Merge pull request #3295 from gilles-peskine-arm/config-full-clarify-2.7
Backport 2.7: Clarify that the full config enables everything that can be tested together
diff --git a/programs/aes/crypt_and_hash.c b/programs/aes/crypt_and_hash.c
index 5024f4a..8433ef8 100644
--- a/programs/aes/crypt_and_hash.c
+++ b/programs/aes/crypt_and_hash.c
@@ -82,7 +82,8 @@
int main( int argc, char *argv[] )
{
- int ret = 1, i, n;
+ int ret = 1, i;
+ unsigned n;
int exit_code = MBEDTLS_EXIT_FAILURE;
int mode;
size_t keylen, ilen, olen;
diff --git a/programs/pkey/pk_decrypt.c b/programs/pkey/pk_decrypt.c
index 1d8c959..1876ef3 100644
--- a/programs/pkey/pk_decrypt.c
+++ b/programs/pkey/pk_decrypt.c
@@ -62,7 +62,8 @@
int main( int argc, char *argv[] )
{
FILE *f;
- int ret = 1, c;
+ int ret = 1;
+ unsigned c;
int exit_code = MBEDTLS_EXIT_FAILURE;
size_t i, olen = 0;
mbedtls_pk_context pk;
diff --git a/programs/pkey/rsa_decrypt.c b/programs/pkey/rsa_decrypt.c
index 0a252d2..bc37c74 100644
--- a/programs/pkey/rsa_decrypt.c
+++ b/programs/pkey/rsa_decrypt.c
@@ -63,7 +63,7 @@
FILE *f;
int ret = 1;
int exit_code = MBEDTLS_EXIT_FAILURE;
- int c;
+ unsigned c;
size_t i;
mbedtls_rsa_context rsa;
mbedtls_mpi N, P, Q, D, E, DP, DQ, QP;
diff --git a/programs/pkey/rsa_verify.c b/programs/pkey/rsa_verify.c
index 6f88345..a787500 100644
--- a/programs/pkey/rsa_verify.c
+++ b/programs/pkey/rsa_verify.c
@@ -57,7 +57,8 @@
int main( int argc, char *argv[] )
{
FILE *f;
- int ret = 1, c;
+ int ret = 1;
+ unsigned c;
int exit_code = MBEDTLS_EXIT_FAILURE;
size_t i;
mbedtls_rsa_context rsa;
diff --git a/programs/ssl/ssl_client2.c b/programs/ssl/ssl_client2.c
index 08b6c8e..6e895c3 100644
--- a/programs/ssl/ssl_client2.c
+++ b/programs/ssl/ssl_client2.c
@@ -239,7 +239,9 @@
#define USAGE_ECJPAKE ""
#endif
-#define USAGE \
+/* USAGE is arbitrarily split to stay under the portable string literal
+ * length limit: 4095 bytes in C99. */
+#define USAGE1 \
"\n usage: ssl_client2 param=<>...\n" \
"\n acceptable parameters:\n" \
" server_name=%%s default: localhost\n" \
@@ -260,15 +262,17 @@
" skip_close_notify=%%d default: 0 (send close_notify)\n" \
"\n" \
USAGE_DTLS \
- "\n" \
- " auth_mode=%%s default: (library default: none)\n" \
+ "\n"
+#define USAGE2 \
+ " auth_mode=%%s default: (library default: none)\n" \
" options: none, optional, required\n" \
USAGE_IO \
"\n" \
USAGE_PSK \
USAGE_ECJPAKE \
- "\n" \
- " allow_legacy=%%d default: (library default: no)\n" \
+ "\n"
+#define USAGE3 \
+ " allow_legacy=%%d default: (library default: no)\n" \
USAGE_RENEGO \
" exchanges=%%d default: 1\n" \
" reconnect=%%d default: 0 (disabled)\n" \
@@ -284,7 +288,8 @@
USAGE_CURVES \
USAGE_RECSPLIT \
USAGE_DHMLEN \
- "\n" \
+ "\n"
+#define USAGE4 \
" arc4=%%d default: (library default: 0)\n" \
" allow_sha1=%%d default: 0\n" \
" min_version=%%s default: (library default: tls1)\n" \
@@ -507,7 +512,10 @@
if( ret == 0 )
ret = 1;
