Merge miscellaneous fixes into development
diff --git a/CMakeLists.txt b/CMakeLists.txt
index a509614..91041b6 100644
--- a/CMakeLists.txt
+++ b/CMakeLists.txt
@@ -4,26 +4,30 @@
string(REGEX MATCH "Clang" CMAKE_COMPILER_IS_CLANG "${CMAKE_C_COMPILER_ID}")
if(CMAKE_COMPILER_IS_GNUCC)
- set(CMAKE_C_FLAGS "-Wall -Wextra -W -Wdeclaration-after-statement -Wlogical-op -Wwrite-strings")
- set(CMAKE_C_FLAGS_RELEASE "-O2")
- set(CMAKE_C_FLAGS_DEBUG "-g3 -O0")
- set(CMAKE_C_FLAGS_COVERAGE "-g3 -O0 --coverage")
- set(CMAKE_C_FLAGS_ASAN "-fsanitize=address -fno-omit-frame-pointer -g3 -O1 -Werror")
- set(CMAKE_C_FLAGS_CHECK "-O1 -Werror")
- set(CMAKE_C_FLAGS_CHECKFULL "${CMAKE_C_FLAGS_CHECK} -Wcast-qual")
+ set(CMAKE_C_FLAGS "${CMAKE_C_FLAGS} -Wall -Wextra -W -Wdeclaration-after-statement -Wwrite-strings -Wlogical-op")
+ set(CMAKE_C_FLAGS_RELEASE "-O2")
+ set(CMAKE_C_FLAGS_DEBUG "-O0 -g3")
+ set(CMAKE_C_FLAGS_COVERAGE "-O0 -g3 --coverage")
+ set(CMAKE_C_FLAGS_ASAN "-Werror -fsanitize=address -fno-common -O3")
+ set(CMAKE_C_FLAGS_ASANDBG "-Werror -fsanitize=address -fno-common -O1 -g3 -fno-omit-frame-pointer -fno-optimize-sibling-calls ")
+ set(CMAKE_C_FLAGS_CHECK "-Werror -O1")
+ set(CMAKE_C_FLAGS_CHECKFULL "${CMAKE_C_FLAGS_CHECK} -Wcast-qual")
endif(CMAKE_COMPILER_IS_GNUCC)
if(CMAKE_COMPILER_IS_CLANG)
- set(CMAKE_C_FLAGS "${CMAKE_C_FLAGS} -Wall -Wextra -W -Wdeclaration-after-statement -Wpointer-arith -Wwrite-strings -Wdocumentation -Wunreachable-code")
- set(CMAKE_C_FLAGS_RELEASE "-O2")
- set(CMAKE_C_FLAGS_DEBUG "-g3 -O0")
- set(CMAKE_C_FLAGS_COVERAGE "-g3 -O0 --coverage")
- set(CMAKE_C_FLAGS_ASAN "-fsanitize=address -fno-omit-frame-pointer -g3 -O1 -Werror")
- set(CMAKE_C_FLAGS_CHECK "-O1 -Werror")
+ set(CMAKE_C_FLAGS "${CMAKE_C_FLAGS} -Wall -Wextra -W -Wdeclaration-after-statement -Wwrite-strings -Wpointer-arith")
+ set(CMAKE_C_FLAGS_RELEASE "-O2")
+ set(CMAKE_C_FLAGS_DEBUG "-O0 -g3")
+ set(CMAKE_C_FLAGS_COVERAGE "-O0 -g3 --coverage")
+ set(CMAKE_C_FLAGS_ASAN "-Werror -fsanitize=address -fno-common -fsanitize=undefined -fno-sanitize-recover -O3")
+ set(CMAKE_C_FLAGS_ASANDBG "-Werror -fsanitize=address -fno-common -fsanitize=undefined -fno-sanitize-recover -O1 -g3 -fno-omit-frame-pointer -fno-optimize-sibling-calls ")
+ set(CMAKE_C_FLAGS_MEMSAN "-Werror -fsanitize=memory -O3")
+ set(CMAKE_C_FLAGS_MEMSANDBG "-Werror -fsanitize=memory -O1 -g3 -fno-omit-frame-pointer -fno-optimize-sibling-calls -fsanitize-memory-track-origins=2")
+ set(CMAKE_C_FLAGS_CHECK "-Werror -O1")
endif(CMAKE_COMPILER_IS_CLANG)
set(CMAKE_BUILD_TYPE ${CMAKE_BUILD_TYPE}
- CACHE STRING "Choose the type of build: None Debug Release Coverage ASan Check CheckFull"
+ CACHE STRING "Choose the type of build: None Debug Release Coverage ASan ASanDbg MemSan MemSanDbg Check CheckFull"
FORCE)
if(CMAKE_BUILD_TYPE STREQUAL "Coverage")
diff --git a/ChangeLog b/ChangeLog
index 85b5652..aa36db2 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -4,16 +4,29 @@
Reminder: bump SONAME for ABI change (FALLBACK_SCSV, session-hash, EtM)
-Features
- * Add support for FALLBACK_SCSV (draft-ietf-tls-downgrade-scsv)
- * Add support for Extended Master Secret (draft-ietf-tls-session-hash)
- * Add support for Encrypt-then-MAC (RFC 7366)
-
Security
* NULL pointer dereference in the buffer-based allocator when the buffer is
full and polarssl_free() is called (found by Jean-Philippe Aumasson)
(only possible if POLARSSL_MEMORY_BUFFER_ALLOC_C is enabled, which it is
not by default).
+ * Fix remotely-triggerable uninitialised pointer dereference caused by
+ crafted X.509 certificate (TLS server is not affected if it doesn't ask for a
+ client certificate) (found using Codenomicon Defensics).
+ * Fix remotely-triggerable memory leak caused by crafted X.509 certificates
+ (TLS server is not affected if it doesn't ask for a client certificate)
+ (found using Codenomicon Defensics).
+ * Fix potential stack overflow while parsing crafted X.509 certificates
+ (TLS server is not affected if it doesn't ask for a client certificate)
+ (found using Codenomicon Defensics).
+
+Features
+ * Add support for FALLBACK_SCSV (draft-ietf-tls-downgrade-scsv)
+ * Add support for Extended Master Secret (draft-ietf-tls-session-hash)
+ * Add support for Encrypt-then-MAC (RFC 7366)
+ * Add function pk_check_pair() to test if public and private keys match.
+ * Add x509_crl_parse_der().
+ * Add compile-time option POLARSSL_X509_MAX_INTERMEDIATE_CA to limit the
+ length of an X.509 verification chain.
Bugfix
* Stack buffer overflow if ctr_drbg_update() is called with too large
@@ -21,6 +34,21 @@
* Possible buffer overflow of length at most POLARSSL_MEMORY_ALIGN_MULTIPLE
if memory_buffer_alloc_init() was called with buf not aligned and len not
a multiple of POLARSSL_MEMORY_ALIGN_MULTIPLE.
+ * User set CFLAGS were ignore by Cmake with gcc (introduced in 1.3.9, found
+ by Julian Ospald).
+ * Fix potential undefined behaviour in Camellia.
+ * Fix potential failure in ECDSA signatures when POLARSSL_ECP_MAX_BITS is a
+ multiple of 8 (found by Gergely Budai).
+
+Changes
+ * Use deterministic nonces for AEAD ciphers in TLS by default (possible to
+ switch back to random with POLARSSL_SSL_AEAD_RANDOM_IV in config.h).
+ * Blind RSA private operations even when POLARSSL_RSA_NO_CRT is defined.
+ * ssl_set_own_cert() now returns an error on key-certificate mismatch.
+ * Forbid repeated extensions in X.509 certificates.
+ * debug_print_buf() now prints a text view in addition to hexadecimal.
+ * Skip writing and parsing signature_algorithm extension if none of the
+ key exchanges enabled needs certificates.
= PolarSSL 1.3.9 released 2014-10-20
Security
diff --git a/README.rst b/README.rst
index 8dd823c..6d18f54 100644
--- a/README.rst
+++ b/README.rst
@@ -2,6 +2,15 @@
README for PolarSSL
===================
+Configuration
+=============
+
+PolarSSL should build out of the box on most systems. Some platform specific options are available in the fully-documented configuration file *include/polarssl/config.h*, which is also the place where features can be selected.
+This file can be edited manually, or in a more programmatic way using the Perl
+script *scripts/config.pl* (use *--help* for usage instructions).
+
+Compiler options can be set using standard variables such as *CC* and *CFLAGS* when using the Make and CMake build system (see below).
+
Compiling
=========
@@ -39,7 +48,7 @@
make
-There are 5 different active build modes specified within the CMake buildsystem:
+There are many different build modes available within the CMake buildsystem. Most of them are available for gcc and clang, though some are compiler-specific:
- Release.
This generates the default code without any unnecessary information in the binary files.
@@ -49,13 +58,30 @@
This generates code coverage information in addition to debug information.
- ASan.
This instruments the code with AddressSanitizer to check for memory errors.
+ (This includes LeakSanitizer, with recent version of gcc and clang.)
+ (With recent version of clang, this mode also intruments the code with
+ UndefinedSanitizer to check for undefined behaviour.)
+- ASanDbg.
+ Same as ASan but slower, with debug information and better stack traces.
+- MemSan.
+ This intruments the code with MemorySanitizer to check for uninitialised
+ memory reads. Experimental, needs recent clang on Linux/x86_64.
+- MemSanDbg.
+ Same as ASan but slower, with debug information, better stack traces and
+ origin tracking.
- Check.
- This activates more compiler warnings and treats them as errors.
+ This activates the compiler warnings that depend on optimisation and treats
+ all warnings as errors.
Switching build modes in CMake is simple. For debug mode, enter at the command line:
cmake -D CMAKE_BUILD_TYPE:String="Debug" .
+Note that, with CMake, if you want to change the compiler or its options after you already ran CMake, you need to clear its cache first, eg (using GNU find)::
+
+ find . -iname '*cmake*' -not -name CMakeLists.txt -exec rm -rf {} +
+ CC=gcc CFLAGS='-fstack-protector-strong -Wa,--noexecstack' cmake .
+
In order to run the tests, enter::
make test
@@ -77,6 +103,13 @@
PolarSSL includes an elaborate test suite in *tests/* that initially requires Perl to generate the tests files (e.g. *test_suite_mpi.c*). These files are generates from a **function file** (e.g. *suites/test_suite_mpi.function*) and a **data file** (e.g. *suites/test_suite_mpi.data*). The **function file** contains the template for each test function. The **data file** contains the test cases, specified as parameters that should be pushed into a template function.
+For machines with a Unix shell and OpenSSL (and optionnally GnuTLS) installed, additional test scripts are available:
+
+- *tests/ssl-opt.sh* runs integration tests for various TLS options (renegotiation, resumption, etc.) and tests interoperability of these options with other implementations.
+- *tests/compat.sh* tests interoperability of every ciphersuite with other implementations.
+- *tests/scripts/test-ref-configs.pl* test builds in various reduced configurations.
+- *tests/scripts/all.sh* runs a combination of the above tests with various build options (eg ASan).
+
Configurations
==============
diff --git a/configs/README.txt b/configs/README.txt
index bab500d..f543002 100644
--- a/configs/README.txt
+++ b/configs/README.txt
@@ -18,7 +18,7 @@
Or, using cmake:
- rm CMakeCache.txt
+ find . -iname '*cmake*' -not -name CMakeLists.txt -exec rm -rf {} +
CFLAGS="-I$PWD/configs -DPOLARSSL_CONFIG_FILE='<foo.h>'" cmake .
make
diff --git a/include/polarssl/config.h b/include/polarssl/config.h
index 6e736e2..c99b448 100644
--- a/include/polarssl/config.h
+++ b/include/polarssl/config.h
@@ -782,6 +782,18 @@
#define POLARSSL_SELF_TEST
/**
+ * \def POLARSSL_SSL_AEAD_RANDOM_IV
+ *
+ * Generate a random IV rather than using the record sequence number as a
+ * nonce for ciphersuites using and AEAD algorithm (GCM or CCM).
+ *
+ * Using the sequence number is generally recommended.
+ *
+ * Uncomment this macro to always use random IVs with AEAD ciphersuites.
+ */
+//#define POLARSSL_SSL_AEAD_RANDOM_IV
+
+/**
* \def POLARSSL_SSL_ALL_ALERT_MESSAGES
*
* Enable sending of alert messages in case of encountered errors as per RFC.
@@ -954,8 +966,7 @@
/**
* \def POLARSSL_SSL_ALPN
*
- * Enable support for Application Layer Protocol Negotiation.
- * draft-ietf-tls-applayerprotoneg-05
+ * Enable support for RFC 7301 Application Layer Protocol Negotiation.
*
* Comment this macro to disable support for ALPN.
*/
@@ -2226,6 +2237,9 @@
/* Debug options */
//#define POLARSSL_DEBUG_DFL_MODE POLARSSL_DEBUG_LOG_FULL /**< Default log: Full or Raw */
+/* X509 options */
+//#define POLARSSL_X509_MAX_INTERMEDIATE_CA 8 /**< Maximum number of intermediate CAs in a verification chain. */
+
/* \} name SECTION: Module configuration options */
#include "check_config.h"
diff --git a/include/polarssl/ecp.h b/include/polarssl/ecp.h
index 7192f1e..6dec5bd 100644
--- a/include/polarssl/ecp.h
+++ b/include/polarssl/ecp.h
@@ -413,6 +413,8 @@
* \param buf $(Start of input buffer)
* \param len Buffer length
*
+ * \note buf is updated to point right after the ECPoint on exit
+ *
* \return O if successful,
* POLARSSL_ERR_MPI_XXX if initialization failed
* POLARSSL_ERR_ECP_BAD_INPUT_DATA if input is invalid
@@ -479,6 +481,8 @@
* \param buf &(Start of input buffer)
* \param len Buffer length
*
+ * \note buf is updated to point right after ECParameters on exit
+ *
* \return O if successful,
* POLARSSL_ERR_MPI_XXX if initialization failed
* POLARSSL_ERR_ECP_BAD_INPUT_DATA if input is invalid
@@ -635,6 +639,18 @@
int ecp_gen_key( ecp_group_id grp_id, ecp_keypair *key,
int (*f_rng)(void *, unsigned char *, size_t), void *p_rng );
+/**
+ * \brief Check a public-private key pair
+ *
+ * \param pub Keypair structure holding a public key
+ * \param prv Keypair structure holding a private (plus public) key
+ *
+ * \return 0 if successfull (keys are valid and match), or
+ * POLARSSL_ERR_ECP_BAD_INPUT_DATA, or
+ * a POLARSSL_ERR_ECP_XXX or POLARSSL_ERR_MPI_XXX code.
+ */
+int ecp_check_pub_priv( const ecp_keypair *pub, const ecp_keypair *prv );
+
#if defined(POLARSSL_SELF_TEST)
/**
* \brief Checkup routine
diff --git a/include/polarssl/pk.h b/include/polarssl/pk.h
index 754dda2..b29eb74 100644
--- a/include/polarssl/pk.h
+++ b/include/polarssl/pk.h
@@ -177,6 +177,9 @@
int (*f_rng)(void *, unsigned char *, size_t),
void *p_rng );
+ /** Check public-private key pair */
+ int (*check_pair_func)( const void *pub, const void *prv );
+
/** Allocate a new context */
void * (*ctx_alloc_func)( void );
@@ -427,6 +430,16 @@
int (*f_rng)(void *, unsigned char *, size_t), void *p_rng );
/**
+ * \brief Check if a public-private pair of keys matches.
+ *
+ * \param pub Context holding a public key.
+ * \param prv Context holding a private (and public) key.
+ *
+ * \return 0 on success or POLARSSL_ERR_PK_BAD_INPUT_DATA
+ */
+int pk_check_pair( const pk_context *pub, const pk_context *prv );
+
+/**
* \brief Export debug information
*
* \param ctx Context to use
@@ -625,6 +638,14 @@
const pk_context *key );
#endif /* POLARSSL_PK_WRITE_C */
+/*
+ * Internal module functions. You probably do not want to use these unless you
+ * know you do.
+ */
+#if defined(POLARSSL_FS_IO)
+int pk_load_file( const char *path, unsigned char **buf, size_t *n );
+#endif
+
#ifdef __cplusplus
}
#endif
diff --git a/include/polarssl/rsa.h b/include/polarssl/rsa.h
index c06c7d5..e636c80 100644
--- a/include/polarssl/rsa.h
+++ b/include/polarssl/rsa.h
@@ -99,10 +99,8 @@
mpi RP; /*!< cached R^2 mod P */
mpi RQ; /*!< cached R^2 mod Q */
-#if !defined(POLARSSL_RSA_NO_CRT)
mpi Vi; /*!< cached blinding value */
mpi Vf; /*!< cached un-blinding value */
-#endif
int padding; /*!< RSA_PKCS_V15 for 1.5 padding and
RSA_PKCS_v21 for OAEP/PSS */
@@ -192,6 +190,17 @@
int rsa_check_privkey( const rsa_context *ctx );
/**
+ * \brief Check a public-private RSA key pair.
+ * Check each of the contexts, and make sure they match.
+ *
+ * \param pub RSA context holding the public key
+ * \param prv RSA context holding the private key
+ *
+ * \return 0 if successful, or an POLARSSL_ERR_RSA_XXX error code
+ */
+int rsa_check_pub_priv( const rsa_context *pub, const rsa_context *prv );
+
+/**
* \brief Do an RSA public key operation
*
* \param ctx RSA context
diff --git a/include/polarssl/ssl.h b/include/polarssl/ssl.h
index 82ed04e..63ec314 100644
--- a/include/polarssl/ssl.h
+++ b/include/polarssl/ssl.h
@@ -458,7 +458,7 @@
#if defined(POLARSSL_KEY_EXCHANGE_RSA_PSK_ENABLED)
unsigned char _pms_rsa_psk[52 + POLARSSL_PSK_MAX_LEN]; /* RFC 4279 4 */
#endif
-#if defined(POLARSSL_KEY_EXCHANGE_DHE_PSK_ENABLED)
+#if defined(POLARSSL_KEY_EXCHANGE_ECDHE_PSK_ENABLED)
unsigned char _pms_ecdhe_psk[4 + POLARSSL_ECP_MAX_BYTES
+ POLARSSL_PSK_MAX_LEN]; /* RFC 5489 2 */
#endif
@@ -1055,9 +1055,11 @@
int (*f_recv)(void *, unsigned char *, size_t), void *p_recv,
int (*f_send)(void *, const unsigned char *, size_t), void *p_send );
+#if defined(POLARSSL_SSL_SRV_C)
/**
* \brief Set the session cache callbacks (server-side only)
- * If not set, no session resuming is done.
+ * If not set, no session resuming is done (except if session
+ * tickets are enabled too).
*
* The session cache has the responsibility to check for stale
* entries based on timeout. See RFC 5246 for recommendations.
@@ -1095,7 +1097,9 @@
void ssl_set_session_cache( ssl_context *ssl,
int (*f_get_cache)(void *, ssl_session *), void *p_get_cache,
int (*f_set_cache)(void *, const ssl_session *), void *p_set_cache );
+#endif /* POLARSSL_SSL_SRV_C */
+#if defined(POLARSSL_SSL_CLI_C)
/**
* \brief Request resumption of session (client-side only)
* Session data is copied from presented session structure.
@@ -1111,6 +1115,7 @@
* \sa ssl_get_session()
*/
int ssl_set_session( ssl_context *ssl, const ssl_session *session );
+#endif /* POLARSSL_SSL_CLI_C */
/**
* \brief Set the list of allowed ciphersuites and the preference
@@ -1661,6 +1666,7 @@
const x509_crt *ssl_get_peer_cert( const ssl_context *ssl );
#endif /* POLARSSL_X509_CRT_PARSE_C */
+#if defined(POLARSSL_SSL_CLI_C)
/**
* \brief Save session in order to resume it later (client-side only)
* Session data is copied to presented session structure.
@@ -1678,6 +1684,7 @@
* \sa ssl_set_session()
*/
int ssl_get_session( const ssl_context *ssl, ssl_session *session );
+#endif /* POLARSSL_SSL_CLI_C */
/**
* \brief Perform the SSL handshake
diff --git a/include/polarssl/ssl_ciphersuites.h b/include/polarssl/ssl_ciphersuites.h
index c4f1ffe..191596f 100644
--- a/include/polarssl/ssl_ciphersuites.h
+++ b/include/polarssl/ssl_ciphersuites.h
@@ -233,7 +233,9 @@
#define TLS_ECDHE_ECDSA_WITH_AES_128_CCM_8 0xC0AE /**< TLS 1.2 */
#define TLS_ECDHE_ECDSA_WITH_AES_256_CCM_8 0xC0AF /**< TLS 1.2 */
-/* Reminder: update _ssl_premaster_secret when adding a new key exchange */
+/* Reminder: update _ssl_premaster_secret when adding a new key exchange.
+ * Reminder: update POLARSSL_KEY_EXCHANGE__WITH_CERT__ENABLED below.
+ */
typedef enum {
POLARSSL_KEY_EXCHANGE_NONE = 0,
POLARSSL_KEY_EXCHANGE_RSA,
@@ -248,6 +250,17 @@
POLARSSL_KEY_EXCHANGE_ECDH_ECDSA,
} key_exchange_type_t;
+#if defined(POLARSSL_KEY_EXCHANGE_RSA_ENABLED) || \
+ defined(POLARSSL_KEY_EXCHANGE_DHE_RSA_ENABLED) || \
+ defined(POLARSSL_KEY_EXCHANGE_ECDHE_RSA_ENABLED) || \
+ defined(POLARSSL_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED) || \
+ defined(POLARSSL_KEY_EXCHANGE_RSA_PSK_ENABLED) || \
+ defined(POLARSSL_KEY_EXCHANGE_ECDHE_PSK_ENABLED) || \
+ defined(POLARSSL_KEY_EXCHANGE_ECDH_RSA_ENABLED) || \
+ defined(POLARSSL_KEY_EXCHANGE_ECDH_ECDSA_ENABLED)
+#define POLARSSL_KEY_EXCHANGE__WITH_CERT__ENABLED
+#endif
+
typedef struct _ssl_ciphersuite_t ssl_ciphersuite_t;
#define POLARSSL_CIPHERSUITE_WEAK 0x01 /**< Weak ciphersuite flag */
diff --git a/include/polarssl/x509.h b/include/polarssl/x509.h
index 9b0bcb7..5f71881 100644
--- a/include/polarssl/x509.h
+++ b/include/polarssl/x509.h
@@ -45,6 +45,18 @@
* \{
*/
+#if !defined(POLARSSL_X509_MAX_INTERMEDIATE_CA)
+/**
+ * Maximum number of intermediate CAs in a verification chain.
+ * That is, maximum length of the chain, excluding the end-entity certificate
+ * and the trusted root certificate.
+ *
+ * Set this to a low value to prevent an adversary from making you waste
+ * resources verifying an overlong certificate chain.
