Commit graph

598 commits

Author SHA1 Message Date
Manuel Pégourié-Gonnard
dd57b2f240
Merge pull request #4445 from TRodziewicz/remove_deprecated_things_-_remainder
Remove deprecated functions and constants.
2021-05-07 10:05:30 +02:00
Ronald Cron
98d00d06a0
Merge pull request #4426 from ronald-cron-arm/remove-enable-weak-ciphersuites
Remove MBEDTLS_ENABLE_WEAK_CIPHERSUITES configuration option
2021-05-04 17:20:36 +02:00
TRodziewicz
85dfc4de20 Applying current changes
Signed-off-by: TRodziewicz <tomasz.rodziewicz@mobica.com>
2021-04-30 00:07:04 +02:00
TRodziewicz
18efb73743 Remove deprecated functions and constants.
Signed-off-by: TRodziewicz <tomasz.rodziewicz@mobica.com>
2021-04-29 23:12:19 +02:00
Hanno Becker
612a2f1504 Rename MBEDTLS_X509_INFO to !MBEDTLS_X509_REMOVE_INFO
The introduction of positive options to control the presence
of pre-existing functionality breaks the build for users of
handwritten configurations.

Signed-off-by: Hanno Becker <hanno.becker@arm.com>
2021-04-27 17:18:52 +01:00
Peter Kolbus
9a969b66c1 Reduce code size when mbedtls_x509_*_info() unused
Introduce MBEDTLS_X509_INFO to indicate the availability of the
mbedtls_x509_*_info() function and closely related APIs. When this is
not defined, also omit name and description from
mbedtls_oid_descriptor_t, and omit OID arrays, macros, and types that
are entirely unused. This saves several KB of code space.

Signed-off-by: Hanno Becker <hanno.becker@arm.com>
Signed-off-by: Chris Jones <christopher.jones@arm.com>
2021-04-27 17:18:52 +01:00
Ronald Cron
cee427002b Remove MBEDTLS_ENABLE_WEAK_CIPHERSUITES configuration option
Fix 4416

Signed-off-by: Ronald Cron <ronald.cron@arm.com>
2021-04-27 09:34:14 +02:00
Dave Rodgman
12f93f4fc2
Merge pull request #4407 from ARMmbed/dev3_signoffs
Merge development_3.0 into development
2021-04-26 19:48:16 +01:00
Mateusz Starzyk
f9c7b3eb11 Remove PKCS#11 library wrapper.
Signed-off-by: Mateusz Starzyk <mateusz.starzyk@mobica.com>
2021-04-21 11:05:00 +02:00
Mateusz Starzyk
a58625f90d Remove optional SHA-1 in the default TLS configuration.
Signed-off-by: Mateusz Starzyk <mateusz.starzyk@mobica.com>
2021-04-16 18:39:10 +02:00
Steven Cooreman
6801f08973 Implement support for MBEDTLS_PSA_CRYPTO_BUILTIN_KEYS
According to the design in psa-driver-interface.md. Compiles without
issue in test_psa_crypto_drivers.

Signed-off-by: Steven Cooreman <steven.cooreman@silabs.com>
2021-04-15 15:04:26 +02:00
Mateusz Starzyk
c301bd56f0 Merge branch 'development_3.0' into drop_old_tls_options 2021-04-15 13:55:20 +02:00
Chris Jones
9c6356881f Remove MBEDTLS_SSL_DEFAULT_TICKET_LIFETIME
This config option has been unused for >5 years and so should be removed.

Signed-off-by: Chris Jones <christopher.jones@arm.com>
2021-04-09 16:10:48 +01:00
Dave Rodgman
73e3e2cb1a Merge remote-tracking branch 'origin/development' into development_new
Signed-off-by: Dave Rodgman <dave.rodgman@arm.com>

Conflicts:
        include/mbedtls/check_config.h: nearby edits
	library/entropy.c: nearby edits
	programs/random/gen_random_havege.c: modification vs. removal
	programs/ssl/ssl_test_lib.h: nearby edits
	programs/test/cpp_dummy_build.cpp: nearby edits
	visualc/VS2010/mbedTLS.vcxproj: automatically generated file,
            regenerated with scripts/generate_visualc_files.pl
2021-04-07 16:31:09 +01:00
Gilles Peskine
d5200371ec
Merge pull request #3512 from gilles-peskine-arm/ecp-alloc-202007
Reduce the number of allocations in ECP operations
2021-04-02 00:08:35 +02:00
Manuel Pégourié-Gonnard
4dfb83c0d7
Merge pull request #4164 from chris-jones-arm/move-internal-headers
Unify internal headers in library/
2021-03-29 11:18:54 +02:00
Mateusz Starzyk
a2d16b39bc Remove certs.h includes from test applications.
Tests should no longer consider certs.h as a part of public API.

