From 2947af32a0ec6666efd5b287ac4609ba3a984f0d Mon Sep 17 00:00:00 2001 From: Beat Bolli Date: Sat, 19 Nov 2016 00:10:05 +0100 Subject: [PATCH] doc/man3: use the documented coding style in the example code Adjust brace placement, whitespace after keywords, indentation and empty lines after variable declarations according to https://www.openssl.org/policies/codingstyle.html. Indent literal sections by exactly one space. Reviewed-by: Rich Salz Reviewed-by: Matt Caswell (Merged from https://github.com/openssl/openssl/pull/1956) --- doc/man3/ASN1_TIME_set.pod | 8 +- doc/man3/ASYNC_start_job.pod | 14 +- doc/man3/BIO_connect.pod | 2 +- doc/man3/BIO_f_base64.pod | 4 +- doc/man3/BIO_f_md.pod | 26 +- doc/man3/BIO_f_ssl.pod | 10 +- doc/man3/BIO_find_type.pod | 11 +- doc/man3/BIO_s_connect.pod | 2 +- doc/man3/BIO_s_file.pod | 15 +- doc/man3/BIO_set_callback.pod | 9 +- doc/man3/BN_CTX_new.pod | 3 +- doc/man3/BN_generate_prime.pod | 3 +- doc/man3/CONF_modules_load_file.pod | 46 +-- doc/man3/CRYPTO_THREAD_run_once.pod | 76 ++--- doc/man3/ECDSA_SIG_new.pod | 41 ++- doc/man3/ENGINE_add.pod | 28 +- doc/man3/ERR_load_strings.pod | 4 +- doc/man3/EVP_DigestInit.pod | 62 ++-- doc/man3/EVP_EncryptInit.pod | 172 ++++++------ doc/man3/EVP_PKEY_CTX_set_hkdf_md.pod | 12 +- doc/man3/EVP_PKEY_CTX_set_tls1_prf_md.pod | 10 +- doc/man3/EVP_PKEY_decrypt.pod | 15 +- doc/man3/EVP_PKEY_derive.pod | 12 +- doc/man3/EVP_PKEY_encrypt.pod | 15 +- doc/man3/EVP_PKEY_keygen.pod | 43 +-- doc/man3/EVP_PKEY_sign.pod | 14 +- doc/man3/EVP_PKEY_verify.pod | 14 +- doc/man3/EVP_PKEY_verify_recover.pod | 17 +- doc/man3/OBJ_nid2obj.pod | 2 +- doc/man3/OCSP_REQUEST_new.pod | 2 +- doc/man3/PEM_read_bio_PrivateKey.pod | 22 +- doc/man3/PKCS12_newpass.pod | 64 ++--- doc/man3/RAND_set_rand_method.pod | 12 +- doc/man3/RSA_set_method.pod | 54 ++-- doc/man3/SCT_new.pod | 18 +- doc/man3/SCT_validate.pod | 12 +- doc/man3/SSL_CTX_config.pod | 7 +- doc/man3/SSL_CTX_dane_enable.pod | 264 +++++++++--------- doc/man3/SSL_CTX_load_verify_locations.pod | 2 +- doc/man3/SSL_CTX_set1_sigalgs.pod | 6 +- doc/man3/SSL_CTX_set_client_CA_list.pod | 2 +- doc/man3/SSL_CTX_set_default_passwd_cb.pod | 6 +- doc/man3/SSL_CTX_set_generate_session_id.pod | 40 ++- doc/man3/SSL_CTX_set_info_callback.pod | 62 ++-- doc/man3/SSL_CTX_set_tlsext_ticket_key_cb.pod | 93 +++--- doc/man3/SSL_CTX_set_tmp_dh_callback.pod | 24 +- doc/man3/SSL_CTX_set_verify.pod | 122 ++++---- doc/man3/SSL_load_client_CA_file.pod | 4 +- doc/man3/SSL_set1_host.pod | 31 +- doc/man3/X509_NAME_add_entry_by_txt.pod | 14 +- doc/man3/X509_NAME_get_index_by_NID.pod | 24 +- doc/man3/X509_STORE_CTX_get_error.pod | 2 +- doc/man3/X509_STORE_CTX_set_verify_cb.pod | 139 +++++---- doc/man3/X509_VERIFY_PARAM_set_flags.pod | 10 +- 54 files changed, 857 insertions(+), 869 deletions(-) diff --git a/doc/man3/ASN1_TIME_set.pod b/doc/man3/ASN1_TIME_set.pod index 457b7218d4..b6acd730b7 100644 --- a/doc/man3/ASN1_TIME_set.pod +++ b/doc/man3/ASN1_TIME_set.pod @@ -100,14 +100,14 @@ Determine if one time is later or sooner than the current time: int day, sec; if (!ASN1_TIME_diff(&day, &sec, NULL, to)) - /* Invalid time format */ + /* Invalid time format */ if (day > 0 || sec > 0) - printf("Later\n"); + printf("Later\n"); else if (day < 0 || sec < 0) - printf("Sooner\n"); + printf("Sooner\n"); else - printf("Same\n"); + printf("Same\n"); =head1 RETURN VALUES diff --git a/doc/man3/ASYNC_start_job.pod b/doc/man3/ASYNC_start_job.pod index cb0229543f..e6ccf55c4d 100644 --- a/doc/man3/ASYNC_start_job.pod +++ b/doc/man3/ASYNC_start_job.pod @@ -262,17 +262,17 @@ The following example demonstrates how to use most of the core async APIs: } for (;;) { - switch(ASYNC_start_job(&job, ctx, &ret, jobfunc, msg, sizeof(msg))) { + switch (ASYNC_start_job(&job, ctx, &ret, jobfunc, msg, sizeof(msg))) { case ASYNC_ERR: case ASYNC_NO_JOBS: - printf("An error occurred\n"); - goto end; + printf("An error occurred\n"); + goto end; case ASYNC_PAUSE: - printf("Job was paused\n"); - break; + printf("Job was paused\n"); + break; case ASYNC_FINISH: - printf("Job finished with return value %d\n", ret); - goto end; + printf("Job finished with return value %d\n", ret); + goto end; } /* Wait for the job to be woken */ diff --git a/doc/man3/BIO_connect.pod b/doc/man3/BIO_connect.pod index 5194033feb..bb1047a347 100644 --- a/doc/man3/BIO_connect.pod +++ b/doc/man3/BIO_connect.pod @@ -73,7 +73,7 @@ and not IPv4 addresses mapped to IPv6. These flags are bit flags, so they are to be combined with the C<|> operator, for example: - BIO_connect(sock, addr, BIO_SOCK_KEEPALIVE | BIO_SOCK_NONBLOCK); + BIO_connect(sock, addr, BIO_SOCK_KEEPALIVE | BIO_SOCK_NONBLOCK); =head1 RETURN VALUES diff --git a/doc/man3/BIO_f_base64.pod b/doc/man3/BIO_f_base64.pod index 1740dad57f..5097c2849b 100644 --- a/doc/man3/BIO_f_base64.pod +++ b/doc/man3/BIO_f_base64.pod @@ -65,8 +65,8 @@ data to standard output: bio = BIO_new_fp(stdin, BIO_NOCLOSE); bio_out = BIO_new_fp(stdout, BIO_NOCLOSE); BIO_push(b64, bio); - while((inlen = BIO_read(b64, inbuf, 512)) > 0) - BIO_write(bio_out, inbuf, inlen); + while ((inlen = BIO_read(b64, inbuf, 512)) > 0) + BIO_write(bio_out, inbuf, inlen); BIO_flush(bio_out); BIO_free_all(b64); diff --git a/doc/man3/BIO_f_md.pod b/doc/man3/BIO_f_md.pod index dede0cc84c..3c8d4311ae 100644 --- a/doc/man3/BIO_f_md.pod +++ b/doc/man3/BIO_f_md.pod @@ -82,7 +82,8 @@ checking has been omitted for clarity. bio = BIO_new(BIO_s_null()); mdtmp = BIO_new(BIO_f_md()); BIO_set_md(mdtmp, EVP_sha1()); - /* For BIO_push() we want to append the sink BIO and keep a note of + /* + * For BIO_push() we want to append the sink BIO and keep a note of * the start of the chain. */ bio = BIO_push(mdtmp, bio); @@ -105,8 +106,8 @@ The next example digests data by reading through a chain instead: BIO_set_md(mdtmp, EVP_md5()); bio = BIO_push(mdtmp, bio); do { - rdlen = BIO_read(bio, buf, sizeof(buf)); - /* Might want to do something with the data here */ + rdlen = BIO_read(bio, buf, sizeof(buf)); + /* Might want to do something with the data here */ } while (rdlen > 0); This next example retrieves the message digests from a BIO chain and @@ -118,15 +119,16 @@ outputs them. This could be used with the examples above. int i; mdtmp = bio; /* Assume bio has previously been set up */ do { - EVP_MD *md; - mdtmp = BIO_find_type(mdtmp, BIO_TYPE_MD); - if (!mdtmp) break; - BIO_get_md(mdtmp, &md); - printf("%s digest", OBJ_nid2sn(EVP_MD_type(md))); - mdlen = BIO_gets(mdtmp, mdbuf, EVP_MAX_MD_SIZE); - for (i = 0; i < mdlen; i++) printf(":%02X", mdbuf[i]); - printf("\n"); - mdtmp = BIO_next(mdtmp); + EVP_MD *md; + mdtmp = BIO_find_type(mdtmp, BIO_TYPE_MD); + if (!mdtmp) + break; + BIO_get_md(mdtmp, &md); + printf("%s digest", OBJ_nid2sn(EVP_MD_type(md))); + mdlen = BIO_gets(mdtmp, mdbuf, EVP_MAX_MD_SIZE); + for (i = 0; i < mdlen; i++) printf(":%02X", mdbuf[i]); + printf("\n"); + mdtmp = BIO_next(mdtmp); } while (mdtmp); BIO_free_all(bio); diff --git a/doc/man3/BIO_f_ssl.pod b/doc/man3/BIO_f_ssl.pod index d2046f2e6d..2bc9afea6f 100644 --- a/doc/man3/BIO_f_ssl.pod +++ b/doc/man3/BIO_f_ssl.pod @@ -170,15 +170,15 @@ unencrypted example in L. exit(1); } if (BIO_do_handshake(sbio) <= 0) { - fprintf(stderr, "Error establishing SSL connection\n"); - ERR_print_errors_fp(stderr); - exit(1); + fprintf(stderr, "Error establishing SSL connection\n"); + ERR_print_errors_fp(stderr); + exit(1); } /* XXX Could examine ssl here to get connection info */ BIO_puts(sbio, "GET / HTTP/1.0\n\n"); - for ( ; ; ) { + for (;;) { len = BIO_read(sbio, tmpbuf, 1024); if (len <= 0) break; @@ -261,7 +261,7 @@ a client and also echoes the request to standard output. BIO_puts(sbio, "\r\nConnection Established\r\nRequest headers:\r\n"); BIO_puts(sbio, "--------------------------------------------------\r\n"); - for ( ; ; ) { + for (;;) { len = BIO_gets(sbio, tmpbuf, 1024); if (len <= 0) break; diff --git a/doc/man3/BIO_find_type.pod b/doc/man3/BIO_find_type.pod index ff7b488609..08ec161349 100644 --- a/doc/man3/BIO_find_type.pod +++ b/doc/man3/BIO_find_type.pod @@ -48,12 +48,13 @@ Traverse a chain looking for digest BIOs: btmp = in_bio; /* in_bio is chain to search through */ do { - btmp = BIO_find_type(btmp, BIO_TYPE_MD); - if (btmp == NULL) break; /* Not found */ - /* btmp is a digest BIO, do something with it ...*/ - ... + btmp = BIO_find_type(btmp, BIO_TYPE_MD); + if (btmp == NULL) + break; /* Not found */ + /* btmp is a digest BIO, do something with it ...