lib/mbedtls
1
0
Fork 0
mirror of https://github.com/Mbed-TLS/mbedtls.git synced 2025-08-07 06:42:56 +03:00
Code Activity

Merge miscellaneous fixes into development

Browse Source
This commit is contained in:
Paul Bakker
2015-01-13 16:04:38 +01:00
parent 8b9bcecaae d94232389e
commit d7e2483bfc
57 changed files with 1292 additions and 369 deletions
Download Patch File Download Diff File Expand all files Collapse all files

5
library/CMakeLists.txt
View File

@@ -78,12 +78,11 @@ set(libs ws2_32)
endif(WIN32)
if(CMAKE_COMPILER_IS_GNUCC)
set(CMAKE_C_FLAGS_CHECK "${CMAKE_C_FLAGS_CHECK} -Wmissing-declarations -Wmissing-prototypes")
set(CMAKE_C_FLAGS_CHECKFULL "${CMAKE_C_FLAGS_CHECK} -Wcast-qual")
set(CMAKE_C_FLAGS "${CMAKE_C_FLAGS} -Wmissing-declarations -Wmissing-prototypes")
endif(CMAKE_COMPILER_IS_GNUCC)
if(CMAKE_COMPILER_IS_CLANG)
set(CMAKE_C_FLAGS_CHECK "${CMAKE_C_FLAGS_CHECK} -Wmissing-declarations -Wmissing-prototypes")
set(CMAKE_C_FLAGS "${CMAKE_C_FLAGS} -Wmissing-declarations -Wmissing-prototypes -Wdocumentation -Wunreachable-code")
endif(CMAKE_COMPILER_IS_CLANG)
if (NOT USE_STATIC_POLARSSL_LIBRARY AND NOT USE_SHARED_POLARSSL_LIBRARY)

2
library/asn1parse.c
View File

@@ -278,6 +278,8 @@ int asn1_get_sequence_of( unsigned char **p,
if( cur->next == NULL )
return( POLARSSL_ERR_ASN1_MALLOC_FAILED );
memset( cur->next, 0, sizeof( asn1_sequence ) );
cur = cur->next;
}
}

4
library/asn1write.c
View File

@@ -327,6 +327,8 @@ asn1_named_data *asn1_store_named_data( asn1_named_data **head,
return( NULL );
}
memcpy( cur->oid.p, oid, oid_len );
cur->val.len = val_len;
cur->val.p = polarssl_malloc( val_len );
if( cur->val.p == NULL )
@@ -336,8 +338,6 @@ asn1_named_data *asn1_store_named_data( asn1_named_data **head,
return( NULL );
}
memcpy( cur->oid.p, oid, oid_len );
cur->next = *head;
*head = cur;
}

16
library/camellia.c
View File

@@ -304,14 +304,14 @@ static void camellia_feistel( const uint32_t x[2], const uint32_t k[2],
I0 = x[0] ^ k[0];
I1 = x[1] ^ k[1];
I0 = (SBOX1((I0 >> 24) & 0xFF) << 24) |
(SBOX2((I0 >> 16) & 0xFF) << 16) |
(SBOX3((I0 >> 8) & 0xFF) << 8) |
(SBOX4((I0 ) & 0xFF) );
I1 = (SBOX2((I1 >> 24) & 0xFF) << 24) |
(SBOX3((I1 >> 16) & 0xFF) << 16) |
(SBOX4((I1 >> 8) & 0xFF) << 8) |
(SBOX1((I1 ) & 0xFF) );
I0 = ((uint32_t) SBOX1((I0 >> 24) & 0xFF) << 24) |
((uint32_t) SBOX2((I0 >> 16) & 0xFF) << 16) |
((uint32_t) SBOX3((I0 >> 8) & 0xFF) << 8) |
((uint32_t) SBOX4((I0 ) & 0xFF) );
I1 = ((uint32_t) SBOX2((I1 >> 24) & 0xFF) << 24) |
((uint32_t) SBOX3((I1 >> 16) & 0xFF) << 16) |
((uint32_t) SBOX4((I1 >> 8) & 0xFF) << 8) |
((uint32_t) SBOX1((I1 ) & 0xFF) );
I0 ^= (I1 << 8) | (I1 >> 24);
I1 ^= (I0 << 16) | (I0 >> 16);

12
library/debug.c
View File

@@ -123,6 +123,7 @@ void debug_print_buf( const ssl_context *ssl, int level,
unsigned char *buf, size_t len )
{
char str[512];
char txt[17];
size_t i, maxlen = sizeof( str ) - 1, idx = 0;
if( ssl->f_dbg == NULL || level > debug_threshold )
@@ -138,6 +139,7 @@ void debug_print_buf( const ssl_context *ssl, int level,
ssl->f_dbg( ssl->p_dbg, level, str );
idx = 0;
memset( txt, 0, sizeof( txt ) );
for( i = 0; i < len; i++ )
{
if( i >= 4096 )
@@ -147,9 +149,11 @@ void debug_print_buf( const ssl_context *ssl, int level,
{
if( i > 0 )
{
snprintf( str + idx, maxlen - idx, "\n" );
snprintf( str + idx, maxlen - idx, " %s\n", txt );
ssl->f_dbg( ssl->p_dbg, level, str );
idx = 0;
memset( txt, 0, sizeof( txt ) );
}
if( debug_log_mode == POLARSSL_DEBUG_LOG_FULL )
@@ -162,11 +166,15 @@ void debug_print_buf( const ssl_context *ssl, int level,
idx += snprintf( str + idx, maxlen - idx, " %02x",
(unsigned int) buf[i] );
txt[i % 16] = ( buf[i] > 31 && buf[i] < 127 ) ? buf[i] : '.' ;
}
if( len > 0 )
{
snprintf( str + idx, maxlen - idx, "\n" );
for( /* i = i */; i % 16 != 0; i++ )
idx += snprintf( str + idx, maxlen - idx, " " );
snprintf( str + idx, maxlen - idx, " %s\n", txt );
ssl->f_dbg( ssl->p_dbg, level, str );
}
}

2
library/ecdsa.c
View File

@@ -333,7 +333,7 @@ cleanup:
#if POLARSSL_ECP_MAX_BYTES > 124
#error "POLARSSL_ECP_MAX_BYTES bigger than expected, please fix MAX_SIG_LEN"
#endif
#define MAX_SIG_LEN ( 3 + 2 * ( 2 + POLARSSL_ECP_MAX_BYTES ) )
#define MAX_SIG_LEN ( 3 + 2 * ( 3 + POLARSSL_ECP_MAX_BYTES ) )
/*
* Convert a signature (given by context) to ASN.1

