indent has problems with comments that are on the right hand side of a line.

Sometimes it fails to format them very well, and sometimes it corrupts them!
This commit moves some particularly problematic ones.

Reviewed-by: Tim Hudson <tjh@openssl.org>
This commit is contained in:
Matt Caswell 2015-01-21 11:09:58 +00:00
parent 0107079e5f
commit dbd87ffc21
35 changed files with 539 additions and 298 deletions

View file

@ -2209,7 +2209,9 @@ static void print_stuff(BIO *bio, SSL *s, int full)
if (peer != NULL) if (peer != NULL)
{ {
BIO_printf(bio,"Server certificate\n"); BIO_printf(bio,"Server certificate\n");
if (!(c_showcerts && got_a_chain)) /* Redundant if we showed the whole chain */
/* Redundant if we showed the whole chain */
if (!(c_showcerts && got_a_chain))
PEM_write_bio_X509(bio,peer); PEM_write_bio_X509(bio,peer);
X509_NAME_oneline(X509_get_subject_name(peer), X509_NAME_oneline(X509_get_subject_name(peer),
buf,sizeof buf); buf,sizeof buf);

View file

@ -346,13 +346,16 @@ time_t ASN1_UTCTIME_get(const ASN1_UTCTIME *s)
} }
#undef g2 #undef g2
return mktime(&tm)-offset*60; /* FIXME: mktime assumes the current timezone /*
* instead of UTC, and unless we rewrite OpenSSL * FIXME: mktime assumes the current timezone
* in Lisp we cannot locally change the timezone * instead of UTC, and unless we rewrite OpenSSL
* without possibly interfering with other parts * in Lisp we cannot locally change the timezone
* of the program. timegm, which uses UTC, is * without possibly interfering with other parts
* non-standard. * of the program. timegm, which uses UTC, is
* Also time_t is inappropriate for general * non-standard.
* UTC times because it may a 32 bit type. */ * Also time_t is inappropriate for general
* UTC times because it may a 32 bit type.
*/
return mktime(&tm)-offset*60;
} }
#endif #endif

View file

@ -153,9 +153,14 @@ BIO *BIO_new_file(const char *filename, const char *mode)
wmode,sizeof(wmode)/sizeof(wmode[0])) && wmode,sizeof(wmode)/sizeof(wmode[0])) &&
(file=_wfopen(wfilename,wmode))==NULL && (file=_wfopen(wfilename,wmode))==NULL &&
(errno==ENOENT || errno==EBADF) (errno==ENOENT || errno==EBADF)
) /* UTF-8 decode succeeded, but no file, filename )
* could still have been locale-ized... */ {
/*
* UTF-8 decode succeeded, but no file, filename
* could still have been locale-ized...
*/
file = fopen(filename,mode); file = fopen(filename,mode);
}
} }
else if (GetLastError()==ERROR_NO_UNICODE_TRANSLATION) else if (GetLastError()==ERROR_NO_UNICODE_TRANSLATION)
{ {

View file

@ -276,8 +276,11 @@ static void xsyslog(BIO *bp, int priority, const char *string)
case LOG_DEBUG: case LOG_DEBUG:
evtype = EVENTLOG_INFORMATION_TYPE; evtype = EVENTLOG_INFORMATION_TYPE;
break; break;
default: /* Should never happen, but set it default:
as error anyway. */ /*
* Should never happen, but set it
* as error anyway.
*/
evtype = EVENTLOG_ERROR_TYPE; evtype = EVENTLOG_ERROR_TYPE;
break; break;
} }

View file

@ -257,16 +257,22 @@ extern "C" {
#define BN_FLG_MALLOCED 0x01 #define BN_FLG_MALLOCED 0x01
#define BN_FLG_STATIC_DATA 0x02 #define BN_FLG_STATIC_DATA 0x02
#define BN_FLG_CONSTTIME 0x04 /* avoid leaking exponent information through timing,
* BN_mod_exp_mont() will call BN_mod_exp_mont_consttime, /*
* BN_div() will call BN_div_no_branch, * avoid leaking exponent information through timing,
* BN_mod_inverse() will call BN_mod_inverse_no_branch. * BN_mod_exp_mont() will call BN_mod_exp_mont_consttime,
*/ * BN_div() will call BN_div_no_branch,
* BN_mod_inverse() will call BN_mod_inverse_no_branch.
*/
#define BN_FLG_CONSTTIME 0x04
#ifdef OPENSSL_USE_DEPRECATED #ifdef OPENSSL_USE_DEPRECATED
#define BN_FLG_EXP_CONSTTIME BN_FLG_CONSTTIME /* deprecated name for the flag */ /* deprecated name for the flag */
/* avoid leaking exponent information through timings #define BN_FLG_EXP_CONSTTIME BN_FLG_CONSTTIME
* (BN_mod_exp_mont() will call BN_mod_exp_mont_consttime) */ /*
* avoid leaking exponent information through timings
* (BN_mod_exp_mont() will call BN_mod_exp_mont_consttime)
*/
#endif #endif
#ifdef OPENSSL_USE_DEPRECATED #ifdef OPENSSL_USE_DEPRECATED

View file

@ -356,9 +356,12 @@ static BN_ULONG *bn_expand_internal(const BIGNUM *b, int words)
case 3: A[2]=B[2]; case 3: A[2]=B[2];
case 2: A[1]=B[1]; case 2: A[1]=B[1];
case 1: A[0]=B[0]; case 1: A[0]=B[0];
case 0: /* workaround for ultrix cc: without 'case 0', the optimizer does case 0:
* the switch table by doing a=top&3; a--; goto jump_table[a]; /*
* which fails for top== 0 */ * workaround for ultrix cc: without 'case 0', the optimizer does
* the switch table by doing a=top&3; a--; goto jump_table[a];
* which fails for top== 0
*/
; ;
} }
} }

View file

@ -75,7 +75,8 @@
#endif #endif
#endif #endif
/* #define SIGACTION */ /* Define this if you have sigaction() */ /* Define this if you have sigaction() */
/* #define SIGACTION */
/* 06-Apr-92 Luke Brennan Support for VMS */ /* 06-Apr-92 Luke Brennan Support for VMS */
#include "des_locl.h" #include "des_locl.h"

View file

@ -80,13 +80,16 @@
#define OPENSSL_DH_FIPS_MIN_MODULUS_BITS 1024 #define OPENSSL_DH_FIPS_MIN_MODULUS_BITS 1024
#define DH_FLAG_CACHE_MONT_P 0x01 #define DH_FLAG_CACHE_MONT_P 0x01
#define DH_FLAG_NO_EXP_CONSTTIME 0x02 /* new with 0.9.7h; the built-in DH
* implementation now uses constant time /*
* modular exponentiation for secret exponents * new with 0.9.7h; the built-in DH
* by default. This flag causes the * implementation now uses constant time
* faster variable sliding window method to * modular exponentiation for secret exponents
* be used for all exponents. * by default. This flag causes the
*/ * faster variable sliding window method to
* be used for all exponents.
*/
#define DH_FLAG_NO_EXP_CONSTTIME 0x02
/* If this flag is set the DH method is FIPS compliant and can be used /* If this flag is set the DH method is FIPS compliant and can be used
* in FIPS mode. This is set in the validated module method. If an * in FIPS mode. This is set in the validated module method. If an

