Merge remote-tracking branch 'upstream-restricted/pr/351' into development-restricted-proposed
Move the added ChangeLog entry to the bottom so that the list remains
in merge order.
diff --git a/ChangeLog b/ChangeLog
index f403051..439f1a8 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -13,12 +13,12 @@
Applied Sciences).
Security
- * Verify results of RSA private key operations to defend
- against Bellcore glitch attack.
* Fix implementation of the truncated HMAC extension. The previous
implementation allowed an offline 2^80 brute force attack on the
HMAC key of a single, uninterrupted connection (with no
resumption of the session).
+ * Verify results of RSA private key operations to defend
+ against Bellcore glitch attack.
Features
* Extend PKCS#8 interface by introducing support for the entire SHA
@@ -37,6 +37,18 @@
In the context of SSL, this resulted in handshake failure. Reported by
daniel in the Mbed TLS forum. #1351
* Fix Windows x64 builds with the included mbedTLS.sln file. #1347
+ * Fix setting version TLSv1 as minimal version, even if TLS 1
+ is not enabled. Set MBEDTLS_SSL_MIN_MAJOR_VERSION
+ and MBEDTLS_SSL_MIN_MINOR_VERSION instead of
+ MBEDTLS_SSL_MAJOR_VERSION_3 and MBEDTLS_SSL_MINOR_VERSION_1. #664
+ * Fix compilation error on Mingw32 when _TRUNCATE is defined. Use _TRUNCATE
+ only if __MINGW32__ not defined. Fix suggested by Thomas Glanzmann and
+ Nick Wilson on issue #355
+ * In test_suite_pk, pass valid parameters when testing for hash length
+ overflow. #1179
+ * Fix memory allocation corner cases in memory_buffer_alloc.c module. Found
+ by Guido Vranken. #639
+ * Log correct number of ciphersuites used in Client Hello message. #918
Changes
* Fix tag lengths and value ranges in the documentation of CCM encryption.
@@ -45,6 +57,9 @@
* Remove support for the library reference configuration for picocoin.
* MD functions deprecated in 2.7.0 are no longer inline, to provide
a migration path for those depending on the library's ABI.
+ * Clarify the documentation of mbedtls_ssl_setup.
+ * Use (void) when defining functions with no parameters. Contributed by
+ Joris Aerts. #678
= mbed TLS 2.7.0 branch released 2018-02-03
diff --git a/README.md b/README.md
index 4270e80..a2c3c6f 100644
--- a/README.md
+++ b/README.md
@@ -76,7 +76,9 @@
In order to build for a Windows platform, you should use `WINDOWS_BUILD=1` if the target is Windows but the build environment is Unix-like (for instance when cross-compiling, or compiling from an MSYS shell), and `WINDOWS=1` if the build environment is a Windows shell (for instance using mingw32-make) (in that case some targets will not be available).
-Setting the variable `SHARED` in your environment will build shared libraries in addition to the static libraries. Setting `DEBUG` gives you a debug build. You can override `CFLAGS` and `LDFLAGS` by setting them in your environment or on the make command line; if you do so, essential parts such as `-I` will still be preserved. Warning options may be overridden separately using `WARNING_CFLAGS`.
+Setting the variable `SHARED` in your environment will build shared libraries in addition to the static libraries. Setting `DEBUG` gives you a debug build. You can override `CFLAGS` and `LDFLAGS` by setting them in your environment or on the make command line; compiler warning options may be overridden separately using `WARNING_CFLAGS`. Some directory-specific options (for example, `-I` directives) are still preserved.
+
+Please note that setting `CFLAGS` overrides its default value of `-O2` and setting `WARNING_CFLAGS` overrides its default value (starting with `-Wall -W`), so it you just want to add some warning options to the default ones, you can do so by setting `CFLAGS=-O2 -Werror` for example. Setting `WARNING_CFLAGS` is useful when you want to get rid of its default content (for example because your compiler doesn't accept `-Wall` as an option). Directory-specific options cannot be overriden from the command line.
