提交 2947af32 编写于 作者: B Beat Bolli 提交者: Matt Caswell

doc/man3: use the documented coding style in the example code

Adjust brace placement, whitespace after keywords, indentation and empty
lines after variable declarations according to
https://www.openssl.org/policies/codingstyle.html.

Indent literal sections by exactly one space.
Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/1956)
上级 52df25cf
...@@ -262,7 +262,7 @@ The following example demonstrates how to use most of the core async APIs: ...@@ -262,7 +262,7 @@ The following example demonstrates how to use most of the core async APIs:
} }
for (;;) { for (;;) {
switch(ASYNC_start_job(&job, ctx, &ret, jobfunc, msg, sizeof(msg))) { switch (ASYNC_start_job(&job, ctx, &ret, jobfunc, msg, sizeof(msg))) {
case ASYNC_ERR: case ASYNC_ERR:
case ASYNC_NO_JOBS: case ASYNC_NO_JOBS:
printf("An error occurred\n"); printf("An error occurred\n");
......
...@@ -65,7 +65,7 @@ data to standard output: ...@@ -65,7 +65,7 @@ data to standard output:
bio = BIO_new_fp(stdin, BIO_NOCLOSE); bio = BIO_new_fp(stdin, BIO_NOCLOSE);
bio_out = BIO_new_fp(stdout, BIO_NOCLOSE); bio_out = BIO_new_fp(stdout, BIO_NOCLOSE);
BIO_push(b64, bio); BIO_push(b64, bio);
while((inlen = BIO_read(b64, inbuf, 512)) > 0) while ((inlen = BIO_read(b64, inbuf, 512)) > 0)
BIO_write(bio_out, inbuf, inlen); BIO_write(bio_out, inbuf, inlen);
BIO_flush(bio_out); BIO_flush(bio_out);
......
...@@ -82,7 +82,8 @@ checking has been omitted for clarity. ...@@ -82,7 +82,8 @@ checking has been omitted for clarity.
bio = BIO_new(BIO_s_null()); bio = BIO_new(BIO_s_null());
mdtmp = BIO_new(BIO_f_md()); mdtmp = BIO_new(BIO_f_md());
BIO_set_md(mdtmp, EVP_sha1()); BIO_set_md(mdtmp, EVP_sha1());
/* For BIO_push() we want to append the sink BIO and keep a note of /*
* For BIO_push() we want to append the sink BIO and keep a note of
* the start of the chain. * the start of the chain.
*/ */
bio = BIO_push(mdtmp, bio); bio = BIO_push(mdtmp, bio);
...@@ -120,7 +121,8 @@ outputs them. This could be used with the examples above. ...@@ -120,7 +121,8 @@ outputs them. This could be used with the examples above.
do { do {
EVP_MD *md; EVP_MD *md;
mdtmp = BIO_find_type(mdtmp, BIO_TYPE_MD); mdtmp = BIO_find_type(mdtmp, BIO_TYPE_MD);
if (!mdtmp) break; if (!mdtmp)
break;
BIO_get_md(mdtmp, &md); BIO_get_md(mdtmp, &md);
printf("%s digest", OBJ_nid2sn(EVP_MD_type(md))); printf("%s digest", OBJ_nid2sn(EVP_MD_type(md)));
mdlen = BIO_gets(mdtmp, mdbuf, EVP_MAX_MD_SIZE); mdlen = BIO_gets(mdtmp, mdbuf, EVP_MAX_MD_SIZE);
......
...@@ -178,7 +178,7 @@ unencrypted example in L<BIO_s_connect(3)>. ...@@ -178,7 +178,7 @@ unencrypted example in L<BIO_s_connect(3)>.
/* XXX Could examine ssl here to get connection info */ /* XXX Could examine ssl here to get connection info */
BIO_puts(sbio, "GET / HTTP/1.0\n\n"); BIO_puts(sbio, "GET / HTTP/1.0\n\n");
for ( ; ; ) { for (;;) {
len = BIO_read(sbio, tmpbuf, 1024); len = BIO_read(sbio, tmpbuf, 1024);
if (len <= 0) if (len <= 0)
break; break;
...@@ -261,7 +261,7 @@ a client and also echoes the request to standard output. ...@@ -261,7 +261,7 @@ a client and also echoes the request to standard output.
BIO_puts(sbio, "\r\nConnection Established\r\nRequest headers:\r\n"); BIO_puts(sbio, "\r\nConnection Established\r\nRequest headers:\r\n");
BIO_puts(sbio, "--------------------------------------------------\r\n"); BIO_puts(sbio, "--------------------------------------------------\r\n");
for ( ; ; ) { for (;;) {
len = BIO_gets(sbio, tmpbuf, 1024); len = BIO_gets(sbio, tmpbuf, 1024);
if (len <= 0) if (len <= 0)
break; break;
......
...@@ -49,7 +49,8 @@ Traverse a chain looking for digest BIOs: ...@@ -49,7 +49,8 @@ Traverse a chain looking for digest BIOs:
do { do {
btmp = BIO_find_type(btmp, BIO_TYPE_MD); btmp = BIO_find_type(btmp, BIO_TYPE_MD);
if (btmp == NULL) break; /* Not found */ if (btmp == NULL)
break; /* Not found */
/* btmp is a digest BIO, do something with it ...*/ /* btmp is a digest BIO, do something with it ...*/
... ...
......
...@@ -174,7 +174,7 @@ to retrieve a page and copy the result to standard output. ...@@ -174,7 +174,7 @@ to retrieve a page and copy the result to standard output.
exit(1); exit(1);
} }
BIO_puts(cbio, "GET / HTTP/1.0\n\n"); BIO_puts(cbio, "GET / HTTP/1.0\n\n");
for ( ; ; ) { for (;;) {
len = BIO_read(cbio, tmpbuf, 1024); len = BIO_read(cbio, tmpbuf, 1024);
if (len <= 0) if (len <= 0)
break; break;
......
...@@ -92,15 +92,18 @@ Alternative technique: ...@@ -92,15 +92,18 @@ Alternative technique:
BIO *bio_out; BIO *bio_out;
bio_out = BIO_new(BIO_s_file()); bio_out = BIO_new(BIO_s_file());
if (bio_out == NULL) /* Error ... */ if (bio_out == NULL)
if (!BIO_set_fp(bio_out, stdout, BIO_NOCLOSE)) /* Error ... */ /* Error */
if (!BIO_set_fp(bio_out, stdout, BIO_NOCLOSE))
/* Error */
BIO_printf(bio_out, "Hello World\n"); BIO_printf(bio_out, "Hello World\n");
Write to a file: Write to a file:
BIO *out; BIO *out;
out = BIO_new_file("filename.txt", "w"); out = BIO_new_file("filename.txt", "w");
if (!out) /* Error occurred */ if (!out)
/* Error */
BIO_printf(out, "Hello World\n"); BIO_printf(out, "Hello World\n");
BIO_free(out); BIO_free(out);
...@@ -108,8 +111,10 @@ Alternative technique: ...@@ -108,8 +111,10 @@ Alternative technique:
BIO *out; BIO *out;
out = BIO_new(BIO_s_file()); out = BIO_new(BIO_s_file());
if (out == NULL) /* Error ... */ if (out == NULL)
if (!BIO_write_filename(out, "filename.txt")) /* Error ... */ /* Error */
if (!BIO_write_filename(out, "filename.txt"))
/* Error */
BIO_printf(out, "Hello World\n"); BIO_printf(out, "Hello World\n");
BIO_free(out); BIO_free(out);
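Review bot: The comment-only `if` bodies in this example have no statement of their own, so as written `if (bio_out == NULL)` guards the `BIO_set_fp()` check and that check in turn guards `BIO_printf()`, which then runs only on the failure path. Keeping a braced placeholder such as `if (bio_out == NULL) { /* Error */ }` keeps the example correct when a reader copies it and fills in only some branches. The same form appears in the BN_CTX_new, BN_GENCB_new and DANE examples, and the ECDSA, PEM, EVP_BytesToKey and SSL_CTX_set_tmp_dh hunks newly drop the braces that prevented it. In the ECDSA result check `if (ret == 1)` is now followed directly by `else`, which will not compile.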
......
...@@ -122,7 +122,8 @@ or ...@@ -122,7 +122,8 @@ or
is called before the read and is called before the read and
callback_ex(b, BIO_CB_READ | BIO_CB_RETURN, data, dlen, 0, 0L, retvalue, readbytes) callback_ex(b, BIO_CB_READ | BIO_CB_RETURN, data, dlen, 0, 0L, retvalue,
readbytes)
or or
...@@ -140,7 +141,8 @@ or ...@@ -140,7 +141,8 @@ or
is called before the write and is called before the write and
callback_ex(b, BIO_CB_WRITE | BIO_CB_RETURN, data, dlen, 0, 0L, retvalue, written) callback_ex(b, BIO_CB_WRITE | BIO_CB_RETURN, data, dlen, 0, 0L, retvalue,
written)
or or
...@@ -158,7 +160,8 @@ or ...@@ -158,7 +160,8 @@ or
is called before the operation and is called before the operation and
callback_ex(b, BIO_CB_GETS | BIO_CB_RETURN, buf, size, 0, 0L, retvalue, readbytes) callback_ex(b, BIO_CB_GETS | BIO_CB_RETURN, buf, size, 0, 0L, retvalue,
readbytes)
or or
......
...@@ -51,7 +51,8 @@ replace use of BN_CTX_init with BN_CTX_new instead: ...@@ -51,7 +51,8 @@ replace use of BN_CTX_init with BN_CTX_new instead:
BN_CTX *ctx; BN_CTX *ctx;
ctx = BN_CTX_new(); ctx = BN_CTX_new();
if(!ctx) /* Handle error */ if (!ctx)
/* error */
... ...
BN_CTX_free(ctx); BN_CTX_free(ctx);
......
...@@ -169,7 +169,8 @@ Instead applications should create a BN_GENCB structure using BN_GENCB_new: ...@@ -169,7 +169,8 @@ Instead applications should create a BN_GENCB structure using BN_GENCB_new:
BN_GENCB *callback; BN_GENCB *callback;
callback = BN_GENCB_new(); callback = BN_GENCB_new();
if(!callback) /* handle error */ if (!callback)
/* error */
... ...
BN_GENCB_free(callback); BN_GENCB_free(callback);
......
...@@ -140,20 +140,17 @@ specific) ...@@ -140,20 +140,17 @@ specific)
ECDSA_SIG *sig; ECDSA_SIG *sig;
EC_KEY *eckey; EC_KEY *eckey;
eckey = EC_KEY_new_by_curve_name(NID_X9_62_prime256v1); eckey = EC_KEY_new_by_curve_name(NID_X9_62_prime256v1);
if (eckey == NULL) { if (eckey == NULL)
/* error */ /* error */
} if (EC_KEY_generate_key(eckey) == 0)
if (EC_KEY_generate_key(eckey) == 0) {
/* error */ /* error */
}
Second step: compute the ECDSA signature of a SHA-256 hash value Second step: compute the ECDSA signature of a SHA-256 hash value
using ECDSA_do_sign(): using ECDSA_do_sign():
sig = ECDSA_do_sign(digest, 32, eckey); sig = ECDSA_do_sign(digest, 32, eckey);
if (sig == NULL) { if (sig == NULL)
/* error */ /* error */
}
or using ECDSA_sign(): or using ECDSA_sign():
...@@ -162,9 +159,8 @@ or using ECDSA_sign(): ...@@ -162,9 +159,8 @@ or using ECDSA_sign():
buf_len = ECDSA_size(eckey); buf_len = ECDSA_size(eckey);
buffer = OPENSSL_malloc(buf_len); buffer = OPENSSL_malloc(buf_len);
pp = buffer; pp = buffer;
if (ECDSA_sign(0, dgst, dgstlen, pp, &buf_len, eckey) == 0) { if (ECDSA_sign(0, dgst, dgstlen, pp, &buf_len, eckey) == 0)
/* error */ /* error */
}
Third step: verify the created ECDSA signature using ECDSA_do_verify(): Third step: verify the created ECDSA signature using ECDSA_do_verify():
...@@ -176,13 +172,12 @@ or using ECDSA_verify(): ...@@ -176,13 +172,12 @@ or using ECDSA_verify():
and finally evaluate the return value: and finally evaluate the return value:
if (ret == 1) { if (ret == 1)
/* signature ok */ /* signature ok */
} else if (ret == 0) { else if (ret == 0)
/* incorrect signature */ /* incorrect signature */
} else { else
/* error */ /* error */
}
=head1 CONFORMING TO =head1 CONFORMING TO
......
...@@ -385,17 +385,19 @@ illustrates how to approach this; ...@@ -385,17 +385,19 @@ illustrates how to approach this;
const char *engine_id = "ACME"; const char *engine_id = "ACME";
ENGINE_load_builtin_engines(); ENGINE_load_builtin_engines();
e = ENGINE_by_id(engine_id); e = ENGINE_by_id(engine_id);
if(!e) if (!e)
/* the engine isn't available */ /* the engine isn't available */
return; return;
if(!ENGINE_init(e)) { if (!ENGINE_init(e)) {
/* the engine couldn't initialise, release 'e' */ /* the engine couldn't initialise, release 'e' */
ENGINE_free(e); ENGINE_free(e);
return; return;
} }
if(!ENGINE_set_default_RSA(e)) if (!ENGINE_set_default_RSA(e))
/* This should only happen when 'e' can't initialise, but the previous /*
* statement suggests it did. */ * This should only happen when 'e' can't initialise, but the previous
* statement suggests it did.
*/
abort(); abort();
ENGINE_set_default_DSA(e); ENGINE_set_default_DSA(e);
ENGINE_set_default_ciphers(e); ENGINE_set_default_ciphers(e);
...@@ -474,7 +476,7 @@ boolean success or failure. ...@@ -474,7 +476,7 @@ boolean success or failure.
ENGINE *e = ENGINE_by_id(engine_id); ENGINE *e = ENGINE_by_id(engine_id);
if (!e) return 0; if (!e) return 0;
while (pre_num--) { while (pre_num--) {
if(!ENGINE_ctrl_cmd_string(e, pre_cmds[0], pre_cmds[1], 0)) { if (!ENGINE_ctrl_cmd_string(e, pre_cmds[0], pre_cmds[1], 0)) {
fprintf(stderr, "Failed command (%s - %s:%s)\n", engine_id, fprintf(stderr, "Failed command (%s - %s:%s)\n", engine_id,
pre_cmds[0], pre_cmds[1] ? pre_cmds[1] : "(NULL)"); pre_cmds[0], pre_cmds[1] ? pre_cmds[1] : "(NULL)");
ENGINE_free(e); ENGINE_free(e);
...@@ -487,11 +489,13 @@ boolean success or failure. ...@@ -487,11 +489,13 @@ boolean success or failure.
ENGINE_free(e); ENGINE_free(e);
return 0; return 0;
} }
/* ENGINE_init() returned a functional reference, so free the structural /*
* reference from ENGINE_by_id(). */ * ENGINE_init() returned a functional reference, so free the structural
* reference from ENGINE_by_id().
*/
ENGINE_free(e); ENGINE_free(e);
while(post_num--) { while (post_num--) {
if(!ENGINE_ctrl_cmd_string(e, post_cmds[0], post_cmds[1], 0)) { if (!ENGINE_ctrl_cmd_string(e, post_cmds[0], post_cmds[1], 0)) {
fprintf(stderr, "Failed command (%s - %s:%s)\n", engine_id, fprintf(stderr, "Failed command (%s - %s:%s)\n", engine_id,
post_cmds[0], post_cmds[1] ? post_cmds[1] : "(NULL)"); post_cmds[0], post_cmds[1] ? post_cmds[1] : "(NULL)");
ENGINE_finish(e); ENGINE_finish(e);
......
...@@ -543,7 +543,8 @@ Encrypt a string using IDEA: ...@@ -543,7 +543,8 @@ Encrypt a string using IDEA:
{ {
unsigned char outbuf[1024]; unsigned char outbuf[1024];
int outlen, tmplen; int outlen, tmplen;
/* Bogus key and IV: we'd normally set these from /*
* Bogus key and IV: we'd normally set these from
* another source. * another source.
*/ */
unsigned char key[] = {0,1,2,3,4,5,6,7,8,9,10,11,12,13,14,15}; unsigned char key[] = {0,1,2,3,4,5,6,7,8,9,10,11,12,13,14,15};
...@@ -555,25 +556,25 @@ Encrypt a string using IDEA: ...@@ -555,25 +556,25 @@ Encrypt a string using IDEA:
ctx = EVP_CIPHER_CTX_new(); ctx = EVP_CIPHER_CTX_new();
EVP_EncryptInit_ex(ctx, EVP_idea_cbc(), NULL, key, iv); EVP_EncryptInit_ex(ctx, EVP_idea_cbc(), NULL, key, iv);
if(!EVP_EncryptUpdate(ctx, outbuf, &outlen, intext, strlen(intext))) if (!EVP_EncryptUpdate(ctx, outbuf, &outlen, intext, strlen(intext))) {
{
/* Error */ /* Error */
return 0; return 0;
} }
/* Buffer passed to EVP_EncryptFinal() must be after data just /*
* Buffer passed to EVP_EncryptFinal() must be after data just
* encrypted to avoid overwriting it. * encrypted to avoid overwriting it.
*/ */
if(!EVP_EncryptFinal_ex(ctx, outbuf + outlen, &tmplen)) if (!EVP_EncryptFinal_ex(ctx, outbuf + outlen, &tmplen)) {
{
/* Error */ /* Error */
return 0; return 0;
} }
outlen += tmplen; outlen += tmplen;
EVP_CIPHER_CTX_free(ctx); EVP_CIPHER_CTX_free(ctx);
/* Need binary mode for fopen because encrypted data is /*
* Need binary mode for fopen because encrypted data is
* binary data. Also cannot use strlen() on it because * binary data. Also cannot use strlen() on it because
* it won't be null terminated and may contain embedded * it won't be NUL terminated and may contain embedded
* nulls. * NULs.
*/ */
out = fopen(outfile, "wb"); out = fopen(outfile, "wb");
fwrite(outbuf, 1, outlen, out); fwrite(outbuf, 1, outlen, out);
...@@ -584,8 +585,8 @@ Encrypt a string using IDEA: ...@@ -584,8 +585,8 @@ Encrypt a string using IDEA:
The ciphertext from the above example can be decrypted using the B<openssl> The ciphertext from the above example can be decrypted using the B<openssl>
utility with the command line (shown on two lines for clarity): utility with the command line (shown on two lines for clarity):
openssl idea -d <filename openssl idea -d \
-K 000102030405060708090A0B0C0D0E0F -iv 0102030405060708 -K 000102030405060708090A0B0C0D0E0F -iv 0102030405060708 <filename
General encryption and decryption function example using FILE I/O and AES128 General encryption and decryption function example using FILE I/O and AES128
with a 128-bit key: with a 128-bit key:
...@@ -596,7 +597,8 @@ with a 128-bit key: ...@@ -596,7 +597,8 @@ with a 128-bit key:
unsigned char inbuf[1024], outbuf[1024 + EVP_MAX_BLOCK_LENGTH]; unsigned char inbuf[1024], outbuf[1024 + EVP_MAX_BLOCK_LENGTH];
int inlen, outlen; int inlen, outlen;
EVP_CIPHER_CTX *ctx; EVP_CIPHER_CTX *ctx;
/* Bogus key and IV: we'd normally set these from /*
* Bogus key and IV: we'd normally set these from
* another source. * another source.
*/ */
unsigned char key[] = "0123456789abcdeF"; unsigned char key[] = "0123456789abcdeF";
...@@ -612,20 +614,18 @@ with a 128-bit key: ...@@ -612,20 +614,18 @@ with a 128-bit key:
/* Now we can set key and IV */ /* Now we can set key and IV */
EVP_CipherInit_ex(ctx, NULL, NULL, key, iv, do_encrypt); EVP_CipherInit_ex(ctx, NULL, NULL, key, iv, do_encrypt);
for(;;) for (;;) {
{
inlen = fread(inbuf, 1, 1024, in); inlen = fread(inbuf, 1, 1024, in);
if (inlen <= 0) break; if (inlen <= 0)
if(!EVP_CipherUpdate(ctx, outbuf, &outlen, inbuf, inlen)) break;
{ if (!EVP_CipherUpdate(ctx, outbuf, &outlen, inbuf, inlen)) {
/* Error */ /* Error */
EVP_CIPHER_CTX_free(ctx); EVP_CIPHER_CTX_free(ctx);
return 0; return 0;
} }
fwrite(outbuf, 1, outlen, out); fwrite(outbuf, 1, outlen, out);
} }
if(!EVP_CipherFinal_ex(ctx, outbuf, &outlen)) if (!EVP_CipherFinal_ex(ctx, outbuf, &outlen)) {
{
/* Error */ /* Error */
EVP_CIPHER_CTX_free(ctx); EVP_CIPHER_CTX_free(ctx);
return 0; return 0;
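Review bot: The IDEA example returns from both error branches (after `EVP_EncryptUpdate()` and `EVP_EncryptFinal_ex()`) without calling `EVP_CIPHER_CTX_free(ctx)`, while the AES example later in this section frees the context on every error path. The two should agree, e.g. `EVP_CIPHER_CTX_free(ctx); return 0;`, so the context holding key material is always released. In the visible lines the results of `EVP_EncryptInit_ex()` and `fopen(outfile, "wb")` are also used unchecked, so a NULL `out` reaches `fwrite()`. Both functions start and end outside the hunks shown.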
......
...@@ -52,7 +52,8 @@ Decrypt data using OAEP (for RSA keys): ...@@ -52,7 +52,8 @@ Decrypt data using OAEP (for RSA keys):
unsigned char *out, *in; unsigned char *out, *in;
size_t outlen, inlen; size_t outlen, inlen;
EVP_PKEY *key; EVP_PKEY *key;
/* NB: assumes key in, inlen are already set up /*
* NB: assumes key in, inlen are already set up
* and that key is an RSA private key * and that key is an RSA private key
*/ */
ctx = EVP_PKEY_CTX_new(key); ctx = EVP_PKEY_CTX_new(key);
......
...@@ -56,7 +56,8 @@ set 'eng = NULL;' to start with the default OpenSSL RSA implementation: ...@@ -56,7 +56,8 @@ set 'eng = NULL;' to start with the default OpenSSL RSA implementation:
unsigned char *out, *in; unsigned char *out, *in;
size_t outlen, inlen; size_t outlen, inlen;
EVP_PKEY *key; EVP_PKEY *key;
/* NB: assumes eng, key, in, inlen are already set up, /*
* NB: assumes eng, key, in, inlen are already set up,
* and that key is an RSA public key * and that key is an RSA public key
*/ */
ctx = EVP_PKEY_CTX_new(key, eng); ctx = EVP_PKEY_CTX_new(key, eng);
......
...@@ -138,12 +138,15 @@ Example of generation callback for OpenSSL public key implementations: ...@@ -138,12 +138,15 @@ Example of generation callback for OpenSSL public key implementations:
{ {
char c = '*'; char c = '*';
BIO *b = EVP_PKEY_CTX_get_app_data(ctx); BIO *b = EVP_PKEY_CTX_get_app_data(ctx);
int p; int p = EVP_PKEY_CTX_get_keygen_info(ctx, 0);
p = EVP_PKEY_CTX_get_keygen_info(ctx, 0); if (p == 0)
if (p == 0) c = '.'; c = '.';
if (p == 1) c = '+'; if (p == 1)
if (p == 2) c = '*'; c = '+';
if (p == 3) c = '\n'; if (p == 2)
c = '*';
if (p == 3)
c = '\n';
BIO_write(b, &c, 1); BIO_write(b, &c, 1);
(void)BIO_flush(b); (void)BIO_flush(b);
return 1; return 1;
......
...@@ -55,7 +55,8 @@ Verify signature using PKCS#1 and SHA256 digest: ...@@ -55,7 +55,8 @@ Verify signature using PKCS#1 and SHA256 digest:
unsigned char *md, *sig; unsigned char *md, *sig;
size_t mdlen, siglen; size_t mdlen, siglen;
EVP_PKEY *verify_key; EVP_PKEY *verify_key;
/* NB: assumes verify_key, sig, siglen md and mdlen are already set up /*
* NB: assumes verify_key, sig, siglen md and mdlen are already set up
* and that verify_key is an RSA public key * and that verify_key is an RSA public key
*/ */
ctx = EVP_PKEY_CTX_new(verify_key); ctx = EVP_PKEY_CTX_new(verify_key);
...@@ -71,7 +72,8 @@ Verify signature using PKCS#1 and SHA256 digest: ...@@ -71,7 +72,8 @@ Verify signature using PKCS#1 and SHA256 digest:
/* Perform operation */ /* Perform operation */
ret = EVP_PKEY_verify(ctx, sig, siglen, md, mdlen); ret = EVP_PKEY_verify(ctx, sig, siglen, md, mdlen);
/* ret == 1 indicates success, 0 verify failure and < 0 for some /*
* ret == 1 indicates success, 0 verify failure and < 0 for some
* other error. * other error.
*/ */
......
...@@ -60,7 +60,8 @@ Recover digest originally signed using PKCS#1 and SHA256 digest: ...@@ -60,7 +60,8 @@ Recover digest originally signed using PKCS#1 and SHA256 digest:
unsigned char *rout, *sig; unsigned char *rout, *sig;
size_t routlen, siglen; size_t routlen, siglen;
EVP_PKEY *verify_key; EVP_PKEY *verify_key;
/* NB: assumes verify_key, sig and siglen are already set up /*
* NB: assumes verify_key, sig and siglen are already set up
* and that verify_key is an RSA public key * and that verify_key is an RSA public key
*/ */
ctx = EVP_PKEY_CTX_new(verify_key); ctx = EVP_PKEY_CTX_new(verify_key);
......
...@@ -306,43 +306,38 @@ Read a certificate in PEM format from a BIO: ...@@ -306,43 +306,38 @@ Read a certificate in PEM format from a BIO:
X509 *x; X509 *x;
x = PEM_read_bio_X509(bp, NULL, 0, NULL); x = PEM_read_bio_X509(bp, NULL, 0, NULL);
if (x == NULL) { if (x == NULL)
/* Error */ /* Error */
}
Alternative method: Alternative method:
X509 *x = NULL; X509 *x = NULL;
if (!PEM_read_bio_X509(bp, &x, 0, NULL)) { if (!PEM_read_bio_X509(bp, &x, 0, NULL))
/* Error */ /* Error */
}
Write a certificate to a BIO: Write a certificate to a BIO:
if (!PEM_write_bio_X509(bp, x)) { if (!PEM_write_bio_X509(bp, x))
/* Error */ /* Error */
}
Write a private key (using traditional format) to a BIO using Write a private key (using traditional format) to a BIO using
triple DES encryption, the pass phrase is prompted for: triple DES encryption, the pass phrase is prompted for:
if (!PEM_write_bio_PrivateKey(bp, key, EVP_des_ede3_cbc(), NULL, 0, 0, NULL)) { if (!PEM_write_bio_PrivateKey(bp, key, EVP_des_ede3_cbc(), NULL, 0, 0, NULL))
/* Error */ /* Error */
}
Write a private key (using PKCS#8 format) to a BIO using triple Write a private key (using PKCS#8 format) to a BIO using triple
DES encryption, using the pass phrase "hello": DES encryption, using the pass phrase "hello":
if (!PEM_write_bio_PKCS8PrivateKey(bp, key, EVP_des_ede3_cbc(), NULL, 0, 0, "hello")) { if (!PEM_write_bio_PKCS8PrivateKey(bp, key, EVP_des_ede3_cbc(),
NULL, 0, 0, "hello"))
/* Error */ /* Error */
}
Read a private key from a BIO using a pass phrase callback: Read a private key from a BIO using a pass phrase callback:
key = PEM_read_bio_PrivateKey(bp, NULL, pass_cb, "My Private Key"); key = PEM_read_bio_PrivateKey(bp, NULL, pass_cb, "My Private Key");
if (key == NULL) { if (key == NULL)
/* Error */ /* Error */
}
Skeleton pass phrase callback: Skeleton pass phrase callback:
...@@ -432,9 +427,8 @@ The pseudo code to derive the key would look similar to: ...@@ -432,9 +427,8 @@ The pseudo code to derive the key would look similar to:
memcpy(iv, HexToBin("3F17F5316E2BAC89"), niv); memcpy(iv, HexToBin("3F17F5316E2BAC89"), niv);
rc = EVP_BytesToKey(cipher, md, iv /*salt*/, pword, plen, 1, key, NULL /*iv*/); rc = EVP_BytesToKey(cipher, md, iv /*salt*/, pword, plen, 1, key, NULL /*iv*/);
if (rc != nkey) { if (rc != nkey)
/* Error */ /* Error */
}
/* On success, use key and iv to initialize the cipher */ /* On success, use key and iv to initialize the cipher */
......
...@@ -99,8 +99,7 @@ the default method is used. ...@@ -99,8 +99,7 @@ the default method is used.
int (*rsa_priv_dec)(int flen, unsigned char *from, int (*rsa_priv_dec)(int flen, unsigned char *from,
unsigned char *to, RSA *rsa, int padding); unsigned char *to, RSA *rsa, int padding);
/* compute r0 = r0 ^ I mod rsa->n (May be NULL for some /* compute r0 = r0 ^ I mod rsa->n (May be NULL for some implementations) */
implementations) */
int (*rsa_mod_exp)(BIGNUM *r0, BIGNUM *I, RSA *rsa); int (*rsa_mod_exp)(BIGNUM *r0, BIGNUM *I, RSA *rsa);
/* compute r = a ^ p mod m (May be NULL for some implementations) */ /* compute r = a ^ p mod m (May be NULL for some implementations) */
...@@ -113,7 +112,8 @@ the default method is used. ...@@ -113,7 +112,8 @@ the default method is used.
/* called at RSA_free */ /* called at RSA_free */
int (*finish)(RSA *rsa); int (*finish)(RSA *rsa);
/* RSA_FLAG_EXT_PKEY - rsa_mod_exp is called for private key /*
* RSA_FLAG_EXT_PKEY - rsa_mod_exp is called for private key
* operations, even if p,q,dmp1,dmq1,iqmp * operations, even if p,q,dmp1,dmq1,iqmp
* are NULL * are NULL
* RSA_METHOD_FLAG_NO_CHECK - don't check pub/private match * RSA_METHOD_FLAG_NO_CHECK - don't check pub/private match
......
...@@ -41,15 +41,12 @@ If the file "config.cnf" contains the following: ...@@ -41,15 +41,12 @@ If the file "config.cnf" contains the following:
[test_sect] [test_sect]
# list of confuration modules # list of confuration modules
ssl_conf = ssl_sect ssl_conf = ssl_sect
[ssl_sect] [ssl_sect]
server = server_section server = server_section
[server_section] [server_section]
RSA.Certificate = server-rsa.pem RSA.Certificate = server-rsa.pem
ECDSA.Certificate = server-ecdsa.pem ECDSA.Certificate = server-ecdsa.pem
Ciphers = ALL:!RC4 Ciphers = ALL:!RC4
......
...@@ -199,15 +199,13 @@ the lifetime of the SSL connection. ...@@ -199,15 +199,13 @@ the lifetime of the SSL connection.
uint8_t usage, selector, mtype; uint8_t usage, selector, mtype;
if ((ctx = SSL_CTX_new(TLS_client_method())) == NULL) if ((ctx = SSL_CTX_new(TLS_client_method())) == NULL)
/* handle error */ /* error */
if (SSL_CTX_dane_enable(ctx) <= 0) if (SSL_CTX_dane_enable(ctx) <= 0)
/* handle error */ /* error */
if ((ssl = SSL_new(ctx)) == NULL) if ((ssl = SSL_new(ctx)) == NULL)
/* handle error */ /* error */
if (SSL_dane_enable(ssl, dane_tlsa_domain) <= 0) if (SSL_dane_enable(ssl, dane_tlsa_domain) <= 0)
/* handle error */ /* error */
/* /*
* For many applications it is safe to skip DANE-EE(3) namechecks. Do not * For many applications it is safe to skip DANE-EE(3) namechecks. Do not
...@@ -217,7 +215,7 @@ the lifetime of the SSL connection. ...@@ -217,7 +215,7 @@ the lifetime of the SSL connection.
SSL_dane_set_flags(ssl, DANE_FLAG_NO_DANE_EE_NAMECHECKS); SSL_dane_set_flags(ssl, DANE_FLAG_NO_DANE_EE_NAMECHECKS);
if (!SSL_add1_host(ssl, nexthop_domain)) if (!SSL_add1_host(ssl, nexthop_domain))
/* handle error */ /* error */
SSL_set_hostflags(ssl, X509_CHECK_FLAG_NO_PARTIAL_WILDCARDS); SSL_set_hostflags(ssl, X509_CHECK_FLAG_NO_PARTIAL_WILDCARDS);
for (... each TLSA record ...) { for (... each TLSA record ...) {
......
...@@ -103,12 +103,10 @@ server id given, and will fill the rest with pseudo random bytes: ...@@ -103,12 +103,10 @@ server id given, and will fill the rest with pseudo random bytes:
* ID (ie. the prefix!) so all future session negotiations will * ID (ie. the prefix!) so all future session negotiations will
* fail due to conflicts. * fail due to conflicts.
*/ */
memcpy(id, session_id_prefix, memcpy(id, session_id_prefix, strlen(session_id_prefix) < *id_len ?
(strlen(session_id_prefix) < *id_len) ?
strlen(session_id_prefix) : *id_len); strlen(session_id_prefix) : *id_len);
} } while (SSL_has_matching_session_id(ssl, id, *id_len)
while (SSL_has_matching_session_id(ssl, id, *id_len) && && ++count < MAX_SESSION_ID_ATTEMPTS);
(++count < MAX_SESSION_ID_ATTEMPTS));
if (count >= MAX_SESSION_ID_ATTEMPTS) if (count >= MAX_SESSION_ID_ATTEMPTS)
return 0; return 0;
return 1; return 1;
......
...@@ -112,33 +112,27 @@ about alerts being handled and error messages to the B<bio_err> BIO. ...@@ -112,33 +112,27 @@ about alerts being handled and error messages to the B<bio_err> BIO.
void apps_ssl_info_callback(SSL *s, int where, int ret) void apps_ssl_info_callback(SSL *s, int where, int ret)
{ {
const char *str; const char *str;
int w; int w = where & ~SSL_ST_MASK;
w = where & ~SSL_ST_MASK; if (w & SSL_ST_CONNECT)
str = "SSL_connect";
else if (w & SSL_ST_ACCEPT)
str = "SSL_accept";
else
str = "undefined";
if (w & SSL_ST_CONNECT) str = "SSL_connect"; if (where & SSL_CB_LOOP) {
else if (w & SSL_ST_ACCEPT) str = "SSL_accept";
else str = "undefined";
if (where & SSL_CB_LOOP)
{
BIO_printf(bio_err, "%s:%s\n", str, SSL_state_string_long(s)); BIO_printf(bio_err, "%s:%s\n", str, SSL_state_string_long(s));
} } else if (where & SSL_CB_ALERT) {
else if (where & SSL_CB_ALERT)
{
str = (where & SSL_CB_READ) ? "read" : "write"; str = (where & SSL_CB_READ) ? "read" : "write";
BIO_printf(bio_err, "SSL3 alert %s:%s:%s\n", BIO_printf(bio_err, "SSL3 alert %s:%s:%s\n", str,
str,
SSL_alert_type_string_long(ret), SSL_alert_type_string_long(ret),
SSL_alert_desc_string_long(ret)); SSL_alert_desc_string_long(ret));
} } else if (where & SSL_CB_EXIT) {
else if (where & SSL_CB_EXIT) if (ret == 0) {
{
if (ret == 0)
BIO_printf(bio_err, "%s:failed in %s\n", BIO_printf(bio_err, "%s:failed in %s\n",
str, SSL_state_string_long(s)); str, SSL_state_string_long(s));
else if (ret < 0) } else if (ret < 0) {
{
BIO_printf(bio_err, "%s:error in %s\n", BIO_printf(bio_err, "%s:error in %s\n",
str, SSL_state_string_long(s)); str, SSL_state_string_long(s));
} }
......
...@@ -124,23 +124,28 @@ enable an attacker to obtain the session keys. ...@@ -124,23 +124,28 @@ enable an attacker to obtain the session keys.
=head1 EXAMPLES =head1 EXAMPLES
Reference Implementation: Reference Implementation:
SSL_CTX_set_tlsext_ticket_key_cb(SSL, ssl_tlsext_ticket_key_cb); SSL_CTX_set_tlsext_ticket_key_cb(SSL, ssl_tlsext_ticket_key_cb);
.... ...
static int ssl_tlsext_ticket_key_cb(SSL *s, unsigned char key_name[16], unsigned char *iv, EVP_CIPHER_CTX *ctx, HMAC_CTX *hctx, int enc) static int ssl_tlsext_ticket_key_cb(SSL *s, unsigned char key_name[16],
unsigned char *iv, EVP_CIPHER_CTX *ctx,
HMAC_CTX *hctx, int enc)
{ {
if (enc) { /* create new session */ if (enc) { /* create new session */
if (RAND_bytes(iv, EVP_MAX_IV_LENGTH) ) if (RAND_bytes(iv, EVP_MAX_IV_LENGTH))
return -1; /* insufficient random */ return -1; /* insufficient random */
key = currentkey(); /* something that you need to implement */ key = currentkey(); /* something that you need to implement */
if ( key == NULL ) { if (key == NULL) {
/* current key doesn't exist or isn't valid */ /* current key doesn't exist or isn't valid */
key = createkey(); /* something that you need to implement. key = createkey(); /*
* createkey needs to initialise, a name, * Something that you need to implement.
* createkey needs to initialise a name,
* an aes_key, a hmac_key and optionally * an aes_key, a hmac_key and optionally
* an expire time. */ * an expire time.
if ( key == NULL ) /* key couldn't be created */ */
if (key == NULL) /* key couldn't be created */
return 0; return 0;
} }
memcpy(key_name, key->name, 16); memcpy(key_name, key->name, 16);
...@@ -153,23 +158,23 @@ Reference Implementation: ...@@ -153,23 +158,23 @@ Reference Implementation:
} else { /* retrieve session */ } else { /* retrieve session */
key = findkey(name); key = findkey(name);
if (key == NULL || key->expire < now() ) if (key == NULL || key->expire < now())
return 0; return 0;
HMAC_Init_ex(&hctx, key->hmac_key, 16, EVP_sha256(), NULL); HMAC_Init_ex(&hctx, key->hmac_key, 16, EVP_sha256(), NULL);
EVP_DecryptInit_ex(&ctx, EVP_aes_128_cbc(), NULL, key->aes_key, iv ); EVP_DecryptInit_ex(&ctx, EVP_aes_128_cbc(), NULL, key->aes_key, iv);
if (key->expire < ( now() - RENEW_TIME ) ) if (key->expire < now() - RENEW_TIME) {
/* return 2 - this session will get a new ticket even though the current is still valid */ /*
* return 2 - This session will get a new ticket even though the
* current one is still valid.
*/
return 2; return 2;
}
return 1; return 1;
} }
} }
=head1 RETURN VALUES =head1 RETURN VALUES
returns 0 to indicate the callback function was set. returns 0 to indicate the callback function was set.
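Review bot: `if (RAND_bytes(iv, EVP_MAX_IV_LENGTH))` treats success as failure: RAND_bytes() returns 1 on success, so the callback returns -1 whenever the IV was generated and carries on with an unfilled IV when it was not. The test should be `if (RAND_bytes(iv, EVP_MAX_IV_LENGTH) <= 0)`. In the retrieve branch, `key->expire < now() - RENEW_TIME` looks unreachable after the earlier `key->expire < now()` return, so `return 2` never renews a ticket; `key->expire < now() + RENEW_TIME` is probably what was meant. `HMAC_Init_ex(&hctx, ...)` and `EVP_DecryptInit_ex(&ctx, ...)` also pass the address of parameters that are already pointers. Part of the function body lies between the two hunks and is not shown.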
......
...@@ -84,16 +84,14 @@ supply at least 2048-bit parameters in the callback. ...@@ -84,16 +84,14 @@ supply at least 2048-bit parameters in the callback.
Setup DH parameters with a key length of 2048 bits. (Error handling Setup DH parameters with a key length of 2048 bits. (Error handling
partly left out.) partly left out.)
Command-line parameter generation: Command-line parameter generation:
$ openssl dhparam -out dh_param_2048.pem 2048 $ openssl dhparam -out dh_param_2048.pem 2048
Code for setting up parameters during server initialization: Code for setting up parameters during server initialization:
...
SSL_CTX ctx = SSL_CTX_new(); SSL_CTX ctx = SSL_CTX_new();
...
/* Set up ephemeral DH parameters. */
DH *dh_2048 = NULL; DH *dh_2048 = NULL;
FILE *paramfile; FILE *paramfile;
paramfile = fopen("dh_param_2048.pem", "r"); paramfile = fopen("dh_param_2048.pem", "r");
...@@ -103,12 +101,10 @@ partly left out.) ...@@ -103,12 +101,10 @@ partly left out.)
} else { } else {
/* Error. */ /* Error. */
} }
if (dh_2048 == NULL) { if (dh_2048 == NULL)
/* Error. */ /* Error. */
} if (SSL_CTX_set_tmp_dh(ctx, dh_2048) != 1)
if (SSL_CTX_set_tmp_dh(ctx, dh_2048) != 1) {
/* Error. */ /* Error. */
}
... ...
=head1 RETURN VALUES =head1 RETURN VALUES
......
...@@ -190,6 +190,7 @@ L<SSL_get_ex_data_X509_STORE_CTX_idx(3)>). ...@@ -190,6 +190,7 @@ L<SSL_get_ex_data_X509_STORE_CTX_idx(3)>).
int always_continue; int always_continue;
} mydata_t; } mydata_t;
int mydata_index; int mydata_index;
... ...
static int verify_callback(int preverify_ok, X509_STORE_CTX *ctx) static int verify_callback(int preverify_ok, X509_STORE_CTX *ctx)
{ {
...@@ -229,9 +230,7 @@ L<SSL_get_ex_data_X509_STORE_CTX_idx(3)>). ...@@ -229,9 +230,7 @@ L<SSL_get_ex_data_X509_STORE_CTX_idx(3)>).
if (!preverify_ok) { if (!preverify_ok) {
printf("verify error:num=%d:%s:depth=%d:%s\n", err, printf("verify error:num=%d:%s:depth=%d:%s\n", err,
X509_verify_cert_error_string(err), depth, buf); X509_verify_cert_error_string(err), depth, buf);
} } else if (mydata->verbose_mode) {
else if (mydata->verbose_mode)
{
printf("depth=%d:%s\n", depth, buf); printf("depth=%d:%s\n", depth, buf);
} }
...@@ -239,8 +238,7 @@ L<SSL_get_ex_data_X509_STORE_CTX_idx(3)>). ...@@ -239,8 +238,7 @@ L<SSL_get_ex_data_X509_STORE_CTX_idx(3)>).
* At this point, err contains the last verification error. We can use * At this point, err contains the last verification error. We can use
* it for something special * it for something special
*/ */
if (!preverify_ok && (err == X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT)) if (!preverify_ok && (err == X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT)) {
{
X509_NAME_oneline(X509_get_issuer_name(err_cert), buf, 256); X509_NAME_oneline(X509_get_issuer_name(err_cert), buf, 256);
printf("issuer= %s\n", buf); printf("issuer= %s\n", buf);
} }
...@@ -258,7 +256,7 @@ L<SSL_get_ex_data_X509_STORE_CTX_idx(3)>). ...@@ -258,7 +256,7 @@ L<SSL_get_ex_data_X509_STORE_CTX_idx(3)>).
mydata_index = SSL_get_ex_new_index(0, "mydata index", NULL, NULL, NULL); mydata_index = SSL_get_ex_new_index(0, "mydata index", NULL, NULL, NULL);
... ...
SSL_CTX_set_verify(ctx, SSL_VERIFY_PEER|SSL_VERIFY_CLIENT_ONCE, SSL_CTX_set_verify(ctx, SSL_VERIFY_PEER | SSL_VERIFY_CLIENT_ONCE,
verify_callback); verify_callback);
/* /*
...@@ -276,10 +274,8 @@ L<SSL_get_ex_data_X509_STORE_CTX_idx(3)>). ...@@ -276,10 +274,8 @@ L<SSL_get_ex_data_X509_STORE_CTX_idx(3)>).
... ...
SSL_accept(ssl); /* check of success left out for clarity */ SSL_accept(ssl); /* check of success left out for clarity */
if (peer = SSL_get_peer_certificate(ssl)) if (peer = SSL_get_peer_certificate(ssl)) {
{ if (SSL_get_verify_result(ssl) == X509_V_OK) {
if (SSL_get_verify_result(ssl) == X509_V_OK)
{
/* The client sent a certificate which verified OK */ /* The client sent a certificate which verified OK */
} }
} }
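Review bot: The rewritten line `if (peer = SSL_get_peer_certificate(ssl)) {` still uses a bare assignment as the condition, which reads like a mistyped `==` and draws a -Wparentheses warning from GCC under -Wall. Since the line is being touched anyway, spell the test out: `if ((peer = SSL_get_peer_certificate(ssl)) != NULL) {`. In the same example, `X509_NAME_oneline(X509_get_issuer_name(err_cert), buf, 256);` hard-codes the buffer length; if `buf` is an array declared in the part of verify_callback() outside these hunks, `sizeof(buf)` would keep the two in step.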
......
...@@ -35,7 +35,7 @@ Load names of CAs from file and use it as a client CA list: ...@@ -35,7 +35,7 @@ Load names of CAs from file and use it as a client CA list:
if (cert_names != NULL) if (cert_names != NULL)
SSL_CTX_set_client_CA_list(ctx, cert_names); SSL_CTX_set_client_CA_list(ctx, cert_names);
else else
error_handling(); /* error */
... ...
=head1 RETURN VALUES =head1 RETURN VALUES
......
...@@ -82,22 +82,19 @@ and must be copied by the application if it is to be retained beyond ...@@ -82,22 +82,19 @@ and must be copied by the application if it is to be retained beyond
the lifetime of the SSL connection. the lifetime of the SSL connection.
SSL_set_hostflags(ssl, X509_CHECK_FLAG_NO_PARTIAL_WILDCARDS); SSL_set_hostflags(ssl, X509_CHECK_FLAG_NO_PARTIAL_WILDCARDS);
if (!SSL_set1_host(ssl, "smtp.example.com")) { if (!SSL_set1_host(ssl, "smtp.example.com"))
/* handle error */ /* error */
} if (!SSL_add1_host(ssl, "example.com"))
if (!SSL_add1_host(ssl, "example.com")) { /* error */
/* handle error */
}
/* XXX: Perform SSL_connect() handshake and handle errors here */ /* XXX: Perform SSL_connect() handshake and handle errors here */
if (SSL_get_verify_result(ssl) == X509_V_OK) { if (SSL_get_verify_result(ssl) == X509_V_OK) {
const char *peername = SSL_get0_peername(ssl); const char *peername = SSL_get0_peername(ssl);
if (peername != NULL) { if (peername != NULL)
/* Name checks were in scope and matched the peername */ /* Name checks were in scope and matched the peername */
} }
}
=head1 SEE ALSO =head1 SEE ALSO
......
...@@ -75,8 +75,7 @@ Process all entries: ...@@ -75,8 +75,7 @@ Process all entries:
int i; int i;
X509_NAME_ENTRY *e; X509_NAME_ENTRY *e;
for (i = 0; i < X509_NAME_entry_count(nm); i++) for (i = 0; i < X509_NAME_entry_count(nm); i++) {
{
e = X509_NAME_get_entry(nm, i); e = X509_NAME_get_entry(nm, i);
/* Do something with e */ /* Do something with e */
} }
...@@ -86,8 +85,7 @@ Process all commonName entries: ...@@ -86,8 +85,7 @@ Process all commonName entries:
int lastpos = -1; int lastpos = -1;
X509_NAME_ENTRY *e; X509_NAME_ENTRY *e;
for (;;) for (;;) {
{
lastpos = X509_NAME_get_index_by_NID(nm, NID_commonName, lastpos); lastpos = X509_NAME_get_index_by_NID(nm, NID_commonName, lastpos);
if (lastpos == -1) if (lastpos == -1)
break; break;
......
...@@ -100,16 +100,14 @@ X509_STORE_CTX_set_verify_cb() does not return a value. ...@@ -100,16 +100,14 @@ X509_STORE_CTX_set_verify_cb() does not return a value.
Default callback operation: Default callback operation:
int verify_callback(int ok, X509_STORE_CTX *ctx) int verify_callback(int ok, X509_STORE_CTX *ctx) {
{
return ok; return ok;
} }
Simple example, suppose a certificate in the chain is expired and we wish Simple example, suppose a certificate in the chain is expired and we wish
to continue after this error: to continue after this error:
int verify_callback(int ok, X509_STORE_CTX *ctx) int verify_callback(int ok, X509_STORE_CTX *ctx) {
{
/* Tolerate certificate expiration */ /* Tolerate certificate expiration */
if (X509_STORE_CTX_get_error(ctx) == X509_V_ERR_CERT_HAS_EXPIRED) if (X509_STORE_CTX_get_error(ctx) == X509_V_ERR_CERT_HAS_EXPIRED)
return 1; return 1;
...@@ -124,8 +122,7 @@ expired just one specific case: ...@@ -124,8 +122,7 @@ expired just one specific case:
{ {
int err = X509_STORE_CTX_get_error(ctx); int err = X509_STORE_CTX_get_error(ctx);
X509 *err_cert = X509_STORE_CTX_get_current_cert(ctx); X509 *err_cert = X509_STORE_CTX_get_current_cert(ctx);
if (err == X509_V_ERR_CERT_HAS_EXPIRED) if (err == X509_V_ERR_CERT_HAS_EXPIRED) {
{
if (check_is_acceptable_expired_cert(err_cert) if (check_is_acceptable_expired_cert(err_cert)
return 1; return 1;
} }
...@@ -146,8 +143,7 @@ B<ex_data>. ...@@ -146,8 +143,7 @@ B<ex_data>.
depth = X509_STORE_CTX_get_error_depth(ctx); depth = X509_STORE_CTX_get_error_depth(ctx);
BIO_printf(bio_err, "depth=%d ", depth); BIO_printf(bio_err, "depth=%d ", depth);
if (err_cert) if (err_cert) {
{
X509_NAME_print_ex(bio_err, X509_get_subject_name(err_cert), X509_NAME_print_ex(bio_err, X509_get_subject_name(err_cert),
0, XN_FLAG_ONELINE); 0, XN_FLAG_ONELINE);
BIO_puts(bio_err, "\n"); BIO_puts(bio_err, "\n");
...@@ -157,8 +153,7 @@ B<ex_data>. ...@@ -157,8 +153,7 @@ B<ex_data>.
if (!ok) if (!ok)
BIO_printf(bio_err, "verify error:num=%d:%s\n", err, BIO_printf(bio_err, "verify error:num=%d:%s\n", err,
X509_verify_cert_error_string(err)); X509_verify_cert_error_string(err));
switch (err) switch (err) {
{
case X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT: case X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT:
BIO_puts(bio_err, "issuer= "); BIO_puts(bio_err, "issuer= ");
X509_NAME_print_ex(bio_err, X509_get_issuer_name(err_cert), X509_NAME_print_ex(bio_err, X509_get_issuer_name(err_cert),
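Review bot: The two short callbacks now open with `int verify_callback(int ok, X509_STORE_CTX *ctx) {`, which moves the function's opening brace onto the signature line. The other function bodies in these examples (the `static int verify_callback(...)` on the SSL_CTX_set_verify page and the later callback in this file) keep `{` on its own line, and the coding style the commit cites appears to require that for functions. Restore the brace to its own line in both definitions. Separately, the context line `if (check_is_acceptable_expired_cert(err_cert)` is missing a closing parenthesis and would not compile as written; it should read `if (check_is_acceptable_expired_cert(err_cert))`.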
......