diff --git a/include/polarssl/ssl.h b/include/polarssl/ssl.h
index 15cd28802..7aa4ba71f 100644
--- a/include/polarssl/ssl.h
+++ b/include/polarssl/ssl.h
@@ -124,7 +124,7 @@
 #define POLARSSL_ERR_SSL_NO_CIPHER_CHOSEN -0x7380 /**< The server has no ciphersuites in common with the client. */
 #define POLARSSL_ERR_SSL_NO_RNG -0x7400 /**< No RNG was provided to the SSL module. */
 #define POLARSSL_ERR_SSL_NO_CLIENT_CERTIFICATE -0x7480 /**< No client certification received from the client, but required by the authentication mode. */
-#define POLARSSL_ERR_SSL_CERTIFICATE_TOO_LARGE -0x7500 /**< Our own certificate(s) is/are too large to send in an SSL message.*/
+#define POLARSSL_ERR_SSL_CERTIFICATE_TOO_LARGE -0x7500 /**< Our own certificate(s) is/are too large to send in an SSL message. */
 #define POLARSSL_ERR_SSL_CERTIFICATE_REQUIRED -0x7580 /**< The own certificate is not set, but needed by the server. */
 #define POLARSSL_ERR_SSL_PRIVATE_KEY_REQUIRED -0x7600 /**< The own private key or pre-shared key is not set, but needed. */
 #define POLARSSL_ERR_SSL_CA_CHAIN_REQUIRED -0x7680 /**< No CA Chain is set, but required to operate. */
diff --git a/library/error.c b/library/error.c
index b3c21530a..068c84d45 100644
--- a/library/error.c
+++ b/library/error.c
@@ -386,7 +386,7 @@ void polarssl_strerror( int ret, char *buf, size_t buflen )
 if( use_ret == -(POLARSSL_ERR_SSL_NO_CLIENT_CERTIFICATE) )
 snprintf( buf, buflen, "SSL - No client certification received from the client, but required by the authentication mode" );
 if( use_ret == -(POLARSSL_ERR_SSL_CERTIFICATE_TOO_LARGE) )
- snprintf( buf, buflen, "SSL - DESCRIPTION MISSING" );
+ snprintf( buf, buflen, "SSL - Our own certificate(s) is/are too large to send in an SSL message" );
 if( use_ret == -(POLARSSL_ERR_SSL_CERTIFICATE_REQUIRED) )
 snprintf( buf, buflen, "SSL - The own certificate is not set, but needed by the server" );
 if( use_ret == -(POLARSSL_ERR_SSL_PRIVATE_KEY_REQUIRED) )
diff --git a/library/ssl_cli.c b/library/ssl_cli.c
index 774cce4ff..c002cc5a5 100644
--- a/library/ssl_cli.c
+++ b/library/ssl_cli.c
@@ -635,16 +635,18 @@ static int ssl_write_client_hello( ssl_context *ssl )
 */
 #if defined(POLARSSL_SSL_RENEGOTIATION)
 if( ssl->renegotiation == SSL_INITIAL_HANDSHAKE )
-#endif
- if( ssl->session_negotiate->ticket != NULL &&
- ssl->session_negotiate->ticket_len != 0 )
 {
- ret = ssl->f_rng( ssl->p_rng, ssl->session_negotiate->id, 32 );
+#endif
+ if( ssl->session_negotiate->ticket != NULL &&
+ ssl->session_negotiate->ticket_len != 0 )
+ {
+ ret = ssl->f_rng( ssl->p_rng, ssl->session_negotiate->id, 32 );

- if( ret != 0 )
- return( ret );
+ if( ret != 0 )
+ return( ret );

- ssl->session_negotiate->length = n = 32;
+ ssl->session_negotiate->length = n = 32;
+ }
 }
 #endif /* POLARSSL_SSL_SESSION_TICKETS */
@@ -691,18 +693,6 @@ static int ssl_write_client_hello( ssl_context *ssl )
 q = p;
 p += 2;
- /*
- * Add TLS_EMPTY_RENEGOTIATION_INFO_SCSV
- */
-#if defined(POLARSSL_SSL_RENEGOTIATION)
- if( ssl->renegotiation == SSL_INITIAL_HANDSHAKE )
-#endif
- {
- *p++ = (unsigned char)( SSL_EMPTY_RENEGOTIATION_INFO >> 8 );
- *p++ = (unsigned char)( SSL_EMPTY_RENEGOTIATION_INFO );
- n++;
- }
-
 for( i = 0; ciphersuites[i] != 0; i++ )
 {
 ciphersuite_info = ssl_ciphersuite_from_id( ciphersuites[i] );
@@ -732,6 +722,18 @@ static int ssl_write_client_hello( ssl_context *ssl )
 *p++ = (unsigned char)( ciphersuites[i] );
 }
+ /*
+ * Add TLS_EMPTY_RENEGOTIATION_INFO_SCSV
+ */
+#if defined(POLARSSL_SSL_RENEGOTIATION)
+ if( ssl->renegotiation == SSL_INITIAL_HANDSHAKE )
+#endif
+ {
+ *p++ = (unsigned char)( SSL_EMPTY_RENEGOTIATION_INFO >> 8 );
+ *p++ = (unsigned char)( SSL_EMPTY_RENEGOTIATION_INFO );
+ n++;
+ }
+
 /* Some versions of OpenSSL don't handle it correctly if not at end */
 #if defined(POLARSSL_SSL_FALLBACK_SCSV)
 if( ssl->fallback == SSL_IS_FALLBACK )
diff --git a/library/ssl_srv.c b/library/ssl_srv.c
index e6948ef7a..fc868096a 100644
--- a/library/ssl_srv.c
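Review bot: As the first ssl_cli.c hunk reads, the opening `{` of the new outer block is a context line that sits above the re-added `#endif`, so it is compiled only when POLARSSL_SSL_RENEGOTIATION is defined, while the two closing braces before `#endif /* POLARSSL_SSL_SESSION_TICKETS */` are unconditional. If that is the real line order, a build without renegotiation support has one `}` too many in ssl_write_client_hello; the `#endif` belongs directly after `if( ssl->renegotiation == SSL_INITIAL_HANDSHAKE )` and before `{`, which is the arrangement the read_record_header hunk in library/ssl_srv.c uses. The function starts and ends outside the hunk, so the brace balance should be confirmed by building with POLARSSL_SSL_RENEGOTIATION undefined.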
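Review bot: The relocated TLS_EMPTY_RENEGOTIATION_INFO_SCSV block in the third ssl_cli.c hunk does not say why it now follows the ciphersuite loop, although the fallback block right below it records that its own position matters to some peers. I would extend the block comment to something like `Add TLS_EMPTY_RENEGOTIATION_INFO_SCSV after the configured suites; the fallback SCSV below must stay last`. Nothing visible in the hunk checks that two more bytes fit at `p`; if that bound is enforced elsewhere in ssl_write_client_hello, which continues outside the hunk, a one-line reference to it here would help the next reader.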
+++ b/library/ssl_srv.c
@@ -1294,10 +1294,12 @@ read_record_header:
 #if defined(POLARSSL_SSL_RENEGOTIATION)
 if( ssl->renegotiation == SSL_INITIAL_HANDSHAKE )
 #endif
- if( ( ret = ssl_fetch_input( ssl, 5 ) ) != 0 )
 {
- SSL_DEBUG_RET( 1, "ssl_fetch_input", ret );
- return( ret );
+ if( ( ret = ssl_fetch_input( ssl, 5 ) ) != 0 )
+ {
+ SSL_DEBUG_RET( 1, "ssl_fetch_input", ret );
+ return( ret );
+ }
 }
 buf = ssl->in_hdr;
@@ -1351,8 +1353,11 @@ read_record_header:
 /* For DTLS if this is the initial handshake, remember the client sequence
 * number to use it in our next message (RFC 6347 4.2.1) */
 #if defined(POLARSSL_SSL_PROTO_DTLS)
- if( ssl->transport == SSL_TRANSPORT_DATAGRAM &&
- ssl->renegotiation == SSL_INITIAL_HANDSHAKE )
+ if( ssl->transport == SSL_TRANSPORT_DATAGRAM
+#if defined(POLARSSL_SSL_RENEGOTIATION)
+ && ssl->renegotiation == SSL_INITIAL_HANDSHAKE
+#endif
+ )
 {
 /* Epoch should be 0 for initial handshakes */
 if( ssl->in_ctr[0] != 0 || ssl->in_ctr[1] != 0 )
diff --git a/programs/ssl/ssl_client2.c b/programs/ssl/ssl_client2.c
index 3aca8e675..b399c4510 100644
--- a/programs/ssl/ssl_client2.c
+++ b/programs/ssl/ssl_client2.c
@@ -1487,8 +1487,7 @@ close_notify:
 printf( " . Closing the connection..." );
 /* No error checking, the connection might be closed already */
- do
- ret = ssl_close_notify( &ssl );
+ do ret = ssl_close_notify( &ssl );
 while( ret == POLARSSL_ERR_NET_WANT_WRITE );
 ret = 0;
diff --git a/programs/ssl/ssl_server2.c b/programs/ssl/ssl_server2.c
index 025ac8967..6ea01a8b6 100644
--- a/programs/ssl/ssl_server2.c
+++ b/programs/ssl/ssl_server2.c
@@ -687,7 +687,7 @@ void term_handler( int sig )
 int main( int argc, char *argv[] )
 {
- int ret = 0, len, written, frags, exchanges;
+ int ret = 0, len, written, frags, exchanges_left;
 int version_suites[4][2];
 unsigned char buf[IO_BUF_LEN];
 #if defined(POLARSSL_KEY_EXCHANGE__SOME__PSK_ENABLED)
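Review bot: Splicing `#if defined(POLARSSL_SSL_RENEGOTIATION)` into the middle of the `if(` condition in the second ssl_srv.c hunk makes the DTLS check hard to read, and nothing states what a build without renegotiation support is meant to do. With the guard compiled out, the epoch check and whatever follows in the block apply to every datagram ClientHello, which looks intended but deserves a comment such as `/* without renegotiation support every handshake is an initial one */` above the `#if`. The block's body continues past the end of the hunk.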
@@ -1902,7 +1902,7 @@ reset:
 if( opt.exchanges == 0 )
 goto close_notify;
- exchanges = opt.exchanges;
+ exchanges_left = opt.exchanges;
 data_exchange:
 /*
 * 6. Read the HTTP Request
@@ -2042,7 +2042,7 @@ data_exchange:
 * (only on the first exchange, to be able to test retransmission)
 */
 #if defined(POLARSSL_SSL_RENEGOTIATION)
- if( opt.renegotiate && exchanges == opt.exchanges )
+ if( opt.renegotiate && exchanges_left == opt.exchanges )
 {
 printf( " . Requestion renegotiation..." );
 fflush( stdout );
@@ -2115,7 +2115,7 @@ data_exchange:
 /*
 * 7b. Continue doing data exchanges?
 */
- if( --exchanges > 0 )
+ if( --exchanges_left > 0 )
 goto data_exchange;
 /*
@@ -2125,8 +2125,7 @@ close_notify:
 printf( " . Closing the connection..." );
 /* No error checking, the connection might be closed already */
- do
- ret = ssl_close_notify( &ssl );
+ do ret = ssl_close_notify( &ssl );
 while( ret == POLARSSL_ERR_NET_WANT_WRITE );
 ret = 0;
diff --git a/scripts/generate_errors.pl b/scripts/generate_errors.pl
index b9a8e9c0f..b25e99af8 100755
--- a/scripts/generate_errors.pl
+++ b/scripts/generate_errors.pl
@@ -56,13 +56,22 @@ my $hl_code_check = "";
 my $headers = "";
+my %error_codes_seen;
+
 while (my $line = ) {
 next if ($line =~ /compat-1.2.h/);
 my ($error_name, $error_code) = $line =~ /(POLARSSL_ERR_\w+)\s+\-(0x\w+)/;
 my ($description) = $line =~ /\/\*\*< (.*?)\.? \*\//;
+
+ die "Duplicated error code: $error_code ($error_name)\n"
+ if( $error_codes_seen{$error_code}++ );
+
 $description =~ s/\\/\\\\/g;
- $description = "DESCRIPTION MISSING" if ($description eq "");
+ if ($description eq "") {
+ $description = "DESCRIPTION MISSING";
+ warn "Missing description for $error_name\n";
+ }
 my ($module_name) = $error_name =~ /^POLARSSL_ERR_([^_]+)/;
diff --git a/tests/ssl-opt.sh b/tests/ssl-opt.sh
index 4e2837869..86a29d102 100755
--- a/tests/ssl-opt.sh
+++ b/tests/ssl-opt.sh
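Review bot: The new duplicate check in scripts/generate_errors.pl uses `$error_code` without confirming that the regex above it matched, so if any input line fails to parse the variable is undefined and the second such line dies with an empty, misleading `Duplicated error code:` message. A guard ahead of the check, for example `die "Cannot parse error definition: $line" unless defined $error_code;`, would report the real problem instead. The codes are also compared as strings, so two spellings of the same value that differ only in hex letter case would pass as distinct; keying the hash on `lc $error_code` closes that gap. The loop body continues outside the hunk.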
@@ -495,7 +495,7 @@ CLI_DELAY_FACTOR=1
 # Pick a "unique" server port in the range 10000-19999, and a proxy port
 PORT_BASE="0000$$"
-PORT_BASE="$( echo -n $PORT_BASE | tail -c 5 )"
+PORT_BASE="$( printf $PORT_BASE | tail -c 4 )"
 SRV_PORT="1$PORT_BASE"
 PXY_PORT="2$PORT_BASE"
 unset PORT_BASE
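Review bot: `printf $PORT_BASE` passes the value as the format string and leaves it unquoted; that is harmless here because the value is built only from zeros and `$$`, but `printf '%s' "$PORT_BASE"` is the form that stays correct if the value ever changes. The ports are derived from the last four digits of the PID, so they are "unique" only in the loose sense the comment's quotes admit: two concurrent runs whose PIDs share those digits would pick the same SRV_PORT and PXY_PORT. A short comment saying so next to the assignment would save a debugging session when parallel test runs collide.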