generic-library/openssl
1
0
Fork 0
Code Issues Pull Requests Releases Wiki Activity

Re-align some comments after running the reformat script.

Browse Source 
This should be a one off operation (subsequent invokation of the
script should not move them)

Reviewed-by: Tim Hudson <tjh@openssl.org>
This commit is contained in:
Matt Caswell 2015-01-05 11:30:03 +00:00
parent 739a5eee61
commit 50e735f9e5
50 changed files with 1113 additions and 1113 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

8
apps/ca.c
View File

@ -615,10 +615,10 @@ int MAIN(int argc, char **argv)
oid_bio = BIO_new_file(p, "r"); oid_bio = BIO_new_file(p, "r");
if (oid_bio == NULL) { if (oid_bio == NULL) {
/*- /*-
BIO_printf(bio_err,"problems opening %s for extra oid's\n",p); BIO_printf(bio_err,"problems opening %s for extra oid's\n",p);
ERR_print_errors(bio_err); ERR_print_errors(bio_err);
*/ */
ERR_clear_error(); ERR_clear_error();
} else { } else {
OBJ_create_objects(oid_bio); OBJ_create_objects(oid_bio);

42
apps/openssl.c
View File

@ -231,27 +231,27 @@ int main(int Argc, char *ARGV[])
long errline; long errline;
#if defined( OPENSSL_SYS_VMS) && (__INITIAL_POINTER_SIZE == 64) #if defined( OPENSSL_SYS_VMS) && (__INITIAL_POINTER_SIZE == 64)
/*- /*-
* 2011-03-22 SMS. * 2011-03-22 SMS.
* If we have 32-bit pointers everywhere, then we're safe, and * If we have 32-bit pointers everywhere, then we're safe, and
* we bypass this mess, as on non-VMS systems. (See ARGV, * we bypass this mess, as on non-VMS systems. (See ARGV,
* above.) * above.)
* Problem 1: Compaq/HP C before V7.3 always used 32-bit * Problem 1: Compaq/HP C before V7.3 always used 32-bit
* pointers for argv[]. * pointers for argv[].
* Fix 1: For a 32-bit argv[], when we're using 64-bit pointers * Fix 1: For a 32-bit argv[], when we're using 64-bit pointers
* everywhere else, we always allocate and use a 64-bit * everywhere else, we always allocate and use a 64-bit
* duplicate of argv[]. * duplicate of argv[].
* Problem 2: Compaq/HP C V7.3 (Alpha, IA64) before ECO1 failed * Problem 2: Compaq/HP C V7.3 (Alpha, IA64) before ECO1 failed
* to NULL-terminate a 64-bit argv[]. (As this was written, the * to NULL-terminate a 64-bit argv[]. (As this was written, the
* compiler ECO was available only on IA64.) * compiler ECO was available only on IA64.)
* Fix 2: Unless advised not to (VMS_TRUST_ARGV), we test a * Fix 2: Unless advised not to (VMS_TRUST_ARGV), we test a
* 64-bit argv[argc] for NULL, and, if necessary, use a * 64-bit argv[argc] for NULL, and, if necessary, use a
* (properly) NULL-terminated (64-bit) duplicate of argv[]. * (properly) NULL-terminated (64-bit) duplicate of argv[].
* The same code is used in either case to duplicate argv[]. * The same code is used in either case to duplicate argv[].
* Some of these decisions could be handled in preprocessing, * Some of these decisions could be handled in preprocessing,
* but the code tends to get even uglier, and the penalty for * but the code tends to get even uglier, and the penalty for
* deciding at compile- or run-time is tiny. * deciding at compile- or run-time is tiny.
*/ */
char **Argv = NULL; char **Argv = NULL;
int free_Argv = 0; int free_Argv = 0;

8
apps/req.c
View File

@ -491,10 +491,10 @@ int MAIN(int argc, char **argv)
oid_bio = BIO_new_file(p, "r"); oid_bio = BIO_new_file(p, "r");
if (oid_bio == NULL) { if (oid_bio == NULL) {
/*- /*-
BIO_printf(bio_err,"problems opening %s for extra oid's\n",p); BIO_printf(bio_err,"problems opening %s for extra oid's\n",p);
ERR_print_errors(bio_err); ERR_print_errors(bio_err);
*/ */
} else { } else {
OBJ_create_objects(oid_bio); OBJ_create_objects(oid_bio);
BIO_free(oid_bio); BIO_free(oid_bio);

26
apps/s_cb.c
View File

@ -221,20 +221,20 @@ int set_cert_stuff(SSL_CTX *ctx, char *cert_file, char *key_file)
return (0); return (0);
} }
/*- /*-
In theory this is no longer needed In theory this is no longer needed
ssl=SSL_new(ctx); ssl=SSL_new(ctx);
x509=SSL_get_certificate(ssl); x509=SSL_get_certificate(ssl);
if (x509 != NULL) { if (x509 != NULL) {
EVP_PKEY *pktmp; EVP_PKEY *pktmp;
pktmp = X509_get_pubkey(x509); pktmp = X509_get_pubkey(x509);
EVP_PKEY_copy_parameters(pktmp, EVP_PKEY_copy_parameters(pktmp,
SSL_get_privatekey(ssl)); SSL_get_privatekey(ssl));
EVP_PKEY_free(pktmp); EVP_PKEY_free(pktmp);
} }
SSL_free(ssl); SSL_free(ssl);
*/ */
/* /*
* If we are using DSA, we can copy the parameters from the private * If we are using DSA, we can copy the parameters from the private

14
apps/s_socket.c
View File

@ -504,13 +504,13 @@ static int do_accept(int acc_sock, int *sock, char **host)
} }
/*- /*-
ling.l_onoff=1; ling.l_onoff=1;
ling.l_linger=0; ling.l_linger=0;
i=setsockopt(ret,SOL_SOCKET,SO_LINGER,(char *)&ling,sizeof(ling)); i=setsockopt(ret,SOL_SOCKET,SO_LINGER,(char *)&ling,sizeof(ling));
if (i < 0) { perror("linger"); return(0); } if (i < 0) { perror("linger"); return(0); }
i=0; i=0;
i=setsockopt(ret,SOL_SOCKET,SO_KEEPALIVE,(char *)&i,sizeof(i)); i=setsockopt(ret,SOL_SOCKET,SO_KEEPALIVE,(char *)&i,sizeof(i));
if (i < 0) { perror("keepalive"); return(0); } if (i < 0) { perror("keepalive"); return(0); }
*/ */
if (host == NULL) if (host == NULL)

24
apps/ts.c
View File

@ -1102,19 +1102,19 @@ static X509_STORE *create_cert_store(char *ca_path, char *ca_file)
static int verify_cb(int ok, X509_STORE_CTX *ctx) static int verify_cb(int ok, X509_STORE_CTX *ctx)
{ {
/*- /*-
char buf[256]; char buf[256];
if (!ok) if (!ok)
{ {
X509_NAME_oneline(X509_get_subject_name(ctx->current_cert), X509_NAME_oneline(X509_get_subject_name(ctx->current_cert),
buf, sizeof(buf)); buf, sizeof(buf));
printf("%s\n", buf); printf("%s\n", buf);
printf("error %d at %d depth lookup: %s\n", printf("error %d at %d depth lookup: %s\n",
ctx->error, ctx->error_depth, ctx->error, ctx->error_depth,
X509_verify_cert_error_string(ctx->error)); X509_verify_cert_error_string(ctx->error));
} }
*/ */
return ok; return ok;
} }

14
crypto/asn1/a_sign.c
View File

@ -252,13 +252,13 @@ int ASN1_item_sign_ctx(const ASN1_ITEM *it,
rv = pkey->ameth->item_sign(ctx, it, asn, algor1, algor2, signature); rv = pkey->ameth->item_sign(ctx, it, asn, algor1, algor2, signature);
if (rv == 1) if (rv == 1)
outl = signature->length; outl = signature->length;
/*- /*-
* Return value meanings: * Return value meanings:
* <=0: error. * <=0: error.
* 1: method does everything. * 1: method does everything.
* 2: carry on as normal. * 2: carry on as normal.
* 3: ASN1 method sets algorithm identifiers: just sign. * 3: ASN1 method sets algorithm identifiers: just sign.
*/ */
if (rv <= 0) if (rv <= 0)
ASN1err(ASN1_F_ASN1_ITEM_SIGN_CTX, ERR_R_EVP_LIB); ASN1err(ASN1_F_ASN1_ITEM_SIGN_CTX, ERR_R_EVP_LIB);
if (rv <= 1) if (rv <= 1)

14
crypto/bio/b_sock.c
View File

@ -529,13 +529,13 @@ int BIO_socket_ioctl(int fd, long type, void *arg)
i = ioctlsocket(fd, type, (char *)arg); i = ioctlsocket(fd, type, (char *)arg);
# else # else
# if defined(OPENSSL_SYS_VMS) # if defined(OPENSSL_SYS_VMS)
/*- /*-
* 2011-02-18 SMS. * 2011-02-18 SMS.
* VMS ioctl() can't tolerate a 64-bit "void *arg", but we * VMS ioctl() can't tolerate a 64-bit "void *arg", but we
* observe that all the consumers pass in an "unsigned long *", * observe that all the consumers pass in an "unsigned long *",
* so we arrange a local copy with a short pointer, and use * so we arrange a local copy with a short pointer, and use
* that, instead. * that, instead.
*/ */
# if __INITIAL_POINTER_SIZE == 64 # if __INITIAL_POINTER_SIZE == 64
# define ARG arg_32p # define ARG arg_32p
# pragma pointer_size save # pragma pointer_size save

10
crypto/bio/bf_null.c
View File

@ -103,11 +103,11 @@ static int nullf_free(BIO *a)
{ {
if (a == NULL) if (a == NULL)
return (0); return (0);
/*- /*-
a->ptr=NULL; a->ptr=NULL;
a->init=0; a->init=0;
a->flags=0; a->flags=0;
*/ */
return (1); return (1);
} }

18
crypto/bio/bio.h
View File

@ -344,15 +344,15 @@ struct bio_st {
DECLARE_STACK_OF(BIO) DECLARE_STACK_OF(BIO)
typedef struct bio_f_buffer_ctx_struct { typedef struct bio_f_buffer_ctx_struct {
/*- /*-
* Buffers are setup like this: * Buffers are setup like this:
* *
* <---------------------- size -----------------------> * <---------------------- size ----------------------->
* +---------------------------------------------------+ * +---------------------------------------------------+
* | consumed | remaining | free space | * | consumed | remaining | free space |
* +---------------------------------------------------+ * +---------------------------------------------------+
* <-- off --><------- len -------> * <-- off --><------- len ------->
*/ */
/*- BIO *bio; *//* /*- BIO *bio; *//*
* this is now in the BIO struct * this is now in the BIO struct
*/ */

24
crypto/bn/bn_add.c
View File

@ -68,12 +68,12 @@ int BN_add(BIGNUM *r, const BIGNUM *a, const BIGNUM *b)
bn_check_top(a); bn_check_top(a);
bn_check_top(b); bn_check_top(b);
/*- /*-
* a + b a+b * a + b a+b
* a + -b a-b * a + -b a-b
* -a + b b-a * -a + b b-a
* -a + -b -(a+b) * -a + -b -(a+b)
*/ */
if (a_neg ^ b->neg) { if (a_neg ^ b->neg) {
/* only one is negative */ /* only one is negative */
if (a_neg) { if (a_neg) {
@ -260,12 +260,12 @@ int BN_sub(BIGNUM *r, const BIGNUM *a, const BIGNUM *b)
bn_check_top(a); bn_check_top(a);
bn_check_top(b); bn_check_top(b);
/*- /*-
* a - b a-b * a - b a-b
* a - -b a+b * a - -b a+b
* -a - b -(a+b) * -a - b -(a+b)
* -a - -b b-a * -a - -b b-a
*/ */
if (a->neg) { if (a->neg) {
if (b->neg) { if (b->neg) {
tmp = a; tmp = a;

60
crypto/bn/bn_exp.c
View File

@ -203,36 +203,36 @@ int BN_mod_exp(BIGNUM *r, const BIGNUM *a, const BIGNUM *p, const BIGNUM *m,
bn_check_top(p); bn_check_top(p);
bn_check_top(m); bn_check_top(m);
/*- /*-
* For even modulus m = 2^k*m_odd, it might make sense to compute * For even modulus m = 2^k*m_odd, it might make sense to compute
* a^p mod m_odd and a^p mod 2^k separately (with Montgomery * a^p mod m_odd and a^p mod 2^k separately (with Montgomery
* exponentiation for the odd part), using appropriate exponent * exponentiation for the odd part), using appropriate exponent
* reductions, and combine the results using the CRT. * reductions, and combine the results using the CRT.
* *
* For now, we use Montgomery only if the modulus is odd; otherwise, * For now, we use Montgomery only if the modulus is odd; otherwise,
* exponentiation using the reciprocal-based quick remaindering * exponentiation using the reciprocal-based quick remaindering
* algorithm is used. * algorithm is used.
* *
* (Timing obtained with expspeed.c [computations a^p mod m * (Timing obtained with expspeed.c [computations a^p mod m
* where a, p, m are of the same length: 256, 512, 1024, 2048, * where a, p, m are of the same length: 256, 512, 1024, 2048,
* 4096, 8192 bits], compared to the running time of the * 4096, 8192 bits], compared to the running time of the
* standard algorithm: * standard algorithm:
* *
* BN_mod_exp_mont 33 .. 40 % [AMD K6-2, Linux, debug configuration] * BN_mod_exp_mont 33 .. 40 % [AMD K6-2, Linux, debug configuration]
* 55 .. 77 % [UltraSparc processor, but * 55 .. 77 % [UltraSparc processor, but
* debug-solaris-sparcv8-gcc conf.] * debug-solaris-sparcv8-gcc conf.]
* *
* BN_mod_exp_recp 50 .. 70 % [AMD K6-2, Linux, debug configuration] * BN_mod_exp_recp 50 .. 70 % [AMD K6-2, Linux, debug configuration]
* 62 .. 118 % [UltraSparc, debug-solaris-sparcv8-gcc] * 62 .. 118 % [UltraSparc, debug-solaris-sparcv8-gcc]
* *
* On the Sparc, BN_mod_exp_recp was faster than BN_mod_exp_mont * On the Sparc, BN_mod_exp_recp was faster than BN_mod_exp_mont
* at 2048 and more bits, but at 512 and 1024 bits, it was * at 2048 and more bits, but at 512 and 1024 bits, it was
* slower even than the standard algorithm! * slower even than the standard algorithm!
* *
* "Real" timings [linux-elf, solaris-sparcv9-gcc configurations] * "Real" timings [linux-elf, solaris-sparcv9-gcc configurations]
* should be obtained when the new Montgomery reduction code * should be obtained when the new Montgomery reduction code
* has been integrated into OpenSSL.) * has been integrated into OpenSSL.)
*/ */
#define MONT_MUL_MOD #define MONT_MUL_MOD
#define MONT_EXP_WORD #define MONT_EXP_WORD