42
library/ecp.c
View File

@@ -1897,6 +1897,48 @@ int ecp_gen_key( ecp_group_id grp_id, ecp_keypair *key,
return( ecp_gen_keypair( &key->grp, &key->d, &key->Q, f_rng, p_rng ) );
}
/*
* Check a public-private key pair
*/
int ecp_check_pub_priv( const ecp_keypair *pub, const ecp_keypair *prv )
{
int ret;
ecp_point Q;
ecp_group grp;
if( pub->grp.id == POLARSSL_ECP_DP_NONE ||
pub->grp.id != prv->grp.id ||
mpi_cmp_mpi( &pub->Q.X, &prv->Q.X ) ||
mpi_cmp_mpi( &pub->Q.Y, &prv->Q.Y ) ||
mpi_cmp_mpi( &pub->Q.Z, &prv->Q.Z ) )
{
return( POLARSSL_ERR_ECP_BAD_INPUT_DATA );
}
ecp_point_init( &Q );
ecp_group_init( &grp );
/* ecp_mul() needs a non-const group... */
ecp_group_copy( &grp, &prv->grp );
/* Also checks d is valid */
MPI_CHK( ecp_mul( &grp, &Q, &prv->d, &prv->grp.G, NULL, NULL ) );
if( mpi_cmp_mpi( &Q.X, &prv->Q.X ) ||
mpi_cmp_mpi( &Q.Y, &prv->Q.Y ) ||
mpi_cmp_mpi( &Q.Z, &prv->Q.Z ) )
{
ret = POLARSSL_ERR_ECP_BAD_INPUT_DATA;
goto cleanup;
}
cleanup:
ecp_point_free( &Q );
ecp_group_free( &grp );
return( ret );
}
#if defined(POLARSSL_SELF_TEST)
/*

6
library/net.c
View File

@@ -496,12 +496,12 @@ int net_set_nonblock( int fd )
void net_usleep( unsigned long usec )
{
struct timeval tv;
tv.tv_sec = 0;
tv.tv_sec = usec / 1000000;
#if !defined(_WIN32) && ( defined(__unix__) || defined(__unix) || \
( defined(__APPLE__) && defined(__MACH__) ) )
tv.tv_usec = (suseconds_t) usec;
tv.tv_usec = (suseconds_t) usec % 1000000;
#else
tv.tv_usec = usec;
tv.tv_usec = usec % 1000000;
#endif
select( 0, NULL, NULL, NULL, &tv );
}

26
library/pk.c
View File

@@ -300,6 +300,32 @@ int pk_encrypt( pk_context *ctx,
output, olen, osize, f_rng, p_rng ) );
}
/*
* Check public-private key pair
*/
int pk_check_pair( const pk_context *pub, const pk_context *prv )
{
if( pub == NULL || pub->pk_info == NULL ||
prv == NULL || prv->pk_info == NULL ||
prv->pk_info->check_pair_func == NULL )
{
return( POLARSSL_ERR_PK_BAD_INPUT_DATA );
}
if( prv->pk_info->type == POLARSSL_PK_RSA_ALT )
{
if( pub->pk_info->type != POLARSSL_PK_RSA )
return( POLARSSL_ERR_PK_TYPE_MISMATCH );
}
else
{
if( pub->pk_info != prv->pk_info )
return( POLARSSL_ERR_PK_TYPE_MISMATCH );
}
return( prv->pk_info->check_pair_func( pub->pk_ctx, prv->pk_ctx ) );
}
/*
* Get key size in bits
*/

56
library/pk_wrap.c
View File

@@ -117,14 +117,21 @@ static int rsa_encrypt_wrap( void *ctx,
unsigned char *output, size_t *olen, size_t osize,
int (*f_rng)(void *, unsigned char *, size_t), void *p_rng )
{
((void) osize);
*olen = ((rsa_context *) ctx)->len;
if( *olen > osize )
return( POLARSSL_ERR_RSA_OUTPUT_TOO_LARGE );
return( rsa_pkcs1_encrypt( (rsa_context *) ctx,
f_rng, p_rng, RSA_PUBLIC, ilen, input, output ) );
}
static int rsa_check_pair_wrap( const void *pub, const void *prv )
{
return( rsa_check_pub_priv( (const rsa_context *) pub,
(const rsa_context *) prv ) );
}
static void *rsa_alloc_wrap( void )
{
void *ctx = polarssl_malloc( sizeof( rsa_context ) );
@@ -163,6 +170,7 @@ const pk_info_t rsa_info = {
rsa_sign_wrap,
rsa_decrypt_wrap,
rsa_encrypt_wrap,
rsa_check_pair_wrap,
rsa_alloc_wrap,
rsa_free_wrap,
rsa_debug,
@@ -234,6 +242,12 @@ static int eckey_sign_wrap( void *ctx, md_type_t md_alg,
#endif /* POLARSSL_ECDSA_C */
static int eckey_check_pair( const void *pub, const void *prv )
{
return( ecp_check_pub_priv( (const ecp_keypair *) pub,
(const ecp_keypair *) prv ) );
}
static void *eckey_alloc_wrap( void )
{
void *ctx = polarssl_malloc( sizeof( ecp_keypair ) );
@@ -271,6 +285,7 @@ const pk_info_t eckey_info = {
#endif
NULL,
NULL,
eckey_check_pair,
eckey_alloc_wrap,
eckey_free_wrap,
eckey_debug,
@@ -294,6 +309,7 @@ const pk_info_t eckeydh_info = {
NULL,
NULL,
NULL,
eckey_check_pair,
eckey_alloc_wrap, /* Same underlying key structure */
eckey_free_wrap, /* Same underlying key structure */
eckey_debug, /* Same underlying key structure */
@@ -367,6 +383,7 @@ const pk_info_t ecdsa_info = {
ecdsa_sign_wrap,
NULL,
NULL,
eckey_check_pair, /* Compatible key structures */
ecdsa_alloc_wrap,
ecdsa_free_wrap,
eckey_debug, /* Compatible key structures */
@@ -419,6 +436,36 @@ static int rsa_alt_decrypt_wrap( void *ctx,
RSA_PRIVATE, olen, input, output, osize ) );
}
#if defined(POLARSSL_RSA_C)
static int rsa_alt_check_pair( const void *pub, const void *prv )
{
unsigned char sig[POLARSSL_MPI_MAX_SIZE];
unsigned char hash[32];
size_t sig_len = 0;
int ret;
if( rsa_alt_get_size( prv ) != rsa_get_size( pub ) )
return( POLARSSL_ERR_RSA_KEY_CHECK_FAILED );
memset( hash, 0x2a, sizeof( hash ) );
if( ( ret = rsa_alt_sign_wrap( (void *) prv, POLARSSL_MD_NONE,
hash, sizeof( hash ),
sig, &sig_len, NULL, NULL ) ) != 0 )
{
return( ret );
}
if( rsa_verify_wrap( (void *) pub, POLARSSL_MD_NONE,
hash, sizeof( hash ), sig, sig_len ) != 0 )
{
return( POLARSSL_ERR_RSA_KEY_CHECK_FAILED );
}
return( 0 );
}
#endif /* POLARSSL_RSA_C */
static void *rsa_alt_alloc_wrap( void )
{
void *ctx = polarssl_malloc( sizeof( rsa_alt_context ) );
@@ -444,6 +491,11 @@ const pk_info_t rsa_alt_info = {
rsa_alt_sign_wrap,
rsa_alt_decrypt_wrap,
NULL,
#if defined(POLARSSL_RSA_C)
rsa_alt_check_pair,
#else
NULL,
#endif
rsa_alt_alloc_wrap,
rsa_alt_free_wrap,
NULL,

