indent has problems with comments that are on the right hand side of a line.
Sometimes it fails to format them very well, and sometimes it corrupts them! This commit moves some particularly problematic ones. Conflicts: crypto/bn/bn.h crypto/ec/ec_lcl.h crypto/rsa/rsa.h demos/engines/ibmca/hw_ibmca.c ssl/ssl.h ssl/ssl3.h Conflicts: crypto/ec/ec_lcl.h ssl/tls1.h Conflicts: crypto/ec/ecp_nistp224.c crypto/evp/evp.h ssl/d1_both.c ssl/ssl.h ssl/ssl_lib.c Conflicts: crypto/bio/bss_file.c crypto/ec/ec_lcl.h crypto/evp/evp.h crypto/store/str_mem.c crypto/whrlpool/wp_block.c crypto/x509/x509_vfy.h ssl/ssl.h ssl/ssl3.h ssl/ssltest.c ssl/t1_lib.c ssl/tls1.h Reviewed-by: Tim Hudson <tjh@openssl.org>
This commit is contained in:
		| @@ -1464,7 +1464,9 @@ static void print_stuff(BIO *bio, SSL *s, int full) | |||||||
| 		if (peer != NULL) | 		if (peer != NULL) | ||||||
| 			{ | 			{ | ||||||
| 			BIO_printf(bio,"Server certificate\n"); | 			BIO_printf(bio,"Server certificate\n"); | ||||||
| 			if (!(c_showcerts && got_a_chain)) /* Redundant if we showed the whole chain */ |  | ||||||
|  | 			/* Redundant if we showed the whole chain */ | ||||||
|  | 			if (!(c_showcerts && got_a_chain)) | ||||||
| 				PEM_write_bio_X509(bio,peer); | 				PEM_write_bio_X509(bio,peer); | ||||||
| 			X509_NAME_oneline(X509_get_subject_name(peer), | 			X509_NAME_oneline(X509_get_subject_name(peer), | ||||||
| 				buf,sizeof buf); | 				buf,sizeof buf); | ||||||
|   | |||||||
| @@ -291,13 +291,16 @@ time_t ASN1_UTCTIME_get(const ASN1_UTCTIME *s) | |||||||
| 		} | 		} | ||||||
| #undef g2 | #undef g2 | ||||||
|  |  | ||||||
| 	return mktime(&tm)-offset*60; /* FIXME: mktime assumes the current timezone | 	/* | ||||||
| 	                               * instead of UTC, and unless we rewrite OpenSSL | 	 * FIXME: mktime assumes the current timezone | ||||||
| 				       * in Lisp we cannot locally change the timezone | 	 * instead of UTC, and unless we rewrite OpenSSL | ||||||
| 				       * without possibly interfering with other parts | 	 * in Lisp we cannot locally change the timezone | ||||||
| 	                               * of the program. timegm, which uses UTC, is | 	 * without possibly interfering with other parts | ||||||
| 				       * non-standard. | 	 * of the program. timegm, which uses UTC, is | ||||||
| 	                               * Also time_t is inappropriate for general | 	 * non-standard. | ||||||
| 	                               * UTC times because it may a 32 bit type. */ | 	 * Also time_t is inappropriate for general | ||||||
|  | 	 * UTC times because it may a 32 bit type. | ||||||
|  | 	 */ | ||||||
|  | 	return mktime(&tm)-offset*60;  | ||||||
| 	} | 	} | ||||||
| #endif | #endif | ||||||
|   | |||||||
| @@ -295,8 +295,11 @@ static void xsyslog(BIO *bp, int priority, const char *string) | |||||||
| 	case LOG_DEBUG: | 	case LOG_DEBUG: | ||||||
| 		evtype = EVENTLOG_INFORMATION_TYPE; | 		evtype = EVENTLOG_INFORMATION_TYPE; | ||||||
| 		break; | 		break; | ||||||
| 	default:		/* Should never happen, but set it | 	default: | ||||||
| 				   as error anyway. */ | 		/* | ||||||
|  | 		 * Should never happen, but set it | ||||||
|  | 		 * as error anyway. | ||||||
|  | 		 */ | ||||||
| 		evtype = EVENTLOG_ERROR_TYPE; | 		evtype = EVENTLOG_ERROR_TYPE; | ||||||
| 		break; | 		break; | ||||||
| 		} | 		} | ||||||
|   | |||||||
| @@ -245,16 +245,22 @@ extern "C" { | |||||||
|  |  | ||||||
| #define BN_FLG_MALLOCED		0x01 | #define BN_FLG_MALLOCED		0x01 | ||||||
| #define BN_FLG_STATIC_DATA	0x02 | #define BN_FLG_STATIC_DATA	0x02 | ||||||
| #define BN_FLG_CONSTTIME	0x04 /* avoid leaking exponent information through timing, |  | ||||||
|                                       * BN_mod_exp_mont() will call BN_mod_exp_mont_consttime, |  | ||||||
|                                       * BN_div() will call BN_div_no_branch, |  | ||||||
|                                       * BN_mod_inverse() will call BN_mod_inverse_no_branch. |  | ||||||
|                                       */ |  | ||||||
|  |  | ||||||
| #ifndef OPENSSL_NO_DEPRECATED | /* | ||||||
| #define BN_FLG_EXP_CONSTTIME BN_FLG_CONSTTIME /* deprecated name for the flag */ |  * avoid leaking exponent information through timing, | ||||||
|                                       /* avoid leaking exponent information through timings |  * BN_mod_exp_mont() will call BN_mod_exp_mont_consttime, | ||||||
|                                       * (BN_mod_exp_mont() will call BN_mod_exp_mont_consttime) */ |  * BN_div() will call BN_div_no_branch, | ||||||
|  |  * BN_mod_inverse() will call BN_mod_inverse_no_branch. | ||||||
|  |  */ | ||||||
|  | #define BN_FLG_CONSTTIME	0x04  | ||||||
|  |  | ||||||
|  | #ifdef OPENSSL_NO_DEPRECATED | ||||||
|  | /* deprecated name for the flag */ | ||||||
|  | #define BN_FLG_EXP_CONSTTIME BN_FLG_CONSTTIME  | ||||||
|  | /* | ||||||
|  |  * avoid leaking exponent information through timings | ||||||
|  |  * (BN_mod_exp_mont() will call BN_mod_exp_mont_consttime) | ||||||
|  |  */ | ||||||
| #endif | #endif | ||||||
|  |  | ||||||
| #ifndef OPENSSL_NO_DEPRECATED | #ifndef OPENSSL_NO_DEPRECATED | ||||||
|   | |||||||
| @@ -355,9 +355,12 @@ static BN_ULONG *bn_expand_internal(const BIGNUM *b, int words) | |||||||
| 		case 3:	A[2]=B[2]; | 		case 3:	A[2]=B[2]; | ||||||
| 		case 2:	A[1]=B[1]; | 		case 2:	A[1]=B[1]; | ||||||
| 		case 1:	A[0]=B[0]; | 		case 1:	A[0]=B[0]; | ||||||
| 		case 0: /* workaround for ultrix cc: without 'case 0', the optimizer does | 		case 0: | ||||||
| 		         * the switch table by doing a=top&3; a--; goto jump_table[a]; | 			/* | ||||||
| 		         * which fails for top== 0 */ | 			 * workaround for ultrix cc: without 'case 0', the optimizer does | ||||||
|  | 			 * the switch table by doing a=top&3; a--; goto jump_table[a]; | ||||||
|  | 			 * which fails for top== 0 | ||||||
|  | 			 */ | ||||||
| 			; | 			; | ||||||
| 			} | 			} | ||||||
| 		} | 		} | ||||||
|   | |||||||
| @@ -75,7 +75,8 @@ | |||||||
| #endif | #endif | ||||||
| #endif | #endif | ||||||
|  |  | ||||||
| /* #define SIGACTION */ /* Define this if you have sigaction() */ | /* Define this if you have sigaction() */ | ||||||
|  | /* #define SIGACTION */ | ||||||
|  |  | ||||||
| #ifdef WIN16TTY | #ifdef WIN16TTY | ||||||
| #undef OPENSSL_SYS_WIN16 | #undef OPENSSL_SYS_WIN16 | ||||||
|   | |||||||
