external/boringssl: Sync to f21650709a6f76e829ddcc77fe221c9d6a5c12de.
This includes the following changes:
https://boringssl.googlesource.com/boringssl/+log/348f0d8db9c2a0eca0503ba654020209c579d552..f21650709a6f76e829ddcc77fe221c9d6a5c12de
Test: BoringSSL CTS Presubmits.
Change-Id: Ie6e99c3315c552068b5ea57e31b1af7ff94f9b0f
diff --git a/src/BUILDING.md b/src/BUILDING.md
index 6dfeddb..eab61e2 100644
--- a/src/BUILDING.md
+++ b/src/BUILDING.md
@@ -33,7 +33,7 @@
executable may be configured explicitly by setting `GO_EXECUTABLE`.
* To build the x86 and x86\_64 assembly, your assembler must support AVX2
- instructions and MOVBE. If using GNU binutils, you must have 2.22 or later.
+ instructions and MOVBE. If using GNU binutils, you must have 2.22 or later
## Building
diff --git a/src/CMakeLists.txt b/src/CMakeLists.txt
index dc6e0d2..c32b707 100644
--- a/src/CMakeLists.txt
+++ b/src/CMakeLists.txt
@@ -125,6 +125,9 @@
set(CMAKE_C_FLAGS "-Wall -WX ${MSVC_DISABLED_WARNINGS_STR} ${MSVC_LEVEL4_WARNINGS_STR}")
set(CMAKE_CXX_FLAGS "-Wall -WX ${MSVC_DISABLED_WARNINGS_STR} ${MSVC_LEVEL4_WARNINGS_STR}")
set(CMAKE_ASM_NASM_FLAGS "-g cv8")
+endif()
+
+if(WIN32)
add_definitions(-D_HAS_EXCEPTIONS=0)
add_definitions(-DWIN32_LEAN_AND_MEAN)
add_definitions(-DNOMINMAX)
diff --git a/src/PORTING.md b/src/PORTING.md
index ca9f6a4..e2fdb3a 100644
--- a/src/PORTING.md
+++ b/src/PORTING.md
@@ -130,6 +130,17 @@
* If a HelloRequest is received while `SSL_write` has unsent application data,
the renegotiation is rejected.
+* Renegotiation does not participate in session resumption. The client will
+ not offer a session on renegotiation or resume any session established by a
+ renegotiation handshake.
+
+* The server may not change its certificate in the renegotiation. This mitigates
+ the [triple handshake attack](https://mitls.org/pages/attacks/3SHAKE). Any new
+ stapled OCSP response and SCT list will be ignored. As no authentication state
+ may change, BoringSSL will not re-verify the certificate on a renegotiation.
+ Callbacks such as `SSL_CTX_set_custom_verify` will only run on the initial
+ handshake.
+
### Lowercase hexadecimal
BoringSSL's `BN_bn2hex` function uses lowercase hexadecimal digits instead of
diff --git a/src/crypto/CMakeLists.txt b/src/crypto/CMakeLists.txt
index 651793f..8541bbb 100644
--- a/src/crypto/CMakeLists.txt
+++ b/src/crypto/CMakeLists.txt
@@ -47,7 +47,7 @@
endforeach()
endif()
else()
- if (CMAKE_CL_64)
+ if (${ARCH} STREQUAL "x86_64")
set(PERLASM_STYLE nasm)
else()
set(PERLASM_STYLE win32n)
diff --git a/src/crypto/base64/base64.c b/src/crypto/base64/base64.c
index d5450fc..b701b0d 100644
--- a/src/crypto/base64/base64.c
+++ b/src/crypto/base64/base64.c
@@ -65,29 +65,29 @@
#include "../internal.h"
-/* constant_time_lt_args_8 behaves like |constant_time_lt_8| but takes |uint8_t|
- * arguments for a slightly simpler implementation. */
+// constant_time_lt_args_8 behaves like |constant_time_lt_8| but takes |uint8_t|
+// arguments for a slightly simpler implementation.
static inline uint8_t constant_time_lt_args_8(uint8_t a, uint8_t b) {
crypto_word_t aw = a;
crypto_word_t bw = b;
- /* |crypto_word_t| is larger than |uint8_t|, so |aw| and |bw| have the same
- * MSB. |aw| < |bw| iff MSB(|aw| - |bw|) is 1. */
+ // |crypto_word_t| is larger than |uint8_t|, so |aw| and |bw| have the same
+ // MSB. |aw| < |bw| iff MSB(|aw| - |bw|) is 1.
return constant_time_msb_w(aw - bw);
}
-/* constant_time_in_range_8 returns |CONSTTIME_TRUE_8| if |min| <= |a| <= |max|
- * and |CONSTTIME_FALSE_8| otherwise. */
+// constant_time_in_range_8 returns |CONSTTIME_TRUE_8| if |min| <= |a| <= |max|
+// and |CONSTTIME_FALSE_8| otherwise.
static inline uint8_t constant_time_in_range_8(uint8_t a, uint8_t min,
uint8_t max) {
a -= min;
return constant_time_lt_args_8(a, max - min + 1);
}
-/* Encoding. */
+// Encoding.
static uint8_t conv_bin2ascii(uint8_t a) {
- /* Since PEM is sometimes used to carry private keys, we encode base64 data
- * itself in constant-time. */
+ // Since PEM is sometimes used to carry private keys, we encode base64 data
+ // itself in constant-time.
a &= 0x3f;
uint8_t ret = constant_time_select_8(constant_time_eq_8(a, 62), '+', '/');
ret =
@@ -183,8 +183,8 @@
ctx->data_used = (unsigned)in_len;
if (total > INT_MAX) {
- /* We cannot signal an error, but we can at least avoid making *out_len
- * negative. */
+ // We cannot signal an error, but we can at least avoid making *out_len
+ // negative.
total = 0;
}
*out_len = (int)total;
@@ -201,8 +201,8 @@
out[encoded] = '\0';
ctx->data_used = 0;
- /* ctx->data_used is bounded by sizeof(ctx->data), so this does not
- * overflow. */
+ // ctx->data_used is bounded by sizeof(ctx->data), so this does not
+ // overflow.
assert(encoded <= INT_MAX);
*out_len = (int)encoded;
}
@@ -240,7 +240,7 @@
}
-/* Decoding. */
+// Decoding.
int EVP_DecodedLength(size_t *out_len, size_t len) {
if (len % 4 != 0) {
@@ -256,8 +256,8 @@
}
static uint8_t base64_ascii_to_bin(uint8_t a) {
- /* Since PEM is sometimes used to carry private keys, we decode base64 data
- * itself in constant-time. */
+ // Since PEM is sometimes used to carry private keys, we decode base64 data
+ // itself in constant-time.
const uint8_t is_upper = constant_time_in_range_8(a, 'A', 'Z');
const uint8_t is_lower = constant_time_in_range_8(a, 'a', 'z');
const uint8_t is_digit = constant_time_in_range_8(a, '0', '9');
@@ -265,21 +265,21 @@
const uint8_t is_slash = constant_time_eq_8(a, '/');
const uint8_t is_equals = constant_time_eq_8(a, '=');
- uint8_t ret = 0xff; /* 0xff signals invalid. */
- ret = constant_time_select_8(is_upper, a - 'A', ret); /* [0,26) */
- ret = constant_time_select_8(is_lower, a - 'a' + 26, ret); /* [26,52) */
- ret = constant_time_select_8(is_digit, a - '0' + 52, ret); /* [52,62) */
+ uint8_t ret = 0xff; // 0xff signals invalid.
+ ret = constant_time_select_8(is_upper, a - 'A', ret); // [0,26)
+ ret = constant_time_select_8(is_lower, a - 'a' + 26, ret); // [26,52)
+ ret = constant_time_select_8(is_digit, a - '0' + 52, ret); // [52,62)
ret = constant_time_select_8(is_plus, 62, ret);
ret = constant_time_select_8(is_slash, 63, ret);
- /* Padding maps to zero, to be further handled by the caller. */
+ // Padding maps to zero, to be further handled by the caller.
ret = constant_time_select_8(is_equals, 0, ret);
return ret;
}
-/* base64_decode_quad decodes a single “quad” (i.e. four characters) of base64
- * data and writes up to three bytes to |out|. It sets |*out_num_bytes| to the
- * number of bytes written, which will be less than three if the quad ended
- * with padding. It returns one on success or zero on error. */
+// base64_decode_quad decodes a single “quad” (i.e. four characters) of base64
+// data and writes up to three bytes to |out|. It sets |*out_num_bytes| to the
+// number of bytes written, which will be less than three if the quad ended
+// with padding. It returns one on success or zero on error.
static int base64_decode_quad(uint8_t *out, size_t *out_num_bytes,
const uint8_t *in) {
const uint8_t a = base64_ascii_to_bin(in[0]);
@@ -300,20 +300,20 @@
switch (padding_pattern) {
case 0:
- /* The common case of no padding. */
+ // The common case of no padding.
*out_num_bytes = 3;
out[0] = v >> 16;
out[1] = v >> 8;
out[2] = v;
break;
- case 1: /* xxx= */
+ case 1: // xxx=
*out_num_bytes = 2;
out[0] = v >> 16;
out[1] = v >> 8;
break;
- case 3: /* xx== */
+ case 3: // xx==
*out_num_bytes = 1;
out[0] = v >> 16;
break;
@@ -424,7 +424,7 @@
}
int EVP_DecodeBlock(uint8_t *dst, const uint8_t *src, size_t src_len) {
- /* Trim spaces and tabs from the beginning of the input. */
+ // Trim spaces and tabs from the beginning of the input.
while (src_len > 0) {
if (src[0] != ' ' && src[0] != '\t') {
break;
@@ -434,7 +434,7 @@
src_len--;
}
- /* Trim newlines, spaces and tabs from the end of the line. */
+ // Trim newlines, spaces and tabs from the end of the line.
while (src_len > 0) {
switch (src[src_len-1]) {
case ' ':
@@ -455,8 +455,8 @@
return -1;
}
- /* EVP_DecodeBlock does not take padding into account, so put the
- * NULs back in... so the caller can strip them back out. */
+ // EVP_DecodeBlock does not take padding into account, so put the
+ // NULs back in... so the caller can strip them back out.
while (dst_len % 3 != 0) {
dst[dst_len++] = '\0';
}
diff --git a/src/crypto/base64/base64_test.cc b/src/crypto/base64/base64_test.cc
index 108c782..28b5c8e 100644
--- a/src/crypto/base64/base64_test.cc
+++ b/src/crypto/base64/base64_test.cc
@@ -280,9 +280,9 @@
out_len += bytes_written;
if (i == encoded_len ||
(i + 1 == encoded_len && t.encoded[i] == '\n') ||
- /* If there was an '-' in the input (which means “EOF”) then
- * this loop will continue to test that |EVP_DecodeUpdate| will
- * ignore the remainder of the input. */
+ // If there was an '-' in the input (which means “EOF”) then
+ // this loop will continue to test that |EVP_DecodeUpdate| will
+ // ignore the remainder of the input.
strchr(t.encoded, '-') != nullptr) {
break;
}
diff --git a/src/crypto/bio/bio.c b/src/crypto/bio/bio.c
index 5cab843..4e88966 100644
--- a/src/crypto/bio/bio.c
+++ b/src/crypto/bio/bio.c
@@ -96,13 +96,6 @@
return 0;
}
- if (bio->callback != NULL) {
- int i = (int)bio->callback(bio, BIO_CB_FREE, NULL, 0, 0, 1);
- if (i <= 0) {
- return i;
- }
- }
-
next_bio = BIO_pop(bio);
if (bio->method != NULL && bio->method->destroy != NULL) {
@@ -127,64 +120,61 @@
BIO_free(bio);
}
-static int bio_io(BIO *bio, void *buf, int len, size_t method_offset,
- int callback_flags, size_t *num) {
- int i;
- typedef int (*io_func_t)(BIO *, char *, int);
- io_func_t io_func = NULL;
-
- if (bio != NULL && bio->method != NULL) {
- io_func =
- *((const io_func_t *)(((const uint8_t *)bio->method) + method_offset));
- }
-
- if (io_func == NULL) {
+int BIO_read(BIO *bio, void *buf, int len) {
+ if (bio == NULL || bio->method == NULL || bio->method->bread == NULL) {
OPENSSL_PUT_ERROR(BIO, BIO_R_UNSUPPORTED_METHOD);
return -2;
}
-
- if (bio->callback != NULL) {
- i = (int) bio->callback(bio, callback_flags, buf, len, 0L, 1L);
- if (i <= 0) {
- return i;
- }
- }
-
if (!bio->init) {
OPENSSL_PUT_ERROR(BIO, BIO_R_UNINITIALIZED);
return -2;
}
-
- i = 0;
- if (buf != NULL && len > 0) {
- i = io_func(bio, buf, len);
+ if (len <= 0) {
+ return 0;
}
-
- if (i > 0) {
- *num += i;
+ int ret = bio->method->bread(bio, buf, len);
+ if (ret > 0) {
+ bio->num_read += ret;
}
-
- if (bio->callback != NULL) {
- i = (int)(bio->callback(bio, callback_flags | BIO_CB_RETURN, buf, len, 0L,
- (long)i));
- }
-
- return i;
-}
-
-int BIO_read(BIO *bio, void *buf, int len) {
- return bio_io(bio, buf, len, offsetof(BIO_METHOD, bread), BIO_CB_READ,
- &bio->num_read);
+ return ret;
}
int BIO_gets(BIO *bio, char *buf, int len) {
- return bio_io(bio, buf, len, offsetof(BIO_METHOD, bgets), BIO_CB_GETS,
- &bio->num_read);
+ if (bio == NULL || bio->method == NULL || bio->method->bgets == NULL) {
+ OPENSSL_PUT_ERROR(BIO, BIO_R_UNSUPPORTED_METHOD);
+ return -2;
+ }
+ if (!bio->init) {
+ OPENSSL_PUT_ERROR(BIO, BIO_R_UNINITIALIZED);
+ return -2;
+ }
+ if (len <= 0) {
+ return 0;
+ }
+ int ret = bio->method->bgets(bio, buf, len);
+ if (ret > 0) {
+ bio->num_read += ret;
+ }
+ return ret;
}
int BIO_write(BIO *bio, const void *in, int inl) {
- return bio_io(bio, (char *)in, inl, offsetof(BIO_METHOD, bwrite),
- BIO_CB_WRITE, &bio->num_write);
+ if (bio == NULL || bio->method == NULL || bio->method->bwrite == NULL) {
+ OPENSSL_PUT_ERROR(BIO, BIO_R_UNSUPPORTED_METHOD);
+ return -2;
+ }
+ if (!bio->init) {
+ OPENSSL_PUT_ERROR(BIO, BIO_R_UNINITIALIZED);
+ return -2;
+ }
+ if (inl <= 0) {
+ return 0;
+ }
+ int ret = bio->method->bwrite(bio, in, inl);
+ if (ret > 0) {
+ bio->num_write += ret;
+ }
+ return ret;
}
int BIO_puts(BIO *bio, const char *in) {
@@ -196,8 +186,6 @@
}
long BIO_ctrl(BIO *bio, int cmd, long larg, void *parg) {
- long ret;
-
if (bio == NULL) {
return 0;
}
@@ -207,20 +195,7 @@
return -2;
}
- if (bio->callback != NULL) {
- ret = bio->callback(bio, BIO_CB_CTRL, parg, cmd, larg, 1);
- if (ret <= 0) {
- return ret;
- }
- }
-
- ret = bio->method->ctrl(bio, cmd, larg, parg);
-
- if (bio->callback != NULL) {
- ret = bio->callback(bio, BIO_CB_CTRL | BIO_CB_RETURN, parg, cmd, larg, ret);
- }
-
- return ret;
+ return bio->method->ctrl(bio, cmd, larg, parg);
}
char *BIO_ptr_ctrl(BIO *b, int cmd, long larg) {
@@ -305,9 +280,6 @@
}
long BIO_callback_ctrl(BIO *bio, int cmd, bio_info_cb fp) {
- long ret;
- bio_info_cb cb;
-
if (bio == NULL) {
return 0;
}
@@ -317,22 +289,7 @@
return 0;
}
- cb = bio->callback;
-
- if (cb != NULL) {
- ret = cb(bio, BIO_CB_CTRL, (void *)&fp, cmd, 0, 1L);
- if (ret <= 0) {
- return ret;
- }
- }
-
- ret = bio->method->callback_ctrl(bio, cmd, fp);
-
- if (cb != NULL) {
- ret = cb(bio, BIO_CB_CTRL | BIO_CB_RETURN, (void *)&fp, cmd, 0, ret);
- }
-
- return ret;
+ return bio->method->callback_ctrl(bio, cmd, fp);
}
size_t BIO_pending(const BIO *bio) {
@@ -363,18 +320,6 @@
return BIO_ctrl(bio, BIO_CTRL_SET_CLOSE, close_flag, NULL);
}
-void BIO_set_callback(BIO *bio, bio_info_cb callback_func) {
- bio->callback = callback_func;
-}
-
-void BIO_set_callback_arg(BIO *bio, char *arg) {
- bio->cb_arg = arg;
-}
-
-char *BIO_get_callback_arg(const BIO *bio) {
- return bio->cb_arg;
-}
-
OPENSSL_EXPORT size_t BIO_number_read(const BIO *bio) {
return bio->num_read;
}
@@ -464,14 +409,14 @@
ERR_print_errors_cb(print_bio, bio);
}
-/* bio_read_all reads everything from |bio| and prepends |prefix| to it. On
- * success, |*out| is set to an allocated buffer (which should be freed with
- * |OPENSSL_free|), |*out_len| is set to its length and one is returned. The
- * buffer will contain |prefix| followed by the contents of |bio|. On failure,
- * zero is returned.
- *
- * The function will fail if the size of the output would equal or exceed
- * |max_len|. */
+// bio_read_all reads everything from |bio| and prepends |prefix| to it. On
+// success, |*out| is set to an allocated buffer (which should be freed with
+// |OPENSSL_free|), |*out_len| is set to its length and one is returned. The
+// buffer will contain |prefix| followed by the contents of |bio|. On failure,
+// zero is returned.
+//
+// The function will fail if the size of the output would equal or exceed
+// |max_len|.
static int bio_read_all(BIO *bio, uint8_t **out, size_t *out_len,
const uint8_t *prefix, size_t prefix_len,
size_t max_len) {
@@ -535,20 +480,20 @@
const uint8_t length_byte = header[1];
if ((tag & 0x1f) == 0x1f) {
- /* Long form tags are not supported. */
+ // Long form tags are not supported.
return 0;
}
size_t len, header_len;
if ((length_byte & 0x80) == 0) {
- /* Short form length. */
+ // Short form length.
len = length_byte;
header_len = kInitialHeaderLen;
} else {
const size_t num_bytes = length_byte & 0x7f;
if ((tag & 0x20 /* constructed */) != 0 && num_bytes == 0) {
- /* indefinite length. */
+ // indefinite length.
return bio_read_all(bio, out, out_len, header, kInitialHeaderLen,
max_len);
}
@@ -571,12 +516,12 @@
}
if (len32 < 128) {
- /* Length should have used short-form encoding. */
+ // Length should have used short-form encoding.
return 0;
}
if ((len32 >> ((num_bytes-1)*8)) == 0) {
- /* Length should have been at least one byte shorter. */
+ // Length should have been at least one byte shorter.
return 0;
}
diff --git a/src/crypto/bio/bio_mem.c b/src/crypto/bio/bio_mem.c
index 1cba8a8..08dd6e9 100644
--- a/src/crypto/bio/bio_mem.c
+++ b/src/crypto/bio/bio_mem.c
@@ -82,16 +82,16 @@
}
b = (BUF_MEM *)ret->ptr;
- /* BIO_FLAGS_MEM_RDONLY ensures |b->data| is not written to. */
+ // BIO_FLAGS_MEM_RDONLY ensures |b->data| is not written to.
b->data = (void *)buf;
b->length = size;
b->max = size;
ret->flags |= BIO_FLAGS_MEM_RDONLY;
- /* |num| is used to store the value that this BIO will return when it runs
- * out of data. If it's negative then the retry flags will also be set. Since
- * this is static data, retrying wont help */
+ // |num| is used to store the value that this BIO will return when it runs
+ // out of data. If it's negative then the retry flags will also be set. Since
+ // this is static data, retrying wont help
ret->num = 0;
return ret;
@@ -105,8 +105,8 @@
return 0;
}
- /* |shutdown| is used to store the close flag: whether the BIO has ownership
- * of the BUF_MEM. */
+ // |shutdown| is used to store the close flag: whether the BIO has ownership
+ // of the BUF_MEM.
bio->shutdown = 1;
bio->init = 1;
bio->num = -1;
@@ -214,8 +214,8 @@
}
}
- /* i is now the max num of bytes to copy, either j or up to and including the
- * first newline */
+ // i is now the max num of bytes to copy, either j or up to and including the
+ // first newline
i = mem_read(bio, buf, i);
if (i > 0) {
@@ -233,7 +233,7 @@
switch (cmd) {
case BIO_CTRL_RESET:
if (b->data != NULL) {
- /* For read only case reset to the start again */
+ // For read only case reset to the start again
if (bio->flags & BIO_FLAGS_MEM_RDONLY) {
b->data -= b->max - b->length;
b->length = b->max;
diff --git a/src/crypto/bio/connect.c b/src/crypto/bio/connect.c
index d40dd53..0b60f6a 100644
--- a/src/crypto/bio/connect.c
+++ b/src/crypto/bio/connect.c
@@ -98,12 +98,12 @@
struct sockaddr_storage them;
socklen_t them_length;
- /* the file descriptor is kept in bio->num in order to match the socket
- * BIO. */
+ // the file descriptor is kept in bio->num in order to match the socket
+ // BIO.
- /* info_callback is called when the connection is initially made
- * callback(BIO,state,ret); The callback should return 'ret', state is for
- * compatibility with the SSL info_callback. */
+ // info_callback is called when the connection is initially made
+ // callback(BIO,state,ret); The callback should return 'ret', state is for
+ // compatibility with the SSL info_callback.
int (*info_callback)(const BIO *bio, int state, int ret);
} BIO_CONNECT;
@@ -113,9 +113,9 @@
}
#endif
-/* split_host_and_port sets |*out_host| and |*out_port| to the host and port
- * parsed from |name|. It returns one on success or zero on error. Even when
- * successful, |*out_port| may be NULL on return if no port was specified. */
+// split_host_and_port sets |*out_host| and |*out_port| to the host and port
+// parsed from |name|. It returns one on success or zero on error. Even when
+// successful, |*out_port| may be NULL on return if no port was specified.
static int split_host_and_port(char **out_host, char **out_port, const char *name) {
const char *host, *port = NULL;
size_t host_len = 0;
@@ -123,24 +123,24 @@
*out_host = NULL;
*out_port = NULL;
- if (name[0] == '[') { /* bracketed IPv6 address */
+ if (name[0] == '[') { // bracketed IPv6 address
const char *close = strchr(name, ']');
if (close == NULL) {
return 0;
}
host = name + 1;
host_len = close - host;
- if (close[1] == ':') { /* [IP]:port */
+ if (close[1] == ':') { // [IP]:port
port = close + 2;
} else if (close[1] != 0) {
return 0;
}
} else {
const char *colon = strchr(name, ':');
- if (colon == NULL || strchr(colon + 1, ':') != NULL) { /* IPv6 address */
+ if (colon == NULL || strchr(colon + 1, ':') != NULL) { // IPv6 address
host = name;
host_len = strlen(name);
- } else { /* host:port */
+ } else { // host:port
host = name;
host_len = colon - name;
port = colon + 1;
@@ -175,9 +175,9 @@
for (;;) {
switch (c->state) {
case BIO_CONN_S_BEFORE:
- /* If there's a hostname and a port, assume that both are
- * exactly what they say. If there is only a hostname, try
- * (just once) to split it into a hostname and port. */
+ // If there's a hostname and a port, assume that both are
+ // exactly what they say. If there is only a hostname, try
+ // (just once) to split it into a hostname and port.
if (c->param_hostname == NULL) {
OPENSSL_PUT_ERROR(BIO, BIO_R_NO_HOSTNAME_SPECIFIED);
@@ -330,7 +330,7 @@
return;
}
- /* Only do a shutdown if things were established */
+ // Only do a shutdown if things were established
if (c->state == BIO_CONN_S_OK) {
shutdown(bio->num, 2);
}
@@ -415,7 +415,7 @@
bio->flags = 0;
break;
case BIO_C_DO_STATE_MACHINE:
- /* use this one to start the connection */
+ // use this one to start the connection
if (data->state != BIO_CONN_S_OK) {
ret = (long)conn_state(bio, data);
} else {
diff --git a/src/crypto/bio/fd.c b/src/crypto/bio/fd.c
index 4e9eeac..37840a7 100644
--- a/src/crypto/bio/fd.c
+++ b/src/crypto/bio/fd.c
@@ -138,7 +138,7 @@
}
static int fd_new(BIO *bio) {
- /* num is used to store the file descriptor. */
+ // num is used to store the file descriptor.
bio->num = -1;
return 1;
}
diff --git a/src/crypto/bio/file.c b/src/crypto/bio/file.c
index 3580cd1..25c1dbd 100644
--- a/src/crypto/bio/file.c
+++ b/src/crypto/bio/file.c
@@ -55,18 +55,17 @@
* [including the GNU Public Licence.] */
#if defined(__linux) || defined(__sun) || defined(__hpux)
-/* Following definition aliases fopen to fopen64 on above mentioned
- * platforms. This makes it possible to open and sequentially access
- * files larger than 2GB from 32-bit application. It does not allow to
- * traverse them beyond 2GB with fseek/ftell, but on the other hand *no*
- * 32-bit platform permits that, not with fseek/ftell. Not to mention
- * that breaking 2GB limit for seeking would require surgery to *our*
- * API. But sequential access suffices for practical cases when you
- * can run into large files, such as fingerprinting, so we can let API
- * alone. For reference, the list of 32-bit platforms which allow for
- * sequential access of large files without extra "magic" comprise *BSD,
- * Darwin, IRIX...
- */
+// Following definition aliases fopen to fopen64 on above mentioned
+// platforms. This makes it possible to open and sequentially access
+// files larger than 2GB from 32-bit application. It does not allow to
+// traverse them beyond 2GB with fseek/ftell, but on the other hand *no*
+// 32-bit platform permits that, not with fseek/ftell. Not to mention
+// that breaking 2GB limit for seeking would require surgery to *our*
+// API. But sequential access suffices for practical cases when you
+// can run into large files, such as fingerprinting, so we can let API
+// alone. For reference, the list of 32-bit platforms which allow for
+// sequential access of large files without extra "magic" comprise *BSD,
+// Darwin, IRIX...
#ifndef _FILE_OFFSET_BITS
#define _FILE_OFFSET_BITS 64
#endif
@@ -157,7 +156,7 @@
return -1;
}
- /* fread reads at most |outl| bytes, so |ret| fits in an int. */
+ // fread reads at most |outl| bytes, so |ret| fits in an int.
return (int)ret;
}
@@ -232,7 +231,7 @@
b->init = 1;
break;
case BIO_C_GET_FILE_PTR:
- /* the ptr parameter is actually a FILE ** in this case. */
+ // the ptr parameter is actually a FILE ** in this case.
if (ptr != NULL) {
fpp = (FILE **)ptr;
*fpp = (FILE *)b->ptr;
diff --git a/src/crypto/bio/hexdump.c b/src/crypto/bio/hexdump.c
index d55df62..6d928bc 100644
--- a/src/crypto/bio/hexdump.c
+++ b/src/crypto/bio/hexdump.c
@@ -62,12 +62,12 @@
#include "../internal.h"
-/* hexdump_ctx contains the state of a hexdump. */
+// hexdump_ctx contains the state of a hexdump.
struct hexdump_ctx {
BIO *bio;
- char right_chars[18]; /* the contents of the right-hand side, ASCII dump. */
- unsigned used; /* number of bytes in the current line. */
- size_t n; /* number of bytes total. */
+ char right_chars[18]; // the contents of the right-hand side, ASCII dump.
+ unsigned used; // number of bytes in the current line.
+ size_t n; // number of bytes total.
unsigned indent;
};
@@ -84,21 +84,20 @@
return b;
}
-/* hexdump_write adds |len| bytes of |data| to the current hex dump described by
- * |ctx|. */
+// hexdump_write adds |len| bytes of |data| to the current hex dump described by
+// |ctx|.
static int hexdump_write(struct hexdump_ctx *ctx, const uint8_t *data,
size_t len) {
char buf[10];
unsigned l;
- /* Output lines look like:
- * 00000010 2e 2f 30 31 32 33 34 35 36 37 38 ... 3c 3d // |./0123456789:;<=|
- * ^ offset ^ extra space ^ ASCII of line
- */
+ // Output lines look like:
+ // 00000010 2e 2f 30 31 32 33 34 35 36 37 38 ... 3c 3d // |./0123456789:;<=|
+ // ^ offset ^ extra space ^ ASCII of line
for (size_t i = 0; i < len; i++) {
if (ctx->used == 0) {
- /* The beginning of a line. */
+ // The beginning of a line.
BIO_indent(ctx->bio, ctx->indent, UINT_MAX);
hexbyte(&buf[0], ctx->n >> 24);
@@ -115,12 +114,12 @@
buf[2] = ' ';
l = 3;
if (ctx->used == 7) {
- /* There's an additional space after the 8th byte. */
+ // There's an additional space after the 8th byte.
buf[3] = ' ';
l = 4;
} else if (ctx->used == 15) {
- /* At the end of the line there's an extra space and the bar for the
- * right column. */
+ // At the end of the line there's an extra space and the bar for the
+ // right column.
buf[3] = ' ';
buf[4] = '|';
l = 5;
@@ -145,9 +144,9 @@
return 1;
}
-/* finish flushes any buffered data in |ctx|. */
+// finish flushes any buffered data in |ctx|.
static int finish(struct hexdump_ctx *ctx) {
- /* See the comments in |hexdump| for the details of this format. */
+ // See the comments in |hexdump| for the details of this format.
const unsigned n_bytes = ctx->used;
unsigned l;
char buf[5];
diff --git a/src/crypto/bio/internal.h b/src/crypto/bio/internal.h
index 4ec77fa..8ed27da 100644
--- a/src/crypto/bio/internal.h
+++ b/src/crypto/bio/internal.h
@@ -61,7 +61,7 @@
#if !defined(OPENSSL_WINDOWS)
#if defined(OPENSSL_PNACL)
-/* newlib uses u_short in socket.h without defining it. */
+// newlib uses u_short in socket.h without defining it.
typedef unsigned short u_short;
#endif
#include <sys/types.h>
@@ -78,34 +78,34 @@
#endif
-/* BIO_ip_and_port_to_socket_and_addr creates a socket and fills in |*out_addr|
- * and |*out_addr_length| with the correct values for connecting to |hostname|
- * on |port_str|. It returns one on success or zero on error. */
+// BIO_ip_and_port_to_socket_and_addr creates a socket and fills in |*out_addr|
+// and |*out_addr_length| with the correct values for connecting to |hostname|
+// on |port_str|. It returns one on success or zero on error.
int bio_ip_and_port_to_socket_and_addr(int *out_sock,
struct sockaddr_storage *out_addr,
socklen_t *out_addr_length,
const char *hostname,
const char *port_str);
-/* BIO_socket_nbio sets whether |sock| is non-blocking. It returns one on
- * success and zero otherwise. */
+// BIO_socket_nbio sets whether |sock| is non-blocking. It returns one on
+// success and zero otherwise.
int bio_socket_nbio(int sock, int on);
-/* BIO_clear_socket_error clears the last system socket error.
- *
- * TODO(fork): remove all callers of this. */
+// BIO_clear_socket_error clears the last system socket error.
+//
+// TODO(fork): remove all callers of this.
void bio_clear_socket_error(void);
-/* BIO_sock_error returns the last socket error on |sock|. */
+// BIO_sock_error returns the last socket error on |sock|.
int bio_sock_error(int sock);
-/* BIO_fd_should_retry returns non-zero if |return_value| indicates an error
- * and |errno| indicates that it's non-fatal. */
+// BIO_fd_should_retry returns non-zero if |return_value| indicates an error
+// and |errno| indicates that it's non-fatal.
int bio_fd_should_retry(int return_value);
#if defined(__cplusplus)
-} /* extern C */
+} // extern C
#endif
-#endif /* OPENSSL_HEADER_BIO_INTERNAL_H */
+#endif // OPENSSL_HEADER_BIO_INTERNAL_H
diff --git a/src/crypto/bio/pair.c b/src/crypto/bio/pair.c
index 8ba382d..f5057ed 100644
--- a/src/crypto/bio/pair.c
+++ b/src/crypto/bio/pair.c
@@ -63,22 +63,22 @@
struct bio_bio_st {
- BIO *peer; /* NULL if buf == NULL.
- * If peer != NULL, then peer->ptr is also a bio_bio_st,
- * and its "peer" member points back to us.
- * peer != NULL iff init != 0 in the BIO. */
+ BIO *peer; // NULL if buf == NULL.
+ // If peer != NULL, then peer->ptr is also a bio_bio_st,
+ // and its "peer" member points back to us.
+ // peer != NULL iff init != 0 in the BIO.
- /* This is for what we write (i.e. reading uses peer's struct): */
- int closed; /* valid iff peer != NULL */
- size_t len; /* valid iff buf != NULL; 0 if peer == NULL */
- size_t offset; /* valid iff buf != NULL; 0 if len == 0 */
+ // This is for what we write (i.e. reading uses peer's struct):
+ int closed; // valid iff peer != NULL
+ size_t len; // valid iff buf != NULL; 0 if peer == NULL
+ size_t offset; // valid iff buf != NULL; 0 if len == 0
size_t size;
- uint8_t *buf; /* "size" elements (if != NULL) */
+ uint8_t *buf; // "size" elements (if != NULL)
- size_t request; /* valid iff peer != NULL; 0 if len != 0,
- * otherwise set by peer to number of bytes
- * it (unsuccessfully) tried to read,
- * never more than buffer space (size-len) warrants. */
+ size_t request; // valid iff peer != NULL; 0 if len != 0,
+ // otherwise set by peer to number of bytes
+ // it (unsuccessfully) tried to read,
+ // never more than buffer space (size-len) warrants.
};
static int bio_new(BIO *bio) {
@@ -90,7 +90,7 @@
}
OPENSSL_memset(b, 0, sizeof(struct bio_bio_st));
- b->size = 17 * 1024; /* enough for one TLS record (just a default) */
+ b->size = 17 * 1024; // enough for one TLS record (just a default)
bio->ptr = b;
return 1;
}
@@ -165,7 +165,7 @@
assert(peer_b != NULL);
assert(peer_b->buf != NULL);
- peer_b->request = 0; /* will be set in "retry_read" situation */
+ peer_b->request = 0; // will be set in "retry_read" situation
if (buf == NULL || size == 0) {
return 0;
@@ -173,30 +173,30 @@
if (peer_b->len == 0) {
if (peer_b->closed) {
- return 0; /* writer has closed, and no data is left */
+ return 0; // writer has closed, and no data is left
} else {
- BIO_set_retry_read(bio); /* buffer is empty */
+ BIO_set_retry_read(bio); // buffer is empty
if (size <= peer_b->size) {
peer_b->request = size;
} else {
- /* don't ask for more than the peer can
- * deliver in one write */
+ // don't ask for more than the peer can
+ // deliver in one write
peer_b->request = peer_b->size;
}
return -1;
}
}
- /* we can read */
+ // we can read
if (peer_b->len < size) {
size = peer_b->len;
}
- /* now read "size" bytes */
+ // now read "size" bytes
rest = size;
assert(rest > 0);
- /* one or two iterations */
+ // one or two iterations
do {
size_t chunk;
@@ -204,7 +204,7 @@
if (peer_b->offset + rest <= peer_b->size) {
chunk = rest;
} else {
- /* wrap around ring buffer */
+ // wrap around ring buffer
chunk = peer_b->size - peer_b->offset;
}
assert(peer_b->offset + chunk <= peer_b->size);
@@ -220,7 +220,7 @@
}
buf += chunk;
} else {
- /* buffer now empty, no need to advance "buf" */
+ // buffer now empty, no need to advance "buf"
assert(chunk == rest);
peer_b->offset = 0;
}
@@ -248,7 +248,7 @@
b->request = 0;
if (b->closed) {
- /* we already closed */
+ // we already closed
OPENSSL_PUT_ERROR(BIO, BIO_R_BROKEN_PIPE);
return -1;
}
@@ -256,20 +256,20 @@
assert(b->len <= b->size);
if (b->len == b->size) {
- BIO_set_retry_write(bio); /* buffer is full */
+ BIO_set_retry_write(bio); // buffer is full
return -1;
}
- /* we can write */
+ // we can write
if (num > b->size - b->len) {
num = b->size - b->len;
}
- /* now write "num" bytes */
+ // now write "num" bytes
rest = num;
assert(rest > 0);
- /* one or two iterations */
+ // one or two iterations
do {
size_t write_offset;
size_t chunk;
@@ -280,12 +280,12 @@
if (write_offset >= b->size) {
write_offset -= b->size;
}
- /* b->buf[write_offset] is the first byte we can write to. */
+ // b->buf[write_offset] is the first byte we can write to.
if (write_offset + rest <= b->size) {
chunk = rest;
} else {
- /* wrap around ring buffer */
+ // wrap around ring buffer
chunk = b->size - write_offset;
}
@@ -363,15 +363,15 @@
assert(b != NULL);
switch (cmd) {
- /* specific CTRL codes */
+ // specific CTRL codes
case BIO_C_GET_WRITE_BUF_SIZE:
ret = (long)b->size;
break;
case BIO_C_GET_WRITE_GUARANTEE:
- /* How many bytes can the caller feed to the next write
- * without having to keep any? */
+ // How many bytes can the caller feed to the next write
+ // without having to keep any?
if (b->peer == NULL || b->closed) {
ret = 0;
} else {
@@ -380,28 +380,28 @@
break;
case BIO_C_GET_READ_REQUEST:
- /* If the peer unsuccessfully tried to read, how many bytes
- * were requested? (As with BIO_CTRL_PENDING, that number
- * can usually be treated as boolean.) */
+ // If the peer unsuccessfully tried to read, how many bytes
+ // were requested? (As with BIO_CTRL_PENDING, that number
+ // can usually be treated as boolean.)
ret = (long)b->request;
break;
case BIO_C_RESET_READ_REQUEST:
- /* Reset request. (Can be useful after read attempts
- * at the other side that are meant to be non-blocking,
- * e.g. when probing SSL_read to see if any data is
- * available.) */
+ // Reset request. (Can be useful after read attempts
+ // at the other side that are meant to be non-blocking,
+ // e.g. when probing SSL_read to see if any data is
+ // available.)
b->request = 0;
ret = 1;
break;
case BIO_C_SHUTDOWN_WR:
- /* similar to shutdown(..., SHUT_WR) */
+ // similar to shutdown(..., SHUT_WR)
b->closed = 1;
ret = 1;
break;
- /* standard CTRL codes follow */
+ // standard CTRL codes follow
case BIO_CTRL_GET_CLOSE:
ret = bio->shutdown;
@@ -453,7 +453,7 @@
static const BIO_METHOD methods_biop = {
BIO_TYPE_BIO, "BIO pair", bio_write, bio_read, NULL /* puts */,
- NULL /* gets */, bio_ctrl, bio_new, bio_free, NULL /* callback_ctrl */
+ NULL /* gets */, bio_ctrl, bio_new, bio_free, NULL /* callback_ctrl */,
};
static const BIO_METHOD *bio_s_bio(void) { return &methods_biop; }
diff --git a/src/crypto/bio/printf.c b/src/crypto/bio/printf.c
index 3709fcb..28162e6 100644
--- a/src/crypto/bio/printf.c
+++ b/src/crypto/bio/printf.c
@@ -55,7 +55,7 @@
* [including the GNU Public Licence.] */
#if !defined(_POSIX_C_SOURCE)
-#define _POSIX_C_SOURCE 201410L /* for snprintf, vprintf etc */
+#define _POSIX_C_SOURCE 201410L // for snprintf, vprintf etc
#endif
#include <openssl/bio.h>
@@ -77,13 +77,13 @@
va_end(args);
#if defined(OPENSSL_WINDOWS)
- /* On Windows, vsnprintf returns -1 rather than the requested length on
- * truncation */
+ // On Windows, vsnprintf returns -1 rather than the requested length on
+ // truncation
if (out_len < 0) {
va_start(args, format);
out_len = _vscprintf(format, args);
va_end(args);
- assert(out_len >= sizeof(buf));
+ assert(out_len >= (int)sizeof(buf));
}
#endif
@@ -93,9 +93,9 @@
if ((size_t) out_len >= sizeof(buf)) {
const int requested_len = out_len;
- /* The output was truncated. Note that vsnprintf's return value
- * does not include a trailing NUL, but the buffer must be sized
- * for it. */
+ // The output was truncated. Note that vsnprintf's return value
+ // does not include a trailing NUL, but the buffer must be sized
+ // for it.
out = OPENSSL_malloc(requested_len + 1);
out_malloced = 1;
if (out == NULL) {
diff --git a/src/crypto/bn_extra/bn_asn1.c b/src/crypto/bn_extra/bn_asn1.c
index efb2335..8b939da 100644
--- a/src/crypto/bn_extra/bn_asn1.c
+++ b/src/crypto/bn_extra/bn_asn1.c
@@ -31,7 +31,7 @@
return 0;
}
- /* INTEGERs must be minimal. */
+ // INTEGERs must be minimal.
if (CBS_data(&child)[0] == 0x00 &&
CBS_len(&child) > 1 &&
!(CBS_data(&child)[1] & 0x80)) {
@@ -50,16 +50,16 @@
return 0;
}
- /* This function intentionally does not reject negative numbers or non-minimal
- * encodings. Estonian IDs issued between September 2014 to September 2015 are
- * broken. See https://crbug.com/532048 and https://crbug.com/534766.
- *
- * TODO(davidben): Remove this code and callers in March 2016. */
+ // This function intentionally does not reject negative numbers or non-minimal
+ // encodings. Estonian IDs issued between September 2014 to September 2015 are
+ // broken. See https://crbug.com/532048 and https://crbug.com/534766.
+ //
+ // TODO(davidben): Remove this code and callers in March 2016.
return BN_bin2bn(CBS_data(&child), CBS_len(&child), ret) != NULL;
}
int BN_marshal_asn1(CBB *cbb, const BIGNUM *bn) {
- /* Negative numbers are unsupported. */
+ // Negative numbers are unsupported.
if (BN_is_negative(bn)) {
OPENSSL_PUT_ERROR(BN, BN_R_NEGATIVE_NUMBER);
return 0;
@@ -67,8 +67,8 @@
CBB child;
if (!CBB_add_asn1(cbb, &child, CBS_ASN1_INTEGER) ||
- /* The number must be padded with a leading zero if the high bit would
- * otherwise be set or if |bn| is zero. */
+ // The number must be padded with a leading zero if the high bit would
+ // otherwise be set or if |bn| is zero.
(BN_num_bits(bn) % 8 == 0 && !CBB_add_u8(&child, 0x00)) ||
!BN_bn2cbb_padded(&child, BN_num_bytes(bn), bn) ||
!CBB_flush(cbb)) {
diff --git a/src/crypto/bn_extra/convert.c b/src/crypto/bn_extra/convert.c
index b48a971..6f3a062 100644
--- a/src/crypto/bn_extra/convert.c
+++ b/src/crypto/bn_extra/convert.c
@@ -96,7 +96,7 @@
int z = 0;
for (int i = bn->top - 1; i >= 0; i--) {
for (int j = BN_BITS2 - 8; j >= 0; j -= 8) {
- /* strip leading zeros */
+ // strip leading zeros
int v = ((int)(bn->d[i] >> (long)j)) & 0xff;
if (z || v != 0) {
*(p++) = hextable[v >> 4];
@@ -110,20 +110,20 @@
return buf;
}
-/* decode_hex decodes |in_len| bytes of hex data from |in| and updates |bn|. */
+// decode_hex decodes |in_len| bytes of hex data from |in| and updates |bn|.
static int decode_hex(BIGNUM *bn, const char *in, int in_len) {
if (in_len > INT_MAX/4) {
OPENSSL_PUT_ERROR(BN, BN_R_BIGNUM_TOO_LONG);
return 0;
}
- /* |in_len| is the number of hex digits. */
+ // |in_len| is the number of hex digits.
if (!bn_expand(bn, in_len * 4)) {
return 0;
}
int i = 0;
while (in_len > 0) {
- /* Decode one |BN_ULONG| at a time. */
+ // Decode one |BN_ULONG| at a time.
int todo = BN_BYTES * 2;
if (todo > in_len) {
todo = in_len;
@@ -143,7 +143,7 @@
hex = c - 'A' + 10;
} else {
hex = 0;
- /* This shouldn't happen. The caller checks |isxdigit|. */
+ // This shouldn't happen. The caller checks |isxdigit|.
assert(0);
}
word = (word << 4) | hex;
@@ -157,12 +157,12 @@
return 1;
}
-/* decode_dec decodes |in_len| bytes of decimal data from |in| and updates |bn|. */
+// decode_dec decodes |in_len| bytes of decimal data from |in| and updates |bn|.
static int decode_dec(BIGNUM *bn, const char *in, int in_len) {
int i, j;
BN_ULONG l = 0;
- /* Decode |BN_DEC_NUM| digits at a time. */
+ // Decode |BN_DEC_NUM| digits at a time.
j = BN_DEC_NUM - (in_len % BN_DEC_NUM);
if (j == BN_DEC_NUM) {
j = 0;
@@ -207,7 +207,7 @@
return num;
}
- /* in is the start of the hex digits, and it is 'i' long */
+ // in is the start of the hex digits, and it is 'i' long
if (*outp == NULL) {
ret = BN_new();
if (ret == NULL) {
@@ -243,8 +243,8 @@
}
char *BN_bn2dec(const BIGNUM *a) {
- /* It is easier to print strings little-endian, so we assemble it in reverse
- * and fix at the end. */
+ // It is easier to print strings little-endian, so we assemble it in reverse
+ // and fix at the end.
BIGNUM *copy = NULL;
CBB cbb;
if (!CBB_init(&cbb, 16) ||
@@ -290,7 +290,7 @@
goto cbb_err;
}
- /* Reverse the buffer. */
+ // Reverse the buffer.
for (size_t i = 0; i < len/2; i++) {
uint8_t tmp = data[i];
data[i] = data[len - 1 - i];
@@ -349,7 +349,7 @@
for (i = a->top - 1; i >= 0; i--) {
for (j = BN_BITS2 - 4; j >= 0; j -= 4) {
- /* strip leading zeros */
+ // strip leading zeros
v = ((int)(a->d[i] >> (long)j)) & 0x0f;
if (z || v != 0) {
if (BIO_write(bp, &hextable[v], 1) != 1) {
@@ -384,8 +384,8 @@
size_t BN_bn2mpi(const BIGNUM *in, uint8_t *out) {
const size_t bits = BN_num_bits(in);
const size_t bytes = (bits + 7) / 8;
- /* If the number of bits is a multiple of 8, i.e. if the MSB is set,
- * prefix with a zero byte. */
+ // If the number of bits is a multiple of 8, i.e. if the MSB is set,
+ // prefix with a zero byte.
int extend = 0;
if (bytes != 0 && (bits & 0x07) == 0) {
extend = 1;
@@ -395,8 +395,8 @@
if (len < bytes ||
4 + len < len ||
(len & 0xffffffff) != len) {
- /* If we cannot represent the number then we emit zero as the interface
- * doesn't allow an error to be signalled. */
+ // If we cannot represent the number then we emit zero as the interface
+ // doesn't allow an error to be signalled.
if (out) {
OPENSSL_memset(out, 0, 4);
}
diff --git a/src/crypto/buf/buf.c b/src/crypto/buf/buf.c
index f1fcae6..1305c58 100644
--- a/src/crypto/buf/buf.c
+++ b/src/crypto/buf/buf.c
@@ -97,14 +97,14 @@
size_t n = cap + 3;
if (n < cap) {
- /* overflow */
+ // overflow
OPENSSL_PUT_ERROR(BUF, ERR_R_MALLOC_FAILURE);
return 0;
}
n = n / 3;
size_t alloc_size = n * 4;
if (alloc_size / 4 != n) {
- /* overflow */
+ // overflow
OPENSSL_PUT_ERROR(BUF, ERR_R_MALLOC_FAILURE);
return 0;
}
@@ -185,7 +185,7 @@
alloc_size = size + 1;
if (alloc_size < size) {
- /* overflow */
+ // overflow
OPENSSL_PUT_ERROR(BUF, ERR_R_MALLOC_FAILURE);
return NULL;
}
diff --git a/src/crypto/bytestring/ber.c b/src/crypto/bytestring/ber.c
index 54bac59..4dc94f6 100644
--- a/src/crypto/bytestring/ber.c
+++ b/src/crypto/bytestring/ber.c
@@ -21,13 +21,13 @@
#include "../internal.h"
-/* kMaxDepth is a just a sanity limit. The code should be such that the length
- * of the input being processes always decreases. None the less, a very large
- * input could otherwise cause the stack to overflow. */
+// kMaxDepth is a just a sanity limit. The code should be such that the length
+// of the input being processes always decreases. None the less, a very large
+// input could otherwise cause the stack to overflow.
static const unsigned kMaxDepth = 2048;
-/* is_string_type returns one if |tag| is a string type and zero otherwise. It
- * ignores the constructed bit. */
+// is_string_type returns one if |tag| is a string type and zero otherwise. It
+// ignores the constructed bit.
static int is_string_type(unsigned tag) {
if ((tag & 0xc0) != 0) {
return 0;
@@ -52,10 +52,10 @@
}
}
-/* cbs_find_ber walks an ASN.1 structure in |orig_in| and sets |*ber_found|
- * depending on whether an indefinite length element or constructed string was
- * found. The value of |orig_in| is not changed. It returns one on success (i.e.
- * |*ber_found| was set) and zero on error. */
+// cbs_find_ber walks an ASN.1 structure in |orig_in| and sets |*ber_found|
+// depending on whether an indefinite length element or constructed string was
+// found. The value of |orig_in| is not changed. It returns one on success (i.e.
+// |*ber_found| was set) and zero on error.
static int cbs_find_ber(const CBS *orig_in, char *ber_found, unsigned depth) {
CBS in;
@@ -77,13 +77,13 @@
if (CBS_len(&contents) == header_len &&
header_len > 0 &&
CBS_data(&contents)[header_len-1] == 0x80) {
- /* Found an indefinite-length element. */
+ // Found an indefinite-length element.
*ber_found = 1;
return 1;
}
if (tag & CBS_ASN1_CONSTRUCTED) {
if (is_string_type(tag)) {
- /* Constructed strings are only legal in BER and require conversion. */
+ // Constructed strings are only legal in BER and require conversion.
*ber_found = 1;
return 1;
}
@@ -97,20 +97,20 @@
return 1;
}
-/* is_eoc returns true if |header_len| and |contents|, as returned by
- * |CBS_get_any_ber_asn1_element|, indicate an "end of contents" (EOC) value. */
+// is_eoc returns true if |header_len| and |contents|, as returned by
+// |CBS_get_any_ber_asn1_element|, indicate an "end of contents" (EOC) value.
static char is_eoc(size_t header_len, CBS *contents) {
return header_len == 2 && CBS_len(contents) == 2 &&
OPENSSL_memcmp(CBS_data(contents), "\x00\x00", 2) == 0;
}
-/* cbs_convert_ber reads BER data from |in| and writes DER data to |out|. If
- * |string_tag| is non-zero, then all elements must match |string_tag| up to the
- * constructed bit and primitive element bodies are written to |out| without
- * element headers. This is used when concatenating the fragments of a
- * constructed string. If |looking_for_eoc| is set then any EOC elements found
- * will cause the function to return after consuming it. It returns one on
- * success and zero on error. */
+// cbs_convert_ber reads BER data from |in| and writes DER data to |out|. If
+// |string_tag| is non-zero, then all elements must match |string_tag| up to the
+// constructed bit and primitive element bodies are written to |out| without
+// element headers. This is used when concatenating the fragments of a
+// constructed string. If |looking_for_eoc| is set then any EOC elements found
+// will cause the function to return after consuming it. It returns one on
+// success and zero on error.
static int cbs_convert_ber(CBS *in, CBB *out, unsigned string_tag,
char looking_for_eoc, unsigned depth) {
assert(!(string_tag & CBS_ASN1_CONSTRUCTED));
@@ -134,9 +134,9 @@
}
if (string_tag != 0) {
- /* This is part of a constructed string. All elements must match
- * |string_tag| up to the constructed bit and get appended to |out|
- * without a child element. */
+ // This is part of a constructed string. All elements must match
+ // |string_tag| up to the constructed bit and get appended to |out|
+ // without a child element.
if ((tag & ~CBS_ASN1_CONSTRUCTED) != string_tag) {
return 0;
}
@@ -144,8 +144,8 @@
} else {
unsigned out_tag = tag;
if ((tag & CBS_ASN1_CONSTRUCTED) && is_string_type(tag)) {
- /* If a constructed string, clear the constructed bit and inform
- * children to concatenate bodies. */
+ // If a constructed string, clear the constructed bit and inform
+ // children to concatenate bodies.
out_tag &= ~CBS_ASN1_CONSTRUCTED;
child_string_tag = out_tag;
}
@@ -157,7 +157,7 @@
if (CBS_len(&contents) == header_len && header_len > 0 &&
CBS_data(&contents)[header_len - 1] == 0x80) {
- /* This is an indefinite length element. */
+ // This is an indefinite length element.
if (!cbs_convert_ber(in, out_contents, child_string_tag,
1 /* looking for eoc */, depth + 1) ||
!CBB_flush(out)) {
@@ -171,13 +171,13 @@
}
if (tag & CBS_ASN1_CONSTRUCTED) {
- /* Recurse into children. */
+ // Recurse into children.
if (!cbs_convert_ber(&contents, out_contents, child_string_tag,
0 /* not looking for eoc */, depth + 1)) {
return 0;
}
} else {
- /* Copy primitive contents as-is. */
+ // Copy primitive contents as-is.
if (!CBB_add_bytes(out_contents, CBS_data(&contents),
CBS_len(&contents))) {
return 0;
@@ -195,8 +195,8 @@
int CBS_asn1_ber_to_der(CBS *in, uint8_t **out, size_t *out_len) {
CBB cbb;
- /* First, do a quick walk to find any indefinite-length elements. Most of the
- * time we hope that there aren't any and thus we can quickly return. */
+ // First, do a quick walk to find any indefinite-length elements. Most of the
+ // time we hope that there aren't any and thus we can quickly return.
char conversion_needed;
if (!cbs_find_ber(in, &conversion_needed, 0)) {
return 0;
@@ -225,14 +225,14 @@
assert(is_string_type(inner_tag));
if (CBS_peek_asn1_tag(in, outer_tag)) {
- /* Normal implicitly-tagged string. */
+ // Normal implicitly-tagged string.
*out_storage = NULL;
return CBS_get_asn1(in, out, outer_tag);
}
- /* Otherwise, try to parse an implicitly-tagged constructed string.
- * |CBS_asn1_ber_to_der| is assumed to have run, so only allow one level deep
- * of nesting. */
+ // Otherwise, try to parse an implicitly-tagged constructed string.
+ // |CBS_asn1_ber_to_der| is assumed to have run, so only allow one level deep
+ // of nesting.
CBB result;
CBS child;
if (!CBB_init(&result, CBS_len(in)) ||
diff --git a/src/crypto/bytestring/cbb.c b/src/crypto/bytestring/cbb.c
index 14116be..5576fa9 100644
--- a/src/crypto/bytestring/cbb.c
+++ b/src/crypto/bytestring/cbb.c
@@ -27,7 +27,7 @@
}
static int cbb_init(CBB *cbb, uint8_t *buf, size_t cap) {
- /* This assumes that |cbb| has already been zeroed. */
+ // This assumes that |cbb| has already been zeroed.
struct cbb_buffer_st *base;
base = OPENSSL_malloc(sizeof(struct cbb_buffer_st));
@@ -75,8 +75,8 @@
void CBB_cleanup(CBB *cbb) {
if (cbb->base) {
- /* Only top-level |CBB|s are cleaned up. Child |CBB|s are non-owning. They
- * are implicitly discarded when the parent is flushed or cleaned up. */
+ // Only top-level |CBB|s are cleaned up. Child |CBB|s are non-owning. They
+ // are implicitly discarded when the parent is flushed or cleaned up.
assert(cbb->is_top_level);
if (cbb->base->can_resize) {
@@ -97,7 +97,7 @@
newlen = base->len + len;
if (newlen < base->len) {
- /* Overflow */
+ // Overflow
goto err;
}
@@ -137,7 +137,7 @@
if (!cbb_buffer_reserve(base, out, len)) {
return 0;
}
- /* This will not overflow or |cbb_buffer_reserve| would have failed. */
+ // This will not overflow or |cbb_buffer_reserve| would have failed.
base->len += len;
return 1;
}
@@ -176,7 +176,7 @@
}
if (cbb->base->can_resize && (out_data == NULL || out_len == NULL)) {
- /* |out_data| and |out_len| can only be NULL if the CBB is fixed. */
+ // |out_data| and |out_len| can only be NULL if the CBB is fixed.
return 0;
}
@@ -191,15 +191,15 @@
return 1;
}
-/* CBB_flush recurses and then writes out any pending length prefix. The
- * current length of the underlying base is taken to be the length of the
- * length-prefixed data. */
+// CBB_flush recurses and then writes out any pending length prefix. The
+// current length of the underlying base is taken to be the length of the
+// length-prefixed data.
int CBB_flush(CBB *cbb) {
size_t child_start, i, len;
- /* If |cbb->base| has hit an error, the buffer is in an undefined state, so
- * fail all following calls. In particular, |cbb->child| may point to invalid
- * memory. */
+ // If |cbb->base| has hit an error, the buffer is in an undefined state, so
+ // fail all following calls. In particular, |cbb->child| may point to invalid
+ // memory.
if (cbb->base == NULL || cbb->base->error) {
return 0;
}
@@ -219,16 +219,16 @@
len = cbb->base->len - child_start;
if (cbb->child->pending_is_asn1) {
- /* For ASN.1 we assume that we'll only need a single byte for the length.
- * If that turned out to be incorrect, we have to move the contents along
- * in order to make space. */
+ // For ASN.1 we assume that we'll only need a single byte for the length.
+ // If that turned out to be incorrect, we have to move the contents along
+ // in order to make space.
uint8_t len_len;
uint8_t initial_length_byte;
assert (cbb->child->pending_len_len == 1);
if (len > 0xfffffffe) {
- /* Too large. */
+ // Too large.
goto err;
} else if (len > 0xffffff) {
len_len = 5;
@@ -249,7 +249,7 @@
}
if (len_len != 1) {
- /* We need to move the contents along in order to make space. */
+ // We need to move the contents along in order to make space.
size_t extra_bytes = len_len - 1;
if (!cbb_buffer_add(cbb->base, NULL, extra_bytes)) {
goto err;
@@ -331,14 +331,14 @@
int CBB_add_asn1(CBB *cbb, CBB *out_contents, unsigned tag) {
if (tag > 0xff ||
(tag & 0x1f) == 0x1f) {
- /* Long form identifier octets are not supported. Further, all current valid
- * tag serializations are 8 bits. */
+ // Long form identifier octets are not supported. Further, all current valid
+ // tag serializations are 8 bits.
cbb->base->error = 1;
return 0;
}
if (!CBB_flush(cbb) ||
- /* |tag|'s representation matches the DER encoding. */
+ // |tag|'s representation matches the DER encoding.
!CBB_add_u8(cbb, (uint8_t)tag)) {
return 0;
}
@@ -451,11 +451,11 @@
uint8_t byte = (value >> 8*(7-i)) & 0xff;
if (!started) {
if (byte == 0) {
- /* Don't encode leading zeros. */
+ // Don't encode leading zeros.
continue;
}
- /* If the high bit is set, add a padding byte to make it
- * unsigned. */
+ // If the high bit is set, add a padding byte to make it
+ // unsigned.
if ((byte & 0x80) && !CBB_add_u8(&child, 0)) {
return 0;
}
@@ -466,7 +466,7 @@
}
}
- /* 0 is encoded as a single 0, not the empty string. */
+ // 0 is encoded as a single 0, not the empty string.
if (!started && !CBB_add_u8(&child, 0)) {
return 0;
}
diff --git a/src/crypto/bytestring/cbs.c b/src/crypto/bytestring/cbs.c
index 8328b7f..ec495d2 100644
--- a/src/crypto/bytestring/cbs.c
+++ b/src/crypto/bytestring/cbs.c
@@ -190,13 +190,13 @@
return 0;
}
- /* ITU-T X.690 section 8.1.2.3 specifies the format for identifiers with a tag
- * number no greater than 30.
- *
- * If the number portion is 31 (0x1f, the largest value that fits in the
- * allotted bits), then the tag is more than one byte long and the
- * continuation bytes contain the tag number. This parser only supports tag
- * numbers less than 31 (and thus single-byte tags). */
+ // ITU-T X.690 section 8.1.2.3 specifies the format for identifiers with a tag
+ // number no greater than 30.
+ //
+ // If the number portion is 31 (0x1f, the largest value that fits in the
+ // allotted bits), then the tag is more than one byte long and the
+ // continuation bytes contain the tag number. This parser only supports tag
+ // numbers less than 31 (and thus single-byte tags).
if ((tag & 0x1f) == 0x1f) {
return 0;
}
@@ -206,52 +206,51 @@
}
size_t len;
- /* The format for the length encoding is specified in ITU-T X.690 section
- * 8.1.3. */
+ // The format for the length encoding is specified in ITU-T X.690 section
+ // 8.1.3.
if ((length_byte & 0x80) == 0) {
- /* Short form length. */
+ // Short form length.
len = ((size_t) length_byte) + 2;
if (out_header_len != NULL) {
*out_header_len = 2;
}
} else {
- /* The high bit indicate that this is the long form, while the next 7 bits
- * encode the number of subsequent octets used to encode the length (ITU-T
- * X.690 clause 8.1.3.5.b). */
+ // The high bit indicate that this is the long form, while the next 7 bits
+ // encode the number of subsequent octets used to encode the length (ITU-T
+ // X.690 clause 8.1.3.5.b).
const size_t num_bytes = length_byte & 0x7f;
uint32_t len32;
if (ber_ok && (tag & CBS_ASN1_CONSTRUCTED) != 0 && num_bytes == 0) {
- /* indefinite length */
+ // indefinite length
if (out_header_len != NULL) {
*out_header_len = 2;
}
return CBS_get_bytes(cbs, out, 2);
}
- /* ITU-T X.690 clause 8.1.3.5.c specifies that the value 0xff shall not be
- * used as the first byte of the length. If this parser encounters that
- * value, num_bytes will be parsed as 127, which will fail the check below.
- */
+ // ITU-T X.690 clause 8.1.3.5.c specifies that the value 0xff shall not be
+ // used as the first byte of the length. If this parser encounters that
+ // value, num_bytes will be parsed as 127, which will fail the check below.
if (num_bytes == 0 || num_bytes > 4) {
return 0;
}
if (!cbs_get_u(&header, &len32, num_bytes)) {
return 0;
}
- /* ITU-T X.690 section 10.1 (DER length forms) requires encoding the length
- * with the minimum number of octets. */
+ // ITU-T X.690 section 10.1 (DER length forms) requires encoding the length
+ // with the minimum number of octets.
if (len32 < 128) {
- /* Length should have used short-form encoding. */
+ // Length should have used short-form encoding.
return 0;
}
if ((len32 >> ((num_bytes-1)*8)) == 0) {
- /* Length should have been at least one byte shorter. */
+ // Length should have been at least one byte shorter.
return 0;
}
len = len32;
if (len + 2 + num_bytes < len) {
- /* Overflow. */
+ // Overflow.
return 0;
}
len += 2 + num_bytes;
@@ -338,23 +337,23 @@
size_t len = CBS_len(&bytes);
if (len == 0) {
- /* An INTEGER is encoded with at least one octet. */
+ // An INTEGER is encoded with at least one octet.
return 0;
}
if ((data[0] & 0x80) != 0) {
- /* Negative number. */
+ // Negative number.
return 0;
}
if (data[0] == 0 && len > 1 && (data[1] & 0x80) == 0) {
- /* Extra leading zeros. */
+ // Extra leading zeros.
return 0;
}
for (size_t i = 0; i < len; i++) {
if ((*out >> 56) != 0) {
- /* Too large to represent as a uint64_t. */
+ // Too large to represent as a uint64_t.
return 0;
}
*out <<= 8;
@@ -462,7 +461,7 @@
return 1;
}
- /* All num_unused_bits bits must exist and be zeros. */
+ // All num_unused_bits bits must exist and be zeros.
uint8_t last;
if (!CBS_get_last_u8(&in, &last) ||
(last & ((1 << num_unused_bits) - 1)) != 0) {
@@ -480,9 +479,9 @@
const unsigned byte_num = (bit >> 3) + 1;
const unsigned bit_num = 7 - (bit & 7);
- /* Unused bits are zero, and this function does not distinguish between
- * missing and unset bits. Thus it is sufficient to do a byte-level length
- * check. */
+ // Unused bits are zero, and this function does not distinguish between
+ // missing and unset bits. Thus it is sufficient to do a byte-level length
+ // check.
return byte_num < CBS_len(cbs) &&
(CBS_data(cbs)[byte_num] & (1 << bit_num)) != 0;
}
diff --git a/src/crypto/bytestring/internal.h b/src/crypto/bytestring/internal.h
index 2fed413..f6ac32c 100644
--- a/src/crypto/bytestring/internal.h
+++ b/src/crypto/bytestring/internal.h
@@ -22,54 +22,54 @@
#endif
-/* CBS_asn1_ber_to_der reads a BER element from |in|. If it finds
- * indefinite-length elements or constructed strings then it converts the BER
- * data to DER and sets |*out| and |*out_length| to describe a malloced buffer
- * containing the DER data. Additionally, |*in| will be advanced over the BER
- * element.
- *
- * If it doesn't find any indefinite-length elements or constructed strings then
- * it sets |*out| to NULL and |*in| is unmodified.
- *
- * This function should successfully process any valid BER input, however it
- * will not convert all of BER's deviations from DER. BER is ambiguous between
- * implicitly-tagged SEQUENCEs of strings and implicitly-tagged constructed
- * strings. Implicitly-tagged strings must be parsed with
- * |CBS_get_ber_implicitly_tagged_string| instead of |CBS_get_asn1|. The caller
- * must also account for BER variations in the contents of a primitive.
- *
- * It returns one on success and zero otherwise. */
+// CBS_asn1_ber_to_der reads a BER element from |in|. If it finds
+// indefinite-length elements or constructed strings then it converts the BER
+// data to DER and sets |*out| and |*out_length| to describe a malloced buffer
+// containing the DER data. Additionally, |*in| will be advanced over the BER
+// element.
+//
+// If it doesn't find any indefinite-length elements or constructed strings then
+// it sets |*out| to NULL and |*in| is unmodified.
+//
+// This function should successfully process any valid BER input, however it
+// will not convert all of BER's deviations from DER. BER is ambiguous between
+// implicitly-tagged SEQUENCEs of strings and implicitly-tagged constructed
+// strings. Implicitly-tagged strings must be parsed with
+// |CBS_get_ber_implicitly_tagged_string| instead of |CBS_get_asn1|. The caller
+// must also account for BER variations in the contents of a primitive.
+//
+// It returns one on success and zero otherwise.
OPENSSL_EXPORT int CBS_asn1_ber_to_der(CBS *in, uint8_t **out, size_t *out_len);
-/* CBS_get_asn1_implicit_string parses a BER string of primitive type
- * |inner_tag| implicitly-tagged with |outer_tag|. It sets |out| to the
- * contents. If concatenation was needed, it sets |*out_storage| to a buffer
- * which the caller must release with |OPENSSL_free|. Otherwise, it sets
- * |*out_storage| to NULL.
- *
- * This function does not parse all of BER. It requires the string be
- * definite-length. Constructed strings are allowed, but all children of the
- * outermost element must be primitive. The caller should use
- * |CBS_asn1_ber_to_der| before running this function.
- *
- * It returns one on success and zero otherwise. */
+// CBS_get_asn1_implicit_string parses a BER string of primitive type
+// |inner_tag| implicitly-tagged with |outer_tag|. It sets |out| to the
+// contents. If concatenation was needed, it sets |*out_storage| to a buffer
+// which the caller must release with |OPENSSL_free|. Otherwise, it sets
+// |*out_storage| to NULL.
+//
+// This function does not parse all of BER. It requires the string be
+// definite-length. Constructed strings are allowed, but all children of the
+// outermost element must be primitive. The caller should use
+// |CBS_asn1_ber_to_der| before running this function.
+//
+// It returns one on success and zero otherwise.
OPENSSL_EXPORT int CBS_get_asn1_implicit_string(CBS *in, CBS *out,
uint8_t **out_storage,
unsigned outer_tag,
unsigned inner_tag);
-/* CBB_finish_i2d calls |CBB_finish| on |cbb| which must have been initialized
- * with |CBB_init|. If |outp| is not NULL then the result is written to |*outp|
- * and |*outp| is advanced just past the output. It returns the number of bytes
- * in the result, whether written or not, or a negative value on error. On
- * error, it calls |CBB_cleanup| on |cbb|.
- *
- * This function may be used to help implement legacy i2d ASN.1 functions. */
+// CBB_finish_i2d calls |CBB_finish| on |cbb| which must have been initialized
+// with |CBB_init|. If |outp| is not NULL then the result is written to |*outp|
+// and |*outp| is advanced just past the output. It returns the number of bytes
+// in the result, whether written or not, or a negative value on error. On
+// error, it calls |CBB_cleanup| on |cbb|.
+//
+// This function may be used to help implement legacy i2d ASN.1 functions.
int CBB_finish_i2d(CBB *cbb, uint8_t **outp);
#if defined(__cplusplus)
-} /* extern C */
+} // extern C
#endif
-#endif /* OPENSSL_HEADER_BYTESTRING_INTERNAL_H */
+#endif // OPENSSL_HEADER_BYTESTRING_INTERNAL_H
diff --git a/src/crypto/chacha/chacha.c b/src/crypto/chacha/chacha.c
index fe32596..646ef7a 100644
--- a/src/crypto/chacha/chacha.c
+++ b/src/crypto/chacha/chacha.c
@@ -12,7 +12,7 @@
* OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN
* CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. */
-/* Adapted from the public domain, estream code by D. Bernstein. */
+// Adapted from the public domain, estream code by D. Bernstein.
#include <openssl/chacha.h>
@@ -32,7 +32,7 @@
(defined(OPENSSL_X86) || defined(OPENSSL_X86_64) || \
defined(OPENSSL_ARM) || defined(OPENSSL_AARCH64))
-/* ChaCha20_ctr32 is defined in asm/chacha-*.pl. */
+// ChaCha20_ctr32 is defined in asm/chacha-*.pl.
void ChaCha20_ctr32(uint8_t *out, const uint8_t *in, size_t in_len,
const uint32_t key[8], const uint32_t counter[4]);
@@ -48,7 +48,7 @@
const uint32_t *key_ptr = (const uint32_t *)key;
#if !defined(OPENSSL_X86) && !defined(OPENSSL_X86_64)
- /* The assembly expects the key to be four-byte aligned. */
+ // The assembly expects the key to be four-byte aligned.
uint32_t key_u32[8];
if ((((uintptr_t)key) & 3) != 0) {
key_u32[0] = U8TO32_LITTLE(key + 0);
@@ -69,7 +69,7 @@
#else
-/* sigma contains the ChaCha constants, which happen to be an ASCII string. */
+// sigma contains the ChaCha constants, which happen to be an ASCII string.
static const uint8_t sigma[16] = { 'e', 'x', 'p', 'a', 'n', 'd', ' ', '3',
'2', '-', 'b', 'y', 't', 'e', ' ', 'k' };
@@ -83,15 +83,15 @@
(p)[3] = (v >> 24) & 0xff; \
}
-/* QUARTERROUND updates a, b, c, d with a ChaCha "quarter" round. */
+// QUARTERROUND updates a, b, c, d with a ChaCha "quarter" round.
#define QUARTERROUND(a, b, c, d) \
x[a] += x[b]; x[d] = ROTATE(x[d] ^ x[a], 16); \
x[c] += x[d]; x[b] = ROTATE(x[b] ^ x[c], 12); \
x[a] += x[b]; x[d] = ROTATE(x[d] ^ x[a], 8); \
x[c] += x[d]; x[b] = ROTATE(x[b] ^ x[c], 7);
-/* chacha_core performs 20 rounds of ChaCha on the input words in
- * |input| and writes the 64 output bytes to |output|. */
+// chacha_core performs 20 rounds of ChaCha on the input words in
+// |input| and writes the 64 output bytes to |output|.
static void chacha_core(uint8_t output[64], const uint32_t input[16]) {
uint32_t x[16];
int i;
diff --git a/src/crypto/cipher_extra/aead_test.cc b/src/crypto/cipher_extra/aead_test.cc
index a699890..a40d673 100644
--- a/src/crypto/cipher_extra/aead_test.cc
+++ b/src/crypto/cipher_extra/aead_test.cc
@@ -393,14 +393,14 @@
9999 /* a silly tag length to trigger an error */, NULL /* ENGINE */));
ERR_clear_error();
- /* Running a second, failed _init should not cause a memory leak. */
+ // Running a second, failed _init should not cause a memory leak.
ASSERT_FALSE(EVP_AEAD_CTX_init(
&ctx, aead(), key, key_len,
9999 /* a silly tag length to trigger an error */, NULL /* ENGINE */));
ERR_clear_error();
- /* Calling _cleanup on an |EVP_AEAD_CTX| after a failed _init should be a
- * no-op. */
+ // Calling _cleanup on an |EVP_AEAD_CTX| after a failed _init should be a
+ // no-op.
EVP_AEAD_CTX_cleanup(&ctx);
}
diff --git a/src/crypto/cipher_extra/e_aesctrhmac.c b/src/crypto/cipher_extra/e_aesctrhmac.c
index 3034b8f..9c357f4 100644
--- a/src/crypto/cipher_extra/e_aesctrhmac.c
+++ b/src/crypto/cipher_extra/e_aesctrhmac.c
@@ -66,13 +66,13 @@
if (key_len < hmac_key_len) {
OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_BAD_KEY_LENGTH);
- return 0; /* EVP_AEAD_CTX_init should catch this. */
+ return 0; // EVP_AEAD_CTX_init should catch this.
}
const size_t aes_key_len = key_len - hmac_key_len;
if (aes_key_len != 16 && aes_key_len != 32) {
OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_BAD_KEY_LENGTH);
- return 0; /* EVP_AEAD_CTX_init should catch this. */
+ return 0; // EVP_AEAD_CTX_init should catch this.
}
if (tag_len == EVP_AEAD_DEFAULT_TAG_LENGTH) {
@@ -131,7 +131,7 @@
SHA256_Update(&sha256, nonce, EVP_AEAD_AES_CTR_HMAC_SHA256_NONCE_LEN);
SHA256_Update(&sha256, ad, ad_len);
- /* Pad with zeros to the end of the SHA-256 block. */
+ // Pad with zeros to the end of the SHA-256 block.
const unsigned num_padding =
(SHA256_CBLOCK - ((sizeof(uint64_t)*2 +
EVP_AEAD_AES_CTR_HMAC_SHA256_NONCE_LEN + ad_len) %
@@ -154,8 +154,8 @@
static void aead_aes_ctr_hmac_sha256_crypt(
const struct aead_aes_ctr_hmac_sha256_ctx *aes_ctx, uint8_t *out,
const uint8_t *in, size_t len, const uint8_t *nonce) {
- /* Since the AEAD operation is one-shot, keeping a buffer of unused keystream
- * bytes is pointless. However, |CRYPTO_ctr128_encrypt| requires it. */
+ // Since the AEAD operation is one-shot, keeping a buffer of unused keystream
+ // bytes is pointless. However, |CRYPTO_ctr128_encrypt| requires it.
uint8_t partial_block_buffer[AES_BLOCK_SIZE];
unsigned partial_block_offset = 0;
OPENSSL_memset(partial_block_buffer, 0, sizeof(partial_block_buffer));
@@ -184,7 +184,7 @@
const uint64_t in_len_64 = in_len;
if (in_len_64 >= (UINT64_C(1) << 32) * AES_BLOCK_SIZE) {
- /* This input is so large it would overflow the 32-bit block counter. */
+ // This input is so large it would overflow the 32-bit block counter.
OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_TOO_LARGE);
return 0;
}
@@ -242,10 +242,10 @@
static const EVP_AEAD aead_aes_128_ctr_hmac_sha256 = {
16 /* AES key */ + 32 /* HMAC key */,
- 12, /* nonce length */
- EVP_AEAD_AES_CTR_HMAC_SHA256_TAG_LEN, /* overhead */
- EVP_AEAD_AES_CTR_HMAC_SHA256_TAG_LEN, /* max tag length */
- 0, /* seal_scatter_supports_extra_in */
+ 12, // nonce length
+ EVP_AEAD_AES_CTR_HMAC_SHA256_TAG_LEN, // overhead
+ EVP_AEAD_AES_CTR_HMAC_SHA256_TAG_LEN, // max tag length
+ 0, // seal_scatter_supports_extra_in
aead_aes_ctr_hmac_sha256_init,
NULL /* init_with_direction */,
@@ -259,10 +259,10 @@
static const EVP_AEAD aead_aes_256_ctr_hmac_sha256 = {
32 /* AES key */ + 32 /* HMAC key */,
- 12, /* nonce length */
- EVP_AEAD_AES_CTR_HMAC_SHA256_TAG_LEN, /* overhead */
- EVP_AEAD_AES_CTR_HMAC_SHA256_TAG_LEN, /* max tag length */
- 0, /* seal_scatter_supports_extra_in */
+ 12, // nonce length
+ EVP_AEAD_AES_CTR_HMAC_SHA256_TAG_LEN, // overhead
+ EVP_AEAD_AES_CTR_HMAC_SHA256_TAG_LEN, // max tag length
+ 0, // seal_scatter_supports_extra_in
aead_aes_ctr_hmac_sha256_init,
NULL /* init_with_direction */,
diff --git a/src/crypto/cipher_extra/e_aesgcmsiv.c b/src/crypto/cipher_extra/e_aesgcmsiv.c
index 6adcf17..8c6589d 100644
--- a/src/crypto/cipher_extra/e_aesgcmsiv.c
+++ b/src/crypto/cipher_extra/e_aesgcmsiv.c
@@ -29,20 +29,20 @@
#if defined(OPENSSL_X86_64) && !defined(OPENSSL_NO_ASM)
-/* Optimised AES-GCM-SIV */
+// Optimised AES-GCM-SIV
struct aead_aes_gcm_siv_asm_ctx {
alignas(16) uint8_t key[16*15];
int is_128_bit;
};
-/* aes128gcmsiv_aes_ks writes an AES-128 key schedule for |key| to
- * |out_expanded_key|. */
+// aes128gcmsiv_aes_ks writes an AES-128 key schedule for |key| to
+// |out_expanded_key|.
extern void aes128gcmsiv_aes_ks(
const uint8_t key[16], uint8_t out_expanded_key[16*15]);
-/* aes128gcmsiv_aes_ks writes an AES-128 key schedule for |key| to
- * |out_expanded_key|. */
+// aes128gcmsiv_aes_ks writes an AES-128 key schedule for |key| to
+// |out_expanded_key|.
extern void aes256gcmsiv_aes_ks(
const uint8_t key[16], uint8_t out_expanded_key[16*15]);
@@ -52,7 +52,7 @@
if (key_bits != 128 && key_bits != 256) {
OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_BAD_KEY_LENGTH);
- return 0; /* EVP_AEAD_CTX_init should catch this. */
+ return 0; // EVP_AEAD_CTX_init should catch this.
}
if (tag_len == EVP_AEAD_DEFAULT_TAG_LENGTH) {
@@ -70,7 +70,7 @@
return 0;
}
- /* malloc should return a 16-byte-aligned address. */
+ // malloc should return a 16-byte-aligned address.
assert((((uintptr_t)gcm_siv_ctx) & 15) == 0);
if (key_bits == 128) {
@@ -92,123 +92,123 @@
OPENSSL_free(gcm_siv_asm_ctx);
}
-/* aesgcmsiv_polyval_horner updates the POLYVAL value in |in_out_poly| to
- * include a number (|in_blocks|) of 16-byte blocks of data from |in|, given
- * the POLYVAL key in |key|. */
+// aesgcmsiv_polyval_horner updates the POLYVAL value in |in_out_poly| to
+// include a number (|in_blocks|) of 16-byte blocks of data from |in|, given
+// the POLYVAL key in |key|.
extern void aesgcmsiv_polyval_horner(const uint8_t in_out_poly[16],
const uint8_t key[16], const uint8_t *in,
size_t in_blocks);
-/* aesgcmsiv_htable_init writes powers 1..8 of |auth_key| to |out_htable|. */
+// aesgcmsiv_htable_init writes powers 1..8 of |auth_key| to |out_htable|.
extern void aesgcmsiv_htable_init(uint8_t out_htable[16 * 8],
const uint8_t auth_key[16]);
-/* aesgcmsiv_htable6_init writes powers 1..6 of |auth_key| to |out_htable|. */
+// aesgcmsiv_htable6_init writes powers 1..6 of |auth_key| to |out_htable|.
extern void aesgcmsiv_htable6_init(uint8_t out_htable[16 * 6],
const uint8_t auth_key[16]);
-/* aesgcmsiv_htable_polyval updates the POLYVAL value in |in_out_poly| to
- * include |in_len| bytes of data from |in|. (Where |in_len| must be a multiple
- * of 16.) It uses the precomputed powers of the key given in |htable|. */
+// aesgcmsiv_htable_polyval updates the POLYVAL value in |in_out_poly| to
+// include |in_len| bytes of data from |in|. (Where |in_len| must be a multiple
+// of 16.) It uses the precomputed powers of the key given in |htable|.
extern void aesgcmsiv_htable_polyval(const uint8_t htable[16 * 8],
const uint8_t *in, size_t in_len,
uint8_t in_out_poly[16]);
-/* aes128gcmsiv_dec decrypts |in_len| & ~15 bytes from |out| and writes them to
- * |in|. (The full value of |in_len| is still used to find the authentication
- * tag appended to the ciphertext, however, so must not be pre-masked.)
- *
- * |in| and |out| may be equal, but must not otherwise overlap.
- *
- * While decrypting, it updates the POLYVAL value found at the beginning of
- * |in_out_calculated_tag_and_scratch| and writes the updated value back before
- * return. During executation, it may use the whole of this space for other
- * purposes. In order to decrypt and update the POLYVAL value, it uses the
- * expanded key from |key| and the table of powers in |htable|. */
+// aes128gcmsiv_dec decrypts |in_len| & ~15 bytes from |out| and writes them to
+// |in|. (The full value of |in_len| is still used to find the authentication
+// tag appended to the ciphertext, however, so must not be pre-masked.)
+//
+// |in| and |out| may be equal, but must not otherwise overlap.
+//
+// While decrypting, it updates the POLYVAL value found at the beginning of
+// |in_out_calculated_tag_and_scratch| and writes the updated value back before
+// return. During executation, it may use the whole of this space for other
+// purposes. In order to decrypt and update the POLYVAL value, it uses the
+// expanded key from |key| and the table of powers in |htable|.
extern void aes128gcmsiv_dec(const uint8_t *in, uint8_t *out,
uint8_t in_out_calculated_tag_and_scratch[16 * 8],
const uint8_t htable[16 * 6],
const struct aead_aes_gcm_siv_asm_ctx *key,
size_t in_len);
-/* aes256gcmsiv_dec acts like |aes128gcmsiv_dec|, but for AES-256. */
+// aes256gcmsiv_dec acts like |aes128gcmsiv_dec|, but for AES-256.
extern void aes256gcmsiv_dec(const uint8_t *in, uint8_t *out,
uint8_t in_out_calculated_tag_and_scratch[16 * 8],
const uint8_t htable[16 * 6],
const struct aead_aes_gcm_siv_asm_ctx *key,
size_t in_len);
-/* aes128gcmsiv_kdf performs the AES-GCM-SIV KDF given the expanded key from
- * |key_schedule| and the nonce in |nonce|. Note that, while only 12 bytes of
- * the nonce are used, 16 bytes are read and so the value must be
- * right-padded. */
+// aes128gcmsiv_kdf performs the AES-GCM-SIV KDF given the expanded key from
+// |key_schedule| and the nonce in |nonce|. Note that, while only 12 bytes of
+// the nonce are used, 16 bytes are read and so the value must be
+// right-padded.
extern void aes128gcmsiv_kdf(const uint8_t nonce[16],
uint64_t out_key_material[8],
const uint8_t *key_schedule);
-/* aes256gcmsiv_kdf acts like |aes128gcmsiv_kdf|, but for AES-256. */
+// aes256gcmsiv_kdf acts like |aes128gcmsiv_kdf|, but for AES-256.
extern void aes256gcmsiv_kdf(const uint8_t nonce[16],
uint64_t out_key_material[12],
const uint8_t *key_schedule);
-/* aes128gcmsiv_aes_ks_enc_x1 performs a key expansion of the AES-128 key in
- * |key|, writes the expanded key to |out_expanded_key| and encrypts a single
- * block from |in| to |out|. */
+// aes128gcmsiv_aes_ks_enc_x1 performs a key expansion of the AES-128 key in
+// |key|, writes the expanded key to |out_expanded_key| and encrypts a single
+// block from |in| to |out|.
extern void aes128gcmsiv_aes_ks_enc_x1(const uint8_t in[16], uint8_t out[16],
uint8_t out_expanded_key[16 * 15],
const uint64_t key[2]);
-/* aes256gcmsiv_aes_ks_enc_x1 acts like |aes128gcmsiv_aes_ks_enc_x1|, but for
- * AES-256. */
+// aes256gcmsiv_aes_ks_enc_x1 acts like |aes128gcmsiv_aes_ks_enc_x1|, but for
+// AES-256.
extern void aes256gcmsiv_aes_ks_enc_x1(const uint8_t in[16], uint8_t out[16],
uint8_t out_expanded_key[16 * 15],
const uint64_t key[4]);
-/* aes128gcmsiv_ecb_enc_block encrypts a single block from |in| to |out| using
- * the expanded key in |expanded_key|. */
+// aes128gcmsiv_ecb_enc_block encrypts a single block from |in| to |out| using
+// the expanded key in |expanded_key|.
extern void aes128gcmsiv_ecb_enc_block(
const uint8_t in[16], uint8_t out[16],
const struct aead_aes_gcm_siv_asm_ctx *expanded_key);
-/* aes256gcmsiv_ecb_enc_block acts like |aes128gcmsiv_ecb_enc_block|, but for
- * AES-256. */
+// aes256gcmsiv_ecb_enc_block acts like |aes128gcmsiv_ecb_enc_block|, but for
+// AES-256.
extern void aes256gcmsiv_ecb_enc_block(
const uint8_t in[16], uint8_t out[16],
const struct aead_aes_gcm_siv_asm_ctx *expanded_key);
-/* aes128gcmsiv_enc_msg_x4 encrypts |in_len| bytes from |in| to |out| using the
- * expanded key from |key|. (The value of |in_len| must be a multiple of 16.)
- * The |in| and |out| buffers may be equal but must not otherwise overlap. The
- * initial counter is constructed from the given |tag| as required by
- * AES-GCM-SIV. */
+// aes128gcmsiv_enc_msg_x4 encrypts |in_len| bytes from |in| to |out| using the
+// expanded key from |key|. (The value of |in_len| must be a multiple of 16.)
+// The |in| and |out| buffers may be equal but must not otherwise overlap. The
+// initial counter is constructed from the given |tag| as required by
+// AES-GCM-SIV.
extern void aes128gcmsiv_enc_msg_x4(const uint8_t *in, uint8_t *out,
const uint8_t *tag,
const struct aead_aes_gcm_siv_asm_ctx *key,
size_t in_len);
-/* aes256gcmsiv_enc_msg_x4 acts like |aes128gcmsiv_enc_msg_x4|, but for
- * AES-256. */
+// aes256gcmsiv_enc_msg_x4 acts like |aes128gcmsiv_enc_msg_x4|, but for
+// AES-256.
extern void aes256gcmsiv_enc_msg_x4(const uint8_t *in, uint8_t *out,
const uint8_t *tag,
const struct aead_aes_gcm_siv_asm_ctx *key,
size_t in_len);
-/* aes128gcmsiv_enc_msg_x8 acts like |aes128gcmsiv_enc_msg_x4|, but is
- * optimised for longer messages. */
+// aes128gcmsiv_enc_msg_x8 acts like |aes128gcmsiv_enc_msg_x4|, but is
+// optimised for longer messages.
extern void aes128gcmsiv_enc_msg_x8(const uint8_t *in, uint8_t *out,
const uint8_t *tag,
const struct aead_aes_gcm_siv_asm_ctx *key,
size_t in_len);
-/* aes256gcmsiv_enc_msg_x8 acts like |aes256gcmsiv_enc_msg_x4|, but is
- * optimised for longer messages. */
+// aes256gcmsiv_enc_msg_x8 acts like |aes256gcmsiv_enc_msg_x4|, but is
+// optimised for longer messages.
extern void aes256gcmsiv_enc_msg_x8(const uint8_t *in, uint8_t *out,
const uint8_t *tag,
const struct aead_aes_gcm_siv_asm_ctx *key,
size_t in_len);
-/* gcm_siv_asm_polyval evaluates POLYVAL at |auth_key| on the given plaintext
- * and AD. The result is written to |out_tag|. */
+// gcm_siv_asm_polyval evaluates POLYVAL at |auth_key| on the given plaintext
+// and AD. The result is written to |out_tag|.
static void gcm_siv_asm_polyval(uint8_t out_tag[16], const uint8_t *in,
size_t in_len, const uint8_t *ad, size_t ad_len,
const uint8_t auth_key[16],
@@ -268,10 +268,10 @@
out_tag[15] &= 0x7f;
}
-/* aead_aes_gcm_siv_asm_crypt_last_block handles the encryption/decryption
- * (same thing in CTR mode) of the final block of a plaintext/ciphertext. It
- * writes |in_len| & 15 bytes to |out| + |in_len|, based on an initial counter
- * derived from |tag|. */
+// aead_aes_gcm_siv_asm_crypt_last_block handles the encryption/decryption
+// (same thing in CTR mode) of the final block of a plaintext/ciphertext. It
+// writes |in_len| & 15 bytes to |out| + |in_len|, based on an initial counter
+// derived from |tag|.
static void aead_aes_gcm_siv_asm_crypt_last_block(
int is_128_bit, uint8_t *out, const uint8_t *in, size_t in_len,
const uint8_t tag[16],
@@ -299,8 +299,8 @@
}
}
-/* aead_aes_gcm_siv_kdf calculates the record encryption and authentication
- * keys given the |nonce|. */
+// aead_aes_gcm_siv_kdf calculates the record encryption and authentication
+// keys given the |nonce|.
static void aead_aes_gcm_siv_kdf(
int is_128_bit, const struct aead_aes_gcm_siv_asm_ctx *gcm_siv_ctx,
uint64_t out_record_auth_key[2], uint64_t out_record_enc_key[4],
@@ -433,8 +433,8 @@
} else {
aes256gcmsiv_aes_ks((const uint8_t *) record_enc_key, &expanded_key.key[0]);
}
- /* calculated_tag is 16*8 bytes, rather than 16 bytes, because
- * aes[128|256]gcmsiv_dec uses the extra as scratch space. */
+ // calculated_tag is 16*8 bytes, rather than 16 bytes, because
+ // aes[128|256]gcmsiv_dec uses the extra as scratch space.
alignas(16) uint8_t calculated_tag[16 * 8] = {0};
OPENSSL_memset(calculated_tag, 0, EVP_AEAD_AES_GCM_SIV_TAG_LEN);
@@ -507,11 +507,11 @@
}
static const EVP_AEAD aead_aes_128_gcm_siv_asm = {
- 16, /* key length */
- EVP_AEAD_AES_GCM_SIV_NONCE_LEN, /* nonce length */
- EVP_AEAD_AES_GCM_SIV_TAG_LEN, /* overhead */
- EVP_AEAD_AES_GCM_SIV_TAG_LEN, /* max tag length */
- 0, /* seal_scatter_supports_extra_in */
+ 16, // key length
+ EVP_AEAD_AES_GCM_SIV_NONCE_LEN, // nonce length
+ EVP_AEAD_AES_GCM_SIV_TAG_LEN, // overhead
+ EVP_AEAD_AES_GCM_SIV_TAG_LEN, // max tag length
+ 0, // seal_scatter_supports_extra_in
aead_aes_gcm_siv_asm_init,
NULL /* init_with_direction */,
@@ -524,11 +524,11 @@
};
static const EVP_AEAD aead_aes_256_gcm_siv_asm = {
- 32, /* key length */
- EVP_AEAD_AES_GCM_SIV_NONCE_LEN, /* nonce length */
- EVP_AEAD_AES_GCM_SIV_TAG_LEN, /* overhead */
- EVP_AEAD_AES_GCM_SIV_TAG_LEN, /* max tag length */
- 0, /* seal_scatter_supports_extra_in */
+ 32, // key length
+ EVP_AEAD_AES_GCM_SIV_NONCE_LEN, // nonce length
+ EVP_AEAD_AES_GCM_SIV_TAG_LEN, // overhead
+ EVP_AEAD_AES_GCM_SIV_TAG_LEN, // max tag length
+ 0, // seal_scatter_supports_extra_in
aead_aes_gcm_siv_asm_init,
NULL /* init_with_direction */,
@@ -540,7 +540,7 @@
NULL /* tag_len */,
};
-#endif /* X86_64 && !NO_ASM */
+#endif // X86_64 && !NO_ASM
struct aead_aes_gcm_siv_ctx {
union {
@@ -557,7 +557,7 @@
if (key_bits != 128 && key_bits != 256) {
OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_BAD_KEY_LENGTH);
- return 0; /* EVP_AEAD_CTX_init should catch this. */
+ return 0; // EVP_AEAD_CTX_init should catch this.
}
if (tag_len == EVP_AEAD_DEFAULT_TAG_LENGTH) {
@@ -590,13 +590,13 @@
OPENSSL_free(gcm_siv_ctx);
}
-/* gcm_siv_crypt encrypts (or decrypts—it's the same thing) |in_len| bytes from
- * |in| to |out|, using the block function |enc_block| with |key| in counter
- * mode, starting at |initial_counter|. This differs from the traditional
- * counter mode code in that the counter is handled little-endian, only the
- * first four bytes are used and the GCM-SIV tweak to the final byte is
- * applied. The |in| and |out| pointers may be equal but otherwise must not
- * alias. */
+// gcm_siv_crypt encrypts (or decrypts—it's the same thing) |in_len| bytes from
+// |in| to |out|, using the block function |enc_block| with |key| in counter
+// mode, starting at |initial_counter|. This differs from the traditional
+// counter mode code in that the counter is handled little-endian, only the
+// first four bytes are used and the GCM-SIV tweak to the final byte is
+// applied. The |in| and |out| pointers may be equal but otherwise must not
+// alias.
static void gcm_siv_crypt(uint8_t *out, const uint8_t *in, size_t in_len,
const uint8_t initial_counter[AES_BLOCK_SIZE],
block128_f enc_block, const AES_KEY *key) {
@@ -626,8 +626,8 @@
}
}
-/* gcm_siv_polyval evaluates POLYVAL at |auth_key| on the given plaintext and
- * AD. The result is written to |out_tag|. */
+// gcm_siv_polyval evaluates POLYVAL at |auth_key| on the given plaintext and
+// AD. The result is written to |out_tag|.
static void gcm_siv_polyval(
uint8_t out_tag[16], const uint8_t *in, size_t in_len, const uint8_t *ad,
size_t ad_len, const uint8_t auth_key[16],
@@ -671,7 +671,7 @@
out_tag[15] &= 0x7f;
}
-/* gcm_siv_record_keys contains the keys used for a specific GCM-SIV record. */
+// gcm_siv_record_keys contains the keys used for a specific GCM-SIV record.
struct gcm_siv_record_keys {
uint8_t auth_key[16];
union {
@@ -681,8 +681,8 @@
block128_f enc_block;
};
-/* gcm_siv_keys calculates the keys for a specific GCM-SIV record with the
- * given nonce and writes them to |*out_keys|. */
+// gcm_siv_keys calculates the keys for a specific GCM-SIV record with the
+// given nonce and writes them to |*out_keys|.
static void gcm_siv_keys(
const struct aead_aes_gcm_siv_ctx *gcm_siv_ctx,
struct gcm_siv_record_keys *out_keys,
@@ -793,11 +793,11 @@
}
static const EVP_AEAD aead_aes_128_gcm_siv = {
- 16, /* key length */
- EVP_AEAD_AES_GCM_SIV_NONCE_LEN, /* nonce length */
- EVP_AEAD_AES_GCM_SIV_TAG_LEN, /* overhead */
- EVP_AEAD_AES_GCM_SIV_TAG_LEN, /* max tag length */
- 0, /* seal_scatter_supports_extra_in */
+ 16, // key length
+ EVP_AEAD_AES_GCM_SIV_NONCE_LEN, // nonce length
+ EVP_AEAD_AES_GCM_SIV_TAG_LEN, // overhead
+ EVP_AEAD_AES_GCM_SIV_TAG_LEN, // max tag length
+ 0, // seal_scatter_supports_extra_in
aead_aes_gcm_siv_init,
NULL /* init_with_direction */,
@@ -810,11 +810,11 @@
};
static const EVP_AEAD aead_aes_256_gcm_siv = {
- 32, /* key length */
- EVP_AEAD_AES_GCM_SIV_NONCE_LEN, /* nonce length */
- EVP_AEAD_AES_GCM_SIV_TAG_LEN, /* overhead */
- EVP_AEAD_AES_GCM_SIV_TAG_LEN, /* max tag length */
- 0, /* seal_scatter_supports_extra_in */
+ 32, // key length
+ EVP_AEAD_AES_GCM_SIV_NONCE_LEN, // nonce length
+ EVP_AEAD_AES_GCM_SIV_TAG_LEN, // overhead
+ EVP_AEAD_AES_GCM_SIV_TAG_LEN, // max tag length
+ 0, // seal_scatter_supports_extra_in
aead_aes_gcm_siv_init,
NULL /* init_with_direction */,
@@ -859,4 +859,4 @@
return &aead_aes_256_gcm_siv;
}
-#endif /* X86_64 && !NO_ASM */
+#endif // X86_64 && !NO_ASM
diff --git a/src/crypto/cipher_extra/e_chacha20poly1305.c b/src/crypto/cipher_extra/e_chacha20poly1305.c
index 8946f1f..d80a910 100644
--- a/src/crypto/cipher_extra/e_chacha20poly1305.c
+++ b/src/crypto/cipher_extra/e_chacha20poly1305.c
@@ -120,7 +120,7 @@
}
if (key_len != sizeof(c20_ctx->key)) {
- return 0; /* internal error - EVP_AEAD_CTX_init should catch this. */
+ return 0; // internal error - EVP_AEAD_CTX_init should catch this.
}
c20_ctx = OPENSSL_malloc(sizeof(struct aead_chacha20_poly1305_ctx));
@@ -152,7 +152,7 @@
CRYPTO_poly1305_update(poly1305, length_bytes, sizeof(length_bytes));
}
-/* calc_tag fills |tag| with the authentication tag for the given inputs. */
+// calc_tag fills |tag| with the authentication tag for the given inputs.
static void calc_tag(uint8_t tag[POLY1305_TAG_LEN],
const struct aead_chacha20_poly1305_ctx *c20_ctx,
const uint8_t nonce[12], const uint8_t *ad, size_t ad_len,
@@ -164,7 +164,7 @@
CRYPTO_chacha_20(poly1305_key, poly1305_key, sizeof(poly1305_key),
c20_ctx->key, nonce, 0);
- static const uint8_t padding[16] = { 0 }; /* Padding is all zeros. */
+ static const uint8_t padding[16] = { 0 }; // Padding is all zeros.
poly1305_state ctx;
CRYPTO_poly1305_init(&ctx, poly1305_key);
CRYPTO_poly1305_update(&ctx, ad, ad_len);
@@ -203,12 +203,12 @@
return 0;
}
- /* |CRYPTO_chacha_20| uses a 32-bit block counter. Therefore we disallow
- * individual operations that work on more than 256GB at a time.
- * |in_len_64| is needed because, on 32-bit platforms, size_t is only
- * 32-bits and this produces a warning because it's always false.
- * Casting to uint64_t inside the conditional is not sufficient to stop
- * the warning. */
+ // |CRYPTO_chacha_20| uses a 32-bit block counter. Therefore we disallow
+ // individual operations that work on more than 256GB at a time.
+ // |in_len_64| is needed because, on 32-bit platforms, size_t is only
+ // 32-bits and this produces a warning because it's always false.
+ // Casting to uint64_t inside the conditional is not sufficient to stop
+ // the warning.
const uint64_t in_len_64 = in_len;
if (in_len_64 >= (UINT64_C(1) << 32) * 64 - 64) {
OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_TOO_LARGE);
@@ -220,8 +220,8 @@
return 0;
}
- /* The the extra input is given, it is expected to be very short and so is
- * encrypted byte-by-byte first. */
+ // The the extra input is given, it is expected to be very short and so is
+ // encrypted byte-by-byte first.
if (extra_in_len) {
static const size_t kChaChaBlockSize = 64;
uint32_t block_counter = 1 + (in_len / kChaChaBlockSize);
@@ -275,12 +275,12 @@
return 0;
}
- /* |CRYPTO_chacha_20| uses a 32-bit block counter. Therefore we disallow
- * individual operations that work on more than 256GB at a time.
- * |in_len_64| is needed because, on 32-bit platforms, size_t is only
- * 32-bits and this produces a warning because it's always false.
- * Casting to uint64_t inside the conditional is not sufficient to stop
- * the warning. */
+ // |CRYPTO_chacha_20| uses a 32-bit block counter. Therefore we disallow
+ // individual operations that work on more than 256GB at a time.
+ // |in_len_64| is needed because, on 32-bit platforms, size_t is only
+ // 32-bits and this produces a warning because it's always false.
+ // Casting to uint64_t inside the conditional is not sufficient to stop
+ // the warning.
const uint64_t in_len_64 = in_len;
if (in_len_64 >= (UINT64_C(1) << 32) * 64 - 64) {
OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_TOO_LARGE);
@@ -307,20 +307,20 @@
}
static const EVP_AEAD aead_chacha20_poly1305 = {
- 32, /* key len */
- 12, /* nonce len */
- POLY1305_TAG_LEN, /* overhead */
- POLY1305_TAG_LEN, /* max tag length */
- 1, /* seal_scatter_supports_extra_in */
+ 32, // key len
+ 12, // nonce len
+ POLY1305_TAG_LEN, // overhead
+ POLY1305_TAG_LEN, // max tag length
+ 1, // seal_scatter_supports_extra_in
aead_chacha20_poly1305_init,
- NULL, /* init_with_direction */
+ NULL, // init_with_direction
aead_chacha20_poly1305_cleanup,
NULL /* open */,
aead_chacha20_poly1305_seal_scatter,
aead_chacha20_poly1305_open_gather,
- NULL, /* get_iv */
- NULL, /* tag_len */
+ NULL, // get_iv
+ NULL, // tag_len
};
const EVP_AEAD *EVP_aead_chacha20_poly1305(void) {
diff --git a/src/crypto/cipher_extra/e_rc2.c b/src/crypto/cipher_extra/e_rc2.c
index a18229c..dc42dd5 100644
--- a/src/crypto/cipher_extra/e_rc2.c
+++ b/src/crypto/cipher_extra/e_rc2.c
@@ -317,7 +317,7 @@
unsigned int c, d;
k = (uint8_t *)&key->data[0];
- *k = 0; /* for if there is a zero length key */
+ *k = 0; // for if there is a zero length key
if (len > 128) {
len = 128;
@@ -333,7 +333,7 @@
k[i] = data[i];
}
- /* expand table */
+ // expand table
d = k[len - 1];
j = 0;
for (i = len; i < 128; i++, j++) {
@@ -341,7 +341,7 @@
k[i] = d;
}
- /* hmm.... key reduction to 'bits' bits */
+ // hmm.... key reduction to 'bits' bits
j = (bits + 7) >> 3;
i = 128 - j;
@@ -354,7 +354,7 @@
k[i] = d;
}
- /* copy from bytes into uint16_t's */
+ // copy from bytes into uint16_t's
ki = &(key->data[63]);
for (i = 127; i >= 0; i -= 2) {
*(ki--) = ((k[i] << 8) | k[i - 1]) & 0xffff;
@@ -362,8 +362,8 @@
}
typedef struct {
- int key_bits; /* effective key bits */
- RC2_KEY ks; /* key schedule */
+ int key_bits; // effective key bits
+ RC2_KEY ks; // key schedule
} EVP_RC2_KEY;
static int rc2_init_key(EVP_CIPHER_CTX *ctx, const uint8_t *key,
@@ -399,8 +399,8 @@
key->key_bits = EVP_CIPHER_CTX_key_length(ctx) * 8;
return 1;
case EVP_CTRL_SET_RC2_KEY_BITS:
- /* Should be overridden by later call to |EVP_CTRL_INIT|, but
- * people call it, so it may as well work. */
+ // Should be overridden by later call to |EVP_CTRL_INIT|, but
+ // people call it, so it may as well work.
key->key_bits = arg;
return 1;
diff --git a/src/crypto/cipher_extra/e_ssl3.c b/src/crypto/cipher_extra/e_ssl3.c
index dc43713..61f25ca 100644
--- a/src/crypto/cipher_extra/e_ssl3.c
+++ b/src/crypto/cipher_extra/e_ssl3.c
@@ -40,8 +40,8 @@
size_t md_size = EVP_MD_CTX_size(&ssl3_ctx->md_ctx);
size_t pad_len = (md_size == 20) ? 40 : 48;
- /* To allow for CBC mode which changes cipher length, |ad| doesn't include the
- * length for legacy ciphers. */
+ // To allow for CBC mode which changes cipher length, |ad| doesn't include the
+ // length for legacy ciphers.
uint8_t ad_extra[2];
ad_extra[0] = (uint8_t)(in_len >> 8);
ad_extra[1] = (uint8_t)(in_len & 0xff);
@@ -135,8 +135,8 @@
}
const size_t block_size = EVP_CIPHER_CTX_block_size(&ssl3_ctx->cipher_ctx);
- /* An overflow of |in_len + digest_len| doesn't affect the result mod
- * |block_size|, provided that |block_size| is a smaller power of two. */
+ // An overflow of |in_len + digest_len| doesn't affect the result mod
+ // |block_size|, provided that |block_size| is a smaller power of two.
assert(block_size != 0 && (block_size & (block_size - 1)) == 0);
const size_t pad_len = block_size - ((in_len + digest_len) % block_size);
return digest_len + pad_len;
@@ -153,13 +153,13 @@
AEAD_SSL3_CTX *ssl3_ctx = (AEAD_SSL3_CTX *)ctx->aead_state;
if (!ssl3_ctx->cipher_ctx.encrypt) {
- /* Unlike a normal AEAD, an SSL3 AEAD may only be used in one direction. */
+ // Unlike a normal AEAD, an SSL3 AEAD may only be used in one direction.
OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_INVALID_OPERATION);
return 0;
}
if (in_len > INT_MAX) {
- /* EVP_CIPHER takes int as input. */
+ // EVP_CIPHER takes int as input.
OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_TOO_LARGE);
return 0;
}
@@ -179,15 +179,15 @@
return 0;
}
- /* Compute the MAC. This must be first in case the operation is being done
- * in-place. */
+ // Compute the MAC. This must be first in case the operation is being done
+ // in-place.
uint8_t mac[EVP_MAX_MD_SIZE];
unsigned mac_len;
if (!ssl3_mac(ssl3_ctx, mac, &mac_len, ad, ad_len, in, in_len)) {
return 0;
}
- /* Encrypt the input. */
+ // Encrypt the input.
int len;
if (!EVP_EncryptUpdate(&ssl3_ctx->cipher_ctx, out, &len, in,
(int)in_len)) {
@@ -196,9 +196,9 @@
const size_t block_size = EVP_CIPHER_CTX_block_size(&ssl3_ctx->cipher_ctx);
- /* Feed the MAC into the cipher in two steps. First complete the final partial
- * block from encrypting the input and split the result between |out| and
- * |out_tag|. Then encrypt the remainder. */
+ // Feed the MAC into the cipher in two steps. First complete the final partial
+ // block from encrypting the input and split the result between |out| and
+ // |out_tag|. Then encrypt the remainder.
size_t early_mac_len = (block_size - (in_len % block_size)) % block_size;
if (early_mac_len != 0) {
@@ -225,7 +225,7 @@
assert(block_size <= 256);
assert(EVP_CIPHER_CTX_mode(&ssl3_ctx->cipher_ctx) == EVP_CIPH_CBC_MODE);
- /* Compute padding and feed that into the cipher. */
+ // Compute padding and feed that into the cipher.
uint8_t padding[256];
size_t padding_len = block_size - ((in_len + mac_len) % block_size);
OPENSSL_memset(padding, 0, padding_len - 1);
@@ -255,7 +255,7 @@
AEAD_SSL3_CTX *ssl3_ctx = (AEAD_SSL3_CTX *)ctx->aead_state;
if (ssl3_ctx->cipher_ctx.encrypt) {
- /* Unlike a normal AEAD, an SSL3 AEAD may only be used in one direction. */
+ // Unlike a normal AEAD, an SSL3 AEAD may only be used in one direction.
OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_INVALID_OPERATION);
return 0;
}
@@ -267,8 +267,8 @@
}
if (max_out_len < in_len) {
- /* This requires that the caller provide space for the MAC, even though it
- * will always be removed on return. */
+ // This requires that the caller provide space for the MAC, even though it
+ // will always be removed on return.
OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_BUFFER_TOO_SMALL);
return 0;
}
@@ -284,12 +284,12 @@
}
if (in_len > INT_MAX) {
- /* EVP_CIPHER takes int as input. */
+ // EVP_CIPHER takes int as input.
OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_TOO_LARGE);
return 0;
}
- /* Decrypt to get the plaintext + MAC + padding. */
+ // Decrypt to get the plaintext + MAC + padding.
size_t total = 0;
int len;
if (!EVP_DecryptUpdate(&ssl3_ctx->cipher_ctx, out, &len, in, (int)in_len)) {
@@ -302,9 +302,9 @@
total += len;
assert(total == in_len);
- /* Remove CBC padding and MAC. This would normally be timing-sensitive, but
- * SSLv3 CBC ciphers are already broken. Support will be removed eventually.
- * https://www.openssl.org/~bodo/ssl-poodle.pdf */
+ // Remove CBC padding and MAC. This would normally be timing-sensitive, but
+ // SSLv3 CBC ciphers are already broken. Support will be removed eventually.
+ // https://www.openssl.org/~bodo/ssl-poodle.pdf
size_t data_len;
if (EVP_CIPHER_CTX_mode(&ssl3_ctx->cipher_ctx) == EVP_CIPH_CBC_MODE) {
unsigned padding_length = out[total - 1];
@@ -312,7 +312,7 @@
OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_BAD_DECRYPT);
return 0;
}
- /* The padding must be minimal. */
+ // The padding must be minimal.
if (padding_length + 1 > EVP_CIPHER_CTX_block_size(&ssl3_ctx->cipher_ctx)) {
OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_BAD_DECRYPT);
return 0;
@@ -322,7 +322,7 @@
data_len = total - mac_len;
}
- /* Compute the MAC and compare against the one in the record. */
+ // Compute the MAC and compare against the one in the record.
uint8_t mac[EVP_MAX_MD_SIZE];
if (!ssl3_mac(ssl3_ctx, mac, NULL, ad, ad_len, out, data_len)) {
return 0;
@@ -378,70 +378,70 @@
}
static const EVP_AEAD aead_aes_128_cbc_sha1_ssl3 = {
- SHA_DIGEST_LENGTH + 16 + 16, /* key len (SHA1 + AES128 + IV) */
- 0, /* nonce len */
- 16 + SHA_DIGEST_LENGTH, /* overhead (padding + SHA1) */
- SHA_DIGEST_LENGTH, /* max tag length */
- 0, /* seal_scatter_supports_extra_in */
+ SHA_DIGEST_LENGTH + 16 + 16, // key len (SHA1 + AES128 + IV)
+ 0, // nonce len
+ 16 + SHA_DIGEST_LENGTH, // overhead (padding + SHA1)
+ SHA_DIGEST_LENGTH, // max tag length
+ 0, // seal_scatter_supports_extra_in
- NULL, /* init */
+ NULL, // init
aead_aes_128_cbc_sha1_ssl3_init,
aead_ssl3_cleanup,
aead_ssl3_open,
aead_ssl3_seal_scatter,
- NULL, /* open_gather */
+ NULL, // open_gather
aead_ssl3_get_iv,
aead_ssl3_tag_len,
};
static const EVP_AEAD aead_aes_256_cbc_sha1_ssl3 = {
- SHA_DIGEST_LENGTH + 32 + 16, /* key len (SHA1 + AES256 + IV) */
- 0, /* nonce len */
- 16 + SHA_DIGEST_LENGTH, /* overhead (padding + SHA1) */
- SHA_DIGEST_LENGTH, /* max tag length */
- 0, /* seal_scatter_supports_extra_in */
+ SHA_DIGEST_LENGTH + 32 + 16, // key len (SHA1 + AES256 + IV)
+ 0, // nonce len
+ 16 + SHA_DIGEST_LENGTH, // overhead (padding + SHA1)
+ SHA_DIGEST_LENGTH, // max tag length
+ 0, // seal_scatter_supports_extra_in
- NULL, /* init */
+ NULL, // init
aead_aes_256_cbc_sha1_ssl3_init,
aead_ssl3_cleanup,
aead_ssl3_open,
aead_ssl3_seal_scatter,
- NULL, /* open_gather */
+ NULL, // open_gather
aead_ssl3_get_iv,
aead_ssl3_tag_len,
};
static const EVP_AEAD aead_des_ede3_cbc_sha1_ssl3 = {
- SHA_DIGEST_LENGTH + 24 + 8, /* key len (SHA1 + 3DES + IV) */
- 0, /* nonce len */
- 8 + SHA_DIGEST_LENGTH, /* overhead (padding + SHA1) */
- SHA_DIGEST_LENGTH, /* max tag length */
- 0, /* seal_scatter_supports_extra_in */
+ SHA_DIGEST_LENGTH + 24 + 8, // key len (SHA1 + 3DES + IV)
+ 0, // nonce len
+ 8 + SHA_DIGEST_LENGTH, // overhead (padding + SHA1)
+ SHA_DIGEST_LENGTH, // max tag length
+ 0, // seal_scatter_supports_extra_in
- NULL, /* init */
+ NULL, // init
aead_des_ede3_cbc_sha1_ssl3_init,
aead_ssl3_cleanup,
aead_ssl3_open,
aead_ssl3_seal_scatter,
- NULL, /* open_gather */
+ NULL, // open_gather
aead_ssl3_get_iv,
aead_ssl3_tag_len,
};
static const EVP_AEAD aead_null_sha1_ssl3 = {
- SHA_DIGEST_LENGTH, /* key len */
- 0, /* nonce len */
- SHA_DIGEST_LENGTH, /* overhead (SHA1) */
- SHA_DIGEST_LENGTH, /* max tag length */
- 0, /* seal_scatter_supports_extra_in */
+ SHA_DIGEST_LENGTH, // key len
+ 0, // nonce len
+ SHA_DIGEST_LENGTH, // overhead (SHA1)
+ SHA_DIGEST_LENGTH, // max tag length
+ 0, // seal_scatter_supports_extra_in
- NULL, /* init */
+ NULL, // init
aead_null_sha1_ssl3_init,
aead_ssl3_cleanup,
aead_ssl3_open,
aead_ssl3_seal_scatter,
- NULL, /* open_gather */
- NULL, /* get_iv */
+ NULL, // open_gather
+ NULL, // get_iv
aead_ssl3_tag_len,
};
diff --git a/src/crypto/cipher_extra/e_tls.c b/src/crypto/cipher_extra/e_tls.c
index ca206ab..4b87983 100644
--- a/src/crypto/cipher_extra/e_tls.c
+++ b/src/crypto/cipher_extra/e_tls.c
@@ -33,12 +33,12 @@
typedef struct {
EVP_CIPHER_CTX cipher_ctx;
HMAC_CTX hmac_ctx;
- /* mac_key is the portion of the key used for the MAC. It is retained
- * separately for the constant-time CBC code. */
+ // mac_key is the portion of the key used for the MAC. It is retained
+ // separately for the constant-time CBC code.
uint8_t mac_key[EVP_MAX_MD_SIZE];
uint8_t mac_key_len;
- /* implicit_iv is one iff this is a pre-TLS-1.1 CBC cipher without an explicit
- * IV. */
+ // implicit_iv is one iff this is a pre-TLS-1.1 CBC cipher without an explicit
+ // IV.
char implicit_iv;
} AEAD_TLS_CTX;
@@ -111,8 +111,8 @@
}
const size_t block_size = EVP_CIPHER_CTX_block_size(&tls_ctx->cipher_ctx);
- /* An overflow of |in_len + hmac_len| doesn't affect the result mod
- * |block_size|, provided that |block_size| is a smaller power of two. */
+ // An overflow of |in_len + hmac_len| doesn't affect the result mod
+ // |block_size|, provided that |block_size| is a smaller power of two.
assert(block_size != 0 && (block_size & (block_size - 1)) == 0);
const size_t pad_len = block_size - (in_len + hmac_len) % block_size;
return hmac_len + pad_len;
@@ -129,13 +129,13 @@
AEAD_TLS_CTX *tls_ctx = (AEAD_TLS_CTX *)ctx->aead_state;
if (!tls_ctx->cipher_ctx.encrypt) {
- /* Unlike a normal AEAD, a TLS AEAD may only be used in one direction. */
+ // Unlike a normal AEAD, a TLS AEAD may only be used in one direction.
OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_INVALID_OPERATION);
return 0;
}
if (in_len > INT_MAX) {
- /* EVP_CIPHER takes int as input. */
+ // EVP_CIPHER takes int as input.
OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_TOO_LARGE);
return 0;
}
@@ -155,14 +155,14 @@
return 0;
}
- /* To allow for CBC mode which changes cipher length, |ad| doesn't include the
- * length for legacy ciphers. */
+ // To allow for CBC mode which changes cipher length, |ad| doesn't include the
+ // length for legacy ciphers.
uint8_t ad_extra[2];
ad_extra[0] = (uint8_t)(in_len >> 8);
ad_extra[1] = (uint8_t)(in_len & 0xff);
- /* Compute the MAC. This must be first in case the operation is being done
- * in-place. */
+ // Compute the MAC. This must be first in case the operation is being done
+ // in-place.
uint8_t mac[EVP_MAX_MD_SIZE];
unsigned mac_len;
if (!HMAC_Init_ex(&tls_ctx->hmac_ctx, NULL, 0, NULL, NULL) ||
@@ -173,14 +173,14 @@
return 0;
}
- /* Configure the explicit IV. */
+ // Configure the explicit IV.
if (EVP_CIPHER_CTX_mode(&tls_ctx->cipher_ctx) == EVP_CIPH_CBC_MODE &&
!tls_ctx->implicit_iv &&
!EVP_EncryptInit_ex(&tls_ctx->cipher_ctx, NULL, NULL, NULL, nonce)) {
return 0;
}
- /* Encrypt the input. */
+ // Encrypt the input.
int len;
if (!EVP_EncryptUpdate(&tls_ctx->cipher_ctx, out, &len, in, (int)in_len)) {
return 0;
@@ -188,9 +188,9 @@
unsigned block_size = EVP_CIPHER_CTX_block_size(&tls_ctx->cipher_ctx);
- /* Feed the MAC into the cipher in two steps. First complete the final partial
- * block from encrypting the input and split the result between |out| and
- * |out_tag|. Then feed the rest. */
+ // Feed the MAC into the cipher in two steps. First complete the final partial
+ // block from encrypting the input and split the result between |out| and
+ // |out_tag|. Then feed the rest.
const size_t early_mac_len =
(block_size - (in_len % block_size) % block_size);
@@ -218,7 +218,7 @@
assert(block_size <= 256);
assert(EVP_CIPHER_CTX_mode(&tls_ctx->cipher_ctx) == EVP_CIPH_CBC_MODE);
- /* Compute padding and feed that into the cipher. */
+ // Compute padding and feed that into the cipher.
uint8_t padding[256];
unsigned padding_len = block_size - ((in_len + mac_len) % block_size);
OPENSSL_memset(padding, padding_len - 1, padding_len);
@@ -232,7 +232,7 @@
if (!EVP_EncryptFinal_ex(&tls_ctx->cipher_ctx, out_tag + tag_len, &len)) {
return 0;
}
- assert(len == 0); /* Padding is explicit. */
+ assert(len == 0); // Padding is explicit.
assert(tag_len == aead_tls_tag_len(ctx, in_len, extra_in_len));
*out_tag_len = tag_len;
@@ -246,7 +246,7 @@
AEAD_TLS_CTX *tls_ctx = (AEAD_TLS_CTX *)ctx->aead_state;
if (tls_ctx->cipher_ctx.encrypt) {
- /* Unlike a normal AEAD, a TLS AEAD may only be used in one direction. */
+ // Unlike a normal AEAD, a TLS AEAD may only be used in one direction.
OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_INVALID_OPERATION);
return 0;
}
@@ -257,8 +257,8 @@
}
if (max_out_len < in_len) {
- /* This requires that the caller provide space for the MAC, even though it
- * will always be removed on return. */
+ // This requires that the caller provide space for the MAC, even though it
+ // will always be removed on return.
OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_BUFFER_TOO_SMALL);
return 0;
}
@@ -274,19 +274,19 @@
}
if (in_len > INT_MAX) {
- /* EVP_CIPHER takes int as input. */
+ // EVP_CIPHER takes int as input.
OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_TOO_LARGE);
return 0;
}
- /* Configure the explicit IV. */
+ // Configure the explicit IV.
if (EVP_CIPHER_CTX_mode(&tls_ctx->cipher_ctx) == EVP_CIPH_CBC_MODE &&
!tls_ctx->implicit_iv &&
!EVP_DecryptInit_ex(&tls_ctx->cipher_ctx, NULL, NULL, NULL, nonce)) {
return 0;
}
- /* Decrypt to get the plaintext + MAC + padding. */
+ // Decrypt to get the plaintext + MAC + padding.
size_t total = 0;
int len;
if (!EVP_DecryptUpdate(&tls_ctx->cipher_ctx, out, &len, in, (int)in_len)) {
@@ -299,8 +299,8 @@
total += len;
assert(total == in_len);
- /* Remove CBC padding. Code from here on is timing-sensitive with respect to
- * |padding_ok| and |data_plus_mac_len| for CBC ciphers. */
+ // Remove CBC padding. Code from here on is timing-sensitive with respect to
+ // |padding_ok| and |data_plus_mac_len| for CBC ciphers.
size_t data_plus_mac_len;
crypto_word_t padding_ok;
if (EVP_CIPHER_CTX_mode(&tls_ctx->cipher_ctx) == EVP_CIPH_CBC_MODE) {
@@ -308,32 +308,32 @@
&padding_ok, &data_plus_mac_len, out, total,
EVP_CIPHER_CTX_block_size(&tls_ctx->cipher_ctx),
HMAC_size(&tls_ctx->hmac_ctx))) {
- /* Publicly invalid. This can be rejected in non-constant time. */
+ // Publicly invalid. This can be rejected in non-constant time.
OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_BAD_DECRYPT);
return 0;
}
} else {
padding_ok = CONSTTIME_TRUE_W;
data_plus_mac_len = total;
- /* |data_plus_mac_len| = |total| = |in_len| at this point. |in_len| has
- * already been checked against the MAC size at the top of the function. */
+ // |data_plus_mac_len| = |total| = |in_len| at this point. |in_len| has
+ // already been checked against the MAC size at the top of the function.
assert(data_plus_mac_len >= HMAC_size(&tls_ctx->hmac_ctx));
}
size_t data_len = data_plus_mac_len - HMAC_size(&tls_ctx->hmac_ctx);
- /* At this point, if the padding is valid, the first |data_plus_mac_len| bytes
- * after |out| are the plaintext and MAC. Otherwise, |data_plus_mac_len| is
- * still large enough to extract a MAC, but it will be irrelevant. */
+ // At this point, if the padding is valid, the first |data_plus_mac_len| bytes
+ // after |out| are the plaintext and MAC. Otherwise, |data_plus_mac_len| is
+ // still large enough to extract a MAC, but it will be irrelevant.
- /* To allow for CBC mode which changes cipher length, |ad| doesn't include the
- * length for legacy ciphers. */
+ // To allow for CBC mode which changes cipher length, |ad| doesn't include the
+ // length for legacy ciphers.
uint8_t ad_fixed[13];
OPENSSL_memcpy(ad_fixed, ad, 11);
ad_fixed[11] = (uint8_t)(data_len >> 8);
ad_fixed[12] = (uint8_t)(data_len & 0xff);
ad_len += 2;
- /* Compute the MAC and extract the one in the record. */
+ // Compute the MAC and extract the one in the record.
uint8_t mac[EVP_MAX_MD_SIZE];
size_t mac_len;
uint8_t record_mac_tmp[EVP_MAX_MD_SIZE];
@@ -351,8 +351,8 @@
record_mac = record_mac_tmp;
EVP_tls_cbc_copy_mac(record_mac, mac_len, out, data_plus_mac_len, total);
} else {
- /* We should support the constant-time path for all CBC-mode ciphers
- * implemented. */
+ // We should support the constant-time path for all CBC-mode ciphers
+ // implemented.
assert(EVP_CIPHER_CTX_mode(&tls_ctx->cipher_ctx) != EVP_CIPH_CBC_MODE);
unsigned mac_len_u;
@@ -368,10 +368,10 @@
record_mac = &out[data_len];
}
- /* Perform the MAC check and the padding check in constant-time. It should be
- * safe to simply perform the padding check first, but it would not be under a
- * different choice of MAC location on padding failure. See
- * EVP_tls_cbc_remove_padding. */
+ // Perform the MAC check and the padding check in constant-time. It should be
+ // safe to simply perform the padding check first, but it would not be under a
+ // different choice of MAC location on padding failure. See
+ // EVP_tls_cbc_remove_padding.
crypto_word_t good =
constant_time_eq_int(CRYPTO_memcmp(record_mac, mac, mac_len), 0);
good &= padding_ok;
@@ -380,7 +380,7 @@
return 0;
}
- /* End of timing-sensitive code. */
+ // End of timing-sensitive code.
*out_len = data_len;
return 1;
@@ -474,172 +474,172 @@
}
static const EVP_AEAD aead_aes_128_cbc_sha1_tls = {
- SHA_DIGEST_LENGTH + 16, /* key len (SHA1 + AES128) */
- 16, /* nonce len (IV) */
- 16 + SHA_DIGEST_LENGTH, /* overhead (padding + SHA1) */
- SHA_DIGEST_LENGTH, /* max tag length */
- 0, /* seal_scatter_supports_extra_in */
+ SHA_DIGEST_LENGTH + 16, // key len (SHA1 + AES128)
+ 16, // nonce len (IV)
+ 16 + SHA_DIGEST_LENGTH, // overhead (padding + SHA1)
+ SHA_DIGEST_LENGTH, // max tag length
+ 0, // seal_scatter_supports_extra_in
- NULL, /* init */
+ NULL, // init
aead_aes_128_cbc_sha1_tls_init,
aead_tls_cleanup,
aead_tls_open,
aead_tls_seal_scatter,
- NULL, /* open_gather */
- NULL, /* get_iv */
+ NULL, // open_gather
+ NULL, // get_iv
aead_tls_tag_len,
};
static const EVP_AEAD aead_aes_128_cbc_sha1_tls_implicit_iv = {
- SHA_DIGEST_LENGTH + 16 + 16, /* key len (SHA1 + AES128 + IV) */
- 0, /* nonce len */
- 16 + SHA_DIGEST_LENGTH, /* overhead (padding + SHA1) */
- SHA_DIGEST_LENGTH, /* max tag length */
- 0, /* seal_scatter_supports_extra_in */
+ SHA_DIGEST_LENGTH + 16 + 16, // key len (SHA1 + AES128 + IV)
+ 0, // nonce len
+ 16 + SHA_DIGEST_LENGTH, // overhead (padding + SHA1)
+ SHA_DIGEST_LENGTH, // max tag length
+ 0, // seal_scatter_supports_extra_in
- NULL, /* init */
+ NULL, // init
aead_aes_128_cbc_sha1_tls_implicit_iv_init,
aead_tls_cleanup,
aead_tls_open,
aead_tls_seal_scatter,
- NULL, /* open_gather */
- aead_tls_get_iv, /* get_iv */
+ NULL, // open_gather
+ aead_tls_get_iv, // get_iv
aead_tls_tag_len,
};
static const EVP_AEAD aead_aes_128_cbc_sha256_tls = {
- SHA256_DIGEST_LENGTH + 16, /* key len (SHA256 + AES128) */
- 16, /* nonce len (IV) */
- 16 + SHA256_DIGEST_LENGTH, /* overhead (padding + SHA256) */
- SHA256_DIGEST_LENGTH, /* max tag length */
- 0, /* seal_scatter_supports_extra_in */
+ SHA256_DIGEST_LENGTH + 16, // key len (SHA256 + AES128)
+ 16, // nonce len (IV)
+ 16 + SHA256_DIGEST_LENGTH, // overhead (padding + SHA256)
+ SHA256_DIGEST_LENGTH, // max tag length
+ 0, // seal_scatter_supports_extra_in
- NULL, /* init */
+ NULL, // init
aead_aes_128_cbc_sha256_tls_init,
aead_tls_cleanup,
aead_tls_open,
aead_tls_seal_scatter,
- NULL, /* open_gather */
- NULL, /* get_iv */
+ NULL, // open_gather
+ NULL, // get_iv
aead_tls_tag_len,
};
static const EVP_AEAD aead_aes_256_cbc_sha1_tls = {
- SHA_DIGEST_LENGTH + 32, /* key len (SHA1 + AES256) */
- 16, /* nonce len (IV) */
- 16 + SHA_DIGEST_LENGTH, /* overhead (padding + SHA1) */
- SHA_DIGEST_LENGTH, /* max tag length */
- 0, /* seal_scatter_supports_extra_in */
+ SHA_DIGEST_LENGTH + 32, // key len (SHA1 + AES256)
+ 16, // nonce len (IV)
+ 16 + SHA_DIGEST_LENGTH, // overhead (padding + SHA1)
+ SHA_DIGEST_LENGTH, // max tag length
+ 0, // seal_scatter_supports_extra_in
- NULL, /* init */
+ NULL, // init
aead_aes_256_cbc_sha1_tls_init,
aead_tls_cleanup,
aead_tls_open,
aead_tls_seal_scatter,
- NULL, /* open_gather */
- NULL, /* get_iv */
+ NULL, // open_gather
+ NULL, // get_iv
aead_tls_tag_len,
};
static const EVP_AEAD aead_aes_256_cbc_sha1_tls_implicit_iv = {
- SHA_DIGEST_LENGTH + 32 + 16, /* key len (SHA1 + AES256 + IV) */
- 0, /* nonce len */
- 16 + SHA_DIGEST_LENGTH, /* overhead (padding + SHA1) */
- SHA_DIGEST_LENGTH, /* max tag length */
- 0, /* seal_scatter_supports_extra_in */
+ SHA_DIGEST_LENGTH + 32 + 16, // key len (SHA1 + AES256 + IV)
+ 0, // nonce len
+ 16 + SHA_DIGEST_LENGTH, // overhead (padding + SHA1)
+ SHA_DIGEST_LENGTH, // max tag length
+ 0, // seal_scatter_supports_extra_in
- NULL, /* init */
+ NULL, // init
aead_aes_256_cbc_sha1_tls_implicit_iv_init,
aead_tls_cleanup,
aead_tls_open,
aead_tls_seal_scatter,
- NULL, /* open_gather */
- aead_tls_get_iv, /* get_iv */
+ NULL, // open_gather
+ aead_tls_get_iv, // get_iv
aead_tls_tag_len,
};
static const EVP_AEAD aead_aes_256_cbc_sha256_tls = {
- SHA256_DIGEST_LENGTH + 32, /* key len (SHA256 + AES256) */
- 16, /* nonce len (IV) */
- 16 + SHA256_DIGEST_LENGTH, /* overhead (padding + SHA256) */
- SHA256_DIGEST_LENGTH, /* max tag length */
- 0, /* seal_scatter_supports_extra_in */
+ SHA256_DIGEST_LENGTH + 32, // key len (SHA256 + AES256)
+ 16, // nonce len (IV)
+ 16 + SHA256_DIGEST_LENGTH, // overhead (padding + SHA256)
+ SHA256_DIGEST_LENGTH, // max tag length
+ 0, // seal_scatter_supports_extra_in
- NULL, /* init */
+ NULL, // init
aead_aes_256_cbc_sha256_tls_init,
aead_tls_cleanup,
aead_tls_open,
aead_tls_seal_scatter,
- NULL, /* open_gather */
- NULL, /* get_iv */
+ NULL, // open_gather
+ NULL, // get_iv
aead_tls_tag_len,
};
static const EVP_AEAD aead_aes_256_cbc_sha384_tls = {
- SHA384_DIGEST_LENGTH + 32, /* key len (SHA384 + AES256) */
- 16, /* nonce len (IV) */
- 16 + SHA384_DIGEST_LENGTH, /* overhead (padding + SHA384) */
- SHA384_DIGEST_LENGTH, /* max tag length */
- 0, /* seal_scatter_supports_extra_in */
+ SHA384_DIGEST_LENGTH + 32, // key len (SHA384 + AES256)
+ 16, // nonce len (IV)
+ 16 + SHA384_DIGEST_LENGTH, // overhead (padding + SHA384)
+ SHA384_DIGEST_LENGTH, // max tag length
+ 0, // seal_scatter_supports_extra_in
- NULL, /* init */
+ NULL, // init
aead_aes_256_cbc_sha384_tls_init,
aead_tls_cleanup,
aead_tls_open,
aead_tls_seal_scatter,
- NULL, /* open_gather */
- NULL, /* get_iv */
+ NULL, // open_gather
+ NULL, // get_iv
aead_tls_tag_len,
};
static const EVP_AEAD aead_des_ede3_cbc_sha1_tls = {
- SHA_DIGEST_LENGTH + 24, /* key len (SHA1 + 3DES) */
- 8, /* nonce len (IV) */
- 8 + SHA_DIGEST_LENGTH, /* overhead (padding + SHA1) */
- SHA_DIGEST_LENGTH, /* max tag length */
- 0, /* seal_scatter_supports_extra_in */
+ SHA_DIGEST_LENGTH + 24, // key len (SHA1 + 3DES)
+ 8, // nonce len (IV)
+ 8 + SHA_DIGEST_LENGTH, // overhead (padding + SHA1)
+ SHA_DIGEST_LENGTH, // max tag length
+ 0, // seal_scatter_supports_extra_in
- NULL, /* init */
+ NULL, // init
aead_des_ede3_cbc_sha1_tls_init,
aead_tls_cleanup,
aead_tls_open,
aead_tls_seal_scatter,
- NULL, /* open_gather */
- NULL, /* get_iv */
+ NULL, // open_gather
+ NULL, // get_iv
aead_tls_tag_len,
};
static const EVP_AEAD aead_des_ede3_cbc_sha1_tls_implicit_iv = {
- SHA_DIGEST_LENGTH + 24 + 8, /* key len (SHA1 + 3DES + IV) */
- 0, /* nonce len */
- 8 + SHA_DIGEST_LENGTH, /* overhead (padding + SHA1) */
- SHA_DIGEST_LENGTH, /* max tag length */
- 0, /* seal_scatter_supports_extra_in */
+ SHA_DIGEST_LENGTH + 24 + 8, // key len (SHA1 + 3DES + IV)
+ 0, // nonce len
+ 8 + SHA_DIGEST_LENGTH, // overhead (padding + SHA1)
+ SHA_DIGEST_LENGTH, // max tag length
+ 0, // seal_scatter_supports_extra_in
- NULL, /* init */
+ NULL, // init
aead_des_ede3_cbc_sha1_tls_implicit_iv_init,
aead_tls_cleanup,
aead_tls_open,
aead_tls_seal_scatter,
- NULL, /* open_gather */
- aead_tls_get_iv, /* get_iv */
+ NULL, // open_gather
+ aead_tls_get_iv, // get_iv
aead_tls_tag_len,
};
static const EVP_AEAD aead_null_sha1_tls = {
- SHA_DIGEST_LENGTH, /* key len */
- 0, /* nonce len */
- SHA_DIGEST_LENGTH, /* overhead (SHA1) */
- SHA_DIGEST_LENGTH, /* max tag length */
- 0, /* seal_scatter_supports_extra_in */
+ SHA_DIGEST_LENGTH, // key len
+ 0, // nonce len
+ SHA_DIGEST_LENGTH, // overhead (SHA1)
+ SHA_DIGEST_LENGTH, // max tag length
+ 0, // seal_scatter_supports_extra_in
- NULL, /* init */
+ NULL, // init
aead_null_sha1_tls_init,
aead_tls_cleanup,
aead_tls_open,
aead_tls_seal_scatter,
- NULL, /* open_gather */
- NULL, /* get_iv */
+ NULL, // open_gather
+ NULL, // get_iv
aead_tls_tag_len,
};
diff --git a/src/crypto/cipher_extra/internal.h b/src/crypto/cipher_extra/internal.h
index 7136195..1d2c4e1 100644
--- a/src/crypto/cipher_extra/internal.h
+++ b/src/crypto/cipher_extra/internal.h
@@ -66,53 +66,53 @@
#endif
-/* EVP_tls_cbc_get_padding determines the padding from the decrypted, TLS, CBC
- * record in |in|. This decrypted record should not include any "decrypted"
- * explicit IV. If the record is publicly invalid, it returns zero. Otherwise,
- * it returns one and sets |*out_padding_ok| to all ones (0xfff..f) if the
- * padding is valid and zero otherwise. It then sets |*out_len| to the length
- * with the padding removed or |in_len| if invalid.
- *
- * If the function returns one, it runs in time independent of the contents of
- * |in|. It is also guaranteed that |*out_len| >= |mac_size|, satisfying
- * |EVP_tls_cbc_copy_mac|'s precondition. */
+// EVP_tls_cbc_get_padding determines the padding from the decrypted, TLS, CBC
+// record in |in|. This decrypted record should not include any "decrypted"
+// explicit IV. If the record is publicly invalid, it returns zero. Otherwise,
+// it returns one and sets |*out_padding_ok| to all ones (0xfff..f) if the
+// padding is valid and zero otherwise. It then sets |*out_len| to the length
+// with the padding removed or |in_len| if invalid.
+//
+// If the function returns one, it runs in time independent of the contents of
+// |in|. It is also guaranteed that |*out_len| >= |mac_size|, satisfying
+// |EVP_tls_cbc_copy_mac|'s precondition.
int EVP_tls_cbc_remove_padding(crypto_word_t *out_padding_ok, size_t *out_len,
const uint8_t *in, size_t in_len,
size_t block_size, size_t mac_size);
-/* EVP_tls_cbc_copy_mac copies |md_size| bytes from the end of the first
- * |in_len| bytes of |in| to |out| in constant time (independent of the concrete
- * value of |in_len|, which may vary within a 256-byte window). |in| must point
- * to a buffer of |orig_len| bytes.
- *
- * On entry:
- * orig_len >= in_len >= md_size
- * md_size <= EVP_MAX_MD_SIZE */
+// EVP_tls_cbc_copy_mac copies |md_size| bytes from the end of the first
+// |in_len| bytes of |in| to |out| in constant time (independent of the concrete
+// value of |in_len|, which may vary within a 256-byte window). |in| must point
+// to a buffer of |orig_len| bytes.
+//
+// On entry:
+// orig_len >= in_len >= md_size
+// md_size <= EVP_MAX_MD_SIZE
void EVP_tls_cbc_copy_mac(uint8_t *out, size_t md_size, const uint8_t *in,
size_t in_len, size_t orig_len);
-/* EVP_tls_cbc_record_digest_supported returns 1 iff |md| is a hash function
- * which EVP_tls_cbc_digest_record supports. */
+// EVP_tls_cbc_record_digest_supported returns 1 iff |md| is a hash function
+// which EVP_tls_cbc_digest_record supports.
int EVP_tls_cbc_record_digest_supported(const EVP_MD *md);
-/* EVP_tls_cbc_digest_record computes the MAC of a decrypted, padded TLS
- * record.
- *
- * md: the hash function used in the HMAC.
- * EVP_tls_cbc_record_digest_supported must return true for this hash.
- * md_out: the digest output. At most EVP_MAX_MD_SIZE bytes will be written.
- * md_out_size: the number of output bytes is written here.
- * header: the 13-byte, TLS record header.
- * data: the record data itself
- * data_plus_mac_size: the secret, reported length of the data and MAC
- * once the padding has been removed.
- * data_plus_mac_plus_padding_size: the public length of the whole
- * record, including padding.
- *
- * On entry: by virtue of having been through one of the remove_padding
- * functions, above, we know that data_plus_mac_size is large enough to contain
- * a padding byte and MAC. (If the padding was invalid, it might contain the
- * padding too. ) */
+// EVP_tls_cbc_digest_record computes the MAC of a decrypted, padded TLS
+// record.
+//
+// md: the hash function used in the HMAC.
+// EVP_tls_cbc_record_digest_supported must return true for this hash.
+// md_out: the digest output. At most EVP_MAX_MD_SIZE bytes will be written.
+// md_out_size: the number of output bytes is written here.
+// header: the 13-byte, TLS record header.
+// data: the record data itself
+// data_plus_mac_size: the secret, reported length of the data and MAC
+// once the padding has been removed.
+// data_plus_mac_plus_padding_size: the public length of the whole
+// record, including padding.
+//
+// On entry: by virtue of having been through one of the remove_padding
+// functions, above, we know that data_plus_mac_size is large enough to contain
+// a padding byte and MAC. (If the padding was invalid, it might contain the
+// padding too. )
int EVP_tls_cbc_digest_record(const EVP_MD *md, uint8_t *md_out,
size_t *md_out_size, const uint8_t header[13],
const uint8_t *data, size_t data_plus_mac_size,
@@ -122,7 +122,7 @@
#if defined(__cplusplus)
-} /* extern C */
+} // extern C
#endif
-#endif /* OPENSSL_HEADER_CIPHER_EXTRA_INTERNAL_H */
+#endif // OPENSSL_HEADER_CIPHER_EXTRA_INTERNAL_H
diff --git a/src/crypto/cipher_extra/tls_cbc.c b/src/crypto/cipher_extra/tls_cbc.c
index 2372c5c..6f95130 100644
--- a/src/crypto/cipher_extra/tls_cbc.c
+++ b/src/crypto/cipher_extra/tls_cbc.c
@@ -62,13 +62,13 @@
#include "../fipsmodule/cipher/internal.h"
-/* MAX_HASH_BIT_COUNT_BYTES is the maximum number of bytes in the hash's length
- * field. (SHA-384/512 have 128-bit length.) */
+// MAX_HASH_BIT_COUNT_BYTES is the maximum number of bytes in the hash's length
+// field. (SHA-384/512 have 128-bit length.)
#define MAX_HASH_BIT_COUNT_BYTES 16
-/* MAX_HASH_BLOCK_SIZE is the maximum hash block size that we'll support.
- * Currently SHA-384/512 has a 128-byte block size and that's the largest
- * supported by TLS.) */
+// MAX_HASH_BLOCK_SIZE is the maximum hash block size that we'll support.
+// Currently SHA-384/512 has a 128-byte block size and that's the largest
+// supported by TLS.)
#define MAX_HASH_BLOCK_SIZE 128
int EVP_tls_cbc_remove_padding(crypto_word_t *out_padding_ok, size_t *out_len,
@@ -76,7 +76,7 @@
size_t block_size, size_t mac_size) {
const size_t overhead = 1 /* padding length byte */ + mac_size;
- /* These lengths are all public so we can test them in non-constant time. */
+ // These lengths are all public so we can test them in non-constant time.
if (overhead > in_len) {
return 0;
}
@@ -84,16 +84,16 @@
size_t padding_length = in[in_len - 1];
crypto_word_t good = constant_time_ge_w(in_len, overhead + padding_length);
- /* The padding consists of a length byte at the end of the record and
- * then that many bytes of padding, all with the same value as the
- * length byte. Thus, with the length byte included, there are i+1
- * bytes of padding.
- *
- * We can't check just |padding_length+1| bytes because that leaks
- * decrypted information. Therefore we always have to check the maximum
- * amount of padding possible. (Again, the length of the record is
- * public information so we can use it.) */
- size_t to_check = 256; /* maximum amount of padding, inc length byte. */
+ // The padding consists of a length byte at the end of the record and
+ // then that many bytes of padding, all with the same value as the
+ // length byte. Thus, with the length byte included, there are i+1
+ // bytes of padding.
+ //
+ // We can't check just |padding_length+1| bytes because that leaks
+ // decrypted information. Therefore we always have to check the maximum
+ // amount of padding possible. (Again, the length of the record is
+ // public information so we can use it.)
+ size_t to_check = 256; // maximum amount of padding, inc length byte.
if (to_check > in_len) {
to_check = in_len;
}
@@ -101,19 +101,19 @@
for (size_t i = 0; i < to_check; i++) {
uint8_t mask = constant_time_ge_8(padding_length, i);
uint8_t b = in[in_len - 1 - i];
- /* The final |padding_length+1| bytes should all have the value
- * |padding_length|. Therefore the XOR should be zero. */
+ // The final |padding_length+1| bytes should all have the value
+ // |padding_length|. Therefore the XOR should be zero.
good &= ~(mask & (padding_length ^ b));
}
- /* If any of the final |padding_length+1| bytes had the wrong value,
- * one or more of the lower eight bits of |good| will be cleared. */
+ // If any of the final |padding_length+1| bytes had the wrong value,
+ // one or more of the lower eight bits of |good| will be cleared.
good = constant_time_eq_w(0xff, good & 0xff);
- /* Always treat |padding_length| as zero on error. If, assuming block size of
- * 16, a padding of [<15 arbitrary bytes> 15] treated |padding_length| as 16
- * and returned -1, distinguishing good MAC and bad padding from bad MAC and
- * bad padding would give POODLE's padding oracle. */
+ // Always treat |padding_length| as zero on error. If, assuming block size of
+ // 16, a padding of [<15 arbitrary bytes> 15] treated |padding_length| as 16
+ // and returned -1, distinguishing good MAC and bad padding from bad MAC and
+ // bad padding would give POODLE's padding oracle.
padding_length = good & (padding_length + 1);
*out_len = in_len - padding_length;
*out_padding_ok = good;
@@ -126,7 +126,7 @@
uint8_t *rotated_mac = rotated_mac1;
uint8_t *rotated_mac_tmp = rotated_mac2;
- /* mac_end is the index of |in| just after the end of the MAC. */
+ // mac_end is the index of |in| just after the end of the MAC.
size_t mac_end = in_len;
size_t mac_start = mac_end - md_size;
@@ -134,10 +134,10 @@
assert(in_len >= md_size);
assert(md_size <= EVP_MAX_MD_SIZE);
- /* scan_start contains the number of bytes that we can ignore because
- * the MAC's position can only vary by 255 bytes. */
+ // scan_start contains the number of bytes that we can ignore because
+ // the MAC's position can only vary by 255 bytes.
size_t scan_start = 0;
- /* This information is public so it's safe to branch based on it. */
+ // This information is public so it's safe to branch based on it.
if (orig_len > md_size + 255 + 1) {
scan_start = orig_len - (md_size + 255 + 1);
}
@@ -153,15 +153,15 @@
mac_started |= is_mac_start;
uint8_t mac_ended = constant_time_ge_8(i, mac_end);
rotated_mac[j] |= in[i] & mac_started & ~mac_ended;
- /* Save the offset that |mac_start| is mapped to. */
+ // Save the offset that |mac_start| is mapped to.
rotate_offset |= j & is_mac_start;
}
- /* Now rotate the MAC. We rotate in log(md_size) steps, one for each bit
- * position. */
+ // Now rotate the MAC. We rotate in log(md_size) steps, one for each bit
+ // position.
for (size_t offset = 1; offset < md_size; offset <<= 1, rotate_offset >>= 1) {
- /* Rotate by |offset| iff the corresponding bit is set in
- * |rotate_offset|, placing the result in |rotated_mac_tmp|. */
+ // Rotate by |offset| iff the corresponding bit is set in
+ // |rotate_offset|, placing the result in |rotated_mac_tmp|.
const uint8_t skip_rotate = (rotate_offset & 1) - 1;
for (size_t i = 0, j = offset; i < md_size; i++, j++) {
if (j >= md_size) {
@@ -171,9 +171,9 @@
constant_time_select_8(skip_rotate, rotated_mac[i], rotated_mac[j]);
}
- /* Swap pointers so |rotated_mac| contains the (possibly) rotated value.
- * Note the number of iterations and thus the identity of these pointers is
- * public information. */
+ // Swap pointers so |rotated_mac| contains the (possibly) rotated value.
+ // Note the number of iterations and thus the identity of these pointers is
+ // public information.
uint8_t *tmp = rotated_mac;
rotated_mac = rotated_mac_tmp;
rotated_mac_tmp = tmp;
@@ -182,8 +182,8 @@
OPENSSL_memcpy(out, rotated_mac, md_size);
}
-/* u32toBE serialises an unsigned, 32-bit number (n) as four bytes at (p) in
- * big-endian order. The value of p is advanced by four. */
+// u32toBE serialises an unsigned, 32-bit number (n) as four bytes at (p) in
+// big-endian order. The value of p is advanced by four.
#define u32toBE(n, p) \
do { \
*((p)++) = (uint8_t)((n) >> 24); \
@@ -192,8 +192,8 @@
*((p)++) = (uint8_t)((n)); \
} while (0)
-/* u64toBE serialises an unsigned, 64-bit number (n) as eight bytes at (p) in
- * big-endian order. The value of p is advanced by eight. */
+// u64toBE serialises an unsigned, 64-bit number (n) as eight bytes at (p) in
+// big-endian order. The value of p is advanced by eight.
#define u64toBE(n, p) \
do { \
*((p)++) = (uint8_t)((n) >> 56); \
@@ -224,9 +224,9 @@
SHA512_Transform(&ctx->sha512, block);
}
-/* These functions serialize the state of a hash and thus perform the standard
- * "final" operation without adding the padding and length that such a function
- * typically does. */
+// These functions serialize the state of a hash and thus perform the standard
+// "final" operation without adding the padding and length that such a function
+// typically does.
static void tls1_sha1_final_raw(HASH_CTX *ctx, uint8_t *md_out) {
SHA_CTX *sha1 = &ctx->sha1;
u32toBE(sha1->h[0], md_out);
@@ -272,13 +272,13 @@
void (*md_final_raw)(HASH_CTX *ctx, uint8_t *md_out);
void (*md_transform)(HASH_CTX *ctx, const uint8_t *block);
unsigned md_size, md_block_size = 64;
- /* md_length_size is the number of bytes in the length field that terminates
- * the hash. */
+ // md_length_size is the number of bytes in the length field that terminates
+ // the hash.
unsigned md_length_size = 8;
- /* Bound the acceptable input so we can forget about many possible overflows
- * later in this function. This is redundant with the record size limits in
- * TLS. */
+ // Bound the acceptable input so we can forget about many possible overflows
+ // later in this function. This is redundant with the record size limits in
+ // TLS.
if (data_plus_mac_plus_padding_size >= 1024 * 1024) {
assert(0);
return 0;
@@ -309,8 +309,8 @@
break;
default:
- /* EVP_tls_cbc_record_digest_supported should have been called first to
- * check that the hash function is supported. */
+ // EVP_tls_cbc_record_digest_supported should have been called first to
+ // check that the hash function is supported.
assert(0);
*md_out_size = 0;
return 0;
@@ -322,45 +322,45 @@
static const size_t kHeaderLength = 13;
- /* kVarianceBlocks is the number of blocks of the hash that we have to
- * calculate in constant time because they could be altered by the
- * padding value.
- *
- * TLSv1 has MACs up to 48 bytes long (SHA-384) and the padding is not
- * required to be minimal. Therefore we say that the final six blocks
- * can vary based on the padding. */
+ // kVarianceBlocks is the number of blocks of the hash that we have to
+ // calculate in constant time because they could be altered by the
+ // padding value.
+ //
+ // TLSv1 has MACs up to 48 bytes long (SHA-384) and the padding is not
+ // required to be minimal. Therefore we say that the final six blocks
+ // can vary based on the padding.
static const size_t kVarianceBlocks = 6;
- /* From now on we're dealing with the MAC, which conceptually has 13
- * bytes of `header' before the start of the data. */
+ // From now on we're dealing with the MAC, which conceptually has 13
+ // bytes of `header' before the start of the data.
size_t len = data_plus_mac_plus_padding_size + kHeaderLength;
- /* max_mac_bytes contains the maximum bytes of bytes in the MAC, including
- * |header|, assuming that there's no padding. */
+ // max_mac_bytes contains the maximum bytes of bytes in the MAC, including
+ // |header|, assuming that there's no padding.
size_t max_mac_bytes = len - md_size - 1;
- /* num_blocks is the maximum number of hash blocks. */
+ // num_blocks is the maximum number of hash blocks.
size_t num_blocks =
(max_mac_bytes + 1 + md_length_size + md_block_size - 1) / md_block_size;
- /* In order to calculate the MAC in constant time we have to handle
- * the final blocks specially because the padding value could cause the
- * end to appear somewhere in the final |kVarianceBlocks| blocks and we
- * can't leak where. However, |num_starting_blocks| worth of data can
- * be hashed right away because no padding value can affect whether
- * they are plaintext. */
+ // In order to calculate the MAC in constant time we have to handle
+ // the final blocks specially because the padding value could cause the
+ // end to appear somewhere in the final |kVarianceBlocks| blocks and we
+ // can't leak where. However, |num_starting_blocks| worth of data can
+ // be hashed right away because no padding value can affect whether
+ // they are plaintext.
size_t num_starting_blocks = 0;
- /* k is the starting byte offset into the conceptual header||data where
- * we start processing. */
+ // k is the starting byte offset into the conceptual header||data where
+ // we start processing.
size_t k = 0;
- /* mac_end_offset is the index just past the end of the data to be
- * MACed. */
+ // mac_end_offset is the index just past the end of the data to be
+ // MACed.
size_t mac_end_offset = data_plus_mac_size + kHeaderLength - md_size;
- /* c is the index of the 0x80 byte in the final hash block that
- * contains application data. */
+ // c is the index of the 0x80 byte in the final hash block that
+ // contains application data.
size_t c = mac_end_offset % md_block_size;
- /* index_a is the hash block number that contains the 0x80 terminating
- * value. */
+ // index_a is the hash block number that contains the 0x80 terminating
+ // value.
size_t index_a = mac_end_offset / md_block_size;
- /* index_b is the hash block number that contains the 64-bit hash
- * length, in bits. */
+ // index_b is the hash block number that contains the 64-bit hash
+ // length, in bits.
size_t index_b = (mac_end_offset + md_length_size) / md_block_size;
if (num_blocks > kVarianceBlocks) {
@@ -368,13 +368,13 @@
k = md_block_size * num_starting_blocks;
}
- /* bits is the hash-length in bits. It includes the additional hash
- * block for the masked HMAC key. */
- size_t bits = 8 * mac_end_offset; /* at most 18 bits to represent */
+ // bits is the hash-length in bits. It includes the additional hash
+ // block for the masked HMAC key.
+ size_t bits = 8 * mac_end_offset; // at most 18 bits to represent
- /* Compute the initial HMAC block. */
+ // Compute the initial HMAC block.
bits += 8 * md_block_size;
- /* hmac_pad is the masked HMAC key. */
+ // hmac_pad is the masked HMAC key.
uint8_t hmac_pad[MAX_HASH_BLOCK_SIZE];
OPENSSL_memset(hmac_pad, 0, md_block_size);
assert(mac_secret_length <= sizeof(hmac_pad));
@@ -385,7 +385,7 @@
md_transform(&md_state, hmac_pad);
- /* The length check means |bits| fits in four bytes. */
+ // The length check means |bits| fits in four bytes.
uint8_t length_bytes[MAX_HASH_BIT_COUNT_BYTES];
OPENSSL_memset(length_bytes, 0, md_length_size - 4);
length_bytes[md_length_size - 4] = (uint8_t)(bits >> 24);
@@ -394,7 +394,7 @@
length_bytes[md_length_size - 1] = (uint8_t)bits;
if (k > 0) {
- /* k is a multiple of md_block_size. */
+ // k is a multiple of md_block_size.
uint8_t first_block[MAX_HASH_BLOCK_SIZE];
OPENSSL_memcpy(first_block, header, 13);
OPENSSL_memcpy(first_block + 13, data, md_block_size - 13);
@@ -407,10 +407,10 @@
uint8_t mac_out[EVP_MAX_MD_SIZE];
OPENSSL_memset(mac_out, 0, sizeof(mac_out));
- /* We now process the final hash blocks. For each block, we construct
- * it in constant time. If the |i==index_a| then we'll include the 0x80
- * bytes and zero pad etc. For each block we selectively copy it, in
- * constant time, to |mac_out|. */
+ // We now process the final hash blocks. For each block, we construct
+ // it in constant time. If the |i==index_a| then we'll include the 0x80
+ // bytes and zero pad etc. For each block we selectively copy it, in
+ // constant time, to |mac_out|.
for (size_t i = num_starting_blocks;
i <= num_starting_blocks + kVarianceBlocks; i++) {
uint8_t block[MAX_HASH_BLOCK_SIZE];
@@ -427,24 +427,24 @@
uint8_t is_past_c = is_block_a & constant_time_ge_8(j, c);
uint8_t is_past_cp1 = is_block_a & constant_time_ge_8(j, c + 1);
- /* If this is the block containing the end of the
- * application data, and we are at the offset for the
- * 0x80 value, then overwrite b with 0x80. */
+ // If this is the block containing the end of the
+ // application data, and we are at the offset for the
+ // 0x80 value, then overwrite b with 0x80.
b = constant_time_select_8(is_past_c, 0x80, b);
- /* If this the the block containing the end of the
- * application data and we're past the 0x80 value then
- * just write zero. */
+ // If this the the block containing the end of the
+ // application data and we're past the 0x80 value then
+ // just write zero.
b = b & ~is_past_cp1;
- /* If this is index_b (the final block), but not
- * index_a (the end of the data), then the 64-bit
- * length didn't fit into index_a and we're having to
- * add an extra block of zeros. */
+ // If this is index_b (the final block), but not
+ // index_a (the end of the data), then the 64-bit
+ // length didn't fit into index_a and we're having to
+ // add an extra block of zeros.
b &= ~is_block_b | is_block_a;
- /* The final bytes of one of the blocks contains the
- * length. */
+ // The final bytes of one of the blocks contains the
+ // length.
if (j >= md_block_size - md_length_size) {
- /* If this is index_b, write a length byte. */
+ // If this is index_b, write a length byte.
b = constant_time_select_8(
is_block_b, length_bytes[j - (md_block_size - md_length_size)], b);
}
@@ -453,7 +453,7 @@
md_transform(&md_state, block);
md_final_raw(&md_state, block);
- /* If this is index_b, copy the hash value to |mac_out|. */
+ // If this is index_b, copy the hash value to |mac_out|.
for (size_t j = 0; j < md_size; j++) {
mac_out[j] |= block[j] & is_block_b;
}
@@ -466,7 +466,7 @@
return 0;
}
- /* Complete the HMAC in the standard manner. */
+ // Complete the HMAC in the standard manner.
for (size_t i = 0; i < md_block_size; i++) {
hmac_pad[i] ^= 0x6a;
}
diff --git a/src/crypto/cmac/cmac.c b/src/crypto/cmac/cmac.c
index a9a527d..fb4e69c 100644
--- a/src/crypto/cmac/cmac.c
+++ b/src/crypto/cmac/cmac.c
@@ -60,13 +60,13 @@
struct cmac_ctx_st {
EVP_CIPHER_CTX cipher_ctx;
- /* k1 and k2 are the CMAC subkeys. See
- * https://tools.ietf.org/html/rfc4493#section-2.3 */
+ // k1 and k2 are the CMAC subkeys. See
+ // https://tools.ietf.org/html/rfc4493#section-2.3
uint8_t k1[AES_BLOCK_SIZE];
uint8_t k2[AES_BLOCK_SIZE];
- /* Last (possibly partial) scratch */
+ // Last (possibly partial) scratch
uint8_t block[AES_BLOCK_SIZE];
- /* block_used contains the number of valid bytes in |block|. */
+ // block_used contains the number of valid bytes in |block|.
unsigned block_used;
};
@@ -124,20 +124,20 @@
OPENSSL_free(ctx);
}
-/* binary_field_mul_x treats the 128 bits at |in| as an element of GF(2¹²⁸)
- * with a hard-coded reduction polynomial and sets |out| as x times the
- * input.
- *
- * See https://tools.ietf.org/html/rfc4493#section-2.3 */
+// binary_field_mul_x treats the 128 bits at |in| as an element of GF(2¹²⁸)
+// with a hard-coded reduction polynomial and sets |out| as x times the
+// input.
+//
+// See https://tools.ietf.org/html/rfc4493#section-2.3
static void binary_field_mul_x(uint8_t out[16], const uint8_t in[16]) {
unsigned i;
- /* Shift |in| to left, including carry. */
+ // Shift |in| to left, including carry.
for (i = 0; i < 15; i++) {
out[i] = (in[i] << 1) | (in[i+1] >> 7);
}
- /* If MSB set fixup with R. */
+ // If MSB set fixup with R.
const uint8_t carry = in[0] >> 7;
out[i] = (in[i] << 1) ^ ((0 - carry) & 0x87);
}
@@ -152,7 +152,7 @@
EVP_CIPHER_key_length(cipher) != key_len ||
!EVP_EncryptInit_ex(&ctx->cipher_ctx, cipher, NULL, key, kZeroIV) ||
!EVP_Cipher(&ctx->cipher_ctx, scratch, kZeroIV, AES_BLOCK_SIZE) ||
- /* Reset context again ready for first data. */
+ // Reset context again ready for first data.
!EVP_EncryptInit_ex(&ctx->cipher_ctx, NULL, NULL, NULL, kZeroIV)) {
return 0;
}
@@ -183,11 +183,11 @@
in_len -= todo;
ctx->block_used += todo;
- /* If |in_len| is zero then either |ctx->block_used| is less than
- * |AES_BLOCK_SIZE|, in which case we can stop here, or |ctx->block_used|
- * is exactly |AES_BLOCK_SIZE| but there's no more data to process. In the
- * latter case we don't want to process this block now because it might be
- * the last block and that block is treated specially. */
+ // If |in_len| is zero then either |ctx->block_used| is less than
+ // |AES_BLOCK_SIZE|, in which case we can stop here, or |ctx->block_used|
+ // is exactly |AES_BLOCK_SIZE| but there's no more data to process. In the
+ // latter case we don't want to process this block now because it might be
+ // the last block and that block is treated specially.
if (in_len == 0) {
return 1;
}
@@ -199,7 +199,7 @@
}
}
- /* Encrypt all but one of the remaining blocks. */
+ // Encrypt all but one of the remaining blocks.
while (in_len > AES_BLOCK_SIZE) {
if (!EVP_Cipher(&ctx->cipher_ctx, scratch, in, AES_BLOCK_SIZE)) {
return 0;
@@ -223,8 +223,8 @@
const uint8_t *mask = ctx->k1;
if (ctx->block_used != AES_BLOCK_SIZE) {
- /* If the last block is incomplete, terminate it with a single 'one' bit
- * followed by zeros. */
+ // If the last block is incomplete, terminate it with a single 'one' bit
+ // followed by zeros.
ctx->block[ctx->block_used] = 0x80;
OPENSSL_memset(ctx->block + ctx->block_used + 1, 0,
AES_BLOCK_SIZE - (ctx->block_used + 1));
diff --git a/src/crypto/conf/conf.c b/src/crypto/conf/conf.c
index 00172f5..f8ff613 100644
--- a/src/crypto/conf/conf.c
+++ b/src/crypto/conf/conf.c
@@ -69,8 +69,8 @@
#include "../internal.h"
-/* The maximum length we can grow a value to after variable expansion. 64k
- * should be more than enough for all reasonable uses. */
+// The maximum length we can grow a value to after variable expansion. 64k
+// should be more than enough for all reasonable uses.
#define MAX_CONF_VALUE_LENGTH 65536
static uint32_t conf_value_hash(const CONF_VALUE *v) {
@@ -263,7 +263,7 @@
} else if (IS_EOF(conf, *from)) {
break;
} else if (*from == '$') {
- /* try to expand it */
+ // try to expand it
rrp = NULL;
s = &(from[1]);
if (*s == '{') {
@@ -303,14 +303,14 @@
}
e++;
}
- /* So at this point we have
- * np which is the start of the name string which is
- * '\0' terminated.
- * cp which is the start of the section string which is
- * '\0' terminated.
- * e is the 'next point after'.
- * r and rr are the chars replaced by the '\0'
- * rp and rrp is where 'r' and 'rr' came from. */
+ // So at this point we have
+ // np which is the start of the name string which is
+ // '\0' terminated.
+ // cp which is the start of the section string which is
+ // '\0' terminated.
+ // e is the 'next point after'.
+ // r and rr are the chars replaced by the '\0'
+ // rp and rrp is where 'r' and 'rr' came from.
p = NCONF_get_string(conf, cp, np);
if (rrp != NULL) {
*rrp = rr;
@@ -566,25 +566,25 @@
i--;
}
}
- /* we removed some trailing stuff so there is a new
- * line on the end. */
+ // we removed some trailing stuff so there is a new
+ // line on the end.
if (ii && i == ii) {
- again = 1; /* long line */
+ again = 1; // long line
} else {
p[i] = '\0';
- eline++; /* another input line */
+ eline++; // another input line
}
- /* we now have a line with trailing \r\n removed */
+ // we now have a line with trailing \r\n removed
- /* i is the number of bytes */
+ // i is the number of bytes
bufnum += i;
v = NULL;
- /* check for line continuation */
+ // check for line continuation
if (bufnum >= 1) {
- /* If we have bytes and the last char '\\' and
- * second last char is not '\\' */
+ // If we have bytes and the last char '\\' and
+ // second last char is not '\\'
p = &(buff->data[bufnum - 1]);
if (IS_ESC(conf, p[0]) && ((bufnum <= 1) || !IS_ESC(conf, p[-1]))) {
bufnum--;
@@ -600,7 +600,7 @@
clear_comments(conf, buf);
s = eat_ws(conf, buf);
if (IS_EOF(conf, *s)) {
- continue; /* blank line */
+ continue; // blank line
}
if (*s == '[') {
char *ss;
diff --git a/src/crypto/conf/internal.h b/src/crypto/conf/internal.h
index 03d1a8f..3e0e57d 100644
--- a/src/crypto/conf/internal.h
+++ b/src/crypto/conf/internal.h
@@ -20,12 +20,12 @@
#endif
-/* CONF_VALUE_new returns a freshly allocated and zeroed |CONF_VALUE|. */
+// CONF_VALUE_new returns a freshly allocated and zeroed |CONF_VALUE|.
CONF_VALUE *CONF_VALUE_new(void);
#if defined(__cplusplus)
-} /* extern C */
+} // extern C
#endif
-#endif /* OPENSSL_HEADER_CRYPTO_CONF_INTERNAL_H */
+#endif // OPENSSL_HEADER_CRYPTO_CONF_INTERNAL_H
diff --git a/src/crypto/cpu-aarch64-linux.c b/src/crypto/cpu-aarch64-linux.c
index 1b0f395..f9fa6c5 100644
--- a/src/crypto/cpu-aarch64-linux.c
+++ b/src/crypto/cpu-aarch64-linux.c
@@ -28,8 +28,8 @@
void OPENSSL_cpuid_setup(void) {
unsigned long hwcap = getauxval(AT_HWCAP);
- /* See /usr/include/asm/hwcap.h on an aarch64 installation for the source of
- * these values. */
+ // See /usr/include/asm/hwcap.h on an aarch64 installation for the source of
+ // these values.
static const unsigned long kNEON = 1 << 1;
static const unsigned long kAES = 1 << 3;
static const unsigned long kPMULL = 1 << 4;
@@ -37,8 +37,8 @@
static const unsigned long kSHA256 = 1 << 6;
if ((hwcap & kNEON) == 0) {
- /* Matching OpenSSL, if NEON is missing, don't report other features
- * either. */
+ // Matching OpenSSL, if NEON is missing, don't report other features
+ // either.
return;
}
@@ -58,4 +58,4 @@
}
}
-#endif /* OPENSSL_AARCH64 && !OPENSSL_STATIC_ARMCAP */
+#endif // OPENSSL_AARCH64 && !OPENSSL_STATIC_ARMCAP
diff --git a/src/crypto/cpu-arm-linux.c b/src/crypto/cpu-arm-linux.c
index 95bb5ee..a5f1f8a 100644
--- a/src/crypto/cpu-arm-linux.c
+++ b/src/crypto/cpu-arm-linux.c
@@ -34,15 +34,15 @@
#define HWCAP_NEON (1 << 12)
-/* See /usr/include/asm/hwcap.h on an ARM installation for the source of
- * these values. */
+// See /usr/include/asm/hwcap.h on an ARM installation for the source of
+// these values.
#define HWCAP2_AES (1 << 0)
#define HWCAP2_PMULL (1 << 1)
#define HWCAP2_SHA1 (1 << 2)
#define HWCAP2_SHA2 (1 << 3)
-/* |getauxval| is not available on Android until API level 20. Link it as a weak
- * symbol and use other methods as fallback. */
+// |getauxval| is not available on Android until API level 20. Link it as a weak
+// symbol and use other methods as fallback.
unsigned long getauxval(unsigned long type) __attribute__((weak));
static int open_eintr(const char *path, int flags) {
@@ -61,8 +61,8 @@
return ret;
}
-/* read_full reads exactly |len| bytes from |fd| to |out|. On error or end of
- * file, it returns zero. */
+// read_full reads exactly |len| bytes from |fd| to |out|. On error or end of
+// file, it returns zero.
static int read_full(int fd, void *out, size_t len) {
char *outp = out;
while (len > 0) {
@@ -76,9 +76,9 @@
return 1;
}
-/* read_file opens |path| and reads until end-of-file. On success, it returns
- * one and sets |*out_ptr| and |*out_len| to a newly-allocated buffer with the
- * contents. Otherwise, it returns zero. */
+// read_file opens |path| and reads until end-of-file. On success, it returns
+// one and sets |*out_ptr| and |*out_len| to a newly-allocated buffer with the
+// contents. Otherwise, it returns zero.
static int read_file(char **out_ptr, size_t *out_len, const char *path) {
int fd = open_eintr(path, O_RDONLY);
if (fd < 0) {
@@ -128,7 +128,7 @@
return ret;
}
-/* getauxval_proc behaves like |getauxval| but reads from /proc/self/auxv. */
+// getauxval_proc behaves like |getauxval| but reads from /proc/self/auxv.
static unsigned long getauxval_proc(unsigned long type) {
int fd = open_eintr("/proc/self/auxv", O_RDONLY);
if (fd < 0) {
@@ -164,16 +164,16 @@
return a->len == b_len && OPENSSL_memcmp(a->data, b, b_len) == 0;
}
-/* STRING_PIECE_split finds the first occurence of |sep| in |in| and, if found,
- * sets |*out_left| and |*out_right| to |in| split before and after it. It
- * returns one if |sep| was found and zero otherwise. */
+// STRING_PIECE_split finds the first occurence of |sep| in |in| and, if found,
+// sets |*out_left| and |*out_right| to |in| split before and after it. It
+// returns one if |sep| was found and zero otherwise.
static int STRING_PIECE_split(STRING_PIECE *out_left, STRING_PIECE *out_right,
const STRING_PIECE *in, char sep) {
const char *p = OPENSSL_memchr(in->data, sep, in->len);
if (p == NULL) {
return 0;
}
- /* |out_left| or |out_right| may alias |in|, so make a copy. */
+ // |out_left| or |out_right| may alias |in|, so make a copy.
STRING_PIECE in_copy = *in;
out_left->data = in_copy.data;
out_left->len = p - in_copy.data;
@@ -182,7 +182,7 @@
return 1;
}
-/* STRING_PIECE_trim removes leading and trailing whitespace from |s|. */
+// STRING_PIECE_trim removes leading and trailing whitespace from |s|.
static void STRING_PIECE_trim(STRING_PIECE *s) {
while (s->len != 0 && (s->data[0] == ' ' || s->data[0] == '\t')) {
s->data++;
@@ -194,12 +194,12 @@
}
}
-/* extract_cpuinfo_field extracts a /proc/cpuinfo field named |field| from
- * |in|. If found, it sets |*out| to the value and returns one. Otherwise, it
- * returns zero. */
+// extract_cpuinfo_field extracts a /proc/cpuinfo field named |field| from
+// |in|. If found, it sets |*out| to the value and returns one. Otherwise, it
+// returns zero.
static int extract_cpuinfo_field(STRING_PIECE *out, const STRING_PIECE *in,
const char *field) {
- /* Process |in| one line at a time. */
+ // Process |in| one line at a time.
STRING_PIECE remaining = *in, line;
while (STRING_PIECE_split(&line, &remaining, &remaining, '\n')) {
STRING_PIECE key, value;
@@ -224,8 +224,8 @@
STRING_PIECE_equals(&extracted, value);
}
-/* has_list_item treats |list| as a space-separated list of items and returns
- * one if |item| is contained in |list| and zero otherwise. */
+// has_list_item treats |list| as a space-separated list of items and returns
+// one if |item| is contained in |list| and zero otherwise.
static int has_list_item(const STRING_PIECE *list, const char *item) {
STRING_PIECE remaining = *list, feature;
while (STRING_PIECE_split(&feature, &remaining, &remaining, ' ')) {
@@ -238,11 +238,11 @@
static unsigned long get_hwcap_cpuinfo(const STRING_PIECE *cpuinfo) {
if (cpuinfo_field_equals(cpuinfo, "CPU architecture", "8")) {
- /* This is a 32-bit ARM binary running on a 64-bit kernel. NEON is always
- * available on ARMv8. Linux omits required features, so reading the
- * "Features" line does not work. (For simplicity, use strict equality. We
- * assume everything running on future ARM architectures will have a
- * working |getauxval|.) */
+ // This is a 32-bit ARM binary running on a 64-bit kernel. NEON is always
+ // available on ARMv8. Linux omits required features, so reading the
+ // "Features" line does not work. (For simplicity, use strict equality. We
+ // assume everything running on future ARM architectures will have a
+ // working |getauxval|.)
return HWCAP_NEON;
}
@@ -276,8 +276,8 @@
return ret;
}
-/* has_broken_neon returns one if |in| matches a CPU known to have a broken
- * NEON unit. See https://crbug.com/341598. */
+// has_broken_neon returns one if |in| matches a CPU known to have a broken
+// NEON unit. See https://crbug.com/341598.
static int has_broken_neon(const STRING_PIECE *cpuinfo) {
return cpuinfo_field_equals(cpuinfo, "CPU implementer", "0x51") &&
cpuinfo_field_equals(cpuinfo, "CPU architecture", "7") &&
@@ -300,13 +300,13 @@
cpuinfo.data = cpuinfo_data;
cpuinfo.len = cpuinfo_len;
- /* |getauxval| is not available on Android until API level 20. If it is
- * unavailable, read from /proc/self/auxv as a fallback. This is unreadable
- * on some versions of Android, so further fall back to /proc/cpuinfo.
- *
- * See
- * https://android.googlesource.com/platform/ndk/+/882ac8f3392858991a0e1af33b4b7387ec856bd2
- * and b/13679666 (Google-internal) for details. */
+ // |getauxval| is not available on Android until API level 20. If it is
+ // unavailable, read from /proc/self/auxv as a fallback. This is unreadable
+ // on some versions of Android, so further fall back to /proc/cpuinfo.
+ //
+ // See
+ // https://android.googlesource.com/platform/ndk/+/882ac8f3392858991a0e1af33b4b7387ec856bd2
+ // and b/13679666 (Google-internal) for details.
unsigned long hwcap = 0;
if (getauxval != NULL) {
hwcap = getauxval(AT_HWCAP);
@@ -318,18 +318,18 @@
hwcap = get_hwcap_cpuinfo(&cpuinfo);
}
- /* Clear NEON support if known broken. */
+ // Clear NEON support if known broken.
g_has_broken_neon = has_broken_neon(&cpuinfo);
if (g_has_broken_neon) {
hwcap &= ~HWCAP_NEON;
}
- /* Matching OpenSSL, only report other features if NEON is present. */
+ // Matching OpenSSL, only report other features if NEON is present.
if (hwcap & HWCAP_NEON) {
OPENSSL_armcap_P |= ARMV7_NEON;
- /* Some ARMv8 Android devices don't expose AT_HWCAP2. Fall back to
- * /proc/cpuinfo. See https://crbug.com/596156. */
+ // Some ARMv8 Android devices don't expose AT_HWCAP2. Fall back to
+ // /proc/cpuinfo. See https://crbug.com/596156.
unsigned long hwcap2 = 0;
if (getauxval != NULL) {
hwcap2 = getauxval(AT_HWCAP2);
@@ -357,4 +357,4 @@
int CRYPTO_has_broken_NEON(void) { return g_has_broken_neon; }
-#endif /* OPENSSL_ARM && !OPENSSL_STATIC_ARMCAP */
+#endif // OPENSSL_ARM && !OPENSSL_STATIC_ARMCAP
diff --git a/src/crypto/cpu-intel.c b/src/crypto/cpu-intel.c
index ef327df..127fa57 100644
--- a/src/crypto/cpu-intel.c
+++ b/src/crypto/cpu-intel.c
@@ -68,7 +68,7 @@
#include <stdlib.h>
#include <string.h>
-#if defined(OPENSSL_WINDOWS)
+#if defined(_MSC_VER)
OPENSSL_MSVC_PRAGMA(warning(push, 3))
#include <immintrin.h>
#include <intrin.h>
@@ -78,12 +78,12 @@
#include "internal.h"
-/* OPENSSL_cpuid runs the cpuid instruction. |leaf| is passed in as EAX and ECX
- * is set to zero. It writes EAX, EBX, ECX, and EDX to |*out_eax| through
- * |*out_edx|. */
+// OPENSSL_cpuid runs the cpuid instruction. |leaf| is passed in as EAX and ECX
+// is set to zero. It writes EAX, EBX, ECX, and EDX to |*out_eax| through
+// |*out_edx|.
static void OPENSSL_cpuid(uint32_t *out_eax, uint32_t *out_ebx,
uint32_t *out_ecx, uint32_t *out_edx, uint32_t leaf) {
-#if defined(OPENSSL_WINDOWS)
+#if defined(_MSC_VER)
int tmp[4];
__cpuid(tmp, (int)leaf);
*out_eax = (uint32_t)tmp[0];
@@ -91,8 +91,8 @@
*out_ecx = (uint32_t)tmp[2];
*out_edx = (uint32_t)tmp[3];
#elif defined(__pic__) && defined(OPENSSL_32_BIT)
- /* Inline assembly may not clobber the PIC register. For 32-bit, this is EBX.
- * See https://gcc.gnu.org/bugzilla/show_bug.cgi?id=47602. */
+ // Inline assembly may not clobber the PIC register. For 32-bit, this is EBX.
+ // See https://gcc.gnu.org/bugzilla/show_bug.cgi?id=47602.
__asm__ volatile (
"xor %%ecx, %%ecx\n"
"mov %%ebx, %%edi\n"
@@ -111,10 +111,10 @@
#endif
}
-/* OPENSSL_xgetbv returns the value of an Intel Extended Control Register (XCR).
- * Currently only XCR0 is defined by Intel so |xcr| should always be zero. */
+// OPENSSL_xgetbv returns the value of an Intel Extended Control Register (XCR).
+// Currently only XCR0 is defined by Intel so |xcr| should always be zero.
static uint64_t OPENSSL_xgetbv(uint32_t xcr) {
-#if defined(OPENSSL_WINDOWS)
+#if defined(_MSC_VER)
return (uint64_t)_xgetbv(xcr);
#else
uint32_t eax, edx;
@@ -123,8 +123,8 @@
#endif
}
-/* handle_cpu_env applies the value from |in| to the CPUID values in |out[0]|
- * and |out[1]|. See the comment in |OPENSSL_cpuid_setup| about this. */
+// handle_cpu_env applies the value from |in| to the CPUID values in |out[0]|
+// and |out[1]|. See the comment in |OPENSSL_cpuid_setup| about this.
static void handle_cpu_env(uint32_t *out, const char *in) {
const int invert = in[0] == '~';
uint64_t v;
@@ -143,7 +143,7 @@
}
void OPENSSL_cpuid_setup(void) {
- /* Determine the vendor and maximum input value. */
+ // Determine the vendor and maximum input value.
uint32_t eax, ebx, ecx, edx;
OPENSSL_cpuid(&eax, &ebx, &ecx, &edx, 0);
@@ -158,8 +158,8 @@
int has_amd_xop = 0;
if (is_amd) {
- /* AMD-specific logic.
- * See http://developer.amd.com/wordpress/media/2012/10/254811.pdf */
+ // AMD-specific logic.
+ // See http://developer.amd.com/wordpress/media/2012/10/254811.pdf
OPENSSL_cpuid(&eax, &ebx, &ecx, &edx, 0x80000000);
uint32_t num_extended_ids = eax;
if (num_extended_ids >= 0x80000001) {
@@ -176,23 +176,23 @@
extended_features = ebx;
}
- /* Determine the number of cores sharing an L1 data cache to adjust the
- * hyper-threading bit. */
+ // Determine the number of cores sharing an L1 data cache to adjust the
+ // hyper-threading bit.
uint32_t cores_per_cache = 0;
if (is_amd) {
- /* AMD CPUs never share an L1 data cache between threads but do set the HTT
- * bit on multi-core CPUs. */
+ // AMD CPUs never share an L1 data cache between threads but do set the HTT
+ // bit on multi-core CPUs.
cores_per_cache = 1;
} else if (num_ids >= 4) {
- /* TODO(davidben): The Intel manual says this CPUID leaf enumerates all
- * caches using ECX and doesn't say which is first. Does this matter? */
+ // TODO(davidben): The Intel manual says this CPUID leaf enumerates all
+ // caches using ECX and doesn't say which is first. Does this matter?
OPENSSL_cpuid(&eax, &ebx, &ecx, &edx, 4);
cores_per_cache = 1 + ((eax >> 14) & 0xfff);
}
OPENSSL_cpuid(&eax, &ebx, &ecx, &edx, 1);
- /* Adjust the hyper-threading bit. */
+ // Adjust the hyper-threading bit.
if (edx & (1 << 28)) {
uint32_t num_logical_cores = (ebx >> 16) & 0xff;
if (cores_per_cache == 1 || num_logical_cores <= 1) {
@@ -200,17 +200,17 @@
}
}
- /* Reserved bit #20 was historically repurposed to control the in-memory
- * representation of RC4 state. Always set it to zero. */
+ // Reserved bit #20 was historically repurposed to control the in-memory
+ // representation of RC4 state. Always set it to zero.
edx &= ~(1 << 20);
- /* Reserved bit #30 is repurposed to signal an Intel CPU. */
+ // Reserved bit #30 is repurposed to signal an Intel CPU.
if (is_intel) {
edx |= (1 << 30);
- /* Clear the XSAVE bit on Knights Landing to mimic Silvermont. This enables
- * some Silvermont-specific codepaths which perform better. See OpenSSL
- * commit 64d92d74985ebb3d0be58a9718f9e080a14a8e7f. */
+ // Clear the XSAVE bit on Knights Landing to mimic Silvermont. This enables
+ // some Silvermont-specific codepaths which perform better. See OpenSSL
+ // commit 64d92d74985ebb3d0be58a9718f9e080a14a8e7f.
if ((eax & 0x0fff0ff0) == 0x00050670 /* Knights Landing */ ||
(eax & 0x0fff0ff0) == 0x00080650 /* Knights Mill (per SDE) */) {
ecx &= ~(1 << 26);
@@ -219,7 +219,7 @@
edx &= ~(1 << 30);
}
- /* The SDBG bit is repurposed to denote AMD XOP support. */
+ // The SDBG bit is repurposed to denote AMD XOP support.
if (has_amd_xop) {
ecx |= (1 << 11);
} else {
@@ -228,31 +228,31 @@
uint64_t xcr0 = 0;
if (ecx & (1 << 27)) {
- /* XCR0 may only be queried if the OSXSAVE bit is set. */
+ // XCR0 may only be queried if the OSXSAVE bit is set.
xcr0 = OPENSSL_xgetbv(0);
}
- /* See Intel manual, volume 1, section 14.3. */
+ // See Intel manual, volume 1, section 14.3.
if ((xcr0 & 6) != 6) {
- /* YMM registers cannot be used. */
- ecx &= ~(1 << 28); /* AVX */
- ecx &= ~(1 << 12); /* FMA */
- ecx &= ~(1 << 11); /* AMD XOP */
- /* Clear AVX2 and AVX512* bits.
- *
- * TODO(davidben): Should bits 17 and 26-28 also be cleared? Upstream
- * doesn't clear those. */
+ // YMM registers cannot be used.
+ ecx &= ~(1 << 28); // AVX
+ ecx &= ~(1 << 12); // FMA
+ ecx &= ~(1 << 11); // AMD XOP
+ // Clear AVX2 and AVX512* bits.
+ //
+ // TODO(davidben): Should bits 17 and 26-28 also be cleared? Upstream
+ // doesn't clear those.
extended_features &=
~((1 << 5) | (1 << 16) | (1 << 21) | (1 << 30) | (1 << 31));
}
- /* See Intel manual, volume 1, section 15.2. */
+ // See Intel manual, volume 1, section 15.2.
if ((xcr0 & 0xe6) != 0xe6) {
- /* Clear AVX512F. Note we don't touch other AVX512 extensions because they
- * can be used with YMM. */
+ // Clear AVX512F. Note we don't touch other AVX512 extensions because they
+ // can be used with YMM.
extended_features &= ~(1 << 16);
}
- /* Disable ADX instructions on Knights Landing. See OpenSSL commit
- * 64d92d74985ebb3d0be58a9718f9e080a14a8e7f. */
+ // Disable ADX instructions on Knights Landing. See OpenSSL commit
+ // 64d92d74985ebb3d0be58a9718f9e080a14a8e7f.
if ((ecx & (1 << 26)) == 0) {
extended_features &= ~(1 << 19);
}
@@ -268,15 +268,15 @@
return;
}
- /* OPENSSL_ia32cap can contain zero, one or two values, separated with a ':'.
- * Each value is a 64-bit, unsigned value which may start with "0x" to
- * indicate a hex value. Prior to the 64-bit value, a '~' may be given.
- *
- * If '~' isn't present, then the value is taken as the result of the CPUID.
- * Otherwise the value is inverted and ANDed with the probed CPUID result.
- *
- * The first value determines OPENSSL_ia32cap_P[0] and [1]. The second [2]
- * and [3]. */
+ // OPENSSL_ia32cap can contain zero, one or two values, separated with a ':'.
+ // Each value is a 64-bit, unsigned value which may start with "0x" to
+ // indicate a hex value. Prior to the 64-bit value, a '~' may be given.
+ //
+ // If '~' isn't present, then the value is taken as the result of the CPUID.
+ // Otherwise the value is inverted and ANDed with the probed CPUID result.
+ //
+ // The first value determines OPENSSL_ia32cap_P[0] and [1]. The second [2]
+ // and [3].
handle_cpu_env(&OPENSSL_ia32cap_P[0], env1);
env2 = strchr(env1, ':');
@@ -285,4 +285,4 @@
}
}
-#endif /* !OPENSSL_NO_ASM && (OPENSSL_X86 || OPENSSL_X86_64) */
+#endif // !OPENSSL_NO_ASM && (OPENSSL_X86 || OPENSSL_X86_64)
diff --git a/src/crypto/cpu-ppc64le.c b/src/crypto/cpu-ppc64le.c
index 54571bd..6cc8aee 100644
--- a/src/crypto/cpu-ppc64le.c
+++ b/src/crypto/cpu-ppc64le.c
@@ -22,8 +22,8 @@
#if !defined(PPC_FEATURE2_HAS_VCRYPTO)
-/* PPC_FEATURE2_HAS_VCRYPTO was taken from section 4.1.2.3 of the “OpenPOWER
- * ABI for Linux Supplement”. */
+// PPC_FEATURE2_HAS_VCRYPTO was taken from section 4.1.2.3 of the “OpenPOWER
+// ABI for Linux Supplement”.
#define PPC_FEATURE2_HAS_VCRYPTO 0x02000000
#endif
@@ -35,4 +35,4 @@
return (OPENSSL_ppc64le_hwcap2 & PPC_FEATURE2_HAS_VCRYPTO) != 0;
}
-#endif /* OPENSSL_PPC64LE */
+#endif // OPENSSL_PPC64LE
diff --git a/src/crypto/crypto.c b/src/crypto/crypto.c
index 3e1765b..aee3521 100644
--- a/src/crypto/crypto.c
+++ b/src/crypto/crypto.c
@@ -23,14 +23,14 @@
(defined(OPENSSL_X86) || defined(OPENSSL_X86_64) || \
defined(OPENSSL_ARM) || defined(OPENSSL_AARCH64) || \
defined(OPENSSL_PPC64LE))
-/* x86, x86_64, the ARMs and ppc64le need to record the result of a
- * cpuid/getauxval call for the asm to work correctly, unless compiled without
- * asm code. */
+// x86, x86_64, the ARMs and ppc64le need to record the result of a
+// cpuid/getauxval call for the asm to work correctly, unless compiled without
+// asm code.
#define NEED_CPUID
#else
-/* Otherwise, don't emit a static initialiser. */
+// Otherwise, don't emit a static initialiser.
#if !defined(BORINGSSL_NO_STATIC_INITIALIZER)
#define BORINGSSL_NO_STATIC_INITIALIZER
@@ -40,23 +40,23 @@
OPENSSL_ARM || OPENSSL_AARCH64) */
-/* The capability variables are defined in this file in order to work around a
- * linker bug. When linking with a .a, if no symbols in a .o are referenced
- * then the .o is discarded, even if it has constructor functions.
- *
- * This still means that any binaries that don't include some functionality
- * that tests the capability values will still skip the constructor but, so
- * far, the init constructor function only sets the capability variables. */
+// The capability variables are defined in this file in order to work around a
+// linker bug. When linking with a .a, if no symbols in a .o are referenced
+// then the .o is discarded, even if it has constructor functions.
+//
+// This still means that any binaries that don't include some functionality
+// that tests the capability values will still skip the constructor but, so
+// far, the init constructor function only sets the capability variables.
#if defined(OPENSSL_X86) || defined(OPENSSL_X86_64)
-/* This value must be explicitly initialised to zero in order to work around a
- * bug in libtool or the linker on OS X.
- *
- * If not initialised then it becomes a "common symbol". When put into an
- * archive, linking on OS X will fail to resolve common symbols. By
- * initialising it to zero, it becomes a "data symbol", which isn't so
- * affected. */
+// This value must be explicitly initialised to zero in order to work around a
+// bug in libtool or the linker on OS X.
+//
+// If not initialised then it becomes a "common symbol". When put into an
+// archive, linking on OS X will fail to resolve common symbols. By
+// initialising it to zero, it becomes a "data symbol", which isn't so
+// affected.
uint32_t OPENSSL_ia32cap_P[4] = {0};
#elif defined(OPENSSL_PPC64LE)
@@ -94,8 +94,8 @@
#endif
#if defined(BORINGSSL_FIPS)
-/* In FIPS mode, the power-on self-test function calls |CRYPTO_library_init|
- * because we have to ensure that CPUID detection occurs first. */
+// In FIPS mode, the power-on self-test function calls |CRYPTO_library_init|
+// because we have to ensure that CPUID detection occurs first.
#define BORINGSSL_NO_STATIC_INITIALIZER
#endif
@@ -107,7 +107,7 @@
#if defined(BORINGSSL_NO_STATIC_INITIALIZER)
static CRYPTO_once_t once = CRYPTO_ONCE_INIT;
-#elif defined(OPENSSL_WINDOWS)
+#elif defined(_MSC_VER)
#pragma section(".CRT$XCU", read)
static void __cdecl do_library_init(void);
__declspec(allocate(".CRT$XCU")) void(*library_init_constructor)(void) =
@@ -116,21 +116,21 @@
static void do_library_init(void) __attribute__ ((constructor));
#endif
-/* do_library_init is the actual initialization function. If
- * BORINGSSL_NO_STATIC_INITIALIZER isn't defined, this is set as a static
- * initializer. Otherwise, it is called by CRYPTO_library_init. */
+// do_library_init is the actual initialization function. If
+// BORINGSSL_NO_STATIC_INITIALIZER isn't defined, this is set as a static
+// initializer. Otherwise, it is called by CRYPTO_library_init.
static void OPENSSL_CDECL do_library_init(void) {
- /* WARNING: this function may only configure the capability variables. See the
- * note above about the linker bug. */
+ // WARNING: this function may only configure the capability variables. See the
+ // note above about the linker bug.
#if defined(NEED_CPUID)
OPENSSL_cpuid_setup();
#endif
}
void CRYPTO_library_init(void) {
- /* TODO(davidben): It would be tidier if this build knob could be replaced
- * with an internal lazy-init mechanism that would handle things correctly
- * in-library. https://crbug.com/542879 */
+ // TODO(davidben): It would be tidier if this build knob could be replaced
+ // with an internal lazy-init mechanism that would handle things correctly
+ // in-library. https://crbug.com/542879
#if defined(BORINGSSL_NO_STATIC_INITIALIZER)
CRYPTO_once(&once, do_library_init);
#endif
diff --git a/src/crypto/curve25519/curve25519.c b/src/crypto/curve25519/curve25519.c
index c91e78e..e49a8b3 100644
--- a/src/crypto/curve25519/curve25519.c
+++ b/src/crypto/curve25519/curve25519.c
@@ -12,12 +12,12 @@
* OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN
* CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. */
-/* This code is mostly taken from the ref10 version of Ed25519 in SUPERCOP
- * 20141124 (http://bench.cr.yp.to/supercop.html). That code is released as
- * public domain but this file has the ISC license just to keep licencing
- * simple.
- *
- * The field functions are shared by Ed25519 and X25519 where possible. */
+// This code is mostly taken from the ref10 version of Ed25519 in SUPERCOP
+// 20141124 (http://bench.cr.yp.to/supercop.html). That code is released as
+// public domain but this file has the ISC license just to keep licencing
+// simple.
+//
+// The field functions are shared by Ed25519 and X25519 where possible.
#include <openssl/curve25519.h>
@@ -55,7 +55,7 @@
}
static void fe_frombytes(fe h, const uint8_t *s) {
- /* Ignores top bit of h. */
+ // Ignores top bit of h.
int64_t h0 = load_4(s);
int64_t h1 = load_3(s + 4) << 6;
int64_t h2 = load_3(s + 7) << 5;
@@ -101,28 +101,28 @@
h[9] = h9;
}
-/* Preconditions:
- * |h| bounded by 1.1*2^26,1.1*2^25,1.1*2^26,1.1*2^25,etc.
- *
- * Write p=2^255-19; q=floor(h/p).
- * Basic claim: q = floor(2^(-255)(h + 19 2^(-25)h9 + 2^(-1))).
- *
- * Proof:
- * Have |h|<=p so |q|<=1 so |19^2 2^(-255) q|<1/4.
- * Also have |h-2^230 h9|<2^231 so |19 2^(-255)(h-2^230 h9)|<1/4.
- *
- * Write y=2^(-1)-19^2 2^(-255)q-19 2^(-255)(h-2^230 h9).
- * Then 0<y<1.
- *
- * Write r=h-pq.
- * Have 0<=r<=p-1=2^255-20.
- * Thus 0<=r+19(2^-255)r<r+19(2^-255)2^255<=2^255-1.
- *
- * Write x=r+19(2^-255)r+y.
- * Then 0<x<2^255 so floor(2^(-255)x) = 0 so floor(q+2^(-255)x) = q.
- *
- * Have q+2^(-255)x = 2^(-255)(h + 19 2^(-25) h9 + 2^(-1))
- * so floor(2^(-255)(h + 19 2^(-25) h9 + 2^(-1))) = q. */
+// Preconditions:
+// |h| bounded by 1.1*2^26,1.1*2^25,1.1*2^26,1.1*2^25,etc.
+//
+// Write p=2^255-19; q=floor(h/p).
+// Basic claim: q = floor(2^(-255)(h + 19 2^(-25)h9 + 2^(-1))).
+//
+// Proof:
+// Have |h|<=p so |q|<=1 so |19^2 2^(-255) q|<1/4.
+// Also have |h-2^230 h9|<2^231 so |19 2^(-255)(h-2^230 h9)|<1/4.
+//
+// Write y=2^(-1)-19^2 2^(-255)q-19 2^(-255)(h-2^230 h9).
+// Then 0<y<1.
+//
+// Write r=h-pq.
+// Have 0<=r<=p-1=2^255-20.
+// Thus 0<=r+19(2^-255)r<r+19(2^-255)2^255<=2^255-1.
+//
+// Write x=r+19(2^-255)r+y.
+// Then 0<x<2^255 so floor(2^(-255)x) = 0 so floor(q+2^(-255)x) = q.
+//
+// Have q+2^(-255)x = 2^(-255)(h + 19 2^(-25) h9 + 2^(-1))
+// so floor(2^(-255)(h + 19 2^(-25) h9 + 2^(-1))) = q.
static void fe_tobytes(uint8_t *s, const fe h) {
int32_t h0 = h[0];
int32_t h1 = h[1];
@@ -148,9 +148,9 @@
q = (h8 + q) >> 26;
q = (h9 + q) >> 25;
- /* Goal: Output h-(2^255-19)q, which is between 0 and 2^255-20. */
+ // Goal: Output h-(2^255-19)q, which is between 0 and 2^255-20.
h0 += 19 * q;
- /* Goal: Output h-2^255 q, which is between 0 and 2^255-20. */
+ // Goal: Output h-2^255 q, which is between 0 and 2^255-20.
h1 += h0 >> 26; h0 &= kBottom26Bits;
h2 += h1 >> 25; h1 &= kBottom25Bits;
@@ -162,12 +162,12 @@
h8 += h7 >> 25; h7 &= kBottom25Bits;
h9 += h8 >> 26; h8 &= kBottom26Bits;
h9 &= kBottom25Bits;
- /* h10 = carry9 */
+ // h10 = carry9
- /* Goal: Output h0+...+2^255 h10-2^255 q, which is between 0 and 2^255-20.
- * Have h0+...+2^230 h9 between 0 and 2^255-1;
- * evidently 2^255 h10-2^255 q = 0.
- * Goal: Output h0+...+2^230 h9. */
+ // Goal: Output h0+...+2^255 h10-2^255 q, which is between 0 and 2^255-20.
+ // Have h0+...+2^230 h9 between 0 and 2^255-1;
+ // evidently 2^255 h10-2^255 q = 0.
+ // Goal: Output h0+...+2^230 h9.
s[0] = h0 >> 0;
s[1] = h0 >> 8;
@@ -203,29 +203,29 @@
s[31] = h9 >> 18;
}
-/* h = f */
+// h = f
static void fe_copy(fe h, const fe f) {
OPENSSL_memmove(h, f, sizeof(int32_t) * 10);
}
-/* h = 0 */
+// h = 0
static void fe_0(fe h) { OPENSSL_memset(h, 0, sizeof(int32_t) * 10); }
-/* h = 1 */
+// h = 1
static void fe_1(fe h) {
OPENSSL_memset(h, 0, sizeof(int32_t) * 10);
h[0] = 1;
}
-/* h = f + g
- * Can overlap h with f or g.
- *
- * Preconditions:
- * |f| bounded by 1.1*2^25,1.1*2^24,1.1*2^25,1.1*2^24,etc.
- * |g| bounded by 1.1*2^25,1.1*2^24,1.1*2^25,1.1*2^24,etc.
- *
- * Postconditions:
- * |h| bounded by 1.1*2^26,1.1*2^25,1.1*2^26,1.1*2^25,etc. */
+// h = f + g
+// Can overlap h with f or g.
+//
+// Preconditions:
+// |f| bounded by 1.1*2^25,1.1*2^24,1.1*2^25,1.1*2^24,etc.
+// |g| bounded by 1.1*2^25,1.1*2^24,1.1*2^25,1.1*2^24,etc.
+//
+// Postconditions:
+// |h| bounded by 1.1*2^26,1.1*2^25,1.1*2^26,1.1*2^25,etc.
static void fe_add(fe h, const fe f, const fe g) {
unsigned i;
for (i = 0; i < 10; i++) {
@@ -233,15 +233,15 @@
}
}
-/* h = f - g
- * Can overlap h with f or g.
- *
- * Preconditions:
- * |f| bounded by 1.1*2^25,1.1*2^24,1.1*2^25,1.1*2^24,etc.
- * |g| bounded by 1.1*2^25,1.1*2^24,1.1*2^25,1.1*2^24,etc.
- *
- * Postconditions:
- * |h| bounded by 1.1*2^26,1.1*2^25,1.1*2^26,1.1*2^25,etc. */
+// h = f - g
+// Can overlap h with f or g.
+//
+// Preconditions:
+// |f| bounded by 1.1*2^25,1.1*2^24,1.1*2^25,1.1*2^24,etc.
+// |g| bounded by 1.1*2^25,1.1*2^24,1.1*2^25,1.1*2^24,etc.
+//
+// Postconditions:
+// |h| bounded by 1.1*2^26,1.1*2^25,1.1*2^26,1.1*2^25,etc.
static void fe_sub(fe h, const fe f, const fe g) {
unsigned i;
for (i = 0; i < 10; i++) {
@@ -249,33 +249,33 @@
}
}
-/* h = f * g
- * Can overlap h with f or g.
- *
- * Preconditions:
- * |f| bounded by 1.65*2^26,1.65*2^25,1.65*2^26,1.65*2^25,etc.
- * |g| bounded by 1.65*2^26,1.65*2^25,1.65*2^26,1.65*2^25,etc.
- *
- * Postconditions:
- * |h| bounded by 1.01*2^25,1.01*2^24,1.01*2^25,1.01*2^24,etc.
- *
- * Notes on implementation strategy:
- *
- * Using schoolbook multiplication.
- * Karatsuba would save a little in some cost models.
- *
- * Most multiplications by 2 and 19 are 32-bit precomputations;
- * cheaper than 64-bit postcomputations.
- *
- * There is one remaining multiplication by 19 in the carry chain;
- * one *19 precomputation can be merged into this,
- * but the resulting data flow is considerably less clean.
- *
- * There are 12 carries below.
- * 10 of them are 2-way parallelizable and vectorizable.
- * Can get away with 11 carries, but then data flow is much deeper.
- *
- * With tighter constraints on inputs can squeeze carries into int32. */
+// h = f * g
+// Can overlap h with f or g.
+//
+// Preconditions:
+// |f| bounded by 1.65*2^26,1.65*2^25,1.65*2^26,1.65*2^25,etc.
+// |g| bounded by 1.65*2^26,1.65*2^25,1.65*2^26,1.65*2^25,etc.
+//
+// Postconditions:
+// |h| bounded by 1.01*2^25,1.01*2^24,1.01*2^25,1.01*2^24,etc.
+//
+// Notes on implementation strategy:
+//
+// Using schoolbook multiplication.
+// Karatsuba would save a little in some cost models.
+//
+// Most multiplications by 2 and 19 are 32-bit precomputations;
+// cheaper than 64-bit postcomputations.
+//
+// There is one remaining multiplication by 19 in the carry chain;
+// one *19 precomputation can be merged into this,
+// but the resulting data flow is considerably less clean.
+//
+// There are 12 carries below.
+// 10 of them are 2-way parallelizable and vectorizable.
+// Can get away with 11 carries, but then data flow is much deeper.
+//
+// With tighter constraints on inputs can squeeze carries into int32.
static void fe_mul(fe h, const fe f, const fe g) {
int32_t f0 = f[0];
int32_t f1 = f[1];
@@ -297,8 +297,8 @@
int32_t g7 = g[7];
int32_t g8 = g[8];
int32_t g9 = g[9];
- int32_t g1_19 = 19 * g1; /* 1.959375*2^29 */
- int32_t g2_19 = 19 * g2; /* 1.959375*2^30; still ok */
+ int32_t g1_19 = 19 * g1; // 1.959375*2^29
+ int32_t g2_19 = 19 * g2; // 1.959375*2^30; still ok
int32_t g3_19 = 19 * g3;
int32_t g4_19 = 19 * g4;
int32_t g5_19 = 19 * g5;
@@ -432,53 +432,53 @@
int64_t carry8;
int64_t carry9;
- /* |h0| <= (1.65*1.65*2^52*(1+19+19+19+19)+1.65*1.65*2^50*(38+38+38+38+38))
- * i.e. |h0| <= 1.4*2^60; narrower ranges for h2, h4, h6, h8
- * |h1| <= (1.65*1.65*2^51*(1+1+19+19+19+19+19+19+19+19))
- * i.e. |h1| <= 1.7*2^59; narrower ranges for h3, h5, h7, h9 */
+ // |h0| <= (1.65*1.65*2^52*(1+19+19+19+19)+1.65*1.65*2^50*(38+38+38+38+38))
+ // i.e. |h0| <= 1.4*2^60; narrower ranges for h2, h4, h6, h8
+ // |h1| <= (1.65*1.65*2^51*(1+1+19+19+19+19+19+19+19+19))
+ // i.e. |h1| <= 1.7*2^59; narrower ranges for h3, h5, h7, h9
carry0 = h0 + (1 << 25); h1 += carry0 >> 26; h0 -= carry0 & kTop38Bits;
carry4 = h4 + (1 << 25); h5 += carry4 >> 26; h4 -= carry4 & kTop38Bits;
- /* |h0| <= 2^25 */
- /* |h4| <= 2^25 */
- /* |h1| <= 1.71*2^59 */
- /* |h5| <= 1.71*2^59 */
+ // |h0| <= 2^25
+ // |h4| <= 2^25
+ // |h1| <= 1.71*2^59
+ // |h5| <= 1.71*2^59
carry1 = h1 + (1 << 24); h2 += carry1 >> 25; h1 -= carry1 & kTop39Bits;
carry5 = h5 + (1 << 24); h6 += carry5 >> 25; h5 -= carry5 & kTop39Bits;
- /* |h1| <= 2^24; from now on fits into int32 */
- /* |h5| <= 2^24; from now on fits into int32 */
- /* |h2| <= 1.41*2^60 */
- /* |h6| <= 1.41*2^60 */
+ // |h1| <= 2^24; from now on fits into int32
+ // |h5| <= 2^24; from now on fits into int32
+ // |h2| <= 1.41*2^60
+ // |h6| <= 1.41*2^60
carry2 = h2 + (1 << 25); h3 += carry2 >> 26; h2 -= carry2 & kTop38Bits;
carry6 = h6 + (1 << 25); h7 += carry6 >> 26; h6 -= carry6 & kTop38Bits;
- /* |h2| <= 2^25; from now on fits into int32 unchanged */
- /* |h6| <= 2^25; from now on fits into int32 unchanged */
- /* |h3| <= 1.71*2^59 */
- /* |h7| <= 1.71*2^59 */
+ // |h2| <= 2^25; from now on fits into int32 unchanged
+ // |h6| <= 2^25; from now on fits into int32 unchanged
+ // |h3| <= 1.71*2^59
+ // |h7| <= 1.71*2^59
carry3 = h3 + (1 << 24); h4 += carry3 >> 25; h3 -= carry3 & kTop39Bits;
carry7 = h7 + (1 << 24); h8 += carry7 >> 25; h7 -= carry7 & kTop39Bits;
- /* |h3| <= 2^24; from now on fits into int32 unchanged */
- /* |h7| <= 2^24; from now on fits into int32 unchanged */
- /* |h4| <= 1.72*2^34 */
- /* |h8| <= 1.41*2^60 */
+ // |h3| <= 2^24; from now on fits into int32 unchanged
+ // |h7| <= 2^24; from now on fits into int32 unchanged
+ // |h4| <= 1.72*2^34
+ // |h8| <= 1.41*2^60
carry4 = h4 + (1 << 25); h5 += carry4 >> 26; h4 -= carry4 & kTop38Bits;
carry8 = h8 + (1 << 25); h9 += carry8 >> 26; h8 -= carry8 & kTop38Bits;
- /* |h4| <= 2^25; from now on fits into int32 unchanged */
- /* |h8| <= 2^25; from now on fits into int32 unchanged */
- /* |h5| <= 1.01*2^24 */
- /* |h9| <= 1.71*2^59 */
+ // |h4| <= 2^25; from now on fits into int32 unchanged
+ // |h8| <= 2^25; from now on fits into int32 unchanged
+ // |h5| <= 1.01*2^24
+ // |h9| <= 1.71*2^59
carry9 = h9 + (1 << 24); h0 += (carry9 >> 25) * 19; h9 -= carry9 & kTop39Bits;
- /* |h9| <= 2^24; from now on fits into int32 unchanged */
- /* |h0| <= 1.1*2^39 */
+ // |h9| <= 2^24; from now on fits into int32 unchanged
+ // |h0| <= 1.1*2^39
carry0 = h0 + (1 << 25); h1 += carry0 >> 26; h0 -= carry0 & kTop38Bits;
- /* |h0| <= 2^25; from now on fits into int32 unchanged */
- /* |h1| <= 1.01*2^24 */
+ // |h0| <= 2^25; from now on fits into int32 unchanged
+ // |h1| <= 1.01*2^24
h[0] = h0;
h[1] = h1;
@@ -492,16 +492,16 @@
h[9] = h9;
}
-/* h = f * f
- * Can overlap h with f.
- *
- * Preconditions:
- * |f| bounded by 1.65*2^26,1.65*2^25,1.65*2^26,1.65*2^25,etc.
- *
- * Postconditions:
- * |h| bounded by 1.01*2^25,1.01*2^24,1.01*2^25,1.01*2^24,etc.
- *
- * See fe_mul.c for discussion of implementation strategy. */
+// h = f * f
+// Can overlap h with f.
+//
+// Preconditions:
+// |f| bounded by 1.65*2^26,1.65*2^25,1.65*2^26,1.65*2^25,etc.
+//
+// Postconditions:
+// |h| bounded by 1.01*2^25,1.01*2^24,1.01*2^25,1.01*2^24,etc.
+//
+// See fe_mul.c for discussion of implementation strategy.
static void fe_sq(fe h, const fe f) {
int32_t f0 = f[0];
int32_t f1 = f[1];
@@ -521,11 +521,11 @@
int32_t f5_2 = 2 * f5;
int32_t f6_2 = 2 * f6;
int32_t f7_2 = 2 * f7;
- int32_t f5_38 = 38 * f5; /* 1.959375*2^30 */
- int32_t f6_19 = 19 * f6; /* 1.959375*2^30 */
- int32_t f7_38 = 38 * f7; /* 1.959375*2^30 */
- int32_t f8_19 = 19 * f8; /* 1.959375*2^30 */
- int32_t f9_38 = 38 * f9; /* 1.959375*2^30 */
+ int32_t f5_38 = 38 * f5; // 1.959375*2^30
+ int32_t f6_19 = 19 * f6; // 1.959375*2^30
+ int32_t f7_38 = 38 * f7; // 1.959375*2^30
+ int32_t f8_19 = 19 * f8; // 1.959375*2^30
+ int32_t f9_38 = 38 * f9; // 1.959375*2^30
int64_t f0f0 = f0 * (int64_t) f0;
int64_t f0f1_2 = f0_2 * (int64_t) f1;
int64_t f0f2_2 = f0_2 * (int64_t) f2;
@@ -691,13 +691,13 @@
fe_mul(out, t1, t0);
}
-/* h = -f
- *
- * Preconditions:
- * |f| bounded by 1.1*2^25,1.1*2^24,1.1*2^25,1.1*2^24,etc.
- *
- * Postconditions:
- * |h| bounded by 1.1*2^25,1.1*2^24,1.1*2^25,1.1*2^24,etc. */
+// h = -f
+//
+// Preconditions:
+// |f| bounded by 1.1*2^25,1.1*2^24,1.1*2^25,1.1*2^24,etc.
+//
+// Postconditions:
+// |h| bounded by 1.1*2^25,1.1*2^24,1.1*2^25,1.1*2^24,etc.
static void fe_neg(fe h, const fe f) {
unsigned i;
for (i = 0; i < 10; i++) {
@@ -705,10 +705,10 @@
}
}
-/* Replace (f,g) with (g,g) if b == 1;
- * replace (f,g) with (f,g) if b == 0.
- *
- * Preconditions: b in {0,1}. */
+// Replace (f,g) with (g,g) if b == 1;
+// replace (f,g) with (f,g) if b == 0.
+//
+// Preconditions: b in {0,1}.
static void fe_cmov(fe f, const fe g, unsigned b) {
b = 0-b;
unsigned i;
@@ -719,11 +719,11 @@
}
}
-/* return 0 if f == 0
- * return 1 if f != 0
- *
- * Preconditions:
- * |f| bounded by 1.1*2^26,1.1*2^25,1.1*2^26,1.1*2^25,etc. */
+// return 0 if f == 0
+// return 1 if f != 0
+//
+// Preconditions:
+// |f| bounded by 1.1*2^26,1.1*2^25,1.1*2^26,1.1*2^25,etc.
static int fe_isnonzero(const fe f) {
uint8_t s[32];
fe_tobytes(s, f);
@@ -732,27 +732,27 @@
return CRYPTO_memcmp(s, zero, sizeof(zero)) != 0;
}
-/* return 1 if f is in {1,3,5,...,q-2}
- * return 0 if f is in {0,2,4,...,q-1}
- *
- * Preconditions:
- * |f| bounded by 1.1*2^26,1.1*2^25,1.1*2^26,1.1*2^25,etc. */
+// return 1 if f is in {1,3,5,...,q-2}
+// return 0 if f is in {0,2,4,...,q-1}
+//
+// Preconditions:
+// |f| bounded by 1.1*2^26,1.1*2^25,1.1*2^26,1.1*2^25,etc.
static int fe_isnegative(const fe f) {
uint8_t s[32];
fe_tobytes(s, f);
return s[0] & 1;
}
-/* h = 2 * f * f
- * Can overlap h with f.
- *
- * Preconditions:
- * |f| bounded by 1.65*2^26,1.65*2^25,1.65*2^26,1.65*2^25,etc.
- *
- * Postconditions:
- * |h| bounded by 1.01*2^25,1.01*2^24,1.01*2^25,1.01*2^24,etc.
- *
- * See fe_mul.c for discussion of implementation strategy. */
+// h = 2 * f * f
+// Can overlap h with f.
+//
+// Preconditions:
+// |f| bounded by 1.65*2^26,1.65*2^25,1.65*2^26,1.65*2^25,etc.
+//
+// Postconditions:
+// |h| bounded by 1.01*2^25,1.01*2^24,1.01*2^25,1.01*2^24,etc.
+//
+// See fe_mul.c for discussion of implementation strategy.
static void fe_sq2(fe h, const fe f) {
int32_t f0 = f[0];
int32_t f1 = f[1];
@@ -772,11 +772,11 @@
int32_t f5_2 = 2 * f5;
int32_t f6_2 = 2 * f6;
int32_t f7_2 = 2 * f7;
- int32_t f5_38 = 38 * f5; /* 1.959375*2^30 */
- int32_t f6_19 = 19 * f6; /* 1.959375*2^30 */
- int32_t f7_38 = 38 * f7; /* 1.959375*2^30 */
- int32_t f8_19 = 19 * f8; /* 1.959375*2^30 */
- int32_t f9_38 = 38 * f9; /* 1.959375*2^30 */
+ int32_t f5_38 = 38 * f5; // 1.959375*2^30
+ int32_t f6_19 = 19 * f6; // 1.959375*2^30
+ int32_t f7_38 = 38 * f7; // 1.959375*2^30
+ int32_t f8_19 = 19 * f8; // 1.959375*2^30
+ int32_t f9_38 = 38 * f9; // 1.959375*2^30
int64_t f0f0 = f0 * (int64_t) f0;
int64_t f0f1_2 = f0_2 * (int64_t) f1;
int64_t f0f2_2 = f0_2 * (int64_t) f2;
@@ -993,24 +993,24 @@
fe_1(h->Z);
fe_sq(u, h->Y);
fe_mul(v, u, d);
- fe_sub(u, u, h->Z); /* u = y^2-1 */
- fe_add(v, v, h->Z); /* v = dy^2+1 */
+ fe_sub(u, u, h->Z); // u = y^2-1
+ fe_add(v, v, h->Z); // v = dy^2+1
fe_sq(v3, v);
- fe_mul(v3, v3, v); /* v3 = v^3 */
+ fe_mul(v3, v3, v); // v3 = v^3
fe_sq(h->X, v3);
fe_mul(h->X, h->X, v);
- fe_mul(h->X, h->X, u); /* x = uv^7 */
+ fe_mul(h->X, h->X, u); // x = uv^7
- fe_pow22523(h->X, h->X); /* x = (uv^7)^((q-5)/8) */
+ fe_pow22523(h->X, h->X); // x = (uv^7)^((q-5)/8)
fe_mul(h->X, h->X, v3);
- fe_mul(h->X, h->X, u); /* x = uv^3(uv^7)^((q-5)/8) */
+ fe_mul(h->X, h->X, u); // x = uv^3(uv^7)^((q-5)/8)
fe_sq(vxx, h->X);
fe_mul(vxx, vxx, v);
- fe_sub(check, vxx, u); /* vx^2-u */
+ fe_sub(check, vxx, u); // vx^2-u
if (fe_isnonzero(check)) {
- fe_add(check, vxx, u); /* vx^2+u */
+ fe_add(check, vxx, u); // vx^2+u
if (fe_isnonzero(check)) {
return -1;
}
@@ -1051,7 +1051,7 @@
fe_0(h->xy2d);
}
-/* r = p */
+// r = p
static void ge_p3_to_p2(ge_p2 *r, const ge_p3 *p) {
fe_copy(r->X, p->X);
fe_copy(r->Y, p->Y);
@@ -1061,7 +1061,7 @@
static const fe d2 = {-21827239, -5839606, -30745221, 13898782, 229458,
15978800, -12551817, -6495438, 29715968, 9444199};
-/* r = p */
+// r = p
void x25519_ge_p3_to_cached(ge_cached *r, const ge_p3 *p) {
fe_add(r->YplusX, p->Y, p->X);
fe_sub(r->YminusX, p->Y, p->X);
@@ -1069,14 +1069,14 @@
fe_mul(r->T2d, p->T, d2);
}
-/* r = p */
+// r = p
void x25519_ge_p1p1_to_p2(ge_p2 *r, const ge_p1p1 *p) {
fe_mul(r->X, p->X, p->T);
fe_mul(r->Y, p->Y, p->Z);
fe_mul(r->Z, p->Z, p->T);
}
-/* r = p */
+// r = p
void x25519_ge_p1p1_to_p3(ge_p3 *r, const ge_p1p1 *p) {
fe_mul(r->X, p->X, p->T);
fe_mul(r->Y, p->Y, p->Z);
@@ -1084,14 +1084,14 @@
fe_mul(r->T, p->X, p->Y);
}
-/* r = p */
+// r = p
static void ge_p1p1_to_cached(ge_cached *r, const ge_p1p1 *p) {
ge_p3 t;
x25519_ge_p1p1_to_p3(&t, p);
x25519_ge_p3_to_cached(r, &t);
}
-/* r = 2 * p */
+// r = 2 * p
static void ge_p2_dbl(ge_p1p1 *r, const ge_p2 *p) {
fe t0;
@@ -1106,14 +1106,14 @@
fe_sub(r->T, r->T, r->Z);
}
-/* r = 2 * p */
+// r = 2 * p
static void ge_p3_dbl(ge_p1p1 *r, const ge_p3 *p) {
ge_p2 q;
ge_p3_to_p2(&q, p);
ge_p2_dbl(r, &q);
}
-/* r = p + q */
+// r = p + q
static void ge_madd(ge_p1p1 *r, const ge_p3 *p, const ge_precomp *q) {
fe t0;
@@ -1129,7 +1129,7 @@
fe_sub(r->T, t0, r->T);
}
-/* r = p - q */
+// r = p - q
static void ge_msub(ge_p1p1 *r, const ge_p3 *p, const ge_precomp *q) {
fe t0;
@@ -1145,7 +1145,7 @@
fe_add(r->T, t0, r->T);
}
-/* r = p + q */
+// r = p + q
void x25519_ge_add(ge_p1p1 *r, const ge_p3 *p, const ge_cached *q) {
fe t0;
@@ -1162,7 +1162,7 @@
fe_sub(r->T, t0, r->T);
}
-/* r = p - q */
+// r = p - q
void x25519_ge_sub(ge_p1p1 *r, const ge_p3 *p, const ge_cached *q) {
fe t0;
@@ -1182,10 +1182,10 @@
static uint8_t equal(signed char b, signed char c) {
uint8_t ub = b;
uint8_t uc = c;
- uint8_t x = ub ^ uc; /* 0: yes; 1..255: no */
- uint32_t y = x; /* 0: yes; 1..255: no */
- y -= 1; /* 4294967295: yes; 0..254: no */
- y >>= 31; /* 1: yes; 0: no */
+ uint8_t x = ub ^ uc; // 0: yes; 1..255: no
+ uint32_t y = x; // 0: yes; 1..255: no
+ y -= 1; // 4294967295: yes; 0..254: no
+ y >>= 31; // 1: yes; 0: no
return y;
}
@@ -1197,8 +1197,8 @@
void x25519_ge_scalarmult_small_precomp(
ge_p3 *h, const uint8_t a[32], const uint8_t precomp_table[15 * 2 * 32]) {
- /* precomp_table is first expanded into matching |ge_precomp|
- * elements. */
+ // precomp_table is first expanded into matching |ge_precomp|
+ // elements.
ge_precomp multiples[15];
unsigned i;
@@ -1215,9 +1215,9 @@
fe_mul(out->xy2d, out->xy2d, d2);
}
- /* See the comment above |k25519SmallPrecomp| about the structure of the
- * precomputed elements. This loop does 64 additions and 64 doublings to
- * calculate the result. */
+ // See the comment above |k25519SmallPrecomp| about the structure of the
+ // precomputed elements. This loop does 64 additions and 64 doublings to
+ // calculate the result.
ge_p3_0(h);
for (i = 63; i < 64; i--) {
@@ -1249,14 +1249,14 @@
#if defined(OPENSSL_SMALL)
-/* This block of code replaces the standard base-point table with a much smaller
- * one. The standard table is 30,720 bytes while this one is just 960.
- *
- * This table contains 15 pairs of group elements, (x, y), where each field
- * element is serialised with |fe_tobytes|. If |i| is the index of the group
- * element then consider i+1 as a four-bit number: (i₀, i₁, i₂, i₃) (where i₀
- * is the most significant bit). The value of the group element is then:
- * (i₀×2^192 + i₁×2^128 + i₂×2^64 + i₃)G, where G is the generator. */
+// This block of code replaces the standard base-point table with a much smaller
+// one. The standard table is 30,720 bytes while this one is just 960.
+//
+// This table contains 15 pairs of group elements, (x, y), where each field
+// element is serialised with |fe_tobytes|. If |i| is the index of the group
+// element then consider i+1 as a four-bit number: (i₀, i₁, i₂, i₃) (where i₀
+// is the most significant bit). The value of the group element is then:
+// (i₀×2^192 + i₁×2^128 + i₂×2^64 + i₃)G, where G is the generator.
static const uint8_t k25519SmallPrecomp[15 * 2 * 32] = {
0x1a, 0xd5, 0x25, 0x8f, 0x60, 0x2d, 0x56, 0xc9, 0xb2, 0xa7, 0x25, 0x95,
0x60, 0xc7, 0x2c, 0x69, 0x5c, 0xdc, 0xd6, 0xfd, 0x31, 0xe2, 0xa4, 0xc0,
@@ -1346,7 +1346,7 @@
#else
-/* k25519Precomp[i][j] = (j+1)*256^i*B */
+// k25519Precomp[i][j] = (j+1)*256^i*B
static const ge_precomp k25519Precomp[32][8] = {
{
{
@@ -3464,7 +3464,7 @@
static uint8_t negative(signed char b) {
uint32_t x = b;
- x >>= 31; /* 1: yes; 0: no */
+ x >>= 31; // 1: yes; 0: no
return x;
}
@@ -3488,12 +3488,12 @@
cmov(t, &minust, bnegative);
}
-/* h = a * B
- * where a = a[0]+256*a[1]+...+256^31 a[31]
- * B is the Ed25519 base point (x,4/5) with x positive.
- *
- * Preconditions:
- * a[31] <= 127 */
+// h = a * B
+// where a = a[0]+256*a[1]+...+256^31 a[31]
+// B is the Ed25519 base point (x,4/5) with x positive.
+//
+// Preconditions:
+// a[31] <= 127
void x25519_ge_scalarmult_base(ge_p3 *h, const uint8_t *a) {
signed char e[64];
signed char carry;
@@ -3506,8 +3506,8 @@
e[2 * i + 0] = (a[i] >> 0) & 15;
e[2 * i + 1] = (a[i] >> 4) & 15;
}
- /* each e[i] is between 0 and 15 */
- /* e[63] is between 0 and 7 */
+ // each e[i] is between 0 and 15
+ // e[63] is between 0 and 7
carry = 0;
for (i = 0; i < 63; ++i) {
@@ -3517,7 +3517,7 @@
e[i] -= carry << 4;
}
e[63] += carry;
- /* each e[i] is between -8 and 8 */
+ // each e[i] is between -8 and 8
ge_p3_0(h);
for (i = 1; i < 64; i += 2) {
@@ -3551,8 +3551,8 @@
fe_cmov(t->T2d, u->T2d, b);
}
-/* r = scalar * A.
- * where a = a[0]+256*a[1]+...+256^31 a[31]. */
+// r = scalar * A.
+// where a = a[0]+256*a[1]+...+256^31 a[31].
void x25519_ge_scalarmult(ge_p2 *r, const uint8_t *scalar, const ge_p3 *A) {
ge_p2 Ai_p2[8];
ge_cached Ai[16];
@@ -3706,15 +3706,15 @@
},
};
-/* r = a * A + b * B
- * where a = a[0]+256*a[1]+...+256^31 a[31].
- * and b = b[0]+256*b[1]+...+256^31 b[31].
- * B is the Ed25519 base point (x,4/5) with x positive. */
+// r = a * A + b * B
+// where a = a[0]+256*a[1]+...+256^31 a[31].
+// and b = b[0]+256*b[1]+...+256^31 b[31].
+// B is the Ed25519 base point (x,4/5) with x positive.
static void ge_double_scalarmult_vartime(ge_p2 *r, const uint8_t *a,
const ge_p3 *A, const uint8_t *b) {
signed char aslide[256];
signed char bslide[256];
- ge_cached Ai[8]; /* A,3A,5A,7A,9A,11A,13A,15A */
+ ge_cached Ai[8]; // A,3A,5A,7A,9A,11A,13A,15A
ge_p1p1 t;
ge_p3 u;
ge_p3 A2;
@@ -3779,16 +3779,16 @@
}
}
-/* The set of scalars is \Z/l
- * where l = 2^252 + 27742317777372353535851937790883648493. */
+// The set of scalars is \Z/l
+// where l = 2^252 + 27742317777372353535851937790883648493.
-/* Input:
- * s[0]+256*s[1]+...+256^63*s[63] = s
- *
- * Output:
- * s[0]+256*s[1]+...+256^31*s[31] = s mod l
- * where l = 2^252 + 27742317777372353535851937790883648493.
- * Overwrites s in place. */
+// Input:
+// s[0]+256*s[1]+...+256^63*s[63] = s
+//
+// Output:
+// s[0]+256*s[1]+...+256^31*s[31] = s mod l
+// where l = 2^252 + 27742317777372353535851937790883648493.
+// Overwrites s in place.
void x25519_sc_reduce(uint8_t *s) {
int64_t s0 = 2097151 & load_3(s);
int64_t s1 = 2097151 & (load_4(s + 2) >> 5);
@@ -4122,14 +4122,14 @@
s[31] = s11 >> 17;
}
-/* Input:
- * a[0]+256*a[1]+...+256^31*a[31] = a
- * b[0]+256*b[1]+...+256^31*b[31] = b
- * c[0]+256*c[1]+...+256^31*c[31] = c
- *
- * Output:
- * s[0]+256*s[1]+...+256^31*s[31] = (ab+c) mod l
- * where l = 2^252 + 27742317777372353535851937790883648493. */
+// Input:
+// a[0]+256*a[1]+...+256^31*a[31] = a
+// b[0]+256*b[1]+...+256^31*b[31] = b
+// c[0]+256*c[1]+...+256^31*c[31] = c
+//
+// Output:
+// s[0]+256*s[1]+...+256^31*s[31] = (ab+c) mod l
+// where l = 2^252 + 27742317777372353535851937790883648493.
static void sc_muladd(uint8_t *s, const uint8_t *a, const uint8_t *b,
const uint8_t *c) {
int64_t a0 = 2097151 & load_3(a);
@@ -4716,10 +4716,10 @@
#else
-/* Replace (f,g) with (g,f) if b == 1;
- * replace (f,g) with (f,g) if b == 0.
- *
- * Preconditions: b in {0,1}. */
+// Replace (f,g) with (g,f) if b == 1;
+// replace (f,g) with (f,g) if b == 0.
+//
+// Preconditions: b in {0,1}.
static void fe_cswap(fe f, fe g, unsigned int b) {
b = 0-b;
unsigned i;
@@ -4731,14 +4731,14 @@
}
}
-/* h = f * 121666
- * Can overlap h with f.
- *
- * Preconditions:
- * |f| bounded by 1.1*2^26,1.1*2^25,1.1*2^26,1.1*2^25,etc.
- *
- * Postconditions:
- * |h| bounded by 1.1*2^25,1.1*2^24,1.1*2^25,1.1*2^24,etc. */
+// h = f * 121666
+// Can overlap h with f.
+//
+// Preconditions:
+// |f| bounded by 1.1*2^26,1.1*2^25,1.1*2^26,1.1*2^25,etc.
+//
+// Postconditions:
+// |h| bounded by 1.1*2^25,1.1*2^24,1.1*2^25,1.1*2^24,etc.
static void fe_mul121666(fe h, fe f) {
int32_t f0 = f[0];
int32_t f1 = f[1];
@@ -4858,25 +4858,25 @@
x25519_scalar_mult_generic(out, scalar, point);
}
-#endif /* BORINGSSL_X25519_X86_64 */
+#endif // BORINGSSL_X25519_X86_64
void X25519_keypair(uint8_t out_public_value[32], uint8_t out_private_key[32]) {
RAND_bytes(out_private_key, 32);
- /* All X25519 implementations should decode scalars correctly (see
- * https://tools.ietf.org/html/rfc7748#section-5). However, if an
- * implementation doesn't then it might interoperate with random keys a
- * fraction of the time because they'll, randomly, happen to be correctly
- * formed.
- *
- * Thus we do the opposite of the masking here to make sure that our private
- * keys are never correctly masked and so, hopefully, any incorrect
- * implementations are deterministically broken.
- *
- * This does not affect security because, although we're throwing away
- * entropy, a valid implementation of scalarmult should throw away the exact
- * same bits anyway. */
+ // All X25519 implementations should decode scalars correctly (see
+ // https://tools.ietf.org/html/rfc7748#section-5). However, if an
+ // implementation doesn't then it might interoperate with random keys a
+ // fraction of the time because they'll, randomly, happen to be correctly
+ // formed.
+ //
+ // Thus we do the opposite of the masking here to make sure that our private
+ // keys are never correctly masked and so, hopefully, any incorrect
+ // implementations are deterministically broken.
+ //
+ // This does not affect security because, although we're throwing away
+ // entropy, a valid implementation of scalarmult should throw away the exact
+ // same bits anyway.
out_private_key[0] |= 7;
out_private_key[31] &= 63;
out_private_key[31] |= 128;
@@ -4888,15 +4888,15 @@
const uint8_t peer_public_value[32]) {
static const uint8_t kZeros[32] = {0};
x25519_scalar_mult(out_shared_key, private_key, peer_public_value);
- /* The all-zero output results when the input is a point of small order. */
+ // The all-zero output results when the input is a point of small order.
return CRYPTO_memcmp(kZeros, out_shared_key, 32) != 0;
}
#if defined(BORINGSSL_X25519_X86_64)
-/* When |BORINGSSL_X25519_X86_64| is set, base point multiplication is done with
- * the Montgomery ladder because it's faster. Otherwise it's done using the
- * Ed25519 tables. */
+// When |BORINGSSL_X25519_X86_64| is set, base point multiplication is done with
+// the Montgomery ladder because it's faster. Otherwise it's done using the
+// Ed25519 tables.
void X25519_public_from_private(uint8_t out_public_value[32],
const uint8_t private_key[32]) {
@@ -4925,8 +4925,8 @@
ge_p3 A;
x25519_ge_scalarmult_base(&A, e);
- /* We only need the u-coordinate of the curve25519 point. The map is
- * u=(y+1)/(1-y). Since y=Y/Z, this gives u=(Z+Y)/(Z-Y). */
+ // We only need the u-coordinate of the curve25519 point. The map is
+ // u=(y+1)/(1-y). Since y=Y/Z, this gives u=(Z+Y)/(Z-Y).
fe zplusy, zminusy, zminusy_inv;
fe_add(zplusy, A.Z, A.Y);
fe_sub(zminusy, A.Z, A.Y);
@@ -4935,4 +4935,4 @@
fe_tobytes(out_public_value, zplusy);
}
-#endif /* BORINGSSL_X25519_X86_64 */
+#endif // BORINGSSL_X25519_X86_64
diff --git a/src/crypto/curve25519/internal.h b/src/crypto/curve25519/internal.h
index ee865bd..9487a6c 100644
--- a/src/crypto/curve25519/internal.h
+++ b/src/crypto/curve25519/internal.h
@@ -32,15 +32,15 @@
#if defined(OPENSSL_ARM) && !defined(OPENSSL_NO_ASM) && !defined(OPENSSL_APPLE)
#define BORINGSSL_X25519_NEON
-/* x25519_NEON is defined in asm/x25519-arm.S. */
+// x25519_NEON is defined in asm/x25519-arm.S.
void x25519_NEON(uint8_t out[32], const uint8_t scalar[32],
const uint8_t point[32]);
#endif
-/* fe means field element. Here the field is \Z/(2^255-19). An element t,
- * entries t[0]...t[9], represents the integer t[0]+2^26 t[1]+2^51 t[2]+2^77
- * t[3]+2^102 t[4]+...+2^230 t[9]. Bounds on each t[i] vary depending on
- * context. */
+// fe means field element. Here the field is \Z/(2^255-19). An element t,
+// entries t[0]...t[9], represents the integer t[0]+2^26 t[1]+2^51 t[2]+2^77
+// t[3]+2^102 t[4]+...+2^230 t[9]. Bounds on each t[i] vary depending on
+// context.
typedef int32_t fe[10];
/* ge means group element.
@@ -103,7 +103,7 @@
#if defined(__cplusplus)
-} /* extern C */
+} // extern C
#endif
-#endif /* OPENSSL_HEADER_CURVE25519_INTERNAL_H */
+#endif // OPENSSL_HEADER_CURVE25519_INTERNAL_H
diff --git a/src/crypto/curve25519/spake25519.c b/src/crypto/curve25519/spake25519.c
index 5b794b3..8ebedf9 100644
--- a/src/crypto/curve25519/spake25519.c
+++ b/src/crypto/curve25519/spake25519.c
@@ -25,80 +25,82 @@
#include "../internal.h"
-/* The following precomputation tables are for the following
- * points used in the SPAKE2 protocol.
- *
- * N:
- * x: 49918732221787544735331783592030787422991506689877079631459872391322455579424
- * y: 54629554431565467720832445949441049581317094546788069926228343916274969994000
- * encoded: 10e3df0ae37d8e7a99b5fe74b44672103dbddcbd06af680d71329a11693bc778
- *
- * M:
- * x: 31406539342727633121250288103050113562375374900226415211311216773867585644232
- * y: 21177308356423958466833845032658859666296341766942662650232962324899758529114
- * encoded: 5ada7e4bf6ddd9adb6626d32131c6b5c51a1e347a3478f53cfcf441b88eed12e
- *
- * These points and their precomputation tables are generated with the
- * following Python code. For a description of the precomputation table,
- * see curve25519.c in this directory.
- *
- * Exact copies of the source code are kept in bug 27296743.
- *
- * import hashlib
- * import ed25519 as E # http://ed25519.cr.yp.to/python/ed25519.py
- *
- * SEED_N = 'edwards25519 point generation seed (N)'
- * SEED_M = 'edwards25519 point generation seed (M)'
- *
- * def genpoint(seed):
- * v = hashlib.sha256(seed).digest()
- * it = 1
- * while True:
- * try:
- * x,y = E.decodepoint(v)
- * except Exception, e:
- * print e
- * it += 1
- * v = hashlib.sha256(v).digest()
- * continue
- * print "Found in %d iterations:" % it
- * print " x = %d" % x
- * print " y = %d" % y
- * print " Encoded (hex)"
- * print E.encodepoint((x,y)).encode('hex')
- * return (x,y)
- *
- * def gentable(P):
- * t = []
- * for i in range(1,16):
- * k = (i >> 3 & 1) * (1 << 192) + \
- * (i >> 2 & 1) * (1 << 128) + \
- * (i >> 1 & 1) * (1 << 64) + \
- * (i & 1)
- * t.append(E.scalarmult(P, k))
- * return ''.join(E.encodeint(x) + E.encodeint(y) for (x,y) in t)
- *
- * def printtable(table, name):
- * print "static const uint8_t %s[15 * 2 * 32] = {" % name,
- * for i in range(15 * 2 * 32):
- * if i % 12 == 0:
- * print "\n ",
- * print " 0x%02x," % ord(table[i]),
- * print "\n};"
- *
- * if __name__ == "__main__":
- * print "Searching for N"
- * N = genpoint(SEED_N)
- * print "Generating precomputation table for N"
- * Ntable = gentable(N)
- * printtable(Ntable, "kSpakeNSmallPrecomp")
- *
- * print "Searching for M"
- * M = genpoint(SEED_M)
- * print "Generating precomputation table for M"
- * Mtable = gentable(M)
- * printtable(Mtable, "kSpakeMSmallPrecomp")
- */
+// The following precomputation tables are for the following
+// points used in the SPAKE2 protocol.
+//
+// N:
+// x: 49918732221787544735331783592030787422991506689877079631459872391322455579424
+// y: 54629554431565467720832445949441049581317094546788069926228343916274969994000
+// encoded: 10e3df0ae37d8e7a99b5fe74b44672103dbddcbd06af680d71329a11693bc778
+//
+// M:
+// x: 31406539342727633121250288103050113562375374900226415211311216773867585644232
+// y: 21177308356423958466833845032658859666296341766942662650232962324899758529114
+// encoded: 5ada7e4bf6ddd9adb6626d32131c6b5c51a1e347a3478f53cfcf441b88eed12e
+//
+// These points and their precomputation tables are generated with the
+// following Python code. For a description of the precomputation table,
+// see curve25519.c in this directory.
+//
+// Exact copies of the source code are kept in bug 27296743.
+//
+// import hashlib
+// import ed25519 as E # http://ed25519.cr.yp.to/python/ed25519.py
+//
+// SEED_N = 'edwards25519 point generation seed (N)'
+// SEED_M = 'edwards25519 point generation seed (M)'
+
+/*
+def genpoint(seed):
+ v = hashlib.sha256(seed).digest()
+ it = 1
+ while True:
+ try:
+ x,y = E.decodepoint(v)
+ except Exception, e:
+ print e
+ it += 1
+ v = hashlib.sha256(v).digest()
+ continue
+ print "Found in %d iterations:" % it
+ print " x = %d" % x
+ print " y = %d" % y
+ print " Encoded (hex)"
+ print E.encodepoint((x,y)).encode('hex')
+ return (x,y)
+
+def gentable(P):
+ t = []
+ for i in range(1,16):
+ k = (i >> 3 & 1) * (1 << 192) + \
+ (i >> 2 & 1) * (1 << 128) + \
+ (i >> 1 & 1) * (1 << 64) + \
+ (i & 1)
+ t.append(E.scalarmult(P, k))
+ return ''.join(E.encodeint(x) + E.encodeint(y) for (x,y) in t)
+
+def printtable(table, name):
+ print "static const uint8_t %s[15 * 2 * 32] = {" % name,
+ for i in range(15 * 2 * 32):
+ if i % 12 == 0:
+ print "\n ",
+ print " 0x%02x," % ord(table[i]),
+ print "\n};"
+
+if __name__ == "__main__":
+ print "Searching for N"
+ N = genpoint(SEED_N)
+ print "Generating precomputation table for N"
+ Ntable = gentable(N)
+ printtable(Ntable, "kSpakeNSmallPrecomp")
+
+ print "Searching for M"
+ M = genpoint(SEED_M)
+ print "Generating precomputation table for M"
+ Mtable = gentable(M)
+ printtable(Mtable, "kSpakeMSmallPrecomp")
+*/
+
static const uint8_t kSpakeNSmallPrecomp[15 * 2 * 32] = {
0x20, 0x1b, 0xc5, 0xb3, 0x43, 0x17, 0x71, 0x10, 0x44, 0x1e, 0x73, 0xb3,
0xae, 0x3f, 0xbf, 0x9f, 0xf5, 0x44, 0xc8, 0x13, 0x8f, 0xd1, 0x01, 0xc2,
@@ -317,8 +319,8 @@
OPENSSL_free(ctx);
}
-/* left_shift_3 sets |n| to |n|*8, where |n| is represented in little-endian
- * order. */
+// left_shift_3 sets |n| to |n|*8, where |n| is represented in little-endian
+// order.
static void left_shift_3(uint8_t n[32]) {
uint8_t carry = 0;
unsigned i;
@@ -344,15 +346,15 @@
uint8_t private_tmp[64];
RAND_bytes(private_tmp, sizeof(private_tmp));
x25519_sc_reduce(private_tmp);
- /* Multiply by the cofactor (eight) so that we'll clear it when operating on
- * the peer's point later in the protocol. */
+ // Multiply by the cofactor (eight) so that we'll clear it when operating on
+ // the peer's point later in the protocol.
left_shift_3(private_tmp);
OPENSSL_memcpy(ctx->private_key, private_tmp, sizeof(ctx->private_key));
ge_p3 P;
x25519_ge_scalarmult_base(&P, ctx->private_key);
- /* mask = h(password) * <N or M>. */
+ // mask = h(password) * <N or M>.
uint8_t password_tmp[SHA512_DIGEST_LENGTH];
SHA512(password, password_len, password_tmp);
OPENSSL_memcpy(ctx->password_hash, password_tmp, sizeof(ctx->password_hash));
@@ -365,13 +367,13 @@
? kSpakeMSmallPrecomp
: kSpakeNSmallPrecomp);
- /* P* = P + mask. */
+ // P* = P + mask.
ge_cached mask_cached;
x25519_ge_p3_to_cached(&mask_cached, &mask);
ge_p1p1 Pstar;
x25519_ge_add(&Pstar, &P, &mask_cached);
- /* Encode P* */
+ // Encode P*
ge_p2 Pstar_proj;
x25519_ge_p1p1_to_p2(&Pstar_proj, &Pstar);
x25519_ge_tobytes(ctx->my_msg, &Pstar_proj);
@@ -408,11 +410,11 @@
ge_p3 Qstar;
if (0 != x25519_ge_frombytes_vartime(&Qstar, their_msg)) {
- /* Point received from peer was not on the curve. */
+ // Point received from peer was not on the curve.
return 0;
}
- /* Unmask peer's value. */
+ // Unmask peer's value.
ge_p3 peers_mask;
x25519_ge_scalarmult_small_precomp(&peers_mask, ctx->password_scalar,
ctx->my_role == spake2_role_alice
diff --git a/src/crypto/curve25519/spake25519_test.cc b/src/crypto/curve25519/spake25519_test.cc
index 97f17b7..cdf4ff5 100644
--- a/src/crypto/curve25519/spake25519_test.cc
+++ b/src/crypto/curve25519/spake25519_test.cc
@@ -25,7 +25,7 @@
#include "../internal.h"
-/* TODO(agl): add tests with fixed vectors once SPAKE2 is nailed down. */
+// TODO(agl): add tests with fixed vectors once SPAKE2 is nailed down.
struct SPAKE2Run {
bool Run() {
diff --git a/src/crypto/curve25519/x25519-x86_64.c b/src/crypto/curve25519/x25519-x86_64.c
index 9c3d414..d677b52 100644
--- a/src/crypto/curve25519/x25519-x86_64.c
+++ b/src/crypto/curve25519/x25519-x86_64.c
@@ -12,12 +12,12 @@
* OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN
* CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. */
-/* This code is mostly taken from the ref10 version of Ed25519 in SUPERCOP
- * 20141124 (http://bench.cr.yp.to/supercop.html). That code is released as
- * public domain but this file has the ISC license just to keep licencing
- * simple.
- *
- * The field functions are shared by Ed25519 and X25519 where possible. */
+// This code is mostly taken from the ref10 version of Ed25519 in SUPERCOP
+// 20141124 (http://bench.cr.yp.to/supercop.html). That code is released as
+// public domain but this file has the ISC license just to keep licencing
+// simple.
+//
+// The field functions are shared by Ed25519 and X25519 where possible.
#include <openssl/curve25519.h>
@@ -31,7 +31,7 @@
typedef struct { uint64_t v[5]; } fe25519;
-/* These functions are defined in asm/x25519-x86_64.S */
+// These functions are defined in asm/x25519-x86_64.S
void x25519_x86_64_work_cswap(fe25519 *, uint64_t);
void x25519_x86_64_mul(fe25519 *out, const fe25519 *a, const fe25519 *b);
void x25519_x86_64_square(fe25519 *out, const fe25519 *a);
@@ -46,7 +46,7 @@
r->v[4] = 0;
}
-/* Assumes input x being reduced below 2^255 */
+// Assumes input x being reduced below 2^255
static void fe25519_pack(unsigned char r[32], const fe25519 *x) {
fe25519 t;
t = *x;
@@ -244,4 +244,4 @@
fe25519_pack(out, &t);
}
-#endif /* BORINGSSL_X25519_X86_64 */
+#endif // BORINGSSL_X25519_X86_64
diff --git a/src/crypto/dh/check.c b/src/crypto/dh/check.c
index 55fc1c3..454ad44 100644
--- a/src/crypto/dh/check.c
+++ b/src/crypto/dh/check.c
@@ -70,7 +70,7 @@
int ok = 0;
- /* Check |pub_key| is greater than 1. */
+ // Check |pub_key| is greater than 1.
BIGNUM *tmp = BN_CTX_get(ctx);
if (tmp == NULL ||
!BN_set_word(tmp, 1)) {
@@ -80,7 +80,7 @@
*out_flags |= DH_CHECK_PUBKEY_TOO_SMALL;
}
- /* Check |pub_key| is less than |dh->p| - 1. */
+ // Check |pub_key| is less than |dh->p| - 1.
if (!BN_copy(tmp, dh->p) ||
!BN_sub_word(tmp, 1)) {
goto err;
@@ -90,9 +90,9 @@
}
if (dh->q != NULL) {
- /* Check |pub_key|^|dh->q| is 1 mod |dh->p|. This is necessary for RFC 5114
- * groups which are not safe primes but pick a generator on a prime-order
- * subgroup of size |dh->q|. */
+ // Check |pub_key|^|dh->q| is 1 mod |dh->p|. This is necessary for RFC 5114
+ // groups which are not safe primes but pick a generator on a prime-order
+ // subgroup of size |dh->q|.
if (!BN_mod_exp_mont(tmp, pub_key, dh->q, dh->p, ctx, NULL)) {
goto err;
}
@@ -111,13 +111,12 @@
int DH_check(const DH *dh, int *out_flags) {
- /* Check that p is a safe prime and if g is 2, 3 or 5, check that it is a
- * suitable generator where:
- * for 2, p mod 24 == 11
- * for 3, p mod 12 == 5
- * for 5, p mod 10 == 3 or 7
- * should hold.
- */
+ // Check that p is a safe prime and if g is 2, 3 or 5, check that it is a
+ // suitable generator where:
+ // for 2, p mod 24 == 11
+ // for 3, p mod 12 == 5
+ // for 5, p mod 10 == 3 or 7
+ // should hold.
int ok = 0, r;
BN_CTX *ctx = NULL;
BN_ULONG l;
@@ -144,7 +143,7 @@
} else if (BN_cmp(dh->g, dh->p) >= 0) {
*out_flags |= DH_CHECK_NOT_SUITABLE_GENERATOR;
} else {
- /* Check g^q == 1 mod p */
+ // Check g^q == 1 mod p
if (!BN_mod_exp_mont(t1, dh->g, dh->q, dh->p, ctx, NULL)) {
goto err;
}
@@ -159,7 +158,7 @@
if (!r) {
*out_flags |= DH_CHECK_Q_NOT_PRIME;
}
- /* Check p == 1 mod q i.e. q divides p - 1 */
+ // Check p == 1 mod q i.e. q divides p - 1
if (!BN_div(t1, t2, dh->p, dh->q, ctx)) {
goto err;
}
diff --git a/src/crypto/dh/dh.c b/src/crypto/dh/dh.c
index c884ae3..3356776 100644
--- a/src/crypto/dh/dh.c
+++ b/src/crypto/dh/dh.c
@@ -138,32 +138,30 @@
}
int DH_generate_parameters_ex(DH *dh, int prime_bits, int generator, BN_GENCB *cb) {
- /* We generate DH parameters as follows
- * find a prime q which is prime_bits/2 bits long.
- * p=(2*q)+1 or (p-1)/2 = q
- * For this case, g is a generator if
- * g^((p-1)/q) mod p != 1 for values of q which are the factors of p-1.
- * Since the factors of p-1 are q and 2, we just need to check
- * g^2 mod p != 1 and g^q mod p != 1.
- *
- * Having said all that,
- * there is another special case method for the generators 2, 3 and 5.
- * for 2, p mod 24 == 11
- * for 3, p mod 12 == 5 <<<<< does not work for safe primes.
- * for 5, p mod 10 == 3 or 7
- *
- * Thanks to Phil Karn <karn@qualcomm.com> for the pointers about the
- * special generators and for answering some of my questions.
- *
- * I've implemented the second simple method :-).
- * Since DH should be using a safe prime (both p and q are prime),
- * this generator function can take a very very long time to run.
- */
+ // We generate DH parameters as follows
+ // find a prime q which is prime_bits/2 bits long.
+ // p=(2*q)+1 or (p-1)/2 = q
+ // For this case, g is a generator if
+ // g^((p-1)/q) mod p != 1 for values of q which are the factors of p-1.
+ // Since the factors of p-1 are q and 2, we just need to check
+ // g^2 mod p != 1 and g^q mod p != 1.
+ //
+ // Having said all that,
+ // there is another special case method for the generators 2, 3 and 5.
+ // for 2, p mod 24 == 11
+ // for 3, p mod 12 == 5 <<<<< does not work for safe primes.
+ // for 5, p mod 10 == 3 or 7
+ //
+ // Thanks to Phil Karn <karn@qualcomm.com> for the pointers about the
+ // special generators and for answering some of my questions.
+ //
+ // I've implemented the second simple method :-).
+ // Since DH should be using a safe prime (both p and q are prime),
+ // this generator function can take a very very long time to run.
- /* Actually there is no reason to insist that 'generator' be a generator.
- * It's just as OK (and in some sense better) to use a generator of the
- * order-q subgroup.
- */
+ // Actually there is no reason to insist that 'generator' be a generator.
+ // It's just as OK (and in some sense better) to use a generator of the
+ // order-q subgroup.
BIGNUM *t1, *t2;
int g, ok = 0;
@@ -180,7 +178,7 @@
goto err;
}
- /* Make sure |dh| has the necessary elements */
+ // Make sure |dh| has the necessary elements
if (dh->p == NULL) {
dh->p = BN_new();
if (dh->p == NULL) {
@@ -213,14 +211,14 @@
if (!BN_set_word(t2, 3)) {
goto err;
}
- /* BN_set_word(t3,7); just have to miss
- * out on these ones :-( */
+ // BN_set_word(t3,7); just have to miss
+ // out on these ones :-(
g = 5;
} else {
- /* in the general case, don't worry if 'generator' is a
- * generator or not: since we are using safe primes,
- * it will generate either an order-q or an order-2q group,
- * which both is OK */
+ // in the general case, don't worry if 'generator' is a
+ // generator or not: since we are using safe primes,
+ // it will generate either an order-q or an order-2q group,
+ // which both is OK
if (!BN_set_word(t1, 2)) {
goto err;
}
@@ -299,7 +297,7 @@
goto err;
}
} else {
- /* secret exponent length */
+ // secret exponent length
unsigned priv_bits = dh->priv_length;
if (priv_bits == 0) {
const unsigned p_bits = BN_num_bits(dh->p);
diff --git a/src/crypto/dh/dh_asn1.c b/src/crypto/dh/dh_asn1.c
index 1a147ee..9d32180 100644
--- a/src/crypto/dh/dh_asn1.c
+++ b/src/crypto/dh/dh_asn1.c
@@ -76,7 +76,7 @@
static int marshal_integer(CBB *cbb, BIGNUM *bn) {
if (bn == NULL) {
- /* A DH object may be missing some components. */
+ // A DH object may be missing some components.
OPENSSL_PUT_ERROR(DH, ERR_R_PASSED_NULL_PARAMETER);
return 0;
}
diff --git a/src/crypto/dh/dh_test.cc b/src/crypto/dh/dh_test.cc
index e08664f..c77e7e4 100644
--- a/src/crypto/dh/dh_test.cc
+++ b/src/crypto/dh/dh_test.cc
@@ -74,7 +74,6 @@
static bool RunBasicTests();
-static bool RunRFC5114Tests();
static bool TestBadY();
static bool TestASN1();
static bool TestRFC3526();
@@ -82,7 +81,6 @@
// TODO(davidben): Convert this file to GTest properly.
TEST(DHTest, AllTests) {
if (!RunBasicTests() ||
- !RunRFC5114Tests() ||
!TestBadY() ||
!TestASN1() ||
!TestRFC3526()) {
@@ -203,284 +201,61 @@
return true;
}
-/* Test data from RFC 5114 */
-
-static const uint8_t kDHTest1024_160_xA[] = {
- 0xB9, 0xA3, 0xB3, 0xAE, 0x8F, 0xEF, 0xC1, 0xA2, 0x93, 0x04,
- 0x96, 0x50, 0x70, 0x86, 0xF8, 0x45, 0x5D, 0x48, 0x94, 0x3E};
-static const uint8_t kDHTest1024_160_yA[] = {
- 0x2A, 0x85, 0x3B, 0x3D, 0x92, 0x19, 0x75, 0x01, 0xB9, 0x01, 0x5B, 0x2D,
- 0xEB, 0x3E, 0xD8, 0x4F, 0x5E, 0x02, 0x1D, 0xCC, 0x3E, 0x52, 0xF1, 0x09,
- 0xD3, 0x27, 0x3D, 0x2B, 0x75, 0x21, 0x28, 0x1C, 0xBA, 0xBE, 0x0E, 0x76,
- 0xFF, 0x57, 0x27, 0xFA, 0x8A, 0xCC, 0xE2, 0x69, 0x56, 0xBA, 0x9A, 0x1F,
- 0xCA, 0x26, 0xF2, 0x02, 0x28, 0xD8, 0x69, 0x3F, 0xEB, 0x10, 0x84, 0x1D,
- 0x84, 0xA7, 0x36, 0x00, 0x54, 0xEC, 0xE5, 0xA7, 0xF5, 0xB7, 0xA6, 0x1A,
- 0xD3, 0xDF, 0xB3, 0xC6, 0x0D, 0x2E, 0x43, 0x10, 0x6D, 0x87, 0x27, 0xDA,
- 0x37, 0xDF, 0x9C, 0xCE, 0x95, 0xB4, 0x78, 0x75, 0x5D, 0x06, 0xBC, 0xEA,
- 0x8F, 0x9D, 0x45, 0x96, 0x5F, 0x75, 0xA5, 0xF3, 0xD1, 0xDF, 0x37, 0x01,
- 0x16, 0x5F, 0xC9, 0xE5, 0x0C, 0x42, 0x79, 0xCE, 0xB0, 0x7F, 0x98, 0x95,
- 0x40, 0xAE, 0x96, 0xD5, 0xD8, 0x8E, 0xD7, 0x76};
-static const uint8_t kDHTest1024_160_xB[] = {
- 0x93, 0x92, 0xC9, 0xF9, 0xEB, 0x6A, 0x7A, 0x6A, 0x90, 0x22,
- 0xF7, 0xD8, 0x3E, 0x72, 0x23, 0xC6, 0x83, 0x5B, 0xBD, 0xDA};
-static const uint8_t kDHTest1024_160_yB[] = {
- 0x71, 0x7A, 0x6C, 0xB0, 0x53, 0x37, 0x1F, 0xF4, 0xA3, 0xB9, 0x32, 0x94,
- 0x1C, 0x1E, 0x56, 0x63, 0xF8, 0x61, 0xA1, 0xD6, 0xAD, 0x34, 0xAE, 0x66,
- 0x57, 0x6D, 0xFB, 0x98, 0xF6, 0xC6, 0xCB, 0xF9, 0xDD, 0xD5, 0xA5, 0x6C,
- 0x78, 0x33, 0xF6, 0xBC, 0xFD, 0xFF, 0x09, 0x55, 0x82, 0xAD, 0x86, 0x8E,
- 0x44, 0x0E, 0x8D, 0x09, 0xFD, 0x76, 0x9E, 0x3C, 0xEC, 0xCD, 0xC3, 0xD3,
- 0xB1, 0xE4, 0xCF, 0xA0, 0x57, 0x77, 0x6C, 0xAA, 0xF9, 0x73, 0x9B, 0x6A,
- 0x9F, 0xEE, 0x8E, 0x74, 0x11, 0xF8, 0xD6, 0xDA, 0xC0, 0x9D, 0x6A, 0x4E,
- 0xDB, 0x46, 0xCC, 0x2B, 0x5D, 0x52, 0x03, 0x09, 0x0E, 0xAE, 0x61, 0x26,
- 0x31, 0x1E, 0x53, 0xFD, 0x2C, 0x14, 0xB5, 0x74, 0xE6, 0xA3, 0x10, 0x9A,
- 0x3D, 0xA1, 0xBE, 0x41, 0xBD, 0xCE, 0xAA, 0x18, 0x6F, 0x5C, 0xE0, 0x67,
- 0x16, 0xA2, 0xB6, 0xA0, 0x7B, 0x3C, 0x33, 0xFE};
-static const uint8_t kDHTest1024_160_Z[] = {
- 0x5C, 0x80, 0x4F, 0x45, 0x4D, 0x30, 0xD9, 0xC4, 0xDF, 0x85, 0x27, 0x1F,
- 0x93, 0x52, 0x8C, 0x91, 0xDF, 0x6B, 0x48, 0xAB, 0x5F, 0x80, 0xB3, 0xB5,
- 0x9C, 0xAA, 0xC1, 0xB2, 0x8F, 0x8A, 0xCB, 0xA9, 0xCD, 0x3E, 0x39, 0xF3,
- 0xCB, 0x61, 0x45, 0x25, 0xD9, 0x52, 0x1D, 0x2E, 0x64, 0x4C, 0x53, 0xB8,
- 0x07, 0xB8, 0x10, 0xF3, 0x40, 0x06, 0x2F, 0x25, 0x7D, 0x7D, 0x6F, 0xBF,
- 0xE8, 0xD5, 0xE8, 0xF0, 0x72, 0xE9, 0xB6, 0xE9, 0xAF, 0xDA, 0x94, 0x13,
- 0xEA, 0xFB, 0x2E, 0x8B, 0x06, 0x99, 0xB1, 0xFB, 0x5A, 0x0C, 0xAC, 0xED,
- 0xDE, 0xAE, 0xAD, 0x7E, 0x9C, 0xFB, 0xB3, 0x6A, 0xE2, 0xB4, 0x20, 0x83,
- 0x5B, 0xD8, 0x3A, 0x19, 0xFB, 0x0B, 0x5E, 0x96, 0xBF, 0x8F, 0xA4, 0xD0,
- 0x9E, 0x34, 0x55, 0x25, 0x16, 0x7E, 0xCD, 0x91, 0x55, 0x41, 0x6F, 0x46,
- 0xF4, 0x08, 0xED, 0x31, 0xB6, 0x3C, 0x6E, 0x6D};
-static const uint8_t kDHTest2048_224_xA[] = {
- 0x22, 0xE6, 0x26, 0x01, 0xDB, 0xFF, 0xD0, 0x67, 0x08, 0xA6,
- 0x80, 0xF7, 0x47, 0xF3, 0x61, 0xF7, 0x6D, 0x8F, 0x4F, 0x72,
- 0x1A, 0x05, 0x48, 0xE4, 0x83, 0x29, 0x4B, 0x0C};
-static const uint8_t kDHTest2048_224_yA[] = {
- 0x1B, 0x3A, 0x63, 0x45, 0x1B, 0xD8, 0x86, 0xE6, 0x99, 0xE6, 0x7B, 0x49,
- 0x4E, 0x28, 0x8B, 0xD7, 0xF8, 0xE0, 0xD3, 0x70, 0xBA, 0xDD, 0xA7, 0xA0,
- 0xEF, 0xD2, 0xFD, 0xE7, 0xD8, 0xF6, 0x61, 0x45, 0xCC, 0x9F, 0x28, 0x04,
- 0x19, 0x97, 0x5E, 0xB8, 0x08, 0x87, 0x7C, 0x8A, 0x4C, 0x0C, 0x8E, 0x0B,
- 0xD4, 0x8D, 0x4A, 0x54, 0x01, 0xEB, 0x1E, 0x87, 0x76, 0xBF, 0xEE, 0xE1,
- 0x34, 0xC0, 0x38, 0x31, 0xAC, 0x27, 0x3C, 0xD9, 0xD6, 0x35, 0xAB, 0x0C,
- 0xE0, 0x06, 0xA4, 0x2A, 0x88, 0x7E, 0x3F, 0x52, 0xFB, 0x87, 0x66, 0xB6,
- 0x50, 0xF3, 0x80, 0x78, 0xBC, 0x8E, 0xE8, 0x58, 0x0C, 0xEF, 0xE2, 0x43,
- 0x96, 0x8C, 0xFC, 0x4F, 0x8D, 0xC3, 0xDB, 0x08, 0x45, 0x54, 0x17, 0x1D,
- 0x41, 0xBF, 0x2E, 0x86, 0x1B, 0x7B, 0xB4, 0xD6, 0x9D, 0xD0, 0xE0, 0x1E,
- 0xA3, 0x87, 0xCB, 0xAA, 0x5C, 0xA6, 0x72, 0xAF, 0xCB, 0xE8, 0xBD, 0xB9,
- 0xD6, 0x2D, 0x4C, 0xE1, 0x5F, 0x17, 0xDD, 0x36, 0xF9, 0x1E, 0xD1, 0xEE,
- 0xDD, 0x65, 0xCA, 0x4A, 0x06, 0x45, 0x5C, 0xB9, 0x4C, 0xD4, 0x0A, 0x52,
- 0xEC, 0x36, 0x0E, 0x84, 0xB3, 0xC9, 0x26, 0xE2, 0x2C, 0x43, 0x80, 0xA3,
- 0xBF, 0x30, 0x9D, 0x56, 0x84, 0x97, 0x68, 0xB7, 0xF5, 0x2C, 0xFD, 0xF6,
- 0x55, 0xFD, 0x05, 0x3A, 0x7E, 0xF7, 0x06, 0x97, 0x9E, 0x7E, 0x58, 0x06,
- 0xB1, 0x7D, 0xFA, 0xE5, 0x3A, 0xD2, 0xA5, 0xBC, 0x56, 0x8E, 0xBB, 0x52,
- 0x9A, 0x7A, 0x61, 0xD6, 0x8D, 0x25, 0x6F, 0x8F, 0xC9, 0x7C, 0x07, 0x4A,
- 0x86, 0x1D, 0x82, 0x7E, 0x2E, 0xBC, 0x8C, 0x61, 0x34, 0x55, 0x31, 0x15,
- 0xB7, 0x0E, 0x71, 0x03, 0x92, 0x0A, 0xA1, 0x6D, 0x85, 0xE5, 0x2B, 0xCB,
- 0xAB, 0x8D, 0x78, 0x6A, 0x68, 0x17, 0x8F, 0xA8, 0xFF, 0x7C, 0x2F, 0x5C,
- 0x71, 0x64, 0x8D, 0x6F};
-static const uint8_t kDHTest2048_224_xB[] = {
- 0x4F, 0xF3, 0xBC, 0x96, 0xC7, 0xFC, 0x6A, 0x6D, 0x71, 0xD3,
- 0xB3, 0x63, 0x80, 0x0A, 0x7C, 0xDF, 0xEF, 0x6F, 0xC4, 0x1B,
- 0x44, 0x17, 0xEA, 0x15, 0x35, 0x3B, 0x75, 0x90};
-static const uint8_t kDHTest2048_224_yB[] = {
- 0x4D, 0xCE, 0xE9, 0x92, 0xA9, 0x76, 0x2A, 0x13, 0xF2, 0xF8, 0x38, 0x44,
- 0xAD, 0x3D, 0x77, 0xEE, 0x0E, 0x31, 0xC9, 0x71, 0x8B, 0x3D, 0xB6, 0xC2,
- 0x03, 0x5D, 0x39, 0x61, 0x18, 0x2C, 0x3E, 0x0B, 0xA2, 0x47, 0xEC, 0x41,
- 0x82, 0xD7, 0x60, 0xCD, 0x48, 0xD9, 0x95, 0x99, 0x97, 0x06, 0x22, 0xA1,
- 0x88, 0x1B, 0xBA, 0x2D, 0xC8, 0x22, 0x93, 0x9C, 0x78, 0xC3, 0x91, 0x2C,
- 0x66, 0x61, 0xFA, 0x54, 0x38, 0xB2, 0x07, 0x66, 0x22, 0x2B, 0x75, 0xE2,
- 0x4C, 0x2E, 0x3A, 0xD0, 0xC7, 0x28, 0x72, 0x36, 0x12, 0x95, 0x25, 0xEE,
- 0x15, 0xB5, 0xDD, 0x79, 0x98, 0xAA, 0x04, 0xC4, 0xA9, 0x69, 0x6C, 0xAC,
- 0xD7, 0x17, 0x20, 0x83, 0xA9, 0x7A, 0x81, 0x66, 0x4E, 0xAD, 0x2C, 0x47,
- 0x9E, 0x44, 0x4E, 0x4C, 0x06, 0x54, 0xCC, 0x19, 0xE2, 0x8D, 0x77, 0x03,
- 0xCE, 0xE8, 0xDA, 0xCD, 0x61, 0x26, 0xF5, 0xD6, 0x65, 0xEC, 0x52, 0xC6,
- 0x72, 0x55, 0xDB, 0x92, 0x01, 0x4B, 0x03, 0x7E, 0xB6, 0x21, 0xA2, 0xAC,
- 0x8E, 0x36, 0x5D, 0xE0, 0x71, 0xFF, 0xC1, 0x40, 0x0A, 0xCF, 0x07, 0x7A,
- 0x12, 0x91, 0x3D, 0xD8, 0xDE, 0x89, 0x47, 0x34, 0x37, 0xAB, 0x7B, 0xA3,
- 0x46, 0x74, 0x3C, 0x1B, 0x21, 0x5D, 0xD9, 0xC1, 0x21, 0x64, 0xA7, 0xE4,
- 0x05, 0x31, 0x18, 0xD1, 0x99, 0xBE, 0xC8, 0xEF, 0x6F, 0xC5, 0x61, 0x17,
- 0x0C, 0x84, 0xC8, 0x7D, 0x10, 0xEE, 0x9A, 0x67, 0x4A, 0x1F, 0xA8, 0xFF,
- 0xE1, 0x3B, 0xDF, 0xBA, 0x1D, 0x44, 0xDE, 0x48, 0x94, 0x6D, 0x68, 0xDC,
- 0x0C, 0xDD, 0x77, 0x76, 0x35, 0xA7, 0xAB, 0x5B, 0xFB, 0x1E, 0x4B, 0xB7,
- 0xB8, 0x56, 0xF9, 0x68, 0x27, 0x73, 0x4C, 0x18, 0x41, 0x38, 0xE9, 0x15,
- 0xD9, 0xC3, 0x00, 0x2E, 0xBC, 0xE5, 0x31, 0x20, 0x54, 0x6A, 0x7E, 0x20,
- 0x02, 0x14, 0x2B, 0x6C};
-static const uint8_t kDHTest2048_224_Z[] = {
- 0x34, 0xD9, 0xBD, 0xDC, 0x1B, 0x42, 0x17, 0x6C, 0x31, 0x3F, 0xEA, 0x03,
- 0x4C, 0x21, 0x03, 0x4D, 0x07, 0x4A, 0x63, 0x13, 0xBB, 0x4E, 0xCD, 0xB3,
- 0x70, 0x3F, 0xFF, 0x42, 0x45, 0x67, 0xA4, 0x6B, 0xDF, 0x75, 0x53, 0x0E,
- 0xDE, 0x0A, 0x9D, 0xA5, 0x22, 0x9D, 0xE7, 0xD7, 0x67, 0x32, 0x28, 0x6C,
- 0xBC, 0x0F, 0x91, 0xDA, 0x4C, 0x3C, 0x85, 0x2F, 0xC0, 0x99, 0xC6, 0x79,
- 0x53, 0x1D, 0x94, 0xC7, 0x8A, 0xB0, 0x3D, 0x9D, 0xEC, 0xB0, 0xA4, 0xE4,
- 0xCA, 0x8B, 0x2B, 0xB4, 0x59, 0x1C, 0x40, 0x21, 0xCF, 0x8C, 0xE3, 0xA2,
- 0x0A, 0x54, 0x1D, 0x33, 0x99, 0x40, 0x17, 0xD0, 0x20, 0x0A, 0xE2, 0xC9,
- 0x51, 0x6E, 0x2F, 0xF5, 0x14, 0x57, 0x79, 0x26, 0x9E, 0x86, 0x2B, 0x0F,
- 0xB4, 0x74, 0xA2, 0xD5, 0x6D, 0xC3, 0x1E, 0xD5, 0x69, 0xA7, 0x70, 0x0B,
- 0x4C, 0x4A, 0xB1, 0x6B, 0x22, 0xA4, 0x55, 0x13, 0x53, 0x1E, 0xF5, 0x23,
- 0xD7, 0x12, 0x12, 0x07, 0x7B, 0x5A, 0x16, 0x9B, 0xDE, 0xFF, 0xAD, 0x7A,
- 0xD9, 0x60, 0x82, 0x84, 0xC7, 0x79, 0x5B, 0x6D, 0x5A, 0x51, 0x83, 0xB8,
- 0x70, 0x66, 0xDE, 0x17, 0xD8, 0xD6, 0x71, 0xC9, 0xEB, 0xD8, 0xEC, 0x89,
- 0x54, 0x4D, 0x45, 0xEC, 0x06, 0x15, 0x93, 0xD4, 0x42, 0xC6, 0x2A, 0xB9,
- 0xCE, 0x3B, 0x1C, 0xB9, 0x94, 0x3A, 0x1D, 0x23, 0xA5, 0xEA, 0x3B, 0xCF,
- 0x21, 0xA0, 0x14, 0x71, 0xE6, 0x7E, 0x00, 0x3E, 0x7F, 0x8A, 0x69, 0xC7,
- 0x28, 0xBE, 0x49, 0x0B, 0x2F, 0xC8, 0x8C, 0xFE, 0xB9, 0x2D, 0xB6, 0xA2,
- 0x15, 0xE5, 0xD0, 0x3C, 0x17, 0xC4, 0x64, 0xC9, 0xAC, 0x1A, 0x46, 0xE2,
- 0x03, 0xE1, 0x3F, 0x95, 0x29, 0x95, 0xFB, 0x03, 0xC6, 0x9D, 0x3C, 0xC4,
- 0x7F, 0xCB, 0x51, 0x0B, 0x69, 0x98, 0xFF, 0xD3, 0xAA, 0x6D, 0xE7, 0x3C,
- 0xF9, 0xF6, 0x38, 0x69};
-static const uint8_t kDHTest2048_256_xA[] = {
- 0x08, 0x81, 0x38, 0x2C, 0xDB, 0x87, 0x66, 0x0C, 0x6D, 0xC1, 0x3E,
- 0x61, 0x49, 0x38, 0xD5, 0xB9, 0xC8, 0xB2, 0xF2, 0x48, 0x58, 0x1C,
- 0xC5, 0xE3, 0x1B, 0x35, 0x45, 0x43, 0x97, 0xFC, 0xE5, 0x0E};
-static const uint8_t kDHTest2048_256_yA[] = {
- 0x2E, 0x93, 0x80, 0xC8, 0x32, 0x3A, 0xF9, 0x75, 0x45, 0xBC, 0x49, 0x41,
- 0xDE, 0xB0, 0xEC, 0x37, 0x42, 0xC6, 0x2F, 0xE0, 0xEC, 0xE8, 0x24, 0xA6,
- 0xAB, 0xDB, 0xE6, 0x6C, 0x59, 0xBE, 0xE0, 0x24, 0x29, 0x11, 0xBF, 0xB9,
- 0x67, 0x23, 0x5C, 0xEB, 0xA3, 0x5A, 0xE1, 0x3E, 0x4E, 0xC7, 0x52, 0xBE,
- 0x63, 0x0B, 0x92, 0xDC, 0x4B, 0xDE, 0x28, 0x47, 0xA9, 0xC6, 0x2C, 0xB8,
- 0x15, 0x27, 0x45, 0x42, 0x1F, 0xB7, 0xEB, 0x60, 0xA6, 0x3C, 0x0F, 0xE9,
- 0x15, 0x9F, 0xCC, 0xE7, 0x26, 0xCE, 0x7C, 0xD8, 0x52, 0x3D, 0x74, 0x50,
- 0x66, 0x7E, 0xF8, 0x40, 0xE4, 0x91, 0x91, 0x21, 0xEB, 0x5F, 0x01, 0xC8,
- 0xC9, 0xB0, 0xD3, 0xD6, 0x48, 0xA9, 0x3B, 0xFB, 0x75, 0x68, 0x9E, 0x82,
- 0x44, 0xAC, 0x13, 0x4A, 0xF5, 0x44, 0x71, 0x1C, 0xE7, 0x9A, 0x02, 0xDC,
- 0xC3, 0x42, 0x26, 0x68, 0x47, 0x80, 0xDD, 0xDC, 0xB4, 0x98, 0x59, 0x41,
- 0x06, 0xC3, 0x7F, 0x5B, 0xC7, 0x98, 0x56, 0x48, 0x7A, 0xF5, 0xAB, 0x02,
- 0x2A, 0x2E, 0x5E, 0x42, 0xF0, 0x98, 0x97, 0xC1, 0xA8, 0x5A, 0x11, 0xEA,
- 0x02, 0x12, 0xAF, 0x04, 0xD9, 0xB4, 0xCE, 0xBC, 0x93, 0x7C, 0x3C, 0x1A,
- 0x3E, 0x15, 0xA8, 0xA0, 0x34, 0x2E, 0x33, 0x76, 0x15, 0xC8, 0x4E, 0x7F,
- 0xE3, 0xB8, 0xB9, 0xB8, 0x7F, 0xB1, 0xE7, 0x3A, 0x15, 0xAF, 0x12, 0xA3,
- 0x0D, 0x74, 0x6E, 0x06, 0xDF, 0xC3, 0x4F, 0x29, 0x0D, 0x79, 0x7C, 0xE5,
- 0x1A, 0xA1, 0x3A, 0xA7, 0x85, 0xBF, 0x66, 0x58, 0xAF, 0xF5, 0xE4, 0xB0,
- 0x93, 0x00, 0x3C, 0xBE, 0xAF, 0x66, 0x5B, 0x3C, 0x2E, 0x11, 0x3A, 0x3A,
- 0x4E, 0x90, 0x52, 0x69, 0x34, 0x1D, 0xC0, 0x71, 0x14, 0x26, 0x68, 0x5F,
- 0x4E, 0xF3, 0x7E, 0x86, 0x8A, 0x81, 0x26, 0xFF, 0x3F, 0x22, 0x79, 0xB5,
- 0x7C, 0xA6, 0x7E, 0x29};
-static const uint8_t kDHTest2048_256_xB[] = {
- 0x7D, 0x62, 0xA7, 0xE3, 0xEF, 0x36, 0xDE, 0x61, 0x7B, 0x13, 0xD1,
- 0xAF, 0xB8, 0x2C, 0x78, 0x0D, 0x83, 0xA2, 0x3B, 0xD4, 0xEE, 0x67,
- 0x05, 0x64, 0x51, 0x21, 0xF3, 0x71, 0xF5, 0x46, 0xA5, 0x3D};
-static const uint8_t kDHTest2048_256_yB[] = {
- 0x57, 0x5F, 0x03, 0x51, 0xBD, 0x2B, 0x1B, 0x81, 0x74, 0x48, 0xBD, 0xF8,
- 0x7A, 0x6C, 0x36, 0x2C, 0x1E, 0x28, 0x9D, 0x39, 0x03, 0xA3, 0x0B, 0x98,
- 0x32, 0xC5, 0x74, 0x1F, 0xA2, 0x50, 0x36, 0x3E, 0x7A, 0xCB, 0xC7, 0xF7,
- 0x7F, 0x3D, 0xAC, 0xBC, 0x1F, 0x13, 0x1A, 0xDD, 0x8E, 0x03, 0x36, 0x7E,
- 0xFF, 0x8F, 0xBB, 0xB3, 0xE1, 0xC5, 0x78, 0x44, 0x24, 0x80, 0x9B, 0x25,
- 0xAF, 0xE4, 0xD2, 0x26, 0x2A, 0x1A, 0x6F, 0xD2, 0xFA, 0xB6, 0x41, 0x05,
- 0xCA, 0x30, 0xA6, 0x74, 0xE0, 0x7F, 0x78, 0x09, 0x85, 0x20, 0x88, 0x63,
- 0x2F, 0xC0, 0x49, 0x23, 0x37, 0x91, 0xAD, 0x4E, 0xDD, 0x08, 0x3A, 0x97,
- 0x8B, 0x88, 0x3E, 0xE6, 0x18, 0xBC, 0x5E, 0x0D, 0xD0, 0x47, 0x41, 0x5F,
- 0x2D, 0x95, 0xE6, 0x83, 0xCF, 0x14, 0x82, 0x6B, 0x5F, 0xBE, 0x10, 0xD3,
- 0xCE, 0x41, 0xC6, 0xC1, 0x20, 0xC7, 0x8A, 0xB2, 0x00, 0x08, 0xC6, 0x98,
- 0xBF, 0x7F, 0x0B, 0xCA, 0xB9, 0xD7, 0xF4, 0x07, 0xBE, 0xD0, 0xF4, 0x3A,
- 0xFB, 0x29, 0x70, 0xF5, 0x7F, 0x8D, 0x12, 0x04, 0x39, 0x63, 0xE6, 0x6D,
- 0xDD, 0x32, 0x0D, 0x59, 0x9A, 0xD9, 0x93, 0x6C, 0x8F, 0x44, 0x13, 0x7C,
- 0x08, 0xB1, 0x80, 0xEC, 0x5E, 0x98, 0x5C, 0xEB, 0xE1, 0x86, 0xF3, 0xD5,
- 0x49, 0x67, 0x7E, 0x80, 0x60, 0x73, 0x31, 0xEE, 0x17, 0xAF, 0x33, 0x80,
- 0xA7, 0x25, 0xB0, 0x78, 0x23, 0x17, 0xD7, 0xDD, 0x43, 0xF5, 0x9D, 0x7A,
- 0xF9, 0x56, 0x8A, 0x9B, 0xB6, 0x3A, 0x84, 0xD3, 0x65, 0xF9, 0x22, 0x44,
- 0xED, 0x12, 0x09, 0x88, 0x21, 0x93, 0x02, 0xF4, 0x29, 0x24, 0xC7, 0xCA,
- 0x90, 0xB8, 0x9D, 0x24, 0xF7, 0x1B, 0x0A, 0xB6, 0x97, 0x82, 0x3D, 0x7D,
- 0xEB, 0x1A, 0xFF, 0x5B, 0x0E, 0x8E, 0x4A, 0x45, 0xD4, 0x9F, 0x7F, 0x53,
- 0x75, 0x7E, 0x19, 0x13};
-static const uint8_t kDHTest2048_256_Z[] = {
- 0x86, 0xC7, 0x0B, 0xF8, 0xD0, 0xBB, 0x81, 0xBB, 0x01, 0x07, 0x8A, 0x17,
- 0x21, 0x9C, 0xB7, 0xD2, 0x72, 0x03, 0xDB, 0x2A, 0x19, 0xC8, 0x77, 0xF1,
- 0xD1, 0xF1, 0x9F, 0xD7, 0xD7, 0x7E, 0xF2, 0x25, 0x46, 0xA6, 0x8F, 0x00,
- 0x5A, 0xD5, 0x2D, 0xC8, 0x45, 0x53, 0xB7, 0x8F, 0xC6, 0x03, 0x30, 0xBE,
- 0x51, 0xEA, 0x7C, 0x06, 0x72, 0xCA, 0xC1, 0x51, 0x5E, 0x4B, 0x35, 0xC0,
- 0x47, 0xB9, 0xA5, 0x51, 0xB8, 0x8F, 0x39, 0xDC, 0x26, 0xDA, 0x14, 0xA0,
- 0x9E, 0xF7, 0x47, 0x74, 0xD4, 0x7C, 0x76, 0x2D, 0xD1, 0x77, 0xF9, 0xED,
- 0x5B, 0xC2, 0xF1, 0x1E, 0x52, 0xC8, 0x79, 0xBD, 0x95, 0x09, 0x85, 0x04,
- 0xCD, 0x9E, 0xEC, 0xD8, 0xA8, 0xF9, 0xB3, 0xEF, 0xBD, 0x1F, 0x00, 0x8A,
- 0xC5, 0x85, 0x30, 0x97, 0xD9, 0xD1, 0x83, 0x7F, 0x2B, 0x18, 0xF7, 0x7C,
- 0xD7, 0xBE, 0x01, 0xAF, 0x80, 0xA7, 0xC7, 0xB5, 0xEA, 0x3C, 0xA5, 0x4C,
- 0xC0, 0x2D, 0x0C, 0x11, 0x6F, 0xEE, 0x3F, 0x95, 0xBB, 0x87, 0x39, 0x93,
- 0x85, 0x87, 0x5D, 0x7E, 0x86, 0x74, 0x7E, 0x67, 0x6E, 0x72, 0x89, 0x38,
- 0xAC, 0xBF, 0xF7, 0x09, 0x8E, 0x05, 0xBE, 0x4D, 0xCF, 0xB2, 0x40, 0x52,
- 0xB8, 0x3A, 0xEF, 0xFB, 0x14, 0x78, 0x3F, 0x02, 0x9A, 0xDB, 0xDE, 0x7F,
- 0x53, 0xFA, 0xE9, 0x20, 0x84, 0x22, 0x40, 0x90, 0xE0, 0x07, 0xCE, 0xE9,
- 0x4D, 0x4B, 0xF2, 0xBA, 0xCE, 0x9F, 0xFD, 0x4B, 0x57, 0xD2, 0xAF, 0x7C,
- 0x72, 0x4D, 0x0C, 0xAA, 0x19, 0xBF, 0x05, 0x01, 0xF6, 0xF1, 0x7B, 0x4A,
- 0xA1, 0x0F, 0x42, 0x5E, 0x3E, 0xA7, 0x60, 0x80, 0xB4, 0xB9, 0xD6, 0xB3,
- 0xCE, 0xFE, 0xA1, 0x15, 0xB2, 0xCE, 0xB8, 0x78, 0x9B, 0xB8, 0xA3, 0xB0,
- 0xEA, 0x87, 0xFE, 0xBE, 0x63, 0xB6, 0xC8, 0xF8, 0x46, 0xEC, 0x6D, 0xB0,
- 0xC2, 0x6C, 0x5D, 0x7C};
-
-struct RFC5114TestData {
- DH *(*get_param)(const ENGINE *engine);
- const uint8_t *xA;
- size_t xA_len;
- const uint8_t *yA;
- size_t yA_len;
- const uint8_t *xB;
- size_t xB_len;
- const uint8_t *yB;
- size_t yB_len;
- const uint8_t *Z;
- size_t Z_len;
+// The following parameters are taken from RFC 5114, section 2.2. This is not a
+// safe prime. Do not use these parameters.
