Merged trunk changes for 1.2

This commit is contained in:
Paul Bakker 2012-11-20 10:55:17 +01:00
commit d10ff14355
13 changed files with 162 additions and 14 deletions

5
.gitignore vendored Normal file
View File

@ -0,0 +1,5 @@
CMakeCache.txt
CMakeFiles
CTestTestfile.cmake
cmake_install.cmake
Testing

View File

@ -10,6 +10,8 @@ Bugfixes
* Moved mpi_inv_mod() outside POLARSSL_GENPRIME * Moved mpi_inv_mod() outside POLARSSL_GENPRIME
* Allow R and A to point to same mpi in mpi_div_mpi (found by Manuel * Allow R and A to point to same mpi in mpi_div_mpi (found by Manuel
Pégourié-Gonnard) Pégourié-Gonnard)
* Fixed possible segfault in mpi_shift_r() (found by Manuel
Pégourié-Gonnard)
* Added max length check for rsa_pkcs1_sign with PKCS#1 v2.1 * Added max length check for rsa_pkcs1_sign with PKCS#1 v2.1
= Version 1.2.0 released 2012-10-31 = Version 1.2.0 released 2012-10-31

1
include/.gitignore vendored Normal file
View File

@ -0,0 +1 @@
Makefile

View File

@ -720,20 +720,22 @@ void ssl_set_ciphersuites( ssl_context *ssl, const int *ciphersuites );
* \brief Set the data required to verify peer certificate * \brief Set the data required to verify peer certificate
* *
* \param ssl SSL context * \param ssl SSL context
* \param ca_chain trusted CA chain * \param ca_chain trusted CA chain (meaning all fully trusted top-level CAs)
* \param ca_crl trusted CA CRLs * \param ca_crl trusted CA CRLs
* \param peer_cn expected peer CommonName (or NULL) * \param peer_cn expected peer CommonName (or NULL)
*
* \note TODO: add two more parameters: depth and crl
*/ */
void ssl_set_ca_chain( ssl_context *ssl, x509_cert *ca_chain, void ssl_set_ca_chain( ssl_context *ssl, x509_cert *ca_chain,
x509_crl *ca_crl, const char *peer_cn ); x509_crl *ca_crl, const char *peer_cn );
/** /**
* \brief Set own certificate and private key * \brief Set own certificate chain and private key
*
* Note: own_cert should contain IN order from the bottom
* up your certificate chain. The top certificate (self-signed)
* can be omitted.
* *
* \param ssl SSL context * \param ssl SSL context
* \param own_cert own public certificate * \param own_cert own public certificate chain
* \param rsa_key own private RSA key * \param rsa_key own private RSA key
*/ */
void ssl_set_own_cert( ssl_context *ssl, x509_cert *own_cert, void ssl_set_own_cert( ssl_context *ssl, x509_cert *own_cert,
@ -747,8 +749,12 @@ void ssl_set_own_cert( ssl_context *ssl, x509_cert *own_cert,
* of the callback parameters, with the only change being * of the callback parameters, with the only change being
* that the rsa_context * is a void * in the callbacks) * that the rsa_context * is a void * in the callbacks)
* *
* Note: own_cert should contain IN order from the bottom
* up your certificate chain. The top certificate (self-signed)
* can be omitted.
*
* \param ssl SSL context * \param ssl SSL context
* \param own_cert own public certificate * \param own_cert own public certificate chain
* \param rsa_key alternate implementation private RSA key * \param rsa_key alternate implementation private RSA key
* \param rsa_decrypt_func alternate implementation of \c rsa_pkcs1_decrypt() * \param rsa_decrypt_func alternate implementation of \c rsa_pkcs1_decrypt()
* \param rsa_sign_func alternate implementation of \c rsa_pkcs1_sign() * \param rsa_sign_func alternate implementation of \c rsa_pkcs1_sign()

2
library/.gitignore vendored Normal file
View File

@ -0,0 +1,2 @@
*.o
libpolarssl*

View File

@ -611,6 +611,9 @@ int mpi_shift_r( mpi *X, size_t count )
v0 = count / biL; v0 = count / biL;
v1 = count & (biL - 1); v1 = count & (biL - 1);
if( v0 > X->n || ( v0 == X->n && v1 > 0 ) )
return mpi_lset( X, 0 );
/* /*
* shift by count / limb_size * shift by count / limb_size
*/ */

39
programs/.gitignore vendored Normal file
View File

@ -0,0 +1,39 @@
*/Makefile
aes/aescrypt2
aes/crypt_and_hash
hash/generic_sum
hash/hello
hash/md5sum
hash/sha1sum
hash/sha2sum
pkey/dh_client
pkey/dh_genprime
pkey/dh_server
pkey/key_app
pkey/key_app_writer
pkey/mpi_demo
pkey/rsa_decrypt
pkey/rsa_encrypt
pkey/rsa_genkey
pkey/rsa_sign
pkey/rsa_sign_pss
pkey/rsa_verify
pkey/rsa_verify_pss
random/gen_entropy
random/gen_random_ctr_drbg
random/gen_random_havege
ssl/ssl_client1
ssl/ssl_client2
ssl/ssl_fork_server
ssl/ssl_mail_client
ssl/ssl_server
ssl/ssl_server2
test/benchmark
test/o_p_test
test/selftest
test/ssl_cert_test
test/ssl_test
util/strerror
x509/cert_app
x509/cert_req
x509/crl_app