Signed-off-by: Mateusz Starzyk <mateusz.starzyk@mobica.com>
2021-03-19 12:49:41 +01:00
Mateusz Starzyk
1aec64642c Remove certs module from mbedtls.
Certs will be used only by tests and programs.

Signed-off-by: Mateusz Starzyk <mateusz.starzyk@mobica.com>
2021-03-16 15:51:25 +01:00
Mateusz Starzyk
e204dbf272 Drop support for MBEDTLS_SSL_HW_RECORD_ACCEL.
Signed-off-by: Mateusz Starzyk <mateusz.starzyk@mobica.com>
2021-03-16 12:49:54 +01:00
Mateusz Starzyk
5224e29f0e Drop support for RC4 TLS ciphersuites.
Signed-off-by: Mateusz Starzyk <mateusz.starzyk@mobica.com>
2021-03-16 12:49:54 +01:00
Mateusz Starzyk
a3a9984a5d Drop support for TLS record-level compression.
Remove option MBEDTLS_ZLIB_SUPPORT.

Signed-off-by: Mateusz Starzyk <mateusz.starzyk@mobica.com>
2021-03-16 12:49:51 +01:00
Mateusz Starzyk
2012ed7560 Drop support for compatibility with our own previous buggy implementation of truncated HMAC (MBEDTLS_SSL_TRUNCATED_HMAC_COMPAT).
Signed-off-by: Mateusz Starzyk <mateusz.starzyk@mobica.com>
2021-03-16 12:19:09 +01:00
Mateusz Starzyk
06b07fb839 Drop support for SSLv3.
Remove options: MBEDTLS_SSL_MINOR_VERSION_0 and
MBEDTLS_SSL_PROTO_SSL3).

Signed-off-by: Mateusz Starzyk <mateusz.starzyk@mobica.com>
2021-03-16 12:19:05 +01:00
Mateusz Starzyk
9e9ca1a738 Drop support for parsing SSLv2 ClientHello.
Signed-off-by: Mateusz Starzyk <mateusz.starzyk@mobica.com>
2021-03-15 11:40:28 +01:00
Chris Jones
a1df4949b9 Remove internal file references in programs/
`entropy_poll.h` and `md_wrap.h` were still being used in some of the
example programs. As these headers are now internal, remove their
references and replace them with publicly available functions.

Signed-off-by: Chris Jones <christopher.jones@arm.com>
2021-03-11 17:44:43 +00:00
Chris Jones
ea0a865c69 Move entropy_poll.h to library
`entropy_poll.h` is not supposed to be used by application code and
is therefore being made internal.

Signed-off-by: Chris Jones <christopher.jones@arm.com>
2021-03-10 12:52:37 +00:00
Chris Jones
16dbaeb9eb Move padlock.h to library
`padlock.h` is actually an internal header and is moved accordingly.

Signed-off-by: Chris Jones <christopher.jones@arm.com>
2021-03-10 12:52:37 +00:00
Chris Jones
187782f41e Move aesni.h to library
`aesni.h` is an internal header and is moved accordingly.

Also removes some references to internal headers in scripts with
only public headers.

Signed-off-by: Chris Jones <christopher.jones@arm.com>
2021-03-10 12:52:37 +00:00
Chris Jones
84a773f8e6 Rename ssl_internal.h to ssl_misc.h
Signed-off-by: Chris Jones <christopher.jones@arm.com>
2021-03-10 12:52:37 +00:00
Chris Jones
4c5819c318 Move bn_mul.h to library/
Move `include/mbedtls/bn_mul.h` to `library/bn_mul.h`.

Update includes and references to `bn_mul.h` to new location.

Also remove internal headers from `cpp_dummy_build.cpp` as it should only
test public headers in the library.

Signed-off-by: Chris Jones <christopher.jones@arm.com>
2021-03-10 12:52:37 +00:00
Chris Jones
e2191cd789 Update includes to use library/ instead of include/mbedtls/
Simple find and replace using `#include (<|")mbedtls/(.*)_internal.h(>|")`
and `#include $1$2_internal.h$3`.

Also re-generated visualc files by running
`scripts/generate_visualc_files.pl`.

Signed-off-by: Chris Jones <christopher.jones@arm.com>
2021-03-10 12:52:37 +00:00
Chris Jones
7b9f33cc8c Move include/mbedtls/rsa_internal.h to library/rsa_internal.h
Only move `rsa_internal.h` for now to test dependancies. Other internal
headers will be moved in following commits.