Depending on your platform, you might run into some issues. Please check the Makefiles in `library/`, `programs/` and `tests/` for options to manually add or remove for specific platforms. You can also check [the Mbed TLS Knowledge Base](https://tls.mbed.org/kb) for articles on your platform or issue.
@@ -84,9 +86,10 @@
### CMake
-In order to build the source using CMake, just enter at the command line:
+In order to build the source using CMake in a separate directory (recommended), just enter at the command line:
- cmake .
+ mkdir /path/to/build_dir && cd /path/to/build_dir
+ cmake /path/to/mbedtls_source
make
In order to run the tests, enter:
@@ -95,7 +98,7 @@
The test suites need Perl to be built. If you don't have Perl installed, you'll want to disable the test suites with:
- cmake -DENABLE_TESTING=Off .
+ cmake -DENABLE_TESTING=Off /path/to/mbedtls_source
If you disabled the test suites, but kept the programs enabled, you can still run a much smaller set of tests with:
@@ -103,31 +106,59 @@
To configure CMake for building shared libraries, use:
- cmake -DUSE_SHARED_MBEDTLS_LIBRARY=On .
+ cmake -DUSE_SHARED_MBEDTLS_LIBRARY=On /path/to/mbedtls_source
There are many different build modes available within the CMake buildsystem. Most of them are available for gcc and clang, though some are compiler-specific:
-- Release. This generates the default code without any unnecessary information in the binary files.
-- Debug. This generates debug information and disables optimization of the code.
-- Coverage. This generates code coverage information in addition to debug information.
-- ASan. This instruments the code with AddressSanitizer to check for memory errors. (This includes LeakSanitizer, with recent version of gcc and clang.) (With recent version of clang, this mode also instruments the code with UndefinedSanitizer to check for undefined behaviour.)
-- ASanDbg. Same as ASan but slower, with debug information and better stack traces.
-- MemSan. This instruments the code with MemorySanitizer to check for uninitialised memory reads. Experimental, needs recent clang on Linux/x86\_64.
-- MemSanDbg. Same as MemSan but slower, with debug information, better stack traces and origin tracking.
-- Check. This activates the compiler warnings that depend on optimization and treats all warnings as errors.
+- `Release`. This generates the default code without any unnecessary information in the binary files.
+- `Debug`. This generates debug information and disables optimization of the code.
+- `Coverage`. This generates code coverage information in addition to debug information.
+- `ASan`. This instruments the code with AddressSanitizer to check for memory errors. (This includes LeakSanitizer, with recent version of gcc and clang.) (With recent version of clang, this mode also instruments the code with UndefinedSanitizer to check for undefined behaviour.)
+- `ASanDbg`. Same as ASan but slower, with debug information and better stack traces.
+- `MemSan`. This instruments the code with MemorySanitizer to check for uninitialised memory reads. Experimental, needs recent clang on Linux/x86\_64.
+- `MemSanDbg`. Same as MemSan but slower, with debug information, better stack traces and origin tracking.
+- `Check`. This activates the compiler warnings that depend on optimization and treats all warnings as errors.
Switching build modes in CMake is simple. For debug mode, enter at the command line:
- cmake -D CMAKE_BUILD_TYPE=Debug .
+ cmake -D CMAKE_BUILD_TYPE=Debug /path/to/mbedtls_source
To list other available CMake options, use:
cmake -LH
-Note that, with CMake, if you want to change the compiler or its options after you already ran CMake, you need to clear its cache first, e.g. (using GNU find):
+Note that, with CMake, you can't adjust the compiler or its flags after the
+initial invocation of cmake. This means that `CC=your_cc make` and `make
+CC=your_cc` will *not* work (similarly with `CFLAGS` and other variables).
+These variables need to be adjusted when invoking cmake for the first time,
+for example:
+
+ CC=your_cc cmake /path/to/mbedtls_source
+
+If you already invoked cmake and want to change those settings, you need to
+remove the build directory and create it again.
