diff options
Diffstat (limited to 'ssl')
| -rw-r--r-- | ssl/d1_both.c | 13 | ||||
| -rw-r--r-- | ssl/d1_pkt.c | 4 | ||||
| -rw-r--r-- | ssl/s23_srvr.c | 28 | ||||
| -rw-r--r-- | ssl/s3_both.c | 3 | ||||
| -rw-r--r-- | ssl/ssl.h | 138 | ||||
| -rw-r--r-- | ssl/ssl3.h | 37 | ||||
| -rw-r--r-- | ssl/ssl_lib.c | 13 | ||||
| -rw-r--r-- | ssl/ssl_locl.h | 9 | ||||
| -rw-r--r-- | ssl/ssl_sess.c | 12 | ||||
| -rw-r--r-- | ssl/ssltest.c | 20 | ||||
| -rw-r--r-- | ssl/t1_lib.c | 41 | ||||
| -rw-r--r-- | ssl/tls1.h | 9 |
12 files changed, 215 insertions, 112 deletions
diff --git a/ssl/d1_both.c b/ssl/d1_both.c index ea42b8488b..99a067cbe9 100644 --- a/ssl/d1_both.c +++ b/ssl/d1_both.c @@ -481,10 +481,15 @@ long dtls1_get_message(SSL *s, int st1, int stn, int mt, long max, int *ok) again: i = dtls1_get_message_fragment(s, st1, stn, max, ok); if ( i == DTLS1_HM_BAD_FRAGMENT || - i == DTLS1_HM_FRAGMENT_RETRY) /* bad fragment received */ + i == DTLS1_HM_FRAGMENT_RETRY) + { + /* bad fragment received */ goto again; + } else if ( i <= 0 && !*ok) + { return i; + } p = (unsigned char *)s->init_buf->data; msg_len = msg_hdr->msg_len; @@ -1022,9 +1027,11 @@ int dtls1_read_failed(SSL *s, int code) } #ifndef OPENSSL_NO_HEARTBEATS - if (!SSL_in_init(s) && !s->tlsext_hb_pending) /* done, no need to send a retransmit */ + /* done, no need to send a retransmit */ + if (!SSL_in_init(s) && !s->tlsext_hb_pending) #else - if (!SSL_in_init(s)) /* done, no need to send a retransmit */ + /* done, no need to send a retransmit */ + if (!SSL_in_init(s)) #endif { BIO_set_flags(SSL_get_rbio(s), BIO_FLAGS_READ); diff --git a/ssl/d1_pkt.c b/ssl/d1_pkt.c index 9c5a1246b4..298e6ec3bc 100644 --- a/ssl/d1_pkt.c +++ b/ssl/d1_pkt.c @@ -343,8 +343,8 @@ dtls1_get_buffered_record(SSL *s) (((PQ_64BIT)s->d1->handshake_read_seq) << 32) | ((PQ_64BIT)s->d1->r_msg_hdr.frag_off); - if ( ! SSL_in_init(s)) /* if we're not (re)negotiating, - nothing buffered */ + /* if we're not (re)negotiating, nothing buffered */ + if ( ! SSL_in_init(s)) return 0; diff --git a/ssl/s23_srvr.c b/ssl/s23_srvr.c index 512fc8f7fc..63c3d60286 100644 --- a/ssl/s23_srvr.c +++ b/ssl/s23_srvr.c @@ -240,19 +240,21 @@ end: int ssl23_get_client_hello(SSL *s) { - char buf_space[11]; /* Request this many bytes in initial read. - * We can detect SSL 3.0/TLS 1.0 Client Hellos - * ('type == 3') correctly only when the following - * is in a single record, which is not guaranteed by - * the protocol specification: - * Byte Content - * 0 type \ - * 1/2 version > record header - * 3/4 length / - * 5 msg_type \ - * 6-8 length > Client Hello message - * 9/10 client_version / - */ + /*- + * Request this many bytes in initial read. + * We can detect SSL 3.0/TLS 1.0 Client Hellos + * ('type == 3') correctly only when the following + * is in a single record, which is not guaranteed by + * the protocol specification: + * Byte Content + * 0 type \ + * 1/2 version > record header + * 3/4 length / + * 5 msg_type \ + * 6-8 length > Client Hello message + * 9/10 client_version / + */ + char buf_space[11]; char *buf= &(buf_space[0]); unsigned char *p,*d,*d_len,*dd; unsigned int i; diff --git a/ssl/s3_both.c b/ssl/s3_both.c index bf990bf3cf..6218545fc4 100644 --- a/ssl/s3_both.c +++ b/ssl/s3_both.c @@ -236,11 +236,12 @@ int ssl3_get_finished(SSL *s, int a, int b) */ #endif + /* 64 argument should actually be 36+4 :-) */ n=s->method->ssl_get_message(s, a, b, SSL3_MT_FINISHED, - 64, /* should actually be 36+4 :-) */ + 64, &ok); if (!ok) return((int)n); @@ -1015,7 +1015,8 @@ struct ssl_ctx_st int verify_mode; unsigned int sid_ctx_length; unsigned char sid_ctx[SSL_MAX_SID_CTX_LENGTH]; - int (*default_verify_callback)(int ok,X509_STORE_CTX *ctx); /* called 'verify_callback' in the SSL */ + /* called 'verify_callback' in the SSL */ + int (*default_verify_callback)(int ok,X509_STORE_CTX *ctx); /* Default generate session ID callback. */ GEN_SESSION_CB generate_session_id; @@ -1306,22 +1307,28 @@ struct ssl_st * (one of SSL2_VERSION, SSL3_VERSION, TLS1_VERSION, DTLS1_VERSION) */ int version; - int type; /* SSL_ST_CONNECT or SSL_ST_ACCEPT */ + /* SSL_ST_CONNECT or SSL_ST_ACCEPT */ + int type; - const SSL_METHOD *method; /* SSLv3 */ + /* SSLv3 */ + const SSL_METHOD *method; /* There are 2 BIO's even though they are normally both the * same. This is so data can be read and written to different * handlers */ #ifndef OPENSSL_NO_BIO - BIO *rbio; /* used by SSL_read */ - BIO *wbio; /* used by SSL_write */ - BIO *bbio; /* used during session-id reuse to concatenate - * messages */ + /* used by SSL_read */ + BIO *rbio; + /* used by SSL_write */ + BIO *wbio; + /* used during session-id reuse to concatenate messages */ + BIO *bbio; #else - char *rbio; /* used by SSL_read */ - char *wbio; /* used by SSL_write */ + /* used by SSL_read */ + char *rbio; + /* used by SSL_write */ + char *wbio; char *bbio; #endif /* This holds a variable that indicates what we were doing @@ -1342,17 +1349,24 @@ struct ssl_st * test instead of an "init" member. */ - int server; /* are we the server side? - mostly used by SSL_clear*/ + /* are we the server side? - mostly used by SSL_clear*/ + int server; - int new_session;/* Generate a new session or reuse an old one. - * NB: For servers, the 'new' session may actually be a previously - * cached session or even the previous session unless - * SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION is set */ - int quiet_shutdown;/* don't send shutdown packets */ - int shutdown; /* we have shut things down, 0x01 sent, 0x02 - * for received */ - int state; /* where we are */ - int rstate; /* where we are when reading */ + /* + * Generate a new session or reuse an old one. + * NB: For servers, the 'new' session may actually be a previously + * cached session or even the previous session unless + * SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION is set + */ + int new_session; + /* don't send shutdown packets */ + int quiet_shutdown; + /* we have shut things down, 0x01 sent, 0x02 for received */ + int shutdown; + /* where we are */ + int state; + /* where we are when reading */ + int rstate; BUF_MEM *init_buf; /* buffer used during init */ void *init_msg; /* pointer to handshake message body, set by ssl3_get_message() */ @@ -1424,17 +1438,25 @@ struct ssl_st GEN_SESSION_CB generate_session_id; /* Used in SSL2 and SSL3 */ - int verify_mode; /* 0 don't care about verify failure. - * 1 fail if verify fails */ - int (*verify_callback)(int ok,X509_STORE_CTX *ctx); /* fail