- Added Doxygen source code documentation parts (donated by Fox-IT)

CMakeLists.txt

@@ -19,5 +19,5 @@ add_subdirectory(tests)
 add_subdirectory(programs)
 
 ADD_CUSTOM_TARGET(apidoc
-                  COMMAND doxygen Doxyfile
+                  COMMAND doxygen doxygen/polarssl.doxyfile
                   WORKING_DIRECTORY ${CMAKE_CURRENT_SOURCE_DIR})

ChangeLog

 PolarSSL ChangeLog
 
+= Version Trunk
+Features
+   * Added Doxygen source code documentation parts donated
+     by Fox-IT
+
 = Version 0.14.0 released on 2010-08-16
 Features
    * Added support for SSL_EDH_RSA_AES_128_SHA and

Doxyfile

-PROJECT_NAME    = PolarSSL
-INPUT           = include/polarssl
-HTML_OUTPUT     = apidoc
-GENERATE_LATEX  = NO

Makefile

@@ -32,3 +32,13 @@ clean:
 
 check:
 	( cd tests && $(MAKE) check )
+
+apidoc:
+	mkdir -p apidoc
+	doxygen doxygen/polarssl.doxyfile
+
+apidoc_clean:
+	if [ -d apidoc ] ;			\
+	then				    	\
+		rm -rf apidoc ;			\
+	fi

doxygen/input/doc_encdec.h

+/**
+ * @file
+ * Encryption/decryption module documentation file.
+ */
+
+/**
+ * @addtogroup encdec_module Encryption/decryption module
+ * 
+ * The Encryption/decryption module provides encryption/decryption functions. 
+ * One can differtiate between symmetric and asymetric algorithms; the 
+ * symmetric ones are mostly used for message confidentiality and the asymmetric 
+ * ones for key exchange and message integrity.
+ * Some symmetric algorithms provide different block cipher modes, mainly 
+ * Electronic Code Book (ECB) which is used for short (64-bit) messages and 
+ * Cipher Block Chaining (CBC) which provides the randomness needed for longer 
+ * messages. 
+ * Sometimes the same functions are used for encryption and decryption.
+ * The following algorithms are provided:
+ * - Symmetric:
+ *   - AES (see \c aes_crypt_ecb() and\c aes_crypt_cbc()).
+ *   - ARCFOUR (see \c arc4_crypt()).
+ *   - Camellia (see \c camellia_crypt_ecb() and\c camellia_crypt_cbc()).
+ *   - DES/3DES (see \c des_crypt_ecb(),\c des_crypt_cbc(),\c des3_crypt_ecb() 
+ *     and\c des3_crypt_cbc()).
+ *   - XTEA (see \c xtea_crypt_ecb()).
+ * - Asymmetric:
+ *   - Diffie-Hellman-Merkle (see \c dhm_read_public(),\c dhm_make_public() 
+ *     and \c dhm_calc_secret()).
+ *   - RSA (see \c rsa_public() and\c rsa_private()).
+ *
+ * This module provides encryption/decryption which can be used to provide 
+ * secrecy.
+ * It also provides asymmetric key functions which can be used for 
+ * confidentiality, integrity, authentication and non-repudiation. 
+ */

doxygen/input/doc_hashing.h

+/**
+ * @file
+ * Hashing module documentation file.
+ */
+
+/**
+ * @addtogroup hashing_module Hashing module
+ * 
+ * The Hashing module provides one-way hashing functions. Such functions can be
+ * used for creating a hash message authentication code (HMAC) when sending a 
+ * message. Such a HMAC can be used in combination with a private key
+ * for authentication, which is a message integrity control. 
+ * The following hashing-algorithms are provided:
+ * - MD2, MD4, MD5 128-bit one-way hash functions by Ron Rivest (see 
+ *   \c md2_hmac(),\c md4_hmac() and\c md5_hmac()).
+ * - SHA-1, SHA-256, SHA-384/512 160-bit or more one-way hash functions by 
+ *   NIST and NSA (see\c sha1_hmac(),\c sha2_hmac() and\c sha4_hmac()).
+ *
+ * This module provides one-way hashing which can be used for authentication.
+ */