+
+Note that it is possible to build in-place; this will however overwrite the
+provided Makefiles (see `scripts/tmp_ignore_makefiles.sh` if you want to
+prevent `git status` from showing them as modified). In order to do so, from
+the Mbed TLS source directory, use:
+
+ cmake .
+ make
+
+If you want to change `CC` or `CFLAGS` afterwards, you will need to remove the
+CMake cache. This can be done with the following command using GNU find:
find . -iname '*cmake*' -not -name CMakeLists.txt -exec rm -rf {} +
- CC=gcc CFLAGS='-fstack-protector-strong -Wa,--noexecstack' cmake .
+
+You can now make the desired change:
+
+ CC=your_cc cmake .
+ make
+
+Regarding variables, also note that if you set CFLAGS when invoking cmake,
+your value of CFLAGS doesn't override the content provided by cmake (depending
+on the build mode as seen above), it's merely prepended to it.
### Microsoft Visual Studio
diff --git a/include/mbedtls/ssl.h b/include/mbedtls/ssl.h
index 51e843a..5ee9e9d 100644
--- a/include/mbedtls/ssl.h
+++ b/include/mbedtls/ssl.h
@@ -971,8 +971,13 @@
* \note No copy of the configuration context is made, it can be
* shared by many mbedtls_ssl_context structures.
*
- * \warning Modifying the conf structure after it has been used in this
- * function is unsupported!
+ * \warning The conf structure will be accessed during the session.
+ * It must not be modified or freed as long as the session
+ * is active.
+ *
+ * \warning This function must be called exactly once per context.
+ * Calling mbedtls_ssl_setup again is not supported, even
+ * if no session is active.
*
* \param ssl SSL context
* \param conf SSL configuration to use
diff --git a/include/mbedtls/ssl_internal.h b/include/mbedtls/ssl_internal.h
index 9f583a8..60b431a 100644
--- a/include/mbedtls/ssl_internal.h
+++ b/include/mbedtls/ssl_internal.h
@@ -71,6 +71,9 @@
#endif /* MBEDTLS_SSL_PROTO_TLS1 */
#endif /* MBEDTLS_SSL_PROTO_SSL3 */
+#define MBEDTLS_SSL_MIN_VALID_MINOR_VERSION MBEDTLS_SSL_MINOR_VERSION_1
+#define MBEDTLS_SSL_MIN_VALID_MAJOR_VERSION MBEDTLS_SSL_MAJOR_VERSION_3
+
/* Determine maximum supported version */
#define MBEDTLS_SSL_MAX_MAJOR_VERSION MBEDTLS_SSL_MAJOR_VERSION_3
diff --git a/library/debug.c b/library/debug.c
index f9229b3..db3924a 100644
--- a/library/debug.c
+++ b/library/debug.c
@@ -91,7 +91,7 @@
va_start( argp, format );
#if defined(_WIN32)
-#if defined(_TRUNCATE)
+#if defined(_TRUNCATE) && !defined(__MINGW32__)
ret = _vsnprintf_s( str, DEBUG_BUF_SIZE, _TRUNCATE, format, argp );
#else
ret = _vsnprintf( str, DEBUG_BUF_SIZE, format, argp );
diff --git a/library/memory_buffer_alloc.c b/library/memory_buffer_alloc.c
index 545d5a2..821ae2c 100644
--- a/library/memory_buffer_alloc.c
+++ b/library/memory_buffer_alloc.c
@@ -113,7 +113,7 @@
#endif
}
-static void debug_chain()
+static void debug_chain( void )
{