View File

@ -37,6 +37,7 @@
#include "polarssl/entropy.h" #include "polarssl/entropy.h"
#include "polarssl/ctr_drbg.h" #include "polarssl/ctr_drbg.h"
#include "polarssl/error.h" #include "polarssl/error.h"
#include "polarssl/certs.h"
#define SERVER_PORT 4433 #define SERVER_PORT 4433
#define SERVER_NAME "localhost" #define SERVER_NAME "localhost"
@ -78,6 +79,7 @@ int main( int argc, char *argv[] )
entropy_context entropy; entropy_context entropy;
ctr_drbg_context ctr_drbg; ctr_drbg_context ctr_drbg;
ssl_context ssl; ssl_context ssl;
x509_cert cacert;
((void) argc); ((void) argc);
((void) argv); ((void) argv);
@ -86,6 +88,7 @@ int main( int argc, char *argv[] )
* 0. Initialize the RNG and the session data * 0. Initialize the RNG and the session data
*/ */
memset( &ssl, 0, sizeof( ssl_context ) ); memset( &ssl, 0, sizeof( ssl_context ) );
memset( &cacert, 0, sizeof( x509_cert ) );
printf( "\n . Seeding the random number generator..." ); printf( "\n . Seeding the random number generator..." );
fflush( stdout ); fflush( stdout );
@ -100,6 +103,28 @@ int main( int argc, char *argv[] )
printf( " ok\n" ); printf( " ok\n" );
/*
* 0. Initialize certificates
*/
printf( " . Loading the CA root certificate ..." );
fflush( stdout );
#if defined(POLARSSL_CERTS_C)
ret = x509parse_crt( &cacert, (unsigned char *) test_ca_crt,
strlen( test_ca_crt ) );
#else
ret = 1;
printf("POLARSSL_CERTS_C not defined.");
#endif
if( ret < 0 )
{
printf( " failed\n ! x509parse_crt returned -0x%x\n\n", -ret );
goto exit;
}
printf( " ok (%d skipped)\n", ret );
/* /*
* 1. Start the connection * 1. Start the connection
*/ */
@ -131,13 +156,57 @@ int main( int argc, char *argv[] )
printf( " ok\n" ); printf( " ok\n" );
ssl_set_endpoint( &ssl, SSL_IS_CLIENT ); ssl_set_endpoint( &ssl, SSL_IS_CLIENT );
ssl_set_authmode( &ssl, SSL_VERIFY_NONE ); ssl_set_authmode( &ssl, SSL_VERIFY_OPTIONAL );
ssl_set_ca_chain( &ssl, &cacert, NULL, "PolarSSL Server 1" );
ssl_set_rng( &ssl, ctr_drbg_random, &ctr_drbg ); ssl_set_rng( &ssl, ctr_drbg_random, &ctr_drbg );
ssl_set_dbg( &ssl, my_debug, stdout ); ssl_set_dbg( &ssl, my_debug, stdout );
ssl_set_bio( &ssl, net_recv, &server_fd, ssl_set_bio( &ssl, net_recv, &server_fd,
net_send, &server_fd ); net_send, &server_fd );
/*
* 4. Handshake
*/
printf( " . Performing the SSL/TLS handshake..." );
fflush( stdout );
while( ( ret = ssl_handshake( &ssl ) ) != 0 )
{
if( ret != POLARSSL_ERR_NET_WANT_READ && ret != POLARSSL_ERR_NET_WANT_WRITE )
{
printf( " failed\n ! ssl_handshake returned -0x%x\n\n", -ret );
goto exit;
}
}
printf( " ok\n" );
/*
* 5. Verify the server certificate
*/
printf( " . Verifying peer X.509 certificate..." );
if( ( ret = ssl_get_verify_result( &ssl ) ) != 0 )
{
printf( " failed\n" );
if( ( ret & BADCERT_EXPIRED ) != 0 )
printf( " ! server certificate has expired\n" );
if( ( ret & BADCERT_REVOKED ) != 0 )
printf( " ! server certificate has been revoked\n" );
if( ( ret & BADCERT_CN_MISMATCH ) != 0 )
printf( " ! CN mismatch (expected CN=%s)\n", "PolarSSL Server 1" );
if( ( ret & BADCERT_NOT_TRUSTED ) != 0 )
printf( " ! self-signed or not signed by a trusted CA\n" );
printf( "\n" );
}
else
printf( " ok\n" );
/* /*
* 3. Write the GET request * 3. Write the GET request
*/ */
@ -206,6 +275,7 @@ exit:
} }
#endif #endif
x509_free( &cacert );
net_close( server_fd ); net_close( server_fd );
ssl_free( &ssl ); ssl_free( &ssl );

