Merge branch 'development'

2025-07-07 13:40:34 +00:00 · 2017-03-10 18:45:21 +00:00 · 2017-03-10 18:45:21 +00:00 · f8c45eb61a
parent b5ba28cbea 81cf88f6d7
commit f8c45eb61a
25 changed files with 412 additions and 104 deletions
--- a/45
+++ b/45
@ -1,8 +1,29 @@
 mbed TLS ChangeLog (Sorted per branch, date)
-= mbed TLS x.x.x branch released xxxx-xx-xx
+= mbed TLS 2.x.x branch released xxxx-xx-xx
 Security
   * Fixed potential livelock during the parsing of a CRL in PEM format in
     mbedtls_x509_crl_parse(). A string containing a CRL followed by trailing
     characters after the footer could result in the execution of an infinite
     loop. The issue can be triggered remotely. Found by Greg Zaverucha,
     Microsoft.
   * Removed MD5 from the allowed hash algorithms for CertificateRequest and
     CertificateVerify messages, to prevent SLOTH attacks against TLS 1.2.
     Introduced by interoperability fix for #513.
   * Fixed a bug that caused freeing a buffer that was allocated on the stack,
     when verifying the validity of a key on secp224k1. This could be
     triggered remotely for example with a maliciously constructed certificate
     and potentially could lead to remote code execution on some platforms.
     Reported independently by rongsaws and Aleksandar Nikolic, Cisco Talos
     team. #569 CVE-2017-2784
 Bugfix
   * Fix output certificate verification flags set by x509_crt_verify_top() when
     traversing a chain of trusted CA. The issue would cause both flags,
     MBEDTLS_X509_BADCERT_NOT_TRUSTED and MBEDTLS_X509_BADCERT_EXPIRED, to be
     set when the verification conditions are not met regardless of the cause.
     Found by Harm Verhagen and inestlerode. #665 #561
   * Fix the redefinition of macro ssl_set_bio to an undefined symbol
     mbedtls_ssl_set_bio_timeout in compat-1.3.h, by removing it.
     Found by omlib-lin. #673
@ -14,11 +35,33 @@ Bugfix
     in RFC 6347 Section 4.3.1. This could cause the execution of the
     renegotiation routines at unexpected times when the protocol is DTLS. Found
     by wariua. #687
   * Fixed multiple buffer overreads in mbedtls_pem_read_buffer() when parsing
     the input string in PEM format to extract the different components. Found
     by Eyal Itkin.
   * Fixed potential arithmetic overflow in mbedtls_ctr_drbg_reseed() that could
     cause buffer bound checks to be bypassed. Found by Eyal Itkin.
   * Fixed potential arithmetic overflows in mbedtls_cipher_update() that could
     cause buffer bound checks to be bypassed. Found by Eyal Itkin.
   * Fixed potential arithmetic overflow in mbedtls_md2_update() that could
     cause buffer bound checks to be bypassed. Found by Eyal Itkin.
   * Fixed potential arithmetic overflow in mbedtls_base64_decode() that could
     cause buffer bound checks to be bypassed. Found by Eyal Itkin.
   * Fixed heap overreads in mbedtls_x509_get_time(). Found by Peng
     Li/Yueh-Hsun Lin, KNOX Security, Samsung Research America.
   * Fix potential memory leak in mbedtls_x509_crl_parse(). The leak was caused
     by missing calls to mbedtls_pem_free() in cases when a
     MBEDTLS_ERR_PEM_NO_HEADER_FOOTER_PRESENT error was encountered. Found and
     fix proposed by Guido Vranken. #722
   * Fixed the templates used to generate project and solution files for Visual
     Studio 2015 as well as the files themselves, to remove a build warning
     generated in Visual Studio 2015. Reported by Steve Valliere. #742
   * Fix a resource leak in ssl_cookie, when using MBEDTLS_THREADING_C.
     Raised and fix suggested by Alan Gillingham in the mbed TLS forum. #771
   * Fix 1 byte buffer overflow in mbedtls_mpi_write_string() when the MPI
     number to write in hexadecimal is negative and requires an odd number of
     digits. Found and fixed by Guido Vranken.
   * Fix unlisted DES configuration dependency in some pkparse test cases. Found
     by inestlerode. #555
 = mbed TLS 2.4.1 branch released 2016-12-13
--- a/README.md
+++ b/README.md
@ -156,6 +156,15 @@ Configurations
 We provide some non-standard configurations focused on specific use cases in the `configs/` directory. You can read more about those in `configs/README.txt`
 Porting mbed TLS
 ----------------
 mbed TLS can be ported to many different architectures, OS's and platforms. Before starting a port, you may find the following knowledge base articles useful:
 -   [Porting mbed TLS to a new environment or OS](https://tls.mbed.org/kb/how-to/how-do-i-port-mbed-tls-to-a-new-environment-OS)
 -   [What external dependencies does mbed TLS rely on?](https://tls.mbed.org/kb/development/what-external-dependencies-does-mbedtls-rely-on)
 -   [How do I configure mbed TLS](https://tls.mbed.org/kb/compiling-and-building/how-do-i-configure-mbedtls)
 Contributing
 ------------
--- a/library/base64.c
+++ b/library/base64.c
@ -192,7 +192,11 @@ int mbedtls_base64_decode( unsigned char *dst, size_t dlen, size_t *olen,
        return( 0 );
    }
-    n = ( ( n * 6 ) + 7 ) >> 3;
+    /* The following expression is to calculate the following formula without
     * risk of integer overflow in n:
     *     n = ( ( n * 6 ) + 7 ) >> 3;
     */
    n = ( 6 * ( n >> 3 ) ) + ( ( 6 * ( n & 0x7 ) + 7 ) >> 3 );
    n -= j;
    if( dst == NULL || dlen < n )
--- a/library/bignum.c
+++ b/library/bignum.c
@ -534,7 +534,12 @@ int mbedtls_mpi_write_string( const mbedtls_mpi *X, int radix,
    n = mbedtls_mpi_bitlen( X );
    if( radix >=  4 ) n >>= 1;
    if( radix >= 16 ) n >>= 1;
-    n += 3;
+    /*
     * Round up the buffer length to an even value to ensure that there is
     * enough room for hexadecimal values that can be represented in an odd
     * number of digits.
     */
    n += 3 + ( ( n + 1 ) & 1 );
    if( buflen < n )
    {
--- a/library/cipher.c
+++ b/library/cipher.c
@ -326,9 +326,9 @@ int mbedtls_cipher_update( mbedtls_cipher_context_t *ctx, const unsigned char *i
         * If there is not enough data for a full block, cache it.
