From 89361c9471dd7d54897d16204b3222a3d5d2ddde Mon Sep 17 00:00:00 2001 From: Gilles Peskine Date: Tue, 28 Apr 2020 10:19:18 +0200 Subject: [PATCH 01/10] Remove obsolete options from config.pl These options haven't existed for a long time. Signed-off-by: Gilles Peskine --- scripts/config.pl | 6 ------ 1 file changed, 6 deletions(-) diff --git a/scripts/config.pl b/scripts/config.pl index 3de8093fe554..dd80989bcfd6 100755 --- a/scripts/config.pl +++ b/scripts/config.pl @@ -23,9 +23,6 @@ # MBEDTLS_DEPRECATED_REMOVED # MBEDTLS_HAVE_SSE2 # MBEDTLS_PLATFORM_NO_STD_FUNCTIONS -# MBEDTLS_ECP_DP_M221_ENABLED -# MBEDTLS_ECP_DP_M383_ENABLED -# MBEDTLS_ECP_DP_M511_ENABLED # MBEDTLS_MEMORY_BACKTRACE # MBEDTLS_MEMORY_BUFFER_ALLOC_C # MBEDTLS_NO_DEFAULT_ENTROPY_SOURCES @@ -87,9 +84,6 @@ MBEDTLS_DEPRECATED_REMOVED MBEDTLS_HAVE_SSE2 MBEDTLS_PLATFORM_NO_STD_FUNCTIONS -MBEDTLS_ECP_DP_M221_ENABLED -MBEDTLS_ECP_DP_M383_ENABLED -MBEDTLS_ECP_DP_M511_ENABLED MBEDTLS_MEMORY_DEBUG MBEDTLS_MEMORY_BACKTRACE MBEDTLS_MEMORY_BUFFER_ALLOC_C From 165d1bb37984afd7a613ab8dbf505915cac7421f Mon Sep 17 00:00:00 2001 From: Gilles Peskine Date: Sun, 12 Apr 2020 14:21:30 +0200 Subject: [PATCH 02/10] Enable X509_ALLOW_EXTENSIONS_NON_V3 in config full Enable MBEDTLS_X509_ALLOW_EXTENSIONS_NON_V3 in the full config. There's no reason to keep it out. We weren't testing it at all on the CI. Signed-off-by: Gilles Peskine --- scripts/config.pl | 2 -- 1 file changed, 2 deletions(-) diff --git a/scripts/config.pl b/scripts/config.pl index dd80989bcfd6..fed235cea08c 100755 --- a/scripts/config.pl +++ b/scripts/config.pl @@ -31,7 +31,6 @@ # MBEDTLS_REMOVE_3DES_CIPHERSUITES # MBEDTLS_SSL_HW_RECORD_ACCEL # MBEDTLS_RSA_NO_CRT -# MBEDTLS_X509_ALLOW_EXTENSIONS_NON_V3 # MBEDTLS_X509_ALLOW_UNSUPPORTED_CRITICAL_EXTENSION # - this could be enabled if the respective tests were adapted # MBEDTLS_ZLIB_SUPPORT @@ -93,7 +92,6 @@ MBEDTLS_REMOVE_ARC4_CIPHERSUITES MBEDTLS_REMOVE_3DES_CIPHERSUITES MBEDTLS_SSL_HW_RECORD_ACCEL -MBEDTLS_X509_ALLOW_EXTENSIONS_NON_V3 MBEDTLS_X509_ALLOW_UNSUPPORTED_CRITICAL_EXTENSION MBEDTLS_ZLIB_SUPPORT MBEDTLS_PKCS11_C From f48d468111a5576e4521320b1da97dce3892e2f9 Mon Sep 17 00:00:00 2001 From: Gilles Peskine Date: Tue, 28 Apr 2020 10:26:43 +0200 Subject: [PATCH 03/10] Explain the rationale for inclusion in "full" and "baremetal" Remove the duplicated, and often out-of-date, list in the comments. Instead explain in a comment, and have a single copy of the list which is in the code. Signed-off-by: Gilles Peskine --- scripts/config.pl | 29 ++++++++++------------------- 1 file changed, 10 insertions(+), 19 deletions(-) diff --git a/scripts/config.pl b/scripts/config.pl index fed235cea08c..8f16abe8be47 100755 --- a/scripts/config.pl +++ b/scripts/config.pl @@ -19,26 +19,17 @@ # # The following options are disabled instead of enabled with "full". # -# MBEDTLS_TEST_NULL_ENTROPY -# MBEDTLS_DEPRECATED_REMOVED -# MBEDTLS_HAVE_SSE2 -# MBEDTLS_PLATFORM_NO_STD_FUNCTIONS -# MBEDTLS_MEMORY_BACKTRACE -# MBEDTLS_MEMORY_BUFFER_ALLOC_C -# MBEDTLS_NO_DEFAULT_ENTROPY_SOURCES -# MBEDTLS_NO_PLATFORM_ENTROPY -# MBEDTLS_REMOVE_ARC4_CIPHERSUITES -# MBEDTLS_REMOVE_3DES_CIPHERSUITES -# MBEDTLS_SSL_HW_RECORD_ACCEL -# MBEDTLS_RSA_NO_CRT -# MBEDTLS_X509_ALLOW_UNSUPPORTED_CRITICAL_EXTENSION -# - this could be enabled if the respective tests were adapted -# MBEDTLS_ZLIB_SUPPORT -# MBEDTLS_PKCS11_C -# MBEDTLS_NO_UDBL_DIVISION -# MBEDTLS_NO_64BIT_MULTIPLICATION -# and any symbol beginning _ALT +# * Options that require additional build dependencies or unusual hardware. +# * Options that make testing less effective. +# * Options that are incompatible with other options, or more generally that +# interact with other parts of the code in such a way that a bulk enabling +# is not a good way to test them. +# * Options that remove features. # +# The baremetal configuration excludes options that require a library or +# operating system feature that is typically not present on bare metal +# systems. Features that are excluded from "full" won't be in "baremetal" +# either. use warnings; use strict; From ba5dbae9744d9d10f19375e774613b489d8360b3 Mon Sep 17 00:00:00 2001 From: Gilles Peskine Date: Tue, 28 Apr 2020 10:28:14 +0200 Subject: [PATCH 04/10] Sort lists for easier maintenance Signed-off-by: Gilles Peskine --- scripts/config.pl | 30 +++++++++++++++--------------- 1 file changed, 15 insertions(+), 15 deletions(-) diff --git a/scripts/config.pl b/scripts/config.pl index 8f16abe8be47..32eebd6f828f 100755 --- a/scripts/config.pl +++ b/scripts/config.pl @@ -70,42 +70,42 @@ EOU my @excluded = qw( -MBEDTLS_TEST_NULL_ENTROPY MBEDTLS_DEPRECATED_REMOVED MBEDTLS_HAVE_SSE2 -MBEDTLS_PLATFORM_NO_STD_FUNCTIONS -MBEDTLS_MEMORY_DEBUG MBEDTLS_MEMORY_BACKTRACE MBEDTLS_MEMORY_BUFFER_ALLOC_C +MBEDTLS_MEMORY_DEBUG MBEDTLS_NO_DEFAULT_ENTROPY_SOURCES MBEDTLS_NO_PLATFORM_ENTROPY -MBEDTLS_RSA_NO_CRT -MBEDTLS_REMOVE_ARC4_CIPHERSUITES +MBEDTLS_NO_UDBL_DIVISION +MBEDTLS_PKCS11_C +MBEDTLS_PLATFORM_NO_STD_FUNCTIONS MBEDTLS_REMOVE_3DES_CIPHERSUITES +MBEDTLS_REMOVE_ARC4_CIPHERSUITES +MBEDTLS_RSA_NO_CRT MBEDTLS_SSL_HW_RECORD_ACCEL +MBEDTLS_TEST_NULL_ENTROPY MBEDTLS_X509_ALLOW_UNSUPPORTED_CRITICAL_EXTENSION MBEDTLS_ZLIB_SUPPORT -MBEDTLS_PKCS11_C -MBEDTLS_NO_UDBL_DIVISION _ALT\s*$ ); # Things that should be disabled in "baremetal" my @excluded_baremetal = qw( -MBEDTLS_NET_C -MBEDTLS_TIMING_C -MBEDTLS_FS_IO +MBEDTLS_DEPRECATED_WARNING MBEDTLS_ENTROPY_NV_SEED +MBEDTLS_FS_IO +MBEDTLS_HAVEGE_C MBEDTLS_HAVE_TIME MBEDTLS_HAVE_TIME_DATE -MBEDTLS_DEPRECATED_WARNING -MBEDTLS_HAVEGE_C -MBEDTLS_THREADING_C -MBEDTLS_THREADING_PTHREAD MBEDTLS_MEMORY_BACKTRACE MBEDTLS_MEMORY_BUFFER_ALLOC_C -MBEDTLS_PLATFORM_TIME_ALT +MBEDTLS_NET_C MBEDTLS_PLATFORM_FPRINTF_ALT +MBEDTLS_PLATFORM_TIME_ALT +MBEDTLS_THREADING_C +MBEDTLS_THREADING_PTHREAD +MBEDTLS_TIMING_C ); # Things that should be enabled in "full" even if they match @excluded From a21c5e99880198c75a11f5e6f10c67391c5b23a7 Mon Sep 17 