+static const uint8_t kRFC5114_2048_224P[] = {
+ 0xad, 0x10, 0x7e, 0x1e, 0x91, 0x23, 0xa9, 0xd0, 0xd6, 0x60, 0xfa, 0xa7,
+ 0x95, 0x59, 0xc5, 0x1f, 0xa2, 0x0d, 0x64, 0xe5, 0x68, 0x3b, 0x9f, 0xd1,
+ 0xb5, 0x4b, 0x15, 0x97, 0xb6, 0x1d, 0x0a, 0x75, 0xe6, 0xfa, 0x14, 0x1d,
+ 0xf9, 0x5a, 0x56, 0xdb, 0xaf, 0x9a, 0x3c, 0x40, 0x7b, 0xa1, 0xdf, 0x15,
+ 0xeb, 0x3d, 0x68, 0x8a, 0x30, 0x9c, 0x18, 0x0e, 0x1d, 0xe6, 0xb8, 0x5a,
+ 0x12, 0x74, 0xa0, 0xa6, 0x6d, 0x3f, 0x81, 0x52, 0xad, 0x6a, 0xc2, 0x12,
+ 0x90, 0x37, 0xc9, 0xed, 0xef, 0xda, 0x4d, 0xf8, 0xd9, 0x1e, 0x8f, 0xef,
+ 0x55, 0xb7, 0x39, 0x4b, 0x7a, 0xd5, 0xb7, 0xd0, 0xb6, 0xc1, 0x22, 0x07,
+ 0xc9, 0xf9, 0x8d, 0x11, 0xed, 0x34, 0xdb, 0xf6, 0xc6, 0xba, 0x0b, 0x2c,
+ 0x8b, 0xbc, 0x27, 0xbe, 0x6a, 0x00, 0xe0, 0xa0, 0xb9, 0xc4, 0x97, 0x08,
+ 0xb3, 0xbf, 0x8a, 0x31, 0x70, 0x91, 0x88, 0x36, 0x81, 0x28, 0x61, 0x30,
+ 0xbc, 0x89, 0x85, 0xdb, 0x16, 0x02, 0xe7, 0x14, 0x41, 0x5d, 0x93, 0x30,
+ 0x27, 0x82, 0x73, 0xc7, 0xde, 0x31, 0xef, 0xdc, 0x73, 0x10, 0xf7, 0x12,
+ 0x1f, 0xd5, 0xa0, 0x74, 0x15, 0x98, 0x7d, 0x9a, 0xdc, 0x0a, 0x48, 0x6d,
+ 0xcd, 0xf9, 0x3a, 0xcc, 0x44, 0x32, 0x83, 0x87, 0x31, 0x5d, 0x75, 0xe1,
+ 0x98, 0xc6, 0x41, 0xa4, 0x80, 0xcd, 0x86, 0xa1, 0xb9, 0xe5, 0x87, 0xe8,
+ 0xbe, 0x60, 0xe6, 0x9c, 0xc9, 0x28, 0xb2, 0xb9, 0xc5, 0x21, 0x72, 0xe4,
+ 0x13, 0x04, 0x2e, 0x9b, 0x23, 0xf1, 0x0b, 0x0e, 0x16, 0xe7, 0x97, 0x63,
+ 0xc9, 0xb5, 0x3d, 0xcf, 0x4b, 0xa8, 0x0a, 0x29, 0xe3, 0xfb, 0x73, 0xc1,
+ 0x6b, 0x8e, 0x75, 0xb9, 0x7e, 0xf3, 0x63, 0xe2, 0xff, 0xa3, 0x1f, 0x71,
+ 0xcf, 0x9d, 0xe5, 0x38, 0x4e, 0x71, 0xb8, 0x1c, 0x0a, 0xc4, 0xdf, 0xfe,
+ 0x0c, 0x10, 0xe6, 0x4f,
};
-
-#define MAKE_RFC5114_TEST_DATA(pre) \
- { \
- DH_get_##pre, kDHTest##pre##_xA, sizeof(kDHTest##pre##_xA), \
- kDHTest##pre##_yA, sizeof(kDHTest##pre##_yA), kDHTest##pre##_xB, \
- sizeof(kDHTest##pre##_xB), kDHTest##pre##_yB, \
- sizeof(kDHTest##pre##_yB), kDHTest##pre##_Z, sizeof(kDHTest##pre##_Z) \
- }
-
-static const RFC5114TestData kRFCTestData[] = {
- MAKE_RFC5114_TEST_DATA(1024_160),
- MAKE_RFC5114_TEST_DATA(2048_224),
- MAKE_RFC5114_TEST_DATA(2048_256),
- };
-
-static bool RunRFC5114Tests() {
- for (unsigned i = 0; i < sizeof(kRFCTestData) / sizeof(RFC5114TestData); i++) {
- const RFC5114TestData *td = kRFCTestData + i;
- /* Set up DH structures setting key components */
- bssl::UniquePtr<DH> dhA(td->get_param(nullptr));
- bssl::UniquePtr<DH> dhB(td->get_param(nullptr));
- if (!dhA || !dhB) {
- fprintf(stderr, "Initialisation error RFC5114 set %u\n", i + 1);
- return false;
- }
-
- dhA->priv_key = BN_bin2bn(td->xA, td->xA_len, nullptr);
- dhA->pub_key = BN_bin2bn(td->yA, td->yA_len, nullptr);
-
- dhB->priv_key = BN_bin2bn(td->xB, td->xB_len, nullptr);
- dhB->pub_key = BN_bin2bn(td->yB, td->yB_len, nullptr);
-
- if (!dhA->priv_key || !dhA->pub_key || !dhB->priv_key || !dhB->pub_key) {
- fprintf(stderr, "BN_bin2bn error RFC5114 set %u\n", i + 1);
- return false;
- }
-
- if ((td->Z_len != (size_t)DH_size(dhA.get())) ||
- (td->Z_len != (size_t)DH_size(dhB.get()))) {
- return false;
- }
-
- std::vector<uint8_t> Z1(DH_size(dhA.get()));
- std::vector<uint8_t> Z2(DH_size(dhB.get()));
- /* Work out shared secrets using both sides and compare
- * with expected values. */
- int ret1 = DH_compute_key(Z1.data(), dhB->pub_key, dhA.get());
- int ret2 = DH_compute_key(Z2.data(), dhA->pub_key, dhB.get());
- if (ret1 < 0 || ret2 < 0) {
- fprintf(stderr, "DH_compute_key error RFC5114 set %u\n", i + 1);
- return false;
- }
-
- if (static_cast<size_t>(ret1) != td->Z_len ||
- OPENSSL_memcmp(Z1.data(), td->Z, td->Z_len) != 0 ||
- static_cast<size_t>(ret2) != td->Z_len ||
- OPENSSL_memcmp(Z2.data(), td->Z, td->Z_len) != 0) {
- fprintf(stderr, "Test failed RFC5114 set %u\n", i + 1);
- return false;
- }
-
- printf("RFC5114 parameter test %u OK\n", i + 1);
- }
-
- return 1;
-}
+static const uint8_t kRFC5114_2048_224G[] = {
+ 0xac, 0x40, 0x32, 0xef, 0x4f, 0x2d, 0x9a, 0xe3, 0x9d, 0xf3, 0x0b, 0x5c,
+ 0x8f, 0xfd, 0xac, 0x50, 0x6c, 0xde, 0xbe, 0x7b, 0x89, 0x99, 0x8c, 0xaf,
+ 0x74, 0x86, 0x6a, 0x08, 0xcf, 0xe4, 0xff, 0xe3, 0xa6, 0x82, 0x4a, 0x4e,
+ 0x10, 0xb9, 0xa6, 0xf0, 0xdd, 0x92, 0x1f, 0x01, 0xa7, 0x0c, 0x4a, 0xfa,
+ 0xab, 0x73, 0x9d, 0x77, 0x00, 0xc2, 0x9f, 0x52, 0xc5, 0x7d, 0xb1, 0x7c,
+ 0x62, 0x0a, 0x86, 0x52, 0xbe, 0x5e, 0x90, 0x01, 0xa8, 0xd6, 0x6a, 0xd7,
+ 0xc1, 0x76, 0x69, 0x10, 0x19, 0x99, 0x02, 0x4a, 0xf4, 0xd0, 0x27, 0x27,
+ 0x5a, 0xc1, 0x34, 0x8b, 0xb8, 0xa7, 0x62, 0xd0, 0x52, 0x1b, 0xc9, 0x8a,
+ 0xe2, 0x47, 0x15, 0x04, 0x22, 0xea, 0x1e, 0xd4, 0x09, 0x93, 0x9d, 0x54,
+ 0xda, 0x74, 0x60, 0xcd, 0xb5, 0xf6, 0xc6, 0xb2, 0x50, 0x71, 0x7c, 0xbe,
+ 0xf1, 0x80, 0xeb, 0x34, 0x11, 0x8e, 0x98, 0xd1, 0x19, 0x52, 0x9a, 0x45,
+ 0xd6, 0xf8, 0x34, 0x56, 0x6e, 0x30, 0x25, 0xe3, 0x16, 0xa3, 0x30, 0xef,
+ 0xbb, 0x77, 0xa8, 0x6f, 0x0c, 0x1a, 0xb1, 0x5b, 0x05, 0x1a, 0xe3, 0xd4,
+ 0x28, 0xc8, 0xf8, 0xac, 0xb7, 0x0a, 0x81, 0x37, 0x15, 0x0b, 0x8e, 0xeb,
+ 0x10, 0xe1, 0x83, 0xed, 0xd1, 0x99, 0x63, 0xdd, 0xd9, 0xe2, 0x63, 0xe4,
+ 0x77, 0x05, 0x89, 0xef, 0x6a, 0xa2, 0x1e, 0x7f, 0x5f, 0x2f, 0xf3, 0x81,
+ 0xb5, 0x39, 0xcc, 0xe3, 0x40, 0x9d, 0x13, 0xcd, 0x56, 0x6a, 0xfb, 0xb4,
+ 0x8d, 0x6c, 0x01, 0x91, 0x81, 0xe1, 0xbc, 0xfe, 0x94, 0xb3, 0x02, 0x69,
+ 0xed, 0xfe, 0x72, 0xfe, 0x9b, 0x6a, 0xa4, 0xbd, 0x7b, 0x5a, 0x0f, 0x1c,
+ 0x71, 0xcf, 0xff, 0x4c, 0x19, 0xc4, 0x18, 0xe1, 0xf6, 0xec, 0x01, 0x79,
+ 0x81, 0xbc, 0x08, 0x7f, 0x2a, 0x70, 0x65, 0xb3, 0x84, 0xb8, 0x90, 0xd3,
+ 0x19, 0x1f, 0x2b, 0xfa,
+};
+static const uint8_t kRFC5114_2048_224Q[] = {
+ 0x80, 0x1c, 0x0d, 0x34, 0xc5, 0x8d, 0x93, 0xfe, 0x99, 0x71,
+ 0x77, 0x10, 0x1f, 0x80, 0x53, 0x5a, 0x47, 0x38, 0xce, 0xbc,
+ 0xbf, 0x38, 0x9a, 0x99, 0xb3, 0x63, 0x71, 0xeb,
+};
// kRFC5114_2048_224BadY is a bad y-coordinate for RFC 5114's 2048-bit MODP
// Group with 224-bit Prime Order Subgroup (section 2.2).
@@ -510,7 +285,14 @@
};
static bool TestBadY() {
- bssl::UniquePtr<DH> dh(DH_get_2048_224(nullptr));
+ bssl::UniquePtr<DH> dh(DH_new());
+ dh->p = BN_bin2bn(kRFC5114_2048_224P, sizeof(kRFC5114_2048_224P), nullptr);
+ dh->g = BN_bin2bn(kRFC5114_2048_224G, sizeof(kRFC5114_2048_224G), nullptr);
+ dh->q = BN_bin2bn(kRFC5114_2048_224Q, sizeof(kRFC5114_2048_224Q), nullptr);
+ if (!dh->p || !dh->g || !dh->q) {
+ return false;
+ }
+
bssl::UniquePtr<BIGNUM> pub_key(
BN_bin2bn(kRFC5114_2048_224BadY, sizeof(kRFC5114_2048_224BadY), nullptr));
if (!dh || !pub_key || !DH_generate_key(dh.get())) {
diff --git a/src/crypto/dh/params.c b/src/crypto/dh/params.c
index 8f65bd3..3336029 100644
--- a/src/crypto/dh/params.c
+++ b/src/crypto/dh/params.c
@@ -57,166 +57,6 @@
#include "../fipsmodule/bn/internal.h"
-static const BN_ULONG dh1024_160_p[] = {
- TOBN(0xDF1FB2BC, 0x2E4A4371), TOBN(0xE68CFDA7, 0x6D4DA708),
- TOBN(0x45BF37DF, 0x365C1A65), TOBN(0xA151AF5F, 0x0DC8B4BD),
- TOBN(0xFAA31A4F, 0xF55BCCC0), TOBN(0x4EFFD6FA, 0xE5644738),
- TOBN(0x98488E9C, 0x219A7372), TOBN(0xACCBDD7D, 0x90C4BD70),
- TOBN(0x24975C3C, 0xD49B83BF), TOBN(0x13ECB4AE, 0xA9061123),
- TOBN(0x9838EF1E, 0x2EE652C0), TOBN(0x6073E286, 0x75A23D18),
- TOBN(0x9A6A9DCA, 0x52D23B61), TOBN(0x52C99FBC, 0xFB06A3C6),
- TOBN(0xDE92DE5E, 0xAE5D54EC), TOBN(0xB10B8F96, 0xA080E01D),
-};
-static const BN_ULONG dh1024_160_g[] = {
- TOBN(0x855E6EEB, 0x22B3B2E5), TOBN(0x858F4DCE, 0xF97C2A24),
- TOBN(0x2D779D59, 0x18D08BC8), TOBN(0xD662A4D1, 0x8E73AFA3),
- TOBN(0x1DBF0A01, 0x69B6A28A), TOBN(0xA6A24C08, 0x7A091F53),
- TOBN(0x909D0D22, 0x63F80A76), TOBN(0xD7FBD7D3, 0xB9A92EE1),
- TOBN(0x5E91547F, 0x9E2749F4), TOBN(0x160217B4, 0xB01B886A),
- TOBN(0x777E690F, 0x5504F213), TOBN(0x266FEA1E, 0x5C41564B),
- TOBN(0xD6406CFF, 0x14266D31), TOBN(0xF8104DD2, 0x58AC507F),
- TOBN(0x6765A442, 0xEFB99905), TOBN(0xA4D1CBD5, 0xC3FD3412),
-};
-static const BN_ULONG dh1024_160_q[] = {
- TOBN(0x64B7CB9D, 0x49462353), TOBN(0x81A8DF27, 0x8ABA4E7D), 0xF518AA87,
-};
-
-static const BN_ULONG dh2048_224_p[] = {
- TOBN(0x0AC4DFFE, 0x0C10E64F), TOBN(0xCF9DE538, 0x4E71B81C),
- TOBN(0x7EF363E2, 0xFFA31F71), TOBN(0xE3FB73C1, 0x6B8E75B9),
- TOBN(0xC9B53DCF, 0x4BA80A29), TOBN(0x23F10B0E, 0x16E79763),
- TOBN(0xC52172E4, 0x13042E9B), TOBN(0xBE60E69C, 0xC928B2B9),
- TOBN(0x80CD86A1, 0xB9E587E8), TOBN(0x315D75E1, 0x98C641A4),
- TOBN(0xCDF93ACC, 0x44328387), TOBN(0x15987D9A, 0xDC0A486D),
- TOBN(0x7310F712, 0x1FD5A074), TOBN(0x278273C7, 0xDE31EFDC),
- TOBN(0x1602E714, 0x415D9330), TOBN(0x81286130, 0xBC8985DB),
- TOBN(0xB3BF8A31, 0x70918836), TOBN(0x6A00E0A0, 0xB9C49708),
- TOBN(0xC6BA0B2C, 0x8BBC27BE), TOBN(0xC9F98D11, 0xED34DBF6),
- TOBN(0x7AD5B7D0, 0xB6C12207), TOBN(0xD91E8FEF, 0x55B7394B),
- TOBN(0x9037C9ED, 0xEFDA4DF8), TOBN(0x6D3F8152, 0xAD6AC212),
- TOBN(0x1DE6B85A, 0x1274A0A6), TOBN(0xEB3D688A, 0x309C180E),
- TOBN(0xAF9A3C40, 0x7BA1DF15), TOBN(0xE6FA141D, 0xF95A56DB),
- TOBN(0xB54B1597, 0xB61D0A75), TOBN(0xA20D64E5, 0x683B9FD1),
- TOBN(0xD660FAA7, 0x9559C51F), TOBN(0xAD107E1E, 0x9123A9D0),
-};
-
-static const BN_ULONG dh2048_224_g[] = {
- TOBN(0x84B890D3, 0x191F2BFA), TOBN(0x81BC087F, 0x2A7065B3),
- TOBN(0x19C418E1, 0xF6EC0179), TOBN(0x7B5A0F1C, 0x71CFFF4C),
- TOBN(0xEDFE72FE, 0x9B6AA4BD), TOBN(0x81E1BCFE, 0x94B30269),
- TOBN(0x566AFBB4, 0x8D6C0191), TOBN(0xB539CCE3, 0x409D13CD),
- TOBN(0x6AA21E7F, 0x5F2FF381), TOBN(0xD9E263E4, 0x770589EF),
- TOBN(0x10E183ED, 0xD19963DD), TOBN(0xB70A8137, 0x150B8EEB),
- TOBN(0x051AE3D4, 0x28C8F8AC), TOBN(0xBB77A86F, 0x0C1AB15B),
- TOBN(0x6E3025E3, 0x16A330EF), TOBN(0x19529A45, 0xD6F83456),
- TOBN(0xF180EB34, 0x118E98D1), TOBN(0xB5F6C6B2, 0x50717CBE),
- TOBN(0x09939D54, 0xDA7460CD), TOBN(0xE2471504, 0x22EA1ED4),
- TOBN(0xB8A762D0, 0x521BC98A), TOBN(0xF4D02727, 0x5AC1348B),
- TOBN(0xC1766910, 0x1999024A), TOBN(0xBE5E9001, 0xA8D66AD7),
- TOBN(0xC57DB17C, 0x620A8652), TOBN(0xAB739D77, 0x00C29F52),
- TOBN(0xDD921F01, 0xA70C4AFA), TOBN(0xA6824A4E, 0x10B9A6F0),
- TOBN(0x74866A08, 0xCFE4FFE3), TOBN(0x6CDEBE7B, 0x89998CAF),
- TOBN(0x9DF30B5C, 0x8FFDAC50), TOBN(0xAC4032EF, 0x4F2D9AE3),
-};
-
-static const BN_ULONG dh2048_224_q[] = {
- TOBN(0xBF389A99, 0xB36371EB), TOBN(0x1F80535A, 0x4738CEBC),
- TOBN(0xC58D93FE, 0x99717710), 0x801C0D34,
-};
-
-static const BN_ULONG dh2048_256_p[] = {
- TOBN(0xDB094AE9, 0x1E1A1597), TOBN(0x693877FA, 0xD7EF09CA),
- TOBN(0x6116D227, 0x6E11715F), TOBN(0xA4B54330, 0xC198AF12),
- TOBN(0x75F26375, 0xD7014103), TOBN(0xC3A3960A, 0x54E710C3),
- TOBN(0xDED4010A, 0xBD0BE621), TOBN(0xC0B857F6, 0x89962856),
- TOBN(0xB3CA3F79, 0x71506026), TOBN(0x1CCACB83, 0xE6B486F6),
- TOBN(0x67E144E5, 0x14056425), TOBN(0xF6A167B5, 0xA41825D9),
- TOBN(0x3AD83477, 0x96524D8E), TOBN(0xF13C6D9A, 0x51BFA4AB),
- TOBN(0x2D525267, 0x35488A0E), TOBN(0xB63ACAE1, 0xCAA6B790),
- TOBN(0x4FDB70C5, 0x81B23F76), TOBN(0xBC39A0BF, 0x12307F5C),
- TOBN(0xB941F54E, 0xB1E59BB8), TOBN(0x6C5BFC11, 0xD45F9088),
- TOBN(0x22E0B1EF, 0x4275BF7B), TOBN(0x91F9E672, 0x5B4758C0),
- TOBN(0x5A8A9D30, 0x6BCF67ED), TOBN(0x209E0C64, 0x97517ABD),
- TOBN(0x3BF4296D, 0x830E9A7C), TOBN(0x16C3D911, 0x34096FAA),
- TOBN(0xFAF7DF45, 0x61B2AA30), TOBN(0xE00DF8F1, 0xD61957D4),
- TOBN(0x5D2CEED4, 0x435E3B00), TOBN(0x8CEEF608, 0x660DD0F2),
- TOBN(0xFFBBD19C, 0x65195999), TOBN(0x87A8E61D, 0xB4B6663C),
-};
-static const BN_ULONG dh2048_256_g[] = {
- TOBN(0x664B4C0F, 0x6CC41659), TOBN(0x5E2327CF, 0xEF98C582),
- TOBN(0xD647D148, 0xD4795451), TOBN(0x2F630784, 0x90F00EF8),
- TOBN(0x184B523D, 0x1DB246C3), TOBN(0xC7891428, 0xCDC67EB6),
- TOBN(0x7FD02837, 0x0DF92B52), TOBN(0xB3353BBB, 0x64E0EC37),
- TOBN(0xECD06E15, 0x57CD0915), TOBN(0xB7D2BBD2, 0xDF016199),
- TOBN(0xC8484B1E, 0x052588B9), TOBN(0xDB2A3B73, 0x13D3FE14),
- TOBN(0xD052B985, 0xD182EA0A), TOBN(0xA4BD1BFF, 0xE83B9C80),
- TOBN(0xDFC967C1, 0xFB3F2E55), TOBN(0xB5045AF2, 0x767164E1),
- TOBN(0x1D14348F, 0x6F2F9193), TOBN(0x64E67982, 0x428EBC83),
- TOBN(0x8AC376D2, 0x82D6ED38), TOBN(0x777DE62A, 0xAAB8A862),
- TOBN(0xDDF463E5, 0xE9EC144B), TOBN(0x0196F931, 0xC77A57F2),
- TOBN(0xA55AE313, 0x41000A65), TOBN(0x901228F8, 0xC28CBB18),
- TOBN(0xBC3773BF, 0x7E8C6F62), TOBN(0xBE3A6C1B, 0x0C6B47B1),
- TOBN(0xFF4FED4A, 0xAC0BB555), TOBN(0x10DBC150, 0x77BE463F),
- TOBN(0x07F4793A, 0x1A0BA125), TOBN(0x4CA7B18F, 0x21EF2054),
- TOBN(0x2E775066, 0x60EDBD48), TOBN(0x3FB32C9B, 0x73134D0B),
-};
-static const BN_ULONG dh2048_256_q[] = {
- TOBN(0xA308B0FE, 0x64F5FBD3), TOBN(0x99B1A47D, 0x1EB3750B),
- TOBN(0xB4479976, 0x40129DA2), TOBN(0x8CF83642, 0xA709A097),
-};
-
-struct standard_parameters {
- BIGNUM p, q, g;
-};
-
-static const struct standard_parameters dh1024_160 = {
- STATIC_BIGNUM(dh1024_160_p),
- STATIC_BIGNUM(dh1024_160_q),
- STATIC_BIGNUM(dh1024_160_g),
-};
-
-static const struct standard_parameters dh2048_224 = {
- STATIC_BIGNUM(dh2048_224_p),
- STATIC_BIGNUM(dh2048_224_q),
- STATIC_BIGNUM(dh2048_224_g),
-};
-
-static const struct standard_parameters dh2048_256 = {
- STATIC_BIGNUM(dh2048_256_p),
- STATIC_BIGNUM(dh2048_256_q),
- STATIC_BIGNUM(dh2048_256_g),
-};
-
-static DH *get_standard_parameters(const struct standard_parameters *params,
- const ENGINE *engine) {
- DH *dh = DH_new();
- if (!dh) {
- return NULL;
- }
-
- dh->p = BN_dup(¶ms->p);
- dh->q = BN_dup(¶ms->q);
- dh->g = BN_dup(¶ms->g);
- if (!dh->p || !dh->q || !dh->g) {
- DH_free(dh);
- return NULL;
- }
-
- return dh;
-}
-
-DH *DH_get_1024_160(const ENGINE *engine) {
- return get_standard_parameters(&dh1024_160, engine);
-}
-
-DH *DH_get_2048_224(const ENGINE *engine) {
- return get_standard_parameters(&dh2048_224, engine);
-}
-
-DH *DH_get_2048_256(const ENGINE *engine) {
- return get_standard_parameters(&dh2048_256, engine);
-}
-
BIGNUM *BN_get_rfc3526_prime_1536(BIGNUM *ret) {
static const BN_ULONG kPrime1536Data[] = {
TOBN(0xffffffff, 0xffffffff), TOBN(0xf1746c08, 0xca237327),
diff --git a/src/crypto/digest_extra/digest_extra.c b/src/crypto/digest_extra/digest_extra.c
index b18759a..ab7ff59 100644
--- a/src/crypto/digest_extra/digest_extra.c
+++ b/src/crypto/digest_extra/digest_extra.c
@@ -82,11 +82,11 @@
{NID_sha384, EVP_sha384, SN_sha384, LN_sha384},
{NID_sha512, EVP_sha512, SN_sha512, LN_sha512},
{NID_md5_sha1, EVP_md5_sha1, SN_md5_sha1, LN_md5_sha1},
- /* As a remnant of signing |EVP_MD|s, OpenSSL returned the corresponding
- * hash function when given a signature OID. To avoid unintended lax parsing
- * of hash OIDs, this is no longer supported for lookup by OID or NID.
- * Node.js, however, exposes |EVP_get_digestbyname|'s full behavior to
- * consumers so we retain it there. */
+ // As a remnant of signing |EVP_MD|s, OpenSSL returned the corresponding
+ // hash function when given a signature OID. To avoid unintended lax parsing
+ // of hash OIDs, this is no longer supported for lookup by OID or NID.
+ // Node.js, however, exposes |EVP_get_digestbyname|'s full behavior to
+ // consumers so we retain it there.
{NID_undef, EVP_sha1, SN_dsaWithSHA, LN_dsaWithSHA},
{NID_undef, EVP_sha1, SN_dsaWithSHA1, LN_dsaWithSHA1},
{NID_undef, EVP_sha1, SN_ecdsa_with_SHA1, NULL},
@@ -104,7 +104,7 @@
const EVP_MD* EVP_get_digestbynid(int nid) {
if (nid == NID_undef) {
- /* Skip the |NID_undef| entries in |nid_to_digest_mapping|. */
+ // Skip the |NID_undef| entries in |nid_to_digest_mapping|.
return NULL;
}
@@ -122,19 +122,19 @@
uint8_t oid_len;
const EVP_MD *(*md_func) (void);
} kMDOIDs[] = {
- /* 1.2.840.113549.2.4 */
+ // 1.2.840.113549.2.4
{ {0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x02, 0x04}, 8, EVP_md4 },
- /* 1.2.840.113549.2.5 */
+ // 1.2.840.113549.2.5
{ {0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x02, 0x05}, 8, EVP_md5 },
- /* 1.3.14.3.2.26 */
+ // 1.3.14.3.2.26
{ {0x2b, 0x0e, 0x03, 0x02, 0x1a}, 5, EVP_sha1 },
- /* 2.16.840.1.101.3.4.2.1 */
+ // 2.16.840.1.101.3.4.2.1
{ {0x60, 0x86, 0x48, 0x01, 0x65, 0x03, 0x04, 0x02, 0x01}, 9, EVP_sha256 },
- /* 2.16.840.1.101.3.4.2.2 */
+ // 2.16.840.1.101.3.4.2.2
{ {0x60, 0x86, 0x48, 0x01, 0x65, 0x03, 0x04, 0x02, 0x02}, 9, EVP_sha384 },
- /* 2.16.840.1.101.3.4.2.3 */
+ // 2.16.840.1.101.3.4.2.3
{ {0x60, 0x86, 0x48, 0x01, 0x65, 0x03, 0x04, 0x02, 0x03}, 9, EVP_sha512 },
- /* 2.16.840.1.101.3.4.2.4 */
+ // 2.16.840.1.101.3.4.2.4
{ {0x60, 0x86, 0x48, 0x01, 0x65, 0x03, 0x04, 0x02, 0x04}, 9, EVP_sha224 },
};
@@ -151,7 +151,7 @@
}
const EVP_MD *EVP_get_digestbyobj(const ASN1_OBJECT *obj) {
- /* Handle objects with no corresponding OID. */
+ // Handle objects with no corresponding OID.
if (obj->nid != NID_undef) {
return EVP_get_digestbynid(obj->nid);
}
@@ -175,10 +175,10 @@
return NULL;
}
- /* The parameters, if present, must be NULL. Historically, whether the NULL
- * was included or omitted was not well-specified. When parsing an
- * AlgorithmIdentifier, we allow both. (Note this code is not used when
- * verifying RSASSA-PKCS1-v1_5 signatures.) */
+ // The parameters, if present, must be NULL. Historically, whether the NULL
+ // was included or omitted was not well-specified. When parsing an
+ // AlgorithmIdentifier, we allow both. (Note this code is not used when
+ // verifying RSASSA-PKCS1-v1_5 signatures.)
if (CBS_len(&algorithm) > 0) {
CBS param;
if (!CBS_get_asn1(&algorithm, ¶m, CBS_ASN1_NULL) ||
diff --git a/src/crypto/digest_extra/internal.h b/src/crypto/digest_extra/internal.h
index 264405f..1df200e 100644
--- a/src/crypto/digest_extra/internal.h
+++ b/src/crypto/digest_extra/internal.h
@@ -26,7 +26,7 @@
#if defined(__cplusplus)
-} /* extern C */
+} // extern C
#endif
-#endif /* OPENSSL_HEADER_DIGEST_EXTRA_INTERNAL */
+#endif // OPENSSL_HEADER_DIGEST_EXTRA_INTERNAL
diff --git a/src/crypto/dsa/dsa.c b/src/crypto/dsa/dsa.c
index d445f14..1dfc567 100644
--- a/src/crypto/dsa/dsa.c
+++ b/src/crypto/dsa/dsa.c
@@ -78,8 +78,8 @@
#define OPENSSL_DSA_MAX_MODULUS_BITS 10000
-/* Primality test according to FIPS PUB 186[-1], Appendix 2.1: 50 rounds of
- * Rabin-Miller */
+// Primality test according to FIPS PUB 186[-1], Appendix 2.1: 50 rounds of
+// Rabin-Miller
#define DSS_prime_checks 50
static CRYPTO_EX_DATA_CLASS g_ex_data_class = CRYPTO_EX_DATA_CLASS_INIT;
@@ -186,7 +186,7 @@
return 0;
}
if (seed_len > (size_t)qsize) {
- /* Only consume as much seed as is expected. */
+ // Only consume as much seed as is expected.
seed_len = qsize;
}
OPENSSL_memcpy(seed, seed_in, seed_len);
@@ -217,9 +217,9 @@
}
for (;;) {
- /* Find q. */
+ // Find q.
for (;;) {
- /* step 1 */
+ // step 1
if (!BN_GENCB_call(cb, 0, m++)) {
goto err;
}
@@ -230,12 +230,12 @@
goto err;
}
} else {
- /* If we come back through, use random seed next time. */
+ // If we come back through, use random seed next time.
seed_in = NULL;
}
OPENSSL_memcpy(buf, seed, qsize);
OPENSSL_memcpy(buf2, seed, qsize);
- /* precompute "SEED + 1" for step 7: */
+ // precompute "SEED + 1" for step 7:
for (i = qsize - 1; i < qsize; i--) {
buf[i]++;
if (buf[i] != 0) {
@@ -243,7 +243,7 @@
}
}
- /* step 2 */
+ // step 2
if (!EVP_Digest(seed, qsize, md, NULL, evpmd, NULL) ||
!EVP_Digest(buf, qsize, buf2, NULL, evpmd, NULL)) {
goto err;
@@ -252,14 +252,14 @@
md[i] ^= buf2[i];
}
- /* step 3 */
+ // step 3
md[0] |= 0x80;
md[qsize - 1] |= 0x01;
if (!BN_bin2bn(md, qsize, q)) {
goto err;
}
- /* step 4 */
+ // step 4
r = BN_is_prime_fasttest_ex(q, DSS_prime_checks, ctx, use_random_seed, cb);
if (r > 0) {
break;
@@ -268,17 +268,17 @@
goto err;
}
- /* do a callback call */
- /* step 5 */
+ // do a callback call
+ // step 5
}
if (!BN_GENCB_call(cb, 2, 0) || !BN_GENCB_call(cb, 3, 0)) {
goto err;
}
- /* step 6 */
+ // step 6
counter = 0;
- /* "offset = 2" */
+ // "offset = 2"
n = (bits - 1) / 160;
@@ -287,11 +287,11 @@
goto err;
}
- /* step 7 */
+ // step 7
BN_zero(W);
- /* now 'buf' contains "SEED + offset - 1" */
+ // now 'buf' contains "SEED + offset - 1"
for (k = 0; k <= n; k++) {
- /* obtain "SEED + offset + k" by incrementing: */
+ // obtain "SEED + offset + k" by incrementing:
for (i = qsize - 1; i < qsize; i--) {
buf[i]++;
if (buf[i] != 0) {
@@ -303,7 +303,7 @@
goto err;
}
- /* step 8 */
+ // step 8
if (!BN_bin2bn(md, qsize, r0) ||
!BN_lshift(r0, r0, (qsize << 3) * k) ||
!BN_add(W, W, r0)) {
@@ -311,14 +311,14 @@
}
}
- /* more of step 8 */
+ // more of step 8
if (!BN_mask_bits(W, bits - 1) ||
!BN_copy(X, W) ||
!BN_add(X, X, test)) {
goto err;
}
- /* step 9 */
+ // step 9
if (!BN_lshift1(r0, q) ||
!BN_mod(c, X, r0, ctx) ||
!BN_sub(r0, c, BN_value_one()) ||
@@ -326,23 +326,23 @@
goto err;
}
- /* step 10 */
+ // step 10
if (BN_cmp(p, test) >= 0) {
- /* step 11 */
+ // step 11
r = BN_is_prime_fasttest_ex(p, DSS_prime_checks, ctx, 1, cb);
if (r > 0) {
- goto end; /* found it */
+ goto end; // found it
}
if (r != 0) {
goto err;
}
}
- /* step 13 */
+ // step 13
counter++;
- /* "offset = offset + n + 1" */
+ // "offset = offset + n + 1"
- /* step 14 */
+ // step 14
if (counter >= 4096) {
break;
}
@@ -353,8 +353,8 @@
goto err;
}
- /* We now need to generate g */
- /* Set r0=(p-1)/q */
+ // We now need to generate g
+ // Set r0=(p-1)/q
if (!BN_sub(test, p, BN_value_one()) ||
!BN_div(r0, NULL, test, q, ctx)) {
goto err;
@@ -366,7 +366,7 @@
}
for (;;) {
- /* g=test^r0%p */
+ // g=test^r0%p
if (!BN_mod_exp_mont(g, test, r0, p, ctx, mont)) {
goto err;
}
@@ -544,9 +544,9 @@
}
if (digest_len > BN_num_bytes(dsa->q)) {
- /* if the digest length is greater than the size of q use the
- * BN_num_bits(dsa->q) leftmost bits of the digest, see
- * fips 186-3, 4.2 */
+ // if the digest length is greater than the size of q use the
+ // BN_num_bits(dsa->q) leftmost bits of the digest, see
+ // fips 186-3, 4.2
digest_len = BN_num_bytes(dsa->q);
}
@@ -554,12 +554,12 @@
goto err;
}
- /* Compute s = inv(k) (m + xr) mod q */
+ // Compute s = inv(k) (m + xr) mod q
if (!BN_mod_mul(&xr, dsa->priv_key, r, dsa->q, ctx)) {
- goto err; /* s = xr */
+ goto err; // s = xr
}
if (!BN_add(s, &xr, &m)) {
- goto err; /* s = m + xr */
+ goto err; // s = m + xr
}
if (BN_cmp(s, dsa->q) > 0) {
if (!BN_sub(s, s, dsa->q)) {
@@ -570,8 +570,8 @@
goto err;
}
- /* Redo if r or s is zero as required by FIPS 186-3: this is
- * very unlikely. */
+ // Redo if r or s is zero as required by FIPS 186-3: this is
+ // very unlikely.
if (BN_is_zero(r) || BN_is_zero(s)) {
if (noredo) {
reason = DSA_R_NEED_NEW_SETUP_VALUES;
@@ -624,7 +624,7 @@
}
i = BN_num_bits(dsa->q);
- /* fips 186-3 allows only different sizes for q */
+ // fips 186-3 allows only different sizes for q
if (i != 160 && i != 224 && i != 256) {
OPENSSL_PUT_ERROR(DSA, DSA_R_BAD_Q_VALUE);
return 0;
@@ -655,17 +655,17 @@
goto err;
}
- /* Calculate W = inv(S) mod Q
- * save W in u2 */
+ // Calculate W = inv(S) mod Q
+ // save W in u2
if (BN_mod_inverse(&u2, sig->s, dsa->q, ctx) == NULL) {
goto err;
}
- /* save M in u1 */
+ // save M in u1
if (digest_len > (i >> 3)) {
- /* if the digest length is greater than the size of q use the
- * BN_num_bits(dsa->q) leftmost bits of the digest, see
- * fips 186-3, 4.2 */
+ // if the digest length is greater than the size of q use the
+ // BN_num_bits(dsa->q) leftmost bits of the digest, see
+ // fips 186-3, 4.2
digest_len = (i >> 3);
}
@@ -673,12 +673,12 @@
goto err;
}
- /* u1 = M * w mod q */
+ // u1 = M * w mod q
if (!BN_mod_mul(&u1, &u1, &u2, dsa->q, ctx)) {
goto err;
}
- /* u2 = r * w mod q */
+ // u2 = r * w mod q
if (!BN_mod_mul(&u2, sig->r, &u2, dsa->q, ctx)) {
goto err;
}
@@ -694,14 +694,14 @@
goto err;
}
- /* BN_copy(&u1,&t1); */
- /* let u1 = u1 mod q */
+ // BN_copy(&u1,&t1);
+ // let u1 = u1 mod q
if (!BN_mod(&u1, &t1, dsa->q, ctx)) {
goto err;
}
- /* V is now in u1. If the signature is correct, it will be
- * equal to R. */
+ // V is now in u1. If the signature is correct, it will be
+ // equal to R.
*out_valid = BN_ucmp(&u1, sig->r) == 0;
ret = 1;
@@ -758,7 +758,7 @@
goto err;
}
- /* Ensure that the signature uses DER and doesn't have trailing garbage. */
+ // Ensure that the signature uses DER and doesn't have trailing garbage.
int der_len = i2d_DSA_SIG(s, &der);
if (der_len < 0 || (size_t)der_len != sig_len ||
OPENSSL_memcmp(sig, der, sig_len)) {
@@ -773,8 +773,8 @@
return ret;
}
-/* der_len_len returns the number of bytes needed to represent a length of |len|
- * in DER. */
+// der_len_len returns the number of bytes needed to represent a length of |len|
+// in DER.
static size_t der_len_len(size_t len) {
if (len < 0x80) {
return 1;
@@ -789,18 +789,18 @@
int DSA_size(const DSA *dsa) {
size_t order_len = BN_num_bytes(dsa->q);
- /* Compute the maximum length of an |order_len| byte integer. Defensively
- * assume that the leading 0x00 is included. */
+ // Compute the maximum length of an |order_len| byte integer. Defensively
+ // assume that the leading 0x00 is included.
size_t integer_len = 1 /* tag */ + der_len_len(order_len + 1) + 1 + order_len;
if (integer_len < order_len) {
return 0;
}
- /* A DSA signature is two INTEGERs. */
+ // A DSA signature is two INTEGERs.
size_t value_len = 2 * integer_len;
if (value_len < integer_len) {
return 0;
}
- /* Add the header. */
+ // Add the header.
size_t ret = 1 /* tag */ + der_len_len(value_len) + value_len;
if (ret < value_len) {
return 0;
@@ -835,7 +835,7 @@
goto err;
}
- /* Get random k */
+ // Get random k
if (!BN_rand_range_ex(&k, 1, dsa->q)) {
goto err;
}
@@ -849,16 +849,16 @@
goto err;
}
- /* Compute r = (g^k mod p) mod q */
+ // Compute r = (g^k mod p) mod q
if (!BN_copy(&kq, &k)) {
goto err;
}
- /* We do not want timing information to leak the length of k,
- * so we compute g^k using an equivalent exponent of fixed length.
- *
- * (This is a kludge that we need because the BN_mod_exp_mont()
- * does not let us specify the desired timing behaviour.) */
+ // We do not want timing information to leak the length of k,
+ // so we compute g^k using an equivalent exponent of fixed length.
+ //
+ // (This is a kludge that we need because the BN_mod_exp_mont()
+ // does not let us specify the desired timing behaviour.)
if (!BN_add(&kq, &kq, dsa->q)) {
goto err;
@@ -875,8 +875,8 @@
goto err;
}
- /* Compute part of 's = inv(k) (m + xr) mod q' using Fermat's Little
- * Theorem. */
+ // Compute part of 's = inv(k) (m + xr) mod q' using Fermat's Little
+ // Theorem.
kinv = BN_new();
if (kinv == NULL ||
!bn_mod_inverse_prime(kinv, &k, dsa->q, ctx, dsa->method_mont_q)) {
diff --git a/src/crypto/dsa/dsa_asn1.c b/src/crypto/dsa/dsa_asn1.c
index ff5ee00..97fd07f 100644
--- a/src/crypto/dsa/dsa_asn1.c
+++ b/src/crypto/dsa/dsa_asn1.c
@@ -75,7 +75,7 @@
static int marshal_integer(CBB *cbb, BIGNUM *bn) {
if (bn == NULL) {
- /* A DSA object may be missing some components. */
+ // A DSA object may be missing some components.
OPENSSL_PUT_ERROR(DSA, ERR_R_PASSED_NULL_PARAMETER);
return 0;
}
diff --git a/src/crypto/dsa/dsa_test.cc b/src/crypto/dsa/dsa_test.cc
index 63b7803..295a7fd 100644
--- a/src/crypto/dsa/dsa_test.cc
+++ b/src/crypto/dsa/dsa_test.cc
@@ -71,8 +71,8 @@
#include "../internal.h"
-/* The following values are taken from the updated Appendix 5 to FIPS PUB 186
- * and also appear in Appendix 5 to FIPS PUB 186-1. */
+// The following values are taken from the updated Appendix 5 to FIPS PUB 186
+// and also appear in Appendix 5 to FIPS PUB 186-1.
static const uint8_t seed[20] = {
0xd5, 0x01, 0x4e, 0x4b, 0x60, 0xef, 0x2b, 0xa8, 0xb6, 0x21, 0x1b,
@@ -121,7 +121,7 @@
0x71, 0x78, 0x50, 0xc2, 0x6c, 0x9c, 0xd0, 0xd8, 0x9d,
};
-/* fips_sig is a DER-encoded version of the r and s values in FIPS PUB 186-1. */
+// fips_sig is a DER-encoded version of the r and s values in FIPS PUB 186-1.
static const uint8_t fips_sig[] = {
0x30, 0x2d, 0x02, 0x15, 0x00, 0x8b, 0xac, 0x1a, 0xb6, 0x64, 0x10,
0x43, 0x5c, 0xb7, 0x18, 0x1f, 0x95, 0xb1, 0x6a, 0xb9, 0x7c, 0x92,
@@ -130,7 +130,7 @@
0xdc, 0xd8, 0xc8,
};
-/* fips_sig_negative is fips_sig with r encoded as a negative number. */
+// fips_sig_negative is fips_sig with r encoded as a negative number.
static const uint8_t fips_sig_negative[] = {
0x30, 0x2c, 0x02, 0x14, 0x8b, 0xac, 0x1a, 0xb6, 0x64, 0x10, 0x43,
0x5c, 0xb7, 0x18, 0x1f, 0x95, 0xb1, 0x6a, 0xb9, 0x7c, 0x92, 0xb3,
@@ -139,7 +139,7 @@
0xd8, 0xc8,
};
-/* fip_sig_extra is fips_sig with trailing data. */
+// fip_sig_extra is fips_sig with trailing data.
static const uint8_t fips_sig_extra[] = {
0x30, 0x2d, 0x02, 0x15, 0x00, 0x8b, 0xac, 0x1a, 0xb6, 0x64, 0x10,
0x43, 0x5c, 0xb7, 0x18, 0x1f, 0x95, 0xb1, 0x6a, 0xb9, 0x7c, 0x92,
@@ -148,7 +148,7 @@
0xdc, 0xd8, 0xc8, 0x00,
};
-/* fips_sig_lengths is fips_sig with a non-minimally encoded length. */
+// fips_sig_lengths is fips_sig with a non-minimally encoded length.
static const uint8_t fips_sig_bad_length[] = {
0x30, 0x81, 0x2d, 0x02, 0x15, 0x00, 0x8b, 0xac, 0x1a, 0xb6, 0x64,
0x10, 0x43, 0x5c, 0xb7, 0x18, 0x1f, 0x95, 0xb1, 0x6a, 0xb9, 0x7c,
@@ -157,7 +157,7 @@
0xb6, 0xdc, 0xd8, 0xc8, 0x00,
};
-/* fips_sig_bad_r is fips_sig with a bad r value. */
+// fips_sig_bad_r is fips_sig with a bad r value.
static const uint8_t fips_sig_bad_r[] = {
0x30, 0x2d, 0x02, 0x15, 0x00, 0x8c, 0xac, 0x1a, 0xb6, 0x64, 0x10,
0x43, 0x5c, 0xb7, 0x18, 0x1f, 0x95, 0xb1, 0x6a, 0xb9, 0x7c, 0x92,
@@ -299,7 +299,7 @@
return false;
}
- /* Clear any errors from a test with expected failure. */
+ // Clear any errors from a test with expected failure.
ERR_clear_error();
return true;
}
diff --git a/src/crypto/ec_extra/ec_asn1.c b/src/crypto/ec_extra/ec_asn1.c
index 0772506..dc710a8 100644
--- a/src/crypto/ec_extra/ec_asn1.c
+++ b/src/crypto/ec_extra/ec_asn1.c
@@ -83,14 +83,14 @@
return NULL;
}
- /* Parse the optional parameters field. */
+ // Parse the optional parameters field.
EC_GROUP *inner_group = NULL;
EC_KEY *ret = NULL;
if (CBS_peek_asn1_tag(&ec_private_key, kParametersTag)) {
- /* Per SEC 1, as an alternative to omitting it, one is allowed to specify
- * this field and put in a NULL to mean inheriting this value. This was
- * omitted in a previous version of this logic without problems, so leave it
- * unimplemented. */
+ // Per SEC 1, as an alternative to omitting it, one is allowed to specify
+ // this field and put in a NULL to mean inheriting this value. This was
+ // omitted in a previous version of this logic without problems, so leave it
+ // unimplemented.
CBS child;
if (!CBS_get_asn1(&ec_private_key, &child, kParametersTag)) {
OPENSSL_PUT_ERROR(EC, EC_R_DECODE_ERROR);
@@ -103,7 +103,7 @@
if (group == NULL) {
group = inner_group;
} else if (EC_GROUP_cmp(group, inner_group, NULL) != 0) {
- /* If a group was supplied externally, it must match. */
+ // If a group was supplied externally, it must match.
OPENSSL_PUT_ERROR(EC, EC_R_GROUP_MISMATCH);
goto err;
}
@@ -123,9 +123,9 @@
goto err;
}
- /* Although RFC 5915 specifies the length of the key, OpenSSL historically
- * got this wrong, so accept any length. See upstream's
- * 30cd4ff294252c4b6a4b69cbef6a5b4117705d22. */
+ // Although RFC 5915 specifies the length of the key, OpenSSL historically
+ // got this wrong, so accept any length. See upstream's
+ // 30cd4ff294252c4b6a4b69cbef6a5b4117705d22.
ret->priv_key =
BN_bin2bn(CBS_data(&private_key), CBS_len(&private_key), NULL);
ret->pub_key = EC_POINT_new(group);
@@ -143,12 +143,12 @@
uint8_t padding;
if (!CBS_get_asn1(&ec_private_key, &child, kPublicKeyTag) ||
!CBS_get_asn1(&child, &public_key, CBS_ASN1_BITSTRING) ||
- /* As in a SubjectPublicKeyInfo, the byte-encoded public key is then
- * encoded as a BIT STRING with bits ordered as in the DER encoding. */
+ // As in a SubjectPublicKeyInfo, the byte-encoded public key is then
+ // encoded as a BIT STRING with bits ordered as in the DER encoding.
!CBS_get_u8(&public_key, &padding) ||
padding != 0 ||
- /* Explicitly check |public_key| is non-empty to save the conversion
- * form later. */
+ // Explicitly check |public_key| is non-empty to save the conversion
+ // form later.
CBS_len(&public_key) == 0 ||
!EC_POINT_oct2point(group, ret->pub_key, CBS_data(&public_key),
CBS_len(&public_key), NULL) ||
@@ -157,17 +157,17 @@
goto err;
}
- /* Save the point conversion form.
- * TODO(davidben): Consider removing this. */
+ // Save the point conversion form.
+ // TODO(davidben): Consider removing this.
ret->conv_form =
(point_conversion_form_t)(CBS_data(&public_key)[0] & ~0x01);
} else {
- /* Compute the public key instead. */
+ // Compute the public key instead.
if (!EC_POINT_mul(group, ret->pub_key, ret->priv_key, NULL, NULL, NULL)) {
goto err;
}
- /* Remember the original private-key-only encoding.
- * TODO(davidben): Consider removing this. */
+ // Remember the original private-key-only encoding.
+ // TODO(davidben): Consider removing this.
ret->enc_flag |= EC_PKEY_NO_PUBKEY;
}
@@ -176,7 +176,7 @@
goto err;
}
- /* Ensure the resulting key is valid. */
+ // Ensure the resulting key is valid.
if (!EC_KEY_check_key(ret)) {
goto err;
}
@@ -218,13 +218,13 @@
}
}
- /* TODO(fork): replace this flexibility with sensible default? */
+ // TODO(fork): replace this flexibility with sensible default?
if (!(enc_flags & EC_PKEY_NO_PUBKEY) && key->pub_key != NULL) {
CBB child, public_key;
if (!CBB_add_asn1(&ec_private_key, &child, kPublicKeyTag) ||
!CBB_add_asn1(&child, &public_key, CBS_ASN1_BITSTRING) ||
- /* As in a SubjectPublicKeyInfo, the byte-encoded public key is then
- * encoded as a BIT STRING with bits ordered as in the DER encoding. */
+ // As in a SubjectPublicKeyInfo, the byte-encoded public key is then
+ // encoded as a BIT STRING with bits ordered as in the DER encoding.
!CBB_add_u8(&public_key, 0 /* padding */) ||
!EC_POINT_point2cbb(&public_key, key->group, key->pub_key,
key->conv_form, NULL) ||
@@ -242,8 +242,8 @@
return 1;
}
-/* is_unsigned_integer returns one if |cbs| is a valid unsigned DER INTEGER and
- * zero otherwise. */
+// is_unsigned_integer returns one if |cbs| is a valid unsigned DER INTEGER and
+// zero otherwise.
static int is_unsigned_integer(const CBS *cbs) {
if (CBS_len(cbs) == 0) {
return 0;
@@ -251,20 +251,20 @@
uint8_t byte = CBS_data(cbs)[0];
if ((byte & 0x80) ||
(byte == 0 && CBS_len(cbs) > 1 && (CBS_data(cbs)[1] & 0x80) == 0)) {
- /* Negative or not minimally-encoded. */
+ // Negative or not minimally-encoded.
return 0;
}
return 1;
}
-/* kPrimeFieldOID is the encoding of 1.2.840.10045.1.1. */
+// kPrimeFieldOID is the encoding of 1.2.840.10045.1.1.
static const uint8_t kPrimeField[] = {0x2a, 0x86, 0x48, 0xce, 0x3d, 0x01, 0x01};
static int parse_explicit_prime_curve(CBS *in, CBS *out_prime, CBS *out_a,
CBS *out_b, CBS *out_base_x,
CBS *out_base_y, CBS *out_order) {
- /* See RFC 3279, section 2.3.5. Note that RFC 3279 calls this structure an
- * ECParameters while RFC 5480 calls it a SpecifiedECDomain. */
+ // See RFC 3279, section 2.3.5. Note that RFC 3279 calls this structure an
+ // ECParameters while RFC 5480 calls it a SpecifiedECDomain.
CBS params, field_id, field_type, curve, base;
uint64_t version;
if (!CBS_get_asn1(in, ¶ms, CBS_ASN1_SEQUENCE) ||
@@ -280,7 +280,7 @@
!CBS_get_asn1(¶ms, &curve, CBS_ASN1_SEQUENCE) ||
!CBS_get_asn1(&curve, out_a, CBS_ASN1_OCTETSTRING) ||
!CBS_get_asn1(&curve, out_b, CBS_ASN1_OCTETSTRING) ||
- /* |curve| has an optional BIT STRING seed which we ignore. */
+ // |curve| has an optional BIT STRING seed which we ignore.
!CBS_get_asn1(¶ms, &base, CBS_ASN1_OCTETSTRING) ||
!CBS_get_asn1(¶ms, out_order, CBS_ASN1_INTEGER) ||
!is_unsigned_integer(out_order)) {
@@ -288,11 +288,11 @@
return 0;
}
- /* |params| has an optional cofactor which we ignore. With the optional seed
- * in |curve|, a group already has arbitrarily many encodings. Parse enough to
- * uniquely determine the curve. */
+ // |params| has an optional cofactor which we ignore. With the optional seed
+ // in |curve|, a group already has arbitrarily many encodings. Parse enough to
+ // uniquely determine the curve.
- /* Require that the base point use uncompressed form. */
+ // Require that the base point use uncompressed form.
uint8_t form;
if (!CBS_get_u8(&base, &form) || form != POINT_CONVERSION_UNCOMPRESSED) {
OPENSSL_PUT_ERROR(EC, EC_R_INVALID_FORM);
@@ -310,10 +310,10 @@
return 1;
}
-/* integers_equal returns one if |a| and |b| are equal, up to leading zeros, and
- * zero otherwise. */
+// integers_equal returns one if |a| and |b| are equal, up to leading zeros, and
+// zero otherwise.
static int integers_equal(const CBS *a, const uint8_t *b, size_t b_len) {
- /* Remove leading zeros from |a| and |b|. */
+ // Remove leading zeros from |a| and |b|.
CBS a_copy = *a;
while (CBS_len(&a_copy) > 0 && CBS_data(&a_copy)[0] == 0) {
CBS_skip(&a_copy, 1);
@@ -332,7 +332,7 @@
return NULL;
}
- /* Look for a matching curve. */
+ // Look for a matching curve.
const struct built_in_curves *const curves = OPENSSL_built_in_curves();
for (size_t i = 0; i < OPENSSL_NUM_BUILT_IN_CURVES; i++) {
const struct built_in_curve *curve = &curves->curves[i];
@@ -374,26 +374,26 @@
return EC_KEY_parse_curve_name(cbs);
}
- /* OpenSSL sometimes produces ECPrivateKeys with explicitly-encoded versions
- * of named curves.
- *
- * TODO(davidben): Remove support for this. */
+ // OpenSSL sometimes produces ECPrivateKeys with explicitly-encoded versions
+ // of named curves.
+ //
+ // TODO(davidben): Remove support for this.
CBS prime, a, b, base_x, base_y, order;
if (!parse_explicit_prime_curve(cbs, &prime, &a, &b, &base_x, &base_y,
&order)) {
return NULL;
}
- /* Look for a matching prime curve. */
+ // Look for a matching prime curve.
const struct built_in_curves *const curves = OPENSSL_built_in_curves();
for (size_t i = 0; i < OPENSSL_NUM_BUILT_IN_CURVES; i++) {
const struct built_in_curve *curve = &curves->curves[i];
const unsigned param_len = curve->param_len;
- /* |curve->params| is ordered p, a, b, x, y, order, each component
- * zero-padded up to the field length. Although SEC 1 states that the
- * Field-Element-to-Octet-String conversion also pads, OpenSSL mis-encodes
- * |a| and |b|, so this comparison must allow omitting leading zeros. (This
- * is relevant for P-521 whose |b| has a leading 0.) */
+ // |curve->params| is ordered p, a, b, x, y, order, each component
+ // zero-padded up to the field length. Although SEC 1 states that the
+ // Field-Element-to-Octet-String conversion also pads, OpenSSL mis-encodes
+ // |a| and |b|, so this comparison must allow omitting leading zeros. (This
+ // is relevant for P-521 whose |b| has a leading 0.)
if (integers_equal(&prime, curve->params, param_len) &&
integers_equal(&a, curve->params + param_len, param_len) &&
integers_equal(&b, curve->params + param_len * 2, param_len) &&
@@ -420,8 +420,8 @@
}
EC_KEY *d2i_ECPrivateKey(EC_KEY **out, const uint8_t **inp, long len) {
- /* This function treats its |out| parameter differently from other |d2i|
- * functions. If supplied, take the group from |*out|. */
+ // This function treats its |out| parameter differently from other |d2i|
+ // functions. If supplied, take the group from |*out|.
const EC_GROUP *group = NULL;
if (out != NULL && *out != NULL) {
group = EC_KEY_get0_group(*out);
@@ -515,7 +515,7 @@
OPENSSL_PUT_ERROR(EC, ERR_R_EC_LIB);
return NULL;
}
- /* save the point conversion form */
+ // save the point conversion form
ret->conv_form = (point_conversion_form_t)(*inp[0] & ~0x01);
*inp += len;
return ret;
@@ -534,7 +534,7 @@
0, NULL);
if (outp == NULL || buf_len == 0) {
- /* out == NULL => just return the length of the octet string */
+ // out == NULL => just return the length of the octet string
return buf_len;
}
diff --git a/src/crypto/ecdh/ecdh.c b/src/crypto/ecdh/ecdh.c
index 22b216e..f38de2f 100644
--- a/src/crypto/ecdh/ecdh.c
+++ b/src/crypto/ecdh/ecdh.c
@@ -138,7 +138,7 @@
goto err;
}
} else {
- /* no KDF, just copy as much as we can */
+ // no KDF, just copy as much as we can
if (buflen < outlen) {
outlen = buflen;
}
diff --git a/src/crypto/ecdsa_extra/ecdsa_asn1.c b/src/crypto/ecdsa_extra/ecdsa_asn1.c
index 5d827dc..8d0bc41 100644
--- a/src/crypto/ecdsa_extra/ecdsa_asn1.c
+++ b/src/crypto/ecdsa_extra/ecdsa_asn1.c
@@ -120,17 +120,17 @@
int ret = 0;
uint8_t *der = NULL;
- /* Decode the ECDSA signature. */
+ // Decode the ECDSA signature.
s = ECDSA_SIG_from_bytes(sig, sig_len);
if (s == NULL) {
goto err;
}
- /* Defend against potential laxness in the DER parser. */
+ // Defend against potential laxness in the DER parser.
size_t der_len;
if (!ECDSA_SIG_to_bytes(&der, &der_len, s) ||
der_len != sig_len || OPENSSL_memcmp(sig, der, sig_len) != 0) {
- /* This should never happen. crypto/bytestring is strictly DER. */
+ // This should never happen. crypto/bytestring is strictly DER.
OPENSSL_PUT_ERROR(ECDSA, ERR_R_INTERNAL_ERROR);
goto err;
}
@@ -219,8 +219,8 @@
return 1;
}
-/* der_len_len returns the number of bytes needed to represent a length of |len|
- * in DER. */
+// der_len_len returns the number of bytes needed to represent a length of |len|
+// in DER.
static size_t der_len_len(size_t len) {
if (len < 0x80) {
return 1;
@@ -234,18 +234,18 @@
}
size_t ECDSA_SIG_max_len(size_t order_len) {
- /* Compute the maximum length of an |order_len| byte integer. Defensively
- * assume that the leading 0x00 is included. */
+ // Compute the maximum length of an |order_len| byte integer. Defensively
+ // assume that the leading 0x00 is included.
size_t integer_len = 1 /* tag */ + der_len_len(order_len + 1) + 1 + order_len;
if (integer_len < order_len) {
return 0;
}
- /* An ECDSA signature is two INTEGERs. */
+ // An ECDSA signature is two INTEGERs.
size_t value_len = 2 * integer_len;
if (value_len < integer_len) {
return 0;
}
- /* Add the header. */
+ // Add the header.
size_t ret = 1 /* tag */ + der_len_len(value_len) + value_len;
if (ret < value_len) {
return 0;
diff --git a/src/crypto/engine/engine.c b/src/crypto/engine/engine.c
index 141ed23..875f148 100644
--- a/src/crypto/engine/engine.c
+++ b/src/crypto/engine/engine.c
@@ -42,15 +42,15 @@
}
void ENGINE_free(ENGINE *engine) {
- /* Methods are currently required to be static so are not unref'ed. */
+ // Methods are currently required to be static so are not unref'ed.
OPENSSL_free(engine);
}
-/* set_method takes a pointer to a method and its given size and sets
- * |*out_member| to point to it. This function might want to be extended in the
- * future to support making a copy of the method so that a stable ABI for
- * ENGINEs can be supported. But, for the moment, all *_METHODS must be
- * static. */
+// set_method takes a pointer to a method and its given size and sets
+// |*out_member| to point to it. This function might want to be extended in the
+// future to support making a copy of the method so that a stable ABI for
+// ENGINEs can be supported. But, for the moment, all *_METHODS must be
+// static.
static int set_method(void **out_member, const void *method, size_t method_size,
size_t compiled_size) {
const struct openssl_method_common_st *common = method;
diff --git a/src/crypto/err/err.c b/src/crypto/err/err.c
index cbb1260..2c567ce 100644
--- a/src/crypto/err/err.c
+++ b/src/crypto/err/err.c
@@ -129,7 +129,7 @@
extern const size_t kOpenSSLReasonValuesLen;
extern const char kOpenSSLReasonStringData[];
-/* err_clear_data frees the optional |data| member of the given error. */
+// err_clear_data frees the optional |data| member of the given error.
static void err_clear_data(struct err_error_st *error) {
if ((error->flags & ERR_FLAG_MALLOCED) != 0) {
OPENSSL_free(error->data);
@@ -138,17 +138,17 @@
error->flags &= ~ERR_FLAG_MALLOCED;
}
-/* err_clear clears the given queued error. */
+// err_clear clears the given queued error.
static void err_clear(struct err_error_st *error) {
err_clear_data(error);
OPENSSL_memset(error, 0, sizeof(struct err_error_st));
}
-/* global_next_library contains the next custom library value to return. */
+// global_next_library contains the next custom library value to return.
static int global_next_library = ERR_NUM_LIBS;
-/* global_next_library_mutex protects |global_next_library| from concurrent
- * updates. */
+// global_next_library_mutex protects |global_next_library| from concurrent
+// updates.
static struct CRYPTO_STATIC_MUTEX global_next_library_mutex =
CRYPTO_STATIC_MUTEX_INIT;
@@ -167,7 +167,7 @@
OPENSSL_free(state);
}
-/* err_get_state gets the ERR_STATE object for the current thread. */
+// err_get_state gets the ERR_STATE object for the current thread.
static ERR_STATE *err_get_state(void) {
ERR_STATE *state = CRYPTO_get_thread_local(OPENSSL_THREAD_LOCAL_ERR);
if (state == NULL) {
@@ -199,7 +199,7 @@
if (top) {
assert(!inc);
- /* last error */
+ // last error
i = state->top;
} else {
i = (state->bottom + 1) % ERR_NUM_ERRORS;
@@ -229,11 +229,11 @@
if (flags != NULL) {
*flags = error->flags & ERR_FLAG_PUBLIC_MASK;
}
- /* If this error is being removed, take ownership of data from
- * the error. The semantics are such that the caller doesn't
- * take ownership either. Instead the error system takes
- * ownership and retains it until the next call that affects the
- * error queue. */
+ // If this error is being removed, take ownership of data from
+ // the error. The semantics are such that the caller doesn't
+ // take ownership either. Instead the error system takes
+ // ownership and retains it until the next call that affects the
+ // error queue.
if (inc) {
if (error->flags & ERR_FLAG_MALLOCED) {
OPENSSL_free(state->to_free);
@@ -342,13 +342,13 @@
static char buf[ERR_ERROR_STRING_BUF_LEN];
if (ret == NULL) {
- /* TODO(fork): remove this. */
+ // TODO(fork): remove this.
ret = buf;
}
#if !defined(NDEBUG)
- /* This is aimed to help catch callers who don't provide
- * |ERR_ERROR_STRING_BUF_LEN| bytes of space. */
+ // This is aimed to help catch callers who don't provide
+ // |ERR_ERROR_STRING_BUF_LEN| bytes of space.
OPENSSL_memset(ret, 0, ERR_ERROR_STRING_BUF_LEN);
#endif
@@ -386,15 +386,15 @@
packed_error, lib_str, reason_str);
if (strlen(buf) == len - 1) {
- /* output may be truncated; make sure we always have 5 colon-separated
- * fields, i.e. 4 colons. */
+ // output may be truncated; make sure we always have 5 colon-separated
+ // fields, i.e. 4 colons.
static const unsigned num_colons = 4;
unsigned i;
char *s = buf;
if (len <= num_colons) {
- /* In this situation it's not possible to ensure that the correct number
- * of colons are included in the output. */
+ // In this situation it's not possible to ensure that the correct number
+ // of colons are included in the output.
return;
}
@@ -403,10 +403,10 @@
char *last_pos = &buf[len - 1] - num_colons + i;
if (colon == NULL || colon > last_pos) {
- /* set colon |i| at last possible position (buf[len-1] is the
- * terminating 0). If we're setting this colon, then all whole of the
- * rest of the string must be colons in order to have the correct
- * number. */
+ // set colon |i| at last possible position (buf[len-1] is the
+ // terminating 0). If we're setting this colon, then all whole of the
+ // rest of the string must be colons in order to have the correct
+ // number.
OPENSSL_memset(last_pos, ':', num_colons - i);
break;
}
@@ -431,25 +431,25 @@
}
}
-/* err_string_lookup looks up the string associated with |lib| and |key| in
- * |values| and |string_data|. It returns the string or NULL if not found. */
+// err_string_lookup looks up the string associated with |lib| and |key| in
+// |values| and |string_data|. It returns the string or NULL if not found.
static const char *err_string_lookup(uint32_t lib, uint32_t key,
const uint32_t *values,
size_t num_values,
const char *string_data) {
- /* |values| points to data in err_data.h, which is generated by
- * err_data_generate.go. It's an array of uint32_t values. Each value has the
- * following structure:
- * | lib | key | offset |
- * |6 bits| 11 bits | 15 bits |
- *
- * The |lib| value is a library identifier: one of the |ERR_LIB_*| values.
- * The |key| is a reason code, depending on the context.
- * The |offset| is the number of bytes from the start of |string_data| where
- * the (NUL terminated) string for this value can be found.
- *
- * Values are sorted based on treating the |lib| and |key| part as an
- * unsigned integer. */
+ // |values| points to data in err_data.h, which is generated by
+ // err_data_generate.go. It's an array of uint32_t values. Each value has the
+ // following structure:
+ // | lib | key | offset |
+ // |6 bits| 11 bits | 15 bits |
+ //
+ // The |lib| value is a library identifier: one of the |ERR_LIB_*| values.
+ // The |key| is a reason code, depending on the context.
+ // The |offset| is the number of bytes from the start of |string_data| where
+ // the (NUL terminated) string for this value can be found.
+ //
+ // Values are sorted based on treating the |lib| and |key| part as an
+ // unsigned integer.
if (lib >= (1 << 6) || key >= (1 << 11)) {
return NULL;
}
@@ -465,38 +465,38 @@
static const char *const kLibraryNames[ERR_NUM_LIBS] = {
"invalid library (0)",
- "unknown library", /* ERR_LIB_NONE */
- "system library", /* ERR_LIB_SYS */
- "bignum routines", /* ERR_LIB_BN */
- "RSA routines", /* ERR_LIB_RSA */
- "Diffie-Hellman routines", /* ERR_LIB_DH */
- "public key routines", /* ERR_LIB_EVP */
- "memory buffer routines", /* ERR_LIB_BUF */
- "object identifier routines", /* ERR_LIB_OBJ */
- "PEM routines", /* ERR_LIB_PEM */
- "DSA routines", /* ERR_LIB_DSA */
- "X.509 certificate routines", /* ERR_LIB_X509 */
- "ASN.1 encoding routines", /* ERR_LIB_ASN1 */
- "configuration file routines", /* ERR_LIB_CONF */
- "common libcrypto routines", /* ERR_LIB_CRYPTO */
- "elliptic curve routines", /* ERR_LIB_EC */
- "SSL routines", /* ERR_LIB_SSL */
- "BIO routines", /* ERR_LIB_BIO */
- "PKCS7 routines", /* ERR_LIB_PKCS7 */
- "PKCS8 routines", /* ERR_LIB_PKCS8 */
- "X509 V3 routines", /* ERR_LIB_X509V3 */
- "random number generator", /* ERR_LIB_RAND */
- "ENGINE routines", /* ERR_LIB_ENGINE */
- "OCSP routines", /* ERR_LIB_OCSP */
- "UI routines", /* ERR_LIB_UI */
- "COMP routines", /* ERR_LIB_COMP */
- "ECDSA routines", /* ERR_LIB_ECDSA */
- "ECDH routines", /* ERR_LIB_ECDH */
- "HMAC routines", /* ERR_LIB_HMAC */
- "Digest functions", /* ERR_LIB_DIGEST */
- "Cipher functions", /* ERR_LIB_CIPHER */
- "HKDF functions", /* ERR_LIB_HKDF */
- "User defined functions", /* ERR_LIB_USER */
+ "unknown library", // ERR_LIB_NONE
+ "system library", // ERR_LIB_SYS
+ "bignum routines", // ERR_LIB_BN
+ "RSA routines", // ERR_LIB_RSA
+ "Diffie-Hellman routines", // ERR_LIB_DH
+ "public key routines", // ERR_LIB_EVP
+ "memory buffer routines", // ERR_LIB_BUF
+ "object identifier routines", // ERR_LIB_OBJ
+ "PEM routines", // ERR_LIB_PEM
+ "DSA routines", // ERR_LIB_DSA
+ "X.509 certificate routines", // ERR_LIB_X509
+ "ASN.1 encoding routines", // ERR_LIB_ASN1
+ "configuration file routines", // ERR_LIB_CONF
+ "common libcrypto routines", // ERR_LIB_CRYPTO
+ "elliptic curve routines", // ERR_LIB_EC
+ "SSL routines", // ERR_LIB_SSL
+ "BIO routines", // ERR_LIB_BIO
+ "PKCS7 routines", // ERR_LIB_PKCS7
+ "PKCS8 routines", // ERR_LIB_PKCS8
+ "X509 V3 routines", // ERR_LIB_X509V3
+ "random number generator", // ERR_LIB_RAND
+ "ENGINE routines", // ERR_LIB_ENGINE
+ "OCSP routines", // ERR_LIB_OCSP
+ "UI routines", // ERR_LIB_UI
+ "COMP routines", // ERR_LIB_COMP
+ "ECDSA routines", // ERR_LIB_ECDSA
+ "ECDH routines", // ERR_LIB_ECDH
+ "HMAC routines", // ERR_LIB_HMAC
+ "Digest functions", // ERR_LIB_DIGEST
+ "Cipher functions", // ERR_LIB_CIPHER
+ "HKDF functions", // ERR_LIB_HKDF
+ "User defined functions", // ERR_LIB_USER
};
const char *ERR_lib_error_string(uint32_t packed_error) {
@@ -555,8 +555,8 @@
int line, flags;
uint32_t packed_error;
- /* thread_hash is the least-significant bits of the |ERR_STATE| pointer value
- * for this thread. */
+ // thread_hash is the least-significant bits of the |ERR_STATE| pointer value
+ // for this thread.
const unsigned long thread_hash = (uintptr_t) err_get_state();
for (;;) {
@@ -585,8 +585,8 @@
ERR_print_errors_cb(print_errors_to_file, file);
}
-/* err_set_error_data sets the data on the most recent error. The |flags|
- * argument is a combination of the |ERR_FLAG_*| values. */
+// err_set_error_data sets the data on the most recent error. The |flags|
+// argument is a combination of the |ERR_FLAG_*| values.
static void err_set_error_data(char *data, int flags) {
ERR_STATE *const state = err_get_state();
struct err_error_st *error;
@@ -634,9 +634,9 @@
error->packed = ERR_PACK(library, reason);
}
-/* ERR_add_error_data_vdata takes a variable number of const char* pointers,
- * concatenates them and sets the result as the data on the most recent
- * error. */
+// ERR_add_error_data_vdata takes a variable number of const char* pointers,
+// concatenates them and sets the result as the data on the most recent
+// error.
static void err_add_error_vdata(unsigned num, va_list args) {
size_t alloced, new_len, len = 0, substr_len;
char *buf;
@@ -661,7 +661,7 @@
char *new_buf;
if (alloced + 20 + 1 < alloced) {
- /* overflow. */
+ // overflow.
OPENSSL_free(buf);
return;
}
@@ -695,9 +695,9 @@
char *buf;
static const unsigned buf_len = 256;
- /* A fixed-size buffer is used because va_copy (which would be needed in
- * order to call vsnprintf twice and measure the buffer) wasn't defined until
- * C99. */
+ // A fixed-size buffer is used because va_copy (which would be needed in
+ // order to call vsnprintf twice and measure the buffer) wasn't defined until
+ // C99.
buf = OPENSSL_malloc(buf_len + 1);
if (buf == NULL) {
return;
diff --git a/src/crypto/err/err_test.cc b/src/crypto/err/err_test.cc
index 8e820b8..5d04ae2 100644
--- a/src/crypto/err/err_test.cc
+++ b/src/crypto/err/err_test.cc
@@ -30,9 +30,9 @@
for (unsigned i = 0; i < ERR_NUM_ERRORS - 1; i++) {
SCOPED_TRACE(i);
uint32_t err = ERR_get_error();
- /* Errors are returned in order they were pushed, with the least recent ones
- * removed, up to |ERR_NUM_ERRORS - 1| errors. So the errors returned are
- * |ERR_NUM_ERRORS + 2| through |ERR_NUM_ERRORS * 2|, inclusive. */
+ // Errors are returned in order they were pushed, with the least recent ones
+ // removed, up to |ERR_NUM_ERRORS - 1| errors. So the errors returned are
+ // |ERR_NUM_ERRORS + 2| through |ERR_NUM_ERRORS * 2|, inclusive.
EXPECT_NE(0u, err);
EXPECT_EQ(static_cast<int>(i + ERR_NUM_ERRORS + 2), ERR_GET_REASON(err));
}
diff --git a/src/crypto/err/ssl.errordata b/src/crypto/err/ssl.errordata
index 7949cc7..a528874 100644
--- a/src/crypto/err/ssl.errordata
+++ b/src/crypto/err/ssl.errordata
@@ -34,7 +34,6 @@
SSL,126,CERT_CB_ERROR
SSL,127,CERT_LENGTH_MISMATCH
SSL,128,CHANNEL_ID_NOT_P256
-SSL,279,CHANNEL_ID_ON_EARLY_DATA
SSL,129,CHANNEL_ID_SIGNATURE_INVALID
SSL,130,CIPHER_OR_HASH_UNAVAILABLE
SSL,131,CLIENTHELLO_PARSE_FAILED
@@ -183,6 +182,7 @@
SSL,270,TOO_MUCH_SKIPPED_EARLY_DATA
SSL,221,UNABLE_TO_FIND_ECDH_PARAMETERS
SSL,222,UNEXPECTED_EXTENSION
+SSL,279,UNEXPECTED_EXTENSION_ON_EARLY_DATA
SSL,223,UNEXPECTED_MESSAGE
SSL,224,UNEXPECTED_OPERATOR_IN_GROUP
SSL,225,UNEXPECTED_RECORD
diff --git a/src/crypto/evp/digestsign.c b/src/crypto/evp/digestsign.c
index de41f87..6e4d305 100644
--- a/src/crypto/evp/digestsign.c
+++ b/src/crypto/evp/digestsign.c
@@ -196,8 +196,8 @@
int EVP_DigestSign(EVP_MD_CTX *ctx, uint8_t *out_sig, size_t *out_sig_len,
const uint8_t *data, size_t data_len) {
if (uses_prehash(ctx, evp_sign)) {
- /* If |out_sig| is NULL, the caller is only querying the maximum output
- * length. |data| should only be incorporated in the final call. */
+ // If |out_sig| is NULL, the caller is only querying the maximum output
+ // length. |data| should only be incorporated in the final call.
if (out_sig != NULL &&
!EVP_DigestSignUpdate(ctx, data, data_len)) {
return 0;
diff --git a/src/crypto/evp/evp.c b/src/crypto/evp/evp.c
index 117e774..ad5f85b 100644
--- a/src/crypto/evp/evp.c
+++ b/src/crypto/evp/evp.c
@@ -127,7 +127,7 @@
if (a->ameth) {
int ret;
- /* Compare parameters if the algorithm has them */
+ // Compare parameters if the algorithm has them
if (a->ameth->param_cmp) {
ret = a->ameth->param_cmp(a, b);
if (ret <= 0) {
@@ -187,9 +187,9 @@
return pkey->type;
}
-/* evp_pkey_asn1_find returns the ASN.1 method table for the given |nid|, which
- * should be one of the |EVP_PKEY_*| values. It returns NULL if |nid| is
- * unknown. */
+// evp_pkey_asn1_find returns the ASN.1 method table for the given |nid|, which
+// should be one of the |EVP_PKEY_*| values. It returns NULL if |nid| is
+// unknown.
static const EVP_PKEY_ASN1_METHOD *evp_pkey_asn1_find(int nid) {
switch (nid) {
case EVP_PKEY_RSA:
diff --git a/src/crypto/evp/evp_asn1.c b/src/crypto/evp/evp_asn1.c
index 1f8d3eb..bcb86d7 100644
--- a/src/crypto/evp/evp_asn1.c
+++ b/src/crypto/evp/evp_asn1.c
@@ -94,7 +94,7 @@
}
EVP_PKEY *EVP_parse_public_key(CBS *cbs) {
- /* Parse the SubjectPublicKeyInfo. */
+ // Parse the SubjectPublicKeyInfo.
CBS spki, algorithm, key;
int type;
uint8_t padding;
@@ -103,22 +103,22 @@
!parse_key_type(&algorithm, &type) ||
!CBS_get_asn1(&spki, &key, CBS_ASN1_BITSTRING) ||
CBS_len(&spki) != 0 ||
- /* Every key type defined encodes the key as a byte string with the same
- * conversion to BIT STRING. */
+ // Every key type defined encodes the key as a byte string with the same
+ // conversion to BIT STRING.
!CBS_get_u8(&key, &padding) ||
padding != 0) {
OPENSSL_PUT_ERROR(EVP, EVP_R_DECODE_ERROR);
return NULL;
}
- /* Set up an |EVP_PKEY| of the appropriate type. */
+ // Set up an |EVP_PKEY| of the appropriate type.
EVP_PKEY *ret = EVP_PKEY_new();
if (ret == NULL ||
!EVP_PKEY_set_type(ret, type)) {
goto err;
}
- /* Call into the type-specific SPKI decoding function. */
+ // Call into the type-specific SPKI decoding function.
if (ret->ameth->pub_decode == NULL) {
OPENSSL_PUT_ERROR(EVP, EVP_R_UNSUPPORTED_ALGORITHM);
goto err;
@@ -144,7 +144,7 @@
}
EVP_PKEY *EVP_parse_private_key(CBS *cbs) {
- /* Parse the PrivateKeyInfo. */
+ // Parse the PrivateKeyInfo.
CBS pkcs8, algorithm, key;
uint64_t version;
int type;
@@ -158,16 +158,16 @@
return NULL;
}
- /* A PrivateKeyInfo ends with a SET of Attributes which we ignore. */
+ // A PrivateKeyInfo ends with a SET of Attributes which we ignore.
- /* Set up an |EVP_PKEY| of the appropriate type. */
+ // Set up an |EVP_PKEY| of the appropriate type.
EVP_PKEY *ret = EVP_PKEY_new();
if (ret == NULL ||
!EVP_PKEY_set_type(ret, type)) {
goto err;
}
- /* Call into the type-specific PrivateKeyInfo decoding function. */
+ // Call into the type-specific PrivateKeyInfo decoding function.
if (ret->ameth->priv_decode == NULL) {
OPENSSL_PUT_ERROR(EVP, EVP_R_UNSUPPORTED_ALGORITHM);
goto err;
@@ -240,12 +240,12 @@
return NULL;
}
- /* Parse with the legacy format. */
+ // Parse with the legacy format.
CBS cbs;
CBS_init(&cbs, *inp, (size_t)len);
EVP_PKEY *ret = old_priv_decode(&cbs, type);
if (ret == NULL) {
- /* Try again with PKCS#8. */
+ // Try again with PKCS#8.
ERR_clear_error();
CBS_init(&cbs, *inp, (size_t)len);
ret = EVP_parse_private_key(&cbs);
@@ -267,8 +267,8 @@
return ret;
}
-/* num_elements parses one SEQUENCE from |in| and returns the number of elements
- * in it. On parse error, it returns zero. */
+// num_elements parses one SEQUENCE from |in| and returns the number of elements
+// in it. On parse error, it returns zero.
static size_t num_elements(const uint8_t *in, size_t in_len) {
CBS cbs, sequence;
CBS_init(&cbs, in, (size_t)in_len);
@@ -295,7 +295,7 @@
return NULL;
}
- /* Parse the input as a PKCS#8 PrivateKeyInfo. */
+ // Parse the input as a PKCS#8 PrivateKeyInfo.
CBS cbs;
CBS_init(&cbs, *inp, (size_t)len);
EVP_PKEY *ret = EVP_parse_private_key(&cbs);
@@ -309,7 +309,7 @@
}
ERR_clear_error();
- /* Count the elements to determine the legacy key format. */
+ // Count the elements to determine the legacy key format.
switch (num_elements(*inp, (size_t)len)) {
case 4:
return d2i_PrivateKey(EVP_PKEY_EC, out, inp, len);
diff --git a/src/crypto/evp/evp_ctx.c b/src/crypto/evp/evp_ctx.c
index 8d092ee..3599f77 100644
--- a/src/crypto/evp/evp_ctx.c
+++ b/src/crypto/evp/evp_ctx.c
@@ -369,11 +369,11 @@
return 0;
}
- /* ran@cryptocom.ru: For clarity. The error is if parameters in peer are
- * present (!missing) but don't match. EVP_PKEY_cmp_parameters may return
- * 1 (match), 0 (don't match) and -2 (comparison is not defined). -1
- * (different key types) is impossible here because it is checked earlier.
- * -2 is OK for us here, as well as 1, so we can check for 0 only. */
+ // ran@cryptocom.ru: For clarity. The error is if parameters in peer are
+ // present (!missing) but don't match. EVP_PKEY_cmp_parameters may return
+ // 1 (match), 0 (don't match) and -2 (comparison is not defined). -1
+ // (different key types) is impossible here because it is checked earlier.
+ // -2 is OK for us here, as well as 1, so we can check for 0 only.
if (!EVP_PKEY_missing_parameters(peer) &&
!EVP_PKEY_cmp_parameters(ctx->pkey, peer)) {
OPENSSL_PUT_ERROR(EVP, EVP_R_DIFFERENT_PARAMETERS);
diff --git a/src/crypto/evp/internal.h b/src/crypto/evp/internal.h
index 5e9aab0..4aefa35 100644
--- a/src/crypto/evp/internal.h
+++ b/src/crypto/evp/internal.h
@@ -71,33 +71,33 @@
uint8_t oid[9];
uint8_t oid_len;
- /* pub_decode decodes |params| and |key| as a SubjectPublicKeyInfo
- * and writes the result into |out|. It returns one on success and zero on
- * error. |params| is the AlgorithmIdentifier after the OBJECT IDENTIFIER
- * type field, and |key| is the contents of the subjectPublicKey with the
- * leading padding byte checked and removed. Although X.509 uses BIT STRINGs
- * to represent SubjectPublicKeyInfo, every key type defined encodes the key
- * as a byte string with the same conversion to BIT STRING. */
+ // pub_decode decodes |params| and |key| as a SubjectPublicKeyInfo
+ // and writes the result into |out|. It returns one on success and zero on
+ // error. |params| is the AlgorithmIdentifier after the OBJECT IDENTIFIER
+ // type field, and |key| is the contents of the subjectPublicKey with the
+ // leading padding byte checked and removed. Although X.509 uses BIT STRINGs
+ // to represent SubjectPublicKeyInfo, every key type defined encodes the key
+ // as a byte string with the same conversion to BIT STRING.
int (*pub_decode)(EVP_PKEY *out, CBS *params, CBS *key);
- /* pub_encode encodes |key| as a SubjectPublicKeyInfo and appends the result
- * to |out|. It returns one on success and zero on error. */
+ // pub_encode encodes |key| as a SubjectPublicKeyInfo and appends the result
+ // to |out|. It returns one on success and zero on error.
int (*pub_encode)(CBB *out, const EVP_PKEY *key);
int (*pub_cmp)(const EVP_PKEY *a, const EVP_PKEY *b);
- /* priv_decode decodes |params| and |key| as a PrivateKeyInfo and writes the
- * result into |out|. It returns one on success and zero on error. |params| is
- * the AlgorithmIdentifier after the OBJECT IDENTIFIER type field, and |key|
- * is the contents of the OCTET STRING privateKey field. */
+ // priv_decode decodes |params| and |key| as a PrivateKeyInfo and writes the
+ // result into |out|. It returns one on success and zero on error. |params| is
+ // the AlgorithmIdentifier after the OBJECT IDENTIFIER type field, and |key|
+ // is the contents of the OCTET STRING privateKey field.
int (*priv_decode)(EVP_PKEY *out, CBS *params, CBS *key);
- /* priv_encode encodes |key| as a PrivateKeyInfo and appends the result to
- * |out|. It returns one on success and zero on error. */
+ // priv_encode encodes |key| as a PrivateKeyInfo and appends the result to
+ // |out|. It returns one on success and zero on error.
int (*priv_encode)(CBB *out, const EVP_PKEY *key);
- /* pkey_opaque returns 1 if the |pk| is opaque. Opaque keys are backed by
- * custom implementations which do not expose key material and parameters.*/
+ // pkey_opaque returns 1 if the |pk| is opaque. Opaque keys are backed by
+ // custom implementations which do not expose key material and parameters.
int (*pkey_opaque)(const EVP_PKEY *pk);
int (*pkey_size)(const EVP_PKEY *pk);
@@ -130,33 +130,33 @@
#define EVP_PKEY_OP_TYPE_GEN EVP_PKEY_OP_KEYGEN
-/* EVP_PKEY_CTX_ctrl performs |cmd| on |ctx|. The |keytype| and |optype|
- * arguments can be -1 to specify that any type and operation are acceptable,
- * otherwise |keytype| must match the type of |ctx| and the bits of |optype|
- * must intersect the operation flags set on |ctx|.
- *
- * The |p1| and |p2| arguments depend on the value of |cmd|.
- *
- * It returns one on success and zero on error. */
+// EVP_PKEY_CTX_ctrl performs |cmd| on |ctx|. The |keytype| and |optype|
+// arguments can be -1 to specify that any type and operation are acceptable,
+// otherwise |keytype| must match the type of |ctx| and the bits of |optype|
+// must intersect the operation flags set on |ctx|.
+//
+// The |p1| and |p2| arguments depend on the value of |cmd|.
+//
+// It returns one on success and zero on error.
OPENSSL_EXPORT int EVP_PKEY_CTX_ctrl(EVP_PKEY_CTX *ctx, int keytype, int optype,
int cmd, int p1, void *p2);
#define EVP_PKEY_CTRL_MD 1
#define EVP_PKEY_CTRL_GET_MD 2
-/* EVP_PKEY_CTRL_PEER_KEY is called with different values of |p1|:
- * 0: Is called from |EVP_PKEY_derive_set_peer| and |p2| contains a peer key.
- * If the return value is <= 0, the key is rejected.
- * 1: Is called at the end of |EVP_PKEY_derive_set_peer| and |p2| contains a
- * peer key. If the return value is <= 0, the key is rejected.
- * 2: Is called with |p2| == NULL to test whether the peer's key was used.
- * (EC)DH always return one in this case.
- * 3: Is called with |p2| == NULL to set whether the peer's key was used.
- * (EC)DH always return one in this case. This was only used for GOST. */
+// EVP_PKEY_CTRL_PEER_KEY is called with different values of |p1|:
+// 0: Is called from |EVP_PKEY_derive_set_peer| and |p2| contains a peer key.
+// If the return value is <= 0, the key is rejected.
+// 1: Is called at the end of |EVP_PKEY_derive_set_peer| and |p2| contains a
+// peer key. If the return value is <= 0, the key is rejected.
+// 2: Is called with |p2| == NULL to test whether the peer's key was used.
+// (EC)DH always return one in this case.
+// 3: Is called with |p2| == NULL to set whether the peer's key was used.
+// (EC)DH always return one in this case. This was only used for GOST.
#define EVP_PKEY_CTRL_PEER_KEY 3
-/* EVP_PKEY_ALG_CTRL is the base value from which key-type specific ctrl
- * commands are numbered. */
+// EVP_PKEY_ALG_CTRL is the base value from which key-type specific ctrl
+// commands are numbered.
#define EVP_PKEY_ALG_CTRL 0x1000
#define EVP_PKEY_CTRL_RSA_PADDING (EVP_PKEY_ALG_CTRL + 1)
@@ -173,17 +173,17 @@
#define EVP_PKEY_CTRL_GET_RSA_OAEP_LABEL (EVP_PKEY_ALG_CTRL + 12)
struct evp_pkey_ctx_st {
- /* Method associated with this operation */
+ // Method associated with this operation
const EVP_PKEY_METHOD *pmeth;
- /* Engine that implements this method or NULL if builtin */
+ // Engine that implements this method or NULL if builtin
ENGINE *engine;
- /* Key: may be NULL */
+ // Key: may be NULL
EVP_PKEY *pkey;
- /* Peer key for key agreement, may be NULL */
+ // Peer key for key agreement, may be NULL
EVP_PKEY *peerkey;
- /* operation contains one of the |EVP_PKEY_OP_*| values. */
+ // operation contains one of the |EVP_PKEY_OP_*| values.
int operation;
- /* Algorithm specific data */
+ // Algorithm specific data
void *data;
} /* EVP_PKEY_CTX */;
@@ -226,8 +226,8 @@
union {
uint8_t priv[64];
struct {
- /* Shift the location of the public key to align with where it is in the
- * private key representation. */
+ // Shift the location of the public key to align with where it is in the
+ // private key representation.
uint8_t pad[32];
uint8_t value[32];
} pub;
@@ -246,7 +246,7 @@
#if defined(__cplusplus)
-} /* extern C */
+} // extern C
#endif
-#endif /* OPENSSL_HEADER_EVP_INTERNAL_H */
+#endif // OPENSSL_HEADER_EVP_INTERNAL_H
diff --git a/src/crypto/evp/p_dsa_asn1.c b/src/crypto/evp/p_dsa_asn1.c
index 0e5cdee..16d78b7 100644
--- a/src/crypto/evp/p_dsa_asn1.c
+++ b/src/crypto/evp/p_dsa_asn1.c
@@ -65,9 +65,9 @@
static int dsa_pub_decode(EVP_PKEY *out, CBS *params, CBS *key) {
- /* See RFC 3279, section 2.3.2. */
+ // See RFC 3279, section 2.3.2.
- /* Parameters may or may not be present. */
+ // Parameters may or may not be present.
DSA *dsa;
if (CBS_len(params) == 0) {
dsa = DSA_new();
@@ -105,7 +105,7 @@
const DSA *dsa = key->pkey.dsa;
const int has_params = dsa->p != NULL && dsa->q != NULL && dsa->g != NULL;
- /* See RFC 5480, section 2. */
+ // See RFC 5480, section 2.
CBB spki, algorithm, oid, key_bitstring;
if (!CBB_add_asn1(out, &spki, CBS_ASN1_SEQUENCE) ||
!CBB_add_asn1(&spki, &algorithm, CBS_ASN1_SEQUENCE) ||
@@ -125,9 +125,9 @@
}
static int dsa_priv_decode(EVP_PKEY *out, CBS *params, CBS *key) {
- /* See PKCS#11, v2.40, section 2.5. */
+ // See PKCS#11, v2.40, section 2.5.
- /* Decode parameters. */
+ // Decode parameters.
BN_CTX *ctx = NULL;
DSA *dsa = DSA_parse_parameters(params);
if (dsa == NULL || CBS_len(params) != 0) {
@@ -141,14 +141,14 @@
goto err;
}
- /* Decode the key. */
+ // Decode the key.
if (!BN_parse_asn1_unsigned(key, dsa->priv_key) ||
CBS_len(key) != 0) {
OPENSSL_PUT_ERROR(EVP, EVP_R_DECODE_ERROR);
goto err;
}
- /* Calculate the public key. */
+ // Calculate the public key.
ctx = BN_CTX_new();
if (ctx == NULL ||
!BN_mod_exp_mont(dsa->pub_key, dsa->g, dsa->priv_key, dsa->p, ctx,
@@ -173,7 +173,7 @@
return 0;
}
- /* See PKCS#11, v2.40, section 2.5. */
+ // See PKCS#11, v2.40, section 2.5.
CBB pkcs8, algorithm, oid, private_key;
if (!CBB_add_asn1(out, &pkcs8, CBS_ASN1_SEQUENCE) ||
!CBB_add_asn1_uint64(&pkcs8, 0 /* version */) ||
@@ -245,7 +245,7 @@
const EVP_PKEY_ASN1_METHOD dsa_asn1_meth = {
EVP_PKEY_DSA,
- /* 1.2.840.10040.4.1 */
+ // 1.2.840.10040.4.1
{0x2a, 0x86, 0x48, 0xce, 0x38, 0x04, 0x01}, 7,
dsa_pub_decode,
diff --git a/src/crypto/evp/p_ec.c b/src/crypto/evp/p_ec.c
index e2502a3..d311d22 100644
--- a/src/crypto/evp/p_ec.c
+++ b/src/crypto/evp/p_ec.c
@@ -74,7 +74,7 @@
typedef struct {
- /* message digest */
+ // message digest
const EVP_MD *md;
} EC_PKEY_CTX;
@@ -161,8 +161,8 @@
}
pubkey = EC_KEY_get0_public_key(ctx->peerkey->pkey.ec);
- /* NB: unlike PKCS#3 DH, if *outlen is less than maximum size this is
- * not an error, the result is truncated. */
+ // NB: unlike PKCS#3 DH, if *outlen is less than maximum size this is
+ // not an error, the result is truncated.
outlen = *keylen;
@@ -196,7 +196,7 @@
return 1;
case EVP_PKEY_CTRL_PEER_KEY:
- /* Default behaviour is OK */
+ // Default behaviour is OK
return 1;
default:
diff --git a/src/crypto/evp/p_ec_asn1.c b/src/crypto/evp/p_ec_asn1.c
index 1f1bf2f..c5828d9 100644
--- a/src/crypto/evp/p_ec_asn1.c
+++ b/src/crypto/evp/p_ec_asn1.c
@@ -70,7 +70,7 @@
const EC_GROUP *group = EC_KEY_get0_group(ec_key);
const EC_POINT *public_key = EC_KEY_get0_public_key(ec_key);
- /* See RFC 5480, section 2. */
+ // See RFC 5480, section 2.
CBB spki, algorithm, oid, key_bitstring;
if (!CBB_add_asn1(out, &spki, CBS_ASN1_SEQUENCE) ||
!CBB_add_asn1(&spki, &algorithm, CBS_ASN1_SEQUENCE) ||
@@ -90,9 +90,9 @@
}
static int eckey_pub_decode(EVP_PKEY *out, CBS *params, CBS *key) {
- /* See RFC 5480, section 2. */
+ // See RFC 5480, section 2.
- /* The parameters are a named curve. */
+ // The parameters are a named curve.
EC_POINT *point = NULL;
EC_KEY *eckey = NULL;
EC_GROUP *group = EC_KEY_parse_curve_name(params);
@@ -141,7 +141,7 @@
}
static int eckey_priv_decode(EVP_PKEY *out, CBS *params, CBS *key) {
- /* See RFC 5915. */
+ // See RFC 5915.
EC_GROUP *group = EC_KEY_parse_parameters(params);
if (group == NULL || CBS_len(params) != 0) {
OPENSSL_PUT_ERROR(EVP, EVP_R_DECODE_ERROR);
@@ -164,13 +164,13 @@
static int eckey_priv_encode(CBB *out, const EVP_PKEY *key) {
const EC_KEY *ec_key = key->pkey.ec;
- /* Omit the redundant copy of the curve name. This contradicts RFC 5915 but
- * aligns with PKCS #11. SEC 1 only says they may be omitted if known by other
- * means. Both OpenSSL and NSS omit the redundant parameters, so we omit them
- * as well. */
+ // Omit the redundant copy of the curve name. This contradicts RFC 5915 but
+ // aligns with PKCS #11. SEC 1 only says they may be omitted if known by other
+ // means. Both OpenSSL and NSS omit the redundant parameters, so we omit them
+ // as well.
unsigned enc_flags = EC_KEY_get_enc_flags(ec_key) | EC_PKEY_NO_PARAMETERS;
- /* See RFC 5915. */
+ // See RFC 5915.
CBB pkcs8, algorithm, oid, private_key;
if (!CBB_add_asn1(out, &pkcs8, CBS_ASN1_SEQUENCE) ||
!CBB_add_asn1_uint64(&pkcs8, 0 /* version */) ||
@@ -219,7 +219,7 @@
const EC_GROUP *group_a = EC_KEY_get0_group(a->pkey.ec),
*group_b = EC_KEY_get0_group(b->pkey.ec);
if (EC_GROUP_cmp(group_a, group_b, NULL) != 0) {
- /* mismatch */
+ // mismatch
return 0;
}
return 1;
@@ -233,7 +233,7 @@
const EVP_PKEY_ASN1_METHOD ec_asn1_meth = {
EVP_PKEY_EC,
- /* 1.2.840.10045.2.1 */
+ // 1.2.840.10045.2.1
{0x2a, 0x86, 0x48, 0xce, 0x3d, 0x02, 0x01}, 7,
eckey_pub_decode,
diff --git a/src/crypto/evp/p_ed25519.c b/src/crypto/evp/p_ed25519.c
index 0722624..554a379 100644
--- a/src/crypto/evp/p_ed25519.c
+++ b/src/crypto/evp/p_ed25519.c
@@ -20,7 +20,7 @@
#include "internal.h"
-/* Ed25519 has no parameters to copy. */
+// Ed25519 has no parameters to copy.
static int pkey_ed25519_copy(EVP_PKEY_CTX *dst, EVP_PKEY_CTX *src) { return 1; }
static int pkey_ed25519_sign_message(EVP_PKEY_CTX *ctx, uint8_t *sig,
diff --git a/src/crypto/evp/p_ed25519_asn1.c b/src/crypto/evp/p_ed25519_asn1.c
index 8cb359e..37aebe0 100644
--- a/src/crypto/evp/p_ed25519_asn1.c
+++ b/src/crypto/evp/p_ed25519_asn1.c
@@ -61,9 +61,9 @@
}
static int ed25519_pub_decode(EVP_PKEY *out, CBS *params, CBS *key) {
- /* See draft-ietf-curdle-pkix-04, section 4. */
+ // See draft-ietf-curdle-pkix-04, section 4.
- /* The parameters must be omitted. Public keys have length 32. */
+ // The parameters must be omitted. Public keys have length 32.
if (CBS_len(params) != 0 ||
CBS_len(key) != 32) {
OPENSSL_PUT_ERROR(EVP, EVP_R_DECODE_ERROR);
@@ -76,7 +76,7 @@
static int ed25519_pub_encode(CBB *out, const EVP_PKEY *pkey) {
const ED25519_KEY *key = pkey->pkey.ptr;
- /* See draft-ietf-curdle-pkix-04, section 4. */
+ // See draft-ietf-curdle-pkix-04, section 4.
CBB spki, algorithm, oid, key_bitstring;
if (!CBB_add_asn1(out, &spki, CBS_ASN1_SEQUENCE) ||
!CBB_add_asn1(&spki, &algorithm, CBS_ASN1_SEQUENCE) ||
@@ -100,10 +100,10 @@
}
static int ed25519_priv_decode(EVP_PKEY *out, CBS *params, CBS *key) {
- /* See draft-ietf-curdle-pkix-04, section 7. */
+ // See draft-ietf-curdle-pkix-04, section 7.
- /* Parameters must be empty. The key is a 32-byte value wrapped in an extra
- * OCTET STRING layer. */
+ // Parameters must be empty. The key is a 32-byte value wrapped in an extra
+ // OCTET STRING layer.
CBS inner;
if (CBS_len(params) != 0 ||
!CBS_get_asn1(key, &inner, CBS_ASN1_OCTETSTRING) ||
@@ -113,8 +113,8 @@
return 0;
}
- /* The PKCS#8 encoding stores only the 32-byte seed, so we must recover the
- * full representation which we use from it. */
+ // The PKCS#8 encoding stores only the 32-byte seed, so we must recover the
+ // full representation which we use from it.
uint8_t pubkey[32], privkey[64];
ED25519_keypair_from_seed(pubkey, privkey, CBS_data(&inner));
return set_privkey(out, privkey);
@@ -127,7 +127,7 @@
return 0;
}
- /* See draft-ietf-curdle-pkix-04, section 7. */
+ // See draft-ietf-curdle-pkix-04, section 7.
CBB pkcs8, algorithm, oid, private_key, inner;
if (!CBB_add_asn1(out, &pkcs8, CBS_ASN1_SEQUENCE) ||
!CBB_add_asn1_uint64(&pkcs8, 0 /* version */) ||
@@ -136,8 +136,8 @@
!CBB_add_bytes(&oid, ed25519_asn1_meth.oid, ed25519_asn1_meth.oid_len) ||
!CBB_add_asn1(&pkcs8, &private_key, CBS_ASN1_OCTETSTRING) ||
!CBB_add_asn1(&private_key, &inner, CBS_ASN1_OCTETSTRING) ||
- /* The PKCS#8 encoding stores only the 32-byte seed which is the first 32
- * bytes of the private key. */
+ // The PKCS#8 encoding stores only the 32-byte seed which is the first 32
+ // bytes of the private key.
!CBB_add_bytes(&inner, key->key.priv, 32) ||
!CBB_flush(out)) {
OPENSSL_PUT_ERROR(EVP, EVP_R_ENCODE_ERROR);
diff --git a/src/crypto/evp/p_rsa.c b/src/crypto/evp/p_rsa.c
index 36aa524..08c01c2 100644
--- a/src/crypto/evp/p_rsa.c
+++ b/src/crypto/evp/p_rsa.c
@@ -73,21 +73,21 @@
typedef struct {
- /* Key gen parameters */
+ // Key gen parameters
int nbits;
BIGNUM *pub_exp;
- /* RSA padding mode */
+ // RSA padding mode
int pad_mode;
- /* message digest */
+ // message digest
const EVP_MD *md;
- /* message digest for MGF1 */
+ // message digest for MGF1
const EVP_MD *mgf1md;
- /* PSS salt length */
+ // PSS salt length
int saltlen;
- /* tbuf is a buffer which is either NULL, or is the size of the RSA modulus.
- * It's used to store the output of RSA operations. */
+ // tbuf is a buffer which is either NULL, or is the size of the RSA modulus.
+ // It's used to store the output of RSA operations.
uint8_t *tbuf;
- /* OAEP label */
+ // OAEP label
uint8_t *oaep_label;
size_t oaep_labellen;
} RSA_PKEY_CTX;
@@ -260,7 +260,7 @@
return 0;
}
- /* Assemble the encoded hash, using a placeholder hash value. */
+ // Assemble the encoded hash, using a placeholder hash value.
static const uint8_t kDummyHash[EVP_MAX_MD_SIZE] = {0};
const size_t hash_len = EVP_MD_size(rctx->md);
uint8_t *asn1_prefix;
@@ -278,7 +278,7 @@
if (!RSA_verify_raw(rsa, &rslen, rctx->tbuf, key_len, sig, sig_len,
RSA_PKCS1_PADDING) ||
rslen != asn1_prefix_len ||
- /* Compare all but the hash suffix. */
+ // Compare all but the hash suffix.
CRYPTO_memcmp(rctx->tbuf, asn1_prefix, asn1_prefix_len - hash_len) != 0) {
ok = 0;
}
diff --git a/src/crypto/evp/p_rsa_asn1.c b/src/crypto/evp/p_rsa_asn1.c
index 866fc59..3231ffb 100644
--- a/src/crypto/evp/p_rsa_asn1.c
+++ b/src/crypto/evp/p_rsa_asn1.c
@@ -77,7 +77,7 @@
}
static int rsa_pub_encode(CBB *out, const EVP_PKEY *key) {
- /* See RFC 3279, section 2.3.1. */
+ // See RFC 3279, section 2.3.1.
CBB spki, algorithm, oid, null, key_bitstring;
if (!CBB_add_asn1(out, &spki, CBS_ASN1_SEQUENCE) ||
!CBB_add_asn1(&spki, &algorithm, CBS_ASN1_SEQUENCE) ||
@@ -101,9 +101,9 @@
buggy = g_buggy;
CRYPTO_STATIC_MUTEX_unlock_read(&g_buggy_lock);
- /* See RFC 3279, section 2.3.1. */
+ // See RFC 3279, section 2.3.1.
- /* The parameters must be NULL. */
+ // The parameters must be NULL.
CBS null;
if (!CBS_get_asn1(params, &null, CBS_ASN1_NULL) ||
CBS_len(&null) != 0 ||
@@ -112,12 +112,12 @@
return 0;
}
- /* Estonian IDs issued between September 2014 to September 2015 are
- * broken. See https://crbug.com/532048 and https://crbug.com/534766.
- *
- * TODO(davidben): Switch this to the strict version in March 2016 or when
- * Chromium can force client certificates down a different codepath, whichever
- * comes first. */
+ // Estonian IDs issued between September 2014 to September 2015 are
+ // broken. See https://crbug.com/532048 and https://crbug.com/534766.
+ //
+ // TODO(davidben): Switch this to the strict version in March 2016 or when
+ // Chromium can force client certificates down a different codepath, whichever
+ // comes first.
RSA *rsa = buggy ? RSA_parse_public_key_buggy(key) : RSA_parse_public_key(key);
if (rsa == NULL || CBS_len(key) != 0) {
OPENSSL_PUT_ERROR(EVP, EVP_R_DECODE_ERROR);
@@ -153,7 +153,7 @@
}
static int rsa_priv_decode(EVP_PKEY *out, CBS *params, CBS *key) {
- /* Per RFC 3447, A.1, the parameters have type NULL. */
+ // Per RFC 3447, A.1, the parameters have type NULL.
CBS null;
if (!CBS_get_asn1(params, &null, CBS_ASN1_NULL) ||
CBS_len(&null) != 0 ||
@@ -189,7 +189,7 @@
const EVP_PKEY_ASN1_METHOD rsa_asn1_meth = {
EVP_PKEY_RSA,
- /* 1.2.840.113549.1.1.1 */
+ // 1.2.840.113549.1.1.1
{0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x01, 0x01}, 9,
rsa_pub_decode,
diff --git a/src/crypto/evp/pbkdf.c b/src/crypto/evp/pbkdf.c
index daebb2d..f23a74b 100644
--- a/src/crypto/evp/pbkdf.c
+++ b/src/crypto/evp/pbkdf.c
@@ -65,7 +65,7 @@
int PKCS5_PBKDF2_HMAC(const char *password, size_t password_len,
const uint8_t *salt, size_t salt_len, unsigned iterations,
const EVP_MD *digest, size_t key_len, uint8_t *out_key) {
- /* See RFC 8018, section 5.2. */
+ // See RFC 8018, section 5.2.
int ret = 0;
size_t md_len = EVP_MD_size(digest);
uint32_t i = 1;
@@ -88,7 +88,7 @@
i_buf[2] = (uint8_t)((i >> 8) & 0xff);
i_buf[3] = (uint8_t)(i & 0xff);
- /* Compute U_1. */
+ // Compute U_1.
uint8_t digest_tmp[EVP_MAX_MD_SIZE];
if (!HMAC_Init_ex(&hctx, NULL, 0, NULL, NULL) ||
!HMAC_Update(&hctx, salt, salt_len) ||
@@ -99,7 +99,7 @@
OPENSSL_memcpy(out_key, digest_tmp, todo);
for (unsigned j = 1; j < iterations; j++) {
- /* Compute the remaining U_* values and XOR. */
+ // Compute the remaining U_* values and XOR.
if (!HMAC_Init_ex(&hctx, NULL, 0, NULL, NULL) ||
!HMAC_Update(&hctx, digest_tmp, md_len) ||
!HMAC_Final(&hctx, digest_tmp, NULL)) {
@@ -115,17 +115,17 @@
i++;
}
- /* RFC 8018 describes iterations (c) as being a "positive integer", so a
- * value of 0 is an error.
- *
- * Unfortunately not all consumers of PKCS5_PBKDF2_HMAC() check their return
- * value, expecting it to succeed and unconditionally using |out_key|. As a
- * precaution for such callsites in external code, the old behavior of
- * iterations < 1 being treated as iterations == 1 is preserved, but
- * additionally an error result is returned.
- *
- * TODO(eroman): Figure out how to remove this compatibility hack, or change
- * the default to something more sensible like 2048. */
+ // RFC 8018 describes iterations (c) as being a "positive integer", so a
+ // value of 0 is an error.
+ //
+ // Unfortunately not all consumers of PKCS5_PBKDF2_HMAC() check their return
+ // value, expecting it to succeed and unconditionally using |out_key|. As a
+ // precaution for such callsites in external code, the old behavior of
+ // iterations < 1 being treated as iterations == 1 is preserved, but
+ // additionally an error result is returned.
+ //
+ // TODO(eroman): Figure out how to remove this compatibility hack, or change
+ // the default to something more sensible like 2048.
if (iterations == 0) {
goto err;
}
diff --git a/src/crypto/evp/print.c b/src/crypto/evp/print.c
index a774087..3621d5f 100644
--- a/src/crypto/evp/print.c
+++ b/src/crypto/evp/print.c
@@ -131,7 +131,7 @@
}
}
-/* RSA keys. */
+// RSA keys.
static int do_rsa_print(BIO *out, const RSA *rsa, int off,
int include_private) {
@@ -212,7 +212,7 @@
}
-/* DSA keys. */
+// DSA keys.
static int do_dsa_print(BIO *bp, const DSA *x, int off, int ptype) {
uint8_t *m = NULL;
@@ -288,7 +288,7 @@
}
-/* EC keys. */
+// EC keys.
static int do_EC_KEY_print(BIO *bp, const EC_KEY *x, int off, int ktype) {
uint8_t *buffer = NULL;
@@ -379,7 +379,7 @@
if (pub_key_bytes != NULL) {
BIO_hexdump(bp, pub_key_bytes, pub_key_bytes_len, off);
}
- /* TODO(fork): implement */
+ // TODO(fork): implement
/*
if (!ECPKParameters_print(bp, group, off))
goto err; */
diff --git a/src/crypto/evp/scrypt.c b/src/crypto/evp/scrypt.c
index 3f10214..ed186ee 100644
--- a/src/crypto/evp/scrypt.c
+++ b/src/crypto/evp/scrypt.c
@@ -18,25 +18,25 @@
#include "../internal.h"
-/* This file implements scrypt, described in RFC 7914.
- *
- * Note scrypt refers to both "blocks" and a "block size" parameter, r. These
- * are two different notions of blocks. A Salsa20 block is 64 bytes long,
- * represented in this implementation by 16 |uint32_t|s. |r| determines the
- * number of 64-byte Salsa20 blocks in a scryptBlockMix block, which is 2 * |r|
- * Salsa20 blocks. This implementation refers to them as Salsa20 blocks and
- * scrypt blocks, respectively. */
+// This file implements scrypt, described in RFC 7914.
+//
+// Note scrypt refers to both "blocks" and a "block size" parameter, r. These
+// are two different notions of blocks. A Salsa20 block is 64 bytes long,
+// represented in this implementation by 16 |uint32_t|s. |r| determines the
+// number of 64-byte Salsa20 blocks in a scryptBlockMix block, which is 2 * |r|
+// Salsa20 blocks. This implementation refers to them as Salsa20 blocks and
+// scrypt blocks, respectively.
-/* A block_t is a Salsa20 block. */
+// A block_t is a Salsa20 block.
typedef struct { uint32_t words[16]; } block_t;
OPENSSL_COMPILE_ASSERT(sizeof(block_t) == 64, block_t_has_padding);
#define R(a, b) (((a) << (b)) | ((a) >> (32 - (b))))
-/* salsa208_word_specification implements the Salsa20/8 core function, also
- * described in RFC 7914, section 3. It modifies the block at |inout|
- * in-place. */
+// salsa208_word_specification implements the Salsa20/8 core function, also
+// described in RFC 7914, section 3. It modifies the block at |inout|
+// in-place.
static void salsa208_word_specification(block_t *inout) {
block_t x;
OPENSSL_memcpy(&x, inout, sizeof(x));
@@ -81,16 +81,16 @@
}
}
-/* xor_block sets |*out| to be |*a| XOR |*b|. */
+// xor_block sets |*out| to be |*a| XOR |*b|.
static void xor_block(block_t *out, const block_t *a, const block_t *b) {
for (size_t i = 0; i < 16; i++) {
out->words[i] = a->words[i] ^ b->words[i];
}
}
-/* scryptBlockMix implements the function described in RFC 7914, section 4. B'
- * is written to |out|. |out| and |B| may not alias and must be each one scrypt
- * block (2 * |r| Salsa20 blocks) long. */
+// scryptBlockMix implements the function described in RFC 7914, section 4. B'
+// is written to |out|. |out| and |B| may not alias and must be each one scrypt
+// block (2 * |r| Salsa20 blocks) long.
static void scryptBlockMix(block_t *out, const block_t *B, uint64_t r) {
assert(out != B);
@@ -100,19 +100,19 @@
xor_block(&X, &X, &B[i]);
salsa208_word_specification(&X);
- /* This implements the permutation in step 3. */
+ // This implements the permutation in step 3.
OPENSSL_memcpy(&out[i / 2 + (i & 1) * r], &X, sizeof(X));
}
}
-/* scryptROMix implements the function described in RFC 7914, section 5. |B| is
- * an scrypt block (2 * |r| Salsa20 blocks) and is modified in-place. |T| and
- * |V| are scratch space allocated by the caller. |T| must have space for one
- * scrypt block (2 * |r| Salsa20 blocks). |V| must have space for |N| scrypt
- * blocks (2 * |r| * |N| Salsa20 blocks). */
+// scryptROMix implements the function described in RFC 7914, section 5. |B| is
+// an scrypt block (2 * |r| Salsa20 blocks) and is modified in-place. |T| and
+// |V| are scratch space allocated by the caller. |T| must have space for one
+// scrypt block (2 * |r| Salsa20 blocks). |V| must have space for |N| scrypt
+// blocks (2 * |r| * |N| Salsa20 blocks).
static void scryptROMix(block_t *B, uint64_t r, uint64_t N, block_t *T,
block_t *V) {
- /* Steps 1 and 2. */
+ // Steps 1 and 2.
OPENSSL_memcpy(V, B, 2 * r * sizeof(block_t));
for (uint64_t i = 1; i < N; i++) {
scryptBlockMix(&V[2 * r * i /* scrypt block i */],
@@ -120,9 +120,9 @@
}
scryptBlockMix(B, &V[2 * r * (N - 1) /* scrypt block N-1 */], r);
- /* Step 3. */
+ // Step 3.
for (uint64_t i = 0; i < N; i++) {
- /* Note this assumes |N| <= 2^32 and is a power of 2. */
+ // Note this assumes |N| <= 2^32 and is a power of 2.
uint32_t j = B[2 * r - 1].words[0] & (N - 1);
for (size_t k = 0; k < 2 * r; k++) {
xor_block(&T[k], &B[k], &V[2 * r * j + k]);
@@ -131,16 +131,16 @@
}
}
-/* SCRYPT_PR_MAX is the maximum value of p * r. This is equivalent to the
- * bounds on p in section 6:
- *
- * p <= ((2^32-1) * hLen) / MFLen iff
- * p <= ((2^32-1) * 32) / (128 * r) iff
- * p * r <= (2^30-1) */
+// SCRYPT_PR_MAX is the maximum value of p * r. This is equivalent to the
+// bounds on p in section 6:
+//
+// p <= ((2^32-1) * hLen) / MFLen iff
+// p <= ((2^32-1) * 32) / (128 * r) iff
+// p * r <= (2^30-1)
#define SCRYPT_PR_MAX ((1 << 30) - 1)
-/* SCRYPT_MAX_MEM is the default maximum memory that may be allocated by
- * |EVP_PBE_scrypt|. */
+// SCRYPT_MAX_MEM is the default maximum memory that may be allocated by
+// |EVP_PBE_scrypt|.
#define SCRYPT_MAX_MEM (1024 * 1024 * 32)
int EVP_PBE_scrypt(const char *password, size_t password_len,
@@ -148,18 +148,18 @@
uint64_t p, size_t max_mem, uint8_t *out_key,
size_t key_len) {
if (r == 0 || p == 0 || p > SCRYPT_PR_MAX / r ||
- /* |N| must be a power of two. */
+ // |N| must be a power of two.
N < 2 || (N & (N - 1)) ||
- /* We only support |N| <= 2^32 in |scryptROMix|. */
+ // We only support |N| <= 2^32 in |scryptROMix|.
N > UINT64_C(1) << 32 ||
- /* Check that |N| < 2^(128×r / 8). */
+ // Check that |N| < 2^(128×r / 8).
(16 * r <= 63 && N >= UINT64_C(1) << (16 * r))) {
OPENSSL_PUT_ERROR(EVP, EVP_R_INVALID_PARAMETERS);
return 0;
}
- /* Determine the amount of memory needed. B, T, and V are |p|, 1, and |N|
- * scrypt blocks, respectively. Each scrypt block is 2*|r| |block_t|s. */
+ // Determine the amount of memory needed. B, T, and V are |p|, 1, and |N|
+ // scrypt blocks, respectively. Each scrypt block is 2*|r| |block_t|s.
if (max_mem == 0) {
max_mem = SCRYPT_MAX_MEM;
}
@@ -171,8 +171,8 @@
return 0;
}
- /* Allocate and divide up the scratch space. |max_mem| fits in a size_t, which
- * is no bigger than uint64_t, so none of these operations may overflow. */
+ // Allocate and divide up the scratch space. |max_mem| fits in a size_t, which
+ // is no bigger than uint64_t, so none of these operations may overflow.
OPENSSL_COMPILE_ASSERT(UINT64_MAX >= ((size_t)-1), size_t_exceeds_u64);
size_t B_blocks = p * 2 * r;
size_t B_bytes = B_blocks * sizeof(block_t);
diff --git a/src/crypto/ex_data.c b/src/crypto/ex_data.c
index 27b9a51..af7e7e2 100644
--- a/src/crypto/ex_data.c
+++ b/src/crypto/ex_data.c
@@ -124,8 +124,8 @@
DEFINE_STACK_OF(CRYPTO_EX_DATA_FUNCS)
struct crypto_ex_data_func_st {
- long argl; /* Arbitary long */
- void *argp; /* Arbitary void pointer */
+ long argl; // Arbitary long
+ void *argp; // Arbitary void pointer
CRYPTO_EX_free *free_func;
};
@@ -179,7 +179,7 @@
n = sk_void_num(ad->sk);
- /* Add NULL values until the stack is long enough. */
+ // Add NULL values until the stack is long enough.
for (i = n; i <= index; i++) {
if (!sk_void_push(ad->sk, NULL)) {
OPENSSL_PUT_ERROR(CRYPTO, ERR_R_MALLOC_FAILURE);
@@ -198,19 +198,19 @@
return sk_void_value(ad->sk, idx);
}
-/* get_func_pointers takes a copy of the CRYPTO_EX_DATA_FUNCS pointers, if any,
- * for the given class. If there are some pointers, it sets |*out| to point to
- * a fresh stack of them. Otherwise it sets |*out| to NULL. It returns one on
- * success or zero on error. */
+// get_func_pointers takes a copy of the CRYPTO_EX_DATA_FUNCS pointers, if any,
+// for the given class. If there are some pointers, it sets |*out| to point to
+// a fresh stack of them. Otherwise it sets |*out| to NULL. It returns one on
+// success or zero on error.
static int get_func_pointers(STACK_OF(CRYPTO_EX_DATA_FUNCS) **out,
CRYPTO_EX_DATA_CLASS *ex_data_class) {
size_t n;
*out = NULL;
- /* CRYPTO_EX_DATA_FUNCS structures are static once set, so we can take a
- * shallow copy of the list under lock and then use the structures without
- * the lock held. */
+ // CRYPTO_EX_DATA_FUNCS structures are static once set, so we can take a
+ // shallow copy of the list under lock and then use the structures without
+ // the lock held.
CRYPTO_STATIC_MUTEX_lock_read(&ex_data_class->lock);
n = sk_CRYPTO_EX_DATA_FUNCS_num(ex_data_class->meth);
if (n > 0) {
@@ -233,13 +233,13 @@
void CRYPTO_free_ex_data(CRYPTO_EX_DATA_CLASS *ex_data_class, void *obj,
CRYPTO_EX_DATA *ad) {
if (ad->sk == NULL) {
- /* Nothing to do. */
+ // Nothing to do.
return;
}
STACK_OF(CRYPTO_EX_DATA_FUNCS) *func_pointers;
if (!get_func_pointers(&func_pointers, ex_data_class)) {
- /* TODO(davidben): This leaks memory on malloc error. */
+ // TODO(davidben): This leaks memory on malloc error.
return;
}
diff --git a/src/crypto/fipsmodule/aes/aes.c b/src/crypto/fipsmodule/aes/aes.c
index c68a5d5..a988b39 100644
--- a/src/crypto/fipsmodule/aes/aes.c
+++ b/src/crypto/fipsmodule/aes/aes.c
@@ -59,16 +59,16 @@
#if defined(OPENSSL_NO_ASM) || \
(!defined(OPENSSL_X86) && !defined(OPENSSL_X86_64) && !defined(OPENSSL_ARM))
-/* Te0[x] = S [x].[02, 01, 01, 03];
- * Te1[x] = S [x].[03, 02, 01, 01];
- * Te2[x] = S [x].[01, 03, 02, 01];
- * Te3[x] = S [x].[01, 01, 03, 02];
- *
- * Td0[x] = Si[x].[0e, 09, 0d, 0b];
- * Td1[x] = Si[x].[0b, 0e, 09, 0d];
- * Td2[x] = Si[x].[0d, 0b, 0e, 09];
- * Td3[x] = Si[x].[09, 0d, 0b, 0e];
- * Td4[x] = Si[x].[01]; */
+// Te0[x] = S [x].[02, 01, 01, 03];
+// Te1[x] = S [x].[03, 02, 01, 01];
+// Te2[x] = S [x].[01, 03, 02, 01];
+// Te3[x] = S [x].[01, 01, 03, 02];
+//
+// Td0[x] = Si[x].[0e, 09, 0d, 0b];
+// Td1[x] = Si[x].[0b, 0e, 09, 0d];
+// Td2[x] = Si[x].[0d, 0b, 0e, 09];
+// Td3[x] = Si[x].[09, 0d, 0b, 0e];
+// Td4[x] = Si[x].[01];
static const uint32_t Te0[256] = {
0xc66363a5U, 0xf87c7c84U, 0xee777799U, 0xf67b7b8dU, 0xfff2f20dU,
@@ -531,7 +531,7 @@
static const uint32_t rcon[] = {
0x01000000, 0x02000000, 0x04000000, 0x08000000, 0x10000000,
0x20000000, 0x40000000, 0x80000000, 0x1B000000, 0x36000000,
- /* for 128-bit blocks, Rijndael never uses more than 10 rcon values */
+ // for 128-bit blocks, Rijndael never uses more than 10 rcon values
};
int AES_set_encrypt_key(const uint8_t *key, unsigned bits, AES_KEY *aeskey) {
@@ -634,7 +634,7 @@
int i, j, status;
uint32_t temp;
- /* first, start with an encryption schedule */
+ // first, start with an encryption schedule
status = AES_set_encrypt_key(key, bits, aeskey);
if (status < 0) {
return status;
@@ -642,7 +642,7 @@
rk = aeskey->rd_key;
- /* invert the order of the round keys: */
+ // invert the order of the round keys:
for (i = 0, j = 4 * aeskey->rounds; i < j; i += 4, j -= 4) {
temp = rk[i];
rk[i] = rk[j];
@@ -657,8 +657,8 @@
rk[i + 3] = rk[j + 3];
rk[j + 3] = temp;
}
- /* apply the inverse MixColumn transform to all round keys but the first and
- * the last: */
+ // apply the inverse MixColumn transform to all round keys but the first and
+ // the last:
for (i = 1; i < (int)aeskey->rounds; i++) {
rk += 4;
rk[0] =
@@ -682,19 +682,19 @@
uint32_t s0, s1, s2, s3, t0, t1, t2, t3;
#ifndef FULL_UNROLL
int r;
-#endif /* ?FULL_UNROLL */
+#endif // ?FULL_UNROLL
assert(in && out && key);
rk = key->rd_key;
- /* map byte array block to cipher state
- * and add initial round key: */
+ // map byte array block to cipher state
+ // and add initial round key:
s0 = GETU32(in) ^ rk[0];
s1 = GETU32(in + 4) ^ rk[1];
s2 = GETU32(in + 8) ^ rk[2];
s3 = GETU32(in + 12) ^ rk[3];
#ifdef FULL_UNROLL
- /* round 1: */
+ // round 1:
t0 = Te0[s0 >> 24] ^ Te1[(s1 >> 16) & 0xff] ^ Te2[(s2 >> 8) & 0xff] ^
Te3[s3 & 0xff] ^ rk[4];
t1 = Te0[s1 >> 24] ^ Te1[(s2 >> 16) & 0xff] ^ Te2[(s3 >> 8) & 0xff] ^
@@ -703,7 +703,7 @@
Te3[s1 & 0xff] ^ rk[6];
t3 = Te0[s3 >> 24] ^ Te1[(s0 >> 16) & 0xff] ^ Te2[(s1 >> 8) & 0xff] ^
Te3[s2 & 0xff] ^ rk[7];
- /* round 2: */
+ // round 2:
s0 = Te0[t0 >> 24] ^ Te1[(t1 >> 16) & 0xff] ^ Te2[(t2 >> 8) & 0xff] ^
Te3[t3 & 0xff] ^ rk[8];
s1 = Te0[t1 >> 24] ^ Te1[(t2 >> 16) & 0xff] ^ Te2[(t3 >> 8) & 0xff] ^
@@ -712,7 +712,7 @@
Te3[t1 & 0xff] ^ rk[10];
s3 = Te0[t3 >> 24] ^ Te1[(t0 >> 16) & 0xff] ^ Te2[(t1 >> 8) & 0xff] ^
Te3[t2 & 0xff] ^ rk[11];
- /* round 3: */
+ // round 3:
t0 = Te0[s0 >> 24] ^ Te1[(s1 >> 16) & 0xff] ^ Te2[(s2 >> 8) & 0xff] ^
Te3[s3 & 0xff] ^ rk[12];
t1 = Te0[s1 >> 24] ^ Te1[(s2 >> 16) & 0xff] ^ Te2[(s3 >> 8) & 0xff] ^
@@ -721,7 +721,7 @@
Te3[s1 & 0xff] ^ rk[14];
t3 = Te0[s3 >> 24] ^ Te1[(s0 >> 16) & 0xff] ^ Te2[(s1 >> 8) & 0xff] ^
Te3[s2 & 0xff] ^ rk[15];
- /* round 4: */
+ // round 4:
s0 = Te0[t0 >> 24] ^ Te1[(t1 >> 16) & 0xff] ^ Te2[(t2 >> 8) & 0xff] ^
Te3[t3 & 0xff] ^ rk[16];
s1 = Te0[t1 >> 24] ^ Te1[(t2 >> 16) & 0xff] ^ Te2[(t3 >> 8) & 0xff] ^
@@ -730,7 +730,7 @@
Te3[t1 & 0xff] ^ rk[18];
s3 = Te0[t3 >> 24] ^ Te1[(t0 >> 16) & 0xff] ^ Te2[(t1 >> 8) & 0xff] ^
Te3[t2 & 0xff] ^ rk[19];
- /* round 5: */
+ // round 5:
t0 = Te0[s0 >> 24] ^ Te1[(s1 >> 16) & 0xff] ^ Te2[(s2 >> 8) & 0xff] ^
Te3[s3 & 0xff] ^ rk[20];
t1 = Te0[s1 >> 24] ^ Te1[(s2 >> 16) & 0xff] ^ Te2[(s3 >> 8) & 0xff] ^
@@ -739,7 +739,7 @@
Te3[s1 & 0xff] ^ rk[22];
t3 = Te0[s3 >> 24] ^ Te1[(s0 >> 16) & 0xff] ^ Te2[(s1 >> 8) & 0xff] ^
Te3[s2 & 0xff] ^ rk[23];
- /* round 6: */
+ // round 6:
s0 = Te0[t0 >> 24] ^ Te1[(t1 >> 16) & 0xff] ^ Te2[(t2 >> 8) & 0xff] ^
Te3[t3 & 0xff] ^ rk[24];
s1 = Te0[t1 >> 24] ^ Te1[(t2 >> 16) & 0xff] ^ Te2[(t3 >> 8) & 0xff] ^
@@ -748,7 +748,7 @@
Te3[t1 & 0xff] ^ rk[26];
s3 = Te0[t3 >> 24] ^ Te1[(t0 >> 16) & 0xff] ^ Te2[(t1 >> 8) & 0xff] ^
Te3[t2 & 0xff] ^ rk[27];
- /* round 7: */
+ // round 7:
t0 = Te0[s0 >> 24] ^ Te1[(s1 >> 16) & 0xff] ^ Te2[(s2 >> 8) & 0xff] ^
Te3[s3 & 0xff] ^ rk[28];
t1 = Te0[s1 >> 24] ^ Te1[(s2 >> 16) & 0xff] ^ Te2[(s3 >> 8) & 0xff] ^
@@ -757,7 +757,7 @@
Te3[s1 & 0xff] ^ rk[30];
t3 = Te0[s3 >> 24] ^ Te1[(s0 >> 16) & 0xff] ^ Te2[(s1 >> 8) & 0xff] ^
Te3[s2 & 0xff] ^ rk[31];
- /* round 8: */
+ // round 8:
s0 = Te0[t0 >> 24] ^ Te1[(t1 >> 16) & 0xff] ^ Te2[(t2 >> 8) & 0xff] ^
Te3[t3 & 0xff] ^ rk[32];
s1 = Te0[t1 >> 24] ^ Te1[(t2 >> 16) & 0xff] ^ Te2[(t3 >> 8) & 0xff] ^
@@ -766,7 +766,7 @@
Te3[t1 & 0xff] ^ rk[34];
s3 = Te0[t3 >> 24] ^ Te1[(t0 >> 16) & 0xff] ^ Te2[(t1 >> 8) & 0xff] ^
Te3[t2 & 0xff] ^ rk[35];
- /* round 9: */
+ // round 9:
t0 = Te0[s0 >> 24] ^ Te1[(s1 >> 16) & 0xff] ^ Te2[(s2 >> 8) & 0xff] ^
Te3[s3 & 0xff] ^ rk[36];
t1 = Te0[s1 >> 24] ^ Te1[(s2 >> 16) & 0xff] ^ Te2[(s3 >> 8) & 0xff] ^
@@ -776,7 +776,7 @@
t3 = Te0[s3 >> 24] ^ Te1[(s0 >> 16) & 0xff] ^ Te2[(s1 >> 8) & 0xff] ^
Te3[s2 & 0xff] ^ rk[39];
if (key->rounds > 10) {
- /* round 10: */
+ // round 10:
s0 = Te0[t0 >> 24] ^ Te1[(t1 >> 16) & 0xff] ^ Te2[(t2 >> 8) & 0xff] ^
Te3[t3 & 0xff] ^ rk[40];
s1 = Te0[t1 >> 24] ^ Te1[(t2 >> 16) & 0xff] ^ Te2[(t3 >> 8) & 0xff] ^
@@ -785,7 +785,7 @@
Te3[t1 & 0xff] ^ rk[42];
s3 = Te0[t3 >> 24] ^ Te1[(t0 >> 16) & 0xff] ^ Te2[(t1 >> 8) & 0xff] ^
Te3[t2 & 0xff] ^ rk[43];
- /* round 11: */
+ // round 11:
t0 = Te0[s0 >> 24] ^ Te1[(s1 >> 16) & 0xff] ^ Te2[(s2 >> 8) & 0xff] ^
Te3[s3 & 0xff] ^ rk[44];
t1 = Te0[s1 >> 24] ^ Te1[(s2 >> 16) & 0xff] ^ Te2[(s3 >> 8) & 0xff] ^
@@ -795,7 +795,7 @@
t3 = Te0[s3 >> 24] ^ Te1[(s0 >> 16) & 0xff] ^ Te2[(s1 >> 8) & 0xff] ^
Te3[s2 & 0xff] ^ rk[47];
if (key->rounds > 12) {
- /* round 12: */
+ // round 12:
s0 = Te0[t0 >> 24] ^ Te1[(t1 >> 16) & 0xff] ^ Te2[(t2 >> 8) & 0xff] ^
Te3[t3 & 0xff] ^ rk[48];
s1 = Te0[t1 >> 24] ^ Te1[(t2 >> 16) & 0xff] ^ Te2[(t3 >> 8) & 0xff] ^
@@ -804,7 +804,7 @@
Te3[t1 & 0xff] ^ rk[50];
s3 = Te0[t3 >> 24] ^ Te1[(t0 >> 16) & 0xff] ^ Te2[(t1 >> 8) & 0xff] ^
Te3[t2 & 0xff] ^ rk[51];
- /* round 13: */
+ // round 13:
t0 = Te0[s0 >> 24] ^ Te1[(s1 >> 16) & 0xff] ^ Te2[(s2 >> 8) & 0xff] ^
Te3[s3 & 0xff] ^ rk[52];
t1 = Te0[s1 >> 24] ^ Te1[(s2 >> 16) & 0xff] ^ Te2[(s3 >> 8) & 0xff] ^
@@ -816,10 +816,8 @@
}
}
rk += key->rounds << 2;
-#else /* !FULL_UNROLL */
- /*
- * Nr - 1 full rounds:
- */
+#else // !FULL_UNROLL
+ // Nr - 1 full rounds:
r = key->rounds >> 1;
for (;;) {
t0 = Te0[(s0 >> 24)] ^ Te1[(s1 >> 16) & 0xff] ^ Te2[(s2 >> 8) & 0xff] ^
@@ -845,8 +843,8 @@
s3 = Te0[(t3 >> 24)] ^ Te1[(t0 >> 16) & 0xff] ^ Te2[(t1 >> 8) & 0xff] ^
Te3[(t2) & 0xff] ^ rk[3];
}
-#endif /* ?FULL_UNROLL */
- /* apply last round and map cipher state to byte array block: */
+#endif // ?FULL_UNROLL
+ // apply last round and map cipher state to byte array block:
s0 = (Te2[(t0 >> 24)] & 0xff000000) ^ (Te3[(t1 >> 16) & 0xff] & 0x00ff0000) ^
(Te0[(t2 >> 8) & 0xff] & 0x0000ff00) ^ (Te1[(t3) & 0xff] & 0x000000ff) ^
rk[0];
@@ -870,19 +868,19 @@
uint32_t s0, s1, s2, s3, t0, t1, t2, t3;
#ifndef FULL_UNROLL
int r;
-#endif /* ?FULL_UNROLL */
+#endif // ?FULL_UNROLL
assert(in && out && key);
rk = key->rd_key;
- /* map byte array block to cipher state
- * and add initial round key: */
+ // map byte array block to cipher state
+ // and add initial round key:
s0 = GETU32(in) ^ rk[0];
s1 = GETU32(in + 4) ^ rk[1];
s2 = GETU32(in + 8) ^ rk[2];
s3 = GETU32(in + 12) ^ rk[3];
#ifdef FULL_UNROLL
- /* round 1: */
+ // round 1:
t0 = Td0[s0 >> 24] ^ Td1[(s3 >> 16) & 0xff] ^ Td2[(s2 >> 8) & 0xff] ^
Td3[s1 & 0xff] ^ rk[4];
t1 = Td0[s1 >> 24] ^ Td1[(s0 >> 16) & 0xff] ^ Td2[(s3 >> 8) & 0xff] ^
@@ -891,7 +889,7 @@
Td3[s3 & 0xff] ^ rk[6];
t3 = Td0[s3 >> 24] ^ Td1[(s2 >> 16) & 0xff] ^ Td2[(s1 >> 8) & 0xff] ^
Td3[s0 & 0xff] ^ rk[7];
- /* round 2: */
+ // round 2:
s0 = Td0[t0 >> 24] ^ Td1[(t3 >> 16) & 0xff] ^ Td2[(t2 >> 8) & 0xff] ^
Td3[t1 & 0xff] ^ rk[8];
s1 = Td0[t1 >> 24] ^ Td1[(t0 >> 16) & 0xff] ^ Td2[(t3 >> 8) & 0xff] ^
@@ -900,7 +898,7 @@
Td3[t3 & 0xff] ^ rk[10];
s3 = Td0[t3 >> 24] ^ Td1[(t2 >> 16) & 0xff] ^ Td2[(t1 >> 8) & 0xff] ^
Td3[t0 & 0xff] ^ rk[11];
- /* round 3: */
+ // round 3:
t0 = Td0[s0 >> 24] ^ Td1[(s3 >> 16) & 0xff] ^ Td2[(s2 >> 8) & 0xff] ^
Td3[s1 & 0xff] ^ rk[12];
t1 = Td0[s1 >> 24] ^ Td1[(s0 >> 16) & 0xff] ^ Td2[(s3 >> 8) & 0xff] ^
@@ -909,7 +907,7 @@
Td3[s3 & 0xff] ^ rk[14];
t3 = Td0[s3 >> 24] ^ Td1[(s2 >> 16) & 0xff] ^ Td2[(s1 >> 8) & 0xff] ^
Td3[s0 & 0xff] ^ rk[15];
- /* round 4: */
+ // round 4:
s0 = Td0[t0 >> 24] ^ Td1[(t3 >> 16) & 0xff] ^ Td2[(t2 >> 8) & 0xff] ^
Td3[t1 & 0xff] ^ rk[16];
s1 = Td0[t1 >> 24] ^ Td1[(t0 >> 16) & 0xff] ^ Td2[(t3 >> 8) & 0xff] ^
@@ -918,7 +916,7 @@
Td3[t3 & 0xff] ^ rk[18];
s3 = Td0[t3 >> 24] ^ Td1[(t2 >> 16) & 0xff] ^ Td2[(t1 >> 8) & 0xff] ^
Td3[t0 & 0xff] ^ rk[19];
- /* round 5: */
+ // round 5:
t0 = Td0[s0 >> 24] ^ Td1[(s3 >> 16) & 0xff] ^ Td2[(s2 >> 8) & 0xff] ^
Td3[s1 & 0xff] ^ rk[20];
t1 = Td0[s1 >> 24] ^ Td1[(s0 >> 16) & 0xff] ^ Td2[(s3 >> 8) & 0xff] ^
@@ -927,7 +925,7 @@
Td3[s3 & 0xff] ^ rk[22];
t3 = Td0[s3 >> 24] ^ Td1[(s2 >> 16) & 0xff] ^ Td2[(s1 >> 8) & 0xff] ^
Td3[s0 & 0xff] ^ rk[23];
- /* round 6: */
+ // round 6:
s0 = Td0[t0 >> 24] ^ Td1[(t3 >> 16) & 0xff] ^ Td2[(t2 >> 8) & 0xff] ^
Td3[t1 & 0xff] ^ rk[24];
s1 = Td0[t1 >> 24] ^ Td1[(t0 >> 16) & 0xff] ^ Td2[(t3 >> 8) & 0xff] ^
@@ -936,7 +934,7 @@
Td3[t3 & 0xff] ^ rk[26];
s3 = Td0[t3 >> 24] ^ Td1[(t2 >> 16) & 0xff] ^ Td2[(t1 >> 8) & 0xff] ^
Td3[t0 & 0xff] ^ rk[27];
- /* round 7: */
+ // round 7:
t0 = Td0[s0 >> 24] ^ Td1[(s3 >> 16) & 0xff] ^ Td2[(s2 >> 8) & 0xff] ^
Td3[s1 & 0xff] ^ rk[28];
t1 = Td0[s1 >> 24] ^ Td1[(s0 >> 16) & 0xff] ^ Td2[(s3 >> 8) & 0xff] ^
@@ -945,7 +943,7 @@
Td3[s3 & 0xff] ^ rk[30];
t3 = Td0[s3 >> 24] ^ Td1[(s2 >> 16) & 0xff] ^ Td2[(s1 >> 8) & 0xff] ^
Td3[s0 & 0xff] ^ rk[31];
- /* round 8: */
+ // round 8:
s0 = Td0[t0 >> 24] ^ Td1[(t3 >> 16) & 0xff] ^ Td2[(t2 >> 8) & 0xff] ^
Td3[t1 & 0xff] ^ rk[32];
s1 = Td0[t1 >> 24] ^ Td1[(t0 >> 16) & 0xff] ^ Td2[(t3 >> 8) & 0xff] ^
@@ -954,7 +952,7 @@
Td3[t3 & 0xff] ^ rk[34];
s3 = Td0[t3 >> 24] ^ Td1[(t2 >> 16) & 0xff] ^ Td2[(t1 >> 8) & 0xff] ^
Td3[t0 & 0xff] ^ rk[35];
- /* round 9: */
+ // round 9:
t0 = Td0[s0 >> 24] ^ Td1[(s3 >> 16) & 0xff] ^ Td2[(s2 >> 8) & 0xff] ^
Td3[s1 & 0xff] ^ rk[36];
t1 = Td0[s1 >> 24] ^ Td1[(s0 >> 16) & 0xff] ^ Td2[(s3 >> 8) & 0xff] ^
@@ -964,7 +962,7 @@
t3 = Td0[s3 >> 24] ^ Td1[(s2 >> 16) & 0xff] ^ Td2[(s1 >> 8) & 0xff] ^
Td3[s0 & 0xff] ^ rk[39];
if (key->rounds > 10) {
- /* round 10: */
+ // round 10:
s0 = Td0[t0 >> 24] ^ Td1[(t3 >> 16) & 0xff] ^ Td2[(t2 >> 8) & 0xff] ^
Td3[t1 & 0xff] ^ rk[40];
s1 = Td0[t1 >> 24] ^ Td1[(t0 >> 16) & 0xff] ^ Td2[(t3 >> 8) & 0xff] ^
@@ -973,7 +971,7 @@
Td3[t3 & 0xff] ^ rk[42];
s3 = Td0[t3 >> 24] ^ Td1[(t2 >> 16) & 0xff] ^ Td2[(t1 >> 8) & 0xff] ^
Td3[t0 & 0xff] ^ rk[43];
- /* round 11: */
+ // round 11:
t0 = Td0[s0 >> 24] ^ Td1[(s3 >> 16) & 0xff] ^ Td2[(s2 >> 8) & 0xff] ^
Td3[s1 & 0xff] ^ rk[44];
t1 = Td0[s1 >> 24] ^ Td1[(s0 >> 16) & 0xff] ^ Td2[(s3 >> 8) & 0xff] ^
@@ -983,7 +981,7 @@
t3 = Td0[s3 >> 24] ^ Td1[(s2 >> 16) & 0xff] ^ Td2[(s1 >> 8) & 0xff] ^
Td3[s0 & 0xff] ^ rk[47];
if (key->rounds > 12) {
- /* round 12: */
+ // round 12:
s0 = Td0[t0 >> 24] ^ Td1[(t3 >> 16) & 0xff] ^ Td2[(t2 >> 8) & 0xff] ^
Td3[t1 & 0xff] ^ rk[48];
s1 = Td0[t1 >> 24] ^ Td1[(t0 >> 16) & 0xff] ^ Td2[(t3 >> 8) & 0xff] ^
@@ -992,7 +990,7 @@
Td3[t3 & 0xff] ^ rk[50];
s3 = Td0[t3 >> 24] ^ Td1[(t2 >> 16) & 0xff] ^ Td2[(t1 >> 8) & 0xff] ^
Td3[t0 & 0xff] ^ rk[51];
- /* round 13: */
+ // round 13:
t0 = Td0[s0 >> 24] ^ Td1[(s3 >> 16) & 0xff] ^ Td2[(s2 >> 8) & 0xff] ^
Td3[s1 & 0xff] ^ rk[52];
t1 = Td0[s1 >> 24] ^ Td1[(s0 >> 16) & 0xff] ^ Td2[(s3 >> 8) & 0xff] ^
@@ -1004,10 +1002,8 @@
}
}
rk += key->rounds << 2;
-#else /* !FULL_UNROLL */
- /*
- * Nr - 1 full rounds:
- */
+#else // !FULL_UNROLL
+ // Nr - 1 full rounds:
r = key->rounds >> 1;
for (;;) {
t0 = Td0[(s0 >> 24)] ^ Td1[(s3 >> 16) & 0xff] ^ Td2[(s2 >> 8) & 0xff] ^
@@ -1033,9 +1029,9 @@
s3 = Td0[(t3 >> 24)] ^ Td1[(t2 >> 16) & 0xff] ^ Td2[(t1 >> 8) & 0xff] ^
Td3[(t0) & 0xff] ^ rk[3];
}
-#endif /* ?FULL_UNROLL */
- /* apply last round and
- * map cipher state to byte array block: */
+#endif // ?FULL_UNROLL
+ // apply last round and
+ // map cipher state to byte array block:
s0 = ((uint32_t)Td4[(t0 >> 24)] << 24) ^
((uint32_t)Td4[(t3 >> 16) & 0xff] << 16) ^
((uint32_t)Td4[(t2 >> 8) & 0xff] << 8) ^
@@ -1060,10 +1056,10 @@
#else
-/* In this case several functions are provided by asm code. However, one cannot
- * control asm symbol visibility with command line flags and such so they are
- * always hidden and wrapped by these C functions, which can be so
- * controlled. */
+// In this case several functions are provided by asm code. However, one cannot
+// control asm symbol visibility with command line flags and such so they are
+// always hidden and wrapped by these C functions, which can be so
+// controlled.
void asm_AES_encrypt(const uint8_t *in, uint8_t *out, const AES_KEY *key);
void AES_encrypt(const uint8_t *in, uint8_t *out, const AES_KEY *key) {
@@ -1101,4 +1097,4 @@
}
}
-#endif /* OPENSSL_NO_ASM || (!OPENSSL_X86 && !OPENSSL_X86_64 && !OPENSSL_ARM) */
+#endif // OPENSSL_NO_ASM || (!OPENSSL_X86 && !OPENSSL_X86_64 && !OPENSSL_ARM)
diff --git a/src/crypto/fipsmodule/aes/internal.h b/src/crypto/fipsmodule/aes/internal.h
index 01cff84..45db9ee 100644
--- a/src/crypto/fipsmodule/aes/internal.h
+++ b/src/crypto/fipsmodule/aes/internal.h
@@ -30,7 +30,7 @@
static int hwaes_capable(void) {
return CRYPTO_is_ARMv8_AES_capable();
}
-#endif /* !NO_ASM && (AES || AARCH64) */
+#endif // !NO_ASM && (AES || AARCH64)
#if !defined(OPENSSL_NO_ASM) && defined(OPENSSL_PPC64LE)
#define HWAES
@@ -38,7 +38,7 @@
static int hwaes_capable(void) {
return CRYPTO_is_PPC64LE_vcrypto_capable();
}
-#endif /* !NO_ASM && PPC64LE */
+#endif // !NO_ASM && PPC64LE
#if defined(HWAES)
@@ -56,8 +56,8 @@
#else
-/* If HWAES isn't defined then we provide dummy functions for each of the hwaes
- * functions. */
+// If HWAES isn't defined then we provide dummy functions for each of the hwaes
+// functions.
static int hwaes_capable(void) { return 0; }
static int aes_hw_set_encrypt_key(const uint8_t *user_key, int bits,
@@ -91,10 +91,10 @@
abort();
}
-#endif /* !HWAES */
+#endif // !HWAES
#if defined(__cplusplus)
-} /* extern C */
+} // extern C
#endif
-#endif /* OPENSSL_HEADER_AES_INTERNAL_H */
+#endif // OPENSSL_HEADER_AES_INTERNAL_H
diff --git a/src/crypto/fipsmodule/aes/key_wrap.c b/src/crypto/fipsmodule/aes/key_wrap.c
index 73de17f..feee0c7 100644
--- a/src/crypto/fipsmodule/aes/key_wrap.c
+++ b/src/crypto/fipsmodule/aes/key_wrap.c
@@ -56,7 +56,7 @@
#include "../../internal.h"
-/* kDefaultIV is the default IV value given in RFC 3394, 2.2.3.1. */
+// kDefaultIV is the default IV value given in RFC 3394, 2.2.3.1.
static const uint8_t kDefaultIV[] = {
0xa6, 0xa6, 0xa6, 0xa6, 0xa6, 0xa6, 0xa6, 0xa6,
};
@@ -65,7 +65,7 @@
int AES_wrap_key(const AES_KEY *key, const uint8_t *iv, uint8_t *out,
const uint8_t *in, size_t in_len) {
- /* See RFC 3394, section 2.2.1. */
+ // See RFC 3394, section 2.2.1.
if (in_len > INT_MAX - 8 || in_len < 8 || in_len % 8 != 0) {
return -1;
@@ -101,7 +101,7 @@
int AES_unwrap_key(const AES_KEY *key, const uint8_t *iv, uint8_t *out,
const uint8_t *in, size_t in_len) {
- /* See RFC 3394, section 2.2.2. */
+ // See RFC 3394, section 2.2.2.
if (in_len > INT_MAX || in_len < 16 || in_len % 8 != 0) {
return -1;
diff --git a/src/crypto/fipsmodule/aes/mode_wrappers.c b/src/crypto/fipsmodule/aes/mode_wrappers.c
index 4929920..34514db 100644
--- a/src/crypto/fipsmodule/aes/mode_wrappers.c
+++ b/src/crypto/fipsmodule/aes/mode_wrappers.c
@@ -92,7 +92,7 @@
asm_AES_cbc_encrypt(in, out, len, key, ivec, enc);
}
-#endif /* OPENSSL_NO_ASM || (!OPENSSL_X86_64 && !OPENSSL_X86) */
+#endif // OPENSSL_NO_ASM || (!OPENSSL_X86_64 && !OPENSSL_X86)
void AES_ofb128_encrypt(const uint8_t *in, uint8_t *out, size_t length,
const AES_KEY *key, uint8_t *ivec, int *num) {
diff --git a/src/crypto/fipsmodule/bcm.c b/src/crypto/fipsmodule/bcm.c
index c6ea796..b506b43 100644
--- a/src/crypto/fipsmodule/bcm.c
+++ b/src/crypto/fipsmodule/bcm.c
@@ -13,7 +13,7 @@
* CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. */
#if !defined(_GNU_SOURCE)
-#define _GNU_SOURCE /* needed for syscall() on Linux. */
+#define _GNU_SOURCE // needed for syscall() on Linux.
#endif
#include <openssl/aead.h>
@@ -145,7 +145,7 @@
0xa7, 0x10, 0x93, 0x43, 0x53, 0x4e, 0xe3, 0x16, 0x73, 0x55, 0xce, 0xf2,
0x94, 0xc0, 0xbe, 0xb3,
};
- static const uint8_t kE[] = {0x01, 0x00, 0x01}; /* 65537 */
+ static const uint8_t kE[] = {0x01, 0x00, 0x01}; // 65537
static const uint8_t kD[] = {
0x2f, 0x2c, 0x1e, 0xd2, 0x3d, 0x2c, 0xb1, 0x9b, 0x21, 0x02, 0xce, 0xb8,
0x95, 0x5f, 0x4f, 0xd9, 0x21, 0x38, 0x11, 0x36, 0xb0, 0x9a, 0x36, 0xab,
@@ -288,8 +288,8 @@
}
#if !defined(OPENSSL_ASAN)
-/* These symbols are filled in by delocate.go. They point to the start and end
- * of the module, and the location of the integrity hash, respectively. */
+// These symbols are filled in by delocate.go. They point to the start and end
+// of the module, and the location of the integrity hash, respectively.
extern const uint8_t BORINGSSL_bcm_text_start[];
extern const uint8_t BORINGSSL_bcm_text_end[];
extern const uint8_t BORINGSSL_bcm_text_hash[];
@@ -300,8 +300,8 @@
CRYPTO_library_init();
#if !defined(OPENSSL_ASAN)
- /* Integrity tests cannot run under ASAN because it involves reading the full
- * .text section, which triggers the global-buffer overflow detection. */
+ // Integrity tests cannot run under ASAN because it involves reading the full
+ // .text section, which triggers the global-buffer overflow detection.
const uint8_t *const start = BORINGSSL_bcm_text_start;
const uint8_t *const end = BORINGSSL_bcm_text_end;
@@ -478,7 +478,7 @@
uint8_t aes_iv[16];
uint8_t output[256];
- /* AES-CBC Encryption KAT */
+ // AES-CBC Encryption KAT
memcpy(aes_iv, kAESIV, sizeof(kAESIV));
if (AES_set_encrypt_key(kAESKey, 8 * sizeof(kAESKey), &aes_key) != 0) {
goto err;
@@ -490,7 +490,7 @@
goto err;
}
- /* AES-CBC Decryption KAT */
+ // AES-CBC Decryption KAT
memcpy(aes_iv, kAESIV, sizeof(kAESIV));
if (AES_set_decrypt_key(kAESKey, 8 * sizeof(kAESKey), &aes_key) != 0) {
goto err;
@@ -511,7 +511,7 @@
goto err;
}
- /* AES-GCM Encryption KAT */
+ // AES-GCM Encryption KAT
if (!EVP_AEAD_CTX_seal(&aead_ctx, output, &out_len, sizeof(output), nonce,
EVP_AEAD_nonce_length(EVP_aead_aes_128_gcm()),
kPlaintext, sizeof(kPlaintext), NULL, 0) ||
@@ -520,7 +520,7 @@
goto err;
}
- /* AES-GCM Decryption KAT */
+ // AES-GCM Decryption KAT
if (!EVP_AEAD_CTX_open(&aead_ctx, output, &out_len, sizeof(output), nonce,
EVP_AEAD_nonce_length(EVP_aead_aes_128_gcm()),
kAESGCMCiphertext, sizeof(kAESGCMCiphertext), NULL,
@@ -538,7 +538,7 @@
DES_set_key(&kDESKey2, &des2);
DES_set_key(&kDESKey3, &des3);
- /* 3DES Encryption KAT */
+ // 3DES Encryption KAT
memcpy(&des_iv, &kDESIV, sizeof(des_iv));
DES_ede3_cbc_encrypt(kPlaintext, output, sizeof(kPlaintext), &des1, &des2,
&des3, &des_iv, DES_ENCRYPT);
@@ -547,7 +547,7 @@
goto err;
}
- /* 3DES Decryption KAT */
+ // 3DES Decryption KAT
memcpy(&des_iv, &kDESIV, sizeof(des_iv));
DES_ede3_cbc_encrypt(kDESCiphertext, output, sizeof(kDESCiphertext), &des1,
&des2, &des3, &des_iv, DES_DECRYPT);
@@ -556,21 +556,21 @@
goto err;
}
- /* SHA-1 KAT */
+ // SHA-1 KAT
SHA1(kPlaintext, sizeof(kPlaintext), output);
if (!check_test(kPlaintextSHA1, output, sizeof(kPlaintextSHA1),
"SHA-1 KAT")) {
goto err;
}
- /* SHA-256 KAT */
+ // SHA-256 KAT
SHA256(kPlaintext, sizeof(kPlaintext), output);
if (!check_test(kPlaintextSHA256, output, sizeof(kPlaintextSHA256),
"SHA-256 KAT")) {
goto err;
}
- /* SHA-512 KAT */
+ // SHA-512 KAT
SHA512(kPlaintext, sizeof(kPlaintext), output);
if (!check_test(kPlaintextSHA512, output, sizeof(kPlaintextSHA512),
"SHA-512 KAT")) {
@@ -583,11 +583,11 @@
goto err;
}
- /* RSA Sign KAT */
+ // RSA Sign KAT
unsigned sig_len;
- /* Disable blinding for the power-on tests because it's not needed and
- * triggers an entropy draw. */
+ // Disable blinding for the power-on tests because it's not needed and
+ // triggers an entropy draw.
rsa_key->flags |= RSA_FLAG_NO_BLINDING;
if (!RSA_sign(NID_sha256, kPlaintextSHA256, sizeof(kPlaintextSHA256), output,
@@ -597,7 +597,7 @@
goto err;
}
- /* RSA Verify KAT */
+ // RSA Verify KAT
if (!RSA_verify(NID_sha256, kPlaintextSHA256, sizeof(kPlaintextSHA256),
kRSASignature, sizeof(kRSASignature), rsa_key)) {
printf("RSA Verify KAT failed.\n");
@@ -612,9 +612,9 @@
goto err;
}
- /* ECDSA Sign/Verify PWCT */
+ // ECDSA Sign/Verify PWCT
- /* The 'k' value for ECDSA is fixed to avoid an entropy draw. */
+ // The 'k' value for ECDSA is fixed to avoid an entropy draw.
ec_key->fixed_k = BN_new();
if (ec_key->fixed_k == NULL ||
!BN_set_word(ec_key->fixed_k, 42)) {
@@ -641,7 +641,7 @@
ECDSA_SIG_free(sig);
EC_KEY_free(ec_key);
- /* DBRG KAT */
+ // DBRG KAT
CTR_DRBG_STATE drbg;
if (!CTR_DRBG_init(&drbg, kDRBGEntropy, kDRBGPersonalization,
sizeof(kDRBGPersonalization)) ||
@@ -676,4 +676,4 @@
exit(1);
}
}
-#endif /* BORINGSSL_FIPS */
+#endif // BORINGSSL_FIPS
diff --git a/src/crypto/fipsmodule/bn/add.c b/src/crypto/fipsmodule/bn/add.c
index 5848543..bbe275e 100644
--- a/src/crypto/fipsmodule/bn/add.c
+++ b/src/crypto/fipsmodule/bn/add.c
@@ -68,20 +68,19 @@
const BIGNUM *tmp;
int a_neg = a->neg, ret;
- /* a + b a+b
- * a + -b a-b
- * -a + b b-a
- * -a + -b -(a+b)
- */
+ // a + b a+b
+ // a + -b a-b
+ // -a + b b-a
+ // -a + -b -(a+b)
if (a_neg ^ b->neg) {
- /* only one is negative */
+ // only one is negative
if (a_neg) {
tmp = a;
a = b;
b = tmp;
}
- /* we are now a - b */
+ // we are now a - b
if (BN_ucmp(a, b) < 0) {
if (!BN_usub(r, b, a)) {
return 0;
@@ -142,7 +141,7 @@
}
}
if (carry) {
- /* carry != 0 => dif == 0 */
+ // carry != 0 => dif == 0
*rp = 1;
r->top++;
}
@@ -150,7 +149,7 @@
if (dif && rp != ap) {
while (dif--) {
- /* copy remaining words if ap != rp */
+ // copy remaining words if ap != rp
*(rp++) = *(ap++);
}
}
@@ -165,17 +164,17 @@
w &= BN_MASK2;
- /* degenerate case: w is zero */
+ // degenerate case: w is zero
if (!w) {
return 1;
}
- /* degenerate case: a is zero */
+ // degenerate case: a is zero
if (BN_is_zero(a)) {
return BN_set_word(a, w);
}
- /* handle 'a' when negative */
+ // handle 'a' when negative
if (a->neg) {
a->neg = 0;
i = BN_sub_word(a, w);
@@ -206,11 +205,10 @@
int add = 0, neg = 0;
const BIGNUM *tmp;
- /* a - b a-b
- * a - -b a+b
- * -a - b -(a+b)
- * -a - -b b-a
- */
+ // a - b a-b
+ // a - -b a+b
+ // -a - b -(a+b)
+ // -a - -b b-a
if (a->neg) {
if (b->neg) {
tmp = a;
@@ -236,7 +234,7 @@
return 1;
}
- /* We are actually doing a - b :-) */
+ // We are actually doing a - b :-)
max = (a->top > b->top) ? a->top : b->top;
if (!bn_wexpand(r, max)) {
@@ -267,7 +265,7 @@
min = b->top;
dif = max - min;
- if (dif < 0) /* hmm... should not be happening */
+ if (dif < 0) // hmm... should not be happening
{
OPENSSL_PUT_ERROR(BN, BN_R_ARG2_LT_ARG3);
return 0;
@@ -295,10 +293,10 @@
*(rp++) = t1 & BN_MASK2;
}
- if (carry) /* subtracted */
+ if (carry) // subtracted
{
if (!dif) {
- /* error: a < b */
+ // error: a < b
return 0;
}
@@ -329,12 +327,12 @@
w &= BN_MASK2;
- /* degenerate case: w is zero */
+ // degenerate case: w is zero
if (!w) {
return 1;
}
- /* degenerate case: a is zero */
+ // degenerate case: a is zero
if (BN_is_zero(a)) {
i = BN_set_word(a, w);
if (i != 0) {
@@ -343,7 +341,7 @@
return i;
}
- /* handle 'a' when negative */
+ // handle 'a' when negative
if (a->neg) {
a->neg = 0;
i = BN_add_word(a, w);
diff --git a/src/crypto/fipsmodule/bn/asm/rsaz-avx2.pl b/src/crypto/fipsmodule/bn/asm/rsaz-avx2.pl
index 14a28dc..0bb50cd 100755
--- a/src/crypto/fipsmodule/bn/asm/rsaz-avx2.pl
+++ b/src/crypto/fipsmodule/bn/asm/rsaz-avx2.pl
@@ -83,9 +83,9 @@
# versions, but BoringSSL is intended to be used with pre-generated perlasm
# output, so this isn't useful anyway.
#
-# TODO(davidben): Enable these after testing. $avx goes up to 2 and $addx to 1.
+# TODO(davidben): Set $addx to one once build problems are resolved.
$avx = 2;
-$addx = 1;
+$addx = 0;
open OUT,"| \"$^X\" \"$xlate\" $flavour \"$output\"";
*STDOUT = *OUT;
diff --git a/src/crypto/fipsmodule/bn/asm/x86_64-gcc.c b/src/crypto/fipsmodule/bn/asm/x86_64-gcc.c
index 72e7689..bfd770f 100644
--- a/src/crypto/fipsmodule/bn/asm/x86_64-gcc.c
+++ b/src/crypto/fipsmodule/bn/asm/x86_64-gcc.c
@@ -52,7 +52,7 @@
#include <openssl/bn.h>
-/* TODO(davidben): Get this file working on Windows x64. */
+// TODO(davidben): Get this file working on Windows x64.
#if !defined(OPENSSL_NO_ASM) && defined(OPENSSL_X86_64) && defined(__GNUC__)
#include "../internal.h"
@@ -61,41 +61,37 @@
#undef mul
#undef mul_add
-#define asm __asm__
-
-/*
- * "m"(a), "+m"(r) is the way to favor DirectPath µ-code;
- * "g"(0) let the compiler to decide where does it
- * want to keep the value of zero;
- */
-#define mul_add(r, a, word, carry) \
- do { \
- register BN_ULONG high, low; \
- asm("mulq %3" : "=a"(low), "=d"(high) : "a"(word), "m"(a) : "cc"); \
- asm("addq %2,%0; adcq %3,%1" \
- : "+r"(carry), "+d"(high) \
- : "a"(low), "g"(0) \
- : "cc"); \
- asm("addq %2,%0; adcq %3,%1" \
- : "+m"(r), "+d"(high) \
- : "r"(carry), "g"(0) \
- : "cc"); \
- (carry) = high; \
+// "m"(a), "+m"(r) is the way to favor DirectPath µ-code;
+// "g"(0) let the compiler to decide where does it
+// want to keep the value of zero;
+#define mul_add(r, a, word, carry) \
+ do { \
+ register BN_ULONG high, low; \
+ __asm__("mulq %3" : "=a"(low), "=d"(high) : "a"(word), "m"(a) : "cc"); \
+ __asm__("addq %2,%0; adcq %3,%1" \
+ : "+r"(carry), "+d"(high) \
+ : "a"(low), "g"(0) \
+ : "cc"); \
+ __asm__("addq %2,%0; adcq %3,%1" \
+ : "+m"(r), "+d"(high) \
+ : "r"(carry), "g"(0) \
+ : "cc"); \
+ (carry) = high; \
} while (0)
-#define mul(r, a, word, carry) \
- do { \
- register BN_ULONG high, low; \
- asm("mulq %3" : "=a"(low), "=d"(high) : "a"(word), "g"(a) : "cc"); \
- asm("addq %2,%0; adcq %3,%1" \
- : "+r"(carry), "+d"(high) \
- : "a"(low), "g"(0) \
- : "cc"); \
- (r) = (carry); \
- (carry) = high; \
+#define mul(r, a, word, carry) \
+ do { \
+ register BN_ULONG high, low; \
+ __asm__("mulq %3" : "=a"(low), "=d"(high) : "a"(word), "g"(a) : "cc"); \
+ __asm__("addq %2,%0; adcq %3,%1" \
+ : "+r"(carry), "+d"(high) \
+ : "a"(low), "g"(0) \
+ : "cc"); \
+ (r) = (carry); \
+ (carry) = high; \
} while (0)
#undef sqr
-#define sqr(r0, r1, a) asm("mulq %2" : "=a"(r0), "=d"(r1) : "a"(a) : "cc");
+#define sqr(r0, r1, a) __asm__("mulq %2" : "=a"(r0), "=d"(r1) : "a"(a) : "cc");
BN_ULONG bn_mul_add_words(BN_ULONG *rp, const BN_ULONG *ap, int num,
BN_ULONG w) {
@@ -196,8 +192,8 @@
return 0;
}
- asm volatile (
- " subq %0,%0 \n" /* clear carry */
+ __asm__ volatile (
+ " subq %0,%0 \n" // clear carry
" jmp 1f \n"
".p2align 4 \n"
"1:"
@@ -223,8 +219,8 @@
return 0;
}
- asm volatile (
- " subq %0,%0 \n" /* clear borrow */
+ __asm__ volatile (
+ " subq %0,%0 \n" // clear borrow
" jmp 1f \n"
".p2align 4 \n"
"1:"
@@ -241,46 +237,45 @@
return ret & 1;
}
-/* mul_add_c(a,b,c0,c1,c2) -- c+=a*b for three word number c=(c2,c1,c0) */
-/* mul_add_c2(a,b,c0,c1,c2) -- c+=2*a*b for three word number c=(c2,c1,c0) */
-/* sqr_add_c(a,i,c0,c1,c2) -- c+=a[i]^2 for three word number c=(c2,c1,c0) */
-/* sqr_add_c2(a,i,c0,c1,c2) -- c+=2*a[i]*a[j] for three word number c=(c2,c1,c0)
- */
+// mul_add_c(a,b,c0,c1,c2) -- c+=a*b for three word number c=(c2,c1,c0)
+// mul_add_c2(a,b,c0,c1,c2) -- c+=2*a*b for three word number c=(c2,c1,c0)
+// sqr_add_c(a,i,c0,c1,c2) -- c+=a[i]^2 for three word number c=(c2,c1,c0)
+// sqr_add_c2(a,i,c0,c1,c2) -- c+=2*a[i]*a[j] for three word number c=(c2,c1,c0)
-/* Keep in mind that carrying into high part of multiplication result can not
- * overflow, because it cannot be all-ones. */
-#define mul_add_c(a, b, c0, c1, c2) \
- do { \
- BN_ULONG t1, t2; \
- asm("mulq %3" : "=a"(t1), "=d"(t2) : "a"(a), "m"(b) : "cc"); \
- asm("addq %3,%0; adcq %4,%1; adcq %5,%2" \
- : "+r"(c0), "+r"(c1), "+r"(c2) \
- : "r"(t1), "r"(t2), "g"(0) \
- : "cc"); \
+// Keep in mind that carrying into high part of multiplication result can not
+// overflow, because it cannot be all-ones.
+#define mul_add_c(a, b, c0, c1, c2) \
+ do { \
+ BN_ULONG t1, t2; \
+ __asm__("mulq %3" : "=a"(t1), "=d"(t2) : "a"(a), "m"(b) : "cc"); \
+ __asm__("addq %3,%0; adcq %4,%1; adcq %5,%2" \
+ : "+r"(c0), "+r"(c1), "+r"(c2) \
+ : "r"(t1), "r"(t2), "g"(0) \
+ : "cc"); \
} while (0)
-#define sqr_add_c(a, i, c0, c1, c2) \
- do { \
- BN_ULONG t1, t2; \
- asm("mulq %2" : "=a"(t1), "=d"(t2) : "a"((a)[i]) : "cc"); \
- asm("addq %3,%0; adcq %4,%1; adcq %5,%2" \
- : "+r"(c0), "+r"(c1), "+r"(c2) \
- : "r"(t1), "r"(t2), "g"(0) \
- : "cc"); \
+#define sqr_add_c(a, i, c0, c1, c2) \
+ do { \
+ BN_ULONG t1, t2; \
+ __asm__("mulq %2" : "=a"(t1), "=d"(t2) : "a"((a)[i]) : "cc"); \
+ __asm__("addq %3,%0; adcq %4,%1; adcq %5,%2" \
+ : "+r"(c0), "+r"(c1), "+r"(c2) \
+ : "r"(t1), "r"(t2), "g"(0) \
+ : "cc"); \
} while (0)
-#define mul_add_c2(a, b, c0, c1, c2) \
- do { \
- BN_ULONG t1, t2; \
- asm("mulq %3" : "=a"(t1), "=d"(t2) : "a"(a), "m"(b) : "cc"); \
- asm("addq %3,%0; adcq %4,%1; adcq %5,%2" \
- : "+r"(c0), "+r"(c1), "+r"(c2) \
- : "r"(t1), "r"(t2), "g"(0) \
- : "cc"); \
- asm("addq %3,%0; adcq %4,%1; adcq %5,%2" \
- : "+r"(c0), "+r"(c1), "+r"(c2) \
- : "r"(t1), "r"(t2), "g"(0) \
- : "cc"); \
+#define mul_add_c2(a, b, c0, c1, c2) \
+ do { \
+ BN_ULONG t1, t2; \
+ __asm__("mulq %3" : "=a"(t1), "=d"(t2) : "a"(a), "m"(b) : "cc"); \
+ __asm__("addq %3,%0; adcq %4,%1; adcq %5,%2" \
+ : "+r"(c0), "+r"(c1), "+r"(c2) \
+ : "r"(t1), "r"(t2), "g"(0) \
+ : "cc"); \
+ __asm__("addq %3,%0; adcq %4,%1; adcq %5,%2" \
+ : "+r"(c0), "+r"(c1), "+r"(c2) \
+ : "r"(t1), "r"(t2), "g"(0) \
+ : "cc"); \
} while (0)
#define sqr_add_c2(a, i, j, c0, c1, c2) mul_add_c2((a)[i], (a)[j], c0, c1, c2)
@@ -539,4 +534,4 @@
#undef mul_add_c2
#undef sqr_add_c2
-#endif /* !NO_ASM && X86_64 && __GNUC__ */
+#endif // !NO_ASM && X86_64 && __GNUC__
diff --git a/src/crypto/fipsmodule/bn/asm/x86_64-mont.pl b/src/crypto/fipsmodule/bn/asm/x86_64-mont.pl
index 286e0a0..b57537e 100755
--- a/src/crypto/fipsmodule/bn/asm/x86_64-mont.pl
+++ b/src/crypto/fipsmodule/bn/asm/x86_64-mont.pl
@@ -57,7 +57,7 @@
# versions, but BoringSSL is intended to be used with pre-generated perlasm
# output, so this isn't useful anyway.
#
-# TODO(davidben): Enable this option after testing. $addx goes up to 1.
+# TODO(davidben): Set $addx to one once build problems are resolved.
$addx = 0;
# int bn_mul_mont(
diff --git a/src/crypto/fipsmodule/bn/asm/x86_64-mont5.pl b/src/crypto/fipsmodule/bn/asm/x86_64-mont5.pl
index db09624..dfb8b37 100755
--- a/src/crypto/fipsmodule/bn/asm/x86_64-mont5.pl
+++ b/src/crypto/fipsmodule/bn/asm/x86_64-mont5.pl
@@ -42,7 +42,7 @@
# versions, but BoringSSL is intended to be used with pre-generated perlasm
# output, so this isn't useful anyway.
#
-# TODO(davidben): Enable this after testing. $addx goes up to 1.
+# TODO(davidben): Set $addx to one once build problems are resolved.
$addx = 0;
# int bn_mul_mont_gather5(
diff --git a/src/crypto/fipsmodule/bn/bn.c b/src/crypto/fipsmodule/bn/bn.c
index af093e0..9ba1913 100644
--- a/src/crypto/fipsmodule/bn/bn.c
+++ b/src/crypto/fipsmodule/bn/bn.c
@@ -175,8 +175,8 @@
out->flags = BN_FLG_STATIC_DATA;
}
-/* BN_num_bits_word returns the minimum number of bits needed to represent the
- * value in |l|. */
+// BN_num_bits_word returns the minimum number of bits needed to represent the
+// value in |l|.
unsigned BN_num_bits_word(BN_ULONG l) {
static const unsigned char bits[256] = {
0, 1, 2, 2, 3, 3, 3, 3, 4, 4, 4, 4, 4, 4, 4, 4, 5, 5, 5, 5, 5, 5, 5, 5,
@@ -290,7 +290,7 @@
return 0;
}
OPENSSL_memmove(bn->d, words, num * sizeof(BN_ULONG));
- /* |bn_wexpand| verified that |num| isn't too large. */
+ // |bn_wexpand| verified that |num| isn't too large.
bn->top = (int)num;
bn_correct_top(bn);
bn->neg = 0;
diff --git a/src/crypto/fipsmodule/bn/bn_test.cc b/src/crypto/fipsmodule/bn/bn_test.cc
index 3cb5f75..fe03e5f 100644
--- a/src/crypto/fipsmodule/bn/bn_test.cc
+++ b/src/crypto/fipsmodule/bn/bn_test.cc
@@ -67,9 +67,9 @@
* Sheueling Chang Shantz and Douglas Stebila of Sun Microsystems
* Laboratories. */
-/* Per C99, various stdint.h and inttypes.h macros (the latter used by bn.h) are
- * unavailable in C++ unless some macros are defined. C++11 overruled this
- * decision, but older Android NDKs still require it. */
+// Per C99, various stdint.h and inttypes.h macros (the latter used by bn.h) are
+// unavailable in C++ unless some macros are defined. C++11 overruled this
+// decision, but older Android NDKs still require it.
#if !defined(__STDC_CONSTANT_MACROS)
#define __STDC_CONSTANT_MACROS
#endif
diff --git a/src/crypto/fipsmodule/bn/bytes.c b/src/crypto/fipsmodule/bn/bytes.c
index 0988870..328d56e 100644
--- a/src/crypto/fipsmodule/bn/bytes.c
+++ b/src/crypto/fipsmodule/bn/bytes.c
@@ -90,8 +90,8 @@
return NULL;
}
- /* |bn_wexpand| must check bounds on |num_words| to write it into
- * |ret->dmax|. */
+ // |bn_wexpand| must check bounds on |num_words| to write it into
+ // |ret->dmax|.
assert(num_words <= INT_MAX);
ret->top = (int)num_words;
ret->neg = 0;
@@ -105,8 +105,8 @@
}
}
- /* need to call this due to clear byte at top if avoiding having the top bit
- * set (-ve number) */
+ // need to call this due to clear byte at top if avoiding having the top bit
+ // set (-ve number)
bn_correct_top(ret);
return ret;
}
@@ -128,7 +128,7 @@
return ret;
}
- /* Reserve enough space in |ret|. */
+ // Reserve enough space in |ret|.
size_t num_words = ((len - 1) / BN_BYTES) + 1;
if (!bn_wexpand(ret, num_words)) {
BN_free(bn);
@@ -136,11 +136,11 @@
}
ret->top = num_words;
- /* Make sure the top bytes will be zeroed. */
+ // Make sure the top bytes will be zeroed.
ret->d[num_words - 1] = 0;
- /* We only support little-endian platforms, so we can simply memcpy the
- * internal representation. */
+ // We only support little-endian platforms, so we can simply memcpy the
+ // internal representation.
OPENSSL_memcpy(ret->d, in, len);
bn_correct_top(ret);
@@ -160,24 +160,24 @@
}
int BN_bn2le_padded(uint8_t *out, size_t len, const BIGNUM *in) {
- /* If we don't have enough space, fail out. */
+ // If we don't have enough space, fail out.
size_t num_bytes = BN_num_bytes(in);
if (len < num_bytes) {
return 0;
}
- /* We only support little-endian platforms, so we can simply memcpy into the
- * internal representation. */
+ // We only support little-endian platforms, so we can simply memcpy into the
+ // internal representation.
OPENSSL_memcpy(out, in->d, num_bytes);
- /* Pad out the rest of the buffer with zeroes. */
+ // Pad out the rest of the buffer with zeroes.
OPENSSL_memset(out + num_bytes, 0, len - num_bytes);
return 1;
}
-/* constant_time_select_ulong returns |x| if |v| is 1 and |y| if |v| is 0. Its
- * behavior is undefined if |v| takes any other value. */
+// constant_time_select_ulong returns |x| if |v| is 1 and |y| if |v| is 0. Its
+// behavior is undefined if |v| takes any other value.
static BN_ULONG constant_time_select_ulong(int v, BN_ULONG x, BN_ULONG y) {
BN_ULONG mask = v;
mask--;
@@ -185,35 +185,35 @@
return (~mask & x) | (mask & y);
}
-/* constant_time_le_size_t returns 1 if |x| <= |y| and 0 otherwise. |x| and |y|
- * must not have their MSBs set. */
+// constant_time_le_size_t returns 1 if |x| <= |y| and 0 otherwise. |x| and |y|
+// must not have their MSBs set.
static int constant_time_le_size_t(size_t x, size_t y) {
return ((x - y - 1) >> (sizeof(size_t) * 8 - 1)) & 1;
}
-/* read_word_padded returns the |i|'th word of |in|, if it is not out of
- * bounds. Otherwise, it returns 0. It does so without branches on the size of
- * |in|, however it necessarily does not have the same memory access pattern. If
- * the access would be out of bounds, it reads the last word of |in|. |in| must
- * not be zero. */
+// read_word_padded returns the |i|'th word of |in|, if it is not out of
+// bounds. Otherwise, it returns 0. It does so without branches on the size of
+// |in|, however it necessarily does not have the same memory access pattern. If
+// the access would be out of bounds, it reads the last word of |in|. |in| must
+// not be zero.
static BN_ULONG read_word_padded(const BIGNUM *in, size_t i) {
- /* Read |in->d[i]| if valid. Otherwise, read the last word. */
+ // Read |in->d[i]| if valid. Otherwise, read the last word.
BN_ULONG l = in->d[constant_time_select_ulong(
constant_time_le_size_t(in->dmax, i), in->dmax - 1, i)];
- /* Clamp to zero if above |d->top|. */
+ // Clamp to zero if above |d->top|.
return constant_time_select_ulong(constant_time_le_size_t(in->top, i), 0, l);
}
int BN_bn2bin_padded(uint8_t *out, size_t len, const BIGNUM *in) {
- /* Special case for |in| = 0. Just branch as the probability is negligible. */
+ // Special case for |in| = 0. Just branch as the probability is negligible.
if (BN_is_zero(in)) {
OPENSSL_memset(out, 0, len);
return 1;
}
- /* Check if the integer is too big. This case can exit early in non-constant
- * time. */
+ // Check if the integer is too big. This case can exit early in non-constant
+ // time.
if ((size_t)in->top > (len + (BN_BYTES - 1)) / BN_BYTES) {
return 0;
}
@@ -224,13 +224,13 @@
}
}
- /* Write the bytes out one by one. Serialization is done without branching on
- * the bits of |in| or on |in->top|, but if the routine would otherwise read
- * out of bounds, the memory access pattern can't be fixed. However, for an
- * RSA key of size a multiple of the word size, the probability of BN_BYTES
- * leading zero octets is low.
- *
- * See Falko Stenzke, "Manger's Attack revisited", ICICS 2010. */
+ // Write the bytes out one by one. Serialization is done without branching on
+ // the bits of |in| or on |in->top|, but if the routine would otherwise read
+ // out of bounds, the memory access pattern can't be fixed. However, for an
+ // RSA key of size a multiple of the word size, the probability of BN_BYTES
+ // leading zero octets is low.
+ //
+ // See Falko Stenzke, "Manger's Attack revisited", ICICS 2010.
size_t i = len;
while (i--) {
BN_ULONG l = read_word_padded(in, i / BN_BYTES);
diff --git a/src/crypto/fipsmodule/bn/cmp.c b/src/crypto/fipsmodule/bn/cmp.c
index 71c0465..7864707 100644
--- a/src/crypto/fipsmodule/bn/cmp.c
+++ b/src/crypto/fipsmodule/bn/cmp.c
@@ -159,14 +159,14 @@
if (dl < 0) {
for (i = dl; i < 0; i++) {
if (b[n - i] != 0) {
- return -1; /* a < b */
+ return -1; // a < b
}
}
}
if (dl > 0) {
for (i = dl; i > 0; i--) {
if (a[n + i] != 0) {
- return 1; /* a > b */
+ return 1; // a > b
}
}
}
diff --git a/src/crypto/fipsmodule/bn/ctx.c b/src/crypto/fipsmodule/bn/ctx.c
index 3819775..af50de9 100644
--- a/src/crypto/fipsmodule/bn/ctx.c
+++ b/src/crypto/fipsmodule/bn/ctx.c
@@ -62,24 +62,24 @@
#include "../../internal.h"
-/* How many bignums are in each "pool item"; */
+// How many bignums are in each "pool item";
#define BN_CTX_POOL_SIZE 16
-/* The stack frame info is resizing, set a first-time expansion size; */
+// The stack frame info is resizing, set a first-time expansion size;
#define BN_CTX_START_FRAMES 32
-/* A bundle of bignums that can be linked with other bundles */
+// A bundle of bignums that can be linked with other bundles
typedef struct bignum_pool_item {
- /* The bignum values */
+ // The bignum values
BIGNUM vals[BN_CTX_POOL_SIZE];
- /* Linked-list admin */
+ // Linked-list admin
struct bignum_pool_item *prev, *next;
} BN_POOL_ITEM;
typedef struct bignum_pool {
- /* Linked-list admin */
+ // Linked-list admin
BN_POOL_ITEM *head, *current, *tail;
- /* Stack depth and allocation size */
+ // Stack depth and allocation size
unsigned used, size;
} BN_POOL;
@@ -88,15 +88,14 @@
static BIGNUM *BN_POOL_get(BN_POOL *);
static void BN_POOL_release(BN_POOL *, unsigned int);
-/************/
-/* BN_STACK */
-/************/
-/* A wrapper to manage the "stack frames" */
+// BN_STACK
+
+// A wrapper to manage the "stack frames"
typedef struct bignum_ctx_stack {
- /* Array of indexes into the bignum stack */
+ // Array of indexes into the bignum stack
unsigned int *indexes;
- /* Number of stack frames, and the size of the allocated array */
+ // Number of stack frames, and the size of the allocated array
unsigned int depth, size;
} BN_STACK;
@@ -105,21 +104,20 @@
static int BN_STACK_push(BN_STACK *, unsigned int);
static unsigned int BN_STACK_pop(BN_STACK *);
-/**********/
-/* BN_CTX */
-/**********/
-/* The opaque BN_CTX type */
+// BN_CTX
+
+// The opaque BN_CTX type
struct bignum_ctx {
- /* The bignum bundles */
+ // The bignum bundles
BN_POOL pool;
- /* The "stack frames", if you will */
+ // The "stack frames", if you will
BN_STACK stack;
- /* The number of bignums currently assigned */
+ // The number of bignums currently assigned
unsigned int used;
- /* Depth of stack overflow */
+ // Depth of stack overflow
int err_stack;
- /* Block "gets" until an "end" (compatibility behaviour) */
+ // Block "gets" until an "end" (compatibility behaviour)
int too_many;
};
@@ -130,7 +128,7 @@
return NULL;
}
- /* Initialise the structure */
+ // Initialise the structure
BN_POOL_init(&ret->pool);
BN_STACK_init(&ret->stack);
ret->used = 0;
@@ -150,11 +148,11 @@
}
void BN_CTX_start(BN_CTX *ctx) {
- /* If we're already overflowing ... */
+ // If we're already overflowing ...
if (ctx->err_stack || ctx->too_many) {
ctx->err_stack++;
} else if (!BN_STACK_push(&ctx->stack, ctx->used)) {
- /* (Try to) get a new frame pointer */
+ // (Try to) get a new frame pointer
OPENSSL_PUT_ERROR(BN, BN_R_TOO_MANY_TEMPORARY_VARIABLES);
ctx->err_stack++;
}
@@ -168,14 +166,14 @@
ret = BN_POOL_get(&ctx->pool);
if (ret == NULL) {
- /* Setting too_many prevents repeated "get" attempts from
- * cluttering the error stack. */
+ // Setting too_many prevents repeated "get" attempts from
+ // cluttering the error stack.
ctx->too_many = 1;
OPENSSL_PUT_ERROR(BN, BN_R_TOO_MANY_TEMPORARY_VARIABLES);
return NULL;
}
- /* OK, make sure the returned bignum is "zero" */
+ // OK, make sure the returned bignum is "zero"
BN_zero(ret);
ctx->used++;
return ret;
@@ -186,20 +184,19 @@
ctx->err_stack--;
} else {
unsigned int fp = BN_STACK_pop(&ctx->stack);
- /* Does this stack frame have anything to release? */
+ // Does this stack frame have anything to release?
if (fp < ctx->used) {
BN_POOL_release(&ctx->pool, ctx->used - fp);
}
ctx->used = fp;
- /* Unjam "too_many" in case "get" had failed */
+ // Unjam "too_many" in case "get" had failed
ctx->too_many = 0;
}
}
-/************/
-/* BN_STACK */
-/************/
+
+// BN_STACK
static void BN_STACK_init(BN_STACK *st) {
st->indexes = NULL;
@@ -212,7 +209,7 @@
static int BN_STACK_push(BN_STACK *st, unsigned int idx) {
if (st->depth == st->size) {
- /* Need to expand */
+ // Need to expand
unsigned int newsize =
(st->size ? (st->size * 3 / 2) : BN_CTX_START_FRAMES);
unsigned int *newitems = OPENSSL_malloc(newsize * sizeof(unsigned int));
@@ -235,6 +232,7 @@
return st->indexes[--(st->depth)];
}
+
static void BN_POOL_init(BN_POOL *p) {
p->head = p->current = p->tail = NULL;
p->used = p->size = 0;
@@ -259,14 +257,14 @@
return NULL;
}
- /* Initialise the structure */
+ // Initialise the structure
for (size_t i = 0; i < BN_CTX_POOL_SIZE; i++) {
BN_init(&item->vals[i]);
}
item->prev = p->tail;
item->next = NULL;
- /* Link it in */
+ // Link it in
if (!p->head) {
p->head = p->current = p->tail = item;
} else {
@@ -277,7 +275,7 @@
p->size += BN_CTX_POOL_SIZE;
p->used++;
- /* Return the first bignum from the new pool */
+ // Return the first bignum from the new pool
return item->vals;
}
diff --git a/src/crypto/fipsmodule/bn/div.c b/src/crypto/fipsmodule/bn/div.c
index dae5656..1bcff50 100644
--- a/src/crypto/fipsmodule/bn/div.c
+++ b/src/crypto/fipsmodule/bn/div.c
@@ -65,8 +65,8 @@
#if !defined(BN_ULLONG)
-/* bn_div_words divides a double-width |h|,|l| by |d| and returns the result,
- * which must fit in a |BN_ULONG|. */
+// bn_div_words divides a double-width |h|,|l| by |d| and returns the result,
+// which must fit in a |BN_ULONG|.
static BN_ULONG bn_div_words(BN_ULONG h, BN_ULONG l, BN_ULONG d) {
BN_ULONG dh, dl, q, ret = 0, th, tl, t;
int i, count = 2;
@@ -135,26 +135,26 @@
ret |= q;
return ret;
}
-#endif /* !defined(BN_ULLONG) */
+#endif // !defined(BN_ULLONG)
static inline void bn_div_rem_words(BN_ULONG *quotient_out, BN_ULONG *rem_out,
BN_ULONG n0, BN_ULONG n1, BN_ULONG d0) {
- /* GCC and Clang generate function calls to |__udivdi3| and |__umoddi3| when
- * the |BN_ULLONG|-based C code is used.
- *
- * GCC bugs:
- * * https://gcc.gnu.org/bugzilla/show_bug.cgi?id=14224
- * * https://gcc.gnu.org/bugzilla/show_bug.cgi?id=43721
- * * https://gcc.gnu.org/bugzilla/show_bug.cgi?id=54183
- * * https://gcc.gnu.org/bugzilla/show_bug.cgi?id=58897
- * * https://gcc.gnu.org/bugzilla/show_bug.cgi?id=65668
- *
- * Clang bugs:
- * * https://llvm.org/bugs/show_bug.cgi?id=6397
- * * https://llvm.org/bugs/show_bug.cgi?id=12418
- *
- * These issues aren't specific to x86 and x86_64, so it might be worthwhile
- * to add more assembly language implementations. */
+ // GCC and Clang generate function calls to |__udivdi3| and |__umoddi3| when
+ // the |BN_ULLONG|-based C code is used.
+ //
+ // GCC bugs:
+ // * https://gcc.gnu.org/bugzilla/show_bug.cgi?id=14224
+ // * https://gcc.gnu.org/bugzilla/show_bug.cgi?id=43721
+ // * https://gcc.gnu.org/bugzilla/show_bug.cgi?id=54183
+ // * https://gcc.gnu.org/bugzilla/show_bug.cgi?id=58897
+ // * https://gcc.gnu.org/bugzilla/show_bug.cgi?id=65668
+ //
+ // Clang bugs:
+ // * https://llvm.org/bugs/show_bug.cgi?id=6397
+ // * https://llvm.org/bugs/show_bug.cgi?id=12418
+ //
+ // These issues aren't specific to x86 and x86_64, so it might be worthwhile
+ // to add more assembly language implementations.
#if !defined(OPENSSL_NO_ASM) && defined(OPENSSL_X86) && defined(__GNUC__)
__asm__ volatile (
"divl %4"
@@ -178,17 +178,17 @@
#endif
}
-/* BN_div computes dv := num / divisor, rounding towards
- * zero, and sets up rm such that dv*divisor + rm = num holds.
- * Thus:
- * dv->neg == num->neg ^ divisor->neg (unless the result is zero)
- * rm->neg == num->neg (unless the remainder is zero)
- * If 'dv' or 'rm' is NULL, the respective value is not returned.
- *
- * This was specifically designed to contain fewer branches that may leak
- * sensitive information; see "New Branch Prediction Vulnerabilities in OpenSSL
- * and Necessary Software Countermeasures" by Onur Acıçmez, Shay Gueron, and
- * Jean-Pierre Seifert. */
+// BN_div computes dv := num / divisor, rounding towards
+// zero, and sets up rm such that dv*divisor + rm = num holds.
+// Thus:
+// dv->neg == num->neg ^ divisor->neg (unless the result is zero)
+// rm->neg == num->neg (unless the remainder is zero)
+// If 'dv' or 'rm' is NULL, the respective value is not returned.
+//
+// This was specifically designed to contain fewer branches that may leak
+// sensitive information; see "New Branch Prediction Vulnerabilities in OpenSSL
+// and Necessary Software Countermeasures" by Onur Acıçmez, Shay Gueron, and
+// Jean-Pierre Seifert.
int BN_div(BIGNUM *dv, BIGNUM *rm, const BIGNUM *num, const BIGNUM *divisor,
BN_CTX *ctx) {
int norm_shift, i, loop;
@@ -197,8 +197,8 @@
BN_ULONG d0, d1;
int num_n, div_n;
- /* Invalid zero-padding would have particularly bad consequences
- * so don't just rely on bn_check_top() here */
+ // Invalid zero-padding would have particularly bad consequences
+ // so don't just rely on bn_check_top() here
if ((num->top > 0 && num->d[num->top - 1] == 0) ||
(divisor->top > 0 && divisor->d[divisor->top - 1] == 0)) {
OPENSSL_PUT_ERROR(BN, BN_R_NOT_INITIALIZED);
@@ -223,7 +223,7 @@
goto err;
}
- /* First we normalise the numbers */
+ // First we normalise the numbers
norm_shift = BN_BITS2 - ((BN_num_bits(divisor)) % BN_BITS2);
if (!(BN_lshift(sdiv, divisor, norm_shift))) {
goto err;
@@ -235,9 +235,9 @@
}
snum->neg = 0;
- /* Since we don't want to have special-case logic for the case where snum is
- * larger than sdiv, we pad snum with enough zeroes without changing its
- * value. */
+ // Since we don't want to have special-case logic for the case where snum is
+ // larger than sdiv, we pad snum with enough zeroes without changing its
+ // value.
if (snum->top <= sdiv->top + 1) {
if (!bn_wexpand(snum, sdiv->top + 2)) {
goto err;
@@ -257,24 +257,24 @@
div_n = sdiv->top;
num_n = snum->top;
loop = num_n - div_n;
- /* Lets setup a 'window' into snum
- * This is the part that corresponds to the current
- * 'area' being divided */
+ // Lets setup a 'window' into snum
+ // This is the part that corresponds to the current
+ // 'area' being divided
wnum.neg = 0;
wnum.d = &(snum->d[loop]);
wnum.top = div_n;
- /* only needed when BN_ucmp messes up the values between top and max */
- wnum.dmax = snum->dmax - loop; /* so we don't step out of bounds */
+ // only needed when BN_ucmp messes up the values between top and max
+ wnum.dmax = snum->dmax - loop; // so we don't step out of bounds
- /* Get the top 2 words of sdiv */
- /* div_n=sdiv->top; */
+ // Get the top 2 words of sdiv
+ // div_n=sdiv->top;
d0 = sdiv->d[div_n - 1];
d1 = (div_n == 1) ? 0 : sdiv->d[div_n - 2];
- /* pointer to the 'top' of snum */
+ // pointer to the 'top' of snum
wnump = &(snum->d[num_n - 1]);
- /* Setup to 'res' */
+ // Setup to 'res'
res->neg = (num->neg ^ divisor->neg);
if (!bn_wexpand(res, (loop + 1))) {
goto err;
@@ -282,13 +282,13 @@
res->top = loop - 1;
resp = &(res->d[loop - 1]);
- /* space for temp */
+ // space for temp
if (!bn_wexpand(tmp, (div_n + 1))) {
goto err;
}
- /* if res->top == 0 then clear the neg value otherwise decrease
- * the resp pointer */
+ // if res->top == 0 then clear the neg value otherwise decrease
+ // the resp pointer
if (res->top == 0) {
res->neg = 0;
} else {
@@ -297,8 +297,8 @@
for (i = 0; i < loop - 1; i++, wnump--, resp--) {
BN_ULONG q, l0;
- /* the first part of the loop uses the top two words of snum and sdiv to
- * calculate a BN_ULONG q such that | wnum - sdiv * q | < sdiv */
+ // the first part of the loop uses the top two words of snum and sdiv to
+ // calculate a BN_ULONG q such that | wnum - sdiv * q | < sdiv
BN_ULONG n0, n1, rem = 0;
n0 = wnump[0];
@@ -306,7 +306,7 @@
if (n0 == d0) {
q = BN_MASK2;
} else {
- /* n0 < d0 */
+ // n0 < d0
bn_div_rem_words(&q, &rem, n0, n1, d0);
#ifdef BN_ULLONG
@@ -318,11 +318,11 @@
q--;
rem += d0;
if (rem < d0) {
- break; /* don't let rem overflow */
+ break; // don't let rem overflow
}
t2 -= d1;
}
-#else /* !BN_ULLONG */
+#else // !BN_ULLONG
BN_ULONG t2l, t2h;
BN_UMULT_LOHI(t2l, t2h, d1, q);
for (;;) {
@@ -332,43 +332,41 @@
q--;
rem += d0;
if (rem < d0) {
- break; /* don't let rem overflow */
+ break; // don't let rem overflow
}
if (t2l < d1) {
t2h--;
}
t2l -= d1;
}
-#endif /* !BN_ULLONG */
+#endif // !BN_ULLONG
}
l0 = bn_mul_words(tmp->d, sdiv->d, div_n, q);
tmp->d[div_n] = l0;
wnum.d--;
- /* ingore top values of the bignums just sub the two
- * BN_ULONG arrays with bn_sub_words */
+ // ingore top values of the bignums just sub the two
+ // BN_ULONG arrays with bn_sub_words
if (bn_sub_words(wnum.d, wnum.d, tmp->d, div_n + 1)) {
- /* Note: As we have considered only the leading
- * two BN_ULONGs in the calculation of q, sdiv * q
- * might be greater than wnum (but then (q-1) * sdiv
- * is less or equal than wnum)
- */
+ // Note: As we have considered only the leading
+ // two BN_ULONGs in the calculation of q, sdiv * q
+ // might be greater than wnum (but then (q-1) * sdiv
+ // is less or equal than wnum)
q--;
if (bn_add_words(wnum.d, wnum.d, sdiv->d, div_n)) {
- /* we can't have an overflow here (assuming
- * that q != 0, but if q == 0 then tmp is
- * zero anyway) */
+ // we can't have an overflow here (assuming
+ // that q != 0, but if q == 0 then tmp is
+ // zero anyway)
(*wnump)++;
}
}
- /* store part of the result */
+ // store part of the result
*resp = q;
}
bn_correct_top(snum);
if (rm != NULL) {
- /* Keep a copy of the neg flag in num because if rm==num
- * BN_rshift() will overwrite it.
- */
+ // Keep a copy of the neg flag in num because if rm==num
+ // BN_rshift() will overwrite it.
int neg = num->neg;
if (!BN_rshift(rm, snum, norm_shift)) {
goto err;
@@ -394,7 +392,7 @@
return 1;
}
- /* now -|d| < r < 0, so we have to set r := r + |d|. */
+ // now -|d| < r < 0, so we have to set r := r + |d|.
return (d->neg ? BN_sub : BN_add)(r, r, d);
}
@@ -425,8 +423,8 @@
return BN_nnmod(r, r, m, ctx);
}
-/* BN_mod_sub variant that may be used if both a and b are non-negative
- * and less than m */
+// BN_mod_sub variant that may be used if both a and b are non-negative
+// and less than m
int BN_mod_sub_quick(BIGNUM *r, const BIGNUM *a, const BIGNUM *b,
const BIGNUM *m) {
if (!BN_sub(r, a, b)) {
@@ -475,7 +473,7 @@
return 0;
}
- /* r->neg == 0, thus we don't need BN_nnmod */
+ // r->neg == 0, thus we don't need BN_nnmod
return BN_mod(r, r, m, ctx);
}
@@ -512,9 +510,9 @@
while (n > 0) {
int max_shift;
- /* 0 < r < m */
+ // 0 < r < m
max_shift = BN_num_bits(m) - BN_num_bits(r);
- /* max_shift >= 0 */
+ // max_shift >= 0
if (max_shift < 0) {
OPENSSL_PUT_ERROR(BN, BN_R_INPUT_NOT_REDUCED);
@@ -537,7 +535,7 @@
--n;
}
- /* BN_num_bits(r) <= BN_num_bits(m) */
+ // BN_num_bits(r) <= BN_num_bits(m)
if (BN_cmp(r, m) >= 0) {
if (!BN_sub(r, r, m)) {
return 0;
@@ -574,7 +572,7 @@
w &= BN_MASK2;
if (!w) {
- /* actually this an error (division by zero) */
+ // actually this an error (division by zero)
return (BN_ULONG) - 1;
}
@@ -582,7 +580,7 @@
return 0;
}
- /* normalize input for |bn_div_rem_words|. */
+ // normalize input for |bn_div_rem_words|.
j = BN_BITS2 - BN_num_bits_word(w);
w <<= j;
if (!BN_lshift(a, a, j)) {
@@ -623,8 +621,8 @@
}
#ifndef BN_ULLONG
- /* If |w| is too long and we don't have |BN_ULLONG| then we need to fall back
- * to using |BN_div_word|. */
+ // If |w| is too long and we don't have |BN_ULLONG| then we need to fall back
+ // to using |BN_div_word|.
if (w > ((BN_ULONG)1 << BN_BITS4)) {
BIGNUM *tmp = BN_dup(a);
if (tmp == NULL) {
@@ -656,27 +654,27 @@
size_t num_words = 1 + ((e - 1) / BN_BITS2);
- /* If |a| definitely has less than |e| bits, just BN_copy. */
+ // If |a| definitely has less than |e| bits, just BN_copy.
if ((size_t) a->top < num_words) {
return BN_copy(r, a) != NULL;
}
- /* Otherwise, first make sure we have enough space in |r|.
- * Note that this will fail if num_words > INT_MAX. */
+ // Otherwise, first make sure we have enough space in |r|.
+ // Note that this will fail if num_words > INT_MAX.
if (!bn_wexpand(r, num_words)) {
return 0;
}
- /* Copy the content of |a| into |r|. */
+ // Copy the content of |a| into |r|.
OPENSSL_memcpy(r->d, a->d, num_words * sizeof(BN_ULONG));
- /* If |e| isn't word-aligned, we have to mask off some of our bits. */
+ // If |e| isn't word-aligned, we have to mask off some of our bits.
size_t top_word_exponent = e % (sizeof(BN_ULONG) * 8);
if (top_word_exponent != 0) {
r->d[num_words - 1] &= (((BN_ULONG) 1) << top_word_exponent) - 1;
}
- /* Fill in the remaining fields of |r|. */
+ // Fill in the remaining fields of |r|.
r->neg = a->neg;
r->top = (int) num_words;
bn_correct_top(r);
@@ -688,41 +686,41 @@
return 0;
}
- /* If the returned value was non-negative, we're done. */
+ // If the returned value was non-negative, we're done.
if (BN_is_zero(r) || !r->neg) {
return 1;
}
size_t num_words = 1 + (e - 1) / BN_BITS2;
- /* Expand |r| to the size of our modulus. */
+ // Expand |r| to the size of our modulus.
if (!bn_wexpand(r, num_words)) {
return 0;
}
- /* Clear the upper words of |r|. */
+ // Clear the upper words of |r|.
OPENSSL_memset(&r->d[r->top], 0, (num_words - r->top) * BN_BYTES);
- /* Set parameters of |r|. */
+ // Set parameters of |r|.
r->neg = 0;
r->top = (int) num_words;
- /* Now, invert every word. The idea here is that we want to compute 2^e-|x|,
- * which is actually equivalent to the twos-complement representation of |x|
- * in |e| bits, which is -x = ~x + 1. */
+ // Now, invert every word. The idea here is that we want to compute 2^e-|x|,
+ // which is actually equivalent to the twos-complement representation of |x|
+ // in |e| bits, which is -x = ~x + 1.
for (int i = 0; i < r->top; i++) {
r->d[i] = ~r->d[i];
}
- /* If our exponent doesn't span the top word, we have to mask the rest. */
+ // If our exponent doesn't span the top word, we have to mask the rest.
size_t top_word_exponent = e % BN_BITS2;
if (top_word_exponent != 0) {
r->d[r->top - 1] &= (((BN_ULONG) 1) << top_word_exponent) - 1;
}
- /* Keep the correct_top invariant for BN_add. */
+ // Keep the correct_top invariant for BN_add.
bn_correct_top(r);
- /* Finally, add one, for the reason described above. */
+ // Finally, add one, for the reason described above.
return BN_add(r, r, BN_value_one());
}
diff --git a/src/crypto/fipsmodule/bn/exponentiation.c b/src/crypto/fipsmodule/bn/exponentiation.c
index 187b845..ae78ff9 100644
--- a/src/crypto/fipsmodule/bn/exponentiation.c
+++ b/src/crypto/fipsmodule/bn/exponentiation.c
@@ -188,12 +188,12 @@
return ret;
}
-/* maximum precomputation table size for *variable* sliding windows */
+// maximum precomputation table size for *variable* sliding windows
#define TABLE_SIZE 32
typedef struct bn_recp_ctx_st {
- BIGNUM N; /* the divisor */
- BIGNUM Nr; /* the reciprocal */
+ BIGNUM N; // the divisor
+ BIGNUM Nr; // the reciprocal
int num_bits;
int shift;
int flags;
@@ -227,10 +227,10 @@
return 1;
}
-/* len is the expected size of the result We actually calculate with an extra
- * word of precision, so we can do faster division if the remainder is not
- * required.
- * r := 2^len / m */
+// len is the expected size of the result We actually calculate with an extra
+// word of precision, so we can do faster division if the remainder is not
+// required.
+// r := 2^len / m
static int BN_reciprocal(BIGNUM *r, const BIGNUM *m, int len, BN_CTX *ctx) {
int ret = -1;
BIGNUM *t;
@@ -289,34 +289,34 @@
return 1;
}
- /* We want the remainder
- * Given input of ABCDEF / ab
- * we need multiply ABCDEF by 3 digests of the reciprocal of ab */
+ // We want the remainder
+ // Given input of ABCDEF / ab
+ // we need multiply ABCDEF by 3 digests of the reciprocal of ab
- /* i := max(BN_num_bits(m), 2*BN_num_bits(N)) */
+ // i := max(BN_num_bits(m), 2*BN_num_bits(N))
i = BN_num_bits(m);
j = recp->num_bits << 1;
if (j > i) {
i = j;
}
- /* Nr := round(2^i / N) */
+ // Nr := round(2^i / N)
if (i != recp->shift) {
recp->shift =
BN_reciprocal(&(recp->Nr), &(recp->N), i,
- ctx); /* BN_reciprocal returns i, or -1 for an error */
+ ctx); // BN_reciprocal returns i, or -1 for an error
}
if (recp->shift == -1) {
goto err;
}
- /* d := |round(round(m / 2^BN_num_bits(N)) * recp->Nr / 2^(i -
- * BN_num_bits(N)))|
- * = |round(round(m / 2^BN_num_bits(N)) * round(2^i / N) / 2^(i -
- * BN_num_bits(N)))|
- * <= |(m / 2^BN_num_bits(N)) * (2^i / N) * (2^BN_num_bits(N) / 2^i)|
- * = |m/N| */
+ // d := |round(round(m / 2^BN_num_bits(N)) * recp->Nr / 2^(i -
+ // BN_num_bits(N)))|
+ // = |round(round(m / 2^BN_num_bits(N)) * round(2^i / N) / 2^(i -
+ // BN_num_bits(N)))|
+ // <= |(m / 2^BN_num_bits(N)) * (2^i / N) * (2^BN_num_bits(N) / 2^i)|
+ // = |m/N|
if (!BN_rshift(a, m, recp->num_bits)) {
goto err;
}
@@ -383,7 +383,7 @@
}
ca = a;
} else {
- ca = x; /* Just do the mod */
+ ca = x; // Just do the mod
}
ret = BN_div_recp(NULL, r, ca, recp, ctx);
@@ -393,29 +393,29 @@
return ret;
}
-/* BN_window_bits_for_exponent_size -- macro for sliding window mod_exp
- * functions
- *
- * For window size 'w' (w >= 2) and a random 'b' bits exponent, the number of
- * multiplications is a constant plus on average
- *
- * 2^(w-1) + (b-w)/(w+1);
- *
- * here 2^(w-1) is for precomputing the table (we actually need entries only
- * for windows that have the lowest bit set), and (b-w)/(w+1) is an
- * approximation for the expected number of w-bit windows, not counting the
- * first one.
- *
- * Thus we should use
- *
- * w >= 6 if b > 671
- * w = 5 if 671 > b > 239
- * w = 4 if 239 > b > 79
- * w = 3 if 79 > b > 23
- * w <= 2 if 23 > b
- *
- * (with draws in between). Very small exponents are often selected
- * with low Hamming weight, so we use w = 1 for b <= 23. */
+// BN_window_bits_for_exponent_size -- macro for sliding window mod_exp
+// functions
+//
+// For window size 'w' (w >= 2) and a random 'b' bits exponent, the number of
+// multiplications is a constant plus on average
+//
+// 2^(w-1) + (b-w)/(w+1);
+//
+// here 2^(w-1) is for precomputing the table (we actually need entries only
+// for windows that have the lowest bit set), and (b-w)/(w+1) is an
+// approximation for the expected number of w-bit windows, not counting the
+// first one.
+//
+// Thus we should use
+//
+// w >= 6 if b > 671
+// w = 5 if 671 > b > 239
+// w = 4 if 239 > b > 79
+// w = 3 if 79 > b > 23
+// w <= 2 if 23 > b
+//
+// (with draws in between). Very small exponents are often selected
+// with low Hamming weight, so we use w = 1 for b <= 23.
#define BN_window_bits_for_exponent_size(b) \
((b) > 671 ? 6 : \
(b) > 239 ? 5 : \
@@ -427,14 +427,14 @@
int i, j, bits, ret = 0, wstart, window;
int start = 1;
BIGNUM *aa;
- /* Table of variables obtained from 'ctx' */
+ // Table of variables obtained from 'ctx'
BIGNUM *val[TABLE_SIZE];
BN_RECP_CTX recp;
bits = BN_num_bits(p);
if (bits == 0) {
- /* x**0 mod 1 is still zero. */
+ // x**0 mod 1 is still zero.
if (BN_is_one(m)) {
BN_zero(r);
return 1;
@@ -451,7 +451,7 @@
BN_RECP_CTX_init(&recp);
if (m->neg) {
- /* ignore sign of 'm' */
+ // ignore sign of 'm'
if (!BN_copy(aa, m)) {
goto err;
}
@@ -466,7 +466,7 @@
}
if (!BN_nnmod(val[0], a, m, ctx)) {
- goto err; /* 1 */
+ goto err; // 1
}
if (BN_is_zero(val[0])) {
BN_zero(r);
@@ -477,7 +477,7 @@
window = BN_window_bits_for_exponent_size(bits);
if (window > 1) {
if (!BN_mod_mul_reciprocal(aa, val[0], val[0], &recp, ctx)) {
- goto err; /* 2 */
+ goto err; // 2
}
j = 1 << (window - 1);
for (i = 1; i < j; i++) {
@@ -488,18 +488,18 @@
}
}
- start = 1; /* This is used to avoid multiplication etc
- * when there is only the value '1' in the
- * buffer. */
- wstart = bits - 1; /* The top bit of the window */
+ start = 1; // This is used to avoid multiplication etc
+ // when there is only the value '1' in the
+ // buffer.
+ wstart = bits - 1; // The top bit of the window
if (!BN_one(r)) {
goto err;
}
for (;;) {
- int wvalue; /* The 'value' of the window */
- int wend; /* The bottom bit of the window */
+ int wvalue; // The 'value' of the window
+ int wend; // The bottom bit of the window
if (BN_is_bit_set(p, wstart) == 0) {
if (!start) {
@@ -514,10 +514,10 @@
continue;
}
- /* We now have wstart on a 'set' bit, we now need to work out
- * how bit a window to do. To do this we need to scan
- * forward until the last set bit before the end of the
- * window */
+ // We now have wstart on a 'set' bit, we now need to work out
+ // how bit a window to do. To do this we need to scan
+ // forward until the last set bit before the end of the
+ // window
wvalue = 1;
wend = 0;
for (i = 1; i < window; i++) {
@@ -531,9 +531,9 @@
}
}
- /* wend is the size of the current window */
+ // wend is the size of the current window
j = wend + 1;
- /* add the 'bytes above' */
+ // add the 'bytes above'
if (!start) {
for (i = 0; i < j; i++) {
if (!BN_mod_mul_reciprocal(r, r, r, &recp, ctx)) {
@@ -542,12 +542,12 @@
}
}
- /* wvalue will be an odd number < 2^window */
+ // wvalue will be an odd number < 2^window
if (!BN_mod_mul_reciprocal(r, r, val[wvalue >> 1], &recp, ctx)) {
goto err;
}
- /* move the 'window' down further */
+ // move the 'window' down further
wstart -= wend + 1;
start = 0;
if (wstart < 0) {
@@ -577,7 +577,7 @@
int start = 1;
BIGNUM *d, *r;
const BIGNUM *aa;
- /* Table of variables obtained from 'ctx' */
+ // Table of variables obtained from 'ctx'
BIGNUM *val[TABLE_SIZE];
BN_MONT_CTX *new_mont = NULL;
@@ -587,7 +587,7 @@
}
bits = BN_num_bits(p);
if (bits == 0) {
- /* x**0 mod 1 is still zero. */
+ // x**0 mod 1 is still zero.
if (BN_is_one(m)) {
BN_zero(rr);
return 1;
@@ -603,7 +603,7 @@
goto err;
}
- /* Allocate a montgomery context if it was not supplied by the caller. */
+ // Allocate a montgomery context if it was not supplied by the caller.
if (mont == NULL) {
new_mont = BN_MONT_CTX_new();
if (new_mont == NULL || !BN_MONT_CTX_set(new_mont, m, ctx)) {
@@ -627,13 +627,13 @@
goto err;
}
if (!BN_to_montgomery(val[0], aa, mont, ctx)) {
- goto err; /* 1 */
+ goto err; // 1
}
window = BN_window_bits_for_exponent_size(bits);
if (window > 1) {
if (!BN_mod_mul_montgomery(d, val[0], val[0], mont, ctx)) {
- goto err; /* 2 */
+ goto err; // 2
}
j = 1 << (window - 1);
for (i = 1; i < j; i++) {
@@ -644,32 +644,32 @@
}
}
- start = 1; /* This is used to avoid multiplication etc
- * when there is only the value '1' in the
- * buffer. */
- wstart = bits - 1; /* The top bit of the window */
+ start = 1; // This is used to avoid multiplication etc
+ // when there is only the value '1' in the
+ // buffer.
+ wstart = bits - 1; // The top bit of the window
- j = m->top; /* borrow j */
+ j = m->top; // borrow j
if (m->d[j - 1] & (((BN_ULONG)1) << (BN_BITS2 - 1))) {
if (!bn_wexpand(r, j)) {
goto err;
}
- /* 2^(top*BN_BITS2) - m */
+ // 2^(top*BN_BITS2) - m
r->d[0] = (0 - m->d[0]) & BN_MASK2;
for (i = 1; i < j; i++) {
r->d[i] = (~m->d[i]) & BN_MASK2;
}
r->top = j;
- /* Upper words will be zero if the corresponding words of 'm'
- * were 0xfff[...], so decrement r->top accordingly. */
+ // Upper words will be zero if the corresponding words of 'm'
+ // were 0xfff[...], so decrement r->top accordingly.
bn_correct_top(r);
} else if (!BN_to_montgomery(r, BN_value_one(), mont, ctx)) {
goto err;
}
for (;;) {
- int wvalue; /* The 'value' of the window */
- int wend; /* The bottom bit of the window */
+ int wvalue; // The 'value' of the window
+ int wend; // The bottom bit of the window
if (BN_is_bit_set(p, wstart) == 0) {
if (!start && !BN_mod_mul_montgomery(r, r, r, mont, ctx)) {
@@ -682,9 +682,9 @@
continue;
}
- /* We now have wstart on a 'set' bit, we now need to work out how bit a
- * window to do. To do this we need to scan forward until the last set bit
- * before the end of the window */
+ // We now have wstart on a 'set' bit, we now need to work out how bit a
+ // window to do. To do this we need to scan forward until the last set bit
+ // before the end of the window
wvalue = 1;
wend = 0;
for (i = 1; i < window; i++) {
@@ -698,9 +698,9 @@
}
}
- /* wend is the size of the current window */
+ // wend is the size of the current window
j = wend + 1;
- /* add the 'bytes above' */
+ // add the 'bytes above'
if (!start) {
for (i = 0; i < j; i++) {
if (!BN_mod_mul_montgomery(r, r, r, mont, ctx)) {
@@ -709,12 +709,12 @@
}
}
- /* wvalue will be an odd number < 2^window */
+ // wvalue will be an odd number < 2^window
if (!BN_mod_mul_montgomery(r, r, val[wvalue >> 1], mont, ctx)) {
goto err;
}
- /* move the 'window' down further */
+ // move the 'window' down further
wstart -= wend + 1;
start = 0;
if (wstart < 0) {
@@ -733,10 +733,10 @@
return ret;
}
-/* BN_mod_exp_mont_consttime() stores the precomputed powers in a specific
- * layout so that accessing any of these table values shows the same access
- * pattern as far as cache lines are concerned. The following functions are
- * used to transfer a BIGNUM from/to that table. */
+// BN_mod_exp_mont_consttime() stores the precomputed powers in a specific
+// layout so that accessing any of these table values shows the same access
+// pattern as far as cache lines are concerned. The following functions are
+// used to transfer a BIGNUM from/to that table.
static int copy_to_prebuf(const BIGNUM *b, int top, unsigned char *buf, int idx,
int window) {
int i, j;
@@ -744,7 +744,7 @@
BN_ULONG *table = (BN_ULONG *) buf;
if (top > b->top) {
- top = b->top; /* this works because 'buf' is explicitly zeroed */
+ top = b->top; // this works because 'buf' is explicitly zeroed
}
for (i = 0, j = idx; i < top; i++, j += width) {
@@ -778,8 +778,8 @@
int xstride = 1 << (window - 2);
BN_ULONG y0, y1, y2, y3;
- i = idx >> (window - 2); /* equivalent of idx / xstride */
- idx &= xstride - 1; /* equivalent of idx % xstride */
+ i = idx >> (window - 2); // equivalent of idx / xstride
+ idx &= xstride - 1; // equivalent of idx % xstride
y0 = (BN_ULONG)0 - (constant_time_eq_int(i, 0) & 1);
y1 = (BN_ULONG)0 - (constant_time_eq_int(i, 1) & 1);
@@ -804,23 +804,23 @@
return 1;
}
-/* BN_mod_exp_mont_conttime is based on the assumption that the L1 data cache
- * line width of the target processor is at least the following value. */
+// BN_mod_exp_mont_conttime is based on the assumption that the L1 data cache
+// line width of the target processor is at least the following value.
#define MOD_EXP_CTIME_MIN_CACHE_LINE_WIDTH (64)
#define MOD_EXP_CTIME_MIN_CACHE_LINE_MASK \
(MOD_EXP_CTIME_MIN_CACHE_LINE_WIDTH - 1)
-/* Window sizes optimized for fixed window size modular exponentiation
- * algorithm (BN_mod_exp_mont_consttime).
- *
- * To achieve the security goals of BN_mode_exp_mont_consttime, the maximum
- * size of the window must not exceed
- * log_2(MOD_EXP_CTIME_MIN_CACHE_LINE_WIDTH).
- *
- * Window size thresholds are defined for cache line sizes of 32 and 64, cache
- * line sizes where log_2(32)=5 and log_2(64)=6 respectively. A window size of
- * 7 should only be used on processors that have a 128 byte or greater cache
- * line size. */
+// Window sizes optimized for fixed window size modular exponentiation
+// algorithm (BN_mod_exp_mont_consttime).
+//
+// To achieve the security goals of BN_mode_exp_mont_consttime, the maximum
+// size of the window must not exceed
+// log_2(MOD_EXP_CTIME_MIN_CACHE_LINE_WIDTH).
+//
+// Window size thresholds are defined for cache line sizes of 32 and 64, cache
+// line sizes where log_2(32)=5 and log_2(64)=6 respectively. A window size of
+// 7 should only be used on processors that have a 128 byte or greater cache
+// line size.
#if MOD_EXP_CTIME_MIN_CACHE_LINE_WIDTH == 64
#define BN_window_bits_for_ctime_exponent_size(b) \
@@ -835,19 +835,18 @@
#endif
-/* Given a pointer value, compute the next address that is a cache line
- * multiple. */
+// Given a pointer value, compute the next address that is a cache line
+// multiple.
#define MOD_EXP_CTIME_ALIGN(x_) \
((unsigned char *)(x_) + \
(MOD_EXP_CTIME_MIN_CACHE_LINE_WIDTH - \
(((size_t)(x_)) & (MOD_EXP_CTIME_MIN_CACHE_LINE_MASK))))
-/* This variant of BN_mod_exp_mont() uses fixed windows and the special
- * precomputation memory layout to limit data-dependency to a minimum
- * to protect secret exponents (cf. the hyper-threading timing attacks
- * pointed out by Colin Percival,
- * http://www.daemonology.net/hyperthreading-considered-harmful/)
- */
+// This variant of BN_mod_exp_mont() uses fixed windows and the special
+// precomputation memory layout to limit data-dependency to a minimum
+// to protect secret exponents (cf. the hyper-threading timing attacks
+// pointed out by Colin Percival,
+// http://www.daemonology.net/hyperthreading-considered-harmful/)
int BN_mod_exp_mont_consttime(BIGNUM *rr, const BIGNUM *a, const BIGNUM *p,
const BIGNUM *m, BN_CTX *ctx,
const BN_MONT_CTX *mont) {
@@ -871,7 +870,7 @@
bits = BN_num_bits(p);
if (bits == 0) {
- /* x**0 mod 1 is still zero. */
+ // x**0 mod 1 is still zero.
if (BN_is_one(m)) {
BN_zero(rr);
return 1;
@@ -879,7 +878,7 @@
return BN_one(rr);
}
- /* Allocate a montgomery context if it was not supplied by the caller. */
+ // Allocate a montgomery context if it was not supplied by the caller.
if (mont == NULL) {
new_mont = BN_MONT_CTX_new();
if (new_mont == NULL || !BN_MONT_CTX_set(new_mont, m, ctx)) {
@@ -898,9 +897,9 @@
}
#ifdef RSAZ_ENABLED
- /* If the size of the operands allow it, perform the optimized
- * RSAZ exponentiation. For further information see
- * crypto/bn/rsaz_exp.c and accompanying assembly modules. */
+ // If the size of the operands allow it, perform the optimized
+ // RSAZ exponentiation. For further information see
+ // crypto/bn/rsaz_exp.c and accompanying assembly modules.
if ((16 == a->top) && (16 == p->top) && (BN_num_bits(m) == 1024) &&
rsaz_avx2_eligible()) {
if (!bn_wexpand(rr, 16)) {
@@ -915,19 +914,18 @@
}
#endif
- /* Get the window size to use with size of p. */
+ // Get the window size to use with size of p.
window = BN_window_bits_for_ctime_exponent_size(bits);
#if defined(OPENSSL_BN_ASM_MONT5)
if (window >= 5) {
- window = 5; /* ~5% improvement for RSA2048 sign, and even for RSA4096 */
- /* reserve space for mont->N.d[] copy */
+ window = 5; // ~5% improvement for RSA2048 sign, and even for RSA4096
+ // reserve space for mont->N.d[] copy
powerbufLen += top * sizeof(mont->N.d[0]);
}
#endif
- /* Allocate a buffer large enough to hold all of the pre-computed
- * powers of am, am itself and tmp.
- */
+ // Allocate a buffer large enough to hold all of the pre-computed
+ // powers of am, am itself and tmp.
numPowers = 1 << window;
powerbufLen +=
sizeof(m->d[0]) *
@@ -953,7 +951,7 @@
}
#endif
- /* lay down tmp and am right after powers table */
+ // lay down tmp and am right after powers table
tmp.d = (BN_ULONG *)(powerbuf + sizeof(m->d[0]) * top * numPowers);
am.d = tmp.d + top;
tmp.top = am.top = 0;
@@ -961,10 +959,10 @@
tmp.neg = am.neg = 0;
tmp.flags = am.flags = BN_FLG_STATIC_DATA;
-/* prepare a^0 in Montgomery domain */
-/* by Shay Gueron's suggestion */
+// prepare a^0 in Montgomery domain
+// by Shay Gueron's suggestion
if (m->d[top - 1] & (((BN_ULONG)1) << (BN_BITS2 - 1))) {
- /* 2^(top*BN_BITS2) - m */
+ // 2^(top*BN_BITS2) - m
tmp.d[0] = (0 - m->d[0]) & BN_MASK2;
for (i = 1; i < top; i++) {
tmp.d[i] = (~m->d[i]) & BN_MASK2;
@@ -974,7 +972,7 @@
goto err;
}
- /* prepare a^1 in Montgomery domain */
+ // prepare a^1 in Montgomery domain
assert(!a->neg);
assert(BN_ucmp(a, m) < 0);
if (!BN_to_montgomery(&am, a, mont, ctx)) {
@@ -982,18 +980,18 @@
}
#if defined(OPENSSL_BN_ASM_MONT5)
- /* This optimization uses ideas from http://eprint.iacr.org/2011/239,
- * specifically optimization of cache-timing attack countermeasures
- * and pre-computation optimization. */
+ // This optimization uses ideas from http://eprint.iacr.org/2011/239,
+ // specifically optimization of cache-timing attack countermeasures
+ // and pre-computation optimization.
- /* Dedicated window==4 case improves 512-bit RSA sign by ~15%, but as
- * 512-bit RSA is hardly relevant, we omit it to spare size... */
+ // Dedicated window==4 case improves 512-bit RSA sign by ~15%, but as
+ // 512-bit RSA is hardly relevant, we omit it to spare size...
if (window == 5 && top > 1) {
const BN_ULONG *n0 = mont->n0;
BN_ULONG *np;
- /* BN_to_montgomery can contaminate words above .top
- * [in BN_DEBUG[_DEBUG] build]... */
+ // BN_to_montgomery can contaminate words above .top
+ // [in BN_DEBUG[_DEBUG] build]...
for (i = am.top; i < top; i++) {
am.d[i] = 0;
}
@@ -1001,7 +999,7 @@
tmp.d[i] = 0;
}
- /* copy mont->N.d[] to improve cache locality */
+ // copy mont->N.d[] to improve cache locality
for (np = am.d + top, i = 0; i < top; i++) {
np[i] = mont->N.d[i];
}
@@ -1011,7 +1009,7 @@
bn_mul_mont(tmp.d, am.d, am.d, np, n0, top);
bn_scatter5(tmp.d, top, powerbuf, 2);
- /* same as above, but uses squaring for 1/2 of operations */
+ // same as above, but uses squaring for 1/2 of operations
for (i = 4; i < 32; i *= 2) {
bn_mul_mont(tmp.d, tmp.d, tmp.d, np, n0, top);
bn_scatter5(tmp.d, top, powerbuf, i);
@@ -1042,13 +1040,12 @@
}
bn_gather5(tmp.d, top, powerbuf, wvalue);
- /* At this point |bits| is 4 mod 5 and at least -1. (|bits| is the first bit
- * that has not been read yet.) */
+ // At this point |bits| is 4 mod 5 and at least -1. (|bits| is the first bit
+ // that has not been read yet.)
assert(bits >= -1 && (bits == -1 || bits % 5 == 4));
- /* Scan the exponent one window at a time starting from the most
- * significant bits.
- */
+ // Scan the exponent one window at a time starting from the most
+ // significant bits.
if (top & 7) {
while (bits >= 0) {
for (wvalue = 0, i = 0; i < 5; i++, bits--) {
@@ -1066,16 +1063,16 @@
const uint8_t *p_bytes = (const uint8_t *)p->d;
int max_bits = p->top * BN_BITS2;
assert(bits < max_bits);
- /* |p = 0| has been handled as a special case, so |max_bits| is at least
- * one word. */
+ // |p = 0| has been handled as a special case, so |max_bits| is at least
+ // one word.
assert(max_bits >= 64);
- /* If the first bit to be read lands in the last byte, unroll the first
- * iteration to avoid reading past the bounds of |p->d|. (After the first
- * iteration, we are guaranteed to be past the last byte.) Note |bits|
- * here is the top bit, inclusive. */
+ // If the first bit to be read lands in the last byte, unroll the first
+ // iteration to avoid reading past the bounds of |p->d|. (After the first
+ // iteration, we are guaranteed to be past the last byte.) Note |bits|
+ // here is the top bit, inclusive.
if (bits - 4 >= max_bits - 8) {
- /* Read five bits from |bits-4| through |bits|, inclusive. */
+ // Read five bits from |bits-4| through |bits|, inclusive.
wvalue = p_bytes[p->top * BN_BYTES - 1];
wvalue >>= (bits - 4) & 7;
wvalue &= 0x1f;
@@ -1083,7 +1080,7 @@
bn_power5(tmp.d, tmp.d, powerbuf, np, n0, top, wvalue);
}
while (bits >= 0) {
- /* Read five bits from |bits-4| through |bits|, inclusive. */
+ // Read five bits from |bits-4| through |bits|, inclusive.
int first_bit = bits - 4;
uint16_t val;
OPENSSL_memcpy(&val, p_bytes + (first_bit >> 3), sizeof(val));
@@ -1101,7 +1098,7 @@
if (!BN_copy(rr, &tmp)) {
ret = 0;
}
- goto err; /* non-zero ret means it's not error */
+ goto err; // non-zero ret means it's not error
}
} else
#endif
@@ -1111,18 +1108,17 @@
goto err;
}
- /* If the window size is greater than 1, then calculate
- * val[i=2..2^winsize-1]. Powers are computed as a*a^(i-1)
- * (even powers could instead be computed as (a^(i/2))^2
- * to use the slight performance advantage of sqr over mul).
- */
+ // If the window size is greater than 1, then calculate
+ // val[i=2..2^winsize-1]. Powers are computed as a*a^(i-1)
+ // (even powers could instead be computed as (a^(i/2))^2
+ // to use the slight performance advantage of sqr over mul).
if (window > 1) {
if (!BN_mod_mul_montgomery(&tmp, &am, &am, mont, ctx) ||
!copy_to_prebuf(&tmp, top, powerbuf, 2, window)) {
goto err;
}
for (i = 3; i < numPowers; i++) {
- /* Calculate a^i = a^(i-1) * a */
+ // Calculate a^i = a^(i-1) * a
if (!BN_mod_mul_montgomery(&tmp, &am, &tmp, mont, ctx) ||
!copy_to_prebuf(&tmp, top, powerbuf, i, window)) {
goto err;
@@ -1138,13 +1134,12 @@
goto err;
}
- /* Scan the exponent one window at a time starting from the most
- * significant bits.
- */
+ // Scan the exponent one window at a time starting from the most
+ // significant bits.
while (bits >= 0) {
- wvalue = 0; /* The 'value' of the window */
+ wvalue = 0; // The 'value' of the window
- /* Scan the window, squaring the result as we go */
+ // Scan the window, squaring the result as we go
for (i = 0; i < window; i++, bits--) {
if (!BN_mod_mul_montgomery(&tmp, &tmp, &tmp, mont, ctx)) {
goto err;
@@ -1152,19 +1147,19 @@
wvalue = (wvalue << 1) + BN_is_bit_set(p, bits);
}
- /* Fetch the appropriate pre-computed value from the pre-buf */
+ // Fetch the appropriate pre-computed value from the pre-buf
if (!copy_from_prebuf(&am, top, powerbuf, wvalue, window)) {
goto err;
}
- /* Multiply the result into the intermediate result */
+ // Multiply the result into the intermediate result
if (!BN_mod_mul_montgomery(&tmp, &tmp, &am, mont, ctx)) {
goto err;
}
}
}
- /* Convert the final result from montgomery to standard format */
+ // Convert the final result from montgomery to standard format
if (!BN_from_montgomery(rr, &tmp, mont, ctx)) {
goto err;
}
@@ -1212,7 +1207,7 @@
int ret = 0;
BN_MONT_CTX *new_mont = NULL;
- /* Allocate a montgomery context if it was not supplied by the caller. */
+ // Allocate a montgomery context if it was not supplied by the caller.
if (mont == NULL) {
new_mont = BN_MONT_CTX_new();
if (new_mont == NULL || !BN_MONT_CTX_set(new_mont, m, ctx)) {
@@ -1221,9 +1216,9 @@
mont = new_mont;
}
- /* BN_mod_mul_montgomery removes one Montgomery factor, so passing one
- * Montgomery-encoded and one non-Montgomery-encoded value gives a
- * non-Montgomery-encoded result. */
+ // BN_mod_mul_montgomery removes one Montgomery factor, so passing one
+ // Montgomery-encoded and one non-Montgomery-encoded value gives a
+ // non-Montgomery-encoded result.
if (!BN_mod_exp_mont(rr, a1, p1, m, ctx, mont) ||
!BN_mod_exp_mont(&tmp, a2, p2, m, ctx, mont) ||
!BN_to_montgomery(rr, rr, mont, ctx) ||
diff --git a/src/crypto/fipsmodule/bn/gcd.c b/src/crypto/fipsmodule/bn/gcd.c
index 7c20b8e..850d446 100644
--- a/src/crypto/fipsmodule/bn/gcd.c
+++ b/src/crypto/fipsmodule/bn/gcd.c
@@ -118,9 +118,9 @@
BIGNUM *t;
int shifts = 0;
- /* 0 <= b <= a */
+ // 0 <= b <= a
while (!BN_is_zero(b)) {
- /* 0 < b <= a */
+ // 0 < b <= a
if (BN_is_odd(a)) {
if (BN_is_odd(b)) {
@@ -136,7 +136,7 @@
b = t;
}
} else {
- /* a odd - b even */
+ // a odd - b even
if (!BN_rshift1(b, b)) {
goto err;
}
@@ -147,7 +147,7 @@
}
}
} else {
- /* a is even */
+ // a is even
if (BN_is_odd(b)) {
if (!BN_rshift1(a, a)) {
goto err;
@@ -158,7 +158,7 @@
b = t;
}
} else {
- /* a even - b even */
+ // a even - b even
if (!BN_rshift1(a, a)) {
goto err;
}
@@ -168,7 +168,7 @@
shifts++;
}
}
- /* 0 <= b <= a */
+ // 0 <= b <= a
}
if (shifts) {
@@ -224,7 +224,7 @@
return ret;
}
-/* solves ax == 1 (mod n) */
+// solves ax == 1 (mod n)
static int bn_mod_inverse_general(BIGNUM *out, int *out_no_inverse,
const BIGNUM *a, const BIGNUM *n,
BN_CTX *ctx);
@@ -264,30 +264,29 @@
}
A->neg = 0;
sign = -1;
- /* From B = a mod |n|, A = |n| it follows that
- *
- * 0 <= B < A,
- * -sign*X*a == B (mod |n|),
- * sign*Y*a == A (mod |n|).
- */
+ // From B = a mod |n|, A = |n| it follows that
+ //
+ // 0 <= B < A,
+ // -sign*X*a == B (mod |n|),
+ // sign*Y*a == A (mod |n|).
- /* Binary inversion algorithm; requires odd modulus. This is faster than the
- * general algorithm if the modulus is sufficiently small (about 400 .. 500
- * bits on 32-bit systems, but much more on 64-bit systems) */
+ // Binary inversion algorithm; requires odd modulus. This is faster than the
+ // general algorithm if the modulus is sufficiently small (about 400 .. 500
+ // bits on 32-bit systems, but much more on 64-bit systems)
int shift;
while (!BN_is_zero(B)) {
- /* 0 < B < |n|,
- * 0 < A <= |n|,
- * (1) -sign*X*a == B (mod |n|),
- * (2) sign*Y*a == A (mod |n|) */
+ // 0 < B < |n|,
+ // 0 < A <= |n|,
+ // (1) -sign*X*a == B (mod |n|),
+ // (2) sign*Y*a == A (mod |n|)
- /* Now divide B by the maximum possible power of two in the integers,
- * and divide X by the same value mod |n|.
- * When we're done, (1) still holds. */
+ // Now divide B by the maximum possible power of two in the integers,
+ // and divide X by the same value mod |n|.
+ // When we're done, (1) still holds.
shift = 0;
while (!BN_is_bit_set(B, shift)) {
- /* note that 0 < B */
+ // note that 0 < B
shift++;
if (BN_is_odd(X)) {
@@ -295,7 +294,7 @@
goto err;
}
}
- /* now X is even, so we can easily divide it by two */
+ // now X is even, so we can easily divide it by two
if (!BN_rshift1(X, X)) {
goto err;
}
@@ -306,10 +305,10 @@
}
}
- /* Same for A and Y. Afterwards, (2) still holds. */
+ // Same for A and Y. Afterwards, (2) still holds.
shift = 0;
while (!BN_is_bit_set(A, shift)) {
- /* note that 0 < A */
+ // note that 0 < A
shift++;
if (BN_is_odd(Y)) {
@@ -317,7 +316,7 @@
goto err;
}
}
- /* now Y is even */
+ // now Y is even
if (!BN_rshift1(Y, Y)) {
goto err;
}
@@ -328,32 +327,32 @@
}
}
- /* We still have (1) and (2).
- * Both A and B are odd.
- * The following computations ensure that
- *
- * 0 <= B < |n|,
- * 0 < A < |n|,
- * (1) -sign*X*a == B (mod |n|),
- * (2) sign*Y*a == A (mod |n|),
- *
- * and that either A or B is even in the next iteration. */
+ // We still have (1) and (2).
+ // Both A and B are odd.
+ // The following computations ensure that
+ //
+ // 0 <= B < |n|,
+ // 0 < A < |n|,
+ // (1) -sign*X*a == B (mod |n|),
+ // (2) sign*Y*a == A (mod |n|),
+ //
+ // and that either A or B is even in the next iteration.
if (BN_ucmp(B, A) >= 0) {
- /* -sign*(X + Y)*a == B - A (mod |n|) */
+ // -sign*(X + Y)*a == B - A (mod |n|)
if (!BN_uadd(X, X, Y)) {
goto err;
}
- /* NB: we could use BN_mod_add_quick(X, X, Y, n), but that
- * actually makes the algorithm slower */
+ // NB: we could use BN_mod_add_quick(X, X, Y, n), but that
+ // actually makes the algorithm slower
if (!BN_usub(B, B, A)) {
goto err;
}
} else {
- /* sign*(X + Y)*a == A - B (mod |n|) */
+ // sign*(X + Y)*a == A - B (mod |n|)
if (!BN_uadd(Y, Y, X)) {
goto err;
}
- /* as above, BN_mod_add_quick(Y, Y, X, n) would slow things down */
+ // as above, BN_mod_add_quick(Y, Y, X, n) would slow things down
if (!BN_usub(A, A, B)) {
goto err;
}
@@ -366,20 +365,20 @@
goto err;
}
- /* The while loop (Euclid's algorithm) ends when
- * A == gcd(a,n);
- * we have
- * sign*Y*a == A (mod |n|),
- * where Y is non-negative. */
+ // The while loop (Euclid's algorithm) ends when
+ // A == gcd(a,n);
+ // we have
+ // sign*Y*a == A (mod |n|),
+ // where Y is non-negative.
if (sign < 0) {
if (!BN_sub(Y, n, Y)) {
goto err;
}
}
- /* Now Y*a == A (mod |n|). */
+ // Now Y*a == A (mod |n|).
- /* Y*a == 1 (mod |n|) */
+ // Y*a == 1 (mod |n|)
if (!Y->neg && BN_ucmp(Y, n) < 0) {
if (!BN_copy(R, Y)) {
goto err;
@@ -470,11 +469,11 @@
return ret;
}
-/* bn_mod_inverse_general is the general inversion algorithm that works for
- * both even and odd |n|. It was specifically designed to contain fewer
- * branches that may leak sensitive information; see "New Branch Prediction
- * Vulnerabilities in OpenSSL and Necessary Software Countermeasures" by
- * Onur Acıçmez, Shay Gueron, and Jean-Pierre Seifert. */
+// bn_mod_inverse_general is the general inversion algorithm that works for
+// both even and odd |n|. It was specifically designed to contain fewer
+// branches that may leak sensitive information; see "New Branch Prediction
+// Vulnerabilities in OpenSSL and Necessary Software Countermeasures" by
+// Onur Acıçmez, Shay Gueron, and Jean-Pierre Seifert.
static int bn_mod_inverse_general(BIGNUM *out, int *out_no_inverse,
const BIGNUM *a, const BIGNUM *n,
BN_CTX *ctx) {
@@ -505,58 +504,53 @@
A->neg = 0;
sign = -1;
- /* From B = a mod |n|, A = |n| it follows that
- *
- * 0 <= B < A,
- * -sign*X*a == B (mod |n|),
- * sign*Y*a == A (mod |n|).
- */
+ // From B = a mod |n|, A = |n| it follows that
+ //
+ // 0 <= B < A,
+ // -sign*X*a == B (mod |n|),
+ // sign*Y*a == A (mod |n|).
while (!BN_is_zero(B)) {
BIGNUM *tmp;
- /*
- * 0 < B < A,
- * (*) -sign*X*a == B (mod |n|),
- * sign*Y*a == A (mod |n|)
- */
+ // 0 < B < A,
+ // (*) -sign*X*a == B (mod |n|),
+ // sign*Y*a == A (mod |n|)
- /* (D, M) := (A/B, A%B) ... */
+ // (D, M) := (A/B, A%B) ...
if (!BN_div(D, M, A, B, ctx)) {
goto err;
}
- /* Now
- * A = D*B + M;
- * thus we have
- * (**) sign*Y*a == D*B + M (mod |n|).
- */
+ // Now
+ // A = D*B + M;
+ // thus we have
+ // (**) sign*Y*a == D*B + M (mod |n|).
- tmp = A; /* keep the BIGNUM object, the value does not matter */
+ tmp = A; // keep the BIGNUM object, the value does not matter
- /* (A, B) := (B, A mod B) ... */
+ // (A, B) := (B, A mod B) ...
A = B;
B = M;
- /* ... so we have 0 <= B < A again */
+ // ... so we have 0 <= B < A again
- /* Since the former M is now B and the former B is now A,
- * (**) translates into
- * sign*Y*a == D*A + B (mod |n|),
- * i.e.
- * sign*Y*a - D*A == B (mod |n|).
- * Similarly, (*) translates into
- * -sign*X*a == A (mod |n|).
- *
- * Thus,
- * sign*Y*a + D*sign*X*a == B (mod |n|),
- * i.e.
- * sign*(Y + D*X)*a == B (mod |n|).
- *
- * So if we set (X, Y, sign) := (Y + D*X, X, -sign), we arrive back at
- * -sign*X*a == B (mod |n|),
- * sign*Y*a == A (mod |n|).
- * Note that X and Y stay non-negative all the time.
- */
+ // Since the former M is now B and the former B is now A,
+ // (**) translates into
+ // sign*Y*a == D*A + B (mod |n|),
+ // i.e.
+ // sign*Y*a - D*A == B (mod |n|).
+ // Similarly, (*) translates into
+ // -sign*X*a == A (mod |n|).
+ //
+ // Thus,
+ // sign*Y*a + D*sign*X*a == B (mod |n|),
+ // i.e.
+ // sign*(Y + D*X)*a == B (mod |n|).
+ //
+ // So if we set (X, Y, sign) := (Y + D*X, X, -sign), we arrive back at
+ // -sign*X*a == B (mod |n|),
+ // sign*Y*a == A (mod |n|).
+ // Note that X and Y stay non-negative all the time.
if (!BN_mul(tmp, D, X, ctx)) {
goto err;
@@ -565,7 +559,7 @@
goto err;
}
- M = Y; /* keep the BIGNUM object, the value does not matter */
+ M = Y; // keep the BIGNUM object, the value does not matter
Y = X;
X = tmp;
sign = -sign;
@@ -577,22 +571,20 @@
goto err;
}
- /*
- * The while loop (Euclid's algorithm) ends when
- * A == gcd(a,n);
- * we have
- * sign*Y*a == A (mod |n|),
- * where Y is non-negative.
- */
+ // The while loop (Euclid's algorithm) ends when
+ // A == gcd(a,n);
+ // we have
+ // sign*Y*a == A (mod |n|),
+ // where Y is non-negative.
if (sign < 0) {
if (!BN_sub(Y, n, Y)) {
goto err;
}
}
- /* Now Y*a == A (mod |n|). */
+ // Now Y*a == A (mod |n|).
- /* Y*a == 1 (mod |n|) */
+ // Y*a == 1 (mod |n|)
if (!Y->neg && BN_ucmp(Y, n) < 0) {
if (!BN_copy(R, Y)) {
goto err;
diff --git a/src/crypto/fipsmodule/bn/generic.c b/src/crypto/fipsmodule/bn/generic.c
index 3d98689..b70080f 100644
--- a/src/crypto/fipsmodule/bn/generic.c
+++ b/src/crypto/fipsmodule/bn/generic.c
@@ -61,8 +61,8 @@
#include "internal.h"
-/* This file has two other implementations: x86 assembly language in
- * asm/bn-586.pl and x86_64 inline assembly in asm/x86_64-gcc.c. */
+// This file has two other implementations: x86 assembly language in
+// asm/bn-586.pl and x86_64 inline assembly in asm/x86_64-gcc.c.
#if defined(OPENSSL_NO_ASM) || \
!(defined(OPENSSL_X86) || (defined(OPENSSL_X86_64) && defined(__GNUC__)))
@@ -122,7 +122,7 @@
BN_UMULT_LOHI(r0, r1, tmp, tmp); \
} while (0)
-#endif /* !BN_ULLONG */
+#endif // !BN_ULLONG
BN_ULONG bn_mul_add_words(BN_ULONG *rp, const BN_ULONG *ap, int num,
BN_ULONG w) {
@@ -242,7 +242,7 @@
return (BN_ULONG)ll;
}
-#else /* !BN_ULLONG */
+#else // !BN_ULLONG
BN_ULONG bn_add_words(BN_ULONG *r, const BN_ULONG *a, const BN_ULONG *b,
int n) {
@@ -299,7 +299,7 @@
return (BN_ULONG)c;
}
-#endif /* !BN_ULLONG */
+#endif // !BN_ULLONG
BN_ULONG bn_sub_words(BN_ULONG *r, const BN_ULONG *a, const BN_ULONG *b,
int n) {
@@ -356,15 +356,15 @@
return c;
}
-/* mul_add_c(a,b,c0,c1,c2) -- c+=a*b for three word number c=(c2,c1,c0) */
-/* mul_add_c2(a,b,c0,c1,c2) -- c+=2*a*b for three word number c=(c2,c1,c0) */
-/* sqr_add_c(a,i,c0,c1,c2) -- c+=a[i]^2 for three word number c=(c2,c1,c0) */
-/* sqr_add_c2(a,i,c0,c1,c2) -- c+=2*a[i]*a[j] for three word number c=(c2,c1,c0) */
+// mul_add_c(a,b,c0,c1,c2) -- c+=a*b for three word number c=(c2,c1,c0)
+// mul_add_c2(a,b,c0,c1,c2) -- c+=2*a*b for three word number c=(c2,c1,c0)
+// sqr_add_c(a,i,c0,c1,c2) -- c+=a[i]^2 for three word number c=(c2,c1,c0)
+// sqr_add_c2(a,i,c0,c1,c2) -- c+=2*a[i]*a[j] for three word number c=(c2,c1,c0)
#ifdef BN_ULLONG
-/* Keep in mind that additions to multiplication result can not overflow,
- * because its high half cannot be all-ones. */
+// Keep in mind that additions to multiplication result can not overflow,
+// because its high half cannot be all-ones.
#define mul_add_c(a, b, c0, c1, c2) \
do { \
BN_ULONG hi; \
@@ -415,8 +415,8 @@
#else
-/* Keep in mind that additions to hi can not overflow, because the high word of
- * a multiplication result cannot be all-ones. */
+// Keep in mind that additions to hi can not overflow, because the high word of
+// a multiplication result cannot be all-ones.
#define mul_add_c(a, b, c0, c1, c2) \
do { \
BN_ULONG ta = (a), tb = (b); \
@@ -456,7 +456,7 @@
#define sqr_add_c2(a, i, j, c0, c1, c2) mul_add_c2((a)[i], (a)[j], c0, c1, c2)
-#endif /* !BN_ULLONG */
+#endif // !BN_ULLONG
void bn_mul_comba8(BN_ULONG *r, BN_ULONG *a, BN_ULONG *b) {
BN_ULONG c1, c2, c3;
diff --git a/src/crypto/fipsmodule/bn/internal.h b/src/crypto/fipsmodule/bn/internal.h
index 092e759..ecd7d6c 100644
--- a/src/crypto/fipsmodule/bn/internal.h
+++ b/src/crypto/fipsmodule/bn/internal.h
@@ -141,7 +141,7 @@
#if defined(OPENSSL_64_BIT)
#if !defined(_MSC_VER)
-/* MSVC doesn't support two-word integers on 64-bit. */
+// MSVC doesn't support two-word integers on 64-bit.
#define BN_ULLONG uint128_t
#endif
@@ -168,11 +168,11 @@
#define BN_MASK2l (0xffffUL)
#define BN_MASK2h1 (0xffff8000UL)
#define BN_MASK2h (0xffff0000UL)
-/* On some 32-bit platforms, Montgomery multiplication is done using 64-bit
- * arithmetic with SIMD instructions. On such platforms, |BN_MONT_CTX::n0|
- * needs to be two words long. Only certain 32-bit platforms actually make use
- * of n0[1] and shorter R value would suffice for the others. However,
- * currently only the assembly files know which is which. */
+// On some 32-bit platforms, Montgomery multiplication is done using 64-bit
+// arithmetic with SIMD instructions. On such platforms, |BN_MONT_CTX::n0|
+// needs to be two words long. Only certain 32-bit platforms actually make use
+// of n0[1] and shorter R value would suffice for the others. However,
+// currently only the assembly files know which is which.
#define BN_MONT_CTX_N0_LIMBS 2
#define BN_TBIT (0x80000000UL)
#define BN_DEC_CONV (1000000000UL)
@@ -195,21 +195,21 @@
#define Hw(t) (((BN_ULONG)((t)>>BN_BITS2))&BN_MASK2)
#endif
-/* bn_correct_top decrements |bn->top| until |bn->d[top-1]| is non-zero or
- * until |top| is zero. If |bn| is zero, |bn->neg| is set to zero. */
+// bn_correct_top decrements |bn->top| until |bn->d[top-1]| is non-zero or
+// until |top| is zero. If |bn| is zero, |bn->neg| is set to zero.
void bn_correct_top(BIGNUM *bn);
-/* bn_wexpand ensures that |bn| has at least |words| works of space without
- * altering its value. It returns one on success or zero on allocation
- * failure. */
+// bn_wexpand ensures that |bn| has at least |words| works of space without
+// altering its value. It returns one on success or zero on allocation
+// failure.
int bn_wexpand(BIGNUM *bn, size_t words);
-/* bn_expand acts the same as |bn_wexpand|, but takes a number of bits rather
- * than a number of words. */
+// bn_expand acts the same as |bn_wexpand|, but takes a number of bits rather
+// than a number of words.
int bn_expand(BIGNUM *bn, size_t bits);
-/* bn_set_words sets |bn| to the value encoded in the |num| words in |words|,
- * least significant word first. */
+// bn_set_words sets |bn| to the value encoded in the |num| words in |words|,
+// least significant word first.
int bn_set_words(BIGNUM *bn, const BN_ULONG *words, size_t num);
BN_ULONG bn_mul_add_words(BN_ULONG *rp, const BN_ULONG *ap, int num, BN_ULONG w);
@@ -223,14 +223,14 @@
void bn_sqr_comba8(BN_ULONG *r, const BN_ULONG *a);
void bn_sqr_comba4(BN_ULONG *r, const BN_ULONG *a);
-/* bn_cmp_words returns a value less than, equal to or greater than zero if
- * the, length |n|, array |a| is less than, equal to or greater than |b|. */
+// bn_cmp_words returns a value less than, equal to or greater than zero if
+// the, length |n|, array |a| is less than, equal to or greater than |b|.
int bn_cmp_words(const BN_ULONG *a, const BN_ULONG *b, int n);
-/* bn_cmp_words returns a value less than, equal to or greater than zero if the
- * array |a| is less than, equal to or greater than |b|. The arrays can be of
- * different lengths: |cl| gives the minimum of the two lengths and |dl| gives
- * the length of |a| minus the length of |b|. */
+// bn_cmp_words returns a value less than, equal to or greater than zero if the
+// array |a| is less than, equal to or greater than |b|. The arrays can be of
+// different lengths: |cl| gives the minimum of the two lengths and |dl| gives
+// the length of |a| minus the length of |b|.
int bn_cmp_part_words(const BN_ULONG *a, const BN_ULONG *b, int cl, int dl);
int bn_mul_mont(BN_ULONG *rp, const BN_ULONG *ap, const BN_ULONG *bp,
@@ -247,25 +247,25 @@
#error "Either BN_ULLONG or BN_UMULT_LOHI must be defined on every platform."
#endif
-/* bn_mod_inverse_prime sets |out| to the modular inverse of |a| modulo |p|,
- * computed with Fermat's Little Theorem. It returns one on success and zero on
- * error. If |mont_p| is NULL, one will be computed temporarily. */
+// bn_mod_inverse_prime sets |out| to the modular inverse of |a| modulo |p|,
+// computed with Fermat's Little Theorem. It returns one on success and zero on
+// error. If |mont_p| is NULL, one will be computed temporarily.
int bn_mod_inverse_prime(BIGNUM *out, const BIGNUM *a, const BIGNUM *p,
BN_CTX *ctx, const BN_MONT_CTX *mont_p);
-/* bn_mod_inverse_secret_prime behaves like |bn_mod_inverse_prime| but uses
- * |BN_mod_exp_mont_consttime| instead of |BN_mod_exp_mont| in hopes of
- * protecting the exponent. */
+// bn_mod_inverse_secret_prime behaves like |bn_mod_inverse_prime| but uses
+// |BN_mod_exp_mont_consttime| instead of |BN_mod_exp_mont| in hopes of
+// protecting the exponent.
int bn_mod_inverse_secret_prime(BIGNUM *out, const BIGNUM *a, const BIGNUM *p,
BN_CTX *ctx, const BN_MONT_CTX *mont_p);
-/* bn_jacobi returns the Jacobi symbol of |a| and |b| (which is -1, 0 or 1), or
- * -2 on error. */
+// bn_jacobi returns the Jacobi symbol of |a| and |b| (which is -1, 0 or 1), or
+// -2 on error.
int bn_jacobi(const BIGNUM *a, const BIGNUM *b, BN_CTX *ctx);
#if defined(__cplusplus)
-} /* extern C */
+} // extern C
#endif
-#endif /* OPENSSL_HEADER_BN_INTERNAL_H */
+#endif // OPENSSL_HEADER_BN_INTERNAL_H
diff --git a/src/crypto/fipsmodule/bn/jacobi.c b/src/crypto/fipsmodule/bn/jacobi.c
index 93e8fd9..9c909bb 100644
--- a/src/crypto/fipsmodule/bn/jacobi.c
+++ b/src/crypto/fipsmodule/bn/jacobi.c
@@ -57,24 +57,24 @@
#include "internal.h"
-/* least significant word */
+// least significant word
#define BN_lsw(n) (((n)->top == 0) ? (BN_ULONG) 0 : (n)->d[0])
int bn_jacobi(const BIGNUM *a, const BIGNUM *b, BN_CTX *ctx) {
- /* In 'tab', only odd-indexed entries are relevant:
- * For any odd BIGNUM n,
- * tab[BN_lsw(n) & 7]
- * is $(-1)^{(n^2-1)/8}$ (using TeX notation).
- * Note that the sign of n does not matter. */
+ // In 'tab', only odd-indexed entries are relevant:
+ // For any odd BIGNUM n,
+ // tab[BN_lsw(n) & 7]
+ // is $(-1)^{(n^2-1)/8}$ (using TeX notation).
+ // Note that the sign of n does not matter.
static const int tab[8] = {0, 1, 0, -1, 0, -1, 0, 1};
- /* The Jacobi symbol is only defined for odd modulus. */
+ // The Jacobi symbol is only defined for odd modulus.
if (!BN_is_odd(b)) {
OPENSSL_PUT_ERROR(BN, BN_R_CALLED_WITH_EVEN_MODULUS);
return -2;
}
- /* Require b be positive. */
+ // Require b be positive.
if (BN_is_negative(b)) {
OPENSSL_PUT_ERROR(BN, BN_R_NEGATIVE_NUMBER);
return -2;
@@ -93,22 +93,22 @@
goto end;
}
- /* Adapted from logic to compute the Kronecker symbol, originally implemented
- * according to Henri Cohen, "A Course in Computational Algebraic Number
- * Theory" (algorithm 1.4.10). */
+ // Adapted from logic to compute the Kronecker symbol, originally implemented
+ // according to Henri Cohen, "A Course in Computational Algebraic Number
+ // Theory" (algorithm 1.4.10).
ret = 1;
while (1) {
- /* Cohen's step 3: */
+ // Cohen's step 3:
- /* B is positive and odd */
+ // B is positive and odd
if (BN_is_zero(A)) {
ret = BN_is_one(B) ? ret : 0;
goto end;
}
- /* now A is non-zero */
+ // now A is non-zero
int i = 0;
while (!BN_is_bit_set(A, i)) {
i++;
@@ -118,18 +118,18 @@
goto end;
}
if (i & 1) {
- /* i is odd */
- /* multiply 'ret' by $(-1)^{(B^2-1)/8}$ */
+ // i is odd
+ // multiply 'ret' by $(-1)^{(B^2-1)/8}$
ret = ret * tab[BN_lsw(B) & 7];
}
- /* Cohen's step 4: */
- /* multiply 'ret' by $(-1)^{(A-1)(B-1)/4}$ */
+ // Cohen's step 4:
+ // multiply 'ret' by $(-1)^{(A-1)(B-1)/4}$
if ((A->neg ? ~BN_lsw(A) : BN_lsw(A)) & BN_lsw(B) & 2) {
ret = -ret;
}
- /* (A, B) := (B mod |A|, |A|) */
+ // (A, B) := (B mod |A|, |A|)
if (!BN_nnmod(B, B, A, ctx)) {
ret = -2;
goto end;
diff --git a/src/crypto/fipsmodule/bn/montgomery.c b/src/crypto/fipsmodule/bn/montgomery.c
index d70509f..8024e27 100644
--- a/src/crypto/fipsmodule/bn/montgomery.c
+++ b/src/crypto/fipsmodule/bn/montgomery.c
@@ -187,18 +187,18 @@
return 0;
}
- /* Save the modulus. */
+ // Save the modulus.
if (!BN_copy(&mont->N, mod)) {
OPENSSL_PUT_ERROR(BN, ERR_R_INTERNAL_ERROR);
return 0;
}
- /* Find n0 such that n0 * N == -1 (mod r).
- *
- * Only certain BN_BITS2<=32 platforms actually make use of n0[1]. For the
- * others, we could use a shorter R value and use faster |BN_ULONG|-based
- * math instead of |uint64_t|-based math, which would be double-precision.
- * However, currently only the assembler files know which is which. */
+ // Find n0 such that n0 * N == -1 (mod r).
+ //
+ // Only certain BN_BITS2<=32 platforms actually make use of n0[1]. For the
+ // others, we could use a shorter R value and use faster |BN_ULONG|-based
+ // math instead of |uint64_t|-based math, which would be double-precision.
+ // However, currently only the assembler files know which is which.
uint64_t n0 = bn_mont_n0(mod);
mont->n0[0] = (BN_ULONG)n0;
#if BN_MONT_CTX_N0_LIMBS == 2
@@ -207,14 +207,14 @@
mont->n0[1] = 0;
#endif
- /* Save RR = R**2 (mod N). R is the smallest power of 2**BN_BITS such that R
- * > mod. Even though the assembly on some 32-bit platforms works with 64-bit
- * values, using |BN_BITS2| here, rather than |BN_MONT_CTX_N0_LIMBS *
- * BN_BITS2|, is correct because R**2 will still be a multiple of the latter
- * as |BN_MONT_CTX_N0_LIMBS| is either one or two.
- *
- * XXX: This is not constant time with respect to |mont->N|, but it should
- * be. */
+ // Save RR = R**2 (mod N). R is the smallest power of 2**BN_BITS such that R
+ // > mod. Even though the assembly on some 32-bit platforms works with 64-bit
+ // values, using |BN_BITS2| here, rather than |BN_MONT_CTX_N0_LIMBS *
+ // BN_BITS2|, is correct because R**2 will still be a multiple of the latter
+ // as |BN_MONT_CTX_N0_LIMBS| is either one or two.
+ //
+ // XXX: This is not constant time with respect to |mont->N|, but it should
+ // be.
unsigned lgBigR = (BN_num_bits(mod) + (BN_BITS2 - 1)) / BN_BITS2 * BN_BITS2;
if (!bn_mod_exp_base_2_vartime(&mont->RR, lgBigR * 2, &mont->N)) {
return 0;
@@ -272,7 +272,7 @@
return 1;
}
- max = (2 * nl); /* carry is stored separately */
+ max = (2 * nl); // carry is stored separately
if (!bn_wexpand(r, max)) {
return 0;
}
@@ -281,7 +281,7 @@
np = n->d;
rp = r->d;
- /* clear the top words of T */
+ // clear the top words of T
if (max > r->top) {
OPENSSL_memset(&rp[r->top], 0, (max - r->top) * sizeof(BN_ULONG));
}
@@ -311,8 +311,8 @@
uintptr_t m;
v = bn_sub_words(rp, ap, np, nl) - carry;
- /* if subtraction result is real, then trick unconditional memcpy below to
- * perform in-place "refresh" instead of actual copy. */
+ // if subtraction result is real, then trick unconditional memcpy below to
+ // perform in-place "refresh" instead of actual copy.
m = (0u - (uintptr_t)v);
nrp = (BN_ULONG *)(((uintptr_t)rp & ~m) | ((uintptr_t)ap & m));
@@ -371,7 +371,7 @@
#else
int num = mont->N.top;
- /* |bn_mul_mont| requires at least 128 bits of limbs, at least for x86. */
+ // |bn_mul_mont| requires at least 128 bits of limbs, at least for x86.
if (num < (128 / BN_BITS2) ||
a->top != num ||
b->top != num) {
@@ -382,7 +382,7 @@
return 0;
}
if (!bn_mul_mont(r->d, a->d, b->d, mont->N.d, mont->n0, num)) {
- /* The check above ensures this won't happen. */
+ // The check above ensures this won't happen.
assert(0);
OPENSSL_PUT_ERROR(BN, ERR_R_INTERNAL_ERROR);
return 0;
@@ -417,7 +417,7 @@
}
}
- /* reduce from aRR to aR */
+ // reduce from aRR to aR
if (!BN_from_montgomery_word(r, tmp, mont)) {
goto err;
}
diff --git a/src/crypto/fipsmodule/bn/montgomery_inv.c b/src/crypto/fipsmodule/bn/montgomery_inv.c
index aa2574b..c3c788a 100644
--- a/src/crypto/fipsmodule/bn/montgomery_inv.c
+++ b/src/crypto/fipsmodule/bn/montgomery_inv.c
@@ -28,47 +28,47 @@
BN_MONT_CTX_N0_LIMBS * sizeof(BN_ULONG),
BN_MONT_CTX_N0_LIMBS_DOES_NOT_MATCH_UINT64_T);
-/* LG_LITTLE_R is log_2(r). */
+// LG_LITTLE_R is log_2(r).
