| @@ -120,8 +120,8 @@ int MAIN(int argc, char **argv) | ||||
|             outfile = *(++argv); | ||||
|         } else if (strcmp(*argv, "-2") == 0) | ||||
|             g = 2; | ||||
|         /*-     else if (strcmp(*argv,"-3") == 0) | ||||
|                         g=3; */ | ||||
| /*-     else if (strcmp(*argv,"-3") == 0) | ||||
|                 g=3; */ | ||||
|         else if (strcmp(*argv, "-5") == 0) | ||||
|             g = 5; | ||||
| # ifndef OPENSSL_NO_ENGINE | ||||
|   | ||||
| @@ -200,10 +200,10 @@ int verify_callback(int ok, X509_STORE_CTX *ctx) | ||||
| int set_cert_stuff(SSL_CTX *ctx, char *cert_file, char *key_file) | ||||
| { | ||||
|     if (cert_file != NULL) { | ||||
|                 /*- | ||||
|                 SSL *ssl; | ||||
|                 X509 *x509; | ||||
|                 */ | ||||
|         /*- | ||||
|         SSL *ssl; | ||||
|         X509 *x509; | ||||
|         */ | ||||
|  | ||||
|         if (SSL_CTX_use_certificate_file(ctx, cert_file, | ||||
|                                          SSL_FILETYPE_PEM) <= 0) { | ||||
|   | ||||
| @@ -1749,8 +1749,8 @@ int MAIN(int argc, char **argv) | ||||
|                     openssl_fdset(SSL_get_fd(con), &writefds); | ||||
|             } | ||||
| #endif | ||||
| /*-                     printf("mode tty(%d %d%d) ssl(%d%d)\n", | ||||
|                                 tty_on,read_tty,write_tty,read_ssl,write_ssl);*/ | ||||
| /*-         printf("mode tty(%d %d%d) ssl(%d%d)\n", | ||||
|                     tty_on,read_tty,write_tty,read_ssl,write_ssl);*/ | ||||
|  | ||||
|             /* | ||||
|              * Note: under VMS with SOCKETSHR the second parameter is | ||||
|   | ||||
| @@ -529,13 +529,13 @@ int BIO_socket_ioctl(int fd, long type, void *arg) | ||||
|     i = ioctlsocket(fd, type, (char *)arg); | ||||
| #  else | ||||
| #   if defined(OPENSSL_SYS_VMS) | ||||
| 	/*- | ||||
| 	 * 2011-02-18 SMS. | ||||
| 	 * VMS ioctl() can't tolerate a 64-bit "void *arg", but we | ||||
| 	 * observe that all the consumers pass in an "unsigned long *", | ||||
| 	 * so we arrange a local copy with a short pointer, and use | ||||
| 	 * that, instead. | ||||
| 	 */ | ||||
|     /*- | ||||
|      * 2011-02-18 SMS. | ||||
|      * VMS ioctl() can't tolerate a 64-bit "void *arg", but we | ||||
|      * observe that all the consumers pass in an "unsigned long *", | ||||
|      * so we arrange a local copy with a short pointer, and use | ||||
|      * that, instead. | ||||
|      */ | ||||
| #    if __INITIAL_POINTER_SIZE == 64 | ||||
| #     define ARG arg_32p | ||||
| #     pragma pointer_size save | ||||
|   | ||||
| @@ -103,11 +103,11 @@ static int nullf_free(BIO *a) | ||||
| { | ||||
|     if (a == NULL) | ||||
|         return (0); | ||||
| 	/*- | ||||
| 	a->ptr=NULL; | ||||
| 	a->init=0; | ||||
| 	a->flags=0; | ||||
| 	*/ | ||||
|     /*- | ||||
|     a->ptr=NULL; | ||||
|     a->init=0; | ||||
|     a->flags=0; | ||||
|     */ | ||||
|     return (1); | ||||
| } | ||||
|  | ||||
|   | ||||
| @@ -415,12 +415,12 @@ static long acpt_ctrl(BIO *b, int cmd, long num, void *ptr) | ||||
|         ret = (long)data->bind_mode; | ||||
|         break; | ||||
|     case BIO_CTRL_DUP: | ||||
| /*-             dbio=(BIO *)ptr; | ||||
|                 if (data->param_port) EAY EAY | ||||
|                         BIO_set_port(dbio,data->param_port); | ||||
|                 if (data->param_hostname) | ||||
|                         BIO_set_hostname(dbio,data->param_hostname); | ||||
|                 BIO_set_nbio(dbio,data->nbio); */ | ||||
| /*-     dbio=(BIO *)ptr; | ||||
|         if (data->param_port) EAY EAY | ||||
|                 BIO_set_port(dbio,data->param_port); | ||||
|         if (data->param_hostname) | ||||
|                 BIO_set_hostname(dbio,data->param_hostname); | ||||
|         BIO_set_nbio(dbio,data->nbio); */ | ||||
|         break; | ||||
|  | ||||
|     default: | ||||
|   | ||||
| @@ -66,13 +66,13 @@ int BN_kronecker(const BIGNUM *a, const BIGNUM *b, BN_CTX *ctx) | ||||
|     int ret = -2;               /* avoid 'uninitialized' warning */ | ||||
|     int err = 0; | ||||
|     BIGNUM *A, *B, *tmp; | ||||
|         /*- | ||||
|          * In 'tab', only odd-indexed entries are relevant: | ||||
|          * For any odd BIGNUM n, | ||||
|          *     tab[BN_lsw(n) & 7] | ||||
|          * is $(-1)^{(n^2-1)/8}$ (using TeX notation). | ||||
|          * Note that the sign of n does not matter. | ||||
|          */ | ||||
|     /*- | ||||
|      * In 'tab', only odd-indexed entries are relevant: | ||||
|      * For any odd BIGNUM n, | ||||
|      *     tab[BN_lsw(n) & 7] | ||||
|      * is $(-1)^{(n^2-1)/8}$ (using TeX notation). | ||||
|      * Note that the sign of n does not matter. | ||||
|      */ | ||||
|     static const int tab[8] = { 0, 1, 0, -1, 0, -1, 0, 1 }; | ||||
|  | ||||
|     bn_check_top(a); | ||||
|   | ||||
| @@ -106,12 +106,12 @@ char *BN_bn2dec(const BIGNUM *a) | ||||
|     BIGNUM *t = NULL; | ||||
|     BN_ULONG *bn_data = NULL, *lp; | ||||
|  | ||||
|         /*- | ||||
|          * get an upper bound for the length of the decimal integer | ||||
|          * num <= (BN_num_bits(a) + 1) * log(2) | ||||
|          *     <= 3 * BN_num_bits(a) * 0.1001 + log(2) + 1     (rounding error) | ||||
|          *     <= BN_num_bits(a)/10 + BN_num_bits/1000 + 1 + 1 | ||||
|          */ | ||||
|     /*- | ||||
|      * get an upper bound for the length of the decimal integer | ||||
|      * num <= (BN_num_bits(a) + 1) * log(2) | ||||
|      *     <= 3 * BN_num_bits(a) * 0.1001 + log(2) + 1     (rounding error) | ||||
|      *     <= BN_num_bits(a)/10 + BN_num_bits/1000 + 1 + 1 | ||||
|      */ | ||||
|     i = BN_num_bits(a) * 3; | ||||
|     num = (i / 10 + i / 1000 + 1) + 1; | ||||
|     bn_data = | ||||
|   | ||||
| @@ -152,32 +152,32 @@ BIGNUM *BN_mod_sqrt(BIGNUM *in, const BIGNUM *a, const BIGNUM *p, BN_CTX *ctx) | ||||
|     } | ||||
|  | ||||
|     if (e == 2) { | ||||
|                 /*- | ||||
|                  * |p| == 5  (mod 8) | ||||
|                  * | ||||
|                  * In this case  2  is always a non-square since | ||||
|                  * Legendre(2,p) = (-1)^((p^2-1)/8)  for any odd prime. | ||||
|                  * So if  a  really is a square, then  2*a  is a non-square. | ||||
|                  * Thus for | ||||
|                  *      b := (2*a)^((|p|-5)/8), | ||||
|                  *      i := (2*a)*b^2 | ||||
|                  * we have | ||||
|                  *     i^2 = (2*a)^((1 + (|p|-5)/4)*2) | ||||
|                  *         = (2*a)^((p-1)/2) | ||||
|                  *         = -1; | ||||
|                  * so if we set | ||||
|                  *      x := a*b*(i-1), | ||||
|                  * then | ||||
|                  *     x^2 = a^2 * b^2 * (i^2 - 2*i + 1) | ||||
|                  *         = a^2 * b^2 * (-2*i) | ||||
|                  *         = a*(-i)*(2*a*b^2) | ||||
|                  *         = a*(-i)*i | ||||
|                  *         = a. | ||||
|                  * | ||||
|                  * (This is due to A.O.L. Atkin, | ||||
|                  * <URL: http://listserv.nodak.edu/scripts/wa.exe?A2=ind9211&L=nmbrthry&O=T&P=562>, | ||||
|                  * November 1992.) | ||||
|                  */ | ||||
|         /*- | ||||
|          * |p| == 5  (mod 8) | ||||
|          * | ||||
|          * In this case  2  is always a non-square since | ||||
|          * Legendre(2,p) = (-1)^((p^2-1)/8)  for any odd prime. | ||||
|          * So if  a  really is a square, then  2*a  is a non-square. | ||||
