diff --git a/tests/suites/test_suite_ssl.function b/tests/suites/test_suite_ssl.function index d832853ee..5042d9fc3 100644 --- a/tests/suites/test_suite_ssl.function +++ b/tests/suites/test_suite_ssl.function @@ -797,9 +797,9 @@ int mbedtls_mock_tcp_recv_msg( void *ctx, unsigned char *buf, size_t buf_len ) */ typedef struct mbedtls_endpoint_certificate { - mbedtls_x509_crt ca_cert; - mbedtls_x509_crt cert; - mbedtls_pk_context pkey; + mbedtls_x509_crt* ca_cert; + mbedtls_x509_crt* cert; + mbedtls_pk_context* pkey; } mbedtls_endpoint_certificate; /* @@ -814,6 +814,42 @@ typedef struct mbedtls_endpoint mbedtls_endpoint_certificate cert; } mbedtls_endpoint; +/* + * Deinitializes certificates from endpoint represented by \p ep. + */ +void mbedtls_endpoint_certificate_free( mbedtls_endpoint *ep ) +{ + mbedtls_endpoint_certificate *cert = &( ep->cert ); + if( cert != NULL ) + { + if( cert->ca_cert != NULL ) + { + mbedtls_x509_crt_free( cert->ca_cert ); + mbedtls_free( cert->ca_cert ); + cert->ca_cert = NULL; + } + if( cert->cert != NULL ) + { + mbedtls_x509_crt_free( cert->cert ); + mbedtls_free( cert->cert ); + cert->cert = NULL; + } + if( cert->pkey != NULL ) + { +#if defined(MBEDTLS_USE_PSA_CRYPTO) + if( mbedtls_pk_get_type( cert->pkey ) == MBEDTLS_PK_OPAQUE ) + { + mbedtls_svc_key_id_t *key_slot = cert->pkey->pk_ctx; + psa_destroy_key( *key_slot ); + } +#endif + mbedtls_pk_free( cert->pkey ); + mbedtls_free( cert->pkey ); + cert->pkey = NULL; + } + } +} + /* * Initializes \p ep_cert structure and assigns it to endpoint * represented by \p ep. @@ -826,7 +862,7 @@ int mbedtls_endpoint_certificate_init( mbedtls_endpoint *ep, int pk_alg, { int i = 0; int ret = -1; - mbedtls_endpoint_certificate *cert; + mbedtls_endpoint_certificate *cert = NULL; #if defined(MBEDTLS_USE_PSA_CRYPTO) mbedtls_svc_key_id_t key_slot = MBEDTLS_SVC_KEY_ID_INIT; #endif @@ -837,15 +873,19 @@ int mbedtls_endpoint_certificate_init( mbedtls_endpoint *ep, int pk_alg, } cert = &( ep->cert ); - mbedtls_x509_crt_init( &( cert->ca_cert ) ); - mbedtls_x509_crt_init( &( cert->cert ) ); - mbedtls_pk_init( &( cert->pkey ) ); + cert->ca_cert = mbedtls_calloc( 1, sizeof(mbedtls_x509_crt) ); + cert->cert = mbedtls_calloc( 1, sizeof(mbedtls_x509_crt) ); + cert->pkey = mbedtls_calloc( 1, sizeof(mbedtls_pk_context) ); + + mbedtls_x509_crt_init( cert->ca_cert ); + mbedtls_x509_crt_init( cert->cert ); + mbedtls_pk_init( cert->pkey ); /* Load the trusted CA */ for( i = 0; mbedtls_test_cas_der[i] != NULL; i++ ) { - ret = mbedtls_x509_crt_parse_der( &( cert->ca_cert ), + ret = mbedtls_x509_crt_parse_der( cert->ca_cert, (const unsigned char *) mbedtls_test_cas_der[i], mbedtls_test_cas_der_len[i] ); TEST_ASSERT( ret == 0 ); @@ -857,12 +897,12 @@ int mbedtls_endpoint_certificate_init( mbedtls_endpoint *ep, int pk_alg, { if( pk_alg == MBEDTLS_PK_RSA ) { - ret = mbedtls_x509_crt_parse( &( cert->cert ), + ret = mbedtls_x509_crt_parse( cert->cert, (const