*/ + ... - btmp = BIO_next(btmp); + btmp = BIO_next(btmp); } while (btmp); diff --git a/doc/man3/BIO_s_connect.pod b/doc/man3/BIO_s_connect.pod index 2143acd099..be2f4e5002 100644 --- a/doc/man3/BIO_s_connect.pod +++ b/doc/man3/BIO_s_connect.pod @@ -174,7 +174,7 @@ to retrieve a page and copy the result to standard output. exit(1); } BIO_puts(cbio, "GET / HTTP/1.0\n\n"); - for ( ; ; ) { + for (;;) { len = BIO_read(cbio, tmpbuf, 1024); if (len <= 0) break; diff --git a/doc/man3/BIO_s_file.pod b/doc/man3/BIO_s_file.pod index abbcdb0e53..fa3016f950 100644 --- a/doc/man3/BIO_s_file.pod +++ b/doc/man3/BIO_s_file.pod @@ -92,15 +92,18 @@ Alternative technique: BIO *bio_out; bio_out = BIO_new(BIO_s_file()); - if (bio_out == NULL) /* Error ... */ - if (!BIO_set_fp(bio_out, stdout, BIO_NOCLOSE)) /* Error ... */ + if (bio_out == NULL) + /* Error */ + if (!BIO_set_fp(bio_out, stdout, BIO_NOCLOSE)) + /* Error */ BIO_printf(bio_out, "Hello World\n"); Write to a file: BIO *out; out = BIO_new_file("filename.txt", "w"); - if (!out) /* Error occurred */ + if (!out) + /* Error */ BIO_printf(out, "Hello World\n"); BIO_free(out); @@ -108,8 +111,10 @@ Alternative technique: BIO *out; out = BIO_new(BIO_s_file()); - if (out == NULL) /* Error ... */ - if (!BIO_write_filename(out, "filename.txt")) /* Error ... */ + if (out == NULL) + /* Error */ + if (!BIO_write_filename(out, "filename.txt")) + /* Error */ BIO_printf(out, "Hello World\n"); BIO_free(out); diff --git a/doc/man3/BIO_set_callback.pod b/doc/man3/BIO_set_callback.pod index 3d15859406..ac017e7243 100644 --- a/doc/man3/BIO_set_callback.pod +++ b/doc/man3/BIO_set_callback.pod @@ -122,7 +122,8 @@ or is called before the read and - callback_ex(b, BIO_CB_READ | BIO_CB_RETURN, data, dlen, 0, 0L, retvalue, readbytes) + callback_ex(b, BIO_CB_READ | BIO_CB_RETURN, data, dlen, 0, 0L, retvalue, + readbytes) or @@ -140,7 +141,8 @@ or is called before the write and - callback_ex(b, BIO_CB_WRITE | BIO_CB_RETURN, data, dlen, 0, 0L, retvalue, written) + callback_ex(b, BIO_CB_WRITE | BIO_CB_RETURN, data, dlen, 0, 0L, retvalue, + written) or @@ -158,7 +160,8 @@ or is called before the operation and - callback_ex(b, BIO_CB_GETS | BIO_CB_RETURN, buf, size, 0, 0L, retvalue, readbytes) + callback_ex(b, BIO_CB_GETS | BIO_CB_RETURN, buf, size, 0, 0L, retvalue, + readbytes) or diff --git a/doc/man3/BN_CTX_new.pod b/doc/man3/BN_CTX_new.pod index 623fcd5692..4cf3634e9b 100644 --- a/doc/man3/BN_CTX_new.pod +++ b/doc/man3/BN_CTX_new.pod @@ -51,7 +51,8 @@ replace use of BN_CTX_init with BN_CTX_new instead: BN_CTX *ctx; ctx = BN_CTX_new(); - if(!ctx) /* Handle error */ + if (!ctx) + /* error */ ... BN_CTX_free(ctx); diff --git a/doc/man3/BN_generate_prime.pod b/doc/man3/BN_generate_prime.pod index c97536b5c4..fb492feb77 100644 --- a/doc/man3/BN_generate_prime.pod +++ b/doc/man3/BN_generate_prime.pod @@ -169,7 +169,8 @@ Instead applications should create a BN_GENCB structure using BN_GENCB_new: BN_GENCB *callback; callback = BN_GENCB_new(); - if(!callback) /* handle error */ + if (!callback) + /* error */ ... BN_GENCB_free(callback); diff --git a/doc/man3/CONF_modules_load_file.pod b/doc/man3/CONF_modules_load_file.pod index 4f02f52f6a..a752c2ff82 100644 --- a/doc/man3/CONF_modules_load_file.pod +++ b/doc/man3/CONF_modules_load_file.pod @@ -65,9 +65,9 @@ Load a configuration file and print out any errors and exit (missing file considered fatal): if (CONF_modules_load_file(NULL, NULL, 0) <= 0) { - fprintf(stderr, "FATAL: error loading configuration file\n"); - ERR_print_errors_fp(stderr); - exit(1); + fprintf(stderr, "FATAL: error loading configuration file\n"); + ERR_print_errors_fp(stderr); + exit(1); } Load default configuration file using the section indicated by "myapp", @@ -75,9 +75,9 @@ tolerate missing files, but exit on other errors: if (CONF_modules_load_file(NULL, "myapp", CONF_MFLAGS_IGNORE_MISSING_FILE) <= 0) { - fprintf(stderr, "FATAL: error loading configuration file\n"); - ERR_print_errors_fp(stderr); - exit(1); + fprintf(stderr, "FATAL: error loading configuration file\n"); + ERR_print_errors_fp(stderr); + exit(1); } Load custom configuration file and section, only print warnings on error, @@ -85,8 +85,8 @@ missing configuration file ignored: if (CONF_modules_load_file("/something/app.cnf", "myapp", CONF_MFLAGS_IGNORE_MISSING_FILE) <= 0) { - fprintf(stderr, "WARNING: error loading configuration file\n"); - ERR_print_errors_fp(stderr); + fprintf(stderr, "WARNING: error loading configuration file\n"); + ERR_print_errors_fp(stderr); } Load and parse configuration file manually, custom error handling: @@ -96,22 +96,22 @@ Load and parse configuration file manually, custom error handling: long eline; fp = fopen("/somepath/app.cnf", "r"); if (fp == NULL) { - fprintf(stderr, "Error opening configuration file\n"); - /* Other missing configuration file behaviour */ + fprintf(stderr, "Error opening configuration file\n"); + /* Other missing configuration file behaviour */ } else { - cnf = NCONF_new(NULL); - if (NCONF_load_fp(cnf, fp, &eline) == 0) { - fprintf(stderr, "Error on line %ld of configuration file\n", eline); - ERR_print_errors_fp(stderr); - /* Other malformed configuration file behaviour */ - } else if (CONF_modules_load(cnf, "appname", 0) <= 0) { - fprintf(stderr, "Error configuring application\n"); - ERR_print_errors_fp(stderr); - /* Other configuration error behaviour */ - } - fclose(fp); - NCONF_free(cnf); - } + cnf = NCONF_new(NULL); + if (NCONF_load_fp(cnf, fp, &eline) == 0) { + fprintf(stderr, "Error on line %ld of configuration file\n", eline); + ERR_print_errors_fp(stderr); + /* Other malformed configuration file behaviour */ + } else if (CONF_modules_load(cnf, "appname", 0) <= 0) { + fprintf(stderr, "Error configuring application\n"); + ERR_print_errors_fp(stderr); + /* Other configuration error behaviour */ + } + fclose(fp); + NCONF_free(cnf); + } =head1 RETURN VALUES diff --git a/doc/man3/CRYPTO_THREAD_run_once.pod b/doc/man3/CRYPTO_THREAD_run_once.pod index b256a18637..072790dc31 100644 --- a/doc/man3/CRYPTO_THREAD_run_once.pod +++ b/doc/man3/CRYPTO_THREAD_run_once.pod @@ -100,42 +100,42 @@ crypto.h where use of CRYPTO_THREAD_* types and functions is required. This example safely initializes and uses a lock. - #ifdef _WIN32 - # include - #endif - #include - - static CRYPTO_ONCE once = CRYPTO_ONCE_STATIC_INIT; - static CRYPTO_RWLOCK *lock; - - static void myinit(void) - { - lock = CRYPTO_THREAD_lock_new(); - } - - static int mylock(void) - { - if (!CRYPTO_THREAD_run_once(&once, void init) || lock == NULL) - return 0; - return CRYPTO_THREAD_write_lock(lock); - } - - static int myunlock(void) - { - return CRYPTO_THREAD_unlock(lock); - } - - int serialized(void) - { - int ret = 0; - - if (mylock()) { - /* Your code here, do not return without releasing the lock! */ - ret = ... ; - } - myunlock(); - return ret; - } + #ifdef _WIN32 + # include + #endif + #include + + static CRYPTO_ONCE once = CRYPTO_ONCE_STATIC_INIT; + static CRYPTO_RWLOCK *lock; + + static void myinit(void) + { + lock = CRYPTO_THREAD_lock_new(); + } + + static int mylock(void) + { + if (!CRYPTO_THREAD_run_once(&once, void init) || lock == NULL) + return 0; + return CRYPTO_THREAD_write_lock(lock); + } + + static int myunlock(void) + { + return CRYPTO_THREAD_unlock(lock); + } + + int serialized(void) + { + int ret = 0; + + if (mylock()) { + /* Your code here, do not return without releasing the lock! */ + ret = ... ; + } + myunlock(); + return ret; + } Finalization of locks is an advanced topic, not covered in this example. This can only be done at process exit or when a dynamically loaded library is @@ -149,9 +149,9 @@ You can find out if OpenSSL was configured with thread support: #include #if defined(OPENSSL_THREADS) - // thread support enabled + // thread support enabled #else - // no thread support + // no thread support #endif =head1 SEE ALSO diff --git a/doc/man3/ECDSA_SIG_new.pod b/doc/man3/ECDSA_SIG_new.pod index 9e1f662c62..8d35c9e5f9 100644 --- a/doc/man3/ECDSA_SIG_new.pod +++ b/doc/man3/ECDSA_SIG_new.pod @@ -136,35 +136,31 @@ named curve prime256v1 (aka P-256). First step: create an EC_KEY object (note: this part is B ECDSA specific) - int ret; + int ret; ECDSA_SIG *sig; - EC_KEY *eckey; + EC_KEY *eckey; eckey = EC_KEY_new_by_curve_name(NID_X9_62_prime256v1); - if (eckey == NULL) { - /* error */ - } - if (EC_KEY_generate_key(eckey) == 0) { - /* error */ - } + if (eckey == NULL) + /* error */ + if (EC_KEY_generate_key(eckey) == 0) + /* error */ Second step: compute the ECDSA signature of a SHA-256 hash value using ECDSA_do_sign(): sig = ECDSA_do_sign(digest, 32, eckey); - if (sig == NULL) { - /* error */ - } + if (sig == NULL) + /* error */ or using ECDSA_sign(): unsigned char *buffer, *pp; - int buf_len; + int buf_len; buf_len = ECDSA_size(eckey); - buffer = OPENSSL_malloc(buf_len); + buffer = OPENSSL_malloc(buf_len); pp = buffer; - if (ECDSA_sign(0, dgst, dgstlen, pp, &buf_len, eckey) == 0) { - /* error */ - } + if (ECDSA_sign(0, dgst, dgstlen, pp, &buf_len, eckey) == 0) + /* error */ Third step: verify the created ECDSA signature using ECDSA_do_verify(): @@ -176,13 +172,12 @@ or using ECDSA_verify(): and finally evaluate the return value: - if (ret == 1) { - /* signature ok */ - } else if (ret == 0) { - /* incorrect signature */ - } else { - /* error */ - } + if (ret == 1) + /* signature ok */ + else if (ret == 0) + /* incorrect signature */ + else + /* error */ =head1 CONFORMING TO diff --git a/doc/man3/ENGINE_add.pod b/doc/man3/ENGINE_add.pod index c9181df3b5..5346fd4d98 100644 --- a/doc/man3/ENGINE_add.pod +++ b/doc/man3/ENGINE_add.pod @@ -385,17 +385,19 @@ illustrates how to approach this; const char *engine_id = "ACME"; ENGINE_load_builtin_engines(); e = ENGINE_by_id(engine_id); - if(!e) + if (!e) /* the engine isn't available */ return; - if(!ENGINE_init(e)) { + if (!ENGINE_init(e)) { /* the engine couldn't initialise, release 'e' */ ENGINE_free(e); return; } - if(!ENGINE_set_default_RSA(e)) - /* This should only happen when 'e' can't initialise, but the previous - * statement suggests it did. */ + if (!ENGINE_set_default_RSA(e)) + /* + * This should only happen when 'e' can't initialise, but the previous + * statement suggests it did. + */ abort(); ENGINE_set_default_DSA(e); ENGINE_set_default_ciphers(e); @@ -474,9 +476,9 @@ boolean success or failure. ENGINE *e = ENGINE_by_id(engine_id); if (!e) return 0; while (pre_num--) { - if(!ENGINE_ctrl_cmd_string(e, pre_cmds[0], pre_cmds[1], 0)) { + if (!ENGINE_ctrl_cmd_string(e, pre_cmds[0], pre_cmds[1], 0)) { fprintf(stderr, "Failed command (%s - %s:%s)\n", engine_id, - pre_cmds[0], pre_cmds[1] ? pre_cmds[1] : "(NULL)"); + pre_cmds[0], pre_cmds[1] ? pre_cmds[1] : "(NULL)"); ENGINE_free(e); return 0; } @@ -487,13 +489,15 @@ boolean success or failure. ENGINE_free(e); return 0; } - /* ENGINE_init() returned a functional reference, so free the structural - * reference from ENGINE_by_id(). */ + /* + * ENGINE_init() returned a functional reference, so free the structural + * reference from ENGINE_by_id(). + */ ENGINE_free(e); - while(post_num--) { - if(!ENGINE_ctrl_cmd_string(e, post_cmds[0], post_cmds[1], 0)) { + while (post_num--) { + if (!ENGINE_ctrl_cmd_string(e, post_cmds[0], post_cmds[1], 0)) { fprintf(stderr, "Failed command (%s - %s:%s)\n", engine_id, - post_cmds[0], post_cmds[1] ? post_cmds[1] : "(NULL)"); + post_cmds[0], post_cmds[1] ? post_cmds[1] : "(NULL)"); ENGINE_finish(e); return 0; } diff --git a/doc/man3/ERR_load_strings.pod b/doc/man3/ERR_load_strings.pod index ee8de2c9dc..b82e778cf9 100644 --- a/doc/man3/ERR_load_strings.pod +++ b/doc/man3/ERR_load_strings.pod @@ -23,8 +23,8 @@ B is an array of error string data: typedef struct ERR_string_data_st { - unsigned long error; - char *string; + unsigned long error; + char *string; } ERR_STRING_DATA; The error code is generated from the library number and a function and diff --git a/doc/man3/EVP_DigestInit.pod b/doc/man3/EVP_DigestInit.pod index 7d283fa7d3..26f0b6e8bb 100644 --- a/doc/man3/EVP_DigestInit.pod +++ b/doc/man3/EVP_DigestInit.pod @@ -203,37 +203,37 @@ digest name passed on the command line. main(int argc, char *argv[]) { - EVP_MD_CTX *mdctx; - const EVP_MD *md; - char mess1[] = "Test Message\n"; - char mess2[] = "Hello World\n"; - unsigned char md_value[EVP_MAX_MD_SIZE]; - int md_len, i; - - if (argv[1] == NULL) { - printf("Usage: mdtest digestname\n"); - exit(1); - } - - md = EVP_get_digestbyname(argv[1]); - if (md == NULL) { - printf("Unknown message digest %s\n", argv[1]); - exit(1); - } - - mdctx = EVP_MD_CTX_new(); - EVP_DigestInit_ex(mdctx, md, NULL); - EVP_DigestUpdate(mdctx, mess1, strlen(mess1)); - EVP_DigestUpdate(mdctx, mess2, strlen(mess2)); - EVP_DigestFinal_ex(mdctx, md_value, &md_len); - EVP_MD_CTX_free(mdctx); - - printf("Digest is: "); - for (i = 0; i < md_len; i++) - printf("%02x", md_value[i]); - printf("\n"); - - exit(0); + EVP_MD_CTX *mdctx; + const EVP_MD *md; + char mess1[] = "Test Message\n"; + char mess2[] = "Hello World\n"; + unsigned char md_value[EVP_MAX_MD_SIZE]; + int md_len, i; + + if (argv[1] == NULL) { + printf("Usage: mdtest digestname\n"); + exit(1); + } + + md = EVP_get_digestbyname(argv[1]); + if (md == NULL) { + printf("Unknown message digest %s\n", argv[1]); + exit(1); + } + + mdctx = EVP_MD_CTX_new(); + EVP_DigestInit_ex(mdctx, md, NULL); + EVP_DigestUpdate(mdctx, mess1, strlen(mess1)); + EVP_DigestUpdate(mdctx, mess2, strlen(mess2)); + EVP_DigestFinal_ex(mdctx, md_value, &md_len); + EVP_MD_CTX_free(mdctx); + + printf("Digest is: "); + for (i = 0; i < md_len; i++) + printf("%02x", md_value[i]); + printf("\n"); + + exit(0); } =head1 SEE ALSO diff --git a/doc/man3/EVP_EncryptInit.pod b/doc/man3/EVP_EncryptInit.pod index 012acfd2bc..bf93a2b6d2 100644 --- a/doc/man3/EVP_EncryptInit.pod +++ b/doc/man3/EVP_EncryptInit.pod @@ -540,101 +540,101 @@ for certain common S/MIME ciphers (RC2, DES, triple DES) in CBC mode. Encrypt a string using IDEA: int do_crypt(char *outfile) - { - unsigned char outbuf[1024]; - int outlen, tmplen; - /* Bogus key and IV: we'd normally set these from - * another source. - */ - unsigned char key[] = {0,1,2,3,4,5,6,7,8,9,10,11,12,13,14,15}; - unsigned char iv[] = {1,2,3,4,5,6,7,8}; - char intext[] = "Some Crypto Text"; - EVP_CIPHER_CTX *ctx; - FILE *out; - - ctx = EVP_CIPHER_CTX_new(); - EVP_EncryptInit_ex(ctx, EVP_idea_cbc(), NULL, key, iv); - - if(!EVP_EncryptUpdate(ctx, outbuf, &outlen, intext, strlen(intext))) - { - /* Error */ - return 0; - } - /* Buffer passed to EVP_EncryptFinal() must be after data just - * encrypted to avoid overwriting it. - */ - if(!EVP_EncryptFinal_ex(ctx, outbuf + outlen, &tmplen)) - { - /* Error */ - return 0; - } - outlen += tmplen; - EVP_CIPHER_CTX_free(ctx); - /* Need binary mode for fopen because encrypted data is - * binary data. Also cannot use strlen() on it because - * it won't be null terminated and may contain embedded - * nulls. - */ - out = fopen(outfile, "wb"); - fwrite(outbuf, 1, outlen, out); - fclose(out); - return 1; - } + { + unsigned char outbuf[1024]; + int outlen, tmplen; + /* + * Bogus key and IV: we'd normally set these from + * another source. + */ + unsigned char key[] = {0,1,2,3,4,5,6,7,8,9,10,11,12,13,14,15}; + unsigned char iv[] = {1,2,3,4,5,6,7,8}; + char intext[] = "Some Crypto Text"; + EVP_CIPHER_CTX *ctx; + FILE *out; + + ctx = EVP_CIPHER_CTX_new(); + EVP_EncryptInit_ex(ctx, EVP_idea_cbc(), NULL, key, iv); + + if (!EVP_EncryptUpdate(ctx, outbuf, &outlen, intext, strlen(intext))) { + /* Error */ + return 0; + } + /* + * Buffer passed to EVP_EncryptFinal() must be after data just + * encrypted to avoid overwriting it. + */ + if (!EVP_EncryptFinal_ex(ctx, outbuf + outlen, &tmplen)) { + /* Error */ + return 0; + } + outlen += tmplen; + EVP_CIPHER_CTX_free(ctx); + /* + * Need binary mode for fopen because encrypted data is + * binary data. Also cannot use strlen() on it because + * it won't be NUL terminated and may contain embedded + * NULs. + */ + out = fopen(outfile, "wb"); + fwrite(outbuf, 1, outlen, out); + fclose(out); + return 1; + } The ciphertext from the above example can be decrypted using the B utility with the command line (shown on two lines for clarity): - openssl idea -d : Check if an object is B if (OBJ_obj2nid(obj) == NID_commonName) - /* Do something */ + /* Do something */ Create a new NID and initialize an object from it: diff --git a/doc/man3/OCSP_REQUEST_new.pod b/doc/man3/OCSP_REQUEST_new.pod index becdd458bf..a382b16ed3 100644 --- a/doc/man3/OCSP_REQUEST_new.pod +++ b/doc/man3/OCSP_REQUEST_new.pod @@ -93,7 +93,7 @@ B: if (OCSP_REQUEST_add0_id(req, cid) == NULL) /* error */ - /* Do something with req, e.g. query responder */ + /* Do something with req, e.g. query responder */ OCSP_REQUEST_free(req); diff --git a/doc/man3/PEM_read_bio_PrivateKey.pod b/doc/man3/PEM_read_bio_PrivateKey.pod index fbfe975be0..f736545cf2 100644 --- a/doc/man3/PEM_read_bio_PrivateKey.pod +++ b/doc/man3/PEM_read_bio_PrivateKey.pod @@ -306,43 +306,38 @@ Read a certificate in PEM format from a BIO: X509 *x; x = PEM_read_bio_X509(bp, NULL, 0, NULL); - if (x == NULL) { + if (x == NULL) /* Error */ - } Alternative method: X509 *x = NULL; - if (!PEM_read_bio_X509(bp, &x, 0, NULL)) { + if (!PEM_read_bio_X509(bp, &x, 0, NULL)) /* Error */ - } Write a certificate to a BIO: - if (!PEM_write_bio_X509(bp, x)) { + if (!PEM_write_bio_X509(bp, x)) /* Error */ - } Write a private key (using traditional format) to a BIO using triple DES encryption, the pass phrase is prompted for: - if (!PEM_write_bio_PrivateKey(bp, key, EVP_des_ede3_cbc(), NULL, 0, 0, NULL)) { + if (!PEM_write_bio_PrivateKey(bp, key, EVP_des_ede3_cbc(), NULL, 0, 0, NULL)) /* Error */ - } Write a private key (using PKCS#8 format) to a BIO using triple DES encryption, using the pass phrase "hello": - if (!PEM_write_bio_PKCS8PrivateKey(bp, key, EVP_des_ede3_cbc(), NULL, 0, 0, "hello")) { + if (!PEM_write_bio_PKCS8PrivateKey(bp, key, EVP_des_ede3_cbc(), + NULL, 0, 0, "hello")) /* Error */ - } Read a private key from a BIO using a pass phrase callback: key = PEM_read_bio_PrivateKey(bp, NULL, pass_cb, "My Private Key"); - if (key == NULL) { + if (key == NULL) /* Error */ - } Skeleton pass phrase callback: @@ -432,9 +427,8 @@ The pseudo code to derive the key would look similar to: memcpy(iv, HexToBin("3F17F5316E2BAC89"), niv); rc = EVP_BytesToKey(cipher, md, iv /*salt*/, pword, plen, 1, key, NULL /*iv*/); - if (rc != nkey) { + if (rc != nkey) /* Error */ - } /* On success, use key and iv to initialize the cipher */ diff --git a/doc/man3/PKCS12_newpass.pod b/doc/man3/PKCS12_newpass.pod index 6b22fd7280..5c8eaf79ac 100644 --- a/doc/man3/PKCS12_newpass.pod +++ b/doc/man3/PKCS12_newpass.pod @@ -47,38 +47,38 @@ the result to a new file. int main(int argc, char **argv) { - FILE *fp; - PKCS12 *p12; - if (argc != 5) { - fprintf(stderr, "Usage: pkread p12file password newpass opfile\n"); - return 1; - } - if ((fp = fopen(argv[1], "rb")) == NULL) { - fprintf(stderr, "Error opening file %s\n", argv[1]); - return 1; - } - p12 = d2i_PKCS12_fp(fp, NULL); - fclose(fp); - if (p12 == NULL) { - fprintf(stderr, "Error reading PKCS#12 file\n"); - ERR_print_errors_fp(stderr); - return 1; - } - if (PKCS12_newpass(p12, argv[2], argv[3]) == 0) { - fprintf(stderr, "Error changing password\n"); - ERR_print_errors_fp(stderr); - PKCS12_free(p12); - return 1; - } - if ((fp = fopen(argv[4], "wb")) == NULL) { - fprintf(stderr, "Error opening file %s\n", argv[4]); - PKCS12_free(p12); - return 1; - } - i2d_PKCS12_fp(fp, p12); - PKCS12_free(p12); - fclose(fp); - return 0; + FILE *fp; + PKCS12 *p12; + if (argc != 5) { + fprintf(stderr, "Usage: pkread p12file password newpass opfile\n"); + return 1; + } + if ((fp = fopen(argv[1], "rb")) == NULL) { + fprintf(stderr, "Error opening file %s\n", argv[1]); + return 1; + } + p12 = d2i_PKCS12_fp(fp, NULL); + fclose(fp); + if (p12 == NULL) { + fprintf(stderr, "Error reading PKCS#12 file\n"); + ERR_print_errors_fp(stderr); + return 1; + } + if (PKCS12_newpass(p12, argv[2], argv[3]) == 0) { + fprintf(stderr, "Error changing password\n"); + ERR_print_errors_fp(stderr); + PKCS12_free(p12); + return 1; + } + if ((fp = fopen(argv[4], "wb")) == NULL) { + fprintf(stderr, "Error opening file %s\n", argv[4]); + PKCS12_free(p12); + return 1; + } + i2d_PKCS12_fp(fp, p12); + PKCS12_free(p12); + fclose(fp); + return 0; } diff --git a/doc/man3/RAND_set_rand_method.pod b/doc/man3/RAND_set_rand_method.pod index 02a8e02789..7ebb72c1b3 100644 --- a/doc/man3/RAND_set_rand_method.pod +++ b/doc/man3/RAND_set_rand_method.pod @@ -37,12 +37,12 @@ API is being used, so this function is no longer recommended. typedef struct rand_meth_st { - void (*seed)(const void *buf, int num); - int (*bytes)(unsigned char *buf, int num); - void (*cleanup)(void); - void (*add)(const void *buf, int num, int entropy); - int (*pseudorand)(unsigned char *buf, int num); - int (*status)(void); + void (*seed)(const void *buf, int num); + int (*bytes)(unsigned char *buf, int num); + void (*cleanup)(void); + void (*add)(const void *buf, int num, int entropy); + int (*pseudorand)(unsigned char *buf, int num); + int (*status)(void); } RAND_METHOD; The components point to method implementations used by (or called by), in order, diff --git a/doc/man3/RSA_set_method.pod b/doc/man3/RSA_set_method.pod index f34aac668a..4bb63962cf 100644 --- a/doc/man3/RSA_set_method.pod +++ b/doc/man3/RSA_set_method.pod @@ -81,56 +81,56 @@ the default method is used. typedef struct rsa_meth_st { /* name of the implementation */ - const char *name; + const char *name; /* encrypt */ - int (*rsa_pub_enc)(int flen, unsigned char *from, - unsigned char *to, RSA *rsa, int padding); + int (*rsa_pub_enc)(int flen, unsigned char *from, + unsigned char *to, RSA *rsa, int padding); /* verify arbitrary data */ - int (*rsa_pub_dec)(int flen, unsigned char *from, - unsigned char *to, RSA *rsa, int padding); + int (*rsa_pub_dec)(int flen, unsigned char *from, + unsigned char *to, RSA *rsa, int padding); /* sign arbitrary data */ - int (*rsa_priv_enc)(int flen, unsigned char *from, - unsigned char *to, RSA *rsa, int padding); + int (*rsa_priv_enc)(int flen, unsigned char *from, + unsigned char *to, RSA *rsa, int padding); /* decrypt */ - int (*rsa_priv_dec)(int flen, unsigned char *from, - unsigned char *to, RSA *rsa, int padding); + int (*rsa_priv_dec)(int flen, unsigned char *from, + unsigned char *to, RSA *rsa, int padding); - /* compute r0 = r0 ^ I mod rsa->n (May be NULL for some - implementations) */ - int (*rsa_mod_exp)(BIGNUM *r0, BIGNUM *I, RSA *rsa); + /* compute r0 = r0 ^ I mod rsa->n (May be NULL for some implementations) */ + int (*rsa_mod_exp)(BIGNUM *r0, BIGNUM *I, RSA *rsa); /* compute r = a ^ p mod m (May be NULL for some implementations) */ - int (*bn_mod_exp)(BIGNUM *r, BIGNUM *a, const BIGNUM *p, - const BIGNUM *m, BN_CTX *ctx, BN_MONT_CTX *m_ctx); + int (*bn_mod_exp)(BIGNUM *r, BIGNUM *a, const BIGNUM *p, + const BIGNUM *m, BN_CTX *ctx, BN_MONT_CTX *m_ctx); /* called at RSA_new */ - int (*init)(RSA *rsa); + int (*init)(RSA *rsa); /* called at RSA_free */ - int (*finish)(RSA *rsa); + int (*finish)(RSA *rsa); - /* RSA_FLAG_EXT_PKEY - rsa_mod_exp is called for private key + /* + * RSA_FLAG_EXT_PKEY - rsa_mod_exp is called for private key * operations, even if p,q,dmp1,dmq1,iqmp * are NULL * RSA_METHOD_FLAG_NO_CHECK - don't check pub/private match */ - int flags; + int flags; - char *app_data; /* ?? */ + char *app_data; /* ?? */ - int (*rsa_sign)(int type, - const unsigned char *m, unsigned int m_length, - unsigned char *sigret, unsigned int *siglen, const RSA *rsa); - int (*rsa_verify)(int dtype, - const unsigned char *m, unsigned int m_length, - const unsigned char *sigbuf, unsigned int siglen, - const RSA *rsa); + int (*rsa_sign)(int type, + const unsigned char *m, unsigned int m_length, + unsigned char *sigret, unsigned int *siglen, const RSA *rsa); + int (*rsa_verify)(int dtype, + const unsigned char *m, unsigned int m_length, + const unsigned char *sigbuf, unsigned int siglen, + const RSA *rsa); /* keygen. If NULL builtin RSA key generation will be used */ - int (*rsa_keygen)(RSA *rsa, int bits, BIGNUM *e, BN_GENCB *cb); + int (*rsa_keygen)(RSA *rsa, int bits, BIGNUM *e, BN_GENCB *cb); } RSA_METHOD; diff --git a/doc/man3/SCT_new.pod b/doc/man3/SCT_new.pod index d1d537c176..8da7f6adf2 100644 --- a/doc/man3/SCT_new.pod +++ b/doc/man3/SCT_new.pod @@ -18,21 +18,21 @@ SCT_get_source, SCT_set_source #include typedef enum { - CT_LOG_ENTRY_TYPE_NOT_SET = -1, - CT_LOG_ENTRY_TYPE_X509 = 0, - CT_LOG_ENTRY_TYPE_PRECERT = 1 + CT_LOG_ENTRY_TYPE_NOT_SET = -1, + CT_LOG_ENTRY_TYPE_X509 = 0, + CT_LOG_ENTRY_TYPE_PRECERT = 1 } ct_log_entry_type_t; typedef enum { - SCT_VERSION_NOT_SET = -1, - SCT_VERSION_V1 = 0 + SCT_VERSION_NOT_SET = -1, + SCT_VERSION_V1 = 0 } sct_version_t; typedef enum { - SCT_SOURCE_UNKNOWN, - SCT_SOURCE_TLS_EXTENSION, - SCT_SOURCE_X509V3_EXTENSION, - SCT_SOURCE_OCSP_STAPLED_RESPONSE + SCT_SOURCE_UNKNOWN, + SCT_SOURCE_TLS_EXTENSION, + SCT_SOURCE_X509V3_EXTENSION, + SCT_SOURCE_OCSP_STAPLED_RESPONSE } sct_source_t; SCT *SCT_new(void); diff --git a/doc/man3/SCT_validate.pod b/doc/man3/SCT_validate.pod index 5ff0e8c459..fa7e2a8ba2 100644 --- a/doc/man3/SCT_validate.pod +++ b/doc/man3/SCT_validate.pod @@ -10,12 +10,12 @@ checks Signed Certificate Timestamps (SCTs) are valid #include typedef enum { - SCT_VALIDATION_STATUS_NOT_SET, - SCT_VALIDATION_STATUS_UNKNOWN_LOG, - SCT_VALIDATION_STATUS_VALID, - SCT_VALIDATION_STATUS_INVALID, - SCT_VALIDATION_STATUS_UNVERIFIED, - SCT_VALIDATION_STATUS_UNKNOWN_VERSION + SCT_VALIDATION_STATUS_NOT_SET, + SCT_VALIDATION_STATUS_UNKNOWN_LOG, + SCT_VALIDATION_STATUS_VALID, + SCT_VALIDATION_STATUS_INVALID, + SCT_VALIDATION_STATUS_UNVERIFIED, + SCT_VALIDATION_STATUS_UNKNOWN_VERSION } sct_validation_status_t; int SCT_validate(SCT *sct, const CT_POLICY_EVAL_CTX *ctx); diff --git a/doc/man3/SSL_CTX_config.pod b/doc/man3/SSL_CTX_config.pod index 2dad9b68b0..2506dd597e 100644 --- a/doc/man3/SSL_CTX_config.pod +++ b/doc/man3/SSL_CTX_config.pod @@ -41,15 +41,12 @@ If the file "config.cnf" contains the following: [test_sect] # list of confuration modules - ssl_conf = ssl_sect [ssl_sect] - server = server_section [server_section] - RSA.Certificate = server-rsa.pem ECDSA.Certificate = server-ecdsa.pem Ciphers = ALL:!RC4 @@ -57,8 +54,8 @@ If the file "config.cnf" contains the following: An application could call: if (CONF_modules_load_file("config.cnf", "testapp", 0) <= 0) { - fprintf(stderr, "Error processing config file\n"); - goto err; + fprintf(stderr, "Error processing config file\n"); + goto err; } ctx = SSL_CTX_new(TLS_server_method()); diff --git a/doc/man3/SSL_CTX_dane_enable.pod b/doc/man3/SSL_CTX_dane_enable.pod index cb71d3aafe..9415065b2d 100644 --- a/doc/man3/SSL_CTX_dane_enable.pod +++ b/doc/man3/SSL_CTX_dane_enable.pod @@ -190,139 +190,137 @@ The actual name matched in the certificate (which might be a wildcard) is retrieved, and must be copied by the application if it is to be retained beyond the lifetime of the SSL connection. - SSL_CTX *ctx; - SSL *ssl; - int (*verify_cb)(int ok, X509_STORE_CTX *sctx) = NULL; - int num_usable = 0; - const char *nexthop_domain = "example.com"; - const char *dane_tlsa_domain = "smtp.example.com"; - uint8_t usage, selector, mtype; - - if ((ctx = SSL_CTX_new(TLS_client_method())) == NULL) - /* handle error */ - if (SSL_CTX_dane_enable(ctx) <= 0) - /* handle error */ - - if ((ssl = SSL_new(ctx)) == NULL) - /* handle error */ - - if (SSL_dane_enable(ssl, dane_tlsa_domain) <= 0) - /* handle error */ - - /* - * For many applications it is safe to skip DANE-EE(3) namechecks. Do not - * disable the checks unless "unknown key share" attacks pose no risk for - * your application. - */ - SSL_dane_set_flags(ssl, DANE_FLAG_NO_DANE_EE_NAMECHECKS); - - if (!SSL_add1_host(ssl, nexthop_domain)) - /* handle error */ - SSL_set_hostflags(ssl, X509_CHECK_FLAG_NO_PARTIAL_WILDCARDS); - - for (... each TLSA record ...) { - unsigned char *data; - size_t len; - int ret; - - /* set usage, selector, mtype, data, len */ - - /* - * Opportunistic DANE TLS clients support only DANE-TA(2) or DANE-EE(3). - * They treat all other certificate usages, and in particular PKIX-TA(0) - * and PKIX-EE(1), as unusable. - */ - switch (usage) { - default: - case 0: /* PKIX-TA(0) */ - case 1: /* PKIX-EE(1) */ - continue; - case 2: /* DANE-TA(2) */ - case 3: /* DANE-EE(3) */ - break; - } - - ret = SSL_dane_tlsa_add(ssl, usage, selector, mtype, data, len); - /* free data as appropriate */ - - if (ret < 0) - /* handle SSL library internal error */ - else if (ret == 0) - /* handle unusable TLSA record */ - else - ++num_usable; - } - - /* - * At this point, the verification mode is still the default SSL_VERIFY_NONE. - * Opportunistic DANE clients use unauthenticated TLS when all TLSA records - * are unusable, so continue the handshake even if authentication fails. - */ - if (num_usable == 0) { - /* Log all records unusable? */ - - /* Optionally set verify_cb to a suitable non-NULL callback. */ - SSL_set_verify(ssl, SSL_VERIFY_NONE, verify_cb); - } else { - /* At least one usable record. We expect to verify the peer */ - - /* Optionally set verify_cb to a suitable non-NULL callback. */ - - /* - * Below we elect to fail the handshake when peer verification fails. - * Alternatively, use the permissive SSL_VERIFY_NONE verification mode, - * complete the handshake, check the verification status, and if not - * verified disconnect gracefully at the application layer, especially if - * application protocol supports informing the server that authentication - * failed. - */ - SSL_set_verify(ssl, SSL_VERIFY_PEER, verify_cb); - } - - /* - * Load any saved session for resumption, making sure that the previous - * session applied the same security and authentication requirements that - * would be expected of a fresh connection. - */ - - /* Perform SSL_connect() handshake and handle errors here */ - - if (SSL_session_reused(ssl)) { - if (SSL_get_verify_result(ssl) == X509_V_OK) { - /* - * Resumed session was originally verified, this connection is - * authenticated. - */ - } else { - /* - * Resumed session was not originally verified, this connection is not - * authenticated. - */ - } - } else if (SSL_get_verify_result(ssl) == X509_V_OK) { - const char *peername = SSL_get0_peername(ssl); - EVP_PKEY *mspki = NULL; - - int depth = SSL_get0_dane_authority(ssl, NULL, &mspki); - if (depth >= 0) { - (void) SSL_get0_dane_tlsa(ssl, &usage, &selector, &mtype, NULL, NULL); - printf("DANE TLSA %d %d %d %s at depth %d\n", usage, selector, mtype, - (mspki != NULL) ? "TA public key verified certificate" : - depth ? "matched TA certificate" : "matched EE certificate", - depth); - } - if (peername != NULL) { - /* Name checks were in scope and matched the peername */ - printf("Verified peername: %s\n", peername); - } - } else { - /* - * Not authenticated, presumably all TLSA rrs unusable, but possibly a - * callback suppressed connection termination despite the presence of - * usable TLSA RRs none of which matched. Do whatever is appropriate for - * fresh unauthenticated connections. - */ - } + SSL_CTX *ctx; + SSL *ssl; + int (*verify_cb)(int ok, X509_STORE_CTX *sctx) = NULL; + int num_usable = 0; + const char *nexthop_domain = "example.com"; + const char *dane_tlsa_domain = "smtp.example.com"; + uint8_t usage, selector, mtype; + + if ((ctx = SSL_CTX_new(TLS_client_method())) == NULL) + /* error */ + if (SSL_CTX_dane_enable(ctx) <= 0) + /* error */ + if ((ssl = SSL_new(ctx)) == NULL) + /* error */ + if (SSL_dane_enable(ssl, dane_tlsa_domain) <= 0) + /* error */ + + /* + * For many applications it is safe to skip DANE-EE(3) namechecks. Do not + * disable the checks unless "unknown key share" attacks pose no risk for + * your application. + */ + SSL_dane_set_flags(ssl, DANE_FLAG_NO_DANE_EE_NAMECHECKS); + + if (!SSL_add1_host(ssl, nexthop_domain)) + /* error */ + SSL_set_hostflags(ssl, X509_CHECK_FLAG_NO_PARTIAL_WILDCARDS); + + for (... each TLSA record ...) { + unsigned char *data; + size_t len; + int ret; + + /* set usage, selector, mtype, data, len */ + + /* + * Opportunistic DANE TLS clients support only DANE-TA(2) or DANE-EE(3). + * They treat all other certificate usages, and in particular PKIX-TA(0) + * and PKIX-EE(1), as unusable. + */ + switch (usage) { + default: + case 0: /* PKIX-TA(0) */ + case 1: /* PKIX-EE(1) */ + continue; + case 2: /* DANE-TA(2) */ + case 3: /* DANE-EE(3) */ + break; + } + + ret = SSL_dane_tlsa_add(ssl, usage, selector, mtype, data, len); + /* free data as appropriate */ + + if (ret < 0) + /* handle SSL library internal error */ + else if (ret == 0) + /* handle unusable TLSA record */ + else + ++num_usable; + } + + /* + * At this point, the verification mode is still the default SSL_VERIFY_NONE. + * Opportunistic DANE clients use unauthenticated TLS when all TLSA records + * are unusable, so continue the handshake even if authentication fails. + */ + if (num_usable == 0) { + /* Log all records unusable? */ + + /* Optionally set verify_cb to a suitable non-NULL callback. */ + SSL_set_verify(ssl, SSL_VERIFY_NONE, verify_cb); + } else { + /* At least one usable record. We expect to verify the peer */ + + /* Optionally set verify_cb to a suitable non-NULL callback. */ + + /* + * Below we elect to fail the handshake when peer verification fails. + * Alternatively, use the permissive SSL_VERIFY_NONE verification mode, + * complete the handshake, check the verification status, and if not + * verified disconnect gracefully at the application layer, especially if + * application protocol supports informing the server that authentication + * failed. + */ + SSL_set_verify(ssl, SSL_VERIFY_PEER, verify_cb); + } + + /* + * Load any saved session for resumption, making sure that the previous + * session applied the same security and authentication requirements that + * would be expected of a fresh connection. + */ + + /* Perform SSL_connect() handshake and handle errors here */ + + if (SSL_session_reused(ssl)) { + if (SSL_get_verify_result(ssl) == X509_V_OK) { + /* + * Resumed session was originally verified, this