|          * Thus for | ||||
|          *      b := (2*a)^((|p|-5)/8), | ||||
|          *      i := (2*a)*b^2 | ||||
|          * we have | ||||
|          *     i^2 = (2*a)^((1 + (|p|-5)/4)*2) | ||||
|          *         = (2*a)^((p-1)/2) | ||||
|          *         = -1; | ||||
|          * so if we set | ||||
|          *      x := a*b*(i-1), | ||||
|          * then | ||||
|          *     x^2 = a^2 * b^2 * (i^2 - 2*i + 1) | ||||
|          *         = a^2 * b^2 * (-2*i) | ||||
|          *         = a*(-i)*(2*a*b^2) | ||||
|          *         = a*(-i)*i | ||||
|          *         = a. | ||||
|          * | ||||
|          * (This is due to A.O.L. Atkin, | ||||
|          * <URL: http://listserv.nodak.edu/scripts/wa.exe?A2=ind9211&L=nmbrthry&O=T&P=562>, | ||||
|          * November 1992.) | ||||
|          */ | ||||
|  | ||||
|         /* t := 2*a */ | ||||
|         if (!BN_mod_lshift1_quick(t, A, p)) | ||||
|   | ||||
| @@ -134,9 +134,9 @@ static unsigned char cfb_cipher64[CFB_TEST_SIZE] = { | ||||
|     0x59, 0xD8, 0xE2, 0x65, 0x00, 0x58, 0x6C, 0x3F, | ||||
|     0x2C, 0x17, 0x25, 0xD0, 0x1A, 0x38, 0xB7, 0x2A, | ||||
|     0x39, 0x61, 0x37, 0xDC, 0x79, 0xFB, 0x9F, 0x45 | ||||
| /*-     0xF9,0x78,0x32,0xB5,0x42,0x1A,0x6B,0x38, | ||||
|         0x9A,0x44,0xD6,0x04,0x19,0x43,0xC4,0xD9, | ||||
|         0x3D,0x1E,0xAE,0x47,0xFC,0xCF,0x29,0x0B,*/ | ||||
| /*- 0xF9,0x78,0x32,0xB5,0x42,0x1A,0x6B,0x38, | ||||
|     0x9A,0x44,0xD6,0x04,0x19,0x43,0xC4,0xD9, | ||||
|     0x3D,0x1E,0xAE,0x47,0xFC,0xCF,0x29,0x0B,*/ | ||||
| }; | ||||
| # endif | ||||
|  | ||||
|   | ||||
| @@ -397,7 +397,7 @@ int main(int argc, char *argv[]) | ||||
|                           DES_ENCRYPT); | ||||
|     DES_ede3_cbcm_encrypt(&cbc_data[16], &cbc_out[16], i - 16, &ks, &ks2, | ||||
|                           &ks3, &iv3, &iv2, DES_ENCRYPT); | ||||
| /*-     if (memcmp(cbc_out,cbc3_ok, | ||||
| /*- if (memcmp(cbc_out,cbc3_ok, | ||||
|         (unsigned int)(strlen((char *)cbc_data)+1+7)/8*8) != 0) | ||||
|         { | ||||
|         printf("des_ede3_cbc_encrypt encrypt error\n"); | ||||
|   | ||||
| @@ -205,12 +205,12 @@ int DES_enc_read(int fd, void *buf, int len, DES_key_schedule *sched, | ||||
|          */ | ||||
|         num = len; | ||||
|     } else { | ||||
|                 /*- | ||||
|                  * >output is a multiple of 8 byes, if len < rnum | ||||
|                  * >we must be careful.  The user must be aware that this | ||||
|                  * >routine will write more bytes than he asked for. | ||||
|                  * >The length of the buffer must be correct. | ||||
|                  * FIXED - Should be ok now 18-9-90 - eay */ | ||||
|         /*- | ||||
|          * >output is a multiple of 8 byes, if len < rnum | ||||
|          * >we must be careful.  The user must be aware that this | ||||
|          * >routine will write more bytes than he asked for. | ||||
|          * >The length of the buffer must be correct. | ||||
|          * FIXED - Should be ok now 18-9-90 - eay */ | ||||
|         if (len < rnum) { | ||||
|  | ||||
|             if (DES_rw_mode & DES_PCBC_MODE) | ||||
|   | ||||
| @@ -102,8 +102,8 @@ void DES_ede3_ofb64_encrypt(register const unsigned char *in, | ||||
|         n = (n + 1) & 0x07; | ||||
|     } | ||||
|     if (save) { | ||||
| /*-             v0=ti[0]; | ||||
|                 v1=ti[1];*/ | ||||
| /*-     v0=ti[0]; | ||||
|         v1=ti[1];*/ | ||||
|         iv = &(*ivec)[0]; | ||||
|         l2c(v0, iv); | ||||
|         l2c(v1, iv); | ||||
|   | ||||
| @@ -432,25 +432,25 @@ static void felem_shrink(smallfelem out, const felem in) | ||||
|     /* As tmp[3] < 2^65, high is either 1 or 0 */ | ||||
|     high <<= 63; | ||||
|     high >>= 63; | ||||
| 	/*- | ||||
| 	 * high is: | ||||
| 	 *   all ones   if the high word of tmp[3] is 1 | ||||
| 	 *   all zeros  if the high word of tmp[3] if 0 */ | ||||
|     /*- | ||||
|      * high is: | ||||
|      *   all ones   if the high word of tmp[3] is 1 | ||||
|      *   all zeros  if the high word of tmp[3] if 0 */ | ||||
|     low = tmp[3]; | ||||
|     mask = low >> 63; | ||||
| 	/*- | ||||
| 	 * mask is: | ||||
| 	 *   all ones   if the MSB of low is 1 | ||||
| 	 *   all zeros  if the MSB of low if 0 */ | ||||
|     /*- | ||||
|      * mask is: | ||||
|      *   all ones   if the MSB of low is 1 | ||||
|      *   all zeros  if the MSB of low if 0 */ | ||||
|     low &= bottom63bits; | ||||
|     low -= kPrime3Test; | ||||
|     /* if low was greater than kPrime3Test then the MSB is zero */ | ||||
|     low = ~low; | ||||
|     low >>= 63; | ||||
| 	/*- | ||||
| 	 * low is: | ||||
| 	 *   all ones   if low was > kPrime3Test | ||||
| 	 *   all zeros  if low was <= kPrime3Test */ | ||||
|     /*- | ||||
|      * low is: | ||||
|      *   all ones   if low was > kPrime3Test | ||||
|      *   all zeros  if low was <= kPrime3Test */ | ||||
|     mask = (mask & low) | high; | ||||
|     tmp[0] -= mask & kPrime[0]; | ||||
|     tmp[1] -= mask & kPrime[1]; | ||||
| @@ -790,17 +790,17 @@ static void felem_reduce(felem out, const longfelem in) | ||||
|  | ||||
|     felem_reduce_(out, in); | ||||
|  | ||||
| 	/*- | ||||
| 	 * out[0] > 2^100 - 2^36 - 2^4 - 3*2^64 - 3*2^96 - 2^64 - 2^96 > 0 | ||||
| 	 * out[1] > 2^100 - 2^64 - 7*2^96 > 0 | ||||
| 	 * out[2] > 2^100 - 2^36 + 2^4 - 5*2^64 - 5*2^96 > 0 | ||||
| 	 * out[3] > 2^100 - 2^36 + 2^4 - 7*2^64 - 5*2^96 - 3*2^96 > 0 | ||||
| 	 * | ||||
| 	 * out[0] < 2^100 + 2^64 + 7*2^64 + 5*2^96 < 2^101 | ||||
| 	 * out[1] < 2^100 + 3*2^64 + 5*2^64 + 3*2^97 < 2^101 | ||||
| 	 * out[2] < 2^100 + 5*2^64 + 2^64 + 3*2^65 + 2^97 < 2^101 | ||||
| 	 * out[3] < 2^100 + 7*2^64 + 7*2^96 + 3*2^64 < 2^101 | ||||
| 	 */ | ||||
|     /*- | ||||
|      * out[0] > 2^100 - 2^36 - 2^4 - 3*2^64 - 3*2^96 - 2^64 - 2^96 > 0 | ||||
|      * out[1] > 2^100 - 2^64 - 7*2^96 > 0 | ||||
|      * out[2] > 2^100 - 2^36 + 2^4 - 5*2^64 - 5*2^96 > 0 | ||||
|      * out[3] > 2^100 - 2^36 + 2^4 - 7*2^64 - 5*2^96 - 3*2^96 > 0 | ||||
|      * | ||||
|      * out[0] < 2^100 + 2^64 + 7*2^64 + 5*2^96 < 2^101 | ||||
|      * out[1] < 2^100 + 3*2^64 + 5*2^64 + 3*2^97 < 2^101 | ||||
|      * out[2] < 2^100 + 5*2^64 + 2^64 + 3*2^65 + 2^97 < 2^101 | ||||
|      * out[3] < 2^100 + 7*2^64 + 7*2^96 + 3*2^64 < 2^101 | ||||
|      */ | ||||
| } | ||||
|  | ||||
| /*- | ||||
| @@ -819,17 +819,17 @@ static void felem_reduce_zero105(felem out, const longfelem in) | ||||
|  | ||||
|     felem_reduce_(out, in); | ||||
|  | ||||
| 	/*- | ||||
| 	 * out[0] > 2^105 - 2^41 - 2^9 - 2^71 - 2^103 - 2^71 - 2^103 > 0 | ||||
| 	 * out[1] > 2^105 - 2^71 - 2^103 > 0 | ||||
| 	 * out[2] > 2^105 - 2^41 + 2^9 - 2^71 - 2^103 > 0 | ||||
| 	 * out[3] > 2^105 - 2^41 + 2^9 - 2^71 - 2^103 - 2^103 > 0 | ||||
| 	 * | ||||
| 	 * out[0] < 2^105 + 2^71 + 2^71 + 2^103 < 2^106 | ||||
| 	 * out[1] < 2^105 + 2^71 + 2^71 + 2^103 < 2^106 | ||||
| 	 * out[2] < 2^105 + 2^71 + 2^71 + 2^71 + 2^103 < 2^106 | ||||
| 	 * out[3] < 2^105 + 2^71 + 2^103 + 2^71 < 2^106 | ||||
| 	 */ | ||||
|     /*- | ||||
|      * out[0] > 2^105 - 2^41 - 2^9 - 2^71 - 2^103 - 2^71 - 2^103 > 0 | ||||
|      * out[1] > 2^105 - 2^71 - 2^103 > 0 | ||||
|      * out[2] > 2^105 - 2^41 + 2^9 - 2^71 - 2^103 > 0 | ||||
|      * out[3] > 2^105 - 2^41 + 2^9 - 2^71 - 2^103 - 2^103 > 0 | ||||
|      * | ||||
|      * out[0] < 2^105 + 2^71 + 2^71 + 2^103 < 2^106 | ||||
|      * out[1] < 2^105 + 2^71 + 2^71 + 2^103 < 2^106 | ||||
|      * out[2] < 2^105 + 2^71 + 2^71 + 2^71 + 2^103 < 2^106 | ||||
|      * out[3] < 2^105 + 2^71 + 2^103 + 2^71 < 2^106 | ||||
|      */ | ||||
