From 9a73632fd9f4e08047b88230c24aa2133c8f880e Mon Sep 17 00:00:00 2001 From: Paul Bakker Date: Wed, 14 Nov 2012 12:39:52 +0000 Subject: [PATCH] - Merged changesets 1399 up to and including 1415 into 1.2 branch --- ChangeLog | 9 +++- Makefile | 12 ++++++ doxygen/input/doc_mainpage.h | 4 +- doxygen/polarssl.doxyfile | 2 +- include/polarssl/aes.h | 2 +- include/polarssl/arc4.h | 2 +- include/polarssl/bignum.h | 4 +- include/polarssl/blowfish.h | 2 +- include/polarssl/camellia.h | 2 +- include/polarssl/config.h | 6 +-- include/polarssl/des.h | 2 +- include/polarssl/dhm.h | 2 +- include/polarssl/pkcs11.h | 4 +- include/polarssl/rsa.h | 3 ++ include/polarssl/ssl.h | 14 ++++--- include/polarssl/version.h | 8 ++-- include/polarssl/x509.h | 4 +- include/polarssl/xtea.h | 2 +- library/CMakeLists.txt | 2 +- library/Makefile | 8 +++- library/bignum.c | 6 +-- library/ctr_drbg.c | 2 +- library/error.c | 4 +- library/pkcs11.c | 2 +- library/rsa.c | 3 ++ library/x509parse.c | 49 +++++++++++++--------- library/x509write.c | 2 - programs/x509/cert_app.c | 4 +- scripts/check_doxy_blocks.pl | 57 ++++++++++++++++++++++++++ scripts/data_files/error.fmt | 4 +- tests/suites/test_suite_mpi.function | 10 ++--- tests/suites/test_suite_pkcs1_v21.data | 9 ++++ tests/suites/test_suite_version.data | 4 +- 33 files changed, 178 insertions(+), 72 deletions(-) create mode 100644 scripts/check_doxy_blocks.pl diff --git a/ChangeLog b/ChangeLog index a448acc4e..6b2c96996 100644 --- a/ChangeLog +++ b/ChangeLog @@ -1,9 +1,16 @@ PolarSSL ChangeLog -= Version Trunk += Version 1.2.1 released 2012-11-13 +Changes + * Depth that the certificate verify callback receives is now numbered + bottom-up (Peer cert depth is 0) + Bugfixes * Fixes for MSVC6 * Moved mpi_inv_mod() outside POLARSSL_GENPRIME + * Allow R and A to point to same mpi in mpi_div_mpi (found by Manuel + Pégourié-Gonnard) + * Added max length check for rsa_pkcs1_sign with PKCS#1 v2.1 = Version 1.2.0 released 2012-10-31 Features diff --git a/Makefile b/Makefile index 4713cfeb7..d29d830f6 100644 --- a/Makefile +++ b/Makefile @@ -32,6 +32,18 @@ install: fi \ done +uninstall: + rm -rf $(DESTDIR)/include/polarssl + rm -f $(DESTDIR)/lib/libpolarssl.* + + for p in programs/*/* ; do \ + if [ -x $$p ] && [ ! -d $$p ] ; \ + then \ + f=$(PREFIX)`basename $$p` ; \ + rm -f $(DESTDIR)/bin/$$f ; \ + fi \ + done + clean: cd library && $(MAKE) clean && cd .. cd programs && $(MAKE) clean && cd .. diff --git a/doxygen/input/doc_mainpage.h b/doxygen/input/doc_mainpage.h index c44084055..07dfdc2e1 100644 --- a/doxygen/input/doc_mainpage.h +++ b/doxygen/input/doc_mainpage.h @@ -4,7 +4,7 @@ */ /** - * @mainpage PolarSSL v1.2.0 source code documentation + * @mainpage PolarSSL v1.2.1 source code documentation * * This documentation describes the internal structure of PolarSSL. It was * automatically generated from specially formatted comment blocks in @@ -21,7 +21,7 @@ * * @section mainpage_modules Modules * - * PolarSSL supports SSLv3 up to TLSv1.1 communication by providing the + * PolarSSL supports SSLv3 up to TLSv1.2 communication by providing the * following: * - TCP/IP communication functions: listen, connect, accept, read/write. * - SSL/TLS communication functions: init, handshake, read/write. diff --git a/doxygen/polarssl.doxyfile b/doxygen/polarssl.doxyfile index 90fd2a3eb..008364eeb 100644 --- a/doxygen/polarssl.doxyfile +++ b/doxygen/polarssl.doxyfile @@ -25,7 +25,7 @@ DOXYFILE_ENCODING = UTF-8 # The PROJECT_NAME tag is a single word (or a sequence of words surrounded # by quotes) that should identify the project. -PROJECT_NAME = "PolarSSL v1.2.0" +PROJECT_NAME = "PolarSSL v1.2.1" # The PROJECT_NUMBER tag can be used to enter a project or revision number. # This could be handy for archiving the generated documentation or diff --git a/include/polarssl/aes.h b/include/polarssl/aes.h index 5f6c198e6..b79894c02 100644 --- a/include/polarssl/aes.h +++ b/include/polarssl/aes.h @@ -141,7 +141,7 @@ int aes_crypt_cfb128( aes_context *ctx, const unsigned char *input, unsigned char *output ); -/* +/** * \brief AES-CTR buffer encryption/decryption * * Warning: You have to keep the maximum use of your counter in mind! diff --git a/include/polarssl/arc4.h b/include/polarssl/arc4.h index 48ad60b26..7233384b2 100644 --- a/include/polarssl/arc4.h +++ b/include/polarssl/arc4.h @@ -66,7 +66,7 @@ void arc4_setup( arc4_context *ctx, const unsigned char *key, unsigned int keyle int arc4_crypt( arc4_context *ctx, size_t length, const unsigned char *input, unsigned char *output ); -/* +/** * \brief Checkup routine * * \return 0 if successful, or 1 if the test failed diff --git a/include/polarssl/bignum.h b/include/polarssl/bignum.h index 3b8b1f613..ce29ca370 100644 --- a/include/polarssl/bignum.h +++ b/include/polarssl/bignum.h @@ -223,7 +223,7 @@ void mpi_swap( mpi *X, mpi *Y ); */ int mpi_lset( mpi *X, t_sint z ); -/* +/** * \brief Get a specific bit from X * * \param X MPI to use @@ -233,7 +233,7 @@ int mpi_lset( mpi *X, t_sint z ); */ int mpi_get_bit( const mpi *X, size_t pos ); -/* +/** * \brief Set a bit of X to a specific value of 0 or 1 * * \note Will grow X if necessary to set a bit to 1 in a not yet diff --git a/include/polarssl/blowfish.h b/include/polarssl/blowfish.h index 7139c18d4..313d898bb 100644 --- a/include/polarssl/blowfish.h +++ b/include/polarssl/blowfish.h @@ -129,7 +129,7 @@ int blowfish_crypt_cfb64( blowfish_context *ctx, const unsigned char *input, unsigned char *output ); -/* +/** * \brief Blowfish-CTR buffer encryption/decryption * * Warning: You have to keep the maximum use of your counter in mind! diff --git a/include/polarssl/camellia.h b/include/polarssl/camellia.h index b2b12945f..f073d469a 100644 --- a/include/polarssl/camellia.h +++ b/include/polarssl/camellia.h @@ -139,7 +139,7 @@ int camellia_crypt_cfb128( camellia_context *ctx, const unsigned char *input, unsigned char *output ); -/* +/** * \brief CAMELLIA-CTR buffer encryption/decryption * * Warning: You have to keep the maximum use of your counter in mind! diff --git a/include/polarssl/config.h b/include/polarssl/config.h index 09b10c293..1ce28e51c 100644 --- a/include/polarssl/config.h +++ b/include/polarssl/config.h @@ -150,7 +150,7 @@ * * Enable weak ciphersuites in SSL / TLS * Warning: Only do so when you know what you are doing. This allows for - * channels without virtually no security at all! + * channels with virtually no security at all! * * This enables the following ciphersuites: * TLS_RSA_WITH_DES_CBC_SHA @@ -345,7 +345,7 @@ /** * \def POLARSSL_BIGNUM_C * - * Enable the multo-precision integer library. + * Enable the multi-precision integer library. * * Module: library/bignum.c * Caller: library/dhm.c @@ -738,7 +738,7 @@ */ #define POLARSSL_SSL_CLI_C -/* +/** * \def POLARSSL_SSL_SRV_C * * Enable the SSL/TLS server code. diff --git a/include/polarssl/des.h b/include/polarssl/des.h index b649ccf20..5eee7ac15 100644 --- a/include/polarssl/des.h +++ b/include/polarssl/des.h @@ -220,7 +220,7 @@ int des3_crypt_cbc( des3_context *ctx, const unsigned char *input, unsigned char *output ); -/* +/** * \brief Checkup routine * * \return 0 if successful, or 1 if the test failed diff --git a/include/polarssl/dhm.h b/include/polarssl/dhm.h index ba6e42494..48d926856 100644 --- a/include/polarssl/dhm.h +++ b/include/polarssl/dhm.h @@ -225,7 +225,7 @@ int dhm_make_public( dhm_context *ctx, int x_size, int dhm_calc_secret( dhm_context *ctx, unsigned char *output, size_t *olen ); -/* +/** * \brief Free the components of a DHM key */ void dhm_free( dhm_context *ctx ); diff --git a/include/polarssl/pkcs11.h b/include/polarssl/pkcs11.h index ddfae3017..003d3f52d 100644 --- a/include/polarssl/pkcs11.h +++ b/include/polarssl/pkcs11.h @@ -104,7 +104,7 @@ int pkcs11_decrypt( pkcs11_context *ctx, int mode, size_t *olen, const unsigned char *input, unsigned char *output, - unsigned int output_max_len ); + size_t output_max_len ); /** * \brief Do a private RSA to sign a message digest @@ -134,7 +134,7 @@ int pkcs11_sign( pkcs11_context *ctx, */ static inline int ssl_pkcs11_decrypt( void *ctx, int mode, size_t *olen, const unsigned char *input, unsigned char *output, - unsigned int output_max_len ) + size_t output_max_len ) { return pkcs11_decrypt( (pkcs11_context *) ctx, mode, olen, input, output, output_max_len ); diff --git a/include/polarssl/rsa.h b/include/polarssl/rsa.h index 513b0379f..3a822cb2a 100644 --- a/include/polarssl/rsa.h +++ b/include/polarssl/rsa.h @@ -167,6 +167,9 @@ extern "C" { /** * \brief Initialize an RSA context * + * Note: Set padding to RSA_PKCS_V21 for the RSAES-OAEP + * encryption scheme and the RSASSA-PSS signature scheme. + * * \param ctx RSA context to be initialized * \param padding RSA_PKCS_V15 or RSA_PKCS_V21 * \param hash_id RSA_PKCS_V21 hash identifier diff --git a/include/polarssl/ssl.h b/include/polarssl/ssl.h index 071288e92..5a1e7fc08 100644 --- a/include/polarssl/ssl.h +++ b/include/polarssl/ssl.h @@ -116,8 +116,8 @@ #define SSL_LEGACY_RENEGOTIATION 0 #define SSL_SECURE_RENEGOTIATION 1 -#define SSL_RENEGOTIATION_ENABLED 0 -#define SSL_RENEGOTIATION_DISABLED 1 +#define SSL_RENEGOTIATION_DISABLED 0 +#define SSL_RENEGOTIATION_ENABLED 1 #define SSL_LEGACY_NO_RENEGOTIATION 0 #define SSL_LEGACY_ALLOW_RENEGOTIATION 1 @@ -852,7 +852,8 @@ void ssl_set_min_version( ssl_context *ssl, int major, int minor ); * (Default: SSL_RENEGOTIATION_DISABLED) * * Note: A server with support enabled is more vulnerable for a - * resource DoS by a malicious client. + * resource DoS by a malicious client. You should enable this on + * a client to enable server-initiated renegotiation. * * \param ssl SSL context * \param renegotiation Enable or disable (SSL_RENEGOTIATION_ENABLED or @@ -883,8 +884,9 @@ void ssl_set_renegotiation( ssl_context *ssl, int renegotiation ); * (Most secure option, interoperability issues) * * \param ssl SSL context - * \param allow_legacy Prevent or allow (SSL_NO_LEGACY_RENEGOTIATION or - * SSL_ALLOW_LEGACY_RENEGOTIATION) + * \param allow_legacy Prevent or allow (SSL_NO_LEGACY_RENEGOTIATION, + * SSL_ALLOW_LEGACY_RENEGOTIATION or + * SSL_LEGACY_BREAK_HANDSHAKE) */ void ssl_legacy_renegotiation( ssl_context *ssl, int allow_legacy ); @@ -999,7 +1001,7 @@ int ssl_write( ssl_context *ssl, const unsigned char *buf, size_t len ); * (SSL_ALERT_LEVEL_WARNING or SSL_ALERT_LEVEL_FATAL) * \param message The alert message (SSL_ALERT_MSG_*) * - * \return 1 if successful, or a specific SSL error code. + * \return 0 if successful, or a specific SSL error code. */ int ssl_send_alert_message( ssl_context *ssl, unsigned char level, diff --git a/include/polarssl/version.h b/include/polarssl/version.h index 159c95acb..4fe84a939 100644 --- a/include/polarssl/version.h +++ b/include/polarssl/version.h @@ -39,16 +39,16 @@ */ #define POLARSSL_VERSION_MAJOR 1 #define POLARSSL_VERSION_MINOR 2 -#define POLARSSL_VERSION_PATCH 0 +#define POLARSSL_VERSION_PATCH 1 /** * The single version number has the following structure: * MMNNPP00 * Major version | Minor version | Patch version */ -#define POLARSSL_VERSION_NUMBER 0x01020000 -#define POLARSSL_VERSION_STRING "1.2.0" -#define POLARSSL_VERSION_STRING_FULL "PolarSSL 1.2.0" +#define POLARSSL_VERSION_NUMBER 0x01020100 +#define POLARSSL_VERSION_STRING "1.2.1" +#define POLARSSL_VERSION_STRING_FULL "PolarSSL 1.2.1" #if defined(POLARSSL_VERSION_C) diff --git a/include/polarssl/x509.h b/include/polarssl/x509.h index 32aad7274..87151c927 100644 --- a/include/polarssl/x509.h +++ b/include/polarssl/x509.h @@ -641,7 +641,7 @@ int x509parse_crl_info( char *buf, size_t size, const char *prefix, */ const char *x509_oid_get_description( x509_buf *oid ); -/* +/** * \brief Give an OID, return a string version of its OID number. * * \param buf Buffer to write to @@ -680,7 +680,7 @@ int x509parse_time_expired( const x509_time *time ); * (void *parameter, x509_cert *crt, int