212
crypto/bn/bn_gcd.c
View File

@ -283,13 +283,13 @@ BIGNUM *int_bn_mod_inverse(BIGNUM *in,
goto err; goto err;
} }
sign = -1; sign = -1;
/*- /*-
* From B = a mod |n|, A = |n| it follows that * From B = a mod |n|, A = |n| it follows that
* *
* 0 <= B < A, * 0 <= B < A,
* -sign*X*a == B (mod |n|), * -sign*X*a == B (mod |n|),
* sign*Y*a == A (mod |n|). * sign*Y*a == A (mod |n|).
*/ */
if (BN_is_odd(n) && (BN_num_bits(n) <= (BN_BITS <= 32 ? 450 : 2048))) { if (BN_is_odd(n) && (BN_num_bits(n) <= (BN_BITS <= 32 ? 450 : 2048))) {
/* /*
@ -301,12 +301,12 @@ BIGNUM *int_bn_mod_inverse(BIGNUM *in,
int shift; int shift;
while (!BN_is_zero(B)) { while (!BN_is_zero(B)) {
/*- /*-
* 0 < B < |n|, * 0 < B < |n|,
* 0 < A <= |n|, * 0 < A <= |n|,
* (1) -sign*X*a == B (mod |n|), * (1) -sign*X*a == B (mod |n|),
* (2) sign*Y*a == A (mod |n|) * (2) sign*Y*a == A (mod |n|)
*/ */
/* /*
* Now divide B by the maximum possible power of two in the * Now divide B by the maximum possible power of two in the
@ -352,18 +352,18 @@ BIGNUM *int_bn_mod_inverse(BIGNUM *in,
goto err; goto err;
} }
/*- /*-
* We still have (1) and (2). * We still have (1) and (2).
* Both A and B are odd. * Both A and B are odd.
* The following computations ensure that * The following computations ensure that
* *
* 0 <= B < |n|, * 0 <= B < |n|,
* 0 < A < |n|, * 0 < A < |n|,
* (1) -sign*X*a == B (mod |n|), * (1) -sign*X*a == B (mod |n|),
* (2) sign*Y*a == A (mod |n|), * (2) sign*Y*a == A (mod |n|),
* *
* and that either A or B is even in the next iteration. * and that either A or B is even in the next iteration.
*/ */
if (BN_ucmp(B, A) >= 0) { if (BN_ucmp(B, A) >= 0) {
/* -sign*(X + Y)*a == B - A (mod |n|) */ /* -sign*(X + Y)*a == B - A (mod |n|) */
if (!BN_uadd(X, X, Y)) if (!BN_uadd(X, X, Y))
@ -392,11 +392,11 @@ BIGNUM *int_bn_mod_inverse(BIGNUM *in,
while (!BN_is_zero(B)) { while (!BN_is_zero(B)) {
BIGNUM *tmp; BIGNUM *tmp;
/*- /*-
* 0 < B < A, * 0 < B < A,
* (*) -sign*X*a == B (mod |n|), * (*) -sign*X*a == B (mod |n|),
* sign*Y*a == A (mod |n|) * sign*Y*a == A (mod |n|)
*/ */
/* (D, M) := (A/B, A%B) ... */ /* (D, M) := (A/B, A%B) ... */
if (BN_num_bits(A) == BN_num_bits(B)) { if (BN_num_bits(A) == BN_num_bits(B)) {
@ -443,12 +443,12 @@ BIGNUM *int_bn_mod_inverse(BIGNUM *in,
goto err; goto err;
} }
/*- /*-
* Now * Now
* A = D*B + M; * A = D*B + M;
* thus we have * thus we have
* (**) sign*Y*a == D*B + M (mod |n|). * (**) sign*Y*a == D*B + M (mod |n|).
*/ */
tmp = A; /* keep the BIGNUM object, the value does not tmp = A; /* keep the BIGNUM object, the value does not
* matter */ * matter */
@ -458,25 +458,25 @@ BIGNUM *int_bn_mod_inverse(BIGNUM *in,
B = M; B = M;
/* ... so we have 0 <= B < A again */ /* ... so we have 0 <= B < A again */
/*- /*-
* Since the former M is now B and the former B is now A, * Since the former M is now B and the former B is now A,
* (**) translates into * (**) translates into
* sign*Y*a == D*A + B (mod |n|), * sign*Y*a == D*A + B (mod |n|),
* i.e. * i.e.
* sign*Y*a - D*A == B (mod |n|). * sign*Y*a - D*A == B (mod |n|).
* Similarly, (*) translates into * Similarly, (*) translates into
* -sign*X*a == A (mod |n|). * -sign*X*a == A (mod |n|).
* *
* Thus, * Thus,
* sign*Y*a + D*sign*X*a == B (mod |n|), * sign*Y*a + D*sign*X*a == B (mod |n|),
* i.e. * i.e.
* sign*(Y + D*X)*a == B (mod |n|). * sign*(Y + D*X)*a == B (mod |n|).
* *
* So if we set (X, Y, sign) := (Y + D*X, X, -sign), we arrive back at * So if we set (X, Y, sign) := (Y + D*X, X, -sign), we arrive back at
* -sign*X*a == B (mod |n|), * -sign*X*a == B (mod |n|),
* sign*Y*a == A (mod |n|). * sign*Y*a == A (mod |n|).
* Note that X and Y stay non-negative all the time. * Note that X and Y stay non-negative all the time.
*/ */
/* /*
* most of the time D is very small, so we can optimize tmp := * most of the time D is very small, so we can optimize tmp :=
@ -513,13 +513,13 @@ BIGNUM *int_bn_mod_inverse(BIGNUM *in,
} }
} }
/*- /*-
* The while loop (Euclid's algorithm) ends when * The while loop (Euclid's algorithm) ends when
* A == gcd(a,n); * A == gcd(a,n);
* we have * we have
* sign*Y*a == A (mod |n|), * sign*Y*a == A (mod |n|),
* where Y is non-negative. * where Y is non-negative.
*/ */
if (sign < 0) { if (sign < 0) {
if (!BN_sub(Y, n, Y)) if (!BN_sub(Y, n, Y))
@ -604,22 +604,22 @@ static BIGNUM *BN_mod_inverse_no_branch(BIGNUM *in,
goto err; goto err;
} }
sign = -1; sign = -1;
/*- /*-
* From B = a mod |n|, A = |n| it follows that * From B = a mod |n|, A = |n| it follows that
* *
* 0 <= B < A, * 0 <= B < A,
* -sign*X*a == B (mod |n|), * -sign*X*a == B (mod |n|),
* sign*Y*a == A (mod |n|). * sign*Y*a == A (mod |n|).
*/ */
while (!BN_is_zero(B)) { while (!BN_is_zero(B)) {
BIGNUM *tmp; BIGNUM *tmp;
/*- /*-
* 0 < B < A, * 0 < B < A,
* (*) -sign*X*a == B (mod |n|), * (*) -sign*X*a == B (mod |n|),
* sign*Y*a == A (mod |n|) * sign*Y*a == A (mod |n|)
*/ */
/* /*
* Turn BN_FLG_CONSTTIME flag on, so that when BN_div is invoked, * Turn BN_FLG_CONSTTIME flag on, so that when BN_div is invoked,
@ -632,12 +632,12 @@ static BIGNUM *BN_mod_inverse_no_branch(BIGNUM *in,
if (!BN_div(D, M, pA, B, ctx)) if (!BN_div(D, M, pA, B, ctx))
goto err; goto err;
/*- /*-
* Now * Now
* A = D*B + M; * A = D*B + M;
* thus we have * thus we have
* (**) sign*Y*a == D*B + M (mod |n|). * (**) sign*Y*a == D*B + M (mod |n|).
*/ */
tmp = A; /* keep the BIGNUM object, the value does not tmp = A; /* keep the BIGNUM object, the value does not
* matter */ * matter */
@ -647,25 +647,25 @@ static BIGNUM *BN_mod_inverse_no_branch(BIGNUM *in,
B = M; B = M;
/* ... so we have 0 <= B < A again */ /* ... so we have 0 <= B < A again */
/*- /*-
* Since the former M is now B and the former B is now A, * Since the former M is now B and the former B is now A,
* (**) translates into * (**) translates into
* sign*Y*a == D*A + B (mod |n|), * sign*Y*a == D*A + B (mod |n|),
* i.e. * i.e.
* sign*Y*a - D*A == B (mod |n|). * sign*Y*a - D*A == B (mod |n|).
* Similarly, (*) translates into * Similarly, (*) translates into
* -sign*X*a == A (mod |n|). * -sign*X*a == A (mod |n|).
* *
* Thus, * Thus,
* sign*Y*a + D*sign*X*a == B (mod |n|), * sign*Y*a + D*sign*X*a == B (mod |n|),
* i.e. * i.e.
* sign*(Y + D*X)*a == B (mod |n|). * sign*(Y + D*X)*a == B (mod |n|).
* *
* So if we set (X, Y, sign) := (Y + D*X, X, -sign), we arrive back at * So if we set (X, Y, sign) := (Y + D*X, X, -sign), we arrive back at
* -sign*X*a == B (mod |n|), * -sign*X*a == B (mod |n|),
* sign*Y*a == A (mod |n|). * sign*Y*a == A (mod |n|).
* Note that X and Y stay non-negative all the time. * Note that X and Y stay non-negative all the time.
*/ */
if (!BN_mul(tmp, D, X, ctx)) if (!BN_mul(tmp, D, X, ctx))
goto err; goto err;
@ -679,13 +679,13 @@ static BIGNUM *BN_mod_inverse_no_branch(BIGNUM *in,
sign = -sign; sign = -sign;
} }
/*- /*-
* The while loop (Euclid's algorithm) ends when * The while loop (Euclid's algorithm) ends when
* A == gcd(a,n); * A == gcd(a,n);
* we have * we have
* sign*Y*a == A (mod |n|), * sign*Y*a == A (mod |n|),
* where Y is non-negative. * where Y is non-negative.
*/ */
if (sign < 0) { if (sign < 0) {
if (!BN_sub(Y, n, Y)) if (!BN_sub(Y, n, Y))

90
crypto/bn/bn_mul.c
View File

@ -484,11 +484,11 @@ void bn_mul_recursive(BN_ULONG *r, BN_ULONG *a, BN_ULONG *b, int n2,
bn_mul_recursive(&(r[n2]), &(a[n]), &(b[n]), n, dna, dnb, p); bn_mul_recursive(&(r[n2]), &(a[n]), &(b[n]), n, dna, dnb, p);
} }
/*- /*-
* t[32] holds (a[0]-a[1])*(b[1]-b[0]), c1 is the sign * t[32] holds (a[0]-a[1])*(b[1]-b[0]), c1 is the sign
* r[10] holds (a[0]*b[0]) * r[10] holds (a[0]*b[0])
* r[32] holds (b[1]*b[1]) * r[32] holds (b[1]*b[1])
*/ */
c1 = (int)(bn_add_words(t, r, &(r[n2]), n2)); c1 = (int)(bn_add_words(t, r, &(r[n2]), n2));
@ -499,12 +499,12 @@ void bn_mul_recursive(BN_ULONG *r, BN_ULONG *a, BN_ULONG *b, int n2,
c1 += (int)(bn_add_words(&(t[n2]), &(t[n2]), t, n2)); c1 += (int)(bn_add_words(&(t[n2]), &(t[n2]), t, n2));
} }
/*- /*-
* t[32] holds (a[0]-a[1])*(b[1]-b[0])+(a[0]*b[0])+(a[1]*b[1]) * t[32] holds (a[0]-a[1])*(b[1]-b[0])+(a[0]*b[0])+(a[1]*b[1])
* r[10] holds (a[0]*b[0]) * r[10] holds (a[0]*b[0])
* r[32] holds (b[1]*b[1]) * r[32] holds (b[1]*b[1])
* c1 holds the carry bits * c1 holds the carry bits
*/ */
c1 += (int)(bn_add_words(&(r[n]), &(r[n]), &(t[n2]), n2)); c1 += (int)(bn_add_words(&(r[n]), &(r[n]), &(t[n2]), n2));
if (c1) { if (c1) {
p = &(r[n + n2]); p = &(r[n + n2]);
@ -642,11 +642,11 @@ void bn_mul_part_recursive(BN_ULONG *r, BN_ULONG *a, BN_ULONG *b, int n,
} }
} }
/*- /*-
* t[32] holds (a[0]-a[1])*(b[1]-b[0]), c1 is the sign * t[32] holds (a[0]-a[1])*(b[1]-b[0]), c1 is the sign
* r[10] holds (a[0]*b[0]) * r[10] holds (a[0]*b[0])
* r[32] holds (b[1]*b[1]) * r[32] holds (b[1]*b[1])
*/ */
c1 = (int)(bn_add_words(t, r, &(r[n2]), n2)); c1 = (int)(bn_add_words(t, r, &(r[n2]), n2));
@ -657,12 +657,12 @@ void bn_mul_part_recursive(BN_ULONG *r, BN_ULONG *a, BN_ULONG *b, int n,
c1 += (int)(bn_add_words(&(t[n2]), &(t[n2]), t, n2)); c1 += (int)(bn_add_words(&(t[n2]), &(t[n2]), t, n2));
} }
/*- /*-
* t[32] holds (a[0]-a[1])*(b[1]-b[0])+(a[0]*b[0])+(a[1]*b[1]) * t[32] holds (a[0]-a[1])*(b[1]-b[0])+(a[0]*b[0])+(a[1]*b[1])
* r[10] holds (a[0]*b[0]) * r[10] holds (a[0]*b[0])
* r[32] holds (b[1]*b[1]) * r[32] holds (b[1]*b[1])
* c1 holds the carry bits * c1 holds the carry bits
*/ */
c1 += (int)(bn_add_words(&(r[n]), &(r[n]), &(t[n2]), n2)); c1 += (int)(bn_add_words(&(r[n]), &(r[n]), &(t[n2]), n2));
if (c1) { if (c1) {
p = &(r[n + n2]); p = &(r[n + n2]);
@ -774,13 +774,13 @@ void bn_mul_high(BN_ULONG *r, BN_ULONG *a, BN_ULONG *b, BN_ULONG *l, int n2,
bn_mul_recursive(r, &(a[n]), &(b[n]), n, 0, 0, &(t[n2])); bn_mul_recursive(r, &(a[n]), &(b[n]), n, 0, 0, &(t[n2]));
} }
/*- /*-
* s0 == low(al*bl) * s0 == low(al*bl)
* s1 == low(ah*bh)+low((al-ah)*(bh-bl))+low(al*bl)+high(al*bl) * s1 == low(ah*bh)+low((al-ah)*(bh-bl))+low(al*bl)+high(al*bl)
* We know s0 and s1 so the only unknown is high(al*bl) * We know s0 and s1 so the only unknown is high(al*bl)
* high(al*bl) == s1 - low(ah*bh+s0+(al-ah)*(bh-bl)) * high(al*bl) == s1 - low(ah*bh+s0+(al-ah)*(bh-bl))
* high(al*bl) == s1 - (r[0]+l[0]+t[0]) * high(al*bl) == s1 - (r[0]+l[0]+t[0])
*/ */
if (l != NULL) { if (l != NULL) {
lp = &(t[n2 + n]); lp = &(t[n2 + n]);
c1 = (int)(bn_add_words(lp, &(r[0]), &(l[0]), n)); c1 = (int)(bn_add_words(lp, &(r[0]), &(l[0]), n));
@ -805,22 +805,22 @@ void bn_mul_high(BN_ULONG *r, BN_ULONG *a, BN_ULONG *b, BN_ULONG *l, int n2,
lp[i] = ((~mp[i]) + 1) & BN_MASK2; lp[i] = ((~mp[i]) + 1) & BN_MASK2;
} }
/*- /*-
* s[0] = low(al*bl) * s[0] = low(al*bl)
* t[3] = high(al*bl) * t[3] = high(al*bl)
* t[10] = (a[0]-a[1])*(b[1]-b[0]) neg is the sign * t[10] = (a[0]-a[1])*(b[1]-b[0]) neg is the sign
* r[10] = (a[1]*b[1]) * r[10] = (a[1]*b[1])
*/ */
/*- /*-
* R[10] = al*bl * R[10] = al*bl
* R[21] = al*bl + ah*bh + (a[0]-a[1])*(b[1]-b[0]) * R[21] = al*bl + ah*bh + (a[0]-a[1])*(b[1]-b[0])
* R[32] = ah*bh * R[32] = ah*bh
*/ */
/*- /*-
* R[1]=t[3]+l[0]+r[0](+-)t[0] (have carry/borrow) * R[1]=t[3]+l[0]+r[0](+-)t[0] (have carry/borrow)
* R[2]=r[0]+t[3]+r[1](+-)t[1] (have carry/borrow) * R[2]=r[0]+t[3]+r[1](+-)t[1] (have carry/borrow)
* R[3]=r[1]+(carry/borrow) * R[3]=r[1]+(carry/borrow)
*/ */
if (l != NULL) { if (l != NULL) {
lp = &(t[n2]); lp = &(t[n2]);
c1 = (int)(bn_add_words(lp, &(t[n2 + n]), &(l[0]), n)); c1 = (int)(bn_add_words(lp, &(t[n2 + n]), &(l[0]), n));

