crl_file is a test argument and can't be null. Besides the code above
already assumes that it's non-null.
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
The official spelling of the trade mark changed from all-lowercase "mbed"
to normal proper noun capitalization "Mbed" a few years ago. We've been
using the new spelling in new text but still have the old spelling in a
lot of text. This commit updates most occurrences of "mbed TLS":
```
sed -i -e 's/mbed TLS/Mbed TLS/g' $(git ls-files ':!ChangeLog' ':!tests/data_files/**' ':!tests/suites/*.data' ':!programs/x509/*' ':!configs/tfm*')
```
Justification for the omissions:
* `ChangeLog`: historical text.
* `test/data_files/**`, `tests/suites/*.data`, `programs/x509/*`: many
occurrences are significant names in certificates and such. Changing
the spelling would invalidate many signatures and tests.
* `configs/tfm*`: this is an imported file. We'll follow the upstream
updates.
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
The hardware module name otherName SAN contains 2 OIDs:
OtherName ::= SEQUENCE {
type-id OBJECT IDENTIFIER,
value [0] EXPLICIT ANY DEFINED BY type-id }
HardwareModuleName ::= SEQUENCE {
hwType OBJECT IDENTIFIER,
hwSerialNum OCTET STRING }
The first, type-id, is the one that identifies the otherName as a
HardwareModuleName. The second, hwType, identifies the type of hardware.
This change fixes 2 issues:
1. We were erroneously trying to identify HardwareModuleNames by looking
at hwType, not type-id.
2. We accidentally inverted the check so that we were checking that
hwType did NOT match HardwareModuleName.
This fix ensures that type-id is correctly checked to make sure that it
matches the OID for HardwareModuleName.
Signed-off-by: David Horstmann <david.horstmann@arm.com>
The parse_path tests are known to fail when compiled for a 32-btt architecture
and run via qemu-user on Linux on a 64-bit host. This is due to a known
bug in Qemu: https://gitlab.com/qemu-project/qemu/-/issues/263
Document this, and add test cases to parse the files involved to confirm
that the problem is only with parse_path.
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
Check the number of certificates found, as was done in the test of
mbedtls_x509_crt_parse_path().
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
Introduce a unit test to test mbedtls_x509_get_name() and add a testcase
with a corrupt DER-encoded name that causes mbedtls_x509_get_name() to
have to cleanup things it is allocated. If it fails to do this, a memory
leak is detected under Asan builds.
Signed-off-by: David Horstmann <david.horstmann@arm.com>
Replace all occurences of error code addition in the library with the new
MBEDTLS_ERROR_ADD macro.
Signed-off-by: Chris Jones <christopher.jones@arm.com>
Some functions were not deinitializing the PSA subsystem. This could
lead to resource leaks at the level of individual test cases, and
possibly at the level of the whole test suite depending on the order
and selection of test cases.
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
Make USE_PSA_INIT() and USE_PSA_DONE() available in all test suites in
all cases, doing nothing if MBEDTLS_USE_PSA_CRYPTO is disabled. Use
those in preference to having explicit
defined(MBEDTLS_USE_PSA_CRYPTO) checks (but there may still be places
left where using the new macros would be better).
Also provide PSA_INIT() by symmetry with PSA_DONE(), functional
whenver MBEDTLS_PSA_CRYPTO_C is enabled, but currently unused.
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
Remove `hex` in name of variables of type data_t to reserve it
for variables of type char* that are the hexadecimal
representation of a data buffer.
Signed-off-by: Ronald Cron <ronald.cron@arm.com>
Pass the "certificate policies" extension to the callback supplied to
mbedtls_x509_crt_parse_der_with_ext_cb() if it contains unsupported
policies. This allows the callback to fully replicate the behaviour
of the deprecated MBEDTLS_X509_ALLOW_UNSUPPORTED_CRITICAL_EXTENSION
configuration.
Signed-off-by: Nicola Di Lieto <nicola.dilieto@gmail.com>
Make `mbedtls_x509_subject_alternative_name` to be a single item
rather than a list. Adapt the subject alternative name parsing function,
to receive a signle `mbedtls_x509_buf` item from the subject_alt_names
sequence of the certificate.
Don't unconditionally enable PSA Crypto for all tests. Only enable it in
tests that require it. This allows crypto tests to check that
psa_crypto_init() fails when it is supposed to fail, since we want to
perform some action in a test, and then call psa_crypto_init() and check
the result without it having been called previously.
The existing test `x509parse_crt()` for X.509 CRT parsing
so far used the generic parsing API `mbedtls_x509_crt_parse()`
capable of parsing both PEM encoded and DER encoded certficates,
but was actually only used with DER encoded input data. Moreover,
as the purpose of the test is the testing of the core DER X.509 parsing
functionality, not the PEM vs. DER dispatch (which is now already tested
in the various `x509_crt_info()` tests), the call can be replaced with a
direct call to `mbedtls_x509_parse_crt_der()`.
This commit does that, and further adds to the test an analogous
call to the new API `mbedtls_x509_parse_crt_der_nocopy()` to test
copyless parsing of X.509 certificates.
* development-restricted: (578 commits)
Update library version number to 2.13.1
Don't define _POSIX_C_SOURCE in header file
Don't declare and define gmtime()-mutex on Windows platforms
Correct preprocessor guards determining use of gmtime()
Correct documentation of mbedtls_platform_gmtime_r()
Correct typo in documentation of mbedtls_platform_gmtime_r()
Correct POSIX version check to determine presence of gmtime_r()
Improve documentation of mbedtls_platform_gmtime_r()
platform_utils.{c/h} -> platform_util.{c/h}
Don't include platform_time.h if !MBEDTLS_HAVE_TIME
Improve wording of documentation of MBEDTLS_PLATFORM_GMTIME_R_ALT
Fix typo in documentation of MBEDTLS_PLATFORM_GMTIME_R_ALT
Replace 'thread safe' by 'thread-safe' in the documentation
Improve documentation of MBEDTLS_HAVE_TIME_DATE
ChangeLog: Add missing renamings gmtime -> gmtime_r
Improve documentation of MBEDTLS_HAVE_TIME_DATE
Minor documentation improvements
Style: Add missing period in documentation in threading.h
Rename mbedtls_platform_gmtime() to mbedtls_platform_gmtime_r()
Guard decl and use of gmtime mutex by HAVE_TIME_DATE and !GMTIME_ALT
...
