Merge remote-tracking branch 'origin/development' into development-restricted

* origin/development:
  Remove unused test data file
  Remove component designed to test MAX_SIGNATURE_SIZE
  Use MBEDTLS_PK_SIGNATURE_MAX_SIZE in pkey sample programs
  Use MBEDTLS_PK_SIGNATURE_MAX_SIZE in X.509
  Update crypto submodule
  x509write_csr: Reduce stack usage of mbedtls_x509write_csr_pem()
  Fix mbedtls_ssl_check_record usage with ext buf
  Shorter version of mbedtls_ssl_send_fatal_handshake_failure
  Resolve #2801 - remove repetitive assignment to ssl->in_msg (the first value was never used)
  Resolve #2800 - move declaration to avoid unused variable warning in case MBEDTLS_SSL_PROTO_DTLS was undefined
  Resolve #2717 - remove erroneous sizeof (the operator was applied to constant integer number)
  Fix potential resource leak in sslserver2 example
  X.509: Add numerous negative parsing tests for CertificatePolicy ext
  X.509: Adapt negative parsing test for no data in CrtPolicy ext
  X.509: Move negative tests for CertificatePolicy parsing
  X.509: Remove CRT policy parsing test 'bool len missing'

ChangeLog

@@ -1,5 +1,15 @@
 mbed TLS ChangeLog (Sorted per branch, date)
 
+= mbed TLS 2.20.0 branch released xxxx-xx-xx
+
+Bugfix
+   * Fix an incorrect size in a debugging message. Reported and fix
+     submitted by irwir. Fixes #2717.
+   * Fix an unused variable warning when compiling without DTLS.
+     Reported and fix submitted by irwir. Fixes #2800.
+   * Remove a useless assignment. Reported and fix submitted by irwir.
+     Fixes #2801.
+
 = mbed TLS 2.19.1 branch released 2019-09-16
 
 Features

crypto

@@ -1 +1 @@
-Subproject commit 3cdb3da3a0c1631e14434a219dfa787513a915a7
+Subproject commit 0b3dd8d0249adb54abc7ad46303f3c22e44aefb7

library/ssl_tls.c

@@ -120,7 +120,6 @@ int mbedtls_ssl_check_record( mbedtls_ssl_context const *ssl,
                               size_t buflen )
 {
     int ret = 0;
-    mbedtls_record rec;
     MBEDTLS_SSL_DEBUG_MSG( 1, ( "=> mbedtls_ssl_check_record" ) );
     MBEDTLS_SSL_DEBUG_BUF( 3, "record buffer", buf, buflen );
 
@@ -137,6 +136,8 @@ int mbedtls_ssl_check_record( mbedtls_ssl_context const *ssl,
 #if defined(MBEDTLS_SSL_PROTO_DTLS)
     else
     {
+        mbedtls_record rec;
+
         ret = ssl_parse_record_header( ssl, buf, buflen, &rec );
         if( ret != 0 )
         {
@@ -4878,6 +4879,25 @@ static inline uint64_t ssl_load_six_bytes( unsigned char *buf )
             ( (uint64_t) buf[5]       ) );
 }
 
+static int mbedtls_ssl_dtls_record_replay_check( mbedtls_ssl_context *ssl, uint8_t *record_in_ctr )
+{
+    int ret;
+    unsigned char *original_in_ctr;
+
+    // save original in_ctr
+    original_in_ctr = ssl->in_ctr;
+
+    // use counter from record
+    ssl->in_ctr = record_in_ctr;
+
+    ret = mbedtls_ssl_dtls_replay_check( (mbedtls_ssl_context const *) ssl );
+
+    // restore the counter
+    ssl->in_ctr = original_in_ctr;
+
+    return ret;
+}
+
 /*
  * Return 0 if sequence number is acceptable, -1 otherwise
  */
@@ -5383,7 +5403,8 @@ static int ssl_parse_record_header( mbedtls_ssl_context const *ssl,
 #if defined(MBEDTLS_SSL_DTLS_ANTI_REPLAY)
         /* For records from the correct epoch, check whether their
          * sequence number has been seen before. */
-        else if( mbedtls_ssl_dtls_replay_check( ssl ) != 0 )
+        else if( mbedtls_ssl_dtls_record_replay_check( (mbedtls_ssl_context *) ssl,
+            &rec->ctr[0] ) != 0 )
         {
             MBEDTLS_SSL_DEBUG_MSG( 1, ( "replayed record" ) );
             return( MBEDTLS_ERR_SSL_UNEXPECTED_RECORD );
@@ -6432,7 +6453,7 @@ static int ssl_get_next_record( mbedtls_ssl_context *ssl )
 #if defined(MBEDTLS_SSL_DTLS_CONNECTION_ID)
     ssl->in_len = ssl->in_cid + rec.cid_len;
 #endif /* MBEDTLS_SSL_DTLS_CONNECTION_ID */
-    ssl->in_iv  = ssl->in_msg = ssl->in_len + 2;
+    ssl->in_iv  = ssl->in_len + 2;
 
