles Peskine
1854ec45af Report an error if switching to Python fails 2019-11-13 14:33:34 +00:00
Gilles Peskine
5d650c86b4 Fix 'config.py set' without --force
The `set` command can act on any known symbol.
2019-11-13 14:33:34 +00:00
Gilles Peskine
a26ea87dde Fix encoding errors
config.h is encoded in UTF-8.
2019-11-13 14:33:34 +00:00
Gilles Peskine
a47ab22852 Print help when invoked with no arguments 2019-11-13 14:33:34 +00:00
Gilles Peskine
04362a0ad6 Replace config.pl by a redirection to config.py
Keep config.pl in Perl in case people are running "perl config.pl".
2019-11-13 14:33:34 +00:00
Gilles Peskine
3bdd412d09 Invoke config.py instead of config.pl
git grep -Fl /config.pl | xargs sed -i -e 's!/config\.pl!/config.py!g'

Also:
* Change one comment in include/mbedtls/check_config.h.
* Change PERL to PYTHON in CMakeLists.txt.
2019-11-13 14:33:33 +00:00
Gilles Peskine
4efaeba48b Support writing to a different file 2019-11-13 14:32:04 +00:00
Gilles Peskine
651a64de7d Sort symbol lists in alphabetical order
They're easier to maintain that way. The old lists were partly
alphabetized, partly based on config.h order, and partly in the order
in which symbols had been added to config.pl.
2019-11-13 14:32:04 +00:00
Gilles Peskine
f6f5ea21b5 Remove obsolete options from config.py
These options haven't existed for a long time.
2019-11-13 14:32:04 +00:00
Gilles Peskine
61f3c0ce85 Implement the 'full' and 'baremetal' configurations
Also fix 'realfull' to only affect the appropriate sections.

Tested to produce the same results as config.pl on the default
configuration. This commit deliberately contains a direct copy the
lists of symbol names from config.pl.
2019-11-13 14:32:04 +00:00
Gilles Peskine
39bd5e7f9e Mbed TLS configuration file manipulation library and tool
This is meant to be a drop-in replacement for config.pl which can
additionally be used as a library in a Python script.

So far this script supports the commands 'get', 'set' and 'realfull'
but not the other built-in configurations.
2019-11-13 14:32:04 +00:00
Gilles Peskine
40b3f411ec Changelog merging script
assemble_changelog.py reads changelog entries from ChangeLog.d/*.md
and merges them into ChangeLog.md.

The changelog entries are merged into the first version in
ChangeLog.md. The script does not yet support creating a new version
in ChangeLog.md.

The changelog entries are merged in alphabetical order of the file
names. Future versions of this script are likely to adopt a different
order that reflects the git history of the entries.
2019-10-13 21:44:25 +02:00
Gilles Peskine
e249c0e6b3 config.pl full: exclude MBEDTLS_CTR_DRBG_USE_128_BIT_KEY
This is a variant toggle, not an extra feature, so it should be tested
separately.
2019-10-07 15:57:50 +02:00
Gilles Peskine
0409bcdef0 Compatibility redirect: add copyright notice 2019-09-13 15:17:47 +02:00
Gilles Peskine
a103c18032 Compatibility redirect: if python3 is not available, try python 2019-09-13 11:04:24 +02:00
Gilles Peskine
f686042554 Fix config.py output when a symbol has acquired or lost a value
Normally a valueless symbol remains valueless and a symbol with a
value keeps having one. But just in case a symbol does get changed
from valueless to having a value, make sure there's a space between
the symbol and the value. And if a symbol gets changed from having a
value to valueless, strip trailing whitespace.

Add corresponding tests.

Also fix the case of a valueless symbol added with the set method,
which would have resulted in attempting to use None as a string. This
only happened with the Python API, not with the command line API.
2019-09-13 11:04:24 +02:00
Gilles Peskine
c190c90889 Documentation improvements 2019-09-13 11:04:24 +02:00
Gilles Peskine
221df1e0ef Fix "#define ... not found" error when using the default file name
Also make that error message end with a newline.
2019-09-13 11:04:24 +02:00
Gilles Peskine
0c7fcd210f Fix "--force set" without a value sneaking a None in 2019-09-13 11:04:24 +02:00
Gilles Peskine
435ce22920 Fix --force requiring an argument 2019-09-13 11:04:23 +02:00
Gilles Peskine
55cc4dbb5c Fix Config.unset() making the name known 2019-09-13 11:04:23 +02:00
Gilles Peskine
208e4ec5d3 Also search config.h near the script
By default, this script looks for include/mbedtls/config.h relative to
the current directory. This allows running config.py from outside the
build tree.

