1 files changed, 648 insertions, 583 deletions
diff --git a/demos/easy_tls/easy-tls.c b/demos/easy_tls/easy-tls.c
index c041588160..610b4f9cf2 100644
--- a/demos/easy_tls/easy-tls.c
+++ b/demos/easy_tls/easy-tls.c
@@ -21,10 +21,10 @@
  *
  * 1. Redistributions qualify as "freeware" or "Open Source Software" under
  *    one of the following terms:
- * 
+ *
  *    (a) Redistributions are made at no charge beyond the reasonable cost of
  *        materials and delivery.
- * 
+ *
  *    (b) Redistributions are accompanied by a copy of the Source Code
  *        or by an irrevocable offer to provide a copy of the Source Code
  *        for up to three years at the cost of materials and delivery.
@@ -33,7 +33,7 @@
  *        terms as this license.
  *
  * 2. Redistributions of source code must retain the above copyright
- *    notice, this list of conditions and the following disclaimer. 
+ *    notice, this list of conditions and the following disclaimer.
  *
  * 3. Redistributions in binary form must reproduce the above copyright
  *    notice, this list of conditions and the following disclaimer in
@@ -73,7 +73,7 @@
  */
 
 static char const rcsid[] =
-"$Id: easy-tls.c,v 1.4 2002/03/05 09:07:16 bodo Exp $";
+    "$Id: easy-tls.c,v 1.4 2002/03/05 09:07:16 bodo Exp $";
 
 #include <assert.h>
 #include <errno.h>
@@ -99,7 +99,7 @@ static char const rcsid[] =
 #include <openssl/pem.h>
 #include <openssl/rand.h>
 #ifndef NO_RSA
- #include <openssl/rsa.h>
+# include <openssl/rsa.h>
 #endif
 #include <openssl/ssl.h>
 #include <openssl/x509.h>
@@ -109,11 +109,12 @@ static char const rcsid[] =
 # error "This program needs OpenSSL 0.9.4 or later."
 #endif
 
-#include "easy-tls.h" /* include after <openssl/ssl.h> if both are needed */
+#include "easy-tls.h"           /* include after <openssl/ssl.h> if both are
+                                 * needed */
 
 #if TLS_INFO_SIZE > PIPE_BUF
 # if PIPE_BUF < 512
-#  error "PIPE_BUF < 512" /* non-POSIX */
+#  error "PIPE_BUF < 512"       /* non-POSIX */
 # endif
 # error "TLS_INFO_SIZE > PIPE_BUF"
 #endif
@@ -127,7 +128,7 @@ static char const rcsid[] =
 /*-
  * Applications can define:
  *   TLS_APP_PROCESS_INIT -- void ...(int fd, int client_p, void *apparg)
- *   TLS_CUMULATE_ERRORS 
+ *   TLS_CUMULATE_ERRORS
  *   TLS_ERROR_BUFSIZ
  *   TLS_APP_ERRFLUSH -- void ...(int child_p, char *, size_t, void *apparg)
  */
@@ -139,7 +140,7 @@ static char const rcsid[] =
 #ifndef TLS_ERROR_BUFSIZ
 # define TLS_ERROR_BUFSIZ (10*160)
 #endif
-#if TLS_ERROR_BUFSIZ < 2 /* {'\n',0} */
+#if TLS_ERROR_BUFSIZ < 2        /* {'\n',0} */
 # error "TLS_ERROR_BUFSIZE is too small."
 #endif
 
@@ -165,15 +166,14 @@ static int tls_select_count = 0;
 #endif
 
 static void tls_rand_seed_uniquely(void);
-static void tls_proxy(int clear_fd, int tls_fd, int info_fd, SSL_CTX *ctx, int client_p);
+static void tls_proxy(int clear_fd, int tls_fd, int info_fd, SSL_CTX *ctx,
+                      int client_p);
 static int tls_socket_nonblocking(int fd);
 
 static int tls_child_p = 0;
 static void *tls_child_apparg;
 
-
-struct tls_start_proxy_args
-tls_start_proxy_defaultargs(void)
+struct tls_start_proxy_args tls_start_proxy_defaultargs(void)
 {
     struct tls_start_proxy_args ret;
 
@@ -182,11 +182,11 @@ tls_start_proxy_defaultargs(void)
     ret.ctx = NULL;
     ret.pid = NULL;
     ret.infofd = NULL;
-    
+
     return ret;
 }
 
-/*- 
+/*-
  * Slice in TLS proxy process at fd.
  * Return value:
  *   0    ok  (*pid is set to child's PID if pid != NULL),
@@ -195,11 +195,10 @@ tls_start_proxy_defaultargs(void)
  *   (return value encodes place of error)
  *
  */
-int
-tls_start_proxy(struct tls_start_proxy_args a, void *apparg)
+int tls_start_proxy(struct tls_start_proxy_args a, void *apparg)
 {
-    int fds[2] = {-1, -1};
-    int infofds[2] = {-1, -1};
+    int fds[2] = { -1, -1 };
+    int infofds[2] = { -1, -1 };
     int r, getfd, getfl;
     int ret;
 