connection is + * authenticated. + */ + } else { + /* + * Resumed session was not originally verified, this connection is not + * authenticated. + */ + } + } else if (SSL_get_verify_result(ssl) == X509_V_OK) { + const char *peername = SSL_get0_peername(ssl); + EVP_PKEY *mspki = NULL; + + int depth = SSL_get0_dane_authority(ssl, NULL, &mspki); + if (depth >= 0) { + (void) SSL_get0_dane_tlsa(ssl, &usage, &selector, &mtype, NULL, NULL); + printf("DANE TLSA %d %d %d %s at depth %d\n", usage, selector, mtype, + (mspki != NULL) ? "TA public key verified certificate" : + depth ? "matched TA certificate" : "matched EE certificate", + depth); + } + if (peername != NULL) { + /* Name checks were in scope and matched the peername */ + printf("Verified peername: %s\n", peername); + } + } else { + /* + * Not authenticated, presumably all TLSA rrs unusable, but possibly a + * callback suppressed connection termination despite the presence of + * usable TLSA RRs none of which matched. Do whatever is appropriate for + * fresh unauthenticated connections. + */ + } =head1 NOTES diff --git a/doc/man3/SSL_CTX_load_verify_locations.pod b/doc/man3/SSL_CTX_load_verify_locations.pod index db1e7f0293..a96aafed5f 100644 --- a/doc/man3/SSL_CTX_load_verify_locations.pod +++ b/doc/man3/SSL_CTX_load_verify_locations.pod @@ -108,7 +108,7 @@ ca1.pem ca2.pem ca3.pem: #!/bin/sh rm CAfile.pem for i in ca1.pem ca2.pem ca3.pem ; do - openssl x509 -in $i -text >> CAfile.pem + openssl x509 -in $i -text >> CAfile.pem done Prepare the directory /some/where/certs containing several CA certificates diff --git a/doc/man3/SSL_CTX_set1_sigalgs.pod b/doc/man3/SSL_CTX_set1_sigalgs.pod index 7795388295..40c4211257 100644 --- a/doc/man3/SSL_CTX_set1_sigalgs.pod +++ b/doc/man3/SSL_CTX_set1_sigalgs.pod @@ -86,14 +86,14 @@ The use of MD5 as a digest is strongly discouraged due to security weaknesses. Set supported signature algorithms to SHA256 with ECDSA and SHA256 with RSA using an array: - const int slist[] = {NID_sha256, EVP_PKEY_EC, NID_sha256, EVP_PKEY_RSA}; + const int slist[] = {NID_sha256, EVP_PKEY_EC, NID_sha256, EVP_PKEY_RSA}; - SSL_CTX_set1_sigalgs(ctx, slist, 4); + SSL_CTX_set1_sigalgs(ctx, slist, 4); Set supported signature algorithms to SHA256 with ECDSA and SHA256 with RSA using a string: - SSL_CTX_set1_sigalgs_list(ctx, "ECDSA+SHA256:RSA+SHA256"); + SSL_CTX_set1_sigalgs_list(ctx, "ECDSA+SHA256:RSA+SHA256"); =head1 RETURN VALUES diff --git a/doc/man3/SSL_CTX_set_client_CA_list.pod b/doc/man3/SSL_CTX_set_client_CA_list.pod index 4192ab721a..76fd65e6fc 100644 --- a/doc/man3/SSL_CTX_set_client_CA_list.pod +++ b/doc/man3/SSL_CTX_set_client_CA_list.pod @@ -82,7 +82,7 @@ The operation succeeded. Scan all certificates in B and list them as acceptable CAs: - SSL_CTX_set_client_CA_list(ctx, SSL_load_client_CA_file(CAfile)); + SSL_CTX_set_client_CA_list(ctx, SSL_load_client_CA_file(CAfile)); =head1 SEE ALSO diff --git a/doc/man3/SSL_CTX_set_default_passwd_cb.pod b/doc/man3/SSL_CTX_set_default_passwd_cb.pod index 82d322b951..c7bdc9b92a 100644 --- a/doc/man3/SSL_CTX_set_default_passwd_cb.pod +++ b/doc/man3/SSL_CTX_set_default_passwd_cb.pod @@ -85,9 +85,9 @@ truncated. int my_cb(char *buf, int size, int rwflag, void *u) { - strncpy(buf, (char *)u, size); - buf[size - 1] = '\0'; - return strlen(buf); + strncpy(buf, (char *)u, size); + buf[size - 1] = '\0'; + return strlen(buf); } =head1 HISTORY diff --git a/doc/man3/SSL_CTX_set_generate_session_id.pod b/doc/man3/SSL_CTX_set_generate_session_id.pod index 1b1171fe18..90f768da47 100644 --- a/doc/man3/SSL_CTX_set_generate_session_id.pod +++ b/doc/man3/SSL_CTX_set_generate_session_id.pod @@ -91,28 +91,26 @@ server id given, and will fill the rest with pseudo random bytes: #define MAX_SESSION_ID_ATTEMPTS 10 static int generate_session_id(const SSL *ssl, unsigned char *id, - unsigned int *id_len) + unsigned int *id_len) { - unsigned int count = 0; - do { - RAND_pseudo_bytes(id, *id_len); - /* - * Prefix the session_id with the required prefix. NB: If our - * prefix is too long, clip it - but there will be worse effects - * anyway, eg. the server could only possibly create 1 session - * ID (ie. the prefix!) so all future session negotiations will - * fail due to conflicts. - */ - memcpy(id, session_id_prefix, - (strlen(session_id_prefix) < *id_len) ? - strlen(session_id_prefix) : *id_len); - } - while (SSL_has_matching_session_id(ssl, id, *id_len) && - (++count < MAX_SESSION_ID_ATTEMPTS)); - if (count >= MAX_SESSION_ID_ATTEMPTS) - return 0; - return 1; - } + unsigned int count = 0; + do { + RAND_pseudo_bytes(id, *id_len); + /* + * Prefix the session_id with the required prefix. NB: If our + * prefix is too long, clip it - but there will be worse effects + * anyway, eg. the server could only possibly create 1 session + * ID (ie. the prefix!) so all future session negotiations will + * fail due to conflicts. + */ + memcpy(id, session_id_prefix, strlen(session_id_prefix) < *id_len ? + strlen(session_id_prefix) : *id_len); + } while (SSL_has_matching_session_id(ssl, id, *id_len) + && ++count < MAX_SESSION_ID_ATTEMPTS); + if (count >= MAX_SESSION_ID_ATTEMPTS) + return 0; + return 1; + } =head1 RETURN VALUES diff --git a/doc/man3/SSL_CTX_set_info_callback.pod b/doc/man3/SSL_CTX_set_info_callback.pod index 6c14f3ab12..f4d91283fd 100644 --- a/doc/man3/SSL_CTX_set_info_callback.pod +++ b/doc/man3/SSL_CTX_set_info_callback.pod @@ -110,40 +110,34 @@ The following example callback function prints state strings, information about alerts being handled and error messages to the B BIO. void apps_ssl_info_callback(SSL *s, int where, int ret) - { - const char *str; - int w; - - w = where & ~SSL_ST_MASK; - - if (w & SSL_ST_CONNECT) str = "SSL_connect"; - else if (w & SSL_ST_ACCEPT) str = "SSL_accept"; - else str = "undefined"; - - if (where & SSL_CB_LOOP) - { - BIO_printf(bio_err, "%s:%s\n", str, SSL_state_string_long(s)); - } - else if (where & SSL_CB_ALERT) - { - str = (where & SSL_CB_READ) ? "read" : "write"; - BIO_printf(bio_err, "SSL3 alert %s:%s:%s\n", - str, - SSL_alert_type_string_long(ret), - SSL_alert_desc_string_long(ret)); - } - else if (where & SSL_CB_EXIT) - { - if (ret == 0) - BIO_printf(bio_err, "%s:failed in %s\n", - str, SSL_state_string_long(s)); - else if (ret < 0) - { - BIO_printf(bio_err, "%s:error in %s\n", - str, SSL_state_string_long(s)); - } - } - } + { + const char *str; + int w = where & ~SSL_ST_MASK; + + if (w & SSL_ST_CONNECT) + str = "SSL_connect"; + else if (w & SSL_ST_ACCEPT) + str = "SSL_accept"; + else + str = "undefined"; + + if (where & SSL_CB_LOOP) { + BIO_printf(bio_err, "%s:%s\n", str, SSL_state_string_long(s)); + } else if (where & SSL_CB_ALERT) { + str = (where & SSL_CB_READ) ? "read" : "write"; + BIO_printf(bio_err, "SSL3 alert %s:%s:%s\n", str, + SSL_alert_type_string_long(ret), + SSL_alert_desc_string_long(ret)); + } else if (where & SSL_CB_EXIT) { + if (ret == 0) { + BIO_printf(bio_err, "%s:failed in %s\n", + str, SSL_state_string_long(s)); + } else if (ret < 0) { + BIO_printf(bio_err, "%s:error in %s\n", + str, SSL_state_string_long(s)); + } + } + } =head1 SEE ALSO diff --git a/doc/man3/SSL_CTX_set_tlsext_ticket_key_cb.pod b/doc/man3/SSL_CTX_set_tlsext_ticket_key_cb.pod index 3c0761d095..5c11089acd 100644 --- a/doc/man3/SSL_CTX_set_tlsext_ticket_key_cb.pod +++ b/doc/man3/SSL_CTX_set_tlsext_ticket_key_cb.pod @@ -124,51 +124,56 @@ enable an attacker to obtain the session keys. =head1 EXAMPLES Reference Implementation: - SSL_CTX_set_tlsext_ticket_key_cb(SSL, ssl_tlsext_ticket_key_cb); - .... - - static int ssl_tlsext_ticket_key_cb(SSL *s, unsigned char key_name[16], unsigned char *iv, EVP_CIPHER_CTX *ctx, HMAC_CTX *hctx, int enc) - { - if (enc) { /* create new session */ - if (RAND_bytes(iv, EVP_MAX_IV_LENGTH) ) - return -1; /* insufficient random */ - - key = currentkey(); /* something that you need to implement */ - if ( key == NULL ) { - /* current key doesn't exist or isn't valid */ - key = createkey(); /* something that you need to implement. - * createkey needs to initialise, a name, - * an aes_key, a hmac_key and optionally - * an expire time. */ - if ( key == NULL ) /* key couldn't be created */ - return 0; - } - memcpy(key_name, key->name, 16); - - EVP_EncryptInit_ex(&ctx, EVP_aes_128_cbc(), NULL, key->aes_key, iv); - HMAC_Init_ex(&hctx, key->hmac_key, 16, EVP_sha256(), NULL); - - return 1; - - } else { /* retrieve session */ - key = findkey(name); - - if (key == NULL || key->expire < now() ) - return 0; - - HMAC_Init_ex(&hctx, key->hmac_key, 