View file

@ -205,39 +205,49 @@ struct ec_group_st {
/* The following members are handled by the method functions, /* The following members are handled by the method functions,
* even if they appear generic */ * even if they appear generic */
BIGNUM *field; /* Field specification. /* Field specification.
* For curves over GF(p), this is the modulus; * For curves over GF(p), this is the modulus;
* for curves over GF(2^m), this is the * for curves over GF(2^m), this is the
* irreducible polynomial defining the field. * irreducible polynomial defining the field.
*/ */
BIGNUM *field;
int poly[6]; /* Field specification for curves over GF(2^m). /* Field specification for curves over GF(2^m).
* The irreducible f(t) is then of the form: * The irreducible f(t) is then of the form:
* t^poly[0] + t^poly[1] + ... + t^poly[k] * t^poly[0] + t^poly[1] + ... + t^poly[k]
* where m = poly[0] > poly[1] > ... > poly[k] = 0. * where m = poly[0] > poly[1] > ... > poly[k] = 0.
* The array is terminated with poly[k+1]=-1. * The array is terminated with poly[k+1]=-1.
* All elliptic curve irreducibles have at most 5 * All elliptic curve irreducibles have at most 5
* non-zero terms. * non-zero terms.
*/ */
int poly[6];
BIGNUM *a, *b; /* Curve coefficients. /* Curve coefficients.
* (Here the assumption is that BIGNUMs can be used * (Here the assumption is that BIGNUMs can be used
* or abused for all kinds of fields, not just GF(p).) * or abused for all kinds of fields, not just GF(p).)
* For characteristic > 3, the curve is defined * For characteristic > 3, the curve is defined
* by a Weierstrass equation of the form * by a Weierstrass equation of the form
* y^2 = x^3 + a*x + b. * y^2 = x^3 + a*x + b.
* For characteristic 2, the curve is defined by * For characteristic 2, the curve is defined by
* an equation of the form * an equation of the form
* y^2 + x*y = x^3 + a*x^2 + b. * y^2 + x*y = x^3 + a*x^2 + b.
*/ */
BIGNUM *a, *b;
int a_is_minus3; /* enable optimized point arithmetics for special case */ /* enable optimized point arithmetics for special case */
int a_is_minus3;
void *field_data1; /* method-specific (e.g., Montgomery structure) */ /* method-specific (e.g., Montgomery structure) */
void *field_data2; /* method-specific */ void *field_data1;
int (*field_mod_func)(BIGNUM *, const BIGNUM *, const BIGNUM *, BN_CTX *); /* method-specific */
BN_MONT_CTX *mont_data; /* data for ECDSA inverse */ /* method-specific */
void *field_data2;
/* method-specific */
int (*field_mod_func)(BIGNUM *, const BIGNUM *, const BIGNUM *, BN_CTX *);
/* data for ECDSA inverse */
BN_MONT_CTX *mont_data;
} /* EC_GROUP */; } /* EC_GROUP */;
struct ec_key_st { struct ec_key_st {

View file

@ -1017,9 +1017,12 @@ static void point_add(felem x3, felem y3, felem z3,
felem_assign(z3, z_out); felem_assign(z3, z_out);
} }
/* select_point selects the |idx|th point from a precomputation table and /*
* copies it to out. */ * select_point selects the |idx|th point from a precomputation table and
static void select_point(const u64 idx, unsigned int size, const felem pre_comp[/*size*/][3], felem out[3]) * copies it to out.
* The pre_comp array argument should be size of |size| argument
*/
static void select_point(const u64 idx, unsigned int size, const felem pre_comp[][3], felem out[3])
{ {
unsigned i, j; unsigned i, j;
limb *outlimbs = &out[0][0]; limb *outlimbs = &out[0][0];

View file

@ -190,13 +190,16 @@ typedef int evp_verify_method(int type,const unsigned char *m,
unsigned int m_length,const unsigned char *sigbuf, unsigned int m_length,const unsigned char *sigbuf,
unsigned int siglen, void *key); unsigned int siglen, void *key);
#define EVP_MD_FLAG_ONESHOT 0x0001 /* digest can only handle a single /* digest can only handle a single block */
* block */ #define EVP_MD_FLAG_ONESHOT 0x0001
#define EVP_MD_FLAG_PKEY_DIGEST 0x0002 /* digest is a "clone" digest used /*
* which is a copy of an existing * digest is a "clone" digest used
* one for a specific public key type. * which is a copy of an existing
* EVP_dss1() etc */ * one for a specific public key type.
* EVP_dss1() etc
*/
#define EVP_MD_FLAG_PKEY_DIGEST 0x0002
/* Digest uses EVP_PKEY_METHOD for signing instead of MD specific signing */ /* Digest uses EVP_PKEY_METHOD for signing instead of MD specific signing */
@ -218,7 +221,8 @@ typedef int evp_verify_method(int type,const unsigned char *m,
#define EVP_MD_FLAG_DIGALGID_CUSTOM 0x0018 #define EVP_MD_FLAG_DIGALGID_CUSTOM 0x0018
#define EVP_MD_FLAG_FIPS 0x0400 /* Note if suitable for use in FIPS mode */ /* Note if suitable for use in FIPS mode */
#define EVP_MD_FLAG_FIPS 0x0400
/* Digest ctrls */ /* Digest ctrls */
@ -311,19 +315,39 @@ struct evp_cipher_st
{ {
int nid; int nid;
int block_size; int block_size;
int key_len; /* Default value for variable length ciphers */
/* Default value for variable length ciphers */
int key_len;
int iv_len; int iv_len;
unsigned long flags; /* Various flags */
/* Various flags */
unsigned long flags;
/* init key */
int (*init)(EVP_CIPHER_CTX *ctx, const unsigned char *key, int (*init)(EVP_CIPHER_CTX *ctx, const unsigned char *key,
const unsigned char *iv, int enc); /* init key */ const unsigned char *iv, int enc);
/* encrypt/decrypt data */
int (*do_cipher)(EVP_CIPHER_CTX *ctx, unsigned char *out, int (*do_cipher)(EVP_CIPHER_CTX *ctx, unsigned char *out,
const unsigned char *in, size_t inl);/* encrypt/decrypt data */ const unsigned char *in, size_t inl);
int (*cleanup)(EVP_CIPHER_CTX *); /* cleanup ctx */
int ctx_size; /* how big ctx->cipher_data needs to be */ /* cleanup ctx */
int (*set_asn1_parameters)(EVP_CIPHER_CTX *, ASN1_TYPE *); /* Populate a ASN1_TYPE with parameters */ int (*cleanup)(EVP_CIPHER_CTX *);
int (*get_asn1_parameters)(EVP_CIPHER_CTX *, ASN1_TYPE *); /* Get parameters from a ASN1_TYPE */
int (*ctrl)(EVP_CIPHER_CTX *, int type, int arg, void *ptr); /* Miscellaneous operations */ /* how big ctx->cipher_data needs to be */
void *app_data; /* Application data */ int ctx_size;
/* Populate a ASN1_TYPE with parameters */
int (*set_asn1_parameters)(EVP_CIPHER_CTX *, ASN1_TYPE *);
/* Get parameters from a ASN1_TYPE */
int (*get_asn1_parameters)(EVP_CIPHER_CTX *, ASN1_TYPE *);
/* Miscellaneous operations */
int (*ctrl)(EVP_CIPHER_CTX *, int type, int arg, void *ptr);
/* Application data */
void *app_data;
} /* EVP_CIPHER */; } /* EVP_CIPHER */;
/* Values for cipher flags */ /* Values for cipher flags */
@ -466,14 +490,22 @@ struct evp_cipher_ctx_st
typedef struct evp_Encode_Ctx_st typedef struct evp_Encode_Ctx_st
{ {
int num; /* number saved in a partial encode/decode */ /* number saved in a partial encode/decode */
int length; /* The length is either the output line length int num;
* (in input bytes) or the shortest input line
* length that is ok. Once decoding begins, /* The length is either the output line length
* the length is adjusted up each time a longer * (in input bytes) or the shortest input line
* line is decoded */ * length that is ok. Once decoding begins,
unsigned char enc_data[80]; /* data to encode */ * the length is adjusted up each time a longer
int line_num; /* number read on current line */ * line is decoded
*/
int length;
/* data to encode */
unsigned char enc_data[80];
/* number read on current line */
int line_num;
int expect_nl; int expect_nl;
} EVP_ENCODE_CTX; } EVP_ENCODE_CTX;

