diff options
| author |   mcbride <mcbride@openbsd.org> | 2014-04-24 12:21:26 +0000 |
|---|---|---|
| committer | mcbride <mcbride@openbsd.org> | 2014-04-24 12:21:26 +0000 |
| commit | 64b912a0579ce827150e4ab2f1675a7b70d7a665 (patch) | |
| tree | 0876492f03bc1a2e918b5431a0ea382b21f51976 /lib/libssl/src/ssl/s3_lib.c | |
| parent | Remove more FIPS tenticles. (diff) | |
| download | wireguard-openbsd-64b912a0579ce827150e4ab2f1675a7b70d7a665.tar.xz wireguard-openbsd-64b912a0579ce827150e4ab2f1675a7b70d7a665.zip | |
KNF
Diffstat (limited to 'lib/libssl/src/ssl/s3_lib.c')
| -rw-r--r-- | lib/libssl/src/ssl/s3_lib.c | 280 |
1 files changed, 181 insertions, 99 deletions
diff --git a/lib/libssl/src/ssl/s3_lib.c b/lib/libssl/src/ssl/s3_lib.c index c79464da55a..28a3d51b9e5 100644 --- a/lib/libssl/src/ssl/s3_lib.c +++ b/lib/libssl/src/ssl/s3_lib.c @@ -2743,9 +2743,11 @@ SSL3_ENC_METHOD SSLv3_enc_data = { long ssl3_default_timeout(void) { - /* 2 hours, the 24 hours mentioned in the SSLv3 spec - * is way too long for http, the cache would over fill */ - return (60*60*2); + /* + * 2 hours, the 24 hours mentioned in the SSLv3 spec + * is way too long for http, the cache would over fill + */ + return (60 * 60 * 2); } int @@ -2769,13 +2771,14 @@ ssl3_pending(const SSL *s) if (s->rstate == SSL_ST_READ_BODY) return 0; - return (s->s3->rrec.type == SSL3_RT_APPLICATION_DATA) ? s->s3->rrec.length : 0; + return (s->s3->rrec.type == SSL3_RT_APPLICATION_DATA) ? + s->s3->rrec.length : 0; } int ssl3_new(SSL *s) { - SSL3_STATE *s3; + SSL3_STATE *s3; if ((s3 = calloc(1, sizeof *s3)) == NULL) goto err; @@ -2840,9 +2843,9 @@ ssl3_free(SSL *s) void ssl3_clear(SSL *s) { - unsigned char *rp, *wp; - size_t rlen, wlen; - int init_extra; + unsigned char *rp, *wp; + size_t rlen, wlen; + int init_extra; #ifdef TLSEXT_TYPE_opaque_prf_input if (s->s3->client_opaque_prf_input != NULL) @@ -2932,7 +2935,8 @@ ssl3_ctrl(SSL *s, int cmd, long larg, void *parg) if (cmd == SSL_CTRL_SET_TMP_RSA || cmd == SSL_CTRL_SET_TMP_RSA_CB || cmd == SSL_CTRL_SET_TMP_DH || cmd == SSL_CTRL_SET_TMP_DH_CB) { if (!ssl_cert_inst(&s->cert)) { - SSLerr(SSL_F_SSL3_CTRL, ERR_R_MALLOC_FAILURE); + SSLerr(SSL_F_SSL3_CTRL, + ERR_R_MALLOC_FAILURE); return (0); } } @@ -2959,18 +2963,21 @@ ssl3_ctrl(SSL *s, int cmd, long larg, void *parg) case SSL_CTRL_NEED_TMP_RSA: if ((s->cert != NULL) && (s->cert->rsa_tmp == NULL) && ((s->cert->pkeys[SSL_PKEY_RSA_ENC].privatekey == NULL) || - (EVP_PKEY_size(s->cert->pkeys[SSL_PKEY_RSA_ENC].privatekey) > (512 / 8)))) + (EVP_PKEY_size(s->cert->pkeys[SSL_PKEY_RSA_ENC].privatekey) + > (512 / 8)))) ret = 1; break; case SSL_CTRL_SET_TMP_RSA: { RSA *rsa = (RSA *)parg; if (rsa == NULL) { - SSLerr(SSL_F_SSL3_CTRL, ERR_R_PASSED_NULL_PARAMETER); + SSLerr(SSL_F_SSL3_CTRL, + ERR_R_PASSED_NULL_PARAMETER); return (ret); } if ((rsa = RSAPrivateKey_dup(rsa)) == NULL) { - SSLerr(SSL_F_SSL3_CTRL, ERR_R_RSA_LIB); + SSLerr(SSL_F_SSL3_CTRL, + ERR_R_RSA_LIB); return (ret); } if (s->cert->rsa_tmp != NULL) @@ -2981,7 +2988,8 @@ ssl3_ctrl(SSL *s, int cmd, long larg, void *parg) break; case SSL_CTRL_SET_TMP_RSA_CB: { - SSLerr(SSL_F_SSL3_CTRL, ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED); + SSLerr(SSL_F_SSL3_CTRL, + ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED); return (ret); } break; @@ -2990,17 +2998,20 @@ ssl3_ctrl(SSL *s, int cmd, long larg, void *parg) { DH *dh = (DH *)parg; if (dh == NULL) { - SSLerr(SSL_F_SSL3_CTRL, ERR_R_PASSED_NULL_PARAMETER); + SSLerr(SSL_F_SSL3_CTRL, + ERR_R_PASSED_NULL_PARAMETER); return (ret); } if ((dh = DHparams_dup(dh)) == NULL) { - SSLerr(SSL_F_SSL3_CTRL, ERR_R_DH_LIB); + SSLerr(SSL_F_SSL3_CTRL, + ERR_R_DH_LIB); return (ret); } if (!(s->options & SSL_OP_SINGLE_DH_USE)) { if (!DH_generate_key(dh)) { DH_free(dh); - SSLerr(SSL_F_SSL3_CTRL, ERR_R_DH_LIB); + SSLerr(SSL_F_SSL3_CTRL, + ERR_R_DH_LIB); return (ret); } } @@ -3012,7 +3023,8 @@ ssl3_ctrl(SSL *s, int cmd, long larg, void *parg) break; case SSL_CTRL_SET_TMP_DH_CB: { - SSLerr(SSL_F_SSL3_CTRL, ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED); + SSLerr(SSL_F_SSL3_CTRL, + ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED); return (ret); } break; @@ -3023,18 +3035,21 @@ ssl3_ctrl(SSL *s, int cmd, long larg, void *parg) EC_KEY *ecdh = NULL; if (parg == NULL) { - SSLerr(SSL_F_SSL3_CTRL, ERR_R_PASSED_NULL_PARAMETER); + SSLerr(SSL_F_SSL3_CTRL, + ERR_R_PASSED_NULL_PARAMETER); return (ret); } if (!EC_KEY_up_ref((EC_KEY *)parg)) { - SSLerr(SSL_F_SSL3_CTRL, ERR_R_ECDH_LIB); + SSLerr(SSL_F_SSL3_CTRL, + ERR_R_ECDH_LIB); return (ret); } ecdh = (EC_KEY *)parg; if (!(s->options & SSL_OP_SINGLE_ECDH_USE)) { if (!EC_KEY_generate_key(ecdh)) { EC_KEY_free(ecdh); - SSLerr(SSL_F_SSL3_CTRL, ERR_R_ECDH_LIB); + SSLerr(SSL_F_SSL3_CTRL, + ERR_R_ECDH_LIB); return (ret); } } @@ -3046,7 +3061,8 @@ ssl3_ctrl(SSL *s, int cmd, long larg, void *parg) break; case SSL_CTRL_SET_TMP_ECDH_CB: { - SSLerr(SSL_F_SSL3_CTRL, ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED); + SSLerr(SSL_F_SSL3_CTRL, + ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED); return (ret); } break; @@ -3062,15 +3078,19 @@ ssl3_ctrl(SSL *s, int cmd, long larg, void *parg) if (parg == NULL) break; if (strlen((char *)parg) > TLSEXT_MAXLEN_host_name) { - SSLerr(SSL_F_SSL3_CTRL, SSL_R_SSL3_EXT_INVALID_SERVERNAME); + SSLerr(SSL_F_SSL3_CTRL, + SSL_R_SSL3_EXT_INVALID_SERVERNAME); return 0; } - if ((s->tlsext_hostname = BUF_strdup((char *)parg)) == NULL) { - SSLerr(SSL_F_SSL3_CTRL, ERR_R_INTERNAL_ERROR); + if ((s->tlsext_hostname = BUF_strdup((char *)parg)) + == NULL) { + SSLerr(SSL_F_SSL3_CTRL, + ERR_R_INTERNAL_ERROR); return 0; } } else { - SSLerr(SSL_F_SSL3_CTRL, SSL_R_SSL3_EXT_INVALID_SERVERNAME_TYPE); + SSLerr(SSL_F_SSL3_CTRL, + SSL_R_SSL3_EXT_INVALID_SERVERNAME_TYPE); return 0; } break; @@ -3082,9 +3102,13 @@ ssl3_ctrl(SSL *s, int cmd, long larg, void *parg) #ifdef TLSEXT_TYPE_opaque_prf_input case SSL_CTRL_SET_TLSEXT_OPAQUE_PRF_INPUT: if (larg > 12288) { - /* actual internal limit is 2^16 for the complete hello message - * (including the cert chain and everything) */ - SSLerr(SSL_F_SSL3_CTRL, SSL_R_OPAQUE_PRF_INPUT_TOO_LONG); + /* + * Actual internal limit is 2^16 for the complete + * hello message (including the cert chain and + * everything) + */ + SSLerr(SSL_F_SSL3_CTRL, + SSL_R_OPAQUE_PRF_INPUT_TOO_LONG); break; } if (s->tlsext_opaque_prf_input != NULL) @@ -3148,11 +3172,12 @@ ssl3_ctrl(SSL *s, int cmd, long larg, void *parg) long ssl3_callback_ctrl(SSL *s, int cmd, void (*fp)(void)) { - int ret = 0; + int ret = 0; if (cmd == SSL_CTRL_SET_TMP_RSA_CB || cmd == SSL_CTRL_SET_TMP_DH_CB) { if (!ssl_cert_inst(&s->cert)) { - SSLerr(SSL_F_SSL3_CALLBACK_CTRL, ERR_R_MALLOC_FAILURE); + SSLerr(SSL_F_SSL3_CALLBACK_CTRL, + ERR_R_MALLOC_FAILURE); return (0); } } @@ -3173,14 +3198,15 @@ ssl3_callback_ctrl(SSL *s, int cmd, void (*fp)(void)) #ifndef OPENSSL_NO_ECDH case SSL_CTRL_SET_TMP_ECDH_CB: { - s->cert->ecdh_tmp_cb = (EC_KEY *(*)(SSL *, int, int))fp; + s->cert->ecdh_tmp_cb = + (EC_KEY *(*)(SSL *, int, int))fp; } break; #endif #ifndef OPENSSL_NO_TLSEXT case SSL_CTRL_SET_TLSEXT_DEBUG_CB: s->tlsext_debug_cb = (void (*)(SSL *, int , int, - unsigned char *, int, void *))fp; + unsigned char *, int, void *))fp; break; #endif default: @@ -3192,7 +3218,7 @@ ssl3_callback_ctrl(SSL *s, int cmd, void (*fp)(void)) long ssl3_ctx_ctrl(SSL_CTX *ctx, int cmd, long larg, void *parg) { - CERT *cert; + CERT *cert; cert = ctx->cert; @@ -3200,7 +3226,8 @@ ssl3_ctx_ctrl(SSL_CTX *ctx, int cmd, long larg, void *parg) case SSL_CTRL_NEED_TMP_RSA: if ((cert->rsa_tmp == NULL) && ((cert->pkeys[SSL_PKEY_RSA_ENC].privatekey == NULL) || - (EVP_PKEY_size(cert->pkeys[SSL_PKEY_RSA_ENC].privatekey) > (512 / 8)))) + (EVP_PKEY_size(cert->pkeys[SSL_PKEY_RSA_ENC].privatekey) > + (512 / 8)))) return (1); else return (0); @@ -3219,7 +3246,8 @@ ssl3_ctx_ctrl(SSL_CTX *ctx, int cmd, long larg, void *parg) i = 0; } if (!i) { - SSLerr(SSL_F_SSL3_CTX_CTRL, ERR_R_RSA_LIB); + SSLerr(SSL_F_SSL3_CTX_CTRL, + ERR_R_RSA_LIB); return (0); } else { if (cert->rsa_tmp != NULL) @@ -3231,7 +3259,8 @@ ssl3_ctx_ctrl(SSL_CTX *ctx, int cmd, long larg, void *parg) /* break; */ case SSL_CTRL_SET_TMP_RSA_CB: { - SSLerr(SSL_F_SSL3_CTX_CTRL, ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED); + SSLerr(SSL_F_SSL3_CTX_CTRL, + ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED); return (0); } break; @@ -3242,12 +3271,14 @@ ssl3_ctx_ctrl(SSL_CTX *ctx, int cmd, long larg, void *parg) dh = (DH *)parg; if ((new = DHparams_dup(dh)) == NULL) { - SSLerr(SSL_F_SSL3_CTX_CTRL, ERR_R_DH_LIB); + SSLerr(SSL_F_SSL3_CTX_CTRL, + ERR_R_DH_LIB); return 0; } if (!