     /* The record content type may change during decryption,
      * so re-read it. */
@@ -6586,16 +6607,9 @@ int mbedtls_ssl_handle_message_type( mbedtls_ssl_context *ssl )
 
 int mbedtls_ssl_send_fatal_handshake_failure( mbedtls_ssl_context *ssl )
 {
-    int ret;
+    return( mbedtls_ssl_send_alert_message( ssl,
-
-    if( ( ret = mbedtls_ssl_send_alert_message( ssl,
                   MBEDTLS_SSL_ALERT_LEVEL_FATAL,
-                    MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE ) ) != 0 )
+                  MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE ) );
-    {
-        return( ret );
-    }
-
-    return( 0 );
 }
 
 int mbedtls_ssl_send_alert_message( mbedtls_ssl_context *ssl,
@@ -7283,7 +7297,7 @@ static int ssl_remember_peer_crt_digest( mbedtls_ssl_context *ssl,
     if( ssl->session_negotiate->peer_cert_digest == NULL )
     {
         MBEDTLS_SSL_DEBUG_MSG( 1, ( "alloc(%d bytes) failed",
-                                    sizeof( MBEDTLS_SSL_PEER_CERT_DIGEST_DFL_LEN ) ) );
+                                    MBEDTLS_SSL_PEER_CERT_DIGEST_DFL_LEN ) );
         mbedtls_ssl_send_alert_message( ssl,
                                         MBEDTLS_SSL_ALERT_LEVEL_FATAL,
                                         MBEDTLS_SSL_ALERT_MSG_INTERNAL_ERROR );

library/x509write_crt.c

@@ -45,16 +45,6 @@
 #include "mbedtls/pem.h"
 #endif /* MBEDTLS_PEM_WRITE_C */
 
-/*
- * For the currently used signature algorithms the buffer to store any signature
- * must be at least of size MAX(MBEDTLS_ECDSA_MAX_LEN, MBEDTLS_MPI_MAX_SIZE)
- */
-#if MBEDTLS_ECDSA_MAX_LEN > MBEDTLS_MPI_MAX_SIZE
-#define SIGNATURE_MAX_SIZE MBEDTLS_ECDSA_MAX_LEN
-#else
-#define SIGNATURE_MAX_SIZE MBEDTLS_MPI_MAX_SIZE
-#endif
-
 void mbedtls_x509write_crt_init( mbedtls_x509write_cert *ctx )
 {
     memset( ctx, 0, sizeof( mbedtls_x509write_cert ) );
@@ -347,7 +337,7 @@ int mbedtls_x509write_crt_der( mbedtls_x509write_cert *ctx,
     size_t sig_oid_len = 0;
     unsigned char *c, *c2;
     unsigned char hash[64];
-    unsigned char sig[SIGNATURE_MAX_SIZE];
+    unsigned char sig[MBEDTLS_PK_SIGNATURE_MAX_SIZE];
     size_t sub_len = 0, pub_len = 0, sig_and_oid_len = 0, sig_len;
     size_t len = 0;
     mbedtls_pk_type_t pk_alg;

library/x509write_csr.c

@@ -49,16 +49,6 @@
 #include "mbedtls/pem.h"
 #endif
 
-/*
- * For the currently used signature algorithms the buffer to store any signature
- * must be at least of size MAX(MBEDTLS_ECDSA_MAX_LEN, MBEDTLS_MPI_MAX_SIZE)
- */
-#if MBEDTLS_ECDSA_MAX_LEN > MBEDTLS_MPI_MAX_SIZE
-#define SIGNATURE_MAX_SIZE MBEDTLS_ECDSA_MAX_LEN
-#else
-#define SIGNATURE_MAX_SIZE MBEDTLS_MPI_MAX_SIZE
-#endif
-
 void mbedtls_x509write_csr_init( mbedtls_x509write_csr *ctx )
 {
     memset( ctx, 0, sizeof( mbedtls_x509write_csr ) );
@@ -148,7 +138,7 @@ int mbedtls_x509write_csr_der( mbedtls_x509write_csr *ctx, unsigned char *buf, s
     size_t sig_oid_len = 0;
     unsigned char *c, *c2;
     unsigned char hash[64];
-    unsigned char sig[SIGNATURE_MAX_SIZE];
+    unsigned char sig[MBEDTLS_PK_SIGNATURE_MAX_SIZE];
     unsigned char tmp_buf[2048];
     size_t pub_len = 0, sig_and_oid_len = 0, sig_len;
     size_t len = 0;
@@ -274,17 +264,16 @@ int mbedtls_x509write_csr_pem( mbedtls_x509write_csr *ctx, unsigned char *buf, s
                        void *p_rng )
 {
     int ret;
-    unsigned char output_buf[4096];
     size_t olen = 0;
 