View file

@ -179,12 +179,13 @@ typedef BOOL (WINAPI *MODULE32)(HANDLE, LPMODULEENTRY32);
#include <lmcons.h> #include <lmcons.h>
#include <lmstats.h> #include <lmstats.h>
#if 1 /* The NET API is Unicode only. It requires the use of the UNICODE #if 1
* macro. When UNICODE is defined LPTSTR becomes LPWSTR. LMSTR was /* The NET API is Unicode only. It requires the use of the UNICODE
* was added to the Platform SDK to allow the NET API to be used in * macro. When UNICODE is defined LPTSTR becomes LPWSTR. LMSTR was
* non-Unicode applications provided that Unicode strings were still * was added to the Platform SDK to allow the NET API to be used in
* used for input. LMSTR is defined as LPWSTR. * non-Unicode applications provided that Unicode strings were still
*/ * used for input. LMSTR is defined as LPWSTR.
*/
typedef NET_API_STATUS (NET_API_FUNCTION * NETSTATGET) typedef NET_API_STATUS (NET_API_FUNCTION * NETSTATGET)
(LPWSTR, LPWSTR, DWORD, DWORD, LPBYTE*); (LPWSTR, LPWSTR, DWORD, DWORD, LPBYTE*);
typedef NET_API_STATUS (NET_API_FUNCTION * NETFREE)(LPBYTE); typedef NET_API_STATUS (NET_API_FUNCTION * NETFREE)(LPBYTE);

View file

@ -170,7 +170,9 @@ struct rsa_st
# define OPENSSL_RSA_SMALL_MODULUS_BITS 3072 # define OPENSSL_RSA_SMALL_MODULUS_BITS 3072
#endif #endif
#ifndef OPENSSL_RSA_MAX_PUBEXP_BITS #ifndef OPENSSL_RSA_MAX_PUBEXP_BITS
# define OPENSSL_RSA_MAX_PUBEXP_BITS 64 /* exponent limit enforced for "large" modulus only */
/* exponent limit enforced for "large" modulus only */
# define OPENSSL_RSA_MAX_PUBEXP_BITS 64
#endif #endif
#define RSA_3 0x3L #define RSA_3 0x3L
@ -193,30 +195,36 @@ struct rsa_st
*/ */
#define RSA_FLAG_SIGN_VER 0x0040 #define RSA_FLAG_SIGN_VER 0x0040
#define RSA_FLAG_NO_BLINDING 0x0080 /* new with 0.9.6j and 0.9.7b; the built-in /*
* RSA implementation now uses blinding by * new with 0.9.6j and 0.9.7b; the built-in
* default (ignoring RSA_FLAG_BLINDING), * RSA implementation now uses blinding by
* but other engines might not need it * default (ignoring RSA_FLAG_BLINDING),
*/ * but other engines might not need it
#define RSA_FLAG_NO_CONSTTIME 0x0100 /* new with 0.9.8f; the built-in RSA */
* implementation now uses constant time #define RSA_FLAG_NO_BLINDING 0x0080
* operations by default in private key operations, /*
* e.g., constant time modular exponentiation, * new with 0.9.8f; the built-in RSA
* modular inverse without leaking branches, * implementation now uses constant time
* division without leaking branches. This * operations by default in private key operations,
* flag disables these constant time * e.g., constant time modular exponentiation,
* operations and results in faster RSA * modular inverse without leaking branches,
* private key operations. * division without leaking branches. This
*/ * flag disables these constant time
* operations and results in faster RSA
* private key operations.
*/
#define RSA_FLAG_NO_CONSTTIME 0x0100
#ifdef OPENSSL_USE_DEPRECATED #ifdef OPENSSL_USE_DEPRECATED
#define RSA_FLAG_NO_EXP_CONSTTIME RSA_FLAG_NO_CONSTTIME /* deprecated name for the flag*/ /* deprecated name for the flag*/
/* new with 0.9.7h; the built-in RSA /*
* implementation now uses constant time * new with 0.9.7h; the built-in RSA
* modular exponentiation for secret exponents * implementation now uses constant time
* by default. This flag causes the * modular exponentiation for secret exponents
* faster variable sliding window method to * by default. This flag causes the
* be used for all exponents. * faster variable sliding window method to
*/ * be used for all exponents.
*/
#define RSA_FLAG_NO_EXP_CONSTTIME RSA_FLAG_NO_CONSTTIME
#endif #endif

View file

@ -286,11 +286,12 @@ static BN_BLINDING *rsa_get_blinding(RSA *rsa, int *local, BN_CTX *ctx)
{ {
/* resort to rsa->mt_blinding instead */ /* resort to rsa->mt_blinding instead */
*local = 0; /* instructs rsa_blinding_convert(), rsa_blinding_invert() /* instructs rsa_blinding_convert(), rsa_blinding_invert()
* that the BN_BLINDING is shared, meaning that accesses * that the BN_BLINDING is shared, meaning that accesses
* require locks, and that the blinding factor must be * require locks, and that the blinding factor must be
* stored outside the BN_BLINDING * stored outside the BN_BLINDING
*/ */
*local = 0;
if (rsa->mt_blinding == NULL) if (rsa->mt_blinding == NULL)
{ {

View file

@ -151,9 +151,12 @@ void SHA256_Transform(SHA256_CTX *c, const unsigned char *data);
* being exactly 64-bit wide. See Implementation Notes in sha512.c * being exactly 64-bit wide. See Implementation Notes in sha512.c
* for further details. * for further details.
*/ */
#define SHA512_CBLOCK (SHA_LBLOCK*8) /* SHA-512 treats input data as a /*
* contiguous array of 64 bit * SHA-512 treats input data as a
* wide big-endian values. */ * contiguous array of 64 bit
* wide big-endian values.
*/
#define SHA512_CBLOCK (SHA_LBLOCK*8)
#if (defined(_WIN32) || defined(_WIN64)) && !defined(__MINGW32__) #if (defined(_WIN32) || defined(_WIN64)) && !defined(__MINGW32__)
#define SHA_LONG64 unsigned __int64 #define SHA_LONG64 unsigned __int64
#define U64(C) C##UI64 #define U64(C) C##UI64

View file

@ -98,7 +98,8 @@ STACK_OF(type) \
_STACK stack; \ _STACK stack; \
}; };
#define IMPLEMENT_STACK_OF(type) /* nada (obsolete in new safestack approach)*/ /* nada (obsolete in new safestack approach)*/
#define IMPLEMENT_STACK_OF(type)
/*- /*-

View file

@ -86,25 +86,38 @@ typedef struct mem_object_data_st
DECLARE_STACK_OF(MEM_OBJECT_DATA) DECLARE_STACK_OF(MEM_OBJECT_DATA)
struct mem_data_st struct mem_data_st
{ {
STACK_OF(MEM_OBJECT_DATA) *data; /* sorted with /*
* STORE_ATTR_INFO_compare(). */ * sorted with
unsigned int compute_components : 1; /* Currently unused, but can * STORE_ATTR_INFO_compare().
be used to add attributes */
from parts of the data. */ STACK_OF(MEM_OBJECT_DATA) *data;
/*
* Currently unused, but can
* be used to add attributes
* from parts of the data.
*/
unsigned int compute_components : 1;
}; };
DECLARE_STACK_OF(STORE_ATTR_INFO) DECLARE_STACK_OF(STORE_ATTR_INFO)
struct mem_ctx_st struct mem_ctx_st
{ {
int type; /* The type we're searching for */ /* The type we're searching for */
STACK_OF(STORE_ATTR_INFO) *search_attributes; /* Sets of int type;
attributes to search for. Each /*
element is a STORE_ATTR_INFO. */ * Sets of
int search_index; /* which of the search attributes we * attributes to search for. Each
found a match for, -1 when we still * element is a STORE_ATTR_INFO.
haven't found any */ */
int index; /* -1 as long as we're searching for STACK_OF(STORE_ATTR_INFO) *search_attributes;
the first */ /*
* which of the search attributes we
* found a match for, -1 when we still
* haven't found any
*/
int search_index;
/* -1 as long as we're searching for the first */
int index;
}; };
static int mem_init(STORE *s); static int mem_init(STORE *s);

