author | Joel Sing <jsing@cvs.openbsd.org> | 2014-07-12 10:06:05 +0000 |
---|---|---|
committer | Joel Sing <jsing@cvs.openbsd.org> | 2014-07-12 10:06:05 +0000 |
commit | c0d9cd17385cff9cd5fe57009517bc9a17bcfa82 (patch) | |
tree | 81b2c8496f7ac6b5e329bcee54a4277577c75a4b /lib/libssl | |
parent | 5e4c921bb00711a78d41b6725e5f04769c5abcfb (diff) |
Place comments in a block above the if statement, rather than attempting
to interleave them within the conditions. Also fix wrapping and
indentation.
Diffstat (limited to 'lib/libssl')
-rw-r--r-- | lib/libssl/d1_srvr.c | 50 | ||||
-rw-r--r-- | lib/libssl/s3_srvr.c | 60 |
2 files changed, 63 insertions, 47 deletions
diff --git a/lib/libssl/d1_srvr.c b/lib/libssl/d1_srvr.c
index d94c08a313a..8531f2db2b9 100644
--- a/lib/libssl/d1_srvr.c
+++ b/lib/libssl/d1_srvr.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: d1_srvr.c,v 1.30 2014/07/11 09:24:44 beck Exp $ */
+/* $OpenBSD: d1_srvr.c,v 1.31 2014/07/12 10:06:04 jsing Exp $ */
 /*
 * DTLS implementation written by Nagendra Modadugu
 * (nagendra@cs.stanford.edu) for the OpenSSL project 2005.
@@ -484,24 +484,38 @@ dtls1_accept(SSL *s)
 case SSL3_ST_SW_CERT_REQ_A:
 case SSL3_ST_SW_CERT_REQ_B:
- if (/* don't request cert unless asked for it: */
- !(s->verify_mode & SSL_VERIFY_PEER) ||
- /* if SSL_VERIFY_CLIENT_ONCE is set,
- * don't request cert during re-negotiation: */
+ /*
+ * Determine whether or not we need to request a
+ * certificate.
+ *
+ * Do not request a certificate if:
+ *
+ * - We did not ask for it (SSL_VERIFY_PEER is unset).
+ *
+ * - SSL_VERIFY_CLIENT_ONCE is set and we are
+ * renegotiating.
+ *
+ * - We are using an anonymous ciphersuites
+ * (see section "Certificate request" in SSL 3 drafts
+ * and in RFC 2246) ... except when the application
+ * insists on verification (against the specs, but
+ * s3_clnt.c accepts this for SSL 3).
+ *
+ * - We are using a Kerberos ciphersuite.
+ *
+ * - We are using normal PSK certificates and
+ * Certificate Requests are omitted
+ */
+ if (!(s->verify_mode & SSL_VERIFY_PEER) ||
 ((s->session->peer != NULL) &&
- (s->verify_mode & SSL_VERIFY_CLIENT_ONCE)) ||
- /* never request cert in anonymous ciphersuites
- * (see section "Certificate request" in SSL 3 drafts
- * and in RFC 2246): */
- ((s->s3->tmp.new_cipher->algorithm_auth & SSL_aNULL) &&
- /* ... except when the application insists on verification
- * (against the specs, but s3_clnt.c accepts this for SSL 3) */
- !(s->verify_mode & SSL_VERIFY_FAIL_IF_NO_PEER_CERT)) ||
- /* never request cert in Kerberos ciphersuites */
- (s->s3->tmp.new_cipher->algorithm_auth & SSL_aKRB5)
- /* With normal PSK Certificates and
- * Certificate Requests are omitted */
- || (s->s3->tmp.new_cipher->algorithm_mkey & SSL_kPSK)) {
+ (s->verify_mode & SSL_VERIFY_CLIENT_ONCE)) ||
+ ((s->s3->tmp.new_cipher->algorithm_auth &
+ SSL_aNULL) && !(s->verify_mode &
+ SSL_VERIFY_FAIL_IF_NO_PEER_CERT)) ||
+ (s->s3->tmp.new_cipher->algorithm_auth &
+ SSL_aKRB5) ||
+ (s->s3->tmp.new_cipher->algorithm_mkey &
+ SSL_kPSK)) {
 /* no cert request */
 skip = 1;
 s->s3->tmp.cert_request = 0;
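Review bot: The last bullet of the new block comment, `We are using normal PSK certificates and Certificate Requests are omitted`, changes the meaning of the text it replaces: the removed comment said that with normal PSK both Certificates and Certificate Requests are omitted, while the new wording reads as if PSK certificates exist. This predicate is what skips the client-certificate request even when SSL_VERIFY_PEER is set, so the comment should state the condition exactly; I would write `- We are using a PSK key exchange (with normal PSK, Certificates and Certificate Requests are omitted).` The third bullet also says `an anonymous ciphersuites` where `an anonymous ciphersuite` is meant. The same comment text is added in the ssl3_accept hunk of s3_srvr.c, and the body of dtls1_accept continues outside this hunk.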
diff --git a/lib/libssl/s3_srvr.c b/lib/libssl/s3_srvr.c
index 89325b7be90..2d1bee1723d 100644
--- a/lib/libssl/s3_srvr.c
+++ b/lib/libssl/s3_srvr.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: s3_srvr.c,v 1.75 2014/07/11 22:57:25 miod Exp $ */
+/* $OpenBSD: s3_srvr.c,v 1.76 2014/07/12 10:06:04 jsing Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
 * All rights reserved.
 *
@@ -447,36 +447,38 @@ ssl3_accept(SSL *s)
 case SSL3_ST_SW_CERT_REQ_A:
 case SSL3_ST_SW_CERT_REQ_B:
- if (/* Don't request cert unless asked for it: */
- !(s->verify_mode & SSL_VERIFY_PEER) ||
- /*
- * If SSL_VERIFY_CLIENT_ONCE is set,
- * don't request cert during re-negotiation:
- */
+ /*
+ * Determine whether or not we need to request a
+ * certificate.
+ *
+ * Do not request a certificate if:
+ *
+ * - We did not ask for it (SSL_VERIFY_PEER is unset).
+ *
+ * - SSL_VERIFY_CLIENT_ONCE is set and we are
+ * renegotiating.
+ *
+ * - We are using an anonymous ciphersuites
+ * (see section "Certificate request" in SSL 3 drafts
+ * and in RFC 2246) ... except when the application
+ * insists on verification (against the specs, but
+ * s3_clnt.c accepts this for SSL 3).
+ *
+ * - We are using a Kerberos ciphersuite.
+ *
+ * - We are using normal PSK certificates and
+ * Certificate Requests are omitted
+ */
+ if (!(s->verify_mode & SSL_VERIFY_PEER) ||
 ((s->session->peer != NULL) &&
- (s->verify_mode & SSL_VERIFY_CLIENT_ONCE)) ||
- /*
- * Never request cert in anonymous ciphersuites
- * (see section "Certificate request" in SSL 3
- * drafts and in RFC 2246):
- */
+ (s->verify_mode & SSL_VERIFY_CLIENT_ONCE)) ||
 ((s->s3->tmp.new_cipher->algorithm_auth &
- SSL_aNULL) &&
- /*
- * ... except when the application insists on
- * verification (against the specs, but
- * s3_clnt.c accepts this for SSL 3)
- */
- !(s->verify_mode &
- SSL_VERIFY_FAIL_IF_NO_PEER_CERT)) ||
- /* never request cert in Kerberos ciphersuites */
- (s->s3->tmp.new_cipher->algorithm_auth & SSL_aKRB5)
- /*
- * With normal PSK Certificates and
- * Certificate Requests are omitted
- */
- || (s->s3->tmp.new_cipher->algorithm_mkey &
- SSL_kPSK)) {
+ SSL_aNULL) && !(s->verify_mode &
+ SSL_VERIFY_FAIL_IF_NO_PEER_CERT)) ||
+ (s->s3->tmp.new_cipher->algorithm_auth &
+ SSL_aKRB5) ||
+ (s->s3->tmp.new_cipher->algorithm_mkey &
+ SSL_kPSK)) {
 /* No cert request */
 skip = 1;
 s->s3->tmp.cert_request = 0; |
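Review bot: The rewrapped anonymous-ciphersuite clause breaks in the middle of both operands (`SSL_aNULL) && !(s->verify_mode &` followed by `SSL_VERIFY_FAIL_IF_NO_PEER_CERT)) ||`), so the `!` that carves out the SSL_VERIFY_FAIL_IF_NO_PEER_CERT exception sits mid-line where it is easy to overlook. With the inline comments moved above the condition, the line breaks are the only cue to which flag belongs to which clause of this client-authentication decision. I would break at the operator instead, `SSL_aNULL) &&` then `!(s->verify_mode & SSL_VERIFY_FAIL_IF_NO_PEER_CERT)) ||`, if the line length allows it (the indentation is not visible on this page). The dtls1_accept hunk in d1_srvr.c wraps the clause the same way, and the body of ssl3_accept continues outside this hunk.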