#define LG_LITTLE_R (BN_MONT_CTX_N0_LIMBS * BN_BITS2)
uint64_t bn_mont_n0(const BIGNUM *n) {
- /* These conditions are checked by the caller, |BN_MONT_CTX_set|. */
+ // These conditions are checked by the caller, |BN_MONT_CTX_set|.
assert(!BN_is_zero(n));
assert(!BN_is_negative(n));
assert(BN_is_odd(n));
- /* r == 2**(BN_MONT_CTX_N0_LIMBS * BN_BITS2) and LG_LITTLE_R == lg(r). This
- * ensures that we can do integer division by |r| by simply ignoring
- * |BN_MONT_CTX_N0_LIMBS| limbs. Similarly, we can calculate values modulo
- * |r| by just looking at the lowest |BN_MONT_CTX_N0_LIMBS| limbs. This is
- * what makes Montgomery multiplication efficient.
- *
- * As shown in Algorithm 1 of "Fast Prime Field Elliptic Curve Cryptography
- * with 256 Bit Primes" by Shay Gueron and Vlad Krasnov, in the loop of a
- * multi-limb Montgomery multiplication of |a * b (mod n)|, given the
- * unreduced product |t == a * b|, we repeatedly calculate:
- *
- * t1 := t % r |t1| is |t|'s lowest limb (see previous paragraph).
- * t2 := t1*n0*n
- * t3 := t + t2
- * t := t3 / r copy all limbs of |t3| except the lowest to |t|.
- *
- * In the last step, it would only make sense to ignore the lowest limb of
- * |t3| if it were zero. The middle steps ensure that this is the case:
- *
- * t3 == 0 (mod r)
- * t + t2 == 0 (mod r)
- * t + t1*n0*n == 0 (mod r)
- * t1*n0*n == -t (mod r)
- * t*n0*n == -t (mod r)
- * n0*n == -1 (mod r)
- * n0 == -1/n (mod r)
- *
- * Thus, in each iteration of the loop, we multiply by the constant factor
- * |n0|, the negative inverse of n (mod r). */
+ // r == 2**(BN_MONT_CTX_N0_LIMBS * BN_BITS2) and LG_LITTLE_R == lg(r). This
+ // ensures that we can do integer division by |r| by simply ignoring
+ // |BN_MONT_CTX_N0_LIMBS| limbs. Similarly, we can calculate values modulo
+ // |r| by just looking at the lowest |BN_MONT_CTX_N0_LIMBS| limbs. This is
+ // what makes Montgomery multiplication efficient.
+ //
+ // As shown in Algorithm 1 of "Fast Prime Field Elliptic Curve Cryptography
+ // with 256 Bit Primes" by Shay Gueron and Vlad Krasnov, in the loop of a
+ // multi-limb Montgomery multiplication of |a * b (mod n)|, given the
+ // unreduced product |t == a * b|, we repeatedly calculate:
+ //
+ // t1 := t % r |t1| is |t|'s lowest limb (see previous paragraph).
+ // t2 := t1*n0*n
+ // t3 := t + t2
+ // t := t3 / r copy all limbs of |t3| except the lowest to |t|.
+ //
+ // In the last step, it would only make sense to ignore the lowest limb of
+ // |t3| if it were zero. The middle steps ensure that this is the case:
+ //
+ // t3 == 0 (mod r)
+ // t + t2 == 0 (mod r)
+ // t + t1*n0*n == 0 (mod r)
+ // t1*n0*n == -t (mod r)
+ // t*n0*n == -t (mod r)
+ // n0*n == -1 (mod r)
+ // n0 == -1/n (mod r)
+ //
+ // Thus, in each iteration of the loop, we multiply by the constant factor
+ // |n0|, the negative inverse of n (mod r).
- /* n_mod_r = n % r. As explained above, this is done by taking the lowest
- * |BN_MONT_CTX_N0_LIMBS| limbs of |n|. */
+ // n_mod_r = n % r. As explained above, this is done by taking the lowest
+ // |BN_MONT_CTX_N0_LIMBS| limbs of |n|.
uint64_t n_mod_r = n->d[0];
#if BN_MONT_CTX_N0_LIMBS == 2
if (n->top > 1) {
@@ -79,32 +79,32 @@
return bn_neg_inv_mod_r_u64(n_mod_r);
}
-/* bn_neg_inv_r_mod_n_u64 calculates the -1/n mod r; i.e. it calculates |v|
- * such that u*r - v*n == 1. |r| is the constant defined in |bn_mont_n0|. |n|
- * must be odd.
- *
- * This is derived from |xbinGCD| in Henry S. Warren, Jr.'s "Montgomery
- * Multiplication" (http://www.hackersdelight.org/MontgomeryMultiplication.pdf).
- * It is very similar to the MODULAR-INVERSE function in Stephen R. Dussé's and
- * Burton S. Kaliski Jr.'s "A Cryptographic Library for the Motorola DSP56000"
- * (http://link.springer.com/chapter/10.1007%2F3-540-46877-3_21).
- *
- * This is inspired by Joppe W. Bos's "Constant Time Modular Inversion"
- * (http://www.joppebos.com/files/CTInversion.pdf) so that the inversion is
- * constant-time with respect to |n|. We assume uint64_t additions,
- * subtractions, shifts, and bitwise operations are all constant time, which
- * may be a large leap of faith on 32-bit targets. We avoid division and
- * multiplication, which tend to be the most problematic in terms of timing
- * leaks.
- *
- * Most GCD implementations return values such that |u*r + v*n == 1|, so the
- * caller would have to negate the resultant |v| for the purpose of Montgomery
- * multiplication. This implementation does the negation implicitly by doing
- * the computations as a difference instead of a sum. */
+// bn_neg_inv_r_mod_n_u64 calculates the -1/n mod r; i.e. it calculates |v|
+// such that u*r - v*n == 1. |r| is the constant defined in |bn_mont_n0|. |n|
+// must be odd.
+//
+// This is derived from |xbinGCD| in Henry S. Warren, Jr.'s "Montgomery
+// Multiplication" (http://www.hackersdelight.org/MontgomeryMultiplication.pdf).
+// It is very similar to the MODULAR-INVERSE function in Stephen R. Dussé's and
+// Burton S. Kaliski Jr.'s "A Cryptographic Library for the Motorola DSP56000"
+// (http://link.springer.com/chapter/10.1007%2F3-540-46877-3_21).
+//
+// This is inspired by Joppe W. Bos's "Constant Time Modular Inversion"
+// (http://www.joppebos.com/files/CTInversion.pdf) so that the inversion is
+// constant-time with respect to |n|. We assume uint64_t additions,
+// subtractions, shifts, and bitwise operations are all constant time, which
+// may be a large leap of faith on 32-bit targets. We avoid division and
+// multiplication, which tend to be the most problematic in terms of timing
+// leaks.
+//
+// Most GCD implementations return values such that |u*r + v*n == 1|, so the
+// caller would have to negate the resultant |v| for the purpose of Montgomery
+// multiplication. This implementation does the negation implicitly by doing
+// the computations as a difference instead of a sum.
static uint64_t bn_neg_inv_mod_r_u64(uint64_t n) {
assert(n % 2 == 1);
- /* alpha == 2**(lg r - 1) == r / 2. */
+ // alpha == 2**(lg r - 1) == r / 2.
static const uint64_t alpha = UINT64_C(1) << (LG_LITTLE_R - 1);
const uint64_t beta = n;
@@ -112,46 +112,46 @@
uint64_t u = 1;
uint64_t v = 0;
- /* The invariant maintained from here on is:
- * 2**(lg r - i) == u*2*alpha - v*beta. */
+ // The invariant maintained from here on is:
+ // 2**(lg r - i) == u*2*alpha - v*beta.
for (size_t i = 0; i < LG_LITTLE_R; ++i) {
#if BN_BITS2 == 64 && defined(BN_ULLONG)
assert((BN_ULLONG)(1) << (LG_LITTLE_R - i) ==
((BN_ULLONG)u * 2 * alpha) - ((BN_ULLONG)v * beta));
#endif
- /* Delete a common factor of 2 in u and v if |u| is even. Otherwise, set
- * |u = (u + beta) / 2| and |v = (v / 2) + alpha|. */
+ // Delete a common factor of 2 in u and v if |u| is even. Otherwise, set
+ // |u = (u + beta) / 2| and |v = (v / 2) + alpha|.
- uint64_t u_is_odd = UINT64_C(0) - (u & 1); /* Either 0xff..ff or 0. */
+ uint64_t u_is_odd = UINT64_C(0) - (u & 1); // Either 0xff..ff or 0.
- /* The addition can overflow, so use Dietz's method for it.
- *
- * Dietz calculates (x+y)/2 by (x⊕y)>>1 + x&y. This is valid for all
- * (unsigned) x and y, even when x+y overflows. Evidence for 32-bit values
- * (embedded in 64 bits to so that overflow can be ignored):
- *
- * (declare-fun x () (_ BitVec 64))
- * (declare-fun y () (_ BitVec 64))
- * (assert (let (
- * (one (_ bv1 64))
- * (thirtyTwo (_ bv32 64)))
- * (and
- * (bvult x (bvshl one thirtyTwo))
- * (bvult y (bvshl one thirtyTwo))
- * (not (=
- * (bvadd (bvlshr (bvxor x y) one) (bvand x y))
- * (bvlshr (bvadd x y) one)))
- * )))
- * (check-sat) */
- uint64_t beta_if_u_is_odd = beta & u_is_odd; /* Either |beta| or 0. */
+ // The addition can overflow, so use Dietz's method for it.
+ //
+ // Dietz calculates (x+y)/2 by (x⊕y)>>1 + x&y. This is valid for all
+ // (unsigned) x and y, even when x+y overflows. Evidence for 32-bit values
+ // (embedded in 64 bits to so that overflow can be ignored):
+ //
+ // (declare-fun x () (_ BitVec 64))
+ // (declare-fun y () (_ BitVec 64))
+ // (assert (let (
+ // (one (_ bv1 64))
+ // (thirtyTwo (_ bv32 64)))
+ // (and
+ // (bvult x (bvshl one thirtyTwo))
+ // (bvult y (bvshl one thirtyTwo))
+ // (not (=
+ // (bvadd (bvlshr (bvxor x y) one) (bvand x y))
+ // (bvlshr (bvadd x y) one)))
+ // )))
+ // (check-sat)
+ uint64_t beta_if_u_is_odd = beta & u_is_odd; // Either |beta| or 0.
u = ((u ^ beta_if_u_is_odd) >> 1) + (u & beta_if_u_is_odd);
- uint64_t alpha_if_u_is_odd = alpha & u_is_odd; /* Either |alpha| or 0. */
+ uint64_t alpha_if_u_is_odd = alpha & u_is_odd; // Either |alpha| or 0.
v = (v >> 1) + alpha_if_u_is_odd;
}
- /* The invariant now shows that u*r - v*n == 1 since r == 2 * alpha. */
+ // The invariant now shows that u*r - v*n == 1 since r == 2 * alpha.
#if BN_BITS2 == 64 && defined(BN_ULLONG)
assert(1 == ((BN_ULLONG)u * 2 * alpha) - ((BN_ULLONG)v * beta));
#endif
@@ -159,9 +159,9 @@
return v;
}
-/* bn_mod_exp_base_2_vartime calculates r = 2**p (mod n). |p| must be larger
- * than log_2(n); i.e. 2**p must be larger than |n|. |n| must be positive and
- * odd. */
+// bn_mod_exp_base_2_vartime calculates r = 2**p (mod n). |p| must be larger
+// than log_2(n); i.e. 2**p must be larger than |n|. |n| must be positive and
+// odd.
int bn_mod_exp_base_2_vartime(BIGNUM *r, unsigned p, const BIGNUM *n) {
assert(!BN_is_zero(n));
assert(!BN_is_negative(n));
@@ -175,13 +175,13 @@
return 1;
}
- /* Set |r| to the smallest power of two larger than |n|. */
+ // Set |r| to the smallest power of two larger than |n|.
assert(p > n_bits);
if (!BN_set_bit(r, n_bits)) {
return 0;
}
- /* Unconditionally reduce |r|. */
+ // Unconditionally reduce |r|.
assert(BN_cmp(r, n) > 0);
if (!BN_usub(r, r, n)) {
return 0;
@@ -189,10 +189,10 @@
assert(BN_cmp(r, n) < 0);
for (unsigned i = n_bits; i < p; ++i) {
- /* This is like |BN_mod_lshift1_quick| except using |BN_usub|.
- *
- * TODO: Replace this with the use of a constant-time variant of
- * |BN_mod_lshift1_quick|. */
+ // This is like |BN_mod_lshift1_quick| except using |BN_usub|.
+ //
+ // TODO: Replace this with the use of a constant-time variant of
+ // |BN_mod_lshift1_quick|.
if (!BN_lshift1(r, r)) {
return 0;
}
diff --git a/src/crypto/fipsmodule/bn/mul.c b/src/crypto/fipsmodule/bn/mul.c
index 36a4060..7cc0e3c 100644
--- a/src/crypto/fipsmodule/bn/mul.c
+++ b/src/crypto/fipsmodule/bn/mul.c
@@ -113,15 +113,15 @@
}
#if !defined(OPENSSL_X86) || defined(OPENSSL_NO_ASM)
-/* Here follows specialised variants of bn_add_words() and bn_sub_words(). They
- * have the property performing operations on arrays of different sizes. The
- * sizes of those arrays is expressed through cl, which is the common length (
- * basicall, min(len(a),len(b)) ), and dl, which is the delta between the two
- * lengths, calculated as len(a)-len(b). All lengths are the number of
- * BN_ULONGs... For the operations that require a result array as parameter,
- * it must have the length cl+abs(dl). These functions should probably end up
- * in bn_asm.c as soon as there are assembler counterparts for the systems that
- * use assembler files. */
+// Here follows specialised variants of bn_add_words() and bn_sub_words(). They
+// have the property performing operations on arrays of different sizes. The
+// sizes of those arrays is expressed through cl, which is the common length (
+// basicall, min(len(a),len(b)) ), and dl, which is the delta between the two
+// lengths, calculated as len(a)-len(b). All lengths are the number of
+// BN_ULONGs... For the operations that require a result array as parameter,
+// it must have the length cl+abs(dl). These functions should probably end up
+// in bn_asm.c as soon as there are assembler counterparts for the systems that
+// use assembler files.
static BN_ULONG bn_sub_part_words(BN_ULONG *r, const BN_ULONG *a,
const BN_ULONG *b, int cl, int dl) {
@@ -274,25 +274,24 @@
return c;
}
#else
-/* On other platforms the function is defined in asm. */
+// On other platforms the function is defined in asm.
BN_ULONG bn_sub_part_words(BN_ULONG *r, const BN_ULONG *a, const BN_ULONG *b,
int cl, int dl);
#endif
-/* Karatsuba recursive multiplication algorithm
- * (cf. Knuth, The Art of Computer Programming, Vol. 2) */
+// Karatsuba recursive multiplication algorithm
+// (cf. Knuth, The Art of Computer Programming, Vol. 2)
-/* r is 2*n2 words in size,
- * a and b are both n2 words in size.
- * n2 must be a power of 2.
- * We multiply and return the result.
- * t must be 2*n2 words in size
- * We calculate
- * a[0]*b[0]
- * a[0]*b[0]+a[1]*b[1]+(a[0]-a[1])*(b[1]-b[0])
- * a[1]*b[1]
- */
-/* dnX may not be positive, but n2/2+dnX has to be */
+// r is 2*n2 words in size,
+// a and b are both n2 words in size.
+// n2 must be a power of 2.
+// We multiply and return the result.
+// t must be 2*n2 words in size
+// We calculate
+// a[0]*b[0]
+// a[0]*b[0]+a[1]*b[1]+(a[0]-a[1])*(b[1]-b[0])
+// a[1]*b[1]
+// dnX may not be positive, but n2/2+dnX has to be
static void bn_mul_recursive(BN_ULONG *r, BN_ULONG *a, BN_ULONG *b, int n2,
int dna, int dnb, BN_ULONG *t) {
int n = n2 / 2, c1, c2;
@@ -300,15 +299,14 @@
unsigned int neg, zero;
BN_ULONG ln, lo, *p;
- /* Only call bn_mul_comba 8 if n2 == 8 and the
- * two arrays are complete [steve]
- */
+ // Only call bn_mul_comba 8 if n2 == 8 and the
+ // two arrays are complete [steve]
if (n2 == 8 && dna == 0 && dnb == 0) {
bn_mul_comba8(r, a, b);
return;
}
- /* Else do normal multiply */
+ // Else do normal multiply
if (n2 < BN_MUL_RECURSIVE_SIZE_NORMAL) {
bn_mul_normal(r, a, n2 + dna, b, n2 + dnb);
if ((dna + dnb) < 0) {
@@ -318,21 +316,21 @@
return;
}
- /* r=(a[0]-a[1])*(b[1]-b[0]) */
+ // r=(a[0]-a[1])*(b[1]-b[0])
c1 = bn_cmp_part_words(a, &(a[n]), tna, n - tna);
c2 = bn_cmp_part_words(&(b[n]), b, tnb, tnb - n);
zero = neg = 0;
switch (c1 * 3 + c2) {
case -4:
- bn_sub_part_words(t, &(a[n]), a, tna, tna - n); /* - */
- bn_sub_part_words(&(t[n]), b, &(b[n]), tnb, n - tnb); /* - */
+ bn_sub_part_words(t, &(a[n]), a, tna, tna - n); // -
+ bn_sub_part_words(&(t[n]), b, &(b[n]), tnb, n - tnb); // -
break;
case -3:
zero = 1;
break;
case -2:
- bn_sub_part_words(t, &(a[n]), a, tna, tna - n); /* - */
- bn_sub_part_words(&(t[n]), &(b[n]), b, tnb, tnb - n); /* + */
+ bn_sub_part_words(t, &(a[n]), a, tna, tna - n); // -
+ bn_sub_part_words(&(t[n]), &(b[n]), b, tnb, tnb - n); // +
neg = 1;
break;
case -1:
@@ -341,8 +339,8 @@
zero = 1;
break;
case 2:
- bn_sub_part_words(t, a, &(a[n]), tna, n - tna); /* + */
- bn_sub_part_words(&(t[n]), b, &(b[n]), tnb, n - tnb); /* - */
+ bn_sub_part_words(t, a, &(a[n]), tna, n - tna); // +
+ bn_sub_part_words(&(t[n]), b, &(b[n]), tnb, n - tnb); // -
neg = 1;
break;
case 3:
@@ -355,7 +353,7 @@
}
if (n == 4 && dna == 0 && dnb == 0) {
- /* XXX: bn_mul_comba4 could take extra args to do this well */
+ // XXX: bn_mul_comba4 could take extra args to do this well
if (!zero) {
bn_mul_comba4(&(t[n2]), t, &(t[n]));
} else {
@@ -365,7 +363,7 @@
bn_mul_comba4(r, a, b);
bn_mul_comba4(&(r[n2]), &(a[n]), &(b[n]));
} else if (n == 8 && dna == 0 && dnb == 0) {
- /* XXX: bn_mul_comba8 could take extra args to do this well */
+ // XXX: bn_mul_comba8 could take extra args to do this well
if (!zero) {
bn_mul_comba8(&(t[n2]), t, &(t[n]));
} else {
@@ -385,24 +383,24 @@
bn_mul_recursive(&(r[n2]), &(a[n]), &(b[n]), n, dna, dnb, p);
}
- /* t[32] holds (a[0]-a[1])*(b[1]-b[0]), c1 is the sign
- * r[10] holds (a[0]*b[0])
- * r[32] holds (b[1]*b[1]) */
+ // t[32] holds (a[0]-a[1])*(b[1]-b[0]), c1 is the sign
+ // r[10] holds (a[0]*b[0])
+ // r[32] holds (b[1]*b[1])
c1 = (int)(bn_add_words(t, r, &(r[n2]), n2));
if (neg) {
- /* if t[32] is negative */
+ // if t[32] is negative
c1 -= (int)(bn_sub_words(&(t[n2]), t, &(t[n2]), n2));
} else {
- /* Might have a carry */
+ // Might have a carry
c1 += (int)(bn_add_words(&(t[n2]), &(t[n2]), t, n2));
}
- /* t[32] holds (a[0]-a[1])*(b[1]-b[0])+(a[0]*b[0])+(a[1]*b[1])
- * r[10] holds (a[0]*b[0])
- * r[32] holds (b[1]*b[1])
- * c1 holds the carry bits */
+ // t[32] holds (a[0]-a[1])*(b[1]-b[0])+(a[0]*b[0])+(a[1]*b[1])
+ // r[10] holds (a[0]*b[0])
+ // r[32] holds (b[1]*b[1])
+ // c1 holds the carry bits
c1 += (int)(bn_add_words(&(r[n]), &(r[n]), &(t[n2]), n2));
if (c1) {
p = &(r[n + n2]);
@@ -410,8 +408,8 @@
ln = (lo + c1) & BN_MASK2;
*p = ln;
- /* The overflow will stop before we over write
- * words we should not overwrite */
+ // The overflow will stop before we over write
+ // words we should not overwrite
if (ln < (BN_ULONG)c1) {
do {
p++;
@@ -423,9 +421,9 @@
}
}
-/* n+tn is the word length
- * t needs to be n*4 is size, as does r */
-/* tnX may not be negative but less than n */
+// n+tn is the word length
+// t needs to be n*4 is size, as does r
+// tnX may not be negative but less than n
static void bn_mul_part_recursive(BN_ULONG *r, BN_ULONG *a, BN_ULONG *b, int n,
int tna, int tnb, BN_ULONG *t) {
int i, j, n2 = n * 2;
@@ -437,33 +435,33 @@
return;
}
- /* r=(a[0]-a[1])*(b[1]-b[0]) */
+ // r=(a[0]-a[1])*(b[1]-b[0])
c1 = bn_cmp_part_words(a, &(a[n]), tna, n - tna);
c2 = bn_cmp_part_words(&(b[n]), b, tnb, tnb - n);
neg = 0;
switch (c1 * 3 + c2) {
case -4:
- bn_sub_part_words(t, &(a[n]), a, tna, tna - n); /* - */
- bn_sub_part_words(&(t[n]), b, &(b[n]), tnb, n - tnb); /* - */
+ bn_sub_part_words(t, &(a[n]), a, tna, tna - n); // -
+ bn_sub_part_words(&(t[n]), b, &(b[n]), tnb, n - tnb); // -
break;
case -3:
- /* break; */
+ // break;
case -2:
- bn_sub_part_words(t, &(a[n]), a, tna, tna - n); /* - */
- bn_sub_part_words(&(t[n]), &(b[n]), b, tnb, tnb - n); /* + */
+ bn_sub_part_words(t, &(a[n]), a, tna, tna - n); // -
+ bn_sub_part_words(&(t[n]), &(b[n]), b, tnb, tnb - n); // +
neg = 1;
break;
case -1:
case 0:
case 1:
- /* break; */
+ // break;
case 2:
- bn_sub_part_words(t, a, &(a[n]), tna, n - tna); /* + */
- bn_sub_part_words(&(t[n]), b, &(b[n]), tnb, n - tnb); /* - */
+ bn_sub_part_words(t, a, &(a[n]), tna, n - tna); // +
+ bn_sub_part_words(&(t[n]), b, &(b[n]), tnb, n - tnb); // -
neg = 1;
break;
case 3:
- /* break; */
+ // break;
case 4:
bn_sub_part_words(t, a, &(a[n]), tna, n - tna);
bn_sub_part_words(&(t[n]), &(b[n]), b, tnb, tnb - n);
@@ -480,8 +478,8 @@
bn_mul_recursive(&(t[n2]), t, &(t[n]), n, 0, 0, p);
bn_mul_recursive(r, a, b, n, 0, 0, p);
i = n / 2;
- /* If there is only a bottom half to the number,
- * just do it */
+ // If there is only a bottom half to the number,
+ // just do it
if (tna > tnb) {
j = tna - i;
} else {
@@ -492,12 +490,12 @@
bn_mul_recursive(&(r[n2]), &(a[n]), &(b[n]), i, tna - i, tnb - i, p);
OPENSSL_memset(&(r[n2 + i * 2]), 0, sizeof(BN_ULONG) * (n2 - i * 2));
} else if (j > 0) {
- /* eg, n == 16, i == 8 and tn == 11 */
+ // eg, n == 16, i == 8 and tn == 11
bn_mul_part_recursive(&(r[n2]), &(a[n]), &(b[n]), i, tna - i, tnb - i, p);
OPENSSL_memset(&(r[n2 + tna + tnb]), 0,
sizeof(BN_ULONG) * (n2 - tna - tnb));
} else {
- /* (j < 0) eg, n == 16, i == 8 and tn == 5 */
+ // (j < 0) eg, n == 16, i == 8 and tn == 5
OPENSSL_memset(&(r[n2]), 0, sizeof(BN_ULONG) * n2);
if (tna < BN_MUL_RECURSIVE_SIZE_NORMAL &&
tnb < BN_MUL_RECURSIVE_SIZE_NORMAL) {
@@ -505,9 +503,9 @@
} else {
for (;;) {
i /= 2;
- /* these simplified conditions work
- * exclusively because difference
- * between tna and tnb is 1 or 0 */
+ // these simplified conditions work
+ // exclusively because difference
+ // between tna and tnb is 1 or 0
if (i < tna || i < tnb) {
bn_mul_part_recursive(&(r[n2]), &(a[n]), &(b[n]), i, tna - i,
tnb - i, p);
@@ -522,25 +520,24 @@
}
}
- /* t[32] holds (a[0]-a[1])*(b[1]-b[0]), c1 is the sign
- * r[10] holds (a[0]*b[0])
- * r[32] holds (b[1]*b[1])
- */
+ // t[32] holds (a[0]-a[1])*(b[1]-b[0]), c1 is the sign
+ // r[10] holds (a[0]*b[0])
+ // r[32] holds (b[1]*b[1])
c1 = (int)(bn_add_words(t, r, &(r[n2]), n2));
if (neg) {
- /* if t[32] is negative */
+ // if t[32] is negative
c1 -= (int)(bn_sub_words(&(t[n2]), t, &(t[n2]), n2));
} else {
- /* Might have a carry */
+ // Might have a carry
c1 += (int)(bn_add_words(&(t[n2]), &(t[n2]), t, n2));
}
- /* t[32] holds (a[0]-a[1])*(b[1]-b[0])+(a[0]*b[0])+(a[1]*b[1])
- * r[10] holds (a[0]*b[0])
- * r[32] holds (b[1]*b[1])
- * c1 holds the carry bits */
+ // t[32] holds (a[0]-a[1])*(b[1]-b[0])+(a[0]*b[0])+(a[1]*b[1])
+ // r[10] holds (a[0]*b[0])
+ // r[32] holds (b[1]*b[1])
+ // c1 holds the carry bits
c1 += (int)(bn_add_words(&(r[n]), &(r[n]), &(t[n2]), n2));
if (c1) {
p = &(r[n + n2]);
@@ -548,8 +545,8 @@
ln = (lo + c1) & BN_MASK2;
*p = ln;
- /* The overflow will stop before we over write
- * words we should not overwrite */
+ // The overflow will stop before we over write
+ // words we should not overwrite
if (ln < (BN_ULONG)c1) {
do {
p++;
@@ -627,7 +624,7 @@
}
bn_mul_part_recursive(rr->d, a->d, b->d, j, al - j, bl - j, t->d);
} else {
- /* al <= j || bl <= j */
+ // al <= j || bl <= j
if (!bn_wexpand(t, k * 2)) {
goto err;
}
@@ -659,7 +656,7 @@
return ret;
}
-/* tmp must have 2*n words */
+// tmp must have 2*n words
static void bn_sqr_normal(BN_ULONG *r, const BN_ULONG *a, int n, BN_ULONG *tmp) {
int i, j, max;
const BN_ULONG *ap;
@@ -687,23 +684,22 @@
bn_add_words(r, r, r, max);
- /* There will not be a carry */
+ // There will not be a carry
bn_sqr_words(tmp, a, n);
bn_add_words(r, r, tmp, max);
}
-/* r is 2*n words in size,
- * a and b are both n words in size. (There's not actually a 'b' here ...)
- * n must be a power of 2.
- * We multiply and return the result.
- * t must be 2*n words in size
- * We calculate
- * a[0]*b[0]
- * a[0]*b[0]+a[1]*b[1]+(a[0]-a[1])*(b[1]-b[0])
- * a[1]*b[1]
- */
+// r is 2*n words in size,
+// a and b are both n words in size. (There's not actually a 'b' here ...)
+// n must be a power of 2.
+// We multiply and return the result.
+// t must be 2*n words in size
+// We calculate
+// a[0]*b[0]
+// a[0]*b[0]+a[1]*b[1]+(a[0]-a[1])*(b[1]-b[0])
+// a[1]*b[1]
static void bn_sqr_recursive(BN_ULONG *r, const BN_ULONG *a, int n2, BN_ULONG *t) {
int n = n2 / 2;
int zero, c1;
@@ -720,7 +716,7 @@
bn_sqr_normal(r, a, n2, t);
return;
}
- /* r=(a[0]-a[1])*(a[1]-a[0]) */
+ // r=(a[0]-a[1])*(a[1]-a[0])
c1 = bn_cmp_words(a, &(a[n]), n);
zero = 0;
if (c1 > 0) {
@@ -731,7 +727,7 @@
zero = 1;
}
- /* The result will always be negative unless it is zero */
+ // The result will always be negative unless it is zero
p = &(t[n2 * 2]);
if (!zero) {
@@ -742,19 +738,19 @@
bn_sqr_recursive(r, a, n, p);
bn_sqr_recursive(&(r[n2]), &(a[n]), n, p);
- /* t[32] holds (a[0]-a[1])*(a[1]-a[0]), it is negative or zero
- * r[10] holds (a[0]*b[0])
- * r[32] holds (b[1]*b[1]) */
+ // t[32] holds (a[0]-a[1])*(a[1]-a[0]), it is negative or zero
+ // r[10] holds (a[0]*b[0])
+ // r[32] holds (b[1]*b[1])
c1 = (int)(bn_add_words(t, r, &(r[n2]), n2));
- /* t[32] is negative */
+ // t[32] is negative
c1 -= (int)(bn_sub_words(&(t[n2]), t, &(t[n2]), n2));
- /* t[32] holds (a[0]-a[1])*(a[1]-a[0])+(a[0]*a[0])+(a[1]*a[1])
- * r[10] holds (a[0]*a[0])
- * r[32] holds (a[1]*a[1])
- * c1 holds the carry bits */
+ // t[32] holds (a[0]-a[1])*(a[1]-a[0])+(a[0]*a[0])+(a[1]*a[1])
+ // r[10] holds (a[0]*a[0])
+ // r[32] holds (a[1]*a[1])
+ // c1 holds the carry bits
c1 += (int)(bn_add_words(&(r[n]), &(r[n]), &(t[n2]), n2));
if (c1) {
p = &(r[n + n2]);
@@ -762,8 +758,8 @@
ln = (lo + c1) & BN_MASK2;
*p = ln;
- /* The overflow will stop before we over write
- * words we should not overwrite */
+ // The overflow will stop before we over write
+ // words we should not overwrite
if (ln < (BN_ULONG)c1) {
do {
p++;
@@ -818,7 +814,7 @@
goto err;
}
- max = 2 * al; /* Non-zero (from above) */
+ max = 2 * al; // Non-zero (from above)
if (!bn_wexpand(rr, max)) {
goto err;
}
@@ -852,8 +848,8 @@
}
rr->neg = 0;
- /* If the most-significant half of the top word of 'a' is zero, then
- * the square of 'a' will max-1 words. */
+ // If the most-significant half of the top word of 'a' is zero, then
+ // the square of 'a' will max-1 words.
if (a->d[al - 1] == (a->d[al - 1] & BN_MASK2l)) {
rr->top = max - 1;
} else {
diff --git a/src/crypto/fipsmodule/bn/prime.c b/src/crypto/fipsmodule/bn/prime.c
index 3e2e6f5..691d0cb 100644
--- a/src/crypto/fipsmodule/bn/prime.c
+++ b/src/crypto/fipsmodule/bn/prime.c
@@ -113,13 +113,13 @@
#include "internal.h"
-/* The quick sieve algorithm approach to weeding out primes is Philip
- * Zimmermann's, as implemented in PGP. I have had a read of his comments and
- * implemented my own version. */
+// The quick sieve algorithm approach to weeding out primes is Philip
+// Zimmermann's, as implemented in PGP. I have had a read of his comments and
+// implemented my own version.
#define NUMPRIMES 2048
-/* primes contains all the primes that fit into a uint16_t. */
+// primes contains all the primes that fit into a uint16_t.
static const uint16_t primes[NUMPRIMES] = {
2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31,
37, 41, 43, 47, 53, 59, 61, 67, 71, 73, 79,
@@ -310,12 +310,12 @@
17851, 17863,
};
-/* BN_prime_checks_for_size returns the number of Miller-Rabin iterations
- * necessary for a 'bits'-bit prime, in order to maintain an error rate greater
- * than the security level for an RSA prime of that many bits (calculated using
- * the FIPS SP 800-57 security level and 186-4 Section F.1; original paper:
- * Damgaard, Landrock, Pomerance: Average case error estimates for the strong
- * probable prime test. -- Math. Comp. 61 (1993) 177-194) */
+// BN_prime_checks_for_size returns the number of Miller-Rabin iterations
+// necessary for a 'bits'-bit prime, in order to maintain an error rate greater
+// than the security level for an RSA prime of that many bits (calculated using
+// the FIPS SP 800-57 security level and 186-4 Section F.1; original paper:
+// Damgaard, Landrock, Pomerance: Average case error estimates for the strong
+// probable prime test. -- Math. Comp. 61 (1993) 177-194)
static int BN_prime_checks_for_size(int bits) {
if (bits >= 3747) {
return 3;
@@ -371,11 +371,11 @@
int checks = BN_prime_checks_for_size(bits);
if (bits < 2) {
- /* There are no prime numbers this small. */
+ // There are no prime numbers this small.
OPENSSL_PUT_ERROR(BN, BN_R_BITS_TOO_SMALL);
return 0;
} else if (bits == 2 && safe) {
- /* The smallest safe prime (7) is three bits. */
+ // The smallest safe prime (7) is three bits.
OPENSSL_PUT_ERROR(BN, BN_R_BITS_TOO_SMALL);
return 0;
}
@@ -391,7 +391,7 @@
}
loop:
- /* make a random number and set the top and bottom bits */
+ // make a random number and set the top and bottom bits
if (add == NULL) {
if (!probable_prime(ret, bits)) {
goto err;
@@ -409,7 +409,7 @@
}
if (!BN_GENCB_call(cb, BN_GENCB_GENERATED, c1++)) {
- /* aborted */
+ // aborted
goto err;
}
@@ -421,8 +421,8 @@
goto loop;
}
} else {
- /* for "safe prime" generation, check that (p-1)/2 is prime. Since a prime
- * is odd, We just need to divide by 2 */
+ // for "safe prime" generation, check that (p-1)/2 is prime. Since a prime
+ // is odd, We just need to divide by 2
if (!BN_rshift1(t, ret)) {
goto err;
}
@@ -445,11 +445,11 @@
if (!BN_GENCB_call(cb, i, c1 - 1)) {
goto err;
}
- /* We have a safe prime test pass */
+ // We have a safe prime test pass
}
}
- /* we have a prime :-) */
+ // we have a prime :-)
found = 1;
err:
@@ -487,13 +487,13 @@
return 0;
}
- /* first look for small factors */
+ // first look for small factors
if (!BN_is_odd(a)) {
- /* a is even => a is prime if and only if a == 2 */
+ // a is even => a is prime if and only if a == 2
return BN_is_word(a, 2);
}
- /* Enhanced Miller-Rabin does not work for three. */
+ // Enhanced Miller-Rabin does not work for three.
if (BN_is_word(a, 3)) {
return 1;
}
@@ -539,7 +539,7 @@
int BN_enhanced_miller_rabin_primality_test(
enum bn_primality_result_t *out_result, const BIGNUM *w, int iterations,
BN_CTX *ctx, BN_GENCB *cb) {
- /* Enhanced Miller-Rabin is only valid on odd integers greater than 3. */
+ // Enhanced Miller-Rabin is only valid on odd integers greater than 3.
if (!BN_is_odd(w) || BN_cmp_word(w, 3) <= 0) {
OPENSSL_PUT_ERROR(BN, BN_R_INVALID_INPUT);
return 0;
@@ -561,7 +561,7 @@
goto err;
}
- /* Write w1 as m*2^a (Steps 1 and 2). */
+ // Write w1 as m*2^a (Steps 1 and 2).
int a = 0;
while (!BN_is_bit_set(w1, a)) {
a++;
@@ -585,22 +585,22 @@
goto err;
}
- /* Montgomery setup for computations mod A */
+ // Montgomery setup for computations mod A
mont = BN_MONT_CTX_new();
if (mont == NULL ||
!BN_MONT_CTX_set(mont, w, ctx)) {
goto err;
}
- /* The following loop performs in inner iteration of the Enhanced Miller-Rabin
- * Primality test (Step 4). */
+ // The following loop performs in inner iteration of the Enhanced Miller-Rabin
+ // Primality test (Step 4).
for (int i = 1; i <= iterations; i++) {
- /* Step 4.1-4.2 */
+ // Step 4.1-4.2
if (!BN_rand_range_ex(b, 2, w1)) {
goto err;
}
- /* Step 4.3-4.4 */
+ // Step 4.3-4.4
if (!BN_gcd(g, b, w, ctx)) {
goto err;
}
@@ -610,17 +610,17 @@
goto err;
}
- /* Step 4.5 */
+ // Step 4.5
if (!BN_mod_exp_mont(z, b, m, w, ctx, mont)) {
goto err;
}
- /* Step 4.6 */
+ // Step 4.6
if (BN_is_one(z) || BN_cmp(z, w1) == 0) {
goto loop;
}
- /* Step 4.7 */
+ // Step 4.7
for (int j = 1; j < a; j++) {
if (!BN_copy(x, z) || !BN_mod_mul(z, x, x, w, ctx)) {
goto err;
@@ -633,18 +633,18 @@
}
}
- /* Step 4.8-4.9 */
+ // Step 4.8-4.9
if (!BN_copy(x, z) || !BN_mod_mul(z, x, x, w, ctx)) {
goto err;
}
- /* Step 4.10-4.11 */
+ // Step 4.10-4.11
if (!BN_is_one(z) && !BN_copy(x, z)) {
goto err;
}
composite:
- /* Step 4.12-4.14 */
+ // Step 4.12-4.14
if (!BN_copy(x1, x) ||
!BN_sub_word(x1, 1) ||
!BN_gcd(g, x1, w, ctx)) {
@@ -660,7 +660,7 @@
goto err;
loop:
- /* Step 4.15 */
+ // Step 4.15
if (!BN_GENCB_call(cb, 1, i)) {
goto err;
}
@@ -688,7 +688,7 @@
return 0;
}
- /* we now have a random number 'rnd' to test. */
+ // we now have a random number 'rnd' to test.
for (i = 1; i < NUMPRIMES; i++) {
BN_ULONG mod = BN_mod_word(rnd, (BN_ULONG)primes[i]);
if (mod == (BN_ULONG)-1) {
@@ -696,12 +696,12 @@
}
mods[i] = (uint16_t)mod;
}
- /* If bits is so small that it fits into a single word then we
- * additionally don't want to exceed that many bits. */
+ // If bits is so small that it fits into a single word then we
+ // additionally don't want to exceed that many bits.
if (is_single_word) {
BN_ULONG size_limit;
if (bits == BN_BITS2) {
- /* Avoid undefined behavior. */
+ // Avoid undefined behavior.
size_limit = ~((BN_ULONG)0) - BN_get_word(rnd);
} else {
size_limit = (((BN_ULONG)1) << bits) - BN_get_word(rnd) - 1;
@@ -716,15 +716,15 @@
if (is_single_word) {
BN_ULONG rnd_word = BN_get_word(rnd);
- /* In the case that the candidate prime is a single word then
- * we check that:
- * 1) It's greater than primes[i] because we shouldn't reject
- * 3 as being a prime number because it's a multiple of
- * three.
- * 2) That it's not a multiple of a known prime. We don't
- * check that rnd-1 is also coprime to all the known
- * primes because there aren't many small primes where
- * that's true. */
+ // In the case that the candidate prime is a single word then
+ // we check that:
+ // 1) It's greater than primes[i] because we shouldn't reject
+ // 3 as being a prime number because it's a multiple of
+ // three.
+ // 2) That it's not a multiple of a known prime. We don't
+ // check that rnd-1 is also coprime to all the known
+ // primes because there aren't many small primes where
+ // that's true.
for (i = 1; i < NUMPRIMES && primes[i] < rnd_word; i++) {
if ((mods[i] + delta) % primes[i] == 0) {
delta += 2;
@@ -736,8 +736,8 @@
}
} else {
for (i = 1; i < NUMPRIMES; i++) {
- /* check that rnd is not a prime and also
- * that gcd(rnd-1,primes) == 1 (except for 2) */
+ // check that rnd is not a prime and also
+ // that gcd(rnd-1,primes) == 1 (except for 2)
if (((mods[i] + delta) % primes[i]) <= 1) {
delta += 2;
if (delta > maxdelta) {
@@ -772,7 +772,7 @@
goto err;
}
- /* we need ((rnd-rem) % add) == 0 */
+ // we need ((rnd-rem) % add) == 0
if (!BN_mod(t1, rnd, add, ctx)) {
goto err;
@@ -789,11 +789,11 @@
goto err;
}
}
- /* we now have a random number 'rand' to test. */
+ // we now have a random number 'rand' to test.
loop:
for (i = 1; i < NUMPRIMES; i++) {
- /* check that rnd is a prime */
+ // check that rnd is a prime
BN_ULONG mod = BN_mod_word(rnd, (BN_ULONG)primes[i]);
if (mod == (BN_ULONG)-1) {
goto err;
@@ -835,7 +835,7 @@
goto err;
}
- /* we need ((rnd-rem) % add) == 0 */
+ // we need ((rnd-rem) % add) == 0
if (!BN_mod(t1, q, qadd, ctx)) {
goto err;
}
@@ -857,7 +857,7 @@
}
}
- /* we now have a random number 'rand' to test. */
+ // we now have a random number 'rand' to test.
if (!BN_lshift1(p, q)) {
goto err;
}
@@ -867,9 +867,9 @@
loop:
for (i = 1; i < NUMPRIMES; i++) {
- /* check that p and q are prime */
- /* check that for p and q
- * gcd(p-1,primes) == 1 (except for 2) */
+ // check that p and q are prime
+ // check that for p and q
+ // gcd(p-1,primes) == 1 (except for 2)
BN_ULONG pmod = BN_mod_word(p, (BN_ULONG)primes[i]);
BN_ULONG qmod = BN_mod_word(q, (BN_ULONG)primes[i]);
if (pmod == (BN_ULONG)-1 || qmod == (BN_ULONG)-1) {
diff --git a/src/crypto/fipsmodule/bn/random.c b/src/crypto/fipsmodule/bn/random.c
index 8aa40cf..64e7605 100644
--- a/src/crypto/fipsmodule/bn/random.c
+++ b/src/crypto/fipsmodule/bn/random.c
@@ -158,7 +158,7 @@
goto err;
}
- /* Make a random number and set the top and bottom bits. */
+ // Make a random number and set the top and bottom bits.
RAND_bytes_with_additional_data(buf, bytes, additional_data);
if (top != BN_RAND_TOP_ANY) {
@@ -176,7 +176,7 @@
buf[0] &= ~mask;
- /* Set the bottom bit if requested, */
+ // Set the bottom bit if requested,
if (bottom == BN_RAND_BOTTOM_ODD) {
buf[bytes - 1] |= 1;
}
@@ -212,28 +212,28 @@
return 0;
}
- /* This function is used to implement steps 4 through 7 of FIPS 186-4
- * appendices B.4.2 and B.5.2. When called in those contexts, |max_exclusive|
- * is n and |min_inclusive| is one. */
+ // This function is used to implement steps 4 through 7 of FIPS 186-4
+ // appendices B.4.2 and B.5.2. When called in those contexts, |max_exclusive|
+ // is n and |min_inclusive| is one.
unsigned count = 100;
- unsigned n = BN_num_bits(max_exclusive); /* n > 0 */
+ unsigned n = BN_num_bits(max_exclusive); // n > 0
do {
if (!--count) {
OPENSSL_PUT_ERROR(BN, BN_R_TOO_MANY_ITERATIONS);
return 0;
}
- if (/* steps 4 and 5 */
+ if (// steps 4 and 5
!bn_rand_with_additional_data(r, n, BN_RAND_TOP_ANY, BN_RAND_BOTTOM_ANY,
additional_data) ||
- /* step 7 */
+ // step 7
!BN_add_word(r, min_inclusive)) {
return 0;
}
- /* Step 6. This loops if |r| >= |max_exclusive|. This is identical to
- * checking |r| > |max_exclusive| - 1 or |r| - 1 > |max_exclusive| - 2, the
- * formulation stated in FIPS 186-4. */
+ // Step 6. This loops if |r| >= |max_exclusive|. This is identical to
+ // checking |r| > |max_exclusive| - 1 or |r| - 1 > |max_exclusive| - 2, the
+ // formulation stated in FIPS 186-4.
} while (BN_cmp(r, max_exclusive) >= 0);
return 1;
@@ -256,22 +256,22 @@
int BN_generate_dsa_nonce(BIGNUM *out, const BIGNUM *range, const BIGNUM *priv,
const uint8_t *message, size_t message_len,
BN_CTX *ctx) {
- /* We copy |priv| into a local buffer to avoid furthur exposing its
- * length. */
+ // We copy |priv| into a local buffer to avoid furthur exposing its
+ // length.
uint8_t private_bytes[96];
size_t todo = sizeof(priv->d[0]) * priv->top;
if (todo > sizeof(private_bytes)) {
- /* No reasonable DSA or ECDSA key should have a private key
- * this large and we don't handle this case in order to avoid
- * leaking the length of the private key. */
+ // No reasonable DSA or ECDSA key should have a private key
+ // this large and we don't handle this case in order to avoid
+ // leaking the length of the private key.
OPENSSL_PUT_ERROR(BN, BN_R_PRIVATE_KEY_TOO_LARGE);
return 0;
}
OPENSSL_memcpy(private_bytes, priv->d, todo);
OPENSSL_memset(private_bytes + todo, 0, sizeof(private_bytes) - todo);
- /* Pass a SHA512 hash of the private key and message as additional data into
- * the RBG. This is a hardening measure against entropy failure. */
+ // Pass a SHA512 hash of the private key and message as additional data into
+ // the RBG. This is a hardening measure against entropy failure.
OPENSSL_COMPILE_ASSERT(SHA512_DIGEST_LENGTH >= 32,
additional_data_is_too_large_for_sha512);
SHA512_CTX sha;
@@ -281,6 +281,6 @@
SHA512_Update(&sha, message, message_len);
SHA512_Final(digest, &sha);
- /* Select a value k from [1, range-1], following FIPS 186-4 appendix B.5.2. */
+ // Select a value k from [1, range-1], following FIPS 186-4 appendix B.5.2.
return bn_rand_range_with_additional_data(out, 1, range, digest);
}
diff --git a/src/crypto/fipsmodule/bn/shift.c b/src/crypto/fipsmodule/bn/shift.c
index 1e41342..d3fcf39 100644
--- a/src/crypto/fipsmodule/bn/shift.c
+++ b/src/crypto/fipsmodule/bn/shift.c
@@ -157,7 +157,7 @@
}
} else {
if (n == 0) {
- return 1; /* or the copying loop will go berserk */
+ return 1; // or the copying loop will go berserk
}
}
diff --git a/src/crypto/fipsmodule/bn/sqrt.c b/src/crypto/fipsmodule/bn/sqrt.c
index 0342bc0..68ccb91 100644
--- a/src/crypto/fipsmodule/bn/sqrt.c
+++ b/src/crypto/fipsmodule/bn/sqrt.c
@@ -60,9 +60,9 @@
BIGNUM *BN_mod_sqrt(BIGNUM *in, const BIGNUM *a, const BIGNUM *p, BN_CTX *ctx) {
- /* Compute a square root of |a| mod |p| using the Tonelli/Shanks algorithm
- * (cf. Henri Cohen, "A Course in Algebraic Computational Number Theory",
- * algorithm 1.5.1). |p| is assumed to be a prime. */
+ // Compute a square root of |a| mod |p| using the Tonelli/Shanks algorithm
+ // (cf. Henri Cohen, "A Course in Algebraic Computational Number Theory",
+ // algorithm 1.5.1). |p| is assumed to be a prime.
BIGNUM *ret = in;
int err = 1;
@@ -125,26 +125,25 @@
goto end;
}
- /* A = a mod p */
+ // A = a mod p
if (!BN_nnmod(A, a, p, ctx)) {
goto end;
}
- /* now write |p| - 1 as 2^e*q where q is odd */
+ // now write |p| - 1 as 2^e*q where q is odd
e = 1;
while (!BN_is_bit_set(p, e)) {
e++;
}
- /* we'll set q later (if needed) */
+ // we'll set q later (if needed)
if (e == 1) {
- /* The easy case: (|p|-1)/2 is odd, so 2 has an inverse
- * modulo (|p|-1)/2, and square roots can be computed
- * directly by modular exponentiation.
- * We have
- * 2 * (|p|+1)/4 == 1 (mod (|p|-1)/2),
- * so we can use exponent (|p|+1)/4, i.e. (|p|-3)/4 + 1.
- */
+ // The easy case: (|p|-1)/2 is odd, so 2 has an inverse
+ // modulo (|p|-1)/2, and square roots can be computed
+ // directly by modular exponentiation.
+ // We have
+ // 2 * (|p|+1)/4 == 1 (mod (|p|-1)/2),
+ // so we can use exponent (|p|+1)/4, i.e. (|p|-3)/4 + 1.
if (!BN_rshift(q, p, 2)) {
goto end;
}
@@ -158,39 +157,38 @@
}
if (e == 2) {
- /* |p| == 5 (mod 8)
- *
- * In this case 2 is always a non-square since
- * Legendre(2,p) = (-1)^((p^2-1)/8) for any odd prime.
- * So if a really is a square, then 2*a is a non-square.
- * Thus for
- * b := (2*a)^((|p|-5)/8),
- * i := (2*a)*b^2
- * we have
- * i^2 = (2*a)^((1 + (|p|-5)/4)*2)
- * = (2*a)^((p-1)/2)
- * = -1;
- * so if we set
- * x := a*b*(i-1),
- * then
- * x^2 = a^2 * b^2 * (i^2 - 2*i + 1)
- * = a^2 * b^2 * (-2*i)
- * = a*(-i)*(2*a*b^2)
- * = a*(-i)*i
- * = a.
- *
- * (This is due to A.O.L. Atkin,
- * <URL:
- *http://listserv.nodak.edu/scripts/wa.exe?A2=ind9211&L=nmbrthry&O=T&P=562>,
- * November 1992.)
- */
+ // |p| == 5 (mod 8)
+ //
+ // In this case 2 is always a non-square since
+ // Legendre(2,p) = (-1)^((p^2-1)/8) for any odd prime.
+ // So if a really is a square, then 2*a is a non-square.
+ // Thus for
+ // b := (2*a)^((|p|-5)/8),
+ // i := (2*a)*b^2
+ // we have
+ // i^2 = (2*a)^((1 + (|p|-5)/4)*2)
+ // = (2*a)^((p-1)/2)
+ // = -1;
+ // so if we set
+ // x := a*b*(i-1),
+ // then
+ // x^2 = a^2 * b^2 * (i^2 - 2*i + 1)
+ // = a^2 * b^2 * (-2*i)
+ // = a*(-i)*(2*a*b^2)
+ // = a*(-i)*i
+ // = a.
+ //
+ // (This is due to A.O.L. Atkin,
+ // <URL:
+ //http://listserv.nodak.edu/scripts/wa.exe?A2=ind9211&L=nmbrthry&O=T&P=562>,
+ // November 1992.)
- /* t := 2*a */
+ // t := 2*a
if (!BN_mod_lshift1_quick(t, A, p)) {
goto end;
}
- /* b := (2*a)^((|p|-5)/8) */
+ // b := (2*a)^((|p|-5)/8)
if (!BN_rshift(q, p, 3)) {
goto end;
}
@@ -199,18 +197,18 @@
goto end;
}
- /* y := b^2 */
+ // y := b^2
if (!BN_mod_sqr(y, b, p, ctx)) {
goto end;
}
- /* t := (2*a)*b^2 - 1*/
+ // t := (2*a)*b^2 - 1
if (!BN_mod_mul(t, t, y, p, ctx) ||
!BN_sub_word(t, 1)) {
goto end;
}
- /* x = a*b*t */
+ // x = a*b*t
if (!BN_mod_mul(x, A, b, p, ctx) ||
!BN_mod_mul(x, x, t, p, ctx)) {
goto end;
@@ -223,17 +221,16 @@
goto vrfy;
}
- /* e > 2, so we really have to use the Tonelli/Shanks algorithm.
- * First, find some y that is not a square. */
+ // e > 2, so we really have to use the Tonelli/Shanks algorithm.
+ // First, find some y that is not a square.
if (!BN_copy(q, p)) {
- goto end; /* use 'q' as temp */
+ goto end; // use 'q' as temp
}
q->neg = 0;
i = 2;
do {
- /* For efficiency, try small numbers first;
- * if this fails, try random numbers.
- */
+ // For efficiency, try small numbers first;
+ // if this fails, try random numbers.
if (i < 22) {
if (!BN_set_word(y, i)) {
goto end;
@@ -247,7 +244,7 @@
goto end;
}
}
- /* now 0 <= y < |p| */
+ // now 0 <= y < |p|
if (BN_is_zero(y)) {
if (!BN_set_word(y, i)) {
goto end;
@@ -255,34 +252,33 @@
}
}
- r = bn_jacobi(y, q, ctx); /* here 'q' is |p| */
+ r = bn_jacobi(y, q, ctx); // here 'q' is |p|
if (r < -1) {
goto end;
}
if (r == 0) {
- /* m divides p */
+ // m divides p
OPENSSL_PUT_ERROR(BN, BN_R_P_IS_NOT_PRIME);
goto end;
}
} while (r == 1 && ++i < 82);
if (r != -1) {
- /* Many rounds and still no non-square -- this is more likely
- * a bug than just bad luck.
- * Even if p is not prime, we should have found some y
- * such that r == -1.
- */
+ // Many rounds and still no non-square -- this is more likely
+ // a bug than just bad luck.
+ // Even if p is not prime, we should have found some y
+ // such that r == -1.
OPENSSL_PUT_ERROR(BN, BN_R_TOO_MANY_ITERATIONS);
goto end;
}
- /* Here's our actual 'q': */
+ // Here's our actual 'q':
if (!BN_rshift(q, q, e)) {
goto end;
}
- /* Now that we have some non-square, we can find an element
- * of order 2^e by computing its q'th power. */
+ // Now that we have some non-square, we can find an element
+ // of order 2^e by computing its q'th power.
if (!BN_mod_exp_mont(y, y, q, p, ctx, NULL)) {
goto end;
}
@@ -291,37 +287,36 @@
goto end;
}
- /* Now we know that (if p is indeed prime) there is an integer
- * k, 0 <= k < 2^e, such that
- *
- * a^q * y^k == 1 (mod p).
- *
- * As a^q is a square and y is not, k must be even.
- * q+1 is even, too, so there is an element
- *
- * X := a^((q+1)/2) * y^(k/2),
- *
- * and it satisfies
- *
- * X^2 = a^q * a * y^k
- * = a,
- *
- * so it is the square root that we are looking for.
- */
+ // Now we know that (if p is indeed prime) there is an integer
+ // k, 0 <= k < 2^e, such that
+ //
+ // a^q * y^k == 1 (mod p).
+ //
+ // As a^q is a square and y is not, k must be even.
+ // q+1 is even, too, so there is an element
+ //
+ // X := a^((q+1)/2) * y^(k/2),
+ //
+ // and it satisfies
+ //
+ // X^2 = a^q * a * y^k
+ // = a,
+ //
+ // so it is the square root that we are looking for.
- /* t := (q-1)/2 (note that q is odd) */
+ // t := (q-1)/2 (note that q is odd)
if (!BN_rshift1(t, q)) {
goto end;
}
- /* x := a^((q-1)/2) */
- if (BN_is_zero(t)) /* special case: p = 2^e + 1 */
+ // x := a^((q-1)/2)
+ if (BN_is_zero(t)) // special case: p = 2^e + 1
{
if (!BN_nnmod(t, A, p, ctx)) {
goto end;
}
if (BN_is_zero(t)) {
- /* special case: a == 0 (mod p) */
+ // special case: a == 0 (mod p)
BN_zero(ret);
err = 0;
goto end;
@@ -333,33 +328,32 @@
goto end;
}
if (BN_is_zero(x)) {
- /* special case: a == 0 (mod p) */
+ // special case: a == 0 (mod p)
BN_zero(ret);
err = 0;
goto end;
}
}
- /* b := a*x^2 (= a^q) */
+ // b := a*x^2 (= a^q)
if (!BN_mod_sqr(b, x, p, ctx) ||
!BN_mod_mul(b, b, A, p, ctx)) {
goto end;
}
- /* x := a*x (= a^((q+1)/2)) */
+ // x := a*x (= a^((q+1)/2))
if (!BN_mod_mul(x, x, A, p, ctx)) {
goto end;
}
while (1) {
- /* Now b is a^q * y^k for some even k (0 <= k < 2^E
- * where E refers to the original value of e, which we
- * don't keep in a variable), and x is a^((q+1)/2) * y^(k/2).
- *
- * We have a*b = x^2,
- * y^2^(e-1) = -1,
- * b^2^(e-1) = 1.
- */
+ // Now b is a^q * y^k for some even k (0 <= k < 2^E
+ // where E refers to the original value of e, which we
+ // don't keep in a variable), and x is a^((q+1)/2) * y^(k/2).
+ //
+ // We have a*b = x^2,
+ // y^2^(e-1) = -1,
+ // b^2^(e-1) = 1.
if (BN_is_one(b)) {
if (!BN_copy(ret, x)) {
@@ -370,7 +364,7 @@
}
- /* find smallest i such that b^(2^i) = 1 */
+ // find smallest i such that b^(2^i) = 1
i = 1;
if (!BN_mod_sqr(t, b, p, ctx)) {
goto end;
@@ -387,7 +381,7 @@
}
- /* t := y^2^(e - i - 1) */
+ // t := y^2^(e - i - 1)
if (!BN_copy(t, y)) {
goto end;
}
@@ -406,8 +400,8 @@
vrfy:
if (!err) {
- /* verify the result -- the input might have been not a square
- * (test added in 0.9.8) */
+ // verify the result -- the input might have been not a square
+ // (test added in 0.9.8)
if (!BN_mod_sqr(x, ret, p, ctx)) {
err = 1;
@@ -457,30 +451,30 @@
goto err;
}
- /* We estimate that the square root of an n-bit number is 2^{n/2}. */
+ // We estimate that the square root of an n-bit number is 2^{n/2}.
if (!BN_lshift(estimate, BN_value_one(), BN_num_bits(in)/2)) {
goto err;
}
- /* This is Newton's method for finding a root of the equation |estimate|^2 -
- * |in| = 0. */
+ // This is Newton's method for finding a root of the equation |estimate|^2 -
+ // |in| = 0.
for (;;) {
- /* |estimate| = 1/2 * (|estimate| + |in|/|estimate|) */
+ // |estimate| = 1/2 * (|estimate| + |in|/|estimate|)
if (!BN_div(tmp, NULL, in, estimate, ctx) ||
!BN_add(tmp, tmp, estimate) ||
!BN_rshift1(estimate, tmp) ||
- /* |tmp| = |estimate|^2 */
+ // |tmp| = |estimate|^2
!BN_sqr(tmp, estimate, ctx) ||
- /* |delta| = |in| - |tmp| */
+ // |delta| = |in| - |tmp|
!BN_sub(delta, in, tmp)) {
OPENSSL_PUT_ERROR(BN, ERR_R_BN_LIB);
goto err;
}
delta->neg = 0;
- /* The difference between |in| and |estimate| squared is required to always
- * decrease. This ensures that the loop always terminates, but I don't have
- * a proof that it always finds the square root for a given square. */
+ // The difference between |in| and |estimate| squared is required to always
+ // decrease. This ensures that the loop always terminates, but I don't have
+ // a proof that it always finds the square root for a given square.
if (last_delta_valid && BN_cmp(delta, last_delta) >= 0) {
break;
}
diff --git a/src/crypto/fipsmodule/cipher/aead.c b/src/crypto/fipsmodule/cipher/aead.c
index ed30209..8d2ad04 100644
--- a/src/crypto/fipsmodule/cipher/aead.c
+++ b/src/crypto/fipsmodule/cipher/aead.c
@@ -101,8 +101,8 @@
ctx->aead = NULL;
}
-/* check_alias returns 1 if |out| is compatible with |in| and 0 otherwise. If
- * |in| and |out| alias, we require that |in| == |out|. */
+// check_alias returns 1 if |out| is compatible with |in| and 0 otherwise. If
+// |in| and |out| alias, we require that |in| == |out|.
static int check_alias(const uint8_t *in, size_t in_len, const uint8_t *out,
size_t out_len) {
if (!buffers_alias(in, in_len, out, out_len)) {
@@ -140,8 +140,8 @@
}
error:
- /* In the event of an error, clear the output buffer so that a caller
- * that doesn't check the return value doesn't send raw data. */
+ // In the event of an error, clear the output buffer so that a caller
+ // that doesn't check the return value doesn't send raw data.
OPENSSL_memset(out, 0, max_out_len);
*out_len = 0;
return 0;
@@ -172,8 +172,8 @@
}
error:
- /* In the event of an error, clear the output buffer so that a caller
- * that doesn't check the return value doesn't send raw data. */
+ // In the event of an error, clear the output buffer so that a caller
+ // that doesn't check the return value doesn't send raw data.
OPENSSL_memset(out, 0, in_len);
OPENSSL_memset(out_tag, 0, max_out_tag_len);
*out_tag_len = 0;
@@ -218,9 +218,9 @@
}
error:
- /* In the event of an error, clear the output buffer so that a caller
- * that doesn't check the return value doesn't try and process bad
- * data. */
+ // In the event of an error, clear the output buffer so that a caller
+ // that doesn't check the return value doesn't try and process bad
+ // data.
OPENSSL_memset(out, 0, max_out_len);
*out_len = 0;
return 0;
@@ -247,9 +247,9 @@
}
error:
- /* In the event of an error, clear the output buffer so that a caller
- * that doesn't check the return value doesn't try and process bad
- * data. */
+ // In the event of an error, clear the output buffer so that a caller
+ // that doesn't check the return value doesn't try and process bad
+ // data.
OPENSSL_memset(out, 0, in_len);
return 0;
}
diff --git a/src/crypto/fipsmodule/cipher/cipher.c b/src/crypto/fipsmodule/cipher/cipher.c
index d116715..8f0d788 100644
--- a/src/crypto/fipsmodule/cipher/cipher.c
+++ b/src/crypto/fipsmodule/cipher/cipher.c
@@ -141,12 +141,12 @@
}
if (cipher) {
- /* Ensure a context left from last time is cleared (the previous check
- * attempted to avoid this if the same ENGINE and EVP_CIPHER could be
- * used). */
+ // Ensure a context left from last time is cleared (the previous check
+ // attempted to avoid this if the same ENGINE and EVP_CIPHER could be
+ // used).
if (ctx->cipher) {
EVP_CIPHER_CTX_cleanup(ctx);
- /* Restore encrypt and flags */
+ // Restore encrypt and flags
ctx->encrypt = enc;
}
@@ -177,7 +177,7 @@
return 0;
}
- /* we assume block size is a power of 2 in *cryptUpdate */
+ // we assume block size is a power of 2 in *cryptUpdate
assert(ctx->cipher->block_size == 1 || ctx->cipher->block_size == 8 ||
ctx->cipher->block_size == 16);
@@ -189,7 +189,7 @@
case EVP_CIPH_CFB_MODE:
ctx->num = 0;
- /* fall-through */
+ // fall-through
case EVP_CIPH_CBC_MODE:
assert(EVP_CIPHER_CTX_iv_length(ctx) <= sizeof(ctx->iv));
@@ -202,7 +202,7 @@
case EVP_CIPH_CTR_MODE:
case EVP_CIPH_OFB_MODE:
ctx->num = 0;
- /* Don't reuse IV for CTR mode */
+ // Don't reuse IV for CTR mode
if (iv) {
OPENSSL_memcpy(ctx->iv, iv, EVP_CIPHER_CTX_iv_length(ctx));
}
@@ -388,8 +388,8 @@
return 0;
}
- /* if we have 'decrypted' a multiple of block size, make sure
- * we have a copy of this last block */
+ // if we have 'decrypted' a multiple of block size, make sure
+ // we have a copy of this last block
if (b > 1 && !ctx->buf_len) {
*out_len -= b;
ctx->final_used = 1;
@@ -437,8 +437,8 @@
}
assert(b <= sizeof(ctx->final));
- /* The following assumes that the ciphertext has been authenticated.
- * Otherwise it provides a padding oracle. */
+ // The following assumes that the ciphertext has been authenticated.
+ // Otherwise it provides a padding oracle.
n = ctx->final[b - 1];
if (n == 0 || n > (int)b) {
OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_BAD_DECRYPT);
diff --git a/src/crypto/fipsmodule/cipher/e_aes.c b/src/crypto/fipsmodule/cipher/e_aes.c
index 2c6fc41..bd9847c 100644
--- a/src/crypto/fipsmodule/cipher/e_aes.c
+++ b/src/crypto/fipsmodule/cipher/e_aes.c
@@ -68,7 +68,7 @@
#endif
-OPENSSL_MSVC_PRAGMA(warning(disable: 4702)) /* Unreachable code. */
+OPENSSL_MSVC_PRAGMA(warning(disable: 4702)) // Unreachable code.
typedef struct {
union {
@@ -86,14 +86,14 @@
union {
double align;
AES_KEY ks;
- } ks; /* AES key schedule to use */
- int key_set; /* Set if key initialised */
- int iv_set; /* Set if an iv is set */
+ } ks; // AES key schedule to use
+ int key_set; // Set if key initialised
+ int iv_set; // Set if an iv is set
GCM128_CONTEXT gcm;
- uint8_t *iv; /* Temporary IV store */
- int ivlen; /* IV length */
+ uint8_t *iv; // Temporary IV store
+ int ivlen; // IV length
int taglen;
- int iv_gen; /* It is OK to generate IVs */
+ int iv_gen; // It is OK to generate IVs
ctr128_f ctr;
} EVP_AES_GCM_CTX;
@@ -125,8 +125,8 @@
#if defined(BSAES)
-/* On platforms where BSAES gets defined (just above), then these functions are
- * provided by asm. */
+// On platforms where BSAES gets defined (just above), then these functions are
+// provided by asm.
void bsaes_cbc_encrypt(const uint8_t *in, uint8_t *out, size_t length,
const AES_KEY *key, uint8_t ivec[16], int enc);
void bsaes_ctr32_encrypt_blocks(const uint8_t *in, uint8_t *out, size_t len,
@@ -136,8 +136,8 @@
return 0;
}
-/* On other platforms, bsaes_capable() will always return false and so the
- * following will never be called. */
+// On other platforms, bsaes_capable() will always return false and so the
+// following will never be called.
static void bsaes_cbc_encrypt(const uint8_t *in, uint8_t *out, size_t length,
const AES_KEY *key, uint8_t ivec[16], int enc) {
abort();
@@ -151,8 +151,8 @@
#endif
#if defined(VPAES)
-/* On platforms where VPAES gets defined (just above), then these functions are
- * provided by asm. */
+// On platforms where VPAES gets defined (just above), then these functions are
+// provided by asm.
int vpaes_set_encrypt_key(const uint8_t *userKey, int bits, AES_KEY *key);
int vpaes_set_decrypt_key(const uint8_t *userKey, int bits, AES_KEY *key);
@@ -166,8 +166,8 @@
return 0;
}
-/* On other platforms, vpaes_capable() will always return false and so the
- * following will never be called. */
+// On other platforms, vpaes_capable() will always return false and so the
+// following will never be called.
static int vpaes_set_encrypt_key(const uint8_t *userKey, int bits,
AES_KEY *key) {
abort();
@@ -203,8 +203,8 @@
#else
-/* On other platforms, aesni_capable() will always return false and so the
- * following will never be called. */
+// On other platforms, aesni_capable() will always return false and so the
+// following will never be called.
static void aesni_encrypt(const uint8_t *in, uint8_t *out, const AES_KEY *key) {
abort();
}
@@ -404,7 +404,7 @@
if (key) {
gctx->ctr =
aes_ctr_set_key(&gctx->ks.ks, &gctx->gcm, NULL, key, ctx->key_len);
- /* If we have an iv can set it directly, otherwise use saved IV. */
+ // If we have an iv can set it directly, otherwise use saved IV.
if (iv == NULL && gctx->iv_set) {
iv = gctx->iv;
}
@@ -414,7 +414,7 @@
}
gctx->key_set = 1;
} else {
- /* If key set use IV, otherwise copy */
+ // If key set use IV, otherwise copy
if (gctx->key_set) {
CRYPTO_gcm128_setiv(&gctx->gcm, &gctx->ks.ks, iv, gctx->ivlen);
} else {
@@ -434,7 +434,7 @@
}
}
-/* increment counter (64-bit int) by 1 */
+// increment counter (64-bit int) by 1
static void ctr64_inc(uint8_t *counter) {
int n = 8;
uint8_t c;
@@ -467,7 +467,7 @@
return 0;
}
- /* Allocate memory for IV if needed */
+ // Allocate memory for IV if needed
if (arg > EVP_MAX_IV_LENGTH && arg > gctx->ivlen) {
if (gctx->iv != c->iv) {
OPENSSL_free(gctx->iv);
@@ -496,14 +496,14 @@
return 1;
case EVP_CTRL_GCM_SET_IV_FIXED:
- /* Special case: -1 length restores whole IV */
+ // Special case: -1 length restores whole IV
if (arg == -1) {
OPENSSL_memcpy(gctx->iv, ptr, gctx->ivlen);
gctx->iv_gen = 1;
return 1;
}
- /* Fixed field must be at least 4 bytes and invocation field
- * at least 8. */
+ // Fixed field must be at least 4 bytes and invocation field
+ // at least 8.
if (arg < 4 || (gctx->ivlen - arg) < 8) {
return 0;
}
@@ -525,9 +525,9 @@
arg = gctx->ivlen;
}
OPENSSL_memcpy(ptr, gctx->iv + gctx->ivlen - arg, arg);
- /* Invocation field will be at least 8 bytes in size and
- * so no need to check wrap around or increment more than
- * last 8 bytes. */
+ // Invocation field will be at least 8 bytes in size and
+ // so no need to check wrap around or increment more than
+ // last 8 bytes.
ctr64_inc(gctx->iv + gctx->ivlen - 8);
gctx->iv_set = 1;
return 1;
@@ -565,7 +565,7 @@
size_t len) {
EVP_AES_GCM_CTX *gctx = ctx->cipher_data;
- /* If not set up, return error */
+ // If not set up, return error
if (!gctx->key_set) {
return -1;
}
@@ -613,7 +613,7 @@
}
CRYPTO_gcm128_tag(&gctx->gcm, ctx->buf, 16);
gctx->taglen = 16;
- /* Don't reuse the IV */
+ // Don't reuse the IV
gctx->iv_set = 0;
return 0;
}
@@ -813,7 +813,7 @@
#if !defined(OPENSSL_NO_ASM) && \
(defined(OPENSSL_X86_64) || defined(OPENSSL_X86))
-/* AES-NI section. */
+// AES-NI section.
static char aesni_capable(void) {
return (OPENSSL_ia32cap_P[1] & (1 << (57 - 32))) != 0;
@@ -880,8 +880,8 @@
aesni_set_encrypt_key(key, ctx->key_len * 8, &gctx->ks.ks);
CRYPTO_gcm128_init(&gctx->gcm, &gctx->ks, (block128_f)aesni_encrypt, 1);
gctx->ctr = (ctr128_f)aesni_ctr32_encrypt_blocks;
- /* If we have an iv can set it directly, otherwise use
- * saved IV. */
+ // If we have an iv can set it directly, otherwise use
+ // saved IV.
if (iv == NULL && gctx->iv_set) {
iv = gctx->iv;
}
@@ -891,7 +891,7 @@
}
gctx->key_set = 1;
} else {
- /* If key set use IV, otherwise copy */
+ // If key set use IV, otherwise copy
if (gctx->key_set) {
CRYPTO_gcm128_setiv(&gctx->gcm, &gctx->ks.ks, iv, gctx->ivlen);
} else {
@@ -1104,7 +1104,7 @@
} \
}
-#else /* ^^^ OPENSSL_X86_64 || OPENSSL_X86 */
+#else // ^^^ OPENSSL_X86_64 || OPENSSL_X86
static char aesni_capable(void) {
return 0;
@@ -1158,7 +1158,7 @@
if (key_bits != 128 && key_bits != 256) {
OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_BAD_KEY_LENGTH);
- return 0; /* EVP_AEAD_CTX_init should catch this. */
+ return 0; // EVP_AEAD_CTX_init should catch this.
}
if (tag_len == EVP_AEAD_DEFAULT_TAG_LENGTH) {
diff --git a/src/crypto/fipsmodule/cipher/internal.h b/src/crypto/fipsmodule/cipher/internal.h
index 02335e0..7b5f23f 100644
--- a/src/crypto/fipsmodule/cipher/internal.h
+++ b/src/crypto/fipsmodule/cipher/internal.h
@@ -70,10 +70,10 @@
#endif
-/* EVP_CIPH_MODE_MASK contains the bits of |flags| that represent the mode. */
+// EVP_CIPH_MODE_MASK contains the bits of |flags| that represent the mode.
#define EVP_CIPH_MODE_MASK 0x3f
-/* EVP_AEAD represents a specific AEAD algorithm. */
+// EVP_AEAD represents a specific AEAD algorithm.
struct evp_aead_st {
uint8_t key_len;
uint8_t nonce_len;
@@ -81,8 +81,8 @@
uint8_t max_tag_len;
int seal_scatter_supports_extra_in;
- /* init initialises an |EVP_AEAD_CTX|. If this call returns zero then
- * |cleanup| will not be called for that context. */
+ // init initialises an |EVP_AEAD_CTX|. If this call returns zero then
+ // |cleanup| will not be called for that context.
int (*init)(EVP_AEAD_CTX *, const uint8_t *key, size_t key_len,
size_t tag_len);
int (*init_with_direction)(EVP_AEAD_CTX *, const uint8_t *key, size_t key_len,
@@ -112,18 +112,18 @@
size_t extra_in_len);
};
-/* aes_ctr_set_key initialises |*aes_key| using |key_bytes| bytes from |key|,
- * where |key_bytes| must either be 16, 24 or 32. If not NULL, |*out_block| is
- * set to a function that encrypts single blocks. If not NULL, |*gcm_ctx| is
- * initialised to do GHASH with the given key. It returns a function for
- * optimised CTR-mode, or NULL if CTR-mode should be built using
- * |*out_block|. */
+// aes_ctr_set_key initialises |*aes_key| using |key_bytes| bytes from |key|,
+// where |key_bytes| must either be 16, 24 or 32. If not NULL, |*out_block| is
+// set to a function that encrypts single blocks. If not NULL, |*gcm_ctx| is
+// initialised to do GHASH with the given key. It returns a function for
+// optimised CTR-mode, or NULL if CTR-mode should be built using
+// |*out_block|.
ctr128_f aes_ctr_set_key(AES_KEY *aes_key, GCM128_CONTEXT *gcm_ctx,
block128_f *out_block, const uint8_t *key,
size_t key_bytes);
#if defined(__cplusplus)
-} /* extern C */
+} // extern C
#endif
-#endif /* OPENSSL_HEADER_CIPHER_INTERNAL_H */
+#endif // OPENSSL_HEADER_CIPHER_INTERNAL_H
diff --git a/src/crypto/fipsmodule/delocate.h b/src/crypto/fipsmodule/delocate.h
index 0153a4e..065a21c 100644
--- a/src/crypto/fipsmodule/delocate.h
+++ b/src/crypto/fipsmodule/delocate.h
@@ -24,12 +24,12 @@
#define DEFINE_BSS_GET(type, name) \
static type name __attribute__((used)); \
type *name##_bss_get(void);
-/* For FIPS builds we require that CRYPTO_ONCE_INIT be zero. */
+// For FIPS builds we require that CRYPTO_ONCE_INIT be zero.
#define DEFINE_STATIC_ONCE(name) DEFINE_BSS_GET(CRYPTO_once_t, name)
-/* For FIPS builds we require that CRYPTO_STATIC_MUTEX_INIT be zero. */
+// For FIPS builds we require that CRYPTO_STATIC_MUTEX_INIT be zero.
#define DEFINE_STATIC_MUTEX(name) \
DEFINE_BSS_GET(struct CRYPTO_STATIC_MUTEX, name)
-/* For FIPS builds we require that CRYPTO_EX_DATA_CLASS_INIT be zero. */
+// For FIPS builds we require that CRYPTO_EX_DATA_CLASS_INIT be zero.
#define DEFINE_STATIC_EX_DATA_CLASS(name) \
DEFINE_BSS_GET(CRYPTO_EX_DATA_CLASS, name)
#else
@@ -60,29 +60,29 @@
} \
static void name##_do_init(type *out)
-/* DEFINE_METHOD_FUNCTION defines a function named |name| which returns a
- * method table of type const |type|*. In FIPS mode, to avoid rel.ro data, it
- * is split into a CRYPTO_once_t-guarded initializer in the module and
- * unhashed, non-module accessor functions to space reserved in the BSS. The
- * method table is initialized by a caller-supplied function which takes a
- * parameter named |out| of type |type|*. The caller should follow the macro
- * invocation with the body of this function:
- *
- * DEFINE_METHOD_FUNCTION(EVP_MD, EVP_md4) {
- * out->type = NID_md4;
- * out->md_size = MD4_DIGEST_LENGTH;
- * out->flags = 0;
- * out->init = md4_init;
- * out->update = md4_update;
- * out->final = md4_final;
- * out->block_size = 64;
- * out->ctx_size = sizeof(MD4_CTX);
- * }
- *
- * This mechanism does not use a static initializer because their execution
- * order is undefined. See FIPS.md for more details. */
+// DEFINE_METHOD_FUNCTION defines a function named |name| which returns a
+// method table of type const |type|*. In FIPS mode, to avoid rel.ro data, it
+// is split into a CRYPTO_once_t-guarded initializer in the module and
+// unhashed, non-module accessor functions to space reserved in the BSS. The
+// method table is initialized by a caller-supplied function which takes a
+// parameter named |out| of type |type|*. The caller should follow the macro
+// invocation with the body of this function:
+//
+// DEFINE_METHOD_FUNCTION(EVP_MD, EVP_md4) {
+// out->type = NID_md4;
+// out->md_size = MD4_DIGEST_LENGTH;
+// out->flags = 0;
+// out->init = md4_init;
+// out->update = md4_update;
+// out->final = md4_final;
+// out->block_size = 64;
+// out->ctx_size = sizeof(MD4_CTX);
+// }
+//
+// This mechanism does not use a static initializer because their execution
+// order is undefined. See FIPS.md for more details.
#define DEFINE_METHOD_FUNCTION(type, name) DEFINE_DATA(type, name, const)
#define DEFINE_LOCAL_DATA(type, name) DEFINE_DATA(type, name, static const)
-#endif /* OPENSSL_HEADER_FIPSMODULE_DELOCATE_H */
+#endif // OPENSSL_HEADER_FIPSMODULE_DELOCATE_H
diff --git a/src/crypto/fipsmodule/des/des.c b/src/crypto/fipsmodule/des/des.c
index a6c177c..2b0fdcd 100644
--- a/src/crypto/fipsmodule/des/des.c
+++ b/src/crypto/fipsmodule/des/des.c
@@ -62,7 +62,7 @@
static const uint32_t des_skb[8][64] = {
- {/* for C bits (numbered as per FIPS 46) 1 2 3 4 5 6 */
+ { // for C bits (numbered as per FIPS 46) 1 2 3 4 5 6
0x00000000L, 0x00000010L, 0x20000000L, 0x20000010L, 0x00010000L,
0x00010010L, 0x20010000L, 0x20010010L, 0x00000800L, 0x00000810L,
0x20000800L, 0x20000810L, 0x00010800L, 0x00010810L, 0x20010800L,
@@ -76,7 +76,7 @@
0x20080020L, 0x20080030L, 0x00090020L, 0x00090030L, 0x20090020L,
0x20090030L, 0x00080820L, 0x00080830L, 0x20080820L, 0x20080830L,
0x00090820L, 0x00090830L, 0x20090820L, 0x20090830L, },
- {/* for C bits (numbered as per FIPS 46) 7 8 10 11 12 13 */
+ { // for C bits (numbered as per FIPS 46) 7 8 10 11 12 13
0x00000000L, 0x02000000L, 0x00002000L, 0x02002000L, 0x00200000L,
0x02200000L, 0x00202000L, 0x02202000L, 0x00000004L, 0x02000004L,
0x00002004L, 0x02002004L, 0x00200004L, 0x02200004L, 0x00202004L,
@@ -90,7 +90,7 @@
0x10002400L, 0x12002400L, 0x10200400L, 0x12200400L, 0x10202400L,
0x12202400L, 0x10000404L, 0x12000404L, 0x10002404L, 0x12002404L,
0x10200404L, 0x12200404L, 0x10202404L, 0x12202404L, },
- {/* for C bits (numbered as per FIPS 46) 14 15 16 17 19 20 */
+ { // for C bits (numbered as per FIPS 46) 14 15 16 17 19 20
0x00000000L, 0x00000001L, 0x00040000L, 0x00040001L, 0x01000000L,
0x01000001L, 0x01040000L, 0x01040001L, 0x00000002L, 0x00000003L,
0x00040002L, 0x00040003L, 0x01000002L, 0x01000003L, 0x01040002L,
@@ -104,7 +104,7 @@
0x08040200L, 0x08040201L, 0x09000200L, 0x09000201L, 0x09040200L,
0x09040201L, 0x08000202L, 0x08000203L, 0x08040202L, 0x08040203L,
0x09000202L, 0x09000203L, 0x09040202L, 0x09040203L, },
- {/* for C bits (numbered as per FIPS 46) 21 23 24 26 27 28 */
+ { // for C bits (numbered as per FIPS 46) 21 23 24 26 27 28
0x00000000L, 0x00100000L, 0x00000100L, 0x00100100L, 0x00000008L,
0x00100008L, 0x00000108L, 0x00100108L, 0x00001000L, 0x00101000L,
0x00001100L, 0x00101100L, 0x00001008L, 0x00101008L, 0x00001108L,
@@ -118,7 +118,7 @@
0x04020100L, 0x04120100L, 0x04020008L, 0x04120008L, 0x04020108L,
0x04120108L, 0x04021000L, 0x04121000L, 0x04021100L, 0x04121100L,
0x04021008L, 0x04121008L, 0x04021108L, 0x04121108L, },
- {/* for D bits (numbered as per FIPS 46) 1 2 3 4 5 6 */
+ { // for D bits (numbered as per FIPS 46) 1 2 3 4 5 6
0x00000000L, 0x10000000L, 0x00010000L, 0x10010000L, 0x00000004L,
0x10000004L, 0x00010004L, 0x10010004L, 0x20000000L, 0x30000000L,
0x20010000L, 0x30010000L, 0x20000004L, 0x30000004L, 0x20010004L,
@@ -132,7 +132,7 @@
0x00111000L, 0x10111000L, 0x00101004L, 0x10101004L, 0x00111004L,
0x10111004L, 0x20101000L, 0x30101000L, 0x20111000L, 0x30111000L,
0x20101004L, 0x30101004L, 0x20111004L, 0x30111004L, },
- {/* for D bits (numbered as per FIPS 46) 8 9 11 12 13 14 */
+ { // for D bits (numbered as per FIPS 46) 8 9 11 12 13 14
0x00000000L, 0x08000000L, 0x00000008L, 0x08000008L, 0x00000400L,
0x08000400L, 0x00000408L, 0x08000408L, 0x00020000L, 0x08020000L,
0x00020008L, 0x08020008L, 0x00020400L, 0x08020400L, 0x00020408L,
@@ -146,7 +146,7 @@
0x02000009L, 0x0A000009L, 0x02000401L, 0x0A000401L, 0x02000409L,
0x0A000409L, 0x02020001L, 0x0A020001L, 0x02020009L, 0x0A020009L,
0x02020401L, 0x0A020401L, 0x02020409L, 0x0A020409L, },
- {/* for D bits (numbered as per FIPS 46) 16 17 18 19 20 21 */
+ { // for D bits (numbered as per FIPS 46) 16 17 18 19 20 21
0x00000000L, 0x00000100L, 0x00080000L, 0x00080100L, 0x01000000L,
0x01000100L, 0x01080000L, 0x01080100L, 0x00000010L, 0x00000110L,
0x00080010L, 0x00080110L, 0x01000010L, 0x01000110L, 0x01080010L,
@@ -160,7 +160,7 @@
0x00280200L, 0x00280300L, 0x01200200L, 0x01200300L, 0x01280200L,
0x01280300L, 0x00200210L, 0x00200310L, 0x00280210L, 0x00280310L,
0x01200210L, 0x01200310L, 0x01280210L, 0x01280310L, },
- {/* for D bits (numbered as per FIPS 46) 22 23 24 25 27 28 */
+ { // for D bits (numbered as per FIPS 46) 22 23 24 25 27 28
0x00000000L, 0x04000000L, 0x00040000L, 0x04040000L, 0x00000002L,
0x04000002L, 0x00040002L, 0x04040002L, 0x00002000L, 0x04002000L,
0x00042000L, 0x04042000L, 0x00002002L, 0x04002002L, 0x00042002L,
@@ -176,7 +176,7 @@
0x00002822L, 0x04002822L, 0x00042822L, 0x04042822L, }};
static const uint32_t DES_SPtrans[8][64] = {
- {/* nibble 0 */
+ { // nibble 0
0x02080800L, 0x00080000L, 0x02000002L, 0x02080802L, 0x02000000L,
0x00080802L, 0x00080002L, 0x02000002L, 0x00080802L, 0x02080800L,
0x02080000L, 0x00000802L, 0x02000802L, 0x02000000L, 0x00000000L,
@@ -190,7 +190,7 @@
0x02080000L, 0x02000802L, 0x02000000L, 0x00000802L, 0x00080002L,
0x00000000L, 0x00080000L, 0x02000000L, 0x02000802L, 0x02080800L,
0x00000002L, 0x02080002L, 0x00000800L, 0x00080802L, },
- {/* nibble 1 */
+ { // nibble 1
0x40108010L, 0x00000000L, 0x00108000L, 0x40100000L, 0x40000010L,
0x00008010L, 0x40008000L, 0x00108000L, 0x00008000L, 0x40100010L,
0x00000010L, 0x40008000L, 0x00100010L, 0x40108000L, 0x40100000L,
@@ -204,7 +204,7 @@
0x00000000L, 0x40000010L, 0x00000010L, 0x40108010L, 0x00108000L,
0x40100000L, 0x40100010L, 0x00100000L, 0x00008010L, 0x40008000L,
0x40008010L, 0x00000010L, 0x40100000L, 0x00108000L, },
- {/* nibble 2 */
+ { // nibble 2
0x04000001L, 0x04040100L, 0x00000100L, 0x04000101L, 0x00040001L,
0x04000000L, 0x04000101L, 0x00040100L, 0x04000100L, 0x00040000L,
0x04040000L, 0x00000001L, 0x04040101L, 0x00000101L, 0x00000001L,
@@ -218,7 +218,7 @@
0x04000000L, 0x04040101L, 0x00040000L, 0x04000100L, 0x04000101L,
0x00040100L, 0x04000100L, 0x00000000L, 0x04040001L, 0x00000101L,
0x04000001L, 0x00040101L, 0x00000100L, 0x04040000L, },
- {/* nibble 3 */
+ { // nibble 3
0x00401008L, 0x10001000L, 0x00000008L, 0x10401008L, 0x00000000L,
0x10400000L, 0x10001008L, 0x00400008L, 0x10401000L, 0x10000008L,
0x10000000L, 0x00001008L, 0x10000008L, 0x00401008L, 0x00400000L,
@@ -232,7 +232,7 @@
0x00401008L, 0x00400000L, 0x10401008L, 0x00000008L, 0x10001000L,
0x00401008L, 0x00400008L, 0x00401000L, 0x10400000L, 0x10001008L,
0x00001008L, 0x10000000L, 0x10000008L, 0x10401000L, },
- {/* nibble 4 */
+ { // nibble 4
0x08000000L, 0x00010000L, 0x00000400L, 0x08010420L, 0x08010020L,
0x08000400L, 0x00010420L, 0x08010000L, 0x00010000L, 0x00000020L,
0x08000020L, 0x00010400L, 0x08000420L, 0x08010020L, 0x08010400L,
@@ -246,7 +246,7 @@
0x00000000L, 0x08010420L, 0x08010020L, 0x08010400L, 0x00000420L,
0x00010000L, 0x00010400L, 0x08010020L, 0x08000400L, 0x00000420L,
0x00000020L, 0x00010420L, 0x08010000L, 0x08000020L, },
- {/* nibble 5 */
+ { // nibble 5
0x80000040L, 0x00200040L, 0x00000000L, 0x80202000L, 0x00200040L,
0x00002000L, 0x80002040L, 0x00200000L, 0x00002040L, 0x80202040L,
0x00202000L, 0x80000000L, 0x80002000L, 0x80000040L, 0x80200000L,
@@ -260,7 +260,7 @@
0x00200000L, 0x80002040L, 0x80000040L, 0x80200000L, 0x00202040L,
0x00000000L, 0x00002000L, 0x80000040L, 0x80002040L, 0x80202000L,
0x80200000L, 0x00002040L, 0x00000040L, 0x80200040L, },
- {/* nibble 6 */
+ { // nibble 6
0x00004000L, 0x00000200L, 0x01000200L, 0x01000004L, 0x01004204L,
0x00004004L, 0x00004200L, 0x00000000L, 0x01000000L, 0x01000204L,
0x00000204L, 0x01004000L, 0x00000004L, 0x01004200L, 0x01004000L,
@@ -274,7 +274,7 @@
0x01000200L, 0x00004200L, 0x00000204L, 0x00004000L, 0x01004204L,
0x01000000L, 0x01004200L, 0x00000004L, 0x00004004L, 0x01004204L,
0x01000004L, 0x01004200L, 0x01004000L, 0x00004004L, },
- {/* nibble 7 */
+ { // nibble 7
0x20800080L, 0x20820000L, 0x00020080L, 0x00000000L, 0x20020000L,
0x00800080L, 0x20800000L, 0x20820080L, 0x00000080L, 0x20000000L,
0x00820000L, 0x00020080L, 0x00820080L, 0x20020080L, 0x20000080L,
@@ -305,9 +305,9 @@
c2l(in, c);
c2l(in, d);
- /* do PC1 in 47 simple operations :-)
- * Thanks to John Fletcher (john_fletcher@lccmail.ocf.llnl.gov)
- * for the inspiration. :-) */
+ // do PC1 in 47 simple operations :-)
+ // Thanks to John Fletcher (john_fletcher@lccmail.ocf.llnl.gov)
+ // for the inspiration. :-)
PERM_OP(d, c, t, 4, 0x0f0f0f0fL);
HPERM_OP(c, t, -2, 0xcccc0000L);
HPERM_OP(d, t, -2, 0xcccc0000L);
@@ -328,8 +328,8 @@
}
c &= 0x0fffffffL;
d &= 0x0fffffffL;
- /* could be a few less shifts but I am to lazy at this
- * point in time to investigate */
+ // could be a few less shifts but I am to lazy at this
+ // point in time to investigate
s = des_skb[0][(c) & 0x3f] |
des_skb[1][((c >> 6L) & 0x03) | ((c >> 7L) & 0x3c)] |
des_skb[2][((c >> 13L) & 0x0f) | ((c >> 14L) & 0x30)] |
@@ -340,7 +340,7 @@
des_skb[6][(d >> 15L) & 0x3f] |
des_skb[7][((d >> 21L) & 0x0f) | ((d >> 22L) & 0x30)];
- /* table contained 0213 4657 */
+ // table contained 0213 4657
t2 = ((t << 16L) | (s & 0x0000ffffL)) & 0xffffffffL;
schedule->subkeys[i][0] = ROTATE(t2, 30) & 0xffffffffL;
@@ -385,18 +385,18 @@
l = data[1];
IP(r, l);
- /* Things have been modified so that the initial rotate is done outside
- * the loop. This required the DES_SPtrans values in sp.h to be
- * rotated 1 bit to the right. One perl script later and things have a
- * 5% speed up on a sparc2. Thanks to Richard Outerbridge
- * <71755.204@CompuServe.COM> for pointing this out. */
- /* clear the top bits on machines with 8byte longs */
- /* shift left by 2 */
+ // Things have been modified so that the initial rotate is done outside
+ // the loop. This required the DES_SPtrans values in sp.h to be
+ // rotated 1 bit to the right. One perl script later and things have a
+ // 5% speed up on a sparc2. Thanks to Richard Outerbridge
+ // <71755.204@CompuServe.COM> for pointing this out.
+ // clear the top bits on machines with 8byte longs
+ // shift left by 2
r = ROTATE(r, 29) & 0xffffffffL;
l = ROTATE(l, 29) & 0xffffffffL;
- /* I don't know if it is worth the effort of loop unrolling the
- * inner loop */
+ // I don't know if it is worth the effort of loop unrolling the
+ // inner loop
if (enc) {
D_ENCRYPT(ks, l, r, 0);
D_ENCRYPT(ks, r, l, 1);
@@ -433,7 +433,7 @@
D_ENCRYPT(ks, r, l, 0);
}
- /* rotate and clear the top bits on machines with 8byte longs */
+ // rotate and clear the top bits on machines with 8byte longs
l = ROTATE(l, 3) & 0xffffffffL;
r = ROTATE(r, 3) & 0xffffffffL;
@@ -448,17 +448,17 @@
r = data[0];
l = data[1];
- /* Things have been modified so that the initial rotate is done outside the
- * loop. This required the DES_SPtrans values in sp.h to be rotated 1 bit to
- * the right. One perl script later and things have a 5% speed up on a
- * sparc2. Thanks to Richard Outerbridge <71755.204@CompuServe.COM> for
- * pointing this out. */
- /* clear the top bits on machines with 8byte longs */
+ // Things have been modified so that the initial rotate is done outside the
+ // loop. This required the DES_SPtrans values in sp.h to be rotated 1 bit to
+ // the right. One perl script later and things have a 5% speed up on a
+ // sparc2. Thanks to Richard Outerbridge <71755.204@CompuServe.COM> for
+ // pointing this out.
+ // clear the top bits on machines with 8byte longs
r = ROTATE(r, 29) & 0xffffffffL;
l = ROTATE(l, 29) & 0xffffffffL;
- /* I don't know if it is worth the effort of loop unrolling the
- * inner loop */
+ // I don't know if it is worth the effort of loop unrolling the
+ // inner loop
if (enc) {
D_ENCRYPT(ks, l, r, 0);
D_ENCRYPT(ks, r, l, 1);
@@ -494,7 +494,7 @@
D_ENCRYPT(ks, l, r, 1);
D_ENCRYPT(ks, r, l, 0);
}
- /* rotate and clear the top bits on machines with 8byte longs */
+ // rotate and clear the top bits on machines with 8byte longs
data[0] = ROTATE(l, 3) & 0xffffffffL;
data[1] = ROTATE(r, 3) & 0xffffffffL;
}
@@ -764,7 +764,7 @@
}
-/* Deprecated functions. */
+// Deprecated functions.
void DES_set_key_unchecked(const DES_cblock *key, DES_key_schedule *schedule) {
DES_set_key(key, schedule);
diff --git a/src/crypto/fipsmodule/des/internal.h b/src/crypto/fipsmodule/des/internal.h
index 21eb933..7bfc45b 100644
--- a/src/crypto/fipsmodule/des/internal.h
+++ b/src/crypto/fipsmodule/des/internal.h
@@ -80,7 +80,7 @@
*((c)++) = (unsigned char)(((l) >> 24L) & 0xff); \
} while (0)
-/* NOTE - c is not incremented as per c2l */
+// NOTE - c is not incremented as per c2l
#define c2ln(c, l1, l2, n) \
do { \
(c) += (n); \
@@ -105,7 +105,7 @@
} \
} while (0)
-/* NOTE - c is not incremented as per l2c */
+// NOTE - c is not incremented as per l2c
#define l2cn(l1, l2, c, n) \
do { \
(c) += (n); \
@@ -218,7 +218,7 @@
#if defined(__cplusplus)
-} /* extern C */
+} // extern C
#endif
-#endif /* OPENSSL_HEADER_DES_INTERNAL_H */
+#endif // OPENSSL_HEADER_DES_INTERNAL_H
diff --git a/src/crypto/fipsmodule/digest/digest.c b/src/crypto/fipsmodule/digest/digest.c
index 00e6d4b..f8a0dd2 100644
--- a/src/crypto/fipsmodule/digest/digest.c
+++ b/src/crypto/fipsmodule/digest/digest.c
@@ -123,9 +123,9 @@
}
if (out->digest == in->digest) {
- /* |md_data| will be the correct size in this case so it's removed from
- * |out| at this point so that |EVP_MD_CTX_cleanup| doesn't free it and
- * then it's reused. */
+ // |md_data| will be the correct size in this case so it's removed from
+ // |out| at this point so that |EVP_MD_CTX_cleanup| doesn't free it and
+ // then it's reused.
tmp_buf = out->md_data;
out->md_data = NULL;
}
diff --git a/src/crypto/fipsmodule/digest/internal.h b/src/crypto/fipsmodule/digest/internal.h
index e3d812a..2d06ed0 100644
--- a/src/crypto/fipsmodule/digest/internal.h
+++ b/src/crypto/fipsmodule/digest/internal.h
@@ -65,48 +65,48 @@
struct env_md_st {
- /* type contains a NID identifing the digest function. (For example,
- * NID_md5.) */
+ // type contains a NID identifing the digest function. (For example,
+ // NID_md5.)
int type;
- /* md_size contains the size, in bytes, of the resulting digest. */
+ // md_size contains the size, in bytes, of the resulting digest.
unsigned md_size;
- /* flags contains the OR of |EVP_MD_FLAG_*| values. */
+ // flags contains the OR of |EVP_MD_FLAG_*| values.
uint32_t flags;
- /* init initialises the state in |ctx->md_data|. */
+ // init initialises the state in |ctx->md_data|.
void (*init)(EVP_MD_CTX *ctx);
- /* update hashes |len| bytes of |data| into the state in |ctx->md_data|. */
+ // update hashes |len| bytes of |data| into the state in |ctx->md_data|.
void (*update)(EVP_MD_CTX *ctx, const void *data, size_t count);
- /* final completes the hash and writes |md_size| bytes of digest to |out|. */
+ // final completes the hash and writes |md_size| bytes of digest to |out|.
void (*final)(EVP_MD_CTX *ctx, uint8_t *out);
- /* block_size contains the hash's native block size. */
+ // block_size contains the hash's native block size.
unsigned block_size;
- /* ctx_size contains the size, in bytes, of the state of the hash function. */
+ // ctx_size contains the size, in bytes, of the state of the hash function.
unsigned ctx_size;
};
-/* evp_md_pctx_ops contains function pointers to allow the |pctx| member of
- * |EVP_MD_CTX| to be manipulated without breaking layering by calling EVP
- * functions. */
+// evp_md_pctx_ops contains function pointers to allow the |pctx| member of
+// |EVP_MD_CTX| to be manipulated without breaking layering by calling EVP
+// functions.
struct evp_md_pctx_ops {
- /* free is called when an |EVP_MD_CTX| is being freed and the |pctx| also
- * needs to be freed. */
+ // free is called when an |EVP_MD_CTX| is being freed and the |pctx| also
+ // needs to be freed.
void (*free) (EVP_PKEY_CTX *pctx);
- /* dup is called when an |EVP_MD_CTX| is copied and so the |pctx| also needs
- * to be copied. */
+ // dup is called when an |EVP_MD_CTX| is copied and so the |pctx| also needs
+ // to be copied.
EVP_PKEY_CTX* (*dup) (EVP_PKEY_CTX *pctx);
};
#if defined(__cplusplus)
-} /* extern C */
+} // extern C
#endif
-#endif /* OPENSSL_HEADER_DIGEST_INTERNAL */
+#endif // OPENSSL_HEADER_DIGEST_INTERNAL
diff --git a/src/crypto/fipsmodule/digest/md32_common.h b/src/crypto/fipsmodule/digest/md32_common.h
index 7371629..a0c3665 100644
--- a/src/crypto/fipsmodule/digest/md32_common.h
+++ b/src/crypto/fipsmodule/digest/md32_common.h
@@ -57,56 +57,55 @@
#endif
-/* This is a generic 32-bit "collector" for message digest algorithms. It
- * collects input character stream into chunks of 32-bit values and invokes the
- * block function that performs the actual hash calculations. To make use of
- * this mechanism, the following macros must be defined before including
- * md32_common.h.
- *
- * One of |DATA_ORDER_IS_BIG_ENDIAN| or |DATA_ORDER_IS_LITTLE_ENDIAN| must be
- * defined to specify the byte order of the input stream.
- *
- * |HASH_CBLOCK| must be defined as the integer block size, in bytes.
- *
- * |HASH_CTX| must be defined as the name of the context structure, which must
- * have at least the following members:
- *
- * typedef struct <name>_state_st {
- * uint32_t h[<chaining length> / sizeof(uint32_t)];
- * uint32_t Nl, Nh;
- * uint8_t data[HASH_CBLOCK];
- * unsigned num;
- * ...
- * } <NAME>_CTX;
- *
- * <chaining length> is the output length of the hash in bytes, before
- * any truncation (e.g. 64 for SHA-224 and SHA-256, 128 for SHA-384 and
- * SHA-512).
- *
- * |HASH_UPDATE| must be defined as the name of the "Update" function to
- * generate.
- *
- * |HASH_TRANSFORM| must be defined as the the name of the "Transform"
- * function to generate.
- *
- * |HASH_FINAL| must be defined as the name of "Final" function to generate.
- *
- * |HASH_BLOCK_DATA_ORDER| must be defined as the name of the "Block" function.
- * That function must be implemented manually. It must be capable of operating
- * on *unaligned* input data in its original (data) byte order. It must have
- * this signature:
- *
- * void HASH_BLOCK_DATA_ORDER(uint32_t *state, const uint8_t *data,
- * size_t num);
- *
- * It must update the hash state |state| with |num| blocks of data from |data|,
- * where each block is |HASH_CBLOCK| bytes; i.e. |data| points to a array of
- * |HASH_CBLOCK * num| bytes. |state| points to the |h| member of a |HASH_CTX|,
- * and so will have |<chaining length> / sizeof(uint32_t)| elements.
- *
- * |HASH_MAKE_STRING(c, s)| must be defined as a block statement that converts
- * the hash state |c->h| into the output byte order, storing the result in |s|.
- */
+// This is a generic 32-bit "collector" for message digest algorithms. It
+// collects input character stream into chunks of 32-bit values and invokes the
+// block function that performs the actual hash calculations. To make use of
+// this mechanism, the following macros must be defined before including
+// md32_common.h.
+//
+// One of |DATA_ORDER_IS_BIG_ENDIAN| or |DATA_ORDER_IS_LITTLE_ENDIAN| must be
+// defined to specify the byte order of the input stream.
+//
+// |HASH_CBLOCK| must be defined as the integer block size, in bytes.
+//
+// |HASH_CTX| must be defined as the name of the context structure, which must
+// have at least the following members:
+//
+// typedef struct <name>_state_st {
+// uint32_t h[<chaining length> / sizeof(uint32_t)];
+// uint32_t Nl, Nh;
+// uint8_t data[HASH_CBLOCK];
+// unsigned num;
+// ...
+// } <NAME>_CTX;
+//
+// <chaining length> is the output length of the hash in bytes, before
+// any truncation (e.g. 64 for SHA-224 and SHA-256, 128 for SHA-384 and
+// SHA-512).
+//
+// |HASH_UPDATE| must be defined as the name of the "Update" function to
+// generate.
+//
+// |HASH_TRANSFORM| must be defined as the the name of the "Transform"
+// function to generate.
+//
+// |HASH_FINAL| must be defined as the name of "Final" function to generate.
+//
+// |HASH_BLOCK_DATA_ORDER| must be defined as the name of the "Block" function.
+// That function must be implemented manually. It must be capable of operating
+// on *unaligned* input data in its original (data) byte order. It must have
+// this signature:
+//
+// void HASH_BLOCK_DATA_ORDER(uint32_t *state, const uint8_t *data,
+// size_t num);
+//
+// It must update the hash state |state| with |num| blocks of data from |data|,
+// where each block is |HASH_CBLOCK| bytes; i.e. |data| points to a array of
+// |HASH_CBLOCK * num| bytes. |state| points to the |h| member of a |HASH_CTX|,
+// and so will have |<chaining length> / sizeof(uint32_t)| elements.
+//
+// |HASH_MAKE_STRING(c, s)| must be defined as a block statement that converts
+// the hash state |c->h| into the output byte order, storing the result in |s|.
#if !defined(DATA_ORDER_IS_BIG_ENDIAN) && !defined(DATA_ORDER_IS_LITTLE_ENDIAN)
#error "DATA_ORDER must be defined!"
@@ -173,7 +172,7 @@
*((c)++) = (uint8_t)(((l) >> 24) & 0xff); \
} while (0)
-#endif /* DATA_ORDER */
+#endif // DATA_ORDER
int HASH_UPDATE(HASH_CTX *c, const void *data_, size_t len) {
const uint8_t *data = data_;
@@ -184,7 +183,7 @@
uint32_t l = c->Nl + (((uint32_t)len) << 3);
if (l < c->Nl) {
- /* Handle carries. */
+ // Handle carries.
c->Nh++;
}
c->Nh += (uint32_t)(len >> 29);
@@ -199,7 +198,7 @@
data += n;
len -= n;
c->num = 0;
- /* Keep |c->data| zeroed when unused. */
+ // Keep |c->data| zeroed when unused.
OPENSSL_memset(c->data, 0, HASH_CBLOCK);
} else {
OPENSSL_memcpy(c->data + n, data, len);
@@ -230,14 +229,14 @@
int HASH_FINAL(uint8_t *md, HASH_CTX *c) {
- /* |c->data| always has room for at least one byte. A full block would have
- * been consumed. */
+ // |c->data| always has room for at least one byte. A full block would have
+ // been consumed.
size_t n = c->num;
assert(n < HASH_CBLOCK);
c->data[n] = 0x80;
n++;
- /* Fill the block with zeros if there isn't room for a 64-bit length. */
+ // Fill the block with zeros if there isn't room for a 64-bit length.
if (n > (HASH_CBLOCK - 8)) {
OPENSSL_memset(c->data + n, 0, HASH_CBLOCK - n);
n = 0;
@@ -245,7 +244,7 @@
}
OPENSSL_memset(c->data + n, 0, HASH_CBLOCK - 8 - n);
- /* Append a 64-bit length to the block and process it. */
+ // Append a 64-bit length to the block and process it.
uint8_t *p = c->data + HASH_CBLOCK - 8;
#if defined(DATA_ORDER_IS_BIG_ENDIAN)
HOST_l2c(c->Nh, p);
@@ -265,5 +264,5 @@
#if defined(__cplusplus)
-} /* extern C */
+} // extern C
#endif
diff --git a/src/crypto/fipsmodule/ec/asm/p256-x86_64-asm.pl b/src/crypto/fipsmodule/ec/asm/p256-x86_64-asm.pl
index 1ac3d21..7ae2d5e 100755
--- a/src/crypto/fipsmodule/ec/asm/p256-x86_64-asm.pl
+++ b/src/crypto/fipsmodule/ec/asm/p256-x86_64-asm.pl
@@ -54,9 +54,9 @@
open OUT,"| \"$^X\" \"$xlate\" $flavour \"$output\"";
*STDOUT=*OUT;
-# TODO: enable these after testing. $avx goes to two and $addx to one.
-$avx=0;
-$addx=0;
+# TODO(davidben): Set $addx to one once build problems are resolved.
+$avx = 2;
+$addx = 0;
$code.=<<___;
.text
@@ -150,8 +150,9 @@
ecp_nistz256_mul_mont:
___
$code.=<<___ if ($addx);
- mov \$0x80100, %ecx
- and OPENSSL_ia32cap_P+8(%rip), %ecx
+ leaq OPENSSL_ia32cap_P(%rip), %rcx
+ mov 8(%rcx), %rcx
+ and \$0x80100, %ecx
___
$code.=<<___;
.Lmul_mont:
@@ -431,8 +432,9 @@
ecp_nistz256_sqr_mont:
___
$code.=<<___ if ($addx);
- mov \$0x80100, %ecx
- and OPENSSL_ia32cap_P+8(%rip), %ecx
+ leaq OPENSSL_ia32cap_P(%rip), %rcx
+ mov 8(%rcx), %rcx
+ and \$0x80100, %ecx
___
$code.=<<___;
push %rbp
@@ -955,7 +957,8 @@
ecp_nistz256_select_w5:
___
$code.=<<___ if ($avx>1);
- mov OPENSSL_ia32cap_P+8(%rip), %eax
+ leaq OPENSSL_ia32cap_P(%rip), %rax
+ mov 8(%rax), %rax
test \$`1<<5`, %eax
jnz .Lavx2_select_w5
___
@@ -1052,7 +1055,8 @@
ecp_nistz256_select_w7:
___
$code.=<<___ if ($avx>1);
- mov OPENSSL_ia32cap_P+8(%rip), %eax
+ leaq OPENSSL_ia32cap_P(%rip), %rax
+ mov 8(%rax), %rax
test \$`1<<5`, %eax
jnz .Lavx2_select_w7
___
@@ -1555,8 +1559,9 @@
ecp_nistz256_point_double:
___
$code.=<<___ if ($addx);
- mov \$0x80100, %ecx
- and OPENSSL_ia32cap_P+8(%rip), %ecx
+ leaq OPENSSL_ia32cap_P(%rip), %rcx
+ mov 8(%rcx), %rcx
+ and \$0x80100, %ecx
cmp \$0x80100, %ecx
je .Lpoint_doublex
___
@@ -1785,8 +1790,9 @@
ecp_nistz256_point_add:
___
$code.=<<___ if ($addx);
- mov \$0x80100, %ecx
- and OPENSSL_ia32cap_P+8(%rip), %ecx
+ leaq OPENSSL_ia32cap_P(%rip), %rcx
+ mov 8(%rcx), %rcx
+ and \$0x80100, %ecx
cmp \$0x80100, %ecx
je .Lpoint_addx
___
@@ -2152,8 +2158,9 @@
ecp_nistz256_point_add_affine:
___
$code.=<<___ if ($addx);
- mov \$0x80100, %ecx
- and OPENSSL_ia32cap_P+8(%rip), %ecx
+ leaq OPENSSL_ia32cap_P(%rip), %rcx
+ mov 8(%rcx), %rcx
+ and \$0x80100, %ecx
cmp \$0x80100, %ecx
je .Lpoint_add_affinex
___
diff --git a/src/crypto/fipsmodule/ec/ec.c b/src/crypto/fipsmodule/ec/ec.c
index ef81634..d82e58f 100644
--- a/src/crypto/fipsmodule/ec/ec.c
+++ b/src/crypto/fipsmodule/ec/ec.c
@@ -81,86 +81,86 @@
static const uint8_t kP224Params[6 * 28] = {
- /* p */
+ // p
0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
0xFF, 0xFF, 0xFF, 0xFF, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x01,
- /* a */
+ // a
0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
0xFF, 0xFF, 0xFF, 0xFE, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
0xFF, 0xFF, 0xFF, 0xFE,
- /* b */
+ // b
0xB4, 0x05, 0x0A, 0x85, 0x0C, 0x04, 0xB3, 0xAB, 0xF5, 0x41, 0x32, 0x56,
0x50, 0x44, 0xB0, 0xB7, 0xD7, 0xBF, 0xD8, 0xBA, 0x27, 0x0B, 0x39, 0x43,
0x23, 0x55, 0xFF, 0xB4,
- /* x */
+ // x
0xB7, 0x0E, 0x0C, 0xBD, 0x6B, 0xB4, 0xBF, 0x7F, 0x32, 0x13, 0x90, 0xB9,
0x4A, 0x03, 0xC1, 0xD3, 0x56, 0xC2, 0x11, 0x22, 0x34, 0x32, 0x80, 0xD6,
0x11, 0x5C, 0x1D, 0x21,
- /* y */
+ // y
0xbd, 0x37, 0x63, 0x88, 0xb5, 0xf7, 0x23, 0xfb, 0x4c, 0x22, 0xdf, 0xe6,
0xcd, 0x43, 0x75, 0xa0, 0x5a, 0x07, 0x47, 0x64, 0x44, 0xd5, 0x81, 0x99,
0x85, 0x00, 0x7e, 0x34,
- /* order */
+ // order
0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
0xFF, 0xFF, 0x16, 0xA2, 0xE0, 0xB8, 0xF0, 0x3E, 0x13, 0xDD, 0x29, 0x45,
0x5C, 0x5C, 0x2A, 0x3D,
};
static const uint8_t kP256Params[6 * 32] = {
- /* p */
+ // p
0xFF, 0xFF, 0xFF, 0xFF, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xFF, 0xFF, 0xFF, 0xFF,
0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
- /* a */
+ // a
0xFF, 0xFF, 0xFF, 0xFF, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xFF, 0xFF, 0xFF, 0xFF,
0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFC,
- /* b */
+ // b
0x5A, 0xC6, 0x35, 0xD8, 0xAA, 0x3A, 0x93, 0xE7, 0xB3, 0xEB, 0xBD, 0x55,
0x76, 0x98, 0x86, 0xBC, 0x65, 0x1D, 0x06, 0xB0, 0xCC, 0x53, 0xB0, 0xF6,
0x3B, 0xCE, 0x3C, 0x3E, 0x27, 0xD2, 0x60, 0x4B,
- /* x */
+ // x
0x6B, 0x17, 0xD1, 0xF2, 0xE1, 0x2C, 0x42, 0x47, 0xF8, 0xBC, 0xE6, 0xE5,
0x63, 0xA4, 0x40, 0xF2, 0x77, 0x03, 0x7D, 0x81, 0x2D, 0xEB, 0x33, 0xA0,
0xF4, 0xA1, 0x39, 0x45, 0xD8, 0x98, 0xC2, 0x96,
- /* y */
+ // y
0x4f, 0xe3, 0x42, 0xe2, 0xfe, 0x1a, 0x7f, 0x9b, 0x8e, 0xe7, 0xeb, 0x4a,
0x7c, 0x0f, 0x9e, 0x16, 0x2b, 0xce, 0x33, 0x57, 0x6b, 0x31, 0x5e, 0xce,
0xcb, 0xb6, 0x40, 0x68, 0x37, 0xbf, 0x51, 0xf5,
- /* order */
+ // order
0xFF, 0xFF, 0xFF, 0xFF, 0x00, 0x00, 0x00, 0x00, 0xFF, 0xFF, 0xFF, 0xFF,
0xFF, 0xFF, 0xFF, 0xFF, 0xBC, 0xE6, 0xFA, 0xAD, 0xA7, 0x17, 0x9E, 0x84,
0xF3, 0xB9, 0xCA, 0xC2, 0xFC, 0x63, 0x25, 0x51,
};
static const uint8_t kP384Params[6 * 48] = {
- /* p */
+ // p
0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFE, 0xFF, 0xFF, 0xFF, 0xFF,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xFF, 0xFF, 0xFF, 0xFF,
- /* a */
+ // a
0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFE, 0xFF, 0xFF, 0xFF, 0xFF,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xFF, 0xFF, 0xFF, 0xFC,
- /* b */
+ // b
0xB3, 0x31, 0x2F, 0xA7, 0xE2, 0x3E, 0xE7, 0xE4, 0x98, 0x8E, 0x05, 0x6B,
0xE3, 0xF8, 0x2D, 0x19, 0x18, 0x1D, 0x9C, 0x6E, 0xFE, 0x81, 0x41, 0x12,
0x03, 0x14, 0x08, 0x8F, 0x50, 0x13, 0x87, 0x5A, 0xC6, 0x56, 0x39, 0x8D,
0x8A, 0x2E, 0xD1, 0x9D, 0x2A, 0x85, 0xC8, 0xED, 0xD3, 0xEC, 0x2A, 0xEF,
- /* x */
+ // x
0xAA, 0x87, 0xCA, 0x22, 0xBE, 0x8B, 0x05, 0x37, 0x8E, 0xB1, 0xC7, 0x1E,
0xF3, 0x20, 0xAD, 0x74, 0x6E, 0x1D, 0x3B, 0x62, 0x8B, 0xA7, 0x9B, 0x98,
0x59, 0xF7, 0x41, 0xE0, 0x82, 0x54, 0x2A, 0x38, 0x55, 0x02, 0xF2, 0x5D,
0xBF, 0x55, 0x29, 0x6C, 0x3A, 0x54, 0x5E, 0x38, 0x72, 0x76, 0x0A, 0xB7,
- /* y */
+ // y
0x36, 0x17, 0xde, 0x4a, 0x96, 0x26, 0x2c, 0x6f, 0x5d, 0x9e, 0x98, 0xbf,
0x92, 0x92, 0xdc, 0x29, 0xf8, 0xf4, 0x1d, 0xbd, 0x28, 0x9a, 0x14, 0x7c,
0xe9, 0xda, 0x31, 0x13, 0xb5, 0xf0, 0xb8, 0xc0, 0x0a, 0x60, 0xb1, 0xce,
0x1d, 0x7e, 0x81, 0x9d, 0x7a, 0x43, 0x1d, 0x7c, 0x90, 0xea, 0x0e, 0x5f,
- /* order */
+ // order
0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
0xC7, 0x63, 0x4D, 0x81, 0xF4, 0x37, 0x2D, 0xDF, 0x58, 0x1A, 0x0D, 0xB2,
@@ -168,42 +168,42 @@
};
static const uint8_t kP521Params[6 * 66] = {
- /* p */
+ // p
0x01, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
- /* a */
+ // a
0x01, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFC,
- /* b */
+ // b
0x00, 0x51, 0x95, 0x3E, 0xB9, 0x61, 0x8E, 0x1C, 0x9A, 0x1F, 0x92, 0x9A,
0x21, 0xA0, 0xB6, 0x85, 0x40, 0xEE, 0xA2, 0xDA, 0x72, 0x5B, 0x99, 0xB3,
0x15, 0xF3, 0xB8, 0xB4, 0x89, 0x91, 0x8E, 0xF1, 0x09, 0xE1, 0x56, 0x19,
0x39, 0x51, 0xEC, 0x7E, 0x93, 0x7B, 0x16, 0x52, 0xC0, 0xBD, 0x3B, 0xB1,
0xBF, 0x07, 0x35, 0x73, 0xDF, 0x88, 0x3D, 0x2C, 0x34, 0xF1, 0xEF, 0x45,
0x1F, 0xD4, 0x6B, 0x50, 0x3F, 0x00,
- /* x */
+ // x
0x00, 0xC6, 0x85, 0x8E, 0x06, 0xB7, 0x04, 0x04, 0xE9, 0xCD, 0x9E, 0x3E,
0xCB, 0x66, 0x23, 0x95, 0xB4, 0x42, 0x9C, 0x64, 0x81, 0x39, 0x05, 0x3F,
0xB5, 0x21, 0xF8, 0x28, 0xAF, 0x60, 0x6B, 0x4D, 0x3D, 0xBA, 0xA1, 0x4B,
0x5E, 0x77, 0xEF, 0xE7, 0x59, 0x28, 0xFE, 0x1D, 0xC1, 0x27, 0xA2, 0xFF,
0xA8, 0xDE, 0x33, 0x48, 0xB3, 0xC1, 0x85, 0x6A, 0x42, 0x9B, 0xF9, 0x7E,
0x7E, 0x31, 0xC2, 0xE5, 0xBD, 0x66,
- /* y */
+ // y
0x01, 0x18, 0x39, 0x29, 0x6a, 0x78, 0x9a, 0x3b, 0xc0, 0x04, 0x5c, 0x8a,
0x5f, 0xb4, 0x2c, 0x7d, 0x1b, 0xd9, 0x98, 0xf5, 0x44, 0x49, 0x57, 0x9b,
0x44, 0x68, 0x17, 0xaf, 0xbd, 0x17, 0x27, 0x3e, 0x66, 0x2c, 0x97, 0xee,
0x72, 0x99, 0x5e, 0xf4, 0x26, 0x40, 0xc5, 0x50, 0xb9, 0x01, 0x3f, 0xad,
0x07, 0x61, 0x35, 0x3c, 0x70, 0x86, 0xa2, 0x72, 0xc2, 0x40, 0x88, 0xbe,
0x94, 0x76, 0x9f, 0xd1, 0x66, 0x50,
- /* order */
+ // order
0x01, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFA, 0x51, 0x86,
@@ -212,15 +212,15 @@
0xB7, 0x1E, 0x91, 0x38, 0x64, 0x09,
};
-/* MSan appears to have a bug that causes code to be miscompiled in opt mode.
- * While that is being looked at, don't run the uint128_t code under MSan. */
+// MSan appears to have a bug that causes code to be miscompiled in opt mode.
+// While that is being looked at, don't run the uint128_t code under MSan.
#if defined(OPENSSL_64_BIT) && !defined(OPENSSL_WINDOWS) && \
!defined(MEMORY_SANITIZER)
#define BORINGSSL_USE_INT128_CODE
#endif
DEFINE_METHOD_FUNCTION(struct built_in_curves, OPENSSL_built_in_curves) {
- /* 1.3.132.0.35 */
+ // 1.3.132.0.35
static const uint8_t kOIDP521[] = {0x2b, 0x81, 0x04, 0x00, 0x23};
out->curves[0].nid = NID_secp521r1;
out->curves[0].oid = kOIDP521;
@@ -230,7 +230,7 @@
out->curves[0].params = kP521Params;
out->curves[0].method = EC_GFp_mont_method();
- /* 1.3.132.0.34 */
+ // 1.3.132.0.34
static const uint8_t kOIDP384[] = {0x2b, 0x81, 0x04, 0x00, 0x22};
out->curves[1].nid = NID_secp384r1;
out->curves[1].oid = kOIDP384;
@@ -240,7 +240,7 @@
out->curves[1].params = kP384Params;
out->curves[1].method = EC_GFp_mont_method();
- /* 1.2.840.10045.3.1.7 */
+ // 1.2.840.10045.3.1.7
static const uint8_t kOIDP256[] = {0x2a, 0x86, 0x48, 0xce,
0x3d, 0x03, 0x01, 0x07};
out->curves[2].nid = NID_X9_62_prime256v1;
@@ -261,7 +261,7 @@
EC_GFp_mont_method();
#endif
- /* 1.3.132.0.33 */
+ // 1.3.132.0.33
static const uint8_t kOIDP224[] = {0x2b, 0x81, 0x04, 0x00, 0x21};
out->curves[3].nid = NID_secp224r1;
out->curves[3].oid = kOIDP224;
@@ -277,9 +277,9 @@
#endif
}
-/* built_in_curve_scalar_field_monts contains Montgomery contexts for
- * performing inversions in the scalar fields of each of the built-in
- * curves. It's protected by |built_in_curve_scalar_field_monts_once|. */
+// built_in_curve_scalar_field_monts contains Montgomery contexts for
+// performing inversions in the scalar fields of each of the built-in
+// curves. It's protected by |built_in_curve_scalar_field_monts_once|.
DEFINE_LOCAL_DATA(BN_MONT_CTX **, built_in_curve_scalar_field_monts) {
const struct built_in_curves *const curves = OPENSSL_built_in_curves();
@@ -386,12 +386,12 @@
int EC_GROUP_set_generator(EC_GROUP *group, const EC_POINT *generator,
const BIGNUM *order, const BIGNUM *cofactor) {
if (group->curve_name != NID_undef || group->generator != NULL) {
- /* |EC_GROUP_set_generator| may only be used with |EC_GROUP|s returned by
- * |EC_GROUP_new_curve_GFp| and may only used once on each group. */
+ // |EC_GROUP_set_generator| may only be used with |EC_GROUP|s returned by
+ // |EC_GROUP_new_curve_GFp| and may only used once on each group.
return 0;
}
- /* Require a cofactor of one for custom curves, which implies prime order. */
+ // Require a cofactor of one for custom curves, which implies prime order.
if (!BN_is_one(cofactor)) {
OPENSSL_PUT_ERROR(EC, EC_R_INVALID_COFACTOR);
return 0;
@@ -456,7 +456,7 @@
const BN_MONT_CTX **monts = *built_in_curve_scalar_field_monts();
if (monts != NULL) {
- group->mont_data = monts[built_in_index];
+ group->order_mont = monts[built_in_index];
}
group->generator = P;
@@ -514,8 +514,8 @@
OPENSSL_free(group);
}
-const BN_MONT_CTX *ec_group_get_mont_data(const EC_GROUP *group) {
- return group->mont_data;
+const BN_MONT_CTX *ec_group_get_order_mont(const EC_GROUP *group) {
+ return group->order_mont;
}
EC_GROUP *EC_GROUP_dup(const EC_GROUP *a) {
@@ -533,7 +533,7 @@
return NULL;
}
- ret->mont_data = a->mont_data;
+ ret->order_mont = a->order_mont;
ret->curve_name = a->curve_name;
if (a->generator != NULL) {
@@ -579,7 +579,7 @@
int EC_GROUP_get_cofactor(const EC_GROUP *group, BIGNUM *cofactor,
BN_CTX *ctx) {
- /* All |EC_GROUP|s have cofactor 1. */
+ // All |EC_GROUP|s have cofactor 1.
return BN_set_word(cofactor, 1);
}
@@ -782,9 +782,9 @@
int EC_POINT_mul(const EC_GROUP *group, EC_POINT *r, const BIGNUM *g_scalar,
const EC_POINT *p, const BIGNUM *p_scalar, BN_CTX *ctx) {
- /* Previously, this function set |r| to the point at infinity if there was
- * nothing to multiply. But, nobody should be calling this function with
- * nothing to multiply in the first place. */
+ // Previously, this function set |r| to the point at infinity if there was
+ // nothing to multiply. But, nobody should be calling this function with
+ // nothing to multiply in the first place.
if ((g_scalar == NULL && p_scalar == NULL) ||
((p == NULL) != (p_scalar == NULL))) {
OPENSSL_PUT_ERROR(EC, ERR_R_PASSED_NULL_PARAMETER);
diff --git a/src/crypto/fipsmodule/ec/ec_key.c b/src/crypto/fipsmodule/ec/ec_key.c
index acabb06..e5e8b1a 100644
--- a/src/crypto/fipsmodule/ec/ec_key.c
+++ b/src/crypto/fipsmodule/ec/ec_key.c
@@ -165,9 +165,9 @@
OPENSSL_PUT_ERROR(EC, ERR_R_PASSED_NULL_PARAMETER);
return NULL;
}
- /* Copy the parameters. */
+ // Copy the parameters.
if (src->group) {
- /* TODO(fork): duplicating the group seems wasteful. */
+ // TODO(fork): duplicating the group seems wasteful.
EC_GROUP_free(dest->group);
dest->group = EC_GROUP_dup(src->group);
if (dest->group == NULL) {
@@ -175,7 +175,7 @@
}
}
- /* Copy the public key. */
+ // Copy the public key.
if (src->pub_key && src->group) {
EC_POINT_free(dest->pub_key);
dest->pub_key = EC_POINT_dup(src->pub_key, src->group);
@@ -184,7 +184,7 @@
}
}
- /* copy the private key */
+ // copy the private key
if (src->priv_key) {
if (dest->priv_key == NULL) {
dest->priv_key = BN_new();
@@ -196,14 +196,14 @@
return NULL;
}
}
- /* copy method/extra data */
+ // copy method/extra data
if (src->ecdsa_meth) {
METHOD_unref(dest->ecdsa_meth);
dest->ecdsa_meth = src->ecdsa_meth;
METHOD_ref(dest->ecdsa_meth);
}
- /* copy the rest */
+ // copy the rest
dest->enc_flag = src->enc_flag;
dest->conv_form = src->conv_form;
@@ -235,13 +235,13 @@
int EC_KEY_set_group(EC_KEY *key, const EC_GROUP *group) {
EC_GROUP_free(key->group);
- /* TODO(fork): duplicating the group seems wasteful but see
- * |EC_KEY_set_conv_form|. */
+ // TODO(fork): duplicating the group seems wasteful but see
+ // |EC_KEY_set_conv_form|.
key->group = EC_GROUP_dup(group);
if (key->group == NULL) {
return 0;
}
- /* XXX: |BN_cmp| is not constant time. */
+ // XXX: |BN_cmp| is not constant time.
if (key->priv_key != NULL &&
BN_cmp(key->priv_key, EC_GROUP_get0_order(group)) >= 0) {
return 0;
@@ -254,7 +254,7 @@
}
int EC_KEY_set_private_key(EC_KEY *key, const BIGNUM *priv_key) {
- /* XXX: |BN_cmp| is not constant time. */
+ // XXX: |BN_cmp| is not constant time.
if (key->group != NULL &&
BN_cmp(priv_key, EC_GROUP_get0_order(key->group)) >= 0) {
OPENSSL_PUT_ERROR(EC, EC_R_WRONG_ORDER);
@@ -310,16 +310,15 @@
goto err;
}
- /* testing whether the pub_key is on the elliptic curve */
+ // testing whether the pub_key is on the elliptic curve
if (!EC_POINT_is_on_curve(eckey->group, eckey->pub_key, ctx)) {
OPENSSL_PUT_ERROR(EC, EC_R_POINT_IS_NOT_ON_CURVE);
goto err;
}
- /* in case the priv_key is present :
- * check if generator * priv_key == pub_key
- */
+ // in case the priv_key is present :
+ // check if generator * priv_key == pub_key
if (eckey->priv_key) {
- /* XXX: |BN_cmp| is not constant time. */
+ // XXX: |BN_cmp| is not constant time.
if (BN_cmp(eckey->priv_key, EC_GROUP_get0_order(eckey->group)) >= 0) {
OPENSSL_PUT_ERROR(EC, EC_R_WRONG_ORDER);
goto err;
@@ -345,7 +344,7 @@
int EC_KEY_check_fips(const EC_KEY *key) {
if (EC_KEY_is_opaque(key)) {
- /* Opaque keys can't be checked. */
+ // Opaque keys can't be checked.
OPENSSL_PUT_ERROR(EC, EC_R_PUBLIC_KEY_VALIDATION_FAILED);
return 0;
}
@@ -408,8 +407,8 @@
goto err;
}
- /* Check if retrieved coordinates match originals: if not values
- * are out of range. */
+ // Check if retrieved coordinates match originals: if not values
+ // are out of range.
if (BN_cmp(x, tx) || BN_cmp(y, ty)) {
OPENSSL_PUT_ERROR(EC, EC_R_COORDINATES_OUT_OF_RANGE);
goto err;
@@ -453,14 +452,14 @@
const BIGNUM *order = EC_GROUP_get0_order(eckey->group);
- /* Check that the size of the group order is FIPS compliant (FIPS 186-4
- * B.4.2). */
+ // Check that the size of the group order is FIPS compliant (FIPS 186-4
+ // B.4.2).
if (BN_num_bits(order) < 160) {
OPENSSL_PUT_ERROR(EC, EC_R_INVALID_GROUP_ORDER);
goto err;
}
- /* Generate the private key by testing candidates (FIPS 186-4 B.4.2). */
+ // Generate the private key by testing candidates (FIPS 186-4 B.4.2).
if (!BN_rand_range_ex(priv_key, 1, order)) {
goto err;
}
diff --git a/src/crypto/fipsmodule/ec/ec_montgomery.c b/src/crypto/fipsmodule/ec/ec_montgomery.c
index c2afe25..c5f240b 100644
--- a/src/crypto/fipsmodule/ec/ec_montgomery.c
+++ b/src/crypto/fipsmodule/ec/ec_montgomery.c
@@ -219,7 +219,7 @@
BN_CTX_start(ctx);
if (BN_cmp(&point->Z, &group->one) == 0) {
- /* |point| is already affine. */
+ // |point| is already affine.
if (x != NULL && !BN_from_montgomery(x, &point->X, group->mont, ctx)) {
goto err;
}
@@ -227,7 +227,7 @@
goto err;
}
} else {
- /* transform (X, Y, Z) into (x, y) := (X/Z^2, Y/Z^3) */
+ // transform (X, Y, Z) into (x, y) := (X/Z^2, Y/Z^3)
BIGNUM *Z_1 = BN_CTX_get(ctx);
BIGNUM *Z_2 = BN_CTX_get(ctx);
@@ -238,18 +238,18 @@
goto err;
}
- /* The straightforward way to calculate the inverse of a Montgomery-encoded
- * value where the result is Montgomery-encoded is:
- *
- * |BN_from_montgomery| + invert + |BN_to_montgomery|.
- *
- * This is equivalent, but more efficient, because |BN_from_montgomery|
- * is more efficient (at least in theory) than |BN_to_montgomery|, since it
- * doesn't have to do the multiplication before the reduction.
- *
- * Use Fermat's Little Theorem instead of |BN_mod_inverse_odd| since this
- * inversion may be done as the final step of private key operations.
- * Unfortunately, this is suboptimal for ECDSA verification. */
+ // The straightforward way to calculate the inverse of a Montgomery-encoded
+ // value where the result is Montgomery-encoded is:
+ //
+ // |BN_from_montgomery| + invert + |BN_to_montgomery|.
+ //
+ // This is equivalent, but more efficient, because |BN_from_montgomery|
+ // is more efficient (at least in theory) than |BN_to_montgomery|, since it
+ // doesn't have to do the multiplication before the reduction.
+ //
+ // Use Fermat's Little Theorem instead of |BN_mod_inverse_odd| since this
+ // inversion may be done as the final step of private key operations.
+ // Unfortunately, this is suboptimal for ECDSA verification.
if (!BN_from_montgomery(Z_1, &point->Z, group->mont, ctx) ||
!BN_from_montgomery(Z_1, Z_1, group->mont, ctx) ||
!bn_mod_inverse_prime(Z_1, Z_1, &group->field, ctx, group->mont)) {
@@ -260,10 +260,10 @@
goto err;
}
- /* Instead of using |BN_from_montgomery| to convert the |x| coordinate
- * and then calling |BN_from_montgomery| again to convert the |y|
- * coordinate below, convert the common factor |Z_2| once now, saving one
- * reduction. */
+ // Instead of using |BN_from_montgomery| to convert the |x| coordinate
+ // and then calling |BN_from_montgomery| again to convert the |y|
+ // coordinate below, convert the common factor |Z_2| once now, saving one
+ // reduction.
if (!BN_from_montgomery(Z_2, Z_2, group->mont, ctx)) {
goto err;
}
diff --git a/src/crypto/fipsmodule/ec/internal.h b/src/crypto/fipsmodule/ec/internal.h
index de91e2b..39c9349 100644
--- a/src/crypto/fipsmodule/ec/internal.h
+++ b/src/crypto/fipsmodule/ec/internal.h
@@ -88,25 +88,25 @@
int (*point_get_affine_coordinates)(const EC_GROUP *, const EC_POINT *,
BIGNUM *x, BIGNUM *y, BN_CTX *);
- /* Computes |r = g_scalar*generator + p_scalar*p| if |g_scalar| and |p_scalar|
- * are both non-null. Computes |r = g_scalar*generator| if |p_scalar| is null.
- * Computes |r = p_scalar*p| if g_scalar is null. At least one of |g_scalar|
- * and |p_scalar| must be non-null, and |p| must be non-null if |p_scalar| is
- * non-null. */
+ // Computes |r = g_scalar*generator + p_scalar*p| if |g_scalar| and |p_scalar|
+ // are both non-null. Computes |r = g_scalar*generator| if |p_scalar| is null.
+ // Computes |r = p_scalar*p| if g_scalar is null. At least one of |g_scalar|
+ // and |p_scalar| must be non-null, and |p| must be non-null if |p_scalar| is
+ // non-null.
int (*mul)(const EC_GROUP *group, EC_POINT *r, const BIGNUM *g_scalar,
const EC_POINT *p, const BIGNUM *p_scalar, BN_CTX *ctx);
- /* 'field_mul' and 'field_sqr' can be used by 'add' and 'dbl' so that the
- * same implementations of point operations can be used with different
- * optimized implementations of expensive field operations: */
+ // 'field_mul' and 'field_sqr' can be used by 'add' and 'dbl' so that the
+ // same implementations of point operations can be used with different
+ // optimized implementations of expensive field operations:
int (*field_mul)(const EC_GROUP *, BIGNUM *r, const BIGNUM *a,
const BIGNUM *b, BN_CTX *);
int (*field_sqr)(const EC_GROUP *, BIGNUM *r, const BIGNUM *a, BN_CTX *);
int (*field_encode)(const EC_GROUP *, BIGNUM *r, const BIGNUM *a,
- BN_CTX *); /* e.g. to Montgomery */
+ BN_CTX *); // e.g. to Montgomery
int (*field_decode)(const EC_GROUP *, BIGNUM *r, const BIGNUM *a,
- BN_CTX *); /* e.g. from Montgomery */
+ BN_CTX *); // e.g. from Montgomery
} /* EC_METHOD */;
const EC_METHOD *EC_GFp_mont_method(void);
@@ -117,22 +117,22 @@
EC_POINT *generator;
BIGNUM order;
- int curve_name; /* optional NID for named curve */
+ int curve_name; // optional NID for named curve
- const BN_MONT_CTX *mont_data; /* data for ECDSA inverse */
+ const BN_MONT_CTX *order_mont; // data for ECDSA inverse
- /* The following members are handled by the method functions,
- * even if they appear generic */
+ // The following members are handled by the method functions,
+ // even if they appear generic
- BIGNUM field; /* For curves over GF(p), this is the modulus. */
+ BIGNUM field; // For curves over GF(p), this is the modulus.
- BIGNUM a, b; /* Curve coefficients. */
+ BIGNUM a, b; // Curve coefficients.
- int a_is_minus3; /* enable optimized point arithmetics for special case */
+ int a_is_minus3; // enable optimized point arithmetics for special case
- BN_MONT_CTX *mont; /* Montgomery structure. */
+ BN_MONT_CTX *mont; // Montgomery structure.
- BIGNUM one; /* The value one. */
+ BIGNUM one; // The value one.
} /* EC_GROUP */;
struct ec_point_st {
@@ -140,22 +140,22 @@
BIGNUM X;
BIGNUM Y;
- BIGNUM Z; /* Jacobian projective coordinates:
- * (X, Y, Z) represents (X/Z^2, Y/Z^3) if Z != 0 */
+ BIGNUM Z; // Jacobian projective coordinates:
+ // (X, Y, Z) represents (X/Z^2, Y/Z^3) if Z != 0
} /* EC_POINT */;
EC_GROUP *ec_group_new(const EC_METHOD *meth);
int ec_group_copy(EC_GROUP *dest, const EC_GROUP *src);
-/* ec_group_get_mont_data returns a Montgomery context for operations in the
- * scalar field of |group|. It may return NULL in the case that |group| is not
- * a built-in group. */
-const BN_MONT_CTX *ec_group_get_mont_data(const EC_GROUP *group);
+// ec_group_get_order_mont returns a Montgomery context for operations modulo
+// |group|'s order. It may return NULL in the case that |group| is not a
+// built-in group.
+const BN_MONT_CTX *ec_group_get_order_mont(const EC_GROUP *group);
int ec_wNAF_mul(const EC_GROUP *group, EC_POINT *r, const BIGNUM *g_scalar,
const EC_POINT *p, const BIGNUM *p_scalar, BN_CTX *ctx);
-/* method functions in simple.c */
+// method functions in simple.c
int ec_GFp_simple_group_init(EC_GROUP *);
void ec_GFp_simple_group_finish(EC_GROUP *);
int ec_GFp_simple_group_copy(EC_GROUP *, const EC_GROUP *);
@@ -200,7 +200,7 @@
int ec_GFp_simple_field_sqr(const EC_GROUP *, BIGNUM *r, const BIGNUM *a,
BN_CTX *);
-/* method functions in montgomery.c */
+// method functions in montgomery.c
int ec_GFp_mont_group_init(EC_GROUP *);
int ec_GFp_mont_group_set_curve(EC_GROUP *, const BIGNUM *p, const BIGNUM *a,
const BIGNUM *b, BN_CTX *);
@@ -225,8 +225,8 @@
const EC_METHOD *EC_GFp_nistp224_method(void);
const EC_METHOD *EC_GFp_nistp256_method(void);
-/* EC_GFp_nistz256_method is a GFp method using montgomery multiplication, with
- * x86-64 optimized P256. See http://eprint.iacr.org/2013/816. */
+// EC_GFp_nistz256_method is a GFp method using montgomery multiplication, with
+// x86-64 optimized P256. See http://eprint.iacr.org/2013/816.
const EC_METHOD *EC_GFp_nistz256_method(void);
struct ec_key_st {
@@ -235,8 +235,8 @@
EC_POINT *pub_key;
BIGNUM *priv_key;
- /* fixed_k may contain a specific value of 'k', to be used in ECDSA signing.
- * This is only for the FIPS power-on tests. */
+ // fixed_k may contain a specific value of 'k', to be used in ECDSA signing.
+ // This is only for the FIPS power-on tests.
BIGNUM *fixed_k;
unsigned int enc_flag;
@@ -253,13 +253,13 @@
int nid;
const uint8_t *oid;
uint8_t oid_len;
- /* comment is a human-readable string describing the curve. */
+ // comment is a human-readable string describing the curve.
const char *comment;
- /* param_len is the number of bytes needed to store a field element. */
+ // param_len is the number of bytes needed to store a field element.
uint8_t param_len;
- /* params points to an array of 6*|param_len| bytes which hold the field
- * elements of the following (in big-endian order): prime, a, b, generator x,
- * generator y, order. */
+ // params points to an array of 6*|param_len| bytes which hold the field
+ // elements of the following (in big-endian order): prime, a, b, generator x,
+ // generator y, order.
const uint8_t *params;
const EC_METHOD *method;
};
@@ -270,13 +270,13 @@
struct built_in_curve curves[OPENSSL_NUM_BUILT_IN_CURVES];
};
-/* OPENSSL_built_in_curves returns a pointer to static information about
- * standard curves. The array is terminated with an entry where |nid| is
- * |NID_undef|. */
+// OPENSSL_built_in_curves returns a pointer to static information about
+// standard curves. The array is terminated with an entry where |nid| is
+// |NID_undef|.
const struct built_in_curves *OPENSSL_built_in_curves(void);
#if defined(__cplusplus)
-} /* extern C */
+} // extern C
#endif
-#endif /* OPENSSL_HEADER_EC_INTERNAL_H */
+#endif // OPENSSL_HEADER_EC_INTERNAL_H
diff --git a/src/crypto/fipsmodule/ec/oct.c b/src/crypto/fipsmodule/ec/oct.c
index 5071c2e..cf51e4b 100644
--- a/src/crypto/fipsmodule/ec/oct.c
+++ b/src/crypto/fipsmodule/ec/oct.c
@@ -94,12 +94,12 @@
goto err;
}
- /* ret := required output buffer length */
+ // ret := required output buffer length
field_len = BN_num_bytes(&group->field);
ret =
(form == POINT_CONVERSION_COMPRESSED) ? 1 + field_len : 1 + 2 * field_len;
- /* if 'buf' is NULL, just return required length */
+ // if 'buf' is NULL, just return required length
if (buf != NULL) {
if (len < ret) {
OPENSSL_PUT_ERROR(EC, EC_R_BUFFER_TOO_SMALL);
@@ -299,13 +299,13 @@
goto err;
}
- /* Recover y. We have a Weierstrass equation
- * y^2 = x^3 + a*x + b,
- * so y is one of the square roots of x^3 + a*x + b. */
+ // Recover y. We have a Weierstrass equation
+ // y^2 = x^3 + a*x + b,
+ // so y is one of the square roots of x^3 + a*x + b.
- /* tmp1 := x^3 */
+ // tmp1 := x^3
if (group->meth->field_decode == 0) {
- /* field_{sqr,mul} work on standard representation */
+ // field_{sqr,mul} work on standard representation
if (!group->meth->field_sqr(group, tmp2, x, ctx) ||
!group->meth->field_mul(group, tmp1, tmp2, x, ctx)) {
goto err;
@@ -317,7 +317,7 @@
}
}
- /* tmp1 := tmp1 + a*x */
+ // tmp1 := tmp1 + a*x
if (group->a_is_minus3) {
if (!BN_mod_lshift1_quick(tmp2, x, &group->field) ||
!BN_mod_add_quick(tmp2, tmp2, x, &group->field) ||
@@ -331,7 +331,7 @@
goto err;
}
} else {
- /* field_mul works on standard representation */
+ // field_mul works on standard representation
if (!group->meth->field_mul(group, tmp2, &group->a, x, ctx)) {
goto err;
}
@@ -342,7 +342,7 @@
}
}
- /* tmp1 := tmp1 + b */
+ // tmp1 := tmp1 + b
if (group->meth->field_decode) {
if (!group->meth->field_decode(group, tmp2, &group->b, ctx) ||
!BN_mod_add_quick(tmp1, tmp1, tmp2, &group->field)) {
diff --git a/src/crypto/fipsmodule/ec/p224-64.c b/src/crypto/fipsmodule/ec/p224-64.c
index 67dfcc8..ec5a93d 100644
--- a/src/crypto/fipsmodule/ec/p224-64.c
+++ b/src/crypto/fipsmodule/ec/p224-64.c
@@ -12,10 +12,10 @@
* OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN
* CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. */
-/* A 64-bit implementation of the NIST P-224 elliptic curve point multiplication
- *
- * Inspired by Daniel J. Bernstein's public domain nistp224 implementation
- * and Adam Langley's public domain 64-bit C implementation of curve25519. */
+// A 64-bit implementation of the NIST P-224 elliptic curve point multiplication
+//
+// Inspired by Daniel J. Bernstein's public domain nistp224 implementation
+// and Adam Langley's public domain 64-bit C implementation of curve25519.
#include <openssl/base.h>
@@ -34,18 +34,18 @@
#include "../../internal.h"
-/* Field elements are represented as a_0 + 2^56*a_1 + 2^112*a_2 + 2^168*a_3
- * using 64-bit coefficients called 'limbs', and sometimes (for multiplication
- * results) as b_0 + 2^56*b_1 + 2^112*b_2 + 2^168*b_3 + 2^224*b_4 + 2^280*b_5 +
- * 2^336*b_6 using 128-bit coefficients called 'widelimbs'. A 4-p224_limb
- * representation is an 'p224_felem'; a 7-p224_widelimb representation is a
- * 'p224_widefelem'. Even within felems, bits of adjacent limbs overlap, and we
- * don't always reduce the representations: we ensure that inputs to each
- * p224_felem multiplication satisfy a_i < 2^60, so outputs satisfy b_i <
- * 4*2^60*2^60, and fit into a 128-bit word without overflow. The coefficients
- * are then again partially reduced to obtain an p224_felem satisfying a_i <
- * 2^57. We only reduce to the unique minimal representation at the end of the
- * computation. */
+// Field elements are represented as a_0 + 2^56*a_1 + 2^112*a_2 + 2^168*a_3
+// using 64-bit coefficients called 'limbs', and sometimes (for multiplication
+// results) as b_0 + 2^56*b_1 + 2^112*b_2 + 2^168*b_3 + 2^224*b_4 + 2^280*b_5 +
+// 2^336*b_6 using 128-bit coefficients called 'widelimbs'. A 4-p224_limb
+// representation is an 'p224_felem'; a 7-p224_widelimb representation is a
+// 'p224_widefelem'. Even within felems, bits of adjacent limbs overlap, and we
+// don't always reduce the representations: we ensure that inputs to each
+// p224_felem multiplication satisfy a_i < 2^60, so outputs satisfy b_i <
+// 4*2^60*2^60, and fit into a 128-bit word without overflow. The coefficients
+// are then again partially reduced to obtain an p224_felem satisfying a_i <
+// 2^57. We only reduce to the unique minimal representation at the end of the
+// computation.
typedef uint64_t p224_limb;
typedef uint128_t p224_widelimb;
@@ -53,40 +53,40 @@
typedef p224_limb p224_felem[4];
typedef p224_widelimb p224_widefelem[7];
-/* Field element represented as a byte arrary. 28*8 = 224 bits is also the
- * group order size for the elliptic curve, and we also use this type for
- * scalars for point multiplication. */
+// Field element represented as a byte arrary. 28*8 = 224 bits is also the
+// group order size for the elliptic curve, and we also use this type for
+// scalars for point multiplication.
typedef uint8_t p224_felem_bytearray[28];
-/* Precomputed multiples of the standard generator
- * Points are given in coordinates (X, Y, Z) where Z normally is 1
- * (0 for the point at infinity).
- * For each field element, slice a_0 is word 0, etc.
- *
- * The table has 2 * 16 elements, starting with the following:
- * index | bits | point
- * ------+---------+------------------------------
- * 0 | 0 0 0 0 | 0G
- * 1 | 0 0 0 1 | 1G
- * 2 | 0 0 1 0 | 2^56G
- * 3 | 0 0 1 1 | (2^56 + 1)G
- * 4 | 0 1 0 0 | 2^112G
- * 5 | 0 1 0 1 | (2^112 + 1)G
- * 6 | 0 1 1 0 | (2^112 + 2^56)G
- * 7 | 0 1 1 1 | (2^112 + 2^56 + 1)G
- * 8 | 1 0 0 0 | 2^168G
- * 9 | 1 0 0 1 | (2^168 + 1)G
- * 10 | 1 0 1 0 | (2^168 + 2^56)G
- * 11 | 1 0 1 1 | (2^168 + 2^56 + 1)G
- * 12 | 1 1 0 0 | (2^168 + 2^112)G
- * 13 | 1 1 0 1 | (2^168 + 2^112 + 1)G
- * 14 | 1 1 1 0 | (2^168 + 2^112 + 2^56)G
- * 15 | 1 1 1 1 | (2^168 + 2^112 + 2^56 + 1)G
- * followed by a copy of this with each element multiplied by 2^28.
- *
- * The reason for this is so that we can clock bits into four different
- * locations when doing simple scalar multiplies against the base point,
- * and then another four locations using the second 16 elements. */
+// Precomputed multiples of the standard generator
+// Points are given in coordinates (X, Y, Z) where Z normally is 1
+// (0 for the point at infinity).
+// For each field element, slice a_0 is word 0, etc.
+//
+// The table has 2 * 16 elements, starting with the following:
+// index | bits | point
+// ------+---------+------------------------------
+// 0 | 0 0 0 0 | 0G
+// 1 | 0 0 0 1 | 1G
+// 2 | 0 0 1 0 | 2^56G
+// 3 | 0 0 1 1 | (2^56 + 1)G
+// 4 | 0 1 0 0 | 2^112G
+// 5 | 0 1 0 1 | (2^112 + 1)G
+// 6 | 0 1 1 0 | (2^112 + 2^56)G
+// 7 | 0 1 1 1 | (2^112 + 2^56 + 1)G
+// 8 | 1 0 0 0 | 2^168G
+// 9 | 1 0 0 1 | (2^168 + 1)G
+// 10 | 1 0 1 0 | (2^168 + 2^56)G
+// 11 | 1 0 1 1 | (2^168 + 2^56 + 1)G
+// 12 | 1 1 0 0 | (2^168 + 2^112)G
+// 13 | 1 1 0 1 | (2^168 + 2^112 + 1)G
+// 14 | 1 1 1 0 | (2^168 + 2^112 + 2^56)G
+// 15 | 1 1 1 1 | (2^168 + 2^112 + 2^56 + 1)G
+// followed by a copy of this with each element multiplied by 2^28.
+//
+// The reason for this is so that we can clock bits into four different
+// locations when doing simple scalar multiplies against the base point,
+// and then another four locations using the second 16 elements.
static const p224_felem g_p224_pre_comp[2][16][3] = {
{{{0, 0, 0, 0}, {0, 0, 0, 0}, {0, 0, 0, 0}},
{{0x3280d6115c1d21, 0xc1d356c2112234, 0x7f321390b94a03, 0xb70e0cbd6bb4bf},
@@ -187,7 +187,7 @@
return ret;
}
-/* Helper functions to convert field elements to/from internal representation */
+// Helper functions to convert field elements to/from internal representation
static void p224_bin28_to_felem(p224_felem out, const uint8_t in[28]) {
out[0] = p224_load_u64(in) & 0x00ffffffffffffff;
out[1] = p224_load_u64(in + 7) & 0x00ffffffffffffff;
@@ -204,16 +204,16 @@
}
}
-/* To preserve endianness when using BN_bn2bin and BN_bin2bn */
+// To preserve endianness when using BN_bn2bin and BN_bin2bn
static void p224_flip_endian(uint8_t *out, const uint8_t *in, size_t len) {
for (size_t i = 0; i < len; ++i) {
out[i] = in[len - 1 - i];
}
}
-/* From OpenSSL BIGNUM to internal representation */
+// From OpenSSL BIGNUM to internal representation
static int p224_BN_to_felem(p224_felem out, const BIGNUM *bn) {
- /* BN_bn2bin eats leading zeroes */
+ // BN_bn2bin eats leading zeroes
p224_felem_bytearray b_out;
OPENSSL_memset(b_out, 0, sizeof(b_out));
size_t num_bytes = BN_num_bytes(bn);
@@ -230,7 +230,7 @@
return 1;
}
-/* From internal representation to OpenSSL BIGNUM */
+// From internal representation to OpenSSL BIGNUM
static BIGNUM *p224_felem_to_BN(BIGNUM *out, const p224_felem in) {
p224_felem_bytearray b_in, b_out;
p224_felem_to_bin28(b_in, in);
@@ -238,10 +238,10 @@
return BN_bin2bn(b_out, sizeof(b_out), out);
}
-/* Field operations, using the internal representation of field elements.
- * NB! These operations are specific to our point multiplication and cannot be
- * expected to be correct in general - e.g., multiplication with a large scalar
- * will cause an overflow. */
+// Field operations, using the internal representation of field elements.
+// NB! These operations are specific to our point multiplication and cannot be
+// expected to be correct in general - e.g., multiplication with a large scalar
+// will cause an overflow.
static void p224_felem_assign(p224_felem out, const p224_felem in) {
out[0] = in[0];
@@ -250,7 +250,7 @@
out[3] = in[3];
}
-/* Sum two field elements: out += in */
+// Sum two field elements: out += in
static void p224_felem_sum(p224_felem out, const p224_felem in) {
out[0] += in[0];
out[1] += in[1];
@@ -258,8 +258,8 @@
out[3] += in[3];
}
-/* Get negative value: out = -in */
-/* Assumes in[i] < 2^57 */
+// Get negative value: out = -in
+// Assumes in[i] < 2^57
static void p224_felem_neg(p224_felem out, const p224_felem in) {
static const p224_limb two58p2 =
(((p224_limb)1) << 58) + (((p224_limb)1) << 2);
@@ -268,15 +268,15 @@
static const p224_limb two58m42m2 =
(((p224_limb)1) << 58) - (((p224_limb)1) << 42) - (((p224_limb)1) << 2);
- /* Set to 0 mod 2^224-2^96+1 to ensure out > in */
+ // Set to 0 mod 2^224-2^96+1 to ensure out > in
out[0] = two58p2 - in[0];
out[1] = two58m42m2 - in[1];
out[2] = two58m2 - in[2];
out[3] = two58m2 - in[3];
}
-/* Subtract field elements: out -= in */
-/* Assumes in[i] < 2^57 */
+// Subtract field elements: out -= in
+// Assumes in[i] < 2^57
static void p224_felem_diff(p224_felem out, const p224_felem in) {
static const p224_limb two58p2 =
(((p224_limb)1) << 58) + (((p224_limb)1) << 2);
@@ -285,7 +285,7 @@
static const p224_limb two58m42m2 =
(((p224_limb)1) << 58) - (((p224_limb)1) << 42) - (((p224_limb)1) << 2);
- /* Add 0 mod 2^224-2^96+1 to ensure out > in */
+ // Add 0 mod 2^224-2^96+1 to ensure out > in
out[0] += two58p2;
out[1] += two58m42m2;
out[2] += two58m2;
@@ -297,8 +297,8 @@
out[3] -= in[3];
}
-/* Subtract in unreduced 128-bit mode: out -= in */
-/* Assumes in[i] < 2^119 */
+// Subtract in unreduced 128-bit mode: out -= in
+// Assumes in[i] < 2^119
static void p224_widefelem_diff(p224_widefelem out, const p224_widefelem in) {
static const p224_widelimb two120 = ((p224_widelimb)1) << 120;
static const p224_widelimb two120m64 =
@@ -307,7 +307,7 @@
(((p224_widelimb)1) << 104) -
(((p224_widelimb)1) << 64);
- /* Add 0 mod 2^224-2^96+1 to ensure out > in */
+ // Add 0 mod 2^224-2^96+1 to ensure out > in
out[0] += two120;
out[1] += two120m64;
out[2] += two120m64;
@@ -325,8 +325,8 @@
out[6] -= in[6];
}
-/* Subtract in mixed mode: out128 -= in64 */
-/* in[i] < 2^63 */
+// Subtract in mixed mode: out128 -= in64
+// in[i] < 2^63
static void p224_felem_diff_128_64(p224_widefelem out, const p224_felem in) {
static const p224_widelimb two64p8 =
(((p224_widelimb)1) << 64) + (((p224_widelimb)1) << 8);
@@ -336,7 +336,7 @@
(((p224_widelimb)1) << 48) -
(((p224_widelimb)1) << 8);
- /* Add 0 mod 2^224-2^96+1 to ensure out > in */
+ // Add 0 mod 2^224-2^96+1 to ensure out > in
out[0] += two64p8;
out[1] += two64m48m8;
out[2] += two64m8;
@@ -348,8 +348,8 @@
out[3] -= in[3];
}
-/* Multiply a field element by a scalar: out = out * scalar
- * The scalars we actually use are small, so results fit without overflow */
+// Multiply a field element by a scalar: out = out * scalar
+// The scalars we actually use are small, so results fit without overflow
static void p224_felem_scalar(p224_felem out, const p224_limb scalar) {
out[0] *= scalar;
out[1] *= scalar;
@@ -357,8 +357,8 @@
out[3] *= scalar;
}
-/* Multiply an unreduced field element by a scalar: out = out * scalar
- * The scalars we actually use are small, so results fit without overflow */
+// Multiply an unreduced field element by a scalar: out = out * scalar
+// The scalars we actually use are small, so results fit without overflow
static void p224_widefelem_scalar(p224_widefelem out,
const p224_widelimb scalar) {
out[0] *= scalar;
@@ -370,7 +370,7 @@
out[6] *= scalar;
}
-/* Square a field element: out = in^2 */
+// Square a field element: out = in^2
static void p224_felem_square(p224_widefelem out, const p224_felem in) {
p224_limb tmp0, tmp1, tmp2;
tmp0 = 2 * in[0];
@@ -385,7 +385,7 @@
out[6] = ((p224_widelimb)in[3]) * in[3];
}
-/* Multiply two field elements: out = in1 * in2 */
+// Multiply two field elements: out = in1 * in2
static void p224_felem_mul(p224_widefelem out, const p224_felem in1,
const p224_felem in2) {
out[0] = ((p224_widelimb)in1[0]) * in2[0];
@@ -400,9 +400,9 @@
out[6] = ((p224_widelimb)in1[3]) * in2[3];
}
-/* Reduce seven 128-bit coefficients to four 64-bit coefficients.
- * Requires in[i] < 2^126,
- * ensures out[0] < 2^56, out[1] < 2^56, out[2] < 2^56, out[3] <= 2^56 + 2^16 */
+// Reduce seven 128-bit coefficients to four 64-bit coefficients.
+// Requires in[i] < 2^126,
+// ensures out[0] < 2^56, out[1] < 2^56, out[2] < 2^56, out[3] <= 2^56 + 2^16
static void p224_felem_reduce(p224_felem out, const p224_widefelem in) {
static const p224_widelimb two127p15 =
(((p224_widelimb)1) << 127) + (((p224_widelimb)1) << 15);
@@ -413,14 +413,14 @@
(((p224_widelimb)1) << 55);
p224_widelimb output[5];
- /* Add 0 mod 2^224-2^96+1 to ensure all differences are positive */
+ // Add 0 mod 2^224-2^96+1 to ensure all differences are positive
output[0] = in[0] + two127p15;
output[1] = in[1] + two127m71m55;
output[2] = in[2] + two127m71;
output[3] = in[3];
output[4] = in[4];
- /* Eliminate in[4], in[5], in[6] */
+ // Eliminate in[4], in[5], in[6]
output[4] += in[6] >> 16;
output[3] += (in[6] & 0xffff) << 40;
output[2] -= in[6];
@@ -433,90 +433,90 @@
output[1] += (output[4] & 0xffff) << 40;
output[0] -= output[4];
- /* Carry 2 -> 3 -> 4 */
+ // Carry 2 -> 3 -> 4
output[3] += output[2] >> 56;
output[2] &= 0x00ffffffffffffff;
output[4] = output[3] >> 56;
output[3] &= 0x00ffffffffffffff;
- /* Now output[2] < 2^56, output[3] < 2^56, output[4] < 2^72 */
+ // Now output[2] < 2^56, output[3] < 2^56, output[4] < 2^72
- /* Eliminate output[4] */
+ // Eliminate output[4]
output[2] += output[4] >> 16;
- /* output[2] < 2^56 + 2^56 = 2^57 */
+ // output[2] < 2^56 + 2^56 = 2^57
output[1] += (output[4] & 0xffff) << 40;
output[0] -= output[4];
- /* Carry 0 -> 1 -> 2 -> 3 */
+ // Carry 0 -> 1 -> 2 -> 3
output[1] += output[0] >> 56;
out[0] = output[0] & 0x00ffffffffffffff;
output[2] += output[1] >> 56;
- /* output[2] < 2^57 + 2^72 */
+ // output[2] < 2^57 + 2^72
out[1] = output[1] & 0x00ffffffffffffff;
output[3] += output[2] >> 56;
- /* output[3] <= 2^56 + 2^16 */
+ // output[3] <= 2^56 + 2^16
out[2] = output[2] & 0x00ffffffffffffff;
- /* out[0] < 2^56, out[1] < 2^56, out[2] < 2^56,
- * out[3] <= 2^56 + 2^16 (due to final carry),
- * so out < 2*p */
+ // out[0] < 2^56, out[1] < 2^56, out[2] < 2^56,
+ // out[3] <= 2^56 + 2^16 (due to final carry),
+ // so out < 2*p
out[3] = output[3];
}
-/* Reduce to unique minimal representation.
- * Requires 0 <= in < 2*p (always call p224_felem_reduce first) */
+// Reduce to unique minimal representation.
+// Requires 0 <= in < 2*p (always call p224_felem_reduce first)
static void p224_felem_contract(p224_felem out, const p224_felem in) {
static const int64_t two56 = ((p224_limb)1) << 56;
- /* 0 <= in < 2*p, p = 2^224 - 2^96 + 1 */
- /* if in > p , reduce in = in - 2^224 + 2^96 - 1 */
+ // 0 <= in < 2*p, p = 2^224 - 2^96 + 1
+ // if in > p , reduce in = in - 2^224 + 2^96 - 1
int64_t tmp[4], a;
tmp[0] = in[0];
tmp[1] = in[1];
tmp[2] = in[2];
tmp[3] = in[3];
- /* Case 1: a = 1 iff in >= 2^224 */
+ // Case 1: a = 1 iff in >= 2^224
a = (in[3] >> 56);
tmp[0] -= a;
tmp[1] += a << 40;
tmp[3] &= 0x00ffffffffffffff;
- /* Case 2: a = 0 iff p <= in < 2^224, i.e., the high 128 bits are all 1 and
- * the lower part is non-zero */
+ // Case 2: a = 0 iff p <= in < 2^224, i.e., the high 128 bits are all 1 and
+ // the lower part is non-zero
a = ((in[3] & in[2] & (in[1] | 0x000000ffffffffff)) + 1) |
(((int64_t)(in[0] + (in[1] & 0x000000ffffffffff)) - 1) >> 63);
a &= 0x00ffffffffffffff;
- /* turn a into an all-one mask (if a = 0) or an all-zero mask */
+ // turn a into an all-one mask (if a = 0) or an all-zero mask
a = (a - 1) >> 63;
- /* subtract 2^224 - 2^96 + 1 if a is all-one */
+ // subtract 2^224 - 2^96 + 1 if a is all-one
tmp[3] &= a ^ 0xffffffffffffffff;
tmp[2] &= a ^ 0xffffffffffffffff;
tmp[1] &= (a ^ 0xffffffffffffffff) | 0x000000ffffffffff;
tmp[0] -= 1 & a;
- /* eliminate negative coefficients: if tmp[0] is negative, tmp[1] must
- * be non-zero, so we only need one step */
+ // eliminate negative coefficients: if tmp[0] is negative, tmp[1] must
+ // be non-zero, so we only need one step
a = tmp[0] >> 63;
tmp[0] += two56 & a;
tmp[1] -= 1 & a;
- /* carry 1 -> 2 -> 3 */
+ // carry 1 -> 2 -> 3
tmp[2] += tmp[1] >> 56;
tmp[1] &= 0x00ffffffffffffff;
tmp[3] += tmp[2] >> 56;
tmp[2] &= 0x00ffffffffffffff;
- /* Now 0 <= out < p */
+ // Now 0 <= out < p
out[0] = tmp[0];
out[1] = tmp[1];
out[2] = tmp[2];
out[3] = tmp[3];
}
-/* Zero-check: returns 1 if input is 0, and 0 otherwise. We know that field
- * elements are reduced to in < 2^225, so we only need to check three cases: 0,
- * 2^224 - 2^96 + 1, and 2^225 - 2^97 + 2 */
+// Zero-check: returns 1 if input is 0, and 0 otherwise. We know that field
+// elements are reduced to in < 2^225, so we only need to check three cases: 0,
+// 2^224 - 2^96 + 1, and 2^225 - 2^97 + 2
static p224_limb p224_felem_is_zero(const p224_felem in) {
p224_limb zero = in[0] | in[1] | in[2] | in[3];
zero = (((int64_t)(zero)-1) >> 63) & 1;
@@ -532,92 +532,92 @@
return (zero | two224m96p1 | two225m97p2);
}
-/* Invert a field element */
-/* Computation chain copied from djb's code */
+// Invert a field element
+// Computation chain copied from djb's code
static void p224_felem_inv(p224_felem out, const p224_felem in) {
p224_felem ftmp, ftmp2, ftmp3, ftmp4;
p224_widefelem tmp;
p224_felem_square(tmp, in);
- p224_felem_reduce(ftmp, tmp); /* 2 */
+ p224_felem_reduce(ftmp, tmp); // 2
p224_felem_mul(tmp, in, ftmp);
- p224_felem_reduce(ftmp, tmp); /* 2^2 - 1 */
+ p224_felem_reduce(ftmp, tmp); // 2^2 - 1
p224_felem_square(tmp, ftmp);
- p224_felem_reduce(ftmp, tmp); /* 2^3 - 2 */
+ p224_felem_reduce(ftmp, tmp); // 2^3 - 2
p224_felem_mul(tmp, in, ftmp);
- p224_felem_reduce(ftmp, tmp); /* 2^3 - 1 */
+ p224_felem_reduce(ftmp, tmp); // 2^3 - 1
p224_felem_square(tmp, ftmp);
- p224_felem_reduce(ftmp2, tmp); /* 2^4 - 2 */
+ p224_felem_reduce(ftmp2, tmp); // 2^4 - 2
p224_felem_square(tmp, ftmp2);
- p224_felem_reduce(ftmp2, tmp); /* 2^5 - 4 */
+ p224_felem_reduce(ftmp2, tmp); // 2^5 - 4
p224_felem_square(tmp, ftmp2);
- p224_felem_reduce(ftmp2, tmp); /* 2^6 - 8 */
+ p224_felem_reduce(ftmp2, tmp); // 2^6 - 8
p224_felem_mul(tmp, ftmp2, ftmp);
- p224_felem_reduce(ftmp, tmp); /* 2^6 - 1 */
+ p224_felem_reduce(ftmp, tmp); // 2^6 - 1
p224_felem_square(tmp, ftmp);
- p224_felem_reduce(ftmp2, tmp); /* 2^7 - 2 */
- for (size_t i = 0; i < 5; ++i) { /* 2^12 - 2^6 */
+ p224_felem_reduce(ftmp2, tmp); // 2^7 - 2
+ for (size_t i = 0; i < 5; ++i) { // 2^12 - 2^6
p224_felem_square(tmp, ftmp2);
p224_felem_reduce(ftmp2, tmp);
}
p224_felem_mul(tmp, ftmp2, ftmp);
- p224_felem_reduce(ftmp2, tmp); /* 2^12 - 1 */
+ p224_felem_reduce(ftmp2, tmp); // 2^12 - 1
p224_felem_square(tmp, ftmp2);
- p224_felem_reduce(ftmp3, tmp); /* 2^13 - 2 */
- for (size_t i = 0; i < 11; ++i) {/* 2^24 - 2^12 */
+ p224_felem_reduce(ftmp3, tmp); // 2^13 - 2
+ for (size_t i = 0; i < 11; ++i) { // 2^24 - 2^12
p224_felem_square(tmp, ftmp3);
p224_felem_reduce(ftmp3, tmp);
}
p224_felem_mul(tmp, ftmp3, ftmp2);
- p224_felem_reduce(ftmp2, tmp); /* 2^24 - 1 */
+ p224_felem_reduce(ftmp2, tmp); // 2^24 - 1
p224_felem_square(tmp, ftmp2);
- p224_felem_reduce(ftmp3, tmp); /* 2^25 - 2 */
- for (size_t i = 0; i < 23; ++i) {/* 2^48 - 2^24 */
+ p224_felem_reduce(ftmp3, tmp); // 2^25 - 2
+ for (size_t i = 0; i < 23; ++i) { // 2^48 - 2^24
p224_felem_square(tmp, ftmp3);
p224_felem_reduce(ftmp3, tmp);
}
p224_felem_mul(tmp, ftmp3, ftmp2);
- p224_felem_reduce(ftmp3, tmp); /* 2^48 - 1 */
+ p224_felem_reduce(ftmp3, tmp); // 2^48 - 1
p224_felem_square(tmp, ftmp3);
- p224_felem_reduce(ftmp4, tmp); /* 2^49 - 2 */
- for (size_t i = 0; i < 47; ++i) {/* 2^96 - 2^48 */
+ p224_felem_reduce(ftmp4, tmp); // 2^49 - 2
+ for (size_t i = 0; i < 47; ++i) { // 2^96 - 2^48
p224_felem_square(tmp, ftmp4);
p224_felem_reduce(ftmp4, tmp);
}
p224_felem_mul(tmp, ftmp3, ftmp4);
- p224_felem_reduce(ftmp3, tmp); /* 2^96 - 1 */
+ p224_felem_reduce(ftmp3, tmp); // 2^96 - 1
p224_felem_square(tmp, ftmp3);
- p224_felem_reduce(ftmp4, tmp); /* 2^97 - 2 */
- for (size_t i = 0; i < 23; ++i) {/* 2^120 - 2^24 */
+ p224_felem_reduce(ftmp4, tmp); // 2^97 - 2
+ for (size_t i = 0; i < 23; ++i) { // 2^120 - 2^24
p224_felem_square(tmp, ftmp4);
p224_felem_reduce(ftmp4, tmp);
}
p224_felem_mul(tmp, ftmp2, ftmp4);
- p224_felem_reduce(ftmp2, tmp); /* 2^120 - 1 */
- for (size_t i = 0; i < 6; ++i) { /* 2^126 - 2^6 */
+ p224_felem_reduce(ftmp2, tmp); // 2^120 - 1
+ for (size_t i = 0; i < 6; ++i) { // 2^126 - 2^6
p224_felem_square(tmp, ftmp2);
p224_felem_reduce(ftmp2, tmp);
}
p224_felem_mul(tmp, ftmp2, ftmp);
- p224_felem_reduce(ftmp, tmp); /* 2^126 - 1 */
+ p224_felem_reduce(ftmp, tmp); // 2^126 - 1
p224_felem_square(tmp, ftmp);
- p224_felem_reduce(ftmp, tmp); /* 2^127 - 2 */
+ p224_felem_reduce(ftmp, tmp); // 2^127 - 2
p224_felem_mul(tmp, ftmp, in);
- p224_felem_reduce(ftmp, tmp); /* 2^127 - 1 */
- for (size_t i = 0; i < 97; ++i) {/* 2^224 - 2^97 */
+ p224_felem_reduce(ftmp, tmp); // 2^127 - 1
+ for (size_t i = 0; i < 97; ++i) { // 2^224 - 2^97
p224_felem_square(tmp, ftmp);
p224_felem_reduce(ftmp, tmp);
}
p224_felem_mul(tmp, ftmp, ftmp3);
- p224_felem_reduce(out, tmp); /* 2^224 - 2^96 - 1 */
+ p224_felem_reduce(out, tmp); // 2^224 - 2^96 - 1
}
-/* Copy in constant time:
- * if icopy == 1, copy in to out,
- * if icopy == 0, copy out to itself. */
+// Copy in constant time:
+// if icopy == 1, copy in to out,
+// if icopy == 0, copy out to itself.
static void p224_copy_conditional(p224_felem out, const p224_felem in,
p224_limb icopy) {
- /* icopy is a (64-bit) 0 or 1, so copy is either all-zero or all-one */
+ // icopy is a (64-bit) 0 or 1, so copy is either all-zero or all-one
const p224_limb copy = -icopy;
for (size_t i = 0; i < 4; ++i) {
const p224_limb tmp = copy & (in[i] ^ out[i]);
@@ -625,19 +625,19 @@
}
}
-/* ELLIPTIC CURVE POINT OPERATIONS
- *
- * Points are represented in Jacobian projective coordinates:
- * (X, Y, Z) corresponds to the affine point (X/Z^2, Y/Z^3),
- * or to the point at infinity if Z == 0. */
+// ELLIPTIC CURVE POINT OPERATIONS
+//
+// Points are represented in Jacobian projective coordinates:
+// (X, Y, Z) corresponds to the affine point (X/Z^2, Y/Z^3),
+// or to the point at infinity if Z == 0.
-/* Double an elliptic curve point:
- * (X', Y', Z') = 2 * (X, Y, Z), where
- * X' = (3 * (X - Z^2) * (X + Z^2))^2 - 8 * X * Y^2
- * Y' = 3 * (X - Z^2) * (X + Z^2) * (4 * X * Y^2 - X') - 8 * Y^2
- * Z' = (Y + Z)^2 - Y^2 - Z^2 = 2 * Y * Z
- * Outputs can equal corresponding inputs, i.e., x_out == x_in is allowed,
- * while x_out == y_in is not (maybe this works, but it's not tested). */
+// Double an elliptic curve point:
+// (X', Y', Z') = 2 * (X, Y, Z), where
+// X' = (3 * (X - Z^2) * (X + Z^2))^2 - 8 * X * Y^2
+// Y' = 3 * (X - Z^2) * (X + Z^2) * (4 * X * Y^2 - X') - 8 * Y^2
+// Z' = (Y + Z)^2 - Y^2 - Z^2 = 2 * Y * Z
+// Outputs can equal corresponding inputs, i.e., x_out == x_in is allowed,
+// while x_out == y_in is not (maybe this works, but it's not tested).
static void p224_point_double(p224_felem x_out, p224_felem y_out,
p224_felem z_out, const p224_felem x_in,
const p224_felem y_in, const p224_felem z_in) {
@@ -647,82 +647,82 @@
p224_felem_assign(ftmp, x_in);
p224_felem_assign(ftmp2, x_in);
- /* delta = z^2 */
+ // delta = z^2
p224_felem_square(tmp, z_in);
p224_felem_reduce(delta, tmp);
- /* gamma = y^2 */
+ // gamma = y^2
p224_felem_square(tmp, y_in);
p224_felem_reduce(gamma, tmp);
- /* beta = x*gamma */
+ // beta = x*gamma
p224_felem_mul(tmp, x_in, gamma);
p224_felem_reduce(beta, tmp);
- /* alpha = 3*(x-delta)*(x+delta) */
+ // alpha = 3*(x-delta)*(x+delta)
p224_felem_diff(ftmp, delta);
- /* ftmp[i] < 2^57 + 2^58 + 2 < 2^59 */
+ // ftmp[i] < 2^57 + 2^58 + 2 < 2^59
p224_felem_sum(ftmp2, delta);
- /* ftmp2[i] < 2^57 + 2^57 = 2^58 */
+ // ftmp2[i] < 2^57 + 2^57 = 2^58
p224_felem_scalar(ftmp2, 3);
- /* ftmp2[i] < 3 * 2^58 < 2^60 */
+ // ftmp2[i] < 3 * 2^58 < 2^60
p224_felem_mul(tmp, ftmp, ftmp2);
- /* tmp[i] < 2^60 * 2^59 * 4 = 2^121 */
+ // tmp[i] < 2^60 * 2^59 * 4 = 2^121
p224_felem_reduce(alpha, tmp);
- /* x' = alpha^2 - 8*beta */
+ // x' = alpha^2 - 8*beta
p224_felem_square(tmp, alpha);
- /* tmp[i] < 4 * 2^57 * 2^57 = 2^116 */
+ // tmp[i] < 4 * 2^57 * 2^57 = 2^116
p224_felem_assign(ftmp, beta);
p224_felem_scalar(ftmp, 8);
- /* ftmp[i] < 8 * 2^57 = 2^60 */
+ // ftmp[i] < 8 * 2^57 = 2^60
p224_felem_diff_128_64(tmp, ftmp);
- /* tmp[i] < 2^116 + 2^64 + 8 < 2^117 */
+ // tmp[i] < 2^116 + 2^64 + 8 < 2^117
p224_felem_reduce(x_out, tmp);
- /* z' = (y + z)^2 - gamma - delta */
+ // z' = (y + z)^2 - gamma - delta
p224_felem_sum(delta, gamma);
- /* delta[i] < 2^57 + 2^57 = 2^58 */
+ // delta[i] < 2^57 + 2^57 = 2^58
p224_felem_assign(ftmp, y_in);
p224_felem_sum(ftmp, z_in);
- /* ftmp[i] < 2^57 + 2^57 = 2^58 */
+ // ftmp[i] < 2^57 + 2^57 = 2^58
p224_felem_square(tmp, ftmp);
- /* tmp[i] < 4 * 2^58 * 2^58 = 2^118 */
+ // tmp[i] < 4 * 2^58 * 2^58 = 2^118
p224_felem_diff_128_64(tmp, delta);
- /* tmp[i] < 2^118 + 2^64 + 8 < 2^119 */
+ // tmp[i] < 2^118 + 2^64 + 8 < 2^119
p224_felem_reduce(z_out, tmp);
- /* y' = alpha*(4*beta - x') - 8*gamma^2 */
+ // y' = alpha*(4*beta - x') - 8*gamma^2
p224_felem_scalar(beta, 4);
- /* beta[i] < 4 * 2^57 = 2^59 */
+ // beta[i] < 4 * 2^57 = 2^59
p224_felem_diff(beta, x_out);
- /* beta[i] < 2^59 + 2^58 + 2 < 2^60 */
+ // beta[i] < 2^59 + 2^58 + 2 < 2^60
p224_felem_mul(tmp, alpha, beta);
- /* tmp[i] < 4 * 2^57 * 2^60 = 2^119 */
+ // tmp[i] < 4 * 2^57 * 2^60 = 2^119
p224_felem_square(tmp2, gamma);
- /* tmp2[i] < 4 * 2^57 * 2^57 = 2^116 */
+ // tmp2[i] < 4 * 2^57 * 2^57 = 2^116
p224_widefelem_scalar(tmp2, 8);
- /* tmp2[i] < 8 * 2^116 = 2^119 */
+ // tmp2[i] < 8 * 2^116 = 2^119
p224_widefelem_diff(tmp, tmp2);
- /* tmp[i] < 2^119 + 2^120 < 2^121 */
+ // tmp[i] < 2^119 + 2^120 < 2^121
p224_felem_reduce(y_out, tmp);
}
-/* Add two elliptic curve points:
- * (X_1, Y_1, Z_1) + (X_2, Y_2, Z_2) = (X_3, Y_3, Z_3), where
- * X_3 = (Z_1^3 * Y_2 - Z_2^3 * Y_1)^2 - (Z_1^2 * X_2 - Z_2^2 * X_1)^3 -
- * 2 * Z_2^2 * X_1 * (Z_1^2 * X_2 - Z_2^2 * X_1)^2
- * Y_3 = (Z_1^3 * Y_2 - Z_2^3 * Y_1) * (Z_2^2 * X_1 * (Z_1^2 * X_2 - Z_2^2 *
- * X_1)^2 - X_3) -
- * Z_2^3 * Y_1 * (Z_1^2 * X_2 - Z_2^2 * X_1)^3
- * Z_3 = (Z_1^2 * X_2 - Z_2^2 * X_1) * (Z_1 * Z_2)
- *
- * This runs faster if 'mixed' is set, which requires Z_2 = 1 or Z_2 = 0. */
+// Add two elliptic curve points:
+// (X_1, Y_1, Z_1) + (X_2, Y_2, Z_2) = (X_3, Y_3, Z_3), where
+// X_3 = (Z_1^3 * Y_2 - Z_2^3 * Y_1)^2 - (Z_1^2 * X_2 - Z_2^2 * X_1)^3 -
+// 2 * Z_2^2 * X_1 * (Z_1^2 * X_2 - Z_2^2 * X_1)^2
+// Y_3 = (Z_1^3 * Y_2 - Z_2^3 * Y_1) * (Z_2^2 * X_1 * (Z_1^2 * X_2 - Z_2^2 *
+// X_1)^2 - X_3) -
+// Z_2^3 * Y_1 * (Z_1^2 * X_2 - Z_2^2 * X_1)^3
+// Z_3 = (Z_1^2 * X_2 - Z_2^2 * X_1) * (Z_1 * Z_2)
+//
+// This runs faster if 'mixed' is set, which requires Z_2 = 1 or Z_2 = 0.
-/* This function is not entirely constant-time: it includes a branch for
- * checking whether the two input points are equal, (while not equal to the
- * point at infinity). This case never happens during single point
- * multiplication, so there is no timing leak for ECDH or ECDSA signing. */
+// This function is not entirely constant-time: it includes a branch for
+// checking whether the two input points are equal, (while not equal to the
+// point at infinity). This case never happens during single point
+// multiplication, so there is no timing leak for ECDH or ECDSA signing.
static void p224_point_add(p224_felem x3, p224_felem y3, p224_felem z3,
const p224_felem x1, const p224_felem y1,
const p224_felem z1, const int mixed,
@@ -733,136 +733,136 @@
p224_limb z1_is_zero, z2_is_zero, x_equal, y_equal;
if (!mixed) {
- /* ftmp2 = z2^2 */
+ // ftmp2 = z2^2
p224_felem_square(tmp, z2);
p224_felem_reduce(ftmp2, tmp);
- /* ftmp4 = z2^3 */
+ // ftmp4 = z2^3
p224_felem_mul(tmp, ftmp2, z2);
p224_felem_reduce(ftmp4, tmp);
- /* ftmp4 = z2^3*y1 */
+ // ftmp4 = z2^3*y1
p224_felem_mul(tmp2, ftmp4, y1);
p224_felem_reduce(ftmp4, tmp2);
- /* ftmp2 = z2^2*x1 */
+ // ftmp2 = z2^2*x1
p224_felem_mul(tmp2, ftmp2, x1);
p224_felem_reduce(ftmp2, tmp2);
} else {
- /* We'll assume z2 = 1 (special case z2 = 0 is handled later) */
+ // We'll assume z2 = 1 (special case z2 = 0 is handled later)
- /* ftmp4 = z2^3*y1 */
+ // ftmp4 = z2^3*y1
p224_felem_assign(ftmp4, y1);
- /* ftmp2 = z2^2*x1 */
+ // ftmp2 = z2^2*x1
p224_felem_assign(ftmp2, x1);
}
- /* ftmp = z1^2 */
+ // ftmp = z1^2
p224_felem_square(tmp, z1);
p224_felem_reduce(ftmp, tmp);
- /* ftmp3 = z1^3 */
+ // ftmp3 = z1^3
p224_felem_mul(tmp, ftmp, z1);
p224_felem_reduce(ftmp3, tmp);
- /* tmp = z1^3*y2 */
+ // tmp = z1^3*y2
p224_felem_mul(tmp, ftmp3, y2);
- /* tmp[i] < 4 * 2^57 * 2^57 = 2^116 */
+ // tmp[i] < 4 * 2^57 * 2^57 = 2^116
- /* ftmp3 = z1^3*y2 - z2^3*y1 */
+ // ftmp3 = z1^3*y2 - z2^3*y1
p224_felem_diff_128_64(tmp, ftmp4);
- /* tmp[i] < 2^116 + 2^64 + 8 < 2^117 */
+ // tmp[i] < 2^116 + 2^64 + 8 < 2^117
p224_felem_reduce(ftmp3, tmp);
- /* tmp = z1^2*x2 */
+ // tmp = z1^2*x2
p224_felem_mul(tmp, ftmp, x2);
- /* tmp[i] < 4 * 2^57 * 2^57 = 2^116 */
+ // tmp[i] < 4 * 2^57 * 2^57 = 2^116
- /* ftmp = z1^2*x2 - z2^2*x1 */
+ // ftmp = z1^2*x2 - z2^2*x1
p224_felem_diff_128_64(tmp, ftmp2);
- /* tmp[i] < 2^116 + 2^64 + 8 < 2^117 */
+ // tmp[i] < 2^116 + 2^64 + 8 < 2^117
p224_felem_reduce(ftmp, tmp);
- /* the formulae are incorrect if the points are equal
- * so we check for this and do doubling if this happens */
+ // the formulae are incorrect if the points are equal
+ // so we check for this and do doubling if this happens
x_equal = p224_felem_is_zero(ftmp);
y_equal = p224_felem_is_zero(ftmp3);
z1_is_zero = p224_felem_is_zero(z1);
z2_is_zero = p224_felem_is_zero(z2);
- /* In affine coordinates, (X_1, Y_1) == (X_2, Y_2) */
+ // In affine coordinates, (X_1, Y_1) == (X_2, Y_2)
if (x_equal && y_equal && !z1_is_zero && !z2_is_zero) {
p224_point_double(x3, y3, z3, x1, y1, z1);
return;
}
- /* ftmp5 = z1*z2 */
+ // ftmp5 = z1*z2
if (!mixed) {
p224_felem_mul(tmp, z1, z2);
p224_felem_reduce(ftmp5, tmp);
} else {
- /* special case z2 = 0 is handled later */
+ // special case z2 = 0 is handled later
p224_felem_assign(ftmp5, z1);
}
- /* z_out = (z1^2*x2 - z2^2*x1)*(z1*z2) */
+ // z_out = (z1^2*x2 - z2^2*x1)*(z1*z2)
p224_felem_mul(tmp, ftmp, ftmp5);
p224_felem_reduce(z_out, tmp);
- /* ftmp = (z1^2*x2 - z2^2*x1)^2 */
+ // ftmp = (z1^2*x2 - z2^2*x1)^2
p224_felem_assign(ftmp5, ftmp);
p224_felem_square(tmp, ftmp);
p224_felem_reduce(ftmp, tmp);
- /* ftmp5 = (z1^2*x2 - z2^2*x1)^3 */
+ // ftmp5 = (z1^2*x2 - z2^2*x1)^3
p224_felem_mul(tmp, ftmp, ftmp5);
p224_felem_reduce(ftmp5, tmp);
- /* ftmp2 = z2^2*x1*(z1^2*x2 - z2^2*x1)^2 */
+ // ftmp2 = z2^2*x1*(z1^2*x2 - z2^2*x1)^2
p224_felem_mul(tmp, ftmp2, ftmp);
p224_felem_reduce(ftmp2, tmp);
- /* tmp = z2^3*y1*(z1^2*x2 - z2^2*x1)^3 */
+ // tmp = z2^3*y1*(z1^2*x2 - z2^2*x1)^3
p224_felem_mul(tmp, ftmp4, ftmp5);
- /* tmp[i] < 4 * 2^57 * 2^57 = 2^116 */
+ // tmp[i] < 4 * 2^57 * 2^57 = 2^116
- /* tmp2 = (z1^3*y2 - z2^3*y1)^2 */
+ // tmp2 = (z1^3*y2 - z2^3*y1)^2
p224_felem_square(tmp2, ftmp3);
- /* tmp2[i] < 4 * 2^57 * 2^57 < 2^116 */
+ // tmp2[i] < 4 * 2^57 * 2^57 < 2^116
- /* tmp2 = (z1^3*y2 - z2^3*y1)^2 - (z1^2*x2 - z2^2*x1)^3 */
+ // tmp2 = (z1^3*y2 - z2^3*y1)^2 - (z1^2*x2 - z2^2*x1)^3
p224_felem_diff_128_64(tmp2, ftmp5);
- /* tmp2[i] < 2^116 + 2^64 + 8 < 2^117 */
+ // tmp2[i] < 2^116 + 2^64 + 8 < 2^117
- /* ftmp5 = 2*z2^2*x1*(z1^2*x2 - z2^2*x1)^2 */
+ // ftmp5 = 2*z2^2*x1*(z1^2*x2 - z2^2*x1)^2
p224_felem_assign(ftmp5, ftmp2);
p224_felem_scalar(ftmp5, 2);
- /* ftmp5[i] < 2 * 2^57 = 2^58 */
+ // ftmp5[i] < 2 * 2^57 = 2^58
/* x_out = (z1^3*y2 - z2^3*y1)^2 - (z1^2*x2 - z2^2*x1)^3 -
2*z2^2*x1*(z1^2*x2 - z2^2*x1)^2 */
p224_felem_diff_128_64(tmp2, ftmp5);
- /* tmp2[i] < 2^117 + 2^64 + 8 < 2^118 */
+ // tmp2[i] < 2^117 + 2^64 + 8 < 2^118
p224_felem_reduce(x_out, tmp2);
- /* ftmp2 = z2^2*x1*(z1^2*x2 - z2^2*x1)^2 - x_out */
+ // ftmp2 = z2^2*x1*(z1^2*x2 - z2^2*x1)^2 - x_out
p224_felem_diff(ftmp2, x_out);
- /* ftmp2[i] < 2^57 + 2^58 + 2 < 2^59 */
+ // ftmp2[i] < 2^57 + 2^58 + 2 < 2^59
- /* tmp2 = (z1^3*y2 - z2^3*y1)*(z2^2*x1*(z1^2*x2 - z2^2*x1)^2 - x_out) */
+ // tmp2 = (z1^3*y2 - z2^3*y1)*(z2^2*x1*(z1^2*x2 - z2^2*x1)^2 - x_out)
p224_felem_mul(tmp2, ftmp3, ftmp2);
- /* tmp2[i] < 4 * 2^57 * 2^59 = 2^118 */
+ // tmp2[i] < 4 * 2^57 * 2^59 = 2^118
/* y_out = (z1^3*y2 - z2^3*y1)*(z2^2*x1*(z1^2*x2 - z2^2*x1)^2 - x_out) -
z2^3*y1*(z1^2*x2 - z2^2*x1)^3 */
p224_widefelem_diff(tmp2, tmp);
- /* tmp2[i] < 2^118 + 2^120 < 2^121 */
+ // tmp2[i] < 2^118 + 2^120 < 2^121
p224_felem_reduce(y_out, tmp2);
- /* the result (x_out, y_out, z_out) is incorrect if one of the inputs is
- * the point at infinity, so we need to check for this separately */
+ // the result (x_out, y_out, z_out) is incorrect if one of the inputs is
+ // the point at infinity, so we need to check for this separately
- /* if point 1 is at infinity, copy point 2 to output, and vice versa */
+ // if point 1 is at infinity, copy point 2 to output, and vice versa
p224_copy_conditional(x_out, x2, z1_is_zero);
p224_copy_conditional(x_out, x1, z2_is_zero);
p224_copy_conditional(y_out, y2, z1_is_zero);
@@ -874,8 +874,8 @@
p224_felem_assign(z3, z_out);
}
-/* p224_select_point selects the |idx|th point from a precomputation table and
- * copies it to out. */
+// p224_select_point selects the |idx|th point from a precomputation table and
+// copies it to out.
static void p224_select_point(const uint64_t idx, size_t size,
const p224_felem pre_comp[/*size*/][3],
p224_felem out[3]) {
@@ -896,7 +896,7 @@
}
}
-/* p224_get_bit returns the |i|th bit in |in| */
+// p224_get_bit returns the |i|th bit in |in|
static char p224_get_bit(const p224_felem_bytearray in, size_t i) {
if (i >= 224) {
return 0;
@@ -904,11 +904,11 @@
return (in[i >> 3] >> (i & 7)) & 1;
}
-/* Interleaved point multiplication using precomputed point multiples:
- * The small point multiples 0*P, 1*P, ..., 16*P are in p_pre_comp, the scalars
- * in p_scalar, if non-NULL. If g_scalar is non-NULL, we also add this multiple
- * of the generator, using certain (large) precomputed multiples in
- * g_p224_pre_comp. Output point (X, Y, Z) is stored in x_out, y_out, z_out */
+// Interleaved point multiplication using precomputed point multiples:
+// The small point multiples 0*P, 1*P, ..., 16*P are in p_pre_comp, the scalars
+// in p_scalar, if non-NULL. If g_scalar is non-NULL, we also add this multiple
+// of the generator, using certain (large) precomputed multiples in
+// g_p224_pre_comp. Output point (X, Y, Z) is stored in x_out, y_out, z_out
static void p224_batch_mul(p224_felem x_out, p224_felem y_out, p224_felem z_out,
const uint8_t *p_scalar, const uint8_t *g_scalar,
const p224_felem p_pre_comp[17][3]) {
@@ -916,28 +916,28 @@
uint64_t bits;
uint8_t sign, digit;
- /* set nq to the point at infinity */
+ // set nq to the point at infinity
OPENSSL_memset(nq, 0, 3 * sizeof(p224_felem));
- /* Loop over both scalars msb-to-lsb, interleaving additions of multiples of
- * the generator (two in each of the last 28 rounds) and additions of p (every
- * 5th round). */
- int skip = 1; /* save two point operations in the first round */
+ // Loop over both scalars msb-to-lsb, interleaving additions of multiples of
+ // the generator (two in each of the last 28 rounds) and additions of p (every
+ // 5th round).
+ int skip = 1; // save two point operations in the first round
size_t i = p_scalar != NULL ? 220 : 27;
for (;;) {
- /* double */
+ // double
if (!skip) {
p224_point_double(nq[0], nq[1], nq[2], nq[0], nq[1], nq[2]);
}
- /* add multiples of the generator */
+ // add multiples of the generator
if (g_scalar != NULL && i <= 27) {
- /* first, look 28 bits upwards */
+ // first, look 28 bits upwards
bits = p224_get_bit(g_scalar, i + 196) << 3;
bits |= p224_get_bit(g_scalar, i + 140) << 2;
bits |= p224_get_bit(g_scalar, i + 84) << 1;
bits |= p224_get_bit(g_scalar, i + 28);
- /* select the point to add, in constant time */
+ // select the point to add, in constant time
p224_select_point(bits, 16, g_p224_pre_comp[1], tmp);
if (!skip) {
@@ -948,18 +948,18 @@
skip = 0;
}
- /* second, look at the current position */
+ // second, look at the current position
bits = p224_get_bit(g_scalar, i + 168) << 3;
bits |= p224_get_bit(g_scalar, i + 112) << 2;
bits |= p224_get_bit(g_scalar, i + 56) << 1;
bits |= p224_get_bit(g_scalar, i);
- /* select the point to add, in constant time */
+ // select the point to add, in constant time
p224_select_point(bits, 16, g_p224_pre_comp[0], tmp);
p224_point_add(nq[0], nq[1], nq[2], nq[0], nq[1], nq[2], 1 /* mixed */,
tmp[0], tmp[1], tmp[2]);
}
- /* do other additions every 5 doublings */
+ // do other additions every 5 doublings
if (p_scalar != NULL && i % 5 == 0) {
bits = p224_get_bit(p_scalar, i + 4) << 5;
bits |= p224_get_bit(p_scalar, i + 3) << 4;
@@ -969,9 +969,9 @@
bits |= p224_get_bit(p_scalar, i - 1);
ec_GFp_nistp_recode_scalar_bits(&sign, &digit, bits);
- /* select the point to add or subtract */
+ // select the point to add or subtract
p224_select_point(digit, 17, p_pre_comp, tmp);
- p224_felem_neg(tmp[3], tmp[1]); /* (X, -Y, Z) is the negative point */
+ p224_felem_neg(tmp[3], tmp[1]); // (X, -Y, Z) is the negative point
p224_copy_conditional(tmp[1], tmp[3], sign);
if (!skip) {
@@ -993,8 +993,8 @@
p224_felem_assign(z_out, nq[2]);
}
-/* Takes the Jacobian coordinates (X, Y, Z) of a point and returns
- * (X', Y') = (X/Z^2, Y/Z^3) */
+// Takes the Jacobian coordinates (X, Y, Z) of a point and returns
+// (X', Y') = (X/Z^2, Y/Z^3)
static int ec_GFp_nistp224_point_get_affine_coordinates(const EC_GROUP *group,
const EC_POINT *point,
BIGNUM *x, BIGNUM *y,
@@ -1065,15 +1065,15 @@
}
if (p != NULL && p_scalar != NULL) {
- /* We treat NULL scalars as 0, and NULL points as points at infinity, i.e.,
- * they contribute nothing to the linear combination. */
+ // We treat NULL scalars as 0, and NULL points as points at infinity, i.e.,
+ // they contribute nothing to the linear combination.
OPENSSL_memset(&p_secret, 0, sizeof(p_secret));
OPENSSL_memset(&p_pre_comp, 0, sizeof(p_pre_comp));
size_t num_bytes;
- /* reduce g_scalar to 0 <= g_scalar < 2^224 */
+ // reduce g_scalar to 0 <= g_scalar < 2^224
if (BN_num_bits(p_scalar) > 224 || BN_is_negative(p_scalar)) {
- /* this is an unusual input, and we don't guarantee
- * constant-timeness */
+ // this is an unusual input, and we don't guarantee
+ // constant-timeness
if (!BN_nnmod(tmp_scalar, p_scalar, &group->order, ctx)) {
OPENSSL_PUT_ERROR(EC, ERR_R_BN_LIB);
goto err;
@@ -1084,7 +1084,7 @@
}
p224_flip_endian(p_secret, tmp, num_bytes);
- /* precompute multiples */
+ // precompute multiples
if (!p224_BN_to_felem(x_out, &p->X) ||
!p224_BN_to_felem(y_out, &p->Y) ||
!p224_BN_to_felem(z_out, &p->Z)) {
@@ -1112,9 +1112,9 @@
if (g_scalar != NULL) {
OPENSSL_memset(g_secret, 0, sizeof(g_secret));
size_t num_bytes;
- /* reduce g_scalar to 0 <= g_scalar < 2^224 */
+ // reduce g_scalar to 0 <= g_scalar < 2^224
if (BN_num_bits(g_scalar) > 224 || BN_is_negative(g_scalar)) {
- /* this is an unusual input, and we don't guarantee constant-timeness */
+ // this is an unusual input, and we don't guarantee constant-timeness
if (!BN_nnmod(tmp_scalar, g_scalar, &group->order, ctx)) {
OPENSSL_PUT_ERROR(EC, ERR_R_BN_LIB);
goto err;
@@ -1130,7 +1130,7 @@
x_out, y_out, z_out, (p != NULL && p_scalar != NULL) ? p_secret : NULL,
g_scalar != NULL ? g_secret : NULL, (const p224_felem(*)[3])p_pre_comp);
- /* reduce the output to its unique minimal representation */
+ // reduce the output to its unique minimal representation
p224_felem_contract(x_in, x_out);
p224_felem_contract(y_in, y_out);
p224_felem_contract(z_in, z_out);
@@ -1162,4 +1162,4 @@
out->field_decode = NULL;
};
-#endif /* 64_BIT && !WINDOWS && !SMALL */
+#endif // 64_BIT && !WINDOWS && !SMALL
diff --git a/src/crypto/fipsmodule/ec/p256-64.c b/src/crypto/fipsmodule/ec/p256-64.c
index 8952aa2..f7d1ff1 100644
--- a/src/crypto/fipsmodule/ec/p256-64.c
+++ b/src/crypto/fipsmodule/ec/p256-64.c
@@ -12,12 +12,12 @@
* OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN
* CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. */
-/* A 64-bit implementation of the NIST P-256 elliptic curve point
- * multiplication
- *
- * OpenSSL integration was taken from Emilia Kasper's work in ecp_nistp224.c.
- * Otherwise based on Emilia's P224 work, which was inspired by my curve25519
- * work which got its smarts from Daniel J. Bernstein's work on the same. */
+// A 64-bit implementation of the NIST P-256 elliptic curve point
+// multiplication
+//
+// OpenSSL integration was taken from Emilia Kasper's work in ecp_nistp224.c.
+// Otherwise based on Emilia's P224 work, which was inspired by my curve25519
+// work which got its smarts from Daniel J. Bernstein's work on the same.
#include <openssl/base.h>
@@ -35,29 +35,29 @@
#include "internal.h"
-/* The underlying field. P256 operates over GF(2^256-2^224+2^192+2^96-1). We
- * can serialise an element of this field into 32 bytes. We call this an
- * felem_bytearray. */
+// The underlying field. P256 operates over GF(2^256-2^224+2^192+2^96-1). We
+// can serialise an element of this field into 32 bytes. We call this an
+// felem_bytearray.
typedef uint8_t felem_bytearray[32];
-/* The representation of field elements.
- * ------------------------------------
- *
- * We represent field elements with either four 128-bit values, eight 128-bit
- * values, or four 64-bit values. The field element represented is:
- * v[0]*2^0 + v[1]*2^64 + v[2]*2^128 + v[3]*2^192 (mod p)
- * or:
- * v[0]*2^0 + v[1]*2^64 + v[2]*2^128 + ... + v[8]*2^512 (mod p)
- *
- * 128-bit values are called 'limbs'. Since the limbs are spaced only 64 bits
- * apart, but are 128-bits wide, the most significant bits of each limb overlap
- * with the least significant bits of the next.
- *
- * A field element with four limbs is an 'felem'. One with eight limbs is a
- * 'longfelem'
- *
- * A field element with four, 64-bit values is called a 'smallfelem'. Small
- * values are used as intermediate values before multiplication. */
+// The representation of field elements.
+// ------------------------------------
+//
+// We represent field elements with either four 128-bit values, eight 128-bit
+// values, or four 64-bit values. The field element represented is:
+// v[0]*2^0 + v[1]*2^64 + v[2]*2^128 + v[3]*2^192 (mod p)
+// or:
+// v[0]*2^0 + v[1]*2^64 + v[2]*2^128 + ... + v[8]*2^512 (mod p)
+//
+// 128-bit values are called 'limbs'. Since the limbs are spaced only 64 bits
+// apart, but are 128-bits wide, the most significant bits of each limb overlap
+// with the least significant bits of the next.
+//
+// A field element with four limbs is an 'felem'. One with eight limbs is a
+// 'longfelem'
+//
+// A field element with four, 64-bit values is called a 'smallfelem'. Small
+// values are used as intermediate values before multiplication.
#define NLIMBS 4
@@ -66,7 +66,7 @@
typedef limb longfelem[NLIMBS * 2];
typedef uint64_t smallfelem[NLIMBS];
-/* This is the value of the prime as four 64-bit words, little-endian. */
+// This is the value of the prime as four 64-bit words, little-endian.
static const uint64_t kPrime[4] = {0xfffffffffffffffful, 0xffffffff, 0,
0xffffffff00000001ul};
static const uint64_t bottom63bits = 0x7ffffffffffffffful;
@@ -81,8 +81,8 @@
OPENSSL_memcpy(out, &in, sizeof(in));
}
-/* bin32_to_felem takes a little-endian byte array and converts it into felem
- * form. This assumes that the CPU is little-endian. */
+// bin32_to_felem takes a little-endian byte array and converts it into felem
+// form. This assumes that the CPU is little-endian.
static void bin32_to_felem(felem out, const uint8_t in[32]) {
out[0] = load_u64(&in[0]);
out[1] = load_u64(&in[8]);
@@ -90,8 +90,8 @@
out[3] = load_u64(&in[24]);
}
-/* smallfelem_to_bin32 takes a smallfelem and serialises into a little endian,
- * 32 byte array. This assumes that the CPU is little-endian. */
+// smallfelem_to_bin32 takes a smallfelem and serialises into a little endian,
+// 32 byte array. This assumes that the CPU is little-endian.
static void smallfelem_to_bin32(uint8_t out[32], const smallfelem in) {
store_u64(&out[0], in[0]);
store_u64(&out[8], in[1]);
@@ -99,14 +99,14 @@
store_u64(&out[24], in[3]);
}
-/* To preserve endianness when using BN_bn2bin and BN_bin2bn. */
+// To preserve endianness when using BN_bn2bin and BN_bin2bn.
static void flip_endian(uint8_t *out, const uint8_t *in, size_t len) {
for (size_t i = 0; i < len; ++i) {
out[i] = in[len - 1 - i];
}
}
-/* BN_to_felem converts an OpenSSL BIGNUM into an felem. */
+// BN_to_felem converts an OpenSSL BIGNUM into an felem.
static int BN_to_felem(felem out, const BIGNUM *bn) {
if (BN_is_negative(bn)) {
OPENSSL_PUT_ERROR(EC, EC_R_BIGNUM_OUT_OF_RANGE);
@@ -114,7 +114,7 @@
}
felem_bytearray b_out;
- /* BN_bn2bin eats leading zeroes */
+ // BN_bn2bin eats leading zeroes
OPENSSL_memset(b_out, 0, sizeof(b_out));
size_t num_bytes = BN_num_bytes(bn);
if (num_bytes > sizeof(b_out)) {
@@ -129,7 +129,7 @@
return 1;
}
-/* felem_to_BN converts an felem into an OpenSSL BIGNUM. */
+// felem_to_BN converts an felem into an OpenSSL BIGNUM.
static BIGNUM *smallfelem_to_BN(BIGNUM *out, const smallfelem in) {
felem_bytearray b_in, b_out;
smallfelem_to_bin32(b_in, in);
@@ -137,7 +137,7 @@
return BN_bin2bn(b_out, sizeof(b_out), out);
}
-/* Field operations. */
+// Field operations.
static void felem_assign(felem out, const felem in) {
out[0] = in[0];
@@ -146,7 +146,7 @@
out[3] = in[3];
}
-/* felem_sum sets out = out + in. */
+// felem_sum sets out = out + in.
static void felem_sum(felem out, const felem in) {
out[0] += in[0];
out[1] += in[1];
@@ -154,7 +154,7 @@
out[3] += in[3];
}
-/* felem_small_sum sets out = out + in. */
+// felem_small_sum sets out = out + in.
static void felem_small_sum(felem out, const smallfelem in) {
out[0] += in[0];
out[1] += in[1];
@@ -162,7 +162,7 @@
out[3] += in[3];
}
-/* felem_scalar sets out = out * scalar */
+// felem_scalar sets out = out * scalar
static void felem_scalar(felem out, const uint64_t scalar) {
out[0] *= scalar;
out[1] *= scalar;
@@ -170,7 +170,7 @@
out[3] *= scalar;
}
-/* longfelem_scalar sets out = out * scalar */
+// longfelem_scalar sets out = out * scalar
static void longfelem_scalar(longfelem out, const uint64_t scalar) {
out[0] *= scalar;
out[1] *= scalar;
@@ -186,27 +186,27 @@
#define two105 (((limb)1) << 105)
#define two105m41p9 ((((limb)1) << 105) - (((limb)1) << 41) + (((limb)1) << 9))
-/* zero105 is 0 mod p */
+// zero105 is 0 mod p
static const felem zero105 = {two105m41m9, two105, two105m41p9, two105m41p9};
-/* smallfelem_neg sets |out| to |-small|
- * On exit:
- * out[i] < out[i] + 2^105 */
+// smallfelem_neg sets |out| to |-small|
+// On exit:
+// out[i] < out[i] + 2^105
static void smallfelem_neg(felem out, const smallfelem small) {
- /* In order to prevent underflow, we subtract from 0 mod p. */
+ // In order to prevent underflow, we subtract from 0 mod p.
out[0] = zero105[0] - small[0];
out[1] = zero105[1] - small[1];
out[2] = zero105[2] - small[2];
out[3] = zero105[3] - small[3];
}
-/* felem_diff subtracts |in| from |out|
- * On entry:
- * in[i] < 2^104
- * On exit:
- * out[i] < out[i] + 2^105. */
+// felem_diff subtracts |in| from |out|
+// On entry:
+// in[i] < 2^104
+// On exit:
+// out[i] < out[i] + 2^105.
static void felem_diff(felem out, const felem in) {
- /* In order to prevent underflow, we add 0 mod p before subtracting. */
+ // In order to prevent underflow, we add 0 mod p before subtracting.
out[0] += zero105[0];
out[1] += zero105[1];
out[2] += zero105[2];
@@ -224,17 +224,17 @@
#define two107m43p11 \
((((limb)1) << 107) - (((limb)1) << 43) + (((limb)1) << 11))
-/* zero107 is 0 mod p */
+// zero107 is 0 mod p
static const felem zero107 = {two107m43m11, two107, two107m43p11, two107m43p11};
-/* An alternative felem_diff for larger inputs |in|
- * felem_diff_zero107 subtracts |in| from |out|
- * On entry:
- * in[i] < 2^106
- * On exit:
- * out[i] < out[i] + 2^107. */
+// An alternative felem_diff for larger inputs |in|
+// felem_diff_zero107 subtracts |in| from |out|
+// On entry:
+// in[i] < 2^106
+// On exit:
+// out[i] < out[i] + 2^107.
static void felem_diff_zero107(felem out, const felem in) {
- /* In order to prevent underflow, we add 0 mod p before subtracting. */
+ // In order to prevent underflow, we add 0 mod p before subtracting.
out[0] += zero107[0];
out[1] += zero107[1];
out[2] += zero107[2];
@@ -246,11 +246,11 @@
out[3] -= in[3];
}
-/* longfelem_diff subtracts |in| from |out|
- * On entry:
- * in[i] < 7*2^67
- * On exit:
- * out[i] < out[i] + 2^70 + 2^40. */
+// longfelem_diff subtracts |in| from |out|
+// On entry:
+// in[i] < 7*2^67
+// On exit:
+// out[i] < out[i] + 2^70 + 2^40.
static void longfelem_diff(longfelem out, const longfelem in) {
static const limb two70m8p6 =
(((limb)1) << 70) - (((limb)1) << 8) + (((limb)1) << 6);
@@ -260,7 +260,7 @@
(((limb)1) << 38) + (((limb)1) << 6);
static const limb two70m6 = (((limb)1) << 70) - (((limb)1) << 6);
- /* add 0 mod p to avoid underflow */
+ // add 0 mod p to avoid underflow
out[0] += two70m8p6;
out[1] += two70p40;
out[2] += two70;
@@ -270,7 +270,7 @@
out[6] += two70m6;
out[7] += two70m6;
- /* in[i] < 7*2^67 < 2^70 - 2^40 - 2^38 + 2^6 */
+ // in[i] < 7*2^67 < 2^70 - 2^40 - 2^38 + 2^6
out[0] -= in[0];
out[1] -= in[1];
out[2] -= in[2];
@@ -286,80 +286,80 @@
#define two64m46 ((((limb)1) << 64) - (((limb)1) << 46))
#define two64m32 ((((limb)1) << 64) - (((limb)1) << 32))
-/* zero110 is 0 mod p. */
+// zero110 is 0 mod p.
static const felem zero110 = {two64m0, two110p32m0, two64m46, two64m32};
-/* felem_shrink converts an felem into a smallfelem. The result isn't quite
- * minimal as the value may be greater than p.
- *
- * On entry:
- * in[i] < 2^109
- * On exit:
- * out[i] < 2^64. */
+// felem_shrink converts an felem into a smallfelem. The result isn't quite
+// minimal as the value may be greater than p.
+//
+// On entry:
+// in[i] < 2^109
+// On exit:
+// out[i] < 2^64.
static void felem_shrink(smallfelem out, const felem in) {
felem tmp;
uint64_t a, b, mask;
int64_t high, low;
static const uint64_t kPrime3Test =
- 0x7fffffff00000001ul; /* 2^63 - 2^32 + 1 */
+ 0x7fffffff00000001ul; // 2^63 - 2^32 + 1
- /* Carry 2->3 */
+ // Carry 2->3
tmp[3] = zero110[3] + in[3] + ((uint64_t)(in[2] >> 64));
- /* tmp[3] < 2^110 */
+ // tmp[3] < 2^110
tmp[2] = zero110[2] + (uint64_t)in[2];
tmp[0] = zero110[0] + in[0];
tmp[1] = zero110[1] + in[1];
- /* tmp[0] < 2**110, tmp[1] < 2^111, tmp[2] < 2**65 */
+ // tmp[0] < 2**110, tmp[1] < 2^111, tmp[2] < 2**65
- /* We perform two partial reductions where we eliminate the high-word of
- * tmp[3]. We don't update the other words till the end. */
- a = tmp[3] >> 64; /* a < 2^46 */
+ // We perform two partial reductions where we eliminate the high-word of
+ // tmp[3]. We don't update the other words till the end.
+ a = tmp[3] >> 64; // a < 2^46
tmp[3] = (uint64_t)tmp[3];
tmp[3] -= a;
tmp[3] += ((limb)a) << 32;
- /* tmp[3] < 2^79 */
+ // tmp[3] < 2^79
b = a;
- a = tmp[3] >> 64; /* a < 2^15 */
- b += a; /* b < 2^46 + 2^15 < 2^47 */
+ a = tmp[3] >> 64; // a < 2^15
+ b += a; // b < 2^46 + 2^15 < 2^47
tmp[3] = (uint64_t)tmp[3];
tmp[3] -= a;
tmp[3] += ((limb)a) << 32;
- /* tmp[3] < 2^64 + 2^47 */
+ // tmp[3] < 2^64 + 2^47
- /* This adjusts the other two words to complete the two partial
- * reductions. */
+ // This adjusts the other two words to complete the two partial
+ // reductions.
tmp[0] += b;
tmp[1] -= (((limb)b) << 32);
- /* In order to make space in tmp[3] for the carry from 2 -> 3, we
- * conditionally subtract kPrime if tmp[3] is large enough. */
+ // In order to make space in tmp[3] for the carry from 2 -> 3, we
+ // conditionally subtract kPrime if tmp[3] is large enough.
high = tmp[3] >> 64;
- /* As tmp[3] < 2^65, high is either 1 or 0 */
+ // As tmp[3] < 2^65, high is either 1 or 0
high = ~(high - 1);
- /* high is:
- * all ones if the high word of tmp[3] is 1
- * all zeros if the high word of tmp[3] if 0 */
+ // high is:
+ // all ones if the high word of tmp[3] is 1
+ // all zeros if the high word of tmp[3] if 0
low = tmp[3];
mask = low >> 63;
- /* mask is:
- * all ones if the MSB of low is 1
- * all zeros if the MSB of low if 0 */
+ // mask is:
+ // all ones if the MSB of low is 1
+ // all zeros if the MSB of low if 0
low &= bottom63bits;
low -= kPrime3Test;
- /* if low was greater than kPrime3Test then the MSB is zero */
+ // if low was greater than kPrime3Test then the MSB is zero
low = ~low;
low >>= 63;
- /* low is:
- * all ones if low was > kPrime3Test
- * all zeros if low was <= kPrime3Test */
+ // low is:
+ // all ones if low was > kPrime3Test
+ // all zeros if low was <= kPrime3Test
mask = (mask & low) | high;
tmp[0] -= mask & kPrime[0];
tmp[1] -= mask & kPrime[1];
- /* kPrime[2] is zero, so omitted */
+ // kPrime[2] is zero, so omitted
tmp[3] -= mask & kPrime[3];
- /* tmp[3] < 2**64 - 2**32 + 1 */
+ // tmp[3] < 2**64 - 2**32 + 1
tmp[1] += ((uint64_t)(tmp[0] >> 64));
tmp[0] = (uint64_t)tmp[0];
@@ -367,7 +367,7 @@
tmp[1] = (uint64_t)tmp[1];
tmp[3] += ((uint64_t)(tmp[2] >> 64));
tmp[2] = (uint64_t)tmp[2];
- /* tmp[i] < 2^64 */
+ // tmp[i] < 2^64
out[0] = tmp[0];
out[1] = tmp[1];
@@ -375,7 +375,7 @@
out[3] = tmp[3];
}
-/* smallfelem_expand converts a smallfelem to an felem */
+// smallfelem_expand converts a smallfelem to an felem
static void smallfelem_expand(felem out, const smallfelem in) {
out[0] = in[0];
out[1] = in[1];
@@ -383,11 +383,11 @@
out[3] = in[3];
}
-/* smallfelem_square sets |out| = |small|^2
- * On entry:
- * small[i] < 2^64
- * On exit:
- * out[i] < 7 * 2^64 < 2^67 */
+// smallfelem_square sets |out| = |small|^2
+// On entry:
+// small[i] < 2^64
+// On exit:
+// out[i] < 7 * 2^64 < 2^67
static void smallfelem_square(longfelem out, const smallfelem small) {
limb a;
uint64_t high, low;
@@ -459,23 +459,23 @@
out[7] = high;
}
-/*felem_square sets |out| = |in|^2
- * On entry:
- * in[i] < 2^109
- * On exit:
- * out[i] < 7 * 2^64 < 2^67. */
+//felem_square sets |out| = |in|^2
+// On entry:
+// in[i] < 2^109
+// On exit:
+// out[i] < 7 * 2^64 < 2^67.
static void felem_square(longfelem out, const felem in) {
uint64_t small[4];
felem_shrink(small, in);
smallfelem_square(out, small);
}
-/* smallfelem_mul sets |out| = |small1| * |small2|
- * On entry:
- * small1[i] < 2^64
- * small2[i] < 2^64
- * On exit:
- * out[i] < 7 * 2^64 < 2^67. */
+// smallfelem_mul sets |out| = |small1| * |small2|
+// On entry:
+// small1[i] < 2^64
+// small2[i] < 2^64
+// On exit:
+// out[i] < 7 * 2^64 < 2^67.
static void smallfelem_mul(longfelem out, const smallfelem small1,
const smallfelem small2) {
limb a;
@@ -578,12 +578,12 @@
out[7] = high;
}
-/* felem_mul sets |out| = |in1| * |in2|
- * On entry:
- * in1[i] < 2^109
- * in2[i] < 2^109
- * On exit:
- * out[i] < 7 * 2^64 < 2^67 */
+// felem_mul sets |out| = |in1| * |in2|
+// On entry:
+// in1[i] < 2^109
+// in2[i] < 2^109
+// On exit:
+// out[i] < 7 * 2^64 < 2^67
static void felem_mul(longfelem out, const felem in1, const felem in2) {
smallfelem small1, small2;
felem_shrink(small1, in1);
@@ -591,12 +591,12 @@
smallfelem_mul(out, small1, small2);
}
-/* felem_small_mul sets |out| = |small1| * |in2|
- * On entry:
- * small1[i] < 2^64
- * in2[i] < 2^109
- * On exit:
- * out[i] < 7 * 2^64 < 2^67 */
+// felem_small_mul sets |out| = |small1| * |in2|
+// On entry:
+// small1[i] < 2^64
+// in2[i] < 2^109
+// On exit:
+// out[i] < 7 * 2^64 < 2^67
static void felem_small_mul(longfelem out, const smallfelem small1,
const felem in2) {
smallfelem small2;
@@ -608,24 +608,24 @@
#define two100 (((limb)1) << 100)
#define two100m36p4 ((((limb)1) << 100) - (((limb)1) << 36) + (((limb)1) << 4))
-/* zero100 is 0 mod p */
+// zero100 is 0 mod p
static const felem zero100 = {two100m36m4, two100, two100m36p4, two100m36p4};
-/* Internal function for the different flavours of felem_reduce.
- * felem_reduce_ reduces the higher coefficients in[4]-in[7].
- * On entry:
- * out[0] >= in[6] + 2^32*in[6] + in[7] + 2^32*in[7]
- * out[1] >= in[7] + 2^32*in[4]
- * out[2] >= in[5] + 2^32*in[5]
- * out[3] >= in[4] + 2^32*in[5] + 2^32*in[6]
- * On exit:
- * out[0] <= out[0] + in[4] + 2^32*in[5]
- * out[1] <= out[1] + in[5] + 2^33*in[6]
- * out[2] <= out[2] + in[7] + 2*in[6] + 2^33*in[7]
- * out[3] <= out[3] + 2^32*in[4] + 3*in[7] */
+// Internal function for the different flavours of felem_reduce.
+// felem_reduce_ reduces the higher coefficients in[4]-in[7].
+// On entry:
+// out[0] >= in[6] + 2^32*in[6] + in[7] + 2^32*in[7]
+// out[1] >= in[7] + 2^32*in[4]
+// out[2] >= in[5] + 2^32*in[5]
+// out[3] >= in[4] + 2^32*in[5] + 2^32*in[6]
+// On exit:
+// out[0] <= out[0] + in[4] + 2^32*in[5]
+// out[1] <= out[1] + in[5] + 2^33*in[6]
+// out[2] <= out[2] + in[7] + 2*in[6] + 2^33*in[7]
+// out[3] <= out[3] + 2^32*in[4] + 3*in[7]
static void felem_reduce_(felem out, const longfelem in) {
int128_t c;
- /* combine common terms from below */
+ // combine common terms from below
c = in[4] + (in[5] << 32);
out[0] += c;
out[3] -= c;
@@ -634,35 +634,35 @@
out[1] += c;
out[2] -= c;
- /* the remaining terms */
- /* 256: [(0,1),(96,-1),(192,-1),(224,1)] */
+ // the remaining terms
+ // 256: [(0,1),(96,-1),(192,-1),(224,1)]
out[1] -= (in[4] << 32);
out[3] += (in[4] << 32);
- /* 320: [(32,1),(64,1),(128,-1),(160,-1),(224,-1)] */
+ // 320: [(32,1),(64,1),(128,-1),(160,-1),(224,-1)]
out[2] -= (in[5] << 32);
- /* 384: [(0,-1),(32,-1),(96,2),(128,2),(224,-1)] */
+ // 384: [(0,-1),(32,-1),(96,2),(128,2),(224,-1)]
out[0] -= in[6];
out[0] -= (in[6] << 32);
out[1] += (in[6] << 33);
out[2] += (in[6] * 2);
out[3] -= (in[6] << 32);
- /* 448: [(0,-1),(32,-1),(64,-1),(128,1),(160,2),(192,3)] */
+ // 448: [(0,-1),(32,-1),(64,-1),(128,1),(160,2),(192,3)]
out[0] -= in[7];
out[0] -= (in[7] << 32);
out[2] += (in[7] << 33);
out[3] += (in[7] * 3);
}
-/* felem_reduce converts a longfelem into an felem.
- * To be called directly after felem_square or felem_mul.
- * On entry:
- * in[0] < 2^64, in[1] < 3*2^64, in[2] < 5*2^64, in[3] < 7*2^64
- * in[4] < 7*2^64, in[5] < 5*2^64, in[6] < 3*2^64, in[7] < 2*64
- * On exit:
- * out[i] < 2^101 */
+// felem_reduce converts a longfelem into an felem.
+// To be called directly after felem_square or felem_mul.
+// On entry:
+// in[0] < 2^64, in[1] < 3*2^64, in[2] < 5*2^64, in[3] < 7*2^64
+// in[4] < 7*2^64, in[5] < 5*2^64, in[6] < 3*2^64, in[7] < 2*64
+// On exit:
+// out[i] < 2^101
static void felem_reduce(felem out, const longfelem in) {
out[0] = zero100[0] + in[0];
out[1] = zero100[1] + in[1];
@@ -671,22 +671,22 @@
felem_reduce_(out, in);
- /* out[0] > 2^100 - 2^36 - 2^4 - 3*2^64 - 3*2^96 - 2^64 - 2^96 > 0
- * out[1] > 2^100 - 2^64 - 7*2^96 > 0
- * out[2] > 2^100 - 2^36 + 2^4 - 5*2^64 - 5*2^96 > 0
- * out[3] > 2^100 - 2^36 + 2^4 - 7*2^64 - 5*2^96 - 3*2^96 > 0
- *
- * out[0] < 2^100 + 2^64 + 7*2^64 + 5*2^96 < 2^101
- * out[1] < 2^100 + 3*2^64 + 5*2^64 + 3*2^97 < 2^101
- * out[2] < 2^100 + 5*2^64 + 2^64 + 3*2^65 + 2^97 < 2^101
- * out[3] < 2^100 + 7*2^64 + 7*2^96 + 3*2^64 < 2^101 */
+ // out[0] > 2^100 - 2^36 - 2^4 - 3*2^64 - 3*2^96 - 2^64 - 2^96 > 0
+ // out[1] > 2^100 - 2^64 - 7*2^96 > 0
+ // out[2] > 2^100 - 2^36 + 2^4 - 5*2^64 - 5*2^96 > 0
+ // out[3] > 2^100 - 2^36 + 2^4 - 7*2^64 - 5*2^96 - 3*2^96 > 0
+ //
+ // out[0] < 2^100 + 2^64 + 7*2^64 + 5*2^96 < 2^101
+ // out[1] < 2^100 + 3*2^64 + 5*2^64 + 3*2^97 < 2^101
+ // out[2] < 2^100 + 5*2^64 + 2^64 + 3*2^65 + 2^97 < 2^101
+ // out[3] < 2^100 + 7*2^64 + 7*2^96 + 3*2^64 < 2^101
}
-/* felem_reduce_zero105 converts a larger longfelem into an felem.
- * On entry:
- * in[0] < 2^71
- * On exit:
- * out[i] < 2^106 */
+// felem_reduce_zero105 converts a larger longfelem into an felem.
+// On entry:
+// in[0] < 2^71
+// On exit:
+// out[i] < 2^106
static void felem_reduce_zero105(felem out, const longfelem in) {
out[0] = zero105[0] + in[0];
out[1] = zero105[1] + in[1];
@@ -695,19 +695,19 @@
felem_reduce_(out, in);
- /* out[0] > 2^105 - 2^41 - 2^9 - 2^71 - 2^103 - 2^71 - 2^103 > 0
- * out[1] > 2^105 - 2^71 - 2^103 > 0
- * out[2] > 2^105 - 2^41 + 2^9 - 2^71 - 2^103 > 0
- * out[3] > 2^105 - 2^41 + 2^9 - 2^71 - 2^103 - 2^103 > 0
- *
- * out[0] < 2^105 + 2^71 + 2^71 + 2^103 < 2^106
- * out[1] < 2^105 + 2^71 + 2^71 + 2^103 < 2^106
- * out[2] < 2^105 + 2^71 + 2^71 + 2^71 + 2^103 < 2^106
- * out[3] < 2^105 + 2^71 + 2^103 + 2^71 < 2^106 */
+ // out[0] > 2^105 - 2^41 - 2^9 - 2^71 - 2^103 - 2^71 - 2^103 > 0
+ // out[1] > 2^105 - 2^71 - 2^103 > 0
+ // out[2] > 2^105 - 2^41 + 2^9 - 2^71 - 2^103 > 0
+ // out[3] > 2^105 - 2^41 + 2^9 - 2^71 - 2^103 - 2^103 > 0
+ //
+ // out[0] < 2^105 + 2^71 + 2^71 + 2^103 < 2^106
+ // out[1] < 2^105 + 2^71 + 2^71 + 2^103 < 2^106
+ // out[2] < 2^105 + 2^71 + 2^71 + 2^71 + 2^103 < 2^106
+ // out[3] < 2^105 + 2^71 + 2^103 + 2^71 < 2^106
}
-/* subtract_u64 sets *result = *result - v and *carry to one if the
- * subtraction underflowed. */
+// subtract_u64 sets *result = *result - v and *carry to one if the
+// subtraction underflowed.
static void subtract_u64(uint64_t *result, uint64_t *carry, uint64_t v) {
uint128_t r = *result;
r -= v;
@@ -715,28 +715,28 @@
*result = (uint64_t)r;
}
-/* felem_contract converts |in| to its unique, minimal representation. On
- * entry: in[i] < 2^109. */
+// felem_contract converts |in| to its unique, minimal representation. On
+// entry: in[i] < 2^109.
static void felem_contract(smallfelem out, const felem in) {
uint64_t all_equal_so_far = 0, result = 0;
felem_shrink(out, in);
- /* small is minimal except that the value might be > p */
+ // small is minimal except that the value might be > p
all_equal_so_far--;
- /* We are doing a constant time test if out >= kPrime. We need to compare
- * each uint64_t, from most-significant to least significant. For each one, if
- * all words so far have been equal (m is all ones) then a non-equal
- * result is the answer. Otherwise we continue. */
+ // We are doing a constant time test if out >= kPrime. We need to compare
+ // each uint64_t, from most-significant to least significant. For each one, if
+ // all words so far have been equal (m is all ones) then a non-equal
+ // result is the answer. Otherwise we continue.
for (size_t i = 3; i < 4; i--) {
uint64_t equal;
uint128_t a = ((uint128_t)kPrime[i]) - out[i];
- /* if out[i] > kPrime[i] then a will underflow and the high 64-bits
- * will all be set. */
+ // if out[i] > kPrime[i] then a will underflow and the high 64-bits
+ // will all be set.
result |= all_equal_so_far & ((uint64_t)(a >> 64));
- /* if kPrime[i] == out[i] then |equal| will be all zeros and the
- * decrement will make it all ones. */
+ // if kPrime[i] == out[i] then |equal| will be all zeros and the
+ // decrement will make it all ones.
equal = kPrime[i] ^ out[i];
equal--;
equal &= equal << 32;
@@ -750,11 +750,11 @@
all_equal_so_far &= equal;
}
- /* if all_equal_so_far is still all ones then the two values are equal
- * and so out >= kPrime is true. */
+ // if all_equal_so_far is still all ones then the two values are equal
+ // and so out >= kPrime is true.
result |= all_equal_so_far;
- /* if out >= kPrime then we subtract kPrime. */
+ // if out >= kPrime then we subtract kPrime.
uint64_t carry;
subtract_u64(&out[0], &carry, result & kPrime[0]);
subtract_u64(&out[1], &carry, carry);
@@ -771,10 +771,10 @@
subtract_u64(&out[3], &carry, result & kPrime[3]);
}
-/* felem_is_zero returns a limb with all bits set if |in| == 0 (mod p) and 0
- * otherwise.
- * On entry:
- * small[i] < 2^64 */
+// felem_is_zero returns a limb with all bits set if |in| == 0 (mod p) and 0
+// otherwise.
+// On entry:
+// small[i] < 2^64
static limb smallfelem_is_zero(const smallfelem small) {
limb result;
uint64_t is_p;
@@ -807,118 +807,118 @@
return result;
}
-/* felem_inv calculates |out| = |in|^{-1}
- *
- * Based on Fermat's Little Theorem:
- * a^p = a (mod p)
- * a^{p-1} = 1 (mod p)
- * a^{p-2} = a^{-1} (mod p) */
+// felem_inv calculates |out| = |in|^{-1}
+//
+// Based on Fermat's Little Theorem:
+// a^p = a (mod p)
+// a^{p-1} = 1 (mod p)
+// a^{p-2} = a^{-1} (mod p)
static void felem_inv(felem out, const felem in) {
felem ftmp, ftmp2;
- /* each e_I will hold |in|^{2^I - 1} */
+ // each e_I will hold |in|^{2^I - 1}
felem e2, e4, e8, e16, e32, e64;
longfelem tmp;
felem_square(tmp, in);
- felem_reduce(ftmp, tmp); /* 2^1 */
+ felem_reduce(ftmp, tmp); // 2^1
felem_mul(tmp, in, ftmp);
- felem_reduce(ftmp, tmp); /* 2^2 - 2^0 */
+ felem_reduce(ftmp, tmp); // 2^2 - 2^0
felem_assign(e2, ftmp);
felem_square(tmp, ftmp);
- felem_reduce(ftmp, tmp); /* 2^3 - 2^1 */
+ felem_reduce(ftmp, tmp); // 2^3 - 2^1
felem_square(tmp, ftmp);
- felem_reduce(ftmp, tmp); /* 2^4 - 2^2 */
+ felem_reduce(ftmp, tmp); // 2^4 - 2^2
felem_mul(tmp, ftmp, e2);
- felem_reduce(ftmp, tmp); /* 2^4 - 2^0 */
+ felem_reduce(ftmp, tmp); // 2^4 - 2^0
felem_assign(e4, ftmp);
felem_square(tmp, ftmp);
- felem_reduce(ftmp, tmp); /* 2^5 - 2^1 */
+ felem_reduce(ftmp, tmp); // 2^5 - 2^1
felem_square(tmp, ftmp);
- felem_reduce(ftmp, tmp); /* 2^6 - 2^2 */
+ felem_reduce(ftmp, tmp); // 2^6 - 2^2
felem_square(tmp, ftmp);
- felem_reduce(ftmp, tmp); /* 2^7 - 2^3 */
+ felem_reduce(ftmp, tmp); // 2^7 - 2^3
felem_square(tmp, ftmp);
- felem_reduce(ftmp, tmp); /* 2^8 - 2^4 */
+ felem_reduce(ftmp, tmp); // 2^8 - 2^4
felem_mul(tmp, ftmp, e4);
- felem_reduce(ftmp, tmp); /* 2^8 - 2^0 */
+ felem_reduce(ftmp, tmp); // 2^8 - 2^0
felem_assign(e8, ftmp);
for (size_t i = 0; i < 8; i++) {
felem_square(tmp, ftmp);
felem_reduce(ftmp, tmp);
- } /* 2^16 - 2^8 */
+ } // 2^16 - 2^8
felem_mul(tmp, ftmp, e8);
- felem_reduce(ftmp, tmp); /* 2^16 - 2^0 */
+ felem_reduce(ftmp, tmp); // 2^16 - 2^0
felem_assign(e16, ftmp);
for (size_t i = 0; i < 16; i++) {
felem_square(tmp, ftmp);
felem_reduce(ftmp, tmp);
- } /* 2^32 - 2^16 */
+ } // 2^32 - 2^16
felem_mul(tmp, ftmp, e16);
- felem_reduce(ftmp, tmp); /* 2^32 - 2^0 */
+ felem_reduce(ftmp, tmp); // 2^32 - 2^0
felem_assign(e32, ftmp);
for (size_t i = 0; i < 32; i++) {
felem_square(tmp, ftmp);
felem_reduce(ftmp, tmp);
- } /* 2^64 - 2^32 */
+ } // 2^64 - 2^32
felem_assign(e64, ftmp);
felem_mul(tmp, ftmp, in);
- felem_reduce(ftmp, tmp); /* 2^64 - 2^32 + 2^0 */
+ felem_reduce(ftmp, tmp); // 2^64 - 2^32 + 2^0
for (size_t i = 0; i < 192; i++) {
felem_square(tmp, ftmp);
felem_reduce(ftmp, tmp);
- } /* 2^256 - 2^224 + 2^192 */
+ } // 2^256 - 2^224 + 2^192
felem_mul(tmp, e64, e32);
- felem_reduce(ftmp2, tmp); /* 2^64 - 2^0 */
+ felem_reduce(ftmp2, tmp); // 2^64 - 2^0
for (size_t i = 0; i < 16; i++) {
felem_square(tmp, ftmp2);
felem_reduce(ftmp2, tmp);
- } /* 2^80 - 2^16 */
+ } // 2^80 - 2^16
felem_mul(tmp, ftmp2, e16);
- felem_reduce(ftmp2, tmp); /* 2^80 - 2^0 */
+ felem_reduce(ftmp2, tmp); // 2^80 - 2^0
for (size_t i = 0; i < 8; i++) {
felem_square(tmp, ftmp2);
felem_reduce(ftmp2, tmp);
- } /* 2^88 - 2^8 */
+ } // 2^88 - 2^8
felem_mul(tmp, ftmp2, e8);
- felem_reduce(ftmp2, tmp); /* 2^88 - 2^0 */
+ felem_reduce(ftmp2, tmp); // 2^88 - 2^0
for (size_t i = 0; i < 4; i++) {
felem_square(tmp, ftmp2);
felem_reduce(ftmp2, tmp);
- } /* 2^92 - 2^4 */
+ } // 2^92 - 2^4
felem_mul(tmp, ftmp2, e4);
- felem_reduce(ftmp2, tmp); /* 2^92 - 2^0 */
+ felem_reduce(ftmp2, tmp); // 2^92 - 2^0
felem_square(tmp, ftmp2);
- felem_reduce(ftmp2, tmp); /* 2^93 - 2^1 */
+ felem_reduce(ftmp2, tmp); // 2^93 - 2^1
felem_square(tmp, ftmp2);
- felem_reduce(ftmp2, tmp); /* 2^94 - 2^2 */
+ felem_reduce(ftmp2, tmp); // 2^94 - 2^2
felem_mul(tmp, ftmp2, e2);
- felem_reduce(ftmp2, tmp); /* 2^94 - 2^0 */
+ felem_reduce(ftmp2, tmp); // 2^94 - 2^0
felem_square(tmp, ftmp2);
- felem_reduce(ftmp2, tmp); /* 2^95 - 2^1 */
+ felem_reduce(ftmp2, tmp); // 2^95 - 2^1
felem_square(tmp, ftmp2);
- felem_reduce(ftmp2, tmp); /* 2^96 - 2^2 */
+ felem_reduce(ftmp2, tmp); // 2^96 - 2^2
felem_mul(tmp, ftmp2, in);
- felem_reduce(ftmp2, tmp); /* 2^96 - 3 */
+ felem_reduce(ftmp2, tmp); // 2^96 - 3
felem_mul(tmp, ftmp2, ftmp);
- felem_reduce(out, tmp); /* 2^256 - 2^224 + 2^192 + 2^96 - 3 */
+ felem_reduce(out, tmp); // 2^256 - 2^224 + 2^192 + 2^96 - 3
}
-/* Group operations
- * ----------------
- *
- * Building on top of the field operations we have the operations on the
- * elliptic curve group itself. Points on the curve are represented in Jacobian
- * coordinates. */
+// Group operations
+// ----------------
+//
+// Building on top of the field operations we have the operations on the
+// elliptic curve group itself. Points on the curve are represented in Jacobian
+// coordinates.
-/* point_double calculates 2*(x_in, y_in, z_in)
- *
- * The method is taken from:
- * http://hyperelliptic.org/EFD/g1p/auto-shortw-jacobian-3.html#doubling-dbl-2001-b
- *
- * Outputs can equal corresponding inputs, i.e., x_out == x_in is allowed.
- * while x_out == y_in is not (maybe this works, but it's not tested). */
+// point_double calculates 2*(x_in, y_in, z_in)
+//
+// The method is taken from:
+// http://hyperelliptic.org/EFD/g1p/auto-shortw-jacobian-3.html#doubling-dbl-2001-b
+//
+// Outputs can equal corresponding inputs, i.e., x_out == x_in is allowed.
+// while x_out == y_in is not (maybe this works, but it's not tested).
static void point_double(felem x_out, felem y_out, felem z_out,
const felem x_in, const felem y_in, const felem z_in) {
longfelem tmp, tmp2;
@@ -926,77 +926,77 @@
smallfelem small1, small2;
felem_assign(ftmp, x_in);
- /* ftmp[i] < 2^106 */
+ // ftmp[i] < 2^106
felem_assign(ftmp2, x_in);
- /* ftmp2[i] < 2^106 */
+ // ftmp2[i] < 2^106
- /* delta = z^2 */
+ // delta = z^2
felem_square(tmp, z_in);
felem_reduce(delta, tmp);
- /* delta[i] < 2^101 */
+ // delta[i] < 2^101
- /* gamma = y^2 */
+ // gamma = y^2
felem_square(tmp, y_in);
felem_reduce(gamma, tmp);
- /* gamma[i] < 2^101 */
+ // gamma[i] < 2^101
felem_shrink(small1, gamma);
- /* beta = x*gamma */
+ // beta = x*gamma
felem_small_mul(tmp, small1, x_in);
felem_reduce(beta, tmp);
- /* beta[i] < 2^101 */
+ // beta[i] < 2^101
- /* alpha = 3*(x-delta)*(x+delta) */
+ // alpha = 3*(x-delta)*(x+delta)
felem_diff(ftmp, delta);
- /* ftmp[i] < 2^105 + 2^106 < 2^107 */
+ // ftmp[i] < 2^105 + 2^106 < 2^107
felem_sum(ftmp2, delta);
- /* ftmp2[i] < 2^105 + 2^106 < 2^107 */
+ // ftmp2[i] < 2^105 + 2^106 < 2^107
felem_scalar(ftmp2, 3);
- /* ftmp2[i] < 3 * 2^107 < 2^109 */
+ // ftmp2[i] < 3 * 2^107 < 2^109
felem_mul(tmp, ftmp, ftmp2);
felem_reduce(alpha, tmp);
- /* alpha[i] < 2^101 */
+ // alpha[i] < 2^101
felem_shrink(small2, alpha);
- /* x' = alpha^2 - 8*beta */
+ // x' = alpha^2 - 8*beta
smallfelem_square(tmp, small2);
felem_reduce(x_out, tmp);
felem_assign(ftmp, beta);
felem_scalar(ftmp, 8);
- /* ftmp[i] < 8 * 2^101 = 2^104 */
+ // ftmp[i] < 8 * 2^101 = 2^104
felem_diff(x_out, ftmp);
- /* x_out[i] < 2^105 + 2^101 < 2^106 */
+ // x_out[i] < 2^105 + 2^101 < 2^106
- /* z' = (y + z)^2 - gamma - delta */
+ // z' = (y + z)^2 - gamma - delta
felem_sum(delta, gamma);
- /* delta[i] < 2^101 + 2^101 = 2^102 */
+ // delta[i] < 2^101 + 2^101 = 2^102
felem_assign(ftmp, y_in);
felem_sum(ftmp, z_in);
- /* ftmp[i] < 2^106 + 2^106 = 2^107 */
+ // ftmp[i] < 2^106 + 2^106 = 2^107
felem_square(tmp, ftmp);
felem_reduce(z_out, tmp);
felem_diff(z_out, delta);
- /* z_out[i] < 2^105 + 2^101 < 2^106 */
+ // z_out[i] < 2^105 + 2^101 < 2^106
- /* y' = alpha*(4*beta - x') - 8*gamma^2 */
+ // y' = alpha*(4*beta - x') - 8*gamma^2
felem_scalar(beta, 4);
- /* beta[i] < 4 * 2^101 = 2^103 */
+ // beta[i] < 4 * 2^101 = 2^103
felem_diff_zero107(beta, x_out);
- /* beta[i] < 2^107 + 2^103 < 2^108 */
+ // beta[i] < 2^107 + 2^103 < 2^108
felem_small_mul(tmp, small2, beta);
- /* tmp[i] < 7 * 2^64 < 2^67 */
+ // tmp[i] < 7 * 2^64 < 2^67
smallfelem_square(tmp2, small1);
- /* tmp2[i] < 7 * 2^64 */
+ // tmp2[i] < 7 * 2^64
longfelem_scalar(tmp2, 8);
- /* tmp2[i] < 8 * 7 * 2^64 = 7 * 2^67 */
+ // tmp2[i] < 8 * 7 * 2^64 = 7 * 2^67
longfelem_diff(tmp, tmp2);
- /* tmp[i] < 2^67 + 2^70 + 2^40 < 2^71 */
+ // tmp[i] < 2^67 + 2^70 + 2^40 < 2^71
felem_reduce_zero105(y_out, tmp);
- /* y_out[i] < 2^106 */
+ // y_out[i] < 2^106
}
-/* point_double_small is the same as point_double, except that it operates on
- * smallfelems. */
+// point_double_small is the same as point_double, except that it operates on
+// smallfelems.
static void point_double_small(smallfelem x_out, smallfelem y_out,
smallfelem z_out, const smallfelem x_in,
const smallfelem y_in, const smallfelem z_in) {
@@ -1013,7 +1013,7 @@
felem_shrink(z_out, felem_z_out);
}
-/* p256_copy_conditional copies in to out iff mask is all ones. */
+// p256_copy_conditional copies in to out iff mask is all ones.
static void p256_copy_conditional(felem out, const felem in, limb mask) {
for (size_t i = 0; i < NLIMBS; ++i) {
const limb tmp = mask & (in[i] ^ out[i]);
@@ -1021,7 +1021,7 @@
}
}
-/* copy_small_conditional copies in to out iff mask is all ones. */
+// copy_small_conditional copies in to out iff mask is all ones.
static void copy_small_conditional(felem out, const smallfelem in, limb mask) {
const uint64_t mask64 = mask;
for (size_t i = 0; i < NLIMBS; ++i) {
@@ -1029,16 +1029,16 @@
}
}
-/* point_add calcuates (x1, y1, z1) + (x2, y2, z2)
- *
- * The method is taken from:
- * http://hyperelliptic.org/EFD/g1p/auto-shortw-jacobian-3.html#addition-add-2007-bl,
- * adapted for mixed addition (z2 = 1, or z2 = 0 for the point at infinity).
- *
- * This function includes a branch for checking whether the two input points
- * are equal, (while not equal to the point at infinity). This case never
- * happens during single point multiplication, so there is no timing leak for
- * ECDH or ECDSA signing. */
+// point_add calcuates (x1, y1, z1) + (x2, y2, z2)
+//
+// The method is taken from:
+// http://hyperelliptic.org/EFD/g1p/auto-shortw-jacobian-3.html#addition-add-2007-bl,
+// adapted for mixed addition (z2 = 1, or z2 = 0 for the point at infinity).
+//
+// This function includes a branch for checking whether the two input points
+// are equal, (while not equal to the point at infinity). This case never
+// happens during single point multiplication, so there is no timing leak for
+// ECDH or ECDSA signing.
static void point_add(felem x3, felem y3, felem z3, const felem x1,
const felem y1, const felem z1, const int mixed,
const smallfelem x2, const smallfelem y2,
@@ -1053,94 +1053,94 @@
z1_is_zero = smallfelem_is_zero(small3);
z2_is_zero = smallfelem_is_zero(z2);
- /* ftmp = z1z1 = z1**2 */
+ // ftmp = z1z1 = z1**2
smallfelem_square(tmp, small3);
felem_reduce(ftmp, tmp);
- /* ftmp[i] < 2^101 */
+ // ftmp[i] < 2^101
felem_shrink(small1, ftmp);
if (!mixed) {
- /* ftmp2 = z2z2 = z2**2 */
+ // ftmp2 = z2z2 = z2**2
smallfelem_square(tmp, z2);
felem_reduce(ftmp2, tmp);
- /* ftmp2[i] < 2^101 */
+ // ftmp2[i] < 2^101
felem_shrink(small2, ftmp2);
felem_shrink(small5, x1);
- /* u1 = ftmp3 = x1*z2z2 */
+ // u1 = ftmp3 = x1*z2z2
smallfelem_mul(tmp, small5, small2);
felem_reduce(ftmp3, tmp);
- /* ftmp3[i] < 2^101 */
+ // ftmp3[i] < 2^101
- /* ftmp5 = z1 + z2 */
+ // ftmp5 = z1 + z2
felem_assign(ftmp5, z1);
felem_small_sum(ftmp5, z2);
- /* ftmp5[i] < 2^107 */
+ // ftmp5[i] < 2^107
- /* ftmp5 = (z1 + z2)**2 - (z1z1 + z2z2) = 2z1z2 */
+ // ftmp5 = (z1 + z2)**2 - (z1z1 + z2z2) = 2z1z2
felem_square(tmp, ftmp5);
felem_reduce(ftmp5, tmp);
- /* ftmp2 = z2z2 + z1z1 */
+ // ftmp2 = z2z2 + z1z1
felem_sum(ftmp2, ftmp);
- /* ftmp2[i] < 2^101 + 2^101 = 2^102 */
+ // ftmp2[i] < 2^101 + 2^101 = 2^102
felem_diff(ftmp5, ftmp2);
- /* ftmp5[i] < 2^105 + 2^101 < 2^106 */
+ // ftmp5[i] < 2^105 + 2^101 < 2^106
- /* ftmp2 = z2 * z2z2 */
+ // ftmp2 = z2 * z2z2
smallfelem_mul(tmp, small2, z2);
felem_reduce(ftmp2, tmp);
- /* s1 = ftmp2 = y1 * z2**3 */
+ // s1 = ftmp2 = y1 * z2**3
felem_mul(tmp, y1, ftmp2);
felem_reduce(ftmp6, tmp);
- /* ftmp6[i] < 2^101 */
+ // ftmp6[i] < 2^101
} else {
- /* We'll assume z2 = 1 (special case z2 = 0 is handled later). */
+ // We'll assume z2 = 1 (special case z2 = 0 is handled later).
- /* u1 = ftmp3 = x1*z2z2 */
+ // u1 = ftmp3 = x1*z2z2
felem_assign(ftmp3, x1);
- /* ftmp3[i] < 2^106 */
+ // ftmp3[i] < 2^106
- /* ftmp5 = 2z1z2 */
+ // ftmp5 = 2z1z2
felem_assign(ftmp5, z1);
felem_scalar(ftmp5, 2);
- /* ftmp5[i] < 2*2^106 = 2^107 */
+ // ftmp5[i] < 2*2^106 = 2^107
- /* s1 = ftmp2 = y1 * z2**3 */
+ // s1 = ftmp2 = y1 * z2**3
felem_assign(ftmp6, y1);
- /* ftmp6[i] < 2^106 */
+ // ftmp6[i] < 2^106
}
- /* u2 = x2*z1z1 */
+ // u2 = x2*z1z1
smallfelem_mul(tmp, x2, small1);
felem_reduce(ftmp4, tmp);
- /* h = ftmp4 = u2 - u1 */
+ // h = ftmp4 = u2 - u1
felem_diff_zero107(ftmp4, ftmp3);
- /* ftmp4[i] < 2^107 + 2^101 < 2^108 */
+ // ftmp4[i] < 2^107 + 2^101 < 2^108
felem_shrink(small4, ftmp4);
x_equal = smallfelem_is_zero(small4);
- /* z_out = ftmp5 * h */
+ // z_out = ftmp5 * h
felem_small_mul(tmp, small4, ftmp5);
felem_reduce(z_out, tmp);
- /* z_out[i] < 2^101 */
+ // z_out[i] < 2^101
- /* ftmp = z1 * z1z1 */
+ // ftmp = z1 * z1z1
smallfelem_mul(tmp, small1, small3);
felem_reduce(ftmp, tmp);
- /* s2 = tmp = y2 * z1**3 */
+ // s2 = tmp = y2 * z1**3
felem_small_mul(tmp, y2, ftmp);
felem_reduce(ftmp5, tmp);
- /* r = ftmp5 = (s2 - s1)*2 */
+ // r = ftmp5 = (s2 - s1)*2
felem_diff_zero107(ftmp5, ftmp6);
- /* ftmp5[i] < 2^107 + 2^107 = 2^108 */
+ // ftmp5[i] < 2^107 + 2^107 = 2^108
felem_scalar(ftmp5, 2);
- /* ftmp5[i] < 2^109 */
+ // ftmp5[i] < 2^109
felem_shrink(small1, ftmp5);
y_equal = smallfelem_is_zero(small1);
@@ -1149,42 +1149,42 @@
return;
}
- /* I = ftmp = (2h)**2 */
+ // I = ftmp = (2h)**2
felem_assign(ftmp, ftmp4);
felem_scalar(ftmp, 2);
- /* ftmp[i] < 2*2^108 = 2^109 */
+ // ftmp[i] < 2*2^108 = 2^109
felem_square(tmp, ftmp);
felem_reduce(ftmp, tmp);
- /* J = ftmp2 = h * I */
+ // J = ftmp2 = h * I
felem_mul(tmp, ftmp4, ftmp);
felem_reduce(ftmp2, tmp);
- /* V = ftmp4 = U1 * I */
+ // V = ftmp4 = U1 * I
felem_mul(tmp, ftmp3, ftmp);
felem_reduce(ftmp4, tmp);
- /* x_out = r**2 - J - 2V */
+ // x_out = r**2 - J - 2V
smallfelem_square(tmp, small1);
felem_reduce(x_out, tmp);
felem_assign(ftmp3, ftmp4);
felem_scalar(ftmp4, 2);
felem_sum(ftmp4, ftmp2);
- /* ftmp4[i] < 2*2^101 + 2^101 < 2^103 */
+ // ftmp4[i] < 2*2^101 + 2^101 < 2^103
felem_diff(x_out, ftmp4);
- /* x_out[i] < 2^105 + 2^101 */
+ // x_out[i] < 2^105 + 2^101
- /* y_out = r(V-x_out) - 2 * s1 * J */
+ // y_out = r(V-x_out) - 2 * s1 * J
felem_diff_zero107(ftmp3, x_out);
- /* ftmp3[i] < 2^107 + 2^101 < 2^108 */
+ // ftmp3[i] < 2^107 + 2^101 < 2^108
felem_small_mul(tmp, small1, ftmp3);
felem_mul(tmp2, ftmp6, ftmp2);
longfelem_scalar(tmp2, 2);
- /* tmp2[i] < 2*2^67 = 2^68 */
+ // tmp2[i] < 2*2^67 = 2^68
longfelem_diff(tmp, tmp2);
- /* tmp[i] < 2^67 + 2^70 + 2^40 < 2^71 */
+ // tmp[i] < 2^67 + 2^70 + 2^40 < 2^71
felem_reduce_zero105(y_out, tmp);
- /* y_out[i] < 2^106 */
+ // y_out[i] < 2^106
copy_small_conditional(x_out, x2, z1_is_zero);
p256_copy_conditional(x_out, x1, z2_is_zero);
@@ -1197,8 +1197,8 @@
felem_assign(z3, z_out);
}
-/* point_add_small is the same as point_add, except that it operates on
- * smallfelems. */
+// point_add_small is the same as point_add, except that it operates on
+// smallfelems.
static void point_add_small(smallfelem x3, smallfelem y3, smallfelem z3,
smallfelem x1, smallfelem y1, smallfelem z1,
smallfelem x2, smallfelem y2, smallfelem z2) {
@@ -1214,42 +1214,42 @@
felem_shrink(z3, felem_z3);
}
-/* Base point pre computation
- * --------------------------
- *
- * Two different sorts of precomputed tables are used in the following code.
- * Each contain various points on the curve, where each point is three field
- * elements (x, y, z).
- *
- * For the base point table, z is usually 1 (0 for the point at infinity).
- * This table has 2 * 16 elements, starting with the following:
- * index | bits | point
- * ------+---------+------------------------------
- * 0 | 0 0 0 0 | 0G
- * 1 | 0 0 0 1 | 1G
- * 2 | 0 0 1 0 | 2^64G
- * 3 | 0 0 1 1 | (2^64 + 1)G
- * 4 | 0 1 0 0 | 2^128G
- * 5 | 0 1 0 1 | (2^128 + 1)G
- * 6 | 0 1 1 0 | (2^128 + 2^64)G
- * 7 | 0 1 1 1 | (2^128 + 2^64 + 1)G
- * 8 | 1 0 0 0 | 2^192G
- * 9 | 1 0 0 1 | (2^192 + 1)G
- * 10 | 1 0 1 0 | (2^192 + 2^64)G
- * 11 | 1 0 1 1 | (2^192 + 2^64 + 1)G
- * 12 | 1 1 0 0 | (2^192 + 2^128)G
- * 13 | 1 1 0 1 | (2^192 + 2^128 + 1)G
- * 14 | 1 1 1 0 | (2^192 + 2^128 + 2^64)G
- * 15 | 1 1 1 1 | (2^192 + 2^128 + 2^64 + 1)G
- * followed by a copy of this with each element multiplied by 2^32.
- *
- * The reason for this is so that we can clock bits into four different
- * locations when doing simple scalar multiplies against the base point,
- * and then another four locations using the second 16 elements.
- *
- * Tables for other points have table[i] = iG for i in 0 .. 16. */
+// Base point pre computation
+// --------------------------
+//
+// Two different sorts of precomputed tables are used in the following code.
+// Each contain various points on the curve, where each point is three field
+// elements (x, y, z).
+//
+// For the base point table, z is usually 1 (0 for the point at infinity).
+// This table has 2 * 16 elements, starting with the following:
+// index | bits | point
+// ------+---------+------------------------------
+// 0 | 0 0 0 0 | 0G
+// 1 | 0 0 0 1 | 1G
+// 2 | 0 0 1 0 | 2^64G
+// 3 | 0 0 1 1 | (2^64 + 1)G
+// 4 | 0 1 0 0 | 2^128G
+// 5 | 0 1 0 1 | (2^128 + 1)G
+// 6 | 0 1 1 0 | (2^128 + 2^64)G
+// 7 | 0 1 1 1 | (2^128 + 2^64 + 1)G
+// 8 | 1 0 0 0 | 2^192G
+// 9 | 1 0 0 1 | (2^192 + 1)G
+// 10 | 1 0 1 0 | (2^192 + 2^64)G
+// 11 | 1 0 1 1 | (2^192 + 2^64 + 1)G
+// 12 | 1 1 0 0 | (2^192 + 2^128)G
+// 13 | 1 1 0 1 | (2^192 + 2^128 + 1)G
+// 14 | 1 1 1 0 | (2^192 + 2^128 + 2^64)G
+// 15 | 1 1 1 1 | (2^192 + 2^128 + 2^64 + 1)G
+// followed by a copy of this with each element multiplied by 2^32.
+//
+// The reason for this is so that we can clock bits into four different
+// locations when doing simple scalar multiplies against the base point,
+// and then another four locations using the second 16 elements.
+//
+// Tables for other points have table[i] = iG for i in 0 .. 16.
-/* g_pre_comp is the table of precomputed base points */
+// g_pre_comp is the table of precomputed base points
static const smallfelem g_pre_comp[2][16][3] = {
{{{0, 0, 0, 0}, {0, 0, 0, 0}, {0, 0, 0, 0}},
{{0xf4a13945d898c296, 0x77037d812deb33a0, 0xf8bce6e563a440f2,
@@ -1404,8 +1404,8 @@
0x4ab5b6b2b8753f81},
{1, 0, 0, 0}}}};
-/* select_point selects the |idx|th point from a precomputation table and
- * copies it to out. */
+// select_point selects the |idx|th point from a precomputation table and
+// copies it to out.
static void select_point(const uint64_t idx, size_t size,
const smallfelem pre_comp[/*size*/][3],
smallfelem out[3]) {
@@ -1426,7 +1426,7 @@
}
}
-/* get_bit returns the |i|th bit in |in| */
+// get_bit returns the |i|th bit in |in|
static char get_bit(const felem_bytearray in, int i) {
if (i < 0 || i >= 256) {
return 0;
@@ -1434,11 +1434,11 @@
return (in[i >> 3] >> (i & 7)) & 1;
}
-/* Interleaved point multiplication using precomputed point multiples: The
- * small point multiples 0*P, 1*P, ..., 17*P are in p_pre_comp, the scalar
- * in p_scalar, if non-NULL. If g_scalar is non-NULL, we also add this multiple
- * of the generator, using certain (large) precomputed multiples in g_pre_comp.
- * Output point (X, Y, Z) is stored in x_out, y_out, z_out. */
+// Interleaved point multiplication using precomputed point multiples: The
+// small point multiples 0*P, 1*P, ..., 17*P are in p_pre_comp, the scalar
+// in p_scalar, if non-NULL. If g_scalar is non-NULL, we also add this multiple
+// of the generator, using certain (large) precomputed multiples in g_pre_comp.
+// Output point (X, Y, Z) is stored in x_out, y_out, z_out.
static void batch_mul(felem x_out, felem y_out, felem z_out,
const uint8_t *p_scalar, const uint8_t *g_scalar,
const smallfelem p_pre_comp[17][3]) {
@@ -1447,29 +1447,29 @@
uint64_t bits;
uint8_t sign, digit;
- /* set nq to the point at infinity */
+ // set nq to the point at infinity
OPENSSL_memset(nq, 0, 3 * sizeof(felem));
- /* Loop over both scalars msb-to-lsb, interleaving additions of multiples
- * of the generator (two in each of the last 32 rounds) and additions of p
- * (every 5th round). */
+ // Loop over both scalars msb-to-lsb, interleaving additions of multiples
+ // of the generator (two in each of the last 32 rounds) and additions of p
+ // (every 5th round).
- int skip = 1; /* save two point operations in the first round */
+ int skip = 1; // save two point operations in the first round
size_t i = p_scalar != NULL ? 255 : 31;
for (;;) {
- /* double */
+ // double
if (!skip) {
point_double(nq[0], nq[1], nq[2], nq[0], nq[1], nq[2]);
}
- /* add multiples of the generator */
+ // add multiples of the generator
if (g_scalar != NULL && i <= 31) {
- /* first, look 32 bits upwards */
+ // first, look 32 bits upwards
bits = get_bit(g_scalar, i + 224) << 3;
bits |= get_bit(g_scalar, i + 160) << 2;
bits |= get_bit(g_scalar, i + 96) << 1;
bits |= get_bit(g_scalar, i + 32);
- /* select the point to add, in constant time */
+ // select the point to add, in constant time
select_point(bits, 16, g_pre_comp[1], tmp);
if (!skip) {
@@ -1482,18 +1482,18 @@
skip = 0;
}
- /* second, look at the current position */
+ // second, look at the current position
bits = get_bit(g_scalar, i + 192) << 3;
bits |= get_bit(g_scalar, i + 128) << 2;
bits |= get_bit(g_scalar, i + 64) << 1;
bits |= get_bit(g_scalar, i);
- /* select the point to add, in constant time */
+ // select the point to add, in constant time
select_point(bits, 16, g_pre_comp[0], tmp);
point_add(nq[0], nq[1], nq[2], nq[0], nq[1], nq[2], 1 /* mixed */, tmp[0],
tmp[1], tmp[2]);
}
- /* do other additions every 5 doublings */
+ // do other additions every 5 doublings
if (p_scalar != NULL && i % 5 == 0) {
bits = get_bit(p_scalar, i + 4) << 5;
bits |= get_bit(p_scalar, i + 3) << 4;
@@ -1503,10 +1503,10 @@
bits |= get_bit(p_scalar, i - 1);
ec_GFp_nistp_recode_scalar_bits(&sign, &digit, bits);
- /* select the point to add or subtract, in constant time. */
+ // select the point to add or subtract, in constant time.
select_point(digit, 17, p_pre_comp, tmp);
- smallfelem_neg(ftmp, tmp[1]); /* (X, -Y, Z) is the negative
- * point */
+ smallfelem_neg(ftmp, tmp[1]); // (X, -Y, Z) is the negative
+ // point
copy_small_conditional(ftmp, tmp[1], (((limb)sign) - 1));
felem_contract(tmp[1], ftmp);
@@ -1531,13 +1531,10 @@
felem_assign(z_out, nq[2]);
}
-/******************************************************************************/
-/*
- * OPENSSL EC_METHOD FUNCTIONS
- */
+// OPENSSL EC_METHOD FUNCTIONS
-/* Takes the Jacobian coordinates (X, Y, Z) of a point and returns (X', Y') =
- * (X/Z^2, Y/Z^3). */
+// Takes the Jacobian coordinates (X, Y, Z) of a point and returns (X', Y') =
+// (X/Z^2, Y/Z^3).
static int ec_GFp_nistp256_point_get_affine_coordinates(const EC_GROUP *group,
const EC_POINT *point,
BIGNUM *x, BIGNUM *y,
@@ -1612,14 +1609,14 @@
}
if (p != NULL && p_scalar != NULL) {
- /* We treat NULL scalars as 0, and NULL points as points at infinity, i.e.,
- * they contribute nothing to the linear combination. */
+ // We treat NULL scalars as 0, and NULL points as points at infinity, i.e.,
+ // they contribute nothing to the linear combination.
OPENSSL_memset(&p_secret, 0, sizeof(p_secret));
OPENSSL_memset(&p_pre_comp, 0, sizeof(p_pre_comp));
size_t num_bytes;
- /* Reduce g_scalar to 0 <= g_scalar < 2^256. */
+ // Reduce g_scalar to 0 <= g_scalar < 2^256.
if (BN_num_bits(p_scalar) > 256 || BN_is_negative(p_scalar)) {
- /* This is an unusual input, and we don't guarantee constant-timeness. */
+ // This is an unusual input, and we don't guarantee constant-timeness.
if (!BN_nnmod(tmp_scalar, p_scalar, &group->order, ctx)) {
OPENSSL_PUT_ERROR(EC, ERR_R_BN_LIB);
goto err;
@@ -1629,7 +1626,7 @@
num_bytes = BN_bn2bin(p_scalar, tmp);
}
flip_endian(p_secret, tmp, num_bytes);
- /* Precompute multiples. */
+ // Precompute multiples.
if (!BN_to_felem(x_out, &p->X) ||
!BN_to_felem(y_out, &p->Y) ||
!BN_to_felem(z_out, &p->Z)) {
@@ -1657,10 +1654,10 @@
size_t num_bytes;
OPENSSL_memset(g_secret, 0, sizeof(g_secret));
- /* reduce g_scalar to 0 <= g_scalar < 2^256 */
+ // reduce g_scalar to 0 <= g_scalar < 2^256
if (BN_num_bits(g_scalar) > 256 || BN_is_negative(g_scalar)) {
- /* this is an unusual input, and we don't guarantee
- * constant-timeness. */
+ // this is an unusual input, and we don't guarantee
+ // constant-timeness.
if (!BN_nnmod(tmp_scalar, g_scalar, &group->order, ctx)) {
OPENSSL_PUT_ERROR(EC, ERR_R_BN_LIB);
goto err;
@@ -1676,7 +1673,7 @@
g_scalar != NULL ? g_secret : NULL,
(const smallfelem(*)[3]) &p_pre_comp);
- /* reduce the output to its unique minimal representation */
+ // reduce the output to its unique minimal representation
felem_contract(x_in, x_out);
felem_contract(y_in, y_out);
felem_contract(z_in, z_out);
@@ -1708,4 +1705,4 @@
out->field_decode = NULL;
};
-#endif /* 64_BIT && !WINDOWS */
+#endif // 64_BIT && !WINDOWS
diff --git a/src/crypto/fipsmodule/ec/p256-x86_64-table.h b/src/crypto/fipsmodule/ec/p256-x86_64-table.h
index e4705f8..575a203 100644
--- a/src/crypto/fipsmodule/ec/p256-x86_64-table.h
+++ b/src/crypto/fipsmodule/ec/p256-x86_64-table.h
@@ -12,17 +12,17 @@
* OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN
* CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. */
-/* This is the precomputed constant time access table for the code in
- * p256-x86_64.c, for the default generator. The table consists of 37
- * subtables, each subtable contains 64 affine points. The affine points are
- * encoded as eight uint64's, four for the x coordinate and four for the y.
- * Both values are in little-endian order. There are 37 tables because a
- * signed, 6-bit wNAF form of the scalar is used and ceil(256/(6 + 1)) = 37.
- * Within each table there are 64 values because the 6-bit wNAF value can take
- * 64 values, ignoring the sign bit, which is implemented by performing a
- * negation of the affine point when required. We would like to align it to 2MB
- * in order to increase the chances of using a large page but that appears to
- * lead to invalid ELF files being produced. */
+// This is the precomputed constant time access table for the code in
+// p256-x86_64.c, for the default generator. The table consists of 37
+// subtables, each subtable contains 64 affine points. The affine points are
+// encoded as eight uint64's, four for the x coordinate and four for the y.
+// Both values are in little-endian order. There are 37 tables because a
+// signed, 6-bit wNAF form of the scalar is used and ceil(256/(6 + 1)) = 37.
+// Within each table there are 64 values because the 6-bit wNAF value can take
+// 64 values, ignoring the sign bit, which is implemented by performing a
+// negation of the affine point when required. We would like to align it to 2MB
+// in order to increase the chances of using a large page but that appears to
+// lead to invalid ELF files being produced.
static const alignas(4096) BN_ULONG
ecp_nistz256_precomputed[37][64 * sizeof(P256_POINT_AFFINE) /
diff --git a/src/crypto/fipsmodule/ec/p256-x86_64.c b/src/crypto/fipsmodule/ec/p256-x86_64.c
index de80dca..8b51677 100644
--- a/src/crypto/fipsmodule/ec/p256-x86_64.c
+++ b/src/crypto/fipsmodule/ec/p256-x86_64.c
@@ -12,13 +12,13 @@
* OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN
* CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. */
-/* Developers and authors:
- * Shay Gueron (1, 2), and Vlad Krasnov (1)
- * (1) Intel Corporation, Israel Development Center
- * (2) University of Haifa
- * Reference:
- * S.Gueron and V.Krasnov, "Fast Prime Field Elliptic Curve Cryptography with
- * 256 Bit Primes" */
+// Developers and authors:
+// Shay Gueron (1, 2), and Vlad Krasnov (1)
+// (1) Intel Corporation, Israel Development Center
+// (2) University of Haifa
+// Reference:
+// S.Gueron and V.Krasnov, "Fast Prime Field Elliptic Curve Cryptography with
+// 256 Bit Primes"
#include <openssl/ec.h>
@@ -42,16 +42,16 @@
typedef P256_POINT_AFFINE PRECOMP256_ROW[64];
-/* One converted into the Montgomery domain */
+// One converted into the Montgomery domain
static const BN_ULONG ONE[P256_LIMBS] = {
TOBN(0x00000000, 0x00000001), TOBN(0xffffffff, 0x00000000),
TOBN(0xffffffff, 0xffffffff), TOBN(0x00000000, 0xfffffffe),
};
-/* Precomputed tables for the default generator */
+// Precomputed tables for the default generator
#include "p256-x86_64-table.h"
-/* Recode window to a signed digit, see util-64.c for details */
+// Recode window to a signed digit, see util-64.c for details
static unsigned booth_recode_w5(unsigned in) {
unsigned s, d;
@@ -74,11 +74,11 @@
return (d << 1) + (s & 1);
}
-/* copy_conditional copies |src| to |dst| if |move| is one and leaves it as-is
- * if |move| is zero.
- *
- * WARNING: this breaks the usual convention of constant-time functions
- * returning masks. */
+// copy_conditional copies |src| to |dst| if |move| is one and leaves it as-is
+// if |move| is zero.
+//
+// WARNING: this breaks the usual convention of constant-time functions
+// returning masks.
static void copy_conditional(BN_ULONG dst[P256_LIMBS],
const BN_ULONG src[P256_LIMBS], BN_ULONG move) {
BN_ULONG mask1 = ((BN_ULONG)0) - move;
@@ -96,32 +96,32 @@
}
}
-/* is_not_zero returns one iff in != 0 and zero otherwise.
- *
- * WARNING: this breaks the usual convention of constant-time functions
- * returning masks.
- *
- * (define-fun is_not_zero ((in (_ BitVec 64))) (_ BitVec 64)
- * (bvlshr (bvor in (bvsub #x0000000000000000 in)) #x000000000000003f)
- * )
- *
- * (declare-fun x () (_ BitVec 64))
- *
- * (assert (and (= x #x0000000000000000) (= (is_not_zero x) #x0000000000000001)))
- * (check-sat)
- *
- * (assert (and (not (= x #x0000000000000000)) (= (is_not_zero x) #x0000000000000000)))
- * (check-sat)
- * */
+// is_not_zero returns one iff in != 0 and zero otherwise.
+//
+// WARNING: this breaks the usual convention of constant-time functions
+// returning masks.
+//
+// (define-fun is_not_zero ((in (_ BitVec 64))) (_ BitVec 64)
+// (bvlshr (bvor in (bvsub #x0000000000000000 in)) #x000000000000003f)
+// )
+//
+// (declare-fun x () (_ BitVec 64))
+//
+// (assert (and (= x #x0000000000000000) (= (is_not_zero x) #x0000000000000001)))
+// (check-sat)
+//
+// (assert (and (not (= x #x0000000000000000)) (= (is_not_zero x) #x0000000000000000)))
+// (check-sat)
+//
static BN_ULONG is_not_zero(BN_ULONG in) {
in |= (0 - in);
in >>= BN_BITS2 - 1;
return in;
}
-/* ecp_nistz256_mod_inverse_mont sets |r| to (|in| * 2^-256)^-1 * 2^256 mod p.