         */
        if( ( ctx->operation == MBEDTLS_DECRYPT &&
-                ilen + ctx->unprocessed_len <= block_size ) ||
+                ilen <= block_size - ctx->unprocessed_len ) ||
             ( ctx->operation == MBEDTLS_ENCRYPT &&
-                ilen + ctx->unprocessed_len < block_size ) )
+                ilen < block_size - ctx->unprocessed_len ) )
        {
            memcpy( &( ctx->unprocessed_data[ctx->unprocessed_len] ), input,
                    ilen );
--- a/library/ctr_drbg.c
+++ b/library/ctr_drbg.c
@ -290,7 +290,8 @@ int mbedtls_ctr_drbg_reseed( mbedtls_ctr_drbg_context *ctx,
    unsigned char seed[MBEDTLS_CTR_DRBG_MAX_SEED_INPUT];
    size_t seedlen = 0;
-    if( ctx->entropy_len + len > MBEDTLS_CTR_DRBG_MAX_SEED_INPUT )
+    if( ctx->entropy_len > MBEDTLS_CTR_DRBG_MAX_SEED_INPUT ||
        len > MBEDTLS_CTR_DRBG_MAX_SEED_INPUT - ctx->entropy_len )
        return( MBEDTLS_ERR_CTR_DRBG_INPUT_TOO_BIG );
    memset( seed, 0, MBEDTLS_CTR_DRBG_MAX_SEED_INPUT );
--- a/library/ecp_curves.c
+++ b/library/ecp_curves.c
@ -1213,7 +1213,7 @@ static inline int ecp_mod_koblitz( mbedtls_mpi *N, mbedtls_mpi_uint *Rp, size_t
    int ret;
    size_t i;
    mbedtls_mpi M, R;
-    mbedtls_mpi_uint Mp[P_KOBLITZ_MAX + P_KOBLITZ_R];
+    mbedtls_mpi_uint Mp[P_KOBLITZ_MAX + P_KOBLITZ_R + 1];
    if( N->n < p_limbs )
        return( 0 );
@ -1235,7 +1235,7 @@ static inline int ecp_mod_koblitz( mbedtls_mpi *N, mbedtls_mpi_uint *Rp, size_t
    memcpy( Mp, N->p + p_limbs - adjust, M.n * sizeof( mbedtls_mpi_uint ) );
    if( shift != 0 )
        MBEDTLS_MPI_CHK( mbedtls_mpi_shift_r( &M, shift ) );
-    M.n += R.n - adjust; /* Make room for multiplication by R */
+    M.n += R.n; /* Make room for multiplication by R */
    /* N = A0 */
    if( mask != 0 )
@ -1257,7 +1257,7 @@ static inline int ecp_mod_koblitz( mbedtls_mpi *N, mbedtls_mpi_uint *Rp, size_t
    memcpy( Mp, N->p + p_limbs - adjust, M.n * sizeof( mbedtls_mpi_uint ) );
    if( shift != 0 )
        MBEDTLS_MPI_CHK( mbedtls_mpi_shift_r( &M, shift ) );
-    M.n += R.n - adjust; /* Make room for multiplication by R */
+    M.n += R.n; /* Make room for multiplication by R */
    /* N = A0 */
    if( mask != 0 )
--- a/library/md2.c
+++ b/library/md2.c
@ -158,7 +158,7 @@ void mbedtls_md2_update( mbedtls_md2_context *ctx, const unsigned char *input, s
    while( ilen > 0 )
    {
-        if( ctx->left + ilen > 16 )
+        if( ilen > 16 - ctx->left )
            fill = 16 - ctx->left;
        else
            fill = ilen;
--- a/library/pem.c
+++ b/library/pem.c
@ -249,7 +249,7 @@ int mbedtls_pem_read_buffer( mbedtls_pem_context *ctx, const char *header, const
    enc = 0;
-    if( memcmp( s1, "Proc-Type: 4,ENCRYPTED", 22 ) == 0 )
+    if( s2 - s1 >= 22 && memcmp( s1, "Proc-Type: 4,ENCRYPTED", 22 ) == 0 )
    {
 #if defined(MBEDTLS_MD5_C) && defined(MBEDTLS_CIPHER_MODE_CBC) &&         \
    ( defined(MBEDTLS_DES_C) || defined(MBEDTLS_AES_C) )
@ -262,22 +262,22 @@ int mbedtls_pem_read_buffer( mbedtls_pem_context *ctx, const char *header, const
 #if defined(MBEDTLS_DES_C)
-        if( memcmp( s1, "DEK-Info: DES-EDE3-CBC,", 23 ) == 0 )
+        if( s2 - s1 >= 23 && memcmp( s1, "DEK-Info: DES-EDE3-CBC,", 23 ) == 0 )
        {
            enc_alg = MBEDTLS_CIPHER_DES_EDE3_CBC;
            s1 += 23;
-            if( pem_get_iv( s1, pem_iv, 8 ) != 0 )
+            if( s2 - s1 < 16 || pem_get_iv( s1, pem_iv, 8 ) != 0 )
                return( MBEDTLS_ERR_PEM_INVALID_ENC_IV );
            s1 += 16;
        }
-        else if( memcmp( s1, "DEK-Info: DES-CBC,", 18 ) == 0 )
+        else if( s2 - s1 >= 18 && memcmp( s1, "DEK-Info: DES-CBC,", 18 ) == 0 )
        {
            enc_alg = MBEDTLS_CIPHER_DES_CBC;
            s1 += 18;
-            if( pem_get_iv( s1, pem_iv, 8) != 0 )
+            if( s2 - s1 < 16 || pem_get_iv( s1, pem_iv, 8) != 0 )
                return( MBEDTLS_ERR_PEM_INVALID_ENC_IV );
            s1 += 16;
@ -285,9 +285,11 @@ int mbedtls_pem_read_buffer( mbedtls_pem_context *ctx, const char *header, const
 #endif /* MBEDTLS_DES_C */
 #if defined(MBEDTLS_AES_C)
-        if( memcmp( s1, "DEK-Info: AES-", 14 ) == 0 )
+        if( s2 - s1 >= 14 && memcmp( s1, "DEK-Info: AES-", 14 ) == 0 )
        {
-            if( memcmp( s1, "DEK-Info: AES-128-CBC,", 22 ) == 0 )
+            if( s2 - s1 < 22 )
                return( MBEDTLS_ERR_PEM_UNKNOWN_ENC_ALG );
            else if( memcmp( s1, "DEK-Info: AES-128-CBC,", 22 ) == 0 )
                enc_alg = MBEDTLS_CIPHER_AES_128_CBC;
            else if( memcmp( s1, "DEK-Info: AES-192-CBC,", 22 ) == 0 )
                enc_alg = MBEDTLS_CIPHER_AES_192_CBC;
@ -297,7 +299,7 @@ int mbedtls_pem_read_buffer( mbedtls_pem_context *ctx, const char *header, const
                return( MBEDTLS_ERR_PEM_UNKNOWN_ENC_ALG );
            s1 += 22;
-            if( pem_get_iv( s1, pem_iv, 16 ) != 0 )
+            if( s2 - s1 < 32 || pem_get_iv( s1, pem_iv, 16 ) != 0 )
                return( MBEDTLS_ERR_PEM_INVALID_ENC_IV );
            s1 += 32;
@ -316,7 +318,7 @@ int mbedtls_pem_read_buffer( mbedtls_pem_context *ctx, const char *header, const
          ( MBEDTLS_AES_C || MBEDTLS_DES_C ) */
    }
-    if( s1 == s2 )
+    if( s1 >= s2 )
        return( MBEDTLS_ERR_PEM_INVALID_DATA );
    ret = mbedtls_base64_decode( NULL, 0, &len, s1, s2 - s1 );
--- a/library/ssl_tls.c
+++ b/library/ssl_tls.c
@ -7653,8 +7653,7 @@ int mbedtls_ssl_set_calc_verify_md( mbedtls_ssl_context *ssl, int md )
 #if defined(MBEDTLS_SSL_PROTO_TLS1) || defined(MBEDTLS_SSL_PROTO_TLS1_1)
 #if defined(MBEDTLS_MD5_C)