| @@ -80,13 +80,16 @@ | |||||||
| #define OPENSSL_DH_FIPS_MIN_MODULUS_BITS 1024 | #define OPENSSL_DH_FIPS_MIN_MODULUS_BITS 1024 | ||||||
|  |  | ||||||
| #define DH_FLAG_CACHE_MONT_P     0x01 | #define DH_FLAG_CACHE_MONT_P     0x01 | ||||||
| #define DH_FLAG_NO_EXP_CONSTTIME 0x02 /* new with 0.9.7h; the built-in DH |  | ||||||
|                                        * implementation now uses constant time | /* | ||||||
|                                        * modular exponentiation for secret exponents |  * new with 0.9.7h; the built-in DH | ||||||
|                                        * by default. This flag causes the |  * implementation now uses constant time | ||||||
|                                        * faster variable sliding window method to |  * modular exponentiation for secret exponents | ||||||
|                                        * be used for all exponents. |  * by default. This flag causes the | ||||||
|                                        */ |  * faster variable sliding window method to | ||||||
|  |  * be used for all exponents. | ||||||
|  |  */ | ||||||
|  | #define DH_FLAG_NO_EXP_CONSTTIME 0x02 | ||||||
|  |  | ||||||
| #ifdef  __cplusplus | #ifdef  __cplusplus | ||||||
| extern "C" { | extern "C" { | ||||||
|   | |||||||
| @@ -200,34 +200,41 @@ struct ec_group_st { | |||||||
| 	/* The following members are handled by the method functions, | 	/* The following members are handled by the method functions, | ||||||
| 	 * even if they appear generic */ | 	 * even if they appear generic */ | ||||||
| 	 | 	 | ||||||
| 	BIGNUM field; /* Field specification. | 	/* Field specification. | ||||||
| 	               * For curves over GF(p), this is the modulus; | 	 * For curves over GF(p), this is the modulus; | ||||||
| 	               * for curves over GF(2^m), this is the  | 	 * for curves over GF(2^m), this is the  | ||||||
| 	               * irreducible polynomial defining the field. | 	 * irreducible polynomial defining the field. | ||||||
| 	               */ | 	 */ | ||||||
|  | 	BIGNUM field; | ||||||
|  |  | ||||||
| 	unsigned int poly[5]; /* Field specification for curves over GF(2^m). | 	/* Field specification for curves over GF(2^m). | ||||||
| 	                       * The irreducible f(t) is then of the form: | 	 * The irreducible f(t) is then of the form: | ||||||
| 	                       *     t^poly[0] + t^poly[1] + ... + t^poly[k] | 	 *     t^poly[0] + t^poly[1] + ... + t^poly[k] | ||||||
| 	                       * where m = poly[0] > poly[1] > ... > poly[k] = 0. | 	 * where m = poly[0] > poly[1] > ... > poly[k] = 0. | ||||||
| 	                       */ | 	 */ | ||||||
|  | 	unsigned int poly[5]; | ||||||
|  |  | ||||||
| 	BIGNUM a, b; /* Curve coefficients. | 	/* Curve coefficients. | ||||||
| 	              * (Here the assumption is that BIGNUMs can be used | 	 * (Here the assumption is that BIGNUMs can be used | ||||||
| 	              * or abused for all kinds of fields, not just GF(p).) | 	 * or abused for all kinds of fields, not just GF(p).) | ||||||
| 	              * For characteristic  > 3,  the curve is defined | 	 * For characteristic  > 3,  the curve is defined | ||||||
| 	              * by a Weierstrass equation of the form | 	 * by a Weierstrass equation of the form | ||||||
| 	              *     y^2 = x^3 + a*x + b. | 	 *     y^2 = x^3 + a*x + b. | ||||||
| 	              * For characteristic  2,  the curve is defined by | 	 * For characteristic  2,  the curve is defined by | ||||||
| 	              * an equation of the form | 	 * an equation of the form | ||||||
| 	              *     y^2 + x*y = x^3 + a*x^2 + b. | 	 *     y^2 + x*y = x^3 + a*x^2 + b. | ||||||
| 	              */ | 	 */ | ||||||
|  | 	BIGNUM a, b; | ||||||
|  |  | ||||||
| 	int a_is_minus3; /* enable optimized point arithmetics for special case */ | 	/* enable optimized point arithmetics for special case */ | ||||||
|  | 	int a_is_minus3; | ||||||
|  |  | ||||||
| 	void *field_data1; /* method-specific (e.g., Montgomery structure) */ | 	/* method-specific (e.g., Montgomery structure) */ | ||||||
| 	void *field_data2; /* method-specific */ | 	void *field_data1; | ||||||
| 	int (*field_mod_func)(BIGNUM *, const BIGNUM *, const BIGNUM *,	BN_CTX *); /* method-specific */ | 	/* method-specific */ | ||||||
|  | 	void *field_data2; | ||||||
|  | 	/* method-specific */ | ||||||
|  | 	int (*field_mod_func)(BIGNUM *, const BIGNUM *, const BIGNUM *,	BN_CTX *); | ||||||
| } /* EC_GROUP */; | } /* EC_GROUP */; | ||||||
|  |  | ||||||
| struct ec_key_st { | struct ec_key_st { | ||||||
|   | |||||||
| @@ -260,10 +260,11 @@ typedef struct | |||||||
| 	void *key; | 	void *key; | ||||||
| 	} EVP_MD_SVCTX; | 	} EVP_MD_SVCTX; | ||||||
|  |  | ||||||
| #define EVP_MD_FLAG_ONESHOT	0x0001 /* digest can only handle a single | /* digest can only handle a single block */ | ||||||
| 					* block */ | #define EVP_MD_FLAG_ONESHOT	0x0001 | ||||||
|  |  | ||||||
| #define EVP_MD_FLAG_FIPS	0x0400 /* Note if suitable for use in FIPS mode */ | /* Note if suitable for use in FIPS mode */ | ||||||
|  | #define EVP_MD_FLAG_FIPS	0x0400 | ||||||
|  |  | ||||||
| #define EVP_MD_FLAG_SVCTX	0x0800 /* pass EVP_MD_SVCTX to sign/verify */ | #define EVP_MD_FLAG_SVCTX	0x0800 /* pass EVP_MD_SVCTX to sign/verify */ | ||||||
|  |  | ||||||
| @@ -333,19 +334,33 @@ struct evp_cipher_st | |||||||
| 	{ | 	{ | ||||||
| 	int nid; | 	int nid; | ||||||
| 	int block_size; | 	int block_size; | ||||||
| 	int key_len;		/* Default value for variable length ciphers */ |  | ||||||
|  | 	/* Default value for variable length ciphers */ | ||||||
|  | 	int key_len; | ||||||
| 	int iv_len; | 	int iv_len; | ||||||
| 	unsigned long flags;	/* Various flags */ |  | ||||||
|  | 	/* Various flags */ | ||||||
|  | 	unsigned long flags; | ||||||
|  | 	 | ||||||
|  | 	/* init key */ | ||||||
| 	int (*init)(EVP_CIPHER_CTX *ctx, const unsigned char *key, | 	int (*init)(EVP_CIPHER_CTX *ctx, const unsigned char *key, | ||||||
| 		    const unsigned char *iv, int enc);	/* init key */ | 		    const unsigned char *iv, int enc); | ||||||
|  | 		     | ||||||
|  | 	/* encrypt/decrypt data */ | ||||||
| 	int (*do_cipher)(EVP_CIPHER_CTX *ctx, unsigned char *out, | 	int (*do_cipher)(EVP_CIPHER_CTX *ctx, unsigned char *out, | ||||||
| 			 const unsigned char *in, unsigned int inl);/* encrypt/decrypt data */ | 			 const unsigned char *in, unsigned int inl); | ||||||
