if (peer != NULL)
{
BIO_printf(bio,"Server certificate\n");
- if (!(c_showcerts && got_a_chain)) /* Redundant if we showed the whole chain */
+
+ /* Redundant if we showed the whole chain */
+ if (!(c_showcerts && got_a_chain))
PEM_write_bio_X509(bio,peer);
X509_NAME_oneline(X509_get_subject_name(peer),
buf,sizeof buf);
}
#undef g2
- return mktime(&tm)-offset*60; /* FIXME: mktime assumes the current timezone
- * instead of UTC, and unless we rewrite OpenSSL
- * in Lisp we cannot locally change the timezone
- * without possibly interfering with other parts
- * of the program. timegm, which uses UTC, is
- * non-standard.
- * Also time_t is inappropriate for general
- * UTC times because it may a 32 bit type. */
+ /*
+ * FIXME: mktime assumes the current timezone
+ * instead of UTC, and unless we rewrite OpenSSL
+ * in Lisp we cannot locally change the timezone
+ * without possibly interfering with other parts
+ * of the program. timegm, which uses UTC, is
+ * non-standard.
+ * Also time_t is inappropriate for general
+ * UTC times because it may a 32 bit type.
+ */
+ return mktime(&tm)-offset*60;
}
#endif
wmode,sizeof(wmode)/sizeof(wmode[0])) &&
(file=_wfopen(wfilename,wmode))==NULL &&
(errno==ENOENT || errno==EBADF)
- ) /* UTF-8 decode succeeded, but no file, filename
- * could still have been locale-ized... */
+ )
+ {
+ /*
+ * UTF-8 decode succeeded, but no file, filename
+ * could still have been locale-ized...
+ */
file = fopen(filename,mode);
+ }
}
else if (GetLastError()==ERROR_NO_UNICODE_TRANSLATION)
{
case LOG_DEBUG:
evtype = EVENTLOG_INFORMATION_TYPE;
break;
- default: /* Should never happen, but set it
- as error anyway. */
+ default:
+ /*
+ * Should never happen, but set it
+ * as error anyway.
+ */
evtype = EVENTLOG_ERROR_TYPE;
break;
}
#define BN_FLG_MALLOCED 0x01
#define BN_FLG_STATIC_DATA 0x02
-#define BN_FLG_CONSTTIME 0x04 /* avoid leaking exponent information through timing,
- * BN_mod_exp_mont() will call BN_mod_exp_mont_consttime,
- * BN_div() will call BN_div_no_branch,
- * BN_mod_inverse() will call BN_mod_inverse_no_branch.
- */
+
+/*
+ * avoid leaking exponent information through timing,
+ * BN_mod_exp_mont() will call BN_mod_exp_mont_consttime,
+ * BN_div() will call BN_div_no_branch,
+ * BN_mod_inverse() will call BN_mod_inverse_no_branch.
+ */
+#define BN_FLG_CONSTTIME 0x04
#ifdef OPENSSL_USE_DEPRECATED
-#define BN_FLG_EXP_CONSTTIME BN_FLG_CONSTTIME /* deprecated name for the flag */
- /* avoid leaking exponent information through timings
- * (BN_mod_exp_mont() will call BN_mod_exp_mont_consttime) */
+/* deprecated name for the flag */
+#define BN_FLG_EXP_CONSTTIME BN_FLG_CONSTTIME
+/*
+ * avoid leaking exponent information through timings
+ * (BN_mod_exp_mont() will call BN_mod_exp_mont_consttime)
+ */
#endif
#ifdef OPENSSL_USE_DEPRECATED
case 3: A[2]=B[2];
case 2: A[1]=B[1];
case 1: A[0]=B[0];
- case 0: /* workaround for ultrix cc: without 'case 0', the optimizer does
- * the switch table by doing a=top&3; a--; goto jump_table[a];
- * which fails for top== 0 */
+ case 0:
+ /*
+ * workaround for ultrix cc: without 'case 0', the optimizer does
+ * the switch table by doing a=top&3; a--; goto jump_table[a];
+ * which fails for top== 0
+ */
;
}
}
#endif
#endif
-/* #define SIGACTION */ /* Define this if you have sigaction() */
+/* Define this if you have sigaction() */
+/* #define SIGACTION */
/* 06-Apr-92 Luke Brennan Support for VMS */
#include "des_locl.h"
#define OPENSSL_DH_FIPS_MIN_MODULUS_BITS 1024
#define DH_FLAG_CACHE_MONT_P 0x01
-#define DH_FLAG_NO_EXP_CONSTTIME 0x02 /* new with 0.9.7h; the built-in DH
- * implementation now uses constant time
- * modular exponentiation for secret exponents
- * by default. This flag causes the
- * faster variable sliding window method to
- * be used for all exponents.
- */
+
+/*
+ * new with 0.9.7h; the built-in DH
+ * implementation now uses constant time
+ * modular exponentiation for secret exponents
+ * by default. This flag causes the
+ * faster variable sliding window method to
+ * be used for all exponents.
+ */
+#define DH_FLAG_NO_EXP_CONSTTIME 0x02
/* If this flag is set the DH method is FIPS compliant and can be used
* in FIPS mode. This is set in the validated module method. If an
/* The following members are handled by the method functions,
* even if they appear generic */
- BIGNUM *field; /* Field specification.
- * For curves over GF(p), this is the modulus;
- * for curves over GF(2^m), this is the
- * irreducible polynomial defining the field.
- */
-
- int poly[6]; /* Field specification for curves over GF(2^m).
- * The irreducible f(t) is then of the form:
- * t^poly[0] + t^poly[1] + ... + t^poly[k]
- * where m = poly[0] > poly[1] > ... > poly[k] = 0.
- * The array is terminated with poly[k+1]=-1.
- * All elliptic curve irreducibles have at most 5
- * non-zero terms.
- */
-
- BIGNUM *a, *b; /* Curve coefficients.
- * (Here the assumption is that BIGNUMs can be used
- * or abused for all kinds of fields, not just GF(p).)
- * For characteristic > 3, the curve is defined
- * by a Weierstrass equation of the form
- * y^2 = x^3 + a*x + b.