-    if( ( ret = mbedtls_x509write_csr_der( ctx, output_buf, sizeof(output_buf),
+    if( ( ret = mbedtls_x509write_csr_der( ctx, buf, size,
                                    f_rng, p_rng ) ) < 0 )
     {
         return( ret );
     }
 
     if( ( ret = mbedtls_pem_write_buffer( PEM_BEGIN_CSR, PEM_END_CSR,
-                                  output_buf + sizeof(output_buf) - ret,
+                                  buf + size - ret,
                                   ret, buf, size, &olen ) ) != 0 )
     {
         return( ret );

programs/pkey/pk_sign.c

@@ -60,17 +60,6 @@ int main( void )
 #include <stdio.h>
 #include <string.h>
 
-
-/*
- * For the currently used signature algorithms the buffer to store any signature
- * must be at least of size MAX(MBEDTLS_ECDSA_MAX_LEN, MBEDTLS_MPI_MAX_SIZE)
- */
-#if MBEDTLS_ECDSA_MAX_LEN > MBEDTLS_MPI_MAX_SIZE
-#define SIGNATURE_MAX_SIZE MBEDTLS_ECDSA_MAX_LEN
-#else
-#define SIGNATURE_MAX_SIZE MBEDTLS_MPI_MAX_SIZE
-#endif
-
 int main( int argc, char *argv[] )
 {
     FILE *f;
@@ -80,7 +69,7 @@ int main( int argc, char *argv[] )
     mbedtls_entropy_context entropy;
     mbedtls_ctr_drbg_context ctr_drbg;
     unsigned char hash[32];
-    unsigned char buf[SIGNATURE_MAX_SIZE];
+    unsigned char buf[MBEDTLS_PK_SIGNATURE_MAX_SIZE];
     char filename[512];
     const char *pers = "mbedtls_pk_sign";
     size_t olen = 0;

programs/pkey/pk_verify.c

@@ -65,7 +65,7 @@ int main( int argc, char *argv[] )
     size_t i;
     mbedtls_pk_context pk;
     unsigned char hash[32];
-    unsigned char buf[MBEDTLS_MPI_MAX_SIZE];
+    unsigned char buf[MBEDTLS_PK_SIGNATURE_MAX_SIZE];
     char filename[512];
 
     mbedtls_pk_init( &pk );

programs/ssl/ssl_server2.c

@@ -721,6 +721,7 @@ static int nss_keylog_export( void *p_expkey,
         if( fwrite( nss_keylog_line, 1, len, f ) != len )
         {
             ret = -1;
+            fclose( f );
             goto exit;
         }
 

tests/data_files/Makefile

@@ -869,14 +869,6 @@ ec_prv.pk8param.pem: ec_prv.pk8param.der
 	$(OPENSSL) pkey -in $< -inform DER -out $@
 all_final += ec_prv.pk8param.pem
 
-###
-### A generic SECP521R1 private key
-###
-
-secp521r1_prv.der:
-	$(OPENSSL) ecparam -genkey -name secp521r1 -noout -out secp521r1_prv.der
-all_final += secp521r1_prv.der
-
 ################################################################
 ### Generate CSRs for X.509 write test suite
 ################################################################

tests/scripts/all.sh

@@ -649,23 +649,6 @@ component_check_doxygen_warnings () {
 #### Build and test many configurations and targets
 ################################################################
 
