Merge pull request #7806 from paul-elliott-arm/fix_32bit_builds
[Bignum] Fix 32 bit unreachable code build failure
diff --git a/include/mbedtls/x509.h b/include/mbedtls/x509.h
index df6d762..b7da185 100644
--- a/include/mbedtls/x509.h
+++ b/include/mbedtls/x509.h
@@ -500,6 +500,23 @@
int mbedtls_x509_info_key_usage(char **buf, size_t *size,
unsigned int key_usage);
+/**
+ * \brief This function parses a CN string as an IP address.
+ *
+ * \param cn The CN string to parse. CN string MUST be null-terminated.
+ * \param dst The target buffer to populate with the binary IP address.
+ * The buffer MUST be 16 bytes to save IPv6, and should be
+ * 4-byte aligned if the result will be used as struct in_addr.
+ * e.g. uint32_t dst[4]
+ *
+ * \note \p cn is parsed as an IPv6 address if string contains ':',
+ * else \p cn is parsed as an IPv4 address.
+ *
+ * \return Length of binary IP address; num bytes written to target.
+ * \return \c 0 on failure to parse CN string as an IP address.
+ */
+size_t mbedtls_x509_crt_parse_cn_inet_pton(const char *cn, void *dst);
+
#define MBEDTLS_X509_SAFE_SNPRINTF \
do { \
if (ret < 0 || (size_t) ret >= n) \
diff --git a/library/psa_crypto_ffdh.h b/library/psa_crypto_ffdh.h
index 5d7d951..5298f5a 100644
--- a/library/psa_crypto_ffdh.h
+++ b/library/psa_crypto_ffdh.h
@@ -47,8 +47,8 @@
* \retval #PSA_ERROR_INVALID_ARGUMENT
* \p key_buffer_size, \p peer_key_length, \p shared_secret_size
* do not match
- * \retval #PSA_ERROR_INSUFFICIENT_MEMORY
- * \retval #PSA_ERROR_CORRUPTION_DETECTED
+ * \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription
+ * \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription
*/
psa_status_t mbedtls_psa_key_agreement_ffdh(
const psa_key_attributes_t *attributes,
@@ -73,9 +73,9 @@
* \retval #PSA_SUCCESS The public key was exported successfully.
* \retval #PSA_ERROR_BUFFER_TOO_SMALL
* The size of \p key_buffer is too small.
- * \retval #PSA_ERROR_NOT_PERMITTED
- * \retval #PSA_ERROR_INSUFFICIENT_MEMORY
- * \retval #PSA_ERROR_CORRUPTION_DETECTED
+ * \retval #PSA_ERROR_NOT_PERMITTED \emptydescription
+ * \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription
+ * \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription
*/
psa_status_t mbedtls_psa_export_ffdh_public_key(
const psa_key_attributes_t *attributes,
@@ -103,8 +103,8 @@
* Key size in bits is invalid.
* \retval #PSA_ERROR_BUFFER_TOO_SMALL
* The size of \p key_buffer is too small.
- * \retval #PSA_ERROR_INSUFFICIENT_MEMORY
- * \retval #PSA_ERROR_CORRUPTION_DETECTED
+ * \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription
+ * \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription
*/
psa_status_t mbedtls_psa_ffdh_generate_key(
const psa_key_attributes_t *attributes,
diff --git a/library/psa_crypto_pake.h b/library/psa_crypto_pake.h
index 001c987..f21b0e6 100644
--- a/library/psa_crypto_pake.h
+++ b/library/psa_crypto_pake.h
@@ -43,8 +43,8 @@
* compatible with the PAKE algorithm, or the hash algorithm in
* \p cipher_suite is not supported or not compatible with the PAKE
* algorithm and primitive.
- * \retval #PSA_ERROR_INSUFFICIENT_MEMORY
- * \retval #PSA_ERROR_CORRUPTION_DETECTED
+ * \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription
+ * \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription
*/
psa_status_t mbedtls_psa_pake_setup(mbedtls_psa_pake_operation_t *operation,
const psa_crypto_driver_pake_inputs_t *inputs);
@@ -78,10 +78,10 @@
* Success.
