Adjust test case with invalid base64 Now that Base64 validates the number of trailing equals, adjust the PEM test case that has a Base64 payload with a wrong number of trailing equals, where `mbedtls_pem_read_buffer()` now returns a different error code. I'm not sure what the exact intent of the test was, so add a variant with trailing equals as well. Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>

commit: 55d211388af1f5717f971d23e09837b93469c54d [log] [tgz]
author: Gilles Peskine <Gilles.Peskine@arm.com> Tue Jun 10 09:42:03 2025 +0200
committer: Gilles Peskine <Gilles.Peskine@arm.com> Tue Jun 10 09:42:03 2025 +0200
tree: 3bce9f578478aa78cf1c83f7526ed8264d68bfbd
parent: 13cc0c2122acdcbf9309ef0762c891b4a86c640b [diff]
diff --git a/tests/suites/test_suite_pem.data b/tests/suites/test_suite_pem.data
index 1df9645..11c54b7 100644
--- a/tests/suites/test_suite_pem.data
+++ b/tests/suites/test_suite_pem.data

@@ -49,13 +49,21 @@
 depends_on:MBEDTLS_MD_CAN_MD5:MBEDTLS_DES_C:MBEDTLS_CIPHER_MODE_CBC
 mbedtls_pem_read_buffer:"-----BEGIN EC PRIVATE KEY-----":"-----END EC PRIVATE KEY-----":"-----BEGIN EC PRIVATE KEY-----\nProc-Type\: 4,ENCRYPTED\nDEK-Info\: DES-EDE3-CBC,AA94892A169FA426\n\nMAAA\n-----END EC PRIVATE KEY-----":"pwd":MBEDTLS_ERR_DES_INVALID_INPUT_LENGTH:""
 
-PEM read (malformed PEM AES-128-CBC)
+PEM read (malformed PEM AES-128-CBC: 3-byte ciphertext)
 depends_on:MBEDTLS_MD_CAN_MD5:MBEDTLS_AES_C:MBEDTLS_CIPHER_MODE_CBC
 mbedtls_pem_read_buffer:"-----BEGIN EC PRIVATE KEY-----":"-----END EC PRIVATE KEY-----":"-----BEGIN EC PRIVATE KEY-----\nProc-Type\: 4,ENCRYPTED\nDEK-Info\: AES-128-CBC,AA94892A169FA426AA94892A169FA426\n\nMAAA\n-----END EC PRIVATE KEY-----":"pwd":MBEDTLS_ERR_AES_INVALID_INPUT_LENGTH:""
 
-PEM read (malformed PEM AES-128-CBC with fewer than 4 base64 chars)
+PEM read (malformed PEM AES-128-CBC: 1-byte ciphertext)
 depends_on:MBEDTLS_MD_CAN_MD5:MBEDTLS_AES_C:MBEDTLS_CIPHER_MODE_CBC
-mbedtls_pem_read_buffer:"-----BEGIN EC PRIVATE KEY-----":"-----END EC PRIVATE KEY-----":"-----BEGIN EC PRIVATE KEY-----\nProc-Type\: 4,ENCRYPTED\nDEK-Info\: AES-128-CBC,7BA38DE00F67851E4207216809C3BB15\n\n8Q-----END EC PRIVATE KEY-----":"pwd":MBEDTLS_ERR_PEM_INVALID_DATA:""
+mbedtls_pem_read_buffer:"-----BEGIN EC PRIVATE KEY-----":"-----END EC PRIVATE KEY-----":"-----BEGIN EC PRIVATE KEY-----\nProc-Type\: 4,ENCRYPTED\nDEK-Info\: AES-128-CBC,7BA38DE00F67851E4207216809C3BB15\n\n8Q==-----END EC PRIVATE KEY-----":"pwd":MBEDTLS_ERR_AES_INVALID_INPUT_LENGTH:""
+
+PEM read (malformed PEM AES-128-CBC: empty ciphertext)
+depends_on:MBEDTLS_MD_CAN_MD5:MBEDTLS_AES_C:MBEDTLS_CIPHER_MODE_CBC
+mbedtls_pem_read_buffer:"-----BEGIN EC PRIVATE KEY-----":"-----END EC PRIVATE KEY-----":"-----BEGIN EC PRIVATE KEY-----\nProc-Type\: 4,ENCRYPTED\nDEK-Info\: AES-128-CBC,7BA38DE00F67851E4207216809C3BB15\n\n-----END EC PRIVATE KEY-----":"pwd":MBEDTLS_ERR_PEM_BAD_INPUT_DATA:""
+
+PEM read (malformed PEM AES-128-CBC: base64 with missing equals)
+depends_on:MBEDTLS_MD_CAN_MD5:MBEDTLS_AES_C:MBEDTLS_CIPHER_MODE_CBC
+mbedtls_pem_read_buffer:"-----BEGIN EC PRIVATE KEY-----":"-----END EC PRIVATE KEY-----":"-----BEGIN EC PRIVATE KEY-----\nProc-Type\: 4,ENCRYPTED\nDEK-Info\: AES-128-CBC,7BA38DE00F67851E4207216809C3BB15\n\n8Q-----END EC PRIVATE KEY-----":"pwd":MBEDTLS_ERR_PEM_INVALID_DATA + MBEDTLS_ERR_BASE64_INVALID_CHARACTER:""
 