| 	int (*cleanup)(EVP_CIPHER_CTX *); /* cleanup ctx */ | 	/* cleanup ctx */ | ||||||
| 	int ctx_size;		/* how big ctx->cipher_data needs to be */ | 	int (*cleanup)(EVP_CIPHER_CTX *); | ||||||
| 	int (*set_asn1_parameters)(EVP_CIPHER_CTX *, ASN1_TYPE *); /* Populate a ASN1_TYPE with parameters */ | 	/* how big ctx->cipher_data needs to be */ | ||||||
| 	int (*get_asn1_parameters)(EVP_CIPHER_CTX *, ASN1_TYPE *); /* Get parameters from a ASN1_TYPE */ | 	int ctx_size; | ||||||
| 	int (*ctrl)(EVP_CIPHER_CTX *, int type, int arg, void *ptr); /* Miscellaneous operations */ | 	/* Populate a ASN1_TYPE with parameters */ | ||||||
| 	void *app_data;		/* Application data */ | 	int (*set_asn1_parameters)(EVP_CIPHER_CTX *, ASN1_TYPE *); | ||||||
|  | 	/* Get parameters from a ASN1_TYPE */ | ||||||
|  | 	int (*get_asn1_parameters)(EVP_CIPHER_CTX *, ASN1_TYPE *); | ||||||
|  | 	/* Miscellaneous operations */ | ||||||
|  | 	int (*ctrl)(EVP_CIPHER_CTX *, int type, int arg, void *ptr); | ||||||
|  | 	/* Application data */ | ||||||
|  | 	void *app_data; | ||||||
| 	} /* EVP_CIPHER */; | 	} /* EVP_CIPHER */; | ||||||
|  |  | ||||||
| /* Values for cipher flags */ | /* Values for cipher flags */ | ||||||
| @@ -420,14 +435,22 @@ struct evp_cipher_ctx_st | |||||||
|  |  | ||||||
| typedef struct evp_Encode_Ctx_st | typedef struct evp_Encode_Ctx_st | ||||||
| 	{ | 	{ | ||||||
| 	int num;	/* number saved in a partial encode/decode */ | 	/* number saved in a partial encode/decode */ | ||||||
| 	int length;	/* The length is either the output line length | 	int num; | ||||||
| 			 * (in input bytes) or the shortest input line |  | ||||||
| 			 * length that is ok.  Once decoding begins, | 	/* The length is either the output line length | ||||||
| 			 * the length is adjusted up each time a longer | 	 * (in input bytes) or the shortest input line | ||||||
| 			 * line is decoded */ | 	 * length that is ok.  Once decoding begins, | ||||||
| 	unsigned char enc_data[80];	/* data to encode */ | 	 * the length is adjusted up each time a longer | ||||||
| 	int line_num;	/* number read on current line */ | 	 * line is decoded | ||||||
|  | 	 */ | ||||||
|  | 	int length; | ||||||
|  |  | ||||||
|  | 	/* data to encode */ | ||||||
|  | 	unsigned char enc_data[80]; | ||||||
|  |  | ||||||
|  | 	/* number read on current line */ | ||||||
|  | 	int line_num; | ||||||
| 	int expect_nl; | 	int expect_nl; | ||||||
| 	} EVP_ENCODE_CTX; | 	} EVP_ENCODE_CTX; | ||||||
|  |  | ||||||
|   | |||||||
| @@ -177,12 +177,13 @@ typedef BOOL (WINAPI *MODULE32)(HANDLE, LPMODULEENTRY32); | |||||||
|  |  | ||||||
| #include <lmcons.h> | #include <lmcons.h> | ||||||
| #include <lmstats.h> | #include <lmstats.h> | ||||||
| #if 1 /* The NET API is Unicode only.  It requires the use of the UNICODE | #if 1 | ||||||
|        * macro.  When UNICODE is defined LPTSTR becomes LPWSTR.  LMSTR was | /* The NET API is Unicode only.  It requires the use of the UNICODE | ||||||
|        * was added to the Platform SDK to allow the NET API to be used in |  * macro.  When UNICODE is defined LPTSTR becomes LPWSTR.  LMSTR was | ||||||
|        * non-Unicode applications provided that Unicode strings were still |  * was added to the Platform SDK to allow the NET API to be used in | ||||||
|        * used for input.  LMSTR is defined as LPWSTR. |  * non-Unicode applications provided that Unicode strings were still | ||||||
|        */ |  * used for input.  LMSTR is defined as LPWSTR. | ||||||
|  |  */ | ||||||
| typedef NET_API_STATUS (NET_API_FUNCTION * NETSTATGET) | typedef NET_API_STATUS (NET_API_FUNCTION * NETSTATGET) | ||||||
|         (LPWSTR, LPWSTR, DWORD, DWORD, LPBYTE*); |         (LPWSTR, LPWSTR, DWORD, DWORD, LPBYTE*); | ||||||
| typedef NET_API_STATUS (NET_API_FUNCTION * NETFREE)(LPBYTE); | typedef NET_API_STATUS (NET_API_FUNCTION * NETFREE)(LPBYTE); | ||||||
|   | |||||||
| @@ -188,7 +188,9 @@ struct rsa_st | |||||||
| # define OPENSSL_RSA_SMALL_MODULUS_BITS	3072 | # define OPENSSL_RSA_SMALL_MODULUS_BITS	3072 | ||||||
| #endif | #endif | ||||||
| #ifndef OPENSSL_RSA_MAX_PUBEXP_BITS | #ifndef OPENSSL_RSA_MAX_PUBEXP_BITS | ||||||
| # define OPENSSL_RSA_MAX_PUBEXP_BITS	64 /* exponent limit enforced for "large" modulus only */ |  | ||||||
|  | /* exponent limit enforced for "large" modulus only */ | ||||||
|  | # define OPENSSL_RSA_MAX_PUBEXP_BITS	64 | ||||||
| #endif | #endif | ||||||
|  |  | ||||||
| #define RSA_3	0x3L | #define RSA_3	0x3L | ||||||
| @@ -211,30 +213,36 @@ struct rsa_st | |||||||
|  */ |  */ | ||||||
| #define RSA_FLAG_SIGN_VER		0x0040 | #define RSA_FLAG_SIGN_VER		0x0040 | ||||||
|  |  | ||||||
| #define RSA_FLAG_NO_BLINDING		0x0080 /* new with 0.9.6j and 0.9.7b; the built-in | /* | ||||||
|                                                 * RSA implementation now uses blinding by |  * new with 0.9.6j and 0.9.7b; the built-in | ||||||
|                                                 * default (ignoring RSA_FLAG_BLINDING), |  * RSA implementation now uses blinding by | ||||||
|                                                 * but other engines might not need it |  * default (ignoring RSA_FLAG_BLINDING), | ||||||
|                                                 */ |  * but other engines might not need it | ||||||
| #define RSA_FLAG_NO_CONSTTIME		0x0100 /* new with 0.9.8f; the built-in RSA |  */ | ||||||
| 						* implementation now uses constant time | #define RSA_FLAG_NO_BLINDING		0x0080 | ||||||
| 						* operations by default in private key operations, | /* | ||||||
| 						* e.g., constant time modular exponentiation,  |  * new with 0.9.8f; the built-in RSA | ||||||
|                                                 * modular inverse without leaking branches,  |  * implementation now uses constant time | ||||||
|                                                 * division without leaking branches. This  |  * operations by default in private key operations, | ||||||
|                                                 * flag disables these constant time  |  * e.g., constant time modular exponentiation,  | ||||||
|                                                 * operations and results in faster RSA  |  * modular inverse without leaking branches,  | ||||||
|                                                 * private key operations. |  * division without leaking branches. This  | ||||||
