Merge branch 'mbedtls-1.3' into mbedtls-1.3-restricted
* mbedtls-1.3:
Remove %zu format string from ssl_client2 and ssl_server2
diff --git a/ChangeLog b/ChangeLog
index ad1f572..9778fbe 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,22 +1,31 @@
mbed TLS ChangeLog (Sorted per branch, date)
-= mbed TLS 1.3.x branch released xxxx-xx-xx
+= mbed TLS 1.3.20 released xxxx-xx-xx
Security
+ * Fixed unlimited overread of heap-based buffer in ssl_read().
+ The issue could only happen client-side with renegotiation enabled.
+ Could result in DoS (application crash) or information leak
+ (if the application layer sent data read from ssl_read()
+ back to the server or to a third party). Can be triggered remotely.
* Add exponent blinding to RSA private operations as a countermeasure
against side-channel attacks like the cache attack described in
https://arxiv.org/abs/1702.08719v2.
Found and fix proposed by Michael Schwarz, Samuel Weiser, Daniel Gruss,
Clémentine Maurice and Stefan Mangard.
+ * Wipe stack buffers in RSA private key operations
+ (rsa_rsaes_pkcs1_v15_decrypt(), rsa_rsaes_oaep_decrypt).
+ Found by Laurent Simon.
+ * Tighten parsing of RSA PKCS#1 v1.5 signatures, to avoid a
+ potential Bleichenbacher/BERserk-style attack.
+ * Remove support for X509 certificates signed with MD5.
+ Issue raised by Harm Verhagen
Bugfix
* Disable use of extensions for SSLv3, previously causing the
"SSLv3 with extensions" test from ssl-opt.sh to fail.
* Fix insufficient support for signature-hash-algorithm extension,
resulting in compatibility problems with Chrome. Found by hfloyrd. #823
- * Wipe stack buffers in RSA private key operations
- (rsa_rsaes_pkcs1_v15_decrypt(), rsa_rsaes_oaep_decrypt).
- Found by Laurent Simon.
* Accept empty trusted CA chain in authentication mode
SSL_VERIFY_OPTIONAL. Fixes #864. Found by jethrogb.
* Fix implementation of ssl_parse_certificate
@@ -34,6 +43,9 @@
* Clarify ECDSA documentation and improve the sample code to avoid
misunderstandings and potentially dangerous use of the API. Pointed out
by Jean-Philippe Aumasson.
+ * Add new config.h flag POLARSSL_X509_MIN_VERIFY_MD_ALG to set the minimum
+ hash accepted when verifying certificate chains. Defaults to SHA1, which
+ means SHA1 is accepted but MD5 and below are rejected.
= mbed TLS 1.3.19 branch released 2017-03-08
diff --git a/include/polarssl/config.h b/include/polarssl/config.h
index 498fc5b..60d96ec 100644
--- a/include/polarssl/config.h
+++ b/include/polarssl/config.h
@@ -2366,6 +2366,29 @@
/* X509 options */
//#define POLARSSL_X509_MAX_INTERMEDIATE_CA 8 /**< Maximum number of intermediate CAs in a verification chain. */
+/**
+ * \def POLARSSL_X509_MIN_VERIFY_MD_ALG
+ *
+ * Minimal hash algorithm accepted in X.509 chain verification.
+ *
+ * The value should be one of the enumerations in md_type_t defined in md.h
+ * Only algorithms with a value equal or higher are accepted.
+ *
+ * typedef enum {
+ * POLARSSL_MD_NONE=0,
+ * POLARSSL_MD_MD2,
+ * POLARSSL_MD_MD4,
+ * POLARSSL_MD_MD5,
+ * POLARSSL_MD_SHA1,
+ * POLARSSL_MD_SHA224,
+ * POLARSSL_MD_SHA256,
+ * POLARSSL_MD_SHA384,
+ * POLARSSL_MD_SHA512,
+ * POLARSSL_MD_RIPEMD160,
+ * } md_type_t;
+ */
+//#define POLARSSL_X509_MIN_VERIFY_MD_ALG POLARSSL_MD_SHA1
+
/* \} name SECTION: Module configuration options */
#include "check_config.h"
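Review bot: The option's documentation never states what happens when it is left undefined, although x509_crt.c in this same commit falls back to POLARSSL_MD_SHA1, nor that the minimum is applied to CRL signatures as well as certificate signatures. Suggest appending to the comment: `Defaults to POLARSSL_MD_SHA1 when not defined. The same minimum is applied to the signature on CRLs.` The copy of the md_type_t enumeration will silently drift if md.h changes; pointing the reader at md.h instead of duplicating the list would be safer, and it should at least warn that the comparison is on enumeration order (POLARSSL_MD_RIPEMD160 is listed after POLARSSL_MD_SHA512).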
diff --git a/include/polarssl/ssl.h b/include/polarssl/ssl.h
index 74b1317..4a01bbf 100644
--- a/include/polarssl/ssl.h
+++ b/include/polarssl/ssl.h
@@ -846,7 +846,9 @@
size_t in_hslen; /*!< current handshake message length */
int nb_zero; /*!< # of 0-length encrypted messages */
- int record_read; /*!< record is already present */
+
+ int keep_current_message; /*!< drop or reuse current message
+ on next call to record layer? */
/*
* Record layer (outgoing data)
diff --git a/library/rsa.c b/library/rsa.c
index 1cdf0d6..ca8f688 100644
--- a/library/rsa.c
+++ b/library/rsa.c
@@ -1472,7 +1472,7 @@
{
int ret;
size_t len, siglen, asn1_len;
- unsigned char *p, *end;
+ unsigned char *p, *p0, *end;
unsigned char buf[POLARSSL_MPI_MAX_SIZE];
md_type_t msg_md_alg;
const md_info_t *md_info;
@@ -1504,7 +1504,11 @@
return( POLARSSL_ERR_RSA_INVALID_PADDING );
p++;
}
- p++;
+ p++; /* skip 00 byte */
+
+ /* We've read: 00 01 PS 00 where PS must be at least 8 bytes */
+ if( p - buf < 11 )
+ return( POLARSSL_ERR_RSA_INVALID_PADDING );
len = siglen - ( p - buf );
@@ -1523,24 +1527,30 @@
end = p + len;
- // Parse the ASN.1 structure inside the PKCS#1 v1.5 structure
- //
+ /*
+ * Parse the ASN.1 structure inside the PKCS#1 v1.5 structure.
+ * Insist on 2-byte length tags, to protect against variants of
+ * Bleichenbacher's forgery attack against lax PKCS#1v1.5 verification.
+ */
+ p0 = p;
if( ( ret = asn1_get_tag( &p, end, &asn1_len,
ASN1_CONSTRUCTED | ASN1_SEQUENCE ) ) != 0 )
return( POLARSSL_ERR_RSA_VERIFY_FAILED );
-
- if( asn1_len + 2 != len )
+ if( p != p0 + 2 || asn1_len + 2 != len )
return( POLARSSL_ERR_RSA_VERIFY_FAILED );
+ p0 = p;
if( ( ret = asn1_get_tag( &p, end, &asn1_len,
ASN1_CONSTRUCTED | ASN1_SEQUENCE ) ) != 0 )
return( POLARSSL_ERR_RSA_VERIFY_FAILED );
-
- if( asn1_len + 6 + hashlen != len )
+ if( p != p0 + 2 || asn1_len + 6 + hashlen != len )
return( POLARSSL_ERR_RSA_VERIFY_FAILED );
+ p0 = p;
if( ( ret = asn1_get_tag( &p, end, &oid.len, ASN1_OID ) ) != 0 )
return( POLARSSL_ERR_RSA_VERIFY_FAILED );
+ if( p != p0 + 2 )
+ return( POLARSSL_ERR_RSA_VERIFY_FAILED );
oid.p = p;
p += oid.len;
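Review bot: The comment "Insist on 2-byte length tags" describes the check imprecisely: `p != p0 + 2` requires the tag byte plus a single short-form length byte, i.e. it rejects any long-form (first length byte >= 0x80) encoding, not a particular tag width. Suggest rewording to `Insist on a tag followed by a single-byte (short-form) length, so every header is exactly two bytes; long-form lengths are rejected outright.` If you also want to justify why this is safe, add that a DigestInfo for any supported hash fits well under 128 bytes, but confirm that against the largest supported digest before writing it down. The enclosing verify function starts before and ends after this hunk.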
@@ -1554,13 +1564,16 @@
/*
* assume the algorithm parameters must be NULL
*/
+ p0 = p;
if( ( ret = asn1_get_tag( &p, end, &asn1_len, ASN1_NULL ) ) != 0 )
return( POLARSSL_ERR_RSA_VERIFY_FAILED );
-
- if( ( ret = asn1_get_tag( &p, end, &asn1_len, ASN1_OCTET_STRING ) ) != 0 )
+ if( p != p0 + 2 )
return( POLARSSL_ERR_RSA_VERIFY_FAILED );
- if( asn1_len != hashlen )
+ p0 = p;
+ if( ( ret = asn1_get_tag( &p, end, &asn1_len, ASN1_OCTET_STRING ) ) != 0 )
+ return( POLARSSL_ERR_RSA_VERIFY_FAILED );
+ if( p != p0 + 2 || asn1_len != hashlen )
return( POLARSSL_ERR_RSA_VERIFY_FAILED );
if( memcmp( p, hash, hashlen ) != 0 )
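Review bot: The NULL parameter check verifies only the two-byte header (`p != p0 + 2`) and never that the NULL's content length is zero, so an encoding such as `05 01 xx` passes this tag check and is only caught indirectly by the earlier inner-SEQUENCE length arithmetic. Making it explicit costs one comparison and keeps the strictness local to the parse: `if( p != p0 + 2 || asn1_len != 0 )`. It is also worth confirming that the code after this hunk rejects any trailing bytes once the hash has been compared, since the length checks above only constrain the sum of the headers. The enclosing function continues past the end of this hunk.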
diff --git a/library/ssl_cli.c b/library/ssl_cli.c
index 34ab7e0..5f5beec 100644
--- a/library/ssl_cli.c
+++ b/library/ssl_cli.c
@@ -1195,6 +1195,8 @@
}
SSL_DEBUG_MSG( 1, ( "non-handshake message during renego" ) );
+
+ ssl->keep_current_message = 1;
return( POLARSSL_ERR_SSL_WAITING_SERVER_HELLO_RENEGO );
}
#endif /* POLARSSL_SSL_RENEGOTIATION */
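Review bot: The new `keep_current_message = 1` carries no comment explaining why, although it is the crux of the ssl_read() overread fix listed in the ChangeLog and the field's description in ssl.h only says "drop or reuse". Suggest adding before the assignment: `/* A non-handshake record arrived while waiting for the renegotiation ServerHello: keep it so the next ssl_read_record() returns it instead of fetching a new record, and ssl_read() can hand it to the caller. */` That is what ssl_read_record() does with the flag in this commit. The enclosing function starts before this hunk.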
@@ -1943,7 +1945,9 @@
if( ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_PSK ||
ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_RSA_PSK )
{
- ssl->record_read = 1;
+ /* Current message is probably either
+ * CertificateRequest or ServerHelloDone */
+ ssl->keep_current_message = 1;
goto exit;
}
@@ -2260,36 +2264,31 @@
* n+4 .. ... Distinguished Name #1
* ... .. ... length of DN 2, etc.
*/
- if( ssl->record_read == 0 )
+
+ if( ( ret = ssl_read_record( ssl ) ) != 0 )
{
- if( ( ret = ssl_read_record( ssl ) ) != 0 )
- {
- SSL_DEBUG_RET( 1, "ssl_read_record", ret );
- return( ret );
- }
-
- if( ssl->in_msgtype != SSL_MSG_HANDSHAKE )
- {
- SSL_DEBUG_MSG( 1, ( "bad certificate request message" ) );
- return( POLARSSL_ERR_SSL_UNEXPECTED_MESSAGE );
- }
-
- ssl->record_read = 1;
+ SSL_DEBUG_RET( 1, "ssl_read_record", ret );
+ return( ret );
}
- ssl->client_auth = 0;
- ssl->state++;
+ if( ssl->in_msgtype != SSL_MSG_HANDSHAKE )
+ {
+ SSL_DEBUG_MSG( 1, ( "bad certificate request message" ) );
+ return( POLARSSL_ERR_SSL_UNEXPECTED_MESSAGE );
+ }
- if( ssl->in_msg[0] == SSL_HS_CERTIFICATE_REQUEST )
- ssl->client_auth++;
+ ssl->state++;
+ ssl->client_auth = ( ssl->in_msg[0] == SSL_HS_CERTIFICATE_REQUEST );
SSL_DEBUG_MSG( 3, ( "got %s certificate request",
ssl->client_auth ? "a" : "no" ) );
if( ssl->client_auth == 0 )
+ {
+ /* Current message is probably the ServerHelloDone */
+ ssl->keep_current_message = 1;
goto exit;
-
- ssl->record_read = 0;
+ }
// TODO: handshake_failure alert for an anonymous server to request
// client authentication
@@ -2386,21 +2385,17 @@
SSL_DEBUG_MSG( 2, ( "=> parse server hello done" ) );
- if( ssl->record_read == 0 )
+ if( ( ret = ssl_read_record( ssl ) ) != 0 )
{
- if( ( ret = ssl_read_record( ssl ) ) != 0 )
- {
- SSL_DEBUG_RET( 1, "ssl_read_record", ret );
- return( ret );
- }
-
- if( ssl->in_msgtype != SSL_MSG_HANDSHAKE )
- {
- SSL_DEBUG_MSG( 1, ( "bad server hello done message" ) );
- return( POLARSSL_ERR_SSL_UNEXPECTED_MESSAGE );
- }
+ SSL_DEBUG_RET( 1, "ssl_read_record", ret );
+ return( ret );
}
- ssl->record_read = 0;
+
+ if( ssl->in_msgtype != SSL_MSG_HANDSHAKE )
+ {
+ SSL_DEBUG_MSG( 1, ( "bad server hello done message" ) );
+ return( POLARSSL_ERR_SSL_UNEXPECTED_MESSAGE );
+ }
if( ssl->in_hslen != 4 ||
ssl->in_msg[0] != SSL_HS_SERVER_HELLO_DONE )
diff --git a/library/ssl_tls.c b/library/ssl_tls.c
index 5779229..bae8433 100644
--- a/library/ssl_tls.c
+++ b/library/ssl_tls.c
@@ -2169,47 +2169,82 @@
SSL_DEBUG_MSG( 2, ( "=> read record" ) );
- if( ssl->in_hslen != 0 &&
- ssl->in_hslen < ssl->in_msglen )
+ if( ssl->keep_current_message == 1 )
{
- /*
- * Get next Handshake message in the current record
- */
- ssl->in_msglen -= ssl->in_hslen;
-
- memmove( ssl->in_msg, ssl->in_msg + ssl->in_hslen,
- ssl->in_msglen );
-
- ssl->in_hslen = 4;
- ssl->in_hslen += ( ssl->in_msg[2] << 8 ) | ssl->in_msg[3];
-
- SSL_DEBUG_MSG( 3, ( "handshake message: msglen ="
- " %d, type = %d, hslen = %d",
- ssl->in_msglen, ssl->in_msg[0], ssl->in_hslen ) );
-
- if( ssl->in_msglen < 4 || ssl->in_msg[1] != 0 )
- {
- SSL_DEBUG_MSG( 1, ( "bad handshake length" ) );
- return( POLARSSL_ERR_SSL_INVALID_RECORD );
- }
-
- if( ssl->in_msglen < ssl->in_hslen )
- {
- SSL_DEBUG_MSG( 1, ( "bad handshake length" ) );
- return( POLARSSL_ERR_SSL_INVALID_RECORD );
- }
-
- if( ssl->state != SSL_HANDSHAKE_OVER )
- ssl->handshake->update_checksum( ssl, ssl->in_msg, ssl->in_hslen );
+ SSL_DEBUG_MSG( 2, ( "reuse previously read message" ) );
+ SSL_DEBUG_MSG( 2, ( "<= read record" ) );
+ ssl->keep_current_message = 0;
return( 0 );
}
- ssl->in_hslen = 0;
+ if( ssl->in_hslen != 0 )
+ {
+ if( ssl->in_offt != NULL )
+ {
+ SSL_DEBUG_MSG( 1, ( "should never happen" ) );
+ return( POLARSSL_ERR_SSL_INTERNAL_ERROR );
+ }
+
+ /*
+ * Get next Handshake message in the current record
+ */
+
+ if( ssl->in_hslen < ssl->in_msglen )
+ {
+ ssl->in_msglen -= ssl->in_hslen;
+ memmove( ssl->in_msg, ssl->in_msg + ssl->in_hslen,
+ ssl->in_msglen );
+
+ ssl->in_hslen = 4;
+ ssl->in_hslen += ( ssl->in_msg[2] << 8 ) | ssl->in_msg[3];
+
+ SSL_DEBUG_MSG( 3, ( "handshake message: msglen ="
+ " %d, type = %d, hslen = %d",
+ ssl->in_msglen, ssl->in_msg[0], ssl->in_hslen ) );
+
+ if( ssl->in_msglen < 4 || ssl->in_msg[1] != 0 )
+ {
+ SSL_DEBUG_MSG( 1, ( "bad handshake length" ) );
+ return( POLARSSL_ERR_SSL_INVALID_RECORD );
+ }
+
+ if( ssl->in_msglen < ssl->in_hslen )
+ {
+ SSL_DEBUG_MSG( 1, ( "bad handshake length" ) );
+ return( POLARSSL_ERR_SSL_INVALID_RECORD );
+ }
+
+ if( ssl->state != SSL_HANDSHAKE_OVER )
+ ssl->handshake->update_checksum( ssl, ssl->in_msg, ssl->in_hslen );
+
+ return( 0 );
+ }
+
+ ssl->in_msglen = 0;
+ ssl->in_hslen = 0;
+ }
+ else if( ssl->in_offt != NULL )
+ {
+ return( 0 );
+ }
+ else
+ {
+ ssl->in_msglen = 0;
+ }
/*
- * Read the record header and validate it
+ * Fetch and decode new record if current one is fully consumed.
*/
+
+ if( ssl->in_msglen > 0 )
+ {
+ /* There's something left to be processed in the current record. */
+ return( 0 );
+ }
+
+ /* Need to fetch a new record */
+
read_record_header:
if( ( ret = ssl_fetch_input( ssl, 5 ) ) != 0 )
{
@@ -3750,7 +3785,7 @@
ssl->in_hslen = 0;
ssl->nb_zero = 0;
- ssl->record_read = 0;
+ ssl->keep_current_message = 0;
ssl->out_msg = ssl->out_ctr + 13;
ssl->out_msgtype = 0;
@@ -4642,13 +4677,15 @@
*/
int ssl_read( ssl_context *ssl, unsigned char *buf, size_t len )
{
- int ret, record_read = 0;
+ int ret;
size_t n;
SSL_DEBUG_MSG( 2, ( "=> read" ) );
#if defined(POLARSSL_SSL_RENEGOTIATION)
- if( ( ret = ssl_check_ctr_renegotiate( ssl ) ) != 0 )
+ ret = ssl_check_ctr_renegotiate( ssl );
+ if( ret != POLARSSL_ERR_SSL_WAITING_SERVER_HELLO_RENEGO &&
+ ret != 0 )
{
SSL_DEBUG_RET( 1, "ssl_check_ctr_renegotiate", ret );
return( ret );
@@ -4658,11 +4695,8 @@
if( ssl->state != SSL_HANDSHAKE_OVER )
{
ret = ssl_handshake( ssl );
- if( ret == POLARSSL_ERR_SSL_WAITING_SERVER_HELLO_RENEGO )
- {
- record_read = 1;
- }
- else if( ret != 0 )
+ if( ret != POLARSSL_ERR_SSL_WAITING_SERVER_HELLO_RENEGO &&
+ ret != 0 )
{
SSL_DEBUG_RET( 1, "ssl_handshake", ret );
return( ret );
@@ -4671,16 +4705,13 @@
if( ssl->in_offt == NULL )
{
- if( ! record_read )
+ if( ( ret = ssl_read_record( ssl ) ) != 0 )
{
- if( ( ret = ssl_read_record( ssl ) ) != 0 )
- {
- if( ret == POLARSSL_ERR_SSL_CONN_EOF )
- return( 0 );
+ if( ret == POLARSSL_ERR_SSL_CONN_EOF )
+ return( 0 );
- SSL_DEBUG_RET( 1, "ssl_read_record", ret );
- return( ret );
- }
+ SSL_DEBUG_RET( 1, "ssl_read_record", ret );
+ return( ret );
}
if( ssl->in_msglen == 0 &&
@@ -4754,21 +4785,15 @@
else
{
ret = ssl_start_renegotiation( ssl );
- if( ret == POLARSSL_ERR_SSL_WAITING_SERVER_HELLO_RENEGO )
- {
- record_read = 1;
- }
- else if( ret != 0 )
+ if( ret != POLARSSL_ERR_SSL_WAITING_SERVER_HELLO_RENEGO &&
+ ret != 0 )
{
SSL_DEBUG_RET( 1, "ssl_start_renegotiation", ret );
return( ret );
}
}
- /* If a non-handshake record was read during renego, fallthrough,
- * else tell the user they should call ssl_read() again */
- if( ! record_read )
- return( POLARSSL_ERR_NET_WANT_READ );
+ return( POLARSSL_ERR_NET_WANT_READ );
}
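Review bot: The explanatory comment on the renegotiation path was deleted without a replacement, so it is no longer stated why ssl_read() now always returns WANT_READ here even when a non-handshake record was read during the renegotiation. Suggest before the return: `/* Always ask the caller to retry: if a non-handshake record interrupted the renegotiation, the client keeps it (keep_current_message) and the next ssl_read() delivers it. */` The kept-record behaviour is grounded in the ssl_cli.c and ssl_read_record changes of this commit. The function continues outside the hunk.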
else if( ssl->renegotiation == SSL_RENEGOTIATION_PENDING )
{
@@ -4807,8 +4832,11 @@
ssl->in_msglen -= n;
if( ssl->in_msglen == 0 )
+ {
/* all bytes consumed */
ssl->in_offt = NULL;
+ ssl->keep_current_message = 0;
+ }
else
/* more data available */
ssl->in_offt += n;
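Review bot: Style: the `if` branch gained braces but the `else` still wraps a single statement under a comment with none, which is exactly the shape that later hides an accidentally unbraced second statement. Brace it for symmetry: `else { /* more data available */ ssl->in_offt += n; }`. The enclosing ssl_read body ends after this hunk.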
diff --git a/library/x509_crt.c b/library/x509_crt.c
index 16a29b5..0bf4dea 100644
--- a/library/x509_crt.c
+++ b/library/x509_crt.c
@@ -76,6 +76,10 @@
#endif /* !_WIN32 || EFIX64 || EFI32 */
#endif
+#if !defined(POLARSSL_X509_MIN_VERIFY_MD_ALG)
+#define POLARSSL_X509_MIN_VERIFY_MD_ALG POLARSSL_MD_SHA1
+#endif
+
/* Implementation that should never be optimized out by the compiler */
static void polarssl_zeroize( void *v, size_t n ) {
volatile unsigned char *p = v; while( n-- ) *p++ = 0;
@@ -1435,6 +1439,18 @@
return( (int) ( size - n ) );
}
+/*
+ * Check md_alg against profile
+ * Return 0 if md_alg acceptable for this profile, -1 otherwise
+ */
+static int x509_check_md_alg( md_type_t md_alg )
+{
+ if( md_alg >= POLARSSL_X509_MIN_VERIFY_MD_ALG )
+ return( 0 );
+
+ return( -1 );
+}
+
#if defined(POLARSSL_X509_CHECK_KEY_USAGE)
int x509_crt_check_key_usage( const x509_crt *crt, int usage )
{
@@ -1543,6 +1559,15 @@
#endif
/*
+ * Check if CRL is signed with a valid MD
+ */
+ if( x509_check_md_alg( crl_list->sig_md ) != 0 )
+ {
+ flags |= BADCRL_NOT_TRUSTED;
+ break;
+ }
+
+ /*
* Check if CRL is correctly signed by the trusted CA
*/
md_info = md_info_from_type( crl_list->sig_md );
@@ -1789,6 +1814,18 @@
*/
*flags |= BADCERT_NOT_TRUSTED;
+ /*
+ * Check if certificate is signed with a valid MD
+ */
+ if( x509_check_md_alg( child->sig_md ) != 0 )
+ {
+ *flags |= BADCERT_NOT_TRUSTED;
+ /*
+ * not signed with a valid MD, no need to check trust_ca
+ */
+ trust_ca = NULL;
+ }
+
md_info = md_info_from_type( child->sig_md );
if( md_info == NULL )
{
@@ -1926,6 +1963,12 @@
if( x509_time_future( &child->valid_from ) )
*flags |= BADCERT_FUTURE;
+ /*
+ * Check if certificate is signed with a valid MD
+ */
+ if( x509_check_md_alg( child->sig_md ) != 0 )
+ *flags |= BADCERT_NOT_TRUSTED;
+
md_info = md_info_from_type( child->sig_md );
if( md_info == NULL )
{
diff --git a/tests/suites/test_suite_rsa.data b/tests/suites/test_suite_rsa.data
index e4bc89e..57843e3 100644
--- a/tests/suites/test_suite_rsa.data
+++ b/tests/suites/test_suite_rsa.data
@@ -134,6 +134,10 @@
depends_on:POLARSSL_SHA512_C:POLARSSL_PKCS1_V15
rsa_pkcs1_verify:"59779fd2a39e56640c4fc1e67b60aeffcecd78aed7ad2bdfa464e93d04198d48466b8da7445f25bfa19db2844edd5c8f539cf772cc132b483169d390db28a43bc4ee0f038f6568ffc87447746cb72fefac2d6d90ee3143a915ac4688028805905a68eb8f8a96674b093c495eddd8704461eaa2b345efbb2ad6930acd8023f870":RSA_PKCS_V15:POLARSSL_MD_SHA512:1536:16:"a59d9b7269b102b7be684ec5e28db79992e6d3231e77c90b78960c2638b35ef6dbdac1ac59e7249d96d426e7f99397eabc6b8903fe1942da580322b98bafacd81bb911c29666f83886a2a2864f3552044300e60cedd5a8c321c43e280413dc41673c39a11b98a885486f8187a70f270185c4c12bc48a1968305269776c070ef69d4913589a887c4d0f5e7dd58bd806d0d49a14a1762c38665cef4646ff13a0cd29c3a60460703c3d051d5b28c660bffb5f8bd43d495ffa64175f72b8abe5fddd":16:"11":"0b4d96f411c727a262d6d0ade34195b78603551061917d060f89add47b09dfe8715f4f9147d327dc25e91fe457e5d1a2f22cd8fe6fe8e29d2060658307c87a40640650fef3d4b289a6c3febc5a100b29a8b56623afb29fd3c13ea372bf3c638c1db25f8bd8c74c821beec7b5affcace1d05d056a6c2d3035926c7a268df4751a54bc20a6b8cfd729a7cba309ae817daccbef9950a482cf23950a8ca1d3a13ddb7d8d0f87ad5587d4d9ebe19fe93457597a7bdd056c2fd4cea7d31e4a0e595a7b":0
+RSA PKCS1 Verify v1.5 padding too short
+depends_on:POLARSSL_SHA1_C:POLARSSL_PKCS1_V15
+rsa_pkcs1_verify:"AABBCC03020100FFFFFFFFFF1122330A0B0CCCDDDDDDDDDD":RSA_PKCS_V15:POLARSSL_MD_SHA1:1024:16:"9292758453063D803DD603D5E777D7888ED1D5BF35786190FA2F23EBC0848AEADDA92CA6C3D80B32C4D109BE0F36D6AE7130B9CED7ACDF54CFC7555AC14EEBAB93A89813FBF3C4F8066D2D800F7C38A81AE31942917403FF4946B0A83D3D3E05EE57C6F5F5606FB5D4BC6CD34EE0801A5E94BB77B07507233A0BC7BAC8F90F79":16:"10001":"6edd56f397d9bc6d176bbe3d80946fc352ad6127b85b1d67d849c0a38cbde7222c5fafbb18dcef791178a8e15f5c8cd91869f8ca4b758c46ce3e229bf666d2e3e296544351bcb5db7e0004f6c0800f76a432071297e405759d4324d1cf1c412758be93a39f834e03dee59e28ac571ce2b0b3c8fe639979f516223b54027340a5":POLARSSL_ERR_RSA_INVALID_PADDING
+
RSA PKCS1 Sign #1 (SHA512, 1536 bits RSA)
depends_on:POLARSSL_SHA512_C:POLARSSL_PKCS1_V15
rsa_pkcs1_sign:"59779fd2a39e56640c4fc1e67b60aeffcecd78aed7ad2bdfa464e93d04198d48466b8da7445f25bfa19db2844edd5c8f539cf772cc132b483169d390db28a43bc4ee0f038f6568ffc87447746cb72fefac2d6d90ee3143a915ac4688028805905a68eb8f8a96674b093c495eddd8704461eaa2b345efbb2ad6930acd8023f870":RSA_PKCS_V15:POLARSSL_MD_SHA512:1536:16:"c8c67df894c882045ede26a9008ab09ea0672077d7bc71d412511cd93981ddde8f91b967da404056c39f105f7f239abdaff92923859920f6299e82b95bd5b8c959948f4a035cbd693ad83014294d349813d1ad57911a6355d0731fe3a034e9db":16:"f15147d0e7c04a1e3f37adde802cdc610999bf7ab0088434aaeda0c0ab3910b14d2ce56cb66bffd97552195fae8b061077e03920814d8b9cfb5a3958b3a82c2a7fc97e55db5978b47a922156eb8a3e55c06a54a45d1670abdfb995489c4d0051":16:"bd429bb7c3b00bbea19ba664c0f8172d1a73c3cfa05e2ed656d570c1590918bb7e372ed25e2cd71395ba0a9b1a30f3ee012ffb0546cab8e3581fe3e23f44ab57a8aee9717e71a936a580fa8572d450fb00339a6f6704b717df0c149a465bab768c61500cd93b61113ff3e4389167f7b2c8e3c0da2d4765286bee555b0bcb4998f59b14fad03180a17c8b4f69bcd1234f4ae85950137665ac2ba80b55cc9b1aafb454b83771aa755acd2a00e93ddb65e696dbed8bdca69fb5e0c5c2097b9cfe4b":16:"3":"93b6fa99485c116ca6efdd4202ea1cf49f4c6345fae692584413743ce5b65510e8e4690aee9a19ea1ff10d57f22aa3548d839f28a8525a34354e9e58e0f3947e056ce2554e21bf287e220b98db3b551258cd42b495e5d1a3bbc83c9d1a02f2a300ef6d866ea75108e44ebb3e16b47df2f6de28feb2be3874dbbf21599451082d86e9f2f462575a8185c69aa1f1fcb6a363c5d71aeba2103449eaf3845285291148d5f78d1646b8dc95cbcc4082f987d948b0e7d4e80b60595f8a7517584e1643":0
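Review bot: The only negative vector added exercises the too-short padding string; the new header checks (`p != p0 + 2`) that reject long-form length encodings of the DigestInfo SEQUENCE, OID, NULL and OCTET STRING have no test at all. Since those checks are the stated Bleichenbacher/BERserk mitigation, a vector whose DigestInfo encodes one of these lengths in long form (e.g. a `30 81 xx` outer SEQUENCE) and expects POLARSSL_ERR_RSA_VERIFY_FAILED would pin the behaviour. Producing it needs the private half of the test key, which the sign cases in this suite already carry.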
diff --git a/tests/suites/test_suite_x509parse.data b/tests/suites/test_suite_x509parse.data
index 717cd6f..7920fc6 100644
--- a/tests/suites/test_suite_x509parse.data
+++ b/tests/suites/test_suite_x509parse.data
@@ -417,11 +417,11 @@
X509 Certificate verification #12 (Valid Cert MD4 Digest)
depends_on:POLARSSL_MD4_C:POLARSSL_PEM_PARSE_C:POLARSSL_SHA1_C:POLARSSL_RSA_C:POLARSSL_PKCS1_V15
-x509_verify:"data_files/cert_md4.crt":"data_files/test-ca.crt":"data_files/crl.pem":"NULL":0:0:"NULL"
+x509_verify:"data_files/cert_md4.crt":"data_files/test-ca.crt":"data_files/crl.pem":"NULL":POLARSSL_ERR_X509_CERT_VERIFY_FAILED:BADCERT_NOT_TRUSTED:"NULL"
X509 Certificate verification #13 (Valid Cert MD5 Digest)
depends_on:POLARSSL_MD5_C:POLARSSL_PEM_PARSE_C:POLARSSL_SHA1_C:POLARSSL_RSA_C:POLARSSL_PKCS1_V15
-x509_verify:"data_files/cert_md5.crt":"data_files/test-ca.crt":"data_files/crl.pem":"NULL":0:0:"NULL"
+x509_verify:"data_files/cert_md5.crt":"data_files/test-ca.crt":"data_files/crl.pem":"NULL":POLARSSL_ERR_X509_CERT_VERIFY_FAILED:BADCERT_NOT_TRUSTED:"NULL"
X509 Certificate verification #14 (Valid Cert SHA1 Digest)
depends_on:POLARSSL_SHA1_C:POLARSSL_PEM_PARSE_C:POLARSSL_SHA1_C:POLARSSL_RSA_C:POLARSSL_PKCS1_V15
@@ -723,6 +723,14 @@
depends_on:POLARSSL_PEM_PARSE_C:POLARSSL_ECP_C:POLARSSL_ECP_DP_SECP256R1_ENABLED:POLARSSL_ECP_DP_SECP384R1_ENABLED:POLARSSL_SHA1_C:POLARSSL_SHA256_C
x509_verify:"data_files/server5.crt":"data_files/test-ca2_cat-past-invalid.crt":"data_files/crl-ec-sha1.pem":"NULL":POLARSSL_ERR_X509_CERT_VERIFY_FAILED:BADCERT_EXPIRED:"NULL"
+X509 Certificate verification #88 (MD4 CRL)
+depends_on:POLARSSL_SHA256_C:POLARSSL_PEM_PARSE_C:POLARSSL_SHA1_C:POLARSSL_RSA_C:POLARSSL_PKCS1_V15
+x509_verify:"data_files/cert_sha256.crt":"data_files/test-ca.crt":"data_files/crl_md4.pem":"NULL":POLARSSL_ERR_X509_CERT_VERIFY_FAILED:BADCRL_NOT_TRUSTED:"NULL"
+
+X509 Certificate verification #89 (MD5 CRL)
+depends_on:POLARSSL_SHA256_C:POLARSSL_PEM_PARSE_C:POLARSSL_SHA1_C:POLARSSL_RSA_C:POLARSSL_PKCS1_V15
+x509_verify:"data_files/cert_sha256.crt":"data_files/test-ca.crt":"data_files/crl_md5.pem":"NULL":POLARSSL_ERR_X509_CERT_VERIFY_FAILED:BADCRL_NOT_TRUSTED:"NULL"
+
X509 Certificate verification callback: trusted EE cert
depends_on:POLARSSL_PEM_PARSE_C:POLARSSL_ECDSA_C:POLARSSL_SHA256_C:POLARSSL_ECP_DP_SECP256R1_ENABLED
x509_verify_callback:"data_files/server5-selfsigned.crt":"data_files/server5-selfsigned.crt":0:"depth 0 - serial 53\:A2\:CB\:4B\:12\:4E\:AD\:83\:7D\:A8\:94\:B2 - subject CN=selfsigned, OU=testing, O=PolarSSL, C=NL\n"