Merged support for Brainpool curves and ciphersuites
diff --git a/ChangeLog b/ChangeLog
index 79484cb..8e3b0a9 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,5 +1,20 @@
PolarSSL ChangeLog (Sorted per branch, date)
+= Branch 1.3
+Features
+ * Support for Brainpool curves and TLS ciphersuites (RFC 7027)
+
+Changes
+ * RSA blinding locks for a smaller amount of time
+ * TLS compression only allocates working buffer once
+
+Bugfix
+ * Missing MSVC defines added
+ * Compile errors with POLARSSL_RSA_NO_CRT
+ * Header files with 'polarssl/'
+ * Const correctness
+ * Possible naming collision in dhm_context
+
= PolarSSL-1.3.0 released on 2013-10-01
Features
* Elliptic Curve Cryptography module added
@@ -62,6 +77,15 @@
* RSA blinding on CRT operations to counter timing attacks
(found by Cyril Arnaud and Pierre-Alain Fouque)
+= Version 1.2.10 released 2013-10-07
+Changes
+ * Changed RSA blinding to a slower but thread-safe version
+
+Bugfix
+ * Fixed memory leak in RSA as a result of introduction of blinding
+ * Fixed ssl_pkcs11_decrypt() prototype
+ * Fixed MSVC project files
+
= Version 1.2.9 released 2013-10-01
Changes
* x509_verify() now case insensitive for cn (RFC 6125 6.4)
diff --git a/include/polarssl/dhm.h b/include/polarssl/dhm.h
index 75dff19..4665ff9 100644
--- a/include/polarssl/dhm.h
+++ b/include/polarssl/dhm.h
@@ -152,7 +152,7 @@
mpi RP; /*!< cached R^2 mod P */
mpi Vi; /*!< blinding value */
mpi Vf; /*!< un-blinding value */
- mpi _X; /*!< previous X */
+ mpi pX; /*!< previous X */
}
dhm_context;
diff --git a/include/polarssl/ecdh.h b/include/polarssl/ecdh.h
index 81c8f93..4c82f25 100644
--- a/include/polarssl/ecdh.h
+++ b/include/polarssl/ecdh.h
@@ -27,7 +27,7 @@
#ifndef POLARSSL_ECDH_H
#define POLARSSL_ECDH_H
-#include "polarssl/ecp.h"
+#include "ecp.h"
#ifdef __cplusplus
extern "C" {
diff --git a/include/polarssl/ecdsa.h b/include/polarssl/ecdsa.h
index 4a29ac6..ee60d26 100644
--- a/include/polarssl/ecdsa.h
+++ b/include/polarssl/ecdsa.h
@@ -27,7 +27,7 @@
#ifndef POLARSSL_ECDSA_H
#define POLARSSL_ECDSA_H
-#include "polarssl/ecp.h"
+#include "ecp.h"
/**
* \brief ECDSA context structure
diff --git a/include/polarssl/ecp.h b/include/polarssl/ecp.h
index 90fa09b..7940b32 100644
--- a/include/polarssl/ecp.h
+++ b/include/polarssl/ecp.h
@@ -27,7 +27,7 @@
#ifndef POLARSSL_ECP_H
#define POLARSSL_ECP_H
-#include "polarssl/bignum.h"
+#include "bignum.h"
/*
* ECP error codes
diff --git a/include/polarssl/pk.h b/include/polarssl/pk.h
index b08f5e3..251c690 100644
--- a/include/polarssl/pk.h
+++ b/include/polarssl/pk.h
@@ -112,7 +112,7 @@
typedef struct
{
pk_debug_type type;
- char *name;
+ const char *name;
void *value;
} pk_debug_item;
diff --git a/include/polarssl/ssl.h b/include/polarssl/ssl.h
index cf18ea7..3e3ace3 100644
--- a/include/polarssl/ssl.h
+++ b/include/polarssl/ssl.h
@@ -667,6 +667,9 @@
size_t out_msglen; /*!< record header: message length */
size_t out_left; /*!< amount of data not yet written */
+#if defined(POLARSSL_ZLIB_SUPPORT)
+ unsigned char *compress_buf; /*!< zlib data buffer */
+#endif
#if defined(POLARSSL_SSL_MAX_FRAGMENT_LENGTH)
unsigned char mfl_code; /*!< MaxFragmentLength chosen by us */
#endif /* POLARSSL_SSL_MAX_FRAGMENT_LENGTH */
diff --git a/library/dhm.c b/library/dhm.c
index dc815d9..e8aa819 100644
--- a/library/dhm.c
+++ b/library/dhm.c
@@ -276,9 +276,9 @@
* Don't use any blinding the first time a particular X is used,
* but remember it to use blinding next time.
*/
- if( mpi_cmp_mpi( &ctx->X, &ctx->_X ) != 0 )
+ if( mpi_cmp_mpi( &ctx->X, &ctx->pX ) != 0 )
{
- MPI_CHK( mpi_copy( &ctx->_X, &ctx->X ) );
+ MPI_CHK( mpi_copy( &ctx->pX, &ctx->X ) );
MPI_CHK( mpi_lset( &ctx->Vi, 1 ) );
MPI_CHK( mpi_lset( &ctx->Vf, 1 ) );
@@ -384,7 +384,7 @@
*/
void dhm_free( dhm_context *ctx )
{
- mpi_free( &ctx->_X); mpi_free( &ctx->Vf ); mpi_free( &ctx->Vi );
+ mpi_free( &ctx->pX); mpi_free( &ctx->Vf ); mpi_free( &ctx->Vi );
mpi_free( &ctx->RP ); mpi_free( &ctx->K ); mpi_free( &ctx->GY );
mpi_free( &ctx->GX ); mpi_free( &ctx->X ); mpi_free( &ctx->G );
mpi_free( &ctx->P );
diff --git a/library/pkwrite.c b/library/pkwrite.c
index a3e9c57..fcebd48 100644
--- a/library/pkwrite.c
+++ b/library/pkwrite.c
@@ -312,7 +312,7 @@
{
int ret;
unsigned char output_buf[4096];
- char *begin, *end;
+ const char *begin, *end;
size_t olen = 0;
if( ( ret = pk_write_key_der( key, output_buf, sizeof(output_buf) ) ) < 0 )
diff --git a/library/rsa.c b/library/rsa.c
index 1784379..2713b5c 100644
--- a/library/rsa.c
+++ b/library/rsa.c
@@ -264,10 +264,14 @@
* DSS, and other systems. In : Advances in Cryptology—CRYPTO’96. Springer
* Berlin Heidelberg, 1996. p. 104-113.
*/
-static int rsa_prepare_blinding( rsa_context *ctx,
+static int rsa_prepare_blinding( rsa_context *ctx, mpi *Vi, mpi *Vf,
int (*f_rng)(void *, unsigned char *, size_t), void *p_rng )
{
- int ret;
+ int ret, count = 0;
+
+#if defined(POLARSSL_THREADING_C)
+ polarssl_mutex_lock( &ctx->mutex );
+#endif
if( ctx->Vf.p != NULL )
{
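Review bot: The return value of the added `polarssl_mutex_lock( &ctx->mutex )` is discarded, so a failed lock lets the function go on to read and update ctx->Vi/ctx->Vf unprotected and later unlock a mutex it never acquired. Since the threading layer reports failures as an int in this tree (as far as I can tell), the call should be checked before any context state is touched, e.g. `if( polarssl_mutex_lock( &ctx->mutex ) != 0 ) return( POLARSSL_ERR_THREADING_MUTEX_ERROR );`. The body of rsa_prepare_blinding continues past this hunk.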
@@ -277,17 +281,34 @@
MPI_CHK( mpi_mul_mpi( &ctx->Vf, &ctx->Vf, &ctx->Vf ) );
MPI_CHK( mpi_mod_mpi( &ctx->Vf, &ctx->Vf, &ctx->N ) );
- return( 0 );
+ goto done;
}
- /* Unblinding value: Vf = random number */
- MPI_CHK( mpi_fill_random( &ctx->Vf, ctx->len - 1, f_rng, p_rng ) );
+ /* Unblinding value: Vf = random number, invertible mod N */
+ do {
+ if( count++ > 10 )
+ return( POLARSSL_ERR_RSA_RNG_FAILED );
+
+ MPI_CHK( mpi_fill_random( &ctx->Vf, ctx->len - 1, f_rng, p_rng ) );
+ MPI_CHK( mpi_gcd( &ctx->Vi, &ctx->Vf, &ctx->N ) );
+ } while( mpi_cmp_int( &ctx->Vi, 1 ) != 0 );
/* Blinding value: Vi = Vf^(-e) mod N */
MPI_CHK( mpi_inv_mod( &ctx->Vi, &ctx->Vf, &ctx->N ) );
MPI_CHK( mpi_exp_mod( &ctx->Vi, &ctx->Vi, &ctx->E, &ctx->N, &ctx->RN ) );
+done:
+ if( Vi != &ctx->Vi )
+ {
+ MPI_CHK( mpi_copy( Vi, &ctx->Vi ) );
+ MPI_CHK( mpi_copy( Vf, &ctx->Vf ) );
+ }
+
cleanup:
+#if defined(POLARSSL_THREADING_C)
+ polarssl_mutex_unlock( &ctx->mutex );
+#endif
+
return( ret );
}
#endif
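Review bot: The `return( POLARSSL_ERR_RSA_RNG_FAILED )` inside the new do/while loop leaves the function without passing cleanup:, so under POLARSSL_THREADING_C the mutex taken at the top of rsa_prepare_blinding stays locked and the next private-key operation on this context deadlocks. Route the failure through the existing label instead: `if( count++ > 10 ) { ret = POLARSSL_ERR_RSA_RNG_FAILED; goto cleanup; }`. Note also that with a post-increment and `> 10` the loop draws up to twelve candidates before giving up; if ten attempts is the intent, `>= 10` or a named constant would make that explicit. rsa_prepare_blinding's signature is in the previous hunk, outside this one.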
@@ -302,11 +323,27 @@
unsigned char *output )
{
int ret;
-#if defined(POLARSSL_THREADING_C)
- int locked = 0;
-#endif
size_t olen;
mpi T, T1, T2;
+#if !defined(POLARSSL_RSA_NO_CRT)
+ mpi *Vi, *Vf;
+
+ /*
+ * When using the Chinese Remainder Theorem, we use blinding values.
+ * Without threading, we just read them directly from the context,
+ * otherwise we make a local copy in order to reduce locking contention.
+ */
+#if defined(POLARSSL_THREADING_C)
+ mpi Vi_copy, Vf_copy;
+
+ mpi_init( &Vi_copy ); mpi_init( &Vf_copy );
+ Vi = &Vi_copy;
+ Vf = &Vf_copy;
+#else
+ Vi = &ctx->Vi;
+ Vf = &ctx->Vf;
+#endif
+#endif
mpi_init( &T ); mpi_init( &T1 ); mpi_init( &T2 );
@@ -318,20 +355,18 @@
}
#if defined(POLARSSL_RSA_NO_CRT)
+ ((void) f_rng);
+ ((void) p_rng);
MPI_CHK( mpi_exp_mod( &T, &T, &ctx->D, &ctx->N, &ctx->RN ) );
#else
if( f_rng != NULL )
{
-#if defined(POLARSSL_THREADING_C)
- polarssl_mutex_lock( &ctx->mutex );
- locked = 1;
-#endif
/*
* Blinding
* T = T * Vi mod N
*/
- MPI_CHK( rsa_prepare_blinding( ctx, f_rng, p_rng ) );
- MPI_CHK( mpi_mul_mpi( &T, &T, &ctx->Vi ) );
+ MPI_CHK( rsa_prepare_blinding( ctx, Vi, Vf, f_rng, p_rng ) );
+ MPI_CHK( mpi_mul_mpi( &T, &T, Vi ) );
MPI_CHK( mpi_mod_mpi( &T, &T, &ctx->N ) );
}
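Review bot: The added `((void) f_rng); ((void) p_rng);` under POLARSSL_RSA_NO_CRT silences the unused-parameter warning but only implicitly records that no blinding happens in this configuration: the exponentiation with ctx->D on the next line runs directly on the input. A one-line comment would make the trade-off visible to whoever builds with this option, e.g. `/* No CRT: the exponentiation is not blinded, so the timing countermeasure in the CRT path does not apply here */`. rsa_private starts and ends outside this hunk.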
@@ -363,7 +398,7 @@
* Unblind
* T = T * Vf mod N
*/
- MPI_CHK( mpi_mul_mpi( &T, &T, &ctx->Vf ) );
+ MPI_CHK( mpi_mul_mpi( &T, &T, Vf ) );
MPI_CHK( mpi_mod_mpi( &T, &T, &ctx->N ) );
}
#endif
@@ -372,11 +407,10 @@
MPI_CHK( mpi_write_binary( &T, output, olen ) );
cleanup:
-#if defined(POLARSSL_THREADING_C)
- if( locked )
- polarssl_mutex_unlock( &ctx->mutex );
-#endif
mpi_free( &T ); mpi_free( &T1 ); mpi_free( &T2 );
+#if !defined(POLARSSL_RSA_NO_CRT) && defined(POLARSSL_THREADING_C)
+ mpi_free( &Vi_copy ); mpi_free( &Vf_copy );
+#endif
if( ret != 0 )
return( POLARSSL_ERR_RSA_PRIVATE_FAILED + ret );
@@ -1321,8 +1355,10 @@
MPI_CHK( mpi_copy( &dst->RP, &src->RP ) );
MPI_CHK( mpi_copy( &dst->RQ, &src->RQ ) );
+#if !defined(POLARSSL_RSA_NO_CRT)
MPI_CHK( mpi_copy( &dst->Vi, &src->Vi ) );
MPI_CHK( mpi_copy( &dst->Vf, &src->Vf ) );
+#endif
dst->padding = src->padding;
dst->hash_id = src->padding;
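Review bot: The context line directly below the new guard, `dst->hash_id = src->padding;`, copies the padding mode into hash_id, which looks like a copy-paste slip rather than intent, since the line above it copies padding into padding. This commit does not touch it, but as the surrounding copy logic is being edited it is worth fixing in the same place with `dst->hash_id = src->hash_id;`, as a context copy that silently changes the hash id would affect PKCS#1 v1.5 signature encoding on the copy. The enclosing rsa_copy starts and ends outside this hunk.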
@@ -1339,7 +1375,9 @@
*/
void rsa_free( rsa_context *ctx )
{
+#if !defined(POLARSSL_RSA_NO_CRT)
mpi_free( &ctx->Vi ); mpi_free( &ctx->Vf );
+#endif
mpi_free( &ctx->RQ ); mpi_free( &ctx->RP ); mpi_free( &ctx->RN );
mpi_free( &ctx->QP ); mpi_free( &ctx->DQ ); mpi_free( &ctx->DP );
mpi_free( &ctx->Q ); mpi_free( &ctx->P ); mpi_free( &ctx->D );
diff --git a/library/ssl_ciphersuites.c b/library/ssl_ciphersuites.c
index 71094fa..ba28b3f 100644
--- a/library/ssl_ciphersuites.c
+++ b/library/ssl_ciphersuites.c
@@ -34,6 +34,10 @@
#include <stdlib.h>
+#if defined _MSC_VER && !defined strcasecmp
+#define strcasecmp _stricmp
+#endif
+
/*
* Ordered from most preferred to least preferred in terms of security.
*/
diff --git a/library/ssl_tls.c b/library/ssl_tls.c
index 39291fa..edcc1c8 100644
--- a/library/ssl_tls.c
+++ b/library/ssl_tls.c
@@ -706,6 +706,18 @@
//
if( session->compression == SSL_COMPRESS_DEFLATE )
{
+ if( ssl->compress_buf == NULL )
+ {
+ SSL_DEBUG_MSG( 3, ( "Allocating compression buffer" ) );
+ ssl->compress_buf = polarssl_malloc( SSL_BUFFER_LEN );
+ if( ssl->compress_buf == NULL )
+ {
+ SSL_DEBUG_MSG( 1, ( "malloc(%d bytes) failed",
+ SSL_BUFFER_LEN ) );
+ return( POLARSSL_ERR_SSL_MALLOC_FAILED );
+ }
+ }
+
SSL_DEBUG_MSG( 3, ( "Initializing zlib states" ) );
memset( &transform->ctx_deflate, 0, sizeof( transform->ctx_deflate ) );
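Review bot: The lazy allocation keys off `ssl->compress_buf == NULL`, so it is only correct if ssl_init() zeroes the new field and nothing frees the buffer without resetting the pointer; neither is visible in this diff, so please confirm ssl_init's zeroing covers compress_buf. A short comment above the check would make the ownership explicit: `/* Allocated once per context and reused across records; released in ssl_free() */`. The enclosing function starts and ends outside this hunk.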
@@ -1662,20 +1674,13 @@
int ret;
unsigned char *msg_post = ssl->out_msg;
size_t len_pre = ssl->out_msglen;
- unsigned char *msg_pre;
+ unsigned char *msg_pre = ssl->compress_buf;
SSL_DEBUG_MSG( 2, ( "=> compress buf" ) );
if( len_pre == 0 )
return( 0 );
- msg_pre = (unsigned char*) polarssl_malloc( len_pre );
- if( msg_pre == NULL )
- {
- SSL_DEBUG_MSG( 1, ( "malloc(%d bytes) failed", len_pre ) );
- return( POLARSSL_ERR_SSL_MALLOC_FAILED );
- }
-
memcpy( msg_pre, ssl->out_msg, len_pre );
SSL_DEBUG_MSG( 3, ( "before compression: msglen = %d, ",
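Review bot: `msg_pre = ssl->compress_buf` is now passed to memcpy without a NULL check, so if compression is in use but the allocation in the key-derivation path did not run, or a context is reused after the buffer was freed, this writes through a null pointer; the decompress hunk below has the same shape. A guard after the `len_pre == 0` check, `if( msg_pre == NULL ) return( POLARSSL_ERR_SSL_INTERNAL_ERROR );`, keeps that failure explicit instead of a crash. The change also means the plaintext of the last record now stays in compress_buf for the lifetime of the context rather than in a per-call buffer, which widens the window for memory-disclosure bugs; ssl_free wipes it, but wiping after each use would narrow that if the cost is acceptable. Both enclosing functions start before and end after their hunks.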
@@ -1698,8 +1703,6 @@
ssl->out_msglen = SSL_BUFFER_LEN - ssl->transform_out->ctx_deflate.avail_out;
- polarssl_free( msg_pre );
-
SSL_DEBUG_MSG( 3, ( "after compression: msglen = %d, ",
ssl->out_msglen ) );
@@ -1716,20 +1719,13 @@
int ret;
unsigned char *msg_post = ssl->in_msg;
size_t len_pre = ssl->in_msglen;
- unsigned char *msg_pre;
+ unsigned char *msg_pre = ssl->compress_buf;
SSL_DEBUG_MSG( 2, ( "=> decompress buf" ) );
if( len_pre == 0 )
return( 0 );
- msg_pre = (unsigned char*) polarssl_malloc( len_pre );
- if( msg_pre == NULL )
- {
- SSL_DEBUG_MSG( 1, ( "malloc(%d bytes) failed", len_pre ) );
- return( POLARSSL_ERR_SSL_MALLOC_FAILED );
- }
-
memcpy( msg_pre, ssl->in_msg, len_pre );
SSL_DEBUG_MSG( 3, ( "before decompression: msglen = %d, ",
@@ -1752,8 +1748,6 @@
ssl->in_msglen = SSL_MAX_CONTENT_LEN - ssl->transform_in->ctx_inflate.avail_out;
- polarssl_free( msg_pre );
-
SSL_DEBUG_MSG( 3, ( "after decompression: msglen = %d, ",
ssl->in_msglen ) );
@@ -4228,6 +4222,14 @@
polarssl_free( ssl->in_ctr );
}
+#if defined(POLARSSL_ZLIB_SUPPORT)
+ if( ssl->compress_buf != NULL )
+ {
+ memset( ssl->compress_buf, 0, SSL_BUFFER_LEN );
+ polarssl_free( ssl->compress_buf );
+ }
+#endif
+
#if defined(POLARSSL_DHM_C)
mpi_free( &ssl->dhm_P );
mpi_free( &ssl->dhm_G );
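Review bot: The memset() wiping compress_buf immediately before polarssl_free() is a dead store from the compiler's point of view and may be elided at -O2, so the zeroisation is not guaranteed; use a volatile-pointer loop or whatever secure-wipe helper this tree provides, consistent with how other secret-bearing buffers are cleared. Consider also setting `ssl->compress_buf = NULL;` after the free unless ssl_free zeroes the whole structure afterwards (not visible here), since the lazy allocation elsewhere tests the pointer for NULL. ssl_free starts outside this hunk.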
diff --git a/library/x509_create.c b/library/x509_create.c
index d7a1fee..d3d5851 100644
--- a/library/x509_create.c
+++ b/library/x509_create.c
@@ -36,7 +36,7 @@
int ret = 0;
char *s = name, *c = s;
char *end = s + strlen( s );
- char *oid = NULL;
+ const char *oid = NULL;
int in_tag = 1;
asn1_named_data *cur;
diff --git a/programs/test/benchmark.c b/programs/test/benchmark.c
index 4cebd14..4d5a06b 100644
--- a/programs/test/benchmark.c
+++ b/programs/test/benchmark.c
@@ -49,6 +49,10 @@
#include "polarssl/ecdsa.h"
#include "polarssl/ecdh.h"
+#if defined _MSC_VER && !defined snprintf
+#define snprintf _snprintf
+#endif
+
#define BUFSIZE 1024
#define HEADER_FORMAT " %-18s : "
#define TITLE_LEN 19
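Review bot: `_snprintf` is not a drop-in for C99 snprintf: on truncation it does not NUL-terminate the buffer and returns -1 instead of the required length, so any call in this file that relies on termination or on the return value behaves differently on MSVC. If every call site here writes short, bounded strings this is harmless, but a comment on the macro stating the difference, or a small wrapper that forces the terminator, would keep the shim from being copied into library code where it would matter.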