Re-align some comments after running the reformat script.
This should be a one off operation (subsequent invokation of the script should not move them) This commit is for the 1.0.2 changes Reviewed-by: Tim Hudson <tjh@openssl.org>
This commit is contained in:
parent
323d39e87f
commit
83975c80bb
@ -615,10 +615,10 @@ int MAIN(int argc, char **argv)
|
||||
|
||||
oid_bio = BIO_new_file(p, "r");
|
||||
if (oid_bio == NULL) {
|
||||
/*-
|
||||
BIO_printf(bio_err,"problems opening %s for extra oid's\n",p);
|
||||
ERR_print_errors(bio_err);
|
||||
*/
|
||||
/*-
|
||||
BIO_printf(bio_err,"problems opening %s for extra oid's\n",p);
|
||||
ERR_print_errors(bio_err);
|
||||
*/
|
||||
ERR_clear_error();
|
||||
} else {
|
||||
OBJ_create_objects(oid_bio);
|
||||
|
@ -122,8 +122,8 @@ int MAIN(int argc, char **argv)
|
||||
outfile = *(++argv);
|
||||
} else if (strcmp(*argv, "-2") == 0)
|
||||
g = 2;
|
||||
/*- else if (strcmp(*argv,"-3") == 0)
|
||||
g=3; */
|
||||
/*- else if (strcmp(*argv,"-3") == 0)
|
||||
g=3; */
|
||||
else if (strcmp(*argv, "-5") == 0)
|
||||
g = 5;
|
||||
# ifndef OPENSSL_NO_ENGINE
|
||||
|
@ -231,27 +231,27 @@ int main(int Argc, char *ARGV[])
|
||||
long errline;
|
||||
|
||||
#if defined( OPENSSL_SYS_VMS) && (__INITIAL_POINTER_SIZE == 64)
|
||||
/*-
|
||||
* 2011-03-22 SMS.
|
||||
* If we have 32-bit pointers everywhere, then we're safe, and
|
||||
* we bypass this mess, as on non-VMS systems. (See ARGV,
|
||||
* above.)
|
||||
* Problem 1: Compaq/HP C before V7.3 always used 32-bit
|
||||
* pointers for argv[].
|
||||
* Fix 1: For a 32-bit argv[], when we're using 64-bit pointers
|
||||
* everywhere else, we always allocate and use a 64-bit
|
||||
* duplicate of argv[].
|
||||
* Problem 2: Compaq/HP C V7.3 (Alpha, IA64) before ECO1 failed
|
||||
* to NULL-terminate a 64-bit argv[]. (As this was written, the
|
||||
* compiler ECO was available only on IA64.)
|
||||
* Fix 2: Unless advised not to (VMS_TRUST_ARGV), we test a
|
||||
* 64-bit argv[argc] for NULL, and, if necessary, use a
|
||||
* (properly) NULL-terminated (64-bit) duplicate of argv[].
|
||||
* The same code is used in either case to duplicate argv[].
|
||||
* Some of these decisions could be handled in preprocessing,
|
||||
* but the code tends to get even uglier, and the penalty for
|
||||
* deciding at compile- or run-time is tiny.
|
||||
*/
|
||||
/*-
|
||||
* 2011-03-22 SMS.
|
||||
* If we have 32-bit pointers everywhere, then we're safe, and
|
||||
* we bypass this mess, as on non-VMS systems. (See ARGV,
|
||||
* above.)
|
||||
* Problem 1: Compaq/HP C before V7.3 always used 32-bit
|
||||
* pointers for argv[].
|
||||
* Fix 1: For a 32-bit argv[], when we're using 64-bit pointers
|
||||
* everywhere else, we always allocate and use a 64-bit
|
||||
* duplicate of argv[].
|
||||
* Problem 2: Compaq/HP C V7.3 (Alpha, IA64) before ECO1 failed
|
||||
* to NULL-terminate a 64-bit argv[]. (As this was written, the
|
||||
* compiler ECO was available only on IA64.)
|
||||
* Fix 2: Unless advised not to (VMS_TRUST_ARGV), we test a
|
||||
* 64-bit argv[argc] for NULL, and, if necessary, use a
|
||||
* (properly) NULL-terminated (64-bit) duplicate of argv[].
|
||||
* The same code is used in either case to duplicate argv[].
|
||||
* Some of these decisions could be handled in preprocessing,
|
||||
* but the code tends to get even uglier, and the penalty for
|
||||
* deciding at compile- or run-time is tiny.
|
||||
*/
|
||||
char **Argv = NULL;
|
||||
int free_Argv = 0;
|
||||
|
||||
|
@ -502,10 +502,10 @@ int MAIN(int argc, char **argv)
|
||||
|
||||
oid_bio = BIO_new_file(p, "r");
|
||||
if (oid_bio == NULL) {
|
||||
/*-
|
||||
BIO_printf(bio_err,"problems opening %s for extra oid's\n",p);
|
||||
ERR_print_errors(bio_err);
|
||||
*/
|
||||
/*-
|
||||
BIO_printf(bio_err,"problems opening %s for extra oid's\n",p);
|
||||
ERR_print_errors(bio_err);
|
||||
*/
|
||||
} else {
|
||||
OBJ_create_objects(oid_bio);
|
||||
BIO_free(oid_bio);
|
||||
|
34
apps/s_cb.c
34
apps/s_cb.c
@ -196,10 +196,10 @@ int MS_CALLBACK verify_callback(int ok, X509_STORE_CTX *ctx)
|
||||
int set_cert_stuff(SSL_CTX *ctx, char *cert_file, char *key_file)
|
||||
{
|
||||
if (cert_file != NULL) {
|
||||
/*-
|
||||
SSL *ssl;
|
||||
X509 *x509;
|
||||
*/
|
||||
/*-
|
||||
SSL *ssl;
|
||||
X509 *x509;
|
||||
*/
|
||||
|
||||
if (SSL_CTX_use_certificate_file(ctx, cert_file,
|
||||
SSL_FILETYPE_PEM) <= 0) {
|
||||
@ -217,20 +217,20 @@ int set_cert_stuff(SSL_CTX *ctx, char *cert_file, char *key_file)
|
||||
return (0);
|
||||
}
|
||||
|
||||
/*-
|
||||
In theory this is no longer needed
|
||||
ssl=SSL_new(ctx);
|
||||
x509=SSL_get_certificate(ssl);
|
||||
/*-
|
||||
In theory this is no longer needed
|
||||
ssl=SSL_new(ctx);
|
||||
x509=SSL_get_certificate(ssl);
|
||||
|
||||
if (x509 != NULL) {
|
||||
EVP_PKEY *pktmp;
|
||||
pktmp = X509_get_pubkey(x509);
|
||||
EVP_PKEY_copy_parameters(pktmp,
|
||||
SSL_get_privatekey(ssl));
|
||||
EVP_PKEY_free(pktmp);
|
||||
}
|
||||
SSL_free(ssl);
|
||||
*/
|
||||
if (x509 != NULL) {
|
||||
EVP_PKEY *pktmp;
|
||||
pktmp = X509_get_pubkey(x509);
|
||||
EVP_PKEY_copy_parameters(pktmp,
|
||||
SSL_get_privatekey(ssl));
|
||||
EVP_PKEY_free(pktmp);
|
||||
}
|
||||
SSL_free(ssl);
|
||||
*/
|
||||
|
||||
/*
|
||||
* If we are using DSA, we can copy the parameters from the private
|
||||
|
@ -1733,8 +1733,8 @@ int MAIN(int argc, char **argv)
|
||||
openssl_fdset(SSL_get_fd(con), &writefds);
|
||||
}
|
||||
#endif
|
||||
/*- printf("mode tty(%d %d%d) ssl(%d%d)\n",
|
||||
tty_on,read_tty,write_tty,read_ssl,write_ssl);*/
|
||||
/*- printf("mode tty(%d %d%d) ssl(%d%d)\n",
|
||||
tty_on,read_tty,write_tty,read_ssl,write_ssl);*/
|
||||
|
||||
/*
|
||||
* Note: under VMS with SOCKETSHR the second parameter is
|
||||
|
@ -429,13 +429,13 @@ static int do_accept(int acc_sock, int *sock, char **host)
|
||||
}
|
||||
|
||||
/*-
|
||||
ling.l_onoff=1;
|
||||
ling.l_linger=0;
|
||||
i=setsockopt(ret,SOL_SOCKET,SO_LINGER,(char *)&ling,sizeof(ling));
|
||||
if (i < 0) { perror("linger"); return(0); }
|
||||
i=0;
|
||||
i=setsockopt(ret,SOL_SOCKET,SO_KEEPALIVE,(char *)&i,sizeof(i));
|
||||
if (i < 0) { perror("keepalive"); return(0); }
|
||||
ling.l_onoff=1;
|
||||
ling.l_linger=0;
|
||||
i=setsockopt(ret,SOL_SOCKET,SO_LINGER,(char *)&ling,sizeof(ling));
|
||||
if (i < 0) { perror("linger"); return(0); }
|
||||
i=0;
|
||||
i=setsockopt(ret,SOL_SOCKET,SO_KEEPALIVE,(char *)&i,sizeof(i));
|
||||
if (i < 0) { perror("keepalive"); return(0); }
|
||||
*/
|
||||
|
||||
if (host == NULL)
|
||||
|
24
apps/ts.c
24
apps/ts.c
@ -1101,19 +1101,19 @@ static X509_STORE *create_cert_store(char *ca_path, char *ca_file)
|
||||
|
||||
static int MS_CALLBACK verify_cb(int ok, X509_STORE_CTX *ctx)
|
||||
{
|
||||
/*-
|
||||
char buf[256];
|
||||
/*-
|
||||
char buf[256];
|
||||
|
||||
if (!ok)
|
||||
{
|
||||
X509_NAME_oneline(X509_get_subject_name(ctx->current_cert),
|
||||
buf, sizeof(buf));
|
||||
printf("%s\n", buf);
|
||||
printf("error %d at %d depth lookup: %s\n",
|
||||
ctx->error, ctx->error_depth,
|
||||
X509_verify_cert_error_string(ctx->error));
|
||||
}
|
||||
*/
|
||||
if (!ok)
|
||||
{
|
||||
X509_NAME_oneline(X509_get_subject_name(ctx->current_cert),
|
||||
buf, sizeof(buf));
|
||||
printf("%s\n", buf);
|
||||
printf("error %d at %d depth lookup: %s\n",
|
||||
ctx->error, ctx->error_depth,
|
||||
X509_verify_cert_error_string(ctx->error));
|
||||
}
|
||||
*/
|
||||
|
||||
return ok;
|
||||
}
|
||||
|
@ -252,13 +252,13 @@ int ASN1_item_sign_ctx(const ASN1_ITEM *it,
|
||||
rv = pkey->ameth->item_sign(ctx, it, asn, algor1, algor2, signature);
|
||||
if (rv == 1)
|
||||
outl = signature->length;
|
||||
/*-
|
||||
* Return value meanings:
|
||||
* <=0: error.
|
||||
* 1: method does everything.
|
||||
* 2: carry on as normal.
|
||||
* 3: ASN1 method sets algorithm identifiers: just sign.
|
||||
*/
|
||||
/*-
|
||||
* Return value meanings:
|
||||
* <=0: error.
|
||||
* 1: method does everything.
|
||||
* 2: carry on as normal.
|
||||
* 3: ASN1 method sets algorithm identifiers: just sign.
|
||||
*/
|
||||
if (rv <= 0)
|
||||
ASN1err(ASN1_F_ASN1_ITEM_SIGN_CTX, ERR_R_EVP_LIB);
|
||||
if (rv <= 1)
|
||||
|
@ -534,13 +534,13 @@ int BIO_socket_ioctl(int fd, long type, void *arg)
|
||||
i = ioctlsocket(fd, type, (char *)arg);
|
||||
# else
|
||||
# if defined(OPENSSL_SYS_VMS)
|
||||
/*-
|
||||
* 2011-02-18 SMS.
|
||||
* VMS ioctl() can't tolerate a 64-bit "void *arg", but we
|
||||
* observe that all the consumers pass in an "unsigned long *",
|
||||
* so we arrange a local copy with a short pointer, and use
|
||||
* that, instead.
|
||||
*/
|
||||
/*-
|
||||
* 2011-02-18 SMS.
|
||||
* VMS ioctl() can't tolerate a 64-bit "void *arg", but we
|
||||
* observe that all the consumers pass in an "unsigned long *",
|
||||
* so we arrange a local copy with a short pointer, and use
|
||||
* that, instead.
|
||||
*/
|
||||
# if __INITIAL_POINTER_SIZE == 64
|
||||
# define ARG arg_32p
|
||||
# pragma pointer_size save
|
||||
|
@ -103,11 +103,11 @@ static int nullf_free(BIO *a)
|
||||
{
|
||||
if (a == NULL)
|
||||
return (0);
|
||||
/*-
|
||||
a->ptr=NULL;
|
||||
a->init=0;
|
||||
a->flags=0;
|
||||
*/
|
||||
/*-
|
||||
a->ptr=NULL;
|
||||
a->init=0;
|
||||
a->flags=0;
|
||||
*/
|
||||
return (1);
|
||||
}
|
||||
|
||||
|
@ -344,15 +344,15 @@ struct bio_st {
|
||||
DECLARE_STACK_OF(BIO)
|
||||
|
||||
typedef struct bio_f_buffer_ctx_struct {
|
||||
/*-
|
||||
* Buffers are setup like this:
|
||||
*
|
||||
* <---------------------- size ----------------------->
|
||||
* +---------------------------------------------------+
|
||||
* | consumed | remaining | free space |
|
||||
* +---------------------------------------------------+
|
||||
* <-- off --><------- len ------->
|
||||
*/
|
||||
/*-
|
||||
* Buffers are setup like this:
|
||||
*
|
||||
* <---------------------- size ----------------------->
|
||||
* +---------------------------------------------------+
|
||||
* | consumed | remaining | free space |
|
||||
* +---------------------------------------------------+
|
||||
* <-- off --><------- len ------->
|
||||
*/
|
||||
/*- BIO *bio; *//*
|
||||
* this is now in the BIO struct
|
||||
*/
|
||||
|
@ -421,12 +421,12 @@ static long acpt_ctrl(BIO *b, int cmd, long num, void *ptr)
|
||||
ret = (long)data->bind_mode;
|
||||
break;
|
||||
case BIO_CTRL_DUP:
|
||||
/*- dbio=(BIO *)ptr;
|
||||
if (data->param_port) EAY EAY
|
||||
BIO_set_port(dbio,data->param_port);
|
||||
if (data->param_hostname)
|
||||
BIO_set_hostname(dbio,data->param_hostname);
|
||||
BIO_set_nbio(dbio,data->nbio); */
|
||||
/*- dbio=(BIO *)ptr;
|
||||
if (data->param_port) EAY EAY
|
||||
BIO_set_port(dbio,data->param_port);
|
||||
if (data->param_hostname)
|
||||
BIO_set_hostname(dbio,data->param_hostname);
|
||||
BIO_set_nbio(dbio,data->nbio); */
|
||||
break;
|
||||
|
||||
default:
|
||||
|
@ -69,12 +69,12 @@ int BN_add(BIGNUM *r, const BIGNUM *a, const BIGNUM *b)
|
||||
bn_check_top(a);
|
||||
bn_check_top(b);
|
||||
|
||||
/*-
|
||||
* a + b a+b
|
||||
* a + -b a-b
|
||||
* -a + b b-a
|
||||
* -a + -b -(a+b)
|
||||
*/
|
||||
/*-
|
||||
* a + b a+b
|
||||
* a + -b a-b
|
||||
* -a + b b-a
|
||||
* -a + -b -(a+b)
|
||||
*/
|
||||
if (a_neg ^ b->neg) {
|
||||
/* only one is negative */
|
||||
if (a_neg) {
|
||||
@ -265,12 +265,12 @@ int BN_sub(BIGNUM *r, const BIGNUM *a, const BIGNUM *b)
|
||||
bn_check_top(a);
|
||||
bn_check_top(b);
|
||||
|
||||
/*-
|
||||
* a - b a-b
|
||||
* a - -b a+b
|
||||
* -a - b -(a+b)
|
||||
* -a - -b b-a
|
||||
*/
|
||||
/*-
|
||||
* a - b a-b
|
||||
* a - -b a+b
|
||||
* -a - b -(a+b)
|
||||
* -a - -b b-a
|
||||
*/
|
||||
if (a->neg) {
|
||||
if (b->neg) {
|
||||
tmp = a;
|
||||
|
@ -203,36 +203,36 @@ int BN_mod_exp(BIGNUM *r, const BIGNUM *a, const BIGNUM *p, const BIGNUM *m,
|
||||
bn_check_top(p);
|
||||
bn_check_top(m);
|
||||
|
||||
/*-
|
||||
* For even modulus m = 2^k*m_odd, it might make sense to compute
|
||||
* a^p mod m_odd and a^p mod 2^k separately (with Montgomery
|
||||
* exponentiation for the odd part), using appropriate exponent
|
||||
* reductions, and combine the results using the CRT.
|
||||
*
|
||||
* For now, we use Montgomery only if the modulus is odd; otherwise,
|
||||
* exponentiation using the reciprocal-based quick remaindering
|
||||
* algorithm is used.
|
||||
*
|
||||
* (Timing obtained with expspeed.c [computations a^p mod m
|
||||
* where a, p, m are of the same length: 256, 512, 1024, 2048,
|
||||
* 4096, 8192 bits], compared to the running time of the
|
||||
* standard algorithm:
|
||||
*
|
||||
* BN_mod_exp_mont 33 .. 40 % [AMD K6-2, Linux, debug configuration]
|
||||
* 55 .. 77 % [UltraSparc processor, but
|
||||
* debug-solaris-sparcv8-gcc conf.]
|
||||
*
|
||||
* BN_mod_exp_recp 50 .. 70 % [AMD K6-2, Linux, debug configuration]
|
||||
* 62 .. 118 % [UltraSparc, debug-solaris-sparcv8-gcc]
|
||||
*
|
||||
* On the Sparc, BN_mod_exp_recp was faster than BN_mod_exp_mont
|
||||
* at 2048 and more bits, but at 512 and 1024 bits, it was
|
||||
* slower even than the standard algorithm!
|
||||
*
|
||||
* "Real" timings [linux-elf, solaris-sparcv9-gcc configurations]
|
||||
* should be obtained when the new Montgomery reduction code
|
||||
* has been integrated into OpenSSL.)
|
||||
*/
|
||||
/*-
|
||||
* For even modulus m = 2^k*m_odd, it might make sense to compute
|
||||
* a^p mod m_odd and a^p mod 2^k separately (with Montgomery
|
||||
* exponentiation for the odd part), using appropriate exponent
|
||||
* reductions, and combine the results using the CRT.
|
||||
*
|
||||
* For now, we use Montgomery only if the modulus is odd; otherwise,
|
||||
* exponentiation using the reciprocal-based quick remaindering
|
||||
* algorithm is used.
|
||||
*
|
||||
* (Timing obtained with expspeed.c [computations a^p mod m
|
||||
* where a, p, m are of the same length: 256, 512, 1024, 2048,
|
||||
* 4096, 8192 bits], compared to the running time of the
|
||||
* standard algorithm:
|
||||
*
|
||||
* BN_mod_exp_mont 33 .. 40 % [AMD K6-2, Linux, debug configuration]
|
||||
* 55 .. 77 % [UltraSparc processor, but
|
||||
* debug-solaris-sparcv8-gcc conf.]
|
||||
*
|
||||
* BN_mod_exp_recp 50 .. 70 % [AMD K6-2, Linux, debug configuration]
|
||||
* 62 .. 118 % [UltraSparc, debug-solaris-sparcv8-gcc]
|
||||
*
|
||||
* On the Sparc, BN_mod_exp_recp was faster than BN_mod_exp_mont
|
||||
* at 2048 and more bits, but at 512 and 1024 bits, it was
|
||||
* slower even than the standard algorithm!
|
||||
*
|
||||
* "Real" timings [linux-elf, solaris-sparcv9-gcc configurations]
|
||||
* should be obtained when the new Montgomery reduction code
|
||||
* has been integrated into OpenSSL.)
|
||||
*/
|
||||
|
||||
#define MONT_MUL_MOD
|
||||
#define MONT_EXP_WORD
|
||||
|
@ -268,13 +268,13 @@ BIGNUM *BN_mod_inverse(BIGNUM *in,
|
||||
goto err;
|
||||
}
|
||||
sign = -1;
|
||||
/*-
|
||||
* From B = a mod |n|, A = |n| it follows that
|
||||
*
|
||||
* 0 <= B < A,
|
||||
* -sign*X*a == B (mod |n|),
|
||||
* sign*Y*a == A (mod |n|).
|
||||
*/
|
||||
/*-
|
||||
* From B = a mod |n|, A = |n| it follows that
|
||||
*
|
||||
* 0 <= B < A,
|
||||
* -sign*X*a == B (mod |n|),
|
||||
* sign*Y*a == A (mod |n|).
|
||||
*/
|
||||
|
||||
if (BN_is_odd(n) && (BN_num_bits(n) <= (BN_BITS <= 32 ? 450 : 2048))) {
|
||||
/*
|
||||
@ -286,12 +286,12 @@ BIGNUM *BN_mod_inverse(BIGNUM *in,
|
||||
int shift;
|
||||
|
||||
while (!BN_is_zero(B)) {
|
||||
/*-
|
||||
* 0 < B < |n|,
|
||||
* 0 < A <= |n|,
|
||||
* (1) -sign*X*a == B (mod |n|),
|
||||
* (2) sign*Y*a == A (mod |n|)
|
||||
*/
|
||||
/*-
|
||||
* 0 < B < |n|,
|
||||
* 0 < A <= |n|,
|
||||
* (1) -sign*X*a == B (mod |n|),
|
||||
* (2) sign*Y*a == A (mod |n|)
|
||||
*/
|
||||
|
||||
/*
|
||||
* Now divide B by the maximum possible power of two in the
|
||||
@ -337,18 +337,18 @@ BIGNUM *BN_mod_inverse(BIGNUM *in,
|
||||
goto err;
|
||||
}
|
||||
|
||||
/*-
|
||||
* We still have (1) and (2).
|
||||
* Both A and B are odd.
|
||||
* The following computations ensure that
|
||||
*
|
||||
* 0 <= B < |n|,
|
||||
* 0 < A < |n|,
|
||||
* (1) -sign*X*a == B (mod |n|),
|
||||
* (2) sign*Y*a == A (mod |n|),
|
||||
*
|
||||
* and that either A or B is even in the next iteration.
|
||||
*/
|
||||
/*-
|
||||
* We still have (1) and (2).
|
||||
* Both A and B are odd.
|
||||
* The following computations ensure that
|
||||
*
|
||||
* 0 <= B < |n|,
|
||||
* 0 < A < |n|,
|
||||
* (1) -sign*X*a == B (mod |n|),
|
||||
* (2) sign*Y*a == A (mod |n|),
|
||||
*
|
||||
* and that either A or B is even in the next iteration.
