Merge pull request #10422 from gilles-peskine-arm/migration-guide-20250926
Migration guide: header file comparison
diff --git a/CMakeLists.txt b/CMakeLists.txt
index 12ddc27..659fd50 100644
--- a/CMakeLists.txt
+++ b/CMakeLists.txt
@@ -37,15 +37,20 @@
# is deprecated and will be removed in future versions.
cmake_policy(SET CMP0012 NEW)
+set(MBEDTLS_VERSION 4.0.0)
+set(MBEDTLS_CRYPTO_SOVERSION 17)
+set(MBEDTLS_X509_SOVERSION 8)
+set(MBEDTLS_TLS_SOVERSION 22)
+
if(TEST_CPP)
project("Mbed TLS"
LANGUAGES C CXX
- VERSION 4.0.0
+ VERSION ${MBEDTLS_VERSION}
)
else()
project("Mbed TLS"
LANGUAGES C
- VERSION 4.0.0
+ VERSION ${MBEDTLS_VERSION}
)
endif()
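Review bot: The four `set(...)` lines added at the top of this hunk are rewritten by regular expression from scripts/bump_version.sh, which matches the exact text `(MBEDTLS_VERSION <digits>)` and the three `_SOVERSION` equivalents, but nothing next to them says so. A comment above them such as `# Rewritten by scripts/bump_version.sh: keep each line as set(NAME value) with one space and no quotes` would stop a later reformat from silently turning the release bump into a no-op. These values are now the only source of the shared-library VERSION and SOVERSION used in library/CMakeLists.txt, so a stale number here ends up in the installed sonames.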
diff --git a/ChangeLog.d/replace_time_t.txt b/ChangeLog.d/replace_time_t.txt
new file mode 100644
index 0000000..ec0282a
--- /dev/null
+++ b/ChangeLog.d/replace_time_t.txt
@@ -0,0 +1,4 @@
+Bugfix
+ * Fix a build error or incorrect TLS session
+ lifetime on platforms where mbedtls_time_t
+ is not time_t. Fixes #10236.
diff --git a/library/CMakeLists.txt b/library/CMakeLists.txt
index 6c2b6bb..6d8c788 100644
--- a/library/CMakeLists.txt
+++ b/library/CMakeLists.txt
@@ -107,13 +107,13 @@
${tls_error_headers}
)
- add_custom_target(${MBEDTLS_TARGET_PREFIX}mbedx509_generated_files_target
+ add_custom_target(${MBEDTLS_TARGET_PREFIX}libmbedx509_generated_files_target
DEPENDS
${CMAKE_CURRENT_BINARY_DIR}/error.c
${MBEDTLS_GENERATED_CONFIG_CHECKS_HEADERS}
)
- add_custom_target(${MBEDTLS_TARGET_PREFIX}mbedtls_generated_files_target
+ add_custom_target(${MBEDTLS_TARGET_PREFIX}libmbedtls_generated_files_target
DEPENDS
${CMAKE_CURRENT_BINARY_DIR}/ssl_debug_helpers_generated.c
${CMAKE_CURRENT_BINARY_DIR}/version_features.c
@@ -205,9 +205,9 @@
if(GEN_FILES)
add_dependencies(${mbedx509_static_target}
- ${MBEDTLS_TARGET_PREFIX}mbedx509_generated_files_target)
+ ${MBEDTLS_TARGET_PREFIX}libmbedx509_generated_files_target)
add_dependencies(${mbedtls_static_target}
- ${MBEDTLS_TARGET_PREFIX}mbedtls_generated_files_target)
+ ${MBEDTLS_TARGET_PREFIX}libmbedtls_generated_files_target)
endif()
endif(USE_STATIC_MBEDTLS_LIBRARY)
@@ -215,20 +215,20 @@
add_library(${mbedx509_target} SHARED ${src_x509})
set_base_compile_options(${mbedx509_target})
target_compile_options(${mbedx509_target} PRIVATE ${LIBS_C_FLAGS})
- set_target_properties(${mbedx509_target} PROPERTIES VERSION 4.0.0 SOVERSION 8)
+ set_target_properties(${mbedx509_target} PROPERTIES VERSION ${MBEDTLS_VERSION} SOVERSION ${MBEDTLS_X509_SOVERSION})
target_link_libraries(${mbedx509_target} PUBLIC ${libs} ${tfpsacrypto_target})
add_library(${mbedtls_target} SHARED ${src_tls})
set_base_compile_options(${mbedtls_target})
target_compile_options(${mbedtls_target} PRIVATE ${LIBS_C_FLAGS})
- set_target_properties(${mbedtls_target} PROPERTIES VERSION 4.0.0 SOVERSION 21)
+ set_target_properties(${mbedtls_target} PROPERTIES VERSION ${MBEDTLS_VERSION} SOVERSION ${MBEDTLS_TLS_SOVERSION})
target_link_libraries(${mbedtls_target} PUBLIC ${libs} ${mbedx509_target})
if(GEN_FILES)
add_dependencies(${mbedx509_target}
- ${MBEDTLS_TARGET_PREFIX}mbedx509_generated_files_target)
+ ${MBEDTLS_TARGET_PREFIX}libmbedx509_generated_files_target)
add_dependencies(${mbedtls_target}
- ${MBEDTLS_TARGET_PREFIX}mbedtls_generated_files_target)
+ ${MBEDTLS_TARGET_PREFIX}libmbedtls_generated_files_target)
endif()
endif(USE_SHARED_MBEDTLS_LIBRARY)
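Review bot: The libmbedtls SOVERSION changes from 21 to 22 in this hunk: the removed line hard-coded `SOVERSION 21`, while `MBEDTLS_TLS_SOVERSION` is set to 22 in the top-level CMakeLists.txt. If the bump is intended, it should be stated in the commit description or a ChangeLog entry rather than arriving as a side effect of the variable refactor. `SOEXT_TLS` in library/Makefile (not shown on this page) should be checked to agree, since the soname decides which installed library a dependent binary resolves at load time.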
@@ -268,22 +268,109 @@
get_target_property(target_type ${target} TYPE)
if (target_type STREQUAL STATIC_LIBRARY)
add_custom_command(
- TARGET ${mbedtls_target}
- POST_BUILD
- COMMAND ${CMAKE_COMMAND}
- ARGS -E copy $<TARGET_FILE:${target}> ${CMAKE_BINARY_DIR}/library)
+ TARGET ${mbedtls_target} POST_BUILD
+ COMMAND ${CMAKE_COMMAND} -E copy_if_different
+ $<TARGET_FILE:${target}>
+ $<TARGET_FILE_NAME:${target}>
+ COMMAND ${CMAKE_COMMAND} -E copy_if_different
+ $<TARGET_FILE:${target}>
+ "libmbedcrypto.a"
+ )
+ install(FILES $<TARGET_FILE:${target}>
+ DESTINATION ${CMAKE_INSTALL_LIBDIR}
+ RENAME "libmbedcrypto.a"
+ )
else()
+ # Copy the crypto shared library from tf-psa-crypto:
+ # - ".so.<VERSION>" on Unix
+ # - ".dylib" on macOS
+ # - ".dll" on Windows
+ # The full path to the file is given by $<TARGET_FILE:${target}>.
+ #
+ # On systems that use .so versioning, also create the symbolic links
+ # ".so.<SOVERSION>" and ".so", which correspond to
+ # $<TARGET_SONAME_FILE_NAME:${target}> and $<TARGET_LINKER_FILE_NAME:${target}>,
+ # respectively.
+ #
+ # On Windows, also copy the ".lib" file, whose full path is
+ # $<TARGET_LINKER_FILE:${target}>.
+ #
+ # Provide also the crypto libraries under their historical names:
+ # "libmbedcrypto.*"
add_custom_command(
- TARGET ${mbedtls_target}
- POST_BUILD
- COMMAND ${CMAKE_COMMAND}
- ARGS -E copy $<TARGET_FILE:${target}>
- ${CMAKE_BINARY_DIR}/library/$<TARGET_FILE_NAME:${target}>)
- add_custom_command(
- TARGET ${mbedtls_target}
- POST_BUILD
- COMMAND ${CMAKE_COMMAND}
- ARGS -E copy $<TARGET_LINKER_FILE:${target}>
- ${CMAKE_BINARY_DIR}/library/$<TARGET_LINKER_FILE_NAME:${target}>)
+ TARGET ${mbedtls_target} POST_BUILD
+ COMMAND ${CMAKE_COMMAND} -E copy_if_different
+ $<TARGET_FILE:${target}>
+ $<TARGET_FILE_NAME:${target}>
+ )
+ if(APPLE)
+ add_custom_command(
+ TARGET ${mbedtls_target} POST_BUILD
+ COMMAND ${CMAKE_COMMAND} -E create_symlink
+ $<TARGET_FILE_NAME:${target}>
+ libmbedcrypto.dylib
+ )
+ install(FILES $<TARGET_FILE:${target}>
+ DESTINATION ${CMAKE_INSTALL_LIBDIR}
+ RENAME "libmbedcrypto.dylib"
+ )
+ elseif(WIN32 AND NOT CYGWIN)
+ add_custom_command(
+ TARGET ${mbedtls_target} POST_BUILD
+ COMMAND ${CMAKE_COMMAND} -E copy_if_different
+ $<TARGET_FILE:${target}>
+ libmbedcrypto.dll
+ )
+ add_custom_command(
+ TARGET ${mbedtls_target} POST_BUILD
+ COMMAND ${CMAKE_COMMAND} -E copy_if_different
+ $<TARGET_LINKER_FILE:${target}>
+ $<TARGET_LINKER_FILE_NAME:${target}>
+ COMMAND ${CMAKE_COMMAND} -E copy_if_different
+ $<TARGET_LINKER_FILE:${target}>
+ libmbedcrypto.lib
+ )
+ install(FILES $<TARGET_FILE:${target}>
+ DESTINATION ${CMAKE_INSTALL_BINDIR}
+ RENAME "libmbedcrypto.dll"
+ )
+ install(FILES $<TARGET_LINKER_FILE:${target}>
+ DESTINATION ${CMAKE_INSTALL_LIBDIR}
+ RENAME "libmbedcrypto.lib"
+ )
+ else()
+ add_custom_command(
+ TARGET ${mbedtls_target} POST_BUILD
+ COMMAND ${CMAKE_COMMAND} -E create_symlink
+ $<TARGET_FILE_NAME:${target}>
+ $<TARGET_SONAME_FILE_NAME:${target}>
+ COMMAND ${CMAKE_COMMAND} -E create_symlink
+ $<TARGET_SONAME_FILE_NAME:${target}>
+ $<TARGET_LINKER_FILE_NAME:${target}>
+ COMMAND ${CMAKE_COMMAND} -E create_symlink
+ $<TARGET_FILE_NAME:${target}>
+ libmbedcrypto.so.${MBEDTLS_VERSION}
+ COMMAND ${CMAKE_COMMAND} -E create_symlink
+ libmbedcrypto.so.${MBEDTLS_VERSION}
+ libmbedcrypto.so.${MBEDTLS_CRYPTO_SOVERSION}
+ COMMAND ${CMAKE_COMMAND} -E create_symlink
+ libmbedcrypto.so.${MBEDTLS_CRYPTO_SOVERSION}
+ libmbedcrypto.so
+ )
+ install(FILES $<TARGET_FILE:${target}>
+ DESTINATION ${CMAKE_INSTALL_LIBDIR}
+ RENAME "libmbedcrypto.so.${MBEDTLS_VERSION}"
+ )
+ install(CODE "
+ set(_libdir \"\${CMAKE_INSTALL_PREFIX}/${CMAKE_INSTALL_LIBDIR}\")
+
+ execute_process(COMMAND \"\${CMAKE_COMMAND}\" -E create_symlink
+ \"libmbedcrypto.so.${MBEDTLS_VERSION}\"
+ \${_libdir}/libmbedcrypto.so.${MBEDTLS_CRYPTO_SOVERSION})
+ execute_process(COMMAND \"\${CMAKE_COMMAND}\" -E create_symlink
+ \"libmbedcrypto.so.${MBEDTLS_CRYPTO_SOVERSION}\"
+ \${_libdir}/libmbedcrypto.so)
+ ")
+ endif()
endif()
endforeach(target)
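Review bot: The `install(CODE ...)` block in the ELF branch builds `_libdir` from `CMAKE_INSTALL_PREFIX` alone, so a staged install with `DESTDIR` set puts `libmbedcrypto.so.${MBEDTLS_VERSION}` under the staging root through `install(FILES ...)` but creates the two symlinks in the real prefix, outside the staging tree. The path should start with `\$ENV{DESTDIR}` and the link arguments should be quoted so a prefix containing spaces is not split. Neither `execute_process` call checks its result, so a failed symlink still produces an install that reports success. The POST_BUILD commands in this hunk also write to relative destinations with no `WORKING_DIRECTORY`, where the removed code named `${CMAKE_BINARY_DIR}/library` explicitly. The enclosing `foreach` starts outside this hunk.

```cmake
# … unchanged: install(FILES ... RENAME "libmbedcrypto.so.${MBEDTLS_VERSION}") …
install(CODE "
    set(_libdir \"\$ENV{DESTDIR}\${CMAKE_INSTALL_PREFIX}/${CMAKE_INSTALL_LIBDIR}\")

    execute_process(COMMAND \"\${CMAKE_COMMAND}\" -E create_symlink
        \"libmbedcrypto.so.${MBEDTLS_VERSION}\"
        \"\${_libdir}/libmbedcrypto.so.${MBEDTLS_CRYPTO_SOVERSION}\"
        RESULT_VARIABLE _rc)
    if(NOT _rc EQUAL 0)
        message(FATAL_ERROR \"Failed to create libmbedcrypto.so.${MBEDTLS_CRYPTO_SOVERSION} symlink\")
    endif()
    execute_process(COMMAND \"\${CMAKE_COMMAND}\" -E create_symlink
        \"libmbedcrypto.so.${MBEDTLS_CRYPTO_SOVERSION}\"
        \"\${_libdir}/libmbedcrypto.so\"
        RESULT_VARIABLE _rc)
    if(NOT _rc EQUAL 0)
        message(FATAL_ERROR \"Failed to create libmbedcrypto.so symlink\")
    endif()
")
```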
diff --git a/library/ssl_tls.c b/library/ssl_tls.c
index 37e4259..75c59a9 100644
--- a/library/ssl_tls.c
+++ b/library/ssl_tls.c
@@ -3178,7 +3178,7 @@
start = MBEDTLS_GET_UINT64_BE(p, 0);
p += 8;
- session->start = (time_t) start;
+ session->start = (mbedtls_time_t) start;
#endif /* MBEDTLS_HAVE_TIME */
/*
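Review bot: The cast on the new line converts a 64-bit value read from the serialized session straight into `mbedtls_time_t` with no range check, and that configurable type may be narrower than 64 bits or signed. A value that does not fit would wrap or truncate, and the session start time, presumably used later for lifetime checks, would be wrong without any error being reported. Consider rejecting out-of-range values before the assignment, or at least documenting the assumption with a comment such as `/* assumes mbedtls_time_t can represent every serialized start value */`. The enclosing function begins and ends outside this hunk, so any validation of the input elsewhere cannot be seen here.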
diff --git a/programs/test/cmake_package_install/CMakeLists.txt b/programs/test/cmake_package_install/CMakeLists.txt
index 60a4481..723538f 100644
--- a/programs/test/cmake_package_install/CMakeLists.txt
+++ b/programs/test/cmake_package_install/CMakeLists.txt
@@ -17,6 +17,7 @@
"-DENABLE_TESTING=NO"
# Turn on generated files explicitly in case this is a release
"-DGEN_FILES=ON"
+ "-DUSE_SHARED_MBEDTLS_LIBRARY=ON"
"-DCMAKE_INSTALL_PREFIX=${MbedTLS_INSTALL_DIR}")
execute_process(
diff --git a/programs/test/dlopen.c b/programs/test/dlopen.c
index 58a6af5..2a67635 100644
--- a/programs/test/dlopen.c
+++ b/programs/test/dlopen.c
@@ -84,13 +84,13 @@
#if defined(MBEDTLS_MD_C)
const char *crypto_so_filename = NULL;
- void *crypto_so = dlopen(MBEDCRYPTO_SO_FILENAME, RTLD_NOW);
+ void *crypto_so = dlopen(TFPSACRYPTO_SO_FILENAME, RTLD_NOW);
if (dlerror() == NULL) {
- crypto_so_filename = MBEDCRYPTO_SO_FILENAME;
- } else {
- crypto_so = dlopen(TFPSACRYPTO_SO_FILENAME, RTLD_NOW);
- CHECK_DLERROR("dlopen", TFPSACRYPTO_SO_FILENAME);
crypto_so_filename = TFPSACRYPTO_SO_FILENAME;
+ } else {
+ crypto_so = dlopen(MBEDCRYPTO_SO_FILENAME, RTLD_NOW);
+ CHECK_DLERROR("dlopen", MBEDCRYPTO_SO_FILENAME);
+ crypto_so_filename = MBEDCRYPTO_SO_FILENAME;
}
#pragma GCC diagnostic push
/* dlsym() returns an object pointer which is meant to be used as a
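Review bot: The success test after the first `dlopen` is `dlerror() == NULL` rather than the returned handle, so the branch depends on the error state being clear beforehand, and the reason the TF-PSA-Crypto library failed to load is consumed without being reported. Testing the handle directly, `if (crypto_so != NULL) {`, is the more robust check, and printing the first `dlerror()` string before falling back to `MBEDCRYPTO_SO_FILENAME` would record why the fallback was taken. Both names are passed to `dlopen` as given, so which file is loaded depends on the loader search path of the test environment; the two macros are defined outside this hunk.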
diff --git a/programs/test/udp_proxy.c b/programs/test/udp_proxy.c
index c80a3f5..efa003d 100644
--- a/programs/test/udp_proxy.c
+++ b/programs/test/udp_proxy.c
@@ -17,15 +17,14 @@
#include "mbedtls/build_info.h"
#include <limits.h>
+#include <stdlib.h>
#if defined(MBEDTLS_PLATFORM_C)
#include "mbedtls/platform.h"
#else
#include <stdio.h>
-#include <stdlib.h>
#if defined(MBEDTLS_HAVE_TIME)
#include <time.h>
#define mbedtls_time time
-#define mbedtls_time_t time_t
#endif
#define mbedtls_printf printf
#define mbedtls_calloc calloc
diff --git a/scripts/bump_version.sh b/scripts/bump_version.sh
index 62939e3..9966dea 100755
--- a/scripts/bump_version.sh
+++ b/scripts/bump_version.sh
@@ -70,18 +70,14 @@
fi
[ $VERBOSE ] && echo "Bumping VERSION in CMakeLists.txt"
-sed -e "s/ VERSION [0-9.]\{1,\}/ VERSION $VERSION/g" < CMakeLists.txt > tmp
+sed -e "s/(MBEDTLS_VERSION [0-9.]\{1,\})/(MBEDTLS_VERSION $VERSION)/g" < CMakeLists.txt > tmp
mv tmp CMakeLists.txt
-[ $VERBOSE ] && echo "Bumping VERSION in library/CMakeLists.txt"
-sed -e "s/ VERSION [0-9.]\{1,\}/ VERSION $VERSION/g" < library/CMakeLists.txt > tmp
-mv tmp library/CMakeLists.txt
-
if [ "X" != "X$SO_CRYPTO" ];
then
- [ $VERBOSE ] && echo "Bumping SOVERSION for libmbedcrypto in library/CMakeLists.txt"
- sed -e "/mbedcrypto/ s/ SOVERSION [0-9]\{1,\}/ SOVERSION $SO_CRYPTO/g" < library/CMakeLists.txt > tmp
- mv tmp library/CMakeLists.txt
+ [ $VERBOSE ] && echo "Bumping SOVERSION for libmbedcrypto in CMakeLists.txt"
+ sed -e "s/(MBEDTLS_CRYPTO_SOVERSION [0-9]\{1,\})/(MBEDTLS_CRYPTO_SOVERSION $SO_CRYPTO)/g" < CMakeLists.txt > tmp
+ mv tmp CMakeLists.txt
[ $VERBOSE ] && echo "Bumping SOVERSION for libmbedcrypto in library/Makefile"
sed -e "s/SOEXT_CRYPTO?=so.[0-9]\{1,\}/SOEXT_CRYPTO?=so.$SO_CRYPTO/g" < library/Makefile > tmp
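Review bot: The rewritten `sed` expressions change only a line that matches `(MBEDTLS_VERSION <digits>)` exactly, and nothing verifies that a substitution happened. If the `set(...)` lines in CMakeLists.txt are ever reformatted, the script still prints "Bumping VERSION" and leaves the old number in place. A post-check after the `mv`, such as `grep -q "(MBEDTLS_VERSION $VERSION)" CMakeLists.txt || { echo "version not updated" >&2; exit 1; }`, would catch that. The same applies to the `MBEDTLS_CRYPTO_SOVERSION` edit in this hunk and to the `MBEDTLS_X509_SOVERSION` and `MBEDTLS_TLS_SOVERSION` edits in the next two hunks. `$VERSION` and the `$SO_*` values are interpolated into the sed program unescaped, so they should be validated as digits and dots where they are parsed, which is outside these hunks.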
@@ -90,9 +86,9 @@
if [ "X" != "X$SO_X509" ];
then
- [ $VERBOSE ] && echo "Bumping SOVERSION for libmbedx509 in library/CMakeLists.txt"
- sed -e "/mbedx509/ s/ SOVERSION [0-9]\{1,\}/ SOVERSION $SO_X509/g" < library/CMakeLists.txt > tmp
- mv tmp library/CMakeLists.txt
+ [ $VERBOSE ] && echo "Bumping SOVERSION for libmbedx509 in CMakeLists.txt"
+ sed -e "s/(MBEDTLS_X509_SOVERSION [0-9]\{1,\})/(MBEDTLS_X509_SOVERSION $SO_X509)/g" < CMakeLists.txt > tmp
+ mv tmp CMakeLists.txt
[ $VERBOSE ] && echo "Bumping SOVERSION for libmbedx509 in library/Makefile"
sed -e "s/SOEXT_X509?=so.[0-9]\{1,\}/SOEXT_X509?=so.$SO_X509/g" < library/Makefile > tmp
@@ -101,9 +97,9 @@
if [ "X" != "X$SO_TLS" ];
then
- [ $VERBOSE ] && echo "Bumping SOVERSION for libmbedtls in library/CMakeLists.txt"
- sed -e "/mbedtls/ s/ SOVERSION [0-9]\{1,\}/ SOVERSION $SO_TLS/g" < library/CMakeLists.txt > tmp
- mv tmp library/CMakeLists.txt
+ [ $VERBOSE ] && echo "Bumping SOVERSION for libmbedtls in CMakeLists.txt"
+ sed -e "s/(MBEDTLS_TLS_SOVERSION [0-9]\{1,\})/(MBEDTLS_TLS_SOVERSION $SO_TLS)/g" < CMakeLists.txt > tmp
+ mv tmp CMakeLists.txt
[ $VERBOSE ] && echo "Bumping SOVERSION for libmbedtls in library/Makefile"
sed -e "s/SOEXT_TLS?=so.[0-9]\{1,\}/SOEXT_TLS?=so.$SO_TLS/g" < library/Makefile > tmp
diff --git a/tests/psa-client-server/psasim/include/util.h b/tests/psa-client-server/psasim/include/util.h
index 5eb8238..dfc9a32 100644
--- a/tests/psa-client-server/psasim/include/util.h
+++ b/tests/psa-client-server/psasim/include/util.h
@@ -7,6 +7,8 @@
#include "service.h"
+#include <stdio.h>
+
#define PRINT(fmt, ...) \
fprintf(stdout, fmt "\n", ##__VA_ARGS__)
diff --git a/tests/scripts/components-build-system.sh b/tests/scripts/components-build-system.sh
index 8a84911..ce923b5 100644
--- a/tests/scripts/components-build-system.sh
+++ b/tests/scripts/components-build-system.sh
@@ -138,6 +138,16 @@
cd programs/test/cmake_package_install
cmake .
make
+
+ if ! cmp -s "mbedtls/lib/libtfpsacrypto.a" "mbedtls/lib/libmbedcrypto.a"; then
+ echo "Error: Crypto static libraries are different or one of them is missing/unreadable." >&2
+ exit 1
+ fi
+ if ! cmp -s "mbedtls/lib/libtfpsacrypto.so" "mbedtls/lib/libmbedcrypto.so"; then
+ echo "Error: Crypto shared libraries are different or one of them is missing/unreadable." >&2
+ exit 1
+ fi
+
./cmake_package_install
}
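Review bot: The shared-library check compares only the unversioned `.so` names, and `cmp` follows symlinks, so it proves the final file contents match but not that the versioned `libmbedcrypto.so.<SOVERSION>` link exists or that the links stay inside the install tree. Adding a `[ -L mbedtls/lib/libmbedcrypto.so ]` test and a comparison of the `.so.<SOVERSION>` name would cover the symlink chain that library/CMakeLists.txt creates at install time. `cmp -s` also hides whether the failure was a mismatch or a missing file; dropping `-s` keeps that detail in the log. The component function starts outside this hunk.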
diff --git a/tests/scripts/components-configuration-crypto.sh b/tests/scripts/components-configuration-crypto.sh
index c9c6a13..0551e6a 100644
--- a/tests/scripts/components-configuration-crypto.sh
+++ b/tests/scripts/components-configuration-crypto.sh
@@ -100,6 +100,7 @@
# tests in 'test_suite_psa_crypto_op_fail' that would never be executed.
scripts/config.py set PSA_WANT_ECC_SECP_K1_192
scripts/config.py set PSA_WANT_ECC_SECP_R1_192
+ scripts/config.py set TF_PSA_CRYPTO_ALLOW_REMOVED_MECHANISMS || true
# Accelerate all PSA features (which are still enabled in CRYPTO_CONFIG_H).
PSA_SYM_LIST=$(./scripts/config.py get-all-enabled PSA_WANT)