6
library/pkparse.c
View File

@@ -71,7 +71,7 @@ static void polarssl_zeroize( void *v, size_t n ) {
/*
* Load all data from a file into a given buffer.
*/
static int load_file( const char *path, unsigned char **buf, size_t *n )
int pk_load_file( const char *path, unsigned char **buf, size_t *n )
{
FILE *f;
long size;
@@ -120,7 +120,7 @@ int pk_parse_keyfile( pk_context *ctx,
size_t n;
unsigned char *buf;
if( ( ret = load_file( path, &buf, &n ) ) != 0 )
if( ( ret = pk_load_file( path, &buf, &n ) ) != 0 )
return( ret );
if( pwd == NULL )
@@ -144,7 +144,7 @@ int pk_parse_public_keyfile( pk_context *ctx, const char *path )
size_t n;
unsigned char *buf;
if( ( ret = load_file( path, &buf, &n ) ) != 0 )
if( ( ret = pk_load_file( path, &buf, &n ) ) != 0 )
return( ret );
ret = pk_parse_public_key( ctx, buf, n );

40
library/rsa.c
View File

@@ -240,6 +240,26 @@ cleanup:
return( 0 );
}
/*
* Check if contexts holding a public and private key match
*/
int rsa_check_pub_priv( const rsa_context *pub, const rsa_context *prv )
{
if( rsa_check_pubkey( pub ) != 0 ||
rsa_check_privkey( prv ) != 0 )
{
return( POLARSSL_ERR_RSA_KEY_CHECK_FAILED );
}
if( mpi_cmp_mpi( &pub->N, &prv->N ) != 0 ||
mpi_cmp_mpi( &pub->E, &prv->E ) != 0 )
{
return( POLARSSL_ERR_RSA_KEY_CHECK_FAILED );
}
return( 0 );
}
/*
* Do an RSA public key operation
*/
@@ -275,7 +295,6 @@ cleanup:
return( 0 );
}
#if !defined(POLARSSL_RSA_NO_CRT)
/*
* Generate or update blinding values, see section 10 of:
* KOCHER, Paul C. Timing attacks on implementations of Diffie-Hellman, RSA,
@@ -329,7 +348,6 @@ cleanup:
return( ret );
}
#endif /* !POLARSSL_RSA_NO_CRT */
/*
* Do an RSA private key operation
@@ -343,7 +361,6 @@ int rsa_private( rsa_context *ctx,
int ret;
size_t olen;
mpi T, T1, T2;
#if !defined(POLARSSL_RSA_NO_CRT)
mpi *Vi, *Vf;
/*
@@ -361,7 +378,6 @@ int rsa_private( rsa_context *ctx,
Vi = &ctx->Vi;
Vf = &ctx->Vf;
#endif
#endif /* !POLARSSL_RSA_NO_CRT */
mpi_init( &T ); mpi_init( &T1 ); mpi_init( &T2 );
@@ -372,11 +388,6 @@ int rsa_private( rsa_context *ctx,
return( POLARSSL_ERR_RSA_BAD_INPUT_DATA );
}
#if defined(POLARSSL_RSA_NO_CRT)
((void) f_rng);
((void) p_rng);
MPI_CHK( mpi_exp_mod( &T, &T, &ctx->D, &ctx->N, &ctx->RN ) );
#else
if( f_rng != NULL )
{
/*
@@ -388,6 +399,9 @@ int rsa_private( rsa_context *ctx,
MPI_CHK( mpi_mod_mpi( &T, &T, &ctx->N ) );
}
#if defined(POLARSSL_RSA_NO_CRT)
MPI_CHK( mpi_exp_mod( &T, &T, &ctx->D, &ctx->N, &ctx->RN ) );
#else
/*
* faster decryption using the CRT
*
@@ -409,6 +423,7 @@ int rsa_private( rsa_context *ctx,
*/
MPI_CHK( mpi_mul_mpi( &T1, &T, &ctx->Q ) );
MPI_CHK( mpi_add_mpi( &T, &T2, &T1 ) );
#endif /* POLARSSL_RSA_NO_CRT */
if( f_rng != NULL )
{
@@ -419,14 +434,13 @@ int rsa_private( rsa_context *ctx,
MPI_CHK( mpi_mul_mpi( &T, &T, Vf ) );
MPI_CHK( mpi_mod_mpi( &T, &T, &ctx->N ) );
}
#endif /* POLARSSL_RSA_NO_CRT */
olen = ctx->len;
MPI_CHK( mpi_write_binary( &T, output, olen ) );
cleanup:
mpi_free( &T ); mpi_free( &T1 ); mpi_free( &T2 );
#if !defined(POLARSSL_RSA_NO_CRT) && defined(POLARSSL_THREADING_C)
#if defined(POLARSSL_THREADING_C)
mpi_free( &Vi_copy ); mpi_free( &Vf_copy );
#endif
@@ -1425,10 +1439,8 @@ int rsa_copy( rsa_context *dst, const rsa_context *src )
MPI_CHK( mpi_copy( &dst->RP, &src->RP ) );
MPI_CHK( mpi_copy( &dst->RQ, &src->RQ ) );
#if !defined(POLARSSL_RSA_NO_CRT)
MPI_CHK( mpi_copy( &dst->Vi, &src->Vi ) );
MPI_CHK( mpi_copy( &dst->Vf, &src->Vf ) );
#endif
dst->padding = src->padding;
dst->hash_id = src->hash_id;
@@ -1445,9 +1457,7 @@ cleanup:
*/
void rsa_free( rsa_context *ctx )
{
#if !defined(POLARSSL_RSA_NO_CRT)
mpi_free( &ctx->Vi ); mpi_free( &ctx->Vf );
#endif
mpi_free( &ctx->RQ ); mpi_free( &ctx->RP ); mpi_free( &ctx->RN );
mpi_free( &ctx->QP ); mpi_free( &ctx->DQ ); mpi_free( &ctx->DP );
mpi_free( &ctx->Q ); mpi_free( &ctx->P ); mpi_free( &ctx->D );