| } | ||||
|  | ||||
| /* | ||||
| @@ -1094,7 +1094,8 @@ static void smallfelem_inv_contract(smallfelem out, const smallfelem in) | ||||
|  * | ||||
|  * Building on top of the field operations we have the operations on the | ||||
|  * elliptic curve group itself. Points on the curve are represented in Jacobian | ||||
|  * coordinates */ | ||||
|  * coordinates | ||||
|  */ | ||||
|  | ||||
| /*- | ||||
|  * point_double calculates 2*(x_in, y_in, z_in) | ||||
| @@ -1103,7 +1104,8 @@ static void smallfelem_inv_contract(smallfelem out, const smallfelem in) | ||||
|  *   http://hyperelliptic.org/EFD/g1p/auto-shortw-jacobian-3.html#doubling-dbl-2001-b | ||||
|  * | ||||
|  * Outputs can equal corresponding inputs, i.e., x_out == x_in is allowed. | ||||
|  * while x_out == y_in is not (maybe this works, but it's not tested). */ | ||||
|  * while x_out == y_in is not (maybe this works, but it's not tested). | ||||
|  */ | ||||
| static void | ||||
| point_double(felem x_out, felem y_out, felem z_out, | ||||
|              const felem x_in, const felem y_in, const felem z_in) | ||||
| @@ -1234,7 +1236,8 @@ static void copy_small_conditional(felem out, const smallfelem in, limb mask) | ||||
|  * This function includes a branch for checking whether the two input points | ||||
|  * are equal, (while not equal to the point at infinity). This case never | ||||
|  * happens during single point multiplication, so there is no timing leak for | ||||
|  * ECDH or ECDSA signing. */ | ||||
|  * ECDH or ECDSA signing. | ||||
|  */ | ||||
| static void point_add(felem x3, felem y3, felem z3, | ||||
|                       const felem x1, const felem y1, const felem z1, | ||||
|                       const int mixed, const smallfelem x2, | ||||
|   | ||||
| @@ -414,15 +414,16 @@ static void felem_square(largefelem out, const felem in) | ||||
|     felem_scalar(inx2, in, 2); | ||||
|     felem_scalar(inx4, in, 4); | ||||
|  | ||||
| 	/*- | ||||
| 	 * We have many cases were we want to do | ||||
| 	 *   in[x] * in[y] + | ||||
| 	 *   in[y] * in[x] | ||||
| 	 * This is obviously just | ||||
| 	 *   2 * in[x] * in[y] | ||||
| 	 * However, rather than do the doubling on the 128 bit result, we | ||||
| 	 * double one of the inputs to the multiplication by reading from | ||||
| 	 * |inx2| */ | ||||
|     /*- | ||||
|      * We have many cases were we want to do | ||||
|      *   in[x] * in[y] + | ||||
|      *   in[y] * in[x] | ||||
|      * This is obviously just | ||||
|      *   2 * in[x] * in[y] | ||||
|      * However, rather than do the doubling on the 128 bit result, we | ||||
|      * double one of the inputs to the multiplication by reading from | ||||
|      * |inx2| | ||||
|      */ | ||||
|  | ||||
|     out[0] = ((uint128_t) in[0]) * in[0]; | ||||
|     out[1] = ((uint128_t) in[0]) * inx2[1]; | ||||
| @@ -610,10 +611,10 @@ static void felem_reduce(felem out, const largefelem in) | ||||
|  | ||||
|     out[1] += ((limb) in[0]) >> 58; | ||||
|     out[1] += (((limb) (in[0] >> 64)) & bottom52bits) << 6; | ||||
|         /*- | ||||
|          * out[1] < 2^58 + 2^6 + 2^58 | ||||
|          *        = 2^59 + 2^6 | ||||
|          */ | ||||
|     /*- | ||||
|      * out[1] < 2^58 + 2^6 + 2^58 | ||||
|      *        = 2^59 + 2^6 | ||||
|      */ | ||||
|     out[2] += ((limb) (in[0] >> 64)) >> 52; | ||||
|  | ||||
|     out[2] += ((limb) in[1]) >> 58; | ||||
| @@ -642,10 +643,10 @@ static void felem_reduce(felem out, const largefelem in) | ||||
|  | ||||
|     out[8] += ((limb) in[7]) >> 58; | ||||
|     out[8] += (((limb) (in[7] >> 64)) & bottom52bits) << 6; | ||||
|         /*- | ||||
|          * out[x > 1] < 2^58 + 2^6 + 2^58 + 2^12 | ||||
|          *            < 2^59 + 2^13 | ||||
|          */ | ||||
|     /*- | ||||
|      * out[x > 1] < 2^58 + 2^6 + 2^58 + 2^12 | ||||
|      *            < 2^59 + 2^13 | ||||
|      */ | ||||
|     overflow1 = ((limb) (in[7] >> 64)) >> 52; | ||||
|  | ||||
|     overflow1 += ((limb) in[8]) >> 58; | ||||
| @@ -660,11 +661,11 @@ static void felem_reduce(felem out, const largefelem in) | ||||
|  | ||||
|     out[1] += out[0] >> 58; | ||||
|     out[0] &= bottom58bits; | ||||
|         /*- | ||||
|          * out[0] < 2^58 | ||||
|          * out[1] < 2^59 + 2^6 + 2^13 + 2^2 | ||||
|          *        < 2^59 + 2^14 | ||||
|          */ | ||||
|     /*- | ||||
|      * out[0] < 2^58 | ||||
|      * out[1] < 2^59 + 2^6 + 2^13 + 2^2 | ||||
|      *        < 2^59 + 2^14 | ||||
|      */ | ||||
| } | ||||
|  | ||||
| static void felem_square_reduce(felem out, const felem in) | ||||
|   | ||||
| @@ -96,11 +96,11 @@ int ec_GFp_simple_set_compressed_coordinates(const EC_GROUP *group, | ||||
|     if (y == NULL) | ||||
|         goto err; | ||||
|  | ||||
|         /*- | ||||
|          * Recover y.  We have a Weierstrass equation | ||||
|          *     y^2 = x^3 + a*x + b, | ||||
|          * so  y  is one of the square roots of  x^3 + a*x + b. | ||||
|          */ | ||||
|     /*- | ||||
|      * Recover y.  We have a Weierstrass equation | ||||
|      *     y^2 = x^3 + a*x + b, | ||||
|      * so  y  is one of the square roots of  x^3 + a*x + b. | ||||
|      */ | ||||
|  | ||||
|     /* tmp1 := x^3 */ | ||||
|     if (!BN_nnmod(x, x_, group->field, ctx)) | ||||
|   | ||||
| @@ -909,10 +909,10 @@ int ec_GFp_simple_dbl(const EC_GROUP *group, EC_POINT *r, const EC_POINT *a, | ||||
|             goto err; | ||||
|         if (!BN_mod_add_quick(n1, n0, n1, p)) | ||||
|             goto err; | ||||
|                 /*- | ||||
|                  * n1 = 3 * (X_a + Z_a^2) * (X_a - Z_a^2) | ||||
|                  *    = 3 * X_a^2 - 3 * Z_a^4 | ||||
|                  */ | ||||
|         /*- | ||||
|          * n1 = 3 * (X_a + Z_a^2) * (X_a - Z_a^2) | ||||
|          *    = 3 * X_a^2 - 3 * Z_a^4 | ||||
|          */ | ||||
|     } else { | ||||
|         if (!field_sqr(group, n0, a->X, ctx)) | ||||
|             goto err; | ||||
| @@ -1033,15 +1033,15 @@ int ec_GFp_simple_is_on_curve(const EC_GROUP *group, const EC_POINT *point, | ||||
|     if (Z6 == NULL) | ||||
|         goto err; | ||||
|  | ||||
| 	/*- | ||||
| 	 * We have a curve defined by a Weierstrass equation | ||||
| 	 *      y^2 = x^3 + a*x + b. | ||||
| 	 * The point to consider is given in Jacobian projective coordinates | ||||
| 	 * where  (X, Y, Z)  represents  (x, y) = (X/Z^2, Y/Z^3). | ||||
| 	 * Substituting this and multiplying by  Z^6  transforms the above equation into | ||||
| 	 *      Y^2 = X^3 + a*X*Z^4 + b*Z^6. | ||||
| 	 * To test this, we add up the right-hand side in 'rh'. | ||||
| 	 */ | ||||
|     /*- | ||||
|      * We have a curve defined by a Weierstrass equation | ||||
|      *      y^2 = x^3 + a*x + b. | ||||
|      * The point to consider is given in Jacobian projective coordinates | ||||
|      * where  (X, Y, Z)  represents  (x, y) = (X/Z^2, Y/Z^3). | ||||
|      * Substituting this and multiplying by  Z^6  transforms the above equation into | ||||
|      *      Y^2 = X^3 + a*X*Z^4 + b*Z^6. | ||||
|      * To test this, we add up the right-hand side in 'rh'. | ||||
|      */ | ||||
|  | ||||
|     /* rh := X^2 */ | ||||
|     if (!field_sqr(group, rh, point->X, ctx)) | ||||
| @@ -1108,12 +1108,12 @@ int ec_GFp_simple_is_on_curve(const EC_GROUP *group, const EC_POINT *point, | ||||
| int ec_GFp_simple_cmp(const EC_GROUP *group, const EC_POINT *a, | ||||
|                       const EC_POINT *b, BN_CTX *ctx) | ||||
| { | ||||
|         /*- | ||||
|          * return values: | ||||
|          *  -1   error | ||||
|          *   0   equal (in affine coordinates) | ||||