|
||||
*/
|
||||
if (BN_ucmp(B, A) >= 0) {
|
||||
/* -sign*(X + Y)*a == B - A (mod |n|) */
|
||||
if (!BN_uadd(X, X, Y))
|
||||
@ -377,11 +377,11 @@ BIGNUM *BN_mod_inverse(BIGNUM *in,
|
||||
while (!BN_is_zero(B)) {
|
||||
BIGNUM *tmp;
|
||||
|
||||
/*-
|
||||
* 0 < B < A,
|
||||
* (*) -sign*X*a == B (mod |n|),
|
||||
* sign*Y*a == A (mod |n|)
|
||||
*/
|
||||
/*-
|
||||
* 0 < B < A,
|
||||
* (*) -sign*X*a == B (mod |n|),
|
||||
* sign*Y*a == A (mod |n|)
|
||||
*/
|
||||
|
||||
/* (D, M) := (A/B, A%B) ... */
|
||||
if (BN_num_bits(A) == BN_num_bits(B)) {
|
||||
@ -428,12 +428,12 @@ BIGNUM *BN_mod_inverse(BIGNUM *in,
|
||||
goto err;
|
||||
}
|
||||
|
||||
/*-
|
||||
* Now
|
||||
* A = D*B + M;
|
||||
* thus we have
|
||||
* (**) sign*Y*a == D*B + M (mod |n|).
|
||||
*/
|
||||
/*-
|
||||
* Now
|
||||
* A = D*B + M;
|
||||
* thus we have
|
||||
* (**) sign*Y*a == D*B + M (mod |n|).
|
||||
*/
|
||||
|
||||
tmp = A; /* keep the BIGNUM object, the value does not
|
||||
* matter */
|
||||
@ -443,25 +443,25 @@ BIGNUM *BN_mod_inverse(BIGNUM *in,
|
||||
B = M;
|
||||
/* ... so we have 0 <= B < A again */
|
||||
|
||||
/*-
|
||||
* Since the former M is now B and the former B is now A,
|
||||
* (**) translates into
|
||||
* sign*Y*a == D*A + B (mod |n|),
|
||||
* i.e.
|
||||
* sign*Y*a - D*A == B (mod |n|).
|
||||
* Similarly, (*) translates into
|
||||
* -sign*X*a == A (mod |n|).
|
||||
*
|
||||
* Thus,
|
||||
* sign*Y*a + D*sign*X*a == B (mod |n|),
|
||||
* i.e.
|
||||
* sign*(Y + D*X)*a == B (mod |n|).
|
||||
*
|
||||
* So if we set (X, Y, sign) := (Y + D*X, X, -sign), we arrive back at
|
||||
* -sign*X*a == B (mod |n|),
|
||||
* sign*Y*a == A (mod |n|).
|
||||
* Note that X and Y stay non-negative all the time.
|
||||
*/
|
||||
/*-
|
||||
* Since the former M is now B and the former B is now A,
|
||||
* (**) translates into
|
||||
* sign*Y*a == D*A + B (mod |n|),
|
||||
* i.e.
|
||||
* sign*Y*a - D*A == B (mod |n|).
|
||||
* Similarly, (*) translates into
|
||||
* -sign*X*a == A (mod |n|).
|
||||
*
|
||||
* Thus,
|
||||
* sign*Y*a + D*sign*X*a == B (mod |n|),
|
||||
* i.e.
|
||||
* sign*(Y + D*X)*a == B (mod |n|).
|
||||
*
|
||||
* So if we set (X, Y, sign) := (Y + D*X, X, -sign), we arrive back at
|
||||
* -sign*X*a == B (mod |n|),
|
||||
* sign*Y*a == A (mod |n|).
|
||||
* Note that X and Y stay non-negative all the time.
|
||||
*/
|
||||
|
||||
/*
|
||||
* most of the time D is very small, so we can optimize tmp :=
|
||||
@ -498,13 +498,13 @@ BIGNUM *BN_mod_inverse(BIGNUM *in,
|
||||
}
|
||||
}
|
||||
|
||||
/*-
|
||||
* The while loop (Euclid's algorithm) ends when
|
||||
* A == gcd(a,n);
|
||||
* we have
|
||||
* sign*Y*a == A (mod |n|),
|
||||
* where Y is non-negative.
|
||||
*/
|
||||
/*-
|
||||
* The while loop (Euclid's algorithm) ends when
|
||||
* A == gcd(a,n);
|
||||
* we have
|
||||
* sign*Y*a == A (mod |n|),
|
||||
* where Y is non-negative.
|
||||
*/
|
||||
|
||||
if (sign < 0) {
|
||||
if (!BN_sub(Y, n, Y))
|
||||
@ -588,22 +588,22 @@ static BIGNUM *BN_mod_inverse_no_branch(BIGNUM *in,
|
||||
goto err;
|
||||
}
|
||||
sign = -1;
|
||||
/*-
|
||||
* From B = a mod |n|, A = |n| it follows that
|
||||
*
|
||||
* 0 <= B < A,
|
||||
* -sign*X*a == B (mod |n|),
|
||||
* sign*Y*a == A (mod |n|).
|
||||
*/
|
||||
/*-
|
||||
* From B = a mod |n|, A = |n| it follows that
|
||||
*
|
||||
* 0 <= B < A,
|
||||
* -sign*X*a == B (mod |n|),
|
||||
* sign*Y*a == A (mod |n|).
|
||||
*/
|
||||
|
||||
while (!BN_is_zero(B)) {
|
||||
BIGNUM *tmp;
|
||||
|
||||
/*-
|
||||
* 0 < B < A,
|
||||
* (*) -sign*X*a == B (mod |n|),
|
||||
* sign*Y*a == A (mod |n|)
|
||||
*/
|
||||
/*-
|
||||
* 0 < B < A,
|
||||
* (*) -sign*X*a == B (mod |n|),
|
||||
* sign*Y*a == A (mod |n|)
|
||||
*/
|
||||
|
||||
/*
|
||||
* Turn BN_FLG_CONSTTIME flag on, so that when BN_div is invoked,
|
||||
@ -616,12 +616,12 @@ static BIGNUM *BN_mod_inverse_no_branch(BIGNUM *in,
|
||||
if (!BN_div(D, M, pA, B, ctx))
|
||||
goto err;
|
||||
|
||||
/*-
|
||||
* Now
|
||||
* A = D*B + M;
|
||||
* thus we have
|
||||
* (**) sign*Y*a == D*B + M (mod |n|).
|
||||
*/
|
||||
/*-
|
||||
* Now
|
||||
* A = D*B + M;
|
||||
* thus we have
|
||||
* (**) sign*Y*a == D*B + M (mod |n|).
|
||||
*/
|
||||
|
||||
tmp = A; /* keep the BIGNUM object, the value does not
|
||||
* matter */
|
||||
@ -631,25 +631,25 @@ static BIGNUM *BN_mod_inverse_no_branch(BIGNUM *in,
|
||||
B = M;
|
||||
/* ... so we have 0 <= B < A again */
|
||||
|
||||
/*-
|
||||
* Since the former M is now B and the former B is now A,
|
||||
* (**) translates into
|
||||
* sign*Y*a == D*A + B (mod |n|),
|
||||
* i.e.
|
||||
* sign*Y*a - D*A == B (mod |n|).
|
||||
* Similarly, (*) translates into
|
||||
* -sign*X*a == A (mod |n|).
|
||||
*
|
||||
* Thus,
|
||||
* sign*Y*a + D*sign*X*a == B (mod |n|),
|
||||
* i.e.
|
||||
* sign*(Y + D*X)*a == B (mod |n|).
|
||||
*
|
||||
* So if we set (X, Y, sign) := (Y + D*X, X, -sign), we arrive back at
|
||||
* -sign*X*a == B (mod |n|),
|
||||
* sign*Y*a == A (mod |n|).
|
||||
* Note that X and Y stay non-negative all the time.
|
||||
*/
|
||||
/*-
|
||||
* Since the former M is now B and the former B is now A,
|
||||
* (**) translates into
|
||||
* sign*Y*a == D*A + B (mod |n|),
|
||||
* i.e.
|
||||
* sign*Y*a - D*A == B (mod |n|).
|
||||
* Similarly, (*) translates into
|
||||
* -sign*X*a == A (mod |n|).
|
||||
*
|
||||
* Thus,
|
||||
* sign*Y*a + D*sign*X*a == B (mod |n|),
|
||||
* i.e.
|
||||
* sign*(Y + D*X)*a == B (mod |n|).
|
||||
*
|
||||
* So if we set (X, Y, sign) := (Y + D*X, X, -sign), we arrive back at
|
||||
* -sign*X*a == B (mod |n|),
|
||||
* sign*Y*a == A (mod |n|).
|
||||
* Note that X and Y stay non-negative all the time.
|
||||
*/
|
||||
|
||||
if (!BN_mul(tmp, D, X, ctx))
|
||||
goto err;
|
||||
@ -663,13 +663,13 @@ static BIGNUM *BN_mod_inverse_no_branch(BIGNUM *in,
|
||||
sign = -sign;
|
||||
}
|
||||
|
||||
/*-
|
||||
* The while loop (Euclid's algorithm) ends when
|
||||
* A == gcd(a,n);
|
||||
* we have
|
||||
* sign*Y*a == A (mod |n|),
|
||||
* where Y is non-negative.
|
||||
*/
|
||||
/*-
|
||||
* The while loop (Euclid's algorithm) ends when
|
||||
* A == gcd(a,n);
|
||||
* we have
|
||||
* sign*Y*a == A (mod |n|),
|
||||
* where Y is non-negative.
|
||||
*/
|
||||
|
||||
if (sign < 0) {
|
||||
if (!BN_sub(Y, n, Y))
|
||||
|
@ -66,13 +66,13 @@ int BN_kronecker(const BIGNUM *a, const BIGNUM *b, BN_CTX *ctx)
|
||||
int ret = -2; /* avoid 'uninitialized' warning */
|
||||
int err = 0;
|
||||
BIGNUM *A, *B, *tmp;
|
||||
/*-
|
||||
* In 'tab', only odd-indexed entries are relevant:
|
||||
* For any odd BIGNUM n,
|
||||
* tab[BN_lsw(n) & 7]
|
||||
* is $(-1)^{(n^2-1)/8}$ (using TeX notation).
|
||||
* Note that the sign of n does not matter.
|
||||
*/
|
||||
/*-
|
||||
* In 'tab', only odd-indexed entries are relevant:
|
||||
* For any odd BIGNUM n,
|
||||
* tab[BN_lsw(n) & 7]
|
||||
* is $(-1)^{(n^2-1)/8}$ (using TeX notation).
|
||||
* Note that the sign of n does not matter.
|
||||
*/
|
||||
static const int tab[8] = { 0, 1, 0, -1, 0, -1, 0, 1 };
|
||||
|
||||
bn_check_top(a);
|
||||
|
@ -527,11 +527,11 @@ void bn_mul_recursive(BN_ULONG *r, BN_ULONG *a, BN_ULONG *b, int n2,
|
||||
bn_mul_recursive(&(r[n2]), &(a[n]), &(b[n]), n, dna, dnb, p);
|
||||
}
|
||||
|
||||
/*-
|
||||
* t[32] holds (a[0]-a[1])*(b[1]-b[0]), c1 is the sign
|
||||
* r[10] holds (a[0]*b[0])
|
||||
* r[32] holds (b[1]*b[1])
|
||||
*/
|
||||
/*-
|
||||
* t[32] holds (a[0]-a[1])*(b[1]-b[0]), c1 is the sign
|
||||
* r[10] holds (a[0]*b[0])
|
||||
* r[32] holds (b[1]*b[1])
|
||||
*/
|
||||
|
||||
c1 = (int)(bn_add_words(t, r, &(r[n2]), n2));
|
||||
|
||||
@ -542,12 +542,12 @@ void bn_mul_recursive(BN_ULONG *r, BN_ULONG *a, BN_ULONG *b, int n2,
|
||||
c1 += (int)(bn_add_words(&(t[n2]), &(t[n2]), t, n2));
|
||||
}
|
||||
|
||||
/*-
|
||||
* t[32] holds (a[0]-a[1])*(b[1]-b[0])+(a[0]*b[0])+(a[1]*b[1])
|
||||
* r[10] holds (a[0]*b[0])
|
||||
* r[32] holds (b[1]*b[1])
|
||||
* c1 holds the carry bits
|
||||
*/
|
||||
/*-
|
||||
* t[32] holds (a[0]-a[1])*(b[1]-b[0])+(a[0]*b[0])+(a[1]*b[1])
|
||||
* r[10] holds (a[0]*b[0])
|
||||
* r[32] holds (b[1]*b[1])
|
||||
* c1 holds the carry bits
|
||||
*/
|
||||
c1 += (int)(bn_add_words(&(r[n]), &(r[n]), &(t[n2]), n2));
|
||||
if (c1) {
|
||||
p = &(r[n + n2]);
|
||||
@ -689,11 +689,11 @@ void bn_mul_part_recursive(BN_ULONG *r, BN_ULONG *a, BN_ULONG *b, int n,
|
||||
}
|
||||
}
|
||||
|
||||
/*-
|
||||
* t[32] holds (a[0]-a[1])*(b[1]-b[0]), c1 is the sign
|
||||
* r[10] holds (a[0]*b[0])
|
||||
* r[32] holds (b[1]*b[1])
|
||||
*/
|
||||
/*-
|
||||
* t[32] holds (a[0]-a[1])*(b[1]-b[0]), c1 is the sign
|
||||
* r[10] holds (a[0]*b[0])
|
||||
* r[32] holds (b[1]*b[1])
|
||||
*/
|
||||
|
||||
c1 = (int)(bn_add_words(t, r, &(r[n2]), n2));
|
||||
|
||||
@ -704,12 +704,12 @@ void bn_mul_part_recursive(BN_ULONG *r, BN_ULONG *a, BN_ULONG *b, int n,
|
||||
c1 += (int)(bn_add_words(&(t[n2]), &(t[n2]), t, n2));
|
||||
}
|
||||
|
||||
/*-
|
||||
* t[32] holds (a[0]-a[1])*(b[1]-b[0])+(a[0]*b[0])+(a[1]*b[1])
|
||||
* r[10] holds (a[0]*b[0])
|
||||
* r[32] holds (b[1]*b[1])
|
||||
* c1 holds the carry bits
|
||||
*/
|
||||
/*-
|
||||
* t[32] holds (a[0]-a[1])*(b[1]-b[0])+(a[0]*b[0])+(a[1]*b[1])
|
||||
* r[10] holds (a[0]*b[0])
|
||||
* r[32] holds (b[1]*b[1])
|
||||
* c1 holds the carry bits
|
||||
*/
|
||||
c1 += (int)(bn_add_words(&(r[n]), &(r[n]), &(t[n2]), n2));
|
||||
if (c1) {
|
||||
p = &(r[n + n2]);
|
||||
@ -828,13 +828,13 @@ void bn_mul_high(BN_ULONG *r, BN_ULONG *a, BN_ULONG *b, BN_ULONG *l, int n2,
|
||||
bn_mul_recursive(r, &(a[n]), &(b[n]), n, 0, 0, &(t[n2]));
|
||||
}
|
||||
|
||||
/*-
|
||||
* s0 == low(al*bl)
|
||||
* s1 == low(ah*bh)+low((al-ah)*(bh-bl))+low(al*bl)+high(al*bl)
|
||||
* We know s0 and s1 so the only unknown is high(al*bl)
|
||||
* high(al*bl) == s1 - low(ah*bh+s0+(al-ah)*(bh-bl))
|
||||
* high(al*bl) == s1 - (r[0]+l[0]+t[0])
|
||||
*/
|
||||
/*-
|
||||
* s0 == low(al*bl)
|
||||
* s1 == low(ah*bh)+low((al-ah)*(bh-bl))+low(al*bl)+high(al*bl)
|
||||
* We know s0 and s1 so the only unknown is high(al*bl)
|
||||
* high(al*bl) == s1 - low(ah*bh+s0+(al-ah)*(bh-bl))
|
||||
* high(al*bl) == s1 - (r[0]+l[0]+t[0])
|
||||
*/
|
||||
if (l != NULL) {
|
||||
lp = &(t[n2 + n]);
|
||||
c1 = (int)(bn_add_words(lp, &(r[0]), &(l[0]), n));
|
||||
@ -859,22 +859,22 @@ void bn_mul_high(BN_ULONG *r, BN_ULONG *a, BN_ULONG *b, BN_ULONG *l, int n2,
|
||||
lp[i] = ((~mp[i]) + 1) & BN_MASK2;
|
||||
}
|
||||
|
||||
/*-
|
||||
* s[0] = low(al*bl)
|
||||
* t[3] = high(al*bl)
|
||||
* t[10] = (a[0]-a[1])*(b[1]-b[0]) neg is the sign
|
||||
* r[10] = (a[1]*b[1])
|
||||
*/
|
||||
/*-
|
||||
* R[10] = al*bl
|
||||
* R[21] = al*bl + ah*bh + (a[0]-a[1])*(b[1]-b[0])
|
||||
* R[32] = ah*bh
|
||||
*/
|
||||
/*-
|
||||
* R[1]=t[3]+l[0]+r[0](+-)t[0] (have carry/borrow)
|
||||
* R[2]=r[0]+t[3]+r[1](+-)t[1] (have carry/borrow)
|
||||
* R[3]=r[1]+(carry/borrow)
|
||||
*/
|
||||
/*-
|
||||
* s[0] = low(al*bl)
|
||||
* t[3] = high(al*bl)
|
||||
* t[10] = (a[0]-a[1])*(b[1]-b[0]) neg is the sign
|
||||
* r[10] = (a[1]*b[1])
|
||||
*/
|
||||
/*-
|
||||
* R[10] = al*bl
|
||||
* R[21] = al*bl + ah*bh + (a[0]-a[1])*(b[1]-b[0])
|
||||
* R[32] = ah*bh
|
||||
*/
|
||||
/*-
|
||||
* R[1]=t[3]+l[0]+r[0](+-)t[0] (have carry/borrow)
|
||||
* R[2]=r[0]+t[3]+r[1](+-)t[1] (have carry/borrow)
|
||||
* R[3]=r[1]+(carry/borrow)
|
||||
*/
|
||||
if (l != NULL) {
|
||||
lp = &(t[n2]);
|
||||
c1 = (int)(bn_add_words(lp, &(t[n2 + n]), &(l[0]), n));
|
||||
|
@ -106,12 +106,12 @@ char *BN_bn2dec(const BIGNUM *a)
|
||||
BIGNUM *t = NULL;
|
||||
BN_ULONG *bn_data = NULL, *lp;
|
||||
|
||||
/*-
|
||||
* get an upper bound for the length of the decimal integer
|
||||
* num <= (BN_num_bits(a) + 1) * log(2)
|
||||
* <= 3 * BN_num_bits(a) * 0.1001 + log(2) + 1 (rounding error)
|
||||
* <= BN_num_bits(a)/10 + BN_num_bits/1000 + 1 + 1
|
||||
*/
|
||||
/*-
|
||||
* get an upper bound for the length of the decimal integer
|
||||
* num <= (BN_num_bits(a) + 1) * log(2)
|
||||
* <= 3 * BN_num_bits(a) * 0.1001 + log(2) + 1 (rounding error)
|
||||
* <= BN_num_bits(a)/10 + BN_num_bits/1000 + 1 + 1
|
||||
*/
|
||||
i = BN_num_bits(a) * 3;
|
||||
num = (i / 10 + i / 1000 + 1) + 1;
|
||||
bn_data =
|
||||
|
@ -249,23 +249,23 @@ void bn_sqr_recursive(BN_ULONG *r, const BN_ULONG *a, int n2, BN_ULONG *t)
|
||||
bn_sqr_recursive(r, a, n, p);
|
||||
bn_sqr_recursive(&(r[n2]), &(a[n]), n, p);
|
||||
|
||||
/*-
|
||||
* t[32] holds (a[0]-a[1])*(a[1]-a[0]), it is negative or zero
|
||||
* r[10] holds (a[0]*b[0])
|
||||
* r[32] holds (b[1]*b[1])
|
||||
*/
|
||||
/*-
|
||||
* t[32] holds (a[0]-a[1])*(a[1]-a[0]), it is negative or zero
|
||||
* r[10] holds (a[0]*b[0])
|
||||
* r[32] holds (b[1]*b[1])
|
||||
*/
|
||||
|
||||
c1 = (int)(bn_add_words(t, r, &(r[n2]), n2));
|
||||
|
||||
/* t[32] is negative */
|
||||
c1 -= (int)(bn_sub_words(&(t[n2]), t, &(t[n2]), n2));
|
||||
|
||||
/*-
|
||||
* t[32] holds (a[0]-a[1])*(a[1]-a[0])+(a[0]*a[0])+(a[1]*a[1])
|
||||
* r[10] holds (a[0]*a[0])
|
||||
* r[32] holds (a[1]*a[1])
|
||||
* c1 holds the carry bits
|
||||
*/
|
||||
/*-
|
||||
* t[32] holds (a[0]-a[1])*(a[1]-a[0])+(a[0]*a[0])+(a[1]*a[1])
|
||||
* r[10] holds (a[0]*a[0])
|
||||
* r[32] holds (a[1]*a[1])
|
||||
* c1 holds the carry bits
|
||||
*/
|
||||
c1 += (int)(bn_add_words(&(r[n]), &(r[n]), &(t[n2]), n2));
|
||||
if (c1) {
|
||||
p = &(r[n + n2]);
|
||||
|
@ -132,14 +132,14 @@ BIGNUM *BN_mod_sqrt(BIGNUM *in, const BIGNUM *a, const BIGNUM *p, BN_CTX *ctx)
|
||||
/* we'll set q later (if needed) */
|
||||
|
||||
if (e == 1) {
|
||||
/*-
|
||||
* The easy case: (|p|-1)/2 is odd, so 2 has an inverse
|
||||
* modulo (|p|-1)/2, and square roots can be computed
|
||||
* directly by modular exponentiation.
|
||||
* We have
|
||||
* 2 * (|p|+1)/4 == 1 (mod (|p|-1)/2),
|
||||
* so we can use exponent (|p|+1)/4, i.e. (|p|-3)/4 + 1.
|
||||
*/
|
||||
/*-
|
||||
* The easy case: (|p|-1)/2 is odd, so 2 has an inverse
|
||||
* modulo (|p|-1)/2, and square roots can be computed
|
||||
* directly by modular exponentiation.
|
||||
* We have
|
||||
* 2 * (|p|+1)/4 == 1 (mod (|p|-1)/2),
|
||||
* so we can use exponent (|p|+1)/4, i.e. (|p|-3)/4 + 1.
|
||||
*/
|
||||
if (!BN_rshift(q, p, 2))
|
||||
goto end;
|
||||
q->neg = 0;
|
||||
@ -152,32 +152,32 @@ BIGNUM *BN_mod_sqrt(BIGNUM *in, const BIGNUM *a, const BIGNUM *p, BN_CTX *ctx)
|
||||
}
|
||||
|
||||
if (e == 2) {
|
||||
/*-
|
||||
* |p| == 5 (mod 8)
|
||||
*
|
||||
* In this case 2 is always a non-square since
|
||||
* Legendre(2,p) = (-1)^((p^2-1)/8) for any odd prime.
|
||||
* So if a really is a square, then 2*a is a non-square.
|
||||
* Thus for
|
||||
* b := (2*a)^((|p|-5)/8),
|
||||
* i := (2*a)*b^2
|
||||
* we have
|
||||
* i^2 = (2*a)^((1 + (|p|-5)/4)*2)
|
||||
* = (2*a)^((p-1)/2)
|
||||
* = -1;
|
||||
* so if we set
|
||||
* x := a*b*(i-1),
|
||||
* then
|
||||
* x^2 = a^2 * b^2 * (i^2 - 2*i + 1)
|
||||
* = a^2 * b^2 * (-2*i)
|
||||
* = a*(-i)*(2*a*b^2)
|
||||
* = a*(-i)*i
|
||||
* = a.