certificate_depth, * int *flags). With the flags representing current flags for * that specific certificate and the certificate depth from - * the top (Trust CA depth = 0). + * the bottom (Peer cert depth = 0). * * All flags left after returning from the callback * are also returned to the application. The function should diff --git a/include/polarssl/xtea.h b/include/polarssl/xtea.h index e2adb8788..0db7bc8eb 100644 --- a/include/polarssl/xtea.h +++ b/include/polarssl/xtea.h @@ -97,7 +97,7 @@ int xtea_crypt_cbc( xtea_context *ctx, unsigned char *input, unsigned char *output); -/* +/** * \brief Checkup routine * * \return 0 if successful, or 1 if the test failed diff --git a/library/CMakeLists.txt b/library/CMakeLists.txt index 9995859b5..640cf82fb 100644 --- a/library/CMakeLists.txt +++ b/library/CMakeLists.txt @@ -57,7 +57,7 @@ add_library(polarssl STATIC ${src}) else(NOT USE_SHARED_POLARSSL_LIBRARY) add_library(polarssl SHARED ${src}) -set_target_properties(polarssl PROPERTIES VERSION 1.2.0 SOVERSION 2) +set_target_properties(polarssl PROPERTIES VERSION 1.2.1 SOVERSION 2) endif(NOT USE_SHARED_POLARSSL_LIBRARY) diff --git a/library/Makefile b/library/Makefile index 7983f7b53..603f5d16e 100644 --- a/library/Makefile +++ b/library/Makefile @@ -18,7 +18,9 @@ endif # CFLAGS += -D_BSD_EXTENSION # To compile as a shared library: -# CFLAGS += -fPIC +ifdef SHARED +CFLAGS += -fPIC +endif SONAME=libpolarssl.so.0 @@ -51,7 +53,11 @@ OBJS= aes.o arc4.o asn1parse.o \ .SILENT: +ifndef SHARED all: static +else +all: shared +endif static: libpolarssl.a diff --git a/library/bignum.c b/library/bignum.c index f2a49ecac..23feb6a91 100644 --- a/library/bignum.c +++ b/library/bignum.c @@ -1195,9 +1195,9 @@ int mpi_div_mpi( mpi *Q, mpi *R, const mpi *A, const mpi *B ) if( R != NULL ) { mpi_shift_r( &X, k ); + X.s = A->s; mpi_copy( R, &X ); - R->s = A->s; if( mpi_cmp_int( R, 0 ) == 0 ) R->s = 1; } @@ -1212,10 +1212,6 @@ cleanup: /* * Division by int: A = Q * b + R - * - * Returns 0 if successful - * 1 if memory allocation failed - * POLARSSL_ERR_MPI_DIVISION_BY_ZERO if b == 0 */ int mpi_div_int( mpi *Q, mpi *R, const mpi *A, t_sint b ) { diff --git a/library/ctr_drbg.c b/library/ctr_drbg.c index 1de7f05e9..8cf03712e 100644 --- a/library/ctr_drbg.c +++ b/library/ctr_drbg.c @@ -194,7 +194,7 @@ int ctr_drbg_update_internal( ctr_drbg_context *ctx, /* * Increase counter */ - for( i = CTR_DRBG_BLOCKSIZE; i >= 0; i-- ) + for( i = CTR_DRBG_BLOCKSIZE; i > 0; i-- ) if( ++ctx->counter[i - 1] != 0 ) break; diff --git a/library/error.c b/library/error.c index a5eaaba35..03abc3265 100644 --- a/library/error.c +++ b/library/error.c @@ -1,7 +1,7 @@ /* * Error message information * - * Copyright (C) 2006-2010, Brainspark B.V. + * Copyright (C) 2006-2012, Brainspark B.V. * * This file is part of PolarSSL (http://www.polarssl.org) * Lead Maintainer: Paul Bakker @@ -553,4 +553,4 @@ void error_strerror( int ret, char *buf, size_t buflen ) snprintf( buf, buflen, "UNKNOWN ERROR CODE (%04X)", use_ret ); } -#endif /* POLARSSL_VERBOSE_ERROR */ +#endif /* POLARSSL_ERROR_C */ diff --git a/library/pkcs11.c b/library/pkcs11.c index b71415a41..b68d6881d 100644 --- a/library/pkcs11.c +++ b/library/pkcs11.c @@ -115,7 +115,7 @@ int pkcs11_decrypt( pkcs11_context *ctx, int mode, size_t *olen, const unsigned char *input, unsigned char *output, - unsigned int output_max_len ) + size_t output_max_len ) { size_t input_len, output_len; diff --git a/library/rsa.c b/library/rsa.c index 191bfe868..637c23a11 100644 --- a/library/rsa.c +++ b/library/rsa.c @@ -794,6 +794,9 @@ int rsa_pkcs1_sign( rsa_context *ctx, hlen = md_get_size( md_info ); slen = hlen; + if( olen < hlen + slen + 2 ) + return( POLARSSL_ERR_RSA_BAD_INPUT_DATA ); + memset( sig, 0, olen ); memset( &md_ctx, 0, sizeof( md_context_t ) ); diff --git a/library/x509parse.c b/library/x509parse.c index d7bfc05a1..e54e0b78d 100644 --- a/library/x509parse.c +++ b/library/x509parse.c @@ -2984,8 +2984,6 @@ int