|          *   1   not equal | ||||
|          */ | ||||
|     /*- | ||||
|      * return values: | ||||
|      *  -1   error | ||||
|      *   0   equal (in affine coordinates) | ||||
|      *   1   not equal | ||||
|      */ | ||||
|  | ||||
|     int (*field_mul) (const EC_GROUP *, BIGNUM *, const BIGNUM *, | ||||
|                       const BIGNUM *, BN_CTX *); | ||||
| @@ -1151,12 +1151,12 @@ int ec_GFp_simple_cmp(const EC_GROUP *group, const EC_POINT *a, | ||||
|     if (Zb23 == NULL) | ||||
|         goto end; | ||||
|  | ||||
| 	/*- | ||||
| 	 * We have to decide whether | ||||
| 	 *     (X_a/Z_a^2, Y_a/Z_a^3) = (X_b/Z_b^2, Y_b/Z_b^3), | ||||
| 	 * or equivalently, whether | ||||
| 	 *     (X_a*Z_b^2, Y_a*Z_b^3) = (X_b*Z_a^2, Y_b*Z_a^3). | ||||
| 	 */ | ||||
|     /*- | ||||
|      * We have to decide whether | ||||
|      *     (X_a/Z_a^2, Y_a/Z_a^3) = (X_b/Z_b^2, Y_b/Z_b^3), | ||||
|      * or equivalently, whether | ||||
|      *     (X_a*Z_b^2, Y_a*Z_b^3) = (X_b*Z_a^2, Y_b*Z_a^3). | ||||
|      */ | ||||
|  | ||||
|     if (!b->Z_is_one) { | ||||
|         if (!field_sqr(group, Zb23, b->Z, ctx)) | ||||
|   | ||||
| @@ -102,9 +102,9 @@ static unsigned char cfb_cipher64[CFB_TEST_SIZE] = { | ||||
|     0x59, 0xD8, 0xE2, 0x65, 0x00, 0x58, 0x6C, 0x3F, | ||||
|     0x2C, 0x17, 0x25, 0xD0, 0x1A, 0x38, 0xB7, 0x2A, | ||||
|     0x39, 0x61, 0x37, 0xDC, 0x79, 0xFB, 0x9F, 0x45 | ||||
| /*-     0xF9,0x78,0x32,0xB5,0x42,0x1A,0x6B,0x38, | ||||
|         0x9A,0x44,0xD6,0x04,0x19,0x43,0xC4,0xD9, | ||||
|         0x3D,0x1E,0xAE,0x47,0xFC,0xCF,0x29,0x0B,*/ | ||||
| /*- 0xF9,0x78,0x32,0xB5,0x42,0x1A,0x6B,0x38, | ||||
|     0x9A,0x44,0xD6,0x04,0x19,0x43,0xC4,0xD9, | ||||
|     0x3D,0x1E,0xAE,0x47,0xFC,0xCF,0x29,0x0B,*/ | ||||
| }; | ||||
|  | ||||
| static int cfb64_test(unsigned char *cfb_cipher); | ||||
|   | ||||
| @@ -434,9 +434,9 @@ unsigned long lh_strhash(const char *c) | ||||
|     if ((c == NULL) || (*c == '\0')) | ||||
|         return (ret); | ||||
| /*- | ||||
|         unsigned char b[16]; | ||||
|         MD5(c,strlen(c),b); | ||||
|         return(b[0]|(b[1]<<8)|(b[2]<<16)|(b[3]<<24)); | ||||
|     unsigned char b[16]; | ||||
|     MD5(c,strlen(c),b); | ||||
|     return(b[0]|(b[1]<<8)|(b[2]<<16)|(b[3]<<24)); | ||||
| */ | ||||
|  | ||||
|     n = 0x100; | ||||
|   | ||||
| @@ -174,8 +174,8 @@ typedef struct pem_ctx_st { | ||||
|     struct { | ||||
|         int cipher; | ||||
|         /*- | ||||
|            unused, and wrong size | ||||
|            unsigned char iv[8]; */ | ||||
|         unused, and wrong size | ||||
|         unsigned char iv[8]; */ | ||||
|     } DEK_info; | ||||
|  | ||||
|     PEM_USER *originator; | ||||
| @@ -195,9 +195,9 @@ typedef struct pem_ctx_st { | ||||
|     EVP_CIPHER *dec;            /* date encryption cipher */ | ||||
|     int key_len;                /* key length */ | ||||
|     unsigned char *key;         /* key */ | ||||
| 	/*- | ||||
| 		unused, and wrong size | ||||
| 	   unsigned char iv[8]; */ | ||||
|   /*- | ||||
|     unused, and wrong size | ||||
|     unsigned char iv[8]; */ | ||||
|  | ||||
|     int data_enc;               /* is the data encrypted */ | ||||
|     int data_len; | ||||
|   | ||||
| @@ -113,10 +113,10 @@ static FILE *(*const vms_fopen)(const char *, const char *, ...) = | ||||
|  | ||||
| int RAND_load_file(const char *file, long bytes) | ||||
| { | ||||
|         /*- | ||||
|          * If bytes >= 0, read up to 'bytes' bytes. | ||||
|          * if bytes == -1, read complete file. | ||||
|          */ | ||||
|     /*- | ||||
|      * If bytes >= 0, read up to 'bytes' bytes. | ||||
|      * if bytes == -1, read complete file. | ||||
|      */ | ||||
|  | ||||
|     MS_STATIC unsigned char buf[BUFSIZE]; | ||||
| #ifndef OPENSSL_NO_POSIX_IO | ||||
|   | ||||
| @@ -134,9 +134,9 @@ static unsigned char cfb_cipher64[CFB_TEST_SIZE] = { | ||||
|     0x59, 0xD8, 0xE2, 0x65, 0x00, 0x58, 0x6C, 0x3F, | ||||
|     0x2C, 0x17, 0x25, 0xD0, 0x1A, 0x38, 0xB7, 0x2A, | ||||
|     0x39, 0x61, 0x37, 0xDC, 0x79, 0xFB, 0x9F, 0x45 | ||||
| /*-     0xF9,0x78,0x32,0xB5,0x42,0x1A,0x6B,0x38, | ||||
|         0x9A,0x44,0xD6,0x04,0x19,0x43,0xC4,0xD9, | ||||
|         0x3D,0x1E,0xAE,0x47,0xFC,0xCF,0x29,0x0B,*/ | ||||
| /*- 0xF9,0x78,0x32,0xB5,0x42,0x1A,0x6B,0x38, | ||||
|     0x9A,0x44,0xD6,0x04,0x19,0x43,0xC4,0xD9, | ||||
|     0x3D,0x1E,0xAE,0x47,0xFC,0xCF,0x29,0x0B,*/ | ||||
| }; | ||||
|  | ||||
| /* | ||||
|   | ||||
| @@ -798,23 +798,23 @@ void solaris_locking_callback(int mode, int type, char *file, int line) | ||||
|             (type & CRYPTO_READ) ? "r" : "w", file, line); | ||||
| # endif | ||||
|  | ||||
| 	/*- | ||||
| 	if (CRYPTO_LOCK_SSL_CERT == type) | ||||
| 	fprintf(stderr,"(t,m,f,l) %ld %d %s %d\n", | ||||
| 			CRYPTO_thread_id(), | ||||
| 			mode,file,line); | ||||
| 	*/ | ||||
|     /*- | ||||
|     if (CRYPTO_LOCK_SSL_CERT == type) | ||||
|     fprintf(stderr,"(t,m,f,l) %ld %d %s %d\n", | ||||
|             CRYPTO_thread_id(), | ||||
|             mode,file,line); | ||||
|     */ | ||||
|     if (mode & CRYPTO_LOCK) { | ||||
|         /*- | ||||
|                 if (mode & CRYPTO_READ) | ||||
|                         rw_rdlock(&(lock_cs[type])); | ||||
|                 else | ||||
|                         rw_wrlock(&(lock_cs[type])); */ | ||||
|         if (mode & CRYPTO_READ) | ||||
|                 rw_rdlock(&(lock_cs[type])); | ||||
|         else | ||||
|                 rw_wrlock(&(lock_cs[type])); */ | ||||
|  | ||||
|         mutex_lock(&(lock_cs[type])); | ||||
|         lock_count[type]++; | ||||
|     } else { | ||||
| /*              rw_unlock(&(lock_cs[type]));  */ | ||||
| /*      rw_unlock(&(lock_cs[type]));  */ | ||||
|         mutex_unlock(&(lock_cs[type])); | ||||
|     } | ||||
| } | ||||
| @@ -984,10 +984,10 @@ void pthreads_locking_callback(int mode, int type, char *file, int line) | ||||
|             (type & CRYPTO_READ) ? "r" : "w", file, line); | ||||
| # endif | ||||
| /*- | ||||
|         if (CRYPTO_LOCK_SSL_CERT == type) | ||||
|                 fprintf(stderr,"(t,m,f,l) %ld %d %s %d\n", | ||||
|                 CRYPTO_thread_id(), | ||||
|                 mode,file,line); | ||||
|     if (CRYPTO_LOCK_SSL_CERT == type) | ||||
|             fprintf(stderr,"(t,m,f,l) %ld %d %s %d\n", | ||||
|             CRYPTO_thread_id(), | ||||
|             mode,file,line); | ||||
| */ | ||||
|     if (mode & CRYPTO_LOCK) { | ||||
|         pthread_mutex_lock(&(lock_cs[type])); | ||||
|   | ||||
| @@ -430,8 +430,8 @@ static int get_cert_by_subject(X509_LOOKUP *xl, int type, X509_NAME *name, | ||||
|              * If we were going to up the reference count, we would need to | ||||
|              * do it on a perl 'type' basis | ||||
|              */ | ||||
|         /*-             CRYPTO_add(&tmp->data.x509->references,1, | ||||
|                                 CRYPTO_LOCK_X509);*/ | ||||
|         /*- CRYPTO_add(&tmp->data.x509->references,1, | ||||
|                     CRYPTO_LOCK_X509);*/ | ||||
|             goto finish; | ||||
|         } | ||||
|     } | ||||
|   | ||||
| @@ -323,8 +323,8 @@ int X509_STORE_get_by_subject(X509_STORE_CTX *vs, int type, X509_NAME *name, | ||||
|             return 0; | ||||
|     } | ||||
|  | ||||
| /*-     if (ret->data.ptr != NULL) | ||||
|                 X509_OBJECT_free_contents(ret); */ | ||||
| /*- if (ret->data.ptr != NULL) | ||||
|             X509_OBJECT_free_contents(ret); */ | ||||
|  | ||||
|     ret->type = tmp->type; | ||||
|     ret->data.ptr = tmp->data.ptr; | ||||
|   | ||||
| @@ -84,8 +84,8 @@ X509 *X509_REQ_to_X509(X509_REQ *r, int days, EVP_PKEY *pkey) | ||||