22
crypto/bn/bn_prime.c
View File

@ -527,17 +527,17 @@ static int probable_prime(BIGNUM *rnd, int bits)
if (is_single_word) { if (is_single_word) {
BN_ULONG rnd_word = BN_get_word(rnd); BN_ULONG rnd_word = BN_get_word(rnd);
/*- /*-
* In the case that the candidate prime is a single word then * In the case that the candidate prime is a single word then
* we check that: * we check that:
* 1) It's greater than primes[i] because we shouldn't reject * 1) It's greater than primes[i] because we shouldn't reject
* 3 as being a prime number because it's a multiple of * 3 as being a prime number because it's a multiple of
* three. * three.
* 2) That it's not a multiple of a known prime. We don't * 2) That it's not a multiple of a known prime. We don't
* check that rnd-1 is also coprime to all the known * check that rnd-1 is also coprime to all the known
* primes because there aren't many small primes where * primes because there aren't many small primes where
* that's true. * that's true.
*/ */
for (i = 1; i < NUMPRIMES && primes[i] < rnd_word; i++) { for (i = 1; i < NUMPRIMES && primes[i] < rnd_word; i++) {
if ((mods[i] + delta) % primes[i] == 0) { if ((mods[i] + delta) % primes[i] == 0) {
delta += 2; delta += 2;

22
crypto/bn/bn_sqr.c
View File

@ -242,23 +242,23 @@ void bn_sqr_recursive(BN_ULONG *r, const BN_ULONG *a, int n2, BN_ULONG *t)
bn_sqr_recursive(r, a, n, p); bn_sqr_recursive(r, a, n, p);
bn_sqr_recursive(&(r[n2]), &(a[n]), n, p); bn_sqr_recursive(&(r[n2]), &(a[n]), n, p);
/*- /*-
* t[32] holds (a[0]-a[1])*(a[1]-a[0]), it is negative or zero * t[32] holds (a[0]-a[1])*(a[1]-a[0]), it is negative or zero
* r[10] holds (a[0]*b[0]) * r[10] holds (a[0]*b[0])
* r[32] holds (b[1]*b[1]) * r[32] holds (b[1]*b[1])
*/ */
c1 = (int)(bn_add_words(t, r, &(r[n2]), n2)); c1 = (int)(bn_add_words(t, r, &(r[n2]), n2));
/* t[32] is negative */ /* t[32] is negative */
c1 -= (int)(bn_sub_words(&(t[n2]), t, &(t[n2]), n2)); c1 -= (int)(bn_sub_words(&(t[n2]), t, &(t[n2]), n2));
/*- /*-
* t[32] holds (a[0]-a[1])*(a[1]-a[0])+(a[0]*a[0])+(a[1]*a[1]) * t[32] holds (a[0]-a[1])*(a[1]-a[0])+(a[0]*a[0])+(a[1]*a[1])
* r[10] holds (a[0]*a[0]) * r[10] holds (a[0]*a[0])
* r[32] holds (a[1]*a[1]) * r[32] holds (a[1]*a[1])
* c1 holds the carry bits * c1 holds the carry bits
*/ */
c1 += (int)(bn_add_words(&(r[n]), &(r[n]), &(t[n2]), n2)); c1 += (int)(bn_add_words(&(r[n]), &(r[n]), &(t[n2]), n2));
if (c1) { if (c1) {
p = &(r[n + n2]); p = &(r[n + n2]);

70
crypto/bn/bn_sqrt.c
View File

@ -132,14 +132,14 @@ BIGNUM *BN_mod_sqrt(BIGNUM *in, const BIGNUM *a, const BIGNUM *p, BN_CTX *ctx)
/* we'll set q later (if needed) */ /* we'll set q later (if needed) */
if (e == 1) { if (e == 1) {
/*- /*-
* The easy case: (|p|-1)/2 is odd, so 2 has an inverse * The easy case: (|p|-1)/2 is odd, so 2 has an inverse
* modulo (|p|-1)/2, and square roots can be computed * modulo (|p|-1)/2, and square roots can be computed
* directly by modular exponentiation. * directly by modular exponentiation.
* We have * We have
* 2 * (|p|+1)/4 == 1 (mod (|p|-1)/2), * 2 * (|p|+1)/4 == 1 (mod (|p|-1)/2),
* so we can use exponent (|p|+1)/4, i.e. (|p|-3)/4 + 1. * so we can use exponent (|p|+1)/4, i.e. (|p|-3)/4 + 1.
*/ */
if (!BN_rshift(q, p, 2)) if (!BN_rshift(q, p, 2))
goto end; goto end;
q->neg = 0; q->neg = 0;
@ -277,24 +277,24 @@ BIGNUM *BN_mod_sqrt(BIGNUM *in, const BIGNUM *a, const BIGNUM *p, BN_CTX *ctx)
goto end; goto end;
} }
/*- /*-
* Now we know that (if p is indeed prime) there is an integer * Now we know that (if p is indeed prime) there is an integer
* k, 0 <= k < 2^e, such that * k, 0 <= k < 2^e, such that
* *
* a^q * y^k == 1 (mod p). * a^q * y^k == 1 (mod p).
* *
* As a^q is a square and y is not, k must be even. * As a^q is a square and y is not, k must be even.
* q+1 is even, too, so there is an element * q+1 is even, too, so there is an element
* *
* X := a^((q+1)/2) * y^(k/2), * X := a^((q+1)/2) * y^(k/2),
* *
* and it satisfies * and it satisfies
* *
* X^2 = a^q * a * y^k * X^2 = a^q * a * y^k
* = a, * = a,
* *
* so it is the square root that we are looking for. * so it is the square root that we are looking for.
*/ */
/* t := (q-1)/2 (note that q is odd) */ /* t := (q-1)/2 (note that q is odd) */
if (!BN_rshift1(t, q)) if (!BN_rshift1(t, q))
@ -333,15 +333,15 @@ BIGNUM *BN_mod_sqrt(BIGNUM *in, const BIGNUM *a, const BIGNUM *p, BN_CTX *ctx)
goto end; goto end;
while (1) { while (1) {
/*- /*-
* Now b is a^q * y^k for some even k (0 <= k < 2^E * Now b is a^q * y^k for some even k (0 <= k < 2^E
* where E refers to the original value of e, which we * where E refers to the original value of e, which we
* don't keep in a variable), and x is a^((q+1)/2) * y^(k/2). * don't keep in a variable), and x is a^((q+1)/2) * y^(k/2).
* *
* We have a*b = x^2, * We have a*b = x^2,
* y^2^(e-1) = -1, * y^2^(e-1) = -1,
* b^2^(e-1) = 1. * b^2^(e-1) = 1.
*/ */
if (BN_is_one(b)) { if (BN_is_one(b)) {
if (!BN_copy(ret, x)) if (!BN_copy(ret, x))

20
crypto/conf/conf_def.c
View File

@ -567,16 +567,16 @@ static int str_copy(CONF *conf, char *section, char **pto, char *from)
} }
e++; e++;
} }
/*- /*-
* So at this point we have * So at this point we have
* np which is the start of the name string which is * np which is the start of the name string which is
* '\0' terminated. * '\0' terminated.
* cp which is the start of the section string which is * cp which is the start of the section string which is
* '\0' terminated. * '\0' terminated.
* e is the 'next point after'. * e is the 'next point after'.
* r and rr are the chars replaced by the '\0' * r and rr are the chars replaced by the '\0'
* rp and rrp is where 'r' and 'rr' came from. * rp and rrp is where 'r' and 'rr' came from.
*/ */
p = _CONF_get_string(conf, cp, np); p = _CONF_get_string(conf, cp, np);
if (rrp != NULL) if (rrp != NULL)
*rrp = rr; *rrp = rr;

14
crypto/des/destest.c
View File

@ -397,13 +397,13 @@ int main(int argc, char *argv[])
DES_ENCRYPT); DES_ENCRYPT);
DES_ede3_cbcm_encrypt(&cbc_data[16], &cbc_out[16], i - 16, &ks, &ks2, DES_ede3_cbcm_encrypt(&cbc_data[16], &cbc_out[16], i - 16, &ks, &ks2,
&ks3, &iv3, &iv2, DES_ENCRYPT); &ks3, &iv3, &iv2, DES_ENCRYPT);
/*- if (memcmp(cbc_out,cbc3_ok, /*- if (memcmp(cbc_out,cbc3_ok,
(unsigned int)(strlen((char *)cbc_data)+1+7)/8*8) != 0) (unsigned int)(strlen((char *)cbc_data)+1+7)/8*8) != 0)
{ {
printf("des_ede3_cbc_encrypt encrypt error\n"); printf("des_ede3_cbc_encrypt encrypt error\n");
err=1; err=1;
} }
*/ */
memcpy(iv3, cbc_iv, sizeof(cbc_iv)); memcpy(iv3, cbc_iv, sizeof(cbc_iv));
memset(iv2, '\0', sizeof iv2); memset(iv2, '\0', sizeof iv2);
DES_ede3_cbcm_encrypt(cbc_out, cbc_in, i, &ks, &ks2, &ks3, &iv3, &iv2, DES_ede3_cbcm_encrypt(cbc_out, cbc_in, i, &ks, &ks2, &ks3, &iv3, &iv2,

10
crypto/dsa/dsa_ameth.c
View File

@ -200,11 +200,11 @@ static int dsa_priv_decode(EVP_PKEY *pkey, PKCS8_PRIV_KEY_INFO *p8)
goto decerr; goto decerr;
if (sk_ASN1_TYPE_num(ndsa) != 2) if (sk_ASN1_TYPE_num(ndsa) != 2)
goto decerr; goto decerr;
/*- /*-
* Handle Two broken types: * Handle Two broken types:
* SEQUENCE {parameters, priv_key} * SEQUENCE {parameters, priv_key}
* SEQUENCE {pub_key, priv_key} * SEQUENCE {pub_key, priv_key}
*/ */
t1 = sk_ASN1_TYPE_value(ndsa, 0); t1 = sk_ASN1_TYPE_value(ndsa, 0);
t2 = sk_ASN1_TYPE_value(ndsa, 1); t2 = sk_ASN1_TYPE_value(ndsa, 1);

34
crypto/dso/dso_vms.c
View File

@ -178,23 +178,23 @@ static int vms_load(DSO *dso)
goto err; goto err;
} }
/*- /*-
* A file specification may look like this: * A file specification may look like this:
* *
* node::dev:[dir-spec]name.type;ver * node::dev:[dir-spec]name.type;ver
* *
* or (for compatibility with TOPS-20): * or (for compatibility with TOPS-20):
* *
* node::dev:<dir-spec>name.type;ver * node::dev:<dir-spec>name.type;ver
* *
* and the dir-spec uses '.' as separator. Also, a dir-spec * and the dir-spec uses '.' as separator. Also, a dir-spec
* may consist of several parts, with mixed use of [] and <>: * may consist of several parts, with mixed use of [] and <>:
* *
* [dir1.]<dir2> * [dir1.]<dir2>
* *
* We need to split the file specification into the name and * We need to split the file specification into the name and
* the rest (both before and after the name itself). * the rest (both before and after the name itself).
*/ */
/* /*
* Start with trying to find the end of a dir-spec, and save the position * Start with trying to find the end of a dir-spec, and save the position
* of the byte after in sp1 * of the byte after in sp1

16
crypto/ec/ec.h
View File

@ -116,14 +116,14 @@ typedef enum {
typedef struct ec_method_st EC_METHOD; typedef struct ec_method_st EC_METHOD;
typedef struct ec_group_st typedef struct ec_group_st
/*- /*-
EC_METHOD *meth; EC_METHOD *meth;
-- field definition -- field definition
-- curve coefficients -- curve coefficients
-- optional generator with associated information (order, cofactor) -- optional generator with associated information (order, cofactor)
-- optional extra data (precomputed table for fast computation of multiples of generator) -- optional extra data (precomputed table for fast computation of multiples of generator)
-- ASN1 stuff -- ASN1 stuff
*/ */
EC_GROUP; EC_GROUP;
typedef struct ec_point_st EC_POINT; typedef struct ec_point_st EC_POINT;

12
crypto/ec/ec2_smpl.c
View File

@ -639,12 +639,12 @@ int ec_GF2m_simple_is_on_curve(const EC_GROUP *group, const EC_POINT *point,
if (lh == NULL) if (lh == NULL)
goto err; goto err;
/*- /*-
* We have a curve defined by a Weierstrass equation * We have a curve defined by a Weierstrass equation
* y^2 + x*y = x^3 + a*x^2 + b. * y^2 + x*y = x^3 + a*x^2 + b.
* <=> x^3 + a*x^2 + x*y + b + y^2 = 0 * <=> x^3 + a*x^2 + x*y + b + y^2 = 0
* <=> ((x + a) * x + y ) * x + b + y^2 = 0 * <=> ((x + a) * x + y ) * x + b + y^2 = 0
*/ */
if (!BN_GF2m_add(lh, point->X, group->a)) if (!BN_GF2m_add(lh, point->X, group->a))
goto err; goto err;
if (!field_mul(group, lh, lh, point->X, ctx)) if (!field_mul(group, lh, lh, point->X, ctx))

16
crypto/ec/ec_lcl.h
View File

@ -120,14 +120,14 @@ struct ec_method_st {
void (*point_finish) (EC_POINT *); void (*point_finish) (EC_POINT *);
void (*point_clear_finish) (EC_POINT *); void (*point_clear_finish) (EC_POINT *);
int (*point_copy) (EC_POINT *, const EC_POINT *); int (*point_copy) (EC_POINT *, const EC_POINT *);
/*- /*-
* used by EC_POINT_set_to_infinity, * used by EC_POINT_set_to_infinity,
* EC_POINT_set_Jprojective_coordinates_GFp, * EC_POINT_set_Jprojective_coordinates_GFp,
* EC_POINT_get_Jprojective_coordinates_GFp, * EC_POINT_get_Jprojective_coordinates_GFp,
* EC_POINT_set_affine_coordinates_GFp, ..._GF2m, * EC_POINT_set_affine_coordinates_GFp, ..._GF2m,
* EC_POINT_get_affine_coordinates_GFp, ..._GF2m, * EC_POINT_get_affine_coordinates_GFp, ..._GF2m,
* EC_POINT_set_compressed_coordinates_GFp, ..._GF2m: * EC_POINT_set_compressed_coordinates_GFp, ..._GF2m:
*/ */
int (*point_set_to_infinity) (const EC_GROUP *, EC_POINT *); int (*point_set_to_infinity) (const EC_GROUP *, EC_POINT *);
int (*point_set_Jprojective_coordinates_GFp) (const EC_GROUP *, int (*point_set_Jprojective_coordinates_GFp) (const EC_GROUP *,
EC_POINT *, const BIGNUM *x, EC_POINT *, const BIGNUM *x,

14
crypto/ec/ec_mult.c
View File

@ -469,13 +469,13 @@ int ec_wNAF_mul(const EC_GROUP *group, EC_POINT *r, const BIGNUM *scalar,
if (!(tmp = EC_POINT_new(group))) if (!(tmp = EC_POINT_new(group)))
goto err; goto err;
/*- /*-
* prepare precomputed values: * prepare precomputed values:
* val_sub[i][0] := points[i] * val_sub[i][0] := points[i]
* val_sub[i][1] := 3 * points[i] * val_sub[i][1] := 3 * points[i]
* val_sub[i][2] := 5 * points[i] * val_sub[i][2] := 5 * points[i]
* ... * ...
*/ */
for (i = 0; i < num + num_scalar; i++) { for (i = 0; i < num + num_scalar; i++) {
if (i < num) { if (i < num) {
if (!EC_POINT_copy(val_sub[i][0], points[i])) if (!EC_POINT_copy(val_sub[i][0], points[i]))