* \retval #PSA_ERROR_BUFFER_TOO_SMALL
* The size of the \p output buffer is too small.
- * \retval #PSA_ERROR_INSUFFICIENT_ENTROPY
- * \retval #PSA_ERROR_CORRUPTION_DETECTED
- * \retval #PSA_ERROR_DATA_CORRUPT
- * \retval #PSA_ERROR_DATA_INVALID
+ * \retval #PSA_ERROR_INSUFFICIENT_ENTROPY \emptydescription
+ * \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription
+ * \retval #PSA_ERROR_DATA_CORRUPT \emptydescription
+ * \retval #PSA_ERROR_DATA_INVALID \emptydescription
*/
psa_status_t mbedtls_psa_pake_output(mbedtls_psa_pake_operation_t *operation,
psa_crypto_driver_pake_step_t step,
@@ -116,10 +116,10 @@
* \retval #PSA_ERROR_NOT_SUPPORTED
* the \p input is not supported for the \p operation's algorithm, cipher
* suite or \p step.
- * \retval #PSA_ERROR_INSUFFICIENT_MEMORY
- * \retval #PSA_ERROR_CORRUPTION_DETECTED
- * \retval #PSA_ERROR_DATA_CORRUPT
- * \retval #PSA_ERROR_DATA_INVALID
+ * \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription
+ * \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription
+ * \retval #PSA_ERROR_DATA_CORRUPT \emptydescription
+ * \retval #PSA_ERROR_DATA_INVALID \emptydescription
*/
psa_status_t mbedtls_psa_pake_input(mbedtls_psa_pake_operation_t *operation,
psa_crypto_driver_pake_step_t step,
@@ -143,10 +143,10 @@
* \retval #PSA_ERROR_NOT_SUPPORTED
* Input from a PAKE is not supported by the algorithm in the \p output
* key derivation operation.
- * \retval #PSA_ERROR_INSUFFICIENT_MEMORY
- * \retval #PSA_ERROR_CORRUPTION_DETECTED
- * \retval #PSA_ERROR_DATA_CORRUPT
- * \retval #PSA_ERROR_DATA_INVALID
+ * \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription
+ * \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription
+ * \retval #PSA_ERROR_DATA_CORRUPT \emptydescription
+ * \retval #PSA_ERROR_DATA_INVALID \emptydescription
*/
psa_status_t mbedtls_psa_pake_get_implicit_key(
mbedtls_psa_pake_operation_t *operation,
@@ -164,7 +164,7 @@
*
* \retval #PSA_SUCCESS
* Success.
- * \retval #PSA_ERROR_CORRUPTION_DETECTED
+ * \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription
*/
psa_status_t mbedtls_psa_pake_abort(mbedtls_psa_pake_operation_t *operation);
diff --git a/library/x509_crt.c b/library/x509_crt.c
index 9b3414a..380b1fd 100644
--- a/library/x509_crt.c
+++ b/library/x509_crt.c
@@ -49,7 +49,6 @@
#include "mbedtls/psa_util.h"
#include "md_psa.h"
#endif /* MBEDTLS_USE_PSA_CRYPTO */
-#include "x509_invasive.h"
#include "pk_internal.h"
#include "mbedtls/platform.h"
@@ -2862,7 +2861,6 @@
#endif /* !AF_INET6 || MBEDTLS_TEST_SW_INET_PTON */ //no-check-names
-MBEDTLS_STATIC_TESTABLE
size_t mbedtls_x509_crt_parse_cn_inet_pton(const char *cn, void *dst)
{
return strchr(cn, ':') == NULL
diff --git a/library/x509_invasive.h b/library/x509_invasive.h
deleted file mode 100644
index d8fd74b..0000000
--- a/library/x509_invasive.h
+++ /dev/null
@@ -1,53 +0,0 @@
-/**
- * \file x509_invasive.h
- *
- * \brief x509 module: interfaces for invasive testing only.