- mbedtls_printf( USAGE );
+ mbedtls_printf( USAGE1 );
+ mbedtls_printf( USAGE2 );
+ mbedtls_printf( USAGE3 );
+ mbedtls_printf( USAGE4 );
list = mbedtls_ssl_list_ciphersuites();
while( *list )
diff --git a/programs/ssl/ssl_server2.c b/programs/ssl/ssl_server2.c
index ae57f1f..148dd08 100644
--- a/programs/ssl/ssl_server2.c
+++ b/programs/ssl/ssl_server2.c
@@ -338,7 +338,9 @@
#define USAGE_CURVES ""
#endif
-#define USAGE \
+/* USAGE is arbitrarily split to stay under the portable string literal
+ * length limit: 4095 bytes in C99. */
+#define USAGE1 \
"\n usage: ssl_server2 param=<>...\n" \
"\n acceptable parameters:\n" \
" server_addr=%%s default: (all interfaces)\n" \
@@ -357,7 +359,8 @@
USAGE_COOKIES \
USAGE_ANTI_REPLAY \
USAGE_BADMAC_LIMIT \
- "\n" \
+ "\n"
+#define USAGE2 \
" auth_mode=%%s default: (library default: none)\n" \
" options: none, optional, required\n" \
" cert_req_ca_list=%%d default: 1 (send ca list)\n" \
@@ -367,7 +370,8 @@
"\n" \
USAGE_PSK \
USAGE_ECJPAKE \
- "\n" \
+ "\n"
+#define USAGE3 \
" allow_legacy=%%d default: (library default: no)\n" \
USAGE_RENEGO \
" exchanges=%%d default: 1\n" \
@@ -380,7 +384,8 @@
USAGE_EMS \
USAGE_ETM \
USAGE_CURVES \
- "\n" \
+ "\n"
+#define USAGE4 \
" arc4=%%d default: (library default: 0)\n" \
" allow_sha1=%%d default: 0\n" \
" min_version=%%s default: (library default: tls1)\n" \
@@ -979,7 +984,10 @@
if( ret == 0 )
ret = 1;
- mbedtls_printf( USAGE );
+ mbedtls_printf( USAGE1 );
+ mbedtls_printf( USAGE2 );
+ mbedtls_printf( USAGE3 );
+ mbedtls_printf( USAGE4 );
list = mbedtls_ssl_list_ciphersuites();
while( *list )
diff --git a/scripts/config.pl b/scripts/config.pl
index 3de8093..2f04d91 100755
--- a/scripts/config.pl
+++ b/scripts/config.pl
@@ -19,30 +19,17 @@
#
# The following options are disabled instead of enabled with "full".
#
-# MBEDTLS_TEST_NULL_ENTROPY
-# MBEDTLS_DEPRECATED_REMOVED
-# MBEDTLS_HAVE_SSE2
-# MBEDTLS_PLATFORM_NO_STD_FUNCTIONS
-# MBEDTLS_ECP_DP_M221_ENABLED
-# MBEDTLS_ECP_DP_M383_ENABLED
-# MBEDTLS_ECP_DP_M511_ENABLED
-# MBEDTLS_MEMORY_BACKTRACE
-# MBEDTLS_MEMORY_BUFFER_ALLOC_C
-# MBEDTLS_NO_DEFAULT_ENTROPY_SOURCES
-# MBEDTLS_NO_PLATFORM_ENTROPY
-# MBEDTLS_REMOVE_ARC4_CIPHERSUITES
-# MBEDTLS_REMOVE_3DES_CIPHERSUITES
-# MBEDTLS_SSL_HW_RECORD_ACCEL
-# MBEDTLS_RSA_NO_CRT
-# MBEDTLS_X509_ALLOW_EXTENSIONS_NON_V3
-# MBEDTLS_X509_ALLOW_UNSUPPORTED_CRITICAL_EXTENSION
-# - this could be enabled if the respective tests were adapted
-# MBEDTLS_ZLIB_SUPPORT
-# MBEDTLS_PKCS11_C
-# MBEDTLS_NO_UDBL_DIVISION
-# MBEDTLS_NO_64BIT_MULTIPLICATION
-# and any symbol beginning _ALT
+# * Options that require additional build dependencies or unusual hardware.
+# * Options that make testing less effective.
+# * Options that are incompatible with other options, or more generally that
+# interact with other parts of the code in such a way that a bulk enabling
+# is not a good way to test them.
+# * Options that remove features.