 # The output sequence's length is not multiple of block size (16 bytes). This
 # proves that the pem_context->len value is properly updated based on the SEQUENCE

diff --git a/tests/suites/test_suite_pem.function b/tests/suites/test_suite_pem.function
index 091cbd1..342ca52 100644
--- a/tests/suites/test_suite_pem.function
+++ b/tests/suites/test_suite_pem.function

@@ -15,16 +15,16 @@
 
 
     ret = mbedtls_pem_write_buffer(start, end, buf->x, buf->len, NULL, 0, &olen);
-    TEST_ASSERT(ret == MBEDTLS_ERR_BASE64_BUFFER_TOO_SMALL);
+    TEST_EQUAL(ret, MBEDTLS_ERR_BASE64_BUFFER_TOO_SMALL);
 
     check_buf = (unsigned char *) mbedtls_calloc(1, olen);
     TEST_ASSERT(check_buf != NULL);
 
     ret = mbedtls_pem_write_buffer(start, end, buf->x, buf->len, check_buf, olen, &olen2);
 
-    TEST_ASSERT(olen2 <= olen);
-    TEST_ASSERT(olen > strlen((char *) result_str));
-    TEST_ASSERT(ret == 0);
+    TEST_LE_U(olen2, olen);
+    TEST_LE_U(strlen((char *) result_str) + 1, olen);
+    TEST_EQUAL(ret, 0);
     TEST_ASSERT(strncmp((char *) check_buf, (char *) result_str, olen) == 0);
 
 exit:
@@ -76,15 +76,14 @@
 
     ret = mbedtls_pem_read_buffer(&ctx, header, footer, (unsigned char *) data,
                                   (unsigned char *) pwd, pwd_len, &use_len);
-    TEST_ASSERT(ret == res);
+    TEST_EQUAL(ret, res);
     if (ret != 0) {
         goto exit;
     }
 
     use_len = 0;
     buf = mbedtls_pem_get_buffer(&ctx, &use_len);
-    TEST_EQUAL(use_len, out->len);
-    TEST_ASSERT(memcmp(out->x, buf, out->len) == 0);
+    TEST_MEMORY_COMPARE(out->x, out->len, buf, use_len);
 
 exit:
     mbedtls_pem_free(&ctx);
commit	55d211388af1f5717f971d23e09837b93469c54d	[log] [tgz]
author	Gilles Peskine <Gilles.Peskine@arm.com>	Tue Jun 10 09:42:03 2025 +0200
committer	Gilles Peskine <Gilles.Peskine@arm.com>	Tue Jun 10 09:42:03 2025 +0200
tree	3bce9f578478aa78cf1c83f7526ed8264d68bfbd
parent	13cc0c2122acdcbf9309ef0762c891b4a86c640b [diff]