@@ -207,52 +206,52 @@ tls_start_proxy(struct tls_start_proxy_args a, void *apparg)
     DEBUG_MSG2("tls_start_proxy client_p", a.client_p);
 
     if (a.fd == -1 || a.client_p == -1 || a.ctx == NULL)
-	return 1;
+        return 1;
 
     if (a.pid != NULL) {
-	*a.pid = 0;
+        *a.pid = 0;
     }
     if (a.infofd != NULL) {
-	*a.infofd = -1;
+        *a.infofd = -1;
     }
 
     r = socketpair(AF_UNIX, SOCK_STREAM, 0, fds);
     if (r == -1)
-	return -1;
+        return -1;
     if (a.fd >= FD_SETSIZE || fds[0] >= FD_SETSIZE) {
-	ret = 2;
-	goto err;
+        ret = 2;
+        goto err;
     }
     if (a.infofd != NULL) {
-	r = pipe(infofds);
-	if (r == -1) {
-	    ret = -3;
-	    goto err;
-	}
+        r = pipe(infofds);
+        if (r == -1) {
+            ret = -3;
+            goto err;
+        }
     }
 
     r = fork();
     if (r == -1) {
-	ret = -4;
-	goto err;
+        ret = -4;
+        goto err;
     }
     if (r == 0) {
-	DEBUG_MSG("fork");
-	tls_child_p = 1;
-	tls_child_apparg = apparg;
-	close(fds[1]);
-	if (infofds[0] != -1)
-	    close(infofds[0]);
-	TLS_APP_PROCESS_INIT(a.fd, a.client_p, apparg);
-	DEBUG_MSG("TLS_APP_PROCESS_INIT");
-	tls_proxy(fds[0], a.fd, infofds[1], a.ctx, a.client_p);
-	exit(0);
+        DEBUG_MSG("fork");
+        tls_child_p = 1;
+        tls_child_apparg = apparg;
+        close(fds[1]);
+        if (infofds[0] != -1)
+            close(infofds[0]);
+        TLS_APP_PROCESS_INIT(a.fd, a.client_p, apparg);
+        DEBUG_MSG("TLS_APP_PROCESS_INIT");
+        tls_proxy(fds[0], a.fd, infofds[1], a.ctx, a.client_p);
+        exit(0);
     }
     if (a.pid != NULL)
-	*a.pid = r;
+        *a.pid = r;
     if (infofds[1] != -1) {
-	close(infofds[1]);
-	infofds[1] = -1;
+        close(infofds[1]);
+        infofds[1] = -1;
     }
     /* install fds[1] in place of fd: */
     close(fds[0]);
@@ -263,26 +262,26 @@ tls_start_proxy(struct tls_start_proxy_args a, void *apparg)
     close(fds[1]);
     fds[1] = -1;
     if (r == -1) {
-	ret = -5;
-	goto err;
+        ret = -5;
+        goto err;
     }
     if (getfd != 1)
-	fcntl(a.fd, F_SETFD, getfd);
+        fcntl(a.fd, F_SETFD, getfd);
     if (getfl & O_NONBLOCK)
-	(void)tls_socket_nonblocking(a.fd);
+        (void)tls_socket_nonblocking(a.fd);
     if (a.infofd != NULL)
-	*a.infofd = infofds[0];
+        *a.infofd = infofds[0];
     return 0;
-    
-  err:
+
+ err:
     if (fds[0] != -1)
-	close(fds[0]);
+        close(fds[0]);
     if (fds[1] != -1)
-	close(fds[1]);
+        close(fds[1]);
     if (infofds[0] != -1)
-	close(infofds[0]);
+        close(infofds[0]);
     if (infofds[1] != -1)
-	close(infofds[1]);
+        close(infofds[1]);
     return ret;
 }
 
@@ -291,62 +290,64 @@ tls_start_proxy(struct tls_start_proxy_args a, void *apparg)
 static char errbuf[TLS_ERROR_BUFSIZ];
 static size_t errbuf_i = 0;
 
-static void
-tls_errflush(void *apparg)
+static void tls_errflush(void *apparg)
 {
     if (errbuf_i == 0)
-	return;
-    
+        return;
+
     assert(errbuf_i < sizeof errbuf);
     assert(errbuf[errbuf_i] == 0);
     if (errbuf_i == sizeof errbuf - 1) {
-	/* make sure we have a newline, even if string has been truncated */
-	errbuf[errbuf_i - 1] = '\n';
+        /* make sure we have a newline, even if string has been truncated */
+        errbuf[errbuf_i - 1] = '\n';
     }
 
