Commit 577e006c authored by Paul Bakker's avatar Paul Bakker

Merged ECDSA-based key-exchange and ciphersuites into development

Conflicts:
	include/polarssl/config.h
	library/ssl_cli.c
	library/ssl_srv.c
	library/ssl_tls.c
parents a0f07478 70064fd7
......@@ -363,6 +363,28 @@
*/
#define POLARSSL_KEY_EXCHANGE_ECDHE_RSA_ENABLED
/**
* \def POLARSSL_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED
*
* Enable the ECDHE-ECDSA based ciphersuite modes in SSL / TLS
*
* Requires: POLARSSL_ECDH_C, POLARSSL_ECDSA_C, POLARSSL_X509_PARSE_C
*
* This enables the following ciphersuites (if other requisites are
* enabled as well):
* TLS_ECDHE_ECDSA_WITH_RC4_128_SHA,
* TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA,
* TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,
* TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,
* TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256,
* TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384,
* TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
* TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
* TLS_ECDHE_ECDSA_WITH_CAMELLIA_128_CBC_SHA256,
* TLS_ECDHE_ECDSA_WITH_CAMELLIA_256_CBC_SHA384,
*/
#define POLARSSL_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED
/**
* \def POLARSSL_ERROR_STRERROR_BC
*
......@@ -1128,6 +1150,21 @@
*/
#define POLARSSL_PEM_C
/**
* \def POLARSSL_PK_C
*
* Enable the generic public (asymetric) key layer.
*
* Module: library/pk.c
* Caller: library/x509parse.c
* library/ssl_tls.c
* library/ssl_cli.c
* library/ssl_srv.c
*
* Uncomment to enable generic public key wrappers.
*/
#define POLARSSL_PK_C
/**
* \def POLARSSL_PKCS5_C
*
......@@ -1146,11 +1183,10 @@
*
* Enable wrapper for PKCS#11 smartcard support.
*
* Module: library/ssl_srv.c
* Caller: library/ssl_cli.c
* library/ssl_srv.c
* Module: library/pkcs11.c
* Caller: library/pk.c
*
* Requires: POLARSSL_SSL_TLS_C
* Requires: POLARSSL_PK_C
*
* This module enables SSL/TLS PKCS #11 smartcard support.
* Requires the presence of the PKCS#11 helper library (libpkcs11-helper)
......@@ -1283,8 +1319,8 @@
* Caller: library/ssl_cli.c
* library/ssl_srv.c
*
* Requires: POLARSSL_CIPHER_C and at least one of the
* POLARSSL_SSL_PROTO_* defines
* Requires: POLARSSL_CIPHER_C, POLARSSL_PK_C, POLARSSL_MD_C
* and at least one of the POLARSSL_SSL_PROTO_* defines
*
* This module is required for SSL/TLS.
*/
......@@ -1324,7 +1360,7 @@
* library/ssl_tls.c
*
* Requires: POLARSSL_ASN1_PARSE_C, POLARSSL_BIGNUM_C, POLARSSL_OID_C,
* POLARSSL_RSA_C
* POLARSSL_PK_C
*
* This module is required for X.509 certificate parsing.
*/
......@@ -1477,6 +1513,12 @@
#error "POLARSSL_KEY_EXCHANGE_ECDHE_RSA_ENABLED defined, but not all prerequisites"
#endif
#if defined(POLARSSL_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED) && \
( !defined(POLARSSL_ECDH_C) || !defined(POLARSSL_ECDSA_C) || \
!defined(POLARSSL_X509_PARSE_C) )
#error "POLARSSL_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED defined, but not all prerequisites"
#endif
#if defined(POLARSSL_KEY_EXCHANGE_RSA_PSK_ENABLED) && \
( !defined(POLARSSL_RSA_C) || !defined(POLARSSL_X509_PARSE_C) )
#error "POLARSSL_KEY_EXCHANGE_RSA_PSK_ENABLED defined, but not all prerequisites"
......@@ -1499,7 +1541,7 @@
#error "POLARSSL_PEM_C defined, but not all prerequisites"
#endif
#if defined(POLARSSL_PKCS11_C) && !defined(POLARSSL_SSL_TLS_C)
#if defined(POLARSSL_PKCS11_C) && !defined(POLARSSL_PK_C)
#error "POLARSSL_PKCS11_C defined, but not all prerequisites"
#endif
......@@ -1512,7 +1554,8 @@
#error "POLARSSL_SSL_CLI_C defined, but not all prerequisites"
#endif
#if defined(POLARSSL_SSL_TLS_C) && !defined(POLARSSL_CIPHER_C)
#if defined(POLARSSL_SSL_TLS_C) && ( !defined(POLARSSL_CIPHER_C) || \
!defined(POLARSSL_PK_C) || !defined(POLARSSL_MD_C) )
#error "POLARSSL_SSL_TLS_C defined, but not all prerequisites"
#endif
......@@ -1549,7 +1592,7 @@
#if defined(POLARSSL_X509_PARSE_C) && ( !defined(POLARSSL_BIGNUM_C) || \
!defined(POLARSSL_OID_C) || !defined(POLARSSL_ASN1_PARSE_C) || \
!defined(POLARSSL_RSA_C) )
!defined(POLARSSL_PK_C) )
#error "POLARSSL_X509_PARSE_C defined, but not all prerequisites"
#endif
......