|                                                 */  |  * flag disables these constant time  | ||||||
| #ifndef OPENSSL_NO_DEPRECATED |  * operations and results in faster RSA  | ||||||
| #define RSA_FLAG_NO_EXP_CONSTTIME RSA_FLAG_NO_CONSTTIME /* deprecated name for the flag*/ |  * private key operations. | ||||||
|                                                 /* new with 0.9.7h; the built-in RSA |  */  | ||||||
|                                                 * implementation now uses constant time | #define RSA_FLAG_NO_CONSTTIME		0x0100 | ||||||
|                                                 * modular exponentiation for secret exponents | #ifdef OPENSSL_USE_DEPRECATED | ||||||
|                                                 * by default. This flag causes the | /* deprecated name for the flag*/ | ||||||
|                                                 * faster variable sliding window method to | /* | ||||||
|                                                 * be used for all exponents. |  * new with 0.9.7h; the built-in RSA | ||||||
|                                                 */ |  * implementation now uses constant time | ||||||
|  |  * modular exponentiation for secret exponents | ||||||
|  |  * by default. This flag causes the | ||||||
|  |  * faster variable sliding window method to | ||||||
|  |  * be used for all exponents. | ||||||
|  |  */ | ||||||
|  | #define RSA_FLAG_NO_EXP_CONSTTIME RSA_FLAG_NO_CONSTTIME  | ||||||
| #endif | #endif | ||||||
|  |  | ||||||
|  |  | ||||||
|   | |||||||
| @@ -283,11 +283,12 @@ static BN_BLINDING *rsa_get_blinding(RSA *rsa, int *local, BN_CTX *ctx) | |||||||
| 		{ | 		{ | ||||||
| 		/* resort to rsa->mt_blinding instead */ | 		/* resort to rsa->mt_blinding instead */ | ||||||
|  |  | ||||||
| 		*local = 0; /* instructs rsa_blinding_convert(), rsa_blinding_invert() | 		/* instructs rsa_blinding_convert(), rsa_blinding_invert() | ||||||
| 		             * that the BN_BLINDING is shared, meaning that accesses | 		 * that the BN_BLINDING is shared, meaning that accesses | ||||||
| 		             * require locks, and that the blinding factor must be | 		 * require locks, and that the blinding factor must be | ||||||
| 		             * stored outside the BN_BLINDING | 		 * stored outside the BN_BLINDING | ||||||
| 		             */ | 		 */ | ||||||
|  | 		*local = 0; | ||||||
|  |  | ||||||
| 		if (rsa->mt_blinding == NULL) | 		if (rsa->mt_blinding == NULL) | ||||||
| 			{ | 			{ | ||||||
|   | |||||||
| @@ -158,9 +158,12 @@ void SHA256_Transform(SHA256_CTX *c, const unsigned char *data); | |||||||
|  * being exactly 64-bit wide. See Implementation Notes in sha512.c |  * being exactly 64-bit wide. See Implementation Notes in sha512.c | ||||||
|  * for further details. |  * for further details. | ||||||
|  */ |  */ | ||||||
| #define SHA512_CBLOCK	(SHA_LBLOCK*8)	/* SHA-512 treats input data as a | /* | ||||||
| 					 * contiguous array of 64 bit |  * SHA-512 treats input data as a | ||||||
| 					 * wide big-endian values. */ |  * contiguous array of 64 bit | ||||||
|  |  * wide big-endian values. | ||||||
|  |  */ | ||||||
|  | #define SHA512_CBLOCK	(SHA_LBLOCK*8) | ||||||
| #if (defined(_WIN32) || defined(_WIN64)) && !defined(__MINGW32__) | #if (defined(_WIN32) || defined(_WIN64)) && !defined(__MINGW32__) | ||||||
| #define SHA_LONG64 unsigned __int64 | #define SHA_LONG64 unsigned __int64 | ||||||
| #define U64(C)     C##UI64 | #define U64(C)     C##UI64 | ||||||
|   | |||||||
| @@ -80,7 +80,8 @@ STACK_OF(type) \ | |||||||
|     STACK stack; \ |     STACK stack; \ | ||||||
|     }; |     }; | ||||||
|  |  | ||||||
| #define IMPLEMENT_STACK_OF(type) /* nada (obsolete in new safestack approach)*/ | /* nada (obsolete in new safestack approach)*/ | ||||||
|  | #define IMPLEMENT_STACK_OF(type) | ||||||
|  |  | ||||||
| /* SKM_sk_... stack macros are internal to safestack.h: | /* SKM_sk_... stack macros are internal to safestack.h: | ||||||
|  * never use them directly, use sk_<type>_... instead */ |  * never use them directly, use sk_<type>_... instead */ | ||||||
|   | |||||||
| @@ -85,21 +85,34 @@ struct mem_object_data_st | |||||||
|  |  | ||||||
| struct mem_data_st | struct mem_data_st | ||||||
| 	{ | 	{ | ||||||
| 	STACK *data;		/* A stack of mem_object_data_st, | 	/* | ||||||
| 				   sorted with STORE_ATTR_INFO_compare(). */ | 	 * A stack of mem_object_data_st, | ||||||
| 	unsigned int compute_components : 1; /* Currently unused, but can | 	 * sorted with STORE_ATTR_INFO_compare(). | ||||||
| 						be used to add attributes | 	 */ | ||||||
| 						from parts of the data. */ | 	STACK *data; | ||||||
|  | 	/* Currently unused, but can | ||||||
|  | 	 * be used to add attributes | ||||||
|  | 	 * from parts of the data. | ||||||
|  | 	 */ | ||||||
|  | 	unsigned int compute_components : 1; | ||||||
| 	}; | 	}; | ||||||
|  |  | ||||||
| struct mem_ctx_st | struct mem_ctx_st | ||||||
| 	{ | 	{ | ||||||
| 	int type;		/* The type we're searching for */ | 	/* The type we're searching for */ | ||||||
| 	STACK *search_attributes; /* Sets of attributes to search for. | 	int type; | ||||||
| 				     Each element is a STORE_ATTR_INFO. */ | 	/* | ||||||
| 	int search_index;	/* which of the search attributes we found a match | 	 * Sets of attributes to search for. | ||||||
| 				   for, -1 when we still haven't found any */ | 	 * Each element is a STORE_ATTR_INFO. | ||||||
| 	int index;		/* -1 as long as we're searching for the first */ | 	 */ | ||||||
|  | 	STACK *search_attributes; | ||||||
|  | 	/* | ||||||
|  | 	 *  which of the search attributes we found a match | ||||||
|  | 	 * for, -1 when we still haven't found any | ||||||
|  | 	 */ | ||||||
|  | 	int search_index; | ||||||
|  | 	/* -1 as long as we're searching for the first */ | ||||||
|  | 	int index; | ||||||
| 	}; | 	}; | ||||||
|  |  | ||||||
| static int mem_init(STORE *s); | static int mem_init(STORE *s); | ||||||
|   | |||||||
| @@ -190,14 +190,22 @@ struct x509_store_st | |||||||
| 	X509_VERIFY_PARAM *param; | 	X509_VERIFY_PARAM *param; | ||||||
|  |  | ||||||
| 	/* Callbacks for various operations */ | 	/* Callbacks for various operations */ | ||||||
| 	int (*verify)(X509_STORE_CTX *ctx);	/* called to verify a certificate */ | 	/* called to verify a certificate */ | ||||||