-    /* TLS_APP_ERRFLUSH may modify the string as needed,
-     * e.g. substitute other characters for \n for convenience */
+    /*
+     * TLS_APP_ERRFLUSH may modify the string as needed, e.g. substitute
+     * other characters for \n for convenience
+     */
     TLS_APP_ERRFLUSH(tls_child_p, errbuf, errbuf_i, apparg);
 
     errbuf_i = 0;
 }
 
-static void
-tls_errprintf(int flush, void *apparg, const char *fmt, ...)
+static void tls_errprintf(int flush, void *apparg, const char *fmt, ...)
 {
     va_list args;
     int r;
-    
+
     if (errbuf_i < sizeof errbuf - 1) {
-	size_t n;
-
-	va_start(args, fmt);
-	n = (sizeof errbuf) - errbuf_i;
-	r = vsnprintf(errbuf + errbuf_i, n, fmt, args);
-	if (r >= n)
-	    r = n - 1;
-	if (r >= 0) {
-	    errbuf_i += r;
-	} else {
-	    errbuf_i = sizeof errbuf - 1;
-	    errbuf[errbuf_i] = '\0';
-	}
-	assert(errbuf_i < sizeof errbuf);
-	assert(errbuf[errbuf_i] == 0);
+        size_t n;
+
+        va_start(args, fmt);
+        n = (sizeof errbuf) - errbuf_i;
+        r = vsnprintf(errbuf + errbuf_i, n, fmt, args);
+        if (r >= n)
+            r = n - 1;
+        if (r >= 0) {
+            errbuf_i += r;
+        } else {
+            errbuf_i = sizeof errbuf - 1;
+            errbuf[errbuf_i] = '\0';
+        }
+        assert(errbuf_i < sizeof errbuf);
+        assert(errbuf[errbuf_i] == 0);
     }
 #ifndef TLS_CUMULATE_ERRORS
     tls_errflush(apparg);
 #else
     if (flush)
-	tls_errflush(apparg);
+        tls_errflush(apparg);
 #endif
 }
 
-/* app_prefix.. are for additional information provided by caller.
- * If OpenSSL error queue is empty, print default_text ("???" if NULL).
+/*
+ * app_prefix.. are for additional information provided by caller. If OpenSSL
+ * error queue is empty, print default_text ("???" if NULL).
  */
-static char *
-tls_openssl_errors(const char *app_prefix_1, const char *app_prefix_2, const char *default_text, void *apparg)
+static char *tls_openssl_errors(const char *app_prefix_1,
+                                const char *app_prefix_2,
+                                const char *default_text, void *apparg)
 {
     static char reasons[255];
     size_t reasons_i;
@@ -357,45 +358,49 @@ tls_openssl_errors(const char *app_prefix_1, const char *app_prefix_2, const cha
     int flags;
     char *errstring;
     int printed_something = 0;
-    
+
     reasons_i = 0;
 
     assert(app_prefix_1 != NULL);
     assert(app_prefix_2 != NULL);
 
     if (default_text == NULL)
-	default_text = "?""?""?";
-    
-    while ((err = ERR_get_error_line_data(&file,&line,&data,&flags)) != 0) {
-	if (reasons_i < sizeof reasons) {
-	    size_t n;
-	    int r;
-
-	    n = (sizeof reasons) - reasons_i;
-	    r = snprintf(reasons + reasons_i, n, "%s%s", (reasons_i > 0 ? ", " : ""), ERR_reason_error_string(err));
-	    if (r >= n)
-		r = n - 1;
-	    if (r >= 0) {
-		reasons_i += r;
-	    } else {
-		reasons_i = sizeof reasons;
-	    }
-	    assert(reasons_i <= sizeof reasons);
-	}
-	
-	errstring = ERR_error_string(err, NULL);
-	assert(errstring != NULL);
-	tls_errprintf(0, apparg, "OpenSSL error%s%s: %s:%s:%d:%s\n", app_prefix_1, app_prefix_2, errstring, file, line, (flags & ERR_TXT_STRING) ? data : "");
-	printed_something = 1;
+        default_text = "?" "?" "?";
+
+    while ((err = ERR_get_error_line_data(&file, &line, &data, &flags)) != 0) {
+        if (reasons_i < sizeof reasons) {
+            size_t n;
+            int r;
+
+            n = (sizeof reasons) - reasons_i;
+            r = snprintf(reasons + reasons_i, n, "%s%s",
+                         (reasons_i > 0 ? ", " : ""),
+                         ERR_reason_error_string(err));
+            if (r >= n)
+                r = n - 1;
+            if (r >= 0) {
+                reasons_i += r;
+            } else {
+                reasons_i = sizeof reasons;
+            }
+            assert(reasons_i <= sizeof reasons);
+        }
+
+        errstring = ERR_error_string(err, NULL);
+        assert(errstring != NULL);
+        tls_errprintf(0, apparg, "OpenSSL error%s%s: %s:%s:%d:%s\n",
+                      app_prefix_1, app_prefix_2, errstring, file, line,
+                      (flags & ERR_TXT_STRING) ? data : "");
+        printed_something = 1;
     }
 
     if (!printed_something) {
-	assert(reasons_i == 0);
-	snprintf(reasons, sizeof reasons, "%s", default_text);
-	tls_errprintf(0, apparg, "OpenSSL error%s%s: %s\n", app_prefix_1, app_prefix_2, default_text);
+        assert(reasons_i == 0);
+        snprintf(reasons, sizeof reasons, "%s", default_text);
+        tls_errprintf(0, apparg, "OpenSSL error%s%s: %s\n", app_prefix_1,
+                      app_prefix_2, default_text);
     }
-
-#ifdef TLS_CUMULATE_ERRORS    
+#ifdef TLS_CUMULATE_ERRORS
     tls_errflush(apparg);
 #endif
     assert(errbuf_i == 0);
@@ -407,16 +412,15 @@ tls_openssl_errors(const char *app_prefix_1, const char *app_prefix_2, const cha
 
 static int tls_init_done = 0;
 