#
+# The baremetal configuration excludes options that require a library or
+# operating system feature that is typically not present on bare metal
+# systems. Features that are excluded from "full" won't be in "baremetal"
+# either.
use warnings;
use strict;
@@ -83,51 +70,52 @@
EOU
my @excluded = qw(
-MBEDTLS_TEST_NULL_ENTROPY
MBEDTLS_DEPRECATED_REMOVED
+MBEDTLS_DEPRECATED_WARNING
MBEDTLS_HAVE_SSE2
-MBEDTLS_PLATFORM_NO_STD_FUNCTIONS
-MBEDTLS_ECP_DP_M221_ENABLED
-MBEDTLS_ECP_DP_M383_ENABLED
-MBEDTLS_ECP_DP_M511_ENABLED
-MBEDTLS_MEMORY_DEBUG
MBEDTLS_MEMORY_BACKTRACE
MBEDTLS_MEMORY_BUFFER_ALLOC_C
+MBEDTLS_MEMORY_DEBUG
MBEDTLS_NO_DEFAULT_ENTROPY_SOURCES
MBEDTLS_NO_PLATFORM_ENTROPY
-MBEDTLS_RSA_NO_CRT
-MBEDTLS_REMOVE_ARC4_CIPHERSUITES
+MBEDTLS_NO_UDBL_DIVISION
+MBEDTLS_PKCS11_C
+MBEDTLS_PLATFORM_NO_STD_FUNCTIONS
MBEDTLS_REMOVE_3DES_CIPHERSUITES
+MBEDTLS_REMOVE_ARC4_CIPHERSUITES
+MBEDTLS_RSA_NO_CRT
MBEDTLS_SSL_HW_RECORD_ACCEL
-MBEDTLS_X509_ALLOW_EXTENSIONS_NON_V3
+MBEDTLS_TEST_NULL_ENTROPY
MBEDTLS_X509_ALLOW_UNSUPPORTED_CRITICAL_EXTENSION
MBEDTLS_ZLIB_SUPPORT
-MBEDTLS_PKCS11_C
-MBEDTLS_NO_UDBL_DIVISION
_ALT\s*$
);
# Things that should be disabled in "baremetal"
my @excluded_baremetal = qw(
-MBEDTLS_NET_C
-MBEDTLS_TIMING_C
-MBEDTLS_FS_IO
MBEDTLS_ENTROPY_NV_SEED
+MBEDTLS_FS_IO
+MBEDTLS_HAVEGE_C
MBEDTLS_HAVE_TIME
MBEDTLS_HAVE_TIME_DATE
-MBEDTLS_DEPRECATED_WARNING
-MBEDTLS_HAVEGE_C
-MBEDTLS_THREADING_C
-MBEDTLS_THREADING_PTHREAD
MBEDTLS_MEMORY_BACKTRACE
MBEDTLS_MEMORY_BUFFER_ALLOC_C
-MBEDTLS_PLATFORM_TIME_ALT
+MBEDTLS_NET_C
MBEDTLS_PLATFORM_FPRINTF_ALT
+MBEDTLS_PLATFORM_NV_SEED_ALT
+MBEDTLS_PLATFORM_TIME_ALT
+MBEDTLS_THREADING_C
+MBEDTLS_THREADING_PTHREAD
+MBEDTLS_TIMING_C
);
-# Things that should be enabled in "full" even if they match @excluded
+# Things that should be enabled in "full" even if they match @excluded.
+# Platform ALTs enable global variables that allow configuring the behavior
+# but default to the default behavior, except for PLATFORM_SETUP_TEARDOWN_ALT
+# which requires the application to provide relevant functions like
+# non-platform ALTs.
my @non_excluded = qw(
-PLATFORM_[A-Z0-9]+_ALT
+PLATFORM_(?!SETUP_TEARDOWN_)[A-Z_0-9]+_ALT
);
# Things that should be enabled in "baremetal"
diff --git a/tests/scripts/all.sh b/tests/scripts/all.sh
index 2fc0c83..9df3207 100755
--- a/tests/scripts/all.sh
+++ b/tests/scripts/all.sh
@@ -770,22 +770,31 @@
if_build_succeeded env OPENSSL_CMD="$OPENSSL_LEGACY" GNUTLS_CLI="$GNUTLS_LEGACY_CLI" GNUTLS_SERV="$GNUTLS_LEGACY_SERV" tests/compat.sh -e '^$' -f 'NULL\|DES\|RC4\|ARCFOUR'
}
-component_build_deprecated () {
- msg "build: make, full config + DEPRECATED_WARNING, gcc -O" # ~ 30s
- scripts/config.pl full
- scripts/config.pl set MBEDTLS_DEPRECATED_WARNING
- # Build with -O -Wextra to catch a maximum of issues.
- make CC=gcc CFLAGS='-O -Werror -Wall -Wextra' lib programs
- make CC=gcc CFLAGS='-O -Werror -Wall -Wextra -Wno-unused-function' tests
-
- msg "build: make, full config + DEPRECATED_REMOVED, clang -O" # ~ 30s
- # No cleanup, just tweak the configuration and rebuild
- make clean
- scripts/config.pl unset MBEDTLS_DEPRECATED_WARNING
+component_test_default_no_deprecated () {
+ # Test that removing the deprecated features from the default
+ # configuration leaves something consistent.
