Merge remote-tracking branch 'upstream-public/development' into no-generated-files-3.0

Conflicts: generated files that are removed in this branch and have
changed in development. Resolved by keeping the files removed.
Gilles Peskine 2021-05-20 10:40:48 +02:00
commit eb30b0cc39
30 changed files with 75 additions and 187 deletions


@ -56,17 +56,6 @@ else()
endif() endif()
# Warning string - created as a list for compatibility with CMake 2.8 # Warning string - created as a list for compatibility with CMake 2.8
set(WARNING_BORDER "*******************************************************\n")
set(NULL_ENTROPY_WARN_L1 "**** WARNING! MBEDTLS_TEST_NULL_ENTROPY defined!\n")
set(NULL_ENTROPY_WARN_L2 "**** THIS BUILD HAS NO DEFINED ENTROPY SOURCES\n")
set(NULL_ENTROPY_WARN_L3 "**** AND IS *NOT* SUITABLE FOR PRODUCTION USE\n")
set(NULL_ENTROPY_WARNING "${WARNING_BORDER}"
"${NULL_ENTROPY_WARN_L1}"
"${NULL_ENTROPY_WARN_L2}"
"${NULL_ENTROPY_WARN_L3}"
"${WARNING_BORDER}")
set(CTR_DRBG_128_BIT_KEY_WARN_L1 "**** WARNING! MBEDTLS_CTR_DRBG_USE_128_BIT_KEY defined!\n") set(CTR_DRBG_128_BIT_KEY_WARN_L1 "**** WARNING! MBEDTLS_CTR_DRBG_USE_128_BIT_KEY defined!\n")
set(CTR_DRBG_128_BIT_KEY_WARN_L2 "**** Using 128-bit keys for CTR_DRBG limits the security of generated\n") set(CTR_DRBG_128_BIT_KEY_WARN_L2 "**** Using 128-bit keys for CTR_DRBG limits the security of generated\n")
set(CTR_DRBG_128_BIT_KEY_WARN_L3 "**** keys and operations that use random values generated to 128-bit security\n") set(CTR_DRBG_128_BIT_KEY_WARN_L3 "**** keys and operations that use random values generated to 128-bit security\n")
@ -99,26 +88,6 @@ if(MBEDTLS_PYTHON_EXECUTABLE)
message(WARNING ${CTR_DRBG_128_BIT_KEY_WARNING}) message(WARNING ${CTR_DRBG_128_BIT_KEY_WARNING})
endif() endif()
# If NULL Entropy is configured, display an appropriate warning
execute_process(COMMAND ${MBEDTLS_PYTHON_EXECUTABLE} ${CMAKE_CURRENT_SOURCE_DIR}/scripts/config.py -f ${CMAKE_CURRENT_SOURCE_DIR}/include/mbedtls/config.h get MBEDTLS_TEST_NULL_ENTROPY
RESULT_VARIABLE result)
if(${result} EQUAL 0)
message(WARNING ${NULL_ENTROPY_WARNING})
if(NOT UNSAFE_BUILD)
message(FATAL_ERROR "\
\n\
Warning! You have enabled MBEDTLS_TEST_NULL_ENTROPY. \
This option is not safe for production use and negates all security \
It is intended for development use only. \
\n\
To confirm you want to build with this option, re-run cmake with the \
option: \n\
cmake -DUNSAFE_BUILD=ON ")
return()
endif()
endif()
endif() endif()
# If this is the root project add longer list of available CMAKE_BUILD_TYPE values # If this is the root project add longer list of available CMAKE_BUILD_TYPE values


@ -0,0 +1,3 @@
Removals
* Remove the MBEDTLS_SSL_RECORD_CHECKING option and enable by default its
previous action. Fixes #4361.


@ -0,0 +1,3 @@
Changes
* When building the test suites with GNU make, invoke python3 or python, not
python2, which is no longer supported upstream.


@ -0,0 +1,2 @@
Features
* Implement psa_sign_message() and psa_verify_message().


@ -0,0 +1,2 @@
API changes
* Remove the MBEDTLS_TEST_NULL_ENTROPY config option. Fixes #4388.


@ -0,0 +1,6 @@
API changes
* The output parameter of mbedtls_sha512_finish_ret, mbedtls_sha512_ret,
mbedtls_sha256_finish_ret and mbedtls_sha256_ret now has a pointer type
rather than array type. This removes spurious warnings in some compilers
when outputting a SHA-384 or SHA-224 hash into a buffer of exactly
the hash size.


@ -91,12 +91,6 @@ uninstall:
done done
endif endif
WARNING_BORDER =*******************************************************\n
NULL_ENTROPY_WARN_L1=**** WARNING! MBEDTLS_TEST_NULL_ENTROPY defined! ****\n
NULL_ENTROPY_WARN_L2=**** THIS BUILD HAS NO DEFINED ENTROPY SOURCES ****\n
NULL_ENTROPY_WARN_L3=**** AND IS *NOT* SUITABLE FOR PRODUCTION USE ****\n
NULL_ENTROPY_WARNING=\n$(WARNING_BORDER)$(NULL_ENTROPY_WARN_L1)$(NULL_ENTROPY_WARN_L2)$(NULL_ENTROPY_WARN_L3)$(WARNING_BORDER)
WARNING_BORDER_LONG =**********************************************************************************\n WARNING_BORDER_LONG =**********************************************************************************\n
CTR_DRBG_128_BIT_KEY_WARN_L1=**** WARNING! MBEDTLS_CTR_DRBG_USE_128_BIT_KEY defined! ****\n CTR_DRBG_128_BIT_KEY_WARN_L1=**** WARNING! MBEDTLS_CTR_DRBG_USE_128_BIT_KEY defined! ****\n
@ -113,9 +107,6 @@ ifndef WINDOWS
-scripts/config.py get MBEDTLS_CTR_DRBG_USE_128_BIT_KEY && ([ $$? -eq 0 ]) && \ -scripts/config.py get MBEDTLS_CTR_DRBG_USE_128_BIT_KEY && ([ $$? -eq 0 ]) && \
echo '$(CTR_DRBG_128_BIT_KEY_WARNING)' echo '$(CTR_DRBG_128_BIT_KEY_WARNING)'
# If NULL Entropy is configured, display an appropriate warning
-scripts/config.py get MBEDTLS_TEST_NULL_ENTROPY && ([ $$? -eq 0 ]) && \
echo '$(NULL_ENTROPY_WARNING)'
endif endif
clean: clean_more_on_top clean: clean_more_on_top


@ -0,0 +1,11 @@
Remove the option to build the library without any entropy sources
------------------------------------------------------------------
This does not affect users who use the default `config.h`, as this option was
already off by default.
If you were using the `MBEDTLS_TEST_NULL_ENTROPY` option and your platform
doesn't have any entropy source, you should use `MBEDTLS_ENTROPY_NV_SEED`
and make sure your device is provisioned with a strong random seed.
Alternatively, for testing purposes only, you can create and register a fake
entropy function.


@ -0,0 +1,13 @@
Remove MBEDTLS_SSL_RECORD_CHECKING option and enable its action by default
--------------------------------------------------------------------------
This change does not affect users who use the default config.h, as the
option MBEDTLS_SSL_RECORD_CHECKING was already on by default.
This option was added only to control compilation of one function,
mbedtls_ssl_check_record(), which is only useful in some specific cases, so it
was made optional to allow users who don't need it to save some code space.
However, the same effect can be achieve by using link-time garbage collection.
Users who changed the default setting of the option need to change the config/
build system to remove that change.


@ -0,0 +1,8 @@
SHA-512 and SHA-256 output type change
--------------------------
The output parameter of `mbedtls_sha256_finish_ret()`, `mbedtls_sha256_ret()`, `mbedtls_sha512_finish_ret()`, `mbedtls_sha512_ret()` now has a pointer type rather than array type. This makes no difference in terms of C semantics, but removes spurious warnings in some compilers when outputting a SHA-384 hash into a 48-byte buffer or a SHA-224 hash into a 28-byte buffer.
This makes no difference to a vast majority of applications. If your code takes a pointer to one of these functions, you may need to change the type of the pointer.
Alternative implementations of the SHA256 and SHA512 modules must adjust their functions' prototype accordingly.


@ -201,15 +201,6 @@
#endif #endif
#undef MBEDTLS_HAS_MEMSAN #undef MBEDTLS_HAS_MEMSAN
#if defined(MBEDTLS_TEST_NULL_ENTROPY) && \
( !defined(MBEDTLS_ENTROPY_C) || !defined(MBEDTLS_NO_DEFAULT_ENTROPY_SOURCES) )
#error "MBEDTLS_TEST_NULL_ENTROPY defined, but not all prerequisites"
#endif
#if defined(MBEDTLS_TEST_NULL_ENTROPY) && \
( defined(MBEDTLS_ENTROPY_NV_SEED) || defined(MBEDTLS_ENTROPY_HARDWARE_ALT) )
#error "MBEDTLS_TEST_NULL_ENTROPY defined, but entropy sources too"
#endif
#if defined(MBEDTLS_GCM_C) && ( \ #if defined(MBEDTLS_GCM_C) && ( \
!defined(MBEDTLS_AES_C) && !defined(MBEDTLS_CAMELLIA_C) && !defined(MBEDTLS_ARIA_C) ) !defined(MBEDTLS_AES_C) && !defined(MBEDTLS_CAMELLIA_C) && !defined(MBEDTLS_ARIA_C) )
#error "MBEDTLS_GCM_C defined, but not all prerequisites" #error "MBEDTLS_GCM_C defined, but not all prerequisites"


@ -527,23 +527,6 @@
//#define MBEDTLS_ECP_RANDOMIZE_MXZ_ALT //#define MBEDTLS_ECP_RANDOMIZE_MXZ_ALT
//#define MBEDTLS_ECP_NORMALIZE_MXZ_ALT //#define MBEDTLS_ECP_NORMALIZE_MXZ_ALT
/**
* \def MBEDTLS_TEST_NULL_ENTROPY
*
* Enables testing and use of mbed TLS without any configured entropy sources.
* This permits use of the library on platforms before an entropy source has
* been integrated (see for example the MBEDTLS_ENTROPY_HARDWARE_ALT or the
* MBEDTLS_ENTROPY_NV_SEED switches).
*
* WARNING! This switch MUST be disabled in production builds, and is suitable
* only for development.
* Enabling the switch negates any security provided by the library.
*
* Requires MBEDTLS_ENTROPY_C, MBEDTLS_NO_DEFAULT_ENTROPY_SOURCES
*
*/
//#define MBEDTLS_TEST_NULL_ENTROPY
/** /**
* \def MBEDTLS_ENTROPY_HARDWARE_ALT * \def MBEDTLS_ENTROPY_HARDWARE_ALT
* *
@ -1467,20 +1450,6 @@
*/ */
#define MBEDTLS_SSL_ALL_ALERT_MESSAGES #define MBEDTLS_SSL_ALL_ALERT_MESSAGES
/**
* \def MBEDTLS_SSL_RECORD_CHECKING
*
* Enable the function mbedtls_ssl_check_record() which can be used to check
* the validity and authenticity of an incoming record, to verify that it has
* not been seen before. These checks are performed without modifying the
* externally visible state of the SSL context.
*
* See mbedtls_ssl_check_record() for more information.
*
* Uncomment to enable support for record checking.
*/
#define MBEDTLS_SSL_RECORD_CHECKING
/** /**
* \def MBEDTLS_SSL_DTLS_CONNECTION_ID * \def MBEDTLS_SSL_DTLS_CONNECTION_ID
* *


@ -127,13 +127,14 @@ int mbedtls_sha256_update_ret( mbedtls_sha256_context *ctx,
* \param ctx The SHA-256 context. This must be initialized * \param ctx The SHA-256 context. This must be initialized
* and have a hash operation started. * and have a hash operation started.
* \param output The SHA-224 or SHA-256 checksum result. * \param output The SHA-224 or SHA-256 checksum result.
* This must be a writable buffer of length \c 32 Bytes. * This must be a writable buffer of length \c 32 bytes
* for SHA-256, \c 28 bytes for SHA-224.
* *
* \return \c 0 on success. * \return \c 0 on success.
* \return A negative error code on failure. * \return A negative error code on failure.
*/ */
int mbedtls_sha256_finish_ret( mbedtls_sha256_context *ctx, int mbedtls_sha256_finish_ret( mbedtls_sha256_context *ctx,
unsigned char output[32] ); unsigned char *output );
/** /**
* \brief This function processes a single data block within * \brief This function processes a single data block within
@ -163,14 +164,15 @@ int mbedtls_internal_sha256_process( mbedtls_sha256_context *ctx,
* \param input The buffer holding the data. This must be a readable * \param input The buffer holding the data. This must be a readable
* buffer of length \p ilen Bytes. * buffer of length \p ilen Bytes.
* \param ilen The length of the input data in Bytes. * \param ilen The length of the input data in Bytes.
* \param output The SHA-224 or SHA-256 checksum result. This must * \param output The SHA-224 or SHA-256 checksum result.
* be a writable buffer of length \c 32 Bytes. * This must be a writable buffer of length \c 32 bytes
* for SHA-256, \c 28 bytes for SHA-224.
* \param is224 Determines which function to use. This must be * \param is224 Determines which function to use. This must be
* either \c 0 for SHA-256, or \c 1 for SHA-224. * either \c 0 for SHA-256, or \c 1 for SHA-224.
*/ */
int mbedtls_sha256_ret( const unsigned char *input, int mbedtls_sha256_ret( const unsigned char *input,
size_t ilen, size_t ilen,
unsigned char output[32], unsigned char *output,
int is224 ); int is224 );
#if defined(MBEDTLS_SELF_TEST) #if defined(MBEDTLS_SELF_TEST)
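Review bot: The new `output` text on `mbedtls_sha256_finish_ret()` gives two buffer lengths but does not say what selects between them, and with `unsigned char output[32]` replaced by `unsigned char *output` the prototype no longer carries any size hint, so this comment is the only place a caller learns how many bytes will be written. `mbedtls_sha256_ret()` has `is224` to tie the length to, but `finish_ret` does not; presumably the variant is the one the context was started with, which is not visible in this hunk. I would extend the sentence to something like `for SHA-256, \c 28 bytes for SHA-224, matching the variant selected when the hash operation was started`, and use one spelling of "bytes" within each comment block (the `input`/`ilen` lines still say "Bytes"). The same applies to the `output` text of `mbedtls_sha512_finish_ret()` in the SHA-512 header section.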


@ -134,13 +134,14 @@ int mbedtls_sha512_update_ret( mbedtls_sha512_context *ctx,
* \param ctx The SHA-512 context. This must be initialized * \param ctx The SHA-512 context. This must be initialized
* and have a hash operation started. * and have a hash operation started.
* \param output The SHA-384 or SHA-512 checksum result. * \param output The SHA-384 or SHA-512 checksum result.
* This must be a writable buffer of length \c 64 Bytes. * This must be a writable buffer of length \c 64 bytes
* for SHA-512, \c 48 bytes for SHA-384.
* *
* \return \c 0 on success. * \return \c 0 on success.
* \return A negative error code on failure. * \return A negative error code on failure.
*/ */
int mbedtls_sha512_finish_ret( mbedtls_sha512_context *ctx, int mbedtls_sha512_finish_ret( mbedtls_sha512_context *ctx,
unsigned char output[64] ); unsigned char *output );
/** /**
* \brief This function processes a single data block within * \brief This function processes a single data block within
@ -171,7 +172,8 @@ int mbedtls_internal_sha512_process( mbedtls_sha512_context *ctx,
* a readable buffer of length \p ilen Bytes. * a readable buffer of length \p ilen Bytes.
* \param ilen The length of the input data in Bytes. * \param ilen The length of the input data in Bytes.
* \param output The SHA-384 or SHA-512 checksum result. * \param output The SHA-384 or SHA-512 checksum result.
* This must be a writable buffer of length \c 64 Bytes. * This must be a writable buffer of length \c 64 bytes
* for SHA-512, \c 48 bytes for SHA-384.
* \param is384 Determines which function to use. This must be either * \param is384 Determines which function to use. This must be either
* \c 0 for SHA-512, or \c 1 for SHA-384. * \c 0 for SHA-512, or \c 1 for SHA-384.
* *
@ -184,7 +186,7 @@ int mbedtls_internal_sha512_process( mbedtls_sha512_context *ctx,
*/ */
int mbedtls_sha512_ret( const unsigned char *input, int mbedtls_sha512_ret( const unsigned char *input,
size_t ilen, size_t ilen,
unsigned char output[64], unsigned char *output,
int is384 ); int is384 );
#if defined(MBEDTLS_SELF_TEST) #if defined(MBEDTLS_SELF_TEST)


@ -1791,7 +1791,6 @@ void mbedtls_ssl_set_verify( mbedtls_ssl_context *ssl,
*/ */
void mbedtls_ssl_conf_read_timeout( mbedtls_ssl_config *conf, uint32_t timeout ); void mbedtls_ssl_conf_read_timeout( mbedtls_ssl_config *conf, uint32_t timeout );
#if defined(MBEDTLS_SSL_RECORD_CHECKING)
/** /**
* \brief Check whether a buffer contains a valid and authentic record * \brief Check whether a buffer contains a valid and authentic record
* that has not been seen before. (DTLS only). * that has not been seen before. (DTLS only).
@ -1839,7 +1838,6 @@ void mbedtls_ssl_conf_read_timeout( mbedtls_ssl_config *conf, uint32_t timeout )
int mbedtls_ssl_check_record( mbedtls_ssl_context const *ssl, int mbedtls_ssl_check_record( mbedtls_ssl_context const *ssl,
unsigned char *buf, unsigned char *buf,
size_t buflen ); size_t buflen );
#endif /* MBEDTLS_SSL_RECORD_CHECKING */
/** /**
* \brief Set the timer callbacks (Mandatory for DTLS.) * \brief Set the timer callbacks (Mandatory for DTLS.)


@ -21,12 +21,6 @@
#if defined(MBEDTLS_ENTROPY_C) #if defined(MBEDTLS_ENTROPY_C)
#if defined(MBEDTLS_TEST_NULL_ENTROPY)
#warning "**** WARNING! MBEDTLS_TEST_NULL_ENTROPY defined! "
#warning "**** THIS BUILD HAS NO DEFINED ENTROPY SOURCES "
#warning "**** THIS BUILD IS *NOT* SUITABLE FOR PRODUCTION USE "
#endif
#include "mbedtls/entropy.h" #include "mbedtls/entropy.h"
#include "entropy_poll.h" #include "entropy_poll.h"
#include "mbedtls/platform_util.h" #include "mbedtls/platform_util.h"
@ -73,11 +67,6 @@ void mbedtls_entropy_init( mbedtls_entropy_context *ctx )
/* Reminder: Update ENTROPY_HAVE_STRONG in the test files /* Reminder: Update ENTROPY_HAVE_STRONG in the test files
* when adding more strong entropy sources here. */ * when adding more strong entropy sources here. */
#if defined(MBEDTLS_TEST_NULL_ENTROPY)
mbedtls_entropy_add_source( ctx, mbedtls_null_entropy_poll, NULL,
1, MBEDTLS_ENTROPY_SOURCE_STRONG );
#endif
#if !defined(MBEDTLS_NO_DEFAULT_ENTROPY_SOURCES) #if !defined(MBEDTLS_NO_DEFAULT_ENTROPY_SOURCES)
#if !defined(MBEDTLS_NO_PLATFORM_ENTROPY) #if !defined(MBEDTLS_NO_PLATFORM_ENTROPY)
mbedtls_entropy_add_source( ctx, mbedtls_platform_entropy_poll, NULL, mbedtls_entropy_add_source( ctx, mbedtls_platform_entropy_poll, NULL,
@ -524,7 +513,6 @@ int mbedtls_entropy_update_seed_file( mbedtls_entropy_context *ctx, const char *
#endif /* MBEDTLS_FS_IO */ #endif /* MBEDTLS_FS_IO */
#if defined(MBEDTLS_SELF_TEST) #if defined(MBEDTLS_SELF_TEST)
#if !defined(MBEDTLS_TEST_NULL_ENTROPY)
/* /*
* Dummy source function * Dummy source function
*/ */
@ -538,7 +526,6 @@ static int entropy_dummy_source( void *data, unsigned char *output,
return( 0 ); return( 0 );
} }
#endif /* !MBEDTLS_TEST_NULL_ENTROPY */
#if defined(MBEDTLS_ENTROPY_HARDWARE_ALT) #if defined(MBEDTLS_ENTROPY_HARDWARE_ALT)
@ -646,17 +633,14 @@ cleanup:
int mbedtls_entropy_self_test( int verbose ) int mbedtls_entropy_self_test( int verbose )
{ {
int ret = 1; int ret = 1;
#if !defined(MBEDTLS_TEST_NULL_ENTROPY)
mbedtls_entropy_context ctx; mbedtls_entropy_context ctx;
unsigned char buf[MBEDTLS_ENTROPY_BLOCK_SIZE] = { 0 }; unsigned char buf[MBEDTLS_ENTROPY_BLOCK_SIZE] = { 0 };
unsigned char acc[MBEDTLS_ENTROPY_BLOCK_SIZE] = { 0 }; unsigned char acc[MBEDTLS_ENTROPY_BLOCK_SIZE] = { 0 };
size_t i, j; size_t i, j;
#endif /* !MBEDTLS_TEST_NULL_ENTROPY */
if( verbose != 0 ) if( verbose != 0 )
mbedtls_printf( " ENTROPY test: " ); mbedtls_printf( " ENTROPY test: " );
#if !defined(MBEDTLS_TEST_NULL_ENTROPY)
mbedtls_entropy_init( &ctx ); mbedtls_entropy_init( &ctx );
/* First do a gather to make sure we have default sources */ /* First do a gather to make sure we have default sources */
@ -704,7 +688,6 @@ int mbedtls_entropy_self_test( int verbose )
cleanup: cleanup:
mbedtls_entropy_free( &ctx ); mbedtls_entropy_free( &ctx );
#endif /* !MBEDTLS_TEST_NULL_ENTROPY */
if( verbose != 0 ) if( verbose != 0 )
{ {


@ -211,23 +211,6 @@ int mbedtls_platform_entropy_poll( void *data,
#endif /* _WIN32 && !EFIX64 && !EFI32 */ #endif /* _WIN32 && !EFIX64 && !EFI32 */
#endif /* !MBEDTLS_NO_PLATFORM_ENTROPY */ #endif /* !MBEDTLS_NO_PLATFORM_ENTROPY */
#if defined(MBEDTLS_TEST_NULL_ENTROPY)
int mbedtls_null_entropy_poll( void *data,
unsigned char *output, size_t len, size_t *olen )
{
((void) data);
((void) output);
*olen = 0;
if( len < sizeof(unsigned char) )
return( 0 );
output[0] = 0;
*olen = sizeof(unsigned char);
return( 0 );
}
#endif
#if defined(MBEDTLS_TIMING_C) #if defined(MBEDTLS_TIMING_C)
int mbedtls_hardclock_poll( void *data, int mbedtls_hardclock_poll( void *data,
unsigned char *output, size_t len, size_t *olen ) unsigned char *output, size_t len, size_t *olen )


@ -43,14 +43,6 @@ extern "C" {
#define MBEDTLS_ENTROPY_MIN_HARDWARE 32 /**< Minimum for the hardware source */ #define MBEDTLS_ENTROPY_MIN_HARDWARE 32 /**< Minimum for the hardware source */
#endif #endif
/**
* \brief Entropy poll callback that provides 0 entropy.
*/
#if defined(MBEDTLS_TEST_NULL_ENTROPY)
int mbedtls_null_entropy_poll( void *data,
unsigned char *output, size_t len, size_t *olen );
#endif
#if !defined(MBEDTLS_NO_PLATFORM_ENTROPY) #if !defined(MBEDTLS_NO_PLATFORM_ENTROPY)
/** /**
* \brief Platform-specific entropy poll callback * \brief Platform-specific entropy poll callback


@ -71,7 +71,7 @@ extern "C" {
* *
* \param feature The feature to detect * \param feature The feature to detect
* *
* \return 1 if CPU has support for the feature, 0 otherwise * \return non-zero if CPU has support for the feature, 0 otherwise
*/ */
int mbedtls_padlock_has_support( int feature ); int mbedtls_padlock_has_support( int feature );
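Review bot: Changing the documented return from `1` to `non-zero` loosens the contract for existing callers: anything that compares the result against 1, such as `mbedtls_padlock_has_support( feature ) == 1`, would stop detecting support with no compile-time signal. No caller is visible on this page, so it is worth confirming that every use tests `!= 0` (or plain truthiness) rather than equality with 1.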


@ -332,7 +332,7 @@ int mbedtls_sha256_update_ret( mbedtls_sha256_context *ctx,
* SHA-256 final digest * SHA-256 final digest
*/ */
int mbedtls_sha256_finish_ret( mbedtls_sha256_context *ctx, int mbedtls_sha256_finish_ret( mbedtls_sha256_context *ctx,
unsigned char output[32] ) unsigned char *output )
{ {
int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
uint32_t used; uint32_t used;
@ -401,7 +401,7 @@ int mbedtls_sha256_finish_ret( mbedtls_sha256_context *ctx,
*/ */
int mbedtls_sha256_ret( const unsigned char *input, int mbedtls_sha256_ret( const unsigned char *input,
size_t ilen, size_t ilen,
unsigned char output[32], unsigned char *output,
int is224 ) int is224 )
{ {
int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;


@ -380,7 +380,7 @@ int mbedtls_sha512_update_ret( mbedtls_sha512_context *ctx,
* SHA-512 final digest * SHA-512 final digest
*/ */
int mbedtls_sha512_finish_ret( mbedtls_sha512_context *ctx, int mbedtls_sha512_finish_ret( mbedtls_sha512_context *ctx,
unsigned char output[64] ) unsigned char *output )
{ {
int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
unsigned used; unsigned used;
@ -453,7 +453,7 @@ int mbedtls_sha512_finish_ret( mbedtls_sha512_context *ctx,
*/ */
int mbedtls_sha512_ret( const unsigned char *input, int mbedtls_sha512_ret( const unsigned char *input,
size_t ilen, size_t ilen,
unsigned char output[64], unsigned char *output,
int is384 ) int is384 )
{ {
int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;


@ -86,7 +86,6 @@ int mbedtls_ssl_check_timer( mbedtls_ssl_context *ssl )
return( 0 ); return( 0 );
} }
#if defined(MBEDTLS_SSL_RECORD_CHECKING)
static int ssl_parse_record_header( mbedtls_ssl_context const *ssl, static int ssl_parse_record_header( mbedtls_ssl_context const *ssl,
unsigned char *buf, unsigned char *buf,
size_t len, size_t len,
@ -150,7 +149,6 @@ exit:
MBEDTLS_SSL_DEBUG_MSG( 1, ( "<= mbedtls_ssl_check_record" ) ); MBEDTLS_SSL_DEBUG_MSG( 1, ( "<= mbedtls_ssl_check_record" ) );
return( ret ); return( ret );
} }
#endif /* MBEDTLS_SSL_RECORD_CHECKING */
#define SSL_DONT_FORCE_FLUSH 0 #define SSL_DONT_FORCE_FLUSH 0
#define SSL_FORCE_FLUSH 1 #define SSL_FORCE_FLUSH 1


@ -2898,8 +2898,6 @@ static void ssl_calc_finished_tls_sha256(
#if defined(MBEDTLS_SHA512_C) #if defined(MBEDTLS_SHA512_C)
typedef int (*finish_sha384_t)(mbedtls_sha512_context*, unsigned char*);
static void ssl_calc_finished_tls_sha384( static void ssl_calc_finished_tls_sha384(
mbedtls_ssl_context *ssl, unsigned char *buf, int from ) mbedtls_ssl_context *ssl, unsigned char *buf, int from )
{ {
@ -2958,13 +2956,7 @@ static void ssl_calc_finished_tls_sha384(
MBEDTLS_SSL_DEBUG_BUF( 4, "finished sha512 state", (unsigned char *) MBEDTLS_SSL_DEBUG_BUF( 4, "finished sha512 state", (unsigned char *)
sha512.state, sizeof( sha512.state ) ); sha512.state, sizeof( sha512.state ) );
#endif #endif
/* mbedtls_sha512_finish_ret( &sha512, padbuf );
* For SHA-384, we can save 16 bytes by keeping padbuf 48 bytes long.
* However, to avoid stringop-overflow warning in gcc, we have to cast
* mbedtls_sha512_finish_ret().
*/
finish_sha384_t finish = (finish_sha384_t)mbedtls_sha512_finish_ret;
finish( &sha512, padbuf );
mbedtls_sha512_free( &sha512 ); mbedtls_sha512_free( &sha512 );
#endif #endif
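Review bot: The new direct call `mbedtls_sha512_finish_ret( &sha512, padbuf );` discards the `int` result, although the header on this page documents a negative error code on failure; after a failed finish, the code following the hunk would presumably still consume `padbuf`. `ssl_calc_finished_tls_sha384()` returns `void` and its body starts and ends outside the hunk, so the error cannot simply be propagated, but the discard should at least be deliberate and visible. The removed comment was also the only place stating that `padbuf` is 48 bytes, and the call is only in bounds if `sha512` is a SHA-384 context (inferred from the function name, not shown here). I would keep a one-line reminder such as `/* padbuf is 48 bytes: valid only because sha512 was started as SHA-384 */` above the call.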


@ -20,8 +20,6 @@ endif
DLEXT ?= so DLEXT ?= so
EXEXT= EXEXT=
SHARED_SUFFIX= SHARED_SUFFIX=
# python2 for POSIX since FreeBSD has only python2 as default.
PYTHON ?= python2
ifdef FUZZINGENGINE ifdef FUZZINGENGINE
LOCAL_LDFLAGS += -lFuzzingEngine LOCAL_LDFLAGS += -lFuzzingEngine


@ -159,7 +159,6 @@ int dtls_srtp_key_derivation( void *p_expkey,
#endif /* MBEDTLS_SSL_EXPORT_KEYS */ #endif /* MBEDTLS_SSL_EXPORT_KEYS */
#if defined(MBEDTLS_SSL_RECORD_CHECKING)
int ssl_check_record( mbedtls_ssl_context const *ssl, int ssl_check_record( mbedtls_ssl_context const *ssl,
unsigned char const *buf, size_t len ) unsigned char const *buf, size_t len )
{ {
@ -220,7 +219,6 @@ int ssl_check_record( mbedtls_ssl_context const *ssl,
return( 0 ); return( 0 );
} }
#endif /* MBEDTLS_SSL_RECORD_CHECKING */
int recv_cb( void *ctx, unsigned char *buf, size_t len ) int recv_cb( void *ctx, unsigned char *buf, size_t len )
{ {
@ -241,10 +239,8 @@ int recv_cb( void *ctx, unsigned char *buf, size_t len )
/* Here's the place to do any datagram/record checking /* Here's the place to do any datagram/record checking
* in between receiving the packet from the underlying * in between receiving the packet from the underlying
* transport and passing it on to the TLS stack. */ * transport and passing it on to the TLS stack. */
#if defined(MBEDTLS_SSL_RECORD_CHECKING)
if( ssl_check_record( io_ctx->ssl, buf, recv_len ) != 0 ) if( ssl_check_record( io_ctx->ssl, buf, recv_len ) != 0 )
return( -1 ); return( -1 );
#endif /* MBEDTLS_SSL_RECORD_CHECKING */
} }
return( (int) recv_len ); return( (int) recv_len );
@ -267,10 +263,8 @@ int recv_timeout_cb( void *ctx, unsigned char *buf, size_t len,
/* Here's the place to do any datagram/record checking /* Here's the place to do any datagram/record checking
* in between receiving the packet from the underlying * in between receiving the packet from the underlying
* transport and passing it on to the TLS stack. */ * transport and passing it on to the TLS stack. */
#if defined(MBEDTLS_SSL_RECORD_CHECKING)
if( ssl_check_record( io_ctx->ssl, buf, recv_len ) != 0 ) if( ssl_check_record( io_ctx->ssl, buf, recv_len ) != 0 )
return( -1 ); return( -1 );
#endif /* MBEDTLS_SSL_RECORD_CHECKING */
} }
return( (int) recv_len ); return( (int) recv_len );


@ -194,7 +194,6 @@ EXCLUDE_FROM_FULL = frozenset([
'MBEDTLS_SHA512_NO_SHA384', # removes a feature 'MBEDTLS_SHA512_NO_SHA384', # removes a feature
'MBEDTLS_TEST_CONSTANT_FLOW_MEMSAN', # build dependency (clang+memsan) 'MBEDTLS_TEST_CONSTANT_FLOW_MEMSAN', # build dependency (clang+memsan)
'MBEDTLS_TEST_CONSTANT_FLOW_VALGRIND', # build dependency (valgrind headers) 'MBEDTLS_TEST_CONSTANT_FLOW_VALGRIND', # build dependency (valgrind headers)
'MBEDTLS_TEST_NULL_ENTROPY', # removes a feature
'MBEDTLS_X509_ALLOW_UNSUPPORTED_CRITICAL_EXTENSION', # influences the use of X.509 in TLS 'MBEDTLS_X509_ALLOW_UNSUPPORTED_CRITICAL_EXTENSION', # influences the use of X.509 in TLS
'MBEDTLS_X509_REMOVE_INFO', # removes a feature 'MBEDTLS_X509_REMOVE_INFO', # removes a feature
]) ])


@ -2093,21 +2093,6 @@ component_test_when_no_ciphersuites_have_mac () {
if_build_succeeded tests/ssl-opt.sh -f 'Default\|EtM' -e 'without EtM' if_build_succeeded tests/ssl-opt.sh -f 'Default\|EtM' -e 'without EtM'
} }
component_test_null_entropy () {
msg "build: default config with MBEDTLS_TEST_NULL_ENTROPY (ASan build)"
scripts/config.py set MBEDTLS_TEST_NULL_ENTROPY
scripts/config.py set MBEDTLS_NO_DEFAULT_ENTROPY_SOURCES
scripts/config.py set MBEDTLS_ENTROPY_C
scripts/config.py unset MBEDTLS_ENTROPY_NV_SEED
scripts/config.py unset MBEDTLS_PLATFORM_NV_SEED_ALT
scripts/config.py unset MBEDTLS_ENTROPY_HARDWARE_ALT
CC=gcc cmake -D CMAKE_BUILD_TYPE:String=Asan -D UNSAFE_BUILD=ON .
make
msg "test: MBEDTLS_TEST_NULL_ENTROPY - main suites (inc. selftests) (ASan build)"
make test
}
component_test_no_date_time () { component_test_no_date_time () {
msg "build: default config without MBEDTLS_HAVE_TIME_DATE" msg "build: default config without MBEDTLS_HAVE_TIME_DATE"
scripts/config.py unset MBEDTLS_HAVE_TIME_DATE scripts/config.py unset MBEDTLS_HAVE_TIME_DATE


@ -87,11 +87,10 @@ jmp_buf jmp_tmp;
/* Indicates whether we expect mbedtls_entropy_init /* Indicates whether we expect mbedtls_entropy_init
* to initialize some strong entropy source. */ * to initialize some strong entropy source. */
#if defined(MBEDTLS_TEST_NULL_ENTROPY) || \ #if !defined(MBEDTLS_NO_DEFAULT_ENTROPY_SOURCES) && \
( !defined(MBEDTLS_NO_DEFAULT_ENTROPY_SOURCES) && \
( !defined(MBEDTLS_NO_PLATFORM_ENTROPY) || \ ( !defined(MBEDTLS_NO_PLATFORM_ENTROPY) || \
defined(MBEDTLS_ENTROPY_HARDWARE_ALT) || \ defined(MBEDTLS_ENTROPY_HARDWARE_ALT) || \
defined(ENTROPY_NV_SEED) ) ) defined(ENTROPY_NV_SEED) )
#define ENTROPY_HAVE_STRONG #define ENTROPY_HAVE_STRONG
#endif #endif
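Review bot: The last clause of the rewritten condition tests `defined(ENTROPY_NV_SEED)`, which lacks the `MBEDTLS_` prefix carried by every other option in this expression; the migration note in this same commit names the option `MBEDTLS_ENTROPY_NV_SEED`. Unless a test-local macro called `ENTROPY_NV_SEED` is defined outside this hunk, that clause is never true, so a configuration whose only strong source is the NV seed would presumably not get `ENTROPY_HAVE_STRONG`, and the tests gated on it would be skipped without notice. Since the line is being re-indented anyway, I would change it to `defined(MBEDTLS_ENTROPY_NV_SEED) )` or add a comment saying where `ENTROPY_NV_SEED` is defined.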


@ -83,9 +83,4 @@ Check NV seed manually #3
entropy_nv_seed:"ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff" entropy_nv_seed:"ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff"
Entropy self test Entropy self test
depends_on:!MBEDTLS_TEST_NULL_ENTROPY
entropy_selftest:0 entropy_selftest:0
Entropy self test (MBEDTLS_TEST_NULL_ENTROPY)
depends_on:MBEDTLS_TEST_NULL_ENTROPY
entropy_selftest:1


@ -18,7 +18,7 @@
/* END_HEADER */ /* END_HEADER */
/* BEGIN_CASE depends_on:MBEDTLS_ENTROPY_C:!MBEDTLS_TEST_NULL_ENTROPY:MBEDTLS_CTR_DRBG_C */ /* BEGIN_CASE depends_on:MBEDTLS_ENTROPY_C:MBEDTLS_CTR_DRBG_C */
void random_twice_with_ctr_drbg( ) void random_twice_with_ctr_drbg( )
{ {
mbedtls_entropy_context entropy; mbedtls_entropy_context entropy;
@ -57,7 +57,7 @@ exit:
} }
/* END_CASE */ /* END_CASE */
/* BEGIN_CASE depends_on:MBEDTLS_ENTROPY_C:!MBEDTLS_TEST_NULL_ENTROPY:MBEDTLS_HMAC_DRBG_C */ /* BEGIN_CASE depends_on:MBEDTLS_ENTROPY_C:MBEDTLS_HMAC_DRBG_C */
void random_twice_with_hmac_drbg( int md_type ) void random_twice_with_hmac_drbg( int md_type )
{ {
mbedtls_entropy_context entropy; mbedtls_entropy_context entropy;
@ -97,7 +97,7 @@ exit:
} }
/* END_CASE */ /* END_CASE */
/* BEGIN_CASE depends_on:MBEDTLS_PSA_CRYPTO_C:!MBEDTLS_TEST_NULL_ENTROPY:!MBEDTLS_PSA_CRYPTO_EXTERNAL_RNG */ /* BEGIN_CASE depends_on:MBEDTLS_PSA_CRYPTO_C:!MBEDTLS_PSA_CRYPTO_EXTERNAL_RNG */
void random_twice_with_psa_from_classic( ) void random_twice_with_psa_from_classic( )
{ {
unsigned char output1[OUTPUT_SIZE]; unsigned char output1[OUTPUT_SIZE];
@ -123,7 +123,7 @@ exit:
} }
/* END_CASE */ /* END_CASE */
/* BEGIN_CASE depends_on:MBEDTLS_PSA_CRYPTO_C:!MBEDTLS_TEST_NULL_ENTROPY:!MBEDTLS_PSA_CRYPTO_EXTERNAL_RNG */ /* BEGIN_CASE depends_on:MBEDTLS_PSA_CRYPTO_C:!MBEDTLS_PSA_CRYPTO_EXTERNAL_RNG */
void random_twice_with_psa_from_psa( ) void random_twice_with_psa_from_psa( )
{ {
unsigned char output1[OUTPUT_SIZE]; unsigned char output1[OUTPUT_SIZE];