-component_test_large_ecdsa_key_signature () {
-
-    SMALL_MPI_MAX_SIZE=136 # Small enough to interfere with the EC signatures
-
-    msg "build: cmake + MBEDTLS_MPI_MAX_SIZE=${SMALL_MPI_MAX_SIZE}, gcc, ASan" # ~ 1 min 50s
-    scripts/config.py set MBEDTLS_MPI_MAX_SIZE $SMALL_MPI_MAX_SIZE
-    CC=gcc cmake -D CMAKE_BUILD_TYPE:String=Asan .
-    make
-
-    INEVITABLY_PRESENT_FILE=Makefile
-    SIGNATURE_FILE="${INEVITABLY_PRESENT_FILE}.sig" # Warning, this is rm -f'ed below
-
-    msg "test: pk_sign secp521r1_prv.der for MBEDTLS_MPI_MAX_SIZE=${SMALL_MPI_MAX_SIZE} (ASan build)" # ~ 5s
-    if_build_succeeded programs/pkey/pk_sign tests/data_files/secp521r1_prv.der $INEVITABLY_PRESENT_FILE
-    rm -f $SIGNATURE_FILE
-}
-
 component_test_default_out_of_box () {
     msg "build: make, default config (out-of-box)" # ~1min
     make

tests/suites/test_suite_x509parse.data

@@ -1566,22 +1566,6 @@ X509 CRT ASN1 (TBS, valid IssuerID, inv SubjectID, inv tag)
 depends_on:MBEDTLS_RSA_C:MBEDTLS_SHA256_C
 x509parse_crt:"30819a308184a0030201008204deadbeef300d06092a864886f70d01010b0500300c310a30080600130454657374301c170c303930313031303030303030170c303931323331323335393539300c310a30080600130454657374302a300d06092A864886F70D010101050003190030160210ffffffffffffffffffffffffffffffff0202ffffa1000500300d06092a864886f70d01010b0500030200ff":"":MBEDTLS_ERR_X509_INVALID_FORMAT + MBEDTLS_ERR_ASN1_LENGTH_MISMATCH
 
-X509 CRT ASN1 (TBSCertificate v3, ext CertificatePolicies tag, bool len missing)
-depends_on:MBEDTLS_RSA_C:MBEDTLS_SHA256_C
-x509parse_crt:"308198308195a0030201028204deadbeef300d06092a864886f70d01010b0500300c310a30080600130454657374301c170c303930313031303030303030170c303931323331323335393539300c310a30080600130454657374302a300d06092a864886f70d010101050003190030160210ffffffffffffffffffffffffffffffff0202ffffa101aaa201bba30c300730050603551d2001010100":"":MBEDTLS_ERR_X509_INVALID_EXTENSIONS + MBEDTLS_ERR_ASN1_LENGTH_MISMATCH
-
-X509 CRT ASN1 (TBSCertificate v3, ext CertificatePolicies tag, data missing)
-depends_on:MBEDTLS_RSA_C:MBEDTLS_SHA256_C
-x509parse_crt:"308198308195a0030201028204deadbeef300d06092a864886f70d01010b0500300c310a30080600130454657374301c170c303930313031303030303030170c303931323331323335393539300c310a30080600130454657374302a300d06092a864886f70d010101050003190030160210ffffffffffffffffffffffffffffffff0202ffffa101aaa201bba30b300930070603551d20040001010100":"":MBEDTLS_ERR_X509_INVALID_EXTENSIONS + MBEDTLS_ERR_ASN1_OUT_OF_DATA
-
-X509 CRT ASN1 (TBSCertificate v3, ext CertificatePolicies tag, data not oid)
-depends_on:MBEDTLS_RSA_C:MBEDTLS_SHA256_C