26
crypto/ec/ecp_nistp224.c
View File

@ -613,11 +613,11 @@ static void felem_reduce(felem out, const widefelem in)
/* output[3] <= 2^56 + 2^16 */ /* output[3] <= 2^56 + 2^16 */
out[2] = output[2] & 0x00ffffffffffffff; out[2] = output[2] & 0x00ffffffffffffff;
/*- /*-
* out[0] < 2^56, out[1] < 2^56, out[2] < 2^56, * out[0] < 2^56, out[1] < 2^56, out[2] < 2^56,
* out[3] <= 2^56 + 2^16 (due to final carry), * out[3] <= 2^56 + 2^16 (due to final carry),
* so out < 2*p * so out < 2*p
*/ */
out[3] = output[3]; out[3] = output[3];
} }
@ -1043,10 +1043,10 @@ static void point_add(felem x3, felem y3, felem z3,
felem_scalar(ftmp5, 2); felem_scalar(ftmp5, 2);
/* ftmp5[i] < 2 * 2^57 = 2^58 */ /* ftmp5[i] < 2 * 2^57 = 2^58 */
/*- /*-
* x_out = (z1^3*y2 - z2^3*y1)^2 - (z1^2*x2 - z2^2*x1)^3 - * x_out = (z1^3*y2 - z2^3*y1)^2 - (z1^2*x2 - z2^2*x1)^3 -
* 2*z2^2*x1*(z1^2*x2 - z2^2*x1)^2 * 2*z2^2*x1*(z1^2*x2 - z2^2*x1)^2
*/ */
felem_diff_128_64(tmp2, ftmp5); felem_diff_128_64(tmp2, ftmp5);
/* tmp2[i] < 2^117 + 2^64 + 8 < 2^118 */ /* tmp2[i] < 2^117 + 2^64 + 8 < 2^118 */
felem_reduce(x_out, tmp2); felem_reduce(x_out, tmp2);
@ -1061,10 +1061,10 @@ static void point_add(felem x3, felem y3, felem z3,
felem_mul(tmp2, ftmp3, ftmp2); felem_mul(tmp2, ftmp3, ftmp2);
/* tmp2[i] < 4 * 2^57 * 2^59 = 2^118 */ /* tmp2[i] < 4 * 2^57 * 2^59 = 2^118 */
/*- /*-
* y_out = (z1^3*y2 - z2^3*y1)*(z2^2*x1*(z1^2*x2 - z2^2*x1)^2 - x_out) - * y_out = (z1^3*y2 - z2^3*y1)*(z2^2*x1*(z1^2*x2 - z2^2*x1)^2 - x_out) -
* z2^3*y1*(z1^2*x2 - z2^2*x1)^3 * z2^3*y1*(z1^2*x2 - z2^2*x1)^3
*/ */
widefelem_diff(tmp2, tmp); widefelem_diff(tmp2, tmp);
/* tmp2[i] < 2^118 + 2^120 < 2^121 */ /* tmp2[i] < 2^118 + 2^120 < 2^121 */
felem_reduce(y_out, tmp2); felem_reduce(y_out, tmp2);

68
crypto/ec/ecp_nistp256.c
View File

@ -432,25 +432,25 @@ static void felem_shrink(smallfelem out, const felem in)
/* As tmp[3] < 2^65, high is either 1 or 0 */ /* As tmp[3] < 2^65, high is either 1 or 0 */
high <<= 63; high <<= 63;
high >>= 63; high >>= 63;
/*- /*-
* high is: * high is:
* all ones if the high word of tmp[3] is 1 * all ones if the high word of tmp[3] is 1
* all zeros if the high word of tmp[3] if 0 */ * all zeros if the high word of tmp[3] if 0 */
low = tmp[3]; low = tmp[3];
mask = low >> 63; mask = low >> 63;
/*- /*-
* mask is: * mask is:
* all ones if the MSB of low is 1 * all ones if the MSB of low is 1
* all zeros if the MSB of low if 0 */ * all zeros if the MSB of low if 0 */
low &= bottom63bits; low &= bottom63bits;
low -= kPrime3Test; low -= kPrime3Test;
/* if low was greater than kPrime3Test then the MSB is zero */ /* if low was greater than kPrime3Test then the MSB is zero */
low = ~low; low = ~low;
low >>= 63; low >>= 63;
/*- /*-
* low is: * low is:
* all ones if low was > kPrime3Test * all ones if low was > kPrime3Test
* all zeros if low was <= kPrime3Test */ * all zeros if low was <= kPrime3Test */
mask = (mask & low) | high; mask = (mask & low) | high;
tmp[0] -= mask & kPrime[0]; tmp[0] -= mask & kPrime[0];
tmp[1] -= mask & kPrime[1]; tmp[1] -= mask & kPrime[1];
@ -790,17 +790,17 @@ static void felem_reduce(felem out, const longfelem in)
felem_reduce_(out, in); felem_reduce_(out, in);
/*- /*-
* out[0] > 2^100 - 2^36 - 2^4 - 3*2^64 - 3*2^96 - 2^64 - 2^96 > 0 * out[0] > 2^100 - 2^36 - 2^4 - 3*2^64 - 3*2^96 - 2^64 - 2^96 > 0
* out[1] > 2^100 - 2^64 - 7*2^96 > 0 * out[1] > 2^100 - 2^64 - 7*2^96 > 0
* out[2] > 2^100 - 2^36 + 2^4 - 5*2^64 - 5*2^96 > 0 * out[2] > 2^100 - 2^36 + 2^4 - 5*2^64 - 5*2^96 > 0
* out[3] > 2^100 - 2^36 + 2^4 - 7*2^64 - 5*2^96 - 3*2^96 > 0 * out[3] > 2^100 - 2^36 + 2^4 - 7*2^64 - 5*2^96 - 3*2^96 > 0
* *
* out[0] < 2^100 + 2^64 + 7*2^64 + 5*2^96 < 2^101 * out[0] < 2^100 + 2^64 + 7*2^64 + 5*2^96 < 2^101
* out[1] < 2^100 + 3*2^64 + 5*2^64 + 3*2^97 < 2^101 * out[1] < 2^100 + 3*2^64 + 5*2^64 + 3*2^97 < 2^101
* out[2] < 2^100 + 5*2^64 + 2^64 + 3*2^65 + 2^97 < 2^101 * out[2] < 2^100 + 5*2^64 + 2^64 + 3*2^65 + 2^97 < 2^101
* out[3] < 2^100 + 7*2^64 + 7*2^96 + 3*2^64 < 2^101 * out[3] < 2^100 + 7*2^64 + 7*2^96 + 3*2^64 < 2^101
*/ */
} }
/*- /*-
@ -819,17 +819,17 @@ static void felem_reduce_zero105(felem out, const longfelem in)
felem_reduce_(out, in); felem_reduce_(out, in);
/*- /*-
* out[0] > 2^105 - 2^41 - 2^9 - 2^71 - 2^103 - 2^71 - 2^103 > 0 * out[0] > 2^105 - 2^41 - 2^9 - 2^71 - 2^103 - 2^71 - 2^103 > 0
* out[1] > 2^105 - 2^71 - 2^103 > 0 * out[1] > 2^105 - 2^71 - 2^103 > 0
* out[2] > 2^105 - 2^41 + 2^9 - 2^71 - 2^103 > 0 * out[2] > 2^105 - 2^41 + 2^9 - 2^71 - 2^103 > 0
* out[3] > 2^105 - 2^41 + 2^9 - 2^71 - 2^103 - 2^103 > 0 * out[3] > 2^105 - 2^41 + 2^9 - 2^71 - 2^103 - 2^103 > 0
* *
* out[0] < 2^105 + 2^71 + 2^71 + 2^103 < 2^106 * out[0] < 2^105 + 2^71 + 2^71 + 2^103 < 2^106
* out[1] < 2^105 + 2^71 + 2^71 + 2^103 < 2^106 * out[1] < 2^105 + 2^71 + 2^71 + 2^103 < 2^106
* out[2] < 2^105 + 2^71 + 2^71 + 2^71 + 2^103 < 2^106 * out[2] < 2^105 + 2^71 + 2^71 + 2^71 + 2^103 < 2^106
* out[3] < 2^105 + 2^71 + 2^103 + 2^71 < 2^106 * out[3] < 2^105 + 2^71 + 2^103 + 2^71 < 2^106
*/ */
} }
/* /*

74
crypto/ec/ecp_nistp521.c
View File

@ -414,15 +414,15 @@ static void felem_square(largefelem out, const felem in)
felem_scalar(inx2, in, 2); felem_scalar(inx2, in, 2);
felem_scalar(inx4, in, 4); felem_scalar(inx4, in, 4);
/*- /*-
* We have many cases were we want to do * We have many cases were we want to do
* in[x] * in[y] + * in[x] * in[y] +
* in[y] * in[x] * in[y] * in[x]
* This is obviously just * This is obviously just
* 2 * in[x] * in[y] * 2 * in[x] * in[y]
* However, rather than do the doubling on the 128 bit result, we * However, rather than do the doubling on the 128 bit result, we
* double one of the inputs to the multiplication by reading from * double one of the inputs to the multiplication by reading from
* |inx2| */ * |inx2| */
out[0] = ((uint128_t) in[0]) * in[0]; out[0] = ((uint128_t) in[0]) * in[0];
out[1] = ((uint128_t) in[0]) * inx2[1]; out[1] = ((uint128_t) in[0]) * inx2[1];
@ -1055,13 +1055,13 @@ point_double(felem x_out, felem y_out, felem z_out,
felem_scalar64(ftmp2, 3); felem_scalar64(ftmp2, 3);
/* ftmp2[i] < 3*2^60 + 3*2^15 */ /* ftmp2[i] < 3*2^60 + 3*2^15 */
felem_mul(tmp, ftmp, ftmp2); felem_mul(tmp, ftmp, ftmp2);
/*- /*-
* tmp[i] < 17(3*2^121 + 3*2^76) * tmp[i] < 17(3*2^121 + 3*2^76)
* = 61*2^121 + 61*2^76 * = 61*2^121 + 61*2^76
* < 64*2^121 + 64*2^76 * < 64*2^121 + 64*2^76
* = 2^127 + 2^82 * = 2^127 + 2^82
* < 2^128 * < 2^128
*/ */
felem_reduce(alpha, tmp); felem_reduce(alpha, tmp);
/* x' = alpha^2 - 8*beta */ /* x' = alpha^2 - 8*beta */
@ -1096,30 +1096,30 @@ point_double(felem x_out, felem y_out, felem z_out,
felem_diff64(beta, x_out); felem_diff64(beta, x_out);
/* beta[i] < 2^61 + 2^60 + 2^16 */ /* beta[i] < 2^61 + 2^60 + 2^16 */
felem_mul(tmp, alpha, beta); felem_mul(tmp, alpha, beta);
/*- /*-
* tmp[i] < 17*((2^59 + 2^14)(2^61 + 2^60 + 2^16)) * tmp[i] < 17*((2^59 + 2^14)(2^61 + 2^60 + 2^16))
* = 17*(2^120 + 2^75 + 2^119 + 2^74 + 2^75 + 2^30) * = 17*(2^120 + 2^75 + 2^119 + 2^74 + 2^75 + 2^30)
* = 17*(2^120 + 2^119 + 2^76 + 2^74 + 2^30) * = 17*(2^120 + 2^119 + 2^76 + 2^74 + 2^30)
* < 2^128 * < 2^128
*/ */
felem_square(tmp2, gamma); felem_square(tmp2, gamma);
/*- /*-
* tmp2[i] < 17*(2^59 + 2^14)^2 * tmp2[i] < 17*(2^59 + 2^14)^2
* = 17*(2^118 + 2^74 + 2^28) * = 17*(2^118 + 2^74 + 2^28)
*/ */
felem_scalar128(tmp2, 8); felem_scalar128(tmp2, 8);
/*- /*-
* tmp2[i] < 8*17*(2^118 + 2^74 + 2^28) * tmp2[i] < 8*17*(2^118 + 2^74 + 2^28)
* = 2^125 + 2^121 + 2^81 + 2^77 + 2^35 + 2^31 * = 2^125 + 2^121 + 2^81 + 2^77 + 2^35 + 2^31
* < 2^126 * < 2^126
*/ */
felem_diff128(tmp, tmp2); felem_diff128(tmp, tmp2);
/*- /*-
* tmp[i] < 2^127 - 2^69 + 17(2^120 + 2^119 + 2^76 + 2^74 + 2^30) * tmp[i] < 2^127 - 2^69 + 17(2^120 + 2^119 + 2^76 + 2^74 + 2^30)
* = 2^127 + 2^124 + 2^122 + 2^120 + 2^118 + 2^80 + 2^78 + 2^76 + * = 2^127 + 2^124 + 2^122 + 2^120 + 2^118 + 2^80 + 2^78 + 2^76 +
* 2^74 + 2^69 + 2^34 + 2^30 * 2^74 + 2^69 + 2^34 + 2^30
* < 2^128 * < 2^128
*/ */
felem_reduce(y_out, tmp); felem_reduce(y_out, tmp);
} }

40
crypto/ec/ecp_smpl.c
View File

@ -320,11 +320,11 @@ int ec_GFp_simple_group_check_discriminant(const EC_GROUP *group, BN_CTX *ctx)
goto err; goto err;
} }
/*- /*-
* check the discriminant: * check the discriminant:
* y^2 = x^3 + a*x + b is an elliptic curve <=> 4*a^3 + 27*b^2 != 0 (mod p) * y^2 = x^3 + a*x + b is an elliptic curve <=> 4*a^3 + 27*b^2 != 0 (mod p)
* 0 =< a, b < p * 0 =< a, b < p
*/ */
if (BN_is_zero(a)) { if (BN_is_zero(a)) {
if (BN_is_zero(b)) if (BN_is_zero(b))
goto err; goto err;
@ -1033,15 +1033,15 @@ int ec_GFp_simple_is_on_curve(const EC_GROUP *group, const EC_POINT *point,
if (Z6 == NULL) if (Z6 == NULL)
goto err; goto err;
/*- /*-
* We have a curve defined by a Weierstrass equation * We have a curve defined by a Weierstrass equation
* y^2 = x^3 + a*x + b. * y^2 = x^3 + a*x + b.
* The point to consider is given in Jacobian projective coordinates * The point to consider is given in Jacobian projective coordinates
* where (X, Y, Z) represents (x, y) = (X/Z^2, Y/Z^3). * where (X, Y, Z) represents (x, y) = (X/Z^2, Y/Z^3).
* Substituting this and multiplying by Z^6 transforms the above equation into * Substituting this and multiplying by Z^6 transforms the above equation into
* Y^2 = X^3 + a*X*Z^4 + b*Z^6. * Y^2 = X^3 + a*X*Z^4 + b*Z^6.
* To test this, we add up the right-hand side in 'rh'. * To test this, we add up the right-hand side in 'rh'.
*/ */
/* rh := X^2 */ /* rh := X^2 */
if (!field_sqr(group, rh, point->X, ctx)) if (!field_sqr(group, rh, point->X, ctx))
@ -1151,12 +1151,12 @@ int ec_GFp_simple_cmp(const EC_GROUP *group, const EC_POINT *a,
if (Zb23 == NULL) if (Zb23 == NULL)
goto end; goto end;
/*- /*-
* We have to decide whether * We have to decide whether
* (X_a/Z_a^2, Y_a/Z_a^3) = (X_b/Z_b^2, Y_b/Z_b^3), * (X_a/Z_a^2, Y_a/Z_a^3) = (X_b/Z_b^2, Y_b/Z_b^3),
* or equivalently, whether * or equivalently, whether
* (X_a*Z_b^2, Y_a*Z_b^3) = (X_b*Z_a^2, Y_b*Z_a^3). * (X_a*Z_b^2, Y_a*Z_b^3) = (X_b*Z_a^2, Y_b*Z_a^3).
*/ */
if (!b->Z_is_one) { if (!b->Z_is_one) {
if (!field_sqr(group, Zb23, b->Z, ctx)) if (!field_sqr(group, Zb23, b->Z, ctx))

