author | 2014-07-12 10:06:04 +0000 | |
---|---|---|
committer | 2014-07-12 10:06:04 +0000 | |
commit | 2a4553efbd9e6b8c6e0a1cde559410e60af9e397 (patch) | |
tree | a134eeaaa61ee602bacefc4596acbc721c256fa2 /lib/libssl/s3_srvr.c | |
parent | Pull in more atomic functions to avoid <sys/atomic.h> trying to use gcc4 (diff) | |
Place comments in a block above the if statement, rather than attempting
to interleave them within the conditions. Also fix wrapping and
indentation.
Diffstat (limited to 'lib/libssl/s3_srvr.c')
-rw-r--r-- | lib/libssl/s3_srvr.c | 60 |
1 files changed, 31 insertions, 29 deletions
diff --git a/lib/libssl/s3_srvr.c b/lib/libssl/s3_srvr.c
index 89325b7be90..2d1bee1723d 100644
--- a/lib/libssl/s3_srvr.c
+++ b/lib/libssl/s3_srvr.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: s3_srvr.c,v 1.75 2014/07/11 22:57:25 miod Exp $ */
+/* $OpenBSD: s3_srvr.c,v 1.76 2014/07/12 10:06:04 jsing Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
 * All rights reserved.
 *
@@ -447,36 +447,38 @@ ssl3_accept(SSL *s)
 case SSL3_ST_SW_CERT_REQ_A:
 case SSL3_ST_SW_CERT_REQ_B:
- if (/* Don't request cert unless asked for it: */
- !(s->verify_mode & SSL_VERIFY_PEER) ||
- /*
- * If SSL_VERIFY_CLIENT_ONCE is set,
- * don't request cert during re-negotiation:
- */
+ /*
+ * Determine whether or not we need to request a
+ * certificate.
+ *
+ * Do not request a certificate if:
+ *
+ * - We did not ask for it (SSL_VERIFY_PEER is unset).
+ *
+ * - SSL_VERIFY_CLIENT_ONCE is set and we are
+ * renegotiating.
+ *
+ * - We are using an anonymous ciphersuites
+ * (see section "Certificate request" in SSL 3 drafts
+ * and in RFC 2246) ... except when the application
+ * insists on verification (against the specs, but
+ * s3_clnt.c accepts this for SSL 3).
+ *
+ * - We are using a Kerberos ciphersuite.
+ *
+ * - We are using normal PSK certificates and
+ * Certificate Requests are omitted
+ */
+ if (!(s->verify_mode & SSL_VERIFY_PEER) ||
 ((s->session->peer != NULL) &&
- (s->verify_mode & SSL_VERIFY_CLIENT_ONCE)) ||
- /*
- * Never request cert in anonymous ciphersuites
- * (see section "Certificate request" in SSL 3
- * drafts and in RFC 2246):
- */
+ (s->verify_mode & SSL_VERIFY_CLIENT_ONCE)) ||
 ((s->s3->tmp.new_cipher->algorithm_auth &
- SSL_aNULL) &&
- /*
- * ... except when the application insists on
- * verification (against the specs, but
- * s3_clnt.c accepts this for SSL 3)
- */
- !(s->verify_mode &
- SSL_VERIFY_FAIL_IF_NO_PEER_CERT)) ||
- /* never request cert in Kerberos ciphersuites */
- (s->s3->tmp.new_cipher->algorithm_auth & SSL_aKRB5)
- /*
- * With normal PSK Certificates and
- * Certificate Requests are omitted
- */
- || (s->s3->tmp.new_cipher->algorithm_mkey &
- SSL_kPSK)) {
+ SSL_aNULL) && !(s->verify_mode &
+ SSL_VERIFY_FAIL_IF_NO_PEER_CERT)) ||
+ (s->s3->tmp.new_cipher->algorithm_auth &
+ SSL_aKRB5) ||
+ (s->s3->tmp.new_cipher->algorithm_mkey &
+ SSL_kPSK)) {
 /* No cert request */
 skip = 1;
 s->s3->tmp.cert_request = 0; |
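Review bot: The last bullet of the new comment block, `We are using normal PSK certificates and Certificate Requests are omitted`, no longer matches the clause it documents, which tests `algorithm_mkey & SSL_kPSK`, i.e. a PSK key exchange; the old wording appears to have meant that with PSK the Certificate and Certificate Request messages are omitted. I would word it as `- We are using a PSK key exchange (Certificate and Certificate Request messages are omitted).`, and correct `an anonymous ciphersuites` to `an anonymous ciphersuite` in the third bullet. Because the bullets no longer sit next to their clauses, the comment should also say that the SSL_VERIFY_FAIL_IF_NO_PEER_CERT exception applies only to the SSL_aNULL clause, so a reader does not assume that flag forces a certificate request for Kerberos or PSK suites. The body of the `if` continues past the end of the hunk.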