13
library/ssl_cache.c
View File

@@ -105,10 +105,8 @@ int ssl_cache_get( void *data, ssl_session *session )
*/
if( entry->peer_cert.p != NULL )
{
session->peer_cert =
(x509_crt *) polarssl_malloc( sizeof(x509_crt) );
if( session->peer_cert == NULL )
if( ( session->peer_cert = (x509_crt *) polarssl_malloc(
sizeof(x509_crt) ) ) == NULL )
{
ret = 1;
goto exit;
@@ -226,8 +224,7 @@ int ssl_cache_set( void *data, const ssl_session *session )
/*
* max_entries not reached, create new entry
*/
cur = (ssl_cache_entry *)
polarssl_malloc( sizeof(ssl_cache_entry) );
cur = (ssl_cache_entry *) polarssl_malloc( sizeof(ssl_cache_entry) );
if( cur == NULL )
{
ret = 1;
@@ -264,8 +261,8 @@ int ssl_cache_set( void *data, const ssl_session *session )
*/
if( session->peer_cert != NULL )
{
cur->peer_cert.p = (unsigned char *)
polarssl_malloc( session->peer_cert->raw.len );
cur->peer_cert.p = (unsigned char *) polarssl_malloc(
session->peer_cert->raw.len );
if( cur->peer_cert.p == NULL )
{
ret = 1;

12
library/ssl_cli.c
View File

@@ -142,7 +142,11 @@ static void ssl_write_renegotiation_ext( ssl_context *ssl,
*olen = 5 + ssl->verify_data_len;
}
#if defined(POLARSSL_SSL_PROTO_TLS1_2)
/*
* Only if we handle at least one key exchange that needs signatures.
*/
#if defined(POLARSSL_SSL_PROTO_TLS1_2) && \
defined(POLARSSL_KEY_EXCHANGE__WITH_CERT__ENABLED)
static void ssl_write_signature_algorithms_ext( ssl_context *ssl,
unsigned char *buf,
size_t *olen )
@@ -236,7 +240,8 @@ static void ssl_write_signature_algorithms_ext( ssl_context *ssl,
*olen = 6 + sig_alg_len;
}
#endif /* POLARSSL_SSL_PROTO_TLS1_2 */
#endif /* POLARSSL_SSL_PROTO_TLS1_2 &&
POLARSSL_KEY_EXCHANGE__WITH_CERT__ENABLED */
#if defined(POLARSSL_ECDH_C) || defined(POLARSSL_ECDSA_C)
static void ssl_write_supported_elliptic_curves_ext( ssl_context *ssl,
@@ -691,7 +696,8 @@ static int ssl_write_client_hello( ssl_context *ssl )
ssl_write_renegotiation_ext( ssl, p + 2 + ext_len, &olen );
ext_len += olen;
#if defined(POLARSSL_SSL_PROTO_TLS1_2)
#if defined(POLARSSL_SSL_PROTO_TLS1_2) && \
defined(POLARSSL_KEY_EXCHANGE__WITH_CERT__ENABLED)
ssl_write_signature_algorithms_ext( ssl, p + 2 + ext_len, &olen );
ext_len += olen;
#endif

12
library/ssl_srv.c
View File

@@ -465,7 +465,8 @@ static int ssl_parse_renegotiation_info( ssl_context *ssl,
return( 0 );
}
#if defined(POLARSSL_SSL_PROTO_TLS1_2)
#if defined(POLARSSL_SSL_PROTO_TLS1_2) && \
defined(POLARSSL_KEY_EXCHANGE__WITH_CERT__ENABLED)
static int ssl_parse_signature_algorithms_ext( ssl_context *ssl,
const unsigned char *buf,
size_t len )
@@ -509,7 +510,8 @@ have_sig_alg:
return( 0 );
}
#endif /* POLARSSL_SSL_PROTO_TLS1_2 */
#endif /* POLARSSL_SSL_PROTO_TLS1_2 &&
POLARSSL_KEY_EXCHANGE__WITH_CERT__ENABLED */
#if defined(POLARSSL_ECDH_C) || defined(POLARSSL_ECDSA_C)
static int ssl_parse_supported_elliptic_curves( ssl_context *ssl,
@@ -1495,7 +1497,8 @@ static int ssl_parse_client_hello( ssl_context *ssl )
return( ret );
break;
#if defined(POLARSSL_SSL_PROTO_TLS1_2)
#if defined(POLARSSL_SSL_PROTO_TLS1_2) && \
defined(POLARSSL_KEY_EXCHANGE__WITH_CERT__ENABLED)
case TLS_EXT_SIG_ALG:
SSL_DEBUG_MSG( 3, ( "found signature_algorithms extension" ) );
if( ssl->renegotiation == SSL_RENEGOTIATION )
@@ -1505,7 +1508,8 @@ static int ssl_parse_client_hello( ssl_context *ssl )
if( ret != 0 )
return( ret );
break;
#endif /* POLARSSL_SSL_PROTO_TLS1_2 */
#endif /* POLARSSL_SSL_PROTO_TLS1_2 &&
POLARSSL_KEY_EXCHANGE__WITH_CERT__ENABLED */
#if defined(POLARSSL_ECDH_C) || defined(POLARSSL_ECDSA_C)
case TLS_EXT_SUPPORTED_ELLIPTIC_CURVES:

89
library/ssl_tls.c
View File

@@ -647,6 +647,7 @@ int ssl_derive_keys( ssl_context *ssl )
/*
* Finally setup the cipher contexts, IVs and MAC secrets.
*/
#if defined(POLARSSL_SSL_CLI_C)
if( ssl->endpoint == SSL_IS_CLIENT )
{
key1 = keyblk + transform->maclen * 2;
@@ -665,6 +666,9 @@ int ssl_derive_keys( ssl_context *ssl )
iv_copy_len );
}
else
#endif /* POLARSSL_SSL_CLI_C */
#if defined(POLARSSL_SSL_SRV_C)
if( ssl->endpoint == SSL_IS_SERVER )
{
key1 = keyblk + transform->maclen * 2 + transform->keylen;
key2 = keyblk + transform->maclen * 2;
@@ -681,6 +685,12 @@ int ssl_derive_keys( ssl_context *ssl )
memcpy( transform->iv_enc, key1 + transform->keylen + iv_copy_len,
iv_copy_len );
}
else
#endif /* POLARSSL_SSL_SRV_C */
{
SSL_DEBUG_MSG( 1, ( "should never happen" ) );
return( POLARSSL_ERR_SSL_INTERNAL_ERROR );
}
#if defined(POLARSSL_SSL_PROTO_SSL3)
if( ssl->minor_ver == SSL_MINOR_VERSION_0 )
@@ -1096,6 +1106,9 @@ static int ssl_encrypt_buf( ssl_context *ssl )
mode = cipher_get_cipher_mode( &ssl->transform_out->cipher_ctx_enc );
SSL_DEBUG_BUF( 4, "before encrypt: output payload",
ssl->out_msg, ssl->out_msglen );
/*
* Add MAC before if needed
*/
@@ -1157,9 +1170,6 @@ static int ssl_encrypt_buf( ssl_context *ssl )
"including %d bytes of padding",
ssl->out_msglen, 0 ) );
SSL_DEBUG_BUF( 4, "before encrypt: output payload",
ssl->out_msg, ssl->out_msglen );
if( ( ret = cipher_crypt( &ssl->transform_out->cipher_ctx_enc,
ssl->transform_out->iv_enc,
ssl->transform_out->ivlen,
@@ -1202,6 +1212,7 @@ static int ssl_encrypt_buf( ssl_context *ssl )
/*
* Generate IV
*/
#if defined(POLARSSL_SSL_AEAD_RANDOM_IV)
ret = ssl->f_rng( ssl->p_rng,
ssl->transform_out->iv_enc + ssl->transform_out->fixed_ivlen,
ssl->transform_out->ivlen - ssl->transform_out->fixed_ivlen );
@@ -1211,6 +1222,18 @@ static int ssl_encrypt_buf( ssl_context *ssl )
memcpy( ssl->out_iv,
ssl->transform_out->iv_enc + ssl->transform_out->fixed_ivlen,
ssl->transform_out->ivlen - ssl->transform_out->fixed_ivlen );
#else
if( ssl->transform_out->ivlen - ssl->transform_out->fixed_ivlen != 8 )
{
/* Reminder if we ever add an AEAD mode with a different size */
SSL_DEBUG_MSG( 1, ( "should never happen" ) );
return( POLARSSL_ERR_SSL_INTERNAL_ERROR );
}
memcpy( ssl->transform_out->iv_enc + ssl->transform_out->fixed_ivlen,
ssl->out_ctr, 8 );
memcpy( ssl->out_iv, ssl->out_ctr, 8 );
#endif
SSL_DEBUG_BUF( 4, "IV used", ssl->out_iv,
ssl->transform_out->ivlen - ssl->transform_out->fixed_ivlen );
@@ -1227,9 +1250,6 @@ static int ssl_encrypt_buf( ssl_context *ssl )
"including %d bytes of padding",
ssl->out_msglen, 0 ) );
SSL_DEBUG_BUF( 4, "before encrypt: output payload",
ssl->out_msg, ssl->out_msglen );
/*
* Encrypt and authenticate
*/
@@ -1311,9 +1331,6 @@ static int ssl_encrypt_buf( ssl_context *ssl )
ssl->out_msglen, ssl->transform_out->ivlen,
padlen + 1 ) );
SSL_DEBUG_BUF( 4, "before encrypt: output payload",
ssl->out_iv, ssl->out_msglen );
if( ( ret = cipher_crypt( &ssl->transform_out->cipher_ctx_enc,
ssl->transform_out->iv_enc,
ssl->transform_out->ivlen,
@@ -2522,6 +2539,7 @@ int ssl_write_certificate( ssl_context *ssl )
return( 0 );
}
#if defined(POLARSSL_SSL_CLI_C)
if( ssl->endpoint == SSL_IS_CLIENT )
{
if( ssl->client_auth == 0 )
@@ -2549,7 +2567,9 @@ int ssl_write_certificate( ssl_context *ssl )
}
#endif /* POLARSSL_SSL_PROTO_SSL3 */
}
else /* SSL_IS_SERVER */
#endif /* POLARSSL_SSL_CLI_C */
#if defined(POLARSSL_SSL_SRV_C)
if( ssl->endpoint == SSL_IS_SERVER )
{
if( ssl_own_cert( ssl ) == NULL )
{
@@ -2557,6 +2577,7 @@ int ssl_write_certificate( ssl_context *ssl )
return( POLARSSL_ERR_SSL_CERTIFICATE_REQUIRED );
}
}
#endif
SSL_DEBUG_CRT( 3, "own certificate", ssl_own_cert( ssl ) );
@@ -2632,6 +2653,7 @@ int ssl_parse_certificate( ssl_context *ssl )
return( 0 );
}
#if defined(POLARSSL_SSL_SRV_C)
if( ssl->endpoint == SSL_IS_SERVER &&
( ssl->authmode == SSL_VERIFY_NONE ||
ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_RSA_PSK ) )
@@ -2641,6 +2663,7 @@ int ssl_parse_certificate( ssl_context *ssl )
ssl->state++;
return( 0 );
}
#endif
if( ( ret = ssl_read_record( ssl ) ) != 0 )
{
@@ -2650,6 +2673,7 @@ int ssl_parse_certificate( ssl_context *ssl )
ssl->state++;
#if defined(POLARSSL_SSL_SRV_C)
#if defined(POLARSSL_SSL_PROTO_SSL3)
/*
* Check if the client sent an empty certificate
@@ -2694,6 +2718,7 @@ int ssl_parse_certificate( ssl_context *ssl )
}
#endif /* POLARSSL_SSL_PROTO_TLS1 || POLARSSL_SSL_PROTO_TLS1_1 || \
POLARSSL_SSL_PROTO_TLS1_2 */
#endif /* POLARSSL_SSL_SRV_C */
if( ssl->in_msgtype != SSL_MSG_HANDSHAKE )
{
@@ -2772,6 +2797,7 @@ int ssl_parse_certificate( ssl_context *ssl )
* On client, make sure the server cert doesn't change during renego to
* avoid "triple handshake" attack: https://secure-resumption.com/
*/
#if defined(POLARSSL_SSL_CLI_C)
if( ssl->endpoint == SSL_IS_CLIENT &&
ssl->renegotiation == SSL_RENEGOTIATION )
{
@@ -2791,6 +2817,7 @@ int ssl_parse_certificate( ssl_context *ssl )