00:00:00 2001 From: Gilles Peskine Date: Tue, 28 Apr 2020 10:41:20 +0200 Subject: [PATCH 05/10] Document and fix the MBEDTLS_xxx_ALT logic for the full config The intended logic around MBEDTLS_xxx_ALT is to exclude them from full because they require the alternative implementation of one or more library functions, except that MBEDTLS_PLATFORM_xxx_ALT are different: they're alternative implementations of a platform function and they have a built-in default, so they should be included in full. Document this. Fix a bug whereby MBEDTLS_PLATFORM_xxx_ALT didn't catch symbols where xxx contains an underscore. As a consequence, MBEDTLS_PLATFORM_NV_SEED_ALT is now enabled in the full config. Explicitly exclude MBEDTLS_PLATFORM_SETUP_TEARDOWN_ALT because it behaves like the non-platform ones, requiring an extra build-time dependency. Explicitly exclude MBEDTLS_PLATFORM_NV_SEED_ALT from baremetal because it requires MBEDTLS_ENTROPY_NV_SEED, and likewise explicitly unset it from builds that unset MBEDTLS_ENTROPY_NV_SEED. Signed-off-by: Gilles Peskine --- scripts/config.pl | 9 +++++++-- tests/scripts/all.sh | 3 +++ 2 files changed, 10 insertions(+), 2 deletions(-) diff --git a/scripts/config.pl b/scripts/config.pl index 32eebd6f828f..208a02a3f668 100755 --- a/scripts/config.pl +++ b/scripts/config.pl @@ -102,15 +102,20 @@ MBEDTLS_MEMORY_BUFFER_ALLOC_C MBEDTLS_NET_C MBEDTLS_PLATFORM_FPRINTF_ALT +MBEDTLS_PLATFORM_NV_SEED_ALT MBEDTLS_PLATFORM_TIME_ALT MBEDTLS_THREADING_C MBEDTLS_THREADING_PTHREAD MBEDTLS_TIMING_C ); -# Things that should be enabled in "full" even if they match @excluded +# Things that should be enabled in "full" even if they match @excluded. +# Platform ALTs enable global variables that allow configuring the behavior +# but default to the default behavior, except for PLATFORM_SETUP_TEARDOWN_ALT +# which requires the application to provide relevant functions like +# non-platform ALTs. my @non_excluded = qw( -PLATFORM_[A-Z0-9]+_ALT +PLATFORM_(?!SETUP_TEARDOWN_)[A-Z_0-9]+_ALT ); # Things that should be enabled in "baremetal" diff --git a/tests/scripts/all.sh b/tests/scripts/all.sh index 2fc0c83f315a..ab28a613090f 100755 --- a/tests/scripts/all.sh +++ b/tests/scripts/all.sh @@ -827,6 +827,7 @@ component_test_no_platform () { scripts/config.pl unset MBEDTLS_PLATFORM_SNPRINTF_ALT scripts/config.pl unset MBEDTLS_PLATFORM_TIME_ALT scripts/config.pl unset MBEDTLS_PLATFORM_EXIT_ALT + scripts/config.pl unset MBEDTLS_PLATFORM_NV_SEED_ALT scripts/config.pl unset MBEDTLS_ENTROPY_NV_SEED scripts/config.pl unset MBEDTLS_FS_IO # Note, _DEFAULT_SOURCE needs to be defined for platforms using glibc version >2.19, @@ -841,6 +842,7 @@ component_build_no_std_function () { scripts/config.pl full scripts/config.pl set MBEDTLS_PLATFORM_NO_STD_FUNCTIONS scripts/config.pl unset MBEDTLS_ENTROPY_NV_SEED + scripts/config.pl unset MBEDTLS_PLATFORM_NV_SEED_ALT make CC=gcc CFLAGS='-Werror -Wall -Wextra -Os' } @@ -912,6 +914,7 @@ component_test_null_entropy () { scripts/config.pl set MBEDTLS_NO_DEFAULT_ENTROPY_SOURCES scripts/config.pl set MBEDTLS_ENTROPY_C scripts/config.pl unset MBEDTLS_ENTROPY_NV_SEED + scripts/config.pl unset MBEDTLS_PLATFORM_NV_SEED_ALT scripts/config.pl unset MBEDTLS_ENTROPY_HARDWARE_ALT scripts/config.pl unset MBEDTLS_HAVEGE_C CC=gcc cmake -D CMAKE_BUILD_TYPE:String=Asan -D UNSAFE_BUILD=ON . From 2717eaf1e0a71ac773c07e4a34907bcf61892810 Mon Sep 17 00:00:00 2001 From: Gilles Peskine Date: Tue, 14 Apr 2020 21:28:42 +0200 Subject: [PATCH 06/10] Fix build failure with MBEDTLS_PLATFORM_NV_SEED_ALT An earlier botched backport (d56ca658ab8bd49cbbde8790240ec4074c0a7622) had the wrong name for a variable and a missing header inclusion. Signed-off-by: Gilles Peskine --- tests/suites/test_suite_entropy.function | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/tests/suites/test_suite_entropy.function b/tests/suites/test_suite_entropy.function index 3b87244d0261..cb5e20462be3 100644 --- a/tests/suites/test_suite_entropy.function +++ b/tests/suites/test_suite_entropy.function @@ -1,6 +1,7 @@ /* BEGIN_HEADER */ #include "mbedtls/entropy.h" #include "mbedtls/entropy_poll.h" +#include "mbedtls/md.h" /* * Number of calls made to entropy_dummy_source() @@ -346,7 +347,7 @@ void entropy_nv_seed( char *read_seed_str ) // Set the initial NV seed to read. // Get exactly MBEDTLS_ENTROPY_BLOCK_SIZE bytes from read_str. - TEST_ASSERT( strlen( read_seed ) / 2 >= MBEDTLS_ENTROPY_BLOCK_SIZE ); + TEST_ASSERT( strlen( read_seed_str ) / 2 >= MBEDTLS_ENTROPY_BLOCK_SIZE ); read_seed_str[MBEDTLS_ENTROPY_BLOCK_SIZE * 2] = '\0'; unhexify( read_seed, read_seed_str ); memcpy( buffer_seed, read_seed, MBEDTLS_ENTROPY_BLOCK_SIZE ); From 3aba3f48f8604ffb51491851a245afcb08a8cb5d Mon Sep 17 00:00:00 2001 From: Gilles Peskine Date: Tue, 14 Apr 2020 19:34:19 +0200 Subject: [PATCH 07/10] Strict C99: don't use a signed* when an unsigned* is expected It works in practice on almost every platform, given that we're only using the wrong type in cases where the value is guaranteed to stay within the value bits of a signed int. But even in this case it may or may not be strictly conforming. Anyway `gcc -std=c99 -pedantic` rejects it. Signed-off-by: Gilles Peskine --- programs/aes/crypt_and_hash.c | 3 ++- programs/pkey/pk_decrypt.c | 3 ++- programs/pkey/rsa_decrypt.c | 2 +- programs/pkey/rsa_verify.c | 3 ++- 4 files changed, 7 insertions(+), 4 deletions(-) diff --git a/programs/aes/crypt_and_hash.c b/programs/aes/crypt_and_hash.c index 5024f4a6f178..8433ef83e58f 100644 --- a/programs/aes/crypt_and_hash.c +++ b/programs/aes/crypt_and_hash.c @@ -82,7 +82,8 @@ static void mbedtls_zeroize( void *v, size_t n ) { int main( int argc, char *argv[] ) { - int ret = 1, i, n; + int ret = 1, i; + unsigned n; int exit_code = MBEDTLS_EXIT_FAILURE; int mode; size_t keylen, ilen, olen; diff --git a/programs/pkey/pk_decrypt.c b/programs/pkey/pk_decrypt.c index 1d8c959a09fc..1876ef30d216 100644 --- a/programs/pkey/pk_decrypt.c +++ b/programs/pkey/pk_decrypt.c @@ -62,7 +62,8 @@ int main( void ) int main( int argc, char *argv[] ) { FILE *f; - int ret = 1, c; + int ret = 1; + unsigned c; int exit_code = MBEDTLS_EXIT_FAILURE; size_t i, olen = 0; mbedtls_pk_context pk; diff --git a/programs/pkey/rsa_decrypt.c b/programs/pkey/rsa_decrypt.c index 0a252d2ada0b..bc37c7457054 100644 --- a/programs/pkey/rsa_decrypt.c +++ b/programs/pkey/rsa_decrypt.c @@ -63,7 +63,7 @@ int main( int argc, char *argv[] ) FILE *f; int ret = 1; int exit_code = MBEDTLS_EXIT_FAILURE; - int c; + unsigned c; size_t i; mbedtls_rsa_context rsa; mbedtls_mpi N, P, Q, D, E, DP, DQ, QP; diff --git a/programs/pkey/rsa_verify.c b/programs/pkey/rsa_verify.c index 6f88345f2ece..a7875009e33f 100644 --- a/programs/pkey/rsa_verify.c +++ b/programs/pkey/rsa_verify.c @@ -57,7 +57,8 @@ int main( void ) int main( int argc, char *argv[] ) { FILE *f; - int ret = 1, c; + int ret = 1; + unsigned c; int exit_code = MBEDTLS_EXIT_FAILURE; size_t i; mbedtls_rsa_context rsa; From 63d92c6633159c96e21fd84c1a26488e1bb6c52d Mon Sep 17 00:00:00 2001 From: Gilles Peskine Date: Tue, 14 Apr 2020 19:41:01 +0200 Subject: [PATCH 08/10] Strict C99: don't use extremely large string literals Don't use string literals that are longer than 4095 bytes, which is the minimum that C99 compilers are required to support. Compilers are extremely likely to support longer literals, but `gcc -std=c99 -pedantic` complains. Signed-off-by: Gilles Peskine --- programs/ssl/ssl_client2.c | 22 +++++++++++++++------- programs/ssl/ssl_server2.c | 18 +++++++++++++----- 2 files changed, 28 insertions(+), 12 deletions(-) diff --git a/programs/ssl/ssl_client2.c b/programs/ssl/ssl_client2.c index 08b6c8ea315e..6e895c3bc825 100644 --- a/programs/ssl/ssl_client2.c +++ b/programs/ssl/ssl_client2.c @@ -239,7 +239,9 @@ int main( void ) #define USAGE_ECJPAKE "" #endif -#define USAGE \ +/* USAGE is arbitrarily split to stay under the portable string literal + * length limit: 4095 bytes in C99. */ +#define USAGE1 \ "\n usage: ssl_client2 param=<>...\n" \ "\n acceptable parameters:\n" \ " server_name=%%s default: localhost\n" \ @@ -260,15 +262,17 @@ int main( void ) " skip_close_notify=%%d default: 0 (send close_notify)\n" \ "\n" \ USAGE_DTLS \ - "\n" \ - " auth_mode=%%s default: (library default: none)\n" \ + "\n" +#define USAGE2 \ + " auth_mode=%%s default: (library default: none)\n" \ " options: none, optional, required\n" \ USAGE_IO \ "\n" \ USAGE_PSK \ USAGE_ECJPAKE \ - "\n" \ - " allow_legacy=%%d default: (library default: no)\n" \ + "\n" +#define USAGE3 \ + " allow_legacy=%%d default: (library default: no)\n" \ USAGE_RENEGO \ " exchanges=%%d default: 1\n" \ " reconnect=%%d default: 0 (disabled)\n" \ @@ -284,7 +288,8 @@ int main( void ) USAGE_CURVES \ USAGE_RECSPLIT \ USAGE_DHMLEN \ - "\n" \ + "\n" +#define USAGE4 \ " arc4=%%d default: (library default: 0)\n" \ " allow_sha1=%%d default: 0\n" \ " min_version=%%s default: (library default: tls1)\n" \ @@ -507,7 +512,10 @@ int main( int argc, char *argv[] ) if( ret == 0 ) ret = 1; - mbedtls_printf( USAGE ); + mbedtls_printf( USAGE1 ); + mbedtls_printf( USAGE2 ); + mbedtls_printf( USAGE3 ); + mbedtls_printf( USAGE4 ); list = mbedtls_ssl_list_ciphersuites(); while( *list ) diff --git a/programs/ssl/ssl_server2.c b/programs/ssl/ssl_server2.c index ae57f1fda04f..148dd08475f9 100644 --- a/programs/ssl/ssl_server2.c +++ b/programs/ssl/ssl_server2.c @@ -338,7 +338,9 @@ int main( void ) #define USAGE_CURVES "" #endif -#define USAGE \ +/* USAGE is arbitrarily split to stay under the portable string literal + * length limit: 4095 bytes in C99. */ +#define USAGE1 \ "\n usage: ssl_server2 param=<>...\n" \ "\n acceptable parameters:\n" \ " server_addr=%%s default: (all interfaces)\n" \ @@ -357,7 +359,8 @@ int main( void ) USAGE_COOKIES \ USAGE_ANTI_REPLAY \ USAGE_BADMAC_LIMIT \ - "\n" \ + "\n" +#define USAGE2 \ " auth_mode=%%s default: (library default: none)\n" \ " options: none, optional, required\n" \ " cert_req_ca_list=%%d default: 1 (send ca list)\n" \ @@ -367,7 +370,8 @@ int main( void ) "\n" \ USAGE_PSK \ USAGE_ECJPAKE \ - "\n" \ + "\n" +#define USAGE3 \ " allow_legacy=%%d default: (library default: no)\n" \ USAGE_RENEGO \ " exchanges=%%d default: 1\n" \ @@ -380,7 +384,8 @@ int main( void ) USAGE_EMS \ USAGE_ETM \ USAGE_CURVES \ - "\n" \ + "\n" +#define USAGE4 \ " arc4=%%d default: (library default: 0)\n" \ " allow_sha1=%%d default: 0\n" \ " min_version=%%s default: (library default: tls1)\n" \ @@ -979,7 +984,10 @@ int main( int argc, char *argv[] ) if( ret == 0 ) ret = 1; - mbedtls_printf( USAGE ); + mbedtls_printf( USAGE1 ); + mbedtls_printf( USAGE2 ); + mbedtls_printf( USAGE3 ); + mbedtls_printf( USAGE4 ); list = mbedtls_ssl_list_ciphersuites(); while( *list ) From 457351afbdc693265d16c0fb464d5f8a08f64f46 Mon Sep 17 00:00:00 2001 From: Gilles Peskine Date: Wed, 29 Apr 2020 15:44:00 +0200 Subject: [PATCH 09/10] Exclude DEPRECATED_WARNING in config full In the full config, don't set MBEDTLS_DEPRECATED_WARNING. This is debatable: the full config does not enable deprecated features in this branch, so MBEDTLS_DEPRECATED_WARNING is compatible with the other features. Exclude it to keep LTS branches closer to development. In any case, baremetal and full should have the same settings regarding deprecated features, so don't do anything about DEPRECATED_xxx in baremetal. Signed-off-by: Gilles Peskine --- scripts/config.pl | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/scripts/config.pl b/scripts/config.pl index 208a02a3f668..2f04d91a1b68 100755 --- a/scripts/config.pl +++ b/scripts/config.pl @@ -71,6 +71,7 @@ my @excluded = qw( MBEDTLS_DEPRECATED_REMOVED +MBEDTLS_DEPRECATED_WARNING MBEDTLS_HAVE_SSE2 MBEDTLS_MEMORY_BACKTRACE MBEDTLS_MEMORY_BUFFER_ALLOC_C @@ -92,7 +93,6 @@ # Things that should be disabled in "baremetal" my @excluded_baremetal = qw( -MBEDTLS_DEPRECATED_WARNING MBEDTLS_ENTROPY_NV_SEED MBEDTLS_FS_IO MBEDTLS_HAVEGE_C From