|             goto err; | ||||
|         if (!ASN1_INTEGER_set(xi->version, 2)) | ||||
|             goto err; | ||||
| /*-             xi->extensions=ri->attributes; <- bad, should not ever be done | ||||
|                 ri->attributes=NULL; */ | ||||
| /*-     xi->extensions=ri->attributes; <- bad, should not ever be done | ||||
|         ri->attributes=NULL; */ | ||||
|     } | ||||
|  | ||||
|     xn = X509_REQ_get_subject_name(r); | ||||
|   | ||||
| @@ -549,15 +549,15 @@ static int check_chain_extensions(X509_STORE_CTX *ctx) | ||||
|     int allow_proxy_certs; | ||||
|     cb = ctx->verify_cb; | ||||
|  | ||||
|         /*- | ||||
|          *  must_be_ca can have 1 of 3 values: | ||||
|          * -1: we accept both CA and non-CA certificates, to allow direct | ||||
|          *     use of self-signed certificates (which are marked as CA). | ||||
|          * 0:  we only accept non-CA certificates.  This is currently not | ||||
|          *     used, but the possibility is present for future extensions. | ||||
|          * 1:  we only accept CA certificates.  This is currently used for | ||||
|          *     all certificates in the chain except the leaf certificate. | ||||
|          */ | ||||
|     /*- | ||||
|      *  must_be_ca can have 1 of 3 values: | ||||
|      * -1: we accept both CA and non-CA certificates, to allow direct | ||||
|      *     use of self-signed certificates (which are marked as CA). | ||||
|      * 0:  we only accept non-CA certificates.  This is currently not | ||||
|      *     used, but the possibility is present for future extensions. | ||||
|      * 1:  we only accept CA certificates.  This is currently used for | ||||
|      *     all certificates in the chain except the leaf certificate. | ||||
|      */ | ||||
|     must_be_ca = -1; | ||||
|  | ||||
|     /* CRL path validation */ | ||||
|   | ||||
| @@ -162,16 +162,16 @@ X509_NAME_ENTRY *X509_NAME_delete_entry(X509_NAME *name, int loc) | ||||
|         set_prev = ret->set - 1; | ||||
|     set_next = sk_X509_NAME_ENTRY_value(sk, loc)->set; | ||||
|  | ||||
|         /*- | ||||
|          * set_prev is the previous set | ||||
|          * set is the current set | ||||
|          * set_next is the following | ||||
|          * prev  1 1    1 1     1 1     1 1 | ||||
|          * set   1      1       2       2 | ||||
|          * next  1 1    2 2     2 2     3 2 | ||||
|          * so basically only if prev and next differ by 2, then | ||||
|          * re-number down by 1 | ||||
|          */ | ||||
|     /*- | ||||
|      * set_prev is the previous set | ||||
|      * set is the current set | ||||
|      * set_next is the following | ||||
|      * prev  1 1    1 1     1 1     1 1 | ||||
|      * set   1      1       2       2 | ||||
|      * next  1 1    2 2     2 2     3 2 | ||||
|      * so basically only if prev and next differ by 2, then | ||||
|      * re-number down by 1 | ||||
|      */ | ||||
|     if (set_prev + 1 < set_next) | ||||
|         for (i = loc; i < n; i++) | ||||
|             sk_X509_NAME_ENTRY_value(sk, i)->set--; | ||||
|   | ||||
| @@ -808,11 +808,11 @@ static const unsigned char *valid_star(const unsigned char *p, size_t len, | ||||
|         if (p[i] == '*') { | ||||
|             int atstart = (state & LABEL_START); | ||||
|             int atend = (i == len - 1 || p[i + i] == '.'); | ||||
|                         /*- | ||||
|                          * At most one wildcard per pattern. | ||||
|                          * No wildcards in IDNA labels. | ||||
|                          * No wildcards after the first label. | ||||
|                          */ | ||||
|             /*- | ||||
|              * At most one wildcard per pattern. | ||||
|              * No wildcards in IDNA labels. | ||||
|              * No wildcards after the first label. | ||||
|              */ | ||||
|             if (star != NULL || (state & LABEL_IDNA) != 0 || dots) | ||||
|                 return NULL; | ||||
|             /* Only full-label '*.example.com' wildcards? */ | ||||
|   | ||||
| @@ -106,14 +106,14 @@ extern "C" { | ||||
|     /* | ||||
|      * Functions for Digest (MD5, SHA1) stuff | ||||
|      */ | ||||
| /* output : output data buffer */ | ||||
| /* input : input data buffer */ | ||||
| /* algo : hash algorithm, MD5 or SHA1 */ | ||||
| /*- | ||||
|  * typedef int t_zencod_hash ( KEY *output, const KEY *input, int algo ) ; | ||||
|  * typedef int t_zencod_sha_hash ( KEY *output, const KEY *input, int algo ) ; | ||||
|  */ | ||||
| /* For now separate this stuff that mad it easier to test */ | ||||
|     /* output : output data buffer */ | ||||
|     /* input : input data buffer */ | ||||
|     /* algo : hash algorithm, MD5 or SHA1 */ | ||||
|     /*- | ||||
|      * typedef int t_zencod_hash ( KEY *output, const KEY *input, int algo ) ; | ||||
|      * typedef int t_zencod_sha_hash ( KEY *output, const KEY *input, int algo ) ; | ||||
|      */ | ||||
|     /* For now separate this stuff that mad it easier to test */ | ||||
|     typedef int t_zencod_md5_init(ZEN_MD_DATA *data); | ||||
|     typedef int t_zencod_md5_update(ZEN_MD_DATA *data, const KEY * input); | ||||
|     typedef int t_zencod_md5_do_final(ZEN_MD_DATA *data, KEY * output); | ||||
|   | ||||
| @@ -18,20 +18,20 @@ static char *gost_params[GOST_PARAM_MAX + 1] = { NULL }; | ||||
| static const char *gost_envnames[] = { "CRYPT_PARAMS" }; | ||||
|  | ||||
| const ENGINE_CMD_DEFN gost_cmds[] = { | ||||
| /*-     { GOST_CTRL_RNG, | ||||
|         "RNG", | ||||
|         "Type of random number generator to use", | ||||
|         ENGINE_CMD_FLAG_STRING | ||||
|         }, | ||||
|         { GOST_CTRL_RNG_PARAMS, | ||||
|         "RNG_PARAMS", | ||||
|         "Parameter for random number generator", | ||||
|         ENGINE_CMD_FLAG_STRING | ||||
|         }, | ||||
| /*- { GOST_CTRL_RNG, | ||||
|     "RNG", | ||||
|     "Type of random number generator to use", | ||||
|     ENGINE_CMD_FLAG_STRING | ||||
|     }, | ||||
|     { GOST_CTRL_RNG_PARAMS, | ||||
|     "RNG_PARAMS", | ||||
|     "Parameter for random number generator", | ||||
|     ENGINE_CMD_FLAG_STRING | ||||
|     }, | ||||
| */ {GOST_CTRL_CRYPT_PARAMS, | ||||
|                "CRYPT_PARAMS", | ||||
|                "OID of default GOST 28147-89 parameters", | ||||
|                ENGINE_CMD_FLAG_STRING}, | ||||
|            "CRYPT_PARAMS", | ||||
|            "OID of default GOST 28147-89 parameters", | ||||
|            ENGINE_CMD_FLAG_STRING}, | ||||
|     {0, NULL, NULL, 0} | ||||
| }; | ||||
|  | ||||
|   | ||||
| @@ -1037,11 +1037,11 @@ static int cswift_rand_bytes(unsigned char *buf, int num) | ||||
|     while (num >= (int)sizeof(buf32)) { | ||||
|         largenum.value = buf; | ||||
|         largenum.nbytes = sizeof(buf32); | ||||
|                 /*- | ||||
|                  * tell CryptoSwift how many bytes we want and where we want it. | ||||
|                  * Note: - CryptoSwift cannot do more than 4096 bytes at a time. | ||||
|                  *       - CryptoSwift can only do multiple of 32-bits. | ||||
|                  */ | ||||
|         /*- | ||||
|          * tell CryptoSwift how many bytes we want and where we want it. | ||||
|          * Note: - CryptoSwift cannot do more than 4096 bytes at a time. | ||||
|          *       - CryptoSwift can only do multiple of 32-bits. | ||||
|          */ | ||||
|         swrc = | ||||
|             p_CSwift_SimpleRequest(hac, SW_CMD_RAND, NULL, 0, &largenum, 1); | ||||
|         if (swrc != SW_OK) { | ||||
|   | ||||
							