+ */
+#define POLARSSL_X509_MAX_INTERMEDIATE_CA 8
+#endif
+
/**
* \name X509 Error codes
* \{
@@ -295,7 +307,6 @@
x509_buf *serial );
int x509_get_ext( unsigned char **p, const unsigned char *end,
x509_buf *ext, int tag );
-int x509_load_file( const char *path, unsigned char **buf, size_t *n );
int x509_sig_alg_gets( char *buf, size_t size, const x509_buf *sig_oid,
pk_type_t pk_alg, md_type_t md_alg,
const void *sig_opts );
diff --git a/include/polarssl/x509_crl.h b/include/polarssl/x509_crl.h
index 9f597a8..4ddbafc 100644
--- a/include/polarssl/x509_crl.h
+++ b/include/polarssl/x509_crl.h
@@ -100,11 +100,23 @@
x509_crl;
/**
- * \brief Parse one or more CRLs and add them
- * to the chained list
+ * \brief Parse a DER-encoded CRL and append it to the chained list
*
* \param chain points to the start of the chain
- * \param buf buffer holding the CRL data
+ * \param buf buffer holding the CRL data in DER format
+ * \param buflen size of the buffer
+ *
+ * \return 0 if successful, or a specific X509 or PEM error code
+ */
+int x509_crl_parse_der( x509_crl *chain,
+ const unsigned char *buf, size_t buflen );
+/**
+ * \brief Parse one or more CRLs and append them to the chained list
+ *
+ * \note Mutliple CRLs are accepted only if using PEM format
+ *
+ * \param chain points to the start of the chain
+ * \param buf buffer holding the CRL data in PEM or DER format
* \param buflen size of the buffer
*
* \return 0 if successful, or a specific X509 or PEM error code
@@ -113,11 +125,12 @@
#if defined(POLARSSL_FS_IO)
/**
- * \brief Load one or more CRLs and add them
- * to the chained list
+ * \brief Load one or more CRLs and append them to the chained list
+ *
+ * \note Mutliple CRLs are accepted only if using PEM format
*
* \param chain points to the start of the chain
- * \param path filename to read the CRLs from
+ * \param path filename to read the CRLs from (in PEM or DER encoding)
*
* \return 0 if successful, or a specific X509 or PEM error code
*/
diff --git a/library/CMakeLists.txt b/library/CMakeLists.txt
index 33d96b4..f562ca6 100644
--- a/library/CMakeLists.txt
+++ b/library/CMakeLists.txt
@@ -78,12 +78,11 @@
endif(WIN32)
if(CMAKE_COMPILER_IS_GNUCC)
- set(CMAKE_C_FLAGS_CHECK "${CMAKE_C_FLAGS_CHECK} -Wmissing-declarations -Wmissing-prototypes")
- set(CMAKE_C_FLAGS_CHECKFULL "${CMAKE_C_FLAGS_CHECK} -Wcast-qual")
+ set(CMAKE_C_FLAGS "${CMAKE_C_FLAGS} -Wmissing-declarations -Wmissing-prototypes")
endif(CMAKE_COMPILER_IS_GNUCC)
if(CMAKE_COMPILER_IS_CLANG)
- set(CMAKE_C_FLAGS_CHECK "${CMAKE_C_FLAGS_CHECK} -Wmissing-declarations -Wmissing-prototypes")
+ set(CMAKE_C_FLAGS "${CMAKE_C_FLAGS} -Wmissing-declarations -Wmissing-prototypes -Wdocumentation -Wunreachable-code")
endif(CMAKE_COMPILER_IS_CLANG)
if (NOT USE_STATIC_POLARSSL_LIBRARY AND NOT USE_SHARED_POLARSSL_LIBRARY)
diff --git a/library/asn1parse.c b/library/asn1parse.c
index a3a2b56..e2117bf 100644
--- a/library/asn1parse.c
+++ b/library/asn1parse.c
@@ -278,6 +278,8 @@
if( cur->next == NULL )
return( POLARSSL_ERR_ASN1_MALLOC_FAILED );
+ memset( cur->next, 0, sizeof( asn1_sequence ) );
+
cur = cur->next;
}
}
diff --git a/library/asn1write.c b/library/asn1write.c
index ebc0e97..d3ece60 100644
--- a/library/asn1write.c
+++ b/library/asn1write.c
@@ -327,6 +327,8 @@
return( NULL );
}
+ memcpy( cur->oid.p, oid, oid_len );
+
cur->val.len = val_len;
cur->val.p = polarssl_malloc( val_len );
if( cur->val.p == NULL )
@@ -336,8 +338,6 @@
return( NULL );
}
- memcpy( cur->oid.p, oid, oid_len );
-
cur->next = *head;
*head = cur;
}
diff --git a/library/camellia.c b/library/camellia.c
index a4968f4..3956a40 100644
--- a/library/camellia.c
+++ b/library/camellia.c
@@ -304,14 +304,14 @@
I0 = x[0] ^ k[0];
I1 = x[1] ^ k[1];
- I0 = (SBOX1((I0 >> 24) & 0xFF) << 24) |
- (SBOX2((I0 >> 16) & 0xFF) << 16) |
- (SBOX3((I0 >> 8) & 0xFF) << 8) |
- (SBOX4((I0 ) & 0xFF) );
- I1 = (SBOX2((I1 >> 24) & 0xFF) << 24) |
- (SBOX3((I1 >> 16) & 0xFF) << 16) |
- (SBOX4((I1 >> 8) & 0xFF) << 8) |
- (SBOX1((I1 ) & 0xFF) );
+ I0 = ((uint32_t) SBOX1((I0 >> 24) & 0xFF) << 24) |
+ ((uint32_t) SBOX2((I0 >> 16) & 0xFF) << 16) |
+ ((uint32_t) SBOX3((I0 >> 8) & 0xFF) << 8) |
+ ((uint32_t) SBOX4((I0 ) & 0xFF) );
+ I1 = ((uint32_t) SBOX2((I1 >> 24) & 0xFF) << 24) |
+ ((uint32_t) SBOX3((I1 >> 16) & 0xFF) << 16) |
+ ((uint32_t) SBOX4((I1 >> 8) & 0xFF) << 8) |
+ ((uint32_t) SBOX1((I1 ) & 0xFF) );
I0 ^= (I1 << 8) | (I1 >> 24);
I1 ^= (I0 << 16) | (I0 >> 16);
diff --git a/library/debug.c b/library/debug.c
index a81f502..865bd54 100644
--- a/library/debug.c
+++ b/library/debug.c
@@ -123,6 +123,7 @@
unsigned char *buf, size_t len )
{
char str[512];
+ char txt[17];
size_t i, maxlen = sizeof( str ) - 1, idx = 0;
if( ssl->f_dbg == NULL || level > debug_threshold )
@@ -138,6 +139,7 @@
ssl->f_dbg( ssl->p_dbg, level, str );
idx = 0;
+ memset( txt, 0, sizeof( txt ) );
for( i = 0; i < len; i++ )
{
if( i >= 4096 )
@@ -147,9 +149,11 @@
{
if( i > 0 )
{
- snprintf( str + idx, maxlen - idx, "\n" );
+ snprintf( str + idx, maxlen - idx, " %s\n", txt );
ssl->f_dbg( ssl->p_dbg, level, str );
+
idx = 0;
+ memset( txt, 0, sizeof( txt ) );
}
if( debug_log_mode == POLARSSL_DEBUG_LOG_FULL )
@@ -162,11 +166,15 @@
idx += snprintf( str + idx, maxlen - idx, " %02x",
(unsigned int) buf[i] );
+ txt[i % 16] = ( buf[i] > 31 && buf[i] < 127 ) ? buf[i] : '.' ;
}
if( len > 0 )
{
- snprintf( str + idx, maxlen - idx, "\n" );
+ for( /* i = i */; i % 16 != 0; i++ )
+ idx += snprintf( str + idx, maxlen - idx, " " );
+
+ snprintf( str + idx, maxlen - idx, " %s\n", txt );
ssl->f_dbg( ssl->p_dbg, level, str );
}
}
diff --git a/library/ecdsa.c b/library/ecdsa.c
index 5af7f6b..e9880ef 100644
--- a/library/ecdsa.c
+++ b/library/ecdsa.c
@@ -333,7 +333,7 @@
#if POLARSSL_ECP_MAX_BYTES > 124
#error "POLARSSL_ECP_MAX_BYTES bigger than expected, please fix MAX_SIG_LEN"
#endif
-#define MAX_SIG_LEN ( 3 + 2 * ( 2 + POLARSSL_ECP_MAX_BYTES ) )
+#define MAX_SIG_LEN ( 3 + 2 * ( 3 + POLARSSL_ECP_MAX_BYTES ) )
/*
* Convert a signature (given by context) to ASN.1
diff --git a/library/ecp.c b/library/ecp.c
index ece781d..41e25e9 100644
--- a/library/ecp.c
+++ b/library/ecp.c
@@ -1897,6 +1897,48 @@
return( ecp_gen_keypair( &key->grp, &key->d, &key->Q, f_rng, p_rng ) );
}
+/*
+ * Check a public-private key pair
+ */
+int ecp_check_pub_priv( const ecp_keypair *pub, const ecp_keypair *prv )
+{
+ int ret;
+ ecp_point Q;
+ ecp_group grp;
+
+ if( pub->grp.id == POLARSSL_ECP_DP_NONE ||
+ pub->grp.id != prv->grp.id ||
+ mpi_cmp_mpi( &pub->Q.X, &prv->Q.X ) ||
+ mpi_cmp_mpi( &pub->Q.Y, &prv->Q.Y ) ||
+ mpi_cmp_mpi( &pub->Q.Z, &prv->Q.Z ) )
+ {
+ return( POLARSSL_ERR_ECP_BAD_INPUT_DATA );
+ }
+
+ ecp_point_init( &Q );
+ ecp_group_init( &grp );
+
+ /* ecp_mul() needs a non-const group... */
+ ecp_group_copy( &grp, &prv->grp );
+
+ /* Also checks d is valid */
+ MPI_CHK( ecp_mul( &grp, &Q, &prv->d, &prv->grp.G, NULL, NULL ) );
+
+ if( mpi_cmp_mpi( &Q.X, &prv->Q.X ) ||
+ mpi_cmp_mpi( &Q.Y, &prv->Q.Y ) ||
+ mpi_cmp_mpi( &Q.Z, &prv->Q.Z ) )
+ {
+ ret = POLARSSL_ERR_ECP_BAD_INPUT_DATA;
+ goto cleanup;
+ }
+
+cleanup:
+ ecp_point_free( &Q );
+ ecp_group_free( &grp );
+
+ return( ret );
+}
+
#if defined(POLARSSL_SELF_TEST)
/*
diff --git a/library/net.c b/library/net.c
index 3f0e448..2c77138 100644
--- a/library/net.c
+++ b/library/net.c
@@ -496,12 +496,12 @@
void net_usleep( unsigned long usec )
{
struct timeval tv;
- tv.tv_sec = 0;
+ tv.tv_sec = usec / 1000000;
#if !defined(_WIN32) && ( defined(__unix__) || defined(__unix) || \
( defined(__APPLE__) && defined(__MACH__) ) )
- tv.tv_usec = (suseconds_t) usec;
+ tv.tv_usec = (suseconds_t) usec % 1000000;
#else
- tv.tv_usec = usec;
+ tv.tv_usec = usec % 1000000;
#endif
select( 0, NULL, NULL, NULL, &tv );
}
diff --git a/library/pk.c b/library/pk.c
index 4aba3aa..a37f58e 100644
--- a/library/pk.c
+++ b/library/pk.c
@@ -301,6 +301,32 @@
}
/*
+ * Check public-private key pair
+ */
+int pk_check_pair( const pk_context *pub, const pk_context *prv )
+{
+ if( pub == NULL || pub->pk_info == NULL ||
+ prv == NULL || prv->pk_info == NULL ||
+ prv->pk_info->check_pair_func == NULL )
+ {
+ return( POLARSSL_ERR_PK_BAD_INPUT_DATA );
+ }
+
+ if( prv->pk_info->type == POLARSSL_PK_RSA_ALT )
+ {
+ if( pub->pk_info->type != POLARSSL_PK_RSA )
+ return( POLARSSL_ERR_PK_TYPE_MISMATCH );
+ }
+ else
+ {
+ if( pub->pk_info != prv->pk_info )
+ return( POLARSSL_ERR_PK_TYPE_MISMATCH );
+ }
+
+ return( prv->pk_info->check_pair_func( pub->pk_ctx, prv->pk_ctx ) );
+}
+
+/*
* Get key size in bits
*/
size_t pk_get_size( const pk_context *ctx )
diff --git a/library/pk_wrap.c b/library/pk_wrap.c
index 5e9ff60..7776f01 100644
--- a/library/pk_wrap.c
+++ b/library/pk_wrap.c
@@ -117,14 +117,21 @@
unsigned char *output, size_t *olen, size_t osize,
int (*f_rng)(void *, unsigned char *, size_t), void *p_rng )
{
- ((void) osize);
-
*olen = ((rsa_context *) ctx)->len;
+ if( *olen > osize )
+ return( POLARSSL_ERR_RSA_OUTPUT_TOO_LARGE );
+
return( rsa_pkcs1_encrypt( (rsa_context *) ctx,
f_rng, p_rng, RSA_PUBLIC, ilen, input, output ) );
}
+static int rsa_check_pair_wrap( const void *pub, const void *prv )
+{
+ return( rsa_check_pub_priv( (const rsa_context *) pub,
+ (const rsa_context *) prv ) );
+}
+
static void *rsa_alloc_wrap( void )
{
void *ctx = polarssl_malloc( sizeof( rsa_context ) );
@@ -163,6 +170,7 @@
rsa_sign_wrap,
rsa_decrypt_wrap,
rsa_encrypt_wrap,
+ rsa_check_pair_wrap,
rsa_alloc_wrap,
rsa_free_wrap,
rsa_debug,
@@ -234,6 +242,12 @@
#endif /* POLARSSL_ECDSA_C */
+static int eckey_check_pair( const void *pub, const void *prv )
+{
+ return( ecp_check_pub_priv( (const ecp_keypair *) pub,
+ (const ecp_keypair *) prv ) );
+}
+
static void *eckey_alloc_wrap( void )
{
void *ctx = polarssl_malloc( sizeof( ecp_keypair ) );
@@ -271,6 +285,7 @@
#endif
NULL,
NULL,
+ eckey_check_pair,
eckey_alloc_wrap,
eckey_free_wrap,
eckey_debug,
@@ -294,6 +309,7 @@
NULL,
NULL,
NULL,
+ eckey_check_pair,
eckey_alloc_wrap, /* Same underlying key structure */
eckey_free_wrap, /* Same underlying key structure */
eckey_debug, /* Same underlying key structure */
@@ -367,6 +383,7 @@
ecdsa_sign_wrap,
NULL,
NULL,
+ eckey_check_pair, /* Compatible key structures */
ecdsa_alloc_wrap,
ecdsa_free_wrap,
eckey_debug, /* Compatible key structures */
@@ -419,6 +436,36 @@
RSA_PRIVATE, olen, input, output, osize ) );
}
+#if defined(POLARSSL_RSA_C)
+static int rsa_alt_check_pair( const void *pub, const void *prv )
+{
+ unsigned char sig[POLARSSL_MPI_MAX_SIZE];
+ unsigned char hash[32];
+ size_t sig_len = 0;
+ int ret;
+
+ if( rsa_alt_get_size( prv ) != rsa_get_size( pub ) )
+ return( POLARSSL_ERR_RSA_KEY_CHECK_FAILED );
+
+ memset( hash, 0x2a, sizeof( hash ) );
+
+ if( ( ret = rsa_alt_sign_wrap( (void *) prv, POLARSSL_MD_NONE,
+ hash, sizeof( hash ),
+ sig, &sig_len, NULL, NULL ) ) != 0 )
+ {
+ return( ret );
+ }
+
+ if( rsa_verify_wrap( (void *) pub, POLARSSL_MD_NONE,
+ hash, sizeof( hash ), sig, sig_len ) != 0 )
+ {
+ return( POLARSSL_ERR_RSA_KEY_CHECK_FAILED );
+ }
+
+ return( 0 );
+}
+#endif /* POLARSSL_RSA_C */
+
static void *rsa_alt_alloc_wrap( void )
{
void *ctx = polarssl_malloc( sizeof( rsa_alt_context ) );
@@ -444,6 +491,11 @@
rsa_alt_sign_wrap,
rsa_alt_decrypt_wrap,
NULL,
+#if defined(POLARSSL_RSA_C)
+ rsa_alt_check_pair,
+#else
+ NULL,
+#endif
rsa_alt_alloc_wrap,
rsa_alt_free_wrap,
NULL,
diff --git a/library/pkparse.c b/library/pkparse.c
index 29217a2..6cfab8b 100644
--- a/library/pkparse.c
+++ b/library/pkparse.c
@@ -71,7 +71,7 @@
/*
* Load all data from a file into a given buffer.
*/
-static int load_file( const char *path, unsigned char **buf, size_t *n )
+int pk_load_file( const char *path, unsigned char **buf, size_t *n )
{
FILE *f;
long size;
@@ -120,7 +120,7 @@
size_t n;
unsigned char *buf;
- if( ( ret = load_file( path, &buf, &n ) ) != 0 )
+ if( ( ret = pk_load_file( path, &buf, &n ) ) != 0 )
return( ret );
if( pwd == NULL )
@@ -144,7 +144,7 @@
size_t n;
unsigned char *buf;
- if( ( ret = load_file( path, &buf, &n ) ) != 0 )
+ if( ( ret = pk_load_file( path, &buf, &n ) ) != 0 )
return( ret );
ret = pk_parse_public_key( ctx, buf, n );
diff --git a/library/rsa.c b/library/rsa.c
index 958085c..54babb5 100644
--- a/library/rsa.c
+++ b/library/rsa.c
@@ -241,6 +241,26 @@
}
/*
+ * Check if contexts holding a public and private key match
+ */
+int rsa_check_pub_priv( const rsa_context *pub, const rsa_context *prv )
+{
+ if( rsa_check_pubkey( pub ) != 0 ||
+ rsa_check_privkey( prv ) != 0 )
+ {
+ return( POLARSSL_ERR_RSA_KEY_CHECK_FAILED );
+ }
+
+ if( mpi_cmp_mpi( &pub->N, &prv->N ) != 0 ||
+ mpi_cmp_mpi( &pub->E, &prv->E ) != 0 )
+ {
+ return( POLARSSL_ERR_RSA_KEY_CHECK_FAILED );
+ }
+
+ return( 0 );
+}
+
+/*
* Do an RSA public key operation
*/
int rsa_public( rsa_context *ctx,
@@ -275,7 +295,6 @@
return( 0 );
}
-#if !defined(POLARSSL_RSA_NO_CRT)
/*
* Generate or update blinding values, see section 10 of:
* KOCHER, Paul C. Timing attacks on implementations of Diffie-Hellman, RSA,
@@ -329,7 +348,6 @@
return( ret );
}
-#endif /* !POLARSSL_RSA_NO_CRT */
/*
* Do an RSA private key operation
@@ -343,7 +361,6 @@
int ret;
size_t olen;
mpi T, T1, T2;
-#if !defined(POLARSSL_RSA_NO_CRT)
mpi *Vi, *Vf;
/*
@@ -361,7 +378,6 @@
Vi = &ctx->Vi;
Vf = &ctx->Vf;
#endif
-#endif /* !POLARSSL_RSA_NO_CRT */
mpi_init( &T ); mpi_init( &T1 ); mpi_init( &T2 );
@@ -372,11 +388,6 @@
return( POLARSSL_ERR_RSA_BAD_INPUT_DATA );
}
-#if defined(POLARSSL_RSA_NO_CRT)
- ((void) f_rng);
- ((void) p_rng);
- MPI_CHK( mpi_exp_mod( &T, &T, &ctx->D, &ctx->N, &ctx->RN ) );
-#else
if( f_rng != NULL )
{
/*
@@ -388,6 +399,9 @@
MPI_CHK( mpi_mod_mpi( &T, &T, &ctx->N ) );
}
+#if defined(POLARSSL_RSA_NO_CRT)
+ MPI_CHK( mpi_exp_mod( &T, &T, &ctx->D, &ctx->N, &ctx->RN ) );
+#else
/*
* faster decryption using the CRT
*
@@ -409,6 +423,7 @@
*/
MPI_CHK( mpi_mul_mpi( &T1, &T, &ctx->Q ) );
MPI_CHK( mpi_add_mpi( &T, &T2, &T1 ) );
+#endif /* POLARSSL_RSA_NO_CRT */
if( f_rng != NULL )
{
@@ -419,14 +434,13 @@
MPI_CHK( mpi_mul_mpi( &T, &T, Vf ) );
MPI_CHK( mpi_mod_mpi( &T, &T, &ctx->N ) );
}
-#endif /* POLARSSL_RSA_NO_CRT */
olen = ctx->len;
MPI_CHK( mpi_write_binary( &T, output, olen ) );
cleanup:
mpi_free( &T ); mpi_free( &T1 ); mpi_free( &T2 );
-#if !defined(POLARSSL_RSA_NO_CRT) && defined(POLARSSL_THREADING_C)
+#if defined(POLARSSL_THREADING_C)
mpi_free( &Vi_copy ); mpi_free( &Vf_copy );
#endif
@@ -1425,10 +1439,8 @@
MPI_CHK( mpi_copy( &dst->RP, &src->RP ) );
MPI_CHK( mpi_copy( &dst->RQ, &src->RQ ) );
-#if !defined(POLARSSL_RSA_NO_CRT)
MPI_CHK( mpi_copy( &dst->Vi, &src->Vi ) );
MPI_CHK( mpi_copy( &dst->Vf, &src->Vf ) );
-#endif
dst->padding = src->padding;
dst->hash_id = src->hash_id;
@@ -1445,9 +1457,7 @@
*/
void rsa_free( rsa_context *ctx )
{
-#if !defined(POLARSSL_RSA_NO_CRT)
mpi_free( &ctx->Vi ); mpi_free( &ctx->Vf );
-#endif
mpi_free( &ctx->RQ ); mpi_free( &ctx->RP ); mpi_free( &ctx->RN );
mpi_free( &ctx->QP ); mpi_free( &ctx->DQ ); mpi_free( &ctx->DP );
mpi_free( &ctx->Q ); mpi_free( &ctx->P ); mpi_free( &ctx->D );
diff --git a/library/ssl_cache.c b/library/ssl_cache.c
index 836b685..5868e69 100644
--- a/library/ssl_cache.c
+++ b/library/ssl_cache.c
@@ -105,10 +105,8 @@
*/
if( entry->peer_cert.p != NULL )
{
- session->peer_cert =
- (x509_crt *) polarssl_malloc( sizeof(x509_crt) );
-
- if( session->peer_cert == NULL )
+ if( ( session->peer_cert = (x509_crt *) polarssl_malloc(
+ sizeof(x509_crt) ) ) == NULL )
{
ret = 1;
goto exit;
@@ -226,8 +224,7 @@
/*
* max_entries not reached, create new entry
*/
- cur = (ssl_cache_entry *)
- polarssl_malloc( sizeof(ssl_cache_entry) );
+ cur = (ssl_cache_entry *) polarssl_malloc( sizeof(ssl_cache_entry) );
if( cur == NULL )
{
ret = 1;
@@ -264,8 +261,8 @@
*/
if( session->peer_cert != NULL )
{
- cur->peer_cert.p = (unsigned char *)
- polarssl_malloc( session->peer_cert->raw.len );
+ cur->peer_cert.p = (unsigned char *) polarssl_malloc(
+ session->peer_cert->raw.len );
if( cur->peer_cert.p == NULL )
{
ret = 1;
diff --git a/library/ssl_cli.c b/library/ssl_cli.c
index fd0a811..0db9e23 100644
--- a/library/ssl_cli.c
+++ b/library/ssl_cli.c
@@ -142,7 +142,11 @@
*olen = 5 + ssl->verify_data_len;
}
-#if defined(POLARSSL_SSL_PROTO_TLS1_2)
+/*
+ * Only if we handle at least one key exchange that needs signatures.
+ */
+#if defined(POLARSSL_SSL_PROTO_TLS1_2) && \
+ defined(POLARSSL_KEY_EXCHANGE__WITH_CERT__ENABLED)
static void ssl_write_signature_algorithms_ext( ssl_context *ssl,
unsigned char *buf,
size_t *olen )
@@ -236,7 +240,8 @@
*olen = 6 + sig_alg_len;
}
-#endif /* POLARSSL_SSL_PROTO_TLS1_2 */
+#endif /* POLARSSL_SSL_PROTO_TLS1_2 &&
+ POLARSSL_KEY_EXCHANGE__WITH_CERT__ENABLED */
#if defined(POLARSSL_ECDH_C) || defined(POLARSSL_ECDSA_C)
static void ssl_write_supported_elliptic_curves_ext( ssl_context *ssl,
@@ -691,7 +696,8 @@
ssl_write_renegotiation_ext( ssl, p + 2 + ext_len, &olen );
ext_len += olen;
-#if defined(POLARSSL_SSL_PROTO_TLS1_2)
+#if defined(POLARSSL_SSL_PROTO_TLS1_2) && \
+ defined(POLARSSL_KEY_EXCHANGE__WITH_CERT__ENABLED)
ssl_write_signature_algorithms_ext( ssl, p + 2 + ext_len, &olen );
ext_len += olen;
#endif
diff --git a/library/ssl_srv.c b/library/ssl_srv.c
index 6d8626c..7bcec57 100644
--- a/library/ssl_srv.c
+++ b/library/ssl_srv.c
@@ -465,7 +465,8 @@
return( 0 );
}
-#if defined(POLARSSL_SSL_PROTO_TLS1_2)
+#if defined(POLARSSL_SSL_PROTO_TLS1_2) && \
+ defined(POLARSSL_KEY_EXCHANGE__WITH_CERT__ENABLED)
static int ssl_parse_signature_algorithms_ext( ssl_context *ssl,
const unsigned char *buf,
size_t len )
@@ -509,7 +510,8 @@
return( 0 );
}
-#endif /* POLARSSL_SSL_PROTO_TLS1_2 */
+#endif /* POLARSSL_SSL_PROTO_TLS1_2 &&
+ POLARSSL_KEY_EXCHANGE__WITH_CERT__ENABLED */
#if defined(POLARSSL_ECDH_C) || defined(POLARSSL_ECDSA_C)
static int ssl_parse_supported_elliptic_curves( ssl_context *ssl,
@@ -1495,7 +1497,8 @@
return( ret );
break;
-#if defined(POLARSSL_SSL_PROTO_TLS1_2)
+#if defined(POLARSSL_SSL_PROTO_TLS1_2) && \
+ defined(POLARSSL_KEY_EXCHANGE__WITH_CERT__ENABLED)
case TLS_EXT_SIG_ALG:
SSL_DEBUG_MSG( 3, ( "found signature_algorithms extension" ) );
if( ssl->renegotiation == SSL_RENEGOTIATION )
@@ -1505,7 +1508,8 @@
if( ret != 0 )
return( ret );
break;
-#endif /* POLARSSL_SSL_PROTO_TLS1_2 */
+#endif /* POLARSSL_SSL_PROTO_TLS1_2 &&
+ POLARSSL_KEY_EXCHANGE__WITH_CERT__ENABLED */
#if defined(POLARSSL_ECDH_C) || defined(POLARSSL_ECDSA_C)
case TLS_EXT_SUPPORTED_ELLIPTIC_CURVES:
diff --git a/library/ssl_tls.c b/library/ssl_tls.c
index cc6a356..7eec364 100644
--- a/library/ssl_tls.c
+++ b/library/ssl_tls.c
@@ -647,6 +647,7 @@
/*
* Finally setup the cipher contexts, IVs and MAC secrets.