|
||||
*
|
||||
* (This is due to A.O.L. Atkin,
|
||||
* <URL: http://listserv.nodak.edu/scripts/wa.exe?A2=ind9211&L=nmbrthry&O=T&P=562>,
|
||||
* November 1992.)
|
||||
*/
|
||||
/*-
|
||||
* |p| == 5 (mod 8)
|
||||
*
|
||||
* In this case 2 is always a non-square since
|
||||
* Legendre(2,p) = (-1)^((p^2-1)/8) for any odd prime.
|
||||
* So if a really is a square, then 2*a is a non-square.
|
||||
* Thus for
|
||||
* b := (2*a)^((|p|-5)/8),
|
||||
* i := (2*a)*b^2
|
||||
* we have
|
||||
* i^2 = (2*a)^((1 + (|p|-5)/4)*2)
|
||||
* = (2*a)^((p-1)/2)
|
||||
* = -1;
|
||||
* so if we set
|
||||
* x := a*b*(i-1),
|
||||
* then
|
||||
* x^2 = a^2 * b^2 * (i^2 - 2*i + 1)
|
||||
* = a^2 * b^2 * (-2*i)
|
||||
* = a*(-i)*(2*a*b^2)
|
||||
* = a*(-i)*i
|
||||
* = a.
|
||||
*
|
||||
* (This is due to A.O.L. Atkin,
|
||||
* <URL: http://listserv.nodak.edu/scripts/wa.exe?A2=ind9211&L=nmbrthry&O=T&P=562>,
|
||||
* November 1992.)
|
||||
*/
|
||||
|
||||
/* t := 2*a */
|
||||
if (!BN_mod_lshift1_quick(t, A, p))
|
||||
@ -277,24 +277,24 @@ BIGNUM *BN_mod_sqrt(BIGNUM *in, const BIGNUM *a, const BIGNUM *p, BN_CTX *ctx)
|
||||
goto end;
|
||||
}
|
||||
|
||||
/*-
|
||||
* Now we know that (if p is indeed prime) there is an integer
|
||||
* k, 0 <= k < 2^e, such that
|
||||
*
|
||||
* a^q * y^k == 1 (mod p).
|
||||
*
|
||||
* As a^q is a square and y is not, k must be even.
|
||||
* q+1 is even, too, so there is an element
|
||||
*
|
||||
* X := a^((q+1)/2) * y^(k/2),
|
||||
*
|
||||
* and it satisfies
|
||||
*
|
||||
* X^2 = a^q * a * y^k
|
||||
* = a,
|
||||
*
|
||||
* so it is the square root that we are looking for.
|
||||
*/
|
||||
/*-
|
||||
* Now we know that (if p is indeed prime) there is an integer
|
||||
* k, 0 <= k < 2^e, such that
|
||||
*
|
||||
* a^q * y^k == 1 (mod p).
|
||||
*
|
||||
* As a^q is a square and y is not, k must be even.
|
||||
* q+1 is even, too, so there is an element
|
||||
*
|
||||
* X := a^((q+1)/2) * y^(k/2),
|
||||
*
|
||||
* and it satisfies
|
||||
*
|
||||
* X^2 = a^q * a * y^k
|
||||
* = a,
|
||||
*
|
||||
* so it is the square root that we are looking for.
|
||||
*/
|
||||
|
||||
/* t := (q-1)/2 (note that q is odd) */
|
||||
if (!BN_rshift1(t, q))
|
||||
@ -333,15 +333,15 @@ BIGNUM *BN_mod_sqrt(BIGNUM *in, const BIGNUM *a, const BIGNUM *p, BN_CTX *ctx)
|
||||
goto end;
|
||||
|
||||
while (1) {
|
||||
/*-
|
||||
* Now b is a^q * y^k for some even k (0 <= k < 2^E
|
||||
* where E refers to the original value of e, which we
|
||||
* don't keep in a variable), and x is a^((q+1)/2) * y^(k/2).
|
||||
*
|
||||
* We have a*b = x^2,
|
||||
* y^2^(e-1) = -1,
|
||||
* b^2^(e-1) = 1.
|
||||
*/
|
||||
/*-
|
||||
* Now b is a^q * y^k for some even k (0 <= k < 2^E
|
||||
* where E refers to the original value of e, which we
|
||||
* don't keep in a variable), and x is a^((q+1)/2) * y^(k/2).
|
||||
*
|
||||
* We have a*b = x^2,
|
||||
* y^2^(e-1) = -1,
|
||||
* b^2^(e-1) = 1.
|
||||
*/
|
||||
|
||||
if (BN_is_one(b)) {
|
||||
if (!BN_copy(ret, x))
|
||||
|
@ -134,9 +134,9 @@ static unsigned char cfb_cipher64[CFB_TEST_SIZE] = {
|
||||
0x59, 0xD8, 0xE2, 0x65, 0x00, 0x58, 0x6C, 0x3F,
|
||||
0x2C, 0x17, 0x25, 0xD0, 0x1A, 0x38, 0xB7, 0x2A,
|
||||
0x39, 0x61, 0x37, 0xDC, 0x79, 0xFB, 0x9F, 0x45
|
||||
/*- 0xF9,0x78,0x32,0xB5,0x42,0x1A,0x6B,0x38,
|
||||
0x9A,0x44,0xD6,0x04,0x19,0x43,0xC4,0xD9,
|
||||
0x3D,0x1E,0xAE,0x47,0xFC,0xCF,0x29,0x0B,*/
|
||||
/*- 0xF9,0x78,0x32,0xB5,0x42,0x1A,0x6B,0x38,
|
||||
0x9A,0x44,0xD6,0x04,0x19,0x43,0xC4,0xD9,
|
||||
0x3D,0x1E,0xAE,0x47,0xFC,0xCF,0x29,0x0B,*/
|
||||
};
|
||||
# endif
|
||||
|
||||
|
@ -567,16 +567,16 @@ static int str_copy(CONF *conf, char *section, char **pto, char *from)
|
||||
}
|
||||
e++;
|
||||
}
|
||||
/*-
|
||||
* So at this point we have
|
||||
* np which is the start of the name string which is
|
||||
* '\0' terminated.
|
||||
* cp which is the start of the section string which is
|
||||
* '\0' terminated.
|
||||
* e is the 'next point after'.
|
||||
* r and rr are the chars replaced by the '\0'
|
||||
* rp and rrp is where 'r' and 'rr' came from.
|
||||
*/
|
||||
/*-
|
||||
* So at this point we have
|
||||
* np which is the start of the name string which is
|
||||
* '\0' terminated.
|
||||
* cp which is the start of the section string which is
|
||||
* '\0' terminated.
|
||||
* e is the 'next point after'.
|
||||
* r and rr are the chars replaced by the '\0'
|
||||
* rp and rrp is where 'r' and 'rr' came from.
|
||||
*/
|
||||
p = _CONF_get_string(conf, cp, np);
|
||||
if (rrp != NULL)
|
||||
*rrp = rr;
|
||||
|
@ -228,14 +228,14 @@ int main(int argc, char **argv)
|
||||
}
|
||||
if (error)
|
||||
usage();
|
||||
/*-
|
||||
* We either
|
||||
* do checksum or
|
||||
* do encrypt or
|
||||
* do decrypt or
|
||||
* do decrypt then ckecksum or
|
||||
* do checksum then encrypt
|
||||
*/
|
||||
/*-
|
||||
* We either
|
||||
* do checksum or
|
||||
* do encrypt or
|
||||
* do decrypt or
|
||||
* do decrypt then ckecksum or
|
||||
* do checksum then encrypt
|
||||
*/
|
||||
if (((eflag + dflag) == 1) || cflag) {
|
||||
if (eflag)
|
||||
do_encrypt = DES_ENCRYPT;
|
||||
|
@ -404,13 +404,13 @@ int main(int argc, char *argv[])
|
||||
DES_ENCRYPT);
|
||||
DES_ede3_cbcm_encrypt(&cbc_data[16], &cbc_out[16], i - 16, &ks, &ks2,
|
||||
&ks3, &iv3, &iv2, DES_ENCRYPT);
|
||||
/*- if (memcmp(cbc_out,cbc3_ok,
|
||||
(unsigned int)(strlen((char *)cbc_data)+1+7)/8*8) != 0)
|
||||
{
|
||||
printf("des_ede3_cbc_encrypt encrypt error\n");
|
||||
err=1;
|
||||
}
|
||||
*/
|
||||
/*- if (memcmp(cbc_out,cbc3_ok,
|
||||
(unsigned int)(strlen((char *)cbc_data)+1+7)/8*8) != 0)
|
||||
{
|
||||
printf("des_ede3_cbc_encrypt encrypt error\n");
|
||||
err=1;
|
||||
}
|
||||
*/
|
||||
memcpy(iv3, cbc_iv, sizeof(cbc_iv));
|
||||
memset(iv2, '\0', sizeof iv2);
|
||||
DES_ede3_cbcm_encrypt(cbc_out, cbc_in, i, &ks, &ks2, &ks3, &iv3, &iv2,
|
||||
|
@ -205,12 +205,12 @@ int DES_enc_read(int fd, void *buf, int len, DES_key_schedule *sched,
|
||||
*/
|
||||
num = len;
|
||||
} else {
|
||||
/*-
|
||||
* >output is a multiple of 8 byes, if len < rnum
|
||||
* >we must be careful. The user must be aware that this
|
||||
* >routine will write more bytes than he asked for.
|
||||
* >The length of the buffer must be correct.
|
||||
* FIXED - Should be ok now 18-9-90 - eay */
|
||||
/*-
|
||||
* >output is a multiple of 8 byes, if len < rnum
|
||||
* >we must be careful. The user must be aware that this
|
||||
* >routine will write more bytes than he asked for.
|
||||
* >The length of the buffer must be correct.
|
||||
* FIXED - Should be ok now 18-9-90 - eay */
|
||||
if (len < rnum) {
|
||||
|
||||
if (DES_rw_mode & DES_PCBC_MODE)
|
||||
|
@ -102,8 +102,8 @@ void DES_ede3_ofb64_encrypt(register const unsigned char *in,
|
||||
n = (n + 1) & 0x07;
|
||||
}
|
||||
if (save) {
|
||||
/*- v0=ti[0];
|
||||
v1=ti[1];*/
|
||||
/*- v0=ti[0];
|
||||
v1=ti[1];*/
|
||||
iv = &(*ivec)[0];
|
||||
l2c(v0, iv);
|
||||
l2c(v1, iv);
|
||||
|
@ -200,11 +200,11 @@ static int dsa_priv_decode(EVP_PKEY *pkey, PKCS8_PRIV_KEY_INFO *p8)
|
||||
goto decerr;
|
||||
if (sk_ASN1_TYPE_num(ndsa) != 2)
|
||||
goto decerr;
|
||||
/*-
|
||||
* Handle Two broken types:
|
||||
* SEQUENCE {parameters, priv_key}
|
||||
* SEQUENCE {pub_key, priv_key}
|
||||
*/
|
||||
/*-
|
||||
* Handle Two broken types:
|
||||
* SEQUENCE {parameters, priv_key}
|
||||
* SEQUENCE {pub_key, priv_key}
|
||||
*/
|
||||
|
||||
t1 = sk_ASN1_TYPE_value(ndsa, 0);
|
||||
t2 = sk_ASN1_TYPE_value(ndsa, 1);
|
||||
|
@ -178,23 +178,23 @@ static int vms_load(DSO *dso)
|
||||
goto err;
|
||||
}
|
||||
|
||||
/*-
|
||||
* A file specification may look like this:
|
||||
*
|
||||
* node::dev:[dir-spec]name.type;ver
|
||||
*
|
||||
* or (for compatibility with TOPS-20):
|
||||
*
|
||||
* node::dev:<dir-spec>name.type;ver
|
||||
*
|
||||
* and the dir-spec uses '.' as separator. Also, a dir-spec
|
||||
* may consist of several parts, with mixed use of [] and <>:
|
||||
*
|
||||
* [dir1.]<dir2>
|
||||
*
|
||||
* We need to split the file specification into the name and
|
||||
* the rest (both before and after the name itself).
|
||||
*/
|
||||
/*-
|
||||
* A file specification may look like this:
|
||||
*
|
||||
* node::dev:[dir-spec]name.type;ver
|
||||
*
|
||||
* or (for compatibility with TOPS-20):
|
||||
*
|
||||
* node::dev:<dir-spec>name.type;ver
|
||||
*
|
||||
* and the dir-spec uses '.' as separator. Also, a dir-spec
|
||||
* may consist of several parts, with mixed use of [] and <>:
|
||||
*
|
||||
* [dir1.]<dir2>
|
||||
*
|
||||
* We need to split the file specification into the name and
|
||||
* the rest (both before and after the name itself).
|
||||
*/
|
||||
/*
|
||||
* Start with trying to find the end of a dir-spec, and save the position
|
||||
* of the byte after in sp1
|
||||
|
@ -116,14 +116,14 @@ typedef enum {
|
||||
typedef struct ec_method_st EC_METHOD;
|
||||
|
||||
typedef struct ec_group_st
|
||||
/*-
|
||||
EC_METHOD *meth;
|
||||
-- field definition
|
||||
-- curve coefficients
|
||||
-- optional generator with associated information (order, cofactor)
|
||||
-- optional extra data (precomputed table for fast computation of multiples of generator)
|
||||
-- ASN1 stuff
|
||||
*/
|
||||
/*-
|
||||
EC_METHOD *meth;
|
||||
-- field definition
|
||||
-- curve coefficients
|
||||
-- optional generator with associated information (order, cofactor)
|
||||
-- optional extra data (precomputed table for fast computation of multiples of generator)
|
||||
-- ASN1 stuff
|
||||
*/
|
||||
EC_GROUP;
|
||||
|
||||
typedef struct ec_point_st EC_POINT;
|
||||
|
@ -632,12 +632,12 @@ int ec_GF2m_simple_is_on_curve(const EC_GROUP *group, const EC_POINT *point,
|
||||
if (lh == NULL)
|
||||
goto err;
|
||||
|
||||
/*-
|
||||
* We have a curve defined by a Weierstrass equation
|
||||
* y^2 + x*y = x^3 + a*x^2 + b.
|
||||
* <=> x^3 + a*x^2 + x*y + b + y^2 = 0
|
||||
* <=> ((x + a) * x + y ) * x + b + y^2 = 0
|
||||
*/
|
||||
/*-
|
||||
* We have a curve defined by a Weierstrass equation
|
||||
* y^2 + x*y = x^3 + a*x^2 + b.
|
||||
* <=> x^3 + a*x^2 + x*y + b + y^2 = 0
|
||||
* <=> ((x + a) * x + y ) * x + b + y^2 = 0
|
||||
*/
|
||||
if (!BN_GF2m_add(lh, &point->X, &group->a))
|
||||
goto err;
|
||||
if (!field_mul(group, lh, lh, &point->X, ctx))
|
||||
|
@ -120,14 +120,14 @@ struct ec_method_st {
|
||||
void (*point_finish) (EC_POINT *);
|
||||
void (*point_clear_finish) (EC_POINT *);
|
||||
int (*point_copy) (EC_POINT *, const EC_POINT *);
|
||||
/*-
|
||||
* used by EC_POINT_set_to_infinity,
|
||||
* EC_POINT_set_Jprojective_coordinates_GFp,
|
||||
* EC_POINT_get_Jprojective_coordinates_GFp,
|
||||
* EC_POINT_set_affine_coordinates_GFp, ..._GF2m,
|
||||
* EC_POINT_get_affine_coordinates_GFp, ..._GF2m,
|
||||
* EC_POINT_set_compressed_coordinates_GFp, ..._GF2m:
|
||||
*/
|
||||
/*-
|
||||
* used by EC_POINT_set_to_infinity,
|
||||
* EC_POINT_set_Jprojective_coordinates_GFp,
|
||||
* EC_POINT_get_Jprojective_coordinates_GFp,
|
||||
* EC_POINT_set_affine_coordinates_GFp, ..._GF2m,
|
||||
* EC_POINT_get_affine_coordinates_GFp, ..._GF2m,
|
||||
* EC_POINT_set_compressed_coordinates_GFp, ..._GF2m:
|
||||
*/
|
||||
int (*point_set_to_infinity) (const EC_GROUP *, EC_POINT *);
|
||||
int (*point_set_Jprojective_coordinates_GFp) (const EC_GROUP *,
|
||||
EC_POINT *, const BIGNUM *x,
|
||||
|
@ -602,13 +602,13 @@ int ec_wNAF_mul(const EC_GROUP *group, EC_POINT *r, const BIGNUM *scalar,
|
||||
if (!(tmp = EC_POINT_new(group)))
|
||||
goto err;
|
||||
|
||||
/*-
|
||||
* prepare precomputed values:
|
||||
* val_sub[i][0] := points[i]
|
||||
* val_sub[i][1] := 3 * points[i]
|
||||
* val_sub[i][2] := 5 * points[i]
|
||||
* ...
|
||||
*/
|
||||
/*-
|
||||
* prepare precomputed values:
|
||||
* val_sub[i][0] := points[i]
|
||||
* val_sub[i][1] := 3 * points[i]
|
||||
* val_sub[i][2] := 5 * points[i]
|
||||
* ...
|
||||
*/
|
||||
for (i = 0; i < num + num_scalar; i++) {
|
||||
if (i < num) {
|
||||
if (!EC_POINT_copy(val_sub[i][0], points[i]))
|
||||
|
@ -618,11 +618,11 @@ static void felem_reduce(felem out, const widefelem in)
|
||||
/* output[3] <= 2^56 + 2^16 */
|
||||
out[2] = output[2] & 0x00ffffffffffffff;
|
||||
|
||||
/*-
|
||||
* out[0] < 2^56, out[1] < 2^56, out[2] < 2^56,
|
||||
* out[3] <= 2^56 + 2^16 (due to final carry),
|
||||
* so out < 2*p
|
||||
*/
|
||||
/*-
|
||||
* out[0] < 2^56, out[1] < 2^56, out[2] < 2^56,
|
||||
* out[3] <= 2^56 + 2^16 (due to final carry),
|
||||
* so out < 2*p
|
||||
*/
|
||||
out[3] = output[3];
|
||||
}
|
||||
|
||||
@ -1048,10 +1048,10 @@ static void point_add(felem x3, felem y3, felem z3,
|
||||
felem_scalar(ftmp5, 2);
|
||||
/* ftmp5[i] < 2 * 2^57 = 2^58 */
|
||||
|
||||
/*-
|
||||
* x_out = (z1^3*y2 - z2^3*y1)^2 - (z1^2*x2 - z2^2*x1)^3 -
|
||||
* 2*z2^2*x1*(z1^2*x2 - z2^2*x1)^2
|
||||
*/
|
||||
/*-
|
||||
* x_out = (z1^3*y2 - z2^3*y1)^2 - (z1^2*x2 - z2^2*x1)^3 -
|
||||
* 2*z2^2*x1*(z1^2*x2 - z2^2*x1)^2
|
||||
*/
|
||||
felem_diff_128_64(tmp2, ftmp5);
|
||||
/* tmp2[i] < 2^117 + 2^64 + 8 < 2^118 */
|
||||
felem_reduce(x_out, tmp2);
|
||||
@ -1066,10 +1066,10 @@ static void point_add(felem x3, felem y3, felem z3,
|
||||
felem_mul(tmp2, ftmp3, ftmp2);
|
||||
/* tmp2[i] < 4 * 2^57 * 2^59 = 2^118 */
|
||||
|
||||
/*-
|
||||
* y_out = (z1^3*y2 - z2^3*y1)*(z2^2*x1*(z1^2*x2 - z2^2*x1)^2 - x_out) -
|
||||
* z2^3*y1*(z1^2*x2 - z2^2*x1)^3
|
||||
*/
|
||||
/*-
|
||||
* y_out = (z1^3*y2 - z2^3*y1)*(z2^2*x1*(z1^2*x2 - z2^2*x1)^2 - x_out) -
|
||||
* z2^3*y1*(z1^2*x2 - z2^2*x1)^3
|
||||
*/
|
||||
widefelem_diff(tmp2, tmp);
|
||||
/* tmp2[i] < 2^118 + 2^120 < 2^121 */
|
||||
felem_reduce(y_out, tmp2);
|
||||
|
@ -437,25 +437,25 @@ static void felem_shrink(smallfelem out, const felem in)
|
||||
/* As tmp[3] < 2^65, high is either 1 or 0 */
|
||||
high <<= 63;
|
||||
high >>= 63;
|
||||
/*-
|
||||
* high is:
|
||||
* all ones if the high word of tmp[3] is 1
|
||||
* all zeros if the high word of tmp[3] if 0 */
|
||||
/*-
|
||||
* high is:
|
||||
* all ones if the high word of tmp[3] is 1
|
||||
* all zeros if the high word of tmp[3] if 0 */
|
||||
low = tmp[3];
|
||||
mask = low >> 63;
|
||||
/*-
|
||||
* mask is:
|
||||
* all ones if the MSB of low is 1
|
||||
* all zeros if the MSB of low if 0 */
|
||||
/*-
|
||||
* mask is:
|
||||
* all ones if the MSB of low is 1
|
||||
* all zeros if the MSB of low if 0 */
|
||||
low &= bottom63bits;
|
||||
low -= kPrime3Test;
|
||||
/* if low was greater than kPrime3Test then the MSB is zero */
|
||||
low = ~low;
|
||||
low >>= 63;
|
||||
/*-
|
||||
* low is:
|
||||
* all ones if low was > kPrime3Test
|
||||
* all zeros if low was <= kPrime3Test */
|
||||
/*-
|
||||
* low is:
|
||||
* all ones if low was > kPrime3Test
|
||||
* all zeros if low was <= kPrime3Test */
|
||||
mask = (mask & low) | high;
|
||||
tmp[0] -= mask & kPrime[0];
|
||||
tmp[1] -= mask & kPrime[1];
|
||||
@ -795,17 +795,17 @@ static void felem_reduce(felem out, const longfelem in)
|
||||
|
||||
felem_reduce_(out, in);
|
||||
|
||||
/*-
|
||||
* out[0] > 2^100 - 2^36 - 2^4 - 3*2^64 - 3*2^96 - 2^64 - 2^96 > 0
|
||||
* out[1] > 2^100 - 2^64 - 7*2^96 > 0
|
||||
* out[2] > 2^100 - 2^36 + 2^4 - 5*2^64 - 5*2^96 > 0
|
||||
* out[3] > 2^100 - 2^36 + 2^4 - 7*2^64 - 5*2^96 - 3*2^96 > 0
|
||||
*
|
||||
* out[0] < 2^100 + 2^64 + 7*2^64 + 5*2^96 < 2^101
|
||||
* out[1] < 2^100 + 3*2^64 + 5*2^64 + 3*2^97 < 2^101
|
||||
* out[2] < 2^100 + 5*2^64 + 2^64 + 3*2^65 + 2^97 < 2^101
|
||||
* out[3] < 2^100 + 7*2^64 + 7*2^96 + 3*2^64 < 2^101
|
||||
*/
|
||||
/*-
|
||||
* out[0] > 2^100 - 2^36 - 2^4 - 3*2^64 - 3*2^96 - 2^64 - 2^96 > 0
|
||||
* out[1] > 2^100 - 2^64 - 7*2^96 > 0
|
||||
* out[2] > 2^100 - 2^36 + 2^4 - 5*2^64 - 5*2^96 > 0
|
||||
* out[3] > 2^100 - 2^36 + 2^4 - 7*2^64 - 5*2^96 - 3*2^96 > 0
|
||||
*
|
||||
* out[0] < 2^100 + 2^64 + 7*2^64 + 5*2^96 < 2^101
|
||||
* out[1] < 2^100 + 3*2^64 + 5*2^64 + 3*2^97 < 2^101
|
||||
* out[2] < 2^100 + 5*2^64 + 2^64 + 3*2^65 + 2^97 < 2^101
|
||||
* out[3] < 2^100 + 7*2^64 + 7*2^96 + 3*2^64 < 2^101
|
||||
*/
|
||||
}
|
||||
|
||||
/*-
|
||||
@ -824,17 +824,17 @@ static void felem_reduce_zero105(felem out, const longfelem in)
|
||||
|
||||
felem_reduce_(out, in);
|
||||
|
||||
/*-
|
||||
* out[0] > 2^105 - 2^41 - 2^9 - 2^71 - 2^103 - 2^71 - 2^103 > 0
|
||||
* out[1] > 2^105 - 2^71 - 2^103 > 0
|
||||
* out[2] > 2^105 - 2^41 + 2^9 - 2^71 - 2^103 > 0
|
||||
* out[3] > 2^105 - 2^41 + 2^9 - 2^71 - 2^103 - 2^103 > 0
|
||||
*
|
||||
* out[0] < 2^105 + 2^71 + 2^71 + 2^103 < 2^106
|
||||
* out[1] < 2^105 + 2^71 + 2^71 + 2^103 < 2^106
|
||||
* out[2] < 2^105 + 2^71 + 2^71 + 2^71 + 2^103 < 2^106
|
||||
* out[3] < 2^105 + 2^71 + 2^103 + 2^71 < 2^106
|
||||
*/
|
||||
/*-
|
||||
* out[0] > 2^105 - 2^41 - 2^9 - 2^71 - 2^103 - 2^71 - 2^103 > 0
|
||||
* out[1] > 2^105 - 2^71 - 2^103 > 0
|
||||
* out[2] > 2^105 - 2^41 + 2^9 - 2^71 - 2^103 > 0
|
||||
* out[3] > 2^105 - 2^41 + 2^9 - 2^71 - 2^103 - 2^103 > 0
|
||||
*
|
||||
* out[0] < 2^105 + 2^71 + 2^71 + 2^103 < 2^106
|
||||
* out[1] < 2^105 + 2^71 + 2^71 + 2^103 < 2^106
|
||||
* out[2] < 2^105 + 2^71 + 2^71 + 2^71 + 2^103 < 2^106
|
||||
* out[3] < 2^105 + 2^71 + 2^103 + 2^71 < 2^106
|
||||
*/
|
||||
}
|
||||
|
||||
/*
|
||||
@ -1099,7 +1099,8 @@ static void smallfelem_inv_contract(smallfelem out, const smallfelem in)
|
||||
*
|
||||
* Building on top of the field operations we have the operations on the
|
||||
* elliptic curve group itself. Points on the curve are represented in Jacobian
|
||||
* coordinates */
|
||||
* coordinates
|
||||
*/
|
||||
|
||||
/*-
|
||||
* point_double calculates 2*(x_in, y_in, z_in)
|
||||
@ -1108,7 +1109,8 @@ static void smallfelem_inv_contract(smallfelem out, const smallfelem in)
|
||||
* http://hyperelliptic.org/EFD/g1p/auto-shortw-jacobian-3.html#doubling-dbl-2001-b
|
||||
*
|
||||
* Outputs can equal corresponding inputs, i.e., x_out == x_in is allowed.
