Merge remote-tracking branch 'upstream-restricted/development-proposed' into development-restricted-proposed

2019-08-14 18:38:42 +02:00 · 2019-08-14 18:38:42 +02:00 · 4017d882dd
commit 4017d882dd
parent 60b29d6bfd 61fc108d25
6 changed files with 57 additions and 11 deletions
--- a/8
+++ b/8
@ -95,6 +95,14 @@ Bugfix
     This previously limited the maximum size of DER encoded certificates
     in mbedtls_x509write_crt_der() to 2Kb. Reported by soccerGB in #2631.
   * Fix partial zeroing in x509_get_other_name. Found and fixed by ekse, #2716.
+   * Update test certificates that were about to expire. Reported by
+     Bernhard M. Wiedemann in #2357.
+   * Fix the build on ARMv5TE in ARM mode to not use assembly instructions
+     that are only available in Thumb mode. Fix contributed by Aurelien Jarno
+     in #2169.
+   * Fix propagation of restart contexts in restartable EC operations.
+     This could previously lead to segmentation faults in builds using an
+     address-sanitizer and enabling but not using MBEDTLS_ECP_RESTARTABLE.

 Changes
   * Server's RSA certificate in certs.c was SHA-1 signed. In the default
--- a/include/mbedtls/bn_mul.h
+++ b/include/mbedtls/bn_mul.h
@ -642,7 +642,8 @@
           "r6", "r7", "r8", "r9", "cc"         \
         );

-#elif defined (__ARM_FEATURE_DSP) && (__ARM_FEATURE_DSP == 1)
+#elif (__ARM_ARCH >= 6) && \
+    defined (__ARM_FEATURE_DSP) && (__ARM_FEATURE_DSP == 1)

 #define MULADDC_INIT                            \
    asm(
--- a/library/ecdsa.c
+++ b/library/ecdsa.c
@ -172,11 +172,11 @@ static void ecdsa_restart_det_free( mbedtls_ecdsa_restart_det_ctx *ctx )
 }
 #endif /* MBEDTLS_ECDSA_DETERMINISTIC */

-#define ECDSA_RS_ECP    &rs_ctx->ecp
+#define ECDSA_RS_ECP    ( rs_ctx == NULL ? NULL : &rs_ctx->ecp )

 /* Utility macro for checking and updating ops budget */
 #define ECDSA_BUDGET( ops )   \
-    MBEDTLS_MPI_CHK( mbedtls_ecp_check_budget( grp, &rs_ctx->ecp, ops ) );
+    MBEDTLS_MPI_CHK( mbedtls_ecp_check_budget( grp, ECDSA_RS_ECP, ops ) );

 /* Call this when entering a function that needs its own sub-context */
 #define ECDSA_RS_ENTER( SUB )   do {                                 \
--- a/programs/fuzz/onefile.c
+++ b/programs/fuzz/onefile.c
@ -1,8 +1,15 @@
 #include <stdint.h>
 #include <stdlib.h>
 #include <stdio.h>
-// Get platform-specific definition
+
+/* This file doesn't use any Mbed TLS function, but grab config.h anyway
+ * in case it contains platform-specific #defines related to malloc or
+ * stdio functions. */
+#if !defined(MBEDTLS_CONFIG_FILE)
 #include "mbedtls/config.h"
+#else
+#include MBEDTLS_CONFIG_FILE
+#endif

 int LLVMFuzzerTestOneInput(const uint8_t *Data, size_t Size);

--- a/tests/compat.sh
+++ b/tests/compat.sh
@ -216,14 +216,13 @@ filter_ciphersuites()
        G_CIPHERS=$( filter "$G_CIPHERS" )
    fi

-    # OpenSSL 1.0.1h doesn't support DTLS 1.2
-    if [ `minor_ver "$MODE"` -ge 3 ] && is_dtls "$MODE"; then
+    # OpenSSL <1.0.2 doesn't support DTLS 1.2. Check what OpenSSL
+    # supports from the s_server help. (The s_client help isn't
+    # accurate as of 1.0.2g: it supports DTLS 1.2 but doesn't list it.
+    # But the s_server help seems to be accurate.)
+    if ! $OPENSSL_CMD s_server -help 2>&1 | grep -q "^ *-$MODE "; then
+        M_CIPHERS=""
        O_CIPHERS=""
-        case "$PEER" in
-            [Oo]pen*)
-                M_CIPHERS=""
-                ;;
-        esac
    fi

    # For GnuTLS client -> mbed TLS server,
--- a/tests/scripts/all.sh
+++ b/tests/scripts/all.sh
@ -1047,6 +1047,26 @@ component_test_platform_calloc_macro () {
 component_test_make_shared () {
    msg "build/test: make shared" # ~ 40s
    make SHARED=1 all check -j1
+    ldd programs/util/strerror | grep libmbedcrypto
+}
+
+component_test_cmake_shared () {
+    msg "build/test: cmake shared" # ~ 2min
+    cmake -DUSE_SHARED_MBEDTLS_LIBRARY=On .
+    make
+    ldd programs/util/strerror | grep libmbedcrypto
+    make test
+}
+
+component_build_mbedtls_config_file () {
+    msg "build: make with MBEDTLS_CONFIG_FILE" # ~40s
+    # Use the full config so as to catch a maximum of places where
+    # the check of MBEDTLS_CONFIG_FILE might be missing.
+    scripts/config.pl full
+    sed 's!"check_config.h"!"mbedtls/check_config.h"!' <"$CONFIG_H" >full_config.h
+    echo '#error "MBEDTLS_CONFIG_FILE is not working"' >"$CONFIG_H"
+    make CFLAGS="-I '$PWD' -DMBEDTLS_CONFIG_FILE='\"full_config.h\"'"
+    rm -f full_config.h
 }

 component_test_m32_o0 () {
@ -1105,6 +1125,17 @@ component_build_arm_none_eabi_gcc () {
    make CC=arm-none-eabi-gcc AR=arm-none-eabi-ar LD=arm-none-eabi-ld CFLAGS='-Werror -Wall -Wextra' lib
 }

+component_build_arm_none_eabi_gcc_arm5vte () {
+    msg "build: arm-none-eabi-gcc -march=arm5vte, make" # ~ 10s
+    scripts/config.pl baremetal
+    # Build for a target platform that's close to what Debian uses
+    # for its "armel" distribution (https://wiki.debian.org/ArmEabiPort).
+    # See https://github.com/ARMmbed/mbedtls/pull/2169 and comments.
+    # It would be better to build with arm-linux-gnueabi-gcc but
+    # we don't have that on our CI at this time.
+    make CC=arm-none-eabi-gcc AR=arm-none-eabi-ar CFLAGS='-Werror -Wall -Wextra -march=armv5te -O1' LDFLAGS='-march=armv5te' SHELL='sh -x' lib
+}
+
 component_build_arm_none_eabi_gcc_no_udbl_division () {
    msg "build: arm-none-eabi-gcc -DMBEDTLS_NO_UDBL_DIVISION, make" # ~ 10s
    scripts/config.pl baremetal