- * That is, |r| is the modular inverse of |in| for input and output in the
- * Montgomery domain. */
+// ecp_nistz256_mod_inverse_mont sets |r| to (|in| * 2^-256)^-1 * 2^256 mod p.
+// That is, |r| is the modular inverse of |in| for input and output in the
+// Montgomery domain.
static void ecp_nistz256_mod_inverse_mont(BN_ULONG r[P256_LIMBS],
const BN_ULONG in[P256_LIMBS]) {
/* The poly is ffffffff 00000001 00000000 00000000 00000000 ffffffff ffffffff
@@ -136,29 +136,29 @@
int i;
ecp_nistz256_sqr_mont(res, in);
- ecp_nistz256_mul_mont(p2, res, in); /* 3*p */
+ ecp_nistz256_mul_mont(p2, res, in); // 3*p
ecp_nistz256_sqr_mont(res, p2);
ecp_nistz256_sqr_mont(res, res);
- ecp_nistz256_mul_mont(p4, res, p2); /* f*p */
+ ecp_nistz256_mul_mont(p4, res, p2); // f*p
ecp_nistz256_sqr_mont(res, p4);
ecp_nistz256_sqr_mont(res, res);
ecp_nistz256_sqr_mont(res, res);
ecp_nistz256_sqr_mont(res, res);
- ecp_nistz256_mul_mont(p8, res, p4); /* ff*p */
+ ecp_nistz256_mul_mont(p8, res, p4); // ff*p
ecp_nistz256_sqr_mont(res, p8);
for (i = 0; i < 7; i++) {
ecp_nistz256_sqr_mont(res, res);
}
- ecp_nistz256_mul_mont(p16, res, p8); /* ffff*p */
+ ecp_nistz256_mul_mont(p16, res, p8); // ffff*p
ecp_nistz256_sqr_mont(res, p16);
for (i = 0; i < 15; i++) {
ecp_nistz256_sqr_mont(res, res);
}
- ecp_nistz256_mul_mont(p32, res, p16); /* ffffffff*p */
+ ecp_nistz256_mul_mont(p32, res, p16); // ffffffff*p
ecp_nistz256_sqr_mont(res, p32);
for (i = 0; i < 31; i++) {
@@ -201,8 +201,8 @@
ecp_nistz256_mul_mont(r, res, in);
}
-/* ecp_nistz256_bignum_to_field_elem copies the contents of |in| to |out| and
- * returns one if it fits. Otherwise it returns zero. */
+// ecp_nistz256_bignum_to_field_elem copies the contents of |in| to |out| and
+// returns one if it fits. Otherwise it returns zero.
static int ecp_nistz256_bignum_to_field_elem(BN_ULONG out[P256_LIMBS],
const BIGNUM *in) {
if (in->top > P256_LIMBS) {
@@ -214,7 +214,7 @@
return 1;
}
-/* r = p * p_scalar */
+// r = p * p_scalar
static int ecp_nistz256_windowed_mul(const EC_GROUP *group, P256_POINT *r,
const EC_POINT *p, const BIGNUM *p_scalar,
BN_CTX *ctx) {
@@ -224,9 +224,9 @@
static const unsigned kWindowSize = 5;
static const unsigned kMask = (1 << (5 /* kWindowSize */ + 1)) - 1;
- /* A |P256_POINT| is (3 * 32) = 96 bytes, and the 64-byte alignment should
- * add no more than 63 bytes of overhead. Thus, |table| should require
- * ~1599 ((96 * 16) + 63) bytes of stack space. */
+ // A |P256_POINT| is (3 * 32) = 96 bytes, and the 64-byte alignment should
+ // add no more than 63 bytes of overhead. Thus, |table| should require
+ // ~1599 ((96 * 16) + 63) bytes of stack space.
alignas(64) P256_POINT table[16];
uint8_t p_str[33];
@@ -279,9 +279,9 @@
p_str[j] = 0;
}
- /* table[0] is implicitly (0,0,0) (the point at infinity), therefore it is
- * not stored. All other values are actually stored with an offset of -1 in
- * table. */
+ // table[0] is implicitly (0,0,0) (the point at infinity), therefore it is
+ // not stored. All other values are actually stored with an offset of -1 in
+ // table.
P256_POINT *row = table;
if (!ecp_nistz256_bignum_to_field_elem(row[1 - 1].X, &p->X) ||
@@ -341,7 +341,7 @@
ecp_nistz256_point_double(r, r);
}
- /* Final window */
+ // Final window
wvalue = p_str[0];
wvalue = (wvalue << 1) & kMask;
@@ -426,7 +426,7 @@
p_str[i] = 0;
}
- /* First window */
+ // First window
unsigned wvalue = (p_str[0] << 1) & kMask;
unsigned index = kWindowSize;
@@ -439,9 +439,9 @@
ecp_nistz256_neg(p.p.Z, p.p.Y);
copy_conditional(p.p.Y, p.p.Z, wvalue & 1);
- /* Convert |p| from affine to Jacobian coordinates. We set Z to zero if |p|
- * is infinity and |ONE| otherwise. |p| was computed from the table, so it
- * is infinity iff |wvalue >> 1| is zero. */
+ // Convert |p| from affine to Jacobian coordinates. We set Z to zero if |p|
+ // is infinity and |ONE| otherwise. |p| was computed from the table, so it
+ // is infinity iff |wvalue >> 1| is zero.
OPENSSL_memset(p.p.Z, 0, sizeof(p.p.Z));
copy_conditional(p.p.Z, ONE, is_not_zero(wvalue >> 1));
@@ -478,7 +478,7 @@
}
}
- /* Not constant-time, but we're only operating on the public output. */
+ // Not constant-time, but we're only operating on the public output.
if (!bn_set_words(&r->X, p.p.X, P256_LIMBS) ||
!bn_set_words(&r->Y, p.p.Y, P256_LIMBS) ||
!bn_set_words(&r->Z, p.p.Z, P256_LIMBS)) {
@@ -516,10 +516,10 @@
ecp_nistz256_mod_inverse_mont(z_inv3, point_z);
ecp_nistz256_sqr_mont(z_inv2, z_inv3);
- /* Instead of using |ecp_nistz256_from_mont| to convert the |x| coordinate
- * and then calling |ecp_nistz256_from_mont| again to convert the |y|
- * coordinate below, convert the common factor |z_inv2| once now, saving one
- * reduction. */
+ // Instead of using |ecp_nistz256_from_mont| to convert the |x| coordinate
+ // and then calling |ecp_nistz256_from_mont| again to convert the |y|
+ // coordinate below, convert the common factor |z_inv2| once now, saving one
+ // reduction.
ecp_nistz256_from_mont(z_inv2, z_inv2);
if (x != NULL) {
diff --git a/src/crypto/fipsmodule/ec/p256-x86_64.h b/src/crypto/fipsmodule/ec/p256-x86_64.h
index 0132348..6a0bebb 100644
--- a/src/crypto/fipsmodule/ec/p256-x86_64.h
+++ b/src/crypto/fipsmodule/ec/p256-x86_64.h
@@ -27,30 +27,30 @@
#if !defined(OPENSSL_NO_ASM) && defined(OPENSSL_X86_64) && \
!defined(OPENSSL_SMALL)
-/* P-256 field operations.
- *
- * An element mod P in P-256 is represented as a little-endian array of
- * |P256_LIMBS| |BN_ULONG|s, spanning the full range of values.
- *
- * The following functions take fully-reduced inputs mod P and give
- * fully-reduced outputs. They may be used in-place. */
+// P-256 field operations.
+//
+// An element mod P in P-256 is represented as a little-endian array of
+// |P256_LIMBS| |BN_ULONG|s, spanning the full range of values.
+//
+// The following functions take fully-reduced inputs mod P and give
+// fully-reduced outputs. They may be used in-place.
#define P256_LIMBS (256 / BN_BITS2)
-/* ecp_nistz256_neg sets |res| to -|a| mod P. */
+// ecp_nistz256_neg sets |res| to -|a| mod P.
void ecp_nistz256_neg(BN_ULONG res[P256_LIMBS], const BN_ULONG a[P256_LIMBS]);
-/* ecp_nistz256_mul_mont sets |res| to |a| * |b| * 2^-256 mod P. */
+// ecp_nistz256_mul_mont sets |res| to |a| * |b| * 2^-256 mod P.
void ecp_nistz256_mul_mont(BN_ULONG res[P256_LIMBS],
const BN_ULONG a[P256_LIMBS],
const BN_ULONG b[P256_LIMBS]);
-/* ecp_nistz256_sqr_mont sets |res| to |a| * |a| * 2^-256 mod P. */
+// ecp_nistz256_sqr_mont sets |res| to |a| * |a| * 2^-256 mod P.
void ecp_nistz256_sqr_mont(BN_ULONG res[P256_LIMBS],
const BN_ULONG a[P256_LIMBS]);
-/* ecp_nistz256_from_mont sets |res| to |in|, converted from Montgomery domain
- * by multiplying with 1. */
+// ecp_nistz256_from_mont sets |res| to |in|, converted from Montgomery domain
+// by multiplying with 1.
static inline void ecp_nistz256_from_mont(BN_ULONG res[P256_LIMBS],
const BN_ULONG in[P256_LIMBS]) {
static const BN_ULONG ONE[P256_LIMBS] = { 1 };
@@ -58,47 +58,47 @@
}
-/* P-256 point operations.
- *
- * The following functions may be used in-place. All coordinates are in the
- * Montgomery domain. */
+// P-256 point operations.
+//
+// The following functions may be used in-place. All coordinates are in the
+// Montgomery domain.
-/* A P256_POINT represents a P-256 point in Jacobian coordinates. */
+// A P256_POINT represents a P-256 point in Jacobian coordinates.
typedef struct {
BN_ULONG X[P256_LIMBS];
BN_ULONG Y[P256_LIMBS];
BN_ULONG Z[P256_LIMBS];
} P256_POINT;
-/* A P256_POINT_AFFINE represents a P-256 point in affine coordinates. Infinity
- * is encoded as (0, 0). */
+// A P256_POINT_AFFINE represents a P-256 point in affine coordinates. Infinity
+// is encoded as (0, 0).
typedef struct {
BN_ULONG X[P256_LIMBS];
BN_ULONG Y[P256_LIMBS];
} P256_POINT_AFFINE;
-/* ecp_nistz256_select_w5 sets |*val| to |in_t[index-1]| if 1 <= |index| <= 16
- * and all zeros (the point at infinity) if |index| is 0. This is done in
- * constant time. */
+// ecp_nistz256_select_w5 sets |*val| to |in_t[index-1]| if 1 <= |index| <= 16
+// and all zeros (the point at infinity) if |index| is 0. This is done in
+// constant time.
void ecp_nistz256_select_w5(P256_POINT *val, const P256_POINT in_t[16],
int index);
-/* ecp_nistz256_select_w7 sets |*val| to |in_t[index-1]| if 1 <= |index| <= 64
- * and all zeros (the point at infinity) if |index| is 0. This is done in
- * constant time. */
+// ecp_nistz256_select_w7 sets |*val| to |in_t[index-1]| if 1 <= |index| <= 64
+// and all zeros (the point at infinity) if |index| is 0. This is done in
+// constant time.
void ecp_nistz256_select_w7(P256_POINT_AFFINE *val,
const P256_POINT_AFFINE in_t[64], int index);
-/* ecp_nistz256_point_double sets |r| to |a| doubled. */
+// ecp_nistz256_point_double sets |r| to |a| doubled.
void ecp_nistz256_point_double(P256_POINT *r, const P256_POINT *a);
-/* ecp_nistz256_point_add adds |a| to |b| and places the result in |r|. */
+// ecp_nistz256_point_add adds |a| to |b| and places the result in |r|.
void ecp_nistz256_point_add(P256_POINT *r, const P256_POINT *a,
const P256_POINT *b);
-/* ecp_nistz256_point_add_affine adds |a| to |b| and places the result in
- * |r|. |a| and |b| must not represent the same point unless they are both
- * infinity. */
+// ecp_nistz256_point_add_affine adds |a| to |b| and places the result in
+// |r|. |a| and |b| must not represent the same point unless they are both
+// infinity.
void ecp_nistz256_point_add_affine(P256_POINT *r, const P256_POINT *a,
const P256_POINT_AFFINE *b);
@@ -107,7 +107,7 @@
#if defined(__cplusplus)
-} /* extern C++ */
+} // extern C++
#endif
-#endif /* OPENSSL_HEADER_EC_P256_X86_64_H */
+#endif // OPENSSL_HEADER_EC_P256_X86_64_H
diff --git a/src/crypto/fipsmodule/ec/simple.c b/src/crypto/fipsmodule/ec/simple.c
index 1a03d84..75c06da 100644
--- a/src/crypto/fipsmodule/ec/simple.c
+++ b/src/crypto/fipsmodule/ec/simple.c
@@ -77,16 +77,16 @@
#include "../../internal.h"
-/* Most method functions in this file are designed to work with non-trivial
- * representations of field elements if necessary (see ecp_mont.c): while
- * standard modular addition and subtraction are used, the field_mul and
- * field_sqr methods will be used for multiplication, and field_encode and
- * field_decode (if defined) will be used for converting between
- * representations.
- *
- * Functions here specifically assume that if a non-trivial representation is
- * used, it is a Montgomery representation (i.e. 'encoding' means multiplying
- * by some factor R). */
+// Most method functions in this file are designed to work with non-trivial
+// representations of field elements if necessary (see ecp_mont.c): while
+// standard modular addition and subtraction are used, the field_mul and
+// field_sqr methods will be used for multiplication, and field_encode and
+// field_decode (if defined) will be used for converting between
+// representations.
+//
+// Functions here specifically assume that if a non-trivial representation is
+// used, it is a Montgomery representation (i.e. 'encoding' means multiplying
+// by some factor R).
int ec_GFp_simple_group_init(EC_GROUP *group) {
BN_init(&group->field);
@@ -123,7 +123,7 @@
BN_CTX *new_ctx = NULL;
BIGNUM *tmp_a;
- /* p must be a prime > 3 */
+ // p must be a prime > 3
if (BN_num_bits(p) <= 2 || !BN_is_odd(p)) {
OPENSSL_PUT_ERROR(EC, EC_R_INVALID_FIELD);
return 0;
@@ -142,13 +142,13 @@
goto err;
}
- /* group->field */
+ // group->field
if (!BN_copy(&group->field, p)) {
goto err;
}
BN_set_negative(&group->field, 0);
- /* group->a */
+ // group->a
if (!BN_nnmod(tmp_a, a, p, ctx)) {
goto err;
}
@@ -160,7 +160,7 @@
goto err;
}
- /* group->b */
+ // group->b
if (!BN_nnmod(&group->b, b, p, ctx)) {
goto err;
}
@@ -169,7 +169,7 @@
goto err;
}
- /* group->a_is_minus3 */
+ // group->a_is_minus3
if (!BN_add_word(tmp_a, 3)) {
goto err;
}
@@ -360,7 +360,7 @@
EC_POINT *point, const BIGNUM *x,
const BIGNUM *y, BN_CTX *ctx) {
if (x == NULL || y == NULL) {
- /* unlike for projective coordinates, we do not tolerate this */
+ // unlike for projective coordinates, we do not tolerate this
OPENSSL_PUT_ERROR(EC, ERR_R_PASSED_NULL_PARAMETER);
return 0;
}
@@ -412,88 +412,87 @@
goto end;
}
- /* Note that in this function we must not read components of 'a' or 'b'
- * once we have written the corresponding components of 'r'.
- * ('r' might be one of 'a' or 'b'.)
- */
+ // Note that in this function we must not read components of 'a' or 'b'
+ // once we have written the corresponding components of 'r'.
+ // ('r' might be one of 'a' or 'b'.)
- /* n1, n2 */
+ // n1, n2
int b_Z_is_one = BN_cmp(&b->Z, &group->one) == 0;
if (b_Z_is_one) {
if (!BN_copy(n1, &a->X) || !BN_copy(n2, &a->Y)) {
goto end;
}
- /* n1 = X_a */
- /* n2 = Y_a */
+ // n1 = X_a
+ // n2 = Y_a
} else {
if (!field_sqr(group, n0, &b->Z, ctx) ||
!field_mul(group, n1, &a->X, n0, ctx)) {
goto end;
}
- /* n1 = X_a * Z_b^2 */
+ // n1 = X_a * Z_b^2
if (!field_mul(group, n0, n0, &b->Z, ctx) ||
!field_mul(group, n2, &a->Y, n0, ctx)) {
goto end;
}
- /* n2 = Y_a * Z_b^3 */
+ // n2 = Y_a * Z_b^3
}
- /* n3, n4 */
+ // n3, n4
int a_Z_is_one = BN_cmp(&a->Z, &group->one) == 0;
if (a_Z_is_one) {
if (!BN_copy(n3, &b->X) || !BN_copy(n4, &b->Y)) {
goto end;
}
- /* n3 = X_b */
- /* n4 = Y_b */
+ // n3 = X_b
+ // n4 = Y_b
} else {
if (!field_sqr(group, n0, &a->Z, ctx) ||
!field_mul(group, n3, &b->X, n0, ctx)) {
goto end;
}
- /* n3 = X_b * Z_a^2 */
+ // n3 = X_b * Z_a^2
if (!field_mul(group, n0, n0, &a->Z, ctx) ||
!field_mul(group, n4, &b->Y, n0, ctx)) {
goto end;
}
- /* n4 = Y_b * Z_a^3 */
+ // n4 = Y_b * Z_a^3
}
- /* n5, n6 */
+ // n5, n6
if (!BN_mod_sub_quick(n5, n1, n3, p) ||
!BN_mod_sub_quick(n6, n2, n4, p)) {
goto end;
}
- /* n5 = n1 - n3 */
- /* n6 = n2 - n4 */
+ // n5 = n1 - n3
+ // n6 = n2 - n4
if (BN_is_zero(n5)) {
if (BN_is_zero(n6)) {
- /* a is the same point as b */
+ // a is the same point as b
BN_CTX_end(ctx);
ret = EC_POINT_dbl(group, r, a, ctx);
ctx = NULL;
goto end;
} else {
- /* a is the inverse of b */
+ // a is the inverse of b
BN_zero(&r->Z);
ret = 1;
goto end;
}
}
- /* 'n7', 'n8' */
+ // 'n7', 'n8'
if (!BN_mod_add_quick(n1, n1, n3, p) ||
!BN_mod_add_quick(n2, n2, n4, p)) {
goto end;
}
- /* 'n7' = n1 + n3 */
- /* 'n8' = n2 + n4 */
+ // 'n7' = n1 + n3
+ // 'n8' = n2 + n4
- /* Z_r */
+ // Z_r
if (a_Z_is_one && b_Z_is_one) {
if (!BN_copy(&r->Z, n5)) {
goto end;
@@ -515,28 +514,28 @@
}
}
- /* Z_r = Z_a * Z_b * n5 */
+ // Z_r = Z_a * Z_b * n5
- /* X_r */
+ // X_r
if (!field_sqr(group, n0, n6, ctx) ||
!field_sqr(group, n4, n5, ctx) ||
!field_mul(group, n3, n1, n4, ctx) ||
!BN_mod_sub_quick(&r->X, n0, n3, p)) {
goto end;
}
- /* X_r = n6^2 - n5^2 * 'n7' */
+ // X_r = n6^2 - n5^2 * 'n7'
- /* 'n9' */
+ // 'n9'
if (!BN_mod_lshift1_quick(n0, &r->X, p) ||
!BN_mod_sub_quick(n0, n3, n0, p)) {
goto end;
}
- /* n9 = n5^2 * 'n7' - 2 * X_r */
+ // n9 = n5^2 * 'n7' - 2 * X_r
- /* Y_r */
+ // Y_r
if (!field_mul(group, n0, n0, n6, ctx) ||
!field_mul(group, n5, n4, n5, ctx)) {
- goto end; /* now n5 is n5^3 */
+ goto end; // now n5 is n5^3
}
if (!field_mul(group, n1, n2, n5, ctx) ||
!BN_mod_sub_quick(n0, n0, n1, p)) {
@@ -545,17 +544,17 @@
if (BN_is_odd(n0) && !BN_add(n0, n0, p)) {
goto end;
}
- /* now 0 <= n0 < 2*p, and n0 is even */
+ // now 0 <= n0 < 2*p, and n0 is even
if (!BN_rshift1(&r->Y, n0)) {
goto end;
}
- /* Y_r = (n6 * 'n9' - 'n8' * 'n5^3') / 2 */
+ // Y_r = (n6 * 'n9' - 'n8' * 'n5^3') / 2
ret = 1;
end:
if (ctx) {
- /* otherwise we already called BN_CTX_end */
+ // otherwise we already called BN_CTX_end
BN_CTX_end(ctx);
}
BN_CTX_free(new_ctx);
@@ -597,12 +596,11 @@
goto err;
}
- /* Note that in this function we must not read components of 'a'
- * once we have written the corresponding components of 'r'.
- * ('r' might the same as 'a'.)
- */
+ // Note that in this function we must not read components of 'a'
+ // once we have written the corresponding components of 'r'.
+ // ('r' might the same as 'a'.)
- /* n1 */
+ // n1
if (BN_cmp(&a->Z, &group->one) == 0) {
if (!field_sqr(group, n0, &a->X, ctx) ||
!BN_mod_lshift1_quick(n1, n0, p) ||
@@ -610,7 +608,7 @@
!BN_mod_add_quick(n1, n0, &group->a, p)) {
goto err;
}
- /* n1 = 3 * X_a^2 + a_curve */
+ // n1 = 3 * X_a^2 + a_curve
} else if (group->a_is_minus3) {
if (!field_sqr(group, n1, &a->Z, ctx) ||
!BN_mod_add_quick(n0, &a->X, n1, p) ||
@@ -620,8 +618,8 @@
!BN_mod_add_quick(n1, n0, n1, p)) {
goto err;
}
- /* n1 = 3 * (X_a + Z_a^2) * (X_a - Z_a^2)
- * = 3 * X_a^2 - 3 * Z_a^4 */
+ // n1 = 3 * (X_a + Z_a^2) * (X_a - Z_a^2)
+ // = 3 * X_a^2 - 3 * Z_a^4
} else {
if (!field_sqr(group, n0, &a->X, ctx) ||
!BN_mod_lshift1_quick(n1, n0, p) ||
@@ -632,10 +630,10 @@
!BN_mod_add_quick(n1, n1, n0, p)) {
goto err;
}
- /* n1 = 3 * X_a^2 + a_curve * Z_a^4 */
+ // n1 = 3 * X_a^2 + a_curve * Z_a^4
}
- /* Z_r */
+ // Z_r
if (BN_cmp(&a->Z, &group->one) == 0) {
if (!BN_copy(n0, &a->Y)) {
goto err;
@@ -646,38 +644,38 @@
if (!BN_mod_lshift1_quick(&r->Z, n0, p)) {
goto err;
}
- /* Z_r = 2 * Y_a * Z_a */
+ // Z_r = 2 * Y_a * Z_a
- /* n2 */
+ // n2
if (!field_sqr(group, n3, &a->Y, ctx) ||
!field_mul(group, n2, &a->X, n3, ctx) ||
!BN_mod_lshift_quick(n2, n2, 2, p)) {
goto err;
}
- /* n2 = 4 * X_a * Y_a^2 */
+ // n2 = 4 * X_a * Y_a^2
- /* X_r */
+ // X_r
if (!BN_mod_lshift1_quick(n0, n2, p) ||
!field_sqr(group, &r->X, n1, ctx) ||
!BN_mod_sub_quick(&r->X, &r->X, n0, p)) {
goto err;
}
- /* X_r = n1^2 - 2 * n2 */
+ // X_r = n1^2 - 2 * n2
- /* n3 */
+ // n3
if (!field_sqr(group, n0, n3, ctx) ||
!BN_mod_lshift_quick(n3, n0, 3, p)) {
goto err;
}
- /* n3 = 8 * Y_a^4 */
+ // n3 = 8 * Y_a^4
- /* Y_r */
+ // Y_r
if (!BN_mod_sub_quick(n0, n2, &r->X, p) ||
!field_mul(group, n0, n1, n0, ctx) ||
!BN_mod_sub_quick(&r->Y, n0, n3, p)) {
goto err;
}
- /* Y_r = n1 * (n2 - X_r) - n3 */
+ // Y_r = n1 * (n2 - X_r) - n3
ret = 1;
@@ -689,7 +687,7 @@
int ec_GFp_simple_invert(const EC_GROUP *group, EC_POINT *point, BN_CTX *ctx) {
if (EC_POINT_is_at_infinity(group, point) || BN_is_zero(&point->Y)) {
- /* point is its own inverse */
+ // point is its own inverse
return 1;
}
@@ -734,17 +732,16 @@
goto err;
}
- /* We have a curve defined by a Weierstrass equation
- * y^2 = x^3 + a*x + b.
- * The point to consider is given in Jacobian projective coordinates
- * where (X, Y, Z) represents (x, y) = (X/Z^2, Y/Z^3).
- * Substituting this and multiplying by Z^6 transforms the above equation
- * into
- * Y^2 = X^3 + a*X*Z^4 + b*Z^6.
- * To test this, we add up the right-hand side in 'rh'.
- */
+ // We have a curve defined by a Weierstrass equation
+ // y^2 = x^3 + a*x + b.
+ // The point to consider is given in Jacobian projective coordinates
+ // where (X, Y, Z) represents (x, y) = (X/Z^2, Y/Z^3).
+ // Substituting this and multiplying by Z^6 transforms the above equation
+ // into
+ // Y^2 = X^3 + a*X*Z^4 + b*Z^6.
+ // To test this, we add up the right-hand side in 'rh'.
- /* rh := X^2 */
+ // rh := X^2
if (!field_sqr(group, rh, &point->X, ctx)) {
goto err;
}
@@ -756,7 +753,7 @@
goto err;
}
- /* rh := (rh + a*Z^4)*X */
+ // rh := (rh + a*Z^4)*X
if (group->a_is_minus3) {
if (!BN_mod_lshift1_quick(tmp, Z4, p) ||
!BN_mod_add_quick(tmp, tmp, Z4, p) ||
@@ -772,24 +769,24 @@
}
}
- /* rh := rh + b*Z^6 */
+ // rh := rh + b*Z^6
if (!field_mul(group, tmp, &group->b, Z6, ctx) ||
!BN_mod_add_quick(rh, rh, tmp, p)) {
goto err;
}
} else {
- /* rh := (rh + a)*X */
+ // rh := (rh + a)*X
if (!BN_mod_add_quick(rh, rh, &group->a, p) ||
!field_mul(group, rh, rh, &point->X, ctx)) {
goto err;
}
- /* rh := rh + b */
+ // rh := rh + b
if (!BN_mod_add_quick(rh, rh, &group->b, p)) {
goto err;
}
}
- /* 'lh' := Y^2 */
+ // 'lh' := Y^2
if (!field_sqr(group, tmp, &point->Y, ctx)) {
goto err;
}
@@ -804,11 +801,10 @@
int ec_GFp_simple_cmp(const EC_GROUP *group, const EC_POINT *a,
const EC_POINT *b, BN_CTX *ctx) {
- /* return values:
- * -1 error
- * 0 equal (in affine coordinates)
- * 1 not equal
- */
+ // return values:
+ // -1 error
+ // 0 equal (in affine coordinates)
+ // 1 not equal
int (*field_mul)(const EC_GROUP *, BIGNUM *, const BIGNUM *, const BIGNUM *,
BN_CTX *);
@@ -852,11 +848,10 @@
goto end;
}
- /* We have to decide whether
- * (X_a/Z_a^2, Y_a/Z_a^3) = (X_b/Z_b^2, Y_b/Z_b^3),
- * or equivalently, whether
- * (X_a*Z_b^2, Y_a*Z_b^3) = (X_b*Z_a^2, Y_b*Z_a^3).
- */
+ // We have to decide whether
+ // (X_a/Z_a^2, Y_a/Z_a^3) = (X_b/Z_b^2, Y_b/Z_b^3),
+ // or equivalently, whether
+ // (X_a*Z_b^2, Y_a*Z_b^3) = (X_b*Z_a^2, Y_b*Z_a^3).
if (!b_Z_is_one) {
if (!field_sqr(group, Zb23, &b->Z, ctx) ||
@@ -877,9 +872,9 @@
tmp2_ = &b->X;
}
- /* compare X_a*Z_b^2 with X_b*Z_a^2 */
+ // compare X_a*Z_b^2 with X_b*Z_a^2
if (BN_cmp(tmp1_, tmp2_) != 0) {
- ret = 1; /* points differ */
+ ret = 1; // points differ
goto end;
}
@@ -889,7 +884,7 @@
!field_mul(group, tmp1, &a->Y, Zb23, ctx)) {
goto end;
}
- /* tmp1_ = tmp1 */
+ // tmp1_ = tmp1
} else {
tmp1_ = &a->Y;
}
@@ -898,18 +893,18 @@
!field_mul(group, tmp2, &b->Y, Za23, ctx)) {
goto end;
}
- /* tmp2_ = tmp2 */
+ // tmp2_ = tmp2
} else {
tmp2_ = &b->Y;
}
- /* compare Y_a*Z_b^3 with Y_b*Z_a^3 */
+ // compare Y_a*Z_b^3 with Y_b*Z_a^3
if (BN_cmp(tmp1_, tmp2_) != 0) {
- ret = 1; /* points differ */
+ ret = 1; // points differ
goto end;
}
- /* points are equal */
+ // points are equal
ret = 0;
end:
@@ -997,8 +992,8 @@
}
}
- /* Set each prod_Z[i] to the product of points[0]->Z .. points[i]->Z,
- * skipping any zero-valued inputs (pretend that they're 1). */
+ // Set each prod_Z[i] to the product of points[0]->Z .. points[i]->Z,
+ // skipping any zero-valued inputs (pretend that they're 1).
if (!BN_is_zero(&points[0]->Z)) {
if (!BN_copy(prod_Z[0], &points[0]->Z)) {
@@ -1023,13 +1018,13 @@
}
}
- /* Now use a single explicit inversion to replace every non-zero points[i]->Z
- * by its inverse. We use |BN_mod_inverse_odd| instead of doing a constant-
- * time inversion using Fermat's Little Theorem because this function is
- * usually only used for converting multiples of a public key point to
- * affine, and a public key point isn't secret. If we were to use Fermat's
- * Little Theorem then the cost of the inversion would usually be so high
- * that converting the multiples to affine would be counterproductive. */
+ // Now use a single explicit inversion to replace every non-zero points[i]->Z
+ // by its inverse. We use |BN_mod_inverse_odd| instead of doing a constant-
+ // time inversion using Fermat's Little Theorem because this function is
+ // usually only used for converting multiples of a public key point to
+ // affine, and a public key point isn't secret. If we were to use Fermat's
+ // Little Theorem then the cost of the inversion would usually be so high
+ // that converting the multiples to affine would be counterproductive.
int no_inverse;
if (!BN_mod_inverse_odd(tmp, &no_inverse, prod_Z[num - 1], &group->field,
ctx)) {
@@ -1038,9 +1033,9 @@
}
if (group->meth->field_encode != NULL) {
- /* In the Montgomery case, we just turned R*H (representing H)
- * into 1/(R*H), but we need R*(1/H) (representing 1/H);
- * i.e. we need to multiply by the Montgomery factor twice. */
+ // In the Montgomery case, we just turned R*H (representing H)
+ // into 1/(R*H), but we need R*(1/H) (representing 1/H);
+ // i.e. we need to multiply by the Montgomery factor twice.
if (!group->meth->field_encode(group, tmp, tmp, ctx) ||
!group->meth->field_encode(group, tmp, tmp, ctx)) {
goto err;
@@ -1048,34 +1043,34 @@
}
for (size_t i = num - 1; i > 0; --i) {
- /* Loop invariant: tmp is the product of the inverses of
- * points[0]->Z .. points[i]->Z (zero-valued inputs skipped). */
+ // Loop invariant: tmp is the product of the inverses of
+ // points[0]->Z .. points[i]->Z (zero-valued inputs skipped).
if (BN_is_zero(&points[i]->Z)) {
continue;
}
- /* Set tmp_Z to the inverse of points[i]->Z (as product
- * of Z inverses 0 .. i, Z values 0 .. i - 1). */
+ // Set tmp_Z to the inverse of points[i]->Z (as product
+ // of Z inverses 0 .. i, Z values 0 .. i - 1).
if (!group->meth->field_mul(group, tmp_Z, prod_Z[i - 1], tmp, ctx) ||
- /* Update tmp to satisfy the loop invariant for i - 1. */
+ // Update tmp to satisfy the loop invariant for i - 1.
!group->meth->field_mul(group, tmp, tmp, &points[i]->Z, ctx) ||
- /* Replace points[i]->Z by its inverse. */
+ // Replace points[i]->Z by its inverse.
!BN_copy(&points[i]->Z, tmp_Z)) {
goto err;
}
}
- /* Replace points[0]->Z by its inverse. */
+ // Replace points[0]->Z by its inverse.
if (!BN_is_zero(&points[0]->Z) && !BN_copy(&points[0]->Z, tmp)) {
goto err;
}
- /* Finally, fix up the X and Y coordinates for all points. */
+ // Finally, fix up the X and Y coordinates for all points.
for (size_t i = 0; i < num; i++) {
EC_POINT *p = points[i];
if (!BN_is_zero(&p->Z)) {
- /* turn (X, Y, 1/Z) into (X/Z^2, Y/Z^3, 1). */
+ // turn (X, Y, 1/Z) into (X/Z^2, Y/Z^3, 1).
if (!group->meth->field_sqr(group, tmp, &p->Z, ctx) ||
!group->meth->field_mul(group, &p->X, &p->X, tmp, ctx) ||
!group->meth->field_mul(group, tmp, tmp, &p->Z, ctx) ||
diff --git a/src/crypto/fipsmodule/ec/util-64.c b/src/crypto/fipsmodule/ec/util-64.c
index 4006271..0cb117b 100644
--- a/src/crypto/fipsmodule/ec/util-64.c
+++ b/src/crypto/fipsmodule/ec/util-64.c
@@ -21,77 +21,77 @@
#include "internal.h"
-/* This function looks at 5+1 scalar bits (5 current, 1 adjacent less
- * significant bit), and recodes them into a signed digit for use in fast point
- * multiplication: the use of signed rather than unsigned digits means that
- * fewer points need to be precomputed, given that point inversion is easy (a
- * precomputed point dP makes -dP available as well).
- *
- * BACKGROUND:
- *
- * Signed digits for multiplication were introduced by Booth ("A signed binary
- * multiplication technique", Quart. Journ. Mech. and Applied Math., vol. IV,
- * pt. 2 (1951), pp. 236-240), in that case for multiplication of integers.
- * Booth's original encoding did not generally improve the density of nonzero
- * digits over the binary representation, and was merely meant to simplify the
- * handling of signed factors given in two's complement; but it has since been
- * shown to be the basis of various signed-digit representations that do have
- * further advantages, including the wNAF, using the following general
- * approach:
- *
- * (1) Given a binary representation
- *
- * b_k ... b_2 b_1 b_0,
- *
- * of a nonnegative integer (b_k in {0, 1}), rewrite it in digits 0, 1, -1
- * by using bit-wise subtraction as follows:
- *
- * b_k b_(k-1) ... b_2 b_1 b_0
- * - b_k ... b_3 b_2 b_1 b_0
- * -------------------------------------
- * s_k b_(k-1) ... s_3 s_2 s_1 s_0
- *
- * A left-shift followed by subtraction of the original value yields a new
- * representation of the same value, using signed bits s_i = b_(i+1) - b_i.
- * This representation from Booth's paper has since appeared in the
- * literature under a variety of different names including "reversed binary
- * form", "alternating greedy expansion", "mutual opposite form", and
- * "sign-alternating {+-1}-representation".
- *
- * An interesting property is that among the nonzero bits, values 1 and -1
- * strictly alternate.
- *
- * (2) Various window schemes can be applied to the Booth representation of
- * integers: for example, right-to-left sliding windows yield the wNAF
- * (a signed-digit encoding independently discovered by various researchers
- * in the 1990s), and left-to-right sliding windows yield a left-to-right
- * equivalent of the wNAF (independently discovered by various researchers
- * around 2004).
- *
- * To prevent leaking information through side channels in point multiplication,
- * we need to recode the given integer into a regular pattern: sliding windows
- * as in wNAFs won't do, we need their fixed-window equivalent -- which is a few
- * decades older: we'll be using the so-called "modified Booth encoding" due to
- * MacSorley ("High-speed arithmetic in binary computers", Proc. IRE, vol. 49
- * (1961), pp. 67-91), in a radix-2^5 setting. That is, we always combine five
- * signed bits into a signed digit:
- *
- * s_(4j + 4) s_(4j + 3) s_(4j + 2) s_(4j + 1) s_(4j)
- *
- * The sign-alternating property implies that the resulting digit values are
- * integers from -16 to 16.
- *
- * Of course, we don't actually need to compute the signed digits s_i as an
- * intermediate step (that's just a nice way to see how this scheme relates
- * to the wNAF): a direct computation obtains the recoded digit from the
- * six bits b_(4j + 4) ... b_(4j - 1).
- *
- * This function takes those five bits as an integer (0 .. 63), writing the
- * recoded digit to *sign (0 for positive, 1 for negative) and *digit (absolute
- * value, in the range 0 .. 8). Note that this integer essentially provides the
- * input bits "shifted to the left" by one position: for example, the input to
- * compute the least significant recoded digit, given that there's no bit b_-1,
- * has to be b_4 b_3 b_2 b_1 b_0 0. */
+// This function looks at 5+1 scalar bits (5 current, 1 adjacent less
+// significant bit), and recodes them into a signed digit for use in fast point
+// multiplication: the use of signed rather than unsigned digits means that
+// fewer points need to be precomputed, given that point inversion is easy (a
+// precomputed point dP makes -dP available as well).
+//
+// BACKGROUND:
+//
+// Signed digits for multiplication were introduced by Booth ("A signed binary
+// multiplication technique", Quart. Journ. Mech. and Applied Math., vol. IV,
+// pt. 2 (1951), pp. 236-240), in that case for multiplication of integers.
+// Booth's original encoding did not generally improve the density of nonzero
+// digits over the binary representation, and was merely meant to simplify the
+// handling of signed factors given in two's complement; but it has since been
+// shown to be the basis of various signed-digit representations that do have
+// further advantages, including the wNAF, using the following general
+// approach:
+//
+// (1) Given a binary representation
+//
+// b_k ... b_2 b_1 b_0,
+//
+// of a nonnegative integer (b_k in {0, 1}), rewrite it in digits 0, 1, -1
+// by using bit-wise subtraction as follows:
+//
+// b_k b_(k-1) ... b_2 b_1 b_0
+// - b_k ... b_3 b_2 b_1 b_0
+// -------------------------------------
+// s_k b_(k-1) ... s_3 s_2 s_1 s_0
+//
+// A left-shift followed by subtraction of the original value yields a new
+// representation of the same value, using signed bits s_i = b_(i+1) - b_i.
+// This representation from Booth's paper has since appeared in the
+// literature under a variety of different names including "reversed binary
+// form", "alternating greedy expansion", "mutual opposite form", and
+// "sign-alternating {+-1}-representation".
+//
+// An interesting property is that among the nonzero bits, values 1 and -1
+// strictly alternate.
+//
+// (2) Various window schemes can be applied to the Booth representation of
+// integers: for example, right-to-left sliding windows yield the wNAF
+// (a signed-digit encoding independently discovered by various researchers
+// in the 1990s), and left-to-right sliding windows yield a left-to-right
+// equivalent of the wNAF (independently discovered by various researchers
+// around 2004).
+//
+// To prevent leaking information through side channels in point multiplication,
+// we need to recode the given integer into a regular pattern: sliding windows
+// as in wNAFs won't do, we need their fixed-window equivalent -- which is a few
+// decades older: we'll be using the so-called "modified Booth encoding" due to
+// MacSorley ("High-speed arithmetic in binary computers", Proc. IRE, vol. 49
+// (1961), pp. 67-91), in a radix-2^5 setting. That is, we always combine five
+// signed bits into a signed digit:
+//
+// s_(4j + 4) s_(4j + 3) s_(4j + 2) s_(4j + 1) s_(4j)
+//
+// The sign-alternating property implies that the resulting digit values are
+// integers from -16 to 16.
+//
+// Of course, we don't actually need to compute the signed digits s_i as an
+// intermediate step (that's just a nice way to see how this scheme relates
+// to the wNAF): a direct computation obtains the recoded digit from the
+// six bits b_(4j + 4) ... b_(4j - 1).
+//
+// This function takes those five bits as an integer (0 .. 63), writing the
+// recoded digit to *sign (0 for positive, 1 for negative) and *digit (absolute
+// value, in the range 0 .. 8). Note that this integer essentially provides the
+// input bits "shifted to the left" by one position: for example, the input to
+// compute the least significant recoded digit, given that there's no bit b_-1,
+// has to be b_4 b_3 b_2 b_1 b_0 0.
void ec_GFp_nistp_recode_scalar_bits(uint8_t *sign, uint8_t *digit,
uint8_t in) {
uint8_t s, d;
@@ -106,4 +106,4 @@
*digit = d;
}
-#endif /* 64_BIT && !WINDOWS */
+#endif // 64_BIT && !WINDOWS
diff --git a/src/crypto/fipsmodule/ec/wnaf.c b/src/crypto/fipsmodule/ec/wnaf.c
index f009469..0e3ee13 100644
--- a/src/crypto/fipsmodule/ec/wnaf.c
+++ b/src/crypto/fipsmodule/ec/wnaf.c
@@ -78,19 +78,18 @@
#include "../../internal.h"
-/* This file implements the wNAF-based interleaving multi-exponentiation method
- * at:
- * http://link.springer.com/chapter/10.1007%2F3-540-45537-X_13
- * http://www.bmoeller.de/pdf/TI-01-08.multiexp.pdf */
+// This file implements the wNAF-based interleaving multi-exponentiation method
+// at:
+// http://link.springer.com/chapter/10.1007%2F3-540-45537-X_13
+// http://www.bmoeller.de/pdf/TI-01-08.multiexp.pdf
-/* Determine the modified width-(w+1) Non-Adjacent Form (wNAF) of 'scalar'.
- * This is an array r[] of values that are either zero or odd with an
- * absolute value less than 2^w satisfying
- * scalar = \sum_j r[j]*2^j
- * where at most one of any w+1 consecutive digits is non-zero
- * with the exception that the most significant digit may be only
- * w-1 zeros away from that next non-zero digit.
- */
+// Determine the modified width-(w+1) Non-Adjacent Form (wNAF) of 'scalar'.
+// This is an array r[] of values that are either zero or odd with an
+// absolute value less than 2^w satisfying
+// scalar = \sum_j r[j]*2^j
+// where at most one of any w+1 consecutive digits is non-zero
+// with the exception that the most significant digit may be only
+// w-1 zeros away from that next non-zero digit.
static int8_t *compute_wNAF(const BIGNUM *scalar, int w, size_t *ret_len) {
int window_val;
int ok = 0;
@@ -110,14 +109,14 @@
return r;
}
- /* 'int8_t' can represent integers with absolute values less than 2^7. */
+ // 'int8_t' can represent integers with absolute values less than 2^7.
if (w <= 0 || w > 7) {
OPENSSL_PUT_ERROR(EC, ERR_R_INTERNAL_ERROR);
goto err;
}
- bit = 1 << w; /* at most 128 */
- next_bit = bit << 1; /* at most 256 */
- mask = next_bit - 1; /* at most 255 */
+ bit = 1 << w; // at most 128
+ next_bit = bit << 1; // at most 256
+ mask = next_bit - 1; // at most 255
if (BN_is_negative(scalar)) {
sign = -1;
@@ -129,9 +128,9 @@
}
len = BN_num_bits(scalar);
- /* The modified wNAF may be one digit longer than binary representation
- * (*ret_len will be set to the actual length, i.e. at most
- * BN_num_bits(scalar) + 1). */
+ // The modified wNAF may be one digit longer than binary representation
+ // (*ret_len will be set to the actual length, i.e. at most
+ // BN_num_bits(scalar) + 1).
r = OPENSSL_malloc(len + 1);
if (r == NULL) {
OPENSSL_PUT_ERROR(EC, ERR_R_MALLOC_FAILURE);
@@ -139,30 +138,30 @@
}
window_val = scalar->d[0] & mask;
j = 0;
- /* If j+w+1 >= len, window_val will not increase. */
+ // If j+w+1 >= len, window_val will not increase.
while (window_val != 0 || j + w + 1 < len) {
int digit = 0;
- /* 0 <= window_val <= 2^(w+1) */
+ // 0 <= window_val <= 2^(w+1)
if (window_val & 1) {
- /* 0 < window_val < 2^(w+1) */
+ // 0 < window_val < 2^(w+1)
if (window_val & bit) {
- digit = window_val - next_bit; /* -2^w < digit < 0 */
+ digit = window_val - next_bit; // -2^w < digit < 0
-#if 1 /* modified wNAF */
+#if 1 // modified wNAF
if (j + w + 1 >= len) {
- /* special case for generating modified wNAFs:
- * no new bits will be added into window_val,
- * so using a positive digit here will decrease
- * the total length of the representation */
+ // special case for generating modified wNAFs:
+ // no new bits will be added into window_val,
+ // so using a positive digit here will decrease
+ // the total length of the representation
- digit = window_val & (mask >> 1); /* 0 < digit < 2^w */
+ digit = window_val & (mask >> 1); // 0 < digit < 2^w
}
#endif
} else {
- digit = window_val; /* 0 < digit < 2^w */
+ digit = window_val; // 0 < digit < 2^w
}
if (digit <= -bit || digit >= bit || !(digit & 1)) {
@@ -172,8 +171,8 @@
window_val -= digit;
- /* Now window_val is 0 or 2^(w+1) in standard wNAF generation;
- * for modified window NAFs, it may also be 2^w. */
+ // Now window_val is 0 or 2^(w+1) in standard wNAF generation;
+ // for modified window NAFs, it may also be 2^w.
if (window_val != 0 && window_val != next_bit && window_val != bit) {
OPENSSL_PUT_ERROR(EC, ERR_R_INTERNAL_ERROR);
goto err;
@@ -210,10 +209,9 @@
}
-/* TODO: table should be optimised for the wNAF-based implementation,
- * sometimes smaller windows will give better performance
- * (thus the boundaries should be increased)
- */
+// TODO: table should be optimised for the wNAF-based implementation,
+// sometimes smaller windows will give better performance
+// (thus the boundaries should be increased)
static size_t window_bits_for_scalar_size(size_t b) {
if (b >= 2000) {
return 6;
@@ -248,14 +246,14 @@
int k;
int r_is_inverted = 0;
int r_is_at_infinity = 1;
- size_t *wsize = NULL; /* individual window sizes */
- int8_t **wNAF = NULL; /* individual wNAFs */
+ size_t *wsize = NULL; // individual window sizes
+ int8_t **wNAF = NULL; // individual wNAFs
size_t *wNAF_len = NULL;
size_t max_len = 0;
size_t num_val = 0;
- EC_POINT **val = NULL; /* precomputation */
+ EC_POINT **val = NULL; // precomputation
EC_POINT **v;
- EC_POINT ***val_sub = NULL; /* pointers to sub-arrays of 'val' */
+ EC_POINT ***val_sub = NULL; // pointers to sub-arrays of 'val'
int ret = 0;
if (ctx == NULL) {
@@ -265,9 +263,9 @@
}
}
- /* TODO: This function used to take |points| and |scalars| as arrays of
- * |num| elements. The code below should be simplified to work in terms of |p|
- * and |p_scalar|. */
+ // TODO: This function used to take |points| and |scalars| as arrays of
+ // |num| elements. The code below should be simplified to work in terms of |p|
+ // and |p_scalar|.
size_t num = p != NULL ? 1 : 0;
const EC_POINT **points = p != NULL ? &p : NULL;
const BIGNUM **scalars = p != NULL ? &p_scalar : NULL;
@@ -281,7 +279,7 @@
goto err;
}
- ++total_num; /* treat 'g_scalar' like 'num'-th element of 'scalars' */
+ ++total_num; // treat 'g_scalar' like 'num'-th element of 'scalars'
}
@@ -290,7 +288,7 @@
wNAF = OPENSSL_malloc(total_num * sizeof(wNAF[0]));
val_sub = OPENSSL_malloc(total_num * sizeof(val_sub[0]));
- /* Ensure wNAF is initialised in case we end up going to err. */
+ // Ensure wNAF is initialised in case we end up going to err.
if (wNAF != NULL) {
OPENSSL_memset(wNAF, 0, total_num * sizeof(wNAF[0]));
}
@@ -300,7 +298,7 @@
goto err;
}
- /* num_val will be the total number of temporarily precomputed points */
+ // num_val will be the total number of temporarily precomputed points
num_val = 0;
for (i = 0; i < total_num; i++) {
@@ -319,8 +317,8 @@
}
}
- /* All points we precompute now go into a single array 'val'. 'val_sub[i]' is
- * a pointer to the subarray for the i-th point. */
+ // All points we precompute now go into a single array 'val'. 'val_sub[i]' is
+ // a pointer to the subarray for the i-th point.
val = OPENSSL_malloc(num_val * sizeof(val[0]));
if (val == NULL) {
OPENSSL_PUT_ERROR(EC, ERR_R_MALLOC_FAILURE);
@@ -328,7 +326,7 @@
}
OPENSSL_memset(val, 0, num_val * sizeof(val[0]));
- /* allocate points for precomputation */
+ // allocate points for precomputation
v = val;
for (i = 0; i < total_num; i++) {
val_sub[i] = v;
@@ -349,12 +347,11 @@
goto err;
}
- /* prepare precomputed values:
- * val_sub[i][0] := points[i]
- * val_sub[i][1] := 3 * points[i]
- * val_sub[i][2] := 5 * points[i]
- * ...
- */
+ // prepare precomputed values:
+ // val_sub[i][0] := points[i]
+ // val_sub[i][1] := 3 * points[i]
+ // val_sub[i][2] := 5 * points[i]
+ // ...
for (i = 0; i < total_num; i++) {
if (i < num) {
if (!EC_POINT_copy(val_sub[i][0], points[i])) {
@@ -376,7 +373,7 @@
}
}
-#if 1 /* optional; window_bits_for_scalar_size assumes we do this step */
+#if 1 // optional; window_bits_for_scalar_size assumes we do this step
if (!EC_POINTs_make_affine(group, num_val, val, ctx)) {
goto err;
}
@@ -408,7 +405,7 @@
r_is_inverted = !r_is_inverted;
}
- /* digit > 0 */
+ // digit > 0
if (r_is_at_infinity) {
if (!EC_POINT_copy(r, val_sub[i][digit >> 1])) {
diff --git a/src/crypto/fipsmodule/ecdsa/ecdsa.c b/src/crypto/fipsmodule/ecdsa/ecdsa.c
index 9e719f2..dfa3b67 100644
--- a/src/crypto/fipsmodule/ecdsa/ecdsa.c
+++ b/src/crypto/fipsmodule/ecdsa/ecdsa.c
@@ -64,16 +64,16 @@
#include "../../internal.h"
-/* digest_to_bn interprets |digest_len| bytes from |digest| as a big-endian
- * number and sets |out| to that value. It then truncates |out| so that it's,
- * at most, as long as |order|. It returns one on success and zero otherwise. */
+// digest_to_bn interprets |digest_len| bytes from |digest| as a big-endian
+// number and sets |out| to that value. It then truncates |out| so that it's,
+// at most, as long as |order|. It returns one on success and zero otherwise.
static int digest_to_bn(BIGNUM *out, const uint8_t *digest, size_t digest_len,
const BIGNUM *order) {
size_t num_bits;
num_bits = BN_num_bits(order);
- /* Need to truncate digest if it is too long: first truncate whole
- * bytes. */
+ // Need to truncate digest if it is too long: first truncate whole
+ // bytes.
if (8 * digest_len > num_bits) {
digest_len = (num_bits + 7) / 8;
}
@@ -82,7 +82,7 @@
return 0;
}
- /* If still too long truncate remaining bits with a shift */
+ // If still too long truncate remaining bits with a shift
if ((8 * digest_len > num_bits) &&
!BN_rshift(out, out, 8 - (num_bits & 0x7))) {
OPENSSL_PUT_ERROR(ECDSA, ERR_R_BN_LIB);
@@ -130,7 +130,7 @@
const EC_GROUP *group;
const EC_POINT *pub_key;
- /* check input values */
+ // check input values
if ((group = EC_KEY_get0_group(eckey)) == NULL ||
(pub_key = EC_KEY_get0_public_key(eckey)) == NULL ||
sig == NULL) {
@@ -160,7 +160,7 @@
OPENSSL_PUT_ERROR(ECDSA, ECDSA_R_BAD_SIGNATURE);
goto err;
}
- /* calculate tmp1 = inv(S) mod order */
+ // calculate tmp1 = inv(S) mod order
int no_inverse;
if (!BN_mod_inverse_odd(u2, &no_inverse, sig->s, order, ctx)) {
OPENSSL_PUT_ERROR(ECDSA, ERR_R_BN_LIB);
@@ -169,12 +169,12 @@
if (!digest_to_bn(m, digest, digest_len, order)) {
goto err;
}
- /* u1 = m * tmp mod order */
+ // u1 = m * tmp mod order
if (!BN_mod_mul(u1, m, u2, order, ctx)) {
OPENSSL_PUT_ERROR(ECDSA, ERR_R_BN_LIB);
goto err;
}
- /* u2 = r * w mod q */
+ // u2 = r * w mod q
if (!BN_mod_mul(u2, sig->r, u2, order, ctx)) {
OPENSSL_PUT_ERROR(ECDSA, ERR_R_BN_LIB);
goto err;
@@ -197,7 +197,7 @@
OPENSSL_PUT_ERROR(ECDSA, ERR_R_BN_LIB);
goto err;
}
- /* if the signature is correct u1 is equal to sig->r */
+ // if the signature is correct u1 is equal to sig->r
if (BN_ucmp(u1, sig->r) != 0) {
OPENSSL_PUT_ERROR(ECDSA, ECDSA_R_BAD_SIGNATURE);
goto err;
@@ -236,8 +236,8 @@
}
k = BN_new();
- kinv = BN_new(); /* this value is later returned in *kinvp */
- r = BN_new(); /* this value is later returned in *rp */
+ kinv = BN_new(); // this value is later returned in *kinvp
+ r = BN_new(); // this value is later returned in *rp
tmp = BN_new();
if (k == NULL || kinv == NULL || r == NULL || tmp == NULL) {
OPENSSL_PUT_ERROR(ECDSA, ERR_R_MALLOC_FAILURE);
@@ -251,17 +251,17 @@
const BIGNUM *order = EC_GROUP_get0_order(group);
- /* Check that the size of the group order is FIPS compliant (FIPS 186-4
- * B.5.2). */
+ // Check that the size of the group order is FIPS compliant (FIPS 186-4
+ // B.5.2).
if (BN_num_bits(order) < 160) {
OPENSSL_PUT_ERROR(ECDSA, EC_R_INVALID_GROUP_ORDER);
goto err;
}
do {
- /* If possible, we'll include the private key and message digest in the k
- * generation. The |digest| argument is only empty if |ECDSA_sign_setup| is
- * being used. */
+ // If possible, we'll include the private key and message digest in the k
+ // generation. The |digest| argument is only empty if |ECDSA_sign_setup| is
+ // being used.
if (eckey->fixed_k != NULL) {
if (!BN_copy(k, eckey->fixed_k)) {
goto err;
@@ -279,18 +279,18 @@
goto err;
}
- /* Compute the inverse of k. The order is a prime, so use Fermat's Little
- * Theorem. Note |ec_group_get_mont_data| may return NULL but
- * |bn_mod_inverse_prime| allows this. */
+ // Compute the inverse of k. The order is a prime, so use Fermat's Little
+ // Theorem. Note |ec_group_get_order_mont| may return NULL but
+ // |bn_mod_inverse_prime| allows this.
if (!bn_mod_inverse_prime(kinv, k, order, ctx,
- ec_group_get_mont_data(group))) {
+ ec_group_get_order_mont(group))) {
OPENSSL_PUT_ERROR(ECDSA, ERR_R_BN_LIB);
goto err;
}
- /* We do not want timing information to leak the length of k,
- * so we compute G*k using an equivalent scalar of fixed
- * bit-length. */
+ // We do not want timing information to leak the length of k,
+ // so we compute G*k using an equivalent scalar of fixed
+ // bit-length.
if (!BN_add(k, k, order)) {
goto err;
@@ -301,7 +301,7 @@
}
}
- /* compute r the x-coordinate of generator * k */
+ // compute r the x-coordinate of generator * k
if (!EC_POINT_mul(group, tmp_point, k, NULL, NULL, ctx)) {
OPENSSL_PUT_ERROR(ECDSA, ERR_R_EC_LIB);
goto err;
@@ -318,11 +318,11 @@
}
} while (BN_is_zero(r));
- /* clear old values if necessary */
+ // clear old values if necessary
BN_clear_free(*rp);
BN_clear_free(*kinvp);
- /* save the pre-computed values */
+ // save the pre-computed values
*rp = r;
*kinvp = kinv;
ret = 1;
@@ -417,14 +417,14 @@
goto err;
}
if (BN_is_zero(s)) {
- /* if kinv and r have been supplied by the caller
- * don't to generate new kinv and r values */
+ // if kinv and r have been supplied by the caller
+ // don't to generate new kinv and r values
if (in_kinv != NULL && in_r != NULL) {
OPENSSL_PUT_ERROR(ECDSA, ECDSA_R_NEED_NEW_SETUP_VALUES);
goto err;
}
} else {
- /* s != 0 => we have a valid signature */
+ // s != 0 => we have a valid signature
break;
}
}
diff --git a/src/crypto/fipsmodule/ecdsa/ecdsa_test.cc b/src/crypto/fipsmodule/ecdsa/ecdsa_test.cc
index e1f109b..de4bc48 100644
--- a/src/crypto/fipsmodule/ecdsa/ecdsa_test.cc
+++ b/src/crypto/fipsmodule/ecdsa/ecdsa_test.cc
@@ -242,13 +242,13 @@
SCOPED_TRACE(bits);
size_t order_len = BitsToBytes(bits);
- /* Create the largest possible |ECDSA_SIG| of the given constraints. */
+ // Create the largest possible |ECDSA_SIG| of the given constraints.
bssl::UniquePtr<ECDSA_SIG> sig(ECDSA_SIG_new());
ASSERT_TRUE(sig);
std::vector<uint8_t> bytes(order_len, 0xff);
ASSERT_TRUE(BN_bin2bn(bytes.data(), bytes.size(), sig->r));
ASSERT_TRUE(BN_bin2bn(bytes.data(), bytes.size(), sig->s));
- /* Serialize it. */
+ // Serialize it.
uint8_t *der;
size_t der_len;
ASSERT_TRUE(ECDSA_SIG_to_bytes(&der, &der_len, sig.get()));
diff --git a/src/crypto/fipsmodule/hmac/hmac.c b/src/crypto/fipsmodule/hmac/hmac.c
index 3292350..5c098db 100644
--- a/src/crypto/fipsmodule/hmac/hmac.c
+++ b/src/crypto/fipsmodule/hmac/hmac.c
@@ -100,13 +100,13 @@
md = ctx->md;
}
- /* If either |key| is non-NULL or |md| has changed, initialize with a new key
- * rather than rewinding the previous one.
- *
- * TODO(davidben,eroman): Passing the previous |md| with a NULL |key| is
- * ambiguous between using the empty key and reusing the previous key. There
- * exist callers which intend the latter, but the former is an awkward edge
- * case. Fix to API to avoid this. */
+ // If either |key| is non-NULL or |md| has changed, initialize with a new key
+ // rather than rewinding the previous one.
+ //
+ // TODO(davidben,eroman): Passing the previous |md| with a NULL |key| is
+ // ambiguous between using the empty key and reusing the previous key. There
+ // exist callers which intend the latter, but the former is an awkward edge
+ // case. Fix to API to avoid this.
if (md != ctx->md || key != NULL) {
uint8_t pad[EVP_MAX_MD_BLOCK_SIZE];
uint8_t key_block[EVP_MAX_MD_BLOCK_SIZE];
@@ -115,7 +115,7 @@
size_t block_size = EVP_MD_block_size(md);
assert(block_size <= sizeof(key_block));
if (block_size < key_len) {
- /* Long keys are hashed. */
+ // Long keys are hashed.
if (!EVP_DigestInit_ex(&ctx->md_ctx, md, impl) ||
!EVP_DigestUpdate(&ctx->md_ctx, key, key_len) ||
!EVP_DigestFinal_ex(&ctx->md_ctx, key_block, &key_block_len)) {
@@ -126,7 +126,7 @@
OPENSSL_memcpy(key_block, key, key_len);
key_block_len = (unsigned)key_len;
}
- /* Keys are then padded with zeros. */
+ // Keys are then padded with zeros.
if (key_block_len != EVP_MAX_MD_BLOCK_SIZE) {
OPENSSL_memset(&key_block[key_block_len], 0, sizeof(key_block) - key_block_len);
}
@@ -165,8 +165,8 @@
unsigned int i;
uint8_t buf[EVP_MAX_MD_SIZE];
- /* TODO(davidben): The only thing that can officially fail here is
- * |EVP_MD_CTX_copy_ex|, but even that should be impossible in this case. */
+ // TODO(davidben): The only thing that can officially fail here is
+ // |EVP_MD_CTX_copy_ex|, but even that should be impossible in this case.
if (!EVP_DigestFinal_ex(&ctx->md_ctx, buf, &i) ||
!EVP_MD_CTX_copy_ex(&ctx->md_ctx, &ctx->o_ctx) ||
!EVP_DigestUpdate(&ctx->md_ctx, buf, i) ||
diff --git a/src/crypto/fipsmodule/is_fips.c b/src/crypto/fipsmodule/is_fips.c
index bff1a05..4182dfb 100644
--- a/src/crypto/fipsmodule/is_fips.c
+++ b/src/crypto/fipsmodule/is_fips.c
@@ -15,8 +15,8 @@
#include <openssl/crypto.h>
-/* This file exists in order to give the fipsmodule target, in non-FIPS mode,
- * something to compile. */
+// This file exists in order to give the fipsmodule target, in non-FIPS mode,
+// something to compile.
int FIPS_mode(void) {
#if defined(BORINGSSL_FIPS) && !defined(OPENSSL_ASAN)
diff --git a/src/crypto/fipsmodule/md4/md4.c b/src/crypto/fipsmodule/md4/md4.c
index 3028c8b..f0c1dcd 100644
--- a/src/crypto/fipsmodule/md4/md4.c
+++ b/src/crypto/fipsmodule/md4/md4.c
@@ -71,7 +71,7 @@
return out;
}
-/* Implemented from RFC1186 The MD4 Message-Digest Algorithm. */
+// Implemented from RFC1186 The MD4 Message-Digest Algorithm.
int MD4_Init(MD4_CTX *md4) {
OPENSSL_memset(md4, 0, sizeof(MD4_CTX));
@@ -107,9 +107,9 @@
#include "../digest/md32_common.h"
-/* As pointed out by Wei Dai <weidai@eskimo.com>, the above can be
- * simplified to the code below. Wei attributes these optimizations
- * to Peter Gutmann's SHS code, and he attributes it to Rich Schroeppel. */
+// As pointed out by Wei Dai <weidai@eskimo.com>, the above can be
+// simplified to the code below. Wei attributes these optimizations
+// to Peter Gutmann's SHS code, and he attributes it to Rich Schroeppel.
#define F(b, c, d) ((((c) ^ (d)) & (b)) ^ (d))
#define G(b, c, d) (((b) & (c)) | ((b) & (d)) | ((c) & (d)))
#define H(b, c, d) ((b) ^ (c) ^ (d))
@@ -148,7 +148,7 @@
X0 = l;
HOST_c2l(data, l);
X1 = l;
- /* Round 0 */
+ // Round 0
R0(A, B, C, D, X0, 3, 0);
HOST_c2l(data, l);
X2 = l;
@@ -193,7 +193,7 @@
X15 = l;
R0(C, D, A, B, X14, 11, 0);
R0(B, C, D, A, X15, 19, 0);
- /* Round 1 */
+ // Round 1
R1(A, B, C, D, X0, 3, 0x5A827999L);
R1(D, A, B, C, X4, 5, 0x5A827999L);
R1(C, D, A, B, X8, 9, 0x5A827999L);
@@ -210,7 +210,7 @@
R1(D, A, B, C, X7, 5, 0x5A827999L);
R1(C, D, A, B, X11, 9, 0x5A827999L);
R1(B, C, D, A, X15, 13, 0x5A827999L);
- /* Round 2 */
+ // Round 2
R2(A, B, C, D, X0, 3, 0x6ED9EBA1L);
R2(D, A, B, C, X8, 9, 0x6ED9EBA1L);
R2(C, D, A, B, X4, 11, 0x6ED9EBA1L);
diff --git a/src/crypto/fipsmodule/md5/md5.c b/src/crypto/fipsmodule/md5/md5.c
index 15a0f53..32429da 100644
--- a/src/crypto/fipsmodule/md5/md5.c
+++ b/src/crypto/fipsmodule/md5/md5.c
@@ -113,10 +113,9 @@
#include "../digest/md32_common.h"
-/* As pointed out by Wei Dai <weidai@eskimo.com>, the above can be
- * simplified to the code below. Wei attributes these optimizations
- * to Peter Gutmann's SHS code, and he attributes it to Rich Schroeppel.
- */
+// As pointed out by Wei Dai <weidai@eskimo.com>, the above can be
+// simplified to the code below. Wei attributes these optimizations
+// to Peter Gutmann's SHS code, and he attributes it to Rich Schroeppel.
#define F(b, c, d) ((((c) ^ (d)) & (b)) ^ (d))
#define G(b, c, d) ((((b) ^ (c)) & (d)) ^ (c))
#define H(b, c, d) ((b) ^ (c) ^ (d))
@@ -172,7 +171,7 @@
X(0) = l;
HOST_c2l(data, l);
X(1) = l;
- /* Round 0 */
+ // Round 0
R0(A, B, C, D, X(0), 7, 0xd76aa478L);
HOST_c2l(data, l);
X(2) = l;
@@ -217,7 +216,7 @@
X(15) = l;
R0(C, D, A, B, X(14), 17, 0xa679438eL);
R0(B, C, D, A, X(15), 22, 0x49b40821L);
- /* Round 1 */
+ // Round 1
R1(A, B, C, D, X(1), 5, 0xf61e2562L);
R1(D, A, B, C, X(6), 9, 0xc040b340L);
R1(C, D, A, B, X(11), 14, 0x265e5a51L);
@@ -234,7 +233,7 @@
R1(D, A, B, C, X(2), 9, 0xfcefa3f8L);
R1(C, D, A, B, X(7), 14, 0x676f02d9L);
R1(B, C, D, A, X(12), 20, 0x8d2a4c8aL);
- /* Round 2 */
+ // Round 2
R2(A, B, C, D, X(5), 4, 0xfffa3942L);
R2(D, A, B, C, X(8), 11, 0x8771f681L);
R2(C, D, A, B, X(11), 16, 0x6d9d6122L);
@@ -251,7 +250,7 @@
R2(D, A, B, C, X(12), 11, 0xe6db99e5L);
R2(C, D, A, B, X(15), 16, 0x1fa27cf8L);
R2(B, C, D, A, X(2), 23, 0xc4ac5665L);
- /* Round 3 */
+ // Round 3
R3(A, B, C, D, X(0), 6, 0xf4292244L);
R3(D, A, B, C, X(7), 10, 0x432aff97L);
R3(C, D, A, B, X(14), 15, 0xab9423a7L);
diff --git a/src/crypto/fipsmodule/modes/cbc.c b/src/crypto/fipsmodule/modes/cbc.c
index 12d551c..4b3bdb8 100644
--- a/src/crypto/fipsmodule/modes/cbc.c
+++ b/src/crypto/fipsmodule/modes/cbc.c
@@ -120,12 +120,12 @@
const uintptr_t inptr = (uintptr_t) in;
const uintptr_t outptr = (uintptr_t) out;
- /* If |in| and |out| alias, |in| must be ahead. */
+ // If |in| and |out| alias, |in| must be ahead.
assert(inptr >= outptr || inptr + len <= outptr);
if ((inptr >= 32 && outptr <= inptr - 32) || inptr < outptr) {
- /* If |out| is at least two blocks behind |in| or completely disjoint, there
- * is no need to decrypt to a temporary block. */
+ // If |out| is at least two blocks behind |in| or completely disjoint, there
+ // is no need to decrypt to a temporary block.
const uint8_t *iv = ivec;
if (STRICT_ALIGNMENT &&
@@ -140,7 +140,7 @@
in += 16;
out += 16;
}
- } else if (16 % sizeof(size_t) == 0) { /* always true */
+ } else if (16 % sizeof(size_t) == 0) { // always true
while (len >= 16) {
size_t *out_t = (size_t *)out, *iv_t = (size_t *)iv;
@@ -156,9 +156,9 @@
}
OPENSSL_memcpy(ivec, iv, 16);
} else {
- /* |out| is less than two blocks behind |in|. Decrypting an input block
- * directly to |out| would overwrite a ciphertext block before it is used as
- * the next block's IV. Decrypt to a temporary block instead. */
+ // |out| is less than two blocks behind |in|. Decrypting an input block
+ // directly to |out| would overwrite a ciphertext block before it is used as
+ // the next block's IV. Decrypt to a temporary block instead.
if (STRICT_ALIGNMENT &&
((size_t)in | (size_t)out | (size_t)ivec) % sizeof(size_t) != 0) {
uint8_t c;
@@ -173,7 +173,7 @@
in += 16;
out += 16;
}
- } else if (16 % sizeof(size_t) == 0) { /* always true */
+ } else if (16 % sizeof(size_t) == 0) { // always true
while (len >= 16) {
size_t c, *out_t = (size_t *)out, *ivec_t = (size_t *)ivec;
const size_t *in_t = (const size_t *)in;
diff --git a/src/crypto/fipsmodule/modes/cfb.c b/src/crypto/fipsmodule/modes/cfb.c
index 836eb3f..2775d19 100644
--- a/src/crypto/fipsmodule/modes/cfb.c
+++ b/src/crypto/fipsmodule/modes/cfb.c
@@ -166,23 +166,23 @@
return;
}
- /* fill in the first half of the new IV with the current IV */
+ // fill in the first half of the new IV with the current IV
OPENSSL_memcpy(ovec, ivec, 16);
- /* construct the new IV */
+ // construct the new IV
(*block)(ivec, ivec, key);
num = (nbits + 7) / 8;
if (enc) {
- /* encrypt the input */
+ // encrypt the input
for (n = 0; n < num; ++n) {
out[n] = (ovec[16 + n] = in[n] ^ ivec[n]);
}
} else {
- /* decrypt the input */
+ // decrypt the input
for (n = 0; n < num; ++n) {
out[n] = (ovec[16 + n] = in[n]) ^ ivec[n];
}
}
- /* shift ovec left... */
+ // shift ovec left...
rem = nbits % 8;
num = nbits / 8;
if (rem == 0) {
@@ -193,10 +193,10 @@
}
}
- /* it is not necessary to cleanse ovec, since the IV is not secret */
+ // it is not necessary to cleanse ovec, since the IV is not secret
}
-/* N.B. This expects the input to be packed, MS bit first */
+// N.B. This expects the input to be packed, MS bit first
void CRYPTO_cfb128_1_encrypt(const uint8_t *in, uint8_t *out, size_t bits,
const void *key, uint8_t ivec[16], unsigned *num,
int enc, block128_f block) {
diff --git a/src/crypto/fipsmodule/modes/ctr.c b/src/crypto/fipsmodule/modes/ctr.c
index a191f39..5a97cf6 100644
--- a/src/crypto/fipsmodule/modes/ctr.c
+++ b/src/crypto/fipsmodule/modes/ctr.c
@@ -54,10 +54,10 @@
#include "internal.h"
-/* NOTE: the IV/counter CTR mode is big-endian. The code itself
- * is endian-neutral. */
+// NOTE: the IV/counter CTR mode is big-endian. The code itself
+// is endian-neutral.
-/* increment counter (128-bit int) by 1 */
+// increment counter (128-bit int) by 1
static void ctr128_inc(uint8_t *counter) {
uint32_t n = 16, c = 1;
@@ -71,16 +71,16 @@
OPENSSL_COMPILE_ASSERT((16 % sizeof(size_t)) == 0, bad_size_t_size_ctr);
-/* The input encrypted as though 128bit counter mode is being used. The extra
- * state information to record how much of the 128bit block we have used is
- * contained in *num, and the encrypted counter is kept in ecount_buf. Both
- * *num and ecount_buf must be initialised with zeros before the first call to
- * CRYPTO_ctr128_encrypt().
- *
- * This algorithm assumes that the counter is in the x lower bits of the IV
- * (ivec), and that the application has full control over overflow and the rest
- * of the IV. This implementation takes NO responsibility for checking that
- * the counter doesn't overflow into the rest of the IV when incremented. */
+// The input encrypted as though 128bit counter mode is being used. The extra
+// state information to record how much of the 128bit block we have used is
+// contained in *num, and the encrypted counter is kept in ecount_buf. Both
+// *num and ecount_buf must be initialised with zeros before the first call to
+// CRYPTO_ctr128_encrypt().
+//
+// This algorithm assumes that the counter is in the x lower bits of the IV
+// (ivec), and that the application has full control over overflow and the rest
+// of the IV. This implementation takes NO responsibility for checking that
+// the counter doesn't overflow into the rest of the IV when incremented.
void CRYPTO_ctr128_encrypt(const uint8_t *in, uint8_t *out, size_t len,
const void *key, uint8_t ivec[16],
uint8_t ecount_buf[16], unsigned int *num,
@@ -140,7 +140,7 @@
*num = n;
}
-/* increment upper 96 bits of 128-bit counter by 1 */
+// increment upper 96 bits of 128-bit counter by 1
static void ctr96_inc(uint8_t *counter) {
uint32_t n = 12, c = 1;
@@ -174,25 +174,25 @@
ctr32 = GETU32(ivec + 12);
while (len >= 16) {
size_t blocks = len / 16;
- /* 1<<28 is just a not-so-small yet not-so-large number...
- * Below condition is practically never met, but it has to
- * be checked for code correctness. */
+ // 1<<28 is just a not-so-small yet not-so-large number...
+ // Below condition is practically never met, but it has to
+ // be checked for code correctness.
if (sizeof(size_t) > sizeof(unsigned int) && blocks > (1U << 28)) {
blocks = (1U << 28);
}
- /* As (*func) operates on 32-bit counter, caller
- * has to handle overflow. 'if' below detects the
- * overflow, which is then handled by limiting the
- * amount of blocks to the exact overflow point... */
+ // As (*func) operates on 32-bit counter, caller
+ // has to handle overflow. 'if' below detects the
+ // overflow, which is then handled by limiting the
+ // amount of blocks to the exact overflow point...
ctr32 += (uint32_t)blocks;
if (ctr32 < blocks) {
blocks -= ctr32;
ctr32 = 0;
}
(*func)(in, out, blocks, key, ivec);
- /* (*func) does not update ivec, caller does: */
+ // (*func) does not update ivec, caller does:
PUTU32(ivec + 12, ctr32);
- /* ... overflow was detected, propogate carry. */
+ // ... overflow was detected, propogate carry.
if (ctr32 == 0) {
ctr96_inc(ivec);
}
diff --git a/src/crypto/fipsmodule/modes/gcm.c b/src/crypto/fipsmodule/modes/gcm.c
index 47b093f..bb5be54 100644
--- a/src/crypto/fipsmodule/modes/gcm.c
+++ b/src/crypto/fipsmodule/modes/gcm.c
@@ -177,11 +177,11 @@
Xi[1] = CRYPTO_bswap8(Z.lo);
}
-/* Streamed gcm_mult_4bit, see CRYPTO_gcm128_[en|de]crypt for
- * details... Compiler-generated code doesn't seem to give any
- * performance improvement, at least not on x86[_64]. It's here
- * mostly as reference and a placeholder for possible future
- * non-trivial optimization[s]... */
+// Streamed gcm_mult_4bit, see CRYPTO_gcm128_[en|de]crypt for
+// details... Compiler-generated code doesn't seem to give any
+// performance improvement, at least not on x86[_64]. It's here
+// mostly as reference and a placeholder for possible future
+// non-trivial optimization[s]...
static void gcm_ghash_4bit(uint64_t Xi[2], const u128 Htable[16],
const uint8_t *inp, size_t len) {
u128 Z;
@@ -237,7 +237,7 @@
Xi[1] = CRYPTO_bswap8(Z.lo);
} while (inp += 16, len -= 16);
}
-#else /* GHASH_ASM */
+#else // GHASH_ASM
void gcm_gmult_4bit(uint64_t Xi[2], const u128 Htable[16]);
void gcm_ghash_4bit(uint64_t Xi[2], const u128 Htable[16], const uint8_t *inp,
size_t len);
@@ -246,9 +246,9 @@
#define GCM_MUL(ctx, Xi) gcm_gmult_4bit((ctx)->Xi.u, (ctx)->Htable)
#if defined(GHASH_ASM)
#define GHASH(ctx, in, len) gcm_ghash_4bit((ctx)->Xi.u, (ctx)->Htable, in, len)
-/* GHASH_CHUNK is "stride parameter" missioned to mitigate cache
- * trashing effect. In other words idea is to hash data while it's
- * still in L1 cache after encryption pass... */
+// GHASH_CHUNK is "stride parameter" missioned to mitigate cache
+// trashing effect. In other words idea is to hash data while it's
+// still in L1 cache after encryption pass...
#define GHASH_CHUNK (3 * 1024)
#endif
@@ -298,7 +298,7 @@
size_t len);
#if defined(OPENSSL_ARM)
-/* 32-bit ARM also has support for doing GCM with NEON instructions. */
+// 32-bit ARM also has support for doing GCM with NEON instructions.
static int neon_capable(void) {
return CRYPTO_is_NEON_capable();
}
@@ -308,7 +308,7 @@
void gcm_ghash_neon(uint64_t Xi[2], const u128 Htable[16], const uint8_t *inp,
size_t len);
#else
-/* AArch64 only has the ARMv8 versions of functions. */
+// AArch64 only has the ARMv8 versions of functions.
static int neon_capable(void) {
return 0;
}
@@ -357,7 +357,7 @@
OPENSSL_memcpy(H.c, gcm_key, 16);
- /* H is stored in host byte order */
+ // H is stored in host byte order
H.u[0] = CRYPTO_bswap8(H.u[0]);
H.u[1] = CRYPTO_bswap8(H.u[1]);
@@ -365,7 +365,7 @@
#if defined(GHASH_ASM_X86_64)
if (crypto_gcm_clmul_enabled()) {
- if (((OPENSSL_ia32cap_get()[1] >> 22) & 0x41) == 0x41) { /* AVX+MOVBE */
+ if (((OPENSSL_ia32cap_get()[1] >> 22) & 0x41) == 0x41) { // AVX+MOVBE
gcm_init_avx(out_table, H.u);
*out_mult = gcm_gmult_avx;
*out_hash = gcm_ghash_avx;
@@ -444,8 +444,8 @@
ctx->Yi.u[1] = 0;
ctx->Xi.u[0] = 0;
ctx->Xi.u[1] = 0;
- ctx->len.u[0] = 0; /* AAD length */
- ctx->len.u[1] = 0; /* message length */
+ ctx->len.u[0] = 0; // AAD length
+ ctx->len.u[1] = 0; // message length
ctx->ares = 0;
ctx->mres = 0;
@@ -518,7 +518,7 @@
}
}
- /* Process a whole number of blocks. */
+ // Process a whole number of blocks.
#ifdef GHASH
size_t len_blocks = len & kSizeTWithoutLower4Bits;
if (len_blocks != 0) {
@@ -537,7 +537,7 @@
}
#endif
- /* Process the remainder. */
+ // Process the remainder.
if (len != 0) {
n = (unsigned int)len;
for (size_t i = 0; i < len; ++i) {
@@ -571,7 +571,7 @@
ctx->len.u[1] = mlen;
if (ctx->ares) {
- /* First call to encrypt finalizes GHASH(AAD) */
+ // First call to encrypt finalizes GHASH(AAD)
GCM_MUL(ctx, Xi);
ctx->ares = 0;
}
@@ -701,7 +701,7 @@
ctx->len.u[1] = mlen;
if (ctx->ares) {
- /* First call to decrypt finalizes GHASH(AAD) */
+ // First call to decrypt finalizes GHASH(AAD)
GCM_MUL(ctx, Xi);
ctx->ares = 0;
}
@@ -839,7 +839,7 @@
ctx->len.u[1] = mlen;
if (ctx->ares) {
- /* First call to encrypt finalizes GHASH(AAD) */
+ // First call to encrypt finalizes GHASH(AAD)
GCM_MUL(ctx, Xi);
ctx->ares = 0;
}
@@ -861,8 +861,8 @@
#if defined(AESNI_GCM)
if (ctx->use_aesni_gcm_crypt) {
- /* |aesni_gcm_encrypt| may not process all the input given to it. It may
- * not process *any* of its input if it is deemed too small. */
+ // |aesni_gcm_encrypt| may not process all the input given to it. It may
+ // not process *any* of its input if it is deemed too small.
size_t bulk = aesni_gcm_encrypt(in, out, len, key, ctx->Yi.c, ctx->Xi.u);
in += bulk;
out += bulk;
@@ -940,7 +940,7 @@
ctx->len.u[1] = mlen;
if (ctx->ares) {
- /* First call to decrypt finalizes GHASH(AAD) */
+ // First call to decrypt finalizes GHASH(AAD)
GCM_MUL(ctx, Xi);
ctx->ares = 0;
}
@@ -964,8 +964,8 @@
#if defined(AESNI_GCM)
if (ctx->use_aesni_gcm_crypt) {
- /* |aesni_gcm_decrypt| may not process all the input given to it. It may
- * not process *any* of its input if it is deemed too small. */
+ // |aesni_gcm_decrypt| may not process all the input given to it. It may
+ // not process *any* of its input if it is deemed too small.
size_t bulk = aesni_gcm_decrypt(in, out, len, key, ctx->Yi.c, ctx->Xi.u);
in += bulk;
out += bulk;
@@ -1065,8 +1065,8 @@
int crypto_gcm_clmul_enabled(void) {
#ifdef GHASH_ASM
const uint32_t *ia32cap = OPENSSL_ia32cap_get();
- return (ia32cap[0] & (1 << 24)) && /* check FXSR bit */
- (ia32cap[1] & (1 << 1)); /* check PCLMULQDQ bit */
+ return (ia32cap[0] & (1 << 24)) && // check FXSR bit
+ (ia32cap[1] & (1 << 1)); // check PCLMULQDQ bit
#else
return 0;
#endif
diff --git a/src/crypto/fipsmodule/modes/gcm_test.cc b/src/crypto/fipsmodule/modes/gcm_test.cc
index bfd4275..5988945 100644
--- a/src/crypto/fipsmodule/modes/gcm_test.cc
+++ b/src/crypto/fipsmodule/modes/gcm_test.cc
@@ -46,9 +46,9 @@
* OF THE POSSIBILITY OF SUCH DAMAGE.
* ==================================================================== */
-/* Per C99, various stdint.h and inttypes.h macros (the latter used by
- * internal.h) are unavailable in C++ unless some macros are defined. C++11
- * overruled this decision, but older Android NDKs still require it. */
+// Per C99, various stdint.h and inttypes.h macros (the latter used by
+// internal.h) are unavailable in C++ unless some macros are defined. C++11
+// overruled this decision, but older Android NDKs still require it.
#if !defined(__STDC_CONSTANT_MACROS)
#define __STDC_CONSTANT_MACROS
#endif
diff --git a/src/crypto/fipsmodule/modes/internal.h b/src/crypto/fipsmodule/modes/internal.h
index 227f704..6a5ff99 100644
--- a/src/crypto/fipsmodule/modes/internal.h
+++ b/src/crypto/fipsmodule/modes/internal.h
@@ -109,28 +109,28 @@
OPENSSL_memcpy(out, &v, sizeof(v));
}
-/* block128_f is the type of a 128-bit, block cipher. */
+// block128_f is the type of a 128-bit, block cipher.
typedef void (*block128_f)(const uint8_t in[16], uint8_t out[16],
const void *key);
-/* GCM definitions */
+// GCM definitions
typedef struct { uint64_t hi,lo; } u128;
-/* gmult_func multiplies |Xi| by the GCM key and writes the result back to
- * |Xi|. */
+// gmult_func multiplies |Xi| by the GCM key and writes the result back to
+// |Xi|.
typedef void (*gmult_func)(uint64_t Xi[2], const u128 Htable[16]);
-/* ghash_func repeatedly multiplies |Xi| by the GCM key and adds in blocks from
- * |inp|. The result is written back to |Xi| and the |len| argument must be a
- * multiple of 16. */
+// ghash_func repeatedly multiplies |Xi| by the GCM key and adds in blocks from
+// |inp|. The result is written back to |Xi| and the |len| argument must be a
+// multiple of 16.
typedef void (*ghash_func)(uint64_t Xi[2], const u128 Htable[16],
const uint8_t *inp, size_t len);
-/* This differs from upstream's |gcm128_context| in that it does not have the
- * |key| pointer, in order to make it |memcpy|-friendly. Rather the key is
- * passed into each call that needs it. */
+// This differs from upstream's |gcm128_context| in that it does not have the
+// |key| pointer, in order to make it |memcpy|-friendly. Rather the key is
+// passed into each call that needs it.
struct gcm128_context {
- /* Following 6 names follow names in GCM specification */
+ // Following 6 names follow names in GCM specification
union {
uint64_t u[2];
uint32_t d[4];
@@ -138,8 +138,8 @@
size_t t[16 / sizeof(size_t)];
} Yi, EKi, EK0, len, Xi;
- /* Note that the order of |Xi|, |H| and |Htable| is fixed by the MOVBE-based,
- * x86-64, GHASH assembly. */
+ // Note that the order of |Xi|, |H| and |Htable| is fixed by the MOVBE-based,
+ // x86-64, GHASH assembly.
u128 H;
u128 Htable[16];
gmult_func gmult;
@@ -148,39 +148,39 @@
unsigned int mres, ares;
block128_f block;
- /* use_aesni_gcm_crypt is true if this context should use the assembly
- * functions |aesni_gcm_encrypt| and |aesni_gcm_decrypt| to process data. */
+ // use_aesni_gcm_crypt is true if this context should use the assembly
+ // functions |aesni_gcm_encrypt| and |aesni_gcm_decrypt| to process data.
unsigned use_aesni_gcm_crypt:1;
};
#if defined(OPENSSL_X86) || defined(OPENSSL_X86_64)
-/* crypto_gcm_clmul_enabled returns one if the CLMUL implementation of GCM is
- * used. */
+// crypto_gcm_clmul_enabled returns one if the CLMUL implementation of GCM is
+// used.
int crypto_gcm_clmul_enabled(void);
#endif
-/* CTR. */
+// CTR.
-/* ctr128_f is the type of a function that performs CTR-mode encryption. */
+// ctr128_f is the type of a function that performs CTR-mode encryption.
typedef void (*ctr128_f)(const uint8_t *in, uint8_t *out, size_t blocks,
const void *key, const uint8_t ivec[16]);
-/* CRYPTO_ctr128_encrypt encrypts (or decrypts, it's the same in CTR mode)
- * |len| bytes from |in| to |out| using |block| in counter mode. There's no
- * requirement that |len| be a multiple of any value and any partial blocks are
- * stored in |ecount_buf| and |*num|, which must be zeroed before the initial
- * call. The counter is a 128-bit, big-endian value in |ivec| and is
- * incremented by this function. */
+// CRYPTO_ctr128_encrypt encrypts (or decrypts, it's the same in CTR mode)
+// |len| bytes from |in| to |out| using |block| in counter mode. There's no
+// requirement that |len| be a multiple of any value and any partial blocks are
+// stored in |ecount_buf| and |*num|, which must be zeroed before the initial
+// call. The counter is a 128-bit, big-endian value in |ivec| and is
+// incremented by this function.
void CRYPTO_ctr128_encrypt(const uint8_t *in, uint8_t *out, size_t len,
const void *key, uint8_t ivec[16],
uint8_t ecount_buf[16], unsigned *num,
block128_f block);
-/* CRYPTO_ctr128_encrypt_ctr32 acts like |CRYPTO_ctr128_encrypt| but takes
- * |ctr|, a function that performs CTR mode but only deals with the lower 32
- * bits of the counter. This is useful when |ctr| can be an optimised
- * function. */
+// CRYPTO_ctr128_encrypt_ctr32 acts like |CRYPTO_ctr128_encrypt| but takes
+// |ctr|, a function that performs CTR mode but only deals with the lower 32
+// bits of the counter. This is useful when |ctr| can be an optimised
+// function.
void CRYPTO_ctr128_encrypt_ctr32(const uint8_t *in, uint8_t *out, size_t len,
const void *key, uint8_t ivec[16],
uint8_t ecount_buf[16], unsigned *num,
@@ -193,137 +193,137 @@
#endif
-/* GCM.
- *
- * This API differs from the upstream API slightly. The |GCM128_CONTEXT| does
- * not have a |key| pointer that points to the key as upstream's version does.
- * Instead, every function takes a |key| parameter. This way |GCM128_CONTEXT|
- * can be safely copied. */
+// GCM.
+//
+// This API differs from the upstream API slightly. The |GCM128_CONTEXT| does
+// not have a |key| pointer that points to the key as upstream's version does.
+// Instead, every function takes a |key| parameter. This way |GCM128_CONTEXT|
+// can be safely copied.
typedef struct gcm128_context GCM128_CONTEXT;
-/* CRYPTO_ghash_init writes a precomputed table of powers of |gcm_key| to
- * |out_table| and sets |*out_mult| and |*out_hash| to (potentially hardware
- * accelerated) functions for performing operations in the GHASH field. If the
- * AVX implementation was used |*out_is_avx| will be true. */
+// CRYPTO_ghash_init writes a precomputed table of powers of |gcm_key| to
+// |out_table| and sets |*out_mult| and |*out_hash| to (potentially hardware
+// accelerated) functions for performing operations in the GHASH field. If the
+// AVX implementation was used |*out_is_avx| will be true.
void CRYPTO_ghash_init(gmult_func *out_mult, ghash_func *out_hash,
u128 *out_key, u128 out_table[16], int *out_is_avx,
const uint8_t *gcm_key);
-/* CRYPTO_gcm128_init initialises |ctx| to use |block| (typically AES) with
- * the given key. |is_aesni_encrypt| is one if |block| is |aesni_encrypt|. */
+// CRYPTO_gcm128_init initialises |ctx| to use |block| (typically AES) with
+// the given key. |is_aesni_encrypt| is one if |block| is |aesni_encrypt|.
OPENSSL_EXPORT void CRYPTO_gcm128_init(GCM128_CONTEXT *ctx, const void *key,
block128_f block, int is_aesni_encrypt);
-/* CRYPTO_gcm128_setiv sets the IV (nonce) for |ctx|. The |key| must be the
- * same key that was passed to |CRYPTO_gcm128_init|. */
+// CRYPTO_gcm128_setiv sets the IV (nonce) for |ctx|. The |key| must be the
+// same key that was passed to |CRYPTO_gcm128_init|.
OPENSSL_EXPORT void CRYPTO_gcm128_setiv(GCM128_CONTEXT *ctx, const void *key,
const uint8_t *iv, size_t iv_len);
-/* CRYPTO_gcm128_aad sets the authenticated data for an instance of GCM.
- * This must be called before and data is encrypted. It returns one on success
- * and zero otherwise. */
+// CRYPTO_gcm128_aad sets the authenticated data for an instance of GCM.
+// This must be called before and data is encrypted. It returns one on success
+// and zero otherwise.
OPENSSL_EXPORT int CRYPTO_gcm128_aad(GCM128_CONTEXT *ctx, const uint8_t *aad,
size_t len);
-/* CRYPTO_gcm128_encrypt encrypts |len| bytes from |in| to |out|. The |key|
- * must be the same key that was passed to |CRYPTO_gcm128_init|. It returns one
- * on success and zero otherwise. */
+// CRYPTO_gcm128_encrypt encrypts |len| bytes from |in| to |out|. The |key|
+// must be the same key that was passed to |CRYPTO_gcm128_init|. It returns one
+// on success and zero otherwise.
OPENSSL_EXPORT int CRYPTO_gcm128_encrypt(GCM128_CONTEXT *ctx, const void *key,
const uint8_t *in, uint8_t *out,
size_t len);
-/* CRYPTO_gcm128_decrypt decrypts |len| bytes from |in| to |out|. The |key|
- * must be the same key that was passed to |CRYPTO_gcm128_init|. It returns one
- * on success and zero otherwise. */
+// CRYPTO_gcm128_decrypt decrypts |len| bytes from |in| to |out|. The |key|
+// must be the same key that was passed to |CRYPTO_gcm128_init|. It returns one
+// on success and zero otherwise.
OPENSSL_EXPORT int CRYPTO_gcm128_decrypt(GCM128_CONTEXT *ctx, const void *key,
const uint8_t *in, uint8_t *out,
size_t len);
-/* CRYPTO_gcm128_encrypt_ctr32 encrypts |len| bytes from |in| to |out| using
- * a CTR function that only handles the bottom 32 bits of the nonce, like
- * |CRYPTO_ctr128_encrypt_ctr32|. The |key| must be the same key that was
- * passed to |CRYPTO_gcm128_init|. It returns one on success and zero
- * otherwise. */
+// CRYPTO_gcm128_encrypt_ctr32 encrypts |len| bytes from |in| to |out| using
+// a CTR function that only handles the bottom 32 bits of the nonce, like
+// |CRYPTO_ctr128_encrypt_ctr32|. The |key| must be the same key that was
+// passed to |CRYPTO_gcm128_init|. It returns one on success and zero
+// otherwise.
OPENSSL_EXPORT int CRYPTO_gcm128_encrypt_ctr32(GCM128_CONTEXT *ctx,
const void *key,
const uint8_t *in, uint8_t *out,
size_t len, ctr128_f stream);
-/* CRYPTO_gcm128_decrypt_ctr32 decrypts |len| bytes from |in| to |out| using
- * a CTR function that only handles the bottom 32 bits of the nonce, like
- * |CRYPTO_ctr128_encrypt_ctr32|. The |key| must be the same key that was
- * passed to |CRYPTO_gcm128_init|. It returns one on success and zero
- * otherwise. */
+// CRYPTO_gcm128_decrypt_ctr32 decrypts |len| bytes from |in| to |out| using
+// a CTR function that only handles the bottom 32 bits of the nonce, like
+// |CRYPTO_ctr128_encrypt_ctr32|. The |key| must be the same key that was
+// passed to |CRYPTO_gcm128_init|. It returns one on success and zero
+// otherwise.
OPENSSL_EXPORT int CRYPTO_gcm128_decrypt_ctr32(GCM128_CONTEXT *ctx,
const void *key,
const uint8_t *in, uint8_t *out,
size_t len, ctr128_f stream);
-/* CRYPTO_gcm128_finish calculates the authenticator and compares it against
- * |len| bytes of |tag|. It returns one on success and zero otherwise. */
+// CRYPTO_gcm128_finish calculates the authenticator and compares it against
+// |len| bytes of |tag|. It returns one on success and zero otherwise.
OPENSSL_EXPORT int CRYPTO_gcm128_finish(GCM128_CONTEXT *ctx, const uint8_t *tag,
size_t len);
-/* CRYPTO_gcm128_tag calculates the authenticator and copies it into |tag|.
- * The minimum of |len| and 16 bytes are copied into |tag|. */
+// CRYPTO_gcm128_tag calculates the authenticator and copies it into |tag|.
+// The minimum of |len| and 16 bytes are copied into |tag|.
OPENSSL_EXPORT void CRYPTO_gcm128_tag(GCM128_CONTEXT *ctx, uint8_t *tag,
size_t len);
-/* CBC. */
+// CBC.
-/* cbc128_f is the type of a function that performs CBC-mode encryption. */
+// cbc128_f is the type of a function that performs CBC-mode encryption.
typedef void (*cbc128_f)(const uint8_t *in, uint8_t *out, size_t len,
const void *key, uint8_t ivec[16], int enc);
-/* CRYPTO_cbc128_encrypt encrypts |len| bytes from |in| to |out| using the
- * given IV and block cipher in CBC mode. The input need not be a multiple of
- * 128 bits long, but the output will round up to the nearest 128 bit multiple,
- * zero padding the input if needed. The IV will be updated on return. */
+// CRYPTO_cbc128_encrypt encrypts |len| bytes from |in| to |out| using the
+// given IV and block cipher in CBC mode. The input need not be a multiple of
+// 128 bits long, but the output will round up to the nearest 128 bit multiple,
+// zero padding the input if needed. The IV will be updated on return.
void CRYPTO_cbc128_encrypt(const uint8_t *in, uint8_t *out, size_t len,
const void *key, uint8_t ivec[16], block128_f block);
-/* CRYPTO_cbc128_decrypt decrypts |len| bytes from |in| to |out| using the
- * given IV and block cipher in CBC mode. If |len| is not a multiple of 128
- * bits then only that many bytes will be written, but a multiple of 128 bits
- * is always read from |in|. The IV will be updated on return. */
+// CRYPTO_cbc128_decrypt decrypts |len| bytes from |in| to |out| using the
+// given IV and block cipher in CBC mode. If |len| is not a multiple of 128
+// bits then only that many bytes will be written, but a multiple of 128 bits
+// is always read from |in|. The IV will be updated on return.
void CRYPTO_cbc128_decrypt(const uint8_t *in, uint8_t *out, size_t len,
const void *key, uint8_t ivec[16], block128_f block);
-/* OFB. */
+// OFB.
-/* CRYPTO_ofb128_encrypt encrypts (or decrypts, it's the same with OFB mode)
- * |len| bytes from |in| to |out| using |block| in OFB mode. There's no
- * requirement that |len| be a multiple of any value and any partial blocks are
- * stored in |ivec| and |*num|, the latter must be zero before the initial
- * call. */
+// CRYPTO_ofb128_encrypt encrypts (or decrypts, it's the same with OFB mode)
+// |len| bytes from |in| to |out| using |block| in OFB mode. There's no
+// requirement that |len| be a multiple of any value and any partial blocks are
+// stored in |ivec| and |*num|, the latter must be zero before the initial
+// call.
void CRYPTO_ofb128_encrypt(const uint8_t *in, uint8_t *out,
size_t len, const void *key, uint8_t ivec[16],
unsigned *num, block128_f block);
-/* CFB. */
+// CFB.
-/* CRYPTO_cfb128_encrypt encrypts (or decrypts, if |enc| is zero) |len| bytes
- * from |in| to |out| using |block| in CFB mode. There's no requirement that
- * |len| be a multiple of any value and any partial blocks are stored in |ivec|
- * and |*num|, the latter must be zero before the initial call. */
+// CRYPTO_cfb128_encrypt encrypts (or decrypts, if |enc| is zero) |len| bytes
+// from |in| to |out| using |block| in CFB mode. There's no requirement that
+// |len| be a multiple of any value and any partial blocks are stored in |ivec|
+// and |*num|, the latter must be zero before the initial call.
void CRYPTO_cfb128_encrypt(const uint8_t *in, uint8_t *out, size_t len,
const void *key, uint8_t ivec[16], unsigned *num,
int enc, block128_f block);
-/* CRYPTO_cfb128_8_encrypt encrypts (or decrypts, if |enc| is zero) |len| bytes
- * from |in| to |out| using |block| in CFB-8 mode. Prior to the first call
- * |num| should be set to zero. */
+// CRYPTO_cfb128_8_encrypt encrypts (or decrypts, if |enc| is zero) |len| bytes
+// from |in| to |out| using |block| in CFB-8 mode. Prior to the first call
+// |num| should be set to zero.
void CRYPTO_cfb128_8_encrypt(const uint8_t *in, uint8_t *out, size_t len,
const void *key, uint8_t ivec[16], unsigned *num,
int enc, block128_f block);
-/* CRYPTO_cfb128_1_encrypt encrypts (or decrypts, if |enc| is zero) |len| bytes
- * from |in| to |out| using |block| in CFB-1 mode. Prior to the first call
- * |num| should be set to zero. */
+// CRYPTO_cfb128_1_encrypt encrypts (or decrypts, if |enc| is zero) |len| bytes
+// from |in| to |out| using |block| in CFB-1 mode. Prior to the first call
+// |num| should be set to zero.
void CRYPTO_cfb128_1_encrypt(const uint8_t *in, uint8_t *out, size_t bits,
const void *key, uint8_t ivec[16], unsigned *num,
int enc, block128_f block);
@@ -333,11 +333,11 @@
block128_f block);
-/* POLYVAL.
- *
- * POLYVAL is a polynomial authenticator that operates over a field very
- * similar to the one that GHASH uses. See
- * https://tools.ietf.org/html/draft-irtf-cfrg-gcmsiv-02#section-3. */
+// POLYVAL.
+//
+// POLYVAL is a polynomial authenticator that operates over a field very
+// similar to the one that GHASH uses. See
+// https://tools.ietf.org/html/draft-irtf-cfrg-gcmsiv-02#section-3.
typedef union {
uint64_t u[2];
@@ -345,8 +345,8 @@
} polyval_block;
struct polyval_ctx {
- /* Note that the order of |S|, |H| and |Htable| is fixed by the MOVBE-based,
- * x86-64, GHASH assembly. */
+ // Note that the order of |S|, |H| and |Htable| is fixed by the MOVBE-based,
+ // x86-64, GHASH assembly.
polyval_block S;
u128 H;
u128 Htable[16];
@@ -354,21 +354,21 @@
ghash_func ghash;
};
-/* CRYPTO_POLYVAL_init initialises |ctx| using |key|. */
+// CRYPTO_POLYVAL_init initialises |ctx| using |key|.
void CRYPTO_POLYVAL_init(struct polyval_ctx *ctx, const uint8_t key[16]);
-/* CRYPTO_POLYVAL_update_blocks updates the accumulator in |ctx| given the
- * blocks from |in|. Only a whole number of blocks can be processed so |in_len|
- * must be a multiple of 16. */
+// CRYPTO_POLYVAL_update_blocks updates the accumulator in |ctx| given the
+// blocks from |in|. Only a whole number of blocks can be processed so |in_len|
+// must be a multiple of 16.
void CRYPTO_POLYVAL_update_blocks(struct polyval_ctx *ctx, const uint8_t *in,
size_t in_len);
-/* CRYPTO_POLYVAL_finish writes the accumulator from |ctx| to |out|. */
+// CRYPTO_POLYVAL_finish writes the accumulator from |ctx| to |out|.
void CRYPTO_POLYVAL_finish(const struct polyval_ctx *ctx, uint8_t out[16]);
#if defined(__cplusplus)
-} /* extern C */
+} // extern C
#endif
-#endif /* OPENSSL_HEADER_MODES_INTERNAL_H */
+#endif // OPENSSL_HEADER_MODES_INTERNAL_H
diff --git a/src/crypto/fipsmodule/modes/polyval.c b/src/crypto/fipsmodule/modes/polyval.c
index 392e2d8..857dc0e 100644
--- a/src/crypto/fipsmodule/modes/polyval.c
+++ b/src/crypto/fipsmodule/modes/polyval.c
@@ -21,16 +21,16 @@
#include "../../internal.h"
-/* byte_reverse reverses the order of the bytes in |b->c|. */
+// byte_reverse reverses the order of the bytes in |b->c|.
static void byte_reverse(polyval_block *b) {
const uint64_t t = CRYPTO_bswap8(b->u[0]);
b->u[0] = CRYPTO_bswap8(b->u[1]);
b->u[1] = t;
}
-/* reverse_and_mulX_ghash interprets the bytes |b->c| as a reversed element of
- * the GHASH field, multiplies that by 'x' and serialises the result back into
- * |b|, but with GHASH's backwards bit ordering. */
+// reverse_and_mulX_ghash interprets the bytes |b->c| as a reversed element of
+// the GHASH field, multiplies that by 'x' and serialises the result back into
+// |b|, but with GHASH's backwards bit ordering.
static void reverse_and_mulX_ghash(polyval_block *b) {
uint64_t hi = b->u[0];
uint64_t lo = b->u[1];
@@ -44,11 +44,11 @@
b->u[1] = CRYPTO_bswap8(hi);
}
-/* POLYVAL(H, X_1, ..., X_n) =
- * ByteReverse(GHASH(mulX_GHASH(ByteReverse(H)), ByteReverse(X_1), ...,
- * ByteReverse(X_n))).
- *
- * See https://tools.ietf.org/html/draft-irtf-cfrg-gcmsiv-02#appendix-A. */
+// POLYVAL(H, X_1, ..., X_n) =
+// ByteReverse(GHASH(mulX_GHASH(ByteReverse(H)), ByteReverse(X_1), ...,
+// ByteReverse(X_n))).
+//
+// See https://tools.ietf.org/html/draft-irtf-cfrg-gcmsiv-02#appendix-A.
void CRYPTO_POLYVAL_init(struct polyval_ctx *ctx, const uint8_t key[16]) {
polyval_block H;
diff --git a/src/crypto/fipsmodule/rand/ctrdrbg.c b/src/crypto/fipsmodule/rand/ctrdrbg.c
index 2b22f5d..9f8be66 100644
--- a/src/crypto/fipsmodule/rand/ctrdrbg.c
+++ b/src/crypto/fipsmodule/rand/ctrdrbg.c
@@ -21,16 +21,16 @@
#include "../cipher/internal.h"
-/* Section references in this file refer to SP 800-90Ar1:
- * http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-90Ar1.pdf */
+// Section references in this file refer to SP 800-90Ar1:
+// http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-90Ar1.pdf
-/* See table 3. */
+// See table 3.
static const uint64_t kMaxReseedCount = UINT64_C(1) << 48;
int CTR_DRBG_init(CTR_DRBG_STATE *drbg,
const uint8_t entropy[CTR_DRBG_ENTROPY_LEN],
const uint8_t *personalization, size_t personalization_len) {
- /* Section 10.2.1.3.1 */
+ // Section 10.2.1.3.1
if (personalization_len > CTR_DRBG_ENTROPY_LEN) {
return 0;
}
@@ -42,10 +42,10 @@
seed_material[i] ^= personalization[i];
}
- /* Section 10.2.1.2 */
+ // Section 10.2.1.2
- /* kInitMask is the result of encrypting blocks with big-endian value 1, 2
- * and 3 with the all-zero AES-256 key. */
+ // kInitMask is the result of encrypting blocks with big-endian value 1, 2
+ // and 3 with the all-zero AES-256 key.
static const uint8_t kInitMask[CTR_DRBG_ENTROPY_LEN] = {
0x53, 0x0f, 0x8a, 0xfb, 0xc7, 0x45, 0x36, 0xb9, 0xa9, 0x63, 0xb4, 0xf1,
0xc4, 0xcb, 0x73, 0x8b, 0xce, 0xa7, 0x40, 0x3d, 0x4d, 0x60, 0x6b, 0x6e,
@@ -67,8 +67,8 @@
OPENSSL_COMPILE_ASSERT(CTR_DRBG_ENTROPY_LEN % AES_BLOCK_SIZE == 0,
not_a_multiple_of_block_size);
-/* ctr_inc adds |n| to the last four bytes of |drbg->counter|, treated as a
- * big-endian number. */
+// ctr_inc adds |n| to the last four bytes of |drbg->counter|, treated as a
+// big-endian number.
static void ctr32_add(CTR_DRBG_STATE *drbg, uint32_t n) {
drbg->counter.words[3] =
CRYPTO_bswap4(CRYPTO_bswap4(drbg->counter.words[3]) + n);
@@ -76,9 +76,9 @@
static int CTR_DRBG_update(CTR_DRBG_STATE *drbg, const uint8_t *data,
size_t data_len) {
- /* Section 10.2.1.2. A value of |data_len| which less than
- * |CTR_DRBG_ENTROPY_LEN| is permitted and acts the same as right-padding
- * with zeros. This can save a copy. */
+ // Section 10.2.1.2. A value of |data_len| which less than
+ // |CTR_DRBG_ENTROPY_LEN| is permitted and acts the same as right-padding
+ // with zeros. This can save a copy.
if (data_len > CTR_DRBG_ENTROPY_LEN) {
return 0;
}
@@ -103,7 +103,7 @@
const uint8_t entropy[CTR_DRBG_ENTROPY_LEN],
const uint8_t *additional_data,
size_t additional_data_len) {
- /* Section 10.2.1.4 */
+ // Section 10.2.1.4
uint8_t entropy_copy[CTR_DRBG_ENTROPY_LEN];
if (additional_data_len > 0) {
@@ -131,12 +131,12 @@
int CTR_DRBG_generate(CTR_DRBG_STATE *drbg, uint8_t *out, size_t out_len,
const uint8_t *additional_data,
size_t additional_data_len) {
- /* See 9.3.1 */
+ // See 9.3.1
if (out_len > CTR_DRBG_MAX_GENERATE_LENGTH) {
return 0;
}
- /* See 10.2.1.5.1 */
+ // See 10.2.1.5.1
if (drbg->reseed_counter > kMaxReseedCount) {
return 0;
}
@@ -146,12 +146,12 @@
return 0;
}
- /* kChunkSize is used to interact better with the cache. Since the AES-CTR
- * code assumes that it's encrypting rather than just writing keystream, the
- * buffer has to be zeroed first. Without chunking, large reads would zero
- * the whole buffer, flushing the L1 cache, and then do another pass (missing
- * the cache every time) to “encrypt” it. The code can avoid this by
- * chunking. */
+ // kChunkSize is used to interact better with the cache. Since the AES-CTR
+ // code assumes that it's encrypting rather than just writing keystream, the
+ // buffer has to be zeroed first. Without chunking, large reads would zero
+ // the whole buffer, flushing the L1 cache, and then do another pass (missing
+ // the cache every time) to “encrypt” it. The code can avoid this by
+ // chunking.
static const size_t kChunkSize = 8 * 1024;
while (out_len >= AES_BLOCK_SIZE) {
diff --git a/src/crypto/fipsmodule/rand/internal.h b/src/crypto/fipsmodule/rand/internal.h
index f569c38..c0812ee 100644
--- a/src/crypto/fipsmodule/rand/internal.h
+++ b/src/crypto/fipsmodule/rand/internal.h
@@ -25,21 +25,21 @@
#endif
-/* RAND_bytes_with_additional_data samples from the RNG after mixing 32 bytes
- * from |user_additional_data| in. */
+// RAND_bytes_with_additional_data samples from the RNG after mixing 32 bytes
+// from |user_additional_data| in.
void RAND_bytes_with_additional_data(uint8_t *out, size_t out_len,
const uint8_t user_additional_data[32]);
-/* CRYPTO_sysrand fills |len| bytes at |buf| with entropy from the operating
- * system. */
+// CRYPTO_sysrand fills |len| bytes at |buf| with entropy from the operating
+// system.
void CRYPTO_sysrand(uint8_t *buf, size_t len);
-/* rand_fork_unsafe_buffering_enabled returns whether fork-unsafe buffering has
- * been enabled via |RAND_enable_fork_unsafe_buffering|. */
+// rand_fork_unsafe_buffering_enabled returns whether fork-unsafe buffering has
+// been enabled via |RAND_enable_fork_unsafe_buffering|.
int rand_fork_unsafe_buffering_enabled(void);
-/* CTR_DRBG_STATE contains the state of a CTR_DRBG based on AES-256. See SP
- * 800-90Ar1. */
+// CTR_DRBG_STATE contains the state of a CTR_DRBG based on AES-256. See SP
+// 800-90Ar1.
typedef struct {
alignas(16) AES_KEY ks;
block128_f block;
@@ -51,42 +51,42 @@
uint64_t reseed_counter;
} CTR_DRBG_STATE;
-/* See SP 800-90Ar1, table 3. */
+// See SP 800-90Ar1, table 3.
#define CTR_DRBG_ENTROPY_LEN 48
#define CTR_DRBG_MAX_GENERATE_LENGTH 65536
-/* CTR_DRBG_init initialises |*drbg| given |CTR_DRBG_ENTROPY_LEN| bytes of
- * entropy in |entropy| and, optionally, a personalization string up to
- * |CTR_DRBG_ENTROPY_LEN| bytes in length. It returns one on success and zero
- * on error. */
+// CTR_DRBG_init initialises |*drbg| given |CTR_DRBG_ENTROPY_LEN| bytes of
+// entropy in |entropy| and, optionally, a personalization string up to
+// |CTR_DRBG_ENTROPY_LEN| bytes in length. It returns one on success and zero
+// on error.
OPENSSL_EXPORT int CTR_DRBG_init(CTR_DRBG_STATE *drbg,
const uint8_t entropy[CTR_DRBG_ENTROPY_LEN],
const uint8_t *personalization,
size_t personalization_len);
-/* CTR_DRBG_reseed reseeds |drbg| given |CTR_DRBG_ENTROPY_LEN| bytes of entropy
- * in |entropy| and, optionally, up to |CTR_DRBG_ENTROPY_LEN| bytes of
- * additional data. It returns one on success or zero on error. */
+// CTR_DRBG_reseed reseeds |drbg| given |CTR_DRBG_ENTROPY_LEN| bytes of entropy
+// in |entropy| and, optionally, up to |CTR_DRBG_ENTROPY_LEN| bytes of
+// additional data. It returns one on success or zero on error.
OPENSSL_EXPORT int CTR_DRBG_reseed(CTR_DRBG_STATE *drbg,
const uint8_t entropy[CTR_DRBG_ENTROPY_LEN],
const uint8_t *additional_data,
size_t additional_data_len);
-/* CTR_DRBG_generate processes to up |CTR_DRBG_ENTROPY_LEN| bytes of additional
- * data (if any) and then writes |out_len| random bytes to |out|, where
- * |out_len| <= |CTR_DRBG_MAX_GENERATE_LENGTH|. It returns one on success or
- * zero on error. */
+// CTR_DRBG_generate processes to up |CTR_DRBG_ENTROPY_LEN| bytes of additional
+// data (if any) and then writes |out_len| random bytes to |out|, where
+// |out_len| <= |CTR_DRBG_MAX_GENERATE_LENGTH|. It returns one on success or
+// zero on error.
OPENSSL_EXPORT int CTR_DRBG_generate(CTR_DRBG_STATE *drbg, uint8_t *out,
size_t out_len,
const uint8_t *additional_data,
size_t additional_data_len);
-/* CTR_DRBG_clear zeroises the state of |drbg|. */
+// CTR_DRBG_clear zeroises the state of |drbg|.
OPENSSL_EXPORT void CTR_DRBG_clear(CTR_DRBG_STATE *drbg);
#if defined(__cplusplus)
-} /* extern C */
+} // extern C
#endif
-#endif /* OPENSSL_HEADER_CRYPTO_RAND_INTERNAL_H */
+#endif // OPENSSL_HEADER_CRYPTO_RAND_INTERNAL_H
diff --git a/src/crypto/fipsmodule/rand/rand.c b/src/crypto/fipsmodule/rand/rand.c
index 9480ddb..dafc91f 100644
--- a/src/crypto/fipsmodule/rand/rand.c
+++ b/src/crypto/fipsmodule/rand/rand.c
@@ -31,53 +31,53 @@
#include "../delocate.h"
-/* It's assumed that the operating system always has an unfailing source of
- * entropy which is accessed via |CRYPTO_sysrand|. (If the operating system
- * entropy source fails, it's up to |CRYPTO_sysrand| to abort the process—we
- * don't try to handle it.)
- *
- * In addition, the hardware may provide a low-latency RNG. Intel's rdrand
- * instruction is the canonical example of this. When a hardware RNG is
- * available we don't need to worry about an RNG failure arising from fork()ing
- * the process or moving a VM, so we can keep thread-local RNG state and use it
- * as an additional-data input to CTR-DRBG.
- *
- * (We assume that the OS entropy is safe from fork()ing and VM duplication.
- * This might be a bit of a leap of faith, esp on Windows, but there's nothing
- * that we can do about it.) */
+// It's assumed that the operating system always has an unfailing source of
+// entropy which is accessed via |CRYPTO_sysrand|. (If the operating system
+// entropy source fails, it's up to |CRYPTO_sysrand| to abort the process—we
+// don't try to handle it.)
+//
+// In addition, the hardware may provide a low-latency RNG. Intel's rdrand
+// instruction is the canonical example of this. When a hardware RNG is
+// available we don't need to worry about an RNG failure arising from fork()ing
+// the process or moving a VM, so we can keep thread-local RNG state and use it
+// as an additional-data input to CTR-DRBG.
+//
+// (We assume that the OS entropy is safe from fork()ing and VM duplication.
+// This might be a bit of a leap of faith, esp on Windows, but there's nothing
+// that we can do about it.)
-/* kReseedInterval is the number of generate calls made to CTR-DRBG before
- * reseeding. */
+// kReseedInterval is the number of generate calls made to CTR-DRBG before
+// reseeding.
static const unsigned kReseedInterval = 4096;
-/* CRNGT_BLOCK_SIZE is the number of bytes in a “block” for the purposes of the
- * continuous random number generator test in FIPS 140-2, section 4.9.2. */
+// CRNGT_BLOCK_SIZE is the number of bytes in a “block” for the purposes of the
+// continuous random number generator test in FIPS 140-2, section 4.9.2.
#define CRNGT_BLOCK_SIZE 16
-/* rand_thread_state contains the per-thread state for the RNG. */
+// rand_thread_state contains the per-thread state for the RNG.
struct rand_thread_state {
CTR_DRBG_STATE drbg;
- /* calls is the number of generate calls made on |drbg| since it was last
- * (re)seeded. This is bound by |kReseedInterval|. */
+ // calls is the number of generate calls made on |drbg| since it was last
+ // (re)seeded. This is bound by |kReseedInterval|.
unsigned calls;
- /* last_block_valid is non-zero iff |last_block| contains data from
- * |CRYPTO_sysrand|. */
+ // last_block_valid is non-zero iff |last_block| contains data from
+ // |CRYPTO_sysrand|.
int last_block_valid;
#if defined(BORINGSSL_FIPS)
- /* last_block contains the previous block from |CRYPTO_sysrand|. */
+ // last_block contains the previous block from |CRYPTO_sysrand|.
uint8_t last_block[CRNGT_BLOCK_SIZE];
- /* next and prev form a NULL-terminated, double-linked list of all states in
- * a process. */
+ // next and prev form a NULL-terminated, double-linked list of all states in
+ // a process.
struct rand_thread_state *next, *prev;
#endif
};
#if defined(BORINGSSL_FIPS)
-/* thread_states_list is the head of a linked-list of all |rand_thread_state|
- * objects in the process, one per thread. This is needed because FIPS requires
- * that they be zeroed on process exit, but thread-local destructors aren't
- * called when the whole process is exiting. */
+// thread_states_list is the head of a linked-list of all |rand_thread_state|
+// objects in the process, one per thread. This is needed because FIPS requires
+// that they be zeroed on process exit, but thread-local destructors aren't
+// called when the whole process is exiting.
DEFINE_BSS_GET(struct rand_thread_state *, thread_states_list);
DEFINE_STATIC_MUTEX(thread_states_list_lock);
@@ -88,13 +88,13 @@
cur != NULL; cur = cur->next) {
CTR_DRBG_clear(&cur->drbg);
}
- /* |thread_states_list_lock is deliberately left locked so that any threads
- * that are still running will hang if they try to call |RAND_bytes|. */
+ // |thread_states_list_lock is deliberately left locked so that any threads
+ // that are still running will hang if they try to call |RAND_bytes|.
}
#endif
-/* rand_thread_state_free frees a |rand_thread_state|. This is called when a
- * thread exits. */
+// rand_thread_state_free frees a |rand_thread_state|. This is called when a
+// thread exits.
static void rand_thread_state_free(void *state_in) {
struct rand_thread_state *state = state_in;
@@ -126,7 +126,7 @@
#if defined(OPENSSL_X86_64) && !defined(OPENSSL_NO_ASM) && \
!defined(BORINGSSL_UNSAFE_DETERMINISTIC_MODE)
-/* These functions are defined in asm/rdrand-x86_64.pl */
+// These functions are defined in asm/rdrand-x86_64.pl
extern int CRYPTO_rdrand(uint8_t out[8]);
extern int CRYPTO_rdrand_multiple8_buf(uint8_t *buf, size_t len);
@@ -183,8 +183,8 @@
state->last_block_valid = 1;
}
- /* We overread from /dev/urandom or RDRAND by a factor of 10 and XOR to
- * whiten. */
+ // We overread from /dev/urandom or RDRAND by a factor of 10 and XOR to
+ // whiten.
#define FIPS_OVERREAD 10
uint8_t entropy[CTR_DRBG_ENTROPY_LEN * FIPS_OVERREAD];
@@ -192,9 +192,9 @@
CRYPTO_sysrand(entropy, sizeof(entropy));
}
- /* See FIPS 140-2, section 4.9.2. This is the “continuous random number
- * generator test” which causes the program to randomly abort. Hopefully the
- * rate of failure is small enough not to be a problem in practice. */
+ // See FIPS 140-2, section 4.9.2. This is the “continuous random number
+ // generator test” which causes the program to randomly abort. Hopefully the
+ // rate of failure is small enough not to be a problem in practice.
if (CRYPTO_memcmp(state->last_block, entropy, CRNGT_BLOCK_SIZE) == 0) {
printf("CRNGT failed.\n");
BORINGSSL_FIPS_abort();
@@ -225,8 +225,8 @@
static void rand_get_seed(struct rand_thread_state *state,
uint8_t seed[CTR_DRBG_ENTROPY_LEN]) {
- /* If not in FIPS mode, we don't overread from the system entropy source and
- * we don't depend only on the hardware RDRAND. */
+ // If not in FIPS mode, we don't overread from the system entropy source and
+ // we don't depend only on the hardware RDRAND.
CRYPTO_sysrand(seed, CTR_DRBG_ENTROPY_LEN);
}
@@ -238,16 +238,16 @@
return;
}
- /* Additional data is mixed into every CTR-DRBG call to protect, as best we
- * can, against forks & VM clones. We do not over-read this information and
- * don't reseed with it so, from the point of view of FIPS, this doesn't
- * provide “prediction resistance”. But, in practice, it does. */
+ // Additional data is mixed into every CTR-DRBG call to protect, as best we
+ // can, against forks & VM clones. We do not over-read this information and
+ // don't reseed with it so, from the point of view of FIPS, this doesn't
+ // provide “prediction resistance”. But, in practice, it does.
uint8_t additional_data[32];
if (!hwrand(additional_data, sizeof(additional_data))) {
- /* Without a hardware RNG to save us from address-space duplication, the OS
- * entropy is used. This can be expensive (one read per |RAND_bytes| call)
- * and so can be disabled by applications that we have ensured don't fork
- * and aren't at risk of VM cloning. */
+ // Without a hardware RNG to save us from address-space duplication, the OS
+ // entropy is used. This can be expensive (one read per |RAND_bytes| call)
+ // and so can be disabled by applications that we have ensured don't fork
+ // and aren't at risk of VM cloning.
if (!rand_fork_unsafe_buffering_enabled()) {
CRYPTO_sysrand(additional_data, sizeof(additional_data));
} else {
@@ -268,8 +268,8 @@
if (state == NULL ||
!CRYPTO_set_thread_local(OPENSSL_THREAD_LOCAL_RAND, state,
rand_thread_state_free)) {
- /* If the system is out of memory, use an ephemeral state on the
- * stack. */
+ // If the system is out of memory, use an ephemeral state on the
+ // stack.
state = &stack_state;
}
@@ -300,14 +300,14 @@
uint8_t seed[CTR_DRBG_ENTROPY_LEN];
rand_get_seed(state, seed);
#if defined(BORINGSSL_FIPS)
- /* Take a read lock around accesses to |state->drbg|. This is needed to
- * avoid returning bad entropy if we race with
- * |rand_thread_state_clear_all|.
- *
- * This lock must be taken after any calls to |CRYPTO_sysrand| to avoid a
- * bug on ppc64le. glibc may implement pthread locks by wrapping user code
- * in a hardware transaction, but, on some older versions of glibc and the
- * kernel, syscalls made with |syscall| did not abort the transaction. */
+ // Take a read lock around accesses to |state->drbg|. This is needed to
+ // avoid returning bad entropy if we race with
+ // |rand_thread_state_clear_all|.
+ //
+ // This lock must be taken after any calls to |CRYPTO_sysrand| to avoid a
+ // bug on ppc64le. glibc may implement pthread locks by wrapping user code
+ // in a hardware transaction, but, on some older versions of glibc and the
+ // kernel, syscalls made with |syscall| did not abort the transaction.
CRYPTO_STATIC_MUTEX_lock_read(thread_states_list_lock_bss_get());
#endif
if (!CTR_DRBG_reseed(&state->drbg, seed, NULL, 0)) {
diff --git a/src/crypto/fipsmodule/rand/urandom.c b/src/crypto/fipsmodule/rand/urandom.c
index 8cbf727..d2be719 100644
--- a/src/crypto/fipsmodule/rand/urandom.c
+++ b/src/crypto/fipsmodule/rand/urandom.c
@@ -13,7 +13,7 @@
* CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. */
#if !defined(_GNU_SOURCE)
-#define _GNU_SOURCE /* needed for syscall() on Linux. */
+#define _GNU_SOURCE // needed for syscall() on Linux.
#endif
#include <openssl/rand.h>
@@ -29,8 +29,10 @@
#include <unistd.h>
#if defined(OPENSSL_LINUX)
+#if defined(BORINGSSL_FIPS)
#include <linux/random.h>
#include <sys/ioctl.h>
+#endif
#include <sys/syscall.h>
#endif
@@ -65,40 +67,40 @@
#error "system call number for getrandom is not the expected value"
#endif
-#else /* __NR_getrandom */
+#else // __NR_getrandom
#define __NR_getrandom EXPECTED_NR_getrandom
-#endif /* __NR_getrandom */
+#endif // __NR_getrandom
-#endif /* EXPECTED_NR_getrandom */
+#endif // EXPECTED_NR_getrandom
#if !defined(GRND_NONBLOCK)
#define GRND_NONBLOCK 1
#endif
-#endif /* OPENSSL_LINUX */
+#endif // OPENSSL_LINUX
-/* rand_lock is used to protect the |*_requested| variables. */
+// rand_lock is used to protect the |*_requested| variables.
DEFINE_STATIC_MUTEX(rand_lock);
-/* The following constants are magic values of |urandom_fd|. */
+// The following constants are magic values of |urandom_fd|.
static const int kUnset = 0;
static const int kHaveGetrandom = -3;
-/* urandom_fd_requested is set by |RAND_set_urandom_fd|. It's protected by
- * |rand_lock|. */
+// urandom_fd_requested is set by |RAND_set_urandom_fd|. It's protected by
+// |rand_lock|.
DEFINE_BSS_GET(int, urandom_fd_requested);
-/* urandom_fd is a file descriptor to /dev/urandom. It's protected by |once|. */
+// urandom_fd is a file descriptor to /dev/urandom. It's protected by |once|.
DEFINE_BSS_GET(int, urandom_fd);
DEFINE_STATIC_ONCE(rand_once);
#if defined(USE_NR_getrandom) || defined(BORINGSSL_FIPS)
-/* message writes |msg| to stderr. We use this because referencing |stderr|
- * with |fprintf| generates relocations, which is a problem inside the FIPS
- * module. */
+// message writes |msg| to stderr. We use this because referencing |stderr|
+// with |fprintf| generates relocations, which is a problem inside the FIPS
+// module.
static void message(const char *msg) {
ssize_t r;
do {
@@ -107,10 +109,10 @@
}
#endif
-/* init_once initializes the state of this module to values previously
- * requested. This is the only function that modifies |urandom_fd| and
- * |urandom_buffering|, whose values may be read safely after calling the
- * once. */
+// init_once initializes the state of this module to values previously
+// requested. This is the only function that modifies |urandom_fd| and
+// |urandom_buffering|, whose values may be read safely after calling the
+// once.
static void init_once(void) {
CRYPTO_STATIC_MUTEX_lock_read(rand_lock_bss_get());
int fd = *urandom_fd_requested_bss_get();
@@ -140,7 +142,7 @@
return;
}
}
-#endif /* USE_NR_getrandom */
+#endif // USE_NR_getrandom
if (fd == kUnset) {
do {
@@ -154,9 +156,9 @@
assert(kUnset == 0);
if (fd == kUnset) {
- /* Because we want to keep |urandom_fd| in the BSS, we have to initialise
- * it to zero. But zero is a valid file descriptor too. Thus if open
- * returns zero for /dev/urandom, we dup it to get a non-zero number. */
+ // Because we want to keep |urandom_fd| in the BSS, we have to initialise
+ // it to zero. But zero is a valid file descriptor too. Thus if open
+ // returns zero for /dev/urandom, we dup it to get a non-zero number.
fd = dup(fd);
close(kUnset);
@@ -166,10 +168,10 @@
}
#if defined(BORINGSSL_FIPS)
- /* In FIPS mode we ensure that the kernel has sufficient entropy before
- * continuing. This is automatically handled by getrandom, which requires
- * that the entropy pool has been initialised, but for urandom we have to
- * poll. */
+ // In FIPS mode we ensure that the kernel has sufficient entropy before
+ // continuing. This is automatically handled by getrandom, which requires
+ // that the entropy pool has been initialised, but for urandom we have to
+ // poll.
for (;;) {
int entropy_bits;
if (ioctl(fd, RNDGETENTCNT, &entropy_bits)) {
@@ -190,7 +192,7 @@
int flags = fcntl(fd, F_GETFD);
if (flags == -1) {
- /* Native Client doesn't implement |fcntl|. */
+ // Native Client doesn't implement |fcntl|.
if (errno != ENOSYS) {
abort();
}
@@ -211,9 +213,9 @@
assert(kUnset == 0);
if (fd == kUnset) {
- /* Because we want to keep |urandom_fd| in the BSS, we have to initialise
- * it to zero. But zero is a valid file descriptor too. Thus if dup
- * returned zero we dup it again to get a non-zero number. */
+ // Because we want to keep |urandom_fd| in the BSS, we have to initialise
+ // it to zero. But zero is a valid file descriptor too. Thus if dup
+ // returned zero we dup it again to get a non-zero number.
fd = dup(fd);
close(kUnset);
@@ -238,8 +240,8 @@
void __msan_unpoison(void *, size_t);
#endif
-/* fill_with_entropy writes |len| bytes of entropy into |out|. It returns one
- * on success and zero on error. */
+// fill_with_entropy writes |len| bytes of entropy into |out|. It returns one
+// on success and zero on error.
static char fill_with_entropy(uint8_t *out, size_t len) {
while (len > 0) {
ssize_t r;
@@ -252,13 +254,13 @@
#if defined(OPENSSL_MSAN)
if (r > 0) {
- /* MSAN doesn't recognise |syscall| and thus doesn't notice that we
- * have initialised the output buffer. */
+ // MSAN doesn't recognise |syscall| and thus doesn't notice that we
+ // have initialised the output buffer.
__msan_unpoison(out, r);
}
-#endif /* OPENSSL_MSAN */
+#endif // OPENSSL_MSAN
-#else /* USE_NR_getrandom */
+#else // USE_NR_getrandom
abort();
#endif
} else {
@@ -277,7 +279,7 @@
return 1;
}
-/* CRYPTO_sysrand puts |requested| random bytes into |out|. */
+// CRYPTO_sysrand puts |requested| random bytes into |out|.
void CRYPTO_sysrand(uint8_t *out, size_t requested) {
if (requested == 0) {
return;
diff --git a/src/crypto/fipsmodule/rsa/blinding.c b/src/crypto/fipsmodule/rsa/blinding.c
index 71feb3b..d956057 100644
--- a/src/crypto/fipsmodule/rsa/blinding.c
+++ b/src/crypto/fipsmodule/rsa/blinding.c
@@ -121,8 +121,8 @@
#define BN_BLINDING_COUNTER 32
struct bn_blinding_st {
- BIGNUM *A; /* The base blinding factor, Montgomery-encoded. */
- BIGNUM *Ai; /* The inverse of the blinding factor, Montgomery-encoded. */
+ BIGNUM *A; // The base blinding factor, Montgomery-encoded.
+ BIGNUM *Ai; // The inverse of the blinding factor, Montgomery-encoded.
unsigned counter;
};
@@ -147,7 +147,7 @@
goto err;
}
- /* The blinding values need to be created before this blinding can be used. */
+ // The blinding values need to be created before this blinding can be used.
ret->counter = BN_BLINDING_COUNTER - 1;
return ret;
@@ -170,7 +170,7 @@
static int bn_blinding_update(BN_BLINDING *b, const BIGNUM *e,
const BN_MONT_CTX *mont, BN_CTX *ctx) {
if (++b->counter == BN_BLINDING_COUNTER) {
- /* re-create blinding parameters */
+ // re-create blinding parameters
if (!bn_blinding_create_param(b, e, mont, ctx)) {
goto err;
}
@@ -185,10 +185,10 @@
return 1;
err:
- /* |A| and |Ai| may be in an inconsistent state so they both need to be
- * replaced the next time this blinding is used. Note that this is only
- * sufficient because support for |BN_BLINDING_NO_UPDATE| and
- * |BN_BLINDING_NO_RECREATE| was previously dropped. */
+ // |A| and |Ai| may be in an inconsistent state so they both need to be
+ // replaced the next time this blinding is used. Note that this is only
+ // sufficient because support for |BN_BLINDING_NO_UPDATE| and
+ // |BN_BLINDING_NO_RECREATE| was previously dropped.
b->counter = BN_BLINDING_COUNTER - 1;
return 0;
@@ -196,9 +196,8 @@
int BN_BLINDING_convert(BIGNUM *n, BN_BLINDING *b, const BIGNUM *e,
const BN_MONT_CTX *mont, BN_CTX *ctx) {
- /* |n| is not Montgomery-encoded and |b->A| is. |BN_mod_mul_montgomery|
- * cancels one Montgomery factor, so the resulting value of |n| is unencoded.
- */
+ // |n| is not Montgomery-encoded and |b->A| is. |BN_mod_mul_montgomery|
+ // cancels one Montgomery factor, so the resulting value of |n| is unencoded.
if (!bn_blinding_update(b, e, mont, ctx) ||
!BN_mod_mul_montgomery(n, n, b->A, mont, ctx)) {
return 0;
@@ -209,9 +208,8 @@
int BN_BLINDING_invert(BIGNUM *n, const BN_BLINDING *b, BN_MONT_CTX *mont,
BN_CTX *ctx) {
- /* |n| is not Montgomery-encoded and |b->A| is. |BN_mod_mul_montgomery|
- * cancels one Montgomery factor, so the resulting value of |n| is unencoded.
- */
+ // |n| is not Montgomery-encoded and |b->A| is. |BN_mod_mul_montgomery|
+ // cancels one Montgomery factor, so the resulting value of |n| is unencoded.
return BN_mod_mul_montgomery(n, n, b->Ai, mont, ctx);
}
@@ -225,8 +223,8 @@
return 0;
}
- /* |BN_from_montgomery| + |BN_mod_inverse_blinded| is equivalent to, but
- * more efficient than, |BN_mod_inverse_blinded| + |BN_to_montgomery|. */
+ // |BN_from_montgomery| + |BN_mod_inverse_blinded| is equivalent to, but
+ // more efficient than, |BN_mod_inverse_blinded| + |BN_to_montgomery|.
if (!BN_from_montgomery(b->Ai, b->A, mont, ctx)) {
OPENSSL_PUT_ERROR(RSA, ERR_R_INTERNAL_ERROR);
return 0;
@@ -242,8 +240,8 @@
return 0;
}
- /* For reasonably-sized RSA keys, it should almost never be the case that a
- * random value doesn't have an inverse. */
+ // For reasonably-sized RSA keys, it should almost never be the case that a
+ // random value doesn't have an inverse.
if (retry_counter-- == 0) {
OPENSSL_PUT_ERROR(RSA, RSA_R_TOO_MANY_ITERATIONS);
return 0;
diff --git a/src/crypto/fipsmodule/rsa/internal.h b/src/crypto/fipsmodule/rsa/internal.h
index fb5ffff..67f2cb9 100644
--- a/src/crypto/fipsmodule/rsa/internal.h
+++ b/src/crypto/fipsmodule/rsa/internal.h
@@ -67,7 +67,7 @@
#endif
-/* Default implementations of RSA operations. */
+// Default implementations of RSA operations.
const RSA_METHOD *RSA_default_method(void);
@@ -107,29 +107,29 @@
int RSA_padding_add_none(uint8_t *to, size_t to_len, const uint8_t *from,
size_t from_len);
-/* RSA_private_transform calls either the method-specific |private_transform|
- * function (if given) or the generic one. See the comment for
- * |private_transform| in |rsa_meth_st|. */
+// RSA_private_transform calls either the method-specific |private_transform|
+// function (if given) or the generic one. See the comment for
+// |private_transform| in |rsa_meth_st|.
int RSA_private_transform(RSA *rsa, uint8_t *out, const uint8_t *in,
size_t len);
-/* The following utility functions are exported for test purposes. */
+// The following utility functions are exported for test purposes.
extern const BN_ULONG kBoringSSLRSASqrtTwo[];
extern const size_t kBoringSSLRSASqrtTwoLen;
-/* rsa_less_than_words returns one if |a| < |b| and zero otherwise, where |a|
- * and |b| both are |len| words long. It runs in constant time. */
+// rsa_less_than_words returns one if |a| < |b| and zero otherwise, where |a|
+// and |b| both are |len| words long. It runs in constant time.
int rsa_less_than_words(const BN_ULONG *a, const BN_ULONG *b, size_t len);
-/* rsa_greater_than_pow2 returns one if |b| is greater than 2^|n| and zero
- * otherwise. */
+// rsa_greater_than_pow2 returns one if |b| is greater than 2^|n| and zero
+// otherwise.
int rsa_greater_than_pow2(const BIGNUM *b, int n);
#if defined(__cplusplus)
-} /* extern C */
+} // extern C
#endif
-#endif /* OPENSSL_HEADER_RSA_INTERNAL_H */
+#endif // OPENSSL_HEADER_RSA_INTERNAL_H
diff --git a/src/crypto/fipsmodule/rsa/padding.c b/src/crypto/fipsmodule/rsa/padding.c
index 9f002d2..9d88dba 100644
--- a/src/crypto/fipsmodule/rsa/padding.c
+++ b/src/crypto/fipsmodule/rsa/padding.c
@@ -74,7 +74,7 @@
int RSA_padding_add_PKCS1_type_1(uint8_t *to, size_t to_len,
const uint8_t *from, size_t from_len) {
- /* See RFC 8017, section 9.2. */
+ // See RFC 8017, section 9.2.
if (to_len < RSA_PKCS1_PADDING_SIZE) {
OPENSSL_PUT_ERROR(RSA, RSA_R_KEY_SIZE_TOO_SMALL);
return 0;
@@ -96,20 +96,20 @@
int RSA_padding_check_PKCS1_type_1(uint8_t *out, size_t *out_len,
size_t max_out, const uint8_t *from,
size_t from_len) {
- /* See RFC 8017, section 9.2. This is part of signature verification and thus
- * does not need to run in constant-time. */
+ // See RFC 8017, section 9.2. This is part of signature verification and thus
+ // does not need to run in constant-time.
if (from_len < 2) {
OPENSSL_PUT_ERROR(RSA, RSA_R_DATA_TOO_SMALL);
return 0;
}
- /* Check the header. */
+ // Check the header.
if (from[0] != 0 || from[1] != 1) {
OPENSSL_PUT_ERROR(RSA, RSA_R_BLOCK_TYPE_IS_NOT_01);
return 0;
}
- /* Scan over padded data, looking for the 00. */
+ // Scan over padded data, looking for the 00.
size_t pad;
for (pad = 2 /* header */; pad < from_len; pad++) {
if (from[pad] == 0x00) {
@@ -132,7 +132,7 @@
return 0;
}
- /* Skip over the 00. */
+ // Skip over the 00.
pad++;
if (from_len - pad > max_out) {
@@ -163,7 +163,7 @@
int RSA_padding_add_PKCS1_type_2(uint8_t *to, size_t to_len,
const uint8_t *from, size_t from_len) {
- /* See RFC 8017, section 7.2.1. */
+ // See RFC 8017, section 7.2.1.
if (to_len < RSA_PKCS1_PADDING_SIZE) {
OPENSSL_PUT_ERROR(RSA, RSA_R_KEY_SIZE_TOO_SMALL);
return 0;
@@ -195,11 +195,11 @@
return 0;
}
- /* PKCS#1 v1.5 decryption. See "PKCS #1 v2.2: RSA Cryptography
- * Standard", section 7.2.2. */
+ // PKCS#1 v1.5 decryption. See "PKCS #1 v2.2: RSA Cryptography
+ // Standard", section 7.2.2.
if (from_len < RSA_PKCS1_PADDING_SIZE) {
- /* |from| is zero-padded to the size of the RSA modulus, a public value, so
- * this can be rejected in non-constant time. */
+ // |from| is zero-padded to the size of the RSA modulus, a public value, so
+ // this can be rejected in non-constant time.
OPENSSL_PUT_ERROR(RSA, RSA_R_KEY_SIZE_TOO_SMALL);
return 0;
}
@@ -215,24 +215,24 @@
looking_for_index = constant_time_select_w(equals0, 0, looking_for_index);
}
- /* The input must begin with 00 02. */
+ // The input must begin with 00 02.
crypto_word_t valid_index = first_byte_is_zero;
valid_index &= second_byte_is_two;
- /* We must have found the end of PS. */
+ // We must have found the end of PS.
valid_index &= ~looking_for_index;
- /* PS must be at least 8 bytes long, and it starts two bytes into |from|. */
+ // PS must be at least 8 bytes long, and it starts two bytes into |from|.
valid_index &= constant_time_ge_w(zero_index, 2 + 8);
- /* Skip the zero byte. */
+ // Skip the zero byte.
zero_index++;
- /* NOTE: Although this logic attempts to be constant time, the API contracts
- * of this function and |RSA_decrypt| with |RSA_PKCS1_PADDING| make it
- * impossible to completely avoid Bleichenbacher's attack. Consumers should
- * use |RSA_PADDING_NONE| and perform the padding check in constant-time
- * combined with a swap to a random session key or other mitigation. */
+ // NOTE: Although this logic attempts to be constant time, the API contracts
+ // of this function and |RSA_decrypt| with |RSA_PKCS1_PADDING| make it
+ // impossible to completely avoid Bleichenbacher's attack. Consumers should
+ // use |RSA_PADDING_NONE| and perform the padding check in constant-time
+ // combined with a swap to a random session key or other mitigation.
if (!valid_index) {
OPENSSL_PUT_ERROR(RSA, RSA_R_PKCS_DECODING_ERROR);
return 0;
@@ -240,8 +240,8 @@
const size_t msg_len = from_len - zero_index;
if (msg_len > max_out) {
- /* This shouldn't happen because this function is always called with
- * |max_out| as the key size and |from_len| is bounded by the key size. */
+ // This shouldn't happen because this function is always called with
+ // |max_out| as the key size and |from_len| is bounded by the key size.
OPENSSL_PUT_ERROR(RSA, RSA_R_PKCS_DECODING_ERROR);
return 0;
}
@@ -397,12 +397,12 @@
size_t mdlen = EVP_MD_size(md);
- /* The encoded message is one byte smaller than the modulus to ensure that it
- * doesn't end up greater than the modulus. Thus there's an extra "+1" here
- * compared to https://tools.ietf.org/html/rfc2437#section-9.1.1.2. */
+ // The encoded message is one byte smaller than the modulus to ensure that it
+ // doesn't end up greater than the modulus. Thus there's an extra "+1" here
+ // compared to https://tools.ietf.org/html/rfc2437#section-9.1.1.2.
if (from_len < 1 + 2*mdlen + 1) {
- /* 'from_len' is the length of the modulus, i.e. does not depend on the
- * particular ciphertext. */
+ // 'from_len' is the length of the modulus, i.e. does not depend on the
+ // particular ciphertext.
goto decoding_err;
}
@@ -470,8 +470,8 @@
return 1;
decoding_err:
- /* to avoid chosen ciphertext attacks, the error message should not reveal
- * which kind of decoding error happened */
+ // to avoid chosen ciphertext attacks, the error message should not reveal
+ // which kind of decoding error happened
OPENSSL_PUT_ERROR(RSA, RSA_R_OAEP_DECODING_ERROR);
err:
OPENSSL_free(db);
@@ -499,10 +499,10 @@
hLen = EVP_MD_size(Hash);
- /* Negative sLen has special meanings:
- * -1 sLen == hLen
- * -2 salt length is autorecovered from signature
- * -N reserved */
+ // Negative sLen has special meanings:
+ // -1 sLen == hLen
+ // -2 salt length is autorecovered from signature
+ // -N reserved
if (sLen == -1) {
sLen = hLen;
} else if (sLen == -2) {
@@ -523,7 +523,7 @@
emLen--;
}
if (emLen < (int)hLen + 2 || emLen < ((int)hLen + sLen + 2)) {
- /* sLen can be small negative */
+ // sLen can be small negative
OPENSSL_PUT_ERROR(RSA, RSA_R_DATA_TOO_LARGE);
goto err;
}
@@ -612,10 +612,10 @@
goto err;
}
- /* Negative sLenRequested has special meanings:
- * -1 sLen == hLen
- * -2 salt length is maximized
- * -N reserved */
+ // Negative sLenRequested has special meanings:
+ // -1 sLen == hLen
+ // -2 salt length is maximized
+ // -N reserved
size_t sLen;
if (sLenRequested == -1) {
sLen = hLen;
@@ -658,16 +658,16 @@
goto err;
}
- /* Generate dbMask in place then perform XOR on it */
+ // Generate dbMask in place then perform XOR on it
if (!PKCS1_MGF1(EM, maskedDBLen, H, hLen, mgf1Hash)) {
goto err;
}
p = EM;
- /* Initial PS XORs with all zeroes which is a NOP so just update
- * pointer. Note from a test above this value is guaranteed to
- * be non-negative. */
+ // Initial PS XORs with all zeroes which is a NOP so just update
+ // pointer. Note from a test above this value is guaranteed to
+ // be non-negative.
p += emLen - sLen - hLen - 2;
*p++ ^= 0x1;
if (sLen > 0) {
@@ -679,7 +679,7 @@
EM[0] &= 0xFF >> (8 - MSBits);
}
- /* H is already in place so just set final 0xbc */
+ // H is already in place so just set final 0xbc
EM[emLen - 1] = 0xbc;
diff --git a/src/crypto/fipsmodule/rsa/rsa.c b/src/crypto/fipsmodule/rsa/rsa.c
index a434cb1..17348c1 100644
--- a/src/crypto/fipsmodule/rsa/rsa.c
+++ b/src/crypto/fipsmodule/rsa/rsa.c
@@ -301,25 +301,25 @@
return CRYPTO_get_ex_data(&rsa->ex_data, idx);
}
-/* SSL_SIG_LENGTH is the size of an SSL/TLS (prior to TLS 1.2) signature: it's
- * the length of an MD5 and SHA1 hash. */
+// SSL_SIG_LENGTH is the size of an SSL/TLS (prior to TLS 1.2) signature: it's
+// the length of an MD5 and SHA1 hash.
static const unsigned SSL_SIG_LENGTH = 36;
-/* pkcs1_sig_prefix contains the ASN.1, DER encoded prefix for a hash that is
- * to be signed with PKCS#1. */
+// pkcs1_sig_prefix contains the ASN.1, DER encoded prefix for a hash that is
+// to be signed with PKCS#1.
struct pkcs1_sig_prefix {
- /* nid identifies the hash function. */
+ // nid identifies the hash function.
int nid;
- /* hash_len is the expected length of the hash function. */
+ // hash_len is the expected length of the hash function.
uint8_t hash_len;
- /* len is the number of bytes of |bytes| which are valid. */
+ // len is the number of bytes of |bytes| which are valid.
uint8_t len;
- /* bytes contains the DER bytes. */
+ // bytes contains the DER bytes.
uint8_t bytes[19];
};
-/* kPKCS1SigPrefixes contains the ASN.1 prefixes for PKCS#1 signatures with
- * different hash functions. */
+// kPKCS1SigPrefixes contains the ASN.1 prefixes for PKCS#1 signatures with
+// different hash functions.
static const struct pkcs1_sig_prefix kPKCS1SigPrefixes[] = {
{
NID_md5,
@@ -374,7 +374,7 @@
unsigned i;
if (hash_nid == NID_md5_sha1) {
- /* Special case: SSL signature, just check the length. */
+ // Special case: SSL signature, just check the length.
if (msg_len != SSL_SIG_LENGTH) {
OPENSSL_PUT_ERROR(RSA, RSA_R_INVALID_MESSAGE_LENGTH);
return 0;
@@ -516,8 +516,8 @@
goto out;
}
- /* Check that no other information follows the hash value (FIPS 186-4 Section
- * 5.5) and it matches the expected hash. */
+ // Check that no other information follows the hash value (FIPS 186-4 Section
+ // 5.5) and it matches the expected hash.
if (len != signed_msg_len || OPENSSL_memcmp(buf, signed_msg, len) != 0) {
OPENSSL_PUT_ERROR(RSA, RSA_R_BAD_SIGNATURE);
goto out;
@@ -571,7 +571,7 @@
int ok = 0, has_crt_values;
if (RSA_is_opaque(key)) {
- /* Opaque keys can't be checked. */
+ // Opaque keys can't be checked.
return 1;
}
@@ -586,8 +586,8 @@
}
if (!key->d || !key->p) {
- /* For a public key, or without p and q, there's nothing that can be
- * checked. */
+ // For a public key, or without p and q, there's nothing that can be
+ // checked.
return 1;
}
@@ -608,7 +608,7 @@
BN_init(&iqmp_times_q);
if (!BN_mul(&n, key->p, key->q, ctx) ||
- /* lcm = lcm(p, q) */
+ // lcm = lcm(p, q)
!BN_sub(&pm1, key->p, BN_value_one()) ||
!BN_sub(&qm1, key->q, BN_value_one()) ||
!BN_mul(&lcm, &pm1, &qm1, ctx) ||
@@ -619,7 +619,7 @@
if (!BN_div(&lcm, NULL, &lcm, &gcd, ctx) ||
!BN_gcd(&gcd, &pm1, &qm1, ctx) ||
- /* de = d*e mod lcm(p, q). */
+ // de = d*e mod lcm(p, q).
!BN_mod_mul(&de, key->d, key->e, &lcm, ctx)) {
OPENSSL_PUT_ERROR(RSA, ERR_LIB_BN);
goto out;
@@ -643,11 +643,11 @@
}
if (has_crt_values) {
- if (/* dmp1 = d mod (p-1) */
+ if (// dmp1 = d mod (p-1)
!BN_mod(&dmp1, key->d, &pm1, ctx) ||
- /* dmq1 = d mod (q-1) */
+ // dmq1 = d mod (q-1)
!BN_mod(&dmq1, key->d, &qm1, ctx) ||
- /* iqmp = q^-1 mod p */
+ // iqmp = q^-1 mod p
!BN_mod_mul(&iqmp_times_q, key->iqmp, key->q, key->p, ctx)) {
OPENSSL_PUT_ERROR(RSA, ERR_LIB_BN);
goto out;
@@ -680,7 +680,7 @@
}
-/* This is the product of the 132 smallest odd primes, from 3 to 751. */
+// This is the product of the 132 smallest odd primes, from 3 to 751.
static const BN_ULONG kSmallFactorsLimbs[] = {
TOBN(0xc4309333, 0x3ef4e3e1), TOBN(0x71161eb6, 0xcd2d655f),
TOBN(0x95e2238c, 0x0bf94862), TOBN(0x3eb233d3, 0x24f7912b),
@@ -703,7 +703,7 @@
int RSA_check_fips(RSA *key) {
if (RSA_is_opaque(key)) {
- /* Opaque keys can't be checked. */
+ // Opaque keys can't be checked.
OPENSSL_PUT_ERROR(RSA, RSA_R_PUBLIC_KEY_VALIDATION_FAILED);
return 0;
}
@@ -723,7 +723,7 @@
int ret = 1;
- /* Perform partial public key validation of RSA keys (SP 800-89 5.3.3). */
+ // Perform partial public key validation of RSA keys (SP 800-89 5.3.3).
enum bn_primality_result_t primality_result;
if (BN_num_bits(key->e) <= 16 ||
BN_num_bits(key->e) > 256 ||
@@ -742,15 +742,15 @@
BN_CTX_free(ctx);
if (!ret || key->d == NULL || key->p == NULL) {
- /* On a failure or on only a public key, there's nothing else can be
- * checked. */
+ // On a failure or on only a public key, there's nothing else can be
+ // checked.
return ret;
}
- /* FIPS pairwise consistency test (FIPS 140-2 4.9.2). Per FIPS 140-2 IG,
- * section 9.9, it is not known whether |rsa| will be used for signing or
- * encryption, so either pair-wise consistency self-test is acceptable. We
- * perform a signing test. */
+ // FIPS pairwise consistency test (FIPS 140-2 4.9.2). Per FIPS 140-2 IG,
+ // section 9.9, it is not known whether |rsa| will be used for signing or
+ // encryption, so either pair-wise consistency self-test is acceptable. We
+ // perform a signing test.
uint8_t data[32] = {0};
unsigned sig_len = RSA_size(key);
uint8_t *sig = OPENSSL_malloc(sig_len);
diff --git a/src/crypto/fipsmodule/rsa/rsa_impl.c b/src/crypto/fipsmodule/rsa/rsa_impl.c
index b126164..f8cb9e3 100644
--- a/src/crypto/fipsmodule/rsa/rsa_impl.c
+++ b/src/crypto/fipsmodule/rsa/rsa_impl.c
@@ -80,15 +80,15 @@
return 0;
}
- /* Mitigate DoS attacks by limiting the exponent size. 33 bits was chosen as
- * the limit based on the recommendations in [1] and [2]. Windows CryptoAPI
- * doesn't support values larger than 32 bits [3], so it is unlikely that
- * exponents larger than 32 bits are being used for anything Windows commonly
- * does.
- *
- * [1] https://www.imperialviolet.org/2012/03/16/rsae.html
- * [2] https://www.imperialviolet.org/2012/03/17/rsados.html
- * [3] https://msdn.microsoft.com/en-us/library/aa387685(VS.85).aspx */
+ // Mitigate DoS attacks by limiting the exponent size. 33 bits was chosen as
+ // the limit based on the recommendations in [1] and [2]. Windows CryptoAPI
+ // doesn't support values larger than 32 bits [3], so it is unlikely that
+ // exponents larger than 32 bits are being used for anything Windows commonly
+ // does.
+ //
+ // [1] https://www.imperialviolet.org/2012/03/16/rsae.html
+ // [2] https://www.imperialviolet.org/2012/03/17/rsados.html
+ // [3] https://msdn.microsoft.com/en-us/library/aa387685(VS.85).aspx
static const unsigned kMaxExponentBits = 33;
if (BN_num_bits(rsa->e) > kMaxExponentBits) {
@@ -96,10 +96,10 @@
return 0;
}
- /* Verify |n > e|. Comparing |rsa_bits| to |kMaxExponentBits| is a small
- * shortcut to comparing |n| and |e| directly. In reality, |kMaxExponentBits|
- * is much smaller than the minimum RSA key size that any application should
- * accept. */
+ // Verify |n > e|. Comparing |rsa_bits| to |kMaxExponentBits| is a small
+ // shortcut to comparing |n| and |e| directly. In reality, |kMaxExponentBits|
+ // is much smaller than the minimum RSA key size that any application should
+ // accept.
if (rsa_bits <= kMaxExponentBits) {
OPENSSL_PUT_ERROR(RSA, RSA_R_KEY_SIZE_TOO_SMALL);
return 0;
@@ -154,7 +154,7 @@
i = RSA_padding_add_PKCS1_type_2(buf, rsa_size, in, in_len);
break;
case RSA_PKCS1_OAEP_PADDING:
- /* Use the default parameters: SHA-1 for both hashes and no label. */
+ // Use the default parameters: SHA-1 for both hashes and no label.
i = RSA_padding_add_PKCS1_OAEP_mgf1(buf, rsa_size, in, in_len,
NULL, 0, NULL, NULL);
break;
@@ -175,7 +175,7 @@
}
if (BN_ucmp(f, rsa->n) >= 0) {
- /* usually the padding functions would catch this */
+ // usually the padding functions would catch this
OPENSSL_PUT_ERROR(RSA, RSA_R_DATA_TOO_LARGE);
goto err;
}
@@ -185,8 +185,8 @@
goto err;
}
- /* put in leading 0 bytes if the number is less than the length of the
- * modulus */
+ // put in leading 0 bytes if the number is less than the length of the
+ // modulus
if (!BN_bn2bin_padded(out, rsa_size, result)) {
OPENSSL_PUT_ERROR(RSA, ERR_R_INTERNAL_ERROR);
goto err;
@@ -208,18 +208,18 @@
return ret;
}
-/* MAX_BLINDINGS_PER_RSA defines the maximum number of cached BN_BLINDINGs per
- * RSA*. Then this limit is exceeded, BN_BLINDING objects will be created and
- * destroyed as needed. */
+// MAX_BLINDINGS_PER_RSA defines the maximum number of cached BN_BLINDINGs per
+// RSA*. Then this limit is exceeded, BN_BLINDING objects will be created and
+// destroyed as needed.
#define MAX_BLINDINGS_PER_RSA 1024
-/* rsa_blinding_get returns a BN_BLINDING to use with |rsa|. It does this by
- * allocating one of the cached BN_BLINDING objects in |rsa->blindings|. If
- * none are free, the cache will be extended by a extra element and the new
- * BN_BLINDING is returned.
- *
- * On success, the index of the assigned BN_BLINDING is written to
- * |*index_used| and must be passed to |rsa_blinding_release| when finished. */
+// rsa_blinding_get returns a BN_BLINDING to use with |rsa|. It does this by
+// allocating one of the cached BN_BLINDING objects in |rsa->blindings|. If
+// none are free, the cache will be extended by a extra element and the new
+// BN_BLINDING is returned.
+//
+// On success, the index of the assigned BN_BLINDING is written to
+// |*index_used| and must be passed to |rsa_blinding_release| when finished.
static BN_BLINDING *rsa_blinding_get(RSA *rsa, unsigned *index_used,
BN_CTX *ctx) {
assert(ctx != NULL);
@@ -249,8 +249,8 @@
overflow = rsa->num_blindings >= MAX_BLINDINGS_PER_RSA;
- /* We didn't find a free BN_BLINDING to use so increase the length of
- * the arrays by one and use the newly created element. */
+ // We didn't find a free BN_BLINDING to use so increase the length of
+ // the arrays by one and use the newly created element.
CRYPTO_MUTEX_unlock_write(&rsa->lock);
ret = BN_BLINDING_new();
@@ -259,8 +259,8 @@
}
if (overflow) {
- /* We cannot add any more cached BN_BLINDINGs so we use |ret|
- * and mark it for destruction in |rsa_blinding_release|. */
+ // We cannot add any more cached BN_BLINDINGs so we use |ret|
+ // and mark it for destruction in |rsa_blinding_release|.
*index_used = MAX_BLINDINGS_PER_RSA;
return ret;
}
@@ -302,12 +302,12 @@
return NULL;
}
-/* rsa_blinding_release marks the cached BN_BLINDING at the given index as free
- * for other threads to use. */
+// rsa_blinding_release marks the cached BN_BLINDING at the given index as free
+// for other threads to use.
static void rsa_blinding_release(RSA *rsa, BN_BLINDING *blinding,
unsigned blinding_index) {
if (blinding_index == MAX_BLINDINGS_PER_RSA) {
- /* This blinding wasn't cached. */
+ // This blinding wasn't cached.
BN_BLINDING_free(blinding);
return;
}
@@ -317,7 +317,7 @@
CRYPTO_MUTEX_unlock_write(&rsa->lock);
}
-/* signing */
+// signing
int rsa_default_sign_raw(RSA *rsa, size_t *out_len, uint8_t *out,
size_t max_out, const uint8_t *in, size_t in_len,
int padding) {
@@ -382,7 +382,7 @@
if (padding == RSA_NO_PADDING) {
buf = out;
} else {
- /* Allocate a temporary buffer to hold the padded plaintext. */
+ // Allocate a temporary buffer to hold the padded plaintext.
buf = OPENSSL_malloc(rsa_size);
if (buf == NULL) {
OPENSSL_PUT_ERROR(RSA, ERR_R_MALLOC_FAILURE);
@@ -405,7 +405,7 @@
RSA_padding_check_PKCS1_type_2(out, out_len, rsa_size, buf, rsa_size);
break;
case RSA_PKCS1_OAEP_PADDING:
- /* Use the default parameters: SHA-1 for both hashes and no label. */
+ // Use the default parameters: SHA-1 for both hashes and no label.
ret = RSA_padding_check_PKCS1_OAEP_mgf1(out, out_len, rsa_size, buf,
rsa_size, NULL, 0, NULL, NULL);
break;
@@ -476,7 +476,7 @@
if (padding == RSA_NO_PADDING) {
buf = out;
} else {
- /* Allocate a temporary buffer to hold the padded plaintext. */
+ // Allocate a temporary buffer to hold the padded plaintext.
buf = OPENSSL_malloc(rsa_size);
if (buf == NULL) {
OPENSSL_PUT_ERROR(RSA, ERR_R_MALLOC_FAILURE);
@@ -562,7 +562,7 @@
}
if (BN_ucmp(f, rsa->n) >= 0) {
- /* Usually the padding functions would catch this. */
+ // Usually the padding functions would catch this.
OPENSSL_PUT_ERROR(RSA, RSA_R_DATA_TOO_LARGE);
goto err;
}
@@ -575,10 +575,10 @@
const int do_blinding = (rsa->flags & RSA_FLAG_NO_BLINDING) == 0;
if (rsa->e == NULL && do_blinding) {
- /* We cannot do blinding or verification without |e|, and continuing without
- * those countermeasures is dangerous. However, the Java/Android RSA API
- * requires support for keys where only |d| and |n| (and not |e|) are known.
- * The callers that require that bad behavior set |RSA_FLAG_NO_BLINDING|. */
+ // We cannot do blinding or verification without |e|, and continuing without
+ // those countermeasures is dangerous. However, the Java/Android RSA API
+ // requires support for keys where only |d| and |n| (and not |e|) are known.
+ // The callers that require that bad behavior set |RSA_FLAG_NO_BLINDING|.
OPENSSL_PUT_ERROR(RSA, RSA_R_NO_PUBLIC_EXPONENT);
goto err;
}
@@ -604,15 +604,15 @@
goto err;
}
- /* Verify the result to protect against fault attacks as described in the
- * 1997 paper "On the Importance of Checking Cryptographic Protocols for
- * Faults" by Dan Boneh, Richard A. DeMillo, and Richard J. Lipton. Some
- * implementations do this only when the CRT is used, but we do it in all
- * cases. Section 6 of the aforementioned paper describes an attack that
- * works when the CRT isn't used. That attack is much less likely to succeed
- * than the CRT attack, but there have likely been improvements since 1997.
- *
- * This check is cheap assuming |e| is small; it almost always is. */
+ // Verify the result to protect against fault attacks as described in the
+ // 1997 paper "On the Importance of Checking Cryptographic Protocols for
+ // Faults" by Dan Boneh, Richard A. DeMillo, and Richard J. Lipton. Some
+ // implementations do this only when the CRT is used, but we do it in all
+ // cases. Section 6 of the aforementioned paper describes an attack that
+ // works when the CRT isn't used. That attack is much less likely to succeed
+ // than the CRT attack, but there have likely been improvements since 1997.
+ //
+ // This check is cheap assuming |e| is small; it almost always is.
if (rsa->e != NULL) {
BIGNUM *vrfy = BN_CTX_get(ctx);
if (vrfy == NULL ||
@@ -682,22 +682,22 @@
goto err;
}
- /* compute I mod q */
+ // compute I mod q
if (!BN_mod(r1, I, rsa->q, ctx)) {
goto err;
}
- /* compute r1^dmq1 mod q */
+ // compute r1^dmq1 mod q
if (!BN_mod_exp_mont_consttime(m1, r1, rsa->dmq1, rsa->q, ctx, rsa->mont_q)) {
goto err;
}
- /* compute I mod p */
+ // compute I mod p
if (!BN_mod(r1, I, rsa->p, ctx)) {
goto err;
}
- /* compute r1^dmp1 mod p */
+ // compute r1^dmp1 mod p
if (!BN_mod_exp_mont_consttime(r0, r1, rsa->dmp1, rsa->p, ctx, rsa->mont_p)) {
goto err;
}
@@ -705,8 +705,8 @@
if (!BN_sub(r0, r0, m1)) {
goto err;
}
- /* This will help stop the size of r0 increasing, which does
- * affect the multiply if it optimised for a power of 2 size */
+ // This will help stop the size of r0 increasing, which does
+ // affect the multiply if it optimised for a power of 2 size
if (BN_is_negative(r0)) {
if (!BN_add(r0, r0, rsa->p)) {
goto err;
@@ -721,12 +721,12 @@
goto err;
}
- /* If p < q it is occasionally possible for the correction of
- * adding 'p' if r0 is negative above to leave the result still
- * negative. This can break the private key operations: the following
- * second correction should *always* correct this rare occurrence.
- * This will *never* happen with OpenSSL generated keys because
- * they ensure p > q [steve] */
+ // If p < q it is occasionally possible for the correction of
+ // adding 'p' if r0 is negative above to leave the result still
+ // negative. This can break the private key operations: the following
+ // second correction should *always* correct this rare occurrence.
+ // This will *never* happen with OpenSSL generated keys because
+ // they ensure p > q [steve]
if (BN_is_negative(r0)) {
if (!BN_add(r0, r0, rsa->p)) {
goto err;
@@ -753,20 +753,19 @@
return *out != NULL;
}
-/* kBoringSSLRSASqrtTwo is the BIGNUM representation of ⌊2¹⁵³⁵×√2⌋. This is
- * chosen to give enough precision for 3072-bit RSA, the largest key size FIPS
- * specifies. Key sizes beyond this will round up.
- *
- * To verify this number, check that n² < 2³⁰⁷¹ < (n+1)², where n is value
- * represented here. Note the components are listed in little-endian order. Here
- * is some sample Python code to check:
- *
- * >>> TOBN = lambda a, b: a << 32 | b
- * >>> l = [ <paste the contents of kSqrtTwo> ]
- * >>> n = sum(a * 2**(64*i) for i, a in enumerate(l))
- * >>> n**2 < 2**3071 < (n+1)**2
- * True
- */
+// kBoringSSLRSASqrtTwo is the BIGNUM representation of ⌊2¹⁵³⁵×√2⌋. This is
+// chosen to give enough precision for 3072-bit RSA, the largest key size FIPS
+// specifies. Key sizes beyond this will round up.
+//
+// To verify this number, check that n² < 2³⁰⁷¹ < (n+1)², where n is value
+// represented here. Note the components are listed in little-endian order. Here
+// is some sample Python code to check:
+//
+// >>> TOBN = lambda a, b: a << 32 | b
+// >>> l = [ <paste the contents of kSqrtTwo> ]
+// >>> n = sum(a * 2**(64*i) for i, a in enumerate(l))
+// >>> n**2 < 2**3071 < (n+1)**2
+// True
const BN_ULONG kBoringSSLRSASqrtTwo[] = {
TOBN(0xdea06241, 0xf7aa81c2), TOBN(0xf6a1be3f, 0xca221307),
TOBN(0x332a5e9f, 0x7bda1ebf), TOBN(0x0104dc01, 0xfe32352f),
@@ -787,7 +786,7 @@
OPENSSL_COMPILE_ASSERT(sizeof(BN_ULONG) <= sizeof(crypto_word_t),
crypto_word_t_too_small);
int ret = 0;
- /* Process the words in little-endian order. */
+ // Process the words in little-endian order.
for (size_t i = 0; i < len; i++) {
crypto_word_t eq = constant_time_eq_w(a[i], b[i]);
crypto_word_t lt = constant_time_lt_w(a[i], b[i]);
@@ -805,9 +804,9 @@
return b_bits > n + 1 || (b_bits == n + 1 && !BN_is_pow2(b));
}
-/* generate_prime sets |out| to a prime with length |bits| such that |out|-1 is
- * relatively prime to |e|. If |p| is non-NULL, |out| will also not be close to
- * |p|. */
+// generate_prime sets |out| to a prime with length |bits| such that |out|-1 is
+// relatively prime to |e|. If |p| is non-NULL, |out| will also not be close to
+// |p|.
static int generate_prime(BIGNUM *out, int bits, const BIGNUM *e,
const BIGNUM *p, BN_CTX *ctx, BN_GENCB *cb) {
if (bits < 128 || (bits % BN_BITS2) != 0) {
@@ -815,7 +814,7 @@
return 0;
}
- /* Ensure the bound on |tries| does not overflow. */
+ // Ensure the bound on |tries| does not overflow.
if (bits >= INT_MAX/5) {
OPENSSL_PUT_ERROR(RSA, RSA_R_MODULUS_TOO_LARGE);
return 0;
@@ -828,19 +827,19 @@
goto err;
}
- /* See FIPS 186-4 appendix B.3.3, steps 4 and 5. Note |bits| here is
- * nlen/2. */
+ // See FIPS 186-4 appendix B.3.3, steps 4 and 5. Note |bits| here is
+ // nlen/2.
for (;;) {
- /* Generate a random number of length |bits| where the bottom bit is set
- * (steps 4.2, 4.3, 5.2 and 5.3) and the top bit is set (implied by the
- * bound checked below in steps 4.4 and 5.5). */
+ // Generate a random number of length |bits| where the bottom bit is set
+ // (steps 4.2, 4.3, 5.2 and 5.3) and the top bit is set (implied by the
+ // bound checked below in steps 4.4 and 5.5).
if (!BN_rand(out, bits, BN_RAND_TOP_ONE, BN_RAND_BOTTOM_ODD) ||
!BN_GENCB_call(cb, BN_GENCB_GENERATED, rand_tries++)) {
goto err;
}
if (p != NULL) {
- /* If |p| and |out| are too close, try again (step 5.4). */
+ // If |p| and |out| are too close, try again (step 5.4).
if (!BN_sub(tmp, out, p)) {
goto err;
}
@@ -850,21 +849,21 @@
}
}
- /* If out < 2^(bits-1)×√2, try again (steps 4.4 and 5.5).
- *
- * We check the most significant words, so we retry if ⌊out/2^k⌋ <= ⌊b/2^k⌋,
- * where b = 2^(bits-1)×√2 and k = max(0, bits - 1536). For key sizes up to
- * 3072 (bits = 1536), k = 0, so we are testing that ⌊out⌋ <= ⌊b⌋. out is an
- * integer and b is not, so this is equivalent to out < b. That is, the
- * comparison is exact for FIPS key sizes.
- *
- * For larger keys, the comparison is approximate, leaning towards
- * retrying. That is, we reject a negligible fraction of primes that are
- * within the FIPS bound, but we will never accept a prime outside the
- * bound, ensuring the resulting RSA key is the right size. Specifically, if
- * the FIPS bound holds, we have ⌊out/2^k⌋ < out/2^k < b/2^k. This implies
- * ⌊out/2^k⌋ <= ⌊b/2^k⌋. That is, the FIPS bound implies our bound and so we
- * are slightly tighter. */
+ // If out < 2^(bits-1)×√2, try again (steps 4.4 and 5.5).
+ //
+ // We check the most significant words, so we retry if ⌊out/2^k⌋ <= ⌊b/2^k⌋,
+ // where b = 2^(bits-1)×√2 and k = max(0, bits - 1536). For key sizes up to
+ // 3072 (bits = 1536), k = 0, so we are testing that ⌊out⌋ <= ⌊b⌋. out is an
+ // integer and b is not, so this is equivalent to out < b. That is, the
+ // comparison is exact for FIPS key sizes.
+ //
+ // For larger keys, the comparison is approximate, leaning towards
+ // retrying. That is, we reject a negligible fraction of primes that are
+ // within the FIPS bound, but we will never accept a prime outside the
+ // bound, ensuring the resulting RSA key is the right size. Specifically, if
+ // the FIPS bound holds, we have ⌊out/2^k⌋ < out/2^k < b/2^k. This implies
+ // ⌊out/2^k⌋ <= ⌊b/2^k⌋. That is, the FIPS bound implies our bound and so we
+ // are slightly tighter.
size_t out_len = (size_t)out->top;
assert(out_len == (size_t)bits / BN_BITS2);
size_t to_check = kBoringSSLRSASqrtTwoLen;
@@ -877,13 +876,13 @@
continue;
}
- /* Check gcd(out-1, e) is one (steps 4.5 and 5.6). */
+ // Check gcd(out-1, e) is one (steps 4.5 and 5.6).
if (!BN_sub(tmp, out, BN_value_one()) ||
!BN_gcd(tmp, tmp, e, ctx)) {
goto err;
}
if (BN_is_one(tmp)) {
- /* Test |out| for primality (steps 4.5.1 and 5.6.1). */
+ // Test |out| for primality (steps 4.5.1 and 5.6.1).
int is_probable_prime;
if (!BN_primality_test(&is_probable_prime, out, BN_prime_checks, ctx, 1,
cb)) {
@@ -895,8 +894,8 @@
}
}
- /* If we've tried too many times to find a prime, abort (steps 4.7 and
- * 5.8). */
+ // If we've tried too many times to find a prime, abort (steps 4.7 and
+ // 5.8).
tries++;
if (tries >= bits * 5) {
OPENSSL_PUT_ERROR(RSA, RSA_R_TOO_MANY_ITERATIONS);
@@ -913,15 +912,15 @@
}
int RSA_generate_key_ex(RSA *rsa, int bits, BIGNUM *e_value, BN_GENCB *cb) {
- /* See FIPS 186-4 appendix B.3. This function implements a generalized version
- * of the FIPS algorithm. |RSA_generate_key_fips| performs additional checks
- * for FIPS-compliant key generation. */
+ // See FIPS 186-4 appendix B.3. This function implements a generalized version
+ // of the FIPS algorithm. |RSA_generate_key_fips| performs additional checks
+ // for FIPS-compliant key generation.
- /* Always generate RSA keys which are a multiple of 128 bits. Round |bits|
- * down as needed. */
+ // Always generate RSA keys which are a multiple of 128 bits. Round |bits|
+ // down as needed.
bits &= ~127;
- /* Reject excessively small keys. */
+ // Reject excessively small keys.
if (bits < 256) {
OPENSSL_PUT_ERROR(RSA, RSA_R_KEY_SIZE_TOO_SMALL);
return 0;
@@ -941,7 +940,7 @@
goto bn_err;
}
- /* We need the RSA components non-NULL. */
+ // We need the RSA components non-NULL.
if (!ensure_bignum(&rsa->n) ||
!ensure_bignum(&rsa->d) ||
!ensure_bignum(&rsa->e) ||
@@ -959,8 +958,8 @@
int prime_bits = bits / 2;
do {
- /* Generate p and q, each of size |prime_bits|, using the steps outlined in
- * appendix FIPS 186-4 appendix B.3.3. */
+ // Generate p and q, each of size |prime_bits|, using the steps outlined in
+ // appendix FIPS 186-4 appendix B.3.3.
if (!generate_prime(rsa->p, prime_bits, rsa->e, NULL, ctx, cb) ||
!BN_GENCB_call(cb, 3, 0) ||
!generate_prime(rsa->q, prime_bits, rsa->e, rsa->p, ctx, cb) ||
@@ -974,13 +973,13 @@
rsa->q = tmp;
}
- /* Calculate d = e^(-1) (mod lcm(p-1, q-1)), per FIPS 186-4. This differs
- * from typical RSA implementations which use (p-1)*(q-1).
- *
- * Note this means the size of d might reveal information about p-1 and
- * q-1. However, we do operations with Chinese Remainder Theorem, so we only
- * use d (mod p-1) and d (mod q-1) as exponents. Using a minimal totient
- * does not affect those two values. */
+ // Calculate d = e^(-1) (mod lcm(p-1, q-1)), per FIPS 186-4. This differs
+ // from typical RSA implementations which use (p-1)*(q-1).
+ //
+ // Note this means the size of d might reveal information about p-1 and
+ // q-1. However, we do operations with Chinese Remainder Theorem, so we only
+ // use d (mod p-1) and d (mod q-1) as exponents. Using a minimal totient
+ // does not affect those two values.
if (!BN_sub(pm1, rsa->p, BN_value_one()) ||
!BN_sub(qm1, rsa->q, BN_value_one()) ||
!BN_mul(totient, pm1, qm1, ctx) ||
@@ -990,39 +989,39 @@
goto bn_err;
}
- /* Check that |rsa->d| > 2^|prime_bits| and try again if it fails. See
- * appendix B.3.1's guidance on values for d. */
+ // Check that |rsa->d| > 2^|prime_bits| and try again if it fails. See
+ // appendix B.3.1's guidance on values for d.
} while (!rsa_greater_than_pow2(rsa->d, prime_bits));
- if (/* Calculate n. */
+ if (// Calculate n.
!BN_mul(rsa->n, rsa->p, rsa->q, ctx) ||
- /* Calculate d mod (p-1). */
+ // Calculate d mod (p-1).
!BN_mod(rsa->dmp1, rsa->d, pm1, ctx) ||
- /* Calculate d mod (q-1) */
+ // Calculate d mod (q-1)
!BN_mod(rsa->dmq1, rsa->d, qm1, ctx)) {
goto bn_err;
}
- /* Sanity-check that |rsa->n| has the specified size. This is implied by
- * |generate_prime|'s bounds. */
+ // Sanity-check that |rsa->n| has the specified size. This is implied by
+ // |generate_prime|'s bounds.
if (BN_num_bits(rsa->n) != (unsigned)bits) {
OPENSSL_PUT_ERROR(RSA, ERR_R_INTERNAL_ERROR);
goto err;
}
- /* Calculate inverse of q mod p. Note that although RSA key generation is far
- * from constant-time, |bn_mod_inverse_secret_prime| uses the same modular
- * exponentation logic as in RSA private key operations and, if the RSAZ-1024
- * code is enabled, will be optimized for common RSA prime sizes. */
+ // Calculate inverse of q mod p. Note that although RSA key generation is far
+ // from constant-time, |bn_mod_inverse_secret_prime| uses the same modular
+ // exponentation logic as in RSA private key operations and, if the RSAZ-1024
+ // code is enabled, will be optimized for common RSA prime sizes.
if (!BN_MONT_CTX_set_locked(&rsa->mont_p, &rsa->lock, rsa->p, ctx) ||
!bn_mod_inverse_secret_prime(rsa->iqmp, rsa->q, rsa->p, ctx,
rsa->mont_p)) {
goto bn_err;
}
- /* The key generation process is complex and thus error-prone. It could be
- * disastrous to generate and then use a bad key so double-check that the key
- * makes sense. */
+ // The key generation process is complex and thus error-prone. It could be
+ // disastrous to generate and then use a bad key so double-check that the key
+ // makes sense.
if (!RSA_check_key(rsa)) {
OPENSSL_PUT_ERROR(RSA, RSA_R_INTERNAL_ERROR);
goto err;
@@ -1043,8 +1042,8 @@
}
int RSA_generate_key_fips(RSA *rsa, int bits, BN_GENCB *cb) {
- /* FIPS 186-4 allows 2048-bit and 3072-bit RSA keys (1024-bit and 1536-bit
- * primes, respectively) with the prime generation method we use. */
+ // FIPS 186-4 allows 2048-bit and 3072-bit RSA keys (1024-bit and 1536-bit
+ // primes, respectively) with the prime generation method we use.
if (bits != 2048 && bits != 3072) {
OPENSSL_PUT_ERROR(RSA, RSA_R_BAD_RSA_PARAMETERS);
return 0;
@@ -1060,9 +1059,9 @@
}
DEFINE_METHOD_FUNCTION(RSA_METHOD, RSA_default_method) {
- /* All of the methods are NULL to make it easier for the compiler/linker to
- * drop unused functions. The wrapper functions will select the appropriate
- * |rsa_default_*| implementation. */
+ // All of the methods are NULL to make it easier for the compiler/linker to
+ // drop unused functions. The wrapper functions will select the appropriate
+ // |rsa_default_*| implementation.
OPENSSL_memset(out, 0, sizeof(RSA_METHOD));
out->common.is_static = 1;
out->flags = RSA_FLAG_CACHE_PUBLIC | RSA_FLAG_CACHE_PRIVATE;
diff --git a/src/crypto/fipsmodule/sha/sha1-altivec.c b/src/crypto/fipsmodule/sha/sha1-altivec.c
index 14e2bae..3152827 100644
--- a/src/crypto/fipsmodule/sha/sha1-altivec.c
+++ b/src/crypto/fipsmodule/sha/sha1-altivec.c
@@ -54,14 +54,14 @@
* copied and put under another distribution licence
* [including the GNU Public Licence.] */
-/* Altivec-optimized SHA1 in C. This is tested on ppc64le only.
- *
- * References:
- * https://software.intel.com/en-us/articles/improving-the-performance-of-the-secure-hash-algorithm-1
- * http://arctic.org/~dean/crypto/sha1.html
- *
- * This code used the generic SHA-1 from OpenSSL as a basis and AltiVec
- * optimisations were added on top. */
+// Altivec-optimized SHA1 in C. This is tested on ppc64le only.
+//
+// References:
+// https://software.intel.com/en-us/articles/improving-the-performance-of-the-secure-hash-algorithm-1
+// http://arctic.org/~dean/crypto/sha1.html
+//
+// This code used the generic SHA-1 from OpenSSL as a basis and AltiVec
+// optimisations were added on top.
#include <openssl/sha.h>
@@ -76,11 +76,11 @@
typedef vector unsigned int vec_uint32_t;
typedef vector unsigned char vec_uint8_t;
-/* Vector constants */
+// Vector constants
static const vec_uint8_t k_swap_endianness = {3, 2, 1, 0, 7, 6, 5, 4,
11, 10, 9, 8, 15, 14, 13, 12};
-/* Shift amounts for byte and bit shifts and rotations */
+// Shift amounts for byte and bit shifts and rotations
static const vec_uint8_t k_4_bytes = {32, 32, 32, 32, 32, 32, 32, 32,
32, 32, 32, 32, 32, 32, 32, 32};
static const vec_uint8_t k_12_bytes = {96, 96, 96, 96, 96, 96, 96, 96,
@@ -91,18 +91,18 @@
#define K_40_59 0x8f1bbcdcUL
#define K_60_79 0xca62c1d6UL
-/* Vector versions of the above. */
+// Vector versions of the above.
static const vec_uint32_t K_00_19_x_4 = {K_00_19, K_00_19, K_00_19, K_00_19};
static const vec_uint32_t K_20_39_x_4 = {K_20_39, K_20_39, K_20_39, K_20_39};
static const vec_uint32_t K_40_59_x_4 = {K_40_59, K_40_59, K_40_59, K_40_59};
static const vec_uint32_t K_60_79_x_4 = {K_60_79, K_60_79, K_60_79, K_60_79};
-/* vector message scheduling: compute message schedule for round i..i+3 where i
- * is divisible by 4. We return the schedule w[i..i+3] as a vector. In
- * addition, we also precompute sum w[i..+3] and an additive constant K. This
- * is done to offload some computation of f() in the integer execution units.
- *
- * Byte shifting code below may not be correct for big-endian systems. */
+// vector message scheduling: compute message schedule for round i..i+3 where i
+// is divisible by 4. We return the schedule w[i..i+3] as a vector. In
+// addition, we also precompute sum w[i..+3] and an additive constant K. This
+// is done to offload some computation of f() in the integer execution units.
+//
+// Byte shifting code below may not be correct for big-endian systems.
static vec_uint32_t sched_00_15(vec_uint32_t *pre_added, const void *data,
vec_uint32_t k) {
const vector unsigned char unaligned_data =
@@ -113,17 +113,17 @@
return w;
}
-/* Compute w[i..i+3] using these steps for i in [16, 20, 24, 28]
- *
- * w'[i ] = (w[i-3] ^ w[i-8] ^ w[i-14] ^ w[i-16]) <<< 1
- * w'[i+1] = (w[i-2] ^ w[i-7] ^ w[i-13] ^ w[i-15]) <<< 1
- * w'[i+2] = (w[i-1] ^ w[i-6] ^ w[i-12] ^ w[i-14]) <<< 1
- * w'[i+3] = ( 0 ^ w[i-5] ^ w[i-11] ^ w[i-13]) <<< 1
- *
- * w[ i] = w'[ i]
- * w[i+1] = w'[i+1]
- * w[i+2] = w'[i+2]
- * w[i+3] = w'[i+3] ^ (w'[i] <<< 1) */
+// Compute w[i..i+3] using these steps for i in [16, 20, 24, 28]
+//
+// w'[i ] = (w[i-3] ^ w[i-8] ^ w[i-14] ^ w[i-16]) <<< 1
+// w'[i+1] = (w[i-2] ^ w[i-7] ^ w[i-13] ^ w[i-15]) <<< 1
+// w'[i+2] = (w[i-1] ^ w[i-6] ^ w[i-12] ^ w[i-14]) <<< 1
+// w'[i+3] = ( 0 ^ w[i-5] ^ w[i-11] ^ w[i-13]) <<< 1
+//
+// w[ i] = w'[ i]
+// w[i+1] = w'[i+1]
+// w[i+2] = w'[i+2]
+// w[i+3] = w'[i+3] ^ (w'[i] <<< 1)
static vec_uint32_t sched_16_31(vec_uint32_t *pre_added, vec_uint32_t minus_4,
vec_uint32_t minus_8, vec_uint32_t minus_12,
vec_uint32_t minus_16, vec_uint32_t k) {
@@ -138,8 +138,8 @@
return w;
}
-/* Compute w[i..i+3] using this relation for i in [32, 36, 40 ... 76]
- * w[i] = (w[i-6] ^ w[i-16] ^ w[i-28] ^ w[i-32]), 2) <<< 2 */
+// Compute w[i..i+3] using this relation for i in [32, 36, 40 ... 76]
+// w[i] = (w[i-6] ^ w[i-16] ^ w[i-28] ^ w[i-32]), 2) <<< 2
static vec_uint32_t sched_32_79(vec_uint32_t *pre_added, vec_uint32_t minus_4,
vec_uint32_t minus_8, vec_uint32_t minus_16,
vec_uint32_t minus_28, vec_uint32_t minus_32,
@@ -152,17 +152,17 @@
return w;
}
-/* As pointed out by Wei Dai <weidai@eskimo.com>, F() below can be simplified
- * to the code in F_00_19. Wei attributes these optimisations to Peter
- * Gutmann's SHS code, and he attributes it to Rich Schroeppel. #define
- * F(x,y,z) (((x) & (y)) | ((~(x)) & (z))) I've just become aware of another
- * tweak to be made, again from Wei Dai, in F_40_59, (x&a)|(y&a) -> (x|y)&a */
+// As pointed out by Wei Dai <weidai@eskimo.com>, F() below can be simplified
+// to the code in F_00_19. Wei attributes these optimisations to Peter
+// Gutmann's SHS code, and he attributes it to Rich Schroeppel. #define
+// F(x,y,z) (((x) & (y)) | ((~(x)) & (z))) I've just become aware of another
+// tweak to be made, again from Wei Dai, in F_40_59, (x&a)|(y&a) -> (x|y)&a
#define F_00_19(b, c, d) ((((c) ^ (d)) & (b)) ^ (d))
#define F_20_39(b, c, d) ((b) ^ (c) ^ (d))
#define F_40_59(b, c, d) (((b) & (c)) | (((b) | (c)) & (d)))
#define F_60_79(b, c, d) F_20_39(b, c, d)
-/* We pre-added the K constants during message scheduling. */
+// We pre-added the K constants during message scheduling.
#define BODY_00_19(i, a, b, c, d, e, f) \
do { \
(f) = w[i] + (e) + rotate((a), 5) + F_00_19((b), (c), (d)); \
@@ -318,7 +318,7 @@
BODY_60_79(74, E, T, A, B, C, D);
BODY_60_79(75, D, E, T, A, B, C);
- /* We don't use the last value */
+ // We don't use the last value
(void)sched_32_79(vw + 19, w72, w68, w60, w48, w44, k);
BODY_60_79(76, C, D, E, T, A, B);
BODY_60_79(77, B, C, D, E, T, A);
@@ -345,7 +345,7 @@
}
}
-#endif /* OPENSSL_PPC64LE */
+#endif // OPENSSL_PPC64LE
#undef K_00_19
#undef K_20_39
diff --git a/src/crypto/fipsmodule/sha/sha1.c b/src/crypto/fipsmodule/sha/sha1.c
index 7b44563..7ce0193 100644
--- a/src/crypto/fipsmodule/sha/sha1.c
+++ b/src/crypto/fipsmodule/sha/sha1.c
@@ -131,11 +131,11 @@
#define K_40_59 0x8f1bbcdcUL
#define K_60_79 0xca62c1d6UL
-/* As pointed out by Wei Dai <weidai@eskimo.com>, F() below can be simplified
- * to the code in F_00_19. Wei attributes these optimisations to Peter
- * Gutmann's SHS code, and he attributes it to Rich Schroeppel. #define
- * F(x,y,z) (((x) & (y)) | ((~(x)) & (z))) I've just become aware of another
- * tweak to be made, again from Wei Dai, in F_40_59, (x&a)|(y&a) -> (x|y)&a */
+// As pointed out by Wei Dai <weidai@eskimo.com>, F() below can be simplified
+// to the code in F_00_19. Wei attributes these optimisations to Peter
+// Gutmann's SHS code, and he attributes it to Rich Schroeppel. #define
+// F(x,y,z) (((x) & (y)) | ((~(x)) & (z))) I've just become aware of another
+// tweak to be made, again from Wei Dai, in F_40_59, (x&a)|(y&a) -> (x|y)&a
#define F_00_19(b, c, d) ((((c) ^ (d)) & (b)) ^ (d))
#define F_20_39(b, c, d) ((b) ^ (c) ^ (d))
#define F_40_59(b, c, d) (((b) & (c)) | (((b) | (c)) & (d)))
diff --git a/src/crypto/fipsmodule/sha/sha256.c b/src/crypto/fipsmodule/sha/sha256.c
index cd6becb..6d709a6 100644
--- a/src/crypto/fipsmodule/sha/sha256.c
+++ b/src/crypto/fipsmodule/sha/sha256.c
@@ -128,15 +128,15 @@
#define HASH_CTX SHA256_CTX
#define HASH_CBLOCK 64
-/* Note that FIPS180-2 discusses "Truncation of the Hash Function Output."
- * default: case below covers for it. It's not clear however if it's permitted
- * to truncate to amount of bytes not divisible by 4. I bet not, but if it is,
- * then default: case shall be extended. For reference. Idea behind separate
- * cases for pre-defined lenghts is to let the compiler decide if it's
- * appropriate to unroll small loops.
- *
- * TODO(davidben): The small |md_len| case is one of the few places a low-level
- * hash 'final' function can fail. This should never happen. */
+// Note that FIPS180-2 discusses "Truncation of the Hash Function Output."
+// default: case below covers for it. It's not clear however if it's permitted
+// to truncate to amount of bytes not divisible by 4. I bet not, but if it is,
+// then default: case shall be extended. For reference. Idea behind separate
+// cases for pre-defined lenghts is to let the compiler decide if it's
+// appropriate to unroll small loops.
+//
+// TODO(davidben): The small |md_len| case is one of the few places a low-level
+// hash 'final' function can fail. This should never happen.
#define HASH_MAKE_STRING(c, s) \
do { \
uint32_t ll; \
@@ -196,9 +196,9 @@
#define ROTATE(a, n) (((a) << (n)) | ((a) >> (32 - (n))))
-/* FIPS specification refers to right rotations, while our ROTATE macro
- * is left one. This is why you might notice that rotation coefficients
- * differ from those observed in FIPS document by 32-N... */
+// FIPS specification refers to right rotations, while our ROTATE macro
+// is left one. This is why you might notice that rotation coefficients
+// differ from those observed in FIPS document by 32-N...
#define Sigma0(x) (ROTATE((x), 30) ^ ROTATE((x), 19) ^ ROTATE((x), 10))
#define Sigma1(x) (ROTATE((x), 26) ^ ROTATE((x), 21) ^ ROTATE((x), 7))
#define sigma0(x) (ROTATE((x), 25) ^ ROTATE((x), 14) ^ ((x) >> 3))
@@ -314,7 +314,7 @@
}
}
-#endif /* !SHA256_ASM */
+#endif // !SHA256_ASM
#undef DATA_ORDER_IS_BIG_ENDIAN
#undef HASH_CTX
diff --git a/src/crypto/fipsmodule/sha/sha512.c b/src/crypto/fipsmodule/sha/sha512.c
index 6e1f79b..3902f50 100644
--- a/src/crypto/fipsmodule/sha/sha512.c
+++ b/src/crypto/fipsmodule/sha/sha512.c
@@ -63,17 +63,17 @@
#include "../../internal.h"
-/* IMPLEMENTATION NOTES.
- *
- * The 32-bit hash algorithms share a common byte-order neutral collector and
- * padding function implementations that operate on unaligned data,
- * ../md32_common.h. This SHA-512 implementation does not. Reasons
- * [in reverse order] are:
- *
- * - It's the only 64-bit hash algorithm for the moment of this writing,
- * there is no need for common collector/padding implementation [yet];
- * - By supporting only a transform function that operates on *aligned* data
- * the collector/padding function is simpler and easier to optimize. */
+// IMPLEMENTATION NOTES.
+//
+// The 32-bit hash algorithms share a common byte-order neutral collector and
+// padding function implementations that operate on unaligned data,
+// ../md32_common.h. This SHA-512 implementation does not. Reasons
+// [in reverse order] are:
+//
+// - It's the only 64-bit hash algorithm for the moment of this writing,
+// there is no need for common collector/padding implementation [yet];
+// - By supporting only a transform function that operates on *aligned* data
+// the collector/padding function is simpler and easier to optimize.
#if !defined(OPENSSL_NO_ASM) && \
(defined(OPENSSL_X86) || defined(OPENSSL_X86_64) || \
@@ -227,7 +227,7 @@
uint8_t *p = (uint8_t *)sha->u.p;
size_t n = sha->num;
- p[n] = 0x80; /* There always is a room for one */
+ p[n] = 0x80; // There always is a room for one
n++;
if (n > (sizeof(sha->u) - 16)) {
OPENSSL_memset(p + n, 0, sizeof(sha->u) - n);
@@ -256,13 +256,13 @@
sha512_block_data_order(sha->h, (uint64_t *)p, 1);
if (md == NULL) {
- /* TODO(davidben): This NULL check is absent in other low-level hash 'final'
- * functions and is one of the few places one can fail. */
+ // TODO(davidben): This NULL check is absent in other low-level hash 'final'
+ // functions and is one of the few places one can fail.
return 0;
}
switch (sha->md_len) {
- /* Let compiler decide if it's appropriate to unroll... */
+ // Let compiler decide if it's appropriate to unroll...
case SHA384_DIGEST_LENGTH:
for (n = 0; n < SHA384_DIGEST_LENGTH / 8; n++) {
uint64_t t = sha->h[n];
@@ -291,10 +291,10 @@
*(md++) = (uint8_t)(t);
}
break;
- /* ... as well as make sure md_len is not abused. */
+ // ... as well as make sure md_len is not abused.
default:
- /* TODO(davidben): This bad |md_len| case is one of the few places a
- * low-level hash 'final' function can fail. This should never happen. */
+ // TODO(davidben): This bad |md_len| case is one of the few places a
+ // low-level hash 'final' function can fail. This should never happen.
return 0;
}
@@ -392,7 +392,7 @@
#endif
#endif
#elif defined(_MSC_VER)
-#if defined(_WIN64) /* applies to both IA-64 and AMD64 */
+#if defined(_WIN64) // applies to both IA-64 and AMD64
#pragma intrinsic(_rotr64)
#define ROTR(a, n) _rotr64((a), n)
#endif
@@ -432,10 +432,8 @@
#if defined(__i386) || defined(__i386__) || defined(_M_IX86)
-/*
- * This code should give better results on 32-bit CPU with less than
- * ~24 registers, both size and performance wise...
- */
+// This code should give better results on 32-bit CPU with less than
+// ~24 registers, both size and performance wise...
static void sha512_block_data_order(uint64_t *state, const uint64_t *W,
size_t num) {
uint64_t A, E, T;
@@ -593,7 +591,7 @@
#endif
-#endif /* !SHA512_ASM */
+#endif // !SHA512_ASM
#undef ROTR
#undef PULL64
diff --git a/src/crypto/hkdf/hkdf.c b/src/crypto/hkdf/hkdf.c
index ae43b69..23b60af 100644
--- a/src/crypto/hkdf/hkdf.c
+++ b/src/crypto/hkdf/hkdf.c
@@ -26,7 +26,7 @@
int HKDF(uint8_t *out_key, size_t out_len, const EVP_MD *digest,
const uint8_t *secret, size_t secret_len, const uint8_t *salt,
size_t salt_len, const uint8_t *info, size_t info_len) {
- /* https://tools.ietf.org/html/rfc5869#section-2 */
+ // https://tools.ietf.org/html/rfc5869#section-2
uint8_t prk[EVP_MAX_MD_SIZE];
size_t prk_len;
@@ -42,10 +42,10 @@
int HKDF_extract(uint8_t *out_key, size_t *out_len, const EVP_MD *digest,
const uint8_t *secret, size_t secret_len, const uint8_t *salt,
size_t salt_len) {
- /* https://tools.ietf.org/html/rfc5869#section-2.2 */
+ // https://tools.ietf.org/html/rfc5869#section-2.2
- /* If salt is not given, HashLength zeros are used. However, HMAC does that
- * internally already so we can ignore it.*/
+ // If salt is not given, HashLength zeros are used. However, HMAC does that
+ // internally already so we can ignore it.
unsigned len;
if (HMAC(digest, salt, salt_len, secret, secret_len, out_key, &len) == NULL) {
OPENSSL_PUT_ERROR(HKDF, ERR_R_HMAC_LIB);
@@ -59,7 +59,7 @@
int HKDF_expand(uint8_t *out_key, size_t out_len, const EVP_MD *digest,
const uint8_t *prk, size_t prk_len, const uint8_t *info,
size_t info_len) {
- /* https://tools.ietf.org/html/rfc5869#section-2.3 */
+ // https://tools.ietf.org/html/rfc5869#section-2.3
const size_t digest_len = EVP_MD_size(digest);
uint8_t previous[EVP_MAX_MD_SIZE];
size_t n, done = 0;
@@ -67,7 +67,7 @@
int ret = 0;
HMAC_CTX hmac;
- /* Expand key material to desired length. */
+ // Expand key material to desired length.
n = (out_len + digest_len - 1) / digest_len;
if (out_len + digest_len < out_len || n > 255) {
OPENSSL_PUT_ERROR(HKDF, HKDF_R_OUTPUT_TOO_LARGE);
diff --git a/src/crypto/hkdf/hkdf_test.cc b/src/crypto/hkdf/hkdf_test.cc
index b763b9b..5352685 100644
--- a/src/crypto/hkdf/hkdf_test.cc
+++ b/src/crypto/hkdf/hkdf_test.cc
@@ -35,7 +35,7 @@
const uint8_t out[82];
};
-/* These test vectors are from RFC 5869. */
+// These test vectors are from RFC 5869.
static const HKDFTestVector kTests[] = {
{
EVP_sha256,
diff --git a/src/crypto/internal.h b/src/crypto/internal.h
index 28ec3ee..87b69da 100644
--- a/src/crypto/internal.h
+++ b/src/crypto/internal.h
@@ -113,6 +113,7 @@
#include <openssl/stack.h>
#include <openssl/thread.h>
+#include <assert.h>
#include <string.h>
#if defined(_MSC_VER)
@@ -145,7 +146,7 @@
#if defined(OPENSSL_X86) || defined(OPENSSL_X86_64) || defined(OPENSSL_ARM) || \
defined(OPENSSL_AARCH64) || defined(OPENSSL_PPC64LE)
-/* OPENSSL_cpuid_setup initializes the platform-specific feature cache. */
+// OPENSSL_cpuid_setup initializes the platform-specific feature cache.
void OPENSSL_cpuid_setup(void);
#endif
@@ -157,42 +158,42 @@
#define OPENSSL_ARRAY_SIZE(array) (sizeof(array) / sizeof((array)[0]))
-/* buffers_alias returns one if |a| and |b| alias and zero otherwise. */
+// buffers_alias returns one if |a| and |b| alias and zero otherwise.
static inline int buffers_alias(const uint8_t *a, size_t a_len,
const uint8_t *b, size_t b_len) {
- /* Cast |a| and |b| to integers. In C, pointer comparisons between unrelated
- * objects are undefined whereas pointer to integer conversions are merely
- * implementation-defined. We assume the implementation defined it in a sane
- * way. */
+ // Cast |a| and |b| to integers. In C, pointer comparisons between unrelated
+ // objects are undefined whereas pointer to integer conversions are merely
+ // implementation-defined. We assume the implementation defined it in a sane
+ // way.
uintptr_t a_u = (uintptr_t)a;
uintptr_t b_u = (uintptr_t)b;
return a_u + a_len > b_u && b_u + b_len > a_u;
}
-/* Constant-time utility functions.
- *
- * The following methods return a bitmask of all ones (0xff...f) for true and 0
- * for false. This is useful for choosing a value based on the result of a
- * conditional in constant time. For example,
- *
- * if (a < b) {
- * c = a;
- * } else {
- * c = b;
- * }
- *
- * can be written as
- *
- * crypto_word_t lt = constant_time_lt_w(a, b);
- * c = constant_time_select_w(lt, a, b); */
+// Constant-time utility functions.
+//
+// The following methods return a bitmask of all ones (0xff...f) for true and 0
+// for false. This is useful for choosing a value based on the result of a
+// conditional in constant time. For example,
+//
+// if (a < b) {
+// c = a;
+// } else {
+// c = b;
+// }
+//
+// can be written as
+//
+// crypto_word_t lt = constant_time_lt_w(a, b);
+// c = constant_time_select_w(lt, a, b);
-/* crypto_word_t is the type that most constant-time functions use. Ideally we
- * would like it to be |size_t|, but NaCl builds in 64-bit mode with 32-bit
- * pointers, which means that |size_t| can be 32 bits when |BN_ULONG| is 64
- * bits. Since we want to be able to do constant-time operations on a
- * |BN_ULONG|, |crypto_word_t| is defined as an unsigned value with the native
- * word length. */
+// crypto_word_t is the type that most constant-time functions use. Ideally we
+// would like it to be |size_t|, but NaCl builds in 64-bit mode with 32-bit
+// pointers, which means that |size_t| can be 32 bits when |BN_ULONG| is 64
+// bits. Since we want to be able to do constant-time operations on a
+// |BN_ULONG|, |crypto_word_t| is defined as an unsigned value with the native
+// word length.
#if defined(OPENSSL_64_BIT)
typedef uint64_t crypto_word_t;
#elif defined(OPENSSL_32_BIT)
@@ -210,139 +211,137 @@
#define CONSTTIME_TRUE_8 ((uint8_t)0xff)
#define CONSTTIME_FALSE_8 ((uint8_t)0)
-/* constant_time_msb_w returns the given value with the MSB copied to all the
- * other bits. */
+// constant_time_msb_w returns the given value with the MSB copied to all the
+// other bits.
static inline crypto_word_t constant_time_msb_w(crypto_word_t a) {
return 0u - (a >> (sizeof(a) * 8 - 1));
}
-/* constant_time_lt_w returns 0xff..f if a < b and 0 otherwise. */
+// constant_time_lt_w returns 0xff..f if a < b and 0 otherwise.
static inline crypto_word_t constant_time_lt_w(crypto_word_t a,
crypto_word_t b) {
- /* Consider the two cases of the problem:
- * msb(a) == msb(b): a < b iff the MSB of a - b is set.
- * msb(a) != msb(b): a < b iff the MSB of b is set.
- *
- * If msb(a) == msb(b) then the following evaluates as:
- * msb(a^((a^b)|((a-b)^a))) ==
- * msb(a^((a-b) ^ a)) == (because msb(a^b) == 0)
- * msb(a^a^(a-b)) == (rearranging)
- * msb(a-b) (because ∀x. x^x == 0)
- *
- * Else, if msb(a) != msb(b) then the following evaluates as:
- * msb(a^((a^b)|((a-b)^a))) ==
- * msb(a^(𝟙 | ((a-b)^a))) == (because msb(a^b) == 1 and 𝟙
- * represents a value s.t. msb(𝟙) = 1)
- * msb(a^𝟙) == (because ORing with 1 results in 1)
- * msb(b)
- *
- *
- * Here is an SMT-LIB verification of this formula:
- *
- * (define-fun lt ((a (_ BitVec 32)) (b (_ BitVec 32))) (_ BitVec 32)
- * (bvxor a (bvor (bvxor a b) (bvxor (bvsub a b) a)))
- * )
- *
- * (declare-fun a () (_ BitVec 32))
- * (declare-fun b () (_ BitVec 32))
- *
- * (assert (not (= (= #x00000001 (bvlshr (lt a b) #x0000001f)) (bvult a b))))
- * (check-sat)
- * (get-model)
- */
+ // Consider the two cases of the problem:
+ // msb(a) == msb(b): a < b iff the MSB of a - b is set.
+ // msb(a) != msb(b): a < b iff the MSB of b is set.
+ //
+ // If msb(a) == msb(b) then the following evaluates as:
+ // msb(a^((a^b)|((a-b)^a))) ==
+ // msb(a^((a-b) ^ a)) == (because msb(a^b) == 0)
+ // msb(a^a^(a-b)) == (rearranging)
+ // msb(a-b) (because ∀x. x^x == 0)
+ //
+ // Else, if msb(a) != msb(b) then the following evaluates as:
+ // msb(a^((a^b)|((a-b)^a))) ==
+ // msb(a^(𝟙 | ((a-b)^a))) == (because msb(a^b) == 1 and 𝟙
+ // represents a value s.t. msb(𝟙) = 1)
+ // msb(a^𝟙) == (because ORing with 1 results in 1)
+ // msb(b)
+ //
+ //
+ // Here is an SMT-LIB verification of this formula:
+ //
+ // (define-fun lt ((a (_ BitVec 32)) (b (_ BitVec 32))) (_ BitVec 32)
+ // (bvxor a (bvor (bvxor a b) (bvxor (bvsub a b) a)))
+ // )
+ //
+ // (declare-fun a () (_ BitVec 32))
+ // (declare-fun b () (_ BitVec 32))
+ //
+ // (assert (not (= (= #x00000001 (bvlshr (lt a b) #x0000001f)) (bvult a b))))
+ // (check-sat)
+ // (get-model)
return constant_time_msb_w(a^((a^b)|((a-b)^a)));
}
-/* constant_time_lt_8 acts like |constant_time_lt_w| but returns an 8-bit
- * mask. */
+// constant_time_lt_8 acts like |constant_time_lt_w| but returns an 8-bit
+// mask.
static inline uint8_t constant_time_lt_8(crypto_word_t a, crypto_word_t b) {
return (uint8_t)(constant_time_lt_w(a, b));
}
-/* constant_time_ge_w returns 0xff..f if a >= b and 0 otherwise. */
+// constant_time_ge_w returns 0xff..f if a >= b and 0 otherwise.
static inline crypto_word_t constant_time_ge_w(crypto_word_t a,
crypto_word_t b) {
return ~constant_time_lt_w(a, b);
}
-/* constant_time_ge_8 acts like |constant_time_ge_w| but returns an 8-bit
- * mask. */
+// constant_time_ge_8 acts like |constant_time_ge_w| but returns an 8-bit
+// mask.
static inline uint8_t constant_time_ge_8(crypto_word_t a, crypto_word_t b) {
return (uint8_t)(constant_time_ge_w(a, b));
}
-/* constant_time_is_zero returns 0xff..f if a == 0 and 0 otherwise. */
+// constant_time_is_zero returns 0xff..f if a == 0 and 0 otherwise.
static inline crypto_word_t constant_time_is_zero_w(crypto_word_t a) {
- /* Here is an SMT-LIB verification of this formula:
- *
- * (define-fun is_zero ((a (_ BitVec 32))) (_ BitVec 32)
- * (bvand (bvnot a) (bvsub a #x00000001))
- * )
- *
- * (declare-fun a () (_ BitVec 32))
- *
- * (assert (not (= (= #x00000001 (bvlshr (is_zero a) #x0000001f)) (= a #x00000000))))
- * (check-sat)
- * (get-model)
- */
+ // Here is an SMT-LIB verification of this formula:
+ //
+ // (define-fun is_zero ((a (_ BitVec 32))) (_ BitVec 32)
+ // (bvand (bvnot a) (bvsub a #x00000001))
+ // )
+ //
+ // (declare-fun a () (_ BitVec 32))
+ //
+ // (assert (not (= (= #x00000001 (bvlshr (is_zero a) #x0000001f)) (= a #x00000000))))
+ // (check-sat)
+ // (get-model)
return constant_time_msb_w(~a & (a - 1));
}
-/* constant_time_is_zero_8 acts like |constant_time_is_zero_w| but returns an
- * 8-bit mask. */
+// constant_time_is_zero_8 acts like |constant_time_is_zero_w| but returns an
+// 8-bit mask.
static inline uint8_t constant_time_is_zero_8(crypto_word_t a) {
return (uint8_t)(constant_time_is_zero_w(a));
}
-/* constant_time_eq_w returns 0xff..f if a == b and 0 otherwise. */
+// constant_time_eq_w returns 0xff..f if a == b and 0 otherwise.
static inline crypto_word_t constant_time_eq_w(crypto_word_t a,
crypto_word_t b) {
return constant_time_is_zero_w(a ^ b);
}
-/* constant_time_eq_8 acts like |constant_time_eq_w| but returns an 8-bit
- * mask. */
+// constant_time_eq_8 acts like |constant_time_eq_w| but returns an 8-bit
+// mask.
static inline uint8_t constant_time_eq_8(crypto_word_t a, crypto_word_t b) {
return (uint8_t)(constant_time_eq_w(a, b));
}
-/* constant_time_eq_int acts like |constant_time_eq_w| but works on int
- * values. */
+// constant_time_eq_int acts like |constant_time_eq_w| but works on int
+// values.
static inline crypto_word_t constant_time_eq_int(int a, int b) {
return constant_time_eq_w((crypto_word_t)(a), (crypto_word_t)(b));
}
-/* constant_time_eq_int_8 acts like |constant_time_eq_int| but returns an 8-bit
- * mask. */
+// constant_time_eq_int_8 acts like |constant_time_eq_int| but returns an 8-bit
+// mask.
static inline uint8_t constant_time_eq_int_8(int a, int b) {
return constant_time_eq_8((crypto_word_t)(a), (crypto_word_t)(b));
}
-/* constant_time_select_w returns (mask & a) | (~mask & b). When |mask| is all
- * 1s or all 0s (as returned by the methods above), the select methods return
- * either |a| (if |mask| is nonzero) or |b| (if |mask| is zero). */
+// constant_time_select_w returns (mask & a) | (~mask & b). When |mask| is all
+// 1s or all 0s (as returned by the methods above), the select methods return
+// either |a| (if |mask| is nonzero) or |b| (if |mask| is zero).
static inline crypto_word_t constant_time_select_w(crypto_word_t mask,
crypto_word_t a,
crypto_word_t b) {
return (mask & a) | (~mask & b);
}
-/* constant_time_select_8 acts like |constant_time_select| but operates on
- * 8-bit values. */
+// constant_time_select_8 acts like |constant_time_select| but operates on
+// 8-bit values.
static inline uint8_t constant_time_select_8(uint8_t mask, uint8_t a,
uint8_t b) {
return (uint8_t)(constant_time_select_w(mask, a, b));
}
-/* constant_time_select_int acts like |constant_time_select| but operates on
- * ints. */
+// constant_time_select_int acts like |constant_time_select| but operates on
+// ints.
static inline int constant_time_select_int(crypto_word_t mask, int a, int b) {
return (int)(constant_time_select_w(mask, (crypto_word_t)(a),
(crypto_word_t)(b)));
}
-/* Thread-safe initialisation. */
+// Thread-safe initialisation.
#if defined(OPENSSL_NO_THREADS)
typedef uint32_t CRYPTO_once_t;
@@ -357,52 +356,52 @@
#error "Unknown threading library"
#endif
-/* CRYPTO_once calls |init| exactly once per process. This is thread-safe: if
- * concurrent threads call |CRYPTO_once| with the same |CRYPTO_once_t| argument
- * then they will block until |init| completes, but |init| will have only been
- * called once.
- *
- * The |once| argument must be a |CRYPTO_once_t| that has been initialised with
- * the value |CRYPTO_ONCE_INIT|. */
+// CRYPTO_once calls |init| exactly once per process. This is thread-safe: if
+// concurrent threads call |CRYPTO_once| with the same |CRYPTO_once_t| argument
+// then they will block until |init| completes, but |init| will have only been
+// called once.
+//
+// The |once| argument must be a |CRYPTO_once_t| that has been initialised with
+// the value |CRYPTO_ONCE_INIT|.
OPENSSL_EXPORT void CRYPTO_once(CRYPTO_once_t *once, void (*init)(void));
-/* Reference counting. */
+// Reference counting.
-/* CRYPTO_REFCOUNT_MAX is the value at which the reference count saturates. */
+// CRYPTO_REFCOUNT_MAX is the value at which the reference count saturates.
#define CRYPTO_REFCOUNT_MAX 0xffffffff
-/* CRYPTO_refcount_inc atomically increments the value at |*count| unless the
- * value would overflow. It's safe for multiple threads to concurrently call
- * this or |CRYPTO_refcount_dec_and_test_zero| on the same
- * |CRYPTO_refcount_t|. */
+// CRYPTO_refcount_inc atomically increments the value at |*count| unless the
+// value would overflow. It's safe for multiple threads to concurrently call
+// this or |CRYPTO_refcount_dec_and_test_zero| on the same
+// |CRYPTO_refcount_t|.
OPENSSL_EXPORT void CRYPTO_refcount_inc(CRYPTO_refcount_t *count);
-/* CRYPTO_refcount_dec_and_test_zero tests the value at |*count|:
- * if it's zero, it crashes the address space.
- * if it's the maximum value, it returns zero.
- * otherwise, it atomically decrements it and returns one iff the resulting
- * value is zero.
- *
- * It's safe for multiple threads to concurrently call this or
- * |CRYPTO_refcount_inc| on the same |CRYPTO_refcount_t|. */
+// CRYPTO_refcount_dec_and_test_zero tests the value at |*count|:
+// if it's zero, it crashes the address space.
+// if it's the maximum value, it returns zero.
+// otherwise, it atomically decrements it and returns one iff the resulting
+// value is zero.
+//
+// It's safe for multiple threads to concurrently call this or
+// |CRYPTO_refcount_inc| on the same |CRYPTO_refcount_t|.
OPENSSL_EXPORT int CRYPTO_refcount_dec_and_test_zero(CRYPTO_refcount_t *count);
-/* Locks.
- *
- * Two types of locks are defined: |CRYPTO_MUTEX|, which can be used in
- * structures as normal, and |struct CRYPTO_STATIC_MUTEX|, which can be used as
- * a global lock. A global lock must be initialised to the value
- * |CRYPTO_STATIC_MUTEX_INIT|.
- *
- * |CRYPTO_MUTEX| can appear in public structures and so is defined in
- * thread.h as a structure large enough to fit the real type. The global lock is
- * a different type so it may be initialized with platform initializer macros.*/
+// Locks.
+//
+// Two types of locks are defined: |CRYPTO_MUTEX|, which can be used in
+// structures as normal, and |struct CRYPTO_STATIC_MUTEX|, which can be used as
+// a global lock. A global lock must be initialised to the value
+// |CRYPTO_STATIC_MUTEX_INIT|.
+//
+// |CRYPTO_MUTEX| can appear in public structures and so is defined in
+// thread.h as a structure large enough to fit the real type. The global lock is
+// a different type so it may be initialized with platform initializer macros.
#if defined(OPENSSL_NO_THREADS)
struct CRYPTO_STATIC_MUTEX {
- char padding; /* Empty structs have different sizes in C and C++. */
+ char padding; // Empty structs have different sizes in C and C++.
};
#define CRYPTO_STATIC_MUTEX_INIT { 0 }
#elif defined(OPENSSL_WINDOWS_THREADS)
@@ -419,54 +418,90 @@
#error "Unknown threading library"
#endif
-/* CRYPTO_MUTEX_init initialises |lock|. If |lock| is a static variable, use a
- * |CRYPTO_STATIC_MUTEX|. */
+// CRYPTO_MUTEX_init initialises |lock|. If |lock| is a static variable, use a
+// |CRYPTO_STATIC_MUTEX|.
OPENSSL_EXPORT void CRYPTO_MUTEX_init(CRYPTO_MUTEX *lock);
-/* CRYPTO_MUTEX_lock_read locks |lock| such that other threads may also have a
- * read lock, but none may have a write lock. */
+// CRYPTO_MUTEX_lock_read locks |lock| such that other threads may also have a
+// read lock, but none may have a write lock.
OPENSSL_EXPORT void CRYPTO_MUTEX_lock_read(CRYPTO_MUTEX *lock);
-/* CRYPTO_MUTEX_lock_write locks |lock| such that no other thread has any type
- * of lock on it. */
+// CRYPTO_MUTEX_lock_write locks |lock| such that no other thread has any type
+// of lock on it.
OPENSSL_EXPORT void CRYPTO_MUTEX_lock_write(CRYPTO_MUTEX *lock);
-/* CRYPTO_MUTEX_unlock_read unlocks |lock| for reading. */
+// CRYPTO_MUTEX_unlock_read unlocks |lock| for reading.
OPENSSL_EXPORT void CRYPTO_MUTEX_unlock_read(CRYPTO_MUTEX *lock);
-/* CRYPTO_MUTEX_unlock_write unlocks |lock| for writing. */
+// CRYPTO_MUTEX_unlock_write unlocks |lock| for writing.
OPENSSL_EXPORT void CRYPTO_MUTEX_unlock_write(CRYPTO_MUTEX *lock);
-/* CRYPTO_MUTEX_cleanup releases all resources held by |lock|. */
+// CRYPTO_MUTEX_cleanup releases all resources held by |lock|.
OPENSSL_EXPORT void CRYPTO_MUTEX_cleanup(CRYPTO_MUTEX *lock);
-/* CRYPTO_STATIC_MUTEX_lock_read locks |lock| such that other threads may also
- * have a read lock, but none may have a write lock. The |lock| variable does
- * not need to be initialised by any function, but must have been statically
- * initialised with |CRYPTO_STATIC_MUTEX_INIT|. */
+// CRYPTO_STATIC_MUTEX_lock_read locks |lock| such that other threads may also
+// have a read lock, but none may have a write lock. The |lock| variable does
+// not need to be initialised by any function, but must have been statically
+// initialised with |CRYPTO_STATIC_MUTEX_INIT|.
OPENSSL_EXPORT void CRYPTO_STATIC_MUTEX_lock_read(
struct CRYPTO_STATIC_MUTEX *lock);
-/* CRYPTO_STATIC_MUTEX_lock_write locks |lock| such that no other thread has
- * any type of lock on it. The |lock| variable does not need to be initialised
- * by any function, but must have been statically initialised with
- * |CRYPTO_STATIC_MUTEX_INIT|. */
+// CRYPTO_STATIC_MUTEX_lock_write locks |lock| such that no other thread has
+// any type of lock on it. The |lock| variable does not need to be initialised
+// by any function, but must have been statically initialised with
+// |CRYPTO_STATIC_MUTEX_INIT|.
OPENSSL_EXPORT void CRYPTO_STATIC_MUTEX_lock_write(
struct CRYPTO_STATIC_MUTEX *lock);
-/* CRYPTO_STATIC_MUTEX_unlock_read unlocks |lock| for reading. */
+// CRYPTO_STATIC_MUTEX_unlock_read unlocks |lock| for reading.
OPENSSL_EXPORT void CRYPTO_STATIC_MUTEX_unlock_read(
struct CRYPTO_STATIC_MUTEX *lock);
-/* CRYPTO_STATIC_MUTEX_unlock_write unlocks |lock| for writing. */
+// CRYPTO_STATIC_MUTEX_unlock_write unlocks |lock| for writing.
OPENSSL_EXPORT void CRYPTO_STATIC_MUTEX_unlock_write(
struct CRYPTO_STATIC_MUTEX *lock);
+#if defined(__cplusplus)
+extern "C++" {
-/* Thread local storage. */
+namespace bssl {
-/* thread_local_data_t enumerates the types of thread-local data that can be
- * stored. */
+namespace internal {
+
+// MutexLockBase is a RAII helper for CRYPTO_MUTEX locking.
+template <void (*LockFunc)(CRYPTO_MUTEX *), void (*ReleaseFunc)(CRYPTO_MUTEX *)>
+class MutexLockBase {
+ public:
+ explicit MutexLockBase(CRYPTO_MUTEX *mu) : mu_(mu) {
+ assert(mu_ != nullptr);
+ LockFunc(mu_);
+ }
+ ~MutexLockBase() { ReleaseFunc(mu_); }
+ MutexLockBase(const MutexLockBase<LockFunc, ReleaseFunc> &) = delete;
+ MutexLockBase &operator=(const MutexLockBase<LockFunc, ReleaseFunc> &) =
+ delete;
+
+ private:
+ CRYPTO_MUTEX *const mu_;
+};
+
+} // namespace internal
+
+using MutexWriteLock =
+ internal::MutexLockBase<CRYPTO_MUTEX_lock_write, CRYPTO_MUTEX_unlock_write>;
+using MutexReadLock =
+ internal::MutexLockBase<CRYPTO_MUTEX_lock_read, CRYPTO_MUTEX_unlock_read>;
+
+} // namespace bssl
+
+} // extern "C++"
+#endif // defined(__cplusplus)
+
+
+// Thread local storage.
+
+// thread_local_data_t enumerates the types of thread-local data that can be
+// stored.
typedef enum {
OPENSSL_THREAD_LOCAL_ERR = 0,
OPENSSL_THREAD_LOCAL_RAND,
@@ -474,47 +509,47 @@
NUM_OPENSSL_THREAD_LOCALS,
} thread_local_data_t;
-/* thread_local_destructor_t is the type of a destructor function that will be
- * called when a thread exits and its thread-local storage needs to be freed. */
+// thread_local_destructor_t is the type of a destructor function that will be
+// called when a thread exits and its thread-local storage needs to be freed.
typedef void (*thread_local_destructor_t)(void *);
-/* CRYPTO_get_thread_local gets the pointer value that is stored for the
- * current thread for the given index, or NULL if none has been set. */
+// CRYPTO_get_thread_local gets the pointer value that is stored for the
+// current thread for the given index, or NULL if none has been set.
OPENSSL_EXPORT void *CRYPTO_get_thread_local(thread_local_data_t value);
-/* CRYPTO_set_thread_local sets a pointer value for the current thread at the
- * given index. This function should only be called once per thread for a given
- * |index|: rather than update the pointer value itself, update the data that
- * is pointed to.
- *
- * The destructor function will be called when a thread exits to free this
- * thread-local data. All calls to |CRYPTO_set_thread_local| with the same
- * |index| should have the same |destructor| argument. The destructor may be
- * called with a NULL argument if a thread that never set a thread-local
- * pointer for |index|, exits. The destructor may be called concurrently with
- * different arguments.
- *
- * This function returns one on success or zero on error. If it returns zero
- * then |destructor| has been called with |value| already. */
+// CRYPTO_set_thread_local sets a pointer value for the current thread at the
+// given index. This function should only be called once per thread for a given
+// |index|: rather than update the pointer value itself, update the data that
+// is pointed to.
+//
+// The destructor function will be called when a thread exits to free this
+// thread-local data. All calls to |CRYPTO_set_thread_local| with the same
+// |index| should have the same |destructor| argument. The destructor may be
+// called with a NULL argument if a thread that never set a thread-local
+// pointer for |index|, exits. The destructor may be called concurrently with
+// different arguments.
+//
+// This function returns one on success or zero on error. If it returns zero
+// then |destructor| has been called with |value| already.
OPENSSL_EXPORT int CRYPTO_set_thread_local(
thread_local_data_t index, void *value,
thread_local_destructor_t destructor);
-/* ex_data */
+// ex_data
typedef struct crypto_ex_data_func_st CRYPTO_EX_DATA_FUNCS;
DECLARE_STACK_OF(CRYPTO_EX_DATA_FUNCS)
-/* CRYPTO_EX_DATA_CLASS tracks the ex_indices registered for a type which
- * supports ex_data. It should defined as a static global within the module
- * which defines that type. */
+// CRYPTO_EX_DATA_CLASS tracks the ex_indices registered for a type which
+// supports ex_data. It should defined as a static global within the module
+// which defines that type.
typedef struct {
struct CRYPTO_STATIC_MUTEX lock;
STACK_OF(CRYPTO_EX_DATA_FUNCS) *meth;
- /* num_reserved is one if the ex_data index zero is reserved for legacy
- * |TYPE_get_app_data| functions. */
+ // num_reserved is one if the ex_data index zero is reserved for legacy
+ // |TYPE_get_app_data| functions.
uint8_t num_reserved;
} CRYPTO_EX_DATA_CLASS;
@@ -522,47 +557,47 @@
#define CRYPTO_EX_DATA_CLASS_INIT_WITH_APP_DATA \
{CRYPTO_STATIC_MUTEX_INIT, NULL, 1}
-/* CRYPTO_get_ex_new_index allocates a new index for |ex_data_class| and writes
- * it to |*out_index|. Each class of object should provide a wrapper function
- * that uses the correct |CRYPTO_EX_DATA_CLASS|. It returns one on success and
- * zero otherwise. */
+// CRYPTO_get_ex_new_index allocates a new index for |ex_data_class| and writes
+// it to |*out_index|. Each class of object should provide a wrapper function
+// that uses the correct |CRYPTO_EX_DATA_CLASS|. It returns one on success and
+// zero otherwise.
OPENSSL_EXPORT int CRYPTO_get_ex_new_index(CRYPTO_EX_DATA_CLASS *ex_data_class,
int *out_index, long argl,
void *argp,
CRYPTO_EX_free *free_func);
-/* CRYPTO_set_ex_data sets an extra data pointer on a given object. Each class
- * of object should provide a wrapper function. */
+// CRYPTO_set_ex_data sets an extra data pointer on a given object. Each class
+// of object should provide a wrapper function.
OPENSSL_EXPORT int CRYPTO_set_ex_data(CRYPTO_EX_DATA *ad, int index, void *val);
-/* CRYPTO_get_ex_data returns an extra data pointer for a given object, or NULL
- * if no such index exists. Each class of object should provide a wrapper
- * function. */
+// CRYPTO_get_ex_data returns an extra data pointer for a given object, or NULL
+// if no such index exists. Each class of object should provide a wrapper
+// function.
OPENSSL_EXPORT void *CRYPTO_get_ex_data(const CRYPTO_EX_DATA *ad, int index);
-/* CRYPTO_new_ex_data initialises a newly allocated |CRYPTO_EX_DATA|. */
+// CRYPTO_new_ex_data initialises a newly allocated |CRYPTO_EX_DATA|.
OPENSSL_EXPORT void CRYPTO_new_ex_data(CRYPTO_EX_DATA *ad);
-/* CRYPTO_free_ex_data frees |ad|, which is embedded inside |obj|, which is an
- * object of the given class. */
+// CRYPTO_free_ex_data frees |ad|, which is embedded inside |obj|, which is an
+// object of the given class.
OPENSSL_EXPORT void CRYPTO_free_ex_data(CRYPTO_EX_DATA_CLASS *ex_data_class,
void *obj, CRYPTO_EX_DATA *ad);
-/* Language bug workarounds.
- *
- * Most C standard library functions are undefined if passed NULL, even when the
- * corresponding length is zero. This gives them (and, in turn, all functions
- * which call them) surprising behavior on empty arrays. Some compilers will
- * miscompile code due to this rule. See also
- * https://www.imperialviolet.org/2016/06/26/nonnull.html
- *
- * These wrapper functions behave the same as the corresponding C standard
- * functions, but behave as expected when passed NULL if the length is zero.
- *
- * Note |OPENSSL_memcmp| is a different function from |CRYPTO_memcmp|. */
+// Language bug workarounds.
+//
+// Most C standard library functions are undefined if passed NULL, even when the
+// corresponding length is zero. This gives them (and, in turn, all functions
+// which call them) surprising behavior on empty arrays. Some compilers will
+// miscompile code due to this rule. See also
+// https://www.imperialviolet.org/2016/06/26/nonnull.html
+//
+// These wrapper functions behave the same as the corresponding C standard
+// functions, but behave as expected when passed NULL if the length is zero.
+//
+// Note |OPENSSL_memcmp| is a different function from |CRYPTO_memcmp|.
-/* C++ defines |memchr| as a const-correct overload. */
+// C++ defines |memchr| as a const-correct overload.
#if defined(__cplusplus)
extern "C++" {
@@ -582,8 +617,8 @@
return memchr(s, c, n);
}
-} /* extern "C++" */
-#else /* __cplusplus */
+} // extern "C++"
+#else // __cplusplus
static inline void *OPENSSL_memchr(const void *s, int c, size_t n) {
if (n == 0) {
@@ -593,7 +628,7 @@
return memchr(s, c, n);
}
-#endif /* __cplusplus */
+#endif // __cplusplus
static inline int OPENSSL_memcmp(const void *s1, const void *s2, size_t n) {
if (n == 0) {
@@ -628,14 +663,14 @@
}
#if defined(BORINGSSL_FIPS)
-/* BORINGSSL_FIPS_abort is called when a FIPS power-on or continuous test
- * fails. It prevents any further cryptographic operations by the current
- * process. */
+// BORINGSSL_FIPS_abort is called when a FIPS power-on or continuous test
+// fails. It prevents any further cryptographic operations by the current
+// process.
void BORINGSSL_FIPS_abort(void) __attribute__((noreturn));
#endif
#if defined(__cplusplus)
-} /* extern C */
+} // extern C
#endif
-#endif /* OPENSSL_HEADER_CRYPTO_INTERNAL_H */
+#endif // OPENSSL_HEADER_CRYPTO_INTERNAL_H
diff --git a/src/crypto/lhash/lhash.c b/src/crypto/lhash/lhash.c
index 27960d9..5054529 100644
--- a/src/crypto/lhash/lhash.c
+++ b/src/crypto/lhash/lhash.c
@@ -65,11 +65,11 @@
#include "../internal.h"
-/* kMinNumBuckets is the minimum size of the buckets array in an |_LHASH|. */
+// kMinNumBuckets is the minimum size of the buckets array in an |_LHASH|.
static const size_t kMinNumBuckets = 16;
-/* kMaxAverageChainLength contains the maximum, average chain length. When the
- * average chain length exceeds this value, the hash table will be resized. */
+// kMaxAverageChainLength contains the maximum, average chain length. When the
+// average chain length exceeds this value, the hash table will be resized.
static const size_t kMaxAverageChainLength = 2;
static const size_t kMinAverageChainLength = 1;
@@ -112,13 +112,13 @@
size_t lh_num_items(const _LHASH *lh) { return lh->num_items; }
-/* get_next_ptr_and_hash returns a pointer to the pointer that points to the
- * item equal to |data|. In other words, it searches for an item equal to |data|
- * and, if it's at the start of a chain, then it returns a pointer to an
- * element of |lh->buckets|, otherwise it returns a pointer to the |next|
- * element of the previous item in the chain. If an element equal to |data| is
- * not found, it returns a pointer that points to a NULL pointer. If |out_hash|
- * is not NULL, then it also puts the hash value of |data| in |*out_hash|. */
+// get_next_ptr_and_hash returns a pointer to the pointer that points to the
+// item equal to |data|. In other words, it searches for an item equal to |data|
+// and, if it's at the start of a chain, then it returns a pointer to an
+// element of |lh->buckets|, otherwise it returns a pointer to the |next|
+// element of the previous item in the chain. If an element equal to |data| is
+// not found, it returns a pointer that points to a NULL pointer. If |out_hash|
+// is not NULL, then it also puts the hash value of |data| in |*out_hash|.
static LHASH_ITEM **get_next_ptr_and_hash(const _LHASH *lh, uint32_t *out_hash,
const void *data) {
const uint32_t hash = lh->hash(data);
@@ -151,9 +151,9 @@
return (*next_ptr)->data;
}
-/* lh_rebucket allocates a new array of |new_num_buckets| pointers and
- * redistributes the existing items into it before making it |lh->buckets| and
- * freeing the old array. */
+// lh_rebucket allocates a new array of |new_num_buckets| pointers and
+// redistributes the existing items into it before making it |lh->buckets| and
+// freeing the old array.
static void lh_rebucket(_LHASH *lh, const size_t new_num_buckets) {
LHASH_ITEM **new_buckets, *cur, *next;
size_t i, alloc_size;
@@ -184,12 +184,12 @@
lh->buckets = new_buckets;
}
-/* lh_maybe_resize resizes the |buckets| array if needed. */
+// lh_maybe_resize resizes the |buckets| array if needed.
static void lh_maybe_resize(_LHASH *lh) {
size_t avg_chain_length;
if (lh->callback_depth > 0) {
- /* Don't resize the hash if we are currently iterating over it. */
+ // Don't resize the hash if we are currently iterating over it.
return;
}
@@ -223,14 +223,14 @@
if (*next_ptr != NULL) {
- /* An element equal to |data| already exists in the hash table. It will be
- * replaced. */
+ // An element equal to |data| already exists in the hash table. It will be
+ // replaced.
*old_data = (*next_ptr)->data;
(*next_ptr)->data = data;
return 1;
}
- /* An element equal to |data| doesn't exist in the hash table yet. */
+ // An element equal to |data| doesn't exist in the hash table yet.
item = OPENSSL_malloc(sizeof(LHASH_ITEM));
if (item == NULL) {
return 0;
@@ -252,7 +252,7 @@
next_ptr = get_next_ptr_and_hash(lh, NULL, data);
if (*next_ptr == NULL) {
- /* No such element. */
+ // No such element.
return NULL;
}
@@ -274,7 +274,7 @@
}
if (lh->callback_depth < UINT_MAX) {
- /* |callback_depth| is a saturating counter. */
+ // |callback_depth| is a saturating counter.
lh->callback_depth++;
}
@@ -294,9 +294,9 @@
lh->callback_depth--;
}
- /* The callback may have added or removed elements and the non-zero value of
- * |callback_depth| will have suppressed any resizing. Thus any needed
- * resizing is done here. */
+ // The callback may have added or removed elements and the non-zero value of
+ // |callback_depth| will have suppressed any resizing. Thus any needed
+ // resizing is done here.
lh_maybe_resize(lh);
}
@@ -309,28 +309,9 @@
}
uint32_t lh_strhash(const char *c) {
- /* The following hash seems to work very well on normal text strings
- * no collisions on /usr/dict/words and it distributes on %2^n quite
- * well, not as good as MD5, but still good. */
- unsigned long ret = 0;
- long n;
- unsigned long v;
- int r;
-
- if ((c == NULL) || (*c == '\0')) {
- return (ret);
+ if (c == NULL) {
+ return 0;
}
- n = 0x100;
- while (*c) {
- v = n | (*c);
- n += 0x100;
- r = (int)((v >> 2) ^ v) & 0x0f;
- ret = (ret << r) | (ret >> (32 - r));
- ret &= 0xFFFFFFFFL;
- ret ^= v * v;
- c++;
- }
-
- return ((ret >> 16) ^ ret);
+ return OPENSSL_hash32(c, strlen(c));
}
diff --git a/src/crypto/mem.c b/src/crypto/mem.c
index f451a12..576ab7f 100644
--- a/src/crypto/mem.c
+++ b/src/crypto/mem.c
@@ -55,7 +55,7 @@
* [including the GNU Public Licence.] */
#if !defined(_POSIX_C_SOURCE)
-#define _POSIX_C_SOURCE 201410L /* needed for strdup, snprintf, vprintf etc */
+#define _POSIX_C_SOURCE 201410L // needed for strdup, snprintf, vprintf etc
#endif
#include <openssl/mem.h>
@@ -85,8 +85,8 @@
return NULL;
}
- /* We don't support shrinking the buffer. Note the memcpy that copies
- * |old_size| bytes to the new buffer, below. */
+ // We don't support shrinking the buffer. Note the memcpy that copies
+ // |old_size| bytes to the new buffer, below.
if (new_size < old_size) {
return NULL;
}
@@ -114,7 +114,7 @@
detect memset_s, it would be better to use that. */
__asm__ __volatile__("" : : "r"(ptr) : "memory");
#endif
-#endif /* !OPENSSL_NO_ASM */
+#endif // !OPENSSL_NO_ASM
}
int CRYPTO_memcmp(const void *in_a, const void *in_b, size_t len) {
@@ -130,7 +130,7 @@
}
uint32_t OPENSSL_hash32(const void *ptr, size_t len) {
- /* These are the FNV-1a parameters for 32 bits. */
+ // These are the FNV-1a parameters for 32 bits.
static const uint32_t kPrime = 16777619u;
static const uint32_t kOffsetBasis = 2166136261u;
diff --git a/src/crypto/obj/obj.c b/src/crypto/obj/obj.c
index 173257f..3968515 100644
--- a/src/crypto/obj/obj.c
+++ b/src/crypto/obj/obj.c
@@ -77,7 +77,7 @@
static struct CRYPTO_STATIC_MUTEX global_added_lock = CRYPTO_STATIC_MUTEX_INIT;
-/* These globals are protected by |global_added_lock|. */
+// These globals are protected by |global_added_lock|.
static LHASH_OF(ASN1_OBJECT) *global_added_by_data = NULL;
static LHASH_OF(ASN1_OBJECT) *global_added_by_nid = NULL;
static LHASH_OF(ASN1_OBJECT) *global_added_by_short_name = NULL;
@@ -107,7 +107,7 @@
}
if (!(o->flags & ASN1_OBJECT_FLAG_DYNAMIC)) {
- /* TODO(fork): this is a little dangerous. */
+ // TODO(fork): this is a little dangerous.
return (ASN1_OBJECT *)o;
}
@@ -126,7 +126,7 @@
OPENSSL_memcpy(data, o->data, o->length);
}
- /* once data is attached to an object, it remains const */
+ // once data is attached to an object, it remains const
r->data = data;
r->length = o->length;
r->nid = o->nid;
@@ -172,9 +172,9 @@
return OPENSSL_memcmp(a->data, b->data, a->length);
}
-/* obj_cmp is called to search the kNIDsInOIDOrder array. The |key| argument is
- * an |ASN1_OBJECT|* that we're looking for and |element| is a pointer to an
- * unsigned int in the array. */
+// obj_cmp is called to search the kNIDsInOIDOrder array. The |key| argument is
+// an |ASN1_OBJECT|* that we're looking for and |element| is a pointer to an
+// unsigned int in the array.
static int obj_cmp(const void *key, const void *element) {
unsigned nid = *((const unsigned*) element);
const ASN1_OBJECT *a = key;
@@ -233,9 +233,9 @@
return OBJ_obj2nid(&obj);
}
-/* short_name_cmp is called to search the kNIDsInShortNameOrder array. The
- * |key| argument is name that we're looking for and |element| is a pointer to
- * an unsigned int in the array. */
+// short_name_cmp is called to search the kNIDsInShortNameOrder array. The
+// |key| argument is name that we're looking for and |element| is a pointer to
+// an unsigned int in the array.
static int short_name_cmp(const void *key, const void *element) {
const char *name = (const char *) key;
unsigned nid = *((unsigned*) element);
@@ -269,9 +269,9 @@
return kObjects[*nid_ptr].nid;
}
-/* long_name_cmp is called to search the kNIDsInLongNameOrder array. The
- * |key| argument is name that we're looking for and |element| is a pointer to
- * an unsigned int in the array. */
+// long_name_cmp is called to search the kNIDsInLongNameOrder array. The
+// |key| argument is name that we're looking for and |element| is a pointer to
+// an unsigned int in the array.
static int long_name_cmp(const void *key, const void *element) {
const char *name = (const char *) key;
unsigned nid = *((unsigned*) element);
@@ -392,12 +392,12 @@
}
}
- /* Work out size of content octets */
+ // Work out size of content octets
contents_len = a2d_ASN1_OBJECT(NULL, 0, s, -1);
if (contents_len <= 0) {
return NULL;
}
- /* Work out total size */
+ // Work out total size
total_len = ASN1_object_size(0, contents_len, V_ASN1_OBJECT);
buf = OPENSSL_malloc(total_len);
@@ -407,9 +407,9 @@
}
p = buf;
- /* Write out tag+length */
+ // Write out tag+length
ASN1_put_object(&p, 0, contents_len, V_ASN1_OBJECT, V_ASN1_UNIVERSAL);
- /* Write out contents */
+ // Write out contents
a2d_ASN1_OBJECT(p, contents_len, s, -1);
bufp = buf;
@@ -436,16 +436,16 @@
return 0;
}
if ((v >> (64 - 7)) != 0) {
- /* The component is too large. */
+ // The component is too large.
return 0;
}
if (v == 0 && b == 0x80) {
- /* The component must be minimally encoded. */
+ // The component must be minimally encoded.
return 0;
}
v = (v << 7) | (b & 0x7f);
- /* Components end at an octet with the high bit cleared. */
+ // Components end at an octet with the high bit cleared.
} while (b & 0x80);
*out = v;
@@ -460,8 +460,8 @@
int OBJ_obj2txt(char *out, int out_len, const ASN1_OBJECT *obj,
int always_return_oid) {
- /* Python depends on the empty OID successfully encoding as the empty
- * string. */
+ // Python depends on the empty OID successfully encoding as the empty
+ // string.
if (obj == NULL || obj->length == 0) {
return strlcpy_int(out, "", out_len);
}
@@ -487,7 +487,7 @@
CBS cbs;
CBS_init(&cbs, obj->data, obj->length);
- /* The first component is 40 * value1 + value2, where value1 is 0, 1, or 2. */
+ // The first component is 40 * value1 + value2, where value1 is 0, 1, or 2.
uint64_t v;
if (!parse_oid_component(&cbs, &v)) {
goto err;
@@ -567,8 +567,8 @@
return strcmp(a->ln, b->ln);
}
-/* obj_add_object inserts |obj| into the various global hashes for run-time
- * added objects. It returns one on success or zero otherwise. */
+// obj_add_object inserts |obj| into the various global hashes for run-time
+// added objects. It returns one on success or zero otherwise.
static int obj_add_object(ASN1_OBJECT *obj) {
int ok;
ASN1_OBJECT *old_object;
@@ -584,10 +584,10 @@
global_added_by_long_name = lh_ASN1_OBJECT_new(hash_long_name, cmp_long_name);
}
- /* We don't pay attention to |old_object| (which contains any previous object
- * that was evicted from the hashes) because we don't have a reference count
- * on ASN1_OBJECT values. Also, we should never have duplicates nids and so
- * should always have objects in |global_added_by_nid|. */
+ // We don't pay attention to |old_object| (which contains any previous object
+ // that was evicted from the hashes) because we don't have a reference count
+ // on ASN1_OBJECT values. Also, we should never have duplicates nids and so
+ // should always have objects in |global_added_by_nid|.
ok = lh_ASN1_OBJECT_insert(global_added_by_nid, &old_object, obj);
if (obj->length != 0 && obj->data != NULL) {
diff --git a/src/crypto/obj/obj_xref.c b/src/crypto/obj/obj_xref.c
index 6136e99..21bde27 100644
--- a/src/crypto/obj/obj_xref.c
+++ b/src/crypto/obj/obj_xref.c
@@ -66,7 +66,7 @@
} nid_triple;
static const nid_triple kTriples[] = {
- /* RSA PKCS#1. */
+ // RSA PKCS#1.
{NID_md4WithRSAEncryption, NID_md4, NID_rsaEncryption},
{NID_md5WithRSAEncryption, NID_md5, NID_rsaEncryption},
{NID_sha1WithRSAEncryption, NID_sha1, NID_rsaEncryption},
@@ -74,19 +74,19 @@
{NID_sha256WithRSAEncryption, NID_sha256, NID_rsaEncryption},
{NID_sha384WithRSAEncryption, NID_sha384, NID_rsaEncryption},
{NID_sha512WithRSAEncryption, NID_sha512, NID_rsaEncryption},
- /* DSA. */
+ // DSA.
{NID_dsaWithSHA1, NID_sha1, NID_dsa},
{NID_dsaWithSHA1_2, NID_sha1, NID_dsa_2},
{NID_dsa_with_SHA224, NID_sha224, NID_dsa},
{NID_dsa_with_SHA256, NID_sha256, NID_dsa},
- /* ECDSA. */
+ // ECDSA.
{NID_ecdsa_with_SHA1, NID_sha1, NID_X9_62_id_ecPublicKey},
{NID_ecdsa_with_SHA224, NID_sha224, NID_X9_62_id_ecPublicKey},
{NID_ecdsa_with_SHA256, NID_sha256, NID_X9_62_id_ecPublicKey},
{NID_ecdsa_with_SHA384, NID_sha384, NID_X9_62_id_ecPublicKey},
{NID_ecdsa_with_SHA512, NID_sha512, NID_X9_62_id_ecPublicKey},
- /* The following algorithms use more complex (or simpler) parameters. The
- * digest "undef" indicates the caller should handle this explicitly. */
+ // The following algorithms use more complex (or simpler) parameters. The
+ // digest "undef" indicates the caller should handle this explicitly.
{NID_rsassaPss, NID_undef, NID_rsaEncryption},
{NID_ED25519, NID_undef, NID_ED25519},
};
diff --git a/src/crypto/pkcs7/internal.h b/src/crypto/pkcs7/internal.h
index 9ca2a29..9541bea 100644
--- a/src/crypto/pkcs7/internal.h
+++ b/src/crypto/pkcs7/internal.h
@@ -22,28 +22,28 @@
#endif
-/* pkcs7_parse_header reads the non-certificate/non-CRL prefix of a PKCS#7
- * SignedData blob from |cbs| and sets |*out| to point to the rest of the
- * input. If the input is in BER format, then |*der_bytes| will be set to a
- * pointer that needs to be freed by the caller once they have finished
- * processing |*out| (which will be pointing into |*der_bytes|).
- *
- * It returns one on success or zero on error. On error, |*der_bytes| is
- * NULL. */
+// pkcs7_parse_header reads the non-certificate/non-CRL prefix of a PKCS#7
+// SignedData blob from |cbs| and sets |*out| to point to the rest of the
+// input. If the input is in BER format, then |*der_bytes| will be set to a
+// pointer that needs to be freed by the caller once they have finished
+// processing |*out| (which will be pointing into |*der_bytes|).
+//
+// It returns one on success or zero on error. On error, |*der_bytes| is
+// NULL.
int pkcs7_parse_header(uint8_t **der_bytes, CBS *out, CBS *cbs);
-/* pkcs7_bundle writes a PKCS#7, SignedData structure to |out| and then calls
- * |cb| with a CBB to which certificate or CRL data can be written, and the
- * opaque context pointer, |arg|. The callback can return zero to indicate an
- * error.
- *
- * pkcs7_bundle returns one on success or zero on error. */
+// pkcs7_bundle writes a PKCS#7, SignedData structure to |out| and then calls
+// |cb| with a CBB to which certificate or CRL data can be written, and the
+// opaque context pointer, |arg|. The callback can return zero to indicate an
+// error.
+//
+// pkcs7_bundle returns one on success or zero on error.
int pkcs7_bundle(CBB *out, int (*cb)(CBB *out, const void *arg),
const void *arg);
#if defined(__cplusplus)
-} /* extern C */
+} // extern C
#endif
-#endif /* OPENSSL_HEADER_PKCS7_INTERNAL_H */
+#endif // OPENSSL_HEADER_PKCS7_INTERNAL_H
diff --git a/src/crypto/pkcs7/pkcs7.c b/src/crypto/pkcs7/pkcs7.c
index 1b7e1cb..fc175a9 100644
--- a/src/crypto/pkcs7/pkcs7.c
+++ b/src/crypto/pkcs7/pkcs7.c
@@ -24,28 +24,28 @@
#include "../bytestring/internal.h"
-/* 1.2.840.113549.1.7.1 */
+// 1.2.840.113549.1.7.1
static const uint8_t kPKCS7Data[] = {0x2a, 0x86, 0x48, 0x86, 0xf7,
0x0d, 0x01, 0x07, 0x01};
-/* 1.2.840.113549.1.7.2 */
+// 1.2.840.113549.1.7.2
static const uint8_t kPKCS7SignedData[] = {0x2a, 0x86, 0x48, 0x86, 0xf7,
0x0d, 0x01, 0x07, 0x02};
-/* pkcs7_parse_header reads the non-certificate/non-CRL prefix of a PKCS#7
- * SignedData blob from |cbs| and sets |*out| to point to the rest of the
- * input. If the input is in BER format, then |*der_bytes| will be set to a
- * pointer that needs to be freed by the caller once they have finished
- * processing |*out| (which will be pointing into |*der_bytes|).
- *
- * It returns one on success or zero on error. On error, |*der_bytes| is
- * NULL. */
+// pkcs7_parse_header reads the non-certificate/non-CRL prefix of a PKCS#7
+// SignedData blob from |cbs| and sets |*out| to point to the rest of the
+// input. If the input is in BER format, then |*der_bytes| will be set to a
+// pointer that needs to be freed by the caller once they have finished
+// processing |*out| (which will be pointing into |*der_bytes|).
+//
+// It returns one on success or zero on error. On error, |*der_bytes| is
+// NULL.
int pkcs7_parse_header(uint8_t **der_bytes, CBS *out, CBS *cbs) {
size_t der_len;
CBS in, content_info, content_type, wrapped_signed_data, signed_data;
uint64_t version;
- /* The input may be in BER format. */
+ // The input may be in BER format.
*der_bytes = NULL;
if (!CBS_asn1_ber_to_der(cbs, der_bytes, &der_len)) {
return 0;
@@ -56,7 +56,7 @@
CBS_init(&in, CBS_data(cbs), CBS_len(cbs));
}
- /* See https://tools.ietf.org/html/rfc2315#section-7 */
+ // See https://tools.ietf.org/html/rfc2315#section-7
if (!CBS_get_asn1(&in, &content_info, CBS_ASN1_SEQUENCE) ||
!CBS_get_asn1(&content_info, &content_type, CBS_ASN1_OBJECT)) {
goto err;
@@ -68,7 +68,7 @@
goto err;
}
- /* See https://tools.ietf.org/html/rfc2315#section-9.1 */
+ // See https://tools.ietf.org/html/rfc2315#section-9.1
if (!CBS_get_asn1(&content_info, &wrapped_signed_data,
CBS_ASN1_CONTEXT_SPECIFIC | CBS_ASN1_CONSTRUCTED | 0) ||
!CBS_get_asn1(&wrapped_signed_data, &signed_data, CBS_ASN1_SEQUENCE) ||
@@ -103,7 +103,7 @@
return 0;
}
- /* See https://tools.ietf.org/html/rfc2315#section-9.1 */
+ // See https://tools.ietf.org/html/rfc2315#section-9.1
if (!CBS_get_asn1(&signed_data, &certificates,
CBS_ASN1_CONTEXT_SPECIFIC | CBS_ASN1_CONSTRUCTED | 0)) {
OPENSSL_PUT_ERROR(PKCS7, PKCS7_R_NO_CERTIFICATES_INCLUDED);
@@ -144,13 +144,13 @@
CBB outer_seq, oid, wrapped_seq, seq, version_bytes, digest_algos_set,
content_info;
- /* See https://tools.ietf.org/html/rfc2315#section-7 */
+ // See https://tools.ietf.org/html/rfc2315#section-7
if (!CBB_add_asn1(out, &outer_seq, CBS_ASN1_SEQUENCE) ||
!CBB_add_asn1(&outer_seq, &oid, CBS_ASN1_OBJECT) ||
!CBB_add_bytes(&oid, kPKCS7SignedData, sizeof(kPKCS7SignedData)) ||
!CBB_add_asn1(&outer_seq, &wrapped_seq,
CBS_ASN1_CONTEXT_SPECIFIC | CBS_ASN1_CONSTRUCTED | 0) ||
- /* See https://tools.ietf.org/html/rfc2315#section-9.1 */
+ // See https://tools.ietf.org/html/rfc2315#section-9.1
!CBB_add_asn1(&wrapped_seq, &seq, CBS_ASN1_SEQUENCE) ||
!CBB_add_asn1(&seq, &version_bytes, CBS_ASN1_INTEGER) ||
!CBB_add_u8(&version_bytes, 1) ||
diff --git a/src/crypto/pkcs7/pkcs7_test.cc b/src/crypto/pkcs7/pkcs7_test.cc
index 544dffc..54f7e8a 100644
--- a/src/crypto/pkcs7/pkcs7_test.cc
+++ b/src/crypto/pkcs7/pkcs7_test.cc
@@ -25,8 +25,8 @@
#include "../test/test_util.h"
-/* kPKCS7NSS contains the certificate chain of mail.google.com, as saved by NSS
- * using the Chrome UI. */
+// kPKCS7NSS contains the certificate chain of mail.google.com, as saved by NSS
+// using the Chrome UI.
static const uint8_t kPKCS7NSS[] = {
0x30, 0x80, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x07,
0x02, 0xa0, 0x80, 0x30, 0x80, 0x02, 0x01, 0x01, 0x31, 0x00, 0x30, 0x80,
@@ -272,7 +272,7 @@
0x00, 0x00, 0x00,
};
-/* kPKCS7Windows is the Equifax root certificate, as exported by Windows 7. */
+// kPKCS7Windows is the Equifax root certificate, as exported by Windows 7.
static const uint8_t kPKCS7Windows[] = {
0x30, 0x82, 0x02, 0xb1, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d,
0x01, 0x07, 0x02, 0xa0, 0x82, 0x02, 0xa2, 0x30, 0x82, 0x02, 0x9e, 0x02,
@@ -334,8 +334,8 @@
0xcd, 0x5a, 0x2a, 0x82, 0xb2, 0x37, 0x79, 0x31, 0x00,
};
-/* kOpenSSLCRL is the Equifax CRL, converted to PKCS#7 form by:
- * openssl crl2pkcs7 -inform DER -in secureca.crl */
+// kOpenSSLCRL is the Equifax CRL, converted to PKCS#7 form by:
+// openssl crl2pkcs7 -inform DER -in secureca.crl
static const uint8_t kOpenSSLCRL[] = {
0x30, 0x82, 0x03, 0x85, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d,
0x01, 0x07, 0x02, 0xa0, 0x82, 0x03, 0x76, 0x30, 0x82, 0x03, 0x72, 0x02,
@@ -415,9 +415,9 @@
0xf0, 0x00, 0x54, 0x31, 0x00,
};
-/* kPEMCert is the result of exporting the mail.google.com certificate from
- * Chrome and then running it through:
- * openssl pkcs7 -inform DER -in mail.google.com -outform PEM */
+// kPEMCert is the result of exporting the mail.google.com certificate from
+// Chrome and then running it through:
+// openssl pkcs7 -inform DER -in mail.google.com -outform PEM
static const char kPEMCert[] =
"-----BEGIN PKCS7-----\n"
"MIID+wYJKoZIhvcNAQcCoIID7DCCA+gCAQExADALBgkqhkiG9w0BBwGgggPQMIID\n"
diff --git a/src/crypto/pkcs7/pkcs7_x509.c b/src/crypto/pkcs7/pkcs7_x509.c
index f2a49a7..7bc39d2 100644
--- a/src/crypto/pkcs7/pkcs7_x509.c
+++ b/src/crypto/pkcs7/pkcs7_x509.c
@@ -71,10 +71,10 @@
return 0;
}
- /* See https://tools.ietf.org/html/rfc2315#section-9.1 */
+ // See https://tools.ietf.org/html/rfc2315#section-9.1
- /* Even if only CRLs are included, there may be an empty certificates block.
- * OpenSSL does this, for example. */
+ // Even if only CRLs are included, there may be an empty certificates block.
+ // OpenSSL does this, for example.
if (CBS_peek_asn1_tag(&signed_data,
CBS_ASN1_CONTEXT_SPECIFIC | CBS_ASN1_CONSTRUCTED | 0) &&
!CBS_get_asn1(&signed_data, NULL /* certificates */,
@@ -133,9 +133,9 @@
long len;
int ret;
- /* Even though we pass PEM_STRING_PKCS7 as the expected PEM type here, PEM
- * internally will actually allow several other values too, including
- * "CERTIFICATE". */
+ // Even though we pass PEM_STRING_PKCS7 as the expected PEM type here, PEM
+ // internally will actually allow several other values too, including
+ // "CERTIFICATE".
if (!PEM_bytes_read_bio(&data, &len, NULL /* PEM type output */,
PEM_STRING_PKCS7, pem_bio,
NULL /* password callback */,
@@ -155,9 +155,9 @@
long len;
int ret;
- /* Even though we pass PEM_STRING_PKCS7 as the expected PEM type here, PEM
- * internally will actually allow several other values too, including
- * "CERTIFICATE". */
+ // Even though we pass PEM_STRING_PKCS7 as the expected PEM type here, PEM
+ // internally will actually allow several other values too, including
+ // "CERTIFICATE".
if (!PEM_bytes_read_bio(&data, &len, NULL /* PEM type output */,
PEM_STRING_PKCS7, pem_bio,
NULL /* password callback */,
@@ -177,7 +177,7 @@
size_t i;
CBB certificates;
- /* See https://tools.ietf.org/html/rfc2315#section-9.1 */
+ // See https://tools.ietf.org/html/rfc2315#section-9.1
if (!CBB_add_asn1(out, &certificates,
CBS_ASN1_CONTEXT_SPECIFIC | CBS_ASN1_CONSTRUCTED | 0)) {
return 0;
@@ -207,7 +207,7 @@
size_t i;
CBB crl_data;
- /* See https://tools.ietf.org/html/rfc2315#section-9.1 */
+ // See https://tools.ietf.org/html/rfc2315#section-9.1
if (!CBB_add_asn1(out, &crl_data,
CBS_ASN1_CONTEXT_SPECIFIC | CBS_ASN1_CONSTRUCTED | 1)) {
return 0;
diff --git a/src/crypto/pkcs8/internal.h b/src/crypto/pkcs8/internal.h
index 583997d..9399489 100644
--- a/src/crypto/pkcs8/internal.h
+++ b/src/crypto/pkcs8/internal.h
@@ -63,10 +63,10 @@
#endif
-/* pkcs8_pbe_decrypt decrypts |in| using the PBE scheme described by
- * |algorithm|, which should be a serialized AlgorithmIdentifier structure. On
- * success, it sets |*out| to a newly-allocated buffer containing the decrypted
- * result and returns one. Otherwise, it returns zero. */
+// pkcs8_pbe_decrypt decrypts |in| using the PBE scheme described by
+// |algorithm|, which should be a serialized AlgorithmIdentifier structure. On
+// success, it sets |*out| to a newly-allocated buffer containing the decrypted
+// result and returns one. Otherwise, it returns zero.
int pkcs8_pbe_decrypt(uint8_t **out, size_t *out_len, CBS *algorithm,
const char *pass, size_t pass_len, const uint8_t *in,
size_t in_len);
@@ -75,10 +75,10 @@
#define PKCS12_IV_ID 2
#define PKCS12_MAC_ID 3
-/* pkcs12_key_gen runs the PKCS#12 key derivation function as specified in
- * RFC 7292, appendix B. On success, it writes the resulting |out_len| bytes of
- * key material to |out| and returns one. Otherwise, it returns zero. |id|
- * should be one of the |PKCS12_*_ID| values. */
+// pkcs12_key_gen runs the PKCS#12 key derivation function as specified in
+// RFC 7292, appendix B. On success, it writes the resulting |out_len| bytes of
+// key material to |out| and returns one. Otherwise, it returns zero. |id|
+// should be one of the |PKCS12_*_ID| values.
int pkcs12_key_gen(const char *pass, size_t pass_len, const uint8_t *salt,
size_t salt_len, uint8_t id, unsigned iterations,
size_t out_len, uint8_t *out, const EVP_MD *md);
@@ -89,11 +89,11 @@
uint8_t oid_len;
const EVP_CIPHER *(*cipher_func)(void);
const EVP_MD *(*md_func)(void);
- /* decrypt_init initialize |ctx| for decrypting. The password is specified by
- * |pass| and |pass_len|. |param| contains the serialized parameters field of
- * the AlgorithmIdentifier.
- *
- * It returns one on success and zero on error. */
+ // decrypt_init initialize |ctx| for decrypting. The password is specified by
+ // |pass| and |pass_len|. |param| contains the serialized parameters field of
+ // the AlgorithmIdentifier.
+ //
+ // It returns one on success and zero on error.
int (*decrypt_init)(const struct pbe_suite *suite, EVP_CIPHER_CTX *ctx,
const char *pass, size_t pass_len, CBS *param);
};
@@ -104,9 +104,9 @@
int PKCS5_pbe2_decrypt_init(const struct pbe_suite *suite, EVP_CIPHER_CTX *ctx,
const char *pass, size_t pass_len, CBS *param);
-/* PKCS5_pbe2_encrypt_init configures |ctx| for encrypting with PKCS #5 PBES2,
- * as defined in RFC 2998, with the specified parameters. It writes the
- * corresponding AlgorithmIdentifier to |out|. */
+// PKCS5_pbe2_encrypt_init configures |ctx| for encrypting with PKCS #5 PBES2,
+// as defined in RFC 2998, with the specified parameters. It writes the
+// corresponding AlgorithmIdentifier to |out|.
int PKCS5_pbe2_encrypt_init(CBB *out, EVP_CIPHER_CTX *ctx,
const EVP_CIPHER *cipher, unsigned iterations,
const char *pass, size_t pass_len,
@@ -114,7 +114,7 @@
#if defined(__cplusplus)
-} /* extern C */
+} // extern C
#endif
-#endif /* OPENSSL_HEADER_PKCS8_INTERNAL_H */
+#endif // OPENSSL_HEADER_PKCS8_INTERNAL_H
diff --git a/src/crypto/pkcs8/p5_pbev2.c b/src/crypto/pkcs8/p5_pbev2.c
index 29d8929..6686cf3 100644
--- a/src/crypto/pkcs8/p5_pbev2.c
+++ b/src/crypto/pkcs8/p5_pbev2.c
@@ -69,15 +69,15 @@
#include "../internal.h"
-/* 1.2.840.113549.1.5.12 */
+// 1.2.840.113549.1.5.12
static const uint8_t kPBKDF2[] = {0x2a, 0x86, 0x48, 0x86, 0xf7,
0x0d, 0x01, 0x05, 0x0c};
-/* 1.2.840.113549.1.5.13 */
+// 1.2.840.113549.1.5.13
static const uint8_t kPBES2[] = {0x2a, 0x86, 0x48, 0x86, 0xf7,
0x0d, 0x01, 0x05, 0x0d};
-/* 1.2.840.113549.2.7 */
+// 1.2.840.113549.2.7
static const uint8_t kHMACWithSHA1[] = {0x2a, 0x86, 0x48, 0x86,
0xf7, 0x0d, 0x02, 0x07};
@@ -87,27 +87,27 @@
int nid;
const EVP_CIPHER *(*cipher_func)(void);
} kCipherOIDs[] = {
- /* 1.2.840.113549.3.2 */
+ // 1.2.840.113549.3.2
{{0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x03, 0x02},
8,
NID_rc2_cbc,
&EVP_rc2_cbc},
- /* 1.2.840.113549.3.7 */
+ // 1.2.840.113549.3.7
{{0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x03, 0x07},
8,
NID_des_ede3_cbc,
&EVP_des_ede3_cbc},
- /* 2.16.840.1.101.3.4.1.2 */
+ // 2.16.840.1.101.3.4.1.2
{{0x60, 0x86, 0x48, 0x01, 0x65, 0x03, 0x04, 0x01, 0x02},
9,
NID_aes_128_cbc,
&EVP_aes_128_cbc},
- /* 2.16.840.1.101.3.4.1.22 */
+ // 2.16.840.1.101.3.4.1.22
{{0x60, 0x86, 0x48, 0x01, 0x65, 0x03, 0x04, 0x01, 0x16},
9,
NID_aes_192_cbc,
&EVP_aes_192_cbc},
- /* 2.16.840.1.101.3.4.1.42 */
+ // 2.16.840.1.101.3.4.1.42
{{0x60, 0x86, 0x48, 0x01, 0x65, 0x03, 0x04, 0x01, 0x2a},
9,
NID_aes_256_cbc,
@@ -167,13 +167,13 @@
return 0;
}
- /* Generate a random IV. */
+ // Generate a random IV.
uint8_t iv[EVP_MAX_IV_LENGTH];
if (!RAND_bytes(iv, EVP_CIPHER_iv_length(cipher))) {
return 0;
}
- /* See RFC 2898, appendix A. */
+ // See RFC 2898, appendix A.
CBB algorithm, oid, param, kdf, kdf_oid, kdf_param, salt_cbb, cipher_cbb,
iv_cbb;
if (!CBB_add_asn1(out, &algorithm, CBS_ASN1_SEQUENCE) ||
@@ -187,14 +187,14 @@
!CBB_add_asn1(&kdf_param, &salt_cbb, CBS_ASN1_OCTETSTRING) ||
!CBB_add_bytes(&salt_cbb, salt, salt_len) ||
!CBB_add_asn1_uint64(&kdf_param, iterations) ||
- /* Specify a key length for RC2. */
+ // Specify a key length for RC2.
(cipher_nid == NID_rc2_cbc &&
!CBB_add_asn1_uint64(&kdf_param, EVP_CIPHER_key_length(cipher))) ||
- /* Omit the PRF. We use the default hmacWithSHA1. */
+ // Omit the PRF. We use the default hmacWithSHA1.
!CBB_add_asn1(¶m, &cipher_cbb, CBS_ASN1_SEQUENCE) ||
!add_cipher_oid(&cipher_cbb, cipher_nid) ||
- /* RFC 2898 says RC2-CBC and RC5-CBC-Pad use a SEQUENCE with version and
- * IV, but OpenSSL always uses an OCTET STRING IV, so we do the same. */
+ // RFC 2898 says RC2-CBC and RC5-CBC-Pad use a SEQUENCE with version and
+ // IV, but OpenSSL always uses an OCTET STRING IV, so we do the same.
!CBB_add_asn1(&cipher_cbb, &iv_cbb, CBS_ASN1_OCTETSTRING) ||
!CBB_add_bytes(&iv_cbb, iv, EVP_CIPHER_iv_length(cipher)) ||
!CBB_flush(out)) {
@@ -220,20 +220,20 @@
return 0;
}
- /* Only PBKDF2 is supported. */
+ // Only PBKDF2 is supported.
if (!CBS_mem_equal(&kdf_obj, kPBKDF2, sizeof(kPBKDF2))) {
OPENSSL_PUT_ERROR(PKCS8, PKCS8_R_UNSUPPORTED_KEY_DERIVATION_FUNCTION);
return 0;
}
- /* See if we recognise the encryption algorithm. */
+ // See if we recognise the encryption algorithm.
const EVP_CIPHER *cipher = cbs_to_cipher(&enc_obj);
if (cipher == NULL) {
OPENSSL_PUT_ERROR(PKCS8, PKCS8_R_UNSUPPORTED_CIPHER);
return 0;
}
- /* Parse the KDF parameters. See RFC 8018, appendix A.2. */
+ // Parse the KDF parameters. See RFC 8018, appendix A.2.
CBS pbkdf2_params, salt;
uint64_t iterations;
if (!CBS_get_asn1(&kdf, &pbkdf2_params, CBS_ASN1_SEQUENCE) ||
@@ -249,8 +249,8 @@
return 0;
}
- /* The optional keyLength parameter, if present, must match the key length of
- * the cipher. */
+ // The optional keyLength parameter, if present, must match the key length of
+ // the cipher.
if (CBS_peek_asn1_tag(&pbkdf2_params, CBS_ASN1_INTEGER)) {
uint64_t key_len;
if (!CBS_get_asn1_uint64(&pbkdf2_params, &key_len)) {
@@ -273,14 +273,14 @@
return 0;
}
- /* We only support hmacWithSHA1. It is the DEFAULT, so DER requires it be
- * omitted, but we match OpenSSL in tolerating it being present. */
+ // We only support hmacWithSHA1. It is the DEFAULT, so DER requires it be
+ // omitted, but we match OpenSSL in tolerating it being present.
if (!CBS_mem_equal(&prf, kHMACWithSHA1, sizeof(kHMACWithSHA1))) {
OPENSSL_PUT_ERROR(PKCS8, PKCS8_R_UNSUPPORTED_PRF);
return 0;
}
- /* hmacWithSHA1 has a NULL parameter. */
+ // hmacWithSHA1 has a NULL parameter.
CBS null;
if (!CBS_get_asn1(&alg_id, &null, CBS_ASN1_NULL) ||
CBS_len(&null) != 0 ||
@@ -290,10 +290,10 @@
}
}
- /* Parse the encryption scheme parameters. Note OpenSSL does not match the
- * specification. Per RFC 2898, this should depend on the encryption scheme.
- * In particular, RC2-CBC uses a SEQUENCE with version and IV. We align with
- * OpenSSL. */
+ // Parse the encryption scheme parameters. Note OpenSSL does not match the
+ // specification. Per RFC 2898, this should depend on the encryption scheme.
+ // In particular, RC2-CBC uses a SEQUENCE with version and IV. We align with
+ // OpenSSL.
CBS iv;
if (!CBS_get_asn1(&enc_scheme, &iv, CBS_ASN1_OCTETSTRING) ||
CBS_len(&enc_scheme) != 0) {
diff --git a/src/crypto/pkcs8/pkcs12_test.cc b/src/crypto/pkcs8/pkcs12_test.cc
index c5a7e07..66d0397 100644
--- a/src/crypto/pkcs8/pkcs12_test.cc
+++ b/src/crypto/pkcs8/pkcs12_test.cc
@@ -24,8 +24,8 @@
#include <openssl/x509.h>
-/* kPKCS12DER contains sample PKCS#12 data generated by OpenSSL with:
- * openssl pkcs12 -export -inkey key.pem -in cacert.pem */
+// kPKCS12DER contains sample PKCS#12 data generated by OpenSSL with:
+// openssl pkcs12 -export -inkey key.pem -in cacert.pem
static const uint8_t kOpenSSL[] = {
0x30, 0x82, 0x09, 0xa1, 0x02, 0x01, 0x03, 0x30, 0x82, 0x09, 0x67, 0x06,
0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x07, 0x01, 0xa0, 0x82,
@@ -235,8 +235,8 @@
0xfd, 0x82, 0x14, 0xd8, 0x5c, 0x02, 0x02, 0x08, 0x00,
};
-/* kNSS is the result of importing the OpenSSL example PKCS#12 into Chrome and
- * then exporting it again. */
+// kNSS is the result of importing the OpenSSL example PKCS#12 into Chrome and
+// then exporting it again.
static const uint8_t kNSS[] = {
0x30, 0x80, 0x02, 0x01, 0x03, 0x30, 0x80, 0x06, 0x09, 0x2a, 0x86, 0x48,
0x86, 0xf7, 0x0d, 0x01, 0x07, 0x01, 0xa0, 0x80, 0x24, 0x80, 0x04, 0x82,
@@ -460,8 +460,8 @@
0xbc, 0x8d, 0x02, 0x02, 0x07, 0xd0, 0x00, 0x00,
};
-/* kWindows is a dummy key and certificate exported from the certificate
- * manager on Windows 7. */
+// kWindows is a dummy key and certificate exported from the certificate
+// manager on Windows 7.
static const uint8_t kWindows[] = {
0x30, 0x82, 0x0a, 0x02, 0x02, 0x01, 0x03, 0x30, 0x82, 0x09, 0xbe, 0x06,
0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x07, 0x01, 0xa0, 0x82,
@@ -679,9 +679,8 @@
0xfe, 0x3a, 0x66, 0x47, 0x40, 0x49, 0x02, 0x02, 0x07, 0xd0,
};
-/* kPBES2 is a PKCS#12 file using PBES2 created with:
- * openssl pkcs12 -export -inkey key.pem -in cert.pem -keypbe AES-128-CBC \
- * -certpbe AES-128-CBC */
+// kPBES2 is a PKCS#12 file using PBES2 created with:
+// openssl pkcs12 -export -inkey key.pem -in cert.pem -keypbe AES-128-CBC -certpbe AES-128-CBC
static const uint8_t kPBES2[] = {
0x30, 0x82, 0x0a, 0x03, 0x02, 0x01, 0x03, 0x30, 0x82, 0x09, 0xc9, 0x06,
0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x07, 0x01, 0xa0, 0x82,
diff --git a/src/crypto/pkcs8/pkcs8.c b/src/crypto/pkcs8/pkcs8.c
index 08cc5a3..388d65e 100644
--- a/src/crypto/pkcs8/pkcs8.c
+++ b/src/crypto/pkcs8/pkcs8.c
@@ -88,7 +88,7 @@
unitmp[i + 1] = ascii[i >> 1];
}
- /* Terminate the result with a UCS-2 NUL. */
+ // Terminate the result with a UCS-2 NUL.
unitmp[ulen - 2] = 0;
unitmp[ulen - 1] = 0;
*out_len = ulen;
@@ -99,8 +99,8 @@
int pkcs12_key_gen(const char *pass, size_t pass_len, const uint8_t *salt,
size_t salt_len, uint8_t id, unsigned iterations,
size_t out_len, uint8_t *out, const EVP_MD *md) {
- /* See https://tools.ietf.org/html/rfc7292#appendix-B. Quoted parts of the
- * specification have errata applied and other typos fixed. */
+ // See https://tools.ietf.org/html/rfc7292#appendix-B. Quoted parts of the
+ // specification have errata applied and other typos fixed.
if (iterations < 1) {
OPENSSL_PUT_ERROR(PKCS8, PKCS8_R_BAD_ITERATION_COUNT);
@@ -112,31 +112,31 @@
EVP_MD_CTX_init(&ctx);
uint8_t *pass_raw = NULL, *I = NULL;
size_t pass_raw_len = 0, I_len = 0;
- /* If |pass| is NULL, we use the empty string rather than {0, 0} as the raw
- * password. */
+ // If |pass| is NULL, we use the empty string rather than {0, 0} as the raw
+ // password.
if (pass != NULL &&
!ascii_to_ucs2(pass, pass_len, &pass_raw, &pass_raw_len)) {
goto err;
}
- /* In the spec, |block_size| is called "v", but measured in bits. */
+ // In the spec, |block_size| is called "v", but measured in bits.
size_t block_size = EVP_MD_block_size(md);
- /* 1. Construct a string, D (the "diversifier"), by concatenating v/8 copies
- * of ID. */
+ // 1. Construct a string, D (the "diversifier"), by concatenating v/8 copies
+ // of ID.
uint8_t D[EVP_MAX_MD_BLOCK_SIZE];
OPENSSL_memset(D, id, block_size);
- /* 2. Concatenate copies of the salt together to create a string S of length
- * v(ceiling(s/v)) bits (the final copy of the salt may be truncated to
- * create S). Note that if the salt is the empty string, then so is S.