return( POLARSSL_ERR_SSL_BAD_HS_CERTIFICATE );
}
}
#endif /* POLARSSL_SSL_CLI_C */
if( ssl->authmode != SSL_VERIFY_NONE )
{
@@ -3315,10 +3342,14 @@ int ssl_write_finished( ssl_context *ssl )
*/
if( ssl->handshake->resume != 0 )
{
#if defined(POLARSSL_SSL_CLI_C)
if( ssl->endpoint == SSL_IS_CLIENT )
ssl->state = SSL_HANDSHAKE_WRAPUP;
else
#endif
#if defined(POLARSSL_SSL_SRV_C)
if( ssl->endpoint == SSL_IS_SERVER )
ssl->state = SSL_CLIENT_CHANGE_CIPHER_SPEC;
#endif
}
else
ssl->state++;
@@ -3428,11 +3459,14 @@ int ssl_parse_finished( ssl_context *ssl )
if( ssl->handshake->resume != 0 )
{
#if defined(POLARSSL_SSL_CLI_C)
if( ssl->endpoint == SSL_IS_CLIENT )
ssl->state = SSL_CLIENT_CHANGE_CIPHER_SPEC;
#endif
#if defined(POLARSSL_SSL_SRV_C)
if( ssl->endpoint == SSL_IS_SERVER )
ssl->state = SSL_HANDSHAKE_WRAPUP;
#endif
}
else
ssl->state++;
@@ -3507,14 +3541,14 @@ static int ssl_handshake_init( ssl_context *ssl )
*/
if( ssl->transform_negotiate == NULL )
{
ssl->transform_negotiate =
(ssl_transform *) polarssl_malloc( sizeof(ssl_transform) );
ssl->transform_negotiate = (ssl_transform *) polarssl_malloc(
sizeof(ssl_transform) );
}
if( ssl->session_negotiate == NULL )
{
ssl->session_negotiate =
(ssl_session *) polarssl_malloc( sizeof(ssl_session) );
ssl->session_negotiate = (ssl_session *) polarssl_malloc(
sizeof(ssl_session) );
}
if( ssl->handshake == NULL )
@@ -3778,7 +3812,8 @@ void ssl_set_endpoint( ssl_context *ssl, int endpoint )
{
ssl->endpoint = endpoint;
#if defined(POLARSSL_SSL_SESSION_TICKETS)
#if defined(POLARSSL_SSL_SESSION_TICKETS) && \
defined(POLARSSL_SSL_CLI_C)
if( endpoint == SSL_IS_CLIENT )
ssl->session_tickets = SSL_SESSION_TICKETS_ENABLED;
#endif
@@ -3825,6 +3860,7 @@ void ssl_set_bio( ssl_context *ssl,
ssl->p_send = p_send;
}
#if defined(POLARSSL_SSL_SRV_C)
void ssl_set_session_cache( ssl_context *ssl,
int (*f_get_cache)(void *, ssl_session *), void *p_get_cache,
int (*f_set_cache)(void *, const ssl_session *), void *p_set_cache )
@@ -3834,7 +3870,9 @@ void ssl_set_session_cache( ssl_context *ssl,
ssl->f_set_cache = f_set_cache;
ssl->p_set_cache = p_set_cache;
}
#endif /* POLARSSL_SSL_SRV_C */
#if defined(POLARSSL_SSL_CLI_C)
int ssl_set_session( ssl_context *ssl, const ssl_session *session )
{
int ret;
@@ -3854,6 +3892,7 @@ int ssl_set_session( ssl_context *ssl, const ssl_session *session )
return( 0 );
}
#endif /* POLARSSL_SSL_CLI_C */
void ssl_set_ciphersuites( ssl_context *ssl, const int *ciphersuites )
{
@@ -3925,7 +3964,7 @@ int ssl_set_own_cert( ssl_context *ssl, x509_crt *own_cert,
key_cert->cert = own_cert;
key_cert->key = pk_key;
return( 0 );
return( pk_check_pair( &key_cert->cert->pk, key_cert->key ) );
}
#if defined(POLARSSL_RSA_C)
@@ -3954,7 +3993,7 @@ int ssl_set_own_cert_rsa( ssl_context *ssl, x509_crt *own_cert,
key_cert->cert = own_cert;
key_cert->key_own_alloc = 1;
return( 0 );
return( pk_check_pair( &key_cert->cert->pk, key_cert->key ) );
}
#endif /* POLARSSL_RSA_C */
@@ -3983,7 +4022,7 @@ int ssl_set_own_cert_alt( ssl_context *ssl, x509_crt *own_cert,
key_cert->cert = own_cert;
key_cert->key_own_alloc = 1;
return( 0 );
return( pk_check_pair( &key_cert->cert->pk, key_cert->key ) );
}
#endif /* POLARSSL_X509_CRT_PARSE_C */
@@ -4232,8 +4271,13 @@ int ssl_set_session_tickets( ssl_context *ssl, int use_tickets )
{
ssl->session_tickets = use_tickets;
#if defined(POLARSSL_SSL_CLI_C)
if( ssl->endpoint == SSL_IS_CLIENT )
return( 0 );
#endif
if( use_tickets == SSL_SESSION_TICKETS_DISABLED )
return( 0 );
if( ssl->f_rng == NULL )
return( POLARSSL_ERR_SSL_BAD_INPUT_DATA );
@@ -4300,6 +4344,7 @@ const x509_crt *ssl_get_peer_cert( const ssl_context *ssl )
}
#endif /* POLARSSL_X509_CRT_PARSE_C */
#if defined(POLARSSL_SSL_CLI_C)
int ssl_get_session( const ssl_context *ssl, ssl_session *dst )
{
if( ssl == NULL ||
@@ -4312,6 +4357,7 @@ int ssl_get_session( const ssl_context *ssl, ssl_session *dst )
return( ssl_session_copy( dst, ssl->session ) );
}
#endif /* POLARSSL_SSL_CLI_C */
/*
* Perform a single step of the SSL handshake
@@ -4324,7 +4370,6 @@ int ssl_handshake_step( ssl_context *ssl )
if( ssl->endpoint == SSL_IS_CLIENT )
ret = ssl_handshake_client_step( ssl );
#endif
#if defined(POLARSSL_SSL_SRV_C)
if( ssl->endpoint == SSL_IS_SERVER )
ret = ssl_handshake_server_step( ssl );
@@ -4525,6 +4570,7 @@ int ssl_read( ssl_context *ssl, unsigned char *buf, size_t len )
{
SSL_DEBUG_MSG( 1, ( "received handshake message" ) );
#if defined(POLARSSL_SSL_CLI_C)
if( ssl->endpoint == SSL_IS_CLIENT &&
( ssl->in_msg[0] != SSL_HS_HELLO_REQUEST ||
ssl->in_hslen != 4 ) )
@@ -4532,6 +4578,7 @@ int ssl_read( ssl_context *ssl, unsigned char *buf, size_t len )
SSL_DEBUG_MSG( 1, ( "handshake received (not HelloRequest)" ) );
return( POLARSSL_ERR_SSL_UNEXPECTED_MESSAGE );
}
#endif
if( ssl->disable_renegotiation == SSL_RENEGOTIATION_DISABLED ||
( ssl->secure_renegotiation == SSL_LEGACY_RENEGOTIATION &&