- * For characteristic 2, the curve is defined by
- * an equation of the form
- * y^2 + x*y = x^3 + a*x^2 + b.
- */
-
- int a_is_minus3; /* enable optimized point arithmetics for special case */
-
- void *field_data1; /* method-specific (e.g., Montgomery structure) */
- void *field_data2; /* method-specific */
- int (*field_mod_func)(BIGNUM *, const BIGNUM *, const BIGNUM *, BN_CTX *); /* method-specific */
-
- BN_MONT_CTX *mont_data; /* data for ECDSA inverse */
+ /* Field specification.
+ * For curves over GF(p), this is the modulus;
+ * for curves over GF(2^m), this is the
+ * irreducible polynomial defining the field.
+ */
+ BIGNUM *field;
+
+ /* Field specification for curves over GF(2^m).
+ * The irreducible f(t) is then of the form:
+ * t^poly[0] + t^poly[1] + ... + t^poly[k]
+ * where m = poly[0] > poly[1] > ... > poly[k] = 0.
+ * The array is terminated with poly[k+1]=-1.
+ * All elliptic curve irreducibles have at most 5
+ * non-zero terms.
+ */
+ int poly[6];
+
+ /* Curve coefficients.
+ * (Here the assumption is that BIGNUMs can be used
+ * or abused for all kinds of fields, not just GF(p).)
+ * For characteristic > 3, the curve is defined
+ * by a Weierstrass equation of the form
+ * y^2 = x^3 + a*x + b.
+ * For characteristic 2, the curve is defined by
+ * an equation of the form
+ * y^2 + x*y = x^3 + a*x^2 + b.
+ */
+ BIGNUM *a, *b;
+
+ /* enable optimized point arithmetics for special case */
+ int a_is_minus3;
+
+ /* method-specific (e.g., Montgomery structure) */
+ void *field_data1;
+
+ /* method-specific */
+ void *field_data2;
+
+ /* method-specific */
+ int (*field_mod_func)(BIGNUM *, const BIGNUM *, const BIGNUM *, BN_CTX *);
+
+ /* data for ECDSA inverse */
+ BN_MONT_CTX *mont_data;
} /* EC_GROUP */;
struct ec_key_st {
felem_assign(z3, z_out);
}
-/* select_point selects the |idx|th point from a precomputation table and
- * copies it to out. */
-static void select_point(const u64 idx, unsigned int size, const felem pre_comp[/*size*/][3], felem out[3])
+/*
+ * select_point selects the |idx|th point from a precomputation table and
+ * copies it to out.
+ * The pre_comp array argument should be size of |size| argument
+ */
+static void select_point(const u64 idx, unsigned int size, const felem pre_comp[][3], felem out[3])
{
unsigned i, j;
limb *outlimbs = &out[0][0];
unsigned int m_length,const unsigned char *sigbuf,
unsigned int siglen, void *key);
-#define EVP_MD_FLAG_ONESHOT 0x0001 /* digest can only handle a single
- * block */
-
-#define EVP_MD_FLAG_PKEY_DIGEST 0x0002 /* digest is a "clone" digest used
- * which is a copy of an existing
- * one for a specific public key type.
- * EVP_dss1() etc */
+/* digest can only handle a single block */
+#define EVP_MD_FLAG_ONESHOT 0x0001
+
+/*
+ * digest is a "clone" digest used
+ * which is a copy of an existing
+ * one for a specific public key type.
+ * EVP_dss1() etc
+ */
+#define EVP_MD_FLAG_PKEY_DIGEST 0x0002
/* Digest uses EVP_PKEY_METHOD for signing instead of MD specific signing */
#define EVP_MD_FLAG_DIGALGID_CUSTOM 0x0018
-#define EVP_MD_FLAG_FIPS 0x0400 /* Note if suitable for use in FIPS mode */
+/* Note if suitable for use in FIPS mode */
+#define EVP_MD_FLAG_FIPS 0x0400
/* Digest ctrls */
{
int nid;
int block_size;
- int key_len; /* Default value for variable length ciphers */
+
+ /* Default value for variable length ciphers */
+ int key_len;
int iv_len;
- unsigned long flags; /* Various flags */
+
+ /* Various flags */
+ unsigned long flags;
+
+ /* init key */
int (*init)(EVP_CIPHER_CTX *ctx, const unsigned char *key,
- const unsigned char *iv, int enc); /* init key */
+ const unsigned char *iv, int enc);
+
+ /* encrypt/decrypt data */
int (*do_cipher)(EVP_CIPHER_CTX *ctx, unsigned char *out,
- const unsigned char *in, size_t inl);/* encrypt/decrypt data */
- int (*cleanup)(EVP_CIPHER_CTX *); /* cleanup ctx */
- int ctx_size; /* how big ctx->cipher_data needs to be */
- int (*set_asn1_parameters)(EVP_CIPHER_CTX *, ASN1_TYPE *); /* Populate a ASN1_TYPE with parameters */
- int (*get_asn1_parameters)(EVP_CIPHER_CTX *, ASN1_TYPE *); /* Get parameters from a ASN1_TYPE */
- int (*ctrl)(EVP_CIPHER_CTX *, int type, int arg, void *ptr); /* Miscellaneous operations */
- void *app_data; /* Application data */
+ const unsigned char *in, size_t inl);
+
+ /* cleanup ctx */
+ int (*cleanup)(EVP_CIPHER_CTX *);
+
+ /* how big ctx->cipher_data needs to be */
+ int ctx_size;
+
+ /* Populate a ASN1_TYPE with parameters */
+ int (*set_asn1_parameters)(EVP_CIPHER_CTX *, ASN1_TYPE *);
+
+ /* Get parameters from a ASN1_TYPE */
+ int (*get_asn1_parameters)(EVP_CIPHER_CTX *, ASN1_TYPE *);
+
+ /* Miscellaneous operations */
+ int (*ctrl)(EVP_CIPHER_CTX *, int type, int arg, void *ptr);
+
+ /* Application data */
+ void *app_data;
} /* EVP_CIPHER */;
/* Values for cipher flags */
typedef struct evp_Encode_Ctx_st
{
- int num; /* number saved in a partial encode/decode */
- int length; /* The length is either the output line length
- * (in input bytes) or the shortest input line
- * length that is ok. Once decoding begins,
- * the length is adjusted up each time a longer
- * line is decoded */
- unsigned char enc_data[80]; /* data to encode */
- int line_num; /* number read on current line */
+ /* number saved in a partial encode/decode */
+ int num;
+
+ /* The length is either the output line length
+ * (in input bytes) or the shortest input line
+ * length that is ok. Once decoding begins,
+ * the length is adjusted up each time a longer
+ * line is decoded
+ */
+ int length;
+
+ /* data to encode */
+ unsigned char enc_data[80];
+
+ /* number read on current line */
+ int line_num;
int expect_nl;
} EVP_ENCODE_CTX;
#include <lmcons.h>
#include <lmstats.h>
-#if 1 /* The NET API is Unicode only. It requires the use of the UNICODE
- * macro. When UNICODE is defined LPTSTR becomes LPWSTR. LMSTR was
- * was added to the Platform SDK to allow the NET API to be used in
- * non-Unicode applications provided that Unicode strings were still
- * used for input. LMSTR is defined as LPWSTR.