								
								
									
										22
									
								
								ssl/d1_pkt.c
									
									
									
									
									
								
							
							
						
						
									
										22
									
								
								ssl/d1_pkt.c
									
									
									
									
									
								
							| @@ -433,12 +433,12 @@ static int dtls1_process_record(SSL *s) | ||||
|     rr->orig_len = rr->length; | ||||
|  | ||||
|     enc_err = s->method->ssl3_enc->enc(s, 0); | ||||
|         /*- | ||||
|          * enc_err is: | ||||
|          *    0: (in non-constant time) if the record is publically invalid. | ||||
|          *    1: if the padding is valid | ||||
|          *   -1: if the padding is invalid | ||||
|          */ | ||||
|     /*- | ||||
|      * enc_err is: | ||||
|      *    0: (in non-constant time) if the record is publically invalid. | ||||
|      *    1: if the padding is valid | ||||
|      *   -1: if the padding is invalid | ||||
|      */ | ||||
|     if (enc_err == 0) { | ||||
|         /* For DTLS we simply ignore bad packets. */ | ||||
|         rr->length = 0; | ||||
| @@ -1046,11 +1046,11 @@ int dtls1_read_bytes(SSL *s, int type, unsigned char *buf, int len, int peek) | ||||
|         } | ||||
|     } | ||||
|  | ||||
|         /*- | ||||
|          * s->d1->handshake_fragment_len == 12  iff  rr->type == SSL3_RT_HANDSHAKE; | ||||
|          * s->d1->alert_fragment_len == 7      iff  rr->type == SSL3_RT_ALERT. | ||||
|          * (Possibly rr is 'empty' now, i.e. rr->length may be 0.) | ||||
|          */ | ||||
|     /*- | ||||
|      * s->d1->handshake_fragment_len == 12  iff  rr->type == SSL3_RT_HANDSHAKE; | ||||
|      * s->d1->alert_fragment_len == 7      iff  rr->type == SSL3_RT_ALERT. | ||||
|      * (Possibly rr is 'empty' now, i.e. rr->length may be 0.) | ||||
|      */ | ||||
|  | ||||
|     /* If we are a client, check for an incoming 'Hello Request': */ | ||||
|     if ((!s->server) && | ||||
|   | ||||
							
								
								
									
										38
									
								
								ssl/s3_cbc.c
									
									
									
									
									
								
							
							
						
						
									
										38
									
								
								ssl/s3_cbc.c
									
									
									
									
									