- *
- * The interfaces in this file are intended for testing purposes only.
- * They SHOULD NOT be made available in library integrations except when
- * building the library for testing.
- */
-/*
- * Copyright The Mbed TLS Contributors
- * SPDX-License-Identifier: Apache-2.0
- *
- * Licensed under the Apache License, Version 2.0 (the "License"); you may
- * not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
- * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-
-#ifndef MBEDTLS_X509_INVASIVE_H
-#define MBEDTLS_X509_INVASIVE_H
-
-#include "common.h"
-
-#if defined(MBEDTLS_TEST_HOOKS)
-
-/**
- * \brief This function parses a CN string as an IP address.
- *
- * \param cn The CN string to parse. CN string MUST be NUL-terminated.
- * \param dst The target buffer to populate with the binary IP address.
- * The buffer MUST be 16 bytes to save IPv6, and should be
- * 4-byte aligned if the result will be used as struct in_addr.
- * e.g. uint32_t dst[4]
- *
- * \note \cn is parsed as an IPv6 address if string contains ':',
- * else \cn is parsed as an IPv4 address.
- *
- * \return Length of binary IP address; num bytes written to target.
- * \return \c 0 on failure to parse CN string as an IP address.
- */
-size_t mbedtls_x509_crt_parse_cn_inet_pton(const char *cn, void *dst);
-
-#endif /* MBEDTLS_TEST_HOOKS */
-
-#endif /* MBEDTLS_X509_INVASIVE_H */
diff --git a/programs/x509/cert_req.c b/programs/x509/cert_req.c
index fe060f3..23e816b 100644
--- a/programs/x509/cert_req.c
+++ b/programs/x509/cert_req.c
@@ -116,18 +116,6 @@
mbedtls_md_type_t md_alg; /* Hash algorithm used for signature. */
} opt;
-static void ip_string_to_bytes(const char *str, uint8_t *bytes, int maxBytes)
-{
- for (int i = 0; i < maxBytes; i++) {
- bytes[i] = (uint8_t) strtoul(str, NULL, 10);
- str = strchr(str, '.');
- if (str == NULL || *str == '\0') {
- break;
- }
- str++;
- }
-}
-
int write_certificate_request(mbedtls_x509write_csr *req, const char *output_file,
int (*f_rng)(void *, unsigned char *, size_t),
void *p_rng)
@@ -165,13 +153,15 @@
mbedtls_pk_context key;
char buf[1024];
int i;
- char *p, *q, *r, *r2;
+ char *p, *q, *r, *subtype_value;
mbedtls_x509write_csr req;
mbedtls_entropy_context entropy;
mbedtls_ctr_drbg_context ctr_drbg;
const char *pers = "csr example app";
mbedtls_x509_san_list *cur, *prev;
-
+#if defined(MBEDTLS_X509_CRT_PARSE_C)
+ uint8_t ip[4] = { 0 };
+#endif
/*
* Set to sane values
*/
@@ -231,8 +221,6 @@
prev = NULL;
while (q != NULL) {
- uint8_t ip[4] = { 0 };
-
if ((r = strchr(q, ';')) != NULL) {
*r++ = '\0';
}
@@ -245,8 +233,8 @@
cur->next = NULL;
- if ((r2 = strchr(q, ':')) != NULL) {
- *r2++ = '\0';
+ if ((subtype_value = strchr(q, ':')) != NULL) {
+ *subtype_value++ = '\0';
}
if (strcmp(q, "URI") == 0) {
@@ -254,18 +242,31 @@
} else if (strcmp(q, "DNS") == 0) {
cur->node.type = MBEDTLS_X509_SAN_DNS_NAME;
} else if (strcmp(q, "IP") == 0) {
+#if defined(MBEDTLS_X509_CRT_PARSE_C)