90
library/x509.c
View File

@@ -421,35 +421,39 @@ int x509_get_name( unsigned char **p, const unsigned char *end,
size_t set_len;
const unsigned char *end_set;
/*
* parse first SET, restricted to 1 element
*/
if( ( ret = asn1_get_tag( p, end, &set_len,
ASN1_CONSTRUCTED | ASN1_SET ) ) != 0 )
return( POLARSSL_ERR_X509_INVALID_NAME + ret );
/* don't use recursion, we'd risk stack overflow if not optimized */
while( 1 )
{
/*
* parse first SET, restricted to 1 element
*/
if( ( ret = asn1_get_tag( p, end, &set_len,
ASN1_CONSTRUCTED | ASN1_SET ) ) != 0 )
return( POLARSSL_ERR_X509_INVALID_NAME + ret );
end_set = *p + set_len;
end_set = *p + set_len;
if( ( ret = x509_get_attr_type_value( p, end_set, cur ) ) != 0 )
return( ret );
if( ( ret = x509_get_attr_type_value( p, end_set, cur ) ) != 0 )
return( ret );
if( *p != end_set )
return( POLARSSL_ERR_X509_FEATURE_UNAVAILABLE );
if( *p != end_set )
return( POLARSSL_ERR_X509_FEATURE_UNAVAILABLE );
/*
* recurse until end of SEQUENCE is reached
*/
if( *p == end )
return( 0 );
/*
* continue until end of SEQUENCE is reached
*/
if( *p == end )
return( 0 );
cur->next = (x509_name *) polarssl_malloc( sizeof( x509_name ) );
cur->next = (x509_name *) polarssl_malloc( sizeof( x509_name ) );
if( cur->next == NULL )
return( POLARSSL_ERR_X509_MALLOC_FAILED );
if( cur->next == NULL )
return( POLARSSL_ERR_X509_MALLOC_FAILED );
memset( cur->next, 0, sizeof( x509_name ) );
memset( cur->next, 0, sizeof( x509_name ) );
return( x509_get_name( p, end, cur->next ) );
cur = cur->next;
}
}
/*
@@ -632,50 +636,6 @@ int x509_get_ext( unsigned char **p, const unsigned char *end,
return( 0 );
}
#if defined(POLARSSL_FS_IO)
/*
* Load all data from a file into a given buffer.
*/
int x509_load_file( const char *path, unsigned char **buf, size_t *n )
{
FILE *f;
long size;
if( ( f = fopen( path, "rb" ) ) == NULL )
return( POLARSSL_ERR_X509_FILE_IO_ERROR );
fseek( f, 0, SEEK_END );
if( ( size = ftell( f ) ) == -1 )
{
fclose( f );
return( POLARSSL_ERR_X509_FILE_IO_ERROR );
}
fseek( f, 0, SEEK_SET );
*n = (size_t) size;
if( *n + 1 == 0 ||
( *buf = (unsigned char *) polarssl_malloc( *n + 1 ) ) == NULL )
{
fclose( f );
return( POLARSSL_ERR_X509_MALLOC_FAILED );
}
if( fread( *buf, 1, *n, f ) != *n )
{
fclose( f );
polarssl_free( *buf );
return( POLARSSL_ERR_X509_FILE_IO_ERROR );
}
fclose( f );
(*buf)[*n] = '\0';
return( 0 );
}
#endif /* POLARSSL_FS_IO */
#if defined(_MSC_VER) && !defined snprintf && !defined(EFIX64) && \
!defined(EFI32)
#include <stdarg.h>

154
library/x509_crl.c
View File

@@ -243,8 +243,8 @@ static int x509_get_entries( unsigned char **p,
if( cur_entry->next == NULL )
return( POLARSSL_ERR_X509_MALLOC_FAILED );
memset( cur_entry->next, 0, sizeof( x509_crl_entry ) );
cur_entry = cur_entry->next;
memset( cur_entry, 0, sizeof( x509_crl_entry ) );
}
}
@@ -252,25 +252,16 @@ static int x509_get_entries( unsigned char **p,
}
/*
* Parse one or more CRLs and add them to the chained list
* Parse one CRLs in DER format and append it to the chained list
*/
int x509_crl_parse( x509_crl *chain, const unsigned char *buf, size_t buflen )
int x509_crl_parse_der( x509_crl *chain,
const unsigned char *buf, size_t buflen )
{
int ret;
size_t len;
unsigned char *p, *end;
x509_crl *crl;
x509_buf sig_params1, sig_params2;
#if defined(POLARSSL_PEM_PARSE_C)
size_t use_len;
pem_context pem;
#endif
memset( &sig_params1, 0, sizeof( x509_buf ) );
memset( &sig_params2, 0, sizeof( x509_buf ) );
crl = chain;
x509_crl *crl = chain;
/*
* Check for valid input
@@ -278,12 +269,15 @@ int x509_crl_parse( x509_crl *chain, const unsigned char *buf, size_t buflen )
if( crl == NULL || buf == NULL )
return( POLARSSL_ERR_X509_BAD_INPUT_DATA );
while( crl->version != 0 && crl->next != NULL )
crl = crl->next;
memset( &sig_params1, 0, sizeof( x509_buf ) );
memset( &sig_params2, 0, sizeof( x509_buf ) );
/*
* Add new CRL on the end of the chain if needed.
*/
while( crl->version != 0 && crl->next != NULL )
crl = crl->next;
if( crl->version != 0 && crl->next == NULL )
{
crl->next = (x509_crl *) polarssl_malloc( sizeof( x509_crl ) );
@@ -294,57 +288,22 @@ int x509_crl_parse( x509_crl *chain, const unsigned char *buf, size_t buflen )
return( POLARSSL_ERR_X509_MALLOC_FAILED );
}
x509_crl_init( crl->next );
crl = crl->next;
x509_crl_init( crl );
}
#if defined(POLARSSL_PEM_PARSE_C)
pem_init( &pem );
ret = pem_read_buffer( &pem,
"-----BEGIN X509 CRL-----",
"-----END X509 CRL-----",
buf, NULL, 0, &use_len );
/*
* Copy raw DER-encoded CRL
*/
if( ( p = polarssl_malloc( buflen ) ) == NULL )
return( POLARSSL_ERR_X509_MALLOC_FAILED );
if( ret == 0 )
{
/*
* Was PEM encoded
*/
buflen -= use_len;
buf += use_len;
/*
* Steal PEM buffer
*/
p = pem.buf;
pem.buf = NULL;
len = pem.buflen;
pem_free( &pem );
}
else if( ret != POLARSSL_ERR_PEM_NO_HEADER_FOOTER_PRESENT )
{
pem_free( &pem );
return( ret );
}
else
#endif /* POLARSSL_PEM_PARSE_C */
{
/*
* nope, copy the raw DER data
*/
p = (unsigned char *) polarssl_malloc( len = buflen );
if( p == NULL )
return( POLARSSL_ERR_X509_MALLOC_FAILED );
memcpy( p, buf, buflen );
buflen = 0;
}
memcpy( p, buf, buflen );
crl->raw.p = p;
crl->raw.len = len;
end = p + len;
crl->raw.len = buflen;
end = p + buflen;
/*
* CertificateList ::= SEQUENCE {
@@ -522,25 +481,64 @@ int x509_crl_parse( x509_crl *chain, const unsigned char *buf, size_t buflen )
POLARSSL_ERR_ASN1_LENGTH_MISMATCH );
}
if( buflen > 0 )
{
crl->next = (x509_crl *) polarssl_malloc( sizeof( x509_crl ) );
if( crl->next == NULL )
{
x509_crl_free( crl );
return( POLARSSL_ERR_X509_MALLOC_FAILED );
}
crl = crl->next;
x509_crl_init( crl );
return( x509_crl_parse( crl, buf, buflen ) );
}
return( 0 );
}
/*
* Parse one or more CRLs and add them to the chained list
*/
int x509_crl_parse( x509_crl *chain, const unsigned char *buf, size_t buflen )
{
#if defined(POLARSSL_PEM_PARSE_C)
int ret;
size_t use_len;
pem_context pem;
int is_pem = 0;
if( chain == NULL || buf == NULL )
return( POLARSSL_ERR_X509_BAD_INPUT_DATA );
do
{
pem_init( &pem );
ret = pem_read_buffer( &pem,
"-----BEGIN X509 CRL-----",
"-----END X509 CRL-----",
buf, NULL, 0, &use_len );
if( ret == 0 )
{
/*
* Was PEM encoded
*/
is_pem = 1;
buflen -= use_len;
buf += use_len;
if( ( ret = x509_crl_parse_der( chain,
pem.buf, pem.buflen ) ) != 0 )
{
return( ret );
}
pem_free( &pem );
}
else if( ret != POLARSSL_ERR_PEM_NO_HEADER_FOOTER_PRESENT )
{
pem_free( &pem );
return( ret );
}
}
while( is_pem && buflen > 0 );
if( is_pem )
return( 0 );
else
#endif /* POLARSSL_PEM_PARSE_C */
return( x509_crl_parse_der( chain, buf, buflen ) );
}
#if defined(POLARSSL_FS_IO)
/*
* Load one or more CRLs and add them to the chained list
@@ -551,7 +549,7 @@ int x509_crl_parse_file( x509_crl *chain, const char *path )
size_t n;
unsigned char *buf;
if( ( ret = x509_load_file( path, &buf, &n ) ) != 0 )
if( ( ret = pk_load_file( path, &buf, &n ) ) != 0 )
return( ret );
ret = x509_crl_parse( chain, buf, n );