(ctx->options & SSL_OP_SINGLE_DH_USE)) { if (!DH_generate_key(new)) { - SSLerr(SSL_F_SSL3_CTX_CTRL, ERR_R_DH_LIB); + SSLerr(SSL_F_SSL3_CTX_CTRL, + ERR_R_DH_LIB); DH_free(new); return 0; } @@ -3260,7 +3291,8 @@ ssl3_ctx_ctrl(SSL_CTX *ctx, int cmd, long larg, void *parg) /*break; */ case SSL_CTRL_SET_TMP_DH_CB: { - SSLerr(SSL_F_SSL3_CTX_CTRL, ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED); + SSLerr(SSL_F_SSL3_CTX_CTRL, + ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED); return (0); } break; @@ -3271,18 +3303,21 @@ ssl3_ctx_ctrl(SSL_CTX *ctx, int cmd, long larg, void *parg) EC_KEY *ecdh = NULL; if (parg == NULL) { - SSLerr(SSL_F_SSL3_CTX_CTRL, ERR_R_ECDH_LIB); + SSLerr(SSL_F_SSL3_CTX_CTRL, + ERR_R_ECDH_LIB); return 0; } ecdh = EC_KEY_dup((EC_KEY *)parg); if (ecdh == NULL) { - SSLerr(SSL_F_SSL3_CTX_CTRL, ERR_R_EC_LIB); + SSLerr(SSL_F_SSL3_CTX_CTRL, + ERR_R_EC_LIB); return 0; } if (!(ctx->options & SSL_OP_SINGLE_ECDH_USE)) { if (!EC_KEY_generate_key(ecdh)) { EC_KEY_free(ecdh); - SSLerr(SSL_F_SSL3_CTX_CTRL, ERR_R_ECDH_LIB); + SSLerr(SSL_F_SSL3_CTX_CTRL, + ERR_R_ECDH_LIB); return 0; } } @@ -3296,7 +3331,8 @@ ssl3_ctx_ctrl(SSL_CTX *ctx, int cmd, long larg, void *parg) /* break; */ case SSL_CTRL_SET_TMP_ECDH_CB: { - SSLerr(SSL_F_SSL3_CTX_CTRL, ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED); + SSLerr(SSL_F_SSL3_CTX_CTRL, + ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED); return (0); } break; @@ -3312,17 +3348,21 @@ ssl3_ctx_ctrl(SSL_CTX *ctx, int cmd, long larg, void *parg) if (!keys) return 48; if (larg != 48) { - SSLerr(SSL_F_SSL3_CTX_CTRL, SSL_R_INVALID_TICKET_KEYS_LENGTH); + SSLerr(SSL_F_SSL3_CTX_CTRL, + SSL_R_INVALID_TICKET_KEYS_LENGTH); return 0; } if (cmd == SSL_CTRL_SET_TLSEXT_TICKET_KEYS) { memcpy(ctx->tlsext_tick_key_name, keys, 16); - memcpy(ctx->tlsext_tick_hmac_key, keys + 16, 16); + memcpy(ctx->tlsext_tick_hmac_key, + keys + 16, 16); memcpy(ctx->tlsext_tick_aes_key, keys + 32, 16); } else { memcpy(keys, ctx->tlsext_tick_key_name, 16); - memcpy(keys + 16, ctx->tlsext_tick_hmac_key, 16); - memcpy(keys + 32, ctx->tlsext_tick_aes_key, 16); + memcpy(keys + 16, + ctx->tlsext_tick_hmac_key, 16); + memcpy(keys + 32, + ctx->tlsext_tick_aes_key, 16); } return 1; } @@ -3346,17 +3386,21 @@ ssl3_ctx_ctrl(SSL_CTX *ctx, int cmd, long larg, void *parg) ctx->srp_ctx.login = NULL; if (parg == NULL) break; - if (strlen((const char *)parg) > 255 || strlen((const char *)parg) < 1) { - SSLerr(SSL_F_SSL3_CTX_CTRL, SSL_R_INVALID_SRP_USERNAME); + if (strlen((const char *)parg) > 255 || + strlen((const char *)parg) < 1) { + SSLerr(SSL_F_SSL3_CTX_CTRL, + SSL_R_INVALID_SRP_USERNAME); return 0; } if ((ctx->srp_ctx.login = BUF_strdup((char *)parg)) == NULL) { - SSLerr(SSL_F_SSL3_CTX_CTRL, ERR_R_INTERNAL_ERROR); + SSLerr(SSL_F_SSL3_CTX_CTRL, + ERR_R_INTERNAL_ERROR); return 0; } break; case SSL_CTRL_SET_TLS_EXT_SRP_PASSWORD: - ctx->srp_ctx.SRP_give_srp_client_pwd_callback = srp_password_from_info_cb; + ctx->srp_ctx.SRP_give_srp_client_pwd_callback = + srp_password_from_info_cb; ctx->srp_ctx.info = parg; break; case SSL_CTRL_SET_SRP_ARG: @@ -3399,7 +3443,7 @@ ssl3_ctx_ctrl(SSL_CTX *ctx, int cmd, long larg, void *parg) long ssl3_ctx_callback_ctrl(SSL_CTX *ctx, int cmd, void (*fp)(void)) { - CERT *cert; + CERT *cert; cert = ctx->cert; @@ -3425,12 +3469,14 @@ ssl3_ctx_callback_ctrl(SSL_CTX *ctx, int cmd, void (*fp)(void)) #endif #ifndef OPENSSL_NO_TLSEXT case SSL_CTRL_SET_TLSEXT_SERVERNAME_CB: - ctx->tlsext_servername_callback = (int (*)(SSL *, int *, void *))fp; + ctx->tlsext_servername_callback = + (int (*)(SSL *, int *, void *))fp; break; #ifdef TLSEXT_TYPE_opaque_prf_input case SSL_CTRL_SET_TLSEXT_OPAQUE_PRF_INPUT_CB: - ctx->tlsext_opaque_prf_input_callback = (int (*)(SSL *, void *, size_t, void *))fp; + ctx->tlsext_opaque_prf_input_callback = + (int (*)(SSL *, void *, size_t, void *))fp; break; #endif @@ -3472,9 +3518,9 @@ ssl3_ctx_callback_ctrl(SSL_CTX *ctx, int cmd, void (*fp)(void)) const SSL_CIPHER * ssl3_get_cipher_by_char(const unsigned char *p) { - SSL_CIPHER c; - const SSL_CIPHER *cp; - unsigned long id; + SSL_CIPHER c; + const SSL_CIPHER *cp; + unsigned long id; id = 0x03000000L | ((unsigned long)p[0] << 8L) | (unsigned long)p[1]; c.id = id; @@ -3492,7 +3538,7 @@ ssl3_get_cipher_by_char(const unsigned char *p) int ssl3_put_cipher_by_char(const SSL_CIPHER *c, unsigned char *p) { - long l; + long l; if (p != NULL) { l = c->id; @@ -3507,9 +3553,9 @@ ssl3_put_cipher_by_char(const SSL_CIPHER *c, unsigned char *p) SSL_CIPHER *ssl3_choose_cipher(SSL *s, STACK_OF(SSL_CIPHER) *clnt, STACK_OF(SSL_CIPHER) *srvr) { - SSL_CIPHER *c, *ret = NULL; - STACK_OF(SSL_CIPHER) *prio, *allow; - int i, ii, ok; + SSL_CIPHER *c, *ret = NULL; + STACK_OF(SSL_CIPHER) *prio, *allow; + int i, ii, ok; #if !defined(OPENSSL_NO_TLSEXT) && !defined(OPENSSL_NO_EC) unsigned int j; int ec_ok, ec_nid; @@ -3522,7 +3568,8 @@ SSL_CIPHER *ssl3_choose_cipher(SSL *s, STACK_OF(SSL_CIPHER) *clnt, cert = s->cert; #if 0 - /* Do not set the compare functions, because this may lead to a + /* + * Do not set the compare functions, because this may lead to a * reordering by "id". We want to keep the original ordering. * We may pay a price in performance during sk_SSL_CIPHER_find(), * but would have to pay with the price of sk_SSL_CIPHER_dup(). @@ -3532,12 +3579,14 @@ SSL_CIPHER *ssl3_choose_cipher(SSL *s, STACK_OF(SSL_CIPHER) *clnt, #endif #ifdef CIPHER_DEBUG - printf("Server has %d from %p:\n", sk_SSL_CIPHER_num(srvr), (void *)srvr); + printf("Server has %d from %p:\n", sk_SSL_CIPHER_num(srvr), + (void *)srvr); for (i = 0; i < sk_SSL_CIPHER_num(srvr); ++i) { c = sk_SSL_CIPHER_value(srvr, i); printf("%p:%s\n",(void *)c, c->name); } - printf("Client sent %d from %p:\n", sk_SSL_CIPHER_num(clnt), (void *)clnt); + printf("Client sent %d from %p:\n", sk_SSL_CIPHER_num(clnt), + (void *)clnt); for (i = 0; i < sk_SSL_CIPHER_num(clnt); ++i) { c = sk_SSL_CIPHER_value(clnt, i); printf("%p:%s\n",(void *)c, c->name); @@ -3592,26 +3641,35 @@ SSL_CIPHER *ssl3_choose_cipher(SSL *s, STACK_OF(SSL_CIPHER) *clnt, if (SSL_C_IS_EXPORT(c)) { ok = (alg_k & emask_k) && (alg_a & emask_a); #ifdef CIPHER_DEBUG - printf("%d:[%08lX:%08lX:%08lX:%08lX]%p:%s (export)\n", ok, alg_k, alg_a, emask_k, emask_a, - (void *)c, c->name); + printf("%d:[%08lX:%08lX:%08lX:%08lX]%p:%s (export)\n", + ok, alg_k, alg_a, emask_k, emask_a, (void *)c, + c->name); #endif } else { ok = (alg_k & mask_k) && (alg_a & mask_a); #ifdef CIPHER_DEBUG - printf("%d:[%08lX:%08lX:%08lX:%08lX]%p:%s\n", ok, alg_k, alg_a, mask_k, mask_a,(void *)c, - c->name); + printf("%d:[%08lX:%08lX:%08lX:%08lX]%p:%s\n", + ok, alg_k, alg_a, mask_k, mask_a,(void *)c, + c->name); #endif } #ifndef OPENSSL_NO_TLSEXT #ifndef OPENSSL_NO_EC if ( - /* if we are considering an ECC cipher suite that uses our certificate */ + /* + * if we are considering an ECC cipher suite that uses our + * certificate + */ (alg_a & SSL_aECDSA || alg_a & SSL_aECDH) /* and we have an ECC certificate */ && (s->cert->pkeys[SSL_PKEY_ECC].x509 != NULL) - /* and the client specified a Supported Point Formats extension */ - && ((s->session->tlsext_ecpointformatlist_length > 0) && (s->session->tlsext_ecpointformatlist != NULL)) + /* + * and the client specified a Supported Point Formats + * extension + */ + && ((s->session->tlsext_ecpointformatlist_length > 0) && + (s->session->tlsext_ecpointformatlist != NULL)) /* and our certificate's point is compressed */ && ( (s->cert->pkeys[SSL_PKEY_ECC].x509->cert_info != NULL) @@ -3625,8 +3683,11 @@ SSL_CIPHER *ssl3_choose_cipher(SSL *s, STACK_OF(SSL_CIPHER) *clnt, ) ) { ec_ok = 0; - /* if our certificate's curve is over a field type that the client does not support - * then do not allow this cipher suite to be negotiated */ + /* + * If our certificate's curve is over a field type + * that the client does not support then do not allow + * this cipher suite to be negotiated + */ if ( (s->cert->pkeys[SSL_PKEY_ECC].privatekey->pkey.ec != NULL) && (s->cert->pkeys[SSL_PKEY_ECC].privatekey->pkey.ec->group != NULL) @@ -3650,7 +3711,10 @@ SSL_CIPHER *ssl3_choose_cipher(SSL *s, STACK_OF(SSL_CIPHER) *clnt, ok = ok && ec_ok; } if ( - /* if we are considering an ECC cipher suite that uses our certificate */ + /* + * If we are considering an ECC cipher suite that uses our + * certificate + */ (alg_a & SSL_aECDSA || alg_a & SSL_aECDH) /* and we have an ECC certificate */ && (s->cert->pkeys[SSL_PKEY_ECC].x509 != NULL) @@ -3689,7 +3753,10 @@ SSL_CIPHER *ssl3_choose_cipher(SSL *s, STACK_OF(SSL_CIPHER) *clnt, ok = ok && ec_ok; } if ( - /* if we are considering an ECC cipher suite that uses an ephemeral EC key */ + /* + * if we are considering an ECC cipher suite that uses an + * ephemeral EC key + */ (alg_k & SSL_kEECDH) /* and we have an ephemeral EC key */ && (s->cert->ecdh_tmp != NULL) @@ -3732,7 +3799,8 @@ SSL_CIPHER *ssl3_choose_cipher(SSL *s, STACK_OF(SSL_CIPHER) *clnt, ii = sk_SSL_CIPHER_find(allow, c); if (ii >= 0) { #if !defined(OPENSSL_NO_EC) && !defined(OPENSSL_NO_TLSEXT) - if ((alg_k & SSL_kEECDH) && (alg_a & SSL_aECDSA) && s->s3->is_probably_safari) { + if ((alg_k & SSL_kEECDH) && + (alg_a & SSL_aECDSA) && s->s3->is_probably_safari) { if (!ret) ret = sk_SSL_CIPHER_value(allow, ii); continue; @@ -3748,8 +3816,8 @@ SSL_CIPHER *ssl3_choose_cipher(SSL *s, STACK_OF(SSL_CIPHER) *clnt, int ssl3_get_req_cert_type(SSL *s, unsigned char *p) { - int ret = 0; - unsigned long alg_k; + int ret = 0; + unsigned long alg_k; alg_k = s->s3->tmp.new_cipher->algorithm_mkey; @@ -3784,7 +3852,8 @@ ssl3_get_req_cert_type(SSL *s, unsigned char *p) #endif #ifndef OPENSSL_NO_ECDSA - /* ECDSA certs can be used with RSA cipher suites as well + /* + * ECDSA certs can be used with RSA cipher suites as well * so we don't need to check for SSL_kECDH or SSL_kEECDH */ if (s->version >= TLS1_VERSION) { @@ -3797,10 +3866,12 @@ ssl3_get_req_cert_type(SSL *s, unsigned char *p) int ssl3_shutdown(SSL *s) { - int ret; + int ret; - /* Don't do anything much if we have not done the handshake or - * we don't want to send messages :-) */ + /* + * Don't do anything much if we have not done the handshake or + * we don't want to send messages :-) + */ if ((s->quiet_shutdown) || (s->state == SSL_ST_BEFORE)) { s->shutdown = (SSL_SENT_SHUTDOWN|SSL_RECEIVED_SHUTDOWN); return (1); @@ -3811,8 +3882,10 @@ ssl3_shutdown(SSL *s) #if 1 ssl3_send_alert(s, SSL3_AL_WARNING, SSL_AD_CLOSE_NOTIFY); #endif - /* our shutdown alert has been sent now, and if it still needs - * to be written, s->s3->alert_dispatch will be true */ + /* + * Our shutdown alert has been sent now, and if it still needs + * to be written, s->s3->alert_dispatch will be true + */ if (s->s3->alert_dispatch) return(-1); /* return WANT_WRITE */ } else if (s->s3->alert_dispatch) { @@ -3820,10 +3893,12 @@ ssl3_shutdown(SSL *s) #if 1 ret = s->method->ssl_dispatch_alert(s); if (ret == -1) { - /* we only get to return -1 here the 2nd/Nth + /* + * We only get to return -1 here the 2nd/Nth * invocation, we must have already signalled * return 0 upon a previous invoation, - * return WANT_WRITE */ + * return WANT_WRITE + */ return (ret); } #endif @@ -3845,7 +3920,7 @@ ssl3_shutdown(SSL *s) int ssl3_write(SSL *s, const void *buf, int len) { - int ret, n; + int ret, n; #if 