*/
+#if defined(POLARSSL_SSL_CLI_C)
if( ssl->endpoint == SSL_IS_CLIENT )
{
key1 = keyblk + transform->maclen * 2;
@@ -665,6 +666,9 @@
iv_copy_len );
}
else
+#endif /* POLARSSL_SSL_CLI_C */
+#if defined(POLARSSL_SSL_SRV_C)
+ if( ssl->endpoint == SSL_IS_SERVER )
{
key1 = keyblk + transform->maclen * 2 + transform->keylen;
key2 = keyblk + transform->maclen * 2;
@@ -681,6 +685,12 @@
memcpy( transform->iv_enc, key1 + transform->keylen + iv_copy_len,
iv_copy_len );
}
+ else
+#endif /* POLARSSL_SSL_SRV_C */
+ {
+ SSL_DEBUG_MSG( 1, ( "should never happen" ) );
+ return( POLARSSL_ERR_SSL_INTERNAL_ERROR );
+ }
#if defined(POLARSSL_SSL_PROTO_SSL3)
if( ssl->minor_ver == SSL_MINOR_VERSION_0 )
@@ -1096,6 +1106,9 @@
mode = cipher_get_cipher_mode( &ssl->transform_out->cipher_ctx_enc );
+ SSL_DEBUG_BUF( 4, "before encrypt: output payload",
+ ssl->out_msg, ssl->out_msglen );
+
/*
* Add MAC before if needed
*/
@@ -1157,9 +1170,6 @@
"including %d bytes of padding",
ssl->out_msglen, 0 ) );
- SSL_DEBUG_BUF( 4, "before encrypt: output payload",
- ssl->out_msg, ssl->out_msglen );
-
if( ( ret = cipher_crypt( &ssl->transform_out->cipher_ctx_enc,
ssl->transform_out->iv_enc,
ssl->transform_out->ivlen,
@@ -1202,6 +1212,7 @@
/*
* Generate IV
*/
+#if defined(POLARSSL_SSL_AEAD_RANDOM_IV)
ret = ssl->f_rng( ssl->p_rng,
ssl->transform_out->iv_enc + ssl->transform_out->fixed_ivlen,
ssl->transform_out->ivlen - ssl->transform_out->fixed_ivlen );
@@ -1211,6 +1222,18 @@
memcpy( ssl->out_iv,
ssl->transform_out->iv_enc + ssl->transform_out->fixed_ivlen,
ssl->transform_out->ivlen - ssl->transform_out->fixed_ivlen );
+#else
+ if( ssl->transform_out->ivlen - ssl->transform_out->fixed_ivlen != 8 )
+ {
+ /* Reminder if we ever add an AEAD mode with a different size */
+ SSL_DEBUG_MSG( 1, ( "should never happen" ) );
+ return( POLARSSL_ERR_SSL_INTERNAL_ERROR );
+ }
+
+ memcpy( ssl->transform_out->iv_enc + ssl->transform_out->fixed_ivlen,
+ ssl->out_ctr, 8 );
+ memcpy( ssl->out_iv, ssl->out_ctr, 8 );
+#endif
SSL_DEBUG_BUF( 4, "IV used", ssl->out_iv,
ssl->transform_out->ivlen - ssl->transform_out->fixed_ivlen );
@@ -1227,9 +1250,6 @@
"including %d bytes of padding",
ssl->out_msglen, 0 ) );
- SSL_DEBUG_BUF( 4, "before encrypt: output payload",
- ssl->out_msg, ssl->out_msglen );
-
/*
* Encrypt and authenticate
*/
@@ -1311,9 +1331,6 @@
ssl->out_msglen, ssl->transform_out->ivlen,
padlen + 1 ) );
- SSL_DEBUG_BUF( 4, "before encrypt: output payload",
- ssl->out_iv, ssl->out_msglen );
-
if( ( ret = cipher_crypt( &ssl->transform_out->cipher_ctx_enc,
ssl->transform_out->iv_enc,
ssl->transform_out->ivlen,
@@ -2522,6 +2539,7 @@
return( 0 );
}
+#if defined(POLARSSL_SSL_CLI_C)
if( ssl->endpoint == SSL_IS_CLIENT )
{
if( ssl->client_auth == 0 )
@@ -2549,7 +2567,9 @@
}
#endif /* POLARSSL_SSL_PROTO_SSL3 */
}
- else /* SSL_IS_SERVER */
+#endif /* POLARSSL_SSL_CLI_C */
+#if defined(POLARSSL_SSL_SRV_C)
+ if( ssl->endpoint == SSL_IS_SERVER )
{
if( ssl_own_cert( ssl ) == NULL )
{
@@ -2557,6 +2577,7 @@
return( POLARSSL_ERR_SSL_CERTIFICATE_REQUIRED );
}
}
+#endif
SSL_DEBUG_CRT( 3, "own certificate", ssl_own_cert( ssl ) );
@@ -2632,6 +2653,7 @@
return( 0 );
}
+#if defined(POLARSSL_SSL_SRV_C)
if( ssl->endpoint == SSL_IS_SERVER &&
( ssl->authmode == SSL_VERIFY_NONE ||
ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_RSA_PSK ) )
@@ -2641,6 +2663,7 @@
ssl->state++;
return( 0 );
}
+#endif
if( ( ret = ssl_read_record( ssl ) ) != 0 )
{
@@ -2650,6 +2673,7 @@
ssl->state++;
+#if defined(POLARSSL_SSL_SRV_C)
#if defined(POLARSSL_SSL_PROTO_SSL3)
/*
* Check if the client sent an empty certificate
@@ -2694,6 +2718,7 @@
}
#endif /* POLARSSL_SSL_PROTO_TLS1 || POLARSSL_SSL_PROTO_TLS1_1 || \
POLARSSL_SSL_PROTO_TLS1_2 */
+#endif /* POLARSSL_SSL_SRV_C */
if( ssl->in_msgtype != SSL_MSG_HANDSHAKE )
{
@@ -2772,6 +2797,7 @@
* On client, make sure the server cert doesn't change during renego to
* avoid "triple handshake" attack: https://secure-resumption.com/
*/
+#if defined(POLARSSL_SSL_CLI_C)
if( ssl->endpoint == SSL_IS_CLIENT &&
ssl->renegotiation == SSL_RENEGOTIATION )
{
@@ -2791,6 +2817,7 @@
return( POLARSSL_ERR_SSL_BAD_HS_CERTIFICATE );
}
}
+#endif /* POLARSSL_SSL_CLI_C */
if( ssl->authmode != SSL_VERIFY_NONE )
{
@@ -3315,10 +3342,14 @@
*/
if( ssl->handshake->resume != 0 )
{
+#if defined(POLARSSL_SSL_CLI_C)
if( ssl->endpoint == SSL_IS_CLIENT )
ssl->state = SSL_HANDSHAKE_WRAPUP;
- else
+#endif
+#if defined(POLARSSL_SSL_SRV_C)
+ if( ssl->endpoint == SSL_IS_SERVER )
ssl->state = SSL_CLIENT_CHANGE_CIPHER_SPEC;
+#endif
}
else
ssl->state++;
@@ -3428,11 +3459,14 @@
if( ssl->handshake->resume != 0 )
{
+#if defined(POLARSSL_SSL_CLI_C)
if( ssl->endpoint == SSL_IS_CLIENT )
ssl->state = SSL_CLIENT_CHANGE_CIPHER_SPEC;
-
+#endif
+#if defined(POLARSSL_SSL_SRV_C)
if( ssl->endpoint == SSL_IS_SERVER )
ssl->state = SSL_HANDSHAKE_WRAPUP;
+#endif
}
else
ssl->state++;
@@ -3507,14 +3541,14 @@
*/
if( ssl->transform_negotiate == NULL )
{
- ssl->transform_negotiate =
- (ssl_transform *) polarssl_malloc( sizeof(ssl_transform) );
+ ssl->transform_negotiate = (ssl_transform *) polarssl_malloc(
+ sizeof(ssl_transform) );
}
if( ssl->session_negotiate == NULL )
{
- ssl->session_negotiate =
- (ssl_session *) polarssl_malloc( sizeof(ssl_session) );
+ ssl->session_negotiate = (ssl_session *) polarssl_malloc(
+ sizeof(ssl_session) );
}
if( ssl->handshake == NULL )
@@ -3778,7 +3812,8 @@
{
ssl->endpoint = endpoint;
-#if defined(POLARSSL_SSL_SESSION_TICKETS)
+#if defined(POLARSSL_SSL_SESSION_TICKETS) && \
+ defined(POLARSSL_SSL_CLI_C)
if( endpoint == SSL_IS_CLIENT )
ssl->session_tickets = SSL_SESSION_TICKETS_ENABLED;
#endif
@@ -3825,6 +3860,7 @@
ssl->p_send = p_send;
}
+#if defined(POLARSSL_SSL_SRV_C)
void ssl_set_session_cache( ssl_context *ssl,
int (*f_get_cache)(void *, ssl_session *), void *p_get_cache,
int (*f_set_cache)(void *, const ssl_session *), void *p_set_cache )
@@ -3834,7 +3870,9 @@
ssl->f_set_cache = f_set_cache;
ssl->p_set_cache = p_set_cache;
}
+#endif /* POLARSSL_SSL_SRV_C */
+#if defined(POLARSSL_SSL_CLI_C)
int ssl_set_session( ssl_context *ssl, const ssl_session *session )
{
int ret;
@@ -3854,6 +3892,7 @@
return( 0 );
}
+#endif /* POLARSSL_SSL_CLI_C */
void ssl_set_ciphersuites( ssl_context *ssl, const int *ciphersuites )
{
@@ -3925,7 +3964,7 @@
key_cert->cert = own_cert;
key_cert->key = pk_key;
- return( 0 );
+ return( pk_check_pair( &key_cert->cert->pk, key_cert->key ) );
}
#if defined(POLARSSL_RSA_C)
@@ -3954,7 +3993,7 @@
key_cert->cert = own_cert;
key_cert->key_own_alloc = 1;
- return( 0 );
+ return( pk_check_pair( &key_cert->cert->pk, key_cert->key ) );
}
#endif /* POLARSSL_RSA_C */
@@ -3983,7 +4022,7 @@
key_cert->cert = own_cert;
key_cert->key_own_alloc = 1;
- return( 0 );
+ return( pk_check_pair( &key_cert->cert->pk, key_cert->key ) );
}
#endif /* POLARSSL_X509_CRT_PARSE_C */
@@ -4232,8 +4271,13 @@
{
ssl->session_tickets = use_tickets;
+#if defined(POLARSSL_SSL_CLI_C)
if( ssl->endpoint == SSL_IS_CLIENT )
return( 0 );
+#endif
+
+ if( use_tickets == SSL_SESSION_TICKETS_DISABLED )
+ return( 0 );
if( ssl->f_rng == NULL )
return( POLARSSL_ERR_SSL_BAD_INPUT_DATA );
@@ -4300,6 +4344,7 @@
}
#endif /* POLARSSL_X509_CRT_PARSE_C */
+#if defined(POLARSSL_SSL_CLI_C)
int ssl_get_session( const ssl_context *ssl, ssl_session *dst )
{
if( ssl == NULL ||
@@ -4312,6 +4357,7 @@
return( ssl_session_copy( dst, ssl->session ) );
}
+#endif /* POLARSSL_SSL_CLI_C */
/*
* Perform a single step of the SSL handshake
@@ -4324,7 +4370,6 @@
if( ssl->endpoint == SSL_IS_CLIENT )
ret = ssl_handshake_client_step( ssl );
#endif
-
#if defined(POLARSSL_SSL_SRV_C)
if( ssl->endpoint == SSL_IS_SERVER )
ret = ssl_handshake_server_step( ssl );
@@ -4525,6 +4570,7 @@
{
SSL_DEBUG_MSG( 1, ( "received handshake message" ) );
+#if defined(POLARSSL_SSL_CLI_C)
if( ssl->endpoint == SSL_IS_CLIENT &&
( ssl->in_msg[0] != SSL_HS_HELLO_REQUEST ||
ssl->in_hslen != 4 ) )
@@ -4532,6 +4578,7 @@
SSL_DEBUG_MSG( 1, ( "handshake received (not HelloRequest)" ) );
return( POLARSSL_ERR_SSL_UNEXPECTED_MESSAGE );
}
+#endif
if( ssl->disable_renegotiation == SSL_RENEGOTIATION_DISABLED ||
( ssl->secure_renegotiation == SSL_LEGACY_RENEGOTIATION &&
diff --git a/library/x509.c b/library/x509.c
index 941472c..78cf02d 100644
--- a/library/x509.c
+++ b/library/x509.c
@@ -421,35 +421,39 @@
size_t set_len;
const unsigned char *end_set;
- /*
- * parse first SET, restricted to 1 element
- */
- if( ( ret = asn1_get_tag( p, end, &set_len,
- ASN1_CONSTRUCTED | ASN1_SET ) ) != 0 )
- return( POLARSSL_ERR_X509_INVALID_NAME + ret );
+ /* don't use recursion, we'd risk stack overflow if not optimized */
+ while( 1 )
+ {
+ /*
+ * parse first SET, restricted to 1 element
+ */
+ if( ( ret = asn1_get_tag( p, end, &set_len,
+ ASN1_CONSTRUCTED | ASN1_SET ) ) != 0 )
+ return( POLARSSL_ERR_X509_INVALID_NAME + ret );
- end_set = *p + set_len;
+ end_set = *p + set_len;
- if( ( ret = x509_get_attr_type_value( p, end_set, cur ) ) != 0 )
- return( ret );
+ if( ( ret = x509_get_attr_type_value( p, end_set, cur ) ) != 0 )
+ return( ret );
- if( *p != end_set )
- return( POLARSSL_ERR_X509_FEATURE_UNAVAILABLE );
+ if( *p != end_set )
+ return( POLARSSL_ERR_X509_FEATURE_UNAVAILABLE );
- /*
- * recurse until end of SEQUENCE is reached
- */
- if( *p == end )
- return( 0 );
+ /*
+ * continue until end of SEQUENCE is reached
+ */
+ if( *p == end )
+ return( 0 );
- cur->next = (x509_name *) polarssl_malloc( sizeof( x509_name ) );
+ cur->next = (x509_name *) polarssl_malloc( sizeof( x509_name ) );
- if( cur->next == NULL )
- return( POLARSSL_ERR_X509_MALLOC_FAILED );
+ if( cur->next == NULL )
+ return( POLARSSL_ERR_X509_MALLOC_FAILED );
- memset( cur->next, 0, sizeof( x509_name ) );
+ memset( cur->next, 0, sizeof( x509_name ) );
- return( x509_get_name( p, end, cur->next ) );
+ cur = cur->next;
+ }
}
/*
@@ -632,50 +636,6 @@
return( 0 );
}
-#if defined(POLARSSL_FS_IO)
-/*
- * Load all data from a file into a given buffer.
- */
-int x509_load_file( const char *path, unsigned char **buf, size_t *n )
-{
- FILE *f;
- long size;
-
- if( ( f = fopen( path, "rb" ) ) == NULL )
- return( POLARSSL_ERR_X509_FILE_IO_ERROR );
-
- fseek( f, 0, SEEK_END );
- if( ( size = ftell( f ) ) == -1 )
- {
- fclose( f );
- return( POLARSSL_ERR_X509_FILE_IO_ERROR );
- }
- fseek( f, 0, SEEK_SET );
-
- *n = (size_t) size;
-
- if( *n + 1 == 0 ||
- ( *buf = (unsigned char *) polarssl_malloc( *n + 1 ) ) == NULL )
- {
- fclose( f );
- return( POLARSSL_ERR_X509_MALLOC_FAILED );
- }
-
- if( fread( *buf, 1, *n, f ) != *n )
- {
- fclose( f );
- polarssl_free( *buf );
- return( POLARSSL_ERR_X509_FILE_IO_ERROR );
- }
-
- fclose( f );
-
- (*buf)[*n] = '\0';
-
- return( 0 );
-}
-#endif /* POLARSSL_FS_IO */
-
#if defined(_MSC_VER) && !defined snprintf && !defined(EFIX64) && \
!defined(EFI32)
#include <stdarg.h>
diff --git a/library/x509_crl.c b/library/x509_crl.c
index 7dd53c2..a0bf9f4 100644
--- a/library/x509_crl.c
+++ b/library/x509_crl.c
@@ -243,8 +243,8 @@
if( cur_entry->next == NULL )
return( POLARSSL_ERR_X509_MALLOC_FAILED );
+ memset( cur_entry->next, 0, sizeof( x509_crl_entry ) );
cur_entry = cur_entry->next;
- memset( cur_entry, 0, sizeof( x509_crl_entry ) );
}
}
@@ -252,25 +252,16 @@
}
/*
- * Parse one or more CRLs and add them to the chained list
+ * Parse one CRLs in DER format and append it to the chained list
*/
-int x509_crl_parse( x509_crl *chain, const unsigned char *buf, size_t buflen )
+int x509_crl_parse_der( x509_crl *chain,
+ const unsigned char *buf, size_t buflen )
{
int ret;
size_t len;
unsigned char *p, *end;
- x509_crl *crl;
x509_buf sig_params1, sig_params2;
-
-#if defined(POLARSSL_PEM_PARSE_C)
- size_t use_len;
- pem_context pem;
-#endif
-
- memset( &sig_params1, 0, sizeof( x509_buf ) );
- memset( &sig_params2, 0, sizeof( x509_buf ) );
-
- crl = chain;
+ x509_crl *crl = chain;
/*
* Check for valid input
@@ -278,12 +269,15 @@
if( crl == NULL || buf == NULL )
return( POLARSSL_ERR_X509_BAD_INPUT_DATA );
- while( crl->version != 0 && crl->next != NULL )
- crl = crl->next;
+ memset( &sig_params1, 0, sizeof( x509_buf ) );
+ memset( &sig_params2, 0, sizeof( x509_buf ) );
/*
* Add new CRL on the end of the chain if needed.
*/
+ while( crl->version != 0 && crl->next != NULL )
+ crl = crl->next;
+
if( crl->version != 0 && crl->next == NULL )
{
crl->next = (x509_crl *) polarssl_malloc( sizeof( x509_crl ) );
@@ -294,57 +288,22 @@
return( POLARSSL_ERR_X509_MALLOC_FAILED );
}
+ x509_crl_init( crl->next );
crl = crl->next;
- x509_crl_init( crl );
}
-#if defined(POLARSSL_PEM_PARSE_C)
- pem_init( &pem );
- ret = pem_read_buffer( &pem,
- "-----BEGIN X509 CRL-----",
- "-----END X509 CRL-----",
- buf, NULL, 0, &use_len );
+ /*
+ * Copy raw DER-encoded CRL
+ */
+ if( ( p = polarssl_malloc( buflen ) ) == NULL )
+ return( POLARSSL_ERR_X509_MALLOC_FAILED );
- if( ret == 0 )
- {
- /*
- * Was PEM encoded
- */
- buflen -= use_len;
- buf += use_len;
-
- /*
- * Steal PEM buffer
- */
- p = pem.buf;
- pem.buf = NULL;
- len = pem.buflen;
- pem_free( &pem );
- }
- else if( ret != POLARSSL_ERR_PEM_NO_HEADER_FOOTER_PRESENT )
- {
- pem_free( &pem );
- return( ret );
- }
- else
-#endif /* POLARSSL_PEM_PARSE_C */
- {
- /*
- * nope, copy the raw DER data
- */
- p = (unsigned char *) polarssl_malloc( len = buflen );
-
- if( p == NULL )
- return( POLARSSL_ERR_X509_MALLOC_FAILED );
-
- memcpy( p, buf, buflen );
-
- buflen = 0;
- }
+ memcpy( p, buf, buflen );
crl->raw.p = p;
- crl->raw.len = len;
- end = p + len;
+ crl->raw.len = buflen;
+
+ end = p + buflen;
/*
* CertificateList ::= SEQUENCE {
@@ -522,25 +481,64 @@
POLARSSL_ERR_ASN1_LENGTH_MISMATCH );
}
- if( buflen > 0 )
- {
- crl->next = (x509_crl *) polarssl_malloc( sizeof( x509_crl ) );
-
- if( crl->next == NULL )
- {
- x509_crl_free( crl );
- return( POLARSSL_ERR_X509_MALLOC_FAILED );
- }
-
- crl = crl->next;
- x509_crl_init( crl );
-
- return( x509_crl_parse( crl, buf, buflen ) );
- }
-
return( 0 );
}
+/*
+ * Parse one or more CRLs and add them to the chained list
+ */
+int x509_crl_parse( x509_crl *chain, const unsigned char *buf, size_t buflen )
+{
+#if defined(POLARSSL_PEM_PARSE_C)
+ int ret;
+ size_t use_len;
+ pem_context pem;
+ int is_pem = 0;
+
+ if( chain == NULL || buf == NULL )
+ return( POLARSSL_ERR_X509_BAD_INPUT_DATA );
+
+ do
+ {
+ pem_init( &pem );
+ ret = pem_read_buffer( &pem,
+ "-----BEGIN X509 CRL-----",
+ "-----END X509 CRL-----",
+ buf, NULL, 0, &use_len );
+
+ if( ret == 0 )
+ {
+ /*
+ * Was PEM encoded
+ */
+ is_pem = 1;
+
+ buflen -= use_len;
+ buf += use_len;
+
+ if( ( ret = x509_crl_parse_der( chain,
+ pem.buf, pem.buflen ) ) != 0 )
+ {
+ return( ret );
+ }
+
+ pem_free( &pem );
+ }
+ else if( ret != POLARSSL_ERR_PEM_NO_HEADER_FOOTER_PRESENT )
+ {
+ pem_free( &pem );
+ return( ret );
+ }
+ }
+ while( is_pem && buflen > 0 );
+
+ if( is_pem )
+ return( 0 );
+ else
+#endif /* POLARSSL_PEM_PARSE_C */
+ return( x509_crl_parse_der( chain, buf, buflen ) );
+}
+
#if defined(POLARSSL_FS_IO)
/*
* Load one or more CRLs and add them to the chained list
@@ -551,7 +549,7 @@
size_t n;
unsigned char *buf;
- if( ( ret = x509_load_file( path, &buf, &n ) ) != 0 )
+ if( ( ret = pk_load_file( path, &buf, &n ) ) != 0 )
return( ret );
ret = x509_crl_parse( chain, buf, n );
diff --git a/library/x509_crt.c b/library/x509_crt.c
index 88d7f04..aba9c69 100644
--- a/library/x509_crt.c
+++ b/library/x509_crt.c
@@ -359,6 +359,9 @@
/* Allocate and assign next pointer */
if( cur->buf.p != NULL )
{
+ if( cur->next != NULL )
+ return( POLARSSL_ERR_X509_INVALID_EXTENSIONS );
+
cur->next = (asn1_sequence *) polarssl_malloc(
sizeof( asn1_sequence ) );
@@ -478,6 +481,10 @@
continue;
}
+ /* Forbid repeated extensions */
+ if( ( crt->ext_types & ext_type ) != 0 )
+ return( POLARSSL_ERR_X509_INVALID_EXTENSIONS );
+
crt->ext_types |= ext_type;
switch( ext_type )
@@ -812,8 +819,8 @@
return( POLARSSL_ERR_X509_MALLOC_FAILED );
prev = crt;
+ x509_crt_init( crt->next );
crt = crt->next;
- x509_crt_init( crt );
}
if( ( ret = x509_crt_parse_der_core( crt, buf, buflen ) ) != 0 )
@@ -946,7 +953,7 @@
size_t n;
unsigned char *buf;
- if( ( ret = x509_load_file( path, &buf, &n ) ) != 0 )
+ if( ( ret = pk_load_file( path, &buf, &n ) ) != 0 )
return( ret );
ret = x509_crt_parse( chain, buf, n );
@@ -1629,25 +1636,30 @@
*/
static int x509_name_cmp( const x509_name *a, const x509_name *b )
{
- if( a == NULL && b == NULL )
- return( 0 );
-
- if( a == NULL || b == NULL )
- return( -1 );
-
- /* type */
- if( a->oid.tag != b->oid.tag ||
- a->oid.len != b->oid.len ||
- memcmp( a->oid.p, b->oid.p, b->oid.len ) != 0 )
+ /* Avoid recursion, it might not be optimised by the compiler */
+ while( a != NULL || b != NULL )
{
- return( -1 );
+ if( a == NULL || b == NULL )
+ return( -1 );
+
+ /* type */
+ if( a->oid.tag != b->oid.tag ||
+ a->oid.len != b->oid.len ||
+ memcmp( a->oid.p, b->oid.p, b->oid.len ) != 0 )
+ {
+ return( -1 );
+ }
+
+ /* value */
+ if( x509_string_cmp( &a->val, &b->val ) != 0 )
+ return( -1 );
+
+ a = a->next;
+ b = b->next;
}
- /* value */
- if( x509_string_cmp( &a->val, &b->val ) != 0 )
- return( -1 );
-
- return( x509_name_cmp( a->next, b->next ) );
+ /* a == NULL == b */
+ return( 0 );
}
/*
@@ -1822,6 +1834,13 @@
x509_crt *grandparent;
const md_info_t *md_info;
+ /* path_cnt is 0 for the first intermediate CA */
+ if( 1 + path_cnt > POLARSSL_X509_MAX_INTERMEDIATE_CA )
+ {
+ *flags |= BADCERT_NOT_TRUSTED;
+ return( POLARSSL_ERR_X509_CERT_VERIFY_FAILED );
+ }
+
if( x509_time_expired( &child->valid_to ) )
*flags |= BADCERT_EXPIRED;
diff --git a/library/x509_csr.c b/library/x509_csr.c
index 0b4f771..5831121 100644
--- a/library/x509_csr.c
+++ b/library/x509_csr.c
@@ -310,7 +310,7 @@
size_t n;
unsigned char *buf;
- if( ( ret = x509_load_file( path, &buf, &n ) ) != 0 )
+ if( ( ret = pk_load_file( path, &buf, &n ) ) != 0 )
return( ret );
ret = x509_csr_parse( csr, buf, n );
diff --git a/programs/ssl/ssl_client2.c b/programs/ssl/ssl_client2.c
index cbca810..3457828 100644
--- a/programs/ssl/ssl_client2.c
+++ b/programs/ssl/ssl_client2.c
@@ -1293,8 +1293,8 @@
goto exit;
}
- if( ( ret = net_connect( &server_fd, opt.server_name,
- opt.server_port ) ) != 0 )
+ if( ( ret = net_connect( &server_fd, opt.server_addr,
+ opt.server_port ) ) != 0 )
{
printf( " failed\n ! net_connect returned -0x%x\n\n", -ret );
goto exit;
diff --git a/programs/ssl/ssl_server2.c b/programs/ssl/ssl_server2.c
index 08f2ff8..9d4443f 100644
--- a/programs/ssl/ssl_server2.c
+++ b/programs/ssl/ssl_server2.c
@@ -592,7 +592,7 @@
}
#endif /* POLARSSL_KEY_EXCHANGE__SOME__PSK_ENABLED */
-static int listen_fd;
+static int listen_fd, client_fd = -1;
/* Interruption handler to ensure clean exit (for valgrind testing) */
#if !defined(_WIN32)
@@ -602,13 +602,13 @@
((void) sig);
received_sigterm = 1;
net_close( listen_fd ); /* causes net_accept() to abort */
+ net_close( client_fd ); /* causes net_read() to abort */
}
#endif
int main( int argc, char *argv[] )
{
int ret = 0, len, written, frags, exchanges;
- int client_fd = -1;
int version_suites[4][2];
unsigned char buf[IO_BUF_LEN];
#if defined(POLARSSL_KEY_EXCHANGE__SOME__PSK_ENABLED)
@@ -676,8 +676,9 @@
#endif
#if !defined(_WIN32)
- /* Abort cleanly on SIGTERM */
+ /* Abort cleanly on SIGTERM and SIGINT */
signal( SIGTERM, term_handler );
+ signal( SIGINT, term_handler );
#endif
if( argc == 0 )
@@ -1435,6 +1436,15 @@
printf( " ok\n" );
reset:
+#if !defined(_WIN32)
+ if( received_sigterm )
+ {
+ printf( " interrupted by SIGTERM\n" );
+ ret = 0;
+ goto exit;
+ }
+#endif
+
#ifdef POLARSSL_ERROR_C
if( ret != 0 )
{
@@ -1462,7 +1472,7 @@
#if !defined(_WIN32)
if( received_sigterm )
{
- printf( " interrupted by SIGTERM\n" );
+ printf( " interrupted by signal\n" );
ret = 0;
goto exit;
}
@@ -1750,6 +1760,9 @@
}
#endif
+ printf( " . Cleaning up..." );
+ fflush( stdout );
+
if( client_fd != -1 )
net_close( client_fd );
@@ -1788,6 +1801,8 @@
memory_buffer_alloc_free();
#endif
+ printf( " done.\n" );
+
#if defined(_WIN32)
printf( " + Press Enter to exit this program.\n" );
fflush( stdout ); getchar();
diff --git a/programs/x509/cert_app.c b/programs/x509/cert_app.c
index 5f8636b..1ab7cc7 100644
--- a/programs/x509/cert_app.c
+++ b/programs/x509/cert_app.c
@@ -188,6 +188,7 @@
{
usage:
printf( USAGE );
+ ret = 2;
goto exit;
}
@@ -500,6 +501,9 @@
fflush( stdout ); getchar();
#endif
+ if( ret < 0 )
+ ret = 1;
+
return( ret );
}
#endif /* POLARSSL_BIGNUM_C && POLARSSL_ENTROPY_C && POLARSSL_SSL_TLS_C &&
diff --git a/scripts/config.pl b/scripts/config.pl
index d04be59..8998fd6 100755
--- a/scripts/config.pl
+++ b/scripts/config.pl
@@ -6,10 +6,11 @@
use strict;
my $usage = <<EOU;
-$0 [-f <file>] full
$0 [-f <file>] unset <name>
$0 [-f <file>] set <name> [<value>]
EOU
+# for our eyes only:
+# $0 [-f <file>] full
# Things that shouldn't be enabled with "full".
# Notes:
diff --git a/scripts/malloc-init.pl b/scripts/malloc-init.pl
new file mode 100755
index 0000000..1fa1cf3
--- /dev/null
+++ b/scripts/malloc-init.pl
@@ -0,0 +1,70 @@
+#!/usr/bin/perl
+
+# Check for malloc calls not shortly followed by initialisation.
+#
+# Known limitations:
+# - false negative: can't see allocations spanning more than one line
+# - possible false negatives, see patterns
+# - false positive: malloc-malloc-init-init is not accepted
+# - false positives: "non-standard" init functions (eg, the things being
+# initialised is not the first arg, or initialise struct members)
+#
+# Since false positives are expected, the results must be manually reviewed.
+#
+# Typical usage: scripts/malloc-init.pl library/*.c
+
+use warnings;
+use strict;
+
+use utf8;
+use open qw(:std utf8);
+
+my $limit = 7;
+my $inits = qr/memset|memcpy|_init|fread|base64_..code/;
+
+# cases to bear in mind:
+#
+# 0. foo = malloc(...); memset( foo, ... );
+# 1. *foo = malloc(...); memset( *foo, ... );
+# 2. type *foo = malloc(...); memset( foo, ...);
+# 3. foo = malloc(...); foo_init( (type *) foo );
+# 4. foo = malloc(...); for(i=0..n) { init( &foo[i] ); }
+#
+# The chosen patterns are a bit relaxed, but unlikely to cause false positives
+# in real code (initialising *foo or &foo instead of foo will likely be caught
+# by functional tests).
+#
+my $id = qr/([a-zA-Z-0-9_\->\.]*)/;
+my $prefix = qr/\s(?:\*?|\&?|\([a-z_]* \*\))\s*/;
+
+my $name;
+my $line;
+my @bad;
+
+die "Usage: $0 file.c [...]\n" unless @ARGV;
+
+while (my $file = shift @ARGV)
+{
+ open my $fh, "<", $file or die "read $file failed: $!\n";
+ while (<$fh>)
+ {
+ if( /polarssl_malloc\(/ ) {
+ if( /$id\s*=.*polarssl_malloc\(/ ) {
+ push @bad, "$file:$line:$name" if $name;
+ $name = $1;
+ $line = $.;
+ } else {
+ push @bad, "$file:$.:???" unless /return polarssl_malloc/;
+ }
+ } elsif( $name && /(?:$inits)\($prefix\Q$name\E\b/ ) {
+ undef $name;
+ } elsif( $name && $. - $line > $limit ) {
+ push @bad, "$file:$line:$name";
+ undef $name;
+ undef $line;
+ }
+ }
+ close $fh or die;
+}
+
+print "$_\n" for @bad;
diff --git a/scripts/recursion.pl b/scripts/recursion.pl
new file mode 100755
index 0000000..2c39c14
--- /dev/null
+++ b/scripts/recursion.pl
@@ -0,0 +1,44 @@
+#!/usr/bin/perl
+
+# Find functions making recursive calls to themselves.
+# (Multiple recursion where a() calls b() which calls a() not covered.)
+#
+# When the recursion depth might depend on data controlled by the attacker in
+# an unbounded way, those functions should use interation instead.
+#
+# Typical usage: scripts/recursion.pl library/*.c
+
+use warnings;
+use strict;
+
+use utf8;
+use open qw(:std utf8);
+
+# exclude functions that are ok:
+# - mpi_write_hlp: bounded by size of mpi, a compile-time constant
+# - x509_crt_verify_child: bounded by POLARSSL_X509_MAX_INTERMEDIATE_CA
+my $known_ok = qr/mpi_write_hlp|x509_crt_verify_child/;
+
+my $cur_name;
+my $inside;
+my @funcs;
+
+die "Usage: $0 file.c [...]\n" unless @ARGV;
+
+while (<>)
+{
+ if( /^[^\/#{}\s]/ && ! /\[.*]/ ) {
+ chomp( $cur_name = $_ ) unless $inside;
+ } elsif( /^{/ && $cur_name ) {
+ $inside = 1;
+ $cur_name =~ s/.* ([^ ]*)\(.*/$1/;
+ } elsif( /^}/ && $inside ) {
+ undef $inside;
+ undef $cur_name;
+ } elsif( $inside && /\b\Q$cur_name\E\([^)]/ ) {
+ push @funcs, $cur_name unless /$known_ok/;
+ }
+}
+
+print "$_\n" for @funcs;
+exit @funcs;
diff --git a/tests/CMakeLists.txt b/tests/CMakeLists.txt
index ab6c59f..3cd7e37 100644
--- a/tests/CMakeLists.txt
+++ b/tests/CMakeLists.txt
@@ -29,11 +29,7 @@
add_test(${data_name}-suite test_suite_${data_name})
endfunction(add_test_suite)
-set(CMAKE_C_FLAGS "${CMAKE_C_FLAGS} -Wno-unused-function -Wno-unused-value")
-set(CMAKE_C_FLAGS_CHECK "${CMAKE_C_FLAGS_CHECK} -Wno-unused-function -Wno-unused-value")
-if(CMAKE_COMPILER_IS_CLANG)
- set(CMAKE_C_FLAGS "${CMAKE_C_FLAGS} -Wno-unreachable-code")
-endif(CMAKE_COMPILER_IS_CLANG)
+set(CMAKE_C_FLAGS "${CMAKE_C_FLAGS} -Wno-unused-function")
add_test_suite(aes aes.ecb)
add_test_suite(aes aes.cbc)
diff --git a/tests/data_files/Readme-x509.txt b/tests/data_files/Readme-x509.txt
new file mode 100644
index 0000000..3022aae
--- /dev/null
+++ b/tests/data_files/Readme-x509.txt
@@ -0,0 +1,85 @@
+This documents the X.509 CAs, certificates, and CRLS used for testing.
+
+Certification authorities
+-------------------------
+
+There are two main CAs for use as trusted roots:
+- test-ca.crt aka "C=NL, O=PolarSSL, CN=PolarSSL Test CA"
+ uses a RSA-2048 key
+- test-ca2*.crt aka "C=NL, O=PolarSSL, CN=Polarssl Test EC CA"
+ uses an EC key with NIST P-384 (aka secp384r1)
+ variants used to test the keyUsage extension
+The files test-ca_cat12 and test-ca_cat21 contain them concatenated both ways.
+
+Two intermediate CAs are signed by them:
+- test-int-ca.crt "C=NL, O=PolarSSL, CN=PolarSSL Test Intermediate CA"
+ uses RSA-4096, signed by test-ca2
+- test-int-ca2.crt "C=NL, O=PolarSSL, CN=PolarSSL Test Intermediate EC CA"
+ uses an EC key with NIST P-256, signed by test-ca
+
+Finally, other CAs for specific purposes:
+- enco-ca-prstr.pem: has its CN encoded as a printable string, but child cert
+ enco-cert-utf8str.pem has its issuer's CN encoded as a UTF-8 string.
+- test-ca-v1.crt: v1 "CA", signs
+ server1-v1.crt: v1 "intermediate CA", signs
+ server2-v1*.crt: EE cert (without of with chain in same file)
+
+End-entity certificates
+-----------------------
+
+Short information fields:
+
+- name or pattern
+- issuing CA: 1 -> test-ca.crt
+ 2 -> test-ca2.crt
+ I1 -> test-int-ca.crt
+ I2 -> test-int-ca2.crt
+ O -> other
+- key type: R -> RSA, E -> EC
+- C -> there is a CRL revoking this cert (see below)
+- L -> CN=localhost (useful for local test servers)
+- P1, P2 if the file include parent (resp. parent + grandparent)
+- free-form comments
+
+List of certificates:
+
+- cert_example_multi*.crt: 1/O R: subjectAltName
+- cert_example_wildcard.crt: 1 R: wildcard in subject's CN
+- cert_md*.crt, cert_sha*.crt: 1 R: signature hash
+- cert_v1_with_ext.crt: 1 R: v1 with extensions (illegal)
+- cli2.crt: 2 E: basic
+- enco-cert-utf8str.pem: see enco-ca-prstr.pem above
+- server1*.crt: 1* R C*: misc *(server1-v1 see test-ca-v1.crt above)
+ *CRL for: .cert_type.crt, .crt, .key_usage.crt, .v1.crt
+- server2-v1*.crt: O R: see test-ca-v1.crt above
+- server2*.crt: 1 R L: misc
+- server3.crt: 1 E L: EC cert signed by RSA CA
+- server4.crt: 2 R L: RSA cert signed by EC CA
+- server5*.crt: 2* E L: misc *(except server5-selfsigned)
+ -sha*: hashes
+ -eku*: extendeKeyUsage (cli/srv = www client/server, cs = codesign, etc)
+ -ku*: keyUsage (ds = signatures, ke/ka = key exchange/agreement)
+- server6-ss-child.crt: O E: "child" of non-CA server5-selfsigned
+- server6.crt, server6.pem: 2 E L C: revoked
+- server7*.crt: I1 E L P1*: EC signed by RSA signed by EC *(except 7.crt)
+ *_space: with PEM error(s)
+- server8*.crt: I2 R L: RSA signed by EC signed by RSA (P1 for _int-ca2)
+- server9*.crt: 1 R C* L P1*: signed using RSASSA-PSS
+ *CRL for: 9.crt, -badsign, -with-ca (P1)
+
+Certificate revocation lists
+----------------------------
+
+Signing CA in parentheses (same meaning as certificates).
+
+- crl-ec-sha*: (2) server6.crt
+- crl-future.pem: (2) server6.crt + unkown
+- crl-rsa-pss-*.pem: (1) server9{,badsign,with-ca}.crt + cert_sha384.crt + unknown
+- crl.pem, crl_expired.pem: (1) server1{,.cert_type,.key_usage,.v1}.crt + unknown
+- crl_md*.pem: crl_sha*.pem: (1) same as crl.pem
+- crt_cat_*.pem: (1+2) concatenations in various orders:
+ ec = crl-ec-sha256.pem, ecfut = crl-future.pem
+ rsa = crl.pem, rsabadpem = same with pem error, rsaexp = crl_expired.pem
+
+Note: crl_future would revoke server9 and cert_sha384.crt if signed by CA 1
+ crl-rsa-pss* would revoke server6.crt if signed by CA 2
diff --git a/tests/data_files/crl_cat_ec-rsa.pem b/tests/data_files/crl_cat_ec-rsa.pem
new file mode 100644
index 0000000..3cda8ff
--- /dev/null
+++ b/tests/data_files/crl_cat_ec-rsa.pem
@@ -0,0 +1,21 @@
+-----BEGIN X509 CRL-----
+MIIBcTCB9wIBATAKBggqhkjOPQQDAjA+MQswCQYDVQQGEwJOTDERMA8GA1UEChMI
+UG9sYXJTU0wxHDAaBgNVBAMTE1BvbGFyc3NsIFRlc3QgRUMgQ0EXDTEzMDkyNDE2
+MzEwOFoXDTIzMDkyMjE2MzEwOFowFDASAgEKFw0xMzA5MjQxNjI4MzhaoHIwcDBu
+BgNVHSMEZzBlgBSdbSAkSQE/K8t4tRm8fiTJ2/s2fKFCpEAwPjELMAkGA1UEBhMC
+TkwxETAPBgNVBAoTCFBvbGFyU1NMMRwwGgYDVQQDExNQb2xhcnNzbCBUZXN0IEVD
+IENBggkAwUPifmJDzOgwCgYIKoZIzj0EAwIDaQAwZgIxAKuQ684s7gyhtxKJr6Ln
+S2BQ02f1jjPHrZVdXaZvm3C5tGi2cKkoK1aMiyC3LsRCuAIxAIMhj0TmcuIZr5fX
+g5RByD7zUnZBpoEAdgxFy4JPJ2IViWOPekSGh8b/JY1VNS6Zbw==
+-----END X509 CRL-----
+-----BEGIN X509 CRL-----
+MIIBqzCBlDANBgkqhkiG9w0BAQUFADA7MQswCQYDVQQGEwJOTDERMA8GA1UEChMI
+UG9sYXJTU0wxGTAXBgNVBAMTEFBvbGFyU1NMIFRlc3QgQ0EXDTExMDIyMDEwMjI1
+OVoXDTE5MTEyNTEwMjI1OVowKDASAgEBFw0xMTAyMTIxNDQ0MDdaMBICAQMXDTEx
+MDIxMjE0NDQwN1owDQYJKoZIhvcNAQEFBQADggEBAJYuWdKPdblMVWCnxpMnchuL
+dqWzK2BA0RelCaGjpxuwX3NmLDm+5hKja/DJxaRqTOf4RSC3kcX8CdIldsLO96dz
+//wAQdFPDhy6AFT5vKTO8ItPHDb7qFOqFqpeJi5XN1yoZGTB1ei0mgD3xBaKbp6U
+yCOZJSIFomt7piT4GcgWVHLUmpyHDDeodNhYPrN0jf2mr+ECd9fQJYdz1qm0Xx+Q
+NbKXDiPRmPX0qVleCZSeSp1JAmU4GoCO+96qQUpjgll+6xWya3UNj61f9sh0Zzr7
+5ug2LZo5uBM/LpNR1K3TLxNCcg7uUPTn9r143d7ivJhPl3tEJn4PXjv6mlLoOgU=
+-----END X509 CRL-----
diff --git a/tests/data_files/crl_cat_ecfut-rsa.pem b/tests/data_files/crl_cat_ecfut-rsa.pem
new file mode 100644
index 0000000..87b8c29
--- /dev/null
+++ b/tests/data_files/crl_cat_ecfut-rsa.pem
@@ -0,0 +1,22 @@
+-----BEGIN X509 CRL-----
+MIIBgzCCAQoCAQEwCQYHKoZIzj0EATA+MQswCQYDVQQGEwJOTDERMA8GA1UEChMI
+UG9sYXJTU0wxHDAaBgNVBAMTE1BvbGFyc3NsIFRlc3QgRUMgQ0EXDTMyMDMxMDEx
+MDUxNVoXDTQyMDMwODExMDUxNVowKDASAgEKFw0xMzA5MjQxNjI4MzhaMBICARYX
+DTE0MDEyMDEzNDMwNVqgcjBwMG4GA1UdIwRnMGWAFJ1tICRJAT8ry3i1Gbx+JMnb
++zZ8oUKkQDA+MQswCQYDVQQGEwJOTDERMA8GA1UEChMIUG9sYXJTU0wxHDAaBgNV
+BAMTE1BvbGFyc3NsIFRlc3QgRUMgQ0GCCQDBQ+J+YkPM6DAJBgcqhkjOPQQBA2gA
+MGUCMQCmsvNsOQdbGpmzpeZlKU9lDP6yyWenrI/89swZYogE3cSPob4tOzeYg38i
+or91IPgCMD7N/0Qz6Nq2IgBtZORLgsA0ltK+W6AOS+/EIhvGuXV8uguUyYknl4vb
++cE+lWxhCQ==
+-----END X509 CRL-----
+-----BEGIN X509 CRL-----
+MIIBqzCBlDANBgkqhkiG9w0BAQUFADA7MQswCQYDVQQGEwJOTDERMA8GA1UEChMI
+UG9sYXJTU0wxGTAXBgNVBAMTEFBvbGFyU1NMIFRlc3QgQ0EXDTExMDIyMDEwMjI1
+OVoXDTE5MTEyNTEwMjI1OVowKDASAgEBFw0xMTAyMTIxNDQ0MDdaMBICAQMXDTEx
+MDIxMjE0NDQwN1owDQYJKoZIhvcNAQEFBQADggEBAJYuWdKPdblMVWCnxpMnchuL
+dqWzK2BA0RelCaGjpxuwX3NmLDm+5hKja/DJxaRqTOf4RSC3kcX8CdIldsLO96dz
+//wAQdFPDhy6AFT5vKTO8ItPHDb7qFOqFqpeJi5XN1yoZGTB1ei0mgD3xBaKbp6U
+yCOZJSIFomt7piT4GcgWVHLUmpyHDDeodNhYPrN0jf2mr+ECd9fQJYdz1qm0Xx+Q
+NbKXDiPRmPX0qVleCZSeSp1JAmU4GoCO+96qQUpjgll+6xWya3UNj61f9sh0Zzr7
+5ug2LZo5uBM/LpNR1K3TLxNCcg7uUPTn9r143d7ivJhPl3tEJn4PXjv6mlLoOgU=
+-----END X509 CRL-----
diff --git a/tests/data_files/crl_cat_rsa-ec.pem b/tests/data_files/crl_cat_rsa-ec.pem
new file mode 100644
index 0000000..ded369d
--- /dev/null
+++ b/tests/data_files/crl_cat_rsa-ec.pem
@@ -0,0 +1,21 @@
+-----BEGIN X509 CRL-----
+MIIBqzCBlDANBgkqhkiG9w0BAQUFADA7MQswCQYDVQQGEwJOTDERMA8GA1UEChMI
+UG9sYXJTU0wxGTAXBgNVBAMTEFBvbGFyU1NMIFRlc3QgQ0EXDTExMDIyMDEwMjI1
+OVoXDTE5MTEyNTEwMjI1OVowKDASAgEBFw0xMTAyMTIxNDQ0MDdaMBICAQMXDTEx
+MDIxMjE0NDQwN1owDQYJKoZIhvcNAQEFBQADggEBAJYuWdKPdblMVWCnxpMnchuL
+dqWzK2BA0RelCaGjpxuwX3NmLDm+5hKja/DJxaRqTOf4RSC3kcX8CdIldsLO96dz
+//wAQdFPDhy6AFT5vKTO8ItPHDb7qFOqFqpeJi5XN1yoZGTB1ei0mgD3xBaKbp6U
+yCOZJSIFomt7piT4GcgWVHLUmpyHDDeodNhYPrN0jf2mr+ECd9fQJYdz1qm0Xx+Q
+NbKXDiPRmPX0qVleCZSeSp1JAmU4GoCO+96qQUpjgll+6xWya3UNj61f9sh0Zzr7
+5ug2LZo5uBM/LpNR1K3TLxNCcg7uUPTn9r143d7ivJhPl3tEJn4PXjv6mlLoOgU=
+-----END X509 CRL-----
+-----BEGIN X509 CRL-----
+MIIBcTCB9wIBATAKBggqhkjOPQQDAjA+MQswCQYDVQQGEwJOTDERMA8GA1UEChMI
+UG9sYXJTU0wxHDAaBgNVBAMTE1BvbGFyc3NsIFRlc3QgRUMgQ0EXDTEzMDkyNDE2
+MzEwOFoXDTIzMDkyMjE2MzEwOFowFDASAgEKFw0xMzA5MjQxNjI4MzhaoHIwcDBu
+BgNVHSMEZzBlgBSdbSAkSQE/K8t4tRm8fiTJ2/s2fKFCpEAwPjELMAkGA1UEBhMC
+TkwxETAPBgNVBAoTCFBvbGFyU1NMMRwwGgYDVQQDExNQb2xhcnNzbCBUZXN0IEVD
+IENBggkAwUPifmJDzOgwCgYIKoZIzj0EAwIDaQAwZgIxAKuQ684s7gyhtxKJr6Ln
+S2BQ02f1jjPHrZVdXaZvm3C5tGi2cKkoK1aMiyC3LsRCuAIxAIMhj0TmcuIZr5fX
+g5RByD7zUnZBpoEAdgxFy4JPJ2IViWOPekSGh8b/JY1VNS6Zbw==
+-----END X509 CRL-----
diff --git a/tests/data_files/crl_cat_rsabadpem-ec.pem b/tests/data_files/crl_cat_rsabadpem-ec.pem
new file mode 100644
index 0000000..a035e18
--- /dev/null
+++ b/tests/data_files/crl_cat_rsabadpem-ec.pem
@@ -0,0 +1,21 @@
+-----BEGIN X509 CRL-----
+MIIBqzCBlDANBgkqhkiG9w0BAQUFADA7MQswCQYDVQQGEwJOTDERMA8GA1UEChMI
+UG9sYXJTU0wxGTAXBgNVBAMTEFBvbGFyU1NMIFRlc3QgQ0EXDTExMDIyMDEwMjI1
+OVoXDTE5MTEyNTEwMjI1OVowKDASAgEBFw0xMTAyMTIxNDQ0MDdaMBICAQMXDTEx
+MDIxMjE0NDQwN1owDQYJKoZIhvcNAQEFBQADggEBAJYuWdKPdblMVWCnxpMnchuL
+dqWzK2BA0RelCaGjpxuwX3NmLDm+5hKja/DJxaRqTOf4RSC3kcX8CdIldsLO96dz
+//wAQdFPDhy6AFT5vKTO8ItPHDb7qFOqFqpeJi5XN1yoZGTB1ei0mgD3xBaKbp6U
+yCOZJSIFomt7piT4GcgWVHLUmpyHDDeodNhYPrN0jf2mr+ECd9fQJYdz1qm0Xx+Q
+NbKXDiPRmPX0qVleCZSeSp1JAmU4GoCO+96qQUpjgll+6xWya3UNj61f9sh0Zzr7
+5ug2LZo5uBM/LpNR1K3TLxNCcg7uUPTn9r143d7ivJhPl3tEJn4PXjv6mlLoOgU
+-----END X509 CRL-----
+-----BEGIN X509 CRL-----
+MIIBcTCB9wIBATAKBggqhkjOPQQDAjA+MQswCQYDVQQGEwJOTDERMA8GA1UEChMI
+UG9sYXJTU0wxHDAaBgNVBAMTE1BvbGFyc3NsIFRlc3QgRUMgQ0EXDTEzMDkyNDE2
+MzEwOFoXDTIzMDkyMjE2MzEwOFowFDASAgEKFw0xMzA5MjQxNjI4MzhaoHIwcDBu
+BgNVHSMEZzBlgBSdbSAkSQE/K8t4tRm8fiTJ2/s2fKFCpEAwPjELMAkGA1UEBhMC
+TkwxETAPBgNVBAoTCFBvbGFyU1NMMRwwGgYDVQQDExNQb2xhcnNzbCBUZXN0IEVD
+IENBggkAwUPifmJDzOgwCgYIKoZIzj0EAwIDaQAwZgIxAKuQ684s7gyhtxKJr6Ln
+S2BQ02f1jjPHrZVdXaZvm3C5tGi2cKkoK1aMiyC3LsRCuAIxAIMhj0TmcuIZr5fX
+g5RByD7zUnZBpoEAdgxFy4JPJ2IViWOPekSGh8b/JY1VNS6Zbw==
+-----END X509 CRL-----
diff --git a/tests/data_files/crt_cat_rsaexp-ec.pem b/tests/data_files/crt_cat_rsaexp-ec.pem
new file mode 100644
index 0000000..4f74c9a
--- /dev/null
+++ b/tests/data_files/crt_cat_rsaexp-ec.pem
@@ -0,0 +1,21 @@
+-----BEGIN X509 CRL-----
+MIIBqzCBlDANBgkqhkiG9w0BAQUFADA7MQswCQYDVQQGEwJOTDERMA8GA1UEChMI
+UG9sYXJTU0wxGTAXBgNVBAMTEFBvbGFyU1NMIFRlc3QgQ0EXDTExMDIyMDEwMjQx
+OVoXDTExMDIyMDExMjQxOVowKDASAgEBFw0xMTAyMTIxNDQ0MDdaMBICAQMXDTEx
+MDIxMjE0NDQwN1owDQYJKoZIhvcNAQEFBQADggEBAKgP1XmCIPbfY1/UO+SVFQir
+jArZ94QnQdoan4tJ29d8DmTxJ+z9/KyWNoGeOwc9P/2GQQaZahQOBr0f6lYd67Ct
+wFVh/Q2zF8FgRcrQV7u/vJM33Q2yEsQkMGlM7rE5lC972vUKWu/NKq8bN9W/tWxZ
+SFbvTXpv024aI0IRudpOCALnIy8SFhVb2/52IN2uR6qrFizDexMEdSckgpHuJzGS
+IiANhIMn5LdQYJFjPgBzQU12tDdgzcpxtGhT10y4uQre+UbSjw+iVyml3issw59k
+OSmkWFb06LamRC215JAMok3YQO5RnxCR8EjqPcJr+7+O9a1O1++yiaitg4bUjEA=
+-----END X509 CRL-----
+-----BEGIN X509 CRL-----
+MIIBcTCB9wIBATAKBggqhkjOPQQDAjA+MQswCQYDVQQGEwJOTDERMA8GA1UEChMI
+UG9sYXJTU0wxHDAaBgNVBAMTE1BvbGFyc3NsIFRlc3QgRUMgQ0EXDTEzMDkyNDE2
+MzEwOFoXDTIzMDkyMjE2MzEwOFowFDASAgEKFw0xMzA5MjQxNjI4MzhaoHIwcDBu
+BgNVHSMEZzBlgBSdbSAkSQE/K8t4tRm8fiTJ2/s2fKFCpEAwPjELMAkGA1UEBhMC
+TkwxETAPBgNVBAoTCFBvbGFyU1NMMRwwGgYDVQQDExNQb2xhcnNzbCBUZXN0IEVD
+IENBggkAwUPifmJDzOgwCgYIKoZIzj0EAwIDaQAwZgIxAKuQ684s7gyhtxKJr6Ln
+S2BQ02f1jjPHrZVdXaZvm3C5tGi2cKkoK1aMiyC3LsRCuAIxAIMhj0TmcuIZr5fX
+g5RByD7zUnZBpoEAdgxFy4JPJ2IViWOPekSGh8b/JY1VNS6Zbw==
+-----END X509 CRL-----
diff --git a/tests/data_files/server6.pem b/tests/data_files/server6.pem
deleted file mode 100644
index f78cb10..0000000
--- a/tests/data_files/server6.pem
+++ /dev/null
@@ -1,13 +0,0 @@
------BEGIN CERTIFICATE-----