+ msg "build: make, default + MBEDTLS_DEPRECATED_REMOVED" # ~ 30s
scripts/config.pl set MBEDTLS_DEPRECATED_REMOVED
- # Build with -O -Wextra to catch a maximum of issues.
- make CC=clang CFLAGS='-O -Werror -Wall -Wextra' lib programs
- make CC=clang CFLAGS='-O -Werror -Wall -Wextra -Wno-unused-function' tests
+ make CC=gcc CFLAGS='-O -Werror -Wall -Wextra'
+
+ msg "test: make, default + MBEDTLS_DEPRECATED_REMOVED" # ~ 5s
+ make test
+}
+
+component_test_full_deprecated_warning () {
+ # Test that there is nothing deprecated in the full configuraration.
+ # A deprecated feature would trigger a warning (made fatal) from
+ # MBEDTLS_DEPRECATED_WARNING.
+ msg "build: make, full + MBEDTLS_DEPRECATED_WARNING" # ~ 30s
+ scripts/config.pl full
+ scripts/config.pl unset MBEDTLS_DEPRECATED_REMOVED
+ scripts/config.pl set MBEDTLS_DEPRECATED_WARNING
+ # There are currently no tests for any deprecated feature.
+ # If some are added, 'make test' would trigger warnings here.
+ make CC=gcc CFLAGS='-O -Werror -Wall -Wextra'
+
+ msg "test: make, full + MBEDTLS_DEPRECATED_WARNING" # ~ 5s
+ make test
}
component_test_depends_curves () {
@@ -827,6 +836,7 @@
scripts/config.pl unset MBEDTLS_PLATFORM_SNPRINTF_ALT
scripts/config.pl unset MBEDTLS_PLATFORM_TIME_ALT
scripts/config.pl unset MBEDTLS_PLATFORM_EXIT_ALT
+ scripts/config.pl unset MBEDTLS_PLATFORM_NV_SEED_ALT
scripts/config.pl unset MBEDTLS_ENTROPY_NV_SEED
scripts/config.pl unset MBEDTLS_FS_IO
# Note, _DEFAULT_SOURCE needs to be defined for platforms using glibc version >2.19,
@@ -841,6 +851,7 @@
scripts/config.pl full
scripts/config.pl set MBEDTLS_PLATFORM_NO_STD_FUNCTIONS
scripts/config.pl unset MBEDTLS_ENTROPY_NV_SEED
+ scripts/config.pl unset MBEDTLS_PLATFORM_NV_SEED_ALT
make CC=gcc CFLAGS='-Werror -Wall -Wextra -Os'
}
@@ -912,6 +923,7 @@
scripts/config.pl set MBEDTLS_NO_DEFAULT_ENTROPY_SOURCES
scripts/config.pl set MBEDTLS_ENTROPY_C
scripts/config.pl unset MBEDTLS_ENTROPY_NV_SEED
+ scripts/config.pl unset MBEDTLS_PLATFORM_NV_SEED_ALT
scripts/config.pl unset MBEDTLS_ENTROPY_HARDWARE_ALT
scripts/config.pl unset MBEDTLS_HAVEGE_C
CC=gcc cmake -D CMAKE_BUILD_TYPE:String=Asan -D UNSAFE_BUILD=ON .
diff --git a/tests/suites/test_suite_entropy.function b/tests/suites/test_suite_entropy.function
index 3b87244..cb5e204 100644
--- a/tests/suites/test_suite_entropy.function
+++ b/tests/suites/test_suite_entropy.function
@@ -1,6 +1,7 @@
/* BEGIN_HEADER */
#include "mbedtls/entropy.h"
#include "mbedtls/entropy_poll.h"
+#include "mbedtls/md.h"
/*
* Number of calls made to entropy_dummy_source()
@@ -346,7 +347,7 @@
// Set the initial NV seed to read.
// Get exactly MBEDTLS_ENTROPY_BLOCK_SIZE bytes from read_str.
- TEST_ASSERT( strlen( read_seed ) / 2 >= MBEDTLS_ENTROPY_BLOCK_SIZE );
+ TEST_ASSERT( strlen( read_seed_str ) / 2 >= MBEDTLS_ENTROPY_BLOCK_SIZE );
read_seed_str[MBEDTLS_ENTROPY_BLOCK_SIZE * 2] = '\0';
unhexify( read_seed, read_seed_str );
memcpy( buffer_seed, read_seed, MBEDTLS_ENTROPY_BLOCK_SIZE );