- */
+#if 1
+/* The NET API is Unicode only. It requires the use of the UNICODE
+ * macro. When UNICODE is defined LPTSTR becomes LPWSTR. LMSTR was
+ * was added to the Platform SDK to allow the NET API to be used in
+ * non-Unicode applications provided that Unicode strings were still
+ * used for input. LMSTR is defined as LPWSTR.
+ */
typedef NET_API_STATUS (NET_API_FUNCTION * NETSTATGET)
(LPWSTR, LPWSTR, DWORD, DWORD, LPBYTE*);
typedef NET_API_STATUS (NET_API_FUNCTION * NETFREE)(LPBYTE);
# define OPENSSL_RSA_SMALL_MODULUS_BITS 3072
#endif
#ifndef OPENSSL_RSA_MAX_PUBEXP_BITS
-# define OPENSSL_RSA_MAX_PUBEXP_BITS 64 /* exponent limit enforced for "large" modulus only */
+
+/* exponent limit enforced for "large" modulus only */
+# define OPENSSL_RSA_MAX_PUBEXP_BITS 64
#endif
#define RSA_3 0x3L
*/
#define RSA_FLAG_SIGN_VER 0x0040
-#define RSA_FLAG_NO_BLINDING 0x0080 /* new with 0.9.6j and 0.9.7b; the built-in
- * RSA implementation now uses blinding by
- * default (ignoring RSA_FLAG_BLINDING),
- * but other engines might not need it
- */
-#define RSA_FLAG_NO_CONSTTIME 0x0100 /* new with 0.9.8f; the built-in RSA
- * implementation now uses constant time
- * operations by default in private key operations,
- * e.g., constant time modular exponentiation,
- * modular inverse without leaking branches,
- * division without leaking branches. This
- * flag disables these constant time
- * operations and results in faster RSA
- * private key operations.
- */
+/*
+ * new with 0.9.6j and 0.9.7b; the built-in
+ * RSA implementation now uses blinding by
+ * default (ignoring RSA_FLAG_BLINDING),
+ * but other engines might not need it
+ */
+#define RSA_FLAG_NO_BLINDING 0x0080
+/*
+ * new with 0.9.8f; the built-in RSA
+ * implementation now uses constant time
+ * operations by default in private key operations,
+ * e.g., constant time modular exponentiation,
+ * modular inverse without leaking branches,
+ * division without leaking branches. This
+ * flag disables these constant time
+ * operations and results in faster RSA
+ * private key operations.
+ */
+#define RSA_FLAG_NO_CONSTTIME 0x0100
#ifdef OPENSSL_USE_DEPRECATED
-#define RSA_FLAG_NO_EXP_CONSTTIME RSA_FLAG_NO_CONSTTIME /* deprecated name for the flag*/
- /* new with 0.9.7h; the built-in RSA
- * implementation now uses constant time
- * modular exponentiation for secret exponents
- * by default. This flag causes the
- * faster variable sliding window method to
- * be used for all exponents.
- */
+/* deprecated name for the flag*/
+/*
+ * new with 0.9.7h; the built-in RSA
+ * implementation now uses constant time
+ * modular exponentiation for secret exponents
+ * by default. This flag causes the
+ * faster variable sliding window method to
+ * be used for all exponents.
+ */
+#define RSA_FLAG_NO_EXP_CONSTTIME RSA_FLAG_NO_CONSTTIME
#endif
{
/* resort to rsa->mt_blinding instead */
- *local = 0; /* instructs rsa_blinding_convert(), rsa_blinding_invert()
- * that the BN_BLINDING is shared, meaning that accesses
- * require locks, and that the blinding factor must be
- * stored outside the BN_BLINDING
- */
+ /* instructs rsa_blinding_convert(), rsa_blinding_invert()
+ * that the BN_BLINDING is shared, meaning that accesses
+ * require locks, and that the blinding factor must be
+ * stored outside the BN_BLINDING
+ */
+ *local = 0;
if (rsa->mt_blinding == NULL)
{
* being exactly 64-bit wide. See Implementation Notes in sha512.c
* for further details.
*/
-#define SHA512_CBLOCK (SHA_LBLOCK*8) /* SHA-512 treats input data as a
- * contiguous array of 64 bit
- * wide big-endian values. */
+/*
+ * SHA-512 treats input data as a
+ * contiguous array of 64 bit
+ * wide big-endian values.
+ */
+#define SHA512_CBLOCK (SHA_LBLOCK*8)
#if (defined(_WIN32) || defined(_WIN64)) && !defined(__MINGW32__)
#define SHA_LONG64 unsigned __int64
#define U64(C) C##UI64
_STACK stack; \
};
-#define IMPLEMENT_STACK_OF(type) /* nada (obsolete in new safestack approach)*/
+/* nada (obsolete in new safestack approach)*/
+#define IMPLEMENT_STACK_OF(type)
/*-
DECLARE_STACK_OF(MEM_OBJECT_DATA)
struct mem_data_st
{
- STACK_OF(MEM_OBJECT_DATA) *data; /* sorted with
- * STORE_ATTR_INFO_compare(). */
- unsigned int compute_components : 1; /* Currently unused, but can
- be used to add attributes
- from parts of the data. */
+ /*
+ * sorted with
+ * STORE_ATTR_INFO_compare().