x509parse_revoked( const x509_cert *crt, const x509_crl *crl ) /* * Wrapper for x509 hashes. - * - * \param out Buffer to receive the hash (Should be at least 64 bytes) */ static void x509_hash( const unsigned char *in, size_t len, int alg, unsigned char *out ) @@ -3116,12 +3114,12 @@ int x509_wildcard_verify( const char *cn, x509_buf *name ) static int x509parse_verify_top( x509_cert *child, x509_cert *trust_ca, - x509_crl *ca_crl, int *path_cnt, int *flags, + x509_crl *ca_crl, int path_cnt, int *flags, int (*f_vrfy)(void *, x509_cert *, int, int *), void *p_vrfy ) { int hash_id, ret; - int ca_flags = 0; + int ca_flags = 0, check_path_cnt = path_cnt + 1; unsigned char hash[64]; if( x509parse_time_expired( &child->valid_to ) ) @@ -3143,8 +3141,19 @@ static int x509parse_verify_top( continue; } + /* + * Reduce path_len to check against if top of the chain is + * the same as the trusted CA + */ + if( child->subject_raw.len == trust_ca->subject_raw.len && + memcmp( child->subject_raw.p, trust_ca->subject_raw.p, + child->issuer_raw.len ) == 0 ) + { + check_path_cnt--; + } + if( trust_ca->max_pathlen > 0 && - trust_ca->max_pathlen < *path_cnt ) + trust_ca->max_pathlen < check_path_cnt ) { trust_ca = trust_ca->next; continue; @@ -3168,7 +3177,13 @@ static int x509parse_verify_top( break; } - if( trust_ca != NULL ) + /* + * If top of chain is not the same as the trusted CA + */ + if( trust_ca != NULL && + ( child->subject_raw.len != trust_ca->subject_raw.len || + memcmp( child->subject_raw.p, trust_ca->subject_raw.p, + child->issuer_raw.len ) != 0 ) ) { /* Check trusted CA's CRL for then chain's top crt */ *flags |= x509parse_verifycrl( child, trust_ca, ca_crl ); @@ -3188,7 +3203,7 @@ static int x509parse_verify_top( if( NULL != f_vrfy ) { - if( ( ret = f_vrfy( p_vrfy, trust_ca, 0, &ca_flags ) ) != 0 ) + if( ( ret = f_vrfy( p_vrfy, trust_ca, path_cnt + 1, &ca_flags ) ) != 0 ) return( ret ); } } @@ -3196,12 +3211,10 @@ static int x509parse_verify_top( /* Call callback on top cert */ if( NULL != f_vrfy ) { - if( ( ret = f_vrfy(p_vrfy, child, 1, flags ) ) != 0 ) + if( ( ret = f_vrfy(p_vrfy, child, path_cnt, flags ) ) != 0 ) return( ret ); } - *path_cnt = 2; - *flags |= ca_flags; return( 0 ); @@ -3209,7 +3222,7 @@ static int x509parse_verify_top( static int x509parse_verify_child( x509_cert *child, x509_cert *parent, x509_cert *trust_ca, - x509_crl *ca_crl, int *path_cnt, int *flags, + x509_crl *ca_crl, int path_cnt, int *flags, int (*f_vrfy)(void *, x509_cert *, int, int *), void *p_vrfy ) { @@ -3248,28 +3261,26 @@ static int x509parse_verify_child( break; } - (*path_cnt)++; if( grandparent != NULL ) { /* * Part of the chain */ - ret = x509parse_verify_child( parent, grandparent, trust_ca, ca_crl, path_cnt, &parent_flags, f_vrfy, p_vrfy ); + ret = x509parse_verify_child( parent, grandparent, trust_ca, ca_crl, path_cnt + 1, &parent_flags, f_vrfy, p_vrfy ); if( ret != 0 ) return( ret ); } else { - ret = x509parse_verify_top( parent, trust_ca, ca_crl, path_cnt, &parent_flags, f_vrfy, p_vrfy ); + ret = x509parse_verify_top( parent, trust_ca, ca_crl, path_cnt + 1, &parent_flags, f_vrfy, p_vrfy ); if( ret != 0 ) return( ret ); } /* child is verified to be a child of the parent, call verify callback */ if( NULL != f_vrfy ) - if( ( ret = f_vrfy( p_vrfy, child, *path_cnt, flags ) ) != 0 ) + if( ( ret = f_vrfy( p_vrfy, child, path_cnt, flags ) ) != 0 ) return( ret ); - (*path_cnt)++; *flags |= parent_flags; @@ -3288,7 +3299,7 @@ int x509parse_verify( x509_cert *crt, { size_t cn_len; int ret; - int pathlen = 1; + int pathlen = 0; x509_cert *parent; x509_name *name; x509_sequence *cur = NULL; @@ -3370,13 +3381,13 @@ int x509parse_verify( x509_cert *crt, /* * Part of the chain */ - ret = x509parse_verify_child( crt, parent, trust_ca, ca_crl, &pathlen, flags, f_vrfy, p_vrfy ); + ret = x509parse_verify_child( crt, parent, trust_ca, ca_crl, pathlen, flags, f_vrfy, p_vrfy ); if( ret != 0 ) return( ret ); } else { - ret = x509parse_verify_top( crt, trust_ca, ca_crl, &pathlen, flags, f_vrfy, p_vrfy ); + ret = x509parse_verify_top( crt, trust_ca, ca_crl, pathlen, flags, f_vrfy, p_vrfy ); if( ret != 0 ) return( ret ); } diff --git a/library/x509write.c b/library/x509write.c index 400ffa0e6..9f5a91009 100644 --- a/library/x509write.c +++ b/library/x509write.c @@ -146,8 +146,6 @@ int x509_write_name( unsigned char **p, unsigned char *start, char *oid, /* * Wrapper for x509 hashes. - * - * \param out Buffer to receive the hash (Should be at least 64 bytes) */ static void x509_hash( const unsigned char *in, size_t len, int alg, unsigned char *out ) diff --git a/programs/x509/cert_app.c b/programs/x509/cert_app.c index a0610b370..2fb0c854e 100644 --- a/programs/x509/cert_app.c +++ b/programs/x509/cert_app.c @@ -298,6 +298,7 @@ int main( int argc, char *argv[] ) if( ret != POLARSSL_ERR_NET_WANT_READ && ret != POLARSSL_ERR_NET_WANT_WRITE ) { printf( " failed\n ! ssl_handshake returned %d\n\n", ret ); + ssl_free( &ssl ); goto exit; } } @@ -313,12 +314,14 @@ int main( int argc, char *argv[] ) if( ret == -1 ) { printf( " failed\n ! x509parse_cert_info returned %d\n\n", ret ); + ssl_free( &ssl ); goto exit; } printf( "%s\n", buf ); ssl_close_notify( &ssl ); + ssl_free( &ssl ); } else goto usage; @@ -329,7 +332,6 @@ exit: net_close( server_fd ); x509_free( &clicert ); rsa_free( &rsa ); - ssl_free( &ssl ); #if defined(_WIN32) printf( " + Press Enter to exit this program.\n" ); diff --git a/scripts/check_doxy_blocks.pl b/scripts/check_doxy_blocks.pl new file mode 100644 index 000000000..c90143bf2 --- /dev/null +++ b/scripts/check_doxy_blocks.pl @@ -0,0 +1,57 @@ +#!/usr/bin/perl + +# Detect comment blocks that are likely meant to be doxygen blocks but aren't. +# +# More precisely, look for normal comment block containing '\'. +# Of course one could use doxygen warnings, eg with: +# sed -e '/EXTRACT/s/YES/NO/' doxygen/polarssl.doxyfile | doxygen - +# but that would warn about any undocumented item, while our goal is to find +# items that are documented, but not marked as such by mistake. + +use warnings; +use strict; +use File::Basename; + +# header files in the following directories will be checked +my @directories = qw(include/polarssl library doxygen/input); + +# very naive pattern to find directives: +# everything with a backslach except '\0' +my $doxy_re = qr/\\(?!0)/; + +sub check_file { + my ($fname) = @_; + open my $fh, '<', $fname or die "Failed to open '$fname': $!\n"; + + # first line of the last normal comment block, + # or 0 if not in a normal comment block + my $block_start = 0; + while (my $line = <$fh>) { + $block_start = $. if $line =~ m/\/\*(?![*!])/; + $block_start = 0 if $line =~ m/\*\//; + if ($block_start and $line =~ m/$doxy_re/) { + print "$fname:$block_start: directive on line $.\n"; + $block_start = 0; # report only one directive per block + } + } + + close $fh; +} + +sub check_dir { + my ($dirname) = @_; + for my $file (<$dirname/*.[ch]>) { + check_file($file); + } +} + +# locate root directory based on invocation name +my $root = dirname($0) . '/..'; +chdir $root or die "Can't chdir to '$root': $!\n"; + +# just do it +for my $dir (@directories) { + check_dir($dir) +} + +__END__ diff --git a/scripts/data_files/error.fmt b/scripts/data_files/error.fmt index 9f8368126..535effc60 100644 --- a/scripts/data_files/error.fmt +++ b/scripts/data_files/error.fmt @@ -1,7 +1,7 @@ /* * Error message information * - * Copyright (C) 2006-2010, Brainspark B.V. + * Copyright (C) 2006-2012, Brainspark B.V. * * This file is part of PolarSSL (http://www.polarssl.org) * Lead Maintainer: Paul Bakker @@ -86,4 +86,4 @@ LOW_LEVEL_CODE_CHECKS snprintf( buf, buflen, "UNKNOWN ERROR CODE (%04X)", use_ret ); } -#endif /* POLARSSL_VERBOSE_ERROR */ +#endif /* POLARSSL_ERROR_C */ diff --git a/tests/suites/test_suite_mpi.function b/tests/suites/test_suite_mpi.function index 1b328c43d..663539259 100644 --- a/tests/suites/test_suite_mpi.function +++ b/tests/suites/test_suite_mpi.function @@ -514,21 +514,21 @@ END_CASE BEGIN_CASE mpi_mod_mpi:radix_X:input_X:radix_Y:input_Y:radix_A:input_A:div_result { - mpi X, Y, Z, A; + mpi X, Y, A; int res; - mpi_init( &X ); mpi_init( &Y ); mpi_init( &Z ); mpi_init( &A ); + mpi_init( &X ); mpi_init( &Y ); mpi_init( &A ); TEST_ASSERT( mpi_read_string( &X, {radix_X}, {input_X} ) == 0 ); TEST_ASSERT( mpi_read_string( &Y, {radix_Y}, {input_Y} ) == 0 ); TEST_ASSERT( mpi_read_string( &A, {radix_A}, {input_A} ) == 0 ); - res = mpi_mod_mpi( &Z, &X, &Y ); + res = mpi_mod_mpi( &X, &X, &Y ); TEST_ASSERT( res == {div_result} ); if( res == 0 ) { - TEST_ASSERT( mpi_cmp_mpi( &Z, &A ) == 0 ); + TEST_ASSERT( mpi_cmp_mpi( &X, &A ) == 0 ); } - mpi_free( &X ); mpi_free( &Y ); mpi_free( &Z ); mpi_free( &A ); + mpi_free( &X ); mpi_free( &Y ); mpi_free( &A ); } END_CASE diff --git a/tests/suites/test_suite_pkcs1_v21.data b/tests/suites/test_suite_pkcs1_v21.data index d5c85c66a..8812c9e8a 100644 --- a/tests/suites/test_suite_pkcs1_v21.data +++ b/tests/suites/test_suite_pkcs1_v21.data @@ -1,6 +1,12 @@ RSAES-OAEP Encryption Test Vector Int pkcs1_rsaes_oaep_encrypt:1024:16:"bbf82f090682ce9c2338ac2b9da871f7368d07eed41043a440d6b6f07454f51fb8dfbaaf035c02ab61ea48ceeb6fcd4876ed520d60e1ec4619719d8a5b8b807fafb8e0a3dfc737723ee6b4b7d93a2584ee6a649d060953748834b2454598394ee0aab12d7b61a51f527a9a41f6c1687fe2537298ca2a8f5946f8e5fd091dbdcb":16:"11":POLARSSL_MD_SHA1:"d436e99569fd32a7c8a05bbc90d32c49":"aafd12f659cae63489b479e5076ddec2f06cb58f":"1253e04dc0a5397bb44a7ab87e9bf2a039a33d1e996fc82a94ccd30074c95df763722017069e5268da5d1c0b4f872cf653c11df82314a67968dfeae28def04bb6d84b1c31d654a1970e5783bd6eb96a024c2ca2f4a90fe9f2ef5c9c140e5bb48da9536ad8700c84fc9130adea74e558d51a74ddf85d8b50de96838d6063e0955":0 +RSAES-OAEP Encryption Test Vector Data just fits +pkcs1_rsaes_oaep_encrypt:1024:16:"bbf82f090682ce9c2338ac2b9da871f7368d07eed41043a440d6b6f07454f51fb8dfbaaf035c02ab61ea48ceeb6fcd4876ed520d60e1ec4619719d8a5b8b807fafb8e0a3dfc737723ee6b4b7d93a2584ee6a649d060953748834b2454598394ee0aab12d7b61a51f527a9a41f6c1687fe2537298ca2a8f5946f8e5fd091dbdcb":16:"11":POLARSSL_MD_SHA1:"d436e99569fd32a7c8a05bbc90d32c49d436e99569fd32a7c8a05bbc90d32c49d436e99569fd32a7c8a05bbc90d32c49d436e99569fd32a7c8a05bbc90d32c49d436e99569fd32a7c8a05bbc90d32c49d436e99569fd":"aafd12f659cae63489b479e5076ddec2f06cb58f":"3082f2288fff275213d53168f0a272573cff81837c249dc1f380a12ac124c8f217b700708a1ce7dce154265f31a126ebdd9ed3ef9145ae29124a25f4e65aa52c5a9ff34f6cf4de9ba937ae406dc7d1f277af4f6fb7ea73bfbab2bd397b6b2c53570e173ffcf3b9f0bb96837623a4f87bd81b41446c59e681a2f3da81239e9bdf":0 + +RSAES-OAEP Encryption Test Vector Data too long +pkcs1_rsaes_oaep_encrypt:1024:16:"bbf82f090682ce9c2338ac2b9da871f7368d07eed41043a440d6b6f07454f51fb8dfbaaf035c02ab61ea48ceeb6fcd4876ed520d60e1ec4619719d8a5b8b807fafb8e0a3dfc737723ee6b4b7d93a2584ee6a649d060953748834b2454598394ee0aab12d7b61a51f527a9a41f6c1687fe2537298ca2a8f5946f8e5fd091dbdcb":16:"11":POLARSSL_MD_SHA1:"d436e99569fd32a7c8a05bbc90d32c49d436e99569fd32a7c8a05bbc90d32c49d436e99569fd32a7c8a05bbc90d32c49d436e99569fd32a7c8a05bbc90d32c49d436e99569fd32a7c8a05bbc90d32c49d436e99569fd00":"aafd12f659cae63489b479e5076ddec2f06cb58f":"1253e04dc0a5397bb44a7ab87e9bf2a039a33d1e996fc82a94ccd30074c95df763722017069e5268da5d1c0b4f872cf653c11df82314a67968dfeae28def04bb6d84b1c31d654a1970e5783bd6eb96a024c2ca2f4a90fe9f2ef5c9c140e5bb48da9536ad8700c84fc9130adea74e558d51a74ddf85d8b50de96838d6063e0955":POLARSSL_ERR_RSA_BAD_INPUT_DATA + RSAES-OAEP Encryption Test Vector 1_1 pkcs1_rsaes_oaep_encrypt:1024:16:"a8b3b284af8eb50b387034a860f146c4919f318763cd6c5598c8ae4811a1e0abc4c7e0b082d693a5e7fced675cf4668512772c0cbc64a742c6c630f533c8cc72f62ae833c40bf25842e984bb78bdbf97c0107d55bdb662f5c4e0fab9845cb5148ef7392dd3aaff93ae1e6b667bb3d4247616d4f5ba10d4cfd226de88d39f16fb":16:"010001":POLARSSL_MD_SHA1:"6628194e12073db03ba94cda9ef9532397d50dba79b987004afefe34":"18b776ea21069d69776a33e96bad48e1dda0a5ef":"354fe67b4a126d5d35fe36c777791a3f7ba13def484e2d3908aff722fad468fb21696de95d0be911c2d3174f8afcc201035f7b6d8e69402de5451618c21a535fa9d7bfc5b8dd9fc243f8cf927db31322d6e881eaa91a996170e657a05a266426d98c88003f8477c1227094a0d9fa1e8c4024309ce1ecccb5210035d47ac72e8a":0 @@ -370,6 +376,9 @@ pkcs1_rsassa_pss_sign:1024:16:"d17f655bf27c8b16d35462c905cc04a26f37e2a67fa9c0ce0 RSASSA-PSS Verification Test Vector Int pkcs1_rsassa_pss_verify:1024:16:"a2ba40ee07e3b2bd2f02ce227f36a195024486e49c19cb41bbbdfbba98b22b0e577c2eeaffa20d883a76e65e394c69d4b3c05a1e8fadda27edb2a42bc000fe888b9b32c22d15add0cd76b3e7936e19955b220dd17d4ea904b1ec102b2e4de7751222aa99151024c7cb41cc5ea21d00eeb41f7c800834d2c6e06bce3bce7ea9a5":16:"010001":SIG_RSA_SHA1:POLARSSL_MD_SHA1:"859eef2fd78aca00308bdc471193bf55bf9d78db8f8a672b484634f3c9c26e6478ae10260fe0dd8c082e53a5293af2173cd50c6d5d354febf78b26021c25c02712e78cd4694c9f469777e451e7f8e9e04cd3739c6bbfedae487fb55644e9ca74ff77a53cb729802f6ed4a5ffa8ba159890fc":"e3b5d5d002c1bce50c2b65ef88a188d83bce7e61":"8daa627d3de7595d63056c7ec659e54406f10610128baae821c8b2a0f3936d54dc3bdce46689f6b7951bb18e840542769718d5715d210d85efbb596192032c42be4c29972c856275eb6d5a45f05f51876fc6743deddd28caec9bb30ea99e02c3488269604fe497f74ccd7c7fca1671897123cbd30def5d54a2b5536ad90a747e":0 +RSASSA-PSS Signing Test Vector Hash too large +pkcs1_rsassa_pss_sign:1024:16:"d17f655bf27c8b16d35462c905cc04a26f37e2a67fa9c0ce0dced472394a0df743fe7f929e378efdb368eddff453cf007af6d948e0ade757371f8a711e278f6b":16:"c6d92b6fee7414d1358ce1546fb62987530b90bd15e0f14963a5e2635adb69347ec0c01b2ab1763fd8ac1a592fb22757463a982425bb97a3a437c5bf86d03f2f":16:"a2ba40ee07e3b2bd2f02ce227f36a195024486e49c19cb41bbbdfbba98b22b0e577c2eeaffa20d883a76e65e394c69d4b3c05a1e8fadda27edb2a42bc000fe888b9b32c22d15add0cd76b3e7936e19955b220dd17d4ea904b1ec102b2e4de7751222aa99151024c7cb41cc5ea21d00eeb41f7c800834d2c6e06bce3bce7ea9a5":16:"010001":SIG_RSA_SHA1:POLARSSL_MD_SHA512:"d436e99569fd32a7c8a05bbc90d32c49d436e99569fd32a7c8a05bbc90d32c49d436e99569fd32a7c8a05bbc90d32c49d436e99569fd32a7c8a05bbc90d32c49d436e99569fd32a7c8a05bbc90d32c49d436e99569fd00":"e3b5d5d002c1bce50c2b65ef88a188d83bce7e61":"":POLARSSL_ERR_RSA_BAD_INPUT_DATA + RSASSA-PSS Signature Example 1_1 pkcs1_rsassa_pss_sign:1024:16:"e7e8942720a877517273a356053ea2a1bc0c94aa72d55c6e86296b2dfc967948c0a72cbccca7eacb35706e09a1df55a1535bd9b3cc34160b3b6dcd3eda8e6443":16:"b69dca1cf7d4d7ec81e75b90fcca874abcde123fd2700180aa90479b6e48de8d67ed24f9f19d85ba275874f542cd20dc723e6963364a1f9425452b269a6799fd":16:"a56e4a0e701017589a5187dc7ea841d156f2ec0e36ad52a44dfeb1e61f7ad991d8c51056ffedb162b4c0f283a12a88a394dff526ab7291cbb307ceabfce0b1dfd5cd9508096d5b2b8b6df5d671ef6377c0921cb23c270a70e2598e6ff89d19f105acc2d3f0cb35f29280e1386b6f64c4ef22e1e1f20d0ce8cffb2249bd9a2137":16:"010001":SIG_RSA_SHA1:POLARSSL_MD_SHA1:"cdc87da223d786df3b45e0bbbc721326d1ee2af806cc315475cc6f0d9c66e1b62371d45ce2392e1ac92844c310102f156a0d8d52c1f4c40ba3aa65095786cb769757a6563ba958fed0bcc984e8b517a3d5f515b23b8a41e74aa867693f90dfb061a6e86dfaaee64472c00e5f20945729cbebe77f06ce78e08f4098fba41f9d6193c0317e8b60d4b6084acb42d29e3808a3bc372d85e331170fcbf7cc72d0b71c296648b3a4d10f416295d0807aa625cab2744fd9ea8fd223c42537029828bd16be02546f130fd2e33b936d2676e08aed1b73318b750a0167d0":"dee959c7e06411361420ff80185ed57f3e6776af":"9074308fb598e9701b2294388e52f971faac2b60a5145af185df5287b5ed2887e57ce7fd44dc8634e407c8e0e4360bc226f3ec227f9d9e54638e8d31f5051215df6ebb9c2f9579aa77598a38f914b5b9c1bd83c4e2f9f382a0d0aa3542ffee65984a601bc69eb28deb27dca12c82c2d4c3f66cd500f1ff2b994d8a4e30cbb33c":0 diff --git a/tests/suites/test_suite_version.data b/tests/suites/test_suite_version.data index b6baca3b4..c795cf9d8 100644 --- a/tests/suites/test_suite_version.data +++ b/tests/suites/test_suite_version.data @@ -1,5 +1,5 @@ Check compiletime library version -check_compiletime_version:"1.2.0" +check_compiletime_version:"1.2.1" Check runtime library version -check_runtime_version:"1.2.0" +check_runtime_version:"1.2.1"