-static int
-tls_init(void *apparg)
+static int tls_init(void *apparg)
 {
     if (tls_init_done)
-	return 0;
-    
+        return 0;
+
     SSL_load_error_strings();
     if (!SSL_library_init() /* aka SSLeay_add_ssl_algorithms() */ ) {
-	tls_errprintf(1, apparg, "SSL_library_init failed.\n");
-	return -1;
+        tls_errprintf(1, apparg, "SSL_library_init failed.\n");
+        return -1;
     }
     tls_init_done = 1;
     tls_rand_seed();
@@ -425,13 +429,12 @@ tls_init(void *apparg)
 
 /*****************************************************************************/
 
-static void
-tls_rand_seed_uniquely(void)
+static void tls_rand_seed_uniquely(void)
 {
     struct {
-	pid_t pid;
-	time_t time;
-	void *stack;
+        pid_t pid;
+        time_t time;
+        void *stack;
     } data;
 
     data.pid = getpid();
@@ -441,80 +444,84 @@ tls_rand_seed_uniquely(void)
     RAND_seed((const void *)&data, sizeof data);
 }
 
-void
-tls_rand_seed(void)
+void tls_rand_seed(void)
 {
     struct {
-	struct utsname uname;
-	int uname_1;
-	int uname_2;
-	uid_t uid;
-	uid_t euid;
-	gid_t gid;
-	gid_t egid;
+        struct utsname uname;
+        int uname_1;
+        int uname_2;
+        uid_t uid;
+        uid_t euid;
+        gid_t gid;
+        gid_t egid;
     } data;
-    
+
     data.uname_1 = uname(&data.uname);
-    data.uname_2 = errno; /* Let's hope that uname fails randomly :-) */
+    data.uname_2 = errno;       /* Let's hope that uname fails randomly :-) */
 
     data.uid = getuid();
     data.euid = geteuid();
     data.gid = getgid();
     data.egid = getegid();
-    
+
     RAND_seed((const void *)&data, sizeof data);
     tls_rand_seed_uniquely();
 }
 
 static int tls_rand_seeded_p = 0;
 
-#define my_MIN_SEED_BYTES 256 /* struct stat can be larger than 128 */
-int
-tls_rand_seed_from_file(const char *filename, size_t n, void *apparg)
+#define my_MIN_SEED_BYTES 256   /* struct stat can be larger than 128 */
+int tls_rand_seed_from_file(const char *filename, size_t n, void *apparg)
 {
-    /* Seed OpenSSL's random number generator from file.
-       Try to read n bytes if n > 0, whole file if n == 0. */
+    /*
+     * Seed OpenSSL's random number generator from file. Try to read n bytes
+     * if n > 0, whole file if n == 0.
+     */
 
     int r;
 
     if (tls_init(apparg) == -1)
-	return -1;
+        return -1;
     tls_rand_seed();
 
-    r = RAND_load_file(filename, (n > 0 && n < LONG_MAX) ? (long)n : LONG_MAX);
-    /* r is the number of bytes filled into the random number generator,
-     * which are taken from "stat(filename, ...)" in addition to the
-     * file contents.
+    r = RAND_load_file(filename,
+                       (n > 0 && n < LONG_MAX) ? (long)n : LONG_MAX);
+    /*
+     * r is the number of bytes filled into the random number generator,
+     * which are taken from "stat(filename, ...)" in addition to the file
+     * contents.
      */
     assert(1 < my_MIN_SEED_BYTES);
-    /* We need to detect at least those cases when the file does not exist
-     * at all.  With current versions of OpenSSL, this should do it: */
+    /*
+     * We need to detect at least those cases when the file does not exist at
+     * all.  With current versions of OpenSSL, this should do it:
+     */
     if (n == 0)
-	n = my_MIN_SEED_BYTES;
+        n = my_MIN_SEED_BYTES;
     if (r < n) {
-	tls_errprintf(1, apparg, "rand_seed_from_file: could not read %d bytes from %s.\n", n, filename);
-	return -1;
+        tls_errprintf(1, apparg,
+                      "rand_seed_from_file: could not read %d bytes from %s.\n",
+                      n, filename);
+        return -1;
     } else {
-	tls_rand_seeded_p = 1;
-	return 0;
+        tls_rand_seeded_p = 1;
+        return 0;
     }
 }
 