View file

@ -64,8 +64,11 @@ typedef unsigned long long u64;
# define SMALL_REGISTER_BANK # define SMALL_REGISTER_BANK
# if defined(WHIRLPOOL_ASM) # if defined(WHIRLPOOL_ASM)
# ifndef OPENSSL_SMALL_FOOTPRINT # ifndef OPENSSL_SMALL_FOOTPRINT
# define OPENSSL_SMALL_FOOTPRINT /* it appears that for elder non-MMX /*
CPUs this is actually faster! */ * it appears that for elder non-MMX
* CPUs this is actually faster!
*/
# define OPENSSL_SMALL_FOOTPRINT
# endif # endif
# define GO_FOR_MMX(ctx,inp,num) do { \ # define GO_FOR_MMX(ctx,inp,num) do { \
extern unsigned long OPENSSL_ia32cap_P[]; \ extern unsigned long OPENSSL_ia32cap_P[]; \

View file

@ -195,14 +195,22 @@ struct x509_store_st
X509_VERIFY_PARAM *param; X509_VERIFY_PARAM *param;
/* Callbacks for various operations */ /* Callbacks for various operations */
int (*verify)(X509_STORE_CTX *ctx); /* called to verify a certificate */ /* called to verify a certificate */
int (*verify_cb)(int ok,X509_STORE_CTX *ctx); /* error callback */ int (*verify)(X509_STORE_CTX *ctx);
int (*get_issuer)(X509 **issuer, X509_STORE_CTX *ctx, X509 *x); /* get issuers cert from ctx */ /* error callback */
int (*check_issued)(X509_STORE_CTX *ctx, X509 *x, X509 *issuer); /* check issued */ int (*verify_cb)(int ok,X509_STORE_CTX *ctx);
int (*check_revocation)(X509_STORE_CTX *ctx); /* Check revocation status of chain */ /* get issuers cert from ctx */
int (*get_crl)(X509_STORE_CTX *ctx, X509_CRL **crl, X509 *x); /* retrieve CRL */ int (*get_issuer)(X509 **issuer, X509_STORE_CTX *ctx, X509 *x);
int (*check_crl)(X509_STORE_CTX *ctx, X509_CRL *crl); /* Check CRL validity */ /* check issued */
int (*cert_crl)(X509_STORE_CTX *ctx, X509_CRL *crl, X509 *x); /* Check certificate against CRL */ int (*check_issued)(X509_STORE_CTX *ctx, X509 *x, X509 *issuer);
/* Check revocation status of chain */
int (*check_revocation)(X509_STORE_CTX *ctx);
/* retrieve CRL */
int (*get_crl)(X509_STORE_CTX *ctx, X509_CRL **crl, X509 *x);
/* Check CRL validity */
int (*check_crl)(X509_STORE_CTX *ctx, X509_CRL *crl);
/* Check certificate against CRL */
int (*cert_crl)(X509_STORE_CTX *ctx, X509_CRL *crl, X509 *x);
STACK_OF(X509) * (*lookup_certs)(X509_STORE_CTX *ctx, X509_NAME *nm); STACK_OF(X509) * (*lookup_certs)(X509_STORE_CTX *ctx, X509_NAME *nm);
STACK_OF(X509_CRL) * (*lookup_crls)(X509_STORE_CTX *ctx, X509_NAME *nm); STACK_OF(X509_CRL) * (*lookup_crls)(X509_STORE_CTX *ctx, X509_NAME *nm);
int (*cleanup)(X509_STORE_CTX *ctx); int (*cleanup)(X509_STORE_CTX *ctx);
@ -233,49 +241,72 @@ struct x509_lookup_st
struct x509_store_ctx_st /* X509_STORE_CTX */ struct x509_store_ctx_st /* X509_STORE_CTX */
{ {
X509_STORE *ctx; X509_STORE *ctx;
int current_method; /* used when looking up certs */ /* used when looking up certs */
int current_method;
/* The following are set by the caller */ /* The following are set by the caller */
X509 *cert; /* The cert to check */ /* The cert to check */
STACK_OF(X509) *untrusted; /* chain of X509s - untrusted - passed in */ X509 *cert;
STACK_OF(X509_CRL) *crls; /* set of CRLs passed in */ /* chain of X509s - untrusted - passed in */
STACK_OF(X509) *untrusted;
/* set of CRLs passed in */
STACK_OF(X509_CRL) *crls;
X509_VERIFY_PARAM *param; X509_VERIFY_PARAM *param;
void *other_ctx; /* Other info for use with get_issuer() */ /* Other info for use with get_issuer() */
void *other_ctx;
/* Callbacks for various operations */ /* Callbacks for various operations */
int (*verify)(X509_STORE_CTX *ctx); /* called to verify a certificate */ /* called to verify a certificate */
int (*verify_cb)(int ok,X509_STORE_CTX *ctx); /* error callback */ int (*verify)(X509_STORE_CTX *ctx);
int (*get_issuer)(X509 **issuer, X509_STORE_CTX *ctx, X509 *x); /* get issuers cert from ctx */ /* error callback */
int (*check_issued)(X509_STORE_CTX *ctx, X509 *x, X509 *issuer); /* check issued */ int (*verify_cb)(int ok,X509_STORE_CTX *ctx);
int (*check_revocation)(X509_STORE_CTX *ctx); /* Check revocation status of chain */ /* get issuers cert from ctx */
int (*get_crl)(X509_STORE_CTX *ctx, X509_CRL **crl, X509 *x); /* retrieve CRL */ int (*get_issuer)(X509 **issuer, X509_STORE_CTX *ctx, X509 *x);
int (*check_crl)(X509_STORE_CTX *ctx, X509_CRL *crl); /* Check CRL validity */ /* check issued */
int (*cert_crl)(X509_STORE_CTX *ctx, X509_CRL *crl, X509 *x); /* Check certificate against CRL */ int (*check_issued)(X509_STORE_CTX *ctx, X509 *x, X509 *issuer);
/* Check revocation status of chain */
int (*check_revocation)(X509_STORE_CTX *ctx);
/* retrieve CRL */
int (*get_crl)(X509_STORE_CTX *ctx, X509_CRL **crl, X509 *x);
/* Check CRL validity */
int (*check_crl)(X509_STORE_CTX *ctx, X509_CRL *crl);
/* Check certificate against CRL */
int (*cert_crl)(X509_STORE_CTX *ctx, X509_CRL *crl, X509 *x);
int (*check_policy)(X509_STORE_CTX *ctx); int (*check_policy)(X509_STORE_CTX *ctx);
STACK_OF(X509) * (*lookup_certs)(X509_STORE_CTX *ctx, X509_NAME *nm); STACK_OF(X509) * (*lookup_certs)(X509_STORE_CTX *ctx, X509_NAME *nm);
STACK_OF(X509_CRL) * (*lookup_crls)(X509_STORE_CTX *ctx, X509_NAME *nm); STACK_OF(X509_CRL) * (*lookup_crls)(X509_STORE_CTX *ctx, X509_NAME *nm);
int (*cleanup)(X509_STORE_CTX *ctx); int (*cleanup)(X509_STORE_CTX *ctx);
/* The following is built up */ /* The following is built up */
int valid; /* if 0, rebuild chain */ /* if 0, rebuild chain */
int last_untrusted; /* index of last untrusted cert */ int valid;
STACK_OF(X509) *chain; /* chain of X509s - built up and trusted */ /* index of last untrusted cert */
X509_POLICY_TREE *tree; /* Valid policy tree */ int last_untrusted;
/* chain of X509s - built up and trusted */
STACK_OF(X509) *chain;
/* Valid policy tree */
X509_POLICY_TREE *tree;
int explicit_policy; /* Require explicit policy value */ /* Require explicit policy value */
int explicit_policy;
/* When something goes wrong, this is why */ /* When something goes wrong, this is why */
int error_depth; int error_depth;
int error; int error;
X509 *current_cert; X509 *current_cert;
X509 *current_issuer; /* cert currently being tested as valid issuer */ /* cert currently being tested as valid issuer */
X509_CRL *current_crl; /* current CRL */ X509 *current_issuer;
/* current CRL */
X509_CRL *current_crl;
int current_crl_score; /* score of current CRL */ /* score of current CRL */
unsigned int current_reasons; /* Reason mask */ int current_crl_score;
/* Reason mask */
unsigned int current_reasons;
X509_STORE_CTX *parent; /* For CRL path validation: parent context */ /* For CRL path validation: parent context */
X509_STORE_CTX *parent;
CRYPTO_EX_DATA ex_data; CRYPTO_EX_DATA ex_data;
} /* X509_STORE_CTX */; } /* X509_STORE_CTX */;

