Merge miscellaneous fixes into development

include/polarssl/config.h

@@ -781,6 +781,18 @@
  */
 #define POLARSSL_SELF_TEST
 
+/**
+ * \def POLARSSL_SSL_AEAD_RANDOM_IV
+ *
+ * Generate a random IV rather than using the record sequence number as a
+ * nonce for ciphersuites using and AEAD algorithm (GCM or CCM).
+ *
+ * Using the sequence number is generally recommended.
+ *
+ * Uncomment this macro to always use random IVs with AEAD ciphersuites.
+ */
+//#define POLARSSL_SSL_AEAD_RANDOM_IV
+
 /**
  * \def POLARSSL_SSL_ALL_ALERT_MESSAGES
  *
@@ -954,8 +966,7 @@
 /**
  * \def POLARSSL_SSL_ALPN
  *
- * Enable support for Application Layer Protocol Negotiation.
- * draft-ietf-tls-applayerprotoneg-05
+ * Enable support for RFC 7301 Application Layer Protocol Negotiation.
  *
  * Comment this macro to disable support for ALPN.
  */
@@ -2226,6 +2237,9 @@
 /* Debug options */
 //#define POLARSSL_DEBUG_DFL_MODE POLARSSL_DEBUG_LOG_FULL /**< Default log: Full or Raw */
 
+/* X509 options */
+//#define POLARSSL_X509_MAX_INTERMEDIATE_CA   8   /**< Maximum number of intermediate CAs in a verification chain. */
+
 /* \} name SECTION: Module configuration options */
 
 #include "check_config.h"

include/polarssl/ecp.h

@@ -413,6 +413,8 @@ int ecp_point_read_binary( const ecp_group *grp, ecp_point *P,
  * \param buf       $(Start of input buffer)
  * \param len       Buffer length
  *
+ * \note            buf is updated to point right after the ECPoint on exit
+ *
  * \return          O if successful,
  *                  POLARSSL_ERR_MPI_XXX if initialization failed
  *                  POLARSSL_ERR_ECP_BAD_INPUT_DATA if input is invalid
@@ -479,6 +481,8 @@ int ecp_use_known_dp( ecp_group *grp, ecp_group_id index );
  * \param buf       &(Start of input buffer)
  * \param len       Buffer length
  *
+ * \note            buf is updated to point right after ECParameters on exit
+ *
  * \return          O if successful,
  *                  POLARSSL_ERR_MPI_XXX if initialization failed
  *                  POLARSSL_ERR_ECP_BAD_INPUT_DATA if input is invalid
@@ -635,6 +639,18 @@ int ecp_gen_keypair( ecp_group *grp, mpi *d, ecp_point *Q,
 int ecp_gen_key( ecp_group_id grp_id, ecp_keypair *key,
                 int (*f_rng)(void *, unsigned char *, size_t), void *p_rng );
 
+/**
+ * \brief           Check a public-private key pair
+ *
+ * \param pub       Keypair structure holding a public key
+ * \param prv       Keypair structure holding a private (plus public) key
+ *
+ * \return          0 if successfull (keys are valid and match), or
+ *                  POLARSSL_ERR_ECP_BAD_INPUT_DATA, or
+ *                  a POLARSSL_ERR_ECP_XXX or POLARSSL_ERR_MPI_XXX code.
+ */
+int ecp_check_pub_priv( const ecp_keypair *pub, const ecp_keypair *prv );
+
 #if defined(POLARSSL_SELF_TEST)
 /**
  * \brief          Checkup routine

include/polarssl/pk.h

@@ -177,6 +177,9 @@ typedef struct
                          int (*f_rng)(void *, unsigned char *, size_t),
                          void *p_rng );
 
+    /** Check public-private key pair */
+    int (*check_pair_func)( const void *pub, const void *prv );
+
     /** Allocate a new context */
     void * (*ctx_alloc_func)( void );
 
@@ -426,6 +429,16 @@ int pk_encrypt( pk_context *ctx,
                 unsigned char *output, size_t *olen, size_t osize,
                 int (*f_rng)(void *, unsigned char *, size_t), void *p_rng );
 
+/**
+ * \brief           Check if a public-private pair of keys matches.
+ *
+ * \param pub       Context holding a public key.
+ * \param prv       Context holding a private (and public) key.
+ *
+ * \return          0 on success or POLARSSL_ERR_PK_BAD_INPUT_DATA
+ */
+int pk_check_pair( const pk_context *pub, const pk_context *prv );
+
 /**
  * \brief           Export debug information
  *
@@ -625,6 +638,14 @@ int pk_write_pubkey( unsigned char **p, unsigned char *start,
                      const pk_context *key );
 #endif /* POLARSSL_PK_WRITE_C */
 