-MIIB3TCCAZSgAwIBAgIBGDAJBgcqhkjOPQQBMD4xCzAJBgNVBAYTAk5MMREwDwYD
-VQQKEwhQb2xhclNTTDEcMBoGA1UEAxMTUG9sYXJTU0wgVGVzdCBFQyBDQTAeFw0x
-MzA4MDgxNjQ0MTBaFw0yMzA4MDYxNjQ0MTBaMDQxCzAJBgNVBAYTAk5MMREwDwYD
-VQQKEwhQb2xhclNTTDESMBAGA1UEAxMJbG9jYWxob3N0MEkwEwYHKoZIzj0CAQYI
-KoZIzj0DAQEDMgAEE2sIbSZOSEinZM3q2MMOy8egM8Y9BAcsuwxO9UpS1B8nT9u1
-1bvjTh5VQAgJAU+Oo4GdMIGaMAkGA1UdEwQCMAAwHQYDVR0OBBYEFDYreWnU1s1J
-AG49ALPOQliFaJahMG4GA1UdIwRnMGWAFNCkRpkIZ/H0utlW6GcwC/zvJRZjoUKk
-QDA+MQswCQYDVQQGEwJOTDERMA8GA1UEChMIUG9sYXJTU0wxHDAaBgNVBAMTE1Bv
-bGFyU1NMIFRlc3QgRUMgQ0GCCQClZwiM/hcKsjAJBgcqhkjOPQQBAzgAMDUCGQDq
-PIUaCr8u28R7V0G/TEOklXgPawdiY4ICGDzmBegZHs7BcNwENa1fn4JYUdTPqKwl
-LA==
------END CERTIFICATE-----
diff --git a/tests/scripts/all.sh b/tests/scripts/all.sh
index 14cd9cf..30c19d5 100755
--- a/tests/scripts/all.sh
+++ b/tests/scripts/all.sh
@@ -6,8 +6,8 @@
# CMake configuration. After this script is run, the CMake cache is lost and
# CMake is not initialised any more!
#
-# Assumes gcc and clang (recent enough for using ASan) are available,
-# as well as cmake and valgrind.
+# Assumes gcc and clang (recent enough for using ASan with gcc and MemSen with
+# clang) are available, as well as cmake and GNU find.
# Abort on errors (and uninitiliased variables)
set -eu
@@ -24,12 +24,9 @@
while [ $# -gt 0 ]; do
case "$1" in
- -m1)
+ -m*)
MEMORY=1
;;
- -m2)
- MEMORY=2
- ;;
*)
echo "Unknown argument: '$1'" >&2
echo "Use the source, Luke!" >&2
@@ -60,94 +57,103 @@
{
echo ""
echo "******************************************************************"
- echo "* $1"
+ echo "* $1 "
+ echo -n "* "; date
echo "******************************************************************"
}
# The test ordering tries to optimize for the following criteria:
-# 1. Catch possible problems early, by running first test that run quickly
+# 1. Catch possible problems early, by running first tests that run quickly
# and/or are more likely to fail than others (eg I use Clang most of the
# time, so start with a GCC build).
# 2. Minimize total running time, by avoiding useless rebuilds
#
# Indicative running times are given for reference.
-msg "build: cmake, -Werror (gcc)" # ~ 1 min
+msg "test: recursion.pl" # < 1s
+scripts/recursion.pl library/*.c
+
+msg "build: cmake, gcc, ASan" # ~ 1 min 50s
cleanup
-CC=gcc cmake -D CMAKE_BUILD_TYPE:String=Check .
+CC=gcc cmake -D CMAKE_BUILD_TYPE:String=Asan .
make
-msg "test: main suites with valgrind" # ~ 2 min 10s
-make memcheck
+msg "test: main suites and selftest (ASan build)" # ~ 50s
+make test
+programs/test/selftest
-msg "build: with ASan (clang)" # ~ 1 min
-cleanup
-CC=clang cmake -D CMAKE_BUILD_TYPE:String=ASan .
-make
-
-msg "test: ssl-opt.sh (ASan build)" # ~ 1 min 10s
+msg "test: ssl-opt.sh (ASan build)" # ~ 1 min
cd tests
./ssl-opt.sh
cd ..
-msg "test: main suites and selftest (ASan build)" # ~ 10s + 30s
-make test
-programs/test/selftest
-
-msg "test: ref-configs (ASan build)" # ~ 4 min 45 s
+msg "test/build: ref-configs (ASan build)" # ~ 6 min 20s
tests/scripts/test-ref-configs.pl
-# Most issues are likely to be caught at this point
+# Most frequent issues are likely to be caught at this point
msg "build: with ASan (rebuild after ref-configs)" # ~ 1 min
make
-msg "test: compat.sh (ASan build)" # ~ 7 min 30s
+msg "test: compat.sh (ASan build)" # ~ 6 min
cd tests
./compat.sh
cd ..
-msg "build: cmake, full config" # ~ 40s
+msg "build: cmake, full config, clang" # ~ 50s
cleanup
cp "$CONFIG_H" "$CONFIG_BAK"
scripts/config.pl full
scripts/config.pl unset POLARSSL_MEMORY_BACKTRACE # too slow for tests
-cmake -D CMAKE_BUILD_TYPE:String=Check .
+CC=clang cmake -D CMAKE_BUILD_TYPE:String=Check .
make
-msg "test: main suites (full config)"
+msg "test: main suites (full config)" # ~ 5s
make test
-msg "test: ssl-opt.sh default (full config)"
+msg "test: ssl-opt.sh default (full config)" # ~ 1s
cd tests
./ssl-opt.sh -f Default
cd ..
-msg "test: compat.sh 3DES & NULL (full config)"
+msg "test: compat.sh DES & NULL (full config)" # ~ 2 min
cd tests
./compat.sh -e '^$' -f 'NULL\|3DES-EDE-CBC\|DES-CBC3'
cd ..
+msg "test/build: curves.pl (gcc)" # ~ 5 min (?)
+cleanup
+cmake -D CMAKE_BUILD_TYPE:String=Debug .
+tests/scripts/curves.pl
+
msg "build: Unix make, -O2 (gcc)" # ~ 30s
cleanup
CC=gcc make
-# Optional parts that take a long time to run
+msg "build: MSan (clang)" # ~ 1 min 20s
+cleanup
+cp "$CONFIG_H" "$CONFIG_BAK"
+scripts/config.pl unset POLARSSL_AESNI_C # memsan doesn't grok asm
+CC=clang cmake -D CMAKE_BUILD_TYPE:String=MemSan .
+make
-if [ "$MEMORY" -ge 1 ]; then
- msg "test: ssl-opt --memcheck (-02 build)" # ~ 8 min
+msg "test: main suites (MSan)" # ~ 10s
+make test
+
+msg "test: ssl-opt.sh (MSan)" # ~ 1 min
+cd tests
+./ssl-opt.sh
+cd ..
+
+# Optional part(s)
+
+if [ "$MEMORY" -gt 0 ]; then
+ msg "test: compat.sh (MSan)" # ~ 6 min 20s
cd tests
- ./ssl-opt.sh --memcheck
+ ./compat.sh
cd ..
-
- if [ "$MEMORY" -ge 2 ]; then
- msg "test: compat --memcheck (-02 build)" # ~ 42 min
- cd tests
- ./compat.sh --memcheck
- cd ..
- fi
fi
-echo "Done."
+msg "Done, cleaning up"
cleanup
diff --git a/tests/scripts/curves.pl b/tests/scripts/curves.pl
new file mode 100755
index 0000000..1f489a3
--- /dev/null
+++ b/tests/scripts/curves.pl
@@ -0,0 +1,45 @@
+#!/usr/bin/perl
+
+# test dependencies on individual curves in tests
+# - build
+# - run test suite
+#
+# Usage: tests/scripts/curves.pl
+
+use warnings;
+use strict;
+
+-d 'library' && -d 'include' && -d 'tests' or die "Must be run from root\n";
+
+my $sed_cmd = 's/^#define \(POLARSSL_ECP_DP.*_ENABLED\)/\1/p';
+my $config_h = 'include/polarssl/config.h';
+my @curves = split( /\s+/, `sed -n -e '$sed_cmd' $config_h` );
+
+my $test = system( "grep -i cmake Makefile >/dev/null" ) ? 'check' : 'test';
+
+system( "cp $config_h $config_h.bak" ) and die;
+sub abort {
+ system( "mv $config_h.bak $config_h" ) and warn "$config_h not restored\n";
+ die $_[0];
+}
+
+for my $curve (@curves) {
+ system( "cp $config_h.bak $config_h" ) and die "$config_h not restored\n";
+ system( "make clean" ) and die;
+
+ print "\n******************************************\n";
+ print "* Testing without curve: $curve\n";
+ print "******************************************\n";
+
+ system( "scripts/config.pl unset $curve" )
+ and abort "Failed to disable $curve\n";
+
+ system( "make polarssl" ) and abort "Failed to build lib: $curve\n";
+ system( "cd tests && make" ) and abort "Failed to build tests: $curve\n";
+ system( "make $test" ) and abort "Failed test suite: $curve\n";
+
+}
+
+system( "mv $config_h.bak $config_h" ) and die "$config_h not restored\n";
+system( "make clean" ) and die;
+exit 0;
diff --git a/tests/suites/test_suite_debug.data b/tests/suites/test_suite_debug.data
index 9b49f6a..e0b3bd6 100644
--- a/tests/suites/test_suite_debug.data
+++ b/tests/suites/test_suite_debug.data
@@ -32,19 +32,19 @@
debug_print_buf:POLARSSL_DEBUG_LOG_FULL:"MyFile":999:"Test return value":"":"MyFile(0999)\: dumping 'Test return value' (0 bytes)\n"
Debug print buffer #2
-debug_print_buf:POLARSSL_DEBUG_LOG_FULL:"MyFile":999:"Test return value":"00":"MyFile(0999)\: dumping 'Test return value' (1 bytes)\nMyFile(0999)\: 0000\: 00\n"
+debug_print_buf:POLARSSL_DEBUG_LOG_FULL:"MyFile":999:"Test return value":"00":"MyFile(0999)\: dumping 'Test return value' (1 bytes)\nMyFile(0999)\: 0000\: 00 .\n"
Debug print buffer #3
-debug_print_buf:POLARSSL_DEBUG_LOG_FULL:"MyFile":999:"Test return value":"000102030405060708090A0B0C0D0E0F":"MyFile(0999)\: dumping 'Test return value' (16 bytes)\nMyFile(0999)\: 0000\: 00 01 02 03 04 05 06 07 08 09 0a 0b 0c 0d 0e 0f\n"
+debug_print_buf:POLARSSL_DEBUG_LOG_FULL:"MyFile":999:"Test return value":"000102030405060708090A0B0C0D0E0F":"MyFile(0999)\: dumping 'Test return value' (16 bytes)\nMyFile(0999)\: 0000\: 00 01 02 03 04 05 06 07 08 09 0a 0b 0c 0d 0e 0f ................\n"
Debug print buffer #4
-debug_print_buf:POLARSSL_DEBUG_LOG_FULL:"MyFile":999:"Test return value":"000102030405060708090A0B0C0D0E0F00":"MyFile(0999)\: dumping 'Test return value' (17 bytes)\nMyFile(0999)\: 0000\: 00 01 02 03 04 05 06 07 08 09 0a 0b 0c 0d 0e 0f\nMyFile(0999)\: 0010\: 00\n"
+debug_print_buf:POLARSSL_DEBUG_LOG_FULL:"MyFile":999:"Test return value":"000102030405060708090A0B0C0D0E0F00":"MyFile(0999)\: dumping 'Test return value' (17 bytes)\nMyFile(0999)\: 0000\: 00 01 02 03 04 05 06 07 08 09 0a 0b 0c 0d 0e 0f ................\nMyFile(0999)\: 0010\: 00 .\n"
Debug print buffer #5
-debug_print_buf:POLARSSL_DEBUG_LOG_FULL:"MyFile":999:"Test return value":"000102030405060708090A0B0C0D0E0F000102030405060708090A0B0C0D0E0F000102030405060708090A0B0C0D0E0F00":"MyFile(0999)\: dumping 'Test return value' (49 bytes)\nMyFile(0999)\: 0000\: 00 01 02 03 04 05 06 07 08 09 0a 0b 0c 0d 0e 0f\nMyFile(0999)\: 0010\: 00 01 02 03 04 05 06 07 08 09 0a 0b 0c 0d 0e 0f\nMyFile(0999)\: 0020\: 00 01 02 03 04 05 06 07 08 09 0a 0b 0c 0d 0e 0f\nMyFile(0999)\: 0030\: 00\n"
+debug_print_buf:POLARSSL_DEBUG_LOG_FULL:"MyFile":999:"Test return value":"000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F202122232425262728292A2B2C2D2E2F30":"MyFile(0999)\: dumping 'Test return value' (49 bytes)\nMyFile(0999)\: 0000\: 00 01 02 03 04 05 06 07 08 09 0a 0b 0c 0d 0e 0f ................\nMyFile(0999)\: 0010\: 10 11 12 13 14 15 16 17 18 19 1a 1b 1c 1d 1e 1f ................\nMyFile(0999)\: 0020\: 20 21 22 23 24 25 26 27 28 29 2a 2b 2c 2d 2e 2f !"#$%&'()*+,-./\nMyFile(0999)\: 0030\: 30 0\n"
Debug print buffer #5 (raw)
-debug_print_buf:POLARSSL_DEBUG_LOG_RAW:"MyFile":999:"Test return value":"000102030405060708090A0B0C0D0E0F000102030405060708090A0B0C0D0E0F000102030405060708090A0B0C0D0E0F00":"dumping 'Test return value' (49 bytes)\n0000\: 00 01 02 03 04 05 06 07 08 09 0a 0b 0c 0d 0e 0f\n0010\: 00 01 02 03 04 05 06 07 08 09 0a 0b 0c 0d 0e 0f\n0020\: 00 01 02 03 04 05 06 07 08 09 0a 0b 0c 0d 0e 0f\n0030\: 00\n"
+debug_print_buf:POLARSSL_DEBUG_LOG_RAW:"MyFile":999:"Test return value":"000102030405060708090A0B0C0D0E0F707172737475767778797A7B7C7D7E7F8081828384858687F8F9FAFBFCFDFEFF00":"dumping 'Test return value' (49 bytes)\n0000\: 00 01 02 03 04 05 06 07 08 09 0a 0b 0c 0d 0e 0f ................\n0010\: 70 71 72 73 74 75 76 77 78 79 7a 7b 7c 7d 7e 7f pqrstuvwxyz{|}~.\n0020\: 80 81 82 83 84 85 86 87 f8 f9 fa fb fc fd fe ff ................\n0030\: 00 .\n"
Debug print certificate #1 (RSA)
depends_on:POLARSSL_PEM_PARSE_C:POLARSSL_BASE64_C:POLARSSL_RSA_C
@@ -55,11 +55,11 @@
debug_print_crt:POLARSSL_DEBUG_LOG_RAW:"data_files/server1.crt":"MyFile":999:"PREFIX_":"PREFIX_ #1\:\ncert. version \: 3\nserial number \: 01\nissuer name \: C=NL, O=PolarSSL, CN=PolarSSL Test CA\nsubject name \: C=NL, O=PolarSSL, CN=PolarSSL Server 1\nissued on \: 2011-02-12 14\:44\:06\nexpires on \: 2021-02-12 14\:44\:06\nsigned using \: RSA with SHA1\nRSA key size \: 2048 bits\nbasic constraints \: CA=false\nvalue of 'crt->rsa.N' (2048 bits) is\:\n a9 02 1f 3d 40 6a d5 55 53 8b fd 36 ee 82 65 2e\n 15 61 5e 89 bf b8 e8 45 90 db ee 88 16 52 d3 f1\n 43 50 47 96 12 59 64 87 6b fd 2b e0 46 f9 73 be\n dd cf 92 e1 91 5b ed 66 a0 6f 89 29 79 45 80 d0\n 83 6a d5 41 43 77 5f 39 7c 09 04 47 82 b0 57 39\n 70 ed a3 ec 15 19 1e a8 33 08 47 c1 05 42 a9 fd\n 4c c3 b4 df dd 06 1f 4d 10 51 40 67 73 13 0f 40\n f8 6d 81 25 5f 0a b1 53 c6 30 7e 15 39 ac f9 5a\n ee 7f 92 9e a6 05 5b e7 13 97 85 b5 23 92 d9 d4\n 24 06 d5 09 25 89 75 07 dd a6 1a 8f 3f 09 19 be\n ad 65 2c 64 eb 95 9b dc fe 41 5e 17 a6 da 6c 5b\n 69 cc 02 ba 14 2c 16 24 9c 4a dc cd d0 f7 52 67\n 73 f1 2d a0 23 fd 7e f4 31 ca 2d 70 ca 89 0b 04\n db 2e a6 4f 70 6e 9e ce bd 58 89 e2 53 59 9e 6e\n 5a 92 65 e2 88 3f 0c 94 19 a3 dd e5 e8 9d 95 13\n ed 29 db ab 70 12 dc 5a ca 6b 17 ab 52 82 54 b1\nvalue of 'crt->rsa.E' (17 bits) is\:\n 01 00 01\n"
Debug print certificate #2 (EC)
-depends_on:POLARSSL_PEM_PARSE_C:POLARSSL_BASE64_C:POLARSSL_ECP_C:POLARSSL_ECP_DP_SECP192R1_ENABLED
+depends_on:POLARSSL_PEM_PARSE_C:POLARSSL_BASE64_C:POLARSSL_ECP_C:POLARSSL_ECP_DP_SECP384R1_ENABLED
debug_print_crt:POLARSSL_DEBUG_LOG_FULL:"data_files/test-ca2.crt":"MyFile":999:"PREFIX_":"MyFile(0999)\: PREFIX_ #1\:\nMyFile(0999)\: cert. version \: 3\nMyFile(0999)\: serial number \: C1\:43\:E2\:7E\:62\:43\:CC\:E8\nMyFile(0999)\: issuer name \: C=NL, O=PolarSSL, CN=Polarssl Test EC CA\nMyFile(0999)\: subject name \: C=NL, O=PolarSSL, CN=Polarssl Test EC CA\nMyFile(0999)\: issued on \: 2013-09-24 15\:49\:48\nMyFile(0999)\: expires on \: 2023-09-22 15\:49\:48\nMyFile(0999)\: signed using \: ECDSA with SHA256\nMyFile(0999)\: EC key size \: 384 bits\nMyFile(0999)\: basic constraints \: CA=true\nMyFile(0999)\: value of 'crt->eckey.Q(X)' (384 bits) is\:\nMyFile(0999)\: c3 da 2b 34 41 37 58 2f 87 56 fe fc 89 ba 29 43\nMyFile(0999)\: 4b 4e e0 6e c3 0e 57 53 33 39 58 d4 52 b4 91 95\nMyFile(0999)\: 39 0b 23 df 5f 17 24 62 48 fc 1a 95 29 ce 2c 2d\nMyFile(0999)\: value of 'crt->eckey.Q(Y)' (384 bits) is\:\nMyFile(0999)\: 87 c2 88 52 80 af d6 6a ab 21 dd b8 d3 1c 6e 58\nMyFile(0999)\: b8 ca e8 b2 69 8e f3 41 ad 29 c3 b4 5f 75 a7 47\nMyFile(0999)\: 6f d5 19 29 55 69 9a 53 3b 20 b4 66 16 60 33 1e\n"
Debug print certificate #2 (EC, raw)
-depends_on:POLARSSL_PEM_PARSE_C:POLARSSL_BASE64_C:POLARSSL_ECP_C:POLARSSL_ECP_DP_SECP192R1_ENABLED
+depends_on:POLARSSL_PEM_PARSE_C:POLARSSL_BASE64_C:POLARSSL_ECP_C:POLARSSL_ECP_DP_SECP384R1_ENABLED
debug_print_crt:POLARSSL_DEBUG_LOG_RAW:"data_files/test-ca2.crt":"MyFile":999:"PREFIX_":"PREFIX_ #1\:\ncert. version \: 3\nserial number \: C1\:43\:E2\:7E\:62\:43\:CC\:E8\nissuer name \: C=NL, O=PolarSSL, CN=Polarssl Test EC CA\nsubject name \: C=NL, O=PolarSSL, CN=Polarssl Test EC CA\nissued on \: 2013-09-24 15\:49\:48\nexpires on \: 2023-09-22 15\:49\:48\nsigned using \: ECDSA with SHA256\nEC key size \: 384 bits\nbasic constraints \: CA=true\nvalue of 'crt->eckey.Q(X)' (384 bits) is\:\n c3 da 2b 34 41 37 58 2f 87 56 fe fc 89 ba 29 43\n 4b 4e e0 6e c3 0e 57 53 33 39 58 d4 52 b4 91 95\n 39 0b 23 df 5f 17 24 62 48 fc 1a 95 29 ce 2c 2d\nvalue of 'crt->eckey.Q(Y)' (384 bits) is\:\n 87 c2 88 52 80 af d6 6a ab 21 dd b8 d3 1c 6e 58\n b8 ca e8 b2 69 8e f3 41 ad 29 c3 b4 5f 75 a7 47\n 6f d5 19 29 55 69 9a 53 3b 20 b4 66 16 60 33 1e\n"
Debug print mpi #1
diff --git a/tests/suites/test_suite_ecp.data b/tests/suites/test_suite_ecp.data
index d871a8d..a5dc528 100644
--- a/tests/suites/test_suite_ecp.data
+++ b/tests/suites/test_suite_ecp.data
@@ -324,6 +324,33 @@
depends_on:POLARSSL_ECP_DP_M255_ENABLED
ecp_check_privkey:POLARSSL_ECP_DP_M255:"7FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF8":0
+ECP check public-private #1 (OK)
+depends_on:POLARSSL_ECP_DP_SECP256R1_ENABLED
+ecp_check_pub_priv:POLARSSL_ECP_DP_SECP256R1:"37cc56d976091e5a723ec7592dff206eee7cf9069174d0ad14b5f76822596292":"4ee500d82311ffea2fd2345d5d16bd8a88c26b770d55cd8a2a0efa01c8b4edff":POLARSSL_ECP_DP_SECP256R1:"00f12a1320760270a83cbffd53f6031ef76a5d86c8a204f2c30ca9ebf51f0f0ea7":"37cc56d976091e5a723ec7592dff206eee7cf9069174d0ad14b5f76822596292":"4ee500d82311ffea2fd2345d5d16bd8a88c26b770d55cd8a2a0efa01c8b4edff":0
+
+ECP check public-private #2 (group none)