|
||||
* while x_out == y_in is not (maybe this works, but it's not tested). */
|
||||
* while x_out == y_in is not (maybe this works, but it's not tested).
|
||||
*/
|
||||
static void
|
||||
point_double(felem x_out, felem y_out, felem z_out,
|
||||
const felem x_in, const felem y_in, const felem z_in)
|
||||
@ -1239,7 +1241,8 @@ static void copy_small_conditional(felem out, const smallfelem in, limb mask)
|
||||
* This function includes a branch for checking whether the two input points
|
||||
* are equal, (while not equal to the point at infinity). This case never
|
||||
* happens during single point multiplication, so there is no timing leak for
|
||||
* ECDH or ECDSA signing. */
|
||||
* ECDH or ECDSA signing.
|
||||
*/
|
||||
static void point_add(felem x3, felem y3, felem z3,
|
||||
const felem x1, const felem y1, const felem z1,
|
||||
const int mixed, const smallfelem x2,
|
||||
|
@ -414,15 +414,16 @@ static void felem_square(largefelem out, const felem in)
|
||||
felem_scalar(inx2, in, 2);
|
||||
felem_scalar(inx4, in, 4);
|
||||
|
||||
/*-
|
||||
* We have many cases were we want to do
|
||||
* in[x] * in[y] +
|
||||
* in[y] * in[x]
|
||||
* This is obviously just
|
||||
* 2 * in[x] * in[y]
|
||||
* However, rather than do the doubling on the 128 bit result, we
|
||||
* double one of the inputs to the multiplication by reading from
|
||||
* |inx2| */
|
||||
/*-
|
||||
* We have many cases were we want to do
|
||||
* in[x] * in[y] +
|
||||
* in[y] * in[x]
|
||||
* This is obviously just
|
||||
* 2 * in[x] * in[y]
|
||||
* However, rather than do the doubling on the 128 bit result, we
|
||||
* double one of the inputs to the multiplication by reading from
|
||||
* |inx2|
|
||||
*/
|
||||
|
||||
out[0] = ((uint128_t) in[0]) * in[0];
|
||||
out[1] = ((uint128_t) in[0]) * inx2[1];
|
||||
@ -610,10 +611,10 @@ static void felem_reduce(felem out, const largefelem in)
|
||||
|
||||
out[1] += ((limb) in[0]) >> 58;
|
||||
out[1] += (((limb) (in[0] >> 64)) & bottom52bits) << 6;
|
||||
/*-
|
||||
* out[1] < 2^58 + 2^6 + 2^58
|
||||
* = 2^59 + 2^6
|
||||
*/
|
||||
/*-
|
||||
* out[1] < 2^58 + 2^6 + 2^58
|
||||
* = 2^59 + 2^6
|
||||
*/
|
||||
out[2] += ((limb) (in[0] >> 64)) >> 52;
|
||||
|
||||
out[2] += ((limb) in[1]) >> 58;
|
||||
@ -642,10 +643,10 @@ static void felem_reduce(felem out, const largefelem in)
|
||||
|
||||
out[8] += ((limb) in[7]) >> 58;
|
||||
out[8] += (((limb) (in[7] >> 64)) & bottom52bits) << 6;
|
||||
/*-
|
||||
* out[x > 1] < 2^58 + 2^6 + 2^58 + 2^12
|
||||
* < 2^59 + 2^13
|
||||
*/
|
||||
/*-
|
||||
* out[x > 1] < 2^58 + 2^6 + 2^58 + 2^12
|
||||
* < 2^59 + 2^13
|
||||
*/
|
||||
overflow1 = ((limb) (in[7] >> 64)) >> 52;
|
||||
|
||||
overflow1 += ((limb) in[8]) >> 58;
|
||||
@ -660,11 +661,11 @@ static void felem_reduce(felem out, const largefelem in)
|
||||
|
||||
out[1] += out[0] >> 58;
|
||||
out[0] &= bottom58bits;
|
||||
/*-
|
||||
* out[0] < 2^58
|
||||
* out[1] < 2^59 + 2^6 + 2^13 + 2^2
|
||||
* < 2^59 + 2^14
|
||||
*/
|
||||
/*-
|
||||
* out[0] < 2^58
|
||||
* out[1] < 2^59 + 2^6 + 2^13 + 2^2
|
||||
* < 2^59 + 2^14
|
||||
*/
|
||||
}
|
||||
|
||||
static void felem_square_reduce(felem out, const felem in)
|
||||
@ -1055,13 +1056,13 @@ point_double(felem x_out, felem y_out, felem z_out,
|
||||
felem_scalar64(ftmp2, 3);
|
||||
/* ftmp2[i] < 3*2^60 + 3*2^15 */
|
||||
felem_mul(tmp, ftmp, ftmp2);
|
||||
/*-
|
||||
* tmp[i] < 17(3*2^121 + 3*2^76)
|
||||
* = 61*2^121 + 61*2^76
|
||||
* < 64*2^121 + 64*2^76
|
||||
* = 2^127 + 2^82
|
||||
* < 2^128
|
||||
*/
|
||||
/*-
|
||||
* tmp[i] < 17(3*2^121 + 3*2^76)
|
||||
* = 61*2^121 + 61*2^76
|
||||
* < 64*2^121 + 64*2^76
|
||||
* = 2^127 + 2^82
|
||||
* < 2^128
|
||||
*/
|
||||
felem_reduce(alpha, tmp);
|
||||
|
||||
/* x' = alpha^2 - 8*beta */
|
||||
@ -1096,30 +1097,30 @@ point_double(felem x_out, felem y_out, felem z_out,
|
||||
felem_diff64(beta, x_out);
|
||||
/* beta[i] < 2^61 + 2^60 + 2^16 */
|
||||
felem_mul(tmp, alpha, beta);
|
||||
/*-
|
||||
* tmp[i] < 17*((2^59 + 2^14)(2^61 + 2^60 + 2^16))
|
||||
* = 17*(2^120 + 2^75 + 2^119 + 2^74 + 2^75 + 2^30)
|
||||
* = 17*(2^120 + 2^119 + 2^76 + 2^74 + 2^30)
|
||||
* < 2^128
|
||||
*/
|
||||
/*-
|
||||
* tmp[i] < 17*((2^59 + 2^14)(2^61 + 2^60 + 2^16))
|
||||
* = 17*(2^120 + 2^75 + 2^119 + 2^74 + 2^75 + 2^30)
|
||||
* = 17*(2^120 + 2^119 + 2^76 + 2^74 + 2^30)
|
||||
* < 2^128
|
||||
*/
|
||||
felem_square(tmp2, gamma);
|
||||
/*-
|
||||
* tmp2[i] < 17*(2^59 + 2^14)^2
|
||||
* = 17*(2^118 + 2^74 + 2^28)
|
||||
*/
|
||||
/*-
|
||||
* tmp2[i] < 17*(2^59 + 2^14)^2
|
||||
* = 17*(2^118 + 2^74 + 2^28)
|
||||
*/
|
||||
felem_scalar128(tmp2, 8);
|
||||
/*-
|
||||
* tmp2[i] < 8*17*(2^118 + 2^74 + 2^28)
|
||||
* = 2^125 + 2^121 + 2^81 + 2^77 + 2^35 + 2^31
|
||||
* < 2^126
|
||||
*/
|
||||
/*-
|
||||
* tmp2[i] < 8*17*(2^118 + 2^74 + 2^28)
|
||||
* = 2^125 + 2^121 + 2^81 + 2^77 + 2^35 + 2^31
|
||||
* < 2^126
|
||||
*/
|
||||
felem_diff128(tmp, tmp2);
|
||||
/*-
|
||||
* tmp[i] < 2^127 - 2^69 + 17(2^120 + 2^119 + 2^76 + 2^74 + 2^30)
|
||||
* = 2^127 + 2^124 + 2^122 + 2^120 + 2^118 + 2^80 + 2^78 + 2^76 +
|
||||
* 2^74 + 2^69 + 2^34 + 2^30
|
||||
* < 2^128
|
||||
*/
|
||||
/*-
|
||||
* tmp[i] < 2^127 - 2^69 + 17(2^120 + 2^119 + 2^76 + 2^74 + 2^30)
|
||||
* = 2^127 + 2^124 + 2^122 + 2^120 + 2^118 + 2^80 + 2^78 + 2^76 +
|
||||
* 2^74 + 2^69 + 2^34 + 2^30
|
||||
* < 2^128
|
||||
*/
|
||||
felem_reduce(y_out, tmp);
|
||||
}
|
||||
|
||||
|
@ -96,11 +96,11 @@ int ec_GFp_simple_set_compressed_coordinates(const EC_GROUP *group,
|
||||
if (y == NULL)
|
||||
goto err;
|
||||
|
||||
/*-
|
||||
* Recover y. We have a Weierstrass equation
|
||||
* y^2 = x^3 + a*x + b,
|
||||
* so y is one of the square roots of x^3 + a*x + b.
|
||||
*/
|
||||
/*-
|
||||
* Recover y. We have a Weierstrass equation
|
||||
* y^2 = x^3 + a*x + b,
|
||||
* so y is one of the square roots of x^3 + a*x + b.
|
||||
*/
|
||||
|
||||
/* tmp1 := x^3 */
|
||||
if (!BN_nnmod(x, x_, &group->field, ctx))
|
||||
|
@ -320,11 +320,11 @@ int ec_GFp_simple_group_check_discriminant(const EC_GROUP *group, BN_CTX *ctx)
|
||||
goto err;
|
||||
}
|
||||
|
||||
/*-
|
||||
* check the discriminant:
|
||||
* y^2 = x^3 + a*x + b is an elliptic curve <=> 4*a^3 + 27*b^2 != 0 (mod p)
|
||||
* 0 =< a, b < p
|
||||
*/
|
||||
/*-
|
||||
* check the discriminant:
|
||||
* y^2 = x^3 + a*x + b is an elliptic curve <=> 4*a^3 + 27*b^2 != 0 (mod p)
|
||||
* 0 =< a, b < p
|
||||
*/
|
||||
if (BN_is_zero(a)) {
|
||||
if (BN_is_zero(b))
|
||||
goto err;
|
||||
@ -900,10 +900,10 @@ int ec_GFp_simple_dbl(const EC_GROUP *group, EC_POINT *r, const EC_POINT *a,
|
||||
goto err;
|
||||
if (!BN_mod_add_quick(n1, n0, n1, p))
|
||||
goto err;
|
||||
/*-
|
||||
* n1 = 3 * (X_a + Z_a^2) * (X_a - Z_a^2)
|
||||
* = 3 * X_a^2 - 3 * Z_a^4
|
||||
*/
|
||||
/*-
|
||||
* n1 = 3 * (X_a + Z_a^2) * (X_a - Z_a^2)
|
||||
* = 3 * X_a^2 - 3 * Z_a^4
|
||||
*/
|
||||
} else {
|
||||
if (!field_sqr(group, n0, &a->X, ctx))
|
||||
goto err;
|
||||
@ -1024,15 +1024,15 @@ int ec_GFp_simple_is_on_curve(const EC_GROUP *group, const EC_POINT *point,
|
||||
if (Z6 == NULL)
|
||||
goto err;
|
||||
|
||||
/*-
|
||||
* We have a curve defined by a Weierstrass equation
|
||||
* y^2 = x^3 + a*x + b.
|
||||
* The point to consider is given in Jacobian projective coordinates
|
||||
* where (X, Y, Z) represents (x, y) = (X/Z^2, Y/Z^3).
|
||||
* Substituting this and multiplying by Z^6 transforms the above equation into
|
||||
* Y^2 = X^3 + a*X*Z^4 + b*Z^6.
|
||||
* To test this, we add up the right-hand side in 'rh'.
|
||||
*/
|
||||
/*-
|
||||
* We have a curve defined by a Weierstrass equation
|
||||
* y^2 = x^3 + a*x + b.
|
||||
* The point to consider is given in Jacobian projective coordinates
|
||||
* where (X, Y, Z) represents (x, y) = (X/Z^2, Y/Z^3).
|
||||
* Substituting this and multiplying by Z^6 transforms the above equation into
|
||||
* Y^2 = X^3 + a*X*Z^4 + b*Z^6.
|
||||
* To test this, we add up the right-hand side in 'rh'.
|
||||
*/
|
||||
|
||||
/* rh := X^2 */
|
||||
if (!field_sqr(group, rh, &point->X, ctx))
|
||||
@ -1099,12 +1099,12 @@ int ec_GFp_simple_is_on_curve(const EC_GROUP *group, const EC_POINT *point,
|
||||
int ec_GFp_simple_cmp(const EC_GROUP *group, const EC_POINT *a,
|
||||
const EC_POINT *b, BN_CTX *ctx)
|
||||
{
|
||||
/*-
|
||||
* return values:
|
||||
* -1 error
|
||||
* 0 equal (in affine coordinates)
|
||||
* 1 not equal
|
||||
*/
|
||||
/*-
|
||||
* return values:
|
||||
* -1 error
|
||||
* 0 equal (in affine coordinates)
|
||||
* 1 not equal
|
||||
*/
|
||||
|
||||
int (*field_mul) (const EC_GROUP *, BIGNUM *, const BIGNUM *,
|
||||
const BIGNUM *, BN_CTX *);
|
||||
@ -1143,12 +1143,12 @@ int ec_GFp_simple_cmp(const EC_GROUP *group, const EC_POINT *a,
|
||||
if (Zb23 == NULL)
|
||||
goto end;
|
||||
|
||||
/*-
|
||||
* We have to decide whether
|
||||
* (X_a/Z_a^2, Y_a/Z_a^3) = (X_b/Z_b^2, Y_b/Z_b^3),
|
||||
* or equivalently, whether
|
||||
* (X_a*Z_b^2, Y_a*Z_b^3) = (X_b*Z_a^2, Y_b*Z_a^3).
|
||||
*/
|
||||
/*-
|
||||
* We have to decide whether
|
||||
* (X_a/Z_a^2, Y_a/Z_a^3) = (X_b/Z_b^2, Y_b/Z_b^3),
|
||||
* or equivalently, whether
|
||||
* (X_a*Z_b^2, Y_a*Z_b^3) = (X_b*Z_a^2, Y_b*Z_a^3).
|
||||
*/
|
||||
|
||||
if (!b->Z_is_one) {
|
||||
if (!field_sqr(group, Zb23, &b->Z, ctx))
|
||||
|
@ -102,9 +102,9 @@ static unsigned char cfb_cipher64[CFB_TEST_SIZE] = {
|
||||
0x59, 0xD8, 0xE2, 0x65, 0x00, 0x58, 0x6C, 0x3F,
|
||||
0x2C, 0x17, 0x25, 0xD0, 0x1A, 0x38, 0xB7, 0x2A,
|
||||
0x39, 0x61, 0x37, 0xDC, 0x79, 0xFB, 0x9F, 0x45
|
||||
/*- 0xF9,0x78,0x32,0xB5,0x42,0x1A,0x6B,0x38,
|
||||
0x9A,0x44,0xD6,0x04,0x19,0x43,0xC4,0xD9,
|
||||
0x3D,0x1E,0xAE,0x47,0xFC,0xCF,0x29,0x0B,*/
|
||||
/*- 0xF9,0x78,0x32,0xB5,0x42,0x1A,0x6B,0x38,
|
||||
0x9A,0x44,0xD6,0x04,0x19,0x43,0xC4,0xD9,
|
||||
0x3D,0x1E,0xAE,0x47,0xFC,0xCF,0x29,0x0B,*/
|
||||
};
|
||||
|
||||
static int cfb64_test(unsigned char *cfb_cipher);
|
||||
|
@ -434,9 +434,9 @@ unsigned long lh_strhash(const char *c)
|
||||
if ((c == NULL) || (*c == '\0'))
|
||||
return (ret);
|
||||
/*-
|
||||
unsigned char b[16];
|
||||
MD5(c,strlen(c),b);
|
||||
return(b[0]|(b[1]<<8)|(b[2]<<16)|(b[3]<<24));
|
||||
unsigned char b[16];
|
||||
MD5(c,strlen(c),b);
|
||||
return(b[0]|(b[1]<<8)|(b[2]<<16)|(b[3]<<24));
|
||||
*/
|
||||
|
||||
n = 0x100;
|
||||
|
@ -159,30 +159,30 @@ struct tm *OPENSSL_gmtime(const time_t *timer, struct tm *result)
|
||||
* do it the hard way.
|
||||
*/
|
||||
{
|
||||
/*-
|
||||
* The VMS epoch is the astronomical Smithsonian date,
|
||||
if I remember correctly, which is November 17, 1858.
|
||||
Furthermore, time is measure in thenths of microseconds
|
||||
and stored in quadwords (64 bit integers). unix_epoch
|
||||
below is January 1st 1970 expressed as a VMS time. The
|
||||
following code was used to get this number:
|
||||
/*-
|
||||
* The VMS epoch is the astronomical Smithsonian date,
|
||||
if I remember correctly, which is November 17, 1858.
|
||||
Furthermore, time is measure in thenths of microseconds
|
||||
and stored in quadwords (64 bit integers). unix_epoch
|
||||
below is January 1st 1970 expressed as a VMS time. The
|
||||
following code was used to get this number:
|
||||
|
||||
#include <stdio.h>
|
||||
#include <stdlib.h>
|
||||
#include <lib$routines.h>
|
||||
#include <starlet.h>
|
||||
#include <stdio.h>
|
||||
#include <stdlib.h>
|
||||
#include <lib$routines.h>
|
||||
#include <starlet.h>
|
||||
|
||||
main()
|
||||
{
|
||||
unsigned long systime[2];
|
||||
unsigned short epoch_values[7] =
|
||||
{ 1970, 1, 1, 0, 0, 0, 0 };
|
||||
main()
|
||||
{
|
||||
unsigned long systime[2];
|
||||
unsigned short epoch_values[7] =
|
||||
{ 1970, 1, 1, 0, 0, 0, 0 };
|
||||
|
||||
lib$cvt_vectim(epoch_values, systime);
|
||||
lib$cvt_vectim(epoch_values, systime);
|
||||
|
||||
printf("%u %u", systime[0], systime[1]);
|
||||
}
|
||||
*/
|
||||
printf("%u %u", systime[0], systime[1]);
|
||||
}
|
||||
*/
|
||||
unsigned long unix_epoch[2] = { 1273708544, 8164711 };
|
||||
unsigned long deltatime[2];
|
||||
unsigned long systime[2];
|
||||
|
@ -174,18 +174,17 @@ typedef struct pem_ctx_st {
|
||||
struct {
|
||||
int cipher;
|
||||
/*-
|
||||
unused, and wrong size
|
||||
unsigned char iv[8]; */
|
||||
unused, and wrong size
|
||||
unsigned char iv[8]; */
|
||||
} DEK_info;
|
||||
|
||||
PEM_USER *originator;
|
||||
|
||||
int num_recipient;
|
||||
PEM_USER **recipient;
|
||||
|
||||
/*-
|
||||
XXX(ben): don#t think this is used!
|
||||
STACK *x509_chain; / * certificate chain */
|
||||
/*-
|
||||
XXX(ben): don#t think this is used!
|
||||
STACK *x509_chain; / * certificate chain */
|
||||
EVP_MD *md; /* signature type */
|
||||
|
||||
int md_enc; /* is the md encrypted or not? */
|
||||
@ -195,9 +194,9 @@ typedef struct pem_ctx_st {
|
||||
EVP_CIPHER *dec; /* date encryption cipher */
|
||||
int key_len; /* key length */
|
||||
unsigned char *key; /* key */
|
||||
/*-
|
||||
unused, and wrong size
|
||||
unsigned char iv[8]; */
|
||||
/*-
|
||||
unused, and wrong size
|
||||
unsigned char iv[8]; */
|
||||
|
||||
int data_enc; /* is the data encrypted */
|
||||
int data_len;
|
||||
|
@ -112,10 +112,10 @@ static FILE *(*const vms_fopen)(const char *, const char *, ...) =
|
||||
|
||||
int RAND_load_file(const char *file, long bytes)
|
||||
{
|
||||
/*-
|
||||
* If bytes >= 0, read up to 'bytes' bytes.
|
||||
* if bytes == -1, read complete file.
|
||||
*/
|
||||
/*-
|
||||
* If bytes >= 0, read up to 'bytes' bytes.
|
||||
* if bytes == -1, read complete file.