doxygen/input/doc_mainpage.h

+l/**
+ * @file
+ * Main page documentation file.
+ */
+
+/**
+ * @mainpage PolarSSL v0.14.0 source code documentation
+ * 
+ * This documentation describes the internal structure of PolarSSL.  It was
+ * automatically generated from specially formatted comment blocks in
+ * PolarSSL's source code using Doxygen.  (See
+ * http://www.stack.nl/~dimitri/doxygen/ for more information on Doxygen)
+ * 
+ * PolarSSL has a simple setup: it provides the ingredients for an SSL/TLS 
+ * implementation. These ingredients are listed as modules in the 
+ * \ref mainpage_modules "Modules section". This "Modules section" introduces 
+ * the high-level module concepts used throughout this documentation.\n 
+ * Some examples of PolarSSL usage can be found in the \ref mainpage_examples
+ * "Examples section".
+ * 
+ * 
+ * @section mainpage_modules Modules
+ * 
+ * PolarSSL supports SSLv3 up to TLSv1.1 communication by providing the 
+ * following:
+ * - TCP/IP communication functions: listen, connect, accept, read/write.
+ * - SSL/TLS communication functions: init, handshake, read/write.
+ * - X.509 functions: CRT, CRL and key handling
+ * - Random number generation
+ * - Hashing
+ * - Encryption/decryption
+ *
+ * Above functions are split up neatly into logical interfaces. These can be 
+ * used separately to provide any of the above functions or to mix-and-match 
+ * into an SSL server/client solution that utilises a X.509 PKI. Examples of 
+ * such implementations are amply provided with the source code. Note that 
+ * there is also an OpenSSL wrapper provided.\n
+ * Note that PolarSSL does not provide a control channel or (multiple) session
+ * handling. 
+ *
+ * @section mainpage_examples Examples
+ * 
+ * Example server setup:
+ *
+ * \b Prerequisites: 
+ * - X.509 certificate and private key
+ * - session handling functions
+ *
+ * \b Setup:
+ * - Load your certificate and your private RSA key (X.509 interface)
+ * - Setup the listening TCP socket (TCP/IP interface)
+ * - Accept incoming client connection (TCP/IP interface)
+ * - Initialise as an SSL-server (SSL/TLS interface)
+ *   - Set parameters, e.g. authentication, ciphers, CA-chain, key exchange
+ *   - Set callback functions RNG, IO, session handling
+ * - Perform an SSL-handshake (SSL/TLS interface)
+ * - Read/write data (SSL/TLS interface)
+ * - Close and cleanup (all interfaces)
+ *
+ *
+ * Example client setup:
+ *
+ * \b Prerequisites:
+ * - X.509 certificate and private key
+ * - X.509 trusted CA certificates
+ *
+ * \b Setup:
+ * - Load the trusted CA certificates (X.509 interface)
+ * - Load your certificate and your private RSA key (X.509 interface)
+ * - Setup a TCP/IP connection (TCP/IP interface)
+ * - Initialise as an SSL-client (SSL/TLS interface)
+ *   - Set parameters, e.g. authentication mode, ciphers, CA-chain, session
+ *   - Set callback functions RNG, IO
+ * - Perform an SSL-handshake (SSL/TLS interface)
+ * - Verify the server certificate (SSL/TLS interface)
+ * - Write/read data (SSL/TLS interface)
+ * - Close and cleanup (all interfaces)
+ *
+ * 
+ */

doxygen/input/doc_rng.h

+/**
+ * @file
+ * Random number generator (RNG) module documentation file.
+ */
+
+/**
+ * @addtogroup rng_module Random number generator (RNG) module
+ * 
+ * The Random number generator (RNG) module provides random number
+ * generation, see \c havege_rand(). It uses the HAVEGE (HArdware Volatile 
+ * Entropy Gathering and Expansion) software heuristic which is claimed 
+ * to be an unpredictable or empirically strong* random number generation.
+ *
+ * \* Meaning that there seems to be no practical algorithm that can guess
+ * the next bit with a probability larger than 1/2 in an output sequence.
+ *
+ * This module can be used to generate random numbers.
+ */

doxygen/input/doc_ssltls.h

+/**
+ * @file
+ * SSL/TLS communication module documentation file.
+ */
+
+/**
+ * @addtogroup ssltls_communication_module SSL/TLS communication module
+ * 
+ * The SSL/TLS communication module provides the means to create an SSL/TLS
+ * communication channel. 
+ * The basic provisions are:
+ * - initialise an SSL/TLS context (see \c ssl_init()).
+ * - perform an SSL/TLS handshake (see \c ssl_handshake()).
+ * - read/write (see \c ssl_read() and\c ssl_write()).
+ * - notify a peer that conection is being closed (see \c ssl_close_notify()).
+ *
+ *
+ * Many aspects of such a channel are set through parameters and callback
+ * functions:
+ * - the endpoint role: client or server.
+ * - the authentication mode. Should verification take place.
+ * - the Host-to-host communication channel. A TCP/IP module is provided.
+ * - the random number generator (RNG).
+ * - the ciphers to use for encryption/decryption.
+ * - session control functions.
+ * - X.509 parameters for certificate-handling and key exchange.
+ * 
+ *
+ * This module can be used to create an SSL/TLS server and client and to provide a basic
+ * framework to setup and communicate through an SSL/TLS communication channel.\n
+ * Note that you need to provide for several aspects yourself as mentioned above.
+ */

doxygen/input/doc_tcpip.h

+/**
+ * @file
+ * TCP/IP communication module documentation file.
+ */
+
+/**
+ * @addtogroup tcpip_communication_module TCP/IP communication module
+ * 
+ * The TCP/IP communication module provides for a channel of
+ * communication for the \link ssltls_communication_module SSL/TLS communication 
+ * module\endlink to use. 
+ * In the TCP/IP-model it provides for communication up to the Transport 
+ * (or Host-to-host) layer. 
+ * SSL/TLS resides on top of that, in the Application layer, and makes use of
+ * its basic provisions:
+ * - listening on a port (see \c net_bind()).
+ * - accepting a connection (through \c net_accept()).
+ * - read/write (through \c net_recv/\c net_send()).
+ * - close a connection (through \c net_close()).
+ *
+ * This way you have the means to, for example, implement and use an UDP or 
+ * IPSec communication solution as a basis.
+ * 
+ * This module can be used at server- and clientside to provide a basic
+ * means of communication over the internet.
+ */

doxygen/input/doc_x509.h

+/**
+ * @file
+ * X.509 module documentation file.
+ */
+
+/**
+ * @addtogroup x509_module X.509 module
+ * 
+ * The X.509 module provides X.509 support which includes:
+ * - X.509 certificate (CRT) reading (see \c x509parse_crt() and
+ *   \c x509parse_crtfile()).
+ * - X.509 certificate revocation list (CRL) reading (see \c x509parse_crl()
+ *   and\c x509parse_crlfile()).
+ * - X.509 (RSA) private key reading (see \c x509parse_key() and
+ *   \c x509parse_keyfile()).
+ * - X.509 certificate signature verification (see \c x509parse_verify())
+ *
+ * This module can be used to build a certificate authority (CA) chain and
+ * verify its signature. It is also used to get a (RSA) private key for signing
+ * and decryption.
+ */

include/polarssl/aes.h

 /**
  * \file aes.h
  *
+ * \brief AES block cipher encryption
+ *
  *  Copyright (C) 2006-2010, Brainspark B.V.
  *
  *  This file is part of PolarSSL (http://www.polarssl.org)

include/polarssl/arc4.h

 /**
  * \file arc4.h
  *
+ * \brief The ARCFOUR stream cipher
+ *
  *  Copyright (C) 2006-2010, Brainspark B.V.
  *
  *  This file is part of PolarSSL (http://www.polarssl.org)

include/polarssl/base64.h

 /**
  * \file base64.h
  *
+ * \brief RFC 1521 base64 encoding/decoding
+ *
  *  Copyright (C) 2006-2010, Brainspark B.V.
  *
  *  This file is part of PolarSSL (http://www.polarssl.org)

include/polarssl/bignum.h

 /**
  * \file bignum.h
  *
+ * \brief  Multi-precision integer library
+ *
  *  Copyright (C) 2006-2010, Brainspark B.V.
  *
  *  This file is part of PolarSSL (http://www.polarssl.org)

include/polarssl/bn_mul.h

 /**
  * \file bn_mul.h
  *
+ * \brief  Multi-precision integer library
+ *
  *  Copyright (C) 2006-2010, Brainspark B.V.
  *
  *  This file is part of PolarSSL (http://www.polarssl.org)

include/polarssl/camellia.h

 /**
  * \file camellia.h
  *
+ * \brief Camellia block cipher
+ *
  *  Copyright (C) 2006-2010, Brainspark B.V.
  *
  *  This file is part of PolarSSL (http://www.polarssl.org)

include/polarssl/certs.h

 /**
  * \file certs.h
  *
+ * \brief Camellia block cipher
+ *
  *  Copyright (C) 2006-2010, Brainspark B.V.
  *
  *  This file is part of PolarSSL (http://www.polarssl.org)

include/polarssl/config.h

 /**
  * \file config.h
  *
+ * \brief Configuration options (set of defines)
+ *
  *  Copyright (C) 2006-2010, Brainspark B.V.
  *
  *  This file is part of PolarSSL (http://www.polarssl.org)

include/polarssl/debug.h

 /**
  * \file debug.h
  *
+ * \brief Debug functions
+ *
  *  Copyright (C) 2006-2010, Brainspark B.V.
  *
  *  This file is part of PolarSSL (http://www.polarssl.org)

include/polarssl/des.h

 /**
  * \file des.h
  *
+ * \brief Debug functions
+ *
  *  Copyright (C) 2006-2010, Brainspark B.V.
  *
  *  This file is part of PolarSSL (http://www.polarssl.org)

include/polarssl/dhm.h

 /**
  * \file dhm.h
  *
+ * \brief Diffie-Hellman-Merkle key exchange
+ *
  *  Copyright (C) 2006-2010, Brainspark B.V.
  *
  *  This file is part of PolarSSL (http://www.polarssl.org)
@@ -108,7 +110,7 @@ int dhm_read_public( dhm_context *ctx,
  *
  * \return         0 if successful, or an POLARSSL_ERR_DHM_XXX error code
  */
-int dhm_make_public( dhm_context *ctx, int s_size,
+int dhm_make_public( dhm_context *ctx, int x_size,
                      unsigned char *output, int olen,
                      int (*f_rng)(void *), void *p_rng );
 

include/polarssl/havege.h

 /**
  * \file havege.h
  *
+ * \brief Diffie-Hellman-Merkle key exchange
+ *
  *  Copyright (C) 2006-2010, Brainspark B.V.
  *
  *  This file is part of PolarSSL (http://www.polarssl.org)

include/polarssl/md2.h

 /**
  * \file md2.h
  *
+ * \brief MD2 message digest algorithm (hash function)
+ *
  *  Copyright (C) 2006-2010, Brainspark B.V.
  *
  *  This file is part of PolarSSL (http://www.polarssl.org)

include/polarssl/md4.h

 /**
  * \file md4.h
  *
+ * \brief MD4 message digest algorithm (hash function)
+ *
  *  Copyright (C) 2006-2010, Brainspark B.V.
  *
  *  This file is part of PolarSSL (http://www.polarssl.org)

include/polarssl/md5.h

 /**
  * \file md5.h
  *
+ * \brief MD5 message digest algorithm (hash function)
+ *
  *  Copyright (C) 2006-2010, Brainspark B.V.
  *
  *  This file is part of PolarSSL (http://www.polarssl.org)

include/polarssl/net.h

 /**
  * \file net.h
  *
+ * \brief MD5 message digest algorithm (hash function)
+ *
  *  Copyright (C) 2006-2010, Brainspark B.V.
  *
  *  This file is part of PolarSSL (http://www.polarssl.org)

include/polarssl/openssl.h

 /**
  * \file openssl.h
  *
+ * \brief OpenSSL wrapper (definitions, inline functions).
+ *
  *  Copyright (C) 2006-2010, Brainspark B.V.
  *
  *  This file is part of PolarSSL (http://www.polarssl.org)

include/polarssl/padlock.h

 /**
  * \file padlock.h
  *
+ * \brief VIA PadLock ACE for HW encryption/decryption supported by some processors
+ *
  *  Copyright (C) 2006-2010, Brainspark B.V.
  *
  *  This file is part of PolarSSL (http://www.polarssl.org)

include/polarssl/rsa.h

 /**
  * \file rsa.h
  *
+ * \brief The RSA public-key cryptosystem
+ *
  *  Copyright (C) 2006-2010, Brainspark B.V.
  *
  *  This file is part of PolarSSL (http://www.polarssl.org)

include/polarssl/sha1.h

 /**
  * \file sha1.h
  *
+ * \brief SHA-1 cryptographic hash function
+ *
  *  Copyright (C) 2006-2010, Brainspark B.V.
  *
  *  This file is part of PolarSSL (http://www.polarssl.org)

include/polarssl/sha2.h

 /**
  * \file sha2.h
  *
+ * \brief SHA-256 cryptographic hash function
+ *
  *  Copyright (C) 2006-2010, Brainspark B.V.
  *
  *  This file is part of PolarSSL (http://www.polarssl.org)

include/polarssl/sha4.h

 /**
  * \file sha4.h
  *
+ * \brief SHA-384/512 cryptographic hash function
+ *
  *  Copyright (C) 2006-2010, Brainspark B.V.
  *
  *  This file is part of PolarSSL (http://www.polarssl.org)

include/polarssl/ssl.h

 /**
  * \file ssl.h
  *
+ * \brief SSL/TLS functions.
+ *
  *  Copyright (C) 2006-2010, Brainspark B.V.
  *
  *  This file is part of PolarSSL (http://www.polarssl.org)
@@ -336,7 +338,7 @@ void ssl_set_endpoint( ssl_context *ssl, int endpoint );
  * \brief          Set the certificate verification mode
  *
  * \param ssl      SSL context
- * \param mode     can be:
+ * \param authmode can be:
  *
  *  SSL_VERIFY_NONE:      peer certificate is not checked (default),
  *                        this is insecure and SHOULD be avoided.

include/polarssl/timing.h

 /**
  * \file timing.h
  *
+ * \brief Portable interface to the CPU cycle counter
+ *
  *  Copyright (C) 2006-2010, Brainspark B.V.
  *
  *  This file is part of PolarSSL (http://www.polarssl.org)
@@ -62,7 +64,7 @@ void set_alarm( int seconds );
 /**
  * \brief          Sleep for a certain amount of time
  *
- * \param          Delay in milliseconds
+ * \param milliseconds  delay in milliseconds
  */
 void m_sleep( int milliseconds );
 

include/polarssl/x509.h

 /**
  * \file x509.h
  *
+ * \brief X.509 certificate and private key decoding
+ *
  *  Copyright (C) 2006-2010, Brainspark B.V.
  *
  *  This file is part of PolarSSL (http://www.polarssl.org)
@@ -27,59 +29,80 @@
 
 #include "polarssl/rsa.h"
 
-/*
- * ASN1 Error codes
- *
- * These error codes will be OR'ed to X509 error codes for
- * higher error granularity.
+/** 
+ * @addtogroup x509_module
+ * @{ 
  */
-#define POLARSSL_ERR_ASN1_OUT_OF_DATA                      0x0014
-#define POLARSSL_ERR_ASN1_UNEXPECTED_TAG                   0x0016
-#define POLARSSL_ERR_ASN1_INVALID_LENGTH                   0x0018
-#define POLARSSL_ERR_ASN1_LENGTH_MISMATCH                  0x001A
-#define POLARSSL_ERR_ASN1_INVALID_DATA                     0x001C
-
-/*
- * X509 Error codes
+ 
+/**
+ * @name ASN1 Error codes
+ * These error codes are OR'ed to X509 error codes for
+ * higher error granularity. 
+ * ASN1 is a standard to specify data structures.
+ * @{
  */
-#define POLARSSL_ERR_X509_FEATURE_UNAVAILABLE              -0x0020
-#define POLARSSL_ERR_X509_CERT_INVALID_PEM                 -0x0040
-#define POLARSSL_ERR_X509_CERT_INVALID_FORMAT              -0x0060
-#define POLARSSL_ERR_X509_CERT_INVALID_VERSION             -0x0080
-#define POLARSSL_ERR_X509_CERT_INVALID_SERIAL              -0x00A0
-#define POLARSSL_ERR_X509_CERT_INVALID_ALG                 -0x00C0
-#define POLARSSL_ERR_X509_CERT_INVALID_NAME                -0x00E0
-#define POLARSSL_ERR_X509_CERT_INVALID_DATE                -0x0100
-#define POLARSSL_ERR_X509_CERT_INVALID_PUBKEY              -0x0120
-#define POLARSSL_ERR_X509_CERT_INVALID_SIGNATURE           -0x0140
-#define POLARSSL_ERR_X509_CERT_INVALID_EXTENSIONS          -0x0160
-#define POLARSSL_ERR_X509_CERT_UNKNOWN_VERSION             -0x0180
-#define POLARSSL_ERR_X509_CERT_UNKNOWN_SIG_ALG             -0x01A0
-#define POLARSSL_ERR_X509_CERT_UNKNOWN_PK_ALG              -0x01C0
-#define POLARSSL_ERR_X509_CERT_SIG_MISMATCH                -0x01E0
-#define POLARSSL_ERR_X509_CERT_VERIFY_FAILED               -0x0200
-#define POLARSSL_ERR_X509_KEY_INVALID_PEM                  -0x0220
-#define POLARSSL_ERR_X509_KEY_INVALID_VERSION              -0x0240
-#define POLARSSL_ERR_X509_KEY_INVALID_FORMAT               -0x0260
-#define POLARSSL_ERR_X509_KEY_INVALID_ENC_IV               -0x0280
-#define POLARSSL_ERR_X509_KEY_UNKNOWN_ENC_ALG              -0x02A0
-#define POLARSSL_ERR_X509_KEY_PASSWORD_REQUIRED            -0x02C0
-#define POLARSSL_ERR_X509_KEY_PASSWORD_MISMATCH            -0x02E0
-#define POLARSSL_ERR_X509_POINT_ERROR                      -0x0300
-#define POLARSSL_ERR_X509_VALUE_TO_LENGTH                  -0x0320
+#define POLARSSL_ERR_ASN1_OUT_OF_DATA                      0x0014   /**< Out of data when parsing an ASN1 data structure. */
+#define POLARSSL_ERR_ASN1_UNEXPECTED_TAG                   0x0016   /**< ASN1 tag was of an unexpected value. */
+#define POLARSSL_ERR_ASN1_INVALID_LENGTH                   0x0018   /**< Error when trying to determine the length or invalid length. */
+#define POLARSSL_ERR_ASN1_LENGTH_MISMATCH                  0x001A   /**< Actual length differs from expected length. */
+#define POLARSSL_ERR_ASN1_INVALID_DATA                     0x001C   /**< Data is invalid. (not used) */
+/* @} name */
+
+/** 
+ * @name X509 Error codes
+ * @{
+ */
+#define POLARSSL_ERR_X509_FEATURE_UNAVAILABLE              -0x0020  /**< Unavailable feature, e.g. RSA hashing/encryption combination. */
+#define POLARSSL_ERR_X509_CERT_INVALID_PEM                 -0x0040  /**< The PEM-encoded certificate contains invalid elements, e.g. invalid character. */ 
+#define POLARSSL_ERR_X509_CERT_INVALID_FORMAT              -0x0060  /**< The certificate format is invalid, e.g. different type expected. */
+#define POLARSSL_ERR_X509_CERT_INVALID_VERSION             -0x0080  /**< The certificate version element is invalid. */
+#define POLARSSL_ERR_X509_CERT_INVALID_SERIAL              -0x00A0  /**< The serial tag or value is invalid. */
+#define POLARSSL_ERR_X509_CERT_INVALID_ALG                 -0x00C0  /**< The algorithm tag or value is invalid. */
+#define POLARSSL_ERR_X509_CERT_INVALID_NAME                -0x00E0  /**< The name tag or value is invalid. */
+#define POLARSSL_ERR_X509_CERT_INVALID_DATE                -0x0100  /**< The date tag or value is invalid. */
+#define POLARSSL_ERR_X509_CERT_INVALID_PUBKEY              -0x0120  /**< The pubkey tag or value is invalid (only RSA is supported). */
+#define POLARSSL_ERR_X509_CERT_INVALID_SIGNATURE           -0x0140  /**< The signature tag or value invalid. */
+#define POLARSSL_ERR_X509_CERT_INVALID_EXTENSIONS          -0x0160  /**< The extension tag or value is invalid. */
+#define POLARSSL_ERR_X509_CERT_UNKNOWN_VERSION             -0x0180  /**< Certificate or CRL has an unsupported version number. */
+#define POLARSSL_ERR_X509_CERT_UNKNOWN_SIG_ALG             -0x01A0  /**< Signature algorithm (oid) is unsupported. */
+#define POLARSSL_ERR_X509_CERT_UNKNOWN_PK_ALG              -0x01C0  /**< Public key algorithm is unsupported (only RSA is supported). */
+#define POLARSSL_ERR_X509_CERT_SIG_MISMATCH                -0x01E0  /**< Certificate signature algorithms do not match. (see \c ::x509_cert sig_oid) */
+#define POLARSSL_ERR_X509_CERT_VERIFY_FAILED               -0x0200  /**< Certificate verification failed, e.g. CRL, CA or signature check failed. */