| 	int (*verify_cb)(int ok,X509_STORE_CTX *ctx);	/* error callback */ | 	int (*verify)(X509_STORE_CTX *ctx); | ||||||
| 	int (*get_issuer)(X509 **issuer, X509_STORE_CTX *ctx, X509 *x);	/* get issuers cert from ctx */ | 	/* error callback */ | ||||||
| 	int (*check_issued)(X509_STORE_CTX *ctx, X509 *x, X509 *issuer); /* check issued */ | 	int (*verify_cb)(int ok,X509_STORE_CTX *ctx); | ||||||
| 	int (*check_revocation)(X509_STORE_CTX *ctx); /* Check revocation status of chain */ | 	/* get issuers cert from ctx */ | ||||||
| 	int (*get_crl)(X509_STORE_CTX *ctx, X509_CRL **crl, X509 *x); /* retrieve CRL */ | 	int (*get_issuer)(X509 **issuer, X509_STORE_CTX *ctx, X509 *x); | ||||||
| 	int (*check_crl)(X509_STORE_CTX *ctx, X509_CRL *crl); /* Check CRL validity */ | 	/* check issued */ | ||||||
| 	int (*cert_crl)(X509_STORE_CTX *ctx, X509_CRL *crl, X509 *x); /* Check certificate against CRL */ | 	int (*check_issued)(X509_STORE_CTX *ctx, X509 *x, X509 *issuer); | ||||||
|  | 	/* Check revocation status of chain */ | ||||||
|  | 	int (*check_revocation)(X509_STORE_CTX *ctx); | ||||||
|  | 	/* retrieve CRL */ | ||||||
|  | 	int (*get_crl)(X509_STORE_CTX *ctx, X509_CRL **crl, X509 *x); | ||||||
|  | 	/* Check CRL validity */ | ||||||
|  | 	int (*check_crl)(X509_STORE_CTX *ctx, X509_CRL *crl); | ||||||
|  | 	/* Check certificate against CRL */ | ||||||
|  | 	int (*cert_crl)(X509_STORE_CTX *ctx, X509_CRL *crl, X509 *x); | ||||||
| 	int (*cleanup)(X509_STORE_CTX *ctx); | 	int (*cleanup)(X509_STORE_CTX *ctx); | ||||||
|  |  | ||||||
| 	CRYPTO_EX_DATA ex_data; | 	CRYPTO_EX_DATA ex_data; | ||||||
| @@ -226,42 +234,62 @@ struct x509_lookup_st | |||||||
| struct x509_store_ctx_st      /* X509_STORE_CTX */ | struct x509_store_ctx_st      /* X509_STORE_CTX */ | ||||||
| 	{ | 	{ | ||||||
| 	X509_STORE *ctx; | 	X509_STORE *ctx; | ||||||
| 	int current_method;	/* used when looking up certs */ | 	/* used when looking up certs */ | ||||||
|  | 	int current_method; | ||||||
|  |  | ||||||
| 	/* The following are set by the caller */ | 	/* The following are set by the caller */ | ||||||
| 	X509 *cert;		/* The cert to check */ | 	/* The cert to check */ | ||||||
| 	STACK_OF(X509) *untrusted;	/* chain of X509s - untrusted - passed in */ | 	X509 *cert; | ||||||
| 	STACK_OF(X509_CRL) *crls;	/* set of CRLs passed in */ | 	/* chain of X509s - untrusted - passed in */ | ||||||
|  | 	STACK_OF(X509) *untrusted; | ||||||
|  | 	/* set of CRLs passed in */ | ||||||
|  | 	STACK_OF(X509_CRL) *crls; | ||||||
|  |  | ||||||
| 	X509_VERIFY_PARAM *param; | 	X509_VERIFY_PARAM *param; | ||||||
| 	void *other_ctx;	/* Other info for use with get_issuer() */ | 	/* Other info for use with get_issuer() */ | ||||||
|  | 	void *other_ctx; | ||||||
|  |  | ||||||
| 	/* Callbacks for various operations */ | 	/* Callbacks for various operations */ | ||||||
| 	int (*verify)(X509_STORE_CTX *ctx);	/* called to verify a certificate */ | 	/* called to verify a certificate */ | ||||||
| 	int (*verify_cb)(int ok,X509_STORE_CTX *ctx);		/* error callback */ | 	int (*verify)(X509_STORE_CTX *ctx); | ||||||
| 	int (*get_issuer)(X509 **issuer, X509_STORE_CTX *ctx, X509 *x);	/* get issuers cert from ctx */ | 	/* error callback */ | ||||||
| 	int (*check_issued)(X509_STORE_CTX *ctx, X509 *x, X509 *issuer); /* check issued */ | 	int (*verify_cb)(int ok,X509_STORE_CTX *ctx); | ||||||
| 	int (*check_revocation)(X509_STORE_CTX *ctx); /* Check revocation status of chain */ | 	/* get issuers cert from ctx */ | ||||||
| 	int (*get_crl)(X509_STORE_CTX *ctx, X509_CRL **crl, X509 *x); /* retrieve CRL */ | 	int (*get_issuer)(X509 **issuer, X509_STORE_CTX *ctx, X509 *x); | ||||||
| 	int (*check_crl)(X509_STORE_CTX *ctx, X509_CRL *crl); /* Check CRL validity */ | 	/* check issued */ | ||||||
| 	int (*cert_crl)(X509_STORE_CTX *ctx, X509_CRL *crl, X509 *x); /* Check certificate against CRL */ | 	int (*check_issued)(X509_STORE_CTX *ctx, X509 *x, X509 *issuer); | ||||||
|  | 	/* Check revocation status of chain */ | ||||||
|  | 	int (*check_revocation)(X509_STORE_CTX *ctx); | ||||||
|  | 	/* retrieve CRL */ | ||||||
|  | 	int (*get_crl)(X509_STORE_CTX *ctx, X509_CRL **crl, X509 *x); | ||||||
|  | 	/* Check CRL validity */ | ||||||
|  | 	int (*check_crl)(X509_STORE_CTX *ctx, X509_CRL *crl); | ||||||
|  | 	/* Check certificate against CRL */ | ||||||
|  | 	int (*cert_crl)(X509_STORE_CTX *ctx, X509_CRL *crl, X509 *x); | ||||||
| 	int (*check_policy)(X509_STORE_CTX *ctx); | 	int (*check_policy)(X509_STORE_CTX *ctx); | ||||||
| 	int (*cleanup)(X509_STORE_CTX *ctx); | 	int (*cleanup)(X509_STORE_CTX *ctx); | ||||||
|  |  | ||||||
| 	/* The following is built up */ | 	/* The following is built up */ | ||||||
| 	int valid;		/* if 0, rebuild chain */ | 	/* if 0, rebuild chain */ | ||||||
| 	int last_untrusted;	/* index of last untrusted cert */ | 	int valid; | ||||||
| 	STACK_OF(X509) *chain; 		/* chain of X509s - built up and trusted */ | 	/* index of last untrusted cert */ | ||||||
| 	X509_POLICY_TREE *tree;	/* Valid policy tree */ | 	int last_untrusted; | ||||||
|  | 	/* chain of X509s - built up and trusted */ | ||||||
|  | 	STACK_OF(X509) *chain; | ||||||
|  | 	/* Valid policy tree */ | ||||||
|  | 	X509_POLICY_TREE *tree; | ||||||
|  |  | ||||||
| 	int explicit_policy;	/* Require explicit policy value */ | 	/* Require explicit policy value */ | ||||||
|  | 	int explicit_policy; | ||||||
|  |  | ||||||
| 	/* When something goes wrong, this is why */ | 	/* When something goes wrong, this is why */ | ||||||
| 	int error_depth; | 	int error_depth; | ||||||
| 	int error; | 	int error; | ||||||
| 	X509 *current_cert; | 	X509 *current_cert; | ||||||
| 	X509 *current_issuer;	/* cert currently being tested as valid issuer */ | 	/* cert currently being tested as valid issuer */ | ||||||
| 	X509_CRL *current_crl;	/* current CRL */ | 	X509 *current_issuer; | ||||||
|  | 	/* current CRL */ | ||||||
|  | 	X509_CRL *current_crl; | ||||||
|  |  | ||||||
| 	CRYPTO_EX_DATA ex_data; | 	CRYPTO_EX_DATA ex_data; | ||||||
| 	} /* X509_STORE_CTX */; | 	} /* X509_STORE_CTX */; | ||||||
|   | |||||||
| @@ -112,8 +112,8 @@ int X509_certificate_type(X509 *x, EVP_PKEY *pkey) | |||||||
| 		break; | 		break; | ||||||
| 		} | 		} | ||||||
|  |  | ||||||
| 	if (EVP_PKEY_size(pk) <= 1024/8)/* /8 because it's 1024 bits we look | 	/* /8 because it's 1024 bits we look for, not bytes */ | ||||||