|
||||
*/
|
||||
|
||||
MS_STATIC unsigned char buf[BUFSIZE];
|
||||
#ifndef OPENSSL_NO_POSIX_IO
|
||||
|
@ -134,9 +134,9 @@ static unsigned char cfb_cipher64[CFB_TEST_SIZE] = {
|
||||
0x59, 0xD8, 0xE2, 0x65, 0x00, 0x58, 0x6C, 0x3F,
|
||||
0x2C, 0x17, 0x25, 0xD0, 0x1A, 0x38, 0xB7, 0x2A,
|
||||
0x39, 0x61, 0x37, 0xDC, 0x79, 0xFB, 0x9F, 0x45
|
||||
/*- 0xF9,0x78,0x32,0xB5,0x42,0x1A,0x6B,0x38,
|
||||
0x9A,0x44,0xD6,0x04,0x19,0x43,0xC4,0xD9,
|
||||
0x3D,0x1E,0xAE,0x47,0xFC,0xCF,0x29,0x0B,*/
|
||||
/*- 0xF9,0x78,0x32,0xB5,0x42,0x1A,0x6B,0x38,
|
||||
0x9A,0x44,0xD6,0x04,0x19,0x43,0xC4,0xD9,
|
||||
0x3D,0x1E,0xAE,0x47,0xFC,0xCF,0x29,0x0B,*/
|
||||
};
|
||||
|
||||
/*
|
||||
|
@ -80,36 +80,36 @@ void RC4(RC4_KEY *key, size_t len, const unsigned char *indata,
|
||||
d = key->data;
|
||||
|
||||
#if defined(RC4_CHUNK) && !defined(PEDANTIC)
|
||||
/*-
|
||||
* The original reason for implementing this(*) was the fact that
|
||||
* pre-21164a Alpha CPUs don't have byte load/store instructions
|
||||
* and e.g. a byte store has to be done with 64-bit load, shift,
|
||||
* and, or and finally 64-bit store. Peaking data and operating
|
||||
* at natural word size made it possible to reduce amount of
|
||||
* instructions as well as to perform early read-ahead without
|
||||
* suffering from RAW (read-after-write) hazard. This resulted
|
||||
* in ~40%(**) performance improvement on 21064 box with gcc.
|
||||
* But it's not only Alpha users who win here:-) Thanks to the
|
||||
* early-n-wide read-ahead this implementation also exhibits
|
||||
* >40% speed-up on SPARC and 20-30% on 64-bit MIPS (depending
|
||||
* on sizeof(RC4_INT)).
|
||||
*
|
||||
* (*) "this" means code which recognizes the case when input
|
||||
* and output pointers appear to be aligned at natural CPU
|
||||
* word boundary
|
||||
* (**) i.e. according to 'apps/openssl speed rc4' benchmark,
|
||||
* crypto/rc4/rc4speed.c exhibits almost 70% speed-up...
|
||||
*
|
||||
* Cavets.
|
||||
*
|
||||
* - RC4_CHUNK="unsigned long long" should be a #1 choice for
|
||||
* UltraSPARC. Unfortunately gcc generates very slow code
|
||||
* (2.5-3 times slower than one generated by Sun's WorkShop
|
||||
* C) and therefore gcc (at least 2.95 and earlier) should
|
||||
* always be told that RC4_CHUNK="unsigned long".
|
||||
*
|
||||
* <appro@fy.chalmers.se>
|
||||
*/
|
||||
/*-
|
||||
* The original reason for implementing this(*) was the fact that
|
||||
* pre-21164a Alpha CPUs don't have byte load/store instructions
|
||||
* and e.g. a byte store has to be done with 64-bit load, shift,
|
||||
* and, or and finally 64-bit store. Peaking data and operating
|
||||
* at natural word size made it possible to reduce amount of
|
||||
* instructions as well as to perform early read-ahead without
|
||||
* suffering from RAW (read-after-write) hazard. This resulted
|
||||
* in ~40%(**) performance improvement on 21064 box with gcc.
|
||||
* But it's not only Alpha users who win here:-) Thanks to the
|
||||
* early-n-wide read-ahead this implementation also exhibits
|
||||
* >40% speed-up on SPARC and 20-30% on 64-bit MIPS (depending
|
||||
* on sizeof(RC4_INT)).
|
||||
*
|
||||
* (*) "this" means code which recognizes the case when input
|
||||
* and output pointers appear to be aligned at natural CPU
|
||||
* word boundary
|
||||
* (**) i.e. according to 'apps/openssl speed rc4' benchmark,
|
||||
* crypto/rc4/rc4speed.c exhibits almost 70% speed-up...
|
||||
*
|
||||
* Cavets.
|
||||
*
|
||||
* - RC4_CHUNK="unsigned long long" should be a #1 choice for
|
||||
* UltraSPARC. Unfortunately gcc generates very slow code
|
||||
* (2.5-3 times slower than one generated by Sun's WorkShop
|
||||
* C) and therefore gcc (at least 2.95 and earlier) should
|
||||
* always be told that RC4_CHUNK="unsigned long".
|
||||
*
|
||||
* <appro@fy.chalmers.se>
|
||||
*/
|
||||
|
||||
# define RC4_STEP ( \
|
||||
x=(x+1) &0xff, \
|
||||
@ -131,34 +131,34 @@ void RC4(RC4_KEY *key, size_t len, const unsigned char *indata,
|
||||
1
|
||||
};
|
||||
|
||||
/*-
|
||||
* I reckon we can afford to implement both endian
|
||||
* cases and to decide which way to take at run-time
|
||||
* because the machine code appears to be very compact
|
||||
* and redundant 1-2KB is perfectly tolerable (i.e.
|
||||
* in case the compiler fails to eliminate it:-). By
|
||||
* suggestion from Terrel Larson <terr@terralogic.net>
|
||||
* who also stands for the is_endian union:-)
|
||||
*
|
||||
* Special notes.
|
||||
*
|
||||
* - is_endian is declared automatic as doing otherwise
|
||||
* (declaring static) prevents gcc from eliminating
|
||||
* the redundant code;
|
||||
* - compilers (those I've tried) don't seem to have
|
||||
* problems eliminating either the operators guarded
|
||||
* by "if (sizeof(RC4_CHUNK)==8)" or the condition
|
||||
* expressions themselves so I've got 'em to replace
|
||||
* corresponding #ifdefs from the previous version;
|
||||
* - I chose to let the redundant switch cases when
|
||||
* sizeof(RC4_CHUNK)!=8 be (were also #ifdefed
|
||||
* before);
|
||||
* - in case you wonder "&(sizeof(RC4_CHUNK)*8-1)" in
|
||||
* [LB]ESHFT guards against "shift is out of range"
|
||||
* warnings when sizeof(RC4_CHUNK)!=8
|
||||
*
|
||||
* <appro@fy.chalmers.se>
|
||||
*/
|
||||
/*-
|
||||
* I reckon we can afford to implement both endian
|
||||
* cases and to decide which way to take at run-time
|
||||
* because the machine code appears to be very compact
|
||||
* and redundant 1-2KB is perfectly tolerable (i.e.
|
||||
* in case the compiler fails to eliminate it:-). By
|
||||
* suggestion from Terrel Larson <terr@terralogic.net>
|
||||
* who also stands for the is_endian union:-)
|
||||
*
|
||||
* Special notes.
|
||||
*
|
||||
* - is_endian is declared automatic as doing otherwise
|
||||
* (declaring static) prevents gcc from eliminating
|
||||
* the redundant code;
|
||||
* - compilers (those I've tried) don't seem to have
|
||||
* problems eliminating either the operators guarded
|
||||
* by "if (sizeof(RC4_CHUNK)==8)" or the condition
|
||||
* expressions themselves so I've got 'em to replace
|
||||
* corresponding #ifdefs from the previous version;
|
||||
* - I chose to let the redundant switch cases when
|
||||
* sizeof(RC4_CHUNK)!=8 be (were also #ifdefed
|
||||
* before);
|
||||
* - in case you wonder "&(sizeof(RC4_CHUNK)*8-1)" in
|
||||
* [LB]ESHFT guards against "shift is out of range"
|
||||
* warnings when sizeof(RC4_CHUNK)!=8
|
||||
*
|
||||
* <appro@fy.chalmers.se>
|
||||
*/
|
||||
if (!is_endian.little) { /* BIG-ENDIAN CASE */
|
||||
# define BESHFT(c) (((sizeof(RC4_CHUNK)-(c)-1)*8)&(sizeof(RC4_CHUNK)*8-1))
|
||||
for (; len & (0 - sizeof(RC4_CHUNK)); len -= sizeof(RC4_CHUNK)) {
|
||||
|
@ -97,12 +97,12 @@ int RSA_verify_PKCS1_PSS_mgf1(RSA *rsa, const unsigned char *mHash,
|
||||
hLen = EVP_MD_size(Hash);
|
||||
if (hLen < 0)
|
||||
goto err;
|
||||
/*-
|
||||
* Negative sLen has special meanings:
|
||||
* -1 sLen == hLen
|
||||
* -2 salt length is autorecovered from signature
|
||||
* -N reserved
|
||||
*/
|
||||
/*-
|
||||
* Negative sLen has special meanings:
|
||||
* -1 sLen == hLen
|
||||
* -2 salt length is autorecovered from signature
|
||||
* -N reserved
|
||||
*/
|
||||
if (sLen == -1)
|
||||
sLen = hLen;
|
||||
else if (sLen == -2)
|
||||
@ -201,12 +201,12 @@ int RSA_padding_add_PKCS1_PSS_mgf1(RSA *rsa, unsigned char *EM,
|
||||
hLen = EVP_MD_size(Hash);
|
||||
if (hLen < 0)
|
||||
goto err;
|
||||
/*-
|
||||
* Negative sLen has special meanings:
|
||||
* -1 sLen == hLen
|
||||
* -2 salt length is maximized
|
||||
* -N reserved
|
||||
*/
|
||||
/*-
|
||||
* Negative sLen has special meanings:
|
||||
* -1 sLen == hLen
|
||||
* -2 salt length is maximized
|
||||
* -N reserved
|
||||
*/
|
||||
if (sLen == -1)
|
||||
sLen = hLen;
|
||||
else if (sLen == -2)
|
||||
|
@ -333,8 +333,8 @@ int main(int argc, char *argv[])
|
||||
fprintf(stderr, "-----\n");
|
||||
lh_stats(SSL_CTX_sessions(s_ctx), stderr);
|
||||
fprintf(stderr, "-----\n");
|
||||
/*- lh_node_stats(SSL_CTX_sessions(s_ctx),stderr);
|
||||
fprintf(stderr,"-----\n"); */
|
||||
/*- lh_node_stats(SSL_CTX_sessions(s_ctx),stderr);
|
||||
fprintf(stderr,"-----\n"); */
|
||||
lh_node_usage_stats(SSL_CTX_sessions(s_ctx), stderr);
|
||||
fprintf(stderr, "-----\n");
|
||||
}
|
||||
@ -369,11 +369,11 @@ int ndoit(SSL_CTX *ssl_ctx[2])
|
||||
|
||||
fprintf(stdout, "started thread %lu\n", CRYPTO_thread_id());
|
||||
for (i = 0; i < number_of_loops; i++) {
|
||||
/*- fprintf(stderr,"%4d %2d ctx->ref (%3d,%3d)\n",
|
||||
CRYPTO_thread_id(),i,
|
||||
ssl_ctx[0]->references,
|
||||
ssl_ctx[1]->references); */
|
||||
/* pthread_delay_np(&tm); */
|
||||
/*- fprintf(stderr,"%4d %2d ctx->ref (%3d,%3d)\n",
|
||||
CRYPTO_thread_id(),i,
|
||||
ssl_ctx[0]->references,
|
||||
ssl_ctx[1]->references); */
|
||||
/* pthread_delay_np(&tm); */
|
||||
|
||||
ret = doit(ctx);
|
||||
if (ret != 0) {
|
||||
@ -801,23 +801,23 @@ void solaris_locking_callback(int mode, int type, char *file, int line)
|
||||
(type & CRYPTO_READ) ? "r" : "w", file, line);
|
||||
# endif
|
||||
|
||||
/*-
|
||||
if (CRYPTO_LOCK_SSL_CERT == type)
|
||||
fprintf(stderr,"(t,m,f,l) %ld %d %s %d\n",
|
||||
CRYPTO_thread_id(),
|
||||
mode,file,line);
|
||||
*/
|
||||
/*-
|
||||
if (CRYPTO_LOCK_SSL_CERT == type)
|
||||
fprintf(stderr,"(t,m,f,l) %ld %d %s %d\n",
|
||||
CRYPTO_thread_id(),
|
||||
mode,file,line);
|
||||
*/
|
||||
if (mode & CRYPTO_LOCK) {
|
||||
/*-
|
||||
if (mode & CRYPTO_READ)
|
||||
rw_rdlock(&(lock_cs[type]));
|
||||
else
|
||||
rw_wrlock(&(lock_cs[type])); */
|
||||
if (mode & CRYPTO_READ)
|
||||
rw_rdlock(&(lock_cs[type]));
|
||||
else
|
||||
rw_wrlock(&(lock_cs[type])); */
|
||||
|
||||
mutex_lock(&(lock_cs[type]));
|
||||
lock_count[type]++;
|
||||
} else {
|
||||
/* rw_unlock(&(lock_cs[type])); */
|
||||
/* rw_unlock(&(lock_cs[type])); */
|
||||
mutex_unlock(&(lock_cs[type]));
|
||||
}
|
||||
}
|
||||
@ -987,10 +987,10 @@ void pthreads_locking_callback(int mode, int type, char *file, int line)
|
||||
(type & CRYPTO_READ) ? "r" : "w", file, line);
|
||||
# endif
|
||||
/*-
|
||||
if (CRYPTO_LOCK_SSL_CERT == type)
|
||||
fprintf(stderr,"(t,m,f,l) %ld %d %s %d\n",
|
||||
CRYPTO_thread_id(),
|
||||
mode,file,line);
|
||||
if (CRYPTO_LOCK_SSL_CERT == type)
|
||||
fprintf(stderr,"(t,m,f,l) %ld %d %s %d\n",
|
||||
CRYPTO_thread_id(),
|
||||
mode,file,line);
|
||||
*/
|
||||
if (mode & CRYPTO_LOCK) {
|
||||
pthread_mutex_lock(&(lock_cs[type]));
|
||||
|
@ -132,18 +132,18 @@ void WHIRLPOOL_BitUpdate(WHIRLPOOL_CTX *c, const void *_inp, size_t bits)
|
||||
} else /* bit-oriented loop */
|
||||
#endif
|
||||
{
|
||||
/*-
|
||||
inp
|
||||
|
|
||||
+-------+-------+-------
|
||||
|||||||||||||||||||||
|
||||
+-------+-------+-------
|
||||
+-------+-------+-------+-------+-------
|
||||
|||||||||||||| c->data
|
||||
+-------+-------+-------+-------+-------
|
||||
|
|
||||
c->bitoff/8
|
||||
*/
|
||||
/*-
|
||||
inp
|
||||
|
|
||||
+-------+-------+-------
|
||||
|||||||||||||||||||||
|
||||
+-------+-------+-------
|
||||
+-------+-------+-------+-------+-------
|
||||
|||||||||||||| c->data
|
||||
+-------+-------+-------+-------+-------
|
||||
|
|
||||
c->bitoff/8
|
||||
*/
|
||||
while (bits) {
|
||||
unsigned int byteoff = bitoff / 8;
|
||||
unsigned char b;
|
||||
|
@ -424,8 +424,8 @@ static int get_cert_by_subject(X509_LOOKUP *xl, int type, X509_NAME *name,
|
||||
* If we were going to up the reference count, we would need to
|
||||
* do it on a perl 'type' basis
|
||||
*/
|
||||
/*- CRYPTO_add(&tmp->data.x509->references,1,
|
||||
CRYPTO_LOCK_X509);*/
|
||||
/*- CRYPTO_add(&tmp->data.x509->references,1,
|
||||
CRYPTO_LOCK_X509);*/
|
||||
goto finish;
|
||||
}
|
||||
}
|
||||
|
@ -322,8 +322,8 @@ int X509_STORE_get_by_subject(X509_STORE_CTX *vs, int type, X509_NAME *name,
|
||||
return 0;
|
||||
}
|
||||
|
||||
/*- if (ret->data.ptr != NULL)
|
||||
X509_OBJECT_free_contents(ret); */
|
||||
/*- if (ret->data.ptr != NULL)
|
||||
X509_OBJECT_free_contents(ret); */
|
||||
|
||||
ret->type = tmp->type;
|
||||
ret->data.ptr = tmp->data.ptr;
|
||||
|
@ -84,8 +84,8 @@ X509 *X509_REQ_to_X509(X509_REQ *r, int days, EVP_PKEY *pkey)
|
||||
goto err;
|
||||
if (!ASN1_INTEGER_set(xi->version, 2))
|
||||
goto err;
|
||||
/*- xi->extensions=ri->attributes; <- bad, should not ever be done
|
||||
ri->attributes=NULL; */
|
||||
/*- xi->extensions=ri->attributes; <- bad, should not ever be done
|
||||
ri->attributes=NULL; */
|
||||
}
|
||||
|
||||
xn = X509_REQ_get_subject_name(r);
|
||||
|
@ -528,15 +528,15 @@ static int check_chain_extensions(X509_STORE_CTX *ctx)
|
||||
int allow_proxy_certs;
|
||||
cb = ctx->verify_cb;
|
||||
|
||||
/*-
|
||||
* must_be_ca can have 1 of 3 values:
|
||||
* -1: we accept both CA and non-CA certificates, to allow direct
|
||||
* use of self-signed certificates (which are marked as CA).
|
||||
* 0: we only accept non-CA certificates. This is currently not
|
||||
* used, but the possibility is present for future extensions.
|
||||
* 1: we only accept CA certificates. This is currently used for
|
||||
* all certificates in the chain except the leaf certificate.
|
||||
*/
|
||||
/*-
|
||||
* must_be_ca can have 1 of 3 values:
|
||||
* -1: we accept both CA and non-CA certificates, to allow direct
|
||||
* use of self-signed certificates (which are marked as CA).
|
||||
* 0: we only accept non-CA certificates. This is currently not
|
||||
* used, but the possibility is present for future extensions.
|
||||
* 1: we only accept CA certificates. This is currently used for
|
||||
* all certificates in the chain except the leaf certificate.
|
||||
*/
|
||||
must_be_ca = -1;
|
||||
|
||||
/* CRL path validation */
|
||||
|
@ -162,16 +162,16 @@ X509_NAME_ENTRY *X509_NAME_delete_entry(X509_NAME *name, int loc)
|
||||
set_prev = ret->set - 1;
|
||||
set_next = sk_X509_NAME_ENTRY_value(sk, loc)->set;
|
||||
|
||||
/*-
|
||||
* set_prev is the previous set
|
||||
* set is the current set
|
||||
* set_next is the following
|
||||
* prev 1 1 1 1 1 1 1 1
|
||||
* set 1 1 2 2
|
||||
* next 1 1 2 2 2 2 3 2
|
||||
* so basically only if prev and next differ by 2, then
|
||||
* re-number down by 1
|
||||
*/
|
||||
/*-
|
||||
* set_prev is the previous set
|
||||
* set is the current set
|
||||
* set_next is the following
|
||||
* prev 1 1 1 1 1 1 1 1
|
||||
* set 1 1 2 2
|
||||
* next 1 1 2 2 2 2 3 2
|
||||
* so basically only if prev and next differ by 2, then
|
||||
* re-number down by 1
|
||||
*/
|
||||
if (set_prev + 1 < set_next)
|
||||
for (i = loc; i < n; i++)
|
||||
sk_X509_NAME_ENTRY_value(sk, i)->set--;
|
||||
|
@ -222,14 +222,14 @@ static STACK_OF(SCT) *d2i_SCT_LIST(STACK_OF(SCT) **a,
|
||||
|
||||
sct->version = *p2++;
|
||||
if (sct->version == 0) { /* SCT v1 */
|
||||
/*-
|
||||
* Fixed-length header:
|
||||
* struct {
|
||||
* (1 byte) Version sct_version;
|
||||
* (32 bytes) LogID id;
|
||||
* (8 bytes) uint64 timestamp;
|
||||
* (2 bytes + ?) CtExtensions extensions;
|
||||
*/
|
||||
/*-
|
||||
* Fixed-length header:
|
||||
* struct {
|
||||
* (1 byte) Version sct_version;
|
||||
* (32 bytes) LogID id;
|
||||
* (8 bytes) uint64 timestamp;
|
||||
* (2 bytes + ?) CtExtensions extensions;
|
||||
*/
|
||||
if (sctlen < 43)
|
||||
goto err;
|
||||
sctlen -= 43;
|
||||
@ -248,12 +248,12 @@ static STACK_OF(SCT) *d2i_SCT_LIST(STACK_OF(SCT) **a,
|
||||
p2 += fieldlen;
|
||||
sctlen -= fieldlen;
|
||||
|
||||
/*-
|
||||
* digitally-signed struct header:
|
||||
* (1 byte) Hash algorithm
|
||||
* (1 byte) Signature algorithm
|
||||
* (2 bytes + ?) Signature
|
||||
*/
|
||||
/*-
|
||||
* digitally-signed struct header:
|
||||
* (1 byte) Hash algorithm
|
||||
* (1 byte) Signature algorithm
|
||||
* (2 bytes + ?) Signature
|
||||
*/
|
||||
if (sctlen < 4)
|
||||
goto err;
|
||||
sctlen -= 4;
|
||||
|
@ -808,11 +808,11 @@ static const unsigned char *valid_star(const unsigned char *p, size_t len,
|
||||
if (p[i] == '*') {
|
||||
int atstart = (state & LABEL_START);
|
||||
int atend = (i == len - 1 || p[i + i] == '.');
|
||||
/*-
|
||||
* At most one wildcard per pattern.
|
||||
* No wildcards in IDNA labels.
|
||||
* No wildcards after the first label.
|
||||
*/
|
||||
/*-
|
||||
* At most one wildcard per pattern.
|
||||
* No wildcards in IDNA labels.
|
||||
* No wildcards after the first label.