-void
-tls_rand_seed_from_memory(const void *buf, size_t n)
+void tls_rand_seed_from_memory(const void *buf, size_t n)
 {
     size_t i = 0;
-    
+
     while (i < n) {
-	size_t rest = n - i;
-	int chunk = rest < INT_MAX ? (int)rest : INT_MAX;
-	RAND_seed((const char *)buf + i, chunk);
-	i += chunk;
+        size_t rest = n - i;
+        int chunk = rest < INT_MAX ? (int)rest : INT_MAX;
+        RAND_seed((const char *)buf + i, chunk);
+        i += chunk;
     }
     tls_rand_seeded_p = 1;
 }
 
-
 /*****************************************************************************/
 
 struct tls_x509_name_string {
@@ -522,344 +529,367 @@ struct tls_x509_name_string {
 };
 
 static void
-tls_get_x509_subject_name_oneline(X509 *cert, struct tls_x509_name_string *namestring)
+tls_get_x509_subject_name_oneline(X509 *cert,
+                                  struct tls_x509_name_string *namestring)
 {
     X509_NAME *name;
 
     if (cert == NULL) {
-	namestring->str[0] = '\0';
-	return;
+        namestring->str[0] = '\0';
+        return;
     }
-    
-    name = X509_get_subject_name(cert); /* does not increment any reference counter */
+
+    name = X509_get_subject_name(cert); /* does not increment any reference
+                                         * counter */
 
     assert(sizeof namestring->str >= 4); /* "?" or "...", plus 0 */
-    
+
     if (name == NULL) {
-	namestring->str[0] = '?';
-	namestring->str[1] = 0;
+        namestring->str[0] = '?';
+        namestring->str[1] = 0;
     } else {
-	size_t len;
-
-	X509_NAME_oneline(name, namestring->str, sizeof namestring->str);
-	len = strlen(namestring->str);
-	assert(namestring->str[len] == 0);
-	assert(len < sizeof namestring->str);
-
-	if (len+1 == sizeof namestring->str) {
-	    /* (Probably something was cut off.)
-	     * Does not really work -- X509_NAME_oneline truncates after
-	     * name components, we cannot tell from the result whether
-	     * anything is missing. */
-
-	    assert(namestring->str[len] == 0);
-	    namestring->str[--len] = '.';
-	    namestring->str[--len] = '.';
-	    namestring->str[--len] = '.';
-	}
+        size_t len;
+
+        X509_NAME_oneline(name, namestring->str, sizeof namestring->str);
+        len = strlen(namestring->str);
+        assert(namestring->str[len] == 0);
+        assert(len < sizeof namestring->str);
+
+        if (len + 1 == sizeof namestring->str) {
+            /*
+             * (Probably something was cut off.) Does not really work --
+             * X509_NAME_oneline truncates after name components, we cannot
+             * tell from the result whether anything is missing.
+             */
+
+            assert(namestring->str[len] == 0);
+            namestring->str[--len] = '.';
+            namestring->str[--len] = '.';
+            namestring->str[--len] = '.';
+        }
     }
 }
 
 /*****************************************************************************/
 
 /* to hinder OpenSSL from asking for passphrases */
-static int
-no_passphrase_callback(char *buf, int num, int w, void *arg)
+static int no_passphrase_callback(char *buf, int num, int w, void *arg)
 {
     return -1;
 }
 
 #if OPENSSL_VERSION_NUMBER >= 0x00907000L
-static int
-verify_dont_fail_cb(X509_STORE_CTX *c, void *unused_arg)
+static int verify_dont_fail_cb(X509_STORE_CTX *c, void *unused_arg)
 #else
-static int
-verify_dont_fail_cb(X509_STORE_CTX *c)
+static int verify_dont_fail_cb(X509_STORE_CTX *c)
 #endif
 {
     int i;
-    
-    i = X509_verify_cert(c); /* sets c->error */
+
+    i = X509_verify_cert(c);    /* sets c->error */
 #if OPENSSL_VERSION_NUMBER >= 0x00905000L /* don't allow unverified
-					   * certificates -- they could
-					   * survive session reuse, but
-					   * OpenSSL < 0.9.5-dev does not
-					   * preserve their verify_result */
+                                           * certificates -- they could
+                                           * survive session reuse, but
+                                           * OpenSSL < 0.9.5-dev does not
+                                           * preserve their verify_result */
     if (i == 0)
-	return 1;
+        return 1;
     else
 #endif
-	return i;
+        return i;
 }
 
-static DH *tls_dhe1024 = NULL; /* generating these takes a while, so do it just once */
+static DH *tls_dhe1024 = NULL;  /* generating these takes a while, so do it
+                                 * just once */
 
