From 560fea3767bba0f5ea314bb82024155e59cdc608 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Manuel=20P=C3=A9gouri=C3=A9-Gonnard?= Date: Tue, 1 Sep 2015 11:59:24 +0200 Subject: [PATCH 1/4] Add tests for verify callback As we're about to change the chain construction logic, we want to make sure the callback will still be called exactly when it should, and not on the (upcoming) ignored certs in the chain. --- tests/data_files/Readme-x509.txt | 13 +- tests/data_files/server10.key | 5 + tests/data_files/server10_int3_int-ca2.crt | 80 +++++++++ tests/data_files/server10_int3_int-ca2_ca.crt | 160 ++++++++++++++++++ tests/data_files/server1_ca.crt | 41 +++++ tests/data_files/server7_int-ca_ca2.crt | 62 +++++++ tests/data_files/test-int-ca3.crt | 12 ++ tests/data_files/test-int-ca3.key | 8 + tests/suites/test_suite_x509parse.data | 36 ++++ tests/suites/test_suite_x509parse.function | 69 ++++++++ 10 files changed, 483 insertions(+), 3 deletions(-) create mode 100644 tests/data_files/server10.key create mode 100644 tests/data_files/server10_int3_int-ca2.crt create mode 100644 tests/data_files/server10_int3_int-ca2_ca.crt create mode 100644 tests/data_files/server1_ca.crt create mode 100644 tests/data_files/server7_int-ca_ca2.crt create mode 100644 tests/data_files/test-int-ca3.crt create mode 100644 tests/data_files/test-int-ca3.key diff --git a/tests/data_files/Readme-x509.txt b/tests/data_files/Readme-x509.txt index 2cf0c66e9..680d61230 100644 --- a/tests/data_files/Readme-x509.txt +++ b/tests/data_files/Readme-x509.txt @@ -17,6 +17,9 @@ Two intermediate CAs are signed by them: - test-int-ca2.crt "C=NL, O=PolarSSL, CN=PolarSSL Test Intermediate EC CA" uses an EC key with NIST P-256, signed by test-ca +A third intermediate CA is signed by test-int-ca2.crt: +- test-int-ca3.crt "C=UK, O=mbed TLS, CN=mbed TLS Test intermediate CA 3" + Finally, other CAs for specific purposes: - enco-ca-prstr.pem: has its CN encoded as a printable string, but child cert enco-cert-utf8str.pem has its issuer's CN encoded as a UTF-8 string. @@ -35,11 +38,12 @@ Short information fields: 2 -> test-ca2.crt I1 -> test-int-ca.crt I2 -> test-int-ca2.crt + I3 -> test-int-ca3.crt O -> other - key type: R -> RSA, E -> EC - C -> there is a CRL revoking this cert (see below) - L -> CN=localhost (useful for local test servers) -- P1, P2 if the file include parent (resp. parent + grandparent) +- P1, P2 if the file includes parent (resp. parent + grandparent) - free-form comments List of certificates: @@ -50,8 +54,9 @@ List of certificates: - cert_v1_with_ext.crt: 1 R: v1 with extensions (illegal) - cli2.crt: 2 E: basic - enco-cert-utf8str.pem: see enco-ca-prstr.pem above -- server1*.crt: 1* R C*: misc *(server1-v1 see test-ca-v1.crt above) +- server1*.crt: 1* R C* P1*: misc *(server1-v1 see test-ca-v1.crt above) *CRL for: .cert_type.crt, .crt, .key_usage.crt, .v1.crt + P1 only for _ca.crt - server2-v1*.crt: O R: see test-ca-v1.crt above - server2*.crt: 1 R L: misc - server3.crt: 1 E L: EC cert signed by RSA CA @@ -62,11 +67,13 @@ List of certificates: -ku*: keyUsage (ds = signatures, ke/ka = key exchange/agreement) - server6-ss-child.crt: O E: "child" of non-CA server5-selfsigned - server6.crt, server6.pem: 2 E L C: revoked -- server7*.crt: I1 E L P1*: EC signed by RSA signed by EC *(except 7.crt) +- server7*.crt: I1 E L P1*: EC signed by RSA signed by EC + *P1 except 7.crt, P2 _int-ca_ca2.crt *_space: with PEM error(s) - server8*.crt: I2 R L: RSA signed by EC signed by RSA (P1 for _int-ca2) - server9*.crt: 1 R C* L P1*: signed using RSASSA-PSS *CRL for: 9.crt, -badsign, -with-ca (P1) +- server10*.crt: I3 E L P2/P3 Certificate revocation lists ---------------------------- diff --git a/tests/data_files/server10.key b/tests/data_files/server10.key new file mode 100644 index 000000000..0088331ea --- /dev/null +++ b/tests/data_files/server10.key @@ -0,0 +1,5 @@ +-----BEGIN EC PRIVATE KEY----- +MHcCAQEEILBDMs7bRVxVg6ovTpf2zB9m+22jY7R3LNKRvCPfa6YJoAoGCCqGSM49 +AwEHoUQDQgAEHG336dql6qGcsnIZqAkcc63eFbvepuOzTwXobRAuOmk3l4A5wXX/ +vs5wAawLX1wUTUM/AESHmAZrJK9tq5So8g== +-----END EC PRIVATE KEY----- diff --git a/tests/data_files/server10_int3_int-ca2.crt b/tests/data_files/server10_int3_int-ca2.crt new file mode 100644 index 000000000..dfe889a70 --- /dev/null +++ b/tests/data_files/server10_int3_int-ca2.crt @@ -0,0 +1,80 @@ +-----BEGIN CERTIFICATE----- +MIIBWjCCAQCgAwIBAgIBSzAKBggqhkjOPQQDAjBKMQswCQYDVQQGEwJVSzERMA8G +A1UEChMIbWJlZCBUTFMxKDAmBgNVBAMTH21iZWQgVExTIFRlc3QgaW50ZXJtZWRp +YXRlIENBIDMwHhcNMTUwOTAxMTM0NzU1WhcNMjUwODI5MTM0NzU1WjAUMRIwEAYD +VQQDEwlsb2NhbGhvc3QwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAAQcbffp2qXq +oZyychmoCRxzrd4Vu96m47NPBehtEC46aTeXgDnBdf++znABrAtfXBRNQz8ARIeY +Bmskr22rlKjyow0wCzAJBgNVHRMEAjAAMAoGCCqGSM49BAMCA0gAMEUCIQDLc+Io +rg8VxEbCgVv8iH+kOIEn9MjhpvKzvwUoV+6rjQIgZU/RXAyc1a+H2+soGfNEIOBQ +AzO3pJx7WJAApZuBX1Q= +-----END CERTIFICATE----- +-----BEGIN CERTIFICATE----- +MIIBwjCCAUegAwIBAgIBSTAKBggqhkjOPQQDAjBLMQswCQYDVQQGEwJOTDERMA8G +A1UEChMIUG9sYXJTU0wxKTAnBgNVBAMTIFBvbGFyU1NMIFRlc3QgSW50ZXJtZWRp +YXRlIEVDIENBMB4XDTE1MDkwMTEzNDIxOFoXDTI1MDgyOTEzNDIxOFowSjELMAkG +A1UEBhMCVUsxETAPBgNVBAoTCG1iZWQgVExTMSgwJgYDVQQDEx9tYmVkIFRMUyBU +ZXN0IGludGVybWVkaWF0ZSBDQSAzMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAE +732fWHLNPMPsP1U1ibXvb55erlEVMlpXBGsj+KYwVqU1XCmW9Z9hhP7X/5js/DX9 +2J/utoHyjUtVpQOzdTrbsaMdMBswDAYDVR0TBAUwAwEB/zALBgNVHQ8EBAMCB4Aw +CgYIKoZIzj0EAwIDaQAwZgIxAJ9RX38bht+RNsQI2GUpNhC/Y+Tb1OU74O4iEa6+ +CkjBWTpLtHRKVdZq7ST0wk1LsQIxAIUi8L1Vx4DuUP0bJxIX/nuJqlBnBG+qRhSf +VgHKgSyHidpZAJpaRi4IkY504CY/Yg== +-----END CERTIFICATE----- +-----BEGIN CERTIFICATE----- +MIIC6TCCAdGgAwIBAgIBDzANBgkqhkiG9w0BAQsFADA7MQswCQYDVQQGEwJOTDER +MA8GA1UEChMIUG9sYXJTU0wxGTAXBgNVBAMTEFBvbGFyU1NMIFRlc3QgQ0EwHhcN +MTMwOTI0MTYwODQyWhcNMjMwOTIyMTYwODQyWjBLMQswCQYDVQQGEwJOTDERMA8G +A1UEChMIUG9sYXJTU0wxKTAnBgNVBAMTIFBvbGFyU1NMIFRlc3QgSW50ZXJtZWRp +YXRlIEVDIENBMHYwEAYHKoZIzj0CAQYFK4EEACIDYgAE8Oih3fX5SLeN1dmFncQl +WMw9+Y6sXblhlrXBxhXxjwdwpCHENn+foUVdrqYVYa7Suv3QVeO6nJ19H3QNixW8 +ik1P+hxsbaq8bta78vAyHmC4EmXQLg1w7oxb9Q82qX1Yo4GVMIGSMB0GA1UdDgQW +BBQPib1jQevLXhco/2gwPcGI0JxYOTBjBgNVHSMEXDBagBS0WuSls97SUva51aaV +D+s+vMf9/6E/pD0wOzELMAkGA1UEBhMCTkwxETAPBgNVBAoTCFBvbGFyU1NMMRkw +FwYDVQQDExBQb2xhclNTTCBUZXN0IENBggEAMAwGA1UdEwQFMAMBAf8wDQYJKoZI +hvcNAQELBQADggEBAAjeaTUaCBiXT1CYLVr6UFSeRNZBrDPnj6PwqUQTvgB5I5n6 +yXqoE4RYDaEL0Lg24juFxI26itBuypto6vscgGq77cfrP/avSdxU+xeZ4bCWvh3M +ddj9lmko2U8I8GhBcHpSuIiTvgKDB8eKkjeq3AsLGchHDvip8pB3IhcNfL7W94Zf +7/lH9VQiE3/px7amD32cidoPvWLA9U3f1FsPmJESUz0wwNfINpDjmPr8dGbkCN+M +CFhxo6sCfK8KLYG4nYX8FwxVR86kpSrO9e84AX0YYbdzxprbc2XOaebJ8+BDmzut +ARkD7DTXrodN1wV7jQJkrUuEwPj9Rhvk+MFRkaw= +-----END CERTIFICATE----- +-----BEGIN CERTIFICATE----- +MIIBWjCCAQCgAwIBAgIBSzAKBggqhkjOPQQDAjBKMQswCQYDVQQGEwJVSzERMA8G +A1UEChMIbWJlZCBUTFMxKDAmBgNVBAMTH21iZWQgVExTIFRlc3QgaW50ZXJtZWRp +YXRlIENBIDMwHhcNMTUwOTAxMTM0NzU1WhcNMjUwODI5MTM0NzU1WjAUMRIwEAYD +VQQDEwlsb2NhbGhvc3QwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAAQcbffp2qXq +oZyychmoCRxzrd4Vu96m47NPBehtEC46aTeXgDnBdf++znABrAtfXBRNQz8ARIeY +Bmskr22rlKjyow0wCzAJBgNVHRMEAjAAMAoGCCqGSM49BAMCA0gAMEUCIQDLc+Io +rg8VxEbCgVv8iH+kOIEn9MjhpvKzvwUoV+6rjQIgZU/RXAyc1a+H2+soGfNEIOBQ +AzO3pJx7WJAApZuBX1Q= +-----END CERTIFICATE----- +-----BEGIN CERTIFICATE----- +MIIBtDCCATqgAwIBAgIBTTAKBggqhkjOPQQDAjBLMQswCQYDVQQGEwJOTDERMA8G +A1UEChMIUG9sYXJTU0wxKTAnBgNVBAMTIFBvbGFyU1NMIFRlc3QgSW50ZXJtZWRp +YXRlIEVDIENBMB4XDTE1MDkwMTE0MDg0M1oXDTI1MDgyOTE0MDg0M1owSjELMAkG +A1UEBhMCVUsxETAPBgNVBAoTCG1iZWQgVExTMSgwJgYDVQQDEx9tYmVkIFRMUyBU +ZXN0IGludGVybWVkaWF0ZSBDQSAzMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAE +732fWHLNPMPsP1U1ibXvb55erlEVMlpXBGsj+KYwVqU1XCmW9Z9hhP7X/5js/DX9 +2J/utoHyjUtVpQOzdTrbsaMQMA4wDAYDVR0TBAUwAwEB/zAKBggqhkjOPQQDAgNo +ADBlAjAJRxbGRas3NBmk9MnGWXg7PT1xnRELHRWWIvfLdVQt06l1/xFg3ZuPdQdt +Qh7CK80CMQD7wa1o1a8qyDKBfLN636uKmKGga0E+vYXBeFCy9oARBangGCB0B2vt +pz590JvGWfM= +-----END CERTIFICATE----- +-----BEGIN CERTIFICATE----- +MIIC6TCCAdGgAwIBAgIBDzANBgkqhkiG9w0BAQsFADA7MQswCQYDVQQGEwJOTDER +MA8GA1UEChMIUG9sYXJTU0wxGTAXBgNVBAMTEFBvbGFyU1NMIFRlc3QgQ0EwHhcN +MTMwOTI0MTYwODQyWhcNMjMwOTIyMTYwODQyWjBLMQswCQYDVQQGEwJOTDERMA8G +A1UEChMIUG9sYXJTU0wxKTAnBgNVBAMTIFBvbGFyU1NMIFRlc3QgSW50ZXJtZWRp +YXRlIEVDIENBMHYwEAYHKoZIzj0CAQYFK4EEACIDYgAE8Oih3fX5SLeN1dmFncQl +WMw9+Y6sXblhlrXBxhXxjwdwpCHENn+foUVdrqYVYa7Suv3QVeO6nJ19H3QNixW8 +ik1P+hxsbaq8bta78vAyHmC4EmXQLg1w7oxb9Q82qX1Yo4GVMIGSMB0GA1UdDgQW +BBQPib1jQevLXhco/2gwPcGI0JxYOTBjBgNVHSMEXDBagBS0WuSls97SUva51aaV +D+s+vMf9/6E/pD0wOzELMAkGA1UEBhMCTkwxETAPBgNVBAoTCFBvbGFyU1NMMRkw +FwYDVQQDExBQb2xhclNTTCBUZXN0IENBggEAMAwGA1UdEwQFMAMBAf8wDQYJKoZI +hvcNAQELBQADggEBAAjeaTUaCBiXT1CYLVr6UFSeRNZBrDPnj6PwqUQTvgB5I5n6 +yXqoE4RYDaEL0Lg24juFxI26itBuypto6vscgGq77cfrP/avSdxU+xeZ4bCWvh3M +ddj9lmko2U8I8GhBcHpSuIiTvgKDB8eKkjeq3AsLGchHDvip8pB3IhcNfL7W94Zf +7/lH9VQiE3/px7amD32cidoPvWLA9U3f1FsPmJESUz0wwNfINpDjmPr8dGbkCN+M +CFhxo6sCfK8KLYG4nYX8FwxVR86kpSrO9e84AX0YYbdzxprbc2XOaebJ8+BDmzut +ARkD7DTXrodN1wV7jQJkrUuEwPj9Rhvk+MFRkaw= +-----END CERTIFICATE----- diff --git a/tests/data_files/server10_int3_int-ca2_ca.crt b/tests/data_files/server10_int3_int-ca2_ca.crt new file mode 100644 index 000000000..e85cc4a2b --- /dev/null +++ b/tests/data_files/server10_int3_int-ca2_ca.crt @@ -0,0 +1,160 @@ +-----BEGIN CERTIFICATE----- +MIIBWjCCAQCgAwIBAgIBSzAKBggqhkjOPQQDAjBKMQswCQYDVQQGEwJVSzERMA8G +A1UEChMIbWJlZCBUTFMxKDAmBgNVBAMTH21iZWQgVExTIFRlc3QgaW50ZXJtZWRp +YXRlIENBIDMwHhcNMTUwOTAxMTM0NzU1WhcNMjUwODI5MTM0NzU1WjAUMRIwEAYD +VQQDEwlsb2NhbGhvc3QwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAAQcbffp2qXq +oZyychmoCRxzrd4Vu96m47NPBehtEC46aTeXgDnBdf++znABrAtfXBRNQz8ARIeY +Bmskr22rlKjyow0wCzAJBgNVHRMEAjAAMAoGCCqGSM49BAMCA0gAMEUCIQDLc+Io +rg8VxEbCgVv8iH+kOIEn9MjhpvKzvwUoV+6rjQIgZU/RXAyc1a+H2+soGfNEIOBQ +AzO3pJx7WJAApZuBX1Q= +-----END CERTIFICATE----- +-----BEGIN CERTIFICATE----- +MIIBwjCCAUegAwIBAgIBSTAKBggqhkjOPQQDAjBLMQswCQYDVQQGEwJOTDERMA8G +A1UEChMIUG9sYXJTU0wxKTAnBgNVBAMTIFBvbGFyU1NMIFRlc3QgSW50ZXJtZWRp +YXRlIEVDIENBMB4XDTE1MDkwMTEzNDIxOFoXDTI1MDgyOTEzNDIxOFowSjELMAkG +A1UEBhMCVUsxETAPBgNVBAoTCG1iZWQgVExTMSgwJgYDVQQDEx9tYmVkIFRMUyBU +ZXN0IGludGVybWVkaWF0ZSBDQSAzMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAE +732fWHLNPMPsP1U1ibXvb55erlEVMlpXBGsj+KYwVqU1XCmW9Z9hhP7X/5js/DX9 +2J/utoHyjUtVpQOzdTrbsaMdMBswDAYDVR0TBAUwAwEB/zALBgNVHQ8EBAMCB4Aw +CgYIKoZIzj0EAwIDaQAwZgIxAJ9RX38bht+RNsQI2GUpNhC/Y+Tb1OU74O4iEa6+ +CkjBWTpLtHRKVdZq7ST0wk1LsQIxAIUi8L1Vx4DuUP0bJxIX/nuJqlBnBG+qRhSf +VgHKgSyHidpZAJpaRi4IkY504CY/Yg== +-----END CERTIFICATE----- +-----BEGIN CERTIFICATE----- +MIIC6TCCAdGgAwIBAgIBDzANBgkqhkiG9w0BAQsFADA7MQswCQYDVQQGEwJOTDER +MA8GA1UEChMIUG9sYXJTU0wxGTAXBgNVBAMTEFBvbGFyU1NMIFRlc3QgQ0EwHhcN +MTMwOTI0MTYwODQyWhcNMjMwOTIyMTYwODQyWjBLMQswCQYDVQQGEwJOTDERMA8G +A1UEChMIUG9sYXJTU0wxKTAnBgNVBAMTIFBvbGFyU1NMIFRlc3QgSW50ZXJtZWRp +YXRlIEVDIENBMHYwEAYHKoZIzj0CAQYFK4EEACIDYgAE8Oih3fX5SLeN1dmFncQl +WMw9+Y6sXblhlrXBxhXxjwdwpCHENn+foUVdrqYVYa7Suv3QVeO6nJ19H3QNixW8 +ik1P+hxsbaq8bta78vAyHmC4EmXQLg1w7oxb9Q82qX1Yo4GVMIGSMB0GA1UdDgQW +BBQPib1jQevLXhco/2gwPcGI0JxYOTBjBgNVHSMEXDBagBS0WuSls97SUva51aaV +D+s+vMf9/6E/pD0wOzELMAkGA1UEBhMCTkwxETAPBgNVBAoTCFBvbGFyU1NMMRkw +FwYDVQQDExBQb2xhclNTTCBUZXN0IENBggEAMAwGA1UdEwQFMAMBAf8wDQYJKoZI +hvcNAQELBQADggEBAAjeaTUaCBiXT1CYLVr6UFSeRNZBrDPnj6PwqUQTvgB5I5n6 +yXqoE4RYDaEL0Lg24juFxI26itBuypto6vscgGq77cfrP/avSdxU+xeZ4bCWvh3M +ddj9lmko2U8I8GhBcHpSuIiTvgKDB8eKkjeq3AsLGchHDvip8pB3IhcNfL7W94Zf +7/lH9VQiE3/px7amD32cidoPvWLA9U3f1FsPmJESUz0wwNfINpDjmPr8dGbkCN+M +CFhxo6sCfK8KLYG4nYX8FwxVR86kpSrO9e84AX0YYbdzxprbc2XOaebJ8+BDmzut +ARkD7DTXrodN1wV7jQJkrUuEwPj9Rhvk+MFRkaw= +-----END CERTIFICATE----- +-----BEGIN CERTIFICATE----- +MIIBWjCCAQCgAwIBAgIBSzAKBggqhkjOPQQDAjBKMQswCQYDVQQGEwJVSzERMA8G +A1UEChMIbWJlZCBUTFMxKDAmBgNVBAMTH21iZWQgVExTIFRlc3QgaW50ZXJtZWRp +YXRlIENBIDMwHhcNMTUwOTAxMTM0NzU1WhcNMjUwODI5MTM0NzU1WjAUMRIwEAYD +VQQDEwlsb2NhbGhvc3QwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAAQcbffp2qXq +oZyychmoCRxzrd4Vu96m47NPBehtEC46aTeXgDnBdf++znABrAtfXBRNQz8ARIeY +Bmskr22rlKjyow0wCzAJBgNVHRMEAjAAMAoGCCqGSM49BAMCA0gAMEUCIQDLc+Io +rg8VxEbCgVv8iH+kOIEn9MjhpvKzvwUoV+6rjQIgZU/RXAyc1a+H2+soGfNEIOBQ +AzO3pJx7WJAApZuBX1Q= +-----END CERTIFICATE----- +-----BEGIN CERTIFICATE----- +MIIBtDCCATqgAwIBAgIBTTAKBggqhkjOPQQDAjBLMQswCQYDVQQGEwJOTDERMA8G +A1UEChMIUG9sYXJTU0wxKTAnBgNVBAMTIFBvbGFyU1NMIFRlc3QgSW50ZXJtZWRp +YXRlIEVDIENBMB4XDTE1MDkwMTE0MDg0M1oXDTI1MDgyOTE0MDg0M1owSjELMAkG +A1UEBhMCVUsxETAPBgNVBAoTCG1iZWQgVExTMSgwJgYDVQQDEx9tYmVkIFRMUyBU +ZXN0IGludGVybWVkaWF0ZSBDQSAzMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAE +732fWHLNPMPsP1U1ibXvb55erlEVMlpXBGsj+KYwVqU1XCmW9Z9hhP7X/5js/DX9 +2J/utoHyjUtVpQOzdTrbsaMQMA4wDAYDVR0TBAUwAwEB/zAKBggqhkjOPQQDAgNo +ADBlAjAJRxbGRas3NBmk9MnGWXg7PT1xnRELHRWWIvfLdVQt06l1/xFg3ZuPdQdt +Qh7CK80CMQD7wa1o1a8qyDKBfLN636uKmKGga0E+vYXBeFCy9oARBangGCB0B2vt +pz590JvGWfM= +-----END CERTIFICATE----- +-----BEGIN CERTIFICATE----- +MIIC6TCCAdGgAwIBAgIBDzANBgkqhkiG9w0BAQsFADA7MQswCQYDVQQGEwJOTDER +MA8GA1UEChMIUG9sYXJTU0wxGTAXBgNVBAMTEFBvbGFyU1NMIFRlc3QgQ0EwHhcN +MTMwOTI0MTYwODQyWhcNMjMwOTIyMTYwODQyWjBLMQswCQYDVQQGEwJOTDERMA8G +A1UEChMIUG9sYXJTU0wxKTAnBgNVBAMTIFBvbGFyU1NMIFRlc3QgSW50ZXJtZWRp +YXRlIEVDIENBMHYwEAYHKoZIzj0CAQYFK4EEACIDYgAE8Oih3fX5SLeN1dmFncQl +WMw9+Y6sXblhlrXBxhXxjwdwpCHENn+foUVdrqYVYa7Suv3QVeO6nJ19H3QNixW8 +ik1P+hxsbaq8bta78vAyHmC4EmXQLg1w7oxb9Q82qX1Yo4GVMIGSMB0GA1UdDgQW +BBQPib1jQevLXhco/2gwPcGI0JxYOTBjBgNVHSMEXDBagBS0WuSls97SUva51aaV +D+s+vMf9/6E/pD0wOzELMAkGA1UEBhMCTkwxETAPBgNVBAoTCFBvbGFyU1NMMRkw +FwYDVQQDExBQb2xhclNTTCBUZXN0IENBggEAMAwGA1UdEwQFMAMBAf8wDQYJKoZI +hvcNAQELBQADggEBAAjeaTUaCBiXT1CYLVr6UFSeRNZBrDPnj6PwqUQTvgB5I5n6 +yXqoE4RYDaEL0Lg24juFxI26itBuypto6vscgGq77cfrP/avSdxU+xeZ4bCWvh3M +ddj9lmko2U8I8GhBcHpSuIiTvgKDB8eKkjeq3AsLGchHDvip8pB3IhcNfL7W94Zf +7/lH9VQiE3/px7amD32cidoPvWLA9U3f1FsPmJESUz0wwNfINpDjmPr8dGbkCN+M +CFhxo6sCfK8KLYG4nYX8FwxVR86kpSrO9e84AX0YYbdzxprbc2XOaebJ8+BDmzut +ARkD7DTXrodN1wV7jQJkrUuEwPj9Rhvk+MFRkaw= +-----END CERTIFICATE----- +Certificate: + Data: + Version: 3 (0x2) + Serial Number: 0 (0x0) + Signature Algorithm: sha1WithRSAEncryption + Issuer: C=NL, O=PolarSSL, CN=PolarSSL Test CA + Validity + Not Before: Feb 12 14:44:00 2011 GMT + Not After : Feb 12 14:44:00 2021 GMT + Subject: C=NL, O=PolarSSL, CN=PolarSSL Test CA + Subject Public Key Info: + Public Key Algorithm: rsaEncryption + RSA Public Key: (2048 bit) + Modulus (2048 bit): + 00:c0:df:37:fc:17:bb:e0:96:9d:3f:86:de:96:32: + 7d:44:a5:16:a0:cd:21:f1:99:d4:ec:ea:cb:7c:18: + 58:08:94:a5:ec:9b:c5:8b:df:1a:1e:99:38:99:87: + 1e:7b:c0:8d:39:df:38:5d:70:78:07:d3:9e:d9:93: + e8:b9:72:51:c5:ce:a3:30:52:a9:f2:e7:40:70:14: + cb:44:a2:72:0b:c2:e5:40:f9:3e:e5:a6:0e:b3:f9: + ec:4a:63:c0:b8:29:00:74:9c:57:3b:a8:a5:04:90: + 71:f1:bd:83:d9:3f:d6:a5:e2:3c:2a:8f:ef:27:60: + c3:c6:9f:cb:ba:ec:60:7d:b7:e6:84:32:be:4f:fb: + 58:26:22:03:5b:d4:b4:d5:fb:f5:e3:96:2e:70:c0: + e4:2e:bd:fc:2e:ee:e2:41:55:c0:34:2e:7d:24:72: + 69:cb:47:b1:14:40:83:7d:67:f4:86:f6:31:ab:f1: + 79:a4:b2:b5:2e:12:f9:84:17:f0:62:6f:27:3e:13: + 58:b1:54:0d:21:9a:73:37:a1:30:cf:6f:92:dc:f6: + e9:fc:ac:db:2e:28:d1:7e:02:4b:23:a0:15:f2:38: + 65:64:09:ea:0c:6e:8e:1b:17:a0:71:c8:b3:9b:c9: + ab:e9:c3:f2:cf:87:96:8f:80:02:32:9e:99:58:6f: + a2:d5 + Exponent: 65537 (0x10001) + X509v3 extensions: + X509v3 Basic Constraints: + CA:TRUE + X509v3 Subject Key Identifier: + B4:5A:E4:A5:B3:DE:D2:52:F6:B9:D5:A6:95:0F:EB:3E:BC:C7:FD:FF + X509v3 Authority Key Identifier: + keyid:B4:5A:E4:A5:B3:DE:D2:52:F6:B9:D5:A6:95:0F:EB:3E:BC:C7:FD:FF + DirName:/C=NL/O=PolarSSL/CN=PolarSSL Test CA + serial:00 + + Signature Algorithm: sha1WithRSAEncryption + b8:fd:54:d8:00:54:90:8b:25:b0:27:dd:95:cd:a2:f7:84:07: + 1d:87:89:4a:c4:78:11:d8:07:b5:d7:22:50:8e:48:eb:62:7a: + 32:89:be:63:47:53:ff:b6:be:f1:2e:8c:54:c0:99:3f:a0:b9: + 37:23:72:5f:0d:46:59:8f:d8:47:cd:97:4c:9f:07:0c:12:62: + 09:3a:24:e4:36:d9:e9:2c:da:38:d0:73:75:61:d7:c1:6c:26: + 8b:9b:e0:d5:dc:67:ed:8c:6b:33:d7:74:22:3c:4c:db:b5:8d: + 2a:ce:2c:0d:08:59:05:09:05:a6:39:9f:b3:67:1b:e2:83:e5: + e1:8f:53:f6:67:93:c7:f9:6f:76:44:58:12:e8:3a:d4:97:e7: + e9:c0:3e:a8:7a:72:3d:87:53:1f:e5:2c:84:84:e7:9a:9e:7f: + 66:d9:1f:9b:f5:13:48:b0:4d:14:d1:de:b2:24:d9:78:7d:f5: + 35:cc:58:19:d1:d2:99:ef:4d:73:f8:1f:89:d4:5a:d0:52:ce: + 09:f5:b1:46:51:6a:00:8e:3b:cc:6f:63:01:00:99:ed:9d:a6: + 08:60:cd:32:18:d0:73:e0:58:71:d9:e5:d2:53:d7:8d:d0:ca: + e9:5d:2a:0a:0d:5d:55:ec:21:50:17:16:e6:06:4a:cd:5e:de: + f7:e0:e9:54 +-----BEGIN CERTIFICATE----- +MIIDhzCCAm+gAwIBAgIBADANBgkqhkiG9w0BAQUFADA7MQswCQYDVQQGEwJOTDER +MA8GA1UEChMIUG9sYXJTU0wxGTAXBgNVBAMTEFBvbGFyU1NMIFRlc3QgQ0EwHhcN +MTEwMjEyMTQ0NDAwWhcNMjEwMjEyMTQ0NDAwWjA7MQswCQYDVQQGEwJOTDERMA8G +A1UEChMIUG9sYXJTU0wxGTAXBgNVBAMTEFBvbGFyU1NMIFRlc3QgQ0EwggEiMA0G +CSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDA3zf8F7vglp0/ht6WMn1EpRagzSHx +mdTs6st8GFgIlKXsm8WL3xoemTiZhx57wI053zhdcHgH057Zk+i5clHFzqMwUqny +50BwFMtEonILwuVA+T7lpg6z+exKY8C4KQB0nFc7qKUEkHHxvYPZP9al4jwqj+8n +YMPGn8u67GB9t+aEMr5P+1gmIgNb1LTV+/Xjli5wwOQuvfwu7uJBVcA0Ln0kcmnL +R7EUQIN9Z/SG9jGr8XmksrUuEvmEF/Bibyc+E1ixVA0hmnM3oTDPb5Lc9un8rNsu +KNF+AksjoBXyOGVkCeoMbo4bF6BxyLObyavpw/LPh5aPgAIynplYb6LVAgMBAAGj +gZUwgZIwDAYDVR0TBAUwAwEB/zAdBgNVHQ4EFgQUtFrkpbPe0lL2udWmlQ/rPrzH +/f8wYwYDVR0jBFwwWoAUtFrkpbPe0lL2udWmlQ/rPrzH/f+hP6Q9MDsxCzAJBgNV +BAYTAk5MMREwDwYDVQQKEwhQb2xhclNTTDEZMBcGA1UEAxMQUG9sYXJTU0wgVGVz +dCBDQYIBADANBgkqhkiG9w0BAQUFAAOCAQEAuP1U2ABUkIslsCfdlc2i94QHHYeJ +SsR4EdgHtdciUI5I62J6Mom+Y0dT/7a+8S6MVMCZP6C5NyNyXw1GWY/YR82XTJ8H +DBJiCTok5DbZ6SzaONBzdWHXwWwmi5vg1dxn7YxrM9d0IjxM27WNKs4sDQhZBQkF +pjmfs2cb4oPl4Y9T9meTx/lvdkRYEug61Jfn6cA+qHpyPYdTH+UshITnmp5/Ztkf +m/UTSLBNFNHesiTZeH31NcxYGdHSme9Nc/gfidRa0FLOCfWxRlFqAI47zG9jAQCZ +7Z2mCGDNMhjQc+BYcdnl0lPXjdDK6V0qCg1dVewhUBcW5gZKzV7e9+DpVA== +-----END CERTIFICATE----- diff --git a/tests/data_files/server1_ca.crt b/tests/data_files/server1_ca.crt new file mode 100644 index 000000000..748d94457 --- /dev/null +++ b/tests/data_files/server1_ca.crt @@ -0,0 +1,41 @@ +-----BEGIN CERTIFICATE----- +MIIDPzCCAiegAwIBAgIBATANBgkqhkiG9w0BAQUFADA7MQswCQYDVQQGEwJOTDER +MA8GA1UEChMIUG9sYXJTU0wxGTAXBgNVBAMTEFBvbGFyU1NMIFRlc3QgQ0EwHhcN +MTEwMjEyMTQ0NDA2WhcNMjEwMjEyMTQ0NDA2WjA8MQswCQYDVQQGEwJOTDERMA8G +A1UEChMIUG9sYXJTU0wxGjAYBgNVBAMTEVBvbGFyU1NMIFNlcnZlciAxMIIBIjAN +BgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAqQIfPUBq1VVTi/027oJlLhVhXom/ +uOhFkNvuiBZS0/FDUEeWEllkh2v9K+BG+XO+3c+S4ZFb7Wagb4kpeUWA0INq1UFD +d185fAkER4KwVzlw7aPsFRkeqDMIR8EFQqn9TMO0390GH00QUUBncxMPQPhtgSVf +CrFTxjB+FTms+Vruf5KepgVb5xOXhbUjktnUJAbVCSWJdQfdphqPPwkZvq1lLGTr +lZvc/kFeF6babFtpzAK6FCwWJJxK3M3Q91Jnc/EtoCP9fvQxyi1wyokLBNsupk9w +bp7OvViJ4lNZnm5akmXiiD8MlBmj3eXonZUT7Snbq3AS3FrKaxerUoJUsQIDAQAB +o00wSzAJBgNVHRMEAjAAMB0GA1UdDgQWBBQfdNY/KcF0dEU7BRIsPai9Q1kCpjAf +BgNVHSMEGDAWgBS0WuSls97SUva51aaVD+s+vMf9/zANBgkqhkiG9w0BAQUFAAOC +AQEAvc+WwZUemsJu2IiI2Cp6liA+UAvIx98dQe3kZs2zAoF9VwQbXcYzWQ/BILkj +NImKbPL9x0g2jIDn4ZvGYFywMwIO/d++YbwYiQw42/v7RiMy94zBPnzeHi86dy/0 +jpOOJUx3IXRsGLdyjb/1T11klcFqGnARiK+8VYolMPP6afKvLXX7K4kiUpsFQhUp +E5VeM5pV1Mci2ETOJau2cO40FJvI/C9W/wR+GAArMaw2fxG77E3laaa0LAOlexM6 +A4KOb5f5cGTM5Ih6tEF5FVq3/9vzNIYMa1FqzacBLZF8zSHYLEimXBdzjBoN4qDU +/WzRyYRBRjAI49mzHX6raleqnw== +-----END CERTIFICATE----- +-----BEGIN CERTIFICATE----- +MIIDhzCCAm+gAwIBAgIBADANBgkqhkiG9w0BAQUFADA7MQswCQYDVQQGEwJOTDER +MA8GA1UEChMIUG9sYXJTU0wxGTAXBgNVBAMTEFBvbGFyU1NMIFRlc3QgQ0EwHhcN +MTEwMjEyMTQ0NDAwWhcNMjEwMjEyMTQ0NDAwWjA7MQswCQYDVQQGEwJOTDERMA8G +A1UEChMIUG9sYXJTU0wxGTAXBgNVBAMTEFBvbGFyU1NMIFRlc3QgQ0EwggEiMA0G +CSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDA3zf8F7vglp0/ht6WMn1EpRagzSHx +mdTs6st8GFgIlKXsm8WL3xoemTiZhx57wI053zhdcHgH057Zk+i5clHFzqMwUqny +50BwFMtEonILwuVA+T7lpg6z+exKY8C4KQB0nFc7qKUEkHHxvYPZP9al4jwqj+8n +YMPGn8u67GB9t+aEMr5P+1gmIgNb1LTV+/Xjli5wwOQuvfwu7uJBVcA0Ln0kcmnL +R7EUQIN9Z/SG9jGr8XmksrUuEvmEF/Bibyc+E1ixVA0hmnM3oTDPb5Lc9un8rNsu +KNF+AksjoBXyOGVkCeoMbo4bF6BxyLObyavpw/LPh5aPgAIynplYb6LVAgMBAAGj +gZUwgZIwDAYDVR0TBAUwAwEB/zAdBgNVHQ4EFgQUtFrkpbPe0lL2udWmlQ/rPrzH +/f8wYwYDVR0jBFwwWoAUtFrkpbPe0lL2udWmlQ/rPrzH/f+hP6Q9MDsxCzAJBgNV +BAYTAk5MMREwDwYDVQQKEwhQb2xhclNTTDEZMBcGA1UEAxMQUG9sYXJTU0wgVGVz +dCBDQYIBADANBgkqhkiG9w0BAQUFAAOCAQEAuP1U2ABUkIslsCfdlc2i94QHHYeJ +SsR4EdgHtdciUI5I62J6Mom+Y0dT/7a+8S6MVMCZP6C5NyNyXw1GWY/YR82XTJ8H +DBJiCTok5DbZ6SzaONBzdWHXwWwmi5vg1dxn7YxrM9d0IjxM27WNKs4sDQhZBQkF +pjmfs2cb4oPl4Y9T9meTx/lvdkRYEug61Jfn6cA+qHpyPYdTH+UshITnmp5/Ztkf +m/UTSLBNFNHesiTZeH31NcxYGdHSme9Nc/gfidRa0FLOCfWxRlFqAI47zG9jAQCZ +7Z2mCGDNMhjQc+BYcdnl0lPXjdDK6V0qCg1dVewhUBcW5gZKzV7e9+DpVA== +-----END CERTIFICATE----- diff --git a/tests/data_files/server7_int-ca_ca2.crt b/tests/data_files/server7_int-ca_ca2.crt new file mode 100644 index 000000000..c289c0aad --- /dev/null +++ b/tests/data_files/server7_int-ca_ca2.crt @@ -0,0 +1,62 @@ +-----BEGIN CERTIFICATE----- +MIIDwjCCAaqgAwIBAgIBEDANBgkqhkiG9w0BAQsFADBIMQswCQYDVQQGEwJOTDER +MA8GA1UEChMIUG9sYXJTU0wxJjAkBgNVBAMTHVBvbGFyU1NMIFRlc3QgSW50ZXJt +ZWRpYXRlIENBMB4XDTEzMDkyNDE2MTIyNFoXDTIzMDkyMjE2MTIyNFowNDELMAkG +A1UEBhMCTkwxETAPBgNVBAoTCFBvbGFyU1NMMRIwEAYDVQQDEwlsb2NhbGhvc3Qw +WTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAAQcbffp2qXqoZyychmoCRxzrd4Vu96m +47NPBehtEC46aTeXgDnBdf++znABrAtfXBRNQz8ARIeYBmskr22rlKjyo4GVMIGS +MAkGA1UdEwQCMAAwHQYDVR0OBBYEFNIK06V3H85VsFxGoo5zbL+hYCa7MGYGA1Ud +IwRfMF2AFDh32Gt3nCh3gotO2BupHveUFrcOoUKkQDA+MQswCQYDVQQGEwJOTDER +MA8GA1UEChMIUG9sYXJTU0wxHDAaBgNVBAMTE1BvbGFyc3NsIFRlc3QgRUMgQ0GC +AQ4wDQYJKoZIhvcNAQELBQADggIBADRoQ5fHKw+vkl0D3aqLX1XrZidb+25AWbhr +FYXdaskN219PrXBL3cV8x5tK6qsPKSyyw1lue80OmhXs/w7PJkOHHUSWRnmTv7lr +8Us3Zr/yOF/VVqzdGs7DlOTpyzEBdugI9uar/aCqHDoltN8wOduOoQB9aojYpROj ++gjlEO0mgt/87XpjYOig1o0jv44QYDQZQzpj1zeIn6WMe6xk9YDwCLMjRIpg++c7 +QyxvcEJTn80wX1SaEBM2gau97G7bORLMwBVkMT4oSY+iKYgpPpawOnMJbqUP73Dm +yfJExDdrW/BbWZ/vKIcSqSZIbkHdkNjUDVHczyVwQxZxzvLFw/B1k9s7jYFsi5eK +TNAdXFa4et1H2sd+uhu24GxsjmJioDrftixcgzPVBjDCjH8QWkBEX292WJ58on0e +deWLpZUnzPdE1B4rsiPw1Vg28mGgr2O1xgBQr/fx6A+8ItNTzAXbZfEcult9ypwM +0b6YDNe5IvdKk8iwz3mof0VNy47K6xoCaE/fxxWkjoXK8x2wfswGeP2QgUzQE93b +OtjdHpsG1c7gIVFQmKATyAPUz4vqmezgNRleXU0oL0PYtoCmKQ51UjNMUfmO9xCj +VJaNa2iTQ5Dgic+CW4TYAgj5/9g9X3WfwnDNxrZ0UxxawGElczHXqbrNleTtPaKp +a8Si6UK5 +-----END CERTIFICATE----- +-----BEGIN CERTIFICATE----- +MIIEATCCA4egAwIBAgIBDjAKBggqhkjOPQQDAjA+MQswCQYDVQQGEwJOTDERMA8G +A1UEChMIUG9sYXJTU0wxHDAaBgNVBAMTE1BvbGFyc3NsIFRlc3QgRUMgQ0EwHhcN +MTMwOTI0MTU1NTE0WhcNMjMwOTIyMTU1NTE0WjBIMQswCQYDVQQGEwJOTDERMA8G +A1UEChMIUG9sYXJTU0wxJjAkBgNVBAMTHVBvbGFyU1NMIFRlc3QgSW50ZXJtZWRp +YXRlIENBMIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEAo1Oc8nr6fMTq +vowV+CpC55i5BZGFGc50Eb4RLBSRTH1e7JepdFjAVbBtyQRJSiY1ja0tgLQDDKZR +wfEI+b4azse460InPHv7C1TN0upXlxuj6m9B1IlP+sBaM7WBC6dVfPO+jVMIxgkF +CaBCLhhdK1Fjf8HjkT/PkctWnho8NTwivc9+nqRZjXe/eIcqm5HwjDDhu+gz+o0g +Vz9MfZNi1JyCrOyNZcy+cr2QeNnNVGnFq8xTxtu6dLunhpmLFj2mm0Vjwa7Ypj5q +AjpqTMtDvqbRuToyoyzajhMNcCAf7gwzIupJJFVdjdtgYAcQwzikwF5HoITJzzJ2 +qgxF7CmvGZNb7G99mLdLdhtclH3wAQKHYwEGJo7XKyNEuHPQgB+e0cg1SD1HqlAM +uCfGGTWQ6me7Bjan3t0NzoTdDq6IpKTesbaY+/9e2xn8DCrhBKLXQMZFDZqUoLYA +kGPOEGgvlPnIIXAawouxCaNYEh5Uw871YMSPT28rLdFr49dwYOtDg9foA8hDIW2P +d6KXbrZteesvA1nYzEOs+3AjrbT79Md2W8Bz9bqBVNlNOESSqm4kiCJFmslm/6br +Np0MSQd+o22PQ4xRtmP6UsTfU0ueiMpYc8TYYhMbfnfFyo4m707ebcflPbBEN2dg +updQ66cvfCJB0QJt9upafY0lpdV1qUkCAwEAAaOBoDCBnTAdBgNVHQ4EFgQUOHfY +a3ecKHeCi07YG6ke95QWtw4wbgYDVR0jBGcwZYAUnW0gJEkBPyvLeLUZvH4kydv7 +NnyhQqRAMD4xCzAJBgNVBAYTAk5MMREwDwYDVQQKEwhQb2xhclNTTDEcMBoGA1UE +AxMTUG9sYXJzc2wgVGVzdCBFQyBDQYIJAMFD4n5iQ8zoMAwGA1UdEwQFMAMBAf8w +CgYIKoZIzj0EAwIDaAAwZQIxAPyE+u+eP7gRrSFjQicmpYg8jiFUCYEowWY2zuOG +i1HXYwmpDHfasQ3rNSuf/gHvjwIwbSSjumDk+uYNci/KMELDsD0MFHxZhhBc9Hp9 +Af5cNR8KhzegznL6amRObGGKmX1F +-----END CERTIFICATE----- +-----BEGIN CERTIFICATE----- +MIICUjCCAdegAwIBAgIJAMFD4n5iQ8zoMAoGCCqGSM49BAMCMD4xCzAJBgNVBAYT +Ak5MMREwDwYDVQQKEwhQb2xhclNTTDEcMBoGA1UEAxMTUG9sYXJzc2wgVGVzdCBF +QyBDQTAeFw0xMzA5MjQxNTQ5NDhaFw0yMzA5MjIxNTQ5NDhaMD4xCzAJBgNVBAYT +Ak5MMREwDwYDVQQKEwhQb2xhclNTTDEcMBoGA1UEAxMTUG9sYXJzc2wgVGVzdCBF +QyBDQTB2MBAGByqGSM49AgEGBSuBBAAiA2IABMPaKzRBN1gvh1b+/Im6KUNLTuBu +ww5XUzM5WNRStJGVOQsj318XJGJI/BqVKc4sLYfCiFKAr9ZqqyHduNMcbli4yuiy +aY7zQa0pw7RfdadHb9UZKVVpmlM7ILRmFmAzHqOBoDCBnTAdBgNVHQ4EFgQUnW0g +JEkBPyvLeLUZvH4kydv7NnwwbgYDVR0jBGcwZYAUnW0gJEkBPyvLeLUZvH4kydv7 +NnyhQqRAMD4xCzAJBgNVBAYTAk5MMREwDwYDVQQKEwhQb2xhclNTTDEcMBoGA1UE +AxMTUG9sYXJzc2wgVGVzdCBFQyBDQYIJAMFD4n5iQ8zoMAwGA1UdEwQFMAMBAf8w +CgYIKoZIzj0EAwIDaQAwZgIxAMO0YnNWKJUAfXgSJtJxexn4ipg+kv4znuR50v56 +t4d0PCu412mUC6Nnd7izvtE2MgIxAP1nnJQjZ8BWukszFQDG48wxCCyci9qpdSMv +uCjn8pwUOkABXK8Mss90fzCfCEOtIA== +-----END CERTIFICATE----- diff --git a/tests/data_files/test-int-ca3.crt b/tests/data_files/test-int-ca3.crt new file mode 100644 index 000000000..7e724b241 --- /dev/null +++ b/tests/data_files/test-int-ca3.crt @@ -0,0 +1,12 @@ +-----BEGIN CERTIFICATE----- +MIIBtDCCATqgAwIBAgIBTTAKBggqhkjOPQQDAjBLMQswCQYDVQQGEwJOTDERMA8G +A1UEChMIUG9sYXJTU0wxKTAnBgNVBAMTIFBvbGFyU1NMIFRlc3QgSW50ZXJtZWRp +YXRlIEVDIENBMB4XDTE1MDkwMTE0MDg0M1oXDTI1MDgyOTE0MDg0M1owSjELMAkG +A1UEBhMCVUsxETAPBgNVBAoTCG1iZWQgVExTMSgwJgYDVQQDEx9tYmVkIFRMUyBU +ZXN0IGludGVybWVkaWF0ZSBDQSAzMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAE +732fWHLNPMPsP1U1ibXvb55erlEVMlpXBGsj+KYwVqU1XCmW9Z9hhP7X/5js/DX9 +2J/utoHyjUtVpQOzdTrbsaMQMA4wDAYDVR0TBAUwAwEB/zAKBggqhkjOPQQDAgNo +ADBlAjAJRxbGRas3NBmk9MnGWXg7PT1xnRELHRWWIvfLdVQt06l1/xFg3ZuPdQdt +Qh7CK80CMQD7wa1o1a8qyDKBfLN636uKmKGga0E+vYXBeFCy9oARBangGCB0B2vt +pz590JvGWfM= +-----END CERTIFICATE----- diff --git a/tests/data_files/test-int-ca3.key b/tests/data_files/test-int-ca3.key new file mode 100644 index 000000000..1bcc7116b --- /dev/null +++ b/tests/data_files/test-int-ca3.key @@ -0,0 +1,8 @@ +-----BEGIN EC PARAMETERS----- +BggqhkjOPQMBBw== +-----END EC PARAMETERS----- +-----BEGIN EC PRIVATE KEY----- +MHcCAQEEIC9zTt8jgjBlbq+qCsGj6uclaKLYBqxYSmUiuBdM1KG9oAoGCCqGSM49 +AwEHoUQDQgAE732fWHLNPMPsP1U1ibXvb55erlEVMlpXBGsj+KYwVqU1XCmW9Z9h +hP7X/5js/DX92J/utoHyjUtVpQOzdTrbsQ== +-----END EC PRIVATE KEY----- diff --git a/tests/suites/test_suite_x509parse.data b/tests/suites/test_suite_x509parse.data index 5bd2af4c5..e28839407 100644 --- a/tests/suites/test_suite_x509parse.data +++ b/tests/suites/test_suite_x509parse.data @@ -699,6 +699,42 @@ X509 Certificate verification #81 (multiple CRLs, none relevant) depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_ECDSA_C:MBEDTLS_ECP_DP_SECP384R1_ENABLED:MBEDTLS_ECP_DP_SECP256R1_ENABLED:MBEDTLS_SHA256_C:MBEDTLS_RSA_C x509_verify:"data_files/enco-cert-utf8str.pem":"data_files/enco-ca-prstr.pem":"data_files/crl_cat_rsa-ec.pem":"NULL":MBEDTLS_ERR_X509_CERT_VERIFY_FAILED:MBEDTLS_X509_BADCERT_BAD_KEY:"NULL" +X509 Certificate verification callback: trusted EE cert +depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_ECDSA_C:MBEDTLS_SHA256_C:MBEDTLS_ECP_DP_SECP256R1_ENABLED +x509_verify_callback:"data_files/server5-selfsigned.crt":"data_files/server5-selfsigned.crt":0:"depth 0 - serial 53\:A2\:CB\:4B\:12\:4E\:AD\:83\:7D\:A8\:94\:B2 - subject CN=selfsigned, OU=testing, O=PolarSSL, C=NL\n" + +X509 Certificate verification callback: simple +depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_SHA1_C:MBEDTLS_RSA_C:MBEDTLS_PKCS1_V15 +x509_verify_callback:"data_files/server1.crt":"data_files/test-ca.crt":0:"depth 1 - serial 00 - subject C=NL, O=PolarSSL, CN=PolarSSL Test CA\ndepth 0 - serial 01 - subject C=NL, O=PolarSSL, CN=PolarSSL Server 1\n" + +X509 Certificate verification callback: two trusted roots +depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_SHA1_C:MBEDTLS_RSA_C:MBEDTLS_PKCS1_V15:MBEDTLS_ECDSA_C:MBEDTLS_ECP_DP_SECP384R1_ENABLED +x509_verify_callback:"data_files/server1.crt":"data_files/test-ca_cat12.crt":0:"depth 1 - serial 00 - subject C=NL, O=PolarSSL, CN=PolarSSL Test CA\ndepth 0 - serial 01 - subject C=NL, O=PolarSSL, CN=PolarSSL Server 1\n" + +X509 Certificate verification callback: two trusted roots, reversed order +depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_SHA1_C:MBEDTLS_RSA_C:MBEDTLS_PKCS1_V15:MBEDTLS_ECDSA_C:MBEDTLS_ECP_DP_SECP384R1_ENABLED +x509_verify_callback:"data_files/server1.crt":"data_files/test-ca_cat21.crt":0:"depth 1 - serial 00 - subject C=NL, O=PolarSSL, CN=PolarSSL Test CA\ndepth 0 - serial 01 - subject C=NL, O=PolarSSL, CN=PolarSSL Server 1\n" + +X509 Certificate verification callback: root included +depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_SHA1_C:MBEDTLS_RSA_C:MBEDTLS_PKCS1_V15:MBEDTLS_ECDSA_C:MBEDTLS_ECP_DP_SECP384R1_ENABLED +x509_verify_callback:"data_files/server1_ca.crt":"data_files/test-ca_cat21.crt":0:"depth 1 - serial 00 - subject C=NL, O=PolarSSL, CN=PolarSSL Test CA\ndepth 0 - serial 01 - subject C=NL, O=PolarSSL, CN=PolarSSL Server 1\n" + +X509 Certificate verification callback: intermediate ca +depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_ECDSA_C:MBEDTLS_RSA_C:MBEDTLS_ECP_DP_SECP256R1_ENABLED:MBEDTLS_ECP_DP_SECP384R1_ENABLED:MBEDTLS_PKCS1_V15:MBEDTLS_SHA256_C +x509_verify_callback:"data_files/server7_int-ca.crt":"data_files/test-ca_cat12.crt":0:"depth 2 - serial C1\:43\:E2\:7E\:62\:43\:CC\:E8 - subject C=NL, O=PolarSSL, CN=Polarssl Test EC CA\ndepth 1 - serial 0E - subject C=NL, O=PolarSSL, CN=PolarSSL Test Intermediate CA\ndepth 0 - serial 10 - subject C=NL, O=PolarSSL, CN=localhost\n" + +X509 Certificate verification callback: intermediate ca, root included +depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_ECDSA_C:MBEDTLS_RSA_C:MBEDTLS_ECP_DP_SECP256R1_ENABLED:MBEDTLS_ECP_DP_SECP384R1_ENABLED:MBEDTLS_PKCS1_V15:MBEDTLS_SHA256_C +x509_verify_callback:"data_files/server7_int-ca_ca2.crt":"data_files/test-ca_cat12.crt":0:"depth 2 - serial C1\:43\:E2\:7E\:62\:43\:CC\:E8 - subject C=NL, O=PolarSSL, CN=Polarssl Test EC CA\ndepth 1 - serial 0E - subject C=NL, O=PolarSSL, CN=PolarSSL Test Intermediate CA\ndepth 0 - serial 10 - subject C=NL, O=PolarSSL, CN=localhost\n" + +X509 Certificate verification callback: two intermediates +depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_ECDSA_C:MBEDTLS_RSA_C:MBEDTLS_ECP_DP_SECP256R1_ENABLED:MBEDTLS_ECP_DP_SECP384R1_ENABLED:MBEDTLS_PKCS1_V15:MBEDTLS_SHA256_C +x509_verify_callback:"data_files/server10_int3_int-ca2.crt":"data_files/test-ca_cat21.crt":0:"depth 3 - serial 00 - subject C=NL, O=PolarSSL, CN=PolarSSL Test CA\ndepth 2 - serial 0F - subject C=NL, O=PolarSSL, CN=PolarSSL Test Intermediate EC CA\ndepth 1 - serial 4D - subject C=UK, O=mbed TLS, CN=mbed TLS Test intermediate CA 3\ndepth 0 - serial 4B - subject CN=localhost\n" + +X509 Certificate verification callback: two intermediates, root included +depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_ECDSA_C:MBEDTLS_RSA_C:MBEDTLS_ECP_DP_SECP256R1_ENABLED:MBEDTLS_ECP_DP_SECP384R1_ENABLED:MBEDTLS_PKCS1_V15:MBEDTLS_SHA256_C +x509_verify_callback:"data_files/server10_int3_int-ca2_ca.crt":"data_files/test-ca_cat21.crt":0:"depth 3 - serial 00 - subject C=NL, O=PolarSSL, CN=PolarSSL Test CA\ndepth 2 - serial 0F - subject C=NL, O=PolarSSL, CN=PolarSSL Test Intermediate EC CA\ndepth 1 - serial 4D - subject C=UK, O=mbed TLS, CN=mbed TLS Test intermediate CA 3\ndepth 0 - serial 4B - subject CN=localhost\n" + X509 Parse Selftest depends_on:MBEDTLS_SHA1_C:MBEDTLS_PEM_PARSE_C:MBEDTLS_CERTS_C x509_selftest: diff --git a/tests/suites/test_suite_x509parse.function b/tests/suites/test_suite_x509parse.function index 1061d0305..95fc287be 100644 --- a/tests/suites/test_suite_x509parse.function +++ b/tests/suites/test_suite_x509parse.function @@ -26,6 +26,46 @@ int verify_all( void *data, mbedtls_x509_crt *crt, int certificate_depth, uint32 return 0; } +#if defined(MBEDTLS_X509_CRT_PARSE_C) +typedef struct { + char buf[512]; + char *p; +} verify_print_context; + +void verify_print_init( verify_print_context *ctx ) +{ + memset( ctx, 0, sizeof( verify_print_context ) ); + ctx->p = ctx->buf; +} + +int verify_print( void *data, mbedtls_x509_crt *crt, int certificate_depth, uint32_t *flags ) +{ + int ret; + verify_print_context *ctx = (verify_print_context *) data; + char *p = ctx->p; + size_t n = ctx->buf + sizeof( ctx->buf ) - ctx->p; + ((void) flags); + + ret = mbedtls_snprintf( p, n, "depth %d - serial ", certificate_depth ); + MBEDTLS_X509_SAFE_SNPRINTF; + + ret = mbedtls_x509_serial_gets( p, n, &crt->serial ); + MBEDTLS_X509_SAFE_SNPRINTF; + + ret = mbedtls_snprintf( p, n, " - subject " ); + MBEDTLS_X509_SAFE_SNPRINTF; + + ret = mbedtls_x509_dn_gets( p, n, &crt->subject ); + MBEDTLS_X509_SAFE_SNPRINTF; + + ret = mbedtls_snprintf( p, n, "\n" ); + MBEDTLS_X509_SAFE_SNPRINTF; + + ctx->p = p; + + return( 0 ); +} +#endif /* MBEDTLS_X509_CRT_PARSE_C */ /* END_HEADER */ /* BEGIN_DEPENDENCIES @@ -163,6 +203,35 @@ exit: } /* END_CASE */ +/* BEGIN_CASE depends_on:MBEDTLS_FS_IO:MBEDTLS_X509_CRT_PARSE_C */ +void x509_verify_callback( char *crt_file, char *ca_file, + int exp_ret, char *exp_vrfy_out ) +{ + int ret; + mbedtls_x509_crt crt; + mbedtls_x509_crt ca; + uint32_t flags = 0; + verify_print_context vrfy_ctx; + + mbedtls_x509_crt_init( &crt ); + mbedtls_x509_crt_init( &ca ); + verify_print_init( &vrfy_ctx ); + + TEST_ASSERT( mbedtls_x509_crt_parse_file( &crt, crt_file ) == 0 ); + TEST_ASSERT( mbedtls_x509_crt_parse_file( &ca, ca_file ) == 0 ); + + ret = mbedtls_x509_crt_verify( &crt, &ca, NULL, NULL, &flags, + verify_print, &vrfy_ctx ); + + TEST_ASSERT( ret == exp_ret ); + TEST_ASSERT( strcmp( vrfy_ctx.buf, exp_vrfy_out ) == 0 ); + +exit: + mbedtls_x509_crt_free( &crt ); + mbedtls_x509_crt_free( &ca ); +} +/* END_CASE */ + /* BEGIN_CASE depends_on:MBEDTLS_FS_IO:MBEDTLS_X509_CRT_PARSE_C */ void mbedtls_x509_dn_gets( char *crt_file, char *entity, char *result_str ) { From fdbdd72b8b7f072414876ec63aec9900fcd47784 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Manuel=20P=C3=A9gouri=C3=A9-Gonnard?= Date: Tue, 1 Sep 2015 16:35:00 +0200 Subject: [PATCH 2/4] Skip to trusted certs early in the chain This helps in the case where an intermediate certificate is directly trusted. In that case we want to ignore what comes after it in the chain, not only for performance but also to avoid false negatives (eg an old root being no longer trusted while the newer intermediate is directly trusted). closes #220 --- library/x509_crt.c | 73 ++++++++++++++++++++------ tests/suites/test_suite_x509parse.data | 12 +++++ 2 files changed, 68 insertions(+), 17 deletions(-) diff --git a/library/x509_crt.c b/library/x509_crt.c index 1d13223e9..6666e5588 100644 --- a/library/x509_crt.c +++ b/library/x509_crt.c @@ -2062,8 +2062,8 @@ static int x509_crt_verify_child( *flags |= x509_crt_verifycrl(child, parent, ca_crl, profile ); #endif - /* Look for a grandparent upwards the chain */ - for( grandparent = parent->next; + /* Look for a grandparent in trusted CAs */ + for( grandparent = trust_ca; grandparent != NULL; grandparent = grandparent->next ) { @@ -2072,20 +2072,42 @@ static int x509_crt_verify_child( break; } - /* Is our parent part of the chain or at the top? */ if( grandparent != NULL ) { - ret = x509_crt_verify_child( parent, grandparent, trust_ca, ca_crl, profile, + ret = x509_crt_verify_top( parent, grandparent, ca_crl, profile, path_cnt + 1, &parent_flags, f_vrfy, p_vrfy ); if( ret != 0 ) return( ret ); } else { - ret = x509_crt_verify_top( parent, trust_ca, ca_crl, profile, - path_cnt + 1, &parent_flags, f_vrfy, p_vrfy ); - if( ret != 0 ) - return( ret ); + /* Look for a grandparent upwards the chain */ + for( grandparent = parent->next; + grandparent != NULL; + grandparent = grandparent->next ) + { + if( x509_crt_check_parent( parent, grandparent, + 0, path_cnt == 0 ) == 0 ) + break; + } + + /* Is our parent part of the chain or at the top? */ + if( grandparent != NULL ) + { + ret = x509_crt_verify_child( parent, grandparent, trust_ca, ca_crl, + profile, path_cnt + 1, &parent_flags, + f_vrfy, p_vrfy ); + if( ret != 0 ) + return( ret ); + } + else + { + ret = x509_crt_verify_top( parent, trust_ca, ca_crl, profile, + path_cnt + 1, &parent_flags, + f_vrfy, p_vrfy ); + if( ret != 0 ) + return( ret ); + } } /* child is verified to be a child of the parent, call verify callback */ @@ -2188,27 +2210,44 @@ int mbedtls_x509_crt_verify_with_profile( mbedtls_x509_crt *crt, } } - /* Look for a parent upwards the chain */ - for( parent = crt->next; parent != NULL; parent = parent->next ) + /* Look for a parent in trusted CAs */ + for( parent = trust_ca; parent != NULL; parent = parent->next ) { if( x509_crt_check_parent( crt, parent, 0, pathlen == 0 ) == 0 ) break; } - /* Are we part of the chain or at the top? */ if( parent != NULL ) { - ret = x509_crt_verify_child( crt, parent, trust_ca, ca_crl, profile, - pathlen, flags, f_vrfy, p_vrfy ); + ret = x509_crt_verify_top( crt, parent, ca_crl, profile, + pathlen, flags, f_vrfy, p_vrfy ); if( ret != 0 ) return( ret ); } else { - ret = x509_crt_verify_top( crt, trust_ca, ca_crl, profile, - pathlen, flags, f_vrfy, p_vrfy ); - if( ret != 0 ) - return( ret ); + /* Look for a parent upwards the chain */ + for( parent = crt->next; parent != NULL; parent = parent->next ) + { + if( x509_crt_check_parent( crt, parent, 0, pathlen == 0 ) == 0 ) + break; + } + + /* Are we part of the chain or at the top? */ + if( parent != NULL ) + { + ret = x509_crt_verify_child( crt, parent, trust_ca, ca_crl, profile, + pathlen, flags, f_vrfy, p_vrfy ); + if( ret != 0 ) + return( ret ); + } + else + { + ret = x509_crt_verify_top( crt, trust_ca, ca_crl, profile, + pathlen, flags, f_vrfy, p_vrfy ); + if( ret != 0 ) + return( ret ); + } } if( *flags != 0 ) diff --git a/tests/suites/test_suite_x509parse.data b/tests/suites/test_suite_x509parse.data index e28839407..e25258ff8 100644 --- a/tests/suites/test_suite_x509parse.data +++ b/tests/suites/test_suite_x509parse.data @@ -727,6 +727,10 @@ X509 Certificate verification callback: intermediate ca, root included depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_ECDSA_C:MBEDTLS_RSA_C:MBEDTLS_ECP_DP_SECP256R1_ENABLED:MBEDTLS_ECP_DP_SECP384R1_ENABLED:MBEDTLS_PKCS1_V15:MBEDTLS_SHA256_C x509_verify_callback:"data_files/server7_int-ca_ca2.crt":"data_files/test-ca_cat12.crt":0:"depth 2 - serial C1\:43\:E2\:7E\:62\:43\:CC\:E8 - subject C=NL, O=PolarSSL, CN=Polarssl Test EC CA\ndepth 1 - serial 0E - subject C=NL, O=PolarSSL, CN=PolarSSL Test Intermediate CA\ndepth 0 - serial 10 - subject C=NL, O=PolarSSL, CN=localhost\n" +X509 Certificate verification callback: intermediate ca trusted +depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_ECDSA_C:MBEDTLS_RSA_C:MBEDTLS_ECP_DP_SECP256R1_ENABLED:MBEDTLS_ECP_DP_SECP384R1_ENABLED:MBEDTLS_PKCS1_V15:MBEDTLS_SHA256_C +x509_verify_callback:"data_files/server7_int-ca_ca2.crt":"data_files/test-int-ca.crt":0:"depth 1 - serial 0E - subject C=NL, O=PolarSSL, CN=PolarSSL Test Intermediate CA\ndepth 0 - serial 10 - subject C=NL, O=PolarSSL, CN=localhost\n" + X509 Certificate verification callback: two intermediates depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_ECDSA_C:MBEDTLS_RSA_C:MBEDTLS_ECP_DP_SECP256R1_ENABLED:MBEDTLS_ECP_DP_SECP384R1_ENABLED:MBEDTLS_PKCS1_V15:MBEDTLS_SHA256_C x509_verify_callback:"data_files/server10_int3_int-ca2.crt":"data_files/test-ca_cat21.crt":0:"depth 3 - serial 00 - subject C=NL, O=PolarSSL, CN=PolarSSL Test CA\ndepth 2 - serial 0F - subject C=NL, O=PolarSSL, CN=PolarSSL Test Intermediate EC CA\ndepth 1 - serial 4D - subject C=UK, O=mbed TLS, CN=mbed TLS Test intermediate CA 3\ndepth 0 - serial 4B - subject CN=localhost\n" @@ -735,6 +739,14 @@ X509 Certificate verification callback: two intermediates, root included depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_ECDSA_C:MBEDTLS_RSA_C:MBEDTLS_ECP_DP_SECP256R1_ENABLED:MBEDTLS_ECP_DP_SECP384R1_ENABLED:MBEDTLS_PKCS1_V15:MBEDTLS_SHA256_C x509_verify_callback:"data_files/server10_int3_int-ca2_ca.crt":"data_files/test-ca_cat21.crt":0:"depth 3 - serial 00 - subject C=NL, O=PolarSSL, CN=PolarSSL Test CA\ndepth 2 - serial 0F - subject C=NL, O=PolarSSL, CN=PolarSSL Test Intermediate EC CA\ndepth 1 - serial 4D - subject C=UK, O=mbed TLS, CN=mbed TLS Test intermediate CA 3\ndepth 0 - serial 4B - subject CN=localhost\n" +X509 Certificate verification callback: two intermediates, top int trusted +depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_ECDSA_C:MBEDTLS_RSA_C:MBEDTLS_ECP_DP_SECP256R1_ENABLED:MBEDTLS_ECP_DP_SECP384R1_ENABLED:MBEDTLS_PKCS1_V15:MBEDTLS_SHA256_C +x509_verify_callback:"data_files/server10_int3_int-ca2.crt":"data_files/test-int-ca2.crt":0:"depth 2 - serial 0F - subject C=NL, O=PolarSSL, CN=PolarSSL Test Intermediate EC CA\ndepth 1 - serial 4D - subject C=UK, O=mbed TLS, CN=mbed TLS Test intermediate CA 3\ndepth 0 - serial 4B - subject CN=localhost\n" + +X509 Certificate verification callback: two intermediates, low int trusted +depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_ECDSA_C:MBEDTLS_RSA_C:MBEDTLS_ECP_DP_SECP256R1_ENABLED:MBEDTLS_ECP_DP_SECP384R1_ENABLED:MBEDTLS_PKCS1_V15:MBEDTLS_SHA256_C +x509_verify_callback:"data_files/server10_int3_int-ca2_ca.crt":"data_files/test-int-ca3.crt":0:"depth 1 - serial 4D - subject C=UK, O=mbed TLS, CN=mbed TLS Test intermediate CA 3\ndepth 0 - serial 4B - subject CN=localhost\n" + X509 Parse Selftest depends_on:MBEDTLS_SHA1_C:MBEDTLS_PEM_PARSE_C:MBEDTLS_CERTS_C x509_selftest: From b2beb84be6837ab88a94b6ac5f54eb8a17e3349e Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Manuel=20P=C3=A9gouri=C3=A9-Gonnard?