+ */
+ STACK_OF(MEM_OBJECT_DATA) *data;
+ /*
+ * Currently unused, but can
+ * be used to add attributes
+ * from parts of the data.
+ */
+ unsigned int compute_components : 1;
};
DECLARE_STACK_OF(STORE_ATTR_INFO)
struct mem_ctx_st
{
- int type; /* The type we're searching for */
- STACK_OF(STORE_ATTR_INFO) *search_attributes; /* Sets of
- attributes to search for. Each
- element is a STORE_ATTR_INFO. */
- int search_index; /* which of the search attributes we
- found a match for, -1 when we still
- haven't found any */
- int index; /* -1 as long as we're searching for
- the first */
+ /* The type we're searching for */
+ int type;
+ /*
+ * Sets of
+ * attributes to search for. Each
+ * element is a STORE_ATTR_INFO.
+ */
+ STACK_OF(STORE_ATTR_INFO) *search_attributes;
+ /*
+ * which of the search attributes we
+ * found a match for, -1 when we still
+ * haven't found any
+ */
+ int search_index;
+ /* -1 as long as we're searching for the first */
+ int index;
};
static int mem_init(STORE *s);
# define SMALL_REGISTER_BANK
# if defined(WHIRLPOOL_ASM)
# ifndef OPENSSL_SMALL_FOOTPRINT
-# define OPENSSL_SMALL_FOOTPRINT /* it appears that for elder non-MMX
- CPUs this is actually faster! */
+/*
+ * it appears that for elder non-MMX
+ * CPUs this is actually faster!
+ */
+# define OPENSSL_SMALL_FOOTPRINT
# endif
# define GO_FOR_MMX(ctx,inp,num) do { \
extern unsigned long OPENSSL_ia32cap_P[]; \
X509_VERIFY_PARAM *param;
/* Callbacks for various operations */
- int (*verify)(X509_STORE_CTX *ctx); /* called to verify a certificate */
- int (*verify_cb)(int ok,X509_STORE_CTX *ctx); /* error callback */
- int (*get_issuer)(X509 **issuer, X509_STORE_CTX *ctx, X509 *x); /* get issuers cert from ctx */
- int (*check_issued)(X509_STORE_CTX *ctx, X509 *x, X509 *issuer); /* check issued */
- int (*check_revocation)(X509_STORE_CTX *ctx); /* Check revocation status of chain */
- int (*get_crl)(X509_STORE_CTX *ctx, X509_CRL **crl, X509 *x); /* retrieve CRL */
- int (*check_crl)(X509_STORE_CTX *ctx, X509_CRL *crl); /* Check CRL validity */
- int (*cert_crl)(X509_STORE_CTX *ctx, X509_CRL *crl, X509 *x); /* Check certificate against CRL */
+ /* called to verify a certificate */
+ int (*verify)(X509_STORE_CTX *ctx);
+ /* error callback */
+ int (*verify_cb)(int ok,X509_STORE_CTX *ctx);
+ /* get issuers cert from ctx */
+ int (*get_issuer)(X509 **issuer, X509_STORE_CTX *ctx, X509 *x);
+ /* check issued */
+ int (*check_issued)(X509_STORE_CTX *ctx, X509 *x, X509 *issuer);
+ /* Check revocation status of chain */
+ int (*check_revocation)(X509_STORE_CTX *ctx);
+ /* retrieve CRL */
+ int (*get_crl)(X509_STORE_CTX *ctx, X509_CRL **crl, X509 *x);
+ /* Check CRL validity */
+ int (*check_crl)(X509_STORE_CTX *ctx, X509_CRL *crl);
+ /* Check certificate against CRL */
+ int (*cert_crl)(X509_STORE_CTX *ctx, X509_CRL *crl, X509 *x);
STACK_OF(X509) * (*lookup_certs)(X509_STORE_CTX *ctx, X509_NAME *nm);
STACK_OF(X509_CRL) * (*lookup_crls)(X509_STORE_CTX *ctx, X509_NAME *nm);
int (*cleanup)(X509_STORE_CTX *ctx);
struct x509_store_ctx_st /* X509_STORE_CTX */
{
X509_STORE *ctx;
- int current_method; /* used when looking up certs */
+ /* used when looking up certs */
+ int current_method;
/* The following are set by the caller */
- X509 *cert; /* The cert to check */
- STACK_OF(X509) *untrusted; /* chain of X509s - untrusted - passed in */
- STACK_OF(X509_CRL) *crls; /* set of CRLs passed in */
+ /* The cert to check */
+ X509 *cert;
+ /* chain of X509s - untrusted - passed in */
+ STACK_OF(X509) *untrusted;
+ /* set of CRLs passed in */
+ STACK_OF(X509_CRL) *crls;
X509_VERIFY_PARAM *param;
- void *other_ctx; /* Other info for use with get_issuer() */
+ /* Other info for use with get_issuer() */
+ void *other_ctx;
/* Callbacks for various operations */
- int (*verify)(X509_STORE_CTX *ctx); /* called to verify a certificate */
- int (*verify_cb)(int ok,X509_STORE_CTX *ctx); /* error callback */
- int (*get_issuer)(X509 **issuer, X509_STORE_CTX *ctx, X509 *x); /* get issuers cert from ctx */
- int (*check_issued)(X509_STORE_CTX *ctx, X509 *x, X509 *issuer); /* check issued */
- int (*check_revocation)(X509_STORE_CTX *ctx); /* Check revocation status of chain */
- int (*get_crl)(X509_STORE_CTX *ctx, X509_CRL **crl, X509 *x); /* retrieve CRL */
- int (*check_crl)(X509_STORE_CTX *ctx, X509_CRL *crl); /* Check CRL validity */
- int (*cert_crl)(X509_STORE_CTX *ctx, X509_CRL *crl, X509 *x); /* Check certificate against CRL */
+ /* called to verify a certificate */
+ int (*verify)(X509_STORE_CTX *ctx);
+ /* error callback */
+ int (*verify_cb)(int ok,X509_STORE_CTX *ctx);
+ /* get issuers cert from ctx */