- *
- * 3. Concatenate copies of the password together to create a string P of
- * length v(ceiling(p/v)) bits (the final copy of the password may be
- * truncated to create P). Note that if the password is the empty string,
- * then so is P.
- *
- * 4. Set I=S||P to be the concatenation of S and P. */
+ // 2. Concatenate copies of the salt together to create a string S of length
+ // v(ceiling(s/v)) bits (the final copy of the salt may be truncated to
+ // create S). Note that if the salt is the empty string, then so is S.
+ //
+ // 3. Concatenate copies of the password together to create a string P of
+ // length v(ceiling(p/v)) bits (the final copy of the password may be
+ // truncated to create P). Note that if the password is the empty string,
+ // then so is P.
+ //
+ // 4. Set I=S||P to be the concatenation of S and P.
if (salt_len + block_size - 1 < salt_len ||
pass_raw_len + block_size - 1 < pass_raw_len) {
OPENSSL_PUT_ERROR(PKCS8, ERR_R_OVERFLOW);
@@ -164,8 +164,8 @@
}
while (out_len != 0) {
- /* A. Set A_i=H^r(D||I). (i.e., the r-th hash of D||I,
- * H(H(H(... H(D||I)))) */
+ // A. Set A_i=H^r(D||I). (i.e., the r-th hash of D||I,
+ // H(H(H(... H(D||I))))
uint8_t A[EVP_MAX_MD_SIZE];
unsigned A_len;
if (!EVP_DigestInit_ex(&ctx, md, NULL) ||
@@ -190,16 +190,16 @@
break;
}
- /* B. Concatenate copies of A_i to create a string B of length v bits (the
- * final copy of A_i may be truncated to create B). */
+ // B. Concatenate copies of A_i to create a string B of length v bits (the
+ // final copy of A_i may be truncated to create B).
uint8_t B[EVP_MAX_MD_BLOCK_SIZE];
for (size_t i = 0; i < block_size; i++) {
B[i] = A[i % A_len];
}
- /* C. Treating I as a concatenation I_0, I_1, ..., I_(k-1) of v-bit blocks,
- * where k=ceiling(s/v)+ceiling(p/v), modify I by setting I_j=(I_j+B+1) mod
- * 2^v for each j. */
+ // C. Treating I as a concatenation I_0, I_1, ..., I_(k-1) of v-bit blocks,
+ // where k=ceiling(s/v)+ceiling(p/v), modify I by setting I_j=(I_j+B+1) mod
+ // 2^v for each j.
assert(I_len % block_size == 0);
for (size_t i = 0; i < I_len; i += block_size) {
unsigned carry = 1;
@@ -277,7 +277,7 @@
static const struct pbe_suite kBuiltinPBE[] = {
{
NID_pbe_WithSHA1And40BitRC2_CBC,
- /* 1.2.840.113549.1.12.1.6 */
+ // 1.2.840.113549.1.12.1.6
{0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x0c, 0x01, 0x06},
10,
EVP_rc2_40_cbc,
@@ -286,7 +286,7 @@
},
{
NID_pbe_WithSHA1And128BitRC4,
- /* 1.2.840.113549.1.12.1.1 */
+ // 1.2.840.113549.1.12.1.1
{0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x0c, 0x01, 0x01},
10,
EVP_rc4,
@@ -295,7 +295,7 @@
},
{
NID_pbe_WithSHA1And3_Key_TripleDES_CBC,
- /* 1.2.840.113549.1.12.1.3 */
+ // 1.2.840.113549.1.12.1.3
{0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x0c, 0x01, 0x03},
10,
EVP_des_ede3_cbc,
@@ -304,7 +304,7 @@
},
{
NID_pbes2,
- /* 1.2.840.113549.1.5.13 */
+ // 1.2.840.113549.1.5.13
{0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x05, 0x0d},
9,
NULL,
@@ -333,7 +333,7 @@
return 0;
}
- /* See RFC 2898, appendix A.3. */
+ // See RFC 2898, appendix A.3.
CBB algorithm, oid, param, salt_cbb;
if (!CBB_add_asn1(out, &algorithm, CBS_ASN1_SEQUENCE) ||
!CBB_add_asn1(&algorithm, &oid, CBS_ASN1_OBJECT) ||
@@ -411,7 +411,7 @@
EVP_PKEY *PKCS8_parse_encrypted_private_key(CBS *cbs, const char *pass,
size_t pass_len) {
- /* See RFC 5208, section 6. */
+ // See RFC 5208, section 6.
CBS epki, algorithm, ciphertext;
if (!CBS_get_asn1(cbs, &epki, CBS_ASN1_SEQUENCE) ||
!CBS_get_asn1(&epki, &algorithm, CBS_ASN1_SEQUENCE) ||
@@ -447,7 +447,7 @@
EVP_CIPHER_CTX ctx;
EVP_CIPHER_CTX_init(&ctx);
- /* Generate a random salt if necessary. */
+ // Generate a random salt if necessary.
if (salt == NULL) {
if (salt_len == 0) {
salt_len = PKCS5_SALT_LEN;
@@ -466,7 +466,7 @@
iterations = PKCS5_DEFAULT_ITERATIONS;
}
- /* Serialize the input key. */
+ // Serialize the input key.
CBB plaintext_cbb;
if (!CBB_init(&plaintext_cbb, 128) ||
!EVP_marshal_private_key(&plaintext_cbb, pkey) ||
diff --git a/src/crypto/pkcs8/pkcs8_test.cc b/src/crypto/pkcs8/pkcs8_test.cc
index 020c9d9..44388bb 100644
--- a/src/crypto/pkcs8/pkcs8_test.cc
+++ b/src/crypto/pkcs8/pkcs8_test.cc
@@ -22,14 +22,13 @@
#include "../internal.h"
-/* kDER is a PKCS#8 encrypted private key. It was generated with:
- *
- * openssl genrsa 512 > test.key
- * openssl pkcs8 -topk8 -in test.key -out test.key.encrypted -v2 des3 -outform der
- * hexdump -Cv test.key.encrypted
- *
- * The password is "testing".
- */
+// kDER is a PKCS#8 encrypted private key. It was generated with:
+//
+// openssl genrsa 512 > test.key
+// openssl pkcs8 -topk8 -in test.key -out test.key.encrypted -v2 des3 -outform der
+// hexdump -Cv test.key.encrypted
+//
+// The password is "testing".
static const uint8_t kDER[] = {
0x30, 0x82, 0x01, 0x9e, 0x30, 0x40, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x05,
0x0d, 0x30, 0x33, 0x30, 0x1b, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x05, 0x0c,
@@ -60,7 +59,7 @@
0xd6, 0x2d,
};
-/* kNullPassword is a PKCS#8 encrypted private key using the null password. */
+// kNullPassword is a PKCS#8 encrypted private key using the null password.
static const uint8_t kNullPassword[] = {
0x30, 0x81, 0xb0, 0x30, 0x1b, 0x06, 0x0a, 0x2a, 0x86, 0x48, 0x86, 0xf7,
0x0d, 0x01, 0x0c, 0x01, 0x03, 0x30, 0x0d, 0x04, 0x08, 0xb2, 0xfe, 0x68,
@@ -79,8 +78,8 @@
0x49, 0xf6, 0x7e, 0xd0, 0x42, 0xaa, 0x14, 0x3c, 0x24, 0x77, 0xb4,
};
-/* kNullPasswordNSS is a PKCS#8 encrypted private key using the null password
- * and generated by NSS. */
+// kNullPasswordNSS is a PKCS#8 encrypted private key using the null password
+// and generated by NSS.
static const uint8_t kNullPasswordNSS[] = {
0x30, 0x81, 0xb8, 0x30, 0x23, 0x06, 0x0a, 0x2a, 0x86, 0x48, 0x86, 0xf7,
0x0d, 0x01, 0x0c, 0x01, 0x03, 0x30, 0x15, 0x04, 0x10, 0x3f, 0xac, 0xe9,
@@ -100,8 +99,8 @@
0x0a, 0xb2, 0x1d, 0xca, 0x15, 0xb2, 0xca,
};
-/* kEmptyPasswordOpenSSL is a PKCS#8 encrypted private key using the empty
- * password and generated by OpenSSL. */
+// kEmptyPasswordOpenSSL is a PKCS#8 encrypted private key using the empty
+// password and generated by OpenSSL.
static const uint8_t kEmptyPasswordOpenSSL[] = {
0x30, 0x82, 0x01, 0xa1, 0x30, 0x1b, 0x06, 0x0a, 0x2a, 0x86, 0x48, 0x86,
0xf7, 0x0d, 0x01, 0x0c, 0x01, 0x03, 0x30, 0x0d, 0x04, 0x08, 0x86, 0xaa,
diff --git a/src/crypto/pkcs8/pkcs8_x509.c b/src/crypto/pkcs8/pkcs8_x509.c
index 875b4ca..ace5f33 100644
--- a/src/crypto/pkcs8/pkcs8_x509.c
+++ b/src/crypto/pkcs8/pkcs8_x509.c
@@ -75,10 +75,10 @@
#include "../internal.h"
-/* Minor tweak to operation: zero private key data */
+// Minor tweak to operation: zero private key data
static int pkey_cb(int operation, ASN1_VALUE **pval, const ASN1_ITEM *it,
void *exarg) {
- /* Since the structure must still be valid use ASN1_OP_FREE_PRE */
+ // Since the structure must still be valid use ASN1_OP_FREE_PRE
if (operation == ASN1_OP_FREE_PRE) {
PKCS8_PRIV_KEY_INFO *key = (PKCS8_PRIV_KEY_INFO *)*pval;
if (key->pkey && key->pkey->type == V_ASN1_OCTET_STRING &&
@@ -162,7 +162,7 @@
EVP_PKEY *pkey = NULL;
uint8_t *in = NULL;
- /* Convert the legacy ASN.1 object to a byte string. */
+ // Convert the legacy ASN.1 object to a byte string.
int in_len = i2d_X509_SIG(pkcs8, &in);
if (in_len < 0) {
goto err;
@@ -193,7 +193,7 @@
pass_len = (size_t)pass_len_in;
}
- /* Parse out the private key. */
+ // Parse out the private key.
EVP_PKEY *pkey = EVP_PKCS82PKEY(p8inf);
if (pkey == NULL) {
return NULL;
@@ -212,7 +212,7 @@
goto err;
}
- /* Convert back to legacy ASN.1 objects. */
+ // Convert back to legacy ASN.1 objects.
const uint8_t *ptr = der;
ret = d2i_X509_SIG(NULL, &ptr, der_len);
if (ret == NULL || ptr != der + der_len) {
@@ -234,8 +234,8 @@
size_t password_len;
};
-/* PKCS12_handle_sequence parses a BER-encoded SEQUENCE of elements in a PKCS#12
- * structure. */
+// PKCS12_handle_sequence parses a BER-encoded SEQUENCE of elements in a PKCS#12
+// structure.
static int PKCS12_handle_sequence(
CBS *sequence, struct pkcs12_context *ctx,
int (*handle_element)(CBS *cbs, struct pkcs12_context *ctx)) {
@@ -244,10 +244,10 @@
CBS in;
int ret = 0;
- /* Although a BER->DER conversion is done at the beginning of |PKCS12_parse|,
- * the ASN.1 data gets wrapped in OCTETSTRINGs and/or encrypted and the
- * conversion cannot see through those wrappings. So each time we step
- * through one we need to convert to DER again. */
+ // Although a BER->DER conversion is done at the beginning of |PKCS12_parse|,
+ // the ASN.1 data gets wrapped in OCTETSTRINGs and/or encrypted and the
+ // conversion cannot see through those wrappings. So each time we step
+ // through one we need to convert to DER again.
if (!CBS_asn1_ber_to_der(sequence, &der_bytes, &der_len)) {
OPENSSL_PUT_ERROR(PKCS8, PKCS8_R_BAD_PKCS12_DATA);
return 0;
@@ -285,20 +285,20 @@
return ret;
}
-/* 1.2.840.113549.1.12.10.1.2 */
+// 1.2.840.113549.1.12.10.1.2
static const uint8_t kPKCS8ShroudedKeyBag[] = {
0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x0c, 0x0a, 0x01, 0x02};
-/* 1.2.840.113549.1.12.10.1.3 */
+// 1.2.840.113549.1.12.10.1.3
static const uint8_t kCertBag[] = {0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d,
0x01, 0x0c, 0x0a, 0x01, 0x03};
-/* 1.2.840.113549.1.9.22.1 */
+// 1.2.840.113549.1.9.22.1
static const uint8_t kX509Certificate[] = {0x2a, 0x86, 0x48, 0x86, 0xf7,
0x0d, 0x01, 0x09, 0x16, 0x01};
-/* PKCS12_handle_safe_bag parses a single SafeBag element in a PKCS#12
- * structure. */
+// PKCS12_handle_safe_bag parses a single SafeBag element in a PKCS#12
+// structure.
static int PKCS12_handle_safe_bag(CBS *safe_bag, struct pkcs12_context *ctx) {
CBS bag_id, wrapped_value;
if (!CBS_get_asn1(safe_bag, &bag_id, CBS_ASN1_OBJECT) ||
@@ -311,7 +311,7 @@
if (CBS_mem_equal(&bag_id, kPKCS8ShroudedKeyBag,
sizeof(kPKCS8ShroudedKeyBag))) {
- /* See RFC 7292, section 4.2.2. */
+ // See RFC 7292, section 4.2.2.
if (*ctx->out_key) {
OPENSSL_PUT_ERROR(PKCS8, PKCS8_R_MULTIPLE_PRIVATE_KEYS_IN_PKCS12);
return 0;
@@ -334,7 +334,7 @@
}
if (CBS_mem_equal(&bag_id, kCertBag, sizeof(kCertBag))) {
- /* See RFC 7292, section 4.2.3. */
+ // See RFC 7292, section 4.2.3.
CBS cert_bag, cert_type, wrapped_cert, cert;
if (!CBS_get_asn1(&wrapped_value, &cert_bag, CBS_ASN1_SEQUENCE) ||
!CBS_get_asn1(&cert_bag, &cert_type, CBS_ASN1_OBJECT) ||
@@ -345,7 +345,7 @@
return 0;
}
- /* Skip unknown certificate types. */
+ // Skip unknown certificate types.
if (!CBS_mem_equal(&cert_type, kX509Certificate,
sizeof(kX509Certificate))) {
return 1;
@@ -377,20 +377,20 @@
return 1;
}
- /* Unknown element type - ignore it. */
+ // Unknown element type - ignore it.
return 1;
}
-/* 1.2.840.113549.1.7.1 */
+// 1.2.840.113549.1.7.1
static const uint8_t kPKCS7Data[] = {0x2a, 0x86, 0x48, 0x86, 0xf7,
0x0d, 0x01, 0x07, 0x01};
-/* 1.2.840.113549.1.7.6 */
+// 1.2.840.113549.1.7.6
static const uint8_t kPKCS7EncryptedData[] = {0x2a, 0x86, 0x48, 0x86, 0xf7,
0x0d, 0x01, 0x07, 0x06};
-/* PKCS12_handle_content_info parses a single PKCS#7 ContentInfo element in a
- * PKCS#12 structure. */
+// PKCS12_handle_content_info parses a single PKCS#7 ContentInfo element in a
+// PKCS#12 structure.
static int PKCS12_handle_content_info(CBS *content_info,
struct pkcs12_context *ctx) {
CBS content_type, wrapped_contents, contents;
@@ -407,23 +407,23 @@
if (CBS_mem_equal(&content_type, kPKCS7EncryptedData,
sizeof(kPKCS7EncryptedData))) {
- /* See https://tools.ietf.org/html/rfc2315#section-13.
- *
- * PKCS#7 encrypted data inside a PKCS#12 structure is generally an
- * encrypted certificate bag and it's generally encrypted with 40-bit
- * RC2-CBC. */
+ // See https://tools.ietf.org/html/rfc2315#section-13.
+ //
+ // PKCS#7 encrypted data inside a PKCS#12 structure is generally an
+ // encrypted certificate bag and it's generally encrypted with 40-bit
+ // RC2-CBC.
CBS version_bytes, eci, contents_type, ai, encrypted_contents;
uint8_t *out;
size_t out_len;
if (!CBS_get_asn1(&wrapped_contents, &contents, CBS_ASN1_SEQUENCE) ||
!CBS_get_asn1(&contents, &version_bytes, CBS_ASN1_INTEGER) ||
- /* EncryptedContentInfo, see
- * https://tools.ietf.org/html/rfc2315#section-10.1 */
+ // EncryptedContentInfo, see
+ // https://tools.ietf.org/html/rfc2315#section-10.1
!CBS_get_asn1(&contents, &eci, CBS_ASN1_SEQUENCE) ||
!CBS_get_asn1(&eci, &contents_type, CBS_ASN1_OBJECT) ||
- /* AlgorithmIdentifier, see
- * https://tools.ietf.org/html/rfc5280#section-4.1.1.2 */
+ // AlgorithmIdentifier, see
+ // https://tools.ietf.org/html/rfc5280#section-4.1.1.2
!CBS_get_asn1(&eci, &ai, CBS_ASN1_SEQUENCE) ||
!CBS_get_asn1_implicit_string(
&eci, &encrypted_contents, &storage,
@@ -459,7 +459,7 @@
ret = PKCS12_handle_sequence(&octet_string_contents, ctx,
PKCS12_handle_safe_bag);
} else {
- /* Unknown element type - ignore it. */
+ // Unknown element type - ignore it.
ret = 1;
}
@@ -478,7 +478,7 @@
struct pkcs12_context ctx;
const size_t original_out_certs_len = sk_X509_num(out_certs);
- /* The input may be in BER format. */
+ // The input may be in BER format.
if (!CBS_asn1_ber_to_der(ber_in, &der_bytes, &der_len)) {
OPENSSL_PUT_ERROR(PKCS8, PKCS8_R_BAD_PKCS12_DATA);
return 0;
@@ -492,8 +492,8 @@
*out_key = NULL;
OPENSSL_memset(&ctx, 0, sizeof(ctx));
- /* See ftp://ftp.rsasecurity.com/pub/pkcs/pkcs-12/pkcs-12v1.pdf, section
- * four. */
+ // See ftp://ftp.rsasecurity.com/pub/pkcs/pkcs-12/pkcs-12v1.pdf, section
+ // four.
if (!CBS_get_asn1(&in, &pfx, CBS_ASN1_SEQUENCE) ||
CBS_len(&in) != 0 ||
!CBS_get_asn1_uint64(&pfx, &version)) {
@@ -521,8 +521,8 @@
goto err;
}
- /* authsafe is a PKCS#7 ContentInfo. See
- * https://tools.ietf.org/html/rfc2315#section-7. */
+ // authsafe is a PKCS#7 ContentInfo. See
+ // https://tools.ietf.org/html/rfc2315#section-7.
if (!CBS_get_asn1(&authsafe, &content_type, CBS_ASN1_OBJECT) ||
!CBS_get_asn1(&authsafe, &wrapped_authsafes,
CBS_ASN1_CONTEXT_SPECIFIC | CBS_ASN1_CONSTRUCTED | 0)) {
@@ -530,8 +530,8 @@
goto err;
}
- /* The content type can either be data or signedData. The latter indicates
- * that it's signed by a public key, which isn't supported. */
+ // The content type can either be data or signedData. The latter indicates
+ // that it's signed by a public key, which isn't supported.
if (!CBS_mem_equal(&content_type, kPKCS7Data, sizeof(kPKCS7Data))) {
OPENSSL_PUT_ERROR(PKCS8, PKCS8_R_PKCS12_PUBLIC_KEY_INTEGRITY_NOT_SUPPORTED);
goto err;
@@ -547,7 +547,7 @@
ctx.password = password;
ctx.password_len = password != NULL ? strlen(password) : 0;
- /* Verify the MAC. */
+ // Verify the MAC.
{
CBS mac, salt, expected_mac;
if (!CBS_get_asn1(&mac_data, &mac, CBS_ASN1_SEQUENCE)) {
@@ -566,7 +566,7 @@
goto err;
}
- /* The iteration count is optional and the default is one. */
+ // The iteration count is optional and the default is one.
uint64_t iterations = 1;
if (CBS_len(&mac_data) > 0) {
if (!CBS_get_asn1_uint64(&mac_data, &iterations) ||
@@ -596,7 +596,7 @@
}
}
- /* authsafes contains a series of PKCS#7 ContentInfos. */
+ // authsafes contains a series of PKCS#7 ContentInfos.
if (!PKCS12_handle_sequence(&authsafes, &ctx, PKCS12_handle_content_info)) {
goto err;
}
@@ -673,8 +673,8 @@
if (used == 0) {
goto out;
}
- /* Workaround a bug in node.js. It uses a memory BIO for this in the wrong
- * mode. */
+ // Workaround a bug in node.js. It uses a memory BIO for this in the wrong
+ // mode.
n = 0;
}
diff --git a/src/crypto/poly1305/internal.h b/src/crypto/poly1305/internal.h
index 079f51e..251b1f4 100644
--- a/src/crypto/poly1305/internal.h
+++ b/src/crypto/poly1305/internal.h
@@ -35,7 +35,7 @@
#if defined(__cplusplus)
-} /* extern C */
+} // extern C
#endif
-#endif /* OPENSSL_HEADER_POLY1305_INTERNAL_H */
+#endif // OPENSSL_HEADER_POLY1305_INTERNAL_H
diff --git a/src/crypto/poly1305/poly1305.c b/src/crypto/poly1305/poly1305.c
index 5c310e9..c3e9272 100644
--- a/src/crypto/poly1305/poly1305.c
+++ b/src/crypto/poly1305/poly1305.c
@@ -12,9 +12,9 @@
* OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN
* CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. */
-/* This implementation of poly1305 is by Andrew Moon
- * (https://github.com/floodyberry/poly1305-donna) and released as public
- * domain. */
+// This implementation of poly1305 is by Andrew Moon
+// (https://github.com/floodyberry/poly1305-donna) and released as public
+// domain.
#include <openssl/poly1305.h>
@@ -28,7 +28,7 @@
#if defined(OPENSSL_WINDOWS) || !defined(OPENSSL_X86_64)
-/* We can assume little-endian. */
+// We can assume little-endian.
static uint32_t U8TO32_LE(const uint8_t *m) {
uint32_t r;
OPENSSL_memcpy(&r, m, sizeof(r));
@@ -55,9 +55,9 @@
return (struct poly1305_state_st *)(((uintptr_t)state + 63) & ~63);
}
-/* poly1305_blocks updates |state| given some amount of input data. This
- * function may only be called with a |len| that is not a multiple of 16 at the
- * end of the data. Otherwise the input must be buffered into 16 byte blocks. */
+// poly1305_blocks updates |state| given some amount of input data. This
+// function may only be called with a |len| that is not a multiple of 16 at the
+// end of the data. Otherwise the input must be buffered into 16 byte blocks.
static void poly1305_update(struct poly1305_state_st *state, const uint8_t *in,
size_t len) {
uint32_t t0, t1, t2, t3;
@@ -123,7 +123,7 @@
goto poly1305_donna_16bytes;
}
-/* final bytes */
+// final bytes
poly1305_donna_atmost15bytes:
if (!len) {
return;
@@ -168,7 +168,7 @@
t2 = U8TO32_LE(key + 8);
t3 = U8TO32_LE(key + 12);
- /* precompute multipliers */
+ // precompute multipliers
state->r0 = t0 & 0x3ffffff;
t0 >>= 26;
t0 |= t1 << 6;
@@ -187,7 +187,7 @@
state->s3 = state->r3 * 5;
state->s4 = state->r4 * 5;
- /* init state */
+ // init state
state->h0 = 0;
state->h1 = 0;
state->h2 = 0;
@@ -315,4 +315,4 @@
U32TO8_LE(&mac[12], f3);
}
-#endif /* OPENSSL_WINDOWS || !OPENSSL_X86_64 */
+#endif // OPENSSL_WINDOWS || !OPENSSL_X86_64
diff --git a/src/crypto/poly1305/poly1305_arm.c b/src/crypto/poly1305/poly1305_arm.c
index 6280e2c..4aff713 100644
--- a/src/crypto/poly1305/poly1305_arm.c
+++ b/src/crypto/poly1305/poly1305_arm.c
@@ -12,8 +12,8 @@
* OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN
* CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. */
-/* This implementation was taken from the public domain, neon2 version in
- * SUPERCOP by D. J. Bernstein and Peter Schwabe. */
+// This implementation was taken from the public domain, neon2 version in
+// SUPERCOP by D. J. Bernstein and Peter Schwabe.
#include <openssl/poly1305.h>
@@ -26,7 +26,7 @@
#if defined(OPENSSL_POLY1305_NEON)
typedef struct {
- uint32_t v[12]; /* for alignment; only using 10 */
+ uint32_t v[12]; // for alignment; only using 10
} fe1305x2;
#define addmulmod openssl_poly1305_neon2_addmulmod
@@ -125,8 +125,8 @@
*(uint32_t *)(r + 12) = (x3 >> 18) + (x4 << 8);
}
-/* load32 exists to avoid breaking strict aliasing rules in
- * fe1305x2_frombytearray. */
+// load32 exists to avoid breaking strict aliasing rules in
+// fe1305x2_frombytearray.
static uint32_t load32(uint8_t *t) {
uint32_t tmp;
OPENSSL_memcpy(&tmp, t, sizeof(tmp));
@@ -197,11 +197,11 @@
r->v[9] = r->v[8] = 0x00fffff & ((*(uint32_t *)(key + 12)) >> 8);
for (j = 0; j < 10; j++) {
- h->v[j] = 0; /* XXX: should fast-forward a bit */
+ h->v[j] = 0; // XXX: should fast-forward a bit
}
- addmulmod(precomp, r, r, &zero); /* precompute r^2 */
- addmulmod(precomp + 1, precomp, precomp, &zero); /* precompute r^4 */
+ addmulmod(precomp, r, r, &zero); // precompute r^2
+ addmulmod(precomp + 1, precomp, precomp, &zero); // precompute r^4
OPENSSL_memcpy(st->key, key + 16, 16);
st->buf_used = 0;
@@ -301,4 +301,4 @@
fe1305x2_tobytearray(mac, h);
}
-#endif /* OPENSSL_POLY1305_NEON */
+#endif // OPENSSL_POLY1305_NEON
diff --git a/src/crypto/poly1305/poly1305_vec.c b/src/crypto/poly1305/poly1305_vec.c
index 3045a2f..80eaa36 100644
--- a/src/crypto/poly1305/poly1305_vec.c
+++ b/src/crypto/poly1305/poly1305_vec.c
@@ -12,11 +12,11 @@
* OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN
* CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. */
-/* This implementation of poly1305 is by Andrew Moon
- * (https://github.com/floodyberry/poly1305-donna) and released as public
- * domain. It implements SIMD vectorization based on the algorithm described in
- * http://cr.yp.to/papers.html#neoncrypto. Unrolled to 2 powers, i.e. 64 byte
- * block size */
+// This implementation of poly1305 is by Andrew Moon
+// (https://github.com/floodyberry/poly1305-donna) and released as public
+// domain. It implements SIMD vectorization based on the algorithm described in
+// http://cr.yp.to/papers.html#neoncrypto. Unrolled to 2 powers, i.e. 64 byte
+// block size
#include <openssl/poly1305.h>
@@ -69,14 +69,14 @@
poly1305_power P[2]; /* 288 bytes, top 32 bit halves unused = 144
bytes of free storage */
union {
- xmmi H[5]; /* 80 bytes */
+ xmmi H[5]; // 80 bytes
uint64_t HH[10];
};
- /* uint64_t r0,r1,r2; [24 bytes] */
- /* uint64_t pad0,pad1; [16 bytes] */
- uint64_t started; /* 8 bytes */
- uint64_t leftover; /* 8 bytes */
- uint8_t buffer[64]; /* 64 bytes */
+ // uint64_t r0,r1,r2; [24 bytes]
+ // uint64_t pad0,pad1; [16 bytes]
+ uint64_t started; // 8 bytes
+ uint64_t leftover; // 8 bytes
+ uint8_t buffer[64]; // 64 bytes
} poly1305_state_internal; /* 448 bytes total + 63 bytes for
alignment = 511 bytes raw */
@@ -85,7 +85,7 @@
return (poly1305_state_internal *)(((uint64_t)state + 63) & ~63);
}
-/* copy 0-63 bytes */
+// copy 0-63 bytes
static inline void
poly1305_block_copy(uint8_t *dst, const uint8_t *src, size_t bytes) {
size_t offset = src - dst;
@@ -117,7 +117,7 @@
}
}
-/* zero 0-15 bytes */
+// zero 0-15 bytes
static inline void poly1305_block_zero(uint8_t *dst, size_t bytes) {
if (bytes & 8) {
*(uint64_t *)dst = 0;
@@ -146,7 +146,7 @@
uint64_t r0, r1, r2;
uint64_t t0, t1;
- /* clamp key */
+ // clamp key
t0 = U8TO64_LE(key + 0);
t1 = U8TO64_LE(key + 8);
r0 = t0 & 0xffc0fffffff;
@@ -156,7 +156,7 @@
t1 >>= 24;
r2 = t1 & 0x00ffffffc0f;
- /* store r in un-used space of st->P[1] */
+ // store r in un-used space of st->P[1]
p = &st->P[1];
p->R20.d[1] = (uint32_t)(r0);
p->R20.d[3] = (uint32_t)(r0 >> 32);
@@ -165,13 +165,13 @@
p->R22.d[1] = (uint32_t)(r2);
p->R22.d[3] = (uint32_t)(r2 >> 32);
- /* store pad */
+ // store pad
p->R23.d[1] = U8TO32_LE(key + 16);
p->R23.d[3] = U8TO32_LE(key + 20);
p->R24.d[1] = U8TO32_LE(key + 24);
p->R24.d[3] = U8TO32_LE(key + 28);
- /* H = 0 */
+ // H = 0
st->H[0] = _mm_setzero_si128();
st->H[1] = _mm_setzero_si128();
st->H[2] = _mm_setzero_si128();
@@ -196,7 +196,7 @@
uint64_t c;
uint64_t i;
- /* pull out stored info */
+ // pull out stored info
p = &st->P[1];
r0 = ((uint64_t)p->R20.d[3] << 32) | (uint64_t)p->R20.d[1];
@@ -205,7 +205,7 @@
pad0 = ((uint64_t)p->R23.d[3] << 32) | (uint64_t)p->R23.d[1];
pad1 = ((uint64_t)p->R24.d[3] << 32) | (uint64_t)p->R24.d[1];
- /* compute powers r^2,r^4 */
+ // compute powers r^2,r^4
r20 = r0;
r21 = r1;
r22 = r2;
@@ -249,7 +249,7 @@
p--;
}
- /* put saved info back */
+ // put saved info back
p = &st->P[1];
p->R20.d[1] = (uint32_t)(r0);
p->R20.d[3] = (uint32_t)(r0 >> 32);
@@ -262,7 +262,7 @@
p->R24.d[1] = (uint32_t)(pad1);
p->R24.d[3] = (uint32_t)(pad1 >> 32);
- /* H = [Mx,My] */
+ // H = [Mx,My]
T5 = _mm_unpacklo_epi64(_mm_loadl_epi64((const xmmi *)(m + 0)),
_mm_loadl_epi64((const xmmi *)(m + 16)));
T6 = _mm_unpacklo_epi64(_mm_loadl_epi64((const xmmi *)(m + 8)),
@@ -294,7 +294,7 @@
H4 = st->H[4];
while (bytes >= 64) {
- /* H *= [r^4,r^4] */
+ // H *= [r^4,r^4]
p = &st->P[0];
T0 = _mm_mul_epu32(H0, p->R20.v);
T1 = _mm_mul_epu32(H0, p->R21.v);
@@ -342,7 +342,7 @@
T5 = _mm_mul_epu32(H4, p->R20.v);
T4 = _mm_add_epi64(T4, T5);
- /* H += [Mx,My]*[r^2,r^2] */
+ // H += [Mx,My]*[r^2,r^2]
T5 = _mm_unpacklo_epi64(_mm_loadl_epi64((const xmmi *)(m + 0)),
_mm_loadl_epi64((const xmmi *)(m + 16)));
T6 = _mm_unpacklo_epi64(_mm_loadl_epi64((const xmmi *)(m + 8)),
@@ -406,7 +406,7 @@
T5 = _mm_mul_epu32(M4, p->R20.v);
T4 = _mm_add_epi64(T4, T5);
- /* H += [Mx,My] */
+ // H += [Mx,My]
T5 = _mm_unpacklo_epi64(_mm_loadl_epi64((const xmmi *)(m + 32)),
_mm_loadl_epi64((const xmmi *)(m + 48)));
T6 = _mm_unpacklo_epi64(_mm_loadl_epi64((const xmmi *)(m + 40)),
@@ -424,7 +424,7 @@
T3 = _mm_add_epi64(T3, M3);
T4 = _mm_add_epi64(T4, M4);
- /* reduce */
+ // reduce
C1 = _mm_srli_epi64(T0, 26);
C2 = _mm_srli_epi64(T3, 26);
T0 = _mm_and_si128(T0, MMASK);
@@ -447,7 +447,7 @@
T3 = _mm_and_si128(T3, MMASK);
T4 = _mm_add_epi64(T4, C1);
- /* H = (H*[r^4,r^4] + [Mx,My]*[r^2,r^2] + [Mx,My]) */
+ // H = (H*[r^4,r^4] + [Mx,My]*[r^2,r^2] + [Mx,My])
H0 = T0;
H1 = T1;
H2 = T2;
@@ -488,11 +488,11 @@
H3 = st->H[3];
H4 = st->H[4];
- /* p = [r^2,r^2] */
+ // p = [r^2,r^2]
p = &st->P[1];
if (bytes >= 32) {
- /* H *= [r^2,r^2] */
+ // H *= [r^2,r^2]
T0 = _mm_mul_epu32(H0, p->R20.v);
T1 = _mm_mul_epu32(H0, p->R21.v);
T2 = _mm_mul_epu32(H0, p->R22.v);
@@ -539,7 +539,7 @@
T5 = _mm_mul_epu32(H4, p->R20.v);
T4 = _mm_add_epi64(T4, T5);
- /* H += [Mx,My] */
+ // H += [Mx,My]
T5 = _mm_unpacklo_epi64(_mm_loadl_epi64((const xmmi *)(m + 0)),
_mm_loadl_epi64((const xmmi *)(m + 16)));
T6 = _mm_unpacklo_epi64(_mm_loadl_epi64((const xmmi *)(m + 8)),
@@ -557,7 +557,7 @@
T3 = _mm_add_epi64(T3, M3);
T4 = _mm_add_epi64(T4, M4);
- /* reduce */
+ // reduce
C1 = _mm_srli_epi64(T0, 26);
C2 = _mm_srli_epi64(T3, 26);
T0 = _mm_and_si128(T0, MMASK);
@@ -580,7 +580,7 @@
T3 = _mm_and_si128(T3, MMASK);
T4 = _mm_add_epi64(T4, C1);
- /* H = (H*[r^2,r^2] + [Mx,My]) */
+ // H = (H*[r^2,r^2] + [Mx,My])
H0 = T0;
H1 = T1;
H2 = T2;
@@ -590,7 +590,7 @@
consumed = 32;
}
- /* finalize, H *= [r^2,r] */
+ // finalize, H *= [r^2,r]
r0 = ((uint64_t)p->R20.d[3] << 32) | (uint64_t)p->R20.d[1];
r1 = ((uint64_t)p->R21.d[3] << 32) | (uint64_t)p->R21.d[1];
r2 = ((uint64_t)p->R22.d[3] << 32) | (uint64_t)p->R22.d[1];
@@ -605,7 +605,7 @@
p->S23.d[2] = p->R23.d[2] * 5;
p->S24.d[2] = p->R24.d[2] * 5;
- /* H *= [r^2,r] */
+ // H *= [r^2,r]
T0 = _mm_mul_epu32(H0, p->R20.v);
T1 = _mm_mul_epu32(H0, p->R21.v);
T2 = _mm_mul_epu32(H0, p->R22.v);
@@ -674,7 +674,7 @@
T3 = _mm_and_si128(T3, MMASK);
T4 = _mm_add_epi64(T4, C1);
- /* H = H[0]+H[1] */
+ // H = H[0]+H[1]
H0 = _mm_add_epi64(T0, _mm_srli_si128(T0, 8));
H1 = _mm_add_epi64(T1, _mm_srli_si128(T1, 8));
H2 = _mm_add_epi64(T2, _mm_srli_si128(T2, 8));
@@ -713,7 +713,7 @@
poly1305_state_internal *st = poly1305_aligned_state(state);
size_t want;
- /* need at least 32 initial bytes to start the accelerated branch */
+ // need at least 32 initial bytes to start the accelerated branch
if (!st->started) {
if ((st->leftover == 0) && (bytes > 32)) {
poly1305_first_block(st, m);
@@ -734,7 +734,7 @@
st->started = 1;
}
- /* handle leftover */
+ // handle leftover
if (st->leftover) {
want = poly1305_min(64 - st->leftover, bytes);
poly1305_block_copy(st->buffer + st->leftover, m, want);
@@ -748,7 +748,7 @@
st->leftover = 0;
}
- /* process 64 byte blocks */
+ // process 64 byte blocks
if (bytes >= 64) {
want = (bytes & ~63);
poly1305_blocks(st, m, want);
@@ -779,7 +779,7 @@
m += consumed;
}
- /* st->HH will either be 0 or have the combined result */
+ // st->HH will either be 0 or have the combined result
h0 = st->HH[0];
h1 = st->HH[1];
h2 = st->HH[2];
@@ -826,7 +826,7 @@
goto poly1305_donna_atleast16bytes;
}
-/* final bytes */
+// final bytes
poly1305_donna_atmost15bytes:
if (!leftover) {
goto poly1305_donna_finish;
@@ -870,7 +870,7 @@
h1 = (h1 & nc) | (g1 & c);
h2 = (h2 & nc) | (g2 & c);
- /* pad */
+ // pad
t0 = ((uint64_t)p->R23.d[3] << 32) | (uint64_t)p->R23.d[1];
t1 = ((uint64_t)p->R24.d[3] << 32) | (uint64_t)p->R24.d[1];
h0 += (t0 & 0xfffffffffff);
@@ -887,4 +887,4 @@
U64TO8_LE(mac + 8, ((h1 >> 20) | (h2 << 24)));
}
-#endif /* !OPENSSL_WINDOWS && OPENSSL_X86_64 */
+#endif // !OPENSSL_WINDOWS && OPENSSL_X86_64
diff --git a/src/crypto/pool/internal.h b/src/crypto/pool/internal.h
index 3ec2ec2..5b288eb 100644
--- a/src/crypto/pool/internal.h
+++ b/src/crypto/pool/internal.h
@@ -39,7 +39,7 @@
#if defined(__cplusplus)
-} /* extern C */
+} // extern C
#endif
-#endif /* OPENSSL_HEADER_POOL_INTERNAL_H */
+#endif // OPENSSL_HEADER_POOL_INTERNAL_H
diff --git a/src/crypto/pool/pool.c b/src/crypto/pool/pool.c
index 44d10af..9cfbf1e 100644
--- a/src/crypto/pool/pool.c
+++ b/src/crypto/pool/pool.c
@@ -125,8 +125,8 @@
CRYPTO_MUTEX_unlock_write(&pool->lock);
if (!inserted) {
- /* We raced to insert |buf| into the pool and lost, or else there was an
- * error inserting. */
+ // We raced to insert |buf| into the pool and lost, or else there was an
+ // error inserting.
OPENSSL_free(buf->data);
OPENSSL_free(buf);
return duplicate;
@@ -147,9 +147,9 @@
CRYPTO_BUFFER_POOL *const pool = buf->pool;
if (pool == NULL) {
if (CRYPTO_refcount_dec_and_test_zero(&buf->references)) {
- /* If a reference count of zero is observed, there cannot be a reference
- * from any pool to this buffer and thus we are able to free this
- * buffer. */
+ // If a reference count of zero is observed, there cannot be a reference
+ // from any pool to this buffer and thus we are able to free this
+ // buffer.
OPENSSL_free(buf->data);
OPENSSL_free(buf);
}
@@ -163,10 +163,10 @@
return;
}
- /* We have an exclusive lock on the pool, therefore no concurrent lookups can
- * find this buffer and increment the reference count. Thus, if the count is
- * zero there are and can never be any more references and thus we can free
- * this buffer. */
+ // We have an exclusive lock on the pool, therefore no concurrent lookups can
+ // find this buffer and increment the reference count. Thus, if the count is
+ // zero there are and can never be any more references and thus we can free
+ // this buffer.
void *found = lh_CRYPTO_BUFFER_delete(pool->bufs, buf);
assert(found != NULL);
assert(found == buf);
@@ -177,12 +177,12 @@
}
int CRYPTO_BUFFER_up_ref(CRYPTO_BUFFER *buf) {
- /* This is safe in the case that |buf->pool| is NULL because it's just
- * standard reference counting in that case.
- *
- * This is also safe if |buf->pool| is non-NULL because, if it were racing
- * with |CRYPTO_BUFFER_free| then the two callers must have independent
- * references already and so the reference count will never hit zero. */
+ // This is safe in the case that |buf->pool| is NULL because it's just
+ // standard reference counting in that case.
+ //
+ // This is also safe if |buf->pool| is non-NULL because, if it were racing
+ // with |CRYPTO_BUFFER_free| then the two callers must have independent
+ // references already and so the reference count will never hit zero.
CRYPTO_refcount_inc(&buf->references);
return 1;
}
diff --git a/src/crypto/rand_extra/deterministic.c b/src/crypto/rand_extra/deterministic.c
index 5d3a9ce..17fa71e 100644
--- a/src/crypto/rand_extra/deterministic.c
+++ b/src/crypto/rand_extra/deterministic.c
@@ -24,11 +24,11 @@
#include "../fipsmodule/rand/internal.h"
-/* g_num_calls is the number of calls to |CRYPTO_sysrand| that have occurred.
- *
- * This is intentionally not thread-safe. If the fuzzer mode is ever used in a
- * multi-threaded program, replace this with a thread-local. (A mutex would not
- * be deterministic.) */
+// g_num_calls is the number of calls to |CRYPTO_sysrand| that have occurred.
+//
+// This is intentionally not thread-safe. If the fuzzer mode is ever used in a
+// multi-threaded program, replace this with a thread-local. (A mutex would not
+// be deterministic.)
static uint64_t g_num_calls = 0;
void RAND_reset_for_fuzzing(void) { g_num_calls = 0; }
@@ -45,4 +45,4 @@
g_num_calls++;
}
-#endif /* BORINGSSL_UNSAFE_DETERMINISTIC_MODE */
+#endif // BORINGSSL_UNSAFE_DETERMINISTIC_MODE
diff --git a/src/crypto/rand_extra/forkunsafe.c b/src/crypto/rand_extra/forkunsafe.c
index 1a3977f..0f1ecec 100644
--- a/src/crypto/rand_extra/forkunsafe.c
+++ b/src/crypto/rand_extra/forkunsafe.c
@@ -19,14 +19,15 @@
#include "../fipsmodule/rand/internal.h"
-/* g_buffering_enabled is true if fork-unsafe buffering has been enabled. */
+// g_buffering_enabled is true if fork-unsafe buffering has been enabled.
static int g_buffering_enabled = 0;
-/* g_lock protects |g_buffering_enabled|. */
+// g_lock protects |g_buffering_enabled|.
static struct CRYPTO_STATIC_MUTEX g_lock = CRYPTO_STATIC_MUTEX_INIT;
+#if !defined(OPENSSL_WINDOWS)
void RAND_enable_fork_unsafe_buffering(int fd) {
- /* We no longer support setting the file-descriptor with this function. */
+ // We no longer support setting the file-descriptor with this function.
if (fd != -1) {
abort();
}
@@ -35,6 +36,7 @@
g_buffering_enabled = 1;
CRYPTO_STATIC_MUTEX_unlock_write(&g_lock);
}
+#endif
int rand_fork_unsafe_buffering_enabled(void) {
CRYPTO_STATIC_MUTEX_lock_read(&g_lock);
diff --git a/src/crypto/rand_extra/fuchsia.c b/src/crypto/rand_extra/fuchsia.c
index 9711c1d..9355d8c 100644
--- a/src/crypto/rand_extra/fuchsia.c
+++ b/src/crypto/rand_extra/fuchsia.c
@@ -40,4 +40,4 @@
}
}
-#endif /* OPENSSL_FUCHSIA && !BORINGSSL_UNSAFE_DETERMINISTIC_MODE */
+#endif // OPENSSL_FUCHSIA && !BORINGSSL_UNSAFE_DETERMINISTIC_MODE
diff --git a/src/crypto/rand_extra/rand_extra.c b/src/crypto/rand_extra/rand_extra.c
index 3b37e29..bed9e1e 100644
--- a/src/crypto/rand_extra/rand_extra.c
+++ b/src/crypto/rand_extra/rand_extra.c
@@ -18,14 +18,14 @@
void RAND_seed(const void *buf, int num) {
- /* OpenSSH calls |RAND_seed| before jailing on the assumption that any needed
- * file descriptors etc will be opened. */
+ // OpenSSH calls |RAND_seed| before jailing on the assumption that any needed
+ // file descriptors etc will be opened.
uint8_t unused;
RAND_bytes(&unused, sizeof(unused));
}
int RAND_load_file(const char *path, long num) {
- if (num < 0) { /* read the "whole file" */
+ if (num < 0) { // read the "whole file"
return 1;
} else if (num <= INT_MAX) {
return (int) num;
diff --git a/src/crypto/rand_extra/windows.c b/src/crypto/rand_extra/windows.c
index fb94847..c955587 100644
--- a/src/crypto/rand_extra/windows.c
+++ b/src/crypto/rand_extra/windows.c
@@ -23,9 +23,9 @@
#include <windows.h>
-/* #define needed to link in RtlGenRandom(), a.k.a. SystemFunction036. See the
- * "Community Additions" comment on MSDN here:
- * http://msdn.microsoft.com/en-us/library/windows/desktop/aa387694.aspx */
+// #define needed to link in RtlGenRandom(), a.k.a. SystemFunction036. See the
+// "Community Additions" comment on MSDN here:
+// http://msdn.microsoft.com/en-us/library/windows/desktop/aa387694.aspx
#define SystemFunction036 NTAPI SystemFunction036
#include <ntsecapi.h>
#undef SystemFunction036
@@ -50,4 +50,4 @@
return;
}
-#endif /* OPENSSL_WINDOWS && !BORINGSSL_UNSAFE_DETERMINISTIC_MODE */
+#endif // OPENSSL_WINDOWS && !BORINGSSL_UNSAFE_DETERMINISTIC_MODE
diff --git a/src/crypto/refcount_c11.c b/src/crypto/refcount_c11.c
index fbc0343..0a331a4 100644
--- a/src/crypto/refcount_c11.c
+++ b/src/crypto/refcount_c11.c
@@ -25,7 +25,7 @@
#include <openssl/type_check.h>
-/* See comment above the typedef of CRYPTO_refcount_t about these tests. */
+// See comment above the typedef of CRYPTO_refcount_t about these tests.
static_assert(alignof(CRYPTO_refcount_t) == alignof(_Atomic CRYPTO_refcount_t),
"_Atomic alters the needed alignment of a reference count");
static_assert(sizeof(CRYPTO_refcount_t) == sizeof(_Atomic CRYPTO_refcount_t),
@@ -64,4 +64,4 @@
}
}
-#endif /* OPENSSL_C11_ATOMIC */
+#endif // OPENSSL_C11_ATOMIC
diff --git a/src/crypto/refcount_lock.c b/src/crypto/refcount_lock.c
index ea6a06d..8b855d6 100644
--- a/src/crypto/refcount_lock.c
+++ b/src/crypto/refcount_lock.c
@@ -50,4 +50,4 @@
return ret;
}
-#endif /* OPENSSL_C11_ATOMIC */
+#endif // OPENSSL_C11_ATOMIC
diff --git a/src/crypto/rsa_extra/rsa_asn1.c b/src/crypto/rsa_extra/rsa_asn1.c
index 785044e..23c91bd 100644
--- a/src/crypto/rsa_extra/rsa_asn1.c
+++ b/src/crypto/rsa_extra/rsa_asn1.c
@@ -87,7 +87,7 @@
static int marshal_integer(CBB *cbb, BIGNUM *bn) {
if (bn == NULL) {
- /* An RSA object may be missing some components. */
+ // An RSA object may be missing some components.
OPENSSL_PUT_ERROR(RSA, RSA_R_VALUE_MISSING);
return 0;
}
@@ -124,10 +124,10 @@
}
RSA *RSA_parse_public_key_buggy(CBS *cbs) {
- /* Estonian IDs issued between September 2014 to September 2015 are
- * broken. See https://crbug.com/532048 and https://crbug.com/534766.
- *
- * TODO(davidben): Remove this code and callers in March 2016. */
+ // Estonian IDs issued between September 2014 to September 2015 are
+ // broken. See https://crbug.com/532048 and https://crbug.com/534766.
+ //
+ // TODO(davidben): Remove this code and callers in March 2016.
return parse_public_key(cbs, 1 /* buggy */);
}
@@ -169,8 +169,8 @@
return 1;
}
-/* kVersionTwoPrime is the value of the version field for a two-prime
- * RSAPrivateKey structure (RFC 3447). */
+// kVersionTwoPrime is the value of the version field for a two-prime
+// RSAPrivateKey structure (RFC 3447).
static const uint64_t kVersionTwoPrime = 0;
RSA *RSA_parse_private_key(CBS *cbs) {
diff --git a/src/crypto/stack/stack.c b/src/crypto/stack/stack.c
index f78209d..f6b4412 100644
--- a/src/crypto/stack/stack.c
+++ b/src/crypto/stack/stack.c
@@ -63,8 +63,8 @@
#include "../internal.h"
-/* kMinSize is the number of pointers that will be initially allocated in a new
- * stack. */
+// kMinSize is the number of pointers that will be initially allocated in a new
+// stack.
static const size_t kMinSize = 4;
_STACK *sk_new(stack_cmp_func comp) {
@@ -152,18 +152,18 @@
}
if (sk->num_alloc <= sk->num + 1) {
- /* Attempt to double the size of the array. */
+ // Attempt to double the size of the array.
size_t new_alloc = sk->num_alloc << 1;
size_t alloc_size = new_alloc * sizeof(void *);
void **data;
- /* If the doubling overflowed, try to increment. */
+ // If the doubling overflowed, try to increment.
if (new_alloc < sk->num_alloc || alloc_size / sizeof(void *) != new_alloc) {
new_alloc = sk->num_alloc + 1;
alloc_size = new_alloc * sizeof(void *);
}
- /* If the increment also overflowed, fail. */
+ // If the increment also overflowed, fail.
if (new_alloc < sk->num_alloc || alloc_size / sizeof(void *) != new_alloc) {
return 0;
}
@@ -229,7 +229,7 @@
}
if (sk->comp == NULL) {
- /* Use pointer equality when no comparison function has been set. */
+ // Use pointer equality when no comparison function has been set.
for (size_t i = 0; i < sk->num; i++) {
if (sk->data[i] == p) {
if (out_index) {
@@ -247,18 +247,18 @@
sk_sort(sk);
- /* sk->comp is a function that takes pointers to pointers to elements, but
- * qsort and bsearch take a comparison function that just takes pointers to
- * elements. However, since we're passing an array of pointers to
- * qsort/bsearch, we can just cast the comparison function and everything
- * works. */
+ // sk->comp is a function that takes pointers to pointers to elements, but
+ // qsort and bsearch take a comparison function that just takes pointers to
+ // elements. However, since we're passing an array of pointers to
+ // qsort/bsearch, we can just cast the comparison function and everything
+ // works.
const void *const *r = bsearch(&p, sk->data, sk->num, sizeof(void *),
(int (*)(const void *, const void *))sk->comp);
if (r == NULL) {
return 0;
}
size_t idx = ((void **)r) - sk->data;
- /* This function always returns the first result. */
+ // This function always returns the first result.
while (idx > 0 &&
sk->comp((const void **)&p, (const void **)&sk->data[idx - 1]) == 0) {
idx--;
@@ -329,7 +329,7 @@
return;
}
- /* See the comment in sk_find about this cast. */
+ // See the comment in sk_find about this cast.
comp_func = (int (*)(const void *, const void *))(sk->comp);
qsort(sk->data, sk->num, sizeof(void *), comp_func);
sk->sorted = 1;
diff --git a/src/crypto/test/file_test.h b/src/crypto/test/file_test.h
index fd1dcd7..204ef9c 100644
--- a/src/crypto/test/file_test.h
+++ b/src/crypto/test/file_test.h
@@ -246,4 +246,4 @@
// name of a test file embedded in the test binary.
void FileTestGTest(const char *path, std::function<void(FileTest *)> run_test);
-#endif /* OPENSSL_HEADER_CRYPTO_TEST_FILE_TEST_H */
+#endif // OPENSSL_HEADER_CRYPTO_TEST_FILE_TEST_H
diff --git a/src/crypto/test/gtest_main.h b/src/crypto/test/gtest_main.h
index 395b281..759aaf7 100644
--- a/src/crypto/test/gtest_main.h
+++ b/src/crypto/test/gtest_main.h
@@ -75,4 +75,4 @@
} // namespace bssl
-#endif /* OPENSSL_HEADER_CRYPTO_TEST_GTEST_MAIN_H */
+#endif // OPENSSL_HEADER_CRYPTO_TEST_GTEST_MAIN_H
diff --git a/src/crypto/test/malloc.cc b/src/crypto/test/malloc.cc
index bcd7974..5f0bc6e 100644
--- a/src/crypto/test/malloc.cc
+++ b/src/crypto/test/malloc.cc
@@ -140,4 +140,4 @@
} // extern "C"
-#endif /* defined(linux) && GLIBC && !ARM && !AARCH64 && !ASAN */
+#endif // defined(linux) && GLIBC && !ARM && !AARCH64 && !ASAN
diff --git a/src/crypto/test/test_util.h b/src/crypto/test/test_util.h
index 3bf41ab..9c9ef58 100644
--- a/src/crypto/test/test_util.h
+++ b/src/crypto/test/test_util.h
@@ -62,4 +62,4 @@
std::ostream &operator<<(std::ostream &os, const Bytes &in);
-#endif /* OPENSSL_HEADER_CRYPTO_TEST_TEST_UTIL_H */
+#endif // OPENSSL_HEADER_CRYPTO_TEST_TEST_UTIL_H
diff --git a/src/crypto/thread_none.c b/src/crypto/thread_none.c
index 85768b4..718d960 100644
--- a/src/crypto/thread_none.c
+++ b/src/crypto/thread_none.c
@@ -56,4 +56,4 @@
return 1;
}
-#endif /* OPENSSL_NO_THREADS */
+#endif // OPENSSL_NO_THREADS
diff --git a/src/crypto/thread_pthread.c b/src/crypto/thread_pthread.c
index d9e87f2..90b3d60 100644
--- a/src/crypto/thread_pthread.c
+++ b/src/crypto/thread_pthread.c
@@ -173,4 +173,4 @@
return 1;
}
-#endif /* OPENSSL_PTHREADS */
+#endif // OPENSSL_PTHREADS
diff --git a/src/crypto/thread_test.cc b/src/crypto/thread_test.cc
index f1b04f3..2a6f60b 100644
--- a/src/crypto/thread_test.cc
+++ b/src/crypto/thread_test.cc
@@ -34,7 +34,7 @@
static DWORD WINAPI thread_run(LPVOID arg) {
void (*thread_func)(void);
- /* VC really doesn't like casting between data and function pointers. */
+ // VC really doesn't like casting between data and function pointers.
OPENSSL_memcpy(&thread_func, &arg, sizeof(thread_func));
thread_func();
return 0;
@@ -42,7 +42,7 @@
static int run_thread(thread_t *out_thread, void (*thread_func)(void)) {
void *arg;
- /* VC really doesn't like casting between data and function pointers. */
+ // VC really doesn't like casting between data and function pointers.
OPENSSL_memcpy(&arg, &thread_func, sizeof(arg));
*out_thread = CreateThread(NULL /* security attributes */,
@@ -78,15 +78,15 @@
return pthread_join(thread, NULL) == 0;
}
-#endif /* OPENSSL_WINDOWS */
+#endif // OPENSSL_WINDOWS
static unsigned g_once_init_called = 0;
static void once_init(void) {
g_once_init_called++;
- /* Sleep briefly so one |call_once_thread| instance will call |CRYPTO_once|
- * while the other is running this function. */
+ // Sleep briefly so one |call_once_thread| instance will call |CRYPTO_once|
+ // while the other is running this function.
#if defined(OPENSSL_WINDOWS)
Sleep(1 /* milliseconds */);
#else
@@ -129,9 +129,9 @@
TEST(ThreadTest, InitZeros) {
if (FIPS_mode()) {
- /* Our FIPS tooling currently requires that |CRYPTO_ONCE_INIT|,
- * |CRYPTO_STATIC_MUTEX_INIT| and |CRYPTO_EX_DATA_CLASS| are all zeros and
- * so can be placed in the BSS section. */
+ // Our FIPS tooling currently requires that |CRYPTO_ONCE_INIT|,
+ // |CRYPTO_STATIC_MUTEX_INIT| and |CRYPTO_EX_DATA_CLASS| are all zeros and
+ // so can be placed in the BSS section.
EXPECT_EQ(Bytes((uint8_t *)&once_bss, sizeof(once_bss)),
Bytes((uint8_t *)&once_init_value, sizeof(once_init_value)));
EXPECT_EQ(Bytes((uint8_t *)&mutex_bss, sizeof(mutex_bss)),
@@ -183,9 +183,9 @@
}
TEST(ThreadTest, RandState) {
- /* In FIPS mode, rand.c maintains a linked-list of thread-local data because
- * we're required to clear it on process exit. This test exercises removing a
- * value from that list. */
+ // In FIPS mode, rand.c maintains a linked-list of thread-local data because
+ // we're required to clear it on process exit. This test exercises removing a
+ // value from that list.
uint8_t buf[1];
RAND_bytes(buf, sizeof(buf));
@@ -197,4 +197,4 @@
ASSERT_TRUE(wait_for_thread(thread));
}
-#endif /* !OPENSSL_NO_THREADS */
+#endif // !OPENSSL_NO_THREADS
diff --git a/src/crypto/thread_win.c b/src/crypto/thread_win.c
index 62119b4..d6fa548 100644
--- a/src/crypto/thread_win.c
+++ b/src/crypto/thread_win.c
@@ -63,7 +63,7 @@
}
void CRYPTO_MUTEX_cleanup(CRYPTO_MUTEX *lock) {
- /* SRWLOCKs require no cleanup. */
+ // SRWLOCKs require no cleanup.
}
void CRYPTO_STATIC_MUTEX_lock_read(struct CRYPTO_STATIC_MUTEX *lock) {
@@ -100,11 +100,11 @@
static void NTAPI thread_local_destructor(PVOID module, DWORD reason,
PVOID reserved) {
- /* Only free memory on |DLL_THREAD_DETACH|, not |DLL_PROCESS_DETACH|. In
- * VS2015's debug runtime, the C runtime has been unloaded by the time
- * |DLL_PROCESS_DETACH| runs. See https://crbug.com/575795. This is consistent
- * with |pthread_key_create| which does not call destructors on process exit,
- * only thread exit. */
+ // Only free memory on |DLL_THREAD_DETACH|, not |DLL_PROCESS_DETACH|. In
+ // VS2015's debug runtime, the C runtime has been unloaded by the time
+ // |DLL_PROCESS_DETACH| runs. See https://crbug.com/575795. This is consistent
+ // with |pthread_key_create| which does not call destructors on process exit,
+ // only thread exit.
if (reason != DLL_THREAD_DETACH) {
return;
}
@@ -135,17 +135,17 @@
OPENSSL_free(pointers);
}
-/* Thread Termination Callbacks.
- *
- * Windows doesn't support a per-thread destructor with its TLS primitives.
- * So, we build it manually by inserting a function to be called on each
- * thread's exit. This magic is from http://www.codeproject.com/threads/tls.asp
- * and it works for VC++ 7.0 and later.
- *
- * Force a reference to _tls_used to make the linker create the TLS directory
- * if it's not already there. (E.g. if __declspec(thread) is not used). Force
- * a reference to p_thread_callback_boringssl to prevent whole program
- * optimization from discarding the variable. */
+// Thread Termination Callbacks.
+//
+// Windows doesn't support a per-thread destructor with its TLS primitives.
+// So, we build it manually by inserting a function to be called on each
+// thread's exit. This magic is from http://www.codeproject.com/threads/tls.asp
+// and it works for VC++ 7.0 and later.
+//
+// Force a reference to _tls_used to make the linker create the TLS directory
+// if it's not already there. (E.g. if __declspec(thread) is not used). Force
+// a reference to p_thread_callback_boringssl to prevent whole program
+// optimization from discarding the variable.
#ifdef _WIN64
#pragma comment(linker, "/INCLUDE:_tls_used")
#pragma comment(linker, "/INCLUDE:p_thread_callback_boringssl")
@@ -154,41 +154,41 @@
#pragma comment(linker, "/INCLUDE:_p_thread_callback_boringssl")
#endif
-/* .CRT$XLA to .CRT$XLZ is an array of PIMAGE_TLS_CALLBACK pointers that are
- * called automatically by the OS loader code (not the CRT) when the module is
- * loaded and on thread creation. They are NOT called if the module has been
- * loaded by a LoadLibrary() call. It must have implicitly been loaded at
- * process startup.
- *
- * By implicitly loaded, I mean that it is directly referenced by the main EXE
- * or by one of its dependent DLLs. Delay-loaded DLL doesn't count as being
- * implicitly loaded.
- *
- * See VC\crt\src\tlssup.c for reference. */
+// .CRT$XLA to .CRT$XLZ is an array of PIMAGE_TLS_CALLBACK pointers that are
+// called automatically by the OS loader code (not the CRT) when the module is
+// loaded and on thread creation. They are NOT called if the module has been
+// loaded by a LoadLibrary() call. It must have implicitly been loaded at
+// process startup.
+//
+// By implicitly loaded, I mean that it is directly referenced by the main EXE
+// or by one of its dependent DLLs. Delay-loaded DLL doesn't count as being
+// implicitly loaded.
+//
+// See VC\crt\src\tlssup.c for reference.
-/* The linker must not discard p_thread_callback_boringssl. (We force a reference
- * to this variable with a linker /INCLUDE:symbol pragma to ensure that.) If
- * this variable is discarded, the OnThreadExit function will never be
- * called. */
+// The linker must not discard p_thread_callback_boringssl. (We force a
+// reference to this variable with a linker /INCLUDE:symbol pragma to ensure
+// that.) If this variable is discarded, the OnThreadExit function will never
+// be called.
#ifdef _WIN64
-/* .CRT section is merged with .rdata on x64 so it must be constant data. */
+// .CRT section is merged with .rdata on x64 so it must be constant data.
#pragma const_seg(".CRT$XLC")
-/* When defining a const variable, it must have external linkage to be sure the
- * linker doesn't discard it. */
+// When defining a const variable, it must have external linkage to be sure the
+// linker doesn't discard it.
extern const PIMAGE_TLS_CALLBACK p_thread_callback_boringssl;
const PIMAGE_TLS_CALLBACK p_thread_callback_boringssl = thread_local_destructor;
-/* Reset the default section. */
+// Reset the default section.
#pragma const_seg()
#else
#pragma data_seg(".CRT$XLC")
PIMAGE_TLS_CALLBACK p_thread_callback_boringssl = thread_local_destructor;
-/* Reset the default section. */
+// Reset the default section.
#pragma data_seg()
-#endif /* _WIN64 */
+#endif // _WIN64
void *CRYPTO_get_thread_local(thread_local_data_t index) {
CRYPTO_once(&g_thread_local_init_once, thread_local_init);
@@ -234,4 +234,4 @@
return 1;
}
-#endif /* OPENSSL_WINDOWS_THREADS */
+#endif // OPENSSL_WINDOWS_THREADS
diff --git a/src/crypto/x509/x509_def.c b/src/crypto/x509/x509_def.c
index 2bf2240..cb34ea4 100644
--- a/src/crypto/x509/x509_def.c
+++ b/src/crypto/x509/x509_def.c
@@ -59,7 +59,12 @@
/* TODO(fork): cleanup */
+#if defined(OPENSSL_FUCHSIA)
+#define OPENSSLDIR "/system/data/boringssl"
+#else
#define OPENSSLDIR "/etc/ssl"
+#endif
+
#define X509_CERT_AREA OPENSSLDIR
#define X509_CERT_DIR OPENSSLDIR "/certs"
#define X509_CERT_FILE OPENSSLDIR "/cert.pem"
diff --git a/src/decrepit/bio/base64_bio.c b/src/decrepit/bio/base64_bio.c
index eef4e1a..139d562 100644
--- a/src/decrepit/bio/base64_bio.c
+++ b/src/decrepit/bio/base64_bio.c
@@ -78,11 +78,11 @@
typedef struct b64_struct {
int buf_len;
int buf_off;
- int tmp_len; /* used to find the start when decoding */
- int tmp_nl; /* If true, scan until '\n' */
+ int tmp_len; // used to find the start when decoding
+ int tmp_nl; // If true, scan until '\n'
int encode;
- int start; /* have we started decoding yet? */
- int cont; /* <= 0 when finished */
+ int start; // have we started decoding yet?
+ int cont; // <= 0 when finished
EVP_ENCODE_CTX base64;
char buf[EVP_ENCODE_LENGTH(B64_BLOCK_SIZE) + 10];
char tmp[B64_BLOCK_SIZE];
@@ -141,7 +141,7 @@
EVP_DecodeInit(&ctx->base64);
}
- /* First check if there are bytes decoded/encoded */
+ // First check if there are bytes decoded/encoded
if (ctx->buf_len > 0) {
assert(ctx->buf_len >= ctx->buf_off);
i = ctx->buf_len - ctx->buf_off;
@@ -160,8 +160,8 @@
}
}
- /* At this point, we have room of outl bytes and an empty buffer, so we
- * should read in some more. */
+ // At this point, we have room of outl bytes and an empty buffer, so we
+ // should read in some more.
ret_code = 0;
while (outl > 0) {
@@ -175,28 +175,28 @@
if (i <= 0) {
ret_code = i;
- /* Should we continue next time we are called? */
+ // Should we continue next time we are called?
if (!BIO_should_retry(b->next_bio)) {
ctx->cont = i;
- /* If buffer empty break */
+ // If buffer empty break
if (ctx->tmp_len == 0) {
break;
} else {
- /* Fall through and process what we have */
+ // Fall through and process what we have
i = 0;
}
} else {
- /* else we retry and add more data to buffer */
+ // else we retry and add more data to buffer
break;
}
}
i += ctx->tmp_len;
ctx->tmp_len = i;
- /* We need to scan, a line at a time until we have a valid line if we are
- * starting. */
+ // We need to scan, a line at a time until we have a valid line if we are
+ // starting.
if (ctx->start && (BIO_test_flags(b, BIO_FLAGS_BASE64_NO_NL))) {
- /* ctx->start = 1; */
+ // ctx->start = 1;
ctx->tmp_len = 0;
} else if (ctx->start) {
q = p = (uint8_t *)ctx->tmp;
@@ -206,8 +206,8 @@
continue;
}
- /* due to a previous very long line, we need to keep on scanning for a
- * '\n' before we even start looking for base64 encoded stuff. */
+ // due to a previous very long line, we need to keep on scanning for a
+ // '\n' before we even start looking for base64 encoded stuff.
if (ctx->tmp_nl) {
p = q;
ctx->tmp_nl = 0;
@@ -233,38 +233,38 @@
p = q;
}
- /* we fell off the end without starting */
+ // we fell off the end without starting
if (j == i && num == 0) {
- /* Is this is one long chunk?, if so, keep on reading until a new
- * line. */
+ // Is this is one long chunk?, if so, keep on reading until a new
+ // line.
if (p == (uint8_t *)&(ctx->tmp[0])) {
- /* Check buffer full */
+ // Check buffer full
if (i == B64_BLOCK_SIZE) {
ctx->tmp_nl = 1;
ctx->tmp_len = 0;
}
- } else if (p != q) { /* finished on a '\n' */
+ } else if (p != q) { // finished on a '\n'
n = q - p;
for (ii = 0; ii < n; ii++) {
ctx->tmp[ii] = p[ii];
}
ctx->tmp_len = n;
}
- /* else finished on a '\n' */
+ // else finished on a '\n'
continue;
} else {
ctx->tmp_len = 0;
}
} else if (i < B64_BLOCK_SIZE && ctx->cont > 0) {
- /* If buffer isn't full and we can retry then restart to read in more
- * data. */
+ // If buffer isn't full and we can retry then restart to read in more
+ // data.
continue;
}
if (BIO_test_flags(b, BIO_FLAGS_BASE64_NO_NL)) {
int z, jj;
- jj = i & ~3; /* process per 4 */
+ jj = i & ~3; // process per 4
z = EVP_DecodeBlock((uint8_t *)ctx->buf, (uint8_t *)ctx->tmp, jj);
if (jj > 2) {
if (ctx->tmp[jj - 1] == '=') {
@@ -274,7 +274,7 @@
}
}
}
- /* z is now number of output bytes and jj is the number consumed. */
+ // z is now number of output bytes and jj is the number consumed.
if (jj != i) {
OPENSSL_memmove(ctx->tmp, &ctx->tmp[jj], i - jj);
ctx->tmp_len = i - jj;
@@ -350,7 +350,7 @@
n -= i;
}
- /* at this point all pending data has been written. */
+ // at this point all pending data has been written.
ctx->buf_off = 0;
ctx->buf_len = 0;
@@ -365,7 +365,7 @@
if (ctx->tmp_len > 0) {
assert(ctx->tmp_len <= 3);
n = 3 - ctx->tmp_len;
- /* There's a theoretical possibility of this. */
+ // There's a theoretical possibility of this.
if (n > inl) {
n = inl;
}
@@ -380,8 +380,8 @@
assert(ctx->buf_len <= (int)sizeof(ctx->buf));
assert(ctx->buf_len >= ctx->buf_off);
- /* Since we're now done using the temporary buffer, the length should
- * be zeroed. */
+ // Since we're now done using the temporary buffer, the length should
+ // be zeroed.
ctx->tmp_len = 0;
} else {
if (n < 3) {
@@ -443,7 +443,7 @@
ret = BIO_ctrl(b->next_bio, cmd, num, ptr);
break;
- case BIO_CTRL_EOF: /* More to read */
+ case BIO_CTRL_EOF: // More to read
if (ctx->cont <= 0) {
ret = 1;
} else {
@@ -451,7 +451,7 @@
}
break;
- case BIO_CTRL_WPENDING: /* More to write in buffer */
+ case BIO_CTRL_WPENDING: // More to write in buffer
assert(ctx->buf_len >= ctx->buf_off);
ret = ctx->buf_len - ctx->buf_off;
if ((ret == 0) && (ctx->encode != B64_NONE) && (ctx->base64.data_used != 0)) {
@@ -461,7 +461,7 @@
}
break;
- case BIO_CTRL_PENDING: /* More to read in buffer */
+ case BIO_CTRL_PENDING: // More to read in buffer
assert(ctx->buf_len >= ctx->buf_off);
ret = ctx->buf_len - ctx->buf_off;
if (ret <= 0) {
@@ -470,7 +470,7 @@
break;
case BIO_CTRL_FLUSH:
- /* do a final write */
+ // do a final write
again:
while (ctx->buf_len != ctx->buf_off) {
i = b64_write(b, NULL, 0);
@@ -489,10 +489,10 @@
} else if (ctx->encode != B64_NONE && ctx->base64.data_used != 0) {
ctx->buf_off = 0;
EVP_EncodeFinal(&(ctx->base64), (uint8_t *)ctx->buf, &(ctx->buf_len));
- /* push out the bytes */
+ // push out the bytes
goto again;
}
- /* Finally flush the underlying BIO */
+ // Finally flush the underlying BIO
ret = BIO_ctrl(b->next_bio, cmd, num, ptr);
break;
diff --git a/src/decrepit/cast/cast.c b/src/decrepit/cast/cast.c
index 75ea656..8d80aba 100644
--- a/src/decrepit/cast/cast.c
+++ b/src/decrepit/cast/cast.c
@@ -348,9 +348,9 @@
}
}
-/* The input and output encrypted as though 64bit cfb mode is being used. The
- * extra state information to record how much of the 64bit block we have used
- * is contained in *num. */
+// The input and output encrypted as though 64bit cfb mode is being used. The
+// extra state information to record how much of the 64bit block we have used
+// is contained in *num.
void CAST_cfb64_encrypt(const uint8_t *in, uint8_t *out, long length,
const CAST_KEY *schedule, uint8_t *ivec, int *num,
int enc) {
diff --git a/src/decrepit/cast/internal.h b/src/decrepit/cast/internal.h
index 15e2222..cc53691 100644
--- a/src/decrepit/cast/internal.h
+++ b/src/decrepit/cast/internal.h
@@ -75,7 +75,7 @@
#if defined(__cplusplus)
-} /* extern C */
+} // extern C
#endif
-#endif /* OPENSSL_HEADER_CAST_INTERNAL_H */
+#endif // OPENSSL_HEADER_CAST_INTERNAL_H
diff --git a/src/decrepit/des/cfb64ede.c b/src/decrepit/des/cfb64ede.c
index 822ca44..6c39923 100644
--- a/src/decrepit/des/cfb64ede.c
+++ b/src/decrepit/des/cfb64ede.c
@@ -62,9 +62,9 @@
#include "../../crypto/internal.h"
-/* The input and output encrypted as though 64bit cfb mode is being used. The
- * extra state information to record how much of the 64bit block we have used
- * is contained in *num; */
+// The input and output encrypted as though 64bit cfb mode is being used. The
+// extra state information to record how much of the 64bit block we have used
+// is contained in *num;
void DES_ede3_cfb64_encrypt(const uint8_t *in, uint8_t *out,
long length, DES_key_schedule *ks1,
DES_key_schedule *ks2, DES_key_schedule *ks3,
@@ -126,8 +126,8 @@
*num = n;
}
-/* This is compatible with the single key CFB-r for DES, even thought that's
- * not what EVP needs. */
+// This is compatible with the single key CFB-r for DES, even thought that's
+// not what EVP needs.
void DES_ede3_cfb_encrypt(const uint8_t *in, uint8_t *out, int numbits,
long length, DES_key_schedule *ks1,
@@ -160,8 +160,8 @@
d1 ^= ti[1];
l2cn(d0, d1, out, n);
out += n;
- /* 30-08-94 - eay - changed because l>>32 and l<<32 are bad under
- * gcc :-( */
+ // 30-08-94 - eay - changed because l>>32 and l<<32 are bad under
+ // gcc :-(
if (num == 32) {
v0 = v1;
v1 = d0;
@@ -174,9 +174,9 @@
l2c(v1, iv);
l2c(d0, iv);
l2c(d1, iv);
- /* shift ovec left most of the bits... */
+ // shift ovec left most of the bits...
OPENSSL_memmove(ovec, ovec + num / 8, 8 + (num % 8 ? 1 : 0));
- /* now the remaining bits */
+ // now the remaining bits
if (num % 8 != 0) {
for (i = 0; i < 8; ++i) {
ovec[i] <<= num % 8;
@@ -196,8 +196,8 @@
DES_encrypt3(ti, ks1, ks2, ks3);
c2ln(in, d0, d1, n);
in += n;
- /* 30-08-94 - eay - changed because l>>32 and l<<32 are bad under
- * gcc :-( */
+ // 30-08-94 - eay - changed because l>>32 and l<<32 are bad under
+ // gcc :-(
if (num == 32) {
v0 = v1;
v1 = d0;
@@ -210,9 +210,9 @@
l2c(v1, iv);
l2c(d0, iv);
l2c(d1, iv);
- /* shift ovec left most of the bits... */
+ // shift ovec left most of the bits...
OPENSSL_memmove(ovec, ovec + num / 8, 8 + (num % 8 ? 1 : 0));
- /* now the remaining bits */
+ // now the remaining bits
if (num % 8 != 0) {
for (i = 0; i < 8; ++i) {
ovec[i] <<= num % 8;
diff --git a/src/decrepit/dh/dh_decrepit.c b/src/decrepit/dh/dh_decrepit.c
index 1d38c12..c24c5af 100644
--- a/src/decrepit/dh/dh_decrepit.c
+++ b/src/decrepit/dh/dh_decrepit.c
@@ -59,8 +59,8 @@
void *arg;
};
-/* callback_wrapper converts an “old” style generation callback to the newer
- * |BN_GENCB| form. */
+// callback_wrapper converts an “old” style generation callback to the newer
+// |BN_GENCB| form.
static int callback_wrapper(int event, int n, BN_GENCB *gencb) {
struct wrapped_callback *wrapped = (struct wrapped_callback *) gencb->arg;
wrapped->callback(event, n, wrapped->arg);
diff --git a/src/decrepit/dsa/dsa_decrepit.c b/src/decrepit/dsa/dsa_decrepit.c
index aef8056..0ca75a9 100644
--- a/src/decrepit/dsa/dsa_decrepit.c
+++ b/src/decrepit/dsa/dsa_decrepit.c
@@ -59,8 +59,8 @@
void *arg;
};
-/* callback_wrapper converts an “old” style generation callback to the newer
- * |BN_GENCB| form. */
+// callback_wrapper converts an “old” style generation callback to the newer
+// |BN_GENCB| form.
static int callback_wrapper(int event, int n, BN_GENCB *gencb) {
struct wrapped_callback *wrapped = (struct wrapped_callback *) gencb->arg;
wrapped->callback(event, n, wrapped->arg);
diff --git a/src/decrepit/evp/evp_do_all.c b/src/decrepit/evp/evp_do_all.c
index 621c0b1..38b8f9f 100644
--- a/src/decrepit/evp/evp_do_all.c
+++ b/src/decrepit/evp/evp_do_all.c
@@ -36,7 +36,7 @@
callback(EVP_rc2_cbc(), "RC2-CBC", NULL, arg);
callback(EVP_rc4(), "RC4", NULL, arg);
- /* OpenSSL returns everything twice, the second time in lower case. */
+ // OpenSSL returns everything twice, the second time in lower case.
callback(EVP_aes_128_cbc(), "aes-128-cbc", NULL, arg);
callback(EVP_aes_128_ctr(), "aes-128-ctr", NULL, arg);
callback(EVP_aes_128_ecb(), "aes-128-ecb", NULL, arg);
diff --git a/src/decrepit/macros.h b/src/decrepit/macros.h
index 228183a..6c598d4 100644
--- a/src/decrepit/macros.h
+++ b/src/decrepit/macros.h
@@ -58,7 +58,7 @@
#define OPENSSL_HEADER_DECREPIT_MACROS_H
-/* NOTE - c is not incremented as per n2l */
+// NOTE - c is not incremented as per n2l
#define n2ln(c, l1, l2, n) \
{ \
c += n; \
@@ -83,7 +83,7 @@
} \
}
-/* NOTE - c is not incremented as per l2n */
+// NOTE - c is not incremented as per l2n
#define l2nn(l1, l2, c, n) \
{ \
c += n; \
@@ -120,4 +120,4 @@
l |= ((unsigned long)(*((c)++))))
-#endif /* OPENSSL_HEADER_DECREPIT_MACROS_H */
+#endif // OPENSSL_HEADER_DECREPIT_MACROS_H
diff --git a/src/decrepit/ripemd/internal.h b/src/decrepit/ripemd/internal.h
index 891d6a7..fe172ca 100644
--- a/src/decrepit/ripemd/internal.h
+++ b/src/decrepit/ripemd/internal.h
@@ -93,7 +93,7 @@
#include "../../crypto/fipsmodule/digest/md32_common.h"
-/* Transformed F2 and F4 are courtesy of Wei Dai <weidai@eskimo.com> */
+// Transformed F2 and F4 are courtesy of Wei Dai <weidai@eskimo.com>
#define F1(x, y, z) ((x) ^ (y) ^ (z))
#define F2(x, y, z) ((((y) ^ (z)) & (x)) ^ (z))
#define F3(x, y, z) (((~(y)) | (x)) ^ (z))
@@ -487,7 +487,7 @@
#if defined(__cplusplus)
-} /* extern C */
+} // extern C
#endif
-#endif /* OPENSSL_HEADER_BN_INTERNAL_H */
+#endif // OPENSSL_HEADER_BN_INTERNAL_H
diff --git a/src/decrepit/ripemd/ripemd.c b/src/decrepit/ripemd/ripemd.c
index ab9bc32..275d439 100644
--- a/src/decrepit/ripemd/ripemd.c
+++ b/src/decrepit/ripemd/ripemd.c
@@ -208,7 +208,7 @@
c = C;
d = D;
e = E;
- /* Do other half */
+ // Do other half
A = h[0];
B = h[1];
C = h[2];
diff --git a/src/decrepit/ssl/ssl_decrepit.c b/src/decrepit/ssl/ssl_decrepit.c
index 12a03da..32f703e 100644
--- a/src/decrepit/ssl/ssl_decrepit.c
+++ b/src/decrepit/ssl/ssl_decrepit.c
@@ -131,7 +131,7 @@
int ret = 0;
for (;;) {
- /* |readdir| may fail with or without setting |errno|. */
+ // |readdir| may fail with or without setting |errno|.
errno = 0;
struct dirent *dirent = readdir(dir);
if (dirent == NULL) {
@@ -162,4 +162,4 @@
return ret;
}
-#endif /* !WINDOWS && !PNACL */
+#endif // !WINDOWS && !PNACL
diff --git a/src/decrepit/xts/xts.c b/src/decrepit/xts/xts.c
index b0eb572..e3189e5 100644
--- a/src/decrepit/xts/xts.c
+++ b/src/decrepit/xts/xts.c
@@ -171,7 +171,7 @@
union {
double align;
AES_KEY ks;
- } ks1, ks2; /* AES key schedules to use */
+ } ks1, ks2; // AES key schedules to use
XTS128_CONTEXT xts;
} EVP_AES_XTS_CTX;
@@ -183,7 +183,7 @@
}
if (key) {
- /* key_len is two AES keys */
+ // key_len is two AES keys
if (enc) {
AES_set_encrypt_key(key, ctx->key_len * 4, &xctx->ks1.ks);
xctx->xts.block1 = (block128_f) AES_encrypt;
@@ -241,7 +241,7 @@
} else if (type != EVP_CTRL_INIT) {
return -1;
}
- /* key1 and key2 are used as an indicator both key and IV are set */
+ // key1 and key2 are used as an indicator both key and IV are set
xctx->xts.key1 = NULL;
xctx->xts.key2 = NULL;
return 1;
diff --git a/src/include/openssl/aead.h b/src/include/openssl/aead.h
index dd2e418..7424e29 100644
--- a/src/include/openssl/aead.h
+++ b/src/include/openssl/aead.h
@@ -22,271 +22,271 @@
#endif
-/* Authenticated Encryption with Additional Data.
- *
- * AEAD couples confidentiality and integrity in a single primitive. AEAD
- * algorithms take a key and then can seal and open individual messages. Each
- * message has a unique, per-message nonce and, optionally, additional data
- * which is authenticated but not included in the ciphertext.
- *
- * The |EVP_AEAD_CTX_init| function initialises an |EVP_AEAD_CTX| structure and
- * performs any precomputation needed to use |aead| with |key|. The length of
- * the key, |key_len|, is given in bytes.
- *
- * The |tag_len| argument contains the length of the tags, in bytes, and allows
- * for the processing of truncated authenticators. A zero value indicates that
- * the default tag length should be used and this is defined as
- * |EVP_AEAD_DEFAULT_TAG_LENGTH| in order to make the code clear. Using
- * truncated tags increases an attacker's chance of creating a valid forgery.
- * Be aware that the attacker's chance may increase more than exponentially as
- * would naively be expected.
- *
- * When no longer needed, the initialised |EVP_AEAD_CTX| structure must be
- * passed to |EVP_AEAD_CTX_cleanup|, which will deallocate any memory used.
- *
- * With an |EVP_AEAD_CTX| in hand, one can seal and open messages. These
- * operations are intended to meet the standard notions of privacy and
- * authenticity for authenticated encryption. For formal definitions see
- * Bellare and Namprempre, "Authenticated encryption: relations among notions
- * and analysis of the generic composition paradigm," Lecture Notes in Computer
- * Science B<1976> (2000), 531–545,
- * http://www-cse.ucsd.edu/~mihir/papers/oem.html.
- *
- * When sealing messages, a nonce must be given. The length of the nonce is
- * fixed by the AEAD in use and is returned by |EVP_AEAD_nonce_length|. *The
- * nonce must be unique for all messages with the same key*. This is critically
- * important - nonce reuse may completely undermine the security of the AEAD.
- * Nonces may be predictable and public, so long as they are unique. Uniqueness
- * may be achieved with a simple counter or, if large enough, may be generated
- * randomly. The nonce must be passed into the "open" operation by the receiver
- * so must either be implicit (e.g. a counter), or must be transmitted along
- * with the sealed message.
- *
- * The "seal" and "open" operations are atomic - an entire message must be
- * encrypted or decrypted in a single call. Large messages may have to be split
- * up in order to accommodate this. When doing so, be mindful of the need not to
- * repeat nonces and the possibility that an attacker could duplicate, reorder
- * or drop message chunks. For example, using a single key for a given (large)
- * message and sealing chunks with nonces counting from zero would be secure as
- * long as the number of chunks was securely transmitted. (Otherwise an
- * attacker could truncate the message by dropping chunks from the end.)
- *
- * The number of chunks could be transmitted by prefixing it to the plaintext,
- * for example. This also assumes that no other message would ever use the same
- * key otherwise the rule that nonces must be unique for a given key would be
- * violated.
- *
- * The "seal" and "open" operations also permit additional data to be
- * authenticated via the |ad| parameter. This data is not included in the
- * ciphertext and must be identical for both the "seal" and "open" call. This
- * permits implicit context to be authenticated but may be empty if not needed.
- *
- * The "seal" and "open" operations may work in-place if the |out| and |in|
- * arguments are equal. Otherwise, if |out| and |in| alias, input data may be
- * overwritten before it is read. This situation will cause an error.
- *
- * The "seal" and "open" operations return one on success and zero on error. */
+// Authenticated Encryption with Additional Data.
+//
+// AEAD couples confidentiality and integrity in a single primitive. AEAD
+// algorithms take a key and then can seal and open individual messages. Each
+// message has a unique, per-message nonce and, optionally, additional data
+// which is authenticated but not included in the ciphertext.
+//
+// The |EVP_AEAD_CTX_init| function initialises an |EVP_AEAD_CTX| structure and
+// performs any precomputation needed to use |aead| with |key|. The length of
+// the key, |key_len|, is given in bytes.
+//
+// The |tag_len| argument contains the length of the tags, in bytes, and allows
+// for the processing of truncated authenticators. A zero value indicates that
+// the default tag length should be used and this is defined as
+// |EVP_AEAD_DEFAULT_TAG_LENGTH| in order to make the code clear. Using
+// truncated tags increases an attacker's chance of creating a valid forgery.
+// Be aware that the attacker's chance may increase more than exponentially as
+// would naively be expected.
+//
+// When no longer needed, the initialised |EVP_AEAD_CTX| structure must be
+// passed to |EVP_AEAD_CTX_cleanup|, which will deallocate any memory used.
+//
+// With an |EVP_AEAD_CTX| in hand, one can seal and open messages. These
+// operations are intended to meet the standard notions of privacy and
+// authenticity for authenticated encryption. For formal definitions see
+// Bellare and Namprempre, "Authenticated encryption: relations among notions
+// and analysis of the generic composition paradigm," Lecture Notes in Computer
+// Science B<1976> (2000), 531–545,
+// http://www-cse.ucsd.edu/~mihir/papers/oem.html.
+//
+// When sealing messages, a nonce must be given. The length of the nonce is
+// fixed by the AEAD in use and is returned by |EVP_AEAD_nonce_length|. *The
+// nonce must be unique for all messages with the same key*. This is critically
+// important - nonce reuse may completely undermine the security of the AEAD.
+// Nonces may be predictable and public, so long as they are unique. Uniqueness
+// may be achieved with a simple counter or, if large enough, may be generated
+// randomly. The nonce must be passed into the "open" operation by the receiver
+// so must either be implicit (e.g. a counter), or must be transmitted along
+// with the sealed message.
+//
+// The "seal" and "open" operations are atomic - an entire message must be
+// encrypted or decrypted in a single call. Large messages may have to be split
+// up in order to accommodate this. When doing so, be mindful of the need not to
+// repeat nonces and the possibility that an attacker could duplicate, reorder
+// or drop message chunks. For example, using a single key for a given (large)
+// message and sealing chunks with nonces counting from zero would be secure as
+// long as the number of chunks was securely transmitted. (Otherwise an
+// attacker could truncate the message by dropping chunks from the end.)
+//
+// The number of chunks could be transmitted by prefixing it to the plaintext,
+// for example. This also assumes that no other message would ever use the same
+// key otherwise the rule that nonces must be unique for a given key would be
+// violated.
+//
+// The "seal" and "open" operations also permit additional data to be
+// authenticated via the |ad| parameter. This data is not included in the
+// ciphertext and must be identical for both the "seal" and "open" call. This
+// permits implicit context to be authenticated but may be empty if not needed.
+//
+// The "seal" and "open" operations may work in-place if the |out| and |in|
+// arguments are equal. Otherwise, if |out| and |in| alias, input data may be
+// overwritten before it is read. This situation will cause an error.
+//
+// The "seal" and "open" operations return one on success and zero on error.
-/* AEAD algorithms. */
+// AEAD algorithms.
-/* EVP_aead_aes_128_gcm is AES-128 in Galois Counter Mode. */
+// EVP_aead_aes_128_gcm is AES-128 in Galois Counter Mode.
OPENSSL_EXPORT const EVP_AEAD *EVP_aead_aes_128_gcm(void);
-/* EVP_aead_aes_256_gcm is AES-256 in Galois Counter Mode. */
+// EVP_aead_aes_256_gcm is AES-256 in Galois Counter Mode.
OPENSSL_EXPORT const EVP_AEAD *EVP_aead_aes_256_gcm(void);
-/* EVP_aead_chacha20_poly1305 is the AEAD built from ChaCha20 and
- * Poly1305 as described in RFC 7539. */
+// EVP_aead_chacha20_poly1305 is the AEAD built from ChaCha20 and
+// Poly1305 as described in RFC 7539.
OPENSSL_EXPORT const EVP_AEAD *EVP_aead_chacha20_poly1305(void);
-/* EVP_aead_aes_128_ctr_hmac_sha256 is AES-128 in CTR mode with HMAC-SHA256 for
- * authentication. The nonce is 12 bytes; the bottom 32-bits are used as the
- * block counter, thus the maximum plaintext size is 64GB. */
+// EVP_aead_aes_128_ctr_hmac_sha256 is AES-128 in CTR mode with HMAC-SHA256 for
+// authentication. The nonce is 12 bytes; the bottom 32-bits are used as the
+// block counter, thus the maximum plaintext size is 64GB.
OPENSSL_EXPORT const EVP_AEAD *EVP_aead_aes_128_ctr_hmac_sha256(void);
-/* EVP_aead_aes_256_ctr_hmac_sha256 is AES-256 in CTR mode with HMAC-SHA256 for
- * authentication. See |EVP_aead_aes_128_ctr_hmac_sha256| for details. */
+// EVP_aead_aes_256_ctr_hmac_sha256 is AES-256 in CTR mode with HMAC-SHA256 for
+// authentication. See |EVP_aead_aes_128_ctr_hmac_sha256| for details.
OPENSSL_EXPORT const EVP_AEAD *EVP_aead_aes_256_ctr_hmac_sha256(void);
-/* EVP_aead_aes_128_gcm_siv is AES-128 in GCM-SIV mode. See
- * https://tools.ietf.org/html/draft-irtf-cfrg-gcmsiv-02 */
+// EVP_aead_aes_128_gcm_siv is AES-128 in GCM-SIV mode. See
+// https://tools.ietf.org/html/draft-irtf-cfrg-gcmsiv-02
OPENSSL_EXPORT const EVP_AEAD *EVP_aead_aes_128_gcm_siv(void);
-/* EVP_aead_aes_256_gcm_siv is AES-256 in GCM-SIV mode. See
- * https://tools.ietf.org/html/draft-irtf-cfrg-gcmsiv-02 */
+// EVP_aead_aes_256_gcm_siv is AES-256 in GCM-SIV mode. See
+// https://tools.ietf.org/html/draft-irtf-cfrg-gcmsiv-02
OPENSSL_EXPORT const EVP_AEAD *EVP_aead_aes_256_gcm_siv(void);
-/* EVP_has_aes_hardware returns one if we enable hardware support for fast and
- * constant-time AES-GCM. */
+// EVP_has_aes_hardware returns one if we enable hardware support for fast and
+// constant-time AES-GCM.
OPENSSL_EXPORT int EVP_has_aes_hardware(void);
-/* Utility functions. */
+// Utility functions.
-/* EVP_AEAD_key_length returns the length, in bytes, of the keys used by
- * |aead|. */
+// EVP_AEAD_key_length returns the length, in bytes, of the keys used by
+// |aead|.
OPENSSL_EXPORT size_t EVP_AEAD_key_length(const EVP_AEAD *aead);
-/* EVP_AEAD_nonce_length returns the length, in bytes, of the per-message nonce
- * for |aead|. */
+// EVP_AEAD_nonce_length returns the length, in bytes, of the per-message nonce
+// for |aead|.
OPENSSL_EXPORT size_t EVP_AEAD_nonce_length(const EVP_AEAD *aead);
-/* EVP_AEAD_max_overhead returns the maximum number of additional bytes added
- * by the act of sealing data with |aead|. */
+// EVP_AEAD_max_overhead returns the maximum number of additional bytes added
+// by the act of sealing data with |aead|.
OPENSSL_EXPORT size_t EVP_AEAD_max_overhead(const EVP_AEAD *aead);
-/* EVP_AEAD_max_tag_len returns the maximum tag length when using |aead|. This
- * is the largest value that can be passed as |tag_len| to
- * |EVP_AEAD_CTX_init|. */
+// EVP_AEAD_max_tag_len returns the maximum tag length when using |aead|. This
+// is the largest value that can be passed as |tag_len| to
+// |EVP_AEAD_CTX_init|.
OPENSSL_EXPORT size_t EVP_AEAD_max_tag_len(const EVP_AEAD *aead);
-/* AEAD operations. */
+// AEAD operations.
-/* An EVP_AEAD_CTX represents an AEAD algorithm configured with a specific key
- * and message-independent IV. */
+// An EVP_AEAD_CTX represents an AEAD algorithm configured with a specific key
+// and message-independent IV.
typedef struct evp_aead_ctx_st {
const EVP_AEAD *aead;
- /* aead_state is an opaque pointer to whatever state the AEAD needs to
- * maintain. */
+ // aead_state is an opaque pointer to whatever state the AEAD needs to
+ // maintain.
void *aead_state;
- /* tag_len may contain the actual length of the authentication tag if it is
- * known at initialization time. */
+ // tag_len may contain the actual length of the authentication tag if it is
+ // known at initialization time.
uint8_t tag_len;
} EVP_AEAD_CTX;
-/* EVP_AEAD_MAX_KEY_LENGTH contains the maximum key length used by
- * any AEAD defined in this header. */
+// EVP_AEAD_MAX_KEY_LENGTH contains the maximum key length used by
+// any AEAD defined in this header.
#define EVP_AEAD_MAX_KEY_LENGTH 80
-/* EVP_AEAD_MAX_NONCE_LENGTH contains the maximum nonce length used by
- * any AEAD defined in this header. */
+// EVP_AEAD_MAX_NONCE_LENGTH contains the maximum nonce length used by
+// any AEAD defined in this header.
#define EVP_AEAD_MAX_NONCE_LENGTH 16
-/* EVP_AEAD_MAX_OVERHEAD contains the maximum overhead used by any AEAD
- * defined in this header. */
+// EVP_AEAD_MAX_OVERHEAD contains the maximum overhead used by any AEAD
+// defined in this header.
#define EVP_AEAD_MAX_OVERHEAD 64
-/* EVP_AEAD_DEFAULT_TAG_LENGTH is a magic value that can be passed to
- * EVP_AEAD_CTX_init to indicate that the default tag length for an AEAD should
- * be used. */
+// EVP_AEAD_DEFAULT_TAG_LENGTH is a magic value that can be passed to
+// EVP_AEAD_CTX_init to indicate that the default tag length for an AEAD should
+// be used.
#define EVP_AEAD_DEFAULT_TAG_LENGTH 0
-/* EVP_AEAD_CTX_zero sets an uninitialized |ctx| to the zero state. It must be
- * initialized with |EVP_AEAD_CTX_init| before use. It is safe, but not
- * necessary, to call |EVP_AEAD_CTX_cleanup| in this state. This may be used for
- * more uniform cleanup of |EVP_AEAD_CTX|. */
+// EVP_AEAD_CTX_zero sets an uninitialized |ctx| to the zero state. It must be
+// initialized with |EVP_AEAD_CTX_init| before use. It is safe, but not
+// necessary, to call |EVP_AEAD_CTX_cleanup| in this state. This may be used for
+// more uniform cleanup of |EVP_AEAD_CTX|.
OPENSSL_EXPORT void EVP_AEAD_CTX_zero(EVP_AEAD_CTX *ctx);
-/* EVP_AEAD_CTX_new allocates an |EVP_AEAD_CTX|, calls |EVP_AEAD_CTX_init| and
- * returns the |EVP_AEAD_CTX|, or NULL on error. */
+// EVP_AEAD_CTX_new allocates an |EVP_AEAD_CTX|, calls |EVP_AEAD_CTX_init| and
+// returns the |EVP_AEAD_CTX|, or NULL on error.
OPENSSL_EXPORT EVP_AEAD_CTX *EVP_AEAD_CTX_new(const EVP_AEAD *aead,
const uint8_t *key,
size_t key_len, size_t tag_len);
-/* EVP_AEAD_CTX_free calls |EVP_AEAD_CTX_cleanup| and |OPENSSL_free| on
- * |ctx|. */
+// EVP_AEAD_CTX_free calls |EVP_AEAD_CTX_cleanup| and |OPENSSL_free| on
+// |ctx|.
OPENSSL_EXPORT void EVP_AEAD_CTX_free(EVP_AEAD_CTX *ctx);
-/* EVP_AEAD_CTX_init initializes |ctx| for the given AEAD algorithm. The |impl|
- * argument is ignored and should be NULL. Authentication tags may be truncated
- * by passing a size as |tag_len|. A |tag_len| of zero indicates the default
- * tag length and this is defined as EVP_AEAD_DEFAULT_TAG_LENGTH for
- * readability.
- *
- * Returns 1 on success. Otherwise returns 0 and pushes to the error stack. In
- * the error case, you do not need to call |EVP_AEAD_CTX_cleanup|, but it's
- * harmless to do so. */
+// EVP_AEAD_CTX_init initializes |ctx| for the given AEAD algorithm. The |impl|
+// argument is ignored and should be NULL. Authentication tags may be truncated
+// by passing a size as |tag_len|. A |tag_len| of zero indicates the default
+// tag length and this is defined as EVP_AEAD_DEFAULT_TAG_LENGTH for
+// readability.
+//
+// Returns 1 on success. Otherwise returns 0 and pushes to the error stack. In
+// the error case, you do not need to call |EVP_AEAD_CTX_cleanup|, but it's
+// harmless to do so.
OPENSSL_EXPORT int EVP_AEAD_CTX_init(EVP_AEAD_CTX *ctx, const EVP_AEAD *aead,
const uint8_t *key, size_t key_len,
size_t tag_len, ENGINE *impl);
-/* EVP_AEAD_CTX_cleanup frees any data allocated by |ctx|. It is a no-op to
- * call |EVP_AEAD_CTX_cleanup| on a |EVP_AEAD_CTX| that has been |memset| to
- * all zeros. */
+// EVP_AEAD_CTX_cleanup frees any data allocated by |ctx|. It is a no-op to
+// call |EVP_AEAD_CTX_cleanup| on a |EVP_AEAD_CTX| that has been |memset| to
+// all zeros.
OPENSSL_EXPORT void EVP_AEAD_CTX_cleanup(EVP_AEAD_CTX *ctx);
-/* EVP_AEAD_CTX_seal encrypts and authenticates |in_len| bytes from |in| and
- * authenticates |ad_len| bytes from |ad| and writes the result to |out|. It
- * returns one on success and zero otherwise.
- *
- * This function may be called concurrently with itself or any other seal/open
- * function on the same |EVP_AEAD_CTX|.
- *
- * At most |max_out_len| bytes are written to |out| and, in order to ensure
- * success, |max_out_len| should be |in_len| plus the result of
- * |EVP_AEAD_max_overhead|. On successful return, |*out_len| is set to the
- * actual number of bytes written.
- *
- * The length of |nonce|, |nonce_len|, must be equal to the result of
- * |EVP_AEAD_nonce_length| for this AEAD.
- *
- * |EVP_AEAD_CTX_seal| never results in a partial output. If |max_out_len| is
- * insufficient, zero will be returned. If any error occurs, |out| will be
- * filled with zero bytes and |*out_len| set to zero.
- *
- * If |in| and |out| alias then |out| must be == |in|. */
+// EVP_AEAD_CTX_seal encrypts and authenticates |in_len| bytes from |in| and
+// authenticates |ad_len| bytes from |ad| and writes the result to |out|. It
+// returns one on success and zero otherwise.
+//
+// This function may be called concurrently with itself or any other seal/open
+// function on the same |EVP_AEAD_CTX|.
+//
+// At most |max_out_len| bytes are written to |out| and, in order to ensure
+// success, |max_out_len| should be |in_len| plus the result of
+// |EVP_AEAD_max_overhead|. On successful return, |*out_len| is set to the
+// actual number of bytes written.
+//
+// The length of |nonce|, |nonce_len|, must be equal to the result of
+// |EVP_AEAD_nonce_length| for this AEAD.
+//
+// |EVP_AEAD_CTX_seal| never results in a partial output. If |max_out_len| is
+// insufficient, zero will be returned. If any error occurs, |out| will be
+// filled with zero bytes and |*out_len| set to zero.
+//
+// If |in| and |out| alias then |out| must be == |in|.
OPENSSL_EXPORT int EVP_AEAD_CTX_seal(const EVP_AEAD_CTX *ctx, uint8_t *out,
size_t *out_len, size_t max_out_len,
const uint8_t *nonce, size_t nonce_len,
const uint8_t *in, size_t in_len,
const uint8_t *ad, size_t ad_len);
-/* EVP_AEAD_CTX_open authenticates |in_len| bytes from |in| and |ad_len| bytes
- * from |ad| and decrypts at most |in_len| bytes into |out|. It returns one on
- * success and zero otherwise.
- *
- * This function may be called concurrently with itself or any other seal/open
- * function on the same |EVP_AEAD_CTX|.
- *
- * At most |in_len| bytes are written to |out|. In order to ensure success,
- * |max_out_len| should be at least |in_len|. On successful return, |*out_len|
- * is set to the the actual number of bytes written.
- *
- * The length of |nonce|, |nonce_len|, must be equal to the result of
- * |EVP_AEAD_nonce_length| for this AEAD.
- *
- * |EVP_AEAD_CTX_open| never results in a partial output. If |max_out_len| is
- * insufficient, zero will be returned. If any error occurs, |out| will be
- * filled with zero bytes and |*out_len| set to zero.
- *
- * If |in| and |out| alias then |out| must be == |in|. */
+// EVP_AEAD_CTX_open authenticates |in_len| bytes from |in| and |ad_len| bytes
+// from |ad| and decrypts at most |in_len| bytes into |out|. It returns one on
+// success and zero otherwise.
+//
+// This function may be called concurrently with itself or any other seal/open
+// function on the same |EVP_AEAD_CTX|.
+//
+// At most |in_len| bytes are written to |out|. In order to ensure success,
+// |max_out_len| should be at least |in_len|. On successful return, |*out_len|
+// is set to the the actual number of bytes written.
+//
+// The length of |nonce|, |nonce_len|, must be equal to the result of
+// |EVP_AEAD_nonce_length| for this AEAD.
+//
+// |EVP_AEAD_CTX_open| never results in a partial output. If |max_out_len| is
+// insufficient, zero will be returned. If any error occurs, |out| will be
+// filled with zero bytes and |*out_len| set to zero.
+//
+// If |in| and |out| alias then |out| must be == |in|.
OPENSSL_EXPORT int EVP_AEAD_CTX_open(const EVP_AEAD_CTX *ctx, uint8_t *out,
size_t *out_len, size_t max_out_len,
const uint8_t *nonce, size_t nonce_len,
const uint8_t *in, size_t in_len,
const uint8_t *ad, size_t ad_len);
-/* EVP_AEAD_CTX_seal_scatter encrypts and authenticates |in_len| bytes from |in|
- * and authenticates |ad_len| bytes from |ad|. It writes |in_len| bytes of
- * ciphertext to |out| and the authentication tag to |out_tag|. It returns one
- * on success and zero otherwise.
- *
- * This function may be called concurrently with itself or any other seal/open
- * function on the same |EVP_AEAD_CTX|.
- *
- * Exactly |in_len| bytes are written to |out|, and up to
- * |EVP_AEAD_max_overhead+extra_in_len| bytes to |out_tag|. On successful
- * return, |*out_tag_len| is set to the actual number of bytes written to
- * |out_tag|.
- *
- * |extra_in| may point to an additional plaintext input buffer if the cipher
- * supports it. If present, |extra_in_len| additional bytes of plaintext are
- * encrypted and authenticated, and the ciphertext is written (before the tag)
- * to |out_tag|. |max_out_tag_len| must be sized to allow for the additional
- * |extra_in_len| bytes.
- *
- * The length of |nonce|, |nonce_len|, must be equal to the result of
- * |EVP_AEAD_nonce_length| for this AEAD.
- *
- * |EVP_AEAD_CTX_seal_scatter| never results in a partial output. If
- * |max_out_tag_len| is insufficient, zero will be returned. If any error
- * occurs, |out| and |out_tag| will be filled with zero bytes and |*out_tag_len|
- * set to zero.
- *
- * If |in| and |out| alias then |out| must be == |in|. |out_tag| may not alias
- * any other argument. */
+// EVP_AEAD_CTX_seal_scatter encrypts and authenticates |in_len| bytes from |in|
+// and authenticates |ad_len| bytes from |ad|. It writes |in_len| bytes of
+// ciphertext to |out| and the authentication tag to |out_tag|. It returns one
+// on success and zero otherwise.
+//
+// This function may be called concurrently with itself or any other seal/open
+// function on the same |EVP_AEAD_CTX|.
+//
+// Exactly |in_len| bytes are written to |out|, and up to
+// |EVP_AEAD_max_overhead+extra_in_len| bytes to |out_tag|. On successful
+// return, |*out_tag_len| is set to the actual number of bytes written to
+// |out_tag|.
+//
+// |extra_in| may point to an additional plaintext input buffer if the cipher
+// supports it. If present, |extra_in_len| additional bytes of plaintext are
+// encrypted and authenticated, and the ciphertext is written (before the tag)
+// to |out_tag|. |max_out_tag_len| must be sized to allow for the additional
+// |extra_in_len| bytes.
+//
+// The length of |nonce|, |nonce_len|, must be equal to the result of
+// |EVP_AEAD_nonce_length| for this AEAD.
+//
+// |EVP_AEAD_CTX_seal_scatter| never results in a partial output. If
+// |max_out_tag_len| is insufficient, zero will be returned. If any error
+// occurs, |out| and |out_tag| will be filled with zero bytes and |*out_tag_len|
+// set to zero.
+//
+// If |in| and |out| alias then |out| must be == |in|. |out_tag| may not alias
+// any other argument.
OPENSSL_EXPORT int EVP_AEAD_CTX_seal_scatter(
const EVP_AEAD_CTX *ctx, uint8_t *out,
uint8_t *out_tag, size_t *out_tag_len, size_t max_out_tag_len,
@@ -295,39 +295,39 @@
const uint8_t *extra_in, size_t extra_in_len,
const uint8_t *ad, size_t ad_len);
-/* EVP_AEAD_CTX_open_gather decrypts and authenticates |in_len| bytes from |in|
- * and authenticates |ad_len| bytes from |ad| using |in_tag_len| bytes of
- * authentication tag from |in_tag|. If successful, it writes |in_len| bytes of
- * plaintext to |out|. It returns one on success and zero otherwise.
- *
- * This function may be called concurrently with itself or any other seal/open
- * function on the same |EVP_AEAD_CTX|.
- *
- * The length of |nonce|, |nonce_len|, must be equal to the result of
- * |EVP_AEAD_nonce_length| for this AEAD.
- *
- * |EVP_AEAD_CTX_open_gather| never results in a partial output. If any error
- * occurs, |out| will be filled with zero bytes.
- *
- * If |in| and |out| alias then |out| must be == |in|. */
+// EVP_AEAD_CTX_open_gather decrypts and authenticates |in_len| bytes from |in|
+// and authenticates |ad_len| bytes from |ad| using |in_tag_len| bytes of
+// authentication tag from |in_tag|. If successful, it writes |in_len| bytes of
+// plaintext to |out|. It returns one on success and zero otherwise.
+//
+// This function may be called concurrently with itself or any other seal/open
+// function on the same |EVP_AEAD_CTX|.
+//
+// The length of |nonce|, |nonce_len|, must be equal to the result of
+// |EVP_AEAD_nonce_length| for this AEAD.
+//
+// |EVP_AEAD_CTX_open_gather| never results in a partial output. If any error
+// occurs, |out| will be filled with zero bytes.
+//
+// If |in| and |out| alias then |out| must be == |in|.
OPENSSL_EXPORT int EVP_AEAD_CTX_open_gather(
const EVP_AEAD_CTX *ctx, uint8_t *out, const uint8_t *nonce,
size_t nonce_len, const uint8_t *in, size_t in_len, const uint8_t *in_tag,
size_t in_tag_len, const uint8_t *ad, size_t ad_len);
-/* EVP_AEAD_CTX_aead returns the underlying AEAD for |ctx|, or NULL if one has
- * not been set. */
+// EVP_AEAD_CTX_aead returns the underlying AEAD for |ctx|, or NULL if one has
+// not been set.
OPENSSL_EXPORT const EVP_AEAD *EVP_AEAD_CTX_aead(const EVP_AEAD_CTX *ctx);
-/* TLS-specific AEAD algorithms.
- *
- * These AEAD primitives do not meet the definition of generic AEADs. They are
- * all specific to TLS and should not be used outside of that context. They must
- * be initialized with |EVP_AEAD_CTX_init_with_direction|, are stateful, and may
- * not be used concurrently. Any nonces are used as IVs, so they must be
- * unpredictable. They only accept an |ad| parameter of length 11 (the standard
- * TLS one with length omitted). */
+// TLS-specific AEAD algorithms.
+//
+// These AEAD primitives do not meet the definition of generic AEADs. They are
+// all specific to TLS and should not be used outside of that context. They must
+// be initialized with |EVP_AEAD_CTX_init_with_direction|, are stateful, and may
+// not be used concurrently. Any nonces are used as IVs, so they must be
+// unpredictable. They only accept an |ad| parameter of length 11 (the standard
+// TLS one with length omitted).
OPENSSL_EXPORT const EVP_AEAD *EVP_aead_aes_128_cbc_sha1_tls(void);
OPENSSL_EXPORT const EVP_AEAD *EVP_aead_aes_128_cbc_sha1_tls_implicit_iv(void);
@@ -343,22 +343,22 @@
OPENSSL_EXPORT const EVP_AEAD *EVP_aead_null_sha1_tls(void);
-/* EVP_aead_aes_128_gcm_tls12 is AES-128 in Galois Counter Mode using the TLS
- * 1.2 nonce construction. */
+// EVP_aead_aes_128_gcm_tls12 is AES-128 in Galois Counter Mode using the TLS
+// 1.2 nonce construction.
OPENSSL_EXPORT const EVP_AEAD *EVP_aead_aes_128_gcm_tls12(void);
-/* EVP_aead_aes_256_gcm_tls12 is AES-256 in Galois Counter Mode using the TLS
- * 1.2 nonce construction. */
+// EVP_aead_aes_256_gcm_tls12 is AES-256 in Galois Counter Mode using the TLS
+// 1.2 nonce construction.
OPENSSL_EXPORT const EVP_AEAD *EVP_aead_aes_256_gcm_tls12(void);
-/* SSLv3-specific AEAD algorithms.
- *
- * These AEAD primitives do not meet the definition of generic AEADs. They are
- * all specific to SSLv3 and should not be used outside of that context. They
- * must be initialized with |EVP_AEAD_CTX_init_with_direction|, are stateful,
- * and may not be used concurrently. They only accept an |ad| parameter of
- * length 9 (the standard TLS one with length and version omitted). */
+// SSLv3-specific AEAD algorithms.
+//
+// These AEAD primitives do not meet the definition of generic AEADs. They are
+// all specific to SSLv3 and should not be used outside of that context. They
+// must be initialized with |EVP_AEAD_CTX_init_with_direction|, are stateful,
+// and may not be used concurrently. They only accept an |ad| parameter of
+// length 9 (the standard TLS one with length and version omitted).
OPENSSL_EXPORT const EVP_AEAD *EVP_aead_aes_128_cbc_sha1_ssl3(void);
OPENSSL_EXPORT const EVP_AEAD *EVP_aead_aes_256_cbc_sha1_ssl3(void);
@@ -366,33 +366,33 @@
OPENSSL_EXPORT const EVP_AEAD *EVP_aead_null_sha1_ssl3(void);
-/* Obscure functions. */
+// Obscure functions.
-/* evp_aead_direction_t denotes the direction of an AEAD operation. */
+// evp_aead_direction_t denotes the direction of an AEAD operation.
enum evp_aead_direction_t {
evp_aead_open,
evp_aead_seal,
};
-/* EVP_AEAD_CTX_init_with_direction calls |EVP_AEAD_CTX_init| for normal
- * AEADs. For TLS-specific and SSL3-specific AEADs, it initializes |ctx| for a
- * given direction. */
+// EVP_AEAD_CTX_init_with_direction calls |EVP_AEAD_CTX_init| for normal
+// AEADs. For TLS-specific and SSL3-specific AEADs, it initializes |ctx| for a
+// given direction.
OPENSSL_EXPORT int EVP_AEAD_CTX_init_with_direction(
EVP_AEAD_CTX *ctx, const EVP_AEAD *aead, const uint8_t *key, size_t key_len,
size_t tag_len, enum evp_aead_direction_t dir);
-/* EVP_AEAD_CTX_get_iv sets |*out_len| to the length of the IV for |ctx| and
- * sets |*out_iv| to point to that many bytes of the current IV. This is only
- * meaningful for AEADs with implicit IVs (i.e. CBC mode in SSLv3 and TLS 1.0).
- *
- * It returns one on success or zero on error. */
+// EVP_AEAD_CTX_get_iv sets |*out_len| to the length of the IV for |ctx| and
+// sets |*out_iv| to point to that many bytes of the current IV. This is only
+// meaningful for AEADs with implicit IVs (i.e. CBC mode in SSLv3 and TLS 1.0).
+//
+// It returns one on success or zero on error.
OPENSSL_EXPORT int EVP_AEAD_CTX_get_iv(const EVP_AEAD_CTX *ctx,
const uint8_t **out_iv, size_t *out_len);
-/* EVP_AEAD_CTX_tag_len computes the exact byte length of the tag written by
- * |EVP_AEAD_CTX_seal_scatter| and writes it to |*out_tag_len|. It returns one
- * on success or zero on error. |in_len| and |extra_in_len| must equal the
- * arguments of the same names passed to |EVP_AEAD_CTX_seal_scatter|. */
+// EVP_AEAD_CTX_tag_len computes the exact byte length of the tag written by
+// |EVP_AEAD_CTX_seal_scatter| and writes it to |*out_tag_len|. It returns one
+// on success or zero on error. |in_len| and |extra_in_len| must equal the
+// arguments of the same names passed to |EVP_AEAD_CTX_seal_scatter|.
OPENSSL_EXPORT int EVP_AEAD_CTX_tag_len(const EVP_AEAD_CTX *ctx,
size_t *out_tag_len,
const size_t in_len,
@@ -400,7 +400,7 @@
#if defined(__cplusplus)
-} /* extern C */
+} // extern C
#if !defined(BORINGSSL_NO_CXX)
extern "C++" {
@@ -420,4 +420,4 @@
#endif
-#endif /* OPENSSL_HEADER_AEAD_H */
+#endif // OPENSSL_HEADER_AEAD_H
diff --git a/src/include/openssl/aes.h b/src/include/openssl/aes.h
index 2aef918..1156585 100644
--- a/src/include/openssl/aes.h
+++ b/src/include/openssl/aes.h
@@ -56,115 +56,115 @@
#endif
-/* Raw AES functions. */
+// Raw AES functions.
#define AES_ENCRYPT 1
#define AES_DECRYPT 0
-/* AES_MAXNR is the maximum number of AES rounds. */
+// AES_MAXNR is the maximum number of AES rounds.
#define AES_MAXNR 14
#define AES_BLOCK_SIZE 16
-/* aes_key_st should be an opaque type, but EVP requires that the size be
- * known. */
+// aes_key_st should be an opaque type, but EVP requires that the size be
+// known.
struct aes_key_st {
uint32_t rd_key[4 * (AES_MAXNR + 1)];
unsigned rounds;
};
typedef struct aes_key_st AES_KEY;
-/* AES_set_encrypt_key configures |aeskey| to encrypt with the |bits|-bit key,
- * |key|.
- *
- * WARNING: unlike other OpenSSL functions, this returns zero on success and a
- * negative number on error. */
+// AES_set_encrypt_key configures |aeskey| to encrypt with the |bits|-bit key,
+// |key|.
+//
+// WARNING: unlike other OpenSSL functions, this returns zero on success and a
+// negative number on error.
OPENSSL_EXPORT int AES_set_encrypt_key(const uint8_t *key, unsigned bits,
AES_KEY *aeskey);
-/* AES_set_decrypt_key configures |aeskey| to decrypt with the |bits|-bit key,
- * |key|.
- *
- * WARNING: unlike other OpenSSL functions, this returns zero on success and a
- * negative number on error. */
+// AES_set_decrypt_key configures |aeskey| to decrypt with the |bits|-bit key,
+// |key|.
+//
+// WARNING: unlike other OpenSSL functions, this returns zero on success and a
+// negative number on error.
OPENSSL_EXPORT int AES_set_decrypt_key(const uint8_t *key, unsigned bits,
AES_KEY *aeskey);
-/* AES_encrypt encrypts a single block from |in| to |out| with |key|. The |in|
- * and |out| pointers may overlap. */
+// AES_encrypt encrypts a single block from |in| to |out| with |key|. The |in|
+// and |out| pointers may overlap.
OPENSSL_EXPORT void AES_encrypt(const uint8_t *in, uint8_t *out,
const AES_KEY *key);
-/* AES_decrypt decrypts a single block from |in| to |out| with |key|. The |in|
- * and |out| pointers may overlap. */
+// AES_decrypt decrypts a single block from |in| to |out| with |key|. The |in|
+// and |out| pointers may overlap.
OPENSSL_EXPORT void AES_decrypt(const uint8_t *in, uint8_t *out,
const AES_KEY *key);
-/* Block cipher modes. */
+// Block cipher modes.
-/* AES_ctr128_encrypt encrypts (or decrypts, it's the same in CTR mode) |len|
- * bytes from |in| to |out|. The |num| parameter must be set to zero on the
- * first call and |ivec| will be incremented. */
+// AES_ctr128_encrypt encrypts (or decrypts, it's the same in CTR mode) |len|
+// bytes from |in| to |out|. The |num| parameter must be set to zero on the
+// first call and |ivec| will be incremented.
OPENSSL_EXPORT void AES_ctr128_encrypt(const uint8_t *in, uint8_t *out,
size_t len, const AES_KEY *key,
uint8_t ivec[AES_BLOCK_SIZE],
uint8_t ecount_buf[AES_BLOCK_SIZE],
unsigned int *num);
-/* AES_ecb_encrypt encrypts (or decrypts, if |enc| == |AES_DECRYPT|) a single,
- * 16 byte block from |in| to |out|. */
+// AES_ecb_encrypt encrypts (or decrypts, if |enc| == |AES_DECRYPT|) a single,
+// 16 byte block from |in| to |out|.
OPENSSL_EXPORT void AES_ecb_encrypt(const uint8_t *in, uint8_t *out,
const AES_KEY *key, const int enc);
-/* AES_cbc_encrypt encrypts (or decrypts, if |enc| == |AES_DECRYPT|) |len|
- * bytes from |in| to |out|. The length must be a multiple of the block size. */
+// AES_cbc_encrypt encrypts (or decrypts, if |enc| == |AES_DECRYPT|) |len|
+// bytes from |in| to |out|. The length must be a multiple of the block size.
OPENSSL_EXPORT void AES_cbc_encrypt(const uint8_t *in, uint8_t *out, size_t len,
const AES_KEY *key, uint8_t *ivec,
const int enc);
-/* AES_ofb128_encrypt encrypts (or decrypts, it's the same in OFB mode) |len|
- * bytes from |in| to |out|. The |num| parameter must be set to zero on the
- * first call. */
+// AES_ofb128_encrypt encrypts (or decrypts, it's the same in OFB mode) |len|
+// bytes from |in| to |out|. The |num| parameter must be set to zero on the
+// first call.
OPENSSL_EXPORT void AES_ofb128_encrypt(const uint8_t *in, uint8_t *out,
size_t len, const AES_KEY *key,
uint8_t *ivec, int *num);
-/* AES_cfb128_encrypt encrypts (or decrypts, if |enc| == |AES_DECRYPT|) |len|
- * bytes from |in| to |out|. The |num| parameter must be set to zero on the
- * first call. */
+// AES_cfb128_encrypt encrypts (or decrypts, if |enc| == |AES_DECRYPT|) |len|
+// bytes from |in| to |out|. The |num| parameter must be set to zero on the
+// first call.
OPENSSL_EXPORT void AES_cfb128_encrypt(const uint8_t *in, uint8_t *out,
size_t len, const AES_KEY *key,
uint8_t *ivec, int *num, int enc);
-/* AES key wrap.
- *
- * These functions implement AES Key Wrap mode, as defined in RFC 3394. They
- * should never be used except to interoperate with existing systems that use
- * this mode. */
+// AES key wrap.
+//
+// These functions implement AES Key Wrap mode, as defined in RFC 3394. They
+// should never be used except to interoperate with existing systems that use
+// this mode.
-/* AES_wrap_key performs AES key wrap on |in| which must be a multiple of 8
- * bytes. |iv| must point to an 8 byte value or be NULL to use the default IV.
- * |key| must have been configured for encryption. On success, it writes
- * |in_len| + 8 bytes to |out| and returns |in_len| + 8. Otherwise, it returns
- * -1. */
+// AES_wrap_key performs AES key wrap on |in| which must be a multiple of 8
+// bytes. |iv| must point to an 8 byte value or be NULL to use the default IV.
+// |key| must have been configured for encryption. On success, it writes
+// |in_len| + 8 bytes to |out| and returns |in_len| + 8. Otherwise, it returns
+// -1.
OPENSSL_EXPORT int AES_wrap_key(const AES_KEY *key, const uint8_t *iv,
uint8_t *out, const uint8_t *in, size_t in_len);
-/* AES_unwrap_key performs AES key unwrap on |in| which must be a multiple of 8
- * bytes. |iv| must point to an 8 byte value or be NULL to use the default IV.
- * |key| must have been configured for decryption. On success, it writes
- * |in_len| - 8 bytes to |out| and returns |in_len| - 8. Otherwise, it returns
- * -1. */
+// AES_unwrap_key performs AES key unwrap on |in| which must be a multiple of 8
+// bytes. |iv| must point to an 8 byte value or be NULL to use the default IV.
+// |key| must have been configured for decryption. On success, it writes
+// |in_len| - 8 bytes to |out| and returns |in_len| - 8. Otherwise, it returns
+// -1.
OPENSSL_EXPORT int AES_unwrap_key(const AES_KEY *key, const uint8_t *iv,
uint8_t *out, const uint8_t *in,
size_t in_len);
#if defined(__cplusplus)
-} /* extern C */
+} // extern C
#endif
-#endif /* OPENSSL_HEADER_AES_H */
+#endif // OPENSSL_HEADER_AES_H
diff --git a/src/include/openssl/arm_arch.h b/src/include/openssl/arm_arch.h
index e7010f4..faa2655 100644
--- a/src/include/openssl/arm_arch.h
+++ b/src/include/openssl/arm_arch.h
@@ -69,10 +69,10 @@
# else
# define __ARMEL__
# endif
- /* Why doesn't gcc define __ARM_ARCH__? Instead it defines
- * bunch of below macros. See all_architectires[] table in
- * gcc/config/arm/arm.c. On a side note it defines
- * __ARMEL__/__ARMEB__ for little-/big-endian. */
+ // Why doesn't gcc define __ARM_ARCH__? Instead it defines
+ // bunch of below macros. See all_architectires[] table in
+ // gcc/config/arm/arm.c. On a side note it defines
+ // __ARMEL__/__ARMEB__ for little-/big-endian.
# elif defined(__ARM_ARCH)
# define __ARM_ARCH__ __ARM_ARCH
# elif defined(__ARM_ARCH_8A__)
@@ -98,24 +98,24 @@
# endif
#endif
-/* Even when building for 32-bit ARM, support for aarch64 crypto instructions
- * will be included. */
+// Even when building for 32-bit ARM, support for aarch64 crypto instructions
+// will be included.
#define __ARM_MAX_ARCH__ 8
-/* ARMV7_NEON is true when a NEON unit is present in the current CPU. */
+// ARMV7_NEON is true when a NEON unit is present in the current CPU.
#define ARMV7_NEON (1 << 0)
-/* ARMV8_AES indicates support for hardware AES instructions. */
+// ARMV8_AES indicates support for hardware AES instructions.
#define ARMV8_AES (1 << 2)
-/* ARMV8_SHA1 indicates support for hardware SHA-1 instructions. */
+// ARMV8_SHA1 indicates support for hardware SHA-1 instructions.
#define ARMV8_SHA1 (1 << 3)
-/* ARMV8_SHA256 indicates support for hardware SHA-256 instructions. */
+// ARMV8_SHA256 indicates support for hardware SHA-256 instructions.
#define ARMV8_SHA256 (1 << 4)
-/* ARMV8_PMULL indicates support for carryless multiplication. */
+// ARMV8_PMULL indicates support for carryless multiplication.
#define ARMV8_PMULL (1 << 5)
-#endif /* OPENSSL_HEADER_ARM_ARCH_H */
+#endif // OPENSSL_HEADER_ARM_ARCH_H
diff --git a/src/include/openssl/base.h b/src/include/openssl/base.h
index 6b43c76..a796c73 100644
--- a/src/include/openssl/base.h
+++ b/src/include/openssl/base.h
@@ -54,20 +54,20 @@
#define OPENSSL_HEADER_BASE_H
-/* This file should be the first included by all BoringSSL headers. */
+// This file should be the first included by all BoringSSL headers.
#include <stddef.h>
#include <stdint.h>
#include <sys/types.h>
#if defined(__MINGW32__)
-/* stdio.h is needed on MinGW for __MINGW_PRINTF_FORMAT. */
+// stdio.h is needed on MinGW for __MINGW_PRINTF_FORMAT.
#include <stdio.h>
#endif
-/* Include a BoringSSL-only header so consumers including this header without
- * setting up include paths do not accidentally pick up the system
- * opensslconf.h. */
+// Include a BoringSSL-only header so consumers including this header without
+// setting up include paths do not accidentally pick up the system
+// opensslconf.h.
#include <openssl/is_boringssl.h>
#include <openssl/opensslconf.h>
@@ -107,10 +107,10 @@
#elif defined(__myriad2__)
#define OPENSSL_32_BIT
#else
-/* Note BoringSSL only supports standard 32-bit and 64-bit two's-complement,
- * little-endian architectures. Functions will not produce the correct answer
- * on other systems. Run the crypto_test binary, notably
- * crypto/compiler_test.cc, before adding a new architecture. */
+// Note BoringSSL only supports standard 32-bit and 64-bit two's-complement,
+// little-endian architectures. Functions will not produce the correct answer
+// on other systems. Run the crypto_test binary, notably
+// crypto/compiler_test.cc, before adding a new architecture.
#error "Unknown target CPU"
#endif
@@ -136,19 +136,17 @@
#endif
#define OPENSSL_IS_BORINGSSL
-#define BORINGSSL_201512
-#define BORINGSSL_201603
#define OPENSSL_VERSION_NUMBER 0x100020af
#define SSLEAY_VERSION_NUMBER OPENSSL_VERSION_NUMBER
-/* BORINGSSL_API_VERSION is a positive integer that increments as BoringSSL
- * changes over time. The value itself is not meaningful. It will be incremented
- * whenever is convenient to coordinate an API change with consumers. This will
- * not denote any special point in development.
- *
- * A consumer may use this symbol in the preprocessor to temporarily build
- * against multiple revisions of BoringSSL at the same time. It is not
- * recommended to do so for longer than is necessary. */
+// BORINGSSL_API_VERSION is a positive integer that increments as BoringSSL
+// changes over time. The value itself is not meaningful. It will be incremented
+// whenever is convenient to coordinate an API change with consumers. This will
+// not denote any special point in development.
+//
+// A consumer may use this symbol in the preprocessor to temporarily build
+// against multiple revisions of BoringSSL at the same time. It is not
+// recommended to do so for longer than is necessary.
#define BORINGSSL_API_VERSION 4
#if defined(BORINGSSL_SHARED_LIBRARY)
@@ -161,7 +159,7 @@
#define OPENSSL_EXPORT __declspec(dllimport)
#endif
-#else /* defined(OPENSSL_WINDOWS) */
+#else // defined(OPENSSL_WINDOWS)
#if defined(BORINGSSL_IMPLEMENTATION)
#define OPENSSL_EXPORT __attribute__((visibility("default")))
@@ -169,19 +167,19 @@
#define OPENSSL_EXPORT
#endif
-#endif /* defined(OPENSSL_WINDOWS) */
+#endif // defined(OPENSSL_WINDOWS)
-#else /* defined(BORINGSSL_SHARED_LIBRARY) */
+#else // defined(BORINGSSL_SHARED_LIBRARY)
#define OPENSSL_EXPORT
-#endif /* defined(BORINGSSL_SHARED_LIBRARY) */
+#endif // defined(BORINGSSL_SHARED_LIBRARY)
#if defined(__GNUC__)
-/* MinGW has two different printf implementations. Ensure the format macro
- * matches the selected implementation. See
- * https://sourceforge.net/p/mingw-w64/wiki2/gnu%20printf/. */
+// MinGW has two different printf implementations. Ensure the format macro
+// matches the selected implementation. See
+// https://sourceforge.net/p/mingw-w64/wiki2/gnu%20printf/.
#if defined(__MINGW_PRINTF_FORMAT)
#define OPENSSL_PRINTF_FORMAT_FUNC(string_index, first_to_check) \
__attribute__( \
@@ -194,7 +192,7 @@
#define OPENSSL_PRINTF_FORMAT_FUNC(string_index, first_to_check)
#endif
-/* OPENSSL_MSVC_PRAGMA emits a pragma on MSVC and nothing on other compilers. */
+// OPENSSL_MSVC_PRAGMA emits a pragma on MSVC and nothing on other compilers.
#if defined(_MSC_VER)
#define OPENSSL_MSVC_PRAGMA(arg) __pragma(arg)
#else
@@ -221,7 +219,7 @@
#endif
#endif
-/* CRYPTO_THREADID is a dummy value. */
+// CRYPTO_THREADID is a dummy value.
typedef int CRYPTO_THREADID;
typedef int ASN1_BOOLEAN;
@@ -343,7 +341,7 @@
#if defined(__cplusplus)
-} /* extern C */
+} // extern C
#elif !defined(BORINGSSL_NO_CXX)
#define BORINGSSL_NO_CXX
#endif
@@ -443,8 +441,8 @@
} // namespace bssl
-} /* extern C++ */
+} // extern C++
#endif // !BORINGSSL_NO_CXX
-#endif /* OPENSSL_HEADER_BASE_H */
+#endif // OPENSSL_HEADER_BASE_H
diff --git a/src/include/openssl/base64.h b/src/include/openssl/base64.h
index 4bf3888..ef76088 100644
--- a/src/include/openssl/base64.h
+++ b/src/include/openssl/base64.h
@@ -64,124 +64,124 @@
#endif
-/* base64 functions.
- *
- * For historical reasons, these functions have the EVP_ prefix but just do
- * base64 encoding and decoding. */
+// base64 functions.
+//
+// For historical reasons, these functions have the EVP_ prefix but just do
+// base64 encoding and decoding.
-/* Encoding */
+// Encoding
-/* EVP_EncodeBlock encodes |src_len| bytes from |src| and writes the
- * result to |dst| with a trailing NUL. It returns the number of bytes
- * written, not including this trailing NUL. */
+// EVP_EncodeBlock encodes |src_len| bytes from |src| and writes the
+// result to |dst| with a trailing NUL. It returns the number of bytes
+// written, not including this trailing NUL.
OPENSSL_EXPORT size_t EVP_EncodeBlock(uint8_t *dst, const uint8_t *src,
size_t src_len);
-/* EVP_EncodedLength sets |*out_len| to the number of bytes that will be needed
- * to call |EVP_EncodeBlock| on an input of length |len|. This includes the
- * final NUL that |EVP_EncodeBlock| writes. It returns one on success or zero
- * on error. */
+// EVP_EncodedLength sets |*out_len| to the number of bytes that will be needed
+// to call |EVP_EncodeBlock| on an input of length |len|. This includes the
+// final NUL that |EVP_EncodeBlock| writes. It returns one on success or zero
+// on error.
OPENSSL_EXPORT int EVP_EncodedLength(size_t *out_len, size_t len);
-/* Decoding */
+// Decoding
-/* EVP_DecodedLength sets |*out_len| to the maximum number of bytes that will
- * be needed to call |EVP_DecodeBase64| on an input of length |len|. It returns
- * one on success or zero if |len| is not a valid length for a base64-encoded
- * string. */
+// EVP_DecodedLength sets |*out_len| to the maximum number of bytes that will
+// be needed to call |EVP_DecodeBase64| on an input of length |len|. It returns
+// one on success or zero if |len| is not a valid length for a base64-encoded
+// string.
OPENSSL_EXPORT int EVP_DecodedLength(size_t *out_len, size_t len);
-/* EVP_DecodeBase64 decodes |in_len| bytes from base64 and writes
- * |*out_len| bytes to |out|. |max_out| is the size of the output
- * buffer. If it is not enough for the maximum output size, the
- * operation fails. It returns one on success or zero on error. */
+// EVP_DecodeBase64 decodes |in_len| bytes from base64 and writes
+// |*out_len| bytes to |out|. |max_out| is the size of the output
+// buffer. If it is not enough for the maximum output size, the
+// operation fails. It returns one on success or zero on error.
OPENSSL_EXPORT int EVP_DecodeBase64(uint8_t *out, size_t *out_len,
size_t max_out, const uint8_t *in,
size_t in_len);
-/* Deprecated functions.
- *
- * OpenSSL provides a streaming base64 implementation, however its behavior is
- * very specific to PEM. It is also very lenient of invalid input. Use of any of
- * these functions is thus deprecated. */
+// Deprecated functions.
+//
+// OpenSSL provides a streaming base64 implementation, however its behavior is
+// very specific to PEM. It is also very lenient of invalid input. Use of any of
+// these functions is thus deprecated.
-/* EVP_EncodeInit initialises |*ctx|, which is typically stack
- * allocated, for an encoding operation.
- *
- * NOTE: The encoding operation breaks its output with newlines every
- * 64 characters of output (48 characters of input). Use
- * EVP_EncodeBlock to encode raw base64. */
+// EVP_EncodeInit initialises |*ctx|, which is typically stack
+// allocated, for an encoding operation.
+//
+// NOTE: The encoding operation breaks its output with newlines every
+// 64 characters of output (48 characters of input). Use
+// EVP_EncodeBlock to encode raw base64.
OPENSSL_EXPORT void EVP_EncodeInit(EVP_ENCODE_CTX *ctx);
-/* EVP_EncodeUpdate encodes |in_len| bytes from |in| and writes an encoded
- * version of them to |out| and sets |*out_len| to the number of bytes written.
- * Some state may be contained in |ctx| so |EVP_EncodeFinal| must be used to
- * flush it before using the encoded data. */
+// EVP_EncodeUpdate encodes |in_len| bytes from |in| and writes an encoded
+// version of them to |out| and sets |*out_len| to the number of bytes written.
+// Some state may be contained in |ctx| so |EVP_EncodeFinal| must be used to
+// flush it before using the encoded data.
OPENSSL_EXPORT void EVP_EncodeUpdate(EVP_ENCODE_CTX *ctx, uint8_t *out,
int *out_len, const uint8_t *in,
size_t in_len);
-/* EVP_EncodeFinal flushes any remaining output bytes from |ctx| to |out| and
- * sets |*out_len| to the number of bytes written. */
+// EVP_EncodeFinal flushes any remaining output bytes from |ctx| to |out| and
+// sets |*out_len| to the number of bytes written.
OPENSSL_EXPORT void EVP_EncodeFinal(EVP_ENCODE_CTX *ctx, uint8_t *out,
int *out_len);
-/* EVP_DecodeInit initialises |*ctx|, which is typically stack allocated, for
- * a decoding operation.
- *
- * TODO(davidben): This isn't a straight-up base64 decode either. Document
- * and/or fix exactly what's going on here; maximum line length and such. */
+// EVP_DecodeInit initialises |*ctx|, which is typically stack allocated, for
+// a decoding operation.
+//
+// TODO(davidben): This isn't a straight-up base64 decode either. Document
+// and/or fix exactly what's going on here; maximum line length and such.
OPENSSL_EXPORT void EVP_DecodeInit(EVP_ENCODE_CTX *ctx);
-/* EVP_DecodeUpdate decodes |in_len| bytes from |in| and writes the decoded
- * data to |out| and sets |*out_len| to the number of bytes written. Some state
- * may be contained in |ctx| so |EVP_DecodeFinal| must be used to flush it
- * before using the encoded data.
- *
- * It returns -1 on error, one if a full line of input was processed and zero
- * if the line was short (i.e. it was the last line). */
+// EVP_DecodeUpdate decodes |in_len| bytes from |in| and writes the decoded
+// data to |out| and sets |*out_len| to the number of bytes written. Some state
+// may be contained in |ctx| so |EVP_DecodeFinal| must be used to flush it
+// before using the encoded data.
+//
+// It returns -1 on error, one if a full line of input was processed and zero
+// if the line was short (i.e. it was the last line).
OPENSSL_EXPORT int EVP_DecodeUpdate(EVP_ENCODE_CTX *ctx, uint8_t *out,
int *out_len, const uint8_t *in,
size_t in_len);
-/* EVP_DecodeFinal flushes any remaining output bytes from |ctx| to |out| and
- * sets |*out_len| to the number of bytes written. It returns one on success
- * and minus one on error. */
+// EVP_DecodeFinal flushes any remaining output bytes from |ctx| to |out| and
+// sets |*out_len| to the number of bytes written. It returns one on success
+// and minus one on error.
OPENSSL_EXPORT int EVP_DecodeFinal(EVP_ENCODE_CTX *ctx, uint8_t *out,
int *out_len);
-/* EVP_DecodeBlock encodes |src_len| bytes from |src| and writes the result to
- * |dst|. It returns the number of bytes written or -1 on error.
- *
- * WARNING: EVP_DecodeBlock's return value does not take padding into
- * account. It also strips leading whitespace and trailing
- * whitespace and minuses. */
+// EVP_DecodeBlock encodes |src_len| bytes from |src| and writes the result to
+// |dst|. It returns the number of bytes written or -1 on error.
+//
+// WARNING: EVP_DecodeBlock's return value does not take padding into
+// account. It also strips leading whitespace and trailing
+// whitespace and minuses.
OPENSSL_EXPORT int EVP_DecodeBlock(uint8_t *dst, const uint8_t *src,
size_t src_len);
struct evp_encode_ctx_st {
- /* data_used indicates the number of bytes of |data| that are valid. When
- * encoding, |data| will be filled and encoded as a lump. When decoding, only
- * the first four bytes of |data| will be used. */
+ // data_used indicates the number of bytes of |data| that are valid. When
+ // encoding, |data| will be filled and encoded as a lump. When decoding, only
+ // the first four bytes of |data| will be used.
unsigned data_used;
uint8_t data[48];
- /* eof_seen indicates that the end of the base64 data has been seen when
- * decoding. Only whitespace can follow. */
+ // eof_seen indicates that the end of the base64 data has been seen when
+ // decoding. Only whitespace can follow.
char eof_seen;
- /* error_encountered indicates that invalid base64 data was found. This will
- * cause all future calls to fail. */
+ // error_encountered indicates that invalid base64 data was found. This will
+ // cause all future calls to fail.
char error_encountered;
};
#if defined(__cplusplus)
-} /* extern C */
+} // extern C
#endif
-#endif /* OPENSSL_HEADER_BASE64_H */
+#endif // OPENSSL_HEADER_BASE64_H
diff --git a/src/include/openssl/bio.h b/src/include/openssl/bio.h
index 9a80cd5..095ac75 100644
--- a/src/include/openssl/bio.h
+++ b/src/include/openssl/bio.h
@@ -59,10 +59,10 @@
#include <openssl/base.h>
-#include <stdio.h> /* For FILE */
+#include <stdio.h> // For FILE
#include <openssl/buffer.h>
-#include <openssl/err.h> /* for ERR_print_errors_fp */
+#include <openssl/err.h> // for ERR_print_errors_fp
#include <openssl/ex_data.h>
#include <openssl/stack.h>
#include <openssl/thread.h>
@@ -72,494 +72,481 @@
#endif
-/* BIO abstracts over a file-descriptor like interface. */
+// BIO abstracts over a file-descriptor like interface.
-/* Allocation and freeing. */
+// Allocation and freeing.
DEFINE_STACK_OF(BIO)
-/* BIO_new creates a new BIO with the given method and a reference count of one.
- * It returns the fresh |BIO|, or NULL on error. */
+// BIO_new creates a new BIO with the given method and a reference count of one.
+// It returns the fresh |BIO|, or NULL on error.
OPENSSL_EXPORT BIO *BIO_new(const BIO_METHOD *method);
-/* BIO_free decrements the reference count of |bio|. If the reference count
- * drops to zero, it (optionally) calls the BIO's callback with |BIO_CB_FREE|,
- * frees the ex_data and then, if the BIO has a destroy callback for the
- * method, calls it. Finally it frees |bio| itself. It then repeats that for
- * the next BIO in the chain, if any.
- *
- * It returns one on success or zero otherwise. */
+// BIO_free decrements the reference count of |bio|. If the reference count
+// drops to zero, it calls the destroy callback, if present, on the method and
+// frees |bio| itself. It then repeats that for the next BIO in the chain, if
+// any.
+//
+// It returns one on success or zero otherwise.
OPENSSL_EXPORT int BIO_free(BIO *bio);
-/* BIO_vfree performs the same actions as |BIO_free|, but has a void return
- * value. This is provided for API-compat.
- *
- * TODO(fork): remove. */
+// BIO_vfree performs the same actions as |BIO_free|, but has a void return
+// value. This is provided for API-compat.
+//
+// TODO(fork): remove.
OPENSSL_EXPORT void BIO_vfree(BIO *bio);
-/* BIO_up_ref increments the reference count of |bio| and returns one. */
+// BIO_up_ref increments the reference count of |bio| and returns one.
OPENSSL_EXPORT int BIO_up_ref(BIO *bio);
-/* Basic I/O. */
+// Basic I/O.
-/* BIO_read attempts to read |len| bytes into |data|. It returns the number of
- * bytes read, zero on EOF, or a negative number on error. */
+// BIO_read attempts to read |len| bytes into |data|. It returns the number of
+// bytes read, zero on EOF, or a negative number on error.
OPENSSL_EXPORT int BIO_read(BIO *bio, void *data, int len);
-/* BIO_gets "reads a line" from |bio| and puts at most |size| bytes into |buf|.
- * It returns the number of bytes read or a negative number on error. The
- * phrase "reads a line" is in quotes in the previous sentence because the
- * exact operation depends on the BIO's method. For example, a digest BIO will
- * return the digest in response to a |BIO_gets| call.
- *
- * TODO(fork): audit the set of BIOs that we end up needing. If all actually
- * return a line for this call, remove the warning above. */
+// BIO_gets "reads a line" from |bio| and puts at most |size| bytes into |buf|.
+// It returns the number of bytes read or a negative number on error. The
+// phrase "reads a line" is in quotes in the previous sentence because the
+// exact operation depends on the BIO's method. For example, a digest BIO will
+// return the digest in response to a |BIO_gets| call.
+//
+// TODO(fork): audit the set of BIOs that we end up needing. If all actually
+// return a line for this call, remove the warning above.
OPENSSL_EXPORT int BIO_gets(BIO *bio, char *buf, int size);
-/* BIO_write writes |len| bytes from |data| to BIO. It returns the number of
- * bytes written or a negative number on error. */
+// BIO_write writes |len| bytes from |data| to BIO. It returns the number of
+// bytes written or a negative number on error.
OPENSSL_EXPORT int BIO_write(BIO *bio, const void *data, int len);
-/* BIO_puts writes a NUL terminated string from |buf| to |bio|. It returns the
- * number of bytes written or a negative number on error. */
+// BIO_puts writes a NUL terminated string from |buf| to |bio|. It returns the
+// number of bytes written or a negative number on error.
OPENSSL_EXPORT int BIO_puts(BIO *bio, const char *buf);
-/* BIO_flush flushes any buffered output. It returns one on success and zero
- * otherwise. */
+// BIO_flush flushes any buffered output. It returns one on success and zero
+// otherwise.
OPENSSL_EXPORT int BIO_flush(BIO *bio);
-/* Low-level control functions.
- *
- * These are generic functions for sending control requests to a BIO. In
- * general one should use the wrapper functions like |BIO_get_close|. */
+// Low-level control functions.
+//
+// These are generic functions for sending control requests to a BIO. In
+// general one should use the wrapper functions like |BIO_get_close|.
-/* BIO_ctrl sends the control request |cmd| to |bio|. The |cmd| argument should
- * be one of the |BIO_C_*| values. */
+// BIO_ctrl sends the control request |cmd| to |bio|. The |cmd| argument should
+// be one of the |BIO_C_*| values.
OPENSSL_EXPORT long BIO_ctrl(BIO *bio, int cmd, long larg, void *parg);
-/* BIO_ptr_ctrl acts like |BIO_ctrl| but passes the address of a |void*|
- * pointer as |parg| and returns the value that is written to it, or NULL if
- * the control request returns <= 0. */
+// BIO_ptr_ctrl acts like |BIO_ctrl| but passes the address of a |void*|
+// pointer as |parg| and returns the value that is written to it, or NULL if
+// the control request returns <= 0.
OPENSSL_EXPORT char *BIO_ptr_ctrl(BIO *bp, int cmd, long larg);
-/* BIO_int_ctrl acts like |BIO_ctrl| but passes the address of a copy of |iarg|
- * as |parg|. */
+// BIO_int_ctrl acts like |BIO_ctrl| but passes the address of a copy of |iarg|
+// as |parg|.
OPENSSL_EXPORT long BIO_int_ctrl(BIO *bp, int cmd, long larg, int iarg);
-/* BIO_reset resets |bio| to its initial state, the precise meaning of which
- * depends on the concrete type of |bio|. It returns one on success and zero
- * otherwise. */
+// BIO_reset resets |bio| to its initial state, the precise meaning of which
+// depends on the concrete type of |bio|. It returns one on success and zero
+// otherwise.
OPENSSL_EXPORT int BIO_reset(BIO *bio);
-/* BIO_eof returns non-zero when |bio| has reached end-of-file. The precise
- * meaning of which depends on the concrete type of |bio|. Note that in the
- * case of BIO_pair this always returns non-zero. */
+// BIO_eof returns non-zero when |bio| has reached end-of-file. The precise
+// meaning of which depends on the concrete type of |bio|. Note that in the
+// case of BIO_pair this always returns non-zero.
OPENSSL_EXPORT int BIO_eof(BIO *bio);
-/* BIO_set_flags ORs |flags| with |bio->flags|. */
+// BIO_set_flags ORs |flags| with |bio->flags|.
OPENSSL_EXPORT void BIO_set_flags(BIO *bio, int flags);
-/* BIO_test_flags returns |bio->flags| AND |flags|. */
+// BIO_test_flags returns |bio->flags| AND |flags|.
OPENSSL_EXPORT int BIO_test_flags(const BIO *bio, int flags);
-/* BIO_should_read returns non-zero if |bio| encountered a temporary error
- * while reading (i.e. EAGAIN), indicating that the caller should retry the
- * read. */
+// BIO_should_read returns non-zero if |bio| encountered a temporary error
+// while reading (i.e. EAGAIN), indicating that the caller should retry the
+// read.
OPENSSL_EXPORT int BIO_should_read(const BIO *bio);
-/* BIO_should_write returns non-zero if |bio| encountered a temporary error
- * while writing (i.e. EAGAIN), indicating that the caller should retry the
- * write. */
+// BIO_should_write returns non-zero if |bio| encountered a temporary error
+// while writing (i.e. EAGAIN), indicating that the caller should retry the
+// write.
OPENSSL_EXPORT int BIO_should_write(const BIO *bio);
-/* BIO_should_retry returns non-zero if the reason that caused a failed I/O
- * operation is temporary and thus the operation should be retried. Otherwise,
- * it was a permanent error and it returns zero. */
+// BIO_should_retry returns non-zero if the reason that caused a failed I/O
+// operation is temporary and thus the operation should be retried. Otherwise,
+// it was a permanent error and it returns zero.
OPENSSL_EXPORT int BIO_should_retry(const BIO *bio);
-/* BIO_should_io_special returns non-zero if |bio| encountered a temporary
- * error while performing a special I/O operation, indicating that the caller
- * should retry. The operation that caused the error is returned by
- * |BIO_get_retry_reason|. */
+// BIO_should_io_special returns non-zero if |bio| encountered a temporary
+// error while performing a special I/O operation, indicating that the caller
+// should retry. The operation that caused the error is returned by
+// |BIO_get_retry_reason|.
OPENSSL_EXPORT int BIO_should_io_special(const BIO *bio);
-/* BIO_RR_CONNECT indicates that a connect would have blocked */
+// BIO_RR_CONNECT indicates that a connect would have blocked
#define BIO_RR_CONNECT 0x02
-/* BIO_RR_ACCEPT indicates that an accept would have blocked */
+// BIO_RR_ACCEPT indicates that an accept would have blocked
#define BIO_RR_ACCEPT 0x03
-/* BIO_get_retry_reason returns the special I/O operation that needs to be
- * retried. The return value is one of the |BIO_RR_*| values. */
+// BIO_get_retry_reason returns the special I/O operation that needs to be
+// retried. The return value is one of the |BIO_RR_*| values.
OPENSSL_EXPORT int BIO_get_retry_reason(const BIO *bio);
-/* BIO_clear_flags ANDs |bio->flags| with the bitwise-complement of |flags|. */
+// BIO_clear_flags ANDs |bio->flags| with the bitwise-complement of |flags|.
OPENSSL_EXPORT void BIO_clear_flags(BIO *bio, int flags);
-/* BIO_set_retry_read sets the |BIO_FLAGS_READ| and |BIO_FLAGS_SHOULD_RETRY|
- * flags on |bio|. */
+// BIO_set_retry_read sets the |BIO_FLAGS_READ| and |BIO_FLAGS_SHOULD_RETRY|
+// flags on |bio|.
OPENSSL_EXPORT void BIO_set_retry_read(BIO *bio);
-/* BIO_set_retry_write sets the |BIO_FLAGS_WRITE| and |BIO_FLAGS_SHOULD_RETRY|
- * flags on |bio|. */
+// BIO_set_retry_write sets the |BIO_FLAGS_WRITE| and |BIO_FLAGS_SHOULD_RETRY|
+// flags on |bio|.
OPENSSL_EXPORT void BIO_set_retry_write(BIO *bio);
-/* BIO_get_retry_flags gets the |BIO_FLAGS_READ|, |BIO_FLAGS_WRITE|,
- * |BIO_FLAGS_IO_SPECIAL| and |BIO_FLAGS_SHOULD_RETRY| flags from |bio|. */
+// BIO_get_retry_flags gets the |BIO_FLAGS_READ|, |BIO_FLAGS_WRITE|,
+// |BIO_FLAGS_IO_SPECIAL| and |BIO_FLAGS_SHOULD_RETRY| flags from |bio|.
OPENSSL_EXPORT int BIO_get_retry_flags(BIO *bio);
-/* BIO_clear_retry_flags clears the |BIO_FLAGS_READ|, |BIO_FLAGS_WRITE|,
- * |BIO_FLAGS_IO_SPECIAL| and |BIO_FLAGS_SHOULD_RETRY| flags from |bio|. */
+// BIO_clear_retry_flags clears the |BIO_FLAGS_READ|, |BIO_FLAGS_WRITE|,
+// |BIO_FLAGS_IO_SPECIAL| and |BIO_FLAGS_SHOULD_RETRY| flags from |bio|.
OPENSSL_EXPORT void BIO_clear_retry_flags(BIO *bio);
-/* BIO_method_type returns the type of |bio|, which is one of the |BIO_TYPE_*|
- * values. */
+// BIO_method_type returns the type of |bio|, which is one of the |BIO_TYPE_*|
+// values.
OPENSSL_EXPORT int BIO_method_type(const BIO *bio);
-/* bio_info_cb is the type of a callback function that can be called for most
- * BIO operations. The |event| argument is one of |BIO_CB_*| and can be ORed
- * with |BIO_CB_RETURN| if the callback is being made after the operation in
- * question. In that case, |return_value| will contain the return value from
- * the operation. */
+// bio_info_cb is the type of a callback function that can be called for most
+// BIO operations. The |event| argument is one of |BIO_CB_*| and can be ORed
+// with |BIO_CB_RETURN| if the callback is being made after the operation in
+// question. In that case, |return_value| will contain the return value from
+// the operation.
typedef long (*bio_info_cb)(BIO *bio, int event, const char *parg, int cmd,
long larg, long return_value);
-/* BIO_callback_ctrl allows the callback function to be manipulated. The |cmd|
- * arg will generally be |BIO_CTRL_SET_CALLBACK| but arbitrary command values
- * can be interpreted by the |BIO|. */
+// BIO_callback_ctrl allows the callback function to be manipulated. The |cmd|
+// arg will generally be |BIO_CTRL_SET_CALLBACK| but arbitrary command values
+// can be interpreted by the |BIO|.
OPENSSL_EXPORT long BIO_callback_ctrl(BIO *bio, int cmd, bio_info_cb fp);
-/* BIO_pending returns the number of bytes pending to be read. */
+// BIO_pending returns the number of bytes pending to be read.
OPENSSL_EXPORT size_t BIO_pending(const BIO *bio);
-/* BIO_ctrl_pending calls |BIO_pending| and exists only for compatibility with
- * OpenSSL. */
+// BIO_ctrl_pending calls |BIO_pending| and exists only for compatibility with
+// OpenSSL.
OPENSSL_EXPORT size_t BIO_ctrl_pending(const BIO *bio);
-/* BIO_wpending returns the number of bytes pending to be written. */
+// BIO_wpending returns the number of bytes pending to be written.
OPENSSL_EXPORT size_t BIO_wpending(const BIO *bio);
-/* BIO_set_close sets the close flag for |bio|. The meaning of which depends on
- * the type of |bio| but, for example, a memory BIO interprets the close flag
- * as meaning that it owns its buffer. It returns one on success and zero
- * otherwise. */
+// BIO_set_close sets the close flag for |bio|. The meaning of which depends on
+// the type of |bio| but, for example, a memory BIO interprets the close flag
+// as meaning that it owns its buffer. It returns one on success and zero
+// otherwise.
OPENSSL_EXPORT int BIO_set_close(BIO *bio, int close_flag);
-/* BIO_set_callback sets a callback function that will be called before and
- * after most operations. See the comment above |bio_info_cb|. */
-OPENSSL_EXPORT void BIO_set_callback(BIO *bio, bio_info_cb callback_func);
-
-/* BIO_set_callback_arg sets the opaque pointer value that can be read within a
- * callback with |BIO_get_callback_arg|. */
-OPENSSL_EXPORT void BIO_set_callback_arg(BIO *bio, char *arg);
-
-/* BIO_get_callback_arg returns the last value of the opaque callback pointer
- * set by |BIO_set_callback_arg|. */
-OPENSSL_EXPORT char *BIO_get_callback_arg(const BIO *bio);
-
-/* BIO_number_read returns the number of bytes that have been read from
- * |bio|. */
+// BIO_number_read returns the number of bytes that have been read from
+// |bio|.
OPENSSL_EXPORT size_t BIO_number_read(const BIO *bio);
-/* BIO_number_written returns the number of bytes that have been written to
- * |bio|. */
+// BIO_number_written returns the number of bytes that have been written to
+// |bio|.
OPENSSL_EXPORT size_t BIO_number_written(const BIO *bio);
-/* Managing chains of BIOs.
- *
- * BIOs can be put into chains where the output of one is used as the input of
- * the next etc. The most common case is a buffering BIO, which accepts and
- * buffers writes until flushed into the next BIO in the chain. */
+// Managing chains of BIOs.
+//
+// BIOs can be put into chains where the output of one is used as the input of
+// the next etc. The most common case is a buffering BIO, which accepts and
+// buffers writes until flushed into the next BIO in the chain.
-/* BIO_push adds |appended_bio| to the end of the chain with |bio| at the head.
- * It returns |bio|. Note that |appended_bio| may be the head of a chain itself
- * and thus this function can be used to join two chains.
- *
- * BIO_push takes ownership of the caller's reference to |appended_bio|. */
+// BIO_push adds |appended_bio| to the end of the chain with |bio| at the head.
+// It returns |bio|. Note that |appended_bio| may be the head of a chain itself
+// and thus this function can be used to join two chains.
+//
+// BIO_push takes ownership of the caller's reference to |appended_bio|.
OPENSSL_EXPORT BIO *BIO_push(BIO *bio, BIO *appended_bio);
-/* BIO_pop removes |bio| from the head of a chain and returns the next BIO in
- * the chain, or NULL if there is no next BIO.
- *
- * The caller takes ownership of the chain's reference to |bio|. */
+// BIO_pop removes |bio| from the head of a chain and returns the next BIO in
+// the chain, or NULL if there is no next BIO.
+//
+// The caller takes ownership of the chain's reference to |bio|.
OPENSSL_EXPORT BIO *BIO_pop(BIO *bio);
-/* BIO_next returns the next BIO in the chain after |bio|, or NULL if there is
- * no such BIO. */
+// BIO_next returns the next BIO in the chain after |bio|, or NULL if there is
+// no such BIO.
OPENSSL_EXPORT BIO *BIO_next(BIO *bio);
-/* BIO_free_all calls |BIO_free|.
- *
- * TODO(fork): update callers and remove. */
+// BIO_free_all calls |BIO_free|.
+//
+// TODO(fork): update callers and remove.
OPENSSL_EXPORT void BIO_free_all(BIO *bio);
-/* BIO_find_type walks a chain of BIOs and returns the first that matches
- * |type|, which is one of the |BIO_TYPE_*| values. */
+// BIO_find_type walks a chain of BIOs and returns the first that matches
+// |type|, which is one of the |BIO_TYPE_*| values.
OPENSSL_EXPORT BIO *BIO_find_type(BIO *bio, int type);
-/* BIO_copy_next_retry sets the retry flags and |retry_reason| of |bio| from
- * the next BIO in the chain. */
+// BIO_copy_next_retry sets the retry flags and |retry_reason| of |bio| from
+// the next BIO in the chain.
OPENSSL_EXPORT void BIO_copy_next_retry(BIO *bio);
-/* Printf functions. */
+// Printf functions.
-/* BIO_printf behaves like |printf| but outputs to |bio| rather than a |FILE|.
- * It returns the number of bytes written or a negative number on error. */
+// BIO_printf behaves like |printf| but outputs to |bio| rather than a |FILE|.
+// It returns the number of bytes written or a negative number on error.
OPENSSL_EXPORT int BIO_printf(BIO *bio, const char *format, ...)
OPENSSL_PRINTF_FORMAT_FUNC(2, 3);
-/* Utility functions. */
+// Utility functions.
-/* BIO_indent prints min(|indent|, |max_indent|) spaces. It returns one on
- * success and zero otherwise. */
+// BIO_indent prints min(|indent|, |max_indent|) spaces. It returns one on
+// success and zero otherwise.
OPENSSL_EXPORT int BIO_indent(BIO *bio, unsigned indent, unsigned max_indent);
-/* BIO_hexdump writes a hex dump of |data| to |bio|. Each line will be indented
- * by |indent| spaces. */
+// BIO_hexdump writes a hex dump of |data| to |bio|. Each line will be indented
+// by |indent| spaces.
OPENSSL_EXPORT int BIO_hexdump(BIO *bio, const uint8_t *data, size_t len,
unsigned indent);
-/* ERR_print_errors prints the current contents of the error stack to |bio|
- * using human readable strings where possible. */
+// ERR_print_errors prints the current contents of the error stack to |bio|
+// using human readable strings where possible.
OPENSSL_EXPORT void ERR_print_errors(BIO *bio);
-/* BIO_read_asn1 reads a single ASN.1 object from |bio|. If successful it sets
- * |*out| to be an allocated buffer (that should be freed with |OPENSSL_free|),
- * |*out_size| to the length, in bytes, of that buffer and returns one.
- * Otherwise it returns zero.
- *
- * If the length of the object is greater than |max_len| or 2^32 then the
- * function will fail. Long-form tags are not supported. If the length of the
- * object is indefinite the full contents of |bio| are read, unless it would be
- * greater than |max_len|, in which case the function fails.
- *
- * If the function fails then some unknown amount of data may have been read
- * from |bio|. */
+// BIO_read_asn1 reads a single ASN.1 object from |bio|. If successful it sets
+// |*out| to be an allocated buffer (that should be freed with |OPENSSL_free|),
+// |*out_size| to the length, in bytes, of that buffer and returns one.
+// Otherwise it returns zero.
+//
+// If the length of the object is greater than |max_len| or 2^32 then the
+// function will fail. Long-form tags are not supported. If the length of the
+// object is indefinite the full contents of |bio| are read, unless it would be
+// greater than |max_len|, in which case the function fails.
+//
+// If the function fails then some unknown amount of data may have been read
+// from |bio|.
OPENSSL_EXPORT int BIO_read_asn1(BIO *bio, uint8_t **out, size_t *out_len,
size_t max_len);
-/* Memory BIOs.
- *
- * Memory BIOs can be used as a read-only source (with |BIO_new_mem_buf|) or a
- * writable sink (with |BIO_new|, |BIO_s_mem| and |BIO_get_mem_buf|). Data
- * written to a writable, memory BIO can be recalled by reading from it.
- *
- * Calling |BIO_reset| on a read-only BIO resets it to the original contents.
- * On a writable BIO, it clears any data.
- *
- * If the close flag is set to |BIO_NOCLOSE| (not the default) then the
- * underlying |BUF_MEM| will not be freed when the |BIO| is freed.
- *
- * Memory BIOs support |BIO_gets| and |BIO_puts|.
- *
- * |BIO_ctrl_pending| returns the number of bytes currently stored. */
+// Memory BIOs.
+//
+// Memory BIOs can be used as a read-only source (with |BIO_new_mem_buf|) or a
+// writable sink (with |BIO_new|, |BIO_s_mem| and |BIO_get_mem_buf|). Data
+// written to a writable, memory BIO can be recalled by reading from it.
+//
+// Calling |BIO_reset| on a read-only BIO resets it to the original contents.
+// On a writable BIO, it clears any data.
+//
+// If the close flag is set to |BIO_NOCLOSE| (not the default) then the
+// underlying |BUF_MEM| will not be freed when the |BIO| is freed.
+//
+// Memory BIOs support |BIO_gets| and |BIO_puts|.
+//
+// |BIO_ctrl_pending| returns the number of bytes currently stored.
-/* BIO_s_mem returns a |BIO_METHOD| that uses a in-memory buffer. */
+// BIO_s_mem returns a |BIO_METHOD| that uses a in-memory buffer.
OPENSSL_EXPORT const BIO_METHOD *BIO_s_mem(void);
-/* BIO_new_mem_buf creates read-only BIO that reads from |len| bytes at |buf|.
- * It does not take ownership of |buf|. It returns the BIO or NULL on error.
- *
- * If |len| is negative, then |buf| is treated as a NUL-terminated string, but
- * don't depend on this in new code. */
+// BIO_new_mem_buf creates read-only BIO that reads from |len| bytes at |buf|.
+// It does not take ownership of |buf|. It returns the BIO or NULL on error.
+//
+// If |len| is negative, then |buf| is treated as a NUL-terminated string, but
+// don't depend on this in new code.
OPENSSL_EXPORT BIO *BIO_new_mem_buf(const void *buf, int len);
-/* BIO_mem_contents sets |*out_contents| to point to the current contents of
- * |bio| and |*out_len| to contain the length of that data. It returns one on
- * success and zero otherwise. */
+// BIO_mem_contents sets |*out_contents| to point to the current contents of
+// |bio| and |*out_len| to contain the length of that data. It returns one on
+// success and zero otherwise.
OPENSSL_EXPORT int BIO_mem_contents(const BIO *bio,
const uint8_t **out_contents,
size_t *out_len);
-/* BIO_get_mem_data sets |*contents| to point to the current contents of |bio|
- * and returns the length of the data.
- *
- * WARNING: don't use this, use |BIO_mem_contents|. A return value of zero from
- * this function can mean either that it failed or that the memory buffer is
- * empty. */
+// BIO_get_mem_data sets |*contents| to point to the current contents of |bio|
+// and returns the length of the data.
+//
+// WARNING: don't use this, use |BIO_mem_contents|. A return value of zero from
+// this function can mean either that it failed or that the memory buffer is
+// empty.
OPENSSL_EXPORT long BIO_get_mem_data(BIO *bio, char **contents);
-/* BIO_get_mem_ptr sets |*out| to a BUF_MEM containing the current contents of
- * |bio|. It returns one on success or zero on error. */
+// BIO_get_mem_ptr sets |*out| to a BUF_MEM containing the current contents of
+// |bio|. It returns one on success or zero on error.
OPENSSL_EXPORT int BIO_get_mem_ptr(BIO *bio, BUF_MEM **out);
-/* BIO_set_mem_buf sets |b| as the contents of |bio|. If |take_ownership| is
- * non-zero, then |b| will be freed when |bio| is closed. Returns one on
- * success or zero otherwise. */
+// BIO_set_mem_buf sets |b| as the contents of |bio|. If |take_ownership| is
+// non-zero, then |b| will be freed when |bio| is closed. Returns one on
+// success or zero otherwise.
OPENSSL_EXPORT int BIO_set_mem_buf(BIO *bio, BUF_MEM *b, int take_ownership);
-/* BIO_set_mem_eof_return sets the value that will be returned from reading
- * |bio| when empty. If |eof_value| is zero then an empty memory BIO will
- * return EOF (that is it will return zero and |BIO_should_retry| will be
- * false). If |eof_value| is non zero then it will return |eof_value| when it
- * is empty and it will set the read retry flag (that is |BIO_read_retry| is
- * true). To avoid ambiguity with a normal positive return value, |eof_value|
- * should be set to a negative value, typically -1.
- *
- * For a read-only BIO, the default is zero (EOF). For a writable BIO, the
- * default is -1 so that additional data can be written once exhausted. */
+// BIO_set_mem_eof_return sets the value that will be returned from reading
+// |bio| when empty. If |eof_value| is zero then an empty memory BIO will
+// return EOF (that is it will return zero and |BIO_should_retry| will be
+// false). If |eof_value| is non zero then it will return |eof_value| when it
+// is empty and it will set the read retry flag (that is |BIO_read_retry| is
+// true). To avoid ambiguity with a normal positive return value, |eof_value|
+// should be set to a negative value, typically -1.
+//
+// For a read-only BIO, the default is zero (EOF). For a writable BIO, the
+// default is -1 so that additional data can be written once exhausted.
OPENSSL_EXPORT int BIO_set_mem_eof_return(BIO *bio, int eof_value);
-/* File descriptor BIOs.
- *
- * File descriptor BIOs are wrappers around the system's |read| and |write|
- * functions. If the close flag is set then then |close| is called on the
- * underlying file descriptor when the BIO is freed.
- *
- * |BIO_reset| attempts to seek the file pointer to the start of file using
- * |lseek|. */
+// File descriptor BIOs.
+//
+// File descriptor BIOs are wrappers around the system's |read| and |write|
+// functions. If the close flag is set then then |close| is called on the
+// underlying file descriptor when the BIO is freed.
+//
+// |BIO_reset| attempts to seek the file pointer to the start of file using
+// |lseek|.
-/* BIO_s_fd returns a |BIO_METHOD| for file descriptor fds. */
+// BIO_s_fd returns a |BIO_METHOD| for file descriptor fds.
OPENSSL_EXPORT const BIO_METHOD *BIO_s_fd(void);
-/* BIO_new_fd creates a new file descriptor BIO wrapping |fd|. If |close_flag|
- * is non-zero, then |fd| will be closed when the BIO is. */
+// BIO_new_fd creates a new file descriptor BIO wrapping |fd|. If |close_flag|
+// is non-zero, then |fd| will be closed when the BIO is.
OPENSSL_EXPORT BIO *BIO_new_fd(int fd, int close_flag);
-/* BIO_set_fd sets the file descriptor of |bio| to |fd|. If |close_flag| is
- * non-zero then |fd| will be closed when |bio| is. It returns one on success
- * or zero on error.
- *
- * This function may also be used with socket BIOs (see |BIO_s_socket| and
- * |BIO_new_socket|). */
+// BIO_set_fd sets the file descriptor of |bio| to |fd|. If |close_flag| is
+// non-zero then |fd| will be closed when |bio| is. It returns one on success
+// or zero on error.
+//
+// This function may also be used with socket BIOs (see |BIO_s_socket| and
+// |BIO_new_socket|).
OPENSSL_EXPORT int BIO_set_fd(BIO *bio, int fd, int close_flag);
-/* BIO_get_fd returns the file descriptor currently in use by |bio| or -1 if
- * |bio| does not wrap a file descriptor. If there is a file descriptor and
- * |out_fd| is not NULL, it also sets |*out_fd| to the file descriptor.
- *
- * This function may also be used with socket BIOs (see |BIO_s_socket| and
- * |BIO_new_socket|). */
+// BIO_get_fd returns the file descriptor currently in use by |bio| or -1 if
+// |bio| does not wrap a file descriptor. If there is a file descriptor and
+// |out_fd| is not NULL, it also sets |*out_fd| to the file descriptor.
+//
+// This function may also be used with socket BIOs (see |BIO_s_socket| and
+// |BIO_new_socket|).
OPENSSL_EXPORT int BIO_get_fd(BIO *bio, int *out_fd);
-/* File BIOs.
- *
- * File BIOs are wrappers around a C |FILE| object.
- *
- * |BIO_flush| on a file BIO calls |fflush| on the wrapped stream.
- *
- * |BIO_reset| attempts to seek the file pointer to the start of file using
- * |fseek|.
- *
- * Setting the close flag causes |fclose| to be called on the stream when the
- * BIO is freed. */
+// File BIOs.
+//
+// File BIOs are wrappers around a C |FILE| object.
+//
+// |BIO_flush| on a file BIO calls |fflush| on the wrapped stream.
+//
+// |BIO_reset| attempts to seek the file pointer to the start of file using
+// |fseek|.
+//
+// Setting the close flag causes |fclose| to be called on the stream when the
+// BIO is freed.
-/* BIO_s_file returns a BIO_METHOD that wraps a |FILE|. */
+// BIO_s_file returns a BIO_METHOD that wraps a |FILE|.
OPENSSL_EXPORT const BIO_METHOD *BIO_s_file(void);
-/* BIO_new_file creates a file BIO by opening |filename| with the given mode.
- * See the |fopen| manual page for details of the mode argument. */
+// BIO_new_file creates a file BIO by opening |filename| with the given mode.
+// See the |fopen| manual page for details of the mode argument.
OPENSSL_EXPORT BIO *BIO_new_file(const char *filename, const char *mode);
-/* BIO_new_fp creates a new file BIO that wraps the given |FILE|. If
- * |close_flag| is |BIO_CLOSE|, then |fclose| will be called on |stream| when
- * the BIO is closed. */
+// BIO_new_fp creates a new file BIO that wraps the given |FILE|. If
+// |close_flag| is |BIO_CLOSE|, then |fclose| will be called on |stream| when
+// the BIO is closed.
OPENSSL_EXPORT BIO *BIO_new_fp(FILE *stream, int close_flag);
-/* BIO_get_fp sets |*out_file| to the current |FILE| for |bio|. It returns one
- * on success and zero otherwise. */
+// BIO_get_fp sets |*out_file| to the current |FILE| for |bio|. It returns one
+// on success and zero otherwise.
OPENSSL_EXPORT int BIO_get_fp(BIO *bio, FILE **out_file);
-/* BIO_set_fp sets the |FILE| for |bio|. If |close_flag| is |BIO_CLOSE| then
- * |fclose| will be called on |file| when |bio| is closed. It returns one on
- * success and zero otherwise. */
+// BIO_set_fp sets the |FILE| for |bio|. If |close_flag| is |BIO_CLOSE| then
+// |fclose| will be called on |file| when |bio| is closed. It returns one on
+// success and zero otherwise.
OPENSSL_EXPORT int BIO_set_fp(BIO *bio, FILE *file, int close_flag);
-/* BIO_read_filename opens |filename| for reading and sets the result as the
- * |FILE| for |bio|. It returns one on success and zero otherwise. The |FILE|
- * will be closed when |bio| is freed. */
+// BIO_read_filename opens |filename| for reading and sets the result as the
+// |FILE| for |bio|. It returns one on success and zero otherwise. The |FILE|
+// will be closed when |bio| is freed.
OPENSSL_EXPORT int BIO_read_filename(BIO *bio, const char *filename);
-/* BIO_write_filename opens |filename| for writing and sets the result as the
- * |FILE| for |bio|. It returns one on success and zero otherwise. The |FILE|
- * will be closed when |bio| is freed. */
+// BIO_write_filename opens |filename| for writing and sets the result as the
+// |FILE| for |bio|. It returns one on success and zero otherwise. The |FILE|
+// will be closed when |bio| is freed.
OPENSSL_EXPORT int BIO_write_filename(BIO *bio, const char *filename);
-/* BIO_append_filename opens |filename| for appending and sets the result as
- * the |FILE| for |bio|. It returns one on success and zero otherwise. The
- * |FILE| will be closed when |bio| is freed. */
+// BIO_append_filename opens |filename| for appending and sets the result as
+// the |FILE| for |bio|. It returns one on success and zero otherwise. The
+// |FILE| will be closed when |bio| is freed.
OPENSSL_EXPORT int BIO_append_filename(BIO *bio, const char *filename);
-/* BIO_rw_filename opens |filename| for reading and writing and sets the result
- * as the |FILE| for |bio|. It returns one on success and zero otherwise. The
- * |FILE| will be closed when |bio| is freed. */
+// BIO_rw_filename opens |filename| for reading and writing and sets the result
+// as the |FILE| for |bio|. It returns one on success and zero otherwise. The
+// |FILE| will be closed when |bio| is freed.
OPENSSL_EXPORT int BIO_rw_filename(BIO *bio, const char *filename);
-/* Socket BIOs.
- *
- * Socket BIOs behave like file descriptor BIOs but, on Windows systems, wrap
- * the system's |recv| and |send| functions instead of |read| and |write|. On
- * Windows, file descriptors are provided by C runtime and are not
- * interchangeable with sockets.
- *
- * Socket BIOs may be used with |BIO_set_fd| and |BIO_get_fd|.
- *
- * TODO(davidben): Add separate APIs and fix the internals to use |SOCKET|s
- * around rather than rely on int casts. */
+// Socket BIOs.
+//
+// Socket BIOs behave like file descriptor BIOs but, on Windows systems, wrap
+// the system's |recv| and |send| functions instead of |read| and |write|. On
+// Windows, file descriptors are provided by C runtime and are not
+// interchangeable with sockets.
+//
+// Socket BIOs may be used with |BIO_set_fd| and |BIO_get_fd|.
+//
+// TODO(davidben): Add separate APIs and fix the internals to use |SOCKET|s
+// around rather than rely on int casts.
OPENSSL_EXPORT const BIO_METHOD *BIO_s_socket(void);
-/* BIO_new_socket allocates and initialises a fresh BIO which will read and
- * write to the socket |fd|. If |close_flag| is |BIO_CLOSE| then closing the
- * BIO will close |fd|. It returns the fresh |BIO| or NULL on error. */
+// BIO_new_socket allocates and initialises a fresh BIO which will read and
+// write to the socket |fd|. If |close_flag| is |BIO_CLOSE| then closing the
+// BIO will close |fd|. It returns the fresh |BIO| or NULL on error.
OPENSSL_EXPORT BIO *BIO_new_socket(int fd, int close_flag);
-/* Connect BIOs.
- *
- * A connection BIO creates a network connection and transfers data over the
- * resulting socket. */
+// Connect BIOs.
+//
+// A connection BIO creates a network connection and transfers data over the
+// resulting socket.
OPENSSL_EXPORT const BIO_METHOD *BIO_s_connect(void);
-/* BIO_new_connect returns a BIO that connects to the given hostname and port.
- * The |host_and_optional_port| argument should be of the form
- * "www.example.com" or "www.example.com:443". If the port is omitted, it must
- * be provided with |BIO_set_conn_port|.
- *
- * It returns the new BIO on success, or NULL on error. */
+// BIO_new_connect returns a BIO that connects to the given hostname and port.
+// The |host_and_optional_port| argument should be of the form
+// "www.example.com" or "www.example.com:443". If the port is omitted, it must
+// be provided with |BIO_set_conn_port|.
+//
+// It returns the new BIO on success, or NULL on error.
OPENSSL_EXPORT BIO *BIO_new_connect(const char *host_and_optional_port);
-/* BIO_set_conn_hostname sets |host_and_optional_port| as the hostname and
- * optional port that |bio| will connect to. If the port is omitted, it must be
- * provided with |BIO_set_conn_port|.
- *
- * It returns one on success and zero otherwise. */
+// BIO_set_conn_hostname sets |host_and_optional_port| as the hostname and
+// optional port that |bio| will connect to. If the port is omitted, it must be
+// provided with |BIO_set_conn_port|.
+//
+// It returns one on success and zero otherwise.
OPENSSL_EXPORT int BIO_set_conn_hostname(BIO *bio,
const char *host_and_optional_port);
-/* BIO_set_conn_port sets |port_str| as the port or service name that |bio|
- * will connect to. It returns one on success and zero otherwise. */
+// BIO_set_conn_port sets |port_str| as the port or service name that |bio|
+// will connect to. It returns one on success and zero otherwise.
OPENSSL_EXPORT int BIO_set_conn_port(BIO *bio, const char *port_str);
-/* BIO_set_conn_int_port sets |*port| as the port that |bio| will connect to.
- * It returns one on success and zero otherwise. */
+// BIO_set_conn_int_port sets |*port| as the port that |bio| will connect to.
+// It returns one on success and zero otherwise.
OPENSSL_EXPORT int BIO_set_conn_int_port(BIO *bio, const int *port);
-/* BIO_set_nbio sets whether |bio| will use non-blocking I/O operations. It
- * returns one on success and zero otherwise. */
+// BIO_set_nbio sets whether |bio| will use non-blocking I/O operations. It
+// returns one on success and zero otherwise.
OPENSSL_EXPORT int BIO_set_nbio(BIO *bio, int on);
-/* BIO_do_connect connects |bio| if it has not been connected yet. It returns
- * one on success and <= 0 otherwise. */
+// BIO_do_connect connects |bio| if it has not been connected yet. It returns
+// one on success and <= 0 otherwise.
OPENSSL_EXPORT int BIO_do_connect(BIO *bio);
-/* Datagram BIOs.
- *
- * TODO(fork): not implemented. */
+// Datagram BIOs.
+//
+// TODO(fork): not implemented.
-#define BIO_CTRL_DGRAM_QUERY_MTU 40 /* as kernel for current MTU */
+#define BIO_CTRL_DGRAM_QUERY_MTU 40 // as kernel for current MTU
#define BIO_CTRL_DGRAM_SET_MTU 42 /* set cached value for MTU. want to use
this if asking the kernel fails */
@@ -567,47 +554,47 @@
#define BIO_CTRL_DGRAM_MTU_EXCEEDED 43 /* check whether the MTU was exceed in
the previous write operation. */
-/* BIO_CTRL_DGRAM_SET_NEXT_TIMEOUT is unsupported as it is unused by consumers
- * and depends on |timeval|, which is not 2038-clean on all platforms. */
+// BIO_CTRL_DGRAM_SET_NEXT_TIMEOUT is unsupported as it is unused by consumers
+// and depends on |timeval|, which is not 2038-clean on all platforms.
#define BIO_CTRL_DGRAM_GET_PEER 46
#define BIO_CTRL_DGRAM_GET_FALLBACK_MTU 47
-/* BIO Pairs.
- *
- * BIO pairs provide a "loopback" like system: a pair of BIOs where data
- * written to one can be read from the other and vice versa. */
+// BIO Pairs.
+//
+// BIO pairs provide a "loopback" like system: a pair of BIOs where data
+// written to one can be read from the other and vice versa.
-/* BIO_new_bio_pair sets |*out1| and |*out2| to two freshly created BIOs where
- * data written to one can be read from the other and vice versa. The
- * |writebuf1| argument gives the size of the buffer used in |*out1| and
- * |writebuf2| for |*out2|. It returns one on success and zero on error. */
+// BIO_new_bio_pair sets |*out1| and |*out2| to two freshly created BIOs where
+// data written to one can be read from the other and vice versa. The
+// |writebuf1| argument gives the size of the buffer used in |*out1| and
+// |writebuf2| for |*out2|. It returns one on success and zero on error.
OPENSSL_EXPORT int BIO_new_bio_pair(BIO **out1, size_t writebuf1, BIO **out2,
size_t writebuf2);
-/* BIO_ctrl_get_read_request returns the number of bytes that the other side of
- * |bio| tried (unsuccessfully) to read. */
+// BIO_ctrl_get_read_request returns the number of bytes that the other side of
+// |bio| tried (unsuccessfully) to read.
OPENSSL_EXPORT size_t BIO_ctrl_get_read_request(BIO *bio);
-/* BIO_ctrl_get_write_guarantee returns the number of bytes that |bio| (which
- * must have been returned by |BIO_new_bio_pair|) will accept on the next
- * |BIO_write| call. */
+// BIO_ctrl_get_write_guarantee returns the number of bytes that |bio| (which
+// must have been returned by |BIO_new_bio_pair|) will accept on the next
+// |BIO_write| call.
OPENSSL_EXPORT size_t BIO_ctrl_get_write_guarantee(BIO *bio);
-/* BIO_shutdown_wr marks |bio| as closed, from the point of view of the other
- * side of the pair. Future |BIO_write| calls on |bio| will fail. It returns
- * one on success and zero otherwise. */
+// BIO_shutdown_wr marks |bio| as closed, from the point of view of the other
+// side of the pair. Future |BIO_write| calls on |bio| will fail. It returns
+// one on success and zero otherwise.
OPENSSL_EXPORT int BIO_shutdown_wr(BIO *bio);
-/* BIO_NOCLOSE and |BIO_CLOSE| can be used as symbolic arguments when a "close
- * flag" is passed to a BIO function. */
+// BIO_NOCLOSE and |BIO_CLOSE| can be used as symbolic arguments when a "close
+// flag" is passed to a BIO function.
#define BIO_NOCLOSE 0
#define BIO_CLOSE 1
-/* These are passed to the BIO callback */
+// These are passed to the BIO callback
#define BIO_CB_FREE 0x01
#define BIO_CB_READ 0x02
#define BIO_CB_WRITE 0x03
@@ -615,49 +602,49 @@
#define BIO_CB_GETS 0x05
#define BIO_CB_CTRL 0x06
-/* The callback is called before and after the underling operation,
- * The BIO_CB_RETURN flag indicates if it is after the call */
+// The callback is called before and after the underling operation,
+// The BIO_CB_RETURN flag indicates if it is after the call
#define BIO_CB_RETURN 0x80
-/* These are values of the |cmd| argument to |BIO_ctrl|. */
-#define BIO_CTRL_RESET 1 /* opt - rewind/zero etc */
-#define BIO_CTRL_EOF 2 /* opt - are we at the eof */
-#define BIO_CTRL_INFO 3 /* opt - extra tit-bits */
-#define BIO_CTRL_SET 4 /* man - set the 'IO' type */
-#define BIO_CTRL_GET 5 /* man - get the 'IO' type */
+// These are values of the |cmd| argument to |BIO_ctrl|.
+#define BIO_CTRL_RESET 1 // opt - rewind/zero etc
+#define BIO_CTRL_EOF 2 // opt - are we at the eof
+#define BIO_CTRL_INFO 3 // opt - extra tit-bits
+#define BIO_CTRL_SET 4 // man - set the 'IO' type
+#define BIO_CTRL_GET 5 // man - get the 'IO' type
#define BIO_CTRL_PUSH 6
#define BIO_CTRL_POP 7
-#define BIO_CTRL_GET_CLOSE 8 /* man - set the 'close' on free */
-#define BIO_CTRL_SET_CLOSE 9 /* man - set the 'close' on free */
-#define BIO_CTRL_PENDING 10 /* opt - is their more data buffered */
-#define BIO_CTRL_FLUSH 11 /* opt - 'flush' buffered output */
-#define BIO_CTRL_WPENDING 13 /* opt - number of bytes still to write */
-/* callback is int cb(BIO *bio,state,ret); */
-#define BIO_CTRL_SET_CALLBACK 14 /* opt - set callback function */
-#define BIO_CTRL_GET_CALLBACK 15 /* opt - set callback function */
-#define BIO_CTRL_SET_FILENAME 30 /* BIO_s_file special */
+#define BIO_CTRL_GET_CLOSE 8 // man - set the 'close' on free
+#define BIO_CTRL_SET_CLOSE 9 // man - set the 'close' on free
+#define BIO_CTRL_PENDING 10 // opt - is their more data buffered
+#define BIO_CTRL_FLUSH 11 // opt - 'flush' buffered output
+#define BIO_CTRL_WPENDING 13 // opt - number of bytes still to write
+// callback is int cb(BIO *bio,state,ret);
+#define BIO_CTRL_SET_CALLBACK 14 // opt - set callback function
+#define BIO_CTRL_GET_CALLBACK 15 // opt - set callback function
+#define BIO_CTRL_SET_FILENAME 30 // BIO_s_file special
-/* BIO_CTRL_DUP is never used, but exists to allow code to compile more
- * easily. */
+// BIO_CTRL_DUP is never used, but exists to allow code to compile more
+// easily.
#define BIO_CTRL_DUP 12
-/* Deprecated functions. */
+// Deprecated functions.
-/* BIO_f_base64 returns a filter |BIO| that base64-encodes data written into
- * it, and decodes data read from it. |BIO_gets| is not supported. Call
- * |BIO_flush| when done writing, to signal that no more data are to be
- * encoded. The flag |BIO_FLAGS_BASE64_NO_NL| may be set to encode all the data
- * on one line. */
+// BIO_f_base64 returns a filter |BIO| that base64-encodes data written into
+// it, and decodes data read from it. |BIO_gets| is not supported. Call
+// |BIO_flush| when done writing, to signal that no more data are to be
+// encoded. The flag |BIO_FLAGS_BASE64_NO_NL| may be set to encode all the data
+// on one line.
OPENSSL_EXPORT const BIO_METHOD *BIO_f_base64(void);
OPENSSL_EXPORT void BIO_set_retry_special(BIO *bio);
-/* BIO_set_write_buffer_size returns zero. */
+// BIO_set_write_buffer_size returns zero.
OPENSSL_EXPORT int BIO_set_write_buffer_size(BIO *bio, int buffer_size);
-/* Private functions */
+// Private functions
#define BIO_FLAGS_READ 0x01
#define BIO_FLAGS_WRITE 0x02
@@ -665,11 +652,11 @@
#define BIO_FLAGS_RWS (BIO_FLAGS_READ | BIO_FLAGS_WRITE | BIO_FLAGS_IO_SPECIAL)
#define BIO_FLAGS_SHOULD_RETRY 0x08
#define BIO_FLAGS_BASE64_NO_NL 0x100
-/* This is used with memory BIOs: it means we shouldn't free up or change the
- * data in any way. */
+// This is used with memory BIOs: it means we shouldn't free up or change the
+// data in any way.
#define BIO_FLAGS_MEM_RDONLY 0x200
-/* These are the 'types' of BIOs */
+// These are the 'types' of BIOs
#define BIO_TYPE_NONE 0
#define BIO_TYPE_MEM (1 | 0x0400)
#define BIO_TYPE_FILE (2 | 0x0400)
@@ -677,24 +664,24 @@
#define BIO_TYPE_SOCKET (5 | 0x0400 | 0x0100)
#define BIO_TYPE_NULL (6 | 0x0400)
#define BIO_TYPE_SSL (7 | 0x0200)
-#define BIO_TYPE_MD (8 | 0x0200) /* passive filter */
-#define BIO_TYPE_BUFFER (9 | 0x0200) /* filter */
-#define BIO_TYPE_CIPHER (10 | 0x0200) /* filter */
-#define BIO_TYPE_BASE64 (11 | 0x0200) /* filter */
-#define BIO_TYPE_CONNECT (12 | 0x0400 | 0x0100) /* socket - connect */
-#define BIO_TYPE_ACCEPT (13 | 0x0400 | 0x0100) /* socket for accept */
-#define BIO_TYPE_PROXY_CLIENT (14 | 0x0200) /* client proxy BIO */
-#define BIO_TYPE_PROXY_SERVER (15 | 0x0200) /* server proxy BIO */
-#define BIO_TYPE_NBIO_TEST (16 | 0x0200) /* server proxy BIO */
+#define BIO_TYPE_MD (8 | 0x0200) // passive filter
+#define BIO_TYPE_BUFFER (9 | 0x0200) // filter
+#define BIO_TYPE_CIPHER (10 | 0x0200) // filter
+#define BIO_TYPE_BASE64 (11 | 0x0200) // filter
+#define BIO_TYPE_CONNECT (12 | 0x0400 | 0x0100) // socket - connect
+#define BIO_TYPE_ACCEPT (13 | 0x0400 | 0x0100) // socket for accept
+#define BIO_TYPE_PROXY_CLIENT (14 | 0x0200) // client proxy BIO
+#define BIO_TYPE_PROXY_SERVER (15 | 0x0200) // server proxy BIO
+#define BIO_TYPE_NBIO_TEST (16 | 0x0200) // server proxy BIO
#define BIO_TYPE_NULL_FILTER (17 | 0x0200)
-#define BIO_TYPE_BER (18 | 0x0200) /* BER -> bin filter */
-#define BIO_TYPE_BIO (19 | 0x0400) /* (half a) BIO pair */
-#define BIO_TYPE_LINEBUFFER (20 | 0x0200) /* filter */
+#define BIO_TYPE_BER (18 | 0x0200) // BER -> bin filter
+#define BIO_TYPE_BIO (19 | 0x0400) // (half a) BIO pair
+#define BIO_TYPE_LINEBUFFER (20 | 0x0200) // filter
#define BIO_TYPE_DGRAM (21 | 0x0400 | 0x0100)
-#define BIO_TYPE_ASN1 (22 | 0x0200) /* filter */
-#define BIO_TYPE_COMP (23 | 0x0200) /* filter */
+#define BIO_TYPE_ASN1 (22 | 0x0200) // filter
+#define BIO_TYPE_COMP (23 | 0x0200) // filter
-#define BIO_TYPE_DESCRIPTOR 0x0100 /* socket, fd, connect or accept */
+#define BIO_TYPE_DESCRIPTOR 0x0100 // socket, fd, connect or accept
#define BIO_TYPE_FILTER 0x0200
#define BIO_TYPE_SOURCE_SINK 0x0400
@@ -703,7 +690,7 @@
const char *name;
int (*bwrite)(BIO *, const char *, int);
int (*bread)(BIO *, char *, int);
- /* TODO(fork): remove bputs. */
+ // TODO(fork): remove bputs.
int (*bputs)(BIO *, const char *);
int (*bgets)(BIO *, char *, int);
long (*ctrl)(BIO *, int, long, void *);
@@ -714,27 +701,24 @@
struct bio_st {
const BIO_METHOD *method;
- /* bio, mode, argp, argi, argl, ret */
- long (*callback)(BIO *, int, const char *, int, long, long);
- char *cb_arg; /* first argument for the callback */
- /* init is non-zero if this |BIO| has been initialised. */
+ // init is non-zero if this |BIO| has been initialised.
int init;
- /* shutdown is often used by specific |BIO_METHOD|s to determine whether
- * they own some underlying resource. This flag can often by controlled by
- * |BIO_set_close|. For example, whether an fd BIO closes the underlying fd
- * when it, itself, is closed. */
+ // shutdown is often used by specific |BIO_METHOD|s to determine whether
+ // they own some underlying resource. This flag can often by controlled by
+ // |BIO_set_close|. For example, whether an fd BIO closes the underlying fd
+ // when it, itself, is closed.
int shutdown;
int flags;
int retry_reason;
- /* num is a BIO-specific value. For example, in fd BIOs it's used to store a
- * file descriptor. */
+ // num is a BIO-specific value. For example, in fd BIOs it's used to store a
+ // file descriptor.
int num;
CRYPTO_refcount_t references;
void *ptr;
- /* next_bio points to the next |BIO| in a chain. This |BIO| owns a reference
- * to |next_bio|. */
- BIO *next_bio; /* used by filter BIOs */
+ // next_bio points to the next |BIO| in a chain. This |BIO| owns a reference
+ // to |next_bio|.
+ BIO *next_bio; // used by filter BIOs
size_t num_read, num_write;
};
@@ -760,21 +744,21 @@
#define BIO_C_SSL_MODE 119
#define BIO_C_GET_MD_CTX 120
#define BIO_C_GET_PROXY_PARAM 121
-#define BIO_C_SET_BUFF_READ_DATA 122 /* data to read first */
+#define BIO_C_SET_BUFF_READ_DATA 122 // data to read first
#define BIO_C_GET_ACCEPT 124
#define BIO_C_SET_SSL_RENEGOTIATE_BYTES 125
#define BIO_C_GET_SSL_NUM_RENEGOTIATES 126
#define BIO_C_SET_SSL_RENEGOTIATE_TIMEOUT 127
#define BIO_C_FILE_SEEK 128
#define BIO_C_GET_CIPHER_CTX 129
-#define BIO_C_SET_BUF_MEM_EOF_RETURN 130/*return end of input value*/
+#define BIO_C_SET_BUF_MEM_EOF_RETURN 130 //return end of input value
#define BIO_C_SET_BIND_MODE 131
#define BIO_C_GET_BIND_MODE 132
#define BIO_C_FILE_TELL 133
#define BIO_C_GET_SOCKS 134
#define BIO_C_SET_SOCKS 135
-#define BIO_C_SET_WRITE_BUF_SIZE 136/* for BIO_s_bio */
+#define BIO_C_SET_WRITE_BUF_SIZE 136 // for BIO_s_bio
#define BIO_C_GET_WRITE_BUF_SIZE 137
#define BIO_C_GET_WRITE_GUARANTEE 140
#define BIO_C_GET_READ_REQUEST 141
@@ -796,7 +780,7 @@
#if defined(__cplusplus)
-} /* extern C */
+} // extern C
extern "C++" {
@@ -806,7 +790,7 @@
} // namespace bssl
-} /* extern C++ */
+} // extern C++
#endif
@@ -828,4 +812,4 @@
#define BIO_R_UNSUPPORTED_METHOD 115
#define BIO_R_WRITE_TO_READ_ONLY_BIO 116
-#endif /* OPENSSL_HEADER_BIO_H */
+#endif // OPENSSL_HEADER_BIO_H
diff --git a/src/include/openssl/blowfish.h b/src/include/openssl/blowfish.h
index fa60d53..ecf9d45 100644
--- a/src/include/openssl/blowfish.h
+++ b/src/include/openssl/blowfish.h
@@ -90,4 +90,4 @@
}
#endif
-#endif /* OPENSSL_HEADER_BLOWFISH_H */
+#endif // OPENSSL_HEADER_BLOWFISH_H
diff --git a/src/include/openssl/bn.h b/src/include/openssl/bn.h
index bdd41ba..52333ac 100644
--- a/src/include/openssl/bn.h
+++ b/src/include/openssl/bn.h
@@ -126,25 +126,25 @@
#include <openssl/base.h>
#include <openssl/thread.h>
-#include <inttypes.h> /* for PRIu64 and friends */
-#include <stdio.h> /* for FILE* */
+#include <inttypes.h> // for PRIu64 and friends
+#include <stdio.h> // for FILE*
#if defined(__cplusplus)
extern "C" {
#endif
-/* BN provides support for working with arbitrary sized integers. For example,
- * although the largest integer supported by the compiler might be 64 bits, BN
- * will allow you to work with numbers until you run out of memory. */
+// BN provides support for working with arbitrary sized integers. For example,
+// although the largest integer supported by the compiler might be 64 bits, BN
+// will allow you to work with numbers until you run out of memory.
-/* BN_ULONG is the native word size when working with big integers.
- *
- * Note: on some platforms, inttypes.h does not define print format macros in
- * C++ unless |__STDC_FORMAT_MACROS| defined. As this is a public header, bn.h
- * does not define |__STDC_FORMAT_MACROS| itself. C++ source files which use the
- * FMT macros must define it externally. */
+// BN_ULONG is the native word size when working with big integers.
+//
+// Note: on some platforms, inttypes.h does not define print format macros in
+// C++ unless |__STDC_FORMAT_MACROS| defined. As this is a public header, bn.h
+// does not define |__STDC_FORMAT_MACROS| itself. C++ source files which use the
+// FMT macros must define it externally.
#if defined(OPENSSL_64_BIT)
#define BN_ULONG uint64_t
#define BN_BITS2 64
@@ -164,703 +164,703 @@
#endif
-/* Allocation and freeing. */
+// Allocation and freeing.
-/* BN_new creates a new, allocated BIGNUM and initialises it. */
+// BN_new creates a new, allocated BIGNUM and initialises it.
OPENSSL_EXPORT BIGNUM *BN_new(void);
-/* BN_init initialises a stack allocated |BIGNUM|. */
+// BN_init initialises a stack allocated |BIGNUM|.
OPENSSL_EXPORT void BN_init(BIGNUM *bn);
-/* BN_free frees the data referenced by |bn| and, if |bn| was originally
- * allocated on the heap, frees |bn| also. */
+// BN_free frees the data referenced by |bn| and, if |bn| was originally
+// allocated on the heap, frees |bn| also.
OPENSSL_EXPORT void BN_free(BIGNUM *bn);
-/* BN_clear_free erases and frees the data referenced by |bn| and, if |bn| was
- * originally allocated on the heap, frees |bn| also. */
+// BN_clear_free erases and frees the data referenced by |bn| and, if |bn| was
+// originally allocated on the heap, frees |bn| also.
OPENSSL_EXPORT void BN_clear_free(BIGNUM *bn);
-/* BN_dup allocates a new BIGNUM and sets it equal to |src|. It returns the
- * allocated BIGNUM on success or NULL otherwise. */
+// BN_dup allocates a new BIGNUM and sets it equal to |src|. It returns the
+// allocated BIGNUM on success or NULL otherwise.
OPENSSL_EXPORT BIGNUM *BN_dup(const BIGNUM *src);
-/* BN_copy sets |dest| equal to |src| and returns |dest| or NULL on allocation
- * failure. */
+// BN_copy sets |dest| equal to |src| and returns |dest| or NULL on allocation
+// failure.
OPENSSL_EXPORT BIGNUM *BN_copy(BIGNUM *dest, const BIGNUM *src);
-/* BN_clear sets |bn| to zero and erases the old data. */
+// BN_clear sets |bn| to zero and erases the old data.
OPENSSL_EXPORT void BN_clear(BIGNUM *bn);
-/* BN_value_one returns a static BIGNUM with value 1. */
+// BN_value_one returns a static BIGNUM with value 1.
OPENSSL_EXPORT const BIGNUM *BN_value_one(void);
-/* Basic functions. */
+// Basic functions.
-/* BN_num_bits returns the minimum number of bits needed to represent the
- * absolute value of |bn|. */
+// BN_num_bits returns the minimum number of bits needed to represent the
+// absolute value of |bn|.
OPENSSL_EXPORT unsigned BN_num_bits(const BIGNUM *bn);
-/* BN_num_bytes returns the minimum number of bytes needed to represent the
- * absolute value of |bn|. */
+// BN_num_bytes returns the minimum number of bytes needed to represent the
+// absolute value of |bn|.
OPENSSL_EXPORT unsigned BN_num_bytes(const BIGNUM *bn);
-/* BN_zero sets |bn| to zero. */
+// BN_zero sets |bn| to zero.
OPENSSL_EXPORT void BN_zero(BIGNUM *bn);
-/* BN_one sets |bn| to one. It returns one on success or zero on allocation
- * failure. */
+// BN_one sets |bn| to one. It returns one on success or zero on allocation
+// failure.
OPENSSL_EXPORT int BN_one(BIGNUM *bn);
-/* BN_set_word sets |bn| to |value|. It returns one on success or zero on
- * allocation failure. */
+// BN_set_word sets |bn| to |value|. It returns one on success or zero on
+// allocation failure.
OPENSSL_EXPORT int BN_set_word(BIGNUM *bn, BN_ULONG value);
-/* BN_set_u64 sets |bn| to |value|. It returns one on success or zero on
- * allocation failure. */
+// BN_set_u64 sets |bn| to |value|. It returns one on success or zero on
+// allocation failure.
OPENSSL_EXPORT int BN_set_u64(BIGNUM *bn, uint64_t value);
-/* BN_set_negative sets the sign of |bn|. */
+// BN_set_negative sets the sign of |bn|.
OPENSSL_EXPORT void BN_set_negative(BIGNUM *bn, int sign);
-/* BN_is_negative returns one if |bn| is negative and zero otherwise. */
+// BN_is_negative returns one if |bn| is negative and zero otherwise.
OPENSSL_EXPORT int BN_is_negative(const BIGNUM *bn);
-/* Conversion functions. */
+// Conversion functions.
-/* BN_bin2bn sets |*ret| to the value of |len| bytes from |in|, interpreted as
- * a big-endian number, and returns |ret|. If |ret| is NULL then a fresh
- * |BIGNUM| is allocated and returned. It returns NULL on allocation
- * failure. */
+// BN_bin2bn sets |*ret| to the value of |len| bytes from |in|, interpreted as
+// a big-endian number, and returns |ret|. If |ret| is NULL then a fresh
+// |BIGNUM| is allocated and returned. It returns NULL on allocation
+// failure.
OPENSSL_EXPORT BIGNUM *BN_bin2bn(const uint8_t *in, size_t len, BIGNUM *ret);
-/* BN_bn2bin serialises the absolute value of |in| to |out| as a big-endian
- * integer, which must have |BN_num_bytes| of space available. It returns the
- * number of bytes written. */
+// BN_bn2bin serialises the absolute value of |in| to |out| as a big-endian
+// integer, which must have |BN_num_bytes| of space available. It returns the
+// number of bytes written.
OPENSSL_EXPORT size_t BN_bn2bin(const BIGNUM *in, uint8_t *out);
-/* BN_le2bn sets |*ret| to the value of |len| bytes from |in|, interpreted as
- * a little-endian number, and returns |ret|. If |ret| is NULL then a fresh
- * |BIGNUM| is allocated and returned. It returns NULL on allocation
- * failure. */
+// BN_le2bn sets |*ret| to the value of |len| bytes from |in|, interpreted as
+// a little-endian number, and returns |ret|. If |ret| is NULL then a fresh
+// |BIGNUM| is allocated and returned. It returns NULL on allocation
+// failure.
OPENSSL_EXPORT BIGNUM *BN_le2bn(const uint8_t *in, size_t len, BIGNUM *ret);
-/* BN_bn2le_padded serialises the absolute value of |in| to |out| as a
- * little-endian integer, which must have |len| of space available, padding
- * out the remainder of out with zeros. If |len| is smaller than |BN_num_bytes|,
- * the function fails and returns 0. Otherwise, it returns 1. */
+// BN_bn2le_padded serialises the absolute value of |in| to |out| as a
+// little-endian integer, which must have |len| of space available, padding
+// out the remainder of out with zeros. If |len| is smaller than |BN_num_bytes|,
+// the function fails and returns 0. Otherwise, it returns 1.
OPENSSL_EXPORT int BN_bn2le_padded(uint8_t *out, size_t len, const BIGNUM *in);
-/* BN_bn2bin_padded serialises the absolute value of |in| to |out| as a
- * big-endian integer. The integer is padded with leading zeros up to size
- * |len|. If |len| is smaller than |BN_num_bytes|, the function fails and
- * returns 0. Otherwise, it returns 1. */
+// BN_bn2bin_padded serialises the absolute value of |in| to |out| as a
+// big-endian integer. The integer is padded with leading zeros up to size
+// |len|. If |len| is smaller than |BN_num_bytes|, the function fails and
+// returns 0. Otherwise, it returns 1.
OPENSSL_EXPORT int BN_bn2bin_padded(uint8_t *out, size_t len, const BIGNUM *in);
-/* BN_bn2cbb_padded behaves like |BN_bn2bin_padded| but writes to a |CBB|. */
+// BN_bn2cbb_padded behaves like |BN_bn2bin_padded| but writes to a |CBB|.
OPENSSL_EXPORT int BN_bn2cbb_padded(CBB *out, size_t len, const BIGNUM *in);
-/* BN_bn2hex returns an allocated string that contains a NUL-terminated, hex
- * representation of |bn|. If |bn| is negative, the first char in the resulting
- * string will be '-'. Returns NULL on allocation failure. */
+// BN_bn2hex returns an allocated string that contains a NUL-terminated, hex
+// representation of |bn|. If |bn| is negative, the first char in the resulting
+// string will be '-'. Returns NULL on allocation failure.
OPENSSL_EXPORT char *BN_bn2hex(const BIGNUM *bn);
-/* BN_hex2bn parses the leading hex number from |in|, which may be proceeded by
- * a '-' to indicate a negative number and may contain trailing, non-hex data.
- * If |outp| is not NULL, it constructs a BIGNUM equal to the hex number and
- * stores it in |*outp|. If |*outp| is NULL then it allocates a new BIGNUM and
- * updates |*outp|. It returns the number of bytes of |in| processed or zero on
- * error. */
+// BN_hex2bn parses the leading hex number from |in|, which may be proceeded by
+// a '-' to indicate a negative number and may contain trailing, non-hex data.
+// If |outp| is not NULL, it constructs a BIGNUM equal to the hex number and
+// stores it in |*outp|. If |*outp| is NULL then it allocates a new BIGNUM and
+// updates |*outp|. It returns the number of bytes of |in| processed or zero on
+// error.
OPENSSL_EXPORT int BN_hex2bn(BIGNUM **outp, const char *in);
-/* BN_bn2dec returns an allocated string that contains a NUL-terminated,
- * decimal representation of |bn|. If |bn| is negative, the first char in the
- * resulting string will be '-'. Returns NULL on allocation failure. */
+// BN_bn2dec returns an allocated string that contains a NUL-terminated,
+// decimal representation of |bn|. If |bn| is negative, the first char in the
+// resulting string will be '-'. Returns NULL on allocation failure.
OPENSSL_EXPORT char *BN_bn2dec(const BIGNUM *a);
-/* BN_dec2bn parses the leading decimal number from |in|, which may be
- * proceeded by a '-' to indicate a negative number and may contain trailing,
- * non-decimal data. If |outp| is not NULL, it constructs a BIGNUM equal to the
- * decimal number and stores it in |*outp|. If |*outp| is NULL then it
- * allocates a new BIGNUM and updates |*outp|. It returns the number of bytes
- * of |in| processed or zero on error. */
+// BN_dec2bn parses the leading decimal number from |in|, which may be
+// proceeded by a '-' to indicate a negative number and may contain trailing,
+// non-decimal data. If |outp| is not NULL, it constructs a BIGNUM equal to the
+// decimal number and stores it in |*outp|. If |*outp| is NULL then it
+// allocates a new BIGNUM and updates |*outp|. It returns the number of bytes
+// of |in| processed or zero on error.
OPENSSL_EXPORT int BN_dec2bn(BIGNUM **outp, const char *in);
-/* BN_asc2bn acts like |BN_dec2bn| or |BN_hex2bn| depending on whether |in|
- * begins with "0X" or "0x" (indicating hex) or not (indicating decimal). A
- * leading '-' is still permitted and comes before the optional 0X/0x. It
- * returns one on success or zero on error. */
+// BN_asc2bn acts like |BN_dec2bn| or |BN_hex2bn| depending on whether |in|
+// begins with "0X" or "0x" (indicating hex) or not (indicating decimal). A
+// leading '-' is still permitted and comes before the optional 0X/0x. It
+// returns one on success or zero on error.
OPENSSL_EXPORT int BN_asc2bn(BIGNUM **outp, const char *in);
-/* BN_print writes a hex encoding of |a| to |bio|. It returns one on success
- * and zero on error. */
+// BN_print writes a hex encoding of |a| to |bio|. It returns one on success
+// and zero on error.
OPENSSL_EXPORT int BN_print(BIO *bio, const BIGNUM *a);
-/* BN_print_fp acts like |BIO_print|, but wraps |fp| in a |BIO| first. */
+// BN_print_fp acts like |BIO_print|, but wraps |fp| in a |BIO| first.
OPENSSL_EXPORT int BN_print_fp(FILE *fp, const BIGNUM *a);
-/* BN_get_word returns the absolute value of |bn| as a single word. If |bn| is
- * too large to be represented as a single word, the maximum possible value
- * will be returned. */
+// BN_get_word returns the absolute value of |bn| as a single word. If |bn| is
+// too large to be represented as a single word, the maximum possible value
+// will be returned.
OPENSSL_EXPORT BN_ULONG BN_get_word(const BIGNUM *bn);
-/* BN_get_u64 sets |*out| to the absolute value of |bn| as a |uint64_t| and
- * returns one. If |bn| is too large to be represented as a |uint64_t|, it
- * returns zero. */
+// BN_get_u64 sets |*out| to the absolute value of |bn| as a |uint64_t| and
+// returns one. If |bn| is too large to be represented as a |uint64_t|, it
+// returns zero.
OPENSSL_EXPORT int BN_get_u64(const BIGNUM *bn, uint64_t *out);
-/* ASN.1 functions. */
+// ASN.1 functions.
-/* BN_parse_asn1_unsigned parses a non-negative DER INTEGER from |cbs| writes
- * the result to |ret|. It returns one on success and zero on failure. */
+// BN_parse_asn1_unsigned parses a non-negative DER INTEGER from |cbs| writes
+// the result to |ret|. It returns one on success and zero on failure.
OPENSSL_EXPORT int BN_parse_asn1_unsigned(CBS *cbs, BIGNUM *ret);
-/* BN_parse_asn1_unsigned_buggy acts like |BN_parse_asn1_unsigned| but tolerates
- * some invalid encodings. Do not use this function. */
+// BN_parse_asn1_unsigned_buggy acts like |BN_parse_asn1_unsigned| but tolerates
+// some invalid encodings. Do not use this function.
OPENSSL_EXPORT int BN_parse_asn1_unsigned_buggy(CBS *cbs, BIGNUM *ret);
-/* BN_marshal_asn1 marshals |bn| as a non-negative DER INTEGER and appends the
- * result to |cbb|. It returns one on success and zero on failure. */
+// BN_marshal_asn1 marshals |bn| as a non-negative DER INTEGER and appends the
+// result to |cbb|. It returns one on success and zero on failure.
OPENSSL_EXPORT int BN_marshal_asn1(CBB *cbb, const BIGNUM *bn);
-/* BIGNUM pools.
- *
- * Certain BIGNUM operations need to use many temporary variables and
- * allocating and freeing them can be quite slow. Thus such operations typically
- * take a |BN_CTX| parameter, which contains a pool of |BIGNUMs|. The |ctx|
- * argument to a public function may be NULL, in which case a local |BN_CTX|
- * will be created just for the lifetime of that call.
- *
- * A function must call |BN_CTX_start| first. Then, |BN_CTX_get| may be called
- * repeatedly to obtain temporary |BIGNUM|s. All |BN_CTX_get| calls must be made
- * before calling any other functions that use the |ctx| as an argument.
- *
- * Finally, |BN_CTX_end| must be called before returning from the function.
- * When |BN_CTX_end| is called, the |BIGNUM| pointers obtained from
- * |BN_CTX_get| become invalid. */
+// BIGNUM pools.
+//
+// Certain BIGNUM operations need to use many temporary variables and
+// allocating and freeing them can be quite slow. Thus such operations typically
+// take a |BN_CTX| parameter, which contains a pool of |BIGNUMs|. The |ctx|
+// argument to a public function may be NULL, in which case a local |BN_CTX|
+// will be created just for the lifetime of that call.
+//
+// A function must call |BN_CTX_start| first. Then, |BN_CTX_get| may be called
+// repeatedly to obtain temporary |BIGNUM|s. All |BN_CTX_get| calls must be made
+// before calling any other functions that use the |ctx| as an argument.
+//
+// Finally, |BN_CTX_end| must be called before returning from the function.
+// When |BN_CTX_end| is called, the |BIGNUM| pointers obtained from
+// |BN_CTX_get| become invalid.
-/* BN_CTX_new returns a new, empty BN_CTX or NULL on allocation failure. */
+// BN_CTX_new returns a new, empty BN_CTX or NULL on allocation failure.
OPENSSL_EXPORT BN_CTX *BN_CTX_new(void);
-/* BN_CTX_free frees all BIGNUMs contained in |ctx| and then frees |ctx|
- * itself. */
+// BN_CTX_free frees all BIGNUMs contained in |ctx| and then frees |ctx|
+// itself.
OPENSSL_EXPORT void BN_CTX_free(BN_CTX *ctx);
-/* BN_CTX_start "pushes" a new entry onto the |ctx| stack and allows future
- * calls to |BN_CTX_get|. */
+// BN_CTX_start "pushes" a new entry onto the |ctx| stack and allows future
+// calls to |BN_CTX_get|.
OPENSSL_EXPORT void BN_CTX_start(BN_CTX *ctx);
-/* BN_CTX_get returns a new |BIGNUM|, or NULL on allocation failure. Once
- * |BN_CTX_get| has returned NULL, all future calls will also return NULL until
- * |BN_CTX_end| is called. */
+// BN_CTX_get returns a new |BIGNUM|, or NULL on allocation failure. Once
+// |BN_CTX_get| has returned NULL, all future calls will also return NULL until
+// |BN_CTX_end| is called.
OPENSSL_EXPORT BIGNUM *BN_CTX_get(BN_CTX *ctx);
-/* BN_CTX_end invalidates all |BIGNUM|s returned from |BN_CTX_get| since the
- * matching |BN_CTX_start| call. */
+// BN_CTX_end invalidates all |BIGNUM|s returned from |BN_CTX_get| since the
+// matching |BN_CTX_start| call.
OPENSSL_EXPORT void BN_CTX_end(BN_CTX *ctx);
-/* Simple arithmetic */
+// Simple arithmetic
-/* BN_add sets |r| = |a| + |b|, where |r| may be the same pointer as either |a|
- * or |b|. It returns one on success and zero on allocation failure. */
+// BN_add sets |r| = |a| + |b|, where |r| may be the same pointer as either |a|
+// or |b|. It returns one on success and zero on allocation failure.
OPENSSL_EXPORT int BN_add(BIGNUM *r, const BIGNUM *a, const BIGNUM *b);
-/* BN_uadd sets |r| = |a| + |b|, where |a| and |b| are non-negative and |r| may
- * be the same pointer as either |a| or |b|. It returns one on success and zero
- * on allocation failure. */
+// BN_uadd sets |r| = |a| + |b|, where |a| and |b| are non-negative and |r| may
+// be the same pointer as either |a| or |b|. It returns one on success and zero
+// on allocation failure.
OPENSSL_EXPORT int BN_uadd(BIGNUM *r, const BIGNUM *a, const BIGNUM *b);
-/* BN_add_word adds |w| to |a|. It returns one on success and zero otherwise. */
+// BN_add_word adds |w| to |a|. It returns one on success and zero otherwise.
OPENSSL_EXPORT int BN_add_word(BIGNUM *a, BN_ULONG w);
-/* BN_sub sets |r| = |a| - |b|, where |r| may be the same pointer as either |a|
- * or |b|. It returns one on success and zero on allocation failure. */
+// BN_sub sets |r| = |a| - |b|, where |r| may be the same pointer as either |a|
+// or |b|. It returns one on success and zero on allocation failure.
OPENSSL_EXPORT int BN_sub(BIGNUM *r, const BIGNUM *a, const BIGNUM *b);
-/* BN_usub sets |r| = |a| - |b|, where |a| and |b| are non-negative integers,
- * |b| < |a| and |r| may be the same pointer as either |a| or |b|. It returns
- * one on success and zero on allocation failure. */
+// BN_usub sets |r| = |a| - |b|, where |a| and |b| are non-negative integers,
+// |b| < |a| and |r| may be the same pointer as either |a| or |b|. It returns
+// one on success and zero on allocation failure.
OPENSSL_EXPORT int BN_usub(BIGNUM *r, const BIGNUM *a, const BIGNUM *b);
-/* BN_sub_word subtracts |w| from |a|. It returns one on success and zero on
- * allocation failure. */
+// BN_sub_word subtracts |w| from |a|. It returns one on success and zero on
+// allocation failure.
OPENSSL_EXPORT int BN_sub_word(BIGNUM *a, BN_ULONG w);
-/* BN_mul sets |r| = |a| * |b|, where |r| may be the same pointer as |a| or
- * |b|. Returns one on success and zero otherwise. */
+// BN_mul sets |r| = |a| * |b|, where |r| may be the same pointer as |a| or
+// |b|. Returns one on success and zero otherwise.
OPENSSL_EXPORT int BN_mul(BIGNUM *r, const BIGNUM *a, const BIGNUM *b,
BN_CTX *ctx);
-/* BN_mul_word sets |bn| = |bn| * |w|. It returns one on success or zero on
- * allocation failure. */
+// BN_mul_word sets |bn| = |bn| * |w|. It returns one on success or zero on
+// allocation failure.
OPENSSL_EXPORT int BN_mul_word(BIGNUM *bn, BN_ULONG w);
-/* BN_sqr sets |r| = |a|^2 (i.e. squares), where |r| may be the same pointer as
- * |a|. Returns one on success and zero otherwise. This is more efficient than
- * BN_mul(r, a, a, ctx). */
+// BN_sqr sets |r| = |a|^2 (i.e. squares), where |r| may be the same pointer as
+// |a|. Returns one on success and zero otherwise. This is more efficient than
+// BN_mul(r, a, a, ctx).
OPENSSL_EXPORT int BN_sqr(BIGNUM *r, const BIGNUM *a, BN_CTX *ctx);
-/* BN_div divides |numerator| by |divisor| and places the result in |quotient|
- * and the remainder in |rem|. Either of |quotient| or |rem| may be NULL, in
- * which case the respective value is not returned. The result is rounded
- * towards zero; thus if |numerator| is negative, the remainder will be zero or
- * negative. It returns one on success or zero on error. */
+// BN_div divides |numerator| by |divisor| and places the result in |quotient|
+// and the remainder in |rem|. Either of |quotient| or |rem| may be NULL, in
+// which case the respective value is not returned. The result is rounded
+// towards zero; thus if |numerator| is negative, the remainder will be zero or
+// negative. It returns one on success or zero on error.
OPENSSL_EXPORT int BN_div(BIGNUM *quotient, BIGNUM *rem,
const BIGNUM *numerator, const BIGNUM *divisor,
BN_CTX *ctx);
-/* BN_div_word sets |numerator| = |numerator|/|divisor| and returns the
- * remainder or (BN_ULONG)-1 on error. */
+// BN_div_word sets |numerator| = |numerator|/|divisor| and returns the
+// remainder or (BN_ULONG)-1 on error.
OPENSSL_EXPORT BN_ULONG BN_div_word(BIGNUM *numerator, BN_ULONG divisor);
-/* BN_sqrt sets |*out_sqrt| (which may be the same |BIGNUM| as |in|) to the
- * square root of |in|, using |ctx|. It returns one on success or zero on
- * error. Negative numbers and non-square numbers will result in an error with
- * appropriate errors on the error queue. */
+// BN_sqrt sets |*out_sqrt| (which may be the same |BIGNUM| as |in|) to the
+// square root of |in|, using |ctx|. It returns one on success or zero on
+// error. Negative numbers and non-square numbers will result in an error with
+// appropriate errors on the error queue.
OPENSSL_EXPORT int BN_sqrt(BIGNUM *out_sqrt, const BIGNUM *in, BN_CTX *ctx);
-/* Comparison functions */
+// Comparison functions
-/* BN_cmp returns a value less than, equal to or greater than zero if |a| is
- * less than, equal to or greater than |b|, respectively. */
+// BN_cmp returns a value less than, equal to or greater than zero if |a| is
+// less than, equal to or greater than |b|, respectively.
OPENSSL_EXPORT int BN_cmp(const BIGNUM *a, const BIGNUM *b);
-/* BN_cmp_word is like |BN_cmp| except it takes its second argument as a
- * |BN_ULONG| instead of a |BIGNUM|. */
+// BN_cmp_word is like |BN_cmp| except it takes its second argument as a
+// |BN_ULONG| instead of a |BIGNUM|.
OPENSSL_EXPORT int BN_cmp_word(const BIGNUM *a, BN_ULONG b);
-/* BN_ucmp returns a value less than, equal to or greater than zero if the
- * absolute value of |a| is less than, equal to or greater than the absolute
- * value of |b|, respectively. */
+// BN_ucmp returns a value less than, equal to or greater than zero if the
+// absolute value of |a| is less than, equal to or greater than the absolute
+// value of |b|, respectively.
OPENSSL_EXPORT int BN_ucmp(const BIGNUM *a, const BIGNUM *b);
-/* BN_equal_consttime returns one if |a| is equal to |b|, and zero otherwise.
- * It takes an amount of time dependent on the sizes of |a| and |b|, but
- * independent of the contents (including the signs) of |a| and |b|. */
+// BN_equal_consttime returns one if |a| is equal to |b|, and zero otherwise.
+// It takes an amount of time dependent on the sizes of |a| and |b|, but
+// independent of the contents (including the signs) of |a| and |b|.
OPENSSL_EXPORT int BN_equal_consttime(const BIGNUM *a, const BIGNUM *b);
-/* BN_abs_is_word returns one if the absolute value of |bn| equals |w| and zero
- * otherwise. */
+// BN_abs_is_word returns one if the absolute value of |bn| equals |w| and zero
+// otherwise.
OPENSSL_EXPORT int BN_abs_is_word(const BIGNUM *bn, BN_ULONG w);
-/* BN_is_zero returns one if |bn| is zero and zero otherwise. */
+// BN_is_zero returns one if |bn| is zero and zero otherwise.
OPENSSL_EXPORT int BN_is_zero(const BIGNUM *bn);
-/* BN_is_one returns one if |bn| equals one and zero otherwise. */
+// BN_is_one returns one if |bn| equals one and zero otherwise.
OPENSSL_EXPORT int BN_is_one(const BIGNUM *bn);
-/* BN_is_word returns one if |bn| is exactly |w| and zero otherwise. */
+// BN_is_word returns one if |bn| is exactly |w| and zero otherwise.
OPENSSL_EXPORT int BN_is_word(const BIGNUM *bn, BN_ULONG w);
-/* BN_is_odd returns one if |bn| is odd and zero otherwise. */
+// BN_is_odd returns one if |bn| is odd and zero otherwise.
OPENSSL_EXPORT int BN_is_odd(const BIGNUM *bn);
-/* BN_is_pow2 returns 1 if |a| is a power of two, and 0 otherwise. */
+// BN_is_pow2 returns 1 if |a| is a power of two, and 0 otherwise.
OPENSSL_EXPORT int BN_is_pow2(const BIGNUM *a);
-/* Bitwise operations. */
+// Bitwise operations.
-/* BN_lshift sets |r| equal to |a| << n. The |a| and |r| arguments may be the
- * same |BIGNUM|. It returns one on success and zero on allocation failure. */
+// BN_lshift sets |r| equal to |a| << n. The |a| and |r| arguments may be the
+// same |BIGNUM|. It returns one on success and zero on allocation failure.
OPENSSL_EXPORT int BN_lshift(BIGNUM *r, const BIGNUM *a, int n);
-/* BN_lshift1 sets |r| equal to |a| << 1, where |r| and |a| may be the same
- * pointer. It returns one on success and zero on allocation failure. */
+// BN_lshift1 sets |r| equal to |a| << 1, where |r| and |a| may be the same
+// pointer. It returns one on success and zero on allocation failure.
OPENSSL_EXPORT int BN_lshift1(BIGNUM *r, const BIGNUM *a);
-/* BN_rshift sets |r| equal to |a| >> n, where |r| and |a| may be the same
- * pointer. It returns one on success and zero on allocation failure. */
+// BN_rshift sets |r| equal to |a| >> n, where |r| and |a| may be the same
+// pointer. It returns one on success and zero on allocation failure.
OPENSSL_EXPORT int BN_rshift(BIGNUM *r, const BIGNUM *a, int n);
-/* BN_rshift1 sets |r| equal to |a| >> 1, where |r| and |a| may be the same
- * pointer. It returns one on success and zero on allocation failure. */
+// BN_rshift1 sets |r| equal to |a| >> 1, where |r| and |a| may be the same
+// pointer. It returns one on success and zero on allocation failure.
OPENSSL_EXPORT int BN_rshift1(BIGNUM *r, const BIGNUM *a);
-/* BN_set_bit sets the |n|th, least-significant bit in |a|. For example, if |a|
- * is 2 then setting bit zero will make it 3. It returns one on success or zero
- * on allocation failure. */
+// BN_set_bit sets the |n|th, least-significant bit in |a|. For example, if |a|
+// is 2 then setting bit zero will make it 3. It returns one on success or zero
+// on allocation failure.
OPENSSL_EXPORT int BN_set_bit(BIGNUM *a, int n);
-/* BN_clear_bit clears the |n|th, least-significant bit in |a|. For example, if
- * |a| is 3, clearing bit zero will make it two. It returns one on success or
- * zero on allocation failure. */
+// BN_clear_bit clears the |n|th, least-significant bit in |a|. For example, if
+// |a| is 3, clearing bit zero will make it two. It returns one on success or
+// zero on allocation failure.
OPENSSL_EXPORT int BN_clear_bit(BIGNUM *a, int n);
-/* BN_is_bit_set returns the value of the |n|th, least-significant bit in |a|,
- * or zero if the bit doesn't exist. */
+// BN_is_bit_set returns the value of the |n|th, least-significant bit in |a|,
+// or zero if the bit doesn't exist.
OPENSSL_EXPORT int BN_is_bit_set(const BIGNUM *a, int n);
-/* BN_mask_bits truncates |a| so that it is only |n| bits long. It returns one
- * on success or zero if |n| is greater than the length of |a| already. */
+// BN_mask_bits truncates |a| so that it is only |n| bits long. It returns one
+// on success or zero if |n| is greater than the length of |a| already.
OPENSSL_EXPORT int BN_mask_bits(BIGNUM *a, int n);
-/* Modulo arithmetic. */
+// Modulo arithmetic.
-/* BN_mod_word returns |a| mod |w| or (BN_ULONG)-1 on error. */
+// BN_mod_word returns |a| mod |w| or (BN_ULONG)-1 on error.
OPENSSL_EXPORT BN_ULONG BN_mod_word(const BIGNUM *a, BN_ULONG w);
-/* BN_mod_pow2 sets |r| = |a| mod 2^|e|. It returns 1 on success and
- * 0 on error. */
+// BN_mod_pow2 sets |r| = |a| mod 2^|e|. It returns 1 on success and
+// 0 on error.
OPENSSL_EXPORT int BN_mod_pow2(BIGNUM *r, const BIGNUM *a, size_t e);
-/* BN_nnmod_pow2 sets |r| = |a| mod 2^|e| where |r| is always positive.
- * It returns 1 on success and 0 on error. */
+// BN_nnmod_pow2 sets |r| = |a| mod 2^|e| where |r| is always positive.
+// It returns 1 on success and 0 on error.
OPENSSL_EXPORT int BN_nnmod_pow2(BIGNUM *r, const BIGNUM *a, size_t e);
-/* BN_mod is a helper macro that calls |BN_div| and discards the quotient. */
+// BN_mod is a helper macro that calls |BN_div| and discards the quotient.
#define BN_mod(rem, numerator, divisor, ctx) \
BN_div(NULL, (rem), (numerator), (divisor), (ctx))
-/* BN_nnmod is a non-negative modulo function. It acts like |BN_mod|, but 0 <=
- * |rem| < |divisor| is always true. It returns one on success and zero on
- * error. */
+// BN_nnmod is a non-negative modulo function. It acts like |BN_mod|, but 0 <=
+// |rem| < |divisor| is always true. It returns one on success and zero on
+// error.
OPENSSL_EXPORT int BN_nnmod(BIGNUM *rem, const BIGNUM *numerator,
const BIGNUM *divisor, BN_CTX *ctx);
-/* BN_mod_add sets |r| = |a| + |b| mod |m|. It returns one on success and zero
- * on error. */
+// BN_mod_add sets |r| = |a| + |b| mod |m|. It returns one on success and zero
+// on error.
OPENSSL_EXPORT int BN_mod_add(BIGNUM *r, const BIGNUM *a, const BIGNUM *b,
const BIGNUM *m, BN_CTX *ctx);
-/* BN_mod_add_quick acts like |BN_mod_add| but requires that |a| and |b| be
- * non-negative and less than |m|. */
+// BN_mod_add_quick acts like |BN_mod_add| but requires that |a| and |b| be
+// non-negative and less than |m|.
OPENSSL_EXPORT int BN_mod_add_quick(BIGNUM *r, const BIGNUM *a, const BIGNUM *b,
const BIGNUM *m);
-/* BN_mod_sub sets |r| = |a| - |b| mod |m|. It returns one on success and zero
- * on error. */
+// BN_mod_sub sets |r| = |a| - |b| mod |m|. It returns one on success and zero
+// on error.
OPENSSL_EXPORT int BN_mod_sub(BIGNUM *r, const BIGNUM *a, const BIGNUM *b,
const BIGNUM *m, BN_CTX *ctx);
-/* BN_mod_sub_quick acts like |BN_mod_sub| but requires that |a| and |b| be
- * non-negative and less than |m|. */
+// BN_mod_sub_quick acts like |BN_mod_sub| but requires that |a| and |b| be
+// non-negative and less than |m|.
OPENSSL_EXPORT int BN_mod_sub_quick(BIGNUM *r, const BIGNUM *a, const BIGNUM *b,
const BIGNUM *m);
-/* BN_mod_mul sets |r| = |a|*|b| mod |m|. It returns one on success and zero
- * on error. */
+// BN_mod_mul sets |r| = |a|*|b| mod |m|. It returns one on success and zero
+// on error.
OPENSSL_EXPORT int BN_mod_mul(BIGNUM *r, const BIGNUM *a, const BIGNUM *b,
const BIGNUM *m, BN_CTX *ctx);
-/* BN_mod_sqr sets |r| = |a|^2 mod |m|. It returns one on success and zero
- * on error. */
+// BN_mod_sqr sets |r| = |a|^2 mod |m|. It returns one on success and zero
+// on error.
OPENSSL_EXPORT int BN_mod_sqr(BIGNUM *r, const BIGNUM *a, const BIGNUM *m,
BN_CTX *ctx);
-/* BN_mod_lshift sets |r| = (|a| << n) mod |m|, where |r| and |a| may be the
- * same pointer. It returns one on success and zero on error. */
+// BN_mod_lshift sets |r| = (|a| << n) mod |m|, where |r| and |a| may be the
+// same pointer. It returns one on success and zero on error.
OPENSSL_EXPORT int BN_mod_lshift(BIGNUM *r, const BIGNUM *a, int n,
const BIGNUM *m, BN_CTX *ctx);
-/* BN_mod_lshift_quick acts like |BN_mod_lshift| but requires that |a| be
- * non-negative and less than |m|. */
+// BN_mod_lshift_quick acts like |BN_mod_lshift| but requires that |a| be
+// non-negative and less than |m|.
OPENSSL_EXPORT int BN_mod_lshift_quick(BIGNUM *r, const BIGNUM *a, int n,
const BIGNUM *m);
-/* BN_mod_lshift1 sets |r| = (|a| << 1) mod |m|, where |r| and |a| may be the
- * same pointer. It returns one on success and zero on error. */
+// BN_mod_lshift1 sets |r| = (|a| << 1) mod |m|, where |r| and |a| may be the
+// same pointer. It returns one on success and zero on error.
OPENSSL_EXPORT int BN_mod_lshift1(BIGNUM *r, const BIGNUM *a, const BIGNUM *m,
BN_CTX *ctx);
-/* BN_mod_lshift1_quick acts like |BN_mod_lshift1| but requires that |a| be
- * non-negative and less than |m|. */
+// BN_mod_lshift1_quick acts like |BN_mod_lshift1| but requires that |a| be
+// non-negative and less than |m|.
OPENSSL_EXPORT int BN_mod_lshift1_quick(BIGNUM *r, const BIGNUM *a,
const BIGNUM *m);
-/* BN_mod_sqrt returns a newly-allocated |BIGNUM|, r, such that
- * r^2 == a (mod p). |p| must be a prime. It returns NULL on error or if |a| is
- * not a square mod |p|. In the latter case, it will add |BN_R_NOT_A_SQUARE| to
- * the error queue. */
+// BN_mod_sqrt returns a newly-allocated |BIGNUM|, r, such that
+// r^2 == a (mod p). |p| must be a prime. It returns NULL on error or if |a| is
+// not a square mod |p|. In the latter case, it will add |BN_R_NOT_A_SQUARE| to
+// the error queue.
OPENSSL_EXPORT BIGNUM *BN_mod_sqrt(BIGNUM *in, const BIGNUM *a, const BIGNUM *p,
BN_CTX *ctx);
-/* Random and prime number generation. */
+// Random and prime number generation.
-/* The following are values for the |top| parameter of |BN_rand|. */
+// The following are values for the |top| parameter of |BN_rand|.
#define BN_RAND_TOP_ANY (-1)
#define BN_RAND_TOP_ONE 0
#define BN_RAND_TOP_TWO 1
-/* The following are values for the |bottom| parameter of |BN_rand|. */
+// The following are values for the |bottom| parameter of |BN_rand|.
#define BN_RAND_BOTTOM_ANY 0
#define BN_RAND_BOTTOM_ODD 1
-/* BN_rand sets |rnd| to a random number of length |bits|. It returns one on
- * success and zero otherwise.
- *
- * |top| must be one of the |BN_RAND_TOP_*| values. If |BN_RAND_TOP_ONE|, the
- * most-significant bit, if any, will be set. If |BN_RAND_TOP_TWO|, the two
- * most significant bits, if any, will be set. If |BN_RAND_TOP_ANY|, no extra
- * action will be taken and |BN_num_bits(rnd)| may not equal |bits| if the most
- * significant bits randomly ended up as zeros.
- *
- * |bottom| must be one of the |BN_RAND_BOTTOM_*| values. If
- * |BN_RAND_BOTTOM_ODD|, the least-significant bit, if any, will be set. If
- * |BN_RAND_BOTTOM_ANY|, no extra action will be taken. */
+// BN_rand sets |rnd| to a random number of length |bits|. It returns one on
+// success and zero otherwise.
+//
+// |top| must be one of the |BN_RAND_TOP_*| values. If |BN_RAND_TOP_ONE|, the
+// most-significant bit, if any, will be set. If |BN_RAND_TOP_TWO|, the two
+// most significant bits, if any, will be set. If |BN_RAND_TOP_ANY|, no extra
+// action will be taken and |BN_num_bits(rnd)| may not equal |bits| if the most
+// significant bits randomly ended up as zeros.
+//
+// |bottom| must be one of the |BN_RAND_BOTTOM_*| values. If
+// |BN_RAND_BOTTOM_ODD|, the least-significant bit, if any, will be set. If
+// |BN_RAND_BOTTOM_ANY|, no extra action will be taken.
OPENSSL_EXPORT int BN_rand(BIGNUM *rnd, int bits, int top, int bottom);
-/* BN_pseudo_rand is an alias for |BN_rand|. */
+// BN_pseudo_rand is an alias for |BN_rand|.
OPENSSL_EXPORT int BN_pseudo_rand(BIGNUM *rnd, int bits, int top, int bottom);
-/* BN_rand_range is equivalent to |BN_rand_range_ex| with |min_inclusive| set
- * to zero and |max_exclusive| set to |range|. */
+// BN_rand_range is equivalent to |BN_rand_range_ex| with |min_inclusive| set
+// to zero and |max_exclusive| set to |range|.
OPENSSL_EXPORT int BN_rand_range(BIGNUM *rnd, const BIGNUM *range);
-/* BN_rand_range_ex sets |rnd| to a random value in
- * [min_inclusive..max_exclusive). It returns one on success and zero
- * otherwise. */
+// BN_rand_range_ex sets |rnd| to a random value in
+// [min_inclusive..max_exclusive). It returns one on success and zero
+// otherwise.
OPENSSL_EXPORT int BN_rand_range_ex(BIGNUM *r, BN_ULONG min_inclusive,
const BIGNUM *max_exclusive);
-/* BN_pseudo_rand_range is an alias for BN_rand_range. */
+// BN_pseudo_rand_range is an alias for BN_rand_range.
OPENSSL_EXPORT int BN_pseudo_rand_range(BIGNUM *rnd, const BIGNUM *range);
-/* BN_generate_dsa_nonce generates a random number 0 <= out < range. Unlike
- * BN_rand_range, it also includes the contents of |priv| and |message| in the
- * generation so that an RNG failure isn't fatal as long as |priv| remains
- * secret. This is intended for use in DSA and ECDSA where an RNG weakness
- * leads directly to private key exposure unless this function is used.
- * It returns one on success and zero on error. */
+// BN_generate_dsa_nonce generates a random number 0 <= out < range. Unlike
+// BN_rand_range, it also includes the contents of |priv| and |message| in the
+// generation so that an RNG failure isn't fatal as long as |priv| remains
+// secret. This is intended for use in DSA and ECDSA where an RNG weakness
+// leads directly to private key exposure unless this function is used.
+// It returns one on success and zero on error.
OPENSSL_EXPORT int BN_generate_dsa_nonce(BIGNUM *out, const BIGNUM *range,
const BIGNUM *priv,
const uint8_t *message,
size_t message_len, BN_CTX *ctx);
-/* BN_GENCB holds a callback function that is used by generation functions that
- * can take a very long time to complete. Use |BN_GENCB_set| to initialise a
- * |BN_GENCB| structure.
- *
- * The callback receives the address of that |BN_GENCB| structure as its last
- * argument and the user is free to put an arbitrary pointer in |arg|. The other
- * arguments are set as follows:
- * event=BN_GENCB_GENERATED, n=i: after generating the i'th possible prime
- * number.
- * event=BN_GENCB_PRIME_TEST, n=-1: when finished trial division primality
- * checks.
- * event=BN_GENCB_PRIME_TEST, n=i: when the i'th primality test has finished.
- *
- * The callback can return zero to abort the generation progress or one to
- * allow it to continue.
- *
- * When other code needs to call a BN generation function it will often take a
- * BN_GENCB argument and may call the function with other argument values. */
+// BN_GENCB holds a callback function that is used by generation functions that
+// can take a very long time to complete. Use |BN_GENCB_set| to initialise a
+// |BN_GENCB| structure.
+//
+// The callback receives the address of that |BN_GENCB| structure as its last
+// argument and the user is free to put an arbitrary pointer in |arg|. The other
+// arguments are set as follows:
+// event=BN_GENCB_GENERATED, n=i: after generating the i'th possible prime
+// number.
+// event=BN_GENCB_PRIME_TEST, n=-1: when finished trial division primality
+// checks.
+// event=BN_GENCB_PRIME_TEST, n=i: when the i'th primality test has finished.
+//
+// The callback can return zero to abort the generation progress or one to
+// allow it to continue.
+//
+// When other code needs to call a BN generation function it will often take a
+// BN_GENCB argument and may call the function with other argument values.
#define BN_GENCB_GENERATED 0
#define BN_GENCB_PRIME_TEST 1
struct bn_gencb_st {
- void *arg; /* callback-specific data */
+ void *arg; // callback-specific data
int (*callback)(int event, int n, struct bn_gencb_st *);
};
-/* BN_GENCB_set configures |callback| to call |f| and sets |callout->arg| to
- * |arg|. */
+// BN_GENCB_set configures |callback| to call |f| and sets |callout->arg| to
+// |arg|.
OPENSSL_EXPORT void BN_GENCB_set(BN_GENCB *callback,
int (*f)(int event, int n,
struct bn_gencb_st *),
void *arg);
-/* BN_GENCB_call calls |callback|, if not NULL, and returns the return value of
- * the callback, or 1 if |callback| is NULL. */
+// BN_GENCB_call calls |callback|, if not NULL, and returns the return value of
+// the callback, or 1 if |callback| is NULL.
OPENSSL_EXPORT int BN_GENCB_call(BN_GENCB *callback, int event, int n);
-/* BN_generate_prime_ex sets |ret| to a prime number of |bits| length. If safe
- * is non-zero then the prime will be such that (ret-1)/2 is also a prime.
- * (This is needed for Diffie-Hellman groups to ensure that the only subgroups
- * are of size 2 and (p-1)/2.).
- *
- * If |add| is not NULL, the prime will fulfill the condition |ret| % |add| ==
- * |rem| in order to suit a given generator. (If |rem| is NULL then |ret| %
- * |add| == 1.)
- *
- * If |cb| is not NULL, it will be called during processing to give an
- * indication of progress. See the comments for |BN_GENCB|. It returns one on
- * success and zero otherwise. */
+// BN_generate_prime_ex sets |ret| to a prime number of |bits| length. If safe
+// is non-zero then the prime will be such that (ret-1)/2 is also a prime.
+// (This is needed for Diffie-Hellman groups to ensure that the only subgroups
+// are of size 2 and (p-1)/2.).
+//
+// If |add| is not NULL, the prime will fulfill the condition |ret| % |add| ==
+// |rem| in order to suit a given generator. (If |rem| is NULL then |ret| %
+// |add| == 1.)
+//
+// If |cb| is not NULL, it will be called during processing to give an
+// indication of progress. See the comments for |BN_GENCB|. It returns one on
+// success and zero otherwise.
OPENSSL_EXPORT int BN_generate_prime_ex(BIGNUM *ret, int bits, int safe,
const BIGNUM *add, const BIGNUM *rem,
BN_GENCB *cb);
-/* BN_prime_checks is magic value that can be used as the |checks| argument to
- * the primality testing functions in order to automatically select a number of
- * Miller-Rabin checks that gives a false positive rate of ~2^{-80}. */
+// BN_prime_checks is magic value that can be used as the |checks| argument to
+// the primality testing functions in order to automatically select a number of
+// Miller-Rabin checks that gives a false positive rate of ~2^{-80}.
#define BN_prime_checks 0
-/* bn_primality_result_t enumerates the outcomes of primality-testing. */
+// bn_primality_result_t enumerates the outcomes of primality-testing.
enum bn_primality_result_t {
bn_probably_prime,
bn_composite,
bn_non_prime_power_composite,
};
-/* BN_enhanced_miller_rabin_primality_test tests whether |w| is probably a prime
- * number using the Enhanced Miller-Rabin Test (FIPS 186-4 C.3.2) with
- * |iterations| iterations and returns the result in |out_result|. Enhanced
- * Miller-Rabin tests primality for odd integers greater than 3, returning
- * |bn_probably_prime| if the number is probably prime,
- * |bn_non_prime_power_composite| if the number is a composite that is not the
- * power of a single prime, and |bn_composite| otherwise. If |iterations| is
- * |BN_prime_checks|, then a value that results in a false positive rate lower
- * than the number-field sieve security level of |w| is used. It returns one on
- * success and zero on failure. If |cb| is not NULL, then it is called during
- * each iteration of the primality test. */
+// BN_enhanced_miller_rabin_primality_test tests whether |w| is probably a prime
+// number using the Enhanced Miller-Rabin Test (FIPS 186-4 C.3.2) with
+// |iterations| iterations and returns the result in |out_result|. Enhanced
+// Miller-Rabin tests primality for odd integers greater than 3, returning
+// |bn_probably_prime| if the number is probably prime,
+// |bn_non_prime_power_composite| if the number is a composite that is not the
+// power of a single prime, and |bn_composite| otherwise. If |iterations| is
+// |BN_prime_checks|, then a value that results in a false positive rate lower
+// than the number-field sieve security level of |w| is used. It returns one on
+// success and zero on failure. If |cb| is not NULL, then it is called during
+// each iteration of the primality test.
int BN_enhanced_miller_rabin_primality_test(
enum bn_primality_result_t *out_result, const BIGNUM *w, int iterations,
BN_CTX *ctx, BN_GENCB *cb);
-/* BN_primality_test sets |*is_probably_prime| to one if |candidate| is
- * probably a prime number by the Miller-Rabin test or zero if it's certainly
- * not.
- *
- * If |do_trial_division| is non-zero then |candidate| will be tested against a
- * list of small primes before Miller-Rabin tests. The probability of this
- * function returning a false positive is 2^{2*checks}. If |checks| is
- * |BN_prime_checks| then a value that results in a false positive rate lower
- * than the number-field sieve security level of |candidate| is used. If |cb| is
- * not NULL then it is called during the checking process. See the comment above
- * |BN_GENCB|.
- *
- * The function returns one on success and zero on error.
- *
- * (If you are unsure whether you want |do_trial_division|, don't set it.) */
+// BN_primality_test sets |*is_probably_prime| to one if |candidate| is
+// probably a prime number by the Miller-Rabin test or zero if it's certainly
+// not.
+//
+// If |do_trial_division| is non-zero then |candidate| will be tested against a
+// list of small primes before Miller-Rabin tests. The probability of this
+// function returning a false positive is 2^{2*checks}. If |checks| is
+// |BN_prime_checks| then a value that results in a false positive rate lower
+// than the number-field sieve security level of |candidate| is used. If |cb| is
+// not NULL then it is called during the checking process. See the comment above
+// |BN_GENCB|.
+//
+// The function returns one on success and zero on error.
+//
+// (If you are unsure whether you want |do_trial_division|, don't set it.)
OPENSSL_EXPORT int BN_primality_test(int *is_probably_prime,
const BIGNUM *candidate, int checks,
BN_CTX *ctx, int do_trial_division,
BN_GENCB *cb);
-/* BN_is_prime_fasttest_ex returns one if |candidate| is probably a prime
- * number by the Miller-Rabin test, zero if it's certainly not and -1 on error.
- *
- * If |do_trial_division| is non-zero then |candidate| will be tested against a
- * list of small primes before Miller-Rabin tests. The probability of this
- * function returning one when |candidate| is composite is 2^{2*checks}. If
- * |checks| is |BN_prime_checks| then a value that results in a false positive
- * rate lower than the number-field sieve security level of |candidate| is used.
- * If |cb| is not NULL then it is called during the checking process. See the
- * comment above |BN_GENCB|.
- *
- * WARNING: deprecated. Use |BN_primality_test|. */
+// BN_is_prime_fasttest_ex returns one if |candidate| is probably a prime
+// number by the Miller-Rabin test, zero if it's certainly not and -1 on error.
+//
+// If |do_trial_division| is non-zero then |candidate| will be tested against a
+// list of small primes before Miller-Rabin tests. The probability of this
+// function returning one when |candidate| is composite is 2^{2*checks}. If
+// |checks| is |BN_prime_checks| then a value that results in a false positive
+// rate lower than the number-field sieve security level of |candidate| is used.
+// If |cb| is not NULL then it is called during the checking process. See the
+// comment above |BN_GENCB|.
+//
+// WARNING: deprecated. Use |BN_primality_test|.
OPENSSL_EXPORT int BN_is_prime_fasttest_ex(const BIGNUM *candidate, int checks,
BN_CTX *ctx, int do_trial_division,
BN_GENCB *cb);
-/* BN_is_prime_ex acts the same as |BN_is_prime_fasttest_ex| with
- * |do_trial_division| set to zero.
- *
- * WARNING: deprecated: Use |BN_primality_test|. */
+// BN_is_prime_ex acts the same as |BN_is_prime_fasttest_ex| with
+// |do_trial_division| set to zero.
+//
+// WARNING: deprecated: Use |BN_primality_test|.
OPENSSL_EXPORT int BN_is_prime_ex(const BIGNUM *candidate, int checks,
BN_CTX *ctx, BN_GENCB *cb);
-/* Number theory functions */
+// Number theory functions
-/* BN_gcd sets |r| = gcd(|a|, |b|). It returns one on success and zero
- * otherwise. */
+// BN_gcd sets |r| = gcd(|a|, |b|). It returns one on success and zero
+// otherwise.
OPENSSL_EXPORT int BN_gcd(BIGNUM *r, const BIGNUM *a, const BIGNUM *b,
BN_CTX *ctx);
-/* BN_mod_inverse sets |out| equal to |a|^-1, mod |n|. If |out| is NULL, a
- * fresh BIGNUM is allocated. It returns the result or NULL on error.
- *
- * If |n| is even then the operation is performed using an algorithm that avoids
- * some branches but which isn't constant-time. This function shouldn't be used
- * for secret values; use |BN_mod_inverse_blinded| instead. Or, if |n| is
- * guaranteed to be prime, use
- * |BN_mod_exp_mont_consttime(out, a, m_minus_2, m, ctx, m_mont)|, taking
- * advantage of Fermat's Little Theorem. */
+// BN_mod_inverse sets |out| equal to |a|^-1, mod |n|. If |out| is NULL, a
+// fresh BIGNUM is allocated. It returns the result or NULL on error.
+//
+// If |n| is even then the operation is performed using an algorithm that avoids
+// some branches but which isn't constant-time. This function shouldn't be used
+// for secret values; use |BN_mod_inverse_blinded| instead. Or, if |n| is
+// guaranteed to be prime, use
+// |BN_mod_exp_mont_consttime(out, a, m_minus_2, m, ctx, m_mont)|, taking
+// advantage of Fermat's Little Theorem.
OPENSSL_EXPORT BIGNUM *BN_mod_inverse(BIGNUM *out, const BIGNUM *a,
const BIGNUM *n, BN_CTX *ctx);
-/* BN_mod_inverse_blinded sets |out| equal to |a|^-1, mod |n|, where |n| is the
- * Montgomery modulus for |mont|. |a| must be non-negative and must be less
- * than |n|. |n| must be greater than 1. |a| is blinded (masked by a random
- * value) to protect it against side-channel attacks. On failure, if the failure
- * was caused by |a| having no inverse mod |n| then |*out_no_inverse| will be
- * set to one; otherwise it will be set to zero. */
+// BN_mod_inverse_blinded sets |out| equal to |a|^-1, mod |n|, where |n| is the
+// Montgomery modulus for |mont|. |a| must be non-negative and must be less
+// than |n|. |n| must be greater than 1. |a| is blinded (masked by a random
+// value) to protect it against side-channel attacks. On failure, if the failure
+// was caused by |a| having no inverse mod |n| then |*out_no_inverse| will be
+// set to one; otherwise it will be set to zero.
int BN_mod_inverse_blinded(BIGNUM *out, int *out_no_inverse, const BIGNUM *a,
const BN_MONT_CTX *mont, BN_CTX *ctx);
-/* BN_mod_inverse_odd sets |out| equal to |a|^-1, mod |n|. |a| must be
- * non-negative and must be less than |n|. |n| must be odd. This function
- * shouldn't be used for secret values; use |BN_mod_inverse_blinded| instead.
- * Or, if |n| is guaranteed to be prime, use
- * |BN_mod_exp_mont_consttime(out, a, m_minus_2, m, ctx, m_mont)|, taking
- * advantage of Fermat's Little Theorem. It returns one on success or zero on
- * failure. On failure, if the failure was caused by |a| having no inverse mod
- * |n| then |*out_no_inverse| will be set to one; otherwise it will be set to
- * zero. */
+// BN_mod_inverse_odd sets |out| equal to |a|^-1, mod |n|. |a| must be
+// non-negative and must be less than |n|. |n| must be odd. This function
+// shouldn't be used for secret values; use |BN_mod_inverse_blinded| instead.
+// Or, if |n| is guaranteed to be prime, use
+// |BN_mod_exp_mont_consttime(out, a, m_minus_2, m, ctx, m_mont)|, taking
+// advantage of Fermat's Little Theorem. It returns one on success or zero on
+// failure. On failure, if the failure was caused by |a| having no inverse mod
+// |n| then |*out_no_inverse| will be set to one; otherwise it will be set to
+// zero.
int BN_mod_inverse_odd(BIGNUM *out, int *out_no_inverse, const BIGNUM *a,
const BIGNUM *n, BN_CTX *ctx);
-/* Montgomery arithmetic. */
+// Montgomery arithmetic.
-/* BN_MONT_CTX contains the precomputed values needed to work in a specific
- * Montgomery domain. */
+// BN_MONT_CTX contains the precomputed values needed to work in a specific
+// Montgomery domain.
-/* BN_MONT_CTX_new returns a fresh BN_MONT_CTX or NULL on allocation failure. */
+// BN_MONT_CTX_new returns a fresh BN_MONT_CTX or NULL on allocation failure.
OPENSSL_EXPORT BN_MONT_CTX *BN_MONT_CTX_new(void);
-/* BN_MONT_CTX_free frees memory associated with |mont|. */
+// BN_MONT_CTX_free frees memory associated with |mont|.
OPENSSL_EXPORT void BN_MONT_CTX_free(BN_MONT_CTX *mont);
-/* BN_MONT_CTX_copy sets |to| equal to |from|. It returns |to| on success or
- * NULL on error. */
+// BN_MONT_CTX_copy sets |to| equal to |from|. It returns |to| on success or
+// NULL on error.
OPENSSL_EXPORT BN_MONT_CTX *BN_MONT_CTX_copy(BN_MONT_CTX *to,
const BN_MONT_CTX *from);
-/* BN_MONT_CTX_set sets up a Montgomery context given the modulus, |mod|. It
- * returns one on success and zero on error. */
+// BN_MONT_CTX_set sets up a Montgomery context given the modulus, |mod|. It
+// returns one on success and zero on error.
OPENSSL_EXPORT int BN_MONT_CTX_set(BN_MONT_CTX *mont, const BIGNUM *mod,
BN_CTX *ctx);
-/* BN_MONT_CTX_set_locked takes |lock| and checks whether |*pmont| is NULL. If
- * so, it creates a new |BN_MONT_CTX| and sets the modulus for it to |mod|. It
- * then stores it as |*pmont|. It returns one on success and zero on error.
- *
- * If |*pmont| is already non-NULL then it does nothing and returns one. */
+// BN_MONT_CTX_set_locked takes |lock| and checks whether |*pmont| is NULL. If
+// so, it creates a new |BN_MONT_CTX| and sets the modulus for it to |mod|. It
+// then stores it as |*pmont|. It returns one on success and zero on error.
+//
+// If |*pmont| is already non-NULL then it does nothing and returns one.
int BN_MONT_CTX_set_locked(BN_MONT_CTX **pmont, CRYPTO_MUTEX *lock,
const BIGNUM *mod, BN_CTX *bn_ctx);
-/* BN_to_montgomery sets |ret| equal to |a| in the Montgomery domain. |a| is
- * assumed to be in the range [0, n), where |n| is the Montgomery modulus. It
- * returns one on success or zero on error. */
+// BN_to_montgomery sets |ret| equal to |a| in the Montgomery domain. |a| is
+// assumed to be in the range [0, n), where |n| is the Montgomery modulus. It
+// returns one on success or zero on error.
OPENSSL_EXPORT int BN_to_montgomery(BIGNUM *ret, const BIGNUM *a,
const BN_MONT_CTX *mont, BN_CTX *ctx);
-/* BN_from_montgomery sets |ret| equal to |a| * R^-1, i.e. translates values out
- * of the Montgomery domain. |a| is assumed to be in the range [0, n), where |n|
- * is the Montgomery modulus. It returns one on success or zero on error. */
+// BN_from_montgomery sets |ret| equal to |a| * R^-1, i.e. translates values out
+// of the Montgomery domain. |a| is assumed to be in the range [0, n), where |n|
+// is the Montgomery modulus. It returns one on success or zero on error.
OPENSSL_EXPORT int BN_from_montgomery(BIGNUM *ret, const BIGNUM *a,
const BN_MONT_CTX *mont, BN_CTX *ctx);
-/* BN_mod_mul_montgomery set |r| equal to |a| * |b|, in the Montgomery domain.
- * Both |a| and |b| must already be in the Montgomery domain (by
- * |BN_to_montgomery|). In particular, |a| and |b| are assumed to be in the
- * range [0, n), where |n| is the Montgomery modulus. It returns one on success
- * or zero on error. */
+// BN_mod_mul_montgomery set |r| equal to |a| * |b|, in the Montgomery domain.
+// Both |a| and |b| must already be in the Montgomery domain (by
+// |BN_to_montgomery|). In particular, |a| and |b| are assumed to be in the
+// range [0, n), where |n| is the Montgomery modulus. It returns one on success
+// or zero on error.
OPENSSL_EXPORT int BN_mod_mul_montgomery(BIGNUM *r, const BIGNUM *a,
const BIGNUM *b,
const BN_MONT_CTX *mont, BN_CTX *ctx);
-/* Exponentiation. */
+// Exponentiation.
-/* BN_exp sets |r| equal to |a|^{|p|}. It does so with a square-and-multiply
- * algorithm that leaks side-channel information. It returns one on success or
- * zero otherwise. */
+// BN_exp sets |r| equal to |a|^{|p|}. It does so with a square-and-multiply
+// algorithm that leaks side-channel information. It returns one on success or
+// zero otherwise.
OPENSSL_EXPORT int BN_exp(BIGNUM *r, const BIGNUM *a, const BIGNUM *p,
BN_CTX *ctx);
-/* BN_mod_exp sets |r| equal to |a|^{|p|} mod |m|. It does so with the best
- * algorithm for the values provided. It returns one on success or zero
- * otherwise. The |BN_mod_exp_mont_consttime| variant must be used if the
- * exponent is secret. */
+// BN_mod_exp sets |r| equal to |a|^{|p|} mod |m|. It does so with the best
+// algorithm for the values provided. It returns one on success or zero
+// otherwise. The |BN_mod_exp_mont_consttime| variant must be used if the
+// exponent is secret.
OPENSSL_EXPORT int BN_mod_exp(BIGNUM *r, const BIGNUM *a, const BIGNUM *p,
const BIGNUM *m, BN_CTX *ctx);
@@ -874,69 +874,69 @@
const BN_MONT_CTX *mont);
-/* Deprecated functions */
+// Deprecated functions
-/* BN_bn2mpi serialises the value of |in| to |out|, using a format that consists
- * of the number's length in bytes represented as a 4-byte big-endian number,
- * and the number itself in big-endian format, where the most significant bit
- * signals a negative number. (The representation of numbers with the MSB set is
- * prefixed with null byte). |out| must have sufficient space available; to
- * find the needed amount of space, call the function with |out| set to NULL. */
+// BN_bn2mpi serialises the value of |in| to |out|, using a format that consists
+// of the number's length in bytes represented as a 4-byte big-endian number,
+// and the number itself in big-endian format, where the most significant bit
+// signals a negative number. (The representation of numbers with the MSB set is
+// prefixed with null byte). |out| must have sufficient space available; to
+// find the needed amount of space, call the function with |out| set to NULL.
OPENSSL_EXPORT size_t BN_bn2mpi(const BIGNUM *in, uint8_t *out);
-/* BN_mpi2bn parses |len| bytes from |in| and returns the resulting value. The
- * bytes at |in| are expected to be in the format emitted by |BN_bn2mpi|.
- *
- * If |out| is NULL then a fresh |BIGNUM| is allocated and returned, otherwise
- * |out| is reused and returned. On error, NULL is returned and the error queue
- * is updated. */
+// BN_mpi2bn parses |len| bytes from |in| and returns the resulting value. The
+// bytes at |in| are expected to be in the format emitted by |BN_bn2mpi|.
+//
+// If |out| is NULL then a fresh |BIGNUM| is allocated and returned, otherwise
+// |out| is reused and returned. On error, NULL is returned and the error queue
+// is updated.
OPENSSL_EXPORT BIGNUM *BN_mpi2bn(const uint8_t *in, size_t len, BIGNUM *out);
-/* BN_mod_exp_mont_word is like |BN_mod_exp_mont| except that the base |a| is
- * given as a |BN_ULONG| instead of a |BIGNUM *|. It returns one on success
- * or zero otherwise. */
+// BN_mod_exp_mont_word is like |BN_mod_exp_mont| except that the base |a| is
+// given as a |BN_ULONG| instead of a |BIGNUM *|. It returns one on success
+// or zero otherwise.
OPENSSL_EXPORT int BN_mod_exp_mont_word(BIGNUM *r, BN_ULONG a, const BIGNUM *p,
const BIGNUM *m, BN_CTX *ctx,
const BN_MONT_CTX *mont);
-/* BN_mod_exp2_mont calculates (a1^p1) * (a2^p2) mod m. It returns 1 on success
- * or zero otherwise. */
+// BN_mod_exp2_mont calculates (a1^p1) * (a2^p2) mod m. It returns 1 on success
+// or zero otherwise.
OPENSSL_EXPORT int BN_mod_exp2_mont(BIGNUM *r, const BIGNUM *a1,
const BIGNUM *p1, const BIGNUM *a2,
const BIGNUM *p2, const BIGNUM *m,
BN_CTX *ctx, const BN_MONT_CTX *mont);
-/* Private functions */
+// Private functions
struct bignum_st {
BN_ULONG *d; /* Pointer to an array of 'BN_BITS2' bit chunks in little-endian
order. */
- int top; /* Index of last used element in |d|, plus one. */
- int dmax; /* Size of |d|, in words. */
- int neg; /* one if the number is negative */
- int flags; /* bitmask of BN_FLG_* values */
+ int top; // Index of last used element in |d|, plus one.
+ int dmax; // Size of |d|, in words.
+ int neg; // one if the number is negative
+ int flags; // bitmask of BN_FLG_* values
};
struct bn_mont_ctx_st {
- BIGNUM RR; /* used to convert to montgomery form */
- BIGNUM N; /* The modulus */
- BN_ULONG n0[2]; /* least significant words of (R*Ri-1)/N */
+ BIGNUM RR; // used to convert to montgomery form
+ BIGNUM N; // The modulus
+ BN_ULONG n0[2]; // least significant words of (R*Ri-1)/N
};
OPENSSL_EXPORT unsigned BN_num_bits_word(BN_ULONG l);
#define BN_FLG_MALLOCED 0x01
#define BN_FLG_STATIC_DATA 0x02
-/* |BN_FLG_CONSTTIME| has been removed and intentionally omitted so code relying
- * on it will not compile. Consumers outside BoringSSL should use the
- * higher-level cryptographic algorithms exposed by other modules. Consumers
- * within the library should call the appropriate timing-sensitive algorithm
- * directly. */
+// |BN_FLG_CONSTTIME| has been removed and intentionally omitted so code relying
+// on it will not compile. Consumers outside BoringSSL should use the
+// higher-level cryptographic algorithms exposed by other modules. Consumers
+// within the library should call the appropriate timing-sensitive algorithm
+// directly.
#if defined(__cplusplus)
-} /* extern C */
+} // extern C
#if !defined(BORINGSSL_NO_CXX)
extern "C++" {
@@ -961,7 +961,7 @@
} // namespace bssl
-} /* extern C++ */
+} // extern C++
#endif
#endif
@@ -987,4 +987,4 @@
#define BN_R_ENCODE_ERROR 118
#define BN_R_INVALID_INPUT 119
-#endif /* OPENSSL_HEADER_BN_H */
+#endif // OPENSSL_HEADER_BN_H
diff --git a/src/include/openssl/buf.h b/src/include/openssl/buf.h
index 013c546..d4c3e22 100644
--- a/src/include/openssl/buf.h
+++ b/src/include/openssl/buf.h
@@ -64,59 +64,59 @@
#endif
-/* Memory and string functions, see also mem.h. */
+// Memory and string functions, see also mem.h.
-/* buf_mem_st (aka |BUF_MEM|) is a generic buffer object used by OpenSSL. */
+// buf_mem_st (aka |BUF_MEM|) is a generic buffer object used by OpenSSL.
struct buf_mem_st {
- size_t length; /* current number of bytes */
+ size_t length; // current number of bytes
char *data;
- size_t max; /* size of buffer */
+ size_t max; // size of buffer
};
-/* BUF_MEM_new creates a new BUF_MEM which has no allocated data buffer. */
+// BUF_MEM_new creates a new BUF_MEM which has no allocated data buffer.
OPENSSL_EXPORT BUF_MEM *BUF_MEM_new(void);
-/* BUF_MEM_free frees |buf->data| if needed and then frees |buf| itself. */
+// BUF_MEM_free frees |buf->data| if needed and then frees |buf| itself.
OPENSSL_EXPORT void BUF_MEM_free(BUF_MEM *buf);
-/* BUF_MEM_reserve ensures |buf| has capacity |cap| and allocates memory if
- * needed. It returns one on success and zero on error. */
+// BUF_MEM_reserve ensures |buf| has capacity |cap| and allocates memory if
+// needed. It returns one on success and zero on error.
OPENSSL_EXPORT int BUF_MEM_reserve(BUF_MEM *buf, size_t cap);
-/* BUF_MEM_grow ensures that |buf| has length |len| and allocates memory if
- * needed. If the length of |buf| increased, the new bytes are filled with
- * zeros. It returns the length of |buf|, or zero if there's an error. */
+// BUF_MEM_grow ensures that |buf| has length |len| and allocates memory if
+// needed. If the length of |buf| increased, the new bytes are filled with
+// zeros. It returns the length of |buf|, or zero if there's an error.
OPENSSL_EXPORT size_t BUF_MEM_grow(BUF_MEM *buf, size_t len);
-/* BUF_MEM_grow_clean acts the same as |BUF_MEM_grow|, but clears the previous
- * contents of memory if reallocing. */
+// BUF_MEM_grow_clean acts the same as |BUF_MEM_grow|, but clears the previous
+// contents of memory if reallocing.
OPENSSL_EXPORT size_t BUF_MEM_grow_clean(BUF_MEM *buf, size_t len);
-/* BUF_strdup returns an allocated, duplicate of |str|. */
+// BUF_strdup returns an allocated, duplicate of |str|.
OPENSSL_EXPORT char *BUF_strdup(const char *str);
-/* BUF_strnlen returns the number of characters in |str|, excluding the NUL
- * byte, but at most |max_len|. This function never reads more than |max_len|
- * bytes from |str|. */
+// BUF_strnlen returns the number of characters in |str|, excluding the NUL
+// byte, but at most |max_len|. This function never reads more than |max_len|
+// bytes from |str|.
OPENSSL_EXPORT size_t BUF_strnlen(const char *str, size_t max_len);
-/* BUF_strndup returns an allocated, duplicate of |str|, which is, at most,
- * |size| bytes. The result is always NUL terminated. */
+// BUF_strndup returns an allocated, duplicate of |str|, which is, at most,
+// |size| bytes. The result is always NUL terminated.
OPENSSL_EXPORT char *BUF_strndup(const char *str, size_t size);
-/* BUF_memdup returns an allocated, duplicate of |size| bytes from |data|. */
+// BUF_memdup returns an allocated, duplicate of |size| bytes from |data|.
OPENSSL_EXPORT void *BUF_memdup(const void *data, size_t size);
-/* BUF_strlcpy acts like strlcpy(3). */
+// BUF_strlcpy acts like strlcpy(3).
OPENSSL_EXPORT size_t BUF_strlcpy(char *dst, const char *src, size_t dst_size);
-/* BUF_strlcat acts like strlcat(3). */
+// BUF_strlcat acts like strlcat(3).
OPENSSL_EXPORT size_t BUF_strlcat(char *dst, const char *src, size_t dst_size);
#if defined(__cplusplus)
-} /* extern C */
+} // extern C
extern "C++" {
@@ -126,8 +126,8 @@
} // namespace bssl
-} /* extern C++ */
+} // extern C++
#endif
-#endif /* OPENSSL_HEADER_BUFFER_H */
+#endif // OPENSSL_HEADER_BUFFER_H
diff --git a/src/include/openssl/bytestring.h b/src/include/openssl/bytestring.h
index 1e74956..a09b49c 100644
--- a/src/include/openssl/bytestring.h
+++ b/src/include/openssl/bytestring.h
@@ -22,110 +22,110 @@
#endif
-/* Bytestrings are used for parsing and building TLS and ASN.1 messages.
- *
- * A "CBS" (CRYPTO ByteString) represents a string of bytes in memory and
- * provides utility functions for safely parsing length-prefixed structures
- * like TLS and ASN.1 from it.
- *
- * A "CBB" (CRYPTO ByteBuilder) is a memory buffer that grows as needed and
- * provides utility functions for building length-prefixed messages. */
+// Bytestrings are used for parsing and building TLS and ASN.1 messages.
+//
+// A "CBS" (CRYPTO ByteString) represents a string of bytes in memory and
+// provides utility functions for safely parsing length-prefixed structures
+// like TLS and ASN.1 from it.
+//
+// A "CBB" (CRYPTO ByteBuilder) is a memory buffer that grows as needed and
+// provides utility functions for building length-prefixed messages.
-/* CRYPTO ByteString */
+// CRYPTO ByteString
struct cbs_st {
const uint8_t *data;
size_t len;
};
-/* CBS_init sets |cbs| to point to |data|. It does not take ownership of
- * |data|. */
+// CBS_init sets |cbs| to point to |data|. It does not take ownership of
+// |data|.
OPENSSL_EXPORT void CBS_init(CBS *cbs, const uint8_t *data, size_t len);
-/* CBS_skip advances |cbs| by |len| bytes. It returns one on success and zero
- * otherwise. */
+// CBS_skip advances |cbs| by |len| bytes. It returns one on success and zero
+// otherwise.
OPENSSL_EXPORT int CBS_skip(CBS *cbs, size_t len);
-/* CBS_data returns a pointer to the contents of |cbs|. */
+// CBS_data returns a pointer to the contents of |cbs|.
OPENSSL_EXPORT const uint8_t *CBS_data(const CBS *cbs);
-/* CBS_len returns the number of bytes remaining in |cbs|. */
+// CBS_len returns the number of bytes remaining in |cbs|.
OPENSSL_EXPORT size_t CBS_len(const CBS *cbs);
-/* CBS_stow copies the current contents of |cbs| into |*out_ptr| and
- * |*out_len|. If |*out_ptr| is not NULL, the contents are freed with
- * OPENSSL_free. It returns one on success and zero on allocation failure. On
- * success, |*out_ptr| should be freed with OPENSSL_free. If |cbs| is empty,
- * |*out_ptr| will be NULL. */
+// CBS_stow copies the current contents of |cbs| into |*out_ptr| and
+// |*out_len|. If |*out_ptr| is not NULL, the contents are freed with
+// OPENSSL_free. It returns one on success and zero on allocation failure. On
+// success, |*out_ptr| should be freed with OPENSSL_free. If |cbs| is empty,
+// |*out_ptr| will be NULL.
OPENSSL_EXPORT int CBS_stow(const CBS *cbs, uint8_t **out_ptr, size_t *out_len);
-/* CBS_strdup copies the current contents of |cbs| into |*out_ptr| as a
- * NUL-terminated C string. If |*out_ptr| is not NULL, the contents are freed
- * with OPENSSL_free. It returns one on success and zero on allocation
- * failure. On success, |*out_ptr| should be freed with OPENSSL_free.