= Date: Tue, 1 Sep 2015 19:37:32 +0200 Subject: [PATCH 3/4] Changelog entry fro the previous commit --- ChangeLog | 3 +++ 1 file changed, 3 insertions(+) diff --git a/ChangeLog b/ChangeLog index e318bcb65..a997b8871 100644 --- a/ChangeLog +++ b/ChangeLog @@ -35,6 +35,9 @@ Changes * It is now possible to #include a user-provided configuration file at the end of the default config.h by defining MBEDTLS_USER_CONFIG_FILE on the compiler's command line. + * When verifying a certificate chain, if an intermediate certificate is + trusted, no later cert is checked. (suggested by hannes-landeholm) + (#220). = mbed TLS 2.0.0 released 2015-07-13 From 52754594b6729c8bc6d1c25a2335949e74b81ed4 Mon Sep 17 00:00:00 2001 From: Simon Butcher Date: Thu, 3 Sep 2015 13:06:01 +0100 Subject: [PATCH 4/4] Merging iotssl-457-badtail with development branch --- CMakeLists.txt | 5 +- ChangeLog | 11 ++++ include/mbedtls/ssl.h | 41 ++++++++++++--- library/debug.c | 49 ++++++++++++----- library/entropy_poll.c | 6 +-- library/md2.c | 4 +- library/md4.c | 4 +- library/md5.c | 4 +- library/sha1.c | 4 +- library/sha256.c | 4 +- library/sha512.c | 4 +- library/ssl_cli.c | 22 ++++++++ library/ssl_tls.c | 73 +++++++++++++++++++------- programs/pkey/dh_client.c | 2 +- programs/pkey/dh_server.c | 2 +- programs/pkey/pk_decrypt.c | 7 ++- programs/pkey/pk_encrypt.c | 7 ++- programs/pkey/pk_sign.c | 11 ++-- programs/pkey/pk_verify.c | 17 +++--- programs/pkey/rsa_genkey.c | 2 +- programs/pkey/rsa_sign.c | 12 +++-- programs/pkey/rsa_sign_pss.c | 4 +- programs/pkey/rsa_verify.c | 20 +++---- programs/pkey/rsa_verify_pss.c | 10 ++-- programs/ssl/ssl_client2.c | 5 ++ programs/ssl/ssl_server2.c | 7 ++- programs/test/benchmark.c | 38 +++++++------- programs/test/udp_proxy.c | 2 +- tests/ssl-opt.sh | 13 +++++ tests/suites/test_suite_debug.function | 5 ++ yotta/data/module.json | 2 +- 31 files changed, 280 insertions(+), 117 deletions(-) diff --git a/CMakeLists.txt b/CMakeLists.txt index 867372923..094d9069b 100644 --- a/CMakeLists.txt +++ b/CMakeLists.txt @@ -29,6 +29,9 @@ if(CMAKE_COMPILER_IS_GNUCC) if (GCC_VERSION VERSION_GREATER 4.5 OR GCC_VERSION VERSION_EQUAL 4.5) set(CMAKE_C_FLAGS "${CMAKE_C_FLAGS} -Wlogical-op") endif() + if (GCC_VERSION VERSION_GREATER 4.8 OR GCC_VERSION VERSION_EQUAL 4.8) + set(CMAKE_C_FLAGS "${CMAKE_C_FLAGS} -Wshadow") + endif() set(CMAKE_C_FLAGS_RELEASE "-O2") set(CMAKE_C_FLAGS_DEBUG "-O0 -g3") set(CMAKE_C_FLAGS_COVERAGE "-O0 -g3 --coverage") @@ -39,7 +42,7 @@ if(CMAKE_COMPILER_IS_GNUCC) endif(CMAKE_COMPILER_IS_GNUCC) if(CMAKE_COMPILER_IS_CLANG) - set(CMAKE_C_FLAGS "${CMAKE_C_FLAGS} -Wall -Wextra -W -Wdeclaration-after-statement -Wwrite-strings -Wpointer-arith -Wimplicit-fallthrough") + set(CMAKE_C_FLAGS "${CMAKE_C_FLAGS} -Wall -Wextra -W -Wdeclaration-after-statement -Wwrite-strings -Wpointer-arith -Wimplicit-fallthrough -Wshadow") set(CMAKE_C_FLAGS_RELEASE "-O2") set(CMAKE_C_FLAGS_DEBUG "-O0 -g3") set(CMAKE_C_FLAGS_COVERAGE "-O0 -g3 --coverage") diff --git a/ChangeLog b/ChangeLog index a997b8871..ef290e7c9 100644 --- a/ChangeLog +++ b/ChangeLog @@ -29,6 +29,13 @@ Bugfix * Fix bug in mbedtls_rsa_public() and mbedtls_rsa_private() that could result trying to unlock an unlocked mutex on invalid input (found by Fredrik Axelsson) (#257) + * Fix -Wshadow warnings (found by hnrkp) (#240) + * Fix memory corruption on client with overlong PSK identity, around + SSL_MAX_CONTENT_LEN or higher - not triggerrable remotely (found by + Aleksandrs Saveljevs) (#238) + * Fix unused function warning when using MBEDTLS_MDx_ALT or + MBEDTLS_SHAxxx_ALT (found by Henrik) (#239) + * Fix memory corruption in pkey programs (found by yankuncheng) (#210) Changes * The PEM parser now accepts a trailing space at end of lines (#226). @@ -38,6 +45,10 @@ Changes * When verifying a certificate chain, if an intermediate certificate is trusted, no later cert is checked. (suggested by hannes-landeholm) (#220). + * Prepend a "thread identifier" to debug messages (issue pointed out by + Hugo Leisink) (#210). + * Add mbedtls_ssl_get_max_frag_len() to query the current maximum fragment + length. = mbed TLS 2.0.0 released 2015-07-13 diff --git a/include/mbedtls/ssl.h b/include/mbedtls/ssl.h index 288627bf1..d051035fc 100644 --- a/include/mbedtls/ssl.h +++ b/include/mbedtls/ssl.h @@ -2027,6 +2027,26 @@ const char *mbedtls_ssl_get_version( const mbedtls_ssl_context *ssl ); */ int mbedtls_ssl_get_record_expansion( const mbedtls_ssl_context *ssl ); +#if defined(MBEDTLS_SSL_MAX_FRAGMENT_LENGTH) +/** + * \brief Return the maximum fragment length (payload, in bytes). + * This is the value negotiated with peer if any, + * or the locally configured value. + * + * \note With DTLS, \c mbedtls_ssl_write() will return an error if + * called with a larger length value. + * With TLS, \c mbedtls_ssl_write() will fragment the input if + * necessary and return the number of bytes written; it is up + * to the caller to call \c mbedtls_ssl_write() again in + * order to send the remaining bytes if any. + * + * \param ssl SSL context + * + * \return Current maximum fragment length. + */ +size_t mbedtls_ssl_get_max_frag_len( const mbedtls_ssl_context *ssl ); +#endif /* MBEDTLS_SSL_MAX_FRAGMENT_LENGTH */ + #if defined(MBEDTLS_X509_CRT_PARSE_C) /** * \brief Return the peer certificate from the current connection @@ -2124,26 +2144,33 @@ int mbedtls_ssl_renegotiate( mbedtls_ssl_context *ssl ); int mbedtls_ssl_read( mbedtls_ssl_context *ssl, unsigned char *buf, size_t len ); /** - * \brief Write exactly 'len' application data bytes + * \brief Try to write exactly 'len' application data bytes + * + * \warning This function will do partial writes in some cases. If the + * return value is non-negative but less than length, the + * function must be called again with updated arguments: + * buf + ret, len - ret (if ret is the return value) until + * it returns a value equal to the last 'len' argument. * * \param ssl SSL context * \param buf buffer holding the data * \param len how many bytes must be written * - * \return the number of bytes written, - * or a negative error code. + * \return the number of bytes actually written (may be less than len), + * or MBEDTLS_ERR_SSL_WANT_WRITE of MBEDTLS_ERR_SSL_WANT_READ, + * or another negative error code. * - * \note When this function returns MBEDTLS_ERR_SSL_WANT_WRITE, + * \note When this function returns MBEDTLS_ERR_SSL_WANT_WRITE/READ, * it must be called later with the *same* arguments, * until it returns a positive value. * * \note If the requested length is greater than the maximum * fragment length (either the built-in limit or the one set * or negotiated with the peer), then: - * - with TLS, less bytes than requested are written. (In - * order to write larger messages, this function should be - * called in a loop.) + * - with TLS, less bytes than requested are written. * - with DTLS, MBEDTLS_ERR_SSL_BAD_INPUT_DATA is returned. + * \c mbedtls_ssl_get_max_frag_len() may be used to query the + * active maximum fragment length. */ int mbedtls_ssl_write( mbedtls_ssl_context *ssl, const unsigned char *buf, size_t len ); diff --git a/library/debug.c b/library/debug.c index 2220e3317..f9b822971 100644 --- a/library/debug.c +++ b/library/debug.c @@ -43,6 +43,10 @@ #define mbedtls_snprintf snprintf #endif +#if ( defined(__ARMCC_VERSION) || defined(_MSC_VER) ) && !defined(inline) +#define inline __inline +#endif + #define DEBUG_BUF_SIZE 512 static int debug_threshold = 0; @@ -52,6 +56,27 @@ void mbedtls_debug_set_threshold( int threshold ) debug_threshold = threshold; } +/* + * All calls to f_dbg must be made via this function + */ +static inline void debug_send_line( const mbedtls_ssl_context *ssl, int level, + const char *file, int line, + const char *str ) +{ + /* + * If in a threaded environment, we need a thread identifier. + * Since there is no portable way to get one, use the address of the ssl + * context instead, as it shouldn't be shared between threads. + */ +#if defined(MBEDTLS_THREADING_C) + char idstr[20 + DEBUG_BUF_SIZE]; /* 0x + 16 nibbles + ': ' */ + mbedtls_snprintf( idstr, sizeof( idstr ), "%p: %s", ssl, str ); + ssl->conf->f_dbg( ssl->conf->p_dbg, level, file, line, idstr ); +#else + ssl->conf->f_dbg( ssl->conf->p_dbg, level, file, line, str ); +#endif +} + void mbedtls_debug_print_msg( const mbedtls_ssl_context *ssl, int level, const char *file, int line, const char *format, ... ) @@ -86,7 +111,7 @@ void mbedtls_debug_print_msg( const mbedtls_ssl_context *ssl, int level, str[ret + 1] = '\0'; } - ssl->conf->f_dbg( ssl->conf->p_dbg, level, file, line, str ); + debug_send_line( ssl, level, file, line, str ); } void mbedtls_debug_print_ret( const mbedtls_ssl_context *ssl, int level, @@ -109,7 +134,7 @@ void mbedtls_debug_print_ret( const mbedtls_ssl_context *ssl, int level, mbedtls_snprintf( str, sizeof( str ), "%s() returned %d (-0x%04x)\n", text, ret, -ret ); - ssl->conf->f_dbg( ssl->conf->p_dbg, level, file, line, str ); + debug_send_line( ssl, level, file, line, str ); } void mbedtls_debug_print_buf( const mbedtls_ssl_context *ssl, int level, @@ -126,7 +151,7 @@ void mbedtls_debug_print_buf( const mbedtls_ssl_context *ssl, int level, mbedtls_snprintf( str + idx, sizeof( str ) - idx, "dumping '%s' (%u bytes)\n", text, (unsigned int) len ); - ssl->conf->f_dbg( ssl->conf->p_dbg, level, file, line, str ); + debug_send_line( ssl, level, file, line, str ); idx = 0; memset( txt, 0, sizeof( txt ) ); @@ -140,7 +165,7 @@ void mbedtls_debug_print_buf( const mbedtls_ssl_context *ssl, int level, if( i > 0 ) { mbedtls_snprintf( str + idx, sizeof( str ) - idx, " %s\n", txt ); - ssl->conf->f_dbg( ssl->conf->p_dbg, level, file, line, str ); + debug_send_line( ssl, level, file, line, str ); idx = 0; memset( txt, 0, sizeof( txt ) ); @@ -162,7 +187,7 @@ void mbedtls_debug_print_buf( const mbedtls_ssl_context *ssl, int level, idx += mbedtls_snprintf( str + idx, sizeof( str ) - idx, " " ); mbedtls_snprintf( str + idx, sizeof( str ) - idx, " %s\n", txt ); - ssl->conf->f_dbg( ssl->conf->p_dbg, level, file, line, str ); + debug_send_line( ssl, level, file, line, str ); } } @@ -207,7 +232,7 @@ void mbedtls_debug_print_mpi( const mbedtls_ssl_context *ssl, int level, mbedtls_snprintf( str + idx, sizeof( str ) - idx, "value of '%s' (%d bits) is:\n", text, (int) ( ( n * ( sizeof(mbedtls_mpi_uint) << 3 ) ) + j + 1 ) ); - ssl->conf->f_dbg( ssl->conf->p_dbg, level, file, line, str ); + debug_send_line( ssl, level, file, line, str ); idx = 0; for( i = n + 1, j = 0; i > 0; i-- ) @@ -227,7 +252,7 @@ void mbedtls_debug_print_mpi( const mbedtls_ssl_context *ssl, int level, if( j > 0 ) { mbedtls_snprintf( str + idx, sizeof( str ) - idx, "\n" ); - ssl->conf->f_dbg( ssl->conf->p_dbg, level, file, line, str ); + debug_send_line( ssl, level, file, line, str ); idx = 0; } } @@ -244,7 +269,7 @@ void mbedtls_debug_print_mpi( const mbedtls_ssl_context *ssl, int level, idx += mbedtls_snprintf( str + idx, sizeof( str ) - idx, " 00" ); mbedtls_snprintf( str + idx, sizeof( str ) - idx, "\n" ); - ssl->conf->f_dbg( ssl->conf->p_dbg, level, file, line, str ); + debug_send_line( ssl, level, file, line, str ); } #endif /* MBEDTLS_BIGNUM_C */ @@ -261,7 +286,7 @@ static void debug_print_pk( const mbedtls_ssl_context *ssl, int level, if( mbedtls_pk_debug( pk, items ) != 0 ) { - ssl->conf->f_dbg( ssl->conf->p_dbg, level, file, line, + debug_send_line( ssl, level, file, line, "invalid PK context\n" ); return; } @@ -282,7 +307,7 @@ static void debug_print_pk( const mbedtls_ssl_context *ssl, int level, mbedtls_debug_print_ecp( ssl, level, file, line, name, items[i].value ); else #endif - ssl->conf->f_dbg( ssl->conf->p_dbg, level, file, line, + debug_send_line( ssl, level, file, line, "should not happen\n" ); } } @@ -305,7 +330,7 @@ static void debug_print_line_by_line( const mbedtls_ssl_context *ssl, int level, memcpy( str, start, len ); str[len] = '\0'; - ssl->conf->f_dbg( ssl->conf->p_dbg, level, file, line, str ); + debug_send_line( ssl, level, file, line, str ); start = cur + 1; } @@ -327,7 +352,7 @@ void mbedtls_debug_print_crt( const mbedtls_ssl_context *ssl, int level, char buf[1024]; mbedtls_snprintf( str, sizeof( str ), "%s #%d:\n", text, ++i ); - ssl->conf->f_dbg( ssl->conf->p_dbg, level, file, line, str ); + debug_send_line( ssl, level, file, line, str ); mbedtls_x509_crt_info( buf, sizeof( buf ) - 1, "", crt ); debug_print_line_by_line( ssl, level, file, line, buf ); diff --git a/library/entropy_poll.c b/library/entropy_poll.c index 42b02e79a..6b3ad3501 100644 --- a/library/entropy_poll.c +++ b/library/entropy_poll.c @@ -140,7 +140,7 @@ int mbedtls_platform_entropy_poll( void *data, unsigned char *output, size_t len, size_t *olen ) { FILE *file; - size_t ret; + size_t read_len; ((void) data); #if defined(HAVE_GETRANDOM) @@ -165,8 +165,8 @@ int mbedtls_platform_entropy_poll( void *data, if( file == NULL ) return( MBEDTLS_ERR_ENTROPY_SOURCE_FAILED ); - ret = fread( output, 1, len, file ); - if( ret != len ) + read_len = fread( output, 1, len, file ); + if( read_len != len ) { fclose( file ); return( MBEDTLS_ERR_ENTROPY_SOURCE_FAILED ); diff --git a/library/md2.c b/library/md2.c index 3263a2230..88d679f47 100644 --- a/library/md2.c +++ b/library/md2.c @@ -47,13 +47,13 @@ #endif /* MBEDTLS_PLATFORM_C */ #endif /* MBEDTLS_SELF_TEST */ +#if !defined(MBEDTLS_MD2_ALT) + /* Implementation that should never be optimized out by the compiler */ static void mbedtls_zeroize( void *v, size_t n ) { volatile unsigned char *p = v; while( n-- ) *p++ = 0; } -#if !defined(MBEDTLS_MD2_ALT) - static const unsigned char PI_SUBST[256] = { 0x29, 0x2E, 0x43, 0xC9, 0xA2, 0xD8, 0x7C, 0x01, 0x3D, 0x36, diff --git a/library/md4.c b/library/md4.c index 563c65317..dcd9313d6 100644 --- a/library/md4.c +++ b/library/md4.c @@ -47,13 +47,13 @@ #endif /* MBEDTLS_PLATFORM_C */ #endif /* MBEDTLS_SELF_TEST */ +#if !defined(MBEDTLS_MD4_ALT) + /* Implementation that should never be optimized out by the compiler */ static void mbedtls_zeroize( void *v, size_t n ) { volatile unsigned char *p = v; while( n-- ) *p++ = 0; } -#if !defined(MBEDTLS_MD4_ALT) - /* * 32-bit integer manipulation macros (little endian) */ diff --git a/library/md5.c b/library/md5.c index d8f216366..42c7c343c 100644 --- a/library/md5.c +++ b/library/md5.c @@ -46,13 +46,13 @@ #endif /* MBEDTLS_PLATFORM_C */ #endif /* MBEDTLS_SELF_TEST */ +#if !defined(MBEDTLS_MD5_ALT) + /* Implementation that should never be optimized out by the compiler */ static void mbedtls_zeroize( void *v, size_t n ) { volatile unsigned char *p = v; while( n-- ) *p++ = 0; } -#if !defined(MBEDTLS_MD5_ALT) - /* * 32-bit integer manipulation macros (little endian) */ diff --git a/library/sha1.c b/library/sha1.c index 14331b3ac..ffad2287b 100644 --- a/library/sha1.c +++ b/library/sha1.c @@ -46,13 +46,13 @@ #endif /* MBEDTLS_PLATFORM_C */ #endif /* MBEDTLS_SELF_TEST */ +#if !defined(MBEDTLS_SHA1_ALT) + /* Implementation that should never be optimized out by the compiler */ static void mbedtls_zeroize( void *v, size_t n ) { volatile unsigned char *p = v; while( n-- ) *p++ = 0; } -#if !defined(MBEDTLS_SHA1_ALT) - /* * 32-bit integer manipulation macros (big endian) */ diff --git a/library/sha256.c b/library/sha256.c index 28f09e5ae..4d8c868e9 100644 --- a/library/sha256.c +++ b/library/sha256.c @@ -46,13 +46,13 @@ #endif /* MBEDTLS_PLATFORM_C */ #endif /* MBEDTLS_SELF_TEST */ +#if !defined(MBEDTLS_SHA256_ALT) + /* Implementation that should never be optimized out by the compiler */ static void mbedtls_zeroize( void *v, size_t n ) { volatile unsigned char *p = v; while( n-- ) *p++ = 0; } -#if !defined(MBEDTLS_SHA256_ALT) - /* * 32-bit integer manipulation macros (big endian) */ diff --git a/library/sha512.c b/library/sha512.c index 9e3e0e0a9..d1dc8faac 100644 --- a/library/sha512.c +++ b/library/sha512.c @@ -52,13 +52,13 @@ #endif /* MBEDTLS_PLATFORM_C */ #endif /* MBEDTLS_SELF_TEST */ +#if !defined(MBEDTLS_SHA512_ALT) + /* Implementation that should never be optimized out by the compiler */ static void mbedtls_zeroize( void *v, size_t n ) { volatile unsigned char *p = v; while( n-- ) *p++ = 0; } -#if !defined(MBEDTLS_SHA512_ALT) - /* * 64-bit integer manipulation macros (big endian) */ diff --git a/library/ssl_cli.c b/library/ssl_cli.c index c6f810cd7..75983d19e 100644 --- a/library/ssl_cli.c +++ b/library/ssl_cli.c @@ -1748,6 +1748,12 @@ static int ssl_write_encrypted_pms( mbedtls_ssl_context *ssl, size_t len_bytes = ssl->minor_ver == MBEDTLS_SSL_MINOR_VERSION_0 ? 0 : 2; unsigned char *p = ssl->handshake->premaster + pms_offset; + if( offset + len_bytes > MBEDTLS_SSL_MAX_CONTENT_LEN ) + { + MBEDTLS_SSL_DEBUG_MSG( 1, ( "buffer too small for encrypted pms" ) ); + return( MBEDTLS_ERR_SSL_BUFFER_TOO_SMALL ); + } + /* * Generate (part of) the pre-master as * struct { @@ -2522,6 +2528,14 @@ static int ssl_write_client_key_exchange( mbedtls_ssl_context *ssl ) i = 4; n = ssl->conf->psk_identity_len; + + if( i + 2 + n > MBEDTLS_SSL_MAX_CONTENT_LEN ) + { + MBEDTLS_SSL_DEBUG_MSG( 1, ( "psk identity too long or " + "SSL buffer too short" ) ); + return( MBEDTLS_ERR_SSL_BUFFER_TOO_SMALL ); + } + ssl->out_msg[i++] = (unsigned char)( n >> 8 ); ssl->out_msg[i++] = (unsigned char)( n ); @@ -2550,6 +2564,14 @@ static int ssl_write_client_key_exchange( mbedtls_ssl_context *ssl ) * ClientDiffieHellmanPublic public (DHM send G^X mod P) */ n = ssl->handshake->dhm_ctx.len; + + if( i + 2 + n > MBEDTLS_SSL_MAX_CONTENT_LEN ) + { + MBEDTLS_SSL_DEBUG_MSG( 1, ( "psk identity or DHM size too long" + " or SSL buffer too short" ) ); + return( MBEDTLS_ERR_SSL_BUFFER_TOO_SMALL ); + } + ssl->out_msg[i++] = (unsigned char)( n >> 8 ); ssl->out_msg[i++] = (unsigned char)( n ); diff --git a/library/ssl_tls.c b/library/ssl_tls.c index 9007562fb..bff1b63b8 100644 --- a/library/ssl_tls.c +++ b/library/ssl_tls.c @@ -694,8 +694,6 @@ int mbedtls_ssl_derive_keys( mbedtls_ssl_context *ssl ) } else { - int ret; - /* Initialize HMAC contexts */ if( ( ret = mbedtls_md_setup( &transform->md_ctx_enc, md_info, 1 ) ) != 0 || ( ret = mbedtls_md_setup( &transform->md_ctx_dec, md_info, 1 ) ) != 0 ) @@ -1455,7 +1453,7 @@ static int ssl_encrypt_buf( mbedtls_ssl_context *ssl ) /* * Generate IV */ - int ret = ssl->conf->f_rng( ssl->conf->p_rng, ssl->transform_out->iv_enc, + ret = ssl->conf->f_rng( ssl->conf->p_rng, ssl->transform_out->iv_enc, ssl->transform_out->ivlen ); if( ret != 0 ) return( ret ); @@ -3718,6 +3716,9 @@ int mbedtls_ssl_send_alert_message( mbedtls_ssl_context *ssl, { int ret; + if( ssl == NULL || ssl->conf == NULL ) + return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA ); + MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> send alert message" ) ); ssl->out_msgtype = MBEDTLS_SSL_MSG_ALERT; @@ -5459,6 +5460,13 @@ int mbedtls_ssl_conf_psk( mbedtls_ssl_config *conf, if( psk_len > MBEDTLS_PSK_MAX_LEN ) return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA ); + /* Identity len will be encoded on two bytes */ + if( ( psk_identity_len >> 16 ) != 0 || + psk_identity_len > MBEDTLS_SSL_MAX_CONTENT_LEN ) + { + return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA ); + } + if( conf->psk != NULL || conf->psk_identity != NULL ) { mbedtls_free( conf->psk ); @@ -5862,6 +5870,29 @@ int mbedtls_ssl_get_record_expansion( const mbedtls_ssl_context *ssl ) return( (int)( mbedtls_ssl_hdr_len( ssl ) + transform_expansion ) ); } +#if defined(MBEDTLS_SSL_MAX_FRAGMENT_LENGTH) +size_t mbedtls_ssl_get_max_frag_len( const mbedtls_ssl_context *ssl ) +{ + size_t max_len; + + /* + * Assume mfl_code is correct since it was checked when set + */ + max_len = mfl_code_to_length[ssl->conf->mfl_code]; + + /* + * Check if a smaller max length was negotiated + */ + if( ssl->session_out != NULL && + mfl_code_to_length[ssl->session_out->mfl_code] < max_len ) + { + max_len = mfl_code_to_length[ssl->session_out->mfl_code]; + } + + return max_len; +} +#endif /* MBEDTLS_SSL_MAX_FRAGMENT_LENGTH */ + #if defined(MBEDTLS_X509_CRT_PARSE_C) const