mbedtls_asn1_write_mpi() correctly handles the sign bit, so there's no
reason not to test that it's handled correctly.
Fix copypasta in test data that was commented out.
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
Fix a null pointer dereference when performing some operations on zero
represented with 0 limbs: mbedtls_mpi_mod_int() dividing by 2, or
mbedtls_mpi_write_string() in base 2.
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
If the key agreement or the public key export in
ssl_write_client_key_exchange() fails, the handshake enters a failed state.
The only valid thing you can do in a failed handshake is to abort it, which
calls mbedtls_ssl_handshake_free(), which destroys ecdh_psa_privey. While
it's good hygiene to destroy the key in the function that creates it, it
would have been cleaned up a little later in the normal course of things
anyway, so there wasn't an actual bug.
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
The entry for “Fix several bugs…” already covers this. This is borderline an
internal detail anyway.
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
Consolidate the entries for SHA512 and SHA256 since they are being released
together.
List the algorithms generically as SHA-2 since this also applies to SHA224
and SHA384.
Clearly state that the instructions are only supported when building for
Aarch64 (64-bit ARMv8+) and not for Aarch32 (32-bit ARMv8+).
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
That way the concerned tests are also run in the
TLS 1.3 only configuration where a TLS 1.3
handshake is performed.
Signed-off-by: Ronald Cron <ronald.cron@arm.com>
The endpoint initialization function was setting up
a certificate but the client certificate was not
used because client authentication was not enabled
(not enabled in the default SSL server configuration).
Signed-off-by: Ronald Cron <ronald.cron@arm.com>
This could lead to a potential buffer overread with small
MBEDTLS_SSL_IN_CONTENT_LEN.
Change the bound calculations so that it is apparent
what lengths and sizes are used.
Signed-off-by: Andrzej Kurek <andrzej.kurek@arm.com>
When executing eval in the background, the next "$!" gives the
eval PID, not the ssl-client2 pid. This causes problems when
a client times out and the script tries to kill it. Instead, it
kills the parent eval call.
This caused problems with subsequent proxy tests receiving
old packets from a client from a previous test.
Moving the "&" to inside the eval call fixes the problem.
Signed-off-by: Andrzej Kurek <andrzej.kurek@arm.com>
Functions called within the test mean that MBEDTLS_X509_CRT_PARSE_C
is a test dependency and so is declared in this commit.
Signed-off-by: Thomas Daubney <thomas.daubney@arm.com>
Move the definition of the accessor so that it is not defined
within the MBEDTLS_X509_CRT_WRITE_C guards. Thus remove the
dependency from the test and test cases.
Signed-off-by: Thomas Daubney <thomas.daubney@arm.com>