To support out-of-tree builds where config.h and config.py are in the
source tree and the current directory is in the build tree, also try
DIRECTORY_CONTAINING_SCRIPT/../include/mbedtls/config.h, and the
equivalent with symbolic links traversed.
2019-09-13 11:04:23 +02:00
Gilles Peskine
6cf3127527 Report an error if switching to Python fails 2019-09-13 11:04:23 +02:00
Gilles Peskine
98eb36557d Fix 'config.py set' without --force
The `set` command can act on any known symbol.
2019-09-13 11:04:23 +02:00
Gilles Peskine
0fa5efb7ce Fix encoding errors
config.h is encoded in UTF-8.
2019-09-13 11:04:23 +02:00
Gilles Peskine
90b30b618b Print help when invoked with no arguments 2019-09-13 11:04:23 +02:00
Gilles Peskine
bf359c7fc4 Replace config.pl by a redirection to config.py
Keep config.pl in Perl in case people are running "perl config.pl".
2019-09-13 11:04:23 +02:00
Gilles Peskine
5d46f6a89b Invoke config.py instead of config.pl
git grep -Fl /config.pl | xargs sed -i -e 's!/config\.pl!/config.py!g'

Also:
* Change one comment in include/mbedtls/check_config.h.
* Change PERL to PYTHON in CMakeLists.txt.
2019-09-13 11:04:23 +02:00
Gilles Peskine
40f103cea2 Support writing to a different file 2019-09-13 11:04:23 +02:00
Gilles Peskine
2d89ccced5 Sort symbol lists in alphabetical order
They're easier to maintain that way. The old lists were partly
alphabetized, partly based on config.h order, and partly in the order
in which symbols had been added to config.pl.
2019-09-13 11:04:21 +02:00
Gilles Peskine
6c2d078935 Remove obsolete options from config.py
These options haven't existed for a long time.
2019-09-13 10:56:03 +02:00
Gilles Peskine
53d41ae872 Implement the 'full' and 'baremetal' configurations
Also fix 'realfull' to only affect the appropriate sections.

Tested to produce the same results as config.pl on the default
configuration. This commit deliberately contains a direct copy the
lists of symbol names from config.pl.
2019-09-13 10:55:25 +02:00
Gilles Peskine
b4063890e8 Mbed TLS configuration file manipulation library and tool
This is meant to be a drop-in replacement for config.pl which can
additionally be used as a library in a Python script.