-x509parse_crt:"3081bc3081b9a0030201028204deadbeef300d06092a864886f70d01010b0500300c310a30080600130454657374301c170c303930313031303030303030170c303931323331323335393539300c310a30080600130454657374302a300d06092a864886f70d010101050003190030160210ffffffffffffffffffffffffffffffff0202ffffa101aaa201bba32e302c30290603551d2004223020301ea01c06082b06010505070804a010300e06082b060104010901030402022201010100":"":MBEDTLS_ERR_X509_INVALID_EXTENSIONS + MBEDTLS_ERR_ASN1_UNEXPECTED_TAG
-
-X509 CRT ASN1 (TBSCertificate v3, ext CertificatePolicies tag, qualifier not complete)
-depends_on:MBEDTLS_RSA_C:MBEDTLS_SHA256_C
-x509parse_crt:"308198308195a0030201028204deadbeef300d06092a864886f70d01010b0500300c310a30080600130454657374301c170c303930313031303030303030170c303931323331323335393539300c310a30080600130454657374302a300d06092a864886f70d010101050003190030160210ffffffffffffffffffffffffffffffff0202ffffa101aaa201bba30c300a301f0603551d2004183020301f0603551d200418301630140604551d2000300c300a06082b0601050507020101010100":"":MBEDTLS_ERR_X509_INVALID_EXTENSIONS + MBEDTLS_ERR_ASN1_OUT_OF_DATA
-
 X509 CRT ASN1 (TBSCertificate v3, ext SubjectAlternativeName malformed)
 depends_on:MBEDTLS_RSA_C:MBEDTLS_SHA1_C
 x509parse_crt:"30820220308201ffa0030201020209202020202020202020300d06092a864886f70d01010505003045310b30090603202020130220203113301106032020200c0a202020202020202020203121301f06032020200c18202020202020202020202020202020202020202020202020301e170d3134303432333230353034305a170d3137303432323230353034305a3045310b30090603202020130220203113301106032020200c0a202020202020202020203121301f06032020200c1820202020202020202020202020202020202020202020202030819f300d06092a864886f70d010101050003818d003081890281812020202020202020ff20202020202020202020202020202020202020ff202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020ff020320ffffa350304e301d0603202020041620202020202020202020202020202020202020202020301f0603551d11041830169104202020208000be002020202020202020202020202020202020202020202020202020202020202020ff20202020202020202020202020202020202020ff2020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020ff2020ff202020202020202020202020202020ff2020202020202020202020202020202020202020202020202020":"":MBEDTLS_ERR_X509_INVALID_EXTENSIONS + MBEDTLS_ERR_ASN1_OUT_OF_DATA
@@ -1730,6 +1714,86 @@ X509 CRT ASN1 (TBS, inv v3Ext, data remaining after extnValue)
 depends_on:MBEDTLS_RSA_C:MBEDTLS_SHA256_C
 x509parse_crt:"3081a9308193a0030201028204deadbeef300d06092a864886f70d01010b0500300c310a30080600130454657374301c170c303930313031303030303030170c303931323331323335393539300c310a30080600130454657374302a300d06092A864886F70D010101050003190030160210ffffffffffffffffffffffffffffffff0202ffffa100a200a30d300b3009060001010004000500300d06092a864886f70d01010b0500030200ff":"":MBEDTLS_ERR_X509_INVALID_EXTENSIONS + MBEDTLS_ERR_ASN1_LENGTH_MISMATCH
 
