Merge branch 'development' into dtls
* development:
Fix error code description.
generate_errors.pl now errors on duplicate codes
Avoid nested if's without braces.
Move renego SCSV after actual ciphersuites
Fix send_close_notify usage.
Rename variable for clarity
Improve script portability
Conflicts:
library/ssl_srv.c
programs/ssl/ssl_client2.c
programs/ssl/ssl_server2.c
tests/ssl-opt.sh
diff --git a/include/polarssl/ssl.h b/include/polarssl/ssl.h
index 15cd288..7aa4ba7 100644
--- a/include/polarssl/ssl.h
+++ b/include/polarssl/ssl.h
@@ -124,7 +124,7 @@
#define POLARSSL_ERR_SSL_NO_CIPHER_CHOSEN -0x7380 /**< The server has no ciphersuites in common with the client. */
#define POLARSSL_ERR_SSL_NO_RNG -0x7400 /**< No RNG was provided to the SSL module. */
#define POLARSSL_ERR_SSL_NO_CLIENT_CERTIFICATE -0x7480 /**< No client certification received from the client, but required by the authentication mode. */
-#define POLARSSL_ERR_SSL_CERTIFICATE_TOO_LARGE -0x7500 /**< Our own certificate(s) is/are too large to send in an SSL message.*/
+#define POLARSSL_ERR_SSL_CERTIFICATE_TOO_LARGE -0x7500 /**< Our own certificate(s) is/are too large to send in an SSL message. */
#define POLARSSL_ERR_SSL_CERTIFICATE_REQUIRED -0x7580 /**< The own certificate is not set, but needed by the server. */
#define POLARSSL_ERR_SSL_PRIVATE_KEY_REQUIRED -0x7600 /**< The own private key or pre-shared key is not set, but needed. */
#define POLARSSL_ERR_SSL_CA_CHAIN_REQUIRED -0x7680 /**< No CA Chain is set, but required to operate. */
diff --git a/library/error.c b/library/error.c
index b3c2153..068c84d 100644
--- a/library/error.c
+++ b/library/error.c
@@ -386,7 +386,7 @@
if( use_ret == -(POLARSSL_ERR_SSL_NO_CLIENT_CERTIFICATE) )
snprintf( buf, buflen, "SSL - No client certification received from the client, but required by the authentication mode" );
if( use_ret == -(POLARSSL_ERR_SSL_CERTIFICATE_TOO_LARGE) )
- snprintf( buf, buflen, "SSL - DESCRIPTION MISSING" );
+ snprintf( buf, buflen, "SSL - Our own certificate(s) is/are too large to send in an SSL message" );
if( use_ret == -(POLARSSL_ERR_SSL_CERTIFICATE_REQUIRED) )
snprintf( buf, buflen, "SSL - The own certificate is not set, but needed by the server" );
if( use_ret == -(POLARSSL_ERR_SSL_PRIVATE_KEY_REQUIRED) )
diff --git a/library/ssl_cli.c b/library/ssl_cli.c
index 774cce4..c002cc5 100644
--- a/library/ssl_cli.c
+++ b/library/ssl_cli.c
@@ -635,16 +635,18 @@
*/
#if defined(POLARSSL_SSL_RENEGOTIATION)
if( ssl->renegotiation == SSL_INITIAL_HANDSHAKE )
-#endif
- if( ssl->session_negotiate->ticket != NULL &&
- ssl->session_negotiate->ticket_len != 0 )
{
- ret = ssl->f_rng( ssl->p_rng, ssl->session_negotiate->id, 32 );
+#endif
+ if( ssl->session_negotiate->ticket != NULL &&
+ ssl->session_negotiate->ticket_len != 0 )
+ {
+ ret = ssl->f_rng( ssl->p_rng, ssl->session_negotiate->id, 32 );
- if( ret != 0 )
- return( ret );
+ if( ret != 0 )
+ return( ret );
- ssl->session_negotiate->length = n = 32;
+ ssl->session_negotiate->length = n = 32;
+ }
}
#endif /* POLARSSL_SSL_SESSION_TICKETS */
@@ -691,18 +693,6 @@
q = p;
p += 2;
- /*
- * Add TLS_EMPTY_RENEGOTIATION_INFO_SCSV
- */
-#if defined(POLARSSL_SSL_RENEGOTIATION)
- if( ssl->renegotiation == SSL_INITIAL_HANDSHAKE )
-#endif
- {
- *p++ = (unsigned char)( SSL_EMPTY_RENEGOTIATION_INFO >> 8 );
- *p++ = (unsigned char)( SSL_EMPTY_RENEGOTIATION_INFO );
- n++;
- }
-
for( i = 0; ciphersuites[i] != 0; i++ )
{
ciphersuite_info = ssl_ciphersuite_from_id( ciphersuites[i] );
@@ -732,6 +722,18 @@
*p++ = (unsigned char)( ciphersuites[i] );
}
+ /*
+ * Add TLS_EMPTY_RENEGOTIATION_INFO_SCSV
+ */
+#if defined(POLARSSL_SSL_RENEGOTIATION)
+ if( ssl->renegotiation == SSL_INITIAL_HANDSHAKE )
+#endif
+ {
+ *p++ = (unsigned char)( SSL_EMPTY_RENEGOTIATION_INFO >> 8 );
+ *p++ = (unsigned char)( SSL_EMPTY_RENEGOTIATION_INFO );
+ n++;
+ }
+
/* Some versions of OpenSSL don't handle it correctly if not at end */
#if defined(POLARSSL_SSL_FALLBACK_SCSV)
if( ssl->fallback == SSL_IS_FALLBACK )
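Review bot: The relocated block keeps only the comment `Add TLS_EMPTY_RENEGOTIATION_INFO_SCSV`, so nothing in the code records why it now sits after the real ciphersuites. The next block's comment says some OpenSSL versions mishandle the fallback SCSV unless it is at the end, which suggests the order of these two blocks matters. A comment along the lines of `/* Add TLS_EMPTY_RENEGOTIATION_INFO_SCSV after the real suites; the fallback SCSV below stays last */` would stop a later reorder from breaking that. The enclosing function starts and ends outside this hunk, so the buffer sizing for the two extra bytes cannot be checked from here.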
diff --git a/library/ssl_srv.c b/library/ssl_srv.c
index e6948ef..fc86809 100644
--- a/library/ssl_srv.c
+++ b/library/ssl_srv.c
@@ -1294,10 +1294,12 @@
#if defined(POLARSSL_SSL_RENEGOTIATION)
if( ssl->renegotiation == SSL_INITIAL_HANDSHAKE )
#endif
- if( ( ret = ssl_fetch_input( ssl, 5 ) ) != 0 )
{
- SSL_DEBUG_RET( 1, "ssl_fetch_input", ret );
- return( ret );
+ if( ( ret = ssl_fetch_input( ssl, 5 ) ) != 0 )
+ {
+ SSL_DEBUG_RET( 1, "ssl_fetch_input", ret );
+ return( ret );
+ }
}
buf = ssl->in_hdr;
@@ -1351,8 +1353,11 @@
/* For DTLS if this is the initial handshake, remember the client sequence
* number to use it in our next message (RFC 6347 4.2.1) */
#if defined(POLARSSL_SSL_PROTO_DTLS)
- if( ssl->transport == SSL_TRANSPORT_DATAGRAM &&
- ssl->renegotiation == SSL_INITIAL_HANDSHAKE )
+ if( ssl->transport == SSL_TRANSPORT_DATAGRAM
+#if defined(POLARSSL_SSL_RENEGOTIATION)
+ && ssl->renegotiation == SSL_INITIAL_HANDSHAKE
+#endif
+ )
{
/* Epoch should be 0 for initial handshakes */
if( ssl->in_ctr[0] != 0 || ssl->in_ctr[1] != 0 )
diff --git a/programs/ssl/ssl_client2.c b/programs/ssl/ssl_client2.c
index 3aca8e6..b399c45 100644
--- a/programs/ssl/ssl_client2.c
+++ b/programs/ssl/ssl_client2.c
@@ -1487,8 +1487,7 @@
printf( " . Closing the connection..." );
/* No error checking, the connection might be closed already */
- do
- ret = ssl_close_notify( &ssl );
+ do ret = ssl_close_notify( &ssl );
while( ret == POLARSSL_ERR_NET_WANT_WRITE );
ret = 0;
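Review bot: Folding the unbraced `do` body onto one line leaves `while( ret == POLARSSL_ERR_NET_WANT_WRITE );` on a line of its own, where it reads like a separate empty-bodied loop. Bracing the body keeps the retry explicit: `do { ret = ssl_close_notify( &ssl ); } while( ret == POLARSSL_ERR_NET_WANT_WRITE );`. The same construct appears in the last hunk of programs/ssl/ssl_server2.c. Because `ret` is then overwritten with 0, any other close_notify failure is dropped on purpose, so the existing comment could also say that only the want-write case is retried.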
diff --git a/programs/ssl/ssl_server2.c b/programs/ssl/ssl_server2.c
index 025ac89..6ea01a8 100644
--- a/programs/ssl/ssl_server2.c
+++ b/programs/ssl/ssl_server2.c
@@ -687,7 +687,7 @@
int main( int argc, char *argv[] )
{
- int ret = 0, len, written, frags, exchanges;
+ int ret = 0, len, written, frags, exchanges_left;
int version_suites[4][2];
unsigned char buf[IO_BUF_LEN];
#if defined(POLARSSL_KEY_EXCHANGE__SOME__PSK_ENABLED)
@@ -1902,7 +1902,7 @@
if( opt.exchanges == 0 )
goto close_notify;
- exchanges = opt.exchanges;
+ exchanges_left = opt.exchanges;
data_exchange:
/*
* 6. Read the HTTP Request
@@ -2042,7 +2042,7 @@
* (only on the first exchange, to be able to test retransmission)
*/
#if defined(POLARSSL_SSL_RENEGOTIATION)
- if( opt.renegotiate && exchanges == opt.exchanges )
+ if( opt.renegotiate && exchanges_left == opt.exchanges )
{
printf( " . Requestion renegotiation..." );
fflush( stdout );
@@ -2115,7 +2115,7 @@
/*
* 7b. Continue doing data exchanges?
*/
- if( --exchanges > 0 )
+ if( --exchanges_left > 0 )
goto data_exchange;
/*
@@ -2125,8 +2125,7 @@
printf( " . Closing the connection..." );
/* No error checking, the connection might be closed already */
- do
- ret = ssl_close_notify( &ssl );
+ do ret = ssl_close_notify( &ssl );
while( ret == POLARSSL_ERR_NET_WANT_WRITE );
ret = 0;
diff --git a/scripts/generate_errors.pl b/scripts/generate_errors.pl
index b9a8e9c..b25e99a 100755
--- a/scripts/generate_errors.pl
+++ b/scripts/generate_errors.pl
@@ -56,13 +56,22 @@
my $headers = "";
+my %error_codes_seen;
+
while (my $line = <GREP>)
{
next if ($line =~ /compat-1.2.h/);
my ($error_name, $error_code) = $line =~ /(POLARSSL_ERR_\w+)\s+\-(0x\w+)/;
my ($description) = $line =~ /\/\*\*< (.*?)\.? \*\//;
+
+ die "Duplicated error code: $error_code ($error_name)\n"
+ if( $error_codes_seen{$error_code}++ );
+
$description =~ s/\\/\\\\/g;
- $description = "DESCRIPTION MISSING" if ($description eq "");
+ if ($description eq "") {
+ $description = "DESCRIPTION MISSING";
+ warn "Missing description for $error_name\n";
+ }
my ($module_name) = $error_name =~ /^POLARSSL_ERR_([^_]+)/;
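Review bot: The new duplicate check runs before anything confirms that the `POLARSSL_ERR_` regex above it matched, so a grep line that does not parse leaves `$error_code` and `$error_name` undefined. The first such line would be counted under the empty key, and a second would abort with a misleading "Duplicated error code" message. A guard ahead of the check, such as `die "Cannot parse error definition: $line" unless defined $error_code;`, would make that failure explicit. The hash is also keyed on the literal text, so `0x7A00` and `0x7a00` would not be recognised as the same code; keying on `hex($error_code)` compares values instead. The loop body continues past the end of this hunk.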
diff --git a/tests/ssl-opt.sh b/tests/ssl-opt.sh
index 4e28378..86a29d1 100755
--- a/tests/ssl-opt.sh
+++ b/tests/ssl-opt.sh
@@ -495,7 +495,7 @@
# Pick a "unique" server port in the range 10000-19999, and a proxy port
PORT_BASE="0000$$"
-PORT_BASE="$( echo -n $PORT_BASE | tail -c 5 )"
+PORT_BASE="$( printf $PORT_BASE | tail -c 4 )"
SRV_PORT="1$PORT_BASE"
PXY_PORT="2$PORT_BASE"
unset PORT_BASE
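Review bot: `printf $PORT_BASE` passes the value as printf's format string and leaves it unquoted. It is digits-only here because it is built from `0000$$`, but `printf '%s' "$PORT_BASE" | tail -c 4` stays correct if the value ever contains a `%` or whitespace. The switch to `-c 4` does match the comment, since `1$PORT_BASE` is now five digits in the 10000-19999 range.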