Documentation fix
Added more elaborate descriptions, fixed minor issues.
diff --git a/include/mbedtls/oid.h b/include/mbedtls/oid.h
index 826ee64..782764d 100644
--- a/include/mbedtls/oid.h
+++ b/include/mbedtls/oid.h
@@ -227,7 +227,7 @@
#define MBEDTLS_OID_HMAC_SHA1 MBEDTLS_OID_RSA_COMPANY "\x02\x07" /**< id-hmacWithSHA1 OBJECT IDENTIFIER ::= { iso(1) member-body(2) us(840) rsadsi(113549) digestAlgorithm(2) 7 } */
-#define MBEDTLS_MD_OID_MAX_SIZE 10 /**< Maximum length of an OID of a supported digest algorithm*/
+#define MBEDTLS_MD_OID_MAX_SIZE 10 /**< Maximum length of an OID of a supported digest algorithm */
/*
* Encryption algorithms
diff --git a/include/mbedtls/pkcs11_client.h b/include/mbedtls/pkcs11_client.h
index 83aed51..6d314a9 100644
--- a/include/mbedtls/pkcs11_client.h
+++ b/include/mbedtls/pkcs11_client.h
@@ -56,7 +56,9 @@
#include "pk.h"
/**
- * \brief Set up a PK context for a key pair in a PKCS#11 token
+ * \brief Set up a PK context from a key pair in a PKCS#11 token.
+ * This allows to access the token's cryptographic
+ * functionality through the PK interface.
*
* \param ctx PK context to fill, which must have been initialized
* with mbedtls_pk_init().
@@ -84,7 +86,7 @@
*
* This function imports a PK object containing a
* public key or a private-public key pair into a
- * PKCS#11 token.
+ * PKCS#11 token.
*
* \param ctx PK context, which must contain a transparent pk
* object (type \c MBEDTLS_PK_RSA,
@@ -113,10 +115,12 @@
* will be authorized for encryption.
*
* \param hSession Cryptoki session.
- * \param hPublicKey If non-null, on output, Cryptoki handle of the public
- * key. If null, the public key is not imported.
- * \param hPrivateKey If non-null, on output, Cryptoki handle of the private
- * key. If null, the private key is not imported.
+ * \param hPublicKey If not NULL, receives the Cryptoki handle of the public
+ * key on success. If NULL, the public key is not
+ * imported.
+ * \param hPrivateKey If not NULL, receives the Cryptoki handle of the
+ * private key on success. If NULL, the private key is
+ * not imported.
*
* \return 0 on success,
* or MBEDTLS_ERR_PK_XXX error code.
diff --git a/include/mbedtls/rsa.h b/include/mbedtls/rsa.h
index 046bfc5..90a5907 100644
--- a/include/mbedtls/rsa.h
+++ b/include/mbedtls/rsa.h
@@ -738,7 +738,7 @@
/**
* \brief Encode a hash into a DigestInfo structure as specified
- * by PKCS#1(RFC 8017, EMSA-PKCS1-v1_5-ENCODE step 2).
+ * by PKCS#1 (RFC 8017, EMSA-PKCS1-v1_5-ENCODE step 2).
* Note: function works backwards in data buffer.
*
* \param p Reference to the current position pointer
diff --git a/library/pkcs11_client.c b/library/pkcs11_client.c
index 2e97d0e..82cc0e1 100644
--- a/library/pkcs11_client.c
+++ b/library/pkcs11_client.c
@@ -111,7 +111,7 @@
static int pkcs11_pk_can_do( const void *ctx_arg, mbedtls_pk_type_t type )
{
const mbedtls_pk_pkcs11_context_t *ctx = ctx_arg;
- return ctx->key_type == mbedtls_pk_representation_type( type );
+ return( ctx->key_type == mbedtls_pk_representation_type( type ) );
}
static void *pkcs11_pk_alloc( )
@@ -138,6 +138,7 @@
}
}
+#if defined(MBEDTLS_RSA_C)
static int pkcs11_sign_core( mbedtls_pk_pkcs11_context_t *ctx,
CK_MECHANISM_TYPE mechanism_type,
const unsigned char *payload, size_t payload_len,
@@ -145,7 +146,7 @@
size_t sig_size )
{
CK_ULONG ck_sig_len = sig_size;
- CK_MECHANISM mechanism = {mechanism_type, NULL_PTR, 0};
+ CK_MECHANISM mechanism = { mechanism_type, NULL_PTR, 0 };
CK_RV rv;
rv = C_SignInit( ctx->hSession, &mechanism, ctx->hPrivateKey );
if( rv != CKR_OK )
@@ -158,6 +159,7 @@
exit:
return( pkcs11_err_to_mbedtls_pk_err( rv ) );
}
+#endif /* MBEDTLS_RSA_C */
#if defined(MBEDTLS_RSA_C)
static int pkcs11_sign_rsa( mbedtls_pk_pkcs11_context_t *ctx,
@@ -234,7 +236,7 @@
const unsigned char *payload, size_t payload_len,
const unsigned char *sig, size_t sig_len )
{
- CK_MECHANISM mechanism = {mechanism_type, NULL_PTR, 0};
+ CK_MECHANISM mechanism = { mechanism_type, NULL_PTR, 0 };
CK_RV rv;
rv = C_VerifyInit( ctx->hSession, &mechanism, ctx->hPublicKey );
diff --git a/library/rsa.c b/library/rsa.c
index 7f1a745..5268013 100644
--- a/library/rsa.c
+++ b/library/rsa.c
@@ -1538,7 +1538,7 @@
if( md_alg == MBEDTLS_MD_NONE )
{
- if( *p < start + hashlen )
+ if( *p - start < (ptrdiff_t) hashlen )
return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );
*p -= hashlen;
memcpy( *p, hash, hashlen );
@@ -1550,7 +1550,7 @@
return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );
if( hashlen == 0 )
hashlen = mbedtls_md_get_size( md_info );
- else if ( hashlen != mbedtls_md_get_size( md_info ) )
+ else if( hashlen != mbedtls_md_get_size( md_info ) )
return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );
if( mbedtls_oid_get_oid_by_md( md_alg, &oid, &oid_size ) != 0 )
return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );
@@ -1570,7 +1570,7 @@
* - Need hashlen bytes for hash
* - Need oid_size bytes for hash alg OID.
