Merged support for the ALPN extension
diff --git a/ChangeLog b/ChangeLog
index 6d4228f..f667bf6 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -13,6 +13,12 @@
Security
* Avoid potential timing leak in ecdsa_sign() by blinding modular division.
(Found by Watson Ladd.)
+ * The notAfter date of some certificates was no longer checked since 1.3.5.
+ This affects certificates in the user-supplied chain except the top
+ certificate. If the user-supplied chain contains only one certificates,
+ it is not affected (ie, its notAfter date is properly checked).
+ * Prevent potential NULL pointer dereference in ssl_read_record() (found by
+ TrustInSoft)
Bugfix
* The length of various ClientKeyExchange messages was not properly checked.
@@ -24,6 +30,8 @@
Gergely Budai).
* Fix #include path in ecdsa.h which wasn't accepted by some compilers.
(found by Gergely Budai)
+ * Fix compile errors when POLARSSL_ERROR_STRERROR_BC is undefined (found by
+ Shuo Chen).
= PolarSSL 1.3.5 released on 2014-03-26
Features
diff --git a/include/polarssl/config.h b/include/polarssl/config.h
index 223fce3..c2c2708 100644
--- a/include/polarssl/config.h
+++ b/include/polarssl/config.h
@@ -645,7 +645,7 @@
* Do not add default entropy sources. These are the platform specific,
* hardclock and HAVEGE based poll functions.
*
- * This is useful to have more control over the added entropy sources in an
+ * This is useful to have more control over the added entropy sources in an
* application.
*
* Uncomment this macro to prevent loading of default entropy functions.
@@ -1376,7 +1376,7 @@
* Module: library/error.c
* Caller:
*
- * This module enables err_strerror().
+ * This module enables polarssl_strerror().
*/
#define POLARSSL_ERROR_C
diff --git a/library/ssl_tls.c b/library/ssl_tls.c
index 0365b92..38843a3 100644
--- a/library/ssl_tls.c
+++ b/library/ssl_tls.c
@@ -2087,7 +2087,8 @@
return( POLARSSL_ERR_SSL_INVALID_RECORD );
}
- ssl->handshake->update_checksum( ssl, ssl->in_msg, ssl->in_hslen );
+ if( ssl->state != SSL_HANDSHAKE_OVER )
+ ssl->handshake->update_checksum( ssl, ssl->in_msg, ssl->in_hslen );
return( 0 );
}
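Review bot: The new guard in front of `ssl->handshake->update_checksum( ... )` tests `ssl->state`, not the pointer that is actually dereferenced. It therefore protects only while `ssl->handshake` is non-NULL in every state other than SSL_HANDSHAKE_OVER, and that invariant is not visible in this hunk. The ChangeLog entry describes a NULL pointer dereference in ssl_read_record(), which presumably runs on peer-supplied records, so I would check the pointer too: `if( ssl->state != SSL_HANDSHAKE_OVER && ssl->handshake != NULL )`. Failing that, add a comment naming where the handshake structure is freed and why the state check alone is sufficient. The enclosing function starts outside the hunk.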
diff --git a/library/x509_crt.c b/library/x509_crt.c
index d4ef82e..d9f25ed 100644
--- a/library/x509_crt.c
+++ b/library/x509_crt.c
@@ -1647,6 +1647,9 @@
x509_crt *grandparent;
const md_info_t *md_info;
+ if( x509_time_expired( &child->valid_to ) )
+ *flags |= BADCERT_EXPIRED;
+
if( x509_time_future( &child->valid_from ) )
*flags |= BADCERT_FUTURE;
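Review bot: Nothing visible in this diff would catch the loss of the `x509_time_expired( &child->valid_to )` check a second time. The ChangeLog says notAfter went unchecked since 1.3.5, and no test change for it appears on this page. I would add a verification test whose user-supplied chain contains an expired non-top certificate and asserts that BADCERT_EXPIRED is set in the resulting flags. A short comment above the two checks would also help, e.g. `/* Validity period (notBefore and notAfter) must be checked for every certificate on the path */`, so the pairing with the `valid_from` check survives later refactoring. The enclosing function starts and ends outside the hunk.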
diff --git a/programs/util/pem2der.c b/programs/util/pem2der.c
index f1da438..a755694 100644
--- a/programs/util/pem2der.c
+++ b/programs/util/pem2der.c
@@ -220,7 +220,7 @@
if( ret != 0 )
{
#ifdef POLARSSL_ERROR_C
- error_strerror( ret, buf, 1024 );
+ polarssl_strerror( ret, buf, 1024 );
#endif
printf( " failed\n ! load_file returned %d - %s\n\n", ret, buf );
goto exit;
@@ -237,7 +237,7 @@
if( ( ret = convert_pem_to_der( pem_buffer, pem_size, der_buffer, &der_size ) ) != 0 )
{
#ifdef POLARSSL_ERROR_C
- error_strerror( ret, buf, 1024 );
+ polarssl_strerror( ret, buf, 1024 );
#endif
printf( " failed\n ! convert_pem_to_der %d - %s\n\n", ret, buf );
goto exit;
@@ -256,7 +256,7 @@
if( ret != 0 )
{
#ifdef POLARSSL_ERROR_C
- error_strerror( ret, buf, 1024 );
+ polarssl_strerror( ret, buf, 1024 );
#endif
printf( " failed\n ! write_file returned %d - %s\n\n", ret, buf );
goto exit;
diff --git a/programs/x509/cert_write.c b/programs/x509/cert_write.c
index a2f2656..952d17c 100644
--- a/programs/x509/cert_write.c
+++ b/programs/x509/cert_write.c
@@ -367,7 +367,7 @@
(const unsigned char *) pers,
strlen( pers ) ) ) != 0 )
{
- error_strerror( ret, buf, 1024 );
+ polarssl_strerror( ret, buf, 1024 );
printf( " failed\n ! ctr_drbg_init returned %d - %s\n", ret, buf );
goto exit;
}
@@ -381,7 +381,7 @@
if( ( ret = mpi_read_string( &serial, 10, opt.serial ) ) != 0 )
{
- error_strerror( ret, buf, 1024 );
+ polarssl_strerror( ret, buf, 1024 );
printf( " failed\n ! mpi_read_string returned -0x%02x - %s\n\n", -ret, buf );
goto exit;
}
@@ -400,7 +400,7 @@
if( ( ret = x509_crt_parse_file( &issuer_crt, opt.issuer_crt ) ) != 0 )
{
- error_strerror( ret, buf, 1024 );
+ polarssl_strerror( ret, buf, 1024 );
printf( " failed\n ! x509_crt_parse_file returned -0x%02x - %s\n\n", -ret, buf );
goto exit;
}
@@ -409,7 +409,7 @@
&issuer_crt.issuer );
if( ret < 0 )
{
- error_strerror( ret, buf, 1024 );
+ polarssl_strerror( ret, buf, 1024 );
printf( " failed\n ! x509_dn_gets returned -0x%02x - %s\n\n", -ret, buf );
goto exit;
}
@@ -432,7 +432,7 @@
if( ( ret = x509_csr_parse_file( &csr, opt.request_file ) ) != 0 )
{
- error_strerror( ret, buf, 1024 );
+ polarssl_strerror( ret, buf, 1024 );
printf( " failed\n ! x509_csr_parse_file returned -0x%02x - %s\n\n", -ret, buf );
goto exit;
}
@@ -441,7 +441,7 @@
&csr.subject );
if( ret < 0 )
{
- error_strerror( ret, buf, 1024 );
+ polarssl_strerror( ret, buf, 1024 );
printf( " failed\n ! x509_dn_gets returned -0x%02x - %s\n\n", -ret, buf );
goto exit;
}
@@ -465,7 +465,7 @@
opt.subject_pwd );
if( ret != 0 )
{
- error_strerror( ret, buf, 1024 );
+ polarssl_strerror( ret, buf, 1024 );
printf( " failed\n ! pk_parse_keyfile returned -0x%02x - %s\n\n", -ret, buf );
goto exit;
}
@@ -480,7 +480,7 @@
opt.issuer_pwd );
if( ret != 0 )
{
- error_strerror( ret, buf, 1024 );
+ polarssl_strerror( ret, buf, 1024 );
printf( " failed\n ! pk_parse_keyfile returned -x%02x - %s\n\n", -ret, buf );
goto exit;
}
@@ -517,14 +517,14 @@
*/
if( ( ret = x509write_crt_set_subject_name( &crt, opt.subject_name ) ) != 0 )
{
- error_strerror( ret, buf, 1024 );
+ polarssl_strerror( ret, buf, 1024 );
printf( " failed\n ! x509write_crt_set_subject_name returned -0x%02x - %s\n\n", -ret, buf );
goto exit;
}
if( ( ret = x509write_crt_set_issuer_name( &crt, opt.issuer_name ) ) != 0 )
{
- error_strerror( ret, buf, 1024 );
+ polarssl_strerror( ret, buf, 1024 );
printf( " failed\n ! x509write_crt_set_issuer_name returned -0x%02x - %s\n\n", -ret, buf );
goto exit;
}
@@ -535,7 +535,7 @@
ret = x509write_crt_set_serial( &crt, &serial );
if( ret != 0 )
{
- error_strerror( ret, buf, 1024 );
+ polarssl_strerror( ret, buf, 1024 );
printf( " failed\n ! x509write_crt_set_serial returned -0x%02x - %s\n\n", -ret, buf );
goto exit;
}
@@ -543,7 +543,7 @@
ret = x509write_crt_set_validity( &crt, opt.not_before, opt.not_after );
if( ret != 0 )
{
- error_strerror( ret, buf, 1024 );
+ polarssl_strerror( ret, buf, 1024 );
printf( " failed\n ! x509write_crt_set_validity returned -0x%02x - %s\n\n", -ret, buf );
goto exit;
}
@@ -557,7 +557,7 @@
opt.max_pathlen );
if( ret != 0 )
{
- error_strerror( ret, buf, 1024 );
+ polarssl_strerror( ret, buf, 1024 );
printf( " failed\n ! x509write_crt_set_basic_contraints returned -0x%02x - %s\n\n", -ret, buf );
goto exit;
}
@@ -571,7 +571,7 @@
ret = x509write_crt_set_subject_key_identifier( &crt );
if( ret != 0 )
{
- error_strerror( ret, buf, 1024 );
+ polarssl_strerror( ret, buf, 1024 );
printf( " failed\n ! x509write_crt_set_subject_key_identifier returned -0x%02x - %s\n\n", -ret, buf );
goto exit;
}
@@ -584,7 +584,7 @@
ret = x509write_crt_set_authority_key_identifier( &crt );
if( ret != 0 )
{
- error_strerror( ret, buf, 1024 );
+ polarssl_strerror( ret, buf, 1024 );
printf( " failed\n ! x509write_crt_set_authority_key_identifier returned -0x%02x - %s\n\n", -ret, buf );
goto exit;
}
@@ -600,7 +600,7 @@
ret = x509write_crt_set_key_usage( &crt, opt.key_usage );
if( ret != 0 )
{
- error_strerror( ret, buf, 1024 );
+ polarssl_strerror( ret, buf, 1024 );
printf( " failed\n ! x509write_crt_set_key_usage returned -0x%02x - %s\n\n", -ret, buf );
goto exit;
}
@@ -616,7 +616,7 @@
ret = x509write_crt_set_ns_cert_type( &crt, opt.ns_cert_type );
if( ret != 0 )
{
- error_strerror( ret, buf, 1024 );
+ polarssl_strerror( ret, buf, 1024 );
printf( " failed\n ! x509write_crt_set_ns_cert_type returned -0x%02x - %s\n\n", -ret, buf );
goto exit;
}
@@ -633,7 +633,7 @@
if( ( ret = write_certificate( &crt, opt.output_file,
ctr_drbg_random, &ctr_drbg ) ) != 0 )
{
- error_strerror( ret, buf, 1024 );
+ polarssl_strerror( ret, buf, 1024 );
printf( " failed\n ! write_certifcate -0x%02x - %s\n\n", -ret, buf );
goto exit;
}
diff --git a/tests/compat.sh b/tests/compat.sh
index e29d29f..bf52847 100755
--- a/tests/compat.sh
+++ b/tests/compat.sh
@@ -1018,7 +1018,7 @@
echo "------------------------------------------------------------------------"
-if (( failed != 0 && srvmem != 0 ));
+if (( failed != 0 || srvmem != 0 ));
then
echo -n "FAILED"
else