Merged trunk changes for 1.2
diff --git a/.gitignore b/.gitignore
new file mode 100644
index 0000000..07374ec
--- /dev/null
+++ b/.gitignore
@@ -0,0 +1,5 @@
+CMakeCache.txt
+CMakeFiles
+CTestTestfile.cmake
+cmake_install.cmake
+Testing
diff --git a/ChangeLog b/ChangeLog
index 6b2c969..63eb30f 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -10,6 +10,8 @@
* Moved mpi_inv_mod() outside POLARSSL_GENPRIME
* Allow R and A to point to same mpi in mpi_div_mpi (found by Manuel
Pégourié-Gonnard)
+ * Fixed possible segfault in mpi_shift_r() (found by Manuel
+ Pégourié-Gonnard)
* Added max length check for rsa_pkcs1_sign with PKCS#1 v2.1
= Version 1.2.0 released 2012-10-31
diff --git a/include/.gitignore b/include/.gitignore
new file mode 100644
index 0000000..f3c7a7c
--- /dev/null
+++ b/include/.gitignore
@@ -0,0 +1 @@
+Makefile
diff --git a/include/polarssl/ssl.h b/include/polarssl/ssl.h
index 5a1e7fc..2020d31 100644
--- a/include/polarssl/ssl.h
+++ b/include/polarssl/ssl.h
@@ -720,20 +720,22 @@
* \brief Set the data required to verify peer certificate
*
* \param ssl SSL context
- * \param ca_chain trusted CA chain
+ * \param ca_chain trusted CA chain (meaning all fully trusted top-level CAs)
* \param ca_crl trusted CA CRLs
* \param peer_cn expected peer CommonName (or NULL)
- *
- * \note TODO: add two more parameters: depth and crl
*/
void ssl_set_ca_chain( ssl_context *ssl, x509_cert *ca_chain,
x509_crl *ca_crl, const char *peer_cn );
/**
- * \brief Set own certificate and private key
+ * \brief Set own certificate chain and private key
+ *
+ * Note: own_cert should contain IN order from the bottom
+ * up your certificate chain. The top certificate (self-signed)
+ * can be omitted.
*
* \param ssl SSL context
- * \param own_cert own public certificate
+ * \param own_cert own public certificate chain
* \param rsa_key own private RSA key
*/
void ssl_set_own_cert( ssl_context *ssl, x509_cert *own_cert,
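Review bot: The `ca_crl` parameter of `ssl_set_ca_chain()` is still documented only as `trusted CA CRLs`, while `peer_cn` says `(or NULL)`; the ssl_client1.c change in this same commit passes `NULL` for it, so the doc should state whether that is allowed, e.g. `\param ca_crl   trusted CA CRLs (or NULL)`. It would also help to say that with no CRL no revocation check can be made, if that is indeed the behaviour. The added note on `own_cert` reads more clearly as `own_cert should contain your certificate chain in order, from your own certificate up; the self-signed top certificate can be omitted`, and the same wording applies to the copy in the next hunk.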
@@ -747,8 +749,12 @@
* of the callback parameters, with the only change being
* that the rsa_context * is a void * in the callbacks)
*
+ * Note: own_cert should contain IN order from the bottom
+ * up your certificate chain. The top certificate (self-signed)
+ * can be omitted.
+ *
* \param ssl SSL context
- * \param own_cert own public certificate
+ * \param own_cert own public certificate chain
* \param rsa_key alternate implementation private RSA key
* \param rsa_decrypt_func alternate implementation of \c rsa_pkcs1_decrypt()
* \param rsa_sign_func alternate implementation of \c rsa_pkcs1_sign()
diff --git a/library/.gitignore b/library/.gitignore
new file mode 100644
index 0000000..9d80fa4
--- /dev/null
+++ b/library/.gitignore
@@ -0,0 +1,2 @@
+*.o
+libpolarssl*
diff --git a/library/bignum.c b/library/bignum.c
index 23feb6a..f2608c1 100644
--- a/library/bignum.c
+++ b/library/bignum.c
@@ -611,6 +611,9 @@
v0 = count / biL;
v1 = count & (biL - 1);
+ if( v0 > X->n || ( v0 == X->n && v1 > 0 ) )
+ return mpi_lset( X, 0 );
+
/*
* shift by count / limb_size
*/
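Review bot: The new guard carries no comment explaining why it is needed or why it covers two cases. Going by the ChangeLog entry, the segfault came from the limb-shift code below (outside this hunk) when `v0` is larger than `X->n`, presumably because `X->n - v0` wraps as an unsigned value; a comment such as `/* every bit is shifted out: result is 0, and X->n - v0 below must not wrap */` above the `if` would record that. The early return goes through `mpi_lset()`, which may need to allocate when `X` has no limbs yet, so a shift that could not fail before may now return an error; it is worth confirming that callers check the return value.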
diff --git a/programs/.gitignore b/programs/.gitignore
new file mode 100644
index 0000000..d6d9efc
--- /dev/null
+++ b/programs/.gitignore
@@ -0,0 +1,39 @@
+*/Makefile
+aes/aescrypt2
+aes/crypt_and_hash
+hash/generic_sum
+hash/hello
+hash/md5sum
+hash/sha1sum
+hash/sha2sum
+pkey/dh_client
+pkey/dh_genprime
+pkey/dh_server
+pkey/key_app
+pkey/key_app_writer
+pkey/mpi_demo
+pkey/rsa_decrypt
+pkey/rsa_encrypt
+pkey/rsa_genkey
+pkey/rsa_sign
+pkey/rsa_sign_pss
+pkey/rsa_verify
+pkey/rsa_verify_pss
+random/gen_entropy
+random/gen_random_ctr_drbg
+random/gen_random_havege
+ssl/ssl_client1
+ssl/ssl_client2
+ssl/ssl_fork_server
+ssl/ssl_mail_client
+ssl/ssl_server
+ssl/ssl_server2
+test/benchmark
+test/o_p_test
+test/selftest
+test/ssl_cert_test
+test/ssl_test
+util/strerror
+x509/cert_app
+x509/cert_req
+x509/crl_app
diff --git a/programs/ssl/ssl_client1.c b/programs/ssl/ssl_client1.c
index 7631a22..78ad43e 100644
--- a/programs/ssl/ssl_client1.c
+++ b/programs/ssl/ssl_client1.c
@@ -37,6 +37,7 @@
#include "polarssl/entropy.h"
#include "polarssl/ctr_drbg.h"
#include "polarssl/error.h"
+#include "polarssl/certs.h"
#define SERVER_PORT 4433
#define SERVER_NAME "localhost"
@@ -78,6 +79,7 @@
entropy_context entropy;
ctr_drbg_context ctr_drbg;
ssl_context ssl;
+ x509_cert cacert;
((void) argc);
((void) argv);
@@ -86,6 +88,7 @@
* 0. Initialize the RNG and the session data
*/
memset( &ssl, 0, sizeof( ssl_context ) );
+ memset( &cacert, 0, sizeof( x509_cert ) );
printf( "\n . Seeding the random number generator..." );
fflush( stdout );
@@ -101,6 +104,28 @@
printf( " ok\n" );
/*
+ * 0. Initialize certificates
+ */
+ printf( " . Loading the CA root certificate ..." );
+ fflush( stdout );
+
+#if defined(POLARSSL_CERTS_C)
+ ret = x509parse_crt( &cacert, (unsigned char *) test_ca_crt,
+ strlen( test_ca_crt ) );
+#else
+ ret = 1;
+ printf("POLARSSL_CERTS_C not defined.");
+#endif
+
+ if( ret < 0 )
+ {
+ printf( " failed\n ! x509parse_crt returned -0x%x\n\n", -ret );
+ goto exit;
+ }
+
+ printf( " ok (%d skipped)\n", ret );
+
+ /*
* 1. Start the connection
*/
printf( " . Connecting to tcp/%s/%4d...", SERVER_NAME,
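Review bot: When POLARSSL_CERTS_C is not defined, the `#else` branch sets `ret = 1`, which passes the `ret < 0` check, so the client prints ` ok (1 skipped)` and carries on with an empty `cacert`. Every later verification then runs against an empty trust store. The branch should stop the program instead, for example `printf("POLARSSL_CERTS_C not defined."); goto exit;`, or set a negative `ret` so the existing error path is taken.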
@@ -131,7 +156,8 @@
printf( " ok\n" );
ssl_set_endpoint( &ssl, SSL_IS_CLIENT );
- ssl_set_authmode( &ssl, SSL_VERIFY_NONE );
+ ssl_set_authmode( &ssl, SSL_VERIFY_OPTIONAL );
+ ssl_set_ca_chain( &ssl, &cacert, NULL, "PolarSSL Server 1" );
ssl_set_rng( &ssl, ctr_drbg_random, &ctr_drbg );
ssl_set_dbg( &ssl, my_debug, stdout );
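Review bot: `SSL_VERIFY_OPTIONAL` lets the handshake complete even when the server certificate fails verification, and the step 5 block added in the next hunk only prints the failure flags before the GET request is sent. Since this is sample code that is likely to be copied, the client should not send application data to a peer it could not verify: either use `ssl_set_authmode( &ssl, SSL_VERIFY_REQUIRED );` here, or add `goto exit;` after the flag messages in the `ssl_get_verify_result()` failure branch. If continuing is intentional for the demo, a comment saying so and naming the setting to use in production would make that clear.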
@@ -139,6 +165,49 @@
net_send, &server_fd );
/*
+ * 4. Handshake
+ */
+ printf( " . Performing the SSL/TLS handshake..." );
+ fflush( stdout );
+
+ while( ( ret = ssl_handshake( &ssl ) ) != 0 )
+ {
+ if( ret != POLARSSL_ERR_NET_WANT_READ && ret != POLARSSL_ERR_NET_WANT_WRITE )
+ {
+ printf( " failed\n ! ssl_handshake returned -0x%x\n\n", -ret );
+ goto exit;
+ }
+ }
+
+ printf( " ok\n" );
+
+ /*
+ * 5. Verify the server certificate
+ */
+ printf( " . Verifying peer X.509 certificate..." );
+
+ if( ( ret = ssl_get_verify_result( &ssl ) ) != 0 )
+ {
+ printf( " failed\n" );
+
+ if( ( ret & BADCERT_EXPIRED ) != 0 )
+ printf( " ! server certificate has expired\n" );
+
+ if( ( ret & BADCERT_REVOKED ) != 0 )
+ printf( " ! server certificate has been revoked\n" );
+
+ if( ( ret & BADCERT_CN_MISMATCH ) != 0 )
+ printf( " ! CN mismatch (expected CN=%s)\n", "PolarSSL Server 1" );
+
+ if( ( ret & BADCERT_NOT_TRUSTED ) != 0 )
+ printf( " ! self-signed or not signed by a trusted CA\n" );
+
+ printf( "\n" );
+ }
+ else
+ printf( " ok\n" );
+
+ /*
* 3. Write the GET request
*/
printf( " > Write to server:" );
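Review bot: The expected CN `"PolarSSL Server 1"` is written out here in the mismatch message and again in the `ssl_set_ca_chain()` call of the previous hunk, so the two can drift apart. A `#define SERVER_CN "PolarSSL Server 1"` next to `SERVER_NAME`, used in both places, would keep them in step. The new step comments are numbered 4 and 5 but sit before `3. Write the GET request`, so the numbering no longer reads in order and should be renumbered.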
@@ -206,6 +275,7 @@
}
#endif
+ x509_free( &cacert );
net_close( server_fd );
ssl_free( &ssl );
diff --git a/programs/ssl/ssl_client2.c b/programs/ssl/ssl_client2.c
index 6e047dc..0d7a418 100644
--- a/programs/ssl/ssl_client2.c
+++ b/programs/ssl/ssl_client2.c
@@ -127,9 +127,12 @@
#if defined(POLARSSL_FS_IO)
#define USAGE_IO \
- " ca_file=%%s default: \"\" (pre-loaded)\n" \
- " ca_path=%%s default: \"\" (pre-loaded) (overrides ca_file)\n" \
- " crt_file=%%s default: \"\" (pre-loaded)\n" \
+ " ca_file=%%s The single file containing the top-level CA(s) you fully trust\n" \
+ " default: \"\" (pre-loaded)\n" \
+ " ca_path=%%s The path containing the top-level CA(s) you fully trust\n" \
+ " default: \"\" (pre-loaded) (overrides ca_file)\n" \
+ " crt_file=%%s Your own cert and chain (in bottom to top order, top may be omitted)\n" \
+ " default: \"\" (pre-loaded)\n" \
" key_file=%%s default: \"\" (pre-loaded)\n"
#else
#define USAGE_IO \
diff --git a/programs/ssl/ssl_server2.c b/programs/ssl/ssl_server2.c
index f6cf487..cc94e5c 100644
--- a/programs/ssl/ssl_server2.c
+++ b/programs/ssl/ssl_server2.c
@@ -184,9 +184,12 @@
#if defined(POLARSSL_FS_IO)
#define USAGE_IO \
- " ca_file=%%s default: \"\" (pre-loaded)\n" \
- " ca_path=%%s default: \"\" (pre-loaded) (overrides ca_file)\n" \
- " crt_file=%%s default: \"\" (pre-loaded)\n" \
+ " ca_file=%%s The single file containing the top-level CA(s) you fully trust\n" \
+ " default: \"\" (pre-loaded)\n" \
+ " ca_path=%%s The path containing the top-level CA(s) you fully trust\n" \
+ " default: \"\" (pre-loaded) (overrides ca_file)\n" \
+ " crt_file=%%s Your own cert and chain (in bottom to top order, top may be omitted)\n" \
+ " default: \"\" (pre-loaded)\n" \
" key_file=%%s default: \"\" (pre-loaded)\n"
#else
#define USAGE_IO \
diff --git a/tests/.gitignore b/tests/.gitignore
new file mode 100644
index 0000000..084f664
--- /dev/null
+++ b/tests/.gitignore
@@ -0,0 +1,2 @@
+test_suite*
+data_files/mpi_write
diff --git a/tests/suites/test_suite_mpi.data b/tests/suites/test_suite_mpi.data
index 67fa9c3..7197b63 100644
--- a/tests/suites/test_suite_mpi.data
+++ b/tests/suites/test_suite_mpi.data
@@ -309,6 +309,18 @@
Test mpi_shift_r #2
mpi_shift_r:10:"120815570979701484704906977000760567182871429114712069861589084706550626575967516787438008593490722779337547394120718248995900363209947025063336882559539208430319216688889117222633155838468458047056355241515415159736436403445579777425189969":45:10:"3433785053053426415343295076376096153094051405637175942660777670498379921354157795219578264137985649407981651226029903483433269093721578004287291678324982297860947730012217028349628999378309630601971640587504883789518896817457"
+Test mpi_shift_r #4
+mpi_shift_r:16:"FFFFFFFFFFFFFFFF":63:16:"01"
+
+Test mpi_shift_r #4
+mpi_shift_r:16:"FFFFFFFFFFFFFFFF":64:16:"00"
+
+Test mpi_shift_r #6
+mpi_shift_r:16:"FFFFFFFFFFFFFFFF":65:16:"00"
+
+Test mpi_shift_r #7
+mpi_shift_r:16:"FFFFFFFFFFFFFFFF":128:16:"00"
+
Base test mpi_mul_mpi #1
mpi_mul_mpi:10:"5":10:"7":10:"35"
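Review bot: Two of the added cases share the name `Test mpi_shift_r #4` and there is no `#5`, so a failure report for `#4` does not say whether the shift by 63 or by 64 broke. Renaming the second one to `Test mpi_shift_r #5` fixes that. A short description in each name, such as `Test mpi_shift_r #7 (shift past all limbs)`, would also show which boundary each case covers.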
diff --git a/tests/suites/test_suite_mpi.function b/tests/suites/test_suite_mpi.function
index 6635392..70d9b4f 100644
--- a/tests/suites/test_suite_mpi.function
+++ b/tests/suites/test_suite_mpi.function
@@ -162,7 +162,7 @@
TEST_ASSERT( mpi_set_bit( &X, {pos}, {val} ) == 0 );
TEST_ASSERT( mpi_cmp_mpi( &X, &Y ) == 0 );
- mpi_free( &X );
+ mpi_free( &X ); mpi_free( &Y );
}
END_CASE
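Review bot: The added `mpi_free( &Y );` shares a line with `mpi_free( &X );`, which is easy to overlook when reading or diffing; putting it on its own line matches the one-statement-per-line layout of the rest of the case. The test body starts outside this hunk, so whether both frees are reached when an earlier `TEST_ASSERT` fails cannot be seen from here and is worth checking.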