0 if (s->shutdown & SSL_SEND_SHUTDOWN) { @@ -3857,16 +3932,18 @@ ssl3_write(SSL *s, const void *buf, int len) if (s->s3->renegotiate) ssl3_renegotiate_check(s); - /* This is an experimental flag that sends the + /* + * This is an experimental flag that sends the * last handshake message in the same packet as the first * use data - used to see if it helps the TCP protocol during - * session-id reuse */ + * session-id reuse + */ /* The second test is because the buffer may have been removed */ if ((s->s3->flags & SSL3_FLAGS_POP_BUFFER) && (s->wbio == s->bbio)) { /* First time through, we write into the buffer */ if (s->s3->delay_buf_pop_ret == 0) { ret = ssl3_write_bytes(s, SSL3_RT_APPLICATION_DATA, - buf, len); + buf, len); if (ret <= 0) return (ret); @@ -3887,7 +3964,7 @@ ssl3_write(SSL *s, const void *buf, int len) s->s3->delay_buf_pop_ret = 0; } else { ret = s->method->ssl_write_bytes(s, SSL3_RT_APPLICATION_DATA, - buf, len); + buf, len); if (ret <= 0) return (ret); } @@ -3898,21 +3975,25 @@ ssl3_write(SSL *s, const void *buf, int len) static int ssl3_read_internal(SSL *s, void *buf, int len, int peek) { - int ret; + int ret; errno = 0; if (s->s3->renegotiate) ssl3_renegotiate_check(s); s->s3->in_read_app_data = 1; - ret = s->method->ssl_read_bytes(s, SSL3_RT_APPLICATION_DATA, buf, len, peek); + ret = s->method->ssl_read_bytes(s, + SSL3_RT_APPLICATION_DATA, buf, len, peek); if ((ret == -1) && (s->s3->in_read_app_data == 2)) { - /* ssl3_read_bytes decided to call s->handshake_func, which + /* + * ssl3_read_bytes decided to call s->handshake_func, which * called ssl3_read_bytes to read handshake data. * However, ssl3_read_bytes actually found application data * and thinks that application data makes sense here; so disable - * handshake processing and try to read application data again. */ + * handshake processing and try to read application data again. + */ s->in_handshake++; - ret = s->method->ssl_read_bytes(s, SSL3_RT_APPLICATION_DATA, buf, len, peek); + ret = s->method->ssl_read_bytes(s, + SSL3_RT_APPLICATION_DATA, buf, len, peek); s->in_handshake--; } else s->s3->in_read_app_data = 0; @@ -3948,7 +4029,7 @@ ssl3_renegotiate(SSL *s) int ssl3_renegotiate_check(SSL *s) { - int ret = 0; + int ret = 0; if (s->s3->renegotiate) { if ((s->s3->rbuf.left == 0) && (s->s3->wbuf.left == 0) && @@ -3968,13 +4049,14 @@ ssl3_renegotiate_check(SSL *s) } return (ret); } -/* If we are using TLS v1.2 or later and default SHA1+MD5 algorithms switch +/* + * If we are using TLS v1.2 or later and default SHA1+MD5 algorithms switch * to new SHA256 PRF and handshake macs */ long ssl_get_algorithm2(SSL *s) { - long alg2 = s->s3->tmp.new_cipher->algorithm2; + long alg2 = s->s3->tmp.new_cipher->algorithm2; if (s->method->version == TLS1_2_VERSION && alg2 == (SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF)) |