-void
-tls_set_dhe1024(int i, void *apparg)
+void tls_set_dhe1024(int i, void *apparg)
 {
     DSA *dsaparams;
     DH *dhparams;
     const char *seed[] = { ";-)  :-(  :-)  :-(  ",
-			   ";-)  :-(  :-)  :-(  ",
-			   "Random String no. 12",
-			   ";-)  :-(  :-)  :-(  ",
-			   "hackers have even mo", /* from jargon file */
+        ";-)  :-(  :-)  :-(  ",
+        "Random String no. 12",
+        ";-)  :-(  :-)  :-(  ",
+        "hackers have even mo", /* from jargon file */
     };
     unsigned char seedbuf[20];
-    
+
     tls_init(apparg);
     if (i >= 0) {
-	i %= sizeof seed / sizeof seed[0];
-	assert(strlen(seed[i]) == 20);
-	memcpy(seedbuf, seed[i], 20);
-	dsaparams = DSA_generate_parameters(1024, seedbuf, 20, NULL, NULL, 0, NULL);
+        i %= sizeof seed / sizeof seed[0];
+        assert(strlen(seed[i]) == 20);
+        memcpy(seedbuf, seed[i], 20);
+        dsaparams =
+            DSA_generate_parameters(1024, seedbuf, 20, NULL, NULL, 0, NULL);
     } else {
-	/* random parameters (may take a while) */
-	dsaparams = DSA_generate_parameters(1024, NULL, 0, NULL, NULL, 0, NULL);
+        /* random parameters (may take a while) */
+        dsaparams =
+            DSA_generate_parameters(1024, NULL, 0, NULL, NULL, 0, NULL);
     }
-    
+
     if (dsaparams == NULL) {
-	tls_openssl_errors("", "", NULL, apparg);
-	return;
+        tls_openssl_errors("", "", NULL, apparg);
+        return;
     }
     dhparams = DSA_dup_DH(dsaparams);
     DSA_free(dsaparams);
     if (dhparams == NULL) {
-	tls_openssl_errors("", "", NULL, apparg);
-	return;
+        tls_openssl_errors("", "", NULL, apparg);
+        return;
     }
     if (tls_dhe1024 != NULL)
-	DH_free(tls_dhe1024);
+        DH_free(tls_dhe1024);
     tls_dhe1024 = dhparams;
 }
 
-struct tls_create_ctx_args
-tls_create_ctx_defaultargs(void)
+struct tls_create_ctx_args tls_create_ctx_defaultargs(void)
 {
-	struct tls_create_ctx_args ret;
+    struct tls_create_ctx_args ret;
 
-	ret.client_p = 0;
-	ret.certificate_file = NULL;
-	ret.key_file = NULL;
-	ret.ca_file = NULL;
-	ret.verify_depth = -1;
-	ret.fail_unless_verified = 0;
-	ret.export_p = 0;
+    ret.client_p = 0;
+    ret.certificate_file = NULL;
+    ret.key_file = NULL;
+    ret.ca_file = NULL;
+    ret.verify_depth = -1;
+    ret.fail_unless_verified = 0;
+    ret.export_p = 0;
 
-	return ret;
+    return ret;
 }
 
-SSL_CTX *
-tls_create_ctx(struct tls_create_ctx_args a, void *apparg)
+SSL_CTX *tls_create_ctx(struct tls_create_ctx_args a, void *apparg)
 {
     int r;
     static long context_num = 0;
     SSL_CTX *ret;
     const char *err_pref_1 = "", *err_pref_2 = "";
-    
+
     if (tls_init(apparg) == -1)
-	return NULL;
+        return NULL;
 
-    ret = SSL_CTX_new((a.client_p? SSLv23_client_method:SSLv23_server_method)());
+    ret =
+        SSL_CTX_new((a.client_p ? SSLv23_client_method :
+                     SSLv23_server_method) ());
 
     if (ret == NULL)
-	goto err;
+        goto err;
 