40
crypto/o_time.c
View File

@ -159,30 +159,30 @@ struct tm *OPENSSL_gmtime(const time_t *timer, struct tm *result)
* do it the hard way. * do it the hard way.
*/ */
{ {
/*- /*-
* The VMS epoch is the astronomical Smithsonian date, * The VMS epoch is the astronomical Smithsonian date,
if I remember correctly, which is November 17, 1858. if I remember correctly, which is November 17, 1858.
Furthermore, time is measure in thenths of microseconds Furthermore, time is measure in thenths of microseconds
and stored in quadwords (64 bit integers). unix_epoch and stored in quadwords (64 bit integers). unix_epoch
below is January 1st 1970 expressed as a VMS time. The below is January 1st 1970 expressed as a VMS time. The
following code was used to get this number: following code was used to get this number:
#include <stdio.h> #include <stdio.h>
#include <stdlib.h> #include <stdlib.h>
#include <lib$routines.h> #include <lib$routines.h>
#include <starlet.h> #include <starlet.h>
main() main()
{ {
unsigned long systime[2]; unsigned long systime[2];
unsigned short epoch_values[7] = unsigned short epoch_values[7] =
{ 1970, 1, 1, 0, 0, 0, 0 }; { 1970, 1, 1, 0, 0, 0, 0 };
lib$cvt_vectim(epoch_values, systime); lib$cvt_vectim(epoch_values, systime);
printf("%u %u", systime[0], systime[1]); printf("%u %u", systime[0], systime[1]);
} }
*/ */
unsigned long unix_epoch[2] = { 1273708544, 8164711 }; unsigned long unix_epoch[2] = { 1273708544, 8164711 };
unsigned long deltatime[2]; unsigned long deltatime[2];
unsigned long systime[2]; unsigned long systime[2];

12
crypto/pem/pem.h
View File

@ -183,9 +183,9 @@ typedef struct pem_ctx_st {
int num_recipient; int num_recipient;
PEM_USER **recipient; PEM_USER **recipient;
/*- /*-
XXX(ben): don#t think this is used! XXX(ben): don#t think this is used!
STACK *x509_chain; / * certificate chain */ STACK *x509_chain; / * certificate chain */
EVP_MD *md; /* signature type */ EVP_MD *md; /* signature type */
int md_enc; /* is the md encrypted or not? */ int md_enc; /* is the md encrypted or not? */
@ -195,9 +195,9 @@ typedef struct pem_ctx_st {
EVP_CIPHER *dec; /* date encryption cipher */ EVP_CIPHER *dec; /* date encryption cipher */
int key_len; /* key length */ int key_len; /* key length */
unsigned char *key; /* key */ unsigned char *key; /* key */
/*- /*-
unused, and wrong size unused, and wrong size
unsigned char iv[8]; */ unsigned char iv[8]; */
int data_enc; /* is the data encrypted */ int data_enc; /* is the data encrypted */
int data_len; int data_len;

116
crypto/rc4/rc4_enc.c
View File

@ -80,36 +80,36 @@ void RC4(RC4_KEY *key, size_t len, const unsigned char *indata,
d = key->data; d = key->data;
#if defined(RC4_CHUNK) && !defined(PEDANTIC) #if defined(RC4_CHUNK) && !defined(PEDANTIC)
/*- /*-
* The original reason for implementing this(*) was the fact that * The original reason for implementing this(*) was the fact that
* pre-21164a Alpha CPUs don't have byte load/store instructions * pre-21164a Alpha CPUs don't have byte load/store instructions
* and e.g. a byte store has to be done with 64-bit load, shift, * and e.g. a byte store has to be done with 64-bit load, shift,
* and, or and finally 64-bit store. Peaking data and operating * and, or and finally 64-bit store. Peaking data and operating
* at natural word size made it possible to reduce amount of * at natural word size made it possible to reduce amount of
* instructions as well as to perform early read-ahead without * instructions as well as to perform early read-ahead without
* suffering from RAW (read-after-write) hazard. This resulted * suffering from RAW (read-after-write) hazard. This resulted
* in ~40%(**) performance improvement on 21064 box with gcc. * in ~40%(**) performance improvement on 21064 box with gcc.
* But it's not only Alpha users who win here:-) Thanks to the * But it's not only Alpha users who win here:-) Thanks to the
* early-n-wide read-ahead this implementation also exhibits * early-n-wide read-ahead this implementation also exhibits
* >40% speed-up on SPARC and 20-30% on 64-bit MIPS (depending * >40% speed-up on SPARC and 20-30% on 64-bit MIPS (depending
* on sizeof(RC4_INT)). * on sizeof(RC4_INT)).
* *
* (*) "this" means code which recognizes the case when input * (*) "this" means code which recognizes the case when input
* and output pointers appear to be aligned at natural CPU * and output pointers appear to be aligned at natural CPU
* word boundary * word boundary
* (**) i.e. according to 'apps/openssl speed rc4' benchmark, * (**) i.e. according to 'apps/openssl speed rc4' benchmark,
* crypto/rc4/rc4speed.c exhibits almost 70% speed-up... * crypto/rc4/rc4speed.c exhibits almost 70% speed-up...
* *
* Cavets. * Cavets.
* *
* - RC4_CHUNK="unsigned long long" should be a #1 choice for * - RC4_CHUNK="unsigned long long" should be a #1 choice for
* UltraSPARC. Unfortunately gcc generates very slow code * UltraSPARC. Unfortunately gcc generates very slow code
* (2.5-3 times slower than one generated by Sun's WorkShop * (2.5-3 times slower than one generated by Sun's WorkShop
* C) and therefore gcc (at least 2.95 and earlier) should * C) and therefore gcc (at least 2.95 and earlier) should
* always be told that RC4_CHUNK="unsigned long". * always be told that RC4_CHUNK="unsigned long".
* *
* <appro@fy.chalmers.se> * <appro@fy.chalmers.se>
*/ */
# define RC4_STEP ( \ # define RC4_STEP ( \
x=(x+1) &0xff, \ x=(x+1) &0xff, \
@ -131,34 +131,34 @@ void RC4(RC4_KEY *key, size_t len, const unsigned char *indata,
1 1
}; };
/*- /*-
* I reckon we can afford to implement both endian * I reckon we can afford to implement both endian
* cases and to decide which way to take at run-time * cases and to decide which way to take at run-time
* because the machine code appears to be very compact * because the machine code appears to be very compact
* and redundant 1-2KB is perfectly tolerable (i.e. * and redundant 1-2KB is perfectly tolerable (i.e.
* in case the compiler fails to eliminate it:-). By * in case the compiler fails to eliminate it:-). By
* suggestion from Terrel Larson <terr@terralogic.net> * suggestion from Terrel Larson <terr@terralogic.net>
* who also stands for the is_endian union:-) * who also stands for the is_endian union:-)
* *
* Special notes. * Special notes.
* *
* - is_endian is declared automatic as doing otherwise * - is_endian is declared automatic as doing otherwise
* (declaring static) prevents gcc from eliminating * (declaring static) prevents gcc from eliminating
* the redundant code; * the redundant code;
* - compilers (those I've tried) don't seem to have * - compilers (those I've tried) don't seem to have
* problems eliminating either the operators guarded * problems eliminating either the operators guarded
* by "if (sizeof(RC4_CHUNK)==8)" or the condition * by "if (sizeof(RC4_CHUNK)==8)" or the condition
* expressions themselves so I've got 'em to replace * expressions themselves so I've got 'em to replace
* corresponding #ifdefs from the previous version; * corresponding #ifdefs from the previous version;
* - I chose to let the redundant switch cases when * - I chose to let the redundant switch cases when
* sizeof(RC4_CHUNK)!=8 be (were also #ifdefed * sizeof(RC4_CHUNK)!=8 be (were also #ifdefed
* before); * before);
* - in case you wonder "&(sizeof(RC4_CHUNK)*8-1)" in * - in case you wonder "&(sizeof(RC4_CHUNK)*8-1)" in
* [LB]ESHFT guards against "shift is out of range" * [LB]ESHFT guards against "shift is out of range"
* warnings when sizeof(RC4_CHUNK)!=8 * warnings when sizeof(RC4_CHUNK)!=8
* *
* <appro@fy.chalmers.se> * <appro@fy.chalmers.se>
*/ */
if (!is_endian.little) { /* BIG-ENDIAN CASE */ if (!is_endian.little) { /* BIG-ENDIAN CASE */
# define BESHFT(c) (((sizeof(RC4_CHUNK)-(c)-1)*8)&(sizeof(RC4_CHUNK)*8-1)) # define BESHFT(c) (((sizeof(RC4_CHUNK)-(c)-1)*8)&(sizeof(RC4_CHUNK)*8-1))
for (; len & (0 - sizeof(RC4_CHUNK)); len -= sizeof(RC4_CHUNK)) { for (; len & (0 - sizeof(RC4_CHUNK)); len -= sizeof(RC4_CHUNK)) {

24
crypto/rsa/rsa_pss.c
View File

@ -98,12 +98,12 @@ int RSA_verify_PKCS1_PSS_mgf1(RSA *rsa, const unsigned char *mHash,
hLen = M_EVP_MD_size(Hash); hLen = M_EVP_MD_size(Hash);
if (hLen < 0) if (hLen < 0)
goto err; goto err;
/*- /*-
* Negative sLen has special meanings: * Negative sLen has special meanings:
* -1 sLen == hLen * -1 sLen == hLen
* -2 salt length is autorecovered from signature * -2 salt length is autorecovered from signature
* -N reserved * -N reserved
*/ */
if (sLen == -1) if (sLen == -1)
sLen = hLen; sLen = hLen;
else if (sLen == -2) else if (sLen == -2)
@ -202,12 +202,12 @@ int RSA_padding_add_PKCS1_PSS_mgf1(RSA *rsa, unsigned char *EM,
hLen = M_EVP_MD_size(Hash); hLen = M_EVP_MD_size(Hash);
if (hLen < 0) if (hLen < 0)
goto err; goto err;
/*- /*-
* Negative sLen has special meanings: * Negative sLen has special meanings:
* -1 sLen == hLen * -1 sLen == hLen
* -2 salt length is maximized * -2 salt length is maximized
* -N reserved * -N reserved
*/ */
if (sLen == -1) if (sLen == -1)
sLen = hLen; sLen = hLen;
else if (sLen == -2) else if (sLen == -2)

12
crypto/threads/mttest.c
View File

@ -798,12 +798,12 @@ void solaris_locking_callback(int mode, int type, char *file, int line)
(type & CRYPTO_READ) ? "r" : "w", file, line); (type & CRYPTO_READ) ? "r" : "w", file, line);
# endif # endif
/*- /*-
if (CRYPTO_LOCK_SSL_CERT == type) if (CRYPTO_LOCK_SSL_CERT == type)
fprintf(stderr,"(t,m,f,l) %ld %d %s %d\n", fprintf(stderr,"(t,m,f,l) %ld %d %s %d\n",
CRYPTO_thread_id(), CRYPTO_thread_id(),
mode,file,line); mode,file,line);
*/ */
if (mode & CRYPTO_LOCK) { if (mode & CRYPTO_LOCK) {
/*- /*-
if (mode & CRYPTO_READ) if (mode & CRYPTO_READ)

24
crypto/whrlpool/wp_dgst.c
View File

@ -131,18 +131,18 @@ void WHIRLPOOL_BitUpdate(WHIRLPOOL_CTX *c, const void *_inp, size_t bits)
} else /* bit-oriented loop */ } else /* bit-oriented loop */
#endif #endif
{ {
/*- /*-
inp inp
| |
+-------+-------+------- +-------+-------+-------
||||||||||||||||||||| |||||||||||||||||||||
+-------+-------+------- +-------+-------+-------
+-------+-------+-------+-------+------- +-------+-------+-------+-------+-------
|||||||||||||| c->data |||||||||||||| c->data
+-------+-------+-------+-------+------- +-------+-------+-------+-------+-------
| |
c->bitoff/8 c->bitoff/8
*/ */
while (bits) { while (bits) {
unsigned int byteoff = bitoff / 8; unsigned int byteoff = bitoff / 8;
unsigned char b; unsigned char b;

28
crypto/x509v3/v3_scts.c
View File

@ -222,14 +222,14 @@ static STACK_OF(SCT) *d2i_SCT_LIST(STACK_OF(SCT) **a,
sct->version = *p2++; sct->version = *p2++;
if (sct->version == 0) { /* SCT v1 */ if (sct->version == 0) { /* SCT v1 */
/*- /*-
* Fixed-length header: * Fixed-length header:
* struct { * struct {
* (1 byte) Version sct_version; * (1 byte) Version sct_version;
* (32 bytes) LogID id; * (32 bytes) LogID id;
* (8 bytes) uint64 timestamp; * (8 bytes) uint64 timestamp;
* (2 bytes + ?) CtExtensions extensions; * (2 bytes + ?) CtExtensions extensions;
*/ */
if (sctlen < 43) if (sctlen < 43)
goto err; goto err;
sctlen -= 43; sctlen -= 43;
@ -248,12 +248,12 @@ static STACK_OF(SCT) *d2i_SCT_LIST(STACK_OF(SCT) **a,
p2 += fieldlen; p2 += fieldlen;
sctlen -= fieldlen; sctlen -= fieldlen;
/*- /*-
* digitally-signed struct header: * digitally-signed struct header:
* (1 byte) Hash algorithm * (1 byte) Hash algorithm
* (1 byte) Signature algorithm * (1 byte) Signature algorithm
* (2 bytes + ?) Signature * (2 bytes + ?) Signature
*/ */
if (sctlen < 4) if (sctlen < 4)
goto err; goto err;
sctlen -= 4; sctlen -= 4;

