diff --git a/ChangeLog b/ChangeLog index 82871cd0b..426613e9d 100644 --- a/ChangeLog +++ b/ChangeLog @@ -38,7 +38,9 @@ Changes * Moved all examples programs to use the new entropy and CTR_DRBG * Added permissive certificate parsing to x509parse_crt() and x509parse_crtfile(). With permissive parsing the parsing does not stop on - encountering a parse-error + encountering a parse-error. Beware that the meaning of return values has + changed! + * All error codes are now negative. Even on mermory failures and IO errors. Bugfix * Fixed faulty HMAC-MD2 implementation. Found by dibac. (Closes diff --git a/include/polarssl/asn1.h b/include/polarssl/asn1.h index fc86fc812..82145c334 100644 --- a/include/polarssl/asn1.h +++ b/include/polarssl/asn1.h @@ -52,6 +52,7 @@ #define POLARSSL_ERR_ASN1_INVALID_LENGTH -0x0018 /**< Error when trying to determine the length or invalid length. */ #define POLARSSL_ERR_ASN1_LENGTH_MISMATCH -0x001A /**< Actual length differs from expected length. */ #define POLARSSL_ERR_ASN1_INVALID_DATA -0x001C /**< Data is invalid. (not used) */ +#define POLARSSL_ERR_ASN1_MALLOC_FAILED -0x001E /**< Memory allocation failed */ /* \} name */ /** diff --git a/include/polarssl/base64.h b/include/polarssl/base64.h index 90711550b..883215dd4 100644 --- a/include/polarssl/base64.h +++ b/include/polarssl/base64.h @@ -29,8 +29,8 @@ #include -#define POLARSSL_ERR_BASE64_BUFFER_TOO_SMALL -0x0010 /**< Output buffer too small. */ -#define POLARSSL_ERR_BASE64_INVALID_CHARACTER -0x0012 /**< Invalid character in input. */ +#define POLARSSL_ERR_BASE64_BUFFER_TOO_SMALL -0x002A /**< Output buffer too small. */ +#define POLARSSL_ERR_BASE64_INVALID_CHARACTER -0x002C /**< Invalid character in input. */ #ifdef __cplusplus extern "C" { diff --git a/include/polarssl/bignum.h b/include/polarssl/bignum.h index b4496b847..f830c087f 100644 --- a/include/polarssl/bignum.h +++ b/include/polarssl/bignum.h @@ -33,10 +33,11 @@ #define POLARSSL_ERR_MPI_FILE_IO_ERROR -0x0002 /**< An error occurred while reading from or writing to a file. */ #define POLARSSL_ERR_MPI_BAD_INPUT_DATA -0x0004 /**< Bad input parameters to function. */ #define POLARSSL_ERR_MPI_INVALID_CHARACTER -0x0006 /**< There is an invalid character in the digit string. */ -#define POLARSSL_ERR_MPI_BUFFER_TOO_SMALL -0x0008 /**< The buffer is too small to write too. */ +#define POLARSSL_ERR_MPI_BUFFER_TOO_SMALL -0x0008 /**< The buffer is too small to write to. */ #define POLARSSL_ERR_MPI_NEGATIVE_VALUE -0x000A /**< The input arguments are negative or result in illegal output. */ #define POLARSSL_ERR_MPI_DIVISION_BY_ZERO -0x000C /**< The input argument for division is zero, which is not allowed. */ #define POLARSSL_ERR_MPI_NOT_ACCEPTABLE -0x000E /**< The input arguments are not acceptable. */ +#define POLARSSL_ERR_MPI_MALLOC_FAILED -0x0010 /**< Memory allocation failed. */ #define MPI_CHK(f) if( ( ret = f ) != 0 ) goto cleanup @@ -145,7 +146,7 @@ void mpi_free( mpi *X ); * \param nblimbs The target number of limbs * * \return 0 if successful, - * 1 if memory allocation failed + * POLARSSL_ERR_MPI_MALLOC_FAILED if memory allocation failed */ int mpi_grow( mpi *X, size_t nblimbs ); @@ -156,7 +157,7 @@ int mpi_grow( mpi *X, size_t nblimbs ); * \param Y Source MPI * * \return 0 if successful, - * 1 if memory allocation failed + * POLARSSL_ERR_MPI_MALLOC_FAILED if memory allocation failed */ int mpi_copy( mpi *X, const mpi *Y ); @@ -175,7 +176,7 @@ void mpi_swap( mpi *X, mpi *Y ); * \param z Value to use * * \return 0 if successful, - * 1 if memory allocation failed + * POLARSSL_ERR_MPI_MALLOC_FAILED if memory allocation failed */ int mpi_lset( mpi *X, t_sint z ); @@ -200,7 +201,7 @@ int mpi_get_bit( mpi *X, size_t pos ); * \param val The value to set the bit to (0 or 1) * * \return 0 if successful, - * 1 if memory allocation failed, + * POLARSSL_ERR_MPI_MALLOC_FAILED if memory allocation failed, * POLARSSL_ERR_MPI_BAD_INPUT_DATA if val is not 0 or 1 */ int mpi_set_bit( mpi *X, size_t pos, unsigned char val ); @@ -289,7 +290,7 @@ int mpi_write_file( const char *p, const mpi *X, int radix, FILE *fout ); * \param buflen Input buffer size * * \return 0 if successful, - * 1 if memory allocation failed + * POLARSSL_ERR_MPI_MALLOC_FAILED if memory allocation failed */ int mpi_read_binary( mpi *X, const unsigned char *buf, size_t buflen ); @@ -312,7 +313,7 @@ int mpi_write_binary( const mpi *X, unsigned char *buf, size_t buflen ); * \param count Amount to shift * * \return 0 if successful, - * 1 if memory allocation failed + * POLARSSL_ERR_MPI_MALLOC_FAILED if memory allocation failed */ int mpi_shift_l( mpi *X, size_t count ); @@ -323,7 +324,7 @@ int mpi_shift_l( mpi *X, size_t count ); * \param count Amount to shift * * \return 0 if successful, - * 1 if memory allocation failed + * POLARSSL_ERR_MPI_MALLOC_FAILED if memory allocation failed */ int mpi_shift_r( mpi *X, size_t count ); @@ -371,7 +372,7 @@ int mpi_cmp_int( const mpi *X, t_sint z ); * \param B Right-hand MPI * * \return 0 if successful, - * 1 if memory allocation failed + * POLARSSL_ERR_MPI_MALLOC_FAILED if memory allocation failed */ int mpi_add_abs( mpi *X, const mpi *A, const mpi *B ); @@ -395,7 +396,7 @@ int mpi_sub_abs( mpi *X, const mpi *A, const mpi *B ); * \param B Right-hand MPI * * \return 0 if successful, - * 1 if memory allocation failed + * POLARSSL_ERR_MPI_MALLOC_FAILED if memory allocation failed */ int mpi_add_mpi( mpi *X, const mpi *A, const mpi *B ); @@ -407,7 +408,7 @@ int mpi_add_mpi( mpi *X, const mpi *A, const mpi *B ); * \param B Right-hand MPI * * \return 0 if successful, - * 1 if memory allocation failed + * POLARSSL_ERR_MPI_MALLOC_FAILED if memory allocation failed */ int mpi_sub_mpi( mpi *X, const mpi *A, const mpi *B ); @@ -419,7 +420,7 @@ int mpi_sub_mpi( mpi *X, const mpi *A, const mpi *B ); * \param b The integer value to add * * \return 0 if successful, - * 1 if memory allocation failed + * POLARSSL_ERR_MPI_MALLOC_FAILED if memory allocation failed */ int mpi_add_int( mpi *X, const mpi *A, t_sint b ); @@ -431,7 +432,7 @@ int mpi_add_int( mpi *X, const mpi *A, t_sint b ); * \param b The integer value to subtract * * \return 0 if successful, - * 1 if memory allocation failed + * POLARSSL_ERR_MPI_MALLOC_FAILED if memory allocation failed */ int mpi_sub_int( mpi *X, const mpi *A, t_sint b ); @@ -443,7 +444,7 @@ int mpi_sub_int( mpi *X, const mpi *A, t_sint b ); * \param B Right-hand MPI * * \return 0 if successful, - * 1 if memory allocation failed + * POLARSSL_ERR_MPI_MALLOC_FAILED if memory allocation failed */ int mpi_mul_mpi( mpi *X, const mpi *A, const mpi *B ); @@ -457,7 +458,7 @@ int mpi_mul_mpi( mpi *X, const mpi *A, const mpi *B ); * \param b The integer value to multiply with * * \return 0 if successful, - * 1 if memory allocation failed + * POLARSSL_ERR_MPI_MALLOC_FAILED if memory allocation failed */ int mpi_mul_int( mpi *X, const mpi *A, t_sint b ); @@ -470,7 +471,7 @@ int mpi_mul_int( mpi *X, const mpi *A, t_sint b ); * \param B Right-hand MPI * * \return 0 if successful, - * 1 if memory allocation failed, + * POLARSSL_ERR_MPI_MALLOC_FAILED if memory allocation failed, * POLARSSL_ERR_MPI_DIVISION_BY_ZERO if B == 0 * * \note Either Q or R can be NULL. @@ -486,7 +487,7 @@ int mpi_div_mpi( mpi *Q, mpi *R, const mpi *A, const mpi *B ); * \param b Integer to divide by * * \return 0 if successful, - * 1 if memory allocation failed, + * POLARSSL_ERR_MPI_MALLOC_FAILED if memory allocation failed, * POLARSSL_ERR_MPI_DIVISION_BY_ZERO if b == 0 * * \note Either Q or R can be NULL. @@ -501,7 +502,7 @@ int mpi_div_int( mpi *Q, mpi *R, const mpi *A, t_sint b ); * \param B Right-hand MPI * * \return 0 if successful, - * 1 if memory allocation failed, + * POLARSSL_ERR_MPI_MALLOC_FAILED if memory allocation failed, * POLARSSL_ERR_MPI_DIVISION_BY_ZERO if B == 0, * POLARSSL_ERR_MPI_NEGATIVE_VALUE if B < 0 */ @@ -515,7 +516,7 @@ int mpi_mod_mpi( mpi *R, const mpi *A, const mpi *B ); * \param b Integer to divide by * * \return 0 if successful, - * 1 if memory allocation failed, + * POLARSSL_ERR_MPI_MALLOC_FAILED if memory allocation failed, * POLARSSL_ERR_MPI_DIVISION_BY_ZERO if b == 0, * POLARSSL_ERR_MPI_NEGATIVE_VALUE if b < 0 */ @@ -531,7 +532,7 @@ int mpi_mod_int( t_uint *r, const mpi *A, t_sint b ); * \param _RR Speed-up MPI used for recalculations * * \return 0 if successful, - * 1 if memory allocation failed, + * POLARSSL_ERR_MPI_MALLOC_FAILED if memory allocation failed, * POLARSSL_ERR_MPI_BAD_INPUT_DATA if N is negative or even * * \note _RR is used to avoid re-computing R*R mod N across @@ -549,7 +550,7 @@ int mpi_exp_mod( mpi *X, const mpi *A, const mpi *E, const mpi *N, mpi *_RR ); * \param p_rng RNG parameter * * \return 0 if successful, - * 1 if memory allocation failed + * POLARSSL_ERR_MPI_MALLOC_FAILED if memory allocation failed */ int mpi_fill_random( mpi *X, size_t size, int (*f_rng)(void *, unsigned char *, size_t), @@ -563,7 +564,7 @@ int mpi_fill_random( mpi *X, size_t size, * \param B Right-hand MPI * * \return 0 if successful, - * 1 if memory allocation failed + * POLARSSL_ERR_MPI_MALLOC_FAILED if memory allocation failed */ int mpi_gcd( mpi *G, const mpi *A, const mpi *B ); @@ -575,7 +576,7 @@ int mpi_gcd( mpi *G, const mpi *A, const mpi *B ); * \param N Right-hand MPI * * \return 0 if successful, - * 1 if memory allocation failed, + * POLARSSL_ERR_MPI_MALLOC_FAILED if memory allocation failed, * POLARSSL_ERR_MPI_BAD_INPUT_DATA if N is negative or nil POLARSSL_ERR_MPI_NOT_ACCEPTABLE if A has no inverse mod N */ @@ -589,7 +590,7 @@ int mpi_inv_mod( mpi *X, const mpi *A, const mpi *N ); * \param p_rng RNG parameter * * \return 0 if successful (probably prime), - * 1 if memory allocation failed, + * POLARSSL_ERR_MPI_MALLOC_FAILED if memory allocation failed, * POLARSSL_ERR_MPI_NOT_ACCEPTABLE if X is not prime */ int mpi_is_prime( mpi *X, @@ -606,7 +607,7 @@ int mpi_is_prime( mpi *X, * \param p_rng RNG parameter * * \return 0 if successful (probably prime), - * 1 if memory allocation failed, + * POLARSSL_ERR_MPI_MALLOC_FAILED if memory allocation failed, * POLARSSL_ERR_MPI_BAD_INPUT_DATA if nbits is < 3 */ int mpi_gen_prime( mpi *X, size_t nbits, int dh_flag, diff --git a/include/polarssl/ctr_drbg.h b/include/polarssl/ctr_drbg.h index 5b20d4965..83861a91c 100644 --- a/include/polarssl/ctr_drbg.h +++ b/include/polarssl/ctr_drbg.h @@ -34,6 +34,7 @@ #define POLARSSL_ERR_CTR_DRBG_ENTROPY_SOURCE_FAILED -0x0034 /**< The entropy source failed. */ #define POLARSSL_ERR_CTR_DRBG_REQUEST_TOO_BIG -0x0036 /**< Too many random requested in single call. */ #define POLARSSL_ERR_CTR_DRBG_INPUT_TOO_BIG -0x0038 /**< Input too large (Entropy + additional). */ +#define POLARSSL_ERR_CTR_DRBG_FILE_IO_ERROR -0x003A /**< Read/write error in file. */ #define CTR_DRBG_BLOCKSIZE 16 /**< Block size used by the cipher */ #define CTR_DRBG_KEYSIZE 32 /**< Key size used by the cipher */ diff --git a/include/polarssl/entropy.h b/include/polarssl/entropy.h index 0c1f13fa9..aeec8b25d 100644 --- a/include/polarssl/entropy.h +++ b/include/polarssl/entropy.h @@ -31,8 +31,8 @@ #include "sha4.h" -#define POLARSSL_ERR_ENTROPY_SOURCE_FAILED -0x003A /**< Critical entropy source failure. */ -#define POLARSSL_ERR_ENTROPY_MAX_SOURCES -0x003C /**< No more sources can be added. */ +#define POLARSSL_ERR_ENTROPY_SOURCE_FAILED -0x003C /**< Critical entropy source failure. */ +#define POLARSSL_ERR_ENTROPY_MAX_SOURCES -0x003E /**< No more sources can be added. */ #define ENTROPY_MAX_SOURCES 20 /**< Maximum number of sources supported */ #define ENTROPY_MAX_GATHER 128 /**< Maximum amount requested from entropy sources */ diff --git a/include/polarssl/error.h b/include/polarssl/error.h index 69e7b0488..f167a7b83 100644 --- a/include/polarssl/error.h +++ b/include/polarssl/error.h @@ -48,27 +48,33 @@ * Low-level module errors (0x007E-0x0002) * * Module Nr Codes assigned - * MPI 7 0x0002-0x000E - * BASE64 2 0x0010-0x0012 - * ASN1 5 0x0014-0x001C + * MPI 7 0x0002-0x0010 + * ASN1 6 0x0014-0x001E * AES 2 0x0020-0x0022 * CAMELLIA 2 0x0024-0x0026 * XTEA 1 0x0028-0x0028 + * BASE64 2 0x002A-0x002C * PADLOCK 1 0x0030-0x0030 * DES 1 0x0032-0x0032 * NET 11 0x0040-0x0054 - * CTR_DBRG 3 0x0034-0x0038 - * ENTROPY 2 0x003A-0x003C + * CTR_DBRG 3 0x0034-0x003A + * ENTROPY 2 0x003C-0x003E + * MD2 1 0x0070-0x0070 + * MD4 1 0x0072-0x0072 + * MD5 1 0x0074-0x0074 + * SHA1 1 0x0076-0x0076 + * SHA2 1 0x0078-0x0078 + * SHA4 1 0x007A-0x007A * * High-level module nr (3 bits - 0x1...-0x8...) * Name ID Nr of Errors * PEM 1 8 - * X509 2 20 + * X509 2 21 * DHM 3 6 * RSA 4 9 * MD 5 1 * CIPER 6 1 - * SSL 7 27 + * SSL 7 30 * * Module dependent error code (5 bits 0x.08.