Signed-off-by: Chris Jones <christopher.jones@arm.com>
2021-03-10 12:45:52 +00:00
Mateusz Starzyk
7d48b28218 Remove 1.3 to 2.0 transition helpers files.
Signed-off-by: Mateusz Starzyk <mateusz.starzyk@mobica.com>
2021-03-03 11:00:34 +01:00
David Brown
5fd5747402 Add missing header to cpp_dummy_build.cpp test
Part of build_default_make_gcc_and_cxx compares the list of headers
included by `programs/test/cpp_dummy_build.cpp` and the actual headers
present.  Add in the missing `mbedtls/psa_config.h` file to this list so
that this test passes.

Signed-off-by: David Brown <david.brown@linaro.org>
2021-02-19 14:19:51 -07:00
Gilles Peskine
bb86d0c61c
Merge pull request #3995 from stevew817/feature/psa_configurable_static_ram_usage
Allow tweaking PSA_KEY_SLOT_COUNT
2021-02-16 12:52:24 +01:00
Steven Cooreman
ea8d387406 Fix config query file
Signed-off-by: Steven Cooreman <steven.cooreman@silabs.com>
2021-02-15 14:26:47 +01:00
Manuel Pégourié-Gonnard
4dad303e99
Merge pull request #4089 from mstarzyk-mobica/remove_havege
Remove Havege module.
2021-02-12 10:02:15 +01:00
Mateusz Starzyk
0fdcc8eee9 Remove Havege module.
Signed-off-by: Mateusz Starzyk <mateusz.starzyk@mobica.com>
2021-02-11 14:17:07 +01:00
Ronald Cron
3768ac12a8 Add MBEDTLS_PSA_CRYPTO_CLIENT configuration option
Signed-off-by: Ronald Cron <ronald.cron@arm.com>
2021-02-01 13:16:01 +01:00
Gilles Peskine
53943ca434
Merge pull request #3992 from stevew817/feature/ecp_no_fallback
Add a flag for disabling software fallback in ecp.c
2021-01-29 16:08:51 +01:00
Ronald Cron
ddb3bd57d3
Merge pull request #3897 from d3zd3z/fix-cmake28
cmake: Fix added sources to targets
2021-01-26 13:35:56 +01:00
paul-elliott-arm
2427d15ea3
Merge pull request #3986 from gilles-peskine-arm/ssl_test_lib-create
Unify common code of ssl_client2.c and ssl_server2.c
2021-01-13 15:30:00 +00:00
Gilles Peskine
c772b1822a Move the declaration of query_config() to a dedicated header file
Declaring query_config() belongs with the query_config program, not in
ssl_test_lib.h, so move the declaration to a new header file
query_config.h.

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2021-01-13 14:19:43 +01:00
Steven Cooreman
97b4984657 Add a flag for disabling fallback in ecp.c
Signed-off-by: Steven Cooreman <steven.cooreman@silabs.com>
2021-01-08 16:43:43 +01:00
Gilles Peskine
a51e1dbe76
Merge pull request #3895 from gilles-peskine-arm/psa-external-random
Alternative random generator support for PSA
2021-01-06 17:09:11 +01:00
Manuel Pégourié-Gonnard
a27a4e2f18
Merge pull request #3929 from gilles-peskine-arm/psa-driver-remove-old-accel
Remove old proposed accelerator interfaces
2020-12-10 11:31:47 +01:00
Gilles Peskine
28f62f6212 Support running the benchmark with a single curve
If you pass a curve name to the benchmark program, the ECDH and ECDSA
benchmarks will only run for that particular curve. By default, all
curves are benchmarked.

To simplify the implementation, if you pass multiple curves, only the
last one will be benchmarked.

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2020-12-07 22:51:25 +01:00
Gilles Peskine
db6b03b4f2 Remove old-style accelerator and entropy driver interfaces
The driver interfaces described in crypto_accel_driver.h and
crypto_entropy_driver.h are no longer being worked on. We do not
intend to finish the design of these interfaces or to implement them
in Mbed TLS. They have been superseded by the unified driver
interface (docs/proposed/psa-driver-interface.md), which is being
actively worked on both to finalize the specification and to implement
it in Mbed TLS.

The partially implemented dynamic secure element interface is staying
for now.

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2020-11-30 17:37:14 +01:00
Rodrigo Dias Correa
80448aae2c Fix GCC warning about test_snprintf
GCC 11 generated the warnings because the parameter `ret_buf`
was declared as `const char[10]`, but some of the arguments
provided in `run_test_snprintf` are shorter literals, like "".