     SSL_CTX_set_default_passwd_cb(ret, no_passphrase_callback);
     SSL_CTX_set_mode(ret, SSL_MODE_ENABLE_PARTIAL_WRITE);
-    
+
     if ((a.certificate_file != NULL) || (a.key_file != NULL)) {
-	if (a.key_file == NULL) {
-	    tls_errprintf(1, apparg, "Need a key file.\n");
-	    goto err_return;
-	}
-	if (a.certificate_file == NULL) {
-	    tls_errprintf(1, apparg, "Need a certificate chain file.\n");
-	    goto err_return;
-	}
-	
-	if (!SSL_CTX_use_PrivateKey_file(ret, a.key_file, SSL_FILETYPE_PEM))
-	    goto err;
-	if (!tls_rand_seeded_p) {
-	    /* particularly paranoid people may not like this --
-	     * so provide your own random seeding before calling this */
-	    if (tls_rand_seed_from_file(a.key_file, 0, apparg) == -1)
-		goto err_return;
-	}
-	if (!SSL_CTX_use_certificate_chain_file(ret, a.certificate_file))
-	    goto err;
-	if (!SSL_CTX_check_private_key(ret)) {
-	    tls_errprintf(1, apparg, "Private key \"%s\" does not match certificate \"%s\".\n", a.key_file, a.certificate_file);
-	    goto err_peek;
-	}
+        if (a.key_file == NULL) {
+            tls_errprintf(1, apparg, "Need a key file.\n");
+            goto err_return;
+        }
+        if (a.certificate_file == NULL) {
+            tls_errprintf(1, apparg, "Need a certificate chain file.\n");
+            goto err_return;
+        }
+
+        if (!SSL_CTX_use_PrivateKey_file(ret, a.key_file, SSL_FILETYPE_PEM))
+            goto err;
+        if (!tls_rand_seeded_p) {
+            /*
+             * particularly paranoid people may not like this -- so provide
+             * your own random seeding before calling this
+             */
+            if (tls_rand_seed_from_file(a.key_file, 0, apparg) == -1)
+                goto err_return;
+        }
+        if (!SSL_CTX_use_certificate_chain_file(ret, a.certificate_file))
+            goto err;
+        if (!SSL_CTX_check_private_key(ret)) {
+            tls_errprintf(1, apparg,
+                          "Private key \"%s\" does not match certificate \"%s\".\n",
+                          a.key_file, a.certificate_file);
+            goto err_peek;
+        }
     }
-    
+
     if ((a.ca_file != NULL) || (a.verify_depth > 0)) {
-	context_num++;
-	r = SSL_CTX_set_session_id_context(ret, (const void *)&context_num, (unsigned int)sizeof context_num);
-	if (!r)
-	    goto err;
-	
-	SSL_CTX_set_verify(ret, SSL_VERIFY_PEER | (a.fail_unless_verified ? SSL_VERIFY_FAIL_IF_NO_PEER_CERT : 0), 0);
-	if (!a.fail_unless_verified)
-	    SSL_CTX_set_cert_verify_callback(ret, verify_dont_fail_cb, NULL);
-	    
-	if (a.verify_depth > 0)
-	    SSL_CTX_set_verify_depth(ret, a.verify_depth);
-	
-	if (a.ca_file != NULL) {
-	    /* does not report failure if file does not exist ... */
-	    /* NULL argument means no CA-directory */
-	    r = SSL_CTX_load_verify_locations(ret, a.ca_file, NULL); 
-	    if (!r) {
-		err_pref_1 = " while processing certificate file ";
-		err_pref_2 = a.ca_file;
-		goto err;
-	    }
-	    
-	    if (!a.client_p) {
-		/* SSL_load_client_CA_file is a misnomer, it just creates a list of CNs. */
-		SSL_CTX_set_client_CA_list(ret, SSL_load_client_CA_file(a.ca_file));
-		/* SSL_CTX_set_client_CA_list does not have a return value;
-		 * it does not really need one, but make sure
-		 * (we really test if SSL_load_client_CA_file worked) */
-		if (SSL_CTX_get_client_CA_list(ret) == NULL) {
-		    tls_errprintf(1, apparg, "Could not set client CA list from \"%s\".\n", a.ca_file);
-		    goto err_peek;
-		}
-	    }
-	}
+        context_num++;
+        r = SSL_CTX_set_session_id_context(ret, (const void *)&context_num,
+                                           (unsigned int)sizeof context_num);
+        if (!r)
+            goto err;
+
+        SSL_CTX_set_verify(ret,
+                           SSL_VERIFY_PEER | (a.fail_unless_verified ?
+                                              SSL_VERIFY_FAIL_IF_NO_PEER_CERT
+                                              : 0), 0);
+        if (!a.fail_unless_verified)
+            SSL_CTX_set_cert_verify_callback(ret, verify_dont_fail_cb, NULL);
+
+        if (a.verify_depth > 0)
+            SSL_CTX_set_verify_depth(ret, a.verify_depth);
+
+        if (a.ca_file != NULL) {
+            /* does not report failure if file does not exist ... */
+            /* NULL argument means no CA-directory */
+            r = SSL_CTX_load_verify_locations(ret, a.ca_file, NULL);
+            if (!r) {
+                err_pref_1 = " while processing certificate file ";
+                err_pref_2 = a.ca_file;
+                goto err;
+            }
+
+            if (!a.client_p) {
+                /*
+                 * SSL_load_client_CA_file is a misnomer, it just creates a
+                 * list of CNs.
+                 */
+                SSL_CTX_set_client_CA_list(ret,
+                                           SSL_load_client_CA_file
+                                           (a.ca_file));
+                /*
+                 * SSL_CTX_set_client_CA_list does not have a return value;
+                 * it does not really need one, but make sure (we really test
+                 * if SSL_load_client_CA_file worked)
+                 */
+                if (SSL_CTX_get_client_CA_list(ret) == NULL) {
+                    tls_errprintf(1, apparg,
+                                  "Could not set client CA list from \"%s\".\n",
+                                  a.ca_file);
+                    goto err_peek;
+                }
+            }
+        }
     }
-    
+
     if (!a.client_p) {
-	if (tls_dhe1024 == NULL) {
-	    int i;
-
-	    RAND_bytes((unsigned char *) &i, sizeof i);
-	    /* make sure that i is non-negative -- pick one of the provided
-	     * seeds */
-	    if (i < 0)
-		i = -i;
-	    if (i < 0)
-		i = 0;
-	    tls_set_dhe1024(i, apparg);
-	    if (tls_dhe1024 == NULL)
-		goto err_return;
-	}
-	
-	if (!SSL_CTX_set_tmp_dh(ret, tls_dhe1024))
-	    goto err;
-
-	/* avoid small subgroup attacks: */
-	SSL_CTX_set_options(ret, SSL_OP_SINGLE_DH_USE);
+        if (tls_dhe1024 == NULL) {
+            int i;
+
+            RAND_bytes((unsigned char *)&i, sizeof i);
+            /*
+             * make sure that i is non-negative -- pick one of the provided
+             * seeds
+             */
+            if (i < 0)
+                i = -i;
+            if (i < 0)
+                i = 0;
+            tls_set_dhe1024(i, apparg);
+            if (tls_dhe1024 == NULL)
+                goto err_return;
+        }
+
+        if (!SSL_CTX_set_tmp_dh(ret, tls_dhe1024))
+            goto err;
+
+        /* avoid small subgroup attacks: */
+        SSL_CTX_set_options(ret, SSL_OP_SINGLE_DH_USE);
     }
-	
 #ifndef NO_RSA
     if (!a.client_p && a.export_p) {
-	RSA *tmpkey;
-
-	tmpkey = RSA_generate_key(512, RSA_F4, 0, NULL);
-	if (tmpkey == NULL)
-	    goto err;
-	if (!SSL_CTX_set_tmp_rsa(ret, tmpkey)) {
-	    RSA_free(tmpkey);
-	    goto err;
-	}
-	RSA_free(tmpkey); /* SSL_CTX_set_tmp_rsa uses a duplicate. */
+        RSA *tmpkey;
+
+        tmpkey = RSA_generate_key(512, RSA_F4, 0, NULL);
+        if (tmpkey == NULL)
+            goto err;
+        if (!SSL_CTX_set_tmp_rsa(ret, tmpkey)) {
+            RSA_free(tmpkey);
+            goto err;
+        }
+        RSA_free(tmpkey);       /* SSL_CTX_set_tmp_rsa uses a duplicate. */
     }
 #endif
-	
+
     return ret;
-    
+
  err_peek:
     if (!ERR_peek_error())
-	goto err_return;
+        goto err_return;
  err:
     tls_openssl_errors(err_pref_1, err_pref_2, NULL, apparg);
  err_return:
     if (ret != NULL)
-	SSL_CTX_free(ret);
+        SSL_CTX_free(ret);
     return NULL;
 }
 
