Merged the revamped test framework into development
diff --git a/include/polarssl/config.h b/include/polarssl/config.h
index 41013d8..119dc67 100644
--- a/include/polarssl/config.h
+++ b/include/polarssl/config.h
@@ -735,7 +735,7 @@
* Enable the generic cipher layer.
*
* Module: library/cipher.c
- * Caller:
+ * Caller: library/ssl_tls.c
*
* Uncomment to enable generic cipher wrappers.
*/
@@ -1226,7 +1226,7 @@
* Caller: library/ssl_cli.c
* library/ssl_srv.c
*
- * Requires: POLARSSL_MD5_C, POLARSSL_SHA1_C
+ * Requires: POLARSSL_MD5_C, POLARSSL_SHA1_C, POLARSSL_CIPHER_C
*
* This module is required for SSL/TLS.
*/
@@ -1443,7 +1443,7 @@
#endif
#if defined(POLARSSL_SSL_TLS_C) && ( !defined(POLARSSL_MD5_C) || \
- !defined(POLARSSL_SHA1_C) )
+ !defined(POLARSSL_SHA1_C) || !defined(POLARSSL_CIPHER_C) )
#error "POLARSSL_SSL_TLS_C defined, but not all prerequisites"
#endif
@@ -1451,6 +1451,11 @@
#error "POLARSSL_SSL_SRV_C defined, but not all prerequisites"
#endif
+#if defined(POLARSSL_SSL_SESSION_TICKETS) && defined(POLARSSL_SSL_TLS_C) && \
+ ( !defined(POLARSSL_AES_C) || !defined(POLARSSL_SHA256_C) )
+#error "POLARSSL_SSL_SESSION_TICKETS_C defined, but not all prerequisites"
+#endif
+
#if defined(POLARSSL_X509_PARSE_C) && ( !defined(POLARSSL_BIGNUM_C) || \
!defined(POLARSSL_OID_C) || !defined(POLARSSL_ASN1_PARSE_C) || \
!defined(POLARSSL_RSA_C) )
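Review bot: The new `#error` text names `POLARSSL_SSL_SESSION_TICKETS_C`, but the macro actually tested is `POLARSSL_SSL_SESSION_TICKETS`, so anyone searching config.h for the name in the build error will not find it. I would change the message to `#error "POLARSSL_SSL_SESSION_TICKETS defined, but not all prerequisites"`. The option's own "Requires:" comment is outside this hunk; if it does not already list POLARSSL_AES_C and POLARSSL_SHA256_C, it should be updated to match this check.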
diff --git a/include/polarssl/ecdsa.h b/include/polarssl/ecdsa.h
index e709b40..bc1afbb 100644
--- a/include/polarssl/ecdsa.h
+++ b/include/polarssl/ecdsa.h
@@ -39,7 +39,6 @@
ecp_point Q; /*!< public signature key */
mpi r; /*!< first integer from signature */
mpi s; /*!< second integer from signature */
- int point_format; /*!< format for point export */
}
ecdsa_context;
diff --git a/include/polarssl/oid.h b/include/polarssl/oid.h
index 0c3dab2..ebb5bad 100644
--- a/include/polarssl/oid.h
+++ b/include/polarssl/oid.h
@@ -315,6 +315,7 @@
*/
typedef struct {
const char *asn1; /*!< OID ASN.1 representation */
+ size_t asn1_len; /*!< length of asn1 */
const char *name; /*!< official name (e.g. from RFC) */
const char *description; /*!< human friendly description */
} oid_descriptor_t;
diff --git a/include/polarssl/ssl.h b/include/polarssl/ssl.h
index 8f72710..7a468c4 100644
--- a/include/polarssl/ssl.h
+++ b/include/polarssl/ssl.h
@@ -428,9 +428,8 @@
#if defined(POLARSSL_ECDH_C)
ecdh_context ecdh_ctx; /*!< ECDH key exchange */
#endif
+#if defined(POLARSSL_ECDH_C) || defined(POLARSSL_ECDSA_C)
int ec_curve; /*!< Selected elliptic curve */
-#if defined(POLARSSL_ECP_C)
- int ec_point_format; /*!< Client supported format */
#endif
/*
diff --git a/library/asn1parse.c b/library/asn1parse.c
index f6b79ef..ff566c9 100644
--- a/library/asn1parse.c
+++ b/library/asn1parse.c
@@ -220,7 +220,7 @@
if( ( ret = asn1_get_tag( p, end, len, ASN1_BIT_STRING ) ) != 0 )
return( ret );
- if( --*len < 1 || *(*p)++ != 0 )
+ if( (*len)-- < 2 || *(*p)++ != 0 )
return( POLARSSL_ERR_ASN1_INVALID_DATA );
return( 0 );
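Review bot: The length test in `if( (*len)-- < 2 || ... )` still has a side effect on the failure path: when `*len` is 0 the post-decrement wraps the caller's length to SIZE_MAX before the error is returned. The bound itself is correct now, but separating the check from the update makes the contract clearer and leaves the outputs untouched on error, for example `if( *len < 2 || **p != 0 ) return( POLARSSL_ERR_ASN1_INVALID_DATA );` followed by `(*len)--; (*p)++;`. A short comment saying that the first content byte is the unused-bits count and must be zero would also help. The function starts outside this hunk.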
@@ -292,8 +292,11 @@
ASN1_CONSTRUCTED | ASN1_SEQUENCE ) ) != 0 )
return( ret );
- end = *p + len;
+ if( ( end - *p ) < 1 )
+ return( POLARSSL_ERR_ASN1_OUT_OF_DATA );
+
alg->tag = **p;
+ end = *p + len;
if( ( ret = asn1_get_tag( p, end, &alg->len, ASN1_OID ) ) != 0 )
return( ret );
diff --git a/library/ecdh.c b/library/ecdh.c
index 301275a..d76596e 100644
--- a/library/ecdh.c
+++ b/library/ecdh.c
@@ -155,8 +155,6 @@
{
int ret;
- ecdh_init( ctx );
-
if( ( ret = ecp_tls_read_group( &ctx->grp, buf, end - *buf ) ) != 0 )
return( ret );
diff --git a/library/ecdsa.c b/library/ecdsa.c
index 1074850..e87bc65 100644
--- a/library/ecdsa.c
+++ b/library/ecdsa.c
@@ -197,8 +197,6 @@
ecp_point_init( &ctx->Q );
mpi_init( &ctx->r );
mpi_init( &ctx->s );
- mpi_init( &ctx->d );
- ctx->point_format = POLARSSL_ECP_PF_UNCOMPRESSED;
}
/*
@@ -211,8 +209,6 @@
ecp_point_free( &ctx->Q );
mpi_free( &ctx->r );
mpi_free( &ctx->s );
- mpi_free( &ctx->d );
- ctx->point_format = POLARSSL_ECP_PF_UNCOMPRESSED;
}
#if defined(POLARSSL_SELF_TEST)
diff --git a/library/oid.c b/library/oid.c
index 750ece8..c5608c3 100644
--- a/library/oid.c
+++ b/library/oid.c
@@ -35,6 +35,11 @@
#include <stdio.h>
/*
+ * Macro to automatically add the size of #define'd OIDs
+ */
+#define ADD_LEN(s) s, OID_SIZE(s)
+
+/*
* Macro to generate an internal function for oid_XXX_from_asn1() (used by
* the other functions)
*/
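Review bot: The comment on `ADD_LEN` should state its precondition, because the macro is only correct when `s` is one of the string-literal `OID_xxx` defines. `OID_SIZE` is not shown in this diff but is presumably sizeof-based, so passing a `const char *` would silently yield the pointer size and make every lookup on that entry fail or over-compare. I would extend the comment to something like `/* s must be a string literal (an OID_xxx define), never a pointer; expands to two initializers: the OID bytes and their length without the terminating NUL */`. This matters more now that the lookup trusts `asn1_len` instead of recomputing the length.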
@@ -135,7 +140,7 @@
cur = (const oid_descriptor_t *) p;
while( cur->asn1 != NULL )
{
- if( strlen( cur->asn1 ) == len &&
+ if( cur->asn1_len == len &&
memcmp( cur->asn1, oid, len ) == 0 )
{
return( cur );
@@ -159,35 +164,35 @@
static const oid_x520_attr_t oid_x520_attr_type[] =
{
{
- { OID_AT_CN, "id-at-commonName", "Common Name" },
+ { ADD_LEN( OID_AT_CN ), "id-at-commonName", "Common Name" },
"CN",
},
{
- { OID_AT_COUNTRY, "id-at-countryName", "Country" },
+ { ADD_LEN( OID_AT_COUNTRY ), "id-at-countryName", "Country" },
"C",
},
{
- { OID_AT_LOCALITY, "id-at-locality", "Locality" },
+ { ADD_LEN( OID_AT_LOCALITY ), "id-at-locality", "Locality" },
"L",
},
{
- { OID_AT_STATE, "id-at-state", "State" },
+ { ADD_LEN( OID_AT_STATE ), "id-at-state", "State" },
"ST",
},
{
- { OID_AT_ORGANIZATION,"id-at-organizationName", "Organization" },
+ { ADD_LEN( OID_AT_ORGANIZATION ),"id-at-organizationName", "Organization" },
"O",
},
{
- { OID_AT_ORG_UNIT, "id-at-organizationalUnitName", "Org Unit" },
+ { ADD_LEN( OID_AT_ORG_UNIT ), "id-at-organizationalUnitName", "Org Unit" },
"OU",
},
{
- { OID_PKCS9_EMAIL, "emailAddress", "E-mail address" },
+ { ADD_LEN( OID_PKCS9_EMAIL ), "emailAddress", "E-mail address" },
"emailAddress",
},
{
- { NULL, NULL, NULL },
+ { NULL, 0, NULL, NULL },
NULL,
}
};
@@ -207,27 +212,27 @@
static const oid_x509_ext_t oid_x509_ext[] =
{
{
- { OID_BASIC_CONSTRAINTS, "id-ce-basicConstraints", "Basic Constraints" },
+ { ADD_LEN( OID_BASIC_CONSTRAINTS ), "id-ce-basicConstraints", "Basic Constraints" },
EXT_BASIC_CONSTRAINTS,
},
{
- { OID_KEY_USAGE, "id-ce-keyUsage", "Key Usage" },
+ { ADD_LEN( OID_KEY_USAGE ), "id-ce-keyUsage", "Key Usage" },
EXT_KEY_USAGE,
},
{
- { OID_EXTENDED_KEY_USAGE, "id-ce-keyUsage", "Extended Key Usage" },
+ { ADD_LEN( OID_EXTENDED_KEY_USAGE ), "id-ce-keyUsage", "Extended Key Usage" },
EXT_EXTENDED_KEY_USAGE,
},
{
- { OID_SUBJECT_ALT_NAME, "id-ce-subjectAltName", "Subject Alt Name" },
+ { ADD_LEN( OID_SUBJECT_ALT_NAME ), "id-ce-subjectAltName", "Subject Alt Name" },
EXT_SUBJECT_ALT_NAME,
},
{
- { OID_NS_CERT_TYPE, "id-netscape-certtype", "Netscape Certificate Type" },
+ { ADD_LEN( OID_NS_CERT_TYPE ), "id-netscape-certtype", "Netscape Certificate Type" },
EXT_NS_CERT_TYPE,
},
{
- { NULL, NULL, NULL },
+ { NULL, 0, NULL, NULL },
0,
},
};
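Review bot: The `OID_EXTENDED_KEY_USAGE` entry is rewritten here but keeps the name string `"id-ce-keyUsage"`, the same as the `OID_KEY_USAGE` entry above it. The RFC 5280 name for this extension is `id-ce-extKeyUsage`, so the line should read `{ ADD_LEN( OID_EXTENDED_KEY_USAGE ), "id-ce-extKeyUsage", "Extended Key Usage" },`. Anything that prints or logs the descriptor name currently cannot distinguish the two extensions.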
@@ -237,13 +242,13 @@
static const oid_descriptor_t oid_ext_key_usage[] =
{
- { OID_SERVER_AUTH, "id-kp-serverAuth", "TLS Web Server Authentication" },
- { OID_CLIENT_AUTH, "id-kp-clientAuth", "TLS Web Client Authentication" },
- { OID_CODE_SIGNING, "id-kp-codeSigning", "Code Signing" },
- { OID_EMAIL_PROTECTION, "id-kp-emailProtection", "E-mail Protection" },
- { OID_TIME_STAMPING, "id-kp-timeStamping", "Time Stamping" },
- { OID_OCSP_SIGNING, "id-kp-OCSPSigning", "OCSP Signing" },
- { NULL, NULL, NULL },
+ { ADD_LEN( OID_SERVER_AUTH ), "id-kp-serverAuth", "TLS Web Server Authentication" },
+ { ADD_LEN( OID_CLIENT_AUTH ), "id-kp-clientAuth", "TLS Web Client Authentication" },
+ { ADD_LEN( OID_CODE_SIGNING ), "id-kp-codeSigning", "Code Signing" },
+ { ADD_LEN( OID_EMAIL_PROTECTION ), "id-kp-emailProtection", "E-mail Protection" },
+ { ADD_LEN( OID_TIME_STAMPING ), "id-kp-timeStamping", "Time Stamping" },
+ { ADD_LEN( OID_OCSP_SIGNING ), "id-kp-OCSPSigning", "OCSP Signing" },
+ { NULL, 0, NULL, NULL },
};
FN_OID_TYPED_FROM_ASN1(oid_descriptor_t, ext_key_usage, oid_ext_key_usage);
@@ -263,63 +268,63 @@
static const oid_sig_alg_t oid_sig_alg[] =
{
{
- { OID_PKCS1_MD2, "md2WithRSAEncryption", "RSA with MD2" },
+ { ADD_LEN( OID_PKCS1_MD2 ), "md2WithRSAEncryption", "RSA with MD2" },
POLARSSL_MD_MD2, POLARSSL_PK_RSA,
},
{
- { OID_PKCS1_MD4, "md4WithRSAEncryption", "RSA with MD4" },
+ { ADD_LEN( OID_PKCS1_MD4 ), "md4WithRSAEncryption", "RSA with MD4" },
POLARSSL_MD_MD4, POLARSSL_PK_RSA,
},
{
- { OID_PKCS1_MD5, "md5WithRSAEncryption", "RSA with MD5" },
+ { ADD_LEN( OID_PKCS1_MD5 ), "md5WithRSAEncryption", "RSA with MD5" },
POLARSSL_MD_MD5, POLARSSL_PK_RSA,
},
{
- { OID_PKCS1_SHA1, "sha-1WithRSAEncryption", "RSA with SHA1" },
+ { ADD_LEN( OID_PKCS1_SHA1 ), "sha-1WithRSAEncryption", "RSA with SHA1" },
POLARSSL_MD_SHA1, POLARSSL_PK_RSA,
},
{
- { OID_PKCS1_SHA224, "sha224WithRSAEncryption", "RSA with SHA-224" },
+ { ADD_LEN( OID_PKCS1_SHA224 ), "sha224WithRSAEncryption", "RSA with SHA-224" },
POLARSSL_MD_SHA224, POLARSSL_PK_RSA,
},
{
- { OID_PKCS1_SHA256, "sha256WithRSAEncryption", "RSA with SHA-256" },
+ { ADD_LEN( OID_PKCS1_SHA256 ), "sha256WithRSAEncryption", "RSA with SHA-256" },
POLARSSL_MD_SHA256, POLARSSL_PK_RSA,
},
{
- { OID_PKCS1_SHA384, "sha384WithRSAEncryption", "RSA with SHA-384" },
+ { ADD_LEN( OID_PKCS1_SHA384 ), "sha384WithRSAEncryption", "RSA with SHA-384" },
POLARSSL_MD_SHA384, POLARSSL_PK_RSA,
},
{
- { OID_PKCS1_SHA512, "sha512WithRSAEncryption", "RSA with SHA-512" },
+ { ADD_LEN( OID_PKCS1_SHA512 ), "sha512WithRSAEncryption", "RSA with SHA-512" },
POLARSSL_MD_SHA512, POLARSSL_PK_RSA,
},
{
- { OID_RSA_SHA_OBS, "sha-1WithRSAEncryption", "RSA with SHA1" },
+ { ADD_LEN( OID_RSA_SHA_OBS ), "sha-1WithRSAEncryption", "RSA with SHA1" },
POLARSSL_MD_SHA1, POLARSSL_PK_RSA,
},
{
- { OID_ECDSA_SHA1, "ecdsa-with-SHA1", "ECDSA with SHA1" },
+ { ADD_LEN( OID_ECDSA_SHA1 ), "ecdsa-with-SHA1", "ECDSA with SHA1" },
POLARSSL_MD_SHA1, POLARSSL_PK_ECDSA,
},
{
- { OID_ECDSA_SHA224, "ecdsa-with-SHA224", "ECDSA with SHA224" },
+ { ADD_LEN( OID_ECDSA_SHA224 ), "ecdsa-with-SHA224", "ECDSA with SHA224" },
POLARSSL_MD_SHA224, POLARSSL_PK_ECDSA,
},
{
- { OID_ECDSA_SHA256, "ecdsa-with-SHA256", "ECDSA with SHA256" },
+ { ADD_LEN( OID_ECDSA_SHA256 ), "ecdsa-with-SHA256", "ECDSA with SHA256" },
POLARSSL_MD_SHA256, POLARSSL_PK_ECDSA,
},
{
- { OID_ECDSA_SHA384, "ecdsa-with-SHA384", "ECDSA with SHA384" },
+ { ADD_LEN( OID_ECDSA_SHA384 ), "ecdsa-with-SHA384", "ECDSA with SHA384" },
POLARSSL_MD_SHA384, POLARSSL_PK_ECDSA,
},
{
- { OID_ECDSA_SHA512, "ecdsa-with-SHA512", "ECDSA with SHA512" },
+ { ADD_LEN( OID_ECDSA_SHA512 ), "ecdsa-with-SHA512", "ECDSA with SHA512" },
POLARSSL_MD_SHA512, POLARSSL_PK_ECDSA,
},
{
- { NULL, NULL, NULL },
+ { NULL, 0, NULL, NULL },
0, 0,
},
};
@@ -341,19 +346,19 @@
static const oid_pk_alg_t oid_pk_alg[] =
{
{
- { OID_PKCS1_RSA, "rsaEncryption", "RSA" },
+ { ADD_LEN( OID_PKCS1_RSA ), "rsaEncryption", "RSA" },
POLARSSL_PK_RSA,
},
{
- { OID_EC_ALG_UNRESTRICTED, "id-ecPublicKey", "Generic EC key" },
+ { ADD_LEN( OID_EC_ALG_UNRESTRICTED ), "id-ecPublicKey", "Generic EC key" },
POLARSSL_PK_ECKEY,
},
{
- { OID_EC_ALG_ECDH, "id-ecDH", "EC key for ECDH" },
+ { ADD_LEN( OID_EC_ALG_ECDH ), "id-ecDH", "EC key for ECDH" },
POLARSSL_PK_ECKEY_DH,
},
{
- { NULL, NULL, NULL },
+ { NULL, 0, NULL, NULL },
0,
},
};
@@ -372,27 +377,27 @@
static const oid_ecp_grp_t oid_ecp_grp[] =
{
{
- { OID_EC_GRP_SECP192R1, "secp192r1", "secp192r1" },
+ { ADD_LEN( OID_EC_GRP_SECP192R1 ), "secp192r1", "secp192r1" },
POLARSSL_ECP_DP_SECP192R1,
},
{
- { OID_EC_GRP_SECP224R1, "secp224r1", "secp224r1" },
+ { ADD_LEN( OID_EC_GRP_SECP224R1 ), "secp224r1", "secp224r1" },
POLARSSL_ECP_DP_SECP224R1,
},
{
- { OID_EC_GRP_SECP256R1, "secp256r1", "secp256r1" },
+ { ADD_LEN( OID_EC_GRP_SECP256R1 ), "secp256r1", "secp256r1" },
POLARSSL_ECP_DP_SECP256R1,
},
{
- { OID_EC_GRP_SECP384R1, "secp384r1", "secp384r1" },
+ { ADD_LEN( OID_EC_GRP_SECP384R1 ), "secp384r1", "secp384r1" },
POLARSSL_ECP_DP_SECP384R1,
},
{
- { OID_EC_GRP_SECP521R1, "secp521r1", "secp521r1" },
+ { ADD_LEN( OID_EC_GRP_SECP521R1 ), "secp521r1", "secp521r1" },
POLARSSL_ECP_DP_SECP521R1,
},
{
- { NULL, NULL, NULL },
+ { NULL, 0, NULL, NULL },
0,
},
};
@@ -412,15 +417,15 @@
static const oid_cipher_alg_t oid_cipher_alg[] =
{
{
- { OID_DES_CBC, "desCBC", "DES-CBC" },
+ { ADD_LEN( OID_DES_CBC ), "desCBC", "DES-CBC" },
POLARSSL_CIPHER_DES_CBC,
},
{
- { OID_DES_EDE3_CBC, "des-ede3-cbc", "DES-EDE3-CBC" },
+ { ADD_LEN( OID_DES_EDE3_CBC ), "des-ede3-cbc", "DES-EDE3-CBC" },
POLARSSL_CIPHER_DES_EDE3_CBC,
},
{
- { NULL, NULL, NULL },
+ { NULL, 0, NULL, NULL },
0,
},
};
@@ -441,43 +446,43 @@
static const oid_md_alg_t oid_md_alg[] =
{
{
- { OID_DIGEST_ALG_MD2, "id-md2", "MD2" },
+ { ADD_LEN( OID_DIGEST_ALG_MD2 ), "id-md2", "MD2" },
POLARSSL_MD_MD2,
},
{
- { OID_DIGEST_ALG_MD4, "id-md4", "MD4" },
+ { ADD_LEN( OID_DIGEST_ALG_MD4 ), "id-md4", "MD4" },
POLARSSL_MD_MD4,
},
{
- { OID_DIGEST_ALG_MD5, "id-md5", "MD5" },
+ { ADD_LEN( OID_DIGEST_ALG_MD5 ), "id-md5", "MD5" },
POLARSSL_MD_MD5,
},
{
- { OID_DIGEST_ALG_SHA1, "id-sha1", "SHA-1" },
+ { ADD_LEN( OID_DIGEST_ALG_SHA1 ), "id-sha1", "SHA-1" },
POLARSSL_MD_SHA1,
},
{
- { OID_DIGEST_ALG_SHA1, "id-sha1", "SHA-1" },
+ { ADD_LEN( OID_DIGEST_ALG_SHA1 ), "id-sha1", "SHA-1" },
POLARSSL_MD_SHA1,
},
{
- { OID_DIGEST_ALG_SHA224, "id-sha224", "SHA-224" },
+ { ADD_LEN( OID_DIGEST_ALG_SHA224 ), "id-sha224", "SHA-224" },
POLARSSL_MD_SHA224,
},
{
- { OID_DIGEST_ALG_SHA256, "id-sha256", "SHA-256" },
+ { ADD_LEN( OID_DIGEST_ALG_SHA256 ), "id-sha256", "SHA-256" },
POLARSSL_MD_SHA256,
},
{
- { OID_DIGEST_ALG_SHA384, "id-sha384", "SHA-384" },
+ { ADD_LEN( OID_DIGEST_ALG_SHA384 ), "id-sha384", "SHA-384" },
POLARSSL_MD_SHA384,
},
{
- { OID_DIGEST_ALG_SHA512, "id-sha512", "SHA-512" },
+ { ADD_LEN( OID_DIGEST_ALG_SHA512 ), "id-sha512", "SHA-512" },
POLARSSL_MD_SHA512,
},
{
- { NULL, NULL, NULL },
+ { NULL, 0, NULL, NULL },
0,
},
};
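Review bot: The `oid_md_alg` table carries two consecutive, identical `OID_DIGEST_ALG_SHA1` entries, and both are converted to `ADD_LEN` here. The descriptor lookup shown earlier in this file returns on the first match, so the second entry can never be reached. I would drop the duplicate while these lines are being touched, or add a comment if the second one was meant to be a different OID.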
@@ -500,15 +505,15 @@
static const oid_pkcs12_pbe_alg_t oid_pkcs12_pbe_alg[] =
{
{
- { OID_PKCS12_PBE_SHA1_DES3_EDE_CBC, "pbeWithSHAAnd3-KeyTripleDES-CBC", "PBE with SHA1 and 3-Key 3DES" },
+ { ADD_LEN( OID_PKCS12_PBE_SHA1_DES3_EDE_CBC ), "pbeWithSHAAnd3-KeyTripleDES-CBC", "PBE with SHA1 and 3-Key 3DES" },
POLARSSL_MD_SHA1, POLARSSL_CIPHER_DES_EDE3_CBC,
},
{
- { OID_PKCS12_PBE_SHA1_DES2_EDE_CBC, "pbeWithSHAAnd2-KeyTripleDES-CBC", "PBE with SHA1 and 2-Key 3DES" },
+ { ADD_LEN( OID_PKCS12_PBE_SHA1_DES2_EDE_CBC ), "pbeWithSHAAnd2-KeyTripleDES-CBC", "PBE with SHA1 and 2-Key 3DES" },
POLARSSL_MD_SHA1, POLARSSL_CIPHER_DES_EDE_CBC,
},
{
- { NULL, NULL, NULL },
+ { NULL, 0, NULL, NULL },
0, 0,
},
};
diff --git a/library/ssl_cli.c b/library/ssl_cli.c
index a80a769..6674348 100644
--- a/library/ssl_cli.c
+++ b/library/ssl_cli.c
@@ -199,7 +199,7 @@
*olen = 6 + sig_alg_len;
}
-#if defined(POLARSSL_ECDH_C)
+#if defined(POLARSSL_ECDH_C) || defined(POLARSSL_ECDSA_C)
static void ssl_write_supported_elliptic_curves_ext( ssl_context *ssl,
unsigned char *buf,
size_t *olen )
@@ -266,15 +266,14 @@
*p++ = (unsigned char)( ( TLS_EXT_SUPPORTED_POINT_FORMATS ) & 0xFF );
*p++ = 0x00;
- *p++ = 3;
-
*p++ = 2;
- *p++ = POLARSSL_ECP_PF_COMPRESSED;
+
+ *p++ = 1;
*p++ = POLARSSL_ECP_PF_UNCOMPRESSED;
- *olen = 7;
+ *olen = 6;
}
-#endif
+#endif /* POLARSSL_ECDH_C || POLARSSL_ECDSA_C */
#if defined(POLARSSL_SSL_MAX_FRAGMENT_LENGTH)
static void ssl_write_max_fragment_length_ext( ssl_context *ssl,
@@ -542,7 +541,7 @@
ssl_write_signature_algorithms_ext( ssl, p + 2 + ext_len, &olen );
ext_len += olen;
-#if defined(POLARSSL_ECDH_C)
+#if defined(POLARSSL_ECDH_C) || defined(POLARSSL_ECDSA_C)
ssl_write_supported_elliptic_curves_ext( ssl, p + 2 + ext_len, &olen );
ext_len += olen;
@@ -687,6 +686,40 @@
}
#endif /* POLARSSL_SSL_SESSION_TICKETS */
+#if defined(POLARSSL_ECDH_C) || defined(POLARSSL_ECDSA_C)
+static int ssl_parse_supported_point_formats_ext( ssl_context *ssl,
+ const unsigned char *buf,
+ size_t len )
+{
+ size_t list_size;
+ const unsigned char *p;
+
+ list_size = buf[0];
+ if( list_size + 1 != len )
+ {
+ SSL_DEBUG_MSG( 1, ( "bad server hello message" ) );
+ return( POLARSSL_ERR_SSL_BAD_HS_SERVER_HELLO );
+ }
+
+ p = buf + 2;
+ while( list_size > 0 )
+ {
+ if( p[0] == POLARSSL_ECP_PF_UNCOMPRESSED ||
+ p[0] == POLARSSL_ECP_PF_COMPRESSED )
+ {
+ ssl->handshake->ecdh_ctx.point_format = p[0];
+ SSL_DEBUG_MSG( 4, ( "point format selected: %d", p[0] ) );
+ return( 0 );
+ }
+
+ list_size--;
+ p++;
+ }
+
+ return( 0 );
+}
+#endif /* POLARSSL_ECDH_C || POLARSSL_ECDSA_C */
+
static int ssl_parse_server_hello( ssl_context *ssl )
{
uint32_t t;
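Review bot: `ssl_parse_supported_point_formats_ext` reads `buf[0]` before checking that `len` is at least 1, and it then starts scanning at `p = buf + 2` although the ECPointFormatList has a one-byte length, so the first format is at `buf + 1`. With a one-entry list, which is what this same commit now sends, the loop skips the only advertised format and reads one byte past the extension data. I would change the guard to `if( len == 0 || (size_t)( buf[0] + 1 ) != len )` and the start to `p = buf + 1;`. The function also returns 0 when no known format is found and still accepts `POLARSSL_ECP_PF_COMPRESSED`, which the client no longer offers; a comment stating whether both are intended would help. The server-side parser in ssl_srv.c has the same loop shape, with its `p` initialisation outside the visible hunk, so it is worth checking there too.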
@@ -942,6 +975,19 @@
break;
#endif /* POLARSSL_SSL_SESSION_TICKETS */
+#if defined(POLARSSL_ECDH_C) || defined(POLARSSL_ECDSA_C)
+ case TLS_EXT_SUPPORTED_POINT_FORMATS:
+ SSL_DEBUG_MSG( 3, ( "found supported_point_formats extension" ) );
+
+ if( ( ret = ssl_parse_supported_point_formats_ext( ssl,
+ ext + 4, ext_size ) ) != 0 )
+ {
+ return( ret );
+ }
+
+ break;
+#endif /* POLARSSL_ECDH_C || POLARSSL_ECDSA_C */
+
default:
SSL_DEBUG_MSG( 3, ( "unknown extension found: %d (ignoring)",
ext_id ) );
@@ -1367,6 +1413,7 @@
md_update( &ctx, ssl->handshake->randbytes, 64 );
md_update( &ctx, ssl->in_msg + 4, n );
md_finish( &ctx, hash );
+ md_free_ctx( &ctx );
}
SSL_DEBUG_BUF( 3, "parameters hash", hash, hashlen );
diff --git a/library/ssl_srv.c b/library/ssl_srv.c
index 2b6f06f..36c4f2f 100644
--- a/library/ssl_srv.c
+++ b/library/ssl_srv.c
@@ -470,7 +470,7 @@
return( 0 );
}
-#if defined(POLARSSL_ECP_C)
+#if defined(POLARSSL_ECDH_C) || defined(POLARSSL_ECDSA_C)
static int ssl_parse_supported_elliptic_curves( ssl_context *ssl,
const unsigned char *buf,
size_t len )
@@ -552,7 +552,8 @@
if( p[0] == POLARSSL_ECP_PF_UNCOMPRESSED ||
p[0] == POLARSSL_ECP_PF_COMPRESSED )
{
- ssl->handshake->ec_point_format = p[0];
+ ssl->handshake->ecdh_ctx.point_format = p[0];
+ SSL_DEBUG_MSG( 4, ( "point format selected: %d", p[0] ) );
return( 0 );
}
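Review bot: The assignment to `ssl->handshake->ecdh_ctx.point_format` is now compiled under `POLARSSL_ECDH_C || POLARSSL_ECDSA_C`, but the ssl.h hunk in this commit still declares `ecdh_ctx` only under `#if defined(POLARSSL_ECDH_C)`. A configuration with ECDSA enabled and ECDH disabled would therefore appear to reference a member that does not exist, and the same applies to the new client parser `ssl_parse_supported_point_formats_ext` in ssl_cli.c. Either wrap the two assignments in `#if defined(POLARSSL_ECDH_C)` ... `#endif`, or add a config.h prerequisite check so the unsupported combination fails with a clear `#error`. The enclosing function starts outside this hunk.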
@@ -562,7 +563,7 @@
return( 0 );
}
-#endif /* POLARSSL_ECP_C */
+#endif /* POLARSSL_ECDH_C || POLARSSL_ECDSA_C */
#if defined(POLARSSL_SSL_MAX_FRAGMENT_LENGTH)
static int ssl_parse_max_fragment_length_ext( ssl_context *ssl,
@@ -1160,7 +1161,7 @@
return( ret );
break;
-#if defined(POLARSSL_ECP_C)
+#if defined(POLARSSL_ECDH_C) || defined(POLARSSL_ECDSA_C)
case TLS_EXT_SUPPORTED_ELLIPTIC_CURVES:
SSL_DEBUG_MSG( 3, ( "found supported elliptic curves extension" ) );
@@ -1176,7 +1177,7 @@
if( ret != 0 )
return( ret );
break;
-#endif /* POLARSSL_ECP_C */
+#endif /* POLARSSL_ECDH_C || POLARSSL_ECDSA_C */
#if defined(POLARSSL_SSL_MAX_FRAGMENT_LENGTH)
case TLS_EXT_MAX_FRAGMENT_LENGTH:
@@ -1288,9 +1289,11 @@
ciphersuite_info->max_minor_ver < ssl->minor_ver )
continue;
+#if defined(POLARSSL_ECDH_C) || defined(POLARSSL_ECDSA_C)
if( ( ciphersuite_info->flags & POLARSSL_CIPHERSUITE_EC ) &&
ssl->handshake->ec_curve == 0 )
continue;
+#endif
goto have_ciphersuite;
}
@@ -1423,6 +1426,31 @@
}
#endif /* POLARSSL_SSL_MAX_FRAGMENT_LENGTH */
+#if defined(POLARSSL_ECDH_C) || defined(POLARSSL_ECDSA_C)
+static void ssl_write_supported_point_formats_ext( ssl_context *ssl,
+ unsigned char *buf,
+ size_t *olen )
+{
+ unsigned char *p = buf;
+ ((void) ssl);
+
+ *olen = 0;
+
+ SSL_DEBUG_MSG( 3, ( "server hello, supported_point_formats extension" ) );
+
+ *p++ = (unsigned char)( ( TLS_EXT_SUPPORTED_POINT_FORMATS >> 8 ) & 0xFF );
+ *p++ = (unsigned char)( ( TLS_EXT_SUPPORTED_POINT_FORMATS ) & 0xFF );
+
+ *p++ = 0x00;
+ *p++ = 2;
+
+ *p++ = 1;
+ *p++ = POLARSSL_ECP_PF_UNCOMPRESSED;
+
+ *olen = 6;
+}
+#endif /* POLARSSL_ECDH_C || POLARSSL_ECDSA_C */
+
static int ssl_write_server_hello( ssl_context *ssl )
{
#if defined(POLARSSL_HAVE_TIME)
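Review bot: `ssl_write_supported_point_formats_ext` always emits the extension, and the call added to `ssl_write_server_hello` in the later hunk is unconditional too, so the server sends supported_point_formats even when the client did not offer it or a non-EC ciphersuite was selected. RFC 5246 section 7.4.1.4 forbids extension types in the ServerHello that the ClientHello did not contain, and strict peers abort the handshake on that. I would record in the ClientHello parser that the extension was seen and have this function return early with `*olen = 0` otherwise; that is also what the currently unused `ssl` parameter, cast to void here, would be for. The writer also has no visible bound on the remaining space in `buf`, which is worth confirming at the call site.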
@@ -1578,6 +1606,11 @@
ext_len += olen;
#endif
+#if defined(POLARSSL_ECDH_C) || defined(POLARSSL_ECDSA_C)
+ ssl_write_supported_point_formats_ext( ssl, p + 2 + ext_len, &olen );
+ ext_len += olen;
+#endif
+
SSL_DEBUG_MSG( 3, ( "server hello, total extension length: %d", ext_len ) );
*p++ = (unsigned char)( ( ext_len >> 8 ) & 0xFF );
diff --git a/library/ssl_tls.c b/library/ssl_tls.c
index 039b536..9c1e53a 100644
--- a/library/ssl_tls.c
+++ b/library/ssl_tls.c
@@ -1011,6 +1011,7 @@
switch( ssl->transform_out->ciphersuite_info->cipher )
{
+#if defined(POLARSSL_DES_C)
case POLARSSL_CIPHER_DES_CBC:
des_crypt_cbc( (des_context *) ssl->transform_out->ctx_enc,
DES_ENCRYPT, enc_msglen,
@@ -1022,20 +1023,25 @@
DES_ENCRYPT, enc_msglen,
ssl->transform_out->iv_enc, enc_msg, enc_msg );
break;
+#endif
+#if defined(POLARSSL_AES_C)
case POLARSSL_CIPHER_AES_128_CBC:
case POLARSSL_CIPHER_AES_256_CBC:
aes_crypt_cbc( (aes_context *) ssl->transform_out->ctx_enc,
AES_ENCRYPT, enc_msglen,
ssl->transform_out->iv_enc, enc_msg, enc_msg );
break;
+#endif
+#if defined(POLARSSL_CAMELLIA_C)
case POLARSSL_CIPHER_CAMELLIA_128_CBC:
case POLARSSL_CIPHER_CAMELLIA_256_CBC:
camellia_crypt_cbc( (camellia_context *) ssl->transform_out->ctx_enc,
CAMELLIA_ENCRYPT, enc_msglen,
ssl->transform_out->iv_enc, enc_msg, enc_msg );
break;
+#endif
default:
return( POLARSSL_ERR_SSL_FEATURE_UNAVAILABLE );
@@ -1188,6 +1194,7 @@
switch( ssl->transform_in->ciphersuite_info->cipher )
{
+#if defined(POLARSSL_DES_C)
case POLARSSL_CIPHER_DES_CBC:
des_crypt_cbc( (des_context *) ssl->transform_in->ctx_dec,
DES_DECRYPT, dec_msglen,
@@ -1199,20 +1206,25 @@
DES_DECRYPT, dec_msglen,
ssl->transform_in->iv_dec, dec_msg, dec_msg_result );
break;
+#endif
+#if defined(POLARSSL_AES_C)
case POLARSSL_CIPHER_AES_128_CBC:
case POLARSSL_CIPHER_AES_256_CBC:
aes_crypt_cbc( (aes_context *) ssl->transform_in->ctx_dec,
AES_DECRYPT, dec_msglen,
ssl->transform_in->iv_dec, dec_msg, dec_msg_result );
break;
+#endif
+#if defined(POLARSSL_CAMELLIA_C)
case POLARSSL_CIPHER_CAMELLIA_128_CBC:
case POLARSSL_CIPHER_CAMELLIA_256_CBC:
camellia_crypt_cbc( (camellia_context *) ssl->transform_in->ctx_dec,
CAMELLIA_DECRYPT, dec_msglen,
ssl->transform_in->iv_dec, dec_msg, dec_msg_result );
break;
+#endif
default:
return( POLARSSL_ERR_SSL_FEATURE_UNAVAILABLE );
@@ -3208,6 +3220,10 @@
return( POLARSSL_ERR_SSL_BAD_INPUT_DATA );
ssl->hostname_len = strlen( hostname );
+
+ if( ssl->hostname_len + 1 == 0 )
+ return( POLARSSL_ERR_SSL_BAD_INPUT_DATA );
+
ssl->hostname = (unsigned char *) polarssl_malloc( ssl->hostname_len + 1 );
if( ssl->hostname == NULL )
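Review bot: The added `ssl->hostname_len + 1 == 0` test can only trigger if `strlen()` returns SIZE_MAX, so it protects the `polarssl_malloc` argument but puts no practical limit on the name. The server_name extension carries this length in 16-bit fields, and the writer is not visible here, so a hostname longer than the extension or the output buffer can hold should presumably be rejected at this point, e.g. `if( ssl->hostname_len > <MAX_HOSTNAME_LEN> ) return( POLARSSL_ERR_SSL_BAD_INPUT_DATA );`, where `<MAX_HOSTNAME_LEN>` is a placeholder for a project constant. Note also that `ssl->hostname_len` is overwritten before validation, so an error return leaves it inconsistent with `ssl->hostname`; computing the length into a local first avoids that. The function starts and ends outside this hunk.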
diff --git a/library/x509parse.c b/library/x509parse.c
index ace7fe8..08dc4d0 100644
--- a/library/x509parse.c
+++ b/library/x509parse.c
@@ -287,6 +287,10 @@
ASN1_CONSTRUCTED | ASN1_SEQUENCE ) ) != 0 )
return( POLARSSL_ERR_X509_CERT_INVALID_NAME + ret );
+ if( ( end - *p ) < 1 )
+ return( POLARSSL_ERR_X509_CERT_INVALID_NAME +
+ POLARSSL_ERR_ASN1_OUT_OF_DATA );
+
oid = &cur->oid;
oid->tag = **p;
@@ -514,6 +518,10 @@
( ret = asn1_get_mpi( p, end, &rsa->E ) ) != 0 )
return( POLARSSL_ERR_X509_CERT_INVALID_PUBKEY + ret );
+ if( *p != end )
+ return( POLARSSL_ERR_X509_CERT_INVALID_PUBKEY +
+ POLARSSL_ERR_ASN1_LENGTH_MISMATCH );
+
if( ( ret = rsa_check_pubkey( rsa ) ) != 0 )
return( ret );
@@ -1909,15 +1917,23 @@
static int load_file( const char *path, unsigned char **buf, size_t *n )
{
FILE *f;
+ long size;
if( ( f = fopen( path, "rb" ) ) == NULL )
return( POLARSSL_ERR_X509_FILE_IO_ERROR );
fseek( f, 0, SEEK_END );
- *n = (size_t) ftell( f );
+ if( ( size = ftell( f ) ) == -1 )
+ {
+ fclose( f );
+ return( POLARSSL_ERR_X509_FILE_IO_ERROR );
+ }
fseek( f, 0, SEEK_SET );
- if( ( *buf = (unsigned char *) polarssl_malloc( *n + 1 ) ) == NULL )
+ *n = (size_t) size;
+
+ if( *n + 1 == 0 ||
+ ( *buf = (unsigned char *) polarssl_malloc( *n + 1 ) ) == NULL )
{
fclose( f );
return( POLARSSL_ERR_X509_MALLOC_FAILED );
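Review bot: Both `fseek()` calls in `load_file` still ignore their return value, so the new `ftell()` check does not cover a failed seek. If the seek to the end fails, `ftell()` can report the current offset 0 and the file is treated as empty instead of reporting an I/O error. I would check them the same way as `ftell`, e.g. `if( fseek( f, 0, SEEK_END ) != 0 ) { fclose( f ); return( POLARSSL_ERR_X509_FILE_IO_ERROR ); }`. A comment on `*n + 1 == 0` saying it guards the `+ 1` for the terminating NUL would make that test self-explanatory. The rest of the function, including the read itself, is outside this hunk.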
@@ -3445,6 +3461,7 @@
/*
* Cannot check 'unknown' hash
*/
+ trust_ca = trust_ca->next;
continue;
}
@@ -3903,7 +3920,6 @@
ret = x509parse_verify( &clicert, &cacert, NULL, "PolarSSL Client 2", &flags, NULL, NULL );
if( ret != 0 )
{
- printf("%02x", flags);
if( verbose != 0 )
printf( "failed\n" );
diff --git a/tests/data_files/ec_224_prv.pem b/tests/data_files/ec_224_prv.pem
new file mode 100644
index 0000000..ebb83a0
--- /dev/null
+++ b/tests/data_files/ec_224_prv.pem
@@ -0,0 +1,5 @@
+-----BEGIN EC PRIVATE KEY-----
+MGgCAQEEHGhJ+X0QZvaZd1ljfH44mUZM7j7HrJcGU6C+B0KgBwYFK4EEACGhPAM6
+AAQWk6KQ9/C1cf4rQdXYSwEydjH0qGD5lfozLAl/VBkrsQ8AET8q/7E8GiTORJFF
+calUQK4BSgDL9w==
+-----END EC PRIVATE KEY-----
diff --git a/tests/data_files/ec_224_pub.pem b/tests/data_files/ec_224_pub.pem
new file mode 100644
index 0000000..d2da54a
--- /dev/null
+++ b/tests/data_files/ec_224_pub.pem
@@ -0,0 +1,4 @@
+-----BEGIN PUBLIC KEY-----
+ME4wEAYHKoZIzj0CAQYFK4EEACEDOgAEFpOikPfwtXH+K0HV2EsBMnYx9Khg+ZX6
+MywJf1QZK7EPABE/Kv+xPBokzkSRRXGpVECuAUoAy/c=
+-----END PUBLIC KEY-----
diff --git a/tests/data_files/ec_256_prv.pem b/tests/data_files/ec_256_prv.pem
new file mode 100644
index 0000000..e42dd4a
--- /dev/null
+++ b/tests/data_files/ec_256_prv.pem
@@ -0,0 +1,5 @@
+-----BEGIN EC PRIVATE KEY-----
+MHcCAQEEIEnJqMGMS4hWOMQxzx3xyZQTFgm1gNT9Q6DKsX2y8T7uoAoGCCqGSM49
+AwEHoUQDQgAEd3Jlb4FLOZJ51eHxeB+sbwmaPFyhsONTUYNLCLZeC1clkM2vj3aT
+YbzzSs/BHl4HToQmvd4Evm5lOUVElhfeRQ==
+-----END EC PRIVATE KEY-----
diff --git a/tests/data_files/ec_256_pub.pem b/tests/data_files/ec_256_pub.pem
new file mode 100644
index 0000000..701da02
--- /dev/null
+++ b/tests/data_files/ec_256_pub.pem
@@ -0,0 +1,4 @@
+-----BEGIN PUBLIC KEY-----
+MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEd3Jlb4FLOZJ51eHxeB+sbwmaPFyh
+sONTUYNLCLZeC1clkM2vj3aTYbzzSs/BHl4HToQmvd4Evm5lOUVElhfeRQ==
+-----END PUBLIC KEY-----
diff --git a/tests/data_files/ec_384_prv.pem b/tests/data_files/ec_384_prv.pem
new file mode 100644
index 0000000..7890759
--- /dev/null
+++ b/tests/data_files/ec_384_prv.pem
@@ -0,0 +1,6 @@
+-----BEGIN EC PRIVATE KEY-----
+MIGkAgEBBDA/XY2b4oC1aWzFzJ+Uz4r35rYd1lkrKrKzpMYHRQQX7DJ9zcrtfBAF
+PXGaBXTwp2qgBwYFK4EEACKhZANiAATZxmK1C6KcpHmQRQ4EOur08MabFWdtES9i
+KnHJMFmvmZaRxWgNK0TREVedsS9KQTou1cRfz7Z7W2PgC5Hr5Z0JprGsLAxCgqoS
+MX7VkU+Zm8SIuxMug0LMNvLKXjN5x0c=
+-----END EC PRIVATE KEY-----
diff --git a/tests/data_files/ec_384_pub.pem b/tests/data_files/ec_384_pub.pem
new file mode 100644
index 0000000..de95382
--- /dev/null
+++ b/tests/data_files/ec_384_pub.pem
@@ -0,0 +1,5 @@
+-----BEGIN PUBLIC KEY-----
+MHYwEAYHKoZIzj0CAQYFK4EEACIDYgAE2cZitQuinKR5kEUOBDrq9PDGmxVnbREv
+YipxyTBZr5mWkcVoDStE0RFXnbEvSkE6LtXEX8+2e1tj4AuR6+WdCaaxrCwMQoKq
+EjF+1ZFPmZvEiLsTLoNCzDbyyl4zecdH
+-----END PUBLIC KEY-----
diff --git a/tests/data_files/ec_521_prv.pem b/tests/data_files/ec_521_prv.pem
new file mode 100644
index 0000000..144bb44
--- /dev/null
+++ b/tests/data_files/ec_521_prv.pem
@@ -0,0 +1,7 @@
+-----BEGIN EC PRIVATE KEY-----
+MIHcAgEBBEIBsbatB7t55zINpZhg6ijgVShPYFjyed5mbgbUNdKve9oo2Z+ke33Q
+lj4WsAcweO6LijjZZqWC9G0Z/5XfOtloWq6gBwYFK4EEACOhgYkDgYYABAAd4ULV
+T2nrA47kt6+dPKB3Nv2c9xnrNU1ph57n88E2+w+/nwj4a+X6Eo7BoFHT5sZD6Fra
+j/rPNmPCYL0shEtvVgDO6OSKnmXQnK3YnyNd7gXzuKZGvnFfH2fVtDTg/yOh/Afv
+d0AZPkDu/287zf12WqkVUDNST+TyBfVETiksTC9qwQ==
+-----END EC PRIVATE KEY-----
diff --git a/tests/data_files/ec_521_pub.pem b/tests/data_files/ec_521_pub.pem
new file mode 100644
index 0000000..26bc5c5
--- /dev/null
+++ b/tests/data_files/ec_521_pub.pem
@@ -0,0 +1,6 @@
+-----BEGIN PUBLIC KEY-----
+MIGbMBAGByqGSM49AgEGBSuBBAAjA4GGAAQAHeFC1U9p6wOO5LevnTygdzb9nPcZ
+6zVNaYee5/PBNvsPv58I+Gvl+hKOwaBR0+bGQ+ha2o/6zzZjwmC9LIRLb1YAzujk
+ip5l0Jyt2J8jXe4F87imRr5xXx9n1bQ04P8jofwH73dAGT5A7v9vO839dlqpFVAz
+Uk/k8gX1RE4pLEwvasE=
+-----END PUBLIC KEY-----
diff --git a/tests/suites/test_suite_x509parse.data b/tests/suites/test_suite_x509parse.data
index 49d3f22..2a3e1c8 100644
--- a/tests/suites/test_suite_x509parse.data
+++ b/tests/suites/test_suite_x509parse.data
@@ -194,6 +194,22 @@
depends_on:POLARSSL_PEM_C:POLARSSL_ECP_C:POLARSSL_ECP_DP_SECP192R1_ENABLED:POLARSSL_FS_IO
x509parse_public_keyfile_ec:"data_files/ec_pub.pem":0
+X509 Parse Public EC Key #3 (RFC 5480, secp224r1)
+depends_on:POLARSSL_PEM_C:POLARSSL_ECP_C:POLARSSL_ECP_DP_SECP224R1_ENABLED:POLARSSL_FS_IO
+x509parse_public_keyfile_ec:"data_files/ec_224_pub.pem":0
+
+X509 Parse Public EC Key #4 (RFC 5480, secp256r1)
+depends_on:POLARSSL_PEM_C:POLARSSL_ECP_C:POLARSSL_ECP_DP_SECP256R1_ENABLED:POLARSSL_FS_IO
+x509parse_public_keyfile_ec:"data_files/ec_256_pub.pem":0
+
+X509 Parse Public EC Key #5 (RFC 5480, secp384r1)
+depends_on:POLARSSL_PEM_C:POLARSSL_ECP_C:POLARSSL_ECP_DP_SECP384R1_ENABLED:POLARSSL_FS_IO
+x509parse_public_keyfile_ec:"data_files/ec_384_pub.pem":0
+
+X509 Parse Public EC Key #6 (RFC 5480, secp521r1)
+depends_on:POLARSSL_PEM_C:POLARSSL_ECP_C:POLARSSL_ECP_DP_SECP521R1_ENABLED:POLARSSL_FS_IO
+x509parse_public_keyfile_ec:"data_files/ec_521_pub.pem":0
+
X509 Parse EC Key #1 (SEC1 DER)
depends_on:POLARSSL_FS_IO:POLARSSL_ECP_C:POLARSSL_ECP_DP_SECP192R1_ENABLED
x509parse_keyfile_ec:"data_files/ec_prv.sec1.der":"NULL":0
@@ -222,6 +238,22 @@
depends_on:POLARSSL_DES_C:POLARSSL_SHA1_C:POLARSSL_PEM_C:POLARSSL_FS_IO:POLARSSL_ECP_C:POLARSSL_ECP_DP_SECP192R1_ENABLED
x509parse_keyfile_ec:"data_files/ec_prv.pk8.pw.pem":"polar":0
+X509 Parse EC Key #8 (SEC1 PEM, secp224r1)
+depends_on:POLARSSL_PEM_C:POLARSSL_FS_IO:POLARSSL_ECP_C:POLARSSL_ECP_DP_SECP224R1_ENABLED
+x509parse_keyfile_ec:"data_files/ec_224_prv.pem":NULL:0
+
+X509 Parse EC Key #9 (SEC1 PEM, secp256r1)
+depends_on:POLARSSL_PEM_C:POLARSSL_FS_IO:POLARSSL_ECP_C:POLARSSL_ECP_DP_SECP256R1_ENABLED
+x509parse_keyfile_ec:"data_files/ec_256_prv.pem":NULL:0
+
+X509 Parse EC Key #10 (SEC1 PEM, secp384r1)
+depends_on:POLARSSL_PEM_C:POLARSSL_FS_IO:POLARSSL_ECP_C:POLARSSL_ECP_DP_SECP384R1_ENABLED
+x509parse_keyfile_ec:"data_files/ec_384_prv.pem":NULL:0
+
+X509 Parse EC Key #11 (SEC1 PEM, secp521r1)
+depends_on:POLARSSL_PEM_C:POLARSSL_FS_IO:POLARSSL_ECP_C:POLARSSL_ECP_DP_SECP521R1_ENABLED
+x509parse_keyfile_ec:"data_files/ec_521_prv.pem":NULL:0
+
X509 Get Distinguished Name #1
depends_on:POLARSSL_PEM_C:POLARSSL_FS_IO
x509_dn_gets:"data_files/server1.crt":"subject":"C=NL, O=PolarSSL, CN=PolarSSL Server 1"
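Review bot: The four new `x509parse_keyfile_ec` cases pass the password as bare `NULL`, while the existing case "X509 Parse EC Key #1 (SEC1 DER)" just above passes `"NULL"` in quotes. How the test harness treats an unquoted token is not visible here, so the two spellings may not reach the parser the same way. Since these keys are unencrypted the tests probably pass either way, but I would use `"NULL"` for consistency so the cases exercise the same no-password path as their neighbours.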
@@ -520,7 +552,7 @@
x509parse_crt:"30673065a0030201028204deadbeef300d06092a864886f70d0101020500300c310a30080600130454657374301c170c303930313031303030303030170c303931323331323335393539300c310a30080600130454657374300f300d06092A864886F70D0101010500":"":POLARSSL_ERR_X509_CERT_INVALID_PUBKEY + POLARSSL_ERR_ASN1_OUT_OF_DATA
X509 Certificate ASN1 (TBSCertificate, pubkey, no bitstring data)
-x509parse_crt:"30693067a0030201028204deadbeef300d06092a864886f70d0101020500300c310a30080600130454657374301c170c303930313031303030303030170c303931323331323335393539300c310a300806001304546573743011300d06092A864886F70D01010105000300":"":POLARSSL_ERR_X509_CERT_INVALID_PUBKEY + POLARSSL_ERR_ASN1_OUT_OF_DATA
+x509parse_crt:"30693067a0030201028204deadbeef300d06092a864886f70d0101020500300c310a30080600130454657374301c170c303930313031303030303030170c303931323331323335393539300c310a300806001304546573743011300d06092A864886F70D01010105000300":"":POLARSSL_ERR_X509_CERT_INVALID_PUBKEY + POLARSSL_ERR_ASN1_INVALID_DATA
X509 Certificate ASN1 (TBSCertificate, pubkey, invalid bitstring start)
x509parse_crt:"306a3068a0030201028204deadbeef300d06092a864886f70d0101020500300c310a30080600130454657374301c170c303930313031303030303030170c303931323331323335393539300c310a300806001304546573743012300d06092A864886F70D0101010500030101":"":POLARSSL_ERR_X509_CERT_INVALID_PUBKEY + POLARSSL_ERR_ASN1_INVALID_DATA