+X509 CRT ASN1 (TBSCertificate v3, inv CertificatePolicies, data missing)
+depends_on:MBEDTLS_RSA_C:MBEDTLS_SHA256_C
+x509parse_crt:"3081a7308191a0030201028204deadbeef300d06092a864886f70d01010b0500300c310a30080600130454657374301c170c303930313031303030303030170c303931323331323335393539300c310a30080600130454657374302a300d06092a864886f70d010101050003190030160210ffffffffffffffffffffffffffffffff0202ffffa100a200a30b300930070603551d200400300d06092a864886f70d01010b0500030200ff":"":MBEDTLS_ERR_X509_INVALID_EXTENSIONS + MBEDTLS_ERR_ASN1_OUT_OF_DATA
+
+X509 CRT ASN1 (TBSCertificate v3, inv CertificatePolicies, invalid outer tag)
+depends_on:MBEDTLS_RSA_C:MBEDTLS_SHA256_C
+x509parse_crt:"3081a9308193a0030201028204deadbeef300d06092a864886f70d01010b0500300c310a30080600130454657374301c170c303930313031303030303030170c303931323331323335393539300c310a30080600130454657374302a300d06092a864886f70d010101050003190030160210ffffffffffffffffffffffffffffffff0202ffffa100a200a30d300b30090603551d2004020500300d06092a864886f70d01010b0500030200ff":"":MBEDTLS_ERR_X509_INVALID_EXTENSIONS + MBEDTLS_ERR_ASN1_UNEXPECTED_TAG
+
+X509 CRT ASN1 (TBSCertificate v3, inv CertificatePolicies, outer length missing)
+depends_on:MBEDTLS_RSA_C:MBEDTLS_SHA256_C
+x509parse_crt:"3081a8308192a0030201028204deadbeef300d06092a864886f70d01010b0500300c310a30080600130454657374301c170c303930313031303030303030170c303931323331323335393539300c310a30080600130454657374302a300d06092a864886f70d010101050003190030160210ffffffffffffffffffffffffffffffff0202ffffa100a200a30c300a30080603551d20040130300d06092a864886f70d01010b0500030200ff":"":MBEDTLS_ERR_X509_INVALID_EXTENSIONS + MBEDTLS_ERR_ASN1_OUT_OF_DATA
+
+X509 CRT ASN1 (TBSCertificate v3, inv CertificatePolicies, outer length inv encoding)
+depends_on:MBEDTLS_RSA_C:MBEDTLS_SHA256_C
+x509parse_crt:"3081a9308193a0030201028204deadbeef300d06092a864886f70d01010b0500300c310a30080600130454657374301c170c303930313031303030303030170c303931323331323335393539300c310a30080600130454657374302a300d06092a864886f70d010101050003190030160210ffffffffffffffffffffffffffffffff0202ffffa100a200a30d300b30090603551d2004023085300d06092a864886f70d01010b0500030200ff":"":MBEDTLS_ERR_X509_INVALID_EXTENSIONS + MBEDTLS_ERR_ASN1_INVALID_LENGTH
+
+X509 CRT ASN1 (TBSCertificate v3, inv CertificatePolicies, outer length out of bounds)
+depends_on:MBEDTLS_RSA_C:MBEDTLS_SHA256_C
+x509parse_crt:"3081a9308193a0030201028204deadbeef300d06092a864886f70d01010b0500300c310a30080600130454657374301c170c303930313031303030303030170c303931323331323335393539300c310a30080600130454657374302a300d06092a864886f70d010101050003190030160210ffffffffffffffffffffffffffffffff0202ffffa100a200a30d300b30090603551d2004023001300d06092a864886f70d01010b0500030200ff":"":MBEDTLS_ERR_X509_INVALID_EXTENSIONS + MBEDTLS_ERR_ASN1_OUT_OF_DATA
+
+X509 CRT ASN1 (TBSCertificate v3, inv CertificatePolicies, no policies)
+depends_on:MBEDTLS_RSA_C:MBEDTLS_SHA256_C
+x509parse_crt:"3081a9308193a0030201028204deadbeef300d06092a864886f70d01010b0500300c310a30080600130454657374301c170c303930313031303030303030170c303931323331323335393539300c310a30080600130454657374302a300d06092a864886f70d010101050003190030160210ffffffffffffffffffffffffffffffff0202ffffa100a200a30d300b30090603551d2004023000300d06092a864886f70d01010b0500030200ff":"":MBEDTLS_ERR_X509_INVALID_EXTENSIONS + MBEDTLS_ERR_ASN1_LENGTH_MISMATCH
+
+X509 CRT ASN1 (TBSCertificate v3, inv CertificatePolicies, policy invalid tag)
+depends_on:MBEDTLS_RSA_C:MBEDTLS_SHA256_C
+x509parse_crt:"3081ab308195a0030201028204deadbeef300d06092a864886f70d01010b0500300c310a30080600130454657374301c170c303930313031303030303030170c303931323331323335393539300c310a30080600130454657374302a300d06092a864886f70d010101050003190030160210ffffffffffffffffffffffffffffffff0202ffffa100a200a30f300d300b0603551d20040430020500300d06092a864886f70d01010b0500030200ff":"":MBEDTLS_ERR_X509_INVALID_EXTENSIONS + MBEDTLS_ERR_ASN1_UNEXPECTED_TAG
+
+X509 CRT ASN1 (TBSCertificate v3, inv CertificatePolicies, policy length missing)