| 					   for, not bytes */ | 	if (EVP_PKEY_size(pk) <= 1024/8) | ||||||
| 		ret|=EVP_PKT_EXP; | 		ret|=EVP_PKT_EXP; | ||||||
| 	if(pkey==NULL) EVP_PKEY_free(pk); | 	if(pkey==NULL) EVP_PKEY_free(pk); | ||||||
| 	return(ret); | 	return(ret); | ||||||
|   | |||||||
| @@ -708,7 +708,9 @@ tls_create_ctx(struct tls_create_ctx_args a, void *apparg) | |||||||
| 	    SSL_CTX_set_verify_depth(ret, a.verify_depth); | 	    SSL_CTX_set_verify_depth(ret, a.verify_depth); | ||||||
| 	 | 	 | ||||||
| 	if (a.ca_file != NULL) { | 	if (a.ca_file != NULL) { | ||||||
| 	    r = SSL_CTX_load_verify_locations(ret, a.ca_file, NULL /* no CA-directory */); /* does not report failure if file does not exist ... */ | 	    /* does not report failure if file does not exist ... */ | ||||||
|  | 	    /* NULL argument means no CA-directory */ | ||||||
|  | 	    r = SSL_CTX_load_verify_locations(ret, a.ca_file, NULL);  | ||||||
| 	    if (!r) { | 	    if (!r) { | ||||||
| 		err_pref_1 = " while processing certificate file "; | 		err_pref_1 = " while processing certificate file "; | ||||||
| 		err_pref_2 = a.ca_file; | 		err_pref_2 = a.ca_file; | ||||||
|   | |||||||
| @@ -46,9 +46,12 @@ extern "C" { | |||||||
| __declspec(dllexport) | __declspec(dllexport) | ||||||
| void ** | void ** | ||||||
| #if defined(__BORLANDC__) | #if defined(__BORLANDC__) | ||||||
| __stdcall	/* __stdcall appears to be the only way to get the name | /* | ||||||
| 		 * decoration right with Borland C. Otherwise it works |  * __stdcall appears to be the only way to get the name | ||||||
| 		 * purely incidentally, as we pass no parameters. */ |  * decoration right with Borland C. Otherwise it works | ||||||
|  |  * purely incidentally, as we pass no parameters. | ||||||
|  |  */ | ||||||
|  | __stdcall | ||||||
| #else | #else | ||||||
| __cdecl | __cdecl | ||||||
| #endif | #endif | ||||||
|   | |||||||
| @@ -436,10 +436,15 @@ long dtls1_get_message(SSL *s, int st1, int stn, int mt, long max, int *ok) | |||||||
| again: | again: | ||||||
| 	i = dtls1_get_message_fragment(s, st1, stn, max, ok); | 	i = dtls1_get_message_fragment(s, st1, stn, max, ok); | ||||||
| 	if ( i == DTLS1_HM_BAD_FRAGMENT || | 	if ( i == DTLS1_HM_BAD_FRAGMENT || | ||||||
| 		i == DTLS1_HM_FRAGMENT_RETRY)  /* bad fragment received */ | 		i == DTLS1_HM_FRAGMENT_RETRY) | ||||||
|  | 		{ | ||||||
|  | 		/* bad fragment received */ | ||||||
| 		goto again; | 		goto again; | ||||||
|  | 		} | ||||||
| 	else if ( i <= 0 && !*ok) | 	else if ( i <= 0 && !*ok) | ||||||
|  | 		{ | ||||||
| 		return i; | 		return i; | ||||||
|  | 		} | ||||||
|  |  | ||||||
| 	p = (unsigned char *)s->init_buf->data; | 	p = (unsigned char *)s->init_buf->data; | ||||||
| 	msg_len = msg_hdr->msg_len; | 	msg_len = msg_hdr->msg_len; | ||||||
| @@ -1121,7 +1126,8 @@ int dtls1_read_failed(SSL *s, int code) | |||||||
| 		return code; | 		return code; | ||||||
| 		} | 		} | ||||||
|  |  | ||||||
| 	if ( ! SSL_in_init(s))  /* done, no need to send a retransmit */ | 	/* done, no need to send a retransmit */ | ||||||
|  | 	if ( ! SSL_in_init(s)) | ||||||
| 		{ | 		{ | ||||||
| 		BIO_set_flags(SSL_get_rbio(s), BIO_FLAGS_READ); | 		BIO_set_flags(SSL_get_rbio(s), BIO_FLAGS_READ); | ||||||
| 		return code; | 		return code; | ||||||
|   | |||||||
| @@ -289,8 +289,8 @@ dtls1_get_buffered_record(SSL *s) | |||||||
| 		(((PQ_64BIT)s->d1->handshake_read_seq) << 32) |  | 		(((PQ_64BIT)s->d1->handshake_read_seq) << 32) |  | ||||||
| 		((PQ_64BIT)s->d1->r_msg_hdr.frag_off); | 		((PQ_64BIT)s->d1->r_msg_hdr.frag_off); | ||||||
| 	 | 	 | ||||||
| 	if ( ! SSL_in_init(s))  /* if we're not (re)negotiating,  |     /* if we're not (re)negotiating, nothing buffered */ | ||||||
| 							   nothing buffered */ | 	if ( ! SSL_in_init(s)) | ||||||
| 		return 0; | 		return 0; | ||||||
|  |  | ||||||
|  |  | ||||||
|   | |||||||
| @@ -232,19 +232,21 @@ end: | |||||||
|  |  | ||||||
| int ssl23_get_client_hello(SSL *s) | int ssl23_get_client_hello(SSL *s) | ||||||
| 	{ | 	{ | ||||||
| 	char buf_space[11]; /* Request this many bytes in initial read. |     /*- | ||||||
| 	                     * We can detect SSL 3.0/TLS 1.0 Client Hellos |      * Request this many bytes in initial read. | ||||||
| 	                     * ('type == 3') correctly only when the following |      * We can detect SSL 3.0/TLS 1.0 Client Hellos | ||||||
| 	                     * is in a single record, which is not guaranteed by |      * ('type == 3') correctly only when the following | ||||||
| 	                     * the protocol specification: |      * is in a single record, which is not guaranteed by | ||||||
| 	                     * Byte  Content |      * the protocol specification: | ||||||
| 	                     *  0     type            \ |      * Byte  Content | ||||||
| 	                     *  1/2   version          > record header |      *  0     type            \ | ||||||
| 	                     *  3/4   length          / |      *  1/2   version          > record header | ||||||
| 	                     *  5     msg_type        \ |      *  3/4   length          / | ||||||
| 	                     *  6-8   length           > Client Hello message |      *  5     msg_type        \ | ||||||
| 	                     *  9/10  client_version  / |      *  6-8   length           > Client Hello message | ||||||
| 	                     */ |      *  9/10  client_version  / | ||||||
|  |      */ | ||||||
|  | 	char buf_space[11];  | ||||||
| 	char *buf= &(buf_space[0]); | 	char *buf= &(buf_space[0]); | ||||||
| 	unsigned char *p,*d,*d_len,*dd; | 	unsigned char *p,*d,*d_len,*dd; | ||||||
| 	unsigned int i; | 	unsigned int i; | ||||||
|   | |||||||
| @@ -214,11 +214,12 @@ int ssl3_get_finished(SSL *s, int a, int b) | |||||||
| 	 * change cipher spec message and is in s->s3->tmp.peer_finish_md | 	 * change cipher spec message and is in s->s3->tmp.peer_finish_md | ||||||
| 	 */  | 	 */  | ||||||
|  |  | ||||||
|  | 	/* 64 argument should actually be 36+4 :-) */ | ||||||
| 	n=s->method->ssl_get_message(s, | 	n=s->method->ssl_get_message(s, | ||||||
| 		a, | 		a, | ||||||
| 		b, | 		b, | ||||||
| 		SSL3_MT_FINISHED, | 		SSL3_MT_FINISHED, | ||||||
| 		64, /* should actually be 36+4 :-) */ | 		64, | ||||||
| 		&ok); | 		&ok); | ||||||
|  |  | ||||||
| 	if (!ok) return((int)n); | 	if (!ok) return((int)n); | ||||||
|   | |||||||
							