Now the type of `ret_buf` is `const char *`.
Both implementations of `test_snprintf` were fixed.

Signed-off-by: Rodrigo Dias Correa <rodrigo@correas.us>
2020-11-25 01:13:12 -03:00
Gilles Peskine
ed03890281 PSA: allow the configuration to favor HMAC_DRBG
Allow the user to configure PSA to use HMAC_DRBG even if CTR_DRBG is
available, or to explicitly select the hash algorithm to use for
HMAC_DRBG, by setting MBEDTLS_PSA_HMAC_DRBG_MD_TYPE in config.h.

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2020-11-23 17:42:54 +01:00
Gilles Peskine
f08b3f8624 Autonomous random driver: create configuration option
Create a configuration option for autonomous random drivers, i.e. PSA
crypto drivers that provide a random generator, that have their own
entropy source and do not support injecting entropy from another
source.

This commit only creates the configuration option. Subsequent commits
will add the implementation and tests.

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2020-11-23 16:28:09 +01:00
David Brown
a8e309e01d cmake: Fix added sources to targets
In cmake version < 3.0, the SOURCES property on targets cannot be
modified after the target is defined.  There are several instances in
the code that were using `target_properties()`, which is not available
in the older versions of cmake.  Unfortunately, the workaround in #3801
(381c1078fc) assumes that this SOURCES property can be modified.

Work around this by building up any necessary sources before declaring
the target.  This is more awkward, but needed to continue to be able to
support the old versions of cmake.

Fixes #3788.

Signed-off-by: David Brown <david.brown@linaro.org>
2020-11-18 16:28:00 -07:00
David Brown
381c1078fc cmake: Avoid using target_properties for old cmake
CMake versions less than 3.0 do not support the `target_sources`
command.  In order to be able to support v2.8.12.2 of cmake, directly
set the SOURCES property instead of using the target_sources command.

A future patch could reverse this, if the project decides to forgo
support for cmake versions less than 3.0.

Fixes #3801

Signed-off-by: David Brown <david.brown@linaro.org>
2020-11-03 15:38:38 -07:00
Ron Eldor
8f284c1b05 Add the SRTP configuration to query_config
Add the DTLS_SRTP configuration to `query_config`.

Signed-off-by: Johan Pascal <johan.pascal@belledonne-communications.com>
2020-10-29 01:14:49 +01:00
Gilles Peskine
935b4f96f9
Merge pull request #3407 from RcColes/development
Increase compatibility with external cmake
2020-10-28 12:29:14 +01:00
Gilles Peskine
2d0b7231f7
Merge pull request #3712 from jdurkop/psa-crypto-config-ecdsa-3670
Introduce MBEDTLS_PSA_CRYPTO_CONFIG and use it for ECDSA
2020-10-27 17:40:04 +01:00
Steven Cooreman
88ebb2d7d0 Include public and public-ish PSA headers in CPP check
Signed-off-by: Steven Cooreman <steven.cooreman@silabs.com>
2020-10-22 11:55:50 +02:00
Raef Coles
995c66f702 Build: Add MBEDTLS_TARGET_PREFIX
Allows required targets to have prefixes added to them, so that external
projects can avoid target names clashing.

Signed-off-by: Raef Coles <raef.coles@arm.com>
2020-10-20 13:44:44 +01:00
John Durkop
2542c21ba8 Add MBEDTLS_PSA_CRYPTO_CONFIG to test program
Since the recent changes required the addition of a new definition
in mbedtls/config.h, we also need to update query_config.c to account
for the new MBEDTLS_PSA_CRYPTO_CONFIG setting.

Signed-off-by: John Durkop <john.durkop@fermatsoftware.com>
2020-09-24 21:06:35 -07:00
Gilles Peskine
dc57c25e30
Merge pull request #3527 from ronald-cron-arm/key-extended-id
PSA key identifiers rework
2020-09-15 16:06:06 +02:00
Steven Cooreman
0d59f7b092 Add configuration flag MBEDTLS_PSA_CRYPTO_DRIVERS
Signed-off-by: Steven Cooreman <steven.cooreman@silabs.com>
2020-09-04 14:22:26 +02:00
Ronald Cron
71016a9ea7 psa: Rename psa_key_file_id_t to mbedtls_svc_key_id_t
With PSA crypto v1.0.0, a volatile key identifier may
contain a owner identifier but no file is associated
to it. Thus rename the type psa_key_file_id_t to
mbedtls_svc_key_id_t to avoid a direct link with a
file when a key identifier involves an owner
identifier.