								
							| @@ -754,25 +754,25 @@ void tls_fips_digest_extra(const EVP_CIPHER_CTX *cipher_ctx, | ||||
|     if (EVP_CIPHER_CTX_mode(cipher_ctx) != EVP_CIPH_CBC_MODE) | ||||
|         return; | ||||
|     block_size = EVP_MD_CTX_block_size(mac_ctx); | ||||
| 	/*- | ||||
| 	 * We are in FIPS mode if we get this far so we know we have only SHA* | ||||
| 	 * digests and TLS to deal with. | ||||
| 	 * Minimum digest padding length is 17 for SHA384/SHA512 and 9 | ||||
| 	 * otherwise. | ||||
| 	 * Additional header is 13 bytes. To get the number of digest blocks | ||||
| 	 * processed round up the amount of data plus padding to the nearest | ||||
| 	 * block length. Block length is 128 for SHA384/SHA512 and 64 otherwise. | ||||
| 	 * So we have: | ||||
| 	 * blocks = (payload_len + digest_pad + 13 + block_size - 1)/block_size | ||||
| 	 * equivalently: | ||||
| 	 * blocks = (payload_len + digest_pad + 12)/block_size + 1 | ||||
| 	 * HMAC adds a constant overhead. | ||||
| 	 * We're ultimately only interested in differences so this becomes | ||||
| 	 * blocks = (payload_len + 29)/128 | ||||
| 	 * for SHA384/SHA512 and | ||||
| 	 * blocks = (payload_len + 21)/64 | ||||
| 	 * otherwise. | ||||
| 	 */ | ||||
|     /*- | ||||
|      * We are in FIPS mode if we get this far so we know we have only SHA* | ||||
|      * digests and TLS to deal with. | ||||
|      * Minimum digest padding length is 17 for SHA384/SHA512 and 9 | ||||
|      * otherwise. | ||||
|      * Additional header is 13 bytes. To get the number of digest blocks | ||||
|      * processed round up the amount of data plus padding to the nearest | ||||
|      * block length. Block length is 128 for SHA384/SHA512 and 64 otherwise. | ||||
|      * So we have: | ||||
|      * blocks = (payload_len + digest_pad + 13 + block_size - 1)/block_size | ||||
|      * equivalently: | ||||
|      * blocks = (payload_len + digest_pad + 12)/block_size + 1 | ||||
|      * HMAC adds a constant overhead. | ||||
|      * We're ultimately only interested in differences so this becomes | ||||
|      * blocks = (payload_len + 29)/128 | ||||
|      * for SHA384/SHA512 and | ||||
|      * blocks = (payload_len + 21)/64 | ||||
|      * otherwise. | ||||
|      */ | ||||
|     digest_pad = block_size == 64 ? 21 : 29; | ||||
|     blocks_orig = (orig_len + digest_pad) / block_size; | ||||
|     blocks_data = (data_len + digest_pad) / block_size; | ||||
|   | ||||
| @@ -725,36 +725,36 @@ int ssl3_client_hello(SSL *s) | ||||
|         /* Do the message type and length last */ | ||||
|         d = p = ssl_handshake_start(s); | ||||
|  | ||||
| 		/*- | ||||
| 		 * version indicates the negotiated version: for example from | ||||
| 		 * an SSLv2/v3 compatible client hello). The client_version | ||||
| 		 * field is the maximum version we permit and it is also | ||||
| 		 * used in RSA encrypted premaster secrets. Some servers can | ||||
| 		 * choke if we initially report a higher version then | ||||
| 		 * renegotiate to a lower one in the premaster secret. This | ||||
| 		 * didn't happen with TLS 1.0 as most servers supported it | ||||
| 		 * but it can with TLS 1.1 or later if the server only supports | ||||
| 		 * 1.0. | ||||
| 		 * | ||||
| 		 * Possible scenario with previous logic: | ||||
| 		 *      1. Client hello indicates TLS 1.2 | ||||
| 		 *      2. Server hello says TLS 1.0 | ||||
| 		 *      3. RSA encrypted premaster secret uses 1.2. | ||||
| 		 *      4. Handhaked proceeds using TLS 1.0. | ||||
| 		 *      5. Server sends hello request to renegotiate. | ||||
| 		 *      6. Client hello indicates TLS v1.0 as we now | ||||
| 		 *         know that is maximum server supports. | ||||
| 		 *      7. Server chokes on RSA encrypted premaster secret | ||||
| 		 *         containing version 1.0. | ||||
| 		 * | ||||
| 		 * For interoperability it should be OK to always use the | ||||
| 		 * maximum version we support in client hello and then rely | ||||
| 		 * on the checking of version to ensure the servers isn't | ||||
| 		 * being inconsistent: for example initially negotiating with | ||||
| 		 * TLS 1.0 and renegotiating with TLS 1.2. We do this by using | ||||
| 		 * client_version in client hello and not resetting it to | ||||
| 		 * the negotiated version. | ||||
| 		 */ | ||||
|         /*- | ||||
|          * version indicates the negotiated version: for example from | ||||
|          * an SSLv2/v3 compatible client hello). The client_version | ||||
|          * field is the maximum version we permit and it is also | ||||
|          * used in RSA encrypted premaster secrets. Some servers can | ||||
|          * choke if we initially report a higher version then | ||||
|          * renegotiate to a lower one in the premaster secret. This | ||||
|          * didn't happen with TLS 1.0 as most servers supported it | ||||
|          * but it can with TLS 1.1 or later if the server only supports | ||||
|          * 1.0. | ||||
|          * | ||||
|          * Possible scenario with previous logic: | ||||
|          *      1. Client hello indicates TLS 1.2 | ||||
|          *      2. Server hello says TLS 1.0 | ||||
|          *      3. RSA encrypted premaster secret uses 1.2. | ||||
|          *      4. Handhaked proceeds using TLS 1.0. | ||||
|          *      5. Server sends hello request to renegotiate. | ||||
|          *      6. Client hello indicates TLS v1.0 as we now | ||||
|          *         know that is maximum server supports. | ||||
|          *      7. Server chokes on RSA encrypted premaster secret | ||||
|          *         containing version 1.0. | ||||
|          * | ||||
|          * For interoperability it should be OK to always use the | ||||
|          * maximum version we support in client hello and then rely | ||||
|          * on the checking of version to ensure the servers isn't | ||||
|          * being inconsistent: for example initially negotiating with | ||||
|          * TLS 1.0 and renegotiating with TLS 1.2. We do this by using | ||||
|          * client_version in client hello and not resetting it to | ||||
|          * the negotiated version. | ||||
|          */ | ||||
| #if 0 | ||||
|         *(p++) = s->version >> 8; | ||||
|         *(p++) = s->version & 0xff; | ||||
| @@ -2514,13 +2514,13 @@ int ssl3_send_client_key_exchange(SSL *s) | ||||
|             if (RAND_bytes(&(tmp_buf[2]), sizeof tmp_buf - 2) <= 0) | ||||
|                 goto err; | ||||
|  | ||||
| 			/*- | ||||
| 			 * 20010420 VRS.  Tried it this way; failed. | ||||
| 			 *      EVP_EncryptInit_ex(&ciph_ctx,enc, NULL,NULL); | ||||
| 			 *      EVP_CIPHER_CTX_set_key_length(&ciph_ctx, | ||||
| 			 *                              kssl_ctx->length); | ||||
| 			 *      EVP_EncryptInit_ex(&ciph_ctx,NULL, key,iv); | ||||
| 			 */ | ||||
|             /*- | ||||
|              * 20010420 VRS.  Tried it this way; failed. | ||||
|              *      EVP_EncryptInit_ex(&ciph_ctx,enc, NULL,NULL); | ||||
|              *      EVP_CIPHER_CTX_set_key_length(&ciph_ctx, | ||||
|              *                              kssl_ctx->length); | ||||
|              *      EVP_EncryptInit_ex(&ciph_ctx,NULL, key,iv); | ||||
|              */ | ||||
|  | ||||
|             memset(iv, 0, sizeof iv); /* per RFC 1510 */ | ||||
|             EVP_EncryptInit_ex(&ciph_ctx, enc, NULL, kssl_ctx->key, iv); | ||||
|   | ||||
							
								
								
									
										15
									
								
								ssl/s3_enc.c
									
									
									
									
									
								
							
							
						
						
									
										15
									
								
								ssl/s3_enc.c
									
									
									
									
									