|
||||
*/
|
||||
if (star != NULL || (state & LABEL_IDNA) != 0 || dots)
|
||||
return NULL;
|
||||
/* Only full-label '*.example.com' wildcards? */
|
||||
|
@ -106,14 +106,14 @@ extern "C" {
|
||||
/*
|
||||
* Functions for Digest (MD5, SHA1) stuff
|
||||
*/
|
||||
/* output : output data buffer */
|
||||
/* input : input data buffer */
|
||||
/* algo : hash algorithm, MD5 or SHA1 */
|
||||
/*-
|
||||
* typedef int t_zencod_hash ( KEY *output, const KEY *input, int algo ) ;
|
||||
* typedef int t_zencod_sha_hash ( KEY *output, const KEY *input, int algo ) ;
|
||||
*/
|
||||
/* For now separate this stuff that mad it easier to test */
|
||||
/* output : output data buffer */
|
||||
/* input : input data buffer */
|
||||
/* algo : hash algorithm, MD5 or SHA1 */
|
||||
/*-
|
||||
* typedef int t_zencod_hash ( KEY *output, const KEY *input, int algo ) ;
|
||||
* typedef int t_zencod_sha_hash ( KEY *output, const KEY *input, int algo ) ;
|
||||
*/
|
||||
/* For now separate this stuff that mad it easier to test */
|
||||
typedef int t_zencod_md5_init(ZEN_MD_DATA *data);
|
||||
typedef int t_zencod_md5_update(ZEN_MD_DATA *data, const KEY * input);
|
||||
typedef int t_zencod_md5_do_final(ZEN_MD_DATA *data, KEY * output);
|
||||
|
@ -18,20 +18,20 @@ static char *gost_params[GOST_PARAM_MAX + 1] = { NULL };
|
||||
static const char *gost_envnames[] = { "CRYPT_PARAMS" };
|
||||
|
||||
const ENGINE_CMD_DEFN gost_cmds[] = {
|
||||
/*- { GOST_CTRL_RNG,
|
||||
"RNG",
|
||||
"Type of random number generator to use",
|
||||
ENGINE_CMD_FLAG_STRING
|
||||
},
|
||||
{ GOST_CTRL_RNG_PARAMS,
|
||||
"RNG_PARAMS",
|
||||
"Parameter for random number generator",
|
||||
ENGINE_CMD_FLAG_STRING
|
||||
},
|
||||
/*- { GOST_CTRL_RNG,
|
||||
"RNG",
|
||||
"Type of random number generator to use",
|
||||
ENGINE_CMD_FLAG_STRING
|
||||
},
|
||||
{ GOST_CTRL_RNG_PARAMS,
|
||||
"RNG_PARAMS",
|
||||
"Parameter for random number generator",
|
||||
ENGINE_CMD_FLAG_STRING
|
||||
},
|
||||
*/ {GOST_CTRL_CRYPT_PARAMS,
|
||||
"CRYPT_PARAMS",
|
||||
"OID of default GOST 28147-89 parameters",
|
||||
ENGINE_CMD_FLAG_STRING},
|
||||
"CRYPT_PARAMS",
|
||||
"OID of default GOST 28147-89 parameters",
|
||||
ENGINE_CMD_FLAG_STRING},
|
||||
{0, NULL, NULL, 0}
|
||||
};
|
||||
|
||||
|
@ -1037,11 +1037,11 @@ static int cswift_rand_bytes(unsigned char *buf, int num)
|
||||
while (num >= (int)sizeof(buf32)) {
|
||||
largenum.value = buf;
|
||||
largenum.nbytes = sizeof(buf32);
|
||||
/*-
|
||||
* tell CryptoSwift how many bytes we want and where we want it.
|
||||
* Note: - CryptoSwift cannot do more than 4096 bytes at a time.
|
||||
* - CryptoSwift can only do multiple of 32-bits.
|
||||
*/
|
||||
/*-
|
||||
* tell CryptoSwift how many bytes we want and where we want it.
|
||||
* Note: - CryptoSwift cannot do more than 4096 bytes at a time.
|
||||
* - CryptoSwift can only do multiple of 32-bits.
|
||||
*/
|
||||
swrc =
|
||||
p_CSwift_SimpleRequest(hac, SW_CMD_RAND, NULL, 0, &largenum, 1);
|
||||
if (swrc != SW_OK) {
|
||||
|
@ -214,12 +214,12 @@ typedef struct {
|
||||
int (*mutex_acquire) (HWCryptoHook_Mutex *);
|
||||
void (*mutex_release) (HWCryptoHook_Mutex *);
|
||||
void (*mutex_destroy) (HWCryptoHook_Mutex *);
|
||||
/*-
|
||||
* For greater efficiency, can use condition vars internally for
|
||||
* synchronisation. In this case maxsimultaneous is ignored, but
|
||||
* the other mutex stuff must be available. In singlethreaded
|
||||
* programs, set everything to 0.
|
||||
*/
|
||||
/*-
|
||||
* For greater efficiency, can use condition vars internally for
|
||||
* synchronisation. In this case maxsimultaneous is ignored, but
|
||||
* the other mutex stuff must be available. In singlethreaded
|
||||
* programs, set everything to 0.
|
||||
*/
|
||||
size_t condvarsize;
|
||||
int (*condvar_init) (HWCryptoHook_CondVar *,
|
||||
HWCryptoHook_CallerContext * cactx);
|
||||
@ -227,103 +227,103 @@ typedef struct {
|
||||
void (*condvar_signal) (HWCryptoHook_CondVar *);
|
||||
void (*condvar_broadcast) (HWCryptoHook_CondVar *);
|
||||
void (*condvar_destroy) (HWCryptoHook_CondVar *);
|
||||
/*-
|
||||
* The semantics of acquiring and releasing mutexes and broadcasting
|
||||
* and waiting on condition variables are expected to be those from
|
||||
* POSIX threads (pthreads). The mutexes may be (in pthread-speak)
|
||||
* fast mutexes, recursive mutexes, or nonrecursive ones.
|
||||
*
|
||||
* The _release/_signal/_broadcast and _destroy functions must
|
||||
* always succeed when given a valid argument; if they are given an
|
||||
* invalid argument then the program (crypto plugin + application)
|
||||
* has an internal error, and they should abort the program.
|
||||
*/
|
||||
/*-
|
||||
* The semantics of acquiring and releasing mutexes and broadcasting
|
||||
* and waiting on condition variables are expected to be those from
|
||||
* POSIX threads (pthreads). The mutexes may be (in pthread-speak)
|
||||
* fast mutexes, recursive mutexes, or nonrecursive ones.
|
||||
*
|
||||
* The _release/_signal/_broadcast and _destroy functions must
|
||||
* always succeed when given a valid argument; if they are given an
|
||||
* invalid argument then the program (crypto plugin + application)
|
||||
* has an internal error, and they should abort the program.
|
||||
*/
|
||||
int (*getpassphrase) (const char *prompt_info,
|
||||
int *len_io, char *buf,
|
||||
HWCryptoHook_PassphraseContext * ppctx,
|
||||
HWCryptoHook_CallerContext * cactx);
|
||||
/*-
|
||||
* Passphrases and the prompt_info, if they contain high-bit-set
|
||||
* characters, are UTF-8. The prompt_info may be a null pointer if
|
||||
* no prompt information is available (it should not be an empty
|
||||
* string). It will not contain text like `enter passphrase';
|
||||
* instead it might say something like `Operator Card for John
|
||||
* Smith' or `SmartCard in nFast Module #1, Slot #1'.
|
||||
*
|
||||
* buf points to a buffer in which to return the passphrase; on
|
||||
* entry *len_io is the length of the buffer. It should be updated
|
||||
* by the callback. The returned passphrase should not be
|
||||
* null-terminated by the callback.
|
||||
*/
|
||||
/*-
|
||||
* Passphrases and the prompt_info, if they contain high-bit-set
|
||||
* characters, are UTF-8. The prompt_info may be a null pointer if
|
||||
* no prompt information is available (it should not be an empty
|
||||
* string). It will not contain text like `enter passphrase';
|
||||
* instead it might say something like `Operator Card for John
|
||||
* Smith' or `SmartCard in nFast Module #1, Slot #1'.
|
||||
*
|
||||
* buf points to a buffer in which to return the passphrase; on
|
||||
* entry *len_io is the length of the buffer. It should be updated
|
||||
* by the callback. The returned passphrase should not be
|
||||
* null-terminated by the callback.
|
||||
*/
|
||||
int (*getphystoken) (const char *prompt_info,
|
||||
const char *wrong_info,
|
||||
HWCryptoHook_PassphraseContext * ppctx,
|
||||
HWCryptoHook_CallerContext * cactx);
|
||||
/*-
|
||||
* Requests that the human user physically insert a different
|
||||
* smartcard, DataKey, etc. The plugin should check whether the
|
||||
* currently inserted token(s) are appropriate, and if they are it
|
||||
* should not make this call.
|
||||
*
|
||||
* prompt_info is as before. wrong_info is a description of the
|
||||
* currently inserted token(s) so that the user is told what
|
||||
* something is. wrong_info, like prompt_info, may be null, but
|
||||
* should not be an empty string. Its contents should be
|
||||
* syntactically similar to that of prompt_info.
|
||||
*/
|
||||
/*-
|
||||
* Note that a single LoadKey operation might cause several calls to
|
||||
* getpassphrase and/or requestphystoken. If requestphystoken is
|
||||
* not provided (ie, a null pointer is passed) then the plugin may
|
||||
* not support loading keys for which authorisation by several cards
|
||||
* is required. If getpassphrase is not provided then cards with
|
||||
* passphrases may not be supported.
|
||||
*
|
||||
* getpassphrase and getphystoken do not need to check that the
|
||||
* passphrase has been entered correctly or the correct token
|
||||
* inserted; the crypto plugin will do that. If this is not the
|
||||
* case then the crypto plugin is responsible for calling these
|
||||
* routines again as appropriate until the correct token(s) and
|
||||
* passphrase(s) are supplied as required, or until any retry limits
|
||||
* implemented by the crypto plugin are reached.
|
||||
*
|
||||
* In either case, the application must allow the user to say `no'
|
||||
* or `cancel' to indicate that they do not know the passphrase or
|
||||
* have the appropriate token; this should cause the callback to
|
||||
* return nonzero indicating error.
|
||||
*/
|
||||
/*-
|
||||
* Requests that the human user physically insert a different
|
||||
* smartcard, DataKey, etc. The plugin should check whether the
|
||||
* currently inserted token(s) are appropriate, and if they are it
|
||||
* should not make this call.
|
||||
*
|
||||
* prompt_info is as before. wrong_info is a description of the
|
||||
* currently inserted token(s) so that the user is told what
|
||||
* something is. wrong_info, like prompt_info, may be null, but
|
||||
* should not be an empty string. Its contents should be
|
||||
* syntactically similar to that of prompt_info.
|
||||
*/
|
||||
/*-
|
||||
* Note that a single LoadKey operation might cause several calls to
|
||||
* getpassphrase and/or requestphystoken. If requestphystoken is
|
||||
* not provided (ie, a null pointer is passed) then the plugin may
|
||||
* not support loading keys for which authorisation by several cards
|
||||
* is required. If getpassphrase is not provided then cards with
|
||||
* passphrases may not be supported.
|
||||
*
|
||||
* getpassphrase and getphystoken do not need to check that the
|
||||
* passphrase has been entered correctly or the correct token
|
||||
* inserted; the crypto plugin will do that. If this is not the
|
||||
* case then the crypto plugin is responsible for calling these
|
||||
* routines again as appropriate until the correct token(s) and
|
||||
* passphrase(s) are supplied as required, or until any retry limits
|
||||
* implemented by the crypto plugin are reached.
|
||||
*
|
||||
* In either case, the application must allow the user to say `no'
|
||||
* or `cancel' to indicate that they do not know the passphrase or
|
||||
* have the appropriate token; this should cause the callback to
|
||||
* return nonzero indicating error.
|
||||
*/
|
||||
void (*logmessage) (void *logstream, const char *message);
|
||||
/*-
|
||||
* A log message will be generated at least every time something goes
|
||||
* wrong and an ErrMsgBuf is filled in (or would be if one was
|
||||
* provided). Other diagnostic information may be written there too,
|
||||
* including more detailed reasons for errors which are reported in an
|
||||
* ErrMsgBuf.
|
||||
*
|
||||
* When a log message is generated, this callback is called. It
|
||||
* should write a message to the relevant logging arrangements.
|
||||
*
|
||||
* The message string passed will be null-terminated and may be of arbitrary
|
||||
* length. It will not be prefixed by the time and date, nor by the
|
||||
* name of the library that is generating it - if this is required,
|
||||
* the logmessage callback must do it. The message will not have a
|
||||
* trailing newline (though it may contain internal newlines).
|
||||
*
|
||||
* If a null pointer is passed for logmessage a default function is
|
||||
* used. The default function treats logstream as a FILE* which has
|
||||
* been converted to a void*. If logstream is 0 it does nothing.
|
||||
* Otherwise it prepends the date and time and library name and
|
||||
* writes the message to logstream. Each line will be prefixed by a
|
||||
* descriptive string containing the date, time and identity of the
|
||||
* crypto plugin. Errors on the logstream are not reported
|
||||
* anywhere, and the default function doesn't flush the stream, so
|
||||
* the application must set the buffering how it wants it.
|
||||
*
|
||||
* The crypto plugin may also provide a facility to have copies of
|
||||
* log messages sent elsewhere, and or for adjusting the verbosity
|
||||
* of the log messages; any such facilities will be configured by
|
||||
* external means.
|
||||
*/
|
||||
/*-
|
||||
* A log message will be generated at least every time something goes
|
||||
* wrong and an ErrMsgBuf is filled in (or would be if one was
|
||||
* provided). Other diagnostic information may be written there too,
|
||||
* including more detailed reasons for errors which are reported in an
|
||||
* ErrMsgBuf.
|
||||
*
|
||||
* When a log message is generated, this callback is called. It
|
||||
* should write a message to the relevant logging arrangements.
|
||||
*
|
||||
* The message string passed will be null-terminated and may be of arbitrary
|
||||
* length. It will not be prefixed by the time and date, nor by the
|
||||
* name of the library that is generating it - if this is required,
|
||||
* the logmessage callback must do it. The message will not have a
|
||||
* trailing newline (though it may contain internal newlines).
|
||||
*
|
||||
* If a null pointer is passed for logmessage a default function is
|
||||
* used. The default function treats logstream as a FILE* which has
|
||||
* been converted to a void*. If logstream is 0 it does nothing.
|
||||
* Otherwise it prepends the date and time and library name and
|
||||
* writes the message to logstream. Each line will be prefixed by a
|
||||
* descriptive string containing the date, time and identity of the
|
||||
* crypto plugin. Errors on the logstream are not reported
|
||||
* anywhere, and the default function doesn't flush the stream, so
|
||||
* the application must set the buffering how it wants it.
|
||||
*
|
||||
* The crypto plugin may also provide a facility to have copies of
|
||||
* log messages sent elsewhere, and or for adjusting the verbosity
|
||||
* of the log messages; any such facilities will be configured by
|
||||
* external means.
|
||||
*/
|
||||
} HWCryptoHook_InitInfo;
|
||||
|
||||
typedef
|
||||
|
@ -573,12 +573,12 @@ static int dtls1_preprocess_fragment(SSL *s, struct hm_header_st *msg_hdr,
|
||||
|
||||
static int dtls1_retrieve_buffered_fragment(SSL *s, long max, int *ok)
|
||||
{
|
||||
/*-
|
||||
* (0) check whether the desired fragment is available
|
||||
* if so:
|
||||
* (1) copy over the fragment to s->init_buf->data[]
|
||||
* (2) update s->init_num
|
||||
*/
|
||||
/*-
|
||||
* (0) check whether the desired fragment is available
|
||||
* if so:
|
||||
* (1) copy over the fragment to s->init_buf->data[]
|
||||
* (2) update s->init_num
|
||||
*/
|
||||
pitem *item;
|
||||
hm_fragment *frag;
|
||||
int al;
|
||||
@ -1167,10 +1167,10 @@ dtls1_retransmit_message(SSL *s, unsigned short seq, unsigned long frag_off,
|
||||
struct dtls1_retransmit_state saved_state;
|
||||
unsigned char save_write_sequence[8];
|
||||
|
||||
/*-
|
||||
OPENSSL_assert(s->init_num == 0);
|
||||
OPENSSL_assert(s->init_off == 0);
|
||||
*/
|
||||
/*-
|
||||
OPENSSL_assert(s->init_num == 0);
|
||||
OPENSSL_assert(s->init_off == 0);
|
||||
*/
|
||||
|
||||
/* XDTLS: the requested message ought to be found, otherwise error */
|
||||
memset(seq64be, 0, sizeof(seq64be));
|
||||
@ -1481,16 +1481,16 @@ int dtls1_heartbeat(SSL *s)
|
||||
*/
|
||||
OPENSSL_assert(payload + padding <= 16381);
|
||||
|
||||
/*-
|
||||
* Create HeartBeat message, we just use a sequence number
|
||||
* as payload to distuingish different messages and add
|
||||
* some random stuff.
|
||||
* - Message Type, 1 byte
|
||||
* - Payload Length, 2 bytes (unsigned int)
|
||||
* - Payload, the sequence number (2 bytes uint)
|
||||
* - Payload, random bytes (16 bytes uint)
|
||||
* - Padding
|
||||
*/
|
||||
/*-
|
||||
* Create HeartBeat message, we just use a sequence number
|
||||
* as payload to distuingish different messages and add
|
||||
* some random stuff.
|
||||
* - Message Type, 1 byte
|
||||
* - Payload Length, 2 bytes (unsigned int)
|
||||
* - Payload, the sequence number (2 bytes uint)
|
||||
* - Payload, random bytes (16 bytes uint)
|
||||
* - Padding
|
||||
*/
|
||||
buf = OPENSSL_malloc(1 + 2 + payload + padding);
|
||||
p = buf;
|
||||
/* Message Type */
|
||||
|
50
ssl/d1_pkt.c
50
ssl/d1_pkt.c
@ -432,12 +432,12 @@ static int dtls1_process_record(SSL *s)
|
||||
rr->data = rr->input;
|
||||
|
||||
enc_err = s->method->ssl3_enc->enc(s, 0);
|
||||
/*-
|
||||
* enc_err is:
|
||||
* 0: (in non-constant time) if the record is publically invalid.
|
||||
* 1: if the padding is valid
|
||||
* -1: if the padding is invalid
|
||||
*/
|
||||
/*-
|
||||
* enc_err is:
|
||||
* 0: (in non-constant time) if the record is publically invalid.
|
||||
* 1: if the padding is valid
|
||||
* -1: if the padding is invalid
|
||||
*/
|
||||
if (enc_err == 0) {
|
||||
/* For DTLS we simply ignore bad packets. */
|
||||
rr->length = 0;
|
||||
@ -540,14 +540,14 @@ static int dtls1_process_record(SSL *s)
|
||||
}
|
||||
|
||||
rr->off = 0;
|
||||
/*-
|
||||
* So at this point the following is true
|
||||
* ssl->s3->rrec.type is the type of record
|
||||
* ssl->s3->rrec.length == number of bytes in record
|
||||
* ssl->s3->rrec.off == offset to first valid byte
|
||||
* ssl->s3->rrec.data == where to take bytes from, increment
|
||||
* after use :-).
|
||||
*/
|
||||
/*-
|
||||
* So at this point the following is true
|
||||
* ssl->s3->rrec.type is the type of record
|
||||
* ssl->s3->rrec.length == number of bytes in record
|
||||
* ssl->s3->rrec.off == offset to first valid byte
|
||||
* ssl->s3->rrec.data == where to take bytes from, increment
|
||||
* after use :-).
|
||||
*/
|
||||
|
||||
/* we have pulled in a full packet so zero things */
|
||||
s->packet_length = 0;
|
||||
@ -824,12 +824,12 @@ int dtls1_read_bytes(SSL *s, int type, unsigned char *buf, int len, int peek)
|
||||
start:
|
||||
s->rwstate = SSL_NOTHING;
|
||||
|
||||
/*-
|
||||
* s->s3->rrec.type - is the type of record
|
||||
* s->s3->rrec.data, - data
|
||||
* s->s3->rrec.off, - offset into 'data' for next read
|
||||
* s->s3->rrec.length, - number of bytes.
|
||||
*/
|
||||
/*-
|
||||
* s->s3->rrec.type - is the type of record
|
||||
* s->s3->rrec.data, - data
|
||||
* s->s3->rrec.off, - offset into 'data' for next read
|
||||
* s->s3->rrec.length, - number of bytes.
|
||||
*/
|
||||
rr = &(s->s3->rrec);
|
||||
|
||||
/*
|
||||
@ -1051,11 +1051,11 @@ int dtls1_read_bytes(SSL *s, int type, unsigned char *buf, int len, int peek)
|
||||
}
|
||||
}
|
||||
|
||||
/*-
|
||||
* s->d1->handshake_fragment_len == 12 iff rr->type == SSL3_RT_HANDSHAKE;
|
||||
* s->d1->alert_fragment_len == 7 iff rr->type == SSL3_RT_ALERT.
|
||||
* (Possibly rr is 'empty' now, i.e. rr->length may be 0.)
|
||||
*/
|
||||
/*-
|
||||
* s->d1->handshake_fragment_len == 12 iff rr->type == SSL3_RT_HANDSHAKE;
|
||||
* s->d1->alert_fragment_len == 7 iff rr->type == SSL3_RT_ALERT.
|
||||
* (Possibly rr is 'empty' now, i.e. rr->length may be 0.)
|
||||
*/
|
||||
|
||||
/* If we are a client, check for an incoming 'Hello Request': */
|
||||
if ((!s->server) &&
|
||||
|
26
ssl/kssl.c
26
ssl/kssl.c
@ -1391,20 +1391,20 @@ krb5_error_code kssl_sget_tkt( /* UPDATE */ KSSL_CTX *kssl_ctx,
|
||||
}
|
||||
}
|
||||
|
||||
/*- Actual Kerberos5 krb5_recvauth() has initial conversation here
|
||||
* o check KRB5_SENDAUTH_BADAUTHVERS
|
||||
* unless KRB5_RECVAUTH_SKIP_VERSION
|
||||
* o check KRB5_SENDAUTH_BADAPPLVERS
|
||||
* o send "0" msg if all OK
|
||||
*/
|
||||
/*- Actual Kerberos5 krb5_recvauth() has initial conversation here
|
||||
* o check KRB5_SENDAUTH_BADAUTHVERS
|
||||
* unless KRB5_RECVAUTH_SKIP_VERSION
|
||||
* o check KRB5_SENDAUTH_BADAPPLVERS
|
||||
* o send "0" msg if all OK
|
||||
*/
|
||||
|
||||
/*-
|
||||
* 20010411 was using AP_REQ instead of true KerberosWrapper
|
||||
*
|
||||
* if ((krb5rc = krb5_rd_req(krb5context, &krb5auth_context,
|
||||
* &krb5in_data, krb5server, krb5keytab,
|
||||
* &ap_option, &krb5ticket)) != 0) { Error }
|
||||
*/
|
||||
/*-
|
||||
* 20010411 was using AP_REQ instead of true KerberosWrapper
|
||||
*
|
||||
* if ((krb5rc = krb5_rd_req(krb5context, &krb5auth_context,
|
||||
* &krb5in_data, krb5server, krb5keytab,
|
||||
* &ap_option, &krb5ticket)) != 0) { Error }
|
||||
*/
|
||||
|
||||
p = (unsigned char *)indata->data;
|
||||
if ((asn1ticket = (KRB5_TKTBODY *)d2i_KRB5_TICKET(NULL, &p,
|
||||
|
@ -426,19 +426,19 @@ int ssl23_get_client_hello(SSL *s)
|
||||
v[0] = p[3]; /* == SSL3_VERSION_MAJOR */
|
||||
v[1] = p[4];
|
||||
|
||||
/*-
|
||||
* An SSLv3/TLSv1 backwards-compatible CLIENT-HELLO in an SSLv2
|
||||
* header is sent directly on the wire, not wrapped as a TLS
|
||||
* record. It's format is:
|
||||
* Byte Content
|
||||
* 0-1 msg_length
|
||||
* 2 msg_type
|
||||
* 3-4 version
|
||||
* 5-6 cipher_spec_length
|
||||
* 7-8 session_id_length
|
||||
* 9-10 challenge_length
|
||||
* ... ...
|
||||
*/
|
||||
/*-
|
||||
* An SSLv3/TLSv1 backwards-compatible CLIENT-HELLO in an SSLv2
|
||||
* header is sent directly on the wire, not wrapped as a TLS
|
||||
* record. It's format is:
|
||||
* Byte Content
|
||||
* 0-1 msg_length
|
||||
* 2 msg_type
|
||||
* 3-4 version
|
||||
* 5-6 cipher_spec_length
|
||||
* 7-8 session_id_length
|
||||
* 9-10 challenge_length
|
||||
* ... ...