......@@ -34,8 +34,9 @@
*/
#define POLARSSL_ERR_ECP_BAD_INPUT_DATA -0x4F80 /**< Bad input parameters to function. */
#define POLARSSL_ERR_ECP_BUFFER_TOO_SMALL -0x4F00 /**< The buffer is too small to write to. */
#define POLARSSL_ERR_ECP_GENERIC -0x4E80 /**< Generic ECP error */
#define POLARSSL_ERR_ECP_GENERIC -0x4E80 /**< Generic ECP error. */
#define POLARSSL_ERR_ECP_FEATURE_UNAVAILABLE -0x4E00 /**< Requested curve not available. */
#define POLARSSL_ERR_ECP_VERIFY_FAILED -0x4E00 /**< The signature is not valid. */
#ifdef __cplusplus
extern "C" {
......
......@@ -82,6 +82,7 @@ typedef enum {
POLARSSL_PK_ECKEY,
POLARSSL_PK_ECKEY_DH,
POLARSSL_PK_ECDSA,
POLARSSL_PK_RSA_ALT,
} pk_type_t;
/**
......@@ -129,6 +130,25 @@ typedef struct
const unsigned char *hash, size_t hash_len,
const unsigned char *sig, size_t sig_len );
/** Make signature */
int (*sign_func)( void *ctx, md_type_t md_alg,
const unsigned char *hash, size_t hash_len,
unsigned char *sig, size_t *sig_len,
int (*f_rng)(void *, unsigned char *, size_t),
void *p_rng );
/** Decrypt message */
int (*decrypt_func)( void *ctx, const unsigned char *input, size_t ilen,
unsigned char *output, size_t *olen, size_t osize,
int (*f_rng)(void *, unsigned char *, size_t),
void *p_rng );
/** Encrypt message */
int (*encrypt_func)( void *ctx, const unsigned char *input, size_t ilen,
unsigned char *output, size_t *olen, size_t osize,
int (*f_rng)(void *, unsigned char *, size_t),
void *p_rng );
/** Allocate a new context */
void * (*ctx_alloc_func)( void );
......@@ -149,6 +169,18 @@ typedef struct
void * pk_ctx; /**< Underlying public key context */
} pk_context;
/**
* \brief Types for RSA-alt abstraction
*/
typedef int (*pk_rsa_alt_decrypt_func)( void *ctx, int mode, size_t *olen,
const unsigned char *input, unsigned char *output,
size_t output_max_len );
typedef int (*pk_rsa_alt_sign_func)( void *ctx,
int (*f_rng)(void *, unsigned char *, size_t), void *p_rng,
int mode, int hash_id, unsigned int hashlen,
const unsigned char *hash, unsigned char *sig );
typedef size_t (*pk_rsa_alt_key_len_func)( void *ctx );
/**
* \brief Return information associated with the given PK type
*
......@@ -163,6 +195,11 @@ const pk_info_t *pk_info_from_type( pk_type_t pk_type );
*/
void pk_init( pk_context *ctx );
/**
* \brief Free a pk_context
*/
void pk_free( pk_context *ctx );
/**
* \brief Initialize a PK context with the information given
* and allocates the type-specific PK subcontext.
......@@ -173,13 +210,30 @@ void pk_init( pk_context *ctx );
* \return 0 on success,
* POLARSSL_ERR_PK_BAD_INPUT_DATA on invalid input,
* POLARSSL_ERR_PK_MALLOC_FAILED on allocation failure.
*
* \note For contexts holding an RSA-alt key, use
* \c pk_init_ctx_rsa_alt() instead.
*/
int pk_init_ctx( pk_context *ctx, const pk_info_t *info );
/**
* \brief Free a pk_context
* \brief Initialiaze an RSA-alt context
*
* \param ctx Context to initialize. Must be empty (type NONE).