-
 /*****************************************************************************/
 
-static int
-tls_socket_nonblocking(int fd)
+static int tls_socket_nonblocking(int fd)
 {
     int v, r;
 
     v = fcntl(fd, F_GETFL, 0);
     if (v == -1) {
-	if (errno == EINVAL)
-	    return 0; /* already shut down -- ignore */
-	return -1;
+        if (errno == EINVAL)
+            return 0;           /* already shut down -- ignore */
+        return -1;
     }
     r = fcntl(fd, F_SETFL, v | O_NONBLOCK);
     if (r == -1) {
-	if (errno == EINVAL)
-	    return 0; /* already shut down -- ignore */
-	return -1;
+        if (errno == EINVAL)
+            return 0;           /* already shut down -- ignore */
+        return -1;
     }
     return 0;
 }
 
-static int
-max(int a, int b)
+static int max(int a, int b)
 {
     return a > b ? a : b;
 }
 
 /* timeout, -1 means no timeout */
 static void
-tls_sockets_select(int read_select_1, int read_select_2, int write_select_1, int write_select_2, int seconds)
+tls_sockets_select(int read_select_1, int read_select_2, int write_select_1,
+                   int write_select_2, int seconds)
 {
     int maxfd, n;
     fd_set reads, writes;
     struct timeval timeout;
     struct timeval *timeout_p;
-    
-    assert(read_select_1 >= -1 && read_select_2 >= -1 && write_select_1 >= -1 && write_select_2 >= -1);
-    assert(read_select_1 < FD_SETSIZE && read_select_2 < FD_SETSIZE -1 && write_select_1 < FD_SETSIZE -1 && write_select_2 < FD_SETSIZE -1);
 
-    maxfd = max(max(read_select_1, read_select_2), max(write_select_1, write_select_2));
+    assert(read_select_1 >= -1 && read_select_2 >= -1 && write_select_1 >= -1
+           && write_select_2 >= -1);
+    assert(read_select_1 < FD_SETSIZE && read_select_2 < FD_SETSIZE - 1
+           && write_select_1 < FD_SETSIZE - 1
+           && write_select_2 < FD_SETSIZE - 1);
+
+    maxfd =
+        max(max(read_select_1, read_select_2),
+            max(write_select_1, write_select_2));
     assert(maxfd >= 0);
 
     FD_ZERO(&reads);
     FD_ZERO(&writes);
-    
-    for(n = 0; n < 4; ++n) {
-	int i = n % 2;
-	int w = n >= 2;
-	/* lo