								
								
									
										100
									
								
								ssl/ssl.h
									
									
									
									
									
								
							
							
						
						
									
										100
									
								
								ssl/ssl.h
									
									
									
									
									
								
							| @@ -773,7 +773,8 @@ struct ssl_ctx_st | |||||||
| 	int verify_mode; | 	int verify_mode; | ||||||
| 	unsigned int sid_ctx_length; | 	unsigned int sid_ctx_length; | ||||||
| 	unsigned char sid_ctx[SSL_MAX_SID_CTX_LENGTH]; | 	unsigned char sid_ctx[SSL_MAX_SID_CTX_LENGTH]; | ||||||
| 	int (*default_verify_callback)(int ok,X509_STORE_CTX *ctx); /* called 'verify_callback' in the SSL */ | 	/* called 'verify_callback' in the SSL */ | ||||||
|  | 	int (*default_verify_callback)(int ok,X509_STORE_CTX *ctx); | ||||||
|  |  | ||||||
| 	/* Default generate session ID callback. */ | 	/* Default generate session ID callback. */ | ||||||
| 	GEN_SESSION_CB generate_session_id; | 	GEN_SESSION_CB generate_session_id; | ||||||
| @@ -885,22 +886,28 @@ struct ssl_st | |||||||
| 	 * (one of SSL2_VERSION, SSL3_VERSION, TLS1_VERSION, DTLS1_VERSION) | 	 * (one of SSL2_VERSION, SSL3_VERSION, TLS1_VERSION, DTLS1_VERSION) | ||||||
| 	 */ | 	 */ | ||||||
| 	int version; | 	int version; | ||||||
| 	int type; /* SSL_ST_CONNECT or SSL_ST_ACCEPT */ | 	/* SSL_ST_CONNECT or SSL_ST_ACCEPT */ | ||||||
|  | 	int type; | ||||||
|  |  | ||||||
| 	SSL_METHOD *method; /* SSLv3 */ | 	/* SSLv3 */ | ||||||
|  | 	SSL_METHOD *method; | ||||||
|  |  | ||||||
| 	/* There are 2 BIO's even though they are normally both the | 	/* There are 2 BIO's even though they are normally both the | ||||||
| 	 * same.  This is so data can be read and written to different | 	 * same.  This is so data can be read and written to different | ||||||
| 	 * handlers */ | 	 * handlers */ | ||||||
|  |  | ||||||
| #ifndef OPENSSL_NO_BIO | #ifndef OPENSSL_NO_BIO | ||||||
| 	BIO *rbio; /* used by SSL_read */ | 	/* used by SSL_read */ | ||||||
| 	BIO *wbio; /* used by SSL_write */ | 	BIO *rbio; | ||||||
| 	BIO *bbio; /* used during session-id reuse to concatenate | 	/* used by SSL_write */ | ||||||
| 		    * messages */ | 	BIO *wbio; | ||||||
|  | 	/* used during session-id reuse to concatenate messages */ | ||||||
|  | 	BIO *bbio; | ||||||
| #else | #else | ||||||
| 	char *rbio; /* used by SSL_read */ | 	/* used by SSL_read */ | ||||||
| 	char *wbio; /* used by SSL_write */ | 	char *rbio; | ||||||
|  | 	/* used by SSL_write */ | ||||||
|  | 	char *wbio; | ||||||
| 	char *bbio; | 	char *bbio; | ||||||
| #endif | #endif | ||||||
| 	/* This holds a variable that indicates what we were doing | 	/* This holds a variable that indicates what we were doing | ||||||
| @@ -921,19 +928,26 @@ struct ssl_st | |||||||
| 	 * test instead of an "init" member. | 	 * test instead of an "init" member. | ||||||
| 	 */ | 	 */ | ||||||
|  |  | ||||||
| 	int server;	/* are we the server side? - mostly used by SSL_clear*/ | 	/* are we the server side? - mostly used by SSL_clear*/ | ||||||
|  | 	int server; | ||||||
|  |  | ||||||
| 	int new_session;/* 1 if we are to use a new session. | 	/* | ||||||
| 	                 * 2 if we are a server and are inside a handshake | 	 * 1 if we are to use a new session. | ||||||
| 	                 *   (i.e. not just sending a HelloRequest) | 	 * 2 if we are a server and are inside a handshake | ||||||
| 	                 * NB: For servers, the 'new' session may actually be a previously | 	 *   (i.e. not just sending a HelloRequest) | ||||||
| 	                 * cached session or even the previous session unless | 	 * NB: For servers, the 'new' session may actually be a previously | ||||||
| 	                 * SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION is set */ | 	 * cached session or even the previous session unless | ||||||
| 	int quiet_shutdown;/* don't send shutdown packets */ | 	 * SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION is set | ||||||
| 	int shutdown;	/* we have shut things down, 0x01 sent, 0x02 | 	 */ | ||||||
| 			 * for received */ | 	int new_session; | ||||||
| 	int state;	/* where we are */ | 	/* don't send shutdown packets */ | ||||||
| 	int rstate;	/* where we are when reading */ | 	int quiet_shutdown; | ||||||
|  | 	/* we have shut things down, 0x01 sent, 0x02 for received */ | ||||||
|  | 	int shutdown; | ||||||
|  | 	/* where we are */ | ||||||
|  | 	int state; | ||||||
|  | 	/* where we are when reading */ | ||||||
|  | 	int rstate; | ||||||
|  |  | ||||||
| 	BUF_MEM *init_buf;	/* buffer used during init */ | 	BUF_MEM *init_buf;	/* buffer used during init */ | ||||||
| 	void *init_msg;   	/* pointer to handshake message body, set by ssl3_get_message() */ | 	void *init_msg;   	/* pointer to handshake message body, set by ssl3_get_message() */ | ||||||
| @@ -1005,17 +1019,25 @@ struct ssl_st | |||||||
| 	GEN_SESSION_CB generate_session_id; | 	GEN_SESSION_CB generate_session_id; | ||||||
|  |  | ||||||
| 	/* Used in SSL2 and SSL3 */ | 	/* Used in SSL2 and SSL3 */ | ||||||
| 	int verify_mode;	/* 0 don't care about verify failure. | 	/* | ||||||
| 				 * 1 fail if verify fails */ | 	 * 0 don't care about verify failure. | ||||||
| 	int (*verify_callback)(int ok,X509_STORE_CTX *ctx); /* fail if callback returns 0 */ | 	 * 1 fail if verify fails | ||||||
|  | 	 */ | ||||||
|  | 	int verify_mode; | ||||||
|  | 	/* fail if callback returns 0 */ | ||||||
|  | 	int (*verify_callback)(int ok,X509_STORE_CTX *ctx); | ||||||
|  |  | ||||||
| 	void (*info_callback)(const SSL *ssl,int type,int val); /* optional informational callback */ | 	/* optional informational callback */ | ||||||
|  | 	void (*info_callback)(const SSL *ssl,int type,int val); | ||||||
|  |  | ||||||
| 	int error;		/* error bytes to be written */ | 	/* error bytes to be written */ | ||||||
| 	int error_code;		/* actual code */ | 	int error; | ||||||
|  | 	/* actual code */ | ||||||
|  | 	int error_code; | ||||||
|  |  | ||||||
| #ifndef OPENSSL_NO_KRB5 | #ifndef OPENSSL_NO_KRB5 | ||||||
| 	KSSL_CTX *kssl_ctx;     /* Kerberos 5 context */ | 	/* Kerberos 5 context */ | ||||||
|  | 	KSSL_CTX *kssl_ctx; | ||||||
| #endif	/* OPENSSL_NO_KRB5 */ | #endif	/* OPENSSL_NO_KRB5 */ | ||||||
|  |  | ||||||
| 	SSL_CTX *ctx; | 	SSL_CTX *ctx; | ||||||
| @@ -1031,12 +1053,14 @@ struct ssl_st | |||||||
| 	STACK_OF(X509_NAME) *client_CA; | 	STACK_OF(X509_NAME) *client_CA; | ||||||
|  |  | ||||||
| 	int references; | 	int references; | ||||||
| 	unsigned long options; /* protocol behaviour */ | 	/* protocol behaviour */ | ||||||
| 	unsigned long mode; /* API behaviour */ | 	unsigned long options; | ||||||
|  | 	/* API behaviour */ | ||||||
|  | 	unsigned long mode; | ||||||
| 	long max_cert_list; | 	long max_cert_list; | ||||||
| 	int first_packet; | 	int first_packet; | ||||||
| 	int client_version;	/* what was passed, used for | 	/* what was passed, used for SSLv3/TLS rollback check */ | ||||||
| 				 * SSLv3/TLS rollback check */ | 	int client_version; | ||||||
| #ifndef OPENSSL_NO_TLSEXT | #ifndef OPENSSL_NO_TLSEXT | ||||||
| 	/* TLS extension debug callback */ | 	/* TLS extension debug callback */ | ||||||
| 	void (*tlsext_debug_cb)(SSL *s, int client_server, int type, | 	void (*tlsext_debug_cb)(SSL *s, int client_server, int type, | ||||||
| @@ -1044,11 +1068,13 @@ struct ssl_st | |||||||
| 					void *arg); | 					void *arg); | ||||||
| 	void *tlsext_debug_arg; | 	void *tlsext_debug_arg; | ||||||
| 	char *tlsext_hostname; | 	char *tlsext_hostname; | ||||||
| 	int servername_done;   /* no further mod of servername  |     /*- | ||||||
| 	                          0 : call the servername extension callback. |      * no further mod of servername  | ||||||
| 	                          1 : prepare 2, allow last ack just after in server callback. |      * 0 : call the servername extension callback. | ||||||
| 	                          2 : don't call servername callback, no ack in server hello |      * 1 : prepare 2, allow last ack just after in server callback. | ||||||
| 	                       */ |      * 2 : don't call servername callback, no ack in server hello | ||||||
|  |      */ | ||||||
|  | 	int servername_done; | ||||||
| 	/* certificate status request info */ | 	/* certificate status request info */ | ||||||
| 	/* Status type or -1 if no status type */ | 	/* Status type or -1 if no status type */ | ||||||
| 	int tlsext_status_type; | 	int tlsext_status_type; | ||||||
|   | |||||||
							
								
								
									
										37
									
								
								ssl/ssl3.h
									
									
									
									
									
								
							
							
						
						
									
										37
									
								
								ssl/ssl3.h
									
									
									
									
									