unsigned char*) mbedtls_test_srv_crt_rsa_sha256_der, mbedtls_test_srv_crt_rsa_sha256_der_len ); TEST_ASSERT( ret == 0 ); - ret = mbedtls_pk_parse_key( &( cert->pkey ), + ret = mbedtls_pk_parse_key( cert->pkey, (const unsigned char*) mbedtls_test_srv_key_rsa_der, mbedtls_test_srv_key_rsa_der_len, NULL, 0, mbedtls_test_rnd_std_rand, NULL ); @@ -870,12 +910,12 @@ int mbedtls_endpoint_certificate_init( mbedtls_endpoint *ep, int pk_alg, } else { - ret = mbedtls_x509_crt_parse( &( cert->cert ), + ret = mbedtls_x509_crt_parse( cert->cert, (const unsigned char*) mbedtls_test_srv_crt_ec_der, mbedtls_test_srv_crt_ec_der_len ); TEST_ASSERT( ret == 0 ); - ret = mbedtls_pk_parse_key( &( cert->pkey ), + ret = mbedtls_pk_parse_key( cert->pkey, (const unsigned char*) mbedtls_test_srv_key_ec_der, mbedtls_test_srv_key_ec_der_len, NULL, 0, mbedtls_test_rnd_std_rand, NULL ); @@ -886,12 +926,12 @@ int mbedtls_endpoint_certificate_init( mbedtls_endpoint *ep, int pk_alg, { if( pk_alg == MBEDTLS_PK_RSA ) { - ret = mbedtls_x509_crt_parse( &( cert->cert ), + ret = mbedtls_x509_crt_parse( cert->cert, (const unsigned char *) mbedtls_test_cli_crt_rsa_der, mbedtls_test_cli_crt_rsa_der_len ); TEST_ASSERT( ret == 0 ); - ret = mbedtls_pk_parse_key( &( cert->pkey ), + ret = mbedtls_pk_parse_key( cert->pkey, (const unsigned char *) mbedtls_test_cli_key_rsa_der, mbedtls_test_cli_key_rsa_der_len, NULL, 0, mbedtls_test_rnd_std_rand, NULL ); @@ -899,12 +939,12 @@ int mbedtls_endpoint_certificate_init( mbedtls_endpoint *ep, int pk_alg, } else { - ret = mbedtls_x509_crt_parse( &( cert->cert ), + ret = mbedtls_x509_crt_parse( cert->cert, (const unsigned char *) mbedtls_test_cli_crt_ec_der, mbedtls_test_cli_crt_ec_len ); TEST_ASSERT( ret == 0 ); - ret = mbedtls_pk_parse_key( &( cert->pkey ), + ret = mbedtls_pk_parse_key( cert->pkey, (const unsigned char *) mbedtls_test_cli_key_ec_der, mbedtls_test_cli_key_ec_der_len, NULL, 0, mbedtls_test_rnd_std_rand, NULL ); @@ -915,7 +955,7 @@ int mbedtls_endpoint_certificate_init( mbedtls_endpoint *ep, int pk_alg, #if defined(MBEDTLS_USE_PSA_CRYPTO) if( opaque_alg != 0 ) { - TEST_EQUAL( mbedtls_pk_wrap_as_opaque( &( cert->pkey ), &key_slot, + TEST_EQUAL( mbedtls_pk_wrap_as_opaque( cert->pkey, &key_slot, opaque_alg, opaque_usage, opaque_alg2 ), 0 ); } @@ -925,10 +965,10 @@ int mbedtls_endpoint_certificate_init( mbedtls_endpoint *ep, int pk_alg, (void) opaque_usage; #endif - mbedtls_ssl_conf_ca_chain( &( ep->conf ), &( cert->ca_cert ), NULL ); + mbedtls_ssl_conf_ca_chain( &( ep->conf ), cert->ca_cert, NULL ); - ret = mbedtls_ssl_conf_own_cert( &( ep->conf ), &( cert->cert ), - &( cert->pkey ) ); + ret = mbedtls_ssl_conf_own_cert( &( ep->conf ), cert->cert, + cert->pkey ); TEST_ASSERT( ret == 0 ); TEST_ASSERT( ep->conf.key_cert != NULL ); @@ -936,20 +976,14 @@ int mbedtls_endpoint_certificate_init( mbedtls_endpoint *ep, int pk_alg, TEST_ASSERT( ret == 0 ); TEST_ASSERT( ep->conf.key_cert == NULL ); - ret = mbedtls_ssl_conf_own_cert( &( ep->conf ), &( cert->cert ), - &( cert->pkey ) ); + ret = mbedtls_ssl_conf_own_cert( &( ep->conf ), cert->cert, + cert->pkey ); TEST_ASSERT( ret == 0 ); exit: if( ret != 0 ) { - mbedtls_x509_crt_free( &( cert->ca_cert ) ); - mbedtls_x509_crt_free( &( cert->cert ) ); -#if defined(MBEDTLS_USE_PSA_CRYPTO) - if( opaque_alg != 0 ) - psa_destroy_key( key_slot ); -#endif - mbedtls_pk_free( &( cert->pkey ) ); + mbedtls_endpoint_certificate_free( ep ); } return ret; @@ -1075,25 +1109,6 @@ exit: return ret; } -/* - * Deinitializes certificates from endpoint represented by \p ep. - */ -void mbedtls_endpoint_certificate_free( mbedtls_endpoint *ep ) -{ - mbedtls_endpoint_certificate *cert = &( ep->cert ); - mbedtls_x509_crt_free( &( cert->ca_cert ) ); - mbedtls_x509_crt_free( &( cert->cert ) ); -#if defined(MBEDTLS_USE_PSA_CRYPTO) - if( mbedtls_pk_get_type( &( cert->pkey ) ) == MBEDTLS_PK_OPAQUE ) - { - mbedtls_svc_key_id_t *key_slot = cert->pkey.pk_ctx; - - psa_destroy_key( *key_slot ); - } -#endif - mbedtls_pk_free( &( cert->pkey ) ); -} - /* * Deinitializes endpoint represented by \p ep. */ @@ -2077,7 +2092,8 @@ void perform_handshake( handshake_test_options *options ) int expected_handshake_result = options->expected_handshake_result; USE_PSA_INIT( ); - + mbedtls_platform_zeroize( &client, sizeof(client) ); + mbedtls_platform_zeroize( &server, sizeof(server) ); mbedtls_test_message_queue server_queue, client_queue; mbedtls_test_message_socket_context server_context, client_context; mbedtls_message_socket_init( &server_context ); @@ -5122,6 +5138,8 @@ void move_handshake_to_state(int endpoint_type, int state, int need_pass) options.pk_alg = MBEDTLS_PK_RSA; USE_PSA_INIT( ); + mbedtls_platform_zeroize( &base_ep, sizeof(base_ep) ); + mbedtls_platform_zeroize( &second_ep, sizeof(second_ep) ); ret = mbedtls_endpoint_init( &base_ep, endpoint_type, &options, NULL, NULL, NULL, NULL ); @@ -5827,6 +5845,8 @@ void force_bad_session_id_len( ) options.srv_log_fun = log_analyzer; USE_PSA_INIT( ); + mbedtls_platform_zeroize( &client, sizeof(client) ); + mbedtls_platform_zeroize( &server, sizeof(server) ); mbedtls_message_socket_init( &server_context ); mbedtls_message_socket_init( &client_context ); @@ -6007,6 +6027,8 @@ void raw_key_agreement_fail( int bad_server_ecdhe_key ) uint16_t iana_tls_group_list[] = { MBEDTLS_SSL_IANA_TLS_GROUP_SECP256R1, MBEDTLS_SSL_IANA_TLS_GROUP_NONE }; USE_PSA_INIT( ); + mbedtls_platform_zeroize( &client, sizeof(client) ); + mbedtls_platform_zeroize( &server, sizeof(server) ); init_handshake_options( &options ); options.pk_alg = MBEDTLS_PK_ECDSA; @@ -6081,6 +6103,8 @@ void tls13_server_certificate_msg_invalid_vector_len( ) * Test set-up */ USE_PSA_INIT( ); + mbedtls_platform_zeroize( &client_ep, sizeof(client_ep) ); + mbedtls_platform_zeroize( &server_ep, sizeof(server_ep) ); init_handshake_options( &client_options ); client_options.pk_alg = MBEDTLS_PK_ECDSA;