+ int (*get_issuer)(X509 **issuer, X509_STORE_CTX *ctx, X509 *x);
+ /* check issued */
+ int (*check_issued)(X509_STORE_CTX *ctx, X509 *x, X509 *issuer);
+ /* Check revocation status of chain */
+ int (*check_revocation)(X509_STORE_CTX *ctx);
+ /* retrieve CRL */
+ int (*get_crl)(X509_STORE_CTX *ctx, X509_CRL **crl, X509 *x);
+ /* Check CRL validity */
+ int (*check_crl)(X509_STORE_CTX *ctx, X509_CRL *crl);
+ /* Check certificate against CRL */
+ int (*cert_crl)(X509_STORE_CTX *ctx, X509_CRL *crl, X509 *x);
int (*check_policy)(X509_STORE_CTX *ctx);
STACK_OF(X509) * (*lookup_certs)(X509_STORE_CTX *ctx, X509_NAME *nm);
STACK_OF(X509_CRL) * (*lookup_crls)(X509_STORE_CTX *ctx, X509_NAME *nm);
int (*cleanup)(X509_STORE_CTX *ctx);
/* The following is built up */
- int valid; /* if 0, rebuild chain */
- int last_untrusted; /* index of last untrusted cert */
- STACK_OF(X509) *chain; /* chain of X509s - built up and trusted */
- X509_POLICY_TREE *tree; /* Valid policy tree */
-
- int explicit_policy; /* Require explicit policy value */
+ /* if 0, rebuild chain */
+ int valid;
+ /* index of last untrusted cert */
+ int last_untrusted;
+ /* chain of X509s - built up and trusted */
+ STACK_OF(X509) *chain;
+ /* Valid policy tree */
+ X509_POLICY_TREE *tree;
+
+ /* Require explicit policy value */
+ int explicit_policy;
/* When something goes wrong, this is why */
int error_depth;
int error;
X509 *current_cert;
- X509 *current_issuer; /* cert currently being tested as valid issuer */
- X509_CRL *current_crl; /* current CRL */
-
- int current_crl_score; /* score of current CRL */
- unsigned int current_reasons; /* Reason mask */
-
- X509_STORE_CTX *parent; /* For CRL path validation: parent context */
+ /* cert currently being tested as valid issuer */
+ X509 *current_issuer;
+ /* current CRL */
+ X509_CRL *current_crl;
+
+ /* score of current CRL */
+ int current_crl_score;
+ /* Reason mask */
+ unsigned int current_reasons;
+
+ /* For CRL path validation: parent context */
+ X509_STORE_CTX *parent;
CRYPTO_EX_DATA ex_data;
} /* X509_STORE_CTX */;
}
}
- if (EVP_PKEY_size(pk) <= 1024/8)/* /8 because it's 1024 bits we look
- for, not bytes */
+ /* /8 because it's 1024 bits we look for, not bytes */
+ if (EVP_PKEY_size(pk) <= 1024/8)
ret|=EVP_PKT_EXP;
if(pkey==NULL) EVP_PKEY_free(pk);
return(ret);
SSL_CTX_set_verify_depth(ret, a.verify_depth);
if (a.ca_file != NULL) {
- r = SSL_CTX_load_verify_locations(ret, a.ca_file, NULL /* no CA-directory */); /* does not report failure if file does not exist ... */
+ /* does not report failure if file does not exist ... */
+ /* NULL argument means no CA-directory */
+ r = SSL_CTX_load_verify_locations(ret, a.ca_file, NULL);
if (!r) {
err_pref_1 = " while processing certificate file ";
err_pref_2 = a.ca_file;
/* Prepare the argument and response */
- outLen = CORRECT_ENDIANNESS(privKey->qLength) * 2; /* Correct endianess is used
- because the fields were converted above */
+ /* Correct endianess is used because the fields were converted above */
+ outLen = CORRECT_ENDIANNESS(privKey->qLength) * 2;
if (outLen > 256) {
IBMCAerr(IBMCA_F_IBMCA_MOD_EXP_CRT,IBMCA_R_OUTLEN_TO_LARGE);
__declspec(dllexport)
void **
#if defined(__BORLANDC__)
-__stdcall /* __stdcall appears to be the only way to get the name
- * decoration right with Borland C. Otherwise it works
- * purely incidentally, as we pass no parameters. */
+/*
+ * __stdcall appears to be the only way to get the name
+ * decoration right with Borland C. Otherwise it works
+ * purely incidentally, as we pass no parameters.
+ */
+__stdcall
#else
__cdecl
#endif
again:
i = dtls1_get_message_fragment(s, st1, stn, max, ok);
if ( i == DTLS1_HM_BAD_FRAGMENT ||
- i == DTLS1_HM_FRAGMENT_RETRY) /* bad fragment received */
+ i == DTLS1_HM_FRAGMENT_RETRY)
+ {
+ /* bad fragment received */
goto again;
+ }
else if ( i <= 0 && !*ok)
+ {
return i;
+ }
p = (unsigned char *)s->init_buf->data;
msg_len = msg_hdr->msg_len;
}
#ifndef OPENSSL_NO_HEARTBEATS
- if (!SSL_in_init(s) && !s->tlsext_hb_pending) /* done, no need to send a retransmit */
+ /* done, no need to send a retransmit */
+ if (!SSL_in_init(s) && !s->tlsext_hb_pending)
#else
- if (!SSL_in_init(s)) /* done, no need to send a retransmit */
+ /* done, no need to send a retransmit */
+ if (!SSL_in_init(s))
#endif
{
BIO_set_flags(SSL_get_rbio(s), BIO_FLAGS_READ);
(((PQ_64BIT)s->d1->handshake_read_seq) << 32) |
((PQ_64BIT)s->d1->r_msg_hdr.frag_off);
- if ( ! SSL_in_init(s)) /* if we're not (re)negotiating,
- nothing buffered */
+ /* if we're not (re)negotiating, nothing buffered */
+ if ( ! SSL_in_init(s))
return 0;
int ssl23_get_client_hello(SSL *s)
{
- char buf_space[11]; /* Request this many bytes in initial read.