        case MBEDTLS_SSL_HASH_MD5:
-            ssl->handshake->calc_verify = ssl_calc_verify_tls;
+            return MBEDTLS_ERR_SSL_INVALID_VERIFY_HASH;
            break;
 #endif
 #if defined(MBEDTLS_SHA1_C)
        case MBEDTLS_SSL_HASH_SHA1:
--- a/library/x509.c
+++ b/library/x509.c
@ -480,14 +480,20 @@ int mbedtls_x509_get_name( unsigned char **p, const unsigned char *end,
    }
 }
-static int x509_parse_int(unsigned char **p, unsigned n, int *res){
+static int x509_parse_int( unsigned char **p, size_t n, int *res )
 {
    *res = 0;
-    for( ; n > 0; --n ){
+
-        if( ( **p < '0') || ( **p > '9' ) ) return MBEDTLS_ERR_X509_INVALID_DATE;
+    for( ; n > 0; --n )
    {
        if( ( **p < '0') || ( **p > '9' ) )
            return ( MBEDTLS_ERR_X509_INVALID_DATE );
        *res *= 10;
-        *res += (*(*p)++ - '0');
+        *res += ( *(*p)++ - '0' );
    }
-    return 0;
+
    return( 0 );
 }
 static int x509_date_is_valid(const mbedtls_x509_time *time)
@ -517,6 +523,70 @@ static int x509_date_is_valid(const mbedtls_x509_time *time)
    return( 0 );
 }
 /*
 * Parse an ASN1_UTC_TIME (yearlen=2) or ASN1_GENERALIZED_TIME (yearlen=4)
 * field.
 */
 static int x509_parse_time( unsigned char **p, size_t len, size_t yearlen,
        mbedtls_x509_time *time )
 {
    int ret;
    /*
     * Minimum length is 10 or 12 depending on yearlen
     */
    if ( len < yearlen + 8 )
        return ( MBEDTLS_ERR_X509_INVALID_DATE );
    len -= yearlen + 8;
    /*
     * Parse year, month, day, hour, minute
     */
    CHECK( x509_parse_int( p, yearlen, &time->year ) );
    if ( 2 == yearlen )
    {
        if ( time->year < 50 )
            time->year += 100;
        time->year += 1900;
    }
    CHECK( x509_parse_int( p, 2, &time->mon ) );
    CHECK( x509_parse_int( p, 2, &time->day ) );
    CHECK( x509_parse_int( p, 2, &time->hour ) );
    CHECK( x509_parse_int( p, 2, &time->min ) );
    /*
     * Parse seconds if present
     */
    if ( len >= 2 )
    {
        CHECK( x509_parse_int( p, 2, &time->sec ) );
        len -= 2;
    }
    else
        return ( MBEDTLS_ERR_X509_INVALID_DATE );
    /*
     * Parse trailing 'Z' if present
     */
    if ( 1 == len && 'Z' == **p )
    {
        (*p)++;
        len--;
    }
    /*
     * We should have parsed all characters at this point
     */
    if ( 0 != len )
        return ( MBEDTLS_ERR_X509_INVALID_DATE );
    CHECK( x509_date_is_valid( time ) );
    return ( 0 );
 }
 /*
 *  Time ::= CHOICE {
 *       utcTime        UTCTime,
@ -526,7 +596,7 @@ int mbedtls_x509_get_time( unsigned char **p, const unsigned char *end,
                   mbedtls_x509_time *time )
 {
    int ret;
-    size_t len;
+    size_t len, year_len;
    unsigned char tag;
    if( ( end - *p ) < 1 )
@ -536,55 +606,20 @@ int mbedtls_x509_get_time( unsigned char **p, const unsigned char *end,
    tag = **p;
    if( tag == MBEDTLS_ASN1_UTC_TIME )
-    {
+        year_len = 2;
        (*p)++;
        ret = mbedtls_asn1_get_len( p, end, &len );
        if( ret != 0 )
            return( MBEDTLS_ERR_X509_INVALID_DATE + ret );
        CHECK( x509_parse_int( p, 2, &time->year ) );
        CHECK( x509_parse_int( p, 2, &time->mon ) );
        CHECK( x509_parse_int( p, 2, &time->day ) );
        CHECK( x509_parse_int( p, 2, &time->hour ) );
        CHECK( x509_parse_int( p, 2, &time->min ) );
        if( len > 10 )
            CHECK( x509_parse_int( p, 2, &time->sec ) );
        if( len > 12 && *(*p)++ != 'Z' )
            return( MBEDTLS_ERR_X509_INVALID_DATE );
        time->year +=  100 * ( time->year < 50 );
        time->year += 1900;
        CHECK( x509_date_is_valid( time ) );
        return( 0 );
    }
    else if( tag == MBEDTLS_ASN1_GENERALIZED_TIME )
-    {
+        year_len = 4;
        (*p)++;
        ret = mbedtls_asn1_get_len( p, end, &len );
        if( ret != 0 )
            return( MBEDTLS_ERR_X509_INVALID_DATE + ret );
        CHECK( x509_parse_int( p, 4, &time->year ) );
        CHECK( x509_parse_int( p, 2, &time->mon ) );
        CHECK( x509_parse_int( p, 2, &time->day ) );
        CHECK( x509_parse_int( p, 2, &time->hour ) );
        CHECK( x509_parse_int( p, 2, &time->min ) );
        if( len > 12 )
            CHECK( x509_parse_int( p, 2, &time->sec ) );
        if( len > 14 && *(*p)++ != 'Z' )
            return( MBEDTLS_ERR_X509_INVALID_DATE );
        CHECK( x509_date_is_valid( time ) );
        return( 0 );
    }
    else
        return( MBEDTLS_ERR_X509_INVALID_DATE +
                MBEDTLS_ERR_ASN1_UNEXPECTED_TAG );
    (*p)++;
    ret = mbedtls_asn1_get_len( p, end, &len );
    if( ret != 0 )
        return( MBEDTLS_ERR_X509_INVALID_DATE + ret );
    return x509_parse_time( p, len, year_len, time );
 }
 int mbedtls_x509_get_sig( unsigned char **p, const unsigned char *end, mbedtls_x509_buf *sig )
--- a/library/x509_crl.c
+++ b/library/x509_crl.c
@ -525,16 +525,17 @@ int mbedtls_x509_crl_parse( mbedtls_x509_crl *chain, const unsigned char *buf, s
            if( ( ret = mbedtls_x509_crl_parse_der( chain,
                                            pem.buf, pem.buflen ) ) != 0 )
            {
                mbedtls_pem_free( &pem );
                return( ret );
            }
            mbedtls_pem_free( &pem );
        }
-        else if( ret != MBEDTLS_ERR_PEM_NO_HEADER_FOOTER_PRESENT )
+        else if( is_pem )
        {
            mbedtls_pem_free( &pem );
            return( ret );
        }
        mbedtls_pem_free( &pem );
    }
    /* In the PEM case, buflen is 1 at the end, for the terminated NULL byte.