55
library/x509_crt.c
View File

@@ -359,6 +359,9 @@ static int x509_get_subject_alt_name( unsigned char **p,
/* Allocate and assign next pointer */
if( cur->buf.p != NULL )
{
if( cur->next != NULL )
return( POLARSSL_ERR_X509_INVALID_EXTENSIONS );
cur->next = (asn1_sequence *) polarssl_malloc(
sizeof( asn1_sequence ) );
@@ -478,6 +481,10 @@ static int x509_get_crt_ext( unsigned char **p,
continue;
}
/* Forbid repeated extensions */
if( ( crt->ext_types & ext_type ) != 0 )
return( POLARSSL_ERR_X509_INVALID_EXTENSIONS );
crt->ext_types |= ext_type;
switch( ext_type )
@@ -812,8 +819,8 @@ int x509_crt_parse_der( x509_crt *chain, const unsigned char *buf,
return( POLARSSL_ERR_X509_MALLOC_FAILED );
prev = crt;
x509_crt_init( crt->next );
crt = crt->next;
x509_crt_init( crt );
}
if( ( ret = x509_crt_parse_der_core( crt, buf, buflen ) ) != 0 )
@@ -946,7 +953,7 @@ int x509_crt_parse_file( x509_crt *chain, const char *path )
size_t n;
unsigned char *buf;
if( ( ret = x509_load_file( path, &buf, &n ) ) != 0 )
if( ( ret = pk_load_file( path, &buf, &n ) ) != 0 )
return( ret );
ret = x509_crt_parse( chain, buf, n );
@@ -1629,25 +1636,30 @@ static int x509_string_cmp( const x509_buf *a, const x509_buf *b )
*/
static int x509_name_cmp( const x509_name *a, const x509_name *b )
{
if( a == NULL && b == NULL )
return( 0 );
if( a == NULL || b == NULL )
return( -1 );
/* type */
if( a->oid.tag != b->oid.tag ||
a->oid.len != b->oid.len ||
memcmp( a->oid.p, b->oid.p, b->oid.len ) != 0 )
/* Avoid recursion, it might not be optimised by the compiler */
while( a != NULL || b != NULL )
{
return( -1 );
if( a == NULL || b == NULL )
return( -1 );
/* type */
if( a->oid.tag != b->oid.tag ||
a->oid.len != b->oid.len ||
memcmp( a->oid.p, b->oid.p, b->oid.len ) != 0 )
{
return( -1 );
}
/* value */
if( x509_string_cmp( &a->val, &b->val ) != 0 )
return( -1 );
a = a->next;
b = b->next;
}
/* value */
if( x509_string_cmp( &a->val, &b->val ) != 0 )
return( -1 );
return( x509_name_cmp( a->next, b->next ) );
/* a == NULL == b */
return( 0 );
}
/*
@@ -1822,6 +1834,13 @@ static int x509_crt_verify_child(
x509_crt *grandparent;
const md_info_t *md_info;
/* path_cnt is 0 for the first intermediate CA */
if( 1 + path_cnt > POLARSSL_X509_MAX_INTERMEDIATE_CA )
{
*flags |= BADCERT_NOT_TRUSTED;
return( POLARSSL_ERR_X509_CERT_VERIFY_FAILED );
}
if( x509_time_expired( &child->valid_to ) )
*flags |= BADCERT_EXPIRED;

2
library/x509_csr.c
View File

@@ -310,7 +310,7 @@ int x509_csr_parse_file( x509_csr *csr, const char *path )
size_t n;
unsigned char *buf;
if( ( ret = x509_load_file( path, &buf, &n ) ) != 0 )
if( ( ret = pk_load_file( path, &buf, &n ) ) != 0 )
return( ret );
ret = x509_csr_parse( csr, buf, n );