+depends_on:MBEDTLS_RSA_C:MBEDTLS_SHA256_C
+x509parse_crt:"3081aa308194a0030201028204deadbeef300d06092a864886f70d01010b0500300c310a30080600130454657374301c170c303930313031303030303030170c303931323331323335393539300c310a30080600130454657374302a300d06092a864886f70d010101050003190030160210ffffffffffffffffffffffffffffffff0202ffffa100a200a30e300c300a0603551d200403300130300d06092a864886f70d01010b0500030200ff":"":MBEDTLS_ERR_X509_INVALID_EXTENSIONS + MBEDTLS_ERR_ASN1_OUT_OF_DATA
+
+X509 CRT ASN1 (TBSCertificate v3, inv CertificatePolicies, policy length inv encoding)
+depends_on:MBEDTLS_RSA_C:MBEDTLS_SHA256_C
+x509parse_crt:"3081ab308195a0030201028204deadbeef300d06092a864886f70d01010b0500300c310a30080600130454657374301c170c303930313031303030303030170c303931323331323335393539300c310a30080600130454657374302a300d06092a864886f70d010101050003190030160210ffffffffffffffffffffffffffffffff0202ffffa100a200a30f300d300b0603551d20040430023085300d06092a864886f70d01010b0500030200ff":"":MBEDTLS_ERR_X509_INVALID_EXTENSIONS + MBEDTLS_ERR_ASN1_INVALID_LENGTH
+
+X509 CRT ASN1 (TBSCertificate v3, inv CertificatePolicies, policy length out of bounds)
+depends_on:MBEDTLS_RSA_C:MBEDTLS_SHA256_C
+x509parse_crt:"3081ab308195a0030201028204deadbeef300d06092a864886f70d01010b0500300c310a30080600130454657374301c170c303930313031303030303030170c303931323331323335393539300c310a30080600130454657374302a300d06092a864886f70d010101050003190030160210ffffffffffffffffffffffffffffffff0202ffffa100a200a30f300d300b0603551d20040430023001300d06092a864886f70d01010b0500030200ff":"":MBEDTLS_ERR_X509_INVALID_EXTENSIONS + MBEDTLS_ERR_ASN1_OUT_OF_DATA
+
+X509 CRT ASN1 (TBSCertificate v3, inv CertificatePolicies, empty policy)
+depends_on:MBEDTLS_RSA_C:MBEDTLS_SHA256_C
+x509parse_crt:"3081ab308195a0030201028204deadbeef300d06092a864886f70d01010b0500300c310a30080600130454657374301c170c303930313031303030303030170c303931323331323335393539300c310a30080600130454657374302a300d06092a864886f70d010101050003190030160210ffffffffffffffffffffffffffffffff0202ffffa100a200a30f300d300b0603551d20040430023000300d06092a864886f70d01010b0500030200ff":"":MBEDTLS_ERR_X509_INVALID_EXTENSIONS + MBEDTLS_ERR_ASN1_OUT_OF_DATA
+
+X509 CRT ASN1 (TBSCertificate v3, inv CertificatePolicies, policy invalid OID tag)
+depends_on:MBEDTLS_RSA_C:MBEDTLS_SHA256_C
+x509parse_crt:"3081ad308197a0030201028204deadbeef300d06092a864886f70d01010b0500300c310a30080600130454657374301c170c303930313031303030303030170c303931323331323335393539300c310a30080600130454657374302a300d06092a864886f70d010101050003190030160210ffffffffffffffffffffffffffffffff0202ffffa100a200a311300f300d0603551d200406300430020500300d06092a864886f70d01010b0500030200ff":"":MBEDTLS_ERR_X509_INVALID_EXTENSIONS + MBEDTLS_ERR_ASN1_UNEXPECTED_TAG
+
+X509 CRT ASN1 (TBSCertificate v3, inv CertificatePolicies, policy no OID length)
+depends_on:MBEDTLS_RSA_C:MBEDTLS_SHA256_C
+x509parse_crt:"3081ac308196a0030201028204deadbeef300d06092a864886f70d01010b0500300c310a30080600130454657374301c170c303930313031303030303030170c303931323331323335393539300c310a30080600130454657374302a300d06092a864886f70d010101050003190030160210ffffffffffffffffffffffffffffffff0202ffffa100a200a310300e300c0603551d2004053003300106300d06092a864886f70d01010b0500030200ff":"":MBEDTLS_ERR_X509_INVALID_EXTENSIONS + MBEDTLS_ERR_ASN1_OUT_OF_DATA
+
+X509 CRT ASN1 (TBSCertificate v3, inv CertificatePolicies, policy OID length inv encoding)
+depends_on:MBEDTLS_RSA_C:MBEDTLS_SHA256_C
+x509parse_crt:"3081ad308197a0030201028204deadbeef300d06092a864886f70d01010b0500300c310a30080600130454657374301c170c303930313031303030303030170c303931323331323335393539300c310a30080600130454657374302a300d06092a864886f70d010101050003190030160210ffffffffffffffffffffffffffffffff0202ffffa100a200a311300f300d0603551d200406300430020685300d06092a864886f70d01010b0500030200ff":"":MBEDTLS_ERR_X509_INVALID_EXTENSIONS + MBEDTLS_ERR_ASN1_INVALID_LENGTH
+
+X509 CRT ASN1 (TBSCertificate v3, inv CertificatePolicies, policy OID length out of bounds)