								
							| @@ -748,13 +748,14 @@ int n_ssl3_mac(SSL *ssl, unsigned char *md, int send) | ||||
|          * are hashing because that gives an attacker a timing-oracle. | ||||
|          */ | ||||
|  | ||||
|                 /*- | ||||
|                  * npad is, at most, 48 bytes and that's with MD5: | ||||
|                  *   16 + 48 + 8 (sequence bytes) + 1 + 2 = 75. | ||||
|                  * | ||||
|                  * With SHA-1 (the largest hash speced for SSLv3) the hash size | ||||
|                  * goes up 4, but npad goes down by 8, resulting in a smaller | ||||
|                  * total size. */ | ||||
|         /*- | ||||
|          * npad is, at most, 48 bytes and that's with MD5: | ||||
|          *   16 + 48 + 8 (sequence bytes) + 1 + 2 = 75. | ||||
|          * | ||||
|          * With SHA-1 (the largest hash speced for SSLv3) the hash size | ||||
|          * goes up 4, but npad goes down by 8, resulting in a smaller | ||||
|          * total size. | ||||
|          */ | ||||
|         unsigned char header[75]; | ||||
|         unsigned j = 0; | ||||
|         memcpy(header + j, mac_sec, md_size); | ||||
|   | ||||
| @@ -1913,11 +1913,11 @@ SSL_CTX *SSL_CTX_new(const SSL_METHOD *meth) | ||||
|     ret->references = 1; | ||||
|     ret->quiet_shutdown = 0; | ||||
|  | ||||
| /*      ret->cipher=NULL;*/ | ||||
| /*  ret->cipher=NULL;*/ | ||||
| /*- | ||||
|         ret->s2->challenge=NULL; | ||||
|         ret->master_key=NULL; | ||||
|         ret->s2->conn_id=NULL; */ | ||||
|     ret->s2->challenge=NULL; | ||||
|     ret->master_key=NULL; | ||||
|     ret->s2->conn_id=NULL; */ | ||||
|  | ||||
|     ret->info_callback = NULL; | ||||
|  | ||||
|   | ||||
| @@ -325,21 +325,21 @@ int ssl_get_new_session(SSL *s, int session) | ||||
|             return (0); | ||||
|         } | ||||
| #ifndef OPENSSL_NO_TLSEXT | ||||
| 		/*- | ||||
| 		 * If RFC5077 ticket, use empty session ID (as server). | ||||
| 		 * Note that: | ||||
| 		 * (a) ssl_get_prev_session() does lookahead into the | ||||
| 		 *     ClientHello extensions to find the session ticket. | ||||
| 		 *     When ssl_get_prev_session() fails, s3_srvr.c calls | ||||
| 		 *     ssl_get_new_session() in ssl3_get_client_hello(). | ||||
| 		 *     At that point, it has not yet parsed the extensions, | ||||
| 		 *     however, because of the lookahead, it already knows | ||||
| 		 *     whether a ticket is expected or not. | ||||
| 		 * | ||||
| 		 * (b) s3_clnt.c calls ssl_get_new_session() before parsing | ||||
| 		 *     ServerHello extensions, and before recording the session | ||||
| 		 *     ID received from the server, so this block is a noop. | ||||
| 		 */ | ||||
|         /*- | ||||
|          * If RFC5077 ticket, use empty session ID (as server). | ||||
|          * Note that: | ||||
|          * (a) ssl_get_prev_session() does lookahead into the | ||||
|          *     ClientHello extensions to find the session ticket. | ||||
|          *     When ssl_get_prev_session() fails, s3_srvr.c calls | ||||
|          *     ssl_get_new_session() in ssl3_get_client_hello(). | ||||
|          *     At that point, it has not yet parsed the extensions, | ||||
|          *     however, because of the lookahead, it already knows | ||||
|          *     whether a ticket is expected or not. | ||||
|          * | ||||
|          * (b) s3_clnt.c calls ssl_get_new_session() before parsing | ||||
|          *     ServerHello extensions, and before recording the session | ||||
|          *     ID received from the server, so this block is a noop. | ||||
|          */ | ||||
|         if (s->tlsext_ticket_expected) { | ||||
|             ss->session_id_length = 0; | ||||
|             goto sess_id_done; | ||||
|   | ||||
| @@ -288,8 +288,8 @@ int doit(io_channel chan, SSL_CTX *s_ctx) | ||||
|     if ((s_to_c == NULL) || (c_to_s == NULL)) | ||||
|         goto err; | ||||
| /*- original, DRM 24-SEP-1997 | ||||
|         BIO_set_fd ( c_to_s, "", chan ); | ||||
|         BIO_set_fd ( s_to_c, "", chan ); | ||||
|     BIO_set_fd ( c_to_s, "", chan ); | ||||
|     BIO_set_fd ( s_to_c, "", chan ); | ||||
| */ | ||||
|     BIO_set_fd(c_to_s, 0, chan); | ||||
|     BIO_set_fd(s_to_c, 0, chan); | ||||
|   | ||||
| @@ -1845,40 +1845,40 @@ int doit_biopair(SSL *s_ssl, SSL *c_ssl, long count, | ||||
|     (void)BIO_set_ssl(s_ssl_bio, s_ssl, BIO_NOCLOSE); | ||||
|  | ||||
|     do { | ||||
| 		/*- | ||||
| 		 * c_ssl_bio:          SSL filter BIO | ||||
| 		 * | ||||
| 		 * client:             pseudo-I/O for SSL library | ||||
| 		 * | ||||
| 		 * client_io:          client's SSL communication; usually to be | ||||
| 		 *                     relayed over some I/O facility, but in this | ||||
| 		 *                     test program, we're the server, too: | ||||
| 		 * | ||||
| 		 * server_io:          server's SSL communication | ||||
| 		 * | ||||
| 		 * server:             pseudo-I/O for SSL library | ||||
| 		 * | ||||
| 		 * s_ssl_bio:          SSL filter BIO | ||||
| 		 * | ||||
| 		 * The client and the server each employ a "BIO pair": | ||||
| 		 * client + client_io, server + server_io. | ||||
| 		 * BIO pairs are symmetric.  A BIO pair behaves similar | ||||
| 		 * to a non-blocking socketpair (but both endpoints must | ||||
| 		 * be handled by the same thread). | ||||
| 		 * [Here we could connect client and server to the ends | ||||
| 		 * of a single BIO pair, but then this code would be less | ||||
| 		 * suitable as an example for BIO pairs in general.] | ||||
| 		 * | ||||
| 		 * Useful functions for querying the state of BIO pair endpoints: | ||||
| 		 * | ||||
| 		 * BIO_ctrl_pending(bio)              number of bytes we can read now | ||||
| 		 * BIO_ctrl_get_read_request(bio)     number of bytes needed to fulfil | ||||
| 		 *                                      other side's read attempt | ||||
| 		 * BIO_ctrl_get_write_guarantee(bio)   number of bytes we can write now | ||||
| 		 * | ||||
| 		 * ..._read_request is never more than ..._write_guarantee; | ||||
| 		 * it depends on the application which one you should use. | ||||
| 		 */ | ||||
|         /*- | ||||
|          * c_ssl_bio:          SSL filter BIO | ||||
|          * | ||||
|          * client:             pseudo-I/O for SSL library | ||||
|          * | ||||
|          * client_io:          client's SSL communication; usually to be | ||||
|          *                     relayed over some I/O facility, but in this | ||||
|          *                     test program, we're the server, too: | ||||
|          * | ||||
|          * server_io:          server's SSL communication | ||||
|          * | ||||
|          * server:             pseudo-I/O for SSL library | ||||
|          * | ||||
|          * s_ssl_bio:          SSL filter BIO | ||||
|          * | ||||
|          * The client and the server each employ a "BIO pair": | ||||
|          * client + client_io, server + server_io. | ||||
|          * BIO pairs are symmetric.  A BIO pair behaves similar | ||||
|          * to a non-blocking socketpair (but both endpoints must | ||||
|          * be handled by the same thread). | ||||
|          * [Here we could connect client and server to the ends | ||||
|          * of a single BIO pair, but then this code would be less | ||||
|          * suitable as an example for BIO pairs in general.] | ||||
|          * | ||||
|          * Useful functions for querying the state of BIO pair endpoints: | ||||
|          * | ||||
|          * BIO_ctrl_pending(bio)              number of bytes we can read now | ||||
|          * BIO_ctrl_get_read_request(bio)     number of bytes needed to fulfil | ||||
|          *                                      other side's read attempt | ||||
|          * BIO_ctrl_get_write_guarantee(bio)   number of bytes we can write now | ||||
|          * | ||||
|          * ..._read_request is never more than ..._write_guarantee; | ||||
|          * it depends on the application which one you should use. | ||||
|          */ | ||||
|  | ||||
|         /* | ||||
|          * We have non-blocking behaviour throughout this test program, but | ||||
| @@ -2266,10 +2266,10 @@ int doit(SSL *s_ssl, SSL *c_ssl, long count) | ||||
|                 printf("server waiting in SSL_accept - %s\n", | ||||
|                        SSL_state_string_long(s_ssl)); | ||||
| /*- | ||||
|                         else if (s_write) | ||||
|                                 printf("server:SSL_write()\n"); | ||||
|                         else | ||||
|                                 printf("server:SSL_read()\n"); */ | ||||
|             else if (s_write) | ||||
|                 printf("server:SSL_write()\n"); | ||||
|             else | ||||
|                 printf("server:SSL_read()\n"); */ | ||||
|         } | ||||
|  | ||||
|         if (do_client && debug) { | ||||
| @@ -2277,10 +2277,10 @@ int doit(SSL *s_ssl, SSL *c_ssl, long count) | ||||
|                 printf("client waiting in SSL_connect - %s\n", | ||||
|                        SSL_state_string_long(c_ssl)); | ||||
| /*- | ||||
|                         else if (c_write) | ||||
|                                 printf("client:SSL_write()\n"); | ||||
|                         else | ||||
|                                 printf("client:SSL_read()\n"); */ | ||||
|             else if (c_write) | ||||
|                 printf("client:SSL_write()\n"); | ||||
|             else | ||||
|                 printf("client:SSL_read()\n"); */ | ||||
|         } | ||||
|  | ||||
|         if (!do_client && !do_server) { | ||||
|   | ||||
| @@ -86,13 +86,13 @@ char *argv[]; | ||||
|     METH_arg(tmp2, METH_TYPE_DIR, "/usr/local/ssl/certs"); | ||||
|     METH_push(top, METH_X509_CA_BY_SUBJECT, tmp2); | ||||
|  | ||||
| /*-     tmp=METH_new(x509_by_issuer_dir); | ||||
|         METH_arg(tmp,METH_TYPE_DIR,"/home/eay/.mycerts"); | ||||
|         METH_push(top,METH_X509_BY_ISSUER,tmp); | ||||
| /*- tmp=METH_new(x509_by_issuer_dir); | ||||
|     METH_arg(tmp,METH_TYPE_DIR,"/home/eay/.mycerts"); | ||||
|     METH_push(top,METH_X509_BY_ISSUER,tmp); | ||||
|  | ||||
|         tmp=METH_new(x509_by_issuer_primary); | ||||
|         METH_arg(tmp,METH_TYPE_FILE,"/home/eay/.mycerts/primary.pem"); | ||||
|         METH_push(top,METH_X509_BY_ISSUER,tmp); | ||||
|     tmp=METH_new(x509_by_issuer_primary); | ||||
|     METH_arg(tmp,METH_TYPE_FILE,"/home/eay/.mycerts/primary.pem"); | ||||
|     METH_push(top,METH_X509_BY_ISSUER,tmp); | ||||
| */ | ||||
|  | ||||
|     METH_init(top); | ||||
|   | ||||
		Reference in New Issue
	
	Block a user
	 Matt Caswell
					Matt Caswell