|
||||
*/
|
||||
n = ((p[0] & 0x7f) << 8) | p[1];
|
||||
if (n > (1024 * 4)) {
|
||||
SSLerr(SSL_F_SSL23_GET_CLIENT_HELLO, SSL_R_RECORD_TOO_LARGE);
|
||||
|
30
ssl/s2_pkt.c
30
ssl/s2_pkt.c
@ -535,19 +535,19 @@ static int n_do_ssl_write(SSL *s, const unsigned char *buf, unsigned int len)
|
||||
s->s2->three_byte_header = 0;
|
||||
p = 0;
|
||||
} else if ((bs <= 1) && (!s->s2->escape)) {
|
||||
/*-
|
||||
* j <= SSL2_MAX_RECORD_LENGTH_3_BYTE_HEADER, thus
|
||||
* j < SSL2_MAX_RECORD_LENGTH_2_BYTE_HEADER
|
||||
*/
|
||||
/*-
|
||||
* j <= SSL2_MAX_RECORD_LENGTH_3_BYTE_HEADER, thus
|
||||
* j < SSL2_MAX_RECORD_LENGTH_2_BYTE_HEADER
|
||||
*/
|
||||
s->s2->three_byte_header = 0;
|
||||
p = 0;
|
||||
} else { /* we may have to use a 3 byte header */
|
||||
|
||||
/*-
|
||||
* If s->s2->escape is not set, then
|
||||
* j <= SSL2_MAX_RECORD_LENGTH_3_BYTE_HEADER, and thus
|
||||
* j < SSL2_MAX_RECORD_LENGTH_2_BYTE_HEADER.
|
||||
*/
|
||||
/*-
|
||||
* If s->s2->escape is not set, then
|
||||
* j <= SSL2_MAX_RECORD_LENGTH_3_BYTE_HEADER, and thus
|
||||
* j < SSL2_MAX_RECORD_LENGTH_2_BYTE_HEADER.
|
||||
*/
|
||||
p = (j % bs);
|
||||
p = (p == 0) ? 0 : (bs - p);
|
||||
if (s->s2->escape) {
|
||||
@ -559,12 +559,12 @@ static int n_do_ssl_write(SSL *s, const unsigned char *buf, unsigned int len)
|
||||
}
|
||||
}
|
||||
|
||||
/*-
|
||||
* Now
|
||||
* j <= SSL2_MAX_RECORD_LENGTH_2_BYTE_HEADER
|
||||
* holds, and if s->s2->three_byte_header is set, then even
|
||||
* j <= SSL2_MAX_RECORD_LENGTH_3_BYTE_HEADER.
|
||||
*/
|
||||
/*-
|
||||
* Now
|
||||
* j <= SSL2_MAX_RECORD_LENGTH_2_BYTE_HEADER
|
||||
* holds, and if s->s2->three_byte_header is set, then even
|
||||
* j <= SSL2_MAX_RECORD_LENGTH_3_BYTE_HEADER.
|
||||
*/
|
||||
|
||||
/*
|
||||
* mac_size is the number of MAC bytes len is the number of data bytes we
|
||||
|
38
ssl/s3_cbc.c
38
ssl/s3_cbc.c
@ -761,25 +761,25 @@ void tls_fips_digest_extra(const EVP_CIPHER_CTX *cipher_ctx,
|
||||
if (EVP_CIPHER_CTX_mode(cipher_ctx) != EVP_CIPH_CBC_MODE)
|
||||
return;
|
||||
block_size = EVP_MD_CTX_block_size(mac_ctx);
|
||||
/*-
|
||||
* We are in FIPS mode if we get this far so we know we have only SHA*
|
||||
* digests and TLS to deal with.
|
||||
* Minimum digest padding length is 17 for SHA384/SHA512 and 9
|
||||
* otherwise.
|
||||
* Additional header is 13 bytes. To get the number of digest blocks
|
||||
* processed round up the amount of data plus padding to the nearest
|
||||
* block length. Block length is 128 for SHA384/SHA512 and 64 otherwise.
|
||||
* So we have:
|
||||
* blocks = (payload_len + digest_pad + 13 + block_size - 1)/block_size
|
||||
* equivalently:
|
||||
* blocks = (payload_len + digest_pad + 12)/block_size + 1
|
||||
* HMAC adds a constant overhead.
|
||||
* We're ultimately only interested in differences so this becomes
|
||||
* blocks = (payload_len + 29)/128
|
||||
* for SHA384/SHA512 and
|
||||
* blocks = (payload_len + 21)/64
|
||||
* otherwise.
|
||||
*/
|
||||
/*-
|
||||
* We are in FIPS mode if we get this far so we know we have only SHA*
|
||||
* digests and TLS to deal with.
|
||||
* Minimum digest padding length is 17 for SHA384/SHA512 and 9
|
||||
* otherwise.
|
||||
* Additional header is 13 bytes. To get the number of digest blocks
|
||||
* processed round up the amount of data plus padding to the nearest
|
||||
* block length. Block length is 128 for SHA384/SHA512 and 64 otherwise.
|
||||
* So we have:
|
||||
* blocks = (payload_len + digest_pad + 13 + block_size - 1)/block_size
|
||||
* equivalently:
|
||||
* blocks = (payload_len + digest_pad + 12)/block_size + 1
|
||||
* HMAC adds a constant overhead.
|
||||
* We're ultimately only interested in differences so this becomes
|
||||
* blocks = (payload_len + 29)/128
|
||||
* for SHA384/SHA512 and
|
||||
* blocks = (payload_len + 21)/64
|
||||
* otherwise.
|
||||
*/
|
||||
digest_pad = block_size == 64 ? 21 : 29;
|
||||
blocks_orig = (orig_len + digest_pad) / block_size;
|
||||
blocks_data = (data_len + digest_pad) / block_size;
|
||||
|
152
ssl/s3_clnt.c
152
ssl/s3_clnt.c
@ -723,36 +723,36 @@ int ssl3_client_hello(SSL *s)
|
||||
/* Do the message type and length last */
|
||||
d = p = ssl_handshake_start(s);
|
||||
|
||||
/*-
|
||||
* version indicates the negotiated version: for example from
|
||||
* an SSLv2/v3 compatible client hello). The client_version
|
||||
* field is the maximum version we permit and it is also
|
||||
* used in RSA encrypted premaster secrets. Some servers can
|
||||
* choke if we initially report a higher version then
|
||||
* renegotiate to a lower one in the premaster secret. This
|
||||
* didn't happen with TLS 1.0 as most servers supported it
|
||||
* but it can with TLS 1.1 or later if the server only supports
|
||||
* 1.0.
|
||||
*
|
||||
* Possible scenario with previous logic:
|
||||
* 1. Client hello indicates TLS 1.2
|
||||
* 2. Server hello says TLS 1.0
|
||||
* 3. RSA encrypted premaster secret uses 1.2.
|
||||
* 4. Handhaked proceeds using TLS 1.0.
|
||||
* 5. Server sends hello request to renegotiate.
|
||||
* 6. Client hello indicates TLS v1.0 as we now
|
||||
* know that is maximum server supports.
|
||||
* 7. Server chokes on RSA encrypted premaster secret
|
||||
* containing version 1.0.
|
||||
*
|
||||
* For interoperability it should be OK to always use the
|
||||
* maximum version we support in client hello and then rely
|
||||
* on the checking of version to ensure the servers isn't
|
||||
* being inconsistent: for example initially negotiating with
|
||||
* TLS 1.0 and renegotiating with TLS 1.2. We do this by using
|
||||
* client_version in client hello and not resetting it to
|
||||
* the negotiated version.
|
||||
*/
|
||||
/*-
|
||||
* version indicates the negotiated version: for example from
|
||||
* an SSLv2/v3 compatible client hello). The client_version
|
||||
* field is the maximum version we permit and it is also
|
||||
* used in RSA encrypted premaster secrets. Some servers can
|
||||
* choke if we initially report a higher version then
|
||||
* renegotiate to a lower one in the premaster secret. This
|
||||
* didn't happen with TLS 1.0 as most servers supported it
|
||||
* but it can with TLS 1.1 or later if the server only supports
|
||||
* 1.0.
|
||||
*
|
||||
* Possible scenario with previous logic:
|
||||
* 1. Client hello indicates TLS 1.2
|
||||
* 2. Server hello says TLS 1.0
|
||||
* 3. RSA encrypted premaster secret uses 1.2.
|
||||
* 4. Handhaked proceeds using TLS 1.0.
|
||||
* 5. Server sends hello request to renegotiate.
|
||||
* 6. Client hello indicates TLS v1.0 as we now
|
||||
* know that is maximum server supports.
|
||||
* 7. Server chokes on RSA encrypted premaster secret
|
||||
* containing version 1.0.
|
||||
*
|
||||
* For interoperability it should be OK to always use the
|
||||
* maximum version we support in client hello and then rely
|
||||
* on the checking of version to ensure the servers isn't
|
||||
* being inconsistent: for example initially negotiating with
|
||||
* TLS 1.0 and renegotiating with TLS 1.2. We do this by using
|
||||
* client_version in client hello and not resetting it to
|
||||
* the negotiated version.
|
||||
*/
|
||||
#if 0
|
||||
*(p++) = s->version >> 8;
|
||||
*(p++) = s->version & 0xff;
|
||||
@ -2449,25 +2449,25 @@ int ssl3_send_client_key_exchange(SSL *s)
|
||||
goto err;
|
||||
}
|
||||
|
||||
/*-
|
||||
* 20010406 VRS - Earlier versions used KRB5 AP_REQ
|
||||
* in place of RFC 2712 KerberosWrapper, as in:
|
||||
*
|
||||
* Send ticket (copy to *p, set n = length)
|
||||
* n = krb5_ap_req.length;
|
||||
* memcpy(p, krb5_ap_req.data, krb5_ap_req.length);
|
||||
* if (krb5_ap_req.data)
|
||||
* kssl_krb5_free_data_contents(NULL,&krb5_ap_req);
|
||||
*
|
||||
* Now using real RFC 2712 KerberosWrapper
|
||||
* (Thanks to Simon Wilkinson <sxw@sxw.org.uk>)
|
||||
* Note: 2712 "opaque" types are here replaced
|
||||
* with a 2-byte length followed by the value.
|
||||
* Example:
|
||||
* KerberosWrapper= xx xx asn1ticket 0 0 xx xx encpms
|
||||
* Where "xx xx" = length bytes. Shown here with
|
||||
* optional authenticator omitted.
|
||||
*/
|
||||
/*-
|
||||
* 20010406 VRS - Earlier versions used KRB5 AP_REQ
|
||||
* in place of RFC 2712 KerberosWrapper, as in:
|
||||
*
|
||||
* Send ticket (copy to *p, set n = length)
|
||||
* n = krb5_ap_req.length;
|
||||
* memcpy(p, krb5_ap_req.data, krb5_ap_req.length);
|
||||
* if (krb5_ap_req.data)
|
||||
* kssl_krb5_free_data_contents(NULL,&krb5_ap_req);
|
||||
*
|
||||
* Now using real RFC 2712 KerberosWrapper
|
||||
* (Thanks to Simon Wilkinson <sxw@sxw.org.uk>)
|
||||
* Note: 2712 "opaque" types are here replaced
|
||||
* with a 2-byte length followed by the value.
|
||||
* Example:
|
||||
* KerberosWrapper= xx xx asn1ticket 0 0 xx xx encpms
|
||||
* Where "xx xx" = length bytes. Shown here with
|
||||
* optional authenticator omitted.
|
||||
*/
|
||||
|
||||
/* KerberosWrapper.Ticket */
|
||||
s2n(enc_ticket->length, p);
|
||||
@ -2495,13 +2495,13 @@ int ssl3_send_client_key_exchange(SSL *s)
|
||||
if (RAND_bytes(&(tmp_buf[2]), sizeof tmp_buf - 2) <= 0)
|
||||
goto err;
|
||||
|
||||
/*-
|
||||
* 20010420 VRS. Tried it this way; failed.
|
||||
* EVP_EncryptInit_ex(&ciph_ctx,enc, NULL,NULL);
|
||||
* EVP_CIPHER_CTX_set_key_length(&ciph_ctx,
|
||||
* kssl_ctx->length);
|
||||
* EVP_EncryptInit_ex(&ciph_ctx,NULL, key,iv);
|
||||
*/
|
||||
/*-
|
||||
* 20010420 VRS. Tried it this way; failed.
|
||||
* EVP_EncryptInit_ex(&ciph_ctx,enc, NULL,NULL);
|
||||
* EVP_CIPHER_CTX_set_key_length(&ciph_ctx,
|
||||
* kssl_ctx->length);
|
||||
* EVP_EncryptInit_ex(&ciph_ctx,NULL, key,iv);
|
||||
*/
|
||||
|
||||
memset(iv, 0, sizeof iv); /* per RFC 1510 */
|
||||
EVP_EncryptInit_ex(&ciph_ctx, enc, NULL, kssl_ctx->key, iv);
|
||||
@ -2648,26 +2648,26 @@ int ssl3_send_client_key_exchange(SSL *s)
|
||||
* ecdh_clnt_cert to 1.
|
||||
*/
|
||||
if ((alg_k & (SSL_kECDHr | SSL_kECDHe)) && (s->cert != NULL)) {
|
||||
/*-
|
||||
* XXX: For now, we do not support client
|
||||
* authentication using ECDH certificates.
|
||||
* To add such support, one needs to add
|
||||
* code that checks for appropriate
|
||||
* conditions and sets ecdh_clnt_cert to 1.
|
||||
* For example, the cert have an ECC
|
||||
* key on the same curve as the server's
|
||||
* and the key should be authorized for
|
||||
* key agreement.
|
||||
*
|
||||
* One also needs to add code in ssl3_connect
|
||||
* to skip sending the certificate verify
|
||||
* message.
|
||||
*
|
||||
* if ((s->cert->key->privatekey != NULL) &&
|
||||
* (s->cert->key->privatekey->type ==
|
||||
* EVP_PKEY_EC) && ...)
|
||||
* ecdh_clnt_cert = 1;
|
||||
*/
|
||||
/*-
|
||||
* XXX: For now, we do not support client
|
||||
* authentication using ECDH certificates.
|
||||
* To add such support, one needs to add
|
||||
* code that checks for appropriate
|
||||
* conditions and sets ecdh_clnt_cert to 1.
|
||||
* For example, the cert have an ECC
|
||||
* key on the same curve as the server's
|
||||
* and the key should be authorized for
|
||||
* key agreement.
|
||||
*
|
||||
* One also needs to add code in ssl3_connect
|
||||
* to skip sending the certificate verify
|
||||
* message.
|
||||
*
|
||||
* if ((s->cert->key->privatekey != NULL) &&
|
||||
* (s->cert->key->privatekey->type ==
|
||||
* EVP_PKEY_EC) && ...)
|
||||
* ecdh_clnt_cert = 1;
|
||||
*/
|
||||
}
|
||||
|
||||
if (s->session->sess_cert->peer_ecdh_tmp != NULL) {
|
||||
|
15
ssl/s3_enc.c
15
ssl/s3_enc.c
@ -754,13 +754,14 @@ int n_ssl3_mac(SSL *ssl, unsigned char *md, int send)
|
||||
* are hashing because that gives an attacker a timing-oracle.
|
||||
*/
|
||||
|
||||
/*-
|
||||
* npad is, at most, 48 bytes and that's with MD5:
|
||||
* 16 + 48 + 8 (sequence bytes) + 1 + 2 = 75.
|
||||
*
|
||||
* With SHA-1 (the largest hash speced for SSLv3) the hash size
|
||||
* goes up 4, but npad goes down by 8, resulting in a smaller
|
||||
* total size. */
|
||||
/*-
|
||||
* npad is, at most, 48 bytes and that's with MD5:
|
||||
* 16 + 48 + 8 (sequence bytes) + 1 + 2 = 75.
|
||||
*
|
||||
* With SHA-1 (the largest hash speced for SSLv3) the hash size
|
||||
* goes up 4, but npad goes down by 8, resulting in a smaller
|
||||
* total size.
|
||||
*/
|
||||
unsigned char header[75];
|
||||
unsigned j = 0;
|
||||
memcpy(header + j, mac_sec, md_size);
|
||||
|
50
ssl/s3_pkt.c
50
ssl/s3_pkt.c
@ -429,12 +429,12 @@ static int ssl3_get_record(SSL *s)
|
||||
rr->data = rr->input;
|
||||
|
||||
enc_err = s->method->ssl3_enc->enc(s, 0);
|
||||
/*-
|
||||
* enc_err is:
|
||||
* 0: (in non-constant time) if the record is publically invalid.
|
||||
* 1: if the padding is valid
|
||||
* -1: if the padding is invalid
|
||||
*/
|
||||
/*-
|
||||
* enc_err is:
|
||||
* 0: (in non-constant time) if the record is publically invalid.
|
||||
* 1: if the padding is valid
|
||||
* -1: if the padding is invalid
|
||||
*/
|
||||
if (enc_err == 0) {
|
||||
al = SSL_AD_DECRYPTION_FAILED;
|
||||
SSLerr(SSL_F_SSL3_GET_RECORD, SSL_R_BLOCK_CIPHER_PAD_IS_WRONG);
|
||||
@ -542,14 +542,14 @@ static int ssl3_get_record(SSL *s)
|
||||
}
|
||||
|
||||
rr->off = 0;
|
||||
/*-
|
||||
* So at this point the following is true
|
||||
* ssl->s3->rrec.type is the type of record
|
||||
* ssl->s3->rrec.length == number of bytes in record
|
||||
* ssl->s3->rrec.off == offset to first valid byte
|
||||
* ssl->s3->rrec.data == where to take bytes from, increment
|
||||
* after use :-).
|
||||
*/
|
||||
/*-
|
||||
* So at this point the following is true
|
||||
* ssl->s3->rrec.type is the type of record
|
||||
* ssl->s3->rrec.length == number of bytes in record
|
||||
* ssl->s3->rrec.off == offset to first valid byte
|
||||
* ssl->s3->rrec.data == where to take bytes from, increment
|
||||
* after use :-).
|
||||
*/
|
||||
|
||||
/* we have pulled in a full packet so zero things */
|
||||
s->packet_length = 0;
|
||||
@ -1198,12 +1198,12 @@ int ssl3_read_bytes(SSL *s, int type, unsigned char *buf, int len, int peek)
|
||||
start:
|
||||
s->rwstate = SSL_NOTHING;
|
||||
|
||||
/*-
|
||||
* s->s3->rrec.type - is the type of record
|
||||
* s->s3->rrec.data, - data
|
||||
* s->s3->rrec.off, - offset into 'data' for next read
|
||||
* s->s3->rrec.length, - number of bytes.
|
||||
*/
|
||||
/*-
|
||||
* s->s3->rrec.type - is the type of record
|
||||
* s->s3->rrec.data, - data
|
||||
* s->s3->rrec.off, - offset into 'data' for next read
|
||||
* s->s3->rrec.length, - number of bytes.
|
||||
*/
|
||||
rr = &(s->s3->rrec);
|
||||
|
||||
/* get new packet if necessary */
|
||||
@ -1321,11 +1321,11 @@ int ssl3_read_bytes(SSL *s, int type, unsigned char *buf, int len, int peek)
|
||||
}
|
||||
}
|
||||
|
||||
/*-
|
||||
* s->s3->handshake_fragment_len == 4 iff rr->type == SSL3_RT_HANDSHAKE;
|
||||
* s->s3->alert_fragment_len == 2 iff rr->type == SSL3_RT_ALERT.
|
||||
* (Possibly rr is 'empty' now, i.e. rr->length may be 0.)
|
||||
*/
|
||||
/*-
|
||||
* s->s3->handshake_fragment_len == 4 iff rr->type == SSL3_RT_HANDSHAKE;
|
||||
* s->s3->alert_fragment_len == 2 iff rr->type == SSL3_RT_ALERT.
|
||||
* (Possibly rr is 'empty' now, i.e. rr->length may be 0.)
|
||||
*/
|
||||
|
||||
/* If we are a client, check for an incoming 'Hello Request': */
|
||||
if ((!s->server) &&
|
||||
|
106
ssl/s3_srvr.c
106
ssl/s3_srvr.c
@ -1399,17 +1399,17 @@ int ssl3_get_client_hello(SSL *s)
|
||||
goto f_err;
|
||||
}
|
||||
|
||||
/*-
|
||||
* we now have the following setup.
|
||||
* client_random
|
||||
* cipher_list - our prefered list of ciphers
|
||||
* ciphers - the clients prefered list of ciphers
|
||||
* compression - basically ignored right now
|
||||
* ssl version is set - sslv3
|
||||
* s->session - The ssl session has been setup.
|
||||
* s->hit - session reuse flag
|
||||
* s->tmp.new_cipher - the new cipher to use.
|
||||
*/
|
||||
/*-
|
||||
* we now have the following setup.
|
||||
* client_random
|
||||
* cipher_list - our prefered list of ciphers
|
||||
* ciphers - the clients prefered list of ciphers
|
||||
* compression - basically ignored right now
|
||||
* ssl version is set - sslv3
|
||||
* s->session - The ssl session has been setup.
|
||||
* s->hit - session reuse flag
|
||||
* s->tmp.new_cipher - the new cipher to use.
|
||||
*/
|
||||
|
||||
/* Handles TLS extensions that we couldn't check earlier */
|
||||
if (s->version >= SSL3_VERSION) {
|
||||
@ -1456,22 +1456,22 @@ int ssl3_send_server_hello(SSL *s)
|
||||
memcpy(p, s->s3->server_random, SSL3_RANDOM_SIZE);
|
||||
p += SSL3_RANDOM_SIZE;
|
||||
|
||||
/*-
|
||||
* There are several cases for the session ID to send
|
||||
* back in the server hello:
|
||||
* - For session reuse from the session cache,
|
||||
* we send back the old session ID.
|
||||
* - If stateless session reuse (using a session ticket)
|
||||
* is successful, we send back the client's "session ID"
|
||||
* (which doesn't actually identify the session).
|
||||
* - If it is a new session, we send back the new
|
||||
* session ID.
|
||||
* - However, if we want the new session to be single-use,
|
||||
* we send back a 0-length session ID.
|
||||
* s->hit is non-zero in either case of session reuse,
|
||||
* so the following won't overwrite an ID that we're supposed
|
||||
* to send back.
|
||||
*/
|
||||
/*-
|
||||
* There are several cases for the session ID to send
|
||||
* back in the server hello:
|
||||
* - For session reuse from the session cache,
|
||||
* we send back the old session ID.
|
||||
* - If stateless session reuse (using a session ticket)
|
||||
* is successful, we send back the client's "session ID"
|
||||
* (which doesn't actually identify the session).
|
||||
* - If it is a new session, we send back the new
|
||||
* session ID.
|
||||
* - However, if we want the new session to be single-use,
|
||||
* we send back a 0-length session ID.
|
||||
* s->hit is non-zero in either case of session reuse,
|
||||
* so the following won't overwrite an ID that we're supposed
|
||||
* to send back.
|
||||
*/
|
||||
if (!(s->ctx->session_cache_mode & SSL_SESS_CACHE_SERVER)
|
||||
&& !s->hit)
|
||||
s->session->session_id_length = 0;
|
||||
@ -2505,11 +2505,11 @@ int ssl3_get_client_key_exchange(SSL *s)
|
||||
}
|
||||
}
|
||||
|
||||
/*- Was doing kssl_ctx_free() here,
|
||||
* but it caused problems for apache.
|
||||
* kssl_ctx = kssl_ctx_free(kssl_ctx);
|
||||
* if (s->kssl_ctx) s->kssl_ctx = NULL;
|
||||
*/
|
||||
/*- Was doing kssl_ctx_free() here,
|
||||
* but it caused problems for apache.