memory_header *cur = heap.first;
@@ -180,11 +180,11 @@
return( 0 );
}
-static int verify_chain()
+static int verify_chain( void )
{
- memory_header *prv = heap.first, *cur = heap.first->next;
+ memory_header *prv = heap.first, *cur;
- if( verify_header( heap.first ) != 0 )
+ if( prv == NULL || verify_header( prv ) != 0 )
{
#if defined(MBEDTLS_MEMORY_DEBUG)
mbedtls_fprintf( stderr, "FATAL: verification of first header "
@@ -202,6 +202,8 @@
return( 1 );
}
+ cur = heap.first->next;
+
while( cur != NULL )
{
if( verify_header( cur ) != 0 )
@@ -245,7 +247,9 @@
original_len = len = n * size;
- if( n != 0 && len / n != size )
+ if( n == 0 || size == 0 || len / n != size )
+ return( NULL );
+ else if( len > (size_t)-MBEDTLS_MEMORY_ALIGN_MULTIPLE )
return( NULL );
if( len % MBEDTLS_MEMORY_ALIGN_MULTIPLE )
@@ -386,7 +390,7 @@
if( ptr == NULL || heap.buf == NULL || heap.first == NULL )
return;
- if( p < heap.buf || p > heap.buf + heap.len )
+ if( p < heap.buf || p >= heap.buf + heap.len )
{
#if defined(MBEDTLS_MEMORY_DEBUG)
mbedtls_fprintf( stderr, "FATAL: mbedtls_free() outside of managed "
@@ -500,13 +504,13 @@
heap.verify = verify;
}
-int mbedtls_memory_buffer_alloc_verify()
+int mbedtls_memory_buffer_alloc_verify( void )
{
return verify_chain();
}
#if defined(MBEDTLS_MEMORY_DEBUG)
-void mbedtls_memory_buffer_alloc_status()
+void mbedtls_memory_buffer_alloc_status( void )
{
mbedtls_fprintf( stderr,
"Current use: %zu blocks / %zu bytes, max: %zu blocks / "
@@ -570,8 +574,7 @@
void mbedtls_memory_buffer_alloc_init( unsigned char *buf, size_t len )
{
- memset( &heap, 0, sizeof(buffer_alloc_ctx) );
- memset( buf, 0, len );
+ memset( &heap, 0, sizeof( buffer_alloc_ctx ) );
#if defined(MBEDTLS_THREADING_C)
mbedtls_mutex_init( &heap.mutex );
@@ -581,26 +584,30 @@
mbedtls_platform_set_calloc_free( buffer_alloc_calloc, buffer_alloc_free );
#endif
- if( (size_t) buf % MBEDTLS_MEMORY_ALIGN_MULTIPLE )
+ if( len < sizeof( memory_header ) + MBEDTLS_MEMORY_ALIGN_MULTIPLE )
+ return;
+ else if( (size_t)buf % MBEDTLS_MEMORY_ALIGN_MULTIPLE )
{
/* Adjust len first since buf is used in the computation */
len -= MBEDTLS_MEMORY_ALIGN_MULTIPLE
- - (size_t) buf % MBEDTLS_MEMORY_ALIGN_MULTIPLE;
+ - (size_t)buf % MBEDTLS_MEMORY_ALIGN_MULTIPLE;
buf += MBEDTLS_MEMORY_ALIGN_MULTIPLE
- - (size_t) buf % MBEDTLS_MEMORY_ALIGN_MULTIPLE;
+ - (size_t)buf % MBEDTLS_MEMORY_ALIGN_MULTIPLE;
}
+ memset( buf, 0, len );
+
heap.buf = buf;
heap.len = len;
- heap.first = (memory_header *) buf;
- heap.first->size = len - sizeof(memory_header);
+ heap.first = (memory_header *)buf;
+ heap.first->size = len - sizeof( memory_header );
heap.first->magic1 = MAGIC1;
heap.first->magic2 = MAGIC2;
heap.first_free = heap.first;
}
-void mbedtls_memory_buffer_alloc_free()
+void mbedtls_memory_buffer_alloc_free( void )
{
#if defined(MBEDTLS_THREADING_C)
mbedtls_mutex_free( &heap.mutex );