+ecp_check_pub_priv:POLARSSL_ECP_DP_NONE:"37cc56d976091e5a723ec7592dff206eee7cf9069174d0ad14b5f76822596292":"4ee500d82311ffea2fd2345d5d16bd8a88c26b770d55cd8a2a0efa01c8b4edff":POLARSSL_ECP_DP_NONE:"00f12a1320760270a83cbffd53f6031ef76a5d86c8a204f2c30ca9ebf51f0f0ea7":"37cc56d976091e5a723ec7592dff206eee7cf9069174d0ad14b5f76822596292":"4ee500d82311ffea2fd2345d5d16bd8a88c26b770d55cd8a2a0efa01c8b4edff":POLARSSL_ERR_ECP_BAD_INPUT_DATA
+
+ECP check public-private #3 (group mismatch)
+depends_on:POLARSSL_ECP_DP_SECP256R1_ENABLED:POLARSSL_ECP_DP_SECP384R1_ENABLED
+ecp_check_pub_priv:POLARSSL_ECP_DP_SECP384R1:"37cc56d976091e5a723ec7592dff206eee7cf9069174d0ad14b5f76822596292":"4ee500d82311ffea2fd2345d5d16bd8a88c26b770d55cd8a2a0efa01c8b4edff":POLARSSL_ECP_DP_SECP256R1:"00f12a1320760270a83cbffd53f6031ef76a5d86c8a204f2c30ca9ebf51f0f0ea7":"37cc56d976091e5a723ec7592dff206eee7cf9069174d0ad14b5f76822596292":"4ee500d82311ffea2fd2345d5d16bd8a88c26b770d55cd8a2a0efa01c8b4edff":POLARSSL_ERR_ECP_BAD_INPUT_DATA
+
+ECP check public-private #4 (Qx mismatch)
+depends_on:POLARSSL_ECP_DP_SECP256R1_ENABLED
+ecp_check_pub_priv:POLARSSL_ECP_DP_SECP256R1:"37cc56d976091e5a723ec7592dff206eee7cf9069174d0ad14b5f76822596293":"4ee500d82311ffea2fd2345d5d16bd8a88c26b770d55cd8a2a0efa01c8b4edff":POLARSSL_ECP_DP_SECP256R1:"00f12a1320760270a83cbffd53f6031ef76a5d86c8a204f2c30ca9ebf51f0f0ea7":"37cc56d976091e5a723ec7592dff206eee7cf9069174d0ad14b5f76822596292":"4ee500d82311ffea2fd2345d5d16bd8a88c26b770d55cd8a2a0efa01c8b4edff":POLARSSL_ERR_ECP_BAD_INPUT_DATA
+
+ECP check public-private #5 (Qy mismatch)
+depends_on:POLARSSL_ECP_DP_SECP256R1_ENABLED
+ecp_check_pub_priv:POLARSSL_ECP_DP_SECP256R1:"37cc56d976091e5a723ec7592dff206eee7cf9069174d0ad14b5f76822596292":"4ee500d82311ffea2fd2345d5d16bd8a88c26b770d55cd8a2a0efa01c8b4edfe":POLARSSL_ECP_DP_SECP256R1:"00f12a1320760270a83cbffd53f6031ef76a5d86c8a204f2c30ca9ebf51f0f0ea7":"37cc56d976091e5a723ec7592dff206eee7cf9069174d0ad14b5f76822596292":"4ee500d82311ffea2fd2345d5d16bd8a88c26b770d55cd8a2a0efa01c8b4edff":POLARSSL_ERR_ECP_BAD_INPUT_DATA
+
+ECP check public-private #6 (wrong Qx)
+depends_on:POLARSSL_ECP_DP_SECP256R1_ENABLED
+ecp_check_pub_priv:POLARSSL_ECP_DP_SECP256R1:"37cc56d976091e5a723ec7592dff206eee7cf9069174d0ad14b5f76822596293":"4ee500d82311ffea2fd2345d5d16bd8a88c26b770d55cd8a2a0efa01c8b4edff":POLARSSL_ECP_DP_SECP256R1:"00f12a1320760270a83cbffd53f6031ef76a5d86c8a204f2c30ca9ebf51f0f0ea7":"37cc56d976091e5a723ec7592dff206eee7cf9069174d0ad14b5f76822596293":"4ee500d82311ffea2fd2345d5d16bd8a88c26b770d55cd8a2a0efa01c8b4edff":POLARSSL_ERR_ECP_BAD_INPUT_DATA
+
+ECP check public-private #7 (wrong Qy)
+depends_on:POLARSSL_ECP_DP_SECP256R1_ENABLED
+ecp_check_pub_priv:POLARSSL_ECP_DP_SECP256R1:"37cc56d976091e5a723ec7592dff206eee7cf9069174d0ad14b5f76822596292":"4ee500d82311ffea2fd2345d5d16bd8a88c26b770d55cd8a2a0efa01c8b4edfe":POLARSSL_ECP_DP_SECP256R1:"00f12a1320760270a83cbffd53f6031ef76a5d86c8a204f2c30ca9ebf51f0f0ea7":"37cc56d976091e5a723ec7592dff206eee7cf9069174d0ad14b5f76822596292":"4ee500d82311ffea2fd2345d5d16bd8a88c26b770d55cd8a2a0efa01c8b4edfe":POLARSSL_ERR_ECP_BAD_INPUT_DATA
+
ECP gen keypair
depends_on:POLARSSL_ECP_DP_SECP192R1_ENABLED
ecp_gen_keypair:POLARSSL_ECP_DP_SECP192R1
diff --git a/tests/suites/test_suite_ecp.function b/tests/suites/test_suite_ecp.function
index 62dc606..1c22a84 100644
--- a/tests/suites/test_suite_ecp.function
+++ b/tests/suites/test_suite_ecp.function
@@ -599,6 +599,32 @@
/* END_CASE */
/* BEGIN_CASE */
+void ecp_check_pub_priv( int id_pub, char *Qx_pub, char *Qy_pub,
+ int id, char *d, char *Qx, char *Qy, int ret )
+{
+ ecp_keypair pub, prv;
+
+ ecp_keypair_init( &pub );
+ ecp_keypair_init( &prv );
+
+ if( id_pub != POLARSSL_ECP_DP_NONE )
+ TEST_ASSERT( ecp_use_known_dp( &pub.grp, id_pub ) == 0 );
+ TEST_ASSERT( ecp_point_read_string( &pub.Q, 16, Qx_pub, Qy_pub ) == 0 );
+
+ if( id != POLARSSL_ECP_DP_NONE )
+ TEST_ASSERT( ecp_use_known_dp( &prv.grp, id ) == 0 );
+ TEST_ASSERT( ecp_point_read_string( &prv.Q, 16, Qx, Qy ) == 0 );
+ TEST_ASSERT( mpi_read_string( &prv.d, 16, d ) == 0 );
+
+ TEST_ASSERT( ecp_check_pub_priv( &pub, &prv ) == ret );
+
+exit:
+ ecp_keypair_free( &pub );
+ ecp_keypair_free( &prv );
+}
+/* END_CASE */
+
+/* BEGIN_CASE */
void ecp_gen_keypair( int id )
{
ecp_group grp;
diff --git a/tests/suites/test_suite_pk.data b/tests/suites/test_suite_pk.data
index 47640a6..73694d2 100644
--- a/tests/suites/test_suite_pk.data
+++ b/tests/suites/test_suite_pk.data
@@ -130,3 +130,23 @@
depends_on:POLARSSL_SHA1_C:POLARSSL_PKCS1_V15
pk_rsa_verify_ext_test_vec:"206ef4bf396c6087f8229ef196fd35f37ccb8de5efcdb238f20d556668f114257a11fbe038464a67830378e62ae9791453953dac1dbd7921837ba98e84e856eb80ed9487e656d0b20c28c8ba5e35db1abbed83ed1c7720a97701f709e3547a4bfcabca9c89c57ad15c3996577a0ae36d7c7b699035242f37954646c1cd5c08ac":POLARSSL_MD_SHA1:1024:16:"e28a13548525e5f36dccb24ecb7cc332cc689dfd64012604c9c7816d72a16c3f5fcdc0e86e7c03280b1c69b586ce0cd8aec722cc73a5d3b730310bf7dfebdc77ce5d94bbc369dc18a2f7b07bd505ab0f82224aef09fdc1e5063234255e0b3c40a52e9e8ae60898eb88a766bdd788fe9493d8fd86bcdd2884d5c06216c65469e5":16:"3":"5abc01f5de25b70867ff0c24e222c61f53c88daf42586fddcd56f3c4588f074be3c328056c063388688b6385a8167957c6e5355a510e005b8a851d69c96b36ec6036644078210e5d7d326f96365ee0648882921492bc7b753eb9c26cdbab37555f210df2ca6fec1b25b463d38b81c0dcea202022b04af5da58aa03d77be949b7":POLARSSL_PK_RSA:-1:RSA_SALT_LEN_ANY:0
+Check pair #1 (EC, OK)
+depends_on:POLARSSL_ECP_C:POLARSSL_ECP_DP_SECP256R1_ENABLED
+pk_check_pair:"data_files/ec_256_pub.pem":"data_files/ec_256_prv.pem":0
+
+Check pair #2 (EC, bad)
+depends_on:POLARSSL_ECP_C:POLARSSL_ECP_DP_SECP256R1_ENABLED
+pk_check_pair:"data_files/ec_256_pub.pem":"data_files/server5.key":POLARSSL_ERR_ECP_BAD_INPUT_DATA
+
+Check pair #3 (RSA, OK)
+depends_on:POLARSSL_RSA_C
+pk_check_pair:"data_files/server1.pubkey":"data_files/server1.key":0
+
+Check pair #4 (RSA, bad)
+depends_on:POLARSSL_RSA_C
+pk_check_pair:"data_files/server1.pubkey":"data_files/server2.key":POLARSSL_ERR_RSA_KEY_CHECK_FAILED
+
+Check pair #5 (RSA vs EC)
+depends_on:POLARSSL_ECP_C:POLARSSL_ECP_DP_SECP256R1_ENABLED:POLARSSL_RSA_C
+pk_check_pair:"data_files/ec_256_pub.pem":"data_files/server1.key":POLARSSL_ERR_PK_TYPE_MISMATCH
+
diff --git a/tests/suites/test_suite_pk.function b/tests/suites/test_suite_pk.function
index dc7dee9..fb86c99 100644
--- a/tests/suites/test_suite_pk.function
+++ b/tests/suites/test_suite_pk.function
@@ -1,6 +1,10 @@
/* BEGIN_HEADER */
#include <polarssl/pk.h>
+/* For error codes */
+#include <polarssl/ecp.h>
+#include <polarssl/rsa.h>
+
static int rnd_std_rand( void *rng_state, unsigned char *output, size_t len );
#define RSA_KEY_SIZE 512
@@ -80,6 +84,35 @@
}
/* END_CASE */
+/* BEGIN_CASE depends_on:POLARSSL_PK_PARSE_C:POLARSSL_FS_IO */
+void pk_check_pair( char *pub_file, char *prv_file, int ret )
+{
+ pk_context pub, prv, alt;
+
+ pk_init( &pub );
+ pk_init( &prv );
+ pk_init( &alt );
+
+ TEST_ASSERT( pk_parse_public_keyfile( &pub, pub_file ) == 0 );
+ TEST_ASSERT( pk_parse_keyfile( &prv, prv_file, NULL ) == 0 );
+
+ TEST_ASSERT( pk_check_pair( &pub, &prv ) == ret );
+
+#if defined(POLARSSL_RSA_C)
+ if( pk_get_type( &prv ) == POLARSSL_PK_RSA )
+ {
+ TEST_ASSERT( pk_init_ctx_rsa_alt( &alt, pk_rsa( prv ),
+ rsa_decrypt_func, rsa_sign_func, rsa_key_len_func ) == 0 );
+ TEST_ASSERT( pk_check_pair( &pub, &alt ) == ret );
+ }
+#endif
+
+ pk_free( &pub );
+ pk_free( &prv );
+ pk_free( &alt );
+}
+/* END_CASE */
+
/* BEGIN_CASE depends_on:POLARSSL_RSA_C */
void pk_rsa_verify_test_vec( char *message_hex_string, int digest,
int mod, int radix_N, char *input_N, int radix_E,
diff --git a/tests/suites/test_suite_pkwrite.data b/tests/suites/test_suite_pkwrite.data
index a4d49e7..d1738ac 100644
--- a/tests/suites/test_suite_pkwrite.data
+++ b/tests/suites/test_suite_pkwrite.data
@@ -35,5 +35,5 @@
pk_write_key_check:"data_files/ec_521_prv.pem"
Private key write check EC Brainpool 512 bits
-depends_on:POLARSSL_ECP_C:POLARSSL_BASE64_C:POLARSSL_ECP_DP_SECP192R1_ENABLED
+depends_on:POLARSSL_ECP_C:POLARSSL_BASE64_C:POLARSSL_ECP_DP_BP512R1_ENABLED
pk_write_key_check:"data_files/ec_bp512_prv.pem"
diff --git a/tests/suites/test_suite_rsa.data b/tests/suites/test_suite_rsa.data
index 131e273..c76e5a0 100644
--- a/tests/suites/test_suite_rsa.data
+++ b/tests/suites/test_suite_rsa.data
@@ -318,6 +318,21 @@
RSA Check Public key #10 (E has size N)
rsa_check_pubkey:16:"00b38ac65c8141f7f5c96e14470e851936a67bf94cc6821a39ac12c05f7c0b06d9e6ddba2224703b02e25f31452f9c4a8417b62675fdc6df46b94813bc7b9769a892c482b830bfe0ad42e46668ace68903617faf6681f4babf1cc8e4b0420d3c7f61dc45434c6b54e2c3ee0fc07908509d79c9826e673bf8363255adb0add2401039a7bcd1b4ecf0fbe6ec8369d2da486eec59559dd1d54c9b24190965eafbdab203b35255765261cd0909acf93c3b8b8428cbb448de4715d1b813d0c94829c229543d391ce0adab5351f97a3810c1f73d7b1458b97daed4209c50e16d064d2d5bfda8c23893d755222793146d0a78c3d64f35549141486c3b0961a7b4c1a2034fb38ac65c8141f7f5c96e14470e851936a67bf94cc6821a39ac12c05f7c0b06d9e6ddba2224703b02e25f31452f9c4a8417b62675fdc6df46b94813bc7b9769a892c482b830bfe0ad42e46668ace68903617faf6681f4babf1cc8e4b0420d3c7f61dc45434c6b54e2c3ee0fc07908509d79c9826e673bf8363255adb0add2401039a7bcd1b4ecf0fbe6ec8369d2da486eec59559dd1d54c9b24190965eafbdab203b35255765261cd0909acf93c3b8b8428cbb448de4715d1b813d0c94829c229543d391ce0adab5351f97a3810c1f73d7b1458b97daed4209c50e16d064d2d5bfda8c23893d755222793146d0a78c3d64f35549141486c3b0961a7b4c1a2034f":16:"00b38ac65c8141f7f5c96e14470e851936a67bf94cc6821a39ac12c05f7c0b06d9e6ddba2224703b02e25f31452f9c4a8417b62675fdc6df46b94813bc7b9769a892c482b830bfe0ad42e46668ace68903617faf6681f4babf1cc8e4b0420d3c7f61dc45434c6b54e2c3ee0fc07908509d79c9826e673bf8363255adb0add2401039a7bcd1b4ecf0fbe6ec8369d2da486eec59559dd1d54c9b24190965eafbdab203b35255765261cd0909acf93c3b8b8428cbb448de4715d1b813d0c94829c229543d391ce0adab5351f97a3810c1f73d7b1458b97daed4209c50e16d064d2d5bfda8c23893d755222793146d0a78c3d64f35549141486c3b0961a7b4c1a2034fb38ac65c8141f7f5c96e14470e851936a67bf94cc6821a39ac12c05f7c0b06d9e6ddba2224703b02e25f31452f9c4a8417b62675fdc6df46b94813bc7b9769a892c482b830bfe0ad42e46668ace68903617faf6681f4babf1cc8e4b0420d3c7f61dc45434c6b54e2c3ee0fc07908509d79c9826e673bf8363255adb0add2401039a7bcd1b4ecf0fbe6ec8369d2da486eec59559dd1d54c9b24190965eafbdab203b35255765261cd0909acf93c3b8b8428cbb448de4715d1b813d0c94829c229543d391ce0adab5351f97a3810c1f73d7b1458b97daed4209c50e16d064d2d5bfda8c23893d755222793146d0a78c3d64f35549141486c3b0961a7b4c1a2034f":POLARSSL_ERR_RSA_KEY_CHECK_FAILED
+RSA Check Public-Private key #1 (Correct)
+rsa_check_pubpriv:2048:16:"b38ac65c8141f7f5c96e14470e851936a67bf94cc6821a39ac12c05f7c0b06d9e6ddba2224703b02e25f31452f9c4a8417b62675fdc6df46b94813bc7b9769a892c482b830bfe0ad42e46668ace68903617faf6681f4babf1cc8e4b0420d3c7f61dc45434c6b54e2c3ee0fc07908509d79c9826e673bf8363255adb0add2401039a7bcd1b4ecf0fbe6ec8369d2da486eec59559dd1d54c9b24190965eafbdab203b35255765261cd0909acf93c3b8b8428cbb448de4715d1b813d0c94829c229543d391ce0adab5351f97a3810c1f73d7b1458b97daed4209c50e16d064d2d5bfda8c23893d755222793146d0a78c3d64f35549141486c3b0961a7b4c1a2034f":16:"3":16:"e79a373182bfaa722eb035f772ad2a9464bd842de59432c18bbab3a7dfeae318c9b915ee487861ab665a40bd6cda560152578e8579016c929df99fea05b4d64efca1d543850bc8164b40d71ed7f3fa4105df0fb9b9ad2a18ce182c8a4f4f975bea9aa0b9a1438a27a28e97ac8330ef37383414d1bd64607d6979ac050424fd17":16:"c6749cbb0db8c5a177672d4728a8b22392b2fc4d3b8361d5c0d5055a1b4e46d821f757c24eef2a51c561941b93b3ace7340074c058c9bb48e7e7414f42c41da4cccb5c2ba91deb30c586b7fb18af12a52995592ad139d3be429add6547e044becedaf31fa3b39421e24ee034fbf367d11f6b8f88ee483d163b431e1654ad3e89":16:"b38ac65c8141f7f5c96e14470e851936a67bf94cc6821a39ac12c05f7c0b06d9e6ddba2224703b02e25f31452f9c4a8417b62675fdc6df46b94813bc7b9769a892c482b830bfe0ad42e46668ace68903617faf6681f4babf1cc8e4b0420d3c7f61dc45434c6b54e2c3ee0fc07908509d79c9826e673bf8363255adb0add2401039a7bcd1b4ecf0fbe6ec8369d2da486eec59559dd1d54c9b24190965eafbdab203b35255765261cd0909acf93c3b8b8428cbb448de4715d1b813d0c94829c229543d391ce0adab5351f97a3810c1f73d7b1458b97daed4209c50e16d064d2d5bfda8c23893d755222793146d0a78c3d64f35549141486c3b0961a7b4c1a2034f":16:"3":16:"77B1D99300D6A54E864962DA09AE10CF19A7FB888456BC2672B72AEA52B204914493D16C184AD201EC3F762E1FBD8702BA796EF953D9EA2F26300D285264F11B0C8301D0207FEB1E2C984445C899B0ACEBAA74EF014DD1D4BDDB43202C08D2FF9692D8D788478DEC829EB52AFB5AE068FBDBAC499A27FACECC391E75C936D55F07BB45EE184DAB45808E15722502F279F89B38C1CB292557E5063597F52C75D61001EDC33F4739353E33E56AD273B067C1A2760208529EA421774A5FFFCB3423B1E0051E7702A55D80CBF2141569F18F87BFF538A1DA8EDBB2693A539F68E0D62D77743F89EACF3B1723BDB25CE2F333FA63CACF0E67DF1A431893BB9B352FCB":16:"9A66CF76572A71A17475794FA1C8C70D987E581E990D772BB27C77C53FF1ECBB31260E9EDAFAEBC79991807E48918EAB8C3A5F03A600F30C69511546AE788EDF53168E2D035D300EDCD5E4BF3AA2A6D603EA0A7BD11E1C1089657306DF8A64E7F1BC6B266B825C1A6C5F0FC85775F4CF7ACD63367E42EAFE46511D58AD6DFE0F":16:"844DBDD20925D9164F9A1E2F707076C261CCA8337D0241392B38AE3C12342F3AC14F8FD6DF4A1C36839662BD0D227344CD55A32AE5DBD2309A9A2B8A2C82BE6DDDDCE81D1B694775D9047AA765CA0C6E1BB8E61C8B7BE27ED711E8EE2FEAD87F3491F76A6D2262C14189EACDFD4CEFE0BF9D0A5B49857E0ED22CBEB98DC8D45B":16:"4951A7B174DF972C37BADCC38457B5EDD1F078BC613E75CE25E08814E12461C7A1C189A70EB8138294298D141244C7A9DE31AB4F6D38B40B04D6353CD30F77ADBF66BBDE41C7BE463C5E30AAA3F7BAD6CEE99506DEAAFA2F335C1B1C5C88B8ABB0D0387EE0D1B4E7027F7F085A025CEDB5CCE18B88C0462F1C3C910D47C0D4AB":0
+
+RSA Check Public-Private key #2 (Public no N)
+rsa_check_pubpriv:2048:16:"":16:"3":16:"e79a373182bfaa722eb035f772ad2a9464bd842de59432c18bbab3a7dfeae318c9b915ee487861ab665a40bd6cda560152578e8579016c929df99fea05b4d64efca1d543850bc8164b40d71ed7f3fa4105df0fb9b9ad2a18ce182c8a4f4f975bea9aa0b9a1438a27a28e97ac8330ef37383414d1bd64607d6979ac050424fd17":16:"c6749cbb0db8c5a177672d4728a8b22392b2fc4d3b8361d5c0d5055a1b4e46d821f757c24eef2a51c561941b93b3ace7340074c058c9bb48e7e7414f42c41da4cccb5c2ba91deb30c586b7fb18af12a52995592ad139d3be429add6547e044becedaf31fa3b39421e24ee034fbf367d11f6b8f88ee483d163b431e1654ad3e89":16:"b38ac65c8141f7f5c96e14470e851936a67bf94cc6821a39ac12c05f7c0b06d9e6ddba2224703b02e25f31452f9c4a8417b62675fdc6df46b94813bc7b9769a892c482b830bfe0ad42e46668ace68903617faf6681f4babf1cc8e4b0420d3c7f61dc45434c6b54e2c3ee0fc07908509d79c9826e673bf8363255adb0add2401039a7bcd1b4ecf0fbe6ec8369d2da486eec59559dd1d54c9b24190965eafbdab203b35255765261cd0909acf93c3b8b8428cbb448de4715d1b813d0c94829c229543d391ce0adab5351f97a3810c1f73d7b1458b97daed4209c50e16d064d2d5bfda8c23893d755222793146d0a78c3d64f35549141486c3b0961a7b4c1a2034f":16:"3":16:"77B1D99300D6A54E864962DA09AE10CF19A7FB888456BC2672B72AEA52B204914493D16C184AD201EC3F762E1FBD8702BA796EF953D9EA2F26300D285264F11B0C8301D0207FEB1E2C984445C899B0ACEBAA74EF014DD1D4BDDB43202C08D2FF9692D8D788478DEC829EB52AFB5AE068FBDBAC499A27FACECC391E75C936D55F07BB45EE184DAB45808E15722502F279F89B38C1CB292557E5063597F52C75D61001EDC33F4739353E33E56AD273B067C1A2760208529EA421774A5FFFCB3423B1E0051E7702A55D80CBF2141569F18F87BFF538A1DA8EDBB2693A539F68E0D62D77743F89EACF3B1723BDB25CE2F333FA63CACF0E67DF1A431893BB9B352FCB":16:"9A66CF76572A71A17475794FA1C8C70D987E581E990D772BB27C77C53FF1ECBB31260E9EDAFAEBC79991807E48918EAB8C3A5F03A600F30C69511546AE788EDF53168E2D035D300EDCD5E4BF3AA2A6D603EA0A7BD11E1C1089657306DF8A64E7F1BC6B266B825C1A6C5F0FC85775F4CF7ACD63367E42EAFE46511D58AD6DFE0F":16:"844DBDD20925D9164F9A1E2F707076C261CCA8337D0241392B38AE3C12342F3AC14F8FD6DF4A1C36839662BD0D227344CD55A32AE5DBD2309A9A2B8A2C82BE6DDDDCE81D1B694775D9047AA765CA0C6E1BB8E61C8B7BE27ED711E8EE2FEAD87F3491F76A6D2262C14189EACDFD4CEFE0BF9D0A5B49857E0ED22CBEB98DC8D45B":16:"4951A7B174DF972C37BADCC38457B5EDD1F078BC613E75CE25E08814E12461C7A1C189A70EB8138294298D141244C7A9DE31AB4F6D38B40B04D6353CD30F77ADBF66BBDE41C7BE463C5E30AAA3F7BAD6CEE99506DEAAFA2F335C1B1C5C88B8ABB0D0387EE0D1B4E7027F7F085A025CEDB5CCE18B88C0462F1C3C910D47C0D4AB":POLARSSL_ERR_RSA_KEY_CHECK_FAILED