240
engines/vendor_defns/hwcryptohook.h
View File

@ -180,32 +180,32 @@ typedef struct {
* be power of 2 */ * be power of 2 */
int mslimbfirst; /* 0 or 1 */ int mslimbfirst; /* 0 or 1 */
int msbytefirst; /* 0 or 1; -1 = native */ int msbytefirst; /* 0 or 1; -1 = native */
/*- /*-
* All the callback functions should return 0 on success, or a * All the callback functions should return 0 on success, or a
* nonzero integer (whose value will be visible in the error message * nonzero integer (whose value will be visible in the error message
* put in the buffer passed to the call). * put in the buffer passed to the call).
* *
* If a callback is not available pass a null function pointer. * If a callback is not available pass a null function pointer.
* *
* The callbacks may not call down again into the crypto plugin. * The callbacks may not call down again into the crypto plugin.
*/ */
/*- /*-
* For thread-safety. Set everything to 0 if you promise only to be * For thread-safety. Set everything to 0 if you promise only to be
* singlethreaded. maxsimultaneous is the number of calls to * singlethreaded. maxsimultaneous is the number of calls to
* ModExp[Crt]/RSAImmed{Priv,Pub}/RSA. If you don't know what to * ModExp[Crt]/RSAImmed{Priv,Pub}/RSA. If you don't know what to
* put there then say 0 and the hook library will use a default. * put there then say 0 and the hook library will use a default.
* *
* maxmutexes is a small limit on the number of simultaneous mutexes * maxmutexes is a small limit on the number of simultaneous mutexes
* which will be requested by the library. If there is no small * which will be requested by the library. If there is no small
* limit, set it to 0. If the crypto plugin cannot create the * limit, set it to 0. If the crypto plugin cannot create the
* advertised number of mutexes the calls to its functions may fail. * advertised number of mutexes the calls to its functions may fail.
* If a low number of mutexes is advertised the plugin will try to * If a low number of mutexes is advertised the plugin will try to
* do the best it can. Making larger numbers of mutexes available * do the best it can. Making larger numbers of mutexes available
* may improve performance and parallelism by reducing contention * may improve performance and parallelism by reducing contention
* over critical sections. Unavailability of any mutexes, implying * over critical sections. Unavailability of any mutexes, implying
* single-threaded operation, should be indicated by the setting * single-threaded operation, should be indicated by the setting
* mutex_init et al to 0. * mutex_init et al to 0.
*/ */
int maxmutexes; int maxmutexes;
int maxsimultaneous; int maxsimultaneous;
size_t mutexsize; size_t mutexsize;
@ -214,12 +214,12 @@ typedef struct {
int (*mutex_acquire) (HWCryptoHook_Mutex *); int (*mutex_acquire) (HWCryptoHook_Mutex *);
void (*mutex_release) (HWCryptoHook_Mutex *); void (*mutex_release) (HWCryptoHook_Mutex *);
void (*mutex_destroy) (HWCryptoHook_Mutex *); void (*mutex_destroy) (HWCryptoHook_Mutex *);
/*- /*-
* For greater efficiency, can use condition vars internally for * For greater efficiency, can use condition vars internally for
* synchronisation. In this case maxsimultaneous is ignored, but * synchronisation. In this case maxsimultaneous is ignored, but
* the other mutex stuff must be available. In singlethreaded * the other mutex stuff must be available. In singlethreaded
* programs, set everything to 0. * programs, set everything to 0.
*/ */
size_t condvarsize; size_t condvarsize;
int (*condvar_init) (HWCryptoHook_CondVar *, int (*condvar_init) (HWCryptoHook_CondVar *,
HWCryptoHook_CallerContext * cactx); HWCryptoHook_CallerContext * cactx);
@ -227,103 +227,103 @@ typedef struct {
void (*condvar_signal) (HWCryptoHook_CondVar *); void (*condvar_signal) (HWCryptoHook_CondVar *);
void (*condvar_broadcast) (HWCryptoHook_CondVar *); void (*condvar_broadcast) (HWCryptoHook_CondVar *);
void (*condvar_destroy) (HWCryptoHook_CondVar *); void (*condvar_destroy) (HWCryptoHook_CondVar *);
/*- /*-
* The semantics of acquiring and releasing mutexes and broadcasting * The semantics of acquiring and releasing mutexes and broadcasting
* and waiting on condition variables are expected to be those from * and waiting on condition variables are expected to be those from
* POSIX threads (pthreads). The mutexes may be (in pthread-speak) * POSIX threads (pthreads). The mutexes may be (in pthread-speak)
* fast mutexes, recursive mutexes, or nonrecursive ones. * fast mutexes, recursive mutexes, or nonrecursive ones.
* *
* The _release/_signal/_broadcast and _destroy functions must * The _release/_signal/_broadcast and _destroy functions must
* always succeed when given a valid argument; if they are given an * always succeed when given a valid argument; if they are given an
* invalid argument then the program (crypto plugin + application) * invalid argument then the program (crypto plugin + application)
* has an internal error, and they should abort the program. * has an internal error, and they should abort the program.
*/ */
int (*getpassphrase) (const char *prompt_info, int (*getpassphrase) (const char *prompt_info,
int *len_io, char *buf, int *len_io, char *buf,
HWCryptoHook_PassphraseContext * ppctx, HWCryptoHook_PassphraseContext * ppctx,
HWCryptoHook_CallerContext * cactx); HWCryptoHook_CallerContext * cactx);
/*- /*-
* Passphrases and the prompt_info, if they contain high-bit-set * Passphrases and the prompt_info, if they contain high-bit-set
* characters, are UTF-8. The prompt_info may be a null pointer if * characters, are UTF-8. The prompt_info may be a null pointer if
* no prompt information is available (it should not be an empty * no prompt information is available (it should not be an empty
* string). It will not contain text like `enter passphrase'; * string). It will not contain text like `enter passphrase';
* instead it might say something like `Operator Card for John * instead it might say something like `Operator Card for John
* Smith' or `SmartCard in nFast Module #1, Slot #1'. * Smith' or `SmartCard in nFast Module #1, Slot #1'.
* *
* buf points to a buffer in which to return the passphrase; on * buf points to a buffer in which to return the passphrase; on
* entry *len_io is the length of the buffer. It should be updated * entry *len_io is the length of the buffer. It should be updated
* by the callback. The returned passphrase should not be * by the callback. The returned passphrase should not be
* null-terminated by the callback. * null-terminated by the callback.
*/ */
int (*getphystoken) (const char *prompt_info, int (*getphystoken) (const char *prompt_info,
const char *wrong_info, const char *wrong_info,
HWCryptoHook_PassphraseContext * ppctx, HWCryptoHook_PassphraseContext * ppctx,
HWCryptoHook_CallerContext * cactx); HWCryptoHook_CallerContext * cactx);
/*- /*-
* Requests that the human user physically insert a different * Requests that the human user physically insert a different
* smartcard, DataKey, etc. The plugin should check whether the * smartcard, DataKey, etc. The plugin should check whether the
* currently inserted token(s) are appropriate, and if they are it * currently inserted token(s) are appropriate, and if they are it
* should not make this call. * should not make this call.
* *
* prompt_info is as before. wrong_info is a description of the * prompt_info is as before. wrong_info is a description of the
* currently inserted token(s) so that the user is told what * currently inserted token(s) so that the user is told what
* something is. wrong_info, like prompt_info, may be null, but * something is. wrong_info, like prompt_info, may be null, but
* should not be an empty string. Its contents should be * should not be an empty string. Its contents should be
* syntactically similar to that of prompt_info. * syntactically similar to that of prompt_info.
*/ */
/*- /*-
* Note that a single LoadKey operation might cause several calls to * Note that a single LoadKey operation might cause several calls to
* getpassphrase and/or requestphystoken. If requestphystoken is * getpassphrase and/or requestphystoken. If requestphystoken is
* not provided (ie, a null pointer is passed) then the plugin may * not provided (ie, a null pointer is passed) then the plugin may
* not support loading keys for which authorisation by several cards * not support loading keys for which authorisation by several cards
* is required. If getpassphrase is not provided then cards with * is required. If getpassphrase is not provided then cards with
* passphrases may not be supported. * passphrases may not be supported.
* *
* getpassphrase and getphystoken do not need to check that the * getpassphrase and getphystoken do not need to check that the
* passphrase has been entered correctly or the correct token * passphrase has been entered correctly or the correct token
* inserted; the crypto plugin will do that. If this is not the * inserted; the crypto plugin will do that. If this is not the
* case then the crypto plugin is responsible for calling these * case then the crypto plugin is responsible for calling these
* routines again as appropriate until the correct token(s) and * routines again as appropriate until the correct token(s) and
* passphrase(s) are supplied as required, or until any retry limits * passphrase(s) are supplied as required, or until any retry limits
* implemented by the crypto plugin are reached. * implemented by the crypto plugin are reached.
* *
* In either case, the application must allow the user to say `no' * In either case, the application must allow the user to say `no'
* or `cancel' to indicate that they do not know the passphrase or * or `cancel' to indicate that they do not know the passphrase or
* have the appropriate token; this should cause the callback to * have the appropriate token; this should cause the callback to
* return nonzero indicating error. * return nonzero indicating error.
*/ */
void (*logmessage) (void *logstream, const char *message); void (*logmessage) (void *logstream, const char *message);
/*- /*-
* A log message will be generated at least every time something goes * A log message will be generated at least every time something goes
* wrong and an ErrMsgBuf is filled in (or would be if one was * wrong and an ErrMsgBuf is filled in (or would be if one was
* provided). Other diagnostic information may be written there too, * provided). Other diagnostic information may be written there too,
* including more detailed reasons for errors which are reported in an * including more detailed reasons for errors which are reported in an
* ErrMsgBuf. * ErrMsgBuf.
* *
* When a log message is generated, this callback is called. It * When a log message is generated, this callback is called. It
* should write a message to the relevant logging arrangements. * should write a message to the relevant logging arrangements.
* *
* The message string passed will be null-terminated and may be of arbitrary * The message string passed will be null-terminated and may be of arbitrary
* length. It will not be prefixed by the time and date, nor by the * length. It will not be prefixed by the time and date, nor by the
* name of the library that is generating it - if this is required, * name of the library that is generating it - if this is required,
* the logmessage callback must do it. The message will not have a * the logmessage callback must do it. The message will not have a
* trailing newline (though it may contain internal newlines). * trailing newline (though it may contain internal newlines).
* *
* If a null pointer is passed for logmessage a default function is * If a null pointer is passed for logmessage a default function is
* used. The default function treats logstream as a FILE* which has * used. The default function treats logstream as a FILE* which has
* been converted to a void*. If logstream is 0 it does nothing. * been converted to a void*. If logstream is 0 it does nothing.
* Otherwise it prepends the date and time and library name and * Otherwise it prepends the date and time and library name and
* writes the message to logstream. Each line will be prefixed by a * writes the message to logstream. Each line will be prefixed by a
* descriptive string containing the date, time and identity of the * descriptive string containing the date, time and identity of the
* crypto plugin. Errors on the logstream are not reported * crypto plugin. Errors on the logstream are not reported
* anywhere, and the default function doesn't flush the stream, so * anywhere, and the default function doesn't flush the stream, so
* the application must set the buffering how it wants it. * the application must set the buffering how it wants it.
* *
* The crypto plugin may also provide a facility to have copies of * The crypto plugin may also provide a facility to have copies of
* log messages sent elsewhere, and or for adjusting the verbosity * log messages sent elsewhere, and or for adjusting the verbosity
* of the log messages; any such facilities will be configured by * of the log messages; any such facilities will be configured by
* external means. * external means.
*/ */
} HWCryptoHook_InitInfo; } HWCryptoHook_InitInfo;
typedef typedef

40
ssl/d1_both.c
View File

@ -573,12 +573,12 @@ static int dtls1_preprocess_fragment(SSL *s, struct hm_header_st *msg_hdr,
static int dtls1_retrieve_buffered_fragment(SSL *s, long max, int *ok) static int dtls1_retrieve_buffered_fragment(SSL *s, long max, int *ok)
{ {
/*- /*-
* (0) check whether the desired fragment is available * (0) check whether the desired fragment is available
* if so: * if so:
* (1) copy over the fragment to s->init_buf->data[] * (1) copy over the fragment to s->init_buf->data[]
* (2) update s->init_num * (2) update s->init_num
*/ */
pitem *item; pitem *item;
hm_fragment *frag; hm_fragment *frag;
int al; int al;
@ -1167,10 +1167,10 @@ dtls1_retransmit_message(SSL *s, unsigned short seq, unsigned long frag_off,
struct dtls1_retransmit_state saved_state; struct dtls1_retransmit_state saved_state;
unsigned char save_write_sequence[8]; unsigned char save_write_sequence[8];
/*- /*-
OPENSSL_assert(s->init_num == 0); OPENSSL_assert(s->init_num == 0);
OPENSSL_assert(s->init_off == 0); OPENSSL_assert(s->init_off == 0);
*/ */
/* XDTLS: the requested message ought to be found, otherwise error */ /* XDTLS: the requested message ought to be found, otherwise error */
memset(seq64be, 0, sizeof(seq64be)); memset(seq64be, 0, sizeof(seq64be));
@ -1483,16 +1483,16 @@ int dtls1_heartbeat(SSL *s)
*/ */
OPENSSL_assert(payload + padding <= 16381); OPENSSL_assert(payload + padding <= 16381);
/*- /*-
* Create HeartBeat message, we just use a sequence number * Create HeartBeat message, we just use a sequence number
* as payload to distuingish different messages and add * as payload to distuingish different messages and add
* some random stuff. * some random stuff.
* - Message Type, 1 byte * - Message Type, 1 byte
* - Payload Length, 2 bytes (unsigned int) * - Payload Length, 2 bytes (unsigned int)
* - Payload, the sequence number (2 bytes uint) * - Payload, the sequence number (2 bytes uint)
* - Payload, random bytes (16 bytes uint) * - Payload, random bytes (16 bytes uint)
* - Padding * - Padding
*/ */
buf = OPENSSL_malloc(1 + 2 + payload + padding); buf = OPENSSL_malloc(1 + 2 + payload + padding);
if (buf == NULL) { if (buf == NULL) {
SSLerr(SSL_F_DTLS1_HEARTBEAT, ERR_R_MALLOC_FAILURE); SSLerr(SSL_F_DTLS1_HEARTBEAT, ERR_R_MALLOC_FAILURE);

28
ssl/d1_pkt.c
View File

@ -536,14 +536,14 @@ static int dtls1_process_record(SSL *s)
} }
rr->off = 0; rr->off = 0;
/*- /*-
* So at this point the following is true * So at this point the following is true
* ssl->s3->rrec.type is the type of record * ssl->s3->rrec.type is the type of record
* ssl->s3->rrec.length == number of bytes in record * ssl->s3->rrec.length == number of bytes in record
* ssl->s3->rrec.off == offset to first valid byte * ssl->s3->rrec.off == offset to first valid byte
* ssl->s3->rrec.data == where to take bytes from, increment * ssl->s3->rrec.data == where to take bytes from, increment
* after use :-). * after use :-).
*/ */
/* we have pulled in a full packet so zero things */ /* we have pulled in a full packet so zero things */
s->packet_length = 0; s->packet_length = 0;
@ -819,12 +819,12 @@ int dtls1_read_bytes(SSL *s, int type, unsigned char *buf, int len, int peek)
start: start:
s->rwstate = SSL_NOTHING; s->rwstate = SSL_NOTHING;
/*- /*-
* s->s3->rrec.type - is the type of record * s->s3->rrec.type - is the type of record
* s->s3->rrec.data, - data * s->s3->rrec.data, - data
* s->s3->rrec.off, - offset into 'data' for next read * s->s3->rrec.off, - offset into 'data' for next read
* s->s3->rrec.length, - number of bytes. * s->s3->rrec.length, - number of bytes.
*/ */
rr = &(s->s3->rrec); rr = &(s->s3->rrec);
/* /*

26
ssl/kssl.c
View File

@ -1391,20 +1391,20 @@ krb5_error_code kssl_sget_tkt( /* UPDATE */ KSSL_CTX *kssl_ctx,
} }
} }
/*- Actual Kerberos5 krb5_recvauth() has initial conversation here /*- Actual Kerberos5 krb5_recvauth() has initial conversation here
* o check KRB5_SENDAUTH_BADAUTHVERS * o check KRB5_SENDAUTH_BADAUTHVERS
* unless KRB5_RECVAUTH_SKIP_VERSION * unless KRB5_RECVAUTH_SKIP_VERSION
* o check KRB5_SENDAUTH_BADAPPLVERS * o check KRB5_SENDAUTH_BADAPPLVERS
* o send "0" msg if all OK * o send "0" msg if all OK
*/ */
/*- /*-
* 20010411 was using AP_REQ instead of true KerberosWrapper * 20010411 was using AP_REQ instead of true KerberosWrapper
* *
* if ((krb5rc = krb5_rd_req(krb5context, &krb5auth_context, * if ((krb5rc = krb5_rd_req(krb5context, &krb5auth_context,
* &krb5in_data, krb5server, krb5keytab, * &krb5in_data, krb5server, krb5keytab,
* &ap_option, &krb5ticket)) != 0) { Error } * &ap_option, &krb5ticket)) != 0) { Error }
*/ */
p = (unsigned char *)indata->data; p = (unsigned char *)indata->data;
if ((asn1ticket = (KRB5_TKTBODY *)d2i_KRB5_TICKET(NULL, &p, if ((asn1ticket = (KRB5_TKTBODY *)d2i_KRB5_TICKET(NULL, &p,

26
ssl/s23_srvr.c
View File

@ -417,19 +417,19 @@ int ssl23_get_client_hello(SSL *s)
v[0] = p[3]; /* == SSL3_VERSION_MAJOR */ v[0] = p[3]; /* == SSL3_VERSION_MAJOR */
v[1] = p[4]; v[1] = p[4];
/*- /*-
* An SSLv3/TLSv1 backwards-compatible CLIENT-HELLO in an SSLv2 * An SSLv3/TLSv1 backwards-compatible CLIENT-HELLO in an SSLv2
* header is sent directly on the wire, not wrapped as a TLS * header is sent directly on the wire, not wrapped as a TLS
* record. It's format is: * record. It's format is:
* Byte Content * Byte Content
* 0-1 msg_length * 0-1 msg_length
* 2 msg_type * 2 msg_type
* 3-4 version * 3-4 version
* 5-6 cipher_spec_length * 5-6 cipher_spec_length
* 7-8 session_id_length * 7-8 session_id_length
* 9-10 challenge_length * 9-10 challenge_length
* ... ... * ... ...
*/ */
n = ((p[0] & 0x7f) << 8) | p[1]; n = ((p[0] & 0x7f) << 8) | p[1];
if (n > (1024 * 4)) { if (n > (1024 * 4)) {
SSLerr(SSL_F_SSL23_GET_CLIENT_HELLO, SSL_R_RECORD_TOO_LARGE); SSLerr(SSL_F_SSL23_GET_CLIENT_HELLO, SSL_R_RECORD_TOO_LARGE);