The new type name is prefixed by mbedtls to highlight
that the type is specific to Mbed TLS implementation
and not defined in the PSA Cryptography API
specification.

The svc in the type name stands for service as this
is the key identifier type from the point of view of
the service providing the Cryptography services.
The service can be completely provided by the present
library or partially in case of a multi-client service.

As a consequence rename as well:
. MBEDTLS_PSA_CRYPTO_KEY_FILE_ID_ENCODES_OWNER to
  MBEDTLS_PSA_CRYPTO_KEY_ID_ENCODES_OWNER
. PSA_KEY_ID_INIT to MBEDTLS_SVC_KEY_ID_INIT
. PSA_KEY_FILE_GET_KEY_ID to MBEDTLS_SVC_KEY_ID_GET_KEY_ID
. psa_key_file_id_make to mbedtls_svc_key_id_make

Signed-off-by: Ronald Cron <ronald.cron@arm.com>
2020-09-02 14:27:07 +02:00
Janos Follath
d4ac4e037b
Merge pull request #736 from mpg/cf-varpos-copy-dev-restricted
Constant-flow copy of HMAC from variable position
2020-08-25 14:35:55 +01:00
Dan Handley
abccfc1684 Merge development into development-restricted
* development:
  Update copyright notices to use Linux Foundation guidance
  Undef ASSERT before defining it to ensure that no previous definition has sneaked in through included files.
  Add ChangeLog entry for X.509 CN-type vulnerability
  Improve documentation of cn in x509_crt_verify()
  Fix comparison between different name types
  Add test: DNS names should not match IP addresses
  Remove obsolete buildbot reference in compat.sh
  Fix misuse of printf in shell script
  Fix added proxy command when IPv6 is used
  Simplify test syntax
  Fix logic error in setting client port
  ssl-opt.sh: include test name in log files
  ssl-opt.sh: remove old buildbot-specific condition
  ssl-opt.sh: add proxy to all DTLS tests

Signed-off-by: Dan Handley <dan.handley@arm.com>
2020-08-20 11:07:12 +01:00
Manuel Pégourié-Gonnard
73afa37507 Add option to test constant-flow with valgrind
Currently the new component in all.sh fails because
mbedtls_ssl_cf_memcpy_offset() is not actually constant flow - this is on
purpose to be able to verify that the new test works.

Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>
2020-08-20 10:22:41 +02:00
Bence Szépkúti
1e14827beb Update copyright notices to use Linux Foundation guidance
As a result, the copyright of contributors other than Arm is now
acknowledged, and the years of publishing are no longer tracked in the
source files.

Also remove the now-redundant lines declaring that the files are part of
MbedTLS.

This commit was generated using the following script:

# ========================
#!/bin/sh

# Find files
find '(' -path './.git' -o -path './3rdparty' ')' -prune -o -type f -print | xargs sed -bi '

# Replace copyright attribution line
s/Copyright.*Arm.*/Copyright The Mbed TLS Contributors/I

# Remove redundant declaration and the preceding line
$!N
/This file is part of Mbed TLS/Id
P
D
'
# ========================

Signed-off-by: Bence Szépkúti <bence.szepkuti@arm.com>
2020-08-19 10:35:41 +02:00
Manuel Pégourié-Gonnard
6240defd17 Add MBEDTLS_TEST_CONSTANT_FLOW_MEMSAN
This option allows to test the constant-flow nature of selected code, using
MemSan and the fundamental observation behind ctgrind that the set of
operations allowed on undefined memory by dynamic analysers is the same as the
set of operations allowed on secret data to avoid leaking it to a local
attacker via side channels, namely, any operation except branching and
dereferencing.

(This isn't the full story, as on some CPUs some instructions have variable
execution depending on the inputs, most notably division and on some cores
multiplication. However, testing that no branch or memory access depends on
secret data is already a good start.)

Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>
2020-07-15 12:26:22 +02:00
Janos Follath
be9a5752c2 Merge tag 'mbedtls-2.23.0' into merge-2.23.0-release-to-development
Mbed TLS 2.23.0
2020-07-01 11:23:17 +01:00
Ronald Cron
8dc0af2d4b programs: Link to tests common code
Signed-off-by: Ronald Cron <ronald.cron@arm.com>
2020-06-26 10:45:16 +02:00
Ronald Cron
bfd45f1f11 programs: cmake: Use list of executables
Use list of executables to:
- factorize the code to define executables
- highlight the similarities and differences of the executable definitions
- avoid list duplication

Use alphabetic order for executables in lists.