								
							| @@ -301,23 +301,34 @@ extern "C" { | |||||||
|  |  | ||||||
| typedef struct ssl3_record_st | typedef struct ssl3_record_st | ||||||
| 	{ | 	{ | ||||||
| /*r */	int type;               /* type of record */ | 		/* type of record */ | ||||||
| /*rw*/	unsigned int length;    /* How many bytes available */ | /*r */	int type; | ||||||
| /*r */	unsigned int off;       /* read/write offset into 'buf' */ | 		/* How many bytes available */ | ||||||
| /*rw*/	unsigned char *data;    /* pointer to the record data */ | /*rw*/	unsigned int length; | ||||||
| /*rw*/	unsigned char *input;   /* where the decode bytes are */ | 		/* read/write offset into 'buf' */ | ||||||
| /*r */	unsigned char *comp;    /* only used with decompression - malloc()ed */ | /*r */	unsigned int off; | ||||||
| /*r */  unsigned long epoch;    /* epoch number, needed by DTLS1 */ | 		/* pointer to the record data */ | ||||||
| /*r */  PQ_64BIT seq_num;       /* sequence number, needed by DTLS1 */ | /*rw*/	unsigned char *data; | ||||||
|  | 		/* where the decode bytes are */ | ||||||
|  | /*rw*/	unsigned char *input; | ||||||
|  | 		/* only used with decompression - malloc()ed */ | ||||||
|  | /*r */	unsigned char *comp; | ||||||
|  | 		/* epoch number, needed by DTLS1 */ | ||||||
|  | /*r */  unsigned long epoch; | ||||||
|  | 		/* sequence number, needed by DTLS1 */ | ||||||
|  | /*r */  PQ_64BIT seq_num; | ||||||
| 	} SSL3_RECORD; | 	} SSL3_RECORD; | ||||||
|  |  | ||||||
| typedef struct ssl3_buffer_st | typedef struct ssl3_buffer_st | ||||||
| 	{ | 	{ | ||||||
| 	unsigned char *buf;     /* at least SSL3_RT_MAX_PACKET_SIZE bytes, | 	/* at least SSL3_RT_MAX_PACKET_SIZE bytes, see ssl3_setup_buffers() */ | ||||||
| 	                         * see ssl3_setup_buffers() */ | 	unsigned char *buf; | ||||||
| 	size_t len;             /* buffer size */ | 	/* buffer size */ | ||||||
| 	int offset;             /* where to 'copy from' */ | 	size_t len; | ||||||
| 	int left;               /* how many bytes left */ | 	/* where to 'copy from' */ | ||||||
|  | 	int offset; | ||||||
|  | 	/* how many bytes left */ | ||||||
|  | 	int left; | ||||||
| 	} SSL3_BUFFER; | 	} SSL3_BUFFER; | ||||||
|  |  | ||||||
| #define SSL3_CT_RSA_SIGN			1 | #define SSL3_CT_RSA_SIGN			1 | ||||||
|   | |||||||
| @@ -172,10 +172,15 @@ int SSL_clear(SSL *s) | |||||||
| 	s->hit=0; | 	s->hit=0; | ||||||
| 	s->shutdown=0; | 	s->shutdown=0; | ||||||
|  |  | ||||||
| #if 0 /* Disabled since version 1.10 of this file (early return not | #if 0 | ||||||
|        * needed because SSL_clear is not called when doing renegotiation) */ | 	/* | ||||||
| 	/* This is set if we are doing dynamic renegotiation so keep | 	 * Disabled since version 1.10 of this file (early return not | ||||||
| 	 * the old cipher.  It is sort of a SSL_clear_lite :-) */ |      * needed because SSL_clear is not called when doing renegotiation) | ||||||
|  |      */ | ||||||
|  | 	/* | ||||||
|  | 	 * This is set if we are doing dynamic renegotiation so keep | ||||||
|  | 	 * the old cipher.  It is sort of a SSL_clear_lite :-) | ||||||
|  | 	 */ | ||||||
| 	if (s->new_session) return(1); | 	if (s->new_session) return(1); | ||||||
| #else | #else | ||||||
| 	if (s->new_session) | 	if (s->new_session) | ||||||
|   | |||||||
| @@ -420,9 +420,12 @@ typedef struct cert_pkey_st | |||||||
| typedef struct cert_st | typedef struct cert_st | ||||||
| 	{ | 	{ | ||||||
| 	/* Current active set */ | 	/* Current active set */ | ||||||
| 	CERT_PKEY *key; /* ALWAYS points to an element of the pkeys array | 	/* | ||||||
| 			 * Probably it would make more sense to store | 	 * ALWAYS points to an element of the pkeys array | ||||||
| 			 * an index, not a pointer. */ | 	 * Probably it would make more sense to store | ||||||
|  | 	 * an index, not a pointer. | ||||||
|  | 	 */ | ||||||
|  | 	CERT_PKEY *key; | ||||||
|   |   | ||||||
| 	/* The following masks are for the key and auth | 	/* The following masks are for the key and auth | ||||||
| 	 * algorithms that are supported by the certs below */ | 	 * algorithms that are supported by the certs below */ | ||||||
|   | |||||||
| @@ -772,9 +772,11 @@ static void SSL_SESSION_list_remove(SSL_CTX *ctx, SSL_SESSION *s) | |||||||
| 	if ((s->next == NULL) || (s->prev == NULL)) return; | 	if ((s->next == NULL) || (s->prev == NULL)) return; | ||||||
|  |  | ||||||
| 	if (s->next == (SSL_SESSION *)&(ctx->session_cache_tail)) | 	if (s->next == (SSL_SESSION *)&(ctx->session_cache_tail)) | ||||||
| 		{ /* last element in list */ | 		{ | ||||||
|  | 		/* last element in list */ | ||||||
| 		if (s->prev == (SSL_SESSION *)&(ctx->session_cache_head)) | 		if (s->prev == (SSL_SESSION *)&(ctx->session_cache_head)) | ||||||
| 			{ /* only one element in list */ | 			{ | ||||||
|  | 			/* only one element in list */ | ||||||
| 			ctx->session_cache_head=NULL; | 			ctx->session_cache_head=NULL; | ||||||
| 			ctx->session_cache_tail=NULL; | 			ctx->session_cache_tail=NULL; | ||||||
| 			} | 			} | ||||||
| @@ -787,12 +789,14 @@ static void SSL_SESSION_list_remove(SSL_CTX *ctx, SSL_SESSION *s) | |||||||
| 	else | 	else | ||||||
| 		{ | 		{ | ||||||
| 		if (s->prev == (SSL_SESSION *)&(ctx->session_cache_head)) | 		if (s->prev == (SSL_SESSION *)&(ctx->session_cache_head)) | ||||||
| 			{ /* first element in list */ | 			{ | ||||||
|  | 			/* first element in list */ | ||||||
| 			ctx->session_cache_head=s->next; | 			ctx->session_cache_head=s->next; | ||||||
| 			s->next->prev=(SSL_SESSION *)&(ctx->session_cache_head); | 			s->next->prev=(SSL_SESSION *)&(ctx->session_cache_head); | ||||||
| 			} | 			} | ||||||
| 		else | 		else | ||||||
| 			{ /* middle of list */ | 			{ | ||||||
|  | 			/* middle of list */ | ||||||
| 			s->next->prev=s->prev; | 			s->next->prev=s->prev; | ||||||
| 			s->prev->next=s->next; | 			s->prev->next=s->next; | ||||||
| 			} | 			} | ||||||
|   | |||||||
| @@ -114,8 +114,8 @@ | |||||||
|  * SUN MICROSYSTEMS, INC., and contributed to the OpenSSL project. |  * SUN MICROSYSTEMS, INC., and contributed to the OpenSSL project. | ||||||
|  */ |  */ | ||||||
|  |  | ||||||
| #define _BSD_SOURCE 1		/* Or gethostname won't be declared properly | /* Or gethostname won't be declared properly on Linux and GNU platforms. */ | ||||||
| 				   on Linux and GNU platforms. */ | #define _BSD_SOURCE 1 | ||||||
|  |  | ||||||
| #include <assert.h> | #include <assert.h> | ||||||
| #include <errno.h> | #include <errno.h> | ||||||
| @@ -128,8 +128,8 @@ | |||||||
| #define USE_SOCKETS | #define USE_SOCKETS | ||||||
| #include "e_os.h" | #include "e_os.h" | ||||||
|  |  | ||||||
| #define _XOPEN_SOURCE 500	/* Or isascii won't be declared properly on | /* Or isascii won't be declared properly on VMS (at least with DECompHP C).  */ | ||||||
| 				   VMS (at least with DECompHP C).  */ | #define _XOPEN_SOURCE 500 | ||||||
| #include <ctype.h> | #include <ctype.h> | ||||||
|  |  | ||||||
| #include <openssl/bio.h> | #include <openssl/bio.h> | ||||||
| @@ -154,11 +154,13 @@ | |||||||
| #endif | #endif | ||||||
| #include <openssl/bn.h> | #include <openssl/bn.h> | ||||||
|  |  | ||||||
| #define _XOPEN_SOURCE_EXTENDED	1 /* Or gethostname won't be declared properly | /* | ||||||
| 				     on Compaq platforms (at least with DEC C). |  * Or gethostname won't be declared properly | ||||||
| 				     Do not try to put it earlier, or IPv6 includes |  * on Compaq platforms (at least with DEC C). | ||||||
| 				     get screwed... |  * Do not try to put it earlier, or IPv6 includes | ||||||
| 				  */ |  * get screwed... | ||||||
|  | */ | ||||||
|  | #define _XOPEN_SOURCE_EXTENDED	1  | ||||||
|  |  | ||||||
| #ifdef OPENSSL_SYS_WINDOWS | #ifdef OPENSSL_SYS_WINDOWS | ||||||
| #include <winsock.h> | #include <winsock.h> | ||||||
|   | |||||||
		Reference in New Issue
	
	Block a user
	 Matt Caswell
					Matt Caswell