@@ -620,7 +627,7 @@
return( 0 );
}
-static int check_all_free( )
+static int check_all_free( void )
{
if(
#if defined(MBEDTLS_MEMORY_DEBUG)
diff --git a/library/pem.c b/library/pem.c
index c09651f..ac86d7e 100644
--- a/library/pem.c
+++ b/library/pem.c
@@ -442,7 +442,7 @@
unsigned char *buf, size_t buf_len, size_t *olen )
{
int ret;
- unsigned char *encode_buf, *c, *p = buf;
+ unsigned char *encode_buf = NULL, *c, *p = buf;
size_t len = 0, use_len, add_len = 0;
mbedtls_base64_encode( NULL, 0, &use_len, der_data, der_len );
@@ -454,7 +454,8 @@
return( MBEDTLS_ERR_BASE64_BUFFER_TOO_SMALL );
}
- if( ( encode_buf = mbedtls_calloc( 1, use_len ) ) == NULL )
+ if( use_len != 0 &&
+ ( ( encode_buf = mbedtls_calloc( 1, use_len ) ) == NULL ) )
return( MBEDTLS_ERR_PEM_ALLOC_FAILED );
if( ( ret = mbedtls_base64_encode( encode_buf, use_len, &use_len, der_data,
diff --git a/library/pkparse.c b/library/pkparse.c
index aae1785..a0f7779 100644
--- a/library/pkparse.c
+++ b/library/pkparse.c
@@ -1277,6 +1277,9 @@
{
unsigned char *key_copy;
+ if( keylen == 0 )
+ return( MBEDTLS_ERR_PK_KEY_INVALID_FORMAT );
+
if( ( key_copy = mbedtls_calloc( 1, keylen ) ) == NULL )
return( MBEDTLS_ERR_PK_ALLOC_FAILED );
diff --git a/library/platform.c b/library/platform.c
index 76df7fa..a295f9b 100644
--- a/library/platform.c
+++ b/library/platform.c
@@ -82,7 +82,7 @@
return( -1 );
va_start( argp, fmt );
-#if defined(_TRUNCATE)
+#if defined(_TRUNCATE) && !defined(__MINGW32__)
ret = _vsnprintf_s( s, n, _TRUNCATE, fmt, argp );
#else
ret = _vsnprintf( s, n, fmt, argp );
diff --git a/library/ssl_cli.c b/library/ssl_cli.c
index 2534346..5367fdd 100644
--- a/library/ssl_cli.c
+++ b/library/ssl_cli.c
@@ -902,6 +902,8 @@
*p++ = (unsigned char)( ciphersuites[i] );
}
+ MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello, got %d ciphersuites (excluding SCSVs)", n ) );
+
/*
* Add TLS_EMPTY_RENEGOTIATION_INFO_SCSV
*/
@@ -909,6 +911,7 @@
if( ssl->renego_status == MBEDTLS_SSL_INITIAL_HANDSHAKE )
#endif
{
+ MBEDTLS_SSL_DEBUG_MSG( 3, ( "adding EMPTY_RENEGOTIATION_INFO_SCSV" ) );
*p++ = (unsigned char)( MBEDTLS_SSL_EMPTY_RENEGOTIATION_INFO >> 8 );
*p++ = (unsigned char)( MBEDTLS_SSL_EMPTY_RENEGOTIATION_INFO );
n++;
@@ -928,8 +931,6 @@
*q++ = (unsigned char)( n >> 7 );
*q++ = (unsigned char)( n << 1 );
- MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello, got %d ciphersuites", n ) );
-
#if defined(MBEDTLS_ZLIB_SUPPORT)
offer_compress = 1;
#else
diff --git a/library/ssl_tls.c b/library/ssl_tls.c
index ff52104..236e52d 100644
--- a/library/ssl_tls.c
+++ b/library/ssl_tls.c
@@ -7685,8 +7685,14 @@
* Default
*/
default:
- conf->min_major_ver = MBEDTLS_SSL_MAJOR_VERSION_3;
- conf->min_minor_ver = MBEDTLS_SSL_MINOR_VERSION_1; /* TLS 1.0 */
+ conf->min_major_ver = ( MBEDTLS_SSL_MIN_MAJOR_VERSION >
+ MBEDTLS_SSL_MIN_VALID_MAJOR_VERSION ) ?