-0x.F8.) */ diff --git a/include/polarssl/md2.h b/include/polarssl/md2.h index 2726ca3ef..1f60470fd 100644 --- a/include/polarssl/md2.h +++ b/include/polarssl/md2.h @@ -29,6 +29,8 @@ #include +#define POLARSSL_ERR_MD2_FILE_IO_ERROR -0x0070 /**< Read/write error in file. */ + /** * \brief MD2 context structure */ @@ -87,8 +89,7 @@ void md2( const unsigned char *input, size_t ilen, unsigned char output[16] ); * \param path input file name * \param output MD2 checksum result * - * \return 0 if successful, 1 if fopen failed, - * or 2 if fread failed + * \return 0 if successful, or POLARSSL_ERR_MD2_FILE_IO_ERROR */ int md2_file( const char *path, unsigned char output[16] ); diff --git a/include/polarssl/md4.h b/include/polarssl/md4.h index 5a796ae32..2bd35ea16 100644 --- a/include/polarssl/md4.h +++ b/include/polarssl/md4.h @@ -29,6 +29,8 @@ #include +#define POLARSSL_ERR_MD4_FILE_IO_ERROR -0x0072 /**< Read/write error in file. */ + /** * \brief MD4 context structure */ @@ -86,8 +88,7 @@ void md4( const unsigned char *input, size_t ilen, unsigned char output[16] ); * \param path input file name * \param output MD4 checksum result * - * \return 0 if successful, 1 if fopen failed, - * or 2 if fread failed + * \return 0 if successful, or POLARSSL_ERR_MD4_FILE_IO_ERROR */ int md4_file( const char *path, unsigned char output[16] ); diff --git a/include/polarssl/md5.h b/include/polarssl/md5.h index cf0459d06..936e9c958 100644 --- a/include/polarssl/md5.h +++ b/include/polarssl/md5.h @@ -29,6 +29,8 @@ #include +#define POLARSSL_ERR_MD5_FILE_IO_ERROR -0x0074 /**< Read/write error in file. */ + /** * \brief MD5 context structure */ @@ -86,8 +88,7 @@ void md5( const unsigned char *input, size_t ilen, unsigned char output[16] ); * \param path input file name * \param output MD5 checksum result * - * \return 0 if successful, 1 if fopen failed, - * or 2 if fread failed + * \return 0 if successful, or POLARSSL_ERR_MD5_FILE_IO_ERROR */ int md5_file( const char *path, unsigned char output[16] ); diff --git a/include/polarssl/sha1.h b/include/polarssl/sha1.h index 76b369a5d..0d5e67eb2 100644 --- a/include/polarssl/sha1.h +++ b/include/polarssl/sha1.h @@ -29,6 +29,8 @@ #include +#define POLARSSL_ERR_SHA1_FILE_IO_ERROR -0x0076 /**< Read/write error in file. */ + /** * \brief SHA-1 context structure */ @@ -86,8 +88,7 @@ void sha1( const unsigned char *input, size_t ilen, unsigned char output[20] ); * \param path input file name * \param output SHA-1 checksum result * - * \return 0 if successful, 1 if fopen failed, - * or 2 if fread failed + * \return 0 if successful, or POLARSSL_ERR_SHA1_FILE_IO_ERROR */ int sha1_file( const char *path, unsigned char output[20] ); diff --git a/include/polarssl/sha2.h b/include/polarssl/sha2.h index c963ca1e1..811b0fd61 100644 --- a/include/polarssl/sha2.h +++ b/include/polarssl/sha2.h @@ -29,6 +29,8 @@ #include +#define POLARSSL_ERR_SHA2_FILE_IO_ERROR -0x0078 /**< Read/write error in file. */ + /** * \brief SHA-256 context structure */ @@ -91,8 +93,7 @@ void sha2( const unsigned char *input, size_t ilen, * \param output SHA-224/256 checksum result * \param is224 0 = use SHA256, 1 = use SHA224 * - * \return 0 if successful, 1 if fopen failed, - * or 2 if fread failed + * \return 0 if successful, or POLARSSL_ERR_SHA2_FILE_IO_ERROR */ int sha2_file( const char *path, unsigned char output[32], int is224 ); diff --git a/include/polarssl/sha4.h b/include/polarssl/sha4.h index 06a85f10d..dafebec22 100644 --- a/include/polarssl/sha4.h +++ b/include/polarssl/sha4.h @@ -29,6 +29,8 @@ #include +#define POLARSSL_ERR_SHA4_FILE_IO_ERROR -0x007A /**< Read/write error in file. */ + #if defined(_MSC_VER) || defined(__WATCOMC__) #define UL64(x) x##ui64 #define long64 __int64 @@ -99,8 +101,7 @@ void sha4( const unsigned char *input, size_t ilen, * \param output SHA-384/512 checksum result * \param is384 0 = use SHA512, 1 = use SHA384 * - * \return 0 if successful, 1 if fopen failed, - * or 2 if fread failed + * \return 0 if successful, or POLARSSL_ERR_SHA4_FILE_IO_ERROR */ int sha4_file( const char *path, unsigned char output[64], int is384 ); diff --git a/include/polarssl/ssl.h b/include/polarssl/ssl.h index 02d75c7db..c897a1e3e 100644 --- a/include/polarssl/ssl.h +++ b/include/polarssl/ssl.h @@ -81,6 +81,7 @@ #define POLARSSL_ERR_SSL_BAD_HS_CERTIFICATE_VERIFY -0x7D80 /**< Processing of the CertificateVerify handshake message failed. */ #define POLARSSL_ERR_SSL_BAD_HS_CHANGE_CIPHER_SPEC -0x7E00 /**< Processing of the ChangeCipherSpec handshake message failed. */ #define POLARSSL_ERR_SSL_BAD_HS_FINISHED -0x7E80 /**< Processing of the Finished handshake message failed. */ +#define POLARSSL_ERR_SSL_MALLOC_FAILED -0x7F00 /**< Memory allocation failed */ /* * Various constants @@ -373,7 +374,8 @@ int ssl_get_ciphersuite_id( const char *ciphersuite_name ); * * \param ssl SSL context * - * \return 0 if successful, or 1 if memory allocation failed + * \return 0 if successful, or POLARSSL_ERR_SSL_MALLOC_FAILED if + * memory allocation failed */ int ssl_init( ssl_context *ssl ); diff --git a/include/polarssl/x509.h b/include/polarssl/x509.h index 11f1a3108..cd0dc84a6 100644 --- a/include/polarssl/x509.h +++ b/include/polarssl/x509.h @@ -59,7 +59,9 @@ #define POLARSSL_ERR_X509_KEY_INVALID_VERSION -0x2880 /**< Unsupported RSA key version */ #define POLARSSL_ERR_X509_KEY_INVALID_FORMAT -0x2900 /**< Invalid RSA key tag or value. */ #define POLARSSL_ERR_X509_CERT_UNKNOWN_FORMAT -0x2980 /**< Format not recognized as DER or PEM. */ -#define POLARSSL_ERR_X509_VALUE_TO_LENGTH -0x2A00 /**< Not used. */ +#define POLARSSL_ERR_X509_INVALID_INPUT -0x2A00 /**< Input invalid. */ +#define POLARSSL_ERR_X509_MALLOC_FAILED -0x2A80 /**< Allocation of memory failed. */ +#define POLARSSL_ERR_X509_FILE_IO_ERROR -0x2B00 /**< Read/write of file failed. */ /* \} name */ @@ -227,10 +229,6 @@ #define X509_FORMAT_DER 1 #define X509_FORMAT_PEM 2 -#define X509_NON_PERMISSIVE 0 -#define X509_PERMISSIVE 1 - - /** * \addtogroup x509_module * \{ */ @@ -420,34 +418,35 @@ extern "C" { /** \ingroup x509_module */ /** * \brief Parse one or more certificates and add them - * to the chained list. With permissive parsing enabled - * all certificates that cannot be parsed are ignored. - * If none complete correctly, the first error is returned. + * to the chained list. Parses permissively. If some + * certificates can be parsed, the result is the number + * of failed certificates it encountered. If none complete + * correctly, the first error is returned. * * \param chain points to the start of the chain * \param buf buffer holding the certificate data * \param buflen size of the buffer - * \param permissive X509_PERMISSIVE or X509_NON_PERMISSIVE * - * \return 0 if successful, or a specific X509 or PEM error code + * \return 0 if all certificates parsed successfully, a positive number + * if partly successful or a specific X509 or PEM error code */ -int x509parse_crt( x509_cert *chain, const unsigned char *buf, size_t buflen, - int permissive ); +int x509parse_crt( x509_cert *chain, const unsigned char *buf, size_t buflen ); /** \ingroup x509_module */ /** * \brief Load one or more certificates and add them - * to the chained list. With permissive parsing enabled - * all certificates that cannot be parsed are ignored. - * If none complete correctly, the first error is returned. + * to the chained list. Parses permissively. If some + * certificates can be parsed, the result is the number + * of failed certificates it encountered. If none complete + * correctly, the first error is returned. * * \param chain points to the start of the chain * \param path filename to read the certificates from - * \param permissive X509_PERMISSIVE or X509_NON_PERMISSIVE * - * \return 0 if successful, or a specific X509 or PEM error code + * \return 0 if all certificates parsed successfully, a positive number + * if partly successful or a specific X509 or PEM error code */ -int x509parse_crtfile( x509_cert *chain, const char *path, int permissive ); +int x509parse_crtfile( x509_cert *chain, const char *path ); /** \ingroup x509_module */ /** @@ -552,8 +551,6 @@ int x509parse_dhmfile( dhm_context *dhm, const char *path ); /** \} name Functions to read in DHM parameters, a certificate, CRL or private RSA key */ - - /** * \brief Store the certificate DN in printable form into buf; * no more than size characters will be written. diff --git a/library/asn1parse.c b/library/asn1parse.c index 09f67fa11..2584774a7 100644 --- a/library/asn1parse.c +++ b/library/asn1parse.c @@ -242,7 +242,7 @@ int asn1_get_sequence_of( unsigned char **p, sizeof( asn1_sequence ) ); if( cur->next == NULL ) - return( 1 ); + return( POLARSSL_ERR_ASN1_MALLOC_FAILED ); cur = cur->next; } diff --git a/library/bignum.c b/library/bignum.c index 59209563c..9dff9914d 100644 --- a/library/bignum.c +++ b/library/bignum.c @@ -89,12 +89,12 @@ int mpi_grow( mpi *X, size_t nblimbs ) t_uint *p; if( nblimbs > POLARSSL_MPI_MAX_LIMBS ) - return( 1 ); + return( POLARSSL_ERR_MPI_MALLOC_FAILED ); if( X->n < nblimbs ) { if( ( p = (t_uint *) malloc( nblimbs * ciL ) ) == NULL ) - return( 1 ); + return( POLARSSL_ERR_MPI_MALLOC_FAILED ); memset( p, 0, nblimbs * ciL ); diff --git a/library/ctr_drbg.c b/library/ctr_drbg.c index 478304e56..5b610a20f 100644 --- a/library/ctr_drbg.c +++ b/library/ctr_drbg.c @@ -244,7 +244,7 @@ int ctr_drbg_reseed( ctr_drbg_context *ctx, memset( seed, 0, CTR_DRBG_MAX_SEED_INPUT ); /* - * Gather POLARSSL_CTR_DRBG_ENTROPYLEN bytes of entropy to seed state + * Gather enropy_len bytes of entropy to seed state */ if( 0 != ctx->f_entropy( ctx->p_entropy, seed, ctx->entropy_len ) ) @@ -357,7 +357,7 @@ int ctr_drbg_write_seed_file( ctr_drbg_context *ctx, const char *path ) unsigned char buf[ CTR_DRBG_MAX_INPUT ]; if( ( f = fopen( path, "wb" ) ) == NULL ) - return( 1 ); + return( POLARSSL_ERR_CTR_DRBG_FILE_IO_ERROR ); if( ( ret = ctr_drbg_random( ctx, buf, CTR_DRBG_MAX_INPUT ) ) != 0 ) return( ret ); @@ -365,7 +365,7 @@ int ctr_drbg_write_seed_file( ctr_drbg_context *ctx, const char *path ) if( fwrite( buf, 1, CTR_DRBG_MAX_INPUT, f ) != CTR_DRBG_MAX_INPUT ) { fclose( f ); - return( 1 ); + return( POLARSSL_ERR_CTR_DRBG_FILE_IO_ERROR ); } fclose( f ); @@ -379,7 +379,7 @@ int ctr_drbg_update_seed_file( ctr_drbg_context *ctx, const char *path ) unsigned char buf[ CTR_DRBG_MAX_INPUT ]; if( ( f = fopen( path, "rb" ) ) == NULL ) - return( 1 ); + return( POLARSSL_ERR_CTR_DRBG_FILE_IO_ERROR ); fseek( f, 0, SEEK_END ); n = (size_t) ftell( f ); @@ -391,7 +391,7 @@ int ctr_drbg_update_seed_file( ctr_drbg_context *ctx, const char *path ) if( fread( buf, 1, n, f ) != n ) { fclose( f ); - return( 1 ); + return( POLARSSL_ERR_CTR_DRBG_FILE_IO_ERROR ); } ctr_drbg_update( ctx, buf, n ); diff --git a/library/error.c b/library/error.c index 33fad8518..05e84e72c 100644 --- a/library/error.c +++ b/library/error.c @@ -67,6 +67,18 @@ #include "polarssl/md.h" #endif +#if defined(POLARSSL_MD2_C) +#include "polarssl/md2.h" +#endif + +#if defined(POLARSSL_MD4_C) +#include "polarssl/md4.h" +#endif + +#if defined(POLARSSL_MD5_C) +#include "polarssl/md5.h" +#endif + #if defined(POLARSSL_NET_C) #include "polarssl/net.h" #endif @@ -83,6 +95,18 @@ #include "polarssl/rsa.h" #endif +#if defined(POLARSSL_SHA1_C) +#include "polarssl/sha1.h" +#endif + +#if defined(POLARSSL_SHA2_C) +#include "polarssl/sha2.h" +#endif + +#if defined(POLARSSL_SHA4_C) +#include "polarssl/sha4.h" +#endif + #if defined(POLARSSL_SSL_TLS_C) #include "polarssl/ssl.h" #endif @@ -258,6 +282,8 @@ void error_strerror( int ret, char *buf, size_t buflen ) snprintf( buf, buflen, "SSL - Processing of the ChangeCipherSpec handshake message failed" ); if( use_ret == -(POLARSSL_ERR_SSL_BAD_HS_FINISHED) ) snprintf( buf, buflen, "SSL - Processing of the Finished handshake message failed" ); + if( use_ret == -(POLARSSL_ERR_SSL_MALLOC_FAILED) ) + snprintf( buf, buflen, "SSL - Memory allocation failed" ); #endif /* POLARSSL_SSL_TLS_C */ #if defined(POLARSSL_X509_PARSE_C) @@ -299,8 +325,12 @@ void error_strerror( int ret, char *buf, size_t buflen ) snprintf( buf, buflen, "X509 - Invalid RSA key tag or value" ); if( use_ret == -(POLARSSL_ERR_X509_CERT_UNKNOWN_FORMAT) ) snprintf( buf, buflen, "X509 - Format not recognized as DER or PEM" ); - if( use_ret == -(POLARSSL_ERR_X509_VALUE_TO_LENGTH) ) - snprintf( buf, buflen, "X509 - Not used" ); + if( use_ret == -(POLARSSL_ERR_X509_INVALID_INPUT) ) + snprintf( buf, buflen, "X509 - Input invalid" ); + if( use_ret == -(POLARSSL_ERR_X509_MALLOC_FAILED) ) + snprintf( buf, buflen, "X509 - Allocation of memory failed" ); + if( use_ret == -(POLARSSL_ERR_X509_FILE_IO_ERROR) ) + snprintf( buf, buflen, "X509 - Read/write of file failed" ); #endif /* POLARSSL_X509_PARSE_C */ if( strlen( buf ) == 0 ) @@ -348,6 +378,8 @@ void error_strerror( int ret, char *buf, size_t buflen ) snprintf( buf, buflen, "ASN1 - Actual length differs from expected length" ); if( use_ret == -(POLARSSL_ERR_ASN1_INVALID_DATA) ) snprintf( buf, buflen, "ASN1 - Data is invalid. (not used)" ); + if( use_ret == -(POLARSSL_ERR_ASN1_MALLOC_FAILED) ) + snprintf( buf, buflen, "ASN1 - Memory allocation failed" ); #endif /* POLARSSL_ASN1_PARSE_C */ #if defined(POLARSSL_BASE64_C) @@ -365,13 +397,15 @@ void error_strerror( int ret, char *buf, size_t buflen ) if( use_ret == -(POLARSSL_ERR_MPI_INVALID_CHARACTER) ) snprintf( buf, buflen, "BIGNUM - There is an invalid character in the digit string" ); if( use_ret == -(POLARSSL_ERR_MPI_BUFFER_TOO_SMALL) ) - snprintf( buf, buflen, "BIGNUM - The output buffer is too small to write too" ); + snprintf( buf, buflen, "BIGNUM - The buffer is too small to write to" ); if( use_ret == -(POLARSSL_ERR_MPI_NEGATIVE_VALUE) ) snprintf( buf, buflen, "BIGNUM - The input arguments are negative or result in illegal output" ); if( use_ret == -(POLARSSL_ERR_MPI_DIVISION_BY_ZERO) ) snprintf( buf, buflen, "BIGNUM - The input argument for division is zero, which is not allowed" ); if( use_ret == -(POLARSSL_ERR_MPI_NOT_ACCEPTABLE) ) snprintf( buf, buflen, "BIGNUM - The input arguments are not acceptable" ); + if( use_ret == -(POLARSSL_ERR_MPI_MALLOC_FAILED) ) + snprintf( buf, buflen, "BIGNUM - Memory allocation failed" ); #endif /* POLARSSL_BIGNUM_C */ #if defined(POLARSSL_CAMELLIA_C) @@ -388,6 +422,8 @@ void error_strerror( int ret, char *buf, size_t buflen ) snprintf( buf, buflen, "CTR_DRBG - Too many random requested in single call" ); if( use_ret == -(POLARSSL_ERR_CTR_DRBG_INPUT_TOO_BIG) ) snprintf( buf, buflen, "CTR_DRBG - Input too large (Entropy + additional)" ); + if( use_ret == -(POLARSSL_ERR_CTR_DRBG_FILE_IO_ERROR) ) + snprintf( buf, buflen, "CTR_DRBG - Read/write error in file" ); #endif /* POLARSSL_CTR_DRBG_C */ #if defined(POLARSSL_DES_C) @@ -402,6 +438,21 @@ void error_strerror( int ret, char *buf, size_t buflen ) snprintf( buf, buflen, "ENTROPY - No more sources can be added" ); #endif /* POLARSSL_ENTROPY_C */ +#if defined(POLARSSL_MD2_C) + if( use_ret == -(POLARSSL_ERR_MD2_FILE_IO_ERROR) ) + snprintf( buf, buflen, "MD2 - Read/write error in file" ); +#endif /* POLARSSL_MD2_C */ + +#if defined(POLARSSL_MD4_C) + if( use_ret == -(POLARSSL_ERR_MD4_FILE_IO_ERROR) ) + snprintf( buf, buflen, "MD4 - Read/write error in file" ); +#endif /* POLARSSL_MD4_C */ + +#if defined(POLARSSL_MD5_C) + if( use_ret == -(POLARSSL_ERR_MD5_FILE_IO_ERROR) ) + snprintf( buf, buflen, "MD5 - Read/write error in file" ); +#endif /* POLARSSL_MD5_C */ + #if defined(POLARSSL_NET_C) if( use_ret == -(POLARSSL_ERR_NET_UNKNOWN_HOST) ) snprintf( buf, buflen, "NET - Failed to get an IP address for the given hostname" ); @@ -432,6 +483,21 @@ void error_strerror( int ret, char *buf, size_t buflen ) snprintf( buf, buflen, "PADLOCK - Input data should be aligned" ); #endif /* POLARSSL_PADLOCK_C */ +#if defined(POLARSSL_SHA1_C) + if( use_ret == -(POLARSSL_ERR_SHA1_FILE_IO_ERROR) ) + snprintf( buf, buflen, "SHA1 - Read/write error in file" ); +#endif /* POLARSSL_SHA1_C */ + +#if defined(POLARSSL_SHA2_C) + if( use_ret == -(POLARSSL_ERR_SHA2_FILE_IO_ERROR) ) + snprintf( buf, buflen, "SHA2 - Read/write error in file" ); +#endif /* POLARSSL_SHA2_C */ + +#if defined(POLARSSL_SHA4_C) + if( use_ret == -(POLARSSL_ERR_SHA4_FILE_IO_ERROR) ) + snprintf( buf, buflen, "SHA4 - Read/write error in file" ); +#endif /* POLARSSL_SHA4_C */ + #if defined(POLARSSL_XTEA_C) if( use_ret == -(POLARSSL_ERR_XTEA_INVALID_INPUT_LENGTH) ) snprintf( buf, buflen, "XTEA - The data input has an invalid length" ); diff --git a/library/md2.c b/library/md2.c index ff1b5aa23..954aa07be 100644 --- a/library/md2.c +++ b/library/md2.c @@ -189,7 +189,7 @@ int md2_file( const char *path, unsigned char output[16] ) unsigned char buf[1024]; if( ( f = fopen( path, "rb" ) ) == NULL ) - return( 1 ); + return( POLARSSL_ERR_MD2_FILE_IO_ERROR ); md2_starts( &ctx ); @@ -203,7 +203,7 @@ int md2_file( const char *path, unsigned char output[16] ) if( ferror( f ) != 0 ) { fclose( f ); - return( 2 ); + return( POLARSSL_ERR_MD2_FILE_IO_ERROR ); } fclose( f ); diff --git a/library/md4.c b/library/md4.c index a1c82447b..ad52e5e4a 100644 --- a/library/md4.c +++ b/library/md4.c @@ -285,7 +285,7 @@ int md4_file( const char *path, unsigned char output[16] ) unsigned char buf[1024]; if( ( f = fopen( path, "rb" ) ) == NULL ) - return( 1 ); + return( POLARSSL_ERR_MD4_FILE_IO_ERROR ); md4_starts( &ctx ); @@ -299,7 +299,7 @@ int md4_file( const char *path, unsigned char output[16] ) if( ferror( f ) != 0 ) { fclose( f ); - return( 2 ); + return( POLARSSL_ERR_MD4_FILE_IO_ERROR ); } fclose( f ); diff --git a/library/md5.c b/library/md5.c index 1c5b397b6..7a449b246 100644 --- a/library/md5.c +++ b/library/md5.c @@ -304,7 +304,7 @@ int md5_file( const char *path, unsigned char output[16] ) unsigned char buf[1024]; if( ( f = fopen( path, "rb" ) ) == NULL ) - return( 1 ); + return( POLARSSL_ERR_MD5_FILE_IO_ERROR ); md5_starts( &ctx ); @@ -318,7 +318,7 @@ int md5_file( const char *path, unsigned char output[16] ) if( ferror( f ) != 0 ) { fclose( f ); - return( 2 ); + return( POLARSSL_ERR_MD5_FILE_IO_ERROR ); } fclose( f ); diff --git a/library/sha1.c b/library/sha1.c index 56028fe4c..72ca06338 100644 --- a/library/sha1.c +++ b/library/sha1.c @@ -339,7 +339,7 @@ int sha1_file( const char *path, unsigned char output[20] ) unsigned char buf[1024]; if( ( f = fopen( path, "rb" ) ) == NULL ) - return( 1 ); + return( POLARSSL_ERR_SHA1_FILE_IO_ERROR ); sha1_starts( &ctx ); @@ -353,7 +353,7 @@ int sha1_file( const char *path, unsigned char output[20] ) if( ferror( f ) != 0 ) { fclose( f ); - return( 2 ); + return( POLARSSL_ERR_SHA1_FILE_IO_ERROR ); } fclose( f ); diff --git a/library/sha2.c b/library/sha2.c index 9cc88e820..4b5e6962f 100644 --- a/library/sha2.c +++ b/library/sha2.c @@ -341,7 +341,7 @@ int sha2_file( const char *path, unsigned char output[32], int is224 ) unsigned char buf[1024]; if( ( f = fopen( path, "rb" ) ) == NULL ) - return( 1 ); + return( POLARSSL_ERR_SHA2_FILE_IO_ERROR ); sha2_starts( &ctx, is224 ); @@ -355,7 +355,7 @@ int sha2_file( const char *path, unsigned char output[32], int is224 ) if( ferror( f ) != 0 ) { fclose( f ); - return( 2 ); + return( POLARSSL_ERR_SHA2_FILE_IO_ERROR ); } fclose( f ); diff --git a/library/sha4.c b/library/sha4.c index ee6cf902a..cf54d114c 100644 --- a/library/sha4.c +++ b/library/sha4.c @@ -339,7 +339,7 @@ int sha4_file( const char *path, unsigned char output[64], int is384 ) unsigned char buf[1024]; if( ( f = fopen( path, "rb" ) ) == NULL ) - return( 1 ); + return( POLARSSL_ERR_SHA4_FILE_IO_ERROR ); sha4_starts( &ctx, is384 ); @@ -353,7 +353,7 @@ int sha4_file( const char *path, unsigned char output[64], int is384 ) if( ferror( f ) != 0 ) { fclose( f ); - return( 2 ); + return( POLARSSL_ERR_SHA4_FILE_IO_ERROR ); } fclose( f ); diff --git a/library/ssl_tls.c b/library/ssl_tls.c index 26e7dfa65..545317ab8 100644 --- a/library/ssl_tls.c +++ b/library/ssl_tls.c @@ -1376,7 +1376,7 @@ int ssl_parse_certificate( ssl_context *ssl ) { SSL_DEBUG_MSG( 1, ( "malloc(%d bytes) failed", sizeof( x509_cert ) ) ); - return( 1 ); + return( POLARSSL_ERR_SSL_MALLOC_FAILED ); } memset( ssl->peer_cert, 0, sizeof( x509_cert ) ); @@ -1401,8 +1401,7 @@ int ssl_parse_certificate( ssl_context *ssl ) return( POLARSSL_ERR_SSL_BAD_HS_CERTIFICATE ); } - ret = x509parse_crt( ssl->peer_cert, ssl->in_msg + i, n, - X509_NON_PERMISSIVE ); + ret = x509parse_crt( ssl->peer_cert, ssl->in_msg + i, n ); if( ret != 0 ) { SSL_DEBUG_RET( 1, " x509parse_crt", ret ); @@ -1707,7 +1706,7 @@ int ssl_init( ssl_context *ssl ) if( ssl->in_ctr == NULL ) { SSL_DEBUG_MSG( 1, ( "malloc(%d bytes) failed", len ) ); - return( 1 ); + return( POLARSSL_ERR_SSL_MALLOC_FAILED ); } ssl->out_ctr = (unsigned char *) malloc( len ); @@ -1718,7 +1717,7 @@ int ssl_init( ssl_context *ssl ) { SSL_DEBUG_MSG( 1, ( "malloc(%d bytes) failed", len ) ); free( ssl-> in_ctr ); - return( 1 ); + return( POLARSSL_ERR_SSL_MALLOC_FAILED ); } memset( ssl-> in_ctr, 0, SSL_BUFFER_LEN ); diff --git a/library/x509parse.c b/library/x509parse.c index d7da8c46e..f561754eb 100644 --- a/library/x509parse.c +++ b/library/x509parse.c @@ -284,7 +284,7 @@ static int x509_get_name( unsigned char **p, sizeof( x509_name ) ); if( use->next == NULL ) - return( 1 ); + return( POLARSSL_ERR_X509_MALLOC_FAILED ); memset( use->next, 0, sizeof( x509_name ) ); @@ -303,7 +303,7 @@ static int x509_get_name( unsigned char **p, sizeof( x509_name ) ); if( cur->next == NULL ) - return( 1 ); + return( POLARSSL_ERR_X509_MALLOC_FAILED ); return( x509_get_name( p, end2, cur->next ) ); } @@ -1018,12 +1018,12 @@ int x509parse_crt_der( x509_cert *crt, const unsigned char *buf, size_t buflen ) * Check for valid input */ if( crt == NULL || buf == NULL ) - return( 1 ); + return( POLARSSL_ERR_X509_INVALID_INPUT ); p = (unsigned char *) malloc( len = buflen ); if( p == NULL ) - return( 1 ); + return( POLARSSL_ERR_X509_MALLOC_FAILED ); memcpy( p, buf, buflen ); @@ -1259,10 +1259,9 @@ int x509parse_crt_der( x509_cert *crt, const unsigned char *buf, size_t buflen ) /* * Parse one or more PEM certificates from a buffer and add them to the chained list */ -int x509parse_crt( x509_cert *chain, const unsigned char *buf, size_t buflen, - int permissive ) +int x509parse_crt( x509_cert *chain, const unsigned char *buf, size_t buflen ) { - int ret, success = 0, first_error = 0; + int ret, success = 0, first_error = 0, total_failed = 0; x509_cert *crt, *prev = NULL; int buf_format = X509_FORMAT_DER; @@ -1272,7 +1271,7 @@ int x509parse_crt( x509_cert *chain, const unsigned char *buf, size_t buflen, * Check for valid input */ if( crt == NULL || buf == NULL ) - return( 1 ); + return( POLARSSL_ERR_X509_INVALID_INPUT ); while( crt->version != 0 && crt->next != NULL ) { @@ -1288,7 +1287,7 @@ int x509parse_crt( x509_cert *chain, const unsigned char *buf, size_t buflen, crt->next = (x509_cert *) malloc( sizeof( x509_cert ) ); if( crt->next == NULL ) - return( 1 ); + return( POLARSSL_ERR_X509_MALLOC_FAILED ); prev = crt; crt = crt->next; @@ -1349,9 +1348,9 @@ int x509parse_crt( x509_cert *chain, const unsigned char *buf, size_t buflen, if( ret != 0 ) { /* - * quit parsing on a memory error or if in non-permissive parsing mode + * quit parsing on a memory error */ - if( ret == 1 || permissive != 1 ) + if( ret == POLARSSL_ERR_X509_MALLOC_FAILED ) { if( prev ) prev->next = NULL; @@ -1364,6 +1363,8 @@ int x509parse_crt( x509_cert *chain, const unsigned char *buf, size_t buflen, if( first_error == 0 ) first_error = ret; + + total_failed++; memset( crt, 0, sizeof( x509_cert ) ); continue; @@ -1377,7 +1378,7 @@ int x509parse_crt( x509_cert *chain, const unsigned char *buf, size_t buflen, crt->next = (x509_cert *) malloc( sizeof( x509_cert ) ); if( crt->next == NULL ) - return( 1 ); + return( POLARSSL_ERR_X509_MALLOC_FAILED ); prev = crt; crt = crt->next; @@ -1396,7 +1397,7 @@ int x509parse_crt( x509_cert *chain, const unsigned char *buf, size_t buflen, } if( success ) - return( 0 ); + return( total_failed ); else if( first_error ) return( first_error ); else @@ -1423,7 +1424,7 @@ int x509parse_crl( x509_crl *chain, const unsigned char *buf, size_t buflen ) * Check for valid input */ if( crl == NULL || buf == NULL ) - return( 1 ); + return( POLARSSL_ERR_X509_INVALID_INPUT ); while( crl->version != 0 && crl->next != NULL ) crl = crl->next; @@ -1438,7 +1439,7 @@ int x509parse_crl( x509_crl *chain, const unsigned char *buf, size_t buflen ) if( crl->next == NULL ) { x509_crl_free( crl ); - return( 1 ); + return( POLARSSL_ERR_X509_MALLOC_FAILED ); } crl = crl->next; @@ -1481,7 +1482,7 @@ int x509parse_crl( x509_crl *chain, const unsigned char *buf, size_t buflen ) p = (unsigned char *) malloc( len = buflen ); if( p == NULL ) - return( 1 ); + return( POLARSSL_ERR_X509_MALLOC_FAILED ); memcpy( p, buf, buflen ); @@ -1491,7 +1492,7 @@ int x509parse_crl( x509_crl *chain, const unsigned char *buf, size_t buflen ) p = (unsigned char *) malloc( len = buflen ); if( p == NULL ) - return( 1 ); + return( POLARSSL_ERR_X509_MALLOC_FAILED ); memcpy( p, buf, buflen ); @@ -1680,7 +1681,7 @@ int x509parse_crl( x509_crl *chain, const unsigned char *buf, size_t buflen ) if( crl->next == NULL ) { x509_crl_free( crl ); - return( 1 ); + return( POLARSSL_ERR_X509_MALLOC_FAILED ); } crl = crl->next; @@ -1701,20 +1702,20 @@ int load_file( const char *path, unsigned char **buf, size_t *n ) FILE *f; if( ( f = fopen( path, "rb" ) ) == NULL ) - return( 1 ); + return( POLARSSL_ERR_X509_FILE_IO_ERROR ); fseek( f, 0, SEEK_END ); *n = (size_t) ftell( f ); fseek( f, 0, SEEK_SET ); if( ( *buf = (unsigned char *) malloc( *n + 1 ) ) == NULL ) - return( 1 ); + return( POLARSSL_ERR_X509_MALLOC_FAILED ); if( fread( *buf, 1, *n, f ) != *n ) { fclose( f ); free( *buf ); - return( 1 ); + return( POLARSSL_ERR_X509_FILE_IO_ERROR ); } fclose( f ); @@ -1727,16 +1728,16 @@ int load_file( const char *path, unsigned char **buf, size_t *n ) /* * Load one or more certificates and add them to the chained list */ -int x509parse_crtfile( x509_cert *chain, const char *path, int permissive ) +int x509parse_crtfile( x509_cert *chain, const char *path ) { int ret; size_t n; unsigned char *buf; - if ( load_file( path, &buf, &n ) ) - return( 1 ); + if ( (ret = load_file( path, &buf, &n ) ) != 0 ) + return( ret ); - ret = x509parse_crt( chain, buf, n, permissive ); + ret = x509parse_crt( chain, buf, n ); memset( buf, 0, n + 1 ); free( buf ); @@ -1753,8 +1754,8 @@ int x509parse_crlfile( x509_crl *chain, const char *path ) size_t n; unsigned char *buf; - if ( load_file( path, &buf, &n ) ) - return( 1 ); + if ( (ret = load_file( path, &buf, &n ) ) != 0 ) + return( ret ); ret = x509parse_crl( chain, buf, n ); @@ -1773,8 +1774,8 @@ int x509parse_keyfile( rsa_context *rsa, const char *path, const char *pwd ) size_t n; unsigned char *buf; - if ( load_file( path, &buf, &n ) ) - return( 1 ); + if ( (ret = load_file( path, &buf, &n ) ) != 0 ) + return( ret ); if( pwd == NULL ) ret = x509parse_key( rsa, buf, n, NULL, 0 ); @@ -1797,8 +1798,8 @@ int x509parse_public_keyfile( rsa_context *rsa, const char *path ) size_t n; unsigned char *buf; - if ( load_file( path, &buf, &n ) ) - return( 1 ); + if ( (ret = load_file( path, &buf, &n ) ) != 0 ) + return( ret ); ret = x509parse_public_key( rsa, buf, n ); @@ -2250,8 +2251,8 @@ int x509parse_dhmfile( dhm_context *dhm, const char *path ) size_t n; unsigned char *buf; - if ( load_file( path, &buf, &n ) ) - return( 1 ); + if ( ( ret = load_file( path, &buf, &n ) ) != 0 ) + return( ret ); ret = x509parse_dhm( dhm, buf, n ); @@ -3155,7 +3156,7 @@ int x509_self_test( int verbose ) memset( &clicert, 0, sizeof( x509_cert ) ); ret = x509parse_crt( &clicert, (unsigned char *) test_cli_crt, - strlen( test_cli_crt ), X509_NON_PERMISSIVE ); + strlen( test_cli_crt ) ); if( ret != 0 ) { if( verbose != 0 ) @@ -3167,7 +3168,7 @@ int x509_self_test( int verbose ) memset( &cacert, 0, sizeof( x509_cert ) ); ret = x509parse_crt( &cacert, (unsigned char *) test_ca_crt, - strlen( test_ca_crt ), X509_NON_PERMISSIVE ); + strlen( test_ca_crt ) ); if( ret != 0 ) { if( verbose != 0 ) diff --git a/programs/ssl/ssl_client2.c b/programs/ssl/ssl_client2.c index 39d69aceb..f5bbe856d 100644 --- a/programs/ssl/ssl_client2.c +++ b/programs/ssl/ssl_client2.c @@ -241,12 +241,12 @@ int main( int argc, char *argv[] ) #if defined(POLARSSL_FS_IO) if( strlen( opt.ca_file ) ) - ret = x509parse_crtfile( &cacert, opt.ca_file, X509_NON_PERMISSIVE ); + ret = x509parse_crtfile( &cacert, opt.ca_file ); else #endif #if defined(POLARSSL_CERTS_C) ret = x509parse_crt( &cacert, (unsigned char *) test_ca_crt, - strlen( test_ca_crt ), X509_NON_PERMISSIVE ); + strlen( test_ca_crt ) ); #else { ret = 1; @@ -271,12 +271,12 @@ int main( int argc, char *argv[] ) #if defined(POLARSSL_FS_IO) if( strlen( opt.crt_file ) ) - ret = x509parse_crtfile( &clicert, opt.crt_file, X509_NON_PERMISSIVE ); + ret = x509parse_crtfile( &clicert, opt.crt_file ); else #endif #if defined(POLARSSL_CERTS_C) ret = x509parse_crt( &clicert, (unsigned char *) test_cli_crt, - strlen( test_cli_crt ), X509_NON_PERMISSIVE ); + strlen( test_cli_crt ) ); #else { ret = 1; diff --git a/programs/ssl/ssl_fork_server.c b/programs/ssl/ssl_fork_server.c index d24ae00f7..881a68e40 100644 --- a/programs/ssl/ssl_fork_server.c +++ b/programs/ssl/ssl_fork_server.c @@ -250,7 +250,7 @@ int main( int argc, char *argv[] ) * server and CA certificates, as well as x509parse_keyfile(). */ ret = x509parse_crt( &srvcert, (unsigned char *) test_srv_crt, - strlen( test_srv_crt ), X509_NON_PERMISSIVE ); + strlen( test_srv_crt ) ); if( ret != 0 ) { printf( " failed\n ! x509parse_crt returned %d\n\n", ret ); @@ -258,7 +258,7 @@ int main( int argc, char *argv[] ) } ret = x509parse_crt( &srvcert, (unsigned char *) test_ca_crt, - strlen( test_ca_crt ), X509_NON_PERMISSIVE ); + strlen( test_ca_crt ) ); if( ret != 0 ) { printf( " failed\n ! x509parse_crt returned %d\n\n", ret ); diff --git a/programs/ssl/ssl_mail_client.c b/programs/ssl/ssl_mail_client.c index eb223b0b3..2f442c994 100644 --- a/programs/ssl/ssl_mail_client.c +++ b/programs/ssl/ssl_mail_client.c @@ -493,12 +493,12 @@ int main( int argc, char *argv[] ) #if defined(POLARSSL_FS_IO) if( strlen( opt.ca_file ) ) - ret = x509parse_crtfile( &cacert, opt.ca_file, X509_NON_PERMISSIVE ); + ret = x509parse_crtfile( &cacert, opt.ca_file ); else #endif #if defined(POLARSSL_CERTS_C) ret = x509parse_crt( &cacert, (unsigned char *) test_ca_crt, - strlen( test_ca_crt ), X509_NON_PERMISSIVE ); + strlen( test_ca_crt ) ); #else { ret = 1; @@ -523,15 +523,15 @@ int main( int argc, char *argv[] ) #if defined(POLARSSL_FS_IO) if( strlen( opt.crt_file ) ) - ret = x509parse_crtfile( &clicert, opt.crt_file, X509_NON_PERMISSIVE ); + ret = x509parse_crtfile( &clicert, opt.crt_file ); else #endif #if defined(POLARSSL_CERTS_C) ret = x509parse_crt( &clicert, (unsigned char *) test_cli_crt, - strlen( test_cli_crt ), X509_NON_PERMISSIVE ); + strlen( test_cli_crt ) ); #else { - ret = 1; + ret = -1; printf("POLARSSL_CERTS_C not defined."); } #endif @@ -551,7 +551,7 @@ int main( int argc, char *argv[] ) strlen( test_cli_key ), NULL, 0 ); #else { - ret = 1; + ret = -1; printf("POLARSSL_CERTS_C not defined."); } #endif diff --git a/programs/ssl/ssl_server.c b/programs/ssl/ssl_server.c index f43e8b4c5..5ee2f633f 100644 --- a/programs/ssl/ssl_server.c +++ b/programs/ssl/ssl_server.c @@ -220,7 +220,7 @@ int main( int argc, char *argv[] ) * server and CA certificates, as well as x509parse_keyfile(). */ ret = x509parse_crt( &srvcert, (unsigned char *) test_srv_crt, - strlen( test_srv_crt ), X509_NON_PERMISSIVE ); + strlen( test_srv_crt ) ); if( ret != 0 ) { printf( " failed\n ! x509parse_crt returned %d\n\n", ret ); @@ -228,7 +228,7 @@ int main( int argc, char *argv[] ) } ret = x509parse_crt( &srvcert, (unsigned char *) test_ca_crt, - strlen( test_ca_crt ), X509_NON_PERMISSIVE ); + strlen( test_ca_crt ) ); if( ret != 0 ) { printf( " failed\n ! x509parse_crt returned %d\n\n", ret ); diff --git a/programs/test/ssl_cert_test.c b/programs/test/ssl_cert_test.c index 2e4e6c532..57ea32c8f 100644 --- a/programs/test/ssl_cert_test.c +++ b/programs/test/ssl_cert_test.c @@ -100,7 +100,7 @@ int main( int argc, char *argv[] ) * Alternatively, you may load the CA certificates from a .pem or * .crt file by calling x509parse_crtfile( &cacert, "myca.crt" ). */ - ret = x509parse_crtfile( &cacert, "ssl/test-ca/test-ca.crt", X509_NON_PERMISSIVE ); + ret = x509parse_crtfile( &cacert, "ssl/test-ca/test-ca.crt" ); if( ret != 0 ) { printf( " failed\n ! x509parse_crtfile returned %d\n\n", ret ); @@ -148,7 +148,7 @@ int main( int argc, char *argv[] ) printf( " . Loading the client certificate %s...", name ); fflush( stdout ); - ret = x509parse_crtfile( &clicert, name, X509_NON_PERMISSIVE ); + ret = x509parse_crtfile( &clicert, name ); if( ret != 0 ) { printf( " failed\n ! x509parse_crt returned %d\n\n", ret ); diff --git a/programs/test/ssl_test.c b/programs/test/ssl_test.c index 333754075..59fab01a7 100644 --- a/programs/test/ssl_test.c +++ b/programs/test/ssl_test.c @@ -214,7 +214,7 @@ static int ssl_test( struct options *opt ) goto exit; #else ret = x509parse_crt( &srvcert, (unsigned char *) test_srv_crt, - strlen( test_srv_crt ), X509_NON_PERMISSIVE ); + strlen( test_srv_crt ) ); if( ret != 0 ) { printf( " ! x509parse_crt returned %d\n\n", ret ); @@ -222,7 +222,7 @@ static int ssl_test( struct options *opt ) } ret = x509parse_crt( &srvcert, (unsigned char *) test_ca_crt, - strlen( test_ca_crt ), X509_NON_PERMISSIVE ); + strlen( test_ca_crt ) ); if( ret != 0 ) { printf( " ! x509parse_crt returned %d\n\n", ret ); diff --git a/programs/x509/cert_app.c b/programs/x509/cert_app.c index a041a47ef..08d1b9a47 100644 --- a/programs/x509/cert_app.c +++ b/programs/x509/cert_app.c @@ -200,17 +200,25 @@ int main( int argc, char *argv[] ) printf( "\n . Loading the certificate(s) ..." ); fflush( stdout ); - ret = x509parse_crtfile( &crt, opt.filename, opt.permissive ); + ret = x509parse_crtfile( &crt, opt.filename ); - if( ret != 0 ) + if( ret < 0 ) { printf( " failed\n ! x509parse_crt returned %d\n\n", ret ); x509_free( &crt ); goto exit; } + if( opt.permissive == 0 && ret > 0 ) + { + printf( " failed\n ! x509parse_crt failed to parse %d certificates\n\n", ret ); + x509_free( &crt ); + goto exit; + } + printf( " ok\n" ); + /* * 1.2 Print the certificate(s) */ diff --git a/scripts/generate_errors.pl b/scripts/generate_errors.pl index e07200fcc..ef5e45f07 100755 --- a/scripts/generate_errors.pl +++ b/scripts/generate_errors.pl @@ -9,7 +9,8 @@ my $error_file = shift or die "Missing destination file"; my $error_format_file = $data_dir.'/error.fmt'; my @low_level_modules = ( "AES", "ASN1", "CAMELLIA", "BIGNUM", "BASE64", "XTEA", - "PADLOCK", "DES", "NET", "CTR_DRBG", "ENTROPY" ); + "PADLOCK", "DES", "NET", "CTR_DRBG", "ENTROPY", + "MD2", "MD4", "MD5", "SHA1", "SHA2", "SHA4" ); my @high_level_modules = ( "PEM", "X509", "DHM", "RSA", "MD", "CIPHER", "SSL" ); my $line_separator = $/; diff --git a/tests/suites/test_suite_ctr_drbg.function b/tests/suites/test_suite_ctr_drbg.function index 7349517a4..155bfc520 100644 --- a/tests/suites/test_suite_ctr_drbg.function +++ b/tests/suites/test_suite_ctr_drbg.function @@ -2,8 +2,9 @@ BEGIN_HEADER #include int test_offset; -int entropy_func( void *p, unsigned char *buf, size_t len ) +int entropy_func( void *data, unsigned char *buf, size_t len ) { + unsigned char *p = (unsigned char *) data; memcpy( buf, p + test_offset, len ); test_offset += 32; return( 0 ); diff --git a/tests/suites/test_suite_debug.function b/tests/suites/test_suite_debug.function index 950c7ea4b..02381ca95 100644 --- a/tests/suites/test_suite_debug.function +++ b/tests/suites/test_suite_debug.function @@ -35,7 +35,7 @@ debug_print_crt:crt_file:file:line:prefix:result_str ssl_set_dbg(&ssl, string_debug, &buffer); - TEST_ASSERT( x509parse_crtfile( &crt, {crt_file}, X509_NON_PERMISSIVE ) == 0 ); + TEST_ASSERT( x509parse_crtfile( &crt, {crt_file} ) == 0 ); debug_print_crt( &ssl, 0, {file}, {line}, {prefix}, &crt); TEST_ASSERT( strcmp( buffer.buf, {result_str} ) == 0 ); diff --git a/tests/suites/test_suite_x509parse.function b/tests/suites/test_suite_x509parse.function index deac249b0..18e1c41f3 100644 --- a/tests/suites/test_suite_x509parse.function +++ b/tests/suites/test_suite_x509parse.function @@ -38,7 +38,7 @@ x509_cert_info:crt_file:result_str memset( &crt, 0, sizeof( x509_cert ) ); memset( buf, 0, 2000 ); - TEST_ASSERT( x509parse_crtfile( &crt, {crt_file}, X509_NON_PERMISSIVE ) == 0 ); + TEST_ASSERT( x509parse_crtfile( &crt, {crt_file} ) == 0 ); res = x509parse_cert_info( buf, 2000, "", &crt ); TEST_ASSERT( res != -1 ); @@ -81,8 +81,8 @@ x509_verify:crt_file:ca_file:crl_file:cn_name:result:flags:verify_callback memset( &ca, 0, sizeof( x509_cert ) ); memset( &crl, 0, sizeof( x509_crl ) ); - TEST_ASSERT( x509parse_crtfile( &crt, {crt_file}, X509_NON_PERMISSIVE ) == 0 ); - TEST_ASSERT( x509parse_crtfile( &ca, {ca_file}, X509_NON_PERMISSIVE ) == 0 ); + TEST_ASSERT( x509parse_crtfile( &crt, {crt_file} ) == 0 ); + TEST_ASSERT( x509parse_crtfile( &ca, {ca_file} ) == 0 ); TEST_ASSERT( x509parse_crlfile( &crl, {crl_file} ) == 0 ); res = x509parse_verify( &crt, &ca, &crl, {cn_name}, &flags, {verify_callback}, NULL ); @@ -102,7 +102,7 @@ x509_dn_gets:crt_file:entity:result_str memset( &crt, 0, sizeof( x509_cert ) ); memset( buf, 0, 2000 ); - TEST_ASSERT( x509parse_crtfile( &crt, {crt_file}, X509_NON_PERMISSIVE ) == 0 ); + TEST_ASSERT( x509parse_crtfile( &crt, {crt_file} ) == 0 ); res = x509parse_dn_gets( buf, 2000, &crt.{entity} ); TEST_ASSERT( res != -1 ); @@ -119,7 +119,7 @@ x509_time_expired:crt_file:entity:result memset( &crt, 0, sizeof( x509_cert ) ); - TEST_ASSERT( x509parse_crtfile( &crt, {crt_file}, X509_NON_PERMISSIVE ) == 0 ); + TEST_ASSERT( x509parse_crtfile( &crt, {crt_file} ) == 0 ); TEST_ASSERT( x509parse_time_expired( &crt.{entity} ) == {result} ); } END_CASE @@ -176,7 +176,7 @@ x509parse_crt:crt_data:result_str:result data_len = unhexify( buf, {crt_data} ); - TEST_ASSERT( x509parse_crt( &crt, buf, data_len, X509_NON_PERMISSIVE ) == ( {result} ) ); + TEST_ASSERT( x509parse_crt( &crt, buf, data_len ) == ( {result} ) ); if( ( {result} ) == 0 ) { res = x509parse_cert_info( (char *) output, 2000, "", &crt );