- * We can detect SSL 3.0/TLS 1.0 Client Hellos
- * ('type == 3') correctly only when the following
- * is in a single record, which is not guaranteed by
- * the protocol specification:
- * Byte Content
- * 0 type \
- * 1/2 version > record header
- * 3/4 length /
- * 5 msg_type \
- * 6-8 length > Client Hello message
- * 9/10 client_version /
- */
+ /*-
+ * Request this many bytes in initial read.
+ * We can detect SSL 3.0/TLS 1.0 Client Hellos
+ * ('type == 3') correctly only when the following
+ * is in a single record, which is not guaranteed by
+ * the protocol specification:
+ * Byte Content
+ * 0 type \
+ * 1/2 version > record header
+ * 3/4 length /
+ * 5 msg_type \
+ * 6-8 length > Client Hello message
+ * 9/10 client_version /
+ */
+ char buf_space[11];
char *buf= &(buf_space[0]);
unsigned char *p,*d,*d_len,*dd;
unsigned int i;
*/
#endif
+ /* 64 argument should actually be 36+4 :-) */
n=s->method->ssl_get_message(s,
a,
b,
SSL3_MT_FINISHED,
- 64, /* should actually be 36+4 :-) */
+ 64,
&ok);
if (!ok) return((int)n);
int verify_mode;
unsigned int sid_ctx_length;
unsigned char sid_ctx[SSL_MAX_SID_CTX_LENGTH];
- int (*default_verify_callback)(int ok,X509_STORE_CTX *ctx); /* called 'verify_callback' in the SSL */
+ /* called 'verify_callback' in the SSL */
+ int (*default_verify_callback)(int ok,X509_STORE_CTX *ctx);
/* Default generate session ID callback. */
GEN_SESSION_CB generate_session_id;
* (one of SSL2_VERSION, SSL3_VERSION, TLS1_VERSION, DTLS1_VERSION)
*/
int version;
- int type; /* SSL_ST_CONNECT or SSL_ST_ACCEPT */
+ /* SSL_ST_CONNECT or SSL_ST_ACCEPT */
+ int type;
- const SSL_METHOD *method; /* SSLv3 */
+ /* SSLv3 */
+ const SSL_METHOD *method;
/* There are 2 BIO's even though they are normally both the
* same. This is so data can be read and written to different
* handlers */
#ifndef OPENSSL_NO_BIO
- BIO *rbio; /* used by SSL_read */
- BIO *wbio; /* used by SSL_write */
- BIO *bbio; /* used during session-id reuse to concatenate
- * messages */
+ /* used by SSL_read */
+ BIO *rbio;
+ /* used by SSL_write */
+ BIO *wbio;
+ /* used during session-id reuse to concatenate messages */
+ BIO *bbio;
#else
- char *rbio; /* used by SSL_read */
- char *wbio; /* used by SSL_write */
+ /* used by SSL_read */
+ char *rbio;
+ /* used by SSL_write */
+ char *wbio;
char *bbio;
#endif
/* This holds a variable that indicates what we were doing
* test instead of an "init" member.
*/
- int server; /* are we the server side? - mostly used by SSL_clear*/
+ /* are we the server side? - mostly used by SSL_clear*/
+ int server;
- int new_session;/* Generate a new session or reuse an old one.
- * NB: For servers, the 'new' session may actually be a previously
- * cached session or even the previous session unless
- * SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION is set */
- int quiet_shutdown;/* don't send shutdown packets */
- int shutdown; /* we have shut things down, 0x01 sent, 0x02
- * for received */
- int state; /* where we are */
- int rstate; /* where we are when reading */
+ /*
+ * Generate a new session or reuse an old one.
+ * NB: For servers, the 'new' session may actually be a previously
+ * cached session or even the previous session unless
+ * SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION is set
+ */
+ int new_session;
+ /* don't send shutdown packets */
+ int quiet_shutdown;
+ /* we have shut things down, 0x01 sent, 0x02 for received */
+ int shutdown;
+ /* where we are */
+ int state;
+ /* where we are when reading */
+ int rstate;
BUF_MEM *init_buf; /* buffer used during init */
void *init_msg; /* pointer to handshake message body, set by ssl3_get_message() */
GEN_SESSION_CB generate_session_id;
/* Used in SSL3 */
- int verify_mode; /* 0 don't care about verify failure.
- * 1 fail if verify fails */
- int (*verify_callback)(int ok,X509_STORE_CTX *ctx); /* fail if callback returns 0 */
+ /*
+ * 0 don't care about verify failure.
+ * 1 fail if verify fails
+ */
+ int verify_mode;
+ /* fail if callback returns 0 */
+ int (*verify_callback)(int ok,X509_STORE_CTX *ctx);
- void (*info_callback)(const SSL *ssl,int type,int val); /* optional informational callback */
+ /* optional informational callback */
+ void (*info_callback)(const SSL *ssl,int type,int val);
- int error; /* error bytes to be written */
- int error_code; /* actual code */
+ /* error bytes to be written */
+ int error;
+ /* actual code */
+ int error_code;
#ifndef OPENSSL_NO_KRB5
- KSSL_CTX *kssl_ctx; /* Kerberos 5 context */
+ /* Kerberos 5 context */
+ KSSL_CTX *kssl_ctx;
#endif /* OPENSSL_NO_KRB5 */
#ifndef OPENSSL_NO_PSK
STACK_OF(X509_NAME) *client_CA;
int references;
- unsigned long options; /* protocol behaviour */
- unsigned long mode; /* API behaviour */
+ /* protocol behaviour */
+ unsigned long options;
+ /* API behaviour */
+ unsigned long mode;
long max_cert_list;
int first_packet;
- int client_version; /* what was passed, used for
- * SSLv3/TLS rollback check */
+ /* what was passed, used for SSLv3/TLS rollback check */
+ int client_version;
unsigned int max_send_fragment;
#ifndef OPENSSL_NO_TLSEXT
/* TLS extension debug callback */
void *arg);
void *tlsext_debug_arg;
char *tlsext_hostname;
- int servername_done; /* no further mod of servername
- 0 : call the servername extension callback.
- 1 : prepare 2, allow last ack just after in server callback.