38
ssl/s3_cbc.c
View File

@ -754,25 +754,25 @@ void tls_fips_digest_extra(const EVP_CIPHER_CTX *cipher_ctx,
if (EVP_CIPHER_CTX_mode(cipher_ctx) != EVP_CIPH_CBC_MODE) if (EVP_CIPHER_CTX_mode(cipher_ctx) != EVP_CIPH_CBC_MODE)
return; return;
block_size = EVP_MD_CTX_block_size(mac_ctx); block_size = EVP_MD_CTX_block_size(mac_ctx);
/*- /*-
* We are in FIPS mode if we get this far so we know we have only SHA* * We are in FIPS mode if we get this far so we know we have only SHA*
* digests and TLS to deal with. * digests and TLS to deal with.
* Minimum digest padding length is 17 for SHA384/SHA512 and 9 * Minimum digest padding length is 17 for SHA384/SHA512 and 9
* otherwise. * otherwise.
* Additional header is 13 bytes. To get the number of digest blocks * Additional header is 13 bytes. To get the number of digest blocks
* processed round up the amount of data plus padding to the nearest * processed round up the amount of data plus padding to the nearest
* block length. Block length is 128 for SHA384/SHA512 and 64 otherwise. * block length. Block length is 128 for SHA384/SHA512 and 64 otherwise.
* So we have: * So we have:
* blocks = (payload_len + digest_pad + 13 + block_size - 1)/block_size * blocks = (payload_len + digest_pad + 13 + block_size - 1)/block_size
* equivalently: * equivalently:
* blocks = (payload_len + digest_pad + 12)/block_size + 1 * blocks = (payload_len + digest_pad + 12)/block_size + 1
* HMAC adds a constant overhead. * HMAC adds a constant overhead.
* We're ultimately only interested in differences so this becomes * We're ultimately only interested in differences so this becomes
* blocks = (payload_len + 29)/128 * blocks = (payload_len + 29)/128
* for SHA384/SHA512 and * for SHA384/SHA512 and
* blocks = (payload_len + 21)/64 * blocks = (payload_len + 21)/64
* otherwise. * otherwise.
*/ */
digest_pad = block_size == 64 ? 21 : 29; digest_pad = block_size == 64 ? 21 : 29;
blocks_orig = (orig_len + digest_pad) / block_size; blocks_orig = (orig_len + digest_pad) / block_size;
blocks_data = (data_len + digest_pad) / block_size; blocks_data = (data_len + digest_pad) / block_size;

152
ssl/s3_clnt.c
View File

@ -725,36 +725,36 @@ int ssl3_client_hello(SSL *s)
/* Do the message type and length last */ /* Do the message type and length last */
d = p = ssl_handshake_start(s); d = p = ssl_handshake_start(s);
/*- /*-
* version indicates the negotiated version: for example from * version indicates the negotiated version: for example from
* an SSLv2/v3 compatible client hello). The client_version * an SSLv2/v3 compatible client hello). The client_version
* field is the maximum version we permit and it is also * field is the maximum version we permit and it is also
* used in RSA encrypted premaster secrets. Some servers can * used in RSA encrypted premaster secrets. Some servers can
* choke if we initially report a higher version then * choke if we initially report a higher version then
* renegotiate to a lower one in the premaster secret. This * renegotiate to a lower one in the premaster secret. This
* didn't happen with TLS 1.0 as most servers supported it * didn't happen with TLS 1.0 as most servers supported it
* but it can with TLS 1.1 or later if the server only supports * but it can with TLS 1.1 or later if the server only supports
* 1.0. * 1.0.
* *
* Possible scenario with previous logic: * Possible scenario with previous logic:
* 1. Client hello indicates TLS 1.2 * 1. Client hello indicates TLS 1.2
* 2. Server hello says TLS 1.0 * 2. Server hello says TLS 1.0
* 3. RSA encrypted premaster secret uses 1.2. * 3. RSA encrypted premaster secret uses 1.2.
* 4. Handhaked proceeds using TLS 1.0. * 4. Handhaked proceeds using TLS 1.0.
* 5. Server sends hello request to renegotiate. * 5. Server sends hello request to renegotiate.
* 6. Client hello indicates TLS v1.0 as we now * 6. Client hello indicates TLS v1.0 as we now
* know that is maximum server supports. * know that is maximum server supports.
* 7. Server chokes on RSA encrypted premaster secret * 7. Server chokes on RSA encrypted premaster secret
* containing version 1.0. * containing version 1.0.
* *
* For interoperability it should be OK to always use the * For interoperability it should be OK to always use the
* maximum version we support in client hello and then rely * maximum version we support in client hello and then rely
* on the checking of version to ensure the servers isn't * on the checking of version to ensure the servers isn't
* being inconsistent: for example initially negotiating with * being inconsistent: for example initially negotiating with
* TLS 1.0 and renegotiating with TLS 1.2. We do this by using * TLS 1.0 and renegotiating with TLS 1.2. We do this by using
* client_version in client hello and not resetting it to * client_version in client hello and not resetting it to
* the negotiated version. * the negotiated version.
*/ */
#if 0 #if 0
*(p++) = s->version >> 8; *(p++) = s->version >> 8;
*(p++) = s->version & 0xff; *(p++) = s->version & 0xff;
@ -2468,25 +2468,25 @@ int ssl3_send_client_key_exchange(SSL *s)
goto err; goto err;
} }
/*- /*-
* 20010406 VRS - Earlier versions used KRB5 AP_REQ * 20010406 VRS - Earlier versions used KRB5 AP_REQ
* in place of RFC 2712 KerberosWrapper, as in: * in place of RFC 2712 KerberosWrapper, as in:
* *
* Send ticket (copy to *p, set n = length) * Send ticket (copy to *p, set n = length)
* n = krb5_ap_req.length; * n = krb5_ap_req.length;
* memcpy(p, krb5_ap_req.data, krb5_ap_req.length); * memcpy(p, krb5_ap_req.data, krb5_ap_req.length);
* if (krb5_ap_req.data) * if (krb5_ap_req.data)
* kssl_krb5_free_data_contents(NULL,&krb5_ap_req); * kssl_krb5_free_data_contents(NULL,&krb5_ap_req);
* *
* Now using real RFC 2712 KerberosWrapper * Now using real RFC 2712 KerberosWrapper
* (Thanks to Simon Wilkinson <sxw@sxw.org.uk>) * (Thanks to Simon Wilkinson <sxw@sxw.org.uk>)
* Note: 2712 "opaque" types are here replaced * Note: 2712 "opaque" types are here replaced
* with a 2-byte length followed by the value. * with a 2-byte length followed by the value.
* Example: * Example:
* KerberosWrapper= xx xx asn1ticket 0 0 xx xx encpms * KerberosWrapper= xx xx asn1ticket 0 0 xx xx encpms
* Where "xx xx" = length bytes. Shown here with * Where "xx xx" = length bytes. Shown here with
* optional authenticator omitted. * optional authenticator omitted.
*/ */
/* KerberosWrapper.Ticket */ /* KerberosWrapper.Ticket */
s2n(enc_ticket->length, p); s2n(enc_ticket->length, p);
@ -2514,13 +2514,13 @@ int ssl3_send_client_key_exchange(SSL *s)
if (RAND_bytes(&(tmp_buf[2]), sizeof tmp_buf - 2) <= 0) if (RAND_bytes(&(tmp_buf[2]), sizeof tmp_buf - 2) <= 0)
goto err; goto err;
/*- /*-
* 20010420 VRS. Tried it this way; failed. * 20010420 VRS. Tried it this way; failed.
* EVP_EncryptInit_ex(&ciph_ctx,enc, NULL,NULL); * EVP_EncryptInit_ex(&ciph_ctx,enc, NULL,NULL);
* EVP_CIPHER_CTX_set_key_length(&ciph_ctx, * EVP_CIPHER_CTX_set_key_length(&ciph_ctx,
* kssl_ctx->length); * kssl_ctx->length);
* EVP_EncryptInit_ex(&ciph_ctx,NULL, key,iv); * EVP_EncryptInit_ex(&ciph_ctx,NULL, key,iv);
*/ */
memset(iv, 0, sizeof iv); /* per RFC 1510 */ memset(iv, 0, sizeof iv); /* per RFC 1510 */
EVP_EncryptInit_ex(&ciph_ctx, enc, NULL, kssl_ctx->key, iv); EVP_EncryptInit_ex(&ciph_ctx, enc, NULL, kssl_ctx->key, iv);
@ -2667,26 +2667,26 @@ int ssl3_send_client_key_exchange(SSL *s)
* ecdh_clnt_cert to 1. * ecdh_clnt_cert to 1.
*/ */
if ((alg_k & (SSL_kECDHr | SSL_kECDHe)) && (s->cert != NULL)) { if ((alg_k & (SSL_kECDHr | SSL_kECDHe)) && (s->cert != NULL)) {
/*- /*-
* XXX: For now, we do not support client * XXX: For now, we do not support client
* authentication using ECDH certificates. * authentication using ECDH certificates.
* To add such support, one needs to add * To add such support, one needs to add
* code that checks for appropriate * code that checks for appropriate
* conditions and sets ecdh_clnt_cert to 1. * conditions and sets ecdh_clnt_cert to 1.
* For example, the cert have an ECC * For example, the cert have an ECC
* key on the same curve as the server's * key on the same curve as the server's
* and the key should be authorized for * and the key should be authorized for
* key agreement. * key agreement.
* *
* One also needs to add code in ssl3_connect * One also needs to add code in ssl3_connect
* to skip sending the certificate verify * to skip sending the certificate verify
* message. * message.
* *
* if ((s->cert->key->privatekey != NULL) && * if ((s->cert->key->privatekey != NULL) &&
* (s->cert->key->privatekey->type == * (s->cert->key->privatekey->type ==
* EVP_PKEY_EC) && ...) * EVP_PKEY_EC) && ...)
* ecdh_clnt_cert = 1; * ecdh_clnt_cert = 1;
*/ */
} }
if (s->session->sess_cert->peer_ecdh_tmp != NULL) { if (s->session->sess_cert->peer_ecdh_tmp != NULL) {

50
ssl/s3_pkt.c
View File

@ -453,12 +453,12 @@ static int ssl3_get_record(SSL *s)
} }
enc_err = s->method->ssl3_enc->enc(s, 0); enc_err = s->method->ssl3_enc->enc(s, 0);
/*- /*-
* enc_err is: * enc_err is:
* 0: (in non-constant time) if the record is publically invalid. * 0: (in non-constant time) if the record is publically invalid.
* 1: if the padding is valid * 1: if the padding is valid
* -1: if the padding is invalid * -1: if the padding is invalid
*/ */
if (enc_err == 0) { if (enc_err == 0) {
al = SSL_AD_DECRYPTION_FAILED; al = SSL_AD_DECRYPTION_FAILED;
SSLerr(SSL_F_SSL3_GET_RECORD, SSL_R_BLOCK_CIPHER_PAD_IS_WRONG); SSLerr(SSL_F_SSL3_GET_RECORD, SSL_R_BLOCK_CIPHER_PAD_IS_WRONG);
@ -562,14 +562,14 @@ static int ssl3_get_record(SSL *s)
} }
rr->off = 0; rr->off = 0;
/*- /*-
* So at this point the following is true * So at this point the following is true
* ssl->s3->rrec.type is the type of record * ssl->s3->rrec.type is the type of record
* ssl->s3->rrec.length == number of bytes in record * ssl->s3->rrec.length == number of bytes in record
* ssl->s3->rrec.off == offset to first valid byte * ssl->s3->rrec.off == offset to first valid byte
* ssl->s3->rrec.data == where to take bytes from, increment * ssl->s3->rrec.data == where to take bytes from, increment
* after use :-). * after use :-).
*/ */
/* we have pulled in a full packet so zero things */ /* we have pulled in a full packet so zero things */
s->packet_length = 0; s->packet_length = 0;
@ -1284,12 +1284,12 @@ int ssl3_read_bytes(SSL *s, int type, unsigned char *buf, int len, int peek)
start: start:
s->rwstate = SSL_NOTHING; s->rwstate = SSL_NOTHING;
/*- /*-
* s->s3->rrec.type - is the type of record * s->s3->rrec.type - is the type of record
* s->s3->rrec.data, - data * s->s3->rrec.data, - data
* s->s3->rrec.off, - offset into 'data' for next read * s->s3->rrec.off, - offset into 'data' for next read
* s->s3->rrec.length, - number of bytes. * s->s3->rrec.length, - number of bytes.
*/ */
rr = &(s->s3->rrec); rr = &(s->s3->rrec);
/* get new packet if necessary */ /* get new packet if necessary */
@ -1407,11 +1407,11 @@ int ssl3_read_bytes(SSL *s, int type, unsigned char *buf, int len, int peek)
} }
} }
/*- /*-
* s->s3->handshake_fragment_len == 4 iff rr->type == SSL3_RT_HANDSHAKE; * s->s3->handshake_fragment_len == 4 iff rr->type == SSL3_RT_HANDSHAKE;
* s->s3->alert_fragment_len == 2 iff rr->type == SSL3_RT_ALERT. * s->s3->alert_fragment_len == 2 iff rr->type == SSL3_RT_ALERT.
* (Possibly rr is 'empty' now, i.e. rr->length may be 0.) * (Possibly rr is 'empty' now, i.e. rr->length may be 0.)
*/ */
/* If we are a client, check for an incoming 'Hello Request': */ /* If we are a client, check for an incoming 'Hello Request': */
if ((!s->server) && if ((!s->server) &&