*/
- if( *p < start + 10 + oid_size + hashlen )
+ if( *p - start < (ptrdiff_t) ( 10 + oid_size + hashlen) )
return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );
*p -= 10 + oid_size + hashlen;
start = *p;
@@ -1657,7 +1657,7 @@
unsigned char *p = dst + dst_len;
/* Ignore hashlen if a hash algorithm is specified. This is
- * fragile, but documented, bhavior. */
+ * fragile, but documented, behavior. */
if( md_alg != MBEDTLS_MD_NONE )
hashlen = 0;
diff --git a/tests/suites/test_suite_pkcs11_client.data b/tests/suites/test_suite_pkcs11_client.data
index ba47f95..32a8882 100644
--- a/tests/suites/test_suite_pkcs11_client.data
+++ b/tests/suites/test_suite_pkcs11_client.data
@@ -1,5 +1,5 @@
PKCS#11 RSA import and sign
-depends_on:MBEDTLS_PK_C:MBEDTLS_ECDSA_C
+depends_on:MBEDTLS_PK_C:MBEDTLS_RSA_C
pk_import_sign:"data_files/server1.key"
PKCS#11 RSA generate and sign
@@ -10,7 +10,7 @@
depends_on:MBEDTLS_PK_C:MBEDTLS_RSA_C
pk_import_sign_verify:"data_files/server1.key"
-PKCS#11 RSA import, sign with MbedTLS and verify with Cryptoki
+PKCS#11 RSA import, sign with Mbed TLS and verify with Cryptoki
depends_on:MBEDTLS_PK_C:MBEDTLS_RSA_C
pk_import_verify_signed:"data_files/server1.key"
diff --git a/tests/suites/test_suite_pkcs11_client.function b/tests/suites/test_suite_pkcs11_client.function
index d972336..e43a0e4 100644
--- a/tests/suites/test_suite_pkcs11_client.function
+++ b/tests/suites/test_suite_pkcs11_client.function
@@ -111,8 +111,6 @@
{CKA_SIGN, &ck_true, sizeof( ck_true )},
};
CK_ULONG ck_rsa_key_size = RSA_KEY_SIZE_BITS;
- unsigned char ecParams[16];
- size_t ecParams_length;
switch( key_type )
{
@@ -136,10 +134,6 @@
private_attributes,
ARRAY_LENGTH( private_attributes ),
phPublicKey, phPrivateKey ) );
-exit:
- /* Shouldn't happen except if there's a test error (e.g. trying to
- use a curve that isn't compiled in). */
- return( -1 );
}
@@ -298,7 +292,7 @@
/* BEGIN_CASE depends_on:MBEDTLS_PK_C:MBEDTLS_SHA256_C */
void pk_import_sign_verify( char *file )
{
- /* Sign with cryptoki, convert to mbedTLS format and save,
+ /* Sign with cryptoki, convert to Mbed TLS format and save,
verify by cryptoki with a conversion to a raw, concatenated
format by the engine. */
mbedtls_pk_context pkcs11_ctx;
@@ -344,14 +338,14 @@
sig_buffer, sig_length ) == 0 );
exit:
+ mbedtls_pk_free( &pkcs11_ctx );
+ mbedtls_pk_free( &transparent_ctx );
if( hPublicKey != CK_INVALID_HANDLE )
C_DestroyObject( hSession, hPublicKey );
if( hPrivateKey != CK_INVALID_HANDLE )
C_DestroyObject( hSession, hPrivateKey );
C_CloseSession( hSession );
C_Finalize( NULL_PTR );
- mbedtls_pk_free( &pkcs11_ctx );
- mbedtls_pk_free( &transparent_ctx );
}
/* END_CASE */
@@ -380,7 +374,6 @@
TEST_ASSERT( hSession != CK_INVALID_HANDLE );
TEST_ASSERT( mbedtls_pk_import_to_pkcs11( &transparent_ctx,
- MBEDTLS_PK_FLAG_SIGN |
MBEDTLS_PK_FLAG_VERIFY,
hSession,
&hPublicKey,
@@ -413,7 +406,7 @@
}
/* END_CASE */
-/* BEGIN_CASE depends_on:MBEDTLS_RSA_C */
+/* BEGIN_CASE depends_on:MBEDTLS_PK_C:MBEDTLS_RSA_C */
void pk_rsa_hardcoded_verify( char *message_hex_string, int digest,
int mod, int radix_N, char *input_N, int radix_E,
char *input_E, char *result_hex_str, int result )