So far this script supports the commands 'get', 'set' and 'realfull'
but not the other built-in configurations.
2019-09-13 10:49:20 +02:00
Gilles Peskine
33b84f4db7 Omit all deprecated definitions rather than a hard-coded list
Rather than hard-coding a list of deprecated aliases, assume that
anything that's deprecated is an alias or otherwise not desired.
2019-09-06 17:48:56 +02:00
Gilles Peskine
f30d4d9b34 More accurate parsing of #define directives
Support continuation lines and remove comments.
2019-09-06 17:44:04 +02:00
Gilles Peskine
5c196fb599 Readability improvements
No indented semantic change.
2019-09-06 17:35:51 +02:00
Hanno Becker
dc54953229 Don't set MBEDTLS_MEMORY_DEBUG through scripts/config.pl full 2019-09-06 07:44:37 -04:00
Hanno Becker
2ea2f053c5 Update documentation of exceptions for config.pl full 2019-09-06 07:44:37 -04:00
Hanno Becker
909e68d45a Disable memory buffer allocator in full config
This commit modifies `config.pl` to not set MBEDTLS_MEMORY_BUFFER_ALLOC
with the `full` option.
2019-09-06 07:40:26 -04:00
Christoph M. Wintersteiger
6cddd30beb ECDH: Disable Everest by default 2019-08-29 16:12:38 +01:00
Christoph M. Wintersteiger
c14dd845ad ECDH: Add Everest Curve25519 to VS project files
This being the first 3rdparty-contribution, we may want to consider the
structure of the project file generation scripts. Perhaps add small,
constribution-specific scripts to each directory in 3rdparty instead of adding
all constraints to generate_visualc_files.pl?
2019-08-29 16:12:38 +01:00
Christoph M. Wintersteiger
6ea2dea1c5 3rdparty: Add additional build facilities for 3rd-party code 2019-08-19 13:37:46 +01:00
Christoph M. Wintersteiger
78450a3dd1 ECDH: Disables MBEDTLS_ECDH_VARIANT_EVEREST_ENABLED by default 2019-08-19 13:37:46 +01:00
Christoph M. Wintersteiger
48d26c21c6 ECDH: Add Everest Curve25519 to VS project files
This being the first 3rdparty-contribution, we may want to consider the
structure of the project file generation scripts. Perhaps add small,
constribution-specific scripts to each directory in 3rdparty instead of adding
all constraints to generate_visualc_files.pl?
2019-08-19 13:36:44 +01:00
Janos Follath
8aa7e9bc56 Merge branch 'psa-api-1.0-beta' into merge-psa-api-branch-into-development 2019-08-08 14:40:23 +01:00
Gilles Peskine
3963993e2a Merge 'mbedtls/development' into merge-crypto-development-20190806
Conflicts and changes:
* Files that do not exist in Mbed Crypto and have changed in Mbed TLS:
  These files should not exist in Mbed Crypto. Keep them deleted.
* tests/data_files/test-ca.server1.db: new file in Mbed TLS, don't create
  it in Mbed Crypto.
* tests/data_files/rsa_pkcs1_1024_clear.pem: do create this file in
  Mbed Crypto. I don't see why it would be kept out.
* tests/data_files/Makefile: don't take any of the changes in sections
  that have been removed in Crypto. Do take in the certificate
  expiration date updates and the extra .crt.der rules (even if Crypto
  doesn't actually use those certificates: removing them would be out
  of scope of the present merge).
* tests/suites/helpers.function: consecutive additions, take
  both (order indifferent).
2019-08-06 19:09:55 +02:00
Gilles Peskine
72c8c5b352 Merge remote-tracking branch 'upstream-crypto/development' into psa-api-1.0-beta-merge_development_20190801
Conflict resolution:
* `scripts/config.pl`:
  Take the exclusion of `MBEDTLS_PSA_CRYPTO_SE_C` from the API branch.
  Take the removal of `MBEDTLS_PSA_CRYPTO_STORAGE_ITS_C` (obsolete) from
  the development branch.
* `tests/scripts/all.sh`:
  Multiple instances of factoring a sequence of `config.pl` calls into
  a mere `config.pl baremetal` in the development branch, and a change in
  the composition of `baremetal` in the API branch. In each case, take the
  version from development.
* `tests/suites/test_suite_psa_crypto_slot_management.function`:
  A function became non-static in development and disappeared in the API
  branch. Keep the version from the API branch. Functions need to be
  non-static if they're defined but unused in some configurations,
  which is not the case for any function in this file at the moment.
* `tests/suites/test_suite_psa_crypto.function`:
  Consecutive changes in the two branches, reconciled.
2019-07-31 17:47:49 +02:00
Jaeden Amero
8dd1690993 Merge remote-tracking branch 'tls/development' into development
Resolve conflicts by performing the following operations:
- Reject changes related to building a crypto submodule, since Mbed
  Crypto is the crypto submodule.
- Reject X.509, NET, and SSL changes.
- Reject changes to README, as Mbed Crypto is a different project from
  Mbed TLS, with a different README.
- Avoid adding mention of ssl-opt.sh in a comment near some modified
  code in include/CMakeLists.txt (around where ENABLE_TESTING as added).
- Align config.pl in Mbed TLS with config.pl in Mbed Crypto where PSA
  options are concerned, to make future merging easier. There is no
  reason for the two to be different in this regard, now that Mbed TLS
  always depends on Mbed Crypto. Remaining differences are only the
  PSA_CRYPTO_KEY_FILE_ID_ENCODES_OWNER option and the absence of X.509,
  NET, and SSL related options in Mbed Crypto's config.pl.
- Align config.h in Mbed Crypto with Mbed TLS's copy, with a few notable
  exceptions:
  - Leave CMAC on by default.
  - Leave storage on by default (including ITS emulation).
  - Avoid documenting the PSA Crypto API as is in beta stage in
    documentation for MBEDTLS_PSA_CRYPTO_C.
  The only remaining differences are a lack of X.509, NET, and SSL
  options in Mbed Crypto's config.h, as well as an additional
  Mbed-Crypto-specific PSA_CRYPTO_KEY_FILE_ID_ENCODES_OWNER option.
  Documentation for the check params feature and related macros is also
  updated to match Mbed TLS's description.
- Reject tests/data_files/Makefile changes to generate DER versions of
  CRTs and keys, as none of those are used by Mbed Crypto tests.
- Add the "no PEM and no filesystem" test to all.sh, without ssl-opt.sh
  run, as Mbed Crypto doesn't have ssl-opt.sh. Also remove use of PSA
  Crypto storage and ITS emulation, since those depend on filesystem
  support.
- Reject addition of test when no ciphersuites have MAC to all.sh, as
  the option being tested, MBEDTLS_SSL_SOME_MODES_USE_MAC, is not
  present in Mbed Crypto.
- Use baremetal config in all.sh, as Mbed Crypto's baremetal
  configuration does exclude the net module (as it doesn't exist in Mbed
  Crypto)
- Reject cmake_subproject_build changes, continuing to link only
  libmbedcrypto.
- Reject changes to visualc and associated templates. Mbed Crypto
  doesn't need additional logic to handle submodule-sourced headers.
- Avoid adding fuzzers from Mbed TLS. The only relevant fuzzers are the
  privkey and pubkey fuzzers, but non-trivial work would be required to
  integrate those into Mbed Crypto (more than is comfortable in a merge
  commit).
- Reject addition of Docker wrappers for compat.sh and ssl-opt.sh, as
  those are not present in Mbed Crypto.
- Remove calls to SSL-related scripts from basic-in-docker.sh