16, EVP_sha256(), NULL); - EVP_DecryptInit_ex(&ctx, EVP_aes_128_cbc(), NULL, key->aes_key, iv ); - - if (key->expire < ( now() - RENEW_TIME ) ) - /* return 2 - this session will get a new ticket even though the current is still valid */ - return 2; - - return 1; - - } - } - + SSL_CTX_set_tlsext_ticket_key_cb(SSL, ssl_tlsext_ticket_key_cb); + ... + + static int ssl_tlsext_ticket_key_cb(SSL *s, unsigned char key_name[16], + unsigned char *iv, EVP_CIPHER_CTX *ctx, + HMAC_CTX *hctx, int enc) + { + if (enc) { /* create new session */ + if (RAND_bytes(iv, EVP_MAX_IV_LENGTH)) + return -1; /* insufficient random */ + + key = currentkey(); /* something that you need to implement */ + if (key == NULL) { + /* current key doesn't exist or isn't valid */ + key = createkey(); /* + * Something that you need to implement. + * createkey needs to initialise a name, + * an aes_key, a hmac_key and optionally + * an expire time. + */ + if (key == NULL) /* key couldn't be created */ + return 0; + } + memcpy(key_name, key->name, 16); + + EVP_EncryptInit_ex(&ctx, EVP_aes_128_cbc(), NULL, key->aes_key, iv); + HMAC_Init_ex(&hctx, key->hmac_key, 16, EVP_sha256(), NULL); + + return 1; + + } else { /* retrieve session */ + key = findkey(name); + + if (key == NULL || key->expire < now()) + return 0; + + HMAC_Init_ex(&hctx, key->hmac_key, 16, EVP_sha256(), NULL); + EVP_DecryptInit_ex(&ctx, EVP_aes_128_cbc(), NULL, key->aes_key, iv); + + if (key->expire < now() - RENEW_TIME) { + /* + * return 2 - This session will get a new ticket even though the + * current one is still valid. + */ + return 2; + } + return 1; + } + } =head1 RETURN VALUES diff --git a/doc/man3/SSL_CTX_set_tmp_dh_callback.pod b/doc/man3/SSL_CTX_set_tmp_dh_callback.pod index ee62d85445..a0f74572ed 100644 --- a/doc/man3/SSL_CTX_set_tmp_dh_callback.pod +++ b/doc/man3/SSL_CTX_set_tmp_dh_callback.pod @@ -84,31 +84,27 @@ supply at least 2048-bit parameters in the callback. Setup DH parameters with a key length of 2048 bits. (Error handling partly left out.) - Command-line parameter generation: +Command-line parameter generation: + $ openssl dhparam -out dh_param_2048.pem 2048 - Code for setting up parameters during server initialization: +Code for setting up parameters during server initialization: - ... SSL_CTX ctx = SSL_CTX_new(); - ... - /* Set up ephemeral DH parameters. */ DH *dh_2048 = NULL; FILE *paramfile; paramfile = fopen("dh_param_2048.pem", "r"); if (paramfile) { - dh_2048 = PEM_read_DHparams(paramfile, NULL, NULL, NULL); - fclose(paramfile); + dh_2048 = PEM_read_DHparams(paramfile, NULL, NULL, NULL); + fclose(paramfile); } else { - /* Error. */ - } - if (dh_2048 == NULL) { - /* Error. */ - } - if (SSL_CTX_set_tmp_dh(ctx, dh_2048) != 1) { - /* Error. */ + /* Error. */ } + if (dh_2048 == NULL) + /* Error. */ + if (SSL_CTX_set_tmp_dh(ctx, dh_2048) != 1) + /* Error. */ ... =head1 RETURN VALUES diff --git a/doc/man3/SSL_CTX_set_verify.pod b/doc/man3/SSL_CTX_set_verify.pod index 799349892c..53615b5281 100644 --- a/doc/man3/SSL_CTX_set_verify.pod +++ b/doc/man3/SSL_CTX_set_verify.pod @@ -190,65 +190,63 @@ L). int always_continue; } mydata_t; int mydata_index; + ... static int verify_callback(int preverify_ok, X509_STORE_CTX *ctx) { - char buf[256]; - X509 *err_cert; - int err, depth; - SSL *ssl; - mydata_t *mydata; - - err_cert = X509_STORE_CTX_get_current_cert(ctx); - err = X509_STORE_CTX_get_error(ctx); - depth = X509_STORE_CTX_get_error_depth(ctx); - - /* - * Retrieve the pointer to the SSL of the connection currently treated - * and the application specific data stored into the SSL object. - */ - ssl = X509_STORE_CTX_get_ex_data(ctx, SSL_get_ex_data_X509_STORE_CTX_idx()); - mydata = SSL_get_ex_data(ssl, mydata_index); - - X509_NAME_oneline(X509_get_subject_name(err_cert), buf, 256); - - /* - * Catch a too long certificate chain. The depth limit set using - * SSL_CTX_set_verify_depth() is by purpose set to "limit+1" so - * that whenever the "depth>verify_depth" condition is met, we - * have violated the limit and want to log this error condition. - * We must do it here, because the CHAIN_TOO_LONG error would not - * be found explicitly; only errors introduced by cutting off the - * additional certificates would be logged. - */ - if (depth > mydata->verify_depth) { - preverify_ok = 0; - err = X509_V_ERR_CERT_CHAIN_TOO_LONG; - X509_STORE_CTX_set_error(ctx, err); - } - if (!preverify_ok) { - printf("verify error:num=%d:%s:depth=%d:%s\n", err, - X509_verify_cert_error_string(err), depth, buf); - } - else if (mydata->verbose_mode) - { - printf("depth=%d:%s\n", depth, buf); - } - - /* - * At this point, err contains the last verification error. We can use - * it for something special - */ - if (!preverify_ok && (err == X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT)) - { - X509_NAME_oneline(X509_get_issuer_name(err_cert), buf, 256); - printf("issuer= %s\n", buf); - } - - if (mydata->always_continue) - return 1; - else - return preverify_ok; + char buf[256]; + X509 *err_cert; + int err, depth; + SSL *ssl; + mydata_t *mydata; + + err_cert = X509_STORE_CTX_get_current_cert(ctx); + err = X509_STORE_CTX_get_error(ctx); + depth = X509_STORE_CTX_get_error_depth(ctx); + + /* + * Retrieve the pointer to the SSL of the connection currently treated + * and the application specific data stored into the SSL object. + */ + ssl = X509_STORE_CTX_get_ex_data(ctx, SSL_get_ex_data_X509_STORE_CTX_idx()); + mydata = SSL_get_ex_data(ssl, mydata_index); + + X509_NAME_oneline(X509_get_subject_name(err_cert), buf, 256); + + /* + * Catch a too long certificate chain. The depth limit set using + * SSL_CTX_set_verify_depth() is by purpose set to "limit+1" so + * that whenever the "depth>verify_depth" condition is met, we + * have violated the limit and want to log this error condition. + * We must do it here, because the CHAIN_TOO_LONG error would not + * be found explicitly; only errors introduced by cutting off the + * additional certificates would be logged. + */ + if (depth > mydata->verify_depth) { + preverify_ok = 0; + err = X509_V_ERR_CERT_CHAIN_TOO_LONG; + X509_STORE_CTX_set_error(ctx, err); + } + if (!preverify_ok) { + printf("verify error:num=%d:%s:depth=%d:%s\n", err, + X509_verify_cert_error_string(err), depth, buf); + } else if (mydata->verbose_mode) { + printf("depth=%d:%s\n", depth, buf); + } + + /* + * At this point, err contains the last verification error. We can use + * it for something special + */ + if (!preverify_ok && (err == X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT)) { + X509_NAME_oneline(X509_get_issuer_name(err_cert), buf, 256); + printf("issuer= %s\n", buf); + } + + if (mydata->always_continue) + return 1; + else + return preverify_ok; } ... @@ -258,7 +256,7 @@ L). mydata_index = SSL_get_ex_new_index(0, "mydata index", NULL, NULL, NULL); ... - SSL_CTX_set_verify(ctx, SSL_VERIFY_PEER|SSL_VERIFY_CLIENT_ONCE, + SSL_CTX_set_verify(ctx, SSL_VERIFY_PEER | SSL_VERIFY_CLIENT_ONCE, verify_callback); /* @@ -276,12 +274,10 @@ L). ... SSL_accept(ssl); /* check of success left out for clarity */ - if (peer = SSL_get_peer_certificate(ssl)) - { - if (SSL_get_verify_result(ssl) == X509_V_OK) - { - /* The client sent a certificate which verified OK */ - } + if (peer = SSL_get_peer_certificate(ssl)) { + if (SSL_get_verify_result(ssl) == X509_V_OK) { + /* The client sent a certificate which verified OK */ + } } =head1 SEE ALSO diff --git a/doc/man3/SSL_load_client_CA_file.pod b/doc/man3/SSL_load_client_CA_file.pod index 782329b51d..412b1a098c 100644 --- a/doc/man3/SSL_load_client_CA_file.pod +++ b/doc/man3/SSL_load_client_CA_file.pod @@ -33,9 +33,9 @@ Load names of CAs from file and use it as a client CA list: ... cert_names = SSL_load_client_CA_file("/path/to/CAfile.pem"); if (cert_names != NULL) - SSL_CTX_set_client_CA_list(ctx, cert_names); + SSL_CTX_set_client_CA_list(ctx, cert_names); else - error_handling(); + /* error */ ... =head1 RETURN VALUES diff --git a/doc/man3/SSL_set1_host.pod b/doc/man3/SSL_set1_host.pod index 3339a0e803..9e0210d062 100644 --- a/doc/man3/SSL_set1_host.pod +++ b/doc/man3/SSL_set1_host.pod @@ -81,23 +81,20 @@ matched in the certificate (which might be a wildcard) is retrieved, and must be copied by the application if it is to be retained beyond the lifetime of the SSL connection. - SSL_set_hostflags(ssl, X509_CHECK_FLAG_NO_PARTIAL_WILDCARDS); - if (!SSL_set1_host(ssl, "smtp.example.com")) { - /* handle error */ - } - if (!SSL_add1_host(ssl, "example.com")) { - /* handle error */ - } - - /* XXX: Perform