106
ssl/s3_srvr.c
View File

@ -1412,17 +1412,17 @@ int ssl3_get_client_hello(SSL *s)
goto f_err; goto f_err;
} }
/*- /*-
* we now have the following setup. * we now have the following setup.
* client_random * client_random
* cipher_list - our prefered list of ciphers * cipher_list - our prefered list of ciphers
* ciphers - the clients prefered list of ciphers * ciphers - the clients prefered list of ciphers
* compression - basically ignored right now * compression - basically ignored right now
* ssl version is set - sslv3 * ssl version is set - sslv3
* s->session - The ssl session has been setup. * s->session - The ssl session has been setup.
* s->hit - session reuse flag * s->hit - session reuse flag
* s->s3->tmp.new_cipher- the new cipher to use. * s->s3->tmp.new_cipher- the new cipher to use.
*/ */
/* Handles TLS extensions that we couldn't check earlier */ /* Handles TLS extensions that we couldn't check earlier */
if (s->version >= SSL3_VERSION) { if (s->version >= SSL3_VERSION) {
@ -1469,22 +1469,22 @@ int ssl3_send_server_hello(SSL *s)
memcpy(p, s->s3->server_random, SSL3_RANDOM_SIZE); memcpy(p, s->s3->server_random, SSL3_RANDOM_SIZE);
p += SSL3_RANDOM_SIZE; p += SSL3_RANDOM_SIZE;
/*- /*-
* There are several cases for the session ID to send * There are several cases for the session ID to send
* back in the server hello: * back in the server hello:
* - For session reuse from the session cache, * - For session reuse from the session cache,
* we send back the old session ID. * we send back the old session ID.
* - If stateless session reuse (using a session ticket) * - If stateless session reuse (using a session ticket)
* is successful, we send back the client's "session ID" * is successful, we send back the client's "session ID"
* (which doesn't actually identify the session). * (which doesn't actually identify the session).
* - If it is a new session, we send back the new * - If it is a new session, we send back the new
* session ID. * session ID.
* - However, if we want the new session to be single-use, * - However, if we want the new session to be single-use,
* we send back a 0-length session ID. * we send back a 0-length session ID.
* s->hit is non-zero in either case of session reuse, * s->hit is non-zero in either case of session reuse,
* so the following won't overwrite an ID that we're supposed * so the following won't overwrite an ID that we're supposed
* to send back. * to send back.
*/ */
if (s->session->not_resumable || if (s->session->not_resumable ||
(!(s->ctx->session_cache_mode & SSL_SESS_CACHE_SERVER) (!(s->ctx->session_cache_mode & SSL_SESS_CACHE_SERVER)
&& !s->hit)) && !s->hit))
@ -2540,11 +2540,11 @@ int ssl3_get_client_key_exchange(SSL *s)
} }
} }
/*- Was doing kssl_ctx_free() here, /*- Was doing kssl_ctx_free() here,
* but it caused problems for apache. * but it caused problems for apache.
* kssl_ctx = kssl_ctx_free(kssl_ctx); * kssl_ctx = kssl_ctx_free(kssl_ctx);
* if (s->kssl_ctx) s->kssl_ctx = NULL; * if (s->kssl_ctx) s->kssl_ctx = NULL;
*/ */
} else } else
#endif /* OPENSSL_NO_KRB5 */ #endif /* OPENSSL_NO_KRB5 */
@ -3355,14 +3355,14 @@ int ssl3_send_newsession_ticket(SSL *s)
i2d_SSL_SESSION(sess, &p); i2d_SSL_SESSION(sess, &p);
SSL_SESSION_free(sess); SSL_SESSION_free(sess);
/*- /*-
* Grow buffer if need be: the length calculation is as * Grow buffer if need be: the length calculation is as
* follows handshake_header_length + * follows handshake_header_length +
* 4 (ticket lifetime hint) + 2 (ticket length) + * 4 (ticket lifetime hint) + 2 (ticket length) +
* 16 (key name) + max_iv_len (iv length) + * 16 (key name) + max_iv_len (iv length) +
* session_length + max_enc_block_size (max encrypted session * session_length + max_enc_block_size (max encrypted session
* length) + max_md_size (HMAC). * length) + max_md_size (HMAC).
*/ */
if (!BUF_MEM_grow(s->init_buf, if (!BUF_MEM_grow(s->init_buf,
SSL_HM_HEADER_LENGTH(s) + 22 + EVP_MAX_IV_LENGTH + SSL_HM_HEADER_LENGTH(s) + 22 + EVP_MAX_IV_LENGTH +
EVP_MAX_BLOCK_LENGTH + EVP_MAX_MD_SIZE + slen)) EVP_MAX_BLOCK_LENGTH + EVP_MAX_MD_SIZE + slen))
@ -3436,12 +3436,12 @@ int ssl3_send_cert_status(SSL *s)
{ {
if (s->state == SSL3_ST_SW_CERT_STATUS_A) { if (s->state == SSL3_ST_SW_CERT_STATUS_A) {
unsigned char *p; unsigned char *p;
/*- /*-
* Grow buffer if need be: the length calculation is as * Grow buffer if need be: the length calculation is as
* follows 1 (message type) + 3 (message length) + * follows 1 (message type) + 3 (message length) +
* 1 (ocsp response type) + 3 (ocsp response length) * 1 (ocsp response type) + 3 (ocsp response length)
* + (ocsp response) * + (ocsp response)
*/ */
if (!BUF_MEM_grow(s->init_buf, 8 + s->tlsext_ocsp_resplen)) if (!BUF_MEM_grow(s->init_buf, 8 + s->tlsext_ocsp_resplen))
return -1; return -1;
@ -3513,13 +3513,13 @@ int ssl3_get_next_proto(SSL *s)
p = (unsigned char *)s->init_msg; p = (unsigned char *)s->init_msg;
/*- /*-
* The payload looks like: * The payload looks like:
* uint8 proto_len; * uint8 proto_len;
* uint8 proto[proto_len]; * uint8 proto[proto_len];
* uint8 padding_len; * uint8 padding_len;
* uint8 padding[padding_len]; * uint8 padding[padding_len];
*/ */
proto_len = p[0]; proto_len = p[0];
if (proto_len + 2 > s->init_num) if (proto_len + 2 > s->init_num)
return 0; return 0;

16
ssl/ssl_ciph.c
View File

@ -1972,14 +1972,14 @@ int SSL_COMP_add_compression_method(int id, COMP_METHOD *cm)
if (cm == NULL || cm->type == NID_undef) if (cm == NULL || cm->type == NID_undef)
return 1; return 1;
/*- /*-
* According to draft-ietf-tls-compression-04.txt, the * According to draft-ietf-tls-compression-04.txt, the
* compression number ranges should be the following: * compression number ranges should be the following:
* *
* 0 to 63: methods defined by the IETF * 0 to 63: methods defined by the IETF
* 64 to 192: external party methods assigned by IANA * 64 to 192: external party methods assigned by IANA
* 193 to 255: reserved for private use * 193 to 255: reserved for private use
*/ */
if (id < 193 || id > 255) { if (id < 193 || id > 255) {
SSLerr(SSL_F_SSL_COMP_ADD_COMPRESSION_METHOD, SSLerr(SSL_F_SSL_COMP_ADD_COMPRESSION_METHOD,
SSL_R_COMPRESSION_ID_NOT_WITHIN_PRIVATE_RANGE); SSL_R_COMPRESSION_ID_NOT_WITHIN_PRIVATE_RANGE);

14
ssl/ssl_locl.h
View File

@ -537,13 +537,13 @@ typedef struct cert_pkey_st {
/* Chain for this certificate */ /* Chain for this certificate */
STACK_OF(X509) *chain; STACK_OF(X509) *chain;
# ifndef OPENSSL_NO_TLSEXT # ifndef OPENSSL_NO_TLSEXT
/*- /*-
* serverinfo data for this certificate. The data is in TLS Extension * serverinfo data for this certificate. The data is in TLS Extension
* wire format, specifically it's a series of records like: * wire format, specifically it's a series of records like:
* uint16_t extension_type; // (RFC 5246, 7.4.1.4, Extension) * uint16_t extension_type; // (RFC 5246, 7.4.1.4, Extension)
* uint16_t length; * uint16_t length;
* uint8_t data[length]; * uint8_t data[length];
*/ */
unsigned char *serverinfo; unsigned char *serverinfo;
size_t serverinfo_length; size_t serverinfo_length;
# endif # endif

30
ssl/ssl_sess.c
View File

@ -325,21 +325,21 @@ int ssl_get_new_session(SSL *s, int session)
return (0); return (0);
} }
#ifndef OPENSSL_NO_TLSEXT #ifndef OPENSSL_NO_TLSEXT
/*- /*-
* If RFC5077 ticket, use empty session ID (as server). * If RFC5077 ticket, use empty session ID (as server).
* Note that: * Note that:
* (a) ssl_get_prev_session() does lookahead into the * (a) ssl_get_prev_session() does lookahead into the
* ClientHello extensions to find the session ticket. * ClientHello extensions to find the session ticket.
* When ssl_get_prev_session() fails, s3_srvr.c calls * When ssl_get_prev_session() fails, s3_srvr.c calls
* ssl_get_new_session() in ssl3_get_client_hello(). * ssl_get_new_session() in ssl3_get_client_hello().
* At that point, it has not yet parsed the extensions, * At that point, it has not yet parsed the extensions,
* however, because of the lookahead, it already knows * however, because of the lookahead, it already knows
* whether a ticket is expected or not. * whether a ticket is expected or not.
* *
* (b) s3_clnt.c calls ssl_get_new_session() before parsing * (b) s3_clnt.c calls ssl_get_new_session() before parsing
* ServerHello extensions, and before recording the session * ServerHello extensions, and before recording the session
* ID received from the server, so this block is a noop. * ID received from the server, so this block is a noop.
*/ */
if (s->tlsext_ticket_expected) { if (s->tlsext_ticket_expected) {
ss->session_id_length = 0; ss->session_id_length = 0;
goto sess_id_done; goto sess_id_done;

68
ssl/ssltest.c
View File

@ -1845,40 +1845,40 @@ int doit_biopair(SSL *s_ssl, SSL *c_ssl, long count,
(void)BIO_set_ssl(s_ssl_bio, s_ssl, BIO_NOCLOSE); (void)BIO_set_ssl(s_ssl_bio, s_ssl, BIO_NOCLOSE);
do { do {
/*- /*-
* c_ssl_bio: SSL filter BIO * c_ssl_bio: SSL filter BIO
* *
* client: pseudo-I/O for SSL library * client: pseudo-I/O for SSL library
* *
* client_io: client's SSL communication; usually to be * client_io: client's SSL communication; usually to be
* relayed over some I/O facility, but in this * relayed over some I/O facility, but in this
* test program, we're the server, too: * test program, we're the server, too:
* *
* server_io: server's SSL communication * server_io: server's SSL communication
* *
* server: pseudo-I/O for SSL library * server: pseudo-I/O for SSL library
* *
* s_ssl_bio: SSL filter BIO * s_ssl_bio: SSL filter BIO
* *
* The client and the server each employ a "BIO pair": * The client and the server each employ a "BIO pair":
* client + client_io, server + server_io. * client + client_io, server + server_io.
* BIO pairs are symmetric. A BIO pair behaves similar * BIO pairs are symmetric. A BIO pair behaves similar
* to a non-blocking socketpair (but both endpoints must * to a non-blocking socketpair (but both endpoints must
* be handled by the same thread). * be handled by the same thread).
* [Here we could connect client and server to the ends * [Here we could connect client and server to the ends
* of a single BIO pair, but then this code would be less * of a single BIO pair, but then this code would be less
* suitable as an example for BIO pairs in general.] * suitable as an example for BIO pairs in general.]
* *
* Useful functions for querying the state of BIO pair endpoints: * Useful functions for querying the state of BIO pair endpoints:
* *
* BIO_ctrl_pending(bio) number of bytes we can read now * BIO_ctrl_pending(bio) number of bytes we can read now
* BIO_ctrl_get_read_request(bio) number of bytes needed to fulfil * BIO_ctrl_get_read_request(bio) number of bytes needed to fulfil
* other side's read attempt * other side's read attempt
* BIO_ctrl_get_write_guarantee(bio) number of bytes we can write now * BIO_ctrl_get_write_guarantee(bio) number of bytes we can write now
* *
* ..._read_request is never more than ..._write_guarantee; * ..._read_request is never more than ..._write_guarantee;
* it depends on the application which one you should use. * it depends on the application which one you should use.
*/ */
/* /*
* We have non-blocking behaviour throughout this test program, but * We have non-blocking behaviour throughout this test program, but

114
ssl/t1_lib.c
View File

@ -1170,14 +1170,14 @@ unsigned char *ssl_add_clienthello_tlsext(SSL *s, unsigned char *buf,
unsigned long size_str; unsigned long size_str;
long lenmax; long lenmax;
/*- /*-
* check for enough space. * check for enough space.
* 4 for the servername type and entension length * 4 for the servername type and entension length
* 2 for servernamelist length * 2 for servernamelist length
* 1 for the hostname type * 1 for the hostname type
* 2 for hostname length * 2 for hostname length
* + hostname length * + hostname length
*/ */
if ((lenmax = limit - ret - 9) < 0 if ((lenmax = limit - ret - 9) < 0
|| (size_str = || (size_str =
@ -1208,12 +1208,12 @@ unsigned char *ssl_add_clienthello_tlsext(SSL *s, unsigned char *buf,
return NULL; return NULL;
} }
/*- /*-
* check for enough space. * check for enough space.
* 4 for the srp type type and entension length * 4 for the srp type type and entension length
* 1 for the srp user identity * 1 for the srp user identity
* + srp user identity length * + srp user identity length
*/ */
if ((limit - ret - 5 - login_len) < 0) if ((limit - ret - 5 - login_len) < 0)
return NULL; return NULL;
@ -1405,11 +1405,11 @@ unsigned char *ssl_add_clienthello_tlsext(SSL *s, unsigned char *buf,
return NULL; return NULL;
s2n(TLSEXT_TYPE_heartbeat, ret); s2n(TLSEXT_TYPE_heartbeat, ret);
s2n(1, ret); s2n(1, ret);
/*- /*-
* Set mode: * Set mode:
* 1: peer may send requests * 1: peer may send requests
* 2: peer not allowed to send requests * 2: peer not allowed to send requests
*/ */
if (s->tlsext_heartbeat & SSL_TLSEXT_HB_DONT_RECV_REQUESTS) if (s->tlsext_heartbeat & SSL_TLSEXT_HB_DONT_RECV_REQUESTS)
*(ret++) = SSL_TLSEXT_HB_DONT_SEND_REQUESTS; *(ret++) = SSL_TLSEXT_HB_DONT_SEND_REQUESTS;
else else
@ -1666,11 +1666,11 @@ unsigned char *ssl_add_serverhello_tlsext(SSL *s, unsigned char *buf,
return NULL; return NULL;
s2n(TLSEXT_TYPE_heartbeat, ret); s2n(TLSEXT_TYPE_heartbeat, ret);
s2n(1, ret); s2n(1, ret);
/*- /*-
* Set mode: * Set mode:
* 1: peer may send requests * 1: peer may send requests
* 2: peer not allowed to send requests * 2: peer not allowed to send requests
*/ */
if (s->tlsext_heartbeat & SSL_TLSEXT_HB_DONT_RECV_REQUESTS) if (s->tlsext_heartbeat & SSL_TLSEXT_HB_DONT_RECV_REQUESTS)
*(ret++) = SSL_TLSEXT_HB_DONT_SEND_REQUESTS; *(ret++) = SSL_TLSEXT_HB_DONT_SEND_REQUESTS;
else else
@ -2324,23 +2324,23 @@ static int ssl_scan_clienthello_tlsext(SSL *s, unsigned char **p,
else if (type == TLSEXT_TYPE_next_proto_neg && else if (type == TLSEXT_TYPE_next_proto_neg &&
s->s3->tmp.finish_md_len == 0 && s->s3->tmp.finish_md_len == 0 &&
s->s3->alpn_selected == NULL) { s->s3->alpn_selected == NULL) {
/*- /*-
* We shouldn't accept this extension on a * We shouldn't accept this extension on a
* renegotiation. * renegotiation.
* *
* s->new_session will be set on renegotiation, but we * s->new_session will be set on renegotiation, but we
* probably shouldn't rely that it couldn't be set on * probably shouldn't rely that it couldn't be set on
* the initial renegotation too in certain cases (when * the initial renegotation too in certain cases (when
* there's some other reason to disallow resuming an * there's some other reason to disallow resuming an
* earlier session -- the current code won't be doing * earlier session -- the current code won't be doing
* anything like that, but this might change). * anything like that, but this might change).
* *
* A valid sign that there's been a previous handshake * A valid sign that there's been a previous handshake
* in this connection is if s->s3->tmp.finish_md_len > * in this connection is if s->s3->tmp.finish_md_len >
* 0. (We are talking about a check that will happen * 0. (We are talking about a check that will happen
* in the Hello protocol round, well before a new * in the Hello protocol round, well before a new
* Finished message could have been computed.) * Finished message could have been computed.)
*/ */
s->s3->next_proto_neg_seen = 1; s->s3->next_proto_neg_seen = 1;
} }
# endif # endif
@ -2635,12 +2635,12 @@ static int ssl_scan_serverhello_tlsext(SSL *s, unsigned char **p,
*al = TLS1_AD_DECODE_ERROR; *al = TLS1_AD_DECODE_ERROR;
return 0; return 0;
} }
/*- /*-
* The extension data consists of: * The extension data consists of:
* uint16 list_length * uint16 list_length
* uint8 proto_length; * uint8 proto_length;
* uint8 proto[proto_length]; * uint8 proto[proto_length];
*/ */
len = data[0]; len = data[0];
len <<= 8; len <<= 8;
len |= data[1]; len |= data[1];
@ -3944,16 +3944,16 @@ int tls1_heartbeat(SSL *s)
*/ */
OPENSSL_assert(payload + padding <= 16381); OPENSSL_assert(payload + padding <= 16381);
/*- /*-
* Create HeartBeat message, we just use a sequence number * Create HeartBeat message, we just use a sequence number
* as payload to distuingish different messages and add * as payload to distuingish different messages and add
* some random stuff. * some random stuff.
* - Message Type, 1 byte * - Message Type, 1 byte
* - Payload Length, 2 bytes (unsigned int) * - Payload Length, 2 bytes (unsigned int)
* - Payload, the sequence number (2 bytes uint) * - Payload, the sequence number (2 bytes uint)
* - Payload, random bytes (16 bytes uint) * - Payload, random bytes (16 bytes uint)
* - Padding * - Padding
*/ */
buf = OPENSSL_malloc(1 + 2 + payload + padding); buf = OPENSSL_malloc(1 + 2 + payload + padding);
if (buf == NULL) { if (buf == NULL) {
SSLerr(SSL_F_TLS1_HEARTBEAT, ERR_R_MALLOC_FAILURE); SSLerr(SSL_F_TLS1_HEARTBEAT, ERR_R_MALLOC_FAILURE);