diff --git a/ChangeLog b/ChangeLog index 82c9a88c2..b0354d5c4 100644 --- a/ChangeLog +++ b/ChangeLog @@ -6,6 +6,8 @@ Features * Support for DTLS 1.0 and 1.2 (RFC 6347). API Changes + * Test certificates in cert.s are no longer guaranteed to be nul-terminated + strings; use the new *_len variables instead of strlen(). * md_init_ctx() is deprecated in favour of md_setup(), that adds a third argument (allowing memory savings if HMAC is not used) * Removed individual mdX_hmac and shaX_hmac functions (use generic diff --git a/include/mbedtls/certs.h b/include/mbedtls/certs.h index 7b00a8bbc..e2e9f7715 100644 --- a/include/mbedtls/certs.h +++ b/include/mbedtls/certs.h 
@@ -24,47 +24,72 @@ #ifndef POLARSSL_CERTS_H #define POLARSSL_CERTS_H +#include + #ifdef __cplusplus extern "C" { #endif /* Concatenation of all available CA certificates */ -extern const char test_ca_list[]; +extern const char test_ca_list[]; +extern const size_t test_ca_list_len; /* * Convenience for users who just want a certificate: * RSA by default, or ECDSA if RSA is not available */ -extern const char *test_ca_crt; -extern const char *test_ca_key; -extern const char *test_ca_pwd; -extern const char *test_srv_crt; -extern const char *test_srv_key; -extern const char *test_cli_crt; -extern const char *test_cli_key; +extern const char * test_ca_crt; +extern const size_t test_ca_crt_len; +extern const char * test_ca_key; +extern const size_t test_ca_key_len; +extern const char * test_ca_pwd; +extern const size_t test_ca_pwd_len; +extern const char * test_srv_crt; +extern const size_t test_srv_crt_len; +extern const char * test_srv_key; +extern const size_t test_srv_key_len; +extern const char * test_cli_crt; +extern const size_t test_cli_crt_len; +extern const char * test_cli_key; +extern const size_t test_cli_key_len; #if defined(POLARSSL_ECDSA_C) -extern const char test_ca_crt_ec[]; -extern const char test_ca_key_ec[]; -extern const char test_ca_pwd_ec[]; -extern const char test_srv_crt_ec[]; -extern const char test_srv_key_ec[]; -extern const char test_cli_crt_ec[]; -extern const char test_cli_key_ec[]; +extern const char test_ca_crt_ec[]; +extern const size_t test_ca_crt_ec_len; +extern const char test_ca_key_ec[]; +extern const size_t test_ca_key_ec_len; +extern const char test_ca_pwd_ec[]; +extern const size_t test_ca_pwd_ec_len; +extern const char test_srv_crt_ec[]; +extern const size_t test_srv_crt_ec_len; +extern const char test_srv_key_ec[]; +extern const size_t test_srv_key_ec_len; +extern const char test_cli_crt_ec[]; +extern const size_t test_cli_crt_ec_len; +extern const char test_cli_key_ec[]; +extern const size_t test_cli_key_ec_len; #endif #if 
defined(POLARSSL_RSA_C) -extern const char test_ca_crt_rsa[]; -extern const char test_ca_key_rsa[]; -extern const char test_ca_pwd_rsa[]; -extern const char test_srv_crt_rsa[]; -extern const char test_srv_key_rsa[]; -extern const char test_cli_crt_rsa[]; -extern const char test_cli_key_rsa[]; +extern const char test_ca_crt_rsa[]; +extern const size_t test_ca_crt_rsa_len; +extern const char test_ca_key_rsa[]; +extern const size_t test_ca_key_rsa_len; +extern const char test_ca_pwd_rsa[]; +extern const size_t test_ca_pwd_rsa_len; +extern const char test_srv_crt_rsa[]; +extern const size_t test_srv_crt_rsa_len; +extern const char test_srv_key_rsa[]; +extern const size_t test_srv_key_rsa_len; +extern const char test_cli_crt_rsa[]; +extern const size_t test_cli_crt_rsa_len; +extern const char test_cli_key_rsa[]; +extern const size_t test_cli_key_rsa_len; #endif #if defined(POLARSSL_DHM_C) -extern const char test_dhm_params[]; +extern const char test_dhm_params[]; +extern const size_t test_dhm_params_len; #endif #ifdef __cplusplus diff --git a/library/certs.c b/library/certs.c index bf12f77ca..f0435e13e 100644 --- a/library/certs.c +++ b/library/certs.c @@ -26,6 +26,8 @@ #include POLARSSL_CONFIG_FILE #endif +#include "mbedtls/certs.h" + #if defined(POLARSSL_CERTS_C) #if defined(POLARSSL_ECDSA_C) 
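Review bot: The new `*_len` declarations do not say what they count, and the definitions in library/certs.c are not uniform. The certificate, key, DH-parameter and CA-list lengths are `sizeof( array )`, which includes the terminating NUL, while the `*_pwd*_len` values are `sizeof( ... ) - 1`. A caller that sizes a buffer from these or compares them with `strlen()` needs that stated, so I would add above the declarations `/* *_len counts the terminating NUL for PEM data (certificates, keys, DH parameters, CA list); *_pwd*_len is the password length without it */`. The same comment belongs next to the definitions added in the -105 and -270 hunks of library/certs.c. Since this header also exports private keys whose text sits in the source tree, a short `/* Test credentials only: the private keys are public, never deploy them */` would fit here too.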
@@ -105,6 +107,14 @@ const char test_cli_key_ec[] = "AwEHoUQDQgAEV+WusXPf06y7k7iB/xKu7uZTrM5VU/Y0Dswu42MlC9+Y4vNcYDaW\r\n" "wNUYFHDlf5/VS0UY5bBs1Vz4lo+HcKPkxw==\r\n" "-----END EC PRIVATE KEY-----\r\n"; + +const size_t test_ca_crt_ec_len = sizeof( test_ca_crt_ec ); +const size_t test_ca_key_ec_len = sizeof( test_ca_key_ec ); +const size_t test_ca_pwd_ec_len = sizeof( test_ca_pwd_ec ) - 1; +const size_t test_srv_crt_ec_len = sizeof( test_srv_crt_ec ); +const size_t test_srv_key_ec_len = sizeof( test_srv_key_ec ); +const size_t test_cli_crt_ec_len = sizeof( test_cli_crt_ec ); +const size_t test_cli_key_ec_len = sizeof( test_cli_key_ec ); #else #define TEST_CA_CRT_EC #endif /* POLARSSL_ECDSA_C */ @@ -219,7 +229,6 @@ const char test_srv_key_rsa[] = "TB6l9VGoxJL4fyHnZb8L5gGvnB1bbD8cL6YPaDiOhcRseC9vBiEuVg==\r\n" "-----END RSA PRIVATE KEY-----\r\n"; - const char test_cli_crt_rsa[] = "-----BEGIN CERTIFICATE-----\r\n" "MIIDPzCCAiegAwIBAgIBBDANBgkqhkiG9w0BAQUFADA7MQswCQYDVQQGEwJOTDER\r\n" @@ -270,6 +279,14 @@ const char test_cli_key_rsa[] = "bHFVW2r0dBTqegP2/KTOxKzaHfC1qf0RGDsUoJCNJrd1cwoCLG8P2EF4w3OBrKqv\r\n" "8u4ytY0F+Vlanj5lm3TaoHSVF1+NWPyOTiwevIECGKwSxvlki4fDAA==\r\n" "-----END RSA PRIVATE KEY-----\r\n"; + +const size_t test_ca_crt_rsa_len = sizeof( test_ca_crt_rsa ); +const size_t test_ca_key_rsa_len = sizeof( test_ca_key_rsa ); +const size_t test_ca_pwd_rsa_len = sizeof( test_ca_pwd_rsa ) - 1; +const size_t test_srv_crt_rsa_len = sizeof( test_srv_crt_rsa ); +const size_t test_srv_key_rsa_len = sizeof( test_srv_key_rsa ); +const size_t test_cli_crt_rsa_len = sizeof( test_cli_crt_rsa ); +const size_t test_cli_key_rsa_len = sizeof( test_cli_key_rsa ); #else #define TEST_CA_CRT_RSA #endif /* POLARSSL_RSA_C */ 
@@ -281,27 +298,43 @@ const char test_dhm_params[] = "1sa18fyfR9OiVEMYglOpkqVoGLN7qd5aQNNi5W7/C+VBdHTBJcGZJyyP5B3qcz32\r\n" "9mLJKudlVudV0Qxk5qUJaPZ/xupz0NyoVpviuiBOI1gNi8ovSXWzAgEC\r\n" "-----END DH PARAMETERS-----\r\n"; +const size_t test_dhm_params_len = sizeof( test_dhm_params ); #endif /* Concatenation of all available CA certificates */ const char test_ca_list[] = TEST_CA_CRT_RSA TEST_CA_CRT_EC; +const size_t test_ca_list_len = sizeof( test_ca_list ); #if defined(POLARSSL_RSA_C) -const char *test_ca_crt = test_ca_crt_rsa; -const char *test_ca_key = test_ca_key_rsa; -const char *test_ca_pwd = test_ca_pwd_rsa; +const char *test_ca_crt = test_ca_crt_rsa; +const char *test_ca_key = test_ca_key_rsa; +const char *test_ca_pwd = test_ca_pwd_rsa; const char *test_srv_crt = test_srv_crt_rsa; const char *test_srv_key = test_srv_key_rsa; const char *test_cli_crt = test_cli_crt_rsa; const char *test_cli_key = test_cli_key_rsa; +const size_t test_ca_crt_len = test_ca_crt_rsa_len; +const size_t test_ca_key_len = test_ca_key_rsa_len; +const size_t test_ca_pwd_len = test_ca_pwd_rsa_len; +const size_t test_srv_crt_len = test_srv_crt_rsa_len; +const size_t test_srv_key_len = test_srv_key_rsa_len; +const size_t test_cli_crt_len = test_cli_crt_rsa_len; +const size_t test_cli_key_len = test_cli_key_rsa_len; #else /* ! 
POLARSSL_RSA_C, so POLARSSL_ECDSA_C */ -const char *test_ca_crt = test_ca_crt_ec; -const char *test_ca_key = test_ca_key_ec; -const char *test_ca_pwd = test_ca_pwd_ec; +const char *test_ca_crt = test_ca_crt_ec; +const char *test_ca_key = test_ca_key_ec; +const char *test_ca_pwd = test_ca_pwd_ec; const char *test_srv_crt = test_srv_crt_ec; const char *test_srv_key = test_srv_key_ec; const char *test_cli_crt = test_cli_crt_ec; const char *test_cli_key = test_cli_key_ec; +const size_t test_ca_crt_len = test_ca_crt_ec_len; +const size_t test_ca_key_len = test_ca_key_ec_len; +const size_t test_ca_pwd_len = test_ca_pwd_ec_len; +const size_t test_srv_crt_len = test_srv_crt_ec_len; +const size_t test_srv_key_len = test_srv_key_ec_len; +const size_t test_cli_crt_len = test_cli_crt_ec_len; +const size_t test_cli_key_len = test_cli_key_ec_len; #endif /* POLARSSL_RSA_C */ #endif /* POLARSSL_CERTS_C */ diff --git a/programs/ssl/dtls_client.c b/programs/ssl/dtls_client.c index 4a1961858..44d2175dc 100644 --- a/programs/ssl/dtls_client.c +++ b/programs/ssl/dtls_client.c @@ -130,7 +130,7 @@ int main( int argc, char *argv[] ) #if defined(POLARSSL_CERTS_C) ret = x509_crt_parse( &cacert, (const unsigned char *) test_ca_list, - strlen( test_ca_list ) ); + test_ca_list_len ); #else ret = 1; polarssl_printf("POLARSSL_CERTS_C not defined."); diff --git a/programs/ssl/dtls_server.c b/programs/ssl/dtls_server.c index 46c2a334f..31216c603 100644 --- a/programs/ssl/dtls_server.c +++ b/programs/ssl/dtls_server.c @@ -128,7 +128,7 @@ int main( void ) * server and CA certificates, as well as pk_parse_keyfile(). */ ret = x509_crt_parse( &srvcert, (const unsigned char *) test_srv_crt, - strlen( test_srv_crt ) ); + test_srv_crt_len ); if( ret != 0 ) { printf( " failed\n ! x509_crt_parse returned %d\n\n", ret ); 
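Review bot: The generic aliases such as `const size_t test_ca_crt_len = test_ca_crt_rsa_len;` initialize a file-scope object from another `const` object, which is not a constant expression in C (C11 6.7.9p4 requires constant expressions for static-storage initializers). Some compilers accept this as an extension and others reject it, so the file may not build everywhere. Taking `sizeof` of the underlying array directly keeps every initializer a constant expression and yields the same values, with `- 1` kept for the password. This affects all seven aliases in both the RSA and the ECDSA branch of the `#if`.

```c
#if defined(POLARSSL_RSA_C)
/* … unchanged: test_ca_crt … test_cli_key pointer aliases (RSA) … */
const size_t test_ca_crt_len  = sizeof( test_ca_crt_rsa );
const size_t test_ca_key_len  = sizeof( test_ca_key_rsa );
const size_t test_ca_pwd_len  = sizeof( test_ca_pwd_rsa ) - 1;
const size_t test_srv_crt_len = sizeof( test_srv_crt_rsa );
const size_t test_srv_key_len = sizeof( test_srv_key_rsa );
const size_t test_cli_crt_len = sizeof( test_cli_crt_rsa );
const size_t test_cli_key_len = sizeof( test_cli_key_rsa );
#else /* ! POLARSSL_RSA_C, so POLARSSL_ECDSA_C */
/* … unchanged: test_ca_crt … test_cli_key pointer aliases (EC) … */
const size_t test_ca_crt_len  = sizeof( test_ca_crt_ec );
const size_t test_ca_key_len  = sizeof( test_ca_key_ec );
const size_t test_ca_pwd_len  = sizeof( test_ca_pwd_ec ) - 1;
const size_t test_srv_crt_len = sizeof( test_srv_crt_ec );
const size_t test_srv_key_len = sizeof( test_srv_key_ec );
const size_t test_cli_crt_len = sizeof( test_cli_crt_ec );
const size_t test_cli_key_len = sizeof( test_cli_key_ec );
```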
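Review bot: This call now passes `x509_crt_parse()` one byte more than the `strlen( test_ca_list )` it replaces, because `test_ca_list_len` is defined in library/certs.c as `sizeof( test_ca_list )` and so counts the terminating NUL. Whether the parser expects the terminator to be counted is not visible in this diff, so it should be confirmed and recorded at the call site, for example `/* test_ca_list_len counts the terminating NUL */`. The same applies to every `x509_crt_parse()` and `pk_parse_key()` call changed in dtls_server.c, ssl_client1.c, ssl_client2.c, ssl_fork_server.c, ssl_mail_client.c, ssl_pthread_server.c, ssl_server.c and ssl_server2.c. The body of main() extends beyond this hunk.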
@@ -136,7 +136,7 @@ int main( void ) } ret = x509_crt_parse( &srvcert, (const unsigned char *) test_ca_list, - strlen( test_ca_list ) ); + test_ca_list_len ); if( ret != 0 ) { printf( " failed\n ! x509_crt_parse returned %d\n\n", ret ); @@ -144,7 +144,7 @@ int main( void ) } ret = pk_parse_key( &pkey, (const unsigned char *) test_srv_key, - strlen( test_srv_key ), NULL, 0 ); + test_srv_key_len, NULL, 0 ); if( ret != 0 ) { printf( " failed\n ! pk_parse_key returned %d\n\n", ret ); diff --git a/programs/ssl/ssl_client1.c b/programs/ssl/ssl_client1.c index c7eb3bdc9..184f2bd98 100644 --- a/programs/ssl/ssl_client1.c +++ b/programs/ssl/ssl_client1.c @@ -121,7 +121,7 @@ int main( void ) #if defined(POLARSSL_CERTS_C) ret = x509_crt_parse( &cacert, (const unsigned char *) test_ca_list, - strlen( test_ca_list ) ); + test_ca_list_len ); #else ret = 1; polarssl_printf("POLARSSL_CERTS_C not defined."); diff --git a/programs/ssl/ssl_client2.c b/programs/ssl/ssl_client2.c index f0e6781d4..5088cc647 100644 --- a/programs/ssl/ssl_client2.c +++ b/programs/ssl/ssl_client2.c @@ -947,7 +947,7 @@ int main( int argc, char *argv[] ) #endif #if defined(POLARSSL_CERTS_C) ret = x509_crt_parse( &cacert, (const unsigned char *) test_ca_list, - strlen( test_ca_list ) ); + test_ca_list_len ); #else { ret = 1; @@ -980,7 +980,7 @@ int main( int argc, char *argv[] ) #endif #if defined(POLARSSL_CERTS_C) ret = x509_crt_parse( &clicert, (const unsigned char *) test_cli_crt, - strlen( test_cli_crt ) ); + test_cli_crt_len ); #else { ret = 1; @@ -1003,7 +1003,7 @@ int main( int argc, char *argv[] ) #endif #if defined(POLARSSL_CERTS_C) ret = pk_parse_key( &pkey, (const unsigned char *) test_cli_key, - strlen( test_cli_key ), NULL, 0 ); + test_cli_key_len, NULL, 0 ); #else { ret = 1; diff --git a/programs/ssl/ssl_fork_server.c b/programs/ssl/ssl_fork_server.c index 217851f53..87379e56e 100644 --- a/programs/ssl/ssl_fork_server.c +++ b/programs/ssl/ssl_fork_server.c 
@@ -154,7 +154,7 @@ int main( void ) * server and CA certificates, as well as pk_parse_keyfile(). */ ret = x509_crt_parse( &srvcert, (const unsigned char *) test_srv_crt, - strlen( test_srv_crt ) ); + test_srv_crt_len ); if( ret != 0 ) { polarssl_printf( " failed\n ! x509_crt_parse returned %d\n\n", ret ); @@ -162,7 +162,7 @@ int main( void ) } ret = x509_crt_parse( &srvcert, (const unsigned char *) test_ca_list, - strlen( test_ca_list ) ); + test_ca_list_len ); if( ret != 0 ) { polarssl_printf( " failed\n ! x509_crt_parse returned %d\n\n", ret ); @@ -170,7 +170,7 @@ int main( void ) } ret = pk_parse_key( &pkey, (const unsigned char *) test_srv_key, - strlen( test_srv_key ), NULL, 0 ); + test_srv_key_len, NULL, 0 ); if( ret != 0 ) { polarssl_printf( " failed\n ! pk_parse_key returned %d\n\n", ret ); diff --git a/programs/ssl/ssl_mail_client.c b/programs/ssl/ssl_mail_client.c index a68af7536..eaaaa2c32 100644 --- a/programs/ssl/ssl_mail_client.c +++ b/programs/ssl/ssl_mail_client.c @@ -508,7 +508,7 @@ int main( int argc, char *argv[] ) #endif #if defined(POLARSSL_CERTS_C) ret = x509_crt_parse( &cacert, (const unsigned char *) test_ca_list, - strlen( test_ca_list ) ); + test_ca_list_len ); #else { ret = 1; @@ -538,7 +538,7 @@ int main( int argc, char *argv[] ) #endif #if defined(POLARSSL_CERTS_C) ret = x509_crt_parse( &clicert, (const unsigned char *) test_cli_crt, - strlen( test_cli_crt ) ); + test_cli_crt_len ); #else { ret = -1; @@ -558,7 +558,7 @@ int main( int argc, char *argv[] ) #endif #if defined(POLARSSL_CERTS_C) ret = pk_parse_key( &pkey, (const unsigned char *) test_cli_key, - strlen( test_cli_key ), NULL, 0 ); + test_cli_key_len, NULL, 0 ); #else { ret = -1; diff --git a/programs/ssl/ssl_pthread_server.c b/programs/ssl/ssl_pthread_server.c index 56b30564a..6a0ce3508 100644 --- a/programs/ssl/ssl_pthread_server.c +++ b/programs/ssl/ssl_pthread_server.c 
@@ -417,7 +417,7 @@ int main( void ) * server and CA certificates, as well as pk_parse_keyfile(). */ ret = x509_crt_parse( &srvcert, (const unsigned char *) test_srv_crt, - strlen( test_srv_crt ) ); + test_srv_crt_len ); if( ret != 0 ) { polarssl_printf( " failed\n ! x509_crt_parse returned %d\n\n", ret ); @@ -425,7 +425,7 @@ int main( void ) } ret = x509_crt_parse( &srvcert, (const unsigned char *) test_ca_list, - strlen( test_ca_list ) ); + test_ca_list_len ); if( ret != 0 ) { polarssl_printf( " failed\n ! x509_crt_parse returned %d\n\n", ret ); @@ -434,7 +434,7 @@ int main( void ) pk_init( &pkey ); ret = pk_parse_key( &pkey, (const unsigned char *) test_srv_key, - strlen( test_srv_key ), NULL, 0 ); + test_srv_key_len, NULL, 0 ); if( ret != 0 ) { polarssl_printf( " failed\n ! pk_parse_key returned %d\n\n", ret ); diff --git a/programs/ssl/ssl_server.c b/programs/ssl/ssl_server.c index 6932221fd..64f6c4e72 100644 --- a/programs/ssl/ssl_server.c +++ b/programs/ssl/ssl_server.c @@ -132,7 +132,7 @@ int main( void ) * server and CA certificates, as well as pk_parse_keyfile(). */ ret = x509_crt_parse( &srvcert, (const unsigned char *) test_srv_crt, - strlen( test_srv_crt ) ); + test_srv_crt_len ); if( ret != 0 ) { polarssl_printf( " failed\n ! x509_crt_parse returned %d\n\n", ret ); @@ -140,7 +140,7 @@ int main( void ) } ret = x509_crt_parse( &srvcert, (const unsigned char *) test_ca_list, - strlen( test_ca_list ) ); + test_ca_list_len ); if( ret != 0 ) { polarssl_printf( " failed\n ! x509_crt_parse returned %d\n\n", ret ); @@ -148,7 +148,7 @@ int main( void ) } ret = pk_parse_key( &pkey, (const unsigned char *) test_srv_key, - strlen( test_srv_key ), NULL, 0 ); + test_srv_key_len, NULL, 0 ); if( ret != 0 ) { polarssl_printf( " failed\n ! pk_parse_key returned %d\n\n", ret ); diff --git a/programs/ssl/ssl_server2.c b/programs/ssl/ssl_server2.c index d513ca73c..0afe42b79 100644 --- a/programs/ssl/ssl_server2.c +++ b/programs/ssl/ssl_server2.c 
@@ -1328,7 +1328,7 @@ int main( int argc, char *argv[] ) #endif #if defined(POLARSSL_CERTS_C) ret = x509_crt_parse( &cacert, (const unsigned char *) test_ca_list, - strlen( test_ca_list ) ); + test_ca_list_len ); #else { ret = 1; @@ -1416,14 +1416,14 @@ int main( int argc, char *argv[] ) #if defined(POLARSSL_RSA_C) if( ( ret = x509_crt_parse( &srvcert, (const unsigned char *) test_srv_crt_rsa, - strlen( test_srv_crt_rsa ) ) ) != 0 ) + test_srv_crt_rsa_len ) ) != 0 ) { polarssl_printf( " failed\n ! x509_crt_parse returned -0x%x\n\n", -ret ); goto exit; } if( ( ret = pk_parse_key( &pkey, (const unsigned char *) test_srv_key_rsa, - strlen( test_srv_key_rsa ), NULL, 0 ) ) != 0 ) + test_srv_key_rsa_len, NULL, 0 ) ) != 0 ) { polarssl_printf( " failed\n ! pk_parse_key returned -0x%x\n\n", -ret ); goto exit; @@ -1433,14 +1433,14 @@ int main( int argc, char *argv[] ) #if defined(POLARSSL_ECDSA_C) if( ( ret = x509_crt_parse( &srvcert2, (const unsigned char *) test_srv_crt_ec, - strlen( test_srv_crt_ec ) ) ) != 0 ) + test_srv_crt_ec_len ) ) != 0 ) { polarssl_printf( " failed\n ! x509_crt_parse2 returned -0x%x\n\n", -ret ); goto exit; } if( ( ret = pk_parse_key( &pkey2, (const unsigned char *) test_srv_key_ec, - strlen( test_srv_key_ec ), NULL, 0 ) ) != 0 ) + test_srv_key_ec_len, NULL, 0 ) ) != 0 ) { polarssl_printf( " failed\n ! pk_parse_key2 returned -0x%x\n\n", -ret ); goto exit;