- 2 : don't call servername callback, no ack in server hello
- */
+ /*-
+ * no further mod of servername
+ * 0 : call the servername extension callback.
+ * 1 : prepare 2, allow last ack just after in server callback.
+ * 2 : don't call servername callback, no ack in server hello
+ */
+ int servername_done;
/* certificate status request info */
/* Status type or -1 if no status type */
int tlsext_status_type;
int tlsext_ticket_expected;
#ifndef OPENSSL_NO_EC
size_t tlsext_ecpointformatlist_length;
- unsigned char *tlsext_ecpointformatlist; /* our list */
+ /* our list */
+ unsigned char *tlsext_ecpointformatlist;
size_t tlsext_ellipticcurvelist_length;
- unsigned char *tlsext_ellipticcurvelist; /* our list */
+ /* our list */
+ unsigned char *tlsext_ellipticcurvelist;
#endif /* OPENSSL_NO_EC */
/* draft-rescorla-tls-opaque-prf-input-00.txt information to be used for handshakes */
#define session_ctx initial_ctx
- STACK_OF(SRTP_PROTECTION_PROFILE) *srtp_profiles; /* What we'll do */
- SRTP_PROTECTION_PROFILE *srtp_profile; /* What's been chosen */
+ /* What we'll do */
+ STACK_OF(SRTP_PROTECTION_PROFILE) *srtp_profiles;
+ /* What's been chosen */
+ SRTP_PROTECTION_PROFILE *srtp_profile;
- unsigned int tlsext_heartbeat; /* Is use of the Heartbeat extension negotiated?
- 0: disabled
- 1: enabled
- 2: enabled, but not allowed to send Requests
- */
- unsigned int tlsext_hb_pending; /* Indicates if a HeartbeatRequest is in flight */
- unsigned int tlsext_hb_seq; /* HeartbeatRequest sequence number */
+ /*-
+ * Is use of the Heartbeat extension negotiated?
+ * 0: disabled
+ * 1: enabled
+ * 2: enabled, but not allowed to send Requests
+ */
+ unsigned int tlsext_heartbeat;
+ /* Indicates if a HeartbeatRequest is in flight */
+ unsigned int tlsext_hb_pending;
+ /* HeartbeatRequest sequence number */
+ unsigned int tlsext_hb_seq;
/* For a client, this contains the list of supported protocols in wire
* format. */
#define session_ctx ctx
#endif /* OPENSSL_NO_TLSEXT */
- int renegotiate;/* 1 if we are renegotiating.
- * 2 if we are a server and are inside a handshake
- * (i.e. not just sending a HelloRequest) */
+ /*-
+ * 1 if we are renegotiating.
+ * 2 if we are a server and are inside a handshake
+ * (i.e. not just sending a HelloRequest)
+ */
+ int renegotiate;
#ifndef OPENSSL_NO_SRP
- SRP_CTX srp_ctx; /* ctx for SRP authentication */
+ /* ctx for SRP authentication */
+ SRP_CTX srp_ctx;
#endif
/* Callback for disabling session caching and ticket support
typedef struct ssl3_record_st
{
-/*r */ int type; /* type of record */
-/*rw*/ unsigned int length; /* How many bytes available */
-/*rw*/ unsigned int orig_len; /* How many bytes were available before padding
- was removed? This is used to implement the
- MAC check in constant time for CBC records.
- */
-/*r */ unsigned int off; /* read/write offset into 'buf' */
-/*rw*/ unsigned char *data; /* pointer to the record data */
-/*rw*/ unsigned char *input; /* where the decode bytes are */
-/*r */ unsigned char *comp; /* only used with decompression - malloc()ed */
-/*r */ unsigned long epoch; /* epoch number, needed by DTLS1 */
-/*r */ unsigned char seq_num[8]; /* sequence number, needed by DTLS1 */
+ /* type of record */
+/*r */ int type;
+ /* How many bytes available */
+/*rw*/ unsigned int length;
+ /* How many bytes were available before padding
+ * was removed? This is used to implement the
+ * MAC check in constant time for CBC records.
+ */
+/*rw*/ unsigned int orig_len;
+ /* read/write offset into 'buf' */
+/*r */ unsigned int off;
+ /* pointer to the record data */
+/*rw*/ unsigned char *data;
+ /* where the decode bytes are */
+/*rw*/ unsigned char *input;
+ /* only used with decompression - malloc()ed */
+/*r */ unsigned char *comp;
+ /* epoch number, needed by DTLS1 */
+/*r */ unsigned long epoch;
+ /* sequence number, needed by DTLS1 */
+/*r */ unsigned char seq_num[8];
} SSL3_RECORD;
typedef struct ssl3_buffer_st
{
- unsigned char *buf; /* at least SSL3_RT_MAX_PACKET_SIZE bytes,
- * see ssl3_setup_buffers() */
- size_t len; /* buffer size */
- int offset; /* where to 'copy from' */
- int left; /* how many bytes left */
+ /* at least SSL3_RT_MAX_PACKET_SIZE bytes, see ssl3_setup_buffers() */
+ unsigned char *buf;
+ /* buffer size */
+ size_t len;
+ /* where to 'copy from' */
+ int offset;
+ /* how many bytes left */
+ int left;
} SSL3_BUFFER;
#endif
s->hit=0;
s->shutdown=0;
-#if 0 /* Disabled since version 1.10 of this file (early return not
- * needed because SSL_clear is not called when doing renegotiation) */
- /* This is set if we are doing dynamic renegotiation so keep
- * the old cipher. It is sort of a SSL_clear_lite :-) */
+#if 0
+ /*
+ * Disabled since version 1.10 of this file (early return not
+ * needed because SSL_clear is not called when doing renegotiation)
+ */
+ /*
+ * This is set if we are doing dynamic renegotiation so keep
+ * the old cipher. It is sort of a SSL_clear_lite :-)
+ */
if (s->renegotiate) return(1);
#else
if (s->renegotiate)
typedef struct cert_st
{
/* Current active set */
- CERT_PKEY *key; /* ALWAYS points to an element of the pkeys array
- * Probably it would make more sense to store
- * an index, not a pointer. */
+ /*
+ * ALWAYS points to an element of the pkeys array
+ * Probably it would make more sense to store
+ * an index, not a pointer.