+/*
+ * Internal module functions. You probably do not want to use these unless you
+ * know you do.
+ */
+#if defined(POLARSSL_FS_IO)
+int pk_load_file( const char *path, unsigned char **buf, size_t *n );
+#endif
+
 #ifdef __cplusplus
 }
 #endif

include/polarssl/rsa.h

@@ -99,10 +99,8 @@ typedef struct
     mpi RP;                     /*!<  cached R^2 mod P  */
     mpi RQ;                     /*!<  cached R^2 mod Q  */
 
-#if !defined(POLARSSL_RSA_NO_CRT)
     mpi Vi;                     /*!<  cached blinding value     */
     mpi Vf;                     /*!<  cached un-blinding value  */
-#endif
 
     int padding;                /*!<  RSA_PKCS_V15 for 1.5 padding and
                                       RSA_PKCS_v21 for OAEP/PSS         */
@@ -191,6 +189,17 @@ int rsa_check_pubkey( const rsa_context *ctx );
  */
 int rsa_check_privkey( const rsa_context *ctx );
 
+/**
+ * \brief          Check a public-private RSA key pair.
+ *                 Check each of the contexts, and make sure they match.
+ *
+ * \param pub      RSA context holding the public key
+ * \param prv      RSA context holding the private key
+ *
+ * \return         0 if successful, or an POLARSSL_ERR_RSA_XXX error code
+ */
+int rsa_check_pub_priv( const rsa_context *pub, const rsa_context *prv );
+
 /**
  * \brief          Do an RSA public key operation
  *

include/polarssl/ssl.h

@@ -458,7 +458,7 @@ union _ssl_premaster_secret
 #if defined(POLARSSL_KEY_EXCHANGE_RSA_PSK_ENABLED)
     unsigned char _pms_rsa_psk[52 + POLARSSL_PSK_MAX_LEN];      /* RFC 4279 4 */
 #endif
-#if defined(POLARSSL_KEY_EXCHANGE_DHE_PSK_ENABLED)
+#if defined(POLARSSL_KEY_EXCHANGE_ECDHE_PSK_ENABLED)
     unsigned char _pms_ecdhe_psk[4 + POLARSSL_ECP_MAX_BYTES
                                    + POLARSSL_PSK_MAX_LEN];     /* RFC 5489 2 */
 #endif
@@ -1055,9 +1055,11 @@ void ssl_set_bio( ssl_context *ssl,
         int (*f_recv)(void *, unsigned char *, size_t), void *p_recv,
         int (*f_send)(void *, const unsigned char *, size_t), void *p_send );
 
+#if defined(POLARSSL_SSL_SRV_C)
 /**
  * \brief          Set the session cache callbacks (server-side only)
- *                 If not set, no session resuming is done.
+ *                 If not set, no session resuming is done (except if session
+ *                 tickets are enabled too).
  *
  *                 The session cache has the responsibility to check for stale
  *                 entries based on timeout. See RFC 5246 for recommendations.
@@ -1095,7 +1097,9 @@ void ssl_set_bio( ssl_context *ssl,
 void ssl_set_session_cache( ssl_context *ssl,
         int (*f_get_cache)(void *, ssl_session *), void *p_get_cache,
         int (*f_set_cache)(void *, const ssl_session *), void *p_set_cache );
+#endif /* POLARSSL_SSL_SRV_C */
 
+#if defined(POLARSSL_SSL_CLI_C)
 /**
  * \brief          Request resumption of session (client-side only)
  *                 Session data is copied from presented session structure.
@@ -1111,6 +1115,7 @@ void ssl_set_session_cache( ssl_context *ssl,
  * \sa             ssl_get_session()
  */
 int ssl_set_session( ssl_context *ssl, const ssl_session *session );
+#endif /* POLARSSL_SSL_CLI_C */
 
 /**
  * \brief               Set the list of allowed ciphersuites and the preference
@@ -1661,6 +1666,7 @@ const char *ssl_get_version( const ssl_context *ssl );
 const x509_crt *ssl_get_peer_cert( const ssl_context *ssl );
 #endif /* POLARSSL_X509_CRT_PARSE_C */
 
+#if defined(POLARSSL_SSL_CLI_C)
 /**
  * \brief          Save session in order to resume it later (client-side only)
  *                 Session data is copied to presented session structure.
@@ -1678,6 +1684,7 @@ const x509_crt *ssl_get_peer_cert( const ssl_context *ssl );
  * \sa             ssl_set_session()
  */
 int ssl_get_session( const ssl_context *ssl, ssl_session *session );
+#endif /* POLARSSL_SSL_CLI_C */
 
 /**
  * \brief          Perform the SSL handshake

include/polarssl/ssl_ciphersuites.h

@@ -233,7 +233,9 @@ extern "C" {
 #define TLS_ECDHE_ECDSA_WITH_AES_128_CCM_8      0xC0AE  /**< TLS 1.2 */
 #define TLS_ECDHE_ECDSA_WITH_AES_256_CCM_8      0xC0AF  /**< TLS 1.2 */
 