View file

@ -122,8 +122,8 @@ int X509_certificate_type(X509 *x, EVP_PKEY *pkey)
} }
} }
if (EVP_PKEY_size(pk) <= 1024/8)/* /8 because it's 1024 bits we look /* /8 because it's 1024 bits we look for, not bytes */
for, not bytes */ if (EVP_PKEY_size(pk) <= 1024/8)
ret|=EVP_PKT_EXP; ret|=EVP_PKT_EXP;
if(pkey==NULL) EVP_PKEY_free(pk); if(pkey==NULL) EVP_PKEY_free(pk);
return(ret); return(ret);

View file

@ -708,7 +708,9 @@ tls_create_ctx(struct tls_create_ctx_args a, void *apparg)
SSL_CTX_set_verify_depth(ret, a.verify_depth); SSL_CTX_set_verify_depth(ret, a.verify_depth);
if (a.ca_file != NULL) { if (a.ca_file != NULL) {
r = SSL_CTX_load_verify_locations(ret, a.ca_file, NULL /* no CA-directory */); /* does not report failure if file does not exist ... */ /* does not report failure if file does not exist ... */
/* NULL argument means no CA-directory */
r = SSL_CTX_load_verify_locations(ret, a.ca_file, NULL);
if (!r) { if (!r) {
err_pref_1 = " while processing certificate file "; err_pref_1 = " while processing certificate file ";
err_pref_2 = a.ca_file; err_pref_2 = a.ca_file;

View file

@ -776,8 +776,8 @@ they could cause potential side affects on either the card or the result */
/* Prepare the argument and response */ /* Prepare the argument and response */
outLen = CORRECT_ENDIANNESS(privKey->qLength) * 2; /* Correct endianess is used /* Correct endianess is used because the fields were converted above */
because the fields were converted above */ outLen = CORRECT_ENDIANNESS(privKey->qLength) * 2;
if (outLen > 256) { if (outLen > 256) {
IBMCAerr(IBMCA_F_IBMCA_MOD_EXP_CRT,IBMCA_R_OUTLEN_TO_LARGE); IBMCAerr(IBMCA_F_IBMCA_MOD_EXP_CRT,IBMCA_R_OUTLEN_TO_LARGE);

View file

@ -46,9 +46,12 @@ extern "C" {
__declspec(dllexport) __declspec(dllexport)
void ** void **
#if defined(__BORLANDC__) #if defined(__BORLANDC__)
__stdcall /* __stdcall appears to be the only way to get the name /*
* decoration right with Borland C. Otherwise it works * __stdcall appears to be the only way to get the name
* purely incidentally, as we pass no parameters. */ * decoration right with Borland C. Otherwise it works
* purely incidentally, as we pass no parameters.
*/
__stdcall
#else #else
__cdecl __cdecl
#endif #endif

View file

@ -481,10 +481,15 @@ long dtls1_get_message(SSL *s, int st1, int stn, int mt, long max, int *ok)
again: again:
i = dtls1_get_message_fragment(s, st1, stn, max, ok); i = dtls1_get_message_fragment(s, st1, stn, max, ok);
if ( i == DTLS1_HM_BAD_FRAGMENT || if ( i == DTLS1_HM_BAD_FRAGMENT ||
i == DTLS1_HM_FRAGMENT_RETRY) /* bad fragment received */ i == DTLS1_HM_FRAGMENT_RETRY)
{
/* bad fragment received */
goto again; goto again;
}
else if ( i <= 0 && !*ok) else if ( i <= 0 && !*ok)
{
return i; return i;
}
p = (unsigned char *)s->init_buf->data; p = (unsigned char *)s->init_buf->data;
msg_len = msg_hdr->msg_len; msg_len = msg_hdr->msg_len;
@ -1022,9 +1027,11 @@ int dtls1_read_failed(SSL *s, int code)
} }
#ifndef OPENSSL_NO_HEARTBEATS #ifndef OPENSSL_NO_HEARTBEATS
if (!SSL_in_init(s) && !s->tlsext_hb_pending) /* done, no need to send a retransmit */ /* done, no need to send a retransmit */
if (!SSL_in_init(s) && !s->tlsext_hb_pending)
#else #else
if (!SSL_in_init(s)) /* done, no need to send a retransmit */ /* done, no need to send a retransmit */
if (!SSL_in_init(s))
#endif #endif
{ {
BIO_set_flags(SSL_get_rbio(s), BIO_FLAGS_READ); BIO_set_flags(SSL_get_rbio(s), BIO_FLAGS_READ);

View file

@ -343,8 +343,8 @@ dtls1_get_buffered_record(SSL *s)
(((PQ_64BIT)s->d1->handshake_read_seq) << 32) | (((PQ_64BIT)s->d1->handshake_read_seq) << 32) |
((PQ_64BIT)s->d1->r_msg_hdr.frag_off); ((PQ_64BIT)s->d1->r_msg_hdr.frag_off);
if ( ! SSL_in_init(s)) /* if we're not (re)negotiating, /* if we're not (re)negotiating, nothing buffered */
nothing buffered */ if ( ! SSL_in_init(s))
return 0; return 0;

View file

@ -232,19 +232,21 @@ end:
int ssl23_get_client_hello(SSL *s) int ssl23_get_client_hello(SSL *s)
{ {
char buf_space[11]; /* Request this many bytes in initial read. /*-
* We can detect SSL 3.0/TLS 1.0 Client Hellos * Request this many bytes in initial read.
* ('type == 3') correctly only when the following * We can detect SSL 3.0/TLS 1.0 Client Hellos
* is in a single record, which is not guaranteed by * ('type == 3') correctly only when the following
* the protocol specification: * is in a single record, which is not guaranteed by
* Byte Content * the protocol specification:
* 0 type \ * Byte Content
* 1/2 version > record header * 0 type \
* 3/4 length / * 1/2 version > record header
* 5 msg_type \ * 3/4 length /
* 6-8 length > Client Hello message * 5 msg_type \
* 9/10 client_version / * 6-8 length > Client Hello message
*/ * 9/10 client_version /
*/
char buf_space[11];
char *buf= &(buf_space[0]); char *buf= &(buf_space[0]);
unsigned char *p,*d,*d_len,*dd; unsigned char *p,*d,*d_len,*dd;
unsigned int i; unsigned int i;