+ MBEDTLS_SSL_MIN_MAJOR_VERSION :
+ MBEDTLS_SSL_MIN_VALID_MAJOR_VERSION;
+ conf->min_minor_ver = ( MBEDTLS_SSL_MIN_MINOR_VERSION >
+ MBEDTLS_SSL_MIN_VALID_MINOR_VERSION ) ?
+ MBEDTLS_SSL_MIN_MINOR_VERSION :
+ MBEDTLS_SSL_MIN_VALID_MINOR_VERSION;
conf->max_major_ver = MBEDTLS_SSL_MAX_MAJOR_VERSION;
conf->max_minor_ver = MBEDTLS_SSL_MAX_MINOR_VERSION;
diff --git a/library/version.c b/library/version.c
index 6ca80d4..fd96750 100644
--- a/library/version.c
+++ b/library/version.c
@@ -30,7 +30,7 @@
#include "mbedtls/version.h"
#include <string.h>
-unsigned int mbedtls_version_get_number()
+unsigned int mbedtls_version_get_number( void )
{
return( MBEDTLS_VERSION_NUMBER );
}
diff --git a/library/x509_crl.c b/library/x509_crl.c
index 55d12ac..0bb7236 100644
--- a/library/x509_crl.c
+++ b/library/x509_crl.c
@@ -257,7 +257,7 @@
{
int ret;
size_t len;
- unsigned char *p, *end;
+ unsigned char *p = NULL, *end = NULL;
mbedtls_x509_buf sig_params1, sig_params2, sig_oid2;
mbedtls_x509_crl *crl = chain;
@@ -294,7 +294,11 @@
/*
* Copy raw DER-encoded CRL
*/
- if( ( p = mbedtls_calloc( 1, buflen ) ) == NULL )
+ if( buflen == 0 )
+ return( MBEDTLS_ERR_X509_INVALID_FORMAT );
+
+ p = mbedtls_calloc( 1, buflen );
+ if( p == NULL )
return( MBEDTLS_ERR_X509_ALLOC_FAILED );
memcpy( p, buf, buflen );
diff --git a/scripts/footprint.sh b/scripts/footprint.sh
index d38e50a..c08ef1c 100755
--- a/scripts/footprint.sh
+++ b/scripts/footprint.sh
@@ -11,7 +11,6 @@
#
# Configurations included:
# default include/mbedtls/config.h
-# yotta yotta/module/mbedtls/config.h
# thread configs/config-thread.h
# suite-b configs/config-suite-b.h
# psk configs/config-ccm-psk-tls1_2.h
@@ -102,11 +101,7 @@
log "$( arm-none-eabi-gcc --version | head -n1 )"
log "CFLAGS=$ARMGCC_FLAGS"
-# creates the yotta config
-yotta/create-module.sh >/dev/null
-
doit default include/mbedtls/config.h
-doit yotta yotta/module/mbedtls/config.h
doit thread configs/config-thread.h
doit suite-b configs/config-suite-b.h
doit psk configs/config-ccm-psk-tls1_2.h
diff --git a/tests/scripts/all.sh b/tests/scripts/all.sh
index e60530f..fdb99be 100755
--- a/tests/scripts/all.sh
+++ b/tests/scripts/all.sh
@@ -328,7 +328,7 @@
start_red=
end_color=
if [ -t 1 ]; then
- case "$TERM" in
+ case "${TERM:-}" in
*color*|cygwin|linux|rxvt*|screen|[Eex]term*)
start_red=$(printf '\033[31m')
end_color=$(printf '\033[0m')
diff --git a/tests/suites/test_suite_memory_buffer_alloc.data b/tests/suites/test_suite_memory_buffer_alloc.data
index 8d3813a..d59f113 100644
--- a/tests/suites/test_suite_memory_buffer_alloc.data