Signed-off-by: Ronald Cron <ronald.cron@arm.com>
2020-06-26 10:34:35 +02:00
Ronald Cron
0b90c9d747 programs: cmake: Fix relative path warnings
The path to source files were relative which triggered
warnings when generating the build system.

Move to absolute paths based on CMAKE_CURRENT_SOURCE_DIR.

Signed-off-by: Ronald Cron <ronald.cron@arm.com>
2020-06-26 10:34:35 +02:00
Janos Follath
4d1884916b Merge branch 'development-restricted' into mbedtls-2.23.0r0 2020-06-25 09:17:25 +01:00
Bence Szépkúti
c7da1fe381 Add Apache-2.0 headers to all scripts
This commit was generated using the following script:

# ========================
#!/bin/sh

# Find scripts
find -path './.git' -prune -o '(' -name '*.gdb' -o -name '*.pl' -o -name '*.py' -o -name '*.sh' ')' -print | xargs sed -i '

# Remove Mbed TLS declaration if it occurs before the copyright line
1,/Copyright.*Arm/I {
  /This file is part of/,$ {
    /Copyright.*Arm/I! d
  }
}

# Convert non-standard header in scripts/abi_check.py to the format used in the other scripts
/"""/,/"""/ {

  # Cut copyright declaration
  /Copyright.*Arm/I {
    h
    N
    d
  }

  # Paste copyright declaration
  /"""/ {
    x
    /./ {
      s/^/# /    # Add #
      x          # Replace orignal buffer with Copyright declaration
      p          # Print original buffer, insert newline
      i\

      s/.*//     # Clear original buffer
    }
    x
  }
}

/Copyright.*Arm/I {

  # Print copyright declaration
  p

  # Read the two lines immediately following the copyright declaration
  N
  N

  # Insert Apache header if it is missing
  /SPDX/! {
    i\
# SPDX-License-Identifier: Apache-2.0\
#\
# Licensed under the Apache License, Version 2.0 (the "License"); you may\
# not use this file except in compliance with the License.\
# You may obtain a copy of the License at\
#\
# http://www.apache.org/licenses/LICENSE-2.0\
#\
# Unless required by applicable law or agreed to in writing, software\
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT\
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\
# See the License for the specific language governing permissions and\
# limitations under the License.

    # Insert Mbed TLS declaration if it is missing
    /This file is part of/! i\
#\
# This file is part of Mbed TLS (https://tls.mbed.org)
  }

  # Clear copyright declaration from buffer
  D
}
'
# ========================

Signed-off-by: Bence Szépkúti <bence.szepkuti@arm.com>
2020-06-15 12:05:47 +02:00
Bence Szépkúti
700ee44545 Add missing copyright dates to scripts and sources
To find any files with a missing copyright declaration, use the following script:

# ========================
#!/bin/sh

# Find files with copyright declarations, and list their file extensions
exts=$(grep -Ril --exclude-dir .git --exclude-dir 3rdparty\
                 --exclude-dir programs/fuzz 'Copyright.*Arm' | sed '
  s/.*\///
  s/.*\./*./
  s/.*/-name "&"/
' | sort -u | sed -n '
  :l
    N
    $!bl
  s/\n/ -o /gp
')

# Find files with file extensions that ususally include copyright extensions,
# but don't include a copyright declaration themselves.
eval "find\
  '(' -path './.git' -o -path './3rdparty' -o -path './programs/fuzz' ')' -prune\
  -o ! -path './tests/data_files/format_pkcs12.fmt'\
     ! -path './programs/psa/psa_constant_names_generated.c'\
     '(' $exts ')' -print" | xargs grep -Li 'Copyright.*Arm'
# ========================

Signed-off-by: Bence Szépkúti <bence.szepkuti@arm.com>
2020-06-15 12:05:46 +02:00
danh-arm
15fee93121
Merge pull request #3363 from bensze01/zeroize
Remove hardcoded line number from the zeroize test
2020-06-10 11:31:38 +01:00
Bence Szépkúti
5620d71d58 Remove hardcoded line number from the zeroize test
Instead, we insert a comment containing GDB_BREAK_HERE in the line we
want to break at, and let the gdb script search for it.

Signed-off-by: Bence Szépkúti <bence.szepkuti@arm.com>
2020-06-09 12:52:04 +02:00
Manuel Pégourié-Gonnard
1a3f9edc08 Add config.h option MBEDTLS_ECP_NO_INTERNAL_RNG
No effect so far, except on dependency checking, as the feature it's meant to
disable isn't implemented yet (so the descriptions in config.h and the
ChangeLog entry are anticipation for now).

Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>
2020-06-08 09:09:20 +02:00
Janos Follath
bba4c17b7a
Merge pull request #3315 from hanno-arm/tls13-experimental-macro
Add support for TLS 1.3 record protection routines
2020-06-04 15:51:54 +01:00
Gilles Peskine
d6916d74c5
Merge pull request #3121 from gilles-peskine-arm/invasive_testing_strategy-crypto
Invasive testing strategy

Create a new header `common.h`.

Introduce a configuration option `MBEDTLS_TEST_HOOKS` for test-specific code, to be used in accordance with the invasive testing strategy.
2020-06-02 16:55:48 +02:00
Hanno Becker
ceef848eb6 Rename TLS 1.3 padding granularity macro
This is to avoid confusion with the class of macros

MBEDTLS_SSL_PROTO_TLS1_X

which have an underscore between major and minor version number.

Signed-off-by: Hanno Becker <hanno.becker@arm.com>
2020-06-02 06:16:00 +01:00
Hanno Becker
3427f1dad2 Update query_config.c
Signed-off-by: Hanno Becker <hanno.becker@arm.com>
2020-05-31 08:51:29 +01:00
Hanno Becker
81f3662ae8 Update query_config.c
Signed-off-by: Hanno Becker <hanno.becker@arm.com>
2020-05-28 10:32:23 +01:00
danh-arm
4850263bb5
Merge pull request #3319 from Kxuan/development
Fix typo in program benchmark.
2020-05-18 10:10:25 +01:00
Gilles Peskine
e24fc7b0a1
Merge pull request #2595 from k-stachowiak/unified-exit-in-examples
Unify the example programs' termination
2020-05-12 10:46:47 +02:00
k-stachowiak
297896e6db Remove obsolete comment 2020-05-11 22:11:10 +02:00
Zhai Zhaoxuan
e22da99224
Fix typo in program benchmark.
Signed-off-by: Zhai Zhaoxuan <kxuanobj@gmail.com>
2020-05-09 23:50:32 +08:00
Kenneth Soerensen
518d435e7b Fix GCC format-signedness warnings
Signed-off-by: Kenneth Soerensen <knnthsrnsn@gmail.com>
2020-04-22 16:01:48 +02:00
Manuel Pégourié-Gonnard
5edd388da0 Get rid of a magic value in benchmark.c
Also update its value while at it.

Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>
2020-04-17 11:28:25 +02:00
Manuel Pégourié-Gonnard
e52fd3fa55 Fix integer overflow in benchmark program
When building with MBEDTLS_MEMORY_DEBUG enabled, and running the ecdh part,
the benchmark program would start writing a very large number of space
characters on stdout, and would have to be killed because it never seemed to
terminate.

This was due to an integer overflow in computing how many space to leave after
the title in order to get memory measurements aligned, which resulted in up
to SIZE_MAX spaces being printed.

This commit just fixes the overflow, the next commit is going to fix the magic
number (12).

Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>
2020-04-09 10:11:17 +02:00
Manuel Pégourié-Gonnard
f4563b4c8b Fix some style issues in udp_proxy
Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>
2020-03-31 12:07:13 +02:00
Manuel Pégourié-Gonnard
baad2de6d8 Add negative test for hard reconnect cookie check
The server must check client reachability (we chose to do that by checking a
cookie) before destroying the existing association (RFC 6347 section 4.2.8).
Let's make sure we do, by having a proxy-in-the-middle inject a ClientHello -
the server should notice, but not destroy the connection.

Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>
2020-03-27 10:50:05 +01:00
Gilles Peskine
fea6eaf5e3 Declare MBEDTLS_TEST_HOOKS in config.h
When this option is enabled, the product includes additional
interfaces that enable additional tests. This option should not be
enabled in production, but is included in the "full" build to enable
the extra tests.

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2020-03-24 22:56:45 +01:00
Gilles Peskine
3ed2de9f54 Refresh generated files 2020-03-23 21:54:07 +01:00
Gilles Peskine
5e7d6fd240 Merge 'mbedtls/development' into merge-crypto-unremoved-20200304
Merge the latest state of the target branch (mbedtls/development) into the
pull request to merge mbed-crypto into mbedtls.

Conflicts:

* ChangeLog: add/add conflict. Resolve by using the usual section order.
2020-03-23 18:02:07 +01:00
Gilles Peskine
37940d923e Restore linking against all libraries in the cmake_subproject test 2020-03-23 17:55:31 +01:00
Gilles Peskine
b22d0cfa99 Re-generate automatically generated files
```
scripts/generate_features.pl
scripts/generate_errors.pl
scripts/generate_query_config.pl
scripts/generate_visualc_files.pl
```
2020-03-23 17:55:31 +01:00
Gilles Peskine
b99bd39b4e Merge mbed-crypto into mbedtls: the merge commit
Merge `unremove-non-crypto` into `mbedtls/development`. The branch
`unremove-non-crypto` was obtained by starting from `mbed-crypto/development`,
then reverting many commits that removed X.509 and TLS functionality when Mbed
Crypto forked from Mbed TLS (the “unremoval”), then make a few tweaks to
facilitate the merge.