+
+RSA Check Public-Private key #3 (Private no N)
+rsa_check_pubpriv:2048:16:"b38ac65c8141f7f5c96e14470e851936a67bf94cc6821a39ac12c05f7c0b06d9e6ddba2224703b02e25f31452f9c4a8417b62675fdc6df46b94813bc7b9769a892c482b830bfe0ad42e46668ace68903617faf6681f4babf1cc8e4b0420d3c7f61dc45434c6b54e2c3ee0fc07908509d79c9826e673bf8363255adb0add2401039a7bcd1b4ecf0fbe6ec8369d2da486eec59559dd1d54c9b24190965eafbdab203b35255765261cd0909acf93c3b8b8428cbb448de4715d1b813d0c94829c229543d391ce0adab5351f97a3810c1f73d7b1458b97daed4209c50e16d064d2d5bfda8c23893d755222793146d0a78c3d64f35549141486c3b0961a7b4c1a2034f":16:"3":16:"e79a373182bfaa722eb035f772ad2a9464bd842de59432c18bbab3a7dfeae318c9b915ee487861ab665a40bd6cda560152578e8579016c929df99fea05b4d64efca1d543850bc8164b40d71ed7f3fa4105df0fb9b9ad2a18ce182c8a4f4f975bea9aa0b9a1438a27a28e97ac8330ef37383414d1bd64607d6979ac050424fd17":16:"c6749cbb0db8c5a177672d4728a8b22392b2fc4d3b8361d5c0d5055a1b4e46d821f757c24eef2a51c561941b93b3ace7340074c058c9bb48e7e7414f42c41da4cccb5c2ba91deb30c586b7fb18af12a52995592ad139d3be429add6547e044becedaf31fa3b39421e24ee034fbf367d11f6b8f88ee483d163b431e1654ad3e89":16:"":16:"3":16:"77B1D99300D6A54E864962DA09AE10CF19A7FB888456BC2672B72AEA52B204914493D16C184AD201EC3F762E1FBD8702BA796EF953D9EA2F26300D285264F11B0C8301D0207FEB1E2C984445C899B0ACEBAA74EF014DD1D4BDDB43202C08D2FF9692D8D788478DEC829EB52AFB5AE068FBDBAC499A27FACECC391E75C936D55F07BB45EE184DAB45808E15722502F279F89B38C1CB292557E5063597F52C75D61001EDC33F4739353E33E56AD273B067C1A2760208529EA421774A5FFFCB3423B1E0051E7702A55D80CBF2141569F18F87BFF538A1DA8EDBB2693A539F68E0D62D77743F89EACF3B1723BDB25CE2F333FA63CACF0E67DF1A431893BB9B352FCB":16:"9A66CF76572A71A17475794FA1C8C70D987E581E990D772BB27C77C53FF1ECBB31260E9EDAFAEBC79991807E48918EAB8C3A5F03A600F30C69511546AE788EDF53168E2D035D300EDCD5E4BF3AA2A6D603EA0A7BD11E1C1089657306DF8A64E7F1BC6B266B825C1A6C5F0FC85775F4CF7ACD63367E42EAFE46511D58AD6DFE0F":16:"844DBDD20925D9164F9A1E2F707076C261CCA8337D0241392B38AE3C12342F3AC14F8FD6DF4A1C36839662BD0D227344CD55A32AE5DBD2309A9A2B8A2C82BE6DDDDCE81D1B694775D9047AA765CA0C6E1BB8E61C8B7BE27ED711E8EE2FEAD87F3491F76A6D2262C14189EACDFD4CEFE0BF9D0A5B49857E0ED22CBEB98DC8D45B":16:"4951A7B174DF972C37BADCC38457B5EDD1F078BC613E75CE25E08814E12461C7A1C189A70EB8138294298D141244C7A9DE31AB4F6D38B40B04D6353CD30F77ADBF66BBDE41C7BE463C5E30AAA3F7BAD6CEE99506DEAAFA2F335C1B1C5C88B8ABB0D0387EE0D1B4E7027F7F085A025CEDB5CCE18B88C0462F1C3C910D47C0D4AB":POLARSSL_ERR_RSA_KEY_CHECK_FAILED
+
+RSA Check Public-Private key #4 (N mismatch)
+rsa_check_pubpriv:2048:16:"b38ac65c8141f7f5c96e14470e851936a67bf94cc6821a39ac12c05f7c0b06d9e6ddba2224703b02e25f31452f9c4a8417b62675fdc6df46b94813bc7b9769a892c482b830bfe0ad42e46668ace68903617faf6681f4babf1cc8e4b0420d3c7f61dc45434c6b54e2c3ee0fc07908509d79c9826e673bf8363255adb0add2401039a7bcd1b4ecf0fbe6ec8369d2da486eec59559dd1d54c9b24190965eafbdab203b35255765261cd0909acf93c3b8b8428cbb448de4715d1b813d0c94829c229543d391ce0adab5351f97a3810c1f73d7b1458b97daed4209c50e16d064d2d5bfda8c23893d755222793146d0a78c3d64f35549141486c3b0961a7b4c1a2034e":16:"3":16:"e79a373182bfaa722eb035f772ad2a9464bd842de59432c18bbab3a7dfeae318c9b915ee487861ab665a40bd6cda560152578e8579016c929df99fea05b4d64efca1d543850bc8164b40d71ed7f3fa4105df0fb9b9ad2a18ce182c8a4f4f975bea9aa0b9a1438a27a28e97ac8330ef37383414d1bd64607d6979ac050424fd17":16:"c6749cbb0db8c5a177672d4728a8b22392b2fc4d3b8361d5c0d5055a1b4e46d821f757c24eef2a51c561941b93b3ace7340074c058c9bb48e7e7414f42c41da4cccb5c2ba91deb30c586b7fb18af12a52995592ad139d3be429add6547e044becedaf31fa3b39421e24ee034fbf367d11f6b8f88ee483d163b431e1654ad3e89":16:"b38ac65c8141f7f5c96e14470e851936a67bf94cc6821a39ac12c05f7c0b06d9e6ddba2224703b02e25f31452f9c4a8417b62675fdc6df46b94813bc7b9769a892c482b830bfe0ad42e46668ace68903617faf6681f4babf1cc8e4b0420d3c7f61dc45434c6b54e2c3ee0fc07908509d79c9826e673bf8363255adb0add2401039a7bcd1b4ecf0fbe6ec8369d2da486eec59559dd1d54c9b24190965eafbdab203b35255765261cd0909acf93c3b8b8428cbb448de4715d1b813d0c94829c229543d391ce0adab5351f97a3810c1f73d7b1458b97daed4209c50e16d064d2d5bfda8c23893d755222793146d0a78c3d64f35549141486c3b0961a7b4c1a2034f":16:"3":16:"77B1D99300D6A54E864962DA09AE10CF19A7FB888456BC2672B72AEA52B204914493D16C184AD201EC3F762E1FBD8702BA796EF953D9EA2F26300D285264F11B0C8301D0207FEB1E2C984445C899B0ACEBAA74EF014DD1D4BDDB43202C08D2FF9692D8D788478DEC829EB52AFB5AE068FBDBAC499A27FACECC391E75C936D55F07BB45EE184DAB45808E15722502F279F89B38C1CB292557E5063597F52C75D61001EDC33F4739353E33E56AD273B067C1A2760208529EA421774A5FFFCB3423B1E0051E7702A55D80CBF2141569F18F87BFF538A1DA8EDBB2693A539F68E0D62D77743F89EACF3B1723BDB25CE2F333FA63CACF0E67DF1A431893BB9B352FCB":16:"9A66CF76572A71A17475794FA1C8C70D987E581E990D772BB27C77C53FF1ECBB31260E9EDAFAEBC79991807E48918EAB8C3A5F03A600F30C69511546AE788EDF53168E2D035D300EDCD5E4BF3AA2A6D603EA0A7BD11E1C1089657306DF8A64E7F1BC6B266B825C1A6C5F0FC85775F4CF7ACD63367E42EAFE46511D58AD6DFE0F":16:"844DBDD20925D9164F9A1E2F707076C261CCA8337D0241392B38AE3C12342F3AC14F8FD6DF4A1C36839662BD0D227344CD55A32AE5DBD2309A9A2B8A2C82BE6DDDDCE81D1B694775D9047AA765CA0C6E1BB8E61C8B7BE27ED711E8EE2FEAD87F3491F76A6D2262C14189EACDFD4CEFE0BF9D0A5B49857E0ED22CBEB98DC8D45B":16:"4951A7B174DF972C37BADCC38457B5EDD1F078BC613E75CE25E08814E12461C7A1C189A70EB8138294298D141244C7A9DE31AB4F6D38B40B04D6353CD30F77ADBF66BBDE41C7BE463C5E30AAA3F7BAD6CEE99506DEAAFA2F335C1B1C5C88B8ABB0D0387EE0D1B4E7027F7F085A025CEDB5CCE18B88C0462F1C3C910D47C0D4AB":POLARSSL_ERR_RSA_KEY_CHECK_FAILED
+
+RSA Check Public-Private key #5 (E mismatch)
+rsa_check_pubpriv:2048:16:"b38ac65c8141f7f5c96e14470e851936a67bf94cc6821a39ac12c05f7c0b06d9e6ddba2224703b02e25f31452f9c4a8417b62675fdc6df46b94813bc7b9769a892c482b830bfe0ad42e46668ace68903617faf6681f4babf1cc8e4b0420d3c7f61dc45434c6b54e2c3ee0fc07908509d79c9826e673bf8363255adb0add2401039a7bcd1b4ecf0fbe6ec8369d2da486eec59559dd1d54c9b24190965eafbdab203b35255765261cd0909acf93c3b8b8428cbb448de4715d1b813d0c94829c229543d391ce0adab5351f97a3810c1f73d7b1458b97daed4209c50e16d064d2d5bfda8c23893d755222793146d0a78c3d64f35549141486c3b0961a7b4c1a2034f":16:"17":16:"e79a373182bfaa722eb035f772ad2a9464bd842de59432c18bbab3a7dfeae318c9b915ee487861ab665a40bd6cda560152578e8579016c929df99fea05b4d64efca1d543850bc8164b40d71ed7f3fa4105df0fb9b9ad2a18ce182c8a4f4f975bea9aa0b9a1438a27a28e97ac8330ef37383414d1bd64607d6979ac050424fd17":16:"c6749cbb0db8c5a177672d4728a8b22392b2fc4d3b8361d5c0d5055a1b4e46d821f757c24eef2a51c561941b93b3ace7340074c058c9bb48e7e7414f42c41da4cccb5c2ba91deb30c586b7fb18af12a52995592ad139d3be429add6547e044becedaf31fa3b39421e24ee034fbf367d11f6b8f88ee483d163b431e1654ad3e89":16:"b38ac65c8141f7f5c96e14470e851936a67bf94cc6821a39ac12c05f7c0b06d9e6ddba2224703b02e25f31452f9c4a8417b62675fdc6df46b94813bc7b9769a892c482b830bfe0ad42e46668ace68903617faf6681f4babf1cc8e4b0420d3c7f61dc45434c6b54e2c3ee0fc07908509d79c9826e673bf8363255adb0add2401039a7bcd1b4ecf0fbe6ec8369d2da486eec59559dd1d54c9b24190965eafbdab203b35255765261cd0909acf93c3b8b8428cbb448de4715d1b813d0c94829c229543d391ce0adab5351f97a3810c1f73d7b1458b97daed4209c50e16d064d2d5bfda8c23893d755222793146d0a78c3d64f35549141486c3b0961a7b4c1a2034f":16:"3":16:"77B1D99300D6A54E864962DA09AE10CF19A7FB888456BC2672B72AEA52B204914493D16C184AD201EC3F762E1FBD8702BA796EF953D9EA2F26300D285264F11B0C8301D0207FEB1E2C984445C899B0ACEBAA74EF014DD1D4BDDB43202C08D2FF9692D8D788478DEC829EB52AFB5AE068FBDBAC499A27FACECC391E75C936D55F07BB45EE184DAB45808E15722502F279F89B38C1CB292557E5063597F52C75D61001EDC33F4739353E33E56AD273B067C1A2760208529EA421774A5FFFCB3423B1E0051E7702A55D80CBF2141569F18F87BFF538A1DA8EDBB2693A539F68E0D62D77743F89EACF3B1723BDB25CE2F333FA63CACF0E67DF1A431893BB9B352FCB":16:"9A66CF76572A71A17475794FA1C8C70D987E581E990D772BB27C77C53FF1ECBB31260E9EDAFAEBC79991807E48918EAB8C3A5F03A600F30C69511546AE788EDF53168E2D035D300EDCD5E4BF3AA2A6D603EA0A7BD11E1C1089657306DF8A64E7F1BC6B266B825C1A6C5F0FC85775F4CF7ACD63367E42EAFE46511D58AD6DFE0F":16:"844DBDD20925D9164F9A1E2F707076C261CCA8337D0241392B38AE3C12342F3AC14F8FD6DF4A1C36839662BD0D227344CD55A32AE5DBD2309A9A2B8A2C82BE6DDDDCE81D1B694775D9047AA765CA0C6E1BB8E61C8B7BE27ED711E8EE2FEAD87F3491F76A6D2262C14189EACDFD4CEFE0BF9D0A5B49857E0ED22CBEB98DC8D45B":16:"4951A7B174DF972C37BADCC38457B5EDD1F078BC613E75CE25E08814E12461C7A1C189A70EB8138294298D141244C7A9DE31AB4F6D38B40B04D6353CD30F77ADBF66BBDE41C7BE463C5E30AAA3F7BAD6CEE99506DEAAFA2F335C1B1C5C88B8ABB0D0387EE0D1B4E7027F7F085A025CEDB5CCE18B88C0462F1C3C910D47C0D4AB":POLARSSL_ERR_RSA_KEY_CHECK_FAILED
+
RSA Private (Correct)
rsa_private:"59779fd2a39e56640c4fc1e67b60aeffcecd78aed7ad2bdfa464e93d04198d48466b8da7445f25bfa19db2844edd5c8f539cf772cc132b483169d390db28a43bc4ee0f038f6568ffc87447746cb72fefac2d6d90ee3143a915ac4688028805905a68eb8f8a96674b093c495eddd8704461eaa2b345efbb2ad6930acd8023f870":2048:16:"e79a373182bfaa722eb035f772ad2a9464bd842de59432c18bbab3a7dfeae318c9b915ee487861ab665a40bd6cda560152578e8579016c929df99fea05b4d64efca1d543850bc8164b40d71ed7f3fa4105df0fb9b9ad2a18ce182c8a4f4f975bea9aa0b9a1438a27a28e97ac8330ef37383414d1bd64607d6979ac050424fd17":16:"c6749cbb0db8c5a177672d4728a8b22392b2fc4d3b8361d5c0d5055a1b4e46d821f757c24eef2a51c561941b93b3ace7340074c058c9bb48e7e7414f42c41da4cccb5c2ba91deb30c586b7fb18af12a52995592ad139d3be429add6547e044becedaf31fa3b39421e24ee034fbf367d11f6b8f88ee483d163b431e1654ad3e89":16:"b38ac65c8141f7f5c96e14470e851936a67bf94cc6821a39ac12c05f7c0b06d9e6ddba2224703b02e25f31452f9c4a8417b62675fdc6df46b94813bc7b9769a892c482b830bfe0ad42e46668ace68903617faf6681f4babf1cc8e4b0420d3c7f61dc45434c6b54e2c3ee0fc07908509d79c9826e673bf8363255adb0add2401039a7bcd1b4ecf0fbe6ec8369d2da486eec59559dd1d54c9b24190965eafbdab203b35255765261cd0909acf93c3b8b8428cbb448de4715d1b813d0c94829c229543d391ce0adab5351f97a3810c1f73d7b1458b97daed4209c50e16d064d2d5bfda8c23893d755222793146d0a78c3d64f35549141486c3b0961a7b4c1a2034f":16:"3":"48ce62658d82be10737bd5d3579aed15bc82617e6758ba862eeb12d049d7bacaf2f62fce8bf6e980763d1951f7f0eae3a493df9890d249314b39d00d6ef791de0daebf2c50f46e54aeb63a89113defe85de6dbe77642aae9f2eceb420f3a47a56355396e728917f17876bb829fabcaeef8bf7ef6de2ff9e84e6108ea2e52bbb62b7b288efa0a3835175b8b08fac56f7396eceb1c692d419ecb79d80aef5bc08a75d89de9f2b2d411d881c0e3ffad24c311a19029d210d3d3534f1b626f982ea322b4d1cfba476860ef20d4f672f38c371084b5301b429b747ea051a619e4430e0dac33c12f9ee41ca4d81a4f6da3e495aa8524574bdc60d290dd1f7a62e90a67":0
diff --git a/tests/suites/test_suite_rsa.function b/tests/suites/test_suite_rsa.function
index 9b3d05a..bafacac 100644
--- a/tests/suites/test_suite_rsa.function
+++ b/tests/suites/test_suite_rsa.function
@@ -590,6 +590,74 @@
}
/* END_CASE */
+/* BEGIN_CASE */
+void rsa_check_pubpriv( int mod, int radix_Npub, char *input_Npub,
+ int radix_Epub, char *input_Epub,
+ int radix_P, char *input_P, int radix_Q,
+ char *input_Q, int radix_N, char *input_N,
+ int radix_E, char *input_E, int radix_D, char *input_D,
+ int radix_DP, char *input_DP, int radix_DQ,
+ char *input_DQ, int radix_QP, char *input_QP,
+ int result )
+{
+ rsa_context pub, prv;
+
+ rsa_init( &pub, RSA_PKCS_V15, 0 );
+ rsa_init( &prv, RSA_PKCS_V15, 0 );
+
+ pub.len = mod / 8;
+ prv.len = mod / 8;
+
+ if( strlen( input_Npub ) )
+ {
+ TEST_ASSERT( mpi_read_string( &pub.N, radix_Npub, input_Npub ) == 0 );
+ }
+ if( strlen( input_Epub ) )
+ {
+ TEST_ASSERT( mpi_read_string( &pub.E, radix_Epub, input_Epub ) == 0 );
+ }
+
+ if( strlen( input_P ) )
+ {
+ TEST_ASSERT( mpi_read_string( &prv.P, radix_P, input_P ) == 0 );
+ }
+ if( strlen( input_Q ) )
+ {
+ TEST_ASSERT( mpi_read_string( &prv.Q, radix_Q, input_Q ) == 0 );
+ }
+ if( strlen( input_N ) )
+ {
+ TEST_ASSERT( mpi_read_string( &prv.N, radix_N, input_N ) == 0 );
+ }
+ if( strlen( input_E ) )
+ {
+ TEST_ASSERT( mpi_read_string( &prv.E, radix_E, input_E ) == 0 );
+ }
+ if( strlen( input_D ) )
+ {
+ TEST_ASSERT( mpi_read_string( &prv.D, radix_D, input_D ) == 0 );
+ }
+ if( strlen( input_DP ) )
+ {
+ TEST_ASSERT( mpi_read_string( &prv.DP, radix_DP, input_DP ) == 0 );
+ }
+ if( strlen( input_DQ ) )
+ {
+ TEST_ASSERT( mpi_read_string( &prv.DQ, radix_DQ, input_DQ ) == 0 );
+ }
+ if( strlen( input_QP ) )
+ {
+ TEST_ASSERT( mpi_read_string( &prv.QP, radix_QP, input_QP ) == 0 );
+ }
+
+ TEST_ASSERT( rsa_check_pub_priv( &pub, &prv ) == result );
+
+exit:
+ rsa_free( &pub );
+ rsa_free( &prv );
+}
+/* END_CASE */
+
/* BEGIN_CASE depends_on:POLARSSL_CTR_DRBG_C:POLARSSL_ENTROPY_C */
void rsa_gen_key( int nrbits, int exponent, int result)
{
diff --git a/tests/suites/test_suite_x509parse.data b/tests/suites/test_suite_x509parse.data
index 4cc924f..072a667 100644
--- a/tests/suites/test_suite_x509parse.data
+++ b/tests/suites/test_suite_x509parse.data
@@ -219,23 +219,23 @@
x509_csr_info:"data_files/server1.req.sha512":"CSR version \: 1\nsubject name \: C=NL, O=PolarSSL, CN=PolarSSL Server 1\nsigned using \: RSA with SHA-512\nRSA key size \: 2048 bits\n"
X509 CSR Information EC with SHA1
-depends_on:POLARSSL_ECP_C:POLARSSL_PEM_PARSE_C
+depends_on:POLARSSL_ECP_C:POLARSSL_PEM_PARSE_C:POLARSSL_ECP_DP_SECP256R1_ENABLED
x509_csr_info:"data_files/server5.req.sha1":"CSR version \: 1\nsubject name \: C=NL, O=PolarSSL, CN=localhost\nsigned using \: ECDSA with SHA1\nEC key size \: 256 bits\n"
X509 CSR Information EC with SHA224
-depends_on:POLARSSL_ECP_C:POLARSSL_PEM_PARSE_C
+depends_on:POLARSSL_ECP_C:POLARSSL_PEM_PARSE_C:POLARSSL_ECP_DP_SECP256R1_ENABLED
x509_csr_info:"data_files/server5.req.sha224":"CSR version \: 1\nsubject name \: C=NL, O=PolarSSL, CN=localhost\nsigned using \: ECDSA with SHA224\nEC key size \: 256 bits\n"
X509 CSR Information EC with SHA256
-depends_on:POLARSSL_ECP_C:POLARSSL_PEM_PARSE_C
+depends_on:POLARSSL_ECP_C:POLARSSL_PEM_PARSE_C:POLARSSL_ECP_DP_SECP256R1_ENABLED
x509_csr_info:"data_files/server5.req.sha256":"CSR version \: 1\nsubject name \: C=NL, O=PolarSSL, CN=localhost\nsigned using \: ECDSA with SHA256\nEC key size \: 256 bits\n"
X509 CSR Information EC with SHA384
-depends_on:POLARSSL_ECP_C:POLARSSL_PEM_PARSE_C
+depends_on:POLARSSL_ECP_C:POLARSSL_PEM_PARSE_C:POLARSSL_ECP_DP_SECP256R1_ENABLED
x509_csr_info:"data_files/server5.req.sha384":"CSR version \: 1\nsubject name \: C=NL, O=PolarSSL, CN=localhost\nsigned using \: ECDSA with SHA384\nEC key size \: 256 bits\n"
X509 CSR Information EC with SHA512
-depends_on:POLARSSL_ECP_C:POLARSSL_PEM_PARSE_C
+depends_on:POLARSSL_ECP_C:POLARSSL_PEM_PARSE_C:POLARSSL_ECP_DP_SECP256R1_ENABLED
x509_csr_info:"data_files/server5.req.sha512":"CSR version \: 1\nsubject name \: C=NL, O=PolarSSL, CN=localhost\nsigned using \: ECDSA with SHA512\nEC key size \: 256 bits\n"
X509 CSR Information RSA-PSS with SHA1
@@ -607,7 +607,7 @@