Fix test errors by performing the following:
- Avoid using a link that Doxygen can't seem to resolve in Mbed Crypto,
  but can resolve in Mbed TLS. In documentation for
  MBEDTLS_CHECK_PARAMS, don't attempt to link to MBEDTLS_PARAM_FAILED.

* origin/development: (339 commits)
  Do not build fuzz on windows
  No booleans and import config
  Removing space before opening parenthesis
  Style corrections
  Syntax fix
  Fixes warnings from MSVC
  Add a linker flag to enable gcov in basic-build-test.sh
  Update crypto submodule to a revision with the HAVEGE header changes
  Test with MBEDTLS_ECP_RESTARTABLE
  Allow TODO in code
  Use the docstring in the command line help
  Split _abi_compliance_command into smaller functions
  Record the commits that were compared
  Document how to build the typical argument for -s
  Allow running /somewhere/else/path/to/abi_check.py
  tests: Limit each log to 10 GiB
  Warn if VLAs are used
  Remove redundant compiler flag
  Consistently spell -Wextra
  Fix parsing issue when int parameter is in base 16
  ...
2019-07-31 10:37:53 +01:00
Darryl Green
762351be1b Change worktree_rev to HEAD for rev-parse
Due to how the checking script is run in docker, worktree_rev is
ambiguous when running rev-parse. We're running it in the checked
out worktree, so we can use HEAD instead, which is unambiguous.
2019-07-25 14:33:33 +01:00
Gilles Peskine
d0e66b00fb Turn off secure element support by default
Secure element support is not yet usable in the real world. Only part
of the feature is implemented and the part that's implemented is not
sufficient for real-world uses. A lot of error handling is missing,
and there are no tests.

This commit should be reverted once the feature has stabilized.
2019-07-24 13:52:51 +02:00
Jaeden Amero
b8e4ae18cf Remove certs.h
certs.h is not needed in Mbed Crypto. No programs or other library code
use it.
2019-07-15 15:52:25 +01:00