     * And a valid CRL cannot be less than 1 byte anyway. */
--- a/library/x509_crt.c
+++ b/library/x509_crt.c
@ -1904,6 +1904,7 @@ static int x509_crt_verify_top(
    int check_path_cnt;
    unsigned char hash[MBEDTLS_MD_MAX_SIZE];
    const mbedtls_md_info_t *md_info;
    mbedtls_x509_crt *future_past_ca = NULL;
    if( mbedtls_x509_time_is_past( &child->valid_to ) )
        *flags |= MBEDTLS_X509_BADCERT_EXPIRED;
@ -1958,16 +1959,6 @@ static int x509_crt_verify_top(
            continue;
        }
        if( mbedtls_x509_time_is_past( &trust_ca->valid_to ) )
        {
            continue;
        }
        if( mbedtls_x509_time_is_future( &trust_ca->valid_from ) )
        {
            continue;
        }
        if( mbedtls_pk_verify_ext( child->sig_pk, child->sig_opts, &trust_ca->pk,
                           child->sig_md, hash, mbedtls_md_get_size( md_info ),
                           child->sig.p, child->sig.len ) != 0 )
@ -1975,6 +1966,20 @@ static int x509_crt_verify_top(
            continue;
        }
        if( mbedtls_x509_time_is_past( &trust_ca->valid_to ) ||
            mbedtls_x509_time_is_future( &trust_ca->valid_from ) )
        {
            if ( future_past_ca == NULL )
                future_past_ca = trust_ca;
            continue;
        }
        break;
    }
    if( trust_ca != NULL || ( trust_ca = future_past_ca ) != NULL )
    {
        /*
         * Top of chain is signed by a trusted CA
         */
@ -1982,8 +1987,6 @@ static int x509_crt_verify_top(
        if( x509_profile_check_key( profile, child->sig_pk, &trust_ca->pk ) != 0 )
            *flags |= MBEDTLS_X509_BADCERT_BAD_KEY;
        break;
    }
    /*
@ -2003,6 +2006,12 @@ static int x509_crt_verify_top(
        ((void) ca_crl);
 #endif
        if( mbedtls_x509_time_is_past( &trust_ca->valid_to ) )
            ca_flags |= MBEDTLS_X509_BADCERT_EXPIRED;
        if( mbedtls_x509_time_is_future( &trust_ca->valid_from ) )
            ca_flags |= MBEDTLS_X509_BADCERT_FUTURE;
        if( NULL != f_vrfy )
        {
            if( ( ret = f_vrfy( p_vrfy, trust_ca, path_cnt + 1,
--- a/tests/data_files/crl-malformed-trailing-spaces.pem
+++ b/tests/data_files/crl-malformed-trailing-spaces.pem
@ -0,0 +1,20 @@
 -----BEGIN X509 CRL-----
 MIIBbzCB9gIBATAJBgcqhkjOPQQBMD4xCzAJBgNVBAYTAk5MMREwDwYDVQQKEwhQ
 b2xhclNTTDEcMBoGA1UEAxMTUG9sYXJzc2wgVGVzdCBFQyBDQRcNMTMwOTI0MTYz
 MTA4WhcNMjMwOTIyMTYzMTA4WjAUMBICAQoXDTEzMDkyNDE2MjgzOFqgcjBwMG4G
 A1UdIwRnMGWAFJ1tICRJAT8ry3i1Gbx+JMnb+zZ8oUKkQDA+MQswCQYDVQQGEwJO
 TDERMA8GA1UEChMIUG9sYXJTU0wxHDAaBgNVBAMTE1BvbGFyc3NsIFRlc3QgRUMg
 Q0GCCQDBQ+J+YkPM6DAJBgcqhkjOPQQBA2kAMGYCMQDVG95rrSSl4dJgbJ5vR1GW
 svEuEsAh35EhF1WrcadMuCeMQVX9cUPupFfQUpHyMfoCMQCKf0yv8pN9BAoi3FVm
 56meWPhUekgLKKMAobt2oJJY6feuiFU2YFGs1aF0rV6Bj+U=
 -----END X509 CRL-----
 -----BEGIN X509 CRL-----
 MIIBcTCB9wIBATAKBggqhkjOPQQDBDA+MQswCQYDVQQGEwJOTDERMA8GA1UEChMI
 UG9sYXJTU0wxHDAaBgNVBAMTE1BvbGFyc3NsIFRlc3QgRUMgQ0EXDTEzMDkyNDE2
 MzEwOFoXDTIzMDkyMjE2MzEwOFowFDASAgEKFw0xMzA5MjQxNjI4MzhaoHIwcDBu
 BgNVHSMEZzBlgBSdbSAkSQE/K8t4tRm8fiTJ2/s2fKFCpEAwPjELMAkGA1UEBhMC
 TkwxETAPBgNVBAoTCFBvbGFyU1NMMRwwGgYDVQQDExNQb2xhcnNzbCBUZXN0IEVD
 IENBggkAwUPifmJDzOgwCgYIKoZIzj0EAwQDaQAwZgIxAL/VFrDIYUECsS0rVpAy
 6zt/CqeAZ1sa/l5LTaG1XW286n2Kibipr6EpkYZNYIQILgIxAI0wb3Py1DHPWpYf
 /BFBH7C3KYq+nWTrLeEnhrjU1LzG/CiQ8lnuskya6lw/P3lJ/A==
 -----END X509 CRL-----      
--- a/tests/data_files/test-ca2_cat-future-invalid.crt
+++ b/tests/data_files/test-ca2_cat-future-invalid.crt
@ -0,0 +1,27 @@
 -----BEGIN CERTIFICATE-----
 MIICIDCCAaWgAwIBAgIBCjAKBggqhkjOPQQDAjA+MQswCQYDVQQGEwJOTDERMA8G
 A1UEChMIUG9sYXJTU0wxHDAaBgNVBAMTE1BvbGFyc3NsIFRlc3QgRUMgQ0EwHhcN
 MTMwOTI0MTU1MjA0WhcNMjMwOTIyMTU1MjA0WjA0MQswCQYDVQQGEwJOTDERMA8G
 A1UEChMIUG9sYXJTU0wxEjAQBgNVBAMTCWxvY2FsaG9zdDBZMBMGByqGSM49AgEG
 CCqGSM49AwEHA0IABIFZMXZJJPoVraugMW4O7TMR+pElVcGwwZwDcj6Yui2kcjeJ
 H0M3jR+OOtjwV+gvT8kApPfbcw+yxgSU0UA7OOOjgZ0wgZowCQYDVR0TBAIwADAd
 BgNVHQ4EFgQUfmWPPjMDFOXhvmCy4IV/jOdgK3swbgYDVR0jBGcwZYAUnW0gJEkB
 PyvLeLUZvH4kydv7NnyhQqRAMD4xCzAJBgNVBAYTAk5MMREwDwYDVQQKEwhQb2xh
 clNTTDEcMBoGA1UEAxMTUG9sYXJzc2wgVGVzdCBFQyBDQYIJAMFD4n5iQ8zoMAoG
 CCqGSM49BAMCA2kAMGYCMQCsYTyleBFuI4nizuxo/ie5dxJnD0ynwCnRJ+84PZP4
 AQA3HdUz0qNYs4CZ2am9Gz0CMQDr2TNLFA3C3S3pmgXMT0eKzR1Ca1/Nulf0llQZ
 Xj09kLboxuemP40IIqhQnpYptMg=
 -----END CERTIFICATE-----
 -----BEGIN CERTIFICATE-----
 MIIB+zCCAYCgAwIBAgIBATAMBggqhkjOPQQDAgUAMD4xCzAJBgNVBAYTAk5MMREw
 DwYDVQQKEwhQb2xhclNTTDEcMBoGA1UEAxMTUG9sYXJzc2wgVGVzdCBFQyBDQTAe
 Fw0yMzA5MjIxNTQ5NDlaFw0zMDEyMzEyMzU5NTlaMD4xCzAJBgNVBAYTAk5MMREw
 DwYDVQQKEwhQb2xhclNTTDEcMBoGA1UEAxMTUG9sYXJzc2wgVGVzdCBFQyBDQTB2
 MBAGByqGSM49AgEGBSuBBAAiA2IABMPaKzRBN1gvh1b+/Im6KUNLTuBuww5XUzM5
 WNRStJGVOQsj318XJGJI/BqVKc4sLYfCiFKAr9ZqqyHduNMcbli4yuiyaY7zQa0p
 w7RfdadHb9UZKVVpmlM7ILRmFmAzHqNQME4wDAYDVR0TBAUwAwEB/zAdBgNVHQ4E
 FgQUnW0gJEkBPyvLeLUZvH4kydv7NnwwHwYDVR0jBBgwFoAUnW0gJEkBPyvLeLUZ
 vH4kydv7NnwwDAYIKoZIzj0EAwIFAANnADBkAjB1ZNdOM7KRJiPo45hP17A1sJSH
 qHFPEJbml6KdNevoVZ1HqvP8AoFGcPJRpQVtzC0CMDa7JEqn0dOss8EmW9pVF/N2
 +XvzNczj89mWMgPhJJlT+MONQx3LFQO+TMSI9hLdkw==
 -----END CERTIFICATE-----
--- a/tests/data_files/test-ca2_cat-past-invalid.crt
+++ b/tests/data_files/test-ca2_cat-past-invalid.crt
@ -0,0 +1,27 @@
 -----BEGIN CERTIFICATE-----
 MIIB/TCCAYCgAwIBAgIBATAMBggqhkjOPQQDAgUAMD4xCzAJBgNVBAYTAk5MMREw
 DwYDVQQKEwhQb2xhclNTTDEcMBoGA1UEAxMTUG9sYXJzc2wgVGVzdCBFQyBDQTAe
 Fw0wMzA5MjQxNTQ5NDhaFw0xMzA5MjQxNTQ5NDhaMD4xCzAJBgNVBAYTAk5MMREw
 DwYDVQQKEwhQb2xhclNTTDEcMBoGA1UEAxMTUG9sYXJzc2wgVGVzdCBFQyBDQTB2
 MBAGByqGSM49AgEGBSuBBAAiA2IABMPaKzRBN1gvh1b+/Im6KUNLTuBuww5XUzM5
 WNRStJGVOQsj318XJGJI/BqVKc4sLYfCiFKAr9ZqqyHduNMcbli4yuiyaY7zQa0p
 w7RfdadHb9UZKVVpmlM7ILRmFmAzHqNQME4wDAYDVR0TBAUwAwEB/zAdBgNVHQ4E
 FgQUnW0gJEkBPyvLeLUZvH4kydv7NnwwHwYDVR0jBBgwFoAUnW0gJEkBPyvLeLUZ
 vH4kydv7NnwwDAYIKoZIzj0EAwIFAANpADBmAjEAvQ/49lXXrLYdOIGtTaYWjpZP
 tRBXQiGPMzUvmKBk7gM7bF4iFPsdJikyXHmuwv3RAjEA8vtUX8fAAB3fbh5dEXRm
 l7tz0Sw/RW6AHFtaIauGkhHqeKIaKIi6WSgHu6x97uyg
 -----END CERTIFICATE-----
 -----BEGIN CERTIFICATE-----
 MIICIDCCAaWgAwIBAgIBCjAKBggqhkjOPQQDAjA+MQswCQYDVQQGEwJOTDERMA8G
 A1UEChMIUG9sYXJTU0wxHDAaBgNVBAMTE1BvbGFyc3NsIFRlc3QgRUMgQ0EwHhcN
 MTMwOTI0MTU1MjA0WhcNMjMwOTIyMTU1MjA0WjA0MQswCQYDVQQGEwJOTDERMA8G
 A1UEChMIUG9sYXJTU0wxEjAQBgNVBAMTCWxvY2FsaG9zdDBZMBMGByqGSM49AgEG
 CCqGSM49AwEHA0IABIFZMXZJJPoVraugMW4O7TMR+pElVcGwwZwDcj6Yui2kcjeJ
 H0M3jR+OOtjwV+gvT8kApPfbcw+yxgSU0UA7OOOjgZ0wgZowCQYDVR0TBAIwADAd
 BgNVHQ4EFgQUfmWPPjMDFOXhvmCy4IV/jOdgK3swbgYDVR0jBGcwZYAUnW0gJEkB
 PyvLeLUZvH4kydv7NnyhQqRAMD4xCzAJBgNVBAYTAk5MMREwDwYDVQQKEwhQb2xh
 clNTTDEcMBoGA1UEAxMTUG9sYXJzc2wgVGVzdCBFQyBDQYIJAMFD4n5iQ8zoMAoG
 CCqGSM49BAMCA2kAMGYCMQCsYTyleBFuI4nizuxo/ie5dxJnD0ynwCnRJ+84PZP4
 AQA3HdUz0qNYs4CZ2am9Gz0CMQDr2TNLFA3C3S3pmgXMT0eKzR1Ca1/Nulf0llQZ
 Xj09kLboxuemP40IIqhQnpYptMg=
 -----END CERTIFICATE-----
--- a/tests/scripts/generate_code.pl
+++ b/tests/scripts/generate_code.pl
@ -256,7 +256,7 @@ while($test_cases =~ /\/\* BEGIN_CASE *([\w:]*) \*\/\n(.*?)\n\/\* END_CASE \*\//
            $param_defs .= "    char *param$i = params[$i];\n";
            $param_checks .= "    if( verify_string( &param$i ) != 0 ) return( DISPATCH_INVALID_TEST_DATA );\n";
            push @dispatch_params, "param$i";
-            $mapping_regex .= ":[^:\n]+";
+            $mapping_regex .= ":(?:\\\\.|[^:\n])+";
        }
        else
        {
--- a/tests/suites/test_suite_ctr_drbg.function
+++ b/tests/suites/test_suite_ctr_drbg.function
@ -39,6 +39,11 @@ void ctr_drbg_special_behaviours( )
    TEST_ASSERT( mbedtls_ctr_drbg_reseed( &ctx, additional,
                        MBEDTLS_CTR_DRBG_MAX_SEED_INPUT + 1 ) ==
                        MBEDTLS_ERR_CTR_DRBG_INPUT_TOO_BIG );
    mbedtls_ctr_drbg_set_entropy_len( &ctx, ~0 );
    TEST_ASSERT( mbedtls_ctr_drbg_reseed( &ctx, additional,
                        MBEDTLS_CTR_DRBG_MAX_SEED_INPUT ) ==
                        MBEDTLS_ERR_CTR_DRBG_INPUT_TOO_BIG );
 exit:
    mbedtls_ctr_drbg_free( &ctx );
 }
--- a/tests/suites/test_suite_ecp.data
+++ b/tests/suites/test_suite_ecp.data
@ -32,11 +32,19 @@ mbedtls_ecp_curve_info:MBEDTLS_ECP_DP_SECP192R1:19:192:"secp192r1"
 ECP check pubkey Montgomery #1 (too big)
 depends_on:MBEDTLS_ECP_DP_CURVE25519_ENABLED
-ecp_check_pub_mx:MBEDTLS_ECP_DP_CURVE25519:"010000000000000000000000000000000000000000000000000000000000000000":MBEDTLS_ERR_ECP_INVALID_KEY
+ecp_check_pub:MBEDTLS_ECP_DP_CURVE25519:"010000000000000000000000000000000000000000000000000000000000000000":"0":"1":MBEDTLS_ERR_ECP_INVALID_KEY
 ECP check pubkey Montgomery #2 (biggest)
 depends_on:MBEDTLS_ECP_DP_CURVE25519_ENABLED
-ecp_check_pub_mx:MBEDTLS_ECP_DP_CURVE25519:"FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF":0
+ecp_check_pub:MBEDTLS_ECP_DP_CURVE25519:"FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF":"0":"1":0
 ECP check pubkey Koblitz #1 (point not on curve)
 depends_on:MBEDTLS_ECP_DP_SECP224K1_ENABLED
 ecp_check_pub:MBEDTLS_ECP_DP_SECP224K1:"E2000000000000BB3A13D43B323337383935321F0603551D":"100101FF040830060101FF02010A30220603551D0E041B04636FC0C0":"1":MBEDTLS_ERR_ECP_INVALID_KEY
 ECP check pubkey Koblitz #2 (coordinate not affine)
 depends_on:MBEDTLS_ECP_DP_SECP224K1_ENABLED
 ecp_check_pub:MBEDTLS_ECP_DP_SECP224K1:"E2000000000000BB3A13D43B323337383935321F0603551D":"100101FF040830060101FF02010A30220603551D0E041B04636FC0C0":"101":MBEDTLS_ERR_ECP_INVALID_KEY
 ECP write binary #0 (zero, bad format)
 depends_on:MBEDTLS_ECP_DP_SECP192R1_ENABLED
--- a/tests/suites/test_suite_ecp.function
+++ b/tests/suites/test_suite_ecp.function
@ -29,7 +29,7 @@ void mbedtls_ecp_curve_info( int id, int tls_id, int size, char *name )
 /* END_CASE */
 /* BEGIN_CASE */
-void ecp_check_pub_mx( int grp_id, char *key_hex, int ret )
+void ecp_check_pub( int grp_id, char *x_hex, char *y_hex, char *z_hex, int ret )
 {
    mbedtls_ecp_group grp;
    mbedtls_ecp_point P;
@ -39,8 +39,9 @@ void ecp_check_pub_mx( int grp_id, char *key_hex, int ret )
    TEST_ASSERT( mbedtls_ecp_group_load( &grp, grp_id ) == 0 );
-    TEST_ASSERT( mbedtls_mpi_read_string( &P.X, 16, key_hex ) == 0 );
+    TEST_ASSERT( mbedtls_mpi_read_string( &P.X, 16, x_hex ) == 0 );
-    TEST_ASSERT( mbedtls_mpi_lset( &P.Z, 1 ) == 0 );
+    TEST_ASSERT( mbedtls_mpi_read_string( &P.Y, 16, y_hex ) == 0 );
    TEST_ASSERT( mbedtls_mpi_read_string( &P.Z, 16, z_hex ) == 0 );
    TEST_ASSERT( mbedtls_ecp_check_pubkey( &grp, &P ) == ret );
--- a/tests/suites/test_suite_mpi.data
+++ b/tests/suites/test_suite_mpi.data
@ -46,6 +46,9 @@ mpi_read_write_string:16:"":16:"00":4:0:0
 Test mpi_read_write_string #9 (Empty MPI -> dec)
 mpi_read_write_string:16:"":10:"0":4:0:0
 Test mpi_write_string #10 (Negative hex with odd number of digits)
 mpi_read_write_string:16:"-1":16:"":3:0:MBEDTLS_ERR_MPI_BUFFER_TOO_SMALL
 Base test mbedtls_mpi_read_binary #1
 mbedtls_mpi_read_binary:"0941379d00fed1491fe15df284dfde4a142f68aa8d412023195cee66883e6290ffe703f4ea5963bf212713cee46b107c09182b5edcd955adac418bf4918e2889af48e1099d513830cec85c26ac1e158b52620e33ba8692f893efbb2f958b4424":10:"56125680981752282334141896320372489490613963693556392520816017892111350604111697682705498319512049040516698827829292076808006940873974979584527073481012636016353913462376755556720019831187364993587901952757307830896531678727717924"
--- a/tests/suites/test_suite_pem.data
+++ b/tests/suites/test_suite_pem.data
@ -15,3 +15,13 @@ mbedtls_pem_write_buffer:"-----START TEST-----\n":"-----END TEST-----\n":"000102
 PEM write (exactly two lines + 1)
 mbedtls_pem_write_buffer:"-----START TEST-----\n":"-----END TEST-----\n":"000102030405060708090A0B0C0D0E0F000102030405060708090A0B0C0D0E0F000102030405060708090A0B0C0D0E0F000102030405060708090A0B0C0D0E0F000102030405060708090A0B0C0D0E0F000102030405060708090A0B0C0D0E0F00":"-----START TEST-----\nAAECAwQFBgcICQoLDA0ODwABAgMEBQYHCAkKCwwNDg8AAQIDBAUGBwgJCgsMDQ4P\nAAECAwQFBgcICQoLDA0ODwABAgMEBQYHCAkKCwwNDg8AAQIDBAUGBwgJCgsMDQ4P\nAA==\n-----END TEST-----\n"
 PEM read (DES-EDE3-CBC + invalid iv)
 mbedtls_pem_read_buffer:"^":"$":"^\nProc-Type\: 4,ENCRYPTED\nDEK-Info\: DES-EDE3-CBC,00$":MBEDTLS_ERR_PEM_INVALID_ENC_IV
 PEM read (DES-CBC + invalid iv)
 mbedtls_pem_read_buffer:"^":"$":"^\nProc-Type\: 4,ENCRYPTED\nDEK-Info\: DES-CBC,00$":MBEDTLS_ERR_PEM_INVALID_ENC_IV
 PEM read (unknown encryption algorithm)
 mbedtls_pem_read_buffer:"^":"$":"^\nProc-Type\: 4,ENCRYPTED\nDEK-Info\: AES-,00$":MBEDTLS_ERR_PEM_UNKNOWN_ENC_ALG
--- a/tests/suites/test_suite_pem.function
+++ b/tests/suites/test_suite_pem.function
@ -3,12 +3,7 @@
 #include "mbedtls/pem.h"
 /* END_HEADER */
-/* BEGIN_DEPENDENCIES
+/* BEGIN_CASE depends_on:MBEDTLS_PEM_WRITE_C */
 * depends_on:MBEDTLS_PEM_WRITE_C
 * END_DEPENDENCIES
 */
 /* BEGIN_CASE */
 void mbedtls_pem_write_buffer( char *start, char *end, char *buf_str, char *result_str )
 {
    unsigned char buf[5000];
@ -38,3 +33,20 @@ exit:
    mbedtls_free( check_buf );
 }
 /* END_CASE */
 /* BEGIN_CASE depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_AES_C:MBEDTLS_DES_C:MBEDTLS_MD5_C:MBEDTLS_CIPHER_MODE_CBC */
 void mbedtls_pem_read_buffer( char *header, char *footer, char *data, int ret )
 {
    mbedtls_pem_context ctx;
    size_t use_len = 0;
    mbedtls_pem_init( &ctx );
    TEST_ASSERT( mbedtls_pem_read_buffer( &ctx, header, footer,
                                          (const unsigned char *)data, NULL, 0,
                                          &use_len ) == ret );
 exit:
    mbedtls_pem_free( &ctx );
 }
 /* END_CASE */
--- a/tests/suites/test_suite_x509parse.data
+++ b/tests/suites/test_suite_x509parse.data
@ -198,6 +198,10 @@ X509 CRL Information EC, SHA512 Digest
 depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_SHA512_C
 mbedtls_x509_crl_info:"data_files/crl-ec-sha512.pem":"CRL version   \: 2\nissuer name   \: C=NL, O=PolarSSL, CN=Polarssl Test EC CA\nthis update   \: 2013-09-24 16\:31\:08\nnext update   \: 2023-09-22 16\:31\:08\nRevoked certificates\:\nserial number\: 0A revocation date\: 2013-09-24 16\:28\:38\nsigned using  \: ECDSA with SHA512\n"
 X509 CRL Malformed Input (trailing spaces at end of file)
 depends_on:MBEDTLS_PEM_PARSE_C
 mbedtls_x509_crl_parse:"data_files/crl-malformed-trailing-spaces.pem":MBEDTLS_ERR_PEM_NO_HEADER_FOOTER_PRESENT
 X509 CSR Information RSA with MD4
 depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_MD4_C
 mbedtls_x509_csr_info:"data_files/server1.req.md4":"CSR version   \: 1\nsubject name  \: C=NL, O=PolarSSL, CN=PolarSSL Server 1\nsigned using  \: RSA with MD4\nRSA key size  \: 2048 bits\n"
@ -715,6 +719,14 @@ X509 Certificate verification #85 (Not yet valid CA and valid CA)
 depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_ECP_C:MBEDTLS_ECP_DP_SECP256R1_ENABLED:MBEDTLS_ECP_DP_SECP384R1_ENABLED:MBEDTLS_SHA1_C:MBEDTLS_SHA256_C
 x509_verify:"data_files/server5.crt":"data_files/test-ca2_cat-past-present.crt":"data_files/crl-ec-sha1.pem":"NULL":0:0:"NULL"
 X509 Certificate verification #86 (Not yet valid CA and invalid CA)
 depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_ECP_C:MBEDTLS_ECP_DP_SECP256R1_ENABLED:MBEDTLS_ECP_DP_SECP384R1_ENABLED:MBEDTLS_SHA1_C:MBEDTLS_SHA256_C
 x509_verify:"data_files/server5.crt":"data_files/test-ca2_cat-future-invalid.crt":"data_files/crl-ec-sha1.pem":"NULL":MBEDTLS_ERR_X509_CERT_VERIFY_FAILED:MBEDTLS_X509_BADCERT_FUTURE:"NULL"
 X509 Certificate verification #87 (Expired CA and invalid CA)
 depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_ECP_C:MBEDTLS_ECP_DP_SECP256R1_ENABLED:MBEDTLS_ECP_DP_SECP384R1_ENABLED:MBEDTLS_SHA1_C:MBEDTLS_SHA256_C
 x509_verify:"data_files/server5.crt":"data_files/test-ca2_cat-past-invalid.crt":"data_files/crl-ec-sha1.pem":"NULL":MBEDTLS_ERR_X509_CERT_VERIFY_FAILED:MBEDTLS_X509_BADCERT_EXPIRED:"NULL"
 X509 Certificate verification callback: trusted EE cert
 depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_ECDSA_C:MBEDTLS_SHA256_C:MBEDTLS_ECP_DP_SECP256R1_ENABLED
 x509_verify_callback:"data_files/server5-selfsigned.crt":"data_files/server5-selfsigned.crt":0:"depth 0 - serial 53\:A2\:CB\:4B\:12\:4E\:AD\:83\:7D\:A8\:94\:B2 - subject CN=selfsigned, OU=testing, O=PolarSSL, C=NL\n"
@ -1562,3 +1574,64 @@ x509_get_time:MBEDTLS_ASN1_UTC_TIME:"001130236012Z":MBEDTLS_ERR_X509_INVALID_DAT
 X509 Get time (UTC invalid sec)
 depends_on:MBEDTLS_X509_USE_C
 x509_get_time:MBEDTLS_ASN1_UTC_TIME:"001130235960Z":MBEDTLS_ERR_X509_INVALID_DATE:0:0:0:0:0:0
 X509 Get time (UTC without time zone)
 depends_on:MBEDTLS_X509_USE_C
 x509_get_time:MBEDTLS_ASN1_UTC_TIME:"000229121212":0:2000:2:29:12:12:12
 X509 Get time (UTC with invalid time zone #1)
 depends_on:MBEDTLS_X509_USE_C
 x509_get_time:MBEDTLS_ASN1_UTC_TIME:"000229121212J":MBEDTLS_ERR_X509_INVALID_DATE:0:0:0:0:0:0
 X509 Get time (UTC with invalid time zone #2)
 depends_on:MBEDTLS_X509_USE_C
 x509_get_time:MBEDTLS_ASN1_UTC_TIME:"000229121212+0300":MBEDTLS_ERR_X509_INVALID_DATE:0:0:0:0:0:0
 X509 Get time (Date with invalid tag)
 depends_on:MBEDTLS_X509_USE_C
 x509_get_time:MBEDTLS_ASN1_CONTEXT_SPECIFIC:"000229121212":MBEDTLS_ERR_X509_INVALID_DATE+MBEDTLS_ERR_ASN1_UNEXPECTED_TAG:0:0:0:0:0:0
 X509 Get time (UTC, truncated)
 depends_on:MBEDTLS_X509_USE_C
 x509_get_time:MBEDTLS_ASN1_UTC_TIME:"000229121":MBEDTLS_ERR_X509_INVALID_DATE:0:0:0:0:0:0
 X509 Get time (Generalized Time, truncated)
 depends_on:MBEDTLS_X509_USE_C
 x509_get_time:MBEDTLS_ASN1_GENERALIZED_TIME:"20000229121":MBEDTLS_ERR_X509_INVALID_DATE:0:0:0:0:0:0
 X509 Get time (UTC without seconds)
 depends_on:MBEDTLS_X509_USE_C
 x509_get_time:MBEDTLS_ASN1_UTC_TIME:"0002291212":MBEDTLS_ERR_X509_INVALID_DATE:2000:2:29:12:12:0
 X509 Get time (UTC without seconds and with invalid time zone #1)
 depends_on:MBEDTLS_X509_USE_C
 x509_get_time:MBEDTLS_ASN1_UTC_TIME:"0002291212J":MBEDTLS_ERR_X509_INVALID_DATE:0:0:0:0:0:0
 X509 Get time (UTC without second and with invalid time zone #2)
 depends_on:MBEDTLS_X509_USE_C
 x509_get_time:MBEDTLS_ASN1_UTC_TIME:"0002291212+0300":MBEDTLS_ERR_X509_INVALID_DATE:0:0:0:0:0:0
 X509 Get time (UTC invalid character in year)
 depends_on:MBEDTLS_X509_USE_C
 x509_get_time:MBEDTLS_ASN1_UTC_TIME:"0\1130231212Z":MBEDTLS_ERR_X509_INVALID_DATE:0:0:0:0:0:0
 X509 Get time (UTC invalid character in month)
 depends_on:MBEDTLS_X509_USE_C
 x509_get_time:MBEDTLS_ASN1_UTC_TIME:"001%30231212Z":MBEDTLS_ERR_X509_INVALID_DATE:0:0:0:0:0:0
 X509 Get time (UTC invalid character in day)
 depends_on:MBEDTLS_X509_USE_C
 x509_get_time:MBEDTLS_ASN1_UTC_TIME:"0011`0231212Z":MBEDTLS_ERR_X509_INVALID_DATE:0:0:0:0:0:0
 X509 Get time (UTC invalid character in hour)
 depends_on:MBEDTLS_X509_USE_C
 x509_get_time:MBEDTLS_ASN1_UTC_TIME:"0011302h1212Z":MBEDTLS_ERR_X509_INVALID_DATE:0:0:0:0:0:0
 X509 Get time (UTC invalid character in min)
 depends_on:MBEDTLS_X509_USE_C
 x509_get_time:MBEDTLS_ASN1_UTC_TIME:"00113023u012Z":MBEDTLS_ERR_X509_INVALID_DATE:0:0:0:0:0:0
 X509 Get time (UTC invalid character in sec)
 depends_on:MBEDTLS_X509_USE_C
 x509_get_time:MBEDTLS_ASN1_UTC_TIME:"0011302359n0Z":MBEDTLS_ERR_X509_INVALID_DATE:0:0:0:0:0:0
--- a/tests/suites/test_suite_x509parse.function
+++ b/tests/suites/test_suite_x509parse.function
@ -163,6 +163,22 @@ exit:
 }
 /* END_CASE */
 /* BEGIN_CASE depends_on:MBEDTLS_FS_IO:MBEDTLS_X509_CRL_PARSE_C */
 void mbedtls_x509_crl_parse( char *crl_file, int result )
 {
    mbedtls_x509_crl   crl;
    char buf[2000];
    mbedtls_x509_crl_init( &crl );
    memset( buf, 0, 2000 );
    TEST_ASSERT( mbedtls_x509_crl_parse_file( &crl, crl_file ) == result );
 exit:
    mbedtls_x509_crl_free( &crl );
 }
 /* END_CASE */
 /* BEGIN_CASE depends_on:MBEDTLS_FS_IO:MBEDTLS_X509_CSR_PARSE_C */
 void mbedtls_x509_csr_info( char *csr_file, char *result_str )
 {
@ -597,16 +613,14 @@ void x509_get_time( int tag,  char *time_str, int ret,
                    int hour, int min, int sec )
 {
    mbedtls_x509_time time;
-    unsigned char buf[17];
+    unsigned char buf[21];
    unsigned char* start = buf;
    unsigned char* end = buf;
    memset( &time, 0x00, sizeof( time ) );
    *end = (unsigned char)tag; end++;
-    if( tag == MBEDTLS_ASN1_UTC_TIME )
+    *end = strlen( time_str );
-        *end = 13;
+    TEST_ASSERT( *end < 20 );
    else
        *end = 15;
    end++;
    memcpy( end, time_str, (size_t)*(end - 1) );
    end += *(end - 1);