x509_verify:"data_files/server9-badsign.crt":"data_files/test-ca.crt":"data_files/crl.pem":"NULL":POLARSSL_ERR_X509_CERT_VERIFY_FAILED:BADCERT_NOT_TRUSTED:"NULL"
X509 Certificate verification #66 (RSASSA-PSS, SHA1, no RSA CA)
-depends_on:POLARSSL_PEM_PARSE_C:POLARSSL_X509_RSASSA_PSS_SUPPORT:POLARSSL_SHA1_C:POLARSSL_ECP_C
+depends_on:POLARSSL_PEM_PARSE_C:POLARSSL_X509_RSASSA_PSS_SUPPORT:POLARSSL_SHA1_C:POLARSSL_ECP_C:POLARSSL_ECP_DP_SECP384R1_ENABLED
x509_verify:"data_files/server9.crt":"data_files/test-ca2.crt":"data_files/crl.pem":"NULL":POLARSSL_ERR_X509_CERT_VERIFY_FAILED:BADCERT_NOT_TRUSTED:"NULL"
X509 Certificate verification #67 (Valid, RSASSA-PSS, all defaults)
@@ -635,17 +635,41 @@
x509_verify:"data_files/server2-v1-chain.crt":"data_files/test-ca-v1.crt":"data_files/crl.pem":"NULL":POLARSSL_ERR_X509_CERT_VERIFY_FAILED:BADCERT_NOT_TRUSTED:"NULL"
X509 Certificate verification #73 (selfsigned trusted without CA bit)
-depends_on:POLARSSL_PEM_PARSE_C:POLARSSL_ECDSA_C:POLARSSL_SHA256_C
+depends_on:POLARSSL_PEM_PARSE_C:POLARSSL_ECDSA_C:POLARSSL_SHA256_C:POLARSSL_ECP_DP_SECP256R1_ENABLED
x509_verify:"data_files/server5-selfsigned.crt":"data_files/server5-selfsigned.crt":"data_files/crl.pem":"NULL":0:0:"NULL"
X509 Certificate verification #74 (signed by selfsigned trusted without CA bit)
-depends_on:POLARSSL_PEM_PARSE_C:POLARSSL_ECDSA_C:POLARSSL_SHA256_C
+depends_on:POLARSSL_PEM_PARSE_C:POLARSSL_ECDSA_C:POLARSSL_SHA256_C:POLARSSL_ECP_DP_SECP256R1_ENABLED
x509_verify:"data_files/server6-ss-child.crt":"data_files/server5-selfsigned.crt":"data_files/crl.pem":"NULL":POLARSSL_ERR_X509_CERT_VERIFY_FAILED:BADCERT_NOT_TRUSTED:"NULL"
X509 Certificate verification #75 (encoding mismatch)
depends_on:POLARSSL_PEM_PARSE_C
x509_verify:"data_files/enco-cert-utf8str.pem":"data_files/enco-ca-prstr.pem":"data_files/crl.pem":"NULL":0:0:"NULL"
+X509 Certificate verification #76 (multiple CRLs, not revoked)
+depends_on:POLARSSL_PEM_PARSE_C:POLARSSL_ECDSA_C:POLARSSL_ECP_DP_SECP384R1_ENABLED:POLARSSL_ECP_DP_SECP256R1_ENABLED:POLARSSL_SHA256_C:POLARSSL_RSA_C
+x509_verify:"data_files/server5.crt":"data_files/test-ca_cat12.crt":"data_files/crl_cat_ec-rsa.pem":"NULL":0:0:"NULL"
+
+X509 Certificate verification #77 (multiple CRLs, revoked)
+depends_on:POLARSSL_PEM_PARSE_C:POLARSSL_ECDSA_C:POLARSSL_ECP_DP_SECP384R1_ENABLED:POLARSSL_ECP_DP_SECP256R1_ENABLED:POLARSSL_SHA256_C:POLARSSL_RSA_C
+x509_verify:"data_files/server6.crt":"data_files/test-ca_cat12.crt":"data_files/crl_cat_ec-rsa.pem":"NULL":POLARSSL_ERR_X509_CERT_VERIFY_FAILED:BADCERT_REVOKED:"NULL"
+
+X509 Certificate verification #78 (multiple CRLs, revoked by second)
+depends_on:POLARSSL_PEM_PARSE_C:POLARSSL_ECDSA_C:POLARSSL_ECP_DP_SECP384R1_ENABLED:POLARSSL_ECP_DP_SECP256R1_ENABLED:POLARSSL_SHA256_C:POLARSSL_RSA_C
+x509_verify:"data_files/server6.crt":"data_files/test-ca_cat12.crt":"data_files/crl_cat_rsa-ec.pem":"NULL":POLARSSL_ERR_X509_CERT_VERIFY_FAILED:BADCERT_REVOKED:"NULL"
+
+X509 Certificate verification #79 (multiple CRLs, revoked by future)
+depends_on:POLARSSL_PEM_PARSE_C:POLARSSL_ECDSA_C:POLARSSL_ECP_DP_SECP384R1_ENABLED:POLARSSL_ECP_DP_SECP256R1_ENABLED:POLARSSL_SHA256_C:POLARSSL_RSA_C
+x509_verify:"data_files/server6.crt":"data_files/test-ca_cat12.crt":"data_files/crl_cat_ecfut-rsa.pem":"NULL":POLARSSL_ERR_X509_CERT_VERIFY_FAILED:BADCERT_REVOKED|BADCRL_FUTURE:"NULL"
+
+X509 Certificate verification #80 (multiple CRLs, first future, revoked by second)
+depends_on:POLARSSL_PEM_PARSE_C:POLARSSL_ECDSA_C:POLARSSL_ECP_DP_SECP384R1_ENABLED:POLARSSL_ECP_DP_SECP256R1_ENABLED:POLARSSL_SHA256_C:POLARSSL_RSA_C
+x509_verify:"data_files/server1.crt":"data_files/test-ca_cat12.crt":"data_files/crl_cat_ecfut-rsa.pem":"NULL":POLARSSL_ERR_X509_CERT_VERIFY_FAILED:BADCERT_REVOKED:"NULL"
+
+X509 Certificate verification #81 (multiple CRLs, none relevant)
+depends_on:POLARSSL_PEM_PARSE_C:POLARSSL_ECDSA_C:POLARSSL_ECP_DP_SECP384R1_ENABLED:POLARSSL_ECP_DP_SECP256R1_ENABLED:POLARSSL_SHA256_C:POLARSSL_RSA_C
+x509_verify:"data_files/enco-cert-utf8str.pem":"data_files/enco-ca-prstr.pem":"data_files/crl_cat_rsa-ec.pem":"NULL":0:0:"NULL"
+
X509 Parse Selftest
depends_on:POLARSSL_SHA1_C:POLARSSL_PEM_PARSE_C:POLARSSL_CERTS_C
x509_selftest:
@@ -869,6 +893,18 @@
depends_on:POLARSSL_RSA_C
x509parse_crt:"3081a230819fa0030201028204deadbeef300d06092a864886f70d0101020500300c310a30080600130454657374301c170c303930313031303030303030170c303931323331323335393539300c310a30080600130454657374302a300d06092A864886F70D010101050003190030160210ffffffffffffffffffffffffffffffff0202ffffa101aaa201bba317301530130603551d130101010409300702010102010100":"":POLARSSL_ERR_X509_INVALID_EXTENSIONS + POLARSSL_ERR_ASN1_LENGTH_MISMATCH
+X509 Certificate ASN1 (ExtKeyUsage, bad second tag)
+depends_on:POLARSSL_ECP_C:POLARSSL_ECP_DP_SECP256R1_ENABLED
+x509parse_crt:"3081de3081dba003020102020900ebdbcd14105e1839300906072a8648ce3d0401300f310d300b0603550403130454657374301e170d3134313131313230353935345a170d3234313130383230353935345a300f310d300b06035504031304546573743059301306072a8648ce3d020106082a8648ce3d0301070342000437cc56d976091e5a723ec7592dff206eee7cf9069174d0ad14b5f768225962924ee500d82311ffea2fd2345d5d16bd8a88c26b770d55cd8a2a0efa01c8b4edffa321301f301d0603551d250416301406082b0601050507030107082b06010505070302":"":POLARSSL_ERR_X509_INVALID_EXTENSIONS + POLARSSL_ERR_ASN1_UNEXPECTED_TAG
+
+X509 Certificate ASN1 (SubjectAltName repeated)
+depends_on:POLARSSL_ECP_C:POLARSSL_ECP_DP_SECP256R1_ENABLED
+x509parse_crt:"3081fd3081faa003020102020900a8b31ff37d09a37f300906072a8648ce3d0401300f310d300b0603550403130454657374301e170d3134313131313231333731365a170d3234313130383231333731365a300f310d300b06035504031304546573743059301306072a8648ce3d020106082a8648ce3d0301070342000437cc56d976091e5a723ec7592dff206eee7cf9069174d0ad14b5f768225962924ee500d82311ffea2fd2345d5d16bd8a88c26b770d55cd8a2a0efa01c8b4edffa321301f301d0603551d11041630148208666f6f2e7465737482086261722e74657374301d0603551d11041630148208666f6f2e7465737482086261722e74657374":"":POLARSSL_ERR_X509_INVALID_EXTENSIONS
+
+X509 Certificate ASN1 (ExtKeyUsage repeated)
+depends_on:POLARSSL_ECP_C:POLARSSL_ECP_DP_SECP256R1_ENABLED
+x509parse_crt:"3081fd3081faa003020102020900ebdbcd14105e1839300906072a8648ce3d0401300f310d300b0603550403130454657374301e170d3134313131313230353935345a170d3234313130383230353935345a300f310d300b06035504031304546573743059301306072a8648ce3d020106082a8648ce3d0301070342000437cc56d976091e5a723ec7592dff206eee7cf9069174d0ad14b5f768225962924ee500d82311ffea2fd2345d5d16bd8a88c26b770d55cd8a2a0efa01c8b4edffa340303e301d0603551d250416301406082b0601050507030106082b06010505070302301d0603551d250416301406082b0601050507030106082b06010505070302":"":POLARSSL_ERR_X509_INVALID_EXTENSIONS
+
X509 Certificate ASN1 (correct pubkey, no sig_alg)
depends_on:POLARSSL_RSA_C
x509parse_crt:"308183308180a0030201008204deadbeef300d06092a864886f70d0101020500300c310a30080600130454657374301c170c303930313031303030303030170c303931323331323335393539300c310a30080600130454657374302a300d06092A864886F70D010101050003190030160210ffffffffffffffffffffffffffffffff0202ffff":"":POLARSSL_ERR_X509_INVALID_ALG + POLARSSL_ERR_ASN1_OUT_OF_DATA
@@ -1190,7 +1226,7 @@
x509_parse_rsassa_pss_params:"A303020102":ASN1_CONSTRUCTED | ASN1_SEQUENCE:POLARSSL_MD_SHA1:POLARSSL_MD_SHA1:20:POLARSSL_ERR_X509_INVALID_ALG
X509 CSR ASN.1 (OK)
-depends_on:POLARSSL_ECP_C
+depends_on:POLARSSL_ECP_C:POLARSSL_ECP_DP_SECP256R1_ENABLED
x509_csr_parse:"308201183081BF0201003034310B3009060355040613024E4C3111300F060355040A1308506F6C617253534C31123010060355040313096C6F63616C686F73743059301306072A8648CE3D020106082A8648CE3D0301070342000437CC56D976091E5A723EC7592DFF206EEE7CF9069174D0AD14B5F768225962924EE500D82311FFEA2FD2345D5D16BD8A88C26B770D55CD8A2A0EFA01C8B4EDFFA029302706092A864886F70D01090E311A301830090603551D1304023000300B0603551D0F0404030205E0300906072A8648CE3D04010349003046022100B49FD8C8F77ABFA871908DFBE684A08A793D0F490A43D86FCF2086E4F24BB0C2022100F829D5CCD3742369299E6294394717C4B723A0F68B44E831B6E6C3BCABF97243":"CSR version \: 1\nsubject name \: C=NL, O=PolarSSL, CN=localhost\nsigned using \: ECDSA with SHA1\nEC key size \: 256 bits\n":0
X509 CSR ASN.1 (bad first tag)
@@ -1236,51 +1272,51 @@
x509_csr_parse:"30173014020100300D310B3009060355040613024E4C300100":"":POLARSSL_ERR_PK_KEY_INVALID_FORMAT + POLARSSL_ERR_ASN1_OUT_OF_DATA
X509 CSR ASN.1 (bad attributes: missing)
-depends_on:POLARSSL_ECP_C
+depends_on:POLARSSL_ECP_C:POLARSSL_ECP_DP_SECP256R1_ENABLED
x509_csr_parse:"3081973081940201003034310B3009060355040613024E4C3111300F060355040A1308506F6C617253534C31123010060355040313096C6F63616C686F73743059301306072A8648CE3D020106082A8648CE3D0301070342000437CC56D976091E5A723EC7592DFF206EEE7CF9069174D0AD14B5F768225962924EE500D82311FFEA2FD2345D5D16BD8A88C26B770D55CD8A2A0EFA01C8B4EDFF":"":POLARSSL_ERR_X509_INVALID_FORMAT + POLARSSL_ERR_ASN1_OUT_OF_DATA
X509 CSR ASN.1 (bad attributes: bad tag)
-depends_on:POLARSSL_ECP_C
+depends_on:POLARSSL_ECP_C:POLARSSL_ECP_DP_SECP256R1_ENABLED
x509_csr_parse:"3081993081960201003034310B3009060355040613024E4C3111300F060355040A1308506F6C617253534C31123010060355040313096C6F63616C686F73743059301306072A8648CE3D020106082A8648CE3D0301070342000437CC56D976091E5A723EC7592DFF206EEE7CF9069174D0AD14B5F768225962924EE500D82311FFEA2FD2345D5D16BD8A88C26B770D55CD8A2A0EFA01C8B4EDFF0500":"":POLARSSL_ERR_X509_INVALID_FORMAT + POLARSSL_ERR_ASN1_UNEXPECTED_TAG
X509 CSR ASN.1 (bad attributes: overlong)
-depends_on:POLARSSL_ECP_C
+depends_on:POLARSSL_ECP_C:POLARSSL_ECP_DP_SECP256R1_ENABLED
x509_csr_parse:"30819A3081960201003034310B3009060355040613024E4C3111300F060355040A1308506F6C617253534C31123010060355040313096C6F63616C686F73743059301306072A8648CE3D020106082A8648CE3D0301070342000437CC56D976091E5A723EC7592DFF206EEE7CF9069174D0AD14B5F768225962924EE500D82311FFEA2FD2345D5D16BD8A88C26B770D55CD8A2A0EFA01C8B4EDFFA00100":"":POLARSSL_ERR_X509_INVALID_FORMAT + POLARSSL_ERR_ASN1_OUT_OF_DATA
X509 CSR ASN.1 (bad sigAlg: missing)
-depends_on:POLARSSL_ECP_C
+depends_on:POLARSSL_ECP_C:POLARSSL_ECP_DP_SECP256R1_ENABLED
x509_csr_parse:"3081C23081BF0201003034310B3009060355040613024E4C3111300F060355040A1308506F6C617253534C31123010060355040313096C6F63616C686F73743059301306072A8648CE3D020106082A8648CE3D0301070342000437CC56D976091E5A723EC7592DFF206EEE7CF9069174D0AD14B5F768225962924EE500D82311FFEA2FD2345D5D16BD8A88C26B770D55CD8A2A0EFA01C8B4EDFFA029302706092A864886F70D01090E311A301830090603551D1304023000300B0603551D0F0404030205E0":"":POLARSSL_ERR_X509_INVALID_ALG + POLARSSL_ERR_ASN1_OUT_OF_DATA
X509 CSR ASN.1 (bad sigAlg: not a sequence)
-depends_on:POLARSSL_ECP_C
+depends_on:POLARSSL_ECP_C:POLARSSL_ECP_DP_SECP256R1_ENABLED
x509_csr_parse:"3081C43081BF0201003034310B3009060355040613024E4C3111300F060355040A1308506F6C617253534C31123010060355040313096C6F63616C686F73743059301306072A8648CE3D020106082A8648CE3D0301070342000437CC56D976091E5A723EC7592DFF206EEE7CF9069174D0AD14B5F768225962924EE500D82311FFEA2FD2345D5D16BD8A88C26B770D55CD8A2A0EFA01C8B4EDFFA029302706092A864886F70D01090E311A301830090603551D1304023000300B0603551D0F0404030205E03100":"":POLARSSL_ERR_X509_INVALID_ALG + POLARSSL_ERR_ASN1_UNEXPECTED_TAG
X509 CSR ASN.1 (bad sigAlg: overlong)
-depends_on:POLARSSL_ECP_C
+depends_on:POLARSSL_ECP_C:POLARSSL_ECP_DP_SECP256R1_ENABLED
x509_csr_parse:"3081C43081BF0201003034310B3009060355040613024E4C3111300F060355040A1308506F6C617253534C31123010060355040313096C6F63616C686F73743059301306072A8648CE3D020106082A8648CE3D0301070342000437CC56D976091E5A723EC7592DFF206EEE7CF9069174D0AD14B5F768225962924EE500D82311FFEA2FD2345D5D16BD8A88C26B770D55CD8A2A0EFA01C8B4EDFFA029302706092A864886F70D01090E311A301830090603551D1304023000300B0603551D0F0404030205E03001":"":POLARSSL_ERR_X509_INVALID_ALG + POLARSSL_ERR_ASN1_OUT_OF_DATA
X509 CSR ASN.1 (bad sigAlg: unknown)
-depends_on:POLARSSL_ECP_C
+depends_on:POLARSSL_ECP_C:POLARSSL_ECP_DP_SECP256R1_ENABLED
x509_csr_parse:"3081CD3081BF0201003034310B3009060355040613024E4C3111300F060355040A1308506F6C617253534C31123010060355040313096C6F63616C686F73743059301306072A8648CE3D020106082A8648CE3D0301070342000437CC56D976091E5A723EC7592DFF206EEE7CF9069174D0AD14B5F768225962924EE500D82311FFEA2FD2345D5D16BD8A88C26B770D55CD8A2A0EFA01C8B4EDFFA029302706092A864886F70D01090E311A301830090603551D1304023000300B0603551D0F0404030205E0300906072A8648CE3D04FF":"":POLARSSL_ERR_X509_UNKNOWN_SIG_ALG
X509 CSR ASN.1 (bad sig: missing)
-depends_on:POLARSSL_ECP_C
+depends_on:POLARSSL_ECP_C:POLARSSL_ECP_DP_SECP256R1_ENABLED
x509_csr_parse:"3081CD3081BF0201003034310B3009060355040613024E4C3111300F060355040A1308506F6C617253534C31123010060355040313096C6F63616C686F73743059301306072A8648CE3D020106082A8648CE3D0301070342000437CC56D976091E5A723EC7592DFF206EEE7CF9069174D0AD14B5F768225962924EE500D82311FFEA2FD2345D5D16BD8A88C26B770D55CD8A2A0EFA01C8B4EDFFA029302706092A864886F70D01090E311A301830090603551D1304023000300B0603551D0F0404030205E0300906072A8648CE3D0401":"":POLARSSL_ERR_X509_INVALID_SIGNATURE + POLARSSL_ERR_ASN1_OUT_OF_DATA
X509 CSR ASN.1 (bad sig: not a bit string)
-depends_on:POLARSSL_ECP_C
+depends_on:POLARSSL_ECP_C:POLARSSL_ECP_DP_SECP256R1_ENABLED
x509_csr_parse:"3081CF3081BF0201003034310B3009060355040613024E4C3111300F060355040A1308506F6C617253534C31123010060355040313096C6F63616C686F73743059301306072A8648CE3D020106082A8648CE3D0301070342000437CC56D976091E5A723EC7592DFF206EEE7CF9069174D0AD14B5F768225962924EE500D82311FFEA2FD2345D5D16BD8A88C26B770D55CD8A2A0EFA01C8B4EDFFA029302706092A864886F70D01090E311A301830090603551D1304023000300B0603551D0F0404030205E0300906072A8648CE3D04010400":"":POLARSSL_ERR_X509_INVALID_SIGNATURE + POLARSSL_ERR_ASN1_UNEXPECTED_TAG
X509 CSR ASN.1 (bad sig: overlong)
-depends_on:POLARSSL_ECP_C
+depends_on:POLARSSL_ECP_C:POLARSSL_ECP_DP_SECP256R1_ENABLED
x509_csr_parse:"3081CF3081BF0201003034310B3009060355040613024E4C3111300F060355040A1308506F6C617253534C31123010060355040313096C6F63616C686F73743059301306072A8648CE3D020106082A8648CE3D0301070342000437CC56D976091E5A723EC7592DFF206EEE7CF9069174D0AD14B5F768225962924EE500D82311FFEA2FD2345D5D16BD8A88C26B770D55CD8A2A0EFA01C8B4EDFFA029302706092A864886F70D01090E311A301830090603551D1304023000300B0603551D0F0404030205E0300906072A8648CE3D04010301":"":POLARSSL_ERR_X509_INVALID_SIGNATURE + POLARSSL_ERR_ASN1_OUT_OF_DATA
X509 CSR ASN.1 (extra data after signature)
-depends_on:POLARSSL_ECP_C
+depends_on:POLARSSL_ECP_C:POLARSSL_ECP_DP_SECP256R1_ENABLED
x509_csr_parse:"308201193081BF0201003034310B3009060355040613024E4C3111300F060355040A1308506F6C617253534C31123010060355040313096C6F63616C686F73743059301306072A8648CE3D020106082A8648CE3D0301070342000437CC56D976091E5A723EC7592DFF206EEE7CF9069174D0AD14B5F768225962924EE500D82311FFEA2FD2345D5D16BD8A88C26B770D55CD8A2A0EFA01C8B4EDFFA029302706092A864886F70D01090E311A301830090603551D1304023000300B0603551D0F0404030205E0300906072A8648CE3D04010349003046022100B49FD8C8F77ABFA871908DFBE684A08A793D0F490A43D86FCF2086E4F24BB0C2022100F829D5CCD3742369299E6294394717C4B723A0F68B44E831B6E6C3BCABF9724300":"":POLARSSL_ERR_X509_INVALID_FORMAT + POLARSSL_ERR_ASN1_LENGTH_MISMATCH
X509 File parse (no issues)
-depends_on:POLARSSL_ECP_C
+depends_on:POLARSSL_ECP_C:POLARSSL_ECP_DP_SECP256R1_ENABLED
x509parse_crt_file:"data_files/server7_int-ca.crt":0
X509 File parse (extra space in one certificate)