|
||||
* kssl_ctx = kssl_ctx_free(kssl_ctx);
|
||||
* if (s->kssl_ctx) s->kssl_ctx = NULL;
|
||||
*/
|
||||
} else
|
||||
#endif /* OPENSSL_NO_KRB5 */
|
||||
|
||||
@ -3306,14 +3306,14 @@ int ssl3_send_newsession_ticket(SSL *s)
|
||||
i2d_SSL_SESSION(sess, &p);
|
||||
SSL_SESSION_free(sess);
|
||||
|
||||
/*-
|
||||
* Grow buffer if need be: the length calculation is as
|
||||
* follows handshake_header_length +
|
||||
* 4 (ticket lifetime hint) + 2 (ticket length) +
|
||||
* 16 (key name) + max_iv_len (iv length) +
|
||||
* session_length + max_enc_block_size (max encrypted session
|
||||
* length) + max_md_size (HMAC).
|
||||
*/
|
||||
/*-
|
||||
* Grow buffer if need be: the length calculation is as
|
||||
* follows handshake_header_length +
|
||||
* 4 (ticket lifetime hint) + 2 (ticket length) +
|
||||
* 16 (key name) + max_iv_len (iv length) +
|
||||
* session_length + max_enc_block_size (max encrypted session
|
||||
* length) + max_md_size (HMAC).
|
||||
*/
|
||||
if (!BUF_MEM_grow(s->init_buf,
|
||||
SSL_HM_HEADER_LENGTH(s) + 22 + EVP_MAX_IV_LENGTH +
|
||||
EVP_MAX_BLOCK_LENGTH + EVP_MAX_MD_SIZE + slen))
|
||||
@ -3387,12 +3387,12 @@ int ssl3_send_cert_status(SSL *s)
|
||||
{
|
||||
if (s->state == SSL3_ST_SW_CERT_STATUS_A) {
|
||||
unsigned char *p;
|
||||
/*-
|
||||
* Grow buffer if need be: the length calculation is as
|
||||
* follows 1 (message type) + 3 (message length) +
|
||||
* 1 (ocsp response type) + 3 (ocsp response length)
|
||||
* + (ocsp response)
|
||||
*/
|
||||
/*-
|
||||
* Grow buffer if need be: the length calculation is as
|
||||
* follows 1 (message type) + 3 (message length) +
|
||||
* 1 (ocsp response type) + 3 (ocsp response length)
|
||||
* + (ocsp response)
|
||||
*/
|
||||
if (!BUF_MEM_grow(s->init_buf, 8 + s->tlsext_ocsp_resplen))
|
||||
return -1;
|
||||
|
||||
@ -3464,13 +3464,13 @@ int ssl3_get_next_proto(SSL *s)
|
||||
|
||||
p = (unsigned char *)s->init_msg;
|
||||
|
||||
/*-
|
||||
* The payload looks like:
|
||||
* uint8 proto_len;
|
||||
* uint8 proto[proto_len];
|
||||
* uint8 padding_len;
|
||||
* uint8 padding[padding_len];
|
||||
*/
|
||||
/*-
|
||||
* The payload looks like:
|
||||
* uint8 proto_len;
|
||||
* uint8 proto[proto_len];
|
||||
* uint8 padding_len;
|
||||
* uint8 padding[padding_len];
|
||||
*/
|
||||
proto_len = p[0];
|
||||
if (proto_len + 2 > s->init_num)
|
||||
return 0;
|
||||
|
20
ssl/ssl.h
20
ssl/ssl.h
@ -1149,16 +1149,16 @@ struct ssl_ctx_st {
|
||||
* ALPN.)
|
||||
*/
|
||||
|
||||
/*-
|
||||
* For a server, this contains a callback function that allows the
|
||||
* server to select the protocol for the connection.
|
||||
* out: on successful return, this must point to the raw protocol
|
||||
* name (without the length prefix).
|
||||
* outlen: on successful return, this contains the length of |*out|.
|
||||
* in: points to the client's list of supported protocols in
|
||||
* wire-format.
|
||||
* inlen: the length of |in|.
|
||||
*/
|
||||
/*-
|
||||
* For a server, this contains a callback function that allows the
|
||||
* server to select the protocol for the connection.
|
||||
* out: on successful return, this must point to the raw protocol
|
||||
* name (without the length prefix).
|
||||
* outlen: on successful return, this contains the length of |*out|.
|
||||
* in: points to the client's list of supported protocols in
|
||||
* wire-format.
|
||||
* inlen: the length of |in|.
|
||||
*/
|
||||
int (*alpn_select_cb) (SSL *s,
|
||||
const unsigned char **out,
|
||||
unsigned char *outlen,
|
||||
|
@ -1970,14 +1970,14 @@ int SSL_COMP_add_compression_method(int id, COMP_METHOD *cm)
|
||||
if (cm == NULL || cm->type == NID_undef)
|
||||
return 1;
|
||||
|
||||
/*-
|
||||
* According to draft-ietf-tls-compression-04.txt, the
|
||||
* compression number ranges should be the following:
|
||||
*
|
||||
* 0 to 63: methods defined by the IETF
|
||||
* 64 to 192: external party methods assigned by IANA
|
||||
* 193 to 255: reserved for private use
|
||||
*/
|
||||
/*-
|
||||
* According to draft-ietf-tls-compression-04.txt, the
|
||||
* compression number ranges should be the following:
|
||||
*
|
||||
* 0 to 63: methods defined by the IETF
|
||||
* 64 to 192: external party methods assigned by IANA
|
||||
* 193 to 255: reserved for private use
|
||||
*/
|
||||
if (id < 193 || id > 255) {
|
||||
SSLerr(SSL_F_SSL_COMP_ADD_COMPRESSION_METHOD,
|
||||
SSL_R_COMPRESSION_ID_NOT_WITHIN_PRIVATE_RANGE);
|
||||
|
@ -1904,12 +1904,12 @@ SSL_CTX *SSL_CTX_new(const SSL_METHOD *meth)
|
||||
ret->references = 1;
|
||||
ret->quiet_shutdown = 0;
|
||||
|
||||
/* ret->cipher=NULL;*/
|
||||
/* ret->cipher=NULL;*/
|
||||
/*-
|
||||
ret->s2->challenge=NULL;
|
||||
ret->master_key=NULL;
|
||||
ret->key_arg=NULL;
|
||||
ret->s2->conn_id=NULL; */
|
||||
ret->s2->challenge=NULL;
|
||||
ret->master_key=NULL;
|
||||
ret->key_arg=NULL;
|
||||
ret->s2->conn_id=NULL; */
|
||||
|
||||
ret->info_callback = NULL;
|
||||
|
||||
|
@ -534,13 +534,13 @@ typedef struct cert_pkey_st {
|
||||
/* Chain for this certificate */
|
||||
STACK_OF(X509) *chain;
|
||||
# ifndef OPENSSL_NO_TLSEXT
|
||||
/*-
|
||||
* serverinfo data for this certificate. The data is in TLS Extension
|
||||
* wire format, specifically it's a series of records like:
|
||||
* uint16_t extension_type; // (RFC 5246, 7.4.1.4, Extension)
|
||||
* uint16_t length;
|
||||
* uint8_t data[length];
|
||||
*/
|
||||
/*-
|
||||
* serverinfo data for this certificate. The data is in TLS Extension
|
||||
* wire format, specifically it's a series of records like:
|
||||
* uint16_t extension_type; // (RFC 5246, 7.4.1.4, Extension)
|
||||
* uint16_t length;
|
||||
* uint8_t data[length];
|
||||
*/
|
||||
unsigned char *serverinfo;
|
||||
size_t serverinfo_length;
|
||||
# endif
|
||||
|
@ -329,21 +329,21 @@ int ssl_get_new_session(SSL *s, int session)
|
||||
return (0);
|
||||
}
|
||||
#ifndef OPENSSL_NO_TLSEXT
|
||||
/*-
|
||||
* If RFC5077 ticket, use empty session ID (as server).
|
||||
* Note that:
|
||||
* (a) ssl_get_prev_session() does lookahead into the
|
||||
* ClientHello extensions to find the session ticket.
|
||||
* When ssl_get_prev_session() fails, s3_srvr.c calls
|
||||
* ssl_get_new_session() in ssl3_get_client_hello().
|
||||
* At that point, it has not yet parsed the extensions,
|
||||
* however, because of the lookahead, it already knows
|
||||
* whether a ticket is expected or not.
|
||||
*
|
||||
* (b) s3_clnt.c calls ssl_get_new_session() before parsing
|
||||
* ServerHello extensions, and before recording the session
|
||||
* ID received from the server, so this block is a noop.
|
||||
*/
|
||||
/*-
|
||||
* If RFC5077 ticket, use empty session ID (as server).
|
||||
* Note that:
|
||||
* (a) ssl_get_prev_session() does lookahead into the
|
||||
* ClientHello extensions to find the session ticket.
|
||||
* When ssl_get_prev_session() fails, s3_srvr.c calls
|
||||
* ssl_get_new_session() in ssl3_get_client_hello().
|
||||
* At that point, it has not yet parsed the extensions,
|
||||
* however, because of the lookahead, it already knows
|
||||
* whether a ticket is expected or not.
|
||||
*
|
||||
* (b) s3_clnt.c calls ssl_get_new_session() before parsing
|
||||
* ServerHello extensions, and before recording the session
|
||||
* ID received from the server, so this block is a noop.
|
||||
*/
|
||||
if (s->tlsext_ticket_expected) {
|
||||
ss->session_id_length = 0;
|
||||
goto sess_id_done;
|
||||
|
@ -292,8 +292,8 @@ int doit(io_channel chan, SSL_CTX *s_ctx)
|
||||
if ((s_to_c == NULL) || (c_to_s == NULL))
|
||||
goto err;
|
||||
/*- original, DRM 24-SEP-1997
|
||||
BIO_set_fd ( c_to_s, "", chan );
|
||||
BIO_set_fd ( s_to_c, "", chan );
|
||||
BIO_set_fd ( c_to_s, "", chan );
|
||||
BIO_set_fd ( s_to_c, "", chan );
|
||||
*/
|
||||
BIO_set_fd(c_to_s, 0, chan);
|
||||
BIO_set_fd(s_to_c, 0, chan);
|
||||
|
@ -1628,40 +1628,40 @@ int doit_biopair(SSL *s_ssl, SSL *c_ssl, long count,
|
||||
(void)BIO_set_ssl(s_ssl_bio, s_ssl, BIO_NOCLOSE);
|
||||
|
||||
do {
|
||||
/*-
|
||||
* c_ssl_bio: SSL filter BIO
|
||||
*
|
||||
* client: pseudo-I/O for SSL library
|
||||
*
|
||||
* client_io: client's SSL communication; usually to be
|
||||
* relayed over some I/O facility, but in this
|
||||
* test program, we're the server, too:
|
||||
*
|
||||
* server_io: server's SSL communication
|
||||
*
|
||||
* server: pseudo-I/O for SSL library
|
||||
*
|
||||
* s_ssl_bio: SSL filter BIO
|
||||
*
|
||||
* The client and the server each employ a "BIO pair":
|
||||
* client + client_io, server + server_io.
|
||||
* BIO pairs are symmetric. A BIO pair behaves similar
|
||||
* to a non-blocking socketpair (but both endpoints must
|
||||
* be handled by the same thread).
|
||||
* [Here we could connect client and server to the ends
|
||||
* of a single BIO pair, but then this code would be less
|
||||
* suitable as an example for BIO pairs in general.]
|
||||
*
|
||||
* Useful functions for querying the state of BIO pair endpoints:
|
||||
*
|
||||
* BIO_ctrl_pending(bio) number of bytes we can read now
|
||||
* BIO_ctrl_get_read_request(bio) number of bytes needed to fulfil
|
||||
* other side's read attempt
|
||||
* BIO_ctrl_get_write_guarantee(bio) number of bytes we can write now
|
||||
*
|
||||
* ..._read_request is never more than ..._write_guarantee;
|
||||
* it depends on the application which one you should use.
|
||||
*/
|
||||
/*-
|
||||
* c_ssl_bio: SSL filter BIO
|
||||
*
|
||||
* client: pseudo-I/O for SSL library
|
||||
*
|
||||
* client_io: client's SSL communication; usually to be
|
||||
* relayed over some I/O facility, but in this
|
||||
* test program, we're the server, too:
|
||||
*
|
||||
* server_io: server's SSL communication
|
||||
*
|
||||
* server: pseudo-I/O for SSL library
|
||||
*
|
||||
* s_ssl_bio: SSL filter BIO
|
||||
*
|
||||
* The client and the server each employ a "BIO pair":
|
||||
* client + client_io, server + server_io.
|
||||
* BIO pairs are symmetric. A BIO pair behaves similar
|
||||
* to a non-blocking socketpair (but both endpoints must
|
||||
* be handled by the same thread).
|
||||
* [Here we could connect client and server to the ends
|
||||
* of a single BIO pair, but then this code would be less
|
||||
* suitable as an example for BIO pairs in general.]
|
||||
*
|
||||
* Useful functions for querying the state of BIO pair endpoints:
|
||||
*
|
||||
* BIO_ctrl_pending(bio) number of bytes we can read now
|
||||
* BIO_ctrl_get_read_request(bio) number of bytes needed to fulfil
|
||||
* other side's read attempt
|
||||
* BIO_ctrl_get_write_guarantee(bio) number of bytes we can write now
|
||||
*
|
||||
* ..._read_request is never more than ..._write_guarantee;
|
||||
* it depends on the application which one you should use.
|
||||
*/
|
||||
|
||||
/*
|
||||
* We have non-blocking behaviour throughout this test program, but
|
||||
@ -2053,10 +2053,10 @@ int doit(SSL *s_ssl, SSL *c_ssl, long count)
|
||||
printf("server waiting in SSL_accept - %s\n",
|
||||
SSL_state_string_long(s_ssl));
|
||||
/*-
|
||||
else if (s_write)
|
||||
printf("server:SSL_write()\n");
|
||||
else
|
||||
printf("server:SSL_read()\n"); */
|
||||
else if (s_write)
|
||||
printf("server:SSL_write()\n");
|
||||
else
|
||||
printf("server:SSL_read()\n"); */
|
||||
}
|
||||
|
||||
if (do_client && debug) {
|
||||
@ -2064,10 +2064,10 @@ int doit(SSL *s_ssl, SSL *c_ssl, long count)
|
||||
printf("client waiting in SSL_connect - %s\n",
|
||||
SSL_state_string_long(c_ssl));
|
||||
/*-
|
||||
else if (c_write)
|
||||
printf("client:SSL_write()\n");
|
||||
else
|
||||
printf("client:SSL_read()\n"); */
|
||||
else if (c_write)
|
||||
printf("client:SSL_write()\n");
|
||||
else
|
||||
printf("client:SSL_read()\n"); */
|
||||
}
|
||||
|
||||
if (!do_client && !do_server) {
|
||||
|
114
ssl/t1_lib.c
114
ssl/t1_lib.c
@ -1212,14 +1212,14 @@ unsigned char *ssl_add_clienthello_tlsext(SSL *s, unsigned char *buf,
|
||||
unsigned long size_str;
|
||||
long lenmax;
|
||||
|
||||
/*-
|
||||
* check for enough space.
|
||||
* 4 for the servername type and entension length
|
||||
* 2 for servernamelist length
|
||||
* 1 for the hostname type
|
||||
* 2 for hostname length
|
||||
* + hostname length
|
||||
*/
|
||||
/*-
|
||||
* check for enough space.
|
||||
* 4 for the servername type and entension length
|
||||
* 2 for servernamelist length
|
||||
* 1 for the hostname type
|
||||
* 2 for hostname length
|
||||
* + hostname length
|
||||
*/
|
||||
|
||||
if ((lenmax = limit - ret - 9) < 0
|
||||
|| (size_str =
|
||||
@ -1273,12 +1273,12 @@ unsigned char *ssl_add_clienthello_tlsext(SSL *s, unsigned char *buf,
|
||||
return NULL;
|
||||
}
|
||||
|
||||
/*-
|
||||
* check for enough space.
|
||||
* 4 for the srp type type and entension length
|
||||
* 1 for the srp user identity
|
||||
* + srp user identity length
|
||||
*/
|
||||
/*-
|
||||
* check for enough space.
|
||||
* 4 for the srp type type and entension length
|
||||
* 1 for the srp user identity
|
||||
* + srp user identity length
|
||||
*/
|
||||
if ((limit - ret - 5 - login_len) < 0)
|
||||
return NULL;
|
||||
|
||||
@ -1453,11 +1453,11 @@ unsigned char *ssl_add_clienthello_tlsext(SSL *s, unsigned char *buf,
|
||||
return NULL;
|
||||
s2n(TLSEXT_TYPE_heartbeat, ret);
|
||||
s2n(1, ret);
|
||||
/*-
|
||||
* Set mode:
|
||||
* 1: peer may send requests
|
||||
* 2: peer not allowed to send requests
|
||||
*/
|
||||
/*-
|
||||
* Set mode:
|
||||
* 1: peer may send requests
|
||||
* 2: peer not allowed to send requests
|
||||
*/
|
||||
if (s->tlsext_heartbeat & SSL_TLSEXT_HB_DONT_RECV_REQUESTS)
|
||||
*(ret++) = SSL_TLSEXT_HB_DONT_SEND_REQUESTS;
|
||||
else
|
||||
@ -1709,11 +1709,11 @@ unsigned char *ssl_add_serverhello_tlsext(SSL *s, unsigned char *buf,
|
||||
return NULL;
|
||||
s2n(TLSEXT_TYPE_heartbeat, ret);
|
||||
s2n(1, ret);
|
||||
/*-
|
||||
* Set mode:
|
||||
* 1: peer may send requests
|
||||
* 2: peer not allowed to send requests
|
||||
*/
|
||||
/*-
|
||||
* Set mode:
|
||||
* 1: peer may send requests
|
||||
* 2: peer not allowed to send requests
|
||||
*/
|
||||
if (s->tlsext_heartbeat & SSL_TLSEXT_HB_DONT_RECV_REQUESTS)
|
||||
*(ret++) = SSL_TLSEXT_HB_DONT_SEND_REQUESTS;
|
||||
else
|
||||
@ -2344,23 +2344,23 @@ static int ssl_scan_clienthello_tlsext(SSL *s, unsigned char **p,
|
||||
else if (type == TLSEXT_TYPE_next_proto_neg &&
|
||||
s->s3->tmp.finish_md_len == 0 &&
|
||||
s->s3->alpn_selected == NULL) {
|
||||
/*-
|
||||
* We shouldn't accept this extension on a
|
||||
* renegotiation.
|
||||
*
|
||||
* s->new_session will be set on renegotiation, but we
|
||||
* probably shouldn't rely that it couldn't be set on
|
||||
* the initial renegotation too in certain cases (when
|
||||
* there's some other reason to disallow resuming an
|
||||
* earlier session -- the current code won't be doing
|
||||
* anything like that, but this might change).
|
||||
*
|
||||
* A valid sign that there's been a previous handshake
|
||||
* in this connection is if s->s3->tmp.finish_md_len >
|
||||
* 0. (We are talking about a check that will happen
|
||||
* in the Hello protocol round, well before a new
|
||||
* Finished message could have been computed.)
|
||||
*/
|
||||
/*-
|
||||
* We shouldn't accept this extension on a
|
||||
* renegotiation.
|
||||
*
|
||||
* s->new_session will be set on renegotiation, but we
|
||||
* probably shouldn't rely that it couldn't be set on
|
||||
* the initial renegotation too in certain cases (when
|
||||
* there's some other reason to disallow resuming an
|
||||
* earlier session -- the current code won't be doing
|
||||
* anything like that, but this might change).
|
||||
*
|
||||
* A valid sign that there's been a previous handshake
|
||||
* in this connection is if s->s3->tmp.finish_md_len >
|
||||
* 0. (We are talking about a check that will happen
|
||||
* in the Hello protocol round, well before a new
|
||||
* Finished message could have been computed.)
|
||||
*/
|
||||
s->s3->next_proto_neg_seen = 1;
|
||||
}
|
||||
# endif
|
||||
@ -2682,12 +2682,12 @@ static int ssl_scan_serverhello_tlsext(SSL *s, unsigned char **p,
|
||||
*al = TLS1_AD_DECODE_ERROR;
|
||||
return 0;
|
||||
}
|
||||
/*-
|
||||
* The extension data consists of:
|
||||
* uint16 list_length
|
||||
* uint8 proto_length;
|
||||
* uint8 proto[proto_length];
|
||||
*/
|
||||
/*-
|
||||
* The extension data consists of:
|
||||
* uint16 list_length
|
||||
* uint8 proto_length;
|
||||
* uint8 proto[proto_length];
|
||||
*/
|
||||
len = data[0];
|
||||
len <<= 8;
|
||||
len |= data[1];
|
||||
@ -3895,16 +3895,16 @@ int tls1_heartbeat(SSL *s)
|
||||
*/
|
||||
OPENSSL_assert(payload + padding <= 16381);
|
||||
|
||||
/*-
|
||||
* Create HeartBeat message, we just use a sequence number
|
||||
* as payload to distuingish different messages and add
|
||||
* some random stuff.
|
||||
* - Message Type, 1 byte
|
||||
* - Payload Length, 2 bytes (unsigned int)
|
||||
* - Payload, the sequence number (2 bytes uint)
|
||||
* - Payload, random bytes (16 bytes uint)
|
||||
* - Padding
|
||||
*/
|
||||
/*-
|
||||
* Create HeartBeat message, we just use a sequence number
|
||||
* as payload to distuingish different messages and add
|
||||
* some random stuff.
|
||||
* - Message Type, 1 byte
|
||||
* - Payload Length, 2 bytes (unsigned int)
|
||||
* - Payload, the sequence number (2 bytes uint)
|
||||
* - Payload, random bytes (16 bytes uint)
|
||||
* - Padding
|
||||
*/
|
||||
buf = OPENSSL_malloc(1 + 2 + payload + padding);
|
||||
p = buf;
|
||||
/* Message Type */
|
||||
|
@ -86,13 +86,13 @@ char *argv[];
|
||||
METH_arg(tmp2, METH_TYPE_DIR, "/usr/local/ssl/certs");
|
||||
METH_push(top, METH_X509_CA_BY_SUBJECT, tmp2);
|
||||
|
||||
/*- tmp=METH_new(x509_by_issuer_dir);
|
||||
METH_arg(tmp,METH_TYPE_DIR,"/home/eay/.mycerts");
|
||||
METH_push(top,METH_X509_BY_ISSUER,tmp);
|
||||
/*- tmp=METH_new(x509_by_issuer_dir);
|
||||
METH_arg(tmp,METH_TYPE_DIR,"/home/eay/.mycerts");
|
||||
METH_push(top,METH_X509_BY_ISSUER,tmp);
|
||||
|
||||
tmp=METH_new(x509_by_issuer_primary);
|
||||
METH_arg(tmp,METH_TYPE_FILE,"/home/eay/.mycerts/primary.pem");
|
||||
METH_push(top,METH_X509_BY_ISSUER,tmp);
|
||||
tmp=METH_new(x509_by_issuer_primary);
|
||||
METH_arg(tmp,METH_TYPE_FILE,"/home/eay/.mycerts/primary.pem");
|
||||
METH_push(top,METH_X509_BY_ISSUER,tmp);
|
||||
*/
|
||||
|
||||
METH_init(top);
|
||||
|
Loading…
Reference in New Issue
Block a user