- *
- * NOTE: If |cbs| contains NUL bytes, the string will be truncated. Call
- * |CBS_contains_zero_byte(cbs)| to check for NUL bytes. */
+// CBS_strdup copies the current contents of |cbs| into |*out_ptr| as a
+// NUL-terminated C string. If |*out_ptr| is not NULL, the contents are freed
+// with OPENSSL_free. It returns one on success and zero on allocation
+// failure. On success, |*out_ptr| should be freed with OPENSSL_free.
+//
+// NOTE: If |cbs| contains NUL bytes, the string will be truncated. Call
+// |CBS_contains_zero_byte(cbs)| to check for NUL bytes.
OPENSSL_EXPORT int CBS_strdup(const CBS *cbs, char **out_ptr);
-/* CBS_contains_zero_byte returns one if the current contents of |cbs| contains
- * a NUL byte and zero otherwise. */
+// CBS_contains_zero_byte returns one if the current contents of |cbs| contains
+// a NUL byte and zero otherwise.
OPENSSL_EXPORT int CBS_contains_zero_byte(const CBS *cbs);
-/* CBS_mem_equal compares the current contents of |cbs| with the |len| bytes
- * starting at |data|. If they're equal, it returns one, otherwise zero. If the
- * lengths match, it uses a constant-time comparison. */
+// CBS_mem_equal compares the current contents of |cbs| with the |len| bytes
+// starting at |data|. If they're equal, it returns one, otherwise zero. If the
+// lengths match, it uses a constant-time comparison.
OPENSSL_EXPORT int CBS_mem_equal(const CBS *cbs, const uint8_t *data,
size_t len);
-/* CBS_get_u8 sets |*out| to the next uint8_t from |cbs| and advances |cbs|. It
- * returns one on success and zero on error. */
+// CBS_get_u8 sets |*out| to the next uint8_t from |cbs| and advances |cbs|. It
+// returns one on success and zero on error.
OPENSSL_EXPORT int CBS_get_u8(CBS *cbs, uint8_t *out);
-/* CBS_get_u16 sets |*out| to the next, big-endian uint16_t from |cbs| and
- * advances |cbs|. It returns one on success and zero on error. */
+// CBS_get_u16 sets |*out| to the next, big-endian uint16_t from |cbs| and
+// advances |cbs|. It returns one on success and zero on error.
OPENSSL_EXPORT int CBS_get_u16(CBS *cbs, uint16_t *out);
-/* CBS_get_u24 sets |*out| to the next, big-endian 24-bit value from |cbs| and
- * advances |cbs|. It returns one on success and zero on error. */
+// CBS_get_u24 sets |*out| to the next, big-endian 24-bit value from |cbs| and
+// advances |cbs|. It returns one on success and zero on error.
OPENSSL_EXPORT int CBS_get_u24(CBS *cbs, uint32_t *out);
-/* CBS_get_u32 sets |*out| to the next, big-endian uint32_t value from |cbs|
- * and advances |cbs|. It returns one on success and zero on error. */
+// CBS_get_u32 sets |*out| to the next, big-endian uint32_t value from |cbs|
+// and advances |cbs|. It returns one on success and zero on error.
OPENSSL_EXPORT int CBS_get_u32(CBS *cbs, uint32_t *out);
-/* CBS_get_last_u8 sets |*out| to the last uint8_t from |cbs| and shortens
- * |cbs|. It returns one on success and zero on error. */
+// CBS_get_last_u8 sets |*out| to the last uint8_t from |cbs| and shortens
+// |cbs|. It returns one on success and zero on error.
OPENSSL_EXPORT int CBS_get_last_u8(CBS *cbs, uint8_t *out);
-/* CBS_get_bytes sets |*out| to the next |len| bytes from |cbs| and advances
- * |cbs|. It returns one on success and zero on error. */
+// CBS_get_bytes sets |*out| to the next |len| bytes from |cbs| and advances
+// |cbs|. It returns one on success and zero on error.
OPENSSL_EXPORT int CBS_get_bytes(CBS *cbs, CBS *out, size_t len);
-/* CBS_copy_bytes copies the next |len| bytes from |cbs| to |out| and advances
- * |cbs|. It returns one on success and zero on error. */
+// CBS_copy_bytes copies the next |len| bytes from |cbs| to |out| and advances
+// |cbs|. It returns one on success and zero on error.
OPENSSL_EXPORT int CBS_copy_bytes(CBS *cbs, uint8_t *out, size_t len);
-/* CBS_get_u8_length_prefixed sets |*out| to the contents of an 8-bit,
- * length-prefixed value from |cbs| and advances |cbs| over it. It returns one
- * on success and zero on error. */
+// CBS_get_u8_length_prefixed sets |*out| to the contents of an 8-bit,
+// length-prefixed value from |cbs| and advances |cbs| over it. It returns one
+// on success and zero on error.
OPENSSL_EXPORT int CBS_get_u8_length_prefixed(CBS *cbs, CBS *out);
-/* CBS_get_u16_length_prefixed sets |*out| to the contents of a 16-bit,
- * big-endian, length-prefixed value from |cbs| and advances |cbs| over it. It
- * returns one on success and zero on error. */
+// CBS_get_u16_length_prefixed sets |*out| to the contents of a 16-bit,
+// big-endian, length-prefixed value from |cbs| and advances |cbs| over it. It
+// returns one on success and zero on error.
OPENSSL_EXPORT int CBS_get_u16_length_prefixed(CBS *cbs, CBS *out);
-/* CBS_get_u24_length_prefixed sets |*out| to the contents of a 24-bit,
- * big-endian, length-prefixed value from |cbs| and advances |cbs| over it. It
- * returns one on success and zero on error. */
+// CBS_get_u24_length_prefixed sets |*out| to the contents of a 24-bit,
+// big-endian, length-prefixed value from |cbs| and advances |cbs| over it. It
+// returns one on success and zero on error.
OPENSSL_EXPORT int CBS_get_u24_length_prefixed(CBS *cbs, CBS *out);
-/* Parsing ASN.1 */
+// Parsing ASN.1
-/* The following values are tag numbers for UNIVERSAL elements. */
+// The following values are tag numbers for UNIVERSAL elements.
#define CBS_ASN1_BOOLEAN 0x1u
#define CBS_ASN1_INTEGER 0x2u
#define CBS_ASN1_BITSTRING 0x3u
@@ -149,143 +149,143 @@
#define CBS_ASN1_UNIVERSALSTRING 0x1cu
#define CBS_ASN1_BMPSTRING 0x1eu
-/* CBS_ASN1_CONSTRUCTED may be ORed into a tag to toggle the constructed
- * bit. |CBS| and |CBB| APIs consider the constructed bit to be part of the
- * tag. */
+// CBS_ASN1_CONSTRUCTED may be ORed into a tag to toggle the constructed
+// bit. |CBS| and |CBB| APIs consider the constructed bit to be part of the
+// tag.
#define CBS_ASN1_CONSTRUCTED 0x20u
-/* The following values specify the constructed bit or tag class and may be ORed
- * into a tag number to produce the final tag. If none is used, the tag will be
- * UNIVERSAL.
- *
- * Note that although they currently match the DER serialization, consumers must
- * use these bits rather than make assumptions about the representation. This is
- * to allow for tag numbers beyond 31 in the future. */
+// The following values specify the constructed bit or tag class and may be ORed
+// into a tag number to produce the final tag. If none is used, the tag will be
+// UNIVERSAL.
+//
+// Note that although they currently match the DER serialization, consumers must
+// use these bits rather than make assumptions about the representation. This is
+// to allow for tag numbers beyond 31 in the future.
#define CBS_ASN1_APPLICATION 0x40u
#define CBS_ASN1_CONTEXT_SPECIFIC 0x80u
#define CBS_ASN1_PRIVATE 0xc0u
-/* CBS_ASN1_CLASS_MASK may be ANDed with a tag to query its class. */
+// CBS_ASN1_CLASS_MASK may be ANDed with a tag to query its class.
#define CBS_ASN1_CLASS_MASK 0xc0u
-/* CBS_ASN1_TAG_NUMBER_MASK may be ANDed with a tag to query its number. */
+// CBS_ASN1_TAG_NUMBER_MASK may be ANDed with a tag to query its number.
#define CBS_ASN1_TAG_NUMBER_MASK 0x1fu
-/* CBS_get_asn1 sets |*out| to the contents of DER-encoded, ASN.1 element (not
- * including tag and length bytes) and advances |cbs| over it. The ASN.1
- * element must match |tag_value|. It returns one on success and zero
- * on error.
- *
- * Tag numbers greater than 30 are not supported (i.e. short form only). */
+// CBS_get_asn1 sets |*out| to the contents of DER-encoded, ASN.1 element (not
+// including tag and length bytes) and advances |cbs| over it. The ASN.1
+// element must match |tag_value|. It returns one on success and zero
+// on error.
+//
+// Tag numbers greater than 30 are not supported (i.e. short form only).
OPENSSL_EXPORT int CBS_get_asn1(CBS *cbs, CBS *out, unsigned tag_value);
-/* CBS_get_asn1_element acts like |CBS_get_asn1| but |out| will include the
- * ASN.1 header bytes too. */
+// CBS_get_asn1_element acts like |CBS_get_asn1| but |out| will include the
+// ASN.1 header bytes too.
OPENSSL_EXPORT int CBS_get_asn1_element(CBS *cbs, CBS *out, unsigned tag_value);
-/* CBS_peek_asn1_tag looks ahead at the next ASN.1 tag and returns one
- * if the next ASN.1 element on |cbs| would have tag |tag_value|. If
- * |cbs| is empty or the tag does not match, it returns zero. Note: if
- * it returns one, CBS_get_asn1 may still fail if the rest of the
- * element is malformed. */
+// CBS_peek_asn1_tag looks ahead at the next ASN.1 tag and returns one
+// if the next ASN.1 element on |cbs| would have tag |tag_value|. If
+// |cbs| is empty or the tag does not match, it returns zero. Note: if
+// it returns one, CBS_get_asn1 may still fail if the rest of the
+// element is malformed.
OPENSSL_EXPORT int CBS_peek_asn1_tag(const CBS *cbs, unsigned tag_value);
-/* CBS_get_any_asn1 sets |*out| to contain the next ASN.1 element from |*cbs|
- * (not including tag and length bytes), sets |*out_tag| to the tag number, and
- * advances |*cbs|. It returns one on success and zero on error. Either of |out|
- * and |out_tag| may be NULL to ignore the value.
- *
- * Tag numbers greater than 30 are not supported (i.e. short form only). */
+// CBS_get_any_asn1 sets |*out| to contain the next ASN.1 element from |*cbs|
+// (not including tag and length bytes), sets |*out_tag| to the tag number, and
+// advances |*cbs|. It returns one on success and zero on error. Either of |out|
+// and |out_tag| may be NULL to ignore the value.
+//
+// Tag numbers greater than 30 are not supported (i.e. short form only).
OPENSSL_EXPORT int CBS_get_any_asn1(CBS *cbs, CBS *out, unsigned *out_tag);
-/* CBS_get_any_asn1_element sets |*out| to contain the next ASN.1 element from
- * |*cbs| (including header bytes) and advances |*cbs|. It sets |*out_tag| to
- * the tag number and |*out_header_len| to the length of the ASN.1 header. Each
- * of |out|, |out_tag|, and |out_header_len| may be NULL to ignore the value.
- *
- * Tag numbers greater than 30 are not supported (i.e. short form only). */
+// CBS_get_any_asn1_element sets |*out| to contain the next ASN.1 element from
+// |*cbs| (including header bytes) and advances |*cbs|. It sets |*out_tag| to
+// the tag number and |*out_header_len| to the length of the ASN.1 header. Each
+// of |out|, |out_tag|, and |out_header_len| may be NULL to ignore the value.
+//
+// Tag numbers greater than 30 are not supported (i.e. short form only).
OPENSSL_EXPORT int CBS_get_any_asn1_element(CBS *cbs, CBS *out,
unsigned *out_tag,
size_t *out_header_len);
-/* CBS_get_any_ber_asn1_element acts the same as |CBS_get_any_asn1_element| but
- * also allows indefinite-length elements to be returned. In that case,
- * |*out_header_len| and |CBS_len(out)| will both be two as only the header is
- * returned, otherwise it behaves the same as the previous function. */
+// CBS_get_any_ber_asn1_element acts the same as |CBS_get_any_asn1_element| but
+// also allows indefinite-length elements to be returned. In that case,
+// |*out_header_len| and |CBS_len(out)| will both be two as only the header is
+// returned, otherwise it behaves the same as the previous function.
OPENSSL_EXPORT int CBS_get_any_ber_asn1_element(CBS *cbs, CBS *out,
unsigned *out_tag,
size_t *out_header_len);
-/* CBS_get_asn1_uint64 gets an ASN.1 INTEGER from |cbs| using |CBS_get_asn1|
- * and sets |*out| to its value. It returns one on success and zero on error,
- * where error includes the integer being negative, or too large to represent
- * in 64 bits. */
+// CBS_get_asn1_uint64 gets an ASN.1 INTEGER from |cbs| using |CBS_get_asn1|
+// and sets |*out| to its value. It returns one on success and zero on error,
+// where error includes the integer being negative, or too large to represent
+// in 64 bits.
OPENSSL_EXPORT int CBS_get_asn1_uint64(CBS *cbs, uint64_t *out);
-/* CBS_get_optional_asn1 gets an optional explicitly-tagged element from |cbs|
- * tagged with |tag| and sets |*out| to its contents. If present and if
- * |out_present| is not NULL, it sets |*out_present| to one, otherwise zero. It
- * returns one on success, whether or not the element was present, and zero on
- * decode failure. */
+// CBS_get_optional_asn1 gets an optional explicitly-tagged element from |cbs|
+// tagged with |tag| and sets |*out| to its contents. If present and if
+// |out_present| is not NULL, it sets |*out_present| to one, otherwise zero. It
+// returns one on success, whether or not the element was present, and zero on
+// decode failure.
OPENSSL_EXPORT int CBS_get_optional_asn1(CBS *cbs, CBS *out, int *out_present,
unsigned tag);
-/* CBS_get_optional_asn1_octet_string gets an optional
- * explicitly-tagged OCTET STRING from |cbs|. If present, it sets
- * |*out| to the string and |*out_present| to one. Otherwise, it sets
- * |*out| to empty and |*out_present| to zero. |out_present| may be
- * NULL. It returns one on success, whether or not the element was
- * present, and zero on decode failure. */
+// CBS_get_optional_asn1_octet_string gets an optional
+// explicitly-tagged OCTET STRING from |cbs|. If present, it sets
+// |*out| to the string and |*out_present| to one. Otherwise, it sets
+// |*out| to empty and |*out_present| to zero. |out_present| may be
+// NULL. It returns one on success, whether or not the element was
+// present, and zero on decode failure.
OPENSSL_EXPORT int CBS_get_optional_asn1_octet_string(CBS *cbs, CBS *out,
int *out_present,
unsigned tag);
-/* CBS_get_optional_asn1_uint64 gets an optional explicitly-tagged
- * INTEGER from |cbs|. If present, it sets |*out| to the
- * value. Otherwise, it sets |*out| to |default_value|. It returns one
- * on success, whether or not the element was present, and zero on
- * decode failure. */
+// CBS_get_optional_asn1_uint64 gets an optional explicitly-tagged
+// INTEGER from |cbs|. If present, it sets |*out| to the
+// value. Otherwise, it sets |*out| to |default_value|. It returns one
+// on success, whether or not the element was present, and zero on
+// decode failure.
OPENSSL_EXPORT int CBS_get_optional_asn1_uint64(CBS *cbs, uint64_t *out,
unsigned tag,
uint64_t default_value);
-/* CBS_get_optional_asn1_bool gets an optional, explicitly-tagged BOOLEAN from
- * |cbs|. If present, it sets |*out| to either zero or one, based on the
- * boolean. Otherwise, it sets |*out| to |default_value|. It returns one on
- * success, whether or not the element was present, and zero on decode
- * failure. */
+// CBS_get_optional_asn1_bool gets an optional, explicitly-tagged BOOLEAN from
+// |cbs|. If present, it sets |*out| to either zero or one, based on the
+// boolean. Otherwise, it sets |*out| to |default_value|. It returns one on
+// success, whether or not the element was present, and zero on decode
+// failure.
OPENSSL_EXPORT int CBS_get_optional_asn1_bool(CBS *cbs, int *out, unsigned tag,
int default_value);
-/* CBS_is_valid_asn1_bitstring returns one if |cbs| is a valid ASN.1 BIT STRING
- * and zero otherwise. */
+// CBS_is_valid_asn1_bitstring returns one if |cbs| is a valid ASN.1 BIT STRING
+// and zero otherwise.
OPENSSL_EXPORT int CBS_is_valid_asn1_bitstring(const CBS *cbs);
-/* CBS_asn1_bitstring_has_bit returns one if |cbs| is a valid ASN.1 BIT STRING
- * and the specified bit is present and set. Otherwise, it returns zero. |bit|
- * is indexed starting from zero. */
+// CBS_asn1_bitstring_has_bit returns one if |cbs| is a valid ASN.1 BIT STRING
+// and the specified bit is present and set. Otherwise, it returns zero. |bit|
+// is indexed starting from zero.
OPENSSL_EXPORT int CBS_asn1_bitstring_has_bit(const CBS *cbs, unsigned bit);
-/* CRYPTO ByteBuilder.
- *
- * |CBB| objects allow one to build length-prefixed serialisations. A |CBB|
- * object is associated with a buffer and new buffers are created with
- * |CBB_init|. Several |CBB| objects can point at the same buffer when a
- * length-prefix is pending, however only a single |CBB| can be 'current' at
- * any one time. For example, if one calls |CBB_add_u8_length_prefixed| then
- * the new |CBB| points at the same buffer as the original. But if the original
- * |CBB| is used then the length prefix is written out and the new |CBB| must
- * not be used again.
- *
- * If one needs to force a length prefix to be written out because a |CBB| is
- * going out of scope, use |CBB_flush|. If an operation on a |CBB| fails, it is
- * in an undefined state and must not be used except to call |CBB_cleanup|. */
+// CRYPTO ByteBuilder.
+//
+// |CBB| objects allow one to build length-prefixed serialisations. A |CBB|
+// object is associated with a buffer and new buffers are created with
+// |CBB_init|. Several |CBB| objects can point at the same buffer when a
+// length-prefix is pending, however only a single |CBB| can be 'current' at
+// any one time. For example, if one calls |CBB_add_u8_length_prefixed| then
+// the new |CBB| points at the same buffer as the original. But if the original
+// |CBB| is used then the length prefix is written out and the new |CBB| must
+// not be used again.
+//
+// If one needs to force a length prefix to be written out because a |CBB| is
+// going out of scope, use |CBB_flush|. If an operation on a |CBB| fails, it is
+// in an undefined state and must not be used except to call |CBB_cleanup|.
struct cbb_buffer_st {
uint8_t *buf;
- size_t len; /* The number of valid bytes. */
- size_t cap; /* The size of buf. */
+ size_t len; // The number of valid bytes.
+ size_t cap; // The size of buf.
char can_resize; /* One iff |buf| is owned by this object. If not then |buf|
cannot be resized. */
char error; /* One iff there was an error writing to this CBB. All future
@@ -294,147 +294,147 @@
struct cbb_st {
struct cbb_buffer_st *base;
- /* child points to a child CBB if a length-prefix is pending. */
+ // child points to a child CBB if a length-prefix is pending.
CBB *child;
- /* offset is the number of bytes from the start of |base->buf| to this |CBB|'s
- * pending length prefix. */
+ // offset is the number of bytes from the start of |base->buf| to this |CBB|'s
+ // pending length prefix.
size_t offset;
- /* pending_len_len contains the number of bytes in this |CBB|'s pending
- * length-prefix, or zero if no length-prefix is pending. */
+ // pending_len_len contains the number of bytes in this |CBB|'s pending
+ // length-prefix, or zero if no length-prefix is pending.
uint8_t pending_len_len;
char pending_is_asn1;
- /* is_top_level is true iff this is a top-level |CBB| (as opposed to a child
- * |CBB|). Top-level objects are valid arguments for |CBB_finish|. */
+ // is_top_level is true iff this is a top-level |CBB| (as opposed to a child
+ // |CBB|). Top-level objects are valid arguments for |CBB_finish|.
char is_top_level;
};
-/* CBB_zero sets an uninitialised |cbb| to the zero state. It must be
- * initialised with |CBB_init| or |CBB_init_fixed| before use, but it is safe to
- * call |CBB_cleanup| without a successful |CBB_init|. This may be used for more
- * uniform cleanup of a |CBB|. */
+// CBB_zero sets an uninitialised |cbb| to the zero state. It must be
+// initialised with |CBB_init| or |CBB_init_fixed| before use, but it is safe to
+// call |CBB_cleanup| without a successful |CBB_init|. This may be used for more
+// uniform cleanup of a |CBB|.
OPENSSL_EXPORT void CBB_zero(CBB *cbb);
-/* CBB_init initialises |cbb| with |initial_capacity|. Since a |CBB| grows as
- * needed, the |initial_capacity| is just a hint. It returns one on success or
- * zero on error. */
+// CBB_init initialises |cbb| with |initial_capacity|. Since a |CBB| grows as
+// needed, the |initial_capacity| is just a hint. It returns one on success or
+// zero on error.
OPENSSL_EXPORT int CBB_init(CBB *cbb, size_t initial_capacity);
-/* CBB_init_fixed initialises |cbb| to write to |len| bytes at |buf|. Since
- * |buf| cannot grow, trying to write more than |len| bytes will cause CBB
- * functions to fail. It returns one on success or zero on error. */
+// CBB_init_fixed initialises |cbb| to write to |len| bytes at |buf|. Since
+// |buf| cannot grow, trying to write more than |len| bytes will cause CBB
+// functions to fail. It returns one on success or zero on error.
OPENSSL_EXPORT int CBB_init_fixed(CBB *cbb, uint8_t *buf, size_t len);
-/* CBB_cleanup frees all resources owned by |cbb| and other |CBB| objects
- * writing to the same buffer. This should be used in an error case where a
- * serialisation is abandoned.
- *
- * This function can only be called on a "top level" |CBB|, i.e. one initialised
- * with |CBB_init| or |CBB_init_fixed|, or a |CBB| set to the zero state with
- * |CBB_zero|. */
+// CBB_cleanup frees all resources owned by |cbb| and other |CBB| objects
+// writing to the same buffer. This should be used in an error case where a
+// serialisation is abandoned.
+//
+// This function can only be called on a "top level" |CBB|, i.e. one initialised
+// with |CBB_init| or |CBB_init_fixed|, or a |CBB| set to the zero state with
+// |CBB_zero|.
OPENSSL_EXPORT void CBB_cleanup(CBB *cbb);
-/* CBB_finish completes any pending length prefix and sets |*out_data| to a
- * malloced buffer and |*out_len| to the length of that buffer. The caller
- * takes ownership of the buffer and, unless the buffer was fixed with
- * |CBB_init_fixed|, must call |OPENSSL_free| when done.
- *
- * It can only be called on a "top level" |CBB|, i.e. one initialised with
- * |CBB_init| or |CBB_init_fixed|. It returns one on success and zero on
- * error. */
+// CBB_finish completes any pending length prefix and sets |*out_data| to a
+// malloced buffer and |*out_len| to the length of that buffer. The caller
+// takes ownership of the buffer and, unless the buffer was fixed with
+// |CBB_init_fixed|, must call |OPENSSL_free| when done.
+//
+// It can only be called on a "top level" |CBB|, i.e. one initialised with
+// |CBB_init| or |CBB_init_fixed|. It returns one on success and zero on
+// error.
OPENSSL_EXPORT int CBB_finish(CBB *cbb, uint8_t **out_data, size_t *out_len);
-/* CBB_flush causes any pending length prefixes to be written out and any child
- * |CBB| objects of |cbb| to be invalidated. This allows |cbb| to continue to be
- * used after the children go out of scope, e.g. when local |CBB| objects are
- * added as children to a |CBB| that persists after a function returns. This
- * function returns one on success or zero on error. */
+// CBB_flush causes any pending length prefixes to be written out and any child
+// |CBB| objects of |cbb| to be invalidated. This allows |cbb| to continue to be
+// used after the children go out of scope, e.g. when local |CBB| objects are
+// added as children to a |CBB| that persists after a function returns. This
+// function returns one on success or zero on error.
OPENSSL_EXPORT int CBB_flush(CBB *cbb);
-/* CBB_data returns a pointer to the bytes written to |cbb|. It does not flush
- * |cbb|. The pointer is valid until the next operation to |cbb|.
- *
- * To avoid unfinalized length prefixes, it is a fatal error to call this on a
- * CBB with any active children. */
+// CBB_data returns a pointer to the bytes written to |cbb|. It does not flush
+// |cbb|. The pointer is valid until the next operation to |cbb|.
+//
+// To avoid unfinalized length prefixes, it is a fatal error to call this on a
+// CBB with any active children.
OPENSSL_EXPORT const uint8_t *CBB_data(const CBB *cbb);
-/* CBB_len returns the number of bytes written to |cbb|. It does not flush
- * |cbb|.
- *
- * To avoid unfinalized length prefixes, it is a fatal error to call this on a
- * CBB with any active children. */
+// CBB_len returns the number of bytes written to |cbb|. It does not flush
+// |cbb|.
+//
+// To avoid unfinalized length prefixes, it is a fatal error to call this on a
+// CBB with any active children.
OPENSSL_EXPORT size_t CBB_len(const CBB *cbb);
-/* CBB_add_u8_length_prefixed sets |*out_contents| to a new child of |cbb|. The
- * data written to |*out_contents| will be prefixed in |cbb| with an 8-bit
- * length. It returns one on success or zero on error. */
+// CBB_add_u8_length_prefixed sets |*out_contents| to a new child of |cbb|. The
+// data written to |*out_contents| will be prefixed in |cbb| with an 8-bit
+// length. It returns one on success or zero on error.
OPENSSL_EXPORT int CBB_add_u8_length_prefixed(CBB *cbb, CBB *out_contents);
-/* CBB_add_u16_length_prefixed sets |*out_contents| to a new child of |cbb|.
- * The data written to |*out_contents| will be prefixed in |cbb| with a 16-bit,
- * big-endian length. It returns one on success or zero on error. */
+// CBB_add_u16_length_prefixed sets |*out_contents| to a new child of |cbb|.
+// The data written to |*out_contents| will be prefixed in |cbb| with a 16-bit,
+// big-endian length. It returns one on success or zero on error.
OPENSSL_EXPORT int CBB_add_u16_length_prefixed(CBB *cbb, CBB *out_contents);
-/* CBB_add_u24_length_prefixed sets |*out_contents| to a new child of |cbb|.
- * The data written to |*out_contents| will be prefixed in |cbb| with a 24-bit,
- * big-endian length. It returns one on success or zero on error. */
+// CBB_add_u24_length_prefixed sets |*out_contents| to a new child of |cbb|.
+// The data written to |*out_contents| will be prefixed in |cbb| with a 24-bit,
+// big-endian length. It returns one on success or zero on error.
OPENSSL_EXPORT int CBB_add_u24_length_prefixed(CBB *cbb, CBB *out_contents);
-/* CBB_add_asn1 sets |*out_contents| to a |CBB| into which the contents of an
- * ASN.1 object can be written. The |tag| argument will be used as the tag for
- * the object. Passing in |tag| number 31 will return in an error since only
- * single octet identifiers are supported. It returns one on success or zero
- * on error. */
+// CBB_add_asn1 sets |*out_contents| to a |CBB| into which the contents of an
+// ASN.1 object can be written. The |tag| argument will be used as the tag for
+// the object. Passing in |tag| number 31 will return in an error since only
+// single octet identifiers are supported. It returns one on success or zero
+// on error.
OPENSSL_EXPORT int CBB_add_asn1(CBB *cbb, CBB *out_contents, unsigned tag);
-/* CBB_add_bytes appends |len| bytes from |data| to |cbb|. It returns one on
- * success and zero otherwise. */
+// CBB_add_bytes appends |len| bytes from |data| to |cbb|. It returns one on
+// success and zero otherwise.
OPENSSL_EXPORT int CBB_add_bytes(CBB *cbb, const uint8_t *data, size_t len);
-/* CBB_add_space appends |len| bytes to |cbb| and sets |*out_data| to point to
- * the beginning of that space. The caller must then write |len| bytes of
- * actual contents to |*out_data|. It returns one on success and zero
- * otherwise. */
+// CBB_add_space appends |len| bytes to |cbb| and sets |*out_data| to point to
+// the beginning of that space. The caller must then write |len| bytes of
+// actual contents to |*out_data|. It returns one on success and zero
+// otherwise.
OPENSSL_EXPORT int CBB_add_space(CBB *cbb, uint8_t **out_data, size_t len);
-/* CBB_reserve ensures |cbb| has room for |len| additional bytes and sets
- * |*out_data| to point to the beginning of that space. It returns one on
- * success and zero otherwise. The caller may write up to |len| bytes to
- * |*out_data| and call |CBB_did_write| to complete the write. |*out_data| is
- * valid until the next operation on |cbb| or an ancestor |CBB|. */
+// CBB_reserve ensures |cbb| has room for |len| additional bytes and sets
+// |*out_data| to point to the beginning of that space. It returns one on
+// success and zero otherwise. The caller may write up to |len| bytes to
+// |*out_data| and call |CBB_did_write| to complete the write. |*out_data| is
+// valid until the next operation on |cbb| or an ancestor |CBB|.
OPENSSL_EXPORT int CBB_reserve(CBB *cbb, uint8_t **out_data, size_t len);
-/* CBB_did_write advances |cbb| by |len| bytes, assuming the space has been
- * written to by the caller. It returns one on success and zero on error. */
+// CBB_did_write advances |cbb| by |len| bytes, assuming the space has been
+// written to by the caller. It returns one on success and zero on error.
OPENSSL_EXPORT int CBB_did_write(CBB *cbb, size_t len);
-/* CBB_add_u8 appends an 8-bit number from |value| to |cbb|. It returns one on
- * success and zero otherwise. */
+// CBB_add_u8 appends an 8-bit number from |value| to |cbb|. It returns one on
+// success and zero otherwise.
OPENSSL_EXPORT int CBB_add_u8(CBB *cbb, uint8_t value);
-/* CBB_add_u16 appends a 16-bit, big-endian number from |value| to |cbb|. It
- * returns one on success and zero otherwise. */
+// CBB_add_u16 appends a 16-bit, big-endian number from |value| to |cbb|. It
+// returns one on success and zero otherwise.
OPENSSL_EXPORT int CBB_add_u16(CBB *cbb, uint16_t value);
-/* CBB_add_u24 appends a 24-bit, big-endian number from |value| to |cbb|. It
- * returns one on success and zero otherwise. */
+// CBB_add_u24 appends a 24-bit, big-endian number from |value| to |cbb|. It
+// returns one on success and zero otherwise.
OPENSSL_EXPORT int CBB_add_u24(CBB *cbb, uint32_t value);
-/* CBB_add_u32 appends a 32-bit, big-endian number from |value| to |cbb|. It
- * returns one on success and zero otherwise. */
+// CBB_add_u32 appends a 32-bit, big-endian number from |value| to |cbb|. It
+// returns one on success and zero otherwise.
OPENSSL_EXPORT int CBB_add_u32(CBB *cbb, uint32_t value);
-/* CBB_discard_child discards the current unflushed child of |cbb|. Neither the
- * child's contents nor the length prefix will be included in the output. */
+// CBB_discard_child discards the current unflushed child of |cbb|. Neither the
+// child's contents nor the length prefix will be included in the output.
OPENSSL_EXPORT void CBB_discard_child(CBB *cbb);
-/* CBB_add_asn1_uint64 writes an ASN.1 INTEGER into |cbb| using |CBB_add_asn1|
- * and writes |value| in its contents. It returns one on success and zero on
- * error. */
+// CBB_add_asn1_uint64 writes an ASN.1 INTEGER into |cbb| using |CBB_add_asn1|
+// and writes |value| in its contents. It returns one on success and zero on
+// error.
OPENSSL_EXPORT int CBB_add_asn1_uint64(CBB *cbb, uint64_t value);
#if defined(__cplusplus)
-} /* extern C */
+} // extern C
#if !defined(BORINGSSL_NO_CXX)
@@ -451,4 +451,4 @@
#endif
-#endif /* OPENSSL_HEADER_BYTESTRING_H */
+#endif // OPENSSL_HEADER_BYTESTRING_H
diff --git a/src/include/openssl/cast.h b/src/include/openssl/cast.h
index 8021723..2978a67 100644
--- a/src/include/openssl/cast.h
+++ b/src/include/openssl/cast.h
@@ -72,7 +72,7 @@
typedef struct cast_key_st {
uint32_t data[32];
- int short_key; /* Use reduced rounds for short key */
+ int short_key; // Use reduced rounds for short key
} CAST_KEY;
OPENSSL_EXPORT void CAST_set_key(CAST_KEY *key, size_t len,
@@ -93,4 +93,4 @@
}
#endif
-#endif /* OPENSSL_HEADER_CAST_H */
+#endif // OPENSSL_HEADER_CAST_H
diff --git a/src/include/openssl/chacha.h b/src/include/openssl/chacha.h
index 3d035e6..61deb8e 100644
--- a/src/include/openssl/chacha.h
+++ b/src/include/openssl/chacha.h
@@ -22,16 +22,16 @@
#endif
-/* CRYPTO_chacha_20 encrypts |in_len| bytes from |in| with the given key and
- * nonce and writes the result to |out|. If |in| and |out| alias, they must be
- * equal. The initial block counter is specified by |counter|. */
+// CRYPTO_chacha_20 encrypts |in_len| bytes from |in| with the given key and
+// nonce and writes the result to |out|. If |in| and |out| alias, they must be
+// equal. The initial block counter is specified by |counter|.
OPENSSL_EXPORT void CRYPTO_chacha_20(uint8_t *out, const uint8_t *in,
size_t in_len, const uint8_t key[32],
const uint8_t nonce[12], uint32_t counter);
#if defined(__cplusplus)
-} /* extern C */
+} // extern C
#endif
-#endif /* OPENSSL_HEADER_CHACHA_H */
+#endif // OPENSSL_HEADER_CHACHA_H
diff --git a/src/include/openssl/cipher.h b/src/include/openssl/cipher.h
index 5710e3c..a8dd63a 100644
--- a/src/include/openssl/cipher.h
+++ b/src/include/openssl/cipher.h
@@ -64,13 +64,13 @@
#endif
-/* Ciphers. */
+// Ciphers.
-/* Cipher primitives.
- *
- * The following functions return |EVP_CIPHER| objects that implement the named
- * cipher algorithm. */
+// Cipher primitives.
+//
+// The following functions return |EVP_CIPHER| objects that implement the named
+// cipher algorithm.
OPENSSL_EXPORT const EVP_CIPHER *EVP_rc4(void);
@@ -92,242 +92,242 @@
OPENSSL_EXPORT const EVP_CIPHER *EVP_aes_256_ofb(void);
OPENSSL_EXPORT const EVP_CIPHER *EVP_aes_256_xts(void);
-/* EVP_enc_null returns a 'cipher' that passes plaintext through as
- * ciphertext. */
+// EVP_enc_null returns a 'cipher' that passes plaintext through as
+// ciphertext.
OPENSSL_EXPORT const EVP_CIPHER *EVP_enc_null(void);
-/* EVP_rc2_cbc returns a cipher that implements 128-bit RC2 in CBC mode. */
+// EVP_rc2_cbc returns a cipher that implements 128-bit RC2 in CBC mode.
OPENSSL_EXPORT const EVP_CIPHER *EVP_rc2_cbc(void);
-/* EVP_rc2_40_cbc returns a cipher that implements 40-bit RC2 in CBC mode. This
- * is obviously very, very weak and is included only in order to read PKCS#12
- * files, which often encrypt the certificate chain using this cipher. It is
- * deliberately not exported. */
+// EVP_rc2_40_cbc returns a cipher that implements 40-bit RC2 in CBC mode. This
+// is obviously very, very weak and is included only in order to read PKCS#12
+// files, which often encrypt the certificate chain using this cipher. It is
+// deliberately not exported.
const EVP_CIPHER *EVP_rc2_40_cbc(void);
-/* EVP_get_cipherbynid returns the cipher corresponding to the given NID, or
- * NULL if no such cipher is known. */
+// EVP_get_cipherbynid returns the cipher corresponding to the given NID, or
+// NULL if no such cipher is known.
OPENSSL_EXPORT const EVP_CIPHER *EVP_get_cipherbynid(int nid);
-/* Cipher context allocation.
- *
- * An |EVP_CIPHER_CTX| represents the state of an encryption or decryption in
- * progress. */
+// Cipher context allocation.
+//
+// An |EVP_CIPHER_CTX| represents the state of an encryption or decryption in
+// progress.
-/* EVP_CIPHER_CTX_init initialises an, already allocated, |EVP_CIPHER_CTX|. */
+// EVP_CIPHER_CTX_init initialises an, already allocated, |EVP_CIPHER_CTX|.
OPENSSL_EXPORT void EVP_CIPHER_CTX_init(EVP_CIPHER_CTX *ctx);
-/* EVP_CIPHER_CTX_new allocates a fresh |EVP_CIPHER_CTX|, calls
- * |EVP_CIPHER_CTX_init| and returns it, or NULL on allocation failure. */
+// EVP_CIPHER_CTX_new allocates a fresh |EVP_CIPHER_CTX|, calls
+// |EVP_CIPHER_CTX_init| and returns it, or NULL on allocation failure.
OPENSSL_EXPORT EVP_CIPHER_CTX *EVP_CIPHER_CTX_new(void);
-/* EVP_CIPHER_CTX_cleanup frees any memory referenced by |ctx|. It returns
- * one. */
+// EVP_CIPHER_CTX_cleanup frees any memory referenced by |ctx|. It returns
+// one.
OPENSSL_EXPORT int EVP_CIPHER_CTX_cleanup(EVP_CIPHER_CTX *ctx);
-/* EVP_CIPHER_CTX_free calls |EVP_CIPHER_CTX_cleanup| on |ctx| and then frees
- * |ctx| itself. */
+// EVP_CIPHER_CTX_free calls |EVP_CIPHER_CTX_cleanup| on |ctx| and then frees
+// |ctx| itself.
OPENSSL_EXPORT void EVP_CIPHER_CTX_free(EVP_CIPHER_CTX *ctx);
-/* EVP_CIPHER_CTX_copy sets |out| to be a duplicate of the current state of
- * |in|. The |out| argument must have been previously initialised. */
+// EVP_CIPHER_CTX_copy sets |out| to be a duplicate of the current state of
+// |in|. The |out| argument must have been previously initialised.
OPENSSL_EXPORT int EVP_CIPHER_CTX_copy(EVP_CIPHER_CTX *out,
const EVP_CIPHER_CTX *in);
-/* Cipher context configuration. */
+// Cipher context configuration.
-/* EVP_CipherInit_ex configures |ctx| for a fresh encryption (or decryption, if
- * |enc| is zero) operation using |cipher|. If |ctx| has been previously
- * configured with a cipher then |cipher|, |key| and |iv| may be |NULL| and
- * |enc| may be -1 to reuse the previous values. The operation will use |key|
- * as the key and |iv| as the IV (if any). These should have the correct
- * lengths given by |EVP_CIPHER_key_length| and |EVP_CIPHER_iv_length|. It
- * returns one on success and zero on error. */
+// EVP_CipherInit_ex configures |ctx| for a fresh encryption (or decryption, if
+// |enc| is zero) operation using |cipher|. If |ctx| has been previously
+// configured with a cipher then |cipher|, |key| and |iv| may be |NULL| and
+// |enc| may be -1 to reuse the previous values. The operation will use |key|
+// as the key and |iv| as the IV (if any). These should have the correct
+// lengths given by |EVP_CIPHER_key_length| and |EVP_CIPHER_iv_length|. It
+// returns one on success and zero on error.
OPENSSL_EXPORT int EVP_CipherInit_ex(EVP_CIPHER_CTX *ctx,
const EVP_CIPHER *cipher, ENGINE *engine,
const uint8_t *key, const uint8_t *iv,
int enc);
-/* EVP_EncryptInit_ex calls |EVP_CipherInit_ex| with |enc| equal to one. */
+// EVP_EncryptInit_ex calls |EVP_CipherInit_ex| with |enc| equal to one.
OPENSSL_EXPORT int EVP_EncryptInit_ex(EVP_CIPHER_CTX *ctx,
const EVP_CIPHER *cipher, ENGINE *impl,
const uint8_t *key, const uint8_t *iv);
-/* EVP_DecryptInit_ex calls |EVP_CipherInit_ex| with |enc| equal to zero. */
+// EVP_DecryptInit_ex calls |EVP_CipherInit_ex| with |enc| equal to zero.
OPENSSL_EXPORT int EVP_DecryptInit_ex(EVP_CIPHER_CTX *ctx,
const EVP_CIPHER *cipher, ENGINE *impl,
const uint8_t *key, const uint8_t *iv);
-/* Cipher operations. */
+// Cipher operations.
-/* EVP_EncryptUpdate encrypts |in_len| bytes from |in| to |out|. The number
- * of output bytes may be up to |in_len| plus the block length minus one and
- * |out| must have sufficient space. The number of bytes actually output is
- * written to |*out_len|. It returns one on success and zero otherwise. */
+// EVP_EncryptUpdate encrypts |in_len| bytes from |in| to |out|. The number
+// of output bytes may be up to |in_len| plus the block length minus one and
+// |out| must have sufficient space. The number of bytes actually output is
+// written to |*out_len|. It returns one on success and zero otherwise.
OPENSSL_EXPORT int EVP_EncryptUpdate(EVP_CIPHER_CTX *ctx, uint8_t *out,
int *out_len, const uint8_t *in,
int in_len);
-/* EVP_EncryptFinal_ex writes at most a block of ciphertext to |out| and sets
- * |*out_len| to the number of bytes written. If padding is enabled (the
- * default) then standard padding is applied to create the final block. If
- * padding is disabled (with |EVP_CIPHER_CTX_set_padding|) then any partial
- * block remaining will cause an error. The function returns one on success and
- * zero otherwise. */
+// EVP_EncryptFinal_ex writes at most a block of ciphertext to |out| and sets
+// |*out_len| to the number of bytes written. If padding is enabled (the
+// default) then standard padding is applied to create the final block. If
+// padding is disabled (with |EVP_CIPHER_CTX_set_padding|) then any partial
+// block remaining will cause an error. The function returns one on success and
+// zero otherwise.
OPENSSL_EXPORT int EVP_EncryptFinal_ex(EVP_CIPHER_CTX *ctx, uint8_t *out,
int *out_len);
-/* EVP_DecryptUpdate decrypts |in_len| bytes from |in| to |out|. The number of
- * output bytes may be up to |in_len| plus the block length minus one and |out|
- * must have sufficient space. The number of bytes actually output is written
- * to |*out_len|. It returns one on success and zero otherwise. */
+// EVP_DecryptUpdate decrypts |in_len| bytes from |in| to |out|. The number of
+// output bytes may be up to |in_len| plus the block length minus one and |out|
+// must have sufficient space. The number of bytes actually output is written
+// to |*out_len|. It returns one on success and zero otherwise.
OPENSSL_EXPORT int EVP_DecryptUpdate(EVP_CIPHER_CTX *ctx, uint8_t *out,
int *out_len, const uint8_t *in,
int in_len);
-/* EVP_DecryptFinal_ex writes at most a block of ciphertext to |out| and sets
- * |*out_len| to the number of bytes written. If padding is enabled (the
- * default) then padding is removed from the final block.
- *
- * WARNING: it is unsafe to call this function with unauthenticated
- * ciphertext if padding is enabled. */
+// EVP_DecryptFinal_ex writes at most a block of ciphertext to |out| and sets
+// |*out_len| to the number of bytes written. If padding is enabled (the
+// default) then padding is removed from the final block.
+//
+// WARNING: it is unsafe to call this function with unauthenticated
+// ciphertext if padding is enabled.
OPENSSL_EXPORT int EVP_DecryptFinal_ex(EVP_CIPHER_CTX *ctx, unsigned char *out,
int *out_len);
-/* EVP_Cipher performs a one-shot encryption/decryption operation. No partial
- * blocks are maintained between calls. However, any internal cipher state is
- * still updated. For CBC-mode ciphers, the IV is updated to the final
- * ciphertext block. For stream ciphers, the stream is advanced past the bytes
- * used. It returns one on success and zero otherwise, unless |EVP_CIPHER_flags|
- * has |EVP_CIPH_FLAG_CUSTOM_CIPHER| set. Then it returns the number of bytes
- * written or -1 on error.
- *
- * WARNING: this differs from the usual return value convention when using
- * |EVP_CIPH_FLAG_CUSTOM_CIPHER|.
- *
- * TODO(davidben): The normal ciphers currently never fail, even if, e.g.,
- * |in_len| is not a multiple of the block size for CBC-mode decryption. The
- * input just gets rounded up while the output gets truncated. This should
- * either be officially documented or fail. */
+// EVP_Cipher performs a one-shot encryption/decryption operation. No partial
+// blocks are maintained between calls. However, any internal cipher state is
+// still updated. For CBC-mode ciphers, the IV is updated to the final
+// ciphertext block. For stream ciphers, the stream is advanced past the bytes
+// used. It returns one on success and zero otherwise, unless |EVP_CIPHER_flags|
+// has |EVP_CIPH_FLAG_CUSTOM_CIPHER| set. Then it returns the number of bytes
+// written or -1 on error.
+//
+// WARNING: this differs from the usual return value convention when using
+// |EVP_CIPH_FLAG_CUSTOM_CIPHER|.
+//
+// TODO(davidben): The normal ciphers currently never fail, even if, e.g.,
+// |in_len| is not a multiple of the block size for CBC-mode decryption. The
+// input just gets rounded up while the output gets truncated. This should
+// either be officially documented or fail.
OPENSSL_EXPORT int EVP_Cipher(EVP_CIPHER_CTX *ctx, uint8_t *out,
const uint8_t *in, size_t in_len);
-/* EVP_CipherUpdate calls either |EVP_EncryptUpdate| or |EVP_DecryptUpdate|
- * depending on how |ctx| has been setup. */
+// EVP_CipherUpdate calls either |EVP_EncryptUpdate| or |EVP_DecryptUpdate|
+// depending on how |ctx| has been setup.
OPENSSL_EXPORT int EVP_CipherUpdate(EVP_CIPHER_CTX *ctx, uint8_t *out,
int *out_len, const uint8_t *in,
int in_len);
-/* EVP_CipherFinal_ex calls either |EVP_EncryptFinal_ex| or
- * |EVP_DecryptFinal_ex| depending on how |ctx| has been setup. */
+// EVP_CipherFinal_ex calls either |EVP_EncryptFinal_ex| or
+// |EVP_DecryptFinal_ex| depending on how |ctx| has been setup.
OPENSSL_EXPORT int EVP_CipherFinal_ex(EVP_CIPHER_CTX *ctx, uint8_t *out,
int *out_len);
-/* Cipher context accessors. */
+// Cipher context accessors.
-/* EVP_CIPHER_CTX_cipher returns the |EVP_CIPHER| underlying |ctx|, or NULL if
- * none has been set. */
+// EVP_CIPHER_CTX_cipher returns the |EVP_CIPHER| underlying |ctx|, or NULL if
+// none has been set.
OPENSSL_EXPORT const EVP_CIPHER *EVP_CIPHER_CTX_cipher(
const EVP_CIPHER_CTX *ctx);
-/* EVP_CIPHER_CTX_nid returns a NID identifying the |EVP_CIPHER| underlying
- * |ctx| (e.g. |NID_aes_128_gcm|). It will crash if no cipher has been
- * configured. */
+// EVP_CIPHER_CTX_nid returns a NID identifying the |EVP_CIPHER| underlying
+// |ctx| (e.g. |NID_aes_128_gcm|). It will crash if no cipher has been
+// configured.
OPENSSL_EXPORT int EVP_CIPHER_CTX_nid(const EVP_CIPHER_CTX *ctx);
-/* EVP_CIPHER_CTX_block_size returns the block size, in bytes, of the cipher
- * underlying |ctx|, or one if the cipher is a stream cipher. It will crash if
- * no cipher has been configured. */
+// EVP_CIPHER_CTX_block_size returns the block size, in bytes, of the cipher
+// underlying |ctx|, or one if the cipher is a stream cipher. It will crash if
+// no cipher has been configured.
OPENSSL_EXPORT unsigned EVP_CIPHER_CTX_block_size(const EVP_CIPHER_CTX *ctx);
-/* EVP_CIPHER_CTX_key_length returns the key size, in bytes, of the cipher
- * underlying |ctx| or zero if no cipher has been configured. */
+// EVP_CIPHER_CTX_key_length returns the key size, in bytes, of the cipher
+// underlying |ctx| or zero if no cipher has been configured.
OPENSSL_EXPORT unsigned EVP_CIPHER_CTX_key_length(const EVP_CIPHER_CTX *ctx);
-/* EVP_CIPHER_CTX_iv_length returns the IV size, in bytes, of the cipher
- * underlying |ctx|. It will crash if no cipher has been configured. */
+// EVP_CIPHER_CTX_iv_length returns the IV size, in bytes, of the cipher
+// underlying |ctx|. It will crash if no cipher has been configured.
OPENSSL_EXPORT unsigned EVP_CIPHER_CTX_iv_length(const EVP_CIPHER_CTX *ctx);
-/* EVP_CIPHER_CTX_get_app_data returns the opaque, application data pointer for
- * |ctx|, or NULL if none has been set. */
+// EVP_CIPHER_CTX_get_app_data returns the opaque, application data pointer for
+// |ctx|, or NULL if none has been set.
OPENSSL_EXPORT void *EVP_CIPHER_CTX_get_app_data(const EVP_CIPHER_CTX *ctx);
-/* EVP_CIPHER_CTX_set_app_data sets the opaque, application data pointer for
- * |ctx| to |data|. */
+// EVP_CIPHER_CTX_set_app_data sets the opaque, application data pointer for
+// |ctx| to |data|.
OPENSSL_EXPORT void EVP_CIPHER_CTX_set_app_data(EVP_CIPHER_CTX *ctx,
void *data);
-/* EVP_CIPHER_CTX_flags returns a value which is the OR of zero or more
- * |EVP_CIPH_*| flags. It will crash if no cipher has been configured. */
+// EVP_CIPHER_CTX_flags returns a value which is the OR of zero or more
+// |EVP_CIPH_*| flags. It will crash if no cipher has been configured.
OPENSSL_EXPORT uint32_t EVP_CIPHER_CTX_flags(const EVP_CIPHER_CTX *ctx);
-/* EVP_CIPHER_CTX_mode returns one of the |EVP_CIPH_*| cipher mode values
- * enumerated below. It will crash if no cipher has been configured. */
+// EVP_CIPHER_CTX_mode returns one of the |EVP_CIPH_*| cipher mode values
+// enumerated below. It will crash if no cipher has been configured.
OPENSSL_EXPORT uint32_t EVP_CIPHER_CTX_mode(const EVP_CIPHER_CTX *ctx);
-/* EVP_CIPHER_CTX_ctrl is an |ioctl| like function. The |command| argument
- * should be one of the |EVP_CTRL_*| values. The |arg| and |ptr| arguments are
- * specific to the command in question. */
+// EVP_CIPHER_CTX_ctrl is an |ioctl| like function. The |command| argument
+// should be one of the |EVP_CTRL_*| values. The |arg| and |ptr| arguments are
+// specific to the command in question.
OPENSSL_EXPORT int EVP_CIPHER_CTX_ctrl(EVP_CIPHER_CTX *ctx, int command,
int arg, void *ptr);
-/* EVP_CIPHER_CTX_set_padding sets whether padding is enabled for |ctx| and
- * returns one. Pass a non-zero |pad| to enable padding (the default) or zero
- * to disable. */
+// EVP_CIPHER_CTX_set_padding sets whether padding is enabled for |ctx| and
+// returns one. Pass a non-zero |pad| to enable padding (the default) or zero
+// to disable.
OPENSSL_EXPORT int EVP_CIPHER_CTX_set_padding(EVP_CIPHER_CTX *ctx, int pad);
-/* EVP_CIPHER_CTX_set_key_length sets the key length for |ctx|. This is only
- * valid for ciphers that can take a variable length key. It returns one on
- * success and zero on error. */
+// EVP_CIPHER_CTX_set_key_length sets the key length for |ctx|. This is only
+// valid for ciphers that can take a variable length key. It returns one on
+// success and zero on error.
OPENSSL_EXPORT int EVP_CIPHER_CTX_set_key_length(EVP_CIPHER_CTX *ctx,
unsigned key_len);
-/* Cipher accessors. */
+// Cipher accessors.
-/* EVP_CIPHER_nid returns a NID identifying |cipher|. (For example,
- * |NID_aes_128_gcm|.) */
+// EVP_CIPHER_nid returns a NID identifying |cipher|. (For example,
+// |NID_aes_128_gcm|.)
OPENSSL_EXPORT int EVP_CIPHER_nid(const EVP_CIPHER *cipher);
-/* EVP_CIPHER_block_size returns the block size, in bytes, for |cipher|, or one
- * if |cipher| is a stream cipher. */
+// EVP_CIPHER_block_size returns the block size, in bytes, for |cipher|, or one
+// if |cipher| is a stream cipher.
OPENSSL_EXPORT unsigned EVP_CIPHER_block_size(const EVP_CIPHER *cipher);
-/* EVP_CIPHER_key_length returns the key size, in bytes, for |cipher|. If
- * |cipher| can take a variable key length then this function returns the
- * default key length and |EVP_CIPHER_flags| will return a value with
- * |EVP_CIPH_VARIABLE_LENGTH| set. */
+// EVP_CIPHER_key_length returns the key size, in bytes, for |cipher|. If
+// |cipher| can take a variable key length then this function returns the
+// default key length and |EVP_CIPHER_flags| will return a value with
+// |EVP_CIPH_VARIABLE_LENGTH| set.
OPENSSL_EXPORT unsigned EVP_CIPHER_key_length(const EVP_CIPHER *cipher);
-/* EVP_CIPHER_iv_length returns the IV size, in bytes, of |cipher|, or zero if
- * |cipher| doesn't take an IV. */
+// EVP_CIPHER_iv_length returns the IV size, in bytes, of |cipher|, or zero if
+// |cipher| doesn't take an IV.
OPENSSL_EXPORT unsigned EVP_CIPHER_iv_length(const EVP_CIPHER *cipher);
-/* EVP_CIPHER_flags returns a value which is the OR of zero or more
- * |EVP_CIPH_*| flags. */
+// EVP_CIPHER_flags returns a value which is the OR of zero or more
+// |EVP_CIPH_*| flags.
OPENSSL_EXPORT uint32_t EVP_CIPHER_flags(const EVP_CIPHER *cipher);
-/* EVP_CIPHER_mode returns one of the cipher mode values enumerated below. */
+// EVP_CIPHER_mode returns one of the cipher mode values enumerated below.
OPENSSL_EXPORT uint32_t EVP_CIPHER_mode(const EVP_CIPHER *cipher);
-/* Key derivation. */
+// Key derivation.
-/* EVP_BytesToKey generates a key and IV for the cipher |type| by iterating
- * |md| |count| times using |data| and |salt|. On entry, the |key| and |iv|
- * buffers must have enough space to hold a key and IV for |type|. It returns
- * the length of the key on success or zero on error. */
+// EVP_BytesToKey generates a key and IV for the cipher |type| by iterating
+// |md| |count| times using |data| and |salt|. On entry, the |key| and |iv|
+// buffers must have enough space to hold a key and IV for |type|. It returns
+// the length of the key on success or zero on error.
OPENSSL_EXPORT int EVP_BytesToKey(const EVP_CIPHER *type, const EVP_MD *md,
const uint8_t *salt, const uint8_t *data,
size_t data_len, unsigned count, uint8_t *key,
uint8_t *iv);
-/* Cipher modes (for |EVP_CIPHER_mode|). */
+// Cipher modes (for |EVP_CIPHER_mode|).
#define EVP_CIPH_STREAM_CIPHER 0x0
#define EVP_CIPH_ECB_MODE 0x1
@@ -339,84 +339,84 @@
#define EVP_CIPH_XTS_MODE 0x7
-/* Cipher flags (for |EVP_CIPHER_flags|). */
+// Cipher flags (for |EVP_CIPHER_flags|).
-/* EVP_CIPH_VARIABLE_LENGTH indicates that the cipher takes a variable length
- * key. */
+// EVP_CIPH_VARIABLE_LENGTH indicates that the cipher takes a variable length
+// key.
#define EVP_CIPH_VARIABLE_LENGTH 0x40
-/* EVP_CIPH_ALWAYS_CALL_INIT indicates that the |init| function for the cipher
- * should always be called when initialising a new operation, even if the key
- * is NULL to indicate that the same key is being used. */
+// EVP_CIPH_ALWAYS_CALL_INIT indicates that the |init| function for the cipher
+// should always be called when initialising a new operation, even if the key
+// is NULL to indicate that the same key is being used.
#define EVP_CIPH_ALWAYS_CALL_INIT 0x80
-/* EVP_CIPH_CUSTOM_IV indicates that the cipher manages the IV itself rather
- * than keeping it in the |iv| member of |EVP_CIPHER_CTX|. */
+// EVP_CIPH_CUSTOM_IV indicates that the cipher manages the IV itself rather
+// than keeping it in the |iv| member of |EVP_CIPHER_CTX|.
#define EVP_CIPH_CUSTOM_IV 0x100
-/* EVP_CIPH_CTRL_INIT indicates that EVP_CTRL_INIT should be used when
- * initialising an |EVP_CIPHER_CTX|. */
+// EVP_CIPH_CTRL_INIT indicates that EVP_CTRL_INIT should be used when
+// initialising an |EVP_CIPHER_CTX|.
#define EVP_CIPH_CTRL_INIT 0x200
-/* EVP_CIPH_FLAG_CUSTOM_CIPHER indicates that the cipher manages blocking
- * itself. This causes EVP_(En|De)crypt_ex to be simple wrapper functions. */
+// EVP_CIPH_FLAG_CUSTOM_CIPHER indicates that the cipher manages blocking
+// itself. This causes EVP_(En|De)crypt_ex to be simple wrapper functions.
#define EVP_CIPH_FLAG_CUSTOM_CIPHER 0x400
-/* EVP_CIPH_FLAG_AEAD_CIPHER specifies that the cipher is an AEAD. This is an
- * older version of the proper AEAD interface. See aead.h for the current
- * one. */
+// EVP_CIPH_FLAG_AEAD_CIPHER specifies that the cipher is an AEAD. This is an
+// older version of the proper AEAD interface. See aead.h for the current
+// one.
#define EVP_CIPH_FLAG_AEAD_CIPHER 0x800
-/* EVP_CIPH_CUSTOM_COPY indicates that the |ctrl| callback should be called
- * with |EVP_CTRL_COPY| at the end of normal |EVP_CIPHER_CTX_copy|
- * processing. */
+// EVP_CIPH_CUSTOM_COPY indicates that the |ctrl| callback should be called
+// with |EVP_CTRL_COPY| at the end of normal |EVP_CIPHER_CTX_copy|
+// processing.
#define EVP_CIPH_CUSTOM_COPY 0x1000
-/* Deprecated functions */
+// Deprecated functions
-/* EVP_CipherInit acts like EVP_CipherInit_ex except that |EVP_CIPHER_CTX_init|
- * is called on |cipher| first, if |cipher| is not NULL. */
+// EVP_CipherInit acts like EVP_CipherInit_ex except that |EVP_CIPHER_CTX_init|
+// is called on |cipher| first, if |cipher| is not NULL.
OPENSSL_EXPORT int EVP_CipherInit(EVP_CIPHER_CTX *ctx, const EVP_CIPHER *cipher,
const uint8_t *key, const uint8_t *iv,
int enc);
-/* EVP_EncryptInit calls |EVP_CipherInit| with |enc| equal to one. */
+// EVP_EncryptInit calls |EVP_CipherInit| with |enc| equal to one.
OPENSSL_EXPORT int EVP_EncryptInit(EVP_CIPHER_CTX *ctx,
const EVP_CIPHER *cipher, const uint8_t *key,
const uint8_t *iv);
-/* EVP_DecryptInit calls |EVP_CipherInit| with |enc| equal to zero. */
+// EVP_DecryptInit calls |EVP_CipherInit| with |enc| equal to zero.
OPENSSL_EXPORT int EVP_DecryptInit(EVP_CIPHER_CTX *ctx,
const EVP_CIPHER *cipher, const uint8_t *key,
const uint8_t *iv);
-/* EVP_add_cipher_alias does nothing and returns one. */
+// EVP_add_cipher_alias does nothing and returns one.
OPENSSL_EXPORT int EVP_add_cipher_alias(const char *a, const char *b);
-/* EVP_get_cipherbyname returns an |EVP_CIPHER| given a human readable name in
- * |name|, or NULL if the name is unknown. */
+// EVP_get_cipherbyname returns an |EVP_CIPHER| given a human readable name in
+// |name|, or NULL if the name is unknown.
OPENSSL_EXPORT const EVP_CIPHER *EVP_get_cipherbyname(const char *name);
-/* These AEADs are deprecated AES-GCM implementations that set
- * |EVP_CIPH_FLAG_CUSTOM_CIPHER|. Use |EVP_aead_aes_128_gcm| and
- * |EVP_aead_aes_256_gcm| instead. */
+// These AEADs are deprecated AES-GCM implementations that set
+// |EVP_CIPH_FLAG_CUSTOM_CIPHER|. Use |EVP_aead_aes_128_gcm| and
+// |EVP_aead_aes_256_gcm| instead.
OPENSSL_EXPORT const EVP_CIPHER *EVP_aes_128_gcm(void);
OPENSSL_EXPORT const EVP_CIPHER *EVP_aes_256_gcm(void);
-/* These are deprecated, 192-bit version of AES. */
+// These are deprecated, 192-bit version of AES.
OPENSSL_EXPORT const EVP_CIPHER *EVP_aes_192_ecb(void);
OPENSSL_EXPORT const EVP_CIPHER *EVP_aes_192_cbc(void);
OPENSSL_EXPORT const EVP_CIPHER *EVP_aes_192_ctr(void);
OPENSSL_EXPORT const EVP_CIPHER *EVP_aes_192_gcm(void);
-/* Private functions. */
+// Private functions.
-/* EVP_CIPH_NO_PADDING disables padding in block ciphers. */
+// EVP_CIPH_NO_PADDING disables padding in block ciphers.
#define EVP_CIPH_NO_PADDING 0x800
-/* EVP_CIPHER_CTX_ctrl commands. */
+// EVP_CIPHER_CTX_ctrl commands.
#define EVP_CTRL_INIT 0x0
#define EVP_CTRL_SET_KEY_LENGTH 0x1
#define EVP_CTRL_GET_RC2_KEY_BITS 0x2
@@ -432,15 +432,15 @@
#define EVP_CTRL_GCM_SET_IV_FIXED 0x12
#define EVP_CTRL_GCM_IV_GEN 0x13
#define EVP_CTRL_AEAD_SET_MAC_KEY 0x17
-/* Set the GCM invocation field, decrypt only */
+// Set the GCM invocation field, decrypt only
#define EVP_CTRL_GCM_SET_IV_INV 0x18
-/* GCM TLS constants */
-/* Length of fixed part of IV derived from PRF */
+// GCM TLS constants
+// Length of fixed part of IV derived from PRF
#define EVP_GCM_TLS_FIXED_IV_LEN 4
-/* Length of explicit part of IV part of TLS records */
+// Length of explicit part of IV part of TLS records
#define EVP_GCM_TLS_EXPLICIT_IV_LEN 8
-/* Length of tag for TLS */
+// Length of tag for TLS
#define EVP_GCM_TLS_TAG_LEN 16
#define EVP_MAX_KEY_LENGTH 64
@@ -448,51 +448,51 @@
#define EVP_MAX_BLOCK_LENGTH 32
struct evp_cipher_ctx_st {
- /* cipher contains the underlying cipher for this context. */
+ // cipher contains the underlying cipher for this context.
const EVP_CIPHER *cipher;
- /* app_data is a pointer to opaque, user data. */
- void *app_data; /* application stuff */
+ // app_data is a pointer to opaque, user data.
+ void *app_data; // application stuff
- /* cipher_data points to the |cipher| specific state. */
+ // cipher_data points to the |cipher| specific state.
void *cipher_data;
- /* key_len contains the length of the key, which may differ from
- * |cipher->key_len| if the cipher can take a variable key length. */
+ // key_len contains the length of the key, which may differ from
+ // |cipher->key_len| if the cipher can take a variable key length.
unsigned key_len;
- /* encrypt is one if encrypting and zero if decrypting. */
+ // encrypt is one if encrypting and zero if decrypting.
int encrypt;
- /* flags contains the OR of zero or more |EVP_CIPH_*| flags, above. */
+ // flags contains the OR of zero or more |EVP_CIPH_*| flags, above.
uint32_t flags;
- /* oiv contains the original IV value. */
+ // oiv contains the original IV value.
uint8_t oiv[EVP_MAX_IV_LENGTH];
- /* iv contains the current IV value, which may have been updated. */
+ // iv contains the current IV value, which may have been updated.
uint8_t iv[EVP_MAX_IV_LENGTH];
- /* buf contains a partial block which is used by, for example, CTR mode to
- * store unused keystream bytes. */
+ // buf contains a partial block which is used by, for example, CTR mode to
+ // store unused keystream bytes.
uint8_t buf[EVP_MAX_BLOCK_LENGTH];
- /* buf_len contains the number of bytes of a partial block contained in
- * |buf|. */
+ // buf_len contains the number of bytes of a partial block contained in
+ // |buf|.
int buf_len;
- /* num contains the number of bytes of |iv| which are valid for modes that
- * manage partial blocks themselves. */
+ // num contains the number of bytes of |iv| which are valid for modes that
+ // manage partial blocks themselves.
unsigned num;
- /* final_used is non-zero if the |final| buffer contains plaintext. */
+ // final_used is non-zero if the |final| buffer contains plaintext.
int final_used;
- /* block_mask contains |cipher->block_size| minus one. (The block size
- * assumed to be a power of two.) */
+ // block_mask contains |cipher->block_size| minus one. (The block size
+ // assumed to be a power of two.)
int block_mask;
- uint8_t final[EVP_MAX_BLOCK_LENGTH]; /* possible final block */
+ uint8_t final[EVP_MAX_BLOCK_LENGTH]; // possible final block
} /* EVP_CIPHER_CTX */;
typedef struct evp_cipher_info_st {
@@ -501,28 +501,28 @@
} EVP_CIPHER_INFO;
struct evp_cipher_st {
- /* type contains a NID identifing the cipher. (e.g. NID_aes_128_gcm.) */
+ // type contains a NID identifing the cipher. (e.g. NID_aes_128_gcm.)
int nid;
- /* block_size contains the block size, in bytes, of the cipher, or 1 for a
- * stream cipher. */
+ // block_size contains the block size, in bytes, of the cipher, or 1 for a
+ // stream cipher.
unsigned block_size;
- /* key_len contains the key size, in bytes, for the cipher. If the cipher
- * takes a variable key size then this contains the default size. */
+ // key_len contains the key size, in bytes, for the cipher. If the cipher
+ // takes a variable key size then this contains the default size.
unsigned key_len;
- /* iv_len contains the IV size, in bytes, or zero if inapplicable. */
+ // iv_len contains the IV size, in bytes, or zero if inapplicable.
unsigned iv_len;
- /* ctx_size contains the size, in bytes, of the per-key context for this
- * cipher. */
+ // ctx_size contains the size, in bytes, of the per-key context for this
+ // cipher.
unsigned ctx_size;
- /* flags contains the OR of a number of flags. See |EVP_CIPH_*|. */
+ // flags contains the OR of a number of flags. See |EVP_CIPH_*|.
uint32_t flags;
- /* app_data is a pointer to opaque, user data. */
+ // app_data is a pointer to opaque, user data.
void *app_data;
int (*init)(EVP_CIPHER_CTX *ctx, const uint8_t *key, const uint8_t *iv,
@@ -531,9 +531,9 @@
int (*cipher)(EVP_CIPHER_CTX *ctx, uint8_t *out, const uint8_t *in,
size_t inl);
- /* cleanup, if non-NULL, releases memory associated with the context. It is
- * called if |EVP_CTRL_INIT| succeeds. Note that |init| may not have been
- * called at this point. */
+ // cleanup, if non-NULL, releases memory associated with the context. It is
+ // called if |EVP_CTRL_INIT| succeeds. Note that |init| may not have been
+ // called at this point.
void (*cleanup)(EVP_CIPHER_CTX *);
int (*ctrl)(EVP_CIPHER_CTX *, int type, int arg, void *ptr);
@@ -541,7 +541,7 @@
#if defined(__cplusplus)
-} /* extern C */
+} // extern C
#if !defined(BORINGSSL_NO_CXX)
extern "C++" {
@@ -588,4 +588,4 @@
#define CIPHER_R_NO_DIRECTION_SET 124
#define CIPHER_R_INVALID_NONCE 125
-#endif /* OPENSSL_HEADER_CIPHER_H */
+#endif // OPENSSL_HEADER_CIPHER_H
diff --git a/src/include/openssl/cmac.h b/src/include/openssl/cmac.h
index 0f05bc9..dfcd37b 100644
--- a/src/include/openssl/cmac.h
+++ b/src/include/openssl/cmac.h
@@ -22,55 +22,55 @@
#endif
-/* CMAC.
- *
- * CMAC is a MAC based on AES-CBC and defined in
- * https://tools.ietf.org/html/rfc4493#section-2.3. */
+// CMAC.
+//
+// CMAC is a MAC based on AES-CBC and defined in
+// https://tools.ietf.org/html/rfc4493#section-2.3.
-/* One-shot functions. */
+// One-shot functions.
-/* AES_CMAC calculates the 16-byte, CMAC authenticator of |in_len| bytes of
- * |in| and writes it to |out|. The |key_len| may be 16 or 32 bytes to select
- * between AES-128 and AES-256. It returns one on success or zero on error. */
+// AES_CMAC calculates the 16-byte, CMAC authenticator of |in_len| bytes of
+// |in| and writes it to |out|. The |key_len| may be 16 or 32 bytes to select
+// between AES-128 and AES-256. It returns one on success or zero on error.
OPENSSL_EXPORT int AES_CMAC(uint8_t out[16], const uint8_t *key, size_t key_len,
const uint8_t *in, size_t in_len);
-/* Incremental interface. */
+// Incremental interface.
-/* CMAC_CTX_new allocates a fresh |CMAC_CTX| and returns it, or NULL on
- * error. */
+// CMAC_CTX_new allocates a fresh |CMAC_CTX| and returns it, or NULL on
+// error.
OPENSSL_EXPORT CMAC_CTX *CMAC_CTX_new(void);
-/* CMAC_CTX_free frees a |CMAC_CTX|. */
+// CMAC_CTX_free frees a |CMAC_CTX|.
OPENSSL_EXPORT void CMAC_CTX_free(CMAC_CTX *ctx);
-/* CMAC_Init configures |ctx| to use the given |key| and |cipher|. The CMAC RFC
- * only specifies the use of AES-128 thus |key_len| should be 16 and |cipher|
- * should be |EVP_aes_128_cbc()|. However, this implementation also supports
- * AES-256 by setting |key_len| to 32 and |cipher| to |EVP_aes_256_cbc()|. The
- * |engine| argument is ignored.
- *
- * It returns one on success or zero on error. */
+// CMAC_Init configures |ctx| to use the given |key| and |cipher|. The CMAC RFC
+// only specifies the use of AES-128 thus |key_len| should be 16 and |cipher|
+// should be |EVP_aes_128_cbc()|. However, this implementation also supports
+// AES-256 by setting |key_len| to 32 and |cipher| to |EVP_aes_256_cbc()|. The
+// |engine| argument is ignored.
+//
+// It returns one on success or zero on error.
OPENSSL_EXPORT int CMAC_Init(CMAC_CTX *ctx, const void *key, size_t key_len,
const EVP_CIPHER *cipher, ENGINE *engine);
-/* CMAC_Reset resets |ctx| so that a fresh message can be authenticated. */
+// CMAC_Reset resets |ctx| so that a fresh message can be authenticated.
OPENSSL_EXPORT int CMAC_Reset(CMAC_CTX *ctx);
-/* CMAC_Update processes |in_len| bytes of message from |in|. It returns one on
- * success or zero on error. */
+// CMAC_Update processes |in_len| bytes of message from |in|. It returns one on
+// success or zero on error.
OPENSSL_EXPORT int CMAC_Update(CMAC_CTX *ctx, const uint8_t *in, size_t in_len);
-/* CMAC_Final sets |*out_len| to 16 and, if |out| is not NULL, writes 16 bytes
- * of authenticator to it. It returns one on success or zero on error. */
+// CMAC_Final sets |*out_len| to 16 and, if |out| is not NULL, writes 16 bytes
+// of authenticator to it. It returns one on success or zero on error.
OPENSSL_EXPORT int CMAC_Final(CMAC_CTX *ctx, uint8_t *out, size_t *out_len);
#if defined(__cplusplus)
-} /* extern C */
+} // extern C
extern "C++" {
@@ -80,8 +80,8 @@
} // namespace bssl
-} /* extern C++ */
+} // extern C++
#endif
-#endif /* OPENSSL_HEADER_CMAC_H */
+#endif // OPENSSL_HEADER_CMAC_H
diff --git a/src/include/openssl/conf.h b/src/include/openssl/conf.h
index ae71575..ebf6dc4 100644
--- a/src/include/openssl/conf.h
+++ b/src/include/openssl/conf.h
@@ -67,17 +67,17 @@
#endif
-/* Config files look like:
- *
- * # Comment
- *
- * # This key is in the default section.
- * key=value
- *
- * [section_name]
- * key2=value2
- *
- * Config files are represented by a |CONF|. */
+// Config files look like:
+//
+// # Comment
+//
+// # This key is in the default section.
+// key=value
+//
+// [section_name]
+// key2=value2
+//
+// Config files are represented by a |CONF|.
struct conf_value_st {
char *section;
@@ -92,77 +92,77 @@
DEFINE_STACK_OF(CONF_VALUE)
-/* NCONF_new returns a fresh, empty |CONF|, or NULL on error. The |method|
- * argument must be NULL. */
+// NCONF_new returns a fresh, empty |CONF|, or NULL on error. The |method|
+// argument must be NULL.
OPENSSL_EXPORT CONF *NCONF_new(void *method);
-/* NCONF_free frees all the data owned by |conf| and then |conf| itself. */
+// NCONF_free frees all the data owned by |conf| and then |conf| itself.
OPENSSL_EXPORT void NCONF_free(CONF *conf);
-/* NCONF_load parses the file named |filename| and adds the values found to
- * |conf|. It returns one on success and zero on error. In the event of an
- * error, if |out_error_line| is not NULL, |*out_error_line| is set to the
- * number of the line that contained the error. */
+// NCONF_load parses the file named |filename| and adds the values found to
+// |conf|. It returns one on success and zero on error. In the event of an
+// error, if |out_error_line| is not NULL, |*out_error_line| is set to the
+// number of the line that contained the error.
int NCONF_load(CONF *conf, const char *filename, long *out_error_line);
-/* NCONF_load_bio acts like |NCONF_load| but reads from |bio| rather than from
- * a named file. */
+// NCONF_load_bio acts like |NCONF_load| but reads from |bio| rather than from
+// a named file.
int NCONF_load_bio(CONF *conf, BIO *bio, long *out_error_line);
-/* NCONF_get_section returns a stack of values for a given section in |conf|.
- * If |section| is NULL, the default section is returned. It returns NULL on
- * error. */
+// NCONF_get_section returns a stack of values for a given section in |conf|.
+// If |section| is NULL, the default section is returned. It returns NULL on
+// error.
STACK_OF(CONF_VALUE) *NCONF_get_section(const CONF *conf, const char *section);
-/* NCONF_get_string returns the value of the key |name|, in section |section|.
- * The |section| argument may be NULL to indicate the default section. It
- * returns the value or NULL on error. */
+// NCONF_get_string returns the value of the key |name|, in section |section|.
+// The |section| argument may be NULL to indicate the default section. It
+// returns the value or NULL on error.
const char *NCONF_get_string(const CONF *conf, const char *section,
const char *name);
-/* Utility functions */
+// Utility functions
-/* CONF_parse_list takes a list separated by 'sep' and calls |list_cb| giving
- * the start and length of each member, optionally stripping leading and
- * trailing whitespace. This can be used to parse comma separated lists for
- * example. If |list_cb| returns <= 0, then the iteration is halted and that
- * value is returned immediately. Otherwise it returns one. Note that |list_cb|
- * may be called on an empty member. */
+// CONF_parse_list takes a list separated by 'sep' and calls |list_cb| giving
+// the start and length of each member, optionally stripping leading and
+// trailing whitespace. This can be used to parse comma separated lists for
+// example. If |list_cb| returns <= 0, then the iteration is halted and that
+// value is returned immediately. Otherwise it returns one. Note that |list_cb|
+// may be called on an empty member.
int CONF_parse_list(const char *list, char sep, int remove_whitespace,
int (*list_cb)(const char *elem, int len, void *usr),
void *arg);
-/* Deprecated functions */
+// Deprecated functions
-/* These defines do nothing but are provided to make old code easier to
- * compile. */
+// These defines do nothing but are provided to make old code easier to
+// compile.
#define CONF_MFLAGS_DEFAULT_SECTION 0
#define CONF_MFLAGS_IGNORE_MISSING_FILE 0
typedef struct conf_must_be_null_st CONF_MUST_BE_NULL;
-/* CONF_modules_load_file returns one. |filename| was originally a string, with
- * NULL indicating the default. BoringSSL does not support configuration files,
- * so this stub emulates the "default" no-op file but intentionally breaks
- * compilation of consumers actively attempting to use this subsystem. */
+// CONF_modules_load_file returns one. |filename| was originally a string, with
+// NULL indicating the default. BoringSSL does not support configuration files,
+// so this stub emulates the "default" no-op file but intentionally breaks
+// compilation of consumers actively attempting to use this subsystem.
OPENSSL_EXPORT int CONF_modules_load_file(CONF_MUST_BE_NULL *filename,
const char *appname,
unsigned long flags);
-/* CONF_modules_free does nothing. */
+// CONF_modules_free does nothing.
OPENSSL_EXPORT void CONF_modules_free(void);
-/* OPENSSL_config does nothing. */
+// OPENSSL_config does nothing.
OPENSSL_EXPORT void OPENSSL_config(CONF_MUST_BE_NULL *config_name);
-/* OPENSSL_no_config does nothing. */
+// OPENSSL_no_config does nothing.
OPENSSL_EXPORT void OPENSSL_no_config(void);
#if defined(__cplusplus)
-} /* extern C */
+} // extern C
extern "C++" {
@@ -172,7 +172,7 @@
} // namespace bssl
-} /* extern C++ */
+} // extern C++
#endif
@@ -184,4 +184,4 @@
#define CONF_R_VARIABLE_HAS_NO_VALUE 105
#define CONF_R_VARIABLE_EXPANSION_TOO_LONG 106
-#endif /* OPENSSL_HEADER_THREAD_H */
+#endif // OPENSSL_HEADER_THREAD_H
diff --git a/src/include/openssl/cpu.h b/src/include/openssl/cpu.h
index 5ccf14b..39e7264 100644
--- a/src/include/openssl/cpu.h
+++ b/src/include/openssl/cpu.h
@@ -68,28 +68,28 @@
#endif
-/* Runtime CPU feature support */
+// Runtime CPU feature support
#if defined(OPENSSL_X86) || defined(OPENSSL_X86_64)
-/* OPENSSL_ia32cap_P contains the Intel CPUID bits when running on an x86 or
- * x86-64 system.
- *
- * Index 0:
- * EDX for CPUID where EAX = 1
- * Bit 20 is always zero
- * Bit 28 is adjusted to reflect whether the data cache is shared between
- * multiple logical cores
- * Bit 30 is used to indicate an Intel CPU
- * Index 1:
- * ECX for CPUID where EAX = 1
- * Bit 11 is used to indicate AMD XOP support, not SDBG
- * Index 2:
- * EBX for CPUID where EAX = 7
- * Index 3 is set to zero.
- *
- * Note: the CPUID bits are pre-adjusted for the OSXSAVE bit and the YMM and XMM
- * bits in XCR0, so it is not necessary to check those. */
+// OPENSSL_ia32cap_P contains the Intel CPUID bits when running on an x86 or
+// x86-64 system.
+//
+// Index 0:
+// EDX for CPUID where EAX = 1
+// Bit 20 is always zero
+// Bit 28 is adjusted to reflect whether the data cache is shared between
+// multiple logical cores
+// Bit 30 is used to indicate an Intel CPU
+// Index 1:
+// ECX for CPUID where EAX = 1
+// Bit 11 is used to indicate AMD XOP support, not SDBG
+// Index 2:
+// EBX for CPUID where EAX = 7
+// Index 3 is set to zero.
+//
+// Note: the CPUID bits are pre-adjusted for the OSXSAVE bit and the YMM and XMM
+// bits in XCR0, so it is not necessary to check those.
extern uint32_t OPENSSL_ia32cap_P[4];
#if defined(BORINGSSL_FIPS)
@@ -105,25 +105,25 @@
#if defined(OPENSSL_ARM) || defined(OPENSSL_AARCH64)
#if defined(OPENSSL_APPLE)
-/* iOS builds use the static ARM configuration. */
+// iOS builds use the static ARM configuration.
#define OPENSSL_STATIC_ARMCAP
#endif
#if !defined(OPENSSL_STATIC_ARMCAP)
-/* CRYPTO_is_NEON_capable_at_runtime returns true if the current CPU has a NEON
- * unit. Note that |OPENSSL_armcap_P| also exists and contains the same
- * information in a form that's easier for assembly to use. */
+// CRYPTO_is_NEON_capable_at_runtime returns true if the current CPU has a NEON
+// unit. Note that |OPENSSL_armcap_P| also exists and contains the same
+// information in a form that's easier for assembly to use.
OPENSSL_EXPORT char CRYPTO_is_NEON_capable_at_runtime(void);
-/* CRYPTO_is_NEON_capable returns true if the current CPU has a NEON unit. If
- * this is known statically then it returns one immediately. */
+// CRYPTO_is_NEON_capable returns true if the current CPU has a NEON unit. If
+// this is known statically then it returns one immediately.
static inline int CRYPTO_is_NEON_capable(void) {
- /* Only statically skip the runtime lookup on aarch64. On arm, one CPU is
- * known to have a broken NEON unit which is known to fail with on some
- * hand-written NEON assembly. For now, continue to apply the workaround even
- * when the compiler is instructed to freely emit NEON code. See
- * https://crbug.com/341598 and https://crbug.com/606629. */
+ // Only statically skip the runtime lookup on aarch64. On arm, one CPU is
+ // known to have a broken NEON unit which is known to fail with on some
+ // hand-written NEON assembly. For now, continue to apply the workaround even
+ // when the compiler is instructed to freely emit NEON code. See
+ // https://crbug.com/341598 and https://crbug.com/606629.
#if defined(__ARM_NEON__) && !defined(OPENSSL_ARM)
return 1;
#else
@@ -132,17 +132,17 @@
}
#if defined(OPENSSL_ARM)
-/* CRYPTO_has_broken_NEON returns one if the current CPU is known to have a
- * broken NEON unit. See https://crbug.com/341598. */
+// CRYPTO_has_broken_NEON returns one if the current CPU is known to have a
+// broken NEON unit. See https://crbug.com/341598.
OPENSSL_EXPORT int CRYPTO_has_broken_NEON(void);
#endif
-/* CRYPTO_is_ARMv8_AES_capable returns true if the current CPU supports the
- * ARMv8 AES instruction. */
+// CRYPTO_is_ARMv8_AES_capable returns true if the current CPU supports the
+// ARMv8 AES instruction.
int CRYPTO_is_ARMv8_AES_capable(void);
-/* CRYPTO_is_ARMv8_PMULL_capable returns true if the current CPU supports the
- * ARMv8 PMULL instruction. */
+// CRYPTO_is_ARMv8_PMULL_capable returns true if the current CPU supports the
+// ARMv8 PMULL instruction.
int CRYPTO_is_ARMv8_PMULL_capable(void);
#else
@@ -171,22 +171,22 @@
#endif
}
-#endif /* OPENSSL_STATIC_ARMCAP */
-#endif /* OPENSSL_ARM || OPENSSL_AARCH64 */
+#endif // OPENSSL_STATIC_ARMCAP
+#endif // OPENSSL_ARM || OPENSSL_AARCH64
#if defined(OPENSSL_PPC64LE)
-/* CRYPTO_is_PPC64LE_vcrypto_capable returns true iff the current CPU supports
- * the Vector.AES category of instructions. */
+// CRYPTO_is_PPC64LE_vcrypto_capable returns true iff the current CPU supports
+// the Vector.AES category of instructions.
int CRYPTO_is_PPC64LE_vcrypto_capable(void);
extern unsigned long OPENSSL_ppc64le_hwcap2;
-#endif /* OPENSSL_PPC64LE */
+#endif // OPENSSL_PPC64LE
#if defined(__cplusplus)
-} /* extern C */
+} // extern C
#endif
-#endif /* OPENSSL_HEADER_CPU_H */
+#endif // OPENSSL_HEADER_CPU_H
diff --git a/src/include/openssl/crypto.h b/src/include/openssl/crypto.h
index e071c70..c94f39f 100644
--- a/src/include/openssl/crypto.h
+++ b/src/include/openssl/crypto.h
@@ -17,12 +17,12 @@
#include <openssl/base.h>
-/* Upstream OpenSSL defines |OPENSSL_malloc|, etc., in crypto.h rather than
- * mem.h. */
+// Upstream OpenSSL defines |OPENSSL_malloc|, etc., in crypto.h rather than
+// mem.h.
#include <openssl/mem.h>
-/* Upstream OpenSSL defines |CRYPTO_LOCK|, etc., in crypto.h rather than
- * thread.h. */
+// Upstream OpenSSL defines |CRYPTO_LOCK|, etc., in crypto.h rather than
+// thread.h.
#include <openssl/thread.h>
@@ -31,65 +31,65 @@
#endif
-/* crypto.h contains functions for initializing the crypto library. */
+// crypto.h contains functions for initializing the crypto library.
-/* CRYPTO_library_init initializes the crypto library. It must be called if the
- * library is built with BORINGSSL_NO_STATIC_INITIALIZER. Otherwise, it does
- * nothing and a static initializer is used instead. It is safe to call this
- * function multiple times and concurrently from multiple threads.
- *
- * On some ARM configurations, this function may require filesystem access and
- * should be called before entering a sandbox. */
+// CRYPTO_library_init initializes the crypto library. It must be called if the
+// library is built with BORINGSSL_NO_STATIC_INITIALIZER. Otherwise, it does
+// nothing and a static initializer is used instead. It is safe to call this
+// function multiple times and concurrently from multiple threads.
+//
+// On some ARM configurations, this function may require filesystem access and
+// should be called before entering a sandbox.
OPENSSL_EXPORT void CRYPTO_library_init(void);
-/* CRYPTO_is_confidential_build returns one if the linked version of BoringSSL
- * has been built with the BORINGSSL_CONFIDENTIAL define and zero otherwise.
- *
- * This is used by some consumers to identify whether they are using an
- * internal version of BoringSSL. */
+// CRYPTO_is_confidential_build returns one if the linked version of BoringSSL
+// has been built with the BORINGSSL_CONFIDENTIAL define and zero otherwise.
+//
+// This is used by some consumers to identify whether they are using an
+// internal version of BoringSSL.
OPENSSL_EXPORT int CRYPTO_is_confidential_build(void);
-/* CRYPTO_has_asm returns one unless BoringSSL was built with OPENSSL_NO_ASM,
- * in which case it returns zero. */
+// CRYPTO_has_asm returns one unless BoringSSL was built with OPENSSL_NO_ASM,
+// in which case it returns zero.
OPENSSL_EXPORT int CRYPTO_has_asm(void);
-/* FIPS_mode returns zero unless BoringSSL is built with BORINGSSL_FIPS, in
- * which case it returns one. */
+// FIPS_mode returns zero unless BoringSSL is built with BORINGSSL_FIPS, in
+// which case it returns one.
OPENSSL_EXPORT int FIPS_mode(void);
-/* Deprecated functions. */
+// Deprecated functions.
-/* OPENSSL_VERSION_TEXT contains a string the identifies the version of
- * “OpenSSL”. node.js requires a version number in this text. */
+// OPENSSL_VERSION_TEXT contains a string the identifies the version of
+// “OpenSSL”. node.js requires a version number in this text.
#define OPENSSL_VERSION_TEXT "OpenSSL 1.0.2 (compatible; BoringSSL)"
#define SSLEAY_VERSION 0
-/* SSLeay_version is a compatibility function that returns the string
- * "BoringSSL". */
+// SSLeay_version is a compatibility function that returns the string
+// "BoringSSL".
OPENSSL_EXPORT const char *SSLeay_version(int unused);
-/* SSLeay is a compatibility function that returns OPENSSL_VERSION_NUMBER from
- * base.h. */
+// SSLeay is a compatibility function that returns OPENSSL_VERSION_NUMBER from
+// base.h.
OPENSSL_EXPORT unsigned long SSLeay(void);
-/* CRYPTO_malloc_init returns one. */
+// CRYPTO_malloc_init returns one.
OPENSSL_EXPORT int CRYPTO_malloc_init(void);
-/* ENGINE_load_builtin_engines does nothing. */
+// ENGINE_load_builtin_engines does nothing.
OPENSSL_EXPORT void ENGINE_load_builtin_engines(void);
-/* ENGINE_register_all_complete returns one. */
+// ENGINE_register_all_complete returns one.
OPENSSL_EXPORT int ENGINE_register_all_complete(void);
-/* OPENSSL_load_builtin_modules does nothing. */
+// OPENSSL_load_builtin_modules does nothing.
OPENSSL_EXPORT void OPENSSL_load_builtin_modules(void);
#if defined(__cplusplus)
-} /* extern C */
+} // extern C
#endif
-#endif /* OPENSSL_HEADER_CRYPTO_H */
+#endif // OPENSSL_HEADER_CRYPTO_H
diff --git a/src/include/openssl/curve25519.h b/src/include/openssl/curve25519.h
index 11fc25e..58a181f 100644
--- a/src/include/openssl/curve25519.h
+++ b/src/include/openssl/curve25519.h
@@ -22,160 +22,160 @@
#endif
-/* Curve25519.
- *
- * Curve25519 is an elliptic curve. See https://tools.ietf.org/html/rfc7748. */
+// Curve25519.
+//
+// Curve25519 is an elliptic curve. See https://tools.ietf.org/html/rfc7748.
-/* X25519.
- *
- * X25519 is the Diffie-Hellman primitive built from curve25519. It is
- * sometimes referred to as “curve25519”, but “X25519” is a more precise name.
- * See http://cr.yp.to/ecdh.html and https://tools.ietf.org/html/rfc7748. */
+// X25519.
+//
+// X25519 is the Diffie-Hellman primitive built from curve25519. It is
+// sometimes referred to as “curve25519”, but “X25519” is a more precise name.
+// See http://cr.yp.to/ecdh.html and https://tools.ietf.org/html/rfc7748.
#define X25519_PRIVATE_KEY_LEN 32
#define X25519_PUBLIC_VALUE_LEN 32
#define X25519_SHARED_KEY_LEN 32
-/* X25519_keypair sets |out_public_value| and |out_private_key| to a freshly
- * generated, public–private key pair. */
+// X25519_keypair sets |out_public_value| and |out_private_key| to a freshly
+// generated, public–private key pair.
OPENSSL_EXPORT void X25519_keypair(uint8_t out_public_value[32],
uint8_t out_private_key[32]);
-/* X25519 writes a shared key to |out_shared_key| that is calculated from the
- * given private key and the peer's public value. It returns one on success and
- * zero on error.
- *
- * Don't use the shared key directly, rather use a KDF and also include the two
- * public values as inputs. */
+// X25519 writes a shared key to |out_shared_key| that is calculated from the
+// given private key and the peer's public value. It returns one on success and
+// zero on error.
+//
+// Don't use the shared key directly, rather use a KDF and also include the two
+// public values as inputs.
OPENSSL_EXPORT int X25519(uint8_t out_shared_key[32],
const uint8_t private_key[32],
const uint8_t peer_public_value[32]);
-/* X25519_public_from_private calculates a Diffie-Hellman public value from the
- * given private key and writes it to |out_public_value|. */
+// X25519_public_from_private calculates a Diffie-Hellman public value from the
+// given private key and writes it to |out_public_value|.
OPENSSL_EXPORT void X25519_public_from_private(uint8_t out_public_value[32],
const uint8_t private_key[32]);
-/* Ed25519.
- *
- * Ed25519 is a signature scheme using a twisted-Edwards curve that is
- * birationally equivalent to curve25519.
- *
- * Note that, unlike RFC 8032's formulation, our private key representation
- * includes a public key suffix to make multiple key signing operations with the
- * same key more efficient. The RFC 8032 key private key is referred to in this
- * implementation as the "seed" and is the first 32 bytes of our private key. */
+// Ed25519.
+//
+// Ed25519 is a signature scheme using a twisted-Edwards curve that is
+// birationally equivalent to curve25519.
+//
+// Note that, unlike RFC 8032's formulation, our private key representation
+// includes a public key suffix to make multiple key signing operations with the
+// same key more efficient. The RFC 8032 key private key is referred to in this
+// implementation as the "seed" and is the first 32 bytes of our private key.
#define ED25519_PRIVATE_KEY_LEN 64
#define ED25519_PUBLIC_KEY_LEN 32
#define ED25519_SIGNATURE_LEN 64
-/* ED25519_keypair sets |out_public_key| and |out_private_key| to a freshly
- * generated, public–private key pair. */
+// ED25519_keypair sets |out_public_key| and |out_private_key| to a freshly
+// generated, public–private key pair.
OPENSSL_EXPORT void ED25519_keypair(uint8_t out_public_key[32],
uint8_t out_private_key[64]);
-/* ED25519_sign sets |out_sig| to be a signature of |message_len| bytes from
- * |message| using |private_key|. It returns one on success or zero on
- * error. */
+// ED25519_sign sets |out_sig| to be a signature of |message_len| bytes from
+// |message| using |private_key|. It returns one on success or zero on
+// error.
OPENSSL_EXPORT int ED25519_sign(uint8_t out_sig[64], const uint8_t *message,
size_t message_len,
const uint8_t private_key[64]);
-/* ED25519_verify returns one iff |signature| is a valid signature, by
- * |public_key| of |message_len| bytes from |message|. It returns zero
- * otherwise. */
+// ED25519_verify returns one iff |signature| is a valid signature, by
+// |public_key| of |message_len| bytes from |message|. It returns zero
+// otherwise.
OPENSSL_EXPORT int ED25519_verify(const uint8_t *message, size_t message_len,
const uint8_t signature[64],
const uint8_t public_key[32]);
-/* ED25519_keypair_from_seed calculates a public and private key from an
- * Ed25519 “seed”. Seed values are not exposed by this API (although they
- * happen to be the first 32 bytes of a private key) so this function is for
- * interoperating with systems that may store just a seed instead of a full
- * private key. */
+// ED25519_keypair_from_seed calculates a public and private key from an
+// Ed25519 “seed”. Seed values are not exposed by this API (although they
+// happen to be the first 32 bytes of a private key) so this function is for
+// interoperating with systems that may store just a seed instead of a full
+// private key.
OPENSSL_EXPORT void ED25519_keypair_from_seed(uint8_t out_public_key[32],
uint8_t out_private_key[64],
const uint8_t seed[32]);
-/* SPAKE2.
- *
- * SPAKE2 is a password-authenticated key-exchange. It allows two parties,
- * who share a low-entropy secret (i.e. password), to agree on a shared key.
- * An attacker can only make one guess of the password per execution of the
- * protocol.
- *
- * See https://tools.ietf.org/html/draft-irtf-cfrg-spake2-02. */
+// SPAKE2.
+//
+// SPAKE2 is a password-authenticated key-exchange. It allows two parties,
+// who share a low-entropy secret (i.e. password), to agree on a shared key.
+// An attacker can only make one guess of the password per execution of the
+// protocol.
+//
+// See https://tools.ietf.org/html/draft-irtf-cfrg-spake2-02.
-/* spake2_role_t enumerates the different “roles” in SPAKE2. The protocol
- * requires that the symmetry of the two parties be broken so one participant
- * must be “Alice” and the other be “Bob”. */
+// spake2_role_t enumerates the different “roles” in SPAKE2. The protocol
+// requires that the symmetry of the two parties be broken so one participant
+// must be “Alice” and the other be “Bob”.
enum spake2_role_t {
spake2_role_alice,
spake2_role_bob,
};
-/* SPAKE2_CTX_new creates a new |SPAKE2_CTX| (which can only be used for a
- * single execution of the protocol). SPAKE2 requires the symmetry of the two
- * parties to be broken which is indicated via |my_role| – each party must pass
- * a different value for this argument.
- *
- * The |my_name| and |their_name| arguments allow optional, opaque names to be
- * bound into the protocol. For example MAC addresses, hostnames, usernames
- * etc. These values are not exposed and can avoid context-confusion attacks
- * when a password is shared between several devices. */
+// SPAKE2_CTX_new creates a new |SPAKE2_CTX| (which can only be used for a
+// single execution of the protocol). SPAKE2 requires the symmetry of the two
+// parties to be broken which is indicated via |my_role| – each party must pass
+// a different value for this argument.
+//
+// The |my_name| and |their_name| arguments allow optional, opaque names to be
+// bound into the protocol. For example MAC addresses, hostnames, usernames
+// etc. These values are not exposed and can avoid context-confusion attacks
+// when a password is shared between several devices.
OPENSSL_EXPORT SPAKE2_CTX *SPAKE2_CTX_new(
enum spake2_role_t my_role,
const uint8_t *my_name, size_t my_name_len,
const uint8_t *their_name, size_t their_name_len);
-/* SPAKE2_CTX_free frees |ctx| and all the resources that it has allocated. */
+// SPAKE2_CTX_free frees |ctx| and all the resources that it has allocated.
OPENSSL_EXPORT void SPAKE2_CTX_free(SPAKE2_CTX *ctx);
-/* SPAKE2_MAX_MSG_SIZE is the maximum size of a SPAKE2 message. */
+// SPAKE2_MAX_MSG_SIZE is the maximum size of a SPAKE2 message.
#define SPAKE2_MAX_MSG_SIZE 32
-/* SPAKE2_generate_msg generates a SPAKE2 message given |password|, writes
- * it to |out| and sets |*out_len| to the number of bytes written.
- *
- * At most |max_out_len| bytes are written to |out| and, in order to ensure
- * success, |max_out_len| should be at least |SPAKE2_MAX_MSG_SIZE| bytes.
- *
- * This function can only be called once for a given |SPAKE2_CTX|.
- *
- * It returns one on success and zero on error. */
+// SPAKE2_generate_msg generates a SPAKE2 message given |password|, writes
+// it to |out| and sets |*out_len| to the number of bytes written.
+//
+// At most |max_out_len| bytes are written to |out| and, in order to ensure
+// success, |max_out_len| should be at least |SPAKE2_MAX_MSG_SIZE| bytes.
+//
+// This function can only be called once for a given |SPAKE2_CTX|.
+//
+// It returns one on success and zero on error.
OPENSSL_EXPORT int SPAKE2_generate_msg(SPAKE2_CTX *ctx, uint8_t *out,
size_t *out_len, size_t max_out_len,
const uint8_t *password,
size_t password_len);
-/* SPAKE2_MAX_KEY_SIZE is the maximum amount of key material that SPAKE2 will
- * produce. */
+// SPAKE2_MAX_KEY_SIZE is the maximum amount of key material that SPAKE2 will
+// produce.
#define SPAKE2_MAX_KEY_SIZE 64
-/* SPAKE2_process_msg completes the SPAKE2 exchange given the peer's message in
- * |their_msg|, writes at most |max_out_key_len| bytes to |out_key| and sets
- * |*out_key_len| to the number of bytes written.
- *
- * The resulting keying material is suitable for:
- * a) Using directly in a key-confirmation step: i.e. each side could
- * transmit a hash of their role, a channel-binding value and the key
- * material to prove to the other side that they know the shared key.
- * b) Using as input keying material to HKDF to generate a variety of subkeys
- * for encryption etc.
- *
- * If |max_out_key_key| is smaller than the amount of key material generated
- * then the key is silently truncated. If you want to ensure that no truncation
- * occurs then |max_out_key| should be at least |SPAKE2_MAX_KEY_SIZE|.
- *
- * You must call |SPAKE2_generate_msg| on a given |SPAKE2_CTX| before calling
- * this function. On successful return, |ctx| is complete and calling
- * |SPAKE2_CTX_free| is the only acceptable operation on it.
- *
- * Returns one on success or zero on error. */
+// SPAKE2_process_msg completes the SPAKE2 exchange given the peer's message in
+// |their_msg|, writes at most |max_out_key_len| bytes to |out_key| and sets
+// |*out_key_len| to the number of bytes written.
+//
+// The resulting keying material is suitable for:
+// a) Using directly in a key-confirmation step: i.e. each side could
+// transmit a hash of their role, a channel-binding value and the key
+// material to prove to the other side that they know the shared key.
+// b) Using as input keying material to HKDF to generate a variety of subkeys
+// for encryption etc.
+//
+// If |max_out_key_key| is smaller than the amount of key material generated
+// then the key is silently truncated. If you want to ensure that no truncation
+// occurs then |max_out_key| should be at least |SPAKE2_MAX_KEY_SIZE|.
+//
+// You must call |SPAKE2_generate_msg| on a given |SPAKE2_CTX| before calling
+// this function. On successful return, |ctx| is complete and calling
+// |SPAKE2_CTX_free| is the only acceptable operation on it.
+//
+// Returns one on success or zero on error.
OPENSSL_EXPORT int SPAKE2_process_msg(SPAKE2_CTX *ctx, uint8_t *out_key,
size_t *out_key_len,
size_t max_out_key_len,
@@ -184,7 +184,7 @@
#if defined(__cplusplus)
-} /* extern C */
+} // extern C
extern "C++" {
@@ -194,8 +194,8 @@
} // namespace bssl
-} /* extern C++ */
+} // extern C++
#endif
-#endif /* OPENSSL_HEADER_CURVE25519_H */
+#endif // OPENSSL_HEADER_CURVE25519_H
diff --git a/src/include/openssl/des.h b/src/include/openssl/des.h
index 2b8dd0f..af1c822 100644
--- a/src/include/openssl/des.h
+++ b/src/include/openssl/des.h
@@ -64,7 +64,7 @@
#endif
-/* DES. */
+// DES.
typedef struct DES_cblock_st {
@@ -85,30 +85,30 @@
#define DES_CBC_MODE 0
#define DES_PCBC_MODE 1
-/* DES_set_key performs a key schedule and initialises |schedule| with |key|. */
+// DES_set_key performs a key schedule and initialises |schedule| with |key|.
OPENSSL_EXPORT void DES_set_key(const DES_cblock *key,
DES_key_schedule *schedule);
-/* DES_set_odd_parity sets the parity bits (the least-significant bits in each
- * byte) of |key| given the other bits in each byte. */
+// DES_set_odd_parity sets the parity bits (the least-significant bits in each
+// byte) of |key| given the other bits in each byte.
OPENSSL_EXPORT void DES_set_odd_parity(DES_cblock *key);
-/* DES_ecb_encrypt encrypts (or decrypts, if |is_encrypt| is |DES_DECRYPT|) a
- * single DES block (8 bytes) from in to out, using the key configured in
- * |schedule|. */
+// DES_ecb_encrypt encrypts (or decrypts, if |is_encrypt| is |DES_DECRYPT|) a
+// single DES block (8 bytes) from in to out, using the key configured in
+// |schedule|.
OPENSSL_EXPORT void DES_ecb_encrypt(const DES_cblock *in, DES_cblock *out,
const DES_key_schedule *schedule,
int is_encrypt);
-/* DES_ncbc_encrypt encrypts (or decrypts, if |enc| is |DES_DECRYPT|) |len|
- * bytes from |in| to |out| with DES in CBC mode. */
+// DES_ncbc_encrypt encrypts (or decrypts, if |enc| is |DES_DECRYPT|) |len|
+// bytes from |in| to |out| with DES in CBC mode.
OPENSSL_EXPORT void DES_ncbc_encrypt(const uint8_t *in, uint8_t *out,
size_t len,
const DES_key_schedule *schedule,
DES_cblock *ivec, int enc);
-/* DES_ecb3_encrypt encrypts (or decrypts, if |enc| is |DES_DECRYPT|) a single
- * block (8 bytes) of data from |input| to |output| using 3DES. */
+// DES_ecb3_encrypt encrypts (or decrypts, if |enc| is |DES_DECRYPT|) a single
+// block (8 bytes) of data from |input| to |output| using 3DES.
OPENSSL_EXPORT void DES_ecb3_encrypt(const DES_cblock *input,
DES_cblock *output,
const DES_key_schedule *ks1,
@@ -116,9 +116,9 @@
const DES_key_schedule *ks3,
int enc);
-/* DES_ede3_cbc_encrypt encrypts (or decrypts, if |enc| is |DES_DECRYPT|) |len|
- * bytes from |in| to |out| with 3DES in CBC mode. 3DES uses three keys, thus
- * the function takes three different |DES_key_schedule|s. */
+// DES_ede3_cbc_encrypt encrypts (or decrypts, if |enc| is |DES_DECRYPT|) |len|
+// bytes from |in| to |out| with 3DES in CBC mode. 3DES uses three keys, thus
+// the function takes three different |DES_key_schedule|s.
OPENSSL_EXPORT void DES_ede3_cbc_encrypt(const uint8_t *in, uint8_t *out,
size_t len,
const DES_key_schedule *ks1,
@@ -126,10 +126,10 @@
const DES_key_schedule *ks3,
DES_cblock *ivec, int enc);
-/* DES_ede2_cbc_encrypt encrypts (or decrypts, if |enc| is |DES_DECRYPT|) |len|
- * bytes from |in| to |out| with 3DES in CBC mode. With this keying option, the
- * first and third 3DES keys are identical. Thus, this function takes only two
- * different |DES_key_schedule|s. */
+// DES_ede2_cbc_encrypt encrypts (or decrypts, if |enc| is |DES_DECRYPT|) |len|
+// bytes from |in| to |out| with 3DES in CBC mode. With this keying option, the
+// first and third 3DES keys are identical. Thus, this function takes only two
+// different |DES_key_schedule|s.
OPENSSL_EXPORT void DES_ede2_cbc_encrypt(const uint8_t *in, uint8_t *out,
size_t len,
const DES_key_schedule *ks1,
@@ -137,9 +137,9 @@
DES_cblock *ivec, int enc);
-/* Deprecated functions. */
+// Deprecated functions.
-/* DES_set_key_unchecked calls |DES_set_key|. */
+// DES_set_key_unchecked calls |DES_set_key|.
OPENSSL_EXPORT void DES_set_key_unchecked(const DES_cblock *key,
DES_key_schedule *schedule);
@@ -157,9 +157,9 @@
DES_cblock *ivec, int enc);
-/* Private functions.
- *
- * These functions are only exported for use in |decrepit|. */
+// Private functions.
+//
+// These functions are only exported for use in |decrepit|.
OPENSSL_EXPORT void DES_decrypt3(uint32_t *data, const DES_key_schedule *ks1,
const DES_key_schedule *ks2,
@@ -171,7 +171,7 @@
#if defined(__cplusplus)
-} /* extern C */
+} // extern C
#endif
-#endif /* OPENSSL_HEADER_DES_H */
+#endif // OPENSSL_HEADER_DES_H
diff --git a/src/include/openssl/dh.h b/src/include/openssl/dh.h
index 9f92a06..d78bbeb 100644
--- a/src/include/openssl/dh.h
+++ b/src/include/openssl/dh.h
@@ -59,7 +59,6 @@
#include <openssl/base.h>
-#include <openssl/engine.h>
#include <openssl/ex_data.h>
#include <openssl/thread.h>
@@ -68,92 +67,83 @@
#endif
-/* DH contains functions for performing Diffie-Hellman key agreement in
- * multiplicative groups. */
+// DH contains functions for performing Diffie-Hellman key agreement in
+// multiplicative groups.
-/* Allocation and destruction. */
+// Allocation and destruction.
-/* DH_new returns a new, empty DH object or NULL on error. */
+// DH_new returns a new, empty DH object or NULL on error.
OPENSSL_EXPORT DH *DH_new(void);
-/* DH_free decrements the reference count of |dh| and frees it if the reference
- * count drops to zero. */
+// DH_free decrements the reference count of |dh| and frees it if the reference
+// count drops to zero.
OPENSSL_EXPORT void DH_free(DH *dh);
-/* DH_up_ref increments the reference count of |dh| and returns one. */
+// DH_up_ref increments the reference count of |dh| and returns one.
OPENSSL_EXPORT int DH_up_ref(DH *dh);
-/* Properties. */
+// Properties.
-/* DH_get0_key sets |*out_pub_key| and |*out_priv_key|, if non-NULL, to |dh|'s
- * public and private key, respectively. If |dh| is a public key, the private
- * key will be set to NULL. */
+// DH_get0_key sets |*out_pub_key| and |*out_priv_key|, if non-NULL, to |dh|'s
+// public and private key, respectively. If |dh| is a public key, the private
+// key will be set to NULL.
OPENSSL_EXPORT void DH_get0_key(const DH *dh, const BIGNUM **out_pub_key,
const BIGNUM **out_priv_key);
-/* DH_get0_pqg sets |*out_p|, |*out_q|, and |*out_g|, if non-NULL, to |dh|'s p,
- * q, and g parameters, respectively. */
+// DH_get0_pqg sets |*out_p|, |*out_q|, and |*out_g|, if non-NULL, to |dh|'s p,
+// q, and g parameters, respectively.
OPENSSL_EXPORT void DH_get0_pqg(const DH *dh, const BIGNUM **out_p,
const BIGNUM **out_q, const BIGNUM **out_g);
-/* Standard parameters.
- *
- * These functions return new DH objects with standard parameters. They return
- * NULL on allocation failure. The |engine| parameter is ignored. */
+// Standard parameters.
-/* These parameters are taken from RFC 5114. */
-
-OPENSSL_EXPORT DH *DH_get_1024_160(const ENGINE *engine);
-OPENSSL_EXPORT DH *DH_get_2048_224(const ENGINE *engine);
-OPENSSL_EXPORT DH *DH_get_2048_256(const ENGINE *engine);
-
-/* BN_get_rfc3526_prime_1536 sets |*ret| to the 1536-bit MODP group from RFC
- * 3526 and returns |ret|. If |ret| is NULL then a fresh |BIGNUM| is allocated
- * and returned. It returns NULL on allocation failure. */
+// BN_get_rfc3526_prime_1536 sets |*ret| to the 1536-bit MODP group from RFC
+// 3526 and returns |ret|. If |ret| is NULL then a fresh |BIGNUM| is allocated
+// and returned. It returns NULL on allocation failure.
OPENSSL_EXPORT BIGNUM *BN_get_rfc3526_prime_1536(BIGNUM *ret);
-/* Parameter generation. */
+// Parameter generation.
#define DH_GENERATOR_2 2
#define DH_GENERATOR_5 5
-/* DH_generate_parameters_ex generates a suitable Diffie-Hellman group with a
- * prime that is |prime_bits| long and stores it in |dh|. The generator of the
- * group will be |generator|, which should be |DH_GENERATOR_2| unless there's a
- * good reason to use a different value. The |cb| argument contains a callback
- * function that will be called during the generation. See the documentation in
- * |bn.h| about this. In addition to the callback invocations from |BN|, |cb|
- * will also be called with |event| equal to three when the generation is
- * complete. */
+// DH_generate_parameters_ex generates a suitable Diffie-Hellman group with a
+// prime that is |prime_bits| long and stores it in |dh|. The generator of the
+// group will be |generator|, which should be |DH_GENERATOR_2| unless there's a
+// good reason to use a different value. The |cb| argument contains a callback
+// function that will be called during the generation. See the documentation in
+// |bn.h| about this. In addition to the callback invocations from |BN|, |cb|
+// will also be called with |event| equal to three when the generation is
+// complete.
OPENSSL_EXPORT int DH_generate_parameters_ex(DH *dh, int prime_bits,
int generator, BN_GENCB *cb);
-/* Diffie-Hellman operations. */
+// Diffie-Hellman operations.
-/* DH_generate_key generates a new, random, private key and stores it in
- * |dh|. It returns one on success and zero on error. */
+// DH_generate_key generates a new, random, private key and stores it in
+// |dh|. It returns one on success and zero on error.
OPENSSL_EXPORT int DH_generate_key(DH *dh);
-/* DH_compute_key calculates the shared key between |dh| and |peers_key| and
- * writes it as a big-endian integer into |out|, which must have |DH_size|
- * bytes of space. It returns the number of bytes written, or a negative number
- * on error. */
+// DH_compute_key calculates the shared key between |dh| and |peers_key| and
+// writes it as a big-endian integer into |out|, which must have |DH_size|
+// bytes of space. It returns the number of bytes written, or a negative number
+// on error.
OPENSSL_EXPORT int DH_compute_key(uint8_t *out, const BIGNUM *peers_key,
DH *dh);
-/* Utility functions. */
+// Utility functions.
-/* DH_size returns the number of bytes in the DH group's prime. */
+// DH_size returns the number of bytes in the DH group's prime.
OPENSSL_EXPORT int DH_size(const DH *dh);
-/* DH_num_bits returns the minimum number of bits needed to represent the
- * absolute value of the DH group's prime. */
+// DH_num_bits returns the minimum number of bits needed to represent the
+// absolute value of the DH group's prime.
OPENSSL_EXPORT unsigned DH_num_bits(const DH *dh);
#define DH_CHECK_P_NOT_PRIME 0x01
@@ -164,49 +154,49 @@
#define DH_CHECK_INVALID_Q_VALUE 0x20
#define DH_CHECK_INVALID_J_VALUE 0x40
-/* These are compatibility defines. */
+// These are compatibility defines.
#define DH_NOT_SUITABLE_GENERATOR DH_CHECK_NOT_SUITABLE_GENERATOR
#define DH_UNABLE_TO_CHECK_GENERATOR DH_CHECK_UNABLE_TO_CHECK_GENERATOR
-/* DH_check checks the suitability of |dh| as a Diffie-Hellman group. and sets
- * |DH_CHECK_*| flags in |*out_flags| if it finds any errors. It returns one if
- * |*out_flags| was successfully set and zero on error.
- *
- * Note: these checks may be quite computationally expensive. */
+// DH_check checks the suitability of |dh| as a Diffie-Hellman group. and sets
+// |DH_CHECK_*| flags in |*out_flags| if it finds any errors. It returns one if
+// |*out_flags| was successfully set and zero on error.
+//
+// Note: these checks may be quite computationally expensive.
OPENSSL_EXPORT int DH_check(const DH *dh, int *out_flags);
#define DH_CHECK_PUBKEY_TOO_SMALL 0x1
#define DH_CHECK_PUBKEY_TOO_LARGE 0x2
#define DH_CHECK_PUBKEY_INVALID 0x4
-/* DH_check_pub_key checks the suitability of |pub_key| as a public key for the
- * DH group in |dh| and sets |DH_CHECK_PUBKEY_*| flags in |*out_flags| if it
- * finds any errors. It returns one if |*out_flags| was successfully set and
- * zero on error. */
+// DH_check_pub_key checks the suitability of |pub_key| as a public key for the
+// DH group in |dh| and sets |DH_CHECK_PUBKEY_*| flags in |*out_flags| if it
+// finds any errors. It returns one if |*out_flags| was successfully set and
+// zero on error.
OPENSSL_EXPORT int DH_check_pub_key(const DH *dh, const BIGNUM *pub_key,
int *out_flags);
-/* DHparams_dup allocates a fresh |DH| and copies the parameters from |dh| into
- * it. It returns the new |DH| or NULL on error. */
+// DHparams_dup allocates a fresh |DH| and copies the parameters from |dh| into
+// it. It returns the new |DH| or NULL on error.
OPENSSL_EXPORT DH *DHparams_dup(const DH *dh);
-/* ASN.1 functions. */
+// ASN.1 functions.
-/* DH_parse_parameters decodes a DER-encoded DHParameter structure (PKCS #3)
- * from |cbs| and advances |cbs|. It returns a newly-allocated |DH| or NULL on
- * error. */
+// DH_parse_parameters decodes a DER-encoded DHParameter structure (PKCS #3)
+// from |cbs| and advances |cbs|. It returns a newly-allocated |DH| or NULL on
+// error.
OPENSSL_EXPORT DH *DH_parse_parameters(CBS *cbs);
-/* DH_marshal_parameters marshals |dh| as a DER-encoded DHParameter structure
- * (PKCS #3) and appends the result to |cbb|. It returns one on success and zero
- * on error. */
+// DH_marshal_parameters marshals |dh| as a DER-encoded DHParameter structure
+// (PKCS #3) and appends the result to |cbb|. It returns one on success and zero
+// on error.
OPENSSL_EXPORT int DH_marshal_parameters(CBB *cbb, const DH *dh);
-/* ex_data functions.
- *
- * See |ex_data.h| for details. */
+// ex_data functions.
+//
+// See |ex_data.h| for details.
OPENSSL_EXPORT int DH_get_ex_new_index(long argl, void *argp,
CRYPTO_EX_unused *unused,
@@ -216,50 +206,50 @@
OPENSSL_EXPORT void *DH_get_ex_data(DH *d, int idx);
-/* Deprecated functions. */
+// Deprecated functions.
-/* DH_generate_parameters behaves like |DH_generate_parameters_ex|, which is
- * what you should use instead. It returns NULL on error, or a newly-allocated
- * |DH| on success. This function is provided for compatibility only. */
+// DH_generate_parameters behaves like |DH_generate_parameters_ex|, which is
+// what you should use instead. It returns NULL on error, or a newly-allocated
+// |DH| on success. This function is provided for compatibility only.
OPENSSL_EXPORT DH *DH_generate_parameters(int prime_len, int generator,
void (*callback)(int, int, void *),
void *cb_arg);
-/* d2i_DHparams parses an ASN.1, DER encoded Diffie-Hellman parameters structure
- * from |len| bytes at |*inp|. If |ret| is not NULL then, on exit, a pointer to
- * the result is in |*ret|. Note that, even if |*ret| is already non-NULL on
- * entry, it will not be written to. Rather, a fresh |DH| is allocated and the
- * previous one is freed.
- *
- * On successful exit, |*inp| is advanced past the DER structure. It
- * returns the result or NULL on error.
- *
- * Use |DH_parse_parameters| instead. */
+// d2i_DHparams parses an ASN.1, DER encoded Diffie-Hellman parameters structure
+// from |len| bytes at |*inp|. If |ret| is not NULL then, on exit, a pointer to
+// the result is in |*ret|. Note that, even if |*ret| is already non-NULL on
+// entry, it will not be written to. Rather, a fresh |DH| is allocated and the
+// previous one is freed.
+//
+// On successful exit, |*inp| is advanced past the DER structure. It
+// returns the result or NULL on error.
+//
+// Use |DH_parse_parameters| instead.
OPENSSL_EXPORT DH *d2i_DHparams(DH **ret, const unsigned char **inp, long len);
-/* i2d_DHparams marshals |in| to an ASN.1, DER structure. If |outp| is not NULL
- * then the result is written to |*outp| and |*outp| is advanced just past the
- * output. It returns the number of bytes in the result, whether written or
- * not, or a negative value on error.
- *
- * Use |DH_marshal_parameters| instead. */
+// i2d_DHparams marshals |in| to an ASN.1, DER structure. If |outp| is not NULL
+// then the result is written to |*outp| and |*outp| is advanced just past the
+// output. It returns the number of bytes in the result, whether written or
+// not, or a negative value on error.
+//
+// Use |DH_marshal_parameters| instead.
OPENSSL_EXPORT int i2d_DHparams(const DH *in, unsigned char **outp);
struct dh_st {
BIGNUM *p;
BIGNUM *g;
- BIGNUM *pub_key; /* g^x mod p */
- BIGNUM *priv_key; /* x */
+ BIGNUM *pub_key; // g^x mod p
+ BIGNUM *priv_key; // x
- /* priv_length contains the length, in bits, of the private value. If zero,
- * the private value will be the same length as |p|. */
+ // priv_length contains the length, in bits, of the private value. If zero,
+ // the private value will be the same length as |p|.
unsigned priv_length;
CRYPTO_MUTEX method_mont_p_lock;
BN_MONT_CTX *method_mont_p;
- /* Place holders if we want to do X9.42 DH */
+ // Place holders if we want to do X9.42 DH
BIGNUM *q;
BIGNUM *j;
unsigned char *seed;
@@ -273,7 +263,7 @@
#if defined(__cplusplus)
-} /* extern C */
+} // extern C
extern "C++" {
@@ -283,7 +273,7 @@
} // namespace bssl
-} /* extern C++ */
+} // extern C++
#endif
@@ -294,4 +284,4 @@
#define DH_R_DECODE_ERROR 104
#define DH_R_ENCODE_ERROR 105
-#endif /* OPENSSL_HEADER_DH_H */
+#endif // OPENSSL_HEADER_DH_H
diff --git a/src/include/openssl/digest.h b/src/include/openssl/digest.h
index 2de84f7..ad6dd50 100644
--- a/src/include/openssl/digest.h
+++ b/src/include/openssl/digest.h
@@ -64,17 +64,17 @@
#endif
-/* Digest functions.
- *
- * An EVP_MD abstracts the details of a specific hash function allowing code to
- * deal with the concept of a "hash function" without needing to know exactly
- * which hash function it is. */
+// Digest functions.
+//
+// An EVP_MD abstracts the details of a specific hash function allowing code to
+// deal with the concept of a "hash function" without needing to know exactly
+// which hash function it is.
-/* Hash algorithms.
- *
- * The following functions return |EVP_MD| objects that implement the named hash
- * function. */
+// Hash algorithms.
+//
+// The following functions return |EVP_MD| objects that implement the named hash
+// function.
OPENSSL_EXPORT const EVP_MD *EVP_md4(void);
OPENSSL_EXPORT const EVP_MD *EVP_md5(void);
@@ -84,185 +84,185 @@
OPENSSL_EXPORT const EVP_MD *EVP_sha384(void);
OPENSSL_EXPORT const EVP_MD *EVP_sha512(void);
-/* EVP_md5_sha1 is a TLS-specific |EVP_MD| which computes the concatenation of
- * MD5 and SHA-1, as used in TLS 1.1 and below. */
+// EVP_md5_sha1 is a TLS-specific |EVP_MD| which computes the concatenation of
+// MD5 and SHA-1, as used in TLS 1.1 and below.
OPENSSL_EXPORT const EVP_MD *EVP_md5_sha1(void);
-/* EVP_get_digestbynid returns an |EVP_MD| for the given NID, or NULL if no
- * such digest is known. */
+// EVP_get_digestbynid returns an |EVP_MD| for the given NID, or NULL if no
+// such digest is known.
OPENSSL_EXPORT const EVP_MD *EVP_get_digestbynid(int nid);
-/* EVP_get_digestbyobj returns an |EVP_MD| for the given |ASN1_OBJECT|, or NULL
- * if no such digest is known. */
+// EVP_get_digestbyobj returns an |EVP_MD| for the given |ASN1_OBJECT|, or NULL
+// if no such digest is known.
OPENSSL_EXPORT const EVP_MD *EVP_get_digestbyobj(const ASN1_OBJECT *obj);
-/* Digest contexts.
- *
- * An EVP_MD_CTX represents the state of a specific digest operation in
- * progress. */
+// Digest contexts.
+//
+// An EVP_MD_CTX represents the state of a specific digest operation in
+// progress.
-/* EVP_MD_CTX_init initialises an, already allocated, |EVP_MD_CTX|. This is the
- * same as setting the structure to zero. */
+// EVP_MD_CTX_init initialises an, already allocated, |EVP_MD_CTX|. This is the
+// same as setting the structure to zero.
OPENSSL_EXPORT void EVP_MD_CTX_init(EVP_MD_CTX *ctx);
-/* EVP_MD_CTX_create allocates and initialises a fresh |EVP_MD_CTX| and returns
- * it, or NULL on allocation failure. */
+// EVP_MD_CTX_create allocates and initialises a fresh |EVP_MD_CTX| and returns
+// it, or NULL on allocation failure.
OPENSSL_EXPORT EVP_MD_CTX *EVP_MD_CTX_create(void);
-/* EVP_MD_CTX_cleanup frees any resources owned by |ctx| and resets it to a
- * freshly initialised state. It does not free |ctx| itself. It returns one. */
+// EVP_MD_CTX_cleanup frees any resources owned by |ctx| and resets it to a
+// freshly initialised state. It does not free |ctx| itself. It returns one.
OPENSSL_EXPORT int EVP_MD_CTX_cleanup(EVP_MD_CTX *ctx);
-/* EVP_MD_CTX_destroy calls |EVP_MD_CTX_cleanup| and then frees |ctx| itself. */
+// EVP_MD_CTX_destroy calls |EVP_MD_CTX_cleanup| and then frees |ctx| itself.
OPENSSL_EXPORT void EVP_MD_CTX_destroy(EVP_MD_CTX *ctx);
-/* EVP_MD_CTX_copy_ex sets |out|, which must already be initialised, to be a
- * copy of |in|. It returns one on success and zero on error. */
+// EVP_MD_CTX_copy_ex sets |out|, which must already be initialised, to be a
+// copy of |in|. It returns one on success and zero on error.
OPENSSL_EXPORT int EVP_MD_CTX_copy_ex(EVP_MD_CTX *out, const EVP_MD_CTX *in);
-/* Digest operations. */
+// Digest operations.
-/* EVP_DigestInit_ex configures |ctx|, which must already have been
- * initialised, for a fresh hashing operation using |type|. It returns one on
- * success and zero otherwise. */
+// EVP_DigestInit_ex configures |ctx|, which must already have been
+// initialised, for a fresh hashing operation using |type|. It returns one on
+// success and zero otherwise.
OPENSSL_EXPORT int EVP_DigestInit_ex(EVP_MD_CTX *ctx, const EVP_MD *type,
ENGINE *engine);
-/* EVP_DigestInit acts like |EVP_DigestInit_ex| except that |ctx| is
- * initialised before use. */
+// EVP_DigestInit acts like |EVP_DigestInit_ex| except that |ctx| is
+// initialised before use.
OPENSSL_EXPORT int EVP_DigestInit(EVP_MD_CTX *ctx, const EVP_MD *type);
-/* EVP_DigestUpdate hashes |len| bytes from |data| into the hashing operation
- * in |ctx|. It returns one. */
+// EVP_DigestUpdate hashes |len| bytes from |data| into the hashing operation
+// in |ctx|. It returns one.
OPENSSL_EXPORT int EVP_DigestUpdate(EVP_MD_CTX *ctx, const void *data,
size_t len);
-/* EVP_MAX_MD_SIZE is the largest digest size supported, in bytes.
- * Functions that output a digest generally require the buffer have
- * at least this much space. */
-#define EVP_MAX_MD_SIZE 64 /* SHA-512 is the longest so far. */
+// EVP_MAX_MD_SIZE is the largest digest size supported, in bytes.
+// Functions that output a digest generally require the buffer have
+// at least this much space.
+#define EVP_MAX_MD_SIZE 64 // SHA-512 is the longest so far.
-/* EVP_MAX_MD_BLOCK_SIZE is the largest digest block size supported, in
- * bytes. */
-#define EVP_MAX_MD_BLOCK_SIZE 128 /* SHA-512 is the longest so far. */
+// EVP_MAX_MD_BLOCK_SIZE is the largest digest block size supported, in
+// bytes.
+#define EVP_MAX_MD_BLOCK_SIZE 128 // SHA-512 is the longest so far.
-/* EVP_DigestFinal_ex finishes the digest in |ctx| and writes the output to
- * |md_out|. |EVP_MD_CTX_size| bytes are written, which is at most
- * |EVP_MAX_MD_SIZE|. If |out_size| is not NULL then |*out_size| is set to the
- * number of bytes written. It returns one. After this call, the hash cannot be
- * updated or finished again until |EVP_DigestInit_ex| is called to start
- * another hashing operation. */
+// EVP_DigestFinal_ex finishes the digest in |ctx| and writes the output to
+// |md_out|. |EVP_MD_CTX_size| bytes are written, which is at most
+// |EVP_MAX_MD_SIZE|. If |out_size| is not NULL then |*out_size| is set to the
+// number of bytes written. It returns one. After this call, the hash cannot be
+// updated or finished again until |EVP_DigestInit_ex| is called to start
+// another hashing operation.
OPENSSL_EXPORT int EVP_DigestFinal_ex(EVP_MD_CTX *ctx, uint8_t *md_out,
unsigned int *out_size);
-/* EVP_DigestFinal acts like |EVP_DigestFinal_ex| except that
- * |EVP_MD_CTX_cleanup| is called on |ctx| before returning. */
+// EVP_DigestFinal acts like |EVP_DigestFinal_ex| except that
+// |EVP_MD_CTX_cleanup| is called on |ctx| before returning.
OPENSSL_EXPORT int EVP_DigestFinal(EVP_MD_CTX *ctx, uint8_t *md_out,
unsigned int *out_size);
-/* EVP_Digest performs a complete hashing operation in one call. It hashes |len|
- * bytes from |data| and writes the digest to |md_out|. |EVP_MD_CTX_size| bytes
- * are written, which is at most |EVP_MAX_MD_SIZE|. If |out_size| is not NULL
- * then |*out_size| is set to the number of bytes written. It returns one on
- * success and zero otherwise. */
+// EVP_Digest performs a complete hashing operation in one call. It hashes |len|
+// bytes from |data| and writes the digest to |md_out|. |EVP_MD_CTX_size| bytes
+// are written, which is at most |EVP_MAX_MD_SIZE|. If |out_size| is not NULL
+// then |*out_size| is set to the number of bytes written. It returns one on
+// success and zero otherwise.
OPENSSL_EXPORT int EVP_Digest(const void *data, size_t len, uint8_t *md_out,
unsigned int *md_out_size, const EVP_MD *type,
ENGINE *impl);
-/* Digest function accessors.
- *
- * These functions allow code to learn details about an abstract hash
- * function. */
+// Digest function accessors.
+//
+// These functions allow code to learn details about an abstract hash
+// function.
-/* EVP_MD_type returns a NID identifying |md|. (For example, |NID_sha256|.) */
+// EVP_MD_type returns a NID identifying |md|. (For example, |NID_sha256|.)
OPENSSL_EXPORT int EVP_MD_type(const EVP_MD *md);
-/* EVP_MD_flags returns the flags for |md|, which is a set of |EVP_MD_FLAG_*|
- * values, ORed together. */
+// EVP_MD_flags returns the flags for |md|, which is a set of |EVP_MD_FLAG_*|
+// values, ORed together.
OPENSSL_EXPORT uint32_t EVP_MD_flags(const EVP_MD *md);
-/* EVP_MD_size returns the digest size of |md|, in bytes. */
+// EVP_MD_size returns the digest size of |md|, in bytes.
OPENSSL_EXPORT size_t EVP_MD_size(const EVP_MD *md);
-/* EVP_MD_block_size returns the native block-size of |md|, in bytes. */
+// EVP_MD_block_size returns the native block-size of |md|, in bytes.
OPENSSL_EXPORT size_t EVP_MD_block_size(const EVP_MD *md);
-/* EVP_MD_FLAG_PKEY_DIGEST indicates the the digest function is used with a
- * specific public key in order to verify signatures. (For example,
- * EVP_dss1.) */
+// EVP_MD_FLAG_PKEY_DIGEST indicates the the digest function is used with a
+// specific public key in order to verify signatures. (For example,
+// EVP_dss1.)
#define EVP_MD_FLAG_PKEY_DIGEST 1
-/* EVP_MD_FLAG_DIGALGID_ABSENT indicates that the parameter type in an X.509
- * DigestAlgorithmIdentifier representing this digest function should be
- * undefined rather than NULL. */
+// EVP_MD_FLAG_DIGALGID_ABSENT indicates that the parameter type in an X.509
+// DigestAlgorithmIdentifier representing this digest function should be
+// undefined rather than NULL.
#define EVP_MD_FLAG_DIGALGID_ABSENT 2
-/* Deprecated functions. */
+// Deprecated functions.
-/* EVP_MD_CTX_copy sets |out|, which must /not/ be initialised, to be a copy of
- * |in|. It returns one on success and zero on error. */
+// EVP_MD_CTX_copy sets |out|, which must /not/ be initialised, to be a copy of
+// |in|. It returns one on success and zero on error.
OPENSSL_EXPORT int EVP_MD_CTX_copy(EVP_MD_CTX *out, const EVP_MD_CTX *in);
-/* EVP_add_digest does nothing and returns one. It exists only for
- * compatibility with OpenSSL. */
+// EVP_add_digest does nothing and returns one. It exists only for
+// compatibility with OpenSSL.
OPENSSL_EXPORT int EVP_add_digest(const EVP_MD *digest);
-/* EVP_get_digestbyname returns an |EVP_MD| given a human readable name in
- * |name|, or NULL if the name is unknown. */
+// EVP_get_digestbyname returns an |EVP_MD| given a human readable name in
+// |name|, or NULL if the name is unknown.
OPENSSL_EXPORT const EVP_MD *EVP_get_digestbyname(const char *);
-/* EVP_dss1 returns the value of EVP_sha1(). This was provided by OpenSSL to
- * specifiy the original DSA signatures, which were fixed to use SHA-1. Note,
- * however, that attempting to sign or verify DSA signatures with the EVP
- * interface will always fail. */
+// EVP_dss1 returns the value of EVP_sha1(). This was provided by OpenSSL to
+// specifiy the original DSA signatures, which were fixed to use SHA-1. Note,
+// however, that attempting to sign or verify DSA signatures with the EVP
+// interface will always fail.
OPENSSL_EXPORT const EVP_MD *EVP_dss1(void);
-/* Digest operation accessors. */
+// Digest operation accessors.
-/* EVP_MD_CTX_md returns the underlying digest function, or NULL if one has not
- * been set. */
+// EVP_MD_CTX_md returns the underlying digest function, or NULL if one has not
+// been set.
OPENSSL_EXPORT const EVP_MD *EVP_MD_CTX_md(const EVP_MD_CTX *ctx);
-/* EVP_MD_CTX_size returns the digest size of |ctx|, in bytes. It
- * will crash if a digest hasn't been set on |ctx|. */
+// EVP_MD_CTX_size returns the digest size of |ctx|, in bytes. It
+// will crash if a digest hasn't been set on |ctx|.
OPENSSL_EXPORT size_t EVP_MD_CTX_size(const EVP_MD_CTX *ctx);
-/* EVP_MD_CTX_block_size returns the block size of the digest function used by
- * |ctx|, in bytes. It will crash if a digest hasn't been set on |ctx|. */
+// EVP_MD_CTX_block_size returns the block size of the digest function used by
+// |ctx|, in bytes. It will crash if a digest hasn't been set on |ctx|.
OPENSSL_EXPORT size_t EVP_MD_CTX_block_size(const EVP_MD_CTX *ctx);
-/* EVP_MD_CTX_type returns a NID describing the digest function used by |ctx|.
- * (For example, |NID_sha256|.) It will crash if a digest hasn't been set on
- * |ctx|. */
+// EVP_MD_CTX_type returns a NID describing the digest function used by |ctx|.
+// (For example, |NID_sha256|.) It will crash if a digest hasn't been set on
+// |ctx|.
OPENSSL_EXPORT int EVP_MD_CTX_type(const EVP_MD_CTX *ctx);
struct evp_md_pctx_ops;
struct env_md_ctx_st {
- /* digest is the underlying digest function, or NULL if not set. */
+ // digest is the underlying digest function, or NULL if not set.
const EVP_MD *digest;
- /* md_data points to a block of memory that contains the hash-specific
- * context. */
+ // md_data points to a block of memory that contains the hash-specific
+ // context.
void *md_data;
- /* pctx is an opaque (at this layer) pointer to additional context that
- * EVP_PKEY functions may store in this object. */
+ // pctx is an opaque (at this layer) pointer to additional context that
+ // EVP_PKEY functions may store in this object.
EVP_PKEY_CTX *pctx;
- /* pctx_ops, if not NULL, points to a vtable that contains functions to
- * manipulate |pctx|. */
+ // pctx_ops, if not NULL, points to a vtable that contains functions to
+ // manipulate |pctx|.
const struct evp_md_pctx_ops *pctx_ops;
} /* EVP_MD_CTX */;
#if defined(__cplusplus)
-} /* extern C */
+} // extern C
#if !defined(BORINGSSL_NO_CXX)
extern "C++" {
@@ -286,4 +286,4 @@
#define DIGEST_R_DECODE_ERROR 101
#define DIGEST_R_UNKNOWN_HASH 102
-#endif /* OPENSSL_HEADER_DIGEST_H */
+#endif // OPENSSL_HEADER_DIGEST_H
diff --git a/src/include/openssl/dsa.h b/src/include/openssl/dsa.h
index f992b91..2b4c08b 100644
--- a/src/include/openssl/dsa.h
+++ b/src/include/openssl/dsa.h
@@ -71,228 +71,228 @@
#endif
-/* DSA contains functions for signing and verifying with the Digital Signature
- * Algorithm. */
+// DSA contains functions for signing and verifying with the Digital Signature
+// Algorithm.
-/* Allocation and destruction. */
+// Allocation and destruction.
-/* DSA_new returns a new, empty DSA object or NULL on error. */
+// DSA_new returns a new, empty DSA object or NULL on error.
OPENSSL_EXPORT DSA *DSA_new(void);
-/* DSA_free decrements the reference count of |dsa| and frees it if the
- * reference count drops to zero. */
+// DSA_free decrements the reference count of |dsa| and frees it if the
+// reference count drops to zero.
OPENSSL_EXPORT void DSA_free(DSA *dsa);
-/* DSA_up_ref increments the reference count of |dsa| and returns one. */
+// DSA_up_ref increments the reference count of |dsa| and returns one.
OPENSSL_EXPORT int DSA_up_ref(DSA *dsa);
-/* Properties. */
+// Properties.
-/* DSA_get0_key sets |*out_pub_key| and |*out_priv_key|, if non-NULL, to |dsa|'s
- * public and private key, respectively. If |dsa| is a public key, the private
- * key will be set to NULL. */
+// DSA_get0_key sets |*out_pub_key| and |*out_priv_key|, if non-NULL, to |dsa|'s
+// public and private key, respectively. If |dsa| is a public key, the private
+// key will be set to NULL.
OPENSSL_EXPORT void DSA_get0_key(const DSA *dsa, const BIGNUM **out_pub_key,
const BIGNUM **out_priv_key);
-/* DSA_get0_pqg sets |*out_p|, |*out_q|, and |*out_g|, if non-NULL, to |dsa|'s
- * p, q, and g parameters, respectively. */
+// DSA_get0_pqg sets |*out_p|, |*out_q|, and |*out_g|, if non-NULL, to |dsa|'s
+// p, q, and g parameters, respectively.
OPENSSL_EXPORT void DSA_get0_pqg(const DSA *dsa, const BIGNUM **out_p,
const BIGNUM **out_q, const BIGNUM **out_g);
-/* Parameter generation. */
+// Parameter generation.
-/* DSA_generate_parameters_ex generates a set of DSA parameters by following
- * the procedure given in FIPS 186-4, appendix A.
- * (http://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.186-4.pdf)
- *
- * The larger prime will have a length of |bits| (e.g. 2048). The |seed| value
- * allows others to generate and verify the same parameters and should be
- * random input which is kept for reference. If |out_counter| or |out_h| are
- * not NULL then the counter and h value used in the generation are written to
- * them.
- *
- * The |cb| argument is passed to |BN_generate_prime_ex| and is thus called
- * during the generation process in order to indicate progress. See the
- * comments for that function for details. In addition to the calls made by
- * |BN_generate_prime_ex|, |DSA_generate_parameters_ex| will call it with
- * |event| equal to 2 and 3 at different stages of the process.
- *
- * It returns one on success and zero otherwise. */
+// DSA_generate_parameters_ex generates a set of DSA parameters by following
+// the procedure given in FIPS 186-4, appendix A.
+// (http://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.186-4.pdf)
+//
+// The larger prime will have a length of |bits| (e.g. 2048). The |seed| value
+// allows others to generate and verify the same parameters and should be
+// random input which is kept for reference. If |out_counter| or |out_h| are
+// not NULL then the counter and h value used in the generation are written to
+// them.
+//
+// The |cb| argument is passed to |BN_generate_prime_ex| and is thus called
+// during the generation process in order to indicate progress. See the
+// comments for that function for details. In addition to the calls made by
+// |BN_generate_prime_ex|, |DSA_generate_parameters_ex| will call it with
+// |event| equal to 2 and 3 at different stages of the process.
+//
+// It returns one on success and zero otherwise.
OPENSSL_EXPORT int DSA_generate_parameters_ex(DSA *dsa, unsigned bits,
const uint8_t *seed,
size_t seed_len, int *out_counter,
unsigned long *out_h,
BN_GENCB *cb);
-/* DSAparams_dup returns a freshly allocated |DSA| that contains a copy of the
- * parameters from |dsa|. It returns NULL on error. */
+// DSAparams_dup returns a freshly allocated |DSA| that contains a copy of the
+// parameters from |dsa|. It returns NULL on error.
OPENSSL_EXPORT DSA *DSAparams_dup(const DSA *dsa);
-/* Key generation. */
+// Key generation.
-/* DSA_generate_key generates a public/private key pair in |dsa|, which must
- * already have parameters setup. It returns one on success and zero on
- * error. */
+// DSA_generate_key generates a public/private key pair in |dsa|, which must
+// already have parameters setup. It returns one on success and zero on
+// error.
OPENSSL_EXPORT int DSA_generate_key(DSA *dsa);
-/* Signatures. */
+// Signatures.
-/* DSA_SIG_st (aka |DSA_SIG|) contains a DSA signature as a pair of integers. */
+// DSA_SIG_st (aka |DSA_SIG|) contains a DSA signature as a pair of integers.
struct DSA_SIG_st {
BIGNUM *r, *s;
};
-/* DSA_SIG_new returns a freshly allocated, DIG_SIG structure or NULL on error.
- * Both |r| and |s| in the signature will be NULL. */
+// DSA_SIG_new returns a freshly allocated, DIG_SIG structure or NULL on error.
+// Both |r| and |s| in the signature will be NULL.
OPENSSL_EXPORT DSA_SIG *DSA_SIG_new(void);
-/* DSA_SIG_free frees the contents of |sig| and then frees |sig| itself. */
+// DSA_SIG_free frees the contents of |sig| and then frees |sig| itself.
OPENSSL_EXPORT void DSA_SIG_free(DSA_SIG *sig);
-/* DSA_do_sign returns a signature of the hash in |digest| by the key in |dsa|
- * and returns an allocated, DSA_SIG structure, or NULL on error. */
+// DSA_do_sign returns a signature of the hash in |digest| by the key in |dsa|
+// and returns an allocated, DSA_SIG structure, or NULL on error.
OPENSSL_EXPORT DSA_SIG *DSA_do_sign(const uint8_t *digest, size_t digest_len,
DSA *dsa);
-/* DSA_do_verify verifies that |sig| is a valid signature, by the public key in
- * |dsa|, of the hash in |digest|. It returns one if so, zero if invalid and -1
- * on error.
- *
- * WARNING: do not use. This function returns -1 for error, 0 for invalid and 1
- * for valid. However, this is dangerously different to the usual OpenSSL
- * convention and could be a disaster if a user did |if (DSA_do_verify(...))|.
- * Because of this, |DSA_check_signature| is a safer version of this.
- *
- * TODO(fork): deprecate. */
+// DSA_do_verify verifies that |sig| is a valid signature, by the public key in
+// |dsa|, of the hash in |digest|. It returns one if so, zero if invalid and -1
+// on error.
+//
+// WARNING: do not use. This function returns -1 for error, 0 for invalid and 1
+// for valid. However, this is dangerously different to the usual OpenSSL
+// convention and could be a disaster if a user did |if (DSA_do_verify(...))|.
+// Because of this, |DSA_check_signature| is a safer version of this.
+//
+// TODO(fork): deprecate.
OPENSSL_EXPORT int DSA_do_verify(const uint8_t *digest, size_t digest_len,
DSA_SIG *sig, const DSA *dsa);
-/* DSA_do_check_signature sets |*out_valid| to zero. Then it verifies that |sig|
- * is a valid signature, by the public key in |dsa| of the hash in |digest|
- * and, if so, it sets |*out_valid| to one.
- *
- * It returns one if it was able to verify the signature as valid or invalid,
- * and zero on error. */
+// DSA_do_check_signature sets |*out_valid| to zero. Then it verifies that |sig|
+// is a valid signature, by the public key in |dsa| of the hash in |digest|
+// and, if so, it sets |*out_valid| to one.
+//
+// It returns one if it was able to verify the signature as valid or invalid,
+// and zero on error.
OPENSSL_EXPORT int DSA_do_check_signature(int *out_valid, const uint8_t *digest,
size_t digest_len, DSA_SIG *sig,
const DSA *dsa);
-/* ASN.1 signatures.
- *
- * These functions also perform DSA signature operations, but deal with ASN.1
- * encoded signatures as opposed to raw |BIGNUM|s. If you don't know what
- * encoding a DSA signature is in, it's probably ASN.1. */
+// ASN.1 signatures.
+//
+// These functions also perform DSA signature operations, but deal with ASN.1
+// encoded signatures as opposed to raw |BIGNUM|s. If you don't know what
+// encoding a DSA signature is in, it's probably ASN.1.
-/* DSA_sign signs |digest| with the key in |dsa| and writes the resulting
- * signature, in ASN.1 form, to |out_sig| and the length of the signature to
- * |*out_siglen|. There must be, at least, |DSA_size(dsa)| bytes of space in
- * |out_sig|. It returns one on success and zero otherwise.
- *
- * (The |type| argument is ignored.) */
+// DSA_sign signs |digest| with the key in |dsa| and writes the resulting
+// signature, in ASN.1 form, to |out_sig| and the length of the signature to
+// |*out_siglen|. There must be, at least, |DSA_size(dsa)| bytes of space in
+// |out_sig|. It returns one on success and zero otherwise.
+//
+// (The |type| argument is ignored.)
OPENSSL_EXPORT int DSA_sign(int type, const uint8_t *digest, size_t digest_len,
uint8_t *out_sig, unsigned int *out_siglen,
DSA *dsa);
-/* DSA_verify verifies that |sig| is a valid, ASN.1 signature, by the public
- * key in |dsa|, of the hash in |digest|. It returns one if so, zero if invalid
- * and -1 on error.
- *
- * (The |type| argument is ignored.)
- *
- * WARNING: do not use. This function returns -1 for error, 0 for invalid and 1
- * for valid. However, this is dangerously different to the usual OpenSSL
- * convention and could be a disaster if a user did |if (DSA_do_verify(...))|.
- * Because of this, |DSA_check_signature| is a safer version of this.
- *
- * TODO(fork): deprecate. */
+// DSA_verify verifies that |sig| is a valid, ASN.1 signature, by the public
+// key in |dsa|, of the hash in |digest|. It returns one if so, zero if invalid
+// and -1 on error.
+//
+// (The |type| argument is ignored.)
+//
+// WARNING: do not use. This function returns -1 for error, 0 for invalid and 1
+// for valid. However, this is dangerously different to the usual OpenSSL
+// convention and could be a disaster if a user did |if (DSA_do_verify(...))|.
+// Because of this, |DSA_check_signature| is a safer version of this.
+//
+// TODO(fork): deprecate.
OPENSSL_EXPORT int DSA_verify(int type, const uint8_t *digest,
size_t digest_len, const uint8_t *sig,
size_t sig_len, const DSA *dsa);
-/* DSA_check_signature sets |*out_valid| to zero. Then it verifies that |sig|
- * is a valid, ASN.1 signature, by the public key in |dsa|, of the hash in
- * |digest|. If so, it sets |*out_valid| to one.
- *
- * It returns one if it was able to verify the signature as valid or invalid,
- * and zero on error. */
+// DSA_check_signature sets |*out_valid| to zero. Then it verifies that |sig|
+// is a valid, ASN.1 signature, by the public key in |dsa|, of the hash in
+// |digest|. If so, it sets |*out_valid| to one.
+//
+// It returns one if it was able to verify the signature as valid or invalid,
+// and zero on error.
OPENSSL_EXPORT int DSA_check_signature(int *out_valid, const uint8_t *digest,
size_t digest_len, const uint8_t *sig,
size_t sig_len, const DSA *dsa);
-/* DSA_size returns the size, in bytes, of an ASN.1 encoded, DSA signature
- * generated by |dsa|. Parameters must already have been setup in |dsa|. */
+// DSA_size returns the size, in bytes, of an ASN.1 encoded, DSA signature
+// generated by |dsa|. Parameters must already have been setup in |dsa|.
OPENSSL_EXPORT int DSA_size(const DSA *dsa);
-/* ASN.1 encoding. */
+// ASN.1 encoding.
-/* DSA_SIG_parse parses a DER-encoded DSA-Sig-Value structure from |cbs| and
- * advances |cbs|. It returns a newly-allocated |DSA_SIG| or NULL on error. */
+// DSA_SIG_parse parses a DER-encoded DSA-Sig-Value structure from |cbs| and
+// advances |cbs|. It returns a newly-allocated |DSA_SIG| or NULL on error.
OPENSSL_EXPORT DSA_SIG *DSA_SIG_parse(CBS *cbs);
-/* DSA_SIG_marshal marshals |sig| as a DER-encoded DSA-Sig-Value and appends the
- * result to |cbb|. It returns one on success and zero on error. */
+// DSA_SIG_marshal marshals |sig| as a DER-encoded DSA-Sig-Value and appends the
+// result to |cbb|. It returns one on success and zero on error.
OPENSSL_EXPORT int DSA_SIG_marshal(CBB *cbb, const DSA_SIG *sig);
-/* DSA_parse_public_key parses a DER-encoded DSA public key from |cbs| and
- * advances |cbs|. It returns a newly-allocated |DSA| or NULL on error. */
+// DSA_parse_public_key parses a DER-encoded DSA public key from |cbs| and
+// advances |cbs|. It returns a newly-allocated |DSA| or NULL on error.
OPENSSL_EXPORT DSA *DSA_parse_public_key(CBS *cbs);
-/* DSA_marshal_public_key marshals |dsa| as a DER-encoded DSA public key and
- * appends the result to |cbb|. It returns one on success and zero on
- * failure. */
+// DSA_marshal_public_key marshals |dsa| as a DER-encoded DSA public key and
+// appends the result to |cbb|. It returns one on success and zero on
+// failure.
OPENSSL_EXPORT int DSA_marshal_public_key(CBB *cbb, const DSA *dsa);
-/* DSA_parse_private_key parses a DER-encoded DSA private key from |cbs| and
- * advances |cbs|. It returns a newly-allocated |DSA| or NULL on error. */
+// DSA_parse_private_key parses a DER-encoded DSA private key from |cbs| and
+// advances |cbs|. It returns a newly-allocated |DSA| or NULL on error.
OPENSSL_EXPORT DSA *DSA_parse_private_key(CBS *cbs);
-/* DSA_marshal_private_key marshals |dsa| as a DER-encoded DSA private key and
- * appends the result to |cbb|. It returns one on success and zero on
- * failure. */
+// DSA_marshal_private_key marshals |dsa| as a DER-encoded DSA private key and
+// appends the result to |cbb|. It returns one on success and zero on
+// failure.
OPENSSL_EXPORT int DSA_marshal_private_key(CBB *cbb, const DSA *dsa);
-/* DSA_parse_parameters parses a DER-encoded Dss-Parms structure (RFC 3279)
- * from |cbs| and advances |cbs|. It returns a newly-allocated |DSA| or NULL on
- * error. */
+// DSA_parse_parameters parses a DER-encoded Dss-Parms structure (RFC 3279)
+// from |cbs| and advances |cbs|. It returns a newly-allocated |DSA| or NULL on
+// error.
OPENSSL_EXPORT DSA *DSA_parse_parameters(CBS *cbs);
-/* DSA_marshal_parameters marshals |dsa| as a DER-encoded Dss-Parms structure
- * (RFC 3447) and appends the result to |cbb|. It returns one on success and
- * zero on failure. */
+// DSA_marshal_parameters marshals |dsa| as a DER-encoded Dss-Parms structure
+// (RFC 3447) and appends the result to |cbb|. It returns one on success and
+// zero on failure.
OPENSSL_EXPORT int DSA_marshal_parameters(CBB *cbb, const DSA *dsa);
-/* Precomputation. */
+// Precomputation.
-/* DSA_sign_setup precomputes the message independent part of the DSA signature
- * and writes them to |*out_kinv| and |*out_r|. Returns one on success, zero on
- * error.
- *
- * TODO(fork): decide what to do with this. Since making DSA* opaque there's no
- * way for the user to install them. Also, it forces the DSA* not to be const
- * when passing to the signing function. */
+// DSA_sign_setup precomputes the message independent part of the DSA signature
+// and writes them to |*out_kinv| and |*out_r|. Returns one on success, zero on
+// error.
+//
+// TODO(fork): decide what to do with this. Since making DSA* opaque there's no
+// way for the user to install them. Also, it forces the DSA* not to be const
+// when passing to the signing function.
OPENSSL_EXPORT int DSA_sign_setup(const DSA *dsa, BN_CTX *ctx,
BIGNUM **out_kinv, BIGNUM **out_r);
-/* Conversion. */
+// Conversion.
-/* DSA_dup_DH returns a |DH| constructed from the parameters of |dsa|. This is
- * sometimes needed when Diffie-Hellman parameters are stored in the form of
- * DSA parameters. It returns an allocated |DH| on success or NULL on error. */
+// DSA_dup_DH returns a |DH| constructed from the parameters of |dsa|. This is
+// sometimes needed when Diffie-Hellman parameters are stored in the form of
+// DSA parameters. It returns an allocated |DH| on success or NULL on error.
OPENSSL_EXPORT DH *DSA_dup_DH(const DSA *dsa);
-/* ex_data functions.
- *
- * See |ex_data.h| for details. */
+// ex_data functions.
+//
+// See |ex_data.h| for details.
OPENSSL_EXPORT int DSA_get_ex_new_index(long argl, void *argp,
CRYPTO_EX_unused *unused,
@@ -302,84 +302,84 @@
OPENSSL_EXPORT void *DSA_get_ex_data(const DSA *dsa, int idx);
-/* Deprecated functions. */
+// Deprecated functions.
-/* d2i_DSA_SIG parses an ASN.1, DER-encoded, DSA signature from |len| bytes at
- * |*inp|. If |out_sig| is not NULL then, on exit, a pointer to the result is
- * in |*out_sig|. Note that, even if |*out_sig| is already non-NULL on entry, it
- * will not be written to. Rather, a fresh |DSA_SIG| is allocated and the
- * previous one is freed. On successful exit, |*inp| is advanced past the DER
- * structure. It returns the result or NULL on error.
- *
- * Use |DSA_SIG_parse| instead. */
+// d2i_DSA_SIG parses an ASN.1, DER-encoded, DSA signature from |len| bytes at
+// |*inp|. If |out_sig| is not NULL then, on exit, a pointer to the result is
+// in |*out_sig|. Note that, even if |*out_sig| is already non-NULL on entry, it
+// will not be written to. Rather, a fresh |DSA_SIG| is allocated and the
+// previous one is freed. On successful exit, |*inp| is advanced past the DER
+// structure. It returns the result or NULL on error.
+//
+// Use |DSA_SIG_parse| instead.
OPENSSL_EXPORT DSA_SIG *d2i_DSA_SIG(DSA_SIG **out_sig, const uint8_t **inp,
long len);
-/* i2d_DSA_SIG marshals |in| to an ASN.1, DER structure. If |outp| is not NULL
- * then the result is written to |*outp| and |*outp| is advanced just past the
- * output. It returns the number of bytes in the result, whether written or not,
- * or a negative value on error.
- *
- * Use |DSA_SIG_marshal| instead. */
+// i2d_DSA_SIG marshals |in| to an ASN.1, DER structure. If |outp| is not NULL
+// then the result is written to |*outp| and |*outp| is advanced just past the
+// output. It returns the number of bytes in the result, whether written or not,
+// or a negative value on error.
+//
+// Use |DSA_SIG_marshal| instead.
OPENSSL_EXPORT int i2d_DSA_SIG(const DSA_SIG *in, uint8_t **outp);
-/* d2i_DSAPublicKey parses an ASN.1, DER-encoded, DSA public key from |len|
- * bytes at |*inp|. If |out| is not NULL then, on exit, a pointer to the result
- * is in |*out|. Note that, even if |*ou| is already non-NULL on entry, it will
- * not be written to. Rather, a fresh |DSA| is allocated and the previous one is
- * freed. On successful exit, |*inp| is advanced past the DER structure. It
- * returns the result or NULL on error.
- *
- * Use |DSA_parse_public_key| instead. */
+// d2i_DSAPublicKey parses an ASN.1, DER-encoded, DSA public key from |len|
+// bytes at |*inp|. If |out| is not NULL then, on exit, a pointer to the result
+// is in |*out|. Note that, even if |*ou| is already non-NULL on entry, it will
+// not be written to. Rather, a fresh |DSA| is allocated and the previous one is
+// freed. On successful exit, |*inp| is advanced past the DER structure. It
+// returns the result or NULL on error.
+//
+// Use |DSA_parse_public_key| instead.
OPENSSL_EXPORT DSA *d2i_DSAPublicKey(DSA **out, const uint8_t **inp, long len);
-/* i2d_DSAPublicKey marshals a public key from |in| to an ASN.1, DER structure.
- * If |outp| is not NULL then the result is written to |*outp| and |*outp| is
- * advanced just past the output. It returns the number of bytes in the result,
- * whether written or not, or a negative value on error.
- *
- * Use |DSA_marshal_public_key| instead. */
+// i2d_DSAPublicKey marshals a public key from |in| to an ASN.1, DER structure.
+// If |outp| is not NULL then the result is written to |*outp| and |*outp| is
+// advanced just past the output. It returns the number of bytes in the result,
+// whether written or not, or a negative value on error.
+//
+// Use |DSA_marshal_public_key| instead.
OPENSSL_EXPORT int i2d_DSAPublicKey(const DSA *in, uint8_t **outp);
-/* d2i_DSAPrivateKey parses an ASN.1, DER-encoded, DSA private key from |len|
- * bytes at |*inp|. If |out| is not NULL then, on exit, a pointer to the result
- * is in |*out|. Note that, even if |*out| is already non-NULL on entry, it will
- * not be written to. Rather, a fresh |DSA| is allocated and the previous one is
- * freed. On successful exit, |*inp| is advanced past the DER structure. It
- * returns the result or NULL on error.
- *
- * Use |DSA_parse_private_key| instead. */
+// d2i_DSAPrivateKey parses an ASN.1, DER-encoded, DSA private key from |len|
+// bytes at |*inp|. If |out| is not NULL then, on exit, a pointer to the result
+// is in |*out|. Note that, even if |*out| is already non-NULL on entry, it will
+// not be written to. Rather, a fresh |DSA| is allocated and the previous one is
+// freed. On successful exit, |*inp| is advanced past the DER structure. It
+// returns the result or NULL on error.
+//
+// Use |DSA_parse_private_key| instead.
OPENSSL_EXPORT DSA *d2i_DSAPrivateKey(DSA **out, const uint8_t **inp, long len);
-/* i2d_DSAPrivateKey marshals a private key from |in| to an ASN.1, DER
- * structure. If |outp| is not NULL then the result is written to |*outp| and
- * |*outp| is advanced just past the output. It returns the number of bytes in
- * the result, whether written or not, or a negative value on error.
- *
- * Use |DSA_marshal_private_key| instead. */
+// i2d_DSAPrivateKey marshals a private key from |in| to an ASN.1, DER
+// structure. If |outp| is not NULL then the result is written to |*outp| and
+// |*outp| is advanced just past the output. It returns the number of bytes in
+// the result, whether written or not, or a negative value on error.
+//
+// Use |DSA_marshal_private_key| instead.
OPENSSL_EXPORT int i2d_DSAPrivateKey(const DSA *in, uint8_t **outp);
-/* d2i_DSAparams parses ASN.1, DER-encoded, DSA parameters from |len| bytes at
- * |*inp|. If |out| is not NULL then, on exit, a pointer to the result is in
- * |*out|. Note that, even if |*out| is already non-NULL on entry, it will not
- * be written to. Rather, a fresh |DSA| is allocated and the previous one is
- * freed. On successful exit, |*inp| is advanced past the DER structure. It
- * returns the result or NULL on error.
- *
- * Use |DSA_parse_parameters| instead. */
+// d2i_DSAparams parses ASN.1, DER-encoded, DSA parameters from |len| bytes at
+// |*inp|. If |out| is not NULL then, on exit, a pointer to the result is in
+// |*out|. Note that, even if |*out| is already non-NULL on entry, it will not
+// be written to. Rather, a fresh |DSA| is allocated and the previous one is
+// freed. On successful exit, |*inp| is advanced past the DER structure. It
+// returns the result or NULL on error.
+//
+// Use |DSA_parse_parameters| instead.
OPENSSL_EXPORT DSA *d2i_DSAparams(DSA **out, const uint8_t **inp, long len);
-/* i2d_DSAparams marshals DSA parameters from |in| to an ASN.1, DER structure.
- * If |outp| is not NULL then the result is written to |*outp| and |*outp| is
- * advanced just past the output. It returns the number of bytes in the result,
- * whether written or not, or a negative value on error.
- *
- * Use |DSA_marshal_parameters| instead. */
+// i2d_DSAparams marshals DSA parameters from |in| to an ASN.1, DER structure.
+// If |outp| is not NULL then the result is written to |*outp| and |*outp| is
+// advanced just past the output. It returns the number of bytes in the result,
+// whether written or not, or a negative value on error.
+//
+// Use |DSA_marshal_parameters| instead.
OPENSSL_EXPORT int i2d_DSAparams(const DSA *in, uint8_t **outp);
-/* DSA_generate_parameters is a deprecated version of
- * |DSA_generate_parameters_ex| that creates and returns a |DSA*|. Don't use
- * it. */
+// DSA_generate_parameters is a deprecated version of
+// |DSA_generate_parameters_ex| that creates and returns a |DSA*|. Don't use
+// it.
OPENSSL_EXPORT DSA *DSA_generate_parameters(int bits, unsigned char *seed,
int seed_len, int *counter_ret,
unsigned long *h_ret,
@@ -390,17 +390,17 @@
struct dsa_st {
long version;
BIGNUM *p;
- BIGNUM *q; /* == 20 */
+ BIGNUM *q; // == 20
BIGNUM *g;
- BIGNUM *pub_key; /* y public key */
- BIGNUM *priv_key; /* x private key */
+ BIGNUM *pub_key; // y public key
+ BIGNUM *priv_key; // x private key
- BIGNUM *kinv; /* Signing pre-calc */
- BIGNUM *r; /* Signing pre-calc */
+ BIGNUM *kinv; // Signing pre-calc
+ BIGNUM *r; // Signing pre-calc
int flags;
- /* Normally used to cache montgomery values */
+ // Normally used to cache montgomery values
CRYPTO_MUTEX method_mont_lock;
BN_MONT_CTX *method_mont_p;
BN_MONT_CTX *method_mont_q;
@@ -410,7 +410,7 @@
#if defined(__cplusplus)
-} /* extern C */
+} // extern C
extern "C++" {
@@ -421,7 +421,7 @@
} // namespace bssl
-} /* extern C++ */
+} // extern C++
#endif
@@ -433,4 +433,4 @@
#define DSA_R_DECODE_ERROR 105
#define DSA_R_ENCODE_ERROR 106
-#endif /* OPENSSL_HEADER_DSA_H */
+#endif // OPENSSL_HEADER_DSA_H
diff --git a/src/include/openssl/ec.h b/src/include/openssl/ec.h
index 4f06cfb..4a08a9b 100644
--- a/src/include/openssl/ec.h
+++ b/src/include/openssl/ec.h
@@ -75,287 +75,287 @@
#endif
-/* Low-level operations on elliptic curves. */
+// Low-level operations on elliptic curves.
-/* point_conversion_form_t enumerates forms, as defined in X9.62 (ECDSA), for
- * the encoding of a elliptic curve point (x,y) */
+// point_conversion_form_t enumerates forms, as defined in X9.62 (ECDSA), for
+// the encoding of a elliptic curve point (x,y)
typedef enum {
- /* POINT_CONVERSION_COMPRESSED indicates that the point is encoded as z||x,
- * where the octet z specifies which solution of the quadratic equation y
- * is. */
+ // POINT_CONVERSION_COMPRESSED indicates that the point is encoded as z||x,
+ // where the octet z specifies which solution of the quadratic equation y
+ // is.
POINT_CONVERSION_COMPRESSED = 2,
- /* POINT_CONVERSION_UNCOMPRESSED indicates that the point is encoded as
- * z||x||y, where z is the octet 0x04. */
+ // POINT_CONVERSION_UNCOMPRESSED indicates that the point is encoded as
+ // z||x||y, where z is the octet 0x04.
POINT_CONVERSION_UNCOMPRESSED = 4,
- /* POINT_CONVERSION_HYBRID indicates that the point is encoded as z||x||y,
- * where z specifies which solution of the quadratic equation y is. This is
- * not supported by the code and has never been observed in use.
- *
- * TODO(agl): remove once node.js no longer references this. */
+ // POINT_CONVERSION_HYBRID indicates that the point is encoded as z||x||y,
+ // where z specifies which solution of the quadratic equation y is. This is
+ // not supported by the code and has never been observed in use.
+ //
+ // TODO(agl): remove once node.js no longer references this.
POINT_CONVERSION_HYBRID = 6,
} point_conversion_form_t;
-/* Elliptic curve groups. */
+// Elliptic curve groups.
-/* EC_GROUP_new_by_curve_name returns a fresh EC_GROUP object for the elliptic
- * curve specified by |nid|, or NULL on error.
- *
- * The supported NIDs are:
- * NID_secp224r1,
- * NID_X9_62_prime256v1,
- * NID_secp384r1,
- * NID_secp521r1 */
+// EC_GROUP_new_by_curve_name returns a fresh EC_GROUP object for the elliptic
+// curve specified by |nid|, or NULL on error.
+//
+// The supported NIDs are:
+// NID_secp224r1,
+// NID_X9_62_prime256v1,
+// NID_secp384r1,
+// NID_secp521r1
OPENSSL_EXPORT EC_GROUP *EC_GROUP_new_by_curve_name(int nid);
-/* EC_GROUP_free frees |group| and the data that it points to. */
+// EC_GROUP_free frees |group| and the data that it points to.
OPENSSL_EXPORT void EC_GROUP_free(EC_GROUP *group);
-/* EC_GROUP_dup returns a fresh |EC_GROUP| which is equal to |a| or NULL on
- * error. */
+// EC_GROUP_dup returns a fresh |EC_GROUP| which is equal to |a| or NULL on
+// error.
OPENSSL_EXPORT EC_GROUP *EC_GROUP_dup(const EC_GROUP *a);
-/* EC_GROUP_cmp returns zero if |a| and |b| are the same group and non-zero
- * otherwise. */
+// EC_GROUP_cmp returns zero if |a| and |b| are the same group and non-zero
+// otherwise.
OPENSSL_EXPORT int EC_GROUP_cmp(const EC_GROUP *a, const EC_GROUP *b,
BN_CTX *ignored);
-/* EC_GROUP_get0_generator returns a pointer to the internal |EC_POINT| object
- * in |group| that specifies the generator for the group. */
+// EC_GROUP_get0_generator returns a pointer to the internal |EC_POINT| object
+// in |group| that specifies the generator for the group.
OPENSSL_EXPORT const EC_POINT *EC_GROUP_get0_generator(const EC_GROUP *group);
-/* EC_GROUP_get0_order returns a pointer to the internal |BIGNUM| object in
- * |group| that specifies the order of the group. */
+// EC_GROUP_get0_order returns a pointer to the internal |BIGNUM| object in
+// |group| that specifies the order of the group.
OPENSSL_EXPORT const BIGNUM *EC_GROUP_get0_order(const EC_GROUP *group);
-/* EC_GROUP_get_cofactor sets |*cofactor| to the cofactor of |group| using
- * |ctx|, if it's not NULL. It returns one on success and zero otherwise. */
+// EC_GROUP_get_cofactor sets |*cofactor| to the cofactor of |group| using
+// |ctx|, if it's not NULL. It returns one on success and zero otherwise.
OPENSSL_EXPORT int EC_GROUP_get_cofactor(const EC_GROUP *group,
BIGNUM *cofactor, BN_CTX *ctx);
-/* EC_GROUP_get_curve_GFp gets various parameters about a group. It sets
- * |*out_p| to the order of the coordinate field and |*out_a| and |*out_b| to
- * the parameters of the curve when expressed as y² = x³ + ax + b. Any of the
- * output parameters can be NULL. It returns one on success and zero on
- * error. */
+// EC_GROUP_get_curve_GFp gets various parameters about a group. It sets
+// |*out_p| to the order of the coordinate field and |*out_a| and |*out_b| to
+// the parameters of the curve when expressed as y² = x³ + ax + b. Any of the
+// output parameters can be NULL. It returns one on success and zero on
+// error.
OPENSSL_EXPORT int EC_GROUP_get_curve_GFp(const EC_GROUP *group, BIGNUM *out_p,
BIGNUM *out_a, BIGNUM *out_b,
BN_CTX *ctx);
-/* EC_GROUP_get_curve_name returns a NID that identifies |group|. */
+// EC_GROUP_get_curve_name returns a NID that identifies |group|.
OPENSSL_EXPORT int EC_GROUP_get_curve_name(const EC_GROUP *group);
-/* EC_GROUP_get_degree returns the number of bits needed to represent an
- * element of the field underlying |group|. */
+// EC_GROUP_get_degree returns the number of bits needed to represent an
+// element of the field underlying |group|.
OPENSSL_EXPORT unsigned EC_GROUP_get_degree(const EC_GROUP *group);
-/* Points on elliptic curves. */
+// Points on elliptic curves.
-/* EC_POINT_new returns a fresh |EC_POINT| object in the given group, or NULL
- * on error. */
+// EC_POINT_new returns a fresh |EC_POINT| object in the given group, or NULL
+// on error.
OPENSSL_EXPORT EC_POINT *EC_POINT_new(const EC_GROUP *group);
-/* EC_POINT_free frees |point| and the data that it points to. */
+// EC_POINT_free frees |point| and the data that it points to.
OPENSSL_EXPORT void EC_POINT_free(EC_POINT *point);
-/* EC_POINT_clear_free clears the data that |point| points to, frees it and
- * then frees |point| itself. */
+// EC_POINT_clear_free clears the data that |point| points to, frees it and
+// then frees |point| itself.
OPENSSL_EXPORT void EC_POINT_clear_free(EC_POINT *point);
-/* EC_POINT_copy sets |*dest| equal to |*src|. It returns one on success and
- * zero otherwise. */
+// EC_POINT_copy sets |*dest| equal to |*src|. It returns one on success and
+// zero otherwise.
OPENSSL_EXPORT int EC_POINT_copy(EC_POINT *dest, const EC_POINT *src);
-/* EC_POINT_dup returns a fresh |EC_POINT| that contains the same values as
- * |src|, or NULL on error. */
+// EC_POINT_dup returns a fresh |EC_POINT| that contains the same values as
+// |src|, or NULL on error.
OPENSSL_EXPORT EC_POINT *EC_POINT_dup(const EC_POINT *src,
const EC_GROUP *group);
-/* EC_POINT_set_to_infinity sets |point| to be the "point at infinity" for the
- * given group. */
+// EC_POINT_set_to_infinity sets |point| to be the "point at infinity" for the
+// given group.
OPENSSL_EXPORT int EC_POINT_set_to_infinity(const EC_GROUP *group,
EC_POINT *point);
-/* EC_POINT_is_at_infinity returns one iff |point| is the point at infinity and
- * zero otherwise. */
+// EC_POINT_is_at_infinity returns one iff |point| is the point at infinity and
+// zero otherwise.
OPENSSL_EXPORT int EC_POINT_is_at_infinity(const EC_GROUP *group,
const EC_POINT *point);
-/* EC_POINT_is_on_curve returns one if |point| is an element of |group| and
- * and zero otherwise or when an error occurs. This is different from OpenSSL,
- * which returns -1 on error. If |ctx| is non-NULL, it may be used. */
+// EC_POINT_is_on_curve returns one if |point| is an element of |group| and
+// and zero otherwise or when an error occurs. This is different from OpenSSL,
+// which returns -1 on error. If |ctx| is non-NULL, it may be used.
OPENSSL_EXPORT int EC_POINT_is_on_curve(const EC_GROUP *group,
const EC_POINT *point, BN_CTX *ctx);
-/* EC_POINT_cmp returns zero if |a| is equal to |b|, greater than zero if
- * not equal and -1 on error. If |ctx| is not NULL, it may be used. */
+// EC_POINT_cmp returns zero if |a| is equal to |b|, greater than zero if
+// not equal and -1 on error. If |ctx| is not NULL, it may be used.
OPENSSL_EXPORT int EC_POINT_cmp(const EC_GROUP *group, const EC_POINT *a,
const EC_POINT *b, BN_CTX *ctx);
-/* EC_POINT_make_affine converts |point| to affine form, internally. It returns
- * one on success and zero otherwise. If |ctx| is not NULL, it may be used. */
+// EC_POINT_make_affine converts |point| to affine form, internally. It returns
+// one on success and zero otherwise. If |ctx| is not NULL, it may be used.
OPENSSL_EXPORT int EC_POINT_make_affine(const EC_GROUP *group, EC_POINT *point,
BN_CTX *ctx);
-/* EC_POINTs_make_affine converts |num| points from |points| to affine form,
- * internally. It returns one on success and zero otherwise. If |ctx| is not
- * NULL, it may be used. */
+// EC_POINTs_make_affine converts |num| points from |points| to affine form,
+// internally. It returns one on success and zero otherwise. If |ctx| is not
+// NULL, it may be used.
OPENSSL_EXPORT int EC_POINTs_make_affine(const EC_GROUP *group, size_t num,
EC_POINT *points[], BN_CTX *ctx);
-/* Point conversion. */
+// Point conversion.
-/* EC_POINT_get_affine_coordinates_GFp sets |x| and |y| to the affine value of
- * |point| using |ctx|, if it's not NULL. It returns one on success and zero
- * otherwise. */
+// EC_POINT_get_affine_coordinates_GFp sets |x| and |y| to the affine value of
+// |point| using |ctx|, if it's not NULL. It returns one on success and zero
+// otherwise.
OPENSSL_EXPORT int EC_POINT_get_affine_coordinates_GFp(const EC_GROUP *group,
const EC_POINT *point,
BIGNUM *x, BIGNUM *y,
BN_CTX *ctx);
-/* EC_POINT_set_affine_coordinates_GFp sets the value of |point| to be
- * (|x|, |y|). The |ctx| argument may be used if not NULL. It returns one
- * on success or zero on error. Note that, unlike with OpenSSL, it's
- * considered an error if the point is not on the curve. */
+// EC_POINT_set_affine_coordinates_GFp sets the value of |point| to be
+// (|x|, |y|). The |ctx| argument may be used if not NULL. It returns one
+// on success or zero on error. Note that, unlike with OpenSSL, it's
+// considered an error if the point is not on the curve.
OPENSSL_EXPORT int EC_POINT_set_affine_coordinates_GFp(const EC_GROUP *group,
EC_POINT *point,
const BIGNUM *x,
const BIGNUM *y,
BN_CTX *ctx);
-/* EC_POINT_point2oct serialises |point| into the X9.62 form given by |form|
- * into, at most, |len| bytes at |buf|. It returns the number of bytes written
- * or zero on error if |buf| is non-NULL, else the number of bytes needed. The
- * |ctx| argument may be used if not NULL. */
+// EC_POINT_point2oct serialises |point| into the X9.62 form given by |form|
+// into, at most, |len| bytes at |buf|. It returns the number of bytes written
+// or zero on error if |buf| is non-NULL, else the number of bytes needed. The
+// |ctx| argument may be used if not NULL.
OPENSSL_EXPORT size_t EC_POINT_point2oct(const EC_GROUP *group,
const EC_POINT *point,
point_conversion_form_t form,
uint8_t *buf, size_t len, BN_CTX *ctx);
-/* EC_POINT_point2cbb behaves like |EC_POINT_point2oct| but appends the
- * serialised point to |cbb|. It returns one on success and zero on error. */
+// EC_POINT_point2cbb behaves like |EC_POINT_point2oct| but appends the
+// serialised point to |cbb|. It returns one on success and zero on error.
OPENSSL_EXPORT int EC_POINT_point2cbb(CBB *out, const EC_GROUP *group,
const EC_POINT *point,
point_conversion_form_t form,
BN_CTX *ctx);
-/* EC_POINT_oct2point sets |point| from |len| bytes of X9.62 format
- * serialisation in |buf|. It returns one on success and zero otherwise. The
- * |ctx| argument may be used if not NULL. */
+// EC_POINT_oct2point sets |point| from |len| bytes of X9.62 format
+// serialisation in |buf|. It returns one on success and zero otherwise. The
+// |ctx| argument may be used if not NULL.
OPENSSL_EXPORT int EC_POINT_oct2point(const EC_GROUP *group, EC_POINT *point,
const uint8_t *buf, size_t len,
BN_CTX *ctx);
-/* EC_POINT_set_compressed_coordinates_GFp sets |point| to equal the point with
- * the given |x| coordinate and the y coordinate specified by |y_bit| (see
- * X9.62). It returns one on success and zero otherwise. */
+// EC_POINT_set_compressed_coordinates_GFp sets |point| to equal the point with
+// the given |x| coordinate and the y coordinate specified by |y_bit| (see
+// X9.62). It returns one on success and zero otherwise.
OPENSSL_EXPORT int EC_POINT_set_compressed_coordinates_GFp(
const EC_GROUP *group, EC_POINT *point, const BIGNUM *x, int y_bit,
BN_CTX *ctx);
-/* Group operations. */
+// Group operations.
-/* EC_POINT_add sets |r| equal to |a| plus |b|. It returns one on success and
- * zero otherwise. If |ctx| is not NULL, it may be used. */
+// EC_POINT_add sets |r| equal to |a| plus |b|. It returns one on success and
+// zero otherwise. If |ctx| is not NULL, it may be used.
OPENSSL_EXPORT int EC_POINT_add(const EC_GROUP *group, EC_POINT *r,
const EC_POINT *a, const EC_POINT *b,
BN_CTX *ctx);
-/* EC_POINT_dbl sets |r| equal to |a| plus |a|. It returns one on success and
- * zero otherwise. If |ctx| is not NULL, it may be used. */
+// EC_POINT_dbl sets |r| equal to |a| plus |a|. It returns one on success and
+// zero otherwise. If |ctx| is not NULL, it may be used.
OPENSSL_EXPORT int EC_POINT_dbl(const EC_GROUP *group, EC_POINT *r,
const EC_POINT *a, BN_CTX *ctx);
-/* EC_POINT_invert sets |a| equal to minus |a|. It returns one on success and
- * zero otherwise. If |ctx| is not NULL, it may be used. */
+// EC_POINT_invert sets |a| equal to minus |a|. It returns one on success and
+// zero otherwise. If |ctx| is not NULL, it may be used.
OPENSSL_EXPORT int EC_POINT_invert(const EC_GROUP *group, EC_POINT *a,
BN_CTX *ctx);
-/* EC_POINT_mul sets r = generator*n + q*m. It returns one on success and zero
- * otherwise. If |ctx| is not NULL, it may be used. */
+// EC_POINT_mul sets r = generator*n + q*m. It returns one on success and zero
+// otherwise. If |ctx| is not NULL, it may be used.
OPENSSL_EXPORT int EC_POINT_mul(const EC_GROUP *group, EC_POINT *r,
const BIGNUM *n, const EC_POINT *q,
const BIGNUM *m, BN_CTX *ctx);
-/* Deprecated functions. */
+// Deprecated functions.
-/* EC_GROUP_new_curve_GFp creates a new, arbitrary elliptic curve group based
- * on the equation y² = x³ + a·x + b. It returns the new group or NULL on
- * error.
- *
- * This new group has no generator. It is an error to use a generator-less group
- * with any functions except for |EC_GROUP_free|, |EC_POINT_new|,
- * |EC_POINT_set_affine_coordinates_GFp|, and |EC_GROUP_set_generator|.
- *
- * |EC_GROUP|s returned by this function will always compare as unequal via
- * |EC_GROUP_cmp| (even to themselves). |EC_GROUP_get_curve_name| will always
- * return |NID_undef|.
- *
- * Avoid using arbitrary curves and use |EC_GROUP_new_by_curve_name| instead. */
+// EC_GROUP_new_curve_GFp creates a new, arbitrary elliptic curve group based
+// on the equation y² = x³ + a·x + b. It returns the new group or NULL on
+// error.
+//
+// This new group has no generator. It is an error to use a generator-less group
+// with any functions except for |EC_GROUP_free|, |EC_POINT_new|,
+// |EC_POINT_set_affine_coordinates_GFp|, and |EC_GROUP_set_generator|.
+//
+// |EC_GROUP|s returned by this function will always compare as unequal via
+// |EC_GROUP_cmp| (even to themselves). |EC_GROUP_get_curve_name| will always
+// return |NID_undef|.
+//
+// Avoid using arbitrary curves and use |EC_GROUP_new_by_curve_name| instead.
OPENSSL_EXPORT EC_GROUP *EC_GROUP_new_curve_GFp(const BIGNUM *p,
const BIGNUM *a,
const BIGNUM *b, BN_CTX *ctx);
-/* EC_GROUP_set_generator sets the generator for |group| to |generator|, which
- * must have the given order and cofactor. It may only be used with |EC_GROUP|
- * objects returned by |EC_GROUP_new_curve_GFp| and may only be used once on
- * each group. */
+// EC_GROUP_set_generator sets the generator for |group| to |generator|, which
+// must have the given order and cofactor. It may only be used with |EC_GROUP|
+// objects returned by |EC_GROUP_new_curve_GFp| and may only be used once on
+// each group.
OPENSSL_EXPORT int EC_GROUP_set_generator(EC_GROUP *group,
const EC_POINT *generator,
const BIGNUM *order,
const BIGNUM *cofactor);
-/* EC_GROUP_get_order sets |*order| to the order of |group|, if it's not
- * NULL. It returns one on success and zero otherwise. |ctx| is ignored. Use
- * |EC_GROUP_get0_order| instead. */
+// EC_GROUP_get_order sets |*order| to the order of |group|, if it's not
+// NULL. It returns one on success and zero otherwise. |ctx| is ignored. Use
+// |EC_GROUP_get0_order| instead.
OPENSSL_EXPORT int EC_GROUP_get_order(const EC_GROUP *group, BIGNUM *order,
BN_CTX *ctx);
-/* EC_GROUP_set_asn1_flag does nothing. */
+// EC_GROUP_set_asn1_flag does nothing.
OPENSSL_EXPORT void EC_GROUP_set_asn1_flag(EC_GROUP *group, int flag);
#define OPENSSL_EC_NAMED_CURVE 0
typedef struct ec_method_st EC_METHOD;
-/* EC_GROUP_method_of returns NULL. */
+// EC_GROUP_method_of returns NULL.
OPENSSL_EXPORT const EC_METHOD *EC_GROUP_method_of(const EC_GROUP *group);
-/* EC_METHOD_get_field_type returns NID_X9_62_prime_field. */
+// EC_METHOD_get_field_type returns NID_X9_62_prime_field.
OPENSSL_EXPORT int EC_METHOD_get_field_type(const EC_METHOD *meth);
-/* EC_GROUP_set_point_conversion_form aborts the process if |form| is not
- * |POINT_CONVERSION_UNCOMPRESSED| and otherwise does nothing. */
+// EC_GROUP_set_point_conversion_form aborts the process if |form| is not
+// |POINT_CONVERSION_UNCOMPRESSED| and otherwise does nothing.
OPENSSL_EXPORT void EC_GROUP_set_point_conversion_form(
EC_GROUP *group, point_conversion_form_t form);
-/* EC_builtin_curve describes a supported elliptic curve. */
+// EC_builtin_curve describes a supported elliptic curve.
typedef struct {
int nid;
const char *comment;
} EC_builtin_curve;
-/* EC_get_builtin_curves writes at most |max_num_curves| elements to
- * |out_curves| and returns the total number that it would have written, had
- * |max_num_curves| been large enough.
- *
- * The |EC_builtin_curve| items describe the supported elliptic curves. */
+// EC_get_builtin_curves writes at most |max_num_curves| elements to
+// |out_curves| and returns the total number that it would have written, had
+// |max_num_curves| been large enough.
+//
+// The |EC_builtin_curve| items describe the supported elliptic curves.
OPENSSL_EXPORT size_t EC_get_builtin_curves(EC_builtin_curve *out_curves,
size_t max_num_curves);
-/* Old code expects to get EC_KEY from ec.h. */
+// Old code expects to get EC_KEY from ec.h.
#include <openssl/ec_key.h>
#if defined(__cplusplus)
-} /* extern C */
+} // extern C
extern "C++" {
@@ -366,7 +366,7 @@
} // namespace bssl
-} /* extern C++ */
+} // extern C++
#endif
@@ -404,4 +404,4 @@
#define EC_R_INVALID_COFACTOR 131
#define EC_R_PUBLIC_KEY_VALIDATION_FAILED 132
-#endif /* OPENSSL_HEADER_EC_H */
+#endif // OPENSSL_HEADER_EC_H
diff --git a/src/include/openssl/ec_key.h b/src/include/openssl/ec_key.h
index 7c2957e..7ef1b14 100644
--- a/src/include/openssl/ec_key.h
+++ b/src/include/openssl/ec_key.h
@@ -79,147 +79,147 @@
#endif
-/* ec_key.h contains functions that handle elliptic-curve points that are
- * public/private keys. */
+// ec_key.h contains functions that handle elliptic-curve points that are
+// public/private keys.
-/* EC key objects. */
+// EC key objects.
-/* EC_KEY_new returns a fresh |EC_KEY| object or NULL on error. */
+// EC_KEY_new returns a fresh |EC_KEY| object or NULL on error.
OPENSSL_EXPORT EC_KEY *EC_KEY_new(void);
-/* EC_KEY_new_method acts the same as |EC_KEY_new|, but takes an explicit
- * |ENGINE|. */
+// EC_KEY_new_method acts the same as |EC_KEY_new|, but takes an explicit
+// |ENGINE|.
OPENSSL_EXPORT EC_KEY *EC_KEY_new_method(const ENGINE *engine);
-/* EC_KEY_new_by_curve_name returns a fresh EC_KEY for group specified by |nid|
- * or NULL on error. */
+// EC_KEY_new_by_curve_name returns a fresh EC_KEY for group specified by |nid|
+// or NULL on error.
OPENSSL_EXPORT EC_KEY *EC_KEY_new_by_curve_name(int nid);
-/* EC_KEY_free frees all the data owned by |key| and |key| itself. */
+// EC_KEY_free frees all the data owned by |key| and |key| itself.
OPENSSL_EXPORT void EC_KEY_free(EC_KEY *key);
-/* EC_KEY_copy sets |dst| equal to |src| and returns |dst| or NULL on error. */
+// EC_KEY_copy sets |dst| equal to |src| and returns |dst| or NULL on error.
OPENSSL_EXPORT EC_KEY *EC_KEY_copy(EC_KEY *dst, const EC_KEY *src);
-/* EC_KEY_dup returns a fresh copy of |src| or NULL on error. */
+// EC_KEY_dup returns a fresh copy of |src| or NULL on error.
OPENSSL_EXPORT EC_KEY *EC_KEY_dup(const EC_KEY *src);
-/* EC_KEY_up_ref increases the reference count of |key| and returns one. */
+// EC_KEY_up_ref increases the reference count of |key| and returns one.
OPENSSL_EXPORT int EC_KEY_up_ref(EC_KEY *key);
-/* EC_KEY_is_opaque returns one if |key| is opaque and doesn't expose its key
- * material. Otherwise it return zero. */
+// EC_KEY_is_opaque returns one if |key| is opaque and doesn't expose its key
+// material. Otherwise it return zero.
OPENSSL_EXPORT int EC_KEY_is_opaque(const EC_KEY *key);
-/* EC_KEY_get0_group returns a pointer to the |EC_GROUP| object inside |key|. */
+// EC_KEY_get0_group returns a pointer to the |EC_GROUP| object inside |key|.
OPENSSL_EXPORT const EC_GROUP *EC_KEY_get0_group(const EC_KEY *key);
-/* EC_KEY_set_group sets the |EC_GROUP| object that |key| will use to |group|.
- * It returns one on success and zero otherwise. */
+// EC_KEY_set_group sets the |EC_GROUP| object that |key| will use to |group|.
+// It returns one on success and zero otherwise.
OPENSSL_EXPORT int EC_KEY_set_group(EC_KEY *key, const EC_GROUP *group);
-/* EC_KEY_get0_private_key returns a pointer to the private key inside |key|. */
+// EC_KEY_get0_private_key returns a pointer to the private key inside |key|.
OPENSSL_EXPORT const BIGNUM *EC_KEY_get0_private_key(const EC_KEY *key);
-/* EC_KEY_set_private_key sets the private key of |key| to |priv|. It returns
- * one on success and zero otherwise. */
+// EC_KEY_set_private_key sets the private key of |key| to |priv|. It returns
+// one on success and zero otherwise.
OPENSSL_EXPORT int EC_KEY_set_private_key(EC_KEY *key, const BIGNUM *prv);
-/* EC_KEY_get0_public_key returns a pointer to the public key point inside
- * |key|. */
+// EC_KEY_get0_public_key returns a pointer to the public key point inside
+// |key|.
OPENSSL_EXPORT const EC_POINT *EC_KEY_get0_public_key(const EC_KEY *key);
-/* EC_KEY_set_public_key sets the public key of |key| to |pub|, by copying it.
- * It returns one on success and zero otherwise. */
+// EC_KEY_set_public_key sets the public key of |key| to |pub|, by copying it.
+// It returns one on success and zero otherwise.
OPENSSL_EXPORT int EC_KEY_set_public_key(EC_KEY *key, const EC_POINT *pub);
#define EC_PKEY_NO_PARAMETERS 0x001
#define EC_PKEY_NO_PUBKEY 0x002
-/* EC_KEY_get_enc_flags returns the encoding flags for |key|, which is a
- * bitwise-OR of |EC_PKEY_*| values. */
+// EC_KEY_get_enc_flags returns the encoding flags for |key|, which is a
+// bitwise-OR of |EC_PKEY_*| values.
OPENSSL_EXPORT unsigned EC_KEY_get_enc_flags(const EC_KEY *key);
-/* EC_KEY_set_enc_flags sets the encoding flags for |key|, which is a
- * bitwise-OR of |EC_PKEY_*| values. */
+// EC_KEY_set_enc_flags sets the encoding flags for |key|, which is a
+// bitwise-OR of |EC_PKEY_*| values.
OPENSSL_EXPORT void EC_KEY_set_enc_flags(EC_KEY *key, unsigned flags);
-/* EC_KEY_get_conv_form returns the conversation form that will be used by
- * |key|. */
+// EC_KEY_get_conv_form returns the conversation form that will be used by
+// |key|.
OPENSSL_EXPORT point_conversion_form_t EC_KEY_get_conv_form(const EC_KEY *key);
-/* EC_KEY_set_conv_form sets the conversion form to be used by |key|. */
+// EC_KEY_set_conv_form sets the conversion form to be used by |key|.
OPENSSL_EXPORT void EC_KEY_set_conv_form(EC_KEY *key,
point_conversion_form_t cform);
-/* EC_KEY_check_key performs several checks on |key| (possibly including an
- * expensive check that the public key is in the primary subgroup). It returns
- * one if all checks pass and zero otherwise. If it returns zero then detail
- * about the problem can be found on the error stack. */
+// EC_KEY_check_key performs several checks on |key| (possibly including an
+// expensive check that the public key is in the primary subgroup). It returns
+// one if all checks pass and zero otherwise. If it returns zero then detail
+// about the problem can be found on the error stack.
OPENSSL_EXPORT int EC_KEY_check_key(const EC_KEY *key);
-/* EC_KEY_check_fips performs a signing pairwise consistency test (FIPS 140-2
- * 4.9.2). It returns one if it passes and zero otherwise. */
+// EC_KEY_check_fips performs a signing pairwise consistency test (FIPS 140-2
+// 4.9.2). It returns one if it passes and zero otherwise.
OPENSSL_EXPORT int EC_KEY_check_fips(const EC_KEY *key);
-/* EC_KEY_set_public_key_affine_coordinates sets the public key in |key| to
- * (|x|, |y|). It returns one on success and zero otherwise. */
+// EC_KEY_set_public_key_affine_coordinates sets the public key in |key| to
+// (|x|, |y|). It returns one on success and zero otherwise.
OPENSSL_EXPORT int EC_KEY_set_public_key_affine_coordinates(EC_KEY *key,
BIGNUM *x,
BIGNUM *y);
-/* Key generation. */
+// Key generation.
-/* EC_KEY_generate_key generates a random, private key, calculates the
- * corresponding public key and stores both in |key|. It returns one on success
- * or zero otherwise. */
+// EC_KEY_generate_key generates a random, private key, calculates the
+// corresponding public key and stores both in |key|. It returns one on success
+// or zero otherwise.
OPENSSL_EXPORT int EC_KEY_generate_key(EC_KEY *key);
-/* EC_KEY_generate_key_fips behaves like |EC_KEY_generate_key| but performs
- * additional checks for FIPS compliance. */
+// EC_KEY_generate_key_fips behaves like |EC_KEY_generate_key| but performs
+// additional checks for FIPS compliance.
OPENSSL_EXPORT int EC_KEY_generate_key_fips(EC_KEY *key);
-/* Serialisation. */
+// Serialisation.
-/* EC_KEY_parse_private_key parses a DER-encoded ECPrivateKey structure (RFC
- * 5915) from |cbs| and advances |cbs|. It returns a newly-allocated |EC_KEY| or
- * NULL on error. If |group| is non-null, the parameters field of the
- * ECPrivateKey may be omitted (but must match |group| if present). Otherwise,
- * the parameters field is required. */
+// EC_KEY_parse_private_key parses a DER-encoded ECPrivateKey structure (RFC
+// 5915) from |cbs| and advances |cbs|. It returns a newly-allocated |EC_KEY| or
+// NULL on error. If |group| is non-null, the parameters field of the
+// ECPrivateKey may be omitted (but must match |group| if present). Otherwise,
+// the parameters field is required.
OPENSSL_EXPORT EC_KEY *EC_KEY_parse_private_key(CBS *cbs,
const EC_GROUP *group);
-/* EC_KEY_marshal_private_key marshals |key| as a DER-encoded ECPrivateKey
- * structure (RFC 5915) and appends the result to |cbb|. It returns one on
- * success and zero on failure. |enc_flags| is a combination of |EC_PKEY_*|
- * values and controls whether corresponding fields are omitted. */
+// EC_KEY_marshal_private_key marshals |key| as a DER-encoded ECPrivateKey
+// structure (RFC 5915) and appends the result to |cbb|. It returns one on
+// success and zero on failure. |enc_flags| is a combination of |EC_PKEY_*|
+// values and controls whether corresponding fields are omitted.
OPENSSL_EXPORT int EC_KEY_marshal_private_key(CBB *cbb, const EC_KEY *key,
unsigned enc_flags);
-/* EC_KEY_parse_curve_name parses a DER-encoded OBJECT IDENTIFIER as a curve
- * name from |cbs| and advances |cbs|. It returns a newly-allocated |EC_GROUP|
- * or NULL on error. */
+// EC_KEY_parse_curve_name parses a DER-encoded OBJECT IDENTIFIER as a curve
+// name from |cbs| and advances |cbs|. It returns a newly-allocated |EC_GROUP|
+// or NULL on error.
OPENSSL_EXPORT EC_GROUP *EC_KEY_parse_curve_name(CBS *cbs);
-/* EC_KEY_marshal_curve_name marshals |group| as a DER-encoded OBJECT IDENTIFIER
- * and appends the result to |cbb|. It returns one on success and zero on
- * failure. */
+// EC_KEY_marshal_curve_name marshals |group| as a DER-encoded OBJECT IDENTIFIER
+// and appends the result to |cbb|. It returns one on success and zero on
+// failure.
OPENSSL_EXPORT int EC_KEY_marshal_curve_name(CBB *cbb, const EC_GROUP *group);
-/* EC_KEY_parse_parameters parses a DER-encoded ECParameters structure (RFC
- * 5480) from |cbs| and advances |cbs|. It returns a newly-allocated |EC_GROUP|
- * or NULL on error. It supports the namedCurve and specifiedCurve options, but
- * use of specifiedCurve is deprecated. Use |EC_KEY_parse_curve_name|
- * instead. */
+// EC_KEY_parse_parameters parses a DER-encoded ECParameters structure (RFC
+// 5480) from |cbs| and advances |cbs|. It returns a newly-allocated |EC_GROUP|
+// or NULL on error. It supports the namedCurve and specifiedCurve options, but
+// use of specifiedCurve is deprecated. Use |EC_KEY_parse_curve_name|
+// instead.
OPENSSL_EXPORT EC_GROUP *EC_KEY_parse_parameters(CBS *cbs);
-/* ex_data functions.
- *
- * These functions are wrappers. See |ex_data.h| for details. */
+// ex_data functions.
+//
+// These functions are wrappers. See |ex_data.h| for details.
OPENSSL_EXPORT int EC_KEY_get_ex_new_index(long argl, void *argp,
CRYPTO_EX_unused *unused,
@@ -229,15 +229,15 @@
OPENSSL_EXPORT void *EC_KEY_get_ex_data(const EC_KEY *r, int idx);
-/* ECDSA method. */
+// ECDSA method.
-/* ECDSA_FLAG_OPAQUE specifies that this ECDSA_METHOD does not expose its key
- * material. This may be set if, for instance, it is wrapping some other crypto
- * API, like a platform key store. */
+// ECDSA_FLAG_OPAQUE specifies that this ECDSA_METHOD does not expose its key
+// material. This may be set if, for instance, it is wrapping some other crypto
+// API, like a platform key store.
#define ECDSA_FLAG_OPAQUE 1
-/* ecdsa_method_st is a structure of function pointers for implementing ECDSA.
- * See engine.h. */
+// ecdsa_method_st is a structure of function pointers for implementing ECDSA.
+// See engine.h.
struct ecdsa_method_st {
struct openssl_method_common_st common;
@@ -246,12 +246,12 @@
int (*init)(EC_KEY *key);
int (*finish)(EC_KEY *key);
- /* group_order_size returns the number of bytes needed to represent the order
- * of the group. This is used to calculate the maximum size of an ECDSA
- * signature in |ECDSA_size|. */
+ // group_order_size returns the number of bytes needed to represent the order
+ // of the group. This is used to calculate the maximum size of an ECDSA
+ // signature in |ECDSA_size|.
size_t (*group_order_size)(const EC_KEY *key);
- /* sign matches the arguments and behaviour of |ECDSA_sign|. */
+ // sign matches the arguments and behaviour of |ECDSA_sign|.
int (*sign)(const uint8_t *digest, size_t digest_len, uint8_t *sig,
unsigned int *sig_len, EC_KEY *eckey);
@@ -259,72 +259,72 @@
};
-/* Deprecated functions. */
+// Deprecated functions.
-/* EC_KEY_set_asn1_flag does nothing. */
+// EC_KEY_set_asn1_flag does nothing.
OPENSSL_EXPORT void EC_KEY_set_asn1_flag(EC_KEY *key, int flag);
-/* d2i_ECPrivateKey parses an ASN.1, DER-encoded, private key from |len| bytes
- * at |*inp|. If |out_key| is not NULL then, on exit, a pointer to the result
- * is in |*out_key|. Note that, even if |*out_key| is already non-NULL on entry,
- * it * will not be written to. Rather, a fresh |EC_KEY| is allocated and the
- * previous * one is freed. On successful exit, |*inp| is advanced past the DER
- * structure. It returns the result or NULL on error.
- *
- * On input, if |*out_key| is non-NULL and has a group configured, the
- * parameters field may be omitted but must match that group if present.
- *
- * Use |EC_KEY_parse_private_key| instead. */
+// d2i_ECPrivateKey parses an ASN.1, DER-encoded, private key from |len| bytes
+// at |*inp|. If |out_key| is not NULL then, on exit, a pointer to the result
+// is in |*out_key|. Note that, even if |*out_key| is already non-NULL on entry,
+// it * will not be written to. Rather, a fresh |EC_KEY| is allocated and the
+// previous * one is freed. On successful exit, |*inp| is advanced past the DER
+// structure. It returns the result or NULL on error.
+//
+// On input, if |*out_key| is non-NULL and has a group configured, the
+// parameters field may be omitted but must match that group if present.
+//
+// Use |EC_KEY_parse_private_key| instead.
OPENSSL_EXPORT EC_KEY *d2i_ECPrivateKey(EC_KEY **out_key, const uint8_t **inp,
long len);
-/* i2d_ECPrivateKey marshals an EC private key from |key| to an ASN.1, DER
- * structure. If |outp| is not NULL then the result is written to |*outp| and
- * |*outp| is advanced just past the output. It returns the number of bytes in
- * the result, whether written or not, or a negative value on error.
- *
- * Use |EC_KEY_marshal_private_key| instead. */
+// i2d_ECPrivateKey marshals an EC private key from |key| to an ASN.1, DER
+// structure. If |outp| is not NULL then the result is written to |*outp| and
+// |*outp| is advanced just past the output. It returns the number of bytes in
+// the result, whether written or not, or a negative value on error.
+//
+// Use |EC_KEY_marshal_private_key| instead.
OPENSSL_EXPORT int i2d_ECPrivateKey(const EC_KEY *key, uint8_t **outp);
-/* d2i_ECParameters parses an ASN.1, DER-encoded, set of EC parameters from
- * |len| bytes at |*inp|. If |out_key| is not NULL then, on exit, a pointer to
- * the result is in |*out_key|. Note that, even if |*out_key| is already
- * non-NULL on entry, it will not be written to. Rather, a fresh |EC_KEY| is
- * allocated and the previous one is freed. On successful exit, |*inp| is
- * advanced past the DER structure. It returns the result or NULL on error.
- *
- * Use |EC_KEY_parse_parameters| or |EC_KEY_parse_curve_name| instead. */
+// d2i_ECParameters parses an ASN.1, DER-encoded, set of EC parameters from
+// |len| bytes at |*inp|. If |out_key| is not NULL then, on exit, a pointer to
+// the result is in |*out_key|. Note that, even if |*out_key| is already
+// non-NULL on entry, it will not be written to. Rather, a fresh |EC_KEY| is
+// allocated and the previous one is freed. On successful exit, |*inp| is
+// advanced past the DER structure. It returns the result or NULL on error.
+//
+// Use |EC_KEY_parse_parameters| or |EC_KEY_parse_curve_name| instead.
OPENSSL_EXPORT EC_KEY *d2i_ECParameters(EC_KEY **out_key, const uint8_t **inp,
long len);
-/* i2d_ECParameters marshals EC parameters from |key| to an ASN.1, DER
- * structure. If |outp| is not NULL then the result is written to |*outp| and
- * |*outp| is advanced just past the output. It returns the number of bytes in
- * the result, whether written or not, or a negative value on error.
- *
- * Use |EC_KEY_marshal_curve_name| instead. */
+// i2d_ECParameters marshals EC parameters from |key| to an ASN.1, DER
+// structure. If |outp| is not NULL then the result is written to |*outp| and
+// |*outp| is advanced just past the output. It returns the number of bytes in
+// the result, whether written or not, or a negative value on error.
+//
+// Use |EC_KEY_marshal_curve_name| instead.
OPENSSL_EXPORT int i2d_ECParameters(const EC_KEY *key, uint8_t **outp);
-/* o2i_ECPublicKey parses an EC point from |len| bytes at |*inp| into
- * |*out_key|. Note that this differs from the d2i format in that |*out_key|
- * must be non-NULL with a group set. On successful exit, |*inp| is advanced by
- * |len| bytes. It returns |*out_key| or NULL on error.
- *
- * Use |EC_POINT_oct2point| instead. */
+// o2i_ECPublicKey parses an EC point from |len| bytes at |*inp| into
+// |*out_key|. Note that this differs from the d2i format in that |*out_key|
+// must be non-NULL with a group set. On successful exit, |*inp| is advanced by
+// |len| bytes. It returns |*out_key| or NULL on error.
+//
+// Use |EC_POINT_oct2point| instead.
OPENSSL_EXPORT EC_KEY *o2i_ECPublicKey(EC_KEY **out_key, const uint8_t **inp,
long len);
-/* i2o_ECPublicKey marshals an EC point from |key|. If |outp| is not NULL then
- * the result is written to |*outp| and |*outp| is advanced just past the
- * output. It returns the number of bytes in the result, whether written or
- * not, or a negative value on error.
- *
- * Use |EC_POINT_point2cbb| instead. */
+// i2o_ECPublicKey marshals an EC point from |key|. If |outp| is not NULL then
+// the result is written to |*outp| and |*outp| is advanced just past the
+// output. It returns the number of bytes in the result, whether written or
+// not, or a negative value on error.
+//
+// Use |EC_POINT_point2cbb| instead.
OPENSSL_EXPORT int i2o_ECPublicKey(const EC_KEY *key, unsigned char **outp);
#if defined(__cplusplus)
-} /* extern C */
+} // extern C
extern "C++" {
@@ -334,8 +334,8 @@
} // namespace bssl
-} /* extern C++ */
+} // extern C++
#endif
-#endif /* OPENSSL_HEADER_EC_KEY_H */
+#endif // OPENSSL_HEADER_EC_KEY_H
diff --git a/src/include/openssl/ecdh.h b/src/include/openssl/ecdh.h
index c167503..73e2140 100644
--- a/src/include/openssl/ecdh.h
+++ b/src/include/openssl/ecdh.h
@@ -76,26 +76,26 @@
#endif
-/* Elliptic curve Diffie-Hellman. */
+// Elliptic curve Diffie-Hellman.
-/* ECDH_compute_key calculates the shared key between |pub_key| and |priv_key|.
- * If |kdf| is not NULL, then it is called with the bytes of the shared key and
- * the parameter |out|. When |kdf| returns, the value of |*outlen| becomes the
- * return value. Otherwise, as many bytes of the shared key as will fit are
- * copied directly to, at most, |outlen| bytes at |out|. It returns the number
- * of bytes written to |out|, or -1 on error. */
+// ECDH_compute_key calculates the shared key between |pub_key| and |priv_key|.
+// If |kdf| is not NULL, then it is called with the bytes of the shared key and
+// the parameter |out|. When |kdf| returns, the value of |*outlen| becomes the
+// return value. Otherwise, as many bytes of the shared key as will fit are
+// copied directly to, at most, |outlen| bytes at |out|. It returns the number
+// of bytes written to |out|, or -1 on error.
OPENSSL_EXPORT int ECDH_compute_key(
void *out, size_t outlen, const EC_POINT *pub_key, const EC_KEY *priv_key,
void *(*kdf)(const void *in, size_t inlen, void *out, size_t *outlen));
#if defined(__cplusplus)
-} /* extern C */
+} // extern C
#endif
#define ECDH_R_KDF_FAILED 100
#define ECDH_R_NO_PRIVATE_VALUE 101
#define ECDH_R_POINT_ARITHMETIC_FAILURE 102
-#endif /* OPENSSL_HEADER_ECDH_H */
+#endif // OPENSSL_HEADER_ECDH_H
diff --git a/src/include/openssl/ecdsa.h b/src/include/openssl/ecdsa.h
index 8a158b8..ff26fe4 100644
--- a/src/include/openssl/ecdsa.h
+++ b/src/include/openssl/ecdsa.h
@@ -62,138 +62,138 @@
#endif
-/* ECDSA contains functions for signing and verifying with the Digital Signature
- * Algorithm over elliptic curves. */
+// ECDSA contains functions for signing and verifying with the Digital Signature
+// Algorithm over elliptic curves.
-/* Signing and verifying. */
+// Signing and verifying.
-/* ECDSA_sign signs |digest_len| bytes from |digest| with |key| and writes the
- * resulting signature to |sig|, which must have |ECDSA_size(key)| bytes of
- * space. On successful exit, |*sig_len| is set to the actual number of bytes
- * written. The |type| argument should be zero. It returns one on success and
- * zero otherwise. */
+// ECDSA_sign signs |digest_len| bytes from |digest| with |key| and writes the
+// resulting signature to |sig|, which must have |ECDSA_size(key)| bytes of
+// space. On successful exit, |*sig_len| is set to the actual number of bytes
+// written. The |type| argument should be zero. It returns one on success and
+// zero otherwise.
OPENSSL_EXPORT int ECDSA_sign(int type, const uint8_t *digest,
size_t digest_len, uint8_t *sig,
unsigned int *sig_len, const EC_KEY *key);
-/* ECDSA_verify verifies that |sig_len| bytes from |sig| constitute a valid
- * signature by |key| of |digest|. (The |type| argument should be zero.) It
- * returns one on success or zero if the signature is invalid or an error
- * occurred. */
+// ECDSA_verify verifies that |sig_len| bytes from |sig| constitute a valid
+// signature by |key| of |digest|. (The |type| argument should be zero.) It
+// returns one on success or zero if the signature is invalid or an error
+// occurred.
OPENSSL_EXPORT int ECDSA_verify(int type, const uint8_t *digest,
size_t digest_len, const uint8_t *sig,
size_t sig_len, const EC_KEY *key);
-/* ECDSA_size returns the maximum size of an ECDSA signature using |key|. It
- * returns zero on error. */
+// ECDSA_size returns the maximum size of an ECDSA signature using |key|. It
+// returns zero on error.
OPENSSL_EXPORT size_t ECDSA_size(const EC_KEY *key);
-/* Low-level signing and verification.
- *
- * Low-level functions handle signatures as |ECDSA_SIG| structures which allow
- * the two values in an ECDSA signature to be handled separately. */
+// Low-level signing and verification.
+//
+// Low-level functions handle signatures as |ECDSA_SIG| structures which allow
+// the two values in an ECDSA signature to be handled separately.
struct ecdsa_sig_st {
BIGNUM *r;
BIGNUM *s;
};
-/* ECDSA_SIG_new returns a fresh |ECDSA_SIG| structure or NULL on error. */
+// ECDSA_SIG_new returns a fresh |ECDSA_SIG| structure or NULL on error.
OPENSSL_EXPORT ECDSA_SIG *ECDSA_SIG_new(void);
-/* ECDSA_SIG_free frees |sig| its member |BIGNUM|s. */
+// ECDSA_SIG_free frees |sig| its member |BIGNUM|s.
OPENSSL_EXPORT void ECDSA_SIG_free(ECDSA_SIG *sig);
-/* ECDSA_do_sign signs |digest_len| bytes from |digest| with |key| and returns
- * the resulting signature structure, or NULL on error. */
+// ECDSA_do_sign signs |digest_len| bytes from |digest| with |key| and returns
+// the resulting signature structure, or NULL on error.
OPENSSL_EXPORT ECDSA_SIG *ECDSA_do_sign(const uint8_t *digest,
size_t digest_len, const EC_KEY *key);
-/* ECDSA_do_verify verifies that |sig| constitutes a valid signature by |key|
- * of |digest|. It returns one on success or zero if the signature is invalid
- * or on error. */
+// ECDSA_do_verify verifies that |sig| constitutes a valid signature by |key|
+// of |digest|. It returns one on success or zero if the signature is invalid
+// or on error.
OPENSSL_EXPORT int ECDSA_do_verify(const uint8_t *digest, size_t digest_len,
const ECDSA_SIG *sig, const EC_KEY *key);
-/* Signing with precomputation.
- *
- * Parts of the ECDSA signature can be independent of the message to be signed
- * thus it's possible to precompute them and reduce the signing latency.
- *
- * TODO(fork): remove support for this as it cannot support safe-randomness. */
+// Signing with precomputation.
+//
+// Parts of the ECDSA signature can be independent of the message to be signed
+// thus it's possible to precompute them and reduce the signing latency.
+//
+// TODO(fork): remove support for this as it cannot support safe-randomness.
-/* ECDSA_sign_setup precomputes parts of an ECDSA signing operation. It sets
- * |*kinv| and |*rp| to the precomputed values and uses the |ctx| argument, if
- * not NULL. It returns one on success and zero otherwise. */
+// ECDSA_sign_setup precomputes parts of an ECDSA signing operation. It sets
+// |*kinv| and |*rp| to the precomputed values and uses the |ctx| argument, if
+// not NULL. It returns one on success and zero otherwise.
OPENSSL_EXPORT int ECDSA_sign_setup(const EC_KEY *eckey, BN_CTX *ctx,
BIGNUM **kinv, BIGNUM **rp);
-/* ECDSA_do_sign_ex is the same as |ECDSA_do_sign| but takes precomputed values
- * as generated by |ECDSA_sign_setup|. */
+// ECDSA_do_sign_ex is the same as |ECDSA_do_sign| but takes precomputed values
+// as generated by |ECDSA_sign_setup|.
OPENSSL_EXPORT ECDSA_SIG *ECDSA_do_sign_ex(const uint8_t *digest,
size_t digest_len,
const BIGNUM *kinv, const BIGNUM *rp,
const EC_KEY *eckey);
-/* ECDSA_sign_ex is the same as |ECDSA_sign| but takes precomputed values as
- * generated by |ECDSA_sign_setup|. */
+// ECDSA_sign_ex is the same as |ECDSA_sign| but takes precomputed values as
+// generated by |ECDSA_sign_setup|.
OPENSSL_EXPORT int ECDSA_sign_ex(int type, const uint8_t *digest,
size_t digest_len, uint8_t *sig,
unsigned int *sig_len, const BIGNUM *kinv,
const BIGNUM *rp, const EC_KEY *eckey);
-/* ASN.1 functions. */
+// ASN.1 functions.
-/* ECDSA_SIG_parse parses a DER-encoded ECDSA-Sig-Value structure from |cbs| and
- * advances |cbs|. It returns a newly-allocated |ECDSA_SIG| or NULL on error. */
+// ECDSA_SIG_parse parses a DER-encoded ECDSA-Sig-Value structure from |cbs| and
+// advances |cbs|. It returns a newly-allocated |ECDSA_SIG| or NULL on error.
OPENSSL_EXPORT ECDSA_SIG *ECDSA_SIG_parse(CBS *cbs);
-/* ECDSA_SIG_from_bytes parses |in| as a DER-encoded ECDSA-Sig-Value structure.
- * It returns a newly-allocated |ECDSA_SIG| structure or NULL on error. */
+// ECDSA_SIG_from_bytes parses |in| as a DER-encoded ECDSA-Sig-Value structure.
+// It returns a newly-allocated |ECDSA_SIG| structure or NULL on error.
OPENSSL_EXPORT ECDSA_SIG *ECDSA_SIG_from_bytes(const uint8_t *in,
size_t in_len);
-/* ECDSA_SIG_marshal marshals |sig| as a DER-encoded ECDSA-Sig-Value and appends
- * the result to |cbb|. It returns one on success and zero on error. */
+// ECDSA_SIG_marshal marshals |sig| as a DER-encoded ECDSA-Sig-Value and appends
+// the result to |cbb|. It returns one on success and zero on error.
OPENSSL_EXPORT int ECDSA_SIG_marshal(CBB *cbb, const ECDSA_SIG *sig);
-/* ECDSA_SIG_to_bytes marshals |sig| as a DER-encoded ECDSA-Sig-Value and, on
- * success, sets |*out_bytes| to a newly allocated buffer containing the result
- * and returns one. Otherwise, it returns zero. The result should be freed with
- * |OPENSSL_free|. */
+// ECDSA_SIG_to_bytes marshals |sig| as a DER-encoded ECDSA-Sig-Value and, on
+// success, sets |*out_bytes| to a newly allocated buffer containing the result
+// and returns one. Otherwise, it returns zero. The result should be freed with
+// |OPENSSL_free|.
OPENSSL_EXPORT int ECDSA_SIG_to_bytes(uint8_t **out_bytes, size_t *out_len,
const ECDSA_SIG *sig);
-/* ECDSA_SIG_max_len returns the maximum length of a DER-encoded ECDSA-Sig-Value
- * structure for a group whose order is represented in |order_len| bytes, or
- * zero on overflow. */
+// ECDSA_SIG_max_len returns the maximum length of a DER-encoded ECDSA-Sig-Value
+// structure for a group whose order is represented in |order_len| bytes, or
+// zero on overflow.
OPENSSL_EXPORT size_t ECDSA_SIG_max_len(size_t order_len);
-/* Deprecated functions. */
+// Deprecated functions.
-/* d2i_ECDSA_SIG parses an ASN.1, DER-encoded, signature from |len| bytes at
- * |*inp|. If |out| is not NULL then, on exit, a pointer to the result is in
- * |*out|. Note that, even if |*out| is already non-NULL on entry, it will not
- * be written to. Rather, a fresh |ECDSA_SIG| is allocated and the previous one
- * is freed. On successful exit, |*inp| is advanced past the DER structure. It
- * returns the result or NULL on error. */
+// d2i_ECDSA_SIG parses an ASN.1, DER-encoded, signature from |len| bytes at
+// |*inp|. If |out| is not NULL then, on exit, a pointer to the result is in
+// |*out|. Note that, even if |*out| is already non-NULL on entry, it will not
+// be written to. Rather, a fresh |ECDSA_SIG| is allocated and the previous one
+// is freed. On successful exit, |*inp| is advanced past the DER structure. It
+// returns the result or NULL on error.
OPENSSL_EXPORT ECDSA_SIG *d2i_ECDSA_SIG(ECDSA_SIG **out, const uint8_t **inp,
long len);
-/* i2d_ECDSA_SIG marshals a signature from |sig| to an ASN.1, DER
- * structure. If |outp| is not NULL then the result is written to |*outp| and
- * |*outp| is advanced just past the output. It returns the number of bytes in
- * the result, whether written or not, or a negative value on error. */
+// i2d_ECDSA_SIG marshals a signature from |sig| to an ASN.1, DER
+// structure. If |outp| is not NULL then the result is written to |*outp| and
+// |*outp| is advanced just past the output. It returns the number of bytes in
+// the result, whether written or not, or a negative value on error.
OPENSSL_EXPORT int i2d_ECDSA_SIG(const ECDSA_SIG *sig, uint8_t **outp);
#if defined(__cplusplus)
-} /* extern C */
+} // extern C
extern "C++" {
@@ -203,7 +203,7 @@
} // namespace bssl
-} /* extern C++ */
+} // extern C++
#endif
@@ -214,4 +214,4 @@
#define ECDSA_R_RANDOM_NUMBER_GENERATION_FAILED 104
#define ECDSA_R_ENCODE_ERROR 105
-#endif /* OPENSSL_HEADER_ECDSA_H */
+#endif // OPENSSL_HEADER_ECDSA_H
diff --git a/src/include/openssl/engine.h b/src/include/openssl/engine.h
index b029ef9..595e53c 100644
--- a/src/include/openssl/engine.h
+++ b/src/include/openssl/engine.h
@@ -22,36 +22,36 @@
#endif
-/* Engines are collections of methods. Methods are tables of function pointers,
- * defined for certain algorithms, that allow operations on those algorithms to
- * be overridden via a callback. This can be used, for example, to implement an
- * RSA* that forwards operations to a hardware module.
- *
- * Methods are reference counted but |ENGINE|s are not. When creating a method,
- * you should zero the whole structure and fill in the function pointers that
- * you wish before setting it on an |ENGINE|. Any functions pointers that
- * are NULL indicate that the default behaviour should be used. */
+// Engines are collections of methods. Methods are tables of function pointers,
+// defined for certain algorithms, that allow operations on those algorithms to
+// be overridden via a callback. This can be used, for example, to implement an
+// RSA* that forwards operations to a hardware module.
+//
+// Methods are reference counted but |ENGINE|s are not. When creating a method,
+// you should zero the whole structure and fill in the function pointers that
+// you wish before setting it on an |ENGINE|. Any functions pointers that
+// are NULL indicate that the default behaviour should be used.
-/* Allocation and destruction. */
+// Allocation and destruction.
-/* ENGINE_new returns an empty ENGINE that uses the default method for all
- * algorithms. */
+// ENGINE_new returns an empty ENGINE that uses the default method for all
+// algorithms.
OPENSSL_EXPORT ENGINE *ENGINE_new(void);
-/* ENGINE_free decrements the reference counts for all methods linked from
- * |engine| and frees |engine| itself. */
+// ENGINE_free decrements the reference counts for all methods linked from
+// |engine| and frees |engine| itself.
OPENSSL_EXPORT void ENGINE_free(ENGINE *engine);
-/* Method accessors.
- *
- * Method accessors take a method pointer and the size of the structure. The
- * size allows for ABI compatibility in the case that the method structure is
- * extended with extra elements at the end. Methods are always copied by the
- * set functions.
- *
- * Set functions return one on success and zero on allocation failure. */
+// Method accessors.
+//
+// Method accessors take a method pointer and the size of the structure. The
+// size allows for ABI compatibility in the case that the method structure is
+// extended with extra elements at the end. Methods are always copied by the
+// set functions.
+//
+// Set functions return one on success and zero on allocation failure.
OPENSSL_EXPORT int ENGINE_set_RSA_method(ENGINE *engine,
const RSA_METHOD *method,
@@ -64,33 +64,33 @@
OPENSSL_EXPORT ECDSA_METHOD *ENGINE_get_ECDSA_method(const ENGINE *engine);
-/* Generic method functions.
- *
- * These functions take a void* type but actually operate on all method
- * structures. */
+// Generic method functions.
+//
+// These functions take a void* type but actually operate on all method
+// structures.
-/* METHOD_ref increments the reference count of |method|. This is a no-op for
- * now because all methods are currently static. */
+// METHOD_ref increments the reference count of |method|. This is a no-op for
+// now because all methods are currently static.
void METHOD_ref(void *method);
-/* METHOD_unref decrements the reference count of |method| and frees it if the
- * reference count drops to zero. This is a no-op for now because all methods
- * are currently static. */
+// METHOD_unref decrements the reference count of |method| and frees it if the
+// reference count drops to zero. This is a no-op for now because all methods
+// are currently static.
void METHOD_unref(void *method);
-/* Private functions. */
+// Private functions.
-/* openssl_method_common_st contains the common part of all method structures.
- * This must be the first member of all method structures. */
+// openssl_method_common_st contains the common part of all method structures.
+// This must be the first member of all method structures.
struct openssl_method_common_st {
- int references; /* dummy – not used. */
+ int references; // dummy – not used.
char is_static;
};
#if defined(__cplusplus)
-} /* extern C */
+} // extern C
extern "C++" {
@@ -100,10 +100,10 @@
} // namespace bssl
-} /* extern C++ */
+} // extern C++
#endif
#define ENGINE_R_OPERATION_NOT_SUPPORTED 100
-#endif /* OPENSSL_HEADER_ENGINE_H */
+#endif // OPENSSL_HEADER_ENGINE_H
diff --git a/src/include/openssl/err.h b/src/include/openssl/err.h
index 33a0bda..63e79d5 100644
--- a/src/include/openssl/err.h
+++ b/src/include/openssl/err.h
@@ -118,73 +118,73 @@
#endif
-/* Error queue handling functions.
- *
- * Errors in OpenSSL are generally signaled by the return value of a function.
- * When a function fails it may add an entry to a per-thread error queue,
- * which is managed by the functions in this header.
- *
- * Each error contains:
- * 1) The library (i.e. ec, pem, rsa) which created it.
- * 2) The file and line number of the call that added the error.
- * 3) A pointer to some error specific data, which may be NULL.
- *
- * The library identifier and reason code are packed in a uint32_t and there
- * exist various functions for unpacking it.
- *
- * The typical behaviour is that an error will occur deep in a call queue and
- * that code will push an error onto the error queue. As the error queue
- * unwinds, other functions will push their own errors. Thus, the "least
- * recent" error is the most specific and the other errors will provide a
- * backtrace of sorts. */
+// Error queue handling functions.
+//
+// Errors in OpenSSL are generally signaled by the return value of a function.
+// When a function fails it may add an entry to a per-thread error queue,
+// which is managed by the functions in this header.
+//
+// Each error contains:
+// 1) The library (i.e. ec, pem, rsa) which created it.
+// 2) The file and line number of the call that added the error.
+// 3) A pointer to some error specific data, which may be NULL.
+//
+// The library identifier and reason code are packed in a uint32_t and there
+// exist various functions for unpacking it.
+//
+// The typical behaviour is that an error will occur deep in a call queue and
+// that code will push an error onto the error queue. As the error queue
+// unwinds, other functions will push their own errors. Thus, the "least
+// recent" error is the most specific and the other errors will provide a
+// backtrace of sorts.
-/* Startup and shutdown. */
+// Startup and shutdown.
-/* ERR_load_BIO_strings does nothing.
- *
- * TODO(fork): remove. libjingle calls this. */
+// ERR_load_BIO_strings does nothing.
+//
+// TODO(fork): remove. libjingle calls this.
OPENSSL_EXPORT void ERR_load_BIO_strings(void);
-/* ERR_load_ERR_strings does nothing. */
+// ERR_load_ERR_strings does nothing.
OPENSSL_EXPORT void ERR_load_ERR_strings(void);
-/* ERR_load_crypto_strings does nothing. */
+// ERR_load_crypto_strings does nothing.
OPENSSL_EXPORT void ERR_load_crypto_strings(void);
-/* ERR_free_strings does nothing. */
+// ERR_free_strings does nothing.
OPENSSL_EXPORT void ERR_free_strings(void);
-/* Reading and formatting errors. */
+// Reading and formatting errors.
-/* ERR_get_error gets the packed error code for the least recent error and
- * removes that error from the queue. If there are no errors in the queue then
- * it returns zero. */
+// ERR_get_error gets the packed error code for the least recent error and
+// removes that error from the queue. If there are no errors in the queue then
+// it returns zero.
OPENSSL_EXPORT uint32_t ERR_get_error(void);
-/* ERR_get_error_line acts like |ERR_get_error|, except that the file and line
- * number of the call that added the error are also returned. */
+// ERR_get_error_line acts like |ERR_get_error|, except that the file and line
+// number of the call that added the error are also returned.
OPENSSL_EXPORT uint32_t ERR_get_error_line(const char **file, int *line);
-/* ERR_get_error_line_data acts like |ERR_get_error_line|, but also returns the
- * error-specific data pointer and flags. The flags are a bitwise-OR of
- * |ERR_FLAG_*| values. The error-specific data is owned by the error queue
- * and the pointer becomes invalid after the next call that affects the same
- * thread's error queue. If |*flags| contains |ERR_FLAG_STRING| then |*data| is
- * human-readable. */
+// ERR_get_error_line_data acts like |ERR_get_error_line|, but also returns the
+// error-specific data pointer and flags. The flags are a bitwise-OR of
+// |ERR_FLAG_*| values. The error-specific data is owned by the error queue
+// and the pointer becomes invalid after the next call that affects the same
+// thread's error queue. If |*flags| contains |ERR_FLAG_STRING| then |*data| is
+// human-readable.
OPENSSL_EXPORT uint32_t ERR_get_error_line_data(const char **file, int *line,
const char **data, int *flags);
-/* The "peek" functions act like the |ERR_get_error| functions, above, but they
- * do not remove the error from the queue. */
+// The "peek" functions act like the |ERR_get_error| functions, above, but they
+// do not remove the error from the queue.
OPENSSL_EXPORT uint32_t ERR_peek_error(void);
OPENSSL_EXPORT uint32_t ERR_peek_error_line(const char **file, int *line);
OPENSSL_EXPORT uint32_t ERR_peek_error_line_data(const char **file, int *line,
const char **data, int *flags);
-/* The "peek last" functions act like the "peek" functions, above, except that
- * they return the most recent error. */
+// The "peek last" functions act like the "peek" functions, above, except that
+// they return the most recent error.
OPENSSL_EXPORT uint32_t ERR_peek_last_error(void);
OPENSSL_EXPORT uint32_t ERR_peek_last_error_line(const char **file, int *line);
OPENSSL_EXPORT uint32_t ERR_peek_last_error_line_data(const char **file,
@@ -192,196 +192,196 @@
const char **data,
int *flags);
-/* ERR_error_string_n generates a human-readable string representing
- * |packed_error| and places it at |buf|. It writes at most |len| bytes
- * (including the terminating NUL) and truncates the string if necessary. If
- * |len| is greater than zero then |buf| is always NUL terminated.
- *
- * The string will have the following format:
- *
- * error:[error code]:[library name]:OPENSSL_internal:[reason string]
- *
- * error code is an 8 digit hexadecimal number; library name and reason string
- * are ASCII text. */
+// ERR_error_string_n generates a human-readable string representing
+// |packed_error| and places it at |buf|. It writes at most |len| bytes
+// (including the terminating NUL) and truncates the string if necessary. If
+// |len| is greater than zero then |buf| is always NUL terminated.
+//
+// The string will have the following format:
+//
+// error:[error code]:[library name]:OPENSSL_internal:[reason string]
+//
+// error code is an 8 digit hexadecimal number; library name and reason string
+// are ASCII text.
OPENSSL_EXPORT void ERR_error_string_n(uint32_t packed_error, char *buf,
size_t len);
-/* ERR_lib_error_string returns a string representation of the library that
- * generated |packed_error|. */
+// ERR_lib_error_string returns a string representation of the library that
+// generated |packed_error|.
OPENSSL_EXPORT const char *ERR_lib_error_string(uint32_t packed_error);
-/* ERR_reason_error_string returns a string representation of the reason for
- * |packed_error|. */
+// ERR_reason_error_string returns a string representation of the reason for
+// |packed_error|.
OPENSSL_EXPORT const char *ERR_reason_error_string(uint32_t packed_error);
-/* ERR_print_errors_callback_t is the type of a function used by
- * |ERR_print_errors_cb|. It takes a pointer to a human readable string (and
- * its length) that describes an entry in the error queue. The |ctx| argument
- * is an opaque pointer given to |ERR_print_errors_cb|.
- *
- * It should return one on success or zero on error, which will stop the
- * iteration over the error queue. */
+// ERR_print_errors_callback_t is the type of a function used by
+// |ERR_print_errors_cb|. It takes a pointer to a human readable string (and
+// its length) that describes an entry in the error queue. The |ctx| argument
+// is an opaque pointer given to |ERR_print_errors_cb|.
+//
+// It should return one on success or zero on error, which will stop the
+// iteration over the error queue.
typedef int (*ERR_print_errors_callback_t)(const char *str, size_t len,
void *ctx);
-/* ERR_print_errors_cb calls |callback| with a string representation of each
- * error in the current thread's error queue, from the least recent to the most
- * recent error.
- *
- * The string will have the following format (which differs from
- * |ERR_error_string|):
- *
- * [thread id]:error:[error code]:[library name]:OPENSSL_internal:
- * [reason string]:[file]:[line number]:[optional string data]
- *
- * (All in one line.)
- *
- * The callback can return one to continue the iteration or zero to stop it.
- * The |ctx| argument is an opaque value that is passed through to the
- * callback. */
+// ERR_print_errors_cb calls |callback| with a string representation of each
+// error in the current thread's error queue, from the least recent to the most
+// recent error.
+//
+// The string will have the following format (which differs from
+// |ERR_error_string|):
+//
+// [thread id]:error:[error code]:[library name]:OPENSSL_internal:
+// [reason string]:[file]:[line number]:[optional string data]
+//
+// (All in one line.)
+//
+// The callback can return one to continue the iteration or zero to stop it.
+// The |ctx| argument is an opaque value that is passed through to the
+// callback.
OPENSSL_EXPORT void ERR_print_errors_cb(ERR_print_errors_callback_t callback,
void *ctx);
-/* ERR_print_errors_fp prints the current contents of the error stack to |file|
- * using human readable strings where possible. */
+// ERR_print_errors_fp prints the current contents of the error stack to |file|
+// using human readable strings where possible.
OPENSSL_EXPORT void ERR_print_errors_fp(FILE *file);
-/* Clearing errors. */
+// Clearing errors.
-/* ERR_clear_error clears the error queue for the current thread. */
+// ERR_clear_error clears the error queue for the current thread.
OPENSSL_EXPORT void ERR_clear_error(void);
-/* ERR_remove_thread_state clears the error queue for the current thread if
- * |tid| is NULL. Otherwise it calls |assert(0)|, because it's no longer
- * possible to delete the error queue for other threads.
- *
- * Error queues are thread-local data and are deleted automatically. You do not
- * need to call this function. Use |ERR_clear_error|. */
+// ERR_remove_thread_state clears the error queue for the current thread if
+// |tid| is NULL. Otherwise it calls |assert(0)|, because it's no longer
+// possible to delete the error queue for other threads.
+//
+// Error queues are thread-local data and are deleted automatically. You do not
+// need to call this function. Use |ERR_clear_error|.
OPENSSL_EXPORT void ERR_remove_thread_state(const CRYPTO_THREADID *tid);
-/* Custom errors. */
+// Custom errors.
-/* ERR_get_next_error_library returns a value suitable for passing as the
- * |library| argument to |ERR_put_error|. This is intended for code that wishes
- * to push its own, non-standard errors to the error queue. */
+// ERR_get_next_error_library returns a value suitable for passing as the
+// |library| argument to |ERR_put_error|. This is intended for code that wishes
+// to push its own, non-standard errors to the error queue.
OPENSSL_EXPORT int ERR_get_next_error_library(void);
-/* Deprecated functions. */
+// Deprecated functions.
-/* ERR_remove_state calls |ERR_clear_error|. */
+// ERR_remove_state calls |ERR_clear_error|.
OPENSSL_EXPORT void ERR_remove_state(unsigned long pid);
-/* ERR_func_error_string returns the string "OPENSSL_internal". */
+// ERR_func_error_string returns the string "OPENSSL_internal".
OPENSSL_EXPORT const char *ERR_func_error_string(uint32_t packed_error);
-/* ERR_error_string behaves like |ERR_error_string_n| but |len| is implicitly
- * |ERR_ERROR_STRING_BUF_LEN| and it returns |buf|. If |buf| is NULL, the error
- * string is placed in a static buffer which is returned. (The static buffer may
- * be overridden by concurrent calls in other threads so this form should not be
- * used.)
- *
- * Use |ERR_error_string_n| instead.
- *
- * TODO(fork): remove this function. */
+// ERR_error_string behaves like |ERR_error_string_n| but |len| is implicitly
+// |ERR_ERROR_STRING_BUF_LEN| and it returns |buf|. If |buf| is NULL, the error
+// string is placed in a static buffer which is returned. (The static buffer may
+// be overridden by concurrent calls in other threads so this form should not be
+// used.)
+//
+// Use |ERR_error_string_n| instead.
+//
+// TODO(fork): remove this function.
OPENSSL_EXPORT char *ERR_error_string(uint32_t packed_error, char *buf);
#define ERR_ERROR_STRING_BUF_LEN 256
-/* Private functions. */
+// Private functions.
-/* ERR_clear_system_error clears the system's error value (i.e. errno). */
+// ERR_clear_system_error clears the system's error value (i.e. errno).
OPENSSL_EXPORT void ERR_clear_system_error(void);
-/* OPENSSL_PUT_ERROR is used by OpenSSL code to add an error to the error
- * queue. */
+// OPENSSL_PUT_ERROR is used by OpenSSL code to add an error to the error
+// queue.
#define OPENSSL_PUT_ERROR(library, reason) \
ERR_put_error(ERR_LIB_##library, 0, reason, __FILE__, __LINE__)
-/* OPENSSL_PUT_SYSTEM_ERROR is used by OpenSSL code to add an error from the
- * operating system to the error queue.
- * TODO(fork): include errno. */
+// OPENSSL_PUT_SYSTEM_ERROR is used by OpenSSL code to add an error from the
+// operating system to the error queue.
+// TODO(fork): include errno.
#define OPENSSL_PUT_SYSTEM_ERROR() \
ERR_put_error(ERR_LIB_SYS, 0, 0, __FILE__, __LINE__);
-/* ERR_put_error adds an error to the error queue, dropping the least recent
- * error if necessary for space reasons. */
+// ERR_put_error adds an error to the error queue, dropping the least recent
+// error if necessary for space reasons.
OPENSSL_EXPORT void ERR_put_error(int library, int unused, int reason,
const char *file, unsigned line);
-/* ERR_add_error_data takes a variable number (|count|) of const char*
- * pointers, concatenates them and sets the result as the data on the most
- * recent error. */
+// ERR_add_error_data takes a variable number (|count|) of const char*
+// pointers, concatenates them and sets the result as the data on the most
+// recent error.
OPENSSL_EXPORT void ERR_add_error_data(unsigned count, ...);
-/* ERR_add_error_dataf takes a printf-style format and arguments, and sets the
- * result as the data on the most recent error. */
+// ERR_add_error_dataf takes a printf-style format and arguments, and sets the
+// result as the data on the most recent error.
OPENSSL_EXPORT void ERR_add_error_dataf(const char *format, ...)
OPENSSL_PRINTF_FORMAT_FUNC(1, 2);
-/* ERR_set_mark "marks" the most recent error for use with |ERR_pop_to_mark|.
- * It returns one if an error was marked and zero if there are no errors. */
+// ERR_set_mark "marks" the most recent error for use with |ERR_pop_to_mark|.
+// It returns one if an error was marked and zero if there are no errors.
OPENSSL_EXPORT int ERR_set_mark(void);
-/* ERR_pop_to_mark removes errors from the most recent to the least recent
- * until (and not including) a "marked" error. It returns zero if no marked
- * error was found (and thus all errors were removed) and one otherwise. Errors
- * are marked using |ERR_set_mark|. */
+// ERR_pop_to_mark removes errors from the most recent to the least recent
+// until (and not including) a "marked" error. It returns zero if no marked
+// error was found (and thus all errors were removed) and one otherwise. Errors
+// are marked using |ERR_set_mark|.
OPENSSL_EXPORT int ERR_pop_to_mark(void);
struct err_error_st {
- /* file contains the filename where the error occurred. */
+ // file contains the filename where the error occurred.
const char *file;
- /* data contains optional data. It must be freed with |OPENSSL_free| if
- * |flags&ERR_FLAG_MALLOCED|. */
+ // data contains optional data. It must be freed with |OPENSSL_free| if
+ // |flags&ERR_FLAG_MALLOCED|.
char *data;
- /* packed contains the error library and reason, as packed by ERR_PACK. */
+ // packed contains the error library and reason, as packed by ERR_PACK.
uint32_t packed;
- /* line contains the line number where the error occurred. */
+ // line contains the line number where the error occurred.
uint16_t line;
- /* flags contains a bitwise-OR of ERR_FLAG_* values. */
+ // flags contains a bitwise-OR of ERR_FLAG_* values.
uint8_t flags;
};
-/* ERR_FLAG_STRING means that the |data| member is a NUL-terminated string that
- * can be printed. */
+// ERR_FLAG_STRING means that the |data| member is a NUL-terminated string that
+// can be printed.
#define ERR_FLAG_STRING 1
-/* ERR_TXT_STRING is provided for compatibility with code that assumes that
- * it's using OpenSSL. */
+// ERR_TXT_STRING is provided for compatibility with code that assumes that
+// it's using OpenSSL.
#define ERR_TXT_STRING ERR_FLAG_STRING
-/* ERR_FLAG_PUBLIC_MASK is applied to the flags field before it is returned
- * from functions like |ERR_get_error_line_data|. */
+// ERR_FLAG_PUBLIC_MASK is applied to the flags field before it is returned
+// from functions like |ERR_get_error_line_data|.
#define ERR_FLAG_PUBLIC_MASK 0xf
-/* The following flag values are internal and are masked when flags are
- * returned from functions like |ERR_get_error_line_data|. */
+// The following flag values are internal and are masked when flags are
+// returned from functions like |ERR_get_error_line_data|.
-/* ERR_FLAG_MALLOCED means the the |data| member must be freed when no longer
- * needed. */
+// ERR_FLAG_MALLOCED means the the |data| member must be freed when no longer
+// needed.
#define ERR_FLAG_MALLOCED 16
-/* ERR_FLAG_MARK is used to indicate a reversion point in the queue. See
- * |ERR_pop_to_mark|. */
+// ERR_FLAG_MARK is used to indicate a reversion point in the queue. See
+// |ERR_pop_to_mark|.
#define ERR_FLAG_MARK 32
-/* ERR_NUM_ERRORS is the limit of the number of errors in the queue. */
+// ERR_NUM_ERRORS is the limit of the number of errors in the queue.
#define ERR_NUM_ERRORS 16
-/* err_state_st (aka |ERR_STATE|) contains the per-thread, error queue. */
+// err_state_st (aka |ERR_STATE|) contains the per-thread, error queue.
typedef struct err_state_st {
- /* errors contains the ERR_NUM_ERRORS most recent errors, organised as a ring
- * buffer. */
+ // errors contains the ERR_NUM_ERRORS most recent errors, organised as a ring
+ // buffer.
struct err_error_st errors[ERR_NUM_ERRORS];
- /* top contains the index one past the most recent error. If |top| equals
- * |bottom| then the queue is empty. */
+ // top contains the index one past the most recent error. If |top| equals
+ // |bottom| then the queue is empty.
unsigned top;
- /* bottom contains the index of the last error in the queue. */
+ // bottom contains the index of the last error in the queue.
unsigned bottom;
- /* to_free, if not NULL, contains a pointer owned by this structure that was
- * previously a |data| pointer of one of the elements of |errors|. */
+ // to_free, if not NULL, contains a pointer owned by this structure that was
+ // previously a |data| pointer of one of the elements of |errors|.
void *to_free;
} ERR_STATE;
@@ -459,7 +459,7 @@
#define ERR_R_CIPHER_LIB ERR_LIB_CIPHER
#define ERR_R_HKDF_LIB ERR_LIB_HKDF
-/* Global reasons. */
+// Global reasons.
#define ERR_R_FATAL 64
#define ERR_R_MALLOC_FAILURE (1 | ERR_R_FATAL)
#define ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED (2 | ERR_R_FATAL)
@@ -474,16 +474,16 @@
#define ERR_GET_FUNC(packed_error) 0
#define ERR_GET_REASON(packed_error) ((int)((packed_error) & 0xfff))
-/* OPENSSL_DECLARE_ERROR_REASON is used by util/make_errors.h (which generates
- * the error defines) to recognise that an additional reason value is needed.
- * This is needed when the reason value is used outside of an
- * |OPENSSL_PUT_ERROR| macro. The resulting define will be
- * ${lib}_R_${reason}. */
+// OPENSSL_DECLARE_ERROR_REASON is used by util/make_errors.h (which generates
+// the error defines) to recognise that an additional reason value is needed.
+// This is needed when the reason value is used outside of an
+// |OPENSSL_PUT_ERROR| macro. The resulting define will be
+// ${lib}_R_${reason}.
#define OPENSSL_DECLARE_ERROR_REASON(lib, reason)
#if defined(__cplusplus)
-} /* extern C */
+} // extern C
#endif
-#endif /* OPENSSL_HEADER_ERR_H */
+#endif // OPENSSL_HEADER_ERR_H
diff --git a/src/include/openssl/evp.h b/src/include/openssl/evp.h
index 37c965a..274b73a 100644
--- a/src/include/openssl/evp.h
+++ b/src/include/openssl/evp.h
@@ -61,10 +61,10 @@
#include <openssl/thread.h>
-/* OpenSSL included digest and cipher functions in this header so we include
- * them for users that still expect that.
- *
- * TODO(fork): clean up callers so that they include what they use. */
+// OpenSSL included digest and cipher functions in this header so we include
+// them for users that still expect that.
+//
+// TODO(fork): clean up callers so that they include what they use.
#include <openssl/aead.h>
#include <openssl/base64.h>
#include <openssl/cipher.h>
@@ -76,71 +76,71 @@
#endif
-/* EVP abstracts over public/private key algorithms. */
+// EVP abstracts over public/private key algorithms.
-/* Public key objects. */
+// Public key objects.
-/* EVP_PKEY_new creates a new, empty public-key object and returns it or NULL
- * on allocation failure. */
+// EVP_PKEY_new creates a new, empty public-key object and returns it or NULL
+// on allocation failure.
OPENSSL_EXPORT EVP_PKEY *EVP_PKEY_new(void);
-/* EVP_PKEY_free frees all data referenced by |pkey| and then frees |pkey|
- * itself. */
+// EVP_PKEY_free frees all data referenced by |pkey| and then frees |pkey|
+// itself.
OPENSSL_EXPORT void EVP_PKEY_free(EVP_PKEY *pkey);
-/* EVP_PKEY_up_ref increments the reference count of |pkey| and returns one. */
+// EVP_PKEY_up_ref increments the reference count of |pkey| and returns one.
OPENSSL_EXPORT int EVP_PKEY_up_ref(EVP_PKEY *pkey);
-/* EVP_PKEY_is_opaque returns one if |pkey| is opaque. Opaque keys are backed by
- * custom implementations which do not expose key material and parameters. It is
- * an error to attempt to duplicate, export, or compare an opaque key. */
+// EVP_PKEY_is_opaque returns one if |pkey| is opaque. Opaque keys are backed by
+// custom implementations which do not expose key material and parameters. It is
+// an error to attempt to duplicate, export, or compare an opaque key.
OPENSSL_EXPORT int EVP_PKEY_is_opaque(const EVP_PKEY *pkey);
-/* EVP_PKEY_cmp compares |a| and |b| and returns one if they are equal, zero if
- * not and a negative number on error.
- *
- * WARNING: this differs from the traditional return value of a "cmp"
- * function. */
+// EVP_PKEY_cmp compares |a| and |b| and returns one if they are equal, zero if
+// not and a negative number on error.
+//
+// WARNING: this differs from the traditional return value of a "cmp"
+// function.
OPENSSL_EXPORT int EVP_PKEY_cmp(const EVP_PKEY *a, const EVP_PKEY *b);
-/* EVP_PKEY_copy_parameters sets the parameters of |to| to equal the parameters
- * of |from|. It returns one on success and zero on error. */
+// EVP_PKEY_copy_parameters sets the parameters of |to| to equal the parameters
+// of |from|. It returns one on success and zero on error.
OPENSSL_EXPORT int EVP_PKEY_copy_parameters(EVP_PKEY *to, const EVP_PKEY *from);
-/* EVP_PKEY_missing_parameters returns one if |pkey| is missing needed
- * parameters or zero if not, or if the algorithm doesn't take parameters. */
+// EVP_PKEY_missing_parameters returns one if |pkey| is missing needed
+// parameters or zero if not, or if the algorithm doesn't take parameters.
OPENSSL_EXPORT int EVP_PKEY_missing_parameters(const EVP_PKEY *pkey);
-/* EVP_PKEY_size returns the maximum size, in bytes, of a signature signed by
- * |pkey|. For an RSA key, this returns the number of bytes needed to represent
- * the modulus. For an EC key, this returns the maximum size of a DER-encoded
- * ECDSA signature. */
+// EVP_PKEY_size returns the maximum size, in bytes, of a signature signed by
+// |pkey|. For an RSA key, this returns the number of bytes needed to represent
+// the modulus. For an EC key, this returns the maximum size of a DER-encoded
+// ECDSA signature.
OPENSSL_EXPORT int EVP_PKEY_size(const EVP_PKEY *pkey);
-/* EVP_PKEY_bits returns the "size", in bits, of |pkey|. For an RSA key, this
- * returns the bit length of the modulus. For an EC key, this returns the bit
- * length of the group order. */
+// EVP_PKEY_bits returns the "size", in bits, of |pkey|. For an RSA key, this
+// returns the bit length of the modulus. For an EC key, this returns the bit
+// length of the group order.
OPENSSL_EXPORT int EVP_PKEY_bits(EVP_PKEY *pkey);
-/* EVP_PKEY_id returns the type of |pkey|, which is one of the |EVP_PKEY_*|
- * values. */
+// EVP_PKEY_id returns the type of |pkey|, which is one of the |EVP_PKEY_*|
+// values.
OPENSSL_EXPORT int EVP_PKEY_id(const EVP_PKEY *pkey);
-/* EVP_PKEY_type returns |nid| if |nid| is a known key type and |NID_undef|
- * otherwise. */
+// EVP_PKEY_type returns |nid| if |nid| is a known key type and |NID_undef|
+// otherwise.
OPENSSL_EXPORT int EVP_PKEY_type(int nid);
-/* Getting and setting concrete public key types.
- *
- * The following functions get and set the underlying public key in an
- * |EVP_PKEY| object. The |set1| functions take an additional reference to the
- * underlying key and return one on success or zero on error. The |assign|
- * functions adopt the caller's reference. The |get1| functions return a fresh
- * reference to the underlying object or NULL if |pkey| is not of the correct
- * type. The |get0| functions behave the same but return a non-owning
- * pointer. */
+// Getting and setting concrete public key types.
+//
+// The following functions get and set the underlying public key in an
+// |EVP_PKEY| object. The |set1| functions take an additional reference to the
+// underlying key and return one on success or zero on error. The |assign|
+// functions adopt the caller's reference. The |get1| functions return a fresh
+// reference to the underlying object or NULL if |pkey| is not of the correct
+// type. The |get0| functions behave the same but return a non-owning
+// pointer.
OPENSSL_EXPORT int EVP_PKEY_set1_RSA(EVP_PKEY *pkey, RSA *key);
OPENSSL_EXPORT int EVP_PKEY_assign_RSA(EVP_PKEY *pkey, RSA *key);
@@ -157,13 +157,13 @@
OPENSSL_EXPORT EC_KEY *EVP_PKEY_get0_EC_KEY(EVP_PKEY *pkey);
OPENSSL_EXPORT EC_KEY *EVP_PKEY_get1_EC_KEY(EVP_PKEY *pkey);
-/* EVP_PKEY_new_ed25519_public returns a newly allocated |EVP_PKEY| wrapping an
- * Ed25519 public key, or NULL on allocation error. */
+// EVP_PKEY_new_ed25519_public returns a newly allocated |EVP_PKEY| wrapping an
+// Ed25519 public key, or NULL on allocation error.
OPENSSL_EXPORT EVP_PKEY *EVP_PKEY_new_ed25519_public(
const uint8_t public_key[32]);
-/* EVP_PKEY_new_ed25519_private returns a newly allocated |EVP_PKEY| wrapping an
- * Ed25519 private key, or NULL on allocation error. */
+// EVP_PKEY_new_ed25519_private returns a newly allocated |EVP_PKEY| wrapping an
+// Ed25519 private key, or NULL on allocation error.
OPENSSL_EXPORT EVP_PKEY *EVP_PKEY_new_ed25519_private(
const uint8_t private_key[64]);
@@ -173,274 +173,274 @@
#define EVP_PKEY_EC NID_X9_62_id_ecPublicKey
#define EVP_PKEY_ED25519 NID_ED25519
-/* EVP_PKEY_assign sets the underlying key of |pkey| to |key|, which must be of
- * the given type. The |type| argument should be one of the |EVP_PKEY_*|
- * values. */
+// EVP_PKEY_assign sets the underlying key of |pkey| to |key|, which must be of
+// the given type. The |type| argument should be one of the |EVP_PKEY_*|
+// values.
OPENSSL_EXPORT int EVP_PKEY_assign(EVP_PKEY *pkey, int type, void *key);
-/* EVP_PKEY_set_type sets the type of |pkey| to |type|, which should be one of
- * the |EVP_PKEY_*| values. It returns one if successful or zero otherwise. If
- * |pkey| is NULL, it simply reports whether the type is known. */
+// EVP_PKEY_set_type sets the type of |pkey| to |type|, which should be one of
+// the |EVP_PKEY_*| values. It returns one if successful or zero otherwise. If
+// |pkey| is NULL, it simply reports whether the type is known.
OPENSSL_EXPORT int EVP_PKEY_set_type(EVP_PKEY *pkey, int type);
-/* EVP_PKEY_cmp_parameters compares the parameters of |a| and |b|. It returns
- * one if they match, zero if not, or a negative number of on error.
- *
- * WARNING: the return value differs from the usual return value convention. */
+// EVP_PKEY_cmp_parameters compares the parameters of |a| and |b|. It returns
+// one if they match, zero if not, or a negative number of on error.
+//
+// WARNING: the return value differs from the usual return value convention.
OPENSSL_EXPORT int EVP_PKEY_cmp_parameters(const EVP_PKEY *a,
const EVP_PKEY *b);
-/* ASN.1 functions */
+// ASN.1 functions
-/* EVP_parse_public_key decodes a DER-encoded SubjectPublicKeyInfo structure
- * (RFC 5280) from |cbs| and advances |cbs|. It returns a newly-allocated
- * |EVP_PKEY| or NULL on error.
- *
- * The caller must check the type of the parsed public key to ensure it is
- * suitable and validate other desired key properties such as RSA modulus size
- * or EC curve. */
+// EVP_parse_public_key decodes a DER-encoded SubjectPublicKeyInfo structure
+// (RFC 5280) from |cbs| and advances |cbs|. It returns a newly-allocated
+// |EVP_PKEY| or NULL on error.
+//
+// The caller must check the type of the parsed public key to ensure it is
+// suitable and validate other desired key properties such as RSA modulus size
+// or EC curve.
OPENSSL_EXPORT EVP_PKEY *EVP_parse_public_key(CBS *cbs);
-/* EVP_marshal_public_key marshals |key| as a DER-encoded SubjectPublicKeyInfo
- * structure (RFC 5280) and appends the result to |cbb|. It returns one on
- * success and zero on error. */
+// EVP_marshal_public_key marshals |key| as a DER-encoded SubjectPublicKeyInfo
+// structure (RFC 5280) and appends the result to |cbb|. It returns one on
+// success and zero on error.
OPENSSL_EXPORT int EVP_marshal_public_key(CBB *cbb, const EVP_PKEY *key);
-/* EVP_parse_private_key decodes a DER-encoded PrivateKeyInfo structure (RFC
- * 5208) from |cbs| and advances |cbs|. It returns a newly-allocated |EVP_PKEY|
- * or NULL on error.
- *
- * The caller must check the type of the parsed private key to ensure it is
- * suitable and validate other desired key properties such as RSA modulus size
- * or EC curve.
- *
- * A PrivateKeyInfo ends with an optional set of attributes. These are not
- * processed and so this function will silently ignore any trailing data in the
- * structure. */
+// EVP_parse_private_key decodes a DER-encoded PrivateKeyInfo structure (RFC
+// 5208) from |cbs| and advances |cbs|. It returns a newly-allocated |EVP_PKEY|
+// or NULL on error.
+//
+// The caller must check the type of the parsed private key to ensure it is
+// suitable and validate other desired key properties such as RSA modulus size
+// or EC curve.
+//
+// A PrivateKeyInfo ends with an optional set of attributes. These are not
+// processed and so this function will silently ignore any trailing data in the
+// structure.
OPENSSL_EXPORT EVP_PKEY *EVP_parse_private_key(CBS *cbs);
-/* EVP_marshal_private_key marshals |key| as a DER-encoded PrivateKeyInfo
- * structure (RFC 5208) and appends the result to |cbb|. It returns one on
- * success and zero on error. */
+// EVP_marshal_private_key marshals |key| as a DER-encoded PrivateKeyInfo
+// structure (RFC 5208) and appends the result to |cbb|. It returns one on
+// success and zero on error.
OPENSSL_EXPORT int EVP_marshal_private_key(CBB *cbb, const EVP_PKEY *key);
-/* EVP_set_buggy_rsa_parser configures whether |RSA_parse_public_key_buggy| is
- * used by |EVP_parse_public_key|. By default, it is used. */
+// EVP_set_buggy_rsa_parser configures whether |RSA_parse_public_key_buggy| is
+// used by |EVP_parse_public_key|. By default, it is used.
OPENSSL_EXPORT void EVP_set_buggy_rsa_parser(int buggy);
-/* Signing */
+// Signing
-/* EVP_DigestSignInit sets up |ctx| for a signing operation with |type| and
- * |pkey|. The |ctx| argument must have been initialised with
- * |EVP_MD_CTX_init|. If |pctx| is not NULL, the |EVP_PKEY_CTX| of the signing
- * operation will be written to |*pctx|; this can be used to set alternative
- * signing options.
- *
- * For single-shot signing algorithms which do not use a pre-hash, such as
- * Ed25519, |type| should be NULL. The |EVP_MD_CTX| itself is unused but is
- * present so the API is uniform. See |EVP_DigestSign|.
- *
- * It returns one on success, or zero on error. */
+// EVP_DigestSignInit sets up |ctx| for a signing operation with |type| and
+// |pkey|. The |ctx| argument must have been initialised with
+// |EVP_MD_CTX_init|. If |pctx| is not NULL, the |EVP_PKEY_CTX| of the signing
+// operation will be written to |*pctx|; this can be used to set alternative
+// signing options.
+//
+// For single-shot signing algorithms which do not use a pre-hash, such as
+// Ed25519, |type| should be NULL. The |EVP_MD_CTX| itself is unused but is
+// present so the API is uniform. See |EVP_DigestSign|.
+//
+// It returns one on success, or zero on error.
OPENSSL_EXPORT int EVP_DigestSignInit(EVP_MD_CTX *ctx, EVP_PKEY_CTX **pctx,
const EVP_MD *type, ENGINE *e,
EVP_PKEY *pkey);
-/* EVP_DigestSignUpdate appends |len| bytes from |data| to the data which will
- * be signed in |EVP_DigestSignFinal|. It returns one.
- *
- * This function performs a streaming signing operation and will fail for
- * signature algorithms which do not support this. Use |EVP_DigestSign| for a
- * single-shot operation. */
+// EVP_DigestSignUpdate appends |len| bytes from |data| to the data which will
+// be signed in |EVP_DigestSignFinal|. It returns one.
+//
+// This function performs a streaming signing operation and will fail for
+// signature algorithms which do not support this. Use |EVP_DigestSign| for a
+// single-shot operation.
OPENSSL_EXPORT int EVP_DigestSignUpdate(EVP_MD_CTX *ctx, const void *data,
size_t len);
-/* EVP_DigestSignFinal signs the data that has been included by one or more
- * calls to |EVP_DigestSignUpdate|. If |out_sig| is NULL then |*out_sig_len| is
- * set to the maximum number of output bytes. Otherwise, on entry,
- * |*out_sig_len| must contain the length of the |out_sig| buffer. If the call
- * is successful, the signature is written to |out_sig| and |*out_sig_len| is
- * set to its length.
- *
- * This function performs a streaming signing operation and will fail for
- * signature algorithms which do not support this. Use |EVP_DigestSign| for a
- * single-shot operation.
- *
- * It returns one on success, or zero on error. */
+// EVP_DigestSignFinal signs the data that has been included by one or more
+// calls to |EVP_DigestSignUpdate|. If |out_sig| is NULL then |*out_sig_len| is
+// set to the maximum number of output bytes. Otherwise, on entry,
+// |*out_sig_len| must contain the length of the |out_sig| buffer. If the call
+// is successful, the signature is written to |out_sig| and |*out_sig_len| is
+// set to its length.
+//
+// This function performs a streaming signing operation and will fail for
+// signature algorithms which do not support this. Use |EVP_DigestSign| for a
+// single-shot operation.
+//
+// It returns one on success, or zero on error.
OPENSSL_EXPORT int EVP_DigestSignFinal(EVP_MD_CTX *ctx, uint8_t *out_sig,
size_t *out_sig_len);
-/* EVP_DigestSign signs |data_len| bytes from |data| using |ctx|. If |out_sig|
- * is NULL then |*out_sig_len| is set to the maximum number of output
- * bytes. Otherwise, on entry, |*out_sig_len| must contain the length of the
- * |out_sig| buffer. If the call is successful, the signature is written to
- * |out_sig| and |*out_sig_len| is set to its length.
- *
- * It returns one on success and zero on error. */
+// EVP_DigestSign signs |data_len| bytes from |data| using |ctx|. If |out_sig|
+// is NULL then |*out_sig_len| is set to the maximum number of output
+// bytes. Otherwise, on entry, |*out_sig_len| must contain the length of the
+// |out_sig| buffer. If the call is successful, the signature is written to
+// |out_sig| and |*out_sig_len| is set to its length.
+//
+// It returns one on success and zero on error.
OPENSSL_EXPORT int EVP_DigestSign(EVP_MD_CTX *ctx, uint8_t *out_sig,
size_t *out_sig_len, const uint8_t *data,
size_t data_len);
-/* Verifying */
+// Verifying
-/* EVP_DigestVerifyInit sets up |ctx| for a signature verification operation
- * with |type| and |pkey|. The |ctx| argument must have been initialised with
- * |EVP_MD_CTX_init|. If |pctx| is not NULL, the |EVP_PKEY_CTX| of the signing
- * operation will be written to |*pctx|; this can be used to set alternative
- * signing options.
- *
- * For single-shot signing algorithms which do not use a pre-hash, such as
- * Ed25519, |type| should be NULL. The |EVP_MD_CTX| itself is unused but is
- * present so the API is uniform. See |EVP_DigestVerify|.
- *
- * It returns one on success, or zero on error. */
+// EVP_DigestVerifyInit sets up |ctx| for a signature verification operation
+// with |type| and |pkey|. The |ctx| argument must have been initialised with
+// |EVP_MD_CTX_init|. If |pctx| is not NULL, the |EVP_PKEY_CTX| of the signing
+// operation will be written to |*pctx|; this can be used to set alternative
+// signing options.
+//
+// For single-shot signing algorithms which do not use a pre-hash, such as
+// Ed25519, |type| should be NULL. The |EVP_MD_CTX| itself is unused but is
+// present so the API is uniform. See |EVP_DigestVerify|.
+//
+// It returns one on success, or zero on error.
OPENSSL_EXPORT int EVP_DigestVerifyInit(EVP_MD_CTX *ctx, EVP_PKEY_CTX **pctx,
const EVP_MD *type, ENGINE *e,
EVP_PKEY *pkey);
-/* EVP_DigestVerifyUpdate appends |len| bytes from |data| to the data which
- * will be verified by |EVP_DigestVerifyFinal|. It returns one.
- *
- * This function performs streaming signature verification and will fail for
- * signature algorithms which do not support this. Use |EVP_PKEY_verify_message|
- * for a single-shot verification. */
+// EVP_DigestVerifyUpdate appends |len| bytes from |data| to the data which
+// will be verified by |EVP_DigestVerifyFinal|. It returns one.
+//
+// This function performs streaming signature verification and will fail for
+// signature algorithms which do not support this. Use |EVP_PKEY_verify_message|
+// for a single-shot verification.
OPENSSL_EXPORT int EVP_DigestVerifyUpdate(EVP_MD_CTX *ctx, const void *data,
size_t len);
-/* EVP_DigestVerifyFinal verifies that |sig_len| bytes of |sig| are a valid
- * signature for the data that has been included by one or more calls to
- * |EVP_DigestVerifyUpdate|. It returns one on success and zero otherwise.
- *
- * This function performs streaming signature verification and will fail for
- * signature algorithms which do not support this. Use |EVP_PKEY_verify_message|
- * for a single-shot verification. */
+// EVP_DigestVerifyFinal verifies that |sig_len| bytes of |sig| are a valid
+// signature for the data that has been included by one or more calls to
+// |EVP_DigestVerifyUpdate|. It returns one on success and zero otherwise.
+//
+// This function performs streaming signature verification and will fail for
+// signature algorithms which do not support this. Use |EVP_PKEY_verify_message|
+// for a single-shot verification.
OPENSSL_EXPORT int EVP_DigestVerifyFinal(EVP_MD_CTX *ctx, const uint8_t *sig,
size_t sig_len);
-/* EVP_DigestVerify verifies that |sig_len| bytes from |sig| are a valid
- * signature for |data|. It returns one on success or zero on error. */
+// EVP_DigestVerify verifies that |sig_len| bytes from |sig| are a valid
+// signature for |data|. It returns one on success or zero on error.
OPENSSL_EXPORT int EVP_DigestVerify(EVP_MD_CTX *ctx, const uint8_t *sig,
size_t sig_len, const uint8_t *data,
size_t len);
-/* Signing (old functions) */
+// Signing (old functions)
-/* EVP_SignInit_ex configures |ctx|, which must already have been initialised,
- * for a fresh signing operation using the hash function |type|. It returns one
- * on success and zero otherwise.
- *
- * (In order to initialise |ctx|, either obtain it initialised with
- * |EVP_MD_CTX_create|, or use |EVP_MD_CTX_init|.) */
+// EVP_SignInit_ex configures |ctx|, which must already have been initialised,
+// for a fresh signing operation using the hash function |type|. It returns one
+// on success and zero otherwise.
+//
+// (In order to initialise |ctx|, either obtain it initialised with
+// |EVP_MD_CTX_create|, or use |EVP_MD_CTX_init|.)
OPENSSL_EXPORT int EVP_SignInit_ex(EVP_MD_CTX *ctx, const EVP_MD *type,
ENGINE *impl);
-/* EVP_SignInit is a deprecated version of |EVP_SignInit_ex|.
- *
- * TODO(fork): remove. */
+// EVP_SignInit is a deprecated version of |EVP_SignInit_ex|.
+//
+// TODO(fork): remove.
OPENSSL_EXPORT int EVP_SignInit(EVP_MD_CTX *ctx, const EVP_MD *type);
-/* EVP_SignUpdate appends |len| bytes from |data| to the data which will be
- * signed in |EVP_SignFinal|. */
+// EVP_SignUpdate appends |len| bytes from |data| to the data which will be
+// signed in |EVP_SignFinal|.
OPENSSL_EXPORT int EVP_SignUpdate(EVP_MD_CTX *ctx, const void *data,
size_t len);
-/* EVP_SignFinal signs the data that has been included by one or more calls to
- * |EVP_SignUpdate|, using the key |pkey|, and writes it to |sig|. On entry,
- * |sig| must point to at least |EVP_PKEY_size(pkey)| bytes of space. The
- * actual size of the signature is written to |*out_sig_len|.
- *
- * It returns one on success and zero otherwise.
- *
- * It does not modify |ctx|, thus it's possible to continue to use |ctx| in
- * order to sign a longer message. */
+// EVP_SignFinal signs the data that has been included by one or more calls to
+// |EVP_SignUpdate|, using the key |pkey|, and writes it to |sig|. On entry,
+// |sig| must point to at least |EVP_PKEY_size(pkey)| bytes of space. The
+// actual size of the signature is written to |*out_sig_len|.
+//
+// It returns one on success and zero otherwise.
+//
+// It does not modify |ctx|, thus it's possible to continue to use |ctx| in
+// order to sign a longer message.
OPENSSL_EXPORT int EVP_SignFinal(const EVP_MD_CTX *ctx, uint8_t *sig,
unsigned int *out_sig_len, EVP_PKEY *pkey);
-/* Verifying (old functions) */
+// Verifying (old functions)
-/* EVP_VerifyInit_ex configures |ctx|, which must already have been
- * initialised, for a fresh signature verification operation using the hash
- * function |type|. It returns one on success and zero otherwise.
- *
- * (In order to initialise |ctx|, either obtain it initialised with
- * |EVP_MD_CTX_create|, or use |EVP_MD_CTX_init|.) */
+// EVP_VerifyInit_ex configures |ctx|, which must already have been
+// initialised, for a fresh signature verification operation using the hash
+// function |type|. It returns one on success and zero otherwise.
+//
+// (In order to initialise |ctx|, either obtain it initialised with
+// |EVP_MD_CTX_create|, or use |EVP_MD_CTX_init|.)
OPENSSL_EXPORT int EVP_VerifyInit_ex(EVP_MD_CTX *ctx, const EVP_MD *type,
ENGINE *impl);
-/* EVP_VerifyInit is a deprecated version of |EVP_VerifyInit_ex|.
- *
- * TODO(fork): remove. */
+// EVP_VerifyInit is a deprecated version of |EVP_VerifyInit_ex|.
+//
+// TODO(fork): remove.
OPENSSL_EXPORT int EVP_VerifyInit(EVP_MD_CTX *ctx, const EVP_MD *type);
-/* EVP_VerifyUpdate appends |len| bytes from |data| to the data which will be
- * signed in |EVP_VerifyFinal|. */
+// EVP_VerifyUpdate appends |len| bytes from |data| to the data which will be
+// signed in |EVP_VerifyFinal|.
OPENSSL_EXPORT int EVP_VerifyUpdate(EVP_MD_CTX *ctx, const void *data,
size_t len);
-/* EVP_VerifyFinal verifies that |sig_len| bytes of |sig| are a valid
- * signature, by |pkey|, for the data that has been included by one or more
- * calls to |EVP_VerifyUpdate|.
- *
- * It returns one on success and zero otherwise.
- *
- * It does not modify |ctx|, thus it's possible to continue to use |ctx| in
- * order to sign a longer message. */
+// EVP_VerifyFinal verifies that |sig_len| bytes of |sig| are a valid
+// signature, by |pkey|, for the data that has been included by one or more
+// calls to |EVP_VerifyUpdate|.
+//
+// It returns one on success and zero otherwise.
+//
+// It does not modify |ctx|, thus it's possible to continue to use |ctx| in
+// order to sign a longer message.
OPENSSL_EXPORT int EVP_VerifyFinal(EVP_MD_CTX *ctx, const uint8_t *sig,
size_t sig_len, EVP_PKEY *pkey);
-/* Printing */
+// Printing
-/* EVP_PKEY_print_public prints a textual representation of the public key in
- * |pkey| to |out|. Returns one on success or zero otherwise. */
+// EVP_PKEY_print_public prints a textual representation of the public key in
+// |pkey| to |out|. Returns one on success or zero otherwise.
OPENSSL_EXPORT int EVP_PKEY_print_public(BIO *out, const EVP_PKEY *pkey,
int indent, ASN1_PCTX *pctx);
-/* EVP_PKEY_print_private prints a textual representation of the private key in
- * |pkey| to |out|. Returns one on success or zero otherwise. */
+// EVP_PKEY_print_private prints a textual representation of the private key in
+// |pkey| to |out|. Returns one on success or zero otherwise.
OPENSSL_EXPORT int EVP_PKEY_print_private(BIO *out, const EVP_PKEY *pkey,
int indent, ASN1_PCTX *pctx);
-/* EVP_PKEY_print_params prints a textual representation of the parameters in
- * |pkey| to |out|. Returns one on success or zero otherwise. */
+// EVP_PKEY_print_params prints a textual representation of the parameters in
+// |pkey| to |out|. Returns one on success or zero otherwise.
OPENSSL_EXPORT int EVP_PKEY_print_params(BIO *out, const EVP_PKEY *pkey,
int indent, ASN1_PCTX *pctx);
-/* Password stretching.
- *
- * Password stretching functions take a low-entropy password and apply a slow
- * function that results in a key suitable for use in symmetric
- * cryptography. */
+// Password stretching.
+//
+// Password stretching functions take a low-entropy password and apply a slow
+// function that results in a key suitable for use in symmetric
+// cryptography.
-/* PKCS5_PBKDF2_HMAC computes |iterations| iterations of PBKDF2 of |password|
- * and |salt|, using |digest|, and outputs |key_len| bytes to |out_key|. It
- * returns one on success and zero on error. */
+// PKCS5_PBKDF2_HMAC computes |iterations| iterations of PBKDF2 of |password|
+// and |salt|, using |digest|, and outputs |key_len| bytes to |out_key|. It
+// returns one on success and zero on error.
OPENSSL_EXPORT int PKCS5_PBKDF2_HMAC(const char *password, size_t password_len,
const uint8_t *salt, size_t salt_len,
unsigned iterations, const EVP_MD *digest,
size_t key_len, uint8_t *out_key);
-/* PKCS5_PBKDF2_HMAC_SHA1 is the same as PKCS5_PBKDF2_HMAC, but with |digest|
- * fixed to |EVP_sha1|. */
+// PKCS5_PBKDF2_HMAC_SHA1 is the same as PKCS5_PBKDF2_HMAC, but with |digest|
+// fixed to |EVP_sha1|.
OPENSSL_EXPORT int PKCS5_PBKDF2_HMAC_SHA1(const char *password,
size_t password_len,
const uint8_t *salt, size_t salt_len,
unsigned iterations, size_t key_len,
uint8_t *out_key);
-/* EVP_PBE_scrypt expands |password| into a secret key of length |key_len| using
- * scrypt, as described in RFC 7914, and writes the result to |out_key|. It
- * returns one on success and zero on error.
- *
- * |N|, |r|, and |p| are as described in RFC 7914 section 6. They determine the
- * cost of the operation. If the memory required exceeds |max_mem|, the
- * operation will fail instead. If |max_mem| is zero, a defult limit of 32MiB
- * will be used. */
+// EVP_PBE_scrypt expands |password| into a secret key of length |key_len| using
+// scrypt, as described in RFC 7914, and writes the result to |out_key|. It
+// returns one on success and zero on error.
+//
+// |N|, |r|, and |p| are as described in RFC 7914 section 6. They determine the
+// cost of the operation. If the memory required exceeds |max_mem|, the
+// operation will fail instead. If |max_mem| is zero, a defult limit of 32MiB
+// will be used.
OPENSSL_EXPORT int EVP_PBE_scrypt(const char *password, size_t password_len,
const uint8_t *salt, size_t salt_len,
uint64_t N, uint64_t r, uint64_t p,
@@ -448,298 +448,298 @@
size_t key_len);
-/* Public key contexts.
- *
- * |EVP_PKEY_CTX| objects hold the context of an operation (e.g. signing or
- * encrypting) that uses a public key. */
+// Public key contexts.