mbedtls_x509_crt *mbedtls_ssl_get_peer_cert( const mbedtls_ssl_context *ssl ) { @@ -5894,6 +5925,9 @@ int mbedtls_ssl_handshake_step( mbedtls_ssl_context *ssl ) { int ret = MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE; + if( ssl == NULL || ssl->conf == NULL ) + return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA ); + #if defined(MBEDTLS_SSL_CLI_C) if( ssl->conf->endpoint == MBEDTLS_SSL_IS_CLIENT ) ret = mbedtls_ssl_handshake_client_step( ssl ); @@ -5913,6 +5947,9 @@ int mbedtls_ssl_handshake( mbedtls_ssl_context *ssl ) { int ret = 0; + if( ssl == NULL || ssl->conf == NULL ) + return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA ); + MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> handshake" ) ); while( ssl->state != MBEDTLS_SSL_HANDSHAKE_OVER ) @@ -6008,6 +6045,9 @@ int mbedtls_ssl_renegotiate( mbedtls_ssl_context *ssl ) { int ret = MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE; + if( ssl == NULL || ssl->conf == NULL ) + return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA ); + #if defined(MBEDTLS_SSL_SRV_C) /* On server, just send the request */ if( ssl->conf->endpoint == MBEDTLS_SSL_IS_SERVER ) @@ -6085,6 +6125,9 @@ int mbedtls_ssl_read( mbedtls_ssl_context *ssl, unsigned char *buf, size_t len ) int ret, record_read = 0; size_t n; + if( ssl == NULL || ssl->conf == NULL ) + return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA ); + MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> read" ) ); #if defined(MBEDTLS_SSL_PROTO_DTLS) @@ -6339,23 +6382,7 @@ static int ssl_write_real( mbedtls_ssl_context *ssl, { int ret; #if defined(MBEDTLS_SSL_MAX_FRAGMENT_LENGTH) - unsigned int max_len; -#endif - -#if defined(MBEDTLS_SSL_MAX_FRAGMENT_LENGTH) - /* - * Assume mfl_code is correct since it was checked when set - */ - max_len = mfl_code_to_length[ssl->conf->mfl_code]; - - /* - * Check if a smaller max length was negotiated - */ - if( ssl->session_out != NULL && - mfl_code_to_length[ssl->session_out->mfl_code] < max_len ) - { - max_len = mfl_code_to_length[ssl->session_out->mfl_code]; - } + size_t max_len = mbedtls_ssl_get_max_frag_len( ssl ); if( len > max_len ) { @@ -6444,6 +6471,9 @@ int mbedtls_ssl_write( mbedtls_ssl_context *ssl, const unsigned char *buf, size_ MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> write" ) ); + if( ssl == NULL || ssl->conf == NULL ) + return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA ); + #if defined(MBEDTLS_SSL_RENEGOTIATION) if( ( ret = ssl_check_ctr_renegotiate( ssl ) ) != 0 ) { @@ -6479,6 +6509,9 @@ int mbedtls_ssl_close_notify( mbedtls_ssl_context *ssl ) { int ret; + if( ssl == NULL || ssl->conf == NULL ) + return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA ); + MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> write close notify" ) ); if( ssl->out_left != 0 ) diff --git a/programs/pkey/dh_client.c b/programs/pkey/dh_client.c index 10b9b7a48..2909d1dda 100644 --- a/programs/pkey/dh_client.c +++ b/programs/pkey/dh_client.c @@ -75,7 +75,7 @@ int main( void ) unsigned char *p, *end; unsigned char buf[2048]; - unsigned char hash[20]; + unsigned char hash[32]; const char *pers = "dh_client"; mbedtls_entropy_context entropy; diff --git a/programs/pkey/dh_server.c b/programs/pkey/dh_server.c index 6ce1da23d..53a299a49 100644 --- a/programs/pkey/dh_server.c +++ b/programs/pkey/dh_server.c @@ -74,7 +74,7 @@ int main( void ) mbedtls_net_context listen_fd, client_fd; unsigned char buf[2048]; - unsigned char hash[20]; + unsigned char hash[32]; unsigned char buf2[2]; const char *pers = "dh_server"; diff --git a/programs/pkey/pk_decrypt.c b/programs/pkey/pk_decrypt.c index bcfb2c690..2ccbf3b9e 100644 --- a/programs/pkey/pk_decrypt.c +++ b/programs/pkey/pk_decrypt.c @@ -151,8 +151,11 @@ exit: mbedtls_entropy_free( &entropy ); #if defined(MBEDTLS_ERROR_C) - mbedtls_strerror( ret, (char *) buf, sizeof(buf) ); - mbedtls_printf( " ! Last error was: %s\n", buf ); + if( ret != 0 ) + { + mbedtls_strerror( ret, (char *) buf, sizeof(buf) ); + mbedtls_printf( " ! Last error was: %s\n", buf ); + } #endif #if defined(_WIN32) diff --git a/programs/pkey/pk_encrypt.c b/programs/pkey/pk_encrypt.c index 300cb77fa..fe84aee77 100644 --- a/programs/pkey/pk_encrypt.c +++ b/programs/pkey/pk_encrypt.c @@ -151,8 +151,11 @@ exit: mbedtls_entropy_free( &entropy ); #if defined(MBEDTLS_ERROR_C) - mbedtls_strerror( ret, (char *) buf, sizeof(buf) ); - mbedtls_printf( " ! Last error was: %s\n", buf ); + if( ret != 0 ) + { + mbedtls_strerror( ret, (char *) buf, sizeof(buf) ); + mbedtls_printf( " ! Last error was: %s\n", buf ); + } #endif #if defined(_WIN32) diff --git a/programs/pkey/pk_sign.c b/programs/pkey/pk_sign.c index 9efa89709..ce2520975 100644 --- a/programs/pkey/pk_sign.c +++ b/programs/pkey/pk_sign.c @@ -64,7 +64,7 @@ int main( int argc, char *argv[] ) mbedtls_pk_context pk; mbedtls_entropy_context entropy; mbedtls_ctr_drbg_context ctr_drbg; - unsigned char hash[20]; + unsigned char hash[32]; unsigned char buf[MBEDTLS_MPI_MAX_SIZE]; char filename[512]; const char *pers = "mbedtls_pk_sign"; @@ -129,7 +129,7 @@ int main( int argc, char *argv[] ) } /* - * Write the signature into -sig.txt + * Write the signature into .sig */ mbedtls_snprintf( filename, sizeof(filename), "%s.sig", argv[2] ); @@ -156,8 +156,11 @@ exit: mbedtls_entropy_free( &entropy ); #if defined(MBEDTLS_ERROR_C) - mbedtls_strerror( ret, (char *) buf, sizeof(buf) ); - mbedtls_printf( " ! Last error was: %s\n", buf ); + if( ret != 0 ) + { + mbedtls_strerror( ret, (char *) buf, sizeof(buf) ); + mbedtls_printf( " ! Last error was: %s\n", buf ); + } #endif #if defined(_WIN32) diff --git a/programs/pkey/pk_verify.c b/programs/pkey/pk_verify.c index 8ab5c9372..a1a2389aa 100644 --- a/programs/pkey/pk_verify.c +++ b/programs/pkey/pk_verify.c @@ -59,7 +59,7 @@ int main( int argc, char *argv[] ) int ret = 1; size_t i; mbedtls_pk_context pk; - unsigned char hash[20]; + unsigned char hash[32]; unsigned char buf[MBEDTLS_MPI_MAX_SIZE]; char filename[512]; @@ -86,7 +86,7 @@ int main( int argc, char *argv[] ) } /* - * Extract the signature from the text file + * Extract the signature from the file */ ret = 1; mbedtls_snprintf( filename, sizeof(filename), "%s.sig", argv[2] ); @@ -103,8 +103,8 @@ int main( int argc, char *argv[] ) fclose( f ); /* - * Compute the SHA-256 hash of the input file and compare - * it with the hash decrypted from the signature. + * Compute the SHA-256 hash of the input file and + * verify the signature */ mbedtls_printf( "\n . Verifying the SHA-256 signature" ); fflush( stdout ); @@ -124,7 +124,7 @@ int main( int argc, char *argv[] ) goto exit; } - mbedtls_printf( "\n . OK (the decrypted SHA-256 hash matches)\n\n" ); + mbedtls_printf( "\n . OK (the signature is valid)\n\n" ); ret = 0; @@ -132,8 +132,11 @@ exit: mbedtls_pk_free( &pk ); #if defined(MBEDTLS_ERROR_C) - mbedtls_strerror( ret, (char *) buf, sizeof(buf) ); - mbedtls_printf( " ! Last error was: %s\n", buf ); + if( ret != 0 ) + { + mbedtls_strerror( ret, (char *) buf, sizeof(buf) ); + mbedtls_printf( " ! Last error was: %s\n", buf ); + } #endif #if defined(_WIN32) diff --git a/programs/pkey/rsa_genkey.c b/programs/pkey/rsa_genkey.c index d0b1f4d97..f691871ea 100644 --- a/programs/pkey/rsa_genkey.c +++ b/programs/pkey/rsa_genkey.c @@ -46,7 +46,7 @@ #include #endif -#define KEY_SIZE 1024 +#define KEY_SIZE 2048 #define EXPONENT 65537 #if !defined(MBEDTLS_BIGNUM_C) || !defined(MBEDTLS_ENTROPY_C) || \ diff --git a/programs/pkey/rsa_sign.c b/programs/pkey/rsa_sign.c index d86fe3a7f..54f60c55e 100644 --- a/programs/pkey/rsa_sign.c +++ b/programs/pkey/rsa_sign.c @@ -32,6 +32,7 @@ #include #define mbedtls_fprintf fprintf #define mbedtls_printf printf +#define mbedtls_snprintf snprintf #endif #if !defined(MBEDTLS_BIGNUM_C) || !defined(MBEDTLS_RSA_C) || \ @@ -58,8 +59,9 @@ int main( int argc, char *argv[] ) int ret; size_t i; mbedtls_rsa_context rsa; - unsigned char hash[20]; + unsigned char hash[32]; unsigned char buf[MBEDTLS_MPI_MAX_SIZE]; + char filename[512]; ret = 1; @@ -135,11 +137,11 @@ int main( int argc, char *argv[] ) } /* - * Write the signature into -sig.txt + * Write the signature into .sig */ - memcpy( argv[1] + strlen( argv[1] ), ".sig", 5 ); + mbedtls_snprintf( filename, sizeof(filename), "%s.sig", argv[1] ); - if( ( f = fopen( argv[1], "wb+" ) ) == NULL ) + if( ( f = fopen( filename, "wb+" ) ) == NULL ) { ret = 1; mbedtls_printf( " failed\n ! Could not create %s\n\n", argv[1] ); @@ -152,7 +154,7 @@ int main( int argc, char *argv[] ) fclose( f ); - mbedtls_printf( "\n . Done (created \"%s\")\n\n", argv[1] ); + mbedtls_printf( "\n . Done (created \"%s\")\n\n", filename ); exit: diff --git a/programs/pkey/rsa_sign_pss.c b/programs/pkey/rsa_sign_pss.c index 0b3cfbbb7..2b358c16c 100644 --- a/programs/pkey/rsa_sign_pss.c +++ b/programs/pkey/rsa_sign_pss.c @@ -65,7 +65,7 @@ int main( int argc, char *argv[] ) mbedtls_pk_context pk; mbedtls_entropy_context entropy; mbedtls_ctr_drbg_context ctr_drbg; - unsigned char hash[20]; + unsigned char hash[32]; unsigned char buf[MBEDTLS_MPI_MAX_SIZE]; char filename[512]; const char *pers = "rsa_sign_pss"; @@ -140,7 +140,7 @@ int main( int argc, char *argv[] ) } /* - * Write the signature into -sig.txt + * Write the signature into .sig */ mbedtls_snprintf( filename, 512, "%s.sig", argv[2] ); diff --git a/programs/pkey/rsa_verify.c b/programs/pkey/rsa_verify.c index fefc6e0ff..85892fe17 100644 --- a/programs/pkey/rsa_verify.c +++ b/programs/pkey/rsa_verify.c @@ -31,6 +31,7 @@ #else #include #define mbedtls_printf printf +#define mbedtls_snprintf snprintf #endif #if !defined(MBEDTLS_BIGNUM_C) || !defined(MBEDTLS_RSA_C) || \ @@ -57,8 +58,9 @@ int main( int argc, char *argv[] ) int ret, c; size_t i; mbedtls_rsa_context rsa; - unsigned char hash[20]; + unsigned char hash[32]; unsigned char buf[MBEDTLS_MPI_MAX_SIZE]; + char filename[512]; ret = 1; if( argc != 2 ) @@ -99,17 +101,15 @@ int main( int argc, char *argv[] ) * Extract the RSA signature from the text file */ ret = 1; - i = strlen( argv[1] ); - memcpy( argv[1] + i, ".sig", 5 ); + mbedtls_snprintf( filename, sizeof(filename), "%s.sig", argv[1] ); - if( ( f = fopen( argv[1], "rb" ) ) == NULL ) + if( ( f = fopen( filename, "rb" ) ) == NULL ) { - mbedtls_printf( "\n ! Could not open %s\n\n", argv[1] ); + mbedtls_printf( "\n ! Could not open %s\n\n", filename ); goto exit; } - argv[1][i] = '\0', i = 0; - + i = 0; while( fscanf( f, "%02X", &c ) > 0 && i < (int) sizeof( buf ) ) buf[i++] = (unsigned char) c; @@ -123,8 +123,8 @@ int main( int argc, char *argv[] ) } /* - * Compute the SHA-256 hash of the input file and compare - * it with the hash decrypted from the RSA signature. + * Compute the SHA-256 hash of the input file and + * verify the signature */ mbedtls_printf( "\n . Verifying the RSA/SHA-256 signature" ); fflush( stdout ); @@ -144,7 +144,7 @@ int main( int argc, char *argv[] ) goto exit; } - mbedtls_printf( "\n . OK (the decrypted SHA-256 hash matches)\n\n" ); + mbedtls_printf( "\n . OK (the signature is valid)\n\n" ); ret = 0; diff --git a/programs/pkey/rsa_verify_pss.c b/programs/pkey/rsa_verify_pss.c index 50d333b00..0d51be522 100644 --- a/programs/pkey/rsa_verify_pss.c +++ b/programs/pkey/rsa_verify_pss.c @@ -63,7 +63,7 @@ int main( int argc, char *argv[] ) int ret = 1; size_t i; mbedtls_pk_context pk; - unsigned char hash[20]; + unsigned char hash[32]; unsigned char buf[MBEDTLS_MPI_MAX_SIZE]; char filename[512]; @@ -100,7 +100,7 @@ int main( int argc, char *argv[] ) mbedtls_rsa_set_padding( mbedtls_pk_rsa( pk ), MBEDTLS_RSA_PKCS_V21, MBEDTLS_MD_SHA256 ); /* - * Extract the RSA signature from the text file + * Extract the RSA signature from the file */ ret = 1; mbedtls_snprintf( filename, 512, "%s.sig", argv[2] ); @@ -117,8 +117,8 @@ int main( int argc, char *argv[] ) fclose( f ); /* - * Compute the SHA-256 hash of the input file and compare - * it with the hash decrypted from the RSA signature. + * Compute the SHA-256 hash of the input file and + * verify the signature */ mbedtls_printf( "\n . Verifying the RSA/SHA-256 signature" ); fflush( stdout ); @@ -138,7 +138,7 @@ int main( int argc, char *argv[] ) goto exit; } - mbedtls_printf( "\n . OK (the decrypted SHA-256 hash matches)\n\n" ); + mbedtls_printf( "\n . OK (the signature is valid)\n\n" ); ret = 0; diff --git a/programs/ssl/ssl_client2.c b/programs/ssl/ssl_client2.c index 2e0ac1edc..c60e7100f 100644 --- a/programs/ssl/ssl_client2.c +++ b/programs/ssl/ssl_client2.c @@ -1240,6 +1240,11 @@ int main( int argc, char *argv[] ) else mbedtls_printf( " [ Record expansion is unknown (compression) ]\n" ); +#if defined(MBEDTLS_SSL_MAX_FRAGMENT_LENGTH) + mbedtls_printf( " [ Maximum fragment length is %u ]\n", + (unsigned int) mbedtls_ssl_get_max_frag_len( &ssl ) ); +#endif + #if defined(MBEDTLS_SSL_ALPN) if( opt.alpn_string != NULL ) { diff --git a/programs/ssl/ssl_server2.c b/programs/ssl/ssl_server2.c index 3aa05d5f1..86b744eff 100644 --- a/programs/ssl/ssl_server2.c +++ b/programs/ssl/ssl_server2.c @@ -1925,7 +1925,7 @@ reset: if( ret == MBEDTLS_ERR_X509_CERT_VERIFY_FAILED ) { char vrfy_buf[512]; - uint32_t flags = mbedtls_ssl_get_verify_result( &ssl ); + flags = mbedtls_ssl_get_verify_result( &ssl ); mbedtls_x509_crt_verify_info( vrfy_buf, sizeof( vrfy_buf ), " ! ", flags ); @@ -1946,6 +1946,11 @@ reset: else mbedtls_printf( " [ Record expansion is unknown (compression) ]\n" ); +#if defined(MBEDTLS_SSL_MAX_FRAGMENT_LENGTH) + mbedtls_printf( " [ Maximum fragment length is %u ]\n", + (unsigned int) mbedtls_ssl_get_max_frag_len( &ssl ) ); +#endif + #if defined(MBEDTLS_SSL_ALPN) if( opt.alpn_string != NULL ) { diff --git a/programs/test/benchmark.c b/programs/test/benchmark.c index a3c256845..3665df69b 100644 --- a/programs/test/benchmark.c +++ b/programs/test/benchmark.c @@ -108,31 +108,31 @@ int main( void ) #define TIME_AND_TSC( TITLE, CODE ) \ do { \ - unsigned long i, j, tsc; \ + unsigned long ii, jj, tsc; \ \ - mbedtls_printf( HEADER_FORMAT, TITLE ); \ + mbedtls_printf( HEADER_FORMAT, TITLE ); \ fflush( stdout ); \ \ - mbedtls_set_alarm( 1 ); \ - for( i = 1; ! mbedtls_timing_alarmed; i++ ) \ + mbedtls_set_alarm( 1 ); \ + for( ii = 1; ! mbedtls_timing_alarmed; ii++ ) \ { \ CODE; \ } \ \ - tsc = mbedtls_timing_hardclock(); \ - for( j = 0; j < 1024; j++ ) \ + tsc = mbedtls_timing_hardclock(); \ + for( jj = 0; jj < 1024; jj++ ) \ { \ CODE; \ } \ \ - mbedtls_printf( "%9lu Kb/s, %9lu cycles/byte\n", \ - i * BUFSIZE / 1024, \ - ( mbedtls_timing_hardclock() - tsc ) / ( j * BUFSIZE ) ); \ + mbedtls_printf( "%9lu Kb/s, %9lu cycles/byte\n", \ + ii * BUFSIZE / 1024, \ + ( mbedtls_timing_hardclock() - tsc ) / ( jj * BUFSIZE ) ); \ } while( 0 ) #if defined(MBEDTLS_ERROR_C) #define PRINT_ERROR \ - mbedtls_strerror( ret, ( char * )tmp, sizeof( tmp ) ); \ + mbedtls_strerror( ret, ( char * )tmp, sizeof( tmp ) ); \ mbedtls_printf( "FAILED: %s\n", tmp ); #else #define PRINT_ERROR \ @@ -144,12 +144,12 @@ do { \ #define MEMORY_MEASURE_INIT \ size_t max_used, max_blocks, max_bytes; \ size_t prv_used, prv_blocks; \ - mbedtls_memory_buffer_alloc_cur_get( &prv_used, &prv_blocks ); \ + mbedtls_memory_buffer_alloc_cur_get( &prv_used, &prv_blocks ); \ mbedtls_memory_buffer_alloc_max_reset( ); #define MEMORY_MEASURE_PRINT( title_len ) \ - mbedtls_memory_buffer_alloc_max_get( &max_used, &max_blocks ); \ - for( i = 12 - title_len; i != 0; i-- ) mbedtls_printf( " " ); \ + mbedtls_memory_buffer_alloc_max_get( &max_used, &max_blocks ); \ + for( ii = 12 - title_len; ii != 0; ii-- ) mbedtls_printf( " " ); \ max_used -= prv_used; \ max_blocks -= prv_blocks; \ max_bytes = max_used + MEM_BLOCK_OVERHEAD * max_blocks; \ @@ -162,16 +162,16 @@ do { \ #define TIME_PUBLIC( TITLE, TYPE, CODE ) \ do { \ - unsigned long i; \ + unsigned long ii; \ int ret; \ MEMORY_MEASURE_INIT; \ \ - mbedtls_printf( HEADER_FORMAT, TITLE ); \ + mbedtls_printf( HEADER_FORMAT, TITLE ); \ fflush( stdout ); \ - mbedtls_set_alarm( 3 ); \ + mbedtls_set_alarm( 3 ); \ \ ret = 0; \ - for( i = 1; ! mbedtls_timing_alarmed && ! ret ; i++ ) \ + for( ii = 1; ! mbedtls_timing_alarmed && ! ret ; ii++ ) \ { \ CODE; \ } \ @@ -182,9 +182,9 @@ do { \ } \ else \ { \ - mbedtls_printf( "%6lu " TYPE "/s", i / 3 ); \ + mbedtls_printf( "%6lu " TYPE "/s", ii / 3 ); \ MEMORY_MEASURE_PRINT( sizeof( TYPE ) + 1 ); \ - mbedtls_printf( "\n" ); \ + mbedtls_printf( "\n" ); \ } \ } while( 0 ) diff --git a/programs/test/udp_proxy.c b/programs/test/udp_proxy.c index 645f94d85..c49c46c1e 100644 --- a/programs/test/udp_proxy.c +++ b/programs/test/udp_proxy.c @@ -389,7 +389,7 @@ void update_dropped( const packet *p ) while( cur < end ) { - size_t len = ( ( cur[11] << 8 ) | cur[12] ) + 13; + len = ( ( cur[11] << 8 ) | cur[12] ) + 13; id = len % sizeof( dropped ); ++dropped[id]; diff --git a/tests/ssl-opt.sh b/tests/ssl-opt.sh index bd36e227b..77db588db 100755 --- a/tests/ssl-opt.sh +++ b/tests/ssl-opt.sh @@ -1085,6 +1085,8 @@ run_test "Max fragment length: not used, reference" \ "$P_SRV debug_level=3" \ "$P_CLI debug_level=3" \ 0 \ + -c "Maximum fragment length is 16384" \ + -s "Maximum fragment length is 16384" \ -C "client hello, adding max_fragment_length extension" \ -S "found max fragment length extension" \ -S "server hello, max_fragment_length extension" \ @@ -1094,6 +1096,8 @@ run_test "Max fragment length: used by client" \ "$P_SRV debug_level=3" \ "$P_CLI debug_level=3 max_frag_len=4096" \ 0 \ + -c "Maximum fragment length is 4096" \ + -s "Maximum fragment length is 4096" \ -c "client hello, adding max_fragment_length extension" \ -s "found max fragment length extension" \ -s "server hello, max_fragment_length extension" \ @@ -1103,6 +1107,8 @@ run_test "Max fragment length: used by server" \ "$P_SRV debug_level=3 max_frag_len=4096" \ "$P_CLI debug_level=3" \ 0 \ + -c "Maximum fragment length is 16384" \ + -s "Maximum fragment length is 4096" \ -C "client hello, adding max_fragment_length extension" \ -S "found max fragment length extension" \ -S "server hello, max_fragment_length extension" \ @@ -1113,6 +1119,7 @@ run_test "Max fragment length: gnutls server" \ "$G_SRV" \ "$P_CLI debug_level=3 max_frag_len=4096" \ 0 \ + -c "Maximum fragment length is 4096" \ -c "client hello, adding max_fragment_length extension" \ -c "found max_fragment_length extension" @@ -1120,6 +1127,8 @@ run_test "Max fragment length: client, message just fits" \ "$P_SRV debug_level=3" \ "$P_CLI debug_level=3 max_frag_len=2048 request_size=2048" \ 0 \ + -c "Maximum fragment length is 2048" \ + -s "Maximum fragment length is 2048" \ -c "client hello, adding max_fragment_length extension" \ -s "found max fragment length extension" \ -s "server hello, max_fragment_length extension" \ @@ -1131,6 +1140,8 @@ run_test "Max fragment length: client, larger message" \ "$P_SRV debug_level=3" \ "$P_CLI debug_level=3 max_frag_len=2048 request_size=2345" \ 0 \ + -c "Maximum fragment length is 2048" \ + -s "Maximum fragment length is 2048" \ -c "client hello, adding max_fragment_length extension" \ -s "found max fragment length extension" \ -s "server hello, max_fragment_length extension" \ @@ -1143,6 +1154,8 @@ run_test "Max fragment length: DTLS client, larger message" \ "$P_SRV debug_level=3 dtls=1" \ "$P_CLI debug_level=3 dtls=1 max_frag_len=2048 request_size=2345" \ 1 \ + -c "Maximum fragment length is 2048" \ + -s "Maximum fragment length is 2048" \ -c "client hello, adding max_fragment_length extension" \ -s "found max fragment length extension" \ -s "server hello, max_fragment_length extension" \ diff --git a/tests/suites/test_suite_debug.function b/tests/suites/test_suite_debug.function index 3c77ca56b..98f98b061 100644 --- a/tests/suites/test_suite_debug.function +++ b/tests/suites/test_suite_debug.function @@ -25,6 +25,11 @@ void string_debug(void *data, int level, const char *file, int line, const char *p++ = ':'; *p++ = ' '; +#if defined(MBEDTLS_THREADING_C) + /* Skip "thread ID" (up to the first space) as it is not predictable */ + while( *str++ != ' ' ); +#endif + memcpy( p, str, strlen( str ) ); p += strlen( str ); diff --git a/yotta/data/module.json b/yotta/data/module.json index 6ed20ffdc..6add3936d 100644 --- a/yotta/data/module.json +++ b/yotta/data/module.json @@ -1,6 +1,6 @@ { "name": "mbedtls", - "version": "2.0.5", + "version": "2.0.6", "description": "The mbed TLS crypto/SSL/TLS library", "private": true, "license": "GPL-2.0",