View file

@ -230,11 +230,12 @@ int ssl3_get_finished(SSL *s, int a, int b)
*/ */
#endif #endif
/* 64 argument should actually be 36+4 :-) */
n=s->method->ssl_get_message(s, n=s->method->ssl_get_message(s,
a, a,
b, b,
SSL3_MT_FINISHED, SSL3_MT_FINISHED,
64, /* should actually be 36+4 :-) */ 64,
&ok); &ok);
if (!ok) return((int)n); if (!ok) return((int)n);

138
ssl/ssl.h
View file

@ -994,7 +994,8 @@ struct ssl_ctx_st
int verify_mode; int verify_mode;
unsigned int sid_ctx_length; unsigned int sid_ctx_length;
unsigned char sid_ctx[SSL_MAX_SID_CTX_LENGTH]; unsigned char sid_ctx[SSL_MAX_SID_CTX_LENGTH];
int (*default_verify_callback)(int ok,X509_STORE_CTX *ctx); /* called 'verify_callback' in the SSL */ /* called 'verify_callback' in the SSL */
int (*default_verify_callback)(int ok,X509_STORE_CTX *ctx);
/* Default generate session ID callback. */ /* Default generate session ID callback. */
GEN_SESSION_CB generate_session_id; GEN_SESSION_CB generate_session_id;
@ -1288,22 +1289,28 @@ struct ssl_st
* (one of SSL2_VERSION, SSL3_VERSION, TLS1_VERSION, DTLS1_VERSION) * (one of SSL2_VERSION, SSL3_VERSION, TLS1_VERSION, DTLS1_VERSION)
*/ */
int version; int version;
int type; /* SSL_ST_CONNECT or SSL_ST_ACCEPT */ /* SSL_ST_CONNECT or SSL_ST_ACCEPT */
int type;
const SSL_METHOD *method; /* SSLv3 */ /* SSLv3 */
const SSL_METHOD *method;
/* There are 2 BIO's even though they are normally both the /* There are 2 BIO's even though they are normally both the
* same. This is so data can be read and written to different * same. This is so data can be read and written to different
* handlers */ * handlers */
#ifndef OPENSSL_NO_BIO #ifndef OPENSSL_NO_BIO
BIO *rbio; /* used by SSL_read */ /* used by SSL_read */
BIO *wbio; /* used by SSL_write */ BIO *rbio;
BIO *bbio; /* used during session-id reuse to concatenate /* used by SSL_write */
* messages */ BIO *wbio;
/* used during session-id reuse to concatenate messages */
BIO *bbio;
#else #else
char *rbio; /* used by SSL_read */ /* used by SSL_read */
char *wbio; /* used by SSL_write */ char *rbio;
/* used by SSL_write */
char *wbio;
char *bbio; char *bbio;
#endif #endif
/* This holds a variable that indicates what we were doing /* This holds a variable that indicates what we were doing
@ -1324,17 +1331,24 @@ struct ssl_st
* test instead of an "init" member. * test instead of an "init" member.
*/ */
int server; /* are we the server side? - mostly used by SSL_clear*/ /* are we the server side? - mostly used by SSL_clear*/
int server;
int new_session;/* Generate a new session or reuse an old one. /*
* NB: For servers, the 'new' session may actually be a previously * Generate a new session or reuse an old one.
* cached session or even the previous session unless * NB: For servers, the 'new' session may actually be a previously
* SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION is set */ * cached session or even the previous session unless
int quiet_shutdown;/* don't send shutdown packets */ * SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION is set
int shutdown; /* we have shut things down, 0x01 sent, 0x02 */
* for received */ int new_session;
int state; /* where we are */ /* don't send shutdown packets */
int rstate; /* where we are when reading */ int quiet_shutdown;
/* we have shut things down, 0x01 sent, 0x02 for received */
int shutdown;
/* where we are */
int state;
/* where we are when reading */
int rstate;
BUF_MEM *init_buf; /* buffer used during init */ BUF_MEM *init_buf; /* buffer used during init */
void *init_msg; /* pointer to handshake message body, set by ssl3_get_message() */ void *init_msg; /* pointer to handshake message body, set by ssl3_get_message() */
@ -1405,17 +1419,25 @@ struct ssl_st
GEN_SESSION_CB generate_session_id; GEN_SESSION_CB generate_session_id;
/* Used in SSL3 */ /* Used in SSL3 */
int verify_mode; /* 0 don't care about verify failure. /*
* 1 fail if verify fails */ * 0 don't care about verify failure.
int (*verify_callback)(int ok,X509_STORE_CTX *ctx); /* fail if callback returns 0 */ * 1 fail if verify fails
*/
int verify_mode;
/* fail if callback returns 0 */
int (*verify_callback)(int ok,X509_STORE_CTX *ctx);
void (*info_callback)(const SSL *ssl,int type,int val); /* optional informational callback */ /* optional informational callback */
void (*info_callback)(const SSL *ssl,int type,int val);
int error; /* error bytes to be written */ /* error bytes to be written */
int error_code; /* actual code */ int error;
/* actual code */
int error_code;
#ifndef OPENSSL_NO_KRB5 #ifndef OPENSSL_NO_KRB5
KSSL_CTX *kssl_ctx; /* Kerberos 5 context */ /* Kerberos 5 context */
KSSL_CTX *kssl_ctx;
#endif /* OPENSSL_NO_KRB5 */ #endif /* OPENSSL_NO_KRB5 */
#ifndef OPENSSL_NO_PSK #ifndef OPENSSL_NO_PSK
@ -1439,12 +1461,14 @@ struct ssl_st
STACK_OF(X509_NAME) *client_CA; STACK_OF(X509_NAME) *client_CA;
int references; int references;
unsigned long options; /* protocol behaviour */ /* protocol behaviour */
unsigned long mode; /* API behaviour */ unsigned long options;
/* API behaviour */
unsigned long mode;
long max_cert_list; long max_cert_list;
int first_packet; int first_packet;
int client_version; /* what was passed, used for /* what was passed, used for SSLv3/TLS rollback check */
* SSLv3/TLS rollback check */ int client_version;
unsigned int max_send_fragment; unsigned int max_send_fragment;
#ifndef OPENSSL_NO_TLSEXT #ifndef OPENSSL_NO_TLSEXT
/* TLS extension debug callback */ /* TLS extension debug callback */
@ -1453,11 +1477,13 @@ struct ssl_st
void *arg); void *arg);
void *tlsext_debug_arg; void *tlsext_debug_arg;
char *tlsext_hostname; char *tlsext_hostname;
int servername_done; /* no further mod of servername /*-
0 : call the servername extension callback. * no further mod of servername
1 : prepare 2, allow last ack just after in server callback. * 0 : call the servername extension callback.
2 : don't call servername callback, no ack in server hello * 1 : prepare 2, allow last ack just after in server callback.
*/ * 2 : don't call servername callback, no ack in server hello
*/
int servername_done;
/* certificate status request info */ /* certificate status request info */
/* Status type or -1 if no status type */ /* Status type or -1 if no status type */
int tlsext_status_type; int tlsext_status_type;
@ -1474,9 +1500,11 @@ struct ssl_st
int tlsext_ticket_expected; int tlsext_ticket_expected;
#ifndef OPENSSL_NO_EC #ifndef OPENSSL_NO_EC
size_t tlsext_ecpointformatlist_length; size_t tlsext_ecpointformatlist_length;
unsigned char *tlsext_ecpointformatlist; /* our list */ /* our list */
unsigned char *tlsext_ecpointformatlist;
size_t tlsext_ellipticcurvelist_length; size_t tlsext_ellipticcurvelist_length;
unsigned char *tlsext_ellipticcurvelist; /* our list */ /* our list */
unsigned char *tlsext_ellipticcurvelist;
#endif /* OPENSSL_NO_EC */ #endif /* OPENSSL_NO_EC */
/* draft-rescorla-tls-opaque-prf-input-00.txt information to be used for handshakes */ /* draft-rescorla-tls-opaque-prf-input-00.txt information to be used for handshakes */
@ -1510,16 +1538,22 @@ struct ssl_st
#define session_ctx initial_ctx #define session_ctx initial_ctx
STACK_OF(SRTP_PROTECTION_PROFILE) *srtp_profiles; /* What we'll do */ /* What we'll do */
SRTP_PROTECTION_PROFILE *srtp_profile; /* What's been chosen */ STACK_OF(SRTP_PROTECTION_PROFILE) *srtp_profiles;
/* What's been chosen */
SRTP_PROTECTION_PROFILE *srtp_profile;
unsigned int tlsext_heartbeat; /* Is use of the Heartbeat extension negotiated? /*-
0: disabled * Is use of the Heartbeat extension negotiated?
1: enabled * 0: disabled
2: enabled, but not allowed to send Requests * 1: enabled
*/ * 2: enabled, but not allowed to send Requests
unsigned int tlsext_hb_pending; /* Indicates if a HeartbeatRequest is in flight */ */
unsigned int tlsext_hb_seq; /* HeartbeatRequest sequence number */ unsigned int tlsext_heartbeat;
/* Indicates if a HeartbeatRequest is in flight */
unsigned int tlsext_hb_pending;
/* HeartbeatRequest sequence number */
unsigned int tlsext_hb_seq;
/* For a client, this contains the list of supported protocols in wire /* For a client, this contains the list of supported protocols in wire
* format. */ * format. */
@ -1529,12 +1563,16 @@ struct ssl_st
#define session_ctx ctx #define session_ctx ctx
#endif /* OPENSSL_NO_TLSEXT */ #endif /* OPENSSL_NO_TLSEXT */
int renegotiate;/* 1 if we are renegotiating. /*-
* 2 if we are a server and are inside a handshake * 1 if we are renegotiating.
* (i.e. not just sending a HelloRequest) */ * 2 if we are a server and are inside a handshake
* (i.e. not just sending a HelloRequest)
*/
int renegotiate;
#ifndef OPENSSL_NO_SRP #ifndef OPENSSL_NO_SRP
SRP_CTX srp_ctx; /* ctx for SRP authentication */ /* ctx for SRP authentication */
SRP_CTX srp_ctx;
#endif #endif
/* Callback for disabling session caching and ticket support /* Callback for disabling session caching and ticket support