+//
+// |EVP_PKEY_CTX| objects hold the context of an operation (e.g. signing or
+// encrypting) that uses a public key.
-/* EVP_PKEY_CTX_new allocates a fresh |EVP_PKEY_CTX| for use with |pkey|. It
- * returns the context or NULL on error. */
+// EVP_PKEY_CTX_new allocates a fresh |EVP_PKEY_CTX| for use with |pkey|. It
+// returns the context or NULL on error.
OPENSSL_EXPORT EVP_PKEY_CTX *EVP_PKEY_CTX_new(EVP_PKEY *pkey, ENGINE *e);
-/* EVP_PKEY_CTX_new_id allocates a fresh |EVP_PKEY_CTX| for a key of type |id|
- * (e.g. |EVP_PKEY_HMAC|). This can be used for key generation where
- * |EVP_PKEY_CTX_new| can't be used because there isn't an |EVP_PKEY| to pass
- * it. It returns the context or NULL on error. */
+// EVP_PKEY_CTX_new_id allocates a fresh |EVP_PKEY_CTX| for a key of type |id|
+// (e.g. |EVP_PKEY_HMAC|). This can be used for key generation where
+// |EVP_PKEY_CTX_new| can't be used because there isn't an |EVP_PKEY| to pass
+// it. It returns the context or NULL on error.
OPENSSL_EXPORT EVP_PKEY_CTX *EVP_PKEY_CTX_new_id(int id, ENGINE *e);
-/* EVP_PKEY_CTX_free frees |ctx| and the data it owns. */
+// EVP_PKEY_CTX_free frees |ctx| and the data it owns.
OPENSSL_EXPORT void EVP_PKEY_CTX_free(EVP_PKEY_CTX *ctx);
-/* EVP_PKEY_CTX_dup allocates a fresh |EVP_PKEY_CTX| and sets it equal to the
- * state of |ctx|. It returns the fresh |EVP_PKEY_CTX| or NULL on error. */
+// EVP_PKEY_CTX_dup allocates a fresh |EVP_PKEY_CTX| and sets it equal to the
+// state of |ctx|. It returns the fresh |EVP_PKEY_CTX| or NULL on error.
OPENSSL_EXPORT EVP_PKEY_CTX *EVP_PKEY_CTX_dup(EVP_PKEY_CTX *ctx);
-/* EVP_PKEY_CTX_get0_pkey returns the |EVP_PKEY| associated with |ctx|. */
+// EVP_PKEY_CTX_get0_pkey returns the |EVP_PKEY| associated with |ctx|.
OPENSSL_EXPORT EVP_PKEY *EVP_PKEY_CTX_get0_pkey(EVP_PKEY_CTX *ctx);
-/* EVP_PKEY_sign_init initialises an |EVP_PKEY_CTX| for a signing operation. It
- * should be called before |EVP_PKEY_sign|.
- *
- * It returns one on success or zero on error. */
+// EVP_PKEY_sign_init initialises an |EVP_PKEY_CTX| for a signing operation. It
+// should be called before |EVP_PKEY_sign|.
+//
+// It returns one on success or zero on error.
OPENSSL_EXPORT int EVP_PKEY_sign_init(EVP_PKEY_CTX *ctx);
-/* EVP_PKEY_sign signs |digest_len| bytes from |digest| using |ctx|. If |sig| is
- * NULL, the maximum size of the signature is written to
- * |out_sig_len|. Otherwise, |*sig_len| must contain the number of bytes of
- * space available at |sig|. If sufficient, the signature will be written to
- * |sig| and |*sig_len| updated with the true length.
- *
- * This function expects a pre-hashed input and will fail for signature
- * algorithms which do not support this. Use |EVP_DigestSignInit| to sign an
- * unhashed input.
- *
- * WARNING: Setting |sig| to NULL only gives the maximum size of the
- * signature. The actual signature may be smaller.
- *
- * It returns one on success or zero on error. (Note: this differs from
- * OpenSSL, which can also return negative values to indicate an error. ) */
+// EVP_PKEY_sign signs |digest_len| bytes from |digest| using |ctx|. If |sig| is
+// NULL, the maximum size of the signature is written to
+// |out_sig_len|. Otherwise, |*sig_len| must contain the number of bytes of
+// space available at |sig|. If sufficient, the signature will be written to
+// |sig| and |*sig_len| updated with the true length.
+//
+// This function expects a pre-hashed input and will fail for signature
+// algorithms which do not support this. Use |EVP_DigestSignInit| to sign an
+// unhashed input.
+//
+// WARNING: Setting |sig| to NULL only gives the maximum size of the
+// signature. The actual signature may be smaller.
+//
+// It returns one on success or zero on error. (Note: this differs from
+// OpenSSL, which can also return negative values to indicate an error. )
OPENSSL_EXPORT int EVP_PKEY_sign(EVP_PKEY_CTX *ctx, uint8_t *sig,
size_t *sig_len, const uint8_t *digest,
size_t digest_len);
-/* EVP_PKEY_verify_init initialises an |EVP_PKEY_CTX| for a signature
- * verification operation. It should be called before |EVP_PKEY_verify|.
- *
- * It returns one on success or zero on error. */
+// EVP_PKEY_verify_init initialises an |EVP_PKEY_CTX| for a signature
+// verification operation. It should be called before |EVP_PKEY_verify|.
+//
+// It returns one on success or zero on error.
OPENSSL_EXPORT int EVP_PKEY_verify_init(EVP_PKEY_CTX *ctx);
-/* EVP_PKEY_verify verifies that |sig_len| bytes from |sig| are a valid
- * signature for |digest|.
- *
- * This function expects a pre-hashed input and will fail for signature
- * algorithms which do not support this. Use |EVP_DigestVerifyInit| to verify a
- * signature given the unhashed input.
- *
- * It returns one on success or zero on error. */
+// EVP_PKEY_verify verifies that |sig_len| bytes from |sig| are a valid
+// signature for |digest|.
+//
+// This function expects a pre-hashed input and will fail for signature
+// algorithms which do not support this. Use |EVP_DigestVerifyInit| to verify a
+// signature given the unhashed input.
+//
+// It returns one on success or zero on error.
OPENSSL_EXPORT int EVP_PKEY_verify(EVP_PKEY_CTX *ctx, const uint8_t *sig,
size_t sig_len, const uint8_t *digest,
size_t digest_len);
-/* EVP_PKEY_encrypt_init initialises an |EVP_PKEY_CTX| for an encryption
- * operation. It should be called before |EVP_PKEY_encrypt|.
- *
- * It returns one on success or zero on error. */
+// EVP_PKEY_encrypt_init initialises an |EVP_PKEY_CTX| for an encryption
+// operation. It should be called before |EVP_PKEY_encrypt|.
+//
+// It returns one on success or zero on error.
OPENSSL_EXPORT int EVP_PKEY_encrypt_init(EVP_PKEY_CTX *ctx);
-/* EVP_PKEY_encrypt encrypts |in_len| bytes from |in|. If |out| is NULL, the
- * maximum size of the ciphertext is written to |out_len|. Otherwise, |*out_len|
- * must contain the number of bytes of space available at |out|. If sufficient,
- * the ciphertext will be written to |out| and |*out_len| updated with the true
- * length.
- *
- * WARNING: Setting |out| to NULL only gives the maximum size of the
- * ciphertext. The actual ciphertext may be smaller.
- *
- * It returns one on success or zero on error. */
+// EVP_PKEY_encrypt encrypts |in_len| bytes from |in|. If |out| is NULL, the
+// maximum size of the ciphertext is written to |out_len|. Otherwise, |*out_len|
+// must contain the number of bytes of space available at |out|. If sufficient,
+// the ciphertext will be written to |out| and |*out_len| updated with the true
+// length.
+//
+// WARNING: Setting |out| to NULL only gives the maximum size of the
+// ciphertext. The actual ciphertext may be smaller.
+//
+// It returns one on success or zero on error.
OPENSSL_EXPORT int EVP_PKEY_encrypt(EVP_PKEY_CTX *ctx, uint8_t *out,
size_t *out_len, const uint8_t *in,
size_t in_len);
-/* EVP_PKEY_decrypt_init initialises an |EVP_PKEY_CTX| for a decryption
- * operation. It should be called before |EVP_PKEY_decrypt|.
- *
- * It returns one on success or zero on error. */
+// EVP_PKEY_decrypt_init initialises an |EVP_PKEY_CTX| for a decryption
+// operation. It should be called before |EVP_PKEY_decrypt|.
+//
+// It returns one on success or zero on error.
OPENSSL_EXPORT int EVP_PKEY_decrypt_init(EVP_PKEY_CTX *ctx);
-/* EVP_PKEY_decrypt decrypts |in_len| bytes from |in|. If |out| is NULL, the
- * maximum size of the plaintext is written to |out_len|. Otherwise, |*out_len|
- * must contain the number of bytes of space available at |out|. If sufficient,
- * the ciphertext will be written to |out| and |*out_len| updated with the true
- * length.
- *
- * WARNING: Setting |out| to NULL only gives the maximum size of the
- * plaintext. The actual plaintext may be smaller.
- *
- * It returns one on success or zero on error. */
+// EVP_PKEY_decrypt decrypts |in_len| bytes from |in|. If |out| is NULL, the
+// maximum size of the plaintext is written to |out_len|. Otherwise, |*out_len|
+// must contain the number of bytes of space available at |out|. If sufficient,
+// the ciphertext will be written to |out| and |*out_len| updated with the true
+// length.
+//
+// WARNING: Setting |out| to NULL only gives the maximum size of the
+// plaintext. The actual plaintext may be smaller.
+//
+// It returns one on success or zero on error.
OPENSSL_EXPORT int EVP_PKEY_decrypt(EVP_PKEY_CTX *ctx, uint8_t *out,
size_t *out_len, const uint8_t *in,
size_t in_len);
-/* EVP_PKEY_verify_recover_init initialises an |EVP_PKEY_CTX| for a public-key
- * decryption operation. It should be called before |EVP_PKEY_verify_recover|.
- *
- * Public-key decryption is a very obscure operation that is only implemented
- * by RSA keys. It is effectively a signature verification operation that
- * returns the signed message directly. It is almost certainly not what you
- * want.
- *
- * It returns one on success or zero on error. */
+// EVP_PKEY_verify_recover_init initialises an |EVP_PKEY_CTX| for a public-key
+// decryption operation. It should be called before |EVP_PKEY_verify_recover|.
+//
+// Public-key decryption is a very obscure operation that is only implemented
+// by RSA keys. It is effectively a signature verification operation that
+// returns the signed message directly. It is almost certainly not what you
+// want.
+//
+// It returns one on success or zero on error.
OPENSSL_EXPORT int EVP_PKEY_verify_recover_init(EVP_PKEY_CTX *ctx);
-/* EVP_PKEY_verify_recover decrypts |sig_len| bytes from |sig|. If |out| is
- * NULL, the maximum size of the plaintext is written to |out_len|. Otherwise,
- * |*out_len| must contain the number of bytes of space available at |out|. If
- * sufficient, the ciphertext will be written to |out| and |*out_len| updated
- * with the true length.
- *
- * WARNING: Setting |out| to NULL only gives the maximum size of the
- * plaintext. The actual plaintext may be smaller.
- *
- * See the warning about this operation in |EVP_PKEY_verify_recover_init|. It
- * is probably not what you want.
- *
- * It returns one on success or zero on error. */
+// EVP_PKEY_verify_recover decrypts |sig_len| bytes from |sig|. If |out| is
+// NULL, the maximum size of the plaintext is written to |out_len|. Otherwise,
+// |*out_len| must contain the number of bytes of space available at |out|. If
+// sufficient, the ciphertext will be written to |out| and |*out_len| updated
+// with the true length.
+//
+// WARNING: Setting |out| to NULL only gives the maximum size of the
+// plaintext. The actual plaintext may be smaller.
+//
+// See the warning about this operation in |EVP_PKEY_verify_recover_init|. It
+// is probably not what you want.
+//
+// It returns one on success or zero on error.
OPENSSL_EXPORT int EVP_PKEY_verify_recover(EVP_PKEY_CTX *ctx, uint8_t *out,
size_t *out_len, const uint8_t *sig,
size_t siglen);
-/* EVP_PKEY_derive_init initialises an |EVP_PKEY_CTX| for a key derivation
- * operation. It should be called before |EVP_PKEY_derive_set_peer| and
- * |EVP_PKEY_derive|.
- *
- * It returns one on success or zero on error. */
+// EVP_PKEY_derive_init initialises an |EVP_PKEY_CTX| for a key derivation
+// operation. It should be called before |EVP_PKEY_derive_set_peer| and
+// |EVP_PKEY_derive|.
+//
+// It returns one on success or zero on error.
OPENSSL_EXPORT int EVP_PKEY_derive_init(EVP_PKEY_CTX *ctx);
-/* EVP_PKEY_derive_set_peer sets the peer's key to be used for key derivation
- * by |ctx| to |peer|. It should be called after |EVP_PKEY_derive_init|. (For
- * example, this is used to set the peer's key in (EC)DH.) It returns one on
- * success and zero on error. */
+// EVP_PKEY_derive_set_peer sets the peer's key to be used for key derivation
+// by |ctx| to |peer|. It should be called after |EVP_PKEY_derive_init|. (For
+// example, this is used to set the peer's key in (EC)DH.) It returns one on
+// success and zero on error.
OPENSSL_EXPORT int EVP_PKEY_derive_set_peer(EVP_PKEY_CTX *ctx, EVP_PKEY *peer);
-/* EVP_PKEY_derive derives a shared key between the two keys configured in
- * |ctx|. If |key| is non-NULL then, on entry, |out_key_len| must contain the
- * amount of space at |key|. If sufficient then the shared key will be written
- * to |key| and |*out_key_len| will be set to the length. If |key| is NULL then
- * |out_key_len| will be set to the maximum length.
- *
- * WARNING: Setting |out| to NULL only gives the maximum size of the key. The
- * actual key may be smaller.
- *
- * It returns one on success and zero on error. */
+// EVP_PKEY_derive derives a shared key between the two keys configured in
+// |ctx|. If |key| is non-NULL then, on entry, |out_key_len| must contain the
+// amount of space at |key|. If sufficient then the shared key will be written
+// to |key| and |*out_key_len| will be set to the length. If |key| is NULL then
+// |out_key_len| will be set to the maximum length.
+//
+// WARNING: Setting |out| to NULL only gives the maximum size of the key. The
+// actual key may be smaller.
+//
+// It returns one on success and zero on error.
OPENSSL_EXPORT int EVP_PKEY_derive(EVP_PKEY_CTX *ctx, uint8_t *key,
size_t *out_key_len);
-/* EVP_PKEY_keygen_init initialises an |EVP_PKEY_CTX| for a key generation
- * operation. It should be called before |EVP_PKEY_keygen|.
- *
- * It returns one on success or zero on error. */
+// EVP_PKEY_keygen_init initialises an |EVP_PKEY_CTX| for a key generation
+// operation. It should be called before |EVP_PKEY_keygen|.
+//
+// It returns one on success or zero on error.
OPENSSL_EXPORT int EVP_PKEY_keygen_init(EVP_PKEY_CTX *ctx);
-/* EVP_PKEY_keygen performs a key generation operation using the values from
- * |ctx| and sets |*ppkey| to a fresh |EVP_PKEY| containing the resulting key.
- * It returns one on success or zero on error. */
+// EVP_PKEY_keygen performs a key generation operation using the values from
+// |ctx| and sets |*ppkey| to a fresh |EVP_PKEY| containing the resulting key.
+// It returns one on success or zero on error.
OPENSSL_EXPORT int EVP_PKEY_keygen(EVP_PKEY_CTX *ctx, EVP_PKEY **ppkey);
-/* Generic control functions. */
+// Generic control functions.
-/* EVP_PKEY_CTX_set_signature_md sets |md| as the digest to be used in a
- * signature operation. It returns one on success or zero on error. */
+// EVP_PKEY_CTX_set_signature_md sets |md| as the digest to be used in a
+// signature operation. It returns one on success or zero on error.
OPENSSL_EXPORT int EVP_PKEY_CTX_set_signature_md(EVP_PKEY_CTX *ctx,
const EVP_MD *md);
-/* EVP_PKEY_CTX_get_signature_md sets |*out_md| to the digest to be used in a
- * signature operation. It returns one on success or zero on error. */
+// EVP_PKEY_CTX_get_signature_md sets |*out_md| to the digest to be used in a
+// signature operation. It returns one on success or zero on error.
OPENSSL_EXPORT int EVP_PKEY_CTX_get_signature_md(EVP_PKEY_CTX *ctx,
const EVP_MD **out_md);
-/* RSA specific control functions. */
+// RSA specific control functions.
-/* EVP_PKEY_CTX_set_rsa_padding sets the padding type to use. It should be one
- * of the |RSA_*_PADDING| values. Returns one on success or zero on error. */
+// EVP_PKEY_CTX_set_rsa_padding sets the padding type to use. It should be one
+// of the |RSA_*_PADDING| values. Returns one on success or zero on error.
OPENSSL_EXPORT int EVP_PKEY_CTX_set_rsa_padding(EVP_PKEY_CTX *ctx, int padding);
-/* EVP_PKEY_CTX_get_rsa_padding sets |*out_padding| to the current padding
- * value, which is one of the |RSA_*_PADDING| values. Returns one on success or
- * zero on error. */
+// EVP_PKEY_CTX_get_rsa_padding sets |*out_padding| to the current padding
+// value, which is one of the |RSA_*_PADDING| values. Returns one on success or
+// zero on error.
OPENSSL_EXPORT int EVP_PKEY_CTX_get_rsa_padding(EVP_PKEY_CTX *ctx,
int *out_padding);
-/* EVP_PKEY_CTX_set_rsa_pss_saltlen sets the length of the salt in a PSS-padded
- * signature. A value of -1 cause the salt to be the same length as the digest
- * in the signature. A value of -2 causes the salt to be the maximum length
- * that will fit when signing and recovered from the signature when verifying.
- * Otherwise the value gives the size of the salt in bytes.
- *
- * If unsure, use -1.
- *
- * Returns one on success or zero on error. */
+// EVP_PKEY_CTX_set_rsa_pss_saltlen sets the length of the salt in a PSS-padded
+// signature. A value of -1 cause the salt to be the same length as the digest
+// in the signature. A value of -2 causes the salt to be the maximum length
+// that will fit when signing and recovered from the signature when verifying.
+// Otherwise the value gives the size of the salt in bytes.
+//
+// If unsure, use -1.
+//
+// Returns one on success or zero on error.
OPENSSL_EXPORT int EVP_PKEY_CTX_set_rsa_pss_saltlen(EVP_PKEY_CTX *ctx,
int salt_len);
-/* EVP_PKEY_CTX_get_rsa_pss_saltlen sets |*out_salt_len| to the salt length of
- * a PSS-padded signature. See the documentation for
- * |EVP_PKEY_CTX_set_rsa_pss_saltlen| for details of the special values that it
- * can take.
- *
- * Returns one on success or zero on error. */
+// EVP_PKEY_CTX_get_rsa_pss_saltlen sets |*out_salt_len| to the salt length of
+// a PSS-padded signature. See the documentation for
+// |EVP_PKEY_CTX_set_rsa_pss_saltlen| for details of the special values that it
+// can take.
+//
+// Returns one on success or zero on error.
OPENSSL_EXPORT int EVP_PKEY_CTX_get_rsa_pss_saltlen(EVP_PKEY_CTX *ctx,
int *out_salt_len);
-/* EVP_PKEY_CTX_set_rsa_keygen_bits sets the size of the desired RSA modulus,
- * in bits, for key generation. Returns one on success or zero on
- * error. */
+// EVP_PKEY_CTX_set_rsa_keygen_bits sets the size of the desired RSA modulus,
+// in bits, for key generation. Returns one on success or zero on
+// error.
OPENSSL_EXPORT int EVP_PKEY_CTX_set_rsa_keygen_bits(EVP_PKEY_CTX *ctx,
int bits);
-/* EVP_PKEY_CTX_set_rsa_keygen_pubexp sets |e| as the public exponent for key
- * generation. Returns one on success or zero on error. */
+// EVP_PKEY_CTX_set_rsa_keygen_pubexp sets |e| as the public exponent for key
+// generation. Returns one on success or zero on error.
OPENSSL_EXPORT int EVP_PKEY_CTX_set_rsa_keygen_pubexp(EVP_PKEY_CTX *ctx,
BIGNUM *e);
-/* EVP_PKEY_CTX_set_rsa_oaep_md sets |md| as the digest used in OAEP padding.
- * Returns one on success or zero on error. */
+// EVP_PKEY_CTX_set_rsa_oaep_md sets |md| as the digest used in OAEP padding.
+// Returns one on success or zero on error.
OPENSSL_EXPORT int EVP_PKEY_CTX_set_rsa_oaep_md(EVP_PKEY_CTX *ctx,
const EVP_MD *md);
-/* EVP_PKEY_CTX_get_rsa_oaep_md sets |*out_md| to the digest function used in
- * OAEP padding. Returns one on success or zero on error. */
+// EVP_PKEY_CTX_get_rsa_oaep_md sets |*out_md| to the digest function used in
+// OAEP padding. Returns one on success or zero on error.
OPENSSL_EXPORT int EVP_PKEY_CTX_get_rsa_oaep_md(EVP_PKEY_CTX *ctx,
const EVP_MD **out_md);
-/* EVP_PKEY_CTX_set_rsa_mgf1_md sets |md| as the digest used in MGF1. Returns
- * one on success or zero on error. */
+// EVP_PKEY_CTX_set_rsa_mgf1_md sets |md| as the digest used in MGF1. Returns
+// one on success or zero on error.
OPENSSL_EXPORT int EVP_PKEY_CTX_set_rsa_mgf1_md(EVP_PKEY_CTX *ctx,
const EVP_MD *md);
-/* EVP_PKEY_CTX_get_rsa_mgf1_md sets |*out_md| to the digest function used in
- * MGF1. Returns one on success or zero on error. */
+// EVP_PKEY_CTX_get_rsa_mgf1_md sets |*out_md| to the digest function used in
+// MGF1. Returns one on success or zero on error.
OPENSSL_EXPORT int EVP_PKEY_CTX_get_rsa_mgf1_md(EVP_PKEY_CTX *ctx,
const EVP_MD **out_md);
-/* EVP_PKEY_CTX_set0_rsa_oaep_label sets |label_len| bytes from |label| as the
- * label used in OAEP. DANGER: On success, this call takes ownership of |label|
- * and will call |OPENSSL_free| on it when |ctx| is destroyed.
- *
- * Returns one on success or zero on error. */
+// EVP_PKEY_CTX_set0_rsa_oaep_label sets |label_len| bytes from |label| as the
+// label used in OAEP. DANGER: On success, this call takes ownership of |label|
+// and will call |OPENSSL_free| on it when |ctx| is destroyed.
+//
+// Returns one on success or zero on error.
OPENSSL_EXPORT int EVP_PKEY_CTX_set0_rsa_oaep_label(EVP_PKEY_CTX *ctx,
uint8_t *label,
size_t label_len);
-/* EVP_PKEY_CTX_get0_rsa_oaep_label sets |*out_label| to point to the internal
- * buffer containing the OAEP label (which may be NULL) and returns the length
- * of the label or a negative value on error.
- *
- * WARNING: the return value differs from the usual return value convention. */
+// EVP_PKEY_CTX_get0_rsa_oaep_label sets |*out_label| to point to the internal
+// buffer containing the OAEP label (which may be NULL) and returns the length
+// of the label or a negative value on error.
+//
+// WARNING: the return value differs from the usual return value convention.
OPENSSL_EXPORT int EVP_PKEY_CTX_get0_rsa_oaep_label(EVP_PKEY_CTX *ctx,
const uint8_t **out_label);
-/* Deprecated functions. */
+// Deprecated functions.
-/* EVP_PKEY_DH is defined for compatibility, but it is impossible to create an
- * |EVP_PKEY| of that type. */
+// EVP_PKEY_DH is defined for compatibility, but it is impossible to create an
+// |EVP_PKEY| of that type.
#define EVP_PKEY_DH NID_dhKeyAgreement
-/* EVP_PKEY_RSA2 was historically an alternate form for RSA public keys (OID
- * 2.5.8.1.1), but is no longer accepted. */
+// EVP_PKEY_RSA2 was historically an alternate form for RSA public keys (OID
+// 2.5.8.1.1), but is no longer accepted.
#define EVP_PKEY_RSA2 NID_rsa
-/* OpenSSL_add_all_algorithms does nothing. */
+// OpenSSL_add_all_algorithms does nothing.
OPENSSL_EXPORT void OpenSSL_add_all_algorithms(void);
-/* OPENSSL_add_all_algorithms_conf does nothing. */
+// OPENSSL_add_all_algorithms_conf does nothing.
OPENSSL_EXPORT void OPENSSL_add_all_algorithms_conf(void);
-/* OpenSSL_add_all_ciphers does nothing. */
+// OpenSSL_add_all_ciphers does nothing.
OPENSSL_EXPORT void OpenSSL_add_all_ciphers(void);
-/* OpenSSL_add_all_digests does nothing. */
+// OpenSSL_add_all_digests does nothing.
OPENSSL_EXPORT void OpenSSL_add_all_digests(void);
-/* EVP_cleanup does nothing. */
+// EVP_cleanup does nothing.
OPENSSL_EXPORT void EVP_cleanup(void);
OPENSSL_EXPORT void EVP_CIPHER_do_all_sorted(
@@ -753,61 +753,61 @@
void *arg),
void *arg);
-/* i2d_PrivateKey marshals a private key from |key| to an ASN.1, DER
- * structure. If |outp| is not NULL then the result is written to |*outp| and
- * |*outp| is advanced just past the output. It returns the number of bytes in
- * the result, whether written or not, or a negative value on error.
- *
- * RSA keys are serialized as a DER-encoded RSAPublicKey (RFC 3447) structure.
- * EC keys are serialized as a DER-encoded ECPrivateKey (RFC 5915) structure.
- *
- * Use |RSA_marshal_private_key| or |EC_marshal_private_key| instead. */
+// i2d_PrivateKey marshals a private key from |key| to an ASN.1, DER
+// structure. If |outp| is not NULL then the result is written to |*outp| and
+// |*outp| is advanced just past the output. It returns the number of bytes in
+// the result, whether written or not, or a negative value on error.
+//
+// RSA keys are serialized as a DER-encoded RSAPublicKey (RFC 3447) structure.
+// EC keys are serialized as a DER-encoded ECPrivateKey (RFC 5915) structure.
+//
+// Use |RSA_marshal_private_key| or |EC_marshal_private_key| instead.
OPENSSL_EXPORT int i2d_PrivateKey(const EVP_PKEY *key, uint8_t **outp);
-/* i2d_PublicKey marshals a public key from |key| to a type-specific format.
- * If |outp| is not NULL then the result is written to |*outp| and
- * |*outp| is advanced just past the output. It returns the number of bytes in
- * the result, whether written or not, or a negative value on error.
- *
- * RSA keys are serialized as a DER-encoded RSAPublicKey (RFC 3447) structure.
- * EC keys are serialized as an EC point per SEC 1.
- *
- * Use |RSA_marshal_public_key| or |EC_POINT_point2cbb| instead. */
+// i2d_PublicKey marshals a public key from |key| to a type-specific format.
+// If |outp| is not NULL then the result is written to |*outp| and
+// |*outp| is advanced just past the output. It returns the number of bytes in
+// the result, whether written or not, or a negative value on error.
+//
+// RSA keys are serialized as a DER-encoded RSAPublicKey (RFC 3447) structure.
+// EC keys are serialized as an EC point per SEC 1.
+//
+// Use |RSA_marshal_public_key| or |EC_POINT_point2cbb| instead.
OPENSSL_EXPORT int i2d_PublicKey(EVP_PKEY *key, uint8_t **outp);
-/* d2i_PrivateKey parses an ASN.1, DER-encoded, private key from |len| bytes at
- * |*inp|. If |out| is not NULL then, on exit, a pointer to the result is in
- * |*out|. Note that, even if |*out| is already non-NULL on entry, it will not
- * be written to. Rather, a fresh |EVP_PKEY| is allocated and the previous one
- * is freed. On successful exit, |*inp| is advanced past the DER structure. It
- * returns the result or NULL on error.
- *
- * This function tries to detect one of several formats. Instead, use
- * |EVP_parse_private_key| for a PrivateKeyInfo, |RSA_parse_private_key| for an
- * RSAPrivateKey, and |EC_parse_private_key| for an ECPrivateKey. */
+// d2i_PrivateKey parses an ASN.1, DER-encoded, private key from |len| bytes at
+// |*inp|. If |out| is not NULL then, on exit, a pointer to the result is in
+// |*out|. Note that, even if |*out| is already non-NULL on entry, it will not
+// be written to. Rather, a fresh |EVP_PKEY| is allocated and the previous one
+// is freed. On successful exit, |*inp| is advanced past the DER structure. It
+// returns the result or NULL on error.
+//
+// This function tries to detect one of several formats. Instead, use
+// |EVP_parse_private_key| for a PrivateKeyInfo, |RSA_parse_private_key| for an
+// RSAPrivateKey, and |EC_parse_private_key| for an ECPrivateKey.
OPENSSL_EXPORT EVP_PKEY *d2i_PrivateKey(int type, EVP_PKEY **out,
const uint8_t **inp, long len);
-/* d2i_AutoPrivateKey acts the same as |d2i_PrivateKey|, but detects the type
- * of the private key.
- *
- * This function tries to detect one of several formats. Instead, use
- * |EVP_parse_private_key| for a PrivateKeyInfo, |RSA_parse_private_key| for an
- * RSAPrivateKey, and |EC_parse_private_key| for an ECPrivateKey. */
+// d2i_AutoPrivateKey acts the same as |d2i_PrivateKey|, but detects the type
+// of the private key.
+//
+// This function tries to detect one of several formats. Instead, use
+// |EVP_parse_private_key| for a PrivateKeyInfo, |RSA_parse_private_key| for an
+// RSAPrivateKey, and |EC_parse_private_key| for an ECPrivateKey.
OPENSSL_EXPORT EVP_PKEY *d2i_AutoPrivateKey(EVP_PKEY **out, const uint8_t **inp,
long len);
-/* EVP_PKEY_get0_DH returns NULL. */
+// EVP_PKEY_get0_DH returns NULL.
OPENSSL_EXPORT DH *EVP_PKEY_get0_DH(EVP_PKEY *pkey);
-/* Private structures. */
+// Private structures.
struct evp_pkey_st {
CRYPTO_refcount_t references;
- /* type contains one of the EVP_PKEY_* values or NID_undef and determines
- * which element (if any) of the |pkey| union is valid. */
+ // type contains one of the EVP_PKEY_* values or NID_undef and determines
+ // which element (if any) of the |pkey| union is valid.
int type;
union {
@@ -818,14 +818,14 @@
EC_KEY *ec;
} pkey;
- /* ameth contains a pointer to a method table that contains many ASN.1
- * methods for the key type. */
+ // ameth contains a pointer to a method table that contains many ASN.1
+ // methods for the key type.
const EVP_PKEY_ASN1_METHOD *ameth;
} /* EVP_PKEY */;
#if defined(__cplusplus)
-} /* extern C */
+} // extern C
extern "C++" {
namespace bssl {
@@ -835,7 +835,7 @@
} // namespace bssl
-} /* extern C++ */
+} // extern C++
#endif
@@ -874,4 +874,4 @@
#define EVP_R_MEMORY_LIMIT_EXCEEDED 132
#define EVP_R_INVALID_PARAMETERS 133
-#endif /* OPENSSL_HEADER_EVP_H */
+#endif // OPENSSL_HEADER_EVP_H
diff --git a/src/include/openssl/ex_data.h b/src/include/openssl/ex_data.h
index 5d1a45c..102f8a8 100644
--- a/src/include/openssl/ex_data.h
+++ b/src/include/openssl/ex_data.h
@@ -118,77 +118,77 @@
#endif
-/* ex_data is a mechanism for associating arbitrary extra data with objects.
- * For each type of object that supports ex_data, different users can be
- * assigned indexes in which to store their data. Each index has callback
- * functions that are called when an object of that type is freed or
- * duplicated. */
+// ex_data is a mechanism for associating arbitrary extra data with objects.
+// For each type of object that supports ex_data, different users can be
+// assigned indexes in which to store their data. Each index has callback
+// functions that are called when an object of that type is freed or
+// duplicated.
typedef struct crypto_ex_data_st CRYPTO_EX_DATA;
-/* Type-specific functions.
- *
- * Each type that supports ex_data provides three functions: */
+// Type-specific functions.
+//
+// Each type that supports ex_data provides three functions:
-#if 0 /* Sample */
+#if 0 // Sample
-/* TYPE_get_ex_new_index allocates a new index for |TYPE|. An optional
- * |free_func| argument may be provided which is called when the owning object
- * is destroyed. See |CRYPTO_EX_free| for details. The |argl| and |argp|
- * arguments are opaque values that are passed to the callback. It returns the
- * new index or a negative number on error. */
+// TYPE_get_ex_new_index allocates a new index for |TYPE|. An optional
+// |free_func| argument may be provided which is called when the owning object
+// is destroyed. See |CRYPTO_EX_free| for details. The |argl| and |argp|
+// arguments are opaque values that are passed to the callback. It returns the
+// new index or a negative number on error.
OPENSSL_EXPORT int TYPE_get_ex_new_index(long argl, void *argp,
CRYPTO_EX_unused *unused,
CRYPTO_EX_dup *dup_unused,
CRYPTO_EX_free *free_func);
-/* TYPE_set_ex_data sets an extra data pointer on |t|. The |index| argument
- * should have been returned from a previous call to |TYPE_get_ex_new_index|. */
+// TYPE_set_ex_data sets an extra data pointer on |t|. The |index| argument
+// should have been returned from a previous call to |TYPE_get_ex_new_index|.
OPENSSL_EXPORT int TYPE_set_ex_data(TYPE *t, int index, void *arg);
-/* TYPE_get_ex_data returns an extra data pointer for |t|, or NULL if no such
- * pointer exists. The |index| argument should have been returned from a
- * previous call to |TYPE_get_ex_new_index|. */
+// TYPE_get_ex_data returns an extra data pointer for |t|, or NULL if no such
+// pointer exists. The |index| argument should have been returned from a
+// previous call to |TYPE_get_ex_new_index|.
OPENSSL_EXPORT void *TYPE_get_ex_data(const TYPE *t, int index);
-#endif /* Sample */
+#endif // Sample
-/* Callback types. */
+// Callback types.
-/* CRYPTO_EX_free is a callback function that is called when an object of the
- * class with extra data pointers is being destroyed. For example, if this
- * callback has been passed to |SSL_get_ex_new_index| then it may be called each
- * time an |SSL*| is destroyed.
- *
- * The callback is passed the new object (i.e. the |SSL*|) in |parent|. The
- * arguments |argl| and |argp| contain opaque values that were given to
- * |CRYPTO_get_ex_new_index|. The callback should return one on success, but
- * the value is ignored.
- *
- * This callback may be called with a NULL value for |ptr| if |parent| has no
- * value set for this index. However, the callbacks may also be skipped entirely
- * if no extra data pointers are set on |parent| at all. */
+// CRYPTO_EX_free is a callback function that is called when an object of the
+// class with extra data pointers is being destroyed. For example, if this
+// callback has been passed to |SSL_get_ex_new_index| then it may be called each
+// time an |SSL*| is destroyed.
+//
+// The callback is passed the new object (i.e. the |SSL*|) in |parent|. The
+// arguments |argl| and |argp| contain opaque values that were given to
+// |CRYPTO_get_ex_new_index|. The callback should return one on success, but
+// the value is ignored.
+//
+// This callback may be called with a NULL value for |ptr| if |parent| has no
+// value set for this index. However, the callbacks may also be skipped entirely
+// if no extra data pointers are set on |parent| at all.
typedef void CRYPTO_EX_free(void *parent, void *ptr, CRYPTO_EX_DATA *ad,
int index, long argl, void *argp);
-/* Deprecated functions. */
+// Deprecated functions.
-/* CRYPTO_cleanup_all_ex_data does nothing. */
+// CRYPTO_cleanup_all_ex_data does nothing.
OPENSSL_EXPORT void CRYPTO_cleanup_all_ex_data(void);
-/* CRYPTO_EX_dup is a legacy callback function type which is ignored. */
+// CRYPTO_EX_dup is a legacy callback function type which is ignored.
typedef int CRYPTO_EX_dup(CRYPTO_EX_DATA *to, const CRYPTO_EX_DATA *from,
void **from_d, int index, long argl, void *argp);
-/* Private structures. */
+// Private structures.
-/* CRYPTO_EX_unused is a placeholder for an unused callback. It is aliased to
- * int to ensure non-NULL callers fail to compile rather than fail silently. */
+// CRYPTO_EX_unused is a placeholder for an unused callback. It is aliased to
+// int to ensure non-NULL callers fail to compile rather than fail silently.
typedef int CRYPTO_EX_unused;
struct crypto_ex_data_st {
@@ -197,7 +197,7 @@
#if defined(__cplusplus)
-} /* extern C */
+} // extern C
#endif
-#endif /* OPENSSL_HEADER_EX_DATA_H */
+#endif // OPENSSL_HEADER_EX_DATA_H
diff --git a/src/include/openssl/hkdf.h b/src/include/openssl/hkdf.h
index bffb01e..59aaa49 100644
--- a/src/include/openssl/hkdf.h
+++ b/src/include/openssl/hkdf.h
@@ -22,33 +22,33 @@
#endif
-/* HKDF. */
+// HKDF.
-/* HKDF computes HKDF (as specified by RFC 5869) of initial keying material
- * |secret| with |salt| and |info| using |digest|, and outputs |out_len| bytes
- * to |out_key|. It returns one on success and zero on error.
- *
- * HKDF is an Extract-and-Expand algorithm. It does not do any key stretching,
- * and as such, is not suited to be used alone to generate a key from a
- * password. */
+// HKDF computes HKDF (as specified by RFC 5869) of initial keying material
+// |secret| with |salt| and |info| using |digest|, and outputs |out_len| bytes
+// to |out_key|. It returns one on success and zero on error.
+//
+// HKDF is an Extract-and-Expand algorithm. It does not do any key stretching,
+// and as such, is not suited to be used alone to generate a key from a
+// password.
OPENSSL_EXPORT int HKDF(uint8_t *out_key, size_t out_len, const EVP_MD *digest,
const uint8_t *secret, size_t secret_len,
const uint8_t *salt, size_t salt_len,
const uint8_t *info, size_t info_len);
-/* HKDF_extract computes a HKDF PRK (as specified by RFC 5869) from initial
- * keying material |secret| and salt |salt| using |digest|, and outputs
- * |out_len| bytes to |out_key|. The maximum output size is |EVP_MAX_MD_SIZE|.
- * It returns one on success and zero on error. */
+// HKDF_extract computes a HKDF PRK (as specified by RFC 5869) from initial
+// keying material |secret| and salt |salt| using |digest|, and outputs
+// |out_len| bytes to |out_key|. The maximum output size is |EVP_MAX_MD_SIZE|.
+// It returns one on success and zero on error.
OPENSSL_EXPORT int HKDF_extract(uint8_t *out_key, size_t *out_len,
const EVP_MD *digest, const uint8_t *secret,
size_t secret_len, const uint8_t *salt,
size_t salt_len);
-/* HKDF_expand computes a HKDF OKM (as specified by RFC 5869) of length
- * |out_len| from the PRK |prk| and info |info| using |digest|, and outputs
- * the result to |out_key|. It returns one on success and zero on error. */
+// HKDF_expand computes a HKDF OKM (as specified by RFC 5869) of length
+// |out_len| from the PRK |prk| and info |info| using |digest|, and outputs
+// the result to |out_key|. It returns one on success and zero on error.
OPENSSL_EXPORT int HKDF_expand(uint8_t *out_key, size_t out_len,
const EVP_MD *digest, const uint8_t *prk,
size_t prk_len, const uint8_t *info,
@@ -56,9 +56,9 @@
#if defined(__cplusplus)
-} /* extern C */
+} // extern C
#endif
#define HKDF_R_OUTPUT_TOO_LARGE 100
-#endif /* OPENSSL_HEADER_HKDF_H */
+#endif // OPENSSL_HEADER_HKDF_H
diff --git a/src/include/openssl/hmac.h b/src/include/openssl/hmac.h
index e4cc04e..1754d7f 100644
--- a/src/include/openssl/hmac.h
+++ b/src/include/openssl/hmac.h
@@ -66,84 +66,84 @@
#endif
-/* HMAC contains functions for constructing PRFs from Merkle–Damgård hash
- * functions using HMAC. */
+// HMAC contains functions for constructing PRFs from Merkle–Damgård hash
+// functions using HMAC.
-/* One-shot operation. */
+// One-shot operation.
-/* HMAC calculates the HMAC of |data_len| bytes of |data|, using the given key
- * and hash function, and writes the result to |out|. On entry, |out| must
- * contain at least |EVP_MD_size| bytes of space. The actual length of the
- * result is written to |*out_len|. An output size of |EVP_MAX_MD_SIZE| will
- * always be large enough. It returns |out| or NULL on error. */
+// HMAC calculates the HMAC of |data_len| bytes of |data|, using the given key
+// and hash function, and writes the result to |out|. On entry, |out| must
+// contain at least |EVP_MD_size| bytes of space. The actual length of the
+// result is written to |*out_len|. An output size of |EVP_MAX_MD_SIZE| will
+// always be large enough. It returns |out| or NULL on error.
OPENSSL_EXPORT uint8_t *HMAC(const EVP_MD *evp_md, const void *key,
size_t key_len, const uint8_t *data,
size_t data_len, uint8_t *out,
unsigned int *out_len);
-/* Incremental operation. */
+// Incremental operation.
-/* HMAC_CTX_init initialises |ctx| for use in an HMAC operation. It's assumed
- * that HMAC_CTX objects will be allocated on the stack thus no allocation
- * function is provided. If needed, allocate |sizeof(HMAC_CTX)| and call
- * |HMAC_CTX_init| on it. */
+// HMAC_CTX_init initialises |ctx| for use in an HMAC operation. It's assumed
+// that HMAC_CTX objects will be allocated on the stack thus no allocation
+// function is provided. If needed, allocate |sizeof(HMAC_CTX)| and call
+// |HMAC_CTX_init| on it.
OPENSSL_EXPORT void HMAC_CTX_init(HMAC_CTX *ctx);
-/* HMAC_CTX_cleanup frees data owned by |ctx|. */
+// HMAC_CTX_cleanup frees data owned by |ctx|.
OPENSSL_EXPORT void HMAC_CTX_cleanup(HMAC_CTX *ctx);
-/* HMAC_Init_ex sets up an initialised |HMAC_CTX| to use |md| as the hash
- * function and |key| as the key. For a non-initial call, |md| may be NULL, in
- * which case the previous hash function will be used. If the hash function has
- * not changed and |key| is NULL, |ctx| reuses the previous key. It returns one
- * on success or zero otherwise.
- *
- * WARNING: NULL and empty keys are ambiguous on non-initial calls. Passing NULL
- * |key| but repeating the previous |md| reuses the previous key rather than the
- * empty key. */
+// HMAC_Init_ex sets up an initialised |HMAC_CTX| to use |md| as the hash
+// function and |key| as the key. For a non-initial call, |md| may be NULL, in
+// which case the previous hash function will be used. If the hash function has
+// not changed and |key| is NULL, |ctx| reuses the previous key. It returns one
+// on success or zero otherwise.
+//
+// WARNING: NULL and empty keys are ambiguous on non-initial calls. Passing NULL
+// |key| but repeating the previous |md| reuses the previous key rather than the
+// empty key.
OPENSSL_EXPORT int HMAC_Init_ex(HMAC_CTX *ctx, const void *key, size_t key_len,
const EVP_MD *md, ENGINE *impl);
-/* HMAC_Update hashes |data_len| bytes from |data| into the current HMAC
- * operation in |ctx|. It returns one. */
+// HMAC_Update hashes |data_len| bytes from |data| into the current HMAC
+// operation in |ctx|. It returns one.
OPENSSL_EXPORT int HMAC_Update(HMAC_CTX *ctx, const uint8_t *data,
size_t data_len);
-/* HMAC_Final completes the HMAC operation in |ctx| and writes the result to
- * |out| and the sets |*out_len| to the length of the result. On entry, |out|
- * must contain at least |HMAC_size| bytes of space. An output size of
- * |EVP_MAX_MD_SIZE| will always be large enough. It returns one on success or
- * zero on error. */
+// HMAC_Final completes the HMAC operation in |ctx| and writes the result to
+// |out| and the sets |*out_len| to the length of the result. On entry, |out|
+// must contain at least |HMAC_size| bytes of space. An output size of
+// |EVP_MAX_MD_SIZE| will always be large enough. It returns one on success or
+// zero on error.
OPENSSL_EXPORT int HMAC_Final(HMAC_CTX *ctx, uint8_t *out,
unsigned int *out_len);
-/* Utility functions. */
+// Utility functions.
-/* HMAC_size returns the size, in bytes, of the HMAC that will be produced by
- * |ctx|. On entry, |ctx| must have been setup with |HMAC_Init_ex|. */
+// HMAC_size returns the size, in bytes, of the HMAC that will be produced by
+// |ctx|. On entry, |ctx| must have been setup with |HMAC_Init_ex|.
OPENSSL_EXPORT size_t HMAC_size(const HMAC_CTX *ctx);
-/* HMAC_CTX_copy_ex sets |dest| equal to |src|. On entry, |dest| must have been
- * initialised by calling |HMAC_CTX_init|. It returns one on success and zero
- * on error. */
+// HMAC_CTX_copy_ex sets |dest| equal to |src|. On entry, |dest| must have been
+// initialised by calling |HMAC_CTX_init|. It returns one on success and zero
+// on error.
OPENSSL_EXPORT int HMAC_CTX_copy_ex(HMAC_CTX *dest, const HMAC_CTX *src);
-/* Deprecated functions. */
+// Deprecated functions.
OPENSSL_EXPORT int HMAC_Init(HMAC_CTX *ctx, const void *key, int key_len,
const EVP_MD *md);
-/* HMAC_CTX_copy calls |HMAC_CTX_init| on |dest| and then sets it equal to
- * |src|. On entry, |dest| must /not/ be initialised for an operation with
- * |HMAC_Init_ex|. It returns one on success and zero on error. */
+// HMAC_CTX_copy calls |HMAC_CTX_init| on |dest| and then sets it equal to
+// |src|. On entry, |dest| must /not/ be initialised for an operation with
+// |HMAC_Init_ex|. It returns one on success and zero on error.
OPENSSL_EXPORT int HMAC_CTX_copy(HMAC_CTX *dest, const HMAC_CTX *src);
-/* Private functions */
+// Private functions
struct hmac_ctx_st {
const EVP_MD *md;
@@ -154,7 +154,7 @@
#if defined(__cplusplus)
-} /* extern C */
+} // extern C
#if !defined(BORINGSSL_NO_CXX)
extern "C++" {
@@ -171,4 +171,4 @@
#endif
-#endif /* OPENSSL_HEADER_HMAC_H */
+#endif // OPENSSL_HEADER_HMAC_H
diff --git a/src/include/openssl/is_boringssl.h b/src/include/openssl/is_boringssl.h
index def6e82..302cbe2 100644
--- a/src/include/openssl/is_boringssl.h
+++ b/src/include/openssl/is_boringssl.h
@@ -12,5 +12,5 @@
* OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN
* CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. */
-/* This header is provided in order to catch include path errors in consuming
- * BoringSSL. */
+// This header is provided in order to catch include path errors in consuming
+// BoringSSL.
diff --git a/src/include/openssl/lhash.h b/src/include/openssl/lhash.h
index b95d4f2..7525c08 100644
--- a/src/include/openssl/lhash.h
+++ b/src/include/openssl/lhash.h
@@ -65,24 +65,24 @@
#endif
-/* lhash is a traditional, chaining hash table that automatically expands and
- * contracts as needed. One should not use the lh_* functions directly, rather
- * use the type-safe macro wrappers:
- *
- * A hash table of a specific type of object has type |LHASH_OF(type)|. This
- * can be defined (once) with |DEFINE_LHASH_OF(type)| and declared where needed
- * with |DECLARE_LHASH_OF(type)|. For example:
- *
- * struct foo {
- * int bar;
- * };
- *
- * DEFINE_LHASH_OF(struct foo);
- *
- * Although note that the hash table will contain /pointers/ to |foo|.
- *
- * A macro will be defined for each of the lh_* functions below. For
- * LHASH_OF(foo), the macros would be lh_foo_new, lh_foo_num_items etc. */
+// lhash is a traditional, chaining hash table that automatically expands and
+// contracts as needed. One should not use the lh_* functions directly, rather
+// use the type-safe macro wrappers:
+//
+// A hash table of a specific type of object has type |LHASH_OF(type)|. This
+// can be defined (once) with |DEFINE_LHASH_OF(type)| and declared where needed
+// with |DECLARE_LHASH_OF(type)|. For example:
+//
+// struct foo {
+// int bar;
+// };
+//
+// DEFINE_LHASH_OF(struct foo);
+//
+// Although note that the hash table will contain /pointers/ to |foo|.
+//
+// A macro will be defined for each of the lh_* functions below. For
+// LHASH_OF(foo), the macros would be lh_foo_new, lh_foo_num_items etc.
#define LHASH_OF(type) struct lhash_st_##type
@@ -91,101 +91,101 @@
#define DECLARE_LHASH_OF(type) LHASH_OF(type);
-/* The make_macros.sh script in this directory parses the following lines and
- * generates the lhash_macros.h file that contains macros for the following
- * types of stacks:
- *
- * LHASH_OF:ASN1_OBJECT
- * LHASH_OF:CONF_VALUE
- * LHASH_OF:CRYPTO_BUFFER
- * LHASH_OF:SSL_SESSION */
+// The make_macros.sh script in this directory parses the following lines and
+// generates the lhash_macros.h file that contains macros for the following
+// types of stacks:
+//
+// LHASH_OF:ASN1_OBJECT
+// LHASH_OF:CONF_VALUE
+// LHASH_OF:CRYPTO_BUFFER
+// LHASH_OF:SSL_SESSION
#define IN_LHASH_H
#include <openssl/lhash_macros.h>
#undef IN_LHASH_H
-/* lhash_item_st is an element of a hash chain. It points to the opaque data
- * for this element and to the next item in the chain. The linked-list is NULL
- * terminated. */
+// lhash_item_st is an element of a hash chain. It points to the opaque data
+// for this element and to the next item in the chain. The linked-list is NULL
+// terminated.
typedef struct lhash_item_st {
void *data;
struct lhash_item_st *next;
- /* hash contains the cached, hash value of |data|. */
+ // hash contains the cached, hash value of |data|.
uint32_t hash;
} LHASH_ITEM;
-/* lhash_cmp_func is a comparison function that returns a value equal, or not
- * equal, to zero depending on whether |*a| is equal, or not equal to |*b|,
- * respectively. Note the difference between this and |stack_cmp_func| in that
- * this takes pointers to the objects directly. */
+// lhash_cmp_func is a comparison function that returns a value equal, or not
+// equal, to zero depending on whether |*a| is equal, or not equal to |*b|,
+// respectively. Note the difference between this and |stack_cmp_func| in that
+// this takes pointers to the objects directly.
typedef int (*lhash_cmp_func)(const void *a, const void *b);
-/* lhash_hash_func is a function that maps an object to a uniformly distributed
- * uint32_t. */
+// lhash_hash_func is a function that maps an object to a uniformly distributed
+// uint32_t.
typedef uint32_t (*lhash_hash_func)(const void *a);
typedef struct lhash_st {
- /* num_items contains the total number of items in the hash table. */
+ // num_items contains the total number of items in the hash table.
size_t num_items;
- /* buckets is an array of |num_buckets| pointers. Each points to the head of
- * a chain of LHASH_ITEM objects that have the same hash value, mod
- * |num_buckets|. */
+ // buckets is an array of |num_buckets| pointers. Each points to the head of
+ // a chain of LHASH_ITEM objects that have the same hash value, mod
+ // |num_buckets|.
LHASH_ITEM **buckets;
- /* num_buckets contains the length of |buckets|. This value is always >=
- * kMinNumBuckets. */
+ // num_buckets contains the length of |buckets|. This value is always >=
+ // kMinNumBuckets.
size_t num_buckets;
- /* callback_depth contains the current depth of |lh_doall| or |lh_doall_arg|
- * calls. If non-zero then this suppresses resizing of the |buckets| array,
- * which would otherwise disrupt the iteration. */
+ // callback_depth contains the current depth of |lh_doall| or |lh_doall_arg|
+ // calls. If non-zero then this suppresses resizing of the |buckets| array,
+ // which would otherwise disrupt the iteration.
unsigned callback_depth;
lhash_cmp_func comp;
lhash_hash_func hash;
} _LHASH;
-/* lh_new returns a new, empty hash table or NULL on error. */
+// lh_new returns a new, empty hash table or NULL on error.
OPENSSL_EXPORT _LHASH *lh_new(lhash_hash_func hash, lhash_cmp_func comp);
-/* lh_free frees the hash table itself but none of the elements. See
- * |lh_doall|. */
+// lh_free frees the hash table itself but none of the elements. See
+// |lh_doall|.
OPENSSL_EXPORT void lh_free(_LHASH *lh);
-/* lh_num_items returns the number of items in |lh|. */
+// lh_num_items returns the number of items in |lh|.
OPENSSL_EXPORT size_t lh_num_items(const _LHASH *lh);
-/* lh_retrieve finds an element equal to |data| in the hash table and returns
- * it. If no such element exists, it returns NULL. */
+// lh_retrieve finds an element equal to |data| in the hash table and returns
+// it. If no such element exists, it returns NULL.
OPENSSL_EXPORT void *lh_retrieve(const _LHASH *lh, const void *data);
-/* lh_insert inserts |data| into the hash table. If an existing element is
- * equal to |data| (with respect to the comparison function) then |*old_data|
- * will be set to that value and it will be replaced. Otherwise, or in the
- * event of an error, |*old_data| will be set to NULL. It returns one on
- * success or zero in the case of an allocation error. */
+// lh_insert inserts |data| into the hash table. If an existing element is
+// equal to |data| (with respect to the comparison function) then |*old_data|
+// will be set to that value and it will be replaced. Otherwise, or in the
+// event of an error, |*old_data| will be set to NULL. It returns one on
+// success or zero in the case of an allocation error.
OPENSSL_EXPORT int lh_insert(_LHASH *lh, void **old_data, void *data);
-/* lh_delete removes an element equal to |data| from the hash table and returns
- * it. If no such element is found, it returns NULL. */
+// lh_delete removes an element equal to |data| from the hash table and returns
+// it. If no such element is found, it returns NULL.
OPENSSL_EXPORT void *lh_delete(_LHASH *lh, const void *data);
-/* lh_doall calls |func| on each element of the hash table.
- * TODO(fork): rename this */
+// lh_doall calls |func| on each element of the hash table.
+// TODO(fork): rename this
OPENSSL_EXPORT void lh_doall(_LHASH *lh, void (*func)(void *));
-/* lh_doall_arg calls |func| on each element of the hash table and also passes
- * |arg| as the second argument.
- * TODO(fork): rename this */
+// lh_doall_arg calls |func| on each element of the hash table and also passes
+// |arg| as the second argument.
+// TODO(fork): rename this
OPENSSL_EXPORT void lh_doall_arg(_LHASH *lh, void (*func)(void *, void *),
void *arg);
-/* lh_strhash is the default hash function which processes NUL-terminated
- * strings. */
+// lh_strhash is the default hash function which processes NUL-terminated
+// strings.
OPENSSL_EXPORT uint32_t lh_strhash(const char *c);
#if defined(__cplusplus)
-} /* extern C */
+} // extern C
#endif
-#endif /* OPENSSL_HEADER_LHASH_H */
+#endif // OPENSSL_HEADER_LHASH_H
diff --git a/src/include/openssl/lhash_macros.h b/src/include/openssl/lhash_macros.h
index ca349a9..378c839 100644
--- a/src/include/openssl/lhash_macros.h
+++ b/src/include/openssl/lhash_macros.h
@@ -16,7 +16,7 @@
#error "Don't include this file directly. Include lhash.h"
#endif
-/* ASN1_OBJECT */
+// ASN1_OBJECT
#define lh_ASN1_OBJECT_new(hash, comp) \
((LHASH_OF(ASN1_OBJECT) *)lh_new( \
CHECKED_CAST(lhash_hash_func, uint32_t(*)(const ASN1_OBJECT *), hash), \
@@ -56,7 +56,7 @@
arg);
-/* CONF_VALUE */
+// CONF_VALUE
#define lh_CONF_VALUE_new(hash, comp) \
((LHASH_OF(CONF_VALUE) *)lh_new( \
CHECKED_CAST(lhash_hash_func, uint32_t(*)(const CONF_VALUE *), hash), \
@@ -94,7 +94,7 @@
arg);
-/* CRYPTO_BUFFER */
+// CRYPTO_BUFFER
#define lh_CRYPTO_BUFFER_new(hash, comp) \
((LHASH_OF(CRYPTO_BUFFER) *)lh_new( \
CHECKED_CAST(lhash_hash_func, uint32_t(*)(const CRYPTO_BUFFER *), hash), \
@@ -134,7 +134,7 @@
arg);
-/* SSL_SESSION */
+// SSL_SESSION
#define lh_SSL_SESSION_new(hash, comp) \
((LHASH_OF(SSL_SESSION) *)lh_new( \
CHECKED_CAST(lhash_hash_func, uint32_t(*)(const SSL_SESSION *), hash), \
diff --git a/src/include/openssl/md4.h b/src/include/openssl/md4.h
index b66fcb0..52b88ca 100644
--- a/src/include/openssl/md4.h
+++ b/src/include/openssl/md4.h
@@ -64,31 +64,31 @@
#endif
-/* MD4. */
+// MD4.
-/* MD4_CBLOCK is the block size of MD4. */
+// MD4_CBLOCK is the block size of MD4.
#define MD4_CBLOCK 64
-/* MD4_DIGEST_LENGTH is the length of an MD4 digest. */
+// MD4_DIGEST_LENGTH is the length of an MD4 digest.
#define MD4_DIGEST_LENGTH 16
-/* MD4_Init initialises |md4| and returns one. */
+// MD4_Init initialises |md4| and returns one.
OPENSSL_EXPORT int MD4_Init(MD4_CTX *md4);
-/* MD4_Update adds |len| bytes from |data| to |md4| and returns one. */
+// MD4_Update adds |len| bytes from |data| to |md4| and returns one.
OPENSSL_EXPORT int MD4_Update(MD4_CTX *md4, const void *data, size_t len);
-/* MD4_Final adds the final padding to |md4| and writes the resulting digest to
- * |md|, which must have at least |MD4_DIGEST_LENGTH| bytes of space. It
- * returns one. */
+// MD4_Final adds the final padding to |md4| and writes the resulting digest to
+// |md|, which must have at least |MD4_DIGEST_LENGTH| bytes of space. It
+// returns one.
OPENSSL_EXPORT int MD4_Final(uint8_t *md, MD4_CTX *md4);
-/* MD4 writes the digest of |len| bytes from |data| to |out| and returns |out|.
- * There must be at least |MD4_DIGEST_LENGTH| bytes of space in |out|. */
+// MD4 writes the digest of |len| bytes from |data| to |out| and returns |out|.
+// There must be at least |MD4_DIGEST_LENGTH| bytes of space in |out|.
OPENSSL_EXPORT uint8_t *MD4(const uint8_t *data, size_t len, uint8_t *out);
-/* MD4_Transform is a low-level function that performs a single, MD4 block
- * transformation using the state from |md4| and 64 bytes from |block|. */
+// MD4_Transform is a low-level function that performs a single, MD4 block
+// transformation using the state from |md4| and 64 bytes from |block|.
OPENSSL_EXPORT void MD4_Transform(MD4_CTX *md4, const uint8_t *block);
struct md4_state_st {
@@ -100,7 +100,7 @@
#if defined(__cplusplus)
-} /* extern C */
+} // extern C
#endif
-#endif /* OPENSSL_HEADER_MD4_H */
+#endif // OPENSSL_HEADER_MD4_H
diff --git a/src/include/openssl/md5.h b/src/include/openssl/md5.h
index 55162f0..de6027f 100644
--- a/src/include/openssl/md5.h
+++ b/src/include/openssl/md5.h
@@ -64,32 +64,32 @@
#endif
-/* MD5. */
+// MD5.
-/* MD5_CBLOCK is the block size of MD5. */
+// MD5_CBLOCK is the block size of MD5.
#define MD5_CBLOCK 64
-/* MD5_DIGEST_LENGTH is the length of an MD5 digest. */
+// MD5_DIGEST_LENGTH is the length of an MD5 digest.
#define MD5_DIGEST_LENGTH 16
-/* MD5_Init initialises |md5| and returns one. */
+// MD5_Init initialises |md5| and returns one.
OPENSSL_EXPORT int MD5_Init(MD5_CTX *md5);
-/* MD5_Update adds |len| bytes from |data| to |md5| and returns one. */
+// MD5_Update adds |len| bytes from |data| to |md5| and returns one.
OPENSSL_EXPORT int MD5_Update(MD5_CTX *md5, const void *data, size_t len);
-/* MD5_Final adds the final padding to |md5| and writes the resulting digest to
- * |md|, which must have at least |MD5_DIGEST_LENGTH| bytes of space. It
- * returns one. */
+// MD5_Final adds the final padding to |md5| and writes the resulting digest to
+// |md|, which must have at least |MD5_DIGEST_LENGTH| bytes of space. It
+// returns one.
OPENSSL_EXPORT int MD5_Final(uint8_t *md, MD5_CTX *md5);
-/* MD5 writes the digest of |len| bytes from |data| to |out| and returns |out|.
- * There must be at least |MD5_DIGEST_LENGTH| bytes of space in |out|. */
+// MD5 writes the digest of |len| bytes from |data| to |out| and returns |out|.
+// There must be at least |MD5_DIGEST_LENGTH| bytes of space in |out|.
OPENSSL_EXPORT uint8_t *MD5(const uint8_t *data, size_t len, uint8_t *out);
-/* MD5_Transform is a low-level function that performs a single, MD5 block
- * transformation using the state from |md5| and 64 bytes from |block|. */
+// MD5_Transform is a low-level function that performs a single, MD5 block
+// transformation using the state from |md5| and 64 bytes from |block|.
OPENSSL_EXPORT void MD5_Transform(MD5_CTX *md5, const uint8_t *block);
struct md5_state_st {
@@ -101,7 +101,7 @@
#if defined(__cplusplus)
-} /* extern C */
+} // extern C
#endif
-#endif /* OPENSSL_HEADER_MD5_H */
+#endif // OPENSSL_HEADER_MD5_H
diff --git a/src/include/openssl/mem.h b/src/include/openssl/mem.h
index c43a16a..92cbb0d 100644
--- a/src/include/openssl/mem.h
+++ b/src/include/openssl/mem.h
@@ -67,67 +67,67 @@
#endif
-/* Memory and string functions, see also buf.h.
- *
- * OpenSSL has, historically, had a complex set of malloc debugging options.
- * However, that was written in a time before Valgrind and ASAN. Since we now
- * have those tools, the OpenSSL allocation functions are simply macros around
- * the standard memory functions. */
+// Memory and string functions, see also buf.h.
+//
+// OpenSSL has, historically, had a complex set of malloc debugging options.
+// However, that was written in a time before Valgrind and ASAN. Since we now
+// have those tools, the OpenSSL allocation functions are simply macros around
+// the standard memory functions.
#define OPENSSL_malloc malloc
#define OPENSSL_realloc realloc
#define OPENSSL_free free
-/* OPENSSL_realloc_clean acts like |realloc|, but clears the previous memory
- * buffer. Because this is implemented as a wrapper around |malloc|, it needs
- * to be given the size of the buffer pointed to by |ptr|. */
+// OPENSSL_realloc_clean acts like |realloc|, but clears the previous memory
+// buffer. Because this is implemented as a wrapper around |malloc|, it needs
+// to be given the size of the buffer pointed to by |ptr|.
void *OPENSSL_realloc_clean(void *ptr, size_t old_size, size_t new_size);
-/* OPENSSL_cleanse zeros out |len| bytes of memory at |ptr|. This is similar to
- * |memset_s| from C11. */
+// OPENSSL_cleanse zeros out |len| bytes of memory at |ptr|. This is similar to
+// |memset_s| from C11.
OPENSSL_EXPORT void OPENSSL_cleanse(void *ptr, size_t len);
-/* CRYPTO_memcmp returns zero iff the |len| bytes at |a| and |b| are equal. It
- * takes an amount of time dependent on |len|, but independent of the contents
- * of |a| and |b|. Unlike memcmp, it cannot be used to put elements into a
- * defined order as the return value when a != b is undefined, other than to be
- * non-zero. */
+// CRYPTO_memcmp returns zero iff the |len| bytes at |a| and |b| are equal. It
+// takes an amount of time dependent on |len|, but independent of the contents
+// of |a| and |b|. Unlike memcmp, it cannot be used to put elements into a
+// defined order as the return value when a != b is undefined, other than to be
+// non-zero.
OPENSSL_EXPORT int CRYPTO_memcmp(const void *a, const void *b, size_t len);
-/* OPENSSL_hash32 implements the 32 bit, FNV-1a hash. */
+// OPENSSL_hash32 implements the 32 bit, FNV-1a hash.
OPENSSL_EXPORT uint32_t OPENSSL_hash32(const void *ptr, size_t len);
-/* OPENSSL_strdup has the same behaviour as strdup(3). */
+// OPENSSL_strdup has the same behaviour as strdup(3).
OPENSSL_EXPORT char *OPENSSL_strdup(const char *s);
-/* OPENSSL_strnlen has the same behaviour as strnlen(3). */
+// OPENSSL_strnlen has the same behaviour as strnlen(3).
OPENSSL_EXPORT size_t OPENSSL_strnlen(const char *s, size_t len);
-/* OPENSSL_tolower is a locale-independent version of tolower(3). */
+// OPENSSL_tolower is a locale-independent version of tolower(3).
OPENSSL_EXPORT int OPENSSL_tolower(int c);
-/* OPENSSL_strcasecmp is a locale-independent version of strcasecmp(3). */
+// OPENSSL_strcasecmp is a locale-independent version of strcasecmp(3).
OPENSSL_EXPORT int OPENSSL_strcasecmp(const char *a, const char *b);
-/* OPENSSL_strncasecmp is a locale-independent version of strncasecmp(3). */
+// OPENSSL_strncasecmp is a locale-independent version of strncasecmp(3).
OPENSSL_EXPORT int OPENSSL_strncasecmp(const char *a, const char *b, size_t n);
-/* DECIMAL_SIZE returns an upper bound for the length of the decimal
- * representation of the given type. */
+// DECIMAL_SIZE returns an upper bound for the length of the decimal
+// representation of the given type.
#define DECIMAL_SIZE(type) ((sizeof(type)*8+2)/3+1)
-/* BIO_snprintf has the same behavior as snprintf(3). */
+// BIO_snprintf has the same behavior as snprintf(3).
OPENSSL_EXPORT int BIO_snprintf(char *buf, size_t n, const char *format, ...)
OPENSSL_PRINTF_FORMAT_FUNC(3, 4);
-/* BIO_vsnprintf has the same behavior as vsnprintf(3). */
+// BIO_vsnprintf has the same behavior as vsnprintf(3).
OPENSSL_EXPORT int BIO_vsnprintf(char *buf, size_t n, const char *format,
va_list args)
OPENSSL_PRINTF_FORMAT_FUNC(3, 0);
-/* Deprecated functions. */
+// Deprecated functions.
#define CRYPTO_malloc OPENSSL_malloc
#define CRYPTO_realloc OPENSSL_realloc
@@ -135,7 +135,7 @@
#if defined(__cplusplus)
-} /* extern C */
+} // extern C
extern "C++" {
@@ -146,8 +146,8 @@
} // namespace bssl
-} /* extern C++ */
+} // extern C++
#endif
-#endif /* OPENSSL_HEADER_MEM_H */
+#endif // OPENSSL_HEADER_MEM_H
diff --git a/src/include/openssl/obj.h b/src/include/openssl/obj.h
index 63cf866..ae1a4ec 100644
--- a/src/include/openssl/obj.h
+++ b/src/include/openssl/obj.h
@@ -67,129 +67,129 @@
#endif
-/* The objects library deals with the registration and indexing of ASN.1 object
- * identifiers. These values are often written as a dotted sequence of numbers,
- * e.g. 1.2.840.113549.1.9.16.3.9.
- *
- * Internally, OpenSSL likes to deal with these values by numbering them with
- * numbers called "nids". OpenSSL has a large, built-in database of common
- * object identifiers and also has both short and long names for them.
- *
- * This library provides functions for translating between object identifiers,
- * nids, short names and long names.
- *
- * The nid values should not be used outside of a single process: they are not
- * stable identifiers. */
+// The objects library deals with the registration and indexing of ASN.1 object
+// identifiers. These values are often written as a dotted sequence of numbers,
+// e.g. 1.2.840.113549.1.9.16.3.9.
+//
+// Internally, OpenSSL likes to deal with these values by numbering them with
+// numbers called "nids". OpenSSL has a large, built-in database of common
+// object identifiers and also has both short and long names for them.
+//
+// This library provides functions for translating between object identifiers,
+// nids, short names and long names.
+//
+// The nid values should not be used outside of a single process: they are not
+// stable identifiers.
-/* Basic operations. */
+// Basic operations.
-/* OBJ_dup returns a duplicate copy of |obj| or NULL on allocation failure. */
+// OBJ_dup returns a duplicate copy of |obj| or NULL on allocation failure.
OPENSSL_EXPORT ASN1_OBJECT *OBJ_dup(const ASN1_OBJECT *obj);
-/* OBJ_cmp returns a value less than, equal to or greater than zero if |a| is
- * less than, equal to or greater than |b|, respectively. */
+// OBJ_cmp returns a value less than, equal to or greater than zero if |a| is
+// less than, equal to or greater than |b|, respectively.
OPENSSL_EXPORT int OBJ_cmp(const ASN1_OBJECT *a, const ASN1_OBJECT *b);
-/* Looking up nids. */
+// Looking up nids.
-/* OBJ_obj2nid returns the nid corresponding to |obj|, or |NID_undef| if no
- * such object is known. */
+// OBJ_obj2nid returns the nid corresponding to |obj|, or |NID_undef| if no
+// such object is known.
OPENSSL_EXPORT int OBJ_obj2nid(const ASN1_OBJECT *obj);
-/* OBJ_cbs2nid returns the nid corresponding to the DER data in |cbs|, or
- * |NID_undef| if no such object is known. */
+// OBJ_cbs2nid returns the nid corresponding to the DER data in |cbs|, or
+// |NID_undef| if no such object is known.
OPENSSL_EXPORT int OBJ_cbs2nid(const CBS *cbs);
-/* OBJ_sn2nid returns the nid corresponding to |short_name|, or |NID_undef| if
- * no such short name is known. */
+// OBJ_sn2nid returns the nid corresponding to |short_name|, or |NID_undef| if
+// no such short name is known.
OPENSSL_EXPORT int OBJ_sn2nid(const char *short_name);
-/* OBJ_ln2nid returns the nid corresponding to |long_name|, or |NID_undef| if
- * no such long name is known. */
+// OBJ_ln2nid returns the nid corresponding to |long_name|, or |NID_undef| if
+// no such long name is known.
OPENSSL_EXPORT int OBJ_ln2nid(const char *long_name);
-/* OBJ_txt2nid returns the nid corresponding to |s|, which may be a short name,
- * long name, or an ASCII string containing a dotted sequence of numbers. It
- * returns the nid or NID_undef if unknown. */
+// OBJ_txt2nid returns the nid corresponding to |s|, which may be a short name,
+// long name, or an ASCII string containing a dotted sequence of numbers. It
+// returns the nid or NID_undef if unknown.
OPENSSL_EXPORT int OBJ_txt2nid(const char *s);
-/* Getting information about nids. */
+// Getting information about nids.
-/* OBJ_nid2obj returns the ASN1_OBJECT corresponding to |nid|, or NULL if |nid|
- * is unknown. */
+// OBJ_nid2obj returns the ASN1_OBJECT corresponding to |nid|, or NULL if |nid|
+// is unknown.
OPENSSL_EXPORT const ASN1_OBJECT *OBJ_nid2obj(int nid);
-/* OBJ_nid2sn returns the short name for |nid|, or NULL if |nid| is unknown. */
+// OBJ_nid2sn returns the short name for |nid|, or NULL if |nid| is unknown.
OPENSSL_EXPORT const char *OBJ_nid2sn(int nid);
-/* OBJ_nid2ln returns the long name for |nid|, or NULL if |nid| is unknown. */
+// OBJ_nid2ln returns the long name for |nid|, or NULL if |nid| is unknown.
OPENSSL_EXPORT const char *OBJ_nid2ln(int nid);
-/* OBJ_nid2cbb writes |nid| as an ASN.1 OBJECT IDENTIFIER to |out|. It returns
- * one on success or zero otherwise. */
+// OBJ_nid2cbb writes |nid| as an ASN.1 OBJECT IDENTIFIER to |out|. It returns
+// one on success or zero otherwise.
OPENSSL_EXPORT int OBJ_nid2cbb(CBB *out, int nid);
-/* Dealing with textual representations of object identifiers. */
+// Dealing with textual representations of object identifiers.
-/* OBJ_txt2obj returns an ASN1_OBJECT for the textual representation in |s|.
- * If |dont_search_names| is zero, then |s| will be matched against the long
- * and short names of a known objects to find a match. Otherwise |s| must
- * contain an ASCII string with a dotted sequence of numbers. The resulting
- * object need not be previously known. It returns a freshly allocated
- * |ASN1_OBJECT| or NULL on error. */
+// OBJ_txt2obj returns an ASN1_OBJECT for the textual representation in |s|.
+// If |dont_search_names| is zero, then |s| will be matched against the long
+// and short names of a known objects to find a match. Otherwise |s| must
+// contain an ASCII string with a dotted sequence of numbers. The resulting
+// object need not be previously known. It returns a freshly allocated
+// |ASN1_OBJECT| or NULL on error.
OPENSSL_EXPORT ASN1_OBJECT *OBJ_txt2obj(const char *s, int dont_search_names);
-/* OBJ_obj2txt converts |obj| to a textual representation. If
- * |always_return_oid| is zero then |obj| will be matched against known objects
- * and the long (preferably) or short name will be used if found. Otherwise
- * |obj| will be converted into a dotted sequence of integers. If |out| is not
- * NULL, then at most |out_len| bytes of the textual form will be written
- * there. If |out_len| is at least one, then string written to |out| will
- * always be NUL terminated. It returns the number of characters that could
- * have been written, not including the final NUL, or -1 on error. */
+// OBJ_obj2txt converts |obj| to a textual representation. If
+// |always_return_oid| is zero then |obj| will be matched against known objects
+// and the long (preferably) or short name will be used if found. Otherwise
+// |obj| will be converted into a dotted sequence of integers. If |out| is not
+// NULL, then at most |out_len| bytes of the textual form will be written
+// there. If |out_len| is at least one, then string written to |out| will
+// always be NUL terminated. It returns the number of characters that could
+// have been written, not including the final NUL, or -1 on error.
OPENSSL_EXPORT int OBJ_obj2txt(char *out, int out_len, const ASN1_OBJECT *obj,
int always_return_oid);
-/* Adding objects at runtime. */
+// Adding objects at runtime.
-/* OBJ_create adds a known object and returns the nid of the new object, or
- * NID_undef on error. */
+// OBJ_create adds a known object and returns the nid of the new object, or
+// NID_undef on error.
OPENSSL_EXPORT int OBJ_create(const char *oid, const char *short_name,
const char *long_name);
-/* Handling signature algorithm identifiers.
- *
- * Some NIDs (e.g. sha256WithRSAEncryption) specify both a digest algorithm and
- * a public key algorithm. The following functions map between pairs of digest
- * and public-key algorithms and the NIDs that specify their combination.
- *
- * Sometimes the combination NID leaves the digest unspecified (e.g.
- * rsassaPss). In these cases, the digest NID is |NID_undef|. */
+// Handling signature algorithm identifiers.
+//
+// Some NIDs (e.g. sha256WithRSAEncryption) specify both a digest algorithm and
+// a public key algorithm. The following functions map between pairs of digest
+// and public-key algorithms and the NIDs that specify their combination.
+//
+// Sometimes the combination NID leaves the digest unspecified (e.g.
+// rsassaPss). In these cases, the digest NID is |NID_undef|.
-/* OBJ_find_sigid_algs finds the digest and public-key NIDs that correspond to
- * the signing algorithm |sign_nid|. If successful, it sets |*out_digest_nid|
- * and |*out_pkey_nid| and returns one. Otherwise it returns zero. Any of
- * |out_digest_nid| or |out_pkey_nid| can be NULL if the caller doesn't need
- * that output value. */
+// OBJ_find_sigid_algs finds the digest and public-key NIDs that correspond to
+// the signing algorithm |sign_nid|. If successful, it sets |*out_digest_nid|
+// and |*out_pkey_nid| and returns one. Otherwise it returns zero. Any of
+// |out_digest_nid| or |out_pkey_nid| can be NULL if the caller doesn't need
+// that output value.
OPENSSL_EXPORT int OBJ_find_sigid_algs(int sign_nid, int *out_digest_nid,
int *out_pkey_nid);
-/* OBJ_find_sigid_by_algs finds the signature NID that corresponds to the
- * combination of |digest_nid| and |pkey_nid|. If success, it sets
- * |*out_sign_nid| and returns one. Otherwise it returns zero. The
- * |out_sign_nid| argument can be NULL if the caller only wishes to learn
- * whether the combination is valid. */
+// OBJ_find_sigid_by_algs finds the signature NID that corresponds to the
+// combination of |digest_nid| and |pkey_nid|. If success, it sets
+// |*out_sign_nid| and returns one. Otherwise it returns zero. The
+// |out_sign_nid| argument can be NULL if the caller only wishes to learn
+// whether the combination is valid.
OPENSSL_EXPORT int OBJ_find_sigid_by_algs(int *out_sign_nid, int digest_nid,
int pkey_nid);
-/* Deprecated functions. */
+// Deprecated functions.
typedef struct obj_name_st {
int type;
@@ -201,26 +201,26 @@
#define OBJ_NAME_TYPE_MD_METH 1
#define OBJ_NAME_TYPE_CIPHER_METH 2
-/* OBJ_NAME_do_all_sorted calls |callback| zero or more times, each time with
- * the name of a different primitive. If |type| is |OBJ_NAME_TYPE_MD_METH| then
- * the primitives will be hash functions, alternatively if |type| is
- * |OBJ_NAME_TYPE_CIPHER_METH| then the primitives will be ciphers or cipher
- * modes.
- *
- * This function is ill-specified and should never be used. */
+// OBJ_NAME_do_all_sorted calls |callback| zero or more times, each time with
+// the name of a different primitive. If |type| is |OBJ_NAME_TYPE_MD_METH| then
+// the primitives will be hash functions, alternatively if |type| is
+// |OBJ_NAME_TYPE_CIPHER_METH| then the primitives will be ciphers or cipher
+// modes.
+//
+// This function is ill-specified and should never be used.
OPENSSL_EXPORT void OBJ_NAME_do_all_sorted(
int type, void (*callback)(const OBJ_NAME *, void *arg), void *arg);
-/* OBJ_NAME_do_all calls |OBJ_NAME_do_all_sorted|. */
+// OBJ_NAME_do_all calls |OBJ_NAME_do_all_sorted|.
OPENSSL_EXPORT void OBJ_NAME_do_all(int type, void (*callback)(const OBJ_NAME *,
void *arg),
void *arg);
#if defined(__cplusplus)
-} /* extern C */
+} // extern C
#endif
#define OBJ_R_UNKNOWN_NID 100
-#endif /* OPENSSL_HEADER_OBJ_H */
+#endif // OPENSSL_HEADER_OBJ_H
diff --git a/src/include/openssl/opensslconf.h b/src/include/openssl/opensslconf.h
index deff101..db409d9 100644
--- a/src/include/openssl/opensslconf.h
+++ b/src/include/openssl/opensslconf.h
@@ -59,4 +59,4 @@
#define OPENSSL_NO_WHIRLPOOL
-#endif /* OPENSSL_HEADER_OPENSSLCONF_H */
+#endif // OPENSSL_HEADER_OPENSSLCONF_H
diff --git a/src/include/openssl/pkcs7.h b/src/include/openssl/pkcs7.h
index eaba29e..d708141 100644
--- a/src/include/openssl/pkcs7.h
+++ b/src/include/openssl/pkcs7.h
@@ -24,54 +24,54 @@
#endif
-/* PKCS#7.
- *
- * This library contains functions for extracting information from PKCS#7
- * structures (RFC 2315). */
+// PKCS#7.
+//
+// This library contains functions for extracting information from PKCS#7
+// structures (RFC 2315).
DECLARE_STACK_OF(CRYPTO_BUFFER)
DECLARE_STACK_OF(X509)
DECLARE_STACK_OF(X509_CRL)
-/* PKCS7_get_raw_certificates parses a PKCS#7, SignedData structure from |cbs|
- * and appends the included certificates to |out_certs|. It returns one on
- * success and zero on error. */
+// PKCS7_get_raw_certificates parses a PKCS#7, SignedData structure from |cbs|
+// and appends the included certificates to |out_certs|. It returns one on
+// success and zero on error.
OPENSSL_EXPORT int PKCS7_get_raw_certificates(
STACK_OF(CRYPTO_BUFFER) *out_certs, CBS *cbs, CRYPTO_BUFFER_POOL *pool);
-/* PKCS7_get_certificates behaves like |PKCS7_get_raw_certificates| but parses
- * them into |X509| objects. */
+// PKCS7_get_certificates behaves like |PKCS7_get_raw_certificates| but parses
+// them into |X509| objects.
OPENSSL_EXPORT int PKCS7_get_certificates(STACK_OF(X509) *out_certs, CBS *cbs);
-/* PKCS7_bundle_certificates appends a PKCS#7, SignedData structure containing
- * |certs| to |out|. It returns one on success and zero on error. */
+// PKCS7_bundle_certificates appends a PKCS#7, SignedData structure containing
+// |certs| to |out|. It returns one on success and zero on error.
OPENSSL_EXPORT int PKCS7_bundle_certificates(
CBB *out, const STACK_OF(X509) *certs);
-/* PKCS7_get_CRLs parses a PKCS#7, SignedData structure from |cbs| and appends
- * the included CRLs to |out_crls|. It returns one on success and zero on
- * error. */
+// PKCS7_get_CRLs parses a PKCS#7, SignedData structure from |cbs| and appends
+// the included CRLs to |out_crls|. It returns one on success and zero on
+// error.
OPENSSL_EXPORT int PKCS7_get_CRLs(STACK_OF(X509_CRL) *out_crls, CBS *cbs);
-/* PKCS7_bundle_CRLs appends a PKCS#7, SignedData structure containing
- * |crls| to |out|. It returns one on success and zero on error. */
+// PKCS7_bundle_CRLs appends a PKCS#7, SignedData structure containing
+// |crls| to |out|. It returns one on success and zero on error.
OPENSSL_EXPORT int PKCS7_bundle_CRLs(CBB *out, const STACK_OF(X509_CRL) *crls);
-/* PKCS7_get_PEM_certificates reads a PEM-encoded, PKCS#7, SignedData structure
- * from |pem_bio| and appends the included certificates to |out_certs|. It
- * returns one on success and zero on error. */
+// PKCS7_get_PEM_certificates reads a PEM-encoded, PKCS#7, SignedData structure
+// from |pem_bio| and appends the included certificates to |out_certs|. It
+// returns one on success and zero on error.
OPENSSL_EXPORT int PKCS7_get_PEM_certificates(STACK_OF(X509) *out_certs,
BIO *pem_bio);
-/* PKCS7_get_PEM_CRLs reads a PEM-encoded, PKCS#7, SignedData structure from
- * |pem_bio| and appends the included CRLs to |out_crls|. It returns one on
- * success and zero on error. */
+// PKCS7_get_PEM_CRLs reads a PEM-encoded, PKCS#7, SignedData structure from
+// |pem_bio| and appends the included CRLs to |out_crls|. It returns one on
+// success and zero on error.
OPENSSL_EXPORT int PKCS7_get_PEM_CRLs(STACK_OF(X509_CRL) *out_crls,
BIO *pem_bio);
#if defined(__cplusplus)
-} /* extern C */
+} // extern C
#endif
#define PKCS7_R_BAD_PKCS7_VERSION 100
@@ -79,4 +79,4 @@
#define PKCS7_R_NO_CERTIFICATES_INCLUDED 102
#define PKCS7_R_NO_CRLS_INCLUDED 103
-#endif /* OPENSSL_HEADER_PKCS7_H */
+#endif // OPENSSL_HEADER_PKCS7_H
diff --git a/src/include/openssl/pkcs8.h b/src/include/openssl/pkcs8.h
index d30ea8e..f865c76 100644
--- a/src/include/openssl/pkcs8.h
+++ b/src/include/openssl/pkcs8.h
@@ -66,121 +66,121 @@
#endif
-/* PKCS8_encrypt serializes and encrypts a PKCS8_PRIV_KEY_INFO with PBES1 or
- * PBES2 as defined in PKCS #5. Only pbeWithSHAAnd128BitRC4,
- * pbeWithSHAAnd3-KeyTripleDES-CBC and pbeWithSHA1And40BitRC2, defined in PKCS
- * #12, and PBES2, are supported. PBES2 is selected by setting |cipher| and
- * passing -1 for |pbe_nid|. Otherwise, PBES1 is used and |cipher| is ignored.
- *
- * |pass| is used as the password. If a PBES1 scheme from PKCS #12 is used, this
- * will be converted to a raw byte string as specified in B.1 of PKCS #12. If
- * |pass| is NULL, it will be encoded as the empty byte string rather than two
- * zero bytes, the PKCS #12 encoding of the empty string.
- *
- * If |salt| is NULL, a random salt of |salt_len| bytes is generated. If
- * |salt_len| is zero, a default salt length is used instead.
- *
- * The resulting structure is stored in an |X509_SIG| which must be freed by the
- * caller. */
+// PKCS8_encrypt serializes and encrypts a PKCS8_PRIV_KEY_INFO with PBES1 or
+// PBES2 as defined in PKCS #5. Only pbeWithSHAAnd128BitRC4,
+// pbeWithSHAAnd3-KeyTripleDES-CBC and pbeWithSHA1And40BitRC2, defined in PKCS
+// #12, and PBES2, are supported. PBES2 is selected by setting |cipher| and
+// passing -1 for |pbe_nid|. Otherwise, PBES1 is used and |cipher| is ignored.
+//
+// |pass| is used as the password. If a PBES1 scheme from PKCS #12 is used, this
+// will be converted to a raw byte string as specified in B.1 of PKCS #12. If
+// |pass| is NULL, it will be encoded as the empty byte string rather than two
+// zero bytes, the PKCS #12 encoding of the empty string.
+//
+// If |salt| is NULL, a random salt of |salt_len| bytes is generated. If
+// |salt_len| is zero, a default salt length is used instead.
+//
+// The resulting structure is stored in an |X509_SIG| which must be freed by the
+// caller.
OPENSSL_EXPORT X509_SIG *PKCS8_encrypt(int pbe_nid, const EVP_CIPHER *cipher,
const char *pass, int pass_len,
const uint8_t *salt, size_t salt_len,
int iterations,
PKCS8_PRIV_KEY_INFO *p8inf);
-/* PKCS8_marshal_encrypted_private_key behaves like |PKCS8_encrypt| but encrypts
- * an |EVP_PKEY| and writes the serialized EncryptedPrivateKeyInfo to |out|. It
- * returns one on success and zero on error. */
+// PKCS8_marshal_encrypted_private_key behaves like |PKCS8_encrypt| but encrypts
+// an |EVP_PKEY| and writes the serialized EncryptedPrivateKeyInfo to |out|. It
+// returns one on success and zero on error.
OPENSSL_EXPORT int PKCS8_marshal_encrypted_private_key(
CBB *out, int pbe_nid, const EVP_CIPHER *cipher, const char *pass,
size_t pass_len, const uint8_t *salt, size_t salt_len, int iterations,
const EVP_PKEY *pkey);
-/* PKCS8_decrypt decrypts and decodes a PKCS8_PRIV_KEY_INFO with PBES1 or PBES2
- * as defined in PKCS #5. Only pbeWithSHAAnd128BitRC4,
- * pbeWithSHAAnd3-KeyTripleDES-CBC and pbeWithSHA1And40BitRC2, and PBES2,
- * defined in PKCS #12, are supported.
- *
- * |pass| is used as the password. If a PBES1 scheme from PKCS #12 is used, this
- * will be converted to a raw byte string as specified in B.1 of PKCS #12. If
- * |pass| is NULL, it will be encoded as the empty byte string rather than two
- * zero bytes, the PKCS #12 encoding of the empty string.
- *
- * The resulting structure must be freed by the caller. */
+// PKCS8_decrypt decrypts and decodes a PKCS8_PRIV_KEY_INFO with PBES1 or PBES2
+// as defined in PKCS #5. Only pbeWithSHAAnd128BitRC4,
+// pbeWithSHAAnd3-KeyTripleDES-CBC and pbeWithSHA1And40BitRC2, and PBES2,
+// defined in PKCS #12, are supported.
+//
+// |pass| is used as the password. If a PBES1 scheme from PKCS #12 is used, this
+// will be converted to a raw byte string as specified in B.1 of PKCS #12. If
+// |pass| is NULL, it will be encoded as the empty byte string rather than two
+// zero bytes, the PKCS #12 encoding of the empty string.
+//
+// The resulting structure must be freed by the caller.
OPENSSL_EXPORT PKCS8_PRIV_KEY_INFO *PKCS8_decrypt(X509_SIG *pkcs8,
const char *pass,
int pass_len);
-/* PKCS8_parse_encrypted_private_key behaves like |PKCS8_decrypt| but it parses
- * the EncryptedPrivateKeyInfo structure from |cbs| and advances |cbs|. It
- * returns a newly-allocated |EVP_PKEY| on success and zero on error. */
+// PKCS8_parse_encrypted_private_key behaves like |PKCS8_decrypt| but it parses
+// the EncryptedPrivateKeyInfo structure from |cbs| and advances |cbs|. It
+// returns a newly-allocated |EVP_PKEY| on success and zero on error.
OPENSSL_EXPORT EVP_PKEY *PKCS8_parse_encrypted_private_key(CBS *cbs,
const char *pass,
size_t pass_len);
-/* PKCS12_get_key_and_certs parses a PKCS#12 structure from |in|, authenticates
- * and decrypts it using |password|, sets |*out_key| to the included private
- * key and appends the included certificates to |out_certs|. It returns one on
- * success and zero on error. The caller takes ownership of the outputs. */
+// PKCS12_get_key_and_certs parses a PKCS#12 structure from |in|, authenticates
+// and decrypts it using |password|, sets |*out_key| to the included private
+// key and appends the included certificates to |out_certs|. It returns one on
+// success and zero on error. The caller takes ownership of the outputs.
OPENSSL_EXPORT int PKCS12_get_key_and_certs(EVP_PKEY **out_key,
STACK_OF(X509) *out_certs,
CBS *in, const char *password);
-/* Deprecated functions. */
+// Deprecated functions.
-/* PKCS12_PBE_add does nothing. It exists for compatibility with OpenSSL. */
+// PKCS12_PBE_add does nothing. It exists for compatibility with OpenSSL.
OPENSSL_EXPORT void PKCS12_PBE_add(void);
-/* d2i_PKCS12 is a dummy function that copies |*ber_bytes| into a
- * |PKCS12| structure. The |out_p12| argument should be NULL(✝). On exit,
- * |*ber_bytes| will be advanced by |ber_len|. It returns a fresh |PKCS12|
- * structure or NULL on error.
- *
- * Note: unlike other d2i functions, |d2i_PKCS12| will always consume |ber_len|
- * bytes.
- *
- * (✝) If |out_p12| is not NULL and the function is successful, |*out_p12| will
- * be freed if not NULL itself and the result will be written to |*out_p12|.
- * New code should not depend on this. */
+// d2i_PKCS12 is a dummy function that copies |*ber_bytes| into a
+// |PKCS12| structure. The |out_p12| argument should be NULL(✝). On exit,
+// |*ber_bytes| will be advanced by |ber_len|. It returns a fresh |PKCS12|
+// structure or NULL on error.
+//
+// Note: unlike other d2i functions, |d2i_PKCS12| will always consume |ber_len|
+// bytes.
+//
+// (✝) If |out_p12| is not NULL and the function is successful, |*out_p12| will
+// be freed if not NULL itself and the result will be written to |*out_p12|.
+// New code should not depend on this.
OPENSSL_EXPORT PKCS12 *d2i_PKCS12(PKCS12 **out_p12, const uint8_t **ber_bytes,
size_t ber_len);
-/* d2i_PKCS12_bio acts like |d2i_PKCS12| but reads from a |BIO|. */
+// d2i_PKCS12_bio acts like |d2i_PKCS12| but reads from a |BIO|.
OPENSSL_EXPORT PKCS12* d2i_PKCS12_bio(BIO *bio, PKCS12 **out_p12);
-/* d2i_PKCS12_fp acts like |d2i_PKCS12| but reads from a |FILE|. */
+// d2i_PKCS12_fp acts like |d2i_PKCS12| but reads from a |FILE|.
OPENSSL_EXPORT PKCS12* d2i_PKCS12_fp(FILE *fp, PKCS12 **out_p12);
-/* PKCS12_parse calls |PKCS12_get_key_and_certs| on the ASN.1 data stored in
- * |p12|. The |out_pkey| and |out_cert| arguments must not be NULL and, on
- * successful exit, the private key and first certificate will be stored in
- * them. The |out_ca_certs| argument may be NULL but, if not, then any extra
- * certificates will be appended to |*out_ca_certs|. If |*out_ca_certs| is NULL
- * then it will be set to a freshly allocated stack containing the extra certs.
- *
- * It returns one on success and zero on error. */
+// PKCS12_parse calls |PKCS12_get_key_and_certs| on the ASN.1 data stored in
+// |p12|. The |out_pkey| and |out_cert| arguments must not be NULL and, on
+// successful exit, the private key and first certificate will be stored in
+// them. The |out_ca_certs| argument may be NULL but, if not, then any extra
+// certificates will be appended to |*out_ca_certs|. If |*out_ca_certs| is NULL
+// then it will be set to a freshly allocated stack containing the extra certs.
+//
+// It returns one on success and zero on error.
OPENSSL_EXPORT int PKCS12_parse(const PKCS12 *p12, const char *password,
EVP_PKEY **out_pkey, X509 **out_cert,
STACK_OF(X509) **out_ca_certs);
-/* PKCS12_verify_mac returns one if |password| is a valid password for |p12|
- * and zero otherwise. Since |PKCS12_parse| doesn't take a length parameter,
- * it's not actually possible to use a non-NUL-terminated password to actually
- * get anything from a |PKCS12|. Thus |password| and |password_len| may be
- * |NULL| and zero, respectively, or else |password_len| may be -1, or else
- * |password[password_len]| must be zero and no other NUL bytes may appear in
- * |password|. If the |password_len| checks fail, zero is returned
- * immediately. */
+// PKCS12_verify_mac returns one if |password| is a valid password for |p12|
+// and zero otherwise. Since |PKCS12_parse| doesn't take a length parameter,
+// it's not actually possible to use a non-NUL-terminated password to actually
+// get anything from a |PKCS12|. Thus |password| and |password_len| may be
+// |NULL| and zero, respectively, or else |password_len| may be -1, or else
+// |password[password_len]| must be zero and no other NUL bytes may appear in
+// |password|. If the |password_len| checks fail, zero is returned
+// immediately.
OPENSSL_EXPORT int PKCS12_verify_mac(const PKCS12 *p12, const char *password,
int password_len);
-/* PKCS12_free frees |p12| and its contents. */
+// PKCS12_free frees |p12| and its contents.
OPENSSL_EXPORT void PKCS12_free(PKCS12 *p12);
#if defined(__cplusplus)
-} /* extern C */
+} // extern C
extern "C++" {
@@ -191,7 +191,7 @@
} // namespace bssl
-} /* extern C++ */
+} // extern C++
#endif
@@ -227,4 +227,4 @@
#define PKCS8_R_BAD_ITERATION_COUNT 129
#define PKCS8_R_UNSUPPORTED_PRF 130
-#endif /* OPENSSL_HEADER_PKCS8_H */
+#endif // OPENSSL_HEADER_PKCS8_H
diff --git a/src/include/openssl/poly1305.h b/src/include/openssl/poly1305.h
index b4e23e2..cefe2b1 100644
--- a/src/include/openssl/poly1305.h
+++ b/src/include/openssl/poly1305.h
@@ -24,28 +24,28 @@
typedef uint8_t poly1305_state[512];
-/* CRYPTO_poly1305_init sets up |state| so that it can be used to calculate an
- * authentication tag with the one-time key |key|. Note that |key| is a
- * one-time key and therefore there is no `reset' method because that would
- * enable several messages to be authenticated with the same key. */
+// CRYPTO_poly1305_init sets up |state| so that it can be used to calculate an
+// authentication tag with the one-time key |key|. Note that |key| is a
+// one-time key and therefore there is no `reset' method because that would
+// enable several messages to be authenticated with the same key.
OPENSSL_EXPORT void CRYPTO_poly1305_init(poly1305_state* state,
const uint8_t key[32]);
-/* CRYPTO_poly1305_update processes |in_len| bytes from |in|. It can be called
- * zero or more times after poly1305_init. */
+// CRYPTO_poly1305_update processes |in_len| bytes from |in|. It can be called
+// zero or more times after poly1305_init.
OPENSSL_EXPORT void CRYPTO_poly1305_update(poly1305_state* state,
const uint8_t* in,
size_t in_len);
-/* CRYPTO_poly1305_finish completes the poly1305 calculation and writes a 16
- * byte authentication tag to |mac|. The |mac| address must be 16-byte
- * aligned. */
+// CRYPTO_poly1305_finish completes the poly1305 calculation and writes a 16
+// byte authentication tag to |mac|. The |mac| address must be 16-byte
+// aligned.
OPENSSL_EXPORT void CRYPTO_poly1305_finish(poly1305_state* state,
uint8_t mac[16]);
#if defined(__cplusplus)
-} /* extern C */
+} // extern C
#endif
-#endif /* OPENSSL_HEADER_POLY1305_H */
+#endif // OPENSSL_HEADER_POLY1305_H
diff --git a/src/include/openssl/pool.h b/src/include/openssl/pool.h
index 8a07af5..373952f 100644
--- a/src/include/openssl/pool.h
+++ b/src/include/openssl/pool.h
@@ -24,56 +24,56 @@
#endif
-/* Buffers and buffer pools.
- *
- * |CRYPTO_BUFFER|s are simply reference-counted blobs. A |CRYPTO_BUFFER_POOL|
- * is an intern table for |CRYPTO_BUFFER|s. This allows for a single copy of a
- * given blob to be kept in memory and referenced from multiple places. */
+// Buffers and buffer pools.
+//
+// |CRYPTO_BUFFER|s are simply reference-counted blobs. A |CRYPTO_BUFFER_POOL|
+// is an intern table for |CRYPTO_BUFFER|s. This allows for a single copy of a
+// given blob to be kept in memory and referenced from multiple places.
DEFINE_STACK_OF(CRYPTO_BUFFER)
-/* CRYPTO_BUFFER_POOL_new returns a freshly allocated |CRYPTO_BUFFER_POOL| or
- * NULL on error. */
+// CRYPTO_BUFFER_POOL_new returns a freshly allocated |CRYPTO_BUFFER_POOL| or
+// NULL on error.
OPENSSL_EXPORT CRYPTO_BUFFER_POOL* CRYPTO_BUFFER_POOL_new(void);
-/* CRYPTO_BUFFER_POOL_free frees |pool|, which must be empty. */
+// CRYPTO_BUFFER_POOL_free frees |pool|, which must be empty.
OPENSSL_EXPORT void CRYPTO_BUFFER_POOL_free(CRYPTO_BUFFER_POOL *pool);
-/* CRYPTO_BUFFER_new returns a |CRYPTO_BUFFER| containing a copy of |data|, or
- * else NULL on error. If |pool| is not NULL then the returned value may be a
- * reference to a previously existing |CRYPTO_BUFFER| that contained the same
- * data. Otherwise, the returned, fresh |CRYPTO_BUFFER| will be added to the
- * pool. */
+// CRYPTO_BUFFER_new returns a |CRYPTO_BUFFER| containing a copy of |data|, or
+// else NULL on error. If |pool| is not NULL then the returned value may be a
+// reference to a previously existing |CRYPTO_BUFFER| that contained the same
+// data. Otherwise, the returned, fresh |CRYPTO_BUFFER| will be added to the
+// pool.
OPENSSL_EXPORT CRYPTO_BUFFER *CRYPTO_BUFFER_new(const uint8_t *data, size_t len,
CRYPTO_BUFFER_POOL *pool);
-/* CRYPTO_BUFFER_new_from_CBS acts the same as |CRYPTO_BUFFER_new|. */
+// CRYPTO_BUFFER_new_from_CBS acts the same as |CRYPTO_BUFFER_new|.
OPENSSL_EXPORT CRYPTO_BUFFER *CRYPTO_BUFFER_new_from_CBS(
CBS *cbs, CRYPTO_BUFFER_POOL *pool);
-/* CRYPTO_BUFFER_free decrements the reference count of |buf|. If there are no
- * other references, or if the only remaining reference is from a pool, then
- * |buf| will be freed. */
+// CRYPTO_BUFFER_free decrements the reference count of |buf|. If there are no
+// other references, or if the only remaining reference is from a pool, then
+// |buf| will be freed.
OPENSSL_EXPORT void CRYPTO_BUFFER_free(CRYPTO_BUFFER *buf);
-/* CRYPTO_BUFFER_up_ref increments the reference count of |buf| and returns
- * one. */
+// CRYPTO_BUFFER_up_ref increments the reference count of |buf| and returns
+// one.
OPENSSL_EXPORT int CRYPTO_BUFFER_up_ref(CRYPTO_BUFFER *buf);
-/* CRYPTO_BUFFER_data returns a pointer to the data contained in |buf|. */
+// CRYPTO_BUFFER_data returns a pointer to the data contained in |buf|.
OPENSSL_EXPORT const uint8_t *CRYPTO_BUFFER_data(const CRYPTO_BUFFER *buf);
-/* CRYPTO_BUFFER_len returns the length, in bytes, of the data contained in
- * |buf|. */
+// CRYPTO_BUFFER_len returns the length, in bytes, of the data contained in
+// |buf|.
OPENSSL_EXPORT size_t CRYPTO_BUFFER_len(const CRYPTO_BUFFER *buf);
-/* CRYPTO_BUFFER_init_CBS initialises |out| to point at the data from |buf|. */
+// CRYPTO_BUFFER_init_CBS initialises |out| to point at the data from |buf|.
OPENSSL_EXPORT void CRYPTO_BUFFER_init_CBS(const CRYPTO_BUFFER *buf, CBS *out);
#if defined(__cplusplus)
-} /* extern C */
+} // extern C
extern "C++" {
@@ -84,7 +84,7 @@
} // namespace bssl
-} /* extern C++ */
+} // extern C++
#endif
diff --git a/src/include/openssl/rand.h b/src/include/openssl/rand.h
index a535fbd..5d02e12 100644
--- a/src/include/openssl/rand.h
+++ b/src/include/openssl/rand.h
@@ -22,83 +22,83 @@
#endif
-/* Random number generation. */
+// Random number generation.
-/* RAND_bytes writes |len| bytes of random data to |buf| and returns one. */
+// RAND_bytes writes |len| bytes of random data to |buf| and returns one.
OPENSSL_EXPORT int RAND_bytes(uint8_t *buf, size_t len);
-/* RAND_cleanup frees any resources used by the RNG. This is not safe if other
- * threads might still be calling |RAND_bytes|. */
+// RAND_cleanup frees any resources used by the RNG. This is not safe if other
+// threads might still be calling |RAND_bytes|.
OPENSSL_EXPORT void RAND_cleanup(void);
-/* Obscure functions. */
+// Obscure functions.
#if !defined(OPENSSL_WINDOWS)
-/* RAND_set_urandom_fd causes the module to use a copy of |fd| for system
- * randomness rather opening /dev/urandom internally. The caller retains
- * ownership of |fd| and is at liberty to close it at any time. This is useful
- * if, due to a sandbox, /dev/urandom isn't available. If used, it must be
- * called before the first call to |RAND_bytes|, and it is mutually exclusive
- * with |RAND_enable_fork_unsafe_buffering|.
- *
- * |RAND_set_urandom_fd| does not buffer any entropy, so it is safe to call
- * |fork| at any time after calling |RAND_set_urandom_fd|. */
+// RAND_set_urandom_fd causes the module to use a copy of |fd| for system
+// randomness rather opening /dev/urandom internally. The caller retains
+// ownership of |fd| and is at liberty to close it at any time. This is useful
+// if, due to a sandbox, /dev/urandom isn't available. If used, it must be
+// called before the first call to |RAND_bytes|, and it is mutually exclusive
+// with |RAND_enable_fork_unsafe_buffering|.
+//
+// |RAND_set_urandom_fd| does not buffer any entropy, so it is safe to call
+// |fork| at any time after calling |RAND_set_urandom_fd|.
OPENSSL_EXPORT void RAND_set_urandom_fd(int fd);
-/* RAND_enable_fork_unsafe_buffering enables efficient buffered reading of
- * /dev/urandom. It adds an overhead of a few KB of memory per thread. It must
- * be called before the first call to |RAND_bytes| and it is mutually exclusive
- * with calls to |RAND_set_urandom_fd|.
- *
- * If |fd| is non-negative then a copy of |fd| will be used rather than opening
- * /dev/urandom internally. Like |RAND_set_urandom_fd|, the caller retains
- * ownership of |fd|. If |fd| is negative then /dev/urandom will be opened and
- * any error from open(2) crashes the address space.
- *
- * It has an unusual name because the buffer is unsafe across calls to |fork|.
- * Hence, this function should never be called by libraries. */
+// RAND_enable_fork_unsafe_buffering enables efficient buffered reading of
+// /dev/urandom. It adds an overhead of a few KB of memory per thread. It must
+// be called before the first call to |RAND_bytes| and it is mutually exclusive
+// with calls to |RAND_set_urandom_fd|.
+//
+// If |fd| is non-negative then a copy of |fd| will be used rather than opening
+// /dev/urandom internally. Like |RAND_set_urandom_fd|, the caller retains
+// ownership of |fd|. If |fd| is negative then /dev/urandom will be opened and
+// any error from open(2) crashes the address space.
+//
+// It has an unusual name because the buffer is unsafe across calls to |fork|.
+// Hence, this function should never be called by libraries.
OPENSSL_EXPORT void RAND_enable_fork_unsafe_buffering(int fd);
#endif
#if defined(BORINGSSL_UNSAFE_DETERMINISTIC_MODE)
-/* RAND_reset_for_fuzzing resets the fuzzer-only deterministic RNG. This
- * function is only defined in the fuzzer-only build configuration. */
+// RAND_reset_for_fuzzing resets the fuzzer-only deterministic RNG. This
+// function is only defined in the fuzzer-only build configuration.
OPENSSL_EXPORT void RAND_reset_for_fuzzing(void);
#endif
-/* Deprecated functions */
+// Deprecated functions
-/* RAND_pseudo_bytes is a wrapper around |RAND_bytes|. */
+// RAND_pseudo_bytes is a wrapper around |RAND_bytes|.
OPENSSL_EXPORT int RAND_pseudo_bytes(uint8_t *buf, size_t len);
-/* RAND_seed reads a single byte of random data to ensure that any file
- * descriptors etc are opened. */
+// RAND_seed reads a single byte of random data to ensure that any file
+// descriptors etc are opened.
OPENSSL_EXPORT void RAND_seed(const void *buf, int num);
-/* RAND_load_file returns a nonnegative number. */
+// RAND_load_file returns a nonnegative number.
OPENSSL_EXPORT int RAND_load_file(const char *path, long num);
-/* RAND_file_name returns NULL. */
+// RAND_file_name returns NULL.
OPENSSL_EXPORT const char *RAND_file_name(char *buf, size_t num);
-/* RAND_add does nothing. */
+// RAND_add does nothing.
OPENSSL_EXPORT void RAND_add(const void *buf, int num, double entropy);
-/* RAND_egd returns 255. */
+// RAND_egd returns 255.
OPENSSL_EXPORT int RAND_egd(const char *);
-/* RAND_poll returns one. */
+// RAND_poll returns one.
OPENSSL_EXPORT int RAND_poll(void);
-/* RAND_status returns one. */
+// RAND_status returns one.
OPENSSL_EXPORT int RAND_status(void);
-/* rand_meth_st is typedefed to |RAND_METHOD| in base.h. It isn't used; it
- * exists only to be the return type of |RAND_SSLeay|. It's
- * external so that variables of this type can be initialized. */
+// rand_meth_st is typedefed to |RAND_METHOD| in base.h. It isn't used; it
+// exists only to be the return type of |RAND_SSLeay|. It's
+// external so that variables of this type can be initialized.
struct rand_meth_st {
void (*seed) (const void *buf, int num);
int (*bytes) (uint8_t *buf, size_t num);
@@ -108,18 +108,18 @@
int (*status) (void);
};
-/* RAND_SSLeay returns a pointer to a dummy |RAND_METHOD|. */
+// RAND_SSLeay returns a pointer to a dummy |RAND_METHOD|.
OPENSSL_EXPORT RAND_METHOD *RAND_SSLeay(void);
-/* RAND_get_rand_method returns |RAND_SSLeay()|. */
+// RAND_get_rand_method returns |RAND_SSLeay()|.
OPENSSL_EXPORT const RAND_METHOD *RAND_get_rand_method(void);
-/* RAND_set_rand_method does nothing. */
+// RAND_set_rand_method does nothing.
OPENSSL_EXPORT void RAND_set_rand_method(const RAND_METHOD *);
#if defined(__cplusplus)
-} /* extern C */
+} // extern C
#endif
-#endif /* OPENSSL_HEADER_RAND_H */
+#endif // OPENSSL_HEADER_RAND_H
diff --git a/src/include/openssl/rc4.h b/src/include/openssl/rc4.h
index 68af878..acf56ae 100644
--- a/src/include/openssl/rc4.h
+++ b/src/include/openssl/rc4.h
@@ -64,7 +64,7 @@
#endif
-/* RC4. */
+// RC4.
struct rc4_key_st {
@@ -72,25 +72,25 @@
uint32_t data[256];
} /* RC4_KEY */;
-/* RC4_set_key performs an RC4 key schedule and initialises |rc4key| with |len|
- * bytes of key material from |key|. */
+// RC4_set_key performs an RC4 key schedule and initialises |rc4key| with |len|
+// bytes of key material from |key|.
OPENSSL_EXPORT void RC4_set_key(RC4_KEY *rc4key, unsigned len,
const uint8_t *key);
-/* RC4 encrypts (or decrypts, it's the same with RC4) |len| bytes from |in| to
- * |out|. */
+// RC4 encrypts (or decrypts, it's the same with RC4) |len| bytes from |in| to
+// |out|.
OPENSSL_EXPORT void RC4(RC4_KEY *key, size_t len, const uint8_t *in,
uint8_t *out);
-/* Deprecated functions. */
+// Deprecated functions.
-/* RC4_options returns the string "rc4(ptr,int)". */
+// RC4_options returns the string "rc4(ptr,int)".
OPENSSL_EXPORT const char *RC4_options(void);
#if defined(__cplusplus)
-} /* extern C */
+} // extern C
#endif
-#endif /* OPENSSL_HEADER_RC4_H */
+#endif // OPENSSL_HEADER_RC4_H
diff --git a/src/include/openssl/ripemd.h b/src/include/openssl/ripemd.h
index cf1e49e..fb0b50c 100644
--- a/src/include/openssl/ripemd.h
+++ b/src/include/openssl/ripemd.h
@@ -75,33 +75,33 @@
unsigned num;
};
-/* RIPEMD160_Init initialises |ctx| and returns one. */
+// RIPEMD160_Init initialises |ctx| and returns one.
OPENSSL_EXPORT int RIPEMD160_Init(RIPEMD160_CTX *ctx);
-/* RIPEMD160_Update adds |len| bytes from |data| to |ctx| and returns one. */
+// RIPEMD160_Update adds |len| bytes from |data| to |ctx| and returns one.
OPENSSL_EXPORT int RIPEMD160_Update(RIPEMD160_CTX *ctx, const void *data,
size_t len);
-/* RIPEMD160_Final adds the final padding to |ctx| and writes the resulting
- * digest to |md|, which must have at least |RIPEMD160_DIGEST_LENGTH| bytes of
- * space. It returns one. */
+// RIPEMD160_Final adds the final padding to |ctx| and writes the resulting
+// digest to |md|, which must have at least |RIPEMD160_DIGEST_LENGTH| bytes of
+// space. It returns one.
OPENSSL_EXPORT int RIPEMD160_Final(uint8_t *md, RIPEMD160_CTX *ctx);
-/* RIPEMD160 writes the digest of |len| bytes from |data| to |out| and returns
- * |out|. There must be at least |RIPEMD160_DIGEST_LENGTH| bytes of space in
- * |out|. */
+// RIPEMD160 writes the digest of |len| bytes from |data| to |out| and returns
+// |out|. There must be at least |RIPEMD160_DIGEST_LENGTH| bytes of space in
+// |out|.
OPENSSL_EXPORT uint8_t *RIPEMD160(const uint8_t *data, size_t len,
uint8_t *out);
-/* RIPEMD160_Transform is a low-level function that performs a single,
- * RIPEMD160 block transformation using the state from |ctx| and 64 bytes from
- * |block|. */
+// RIPEMD160_Transform is a low-level function that performs a single,
+// RIPEMD160 block transformation using the state from |ctx| and 64 bytes from
+// |block|.
OPENSSL_EXPORT void RIPEMD160_Transform(RIPEMD160_CTX *ctx,
const uint8_t *block);
#if defined(__cplusplus)
-} /* extern C */
+} // extern C
#endif
-#endif /* OPENSSL_HEADER_RIPEMD_H */
+#endif // OPENSSL_HEADER_RIPEMD_H
diff --git a/src/include/openssl/rsa.h b/src/include/openssl/rsa.h
index ed2c0be..d977277 100644
--- a/src/include/openssl/rsa.h
+++ b/src/include/openssl/rsa.h
@@ -68,389 +68,389 @@
#endif
-/* rsa.h contains functions for handling encryption and signature using RSA. */
+// rsa.h contains functions for handling encryption and signature using RSA.
-/* Allocation and destruction. */
+// Allocation and destruction.
-/* RSA_new returns a new, empty RSA object or NULL on error. */
+// RSA_new returns a new, empty RSA object or NULL on error.
OPENSSL_EXPORT RSA *RSA_new(void);
-/* RSA_new_method acts the same as |RSA_new| but takes an explicit |ENGINE|. */
+// RSA_new_method acts the same as |RSA_new| but takes an explicit |ENGINE|.
OPENSSL_EXPORT RSA *RSA_new_method(const ENGINE *engine);
-/* RSA_free decrements the reference count of |rsa| and frees it if the
- * reference count drops to zero. */
+// RSA_free decrements the reference count of |rsa| and frees it if the
+// reference count drops to zero.
OPENSSL_EXPORT void RSA_free(RSA *rsa);
-/* RSA_up_ref increments the reference count of |rsa| and returns one. */
+// RSA_up_ref increments the reference count of |rsa| and returns one.
OPENSSL_EXPORT int RSA_up_ref(RSA *rsa);
-/* Properties. */
+// Properties.
-/* RSA_get0_key sets |*out_n|, |*out_e|, and |*out_d|, if non-NULL, to |rsa|'s
- * modulus, public exponent, and private exponent, respectively. If |rsa| is a
- * public key, the private exponent will be set to NULL. */
+// RSA_get0_key sets |*out_n|, |*out_e|, and |*out_d|, if non-NULL, to |rsa|'s
+// modulus, public exponent, and private exponent, respectively. If |rsa| is a
+// public key, the private exponent will be set to NULL.
OPENSSL_EXPORT void RSA_get0_key(const RSA *rsa, const BIGNUM **out_n,
const BIGNUM **out_e, const BIGNUM **out_d);
-/* RSA_get0_factors sets |*out_p| and |*out_q|, if non-NULL, to |rsa|'s prime
- * factors. If |rsa| is a public key, they will be set to NULL. */
+// RSA_get0_factors sets |*out_p| and |*out_q|, if non-NULL, to |rsa|'s prime
+// factors. If |rsa| is a public key, they will be set to NULL.
OPENSSL_EXPORT void RSA_get0_factors(const RSA *rsa, const BIGNUM **out_p,
const BIGNUM **out_q);
-/* RSA_get0_crt_params sets |*out_dmp1|, |*out_dmq1|, and |*out_iqmp|, if
- * non-NULL, to |rsa|'s CRT parameters. These are d (mod p-1), d (mod q-1) and
- * q^-1 (mod p), respectively. If |rsa| is a public key, each parameter will be
- * set to NULL. */
+// RSA_get0_crt_params sets |*out_dmp1|, |*out_dmq1|, and |*out_iqmp|, if
+// non-NULL, to |rsa|'s CRT parameters. These are d (mod p-1), d (mod q-1) and
+// q^-1 (mod p), respectively. If |rsa| is a public key, each parameter will be
+// set to NULL.
OPENSSL_EXPORT void RSA_get0_crt_params(const RSA *rsa, const BIGNUM **out_dmp1,
const BIGNUM **out_dmq1,
const BIGNUM **out_iqmp);
-/* Key generation. */
+// Key generation.
-/* RSA_generate_key_ex generates a new RSA key where the modulus has size
- * |bits| and the public exponent is |e|. If unsure, |RSA_F4| is a good value
- * for |e|. If |cb| is not NULL then it is called during the key generation
- * process. In addition to the calls documented for |BN_generate_prime_ex|, it
- * is called with event=2 when the n'th prime is rejected as unsuitable and
- * with event=3 when a suitable value for |p| is found.
- *
- * It returns one on success or zero on error. */
+// RSA_generate_key_ex generates a new RSA key where the modulus has size
+// |bits| and the public exponent is |e|. If unsure, |RSA_F4| is a good value
+// for |e|. If |cb| is not NULL then it is called during the key generation
+// process. In addition to the calls documented for |BN_generate_prime_ex|, it
+// is called with event=2 when the n'th prime is rejected as unsuitable and
+// with event=3 when a suitable value for |p| is found.
+//
+// It returns one on success or zero on error.
OPENSSL_EXPORT int RSA_generate_key_ex(RSA *rsa, int bits, BIGNUM *e,
BN_GENCB *cb);
-/* RSA_generate_key_fips behaves like |RSA_generate_key_ex| but performs
- * additional checks for FIPS compliance. The public exponent is always 65537
- * and |bits| must be either 2048 or 3072. */
+// RSA_generate_key_fips behaves like |RSA_generate_key_ex| but performs
+// additional checks for FIPS compliance. The public exponent is always 65537
+// and |bits| must be either 2048 or 3072.
OPENSSL_EXPORT int RSA_generate_key_fips(RSA *rsa, int bits, BN_GENCB *cb);
-/* Encryption / Decryption */
+// Encryption / Decryption
-/* Padding types for encryption. */
+// Padding types for encryption.
#define RSA_PKCS1_PADDING 1
#define RSA_NO_PADDING 3
#define RSA_PKCS1_OAEP_PADDING 4
-/* RSA_PKCS1_PSS_PADDING can only be used via the EVP interface. */
+// RSA_PKCS1_PSS_PADDING can only be used via the EVP interface.
#define RSA_PKCS1_PSS_PADDING 6
-/* RSA_encrypt encrypts |in_len| bytes from |in| to the public key from |rsa|
- * and writes, at most, |max_out| bytes of encrypted data to |out|. The
- * |max_out| argument must be, at least, |RSA_size| in order to ensure success.
- *
- * It returns 1 on success or zero on error.
- *
- * The |padding| argument must be one of the |RSA_*_PADDING| values. If in
- * doubt, use |RSA_PKCS1_OAEP_PADDING| for new protocols but
- * |RSA_PKCS1_PADDING| is most common. */
+// RSA_encrypt encrypts |in_len| bytes from |in| to the public key from |rsa|
+// and writes, at most, |max_out| bytes of encrypted data to |out|. The
+// |max_out| argument must be, at least, |RSA_size| in order to ensure success.
+//
+// It returns 1 on success or zero on error.
+//
+// The |padding| argument must be one of the |RSA_*_PADDING| values. If in
+// doubt, use |RSA_PKCS1_OAEP_PADDING| for new protocols but
+// |RSA_PKCS1_PADDING| is most common.
OPENSSL_EXPORT int RSA_encrypt(RSA *rsa, size_t *out_len, uint8_t *out,
size_t max_out, const uint8_t *in, size_t in_len,
int padding);
-/* RSA_decrypt decrypts |in_len| bytes from |in| with the private key from
- * |rsa| and writes, at most, |max_out| bytes of plaintext to |out|. The
- * |max_out| argument must be, at least, |RSA_size| in order to ensure success.
- *
- * It returns 1 on success or zero on error.
- *
- * The |padding| argument must be one of the |RSA_*_PADDING| values. If in
- * doubt, use |RSA_PKCS1_OAEP_PADDING| for new protocols.
- *
- * Passing |RSA_PKCS1_PADDING| into this function is deprecated and insecure. If
- * implementing a protocol using RSAES-PKCS1-V1_5, use |RSA_NO_PADDING| and then
- * check padding in constant-time combined with a swap to a random session key
- * or other mitigation. See "Chosen Ciphertext Attacks Against Protocols Based
- * on the RSA Encryption Standard PKCS #1", Daniel Bleichenbacher, Advances in
- * Cryptology (Crypto '98). */
+// RSA_decrypt decrypts |in_len| bytes from |in| with the private key from
+// |rsa| and writes, at most, |max_out| bytes of plaintext to |out|. The
+// |max_out| argument must be, at least, |RSA_size| in order to ensure success.
+//
+// It returns 1 on success or zero on error.
+//
+// The |padding| argument must be one of the |RSA_*_PADDING| values. If in
+// doubt, use |RSA_PKCS1_OAEP_PADDING| for new protocols.
+//
+// Passing |RSA_PKCS1_PADDING| into this function is deprecated and insecure. If
+// implementing a protocol using RSAES-PKCS1-V1_5, use |RSA_NO_PADDING| and then
+// check padding in constant-time combined with a swap to a random session key
+// or other mitigation. See "Chosen Ciphertext Attacks Against Protocols Based
+// on the RSA Encryption Standard PKCS #1", Daniel Bleichenbacher, Advances in
+// Cryptology (Crypto '98).
OPENSSL_EXPORT int RSA_decrypt(RSA *rsa, size_t *out_len, uint8_t *out,
size_t max_out, const uint8_t *in, size_t in_len,
int padding);
-/* RSA_public_encrypt encrypts |flen| bytes from |from| to the public key in
- * |rsa| and writes the encrypted data to |to|. The |to| buffer must have at
- * least |RSA_size| bytes of space. It returns the number of bytes written, or
- * -1 on error. The |padding| argument must be one of the |RSA_*_PADDING|
- * values. If in doubt, use |RSA_PKCS1_OAEP_PADDING| for new protocols but
- * |RSA_PKCS1_PADDING| is most common.
- *
- * WARNING: this function is dangerous because it breaks the usual return value
- * convention. Use |RSA_encrypt| instead. */
+// RSA_public_encrypt encrypts |flen| bytes from |from| to the public key in
+// |rsa| and writes the encrypted data to |to|. The |to| buffer must have at
+// least |RSA_size| bytes of space. It returns the number of bytes written, or
+// -1 on error. The |padding| argument must be one of the |RSA_*_PADDING|
+// values. If in doubt, use |RSA_PKCS1_OAEP_PADDING| for new protocols but
+// |RSA_PKCS1_PADDING| is most common.
+//
+// WARNING: this function is dangerous because it breaks the usual return value
+// convention. Use |RSA_encrypt| instead.
OPENSSL_EXPORT int RSA_public_encrypt(size_t flen, const uint8_t *from,
uint8_t *to, RSA *rsa, int padding);
-/* RSA_private_decrypt decrypts |flen| bytes from |from| with the public key in
- * |rsa| and writes the plaintext to |to|. The |to| buffer must have at least
- * |RSA_size| bytes of space. It returns the number of bytes written, or -1 on
- * error. The |padding| argument must be one of the |RSA_*_PADDING| values. If
- * in doubt, use |RSA_PKCS1_OAEP_PADDING| for new protocols. Passing
- * |RSA_PKCS1_PADDING| into this function is deprecated and insecure. See
- * |RSA_decrypt|.
- *
- * WARNING: this function is dangerous because it breaks the usual return value
- * convention. Use |RSA_decrypt| instead. */
+// RSA_private_decrypt decrypts |flen| bytes from |from| with the public key in
+// |rsa| and writes the plaintext to |to|. The |to| buffer must have at least
+// |RSA_size| bytes of space. It returns the number of bytes written, or -1 on
+// error. The |padding| argument must be one of the |RSA_*_PADDING| values. If
+// in doubt, use |RSA_PKCS1_OAEP_PADDING| for new protocols. Passing
+// |RSA_PKCS1_PADDING| into this function is deprecated and insecure. See
+// |RSA_decrypt|.
+//
+// WARNING: this function is dangerous because it breaks the usual return value
+// convention. Use |RSA_decrypt| instead.
OPENSSL_EXPORT int RSA_private_decrypt(size_t flen, const uint8_t *from,
uint8_t *to, RSA *rsa, int padding);
-/* Signing / Verification */
+// Signing / Verification
-/* RSA_sign signs |in_len| bytes of digest from |in| with |rsa| using
- * RSASSA-PKCS1-v1_5. It writes, at most, |RSA_size(rsa)| bytes to |out|. On
- * successful return, the actual number of bytes written is written to
- * |*out_len|.
- *
- * The |hash_nid| argument identifies the hash function used to calculate |in|
- * and is embedded in the resulting signature. For example, it might be
- * |NID_sha256|.
- *
- * It returns 1 on success and zero on error. */
+// RSA_sign signs |in_len| bytes of digest from |in| with |rsa| using
+// RSASSA-PKCS1-v1_5. It writes, at most, |RSA_size(rsa)| bytes to |out|. On
+// successful return, the actual number of bytes written is written to
+// |*out_len|.
+//
+// The |hash_nid| argument identifies the hash function used to calculate |in|
+// and is embedded in the resulting signature. For example, it might be
+// |NID_sha256|.
+//
+// It returns 1 on success and zero on error.
OPENSSL_EXPORT int RSA_sign(int hash_nid, const uint8_t *in,
unsigned int in_len, uint8_t *out,
unsigned int *out_len, RSA *rsa);
-/* RSA_sign_pss_mgf1 signs |in_len| bytes from |in| with the public key from
- * |rsa| using RSASSA-PSS with MGF1 as the mask generation function. It writes,
- * at most, |max_out| bytes of signature data to |out|. The |max_out| argument
- * must be, at least, |RSA_size| in order to ensure success. It returns 1 on
- * success or zero on error.
- *
- * The |md| and |mgf1_md| arguments identify the hash used to calculate |msg|
- * and the MGF1 hash, respectively. If |mgf1_md| is NULL, |md| is
- * used.
- *
- * |salt_len| specifies the expected salt length in bytes. If |salt_len| is -1,
- * then the salt length is the same as the hash length. If -2, then the salt
- * length is maximal given the size of |rsa|. If unsure, use -1. */
+// RSA_sign_pss_mgf1 signs |in_len| bytes from |in| with the public key from
+// |rsa| using RSASSA-PSS with MGF1 as the mask generation function. It writes,
+// at most, |max_out| bytes of signature data to |out|. The |max_out| argument
+// must be, at least, |RSA_size| in order to ensure success. It returns 1 on
+// success or zero on error.
+//
+// The |md| and |mgf1_md| arguments identify the hash used to calculate |msg|
+// and the MGF1 hash, respectively. If |mgf1_md| is NULL, |md| is
+// used.
+//
+// |salt_len| specifies the expected salt length in bytes. If |salt_len| is -1,
+// then the salt length is the same as the hash length. If -2, then the salt
+// length is maximal given the size of |rsa|. If unsure, use -1.
OPENSSL_EXPORT int RSA_sign_pss_mgf1(RSA *rsa, size_t *out_len, uint8_t *out,
size_t max_out, const uint8_t *in,
size_t in_len, const EVP_MD *md,
const EVP_MD *mgf1_md, int salt_len);
-/* RSA_sign_raw signs |in_len| bytes from |in| with the public key from |rsa|
- * and writes, at most, |max_out| bytes of signature data to |out|. The
- * |max_out| argument must be, at least, |RSA_size| in order to ensure success.
- *
- * It returns 1 on success or zero on error.
- *
- * The |padding| argument must be one of the |RSA_*_PADDING| values. If in
- * doubt, |RSA_PKCS1_PADDING| is the most common but |RSA_PKCS1_PSS_PADDING|
- * (via the |EVP_PKEY| interface) is preferred for new protocols. */
+// RSA_sign_raw signs |in_len| bytes from |in| with the public key from |rsa|
+// and writes, at most, |max_out| bytes of signature data to |out|. The
+// |max_out| argument must be, at least, |RSA_size| in order to ensure success.
+//
+// It returns 1 on success or zero on error.
+//
+// The |padding| argument must be one of the |RSA_*_PADDING| values. If in
+// doubt, |RSA_PKCS1_PADDING| is the most common but |RSA_PKCS1_PSS_PADDING|
+// (via the |EVP_PKEY| interface) is preferred for new protocols.
OPENSSL_EXPORT int RSA_sign_raw(RSA *rsa, size_t *out_len, uint8_t *out,
size_t max_out, const uint8_t *in,
size_t in_len, int padding);
-/* RSA_verify verifies that |sig_len| bytes from |sig| are a valid,
- * RSASSA-PKCS1-v1_5 signature of |msg_len| bytes at |msg| by |rsa|.
- *
- * The |hash_nid| argument identifies the hash function used to calculate |msg|
- * and is embedded in the resulting signature in order to prevent hash
- * confusion attacks. For example, it might be |NID_sha256|.
- *
- * It returns one if the signature is valid and zero otherwise.
- *
- * WARNING: this differs from the original, OpenSSL function which additionally
- * returned -1 on error. */
+// RSA_verify verifies that |sig_len| bytes from |sig| are a valid,
+// RSASSA-PKCS1-v1_5 signature of |msg_len| bytes at |msg| by |rsa|.
+//
+// The |hash_nid| argument identifies the hash function used to calculate |msg|
+// and is embedded in the resulting signature in order to prevent hash
+// confusion attacks. For example, it might be |NID_sha256|.
+//
+// It returns one if the signature is valid and zero otherwise.
+//
+// WARNING: this differs from the original, OpenSSL function which additionally
+// returned -1 on error.
OPENSSL_EXPORT int RSA_verify(int hash_nid, const uint8_t *msg, size_t msg_len,
const uint8_t *sig, size_t sig_len, RSA *rsa);
-/* RSA_verify_pss_mgf1 verifies that |sig_len| bytes from |sig| are a valid,
- * RSASSA-PSS signature of |msg_len| bytes at |msg| by |rsa|. It returns one if
- * the signature is valid and zero otherwise. MGF1 is used as the mask
- * generation function.
- *
- * The |md| and |mgf1_md| arguments identify the hash used to calculate |msg|
- * and the MGF1 hash, respectively. If |mgf1_md| is NULL, |md| is
- * used. |salt_len| specifies the expected salt length in bytes.
- *
- * If |salt_len| is -1, then the salt length is the same as the hash length. If
- * -2, then the salt length is recovered and all values accepted. If unsure, use
- * -1. */
+// RSA_verify_pss_mgf1 verifies that |sig_len| bytes from |sig| are a valid,
+// RSASSA-PSS signature of |msg_len| bytes at |msg| by |rsa|. It returns one if
+// the signature is valid and zero otherwise. MGF1 is used as the mask
+// generation function.
+//
+// The |md| and |mgf1_md| arguments identify the hash used to calculate |msg|
+// and the MGF1 hash, respectively. If |mgf1_md| is NULL, |md| is
+// used. |salt_len| specifies the expected salt length in bytes.
+//
+// If |salt_len| is -1, then the salt length is the same as the hash length. If
+// -2, then the salt length is recovered and all values accepted. If unsure, use
+// -1.
OPENSSL_EXPORT int RSA_verify_pss_mgf1(RSA *rsa, const uint8_t *msg,
size_t msg_len, const EVP_MD *md,
const EVP_MD *mgf1_md, int salt_len,
const uint8_t *sig, size_t sig_len);
-/* RSA_verify_raw verifies |in_len| bytes of signature from |in| using the
- * public key from |rsa| and writes, at most, |max_out| bytes of plaintext to
- * |out|. The |max_out| argument must be, at least, |RSA_size| in order to
- * ensure success.
- *
- * It returns 1 on success or zero on error.
- *
- * The |padding| argument must be one of the |RSA_*_PADDING| values. If in
- * doubt, |RSA_PKCS1_PADDING| is the most common but |RSA_PKCS1_PSS_PADDING|
- * (via the |EVP_PKEY| interface) is preferred for new protocols. */
+// RSA_verify_raw verifies |in_len| bytes of signature from |in| using the
+// public key from |rsa| and writes, at most, |max_out| bytes of plaintext to
+// |out|. The |max_out| argument must be, at least, |RSA_size| in order to
+// ensure success.
+//
+// It returns 1 on success or zero on error.
+//
+// The |padding| argument must be one of the |RSA_*_PADDING| values. If in
+// doubt, |RSA_PKCS1_PADDING| is the most common but |RSA_PKCS1_PSS_PADDING|
+// (via the |EVP_PKEY| interface) is preferred for new protocols.
OPENSSL_EXPORT int RSA_verify_raw(RSA *rsa, size_t *out_len, uint8_t *out,
size_t max_out, const uint8_t *in,
size_t in_len, int padding);
-/* RSA_private_encrypt encrypts |flen| bytes from |from| with the private key in
- * |rsa| and writes the encrypted data to |to|. The |to| buffer must have at
- * least |RSA_size| bytes of space. It returns the number of bytes written, or
- * -1 on error. The |padding| argument must be one of the |RSA_*_PADDING|
- * values. If in doubt, |RSA_PKCS1_PADDING| is the most common but
- * |RSA_PKCS1_PSS_PADDING| (via the |EVP_PKEY| interface) is preferred for new
- * protocols.
- *
- * WARNING: this function is dangerous because it breaks the usual return value
- * convention. Use |RSA_sign_raw| instead. */
+// RSA_private_encrypt encrypts |flen| bytes from |from| with the private key in
+// |rsa| and writes the encrypted data to |to|. The |to| buffer must have at
+// least |RSA_size| bytes of space. It returns the number of bytes written, or
+// -1 on error. The |padding| argument must be one of the |RSA_*_PADDING|
+// values. If in doubt, |RSA_PKCS1_PADDING| is the most common but
+// |RSA_PKCS1_PSS_PADDING| (via the |EVP_PKEY| interface) is preferred for new
+// protocols.
+//
+// WARNING: this function is dangerous because it breaks the usual return value
+// convention. Use |RSA_sign_raw| instead.
OPENSSL_EXPORT int RSA_private_encrypt(size_t flen, const uint8_t *from,
uint8_t *to, RSA *rsa, int padding);
-/* RSA_public_decrypt verifies |flen| bytes of signature from |from| using the
- * public key in |rsa| and writes the plaintext to |to|. The |to| buffer must
- * have at least |RSA_size| bytes of space. It returns the number of bytes
- * written, or -1 on error. The |padding| argument must be one of the
- * |RSA_*_PADDING| values. If in doubt, |RSA_PKCS1_PADDING| is the most common
- * but |RSA_PKCS1_PSS_PADDING| (via the |EVP_PKEY| interface) is preferred for
- * new protocols.
- *
- * WARNING: this function is dangerous because it breaks the usual return value
- * convention. Use |RSA_verify_raw| instead. */
+// RSA_public_decrypt verifies |flen| bytes of signature from |from| using the
+// public key in |rsa| and writes the plaintext to |to|. The |to| buffer must
+// have at least |RSA_size| bytes of space. It returns the number of bytes
+// written, or -1 on error. The |padding| argument must be one of the
+// |RSA_*_PADDING| values. If in doubt, |RSA_PKCS1_PADDING| is the most common
+// but |RSA_PKCS1_PSS_PADDING| (via the |EVP_PKEY| interface) is preferred for
+// new protocols.
+//
+// WARNING: this function is dangerous because it breaks the usual return value
+// convention. Use |RSA_verify_raw| instead.
OPENSSL_EXPORT int RSA_public_decrypt(size_t flen, const uint8_t *from,
uint8_t *to, RSA *rsa, int padding);
-/* Utility functions. */
+// Utility functions.
-/* RSA_size returns the number of bytes in the modulus, which is also the size
- * of a signature or encrypted value using |rsa|. */
+// RSA_size returns the number of bytes in the modulus, which is also the size
+// of a signature or encrypted value using |rsa|.
OPENSSL_EXPORT unsigned RSA_size(const RSA *rsa);
-/* RSA_is_opaque returns one if |rsa| is opaque and doesn't expose its key
- * material. Otherwise it returns zero. */
+// RSA_is_opaque returns one if |rsa| is opaque and doesn't expose its key
+// material. Otherwise it returns zero.
OPENSSL_EXPORT int RSA_is_opaque(const RSA *rsa);
-/* RSAPublicKey_dup allocates a fresh |RSA| and copies the public key from
- * |rsa| into it. It returns the fresh |RSA| object, or NULL on error. */
+// RSAPublicKey_dup allocates a fresh |RSA| and copies the public key from
+// |rsa| into it. It returns the fresh |RSA| object, or NULL on error.
OPENSSL_EXPORT RSA *RSAPublicKey_dup(const RSA *rsa);
-/* RSAPrivateKey_dup allocates a fresh |RSA| and copies the private key from
- * |rsa| into it. It returns the fresh |RSA| object, or NULL on error. */
+// RSAPrivateKey_dup allocates a fresh |RSA| and copies the private key from
+// |rsa| into it. It returns the fresh |RSA| object, or NULL on error.
OPENSSL_EXPORT RSA *RSAPrivateKey_dup(const RSA *rsa);
-/* RSA_check_key performs basic validity tests on |rsa|. It returns one if
- * they pass and zero otherwise. Opaque keys and public keys always pass. If it
- * returns zero then a more detailed error is available on the error queue. */
+// RSA_check_key performs basic validity tests on |rsa|. It returns one if
+// they pass and zero otherwise. Opaque keys and public keys always pass. If it
+// returns zero then a more detailed error is available on the error queue.
OPENSSL_EXPORT int RSA_check_key(const RSA *rsa);
-/* RSA_check_fips performs public key validity tests on |key|. It returns one
- * if they pass and zero otherwise. Opaque keys always fail. */
+// RSA_check_fips performs public key validity tests on |key|. It returns one
+// if they pass and zero otherwise. Opaque keys always fail.
OPENSSL_EXPORT int RSA_check_fips(RSA *key);
-/* RSA_verify_PKCS1_PSS_mgf1 verifies that |EM| is a correct PSS padding of
- * |mHash|, where |mHash| is a digest produced by |Hash|. |EM| must point to
- * exactly |RSA_size(rsa)| bytes of data. The |mgf1Hash| argument specifies the
- * hash function for generating the mask. If NULL, |Hash| is used. The |sLen|
- * argument specifies the expected salt length in bytes. If |sLen| is -1 then
- * the salt length is the same as the hash length. If -2, then the salt length
- * is recovered and all values accepted.
- *
- * If unsure, use -1.
- *
- * It returns one on success or zero on error.
- *
- * This function implements only the low-level padding logic. Use
- * |RSA_verify_pss_mgf1| instead. */
+// RSA_verify_PKCS1_PSS_mgf1 verifies that |EM| is a correct PSS padding of
+// |mHash|, where |mHash| is a digest produced by |Hash|. |EM| must point to
+// exactly |RSA_size(rsa)| bytes of data. The |mgf1Hash| argument specifies the
+// hash function for generating the mask. If NULL, |Hash| is used. The |sLen|
+// argument specifies the expected salt length in bytes. If |sLen| is -1 then
+// the salt length is the same as the hash length. If -2, then the salt length
+// is recovered and all values accepted.
+//
+// If unsure, use -1.
+//
+// It returns one on success or zero on error.
+//
+// This function implements only the low-level padding logic. Use
+// |RSA_verify_pss_mgf1| instead.
OPENSSL_EXPORT int RSA_verify_PKCS1_PSS_mgf1(RSA *rsa, const uint8_t *mHash,
const EVP_MD *Hash,
const EVP_MD *mgf1Hash,
const uint8_t *EM, int sLen);
-/* RSA_padding_add_PKCS1_PSS_mgf1 writes a PSS padding of |mHash| to |EM|,
- * where |mHash| is a digest produced by |Hash|. |RSA_size(rsa)| bytes of
- * output will be written to |EM|. The |mgf1Hash| argument specifies the hash
- * function for generating the mask. If NULL, |Hash| is used. The |sLen|
- * argument specifies the expected salt length in bytes. If |sLen| is -1 then
- * the salt length is the same as the hash length. If -2, then the salt length
- * is maximal given the space in |EM|.
- *
- * It returns one on success or zero on error.
- *
- * This function implements only the low-level padding logic. Use
- * |RSA_sign_pss_mgf1| instead. */
+// RSA_padding_add_PKCS1_PSS_mgf1 writes a PSS padding of |mHash| to |EM|,
+// where |mHash| is a digest produced by |Hash|. |RSA_size(rsa)| bytes of
+// output will be written to |EM|. The |mgf1Hash| argument specifies the hash
+// function for generating the mask. If NULL, |Hash| is used. The |sLen|
+// argument specifies the expected salt length in bytes. If |sLen| is -1 then
+// the salt length is the same as the hash length. If -2, then the salt length
+// is maximal given the space in |EM|.
+//
+// It returns one on success or zero on error.
+//
+// This function implements only the low-level padding logic. Use
+// |RSA_sign_pss_mgf1| instead.
OPENSSL_EXPORT int RSA_padding_add_PKCS1_PSS_mgf1(RSA *rsa, uint8_t *EM,
const uint8_t *mHash,
const EVP_MD *Hash,
const EVP_MD *mgf1Hash,
int sLen);
-/* RSA_padding_add_PKCS1_OAEP_mgf1 writes an OAEP padding of |from| to |to|
- * with the given parameters and hash functions. If |md| is NULL then SHA-1 is
- * used. If |mgf1md| is NULL then the value of |md| is used (which means SHA-1
- * if that, in turn, is NULL).
- *
- * It returns one on success or zero on error. */
+// RSA_padding_add_PKCS1_OAEP_mgf1 writes an OAEP padding of |from| to |to|
+// with the given parameters and hash functions. If |md| is NULL then SHA-1 is
+// used. If |mgf1md| is NULL then the value of |md| is used (which means SHA-1
+// if that, in turn, is NULL).
+//
+// It returns one on success or zero on error.
OPENSSL_EXPORT int RSA_padding_add_PKCS1_OAEP_mgf1(
uint8_t *to, size_t to_len, const uint8_t *from, size_t from_len,
const uint8_t *param, size_t param_len, const EVP_MD *md,
const EVP_MD *mgf1md);
-/* RSA_add_pkcs1_prefix builds a version of |msg| prefixed with the DigestInfo
- * header for the given hash function and sets |out_msg| to point to it. On
- * successful return, |*out_msg| may be allocated memory and, if so,
- * |*is_alloced| will be 1. */
+// RSA_add_pkcs1_prefix builds a version of |msg| prefixed with the DigestInfo
+// header for the given hash function and sets |out_msg| to point to it. On
+// successful return, |*out_msg| may be allocated memory and, if so,
+// |*is_alloced| will be 1.
OPENSSL_EXPORT int RSA_add_pkcs1_prefix(uint8_t **out_msg, size_t *out_msg_len,
int *is_alloced, int hash_nid,
const uint8_t *msg, size_t msg_len);
-/* ASN.1 functions. */
+// ASN.1 functions.
-/* RSA_parse_public_key parses a DER-encoded RSAPublicKey structure (RFC 3447)
- * from |cbs| and advances |cbs|. It returns a newly-allocated |RSA| or NULL on
- * error. */
+// RSA_parse_public_key parses a DER-encoded RSAPublicKey structure (RFC 3447)
+// from |cbs| and advances |cbs|. It returns a newly-allocated |RSA| or NULL on
+// error.
OPENSSL_EXPORT RSA *RSA_parse_public_key(CBS *cbs);
-/* RSA_parse_public_key_buggy behaves like |RSA_parse_public_key|, but it
- * tolerates some invalid encodings. Do not use this function. */
+// RSA_parse_public_key_buggy behaves like |RSA_parse_public_key|, but it
+// tolerates some invalid encodings. Do not use this function.
OPENSSL_EXPORT RSA *RSA_parse_public_key_buggy(CBS *cbs);
-/* RSA_public_key_from_bytes parses |in| as a DER-encoded RSAPublicKey structure
- * (RFC 3447). It returns a newly-allocated |RSA| or NULL on error. */
+// RSA_public_key_from_bytes parses |in| as a DER-encoded RSAPublicKey structure
+// (RFC 3447). It returns a newly-allocated |RSA| or NULL on error.
OPENSSL_EXPORT RSA *RSA_public_key_from_bytes(const uint8_t *in, size_t in_len);
-/* RSA_marshal_public_key marshals |rsa| as a DER-encoded RSAPublicKey structure
- * (RFC 3447) and appends the result to |cbb|. It returns one on success and
- * zero on failure. */
+// RSA_marshal_public_key marshals |rsa| as a DER-encoded RSAPublicKey structure
+// (RFC 3447) and appends the result to |cbb|. It returns one on success and
+// zero on failure.
OPENSSL_EXPORT int RSA_marshal_public_key(CBB *cbb, const RSA *rsa);
-/* RSA_public_key_to_bytes marshals |rsa| as a DER-encoded RSAPublicKey
- * structure (RFC 3447) and, on success, sets |*out_bytes| to a newly allocated
- * buffer containing the result and returns one. Otherwise, it returns zero. The
- * result should be freed with |OPENSSL_free|. */
+// RSA_public_key_to_bytes marshals |rsa| as a DER-encoded RSAPublicKey
+// structure (RFC 3447) and, on success, sets |*out_bytes| to a newly allocated
+// buffer containing the result and returns one. Otherwise, it returns zero. The
+// result should be freed with |OPENSSL_free|.
OPENSSL_EXPORT int RSA_public_key_to_bytes(uint8_t **out_bytes, size_t *out_len,
const RSA *rsa);
-/* RSA_parse_private_key parses a DER-encoded RSAPrivateKey structure (RFC 3447)
- * from |cbs| and advances |cbs|. It returns a newly-allocated |RSA| or NULL on
- * error. */
+// RSA_parse_private_key parses a DER-encoded RSAPrivateKey structure (RFC 3447)
+// from |cbs| and advances |cbs|. It returns a newly-allocated |RSA| or NULL on
+// error.
OPENSSL_EXPORT RSA *RSA_parse_private_key(CBS *cbs);
-/* RSA_private_key_from_bytes parses |in| as a DER-encoded RSAPrivateKey
- * structure (RFC 3447). It returns a newly-allocated |RSA| or NULL on error. */
+// RSA_private_key_from_bytes parses |in| as a DER-encoded RSAPrivateKey
+// structure (RFC 3447). It returns a newly-allocated |RSA| or NULL on error.
OPENSSL_EXPORT RSA *RSA_private_key_from_bytes(const uint8_t *in,
size_t in_len);
-/* RSA_marshal_private_key marshals |rsa| as a DER-encoded RSAPrivateKey
- * structure (RFC 3447) and appends the result to |cbb|. It returns one on
- * success and zero on failure. */
+// RSA_marshal_private_key marshals |rsa| as a DER-encoded RSAPrivateKey
+// structure (RFC 3447) and appends the result to |cbb|. It returns one on
+// success and zero on failure.
OPENSSL_EXPORT int RSA_marshal_private_key(CBB *cbb, const RSA *rsa);
-/* RSA_private_key_to_bytes marshals |rsa| as a DER-encoded RSAPrivateKey
- * structure (RFC 3447) and, on success, sets |*out_bytes| to a newly allocated
- * buffer containing the result and returns one. Otherwise, it returns zero. The
- * result should be freed with |OPENSSL_free|. */
+// RSA_private_key_to_bytes marshals |rsa| as a DER-encoded RSAPrivateKey
+// structure (RFC 3447) and, on success, sets |*out_bytes| to a newly allocated
+// buffer containing the result and returns one. Otherwise, it returns zero. The
+// result should be freed with |OPENSSL_free|.
OPENSSL_EXPORT int RSA_private_key_to_bytes(uint8_t **out_bytes,
size_t *out_len, const RSA *rsa);
-/* ex_data functions.
- *
- * See |ex_data.h| for details. */
+// ex_data functions.
+//
+// See |ex_data.h| for details.
OPENSSL_EXPORT int RSA_get_ex_new_index(long argl, void *argp,
CRYPTO_EX_unused *unused,
@@ -460,102 +460,102 @@
OPENSSL_EXPORT void *RSA_get_ex_data(const RSA *rsa, int idx);
-/* Flags. */
+// Flags.
-/* RSA_FLAG_OPAQUE specifies that this RSA_METHOD does not expose its key
- * material. This may be set if, for instance, it is wrapping some other crypto
- * API, like a platform key store. */
+// RSA_FLAG_OPAQUE specifies that this RSA_METHOD does not expose its key
+// material. This may be set if, for instance, it is wrapping some other crypto
+// API, like a platform key store.
#define RSA_FLAG_OPAQUE 1
-/* Deprecated and ignored. */
+// Deprecated and ignored.
#define RSA_FLAG_CACHE_PUBLIC 2
-/* Deprecated and ignored. */
+// Deprecated and ignored.
#define RSA_FLAG_CACHE_PRIVATE 4
-/* RSA_FLAG_NO_BLINDING disables blinding of private operations, which is a
- * dangerous thing to do. It is deprecated and should not be used. It will
- * be ignored whenever possible.
- *
- * This flag must be used if a key without the public exponent |e| is used for
- * private key operations; avoid using such keys whenever possible. */
+// RSA_FLAG_NO_BLINDING disables blinding of private operations, which is a
+// dangerous thing to do. It is deprecated and should not be used. It will
+// be ignored whenever possible.
+//
+// This flag must be used if a key without the public exponent |e| is used for
+// private key operations; avoid using such keys whenever possible.
#define RSA_FLAG_NO_BLINDING 8
-/* RSA_FLAG_EXT_PKEY is deprecated and ignored. */
+// RSA_FLAG_EXT_PKEY is deprecated and ignored.
#define RSA_FLAG_EXT_PKEY 0x20
-/* RSA_FLAG_SIGN_VER causes the |sign| and |verify| functions of |rsa_meth_st|
- * to be called when set. */
+// RSA_FLAG_SIGN_VER causes the |sign| and |verify| functions of |rsa_meth_st|
+// to be called when set.
#define RSA_FLAG_SIGN_VER 0x40
-/* RSA public exponent values. */
+// RSA public exponent values.
#define RSA_3 0x3
#define RSA_F4 0x10001
-/* Deprecated functions. */
+// Deprecated functions.
-/* RSA_blinding_on returns one. */
+// RSA_blinding_on returns one.
OPENSSL_EXPORT int RSA_blinding_on(RSA *rsa, BN_CTX *ctx);
-/* RSA_generate_key behaves like |RSA_generate_key_ex|, which is what you
- * should use instead. It returns NULL on error, or a newly-allocated |RSA| on
- * success. This function is provided for compatibility only. The |callback|
- * and |cb_arg| parameters must be NULL. */
+// RSA_generate_key behaves like |RSA_generate_key_ex|, which is what you
+// should use instead. It returns NULL on error, or a newly-allocated |RSA| on
+// success. This function is provided for compatibility only. The |callback|
+// and |cb_arg| parameters must be NULL.
OPENSSL_EXPORT RSA *RSA_generate_key(int bits, unsigned long e, void *callback,
void *cb_arg);
-/* d2i_RSAPublicKey parses an ASN.1, DER-encoded, RSA public key from |len|
- * bytes at |*inp|. If |out| is not NULL then, on exit, a pointer to the result
- * is in |*out|. Note that, even if |*out| is already non-NULL on entry, it
- * will not be written to. Rather, a fresh |RSA| is allocated and the previous
- * one is freed. On successful exit, |*inp| is advanced past the DER structure.
- * It returns the result or NULL on error. */
+// d2i_RSAPublicKey parses an ASN.1, DER-encoded, RSA public key from |len|
+// bytes at |*inp|. If |out| is not NULL then, on exit, a pointer to the result
+// is in |*out|. Note that, even if |*out| is already non-NULL on entry, it
+// will not be written to. Rather, a fresh |RSA| is allocated and the previous
+// one is freed. On successful exit, |*inp| is advanced past the DER structure.
+// It returns the result or NULL on error.
OPENSSL_EXPORT RSA *d2i_RSAPublicKey(RSA **out, const uint8_t **inp, long len);
-/* i2d_RSAPublicKey marshals |in| to an ASN.1, DER structure. If |outp| is not
- * NULL then the result is written to |*outp| and |*outp| is advanced just past
- * the output. It returns the number of bytes in the result, whether written or
- * not, or a negative value on error. */
+// i2d_RSAPublicKey marshals |in| to an ASN.1, DER structure. If |outp| is not
+// NULL then the result is written to |*outp| and |*outp| is advanced just past
+// the output. It returns the number of bytes in the result, whether written or
+// not, or a negative value on error.
OPENSSL_EXPORT int i2d_RSAPublicKey(const RSA *in, uint8_t **outp);
-/* d2i_RSAPrivateKey parses an ASN.1, DER-encoded, RSA private key from |len|
- * bytes at |*inp|. If |out| is not NULL then, on exit, a pointer to the result
- * is in |*out|. Note that, even if |*out| is already non-NULL on entry, it
- * will not be written to. Rather, a fresh |RSA| is allocated and the previous
- * one is freed. On successful exit, |*inp| is advanced past the DER structure.
- * It returns the result or NULL on error. */
+// d2i_RSAPrivateKey parses an ASN.1, DER-encoded, RSA private key from |len|
+// bytes at |*inp|. If |out| is not NULL then, on exit, a pointer to the result
+// is in |*out|. Note that, even if |*out| is already non-NULL on entry, it
+// will not be written to. Rather, a fresh |RSA| is allocated and the previous
+// one is freed. On successful exit, |*inp| is advanced past the DER structure.
+// It returns the result or NULL on error.
OPENSSL_EXPORT RSA *d2i_RSAPrivateKey(RSA **out, const uint8_t **inp, long len);
-/* i2d_RSAPrivateKey marshals |in| to an ASN.1, DER structure. If |outp| is not
- * NULL then the result is written to |*outp| and |*outp| is advanced just past
- * the output. It returns the number of bytes in the result, whether written or
- * not, or a negative value on error. */
+// i2d_RSAPrivateKey marshals |in| to an ASN.1, DER structure. If |outp| is not
+// NULL then the result is written to |*outp| and |*outp| is advanced just past
+// the output. It returns the number of bytes in the result, whether written or
+// not, or a negative value on error.
OPENSSL_EXPORT int i2d_RSAPrivateKey(const RSA *in, uint8_t **outp);
-/* RSA_padding_add_PKCS1_PSS acts like |RSA_padding_add_PKCS1_PSS_mgf1| but the
- * |mgf1Hash| parameter of the latter is implicitly set to |Hash|.
- *
- * This function implements only the low-level padding logic. Use
- * |RSA_sign_pss_mgf1| instead. */
+// RSA_padding_add_PKCS1_PSS acts like |RSA_padding_add_PKCS1_PSS_mgf1| but the
+// |mgf1Hash| parameter of the latter is implicitly set to |Hash|.
+//
+// This function implements only the low-level padding logic. Use
+// |RSA_sign_pss_mgf1| instead.
OPENSSL_EXPORT int RSA_padding_add_PKCS1_PSS(RSA *rsa, uint8_t *EM,
const uint8_t *mHash,
const EVP_MD *Hash, int sLen);
-/* RSA_verify_PKCS1_PSS acts like |RSA_verify_PKCS1_PSS_mgf1| but the
- * |mgf1Hash| parameter of the latter is implicitly set to |Hash|.
- *
- * This function implements only the low-level padding logic. Use
- * |RSA_verify_pss_mgf1| instead. */
+// RSA_verify_PKCS1_PSS acts like |RSA_verify_PKCS1_PSS_mgf1| but the
+// |mgf1Hash| parameter of the latter is implicitly set to |Hash|.
+//
+// This function implements only the low-level padding logic. Use
+// |RSA_verify_pss_mgf1| instead.
OPENSSL_EXPORT int RSA_verify_PKCS1_PSS(RSA *rsa, const uint8_t *mHash,
const EVP_MD *Hash, const uint8_t *EM,
int sLen);
-/* RSA_padding_add_PKCS1_OAEP acts like |RSA_padding_add_PKCS1_OAEP_mgf1| but
- * the |md| and |mgf1md| parameters of the latter are implicitly set to NULL,
- * which means SHA-1. */
+// RSA_padding_add_PKCS1_OAEP acts like |RSA_padding_add_PKCS1_OAEP_mgf1| but
+// the |md| and |mgf1md| parameters of the latter are implicitly set to NULL,
+// which means SHA-1.
OPENSSL_EXPORT int RSA_padding_add_PKCS1_OAEP(uint8_t *to, size_t to_len,
const uint8_t *from,
size_t from_len,
@@ -571,37 +571,37 @@
int (*init)(RSA *rsa);
int (*finish)(RSA *rsa);
- /* size returns the size of the RSA modulus in bytes. */
+ // size returns the size of the RSA modulus in bytes.
size_t (*size)(const RSA *rsa);
int (*sign)(int type, const uint8_t *m, unsigned int m_length,
uint8_t *sigret, unsigned int *siglen, const RSA *rsa);
- /* Ignored. Set this to NULL.
- * TODO(davidben): Remove this when
- * https://github.com/google/conscrypt/commit/bb0571e358e95e1c70ac7a6984fc4d7236cac72f
- * is in all BoringSSL consumers. */
+ // Ignored. Set this to NULL.
+ // TODO(davidben): Remove this when
+ // https://github.com/google/conscrypt/commit/bb0571e358e95e1c70ac7a6984fc4d7236cac72f
+ // is in all BoringSSL consumers.
int (*encrypt)(RSA *rsa, size_t *out_len, uint8_t *out, size_t max_out,
const uint8_t *in, size_t in_len, int padding);
- /* These functions mirror the |RSA_*| functions of the same name. */
+ // These functions mirror the |RSA_*| functions of the same name.
int (*sign_raw)(RSA *rsa, size_t *out_len, uint8_t *out, size_t max_out,
const uint8_t *in, size_t in_len, int padding);
int (*decrypt)(RSA *rsa, size_t *out_len, uint8_t *out, size_t max_out,
const uint8_t *in, size_t in_len, int padding);
- /* private_transform takes a big-endian integer from |in|, calculates the
- * d'th power of it, modulo the RSA modulus and writes the result as a
- * big-endian integer to |out|. Both |in| and |out| are |len| bytes long and
- * |len| is always equal to |RSA_size(rsa)|. If the result of the transform
- * can be represented in fewer than |len| bytes, then |out| must be zero
- * padded on the left.
- *
- * It returns one on success and zero otherwise.
- *
- * RSA decrypt and sign operations will call this, thus an ENGINE might wish
- * to override it in order to avoid having to implement the padding
- * functionality demanded by those, higher level, operations. */
+ // private_transform takes a big-endian integer from |in|, calculates the
+ // d'th power of it, modulo the RSA modulus and writes the result as a
+ // big-endian integer to |out|. Both |in| and |out| are |len| bytes long and
+ // |len| is always equal to |RSA_size(rsa)|. If the result of the transform
+ // can be represented in fewer than |len| bytes, then |out| must be zero
+ // padded on the left.
+ //
+ // It returns one on success and zero otherwise.
+ //
+ // RSA decrypt and sign operations will call this, thus an ENGINE might wish
+ // to override it in order to avoid having to implement the padding
+ // functionality demanded by those, higher level, operations.
int (*private_transform)(RSA *rsa, uint8_t *out, const uint8_t *in,
size_t len);
@@ -609,7 +609,7 @@
};
-/* Private functions. */
+// Private functions.
typedef struct bn_blinding_st BN_BLINDING;
@@ -625,33 +625,33 @@
BIGNUM *dmq1;
BIGNUM *iqmp;
- /* be careful using this if the RSA structure is shared */
+ // be careful using this if the RSA structure is shared
CRYPTO_EX_DATA ex_data;
CRYPTO_refcount_t references;
int flags;
CRYPTO_MUTEX lock;
- /* Used to cache montgomery values. The creation of these values is protected
- * by |lock|. */
+ // Used to cache montgomery values. The creation of these values is protected
+ // by |lock|.
BN_MONT_CTX *mont_n;
BN_MONT_CTX *mont_p;
BN_MONT_CTX *mont_q;
- /* num_blindings contains the size of the |blindings| and |blindings_inuse|
- * arrays. This member and the |blindings_inuse| array are protected by
- * |lock|. */
+ // num_blindings contains the size of the |blindings| and |blindings_inuse|
+ // arrays. This member and the |blindings_inuse| array are protected by
+ // |lock|.
unsigned num_blindings;
- /* blindings is an array of BN_BLINDING structures that can be reserved by a
- * thread by locking |lock| and changing the corresponding element in
- * |blindings_inuse| from 0 to 1. */
+ // blindings is an array of BN_BLINDING structures that can be reserved by a
+ // thread by locking |lock| and changing the corresponding element in
+ // |blindings_inuse| from 0 to 1.
BN_BLINDING **blindings;
unsigned char *blindings_inuse;
};
#if defined(__cplusplus)
-} /* extern C */
+} // extern C
extern "C++" {
@@ -661,7 +661,7 @@
} // namespace bssl
-} /* extern C++ */
+} // extern C++
#endif
@@ -713,4 +713,4 @@
#define RSA_R_WRONG_SIGNATURE_LENGTH 145
#define RSA_R_PUBLIC_KEY_VALIDATION_FAILED 146
-#endif /* OPENSSL_HEADER_RSA_H */
+#endif // OPENSSL_HEADER_RSA_H
diff --git a/src/include/openssl/sha.h b/src/include/openssl/sha.h
index 7c31097..fc4644b 100644
--- a/src/include/openssl/sha.h
+++ b/src/include/openssl/sha.h
@@ -64,42 +64,42 @@
#endif
-/* The SHA family of hash functions (SHA-1 and SHA-2). */
+// The SHA family of hash functions (SHA-1 and SHA-2).
-/* SHA_CBLOCK is the block size of SHA-1. */
+// SHA_CBLOCK is the block size of SHA-1.
#define SHA_CBLOCK 64
-/* SHA_DIGEST_LENGTH is the length of a SHA-1 digest. */
+// SHA_DIGEST_LENGTH is the length of a SHA-1 digest.
#define SHA_DIGEST_LENGTH 20
-/* SHA1_Init initialises |sha| and returns one. */
+// SHA1_Init initialises |sha| and returns one.
OPENSSL_EXPORT int SHA1_Init(SHA_CTX *sha);
-/* SHA1_Update adds |len| bytes from |data| to |sha| and returns one. */
+// SHA1_Update adds |len| bytes from |data| to |sha| and returns one.
OPENSSL_EXPORT int SHA1_Update(SHA_CTX *sha, const void *data, size_t len);
-/* SHA1_Final adds the final padding to |sha| and writes the resulting digest
- * to |md|, which must have at least |SHA_DIGEST_LENGTH| bytes of space. It
- * returns one. */
+// SHA1_Final adds the final padding to |sha| and writes the resulting digest
+// to |md|, which must have at least |SHA_DIGEST_LENGTH| bytes of space. It
+// returns one.
OPENSSL_EXPORT int SHA1_Final(uint8_t *md, SHA_CTX *sha);
-/* SHA1 writes the digest of |len| bytes from |data| to |out| and returns
- * |out|. There must be at least |SHA_DIGEST_LENGTH| bytes of space in
- * |out|. */
+// SHA1 writes the digest of |len| bytes from |data| to |out| and returns
+// |out|. There must be at least |SHA_DIGEST_LENGTH| bytes of space in
+// |out|.
OPENSSL_EXPORT uint8_t *SHA1(const uint8_t *data, size_t len, uint8_t *out);
-/* SHA1_Transform is a low-level function that performs a single, SHA-1 block
- * transformation using the state from |sha| and |SHA_CBLOCK| bytes from
- * |block|. */
+// SHA1_Transform is a low-level function that performs a single, SHA-1 block
+// transformation using the state from |sha| and |SHA_CBLOCK| bytes from
+// |block|.
OPENSSL_EXPORT void SHA1_Transform(SHA_CTX *sha, const uint8_t *block);
struct sha_state_st {
#if defined(OPENSSL_WINDOWS)
uint32_t h[5];
#else
- /* wpa_supplicant accesses |h0|..|h4| so we must support those names
- * for compatibility with it until it can be updated. */
+ // wpa_supplicant accesses |h0|..|h4| so we must support those names
+ // for compatibility with it until it can be updated.
union {
uint32_t h[5];
struct {
@@ -117,58 +117,58 @@
};
-/* SHA-224. */
+// SHA-224.
-/* SHA224_CBLOCK is the block size of SHA-224. */
+// SHA224_CBLOCK is the block size of SHA-224.
#define SHA224_CBLOCK 64
-/* SHA224_DIGEST_LENGTH is the length of a SHA-224 digest. */
+// SHA224_DIGEST_LENGTH is the length of a SHA-224 digest.
#define SHA224_DIGEST_LENGTH 28
-/* SHA224_Init initialises |sha| and returns 1. */
+// SHA224_Init initialises |sha| and returns 1.
OPENSSL_EXPORT int SHA224_Init(SHA256_CTX *sha);
-/* SHA224_Update adds |len| bytes from |data| to |sha| and returns 1. */
+// SHA224_Update adds |len| bytes from |data| to |sha| and returns 1.
OPENSSL_EXPORT int SHA224_Update(SHA256_CTX *sha, const void *data, size_t len);
-/* SHA224_Final adds the final padding to |sha| and writes the resulting digest
- * to |md|, which must have at least |SHA224_DIGEST_LENGTH| bytes of space. It
- * returns one on success and zero on programmer error. */
+// SHA224_Final adds the final padding to |sha| and writes the resulting digest
+// to |md|, which must have at least |SHA224_DIGEST_LENGTH| bytes of space. It
+// returns one on success and zero on programmer error.
OPENSSL_EXPORT int SHA224_Final(uint8_t *md, SHA256_CTX *sha);
-/* SHA224 writes the digest of |len| bytes from |data| to |out| and returns
- * |out|. There must be at least |SHA224_DIGEST_LENGTH| bytes of space in
- * |out|. */
+// SHA224 writes the digest of |len| bytes from |data| to |out| and returns
+// |out|. There must be at least |SHA224_DIGEST_LENGTH| bytes of space in
+// |out|.
OPENSSL_EXPORT uint8_t *SHA224(const uint8_t *data, size_t len, uint8_t *out);
-/* SHA-256. */
+// SHA-256.
-/* SHA256_CBLOCK is the block size of SHA-256. */
+// SHA256_CBLOCK is the block size of SHA-256.
#define SHA256_CBLOCK 64
-/* SHA256_DIGEST_LENGTH is the length of a SHA-256 digest. */
+// SHA256_DIGEST_LENGTH is the length of a SHA-256 digest.
#define SHA256_DIGEST_LENGTH 32
-/* SHA256_Init initialises |sha| and returns 1. */
+// SHA256_Init initialises |sha| and returns 1.
OPENSSL_EXPORT int SHA256_Init(SHA256_CTX *sha);
-/* SHA256_Update adds |len| bytes from |data| to |sha| and returns 1. */
+// SHA256_Update adds |len| bytes from |data| to |sha| and returns 1.
OPENSSL_EXPORT int SHA256_Update(SHA256_CTX *sha, const void *data, size_t len);
-/* SHA256_Final adds the final padding to |sha| and writes the resulting digest
- * to |md|, which must have at least |SHA256_DIGEST_LENGTH| bytes of space. It
- * returns one on success and zero on programmer error. */
+// SHA256_Final adds the final padding to |sha| and writes the resulting digest
+// to |md|, which must have at least |SHA256_DIGEST_LENGTH| bytes of space. It
+// returns one on success and zero on programmer error.
OPENSSL_EXPORT int SHA256_Final(uint8_t *md, SHA256_CTX *sha);
-/* SHA256 writes the digest of |len| bytes from |data| to |out| and returns
- * |out|. There must be at least |SHA256_DIGEST_LENGTH| bytes of space in
- * |out|. */
+// SHA256 writes the digest of |len| bytes from |data| to |out| and returns
+// |out|. There must be at least |SHA256_DIGEST_LENGTH| bytes of space in
+// |out|.
OPENSSL_EXPORT uint8_t *SHA256(const uint8_t *data, size_t len, uint8_t *out);
-/* SHA256_Transform is a low-level function that performs a single, SHA-256
- * block transformation using the state from |sha| and |SHA256_CBLOCK| bytes
- * from |block|. */
+// SHA256_Transform is a low-level function that performs a single, SHA-256
+// block transformation using the state from |sha| and |SHA256_CBLOCK| bytes
+// from |block|.
OPENSSL_EXPORT void SHA256_Transform(SHA256_CTX *sha, const uint8_t *block);
struct sha256_state_st {
@@ -179,63 +179,63 @@
};
-/* SHA-384. */
+// SHA-384.
-/* SHA384_CBLOCK is the block size of SHA-384. */
+// SHA384_CBLOCK is the block size of SHA-384.
#define SHA384_CBLOCK 128
-/* SHA384_DIGEST_LENGTH is the length of a SHA-384 digest. */
+// SHA384_DIGEST_LENGTH is the length of a SHA-384 digest.
#define SHA384_DIGEST_LENGTH 48
-/* SHA384_Init initialises |sha| and returns 1. */
+// SHA384_Init initialises |sha| and returns 1.
OPENSSL_EXPORT int SHA384_Init(SHA512_CTX *sha);
-/* SHA384_Update adds |len| bytes from |data| to |sha| and returns 1. */
+// SHA384_Update adds |len| bytes from |data| to |sha| and returns 1.
OPENSSL_EXPORT int SHA384_Update(SHA512_CTX *sha, const void *data, size_t len);
-/* SHA384_Final adds the final padding to |sha| and writes the resulting digest
- * to |md|, which must have at least |SHA384_DIGEST_LENGTH| bytes of space. It
- * returns one on success and zero on programmer error. */
+// SHA384_Final adds the final padding to |sha| and writes the resulting digest
+// to |md|, which must have at least |SHA384_DIGEST_LENGTH| bytes of space. It
+// returns one on success and zero on programmer error.
OPENSSL_EXPORT int SHA384_Final(uint8_t *md, SHA512_CTX *sha);
-/* SHA384 writes the digest of |len| bytes from |data| to |out| and returns
- * |out|. There must be at least |SHA384_DIGEST_LENGTH| bytes of space in
- * |out|. */
+// SHA384 writes the digest of |len| bytes from |data| to |out| and returns
+// |out|. There must be at least |SHA384_DIGEST_LENGTH| bytes of space in
+// |out|.
OPENSSL_EXPORT uint8_t *SHA384(const uint8_t *data, size_t len, uint8_t *out);
-/* SHA384_Transform is a low-level function that performs a single, SHA-384
- * block transformation using the state from |sha| and |SHA384_CBLOCK| bytes
- * from |block|. */
+// SHA384_Transform is a low-level function that performs a single, SHA-384
+// block transformation using the state from |sha| and |SHA384_CBLOCK| bytes
+// from |block|.
OPENSSL_EXPORT void SHA384_Transform(SHA512_CTX *sha, const uint8_t *block);
-/* SHA-512. */
+// SHA-512.
-/* SHA512_CBLOCK is the block size of SHA-512. */
+// SHA512_CBLOCK is the block size of SHA-512.
#define SHA512_CBLOCK 128
-/* SHA512_DIGEST_LENGTH is the length of a SHA-512 digest. */
+// SHA512_DIGEST_LENGTH is the length of a SHA-512 digest.
#define SHA512_DIGEST_LENGTH 64
-/* SHA512_Init initialises |sha| and returns 1. */
+// SHA512_Init initialises |sha| and returns 1.
OPENSSL_EXPORT int SHA512_Init(SHA512_CTX *sha);
-/* SHA512_Update adds |len| bytes from |data| to |sha| and returns 1. */
+// SHA512_Update adds |len| bytes from |data| to |sha| and returns 1.
OPENSSL_EXPORT int SHA512_Update(SHA512_CTX *sha, const void *data, size_t len);
-/* SHA512_Final adds the final padding to |sha| and writes the resulting digest
- * to |md|, which must have at least |SHA512_DIGEST_LENGTH| bytes of space. It
- * returns one on success and zero on programmer error. */
+// SHA512_Final adds the final padding to |sha| and writes the resulting digest
+// to |md|, which must have at least |SHA512_DIGEST_LENGTH| bytes of space. It
+// returns one on success and zero on programmer error.
OPENSSL_EXPORT int SHA512_Final(uint8_t *md, SHA512_CTX *sha);
-/* SHA512 writes the digest of |len| bytes from |data| to |out| and returns
- * |out|. There must be at least |SHA512_DIGEST_LENGTH| bytes of space in
- * |out|. */
+// SHA512 writes the digest of |len| bytes from |data| to |out| and returns
+// |out|. There must be at least |SHA512_DIGEST_LENGTH| bytes of space in
+// |out|.
OPENSSL_EXPORT uint8_t *SHA512(const uint8_t *data, size_t len, uint8_t *out);
-/* SHA512_Transform is a low-level function that performs a single, SHA-512
- * block transformation using the state from |sha| and |SHA512_CBLOCK| bytes
- * from |block|. */
+// SHA512_Transform is a low-level function that performs a single, SHA-512
+// block transformation using the state from |sha| and |SHA512_CBLOCK| bytes
+// from |block|.
OPENSSL_EXPORT void SHA512_Transform(SHA512_CTX *sha, const uint8_t *block);
struct sha512_state_st {
@@ -250,7 +250,7 @@
#if defined(__cplusplus)
-} /* extern C */
+} // extern C
#endif
-#endif /* OPENSSL_HEADER_SHA_H */
+#endif // OPENSSL_HEADER_SHA_H
diff --git a/src/include/openssl/span.h b/src/include/openssl/span.h
index 4c09159..08c4518 100644
--- a/src/include/openssl/span.h
+++ b/src/include/openssl/span.h
@@ -32,16 +32,16 @@
namespace internal {
template <typename T>
class SpanBase {
- /* Put comparison operator implementations into a base class with const T, so
- * they can be used with any type that implicitly converts into a Span. */
+ // Put comparison operator implementations into a base class with const T, so
+ // they can be used with any type that implicitly converts into a Span.
static_assert(std::is_const<T>::value,
"Span<T> must be derived from SpanBase<const T>");
friend bool operator==(Span<T> lhs, Span<T> rhs) {
- /* MSVC issues warning C4996 because std::equal is unsafe. The pragma to
- * suppress the warning mysteriously has no effect, hence this
- * implementation. See
- * https://msdn.microsoft.com/en-us/library/aa985974.aspx. */
+ // MSVC issues warning C4996 because std::equal is unsafe. The pragma to
+ // suppress the warning mysteriously has no effect, hence this
+ // implementation. See
+ // https://msdn.microsoft.com/en-us/library/aa985974.aspx.
if (lhs.size() != rhs.size()) {
return false;
}
@@ -58,37 +58,37 @@
};
} // namespace internal
-/* A Span<T> is a non-owning reference to a contiguous array of objects of type
- * |T|. Conceptually, a Span is a simple a pointer to |T| and a count of
- * elements accessible via that pointer. The elements referenced by the Span can
- * be mutated if |T| is mutable.
- *
- * A Span can be constructed from container types implementing |data()| and
- * |size()| methods. If |T| is constant, construction from a container type is
- * implicit. This allows writing methods that accept data from some unspecified
- * container type:
- *
- * // Foo views data referenced by v.
- * void Foo(bssl::Span<const uint8_t> v) { ... }
- *
- * std::vector<uint8_t> vec;
- * Foo(vec);
- *
- * For mutable Spans, conversion is explicit:
- *
- * // FooMutate mutates data referenced by v.
- * void FooMutate(bssl::Span<uint8_t> v) { ... }
- *
- * FooMutate(bssl::Span<uint8_t>(vec));
- *
- * You can also use the |MakeSpan| and |MakeConstSpan| factory methods to
- * construct Spans in order to deduce the type of the Span automatically.
- *
- * FooMutate(bssl::MakeSpan(vec));
- *
- * Note that Spans have value type sematics. They are cheap to construct and
- * copy, and should be passed by value whenever a method would otherwise accept
- * a reference or pointer to a container or array. */
+// A Span<T> is a non-owning reference to a contiguous array of objects of type
+// |T|. Conceptually, a Span is a simple a pointer to |T| and a count of
+// elements accessible via that pointer. The elements referenced by the Span can
+// be mutated if |T| is mutable.
+//
+// A Span can be constructed from container types implementing |data()| and
+// |size()| methods. If |T| is constant, construction from a container type is
+// implicit. This allows writing methods that accept data from some unspecified
+// container type:
+//
+// // Foo views data referenced by v.
+// void Foo(bssl::Span<const uint8_t> v) { ... }
+//
+// std::vector<uint8_t> vec;
+// Foo(vec);
+//
+// For mutable Spans, conversion is explicit:
+//
+// // FooMutate mutates data referenced by v.
+// void FooMutate(bssl::Span<uint8_t> v) { ... }
+//
+// FooMutate(bssl::Span<uint8_t>(vec));
+//
+// You can also use the |MakeSpan| and |MakeConstSpan| factory methods to
+// construct Spans in order to deduce the type of the Span automatically.
+//
+// FooMutate(bssl::MakeSpan(vec));
+//
+// Note that Spans have value type sematics. They are cheap to construct and
+// copy, and should be passed by value whenever a method would otherwise accept
+// a reference or pointer to a container or array.
template <typename T>
class Span : private internal::SpanBase<const T> {
private:
@@ -160,4 +160,4 @@
#endif // !defined(BORINGSSL_NO_CXX)
-#endif /* OPENSSL_HEADER_SSL_SPAN_H */
+#endif // OPENSSL_HEADER_SSL_SPAN_H
diff --git a/src/include/openssl/ssl.h b/src/include/openssl/ssl.h
index 63651b5..016c83c 100644
--- a/src/include/openssl/ssl.h
+++ b/src/include/openssl/ssl.h
@@ -159,9 +159,9 @@
#include <sys/time.h>
#endif
-/* Forward-declare struct timeval. On Windows, it is defined in winsock2.h and
- * Windows headers define too many macros to be included in public headers.
- * However, only a forward declaration is needed. */
+// Forward-declare struct timeval. On Windows, it is defined in winsock2.h and
+// Windows headers define too many macros to be included in public headers.
+// However, only a forward declaration is needed.
struct timeval;
#if defined(__cplusplus)
@@ -169,412 +169,412 @@
#endif
-/* SSL implementation. */
+// SSL implementation.
-/* SSL contexts.
- *
- * |SSL_CTX| objects manage shared state and configuration between multiple TLS
- * or DTLS connections. Whether the connections are TLS or DTLS is selected by
- * an |SSL_METHOD| on creation.
- *
- * |SSL_CTX| are reference-counted and may be shared by connections across
- * multiple threads. Once shared, functions which change the |SSL_CTX|'s
- * configuration may not be used. */
+// SSL contexts.
+//
+// |SSL_CTX| objects manage shared state and configuration between multiple TLS
+// or DTLS connections. Whether the connections are TLS or DTLS is selected by
+// an |SSL_METHOD| on creation.
+//
+// |SSL_CTX| are reference-counted and may be shared by connections across
+// multiple threads. Once shared, functions which change the |SSL_CTX|'s
+// configuration may not be used.
-/* TLS_method is the |SSL_METHOD| used for TLS (and SSLv3) connections. */
+// TLS_method is the |SSL_METHOD| used for TLS (and SSLv3) connections.
OPENSSL_EXPORT const SSL_METHOD *TLS_method(void);
-/* DTLS_method is the |SSL_METHOD| used for DTLS connections. */
+// DTLS_method is the |SSL_METHOD| used for DTLS connections.
OPENSSL_EXPORT const SSL_METHOD *DTLS_method(void);
-/* TLS_with_buffers_method is like |TLS_method|, but avoids all use of
- * crypto/x509. */
+// TLS_with_buffers_method is like |TLS_method|, but avoids all use of
+// crypto/x509.
OPENSSL_EXPORT const SSL_METHOD *TLS_with_buffers_method(void);
-/* DTLS_with_buffers_method is like |DTLS_method|, but avoids all use of
- * crypto/x509. */
+// DTLS_with_buffers_method is like |DTLS_method|, but avoids all use of
+// crypto/x509.
OPENSSL_EXPORT const SSL_METHOD *DTLS_with_buffers_method(void);
-/* SSL_CTX_new returns a newly-allocated |SSL_CTX| with default settings or NULL
- * on error. */
+// SSL_CTX_new returns a newly-allocated |SSL_CTX| with default settings or NULL
+// on error.
OPENSSL_EXPORT SSL_CTX *SSL_CTX_new(const SSL_METHOD *method);
-/* SSL_CTX_up_ref increments the reference count of |ctx|. It returns one. */
+// SSL_CTX_up_ref increments the reference count of |ctx|. It returns one.
OPENSSL_EXPORT int SSL_CTX_up_ref(SSL_CTX *ctx);
-/* SSL_CTX_free releases memory associated with |ctx|. */
+// SSL_CTX_free releases memory associated with |ctx|.
OPENSSL_EXPORT void SSL_CTX_free(SSL_CTX *ctx);
-/* SSL connections.
- *
- * An |SSL| object represents a single TLS or DTLS connection. Although the
- * shared |SSL_CTX| is thread-safe, an |SSL| is not thread-safe and may only be
- * used on one thread at a time. */
+// SSL connections.
+//
+// An |SSL| object represents a single TLS or DTLS connection. Although the
+// shared |SSL_CTX| is thread-safe, an |SSL| is not thread-safe and may only be
+// used on one thread at a time.
-/* SSL_new returns a newly-allocated |SSL| using |ctx| or NULL on error. The new
- * connection inherits settings from |ctx| at the time of creation. Settings may
- * also be individually configured on the connection.
- *
- * On creation, an |SSL| is not configured to be either a client or server. Call
- * |SSL_set_connect_state| or |SSL_set_accept_state| to set this. */
+// SSL_new returns a newly-allocated |SSL| using |ctx| or NULL on error. The new
+// connection inherits settings from |ctx| at the time of creation. Settings may
+// also be individually configured on the connection.
+//
+// On creation, an |SSL| is not configured to be either a client or server. Call
+// |SSL_set_connect_state| or |SSL_set_accept_state| to set this.
OPENSSL_EXPORT SSL *SSL_new(SSL_CTX *ctx);
-/* SSL_free releases memory associated with |ssl|. */
+// SSL_free releases memory associated with |ssl|.
OPENSSL_EXPORT void SSL_free(SSL *ssl);
-/* SSL_get_SSL_CTX returns the |SSL_CTX| associated with |ssl|. If
- * |SSL_set_SSL_CTX| is called, it returns the new |SSL_CTX|, not the initial
- * one. */
+// SSL_get_SSL_CTX returns the |SSL_CTX| associated with |ssl|. If
+// |SSL_set_SSL_CTX| is called, it returns the new |SSL_CTX|, not the initial
+// one.
OPENSSL_EXPORT SSL_CTX *SSL_get_SSL_CTX(const SSL *ssl);
-/* SSL_set_connect_state configures |ssl| to be a client. */
+// SSL_set_connect_state configures |ssl| to be a client.
OPENSSL_EXPORT void SSL_set_connect_state(SSL *ssl);
-/* SSL_set_accept_state configures |ssl| to be a server. */
+// SSL_set_accept_state configures |ssl| to be a server.
OPENSSL_EXPORT void SSL_set_accept_state(SSL *ssl);
-/* SSL_is_server returns one if |ssl| is configured as a server and zero
- * otherwise. */
+// SSL_is_server returns one if |ssl| is configured as a server and zero
+// otherwise.
OPENSSL_EXPORT int SSL_is_server(const SSL *ssl);
-/* SSL_is_dtls returns one if |ssl| is a DTLS connection and zero otherwise. */
+// SSL_is_dtls returns one if |ssl| is a DTLS connection and zero otherwise.
OPENSSL_EXPORT int SSL_is_dtls(const SSL *ssl);
-/* SSL_set_bio configures |ssl| to read from |rbio| and write to |wbio|. |ssl|
- * takes ownership of the two |BIO|s. If |rbio| and |wbio| are the same, |ssl|
- * only takes ownership of one reference.
- *
- * In DTLS, |rbio| must be non-blocking to properly handle timeouts and
- * retransmits.
- *
- * If |rbio| is the same as the currently configured |BIO| for reading, that
- * side is left untouched and is not freed.
- *
- * If |wbio| is the same as the currently configured |BIO| for writing AND |ssl|
- * is not currently configured to read from and write to the same |BIO|, that
- * side is left untouched and is not freed. This asymmetry is present for
- * historical reasons.
- *
- * Due to the very complex historical behavior of this function, calling this
- * function if |ssl| already has |BIO|s configured is deprecated. Prefer
- * |SSL_set0_rbio| and |SSL_set0_wbio| instead. */
+// SSL_set_bio configures |ssl| to read from |rbio| and write to |wbio|. |ssl|
+// takes ownership of the two |BIO|s. If |rbio| and |wbio| are the same, |ssl|
+// only takes ownership of one reference.
+//
+// In DTLS, |rbio| must be non-blocking to properly handle timeouts and
+// retransmits.
+//
+// If |rbio| is the same as the currently configured |BIO| for reading, that
+// side is left untouched and is not freed.
+//
+// If |wbio| is the same as the currently configured |BIO| for writing AND |ssl|
+// is not currently configured to read from and write to the same |BIO|, that
+// side is left untouched and is not freed. This asymmetry is present for
+// historical reasons.
+//
+// Due to the very complex historical behavior of this function, calling this
+// function if |ssl| already has |BIO|s configured is deprecated. Prefer
+// |SSL_set0_rbio| and |SSL_set0_wbio| instead.
OPENSSL_EXPORT void SSL_set_bio(SSL *ssl, BIO *rbio, BIO *wbio);
-/* SSL_set0_rbio configures |ssl| to write to |rbio|. It takes ownership of
- * |rbio|.
- *
- * Note that, although this function and |SSL_set0_wbio| may be called on the
- * same |BIO|, each call takes a reference. Use |BIO_up_ref| to balance this. */
+// SSL_set0_rbio configures |ssl| to write to |rbio|. It takes ownership of
+// |rbio|.
+//
+// Note that, although this function and |SSL_set0_wbio| may be called on the
+// same |BIO|, each call takes a reference. Use |BIO_up_ref| to balance this.
OPENSSL_EXPORT void SSL_set0_rbio(SSL *ssl, BIO *rbio);
-/* SSL_set0_wbio configures |ssl| to write to |wbio|. It takes ownership of
- * |wbio|.
- *
- * Note that, although this function and |SSL_set0_rbio| may be called on the
- * same |BIO|, each call takes a reference. Use |BIO_up_ref| to balance this. */
+// SSL_set0_wbio configures |ssl| to write to |wbio|. It takes ownership of
+// |wbio|.
+//
+// Note that, although this function and |SSL_set0_rbio| may be called on the
+// same |BIO|, each call takes a reference. Use |BIO_up_ref| to balance this.
OPENSSL_EXPORT void SSL_set0_wbio(SSL *ssl, BIO *wbio);
-/* SSL_get_rbio returns the |BIO| that |ssl| reads from. */
+// SSL_get_rbio returns the |BIO| that |ssl| reads from.
OPENSSL_EXPORT BIO *SSL_get_rbio(const SSL *ssl);
-/* SSL_get_wbio returns the |BIO| that |ssl| writes to. */
+// SSL_get_wbio returns the |BIO| that |ssl| writes to.
OPENSSL_EXPORT BIO *SSL_get_wbio(const SSL *ssl);
-/* SSL_get_fd calls |SSL_get_rfd|. */
+// SSL_get_fd calls |SSL_get_rfd|.
OPENSSL_EXPORT int SSL_get_fd(const SSL *ssl);
-/* SSL_get_rfd returns the file descriptor that |ssl| is configured to read
- * from. If |ssl|'s read |BIO| is not configured or doesn't wrap a file
- * descriptor then it returns -1.
- *
- * Note: On Windows, this may return either a file descriptor or a socket (cast
- * to int), depending on whether |ssl| was configured with a file descriptor or
- * socket |BIO|. */
+// SSL_get_rfd returns the file descriptor that |ssl| is configured to read
+// from. If |ssl|'s read |BIO| is not configured or doesn't wrap a file
+// descriptor then it returns -1.
+//
+// Note: On Windows, this may return either a file descriptor or a socket (cast
+// to int), depending on whether |ssl| was configured with a file descriptor or
+// socket |BIO|.
OPENSSL_EXPORT int SSL_get_rfd(const SSL *ssl);
-/* SSL_get_wfd returns the file descriptor that |ssl| is configured to write
- * to. If |ssl|'s write |BIO| is not configured or doesn't wrap a file
- * descriptor then it returns -1.
- *
- * Note: On Windows, this may return either a file descriptor or a socket (cast
- * to int), depending on whether |ssl| was configured with a file descriptor or
- * socket |BIO|. */
+// SSL_get_wfd returns the file descriptor that |ssl| is configured to write
+// to. If |ssl|'s write |BIO| is not configured or doesn't wrap a file
+// descriptor then it returns -1.
+//
+// Note: On Windows, this may return either a file descriptor or a socket (cast
+// to int), depending on whether |ssl| was configured with a file descriptor or
+// socket |BIO|.
OPENSSL_EXPORT int SSL_get_wfd(const SSL *ssl);
-/* SSL_set_fd configures |ssl| to read from and write to |fd|. It returns one
- * on success and zero on allocation error. The caller retains ownership of
- * |fd|.
- *
- * On Windows, |fd| is cast to a |SOCKET| and used with Winsock APIs. */
+// SSL_set_fd configures |ssl| to read from and write to |fd|. It returns one
+// on success and zero on allocation error. The caller retains ownership of
+// |fd|.
+//
+// On Windows, |fd| is cast to a |SOCKET| and used with Winsock APIs.
OPENSSL_EXPORT int SSL_set_fd(SSL *ssl, int fd);
-/* SSL_set_rfd configures |ssl| to read from |fd|. It returns one on success and
- * zero on allocation error. The caller retains ownership of |fd|.
- *
- * On Windows, |fd| is cast to a |SOCKET| and used with Winsock APIs. */
+// SSL_set_rfd configures |ssl| to read from |fd|. It returns one on success and
+// zero on allocation error. The caller retains ownership of |fd|.
+//
+// On Windows, |fd| is cast to a |SOCKET| and used with Winsock APIs.
OPENSSL_EXPORT int SSL_set_rfd(SSL *ssl, int fd);
-/* SSL_set_wfd configures |ssl| to write to |fd|. It returns one on success and
- * zero on allocation error. The caller retains ownership of |fd|.
- *
- * On Windows, |fd| is cast to a |SOCKET| and used with Winsock APIs. */
+// SSL_set_wfd configures |ssl| to write to |fd|. It returns one on success and
+// zero on allocation error. The caller retains ownership of |fd|.
+//
+// On Windows, |fd| is cast to a |SOCKET| and used with Winsock APIs.
OPENSSL_EXPORT int SSL_set_wfd(SSL *ssl, int fd);
-/* SSL_do_handshake continues the current handshake. If there is none or the
- * handshake has completed or False Started, it returns one. Otherwise, it
- * returns <= 0. The caller should pass the value into |SSL_get_error| to
- * determine how to proceed.
- *
- * In DTLS, the caller must drive retransmissions. Whenever |SSL_get_error|
- * signals |SSL_ERROR_WANT_READ|, use |DTLSv1_get_timeout| to determine the
- * current timeout. If it expires before the next retry, call
- * |DTLSv1_handle_timeout|. Note that DTLS handshake retransmissions use fresh
- * sequence numbers, so it is not sufficient to replay packets at the transport.
- *
- * TODO(davidben): Ensure 0 is only returned on transport EOF.
- * https://crbug.com/466303. */
+// SSL_do_handshake continues the current handshake. If there is none or the
+// handshake has completed or False Started, it returns one. Otherwise, it
+// returns <= 0. The caller should pass the value into |SSL_get_error| to
+// determine how to proceed.
+//
+// In DTLS, the caller must drive retransmissions. Whenever |SSL_get_error|
+// signals |SSL_ERROR_WANT_READ|, use |DTLSv1_get_timeout| to determine the
+// current timeout. If it expires before the next retry, call
+// |DTLSv1_handle_timeout|. Note that DTLS handshake retransmissions use fresh
+// sequence numbers, so it is not sufficient to replay packets at the transport.
+//
+// TODO(davidben): Ensure 0 is only returned on transport EOF.
+// https://crbug.com/466303.
OPENSSL_EXPORT int SSL_do_handshake(SSL *ssl);
-/* SSL_connect configures |ssl| as a client, if unconfigured, and calls
- * |SSL_do_handshake|. */
+// SSL_connect configures |ssl| as a client, if unconfigured, and calls
+// |SSL_do_handshake|.
OPENSSL_EXPORT int SSL_connect(SSL *ssl);
-/* SSL_accept configures |ssl| as a server, if unconfigured, and calls
- * |SSL_do_handshake|. */
+// SSL_accept configures |ssl| as a server, if unconfigured, and calls
+// |SSL_do_handshake|.
OPENSSL_EXPORT int SSL_accept(SSL *ssl);
-/* SSL_read reads up to |num| bytes from |ssl| into |buf|. It implicitly runs
- * any pending handshakes, including renegotiations when enabled. On success, it
- * returns the number of bytes read. Otherwise, it returns <= 0. The caller
- * should pass the value into |SSL_get_error| to determine how to proceed.
- *
- * TODO(davidben): Ensure 0 is only returned on transport EOF.
- * https://crbug.com/466303. */
+// SSL_read reads up to |num| bytes from |ssl| into |buf|. It implicitly runs
+// any pending handshakes, including renegotiations when enabled. On success, it
+// returns the number of bytes read. Otherwise, it returns <= 0. The caller
+// should pass the value into |SSL_get_error| to determine how to proceed.
+//
+// TODO(davidben): Ensure 0 is only returned on transport EOF.
+// https://crbug.com/466303.
OPENSSL_EXPORT int SSL_read(SSL *ssl, void *buf, int num);
-/* SSL_peek behaves like |SSL_read| but does not consume any bytes returned. */
+// SSL_peek behaves like |SSL_read| but does not consume any bytes returned.
OPENSSL_EXPORT int SSL_peek(SSL *ssl, void *buf, int num);
-/* SSL_pending returns the number of bytes available in |ssl|. It does not read
- * from the transport. */
+// SSL_pending returns the number of bytes available in |ssl|. It does not read
+// from the transport.
OPENSSL_EXPORT int SSL_pending(const SSL *ssl);
-/* SSL_write writes up to |num| bytes from |buf| into |ssl|. It implicitly runs
- * any pending handshakes, including renegotiations when enabled. On success, it
- * returns the number of bytes written. Otherwise, it returns <= 0. The caller
- * should pass the value into |SSL_get_error| to determine how to proceed.
- *
- * In TLS, a non-blocking |SSL_write| differs from non-blocking |write| in that
- * a failed |SSL_write| still commits to the data passed in. When retrying, the
- * caller must supply the original write buffer (or a larger one containing the
- * original as a prefix). By default, retries will fail if they also do not
- * reuse the same |buf| pointer. This may be relaxed with
- * |SSL_MODE_ACCEPT_MOVING_WRITE_BUFFER|, but the buffer contents still must be
- * unchanged.
- *
- * By default, in TLS, |SSL_write| will not return success until all |num| bytes
- * are written. This may be relaxed with |SSL_MODE_ENABLE_PARTIAL_WRITE|. It
- * allows |SSL_write| to complete with a partial result when only part of the
- * input was written in a single record.
- *
- * In DTLS, neither |SSL_MODE_ACCEPT_MOVING_WRITE_BUFFER| and
- * |SSL_MODE_ENABLE_PARTIAL_WRITE| do anything. The caller may retry with a
- * different buffer freely. A single call to |SSL_write| only ever writes a
- * single record in a single packet, so |num| must be at most
- * |SSL3_RT_MAX_PLAIN_LENGTH|.
- *
- * TODO(davidben): Ensure 0 is only returned on transport EOF.
- * https://crbug.com/466303. */
+// SSL_write writes up to |num| bytes from |buf| into |ssl|. It implicitly runs
+// any pending handshakes, including renegotiations when enabled. On success, it
+// returns the number of bytes written. Otherwise, it returns <= 0. The caller
+// should pass the value into |SSL_get_error| to determine how to proceed.
+//
+// In TLS, a non-blocking |SSL_write| differs from non-blocking |write| in that
+// a failed |SSL_write| still commits to the data passed in. When retrying, the
+// caller must supply the original write buffer (or a larger one containing the
+// original as a prefix). By default, retries will fail if they also do not
+// reuse the same |buf| pointer. This may be relaxed with
+// |SSL_MODE_ACCEPT_MOVING_WRITE_BUFFER|, but the buffer contents still must be
+// unchanged.
+//
+// By default, in TLS, |SSL_write| will not return success until all |num| bytes
+// are written. This may be relaxed with |SSL_MODE_ENABLE_PARTIAL_WRITE|. It
+// allows |SSL_write| to complete with a partial result when only part of the
+// input was written in a single record.
+//
+// In DTLS, neither |SSL_MODE_ACCEPT_MOVING_WRITE_BUFFER| and
+// |SSL_MODE_ENABLE_PARTIAL_WRITE| do anything. The caller may retry with a
+// different buffer freely. A single call to |SSL_write| only ever writes a
+// single record in a single packet, so |num| must be at most
+// |SSL3_RT_MAX_PLAIN_LENGTH|.
+//
+// TODO(davidben): Ensure 0 is only returned on transport EOF.
+// https://crbug.com/466303.
OPENSSL_EXPORT int SSL_write(SSL *ssl, const void *buf, int num);
-/* SSL_shutdown shuts down |ssl|. On success, it completes in two stages. First,
- * it returns 0 if |ssl| completed uni-directional shutdown; close_notify has
- * been sent, but the peer's close_notify has not been received. Most callers
- * may stop at this point. For bi-directional shutdown, call |SSL_shutdown|
- * again. It returns 1 if close_notify has been both sent and received.
- *
- * If the peer's close_notify arrived first, the first stage is skipped.
- * |SSL_shutdown| will return 1 once close_notify is sent and skip 0. Callers
- * only interested in uni-directional shutdown must therefore allow for the
- * first stage returning either 0 or 1.
- *
- * |SSL_shutdown| returns -1 on failure. The caller should pass the return value
- * into |SSL_get_error| to determine how to proceed. If the underlying |BIO| is
- * non-blocking, both stages may require retry. */
+// SSL_shutdown shuts down |ssl|. On success, it completes in two stages. First,
+// it returns 0 if |ssl| completed uni-directional shutdown; close_notify has
+// been sent, but the peer's close_notify has not been received. Most callers
+// may stop at this point. For bi-directional shutdown, call |SSL_shutdown|
+// again. It returns 1 if close_notify has been both sent and received.
+//
+// If the peer's close_notify arrived first, the first stage is skipped.
+// |SSL_shutdown| will return 1 once close_notify is sent and skip 0. Callers
+// only interested in uni-directional shutdown must therefore allow for the
+// first stage returning either 0 or 1.
+//
+// |SSL_shutdown| returns -1 on failure. The caller should pass the return value
+// into |SSL_get_error| to determine how to proceed. If the underlying |BIO| is
+// non-blocking, both stages may require retry.
OPENSSL_EXPORT int SSL_shutdown(SSL *ssl);
-/* SSL_CTX_set_quiet_shutdown sets quiet shutdown on |ctx| to |mode|. If
- * enabled, |SSL_shutdown| will not send a close_notify alert or wait for one
- * from the peer. It will instead synchronously return one. */
+// SSL_CTX_set_quiet_shutdown sets quiet shutdown on |ctx| to |mode|. If
+// enabled, |SSL_shutdown| will not send a close_notify alert or wait for one
+// from the peer. It will instead synchronously return one.
OPENSSL_EXPORT void SSL_CTX_set_quiet_shutdown(SSL_CTX *ctx, int mode);
-/* SSL_CTX_get_quiet_shutdown returns whether quiet shutdown is enabled for
- * |ctx|. */
+// SSL_CTX_get_quiet_shutdown returns whether quiet shutdown is enabled for
+// |ctx|.
OPENSSL_EXPORT int SSL_CTX_get_quiet_shutdown(const SSL_CTX *ctx);
-/* SSL_set_quiet_shutdown sets quiet shutdown on |ssl| to |mode|. If enabled,
- * |SSL_shutdown| will not send a close_notify alert or wait for one from the
- * peer. It will instead synchronously return one. */
+// SSL_set_quiet_shutdown sets quiet shutdown on |ssl| to |mode|. If enabled,
+// |SSL_shutdown| will not send a close_notify alert or wait for one from the
+// peer. It will instead synchronously return one.
OPENSSL_EXPORT void SSL_set_quiet_shutdown(SSL *ssl, int mode);
-/* SSL_get_quiet_shutdown returns whether quiet shutdown is enabled for
- * |ssl|. */
+// SSL_get_quiet_shutdown returns whether quiet shutdown is enabled for
+// |ssl|.
OPENSSL_EXPORT int SSL_get_quiet_shutdown(const SSL *ssl);
-/* SSL_get_error returns a |SSL_ERROR_*| value for the most recent operation on
- * |ssl|. It should be called after an operation failed to determine whether the
- * error was fatal and, if not, when to retry. */
+// SSL_get_error returns a |SSL_ERROR_*| value for the most recent operation on
+// |ssl|. It should be called after an operation failed to determine whether the
+// error was fatal and, if not, when to retry.
OPENSSL_EXPORT int SSL_get_error(const SSL *ssl, int ret_code);
-/* SSL_ERROR_NONE indicates the operation succeeded. */
+// SSL_ERROR_NONE indicates the operation succeeded.
#define SSL_ERROR_NONE 0
-/* SSL_ERROR_SSL indicates the operation failed within the library. The caller
- * may inspect the error queue for more information. */
+// SSL_ERROR_SSL indicates the operation failed within the library. The caller
+// may inspect the error queue for more information.
#define SSL_ERROR_SSL 1
-/* SSL_ERROR_WANT_READ indicates the operation failed attempting to read from
- * the transport. The caller may retry the operation when the transport is ready
- * for reading.
- *
- * If signaled by a DTLS handshake, the caller must also call
- * |DTLSv1_get_timeout| and |DTLSv1_handle_timeout| as appropriate. See
- * |SSL_do_handshake|. */
+// SSL_ERROR_WANT_READ indicates the operation failed attempting to read from
+// the transport. The caller may retry the operation when the transport is ready
+// for reading.
+//
+// If signaled by a DTLS handshake, the caller must also call
+// |DTLSv1_get_timeout| and |DTLSv1_handle_timeout| as appropriate. See
+// |SSL_do_handshake|.
#define SSL_ERROR_WANT_READ 2
-/* SSL_ERROR_WANT_WRITE indicates the operation failed attempting to write to
- * the transport. The caller may retry the operation when the transport is ready
- * for writing. */
+// SSL_ERROR_WANT_WRITE indicates the operation failed attempting to write to
+// the transport. The caller may retry the operation when the transport is ready
+// for writing.
#define SSL_ERROR_WANT_WRITE 3
-/* SSL_ERROR_WANT_X509_LOOKUP indicates the operation failed in calling the
- * |cert_cb| or |client_cert_cb|. The caller may retry the operation when the
- * callback is ready to return a certificate or one has been configured
- * externally.
- *
- * See also |SSL_CTX_set_cert_cb| and |SSL_CTX_set_client_cert_cb|. */
+// SSL_ERROR_WANT_X509_LOOKUP indicates the operation failed in calling the
+// |cert_cb| or |client_cert_cb|. The caller may retry the operation when the
+// callback is ready to return a certificate or one has been configured
+// externally.
+//
+// See also |SSL_CTX_set_cert_cb| and |SSL_CTX_set_client_cert_cb|.
#define SSL_ERROR_WANT_X509_LOOKUP 4
-/* SSL_ERROR_SYSCALL indicates the operation failed externally to the library.
- * The caller should consult the system-specific error mechanism. This is
- * typically |errno| but may be something custom if using a custom |BIO|. It
- * may also be signaled if the transport returned EOF, in which case the
- * operation's return value will be zero. */
+// SSL_ERROR_SYSCALL indicates the operation failed externally to the library.
+// The caller should consult the system-specific error mechanism. This is
+// typically |errno| but may be something custom if using a custom |BIO|. It
+// may also be signaled if the transport returned EOF, in which case the
+// operation's return value will be zero.
#define SSL_ERROR_SYSCALL 5
-/* SSL_ERROR_ZERO_RETURN indicates the operation failed because the connection
- * was cleanly shut down with a close_notify alert. */
+// SSL_ERROR_ZERO_RETURN indicates the operation failed because the connection
+// was cleanly shut down with a close_notify alert.
#define SSL_ERROR_ZERO_RETURN 6
-/* SSL_ERROR_WANT_CONNECT indicates the operation failed attempting to connect
- * the transport (the |BIO| signaled |BIO_RR_CONNECT|). The caller may retry the
- * operation when the transport is ready. */
+// SSL_ERROR_WANT_CONNECT indicates the operation failed attempting to connect
+// the transport (the |BIO| signaled |BIO_RR_CONNECT|). The caller may retry the
+// operation when the transport is ready.
#define SSL_ERROR_WANT_CONNECT 7
-/* SSL_ERROR_WANT_ACCEPT indicates the operation failed attempting to accept a
- * connection from the transport (the |BIO| signaled |BIO_RR_ACCEPT|). The
- * caller may retry the operation when the transport is ready.
- *
- * TODO(davidben): Remove this. It's used by accept BIOs which are bizarre. */
+// SSL_ERROR_WANT_ACCEPT indicates the operation failed attempting to accept a
+// connection from the transport (the |BIO| signaled |BIO_RR_ACCEPT|). The
+// caller may retry the operation when the transport is ready.
+//
+// TODO(davidben): Remove this. It's used by accept BIOs which are bizarre.
#define SSL_ERROR_WANT_ACCEPT 8
-/* SSL_ERROR_WANT_CHANNEL_ID_LOOKUP indicates the operation failed looking up
- * the Channel ID key. The caller may retry the operation when |channel_id_cb|
- * is ready to return a key or one has been configured with
- * |SSL_set1_tls_channel_id|.
- *
- * See also |SSL_CTX_set_channel_id_cb|. */
+// SSL_ERROR_WANT_CHANNEL_ID_LOOKUP indicates the operation failed looking up
+// the Channel ID key. The caller may retry the operation when |channel_id_cb|
+// is ready to return a key or one has been configured with
+// |SSL_set1_tls_channel_id|.
+//
+// See also |SSL_CTX_set_channel_id_cb|.
#define SSL_ERROR_WANT_CHANNEL_ID_LOOKUP 9
-/* SSL_ERROR_PENDING_SESSION indicates the operation failed because the session
- * lookup callback indicated the session was unavailable. The caller may retry
- * the operation when lookup has completed.
- *
- * See also |SSL_CTX_sess_set_get_cb| and |SSL_magic_pending_session_ptr|. */
+// SSL_ERROR_PENDING_SESSION indicates the operation failed because the session
+// lookup callback indicated the session was unavailable. The caller may retry
+// the operation when lookup has completed.
+//
+// See also |SSL_CTX_sess_set_get_cb| and |SSL_magic_pending_session_ptr|.
#define SSL_ERROR_PENDING_SESSION 11
-/* SSL_ERROR_PENDING_CERTIFICATE indicates the operation failed because the
- * early callback indicated certificate lookup was incomplete. The caller may
- * retry the operation when lookup has completed.
- *
- * See also |SSL_CTX_set_select_certificate_cb|. */
+// SSL_ERROR_PENDING_CERTIFICATE indicates the operation failed because the
+// early callback indicated certificate lookup was incomplete. The caller may
+// retry the operation when lookup has completed.
+//
+// See also |SSL_CTX_set_select_certificate_cb|.
#define SSL_ERROR_PENDING_CERTIFICATE 12
-/* SSL_ERROR_WANT_PRIVATE_KEY_OPERATION indicates the operation failed because
- * a private key operation was unfinished. The caller may retry the operation
- * when the private key operation is complete.
- *
- * See also |SSL_set_private_key_method| and
- * |SSL_CTX_set_private_key_method|. */
+// SSL_ERROR_WANT_PRIVATE_KEY_OPERATION indicates the operation failed because
+// a private key operation was unfinished. The caller may retry the operation
+// when the private key operation is complete.
+//
+// See also |SSL_set_private_key_method| and
+// |SSL_CTX_set_private_key_method|.
#define SSL_ERROR_WANT_PRIVATE_KEY_OPERATION 13
-/* SSL_ERROR_PENDING_TICKET indicates that a ticket decryption is pending. The
- * caller may retry the operation when the decryption is ready.
- *
- * See also |SSL_CTX_set_ticket_aead_method|. */
+// SSL_ERROR_PENDING_TICKET indicates that a ticket decryption is pending. The
+// caller may retry the operation when the decryption is ready.
+//
+// See also |SSL_CTX_set_ticket_aead_method|.
#define SSL_ERROR_PENDING_TICKET 14
-/* SSL_ERROR_EARLY_DATA_REJECTED indicates that early data was rejected. The
- * caller should treat this as a connection failure and retry any operations
- * associated with the rejected early data. |SSL_reset_early_data_reject| may be
- * used to reuse the underlying connection for the retry. */
+// SSL_ERROR_EARLY_DATA_REJECTED indicates that early data was rejected. The
+// caller should treat this as a connection failure and retry any operations
+// associated with the rejected early data. |SSL_reset_early_data_reject| may be
+// used to reuse the underlying connection for the retry.
#define SSL_ERROR_EARLY_DATA_REJECTED 15
-/* SSL_ERROR_WANT_CERTIFICATE_VERIFY indicates the operation failed because
- * certificate verification was incomplete. The caller may retry the operation
- * when certificate verification is complete.
- *
- * See also |SSL_CTX_set_custom_verify|. */
+// SSL_ERROR_WANT_CERTIFICATE_VERIFY indicates the operation failed because
+// certificate verification was incomplete. The caller may retry the operation
+// when certificate verification is complete.
+//
+// See also |SSL_CTX_set_custom_verify|.
#define SSL_ERROR_WANT_CERTIFICATE_VERIFY 16
-/* SSL_set_mtu sets the |ssl|'s MTU in DTLS to |mtu|. It returns one on success
- * and zero on failure. */
+// SSL_set_mtu sets the |ssl|'s MTU in DTLS to |mtu|. It returns one on success
+// and zero on failure.
OPENSSL_EXPORT int SSL_set_mtu(SSL *ssl, unsigned mtu);
-/* DTLSv1_set_initial_timeout_duration sets the initial duration for a DTLS
- * handshake timeout.
- *
- * This duration overrides the default of 1 second, which is the strong
- * recommendation of RFC 6347 (see section 4.2.4.1). However, there may exist
- * situations where a shorter timeout would be beneficial, such as for
- * time-sensitive applications. */
+// DTLSv1_set_initial_timeout_duration sets the initial duration for a DTLS
+// handshake timeout.
+//
+// This duration overrides the default of 1 second, which is the strong
+// recommendation of RFC 6347 (see section 4.2.4.1). However, there may exist
+// situations where a shorter timeout would be beneficial, such as for
+// time-sensitive applications.
OPENSSL_EXPORT void DTLSv1_set_initial_timeout_duration(SSL *ssl,
unsigned duration_ms);
-/* DTLSv1_get_timeout queries the next DTLS handshake timeout. If there is a
- * timeout in progress, it sets |*out| to the time remaining and returns one.
- * Otherwise, it returns zero.
- *
- * When the timeout expires, call |DTLSv1_handle_timeout| to handle the
- * retransmit behavior.
- *
- * NOTE: This function must be queried again whenever the handshake state
- * machine changes, including when |DTLSv1_handle_timeout| is called. */
+// DTLSv1_get_timeout queries the next DTLS handshake timeout. If there is a
+// timeout in progress, it sets |*out| to the time remaining and returns one.
+// Otherwise, it returns zero.
+//
+// When the timeout expires, call |DTLSv1_handle_timeout| to handle the
+// retransmit behavior.
+//
+// NOTE: This function must be queried again whenever the handshake state
+// machine changes, including when |DTLSv1_handle_timeout| is called.
OPENSSL_EXPORT int DTLSv1_get_timeout(const SSL *ssl, struct timeval *out);
-/* DTLSv1_handle_timeout is called when a DTLS handshake timeout expires. If no
- * timeout had expired, it returns 0. Otherwise, it retransmits the previous
- * flight of handshake messages and returns 1. If too many timeouts had expired
- * without progress or an error occurs, it returns -1.
- *
- * The caller's external timer should be compatible with the one |ssl| queries
- * within some fudge factor. Otherwise, the call will be a no-op, but
- * |DTLSv1_get_timeout| will return an updated timeout.
- *
- * If the function returns -1, checking if |SSL_get_error| returns
- * |SSL_ERROR_WANT_WRITE| may be used to determine if the retransmit failed due
- * to a non-fatal error at the write |BIO|. However, the operation may not be
- * retried until the next timeout fires.
- *
- * WARNING: This function breaks the usual return value convention.
- *
- * TODO(davidben): This |SSL_ERROR_WANT_WRITE| behavior is kind of bizarre. */
+// DTLSv1_handle_timeout is called when a DTLS handshake timeout expires. If no
+// timeout had expired, it returns 0. Otherwise, it retransmits the previous
+// flight of handshake messages and returns 1. If too many timeouts had expired
+// without progress or an error occurs, it returns -1.
+//
+// The caller's external timer should be compatible with the one |ssl| queries
+// within some fudge factor. Otherwise, the call will be a no-op, but
+// |DTLSv1_get_timeout| will return an updated timeout.
+//
+// If the function returns -1, checking if |SSL_get_error| returns
+// |SSL_ERROR_WANT_WRITE| may be used to determine if the retransmit failed due
+// to a non-fatal error at the write |BIO|. However, the operation may not be
+// retried until the next timeout fires.
+//
+// WARNING: This function breaks the usual return value convention.
+//
+// TODO(davidben): This |SSL_ERROR_WANT_WRITE| behavior is kind of bizarre.
OPENSSL_EXPORT int DTLSv1_handle_timeout(SSL *ssl);
-/* Protocol versions. */
+// Protocol versions.
#define DTLS1_VERSION_MAJOR 0xfe
#define SSL3_VERSION_MAJOR 0x03
@@ -592,53 +592,53 @@
#define TLS1_3_EXPERIMENT_VERSION 0x7e01
#define TLS1_3_RECORD_TYPE_EXPERIMENT_VERSION 0x7a12
-/* SSL_CTX_set_min_proto_version sets the minimum protocol version for |ctx| to
- * |version|. If |version| is zero, the default minimum version is used. It
- * returns one on success and zero if |version| is invalid. */
+// SSL_CTX_set_min_proto_version sets the minimum protocol version for |ctx| to
+// |version|. If |version| is zero, the default minimum version is used. It
+// returns one on success and zero if |version| is invalid.
OPENSSL_EXPORT int SSL_CTX_set_min_proto_version(SSL_CTX *ctx,
uint16_t version);
-/* SSL_CTX_set_max_proto_version sets the maximum protocol version for |ctx| to
- * |version|. If |version| is zero, the default maximum version is used. It
- * returns one on success and zero if |version| is invalid. */
+// SSL_CTX_set_max_proto_version sets the maximum protocol version for |ctx| to
+// |version|. If |version| is zero, the default maximum version is used. It
+// returns one on success and zero if |version| is invalid.
OPENSSL_EXPORT int SSL_CTX_set_max_proto_version(SSL_CTX *ctx,
uint16_t version);
-/* SSL_set_min_proto_version sets the minimum protocol version for |ssl| to
- * |version|. If |version| is zero, the default minimum version is used. It
- * returns one on success and zero if |version| is invalid. */
+// SSL_set_min_proto_version sets the minimum protocol version for |ssl| to
+// |version|. If |version| is zero, the default minimum version is used. It
+// returns one on success and zero if |version| is invalid.
OPENSSL_EXPORT int SSL_set_min_proto_version(SSL *ssl, uint16_t version);
-/* SSL_set_max_proto_version sets the maximum protocol version for |ssl| to
- * |version|. If |version| is zero, the default maximum version is used. It
- * returns one on success and zero if |version| is invalid. */
+// SSL_set_max_proto_version sets the maximum protocol version for |ssl| to
+// |version|. If |version| is zero, the default maximum version is used. It
+// returns one on success and zero if |version| is invalid.
OPENSSL_EXPORT int SSL_set_max_proto_version(SSL *ssl, uint16_t version);
-/* SSL_version returns the TLS or DTLS protocol version used by |ssl|, which is
- * one of the |*_VERSION| values. (E.g. |TLS1_2_VERSION|.) Before the version
- * is negotiated, the result is undefined. */
+// SSL_version returns the TLS or DTLS protocol version used by |ssl|, which is
+// one of the |*_VERSION| values. (E.g. |TLS1_2_VERSION|.) Before the version
+// is negotiated, the result is undefined.
OPENSSL_EXPORT int SSL_version(const SSL *ssl);
-/* Options.
- *
- * Options configure protocol behavior. */
+// Options.
+//
+// Options configure protocol behavior.
-/* SSL_OP_NO_QUERY_MTU, in DTLS, disables querying the MTU from the underlying
- * |BIO|. Instead, the MTU is configured with |SSL_set_mtu|. */
+// SSL_OP_NO_QUERY_MTU, in DTLS, disables querying the MTU from the underlying
+// |BIO|. Instead, the MTU is configured with |SSL_set_mtu|.
#define SSL_OP_NO_QUERY_MTU 0x00001000L
-/* SSL_OP_NO_TICKET disables session ticket support (RFC 5077). */
+// SSL_OP_NO_TICKET disables session ticket support (RFC 5077).
#define SSL_OP_NO_TICKET 0x00004000L
-/* SSL_OP_CIPHER_SERVER_PREFERENCE configures servers to select ciphers and
- * ECDHE curves according to the server's preferences instead of the
- * client's. */
+// SSL_OP_CIPHER_SERVER_PREFERENCE configures servers to select ciphers and
+// ECDHE curves according to the server's preferences instead of the
+// client's.
#define SSL_OP_CIPHER_SERVER_PREFERENCE 0x00400000L
-/* The following flags toggle individual protocol versions. This is deprecated.
- * Use |SSL_CTX_set_min_proto_version| and |SSL_CTX_set_max_proto_version|
- * instead. */
+// The following flags toggle individual protocol versions. This is deprecated.
+// Use |SSL_CTX_set_min_proto_version| and |SSL_CTX_set_max_proto_version|
+// instead.
#define SSL_OP_NO_SSLv3 0x02000000L
#define SSL_OP_NO_TLSv1 0x04000000L
#define SSL_OP_NO_TLSv1_2 0x08000000L
@@ -647,314 +647,314 @@
#define SSL_OP_NO_DTLSv1 SSL_OP_NO_TLSv1
#define SSL_OP_NO_DTLSv1_2 SSL_OP_NO_TLSv1_2
-/* SSL_CTX_set_options enables all options set in |options| (which should be one
- * or more of the |SSL_OP_*| values, ORed together) in |ctx|. It returns a
- * bitmask representing the resulting enabled options. */
+// SSL_CTX_set_options enables all options set in |options| (which should be one
+// or more of the |SSL_OP_*| values, ORed together) in |ctx|. It returns a
+// bitmask representing the resulting enabled options.
OPENSSL_EXPORT uint32_t SSL_CTX_set_options(SSL_CTX *ctx, uint32_t options);
-/* SSL_CTX_clear_options disables all options set in |options| (which should be
- * one or more of the |SSL_OP_*| values, ORed together) in |ctx|. It returns a
- * bitmask representing the resulting enabled options. */
+// SSL_CTX_clear_options disables all options set in |options| (which should be
+// one or more of the |SSL_OP_*| values, ORed together) in |ctx|. It returns a
+// bitmask representing the resulting enabled options.
OPENSSL_EXPORT uint32_t SSL_CTX_clear_options(SSL_CTX *ctx, uint32_t options);
-/* SSL_CTX_get_options returns a bitmask of |SSL_OP_*| values that represent all
- * the options enabled for |ctx|. */
+// SSL_CTX_get_options returns a bitmask of |SSL_OP_*| values that represent all
+// the options enabled for |ctx|.
OPENSSL_EXPORT uint32_t SSL_CTX_get_options(const SSL_CTX *ctx);
-/* SSL_set_options enables all options set in |options| (which should be one or
- * more of the |SSL_OP_*| values, ORed together) in |ssl|. It returns a bitmask
- * representing the resulting enabled options. */
+// SSL_set_options enables all options set in |options| (which should be one or
+// more of the |SSL_OP_*| values, ORed together) in |ssl|. It returns a bitmask
+// representing the resulting enabled options.
OPENSSL_EXPORT uint32_t SSL_set_options(SSL *ssl, uint32_t options);
-/* SSL_clear_options disables all options set in |options| (which should be one
- * or more of the |SSL_OP_*| values, ORed together) in |ssl|. It returns a
- * bitmask representing the resulting enabled options. */
+// SSL_clear_options disables all options set in |options| (which should be one
+// or more of the |SSL_OP_*| values, ORed together) in |ssl|. It returns a
+// bitmask representing the resulting enabled options.
OPENSSL_EXPORT uint32_t SSL_clear_options(SSL *ssl, uint32_t options);
-/* SSL_get_options returns a bitmask of |SSL_OP_*| values that represent all the
- * options enabled for |ssl|. */
+// SSL_get_options returns a bitmask of |SSL_OP_*| values that represent all the
+// options enabled for |ssl|.
OPENSSL_EXPORT uint32_t SSL_get_options(const SSL *ssl);
-/* Modes.
- *
- * Modes configure API behavior. */
+// Modes.
+//
+// Modes configure API behavior.
-/* SSL_MODE_ENABLE_PARTIAL_WRITE, in TLS, allows |SSL_write| to complete with a
- * partial result when the only part of the input was written in a single
- * record. In DTLS, it does nothing. */
+// SSL_MODE_ENABLE_PARTIAL_WRITE, in TLS, allows |SSL_write| to complete with a
+// partial result when the only part of the input was written in a single
+// record. In DTLS, it does nothing.
#define SSL_MODE_ENABLE_PARTIAL_WRITE 0x00000001L
-/* SSL_MODE_ACCEPT_MOVING_WRITE_BUFFER, in TLS, allows retrying an incomplete
- * |SSL_write| with a different buffer. However, |SSL_write| still assumes the
- * buffer contents are unchanged. This is not the default to avoid the
- * misconception that non-blocking |SSL_write| behaves like non-blocking
- * |write|. In DTLS, it does nothing. */
+// SSL_MODE_ACCEPT_MOVING_WRITE_BUFFER, in TLS, allows retrying an incomplete
+// |SSL_write| with a different buffer. However, |SSL_write| still assumes the
+// buffer contents are unchanged. This is not the default to avoid the
+// misconception that non-blocking |SSL_write| behaves like non-blocking
+// |write|. In DTLS, it does nothing.
#define SSL_MODE_ACCEPT_MOVING_WRITE_BUFFER 0x00000002L
-/* SSL_MODE_NO_AUTO_CHAIN disables automatically building a certificate chain
- * before sending certificates to the peer. This flag is set (and the feature
- * disabled) by default.
- * TODO(davidben): Remove this behavior. https://crbug.com/boringssl/42. */
+// SSL_MODE_NO_AUTO_CHAIN disables automatically building a certificate chain
+// before sending certificates to the peer. This flag is set (and the feature
+// disabled) by default.
+// TODO(davidben): Remove this behavior. https://crbug.com/boringssl/42.
#define SSL_MODE_NO_AUTO_CHAIN 0x00000008L
-/* SSL_MODE_ENABLE_FALSE_START allows clients to send application data before
- * receipt of ChangeCipherSpec and Finished. This mode enables full handshakes
- * to 'complete' in one RTT. See RFC 7918.
- *
- * When False Start is enabled, |SSL_do_handshake| may succeed before the
- * handshake has completely finished. |SSL_write| will function at this point,
- * and |SSL_read| will transparently wait for the final handshake leg before
- * returning application data. To determine if False Start occurred or when the
- * handshake is completely finished, see |SSL_in_false_start|, |SSL_in_init|,
- * and |SSL_CB_HANDSHAKE_DONE| from |SSL_CTX_set_info_callback|. */
+// SSL_MODE_ENABLE_FALSE_START allows clients to send application data before
+// receipt of ChangeCipherSpec and Finished. This mode enables full handshakes
+// to 'complete' in one RTT. See RFC 7918.
+//
+// When False Start is enabled, |SSL_do_handshake| may succeed before the
+// handshake has completely finished. |SSL_write| will function at this point,
+// and |SSL_read| will transparently wait for the final handshake leg before
+// returning application data. To determine if False Start occurred or when the
+// handshake is completely finished, see |SSL_in_false_start|, |SSL_in_init|,
+// and |SSL_CB_HANDSHAKE_DONE| from |SSL_CTX_set_info_callback|.
#define SSL_MODE_ENABLE_FALSE_START 0x00000080L
-/* SSL_MODE_CBC_RECORD_SPLITTING causes multi-byte CBC records in SSL 3.0 and
- * TLS 1.0 to be split in two: the first record will contain a single byte and
- * the second will contain the remainder. This effectively randomises the IV and
- * prevents BEAST attacks. */
+// SSL_MODE_CBC_RECORD_SPLITTING causes multi-byte CBC records in SSL 3.0 and
+// TLS 1.0 to be split in two: the first record will contain a single byte and
+// the second will contain the remainder. This effectively randomises the IV and
+// prevents BEAST attacks.
#define SSL_MODE_CBC_RECORD_SPLITTING 0x00000100L
-/* SSL_MODE_NO_SESSION_CREATION will cause any attempts to create a session to
- * fail with SSL_R_SESSION_MAY_NOT_BE_CREATED. This can be used to enforce that
- * session resumption is used for a given SSL*. */
+// SSL_MODE_NO_SESSION_CREATION will cause any attempts to create a session to
+// fail with SSL_R_SESSION_MAY_NOT_BE_CREATED. This can be used to enforce that
+// session resumption is used for a given SSL*.
#define SSL_MODE_NO_SESSION_CREATION 0x00000200L
-/* SSL_MODE_SEND_FALLBACK_SCSV sends TLS_FALLBACK_SCSV in the ClientHello.
- * To be set only by applications that reconnect with a downgraded protocol
- * version; see RFC 7507 for details.
- *
- * DO NOT ENABLE THIS if your application attempts a normal handshake. Only use
- * this in explicit fallback retries, following the guidance in RFC 7507. */
+// SSL_MODE_SEND_FALLBACK_SCSV sends TLS_FALLBACK_SCSV in the ClientHello.
+// To be set only by applications that reconnect with a downgraded protocol
+// version; see RFC 7507 for details.
+//
+// DO NOT ENABLE THIS if your application attempts a normal handshake. Only use
+// this in explicit fallback retries, following the guidance in RFC 7507.
#define SSL_MODE_SEND_FALLBACK_SCSV 0x00000400L
-/* SSL_CTX_set_mode enables all modes set in |mode| (which should be one or more
- * of the |SSL_MODE_*| values, ORed together) in |ctx|. It returns a bitmask
- * representing the resulting enabled modes. */
+// SSL_CTX_set_mode enables all modes set in |mode| (which should be one or more
+// of the |SSL_MODE_*| values, ORed together) in |ctx|. It returns a bitmask
+// representing the resulting enabled modes.
OPENSSL_EXPORT uint32_t SSL_CTX_set_mode(SSL_CTX *ctx, uint32_t mode);
-/* SSL_CTX_clear_mode disables all modes set in |mode| (which should be one or
- * more of the |SSL_MODE_*| values, ORed together) in |ctx|. It returns a
- * bitmask representing the resulting enabled modes. */
+// SSL_CTX_clear_mode disables all modes set in |mode| (which should be one or
+// more of the |SSL_MODE_*| values, ORed together) in |ctx|. It returns a
+// bitmask representing the resulting enabled modes.
OPENSSL_EXPORT uint32_t SSL_CTX_clear_mode(SSL_CTX *ctx, uint32_t mode);
-/* SSL_CTX_get_mode returns a bitmask of |SSL_MODE_*| values that represent all
- * the modes enabled for |ssl|. */
+// SSL_CTX_get_mode returns a bitmask of |SSL_MODE_*| values that represent all
+// the modes enabled for |ssl|.
OPENSSL_EXPORT uint32_t SSL_CTX_get_mode(const SSL_CTX *ctx);
-/* SSL_set_mode enables all modes set in |mode| (which should be one or more of
- * the |SSL_MODE_*| values, ORed together) in |ssl|. It returns a bitmask
- * representing the resulting enabled modes. */
+// SSL_set_mode enables all modes set in |mode| (which should be one or more of
+// the |SSL_MODE_*| values, ORed together) in |ssl|. It returns a bitmask
+// representing the resulting enabled modes.
OPENSSL_EXPORT uint32_t SSL_set_mode(SSL *ssl, uint32_t mode);
-/* SSL_clear_mode disables all modes set in |mode| (which should be one or more
- * of the |SSL_MODE_*| values, ORed together) in |ssl|. It returns a bitmask
- * representing the resulting enabled modes. */
+// SSL_clear_mode disables all modes set in |mode| (which should be one or more
+// of the |SSL_MODE_*| values, ORed together) in |ssl|. It returns a bitmask
+// representing the resulting enabled modes.
OPENSSL_EXPORT uint32_t SSL_clear_mode(SSL *ssl, uint32_t mode);
-/* SSL_get_mode returns a bitmask of |SSL_MODE_*| values that represent all the
- * modes enabled for |ssl|. */
+// SSL_get_mode returns a bitmask of |SSL_MODE_*| values that represent all the
+// modes enabled for |ssl|.
OPENSSL_EXPORT uint32_t SSL_get_mode(const SSL *ssl);
-/* SSL_CTX_set0_buffer_pool sets a |CRYPTO_BUFFER_POOL| that will be used to
- * store certificates. This can allow multiple connections to share
- * certificates and thus save memory.
- *
- * The SSL_CTX does not take ownership of |pool| and the caller must ensure
- * that |pool| outlives |ctx| and all objects linked to it, including |SSL|,
- * |X509| and |SSL_SESSION| objects. Basically, don't ever free |pool|. */
+// SSL_CTX_set0_buffer_pool sets a |CRYPTO_BUFFER_POOL| that will be used to
+// store certificates. This can allow multiple connections to share
+// certificates and thus save memory.
+//
+// The SSL_CTX does not take ownership of |pool| and the caller must ensure
+// that |pool| outlives |ctx| and all objects linked to it, including |SSL|,
+// |X509| and |SSL_SESSION| objects. Basically, don't ever free |pool|.
OPENSSL_EXPORT void SSL_CTX_set0_buffer_pool(SSL_CTX *ctx,
CRYPTO_BUFFER_POOL *pool);
-/* Configuring certificates and private keys.
- *
- * These functions configure the connection's leaf certificate, private key, and
- * certificate chain. The certificate chain is ordered leaf to root (as sent on
- * the wire) but does not include the leaf. Both client and server certificates
- * use these functions.
- *
- * Certificates and keys may be configured before the handshake or dynamically
- * in the early callback and certificate callback. */
+// Configuring certificates and private keys.
+//
+// These functions configure the connection's leaf certificate, private key, and
+// certificate chain. The certificate chain is ordered leaf to root (as sent on
+// the wire) but does not include the leaf. Both client and server certificates
+// use these functions.
+//
+// Certificates and keys may be configured before the handshake or dynamically
+// in the early callback and certificate callback.
-/* SSL_CTX_use_certificate sets |ctx|'s leaf certificate to |x509|. It returns
- * one on success and zero on failure. */
+// SSL_CTX_use_certificate sets |ctx|'s leaf certificate to |x509|. It returns
+// one on success and zero on failure.
OPENSSL_EXPORT int SSL_CTX_use_certificate(SSL_CTX *ctx, X509 *x509);
-/* SSL_use_certificate sets |ssl|'s leaf certificate to |x509|. It returns one
- * on success and zero on failure. */
+// SSL_use_certificate sets |ssl|'s leaf certificate to |x509|. It returns one
+// on success and zero on failure.
OPENSSL_EXPORT int SSL_use_certificate(SSL *ssl, X509 *x509);
-/* SSL_CTX_use_PrivateKey sets |ctx|'s private key to |pkey|. It returns one on
- * success and zero on failure. */
+// SSL_CTX_use_PrivateKey sets |ctx|'s private key to |pkey|. It returns one on
+// success and zero on failure.
OPENSSL_EXPORT int SSL_CTX_use_PrivateKey(SSL_CTX *ctx, EVP_PKEY *pkey);
-/* SSL_use_PrivateKey sets |ssl|'s private key to |pkey|. It returns one on
- * success and zero on failure. */
+// SSL_use_PrivateKey sets |ssl|'s private key to |pkey|. It returns one on
+// success and zero on failure.
OPENSSL_EXPORT int SSL_use_PrivateKey(SSL *ssl, EVP_PKEY *pkey);
-/* SSL_CTX_set0_chain sets |ctx|'s certificate chain, excluding the leaf, to
- * |chain|. On success, it returns one and takes ownership of |chain|.
- * Otherwise, it returns zero. */
+// SSL_CTX_set0_chain sets |ctx|'s certificate chain, excluding the leaf, to
+// |chain|. On success, it returns one and takes ownership of |chain|.
+// Otherwise, it returns zero.
OPENSSL_EXPORT int SSL_CTX_set0_chain(SSL_CTX *ctx, STACK_OF(X509) *chain);
-/* SSL_CTX_set1_chain sets |ctx|'s certificate chain, excluding the leaf, to
- * |chain|. It returns one on success and zero on failure. The caller retains
- * ownership of |chain| and may release it freely. */
+// SSL_CTX_set1_chain sets |ctx|'s certificate chain, excluding the leaf, to
+// |chain|. It returns one on success and zero on failure. The caller retains
+// ownership of |chain| and may release it freely.
OPENSSL_EXPORT int SSL_CTX_set1_chain(SSL_CTX *ctx, STACK_OF(X509) *chain);
-/* SSL_set0_chain sets |ssl|'s certificate chain, excluding the leaf, to
- * |chain|. On success, it returns one and takes ownership of |chain|.
- * Otherwise, it returns zero. */
+// SSL_set0_chain sets |ssl|'s certificate chain, excluding the leaf, to
+// |chain|. On success, it returns one and takes ownership of |chain|.
+// Otherwise, it returns zero.
OPENSSL_EXPORT int SSL_set0_chain(SSL *ssl, STACK_OF(X509) *chain);
-/* SSL_set1_chain sets |ssl|'s certificate chain, excluding the leaf, to
- * |chain|. It returns one on success and zero on failure. The caller retains
- * ownership of |chain| and may release it freely. */
+// SSL_set1_chain sets |ssl|'s certificate chain, excluding the leaf, to
+// |chain|. It returns one on success and zero on failure. The caller retains
+// ownership of |chain| and may release it freely.
OPENSSL_EXPORT int SSL_set1_chain(SSL *ssl, STACK_OF(X509) *chain);
-/* SSL_CTX_add0_chain_cert appends |x509| to |ctx|'s certificate chain. On
- * success, it returns one and takes ownership of |x509|. Otherwise, it returns
- * zero. */
+// SSL_CTX_add0_chain_cert appends |x509| to |ctx|'s certificate chain. On
+// success, it returns one and takes ownership of |x509|. Otherwise, it returns
+// zero.
OPENSSL_EXPORT int SSL_CTX_add0_chain_cert(SSL_CTX *ctx, X509 *x509);
-/* SSL_CTX_add1_chain_cert appends |x509| to |ctx|'s certificate chain. It
- * returns one on success and zero on failure. The caller retains ownership of
- * |x509| and may release it freely. */
+// SSL_CTX_add1_chain_cert appends |x509| to |ctx|'s certificate chain. It
+// returns one on success and zero on failure. The caller retains ownership of
+// |x509| and may release it freely.
OPENSSL_EXPORT int SSL_CTX_add1_chain_cert(SSL_CTX *ctx, X509 *x509);
-/* SSL_add0_chain_cert appends |x509| to |ctx|'s certificate chain. On success,
- * it returns one and takes ownership of |x509|. Otherwise, it returns zero. */
+// SSL_add0_chain_cert appends |x509| to |ctx|'s certificate chain. On success,
+// it returns one and takes ownership of |x509|. Otherwise, it returns zero.
OPENSSL_EXPORT int SSL_add0_chain_cert(SSL *ssl, X509 *x509);
-/* SSL_CTX_add_extra_chain_cert calls |SSL_CTX_add0_chain_cert|. */
+// SSL_CTX_add_extra_chain_cert calls |SSL_CTX_add0_chain_cert|.
OPENSSL_EXPORT int SSL_CTX_add_extra_chain_cert(SSL_CTX *ctx, X509 *x509);
-/* SSL_add1_chain_cert appends |x509| to |ctx|'s certificate chain. It returns
- * one on success and zero on failure. The caller retains ownership of |x509|
- * and may release it freely. */
+// SSL_add1_chain_cert appends |x509| to |ctx|'s certificate chain. It returns
+// one on success and zero on failure. The caller retains ownership of |x509|
+// and may release it freely.
OPENSSL_EXPORT int SSL_add1_chain_cert(SSL *ssl, X509 *x509);
-/* SSL_CTX_clear_chain_certs clears |ctx|'s certificate chain and returns
- * one. */
+// SSL_CTX_clear_chain_certs clears |ctx|'s certificate chain and returns
+// one.
OPENSSL_EXPORT int SSL_CTX_clear_chain_certs(SSL_CTX *ctx);
-/* SSL_CTX_clear_extra_chain_certs calls |SSL_CTX_clear_chain_certs|. */
+// SSL_CTX_clear_extra_chain_certs calls |SSL_CTX_clear_chain_certs|.
OPENSSL_EXPORT int SSL_CTX_clear_extra_chain_certs(SSL_CTX *ctx);
-/* SSL_clear_chain_certs clears |ssl|'s certificate chain and returns one. */
+// SSL_clear_chain_certs clears |ssl|'s certificate chain and returns one.
OPENSSL_EXPORT int SSL_clear_chain_certs(SSL *ssl);
-/* SSL_CTX_set_cert_cb sets a callback that is called to select a certificate.
- * The callback returns one on success, zero on internal error, and a negative
- * number on failure or to pause the handshake. If the handshake is paused,
- * |SSL_get_error| will return |SSL_ERROR_WANT_X509_LOOKUP|.
- *
- * On the client, the callback may call |SSL_get0_certificate_types| and
- * |SSL_get_client_CA_list| for information on the server's certificate
- * request.
- *
- * On the server, the callback will be called on non-resumption handshakes,
- * after extensions have been processed. */
+// SSL_CTX_set_cert_cb sets a callback that is called to select a certificate.
+// The callback returns one on success, zero on internal error, and a negative
+// number on failure or to pause the handshake. If the handshake is paused,
+// |SSL_get_error| will return |SSL_ERROR_WANT_X509_LOOKUP|.
+//
+// On the client, the callback may call |SSL_get0_certificate_types| and
+// |SSL_get_client_CA_list| for information on the server's certificate
+// request.
+//
+// On the server, the callback will be called on non-resumption handshakes,
+// after extensions have been processed.
OPENSSL_EXPORT void SSL_CTX_set_cert_cb(SSL_CTX *ctx,
int (*cb)(SSL *ssl, void *arg),
void *arg);
-/* SSL_set_cert_cb sets a callback that is called to select a certificate. The
- * callback returns one on success, zero on internal error, and a negative
- * number on failure or to pause the handshake. If the handshake is paused,
- * |SSL_get_error| will return |SSL_ERROR_WANT_X509_LOOKUP|.
- *
- * On the client, the callback may call |SSL_get0_certificate_types| and
- * |SSL_get_client_CA_list| for information on the server's certificate
- * request. */
+// SSL_set_cert_cb sets a callback that is called to select a certificate. The
+// callback returns one on success, zero on internal error, and a negative
+// number on failure or to pause the handshake. If the handshake is paused,
+// |SSL_get_error| will return |SSL_ERROR_WANT_X509_LOOKUP|.
+//
+// On the client, the callback may call |SSL_get0_certificate_types| and
+// |SSL_get_client_CA_list| for information on the server's certificate
+// request.
OPENSSL_EXPORT void SSL_set_cert_cb(SSL *ssl, int (*cb)(SSL *ssl, void *arg),
void *arg);
-/* SSL_get0_certificate_types, for a client, sets |*out_types| to an array
- * containing the client certificate types requested by a server. It returns the
- * length of the array.
- *
- * The behavior of this function is undefined except during the callbacks set by
- * by |SSL_CTX_set_cert_cb| and |SSL_CTX_set_client_cert_cb| or when the
- * handshake is paused because of them. */
+// SSL_get0_certificate_types, for a client, sets |*out_types| to an array
+// containing the client certificate types requested by a server. It returns the
+// length of the array.
+//
+// The behavior of this function is undefined except during the callbacks set by
+// by |SSL_CTX_set_cert_cb| and |SSL_CTX_set_client_cert_cb| or when the
+// handshake is paused because of them.
OPENSSL_EXPORT size_t SSL_get0_certificate_types(SSL *ssl,
const uint8_t **out_types);
-/* SSL_certs_clear resets the private key, leaf certificate, and certificate
- * chain of |ssl|. */
+// SSL_certs_clear resets the private key, leaf certificate, and certificate
+// chain of |ssl|.
OPENSSL_EXPORT void SSL_certs_clear(SSL *ssl);
-/* SSL_CTX_check_private_key returns one if the certificate and private key
- * configured in |ctx| are consistent and zero otherwise. */
+// SSL_CTX_check_private_key returns one if the certificate and private key
+// configured in |ctx| are consistent and zero otherwise.
OPENSSL_EXPORT int SSL_CTX_check_private_key(const SSL_CTX *ctx);
-/* SSL_check_private_key returns one if the certificate and private key
- * configured in |ssl| are consistent and zero otherwise. */
+// SSL_check_private_key returns one if the certificate and private key
+// configured in |ssl| are consistent and zero otherwise.
OPENSSL_EXPORT int SSL_check_private_key(const SSL *ssl);
-/* SSL_CTX_get0_certificate returns |ctx|'s leaf certificate. */
+// SSL_CTX_get0_certificate returns |ctx|'s leaf certificate.
OPENSSL_EXPORT X509 *SSL_CTX_get0_certificate(const SSL_CTX *ctx);
-/* SSL_get_certificate returns |ssl|'s leaf certificate. */
+// SSL_get_certificate returns |ssl|'s leaf certificate.
OPENSSL_EXPORT X509 *SSL_get_certificate(const SSL *ssl);
-/* SSL_CTX_get0_privatekey returns |ctx|'s private key. */
+// SSL_CTX_get0_privatekey returns |ctx|'s private key.
OPENSSL_EXPORT EVP_PKEY *SSL_CTX_get0_privatekey(const SSL_CTX *ctx);
-/* SSL_get_privatekey returns |ssl|'s private key. */
+// SSL_get_privatekey returns |ssl|'s private key.
OPENSSL_EXPORT EVP_PKEY *SSL_get_privatekey(const SSL *ssl);
-/* SSL_CTX_get0_chain_certs sets |*out_chain| to |ctx|'s certificate chain and
- * returns one. */
+// SSL_CTX_get0_chain_certs sets |*out_chain| to |ctx|'s certificate chain and
+// returns one.
OPENSSL_EXPORT int SSL_CTX_get0_chain_certs(const SSL_CTX *ctx,
STACK_OF(X509) **out_chain);
-/* SSL_CTX_get_extra_chain_certs calls |SSL_CTX_get0_chain_certs|. */
+// SSL_CTX_get_extra_chain_certs calls |SSL_CTX_get0_chain_certs|.
OPENSSL_EXPORT int SSL_CTX_get_extra_chain_certs(const SSL_CTX *ctx,
STACK_OF(X509) **out_chain);
-/* SSL_get0_chain_certs sets |*out_chain| to |ssl|'s certificate chain and
- * returns one. */
+// SSL_get0_chain_certs sets |*out_chain| to |ssl|'s certificate chain and
+// returns one.
OPENSSL_EXPORT int SSL_get0_chain_certs(const SSL *ssl,
STACK_OF(X509) **out_chain);
-/* SSL_CTX_set_signed_cert_timestamp_list sets the list of signed certificate
- * timestamps that is sent to clients that request it. The |list| argument must
- * contain one or more SCT structures serialised as a SignedCertificateTimestamp
- * List (see https://tools.ietf.org/html/rfc6962#section-3.3) – i.e. each SCT
- * is prefixed by a big-endian, uint16 length and the concatenation of one or
- * more such prefixed SCTs are themselves also prefixed by a uint16 length. It
- * returns one on success and zero on error. The caller retains ownership of
- * |list|. */
+// SSL_CTX_set_signed_cert_timestamp_list sets the list of signed certificate
+// timestamps that is sent to clients that request it. The |list| argument must
+// contain one or more SCT structures serialised as a SignedCertificateTimestamp
+// List (see https://tools.ietf.org/html/rfc6962#section-3.3) – i.e. each SCT
+// is prefixed by a big-endian, uint16 length and the concatenation of one or
+// more such prefixed SCTs are themselves also prefixed by a uint16 length. It
+// returns one on success and zero on error. The caller retains ownership of
+// |list|.
OPENSSL_EXPORT int SSL_CTX_set_signed_cert_timestamp_list(SSL_CTX *ctx,
const uint8_t *list,
size_t list_len);
-/* SSL_set_signed_cert_timestamp_list sets the list of signed certificate
- * timestamps that is sent to clients that request is. The same format as the
- * one used for |SSL_CTX_set_signed_cert_timestamp_list| applies. The caller
- * retains ownership of |list|. */
+// SSL_set_signed_cert_timestamp_list sets the list of signed certificate
+// timestamps that is sent to clients that request is. The same format as the
+// one used for |SSL_CTX_set_signed_cert_timestamp_list| applies. The caller
+// retains ownership of |list|.
OPENSSL_EXPORT int SSL_set_signed_cert_timestamp_list(SSL *ctx,
const uint8_t *list,
size_t list_len);
-/* SSL_CTX_set_ocsp_response sets the OCSP response that is sent to clients
- * which request it. It returns one on success and zero on error. The caller
- * retains ownership of |response|. */
+// SSL_CTX_set_ocsp_response sets the OCSP response that is sent to clients
+// which request it. It returns one on success and zero on error. The caller
+// retains ownership of |response|.
OPENSSL_EXPORT int SSL_CTX_set_ocsp_response(SSL_CTX *ctx,
const uint8_t *response,
size_t response_len);
-/* SSL_set_ocsp_response sets the OCSP response that is sent to clients which
- * request it. It returns one on success and zero on error. The caller retains
- * ownership of |response|. */
+// SSL_set_ocsp_response sets the OCSP response that is sent to clients which
+// request it. It returns one on success and zero on error. The caller retains
+// ownership of |response|.
OPENSSL_EXPORT int SSL_set_ocsp_response(SSL *ssl,
const uint8_t *response,
size_t response_len);
-/* SSL_SIGN_* are signature algorithm values as defined in TLS 1.3. */
+// SSL_SIGN_* are signature algorithm values as defined in TLS 1.3.
#define SSL_SIGN_RSA_PKCS1_SHA1 0x0201
#define SSL_SIGN_RSA_PKCS1_SHA256 0x0401
#define SSL_SIGN_RSA_PKCS1_SHA384 0x0501
@@ -968,57 +968,57 @@
#define SSL_SIGN_RSA_PSS_SHA512 0x0806
#define SSL_SIGN_ED25519 0x0807
-/* SSL_SIGN_RSA_PKCS1_MD5_SHA1 is an internal signature algorithm used to
- * specify raw RSASSA-PKCS1-v1_5 with an MD5/SHA-1 concatenation, as used in TLS
- * before TLS 1.2. */
+// SSL_SIGN_RSA_PKCS1_MD5_SHA1 is an internal signature algorithm used to
+// specify raw RSASSA-PKCS1-v1_5 with an MD5/SHA-1 concatenation, as used in TLS
+// before TLS 1.2.
#define SSL_SIGN_RSA_PKCS1_MD5_SHA1 0xff01
-/* SSL_CTX_set_signing_algorithm_prefs configures |ctx| to use |prefs| as the
- * preference list when signing with |ctx|'s private key. It returns one on
- * success and zero on error. |prefs| should not include the internal-only value
- * |SSL_SIGN_RSA_PKCS1_MD5_SHA1|. */
+// SSL_CTX_set_signing_algorithm_prefs configures |ctx| to use |prefs| as the
+// preference list when signing with |ctx|'s private key. It returns one on
+// success and zero on error. |prefs| should not include the internal-only value
+// |SSL_SIGN_RSA_PKCS1_MD5_SHA1|.
OPENSSL_EXPORT int SSL_CTX_set_signing_algorithm_prefs(SSL_CTX *ctx,
const uint16_t *prefs,
size_t num_prefs);
-/* SSL_set_signing_algorithm_prefs configures |ssl| to use |prefs| as the
- * preference list when signing with |ssl|'s private key. It returns one on
- * success and zero on error. |prefs| should not include the internal-only value
- * |SSL_SIGN_RSA_PKCS1_MD5_SHA1|. */
+// SSL_set_signing_algorithm_prefs configures |ssl| to use |prefs| as the
+// preference list when signing with |ssl|'s private key. It returns one on
+// success and zero on error. |prefs| should not include the internal-only value
+// |SSL_SIGN_RSA_PKCS1_MD5_SHA1|.
OPENSSL_EXPORT int SSL_set_signing_algorithm_prefs(SSL *ssl,
const uint16_t *prefs,
size_t num_prefs);
-/* Certificate and private key convenience functions. */
+// Certificate and private key convenience functions.
-/* SSL_CTX_set_chain_and_key sets the certificate chain and private key for a
- * TLS client or server. References to the given |CRYPTO_BUFFER| and |EVP_PKEY|
- * objects are added as needed. Exactly one of |privkey| or |privkey_method|
- * may be non-NULL. Returns one on success and zero on error. */
+// SSL_CTX_set_chain_and_key sets the certificate chain and private key for a
+// TLS client or server. References to the given |CRYPTO_BUFFER| and |EVP_PKEY|
+// objects are added as needed. Exactly one of |privkey| or |privkey_method|
+// may be non-NULL. Returns one on success and zero on error.
OPENSSL_EXPORT int SSL_CTX_set_chain_and_key(
SSL_CTX *ctx, CRYPTO_BUFFER *const *certs, size_t num_certs,
EVP_PKEY *privkey, const SSL_PRIVATE_KEY_METHOD *privkey_method);
-/* SSL_set_chain_and_key sets the certificate chain and private key for a TLS
- * client or server. References to the given |CRYPTO_BUFFER| and |EVP_PKEY|
- * objects are added as needed. Exactly one of |privkey| or |privkey_method|
- * may be non-NULL. Returns one on success and zero on error. */
+// SSL_set_chain_and_key sets the certificate chain and private key for a TLS
+// client or server. References to the given |CRYPTO_BUFFER| and |EVP_PKEY|
+// objects are added as needed. Exactly one of |privkey| or |privkey_method|
+// may be non-NULL. Returns one on success and zero on error.
OPENSSL_EXPORT int SSL_set_chain_and_key(
SSL *ssl, CRYPTO_BUFFER *const *certs, size_t num_certs, EVP_PKEY *privkey,
const SSL_PRIVATE_KEY_METHOD *privkey_method);
-/* SSL_CTX_use_RSAPrivateKey sets |ctx|'s private key to |rsa|. It returns one
- * on success and zero on failure. */
+// SSL_CTX_use_RSAPrivateKey sets |ctx|'s private key to |rsa|. It returns one
+// on success and zero on failure.
OPENSSL_EXPORT int SSL_CTX_use_RSAPrivateKey(SSL_CTX *ctx, RSA *rsa);
-/* SSL_use_RSAPrivateKey sets |ctx|'s private key to |rsa|. It returns one on
- * success and zero on failure. */
+// SSL_use_RSAPrivateKey sets |ctx|'s private key to |rsa|. It returns one on
+// success and zero on failure.
OPENSSL_EXPORT int SSL_use_RSAPrivateKey(SSL *ssl, RSA *rsa);
-/* The following functions configure certificates or private keys but take as
- * input DER-encoded structures. They return one on success and zero on
- * failure. */
+// The following functions configure certificates or private keys but take as
+// input DER-encoded structures. They return one on success and zero on
+// failure.
OPENSSL_EXPORT int SSL_CTX_use_certificate_ASN1(SSL_CTX *ctx, size_t der_len,
const uint8_t *der);
@@ -1037,10 +1037,10 @@
OPENSSL_EXPORT int SSL_use_RSAPrivateKey_ASN1(SSL *ssl, const uint8_t *der,
size_t der_len);
-/* The following functions configure certificates or private keys but take as
- * input files to read from. They return one on success and zero on failure. The
- * |type| parameter is one of the |SSL_FILETYPE_*| values and determines whether
- * the file's contents are read as PEM or DER. */
+// The following functions configure certificates or private keys but take as
+// input files to read from. They return one on success and zero on failure. The
+// |type| parameter is one of the |SSL_FILETYPE_*| values and determines whether
+// the file's contents are read as PEM or DER.
#define SSL_FILETYPE_ASN1 X509_FILETYPE_ASN1
#define SSL_FILETYPE_PEM X509_FILETYPE_PEM
@@ -1061,25 +1061,25 @@
OPENSSL_EXPORT int SSL_use_PrivateKey_file(SSL *ssl, const char *file,
int type);
-/* SSL_CTX_use_certificate_chain_file configures certificates for |ctx|. It
- * reads the contents of |file| as a PEM-encoded leaf certificate followed
- * optionally by the certificate chain to send to the peer. It returns one on
- * success and zero on failure. */
+// SSL_CTX_use_certificate_chain_file configures certificates for |ctx|. It
+// reads the contents of |file| as a PEM-encoded leaf certificate followed
+// optionally by the certificate chain to send to the peer. It returns one on
+// success and zero on failure.
OPENSSL_EXPORT int SSL_CTX_use_certificate_chain_file(SSL_CTX *ctx,
const char *file);
-/* SSL_CTX_set_default_passwd_cb sets the password callback for PEM-based
- * convenience functions called on |ctx|. */
+// SSL_CTX_set_default_passwd_cb sets the password callback for PEM-based
+// convenience functions called on |ctx|.
OPENSSL_EXPORT void SSL_CTX_set_default_passwd_cb(SSL_CTX *ctx,
pem_password_cb *cb);
-/* SSL_CTX_set_default_passwd_cb_userdata sets the userdata parameter for
- * |ctx|'s password callback. */
+// SSL_CTX_set_default_passwd_cb_userdata sets the userdata parameter for
+// |ctx|'s password callback.
OPENSSL_EXPORT void SSL_CTX_set_default_passwd_cb_userdata(SSL_CTX *ctx,
void *data);
-/* Custom private keys. */
+// Custom private keys.
enum ssl_private_key_result_t {
ssl_private_key_success,
@@ -1087,1114 +1087,1118 @@
ssl_private_key_failure,
};
-/* ssl_private_key_method_st (aka |SSL_PRIVATE_KEY_METHOD|) describes private
- * key hooks. This is used to off-load signing operations to a custom,
- * potentially asynchronous, backend. Metadata about the key such as the type
- * and size are parsed out of the certificate.
- *
- * TODO(davidben): This API has a number of legacy hooks. Remove the last
- * consumer of |sign_digest| and trim it. */
+// ssl_private_key_method_st (aka |SSL_PRIVATE_KEY_METHOD|) describes private
+// key hooks. This is used to off-load signing operations to a custom,
+// potentially asynchronous, backend. Metadata about the key such as the type
+// and size are parsed out of the certificate.
+//
+// TODO(davidben): This API has a number of legacy hooks. Remove the last
+// consumer of |sign_digest| and trim it.
struct ssl_private_key_method_st {
- /* type is ignored and should be NULL. */
+ // type is ignored and should be NULL.
int (*type)(SSL *ssl);
- /* max_signature_len is ignored and should be NULL. */
+ // max_signature_len is ignored and should be NULL.
size_t (*max_signature_len)(SSL *ssl);
- /* sign signs the message |in| in using the specified signature algorithm. On
- * success, it returns |ssl_private_key_success| and writes at most |max_out|
- * bytes of signature data to |out| and sets |*out_len| to the number of bytes
- * written. On failure, it returns |ssl_private_key_failure|. If the operation
- * has not completed, it returns |ssl_private_key_retry|. |sign| should
- * arrange for the high-level operation on |ssl| to be retried when the
- * operation is completed. This will result in a call to |complete|.
- *
- * |signature_algorithm| is one of the |SSL_SIGN_*| values, as defined in TLS
- * 1.3. Note that, in TLS 1.2, ECDSA algorithms do not require that curve
- * sizes match hash sizes, so the curve portion of |SSL_SIGN_ECDSA_*| values
- * must be ignored. BoringSSL will internally handle the curve matching logic
- * where appropriate.
- *
- * It is an error to call |sign| while another private key operation is in
- * progress on |ssl|. */
+ // sign signs the message |in| in using the specified signature algorithm. On
+ // success, it returns |ssl_private_key_success| and writes at most |max_out|
+ // bytes of signature data to |out| and sets |*out_len| to the number of bytes
+ // written. On failure, it returns |ssl_private_key_failure|. If the operation
+ // has not completed, it returns |ssl_private_key_retry|. |sign| should
+ // arrange for the high-level operation on |ssl| to be retried when the
+ // operation is completed. This will result in a call to |complete|.
+ //
+ // |signature_algorithm| is one of the |SSL_SIGN_*| values, as defined in TLS
+ // 1.3. Note that, in TLS 1.2, ECDSA algorithms do not require that curve
+ // sizes match hash sizes, so the curve portion of |SSL_SIGN_ECDSA_*| values
+ // must be ignored. BoringSSL will internally handle the curve matching logic
+ // where appropriate.
+ //
+ // It is an error to call |sign| while another private key operation is in
+ // progress on |ssl|.
enum ssl_private_key_result_t (*sign)(SSL *ssl, uint8_t *out, size_t *out_len,
size_t max_out,
uint16_t signature_algorithm,
const uint8_t *in, size_t in_len);
- /* sign_digest signs |in_len| bytes of digest from |in|. |md| is the hash
- * function used to calculate |in|. On success, it returns
- * |ssl_private_key_success| and writes at most |max_out| bytes of signature
- * data to |out|. On failure, it returns |ssl_private_key_failure|. If the
- * operation has not completed, it returns |ssl_private_key_retry|. |sign|
- * should arrange for the high-level operation on |ssl| to be retried when the
- * operation is completed. This will result in a call to |complete|.
- *
- * If the key is an RSA key, implementations must use PKCS#1 padding. |in| is
- * the digest itself, so the DigestInfo prefix, if any, must be prepended by
- * |sign|. If |md| is |EVP_md5_sha1|, there is no prefix.
- *
- * It is an error to call |sign_digest| while another private key operation is
- * in progress on |ssl|.
- *
- * This function is deprecated. Implement |sign| instead.
- *
- * TODO(davidben): Remove this function. */
+ // sign_digest signs |in_len| bytes of digest from |in|. |md| is the hash
+ // function used to calculate |in|. On success, it returns
+ // |ssl_private_key_success| and writes at most |max_out| bytes of signature
+ // data to |out|. On failure, it returns |ssl_private_key_failure|. If the
+ // operation has not completed, it returns |ssl_private_key_retry|. |sign|
+ // should arrange for the high-level operation on |ssl| to be retried when the
+ // operation is completed. This will result in a call to |complete|.
+ //
+ // If the key is an RSA key, implementations must use PKCS#1 padding. |in| is
+ // the digest itself, so the DigestInfo prefix, if any, must be prepended by
+ // |sign|. If |md| is |EVP_md5_sha1|, there is no prefix.
+ //
+ // It is an error to call |sign_digest| while another private key operation is
+ // in progress on |ssl|.
+ //
+ // This function is deprecated. Implement |sign| instead.
+ //
+ // TODO(davidben): Remove this function.
enum ssl_private_key_result_t (*sign_digest)(SSL *ssl, uint8_t *out,
size_t *out_len, size_t max_out,
const EVP_MD *md,
const uint8_t *in,
size_t in_len);
- /* decrypt decrypts |in_len| bytes of encrypted data from |in|. On success it
- * returns |ssl_private_key_success|, writes at most |max_out| bytes of
- * decrypted data to |out| and sets |*out_len| to the actual number of bytes
- * written. On failure it returns |ssl_private_key_failure|. If the operation
- * has not completed, it returns |ssl_private_key_retry|. The caller should
- * arrange for the high-level operation on |ssl| to be retried when the
- * operation is completed, which will result in a call to |complete|. This
- * function only works with RSA keys and should perform a raw RSA decryption
- * operation with no padding.
- *
- * It is an error to call |decrypt| while another private key operation is in
- * progress on |ssl|. */
+ // decrypt decrypts |in_len| bytes of encrypted data from |in|. On success it
+ // returns |ssl_private_key_success|, writes at most |max_out| bytes of
+ // decrypted data to |out| and sets |*out_len| to the actual number of bytes
+ // written. On failure it returns |ssl_private_key_failure|. If the operation
+ // has not completed, it returns |ssl_private_key_retry|. The caller should
+ // arrange for the high-level operation on |ssl| to be retried when the
+ // operation is completed, which will result in a call to |complete|. This
+ // function only works with RSA keys and should perform a raw RSA decryption
+ // operation with no padding.
+ //
+ // It is an error to call |decrypt| while another private key operation is in
+ // progress on |ssl|.
enum ssl_private_key_result_t (*decrypt)(SSL *ssl, uint8_t *out,
size_t *out_len, size_t max_out,
const uint8_t *in, size_t in_len);
- /* complete completes a pending operation. If the operation has completed, it
- * returns |ssl_private_key_success| and writes the result to |out| as in
- * |sign|. Otherwise, it returns |ssl_private_key_failure| on failure and
- * |ssl_private_key_retry| if the operation is still in progress.
- *
- * |complete| may be called arbitrarily many times before completion, but it
- * is an error to call |complete| if there is no pending operation in progress
- * on |ssl|. */
+ // complete completes a pending operation. If the operation has completed, it
+ // returns |ssl_private_key_success| and writes the result to |out| as in
+ // |sign|. Otherwise, it returns |ssl_private_key_failure| on failure and
+ // |ssl_private_key_retry| if the operation is still in progress.
+ //
+ // |complete| may be called arbitrarily many times before completion, but it
+ // is an error to call |complete| if there is no pending operation in progress
+ // on |ssl|.
enum ssl_private_key_result_t (*complete)(SSL *ssl, uint8_t *out,
size_t *out_len, size_t max_out);
};
-/* SSL_set_private_key_method configures a custom private key on |ssl|.
- * |key_method| must remain valid for the lifetime of |ssl|. */
+// SSL_set_private_key_method configures a custom private key on |ssl|.
+// |key_method| must remain valid for the lifetime of |ssl|.
OPENSSL_EXPORT void SSL_set_private_key_method(
SSL *ssl, const SSL_PRIVATE_KEY_METHOD *key_method);
-/* SSL_CTX_set_private_key_method configures a custom private key on |ctx|.
- * |key_method| must remain valid for the lifetime of |ctx|. */
+// SSL_CTX_set_private_key_method configures a custom private key on |ctx|.
+// |key_method| must remain valid for the lifetime of |ctx|.
OPENSSL_EXPORT void SSL_CTX_set_private_key_method(
SSL_CTX *ctx, const SSL_PRIVATE_KEY_METHOD *key_method);
-/* Cipher suites.
- *
- * |SSL_CIPHER| objects represent cipher suites. */
+// Cipher suites.
+//
+// |SSL_CIPHER| objects represent cipher suites.
DEFINE_CONST_STACK_OF(SSL_CIPHER)
-/* SSL_get_cipher_by_value returns the structure representing a TLS cipher
- * suite based on its assigned number, or NULL if unknown. See
- * https://www.iana.org/assignments/tls-parameters/tls-parameters.xhtml#tls-parameters-4. */
+// SSL_get_cipher_by_value returns the structure representing a TLS cipher
+// suite based on its assigned number, or NULL if unknown. See
+// https://www.iana.org/assignments/tls-parameters/tls-parameters.xhtml#tls-parameters-4.
OPENSSL_EXPORT const SSL_CIPHER *SSL_get_cipher_by_value(uint16_t value);
-/* SSL_CIPHER_get_id returns |cipher|'s id. It may be cast to a |uint16_t| to
- * get the cipher suite value. */
+// SSL_CIPHER_get_id returns |cipher|'s id. It may be cast to a |uint16_t| to
+// get the cipher suite value.
OPENSSL_EXPORT uint32_t SSL_CIPHER_get_id(const SSL_CIPHER *cipher);
-/* SSL_CIPHER_is_aead returns one if |cipher| uses an AEAD cipher. */
+// SSL_CIPHER_is_aead returns one if |cipher| uses an AEAD cipher.
OPENSSL_EXPORT int SSL_CIPHER_is_aead(const SSL_CIPHER *cipher);
-/* SSL_CIPHER_is_block_cipher returns one if |cipher| is a block cipher. */
+// SSL_CIPHER_is_block_cipher returns one if |cipher| is a block cipher.
OPENSSL_EXPORT int SSL_CIPHER_is_block_cipher(const SSL_CIPHER *cipher);
-/* SSL_CIPHER_get_cipher_nid returns the NID for |cipher|'s bulk
- * cipher. Possible values are |NID_aes_128_gcm|, |NID_aes_256_gcm|,
- * |NID_chacha20_poly1305|, |NID_aes_128_cbc|, |NID_aes_256_cbc|, and
- * |NID_des_ede3_cbc|. */
+// SSL_CIPHER_get_cipher_nid returns the NID for |cipher|'s bulk
+// cipher. Possible values are |NID_aes_128_gcm|, |NID_aes_256_gcm|,
+// |NID_chacha20_poly1305|, |NID_aes_128_cbc|, |NID_aes_256_cbc|, and
+// |NID_des_ede3_cbc|.
OPENSSL_EXPORT int SSL_CIPHER_get_cipher_nid(const SSL_CIPHER *cipher);
-/* SSL_CIPHER_get_digest_nid returns the NID for |cipher|'s HMAC if it is a
- * legacy cipher suite. For modern AEAD-based ciphers (see
- * |SSL_CIPHER_is_aead|), it returns |NID_undef|.
- *
- * Note this function only returns the legacy HMAC digest, not the PRF hash. */
+// SSL_CIPHER_get_digest_nid returns the NID for |cipher|'s HMAC if it is a
+// legacy cipher suite. For modern AEAD-based ciphers (see
+// |SSL_CIPHER_is_aead|), it returns |NID_undef|.
+//
+// Note this function only returns the legacy HMAC digest, not the PRF hash.
OPENSSL_EXPORT int SSL_CIPHER_get_digest_nid(const SSL_CIPHER *cipher);
-/* SSL_CIPHER_get_kx_nid returns the NID for |cipher|'s key exchange. This may
- * be |NID_kx_rsa|, |NID_kx_ecdhe|, or |NID_kx_psk| for TLS 1.2. In TLS 1.3,
- * cipher suites do not specify the key exchange, so this function returns
- * |NID_kx_any|. */
+// SSL_CIPHER_get_kx_nid returns the NID for |cipher|'s key exchange. This may
+// be |NID_kx_rsa|, |NID_kx_ecdhe|, or |NID_kx_psk| for TLS 1.2. In TLS 1.3,
+// cipher suites do not specify the key exchange, so this function returns
+// |NID_kx_any|.
OPENSSL_EXPORT int SSL_CIPHER_get_kx_nid(const SSL_CIPHER *cipher);
-/* SSL_CIPHER_get_auth_nid returns the NID for |cipher|'s authentication
- * type. This may be |NID_auth_rsa|, |NID_auth_ecdsa|, or |NID_auth_psk| for TLS
- * 1.2. In TLS 1.3, cipher suites do not specify authentication, so this
- * function returns |NID_auth_any|. */
+// SSL_CIPHER_get_auth_nid returns the NID for |cipher|'s authentication
+// type. This may be |NID_auth_rsa|, |NID_auth_ecdsa|, or |NID_auth_psk| for TLS
+// 1.2. In TLS 1.3, cipher suites do not specify authentication, so this
+// function returns |NID_auth_any|.
OPENSSL_EXPORT int SSL_CIPHER_get_auth_nid(const SSL_CIPHER *cipher);
-/* SSL_CIPHER_get_min_version returns the minimum protocol version required
- * for |cipher|. */
+// SSL_CIPHER_get_min_version returns the minimum protocol version required
+// for |cipher|.
OPENSSL_EXPORT uint16_t SSL_CIPHER_get_min_version(const SSL_CIPHER *cipher);
-/* SSL_CIPHER_get_max_version returns the maximum protocol version that
- * supports |cipher|. */
+// SSL_CIPHER_get_max_version returns the maximum protocol version that
+// supports |cipher|.
OPENSSL_EXPORT uint16_t SSL_CIPHER_get_max_version(const SSL_CIPHER *cipher);
-/* SSL_CIPHER_standard_name returns the standard IETF name for |cipher|. For
- * example, "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256". */
+// SSL_CIPHER_standard_name returns the standard IETF name for |cipher|. For
+// example, "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256".
OPENSSL_EXPORT const char *SSL_CIPHER_standard_name(const SSL_CIPHER *cipher);
-/* SSL_CIPHER_get_name returns the OpenSSL name of |cipher|. For example,
- * "ECDHE-RSA-AES128-GCM-SHA256". */
+// SSL_CIPHER_get_name returns the OpenSSL name of |cipher|. For example,
+// "ECDHE-RSA-AES128-GCM-SHA256".
OPENSSL_EXPORT const char *SSL_CIPHER_get_name(const SSL_CIPHER *cipher);
-/* SSL_CIPHER_get_kx_name returns a string that describes the key-exchange
- * method used by |cipher|. For example, "ECDHE_ECDSA". TLS 1.3 AEAD-only
- * ciphers return the string "GENERIC". */
+// SSL_CIPHER_get_kx_name returns a string that describes the key-exchange
+// method used by |cipher|. For example, "ECDHE_ECDSA". TLS 1.3 AEAD-only
+// ciphers return the string "GENERIC".
OPENSSL_EXPORT const char *SSL_CIPHER_get_kx_name(const SSL_CIPHER *cipher);
-/* SSL_CIPHER_get_bits returns the strength, in bits, of |cipher|. If
- * |out_alg_bits| is not NULL, it writes the number of bits consumed by the
- * symmetric algorithm to |*out_alg_bits|. */
+// SSL_CIPHER_get_bits returns the strength, in bits, of |cipher|. If
+// |out_alg_bits| is not NULL, it writes the number of bits consumed by the
+// symmetric algorithm to |*out_alg_bits|.
OPENSSL_EXPORT int SSL_CIPHER_get_bits(const SSL_CIPHER *cipher,
int *out_alg_bits);
-/* Cipher suite configuration.
- *
- * OpenSSL uses a mini-language to configure cipher suites. The language
- * maintains an ordered list of enabled ciphers, along with an ordered list of
- * disabled but available ciphers. Initially, all ciphers are disabled with a
- * default ordering. The cipher string is then interpreted as a sequence of
- * directives, separated by colons, each of which modifies this state.
- *
- * Most directives consist of a one character or empty opcode followed by a
- * selector which matches a subset of available ciphers.
- *
- * Available opcodes are:
- *
- * The empty opcode enables and appends all matching disabled ciphers to the
- * end of the enabled list. The newly appended ciphers are ordered relative to
- * each other matching their order in the disabled list.
- *
- * |-| disables all matching enabled ciphers and prepends them to the disabled
- * list, with relative order from the enabled list preserved. This means the
- * most recently disabled ciphers get highest preference relative to other
- * disabled ciphers if re-enabled.
- *
- * |+| moves all matching enabled ciphers to the end of the enabled list, with
- * relative order preserved.
- *
- * |!| deletes all matching ciphers, enabled or not, from either list. Deleted
- * ciphers will not matched by future operations.
- *
- * A selector may be a specific cipher (using either the standard or OpenSSL
- * name for the cipher) or one or more rules separated by |+|. The final
- * selector matches the intersection of each rule. For instance, |AESGCM+aECDSA|
- * matches ECDSA-authenticated AES-GCM ciphers.
- *
- * Available cipher rules are:
- *
- * |ALL| matches all ciphers.
- *
- * |kRSA|, |kDHE|, |kECDHE|, and |kPSK| match ciphers using plain RSA, DHE,
- * ECDHE, and plain PSK key exchanges, respectively. Note that ECDHE_PSK is
- * matched by |kECDHE| and not |kPSK|.