-/* Reminder: update _ssl_premaster_secret when adding a new key exchange */
+/* Reminder: update _ssl_premaster_secret when adding a new key exchange.
+ * Reminder: update POLARSSL_KEY_EXCHANGE__WITH_CERT__ENABLED below.
+ */
 typedef enum {
     POLARSSL_KEY_EXCHANGE_NONE = 0,
     POLARSSL_KEY_EXCHANGE_RSA,
@@ -248,6 +250,17 @@ typedef enum {
     POLARSSL_KEY_EXCHANGE_ECDH_ECDSA,
 } key_exchange_type_t;
 
+#if defined(POLARSSL_KEY_EXCHANGE_RSA_ENABLED)          || \
+    defined(POLARSSL_KEY_EXCHANGE_DHE_RSA_ENABLED)      || \
+    defined(POLARSSL_KEY_EXCHANGE_ECDHE_RSA_ENABLED)    || \
+    defined(POLARSSL_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED)  || \
+    defined(POLARSSL_KEY_EXCHANGE_RSA_PSK_ENABLED)      || \
+    defined(POLARSSL_KEY_EXCHANGE_ECDHE_PSK_ENABLED)    || \
+    defined(POLARSSL_KEY_EXCHANGE_ECDH_RSA_ENABLED)     || \
+    defined(POLARSSL_KEY_EXCHANGE_ECDH_ECDSA_ENABLED)
+#define POLARSSL_KEY_EXCHANGE__WITH_CERT__ENABLED
+#endif
+
 typedef struct _ssl_ciphersuite_t ssl_ciphersuite_t;
 
 #define POLARSSL_CIPHERSUITE_WEAK       0x01    /**< Weak ciphersuite flag  */

include/polarssl/x509.h

@@ -45,6 +45,18 @@
  * \{
  */
 
+#if !defined(POLARSSL_X509_MAX_INTERMEDIATE_CA)
+/**
+ * Maximum number of intermediate CAs in a verification chain.
+ * That is, maximum length of the chain, excluding the end-entity certificate
+ * and the trusted root certificate.
+ *
+ * Set this to a low value to prevent an adversary from making you waste
+ * resources verifying an overlong certificate chain.
+ */
+#define POLARSSL_X509_MAX_INTERMEDIATE_CA   8
+#endif
+
 /**
  * \name X509 Error codes
  * \{
@@ -295,7 +307,6 @@ int x509_get_serial( unsigned char **p, const unsigned char *end,
                      x509_buf *serial );
 int x509_get_ext( unsigned char **p, const unsigned char *end,
                   x509_buf *ext, int tag );
-int x509_load_file( const char *path, unsigned char **buf, size_t *n );
 int x509_sig_alg_gets( char *buf, size_t size, const x509_buf *sig_oid,
                        pk_type_t pk_alg, md_type_t md_alg,
                        const void *sig_opts );

include/polarssl/x509_crl.h

@@ -100,11 +100,23 @@ typedef struct _x509_crl
 x509_crl;
 
 /**
- * \brief          Parse one or more CRLs and add them
- *                 to the chained list
+ * \brief          Parse a DER-encoded CRL and append it to the chained list
  *
  * \param chain    points to the start of the chain
- * \param buf      buffer holding the CRL data
+ * \param buf      buffer holding the CRL data in DER format
+ * \param buflen   size of the buffer
+ *
+ * \return         0 if successful, or a specific X509 or PEM error code
+ */
+int x509_crl_parse_der( x509_crl *chain,
+                        const unsigned char *buf, size_t buflen );
+/**
+ * \brief          Parse one or more CRLs and append them to the chained list
+ *
+ * \note           Mutliple CRLs are accepted only if using PEM format
+ *
+ * \param chain    points to the start of the chain
+ * \param buf      buffer holding the CRL data in PEM or DER format
  * \param buflen   size of the buffer
  *
  * \return         0 if successful, or a specific X509 or PEM error code
@@ -113,11 +125,12 @@ int x509_crl_parse( x509_crl *chain, const unsigned char *buf, size_t buflen );
 
 #if defined(POLARSSL_FS_IO)
 /**
- * \brief          Load one or more CRLs and add them
- *                 to the chained list
+ * \brief          Load one or more CRLs and append them to the chained list
+ *
+ * \note           Mutliple CRLs are accepted only if using PEM format
  *
  * \param chain    points to the start of the chain
- * \param path     filename to read the CRLs from
+ * \param path     filename to read the CRLs from (in PEM or DER encoding)
  *
  * \return         0 if successful, or a specific X509 or PEM error code
  */