View file

@ -388,27 +388,39 @@ extern "C" {
typedef struct ssl3_record_st typedef struct ssl3_record_st
{ {
/*r */ int type; /* type of record */ /* type of record */
/*rw*/ unsigned int length; /* How many bytes available */ /*r */ int type;
/*rw*/ unsigned int orig_len; /* How many bytes were available before padding /* How many bytes available */
was removed? This is used to implement the /*rw*/ unsigned int length;
MAC check in constant time for CBC records. /* How many bytes were available before padding
*/ * was removed? This is used to implement the
/*r */ unsigned int off; /* read/write offset into 'buf' */ * MAC check in constant time for CBC records.
/*rw*/ unsigned char *data; /* pointer to the record data */ */
/*rw*/ unsigned char *input; /* where the decode bytes are */ /*rw*/ unsigned int orig_len;
/*r */ unsigned char *comp; /* only used with decompression - malloc()ed */ /* read/write offset into 'buf' */
/*r */ unsigned long epoch; /* epoch number, needed by DTLS1 */ /*r */ unsigned int off;
/*r */ unsigned char seq_num[8]; /* sequence number, needed by DTLS1 */ /* pointer to the record data */
/*rw*/ unsigned char *data;
/* where the decode bytes are */
/*rw*/ unsigned char *input;
/* only used with decompression - malloc()ed */
/*r */ unsigned char *comp;
/* epoch number, needed by DTLS1 */
/*r */ unsigned long epoch;
/* sequence number, needed by DTLS1 */
/*r */ unsigned char seq_num[8];
} SSL3_RECORD; } SSL3_RECORD;
typedef struct ssl3_buffer_st typedef struct ssl3_buffer_st
{ {
unsigned char *buf; /* at least SSL3_RT_MAX_PACKET_SIZE bytes, /* at least SSL3_RT_MAX_PACKET_SIZE bytes, see ssl3_setup_buffers() */
* see ssl3_setup_buffers() */ unsigned char *buf;
size_t len; /* buffer size */ /* buffer size */
int offset; /* where to 'copy from' */ size_t len;
int left; /* how many bytes left */ /* where to 'copy from' */
int offset;
/* how many bytes left */
int left;
} SSL3_BUFFER; } SSL3_BUFFER;
#endif #endif

View file

@ -201,10 +201,15 @@ int SSL_clear(SSL *s)
s->hit=0; s->hit=0;
s->shutdown=0; s->shutdown=0;
#if 0 /* Disabled since version 1.10 of this file (early return not #if 0
* needed because SSL_clear is not called when doing renegotiation) */ /*
/* This is set if we are doing dynamic renegotiation so keep * Disabled since version 1.10 of this file (early return not
* the old cipher. It is sort of a SSL_clear_lite :-) */ * needed because SSL_clear is not called when doing renegotiation)
*/
/*
* This is set if we are doing dynamic renegotiation so keep
* the old cipher. It is sort of a SSL_clear_lite :-)
*/
if (s->renegotiate) return(1); if (s->renegotiate) return(1);
#else #else
if (s->renegotiate) if (s->renegotiate)

View file

@ -566,9 +566,12 @@ typedef struct {
typedef struct cert_st typedef struct cert_st
{ {
/* Current active set */ /* Current active set */
CERT_PKEY *key; /* ALWAYS points to an element of the pkeys array /*
* Probably it would make more sense to store * ALWAYS points to an element of the pkeys array
* an index, not a pointer. */ * Probably it would make more sense to store
* an index, not a pointer.
*/
CERT_PKEY *key;
/* For servers the following masks are for the key and auth /* For servers the following masks are for the key and auth
* algorithms that are supported by the certs below. * algorithms that are supported by the certs below.

View file

@ -1009,9 +1009,11 @@ static void SSL_SESSION_list_remove(SSL_CTX *ctx, SSL_SESSION *s)
if ((s->next == NULL) || (s->prev == NULL)) return; if ((s->next == NULL) || (s->prev == NULL)) return;
if (s->next == (SSL_SESSION *)&(ctx->session_cache_tail)) if (s->next == (SSL_SESSION *)&(ctx->session_cache_tail))
{ /* last element in list */ {
/* last element in list */
if (s->prev == (SSL_SESSION *)&(ctx->session_cache_head)) if (s->prev == (SSL_SESSION *)&(ctx->session_cache_head))
{ /* only one element in list */ {
/* only one element in list */
ctx->session_cache_head=NULL; ctx->session_cache_head=NULL;
ctx->session_cache_tail=NULL; ctx->session_cache_tail=NULL;
} }
@ -1024,12 +1026,14 @@ static void SSL_SESSION_list_remove(SSL_CTX *ctx, SSL_SESSION *s)
else else
{ {
if (s->prev == (SSL_SESSION *)&(ctx->session_cache_head)) if (s->prev == (SSL_SESSION *)&(ctx->session_cache_head))
{ /* first element in list */ {
/* first element in list */
ctx->session_cache_head=s->next; ctx->session_cache_head=s->next;
s->next->prev=(SSL_SESSION *)&(ctx->session_cache_head); s->next->prev=(SSL_SESSION *)&(ctx->session_cache_head);
} }
else else
{ /* middle of list */ {
/* middle of list */
s->next->prev=s->prev; s->next->prev=s->prev;
s->prev->next=s->next; s->prev->next=s->next;
} }