* \param key RSA key pointer
* \param decrypt_func Decryption function
* \param sign_func Signing function
* \param key_len_func Function returning key length
*
* \return 0 on success, or POLARSSL_ERR_PK_BAD_INPUT_DATA if the
* context wasn't already initialized as RSA_ALT.
*
* \note This function replaces \c pk_init_ctx() for RSA-alt.
*/
void pk_free( pk_context *ctx );
int pk_init_ctx_rsa_alt( pk_context *ctx, void * key,
pk_rsa_alt_decrypt_func decrypt_func,
pk_rsa_alt_sign_func sign_func,
pk_rsa_alt_key_len_func key_len_func );
/**
* \brief Get the size in bits of the underlying key
......@@ -190,6 +244,17 @@ void pk_free( pk_context *ctx );
*/
size_t pk_get_size( const pk_context *ctx );
/**
* \brief Get the length in bytes of the underlying key
* \param ctx Context to use
*
* \return Key lenght in bytes, or 0 on error
*/
static inline size_t pk_get_len( const pk_context *ctx )
{
return( ( pk_get_size( ctx ) + 7 ) / 8 );
}
/**
* \brief Tell if a context can do the operation given by type
*
......@@ -205,19 +270,82 @@ int pk_can_do( pk_context *ctx, pk_type_t type );
* \brief Verify signature
*
* \param ctx PK context to use
* \param md_alg Hash algorithm used
* \param md_alg Hash algorithm used (see notes)
* \param hash Hash of the message to sign
* \param hash_len Hash length
* \param hash_len Hash length or 0 (see notes)
* \param sig Signature to verify
* \param sig_len Signature length
*
* \return 0 on success (signature is valid),
* or a specific error code.
*
* \note If hash_len is 0, then the length associated with md_alg
* is used instead, or an error returned if it is invalid.
*
* \note md_alg may be POLARSSL_MD_NONE, only if hash_len != 0
*/
int pk_verify( pk_context *ctx, md_type_t md_alg,
const unsigned char *hash, size_t hash_len,
const unsigned char *sig, size_t sig_len );
/**
* \brief Make signature
*
* \param ctx PK context to use
* \param md_alg Hash algorithm used (see notes)
* \param hash Hash of the message to sign
* \param hash_len Hash length or 0 (see notes)
* \param sig Place to write the signature
* \param sig_len Number of bytes written
* \param f_rng RNG function
* \param p_rng RNG parameter
*
* \return 0 on success, or a specific error code.
*
* \note If hash_len is 0, then the length associated with md_alg
* is used instead, or an error returned if it is invalid.
*
* \note md_alg may be POLARSSL_MD_NONE, only if hash_len != 0
*/
int pk_sign( pk_context *ctx, md_type_t md_alg,
const unsigned char *hash, size_t hash_len,
unsigned char *sig, size_t *sig_len,
int (*f_rng)(void *, unsigned char *, size_t), void *p_rng );
/**
* \brief Decrypt message
*
* \param ctx PK context to use
* \param input Input to decrypt
* \param ilen Input size
* \param output Decrypted output
* \param olen Decrypted message lenght
* \param osize Size of the output buffer
*
* \return 0 on success, or a specific error code.
*/
int pk_decrypt( pk_context *ctx,
const unsigned char *input, size_t ilen,
unsigned char *output, size_t *olen, size_t osize,
int (*f_rng)(void *, unsigned char *, size_t), void *p_rng );
/**
* \brief Encrypt message
*
* \param ctx PK context to use
* \param input Message to encrypt
* \param ilen Message size
* \param output Encrypted output
* \param olen Encrypted output length
* \param osize Size of the output buffer
*
* \return 0 on success, or a specific error code.
*/
int pk_encrypt( pk_context *ctx,
const unsigned char *input, size_t ilen,
unsigned char *output, size_t *olen, size_t osize,
int (*f_rng)(void *, unsigned char *, size_t), void *p_rng );
/**
* \brief Export debug information
*
......
......@@ -32,6 +32,15 @@
#include "pk.h"
/* Container for RSA-alt */
typedef struct
{
void *key;
pk_rsa_alt_decrypt_func decrypt_func;
pk_rsa_alt_sign_func sign_func;
pk_rsa_alt_key_len_func key_len_func;
} rsa_alt_context;
#if defined(POLARSSL_RSA_C)
extern const pk_info_t rsa_info;
#endif
......@@ -45,4 +54,6 @@ extern const pk_info_t eckeydh_info;
extern const pk_info_t ecdsa_info;
#endif
extern const pk_info_t rsa_alt_info;
#endif /* POLARSSL_PK_WRAP_H */
......@@ -29,8 +29,6 @@
#include "config.h"
#if defined(POLARSSL_RSA_C)
#include "bignum.h"
#include "md.h"
......@@ -59,6 +57,12 @@
#define RSA_SIGN 1
#define RSA_CRYPT 2
/*
* The above constants may be used even if the RSA module is compile out,
* eg for alternative (PKCS#11) RSA implemenations in the PK layers.
*/
#if defined(POLARSSL_RSA_C)
#ifdef __cplusplus
extern "C" {
#endif
......
......@@ -244,6 +244,7 @@
/*
* Supported Signature and Hash algorithms (For TLS 1.2)
* RFC 5246 section 7.4.1.4.1
*/
#define SSL_HASH_NONE 0
#define SSL_HASH_MD5 1
......@@ -253,12 +254,16 @@
#define SSL_HASH_SHA384 5
#define SSL_HASH_SHA512 6
#define SSL_SIG_ANON 0
#define SSL_SIG_RSA 1
#define SSL_SIG_ECDSA 3
/*
* Client Certificate Types
* RFC 5246 section 7.4.4 plus RFC 4492 section 5.5
*/
#define SSL_CERT_TYPE_RSA_SIGN 1
#define SSL_CERT_TYPE_ECDSA_SIGN 64
/*
* Message, alert and handshake types
......@@ -453,9 +458,9 @@ struct _ssl_transform
md_context_t md_ctx_enc; /*!< MAC (encryption) */
md_context_t md_ctx_dec; /*!< MAC (decryption) */
/* 151 == 604 bytes is size of gcm_context (largest context in PolarSSL) */
uint32_t ctx_enc[151]; /*!< encryption context */
uint32_t ctx_dec[151]; /*!< decryption context */
/* 154 == 616 bytes is size of gcm_context (largest context in PolarSSL) */
uint32_t ctx_enc[154]; /*!< encryption context */
uint32_t ctx_dec[154]; /*!< decryption context */
/*
* Session specific compression layer
......@@ -638,12 +643,8 @@ struct _ssl_context
/*
* PKI layer
*/
#if defined(POLARSSL_RSA_C)
void *rsa_key; /*!< own RSA private key */
rsa_decrypt_func rsa_decrypt; /*!< function for RSA decrypt*/
rsa_sign_func rsa_sign; /*!< function for RSA sign */
rsa_key_len_func rsa_key_len; /*!< function for RSA key len*/
#endif /* POLARSSL_RSA_C */
pk_context *pk_key; /*!< own private key */
int pk_key_own_alloc; /*!< did we allocate pk_key? */
#if defined(POLARSSL_X509_PARSE_C)
x509_cert *own_cert; /*!< own X.509 certificate */
......@@ -965,13 +966,31 @@ void ssl_set_ca_chain( ssl_context *ssl, x509_cert *ca_chain,
*
* \param ssl SSL context
* \param own_cert own public certificate chain
* \param rsa_key own private RSA key
* \param pk_key own private key
*/
void ssl_set_own_cert( ssl_context *ssl, x509_cert *own_cert,
rsa_context *rsa_key );
pk_context *pk_key );
#if defined(POLARSSL_RSA_C)
/**
* \brief Set own certificate and alternate non-PolarSSL private
* \brief Set own certificate chain and private RSA key
*
* Note: own_cert should contain IN order from the bottom
* up your certificate chain. The top certificate (self-signed)
* can be omitted.
*
* \param ssl SSL context
* \param own_cert own public certificate chain
* \param rsa_key own private RSA key
*
* \return 0 on success, or a specific error code.
*/
int ssl_set_own_cert_rsa( ssl_context *ssl, x509_cert *own_cert,
rsa_context *rsa_key );
#endif /* POLARSSL_RSA_C */
/**
* \brief Set own certificate and alternate non-PolarSSL RSA private
* key and handling callbacks, such as the PKCS#11 wrappers
* or any other external private key handler.
* (see the respective RSA functions in rsa.h for documentation
......@@ -988,12 +1007,14 @@ void ssl_set_own_cert( ssl_context *ssl, x509_cert *own_cert,
* \param rsa_decrypt_func alternate implementation of \c rsa_pkcs1_decrypt()
* \param rsa_sign_func alternate implementation of \c rsa_pkcs1_sign()
* \param rsa_key_len_func function returning length of RSA key in bytes
*
* \return 0 on success, or a specific error code.
*/
void ssl_set_own_cert_alt( ssl_context *ssl, x509_cert *own_cert,
void *rsa_key,
rsa_decrypt_func rsa_decrypt,
rsa_sign_func rsa_sign,
rsa_key_len_func rsa_key_len );
int ssl_set_own_cert_alt( ssl_context *ssl, x509_cert *own_cert,
void *rsa_key,
rsa_decrypt_func rsa_decrypt,
rsa_sign_func rsa_sign,
rsa_key_len_func rsa_key_len );
#endif /* POLARSSL_X509_PARSE_C */
#if defined(POLARSSL_KEY_EXCHANGE_PSK_ENABLED)
......@@ -1435,6 +1456,10 @@ int ssl_write_finished( ssl_context *ssl );
void ssl_optimize_checksum( ssl_context *ssl, const ssl_ciphersuite_t *ciphersuite_info );
unsigned char ssl_sig_from_pk( pk_context *pk );
pk_type_t ssl_pk_alg_from_sig( unsigned char sig );
md_type_t ssl_md_alg_from_hash( unsigned char hash );
#ifdef __cplusplus
}
#endif
......
......@@ -27,6 +27,7 @@
#ifndef POLARSSL_SSL_CIPHERSUITES_H
#define POLARSSL_SSL_CIPHERSUITES_H
#include "pk.h"
#include "cipher.h"
#include "md.h"
......@@ -119,18 +120,33 @@ extern "C" {
#define TLS_RSA_WITH_CAMELLIA_256_CBC_SHA256 0xC0 /**< TLS 1.2 */
#define TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA256 0xC4 /**< TLS 1.2 */
#define TLS_ECDHE_ECDSA_WITH_NULL_SHA 0xC006 /**< Weak! */
#define TLS_ECDHE_ECDSA_WITH_RC4_128_SHA 0xC007 /**< Not in SSL3! */
#define TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA 0xC008 /**< Not in SSL3! */
#define TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA 0xC009 /**< Not in SSL3! */
#define TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA 0xC00A /**< Not in SSL3! */
#define TLS_ECDHE_RSA_WITH_NULL_SHA 0xC010 /**< Weak! */
#define TLS_ECDHE_RSA_WITH_RC4_128_SHA 0xC011 /**< Not in SSL3! */
#define TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA 0xC012 /**< Not in SSL3! */
#define TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA 0xC013 /**< Not in SSL3! */
#define TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA 0xC014 /**< Not in SSL3! */
#define TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 0xC023 /**< TLS 1.2 */
#define TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384 0xC024 /**< TLS 1.2 */
#define TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 0xC027 /**< TLS 1.2 */
#define TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 0xC028 /**< TLS 1.2 */
#define TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 0xC02B /**< TLS 1.2 */
#define TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 0xC02C /**< TLS 1.2 */
#define TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 0xC02F /**< TLS 1.2 */
#define TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 0xC030 /**< TLS 1.2 */
#define TLS_ECDHE_ECDSA_WITH_CAMELLIA_128_CBC_SHA256 0xC072 /**< TLS 1.2 */
#define TLS_ECDHE_ECDSA_WITH_CAMELLIA_256_CBC_SHA384 0xC073 /**< TLS 1.2 */
#define TLS_ECDHE_RSA_WITH_CAMELLIA_128_CBC_SHA256 0xC076 /**< TLS 1.2 */
#define TLS_ECDHE_RSA_WITH_CAMELLIA_256_CBC_SHA384 0xC077 /**< TLS 1.2 */
......@@ -146,6 +162,7 @@ typedef enum {
POLARSSL_KEY_EXCHANGE_RSA,
POLARSSL_KEY_EXCHANGE_DHE_RSA,
POLARSSL_KEY_EXCHANGE_ECDHE_RSA,
POLARSSL_KEY_EXCHANGE_ECDHE_ECDSA,
POLARSSL_KEY_EXCHANGE_PSK,
POLARSSL_KEY_EXCHANGE_DHE_PSK,
POLARSSL_KEY_EXCHANGE_RSA_PSK,
......@@ -181,6 +198,8 @@ const int *ssl_ciphersuites_list( void );
const ssl_ciphersuite_t *ssl_ciphersuite_from_string( const char *ciphersuite_name );
const ssl_ciphersuite_t *ssl_ciphersuite_from_id( int ciphersuite_id );
pk_type_t ssl_get_ciphersuite_sig_pk_alg( const ssl_ciphersuite_t *info );
#ifdef __cplusplus
}
#endif
......
......@@ -1980,7 +1980,7 @@ cleanup:
return( ret );
}
#endif
#endif /* POLARSSL_GENPRIME */
#if defined(POLARSSL_SELF_TEST)
......@@ -2092,7 +2092,6 @@ int mpi_self_test( int verbose )
if( verbose != 0 )
printf( "passed\n" );
#if defined(POLARSSL_GENPRIME)
MPI_CHK( mpi_inv_mod( &X, &A, &N ) );
MPI_CHK( mpi_read_string( &U, 16,
......@@ -2113,7 +2112,6 @@ int mpi_self_test( int verbose )
if( verbose != 0 )
printf( "passed\n" );
#endif
if( verbose != 0 )
printf( " MPI test #5 (simple gcd): " );
......
......@@ -27,6 +27,77 @@
#if defined(POLARSSL_CERTS_C)
#if defined(POLARSSL_ECDSA_C)
const char test_ca_crt[] =
"-----BEGIN CERTIFICATE-----\r\n"
"MIICEjCCAbmgAwIBAgIJAK1CeXaecvbhMAkGByqGSM49BAEwPjELMAkGA1UEBhMC\r\n"
"TkwxETAPBgNVBAoTCFBvbGFyU1NMMRwwGgYDVQQDExNQb2xhcnNzbCBUZXN0IEVD\r\n"
"IENBMB4XDTEzMDgwOTA3NDk0NloXDTIzMDgwNzA3NDk0NlowPjELMAkGA1UEBhMC\r\n"
"TkwxETAPBgNVBAoTCFBvbGFyU1NMMRwwGgYDVQQDExNQb2xhcnNzbCBUZXN0IEVD\r\n"
"IENBMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAElrizLPspIX2+kNvC+BOpJnw1\r\n"
"9tnAi5nsUnt8r6N+KDybdaVUWmLIqZCrjuaGKwOdOZtl/bBp8KOpLZ4UDujV/qOB\r\n"
"oDCBnTAdBgNVHQ4EFgQUvEDvue6auzY54S2porosu6a9EHEwbgYDVR0jBGcwZYAU\r\n"
"vEDvue6auzY54S2porosu6a9EHGhQqRAMD4xCzAJBgNVBAYTAk5MMREwDwYDVQQK\r\n"
"EwhQb2xhclNTTDEcMBoGA1UEAxMTUG9sYXJzc2wgVGVzdCBFQyBDQYIJAK1CeXae\r\n"
"cvbhMAwGA1UdEwQFMAMBAf8wCQYHKoZIzj0EAQNIADBFAiBs5rd9NzQs/wQZVS6D\r\n"
"rjpOpzFteqBkqe6YgKWkG5kDVwIhAKr4Lr4v+MU1G5D5oSZXYxvUPBa4yARcD7QM\r\n"
"espQnlFX\r\n"
"-----END CERTIFICATE-----\r\n";
const char test_ca_key[] =
"-----BEGIN EC PRIVATE KEY-----\r\n"
"Proc-Type: 4,ENCRYPTED\r\n"
"DEK-Info: AES-128-CBC,2A7435F5137D68C6402DB35E5BFD277A\r\n"
"\r\n"
"Sw5YgGVvNxXMvnGKYPuUqiDfjXhK/VTQ6dE9+33jwobKJvqR4pIrelw5QbJ5MCi2\r\n"
"dRGEMi4hT+EiS1UZtagqYUQyYZegZB48eoSRySsfW3kqQ4aG99+4iDLCY+JhICs9\r\n"
"aZdJhyUSOy2KRnFN/ZUy/Hvlsy10dw/Cp73TpJZmTz4=\r\n"
"-----END EC PRIVATE KEY-----\r\n";
const char test_ca_pwd[] = "PolarSSLTest";
const char test_srv_crt[] =
"-----BEGIN CERTIFICATE-----\r\n"
"MIIB7TCCAZSgAwIBAgIBAzAJBgcqhkjOPQQBMD4xCzAJBgNVBAYTAk5MMREwDwYD\r\n"
"VQQKEwhQb2xhclNTTDEcMBoGA1UEAxMTUG9sYXJzc2wgVGVzdCBFQyBDQTAeFw0x\r\n"
"MzA4MDkwNzU3NDBaFw0yMzA4MDcwNzU3NDBaMDQxCzAJBgNVBAYTAk5MMREwDwYD\r\n"
"VQQKEwhQb2xhclNTTDESMBAGA1UEAxMJbG9jYWxob3N0MEkwEwYHKoZIzj0CAQYI\r\n"
"KoZIzj0DAQEDMgAEy0Lh3ZfhEwBiC8jmJfEg8NGxCDqHEtz+hPgYs37hDz9wTOoY\r\n"
"+CJDtEUcDedgFCpqo4GdMIGaMAkGA1UdEwQCMAAwHQYDVR0OBBYEFKItALYotNzi\r\n"
"cfBPd7LwETtkYmdBMG4GA1UdIwRnMGWAFLxA77numrs2OeEtqaK6LLumvRBxoUKk\r\n"
"QDA+MQswCQYDVQQGEwJOTDERMA8GA1UEChMIUG9sYXJTU0wxHDAaBgNVBAMTE1Bv\r\n"
"bGFyc3NsIFRlc3QgRUMgQ0GCCQCtQnl2nnL24TAJBgcqhkjOPQQBA0gAMEUCIE/J\r\n"
"rb3TrYL+z1OsZ2rtCmji7hrPj570X4Qkm1Pb5QEvAiEAiq46sM0+1DSAU0u8FcuL\r\n"
"jbRvSP9W7EJjb9QR3zNYbX4=\r\n"
"-----END CERTIFICATE-----\r\n";
const char test_srv_key[] =
"-----BEGIN EC PRIVATE KEY-----\r\n"
"MF8CAQEEGO82j8OXBoUhVyauCA8XZ288l595u7BXWqAKBggqhkjOPQMBAaE0AzIA\r\n"
"BMtC4d2X4RMAYgvI5iXxIPDRsQg6hxLc/oT4GLN+4Q8/cEzqGPgiQ7RFHA3nYBQq\r\n"
"ag==\r\n"
"-----END EC PRIVATE KEY-----\r\n";
const char test_cli_crt[] =
"-----BEGIN CERTIFICATE-----\r\n"
"MIIBUjCB+gIBEjAJBgcqhkjOPQQBMD4xCzAJBgNVBAYTAk5MMREwDwYDVQQKEwhQ\r\n"
"b2xhclNTTDEcMBoGA1UEAxMTUG9sYXJzc2wgVGVzdCBFQyBDQTAeFw0xMzA4MjIx\r\n"
"NDQyMTdaFw0yMzA4MjAxNDQyMTdaMD8xCzAJBgNVBAYTAk5MMREwDwYDVQQKEwhQ\r\n"
"b2xhclNTTDEdMBsGA1UEAxMUUG9sYXJTU0wgVGVzdCBDbGllbnQwSTATBgcqhkjO\r\n"
"PQIBBggqhkjOPQMBAQMyAATnnXkhKuPh1tou3B+DV9lyE4IlISuYVm86E776WBm5\r\n"
"+hNTqK0AaV6gqEL/XdLEGVwwCQYHKoZIzj0EAQNIADBFAiEA/xaze0PZk51nJJSR\r\n"
"Z5SmN9VlzqgN2aSmL4JQRPzjDr0CIFOmuwP8WRdPUJvXh7NQgvl4kW3xkcrmfd6a\r\n"
"zJbBMLxH\r\n"
"-----END CERTIFICATE-----\r\n";
const char test_cli_key[] =
"-----BEGIN EC PRIVATE KEY-----\r\n"
"MF8CAQEEGCTQxP5vTfEwCWdeLdPqgGQ4AuxGG3gPA6AKBggqhkjOPQMBAaE0AzIA\r\n"
"BOedeSEq4+HW2i7cH4NX2XITgiUhK5hWbzoTvvpYGbn6E1OorQBpXqCoQv9d0sQZ\r\n"
"XA==\r\n"
"-----END EC PRIVATE KEY-----\r\n";
#else /* !POLARSSL_ECDSA_C, so POLARSSL_RSA_C */
const char test_ca_crt[] =
"-----BEGIN CERTIFICATE-----\r\n"
"MIIDhzCCAm+gAwIBAgIBADANBgkqhkiG9w0BAQUFADA7MQswCQYDVQQGEwJOTDER\r\n"
......@@ -123,7 +194,7 @@ const char test_srv_key[] =
"oArQJGgkAdaq0pcTyOIjtTQVMFygdVmCEJmxh/3RutPcTeydqW9fphKDMej32J8e\r\n"
"GniGmNGiclbcfNOS8E5TGp445yZb9P1+7AHng16bGg3Ykj5EA4G+HCcCgYEAyHAl\r\n"
"//ekk8YjQElm+8izLtFkymIK0aCtEe9C/RIRhFYBeFaotC5dStNhBOncn4ovMAPD\r\n"
"lX/92yDi9OP8PPLN3a4B9XpW3k/SS5GrbT5cwOivBHNllZSmu/2qz5WPGcjVCOrB\r\n"
"Lx/92YdI9op8ppln3a4B9XpW3k/SS5GrbT5cwOivBHNllZSmu/2qz5WPGcjVCOrB\r\n"
"LYl3YWr2h3EGKICT03kEoTkiDBvCeOpW7cCGl2cCgYBD5whoXHz1+ptPlI4YVjZt\r\n"
"Xh86aU+ajpVPiEyJ84I6xXmO4SZXv8q6LaycR0ZMbcL+zBelMb4Z2nBv7jNrtuR7\r\n"
"ZF28cdPv+YVr3esaybZE/73VjXup4SQPH6r3l7qKTVi+y6+FeJ4b2Xn8/MwgnT23\r\n"
......@@ -185,6 +256,7 @@ const char test_cli_key[] =
"bHFVW2r0dBTqegP2/KTOxKzaHfC1qf0RGDsUoJCNJrd1cwoCLG8P2EF4w3OBrKqv\r\n"
"8u4ytY0F+Vlanj5lm3TaoHSVF1+NWPyOTiwevIECGKwSxvlki4fDAA==\r\n"
"-----END RSA PRIVATE KEY-----\r\n";
#endif /* !POLARSSL_ECDSA_C, so POLARSSL_RSA_C */
const char test_dhm_params[] =
"-----BEGIN DH PARAMETERS-----\r\n"
......@@ -193,4 +265,4 @@ const char test_dhm_params[] =
"9mLJKudlVudV0Qxk5qUJaPZ/xupz0NyoVpviuiBOI1gNi8ovSXWzAgEC\r\n"
"-----END DH PARAMETERS-----\r\n";
#endif
#endif /* POLARSSL_CERTS_C */
......@@ -134,7 +134,7 @@ int ecdsa_verify( const ecp_group *grp,
if( mpi_cmp_int( r, 1 ) < 0 || mpi_cmp_mpi( r, &grp->N ) >= 0 ||
mpi_cmp_int( s, 1 ) < 0 || mpi_cmp_mpi( s, &grp->N ) >= 0 )
{
ret = POLARSSL_ERR_ECP_BAD_INPUT_DATA;
ret = POLARSSL_ERR_ECP_VERIFY_FAILED;
goto cleanup;
}
......@@ -168,7 +168,7 @@ int ecdsa_verify( const ecp_group *grp,
if( ecp_is_zero( &R ) )
{
ret = POLARSSL_ERR_ECP_BAD_INPUT_DATA;
ret = POLARSSL_ERR_ECP_VERIFY_FAILED;
goto cleanup;
}
......@@ -177,7 +177,7 @@ int ecdsa_verify( const ecp_group *grp,
*/
if( mpi_cmp_mpi( &R.X, r ) != 0 )
{
ret = POLARSSL_ERR_ECP_BAD_INPUT_DATA;
ret = POLARSSL_ERR_ECP_VERIFY_FAILED;
goto cleanup;
}
......
......@@ -251,7 +251,7 @@ void polarssl_strerror( int ret, char *buf, size_t buflen )
if( use_ret == -(POLARSSL_ERR_PK_MALLOC_FAILED) )
snprintf( buf, buflen, "PK - Memory alloation failed" );
if( use_ret == -(POLARSSL_ERR_PK_TYPE_MISMATCH) )
snprintf( buf, buflen, "PK - Type mismatch, eg attempt to use a RSA key as EC, or to modify key type" );
snprintf( buf, buflen, "PK - Type mismatch, eg attempt to encrypt with an ECDSA key" );
if( use_ret == -(POLARSSL_ERR_PK_BAD_INPUT_DATA) )
snprintf( buf, buflen, "PK - Bad input parameters to function" );
#endif /* POLARSSL_PK_C */
......
......@@ -25,6 +25,8 @@
#include "polarssl/config.h"
#if defined(POLARSSL_PK_C)
#include "polarssl/pk.h"
#include "polarssl/pk_wrap.h"
......@@ -84,6 +86,7 @@ const pk_info_t * pk_info_from_type( pk_type_t pk_type )
case POLARSSL_PK_ECDSA:
return &ecdsa_info;
#endif
/* POLARSSL_PK_RSA_ALT ommited on purpose */
default:
return NULL;
}
......@@ -105,6 +108,35 @@ int pk_init_ctx( pk_context *ctx, const pk_info_t *info )
return( 0 );
}
/*
* Initialize an RSA-alt context
*/
int pk_init_ctx_rsa_alt( pk_context *ctx, void * key,
pk_rsa_alt_decrypt_func decrypt_func,
pk_rsa_alt_sign_func sign_func,
pk_rsa_alt_key_len_func key_len_func )
{
rsa_alt_context *rsa_alt;
const pk_info_t *info = &rsa_alt_info;
if( ctx == NULL || ctx->pk_info != NULL )
return( POLARSSL_ERR_PK_BAD_INPUT_DATA );
if( ( ctx->pk_ctx = info->ctx_alloc_func() ) == NULL )
return( POLARSSL_ERR_PK_MALLOC_FAILED );
ctx->pk_info = info;
rsa_alt = (rsa_alt_context