+++ b/tests/suites/test_suite_memory_buffer_alloc.data
@@ -16,3 +16,8 @@
Memory buffer alloc - Out of Memory test
memory_buffer_alloc_oom_test:
+Memory buffer small buffer
+memory_buffer_small_buffer:
+
+Memory buffer underalloc
+memory_buffer_underalloc:
diff --git a/tests/suites/test_suite_memory_buffer_alloc.function b/tests/suites/test_suite_memory_buffer_alloc.function
index a0c70d8..09684c1 100644
--- a/tests/suites/test_suite_memory_buffer_alloc.function
+++ b/tests/suites/test_suite_memory_buffer_alloc.function
@@ -232,3 +232,31 @@
}
/* END_CASE */
+/* BEGIN_CASE depends_on:MBEDTLS_MEMORY_DEBUG */
+void memory_buffer_small_buffer( )
+{
+ unsigned char buf[1];
+
+ mbedtls_memory_buffer_alloc_init( buf, sizeof( buf ) );
+ TEST_ASSERT( mbedtls_memory_buffer_alloc_verify() != 0 );
+}
+/* END_CASE */
+
+/* BEGIN_CASE depends_on:MBEDTLS_MEMORY_DEBUG */
+void memory_buffer_underalloc( )
+{
+ unsigned char buf[100];
+ size_t i;
+
+ mbedtls_memory_buffer_alloc_init( buf, sizeof( buf ) );
+ for( i = 1; i < MBEDTLS_MEMORY_ALIGN_MULTIPLE; i++ )
+ {
+ TEST_ASSERT( mbedtls_calloc( 1,
+ (size_t)-( MBEDTLS_MEMORY_ALIGN_MULTIPLE - i ) ) == NULL );
+ TEST_ASSERT( mbedtls_memory_buffer_alloc_verify() == 0 );
+ }
+
+exit:
+ mbedtls_memory_buffer_alloc_free();
+}
+/* END_CASE */
diff --git a/tests/suites/test_suite_pk.function b/tests/suites/test_suite_pk.function
index 3182727..c0c987d 100644
--- a/tests/suites/test_suite_pk.function
+++ b/tests/suites/test_suite_pk.function
@@ -421,11 +421,15 @@
void pk_rsa_overflow( )
{
mbedtls_pk_context pk;
- size_t hash_len = SIZE_MAX;
+ size_t hash_len = SIZE_MAX, sig_len = SIZE_MAX;
+ unsigned char hash[50], sig[100];
if( SIZE_MAX <= UINT_MAX )
return;
+ memset( hash, 0x2a, sizeof hash );
+ memset( sig, 0, sizeof sig );
+
mbedtls_pk_init( &pk );
TEST_ASSERT( mbedtls_pk_setup( &pk,
@@ -433,14 +437,14 @@
#if defined(MBEDTLS_PKCS1_V21)
TEST_ASSERT( mbedtls_pk_verify_ext( MBEDTLS_PK_RSASSA_PSS, NULL, &pk,
- MBEDTLS_MD_NONE, NULL, hash_len, NULL, 0 ) ==
+ MBEDTLS_MD_NONE, hash, hash_len, sig, sig_len ) ==
MBEDTLS_ERR_PK_BAD_INPUT_DATA );
#endif /* MBEDTLS_PKCS1_V21 */
- TEST_ASSERT( mbedtls_pk_verify( &pk, MBEDTLS_MD_NONE, NULL, hash_len,
- NULL, 0 ) == MBEDTLS_ERR_PK_BAD_INPUT_DATA );
+ TEST_ASSERT( mbedtls_pk_verify( &pk, MBEDTLS_MD_NONE, hash, hash_len,
+ sig, sig_len ) == MBEDTLS_ERR_PK_BAD_INPUT_DATA );
- TEST_ASSERT( mbedtls_pk_sign( &pk, MBEDTLS_MD_NONE, NULL, hash_len, NULL, 0,
+ TEST_ASSERT( mbedtls_pk_sign( &pk, MBEDTLS_MD_NONE, hash, hash_len, sig, &sig_len,
rnd_std_rand, NULL ) == MBEDTLS_ERR_PK_BAD_INPUT_DATA );
exit: