Merged Public Key framwork tests
diff --git a/ChangeLog b/ChangeLog
index d9f3edb..3f07469 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,5 +1,14 @@
PolarSSL ChangeLog (Sorted per branch, date)
+= PolarSSL 1.3 branch
+Features
+ * PK tests added to test framework
+
+Bugfix
+ * Server does not send out extensions not advertised by client
+ * Prevent possible alignment warnings on casting from char * to 'aligned *'
+ * Misc fixes and additions to dependency checks
+
= PolarSSL 1.3.1 released on 2013-10-15
Features
* Support for Brainpool curves and TLS ciphersuites (RFC 7027)
diff --git a/include/polarssl/config.h b/include/polarssl/config.h
index 4973ea4..5406583 100644
--- a/include/polarssl/config.h
+++ b/include/polarssl/config.h
@@ -658,7 +658,7 @@
*
* Enable support for TLS 1.2.
*
- * Requires: POLARSSL_SHA256_C or POLARSSL_SHA512_C
+ * Requires: POLARSSL_SHA1_C or POLARSSL_SHA256_C or POLARSSL_SHA512_C
* (Depends on ciphersuites)
*
* Comment this macro to disable support for TLS 1.2
@@ -916,6 +916,8 @@
* Module: library/certs.c
* Caller:
*
+ * Requires: POLARSSL_PEM_PARSE_C
+ *
* This module is used for testing (ssl_client/server).
*/
#define POLARSSL_CERTS_C
@@ -1721,14 +1723,18 @@
/*
* Sanity checks on defines and dependencies
*/
-#if defined(POLARSSL_DHM_C) && !defined(POLARSSL_BIGNUM_C)
-#error "POLARSSL_DHM_C defined, but not all prerequisites"
+#if defined(POLARSSL_CERTS_C) && !defined(POLARSSL_PEM_PARSE_C)
+#error "POLARSSL_CERTS_C defined, but not all prerequisites"
#endif
#if defined(POLARSSL_CTR_DRBG_C) && !defined(POLARSSL_AES_C)
#error "POLARSSL_CTR_DRBG_C defined, but not all prerequisites"
#endif
+#if defined(POLARSSL_DHM_C) && !defined(POLARSSL_BIGNUM_C)
+#error "POLARSSL_DHM_C defined, but not all prerequisites"
+#endif
+
#if defined(POLARSSL_ECDH_C) && !defined(POLARSSL_ECP_C)
#error "POLARSSL_ECDH_C defined, but not all prerequisites"
#endif
@@ -1740,15 +1746,15 @@
#error "POLARSSL_ECDSA_C defined, but not all prerequisites"
#endif
-#if defined(POLARSSL_ECP_C) && !defined(POLARSSL_BIGNUM_C) || ( \
- !defined(POLARSSL_ECP_DP_SECP192R1_ENABLED) && \
- !defined(POLARSSL_ECP_DP_SECP224R1_ENABLED) && \
- !defined(POLARSSL_ECP_DP_SECP256R1_ENABLED) && \
- !defined(POLARSSL_ECP_DP_SECP384R1_ENABLED) && \
- !defined(POLARSSL_ECP_DP_SECP521R1_ENABLED) && \
- !defined(POLARSSL_ECP_DP_BP256R1_ENABLED) && \
- !defined(POLARSSL_ECP_DP_BP384R1_ENABLED) && \
- !defined(POLARSSL_ECP_DP_BP512R1_ENABLED) )
+#if defined(POLARSSL_ECP_C) && ( !defined(POLARSSL_BIGNUM_C) || ( \
+ !defined(POLARSSL_ECP_DP_SECP192R1_ENABLED) && \
+ !defined(POLARSSL_ECP_DP_SECP224R1_ENABLED) && \
+ !defined(POLARSSL_ECP_DP_SECP256R1_ENABLED) && \
+ !defined(POLARSSL_ECP_DP_SECP384R1_ENABLED) && \
+ !defined(POLARSSL_ECP_DP_SECP521R1_ENABLED) && \
+ !defined(POLARSSL_ECP_DP_BP256R1_ENABLED) && \
+ !defined(POLARSSL_ECP_DP_BP384R1_ENABLED) && \
+ !defined(POLARSSL_ECP_DP_BP512R1_ENABLED) ) )
#error "POLARSSL_ECP_C defined, but not all prerequisites"
#endif
@@ -1845,6 +1851,26 @@
#error "POLARSSL_RSA_C defined, but not all prerequisites"
#endif
+#if defined(POLARSSL_SSL_PROTO_SSL3) && ( !defined(POLARSSL_MD5_C) || \
+ !defined(POLARSSL_SHA1_C) )
+#error "POLARSSL_SSL_PROTO_SSL3 defined, but not all prerequisites"
+#endif
+
+#if defined(POLARSSL_SSL_PROTO_TLS1) && ( !defined(POLARSSL_MD5_C) || \
+ !defined(POLARSSL_SHA1_C) )
+#error "POLARSSL_SSL_PROTO_TLS1 defined, but not all prerequisites"
+#endif
+
+#if defined(POLARSSL_SSL_PROTO_TLS1_1) && ( !defined(POLARSSL_MD5_C) || \
+ !defined(POLARSSL_SHA1_C) )
+#error "POLARSSL_SSL_PROTO_TLS1_1 defined, but not all prerequisites"
+#endif
+
+#if defined(POLARSSL_SSL_PROTO_TLS1_2) && ( !defined(POLARSSL_SHA1_C) && \
+ !defined(POLARSSL_SHA256_C) && !defined(POLARSSL_SHA512_C) )
+#error "POLARSSL_SSL_PROTO_TLS1_2 defined, but not all prerequisites"
+#endif
+
#if defined(POLARSSL_SSL_CLI_C) && !defined(POLARSSL_SSL_TLS_C)
#error "POLARSSL_SSL_CLI_C defined, but not all prerequisites"
#endif
diff --git a/include/polarssl/ssl.h b/include/polarssl/ssl.h
index c682c0a..6654998 100644
--- a/include/polarssl/ssl.h
+++ b/include/polarssl/ssl.h
@@ -343,6 +343,13 @@
#define TLS_EXT_RENEGOTIATION_INFO 0xFF01
/*
+ * TLS extension flags (for extensions with outgoing ServerHello content
+ * that need it (e.g. for RENEGOTIATION_INFO the server already knows because
+ * of state of the renegotiation flag, so no indicator is required)
+ */
+#define TLS_EXT_SUPPORTED_POINT_FORMATS_PRESENT (1 << 0)
+
+/*
* Size defines
*/
#if !defined(POLARSSL_MPI_MAX_SIZE)
@@ -546,6 +553,7 @@
int resume; /*!< session resume indicator*/
int max_major_ver; /*!< max. major version client*/
int max_minor_ver; /*!< max. minor version client*/
+ int cli_exts; /*!< client extension presence*/
#if defined(POLARSSL_SSL_SESSION_TICKETS)
int new_session_ticket; /*!< use NewSessionTicket? */
diff --git a/include/polarssl/ssl_ciphersuites.h b/include/polarssl/ssl_ciphersuites.h
index cbea298..8f126b2 100644
--- a/include/polarssl/ssl_ciphersuites.h
+++ b/include/polarssl/ssl_ciphersuites.h
@@ -215,6 +215,7 @@
#endif
int ssl_ciphersuite_uses_ec( const ssl_ciphersuite_t *info );
+int ssl_ciphersuite_uses_psk( const ssl_ciphersuite_t *info );
#ifdef __cplusplus
}
diff --git a/include/polarssl/x509_crt.h b/include/polarssl/x509_crt.h
index 0c1b9e1..a556676 100644
--- a/include/polarssl/x509_crt.h
+++ b/include/polarssl/x509_crt.h
@@ -400,6 +400,7 @@
int x509write_crt_set_basic_constraints( x509write_cert *ctx,
int is_ca, int max_pathlen );
+#if defined(POLARSSL_SHA1_C)
/**
* \brief Set the subjectKeyIdentifier extension for a CRT
* Requires that x509write_crt_set_subject_key() has been
@@ -421,6 +422,7 @@
* \return 0 if successful, or a POLARSSL_ERR_X509WRITE_MALLOC_FAILED
*/
int x509write_crt_set_authority_key_identifier( x509write_cert *ctx );
+#endif /* POLARSSL_SHA1_C */
/**
* \brief Set the Key Usage Extension flags
diff --git a/library/ecdsa.c b/library/ecdsa.c
index 91777ec..f653748 100644
--- a/library/ecdsa.c
+++ b/library/ecdsa.c
@@ -291,12 +291,14 @@
*/
int ecdsa_from_keypair( ecdsa_context *ctx, const ecp_keypair *key )
{
- int ret = ecp_group_copy( &ctx->grp, &key->grp ) ||
- mpi_copy( &ctx->d, &key->d ) ||
- ecp_copy( &ctx->Q, &key->Q );
+ int ret;
- if( ret != 0 )
+ if( ( ret = ecp_group_copy( &ctx->grp, &key->grp ) ) != 0 ||
+ ( ret = mpi_copy( &ctx->d, &key->d ) ) != 0 ||
+ ( ret = ecp_copy( &ctx->Q, &key->Q ) ) != 0 )
+ {
ecdsa_free( ctx );
+ }
return( ret );
}
diff --git a/library/oid.c b/library/oid.c
index c9cfe48..a4f2c0c 100644
--- a/library/oid.c
+++ b/library/oid.c
@@ -47,9 +47,22 @@
* Macro to generate an internal function for oid_XXX_from_asn1() (used by
* the other functions)
*/
-#define FN_OID_TYPED_FROM_ASN1( TYPE_T, NAME, LIST ) \
-static const TYPE_T * oid_ ## NAME ## _from_asn1( const asn1_buf *oid ) \
-{ return (const TYPE_T *) oid_descriptor_from_buf(LIST, sizeof(TYPE_T), oid->p, oid->len ); }
+#define FN_OID_TYPED_FROM_ASN1( TYPE_T, NAME, LIST ) \
+static const TYPE_T * oid_ ## NAME ## _from_asn1( const asn1_buf *oid ) \
+{ \
+ const TYPE_T *p = LIST; \
+ const oid_descriptor_t *cur = (const oid_descriptor_t *) p; \
+ if( p == NULL || oid == NULL ) return( NULL ); \
+ while( cur->asn1 != NULL ) { \
+ if( cur->asn1_len == oid->len && \
+ memcmp( cur->asn1, oid->p, oid->len ) == 0 ) { \
+ return( p ); \
+ } \
+ p++; \
+ cur = (const oid_descriptor_t *) p; \
+ } \
+ return( NULL ); \
+}
/*
* Macro to generate a function for retrieving a single attribute from the
@@ -133,34 +146,6 @@
}
/*
- * Core generic function
- */
-static const oid_descriptor_t *oid_descriptor_from_buf( const void *struct_set,
- size_t struct_size, const unsigned char *oid, size_t len )
-{
- const unsigned char *p = (const unsigned char *) struct_set;
- const oid_descriptor_t *cur;
-
- if( struct_set == NULL || oid == NULL )
- return( NULL );
-
- cur = (const oid_descriptor_t *) p;
- while( cur->asn1 != NULL )
- {
- if( cur->asn1_len == len &&
- memcmp( cur->asn1, oid, len ) == 0 )
- {
- return( cur );
- }
-
- p += struct_size;
- cur = (const oid_descriptor_t *) p;
- }
-
- return( NULL );
-}
-
-/*
* For X520 attribute types
*/
typedef struct {
diff --git a/library/ssl_ciphersuites.c b/library/ssl_ciphersuites.c
index 781edb2..9186cc4 100644
--- a/library/ssl_ciphersuites.c
+++ b/library/ssl_ciphersuites.c
@@ -1210,4 +1210,19 @@
}
}
+int ssl_ciphersuite_uses_psk( const ssl_ciphersuite_t *info )
+{
+ switch( info->key_exchange )
+ {
+ case POLARSSL_KEY_EXCHANGE_PSK:
+ case POLARSSL_KEY_EXCHANGE_RSA_PSK:
+ case POLARSSL_KEY_EXCHANGE_DHE_PSK:
+ case POLARSSL_KEY_EXCHANGE_ECDHE_PSK:
+ return( 1 );
+
+ default:
+ return( 0 );
+ }
+}
+
#endif
diff --git a/library/ssl_srv.c b/library/ssl_srv.c
index 5b35b94..7d81fc9 100644
--- a/library/ssl_srv.c
+++ b/library/ssl_srv.c
@@ -74,8 +74,6 @@
left -= sizeof( ssl_session );
#if defined(POLARSSL_X509_CRT_PARSE_C)
- ((ssl_session *) buf)->peer_cert = NULL;
-
if( session->peer_cert == NULL )
cert_len = 0;
else
@@ -1270,6 +1268,7 @@
case TLS_EXT_SUPPORTED_POINT_FORMATS:
SSL_DEBUG_MSG( 3, ( "found supported point formats extension" ) );
+ ssl->handshake->cli_exts |= TLS_EXT_SUPPORTED_POINT_FORMATS_PRESENT;
ret = ssl_parse_supported_point_formats( ssl, ext + 4, ext_size );
if( ret != 0 )
@@ -1395,6 +1394,16 @@
continue;
#endif
+#if defined(POLARSSL_KEY_EXCHANGE__SOME__PSK_ENABLED)
+ /* If the ciphersuite requires a pre-shared key and we don't
+ * have one, skip it now rather than failing later */
+ if( ssl_ciphersuite_uses_psk( ciphersuite_info ) &&
+ ssl->f_psk == NULL &&
+ ( ssl->psk == NULL || ssl->psk_identity == NULL ||
+ ssl->psk_identity_len == 0 || ssl->psk_len == 0 ) )
+ continue;
+#endif
+
#if defined(POLARSSL_X509_CRT_PARSE_C)
/*
* Final check: if ciphersuite requires us to have a
@@ -1546,7 +1555,12 @@
unsigned char *p = buf;
((void) ssl);
- *olen = 0;
+ if( ( ssl->handshake->cli_exts &
+ TLS_EXT_SUPPORTED_POINT_FORMATS_PRESENT ) == 0 )
+ {
+ *olen = 0;
+ return;
+ }
SSL_DEBUG_MSG( 3, ( "server hello, supported_point_formats extension" ) );
diff --git a/library/x509write_crt.c b/library/x509write_crt.c
index c3db3c4..86b4034 100644
--- a/library/x509write_crt.c
+++ b/library/x509write_crt.c
@@ -156,6 +156,7 @@
0, buf + sizeof(buf) - len, len );
}
+#if defined(POLARSSL_SHA1_C)
int x509write_crt_set_subject_key_identifier( x509write_cert *ctx )
{
int ret;
@@ -202,6 +203,7 @@
OID_SIZE( OID_AUTHORITY_KEY_IDENTIFIER ),
0, buf + sizeof(buf) - len, len );
}
+#endif /* POLARSSL_SHA1_C */
int x509write_crt_set_key_usage( x509write_cert *ctx, unsigned char key_usage )
{
diff --git a/programs/x509/cert_write.c b/programs/x509/cert_write.c
index 94dfa1d..8e4951e 100644
--- a/programs/x509/cert_write.c
+++ b/programs/x509/cert_write.c
@@ -571,6 +571,7 @@
printf( " ok\n" );
+#if defined(POLARSSL_SHA1_C)
printf( " . Adding the Subject Key Identifier ..." );
fflush( stdout );
@@ -596,6 +597,7 @@
}
printf( " ok\n" );
+#endif /* POLARSSL_SHA1_C */
if( opt.key_usage )
{
diff --git a/tests/suites/helpers.function b/tests/suites/helpers.function
index 881a0ac..b334954 100644
--- a/tests/suites/helpers.function
+++ b/tests/suites/helpers.function
@@ -2,6 +2,14 @@
#include "polarssl/memory.h"
#endif
+#if defined(WANT_NOT_RND_MPI)
+#if defined(POLARSSL_BIGNUM_C)
+#include "polarssl/bignum.h"
+#else
+#error "not_rnd_mpi() need bignum.c"
+#endif
+#endif
+
#ifdef _MSC_VER
#include <basetsd.h>
typedef UINT32 uint32_t;
@@ -225,48 +233,36 @@
return( 0 );
}
+#if defined(WANT_NOT_RND_MPI)
/**
- * This function returns a buffer given as a hex string.
+ * NOT random function, to match test vectors.
*
- * The buffer is reversed so that the following are equivalent:
- * mpi_fill_random( x, len, not_rnd, str );
+ * The following are equivalent:
+ * mpi_fill_random( x, strlen( str ) / 2, not_rnd, str );
* mpi_read_string( x, 16, str );
- * (So, not random at all. Usefull to match test vectors.)
- * Based on unhexify(), just reversed (changes marked by "sic")
+ * Warning: no other use is supported!
*/
-static int not_rnd( void *in, unsigned char *out, size_t len )
+#define ciL (sizeof(t_uint)) /* chars in limb */
+#define CHARS_TO_LIMBS(i) (((i) + ciL - 1) / ciL)
+static int not_rnd_mpi( void *in, unsigned char *out, size_t len )
{
- unsigned char *obuf;
- const char *ibuf = in;
- unsigned char c, c2;
- assert( len == strlen(ibuf) / 2 );
- assert(!(strlen(ibuf) %1)); // must be even number of bytes
+ char *str = (char *) in;
+ mpi X;
- obuf = out + (len - 1); // sic
- while (*ibuf != 0)
- {
- c = *ibuf++;
- if( c >= '0' && c <= '9' )
- c -= '0';
- else if( c >= 'a' && c <= 'f' )
- c -= 'a' - 10;
- else if( c >= 'A' && c <= 'F' )
- c -= 'A' - 10;
- else
- assert( 0 );
+ /*
+ * The 'in' pointer we get is from an MPI prepared by mpi_fill_random(),
+ * just reconstruct the rest in order to be able to call mpi_read_string()
+ */
+ X.s = 1;
+ X.p = (t_uint *) out;
+ X.n = CHARS_TO_LIMBS( len );
- c2 = *ibuf++;
- if( c2 >= '0' && c2 <= '9' )
- c2 -= '0';
- else if( c2 >= 'a' && c2 <= 'f' )
- c2 -= 'a' - 10;
- else if( c2 >= 'A' && c2 <= 'F' )
- c2 -= 'A' - 10;
- else
- assert( 0 );
+ /*
+ * If str is too long, mpi_read_string() will try to allocate a new buffer
+ * for X.p, which we want to avoid at all costs.
+ */
+ assert( strlen( str ) / 2 == len );
- *obuf-- = ( c << 4 ) | c2; // sic
- }
-
- return( 0 );
+ return( mpi_read_string( &X, 16, str ) );
}
+#endif /* WANT_NOT_RND_MPI */
diff --git a/tests/suites/test_suite_ecdh.function b/tests/suites/test_suite_ecdh.function
index ba35c76..63917d7 100644
--- a/tests/suites/test_suite_ecdh.function
+++ b/tests/suites/test_suite_ecdh.function
@@ -1,5 +1,6 @@
/* BEGIN_HEADER */
#include <polarssl/ecdh.h>
+#define WANT_NOT_RND_MPI
/* END_HEADER */
/* BEGIN_DEPENDENCIES
@@ -57,14 +58,14 @@
TEST_ASSERT( ecp_use_known_dp( &grp, id ) == 0 );
- TEST_ASSERT( ecdh_gen_public( &grp, &dA, &qA, ¬_rnd, dA_str ) == 0 );
+ TEST_ASSERT( ecdh_gen_public( &grp, &dA, &qA, ¬_rnd_mpi, dA_str ) == 0 );
TEST_ASSERT( ! ecp_is_zero( &qA ) );
TEST_ASSERT( mpi_read_string( &check, 16, xA_str ) == 0 );
TEST_ASSERT( mpi_cmp_mpi( &qA.X, &check ) == 0 );
TEST_ASSERT( mpi_read_string( &check, 16, yA_str ) == 0 );
TEST_ASSERT( mpi_cmp_mpi( &qA.Y, &check ) == 0 );
- TEST_ASSERT( ecdh_gen_public( &grp, &dB, &qB, ¬_rnd, dB_str ) == 0 );
+ TEST_ASSERT( ecdh_gen_public( &grp, &dB, &qB, ¬_rnd_mpi, dB_str ) == 0 );
TEST_ASSERT( ! ecp_is_zero( &qB ) );
TEST_ASSERT( mpi_read_string( &check, 16, xB_str ) == 0 );
TEST_ASSERT( mpi_cmp_mpi( &qB.X, &check ) == 0 );
diff --git a/tests/suites/test_suite_ecdsa.function b/tests/suites/test_suite_ecdsa.function
index 5ccb39d..34307ca 100644
--- a/tests/suites/test_suite_ecdsa.function
+++ b/tests/suites/test_suite_ecdsa.function
@@ -1,5 +1,6 @@
/* BEGIN_HEADER */
#include <polarssl/ecdsa.h>
+#define WANT_NOT_RND_MPI
/* END_HEADER */
/* BEGIN_DEPENDENCIES
@@ -63,7 +64,7 @@
len = unhexify(buf, hash_str);
TEST_ASSERT( ecdsa_sign( &grp, &r, &s, &d, buf, len,
- ¬_rnd, k_str ) == 0 );
+ ¬_rnd_mpi, k_str ) == 0 );
TEST_ASSERT( mpi_cmp_mpi( &r, &r_check ) == 0 );
TEST_ASSERT( mpi_cmp_mpi( &s, &s_check ) == 0 );
diff --git a/tests/suites/test_suite_error.function b/tests/suites/test_suite_error.function
index 4129f3d..a514cee 100644
--- a/tests/suites/test_suite_error.function
+++ b/tests/suites/test_suite_error.function
@@ -12,7 +12,7 @@
{
char buf[500];
- error_strerror( code, buf, 500 );
+ polarssl_strerror( code, buf, 500 );
TEST_ASSERT( strcmp( buf, result_str ) == 0 );
}
diff --git a/tests/suites/test_suite_x509write.function b/tests/suites/test_suite_x509write.function
index 3233617..8b57f8c 100644
--- a/tests/suites/test_suite_x509write.function
+++ b/tests/suites/test_suite_x509write.function
@@ -53,7 +53,7 @@
}
/* END_CASE */
-/* BEGIN_CASE depends_on:POLARSSL_PEM_WRITE_C:POLARSSL_X509_CRT_WRITE_C */
+/* BEGIN_CASE depends_on:POLARSSL_PEM_WRITE_C:POLARSSL_X509_CRT_WRITE_C:POLARSSL_SHA1_C */
void x509_crt_check( char *subject_key_file, char *subject_pwd,
char *subject_name, char *issuer_key_file,
char *issuer_pwd, char *issuer_name,