SSL_connect() handshake and handle errors here */ - - if (SSL_get_verify_result(ssl) == X509_V_OK) { - const char *peername = SSL_get0_peername(ssl); - - if (peername != NULL) { - /* Name checks were in scope and matched the peername */ - } - } + SSL_set_hostflags(ssl, X509_CHECK_FLAG_NO_PARTIAL_WILDCARDS); + if (!SSL_set1_host(ssl, "smtp.example.com")) + /* error */ + if (!SSL_add1_host(ssl, "example.com")) + /* error */ + + /* XXX: Perform SSL_connect() handshake and handle errors here */ + + if (SSL_get_verify_result(ssl) == X509_V_OK) { + const char *peername = SSL_get0_peername(ssl); + + if (peername != NULL) + /* Name checks were in scope and matched the peername */ + } =head1 SEE ALSO diff --git a/doc/man3/X509_NAME_add_entry_by_txt.pod b/doc/man3/X509_NAME_add_entry_by_txt.pod index 27e5baf856..9aa03659c0 100644 --- a/doc/man3/X509_NAME_add_entry_by_txt.pod +++ b/doc/man3/X509_NAME_add_entry_by_txt.pod @@ -80,16 +80,16 @@ Create an B structure: X509_NAME *nm; nm = X509_NAME_new(); if (nm == NULL) - /* Some error */ + /* Some error */ if (!X509_NAME_add_entry_by_txt(nm, "C", MBSTRING_ASC, - "UK", -1, -1, 0)) - /* Error */ + "UK", -1, -1, 0)) + /* Error */ if (!X509_NAME_add_entry_by_txt(nm, "O", MBSTRING_ASC, - "Disorganized Organization", -1, -1, 0)) - /* Error */ + "Disorganized Organization", -1, -1, 0)) + /* Error */ if (!X509_NAME_add_entry_by_txt(nm, "CN", MBSTRING_ASC, - "Joe Bloggs", -1, -1, 0)) - /* Error */ + "Joe Bloggs", -1, -1, 0)) + /* Error */ =head1 RETURN VALUES diff --git a/doc/man3/X509_NAME_get_index_by_NID.pod b/doc/man3/X509_NAME_get_index_by_NID.pod index 2d6713ba29..be68b265eb 100644 --- a/doc/man3/X509_NAME_get_index_by_NID.pod +++ b/doc/man3/X509_NAME_get_index_by_NID.pod @@ -75,25 +75,23 @@ Process all entries: int i; X509_NAME_ENTRY *e; - for (i = 0; i < X509_NAME_entry_count(nm); i++) - { - e = X509_NAME_get_entry(nm, i); - /* Do something with e */ - } + for (i = 0; i < X509_NAME_entry_count(nm); i++) { + e = X509_NAME_get_entry(nm, i); + /* Do something with e */ + } Process all commonName entries: int lastpos = -1; X509_NAME_ENTRY *e; - for (;;) - { - lastpos = X509_NAME_get_index_by_NID(nm, NID_commonName, lastpos); - if (lastpos == -1) - break; - e = X509_NAME_get_entry(nm, lastpos); - /* Do something with e */ - } + for (;;) { + lastpos = X509_NAME_get_index_by_NID(nm, NID_commonName, lastpos); + if (lastpos == -1) + break; + e = X509_NAME_get_entry(nm, lastpos); + /* Do something with e */ + } =head1 RETURN VALUES diff --git a/doc/man3/X509_STORE_CTX_get_error.pod b/doc/man3/X509_STORE_CTX_get_error.pod index 105e051a1d..f166b0832d 100644 --- a/doc/man3/X509_STORE_CTX_get_error.pod +++ b/doc/man3/X509_STORE_CTX_get_error.pod @@ -70,7 +70,7 @@ is B successful the returned chain may be incomplete or invalid. The returned chain persists after the B structure is freed, when it is no longer needed it should be free up using: - sk_X509_pop_free(chain, X509_free); + sk_X509_pop_free(chain, X509_free); X509_verify_cert_error_string() returns a human readable error string for verification error B. diff --git a/doc/man3/X509_STORE_CTX_set_verify_cb.pod b/doc/man3/X509_STORE_CTX_set_verify_cb.pod index 3be256dc74..f8e5501bbc 100644 --- a/doc/man3/X509_STORE_CTX_set_verify_cb.pod +++ b/doc/man3/X509_STORE_CTX_set_verify_cb.pod @@ -100,93 +100,88 @@ X509_STORE_CTX_set_verify_cb() does not return a value. Default callback operation: - int verify_callback(int ok, X509_STORE_CTX *ctx) - { - return ok; - } + int verify_callback(int ok, X509_STORE_CTX *ctx) { + return ok; + } Simple example, suppose a certificate in the chain is expired and we wish to continue after this error: - int verify_callback(int ok, X509_STORE_CTX *ctx) - { - /* Tolerate certificate expiration */ - if (X509_STORE_CTX_get_error(ctx) == X509_V_ERR_CERT_HAS_EXPIRED) - return 1; - /* Otherwise don't override */ - return ok; - } + int verify_callback(int ok, X509_STORE_CTX *ctx) { + /* Tolerate certificate expiration */ + if (X509_STORE_CTX_get_error(ctx) == X509_V_ERR_CERT_HAS_EXPIRED) + return 1; + /* Otherwise don't override */ + return ok; + } More complex example, we don't wish to continue after B certificate has expired just one specific case: int verify_callback(int ok, X509_STORE_CTX *ctx) - { - int err = X509_STORE_CTX_get_error(ctx); - X509 *err_cert = X509_STORE_CTX_get_current_cert(ctx); - if (err == X509_V_ERR_CERT_HAS_EXPIRED) - { - if (check_is_acceptable_expired_cert(err_cert) - return 1; - } - return ok; - } + { + int err = X509_STORE_CTX_get_error(ctx); + X509 *err_cert = X509_STORE_CTX_get_current_cert(ctx); + if (err == X509_V_ERR_CERT_HAS_EXPIRED) { + if (check_is_acceptable_expired_cert(err_cert) + return 1; + } + return ok; + } Full featured logging callback. In this case the B is assumed to be a global logging B, an alternative would to store a BIO in B using B. int verify_callback(int ok, X509_STORE_CTX *ctx) - { - X509 *err_cert; - int err, depth; - - err_cert = X509_STORE_CTX_get_current_cert(ctx); - err = X509_STORE_CTX_get_error(ctx); - depth = X509_STORE_CTX_get_error_depth(ctx); - - BIO_printf(bio_err, "depth=%d ", depth); - if (err_cert) - { - X509_NAME_print_ex(bio_err, X509_get_subject_name(err_cert), - 0, XN_FLAG_ONELINE); - BIO_puts(bio_err, "\n"); - } - else - BIO_puts(bio_err, "\n"); - if (!ok) - BIO_printf(bio_err, "verify error:num=%d:%s\n", err, - X509_verify_cert_error_string(err)); - switch (err) - { - case X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT: - BIO_puts(bio_err, "issuer= "); - X509_NAME_print_ex(bio_err, X509_get_issuer_name(err_cert), - 0, XN_FLAG_ONELINE); - BIO_puts(bio_err, "\n"); - break; - case X509_V_ERR_CERT_NOT_YET_VALID: - case X509_V_ERR_ERROR_IN_CERT_NOT_BEFORE_FIELD: - BIO_printf(bio_err, "notBefore="); - ASN1_TIME_print(bio_err, X509_get_notBefore(err_cert)); - BIO_printf(bio_err, "\n"); - break; - case X509_V_ERR_CERT_HAS_EXPIRED: - case X509_V_ERR_ERROR_IN_CERT_NOT_AFTER_FIELD: - BIO_printf(bio_err, "notAfter="); - ASN1_TIME_print(bio_err, X509_get_notAfter(err_cert)); - BIO_printf(bio_err, "\n"); - break; - case X509_V_ERR_NO_EXPLICIT_POLICY: - policies_print(bio_err, ctx); - break; - } - if (err == X509_V_OK && ok == 2) - /* print out policies */ - - BIO_printf(bio_err, "verify return:%d\n", ok); - return(ok); - } + { + X509 *err_cert; + int err, depth; + + err_cert = X509_STORE_CTX_get_current_cert(ctx); + err = X509_STORE_CTX_get_error(ctx); + depth = X509_STORE_CTX_get_error_depth(ctx); + + BIO_printf(bio_err, "depth=%d ", depth); + if (err_cert) { + X509_NAME_print_ex(bio_err, X509_get_subject_name(err_cert), + 0, XN_FLAG_ONELINE); + BIO_puts(bio_err, "\n"); + } + else + BIO_puts(bio_err, "\n"); + if (!ok) + BIO_printf(bio_err, "verify error:num=%d:%s\n", err, + X509_verify_cert_error_string(err)); + switch (err) { + case X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT: + BIO_puts(bio_err, "issuer= "); + X509_NAME_print_ex(bio_err, X509_get_issuer_name(err_cert), + 0, XN_FLAG_ONELINE); + BIO_puts(bio_err, "\n"); + break; + case X509_V_ERR_CERT_NOT_YET_VALID: + case X509_V_ERR_ERROR_IN_CERT_NOT_BEFORE_FIELD: + BIO_printf(bio_err, "notBefore="); + ASN1_TIME_print(bio_err, X509_get_notBefore(err_cert)); + BIO_printf(bio_err, "\n"); + break; + case X509_V_ERR_CERT_HAS_EXPIRED: + case X509_V_ERR_ERROR_IN_CERT_NOT_AFTER_FIELD: + BIO_printf(bio_err, "notAfter="); + ASN1_TIME_print(bio_err, X509_get_notAfter(err_cert)); + BIO_printf(bio_err, "\n"); + break; + case X509_V_ERR_NO_EXPLICIT_POLICY: + policies_print(bio_err, ctx); + break; + } + if (err == X509_V_OK && ok == 2) + /* print out policies */ + + BIO_printf(bio_err, "verify return:%d\n", ok); + return(ok); + } =head1 SEE ALSO diff --git a/doc/man3/X509_VERIFY_PARAM_set_flags.pod b/doc/man3/X509_VERIFY_PARAM_set_flags.pod index d081d98b1e..2ea4895338 100644 --- a/doc/man3/X509_VERIFY_PARAM_set_flags.pod +++ b/doc/man3/X509_VERIFY_PARAM_set_flags.pod @@ -310,11 +310,11 @@ CRLs from the CRL distribution points extension. Enable CRL checking when performing certificate verification during SSL connections associated with an B structure B: - X509_VERIFY_PARAM *param; - param = X509_VERIFY_PARAM_new(); - X509_VERIFY_PARAM_set_flags(param, X509_V_FLAG_CRL_CHECK); - SSL_CTX_set1_param(ctx, param); - X509_VERIFY_PARAM_free(param); + X509_VERIFY_PARAM *param; + param = X509_VERIFY_PARAM_new(); + X509_VERIFY_PARAM_set_flags(param, X509_V_FLAG_CRL_CHECK); + SSL_CTX_set1_param(ctx, param); + X509_VERIFY_PARAM_free(param); =head1 SEE ALSO -- 2.25.1