adaaddbe3bc199f961089581d8d6e69cd76d70af Mon Sep 17 00:00:00 2001 From: Gilles Peskine Date: Tue, 28 Apr 2020 14:04:28 +0200 Subject: [PATCH 10/10] all.sh: reorganize testing around deprecated features build_deprecated combined the testing of deprecated features, and testing of the build without deprecated features. Also, it violated the component naming convention by being called build_xxx but running tests. Replace it by: * test_default_no_deprecated: check that you can remove deprecated features from the default build. * test_full_deprecated_warning: check that enabling DEPRECATED_WARNING doesn't cause any warning from our own code. Signed-off-by: Gilles Peskine --- tests/scripts/all.sh | 35 ++++++++++++++++++++++------------- 1 file changed, 22 insertions(+), 13 deletions(-) diff --git a/tests/scripts/all.sh b/tests/scripts/all.sh index ab28a613090f..9df320790e75 100755 --- a/tests/scripts/all.sh +++ b/tests/scripts/all.sh @@ -770,22 +770,31 @@ component_test_full_cmake_clang () { if_build_succeeded env OPENSSL_CMD="$OPENSSL_LEGACY" GNUTLS_CLI="$GNUTLS_LEGACY_CLI" GNUTLS_SERV="$GNUTLS_LEGACY_SERV" tests/compat.sh -e '^$' -f 'NULL\|DES\|RC4\|ARCFOUR' } -component_build_deprecated () { - msg "build: make, full config + DEPRECATED_WARNING, gcc -O" # ~ 30s +component_test_default_no_deprecated () { + # Test that removing the deprecated features from the default + # configuration leaves something consistent. + msg "build: make, default + MBEDTLS_DEPRECATED_REMOVED" # ~ 30s + scripts/config.pl set MBEDTLS_DEPRECATED_REMOVED + make CC=gcc CFLAGS='-O -Werror -Wall -Wextra' + + msg "test: make, default + MBEDTLS_DEPRECATED_REMOVED" # ~ 5s + make test +} + +component_test_full_deprecated_warning () { + # Test that there is nothing deprecated in the full configuraration. + # A deprecated feature would trigger a warning (made fatal) from + # MBEDTLS_DEPRECATED_WARNING. + msg "build: make, full + MBEDTLS_DEPRECATED_WARNING" # ~ 30s scripts/config.pl full + scripts/config.pl unset MBEDTLS_DEPRECATED_REMOVED scripts/config.pl set MBEDTLS_DEPRECATED_WARNING - # Build with -O -Wextra to catch a maximum of issues. - make CC=gcc CFLAGS='-O -Werror -Wall -Wextra' lib programs - make CC=gcc CFLAGS='-O -Werror -Wall -Wextra -Wno-unused-function' tests + # There are currently no tests for any deprecated feature. + # If some are added, 'make test' would trigger warnings here. + make CC=gcc CFLAGS='-O -Werror -Wall -Wextra' - msg "build: make, full config + DEPRECATED_REMOVED, clang -O" # ~ 30s - # No cleanup, just tweak the configuration and rebuild - make clean - scripts/config.pl unset MBEDTLS_DEPRECATED_WARNING - scripts/config.pl set MBEDTLS_DEPRECATED_REMOVED - # Build with -O -Wextra to catch a maximum of issues. - make CC=clang CFLAGS='-O -Werror -Wall -Wextra' lib programs - make CC=clang CFLAGS='-O -Werror -Wall -Wextra -Wno-unused-function' tests + msg "test: make, full + MBEDTLS_DEPRECATED_WARNING" # ~ 5s + make test } component_test_depends_curves () {