+depends_on:MBEDTLS_RSA_C:MBEDTLS_SHA256_C
+x509parse_crt:"3081ad308197a0030201028204deadbeef300d06092a864886f70d01010b0500300c310a30080600130454657374301c170c303930313031303030303030170c303931323331323335393539300c310a30080600130454657374302a300d06092a864886f70d010101050003190030160210ffffffffffffffffffffffffffffffff0202ffffa100a200a311300f300d0603551d200406300430020601300d06092a864886f70d01010b0500030200ff":"":MBEDTLS_ERR_X509_INVALID_EXTENSIONS + MBEDTLS_ERR_ASN1_OUT_OF_DATA
+
+X509 CRT ASN1 (TBSCertificate v3, inv CertificatePolicies, unknown critical policy)
+depends_on:MBEDTLS_RSA_C:MBEDTLS_SHA256_C:!MBEDTLS_X509_ALLOW_UNSUPPORTED_CRITICAL_EXTENSION
+x509parse_crt:"3081b130819ba0030201028204deadbeef300d06092a864886f70d01010b0500300c310a30080600130454657374301c170c303930313031303030303030170c303931323331323335393539300c310a30080600130454657374302a300d06092a864886f70d010101050003190030160210ffffffffffffffffffffffffffffffff0202ffffa100a200a315301330110603551d20010101040730053003060100300d06092a864886f70d01010b0500030200ff":"":MBEDTLS_ERR_X509_FEATURE_UNAVAILABLE
+
+X509 CRT ASN1 (TBSCertificate v3, inv CertificatePolicies, policy qualifier invalid tag)
+depends_on:MBEDTLS_RSA_C:MBEDTLS_SHA256_C
+x509parse_crt:"3081b030819aa0030201028204deadbeef300d06092a864886f70d01010b0500300c310a30080600130454657374301c170c303930313031303030303030170c303931323331323335393539300c310a30080600130454657374302a300d06092a864886f70d010101050003190030160210ffffffffffffffffffffffffffffffff0202ffffa100a200a314301230100603551d200409300730050601000500300d06092a864886f70d01010b0500030200ff":"":MBEDTLS_ERR_X509_INVALID_EXTENSIONS + MBEDTLS_ERR_ASN1_UNEXPECTED_TAG
+
+X509 CRT ASN1 (TBSCertificate v3, inv CertificatePolicies, policy qualifier no length)
+depends_on:MBEDTLS_RSA_C:MBEDTLS_SHA256_C
+x509parse_crt:"3081af308199a0030201028204deadbeef300d06092a864886f70d01010b0500300c310a30080600130454657374301c170c303930313031303030303030170c303931323331323335393539300c310a30080600130454657374302a300d06092a864886f70d010101050003190030160210ffffffffffffffffffffffffffffffff0202ffffa100a200a3133011300f0603551d2004083006300406010030300d06092a864886f70d01010b0500030200ff":"":MBEDTLS_ERR_X509_INVALID_EXTENSIONS + MBEDTLS_ERR_ASN1_OUT_OF_DATA
+
+X509 CRT ASN1 (TBSCertificate v3, inv CertificatePolicies, policy qualifier inv length encoding)
+depends_on:MBEDTLS_RSA_C:MBEDTLS_SHA256_C
+x509parse_crt:"3081b030819aa0030201028204deadbeef300d06092a864886f70d01010b0500300c310a30080600130454657374301c170c303930313031303030303030170c303931323331323335393539300c310a30080600130454657374302a300d06092a864886f70d010101050003190030160210ffffffffffffffffffffffffffffffff0202ffffa100a200a314301230100603551d200409300730050601003085300d06092a864886f70d01010b0500030200ff":"":MBEDTLS_ERR_X509_INVALID_EXTENSIONS + MBEDTLS_ERR_ASN1_INVALID_LENGTH
+
+X509 CRT ASN1 (TBSCertificate v3, inv CertificatePolicies, policy qualifier length out of bounds)
+depends_on:MBEDTLS_RSA_C:MBEDTLS_SHA256_C
+x509parse_crt:"3081b030819aa0030201028204deadbeef300d06092a864886f70d01010b0500300c310a30080600130454657374301c170c303930313031303030303030170c303931323331323335393539300c310a30080600130454657374302a300d06092a864886f70d010101050003190030160210ffffffffffffffffffffffffffffffff0202ffffa100a200a314301230100603551d200409300730050601003001300d06092a864886f70d01010b0500030200ff":"":MBEDTLS_ERR_X509_INVALID_EXTENSIONS + MBEDTLS_ERR_ASN1_OUT_OF_DATA
+
 X509 CRT ASN1 (TBS, inv extBasicConstraint, no pathlen length)
 depends_on:MBEDTLS_RSA_C:MBEDTLS_SHA256_C
 x509parse_crt:"3081b030819aa0030201028204deadbeef300d06092a864886f70d01010b0500300c310a30080600130454657374301c170c303930313031303030303030170c303931323331323335393539300c310a30080600130454657374302a300d06092A864886F70D010101050003190030160210ffffffffffffffffffffffffffffffff0202ffffa100a200a314301230100603551d130101010406300402010102300d06092a864886f70d01010b0500030200ff":"":MBEDTLS_ERR_X509_INVALID_EXTENSIONS + MBEDTLS_ERR_ASN1_OUT_OF_DATA