The unremoval step restored old versions of some tls files. If a file doesn't
exist in mbed-crypto, check out the mbedtls version, regardless of what
happened during the unremoval of tls files in the crypto tree. Also
unconditionally take the mbedtls version of a few files where the
modifications are completely project-specific and are not relevant in
mbed-crypto:

* `.github/issue_template.md`: completely different. We may want to reconcile
  them independently as a follow-up.
* `.travis.yml`: would only be reverted to an earlier tls version.
* `README.md`: completely different. We may want to reconcile them
  independently as a follow-up.
* `doxygen/input/doc_mainpage.h`: the changes in crypto were minimal and not
  relevant except as a stopgap as mbed-crypto did not have its own product
  versioning in the Doxygen documentation.
* `tests/.jenkins/Jenkinsfile`: completely different.
* `tests/data_files/Makefile`: there were no changes in mbed-crypto,
  but the unremoval step restored an old version.

Shell script for everything to do after the merge apart from the conflict
resolution:
```
tls_files=($(comm -23 <(git ls-tree -r --name-only HEAD) <(git ls-tree -r --name-only $(git merge-base upstream-crypto/development MERGE_HEAD))))
tls_files+=($tls_files .github/issue_template.md .travis.yml README.md doxygen/input/doc_mainpage.h tests/.jenkins/Jenkinsfile tests/data_files/Makefile)
git checkout --theirs HEAD -- $tls_files
git add -- $tls_files
```

Resolve the remaining conflicts:

* `library/CMakeLists.txt`:
    * Keep the TLS definition of `src_crypto`
    * `USE_SHARED_MBEDTLS_LIBRARY`: keep all three libraries, with both
      `include` and `crypto/include` in `target_include_directories`, all with
      version `2.21.0`.
* `programs/Makefile`:
    * Reconcile the APPS lists (add/add from a differently-formatted common
      ancestor): insert the `psa/*` from crypto into the tls list.
    * Keep the `fuzz` target defined only in tls version.
    * Keep the recipe (only in tls version) cleaning `ssl_pthread_server`
      stuff for the `clean` target.
* `scripts/config.py`:
    * `include_in_full`: add/add conflict. Keep both.
* `tests/scripts/all.sh`:
    * `component_test_no_use_psa_crypto_full_cmake_asan`: partially old
      version in crypto. Take the tls version.
    * `component_test_malloc_0_null` and more: take
      `component_test_malloc_0_null` from crypto (with `config.py` rather than
      `config.pl`, and with `$ASAN_FLAGS` rather than an explicit list), but
      add the call to `ssl-opt.sh` from tls. Take the other components from
      crypto.

With this commit, building and running the unit tests with both `make ` and
`cmake` work in the default configuration on Linux. Other platforms, build
systems and configurations are likely not to work, and there is some
regression in test coverage.

There is some loss of functionality because the unremoval step restored older
versions of tls content. This commit contains the latest tls version of
tls-only files, but some changes from the tls side in files that existed on
both sides have regressed. Most problematic changes are hunks that remove some
tls-specific feature and contain either a C preprocessor symbol identifying a
tls-specific module or option, or the name of a tls-specific file. Hunks
that remove a tls-specific preprocessor symbol can be identified with the
regular expression `^-.*MBEDTLS_(ERR_)?(PKCS11|X509|NET|SSL)_`.

Subsequent commits will revert a few parts of the patch from this merge commit
in order to restore the tls functionality that it removes, ensure that the
test coverage includes what was covered in either branch, and fix test
failures.
2020-03-23 17:54:46 +01:00
Gilles Peskine
7e771c767f Link test programs that only use platform functions with mbedcrypto
Even if other higher-level libraries were added, these programs would
only link with the crypto library, which is the one that contains
platform functions.
2020-03-19 14:23:45 +01:00
Gilles Peskine
1bc9c135b3 Revert "selftest: Remove X.509 selftest"
This reverts commit 47a3635fc7.
2020-03-19 14:23:45 +01:00
Gilles Peskine
9e277f4408 Revert "cpp_dummy_build: Remove X.509 dependency"
This reverts commit 4c1fdb5129.
2020-03-19 14:23:45 +01:00