From 7a2538ee38f6fde58bc6d3eb45624a5ac8eeaa30 Mon Sep 17 00:00:00 2001
From: Paul Bakker
Date: Fri, 2 Nov 2012 10:59:36 +0000
Subject: [PATCH 01/25] - Fixes for MSVC6
---
ChangeLog | 4 ++++
include/polarssl/bignum.h | 5 +++++
include/polarssl/gcm.h | 5 +++++
include/polarssl/ssl.h | 2 +-
library/entropy_poll.c | 2 +-
library/gcm.c | 4 ++--
library/x509parse.c | 39 +++++++++++++++++++++------------------
7 files changed, 39 insertions(+), 22 deletions(-)
diff --git a/ChangeLog b/ChangeLog
index e9e9cd2fe5..dc68f04c2c 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,5 +1,9 @@
PolarSSL ChangeLog
+= Version Trunk
+Bugfixes
+ * Fixes for MSVC6
+
= Version 1.2.0 released 2012-10-31
Features
* Added support for NULL cipher (POLARSSL_CIPHER_NULL_CIPHER) and weak
diff --git a/include/polarssl/bignum.h b/include/polarssl/bignum.h
index e2d93476d8..3b8b1f6136 100644
--- a/include/polarssl/bignum.h
+++ b/include/polarssl/bignum.h
@@ -34,8 +34,13 @@
#ifdef _MSC_VER
#include
+#if (_MSC_VER <= 1200)
+typedef signed short int16_t;
+typedef unsigned short uint16_t;
+#else
typedef INT16 int16_t;
typedef UINT16 uint16_t;
+#endif
typedef INT32 int32_t;
typedef UINT32 uint32_t;
typedef UINT64 uint64_t;
diff --git a/include/polarssl/gcm.h b/include/polarssl/gcm.h
index 2f88c70152..77baa17565 100644
--- a/include/polarssl/gcm.h
+++ b/include/polarssl/gcm.h
@@ -29,7 +29,12 @@
#include "aes.h"
+#ifdef _MSC_VER
+#include
+typedef UINT64 uint64_t;
+#else
#include
+#endif
#define GCM_ENCRYPT 1
#define GCM_DECRYPT 0
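Review bot: `typedef UINT64 uint64_t;` is now defined under `_MSC_VER` in gcm.h while bignum.h (previous hunk, its line `typedef UINT64 uint64_t;`) defines the identical typedef under the same guard, so any translation unit that includes both headers sees a duplicate typedef, which a pre-C11 compiler such as the MSVC6 this patch targets is not required to accept. Keep the MSVC fixed-width typedefs in exactly one place, or wrap both copies in a shared guard so the second is skipped, e.g. `#if !defined(POLARSSL_HAVE_INT64)` / `#define POLARSSL_HAVE_INT64` around the typedef. The operand of the two `#include` lines is not visible in this rendering, so which system header supplies `UINT64` here cannot be confirmed.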
diff --git a/include/polarssl/ssl.h b/include/polarssl/ssl.h
index c7da8c4d5b..071288e922 100644
--- a/include/polarssl/ssl.h
+++ b/include/polarssl/ssl.h
@@ -682,7 +682,7 @@ void ssl_set_bio( ssl_context *ssl,
* data) is cleared by the SSL/TLS layer when the connection is
* terminated. It is recommended to add metadata to determine if
* an entry is still valid in the future. Return 0 if
- * successfully cached, return 0 otherwise.
+ * successfully cached, return 1 otherwise.
*
* \param ssl SSL context
* \param f_get_cache session get callback
diff --git a/library/entropy_poll.c b/library/entropy_poll.c
index a0c9b7bc07..b5d9f787c0 100644
--- a/library/entropy_poll.c
+++ b/library/entropy_poll.c
@@ -40,10 +40,10 @@
#if !defined(POLARSSL_NO_PLATFORM_ENTROPY)
#if defined(_WIN32)
-#include
#if !defined(_WIN32_WINNT)
#define _WIN32_WINNT 0x0400
#endif
+#include
#include
int platform_entropy_poll( void *data, unsigned char *output, size_t len,
diff --git a/library/gcm.c b/library/gcm.c
index 3faaa5d894..c91598cd28 100644
--- a/library/gcm.c
+++ b/library/gcm.c
@@ -148,7 +148,7 @@ void gcm_mult( gcm_context *ctx, const unsigned char x[16], unsigned char output
if( i != 15 )
{
- rem = zl & 0xf;
+ rem = (unsigned char) zl & 0xf;
zl = ( zh << 60 ) | ( zl >> 4 );
zh = ( zh >> 4 );
zh ^= (uint64_t) last4[rem] << 48;
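Review bot: `rem = (unsigned char) zl & 0xf;` casts before masking, because the cast binds tighter than `&`; the value is the same either way (the low four bits survive the truncation), but it reads as if the masked value were being cast, and the same line is repeated in the next hunk. Parenthesizing states the intent: `rem = (unsigned char)( zl & 0xf );`. gcm_mult's body starts before this hunk and continues after it.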
@@ -157,7 +157,7 @@ void gcm_mult( gcm_context *ctx, const unsigned char x[16], unsigned char output
}
- rem = zl & 0xf;
+ rem = (unsigned char) zl & 0xf;
zl = ( zh << 60 ) | ( zl >> 4 );
zh = ( zh >> 4 );
zh ^= (uint64_t) last4[rem] << 48;
diff --git a/library/x509parse.c b/library/x509parse.c
index ab633be99f..843dba7f57 100644
--- a/library/x509parse.c
+++ b/library/x509parse.c
@@ -60,9 +60,7 @@
#if defined(POLARSSL_FS_IO)
#include
-#if defined(_WIN32)
-#include
-#else
+#if !defined(_WIN32)
#include
#include
#endif
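Review bot: The `#include` dropped from the `_WIN32` branch is not replaced anywhere in this hunk, while the Windows branch of x509parse_crtpath later in the same file still relies on `WCHAR`, `WIN32_FIND_DATA`, `MultiByteToWideChar` and `FindFirstFile`; unless those declarations now arrive through a header included earlier in the file, the MSVC build loses them. The header operand is missing from every `#include` in this rendering, so this may be an extraction artifact rather than a real omission, but it is worth confirming against the committed file.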
@@ -1878,50 +1876,55 @@ int x509parse_crtpath( x509_cert *chain, const char *path )
WCHAR szDir[MAX_PATH];
char filename[MAX_PATH];
char *p;
+ int len = strlen( path );
WIN32_FIND_DATA file_data;
HANDLE hFind;
- DWORD dwError = 0;
+
+ if( len > MAX_PATH - 3 )
+ return( POLARSSL_ERR_X509_INVALID_INPUT );
memset( szDir, 0, sizeof(szDir) );
memset( filename, 0, MAX_PATH );
- memcpy( filename, path, strlen( path ) );
- filename[strlen( path )] = '\\';
- p = filename + strlen( path ) + 1;
+ memcpy( filename, path, len );
+ filename[len++] = '\\';
+ p = filename + len;
+ filename[len++] = '*';
- w_ret = MultiByteToWideChar( CP_ACP, 0, path, strlen(path), szDir, MAX_PATH - 3 );
-
- StringCchCopyW(szDir, MAX_PATH, szDir);
- StringCchCatW(szDir, MAX_PATH, TEXT("\\*"));
+ w_ret = MultiByteToWideChar( CP_ACP, 0, path, len, szDir, MAX_PATH - 3 );
hFind = FindFirstFile( szDir, &file_data );
if (hFind == INVALID_HANDLE_VALUE)
return( POLARSSL_ERR_X509_FILE_IO_ERROR );
+ len = MAX_PATH - len;
do
{
- memset( p, 0, filename + MAX_PATH - p - 1 );
+ memset( p, 0, len );
if( file_data.dwFileAttributes & FILE_ATTRIBUTE_DIRECTORY )
continue;
w_ret = WideCharToMultiByte( CP_ACP, 0, file_data.cFileName,
lstrlenW(file_data.cFileName),
- p,
- filename + MAX_PATH - p - 2, NULL, NULL );
+ p, len - 1,
+ NULL, NULL );
w_ret = x509parse_crtfile( chain, filename );
if( w_ret < 0 )
- return( w_ret );
+ {
+ ret = w_ret;
+ goto cleanup;
+ }
ret += w_ret;
}
while( FindNextFile( hFind, &file_data ) != 0 );
- dwError = GetLastError();
- if (dwError != ERROR_NO_MORE_FILES)
- return( POLARSSL_ERR_X509_FILE_IO_ERROR );
+ if (GetLastError() != ERROR_NO_MORE_FILES)
+ ret = POLARSSL_ERR_X509_FILE_IO_ERROR;
+cleanup:
FindClose( hFind );
#else
int t_ret;
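Review bot: `w_ret = MultiByteToWideChar( CP_ACP, 0, path, len, szDir, MAX_PATH - 3 );` converts `path` with a `len` that has already been incremented twice for the appended `'\\'` and `'*'`, so it reads two bytes past `strlen(path)` of the caller's string (one byte beyond its terminator), and since the NUL is converted as an ordinary character the wide search pattern ends up being the bare path rather than `path\*`. The buffer that actually holds `path\*` is `filename`, so the call should be `w_ret = MultiByteToWideChar( CP_ACP, 0, filename, len, szDir, MAX_PATH - 3 );`. Its return value is also unchecked: with `len` allowed to reach MAX_PATH - 1 the output limit of MAX_PATH - 3 can be exceeded, leaving szDir empty and surfacing only as a generic FindFirstFile failure, so `if( w_ret == 0 ) return( POLARSSL_ERR_X509_FILE_IO_ERROR );` right after the conversion names the real cause. x509parse_crtpath begins before this hunk and its non-Windows branch continues after it.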
From d9374b05d67ca1abcfe0f6b289b6583b6257eee3 Mon Sep 17 00:00:00 2001
From: Paul Bakker
Date: Fri, 2 Nov 2012 11:02:58 +0000
Subject: [PATCH 02/25] - Moved mpi_inv_mod() outside POLARSSL_GENPRIME
---
ChangeLog | 1 +
library/bignum.c | 4 ++--
2 files changed, 3 insertions(+), 2 deletions(-)
diff --git a/ChangeLog b/ChangeLog
index dc68f04c2c..a448acc4e8 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -3,6 +3,7 @@ PolarSSL ChangeLog
= Version Trunk
Bugfixes
* Fixes for MSVC6
+ * Moved mpi_inv_mod() outside POLARSSL_GENPRIME
= Version 1.2.0 released 2012-10-31
Features
diff --git a/library/bignum.c b/library/bignum.c
index a3201a6b1e..f2a49ecac3 100644
--- a/library/bignum.c
+++ b/library/bignum.c
@@ -1652,8 +1652,6 @@ cleanup:
return( ret );
}
-#if defined(POLARSSL_GENPRIME)
-
/*
* Modular inverse: X = A^-1 mod N (HAC 14.61 / 14.64)
*/
@@ -1749,6 +1747,8 @@ cleanup:
return( ret );
}
+#if defined(POLARSSL_GENPRIME)
+
static const int small_prime[] =
{
3, 5, 7, 11, 13, 17, 19, 23,
From fc975dc592c953246701b9d1c4a20e7a1ac94b2b Mon Sep 17 00:00:00 2001
From: Paul Bakker
Date: Fri, 2 Nov 2012 12:51:23 +0000
Subject: [PATCH 03/25] - Small Windows VC6 fixes
---
library/x509parse.c | 11 +++++++----
1 file changed, 7 insertions(+), 4 deletions(-)
diff --git a/library/x509parse.c b/library/x509parse.c
index 843dba7f57..d7bfc05a11 100644
--- a/library/x509parse.c
+++ b/library/x509parse.c
@@ -1878,7 +1878,7 @@ int x509parse_crtpath( x509_cert *chain, const char *path )
char *p;
int len = strlen( path );
- WIN32_FIND_DATA file_data;
+ WIN32_FIND_DATAW file_data;
HANDLE hFind;
if( len > MAX_PATH - 3 )
@@ -1893,7 +1893,7 @@ int x509parse_crtpath( x509_cert *chain, const char *path )
w_ret = MultiByteToWideChar( CP_ACP, 0, path, len, szDir, MAX_PATH - 3 );
- hFind = FindFirstFile( szDir, &file_data );
+ hFind = FindFirstFileW( szDir, &file_data );
if (hFind == INVALID_HANDLE_VALUE)
return( POLARSSL_ERR_X509_FILE_IO_ERROR );
@@ -1919,7 +1919,7 @@ int x509parse_crtpath( x509_cert *chain, const char *path )
ret += w_ret;
}
- while( FindNextFile( hFind, &file_data ) != 0 );
+ while( FindNextFileW( hFind, &file_data ) != 0 );
if (GetLastError() != ERROR_NO_MORE_FILES)
ret = POLARSSL_ERR_X509_FILE_IO_ERROR;
@@ -1943,7 +1943,10 @@ cleanup:
snprintf( entry_name, sizeof(entry_name), "%s/%s", path, entry->d_name );
t_ret = x509parse_crtfile( chain, entry_name );
if( t_ret < 0 )
- return( t_ret );
+ {
+ ret = t_ret;
+ break;
+ }
ret += t_ret;
}
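Review bot: `snprintf( entry_name, sizeof(entry_name), "%s/%s", path, entry->d_name );` directly above the new error path still ignores truncation, so an over-long `path` or entry name silently produces a different, shorter filename that is then handed to x509parse_crtfile; the new `break` path is the natural place to handle it, e.g. `if( snprintf( entry_name, sizeof(entry_name), "%s/%s", path, entry->d_name ) >= (int) sizeof(entry_name) ) { ret = POLARSSL_ERR_X509_INVALID_INPUT; break; }`. The switch from `return` to `break` presumably exists so that cleanup after the loop (closedir or similar) now runs on error; that code lies outside the hunk, so the assumption is worth a one-line comment at the `break`.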
From 7c900780d939a0378abe4d881fdcf6fd62a4bff2 Mon Sep 17 00:00:00 2001
From: Paul Bakker
Date: Sun, 4 Nov 2012 16:29:08 +0000
Subject: [PATCH 04/25] - Default to disabled renegotiation
---
include/polarssl/ssl.h | 7 ++++---
1 file changed, 4 insertions(+), 3 deletions(-)
diff --git a/include/polarssl/ssl.h b/include/polarssl/ssl.h
index 071288e922..3db7c4adea 100644
--- a/include/polarssl/ssl.h
+++ b/include/polarssl/ssl.h
@@ -116,8 +116,8 @@
#define SSL_LEGACY_RENEGOTIATION 0
#define SSL_SECURE_RENEGOTIATION 1
-#define SSL_RENEGOTIATION_ENABLED 0
-#define SSL_RENEGOTIATION_DISABLED 1
+#define SSL_RENEGOTIATION_DISABLED 0
+#define SSL_RENEGOTIATION_ENABLED 1
#define SSL_LEGACY_NO_RENEGOTIATION 0
#define SSL_LEGACY_ALLOW_RENEGOTIATION 1
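Review bot: Swapping the numeric values of `SSL_RENEGOTIATION_ENABLED` and `SSL_RENEGOTIATION_DISABLED` silently inverts the setting for any application that passes a literal `0`/`1` to ssl_set_renegotiation(), or that was compiled against the 1.2.0 header and only relinked: a server that had deliberately disabled renegotiation because of the DoS exposure documented below would now have it enabled. Since these are public API symbols, the change deserves a ChangeLog entry in the trunk section and a comment next to the defines, e.g. `/* Note: values swapped after 1.2.0 so that DISABLED (0) is the default */`.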
@@ -852,7 +852,8 @@ void ssl_set_min_version( ssl_context *ssl, int major, int minor );
* (Default: SSL_RENEGOTIATION_DISABLED)
*
* Note: A server with support enabled is more vulnerable for a
- * resource DoS by a malicious client.
+ * resource DoS by a malicious client. You should enable this on
+ * a client to enable server-initiated renegotiation.
*
* \param ssl SSL context
* \param renegotiation Enable or disable (SSL_RENEGOTIATION_ENABLED or
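Review bot: The added sentence `You should enable this on a client to enable server-initiated renegotiation.` reads as a recommendation immediately after a line warning that enabling it is a DoS exposure; the intent seems to be that a client must opt in before a server's renegotiation request is honored. Clearer wording: ` * resource DoS by a malicious client. On a client, renegotiation must` / ` * be enabled before a server-initiated renegotiation is accepted.` Whether a request received while disabled is ignored or treated as fatal is not visible here and would be worth stating in the same note.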
From 6831c4a1a86f5adab85778fb3f6936a65b8dbc27 Mon Sep 17 00:00:00 2001
From: Paul Bakker
Date: Wed, 7 Nov 2012 19:46:27 +0000
Subject: [PATCH 05/25] - Fixed typos
---
include/polarssl/ssl.h | 7 ++++---
1 file changed, 4 insertions(+), 3 deletions(-)
diff --git a/include/polarssl/ssl.h b/include/polarssl/ssl.h
index 3db7c4adea..5a1e7fc08c 100644
--- a/include/polarssl/ssl.h
+++ b/include/polarssl/ssl.h
@@ -884,8 +884,9 @@ void ssl_set_renegotiation( ssl_context *ssl, int renegotiation );
* (Most secure option, interoperability issues)
*
* \param ssl SSL context
- * \param allow_legacy Prevent or allow (SSL_NO_LEGACY_RENEGOTIATION or
- * SSL_ALLOW_LEGACY_RENEGOTIATION)
+ * \param allow_legacy Prevent or allow (SSL_NO_LEGACY_RENEGOTIATION,
+ * SSL_ALLOW_LEGACY_RENEGOTIATION or
+ * SSL_LEGACY_BREAK_HANDSHAKE)
*/
void ssl_legacy_renegotiation( ssl_context *ssl, int allow_legacy );
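Review bot: The parameter description names `SSL_NO_LEGACY_RENEGOTIATION` and `SSL_ALLOW_LEGACY_RENEGOTIATION`, but the macros defined earlier in this header (visible in the previous patch's hunk) are `SSL_LEGACY_NO_RENEGOTIATION` and `SSL_LEGACY_ALLOW_RENEGOTIATION`, so a reader copying the documented names gets an undeclared identifier. Suggested: ` * \param allow_legacy Prevent or allow (SSL_LEGACY_NO_RENEGOTIATION,` / ` *                     SSL_LEGACY_ALLOW_RENEGOTIATION or` / ` *                     SSL_LEGACY_BREAK_HANDSHAKE)`. `SSL_LEGACY_BREAK_HANDSHAKE` is not among the defines shown, so its spelling should be checked against the header as well.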
@@ -1000,7 +1001,7 @@ int ssl_write( ssl_context *ssl, const unsigned char *buf, size_t len );
* (SSL_ALERT_LEVEL_WARNING or SSL_ALERT_LEVEL_FATAL)
* \param message The alert message (SSL_ALERT_MSG_*)
*
- * \return 1 if successful, or a specific SSL error code.
+ * \return 0 if successful, or a specific SSL error code.
*/
int ssl_send_alert_message( ssl_context *ssl,
unsigned char level,
From 77db6ce3481ad610ee786d5ab171d5d10c1cb59d Mon Sep 17 00:00:00 2001
From: Paul Bakker
Date: Wed, 7 Nov 2012 19:57:39 +0000
Subject: [PATCH 06/25] - Fixed doxygen blocks
---
include/polarssl/aes.h | 2 +-
include/polarssl/arc4.h | 2 +-
include/polarssl/bignum.h | 4 ++--
include/polarssl/blowfish.h | 2 +-
include/polarssl/camellia.h | 2 +-
include/polarssl/config.h | 2 +-
include/polarssl/des.h | 2 +-
include/polarssl/dhm.h | 2 +-
include/polarssl/x509.h | 2 +-
include/polarssl/xtea.h | 2 +-
10 files changed, 11 insertions(+), 11 deletions(-)
diff --git a/include/polarssl/aes.h b/include/polarssl/aes.h
index 5f6c198e64..b79894c02f 100644
--- a/include/polarssl/aes.h
+++ b/include/polarssl/aes.h
@@ -141,7 +141,7 @@ int aes_crypt_cfb128( aes_context *ctx,
const unsigned char *input,
unsigned char *output );
-/*
+/**
* \brief AES-CTR buffer encryption/decryption
*
* Warning: You have to keep the maximum use of your counter in mind!
diff --git a/include/polarssl/arc4.h b/include/polarssl/arc4.h
index 48ad60b267..7233384b27 100644
--- a/include/polarssl/arc4.h
+++ b/include/polarssl/arc4.h
@@ -66,7 +66,7 @@ void arc4_setup( arc4_context *ctx, const unsigned char *key, unsigned int keyle
int arc4_crypt( arc4_context *ctx, size_t length, const unsigned char *input,
unsigned char *output );
-/*
+/**
* \brief Checkup routine
*
* \return 0 if successful, or 1 if the test failed
diff --git a/include/polarssl/bignum.h b/include/polarssl/bignum.h
index 3b8b1f6136..ce29ca3706 100644
--- a/include/polarssl/bignum.h
+++ b/include/polarssl/bignum.h
@@ -223,7 +223,7 @@ void mpi_swap( mpi *X, mpi *Y );
*/
int mpi_lset( mpi *X, t_sint z );
-/*
+/**
* \brief Get a specific bit from X
*
* \param X MPI to use
@@ -233,7 +233,7 @@ int mpi_lset( mpi *X, t_sint z );
*/
int mpi_get_bit( const mpi *X, size_t pos );
-/*
+/**
* \brief Set a bit of X to a specific value of 0 or 1
*
* \note Will grow X if necessary to set a bit to 1 in a not yet
diff --git a/include/polarssl/blowfish.h b/include/polarssl/blowfish.h
index 7139c18d4f..313d898bb1 100644
--- a/include/polarssl/blowfish.h
+++ b/include/polarssl/blowfish.h
@@ -129,7 +129,7 @@ int blowfish_crypt_cfb64( blowfish_context *ctx,
const unsigned char *input,
unsigned char *output );
-/*
+/**
* \brief Blowfish-CTR buffer encryption/decryption
*
* Warning: You have to keep the maximum use of your counter in mind!
diff --git a/include/polarssl/camellia.h b/include/polarssl/camellia.h
index b2b12945f4..f073d469a6 100644
--- a/include/polarssl/camellia.h
+++ b/include/polarssl/camellia.h
@@ -139,7 +139,7 @@ int camellia_crypt_cfb128( camellia_context *ctx,
const unsigned char *input,
unsigned char *output );
-/*
+/**
* \brief CAMELLIA-CTR buffer encryption/decryption
*
* Warning: You have to keep the maximum use of your counter in mind!
diff --git a/include/polarssl/config.h b/include/polarssl/config.h
index 09b10c2933..f7dbc64b41 100644
--- a/include/polarssl/config.h
+++ b/include/polarssl/config.h
@@ -738,7 +738,7 @@
*/
#define POLARSSL_SSL_CLI_C
-/*
+/**
* \def POLARSSL_SSL_SRV_C
*
* Enable the SSL/TLS server code.
diff --git a/include/polarssl/des.h b/include/polarssl/des.h
index b649ccf207..5eee7ac156 100644
--- a/include/polarssl/des.h
+++ b/include/polarssl/des.h
@@ -220,7 +220,7 @@ int des3_crypt_cbc( des3_context *ctx,
const unsigned char *input,
unsigned char *output );
-/*
+/**
* \brief Checkup routine
*
* \return 0 if successful, or 1 if the test failed
diff --git a/include/polarssl/dhm.h b/include/polarssl/dhm.h
index ba6e424948..48d926856d 100644
--- a/include/polarssl/dhm.h
+++ b/include/polarssl/dhm.h
@@ -225,7 +225,7 @@ int dhm_make_public( dhm_context *ctx, int x_size,
int dhm_calc_secret( dhm_context *ctx,
unsigned char *output, size_t *olen );
-/*
+/**
* \brief Free the components of a DHM key
*/
void dhm_free( dhm_context *ctx );
diff --git a/include/polarssl/x509.h b/include/polarssl/x509.h
index 32aad72748..45a8229f13 100644
--- a/include/polarssl/x509.h
+++ b/include/polarssl/x509.h
@@ -641,7 +641,7 @@ int x509parse_crl_info( char *buf, size_t size, const char *prefix,
*/
const char *x509_oid_get_description( x509_buf *oid );
-/*
+/**
* \brief Give an OID, return a string version of its OID number.
*
* \param buf Buffer to write to
diff --git a/include/polarssl/xtea.h b/include/polarssl/xtea.h
index e2adb87881..0db7bc8ebb 100644
--- a/include/polarssl/xtea.h
+++ b/include/polarssl/xtea.h
@@ -97,7 +97,7 @@ int xtea_crypt_cbc( xtea_context *ctx,
unsigned char *input,
unsigned char *output);
-/*
+/**
* \brief Checkup routine
*
* \return 0 if successful, or 1 if the test failed
From 096348fa7984bb86201c50d8e8e030059af2fb6d Mon Sep 17 00:00:00 2001
From: Paul Bakker
Date: Wed, 7 Nov 2012 20:05:38 +0000
Subject: [PATCH 07/25] - Fixed comments / typos
---
include/polarssl/config.h | 4 ++--
library/bignum.c | 4 ----
library/error.c | 4 ++--
library/x509parse.c | 2 --
library/x509write.c | 2 --
scripts/data_files/error.fmt | 4 ++--
6 files changed, 6 insertions(+), 14 deletions(-)
diff --git a/include/polarssl/config.h b/include/polarssl/config.h
index f7dbc64b41..1ce28e51c3 100644
--- a/include/polarssl/config.h
+++ b/include/polarssl/config.h
@@ -150,7 +150,7 @@
*
* Enable weak ciphersuites in SSL / TLS
* Warning: Only do so when you know what you are doing. This allows for
- * channels without virtually no security at all!
+ * channels with virtually no security at all!
*
* This enables the following ciphersuites:
* TLS_RSA_WITH_DES_CBC_SHA
@@ -345,7 +345,7 @@
/**
* \def POLARSSL_BIGNUM_C
*
- * Enable the multo-precision integer library.
+ * Enable the multi-precision integer library.
*
* Module: library/bignum.c
* Caller: library/dhm.c
diff --git a/library/bignum.c b/library/bignum.c
index f2a49ecac3..94e8eb3e26 100644
--- a/library/bignum.c
+++ b/library/bignum.c
@@ -1212,10 +1212,6 @@ cleanup:
/*
* Division by int: A = Q * b + R
- *
- * Returns 0 if successful
- * 1 if memory allocation failed
- * POLARSSL_ERR_MPI_DIVISION_BY_ZERO if b == 0
*/
int mpi_div_int( mpi *Q, mpi *R, const mpi *A, t_sint b )
{
diff --git a/library/error.c b/library/error.c
index a5eaaba35d..03abc32653 100644
--- a/library/error.c
+++ b/library/error.c
@@ -1,7 +1,7 @@
/*
* Error message information
*
- * Copyright (C) 2006-2010, Brainspark B.V.
+ * Copyright (C) 2006-2012, Brainspark B.V.
*
* This file is part of PolarSSL (http://www.polarssl.org)
* Lead Maintainer: Paul Bakker
@@ -553,4 +553,4 @@ void error_strerror( int ret, char *buf, size_t buflen )
snprintf( buf, buflen, "UNKNOWN ERROR CODE (%04X)", use_ret );
}
-#endif /* POLARSSL_VERBOSE_ERROR */
+#endif /* POLARSSL_ERROR_C */
diff --git a/library/x509parse.c b/library/x509parse.c
index d7bfc05a11..c56451129c 100644
--- a/library/x509parse.c
+++ b/library/x509parse.c
@@ -2984,8 +2984,6 @@ int x509parse_revoked( const x509_cert *crt, const x509_crl *crl )
/*
* Wrapper for x509 hashes.
- *
- * \param out Buffer to receive the hash (Should be at least 64 bytes)
*/
static void x509_hash( const unsigned char *in, size_t len, int alg,
unsigned char *out )
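Review bot: Dropping `\param out Buffer to receive the hash (Should be at least 64 bytes)` removes the only statement of how large `out` must be for x509_hash, which is exactly the contract that stops the next caller from passing a 20-byte buffer to a wrapper that can emit a 64-byte digest. If the line went only because the block is not a doxygen block, keep the requirement as plain text: ` * out must have room for the largest digest this wrapper produces (64 bytes).` The 64-byte figure is taken from the removed line; the function body that would confirm it lies outside the hunk.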
diff --git a/library/x509write.c b/library/x509write.c
index 400ffa0e65..9f5a91009b 100644
--- a/library/x509write.c
+++ b/library/x509write.c
@@ -146,8 +146,6 @@ int x509_write_name( unsigned char **p, unsigned char *start, char *oid,
/*
* Wrapper for x509 hashes.
- *
- * \param out Buffer to receive the hash (Should be at least 64 bytes)
*/
static void x509_hash( const unsigned char *in, size_t len, int alg,
unsigned char *out )
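Review bot: As in x509parse.c, removing `\param out Buffer to receive the hash (Should be at least 64 bytes)` leaves x509_hash's output-buffer size requirement undocumented, and an undersized `out` here would be a stack overflow in signing code. Keep it as a plain comment line: ` * out must have room for the largest digest this wrapper produces (64 bytes).` The figure comes from the removed line and cannot be verified against the body, which is outside the hunk.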
diff --git a/scripts/data_files/error.fmt b/scripts/data_files/error.fmt
index 9f83681267..535effc60e 100644
--- a/scripts/data_files/error.fmt
+++ b/scripts/data_files/error.fmt
@@ -1,7 +1,7 @@
/*
* Error message information
*
- * Copyright (C) 2006-2010, Brainspark B.V.
+ * Copyright (C) 2006-2012, Brainspark B.V.
*
* This file is part of PolarSSL (http://www.polarssl.org)
* Lead Maintainer: Paul Bakker
@@ -86,4 +86,4 @@ LOW_LEVEL_CODE_CHECKS
snprintf( buf, buflen, "UNKNOWN ERROR CODE (%04X)", use_ret );
}
-#endif /* POLARSSL_VERBOSE_ERROR */
+#endif /* POLARSSL_ERROR_C */
From f0171bc93cdaee6bb56400dde17fa7f9a07eb8f2 Mon Sep 17 00:00:00 2001
From: Paul Bakker
Date: Wed, 7 Nov 2012 20:06:27 +0000
Subject: [PATCH 08/25] - Added donated script for checking for non-doxygen
blocks with directives
---
scripts/check_doxy_blocks.pl | 57 ++++++++++++++++++++++++++++++++++++
1 file changed, 57 insertions(+)
create mode 100644 scripts/check_doxy_blocks.pl
diff --git a/scripts/check_doxy_blocks.pl b/scripts/check_doxy_blocks.pl
new file mode 100644
index 0000000000..c90143bf24
--- /dev/null
+++ b/scripts/check_doxy_blocks.pl
@@ -0,0 +1,57 @@
+#!/usr/bin/perl
+
+# Detect comment blocks that are likely meant to be doxygen blocks but aren't.
+#
+# More precisely, look for normal comment block containing '\'.
+# Of course one could use doxygen warnings, eg with:
+# sed -e '/EXTRACT/s/YES/NO/' doxygen/polarssl.doxyfile | doxygen -
+# but that would warn about any undocumented item, while our goal is to find
+# items that are documented, but not marked as such by mistake.
+
+use warnings;
+use strict;
+use File::Basename;
+
+# header files in the following directories will be checked
+my @directories = qw(include/polarssl library doxygen/input);
+
+# very naive pattern to find directives:
+# everything with a backslach except '\0'
+my $doxy_re = qr/\\(?!0)/;
+
+sub check_file {
+ my ($fname) = @_;
+ open my $fh, '<', $fname or die "Failed to open '$fname': $!\n";
+
+ # first line of the last normal comment block,
+ # or 0 if not in a normal comment block
+ my $block_start = 0;
+ while (my $line = <$fh>) {
+ $block_start = $. if $line =~ m/\/\*(?![*!])/;
+ $block_start = 0 if $line =~ m/\*\//;
+ if ($block_start and $line =~ m/$doxy_re/) {
+ print "$fname:$block_start: directive on line $.\n";
+ $block_start = 0; # report only one directive per block
+ }
+ }
+
+ close $fh;
+}
+
+sub check_dir {
+ my ($dirname) = @_;
+ for my $file (<$dirname/*.[ch]>) {
+ check_file($file);
+ }
+}
+
+# locate root directory based on invocation name
+my $root = dirname($0) . '/..';
+chdir $root or die "Can't chdir to '$root': $!\n";
+
+# just do it
+for my $dir (@directories) {
+ check_dir($dir)
+}
+
+__END__
From c893e0257f82b565cbd821db1497c1aabb7f76d9 Mon Sep 17 00:00:00 2001
From: Paul Bakker
Date: Wed, 7 Nov 2012 20:41:16 +0000
Subject: [PATCH 09/25] - Added extra documentation
---
include/polarssl/rsa.h | 3 +++
1 file changed, 3 insertions(+)
diff --git a/include/polarssl/rsa.h b/include/polarssl/rsa.h
index 513b0379f6..3a822cb2a2 100644
--- a/include/polarssl/rsa.h
+++ b/include/polarssl/rsa.h
@@ -167,6 +167,9 @@ extern "C" {
/**
* \brief Initialize an RSA context
*
+ * Note: Set padding to RSA_PKCS_V21 for the RSAES-OAEP
+ * encryption scheme and the RSASSA-PSS signature scheme.
+ *
* \param ctx RSA context to be initialized
* \param padding RSA_PKCS_V15 or RSA_PKCS_V21
* \param hash_id RSA_PKCS_V21 hash identifier
From 36c4a678a646d8446f243e9197ba358f3899cfdf Mon Sep 17 00:00:00 2001
From: Paul Bakker
Date: Fri, 9 Nov 2012 15:30:07 +0000
Subject: [PATCH 10/25] - Fixed off-by-one loop
---
library/ctr_drbg.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/library/ctr_drbg.c b/library/ctr_drbg.c
index 1de7f05e94..8cf03712e0 100644
--- a/library/ctr_drbg.c
+++ b/library/ctr_drbg.c
@@ -194,7 +194,7 @@ int ctr_drbg_update_internal( ctr_drbg_context *ctx,
/*
* Increase counter
*/
- for( i = CTR_DRBG_BLOCKSIZE; i >= 0; i-- )
+ for( i = CTR_DRBG_BLOCKSIZE; i > 0; i-- )
if( ++ctx->counter[i - 1] != 0 )
break;
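Review bot: This fix is not recorded in ChangeLog, although the other bugfixes in this series are: the old bound `i >= 0` let the loop reach `i == 0` and execute `++ctx->counter[-1]`, a write before the start of the array, on the iteration where every counter byte had just wrapped to zero. That state needs all CTR_DRBG_BLOCKSIZE bytes to be 0xff before the increment, so it is practically unreachable, but it is still an out-of-bounds write in the DRBG and merits a line such as ` * Fixed out-of-bounds write in ctr_drbg counter increment on full counter wrap`. What precedes `counter` in the context struct, and hence what the stray write clobbered, is not visible here.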
From f02c5642d0f19281e7c30d849bf8cd94703a9bd5 Mon Sep 17 00:00:00 2001
From: Paul Bakker
Date: Tue, 13 Nov 2012 10:25:21 +0000
Subject: [PATCH 11/25] - Allow R and A to point to same mpi in mpi_div_mpi
---
ChangeLog | 2 ++
library/bignum.c | 2 +-
tests/suites/test_suite_mpi.function | 10 +++++-----
3 files changed, 8 insertions(+), 6 deletions(-)
diff --git a/ChangeLog b/ChangeLog
index a448acc4e8..85e7a060fb 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -4,6 +4,8 @@ PolarSSL ChangeLog
Bugfixes
* Fixes for MSVC6
* Moved mpi_inv_mod() outside POLARSSL_GENPRIME
+ * Allow R and A to point to same mpi in mpi_div_mpi (found by Manuel
+ Pégourié-Gonnard)
= Version 1.2.0 released 2012-10-31
Features
diff --git a/library/bignum.c b/library/bignum.c
index 94e8eb3e26..23feb6a915 100644
--- a/library/bignum.c
+++ b/library/bignum.c
@@ -1195,9 +1195,9 @@ int mpi_div_mpi( mpi *Q, mpi *R, const mpi *A, const mpi *B )
if( R != NULL )
{
mpi_shift_r( &X, k );
+ X.s = A->s;
mpi_copy( R, &X );
- R->s = A->s;
if( mpi_cmp_int( R, 0 ) == 0 )
R->s = 1;
}
diff --git a/tests/suites/test_suite_mpi.function b/tests/suites/test_suite_mpi.function
index 1b328c43d5..6635392590 100644
--- a/tests/suites/test_suite_mpi.function
+++ b/tests/suites/test_suite_mpi.function
@@ -514,21 +514,21 @@ END_CASE
BEGIN_CASE
mpi_mod_mpi:radix_X:input_X:radix_Y:input_Y:radix_A:input_A:div_result
{
- mpi X, Y, Z, A;
+ mpi X, Y, A;
int res;
- mpi_init( &X ); mpi_init( &Y ); mpi_init( &Z ); mpi_init( &A );
+ mpi_init( &X ); mpi_init( &Y ); mpi_init( &A );
TEST_ASSERT( mpi_read_string( &X, {radix_X}, {input_X} ) == 0 );
TEST_ASSERT( mpi_read_string( &Y, {radix_Y}, {input_Y} ) == 0 );
TEST_ASSERT( mpi_read_string( &A, {radix_A}, {input_A} ) == 0 );
- res = mpi_mod_mpi( &Z, &X, &Y );
+ res = mpi_mod_mpi( &X, &X, &Y );
TEST_ASSERT( res == {div_result} );
if( res == 0 )
{
- TEST_ASSERT( mpi_cmp_mpi( &Z, &A ) == 0 );
+ TEST_ASSERT( mpi_cmp_mpi( &X, &A ) == 0 );
}
- mpi_free( &X ); mpi_free( &Y ); mpi_free( &Z ); mpi_free( &A );
+ mpi_free( &X ); mpi_free( &Y ); mpi_free( &A );
}
END_CASE
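Review bot: The case now exercises only the aliased form `mpi_mod_mpi( &X, &X, &Y )`, so the non-aliased form it covered before, with `Z` as a distinct output, loses its test in this suite unless another case covers it. Since the ChangeLog entry is specifically about `R` and `A` being the same mpi, adding the in-place call next to the original rather than replacing it keeps both paths under test: keep `Z`, and inside the `if( res == 0 )` block add `TEST_ASSERT( mpi_mod_mpi( &X, &X, &Y ) == 0 );` followed by `TEST_ASSERT( mpi_cmp_mpi( &X, &A ) == 0 );` after the existing comparison of `Z` with `A`.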
From f6bdf8d86c2e9926deb19205c502ffcf126d3be5 Mon Sep 17 00:00:00 2001
From: Paul Bakker
Date: Tue, 13 Nov 2012 10:28:43 +0000
Subject: [PATCH 12/25] - Added uninstall target
---
Makefile | 12 ++++++++++++
1 file changed, 12 insertions(+)
diff --git a/Makefile b/Makefile
index 4713cfeb7d..d29d830f6d 100644
--- a/Makefile
+++ b/Makefile
@@ -32,6 +32,18 @@ install:
fi \
done
+uninstall:
+ rm -rf $(DESTDIR)/include/polarssl
+ rm -f $(DESTDIR)/lib/libpolarssl.*
+
+ for p in programs/*/* ; do \
+ if [ -x $$p ] && [ ! -d $$p ] ; \
+ then \
+ f=$(PREFIX)`basename $$p` ; \
+ rm -f $(DESTDIR)/bin/$$f ; \
+ fi \
+ done
+
clean:
cd library && $(MAKE) clean && cd ..
cd programs && $(MAKE) clean && cd ..
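Review bot: `rm -rf $(DESTDIR)/include/polarssl` and `rm -f $(DESTDIR)/lib/libpolarssl.*` run with whatever DESTDIR expands to, so `make uninstall DESTDIR=` (or a typo in the variable) removes `/include/polarssl` and `/lib/libpolarssl.*`; a first recipe line `test -n "$(DESTDIR)" || { echo "DESTDIR is empty" ; exit 1 ; }` costs nothing. The loop also derives the installed program names from the local `programs/*/*` tree, so binaries are only removed when that tree has been built in the same checkout; a comment such as `# program names are derived from programs/*/*, so the tree must be built` would save the surprise. DESTDIR's default is set outside this hunk.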
From 644db3893a28a7a70a3e07d4a20a3d5dd40ecdc5 Mon Sep 17 00:00:00 2001
From: Paul Bakker
Date: Tue, 13 Nov 2012 10:35:00 +0000
Subject: [PATCH 13/25] - Added SHARED define for building with -fPIC
---
library/Makefile | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/library/Makefile b/library/Makefile
index 7983f7b531..f9e5062d9b 100644
--- a/library/Makefile
+++ b/library/Makefile
@@ -18,7 +18,9 @@ endif
# CFLAGS += -D_BSD_EXTENSION
# To compile as a shared library:
-# CFLAGS += -fPIC
+ifdef SHARED
+CFLAGS += -fPIC
+endif
SONAME=libpolarssl.so.0
From 96c4ed8134afc4976606238b995b3f34f9ce1b61 Mon Sep 17 00:00:00 2001
From: Paul Bakker
Date: Tue, 13 Nov 2012 10:37:52 +0000
Subject: [PATCH 14/25] - Proper building of shared lib when SHARED defined
---
library/Makefile | 4 ++++
1 file changed, 4 insertions(+)
diff --git a/library/Makefile b/library/Makefile
index f9e5062d9b..603f5d16ec 100644
--- a/library/Makefile
+++ b/library/Makefile
@@ -53,7 +53,11 @@ OBJS= aes.o arc4.o asn1parse.o \
.SILENT:
+ifndef SHARED
all: static
+else
+all: shared
+endif
static: libpolarssl.a
From 9daf0d0651d6346f6f21b6bce9797c626c88f24f Mon Sep 17 00:00:00 2001
From: Paul Bakker
Date: Tue, 13 Nov 2012 12:13:27 +0000
Subject: [PATCH 15/25] - Added max length check for rsa_pkcs1_sign with
PKCS#1 v2.1
---
ChangeLog | 1 +
library/rsa.c | 3 +++
tests/suites/test_suite_pkcs1_v21.data | 9 +++++++++
3 files changed, 13 insertions(+)
diff --git a/ChangeLog b/ChangeLog
index 85e7a060fb..e815715d08 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -6,6 +6,7 @@ Bugfixes
* Moved mpi_inv_mod() outside POLARSSL_GENPRIME
* Allow R and A to point to same mpi in mpi_div_mpi (found by Manuel
Pégourié-Gonnard)
+ * Added max length check for rsa_pkcs1_sign with PKCS#1 v2.1
= Version 1.2.0 released 2012-10-31
Features
diff --git a/library/rsa.c b/library/rsa.c
index 191bfe8687..637c23a115 100644
--- a/library/rsa.c
+++ b/library/rsa.c
@@ -794,6 +794,9 @@ int rsa_pkcs1_sign( rsa_context *ctx,
hlen = md_get_size( md_info );
slen = hlen;
+ if( olen < hlen + slen + 2 )
+ return( POLARSSL_ERR_RSA_BAD_INPUT_DATA );
+
memset( sig, 0, olen );
memset( &md_ctx, 0, sizeof( md_context_t ) );
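Review bot: `if( olen < hlen + slen + 2 )` bounds the encoded message by the full modulus byte length `olen`, whereas RSASSA-PSS (RFC 3447 section 9.1.1) bounds it by emLen = ceil((modBits - 1)/8), which is one byte less than `olen` whenever the modulus bit length minus one is a multiple of 8; for such keys a hash one byte under the limit passes this check yet does not fit the encoding. If the function already derives the modulus bit length for the top-byte masking further down (outside the hunk, so I cannot confirm), the check should subtract one from `olen` in that case before comparing. The new test vector uses a 1024-bit key, which is not in that class, so it does not exercise the boundary. rsa_pkcs1_sign begins before this hunk.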
diff --git a/tests/suites/test_suite_pkcs1_v21.data b/tests/suites/test_suite_pkcs1_v21.data
index d5c85c66a9..8812c9e8af 100644
--- a/tests/suites/test_suite_pkcs1_v21.data
+++ b/tests/suites/test_suite_pkcs1_v21.data
@@ -1,6 +1,12 @@
RSAES-OAEP Encryption Test Vector Int
pkcs1_rsaes_oaep_encrypt:1024:16:"bbf82f090682ce9c2338ac2b9da871f7368d07eed41043a440d6b6f07454f51fb8dfbaaf035c02ab61ea48ceeb6fcd4876ed520d60e1ec4619719d8a5b8b807fafb8e0a3dfc737723ee6b4b7d93a2584ee6a649d060953748834b2454598394ee0aab12d7b61a51f527a9a41f6c1687fe2537298ca2a8f5946f8e5fd091dbdcb":16:"11":POLARSSL_MD_SHA1:"d436e99569fd32a7c8a05bbc90d32c49":"aafd12f659cae63489b479e5076ddec2f06cb58f":"1253e04dc0a5397bb44a7ab87e9bf2a039a33d1e996fc82a94ccd30074c95df763722017069e5268da5d1c0b4f872cf653c11df82314a67968dfeae28def04bb6d84b1c31d654a1970e5783bd6eb96a024c2ca2f4a90fe9f2ef5c9c140e5bb48da9536ad8700c84fc9130adea74e558d51a74ddf85d8b50de96838d6063e0955":0
+RSAES-OAEP Encryption Test Vector Data just fits
+pkcs1_rsaes_oaep_encrypt:1024:16:"bbf82f090682ce9c2338ac2b9da871f7368d07eed41043a440d6b6f07454f51fb8dfbaaf035c02ab61ea48ceeb6fcd4876ed520d60e1ec4619719d8a5b8b807fafb8e0a3dfc737723ee6b4b7d93a2584ee6a649d060953748834b2454598394ee0aab12d7b61a51f527a9a41f6c1687fe2537298ca2a8f5946f8e5fd091dbdcb":16:"11":POLARSSL_MD_SHA1:"d436e99569fd32a7c8a05bbc90d32c49d436e99569fd32a7c8a05bbc90d32c49d436e99569fd32a7c8a05bbc90d32c49d436e99569fd32a7c8a05bbc90d32c49d436e99569fd32a7c8a05bbc90d32c49d436e99569fd":"aafd12f659cae63489b479e5076ddec2f06cb58f":"3082f2288fff275213d53168f0a272573cff81837c249dc1f380a12ac124c8f217b700708a1ce7dce154265f31a126ebdd9ed3ef9145ae29124a25f4e65aa52c5a9ff34f6cf4de9ba937ae406dc7d1f277af4f6fb7ea73bfbab2bd397b6b2c53570e173ffcf3b9f0bb96837623a4f87bd81b41446c59e681a2f3da81239e9bdf":0
+
+RSAES-OAEP Encryption Test Vector Data too long
+pkcs1_rsaes_oaep_encrypt:1024:16:"bbf82f090682ce9c2338ac2b9da871f7368d07eed41043a440d6b6f07454f51fb8dfbaaf035c02ab61ea48ceeb6fcd4876ed520d60e1ec4619719d8a5b8b807fafb8e0a3dfc737723ee6b4b7d93a2584ee6a649d060953748834b2454598394ee0aab12d7b61a51f527a9a41f6c1687fe2537298ca2a8f5946f8e5fd091dbdcb":16:"11":POLARSSL_MD_SHA1:"d436e99569fd32a7c8a05bbc90d32c49d436e99569fd32a7c8a05bbc90d32c49d436e99569fd32a7c8a05bbc90d32c49d436e99569fd32a7c8a05bbc90d32c49d436e99569fd32a7c8a05bbc90d32c49d436e99569fd00":"aafd12f659cae63489b479e5076ddec2f06cb58f":"1253e04dc0a5397bb44a7ab87e9bf2a039a33d1e996fc82a94ccd30074c95df763722017069e5268da5d1c0b4f872cf653c11df82314a67968dfeae28def04bb6d84b1c31d654a1970e5783bd6eb96a024c2ca2f4a90fe9f2ef5c9c140e5bb48da9536ad8700c84fc9130adea74e558d51a74ddf85d8b50de96838d6063e0955":POLARSSL_ERR_RSA_BAD_INPUT_DATA
+
RSAES-OAEP Encryption Test Vector 1_1
pkcs1_rsaes_oaep_encrypt:1024:16:"a8b3b284af8eb50b387034a860f146c4919f318763cd6c5598c8ae4811a1e0abc4c7e0b082d693a5e7fced675cf4668512772c0cbc64a742c6c630f533c8cc72f62ae833c40bf25842e984bb78bdbf97c0107d55bdb662f5c4e0fab9845cb5148ef7392dd3aaff93ae1e6b667bb3d4247616d4f5ba10d4cfd226de88d39f16fb":16:"010001":POLARSSL_MD_SHA1:"6628194e12073db03ba94cda9ef9532397d50dba79b987004afefe34":"18b776ea21069d69776a33e96bad48e1dda0a5ef":"354fe67b4a126d5d35fe36c777791a3f7ba13def484e2d3908aff722fad468fb21696de95d0be911c2d3174f8afcc201035f7b6d8e69402de5451618c21a535fa9d7bfc5b8dd9fc243f8cf927db31322d6e881eaa91a996170e657a05a266426d98c88003f8477c1227094a0d9fa1e8c4024309ce1ecccb5210035d47ac72e8a":0
@@ -370,6 +376,9 @@ pkcs1_rsassa_pss_sign:1024:16:"d17f655bf27c8b16d35462c905cc04a26f37e2a67fa9c0ce0
RSASSA-PSS Verification Test Vector Int
pkcs1_rsassa_pss_verify:1024:16:"a2ba40ee07e3b2bd2f02ce227f36a195024486e49c19cb41bbbdfbba98b22b0e577c2eeaffa20d883a76e65e394c69d4b3c05a1e8fadda27edb2a42bc000fe888b9b32c22d15add0cd76b3e7936e19955b220dd17d4ea904b1ec102b2e4de7751222aa99151024c7cb41cc5ea21d00eeb41f7c800834d2c6e06bce3bce7ea9a5":16:"010001":SIG_RSA_SHA1:POLARSSL_MD_SHA1:"859eef2fd78aca00308bdc471193bf55bf9d78db8f8a672b484634f3c9c26e6478ae10260fe0dd8c082e53a5293af2173cd50c6d5d354febf78b26021c25c02712e78cd4694c9f469777e451e7f8e9e04cd3739c6bbfedae487fb55644e9ca74ff77a53cb729802f6ed4a5ffa8ba159890fc":"e3b5d5d002c1bce50c2b65ef88a188d83bce7e61":"8daa627d3de7595d63056c7ec659e54406f10610128baae821c8b2a0f3936d54dc3bdce46689f6b7951bb18e840542769718d5715d210d85efbb596192032c42be4c29972c856275eb6d5a45f05f51876fc6743deddd28caec9bb30ea99e02c3488269604fe497f74ccd7c7fca1671897123cbd30def5d54a2b5536ad90a747e":0
+RSASSA-PSS Signing Test Vector Hash too large
+pkcs1_rsassa_pss_sign:1024:16:"d17f655bf27c8b16d35462c905cc04a26f37e2a67fa9c0ce0dced472394a0df743fe7f929e378efdb368eddff453cf007af6d948e0ade757371f8a711e278f6b":16:"c6d92b6fee7414d1358ce1546fb62987530b90bd15e0f14963a5e2635adb69347ec0c01b2ab1763fd8ac1a592fb22757463a982425bb97a3a437c5bf86d03f2f":16:"a2ba40ee07e3b2bd2f02ce227f36a195024486e49c19cb41bbbdfbba98b22b0e577c2eeaffa20d883a76e65e394c69d4b3c05a1e8fadda27edb2a42bc000fe888b9b32c22d15add0cd76b3e7936e19955b220dd17d4ea904b1ec102b2e4de7751222aa99151024c7cb41cc5ea21d00eeb41f7c800834d2c6e06bce3bce7ea9a5":16:"010001":SIG_RSA_SHA1:POLARSSL_MD_SHA512:"d436e99569fd32a7c8a05bbc90d32c49d436e99569fd32a7c8a05bbc90d32c49d436e99569fd32a7c8a05bbc90d32c49d436e99569fd32a7c8a05bbc90d32c49d436e99569fd32a7c8a05bbc90d32c49d436e99569fd00":"e3b5d5d002c1bce50c2b65ef88a188d83bce7e61":"":POLARSSL_ERR_RSA_BAD_INPUT_DATA
+
RSASSA-PSS Signature Example 1_1
pkcs1_rsassa_pss_sign:1024:16:"e7e8942720a877517273a356053ea2a1bc0c94aa72d55c6e86296b2dfc967948c0a72cbccca7eacb35706e09a1df55a1535bd9b3cc34160b3b6dcd3eda8e6443":16:"b69dca1cf7d4d7ec81e75b90fcca874abcde123fd2700180aa90479b6e48de8d67ed24f9f19d85ba275874f542cd20dc723e6963364a1f9425452b269a6799fd":16:"a56e4a0e701017589a5187dc7ea841d156f2ec0e36ad52a44dfeb1e61f7ad991d8c51056ffedb162b4c0f283a12a88a394dff526ab7291cbb307ceabfce0b1dfd5cd9508096d5b2b8b6df5d671ef6377c0921cb23c270a70e2598e6ff89d19f105acc2d3f0cb35f29280e1386b6f64c4ef22e1e1f20d0ce8cffb2249bd9a2137":16:"010001":SIG_RSA_SHA1:POLARSSL_MD_SHA1:"cdc87da223d786df3b45e0bbbc721326d1ee2af806cc315475cc6f0d9c66e1b62371d45ce2392e1ac92844c310102f156a0d8d52c1f4c40ba3aa65095786cb769757a6563ba958fed0bcc984e8b517a3d5f515b23b8a41e74aa867693f90dfb061a6e86dfaaee64472c00e5f20945729cbebe77f06ce78e08f4098fba41f9d6193c0317e8b60d4b6084acb42d29e3808a3bc372d85e331170fcbf7cc72d0b71c296648b3a4d10f416295d0807aa625cab2744fd9ea8fd223c42537029828bd16be02546f130fd2e33b936d2676e08aed1b73318b750a0167d0":"dee959c7e06411361420ff80185ed57f3e6776af":"9074308fb598e9701b2294388e52f971faac2b60a5145af185df5287b5ed2887e57ce7fd44dc8634e407c8e0e4360bc226f3ec227f9d9e54638e8d31f5051215df6ebb9c2f9579aa77598a38f914b5b9c1bd83c4e2f9f382a0d0aa3542ffee65984a601bc69eb28deb27dca12c82c2d4c3f66cd500f1ff2b994d8a4e30cbb33c":0
From b815682a485e70f0b7cfbe111b8ac7190404bf3d Mon Sep 17 00:00:00 2001
From: Paul Bakker
Date: Tue, 13 Nov 2012 12:52:17 +0000
Subject: [PATCH 16/25] - Updated Changelog for 1.2.1
---
ChangeLog | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/ChangeLog b/ChangeLog
index e815715d08..13847a8347 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,6 +1,6 @@
PolarSSL ChangeLog
-= Version Trunk
+= Version 1.2.1 released 2012-11-13
Bugfixes
* Fixes for MSVC6
* Moved mpi_inv_mod() outside POLARSSL_GENPRIME
From e0f41f3086a3ca692ea2c9ecf85ce57cb3407497 Mon Sep 17 00:00:00 2001
From: Paul Bakker
Date: Tue, 13 Nov 2012 12:55:02 +0000
Subject: [PATCH 17/25] - Updated version to 1.2.1
---
doxygen/input/doc_mainpage.h | 4 ++--
doxygen/polarssl.doxyfile | 2 +-
include/polarssl/version.h | 8 ++++----
library/CMakeLists.txt | 2 +-
tests/suites/test_suite_version.data | 4 ++--
5 files changed, 10 insertions(+), 10 deletions(-)
diff --git a/doxygen/input/doc_mainpage.h b/doxygen/input/doc_mainpage.h
index c440840557..07dfdc2e17 100644
--- a/doxygen/input/doc_mainpage.h
+++ b/doxygen/input/doc_mainpage.h
@@ -4,7 +4,7 @@
*/
/**
- * @mainpage PolarSSL v1.2.0 source code documentation
+ * @mainpage PolarSSL v1.2.1 source code documentation
*
* This documentation describes the internal structure of PolarSSL. It was
* automatically generated from specially formatted comment blocks in
@@ -21,7 +21,7 @@
*
* @section mainpage_modules Modules
*
- * PolarSSL supports SSLv3 up to TLSv1.1 communication by providing the
+ * PolarSSL supports SSLv3 up to TLSv1.2 communication by providing the
* following:
* - TCP/IP communication functions: listen, connect, accept, read/write.
* - SSL/TLS communication functions: init, handshake, read/write.
diff --git a/doxygen/polarssl.doxyfile b/doxygen/polarssl.doxyfile
index 90fd2a3eb0..008364eeb4 100644
--- a/doxygen/polarssl.doxyfile
+++ b/doxygen/polarssl.doxyfile
@@ -25,7 +25,7 @@ DOXYFILE_ENCODING = UTF-8
# The PROJECT_NAME tag is a single word (or a sequence of words surrounded
# by quotes) that should identify the project.
-PROJECT_NAME = "PolarSSL v1.2.0"
+PROJECT_NAME = "PolarSSL v1.2.1"
# The PROJECT_NUMBER tag can be used to enter a project or revision number.
# This could be handy for archiving the generated documentation or
diff --git a/include/polarssl/version.h b/include/polarssl/version.h
index 159c95acb8..4fe84a9397 100644
--- a/include/polarssl/version.h
+++ b/include/polarssl/version.h
@@ -39,16 +39,16 @@
*/
#define POLARSSL_VERSION_MAJOR 1
#define POLARSSL_VERSION_MINOR 2
-#define POLARSSL_VERSION_PATCH 0
+#define POLARSSL_VERSION_PATCH 1
/**
* The single version number has the following structure:
* MMNNPP00
* Major version | Minor version | Patch version
*/
-#define POLARSSL_VERSION_NUMBER 0x01020000
-#define POLARSSL_VERSION_STRING "1.2.0"
-#define POLARSSL_VERSION_STRING_FULL "PolarSSL 1.2.0"
+#define POLARSSL_VERSION_NUMBER 0x01020100
+#define POLARSSL_VERSION_STRING "1.2.1"
+#define POLARSSL_VERSION_STRING_FULL "PolarSSL 1.2.1"
#if defined(POLARSSL_VERSION_C)
diff --git a/library/CMakeLists.txt b/library/CMakeLists.txt
index 9995859b56..640cf82fb5 100644
--- a/library/CMakeLists.txt
+++ b/library/CMakeLists.txt
@@ -57,7 +57,7 @@ add_library(polarssl STATIC ${src})
else(NOT USE_SHARED_POLARSSL_LIBRARY)
add_library(polarssl SHARED ${src})
-set_target_properties(polarssl PROPERTIES VERSION 1.2.0 SOVERSION 2)
+set_target_properties(polarssl PROPERTIES VERSION 1.2.1 SOVERSION 2)
endif(NOT USE_SHARED_POLARSSL_LIBRARY)
diff --git a/tests/suites/test_suite_version.data b/tests/suites/test_suite_version.data
index b6baca3b4c..c795cf9d80 100644
--- a/tests/suites/test_suite_version.data
+++ b/tests/suites/test_suite_version.data
@@ -1,5 +1,5 @@
Check compiletime library version
-check_compiletime_version:"1.2.0"
+check_compiletime_version:"1.2.1"
Check runtime library version
-check_runtime_version:"1.2.0"
+check_runtime_version:"1.2.1"
From 34d8dbcc6d256cc6fbdc0266dbc80ae8d9f7d77f Mon Sep 17 00:00:00 2001
From: Paul Bakker
Date: Wed, 14 Nov 2012 12:11:38 +0000
Subject: [PATCH 18/25] - Depth that the certificate verify callback receives
is now numbered bottom-up (Peer cert depth is 0)
---
ChangeLog | 4 ++++
include/polarssl/x509.h | 2 +-
library/x509parse.c | 47 ++++++++++++++++++++++++++---------------
3 files changed, 35 insertions(+), 18 deletions(-)
diff --git a/ChangeLog b/ChangeLog
index 13847a8347..6b2c969960 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,6 +1,10 @@
PolarSSL ChangeLog
= Version 1.2.1 released 2012-11-13
+Changes
+ * Depth that the certificate verify callback receives is now numbered
+ bottom-up (Peer cert depth is 0)
+
Bugfixes
* Fixes for MSVC6
* Moved mpi_inv_mod() outside POLARSSL_GENPRIME
diff --git a/include/polarssl/x509.h b/include/polarssl/x509.h
index 45a8229f13..87151c927e 100644
--- a/include/polarssl/x509.h
+++ b/include/polarssl/x509.h
@@ -680,7 +680,7 @@ int x509parse_time_expired( const x509_time *time );
* (void *parameter, x509_cert *crt, int certificate_depth,
* int *flags). With the flags representing current flags for
* that specific certificate and the certificate depth from
- * the top (Trust CA depth = 0).
+ * the bottom (Peer cert depth = 0).
*
* All flags left after returning from the callback
* are also returned to the application. The function should
diff --git a/library/x509parse.c b/library/x509parse.c
index c56451129c..e54e0b78d3 100644
--- a/library/x509parse.c
+++ b/library/x509parse.c
@@ -3114,12 +3114,12 @@ int x509_wildcard_verify( const char *cn, x509_buf *name )
static int x509parse_verify_top(
x509_cert *child, x509_cert *trust_ca,
- x509_crl *ca_crl, int *path_cnt, int *flags,
+ x509_crl *ca_crl, int path_cnt, int *flags,
int (*f_vrfy)(void *, x509_cert *, int, int *),
void *p_vrfy )
{
int hash_id, ret;
- int ca_flags = 0;
+ int ca_flags = 0, check_path_cnt = path_cnt + 1;
unsigned char hash[64];
if( x509parse_time_expired( &child->valid_to ) )
@@ -3141,8 +3141,19 @@ static int x509parse_verify_top(
continue;
}
+ /*
+ * Reduce path_len to check against if top of the chain is
+ * the same as the trusted CA
+ */
+ if( child->subject_raw.len == trust_ca->subject_raw.len &&
+ memcmp( child->subject_raw.p, trust_ca->subject_raw.p,
+ child->issuer_raw.len ) == 0 )
+ {
+ check_path_cnt--;
+ }
+
if( trust_ca->max_pathlen > 0 &&
- trust_ca->max_pathlen < *path_cnt )
+ trust_ca->max_pathlen < check_path_cnt )
{
trust_ca = trust_ca->next;
continue;
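Review bot: The new subject comparison checks that the two subject_raw lengths are equal but then passes memcmp a different field, `child->issuer_raw.len`: when the issuer name is longer than the subject name the compare reads past both buffers, and when it is shorter only a prefix is compared, so a trust anchor whose same-length subject shares that prefix would be mistaken for the chain's top and get the reduced path count. The memcmp length should be the one just verified equal, i.e. the third argument becomes `child->subject_raw.len ) == 0 )`. The same mismatch is repeated in the next hunk, in the `trust_ca != NULL &&` condition that guards the CRL check, and should be fixed there too. x509parse_verify_top starts and ends outside this hunk.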
@@ -3166,7 +3177,13 @@ static int x509parse_verify_top(
break;
}
- if( trust_ca != NULL )
+ /*
+ * If top of chain is not the same as the trusted CA
+ */
+ if( trust_ca != NULL &&
+ ( child->subject_raw.len != trust_ca->subject_raw.len ||
+ memcmp( child->subject_raw.p, trust_ca->subject_raw.p,
+ child->issuer_raw.len ) != 0 ) )
{
/* Check trusted CA's CRL for then chain's top crt */
*flags |= x509parse_verifycrl( child, trust_ca, ca_crl );
@@ -3186,7 +3203,7 @@ static int x509parse_verify_top(
if( NULL != f_vrfy )
{
- if( ( ret = f_vrfy( p_vrfy, trust_ca, 0, &ca_flags ) ) != 0 )
+ if( ( ret = f_vrfy( p_vrfy, trust_ca, path_cnt + 1, &ca_flags ) ) != 0 )
return( ret );
}
}
@@ -3194,12 +3211,10 @@ static int x509parse_verify_top(
/* Call callback on top cert */
if( NULL != f_vrfy )
{
- if( ( ret = f_vrfy(p_vrfy, child, 1, flags ) ) != 0 )
+ if( ( ret = f_vrfy(p_vrfy, child, path_cnt, flags ) ) != 0 )
return( ret );
}
- *path_cnt = 2;
-
*flags |= ca_flags;
return( 0 );
@@ -3207,7 +3222,7 @@ static int x509parse_verify_top(
static int x509parse_verify_child(
x509_cert *child, x509_cert *parent, x509_cert *trust_ca,
- x509_crl *ca_crl, int *path_cnt, int *flags,
+ x509_crl *ca_crl, int path_cnt, int *flags,
int (*f_vrfy)(void *, x509_cert *, int, int *),
void *p_vrfy )
{
@@ -3246,28 +3261,26 @@ static int x509parse_verify_child(
break;
}
- (*path_cnt)++;
if( grandparent != NULL )
{
/*
* Part of the chain
*/
- ret = x509parse_verify_child( parent, grandparent, trust_ca, ca_crl, path_cnt, &parent_flags, f_vrfy, p_vrfy );
+ ret = x509parse_verify_child( parent, grandparent, trust_ca, ca_crl, path_cnt + 1, &parent_flags, f_vrfy, p_vrfy );
if( ret != 0 )
return( ret );
}
else
{
- ret = x509parse_verify_top( parent, trust_ca, ca_crl, path_cnt, &parent_flags, f_vrfy, p_vrfy );
+ ret = x509parse_verify_top( parent, trust_ca, ca_crl, path_cnt + 1, &parent_flags, f_vrfy, p_vrfy );
if( ret != 0 )
return( ret );
}
/* child is verified to be a child of the parent, call verify callback */
if( NULL != f_vrfy )
- if( ( ret = f_vrfy( p_vrfy, child, *path_cnt, flags ) ) != 0 )
+ if( ( ret = f_vrfy( p_vrfy, child, path_cnt, flags ) ) != 0 )
return( ret );
- (*path_cnt)++;
*flags |= parent_flags;
@@ -3286,7 +3299,7 @@ int x509parse_verify( x509_cert *crt,
{
size_t cn_len;
int ret;
- int pathlen = 1;
+ int pathlen = 0;
x509_cert *parent;
x509_name *name;
x509_sequence *cur = NULL;
@@ -3368,13 +3381,13 @@ int x509parse_verify( x509_cert *crt,
/*
* Part of the chain
*/
- ret = x509parse_verify_child( crt, parent, trust_ca, ca_crl, &pathlen, flags, f_vrfy, p_vrfy );
+ ret = x509parse_verify_child( crt, parent, trust_ca, ca_crl, pathlen, flags, f_vrfy, p_vrfy );
if( ret != 0 )
return( ret );
}
else
{
- ret = x509parse_verify_top( crt, trust_ca, ca_crl, &pathlen, flags, f_vrfy, p_vrfy );
+ ret = x509parse_verify_top( crt, trust_ca, ca_crl, pathlen, flags, f_vrfy, p_vrfy );
if( ret != 0 )
return( ret );
}
From 43ae2984109d414b7072c3a83ff25c82f7fd2294 Mon Sep 17 00:00:00 2001
From: Paul Bakker
Date: Wed, 14 Nov 2012 12:14:19 +0000
Subject: [PATCH 19/25] - Fixed argument types
---
include/polarssl/pkcs11.h | 4 ++--
library/pkcs11.c | 2 +-
2 files changed, 3 insertions(+), 3 deletions(-)
diff --git a/include/polarssl/pkcs11.h b/include/polarssl/pkcs11.h
index ddfae30176..003d3f52df 100644
--- a/include/polarssl/pkcs11.h
+++ b/include/polarssl/pkcs11.h
@@ -104,7 +104,7 @@ int pkcs11_decrypt( pkcs11_context *ctx,
int mode, size_t *olen,
const unsigned char *input,
unsigned char *output,
- unsigned int output_max_len );
+ size_t output_max_len );
/**
* \brief Do a private RSA to sign a message digest
@@ -134,7 +134,7 @@ int pkcs11_sign( pkcs11_context *ctx,
*/
static inline int ssl_pkcs11_decrypt( void *ctx, int mode, size_t *olen,
const unsigned char *input, unsigned char *output,
- unsigned int output_max_len )
+ size_t output_max_len )
{
return pkcs11_decrypt( (pkcs11_context *) ctx, mode, olen, input, output,
output_max_len );
diff --git a/library/pkcs11.c b/library/pkcs11.c
index b71415a41d..b68d6881db 100644
--- a/library/pkcs11.c
+++ b/library/pkcs11.c
@@ -115,7 +115,7 @@ int pkcs11_decrypt( pkcs11_context *ctx,
int mode, size_t *olen,
const unsigned char *input,
unsigned char *output,
- unsigned int output_max_len )
+ size_t output_max_len )
{
size_t input_len, output_len;
From 580153573b2a21cbe4c0d6595e3550e0393b5a94 Mon Sep 17 00:00:00 2001
From: Paul Bakker
Date: Wed, 14 Nov 2012 12:15:41 +0000
Subject: [PATCH 20/25] - Do not free uninitialized ssl context
---
programs/x509/cert_app.c | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/programs/x509/cert_app.c b/programs/x509/cert_app.c
index a0610b3709..2fb0c854e2 100644
--- a/programs/x509/cert_app.c
+++ b/programs/x509/cert_app.c
@@ -298,6 +298,7 @@ int main( int argc, char *argv[] )
if( ret != POLARSSL_ERR_NET_WANT_READ && ret != POLARSSL_ERR_NET_WANT_WRITE )
{
printf( " failed\n ! ssl_handshake returned %d\n\n", ret );
+ ssl_free( &ssl );
goto exit;
}
}
@@ -313,12 +314,14 @@ int main( int argc, char *argv[] )
if( ret == -1 )
{
printf( " failed\n ! x509parse_cert_info returned %d\n\n", ret );
+ ssl_free( &ssl );
goto exit;
}
printf( "%s\n", buf );
ssl_close_notify( &ssl );
+ ssl_free( &ssl );
}
else
goto usage;
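Review bot: Freeing the context at three separate points inside the branch (here, the previous hunk, and the close_notify path) is fragile: any other `goto exit` between ssl_handshake and x509parse_cert_info that is not visible in this hunk now leaks the context, where the old single call at the exit label caught it. A one-line flag keeps one cleanup site while still avoiding the free of an uninitialised context: `int ssl_inited = 0;` set to 1 right after the context is initialised, and at the exit label `if( ssl_inited ) ssl_free( &ssl );`. main() starts and ends outside this hunk.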
@@ -329,7 +332,6 @@ exit:
net_close( server_fd );
x509_free( &clicert );
rsa_free( &rsa );
- ssl_free( &ssl );
#if defined(_WIN32)
printf( " + Press Enter to exit this program.\n" );
From 75242c30fb616d93f30d3c63ac640684e87916c4 Mon Sep 17 00:00:00 2001
From: Paul Bakker
Date: Sat, 17 Nov 2012 00:03:46 +0100
Subject: [PATCH 21/25] Added checking of CA peer cert to ssl_client1 as sane
default
---
programs/ssl/ssl_client1.c | 72 +++++++++++++++++++++++++++++++++++++-
1 file changed, 71 insertions(+), 1 deletion(-)
diff --git a/programs/ssl/ssl_client1.c b/programs/ssl/ssl_client1.c
index 7631a226b3..78ad43e72d 100644
--- a/programs/ssl/ssl_client1.c
+++ b/programs/ssl/ssl_client1.c
@@ -37,6 +37,7 @@
#include "polarssl/entropy.h"
#include "polarssl/ctr_drbg.h"
#include "polarssl/error.h"
+#include "polarssl/certs.h"
#define SERVER_PORT 4433
#define SERVER_NAME "localhost"
@@ -78,6 +79,7 @@ int main( int argc, char *argv[] )
entropy_context entropy;
ctr_drbg_context ctr_drbg;
ssl_context ssl;
+ x509_cert cacert;
((void) argc);
((void) argv);
@@ -86,6 +88,7 @@ int main( int argc, char *argv[] )
* 0. Initialize the RNG and the session data
*/
memset( &ssl, 0, sizeof( ssl_context ) );
+ memset( &cacert, 0, sizeof( x509_cert ) );
printf( "\n . Seeding the random number generator..." );
fflush( stdout );
@@ -100,6 +103,28 @@ int main( int argc, char *argv[] )
printf( " ok\n" );
+ /*
+ * 0. Initialize certificates
+ */
+ printf( " . Loading the CA root certificate ..." );
+ fflush( stdout );
+
+#if defined(POLARSSL_CERTS_C)
+ ret = x509parse_crt( &cacert, (unsigned char *) test_ca_crt,
+ strlen( test_ca_crt ) );
+#else
+ ret = 1;
+ printf("POLARSSL_CERTS_C not defined.");
+#endif
+
+ if( ret < 0 )
+ {
+ printf( " failed\n ! x509parse_crt returned -0x%x\n\n", -ret );
+ goto exit;
+ }
+
+ printf( " ok (%d skipped)\n", ret );
+
/*
* 1. Start the connection
*/
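Review bot: When POLARSSL_CERTS_C is not defined the `#else` branch sets `ret = 1` and prints a message, but the following check only rejects `ret < 0`, so execution continues, prints ` ok (1 skipped)` and later installs the never-populated cacert as the trust store. The message also lacks a trailing newline, so it runs straight into the "ok" line. Since the purpose of this commit is to verify the peer, that build configuration should stop here: `printf( "POLARSSL_CERTS_C not defined.\n" ); goto exit;`. main() starts and ends outside this hunk.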
@@ -131,13 +156,57 @@ int main( int argc, char *argv[] )
printf( " ok\n" );
ssl_set_endpoint( &ssl, SSL_IS_CLIENT );
- ssl_set_authmode( &ssl, SSL_VERIFY_NONE );
+ ssl_set_authmode( &ssl, SSL_VERIFY_OPTIONAL );
+ ssl_set_ca_chain( &ssl, &cacert, NULL, "PolarSSL Server 1" );
ssl_set_rng( &ssl, ctr_drbg_random, &ctr_drbg );
ssl_set_dbg( &ssl, my_debug, stdout );
ssl_set_bio( &ssl, net_recv, &server_fd,
net_send, &server_fd );
+ /*
+ * 4. Handshake
+ */
+ printf( " . Performing the SSL/TLS handshake..." );
+ fflush( stdout );
+
+ while( ( ret = ssl_handshake( &ssl ) ) != 0 )
+ {
+ if( ret != POLARSSL_ERR_NET_WANT_READ && ret != POLARSSL_ERR_NET_WANT_WRITE )
+ {
+ printf( " failed\n ! ssl_handshake returned -0x%x\n\n", -ret );
+ goto exit;
+ }
+ }
+
+ printf( " ok\n" );
+
+ /*
+ * 5. Verify the server certificate
+ */
+ printf( " . Verifying peer X.509 certificate..." );
+
+ if( ( ret = ssl_get_verify_result( &ssl ) ) != 0 )
+ {
+ printf( " failed\n" );
+
+ if( ( ret & BADCERT_EXPIRED ) != 0 )
+ printf( " ! server certificate has expired\n" );
+
+ if( ( ret & BADCERT_REVOKED ) != 0 )
+ printf( " ! server certificate has been revoked\n" );
+
+ if( ( ret & BADCERT_CN_MISMATCH ) != 0 )
+ printf( " ! CN mismatch (expected CN=%s)\n", "PolarSSL Server 1" );
+
+ if( ( ret & BADCERT_NOT_TRUSTED ) != 0 )
+ printf( " ! self-signed or not signed by a trusted CA\n" );
+
+ printf( "\n" );
+ }
+ else
+ printf( " ok\n" );
+
/*
* 3. Write the GET request
*/
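Review bot: The verification result is reported but not enforced: with SSL_VERIFY_OPTIONAL the handshake succeeds regardless, and after printing the failure details the code falls through to the request-writing section, so an untrusted or CN-mismatched server still receives the request. For a "sane default" either `ssl_set_authmode( &ssl, SSL_VERIFY_REQUIRED );` (ssl_handshake then fails for an untrusted peer, at the cost of the detailed flag printout) or a `goto exit;` after the `printf( "\n" );` in the failure branch. Separately, the new step comments are numbered 4 and 5 yet precede "3. Write the GET request", and two steps are numbered 0; renumbering them in sequence would help readers. main() starts and ends outside this hunk.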
@@ -206,6 +275,7 @@ exit:
}
#endif
+ x509_free( &cacert );
net_close( server_fd );
ssl_free( &ssl );
From 90f309ffe784daa69568ac688b0bd6c118d4e2e0 Mon Sep 17 00:00:00 2001
From: Paul Bakker
Date: Sat, 17 Nov 2012 00:04:49 +0100
Subject: [PATCH 22/25] Added proper gitignores for linux compilation
---
library/.gitignore | 2 ++
programs/.gitignore | 37 +++++++++++++++++++++++++++++++++++++
tests/.gitignore | 2 ++
3 files changed, 41 insertions(+)
create mode 100644 library/.gitignore
create mode 100644 programs/.gitignore
create mode 100644 tests/.gitignore
diff --git a/library/.gitignore b/library/.gitignore
new file mode 100644
index 0000000000..9d80fa47a8
--- /dev/null
+++ b/library/.gitignore
@@ -0,0 +1,2 @@
+*.o
+libpolarssl*
diff --git a/programs/.gitignore b/programs/.gitignore
new file mode 100644
index 0000000000..8fbc2d56ba
--- /dev/null
+++ b/programs/.gitignore
@@ -0,0 +1,37 @@
+aes/aescrypt2
+aes/crypt_and_hash
+hash/generic_sum
+hash/hello
+hash/md5sum
+hash/sha1sum
+hash/sha2sum
+pkey/dh_client
+pkey/dh_genprime
+pkey/dh_server
+pkey/key_app
+pkey/key_app_writer
+pkey/mpi_demo
+pkey/rsa_decrypt
+pkey/rsa_encrypt
+pkey/rsa_genkey
+pkey/rsa_sign
+pkey/rsa_sign_pss
+pkey/rsa_verify
+pkey/rsa_verify_pss
+random/gen_entropy
+random/gen_random_ctr_drbg
+random/gen_random_havege
+ssl/ssl_client1
+ssl/ssl_client2
+ssl/ssl_fork_server
+ssl/ssl_mail_client
+ssl/ssl_server
+ssl/ssl_server2
+test/benchmark
+test/selftest
+test/ssl_cert_test
+test/ssl_test
+util/strerror
+x509/cert_app
+x509/cert_req
+x509/crl_app
diff --git a/tests/.gitignore b/tests/.gitignore
new file mode 100644
index 0000000000..084f664cc2
--- /dev/null
+++ b/tests/.gitignore
@@ -0,0 +1,2 @@
+test_suite*
+data_files/mpi_write
From 25338d74aca14571ad1bb7c549071544a86d466b Mon Sep 17 00:00:00 2001
From: Paul Bakker
Date: Sun, 18 Nov 2012 22:56:39 +0100
Subject: [PATCH 23/25] Added proper gitignores for Linux CMake use
---
.gitignore | 5 +++++
include/.gitignore | 1 +
programs/.gitignore | 2 ++
3 files changed, 8 insertions(+)
create mode 100644 .gitignore
create mode 100644 include/.gitignore
diff --git a/.gitignore b/.gitignore
new file mode 100644
index 0000000000..07374ec899
--- /dev/null
+++ b/.gitignore
@@ -0,0 +1,5 @@
+CMakeCache.txt
+CMakeFiles
+CTestTestfile.cmake
+cmake_install.cmake
+Testing
diff --git a/include/.gitignore b/include/.gitignore
new file mode 100644
index 0000000000..f3c7a7c5da
--- /dev/null
+++ b/include/.gitignore
@@ -0,0 +1 @@
+Makefile
diff --git a/programs/.gitignore b/programs/.gitignore
index 8fbc2d56ba..d6d9efcf6e 100644
--- a/programs/.gitignore
+++ b/programs/.gitignore
@@ -1,3 +1,4 @@
+*/Makefile
aes/aescrypt2
aes/crypt_and_hash
hash/generic_sum
@@ -28,6 +29,7 @@ ssl/ssl_mail_client
ssl/ssl_server
ssl/ssl_server2
test/benchmark
+test/o_p_test
test/selftest
test/ssl_cert_test
test/ssl_test
From e44ec108bea03837fa72714ca33e6dc557c1189b Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Manuel=20P=C3=A9gouri=C3=A9-Gonnard?=
Date: Sat, 17 Nov 2012 12:42:51 +0100
Subject: [PATCH 24/25] Fixed segfault in mpi_shift_r() Fixed memory leak in
test_suite_mpi Amended ChangeLog
---
ChangeLog | 2 ++
library/bignum.c | 3 +++
tests/suites/test_suite_mpi.data | 12 ++++++++++++
tests/suites/test_suite_mpi.function | 2 +-
4 files changed, 18 insertions(+), 1 deletion(-)
diff --git a/ChangeLog b/ChangeLog
index 6b2c969960..63eb30f5d7 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -10,6 +10,8 @@ Bugfixes
* Moved mpi_inv_mod() outside POLARSSL_GENPRIME
* Allow R and A to point to same mpi in mpi_div_mpi (found by Manuel
Pégourié-Gonnard)
+ * Fixed possible segfault in mpi_shift_r() (found by Manuel
+ Pégourié-Gonnard)
* Added max length check for rsa_pkcs1_sign with PKCS#1 v2.1
= Version 1.2.0 released 2012-10-31
diff --git a/library/bignum.c b/library/bignum.c
index 23feb6a915..f2608c1df7 100644
--- a/library/bignum.c
+++ b/library/bignum.c
@@ -611,6 +611,9 @@ int mpi_shift_r( mpi *X, size_t count )
v0 = count / biL;
v1 = count & (biL - 1);
+ if( v0 > X->n || ( v0 == X->n && v1 > 0 ) )
+ return mpi_lset( X, 0 );
+
/*
* shift by count / limb_size
*/
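Review bot: The `v1 > 0` sub-case in the new guard is redundant: a right shift by exactly X->n whole limbs also leaves zero, so `if( v0 >= X->n ) return( mpi_lset( X, 0 ) );` covers every case where the result is zero and avoids relying on the limb loop below (outside the hunk) to handle the v0 == X->n, v1 == 0 boundary. mpi_shift_r starts and ends outside this hunk.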
diff --git a/tests/suites/test_suite_mpi.data b/tests/suites/test_suite_mpi.data
index 67fa9c3b57..7197b63011 100644
--- a/tests/suites/test_suite_mpi.data
+++ b/tests/suites/test_suite_mpi.data
@@ -309,6 +309,18 @@ mpi_shift_r:10:"128":1:10:"64"
Test mpi_shift_r #2
mpi_shift_r:10:"120815570979701484704906977000760567182871429114712069861589084706550626575967516787438008593490722779337547394120718248995900363209947025063336882559539208430319216688889117222633155838468458047056355241515415159736436403445579777425189969":45:10:"3433785053053426415343295076376096153094051405637175942660777670498379921354157795219578264137985649407981651226029903483433269093721578004287291678324982297860947730012217028349628999378309630601971640587504883789518896817457"
+Test mpi_shift_r #4
+mpi_shift_r:16:"FFFFFFFFFFFFFFFF":63:16:"01"
+
+Test mpi_shift_r #4
+mpi_shift_r:16:"FFFFFFFFFFFFFFFF":64:16:"00"
+
+Test mpi_shift_r #6
+mpi_shift_r:16:"FFFFFFFFFFFFFFFF":65:16:"00"
+
+Test mpi_shift_r #7
+mpi_shift_r:16:"FFFFFFFFFFFFFFFF":128:16:"00"
+
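Review bot: Two of the new cases carry the same name, `Test mpi_shift_r #4` (the 63-bit and 64-bit shifts), and the numbering then jumps to #6 and #7 while the existing cases end at #2; naming the four new cases `#3` through `#6` keeps test reports unambiguous.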
Base test mpi_mul_mpi #1
mpi_mul_mpi:10:"5":10:"7":10:"35"
diff --git a/tests/suites/test_suite_mpi.function b/tests/suites/test_suite_mpi.function
index 6635392590..70d9b4f189 100644
--- a/tests/suites/test_suite_mpi.function
+++ b/tests/suites/test_suite_mpi.function
@@ -162,7 +162,7 @@ mpi_set_bit:radix_X:input_X:pos:val:radix_Y:output_Y
TEST_ASSERT( mpi_set_bit( &X, {pos}, {val} ) == 0 );
TEST_ASSERT( mpi_cmp_mpi( &X, &Y ) == 0 );
- mpi_free( &X );
+ mpi_free( &X ); mpi_free( &Y );
}
END_CASE
From 1f9d02dc90c6c69ff34ce7250a5c8b47de28b850 Mon Sep 17 00:00:00 2001
From: Paul Bakker
Date: Tue, 20 Nov 2012 10:30:55 +0100
Subject: [PATCH 25/25] Added more notes / comments on own_cert, trust_ca
purposes
---
include/polarssl/ssl.h | 18 ++++++++++++------
programs/ssl/ssl_client2.c | 9 ++++++---
programs/ssl/ssl_server2.c | 9 ++++++---
3 files changed, 24 insertions(+), 12 deletions(-)
diff --git a/include/polarssl/ssl.h b/include/polarssl/ssl.h
index 5a1e7fc08c..2020d3168f 100644
--- a/include/polarssl/ssl.h
+++ b/include/polarssl/ssl.h
@@ -720,20 +720,22 @@ void ssl_set_ciphersuites( ssl_context *ssl, const int *ciphersuites );
* \brief Set the data required to verify peer certificate
*
* \param ssl SSL context
- * \param ca_chain trusted CA chain
+ * \param ca_chain trusted CA chain (meaning all fully trusted top-level CAs)
* \param ca_crl trusted CA CRLs
* \param peer_cn expected peer CommonName (or NULL)
- *
- * \note TODO: add two more parameters: depth and crl
*/
void ssl_set_ca_chain( ssl_context *ssl, x509_cert *ca_chain,
x509_crl *ca_crl, const char *peer_cn );
/**
- * \brief Set own certificate and private key
+ * \brief Set own certificate chain and private key
+ *
+ * Note: own_cert should contain IN order from the bottom
+ * up your certificate chain. The top certificate (self-signed)
+ * can be omitted.
*
* \param ssl SSL context
- * \param own_cert own public certificate
+ * \param own_cert own public certificate chain
* \param rsa_key own private RSA key
*/
void ssl_set_own_cert( ssl_context *ssl, x509_cert *own_cert,
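Review bot: The new own_cert note reads awkwardly ("should contain IN order from the bottom up your certificate chain"); a clearer wording would be `Note: own_cert should contain your certificate chain in order from the bottom (your own certificate) up; the top, self-signed certificate can be omitted.` The same sentence is repeated in the next hunk for ssl_set_own_cert_alt and should be updated together with it.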
@@ -747,8 +749,12 @@ void ssl_set_own_cert( ssl_context *ssl, x509_cert *own_cert,
* of the callback parameters, with the only change being
* that the rsa_context * is a void * in the callbacks)
*
+ * Note: own_cert should contain IN order from the bottom
+ * up your certificate chain. The top certificate (self-signed)
+ * can be omitted.
+ *
* \param ssl SSL context
- * \param own_cert own public certificate
+ * \param own_cert own public certificate chain
* \param rsa_key alternate implementation private RSA key
* \param rsa_decrypt_func alternate implementation of \c rsa_pkcs1_decrypt()
* \param rsa_sign_func alternate implementation of \c rsa_pkcs1_sign()
diff --git a/programs/ssl/ssl_client2.c b/programs/ssl/ssl_client2.c
index 6e047dcc06..0d7a4180f7 100644
--- a/programs/ssl/ssl_client2.c
+++ b/programs/ssl/ssl_client2.c
@@ -127,9 +127,12 @@ int my_verify( void *data, x509_cert *crt, int depth, int *flags )
#if defined(POLARSSL_FS_IO)
#define USAGE_IO \
- " ca_file=%%s default: \"\" (pre-loaded)\n" \
- " ca_path=%%s default: \"\" (pre-loaded) (overrides ca_file)\n" \
- " crt_file=%%s default: \"\" (pre-loaded)\n" \
+ " ca_file=%%s The single file containing the top-level CA(s) you fully trust\n" \
+ " default: \"\" (pre-loaded)\n" \
+ " ca_path=%%s The path containing the top-level CA(s) you fully trust\n" \
+ " default: \"\" (pre-loaded) (overrides ca_file)\n" \
+ " crt_file=%%s Your own cert and chain (in bottom to top order, top may be omitted)\n" \
+ " default: \"\" (pre-loaded)\n" \
" key_file=%%s default: \"\" (pre-loaded)\n"
#else
#define USAGE_IO \
diff --git a/programs/ssl/ssl_server2.c b/programs/ssl/ssl_server2.c
index f6cf4870af..cc94e5ca7d 100644
--- a/programs/ssl/ssl_server2.c
+++ b/programs/ssl/ssl_server2.c
@@ -184,9 +184,12 @@ int my_ciphersuites[] =
#if defined(POLARSSL_FS_IO)
#define USAGE_IO \
- " ca_file=%%s default: \"\" (pre-loaded)\n" \
- " ca_path=%%s default: \"\" (pre-loaded) (overrides ca_file)\n" \
- " crt_file=%%s default: \"\" (pre-loaded)\n" \
+ " ca_file=%%s The single file containing the top-level CA(s) you fully trust\n" \
+ " default: \"\" (pre-loaded)\n" \
+ " ca_path=%%s The path containing the top-level CA(s) you fully trust\n" \
+ " default: \"\" (pre-loaded) (overrides ca_file)\n" \
+ " crt_file=%%s Your own cert and chain (in bottom to top order, top may be omitted)\n" \
+ " default: \"\" (pre-loaded)\n" \
" key_file=%%s default: \"\" (pre-loaded)\n"
#else
#define USAGE_IO \