if callback returns 0 */ + /* + * 0 don't care about verify failure. + * 1 fail if verify fails + */ + int verify_mode; + /* fail if callback returns 0 */ + int (*verify_callback)(int ok,X509_STORE_CTX *ctx); - void (*info_callback)(const SSL *ssl,int type,int val); /* optional informational callback */ + /* optional informational callback */ + void (*info_callback)(const SSL *ssl,int type,int val); - int error; /* error bytes to be written */ - int error_code; /* actual code */ + /* error bytes to be written */ + int error; + /* actual code */ + int error_code; #ifndef OPENSSL_NO_KRB5 - KSSL_CTX *kssl_ctx; /* Kerberos 5 context */ + /* Kerberos 5 context */ + KSSL_CTX *kssl_ctx; #endif /* OPENSSL_NO_KRB5 */ #ifndef OPENSSL_NO_PSK @@ -1458,12 +1480,14 @@ struct ssl_st STACK_OF(X509_NAME) *client_CA; int references; - unsigned long options; /* protocol behaviour */ - unsigned long mode; /* API behaviour */ + /* protocol behaviour */ + unsigned long options; + /* API behaviour */ + unsigned long mode; long max_cert_list; int first_packet; - int client_version; /* what was passed, used for - * SSLv3/TLS rollback check */ + /* what was passed, used for SSLv3/TLS rollback check */ + int client_version; unsigned int max_send_fragment; #ifndef OPENSSL_NO_TLSEXT /* TLS extension debug callback */ @@ -1472,11 +1496,13 @@ struct ssl_st void *arg); void *tlsext_debug_arg; char *tlsext_hostname; - int servername_done; /* no further mod of servername - 0 : call the servername extension callback. - 1 : prepare 2, allow last ack just after in server callback. - 2 : don't call servername callback, no ack in server hello - */ + /*- + * no further mod of servername + * 0 : call the servername extension callback. + * 1 : prepare 2, allow last ack just after in server callback. + * 2 : don't call servername callback, no ack in server hello + */ + int servername_done; /* certificate status request info */ /* Status type or -1 if no status type */ int tlsext_status_type; @@ -1493,9 +1519,11 @@ struct ssl_st int tlsext_ticket_expected; #ifndef OPENSSL_NO_EC size_t tlsext_ecpointformatlist_length; - unsigned char *tlsext_ecpointformatlist; /* our list */ + /* our list */ + unsigned char *tlsext_ecpointformatlist; size_t tlsext_ellipticcurvelist_length; - unsigned char *tlsext_ellipticcurvelist; /* our list */ + /* our list */ + unsigned char *tlsext_ellipticcurvelist; #endif /* OPENSSL_NO_EC */ /* draft-rescorla-tls-opaque-prf-input-00.txt information to be used for handshakes */ @@ -1529,26 +1557,36 @@ struct ssl_st #define session_ctx initial_ctx - STACK_OF(SRTP_PROTECTION_PROFILE) *srtp_profiles; /* What we'll do */ - SRTP_PROTECTION_PROFILE *srtp_profile; /* What's been chosen */ + /* What we'll do */ + STACK_OF(SRTP_PROTECTION_PROFILE) *srtp_profiles; + /* What's been chosen */ + SRTP_PROTECTION_PROFILE *srtp_profile; - unsigned int tlsext_heartbeat; /* Is use of the Heartbeat extension negotiated? - 0: disabled - 1: enabled - 2: enabled, but not allowed to send Requests - */ - unsigned int tlsext_hb_pending; /* Indicates if a HeartbeatRequest is in flight */ - unsigned int tlsext_hb_seq; /* HeartbeatRequest sequence number */ + /*- + * Is use of the Heartbeat extension negotiated? + * 0: disabled + * 1: enabled + * 2: enabled, but not allowed to send Requests + */ + unsigned int tlsext_heartbeat; + /* Indicates if a HeartbeatRequest is in flight */ + unsigned int tlsext_hb_pending; + /* HeartbeatRequest sequence number */ + unsigned int tlsext_hb_seq; #else #define session_ctx ctx #endif /* OPENSSL_NO_TLSEXT */ - int renegotiate;/* 1 if we are renegotiating. - * 2 if we are a server and are inside a handshake - * (i.e. not just sending a HelloRequest) */ + /*- + * 1 if we are renegotiating. + * 2 if we are a server and are inside a handshake + * (i.e. not just sending a HelloRequest) + */ + int renegotiate; #ifndef OPENSSL_NO_SRP - SRP_CTX srp_ctx; /* ctx for SRP authentication */ + /* ctx for SRP authentication */ + SRP_CTX srp_ctx; #endif #ifndef OPENSSL_NO_TLSEXT /* For a client, this contains the list of supported protocols in wire diff --git a/ssl/ssl3.h b/ssl/ssl3.h index 6525efeeb3..fb1a860c94 100644 --- a/ssl/ssl3.h +++ b/ssl/ssl3.h @@ -388,23 +388,34 @@ extern "C" { typedef struct ssl3_record_st { -/*r */ int type; /* type of record */ -/*rw*/ unsigned int length; /* How many bytes available */ -/*r */ unsigned int off; /* read/write offset into 'buf' */ -/*rw*/ unsigned char *data; /* pointer to the record data */ -/*rw*/ unsigned char *input; /* where the decode bytes are */ -/*r */ unsigned char *comp; /* only used with decompression - malloc()ed */ -/*r */ unsigned long epoch; /* epoch number, needed by DTLS1 */ -/*r */ unsigned char seq_num[8]; /* sequence number, needed by DTLS1 */ + /* type of record */ +/*r */ int type; + /* How many bytes available */ +/*rw*/ unsigned int length; + /* read/write offset into 'buf' */ +/*r */ unsigned int off; + /* pointer to the record data */ +/*rw*/ unsigned char *data; + /* where the decode bytes are */ +/*rw*/ unsigned char *input; + /* only used with decompression - malloc()ed */ +/*r */ unsigned char *comp; + /* epoch number, needed by DTLS1 */ +/*r */ unsigned long epoch; + /* sequence number, needed by DTLS1 */ +/*r */ unsigned char seq_num[8]; } SSL3_RECORD; typedef struct ssl3_buffer_st { - unsigned char *buf; /* at least SSL3_RT_MAX_PACKET_SIZE bytes, - * see ssl3_setup_buffers() */ - size_t len; /* buffer size */ - int offset; /* where to 'copy from' */ - int left; /* how many bytes left */ + /* at least SSL3_RT_MAX_PACKET_SIZE bytes, see ssl3_setup_buffers() */ + unsigned char *buf; + /* buffer size */ + size_t len; + /* where to 'copy from' */ + int offset; + /* how many bytes left */ + int left; } SSL3_BUFFER; #endif diff --git a/ssl/ssl_lib.c b/ssl/ssl_lib.c index df51a77cce..569f57e341 100644 --- a/ssl/ssl_lib.c +++ b/ssl/ssl_lib.c @@ -201,10 +201,15 @@ int SSL_clear(SSL *s) s->hit=0; s->shutdown=0; -#if 0 /* Disabled since version 1.10 of this file (early return not - * needed because SSL_clear is not called when doing renegotiation) */ - /* This is set if we are doing dynamic renegotiation so keep - * the old cipher. It is sort of a SSL_clear_lite :-) */ +#if 0 + /* + * Disabled since version 1.10 of this file (early return not + * needed because SSL_clear is not called when doing renegotiation) + */ + /* + * This is set if we are doing dynamic renegotiation so keep + * the old cipher. It is sort of a SSL_clear_lite :-) + */ if (s->renegotiate) return(1); #else if (s->renegotiate) diff --git a/ssl/ssl_locl.h b/ssl/ssl_locl.h index bd85110b8a..2fd822a796 100644 --- a/ssl/ssl_locl.h +++ b/ssl/ssl_locl.h @@ -563,9 +563,12 @@ typedef struct { typedef struct cert_st { /* Current active set */ - CERT_PKEY *key; /* ALWAYS points to an element of the pkeys array - * Probably it would make more sense to store - * an index, not a pointer. */ + /* + * ALWAYS points to an element of the pkeys array + * Probably it would make more sense to store + * an index, not a pointer. + */ + CERT_PKEY *key; /* For servers the following masks are for the key and auth * algorithms that are supported by the certs below. diff --git a/ssl/ssl_sess.c b/ssl/ssl_sess.c index a8856209d0..52bf5464a1 100644 --- a/ssl/ssl_sess.c +++ b/ssl/ssl_sess.c @@ -1014,9 +1014,11 @@ static void SSL_SESSION_list_remove(SSL_CTX *ctx, SSL_SESSION *s) if ((s->next == NULL) || (s->prev == NULL)) return; if (s->next == (SSL_SESSION *)&(ctx->session_cache_tail)) - { /* last element in list */ + { + /* last element in list */ if (s->prev == (SSL_SESSION *)&(ctx->session_cache_head)) - { /* only one element in list */ + { + /* only one element in list */ ctx->session_cache_head=NULL; ctx->session_cache_tail=NULL; } @@ -1029,12 +1031,14 @@ static void SSL_SESSION_list_remove(SSL_CTX *ctx, SSL_SESSION *s) else { if (s->prev == (SSL_SESSION *)&(ctx->session_cache_head)) - { /* first element in list */ + { + /* first element in list */ ctx->session_cache_head=s->next; s->next->prev=(SSL_SESSION *)&(ctx->session_cache_head); } else - { /* middle of list */ + { + /* middle of list */ s->next->prev=s->prev; s->prev->next=s->next; } diff --git a/ssl/ssltest.c b/ssl/ssltest.c index 5802ee1d30..0bb9fa8731 100644 --- a/ssl/ssltest.c +++ b/ssl/ssltest.c @@ -140,8 +140,8 @@ * OTHERWISE. */ -#define _BSD_SOURCE 1 /* Or gethostname won't be declared properly - on Linux and GNU platforms. */ +/* Or gethostname won't be declared properly on Linux and GNU platforms. */ +#define _BSD_SOURCE 1 #include <assert.h> #include <errno.h> @@ -155,8 +155,8 @@ #include "e_os.h" #ifdef OPENSSL_SYS_VMS -#define _XOPEN_SOURCE 500 /* Or isascii won't be declared properly on - VMS (at least with DECompHP C). */ +/* Or isascii won't be declared properly on VMS (at least with DECompHP C). */ +#define _XOPEN_SOURCE 500 #endif #include <ctype.h> @@ -186,11 +186,13 @@ #endif #include <openssl/bn.h> -#define _XOPEN_SOURCE_EXTENDED 1 /* Or gethostname won't be declared properly - on Compaq platforms (at least with DEC C). - Do not try to put it earlier, or IPv6 includes - get screwed... - */ +/* + * Or gethostname won't be declared properly + * on Compaq platforms (at least with DEC C). + * Do not try to put it earlier, or IPv6 includes + * get screwed... +*/ +#define _XOPEN_SOURCE_EXTENDED 1 #ifdef OPENSSL_SYS_WINDOWS #include <winsock.h> diff --git a/ssl/t1_lib.c b/ssl/t1_lib.c index 8b8c9cd71f..fb49b13321 100644 --- a/ssl/t1_lib.c +++ b/ssl/t1_lib.c @@ -2281,8 +2281,11 @@ static int ssl_scan_clienthello_tlsext(SSL *s, unsigned char **p, unsigned char return 0; } - if (s->s3->client_opaque_prf_input != NULL) /* shouldn't really happen */ + if (s->s3->client_opaque_prf_input != NULL) + { + /* shouldn't really happen */ OPENSSL_free(s->s3->client_opaque_prf_input); + } /* dummy byte just to get non-NULL */ if (s->s3->client_opaque_prf_input_len == 0) @@ -2740,12 +2743,20 @@ static int ssl_scan_serverhello_tlsext(SSL *s, unsigned char **p, unsigned char return 0; } - if (s->s3->server_opaque_prf_input != NULL) /* shouldn't really happen */ + if (s->s3->server_opaque_prf_input != NULL) + { + /* shouldn't really happen */ OPENSSL_free(s->s3->server_opaque_prf_input); + } if (s->s3->server_opaque_prf_input_len == 0) - s->s3->server_opaque_prf_input = OPENSSL_malloc(1); /* dummy byte just to get non-NULL */ + { + /* dummy byte just to get non-NULL */ + s->s3->server_opaque_prf_input = OPENSSL_malloc(1); + } else + { s->s3->server_opaque_prf_input = BUF_memdup(sdata, s->s3->server_opaque_prf_input_len); + } if (s->s3->server_opaque_prf_input == NULL) { @@ -2958,13 +2969,21 @@ int ssl_prepare_clienthello_tlsext(SSL *s) if (s->tlsext_opaque_prf_input != NULL) { - if (s->s3->client_opaque_prf_input != NULL) /* shouldn't really happen */ + if (s->s3->client_opaque_prf_input != NULL) + { + /* shouldn't really happen */ OPENSSL_free(s->s3->client_opaque_prf_input); + } if (s->tlsext_opaque_prf_input_len == 0) - s->s3->client_opaque_prf_input = OPENSSL_malloc(1); /* dummy byte just to get non-NULL */ + { + /* dummy byte just to get non-NULL */ + s->s3->client_opaque_prf_input = OPENSSL_malloc(1); + } else + { s->s3->client_opaque_prf_input = BUF_memdup(s->tlsext_opaque_prf_input, s->tlsext_opaque_prf_input_len); + } if (s->s3->client_opaque_prf_input == NULL) { SSLerr(SSL_F_SSL_PREPARE_CLIENTHELLO_TLSEXT,ERR_R_MALLOC_FAILURE); @@ -3026,8 +3045,11 @@ static int ssl_check_clienthello_tlsext_early(SSL *s) } } - if (s->s3->server_opaque_prf_input != NULL) /* shouldn't really happen */ + if (s->s3->server_opaque_prf_input != NULL) + { + /* shouldn't really happen */ OPENSSL_free(s->s3->server_opaque_prf_input); + } s->s3->server_opaque_prf_input = NULL; if (s->tlsext_opaque_prf_input != NULL) @@ -3039,9 +3061,14 @@ static int ssl_check_clienthello_tlsext_early(SSL *s) * of the same length as the client opaque PRF input! */ if (s->tlsext_opaque_prf_input_len == 0) - s->s3->server_opaque_prf_input = OPENSSL_malloc(1); /* dummy byte just to get non-NULL */ + { + /* dummy byte just to get non-NULL */ + s->s3->server_opaque_prf_input = OPENSSL_malloc(1); + } else + { s->s3->server_opaque_prf_input = BUF_memdup(s->tlsext_opaque_prf_input, s->tlsext_opaque_prf_input_len); + } if (s->s3->server_opaque_prf_input == NULL) { ret = SSL_TLSEXT_ERR_ALERT_FATAL; diff --git a/ssl/tls1.h b/ssl/tls1.h index 910de40eed..ddf205d80b 100644 --- a/ssl/tls1.h +++ b/ssl/tls1.h @@ -244,9 +244,12 @@ extern "C" { #define TLSEXT_TYPE_session_ticket 35 /* ExtensionType value from draft-rescorla-tls-opaque-prf-input-00.txt */ -#if 0 /* will have to be provided externally for now , - * i.e. build with -DTLSEXT_TYPE_opaque_prf_input=38183 - * using whatever extension number you'd like to try */ +#if 0 +/* + * will have to be provided externally for now , + * i.e. build with -DTLSEXT_TYPE_opaque_prf_input=38183 + * using whatever extension number you'd like to try + */ # define TLSEXT_TYPE_opaque_prf_input ?? #endif |