+ size_t ip_len = 0;
cur->node.type = MBEDTLS_X509_SAN_IP_ADDRESS;
- ip_string_to_bytes(r2, ip, 4);
+ ip_len = mbedtls_x509_crt_parse_cn_inet_pton(subtype_value, ip);
+ if (ip_len == 0) {
+ mbedtls_printf("mbedtls_x509_crt_parse_cn_inet_pton failed to parse %s\n",
+ subtype_value);
+ goto exit;
+ }
+#else
+ mbedtls_printf("IP SAN parsing requires MBEDTLS_X509_CRT_PARSE_C to be defined");
+ goto exit;
+#endif
} else {
mbedtls_free(cur);
goto usage;
}
if (strcmp(q, "IP") == 0) {
+#if defined(MBEDTLS_X509_CRT_PARSE_C)
cur->node.san.unstructured_name.p = (unsigned char *) ip;
cur->node.san.unstructured_name.len = sizeof(ip);
+#endif
} else {
- q = r2;
+ q = subtype_value;
cur->node.san.unstructured_name.p = (unsigned char *) q;
cur->node.san.unstructured_name.len = strlen(q);
}
diff --git a/programs/x509/cert_write.c b/programs/x509/cert_write.c
index e4f8886..e58f528 100644
--- a/programs/x509/cert_write.c
+++ b/programs/x509/cert_write.c
@@ -216,18 +216,6 @@
int format; /* format */
} opt;
-static void ip_string_to_bytes(const char *str, uint8_t *bytes, int maxBytes)
-{
- for (int i = 0; i < maxBytes; i++) {
- bytes[i] = (uint8_t) strtoul(str, NULL, 10);
- str = strchr(str, '.');
- if (str == NULL || *str == '\0') {
- break;
- }
- str++;
- }
-}
-
int write_certificate(mbedtls_x509write_cert *crt, const char *output_file,
int (*f_rng)(void *, unsigned char *, size_t),
void *p_rng)
@@ -601,8 +589,14 @@
} else if (strcmp(q, "DNS") == 0) {
cur->node.type = MBEDTLS_X509_SAN_DNS_NAME;
} else if (strcmp(q, "IP") == 0) {
+ size_t ip_len = 0;
cur->node.type = MBEDTLS_X509_SAN_IP_ADDRESS;
- ip_string_to_bytes(subtype_value, ip, 4);
+ ip_len = mbedtls_x509_crt_parse_cn_inet_pton(subtype_value, ip);
+ if (ip_len == 0) {
+ mbedtls_printf("mbedtls_x509_crt_parse_cn_inet_pton failed to parse %s\n",
+ subtype_value);
+ goto exit;
+ }
cur->node.san.unstructured_name.p = (unsigned char *) ip;
cur->node.san.unstructured_name.len = sizeof(ip);
} else if (strcmp(q, "DN") == 0) {
@@ -625,8 +619,9 @@
if (cur->node.type == MBEDTLS_X509_SAN_RFC822_NAME ||
cur->node.type == MBEDTLS_X509_SAN_UNIFORM_RESOURCE_IDENTIFIER ||
cur->node.type == MBEDTLS_X509_SAN_DNS_NAME) {
- cur->node.san.unstructured_name.p = (unsigned char *) subtype_value;
- cur->node.san.unstructured_name.len = strlen(subtype_value);
+ q = subtype_value;
+ cur->node.san.unstructured_name.p = (unsigned char *) q;
+ cur->node.san.unstructured_name.len = strlen(q);
}
if (prev == NULL) {
diff --git a/tests/suites/test_suite_x509parse.function b/tests/suites/test_suite_x509parse.function
index c936443..101b80d 100644
--- a/tests/suites/test_suite_x509parse.function
+++ b/tests/suites/test_suite_x509parse.function
@@ -11,8 +11,6 @@
#include "mbedtls/pk.h"
#include "string.h"
-#include "x509_invasive.h"
-
#if MBEDTLS_X509_MAX_INTERMEDIATE_CA > 19
#error "The value of MBEDTLS_X509_MAX_INTERMEDIATE_C is larger \
than the current threshold 19. To test larger values, please \