+ */
+ CERT_PKEY *key;
/* For servers the following masks are for the key and auth
* algorithms that are supported by the certs below.
if ((s->next == NULL) || (s->prev == NULL)) return;
if (s->next == (SSL_SESSION *)&(ctx->session_cache_tail))
- { /* last element in list */
+ {
+ /* last element in list */
if (s->prev == (SSL_SESSION *)&(ctx->session_cache_head))
- { /* only one element in list */
+ {
+ /* only one element in list */
ctx->session_cache_head=NULL;
ctx->session_cache_tail=NULL;
}
else
{
if (s->prev == (SSL_SESSION *)&(ctx->session_cache_head))
- { /* first element in list */
+ {
+ /* first element in list */
ctx->session_cache_head=s->next;
s->next->prev=(SSL_SESSION *)&(ctx->session_cache_head);
}
else
- { /* middle of list */
+ {
+ /* middle of list */
s->next->prev=s->prev;
s->prev->next=s->next;
}
* OTHERWISE.
*/
-#define _BSD_SOURCE 1 /* Or gethostname won't be declared properly
- on Linux and GNU platforms. */
+/* Or gethostname won't be declared properly on Linux and GNU platforms. */
+#define _BSD_SOURCE 1
#include <assert.h>
#include <errno.h>
#include "e_os.h"
#ifdef OPENSSL_SYS_VMS
-#define _XOPEN_SOURCE 500 /* Or isascii won't be declared properly on
- VMS (at least with DECompHP C). */
+/* Or isascii won't be declared properly on VMS (at least with DECompHP C). */
+#define _XOPEN_SOURCE 500
#endif
#include <ctype.h>
#endif
#include <openssl/bn.h>
-#define _XOPEN_SOURCE_EXTENDED 1 /* Or gethostname won't be declared properly
- on Compaq platforms (at least with DEC C).
- Do not try to put it earlier, or IPv6 includes
- get screwed...
- */
+/*
+ * Or gethostname won't be declared properly
+ * on Compaq platforms (at least with DEC C).
+ * Do not try to put it earlier, or IPv6 includes
+ * get screwed...
+*/
+#define _XOPEN_SOURCE_EXTENDED 1
#ifdef OPENSSL_SYS_WINDOWS
#include <winsock.h>
return 0;
}
- if (s->s3->client_opaque_prf_input != NULL) /* shouldn't really happen */
+ if (s->s3->client_opaque_prf_input != NULL)
+ {
+ /* shouldn't really happen */
OPENSSL_free(s->s3->client_opaque_prf_input);
+ }
/* dummy byte just to get non-NULL */
if (s->s3->client_opaque_prf_input_len == 0)
return 0;
}
- if (s->s3->server_opaque_prf_input != NULL) /* shouldn't really happen */
+ if (s->s3->server_opaque_prf_input != NULL)
+ {
+ /* shouldn't really happen */
OPENSSL_free(s->s3->server_opaque_prf_input);
+ }
if (s->s3->server_opaque_prf_input_len == 0)
- s->s3->server_opaque_prf_input = OPENSSL_malloc(1); /* dummy byte just to get non-NULL */
+ {
+ /* dummy byte just to get non-NULL */
+ s->s3->server_opaque_prf_input = OPENSSL_malloc(1);
+ }
else
+ {
s->s3->server_opaque_prf_input = BUF_memdup(sdata, s->s3->server_opaque_prf_input_len);
+ }
if (s->s3->server_opaque_prf_input == NULL)
{
if (s->tlsext_opaque_prf_input != NULL)
{
- if (s->s3->client_opaque_prf_input != NULL) /* shouldn't really happen */
+ if (s->s3->client_opaque_prf_input != NULL)
+ {
+ /* shouldn't really happen */
OPENSSL_free(s->s3->client_opaque_prf_input);
+ }
if (s->tlsext_opaque_prf_input_len == 0)
- s->s3->client_opaque_prf_input = OPENSSL_malloc(1); /* dummy byte just to get non-NULL */
+ {
+ /* dummy byte just to get non-NULL */
+ s->s3->client_opaque_prf_input = OPENSSL_malloc(1);
+ }
else
+ {
s->s3->client_opaque_prf_input = BUF_memdup(s->tlsext_opaque_prf_input, s->tlsext_opaque_prf_input_len);
+ }
if (s->s3->client_opaque_prf_input == NULL)
{
SSLerr(SSL_F_SSL_PREPARE_CLIENTHELLO_TLSEXT,ERR_R_MALLOC_FAILURE);
}
}
- if (s->s3->server_opaque_prf_input != NULL) /* shouldn't really happen */
+ if (s->s3->server_opaque_prf_input != NULL)
+ {
+ /* shouldn't really happen */
OPENSSL_free(s->s3->server_opaque_prf_input);
+ }
s->s3->server_opaque_prf_input = NULL;
if (s->tlsext_opaque_prf_input != NULL)
* of the same length as the client opaque PRF input! */
if (s->tlsext_opaque_prf_input_len == 0)
- s->s3->server_opaque_prf_input = OPENSSL_malloc(1); /* dummy byte just to get non-NULL */
+ {
+ /* dummy byte just to get non-NULL */
+ s->s3->server_opaque_prf_input = OPENSSL_malloc(1);
+ }
else
+ {
s->s3->server_opaque_prf_input = BUF_memdup(s->tlsext_opaque_prf_input, s->tlsext_opaque_prf_input_len);
+ }
if (s->s3->server_opaque_prf_input == NULL)
{
ret = SSL_TLSEXT_ERR_ALERT_FATAL;
#define TLSEXT_TYPE_session_ticket 35
/* ExtensionType value from draft-rescorla-tls-opaque-prf-input-00.txt */
-#if 0 /* will have to be provided externally for now ,
- * i.e. build with -DTLSEXT_TYPE_opaque_prf_input=38183
- * using whatever extension number you'd like to try */
+#if 0
+/*
+ * will have to be provided externally for now ,
+ * i.e. build with -DTLSEXT_TYPE_opaque_prf_input=38183
+ * using whatever extension number you'd like to try
+ */
# define TLSEXT_TYPE_opaque_prf_input ??
#endif