View File

@ -127,9 +127,12 @@ int my_verify( void *data, x509_cert *crt, int depth, int *flags )
#if defined(POLARSSL_FS_IO) #if defined(POLARSSL_FS_IO)
#define USAGE_IO \ #define USAGE_IO \
" ca_file=%%s default: \"\" (pre-loaded)\n" \ " ca_file=%%s The single file containing the top-level CA(s) you fully trust\n" \
" ca_path=%%s default: \"\" (pre-loaded) (overrides ca_file)\n" \ " default: \"\" (pre-loaded)\n" \
" crt_file=%%s default: \"\" (pre-loaded)\n" \ " ca_path=%%s The path containing the top-level CA(s) you fully trust\n" \
" default: \"\" (pre-loaded) (overrides ca_file)\n" \
" crt_file=%%s Your own cert and chain (in bottom to top order, top may be omitted)\n" \
" default: \"\" (pre-loaded)\n" \
" key_file=%%s default: \"\" (pre-loaded)\n" " key_file=%%s default: \"\" (pre-loaded)\n"
#else #else
#define USAGE_IO \ #define USAGE_IO \

View File

@ -184,9 +184,12 @@ int my_ciphersuites[] =
#if defined(POLARSSL_FS_IO) #if defined(POLARSSL_FS_IO)
#define USAGE_IO \ #define USAGE_IO \
" ca_file=%%s default: \"\" (pre-loaded)\n" \ " ca_file=%%s The single file containing the top-level CA(s) you fully trust\n" \
" ca_path=%%s default: \"\" (pre-loaded) (overrides ca_file)\n" \ " default: \"\" (pre-loaded)\n" \
" crt_file=%%s default: \"\" (pre-loaded)\n" \ " ca_path=%%s The path containing the top-level CA(s) you fully trust\n" \
" default: \"\" (pre-loaded) (overrides ca_file)\n" \
" crt_file=%%s Your own cert and chain (in bottom to top order, top may be omitted)\n" \
" default: \"\" (pre-loaded)\n" \
" key_file=%%s default: \"\" (pre-loaded)\n" " key_file=%%s default: \"\" (pre-loaded)\n"
#else #else
#define USAGE_IO \ #define USAGE_IO \

2
tests/.gitignore vendored Normal file
View File

@ -0,0 +1,2 @@
test_suite*
data_files/mpi_write

View File

@ -309,6 +309,18 @@ mpi_shift_r:10:"128":1:10:"64"
Test mpi_shift_r #2 Test mpi_shift_r #2
mpi_shift_r:10:"120815570979701484704906977000760567182871429114712069861589084706550626575967516787438008593490722779337547394120718248995900363209947025063336882559539208430319216688889117222633155838468458047056355241515415159736436403445579777425189969":45:10:"3433785053053426415343295076376096153094051405637175942660777670498379921354157795219578264137985649407981651226029903483433269093721578004287291678324982297860947730012217028349628999378309630601971640587504883789518896817457" mpi_shift_r:10:"120815570979701484704906977000760567182871429114712069861589084706550626575967516787438008593490722779337547394120718248995900363209947025063336882559539208430319216688889117222633155838468458047056355241515415159736436403445579777425189969":45:10:"3433785053053426415343295076376096153094051405637175942660777670498379921354157795219578264137985649407981651226029903483433269093721578004287291678324982297860947730012217028349628999378309630601971640587504883789518896817457"
Test mpi_shift_r #4
mpi_shift_r:16:"FFFFFFFFFFFFFFFF":63:16:"01"
Test mpi_shift_r #4
mpi_shift_r:16:"FFFFFFFFFFFFFFFF":64:16:"00"
Test mpi_shift_r #6
mpi_shift_r:16:"FFFFFFFFFFFFFFFF":65:16:"00"
Test mpi_shift_r #7
mpi_shift_r:16:"FFFFFFFFFFFFFFFF":128:16:"00"
Base test mpi_mul_mpi #1 Base test mpi_mul_mpi #1
mpi_mul_mpi:10:"5":10:"7":10:"35" mpi_mul_mpi:10:"5":10:"7":10:"35"

View File

@ -162,7 +162,7 @@ mpi_set_bit:radix_X:input_X:pos:val:radix_Y:output_Y
TEST_ASSERT( mpi_set_bit( &X, {pos}, {val} ) == 0 ); TEST_ASSERT( mpi_set_bit( &X, {pos}, {val} ) == 0 );
TEST_ASSERT( mpi_cmp_mpi( &X, &Y ) == 0 ); TEST_ASSERT( mpi_cmp_mpi( &X, &Y ) == 0 );
mpi_free( &X ); mpi_free( &X ); mpi_free( &Y );
} }
END_CASE END_CASE