-
Notifications
You must be signed in to change notification settings - Fork 96
Merge development into psa-api-1.0-beta #130
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Merge development into psa-api-1.0-beta #130
Conversation
It was failing to set the key in the ENCRYPT direction before encrypting. This just happened to work for GCM and CCM. After re-encrypting, compare the length to the expected ciphertext length not the plaintext length. Again this just happens to work for GCM and CCM since they do not perform any kind of padding.
Closes #2003 see also #1658
Add the Wisun extended key usage oid and tests.
Add checks in `ssl_server2` that `MBEDTLS_X509_CRL_PARSE_C` is defined to fix compilation issue. Fixes #560.
Adjusted generate_query_config.pl to have a configuration option of including the crypto config. Turned on by default.
Adjusted generate_features to have a configuration option of including crypto config. Turned on by default.
* origin/pr/2106: x509.c: Fix potential memory leak in X.509 self test
* origin/pr/2189: Remove Circle CI script
* origin/pr/2192: Increase okm_hex buffer to contain null character Minor modifications to hkdf test Add explanation for okm_string size Update ChangeLog Reduce buffer size of okm Reduce Stack usage of hkdf test function
* origin/pr/2366: Change Perl to Python in test builds
When doing ABI/API checking, its useful to have a list of all the identifiers that are defined in the internal header files, as we do not promise compatibility for them. This option allows for a simple method of getting them for use with the ABI checking script.
* origin/pr/2405: Fix ChangeLog entry ordering Fix typo Add non-regression test for buffer overflow Improve documentation of mbedtls_mpi_write_string() Adapt ChangeLog Fix 1-byte buffer overflow in mbedtls_mpi_write_string()
* origin/pr/2463: Fix a rebase error Wrap lines at 80 columns Add NIST keywrap as a cipher mode Fix errors in AEAD test function
017b013
to
f3bde03
Compare
…pi-1.0-beta-merge_development_20190524 Conflicts: * library/ssl_cli.c, library/ssl_tls.c: Removed on the development branch. Keep them removed. * include/psa/crypto_extra.h, library/psa_crypto_storage.c, tests/suites/test_suite_psa_crypto.data, tests/suites/test_suite_psa_crypto.function, tests/suites/test_suite_psa_crypto_persistent_key.data, tests/suites/test_suite_psa_crypto_slot_management.data, tests/suites/test_suite_psa_crypto_slot_management.function: Modified on the development branch only to implement the enrollment algorithm, which has been reimplemented on the API branch. Keep the API branch.
generate_psa_constants.py was accidentally declared with an implicitly-Python2 shebang.
* Rename internal methods and fields to start with an underscore. * Rename global constants to uppercase. * Change methods that don't use self to be class methods or static methods as appropriate. No behavior change in this commit.
Pass Pylint by cleaning up the code where possible and silencing Pylint where I know better. No behavior change.
20f72da
to
54f5445
Compare
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I have one major question regarding "always use submodule PR", and a minor remark in the Pylint handling commit.
x509write_csr.c | ||
# For files generated by the parent project (Mbed TLS) when building Mbed | ||
# Crypto as a submodule, ensure that the parent project instance is used. | ||
if(USE_CRYPTO_SUBMODULE) |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Is this supposed to be here? We have already merged the "always use crypto submodule" PR, so I would expect this option to no longer exist, but maybe at this stage the "always..." PR has not yet been taken into account?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
We've merged “always use crypto submodule” into Mbed TLS, but not yet dropped compatibility for previous Mbed TLS revisions in Mbed Crypto. In any case, that's out of scope here: the goal of this PR is solely to merge mbed-crypto/development
into psa-api-1.0-beta
, not to change anything that isn't affected by this merge.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
so I would expect this option to no longer exist,
It'll continue to need to exist as long as Mbed Crypto can build both independently on its own, and as a submodule. Even if Mbed TLS always uses Mbed Crypto as a submodule, Mbed Crypto itself needs to support being built as a submodule or standalone.
@@ -23,6 +23,8 @@ def __init__(self, filename, line_number): | |||
self.line_number = line_number | |||
|
|||
class read_file_lines: | |||
# Dear Pylint, conventionally, a context manager class name is lowercase. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Did you consider using https://docs.python.org/3/library/contextlib.html#contextlib.contextmanager here?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Would it help? This context manager doesn't the acquire/release pattern that is the typical use case of contextlib.contextmanager
.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I presumed that could have silence the code style error, but I have just check, and it doesn't, so no, unfortunately it would not help. Please disregard my above comment.
@@ -179,6 +186,12 @@ | |||
''' | |||
|
|||
class MacroCollector: | |||
"""Collect PSA crypto macro definitions from C header files. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Strange indentation
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Is it? What's strange about it?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
The ending and beginning quotes are misaligned, and the comments from lines below start at the beginning of the line.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
That's one of the valid indentation styles for docstrings. But I notice that other parts of the script use a different style, so I'll update this one to be consistent.
@gilles-peskine-arm - would you be able to list the exact conflicts you've encountered, or is this data lost now? If you don't have the time for it, I can re-create it by running the merge myself in that case. |
@AndrzejKurek I didn't keep a list of conflicts. I only checked that apart from the deletion of |
Use PEP 257 indented docstring style, mostly: always with """, with the terminating """ on a separate line if the docstring is more than one line, and with all lines indented to the opening """. This commit does not change the text to keep the first paragraph single-line.
API compatibility test is failing. This is because we are changing the API on purpose and is OK.
|
TLS tests with the API branch are expected to fail until TLS is updated to use the new API. |
I've performed the merge myself and ran into minimal differences: I had chose to keep using local variables to hold correctly typed parameters. I see your merge decided to inconsistently remove the typed local variables. Was this deliberate?
|
Just one question about typed argument locals, otherwise LGTM |
These were not conscious decisions: for this PR I systematically took the API branch where there was a conflict. Maybe I ended up with slightly inferior code when I ported the feature in #128. I'll look at the specific cases. |
As far as I can tell,
So 1. I don't see any reason why this isn't a correct merge (of two states that might each be flawed on their own); 2. I don't see any actual flaw in the result. |
CI is ok except for TLS (expected) and ABI checking (the script reported a pass but failed due to a known issue for which the fix isn't merged yet). @Patater Since this has two approvals and your reservations are minor, I'm merging this PR to unblock the follow-ups. |
Merge
development
intopsa-api-1.0-beta
. The conflicts fall into two buckets:development
could not be merged easily intopsa-api-1.0-beta
. I resolved these conflicts by taking the development done for the API branch in Implementation-specific extension: Keys may allow a second algorithm #128.development
. I resolved these conflicts by removing the files. The corresponding updates of PSA API usage will need to be made inmbedtls
.