View file

@ -140,8 +140,8 @@
* OTHERWISE. * OTHERWISE.
*/ */
#define _BSD_SOURCE 1 /* Or gethostname won't be declared properly /* Or gethostname won't be declared properly on Linux and GNU platforms. */
on Linux and GNU platforms. */ #define _BSD_SOURCE 1
#include <assert.h> #include <assert.h>
#include <errno.h> #include <errno.h>
@ -155,8 +155,8 @@
#include "e_os.h" #include "e_os.h"
#ifdef OPENSSL_SYS_VMS #ifdef OPENSSL_SYS_VMS
#define _XOPEN_SOURCE 500 /* Or isascii won't be declared properly on /* Or isascii won't be declared properly on VMS (at least with DECompHP C). */
VMS (at least with DECompHP C). */ #define _XOPEN_SOURCE 500
#endif #endif
#include <ctype.h> #include <ctype.h>
@ -186,11 +186,13 @@
#endif #endif
#include <openssl/bn.h> #include <openssl/bn.h>
#define _XOPEN_SOURCE_EXTENDED 1 /* Or gethostname won't be declared properly /*
on Compaq platforms (at least with DEC C). * Or gethostname won't be declared properly
Do not try to put it earlier, or IPv6 includes * on Compaq platforms (at least with DEC C).
get screwed... * Do not try to put it earlier, or IPv6 includes
*/ * get screwed...
*/
#define _XOPEN_SOURCE_EXTENDED 1
#ifdef OPENSSL_SYS_WINDOWS #ifdef OPENSSL_SYS_WINDOWS
#include <winsock.h> #include <winsock.h>

View file

@ -2264,8 +2264,11 @@ static int ssl_scan_clienthello_tlsext(SSL *s, unsigned char **p, unsigned char
return 0; return 0;
} }
if (s->s3->client_opaque_prf_input != NULL) /* shouldn't really happen */ if (s->s3->client_opaque_prf_input != NULL)
{
/* shouldn't really happen */
OPENSSL_free(s->s3->client_opaque_prf_input); OPENSSL_free(s->s3->client_opaque_prf_input);
}
/* dummy byte just to get non-NULL */ /* dummy byte just to get non-NULL */
if (s->s3->client_opaque_prf_input_len == 0) if (s->s3->client_opaque_prf_input_len == 0)
@ -2695,12 +2698,20 @@ static int ssl_scan_serverhello_tlsext(SSL *s, unsigned char **p, unsigned char
return 0; return 0;
} }
if (s->s3->server_opaque_prf_input != NULL) /* shouldn't really happen */ if (s->s3->server_opaque_prf_input != NULL)
{
/* shouldn't really happen */
OPENSSL_free(s->s3->server_opaque_prf_input); OPENSSL_free(s->s3->server_opaque_prf_input);
}
if (s->s3->server_opaque_prf_input_len == 0) if (s->s3->server_opaque_prf_input_len == 0)
s->s3->server_opaque_prf_input = OPENSSL_malloc(1); /* dummy byte just to get non-NULL */ {
/* dummy byte just to get non-NULL */
s->s3->server_opaque_prf_input = OPENSSL_malloc(1);
}
else else
{
s->s3->server_opaque_prf_input = BUF_memdup(sdata, s->s3->server_opaque_prf_input_len); s->s3->server_opaque_prf_input = BUF_memdup(sdata, s->s3->server_opaque_prf_input_len);
}
if (s->s3->server_opaque_prf_input == NULL) if (s->s3->server_opaque_prf_input == NULL)
{ {
@ -2915,13 +2926,21 @@ int ssl_prepare_clienthello_tlsext(SSL *s)
if (s->tlsext_opaque_prf_input != NULL) if (s->tlsext_opaque_prf_input != NULL)
{ {
if (s->s3->client_opaque_prf_input != NULL) /* shouldn't really happen */ if (s->s3->client_opaque_prf_input != NULL)
{
/* shouldn't really happen */
OPENSSL_free(s->s3->client_opaque_prf_input); OPENSSL_free(s->s3->client_opaque_prf_input);
}
if (s->tlsext_opaque_prf_input_len == 0) if (s->tlsext_opaque_prf_input_len == 0)
s->s3->client_opaque_prf_input = OPENSSL_malloc(1); /* dummy byte just to get non-NULL */ {
/* dummy byte just to get non-NULL */
s->s3->client_opaque_prf_input = OPENSSL_malloc(1);
}
else else
{
s->s3->client_opaque_prf_input = BUF_memdup(s->tlsext_opaque_prf_input, s->tlsext_opaque_prf_input_len); s->s3->client_opaque_prf_input = BUF_memdup(s->tlsext_opaque_prf_input, s->tlsext_opaque_prf_input_len);
}
if (s->s3->client_opaque_prf_input == NULL) if (s->s3->client_opaque_prf_input == NULL)
{ {
SSLerr(SSL_F_SSL_PREPARE_CLIENTHELLO_TLSEXT,ERR_R_MALLOC_FAILURE); SSLerr(SSL_F_SSL_PREPARE_CLIENTHELLO_TLSEXT,ERR_R_MALLOC_FAILURE);
@ -2983,8 +3002,11 @@ static int ssl_check_clienthello_tlsext_early(SSL *s)
} }
} }
if (s->s3->server_opaque_prf_input != NULL) /* shouldn't really happen */ if (s->s3->server_opaque_prf_input != NULL)
{
/* shouldn't really happen */
OPENSSL_free(s->s3->server_opaque_prf_input); OPENSSL_free(s->s3->server_opaque_prf_input);
}
s->s3->server_opaque_prf_input = NULL; s->s3->server_opaque_prf_input = NULL;
if (s->tlsext_opaque_prf_input != NULL) if (s->tlsext_opaque_prf_input != NULL)
@ -2996,9 +3018,14 @@ static int ssl_check_clienthello_tlsext_early(SSL *s)
* of the same length as the client opaque PRF input! */ * of the same length as the client opaque PRF input! */
if (s->tlsext_opaque_prf_input_len == 0) if (s->tlsext_opaque_prf_input_len == 0)
s->s3->server_opaque_prf_input = OPENSSL_malloc(1); /* dummy byte just to get non-NULL */ {
/* dummy byte just to get non-NULL */
s->s3->server_opaque_prf_input = OPENSSL_malloc(1);
}
else else
{
s->s3->server_opaque_prf_input = BUF_memdup(s->tlsext_opaque_prf_input, s->tlsext_opaque_prf_input_len); s->s3->server_opaque_prf_input = BUF_memdup(s->tlsext_opaque_prf_input, s->tlsext_opaque_prf_input_len);
}
if (s->s3->server_opaque_prf_input == NULL) if (s->s3->server_opaque_prf_input == NULL)
{ {
ret = SSL_TLSEXT_ERR_ALERT_FATAL; ret = SSL_TLSEXT_ERR_ALERT_FATAL;

View file

@ -253,9 +253,12 @@ extern "C" {
#define TLSEXT_TYPE_session_ticket 35 #define TLSEXT_TYPE_session_ticket 35
/* ExtensionType value from draft-rescorla-tls-opaque-prf-input-00.txt */ /* ExtensionType value from draft-rescorla-tls-opaque-prf-input-00.txt */
#if 0 /* will have to be provided externally for now , #if 0
* i.e. build with -DTLSEXT_TYPE_opaque_prf_input=38183 /*
* using whatever extension number you'd like to try */ * will have to be provided externally for now ,
* i.e. build with -DTLSEXT_TYPE_opaque_prf_input=38183
* using whatever extension number you'd like to try
*/
# define TLSEXT_TYPE_opaque_prf_input ?? # define TLSEXT_TYPE_opaque_prf_input ??
#endif #endif