authorjsing <>2014-07-12 10:06:04 +0000
committerjsing <>2014-07-12 10:06:04 +0000
commit21bd18026828ac44c0d2c01c55eb0727c2953a97 (patch)
treeb56f15ebd2f0752c4f88b4b1a86379d54d999ceb /src
parentfcdf1845eeec6286344b1c18b494447d35796329 (diff)
Place comments in a block above the if statement, rather than attempting
to interleave them within the conditions. Also fix wrapping and indentation.
Diffstat (limited to 'src')
-rw-r--r--src/lib/libssl/d1_srvr.c50
-rw-r--r--src/lib/libssl/s3_srvr.c60
-rw-r--r--src/lib/libssl/src/ssl/d1_srvr.c50
-rw-r--r--src/lib/libssl/src/ssl/s3_srvr.c60
4 files changed, 126 insertions, 94 deletions
diff --git a/src/lib/libssl/d1_srvr.c b/src/lib/libssl/d1_srvr.c
index d94c08a313..8531f2db2b 100644
--- a/src/lib/libssl/d1_srvr.c
+++ b/src/lib/libssl/d1_srvr.c
@@ -1,4 +1,4 @@
1/* $OpenBSD: d1_srvr.c,v 1.30 2014/07/11 09:24:44 beck Exp $ */ 1/* $OpenBSD: d1_srvr.c,v 1.31 2014/07/12 10:06:04 jsing Exp $ */
2/* 2/*
3 * DTLS implementation written by Nagendra Modadugu 3 * DTLS implementation written by Nagendra Modadugu
4 * (nagendra@cs.stanford.edu) for the OpenSSL project 2005. 4 * (nagendra@cs.stanford.edu) for the OpenSSL project 2005.
@@ -484,24 +484,38 @@ dtls1_accept(SSL *s)
484 484
485 case SSL3_ST_SW_CERT_REQ_A: 485 case SSL3_ST_SW_CERT_REQ_A:
486 case SSL3_ST_SW_CERT_REQ_B: 486 case SSL3_ST_SW_CERT_REQ_B:
487 if (/* don't request cert unless asked for it: */ 487 /*
488 !(s->verify_mode & SSL_VERIFY_PEER) || 488 * Determine whether or not we need to request a
489 /* if SSL_VERIFY_CLIENT_ONCE is set, 489 * certificate.
490 * don't request cert during re-negotiation: */ 490 *
491 * Do not request a certificate if:
492 *
493 * - We did not ask for it (SSL_VERIFY_PEER is unset).
494 *
495 * - SSL_VERIFY_CLIENT_ONCE is set and we are
496 * renegotiating.
497 *
498 * - We are using an anonymous ciphersuites
499 * (see section "Certificate request" in SSL 3 drafts
500 * and in RFC 2246) ... except when the application
501 * insists on verification (against the specs, but
502 * s3_clnt.c accepts this for SSL 3).
503 *
504 * - We are using a Kerberos ciphersuite.
505 *
506 * - We are using normal PSK certificates and
507 * Certificate Requests are omitted
508 */
509 if (!(s->verify_mode & SSL_VERIFY_PEER) ||
491 ((s->session->peer != NULL) && 510 ((s->session->peer != NULL) &&
492 (s->verify_mode & SSL_VERIFY_CLIENT_ONCE)) || 511 (s->verify_mode & SSL_VERIFY_CLIENT_ONCE)) ||
493 /* never request cert in anonymous ciphersuites 512 ((s->s3->tmp.new_cipher->algorithm_auth &
494 * (see section "Certificate request" in SSL 3 drafts 513 SSL_aNULL) && !(s->verify_mode &
495 * and in RFC 2246): */ 514 SSL_VERIFY_FAIL_IF_NO_PEER_CERT)) ||
496 ((s->s3->tmp.new_cipher->algorithm_auth & SSL_aNULL) && 515 (s->s3->tmp.new_cipher->algorithm_auth &
497 /* ... except when the application insists on verification 516 SSL_aKRB5) ||
498 * (against the specs, but s3_clnt.c accepts this for SSL 3) */ 517 (s->s3->tmp.new_cipher->algorithm_mkey &
499 !(s->verify_mode & SSL_VERIFY_FAIL_IF_NO_PEER_CERT)) || 518 SSL_kPSK)) {
500 /* never request cert in Kerberos ciphersuites */
501 (s->s3->tmp.new_cipher->algorithm_auth & SSL_aKRB5)
502 /* With normal PSK Certificates and
503 * Certificate Requests are omitted */
504 || (s->s3->tmp.new_cipher->algorithm_mkey & SSL_kPSK)) {
505 /* no cert request */ 519 /* no cert request */
506 skip = 1; 520 skip = 1;
507 s->s3->tmp.cert_request = 0; 521 s->s3->tmp.cert_request = 0;
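Review bot: The last bullet of the new block comment, `We are using normal PSK certificates and Certificate Requests are omitted`, no longer says what the removed inline comment said. The old text read "With normal PSK Certificates and Certificate Requests are omitted", which reads as "with plain PSK, both messages are left out"; the new wording suggests that PSK certificates exist. This branch sets `skip = 1` and clears `s->s3->tmp.cert_request`, so the client is not asked to authenticate, and the comment should state the rule exactly, for example `- We are using a plain PSK ciphersuite (Certificate and CertificateRequest are omitted).`; in the third bullet `an anonymous ciphersuites` should be `an anonymous ciphersuite`. The same comment block is added in s3_srvr.c and in both copies under src/ssl/, and dtls1_accept() starts and ends outside this hunk.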
diff --git a/src/lib/libssl/s3_srvr.c b/src/lib/libssl/s3_srvr.c
index 89325b7be9..2d1bee1723 100644
--- a/src/lib/libssl/s3_srvr.c
+++ b/src/lib/libssl/s3_srvr.c
@@ -1,4 +1,4 @@
1/* $OpenBSD: s3_srvr.c,v 1.75 2014/07/11 22:57:25 miod Exp $ */ 1/* $OpenBSD: s3_srvr.c,v 1.76 2014/07/12 10:06:04 jsing Exp $ */
2/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) 2/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
3 * All rights reserved. 3 * All rights reserved.
4 * 4 *
@@ -447,36 +447,38 @@ ssl3_accept(SSL *s)
447 447
448 case SSL3_ST_SW_CERT_REQ_A: 448 case SSL3_ST_SW_CERT_REQ_A:
449 case SSL3_ST_SW_CERT_REQ_B: 449 case SSL3_ST_SW_CERT_REQ_B:
450 if (/* Don't request cert unless asked for it: */ 450 /*
451 !(s->verify_mode & SSL_VERIFY_PEER) || 451 * Determine whether or not we need to request a
452 /* 452 * certificate.
453 * If SSL_VERIFY_CLIENT_ONCE is set, 453 *
454 * don't request cert during re-negotiation: 454 * Do not request a certificate if:
455 */ 455 *
456 * - We did not ask for it (SSL_VERIFY_PEER is unset).
457 *
458 * - SSL_VERIFY_CLIENT_ONCE is set and we are
459 * renegotiating.
460 *
461 * - We are using an anonymous ciphersuites
462 * (see section "Certificate request" in SSL 3 drafts
463 * and in RFC 2246) ... except when the application
464 * insists on verification (against the specs, but
465 * s3_clnt.c accepts this for SSL 3).
466 *
467 * - We are using a Kerberos ciphersuite.
468 *
469 * - We are using normal PSK certificates and
470 * Certificate Requests are omitted
471 */
472 if (!(s->verify_mode & SSL_VERIFY_PEER) ||
456 ((s->session->peer != NULL) && 473 ((s->session->peer != NULL) &&
457 (s->verify_mode & SSL_VERIFY_CLIENT_ONCE)) || 474 (s->verify_mode & SSL_VERIFY_CLIENT_ONCE)) ||
458 /*
459 * Never request cert in anonymous ciphersuites
460 * (see section "Certificate request" in SSL 3
461 * drafts and in RFC 2246):
462 */
463 ((s->s3->tmp.new_cipher->algorithm_auth & 475 ((s->s3->tmp.new_cipher->algorithm_auth &
464 SSL_aNULL) && 476 SSL_aNULL) && !(s->verify_mode &
465 /* 477 SSL_VERIFY_FAIL_IF_NO_PEER_CERT)) ||
466 * ... except when the application insists on 478 (s->s3->tmp.new_cipher->algorithm_auth &
467 * verification (against the specs, but 479 SSL_aKRB5) ||
468 * s3_clnt.c accepts this for SSL 3) 480 (s->s3->tmp.new_cipher->algorithm_mkey &
469 */ 481 SSL_kPSK)) {
470 !(s->verify_mode &
471 SSL_VERIFY_FAIL_IF_NO_PEER_CERT)) ||
472 /* never request cert in Kerberos ciphersuites */
473 (s->s3->tmp.new_cipher->algorithm_auth & SSL_aKRB5)
474 /*
475 * With normal PSK Certificates and
476 * Certificate Requests are omitted
477 */
478 || (s->s3->tmp.new_cipher->algorithm_mkey &
479 SSL_kPSK)) {
480 /* No cert request */ 482 /* No cert request */
481 skip = 1; 483 skip = 1;
482 s->s3->tmp.cert_request = 0; 484 s->s3->tmp.cert_request = 0;
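Review bot: The second bullet says `SSL_VERIFY_CLIENT_ONCE is set and we are renegotiating`, but the clause it documents tests `s->session->peer != NULL`, not a renegotiation flag. Presumably a peer certificate already held in the session is what stands in for "renegotiating" here; if so the bullet should name the test, e.g. `- SSL_VERIFY_CLIENT_ONCE is set and the session already holds a peer certificate (renegotiation).`, so that someone auditing when client authentication is skipped can match each bullet to its clause. The identical block in d1_srvr.c and in the two src/ssl/ copies has the same gap; ssl3_accept() continues outside the hunk.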
diff --git a/src/lib/libssl/src/ssl/d1_srvr.c b/src/lib/libssl/src/ssl/d1_srvr.c
index d94c08a313..8531f2db2b 100644
--- a/src/lib/libssl/src/ssl/d1_srvr.c
+++ b/src/lib/libssl/src/ssl/d1_srvr.c
@@ -1,4 +1,4 @@
1/* $OpenBSD: d1_srvr.c,v 1.30 2014/07/11 09:24:44 beck Exp $ */ 1/* $OpenBSD: d1_srvr.c,v 1.31 2014/07/12 10:06:04 jsing Exp $ */
2/* 2/*
3 * DTLS implementation written by Nagendra Modadugu 3 * DTLS implementation written by Nagendra Modadugu
4 * (nagendra@cs.stanford.edu) for the OpenSSL project 2005. 4 * (nagendra@cs.stanford.edu) for the OpenSSL project 2005.
@@ -484,24 +484,38 @@ dtls1_accept(SSL *s)
484 484
485 case SSL3_ST_SW_CERT_REQ_A: 485 case SSL3_ST_SW_CERT_REQ_A:
486 case SSL3_ST_SW_CERT_REQ_B: 486 case SSL3_ST_SW_CERT_REQ_B:
487 if (/* don't request cert unless asked for it: */ 487 /*
488 !(s->verify_mode & SSL_VERIFY_PEER) || 488 * Determine whether or not we need to request a
489 /* if SSL_VERIFY_CLIENT_ONCE is set, 489 * certificate.
490 * don't request cert during re-negotiation: */ 490 *
491 * Do not request a certificate if:
492 *
493 * - We did not ask for it (SSL_VERIFY_PEER is unset).
494 *
495 * - SSL_VERIFY_CLIENT_ONCE is set and we are
496 * renegotiating.
497 *
498 * - We are using an anonymous ciphersuites
499 * (see section "Certificate request" in SSL 3 drafts
500 * and in RFC 2246) ... except when the application
501 * insists on verification (against the specs, but
502 * s3_clnt.c accepts this for SSL 3).
503 *
504 * - We are using a Kerberos ciphersuite.
505 *
506 * - We are using normal PSK certificates and
507 * Certificate Requests are omitted
508 */
509 if (!(s->verify_mode & SSL_VERIFY_PEER) ||
491 ((s->session->peer != NULL) && 510 ((s->session->peer != NULL) &&
492 (s->verify_mode & SSL_VERIFY_CLIENT_ONCE)) || 511 (s->verify_mode & SSL_VERIFY_CLIENT_ONCE)) ||
493 /* never request cert in anonymous ciphersuites 512 ((s->s3->tmp.new_cipher->algorithm_auth &
494 * (see section "Certificate request" in SSL 3 drafts 513 SSL_aNULL) && !(s->verify_mode &
495 * and in RFC 2246): */ 514 SSL_VERIFY_FAIL_IF_NO_PEER_CERT)) ||
496 ((s->s3->tmp.new_cipher->algorithm_auth & SSL_aNULL) && 515 (s->s3->tmp.new_cipher->algorithm_auth &
497 /* ... except when the application insists on verification 516 SSL_aKRB5) ||
498 * (against the specs, but s3_clnt.c accepts this for SSL 3) */ 517 (s->s3->tmp.new_cipher->algorithm_mkey &
499 !(s->verify_mode & SSL_VERIFY_FAIL_IF_NO_PEER_CERT)) || 518 SSL_kPSK)) {
500 /* never request cert in Kerberos ciphersuites */
501 (s->s3->tmp.new_cipher->algorithm_auth & SSL_aKRB5)
502 /* With normal PSK Certificates and
503 * Certificate Requests are omitted */
504 || (s->s3->tmp.new_cipher->algorithm_mkey & SSL_kPSK)) {
505 /* no cert request */ 519 /* no cert request */
506 skip = 1; 520 skip = 1;
507 s->s3->tmp.cert_request = 0; 521 s->s3->tmp.cert_request = 0;
diff --git a/src/lib/libssl/src/ssl/s3_srvr.c b/src/lib/libssl/src/ssl/s3_srvr.c
index 89325b7be9..2d1bee1723 100644
--- a/src/lib/libssl/src/ssl/s3_srvr.c
+++ b/src/lib/libssl/src/ssl/s3_srvr.c
@@ -1,4 +1,4 @@
1/* $OpenBSD: s3_srvr.c,v 1.75 2014/07/11 22:57:25 miod Exp $ */ 1/* $OpenBSD: s3_srvr.c,v 1.76 2014/07/12 10:06:04 jsing Exp $ */
2/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) 2/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
3 * All rights reserved. 3 * All rights reserved.
4 * 4 *
@@ -447,36 +447,38 @@ ssl3_accept(SSL *s)
447 447
448 case SSL3_ST_SW_CERT_REQ_A: 448 case SSL3_ST_SW_CERT_REQ_A:
449 case SSL3_ST_SW_CERT_REQ_B: 449 case SSL3_ST_SW_CERT_REQ_B:
450 if (/* Don't request cert unless asked for it: */ 450 /*
451 !(s->verify_mode & SSL_VERIFY_PEER) || 451 * Determine whether or not we need to request a
452 /* 452 * certificate.
453 * If SSL_VERIFY_CLIENT_ONCE is set, 453 *
454 * don't request cert during re-negotiation: 454 * Do not request a certificate if:
455 */ 455 *
456 * - We did not ask for it (SSL_VERIFY_PEER is unset).
457 *
458 * - SSL_VERIFY_CLIENT_ONCE is set and we are
459 * renegotiating.
460 *
461 * - We are using an anonymous ciphersuites
462 * (see section "Certificate request" in SSL 3 drafts
463 * and in RFC 2246) ... except when the application
464 * insists on verification (against the specs, but
465 * s3_clnt.c accepts this for SSL 3).
466 *
467 * - We are using a Kerberos ciphersuite.
468 *
469 * - We are using normal PSK certificates and
470 * Certificate Requests are omitted
471 */
472 if (!(s->verify_mode & SSL_VERIFY_PEER) ||
456 ((s->session->peer != NULL) && 473 ((s->session->peer != NULL) &&
457 (s->verify_mode & SSL_VERIFY_CLIENT_ONCE)) || 474 (s->verify_mode & SSL_VERIFY_CLIENT_ONCE)) ||
458 /*
459 * Never request cert in anonymous ciphersuites
460 * (see section "Certificate request" in SSL 3
461 * drafts and in RFC 2246):
462 */
463 ((s->s3->tmp.new_cipher->algorithm_auth & 475 ((s->s3->tmp.new_cipher->algorithm_auth &
464 SSL_aNULL) && 476 SSL_aNULL) && !(s->verify_mode &
465 /* 477 SSL_VERIFY_FAIL_IF_NO_PEER_CERT)) ||
466 * ... except when the application insists on 478 (s->s3->tmp.new_cipher->algorithm_auth &
467 * verification (against the specs, but 479 SSL_aKRB5) ||
468 * s3_clnt.c accepts this for SSL 3) 480 (s->s3->tmp.new_cipher->algorithm_mkey &
469 */ 481 SSL_kPSK)) {
470 !(s->verify_mode &
471 SSL_VERIFY_FAIL_IF_NO_PEER_CERT)) ||
472 /* never request cert in Kerberos ciphersuites */
473 (s->s3->tmp.new_cipher->algorithm_auth & SSL_aKRB5)
474 /*
475 * With normal PSK Certificates and
476 * Certificate Requests are omitted
477 */
478 || (s->s3->tmp.new_cipher->algorithm_mkey &
479 SSL_kPSK)) {
480 /* No cert request */ 482 /* No cert request */
481 skip = 1; 483 skip = 1;
482 s->s3->tmp.cert_request = 0; 484 s->s3->tmp.cert_request = 0;