- *
- * |aRSA|, |aECDSA|, and |aPSK| match ciphers authenticated by RSA, ECDSA, and
- * a pre-shared key, respectively.
- *
- * |RSA|, |DHE|, |ECDHE|, |PSK|, |ECDSA|, and |PSK| are aliases for the
- * corresponding |k*| or |a*| cipher rule. |RSA| is an alias for |kRSA|, not
- * |aRSA|.
- *
- * |3DES|, |AES128|, |AES256|, |AES|, |AESGCM|, |CHACHA20| match ciphers
- * whose bulk cipher use the corresponding encryption scheme. Note that
- * |AES|, |AES128|, and |AES256| match both CBC and GCM ciphers.
- *
- * |SHA1|, |SHA256|, and |SHA384| match legacy cipher suites using the
- * corresponding hash function in their MAC. AEADs are matched by none of
- * these.
- *
- * |SHA| is an alias for |SHA1|.
- *
- * Although implemented, authentication-only ciphers match no rules and must be
- * explicitly selected by name.
- *
- * Deprecated cipher rules:
- *
- * |kEDH|, |EDH|, |kEECDH|, and |EECDH| are legacy aliases for |kDHE|, |DHE|,
- * |kECDHE|, and |ECDHE|, respectively.
- *
- * |HIGH| is an alias for |ALL|.
- *
- * |FIPS| is an alias for |HIGH|.
- *
- * |SSLv3| and |TLSv1| match ciphers available in TLS 1.1 or earlier.
- * |TLSv1_2| matches ciphers new in TLS 1.2. This is confusing and should not
- * be used.
- *
- * Unknown rules are silently ignored by legacy APIs, and rejected by APIs with
- * "strict" in the name, which should be preferred. Cipher lists can be long
- * and it's easy to commit typos. Strict functions will also reject the use of
- * spaces, semi-colons and commas as alternative separators.
- *
- * The special |@STRENGTH| directive will sort all enabled ciphers by strength.
- *
- * The |DEFAULT| directive, when appearing at the front of the string, expands
- * to the default ordering of available ciphers.
- *
- * If configuring a server, one may also configure equal-preference groups to
- * partially respect the client's preferences when
- * |SSL_OP_CIPHER_SERVER_PREFERENCE| is enabled. Ciphers in an equal-preference
- * group have equal priority and use the client order. This may be used to
- * enforce that AEADs are preferred but select AES-GCM vs. ChaCha20-Poly1305
- * based on client preferences. An equal-preference is specified with square
- * brackets, combining multiple selectors separated by |. For example:
- *
- * [ECDHE-ECDSA-CHACHA20-POLY1305|ECDHE-ECDSA-AES128-GCM-SHA256]
- *
- * Once an equal-preference group is used, future directives must be
- * opcode-less. Inside an equal-preference group, spaces are not allowed.
- *
- * TLS 1.3 ciphers do not participate in this mechanism and instead have a
- * built-in preference order. Functions to set cipher lists do not affect TLS
- * 1.3, and functions to query the cipher list do not include TLS 1.3
- * ciphers. */
+// Cipher suite configuration.
+//
+// OpenSSL uses a mini-language to configure cipher suites. The language
+// maintains an ordered list of enabled ciphers, along with an ordered list of
+// disabled but available ciphers. Initially, all ciphers are disabled with a
+// default ordering. The cipher string is then interpreted as a sequence of
+// directives, separated by colons, each of which modifies this state.
+//
+// Most directives consist of a one character or empty opcode followed by a
+// selector which matches a subset of available ciphers.
+//
+// Available opcodes are:
+//
+// The empty opcode enables and appends all matching disabled ciphers to the
+// end of the enabled list. The newly appended ciphers are ordered relative to
+// each other matching their order in the disabled list.
+//
+// |-| disables all matching enabled ciphers and prepends them to the disabled
+// list, with relative order from the enabled list preserved. This means the
+// most recently disabled ciphers get highest preference relative to other
+// disabled ciphers if re-enabled.
+//
+// |+| moves all matching enabled ciphers to the end of the enabled list, with
+// relative order preserved.
+//
+// |!| deletes all matching ciphers, enabled or not, from either list. Deleted
+// ciphers will not matched by future operations.
+//
+// A selector may be a specific cipher (using either the standard or OpenSSL
+// name for the cipher) or one or more rules separated by |+|. The final
+// selector matches the intersection of each rule. For instance, |AESGCM+aECDSA|
+// matches ECDSA-authenticated AES-GCM ciphers.
+//
+// Available cipher rules are:
+//
+// |ALL| matches all ciphers.
+//
+// |kRSA|, |kDHE|, |kECDHE|, and |kPSK| match ciphers using plain RSA, DHE,
+// ECDHE, and plain PSK key exchanges, respectively. Note that ECDHE_PSK is
+// matched by |kECDHE| and not |kPSK|.
+//
+// |aRSA|, |aECDSA|, and |aPSK| match ciphers authenticated by RSA, ECDSA, and
+// a pre-shared key, respectively.
+//
+// |RSA|, |DHE|, |ECDHE|, |PSK|, |ECDSA|, and |PSK| are aliases for the
+// corresponding |k*| or |a*| cipher rule. |RSA| is an alias for |kRSA|, not
+// |aRSA|.
+//
+// |3DES|, |AES128|, |AES256|, |AES|, |AESGCM|, |CHACHA20| match ciphers
+// whose bulk cipher use the corresponding encryption scheme. Note that
+// |AES|, |AES128|, and |AES256| match both CBC and GCM ciphers.
+//
+// |SHA1|, |SHA256|, and |SHA384| match legacy cipher suites using the
+// corresponding hash function in their MAC. AEADs are matched by none of
+// these.
+//
+// |SHA| is an alias for |SHA1|.
+//
+// Although implemented, authentication-only ciphers match no rules and must be
+// explicitly selected by name.
+//
+// Deprecated cipher rules:
+//
+// |kEDH|, |EDH|, |kEECDH|, and |EECDH| are legacy aliases for |kDHE|, |DHE|,
+// |kECDHE|, and |ECDHE|, respectively.
+//
+// |HIGH| is an alias for |ALL|.
+//
+// |FIPS| is an alias for |HIGH|.
+//
+// |SSLv3| and |TLSv1| match ciphers available in TLS 1.1 or earlier.
+// |TLSv1_2| matches ciphers new in TLS 1.2. This is confusing and should not
+// be used.
+//
+// Unknown rules are silently ignored by legacy APIs, and rejected by APIs with
+// "strict" in the name, which should be preferred. Cipher lists can be long
+// and it's easy to commit typos. Strict functions will also reject the use of
+// spaces, semi-colons and commas as alternative separators.
+//
+// The special |@STRENGTH| directive will sort all enabled ciphers by strength.
+//
+// The |DEFAULT| directive, when appearing at the front of the string, expands
+// to the default ordering of available ciphers.
+//
+// If configuring a server, one may also configure equal-preference groups to
+// partially respect the client's preferences when
+// |SSL_OP_CIPHER_SERVER_PREFERENCE| is enabled. Ciphers in an equal-preference
+// group have equal priority and use the client order. This may be used to
+// enforce that AEADs are preferred but select AES-GCM vs. ChaCha20-Poly1305
+// based on client preferences. An equal-preference is specified with square
+// brackets, combining multiple selectors separated by |. For example:
+//
+// [ECDHE-ECDSA-CHACHA20-POLY1305|ECDHE-ECDSA-AES128-GCM-SHA256]
+//
+// Once an equal-preference group is used, future directives must be
+// opcode-less. Inside an equal-preference group, spaces are not allowed.
+//
+// TLS 1.3 ciphers do not participate in this mechanism and instead have a
+// built-in preference order. Functions to set cipher lists do not affect TLS
+// 1.3, and functions to query the cipher list do not include TLS 1.3
+// ciphers.
-/* SSL_DEFAULT_CIPHER_LIST is the default cipher suite configuration. It is
- * substituted when a cipher string starts with 'DEFAULT'. */
+// SSL_DEFAULT_CIPHER_LIST is the default cipher suite configuration. It is
+// substituted when a cipher string starts with 'DEFAULT'.
#define SSL_DEFAULT_CIPHER_LIST "ALL"
-/* SSL_CTX_set_strict_cipher_list configures the cipher list for |ctx|,
- * evaluating |str| as a cipher string and returning error if |str| contains
- * anything meaningless. It returns one on success and zero on failure. */
+// SSL_CTX_set_strict_cipher_list configures the cipher list for |ctx|,
+// evaluating |str| as a cipher string and returning error if |str| contains
+// anything meaningless. It returns one on success and zero on failure.
OPENSSL_EXPORT int SSL_CTX_set_strict_cipher_list(SSL_CTX *ctx,
const char *str);
-/* SSL_CTX_set_cipher_list configures the cipher list for |ctx|, evaluating
- * |str| as a cipher string. It returns one on success and zero on failure.
- *
- * Prefer to use |SSL_CTX_set_strict_cipher_list|. This function tolerates
- * garbage inputs, unless an empty cipher list results. */
+// SSL_CTX_set_cipher_list configures the cipher list for |ctx|, evaluating
+// |str| as a cipher string. It returns one on success and zero on failure.
+//
+// Prefer to use |SSL_CTX_set_strict_cipher_list|. This function tolerates
+// garbage inputs, unless an empty cipher list results.
OPENSSL_EXPORT int SSL_CTX_set_cipher_list(SSL_CTX *ctx, const char *str);
-/* SSL_set_strict_cipher_list configures the cipher list for |ssl|, evaluating
- * |str| as a cipher string and returning error if |str| contains anything
- * meaningless. It returns one on success and zero on failure. */
+// SSL_set_strict_cipher_list configures the cipher list for |ssl|, evaluating
+// |str| as a cipher string and returning error if |str| contains anything
+// meaningless. It returns one on success and zero on failure.
OPENSSL_EXPORT int SSL_set_strict_cipher_list(SSL *ssl, const char *str);
-/* SSL_set_cipher_list configures the cipher list for |ssl|, evaluating |str| as
- * a cipher string. It returns one on success and zero on failure.
- *
- * Prefer to use |SSL_set_strict_cipher_list|. This function tolerates garbage
- * inputs, unless an empty cipher list results. */
+// SSL_set_cipher_list configures the cipher list for |ssl|, evaluating |str| as
+// a cipher string. It returns one on success and zero on failure.
+//
+// Prefer to use |SSL_set_strict_cipher_list|. This function tolerates garbage
+// inputs, unless an empty cipher list results.
OPENSSL_EXPORT int SSL_set_cipher_list(SSL *ssl, const char *str);
-/* SSL_CTX_get_ciphers returns the cipher list for |ctx|, in order of
- * preference. */
+// SSL_CTX_get_ciphers returns the cipher list for |ctx|, in order of
+// preference.
OPENSSL_EXPORT STACK_OF(SSL_CIPHER) *SSL_CTX_get_ciphers(const SSL_CTX *ctx);
-/* SSL_CTX_cipher_in_group returns one if the |i|th cipher (see
- * |SSL_CTX_get_ciphers|) is in the same equipreference group as the one
- * following it and zero otherwise. */
+// SSL_CTX_cipher_in_group returns one if the |i|th cipher (see
+// |SSL_CTX_get_ciphers|) is in the same equipreference group as the one
+// following it and zero otherwise.
OPENSSL_EXPORT int SSL_CTX_cipher_in_group(const SSL_CTX *ctx, size_t i);
-/* SSL_get_ciphers returns the cipher list for |ssl|, in order of preference. */
+// SSL_get_ciphers returns the cipher list for |ssl|, in order of preference.
OPENSSL_EXPORT STACK_OF(SSL_CIPHER) *SSL_get_ciphers(const SSL *ssl);
-/* Connection information. */
+// Connection information.
-/* SSL_is_init_finished returns one if |ssl| has completed its initial handshake
- * and has no pending handshake. It returns zero otherwise. */
+// SSL_is_init_finished returns one if |ssl| has completed its initial handshake
+// and has no pending handshake. It returns zero otherwise.
OPENSSL_EXPORT int SSL_is_init_finished(const SSL *ssl);
-/* SSL_in_init returns one if |ssl| has a pending handshake and zero
- * otherwise. */
+// SSL_in_init returns one if |ssl| has a pending handshake and zero
+// otherwise.
OPENSSL_EXPORT int SSL_in_init(const SSL *ssl);
-/* SSL_in_false_start returns one if |ssl| has a pending handshake that is in
- * False Start. |SSL_write| may be called at this point without waiting for the
- * peer, but |SSL_read| will complete the handshake before accepting application
- * data.
- *
- * See also |SSL_MODE_ENABLE_FALSE_START|. */
+// SSL_in_false_start returns one if |ssl| has a pending handshake that is in
+// False Start. |SSL_write| may be called at this point without waiting for the
+// peer, but |SSL_read| will complete the handshake before accepting application
+// data.
+//
+// See also |SSL_MODE_ENABLE_FALSE_START|.
OPENSSL_EXPORT int SSL_in_false_start(const SSL *ssl);
-/* SSL_get_peer_certificate returns the peer's leaf certificate or NULL if the
- * peer did not use certificates. The caller must call |X509_free| on the
- * result to release it. */
+// SSL_get_peer_certificate returns the peer's leaf certificate or NULL if the
+// peer did not use certificates. The caller must call |X509_free| on the
+// result to release it.
OPENSSL_EXPORT X509 *SSL_get_peer_certificate(const SSL *ssl);
-/* SSL_get_peer_cert_chain returns the peer's certificate chain or NULL if
- * unavailable or the peer did not use certificates. This is the unverified list
- * of certificates as sent by the peer, not the final chain built during
- * verification. The caller does not take ownership of the result.
- *
- * WARNING: This function behaves differently between client and server. If
- * |ssl| is a server, the returned chain does not include the leaf certificate.
- * If a client, it does. */
+// SSL_get_peer_cert_chain returns the peer's certificate chain or NULL if
+// unavailable or the peer did not use certificates. This is the unverified list
+// of certificates as sent by the peer, not the final chain built during
+// verification. The caller does not take ownership of the result.
+//
+// WARNING: This function behaves differently between client and server. If
+// |ssl| is a server, the returned chain does not include the leaf certificate.
+// If a client, it does.
OPENSSL_EXPORT STACK_OF(X509) *SSL_get_peer_cert_chain(const SSL *ssl);
-/* SSL_get_peer_full_cert_chain returns the peer's certificate chain, or NULL if
- * unavailable or the peer did not use certificates. This is the unverified list
- * of certificates as sent by the peer, not the final chain built during
- * verification. The caller does not take ownership of the result.
- *
- * This is the same as |SSL_get_peer_cert_chain| except that this function
- * always returns the full chain, i.e. the first element of the return value
- * (if any) will be the leaf certificate. In constrast,
- * |SSL_get_peer_cert_chain| returns only the intermediate certificates if the
- * |ssl| is a server. */
+// SSL_get_peer_full_cert_chain returns the peer's certificate chain, or NULL if
+// unavailable or the peer did not use certificates. This is the unverified list
+// of certificates as sent by the peer, not the final chain built during
+// verification. The caller does not take ownership of the result.
+//
+// This is the same as |SSL_get_peer_cert_chain| except that this function
+// always returns the full chain, i.e. the first element of the return value
+// (if any) will be the leaf certificate. In constrast,
+// |SSL_get_peer_cert_chain| returns only the intermediate certificates if the
+// |ssl| is a server.
OPENSSL_EXPORT STACK_OF(X509) *SSL_get_peer_full_cert_chain(const SSL *ssl);
-/* SSL_get0_peer_certificates returns the peer's certificate chain, or NULL if
- * unavailable or the peer did not use certificates. This is the unverified list
- * of certificates as sent by the peer, not the final chain built during
- * verification. The caller does not take ownership of the result.
- *
- * This is the |CRYPTO_BUFFER| variant of |SSL_get_peer_full_cert_chain|. */
+// SSL_get0_peer_certificates returns the peer's certificate chain, or NULL if
+// unavailable or the peer did not use certificates. This is the unverified list
+// of certificates as sent by the peer, not the final chain built during
+// verification. The caller does not take ownership of the result.
+//
+// This is the |CRYPTO_BUFFER| variant of |SSL_get_peer_full_cert_chain|.
OPENSSL_EXPORT STACK_OF(CRYPTO_BUFFER) *
SSL_get0_peer_certificates(const SSL *ssl);
-/* SSL_get0_signed_cert_timestamp_list sets |*out| and |*out_len| to point to
- * |*out_len| bytes of SCT information from the server. This is only valid if
- * |ssl| is a client. The SCT information is a SignedCertificateTimestampList
- * (including the two leading length bytes).
- * See https://tools.ietf.org/html/rfc6962#section-3.3
- * If no SCT was received then |*out_len| will be zero on return.
- *
- * WARNING: the returned data is not guaranteed to be well formed. */
+// SSL_get0_signed_cert_timestamp_list sets |*out| and |*out_len| to point to
+// |*out_len| bytes of SCT information from the server. This is only valid if
+// |ssl| is a client. The SCT information is a SignedCertificateTimestampList
+// (including the two leading length bytes).
+// See https://tools.ietf.org/html/rfc6962#section-3.3
+// If no SCT was received then |*out_len| will be zero on return.
+//
+// WARNING: the returned data is not guaranteed to be well formed.
OPENSSL_EXPORT void SSL_get0_signed_cert_timestamp_list(const SSL *ssl,
const uint8_t **out,
size_t *out_len);
-/* SSL_get0_ocsp_response sets |*out| and |*out_len| to point to |*out_len|
- * bytes of an OCSP response from the server. This is the DER encoding of an
- * OCSPResponse type as defined in RFC 2560.
- *
- * WARNING: the returned data is not guaranteed to be well formed. */
+// SSL_get0_ocsp_response sets |*out| and |*out_len| to point to |*out_len|
+// bytes of an OCSP response from the server. This is the DER encoding of an
+// OCSPResponse type as defined in RFC 2560.
+//
+// WARNING: the returned data is not guaranteed to be well formed.
OPENSSL_EXPORT void SSL_get0_ocsp_response(const SSL *ssl, const uint8_t **out,
size_t *out_len);
-/* SSL_get_tls_unique writes at most |max_out| bytes of the tls-unique value
- * for |ssl| to |out| and sets |*out_len| to the number of bytes written. It
- * returns one on success or zero on error. In general |max_out| should be at
- * least 12.
- *
- * This function will always fail if the initial handshake has not completed.
- * The tls-unique value will change after a renegotiation but, since
- * renegotiations can be initiated by the server at any point, the higher-level
- * protocol must either leave them disabled or define states in which the
- * tls-unique value can be read.
- *
- * The tls-unique value is defined by
- * https://tools.ietf.org/html/rfc5929#section-3.1. Due to a weakness in the
- * TLS protocol, tls-unique is broken for resumed connections unless the
- * Extended Master Secret extension is negotiated. Thus this function will
- * return zero if |ssl| performed session resumption unless EMS was used when
- * negotiating the original session. */
+// SSL_get_tls_unique writes at most |max_out| bytes of the tls-unique value
+// for |ssl| to |out| and sets |*out_len| to the number of bytes written. It
+// returns one on success or zero on error. In general |max_out| should be at
+// least 12.
+//
+// This function will always fail if the initial handshake has not completed.
+// The tls-unique value will change after a renegotiation but, since
+// renegotiations can be initiated by the server at any point, the higher-level
+// protocol must either leave them disabled or define states in which the
+// tls-unique value can be read.
+//
+// The tls-unique value is defined by
+// https://tools.ietf.org/html/rfc5929#section-3.1. Due to a weakness in the
+// TLS protocol, tls-unique is broken for resumed connections unless the
+// Extended Master Secret extension is negotiated. Thus this function will
+// return zero if |ssl| performed session resumption unless EMS was used when
+// negotiating the original session.
OPENSSL_EXPORT int SSL_get_tls_unique(const SSL *ssl, uint8_t *out,
size_t *out_len, size_t max_out);
-/* SSL_get_extms_support returns one if the Extended Master Secret extension or
- * TLS 1.3 was negotiated. Otherwise, it returns zero. */
+// SSL_get_extms_support returns one if the Extended Master Secret extension or
+// TLS 1.3 was negotiated. Otherwise, it returns zero.
OPENSSL_EXPORT int SSL_get_extms_support(const SSL *ssl);
-/* SSL_get_current_cipher returns the cipher used in the current outgoing
- * connection state, or NULL if the null cipher is active. */
+// SSL_get_current_cipher returns the cipher used in the current outgoing
+// connection state, or NULL if the null cipher is active.
OPENSSL_EXPORT const SSL_CIPHER *SSL_get_current_cipher(const SSL *ssl);
-/* SSL_session_reused returns one if |ssl| performed an abbreviated handshake
- * and zero otherwise.
- *
- * TODO(davidben): Hammer down the semantics of this API while a handshake,
- * initial or renego, is in progress. */
+// SSL_session_reused returns one if |ssl| performed an abbreviated handshake
+// and zero otherwise.
+//
+// TODO(davidben): Hammer down the semantics of this API while a handshake,
+// initial or renego, is in progress.
OPENSSL_EXPORT int SSL_session_reused(const SSL *ssl);
-/* SSL_get_secure_renegotiation_support returns one if the peer supports secure
- * renegotiation (RFC 5746) or TLS 1.3. Otherwise, it returns zero. */
+// SSL_get_secure_renegotiation_support returns one if the peer supports secure
+// renegotiation (RFC 5746) or TLS 1.3. Otherwise, it returns zero.
OPENSSL_EXPORT int SSL_get_secure_renegotiation_support(const SSL *ssl);
-/* SSL_export_keying_material exports a value derived from the master secret, as
- * specified in RFC 5705. It writes |out_len| bytes to |out| given a label and
- * optional context. (Since a zero length context is allowed, the |use_context|
- * flag controls whether a context is included.)
- *
- * It returns one on success and zero otherwise. */
+// SSL_export_keying_material exports a value derived from the master secret, as
+// specified in RFC 5705. It writes |out_len| bytes to |out| given a label and
+// optional context. (Since a zero length context is allowed, the |use_context|
+// flag controls whether a context is included.)
+//
+// It returns one on success and zero otherwise.
OPENSSL_EXPORT int SSL_export_keying_material(
SSL *ssl, uint8_t *out, size_t out_len, const char *label, size_t label_len,
const uint8_t *context, size_t context_len, int use_context);
-/* Custom extensions.
- *
- * The custom extension functions allow TLS extensions to be added to
- * ClientHello and ServerHello messages. */
+// Custom extensions.
+//
+// The custom extension functions allow TLS extensions to be added to
+// ClientHello and ServerHello messages.
-/* SSL_custom_ext_add_cb is a callback function that is called when the
- * ClientHello (for clients) or ServerHello (for servers) is constructed. In
- * the case of a server, this callback will only be called for a given
- * extension if the ClientHello contained that extension – it's not possible to
- * inject extensions into a ServerHello that the client didn't request.
- *
- * When called, |extension_value| will contain the extension number that is
- * being considered for addition (so that a single callback can handle multiple
- * extensions). If the callback wishes to include the extension, it must set
- * |*out| to point to |*out_len| bytes of extension contents and return one. In
- * this case, the corresponding |SSL_custom_ext_free_cb| callback will later be
- * called with the value of |*out| once that data has been copied.
- *
- * If the callback does not wish to add an extension it must return zero.
- *
- * Alternatively, the callback can abort the connection by setting
- * |*out_alert_value| to a TLS alert number and returning -1. */
+// SSL_custom_ext_add_cb is a callback function that is called when the
+// ClientHello (for clients) or ServerHello (for servers) is constructed. In
+// the case of a server, this callback will only be called for a given
+// extension if the ClientHello contained that extension – it's not possible to
+// inject extensions into a ServerHello that the client didn't request.
+//
+// When called, |extension_value| will contain the extension number that is
+// being considered for addition (so that a single callback can handle multiple
+// extensions). If the callback wishes to include the extension, it must set
+// |*out| to point to |*out_len| bytes of extension contents and return one. In
+// this case, the corresponding |SSL_custom_ext_free_cb| callback will later be
+// called with the value of |*out| once that data has been copied.
+//
+// If the callback does not wish to add an extension it must return zero.
+//
+// Alternatively, the callback can abort the connection by setting
+// |*out_alert_value| to a TLS alert number and returning -1.
typedef int (*SSL_custom_ext_add_cb)(SSL *ssl, unsigned extension_value,
const uint8_t **out, size_t *out_len,
int *out_alert_value, void *add_arg);
-/* SSL_custom_ext_free_cb is a callback function that is called by OpenSSL iff
- * an |SSL_custom_ext_add_cb| callback previously returned one. In that case,
- * this callback is called and passed the |out| pointer that was returned by
- * the add callback. This is to free any dynamically allocated data created by
- * the add callback. */
+// SSL_custom_ext_free_cb is a callback function that is called by OpenSSL iff
+// an |SSL_custom_ext_add_cb| callback previously returned one. In that case,
+// this callback is called and passed the |out| pointer that was returned by
+// the add callback. This is to free any dynamically allocated data created by
+// the add callback.
typedef void (*SSL_custom_ext_free_cb)(SSL *ssl, unsigned extension_value,
const uint8_t *out, void *add_arg);
-/* SSL_custom_ext_parse_cb is a callback function that is called by OpenSSL to
- * parse an extension from the peer: that is from the ServerHello for a client
- * and from the ClientHello for a server.
- *
- * When called, |extension_value| will contain the extension number and the
- * contents of the extension are |contents_len| bytes at |contents|.
- *
- * The callback must return one to continue the handshake. Otherwise, if it
- * returns zero, a fatal alert with value |*out_alert_value| is sent and the
- * handshake is aborted. */
+// SSL_custom_ext_parse_cb is a callback function that is called by OpenSSL to
+// parse an extension from the peer: that is from the ServerHello for a client
+// and from the ClientHello for a server.
+//
+// When called, |extension_value| will contain the extension number and the
+// contents of the extension are |contents_len| bytes at |contents|.
+//
+// The callback must return one to continue the handshake. Otherwise, if it
+// returns zero, a fatal alert with value |*out_alert_value| is sent and the
+// handshake is aborted.
typedef int (*SSL_custom_ext_parse_cb)(SSL *ssl, unsigned extension_value,
const uint8_t *contents,
size_t contents_len,
int *out_alert_value, void *parse_arg);
-/* SSL_extension_supported returns one iff OpenSSL internally handles
- * extensions of type |extension_value|. This can be used to avoid registering
- * custom extension handlers for extensions that a future version of OpenSSL
- * may handle internally. */
+// SSL_extension_supported returns one iff OpenSSL internally handles
+// extensions of type |extension_value|. This can be used to avoid registering
+// custom extension handlers for extensions that a future version of OpenSSL
+// may handle internally.
OPENSSL_EXPORT int SSL_extension_supported(unsigned extension_value);
-/* SSL_CTX_add_client_custom_ext registers callback functions for handling
- * custom TLS extensions for client connections.
- *
- * If |add_cb| is NULL then an empty extension will be added in each
- * ClientHello. Otherwise, see the comment for |SSL_custom_ext_add_cb| about
- * this callback.
- *
- * The |free_cb| may be NULL if |add_cb| doesn't dynamically allocate data that
- * needs to be freed.
- *
- * It returns one on success or zero on error. It's always an error to register
- * callbacks for the same extension twice, or to register callbacks for an
- * extension that OpenSSL handles internally. See |SSL_extension_supported| to
- * discover, at runtime, which extensions OpenSSL handles internally. */
+// SSL_CTX_add_client_custom_ext registers callback functions for handling
+// custom TLS extensions for client connections.
+//
+// If |add_cb| is NULL then an empty extension will be added in each
+// ClientHello. Otherwise, see the comment for |SSL_custom_ext_add_cb| about
+// this callback.
+//
+// The |free_cb| may be NULL if |add_cb| doesn't dynamically allocate data that
+// needs to be freed.
+//
+// It returns one on success or zero on error. It's always an error to register
+// callbacks for the same extension twice, or to register callbacks for an
+// extension that OpenSSL handles internally. See |SSL_extension_supported| to
+// discover, at runtime, which extensions OpenSSL handles internally.
OPENSSL_EXPORT int SSL_CTX_add_client_custom_ext(
SSL_CTX *ctx, unsigned extension_value, SSL_custom_ext_add_cb add_cb,
SSL_custom_ext_free_cb free_cb, void *add_arg,
SSL_custom_ext_parse_cb parse_cb, void *parse_arg);
-/* SSL_CTX_add_server_custom_ext is the same as
- * |SSL_CTX_add_client_custom_ext|, but for server connections.
- *
- * Unlike on the client side, if |add_cb| is NULL no extension will be added.
- * The |add_cb|, if any, will only be called if the ClientHello contained a
- * matching extension. */
+// SSL_CTX_add_server_custom_ext is the same as
+// |SSL_CTX_add_client_custom_ext|, but for server connections.
+//
+// Unlike on the client side, if |add_cb| is NULL no extension will be added.
+// The |add_cb|, if any, will only be called if the ClientHello contained a
+// matching extension.
OPENSSL_EXPORT int SSL_CTX_add_server_custom_ext(
SSL_CTX *ctx, unsigned extension_value, SSL_custom_ext_add_cb add_cb,
SSL_custom_ext_free_cb free_cb, void *add_arg,
SSL_custom_ext_parse_cb parse_cb, void *parse_arg);
-/* Sessions.
- *
- * An |SSL_SESSION| represents an SSL session that may be resumed in an
- * abbreviated handshake. It is reference-counted and immutable. Once
- * established, an |SSL_SESSION| may be shared by multiple |SSL| objects on
- * different threads and must not be modified. */
+// Sessions.
+//
+// An |SSL_SESSION| represents an SSL session that may be resumed in an
+// abbreviated handshake. It is reference-counted and immutable. Once
+// established, an |SSL_SESSION| may be shared by multiple |SSL| objects on
+// different threads and must not be modified.
DECLARE_LHASH_OF(SSL_SESSION)
DECLARE_PEM_rw(SSL_SESSION, SSL_SESSION)
-/* SSL_SESSION_new returns a newly-allocated blank |SSL_SESSION| or NULL on
- * error. This may be useful when writing tests but should otherwise not be
- * used. */
+// SSL_SESSION_new returns a newly-allocated blank |SSL_SESSION| or NULL on
+// error. This may be useful when writing tests but should otherwise not be
+// used.
OPENSSL_EXPORT SSL_SESSION *SSL_SESSION_new(const SSL_CTX *ctx);
-/* SSL_SESSION_up_ref increments the reference count of |session| and returns
- * one. */
+// SSL_SESSION_up_ref increments the reference count of |session| and returns
+// one.
OPENSSL_EXPORT int SSL_SESSION_up_ref(SSL_SESSION *session);
-/* SSL_SESSION_free decrements the reference count of |session|. If it reaches
- * zero, all data referenced by |session| and |session| itself are released. */
+// SSL_SESSION_free decrements the reference count of |session|. If it reaches
+// zero, all data referenced by |session| and |session| itself are released.
OPENSSL_EXPORT void SSL_SESSION_free(SSL_SESSION *session);
-/* SSL_SESSION_to_bytes serializes |in| into a newly allocated buffer and sets
- * |*out_data| to that buffer and |*out_len| to its length. The caller takes
- * ownership of the buffer and must call |OPENSSL_free| when done. It returns
- * one on success and zero on error. */
+// SSL_SESSION_to_bytes serializes |in| into a newly allocated buffer and sets
+// |*out_data| to that buffer and |*out_len| to its length. The caller takes
+// ownership of the buffer and must call |OPENSSL_free| when done. It returns
+// one on success and zero on error.
OPENSSL_EXPORT int SSL_SESSION_to_bytes(const SSL_SESSION *in,
uint8_t **out_data, size_t *out_len);
-/* SSL_SESSION_to_bytes_for_ticket serializes |in|, but excludes the session
- * identification information, namely the session ID and ticket. */
+// SSL_SESSION_to_bytes_for_ticket serializes |in|, but excludes the session
+// identification information, namely the session ID and ticket.
OPENSSL_EXPORT int SSL_SESSION_to_bytes_for_ticket(const SSL_SESSION *in,
uint8_t **out_data,
size_t *out_len);
-/* SSL_SESSION_from_bytes parses |in_len| bytes from |in| as an SSL_SESSION. It
- * returns a newly-allocated |SSL_SESSION| on success or NULL on error. */
+// SSL_SESSION_from_bytes parses |in_len| bytes from |in| as an SSL_SESSION. It
+// returns a newly-allocated |SSL_SESSION| on success or NULL on error.
OPENSSL_EXPORT SSL_SESSION *SSL_SESSION_from_bytes(
const uint8_t *in, size_t in_len, const SSL_CTX *ctx);
-/* SSL_SESSION_get_version returns a string describing the TLS version |session|
- * was established at. For example, "TLSv1.2" or "SSLv3". */
+// SSL_SESSION_get_version returns a string describing the TLS version |session|
+// was established at. For example, "TLSv1.2" or "SSLv3".
OPENSSL_EXPORT const char *SSL_SESSION_get_version(const SSL_SESSION *session);
-/* SSL_SESSION_get_id returns a pointer to a buffer containing |session|'s
- * session ID and sets |*out_len| to its length. */
+// SSL_SESSION_get_id returns a pointer to a buffer containing |session|'s
+// session ID and sets |*out_len| to its length.
OPENSSL_EXPORT const uint8_t *SSL_SESSION_get_id(const SSL_SESSION *session,
unsigned *out_len);
-/* SSL_SESSION_get_time returns the time at which |session| was established in
- * seconds since the UNIX epoch. */
+// SSL_SESSION_get_time returns the time at which |session| was established in
+// seconds since the UNIX epoch.
OPENSSL_EXPORT uint64_t SSL_SESSION_get_time(const SSL_SESSION *session);
-/* SSL_SESSION_get_timeout returns the lifetime of |session| in seconds. */
+// SSL_SESSION_get_timeout returns the lifetime of |session| in seconds.
OPENSSL_EXPORT uint32_t SSL_SESSION_get_timeout(const SSL_SESSION *session);
-/* SSL_SESSION_get0_peer returns the peer leaf certificate stored in
- * |session|.
- *
- * TODO(davidben): This should return a const X509 *. */
+// SSL_SESSION_get0_peer returns the peer leaf certificate stored in
+// |session|.
+//
+// TODO(davidben): This should return a const X509 *.
OPENSSL_EXPORT X509 *SSL_SESSION_get0_peer(const SSL_SESSION *session);
-/* SSL_SESSION_get_master_key writes up to |max_out| bytes of |session|'s master
- * secret to |out| and returns the number of bytes written. If |max_out| is
- * zero, it returns the size of the master secret. */
+// SSL_SESSION_get_master_key writes up to |max_out| bytes of |session|'s master
+// secret to |out| and returns the number of bytes written. If |max_out| is
+// zero, it returns the size of the master secret.
OPENSSL_EXPORT size_t SSL_SESSION_get_master_key(const SSL_SESSION *session,
uint8_t *out, size_t max_out);
-/* SSL_SESSION_set_time sets |session|'s creation time to |time| and returns
- * |time|. This function may be useful in writing tests but otherwise should not
- * be used. */
+// SSL_SESSION_set_time sets |session|'s creation time to |time| and returns
+// |time|. This function may be useful in writing tests but otherwise should not
+// be used.
OPENSSL_EXPORT uint64_t SSL_SESSION_set_time(SSL_SESSION *session,
uint64_t time);
-/* SSL_SESSION_set_timeout sets |session|'s timeout to |timeout| and returns
- * one. This function may be useful in writing tests but otherwise should not
- * be used. */
+// SSL_SESSION_set_timeout sets |session|'s timeout to |timeout| and returns
+// one. This function may be useful in writing tests but otherwise should not
+// be used.
OPENSSL_EXPORT uint32_t SSL_SESSION_set_timeout(SSL_SESSION *session,
uint32_t timeout);
-/* SSL_SESSION_set1_id_context sets |session|'s session ID context (see
- * |SSL_CTX_set_session_id_context|) to |sid_ctx|. It returns one on success and
- * zero on error. This function may be useful in writing tests but otherwise
- * should not be used. */
+// SSL_SESSION_set1_id_context sets |session|'s session ID context (see
+// |SSL_CTX_set_session_id_context|) to |sid_ctx|. It returns one on success and
+// zero on error. This function may be useful in writing tests but otherwise
+// should not be used.
OPENSSL_EXPORT int SSL_SESSION_set1_id_context(SSL_SESSION *session,
const uint8_t *sid_ctx,
size_t sid_ctx_len);
-/* Session caching.
- *
- * Session caching allows connections to be established more efficiently based
- * on saved parameters from a previous connection, called a session (see
- * |SSL_SESSION|). The client offers a saved session, using an opaque identifier
- * from a previous connection. The server may accept the session, if it has the
- * parameters available. Otherwise, it will decline and continue with a full
- * handshake.
- *
- * This requires both the client and the server to retain session state. A
- * client does so with a stateful session cache. A server may do the same or, if
- * supported by both sides, statelessly using session tickets. For more
- * information on the latter, see the next section.
- *
- * For a server, the library implements a built-in internal session cache as an
- * in-memory hash table. Servers may also use |SSL_CTX_sess_set_get_cb| and
- * |SSL_CTX_sess_set_new_cb| to implement a custom external session cache. In
- * particular, this may be used to share a session cache between multiple
- * servers in a large deployment. An external cache may be used in addition to
- * or instead of the internal one. Use |SSL_CTX_set_session_cache_mode| to
- * toggle the internal cache.
- *
- * For a client, the only option is an external session cache. Clients may use
- * |SSL_CTX_sess_set_new_cb| to register a callback for when new sessions are
- * available. These may be cached and, in subsequent compatible connections,
- * configured with |SSL_set_session|.
- *
- * Note that offering or accepting a session short-circuits certificate
- * verification and most parameter negotiation. Resuming sessions across
- * different contexts may result in security failures and surprising
- * behavior. For a typical client, this means sessions for different hosts must
- * be cached under different keys. A client that connects to the same host with,
- * e.g., different cipher suite settings or client certificates should also use
- * separate session caches between those contexts. Servers should also partition
- * session caches between SNI hosts with |SSL_CTX_set_session_id_context|. */
+// Session caching.
+//
+// Session caching allows connections to be established more efficiently based
+// on saved parameters from a previous connection, called a session (see
+// |SSL_SESSION|). The client offers a saved session, using an opaque identifier
+// from a previous connection. The server may accept the session, if it has the
+// parameters available. Otherwise, it will decline and continue with a full
+// handshake.
+//
+// This requires both the client and the server to retain session state. A
+// client does so with a stateful session cache. A server may do the same or, if
+// supported by both sides, statelessly using session tickets. For more
+// information on the latter, see the next section.
+//
+// For a server, the library implements a built-in internal session cache as an
+// in-memory hash table. Servers may also use |SSL_CTX_sess_set_get_cb| and
+// |SSL_CTX_sess_set_new_cb| to implement a custom external session cache. In
+// particular, this may be used to share a session cache between multiple
+// servers in a large deployment. An external cache may be used in addition to
+// or instead of the internal one. Use |SSL_CTX_set_session_cache_mode| to
+// toggle the internal cache.
+//
+// For a client, the only option is an external session cache. Clients may use
+// |SSL_CTX_sess_set_new_cb| to register a callback for when new sessions are
+// available. These may be cached and, in subsequent compatible connections,
+// configured with |SSL_set_session|.
+//
+// Note that offering or accepting a session short-circuits certificate
+// verification and most parameter negotiation. Resuming sessions across
+// different contexts may result in security failures and surprising
+// behavior. For a typical client, this means sessions for different hosts must
+// be cached under different keys. A client that connects to the same host with,
+// e.g., different cipher suite settings or client certificates should also use
+// separate session caches between those contexts. Servers should also partition
+// session caches between SNI hosts with |SSL_CTX_set_session_id_context|.
-/* SSL_SESS_CACHE_OFF disables all session caching. */
+// SSL_SESS_CACHE_OFF disables all session caching.
#define SSL_SESS_CACHE_OFF 0x0000
-/* SSL_SESS_CACHE_CLIENT enables session caching for a client. The internal
- * cache is never used on a client, so this only enables the callbacks. */
+// SSL_SESS_CACHE_CLIENT enables session caching for a client. The internal
+// cache is never used on a client, so this only enables the callbacks.
#define SSL_SESS_CACHE_CLIENT 0x0001
-/* SSL_SESS_CACHE_SERVER enables session caching for a server. */
+// SSL_SESS_CACHE_SERVER enables session caching for a server.
#define SSL_SESS_CACHE_SERVER 0x0002
-/* SSL_SESS_CACHE_BOTH enables session caching for both client and server. */
+// SSL_SESS_CACHE_BOTH enables session caching for both client and server.
#define SSL_SESS_CACHE_BOTH (SSL_SESS_CACHE_CLIENT | SSL_SESS_CACHE_SERVER)
-/* SSL_SESS_CACHE_NO_AUTO_CLEAR disables automatically calling
- * |SSL_CTX_flush_sessions| every 255 connections. */
+// SSL_SESS_CACHE_NO_AUTO_CLEAR disables automatically calling
+// |SSL_CTX_flush_sessions| every 255 connections.
#define SSL_SESS_CACHE_NO_AUTO_CLEAR 0x0080
-/* SSL_SESS_CACHE_NO_INTERNAL_LOOKUP, on a server, disables looking up a session
- * from the internal session cache. */
+// SSL_SESS_CACHE_NO_INTERNAL_LOOKUP, on a server, disables looking up a session
+// from the internal session cache.
#define SSL_SESS_CACHE_NO_INTERNAL_LOOKUP 0x0100
-/* SSL_SESS_CACHE_NO_INTERNAL_STORE, on a server, disables storing sessions in
- * the internal session cache. */
+// SSL_SESS_CACHE_NO_INTERNAL_STORE, on a server, disables storing sessions in
+// the internal session cache.
#define SSL_SESS_CACHE_NO_INTERNAL_STORE 0x0200
-/* SSL_SESS_CACHE_NO_INTERNAL, on a server, disables the internal session
- * cache. */
+// SSL_SESS_CACHE_NO_INTERNAL, on a server, disables the internal session
+// cache.
#define SSL_SESS_CACHE_NO_INTERNAL \
(SSL_SESS_CACHE_NO_INTERNAL_LOOKUP | SSL_SESS_CACHE_NO_INTERNAL_STORE)
-/* SSL_CTX_set_session_cache_mode sets the session cache mode bits for |ctx| to
- * |mode|. It returns the previous value. */
+// SSL_CTX_set_session_cache_mode sets the session cache mode bits for |ctx| to
+// |mode|. It returns the previous value.
OPENSSL_EXPORT int SSL_CTX_set_session_cache_mode(SSL_CTX *ctx, int mode);
-/* SSL_CTX_get_session_cache_mode returns the session cache mode bits for
- * |ctx| */
+// SSL_CTX_get_session_cache_mode returns the session cache mode bits for
+// |ctx|
OPENSSL_EXPORT int SSL_CTX_get_session_cache_mode(const SSL_CTX *ctx);
-/* SSL_set_session, for a client, configures |ssl| to offer to resume |session|
- * in the initial handshake and returns one. The caller retains ownership of
- * |session|.
- *
- * It is an error to call this function after the handshake has begun. */
+// SSL_set_session, for a client, configures |ssl| to offer to resume |session|
+// in the initial handshake and returns one. The caller retains ownership of
+// |session|.
+//
+// It is an error to call this function after the handshake has begun.
OPENSSL_EXPORT int SSL_set_session(SSL *ssl, SSL_SESSION *session);
-/* SSL_DEFAULT_SESSION_TIMEOUT is the default lifetime, in seconds, of a
- * session in TLS 1.2 or earlier. This is how long we are willing to use the
- * secret to encrypt traffic without fresh key material. */
+// SSL_DEFAULT_SESSION_TIMEOUT is the default lifetime, in seconds, of a
+// session in TLS 1.2 or earlier. This is how long we are willing to use the
+// secret to encrypt traffic without fresh key material.
#define SSL_DEFAULT_SESSION_TIMEOUT (2 * 60 * 60)
-/* SSL_DEFAULT_SESSION_PSK_DHE_TIMEOUT is the default lifetime, in seconds, of a
- * session for TLS 1.3 psk_dhe_ke. This is how long we are willing to use the
- * secret as an authenticator. */
+// SSL_DEFAULT_SESSION_PSK_DHE_TIMEOUT is the default lifetime, in seconds, of a
+// session for TLS 1.3 psk_dhe_ke. This is how long we are willing to use the
+// secret as an authenticator.
#define SSL_DEFAULT_SESSION_PSK_DHE_TIMEOUT (2 * 24 * 60 * 60)
-/* SSL_DEFAULT_SESSION_AUTH_TIMEOUT is the default non-renewable lifetime, in
- * seconds, of a TLS 1.3 session. This is how long we are willing to trust the
- * signature in the initial handshake. */
+// SSL_DEFAULT_SESSION_AUTH_TIMEOUT is the default non-renewable lifetime, in
+// seconds, of a TLS 1.3 session. This is how long we are willing to trust the
+// signature in the initial handshake.
#define SSL_DEFAULT_SESSION_AUTH_TIMEOUT (7 * 24 * 60 * 60)
-/* SSL_CTX_set_timeout sets the lifetime, in seconds, of TLS 1.2 (or earlier)
- * sessions created in |ctx| to |timeout|. */
+// SSL_CTX_set_timeout sets the lifetime, in seconds, of TLS 1.2 (or earlier)
+// sessions created in |ctx| to |timeout|.
OPENSSL_EXPORT uint32_t SSL_CTX_set_timeout(SSL_CTX *ctx, uint32_t timeout);
-/* SSL_CTX_set_session_psk_dhe_timeout sets the lifetime, in seconds, of TLS 1.3
- * sessions created in |ctx| to |timeout|. */
+// SSL_CTX_set_session_psk_dhe_timeout sets the lifetime, in seconds, of TLS 1.3
+// sessions created in |ctx| to |timeout|.
OPENSSL_EXPORT void SSL_CTX_set_session_psk_dhe_timeout(SSL_CTX *ctx,
uint32_t timeout);
-/* SSL_CTX_get_timeout returns the lifetime, in seconds, of TLS 1.2 (or earlier)
- * sessions created in |ctx|. */
+// SSL_CTX_get_timeout returns the lifetime, in seconds, of TLS 1.2 (or earlier)
+// sessions created in |ctx|.
OPENSSL_EXPORT uint32_t SSL_CTX_get_timeout(const SSL_CTX *ctx);
-/* SSL_CTX_set_session_id_context sets |ctx|'s session ID context to |sid_ctx|.
- * It returns one on success and zero on error. The session ID context is an
- * application-defined opaque byte string. A session will not be used in a
- * connection without a matching session ID context.
- *
- * For a server, if |SSL_VERIFY_PEER| is enabled, it is an error to not set a
- * session ID context. */
+// SSL_CTX_set_session_id_context sets |ctx|'s session ID context to |sid_ctx|.
+// It returns one on success and zero on error. The session ID context is an
+// application-defined opaque byte string. A session will not be used in a
+// connection without a matching session ID context.
+//
+// For a server, if |SSL_VERIFY_PEER| is enabled, it is an error to not set a
+// session ID context.
OPENSSL_EXPORT int SSL_CTX_set_session_id_context(SSL_CTX *ctx,
const uint8_t *sid_ctx,
size_t sid_ctx_len);
-/* SSL_set_session_id_context sets |ssl|'s session ID context to |sid_ctx|. It
- * returns one on success and zero on error. See also
- * |SSL_CTX_set_session_id_context|. */
+// SSL_set_session_id_context sets |ssl|'s session ID context to |sid_ctx|. It
+// returns one on success and zero on error. See also
+// |SSL_CTX_set_session_id_context|.
OPENSSL_EXPORT int SSL_set_session_id_context(SSL *ssl, const uint8_t *sid_ctx,
size_t sid_ctx_len);
-/* SSL_get0_session_id_context returns a pointer to |ssl|'s session ID context
- * and sets |*out_len| to its length. */
+// SSL_get0_session_id_context returns a pointer to |ssl|'s session ID context
+// and sets |*out_len| to its length.
OPENSSL_EXPORT const uint8_t *SSL_get0_session_id_context(const SSL *ssl,
size_t *out_len);
-/* SSL_SESSION_CACHE_MAX_SIZE_DEFAULT is the default maximum size of a session
- * cache. */
+// SSL_SESSION_CACHE_MAX_SIZE_DEFAULT is the default maximum size of a session
+// cache.
#define SSL_SESSION_CACHE_MAX_SIZE_DEFAULT (1024 * 20)
-/* SSL_CTX_sess_set_cache_size sets the maximum size of |ctx|'s internal session
- * cache to |size|. It returns the previous value. */
+// SSL_CTX_sess_set_cache_size sets the maximum size of |ctx|'s internal session
+// cache to |size|. It returns the previous value.
OPENSSL_EXPORT unsigned long SSL_CTX_sess_set_cache_size(SSL_CTX *ctx,
unsigned long size);
-/* SSL_CTX_sess_get_cache_size returns the maximum size of |ctx|'s internal
- * session cache. */
+// SSL_CTX_sess_get_cache_size returns the maximum size of |ctx|'s internal
+// session cache.
OPENSSL_EXPORT unsigned long SSL_CTX_sess_get_cache_size(const SSL_CTX *ctx);
-/* SSL_CTX_sessions returns |ctx|'s internal session cache. */
+// SSL_CTX_sessions returns |ctx|'s internal session cache.
OPENSSL_EXPORT LHASH_OF(SSL_SESSION) *SSL_CTX_sessions(SSL_CTX *ctx);
-/* SSL_CTX_sess_number returns the number of sessions in |ctx|'s internal
- * session cache. */
+// SSL_CTX_sess_number returns the number of sessions in |ctx|'s internal
+// session cache.
OPENSSL_EXPORT size_t SSL_CTX_sess_number(const SSL_CTX *ctx);
-/* SSL_CTX_add_session inserts |session| into |ctx|'s internal session cache. It
- * returns one on success and zero on error or if |session| is already in the
- * cache. The caller retains its reference to |session|. */
+// SSL_CTX_add_session inserts |session| into |ctx|'s internal session cache. It
+// returns one on success and zero on error or if |session| is already in the
+// cache. The caller retains its reference to |session|.
OPENSSL_EXPORT int SSL_CTX_add_session(SSL_CTX *ctx, SSL_SESSION *session);
-/* SSL_CTX_remove_session removes |session| from |ctx|'s internal session cache.
- * It returns one on success and zero if |session| was not in the cache. */
+// SSL_CTX_remove_session removes |session| from |ctx|'s internal session cache.
+// It returns one on success and zero if |session| was not in the cache.
OPENSSL_EXPORT int SSL_CTX_remove_session(SSL_CTX *ctx, SSL_SESSION *session);
-/* SSL_CTX_flush_sessions removes all sessions from |ctx| which have expired as
- * of time |time|. If |time| is zero, all sessions are removed. */
+// SSL_CTX_flush_sessions removes all sessions from |ctx| which have expired as
+// of time |time|. If |time| is zero, all sessions are removed.
OPENSSL_EXPORT void SSL_CTX_flush_sessions(SSL_CTX *ctx, uint64_t time);
-/* SSL_CTX_sess_set_new_cb sets the callback to be called when a new session is
- * established and ready to be cached. If the session cache is disabled (the
- * appropriate one of |SSL_SESS_CACHE_CLIENT| or |SSL_SESS_CACHE_SERVER| is
- * unset), the callback is not called.
- *
- * The callback is passed a reference to |session|. It returns one if it takes
- * ownership (and then calls |SSL_SESSION_free| when done) and zero otherwise. A
- * consumer which places |session| into an in-memory cache will likely return
- * one, with the cache calling |SSL_SESSION_free|. A consumer which serializes
- * |session| with |SSL_SESSION_to_bytes| may not need to retain |session| and
- * will likely return zero. Returning one is equivalent to calling
- * |SSL_SESSION_up_ref| and then returning zero.
- *
- * Note: For a client, the callback may be called on abbreviated handshakes if a
- * ticket is renewed. Further, it may not be called until some time after
- * |SSL_do_handshake| or |SSL_connect| completes if False Start is enabled. Thus
- * it's recommended to use this callback over calling |SSL_get_session| on
- * handshake completion. */
+// SSL_CTX_sess_set_new_cb sets the callback to be called when a new session is
+// established and ready to be cached. If the session cache is disabled (the
+// appropriate one of |SSL_SESS_CACHE_CLIENT| or |SSL_SESS_CACHE_SERVER| is
+// unset), the callback is not called.
+//
+// The callback is passed a reference to |session|. It returns one if it takes
+// ownership (and then calls |SSL_SESSION_free| when done) and zero otherwise. A
+// consumer which places |session| into an in-memory cache will likely return
+// one, with the cache calling |SSL_SESSION_free|. A consumer which serializes
+// |session| with |SSL_SESSION_to_bytes| may not need to retain |session| and
+// will likely return zero. Returning one is equivalent to calling
+// |SSL_SESSION_up_ref| and then returning zero.
+//
+// Note: For a client, the callback may be called on abbreviated handshakes if a
+// ticket is renewed. Further, it may not be called until some time after
+// |SSL_do_handshake| or |SSL_connect| completes if False Start is enabled. Thus
+// it's recommended to use this callback over calling |SSL_get_session| on
+// handshake completion.
OPENSSL_EXPORT void SSL_CTX_sess_set_new_cb(
SSL_CTX *ctx, int (*new_session_cb)(SSL *ssl, SSL_SESSION *session));
-/* SSL_CTX_sess_get_new_cb returns the callback set by
- * |SSL_CTX_sess_set_new_cb|. */
+// SSL_CTX_sess_get_new_cb returns the callback set by
+// |SSL_CTX_sess_set_new_cb|.
OPENSSL_EXPORT int (*SSL_CTX_sess_get_new_cb(SSL_CTX *ctx))(
SSL *ssl, SSL_SESSION *session);
-/* SSL_CTX_sess_set_remove_cb sets a callback which is called when a session is
- * removed from the internal session cache.
- *
- * TODO(davidben): What is the point of this callback? It seems useless since it
- * only fires on sessions in the internal cache. */
+// SSL_CTX_sess_set_remove_cb sets a callback which is called when a session is
+// removed from the internal session cache.
+//
+// TODO(davidben): What is the point of this callback? It seems useless since it
+// only fires on sessions in the internal cache.
OPENSSL_EXPORT void SSL_CTX_sess_set_remove_cb(
SSL_CTX *ctx,
void (*remove_session_cb)(SSL_CTX *ctx, SSL_SESSION *session));
-/* SSL_CTX_sess_get_remove_cb returns the callback set by
- * |SSL_CTX_sess_set_remove_cb|. */
+// SSL_CTX_sess_get_remove_cb returns the callback set by
+// |SSL_CTX_sess_set_remove_cb|.
OPENSSL_EXPORT void (*SSL_CTX_sess_get_remove_cb(SSL_CTX *ctx))(
SSL_CTX *ctx, SSL_SESSION *session);
-/* SSL_CTX_sess_set_get_cb sets a callback to look up a session by ID for a
- * server. The callback is passed the session ID and should return a matching
- * |SSL_SESSION| or NULL if not found. It should set |*out_copy| to zero and
- * return a new reference to the session. This callback is not used for a
- * client.
- *
- * For historical reasons, if |*out_copy| is set to one (default), the SSL
- * library will take a new reference to the returned |SSL_SESSION|, expecting
- * the callback to return a non-owning pointer. This is not recommended. If
- * |ctx| and thus the callback is used on multiple threads, the session may be
- * removed and invalidated before the SSL library calls |SSL_SESSION_up_ref|,
- * whereas the callback may synchronize internally.
- *
- * To look up a session asynchronously, the callback may return
- * |SSL_magic_pending_session_ptr|. See the documentation for that function and
- * |SSL_ERROR_PENDING_SESSION|.
- *
- * If the internal session cache is enabled, the callback is only consulted if
- * the internal cache does not return a match.
- *
- * The callback's |id| parameter is not const for historical reasons, but the
- * contents may not be modified. */
+// SSL_CTX_sess_set_get_cb sets a callback to look up a session by ID for a
+// server. The callback is passed the session ID and should return a matching
+// |SSL_SESSION| or NULL if not found. It should set |*out_copy| to zero and
+// return a new reference to the session. This callback is not used for a
+// client.
+//
+// For historical reasons, if |*out_copy| is set to one (default), the SSL
+// library will take a new reference to the returned |SSL_SESSION|, expecting
+// the callback to return a non-owning pointer. This is not recommended. If
+// |ctx| and thus the callback is used on multiple threads, the session may be
+// removed and invalidated before the SSL library calls |SSL_SESSION_up_ref|,
+// whereas the callback may synchronize internally.
+//
+// To look up a session asynchronously, the callback may return
+// |SSL_magic_pending_session_ptr|. See the documentation for that function and
+// |SSL_ERROR_PENDING_SESSION|.
+//
+// If the internal session cache is enabled, the callback is only consulted if
+// the internal cache does not return a match.
+//
+// The callback's |id| parameter is not const for historical reasons, but the
+// contents may not be modified.
OPENSSL_EXPORT void SSL_CTX_sess_set_get_cb(
SSL_CTX *ctx,
SSL_SESSION *(*get_session_cb)(SSL *ssl, uint8_t *id, int id_len,
int *out_copy));
-/* SSL_CTX_sess_get_get_cb returns the callback set by
- * |SSL_CTX_sess_set_get_cb|. */
+// SSL_CTX_sess_get_get_cb returns the callback set by
+// |SSL_CTX_sess_set_get_cb|.
OPENSSL_EXPORT SSL_SESSION *(*SSL_CTX_sess_get_get_cb(SSL_CTX *ctx))(
SSL *ssl, uint8_t *id, int id_len, int *out_copy);
-/* SSL_magic_pending_session_ptr returns a magic |SSL_SESSION|* which indicates
- * that the session isn't currently unavailable. |SSL_get_error| will then
- * return |SSL_ERROR_PENDING_SESSION| and the handshake can be retried later
- * when the lookup has completed. */
+// SSL_magic_pending_session_ptr returns a magic |SSL_SESSION|* which indicates
+// that the session isn't currently unavailable. |SSL_get_error| will then
+// return |SSL_ERROR_PENDING_SESSION| and the handshake can be retried later
+// when the lookup has completed.
OPENSSL_EXPORT SSL_SESSION *SSL_magic_pending_session_ptr(void);
-/* Session tickets.
- *
- * Session tickets, from RFC 5077, allow session resumption without server-side
- * state. The server maintains a secret ticket key and sends the client opaque
- * encrypted session parameters, called a ticket. When offering the session, the
- * client sends the ticket which the server decrypts to recover session state.
- * Session tickets are enabled by default but may be disabled with
- * |SSL_OP_NO_TICKET|.
- *
- * On the client, ticket-based sessions use the same APIs as ID-based tickets.
- * Callers do not need to handle them differently.
- *
- * On the server, tickets are encrypted and authenticated with a secret key. By
- * default, an |SSL_CTX| generates a key on creation and uses it for the
- * lifetime of the |SSL_CTX|. Tickets are minted and processed
- * transparently. The following functions may be used to configure a persistent
- * key or implement more custom behavior, including key rotation and sharing
- * keys between multiple servers in a large deployment. There are three levels
- * of customisation possible:
- *
- * 1) One can simply set the keys with |SSL_CTX_set_tlsext_ticket_keys|.
- * 2) One can configure an |EVP_CIPHER_CTX| and |HMAC_CTX| directly for
- * encryption and authentication.
- * 3) One can configure an |SSL_TICKET_ENCRYPTION_METHOD| to have more control
- * and the option of asynchronous decryption.
- *
- * An attacker that compromises a server's session ticket key can impersonate
- * the server and, prior to TLS 1.3, retroactively decrypt all application
- * traffic from sessions using that ticket key. Thus ticket keys must be
- * regularly rotated for forward secrecy. Note the default key is currently not
- * rotated.
- *
- * TODO(davidben): This is silly. Rotate the default key automatically. */
+// Session tickets.
+//
+// Session tickets, from RFC 5077, allow session resumption without server-side
+// state. The server maintains a secret ticket key and sends the client opaque
+// encrypted session parameters, called a ticket. When offering the session, the
+// client sends the ticket which the server decrypts to recover session state.
+// Session tickets are enabled by default but may be disabled with
+// |SSL_OP_NO_TICKET|.
+//
+// On the client, ticket-based sessions use the same APIs as ID-based tickets.
+// Callers do not need to handle them differently.
+//
+// On the server, tickets are encrypted and authenticated with a secret key. By
+// default, an |SSL_CTX| generates a key on creation and uses it for the
+// lifetime of the |SSL_CTX|. Tickets are minted and processed
+// transparently. The following functions may be used to configure a persistent
+// key or implement more custom behavior, including key rotation and sharing
+// keys between multiple servers in a large deployment. There are three levels
+// of customisation possible:
+//
+// 1) One can simply set the keys with |SSL_CTX_set_tlsext_ticket_keys|.
+// 2) One can configure an |EVP_CIPHER_CTX| and |HMAC_CTX| directly for
+// encryption and authentication.
+// 3) One can configure an |SSL_TICKET_ENCRYPTION_METHOD| to have more control
+// and the option of asynchronous decryption.
+//
+// An attacker that compromises a server's session ticket key can impersonate
+// the server and, prior to TLS 1.3, retroactively decrypt all application
+// traffic from sessions using that ticket key. Thus ticket keys must be
+// regularly rotated for forward secrecy. Note the default key is rotated
+// automatically once every 48 hours but manually configured keys are not.
-/* SSL_CTX_get_tlsext_ticket_keys writes |ctx|'s session ticket key material to
- * |len| bytes of |out|. It returns one on success and zero if |len| is not
- * 48. If |out| is NULL, it returns 48 instead. */
+// SSL_DEFAULT_TICKET_KEY_ROTATION_INTERVAL is the interval with which the
+// default session ticket encryption key is rotated, if in use. If any
+// non-default ticket encryption mechanism is configured, automatic rotation is
+// disabled.
+#define SSL_DEFAULT_TICKET_KEY_ROTATION_INTERVAL (2 * 24 * 60 * 60)
+
+// SSL_CTX_get_tlsext_ticket_keys writes |ctx|'s session ticket key material to
+// |len| bytes of |out|. It returns one on success and zero if |len| is not
+// 48. If |out| is NULL, it returns 48 instead.
OPENSSL_EXPORT int SSL_CTX_get_tlsext_ticket_keys(SSL_CTX *ctx, void *out,
size_t len);
-/* SSL_CTX_set_tlsext_ticket_keys sets |ctx|'s session ticket key material to
- * |len| bytes of |in|. It returns one on success and zero if |len| is not
- * 48. If |in| is NULL, it returns 48 instead. */
+// SSL_CTX_set_tlsext_ticket_keys sets |ctx|'s session ticket key material to
+// |len| bytes of |in|. It returns one on success and zero if |len| is not
+// 48. If |in| is NULL, it returns 48 instead.
OPENSSL_EXPORT int SSL_CTX_set_tlsext_ticket_keys(SSL_CTX *ctx, const void *in,
size_t len);
-/* SSL_TICKET_KEY_NAME_LEN is the length of the key name prefix of a session
- * ticket. */
+// SSL_TICKET_KEY_NAME_LEN is the length of the key name prefix of a session
+// ticket.
#define SSL_TICKET_KEY_NAME_LEN 16
-/* SSL_CTX_set_tlsext_ticket_key_cb sets the ticket callback to |callback| and
- * returns one. |callback| will be called when encrypting a new ticket and when
- * decrypting a ticket from the client.
- *
- * In both modes, |ctx| and |hmac_ctx| will already have been initialized with
- * |EVP_CIPHER_CTX_init| and |HMAC_CTX_init|, respectively. |callback|
- * configures |hmac_ctx| with an HMAC digest and key, and configures |ctx|
- * for encryption or decryption, based on the mode.
- *
- * When encrypting a new ticket, |encrypt| will be one. It writes a public
- * 16-byte key name to |key_name| and a fresh IV to |iv|. The output IV length
- * must match |EVP_CIPHER_CTX_iv_length| of the cipher selected. In this mode,
- * |callback| returns 1 on success and -1 on error.
- *
- * When decrypting a ticket, |encrypt| will be zero. |key_name| will point to a
- * 16-byte key name and |iv| points to an IV. The length of the IV consumed must
- * match |EVP_CIPHER_CTX_iv_length| of the cipher selected. In this mode,
- * |callback| returns -1 to abort the handshake, 0 if decrypting the ticket
- * failed, and 1 or 2 on success. If it returns 2, the ticket will be renewed.
- * This may be used to re-key the ticket.
- *
- * WARNING: |callback| wildly breaks the usual return value convention and is
- * called in two different modes. */
+// SSL_CTX_set_tlsext_ticket_key_cb sets the ticket callback to |callback| and
+// returns one. |callback| will be called when encrypting a new ticket and when
+// decrypting a ticket from the client.
+//
+// In both modes, |ctx| and |hmac_ctx| will already have been initialized with
+// |EVP_CIPHER_CTX_init| and |HMAC_CTX_init|, respectively. |callback|
+// configures |hmac_ctx| with an HMAC digest and key, and configures |ctx|
+// for encryption or decryption, based on the mode.
+//
+// When encrypting a new ticket, |encrypt| will be one. It writes a public
+// 16-byte key name to |key_name| and a fresh IV to |iv|. The output IV length
+// must match |EVP_CIPHER_CTX_iv_length| of the cipher selected. In this mode,
+// |callback| returns 1 on success and -1 on error.
+//
+// When decrypting a ticket, |encrypt| will be zero. |key_name| will point to a
+// 16-byte key name and |iv| points to an IV. The length of the IV consumed must
+// match |EVP_CIPHER_CTX_iv_length| of the cipher selected. In this mode,
+// |callback| returns -1 to abort the handshake, 0 if decrypting the ticket
+// failed, and 1 or 2 on success. If it returns 2, the ticket will be renewed.
+// This may be used to re-key the ticket.
+//
+// WARNING: |callback| wildly breaks the usual return value convention and is
+// called in two different modes.
OPENSSL_EXPORT int SSL_CTX_set_tlsext_ticket_key_cb(
SSL_CTX *ctx, int (*callback)(SSL *ssl, uint8_t *key_name, uint8_t *iv,
EVP_CIPHER_CTX *ctx, HMAC_CTX *hmac_ctx,
int encrypt));
-/* ssl_ticket_aead_result_t enumerates the possible results from decrypting a
- * ticket with an |SSL_TICKET_AEAD_METHOD|. */
+// ssl_ticket_aead_result_t enumerates the possible results from decrypting a
+// ticket with an |SSL_TICKET_AEAD_METHOD|.
enum ssl_ticket_aead_result_t {
- /* ssl_ticket_aead_success indicates that the ticket was successfully
- * decrypted. */
+ // ssl_ticket_aead_success indicates that the ticket was successfully
+ // decrypted.
ssl_ticket_aead_success,
- /* ssl_ticket_aead_retry indicates that the operation could not be
- * immediately completed and must be reattempted, via |open|, at a later
- * point. */
+ // ssl_ticket_aead_retry indicates that the operation could not be
+ // immediately completed and must be reattempted, via |open|, at a later
+ // point.
ssl_ticket_aead_retry,
- /* ssl_ticket_aead_ignore_ticket indicates that the ticket should be ignored
- * (i.e. is corrupt or otherwise undecryptable). */
+ // ssl_ticket_aead_ignore_ticket indicates that the ticket should be ignored
+ // (i.e. is corrupt or otherwise undecryptable).
ssl_ticket_aead_ignore_ticket,
- /* ssl_ticket_aead_error indicates that a fatal error occured and the
- * handshake should be terminated. */
+ // ssl_ticket_aead_error indicates that a fatal error occured and the
+ // handshake should be terminated.
ssl_ticket_aead_error,
};
-/* ssl_ticket_aead_method_st (aka |SSL_TICKET_ENCRYPTION_METHOD|) contains
- * methods for encrypting and decrypting session tickets. */
+// ssl_ticket_aead_method_st (aka |SSL_TICKET_ENCRYPTION_METHOD|) contains
+// methods for encrypting and decrypting session tickets.
struct ssl_ticket_aead_method_st {
- /* max_overhead returns the maximum number of bytes of overhead that |seal|
- * may add. */
+ // max_overhead returns the maximum number of bytes of overhead that |seal|
+ // may add.
size_t (*max_overhead)(SSL *ssl);
- /* seal encrypts and authenticates |in_len| bytes from |in|, writes, at most,
- * |max_out_len| bytes to |out|, and puts the number of bytes written in
- * |*out_len|. The |in| and |out| buffers may be equal but will not otherwise
- * alias. It returns one on success or zero on error. */
+ // seal encrypts and authenticates |in_len| bytes from |in|, writes, at most,
+ // |max_out_len| bytes to |out|, and puts the number of bytes written in
+ // |*out_len|. The |in| and |out| buffers may be equal but will not otherwise
+ // alias. It returns one on success or zero on error.
int (*seal)(SSL *ssl, uint8_t *out, size_t *out_len, size_t max_out_len,
const uint8_t *in, size_t in_len);
- /* open authenticates and decrypts |in_len| bytes from |in|, writes, at most,
- * |max_out_len| bytes of plaintext to |out|, and puts the number of bytes
- * written in |*out_len|. The |in| and |out| buffers may be equal but will
- * not otherwise alias. See |ssl_ticket_aead_result_t| for details of the
- * return values. In the case that a retry is indicated, the caller should
- * arrange for the high-level operation on |ssl| to be retried when the
- * operation is completed, which will result in another call to |open|. */
+ // open authenticates and decrypts |in_len| bytes from |in|, writes, at most,
+ // |max_out_len| bytes of plaintext to |out|, and puts the number of bytes
+ // written in |*out_len|. The |in| and |out| buffers may be equal but will
+ // not otherwise alias. See |ssl_ticket_aead_result_t| for details of the
+ // return values. In the case that a retry is indicated, the caller should
+ // arrange for the high-level operation on |ssl| to be retried when the
+ // operation is completed, which will result in another call to |open|.
enum ssl_ticket_aead_result_t (*open)(SSL *ssl, uint8_t *out, size_t *out_len,
size_t max_out_len, const uint8_t *in,
size_t in_len);
};
-/* SSL_CTX_set_ticket_aead_method configures a custom ticket AEAD method table
- * on |ctx|. |aead_method| must remain valid for the lifetime of |ctx|. */
+// SSL_CTX_set_ticket_aead_method configures a custom ticket AEAD method table
+// on |ctx|. |aead_method| must remain valid for the lifetime of |ctx|.
OPENSSL_EXPORT void SSL_CTX_set_ticket_aead_method(
SSL_CTX *ctx, const SSL_TICKET_AEAD_METHOD *aead_method);
-/* Elliptic curve Diffie-Hellman.
- *
- * Cipher suites using an ECDHE key exchange perform Diffie-Hellman over an
- * elliptic curve negotiated by both endpoints. See RFC 4492. Only named curves
- * are supported. ECDHE is always enabled, but the curve preferences may be
- * configured with these functions.
- *
- * Note that TLS 1.3 renames these from curves to groups. For consistency, we
- * currently use the TLS 1.2 name in the API. */
+// Elliptic curve Diffie-Hellman.
+//
+// Cipher suites using an ECDHE key exchange perform Diffie-Hellman over an
+// elliptic curve negotiated by both endpoints. See RFC 4492. Only named curves
+// are supported. ECDHE is always enabled, but the curve preferences may be
+// configured with these functions.
+//
+// Note that TLS 1.3 renames these from curves to groups. For consistency, we
+// currently use the TLS 1.2 name in the API.
-/* SSL_CTX_set1_curves sets the preferred curves for |ctx| to be |curves|. Each
- * element of |curves| should be a curve nid. It returns one on success and
- * zero on failure.
- *
- * Note that this API uses nid values from nid.h and not the |SSL_CURVE_*|
- * values defined below. */
+// SSL_CTX_set1_curves sets the preferred curves for |ctx| to be |curves|. Each
+// element of |curves| should be a curve nid. It returns one on success and
+// zero on failure.
+//
+// Note that this API uses nid values from nid.h and not the |SSL_CURVE_*|
+// values defined below.
OPENSSL_EXPORT int SSL_CTX_set1_curves(SSL_CTX *ctx, const int *curves,
size_t curves_len);
-/* SSL_set1_curves sets the preferred curves for |ssl| to be |curves|. Each
- * element of |curves| should be a curve nid. It returns one on success and
- * zero on failure.
- *
- * Note that this API uses nid values from nid.h and not the |SSL_CURVE_*|
- * values defined below. */
+// SSL_set1_curves sets the preferred curves for |ssl| to be |curves|. Each
+// element of |curves| should be a curve nid. It returns one on success and
+// zero on failure.
+//
+// Note that this API uses nid values from nid.h and not the |SSL_CURVE_*|
+// values defined below.
OPENSSL_EXPORT int SSL_set1_curves(SSL *ssl, const int *curves,
size_t curves_len);
-/* SSL_CTX_set1_curves_list sets the preferred curves for |ctx| to be the
- * colon-separated list |curves|. Each element of |curves| should be a curve
- * name (e.g. P-256, X25519, ...). It returns one on success and zero on
- * failure. */
+// SSL_CTX_set1_curves_list sets the preferred curves for |ctx| to be the
+// colon-separated list |curves|. Each element of |curves| should be a curve
+// name (e.g. P-256, X25519, ...). It returns one on success and zero on
+// failure.
OPENSSL_EXPORT int SSL_CTX_set1_curves_list(SSL_CTX *ctx, const char *curves);
-/* SSL_set1_curves_list sets the preferred curves for |ssl| to be the
- * colon-separated list |curves|. Each element of |curves| should be a curve
- * name (e.g. P-256, X25519, ...). It returns one on success and zero on
- * failure. */
+// SSL_set1_curves_list sets the preferred curves for |ssl| to be the
+// colon-separated list |curves|. Each element of |curves| should be a curve
+// name (e.g. P-256, X25519, ...). It returns one on success and zero on
+// failure.
OPENSSL_EXPORT int SSL_set1_curves_list(SSL *ssl, const char *curves);
-/* SSL_CURVE_* define TLS curve IDs. */
+// SSL_CURVE_* define TLS curve IDs.
#define SSL_CURVE_SECP224R1 21
#define SSL_CURVE_SECP256R1 23
#define SSL_CURVE_SECP384R1 24
#define SSL_CURVE_SECP521R1 25
#define SSL_CURVE_X25519 29
-/* SSL_get_curve_id returns the ID of the curve used by |ssl|'s most recently
- * completed handshake or 0 if not applicable.
- *
- * TODO(davidben): This API currently does not work correctly if there is a
- * renegotiation in progress. Fix this. */
+// SSL_get_curve_id returns the ID of the curve used by |ssl|'s most recently
+// completed handshake or 0 if not applicable.
+//
+// TODO(davidben): This API currently does not work correctly if there is a
+// renegotiation in progress. Fix this.
OPENSSL_EXPORT uint16_t SSL_get_curve_id(const SSL *ssl);
-/* SSL_get_curve_name returns a human-readable name for the curve specified by
- * the given TLS curve id, or NULL if the curve is unknown. */
+// SSL_get_curve_name returns a human-readable name for the curve specified by
+// the given TLS curve id, or NULL if the curve is unknown.
OPENSSL_EXPORT const char *SSL_get_curve_name(uint16_t curve_id);
-/* Certificate verification.
- *
- * SSL may authenticate either endpoint with an X.509 certificate. Typically
- * this is used to authenticate the server to the client. These functions
- * configure certificate verification.
- *
- * WARNING: By default, certificate verification errors on a client are not
- * fatal. See |SSL_VERIFY_NONE| This may be configured with
- * |SSL_CTX_set_verify|.
- *
- * By default clients are anonymous but a server may request a certificate from
- * the client by setting |SSL_VERIFY_PEER|.
- *
- * Many of these functions use OpenSSL's legacy X.509 stack which is
- * underdocumented and deprecated, but the replacement isn't ready yet. For
- * now, consumers may use the existing stack or bypass it by performing
- * certificate verification externally. This may be done with
- * |SSL_CTX_set_cert_verify_callback| or by extracting the chain with
- * |SSL_get_peer_cert_chain| after the handshake. In the future, functions will
- * be added to use the SSL stack without dependency on any part of the legacy
- * X.509 and ASN.1 stack.
- *
- * To augment certificate verification, a client may also enable OCSP stapling
- * (RFC 6066) and Certificate Transparency (RFC 6962) extensions. */
+// Certificate verification.
+//
+// SSL may authenticate either endpoint with an X.509 certificate. Typically
+// this is used to authenticate the server to the client. These functions
+// configure certificate verification.
+//
+// WARNING: By default, certificate verification errors on a client are not
+// fatal. See |SSL_VERIFY_NONE| This may be configured with
+// |SSL_CTX_set_verify|.
+//
+// By default clients are anonymous but a server may request a certificate from
+// the client by setting |SSL_VERIFY_PEER|.
+//
+// Many of these functions use OpenSSL's legacy X.509 stack which is
+// underdocumented and deprecated, but the replacement isn't ready yet. For
+// now, consumers may use the existing stack or bypass it by performing
+// certificate verification externally. This may be done with
+// |SSL_CTX_set_cert_verify_callback| or by extracting the chain with
+// |SSL_get_peer_cert_chain| after the handshake. In the future, functions will
+// be added to use the SSL stack without dependency on any part of the legacy
+// X.509 and ASN.1 stack.
+//
+// To augment certificate verification, a client may also enable OCSP stapling
+// (RFC 6066) and Certificate Transparency (RFC 6962) extensions.
-/* SSL_VERIFY_NONE, on a client, verifies the server certificate but does not
- * make errors fatal. The result may be checked with |SSL_get_verify_result|. On
- * a server it does not request a client certificate. This is the default. */
+// SSL_VERIFY_NONE, on a client, verifies the server certificate but does not
+// make errors fatal. The result may be checked with |SSL_get_verify_result|. On
+// a server it does not request a client certificate. This is the default.
#define SSL_VERIFY_NONE 0x00
-/* SSL_VERIFY_PEER, on a client, makes server certificate errors fatal. On a
- * server it requests a client certificate and makes errors fatal. However,
- * anonymous clients are still allowed. See
- * |SSL_VERIFY_FAIL_IF_NO_PEER_CERT|. */
+// SSL_VERIFY_PEER, on a client, makes server certificate errors fatal. On a
+// server it requests a client certificate and makes errors fatal. However,
+// anonymous clients are still allowed. See
+// |SSL_VERIFY_FAIL_IF_NO_PEER_CERT|.
#define SSL_VERIFY_PEER 0x01
-/* SSL_VERIFY_FAIL_IF_NO_PEER_CERT configures a server to reject connections if
- * the client declines to send a certificate. This flag must be used together
- * with |SSL_VERIFY_PEER|, otherwise it won't work. */
+// SSL_VERIFY_FAIL_IF_NO_PEER_CERT configures a server to reject connections if
+// the client declines to send a certificate. This flag must be used together
+// with |SSL_VERIFY_PEER|, otherwise it won't work.
#define SSL_VERIFY_FAIL_IF_NO_PEER_CERT 0x02
-/* SSL_VERIFY_PEER_IF_NO_OBC configures a server to request a client certificate
- * if and only if Channel ID is not negotiated. */
+// SSL_VERIFY_PEER_IF_NO_OBC configures a server to request a client certificate
+// if and only if Channel ID is not negotiated.
#define SSL_VERIFY_PEER_IF_NO_OBC 0x04
-/* SSL_CTX_set_verify configures certificate verification behavior. |mode| is
- * one of the |SSL_VERIFY_*| values defined above. |callback|, if not NULL, is
- * used to customize certificate verification. See the behavior of
- * |X509_STORE_CTX_set_verify_cb|.
- *
- * The callback may use |SSL_get_ex_data_X509_STORE_CTX_idx| with
- * |X509_STORE_CTX_get_ex_data| to look up the |SSL| from |store_ctx|. */
+// SSL_CTX_set_verify configures certificate verification behavior. |mode| is
+// one of the |SSL_VERIFY_*| values defined above. |callback|, if not NULL, is
+// used to customize certificate verification. See the behavior of
+// |X509_STORE_CTX_set_verify_cb|.
+//
+// The callback may use |SSL_get_ex_data_X509_STORE_CTX_idx| with
+// |X509_STORE_CTX_get_ex_data| to look up the |SSL| from |store_ctx|.
OPENSSL_EXPORT void SSL_CTX_set_verify(
SSL_CTX *ctx, int mode, int (*callback)(int ok, X509_STORE_CTX *store_ctx));
-/* SSL_set_verify configures certificate verification behavior. |mode| is one of
- * the |SSL_VERIFY_*| values defined above. |callback|, if not NULL, is used to
- * customize certificate verification. See the behavior of
- * |X509_STORE_CTX_set_verify_cb|.
- *
- * The callback may use |SSL_get_ex_data_X509_STORE_CTX_idx| with
- * |X509_STORE_CTX_get_ex_data| to look up the |SSL| from |store_ctx|. */
+// SSL_set_verify configures certificate verification behavior. |mode| is one of
+// the |SSL_VERIFY_*| values defined above. |callback|, if not NULL, is used to
+// customize certificate verification. See the behavior of
+// |X509_STORE_CTX_set_verify_cb|.
+//
+// The callback may use |SSL_get_ex_data_X509_STORE_CTX_idx| with
+// |X509_STORE_CTX_get_ex_data| to look up the |SSL| from |store_ctx|.
OPENSSL_EXPORT void SSL_set_verify(SSL *ssl, int mode,
int (*callback)(int ok,
X509_STORE_CTX *store_ctx));
@@ -2205,479 +2209,479 @@
ssl_verify_retry,
};
-/* SSL_CTX_set_custom_verify configures certificate verification. |mode| is one
- * of the |SSL_VERIFY_*| values defined above. |callback| performs the
- * certificate verification.
- *
- * The callback may call |SSL_get0_peer_certificates| for the certificate chain
- * to validate. The callback should return |ssl_verify_ok| if the certificate is
- * valid. If the certificate is invalid, the callback should return
- * |ssl_verify_invalid| and optionally set |*out_alert| to an alert to send to
- * the peer. Some useful alerts include |SSL_AD_CERTIFICATE_EXPIRED|,
- * |SSL_AD_CERTIFICATE_REVOKED|, |SSL_AD_UNKNOWN_CA|, |SSL_AD_BAD_CERTIFICATE|,
- * |SSL_AD_CERTIFICATE_UNKNOWN|, and |SSL_AD_INTERNAL_ERROR|. See RFC 5246
- * section 7.2.2 for their precise meanings. If unspecified,
- * |SSL_AD_CERTIFICATE_UNKNOWN| will be sent by default.
- *
- * To verify a certificate asynchronously, the callback may return
- * |ssl_verify_retry|. The handshake will then pause with |SSL_get_error|
- * returning |SSL_ERROR_WANT_CERTIFICATE_VERIFY|. */
+// SSL_CTX_set_custom_verify configures certificate verification. |mode| is one
+// of the |SSL_VERIFY_*| values defined above. |callback| performs the
+// certificate verification.
+//
+// The callback may call |SSL_get0_peer_certificates| for the certificate chain
+// to validate. The callback should return |ssl_verify_ok| if the certificate is
+// valid. If the certificate is invalid, the callback should return
+// |ssl_verify_invalid| and optionally set |*out_alert| to an alert to send to
+// the peer. Some useful alerts include |SSL_AD_CERTIFICATE_EXPIRED|,
+// |SSL_AD_CERTIFICATE_REVOKED|, |SSL_AD_UNKNOWN_CA|, |SSL_AD_BAD_CERTIFICATE|,
+// |SSL_AD_CERTIFICATE_UNKNOWN|, and |SSL_AD_INTERNAL_ERROR|. See RFC 5246
+// section 7.2.2 for their precise meanings. If unspecified,
+// |SSL_AD_CERTIFICATE_UNKNOWN| will be sent by default.
+//
+// To verify a certificate asynchronously, the callback may return
+// |ssl_verify_retry|. The handshake will then pause with |SSL_get_error|
+// returning |SSL_ERROR_WANT_CERTIFICATE_VERIFY|.
OPENSSL_EXPORT void SSL_CTX_set_custom_verify(
SSL_CTX *ctx, int mode,
enum ssl_verify_result_t (*callback)(SSL *ssl, uint8_t *out_alert));
-/* SSL_set_custom_verify behaves like |SSL_CTX_set_custom_verify| but configures
- * an individual |SSL|. */
+// SSL_set_custom_verify behaves like |SSL_CTX_set_custom_verify| but configures
+// an individual |SSL|.
OPENSSL_EXPORT void SSL_set_custom_verify(
SSL *ssl, int mode,
enum ssl_verify_result_t (*callback)(SSL *ssl, uint8_t *out_alert));
-/* SSL_CTX_get_verify_mode returns |ctx|'s verify mode, set by
- * |SSL_CTX_set_verify|. */
+// SSL_CTX_get_verify_mode returns |ctx|'s verify mode, set by
+// |SSL_CTX_set_verify|.
OPENSSL_EXPORT int SSL_CTX_get_verify_mode(const SSL_CTX *ctx);
-/* SSL_get_verify_mode returns |ssl|'s verify mode, set by |SSL_CTX_set_verify|
- * or |SSL_set_verify|. */
+// SSL_get_verify_mode returns |ssl|'s verify mode, set by |SSL_CTX_set_verify|
+// or |SSL_set_verify|.
OPENSSL_EXPORT int SSL_get_verify_mode(const SSL *ssl);
-/* SSL_CTX_get_verify_callback returns the callback set by
- * |SSL_CTX_set_verify|. */
+// SSL_CTX_get_verify_callback returns the callback set by
+// |SSL_CTX_set_verify|.
OPENSSL_EXPORT int (*SSL_CTX_get_verify_callback(const SSL_CTX *ctx))(
int ok, X509_STORE_CTX *store_ctx);
-/* SSL_get_verify_callback returns the callback set by |SSL_CTX_set_verify| or
- * |SSL_set_verify|. */
+// SSL_get_verify_callback returns the callback set by |SSL_CTX_set_verify| or
+// |SSL_set_verify|.
OPENSSL_EXPORT int (*SSL_get_verify_callback(const SSL *ssl))(
int ok, X509_STORE_CTX *store_ctx);
-/* SSL_CTX_set_verify_depth sets the maximum depth of a certificate chain
- * accepted in verification. This number does not include the leaf, so a depth
- * of 1 allows the leaf and one CA certificate. */
+// SSL_CTX_set_verify_depth sets the maximum depth of a certificate chain
+// accepted in verification. This number does not include the leaf, so a depth
+// of 1 allows the leaf and one CA certificate.
OPENSSL_EXPORT void SSL_CTX_set_verify_depth(SSL_CTX *ctx, int depth);
-/* SSL_set_verify_depth sets the maximum depth of a certificate chain accepted
- * in verification. This number does not include the leaf, so a depth of 1
- * allows the leaf and one CA certificate. */
+// SSL_set_verify_depth sets the maximum depth of a certificate chain accepted
+// in verification. This number does not include the leaf, so a depth of 1
+// allows the leaf and one CA certificate.
OPENSSL_EXPORT void SSL_set_verify_depth(SSL *ssl, int depth);
-/* SSL_CTX_get_verify_depth returns the maximum depth of a certificate accepted
- * in verification. */
+// SSL_CTX_get_verify_depth returns the maximum depth of a certificate accepted
+// in verification.
OPENSSL_EXPORT int SSL_CTX_get_verify_depth(const SSL_CTX *ctx);
-/* SSL_get_verify_depth returns the maximum depth of a certificate accepted in
- * verification. */
+// SSL_get_verify_depth returns the maximum depth of a certificate accepted in
+// verification.
OPENSSL_EXPORT int SSL_get_verify_depth(const SSL *ssl);
-/* SSL_CTX_set1_param sets verification parameters from |param|. It returns one
- * on success and zero on failure. The caller retains ownership of |param|. */
+// SSL_CTX_set1_param sets verification parameters from |param|. It returns one
+// on success and zero on failure. The caller retains ownership of |param|.
OPENSSL_EXPORT int SSL_CTX_set1_param(SSL_CTX *ctx,
const X509_VERIFY_PARAM *param);
-/* SSL_set1_param sets verification parameters from |param|. It returns one on
- * success and zero on failure. The caller retains ownership of |param|. */
+// SSL_set1_param sets verification parameters from |param|. It returns one on
+// success and zero on failure. The caller retains ownership of |param|.
OPENSSL_EXPORT int SSL_set1_param(SSL *ssl,
const X509_VERIFY_PARAM *param);
-/* SSL_CTX_get0_param returns |ctx|'s |X509_VERIFY_PARAM| for certificate
- * verification. The caller must not release the returned pointer but may call
- * functions on it to configure it. */
+// SSL_CTX_get0_param returns |ctx|'s |X509_VERIFY_PARAM| for certificate
+// verification. The caller must not release the returned pointer but may call
+// functions on it to configure it.
OPENSSL_EXPORT X509_VERIFY_PARAM *SSL_CTX_get0_param(SSL_CTX *ctx);
-/* SSL_get0_param returns |ssl|'s |X509_VERIFY_PARAM| for certificate
- * verification. The caller must not release the returned pointer but may call
- * functions on it to configure it. */
+// SSL_get0_param returns |ssl|'s |X509_VERIFY_PARAM| for certificate
+// verification. The caller must not release the returned pointer but may call
+// functions on it to configure it.
OPENSSL_EXPORT X509_VERIFY_PARAM *SSL_get0_param(SSL *ssl);
-/* SSL_CTX_set_purpose sets |ctx|'s |X509_VERIFY_PARAM|'s 'purpose' parameter to
- * |purpose|. It returns one on success and zero on error. */
+// SSL_CTX_set_purpose sets |ctx|'s |X509_VERIFY_PARAM|'s 'purpose' parameter to
+// |purpose|. It returns one on success and zero on error.
OPENSSL_EXPORT int SSL_CTX_set_purpose(SSL_CTX *ctx, int purpose);
-/* SSL_set_purpose sets |ssl|'s |X509_VERIFY_PARAM|'s 'purpose' parameter to
- * |purpose|. It returns one on success and zero on error. */
+// SSL_set_purpose sets |ssl|'s |X509_VERIFY_PARAM|'s 'purpose' parameter to
+// |purpose|. It returns one on success and zero on error.
OPENSSL_EXPORT int SSL_set_purpose(SSL *ssl, int purpose);
-/* SSL_CTX_set_trust sets |ctx|'s |X509_VERIFY_PARAM|'s 'trust' parameter to
- * |trust|. It returns one on success and zero on error. */
+// SSL_CTX_set_trust sets |ctx|'s |X509_VERIFY_PARAM|'s 'trust' parameter to
+// |trust|. It returns one on success and zero on error.
OPENSSL_EXPORT int SSL_CTX_set_trust(SSL_CTX *ctx, int trust);
-/* SSL_set_trust sets |ssl|'s |X509_VERIFY_PARAM|'s 'trust' parameter to
- * |trust|. It returns one on success and zero on error. */
+// SSL_set_trust sets |ssl|'s |X509_VERIFY_PARAM|'s 'trust' parameter to
+// |trust|. It returns one on success and zero on error.
OPENSSL_EXPORT int SSL_set_trust(SSL *ssl, int trust);
-/* SSL_CTX_set_cert_store sets |ctx|'s certificate store to |store|. It takes
- * ownership of |store|. The store is used for certificate verification.
- *
- * The store is also used for the auto-chaining feature, but this is deprecated.
- * See also |SSL_MODE_NO_AUTO_CHAIN|. */
+// SSL_CTX_set_cert_store sets |ctx|'s certificate store to |store|. It takes
+// ownership of |store|. The store is used for certificate verification.
+//
+// The store is also used for the auto-chaining feature, but this is deprecated.
+// See also |SSL_MODE_NO_AUTO_CHAIN|.
OPENSSL_EXPORT void SSL_CTX_set_cert_store(SSL_CTX *ctx, X509_STORE *store);
-/* SSL_CTX_get_cert_store returns |ctx|'s certificate store. */
+// SSL_CTX_get_cert_store returns |ctx|'s certificate store.
OPENSSL_EXPORT X509_STORE *SSL_CTX_get_cert_store(const SSL_CTX *ctx);
-/* SSL_CTX_set_default_verify_paths loads the OpenSSL system-default trust
- * anchors into |ctx|'s store. It returns one on success and zero on failure. */
+// SSL_CTX_set_default_verify_paths loads the OpenSSL system-default trust
+// anchors into |ctx|'s store. It returns one on success and zero on failure.
OPENSSL_EXPORT int SSL_CTX_set_default_verify_paths(SSL_CTX *ctx);
-/* SSL_CTX_load_verify_locations loads trust anchors into |ctx|'s store from
- * |ca_file| and |ca_dir|, either of which may be NULL. If |ca_file| is passed,
- * it is opened and PEM-encoded CA certificates are read. If |ca_dir| is passed,
- * it is treated as a directory in OpenSSL's hashed directory format. It returns
- * one on success and zero on failure.
- *
- * See
- * https://www.openssl.org/docs/manmaster/ssl/SSL_CTX_load_verify_locations.html
- * for documentation on the directory format. */
+// SSL_CTX_load_verify_locations loads trust anchors into |ctx|'s store from
+// |ca_file| and |ca_dir|, either of which may be NULL. If |ca_file| is passed,
+// it is opened and PEM-encoded CA certificates are read. If |ca_dir| is passed,
+// it is treated as a directory in OpenSSL's hashed directory format. It returns
+// one on success and zero on failure.
+//
+// See
+// https://www.openssl.org/docs/manmaster/ssl/SSL_CTX_load_verify_locations.html
+// for documentation on the directory format.
OPENSSL_EXPORT int SSL_CTX_load_verify_locations(SSL_CTX *ctx,
const char *ca_file,
const char *ca_dir);
-/* SSL_get_verify_result returns the result of certificate verification. It is
- * either |X509_V_OK| or a |X509_V_ERR_*| value. */
+// SSL_get_verify_result returns the result of certificate verification. It is
+// either |X509_V_OK| or a |X509_V_ERR_*| value.
OPENSSL_EXPORT long SSL_get_verify_result(const SSL *ssl);
-/* SSL_get_ex_data_X509_STORE_CTX_idx returns the ex_data index used to look up
- * the |SSL| associated with an |X509_STORE_CTX| in the verify callback. */
+// SSL_get_ex_data_X509_STORE_CTX_idx returns the ex_data index used to look up
+// the |SSL| associated with an |X509_STORE_CTX| in the verify callback.
OPENSSL_EXPORT int SSL_get_ex_data_X509_STORE_CTX_idx(void);
-/* SSL_CTX_set_cert_verify_callback sets a custom callback to be called on
- * certificate verification rather than |X509_verify_cert|. |store_ctx| contains
- * the verification parameters. The callback should return one on success and
- * zero on fatal error. It may use |X509_STORE_CTX_set_error| to set a
- * verification result.
- *
- * The callback may use |SSL_get_ex_data_X509_STORE_CTX_idx| to recover the
- * |SSL| object from |store_ctx|. */
+// SSL_CTX_set_cert_verify_callback sets a custom callback to be called on
+// certificate verification rather than |X509_verify_cert|. |store_ctx| contains
+// the verification parameters. The callback should return one on success and
+// zero on fatal error. It may use |X509_STORE_CTX_set_error| to set a
+// verification result.
+//
+// The callback may use |SSL_get_ex_data_X509_STORE_CTX_idx| to recover the
+// |SSL| object from |store_ctx|.
OPENSSL_EXPORT void SSL_CTX_set_cert_verify_callback(
SSL_CTX *ctx, int (*callback)(X509_STORE_CTX *store_ctx, void *arg),
void *arg);
-/* SSL_enable_signed_cert_timestamps causes |ssl| (which must be the client end
- * of a connection) to request SCTs from the server. See
- * https://tools.ietf.org/html/rfc6962.
- *
- * Call |SSL_get0_signed_cert_timestamp_list| to recover the SCT after the
- * handshake. */
+// SSL_enable_signed_cert_timestamps causes |ssl| (which must be the client end
+// of a connection) to request SCTs from the server. See
+// https://tools.ietf.org/html/rfc6962.
+//
+// Call |SSL_get0_signed_cert_timestamp_list| to recover the SCT after the
+// handshake.
OPENSSL_EXPORT void SSL_enable_signed_cert_timestamps(SSL *ssl);
-/* SSL_CTX_enable_signed_cert_timestamps enables SCT requests on all client SSL
- * objects created from |ctx|.
- *
- * Call |SSL_get0_signed_cert_timestamp_list| to recover the SCT after the
- * handshake. */
+// SSL_CTX_enable_signed_cert_timestamps enables SCT requests on all client SSL
+// objects created from |ctx|.
+//
+// Call |SSL_get0_signed_cert_timestamp_list| to recover the SCT after the
+// handshake.
OPENSSL_EXPORT void SSL_CTX_enable_signed_cert_timestamps(SSL_CTX *ctx);
-/* SSL_enable_ocsp_stapling causes |ssl| (which must be the client end of a
- * connection) to request a stapled OCSP response from the server.
- *
- * Call |SSL_get0_ocsp_response| to recover the OCSP response after the
- * handshake. */
+// SSL_enable_ocsp_stapling causes |ssl| (which must be the client end of a
+// connection) to request a stapled OCSP response from the server.
+//
+// Call |SSL_get0_ocsp_response| to recover the OCSP response after the
+// handshake.
OPENSSL_EXPORT void SSL_enable_ocsp_stapling(SSL *ssl);
-/* SSL_CTX_enable_ocsp_stapling enables OCSP stapling on all client SSL objects
- * created from |ctx|.
- *
- * Call |SSL_get0_ocsp_response| to recover the OCSP response after the
- * handshake. */
+// SSL_CTX_enable_ocsp_stapling enables OCSP stapling on all client SSL objects
+// created from |ctx|.
+//
+// Call |SSL_get0_ocsp_response| to recover the OCSP response after the
+// handshake.
OPENSSL_EXPORT void SSL_CTX_enable_ocsp_stapling(SSL_CTX *ctx);
-/* SSL_CTX_set0_verify_cert_store sets an |X509_STORE| that will be used
- * exclusively for certificate verification and returns one. Ownership of
- * |store| is transferred to the |SSL_CTX|. */
+// SSL_CTX_set0_verify_cert_store sets an |X509_STORE| that will be used
+// exclusively for certificate verification and returns one. Ownership of
+// |store| is transferred to the |SSL_CTX|.
OPENSSL_EXPORT int SSL_CTX_set0_verify_cert_store(SSL_CTX *ctx,
X509_STORE *store);
-/* SSL_CTX_set1_verify_cert_store sets an |X509_STORE| that will be used
- * exclusively for certificate verification and returns one. An additional
- * reference to |store| will be taken. */
+// SSL_CTX_set1_verify_cert_store sets an |X509_STORE| that will be used
+// exclusively for certificate verification and returns one. An additional
+// reference to |store| will be taken.
OPENSSL_EXPORT int SSL_CTX_set1_verify_cert_store(SSL_CTX *ctx,
X509_STORE *store);
-/* SSL_set0_verify_cert_store sets an |X509_STORE| that will be used
- * exclusively for certificate verification and returns one. Ownership of
- * |store| is transferred to the |SSL|. */
+// SSL_set0_verify_cert_store sets an |X509_STORE| that will be used
+// exclusively for certificate verification and returns one. Ownership of
+// |store| is transferred to the |SSL|.
OPENSSL_EXPORT int SSL_set0_verify_cert_store(SSL *ssl, X509_STORE *store);
-/* SSL_set1_verify_cert_store sets an |X509_STORE| that will be used
- * exclusively for certificate verification and returns one. An additional
- * reference to |store| will be taken. */
+// SSL_set1_verify_cert_store sets an |X509_STORE| that will be used
+// exclusively for certificate verification and returns one. An additional
+// reference to |store| will be taken.
OPENSSL_EXPORT int SSL_set1_verify_cert_store(SSL *ssl, X509_STORE *store);
-/* SSL_CTX_set_ed25519_enabled configures whether |ctx| advertises support for
- * the Ed25519 signature algorithm when using the default preference list. */
+// SSL_CTX_set_ed25519_enabled configures whether |ctx| advertises support for
+// the Ed25519 signature algorithm when using the default preference list.
OPENSSL_EXPORT void SSL_CTX_set_ed25519_enabled(SSL_CTX *ctx, int enabled);
-/* SSL_CTX_set_verify_algorithm_prefs confingures |ctx| to use |prefs| as the
- * preference list when verifying signature's from the peer's long-term key. It
- * returns one on zero on error. |prefs| should not include the internal-only
- * value |SSL_SIGN_RSA_PKCS1_MD5_SHA1|. */
+// SSL_CTX_set_verify_algorithm_prefs confingures |ctx| to use |prefs| as the
+// preference list when verifying signature's from the peer's long-term key. It
+// returns one on zero on error. |prefs| should not include the internal-only
+// value |SSL_SIGN_RSA_PKCS1_MD5_SHA1|.
OPENSSL_EXPORT int SSL_CTX_set_verify_algorithm_prefs(SSL_CTX *ctx,
const uint16_t *prefs,
size_t num_prefs);
-/* Client certificate CA list.
- *
- * When requesting a client certificate, a server may advertise a list of
- * certificate authorities which are accepted. These functions may be used to
- * configure this list. */
+// Client certificate CA list.
+//
+// When requesting a client certificate, a server may advertise a list of
+// certificate authorities which are accepted. These functions may be used to
+// configure this list.
-/* SSL_set_client_CA_list sets |ssl|'s client certificate CA list to
- * |name_list|. It takes ownership of |name_list|. */
+// SSL_set_client_CA_list sets |ssl|'s client certificate CA list to
+// |name_list|. It takes ownership of |name_list|.
OPENSSL_EXPORT void SSL_set_client_CA_list(SSL *ssl,
STACK_OF(X509_NAME) *name_list);
-/* SSL_CTX_set_client_CA_list sets |ctx|'s client certificate CA list to
- * |name_list|. It takes ownership of |name_list|. */
+// SSL_CTX_set_client_CA_list sets |ctx|'s client certificate CA list to
+// |name_list|. It takes ownership of |name_list|.
OPENSSL_EXPORT void SSL_CTX_set_client_CA_list(SSL_CTX *ctx,
STACK_OF(X509_NAME) *name_list);
-/* SSL_set0_client_CAs sets |ssl|'s client certificate CA list to |name_list|,
- * which should contain DER-encoded distinguished names (RFC 5280). It takes
- * ownership of |name_list|. */
+// SSL_set0_client_CAs sets |ssl|'s client certificate CA list to |name_list|,
+// which should contain DER-encoded distinguished names (RFC 5280). It takes
+// ownership of |name_list|.
OPENSSL_EXPORT void SSL_set0_client_CAs(SSL *ssl,
STACK_OF(CRYPTO_BUFFER) *name_list);
-/* SSL_CTX_set0_client_CAs sets |ctx|'s client certificate CA list to
- * |name_list|, which should contain DER-encoded distinguished names (RFC 5280).
- * It takes ownership of |name_list|. */
+// SSL_CTX_set0_client_CAs sets |ctx|'s client certificate CA list to
+// |name_list|, which should contain DER-encoded distinguished names (RFC 5280).
+// It takes ownership of |name_list|.
OPENSSL_EXPORT void SSL_CTX_set0_client_CAs(SSL_CTX *ctx,
STACK_OF(CRYPTO_BUFFER) *name_list);
-/* SSL_get_client_CA_list returns |ssl|'s client certificate CA list. If |ssl|
- * has not been configured as a client, this is the list configured by
- * |SSL_CTX_set_client_CA_list|.
- *
- * If configured as a client, it returns the client certificate CA list sent by
- * the server. In this mode, the behavior is undefined except during the
- * callbacks set by |SSL_CTX_set_cert_cb| and |SSL_CTX_set_client_cert_cb| or
- * when the handshake is paused because of them. */
+// SSL_get_client_CA_list returns |ssl|'s client certificate CA list. If |ssl|
+// has not been configured as a client, this is the list configured by
+// |SSL_CTX_set_client_CA_list|.
+//
+// If configured as a client, it returns the client certificate CA list sent by
+// the server. In this mode, the behavior is undefined except during the
+// callbacks set by |SSL_CTX_set_cert_cb| and |SSL_CTX_set_client_cert_cb| or
+// when the handshake is paused because of them.
OPENSSL_EXPORT STACK_OF(X509_NAME) *SSL_get_client_CA_list(const SSL *ssl);
-/* SSL_get0_server_requested_CAs returns the CAs sent by a server to guide a
- * client in certificate selection. They are a series of DER-encoded X.509
- * names. This function may only be called during a callback set by
- * |SSL_CTX_set_cert_cb| or when the handshake is paused because of it.
- *
- * The returned stack is owned by |ssl|, as are its contents. It should not be
- * used past the point where the handshake is restarted after the callback. */
+// SSL_get0_server_requested_CAs returns the CAs sent by a server to guide a
+// client in certificate selection. They are a series of DER-encoded X.509
+// names. This function may only be called during a callback set by
+// |SSL_CTX_set_cert_cb| or when the handshake is paused because of it.
+//
+// The returned stack is owned by |ssl|, as are its contents. It should not be
+// used past the point where the handshake is restarted after the callback.
OPENSSL_EXPORT STACK_OF(CRYPTO_BUFFER) *SSL_get0_server_requested_CAs(
const SSL *ssl);
-/* SSL_CTX_get_client_CA_list returns |ctx|'s client certificate CA list. */
+// SSL_CTX_get_client_CA_list returns |ctx|'s client certificate CA list.
OPENSSL_EXPORT STACK_OF(X509_NAME) *
SSL_CTX_get_client_CA_list(const SSL_CTX *ctx);
-/* SSL_add_client_CA appends |x509|'s subject to the client certificate CA list.
- * It returns one on success or zero on error. The caller retains ownership of
- * |x509|. */
+// SSL_add_client_CA appends |x509|'s subject to the client certificate CA list.
+// It returns one on success or zero on error. The caller retains ownership of
+// |x509|.
OPENSSL_EXPORT int SSL_add_client_CA(SSL *ssl, X509 *x509);
-/* SSL_CTX_add_client_CA appends |x509|'s subject to the client certificate CA
- * list. It returns one on success or zero on error. The caller retains
- * ownership of |x509|. */
+// SSL_CTX_add_client_CA appends |x509|'s subject to the client certificate CA
+// list. It returns one on success or zero on error. The caller retains
+// ownership of |x509|.
OPENSSL_EXPORT int SSL_CTX_add_client_CA(SSL_CTX *ctx, X509 *x509);
-/* SSL_load_client_CA_file opens |file| and reads PEM-encoded certificates from
- * it. It returns a newly-allocated stack of the certificate subjects or NULL
- * on error. */
+// SSL_load_client_CA_file opens |file| and reads PEM-encoded certificates from
+// it. It returns a newly-allocated stack of the certificate subjects or NULL
+// on error.
OPENSSL_EXPORT STACK_OF(X509_NAME) *SSL_load_client_CA_file(const char *file);
-/* SSL_dup_CA_list makes a deep copy of |list|. It returns the new list on
- * success or NULL on allocation error. */
+// SSL_dup_CA_list makes a deep copy of |list|. It returns the new list on
+// success or NULL on allocation error.
OPENSSL_EXPORT STACK_OF(X509_NAME) *SSL_dup_CA_list(STACK_OF(X509_NAME) *list);
-/* SSL_add_file_cert_subjects_to_stack behaves like |SSL_load_client_CA_file|
- * but appends the result to |out|. It returns one on success or zero on
- * error. */
+// SSL_add_file_cert_subjects_to_stack behaves like |SSL_load_client_CA_file|
+// but appends the result to |out|. It returns one on success or zero on
+// error.
OPENSSL_EXPORT int SSL_add_file_cert_subjects_to_stack(STACK_OF(X509_NAME) *out,
const char *file);
-/* Server name indication.
- *
- * The server_name extension (RFC 3546) allows the client to advertise the name
- * of the server it is connecting to. This is used in virtual hosting
- * deployments to select one of a several certificates on a single IP. Only the
- * host_name name type is supported. */
+// Server name indication.
+//
+// The server_name extension (RFC 3546) allows the client to advertise the name
+// of the server it is connecting to. This is used in virtual hosting
+// deployments to select one of a several certificates on a single IP. Only the
+// host_name name type is supported.
#define TLSEXT_NAMETYPE_host_name 0
-/* SSL_set_tlsext_host_name, for a client, configures |ssl| to advertise |name|
- * in the server_name extension. It returns one on success and zero on error. */
+// SSL_set_tlsext_host_name, for a client, configures |ssl| to advertise |name|
+// in the server_name extension. It returns one on success and zero on error.
OPENSSL_EXPORT int SSL_set_tlsext_host_name(SSL *ssl, const char *name);
-/* SSL_get_servername, for a server, returns the hostname supplied by the
- * client or NULL if there was none. The |type| argument must be
- * |TLSEXT_NAMETYPE_host_name|. Note that the returned pointer points inside
- * |ssl| and is only valid until the next operation on |ssl|. */
+// SSL_get_servername, for a server, returns the hostname supplied by the
+// client or NULL if there was none. The |type| argument must be
+// |TLSEXT_NAMETYPE_host_name|. Note that the returned pointer points inside
+// |ssl| and is only valid until the next operation on |ssl|.
OPENSSL_EXPORT const char *SSL_get_servername(const SSL *ssl, const int type);
-/* SSL_get_servername_type, for a server, returns |TLSEXT_NAMETYPE_host_name|
- * if the client sent a hostname and -1 otherwise. */
+// SSL_get_servername_type, for a server, returns |TLSEXT_NAMETYPE_host_name|
+// if the client sent a hostname and -1 otherwise.
OPENSSL_EXPORT int SSL_get_servername_type(const SSL *ssl);
-/* SSL_CTX_set_tlsext_servername_callback configures |callback| to be called on
- * the server after ClientHello extensions have been parsed and returns one.
- * The callback may use |SSL_get_servername| to examine the server_name
- * extension and returns a |SSL_TLSEXT_ERR_*| value. The value of |arg| may be
- * set by calling |SSL_CTX_set_tlsext_servername_arg|.
- *
- * If the callback returns |SSL_TLSEXT_ERR_NOACK|, the server_name extension is
- * not acknowledged in the ServerHello. If the return value is
- * |SSL_TLSEXT_ERR_ALERT_FATAL|, then |*out_alert| is the alert to send,
- * defaulting to |SSL_AD_UNRECOGNIZED_NAME|. |SSL_TLSEXT_ERR_ALERT_WARNING| is
- * ignored and treated as |SSL_TLSEXT_ERR_OK|. */
+// SSL_CTX_set_tlsext_servername_callback configures |callback| to be called on
+// the server after ClientHello extensions have been parsed and returns one.
+// The callback may use |SSL_get_servername| to examine the server_name
+// extension and returns a |SSL_TLSEXT_ERR_*| value. The value of |arg| may be
+// set by calling |SSL_CTX_set_tlsext_servername_arg|.
+//
+// If the callback returns |SSL_TLSEXT_ERR_NOACK|, the server_name extension is
+// not acknowledged in the ServerHello. If the return value is
+// |SSL_TLSEXT_ERR_ALERT_FATAL|, then |*out_alert| is the alert to send,
+// defaulting to |SSL_AD_UNRECOGNIZED_NAME|. |SSL_TLSEXT_ERR_ALERT_WARNING| is
+// ignored and treated as |SSL_TLSEXT_ERR_OK|.
OPENSSL_EXPORT int SSL_CTX_set_tlsext_servername_callback(
SSL_CTX *ctx, int (*callback)(SSL *ssl, int *out_alert, void *arg));
-/* SSL_CTX_set_tlsext_servername_arg sets the argument to the servername
- * callback and returns one. See |SSL_CTX_set_tlsext_servername_callback|. */
+// SSL_CTX_set_tlsext_servername_arg sets the argument to the servername
+// callback and returns one. See |SSL_CTX_set_tlsext_servername_callback|.
OPENSSL_EXPORT int SSL_CTX_set_tlsext_servername_arg(SSL_CTX *ctx, void *arg);
-/* SSL_TLSEXT_ERR_* are values returned by some extension-related callbacks. */
+// SSL_TLSEXT_ERR_* are values returned by some extension-related callbacks.
#define SSL_TLSEXT_ERR_OK 0
#define SSL_TLSEXT_ERR_ALERT_WARNING 1
#define SSL_TLSEXT_ERR_ALERT_FATAL 2
#define SSL_TLSEXT_ERR_NOACK 3
-/* SSL_set_SSL_CTX changes |ssl|'s |SSL_CTX|. |ssl| will use the
- * certificate-related settings from |ctx|, and |SSL_get_SSL_CTX| will report
- * |ctx|. This function may be used during the callbacks registered by
- * |SSL_CTX_set_select_certificate_cb|,
- * |SSL_CTX_set_tlsext_servername_callback|, and |SSL_CTX_set_cert_cb| or when
- * the handshake is paused from them. It is typically used to switch
- * certificates based on SNI.
- *
- * Note the session cache and related settings will continue to use the initial
- * |SSL_CTX|. Callers should use |SSL_CTX_set_session_id_context| to partition
- * the session cache between different domains.
- *
- * TODO(davidben): Should other settings change after this call? */
+// SSL_set_SSL_CTX changes |ssl|'s |SSL_CTX|. |ssl| will use the
+// certificate-related settings from |ctx|, and |SSL_get_SSL_CTX| will report
+// |ctx|. This function may be used during the callbacks registered by
+// |SSL_CTX_set_select_certificate_cb|,
+// |SSL_CTX_set_tlsext_servername_callback|, and |SSL_CTX_set_cert_cb| or when
+// the handshake is paused from them. It is typically used to switch
+// certificates based on SNI.
+//
+// Note the session cache and related settings will continue to use the initial
+// |SSL_CTX|. Callers should use |SSL_CTX_set_session_id_context| to partition
+// the session cache between different domains.
+//
+// TODO(davidben): Should other settings change after this call?
OPENSSL_EXPORT SSL_CTX *SSL_set_SSL_CTX(SSL *ssl, SSL_CTX *ctx);
-/* Application-layer protocol negotiation.
- *
- * The ALPN extension (RFC 7301) allows negotiating different application-layer
- * protocols over a single port. This is used, for example, to negotiate
- * HTTP/2. */
+// Application-layer protocol negotiation.
+//
+// The ALPN extension (RFC 7301) allows negotiating different application-layer
+// protocols over a single port. This is used, for example, to negotiate
+// HTTP/2.
-/* SSL_CTX_set_alpn_protos sets the client ALPN protocol list on |ctx| to
- * |protos|. |protos| must be in wire-format (i.e. a series of non-empty, 8-bit
- * length-prefixed strings). It returns zero on success and one on failure.
- * Configuring this list enables ALPN on a client.
- *
- * WARNING: this function is dangerous because it breaks the usual return value
- * convention. */
+// SSL_CTX_set_alpn_protos sets the client ALPN protocol list on |ctx| to
+// |protos|. |protos| must be in wire-format (i.e. a series of non-empty, 8-bit
+// length-prefixed strings). It returns zero on success and one on failure.
+// Configuring this list enables ALPN on a client.
+//
+// WARNING: this function is dangerous because it breaks the usual return value
+// convention.
OPENSSL_EXPORT int SSL_CTX_set_alpn_protos(SSL_CTX *ctx, const uint8_t *protos,
unsigned protos_len);
-/* SSL_set_alpn_protos sets the client ALPN protocol list on |ssl| to |protos|.
- * |protos| must be in wire-format (i.e. a series of non-empty, 8-bit
- * length-prefixed strings). It returns zero on success and one on failure.
- * Configuring this list enables ALPN on a client.
- *
- * WARNING: this function is dangerous because it breaks the usual return value
- * convention. */
+// SSL_set_alpn_protos sets the client ALPN protocol list on |ssl| to |protos|.
+// |protos| must be in wire-format (i.e. a series of non-empty, 8-bit
+// length-prefixed strings). It returns zero on success and one on failure.
+// Configuring this list enables ALPN on a client.
+//
+// WARNING: this function is dangerous because it breaks the usual return value
+// convention.
OPENSSL_EXPORT int SSL_set_alpn_protos(SSL *ssl, const uint8_t *protos,
unsigned protos_len);
-/* SSL_CTX_set_alpn_select_cb sets a callback function on |ctx| that is called
- * during ClientHello processing in order to select an ALPN protocol from the
- * client's list of offered protocols. Configuring this callback enables ALPN on
- * a server.
- *
- * The callback is passed a wire-format (i.e. a series of non-empty, 8-bit
- * length-prefixed strings) ALPN protocol list in |in|. It should set |*out| and
- * |*out_len| to the selected protocol and return |SSL_TLSEXT_ERR_OK| on
- * success. It does not pass ownership of the buffer. Otherwise, it should
- * return |SSL_TLSEXT_ERR_NOACK|. Other |SSL_TLSEXT_ERR_*| values are
- * unimplemented and will be treated as |SSL_TLSEXT_ERR_NOACK|.
- *
- * The cipher suite is selected before negotiating ALPN. The callback may use
- * |SSL_get_pending_cipher| to query the cipher suite. */
+// SSL_CTX_set_alpn_select_cb sets a callback function on |ctx| that is called
+// during ClientHello processing in order to select an ALPN protocol from the
+// client's list of offered protocols. Configuring this callback enables ALPN on
+// a server.
+//
+// The callback is passed a wire-format (i.e. a series of non-empty, 8-bit
+// length-prefixed strings) ALPN protocol list in |in|. It should set |*out| and
+// |*out_len| to the selected protocol and return |SSL_TLSEXT_ERR_OK| on
+// success. It does not pass ownership of the buffer. Otherwise, it should
+// return |SSL_TLSEXT_ERR_NOACK|. Other |SSL_TLSEXT_ERR_*| values are
+// unimplemented and will be treated as |SSL_TLSEXT_ERR_NOACK|.
+//
+// The cipher suite is selected before negotiating ALPN. The callback may use
+// |SSL_get_pending_cipher| to query the cipher suite.
OPENSSL_EXPORT void SSL_CTX_set_alpn_select_cb(
SSL_CTX *ctx, int (*cb)(SSL *ssl, const uint8_t **out, uint8_t *out_len,
const uint8_t *in, unsigned in_len, void *arg),
void *arg);
-/* SSL_get0_alpn_selected gets the selected ALPN protocol (if any) from |ssl|.
- * On return it sets |*out_data| to point to |*out_len| bytes of protocol name
- * (not including the leading length-prefix byte). If the server didn't respond
- * with a negotiated protocol then |*out_len| will be zero. */
+// SSL_get0_alpn_selected gets the selected ALPN protocol (if any) from |ssl|.
+// On return it sets |*out_data| to point to |*out_len| bytes of protocol name
+// (not including the leading length-prefix byte). If the server didn't respond
+// with a negotiated protocol then |*out_len| will be zero.
OPENSSL_EXPORT void SSL_get0_alpn_selected(const SSL *ssl,
const uint8_t **out_data,
unsigned *out_len);
-/* SSL_CTX_set_allow_unknown_alpn_protos configures client connections on |ctx|
- * to allow unknown ALPN protocols from the server. Otherwise, by default, the
- * client will require that the protocol be advertised in
- * |SSL_CTX_set_alpn_protos|. */
+// SSL_CTX_set_allow_unknown_alpn_protos configures client connections on |ctx|
+// to allow unknown ALPN protocols from the server. Otherwise, by default, the
+// client will require that the protocol be advertised in
+// |SSL_CTX_set_alpn_protos|.
OPENSSL_EXPORT void SSL_CTX_set_allow_unknown_alpn_protos(SSL_CTX *ctx,
int enabled);
-/* Next protocol negotiation.
- *
- * The NPN extension (draft-agl-tls-nextprotoneg-03) is the predecessor to ALPN
- * and deprecated in favor of it. */
+// Next protocol negotiation.
+//
+// The NPN extension (draft-agl-tls-nextprotoneg-03) is the predecessor to ALPN
+// and deprecated in favor of it.
-/* SSL_CTX_set_next_protos_advertised_cb sets a callback that is called when a
- * TLS server needs a list of supported protocols for Next Protocol
- * Negotiation. The returned list must be in wire format. The list is returned
- * by setting |*out| to point to it and |*out_len| to its length. This memory
- * will not be modified, but one should assume that |ssl| keeps a reference to
- * it.
- *
- * The callback should return |SSL_TLSEXT_ERR_OK| if it wishes to advertise.
- * Otherwise, no such extension will be included in the ServerHello. */
+// SSL_CTX_set_next_protos_advertised_cb sets a callback that is called when a
+// TLS server needs a list of supported protocols for Next Protocol
+// Negotiation. The returned list must be in wire format. The list is returned
+// by setting |*out| to point to it and |*out_len| to its length. This memory
+// will not be modified, but one should assume that |ssl| keeps a reference to
+// it.
+//
+// The callback should return |SSL_TLSEXT_ERR_OK| if it wishes to advertise.
+// Otherwise, no such extension will be included in the ServerHello.
OPENSSL_EXPORT void SSL_CTX_set_next_protos_advertised_cb(
SSL_CTX *ctx,
int (*cb)(SSL *ssl, const uint8_t **out, unsigned *out_len, void *arg),
void *arg);
-/* SSL_CTX_set_next_proto_select_cb sets a callback that is called when a client
- * needs to select a protocol from the server's provided list. |*out| must be
- * set to point to the selected protocol (which may be within |in|). The length
- * of the protocol name must be written into |*out_len|. The server's advertised
- * protocols are provided in |in| and |in_len|. The callback can assume that
- * |in| is syntactically valid.
- *
- * The client must select a protocol. It is fatal to the connection if this
- * callback returns a value other than |SSL_TLSEXT_ERR_OK|.
- *
- * Configuring this callback enables NPN on a client. */
+// SSL_CTX_set_next_proto_select_cb sets a callback that is called when a client
+// needs to select a protocol from the server's provided list. |*out| must be
+// set to point to the selected protocol (which may be within |in|). The length
+// of the protocol name must be written into |*out_len|. The server's advertised
+// protocols are provided in |in| and |in_len|. The callback can assume that
+// |in| is syntactically valid.
+//
+// The client must select a protocol. It is fatal to the connection if this
+// callback returns a value other than |SSL_TLSEXT_ERR_OK|.
+//
+// Configuring this callback enables NPN on a client.
OPENSSL_EXPORT void SSL_CTX_set_next_proto_select_cb(
SSL_CTX *ctx, int (*cb)(SSL *ssl, uint8_t **out, uint8_t *out_len,
const uint8_t *in, unsigned in_len, void *arg),
void *arg);
-/* SSL_get0_next_proto_negotiated sets |*out_data| and |*out_len| to point to
- * the client's requested protocol for this connection. If the client didn't
- * request any protocol, then |*out_data| is set to NULL.
- *
- * Note that the client can request any protocol it chooses. The value returned
- * from this function need not be a member of the list of supported protocols
- * provided by the server. */
+// SSL_get0_next_proto_negotiated sets |*out_data| and |*out_len| to point to
+// the client's requested protocol for this connection. If the client didn't
+// request any protocol, then |*out_data| is set to NULL.
+//
+// Note that the client can request any protocol it chooses. The value returned
+// from this function need not be a member of the list of supported protocols
+// provided by the server.
OPENSSL_EXPORT void SSL_get0_next_proto_negotiated(const SSL *ssl,
const uint8_t **out_data,
unsigned *out_len);
-/* SSL_select_next_proto implements the standard protocol selection. It is
- * expected that this function is called from the callback set by
- * |SSL_CTX_set_next_proto_select_cb|.
- *
- * |peer| and |supported| must be vectors of 8-bit, length-prefixed byte strings
- * containing the peer and locally-configured protocols, respectively. The
- * length byte itself is not included in the length. A byte string of length 0
- * is invalid. No byte string may be truncated. |supported| is assumed to be
- * non-empty.
- *
- * This function finds the first protocol in |peer| which is also in
- * |supported|. If one was found, it sets |*out| and |*out_len| to point to it
- * and returns |OPENSSL_NPN_NEGOTIATED|. Otherwise, it returns
- * |OPENSSL_NPN_NO_OVERLAP| and sets |*out| and |*out_len| to the first
- * supported protocol. */
+// SSL_select_next_proto implements the standard protocol selection. It is
+// expected that this function is called from the callback set by
+// |SSL_CTX_set_next_proto_select_cb|.
+//
+// |peer| and |supported| must be vectors of 8-bit, length-prefixed byte strings
+// containing the peer and locally-configured protocols, respectively. The
+// length byte itself is not included in the length. A byte string of length 0
+// is invalid. No byte string may be truncated. |supported| is assumed to be
+// non-empty.
+//
+// This function finds the first protocol in |peer| which is also in
+// |supported|. If one was found, it sets |*out| and |*out_len| to point to it
+// and returns |OPENSSL_NPN_NEGOTIATED|. Otherwise, it returns
+// |OPENSSL_NPN_NO_OVERLAP| and sets |*out| and |*out_len| to the first
+// supported protocol.
OPENSSL_EXPORT int SSL_select_next_proto(uint8_t **out, uint8_t *out_len,
const uint8_t *peer, unsigned peer_len,
const uint8_t *supported,
@@ -2688,59 +2692,59 @@
#define OPENSSL_NPN_NO_OVERLAP 2
-/* Channel ID.
- *
- * See draft-balfanz-tls-channelid-01. */
+// Channel ID.
+//
+// See draft-balfanz-tls-channelid-01.
-/* SSL_CTX_set_tls_channel_id_enabled configures whether connections associated
- * with |ctx| should enable Channel ID. */
+// SSL_CTX_set_tls_channel_id_enabled configures whether connections associated
+// with |ctx| should enable Channel ID.
OPENSSL_EXPORT void SSL_CTX_set_tls_channel_id_enabled(SSL_CTX *ctx,
int enabled);
-/* SSL_set_tls_channel_id_enabled configures whether |ssl| should enable Channel
- * ID. */
+// SSL_set_tls_channel_id_enabled configures whether |ssl| should enable Channel
+// ID.
OPENSSL_EXPORT void SSL_set_tls_channel_id_enabled(SSL *ssl, int enabled);
-/* SSL_CTX_set1_tls_channel_id configures a TLS client to send a TLS Channel ID
- * to compatible servers. |private_key| must be a P-256 EC key. It returns one
- * on success and zero on error. */
+// SSL_CTX_set1_tls_channel_id configures a TLS client to send a TLS Channel ID
+// to compatible servers. |private_key| must be a P-256 EC key. It returns one
+// on success and zero on error.
OPENSSL_EXPORT int SSL_CTX_set1_tls_channel_id(SSL_CTX *ctx,
EVP_PKEY *private_key);
-/* SSL_set1_tls_channel_id configures a TLS client to send a TLS Channel ID to
- * compatible servers. |private_key| must be a P-256 EC key. It returns one on
- * success and zero on error. */
+// SSL_set1_tls_channel_id configures a TLS client to send a TLS Channel ID to
+// compatible servers. |private_key| must be a P-256 EC key. It returns one on
+// success and zero on error.
OPENSSL_EXPORT int SSL_set1_tls_channel_id(SSL *ssl, EVP_PKEY *private_key);
-/* SSL_get_tls_channel_id gets the client's TLS Channel ID from a server |SSL*|
- * and copies up to the first |max_out| bytes into |out|. The Channel ID
- * consists of the client's P-256 public key as an (x,y) pair where each is a
- * 32-byte, big-endian field element. It returns 0 if the client didn't offer a
- * Channel ID and the length of the complete Channel ID otherwise. */
+// SSL_get_tls_channel_id gets the client's TLS Channel ID from a server |SSL*|
+// and copies up to the first |max_out| bytes into |out|. The Channel ID
+// consists of the client's P-256 public key as an (x,y) pair where each is a
+// 32-byte, big-endian field element. It returns 0 if the client didn't offer a
+// Channel ID and the length of the complete Channel ID otherwise.
OPENSSL_EXPORT size_t SSL_get_tls_channel_id(SSL *ssl, uint8_t *out,
size_t max_out);
-/* SSL_CTX_set_channel_id_cb sets a callback to be called when a TLS Channel ID
- * is requested. The callback may set |*out_pkey| to a key, passing a reference
- * to the caller. If none is returned, the handshake will pause and
- * |SSL_get_error| will return |SSL_ERROR_WANT_CHANNEL_ID_LOOKUP|.
- *
- * See also |SSL_ERROR_WANT_CHANNEL_ID_LOOKUP|. */
+// SSL_CTX_set_channel_id_cb sets a callback to be called when a TLS Channel ID
+// is requested. The callback may set |*out_pkey| to a key, passing a reference
+// to the caller. If none is returned, the handshake will pause and
+// |SSL_get_error| will return |SSL_ERROR_WANT_CHANNEL_ID_LOOKUP|.
+//
+// See also |SSL_ERROR_WANT_CHANNEL_ID_LOOKUP|.
OPENSSL_EXPORT void SSL_CTX_set_channel_id_cb(
SSL_CTX *ctx, void (*channel_id_cb)(SSL *ssl, EVP_PKEY **out_pkey));
-/* SSL_CTX_get_channel_id_cb returns the callback set by
- * |SSL_CTX_set_channel_id_cb|. */
+// SSL_CTX_get_channel_id_cb returns the callback set by
+// |SSL_CTX_set_channel_id_cb|.
OPENSSL_EXPORT void (*SSL_CTX_get_channel_id_cb(SSL_CTX *ctx))(
SSL *ssl, EVP_PKEY **out_pkey);
-/* DTLS-SRTP.
- *
- * See RFC 5764. */
+// DTLS-SRTP.
+//
+// See RFC 5764.
-/* srtp_protection_profile_st (aka |SRTP_PROTECTION_PROFILE|) is an SRTP
- * profile for use with the use_srtp extension. */
+// srtp_protection_profile_st (aka |SRTP_PROTECTION_PROFILE|) is an SRTP
+// profile for use with the use_srtp extension.
struct srtp_protection_profile_st {
const char *name;
unsigned long id;
@@ -2748,7 +2752,7 @@
DEFINE_CONST_STACK_OF(SRTP_PROTECTION_PROFILE)
-/* SRTP_* define constants for SRTP profiles. */
+// SRTP_* define constants for SRTP profiles.
#define SRTP_AES128_CM_SHA1_80 0x0001
#define SRTP_AES128_CM_SHA1_32 0x0002
#define SRTP_AES128_F8_SHA1_80 0x0003
@@ -2758,207 +2762,207 @@
#define SRTP_AEAD_AES_128_GCM 0x0007
#define SRTP_AEAD_AES_256_GCM 0x0008
-/* SSL_CTX_set_srtp_profiles enables SRTP for all SSL objects created from
- * |ctx|. |profile| contains a colon-separated list of profile names. It returns
- * one on success and zero on failure. */
+// SSL_CTX_set_srtp_profiles enables SRTP for all SSL objects created from
+// |ctx|. |profile| contains a colon-separated list of profile names. It returns
+// one on success and zero on failure.
OPENSSL_EXPORT int SSL_CTX_set_srtp_profiles(SSL_CTX *ctx,
const char *profiles);
-/* SSL_set_srtp_profiles enables SRTP for |ssl|. |profile| contains a
- * colon-separated list of profile names. It returns one on success and zero on
- * failure. */
+// SSL_set_srtp_profiles enables SRTP for |ssl|. |profile| contains a
+// colon-separated list of profile names. It returns one on success and zero on
+// failure.
OPENSSL_EXPORT int SSL_set_srtp_profiles(SSL *ssl, const char *profiles);
-/* SSL_get_srtp_profiles returns the SRTP profiles supported by |ssl|. */
+// SSL_get_srtp_profiles returns the SRTP profiles supported by |ssl|.
OPENSSL_EXPORT STACK_OF(SRTP_PROTECTION_PROFILE) *SSL_get_srtp_profiles(
SSL *ssl);
-/* SSL_get_selected_srtp_profile returns the selected SRTP profile, or NULL if
- * SRTP was not negotiated. */
+// SSL_get_selected_srtp_profile returns the selected SRTP profile, or NULL if
+// SRTP was not negotiated.
OPENSSL_EXPORT const SRTP_PROTECTION_PROFILE *SSL_get_selected_srtp_profile(
SSL *ssl);
-/* Pre-shared keys.
- *
- * Connections may be configured with PSK (Pre-Shared Key) cipher suites. These
- * authenticate using out-of-band pre-shared keys rather than certificates. See
- * RFC 4279.
- *
- * This implementation uses NUL-terminated C strings for identities and identity
- * hints, so values with a NUL character are not supported. (RFC 4279 does not
- * specify the format of an identity.) */
+// Pre-shared keys.
+//
+// Connections may be configured with PSK (Pre-Shared Key) cipher suites. These
+// authenticate using out-of-band pre-shared keys rather than certificates. See
+// RFC 4279.
+//
+// This implementation uses NUL-terminated C strings for identities and identity
+// hints, so values with a NUL character are not supported. (RFC 4279 does not
+// specify the format of an identity.)
-/* PSK_MAX_IDENTITY_LEN is the maximum supported length of a PSK identity,
- * excluding the NUL terminator. */
+// PSK_MAX_IDENTITY_LEN is the maximum supported length of a PSK identity,
+// excluding the NUL terminator.
#define PSK_MAX_IDENTITY_LEN 128
-/* PSK_MAX_PSK_LEN is the maximum supported length of a pre-shared key. */
+// PSK_MAX_PSK_LEN is the maximum supported length of a pre-shared key.
#define PSK_MAX_PSK_LEN 256
-/* SSL_CTX_set_psk_client_callback sets the callback to be called when PSK is
- * negotiated on the client. This callback must be set to enable PSK cipher
- * suites on the client.
- *
- * The callback is passed the identity hint in |hint| or NULL if none was
- * provided. It should select a PSK identity and write the identity and the
- * corresponding PSK to |identity| and |psk|, respectively. The identity is
- * written as a NUL-terminated C string of length (excluding the NUL terminator)
- * at most |max_identity_len|. The PSK's length must be at most |max_psk_len|.
- * The callback returns the length of the PSK or 0 if no suitable identity was
- * found. */
+// SSL_CTX_set_psk_client_callback sets the callback to be called when PSK is
+// negotiated on the client. This callback must be set to enable PSK cipher
+// suites on the client.
+//
+// The callback is passed the identity hint in |hint| or NULL if none was
+// provided. It should select a PSK identity and write the identity and the
+// corresponding PSK to |identity| and |psk|, respectively. The identity is
+// written as a NUL-terminated C string of length (excluding the NUL terminator)
+// at most |max_identity_len|. The PSK's length must be at most |max_psk_len|.
+// The callback returns the length of the PSK or 0 if no suitable identity was
+// found.
OPENSSL_EXPORT void SSL_CTX_set_psk_client_callback(
SSL_CTX *ctx, unsigned (*cb)(SSL *ssl, const char *hint, char *identity,
unsigned max_identity_len, uint8_t *psk,
unsigned max_psk_len));
-/* SSL_set_psk_client_callback sets the callback to be called when PSK is
- * negotiated on the client. This callback must be set to enable PSK cipher
- * suites on the client. See also |SSL_CTX_set_psk_client_callback|. */
+// SSL_set_psk_client_callback sets the callback to be called when PSK is
+// negotiated on the client. This callback must be set to enable PSK cipher
+// suites on the client. See also |SSL_CTX_set_psk_client_callback|.
OPENSSL_EXPORT void SSL_set_psk_client_callback(
SSL *ssl, unsigned (*cb)(SSL *ssl, const char *hint, char *identity,
unsigned max_identity_len, uint8_t *psk,
unsigned max_psk_len));
-/* SSL_CTX_set_psk_server_callback sets the callback to be called when PSK is
- * negotiated on the server. This callback must be set to enable PSK cipher
- * suites on the server.
- *
- * The callback is passed the identity in |identity|. It should write a PSK of
- * length at most |max_psk_len| to |psk| and return the number of bytes written
- * or zero if the PSK identity is unknown. */
+// SSL_CTX_set_psk_server_callback sets the callback to be called when PSK is
+// negotiated on the server. This callback must be set to enable PSK cipher
+// suites on the server.
+//
+// The callback is passed the identity in |identity|. It should write a PSK of
+// length at most |max_psk_len| to |psk| and return the number of bytes written
+// or zero if the PSK identity is unknown.
OPENSSL_EXPORT void SSL_CTX_set_psk_server_callback(
SSL_CTX *ctx, unsigned (*cb)(SSL *ssl, const char *identity, uint8_t *psk,
unsigned max_psk_len));
-/* SSL_set_psk_server_callback sets the callback to be called when PSK is
- * negotiated on the server. This callback must be set to enable PSK cipher
- * suites on the server. See also |SSL_CTX_set_psk_server_callback|. */
+// SSL_set_psk_server_callback sets the callback to be called when PSK is
+// negotiated on the server. This callback must be set to enable PSK cipher
+// suites on the server. See also |SSL_CTX_set_psk_server_callback|.
OPENSSL_EXPORT void SSL_set_psk_server_callback(
SSL *ssl, unsigned (*cb)(SSL *ssl, const char *identity, uint8_t *psk,
unsigned max_psk_len));
-/* SSL_CTX_use_psk_identity_hint configures server connections to advertise an
- * identity hint of |identity_hint|. It returns one on success and zero on
- * error. */
+// SSL_CTX_use_psk_identity_hint configures server connections to advertise an
+// identity hint of |identity_hint|. It returns one on success and zero on
+// error.
OPENSSL_EXPORT int SSL_CTX_use_psk_identity_hint(SSL_CTX *ctx,
const char *identity_hint);
-/* SSL_use_psk_identity_hint configures server connections to advertise an
- * identity hint of |identity_hint|. It returns one on success and zero on
- * error. */
+// SSL_use_psk_identity_hint configures server connections to advertise an
+// identity hint of |identity_hint|. It returns one on success and zero on
+// error.
OPENSSL_EXPORT int SSL_use_psk_identity_hint(SSL *ssl,
const char *identity_hint);
-/* SSL_get_psk_identity_hint returns the PSK identity hint advertised for |ssl|
- * or NULL if there is none. */
+// SSL_get_psk_identity_hint returns the PSK identity hint advertised for |ssl|
+// or NULL if there is none.
OPENSSL_EXPORT const char *SSL_get_psk_identity_hint(const SSL *ssl);
-/* SSL_get_psk_identity, after the handshake completes, returns the PSK identity
- * that was negotiated by |ssl| or NULL if PSK was not used. */
+// SSL_get_psk_identity, after the handshake completes, returns the PSK identity
+// that was negotiated by |ssl| or NULL if PSK was not used.
OPENSSL_EXPORT const char *SSL_get_psk_identity(const SSL *ssl);
-/* Early data.
- *
- * WARNING: 0-RTT support in BoringSSL is currently experimental and not fully
- * implemented. It may cause interoperability or security failures when used.
- *
- * Early data, or 0-RTT, is a feature in TLS 1.3 which allows clients to send
- * data on the first flight during a resumption handshake. This can save a
- * round-trip in some application protocols.
- *
- * WARNING: A 0-RTT handshake has different security properties from normal
- * handshake, so it is off by default unless opted in. In particular, early data
- * is replayable by a network attacker. Callers must account for this when
- * sending or processing data before the handshake is confirmed. See
- * draft-ietf-tls-tls13-18 for more information.
- *
- * As a server, if early data is accepted, |SSL_do_handshake| will complete as
- * soon as the ClientHello is processed and server flight sent. |SSL_write| may
- * be used to send half-RTT data. |SSL_read| will consume early data and
- * transition to 1-RTT data as appropriate. Prior to the transition,
- * |SSL_in_init| will report the handshake is still in progress. Callers may use
- * it or |SSL_in_early_data| to defer or reject requests as needed.
- *
- * Early data as a client is more complex. If the offered session (see
- * |SSL_set_session|) is 0-RTT-capable, the handshake will return after sending
- * the ClientHello. The predicted peer certificates and ALPN protocol will be
- * available via the usual APIs. |SSL_write| will write early data, up to the
- * session's limit. Writes past this limit and |SSL_read| will complete the
- * handshake before continuing. Callers may also call |SSL_do_handshake| again
- * to complete the handshake sooner.
- *
- * If the server accepts early data, the handshake will succeed. |SSL_read| and
- * |SSL_write| will then act as in a 1-RTT handshake. The peer certificates and
- * ALPN protocol will be as predicted and need not be re-queried.
- *
- * If the server rejects early data, |SSL_do_handshake| (and thus |SSL_read| and
- * |SSL_write|) will then fail with |SSL_get_error| returning
- * |SSL_ERROR_EARLY_DATA_REJECTED|. The caller should treat this as a connection
- * error and most likely perform a high-level retry. Note the server may still
- * have processed the early data due to attacker replays.
- *
- * To then continue the handshake on the original connection, use
- * |SSL_reset_early_data_reject|. The connection will then behave as one which
- * had not yet completed the handshake. This allows a faster retry than making a
- * fresh connection. |SSL_do_handshake| will complete the full handshake,
- * possibly resulting in different peer certificates, ALPN protocol, and other
- * properties. The caller must disregard any values from before the reset and
- * query again.
- *
- * Finally, to implement the fallback described in draft-ietf-tls-tls13-18
- * appendix C.3, retry on a fresh connection without 0-RTT if the handshake
- * fails with |SSL_R_WRONG_VERSION_ON_EARLY_DATA|. */
+// Early data.
+//
+// WARNING: 0-RTT support in BoringSSL is currently experimental and not fully
+// implemented. It may cause interoperability or security failures when used.
+//
+// Early data, or 0-RTT, is a feature in TLS 1.3 which allows clients to send
+// data on the first flight during a resumption handshake. This can save a
+// round-trip in some application protocols.
+//
+// WARNING: A 0-RTT handshake has different security properties from normal
+// handshake, so it is off by default unless opted in. In particular, early data
+// is replayable by a network attacker. Callers must account for this when
+// sending or processing data before the handshake is confirmed. See
+// draft-ietf-tls-tls13-18 for more information.
+//
+// As a server, if early data is accepted, |SSL_do_handshake| will complete as
+// soon as the ClientHello is processed and server flight sent. |SSL_write| may
+// be used to send half-RTT data. |SSL_read| will consume early data and
+// transition to 1-RTT data as appropriate. Prior to the transition,
+// |SSL_in_init| will report the handshake is still in progress. Callers may use
+// it or |SSL_in_early_data| to defer or reject requests as needed.
+//
+// Early data as a client is more complex. If the offered session (see
+// |SSL_set_session|) is 0-RTT-capable, the handshake will return after sending
+// the ClientHello. The predicted peer certificates and ALPN protocol will be
+// available via the usual APIs. |SSL_write| will write early data, up to the
+// session's limit. Writes past this limit and |SSL_read| will complete the
+// handshake before continuing. Callers may also call |SSL_do_handshake| again
+// to complete the handshake sooner.
+//
+// If the server accepts early data, the handshake will succeed. |SSL_read| and
+// |SSL_write| will then act as in a 1-RTT handshake. The peer certificates and
+// ALPN protocol will be as predicted and need not be re-queried.
+//
+// If the server rejects early data, |SSL_do_handshake| (and thus |SSL_read| and
+// |SSL_write|) will then fail with |SSL_get_error| returning
+// |SSL_ERROR_EARLY_DATA_REJECTED|. The caller should treat this as a connection
+// error and most likely perform a high-level retry. Note the server may still
+// have processed the early data due to attacker replays.
+//
+// To then continue the handshake on the original connection, use
+// |SSL_reset_early_data_reject|. The connection will then behave as one which
+// had not yet completed the handshake. This allows a faster retry than making a
+// fresh connection. |SSL_do_handshake| will complete the full handshake,
+// possibly resulting in different peer certificates, ALPN protocol, and other
+// properties. The caller must disregard any values from before the reset and
+// query again.
+//
+// Finally, to implement the fallback described in draft-ietf-tls-tls13-18
+// appendix C.3, retry on a fresh connection without 0-RTT if the handshake
+// fails with |SSL_R_WRONG_VERSION_ON_EARLY_DATA|.
-/* SSL_CTX_set_early_data_enabled sets whether early data is allowed to be used
- * with resumptions using |ctx|. */
+// SSL_CTX_set_early_data_enabled sets whether early data is allowed to be used
+// with resumptions using |ctx|.
OPENSSL_EXPORT void SSL_CTX_set_early_data_enabled(SSL_CTX *ctx, int enabled);
-/* SSL_set_early_data_enabled sets whether early data is allowed to be used
- * with resumptions using |ssl|. See |SSL_CTX_set_early_data_enabled| for more
- * information. */
+// SSL_set_early_data_enabled sets whether early data is allowed to be used
+// with resumptions using |ssl|. See |SSL_CTX_set_early_data_enabled| for more
+// information.
OPENSSL_EXPORT void SSL_set_early_data_enabled(SSL *ssl, int enabled);
-/* SSL_in_early_data returns one if |ssl| has a pending handshake that has
- * progressed enough to send or receive early data. Clients may call |SSL_write|
- * to send early data, but |SSL_read| will complete the handshake before
- * accepting application data. Servers may call |SSL_read| to read early data
- * and |SSL_write| to send half-RTT data. */
+// SSL_in_early_data returns one if |ssl| has a pending handshake that has
+// progressed enough to send or receive early data. Clients may call |SSL_write|
+// to send early data, but |SSL_read| will complete the handshake before
+// accepting application data. Servers may call |SSL_read| to read early data
+// and |SSL_write| to send half-RTT data.
OPENSSL_EXPORT int SSL_in_early_data(const SSL *ssl);
-/* SSL_early_data_accepted returns whether early data was accepted on the
- * handshake performed by |ssl|. */
+// SSL_early_data_accepted returns whether early data was accepted on the
+// handshake performed by |ssl|.
OPENSSL_EXPORT int SSL_early_data_accepted(const SSL *ssl);
-/* SSL_reset_early_data_reject resets |ssl| after an early data reject. All
- * 0-RTT state is discarded, including any pending |SSL_write| calls. The caller
- * should treat |ssl| as a logically fresh connection, usually by driving the
- * handshake to completion using |SSL_do_handshake|.
- *
- * It is an error to call this function on an |SSL| object that is not signaling
- * |SSL_ERROR_EARLY_DATA_REJECTED|. */
+// SSL_reset_early_data_reject resets |ssl| after an early data reject. All
+// 0-RTT state is discarded, including any pending |SSL_write| calls. The caller
+// should treat |ssl| as a logically fresh connection, usually by driving the
+// handshake to completion using |SSL_do_handshake|.
+//
+// It is an error to call this function on an |SSL| object that is not signaling
+// |SSL_ERROR_EARLY_DATA_REJECTED|.
OPENSSL_EXPORT void SSL_reset_early_data_reject(SSL *ssl);
-/* Alerts.
- *
- * TLS and SSL 3.0 use alerts to signal error conditions. Alerts have a type
- * (warning or fatal) and description. OpenSSL internally handles fatal alerts
- * with dedicated error codes (see |SSL_AD_REASON_OFFSET|). Except for
- * close_notify, warning alerts are silently ignored and may only be surfaced
- * with |SSL_CTX_set_info_callback|. */
+// Alerts.
+//
+// TLS and SSL 3.0 use alerts to signal error conditions. Alerts have a type
+// (warning or fatal) and description. OpenSSL internally handles fatal alerts
+// with dedicated error codes (see |SSL_AD_REASON_OFFSET|). Except for
+// close_notify, warning alerts are silently ignored and may only be surfaced
+// with |SSL_CTX_set_info_callback|.
-/* SSL_AD_REASON_OFFSET is the offset between error reasons and |SSL_AD_*|
- * values. Any error code under |ERR_LIB_SSL| with an error reason above this
- * value corresponds to an alert description. Consumers may add or subtract
- * |SSL_AD_REASON_OFFSET| to convert between them.
- *
- * make_errors.go reserves error codes above 1000 for manually-assigned errors.
- * This value must be kept in sync with reservedReasonCode in make_errors.h */
+// SSL_AD_REASON_OFFSET is the offset between error reasons and |SSL_AD_*|
+// values. Any error code under |ERR_LIB_SSL| with an error reason above this
+// value corresponds to an alert description. Consumers may add or subtract
+// |SSL_AD_REASON_OFFSET| to convert between them.
+//
+// make_errors.go reserves error codes above 1000 for manually-assigned errors.
+// This value must be kept in sync with reservedReasonCode in make_errors.h
#define SSL_AD_REASON_OFFSET 1000
-/* SSL_AD_* are alert descriptions for SSL 3.0 and TLS. */
+// SSL_AD_* are alert descriptions for SSL 3.0 and TLS.
#define SSL_AD_CLOSE_NOTIFY SSL3_AD_CLOSE_NOTIFY
#define SSL_AD_UNEXPECTED_MESSAGE SSL3_AD_UNEXPECTED_MESSAGE
#define SSL_AD_BAD_RECORD_MAC SSL3_AD_BAD_RECORD_MAC
@@ -2966,7 +2970,7 @@
#define SSL_AD_RECORD_OVERFLOW TLS1_AD_RECORD_OVERFLOW
#define SSL_AD_DECOMPRESSION_FAILURE SSL3_AD_DECOMPRESSION_FAILURE
#define SSL_AD_HANDSHAKE_FAILURE SSL3_AD_HANDSHAKE_FAILURE
-#define SSL_AD_NO_CERTIFICATE SSL3_AD_NO_CERTIFICATE /* Not used in TLS */
+#define SSL_AD_NO_CERTIFICATE SSL3_AD_NO_CERTIFICATE // Not used in TLS
#define SSL_AD_BAD_CERTIFICATE SSL3_AD_BAD_CERTIFICATE
#define SSL_AD_UNSUPPORTED_CERTIFICATE SSL3_AD_UNSUPPORTED_CERTIFICATE
#define SSL_AD_CERTIFICATE_REVOKED SSL3_AD_CERTIFICATE_REVOKED
@@ -2994,28 +2998,28 @@
#define SSL_AD_UNKNOWN_PSK_IDENTITY TLS1_AD_UNKNOWN_PSK_IDENTITY
#define SSL_AD_CERTIFICATE_REQUIRED TLS1_AD_CERTIFICATE_REQUIRED
-/* SSL_alert_type_string_long returns a string description of |value| as an
- * alert type (warning or fatal). */
+// SSL_alert_type_string_long returns a string description of |value| as an
+// alert type (warning or fatal).
OPENSSL_EXPORT const char *SSL_alert_type_string_long(int value);
-/* SSL_alert_desc_string_long returns a string description of |value| as an
- * alert description or "unknown" if unknown. */
+// SSL_alert_desc_string_long returns a string description of |value| as an
+// alert description or "unknown" if unknown.
OPENSSL_EXPORT const char *SSL_alert_desc_string_long(int value);
-/* SSL_send_fatal_alert sends a fatal alert over |ssl| of the specified type,
- * which should be one of the |SSL_AD_*| constants. It returns one on success
- * and <= 0 on error. The caller should pass the return value into
- * |SSL_get_error| to determine how to proceed. Once this function has been
- * called, future calls to |SSL_write| will fail.
- *
- * If retrying a failed operation due to |SSL_ERROR_WANT_WRITE|, subsequent
- * calls must use the same |alert| parameter. */
+// SSL_send_fatal_alert sends a fatal alert over |ssl| of the specified type,
+// which should be one of the |SSL_AD_*| constants. It returns one on success
+// and <= 0 on error. The caller should pass the return value into
+// |SSL_get_error| to determine how to proceed. Once this function has been
+// called, future calls to |SSL_write| will fail.
+//
+// If retrying a failed operation due to |SSL_ERROR_WANT_WRITE|, subsequent
+// calls must use the same |alert| parameter.
OPENSSL_EXPORT int SSL_send_fatal_alert(SSL *ssl, uint8_t alert);
-/* ex_data functions.
- *
- * See |ex_data.h| for details. */
+// ex_data functions.
+//
+// See |ex_data.h| for details.
OPENSSL_EXPORT int SSL_set_ex_data(SSL *ssl, int idx, void *data);
OPENSSL_EXPORT void *SSL_get_ex_data(const SSL *ssl, int idx);
@@ -3041,100 +3045,100 @@
CRYPTO_EX_free *free_func);
-/* Low-level record-layer state. */
+// Low-level record-layer state.
-/* SSL_get_ivs sets |*out_iv_len| to the length of the IVs for the ciphers
- * underlying |ssl| and sets |*out_read_iv| and |*out_write_iv| to point to the
- * current IVs for the read and write directions. This is only meaningful for
- * connections with implicit IVs (i.e. CBC mode with SSLv3 or TLS 1.0).
- *
- * It returns one on success or zero on error. */
+// SSL_get_ivs sets |*out_iv_len| to the length of the IVs for the ciphers
+// underlying |ssl| and sets |*out_read_iv| and |*out_write_iv| to point to the
+// current IVs for the read and write directions. This is only meaningful for
+// connections with implicit IVs (i.e. CBC mode with SSLv3 or TLS 1.0).
+//
+// It returns one on success or zero on error.
OPENSSL_EXPORT int SSL_get_ivs(const SSL *ssl, const uint8_t **out_read_iv,
const uint8_t **out_write_iv,
size_t *out_iv_len);
-/* SSL_get_key_block_len returns the length of |ssl|'s key block. */
+// SSL_get_key_block_len returns the length of |ssl|'s key block.
OPENSSL_EXPORT size_t SSL_get_key_block_len(const SSL *ssl);
-/* SSL_generate_key_block generates |out_len| bytes of key material for |ssl|'s
- * current connection state. */
+// SSL_generate_key_block generates |out_len| bytes of key material for |ssl|'s
+// current connection state.
OPENSSL_EXPORT int SSL_generate_key_block(const SSL *ssl, uint8_t *out,
size_t out_len);
-/* SSL_get_read_sequence returns, in TLS, the expected sequence number of the
- * next incoming record in the current epoch. In DTLS, it returns the maximum
- * sequence number received in the current epoch and includes the epoch number
- * in the two most significant bytes. */
+// SSL_get_read_sequence returns, in TLS, the expected sequence number of the
+// next incoming record in the current epoch. In DTLS, it returns the maximum
+// sequence number received in the current epoch and includes the epoch number
+// in the two most significant bytes.
OPENSSL_EXPORT uint64_t SSL_get_read_sequence(const SSL *ssl);
-/* SSL_get_write_sequence returns the sequence number of the next outgoing
- * record in the current epoch. In DTLS, it includes the epoch number in the
- * two most significant bytes. */
+// SSL_get_write_sequence returns the sequence number of the next outgoing
+// record in the current epoch. In DTLS, it includes the epoch number in the
+// two most significant bytes.
OPENSSL_EXPORT uint64_t SSL_get_write_sequence(const SSL *ssl);
-/* Obscure functions. */
+// Obscure functions.
-/* SSL_get_structure_sizes returns the sizes of the SSL, SSL_CTX and
- * SSL_SESSION structures so that a test can ensure that outside code agrees on
- * these values. */
+// SSL_get_structure_sizes returns the sizes of the SSL, SSL_CTX and
+// SSL_SESSION structures so that a test can ensure that outside code agrees on
+// these values.
OPENSSL_EXPORT void SSL_get_structure_sizes(size_t *ssl_size,
size_t *ssl_ctx_size,
size_t *ssl_session_size);
-/* SSL_CTX_set_msg_callback installs |cb| as the message callback for |ctx|.
- * This callback will be called when sending or receiving low-level record
- * headers, complete handshake messages, ChangeCipherSpec, and alerts.
- * |write_p| is one for outgoing messages and zero for incoming messages.
- *
- * For each record header, |cb| is called with |version| = 0 and |content_type|
- * = |SSL3_RT_HEADER|. The |len| bytes from |buf| contain the header. Note that
- * this does not include the record body. If the record is sealed, the length
- * in the header is the length of the ciphertext.
- *
- * For each handshake message, ChangeCipherSpec, and alert, |version| is the
- * protocol version and |content_type| is the corresponding record type. The
- * |len| bytes from |buf| contain the handshake message, one-byte
- * ChangeCipherSpec body, and two-byte alert, respectively.
- *
- * For a V2ClientHello, |version| is |SSL2_VERSION|, |content_type| is zero, and
- * the |len| bytes from |buf| contain the V2ClientHello structure. */
+// SSL_CTX_set_msg_callback installs |cb| as the message callback for |ctx|.
+// This callback will be called when sending or receiving low-level record
+// headers, complete handshake messages, ChangeCipherSpec, and alerts.
+// |write_p| is one for outgoing messages and zero for incoming messages.
+//
+// For each record header, |cb| is called with |version| = 0 and |content_type|
+// = |SSL3_RT_HEADER|. The |len| bytes from |buf| contain the header. Note that
+// this does not include the record body. If the record is sealed, the length
+// in the header is the length of the ciphertext.
+//
+// For each handshake message, ChangeCipherSpec, and alert, |version| is the
+// protocol version and |content_type| is the corresponding record type. The
+// |len| bytes from |buf| contain the handshake message, one-byte
+// ChangeCipherSpec body, and two-byte alert, respectively.
+//
+// For a V2ClientHello, |version| is |SSL2_VERSION|, |content_type| is zero, and
+// the |len| bytes from |buf| contain the V2ClientHello structure.
OPENSSL_EXPORT void SSL_CTX_set_msg_callback(
SSL_CTX *ctx, void (*cb)(int write_p, int version, int content_type,
const void *buf, size_t len, SSL *ssl, void *arg));
-/* SSL_CTX_set_msg_callback_arg sets the |arg| parameter of the message
- * callback. */
+// SSL_CTX_set_msg_callback_arg sets the |arg| parameter of the message
+// callback.
OPENSSL_EXPORT void SSL_CTX_set_msg_callback_arg(SSL_CTX *ctx, void *arg);
-/* SSL_set_msg_callback installs |cb| as the message callback of |ssl|. See
- * |SSL_CTX_set_msg_callback| for when this callback is called. */
+// SSL_set_msg_callback installs |cb| as the message callback of |ssl|. See
+// |SSL_CTX_set_msg_callback| for when this callback is called.
OPENSSL_EXPORT void SSL_set_msg_callback(
SSL *ssl, void (*cb)(int write_p, int version, int content_type,
const void *buf, size_t len, SSL *ssl, void *arg));
-/* SSL_set_msg_callback_arg sets the |arg| parameter of the message callback. */
+// SSL_set_msg_callback_arg sets the |arg| parameter of the message callback.
OPENSSL_EXPORT void SSL_set_msg_callback_arg(SSL *ssl, void *arg);
-/* SSL_CTX_set_keylog_callback configures a callback to log key material. This
- * is intended for debugging use with tools like Wireshark. The |cb| function
- * should log |line| followed by a newline, synchronizing with any concurrent
- * access to the log.
- *
- * The format is described in
- * https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS/Key_Log_Format. */
+// SSL_CTX_set_keylog_callback configures a callback to log key material. This
+// is intended for debugging use with tools like Wireshark. The |cb| function
+// should log |line| followed by a newline, synchronizing with any concurrent
+// access to the log.
+//
+// The format is described in
+// https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS/Key_Log_Format.
OPENSSL_EXPORT void SSL_CTX_set_keylog_callback(
SSL_CTX *ctx, void (*cb)(const SSL *ssl, const char *line));
-/* SSL_CTX_get_keylog_callback returns the callback configured by
- * |SSL_CTX_set_keylog_callback|. */
+// SSL_CTX_get_keylog_callback returns the callback configured by
+// |SSL_CTX_set_keylog_callback|.
OPENSSL_EXPORT void (*SSL_CTX_get_keylog_callback(const SSL_CTX *ctx))(
const SSL *ssl, const char *line);
-/* SSL_CTX_set_current_time_cb configures a callback to retrieve the current
- * time, which should be set in |*out_clock|. This can be used for testing
- * purposes; for example, a callback can be configured that returns a time
- * set explicitly by the test. */
+// SSL_CTX_set_current_time_cb configures a callback to retrieve the current
+// time, which should be set in |*out_clock|. This can be used for testing
+// purposes; for example, a callback can be configured that returns a time
+// set explicitly by the test. The |ssl| pointer passed to |cb| is always null.
OPENSSL_EXPORT void SSL_CTX_set_current_time_cb(
SSL_CTX *ctx, void (*cb)(const SSL *ssl, struct timeval *out_clock));
@@ -3145,28 +3149,28 @@
ssl_renegotiate_ignore,
};
-/* SSL_set_renegotiate_mode configures how |ssl|, a client, reacts to
- * renegotiation attempts by a server. If |ssl| is a server, peer-initiated
- * renegotiations are *always* rejected and this function does nothing.
- *
- * The renegotiation mode defaults to |ssl_renegotiate_never|, but may be set
- * at any point in a connection's lifetime. Set it to |ssl_renegotiate_once| to
- * allow one renegotiation, |ssl_renegotiate_freely| to allow all
- * renegotiations or |ssl_renegotiate_ignore| to ignore HelloRequest messages.
- * Note that ignoring HelloRequest messages may cause the connection to stall
- * if the server waits for the renegotiation to complete.
- *
- * There is no support in BoringSSL for initiating renegotiations as a client
- * or server. */
+// SSL_set_renegotiate_mode configures how |ssl|, a client, reacts to
+// renegotiation attempts by a server. If |ssl| is a server, peer-initiated
+// renegotiations are *always* rejected and this function does nothing.
+//
+// The renegotiation mode defaults to |ssl_renegotiate_never|, but may be set
+// at any point in a connection's lifetime. Set it to |ssl_renegotiate_once| to
+// allow one renegotiation, |ssl_renegotiate_freely| to allow all
+// renegotiations or |ssl_renegotiate_ignore| to ignore HelloRequest messages.
+// Note that ignoring HelloRequest messages may cause the connection to stall
+// if the server waits for the renegotiation to complete.
+//
+// There is no support in BoringSSL for initiating renegotiations as a client
+// or server.
OPENSSL_EXPORT void SSL_set_renegotiate_mode(SSL *ssl,
enum ssl_renegotiate_mode_t mode);
-/* SSL_renegotiate_pending returns one if |ssl| is in the middle of a
- * renegotiation. */
+// SSL_renegotiate_pending returns one if |ssl| is in the middle of a
+// renegotiation.
OPENSSL_EXPORT int SSL_renegotiate_pending(SSL *ssl);
-/* SSL_total_renegotiations returns the total number of renegotiation handshakes
- * performed by |ssl|. This includes the pending renegotiation, if any. */
+// SSL_total_renegotiations returns the total number of renegotiation handshakes
+// performed by |ssl|. This includes the pending renegotiation, if any.
OPENSSL_EXPORT int SSL_total_renegotiations(const SSL *ssl);
enum tls13_variant_t {
@@ -3176,59 +3180,59 @@
tls13_no_session_id_experiment = 3,
};
-/* SSL_CTX_set_tls13_variant sets which variant of TLS 1.3 we negotiate. On the
- * server, if |variant| is not |tls13_default|, all variants are enabled. On the
- * client, only the configured variant is enabled. */
+// SSL_CTX_set_tls13_variant sets which variant of TLS 1.3 we negotiate. On the
+// server, if |variant| is not |tls13_default|, all variants are enabled. On the
+// client, only the configured variant is enabled.
OPENSSL_EXPORT void SSL_CTX_set_tls13_variant(SSL_CTX *ctx,
enum tls13_variant_t variant);
-/* SSL_set_tls13_variant sets which variant of TLS 1.3 we negotiate. On the
- * server, if |variant| is not |tls13_default|, all variants are enabled. On the
- * client, only the configured variant is enabled. */
+// SSL_set_tls13_variant sets which variant of TLS 1.3 we negotiate. On the
+// server, if |variant| is not |tls13_default|, all variants are enabled. On the
+// client, only the configured variant is enabled.
OPENSSL_EXPORT void SSL_set_tls13_variant(SSL *ssl,
enum tls13_variant_t variant);
-/* SSL_MAX_CERT_LIST_DEFAULT is the default maximum length, in bytes, of a peer
- * certificate chain. */
+// SSL_MAX_CERT_LIST_DEFAULT is the default maximum length, in bytes, of a peer
+// certificate chain.
#define SSL_MAX_CERT_LIST_DEFAULT (1024 * 100)
-/* SSL_CTX_get_max_cert_list returns the maximum length, in bytes, of a peer
- * certificate chain accepted by |ctx|. */
+// SSL_CTX_get_max_cert_list returns the maximum length, in bytes, of a peer
+// certificate chain accepted by |ctx|.
OPENSSL_EXPORT size_t SSL_CTX_get_max_cert_list(const SSL_CTX *ctx);
-/* SSL_CTX_set_max_cert_list sets the maximum length, in bytes, of a peer
- * certificate chain to |max_cert_list|. This affects how much memory may be
- * consumed during the handshake. */
+// SSL_CTX_set_max_cert_list sets the maximum length, in bytes, of a peer
+// certificate chain to |max_cert_list|. This affects how much memory may be
+// consumed during the handshake.
OPENSSL_EXPORT void SSL_CTX_set_max_cert_list(SSL_CTX *ctx,
size_t max_cert_list);
-/* SSL_get_max_cert_list returns the maximum length, in bytes, of a peer
- * certificate chain accepted by |ssl|. */
+// SSL_get_max_cert_list returns the maximum length, in bytes, of a peer
+// certificate chain accepted by |ssl|.
OPENSSL_EXPORT size_t SSL_get_max_cert_list(const SSL *ssl);
-/* SSL_set_max_cert_list sets the maximum length, in bytes, of a peer
- * certificate chain to |max_cert_list|. This affects how much memory may be
- * consumed during the handshake. */
+// SSL_set_max_cert_list sets the maximum length, in bytes, of a peer
+// certificate chain to |max_cert_list|. This affects how much memory may be
+// consumed during the handshake.
OPENSSL_EXPORT void SSL_set_max_cert_list(SSL *ssl, size_t max_cert_list);
-/* SSL_CTX_set_max_send_fragment sets the maximum length, in bytes, of records
- * sent by |ctx|. Beyond this length, handshake messages and application data
- * will be split into multiple records. It returns one on success or zero on
- * error. */
+// SSL_CTX_set_max_send_fragment sets the maximum length, in bytes, of records
+// sent by |ctx|. Beyond this length, handshake messages and application data
+// will be split into multiple records. It returns one on success or zero on
+// error.
OPENSSL_EXPORT int SSL_CTX_set_max_send_fragment(SSL_CTX *ctx,
size_t max_send_fragment);
-/* SSL_set_max_send_fragment sets the maximum length, in bytes, of records sent
- * by |ssl|. Beyond this length, handshake messages and application data will
- * be split into multiple records. It returns one on success or zero on
- * error. */
+// SSL_set_max_send_fragment sets the maximum length, in bytes, of records sent
+// by |ssl|. Beyond this length, handshake messages and application data will
+// be split into multiple records. It returns one on success or zero on
+// error.
OPENSSL_EXPORT int SSL_set_max_send_fragment(SSL *ssl,
size_t max_send_fragment);
-/* ssl_early_callback_ctx (aka |SSL_CLIENT_HELLO|) is passed to certain
- * callbacks that are called very early on during the server handshake. At this
- * point, much of the SSL* hasn't been filled out and only the ClientHello can
- * be depended on. */
+// ssl_early_callback_ctx (aka |SSL_CLIENT_HELLO|) is passed to certain
+// callbacks that are called very early on during the server handshake. At this
+// point, much of the SSL* hasn't been filled out and only the ClientHello can
+// be depended on.
typedef struct ssl_early_callback_ctx {
SSL *ssl;
const uint8_t *client_hello;
@@ -3246,53 +3250,53 @@
size_t extensions_len;
} SSL_CLIENT_HELLO;
-/* ssl_select_cert_result_t enumerates the possible results from selecting a
- * certificate with |select_certificate_cb|. */
+// ssl_select_cert_result_t enumerates the possible results from selecting a
+// certificate with |select_certificate_cb|.
enum ssl_select_cert_result_t {
- /* ssl_select_cert_success indicates that the certificate selection was
- * successful. */
+ // ssl_select_cert_success indicates that the certificate selection was
+ // successful.
ssl_select_cert_success = 1,
- /* ssl_select_cert_retry indicates that the operation could not be
- * immediately completed and must be reattempted at a later point. */
+ // ssl_select_cert_retry indicates that the operation could not be
+ // immediately completed and must be reattempted at a later point.
ssl_select_cert_retry = 0,
- /* ssl_select_cert_error indicates that a fatal error occured and the
- * handshake should be terminated. */
+ // ssl_select_cert_error indicates that a fatal error occured and the
+ // handshake should be terminated.
ssl_select_cert_error = -1,
};
-/* SSL_early_callback_ctx_extension_get searches the extensions in
- * |client_hello| for an extension of the given type. If not found, it returns
- * zero. Otherwise it sets |out_data| to point to the extension contents (not
- * including the type and length bytes), sets |out_len| to the length of the
- * extension contents and returns one. */
+// SSL_early_callback_ctx_extension_get searches the extensions in
+// |client_hello| for an extension of the given type. If not found, it returns
+// zero. Otherwise it sets |out_data| to point to the extension contents (not
+// including the type and length bytes), sets |out_len| to the length of the
+// extension contents and returns one.
OPENSSL_EXPORT int SSL_early_callback_ctx_extension_get(
const SSL_CLIENT_HELLO *client_hello, uint16_t extension_type,
const uint8_t **out_data, size_t *out_len);
-/* SSL_CTX_set_select_certificate_cb sets a callback that is called before most
- * ClientHello processing and before the decision whether to resume a session
- * is made. The callback may inspect the ClientHello and configure the
- * connection. See |ssl_select_cert_result_t| for details of the return values.
- *
- * In the case that a retry is indicated, |SSL_get_error| will return
- * |SSL_ERROR_PENDING_CERTIFICATE| and the caller should arrange for the
- * high-level operation on |ssl| to be retried at a later time, which will
- * result in another call to |cb|.
- *
- * Note: The |SSL_CLIENT_HELLO| is only valid for the duration of the callback
- * and is not valid while the handshake is paused. */
+// SSL_CTX_set_select_certificate_cb sets a callback that is called before most
+// ClientHello processing and before the decision whether to resume a session
+// is made. The callback may inspect the ClientHello and configure the
+// connection. See |ssl_select_cert_result_t| for details of the return values.
+//
+// In the case that a retry is indicated, |SSL_get_error| will return
+// |SSL_ERROR_PENDING_CERTIFICATE| and the caller should arrange for the
+// high-level operation on |ssl| to be retried at a later time, which will
+// result in another call to |cb|.
+//
+// Note: The |SSL_CLIENT_HELLO| is only valid for the duration of the callback
+// and is not valid while the handshake is paused.
OPENSSL_EXPORT void SSL_CTX_set_select_certificate_cb(
SSL_CTX *ctx,
enum ssl_select_cert_result_t (*cb)(const SSL_CLIENT_HELLO *));
-/* SSL_CTX_set_dos_protection_cb sets a callback that is called once the
- * resumption decision for a ClientHello has been made. It can return one to
- * allow the handshake to continue or zero to cause the handshake to abort. */
+// SSL_CTX_set_dos_protection_cb sets a callback that is called once the
+// resumption decision for a ClientHello has been made. It can return one to
+// allow the handshake to continue or zero to cause the handshake to abort.
OPENSSL_EXPORT void SSL_CTX_set_dos_protection_cb(
SSL_CTX *ctx, int (*cb)(const SSL_CLIENT_HELLO *));
-/* SSL_ST_* are possible values for |SSL_state| and the bitmasks that make them
- * up. */
+// SSL_ST_* are possible values for |SSL_state| and the bitmasks that make them
+// up.
#define SSL_ST_CONNECT 0x1000
#define SSL_ST_ACCEPT 0x2000
#define SSL_ST_MASK 0x0FFF
@@ -3301,8 +3305,8 @@
#define SSL_ST_RENEGOTIATE (0x04 | SSL_ST_INIT)
#define SSL_ST_TLS13 (0x05 | SSL_ST_INIT)
-/* SSL_CB_* are possible values for the |type| parameter in the info
- * callback and the bitmasks that make them up. */
+// SSL_CB_* are possible values for the |type| parameter in the info
+// callback and the bitmasks that make them up.
#define SSL_CB_LOOP 0x01
#define SSL_CB_EXIT 0x02
#define SSL_CB_READ 0x04
@@ -3317,176 +3321,176 @@
#define SSL_CB_HANDSHAKE_START 0x10
#define SSL_CB_HANDSHAKE_DONE 0x20
-/* SSL_CTX_set_info_callback configures a callback to be run when various
- * events occur during a connection's lifetime. The |type| argument determines
- * the type of event and the meaning of the |value| argument. Callbacks must
- * ignore unexpected |type| values.
- *
- * |SSL_CB_READ_ALERT| is signaled for each alert received, warning or fatal.
- * The |value| argument is a 16-bit value where the alert level (either
- * |SSL3_AL_WARNING| or |SSL3_AL_FATAL|) is in the most-significant eight bits
- * and the alert type (one of |SSL_AD_*|) is in the least-significant eight.
- *
- * |SSL_CB_WRITE_ALERT| is signaled for each alert sent. The |value| argument
- * is constructed as with |SSL_CB_READ_ALERT|.
- *
- * |SSL_CB_HANDSHAKE_START| is signaled when a handshake begins. The |value|
- * argument is always one.
- *
- * |SSL_CB_HANDSHAKE_DONE| is signaled when a handshake completes successfully.
- * The |value| argument is always one. If a handshake False Starts, this event
- * may be used to determine when the Finished message is received.
- *
- * The following event types expose implementation details of the handshake
- * state machine. Consuming them is deprecated.
- *
- * |SSL_CB_ACCEPT_LOOP| (respectively, |SSL_CB_CONNECT_LOOP|) is signaled when
- * a server (respectively, client) handshake progresses. The |value| argument
- * is always one.
- *
- * |SSL_CB_ACCEPT_EXIT| (respectively, |SSL_CB_CONNECT_EXIT|) is signaled when
- * a server (respectively, client) handshake completes, fails, or is paused.
- * The |value| argument is one if the handshake succeeded and <= 0
- * otherwise. */
+// SSL_CTX_set_info_callback configures a callback to be run when various
+// events occur during a connection's lifetime. The |type| argument determines
+// the type of event and the meaning of the |value| argument. Callbacks must
+// ignore unexpected |type| values.
+//
+// |SSL_CB_READ_ALERT| is signaled for each alert received, warning or fatal.
+// The |value| argument is a 16-bit value where the alert level (either
+// |SSL3_AL_WARNING| or |SSL3_AL_FATAL|) is in the most-significant eight bits
+// and the alert type (one of |SSL_AD_*|) is in the least-significant eight.
+//
+// |SSL_CB_WRITE_ALERT| is signaled for each alert sent. The |value| argument
+// is constructed as with |SSL_CB_READ_ALERT|.
+//
+// |SSL_CB_HANDSHAKE_START| is signaled when a handshake begins. The |value|
+// argument is always one.
+//
+// |SSL_CB_HANDSHAKE_DONE| is signaled when a handshake completes successfully.
+// The |value| argument is always one. If a handshake False Starts, this event
+// may be used to determine when the Finished message is received.
+//
+// The following event types expose implementation details of the handshake
+// state machine. Consuming them is deprecated.
+//
+// |SSL_CB_ACCEPT_LOOP| (respectively, |SSL_CB_CONNECT_LOOP|) is signaled when
+// a server (respectively, client) handshake progresses. The |value| argument
+// is always one.
+//
+// |SSL_CB_ACCEPT_EXIT| (respectively, |SSL_CB_CONNECT_EXIT|) is signaled when
+// a server (respectively, client) handshake completes, fails, or is paused.
+// The |value| argument is one if the handshake succeeded and <= 0
+// otherwise.
OPENSSL_EXPORT void SSL_CTX_set_info_callback(
SSL_CTX *ctx, void (*cb)(const SSL *ssl, int type, int value));
-/* SSL_CTX_get_info_callback returns the callback set by
- * |SSL_CTX_set_info_callback|. */
+// SSL_CTX_get_info_callback returns the callback set by
+// |SSL_CTX_set_info_callback|.
OPENSSL_EXPORT void (*SSL_CTX_get_info_callback(SSL_CTX *ctx))(const SSL *ssl,
int type,
int value);
-/* SSL_set_info_callback configures a callback to be run at various events
- * during a connection's lifetime. See |SSL_CTX_set_info_callback|. */
+// SSL_set_info_callback configures a callback to be run at various events
+// during a connection's lifetime. See |SSL_CTX_set_info_callback|.
OPENSSL_EXPORT void SSL_set_info_callback(
SSL *ssl, void (*cb)(const SSL *ssl, int type, int value));
-/* SSL_get_info_callback returns the callback set by |SSL_set_info_callback|. */
+// SSL_get_info_callback returns the callback set by |SSL_set_info_callback|.
OPENSSL_EXPORT void (*SSL_get_info_callback(const SSL *ssl))(const SSL *ssl,
int type,
int value);
-/* SSL_state_string_long returns the current state of the handshake state
- * machine as a string. This may be useful for debugging and logging. */
+// SSL_state_string_long returns the current state of the handshake state
+// machine as a string. This may be useful for debugging and logging.
OPENSSL_EXPORT const char *SSL_state_string_long(const SSL *ssl);
#define SSL_SENT_SHUTDOWN 1
#define SSL_RECEIVED_SHUTDOWN 2
-/* SSL_get_shutdown returns a bitmask with a subset of |SSL_SENT_SHUTDOWN| and
- * |SSL_RECEIVED_SHUTDOWN| to query whether close_notify was sent or received,
- * respectively. */
+// SSL_get_shutdown returns a bitmask with a subset of |SSL_SENT_SHUTDOWN| and
+// |SSL_RECEIVED_SHUTDOWN| to query whether close_notify was sent or received,
+// respectively.
OPENSSL_EXPORT int SSL_get_shutdown(const SSL *ssl);
-/* SSL_get_peer_signature_algorithm returns the signature algorithm used by the
- * peer. If not applicable, it returns zero. */
+// SSL_get_peer_signature_algorithm returns the signature algorithm used by the
+// peer. If not applicable, it returns zero.
OPENSSL_EXPORT uint16_t SSL_get_peer_signature_algorithm(const SSL *ssl);
-/* SSL_get_client_random writes up to |max_out| bytes of the most recent
- * handshake's client_random to |out| and returns the number of bytes written.
- * If |max_out| is zero, it returns the size of the client_random. */
+// SSL_get_client_random writes up to |max_out| bytes of the most recent
+// handshake's client_random to |out| and returns the number of bytes written.
+// If |max_out| is zero, it returns the size of the client_random.
OPENSSL_EXPORT size_t SSL_get_client_random(const SSL *ssl, uint8_t *out,
size_t max_out);
-/* SSL_get_server_random writes up to |max_out| bytes of the most recent
- * handshake's server_random to |out| and returns the number of bytes written.
- * If |max_out| is zero, it returns the size of the server_random. */
+// SSL_get_server_random writes up to |max_out| bytes of the most recent
+// handshake's server_random to |out| and returns the number of bytes written.
+// If |max_out| is zero, it returns the size of the server_random.
OPENSSL_EXPORT size_t SSL_get_server_random(const SSL *ssl, uint8_t *out,
size_t max_out);
-/* SSL_get_pending_cipher returns the cipher suite for the current handshake or
- * NULL if one has not been negotiated yet or there is no pending handshake. */
+// SSL_get_pending_cipher returns the cipher suite for the current handshake or
+// NULL if one has not been negotiated yet or there is no pending handshake.
OPENSSL_EXPORT const SSL_CIPHER *SSL_get_pending_cipher(const SSL *ssl);
-/* SSL_set_retain_only_sha256_of_client_certs, on a server, sets whether only
- * the SHA-256 hash of peer's certificate should be saved in memory and in the
- * session. This can save memory, ticket size and session cache space. If
- * enabled, |SSL_get_peer_certificate| will return NULL after the handshake
- * completes. See the |peer_sha256| field of |SSL_SESSION| for the hash. */
+// SSL_set_retain_only_sha256_of_client_certs, on a server, sets whether only
+// the SHA-256 hash of peer's certificate should be saved in memory and in the
+// session. This can save memory, ticket size and session cache space. If
+// enabled, |SSL_get_peer_certificate| will return NULL after the handshake
+// completes. See the |peer_sha256| field of |SSL_SESSION| for the hash.
OPENSSL_EXPORT void SSL_set_retain_only_sha256_of_client_certs(SSL *ssl,
int enable);
-/* SSL_CTX_set_retain_only_sha256_of_client_certs, on a server, sets whether
- * only the SHA-256 hash of peer's certificate should be saved in memory and in
- * the session. This can save memory, ticket size and session cache space. If
- * enabled, |SSL_get_peer_certificate| will return NULL after the handshake
- * completes. See the |peer_sha256| field of |SSL_SESSION| for the hash. */
+// SSL_CTX_set_retain_only_sha256_of_client_certs, on a server, sets whether
+// only the SHA-256 hash of peer's certificate should be saved in memory and in
+// the session. This can save memory, ticket size and session cache space. If
+// enabled, |SSL_get_peer_certificate| will return NULL after the handshake
+// completes. See the |peer_sha256| field of |SSL_SESSION| for the hash.
OPENSSL_EXPORT void SSL_CTX_set_retain_only_sha256_of_client_certs(SSL_CTX *ctx,
int enable);
-/* SSL_CTX_set_grease_enabled configures whether sockets on |ctx| should enable
- * GREASE. See draft-davidben-tls-grease-01. */
+// SSL_CTX_set_grease_enabled configures whether sockets on |ctx| should enable
+// GREASE. See draft-davidben-tls-grease-01.
OPENSSL_EXPORT void SSL_CTX_set_grease_enabled(SSL_CTX *ctx, int enabled);
-/* SSL_max_seal_overhead returns the maximum overhead, in bytes, of sealing a
- * record with |ssl|. */
+// SSL_max_seal_overhead returns the maximum overhead, in bytes, of sealing a
+// record with |ssl|.
OPENSSL_EXPORT size_t SSL_max_seal_overhead(const SSL *ssl);
-/* SSL_get_ticket_age_skew returns the difference, in seconds, between the
- * client-sent ticket age and the server-computed value in TLS 1.3 server
- * connections which resumed a session. */
+// SSL_get_ticket_age_skew returns the difference, in seconds, between the
+// client-sent ticket age and the server-computed value in TLS 1.3 server
+// connections which resumed a session.
OPENSSL_EXPORT int32_t SSL_get_ticket_age_skew(const SSL *ssl);
-/* Deprecated functions. */
+// Deprecated functions.
-/* SSL_library_init calls |CRYPTO_library_init| and returns one. */
+// SSL_library_init calls |CRYPTO_library_init| and returns one.
OPENSSL_EXPORT int SSL_library_init(void);
-/* SSL_CIPHER_description writes a description of |cipher| into |buf| and
- * returns |buf|. If |buf| is NULL, it returns a newly allocated string, to be
- * freed with |OPENSSL_free|, or NULL on error.
- *
- * The description includes a trailing newline and has the form:
- * AES128-SHA Kx=RSA Au=RSA Enc=AES(128) Mac=SHA1
- *
- * Consider |SSL_CIPHER_standard_name| or |SSL_CIPHER_get_name| instead. */
+// SSL_CIPHER_description writes a description of |cipher| into |buf| and
+// returns |buf|. If |buf| is NULL, it returns a newly allocated string, to be
+// freed with |OPENSSL_free|, or NULL on error.
+//
+// The description includes a trailing newline and has the form:
+// AES128-SHA Kx=RSA Au=RSA Enc=AES(128) Mac=SHA1
+//
+// Consider |SSL_CIPHER_standard_name| or |SSL_CIPHER_get_name| instead.
OPENSSL_EXPORT const char *SSL_CIPHER_description(const SSL_CIPHER *cipher,
char *buf, int len);
-/* SSL_CIPHER_get_version returns the string "TLSv1/SSLv3". */
+// SSL_CIPHER_get_version returns the string "TLSv1/SSLv3".
OPENSSL_EXPORT const char *SSL_CIPHER_get_version(const SSL_CIPHER *cipher);
-/* SSL_CIPHER_get_rfc_name returns a newly-allocated string containing the
- * result of |SSL_CIPHER_standard_name| or NULL on error. The caller is
- * responsible for calling |OPENSSL_free| on the result.
- *
- * Use |SSL_CIPHER_standard_name| instead. */
+// SSL_CIPHER_get_rfc_name returns a newly-allocated string containing the
+// result of |SSL_CIPHER_standard_name| or NULL on error. The caller is
+// responsible for calling |OPENSSL_free| on the result.
+//
+// Use |SSL_CIPHER_standard_name| instead.
OPENSSL_EXPORT char *SSL_CIPHER_get_rfc_name(const SSL_CIPHER *cipher);
typedef void COMP_METHOD;
-/* SSL_COMP_get_compression_methods returns NULL. */
+// SSL_COMP_get_compression_methods returns NULL.
OPENSSL_EXPORT STACK_OF(SSL_COMP) *SSL_COMP_get_compression_methods(void);
-/* SSL_COMP_add_compression_method returns one. */
+// SSL_COMP_add_compression_method returns one.
OPENSSL_EXPORT int SSL_COMP_add_compression_method(int id, COMP_METHOD *cm);
-/* SSL_COMP_get_name returns NULL. */
+// SSL_COMP_get_name returns NULL.
OPENSSL_EXPORT const char *SSL_COMP_get_name(const COMP_METHOD *comp);
-/* SSL_COMP_free_compression_methods does nothing. */
+// SSL_COMP_free_compression_methods does nothing.
OPENSSL_EXPORT void SSL_COMP_free_compression_methods(void);
-/* SSLv23_method calls |TLS_method|. */
+// SSLv23_method calls |TLS_method|.
OPENSSL_EXPORT const SSL_METHOD *SSLv23_method(void);
-/* These version-specific methods behave exactly like |TLS_method| and
- * |DTLS_method| except they also call |SSL_CTX_set_min_proto_version| and
- * |SSL_CTX_set_max_proto_version| to lock connections to that protocol
- * version. */
+// These version-specific methods behave exactly like |TLS_method| and
+// |DTLS_method| except they also call |SSL_CTX_set_min_proto_version| and
+// |SSL_CTX_set_max_proto_version| to lock connections to that protocol
+// version.
OPENSSL_EXPORT const SSL_METHOD *TLSv1_method(void);
OPENSSL_EXPORT const SSL_METHOD *TLSv1_1_method(void);
OPENSSL_EXPORT const SSL_METHOD *TLSv1_2_method(void);
OPENSSL_EXPORT const SSL_METHOD *DTLSv1_method(void);
OPENSSL_EXPORT const SSL_METHOD *DTLSv1_2_method(void);
-/* SSLv3_method returns an |SSL_METHOD| with no versions enabled. */
+// SSLv3_method returns an |SSL_METHOD| with no versions enabled.
OPENSSL_EXPORT const SSL_METHOD *SSLv3_method(void);
-/* These client- and server-specific methods call their corresponding generic
- * methods. */
+// These client- and server-specific methods call their corresponding generic
+// methods.
OPENSSL_EXPORT const SSL_METHOD *TLS_server_method(void);
OPENSSL_EXPORT const SSL_METHOD *TLS_client_method(void);
OPENSSL_EXPORT const SSL_METHOD *SSLv23_server_method(void);
@@ -3506,167 +3510,167 @@
OPENSSL_EXPORT const SSL_METHOD *DTLSv1_2_server_method(void);
OPENSSL_EXPORT const SSL_METHOD *DTLSv1_2_client_method(void);
-/* SSL_clear resets |ssl| to allow another connection and returns one on success
- * or zero on failure. It returns most configuration state but releases memory
- * associated with the current connection.
- *
- * Free |ssl| and create a new one instead. */
+// SSL_clear resets |ssl| to allow another connection and returns one on success
+// or zero on failure. It returns most configuration state but releases memory
+// associated with the current connection.
+//
+// Free |ssl| and create a new one instead.
OPENSSL_EXPORT int SSL_clear(SSL *ssl);
-/* SSL_CTX_set_tmp_rsa_callback does nothing. */
+// SSL_CTX_set_tmp_rsa_callback does nothing.
OPENSSL_EXPORT void SSL_CTX_set_tmp_rsa_callback(
SSL_CTX *ctx, RSA *(*cb)(SSL *ssl, int is_export, int keylength));
-/* SSL_set_tmp_rsa_callback does nothing. */
+// SSL_set_tmp_rsa_callback does nothing.
OPENSSL_EXPORT void SSL_set_tmp_rsa_callback(SSL *ssl,
RSA *(*cb)(SSL *ssl, int is_export,
int keylength));
-/* SSL_CTX_sess_connect returns zero. */
+// SSL_CTX_sess_connect returns zero.
OPENSSL_EXPORT int SSL_CTX_sess_connect(const SSL_CTX *ctx);
-/* SSL_CTX_sess_connect_good returns zero. */
+// SSL_CTX_sess_connect_good returns zero.
OPENSSL_EXPORT int SSL_CTX_sess_connect_good(const SSL_CTX *ctx);
-/* SSL_CTX_sess_connect_renegotiate returns zero. */
+// SSL_CTX_sess_connect_renegotiate returns zero.
OPENSSL_EXPORT int SSL_CTX_sess_connect_renegotiate(const SSL_CTX *ctx);
-/* SSL_CTX_sess_accept returns zero. */
+// SSL_CTX_sess_accept returns zero.
OPENSSL_EXPORT int SSL_CTX_sess_accept(const SSL_CTX *ctx);
-/* SSL_CTX_sess_accept_renegotiate returns zero. */
+// SSL_CTX_sess_accept_renegotiate returns zero.
OPENSSL_EXPORT int SSL_CTX_sess_accept_renegotiate(const SSL_CTX *ctx);
-/* SSL_CTX_sess_accept_good returns zero. */
+// SSL_CTX_sess_accept_good returns zero.
OPENSSL_EXPORT int SSL_CTX_sess_accept_good(const SSL_CTX *ctx);
-/* SSL_CTX_sess_hits returns zero. */
+// SSL_CTX_sess_hits returns zero.
OPENSSL_EXPORT int SSL_CTX_sess_hits(const SSL_CTX *ctx);
-/* SSL_CTX_sess_cb_hits returns zero. */
+// SSL_CTX_sess_cb_hits returns zero.
OPENSSL_EXPORT int SSL_CTX_sess_cb_hits(const SSL_CTX *ctx);
-/* SSL_CTX_sess_misses returns zero. */
+// SSL_CTX_sess_misses returns zero.
OPENSSL_EXPORT int SSL_CTX_sess_misses(const SSL_CTX *ctx);
-/* SSL_CTX_sess_timeouts returns zero. */
+// SSL_CTX_sess_timeouts returns zero.
OPENSSL_EXPORT int SSL_CTX_sess_timeouts(const SSL_CTX *ctx);
-/* SSL_CTX_sess_cache_full returns zero. */
+// SSL_CTX_sess_cache_full returns zero.
OPENSSL_EXPORT int SSL_CTX_sess_cache_full(const SSL_CTX *ctx);
-/* SSL_cutthrough_complete calls |SSL_in_false_start|. */
+// SSL_cutthrough_complete calls |SSL_in_false_start|.
OPENSSL_EXPORT int SSL_cutthrough_complete(const SSL *ssl);
-/* SSL_num_renegotiations calls |SSL_total_renegotiations|. */
+// SSL_num_renegotiations calls |SSL_total_renegotiations|.
OPENSSL_EXPORT int SSL_num_renegotiations(const SSL *ssl);
-/* SSL_CTX_need_tmp_RSA returns zero. */
+// SSL_CTX_need_tmp_RSA returns zero.
OPENSSL_EXPORT int SSL_CTX_need_tmp_RSA(const SSL_CTX *ctx);
-/* SSL_need_tmp_RSA returns zero. */
+// SSL_need_tmp_RSA returns zero.
OPENSSL_EXPORT int SSL_need_tmp_RSA(const SSL *ssl);
-/* SSL_CTX_set_tmp_rsa returns one. */
+// SSL_CTX_set_tmp_rsa returns one.
OPENSSL_EXPORT int SSL_CTX_set_tmp_rsa(SSL_CTX *ctx, const RSA *rsa);
-/* SSL_set_tmp_rsa returns one. */
+// SSL_set_tmp_rsa returns one.
OPENSSL_EXPORT int SSL_set_tmp_rsa(SSL *ssl, const RSA *rsa);
-/* SSL_CTX_get_read_ahead returns zero. */
+// SSL_CTX_get_read_ahead returns zero.
OPENSSL_EXPORT int SSL_CTX_get_read_ahead(const SSL_CTX *ctx);
-/* SSL_CTX_set_read_ahead does nothing. */
+// SSL_CTX_set_read_ahead does nothing.
OPENSSL_EXPORT void SSL_CTX_set_read_ahead(SSL_CTX *ctx, int yes);
-/* SSL_get_read_ahead returns zero. */
+// SSL_get_read_ahead returns zero.
OPENSSL_EXPORT int SSL_get_read_ahead(const SSL *ssl);
-/* SSL_set_read_ahead does nothing. */
+// SSL_set_read_ahead does nothing.
OPENSSL_EXPORT void SSL_set_read_ahead(SSL *ssl, int yes);
-/* SSL_renegotiate put an error on the error queue and returns zero. */
+// SSL_renegotiate put an error on the error queue and returns zero.
OPENSSL_EXPORT int SSL_renegotiate(SSL *ssl);
-/* SSL_set_state does nothing. */
+// SSL_set_state does nothing.
OPENSSL_EXPORT void SSL_set_state(SSL *ssl, int state);
-/* SSL_get_shared_ciphers writes an empty string to |buf| and returns a
- * pointer to |buf|, or NULL if |len| is less than or equal to zero. */
+// SSL_get_shared_ciphers writes an empty string to |buf| and returns a
+// pointer to |buf|, or NULL if |len| is less than or equal to zero.
OPENSSL_EXPORT char *SSL_get_shared_ciphers(const SSL *ssl, char *buf, int len);
-/* SSL_MODE_HANDSHAKE_CUTTHROUGH is the same as SSL_MODE_ENABLE_FALSE_START. */
+// SSL_MODE_HANDSHAKE_CUTTHROUGH is the same as SSL_MODE_ENABLE_FALSE_START.
#define SSL_MODE_HANDSHAKE_CUTTHROUGH SSL_MODE_ENABLE_FALSE_START
-/* i2d_SSL_SESSION serializes |in| to the bytes pointed to by |*pp|. On success,
- * it returns the number of bytes written and advances |*pp| by that many bytes.
- * On failure, it returns -1. If |pp| is NULL, no bytes are written and only the
- * length is returned.
- *
- * Use |SSL_SESSION_to_bytes| instead. */
+// i2d_SSL_SESSION serializes |in| to the bytes pointed to by |*pp|. On success,
+// it returns the number of bytes written and advances |*pp| by that many bytes.
+// On failure, it returns -1. If |pp| is NULL, no bytes are written and only the
+// length is returned.
+//
+// Use |SSL_SESSION_to_bytes| instead.
OPENSSL_EXPORT int i2d_SSL_SESSION(SSL_SESSION *in, uint8_t **pp);
-/* d2i_SSL_SESSION parses a serialized session from the |length| bytes pointed
- * to by |*pp|. It returns the new |SSL_SESSION| and advances |*pp| by the
- * number of bytes consumed on success and NULL on failure. The caller takes
- * ownership of the new session and must call |SSL_SESSION_free| when done.
- *
- * If |a| is non-NULL, |*a| is released and set the new |SSL_SESSION|.
- *
- * Use |SSL_SESSION_from_bytes| instead. */
+// d2i_SSL_SESSION parses a serialized session from the |length| bytes pointed
+// to by |*pp|. It returns the new |SSL_SESSION| and advances |*pp| by the
+// number of bytes consumed on success and NULL on failure. The caller takes
+// ownership of the new session and must call |SSL_SESSION_free| when done.
+//
+// If |a| is non-NULL, |*a| is released and set the new |SSL_SESSION|.
+//
+// Use |SSL_SESSION_from_bytes| instead.
OPENSSL_EXPORT SSL_SESSION *d2i_SSL_SESSION(SSL_SESSION **a, const uint8_t **pp,
long length);
-/* i2d_SSL_SESSION_bio serializes |session| and writes the result to |bio|. It
- * returns the number of bytes written on success and <= 0 on error. */
+// i2d_SSL_SESSION_bio serializes |session| and writes the result to |bio|. It
+// returns the number of bytes written on success and <= 0 on error.
OPENSSL_EXPORT int i2d_SSL_SESSION_bio(BIO *bio, const SSL_SESSION *session);
-/* d2i_SSL_SESSION_bio reads a serialized |SSL_SESSION| from |bio| and returns a
- * newly-allocated |SSL_SESSION| or NULL on error. If |out| is not NULL, it also
- * frees |*out| and sets |*out| to the new |SSL_SESSION|. */
+// d2i_SSL_SESSION_bio reads a serialized |SSL_SESSION| from |bio| and returns a
+// newly-allocated |SSL_SESSION| or NULL on error. If |out| is not NULL, it also
+// frees |*out| and sets |*out| to the new |SSL_SESSION|.
OPENSSL_EXPORT SSL_SESSION *d2i_SSL_SESSION_bio(BIO *bio, SSL_SESSION **out);
-/* ERR_load_SSL_strings does nothing. */
+// ERR_load_SSL_strings does nothing.
OPENSSL_EXPORT void ERR_load_SSL_strings(void);
-/* SSL_load_error_strings does nothing. */
+// SSL_load_error_strings does nothing.
OPENSSL_EXPORT void SSL_load_error_strings(void);
-/* SSL_CTX_set_tlsext_use_srtp calls |SSL_CTX_set_srtp_profiles|. It returns
- * zero on success and one on failure.
- *
- * WARNING: this function is dangerous because it breaks the usual return value
- * convention. Use |SSL_CTX_set_srtp_profiles| instead. */
+// SSL_CTX_set_tlsext_use_srtp calls |SSL_CTX_set_srtp_profiles|. It returns
+// zero on success and one on failure.
+//
+// WARNING: this function is dangerous because it breaks the usual return value
+// convention. Use |SSL_CTX_set_srtp_profiles| instead.
OPENSSL_EXPORT int SSL_CTX_set_tlsext_use_srtp(SSL_CTX *ctx,
const char *profiles);
-/* SSL_set_tlsext_use_srtp calls |SSL_set_srtp_profiles|. It returns zero on
- * success and one on failure.
- *
- * WARNING: this function is dangerous because it breaks the usual return value
- * convention. Use |SSL_set_srtp_profiles| instead. */
+// SSL_set_tlsext_use_srtp calls |SSL_set_srtp_profiles|. It returns zero on
+// success and one on failure.
+//
+// WARNING: this function is dangerous because it breaks the usual return value
+// convention. Use |SSL_set_srtp_profiles| instead.
OPENSSL_EXPORT int SSL_set_tlsext_use_srtp(SSL *ssl, const char *profiles);
-/* SSL_get_current_compression returns NULL. */
+// SSL_get_current_compression returns NULL.
OPENSSL_EXPORT const COMP_METHOD *SSL_get_current_compression(SSL *ssl);
-/* SSL_get_current_expansion returns NULL. */
+// SSL_get_current_expansion returns NULL.
OPENSSL_EXPORT const COMP_METHOD *SSL_get_current_expansion(SSL *ssl);
-/* SSL_get_server_tmp_key returns zero. */
+// SSL_get_server_tmp_key returns zero.
OPENSSL_EXPORT int *SSL_get_server_tmp_key(SSL *ssl, EVP_PKEY **out_key);
-/* SSL_CTX_set_tmp_dh returns 1. */
+// SSL_CTX_set_tmp_dh returns 1.
OPENSSL_EXPORT int SSL_CTX_set_tmp_dh(SSL_CTX *ctx, const DH *dh);
-/* SSL_set_tmp_dh returns 1. */
+// SSL_set_tmp_dh returns 1.
OPENSSL_EXPORT int SSL_set_tmp_dh(SSL *ssl, const DH *dh);
-/* SSL_CTX_set_tmp_dh_callback does nothing. */
+// SSL_CTX_set_tmp_dh_callback does nothing.
OPENSSL_EXPORT void SSL_CTX_set_tmp_dh_callback(
SSL_CTX *ctx, DH *(*cb)(SSL *ssl, int is_export, int keylength));
-/* SSL_set_tmp_dh_callback does nothing. */
+// SSL_set_tmp_dh_callback does nothing.
OPENSSL_EXPORT void SSL_set_tmp_dh_callback(SSL *ssl,
DH *(*cb)(SSL *ssl, int is_export,
int keylength));
@@ -3707,8 +3711,8 @@
DEFINE_STACK_OF(SSL_COMP)
-/* The following flags do nothing and are included only to make it easier to
- * compile code with BoringSSL. */
+// The following flags do nothing and are included only to make it easier to
+// compile code with BoringSSL.
#define SSL_MODE_AUTO_RETRY 0
#define SSL_MODE_RELEASE_BUFFERS 0
#define SSL_MODE_SEND_CLIENTHELLO_TIME 0
@@ -3739,34 +3743,34 @@
#define SSL_OP_TLS_ROLLBACK_BUG 0
#define SSL_VERIFY_CLIENT_ONCE 0
-/* SSL_cache_hit calls |SSL_session_reused|. */
+// SSL_cache_hit calls |SSL_session_reused|.
OPENSSL_EXPORT int SSL_cache_hit(SSL *ssl);
-/* SSL_get_default_timeout returns |SSL_DEFAULT_SESSION_TIMEOUT|. */
+// SSL_get_default_timeout returns |SSL_DEFAULT_SESSION_TIMEOUT|.
OPENSSL_EXPORT long SSL_get_default_timeout(const SSL *ssl);
-/* SSL_get_version returns a string describing the TLS version used by |ssl|.
- * For example, "TLSv1.2" or "SSLv3". */
+// SSL_get_version returns a string describing the TLS version used by |ssl|.
+// For example, "TLSv1.2" or "SSLv3".
OPENSSL_EXPORT const char *SSL_get_version(const SSL *ssl);
-/* SSL_get_cipher_list returns the name of the |n|th cipher in the output of
- * |SSL_get_ciphers| or NULL if out of range. Use |SSL_get_ciphers| instead. */
+// SSL_get_cipher_list returns the name of the |n|th cipher in the output of
+// |SSL_get_ciphers| or NULL if out of range. Use |SSL_get_ciphers| instead.
OPENSSL_EXPORT const char *SSL_get_cipher_list(const SSL *ssl, int n);
-/* SSL_CTX_set_client_cert_cb sets a callback which is called on the client if
- * the server requests a client certificate and none is configured. On success,
- * the callback should return one and set |*out_x509| to |*out_pkey| to a leaf
- * certificate and private key, respectively, passing ownership. It should
- * return zero to send no certificate and -1 to fail or pause the handshake. If
- * the handshake is paused, |SSL_get_error| will return
- * |SSL_ERROR_WANT_X509_LOOKUP|.
- *
- * The callback may call |SSL_get0_certificate_types| and
- * |SSL_get_client_CA_list| for information on the server's certificate request.
- *
- * Use |SSL_CTX_set_cert_cb| instead. Configuring intermediate certificates with
- * this function is confusing. This callback may not be registered concurrently
- * with |SSL_CTX_set_cert_cb| or |SSL_set_cert_cb|. */
+// SSL_CTX_set_client_cert_cb sets a callback which is called on the client if
+// the server requests a client certificate and none is configured. On success,
+// the callback should return one and set |*out_x509| to |*out_pkey| to a leaf
+// certificate and private key, respectively, passing ownership. It should
+// return zero to send no certificate and -1 to fail or pause the handshake. If
+// the handshake is paused, |SSL_get_error| will return
+// |SSL_ERROR_WANT_X509_LOOKUP|.
+//
+// The callback may call |SSL_get0_certificate_types| and
+// |SSL_get_client_CA_list| for information on the server's certificate request.
+//
+// Use |SSL_CTX_set_cert_cb| instead. Configuring intermediate certificates with
+// this function is confusing. This callback may not be registered concurrently
+// with |SSL_CTX_set_cert_cb| or |SSL_set_cert_cb|.
OPENSSL_EXPORT void SSL_CTX_set_client_cert_cb(
SSL_CTX *ctx, int (*cb)(SSL *ssl, X509 **out_x509, EVP_PKEY **out_pkey));
@@ -3782,38 +3786,38 @@
#define SSL_EARLY_DATA_REJECTED 11
#define SSL_CERTIFICATE_VERIFY 12
-/* SSL_want returns one of the above values to determine what the most recent
- * operation on |ssl| was blocked on. Use |SSL_get_error| instead. */
+// SSL_want returns one of the above values to determine what the most recent
+// operation on |ssl| was blocked on. Use |SSL_get_error| instead.
OPENSSL_EXPORT int SSL_want(const SSL *ssl);
#define SSL_want_read(ssl) (SSL_want(ssl) == SSL_READING)
#define SSL_want_write(ssl) (SSL_want(ssl) == SSL_WRITING)
- /* SSL_get_finished writes up to |count| bytes of the Finished message sent by
- * |ssl| to |buf|. It returns the total untruncated length or zero if none has
- * been sent yet. At SSL 3.0 or TLS 1.3 and later, it returns zero.
- *
- * Use |SSL_get_tls_unique| instead. */
+ // SSL_get_finished writes up to |count| bytes of the Finished message sent by
+ // |ssl| to |buf|. It returns the total untruncated length or zero if none has
+ // been sent yet. At SSL 3.0 or TLS 1.3 and later, it returns zero.
+ //
+ // Use |SSL_get_tls_unique| instead.
OPENSSL_EXPORT size_t SSL_get_finished(const SSL *ssl, void *buf, size_t count);
- /* SSL_get_peer_finished writes up to |count| bytes of the Finished message
- * received from |ssl|'s peer to |buf|. It returns the total untruncated length
- * or zero if none has been received yet. At SSL 3.0 or TLS 1.3 and later, it
- * returns zero.
- *
- * Use |SSL_get_tls_unique| instead. */
+ // SSL_get_peer_finished writes up to |count| bytes of the Finished message
+ // received from |ssl|'s peer to |buf|. It returns the total untruncated length
+ // or zero if none has been received yet. At SSL 3.0 or TLS 1.3 and later, it
+ // returns zero.
+ //
+ // Use |SSL_get_tls_unique| instead.
OPENSSL_EXPORT size_t SSL_get_peer_finished(const SSL *ssl, void *buf,
size_t count);
-/* SSL_alert_type_string returns "!". Use |SSL_alert_type_string_long|
- * instead. */
+// SSL_alert_type_string returns "!". Use |SSL_alert_type_string_long|
+// instead.
OPENSSL_EXPORT const char *SSL_alert_type_string(int value);
-/* SSL_alert_desc_string returns "!!". Use |SSL_alert_desc_string_long|
- * instead. */
+// SSL_alert_desc_string returns "!!". Use |SSL_alert_desc_string_long|
+// instead.
OPENSSL_EXPORT const char *SSL_alert_desc_string(int value);
-/* SSL_TXT_* expand to strings. */
+// SSL_TXT_* expand to strings.
#define SSL_TXT_MEDIUM "MEDIUM"
#define SSL_TXT_HIGH "HIGH"
#define SSL_TXT_FIPS "FIPS"
@@ -3857,192 +3861,192 @@
typedef struct ssl_conf_ctx_st SSL_CONF_CTX;
-/* SSL_state returns |SSL_ST_INIT| if a handshake is in progress and |SSL_ST_OK|
- * otherwise.
- *
- * Use |SSL_is_init| instead. */
+// SSL_state returns |SSL_ST_INIT| if a handshake is in progress and |SSL_ST_OK|
+// otherwise.
+//
+// Use |SSL_is_init| instead.
OPENSSL_EXPORT int SSL_state(const SSL *ssl);
#define SSL_get_state(ssl) SSL_state(ssl)
-/* SSL_state_string returns the current state of the handshake state machine as
- * a six-letter string. Use |SSL_state_string_long| for a more intelligible
- * string. */
+// SSL_state_string returns the current state of the handshake state machine as
+// a six-letter string. Use |SSL_state_string_long| for a more intelligible
+// string.
OPENSSL_EXPORT const char *SSL_state_string(const SSL *ssl);
-/* SSL_set_shutdown causes |ssl| to behave as if the shutdown bitmask (see
- * |SSL_get_shutdown|) were |mode|. This may be used to skip sending or
- * receiving close_notify in |SSL_shutdown| by causing the implementation to
- * believe the events already happened.
- *
- * It is an error to use |SSL_set_shutdown| to unset a bit that has already been
- * set. Doing so will trigger an |assert| in debug builds and otherwise be
- * ignored.
- *
- * Use |SSL_CTX_set_quiet_shutdown| instead. */
+// SSL_set_shutdown causes |ssl| to behave as if the shutdown bitmask (see
+// |SSL_get_shutdown|) were |mode|. This may be used to skip sending or
+// receiving close_notify in |SSL_shutdown| by causing the implementation to
+// believe the events already happened.
+//
+// It is an error to use |SSL_set_shutdown| to unset a bit that has already been
+// set. Doing so will trigger an |assert| in debug builds and otherwise be
+// ignored.
+//
+// Use |SSL_CTX_set_quiet_shutdown| instead.
OPENSSL_EXPORT void SSL_set_shutdown(SSL *ssl, int mode);
-/* SSL_CTX_set_tmp_ecdh calls |SSL_CTX_set1_curves| with a one-element list
- * containing |ec_key|'s curve. */
+// SSL_CTX_set_tmp_ecdh calls |SSL_CTX_set1_curves| with a one-element list
+// containing |ec_key|'s curve.
OPENSSL_EXPORT int SSL_CTX_set_tmp_ecdh(SSL_CTX *ctx, const EC_KEY *ec_key);
-/* SSL_set_tmp_ecdh calls |SSL_set1_curves| with a one-element list containing
- * |ec_key|'s curve. */
+// SSL_set_tmp_ecdh calls |SSL_set1_curves| with a one-element list containing
+// |ec_key|'s curve.
OPENSSL_EXPORT int SSL_set_tmp_ecdh(SSL *ssl, const EC_KEY *ec_key);
-/* SSL_add_dir_cert_subjects_to_stack lists files in directory |dir|. It calls
- * |SSL_add_file_cert_subjects_to_stack| on each file and returns one on success
- * or zero on error. This function is only available from the libdecrepit
- * library. */
+// SSL_add_dir_cert_subjects_to_stack lists files in directory |dir|. It calls
+// |SSL_add_file_cert_subjects_to_stack| on each file and returns one on success
+// or zero on error. This function is only available from the libdecrepit
+// library.
OPENSSL_EXPORT int SSL_add_dir_cert_subjects_to_stack(STACK_OF(X509_NAME) *out,
const char *dir);
-/* SSL_set_private_key_digest_prefs copies |num_digests| NIDs from |digest_nids|
- * into |ssl|. These digests will be used, in decreasing order of preference,
- * when signing with |ssl|'s private key. It returns one on success and zero on
- * error.
- *
- * Use |SSL_set_signing_algorithm_prefs| instead.
- *
- * TODO(davidben): Remove this API when callers have been updated. */
+// SSL_set_private_key_digest_prefs copies |num_digests| NIDs from |digest_nids|
+// into |ssl|. These digests will be used, in decreasing order of preference,
+// when signing with |ssl|'s private key. It returns one on success and zero on
+// error.
+//
+// Use |SSL_set_signing_algorithm_prefs| instead.
+//
+// TODO(davidben): Remove this API when callers have been updated.
OPENSSL_EXPORT int SSL_set_private_key_digest_prefs(SSL *ssl,
const int *digest_nids,
size_t num_digests);
-/* SSL_set_verify_result calls |abort| unless |result| is |X509_V_OK|.
- *
- * TODO(davidben): Remove this function once it has been removed from
- * netty-tcnative. */
+// SSL_set_verify_result calls |abort| unless |result| is |X509_V_OK|.
+//
+// TODO(davidben): Remove this function once it has been removed from
+// netty-tcnative.
OPENSSL_EXPORT void SSL_set_verify_result(SSL *ssl, long result);
-/* SSL_CTX_enable_tls_channel_id calls |SSL_CTX_set_tls_channel_id_enabled|. */
+// SSL_CTX_enable_tls_channel_id calls |SSL_CTX_set_tls_channel_id_enabled|.
OPENSSL_EXPORT int SSL_CTX_enable_tls_channel_id(SSL_CTX *ctx);
-/* SSL_enable_tls_channel_id calls |SSL_set_tls_channel_id_enabled|. */
+// SSL_enable_tls_channel_id calls |SSL_set_tls_channel_id_enabled|.
OPENSSL_EXPORT int SSL_enable_tls_channel_id(SSL *ssl);
-/* BIO_f_ssl returns a |BIO_METHOD| that can wrap an |SSL*| in a |BIO*|. Note
- * that this has quite different behaviour from the version in OpenSSL (notably
- * that it doesn't try to auto renegotiate).
- *
- * IMPORTANT: if you are not curl, don't use this. */
+// BIO_f_ssl returns a |BIO_METHOD| that can wrap an |SSL*| in a |BIO*|. Note
+// that this has quite different behaviour from the version in OpenSSL (notably
+// that it doesn't try to auto renegotiate).
+//
+// IMPORTANT: if you are not curl, don't use this.
OPENSSL_EXPORT const BIO_METHOD *BIO_f_ssl(void);
-/* BIO_set_ssl sets |ssl| as the underlying connection for |bio|, which must
- * have been created using |BIO_f_ssl|. If |take_owership| is true, |bio| will
- * call |SSL_free| on |ssl| when closed. It returns one on success or something
- * other than one on error. */
+// BIO_set_ssl sets |ssl| as the underlying connection for |bio|, which must
+// have been created using |BIO_f_ssl|. If |take_owership| is true, |bio| will
+// call |SSL_free| on |ssl| when closed. It returns one on success or something
+// other than one on error.
OPENSSL_EXPORT long BIO_set_ssl(BIO *bio, SSL *ssl, int take_owership);
-/* SSL_CTX_set_ecdh_auto returns one. */
+// SSL_CTX_set_ecdh_auto returns one.
#define SSL_CTX_set_ecdh_auto(ctx, onoff) 1
-/* SSL_set_ecdh_auto returns one. */
+// SSL_set_ecdh_auto returns one.
#define SSL_set_ecdh_auto(ssl, onoff) 1
-/* SSL_get_session returns a non-owning pointer to |ssl|'s session. For
- * historical reasons, which session it returns depends on |ssl|'s state.
- *
- * Prior to the start of the initial handshake, it returns the session the
- * caller set with |SSL_set_session|. After the initial handshake has finished
- * and if no additional handshakes are in progress, it returns the currently
- * active session. Its behavior is undefined while a handshake is in progress.
- *
- * If trying to add new sessions to an external session cache, use
- * |SSL_CTX_sess_set_new_cb| instead. In particular, using the callback is
- * required as of TLS 1.3. For compatibility, this function will return an
- * unresumable session which may be cached, but will never be resumed.
- *
- * If querying properties of the connection, use APIs on the |SSL| object. */
+// SSL_get_session returns a non-owning pointer to |ssl|'s session. For
+// historical reasons, which session it returns depends on |ssl|'s state.
+//
+// Prior to the start of the initial handshake, it returns the session the
+// caller set with |SSL_set_session|. After the initial handshake has finished
+// and if no additional handshakes are in progress, it returns the currently
+// active session. Its behavior is undefined while a handshake is in progress.
+//
+// If trying to add new sessions to an external session cache, use
+// |SSL_CTX_sess_set_new_cb| instead. In particular, using the callback is
+// required as of TLS 1.3. For compatibility, this function will return an
+// unresumable session which may be cached, but will never be resumed.
+//
+// If querying properties of the connection, use APIs on the |SSL| object.
OPENSSL_EXPORT SSL_SESSION *SSL_get_session(const SSL *ssl);
-/* SSL_get0_session is an alias for |SSL_get_session|. */
+// SSL_get0_session is an alias for |SSL_get_session|.
#define SSL_get0_session SSL_get_session
-/* SSL_get1_session acts like |SSL_get_session| but returns a new reference to
- * the session. */
+// SSL_get1_session acts like |SSL_get_session| but returns a new reference to
+// the session.
OPENSSL_EXPORT SSL_SESSION *SSL_get1_session(SSL *ssl);
-/* TODO(davidben): Convert all the callers of these old |SSL_CIPHER| functions
- * and remove them. */
+// TODO(davidben): Convert all the callers of these old |SSL_CIPHER| functions
+// and remove them.
-/* SSL_CIPHER_is_AEAD calls |SSL_CIPHER_is_aead|. */
+// SSL_CIPHER_is_AEAD calls |SSL_CIPHER_is_aead|.
OPENSSL_EXPORT int SSL_CIPHER_is_AEAD(const SSL_CIPHER *cipher);
-/* SSL_CIPHER_is_AES returns one if |cipher| uses AES (either GCM or CBC
- * mode). Use |SSL_CIPHER_get_cipher_nid| instead. */
+// SSL_CIPHER_is_AES returns one if |cipher| uses AES (either GCM or CBC
+// mode). Use |SSL_CIPHER_get_cipher_nid| instead.
OPENSSL_EXPORT int SSL_CIPHER_is_AES(const SSL_CIPHER *cipher);
-/* SSL_CIPHER_has_SHA1_HMAC returns one if |cipher| uses HMAC-SHA1. Use
- * |SSL_CIPHER_get_digest_nid| instead. */
+// SSL_CIPHER_has_SHA1_HMAC returns one if |cipher| uses HMAC-SHA1. Use
+// |SSL_CIPHER_get_digest_nid| instead.
OPENSSL_EXPORT int SSL_CIPHER_has_SHA1_HMAC(const SSL_CIPHER *cipher);
-/* SSL_CIPHER_has_SHA256_HMAC returns one if |cipher| uses HMAC-SHA256. Use
- * |SSL_CIPHER_get_digest_nid| instead. */
+// SSL_CIPHER_has_SHA256_HMAC returns one if |cipher| uses HMAC-SHA256. Use
+// |SSL_CIPHER_get_digest_nid| instead.
OPENSSL_EXPORT int SSL_CIPHER_has_SHA256_HMAC(const SSL_CIPHER *cipher);
-/* SSL_CIPHER_has_SHA384_HMAC returns one if |cipher| uses HMAC-SHA384. Use
- * |SSL_CIPHER_get_digest_nid| instead. */
+// SSL_CIPHER_has_SHA384_HMAC returns one if |cipher| uses HMAC-SHA384. Use
+// |SSL_CIPHER_get_digest_nid| instead.
OPENSSL_EXPORT int SSL_CIPHER_has_SHA384_HMAC(const SSL_CIPHER *cipher);
-/* SSL_CIPHER_is_AESGCM returns one if |cipher| uses AES-GCM. Use
- * |SSL_CIPHER_get_cipher_nid| instead. */
+// SSL_CIPHER_is_AESGCM returns one if |cipher| uses AES-GCM. Use
+// |SSL_CIPHER_get_cipher_nid| instead.
OPENSSL_EXPORT int SSL_CIPHER_is_AESGCM(const SSL_CIPHER *cipher);
-/* SSL_CIPHER_is_AES128GCM returns one if |cipher| uses 128-bit AES-GCM. Use
- * |SSL_CIPHER_get_cipher_nid| instead. */
+// SSL_CIPHER_is_AES128GCM returns one if |cipher| uses 128-bit AES-GCM. Use
+// |SSL_CIPHER_get_cipher_nid| instead.
OPENSSL_EXPORT int SSL_CIPHER_is_AES128GCM(const SSL_CIPHER *cipher);
-/* SSL_CIPHER_is_AES128CBC returns one if |cipher| uses 128-bit AES in CBC
- * mode. Use |SSL_CIPHER_get_cipher_nid| instead. */
+// SSL_CIPHER_is_AES128CBC returns one if |cipher| uses 128-bit AES in CBC
+// mode. Use |SSL_CIPHER_get_cipher_nid| instead.
OPENSSL_EXPORT int SSL_CIPHER_is_AES128CBC(const SSL_CIPHER *cipher);
-/* SSL_CIPHER_is_AES256CBC returns one if |cipher| uses 256-bit AES in CBC
- * mode. Use |SSL_CIPHER_get_cipher_nid| instead. */
+// SSL_CIPHER_is_AES256CBC returns one if |cipher| uses 256-bit AES in CBC
+// mode. Use |SSL_CIPHER_get_cipher_nid| instead.
OPENSSL_EXPORT int SSL_CIPHER_is_AES256CBC(const SSL_CIPHER *cipher);
-/* SSL_CIPHER_is_CHACHA20POLY1305 returns one if |cipher| uses
- * CHACHA20_POLY1305. Use |SSL_CIPHER_get_cipher_nid| instead. */
+// SSL_CIPHER_is_CHACHA20POLY1305 returns one if |cipher| uses
+// CHACHA20_POLY1305. Use |SSL_CIPHER_get_cipher_nid| instead.
OPENSSL_EXPORT int SSL_CIPHER_is_CHACHA20POLY1305(const SSL_CIPHER *cipher);
-/* SSL_CIPHER_is_NULL returns one if |cipher| does not encrypt. Use
- * |SSL_CIPHER_get_cipher_nid| instead. */
+// SSL_CIPHER_is_NULL returns one if |cipher| does not encrypt. Use
+// |SSL_CIPHER_get_cipher_nid| instead.
OPENSSL_EXPORT int SSL_CIPHER_is_NULL(const SSL_CIPHER *cipher);
-/* SSL_CIPHER_is_ECDSA returns one if |cipher| uses ECDSA. Use
- * |SSL_CIPHER_get_auth_nid| instead. */
+// SSL_CIPHER_is_ECDSA returns one if |cipher| uses ECDSA. Use
+// |SSL_CIPHER_get_auth_nid| instead.
OPENSSL_EXPORT int SSL_CIPHER_is_ECDSA(const SSL_CIPHER *cipher);
-/* SSL_CIPHER_is_ECDHE returns one if |cipher| uses ECDHE. Use
- * |SSL_CIPHER_get_kx_nid| instead. */
+// SSL_CIPHER_is_ECDHE returns one if |cipher| uses ECDHE. Use
+// |SSL_CIPHER_get_kx_nid| instead.
OPENSSL_EXPORT int SSL_CIPHER_is_ECDHE(const SSL_CIPHER *cipher);
-/* SSL_CIPHER_is_static_RSA returns one if |cipher| uses the static RSA key
- * exchange. Use |SSL_CIPHER_get_kx_nid| instead. */
+// SSL_CIPHER_is_static_RSA returns one if |cipher| uses the static RSA key
+// exchange. Use |SSL_CIPHER_get_kx_nid| instead.
OPENSSL_EXPORT int SSL_CIPHER_is_static_RSA(const SSL_CIPHER *cipher);
-/* Private structures.
- *
- * This structures are exposed for historical reasons, but access to them is
- * deprecated. */
+// Private structures.
+//
+// This structures are exposed for historical reasons, but access to them is
+// deprecated.
-/* TODO(davidben): Opaquify most or all of |SSL_CTX| and |SSL_SESSION| so these
- * forward declarations are not needed. */
+// TODO(davidben): Opaquify most or all of |SSL_CTX| and |SSL_SESSION| so these
+// forward declarations are not needed.
typedef struct ssl_protocol_method_st SSL_PROTOCOL_METHOD;
typedef struct ssl_x509_method_st SSL_X509_METHOD;
DECLARE_STACK_OF(SSL_CUSTOM_EXTENSION)
struct ssl_cipher_st {
- /* name is the OpenSSL name for the cipher. */
+ // name is the OpenSSL name for the cipher.
const char *name;
- /* standard_name is the IETF name for the cipher. */
+ // standard_name is the IETF name for the cipher.
const char *standard_name;
- /* id is the cipher suite value bitwise OR-d with 0x03000000. */
+ // id is the cipher suite value bitwise OR-d with 0x03000000.
uint32_t id;
- /* algorithm_* are internal fields. See ssl/internal.h for their values. */
+ // algorithm_* are internal fields. See ssl/internal.h for their values.
uint32_t algorithm_mkey;
uint32_t algorithm_auth;
uint32_t algorithm_enc;
@@ -4056,226 +4060,234 @@
struct ssl_session_st {
CRYPTO_refcount_t references;
- int ssl_version; /* what ssl version session info is being kept in here? */
+ int ssl_version; // what ssl version session info is being kept in here?
- /* group_id is the ID of the ECDH group used to establish this session or zero
- * if not applicable or unknown. */
+ // group_id is the ID of the ECDH group used to establish this session or zero
+ // if not applicable or unknown.
uint16_t group_id;
- /* peer_signature_algorithm is the signature algorithm used to authenticate
- * the peer, or zero if not applicable or unknown. */
+ // peer_signature_algorithm is the signature algorithm used to authenticate
+ // the peer, or zero if not applicable or unknown.
uint16_t peer_signature_algorithm;
- /* master_key, in TLS 1.2 and below, is the master secret associated with the
- * session. In TLS 1.3 and up, it is the resumption secret. */
+ // master_key, in TLS 1.2 and below, is the master secret associated with the
+ // session. In TLS 1.3 and up, it is the resumption secret.
int master_key_length;
uint8_t master_key[SSL_MAX_MASTER_KEY_LENGTH];
- /* session_id - valid? */
+ // session_id - valid?
unsigned int session_id_length;
uint8_t session_id[SSL_MAX_SSL_SESSION_ID_LENGTH];
- /* this is used to determine whether the session is being reused in
- * the appropriate context. It is up to the application to set this,
- * via SSL_new */
+ // this is used to determine whether the session is being reused in
+ // the appropriate context. It is up to the application to set this,
+ // via SSL_new
uint8_t sid_ctx_length;
uint8_t sid_ctx[SSL_MAX_SID_CTX_LENGTH];
char *psk_identity;
- /* certs contains the certificate chain from the peer, starting with the leaf
- * certificate. */
+ // certs contains the certificate chain from the peer, starting with the leaf
+ // certificate.
STACK_OF(CRYPTO_BUFFER) *certs;
const SSL_X509_METHOD *x509_method;
- /* x509_peer is the peer's certificate. */
+ // x509_peer is the peer's certificate.
X509 *x509_peer;
- /* x509_chain is the certificate chain sent by the peer. NOTE: for historical
- * reasons, when a client (so the peer is a server), the chain includes
- * |peer|, but when a server it does not. */
+ // x509_chain is the certificate chain sent by the peer. NOTE: for historical
+ // reasons, when a client (so the peer is a server), the chain includes
+ // |peer|, but when a server it does not.
STACK_OF(X509) *x509_chain;
- /* x509_chain_without_leaf is a lazily constructed copy of |x509_chain| that
- * omits the leaf certificate. This exists because OpenSSL, historically,
- * didn't include the leaf certificate in the chain for a server, but did for
- * a client. The |x509_chain| always includes it and, if an API call requires
- * a chain without, it is stored here. */
+ // x509_chain_without_leaf is a lazily constructed copy of |x509_chain| that
+ // omits the leaf certificate. This exists because OpenSSL, historically,
+ // didn't include the leaf certificate in the chain for a server, but did for
+ // a client. The |x509_chain| always includes it and, if an API call requires
+ // a chain without, it is stored here.
STACK_OF(X509) *x509_chain_without_leaf;
- /* verify_result is the result of certificate verification in the case of
- * non-fatal certificate errors. */
+ // verify_result is the result of certificate verification in the case of
+ // non-fatal certificate errors.
long verify_result;
- /* timeout is the lifetime of the session in seconds, measured from |time|.
- * This is renewable up to |auth_timeout|. */
+ // timeout is the lifetime of the session in seconds, measured from |time|.
+ // This is renewable up to |auth_timeout|.
uint32_t timeout;
- /* auth_timeout is the non-renewable lifetime of the session in seconds,
- * measured from |time|. */
+ // auth_timeout is the non-renewable lifetime of the session in seconds,
+ // measured from |time|.
uint32_t auth_timeout;
- /* time is the time the session was issued, measured in seconds from the UNIX
- * epoch. */
+ // time is the time the session was issued, measured in seconds from the UNIX
+ // epoch.
uint64_t time;
const SSL_CIPHER *cipher;
- CRYPTO_EX_DATA ex_data; /* application specific data */
+ CRYPTO_EX_DATA ex_data; // application specific data
- /* These are used to make removal of session-ids more efficient and to
- * implement a maximum cache size. */
+ // These are used to make removal of session-ids more efficient and to
+ // implement a maximum cache size.
SSL_SESSION *prev, *next;
char *tlsext_hostname;
- /* RFC4507 info */
- uint8_t *tlsext_tick; /* Session ticket */
- size_t tlsext_ticklen; /* Session ticket length */
+ // RFC4507 info
+ uint8_t *tlsext_tick; // Session ticket
+ size_t tlsext_ticklen; // Session ticket length
- size_t tlsext_signed_cert_timestamp_list_length;
- uint8_t *tlsext_signed_cert_timestamp_list; /* Server's list. */
+ CRYPTO_BUFFER *signed_cert_timestamp_list;
- /* The OCSP response that came with the session. */
- size_t ocsp_response_length;
- uint8_t *ocsp_response;
+ // The OCSP response that came with the session.
+ CRYPTO_BUFFER *ocsp_response;
- /* peer_sha256 contains the SHA-256 hash of the peer's certificate if
- * |peer_sha256_valid| is true. */
+ // peer_sha256 contains the SHA-256 hash of the peer's certificate if
+ // |peer_sha256_valid| is true.
uint8_t peer_sha256[SHA256_DIGEST_LENGTH];
- /* original_handshake_hash contains the handshake hash (either SHA-1+MD5 or
- * SHA-2, depending on TLS version) for the original, full handshake that
- * created a session. This is used by Channel IDs during resumption. */
+ // original_handshake_hash contains the handshake hash (either SHA-1+MD5 or
+ // SHA-2, depending on TLS version) for the original, full handshake that
+ // created a session. This is used by Channel IDs during resumption.
uint8_t original_handshake_hash[EVP_MAX_MD_SIZE];
uint8_t original_handshake_hash_len;
- uint32_t tlsext_tick_lifetime_hint; /* Session lifetime hint in seconds */
+ uint32_t tlsext_tick_lifetime_hint; // Session lifetime hint in seconds
uint32_t ticket_age_add;
- /* ticket_max_early_data is the maximum amount of data allowed to be sent as
- * early data. If zero, 0-RTT is disallowed. */
+ // ticket_max_early_data is the maximum amount of data allowed to be sent as
+ // early data. If zero, 0-RTT is disallowed.
uint32_t ticket_max_early_data;
- /* early_alpn is the ALPN protocol from the initial handshake. This is only
- * stored for TLS 1.3 and above in order to enforce ALPN matching for 0-RTT
- * resumptions. */
+ // early_alpn is the ALPN protocol from the initial handshake. This is only
+ // stored for TLS 1.3 and above in order to enforce ALPN matching for 0-RTT
+ // resumptions.
uint8_t *early_alpn;
size_t early_alpn_len;
- /* extended_master_secret is true if the master secret in this session was
- * generated using EMS and thus isn't vulnerable to the Triple Handshake
- * attack. */
+ // extended_master_secret is true if the master secret in this session was
+ // generated using EMS and thus isn't vulnerable to the Triple Handshake
+ // attack.
unsigned extended_master_secret:1;
- /* peer_sha256_valid is non-zero if |peer_sha256| is valid. */
- unsigned peer_sha256_valid:1; /* Non-zero if peer_sha256 is valid */
+ // peer_sha256_valid is non-zero if |peer_sha256| is valid.
+ unsigned peer_sha256_valid:1; // Non-zero if peer_sha256 is valid
- /* not_resumable is used to indicate that session resumption is disallowed. */
+ // not_resumable is used to indicate that session resumption is disallowed.
unsigned not_resumable:1;
- /* ticket_age_add_valid is non-zero if |ticket_age_add| is valid. */
+ // ticket_age_add_valid is non-zero if |ticket_age_add| is valid.
unsigned ticket_age_add_valid:1;
- /* is_server is true if this session was created by a server. */
+ // is_server is true if this session was created by a server.
unsigned is_server:1;
};
-/* ssl_cipher_preference_list_st contains a list of SSL_CIPHERs with
- * equal-preference groups. For TLS clients, the groups are moot because the
- * server picks the cipher and groups cannot be expressed on the wire. However,
- * for servers, the equal-preference groups allow the client's preferences to
- * be partially respected. (This only has an effect with
- * SSL_OP_CIPHER_SERVER_PREFERENCE).
- *
- * The equal-preference groups are expressed by grouping SSL_CIPHERs together.
- * All elements of a group have the same priority: no ordering is expressed
- * within a group.
- *
- * The values in |ciphers| are in one-to-one correspondence with
- * |in_group_flags|. (That is, sk_SSL_CIPHER_num(ciphers) is the number of
- * bytes in |in_group_flags|.) The bytes in |in_group_flags| are either 1, to
- * indicate that the corresponding SSL_CIPHER is not the last element of a
- * group, or 0 to indicate that it is.
- *
- * For example, if |in_group_flags| contains all zeros then that indicates a
- * traditional, fully-ordered preference. Every SSL_CIPHER is the last element
- * of the group (i.e. they are all in a one-element group).
- *
- * For a more complex example, consider:
- * ciphers: A B C D E F
- * in_group_flags: 1 1 0 0 1 0
- *
- * That would express the following, order:
- *
- * A E
- * B -> D -> F
- * C
- */
+// ssl_cipher_preference_list_st contains a list of SSL_CIPHERs with
+// equal-preference groups. For TLS clients, the groups are moot because the
+// server picks the cipher and groups cannot be expressed on the wire. However,
+// for servers, the equal-preference groups allow the client's preferences to
+// be partially respected. (This only has an effect with
+// SSL_OP_CIPHER_SERVER_PREFERENCE).
+//
+// The equal-preference groups are expressed by grouping SSL_CIPHERs together.
+// All elements of a group have the same priority: no ordering is expressed
+// within a group.
+//
+// The values in |ciphers| are in one-to-one correspondence with
+// |in_group_flags|. (That is, sk_SSL_CIPHER_num(ciphers) is the number of
+// bytes in |in_group_flags|.) The bytes in |in_group_flags| are either 1, to
+// indicate that the corresponding SSL_CIPHER is not the last element of a
+// group, or 0 to indicate that it is.
+//
+// For example, if |in_group_flags| contains all zeros then that indicates a
+// traditional, fully-ordered preference. Every SSL_CIPHER is the last element
+// of the group (i.e. they are all in a one-element group).
+//
+// For a more complex example, consider:
+// ciphers: A B C D E F
+// in_group_flags: 1 1 0 0 1 0
+//
+// That would express the following, order:
+//
+// A E
+// B -> D -> F
+// C
struct ssl_cipher_preference_list_st {
STACK_OF(SSL_CIPHER) *ciphers;
uint8_t *in_group_flags;
};
-/* ssl_ctx_st (aka |SSL_CTX|) contains configuration common to several SSL
- * connections. */
+struct tlsext_ticket_key {
+ uint8_t name[SSL_TICKET_KEY_NAME_LEN];
+ uint8_t hmac_key[16];
+ uint8_t aes_key[16];
+ // next_rotation_tv_sec is the time (in seconds from the epoch) when the
+ // current key should be superseded by a new key, or the time when a previous
+ // key should be dropped. If zero, then the key should not be automatically
+ // rotated.
+ uint64_t next_rotation_tv_sec;
+};
+
+// ssl_ctx_st (aka |SSL_CTX|) contains configuration common to several SSL
+// connections.
struct ssl_ctx_st {
const SSL_PROTOCOL_METHOD *method;
const SSL_X509_METHOD *x509_method;
- /* lock is used to protect various operations on this object. */
+ // lock is used to protect various operations on this object.
CRYPTO_MUTEX lock;
- /* conf_max_version is the maximum acceptable protocol version configured by
- * |SSL_CTX_set_max_proto_version|. Note this version is normalized in DTLS
- * and is further constrainted by |SSL_OP_NO_*|. */
+ // conf_max_version is the maximum acceptable protocol version configured by
+ // |SSL_CTX_set_max_proto_version|. Note this version is normalized in DTLS
+ // and is further constrainted by |SSL_OP_NO_*|.
uint16_t conf_max_version;
- /* conf_min_version is the minimum acceptable protocol version configured by
- * |SSL_CTX_set_min_proto_version|. Note this version is normalized in DTLS
- * and is further constrainted by |SSL_OP_NO_*|. */
+ // conf_min_version is the minimum acceptable protocol version configured by
+ // |SSL_CTX_set_min_proto_version|. Note this version is normalized in DTLS
+ // and is further constrainted by |SSL_OP_NO_*|.
uint16_t conf_min_version;
- /* tls13_variant is the variant of TLS 1.3 we are using for this
- * configuration. */
+ // tls13_variant is the variant of TLS 1.3 we are using for this
+ // configuration.
enum tls13_variant_t tls13_variant;
struct ssl_cipher_preference_list_st *cipher_list;
X509_STORE *cert_store;
LHASH_OF(SSL_SESSION) *sessions;
- /* Most session-ids that will be cached, default is
- * SSL_SESSION_CACHE_MAX_SIZE_DEFAULT. 0 is unlimited. */
+ // Most session-ids that will be cached, default is
+ // SSL_SESSION_CACHE_MAX_SIZE_DEFAULT. 0 is unlimited.
unsigned long session_cache_size;
SSL_SESSION *session_cache_head;
SSL_SESSION *session_cache_tail;
- /* handshakes_since_cache_flush is the number of successful handshakes since
- * the last cache flush. */
+ // handshakes_since_cache_flush is the number of successful handshakes since
+ // the last cache flush.
int handshakes_since_cache_flush;
- /* This can have one of 2 values, ored together,
- * SSL_SESS_CACHE_CLIENT,
- * SSL_SESS_CACHE_SERVER,
- * Default is SSL_SESSION_CACHE_SERVER, which means only
- * SSL_accept which cache SSL_SESSIONS. */
+ // This can have one of 2 values, ored together,
+ // SSL_SESS_CACHE_CLIENT,
+ // SSL_SESS_CACHE_SERVER,
+ // Default is SSL_SESSION_CACHE_SERVER, which means only
+ // SSL_accept which cache SSL_SESSIONS.
int session_cache_mode;
- /* session_timeout is the default lifetime for new sessions in TLS 1.2 and
- * earlier, in seconds. */
+ // session_timeout is the default lifetime for new sessions in TLS 1.2 and
+ // earlier, in seconds.
uint32_t session_timeout;
- /* session_psk_dhe_timeout is the default lifetime for new sessions in TLS
- * 1.3, in seconds. */
+ // session_psk_dhe_timeout is the default lifetime for new sessions in TLS
+ // 1.3, in seconds.
uint32_t session_psk_dhe_timeout;
- /* If this callback is not null, it will be called each time a session id is
- * added to the cache. If this function returns 1, it means that the
- * callback will do a SSL_SESSION_free() when it has finished using it.
- * Otherwise, on 0, it means the callback has finished with it. If
- * remove_session_cb is not null, it will be called when a session-id is
- * removed from the cache. After the call, OpenSSL will SSL_SESSION_free()
- * it. */
+ // If this callback is not null, it will be called each time a session id is
+ // added to the cache. If this function returns 1, it means that the
+ // callback will do a SSL_SESSION_free() when it has finished using it.
+ // Otherwise, on 0, it means the callback has finished with it. If
+ // remove_session_cb is not null, it will be called when a session-id is
+ // removed from the cache. After the call, OpenSSL will SSL_SESSION_free()
+ // it.
int (*new_session_cb)(SSL *ssl, SSL_SESSION *sess);
void (*remove_session_cb)(SSL_CTX *ctx, SSL_SESSION *sess);
SSL_SESSION *(*get_session_cb)(SSL *ssl, uint8_t *data, int len,
@@ -4283,46 +4295,46 @@
CRYPTO_refcount_t references;
- /* if defined, these override the X509_verify_cert() calls */
+ // if defined, these override the X509_verify_cert() calls
int (*app_verify_callback)(X509_STORE_CTX *store_ctx, void *arg);
void *app_verify_arg;
enum ssl_verify_result_t (*custom_verify_callback)(SSL *ssl,
uint8_t *out_alert);
- /* Default password callback. */
+ // Default password callback.
pem_password_cb *default_passwd_callback;
- /* Default password callback user data. */
+ // Default password callback user data.
void *default_passwd_callback_userdata;
- /* get client cert callback */
+ // get client cert callback
int (*client_cert_cb)(SSL *ssl, X509 **out_x509, EVP_PKEY **out_pkey);
- /* get channel id callback */
+ // get channel id callback
void (*channel_id_cb)(SSL *ssl, EVP_PKEY **out_pkey);
CRYPTO_EX_DATA ex_data;
- /* custom_*_extensions stores any callback sets for custom extensions. Note
- * that these pointers will be NULL if the stack would otherwise be empty. */
+ // custom_*_extensions stores any callback sets for custom extensions. Note
+ // that these pointers will be NULL if the stack would otherwise be empty.
STACK_OF(SSL_CUSTOM_EXTENSION) *client_custom_extensions;
STACK_OF(SSL_CUSTOM_EXTENSION) *server_custom_extensions;
- /* Default values used when no per-SSL value is defined follow */
+ // Default values used when no per-SSL value is defined follow
void (*info_callback)(const SSL *ssl, int type, int value);
- /* what we put in client cert requests */
+ // what we put in client cert requests
STACK_OF(CRYPTO_BUFFER) *client_CA;
- /* cached_x509_client_CA is a cache of parsed versions of the elements of
- * |client_CA|. */
+ // cached_x509_client_CA is a cache of parsed versions of the elements of
+ // |client_CA|.
STACK_OF(X509_NAME) *cached_x509_client_CA;
- /* Default values to use in SSL structures follow (these are copied by
- * SSL_new) */
+ // Default values to use in SSL structures follow (these are copied by
+ // SSL_new)
uint32_t options;
uint32_t mode;
@@ -4330,45 +4342,49 @@
struct cert_st *cert;
- /* callback that allows applications to peek at protocol messages */
+ // callback that allows applications to peek at protocol messages
void (*msg_callback)(int write_p, int version, int content_type,
const void *buf, size_t len, SSL *ssl, void *arg);
void *msg_callback_arg;
int verify_mode;
int (*default_verify_callback)(
- int ok, X509_STORE_CTX *ctx); /* called 'verify_callback' in the SSL */
+ int ok, X509_STORE_CTX *ctx); // called 'verify_callback' in the SSL
X509_VERIFY_PARAM *param;
- /* select_certificate_cb is called before most ClientHello processing and
- * before the decision whether to resume a session is made. See
- * |ssl_select_cert_result_t| for details of the return values. */
+ // select_certificate_cb is called before most ClientHello processing and
+ // before the decision whether to resume a session is made. See
+ // |ssl_select_cert_result_t| for details of the return values.
enum ssl_select_cert_result_t (*select_certificate_cb)(
const SSL_CLIENT_HELLO *);
- /* dos_protection_cb is called once the resumption decision for a ClientHello
- * has been made. It returns one to continue the handshake or zero to
- * abort. */
+ // dos_protection_cb is called once the resumption decision for a ClientHello
+ // has been made. It returns one to continue the handshake or zero to
+ // abort.
int (*dos_protection_cb) (const SSL_CLIENT_HELLO *);
- /* Maximum amount of data to send in one fragment. actual record size can be
- * more than this due to padding and MAC overheads. */
+ // Maximum amount of data to send in one fragment. actual record size can be
+ // more than this due to padding and MAC overheads.
uint16_t max_send_fragment;
- /* TLS extensions servername callback */
+ // TLS extensions servername callback
int (*tlsext_servername_callback)(SSL *, int *, void *);
void *tlsext_servername_arg;
- /* RFC 4507 session ticket keys */
- uint8_t tlsext_tick_key_name[SSL_TICKET_KEY_NAME_LEN];
- uint8_t tlsext_tick_hmac_key[16];
- uint8_t tlsext_tick_aes_key[16];
- /* Callback to support customisation of ticket key setting */
+
+ // RFC 4507 session ticket keys. |tlsext_ticket_key_current| may be NULL
+ // before the first handshake and |tlsext_ticket_key_prev| may be NULL at any
+ // time. Automatically generated ticket keys are rotated as needed at
+ // handshake time. Hence, all access must be synchronized through |lock|.
+ struct tlsext_ticket_key *tlsext_ticket_key_current;
+ struct tlsext_ticket_key *tlsext_ticket_key_prev;
+
+ // Callback to support customisation of ticket key setting
int (*tlsext_ticket_key_cb)(SSL *ssl, uint8_t *name, uint8_t *iv,
EVP_CIPHER_CTX *ectx, HMAC_CTX *hctx, int enc);
- /* Server-only: psk_identity_hint is the default identity hint to send in
- * PSK-based key exchanges. */
+ // Server-only: psk_identity_hint is the default identity hint to send in
+ // PSK-based key exchanges.
char *psk_identity_hint;
unsigned int (*psk_client_callback)(SSL *ssl, const char *hint,
@@ -4379,128 +4395,127 @@
uint8_t *psk, unsigned int max_psk_len);
- /* retain_only_sha256_of_client_certs is true if we should compute the SHA256
- * hash of the peer's certificate and then discard it to save memory and
- * session space. Only effective on the server side. */
+ // retain_only_sha256_of_client_certs is true if we should compute the SHA256
+ // hash of the peer's certificate and then discard it to save memory and
+ // session space. Only effective on the server side.
char retain_only_sha256_of_client_certs;
- /* Next protocol negotiation information */
- /* (for experimental NPN extension). */
+ // Next protocol negotiation information
+ // (for experimental NPN extension).
- /* For a server, this contains a callback function by which the set of
- * advertised protocols can be provided. */
+ // For a server, this contains a callback function by which the set of
+ // advertised protocols can be provided.
int (*next_protos_advertised_cb)(SSL *ssl, const uint8_t **out,
unsigned *out_len, void *arg);
void *next_protos_advertised_cb_arg;
- /* For a client, this contains a callback function that selects the
- * next protocol from the list provided by the server. */
+ // For a client, this contains a callback function that selects the
+ // next protocol from the list provided by the server.
int (*next_proto_select_cb)(SSL *ssl, uint8_t **out, uint8_t *out_len,
const uint8_t *in, unsigned in_len, void *arg);
void *next_proto_select_cb_arg;
- /* ALPN information
- * (we are in the process of transitioning from NPN to ALPN.) */
+ // ALPN information
+ // (we are in the process of transitioning from NPN to ALPN.)
- /* For a server, this contains a callback function that allows the
- * server to select the protocol for the connection.
- * out: on successful return, this must point to the raw protocol
- * name (without the length prefix).
- * outlen: on successful return, this contains the length of |*out|.
- * in: points to the client's list of supported protocols in
- * wire-format.
- * inlen: the length of |in|. */
+ // For a server, this contains a callback function that allows the
+ // server to select the protocol for the connection.
+ // out: on successful return, this must point to the raw protocol
+ // name (without the length prefix).
+ // outlen: on successful return, this contains the length of |*out|.
+ // in: points to the client's list of supported protocols in
+ // wire-format.
+ // inlen: the length of |in|.
int (*alpn_select_cb)(SSL *ssl, const uint8_t **out, uint8_t *out_len,
const uint8_t *in, unsigned in_len, void *arg);
void *alpn_select_cb_arg;
- /* For a client, this contains the list of supported protocols in wire
- * format. */
+ // For a client, this contains the list of supported protocols in wire
+ // format.
uint8_t *alpn_client_proto_list;
unsigned alpn_client_proto_list_len;
- /* SRTP profiles we are willing to do from RFC 5764 */
+ // SRTP profiles we are willing to do from RFC 5764
STACK_OF(SRTP_PROTECTION_PROFILE) *srtp_profiles;
- /* Supported group values inherited by SSL structure */
+ // Supported group values inherited by SSL structure
size_t supported_group_list_len;
uint16_t *supported_group_list;
- /* The client's Channel ID private key. */
+ // The client's Channel ID private key.
EVP_PKEY *tlsext_channel_id_private;
- /* keylog_callback, if not NULL, is the key logging callback. See
- * |SSL_CTX_set_keylog_callback|. */
+ // keylog_callback, if not NULL, is the key logging callback. See
+ // |SSL_CTX_set_keylog_callback|.
void (*keylog_callback)(const SSL *ssl, const char *line);
- /* current_time_cb, if not NULL, is the function to use to get the current
- * time. It sets |*out_clock| to the current time. See
- * |SSL_CTX_set_current_time_cb|. */
+ // current_time_cb, if not NULL, is the function to use to get the current
+ // time. It sets |*out_clock| to the current time. The |ssl| argument is
+ // always NULL. See |SSL_CTX_set_current_time_cb|.
void (*current_time_cb)(const SSL *ssl, struct timeval *out_clock);
- /* pool is used for all |CRYPTO_BUFFER|s in case we wish to share certificate
- * memory. */
+ // pool is used for all |CRYPTO_BUFFER|s in case we wish to share certificate
+ // memory.
CRYPTO_BUFFER_POOL *pool;
- /* ticket_aead_method contains function pointers for opening and sealing
- * session tickets. */
+ // ticket_aead_method contains function pointers for opening and sealing
+ // session tickets.
const SSL_TICKET_AEAD_METHOD *ticket_aead_method;
- /* verify_sigalgs, if not empty, is the set of signature algorithms
- * accepted from the peer in decreasing order of preference. */
+ // verify_sigalgs, if not empty, is the set of signature algorithms
+ // accepted from the peer in decreasing order of preference.
uint16_t *verify_sigalgs;
size_t num_verify_sigalgs;
- /* quiet_shutdown is true if the connection should not send a close_notify on
- * shutdown. */
+ // quiet_shutdown is true if the connection should not send a close_notify on
+ // shutdown.
unsigned quiet_shutdown:1;
- /* ocsp_stapling_enabled is only used by client connections and indicates
- * whether OCSP stapling will be requested. */
+ // ocsp_stapling_enabled is only used by client connections and indicates
+ // whether OCSP stapling will be requested.
unsigned ocsp_stapling_enabled:1;
- /* If true, a client will request certificate timestamps. */
+ // If true, a client will request certificate timestamps.
unsigned signed_cert_timestamps_enabled:1;
- /* tlsext_channel_id_enabled is one if Channel ID is enabled and zero
- * otherwise. For a server, means that we'll accept Channel IDs from clients.
- * For a client, means that we'll advertise support. */
+ // tlsext_channel_id_enabled is one if Channel ID is enabled and zero
+ // otherwise. For a server, means that we'll accept Channel IDs from clients.
+ // For a client, means that we'll advertise support.
unsigned tlsext_channel_id_enabled:1;
- /* grease_enabled is one if draft-davidben-tls-grease-01 is enabled and zero
- * otherwise. */
+ // grease_enabled is one if draft-davidben-tls-grease-01 is enabled and zero
+ // otherwise.
unsigned grease_enabled:1;
- /* allow_unknown_alpn_protos is one if the client allows unsolicited ALPN
- * protocols from the peer. */
+ // allow_unknown_alpn_protos is one if the client allows unsolicited ALPN
+ // protocols from the peer.
unsigned allow_unknown_alpn_protos:1;
- /* ed25519_enabled is one if Ed25519 is advertised in the handshake. */
+ // ed25519_enabled is one if Ed25519 is advertised in the handshake.
unsigned ed25519_enabled:1;
};
-/* Nodejs compatibility section (hidden).
- *
- * These defines exist for node.js, with the hope that we can eliminate the
- * need for them over time. */
+// Nodejs compatibility section (hidden).
+//
+// These defines exist for node.js, with the hope that we can eliminate the
+// need for them over time.
#define SSLerr(function, reason) \
ERR_put_error(ERR_LIB_SSL, 0, reason, __FILE__, __LINE__)
-/* Preprocessor compatibility section (hidden).
- *
- * Historically, a number of APIs were implemented in OpenSSL as macros and
- * constants to 'ctrl' functions. To avoid breaking #ifdefs in consumers, this
- * section defines a number of legacy macros.
- *
- * Although using either the CTRL values or their wrapper macros in #ifdefs is
- * still supported, the CTRL values may not be passed to |SSL_ctrl| and
- * |SSL_CTX_ctrl|. Call the functions (previously wrapper macros) instead.
- *
- * See PORTING.md in the BoringSSL source tree for a table of corresponding
- * functions.
- * https://boringssl.googlesource.com/boringssl/+/master/PORTING.md#Replacements-for-values
- */
+// Preprocessor compatibility section (hidden).
+//
+// Historically, a number of APIs were implemented in OpenSSL as macros and
+// constants to 'ctrl' functions. To avoid breaking #ifdefs in consumers, this
+// section defines a number of legacy macros.
+//
+// Although using either the CTRL values or their wrapper macros in #ifdefs is
+// still supported, the CTRL values may not be passed to |SSL_ctrl| and
+// |SSL_CTX_ctrl|. Call the functions (previously wrapper macros) instead.
+//
+// See PORTING.md in the BoringSSL source tree for a table of corresponding
+// functions.
+// https://boringssl.googlesource.com/boringssl/+/master/PORTING.md#Replacements-for-values
#define DTLS_CTRL_GET_TIMEOUT doesnt_exist
#define DTLS_CTRL_HANDLE_TIMEOUT doesnt_exist
@@ -4622,7 +4637,7 @@
#if defined(__cplusplus)
-} /* extern C */
+} // extern C
#if !defined(BORINGSSL_NO_CXX)
@@ -4633,6 +4648,7 @@
BORINGSSL_MAKE_DELETER(SSL, SSL_free)
BORINGSSL_MAKE_DELETER(SSL_CTX, SSL_CTX_free)
BORINGSSL_MAKE_DELETER(SSL_SESSION, SSL_SESSION_free)
+BORINGSSL_MAKE_DELETER(tlsext_ticket_key, OPENSSL_free);
enum class OpenRecordResult {
kOK,
@@ -4643,19 +4659,19 @@
kError,
};
-/* *** EXPERIMENTAL -- DO NOT USE ***
- *
- * OpenRecord decrypts the first complete SSL record from |in| in-place, sets
- * |out| to the decrypted application data, and |out_record_len| to the length
- * of the encrypted record. Returns:
- * - kOK if an application-data record was successfully decrypted and verified.
- * - kDiscard if a record was sucessfully processed, but should be discarded.
- * - kIncompleteRecord if |in| did not contain a complete record.
- * - kAlertCloseNotify if a record was successfully processed but is a
- * close_notify alert.
- * - kAlertFatal if a record was successfully processed but is a fatal alert.
- * - kError if an error occurred or the record is invalid. |*out_alert| will be
- * set to an alert to emit. */
+// *** EXPERIMENTAL -- DO NOT USE ***
+//
+// OpenRecord decrypts the first complete SSL record from |in| in-place, sets
+// |out| to the decrypted application data, and |out_record_len| to the length
+// of the encrypted record. Returns:
+// - kOK if an application-data record was successfully decrypted and verified.
+// - kDiscard if a record was sucessfully processed, but should be discarded.
+// - kIncompleteRecord if |in| did not contain a complete record.
+// - kAlertCloseNotify if a record was successfully processed but is a
+// close_notify alert.
+// - kAlertFatal if a record was successfully processed but is a fatal alert.
+// - kError if an error occurred or the record is invalid. |*out_alert| will be
+// set to an alert to emit.
OPENSSL_EXPORT OpenRecordResult OpenRecord(SSL *ssl, Span<uint8_t> *out,
size_t *out_record_len,
uint8_t *out_alert,
@@ -4663,38 +4679,38 @@
OPENSSL_EXPORT size_t SealRecordPrefixLen(const SSL *ssl, size_t plaintext_len);
-/* SealRecordSuffixLen returns the length of the suffix written by |SealRecord|.
- *
- * |plaintext_len| must be equal to the size of the plaintext passed to
- * |SealRecord|.
- *
- * |plaintext_len| must not exceed |SSL3_RT_MAX_PLAINTEXT_LENGTH|. The returned
- * suffix length will not exceed |SSL3_RT_MAX_ENCRYPTED_OVERHEAD|. */
+// SealRecordSuffixLen returns the length of the suffix written by |SealRecord|.
+//
+// |plaintext_len| must be equal to the size of the plaintext passed to
+// |SealRecord|.
+//
+// |plaintext_len| must not exceed |SSL3_RT_MAX_PLAINTEXT_LENGTH|. The returned
+// suffix length will not exceed |SSL3_RT_MAX_ENCRYPTED_OVERHEAD|.
OPENSSL_EXPORT size_t SealRecordSuffixLen(const SSL *ssl, size_t plaintext_len);
-/* *** EXPERIMENTAL -- DO NOT USE ***
- *
- * SealRecord encrypts the cleartext of |in| and scatters the resulting TLS
- * application data record between |out_prefix|, |out|, and |out_suffix|. It
- * returns true on success or false if an error occurred.
- *
- * The length of |out_prefix| must equal |SealRecordPrefixLen|. The length of
- * |out| must equal the length of |in|, which must not exceed
- * |SSL3_RT_MAX_PLAINTEXT_LENGTH|. The length of |out_suffix| must equal
- * |SealRecordSuffixLen|.
- *
- * If enabled, |SealRecord| may perform TLS 1.0 CBC 1/n-1 record splitting.
- * |SealRecordPrefixLen| accounts for the required overhead if that is the case.
- *
- * |out| may equal |in| to encrypt in-place but may not otherwise alias.
- * |out_prefix| and |out_suffix| may not alias anything. */
+// *** EXPERIMENTAL -- DO NOT USE ***
+//
+// SealRecord encrypts the cleartext of |in| and scatters the resulting TLS
+// application data record between |out_prefix|, |out|, and |out_suffix|. It
+// returns true on success or false if an error occurred.
+//
+// The length of |out_prefix| must equal |SealRecordPrefixLen|. The length of
+// |out| must equal the length of |in|, which must not exceed
+// |SSL3_RT_MAX_PLAINTEXT_LENGTH|. The length of |out_suffix| must equal
+// |SealRecordSuffixLen|.
+//
+// If enabled, |SealRecord| may perform TLS 1.0 CBC 1/n-1 record splitting.
+// |SealRecordPrefixLen| accounts for the required overhead if that is the case.
+//
+// |out| may equal |in| to encrypt in-place but may not otherwise alias.
+// |out_prefix| and |out_suffix| may not alias anything.
OPENSSL_EXPORT bool SealRecord(SSL *ssl, Span<uint8_t> out_prefix,
Span<uint8_t> out, Span<uint8_t> out_suffix,
Span<const uint8_t> in);
} // namespace bssl
-} /* extern C++ */
+} // extern C++
#endif // !defined(BORINGSSL_NO_CXX)
@@ -4878,7 +4894,7 @@
#define SSL_R_TICKET_ENCRYPTION_FAILED 276
#define SSL_R_ALPN_MISMATCH_ON_EARLY_DATA 277
#define SSL_R_WRONG_VERSION_ON_EARLY_DATA 278
-#define SSL_R_CHANNEL_ID_ON_EARLY_DATA 279
+#define SSL_R_UNEXPECTED_EXTENSION_ON_EARLY_DATA 279
#define SSL_R_NO_SUPPORTED_VERSIONS_ENABLED 280
#define SSL_R_APPLICATION_DATA_INSTEAD_OF_HANDSHAKE 281
#define SSL_R_SSLV3_ALERT_CLOSE_NOTIFY 1000
@@ -4915,4 +4931,4 @@
#define SSL_R_TLSV1_CERTIFICATE_REQUIRED 1116
#define SSL_R_TOO_MUCH_READ_EARLY_DATA 1117
-#endif /* OPENSSL_HEADER_SSL_H */
+#endif // OPENSSL_HEADER_SSL_H
diff --git a/src/include/openssl/ssl3.h b/src/include/openssl/ssl3.h
index f213dba..60eb7fc 100644
--- a/src/include/openssl/ssl3.h
+++ b/src/include/openssl/ssl3.h
@@ -125,14 +125,14 @@
#endif
-/* These are kept to support clients that negotiates higher protocol versions
- * using SSLv2 client hello records. */
+// These are kept to support clients that negotiates higher protocol versions
+// using SSLv2 client hello records.
#define SSL2_MT_CLIENT_HELLO 1
#define SSL2_VERSION 0x0002
-/* Signalling cipher suite value from RFC 5746. */
+// Signalling cipher suite value from RFC 5746.
#define SSL3_CK_SCSV 0x030000FF
-/* Fallback signalling cipher suite value from RFC 7507. */
+// Fallback signalling cipher suite value from RFC 7507.
#define SSL3_CK_FALLBACK_SCSV 0x03005600
#define SSL3_CK_RSA_NULL_MD5 0x03000001
@@ -208,11 +208,11 @@
#define SSL3_HM_HEADER_LENGTH 4
#ifndef SSL3_ALIGN_PAYLOAD
-/* Some will argue that this increases memory footprint, but it's not actually
- * true. Point is that malloc has to return at least 64-bit aligned pointers,
- * meaning that allocating 5 bytes wastes 3 bytes in either case. Suggested
- * pre-gaping simply moves these wasted bytes from the end of allocated region
- * to its front, but makes data payload aligned, which improves performance. */
+// Some will argue that this increases memory footprint, but it's not actually
+// true. Point is that malloc has to return at least 64-bit aligned pointers,
+// meaning that allocating 5 bytes wastes 3 bytes in either case. Suggested
+// pre-gaping simply moves these wasted bytes from the end of allocated region
+// to its front, but makes data payload aligned, which improves performance.
#define SSL3_ALIGN_PAYLOAD 8
#else
#if (SSL3_ALIGN_PAYLOAD & (SSL3_ALIGN_PAYLOAD - 1)) != 0
@@ -221,33 +221,33 @@
#endif
#endif
-/* This is the maximum MAC (digest) size used by the SSL library. Currently
- * maximum of 20 is used by SHA1, but we reserve for future extension for
- * 512-bit hashes. */
+// This is the maximum MAC (digest) size used by the SSL library. Currently
+// maximum of 20 is used by SHA1, but we reserve for future extension for
+// 512-bit hashes.
#define SSL3_RT_MAX_MD_SIZE 64
-/* Maximum block size used in all ciphersuites. Currently 16 for AES. */
+// Maximum block size used in all ciphersuites. Currently 16 for AES.
#define SSL_RT_MAX_CIPHER_BLOCK_SIZE 16
-/* Maximum plaintext length: defined by SSL/TLS standards */
+// Maximum plaintext length: defined by SSL/TLS standards
#define SSL3_RT_MAX_PLAIN_LENGTH 16384
-/* Maximum compression overhead: defined by SSL/TLS standards */
+// Maximum compression overhead: defined by SSL/TLS standards
#define SSL3_RT_MAX_COMPRESSED_OVERHEAD 1024
-/* The standards give a maximum encryption overhead of 1024 bytes. In practice
- * the value is lower than this. The overhead is the maximum number of padding
- * bytes (256) plus the mac size.
- *
- * TODO(davidben): This derivation doesn't take AEADs into account, or TLS 1.1
- * explicit nonces. It happens to work because |SSL3_RT_MAX_MD_SIZE| is larger
- * than necessary and no true AEAD has variable overhead in TLS 1.2. */
+// The standards give a maximum encryption overhead of 1024 bytes. In practice
+// the value is lower than this. The overhead is the maximum number of padding
+// bytes (256) plus the mac size.
+//
+// TODO(davidben): This derivation doesn't take AEADs into account, or TLS 1.1
+// explicit nonces. It happens to work because |SSL3_RT_MAX_MD_SIZE| is larger
+// than necessary and no true AEAD has variable overhead in TLS 1.2.
#define SSL3_RT_MAX_ENCRYPTED_OVERHEAD (256 + SSL3_RT_MAX_MD_SIZE)
-/* SSL3_RT_SEND_MAX_ENCRYPTED_OVERHEAD is the maximum overhead in encrypting a
- * record. This does not include the record header. Some ciphers use explicit
- * nonces, so it includes both the AEAD overhead as well as the nonce. */
+// SSL3_RT_SEND_MAX_ENCRYPTED_OVERHEAD is the maximum overhead in encrypting a
+// record. This does not include the record header. Some ciphers use explicit
+// nonces, so it includes both the AEAD overhead as well as the nonce.
#define SSL3_RT_SEND_MAX_ENCRYPTED_OVERHEAD \
(EVP_AEAD_MAX_OVERHEAD + EVP_AEAD_MAX_NONCE_LENGTH)
@@ -255,9 +255,9 @@
SSL3_RT_MAX_ENCRYPTED_OVERHEAD >= SSL3_RT_SEND_MAX_ENCRYPTED_OVERHEAD,
max_overheads_are_consistent);
-/* SSL3_RT_MAX_COMPRESSED_LENGTH is an alias for
- * |SSL3_RT_MAX_PLAIN_LENGTH|. Compression is gone, so don't include the
- * compression overhead. */
+// SSL3_RT_MAX_COMPRESSED_LENGTH is an alias for
+// |SSL3_RT_MAX_PLAIN_LENGTH|. Compression is gone, so don't include the
+// compression overhead.
#define SSL3_RT_MAX_COMPRESSED_LENGTH SSL3_RT_MAX_PLAIN_LENGTH
#define SSL3_RT_MAX_ENCRYPTED_LENGTH \
@@ -274,46 +274,46 @@
#define SSL3_RT_APPLICATION_DATA 23
#define SSL3_RT_PLAINTEXT_HANDSHAKE 24
-/* Pseudo content type for SSL/TLS header info */
+// Pseudo content type for SSL/TLS header info
#define SSL3_RT_HEADER 0x100
#define SSL3_AL_WARNING 1
#define SSL3_AL_FATAL 2
#define SSL3_AD_CLOSE_NOTIFY 0
-#define SSL3_AD_UNEXPECTED_MESSAGE 10 /* fatal */
-#define SSL3_AD_BAD_RECORD_MAC 20 /* fatal */
-#define SSL3_AD_DECOMPRESSION_FAILURE 30 /* fatal */
-#define SSL3_AD_HANDSHAKE_FAILURE 40 /* fatal */
+#define SSL3_AD_UNEXPECTED_MESSAGE 10 // fatal
+#define SSL3_AD_BAD_RECORD_MAC 20 // fatal
+#define SSL3_AD_DECOMPRESSION_FAILURE 30 // fatal
+#define SSL3_AD_HANDSHAKE_FAILURE 40 // fatal
#define SSL3_AD_NO_CERTIFICATE 41
#define SSL3_AD_BAD_CERTIFICATE 42
#define SSL3_AD_UNSUPPORTED_CERTIFICATE 43
#define SSL3_AD_CERTIFICATE_REVOKED 44
#define SSL3_AD_CERTIFICATE_EXPIRED 45
#define SSL3_AD_CERTIFICATE_UNKNOWN 46
-#define SSL3_AD_ILLEGAL_PARAMETER 47 /* fatal */
-#define SSL3_AD_INAPPROPRIATE_FALLBACK 86 /* fatal */
+#define SSL3_AD_ILLEGAL_PARAMETER 47 // fatal
+#define SSL3_AD_INAPPROPRIATE_FALLBACK 86 // fatal
#define SSL3_CT_RSA_SIGN 1
-/* SSLv3 */
-/* client */
-/* extra state */
+// SSLv3
+// client
+// extra state
#define SSL3_ST_CW_FLUSH (0x100 | SSL_ST_CONNECT)
#define SSL3_ST_FALSE_START (0x101 | SSL_ST_CONNECT)
#define SSL3_ST_VERIFY_SERVER_CERT (0x102 | SSL_ST_CONNECT)
#define SSL3_ST_FINISH_CLIENT_HANDSHAKE (0x103 | SSL_ST_CONNECT)
#define SSL3_ST_WRITE_EARLY_DATA (0x104 | SSL_ST_CONNECT)
-/* write to server */
+// write to server
#define SSL3_ST_CW_CLNT_HELLO_A (0x110 | SSL_ST_CONNECT)
-/* read from server */
+// read from server
#define SSL3_ST_CR_SRVR_HELLO_A (0x120 | SSL_ST_CONNECT)
#define DTLS1_ST_CR_HELLO_VERIFY_REQUEST_A (0x126 | SSL_ST_CONNECT)
#define SSL3_ST_CR_CERT_A (0x130 | SSL_ST_CONNECT)
#define SSL3_ST_CR_KEY_EXCH_A (0x140 | SSL_ST_CONNECT)
#define SSL3_ST_CR_CERT_REQ_A (0x150 | SSL_ST_CONNECT)
#define SSL3_ST_CR_SRVR_DONE_A (0x160 | SSL_ST_CONNECT)
-/* write to server */
+// write to server
#define SSL3_ST_CW_CERT_A (0x170 | SSL_ST_CONNECT)
#define SSL3_ST_CW_KEY_EXCH_A (0x180 | SSL_ST_CONNECT)
#define SSL3_ST_CW_CERT_VRFY_A (0x190 | SSL_ST_CONNECT)
@@ -321,30 +321,30 @@
#define SSL3_ST_CW_NEXT_PROTO_A (0x200 | SSL_ST_CONNECT)
#define SSL3_ST_CW_CHANNEL_ID_A (0x220 | SSL_ST_CONNECT)
#define SSL3_ST_CW_FINISHED_A (0x1B0 | SSL_ST_CONNECT)
-/* read from server */
+// read from server
#define SSL3_ST_CR_CHANGE (0x1C0 | SSL_ST_CONNECT)
#define SSL3_ST_CR_FINISHED_A (0x1D0 | SSL_ST_CONNECT)
#define SSL3_ST_CR_SESSION_TICKET_A (0x1E0 | SSL_ST_CONNECT)
#define SSL3_ST_CR_CERT_STATUS_A (0x1F0 | SSL_ST_CONNECT)
-/* SSL3_ST_CR_SRVR_HELLO_B is a legacy alias for |SSL3_ST_CR_SRVR_HELLO_A| used
- * by some consumers which check |SSL_state|. */
+// SSL3_ST_CR_SRVR_HELLO_B is a legacy alias for |SSL3_ST_CR_SRVR_HELLO_A| used
+// by some consumers which check |SSL_state|.
#define SSL3_ST_CR_SRVR_HELLO_B SSL3_ST_CR_SRVR_HELLO_A
-/* server */
-/* extra state */
+// server
+// extra state
#define SSL3_ST_SW_FLUSH (0x100 | SSL_ST_ACCEPT)
#define SSL3_ST_VERIFY_CLIENT_CERT (0x101 | SSL_ST_ACCEPT)
-/* read from client */
+// read from client
#define SSL3_ST_SR_CLNT_HELLO_A (0x110 | SSL_ST_ACCEPT)
#define SSL3_ST_SR_CLNT_HELLO_B (0x111 | SSL_ST_ACCEPT)
#define SSL3_ST_SR_CLNT_HELLO_C (0x112 | SSL_ST_ACCEPT)
-/* write to client */
+// write to client
#define SSL3_ST_SW_SRVR_HELLO_A (0x130 | SSL_ST_ACCEPT)
#define SSL3_ST_SW_CERT_A (0x140 | SSL_ST_ACCEPT)
#define SSL3_ST_SW_KEY_EXCH_A (0x150 | SSL_ST_ACCEPT)
#define SSL3_ST_SW_SRVR_DONE_A (0x170 | SSL_ST_ACCEPT)
-/* read from client */
+// read from client
#define SSL3_ST_SR_CERT_A (0x180 | SSL_ST_ACCEPT)
#define SSL3_ST_SR_KEY_EXCH_A (0x190 | SSL_ST_ACCEPT)
#define SSL3_ST_SR_CERT_VRFY_A (0x1A0 | SSL_ST_ACCEPT)
@@ -353,7 +353,7 @@
#define SSL3_ST_SR_CHANNEL_ID_A (0x230 | SSL_ST_ACCEPT)
#define SSL3_ST_SR_FINISHED_A (0x1C0 | SSL_ST_ACCEPT)
-/* write to client */
+// write to client
#define SSL3_ST_SW_FINISHED_A (0x1E0 | SSL_ST_ACCEPT)
#define SSL3_MT_HELLO_REQUEST 0
@@ -376,15 +376,15 @@
#define SSL3_MT_CHANNEL_ID 203
#define DTLS1_MT_HELLO_VERIFY_REQUEST 3
-/* The following are legacy aliases for consumers which use
- * |SSL_CTX_set_msg_callback|. */
+// The following are legacy aliases for consumers which use
+// |SSL_CTX_set_msg_callback|.
#define SSL3_MT_SERVER_DONE SSL3_MT_SERVER_HELLO_DONE
#define SSL3_MT_NEWSESSION_TICKET SSL3_MT_NEW_SESSION_TICKET
#define SSL3_MT_CCS 1
-/* These are used when changing over to a new cipher */
+// These are used when changing over to a new cipher
#define SSL3_CC_READ 0x01
#define SSL3_CC_WRITE 0x02
#define SSL3_CC_CLIENT 0x10
@@ -396,7 +396,7 @@
#ifdef __cplusplus
-} /* extern C */
+} // extern C
#endif
-#endif /* OPENSSL_HEADER_SSL3_H */
+#endif // OPENSSL_HEADER_SSL3_H
diff --git a/src/include/openssl/stack.h b/src/include/openssl/stack.h
index 3626fb0..1a0347e 100644
--- a/src/include/openssl/stack.h
+++ b/src/include/openssl/stack.h
@@ -66,45 +66,45 @@
#endif
-/* A stack, in OpenSSL, is an array of pointers. They are the most commonly
- * used collection object.
- *
- * This file defines macros for type safe use of the stack functions. A stack
- * of a specific type of object has type |STACK_OF(type)|. This can be defined
- * (once) with |DEFINE_STACK_OF(type)| and declared where needed with
- * |DECLARE_STACK_OF(type)|. For example:
- *
- * typedef struct foo_st {
- * int bar;
- * } FOO;
- *
- * DEFINE_STACK_OF(FOO);
- *
- * Although note that the stack will contain /pointers/ to |FOO|.
- *
- * A macro will be defined for each of the sk_* functions below. For
- * STACK_OF(FOO), the macros would be sk_FOO_new, sk_FOO_pop etc. */
+// A stack, in OpenSSL, is an array of pointers. They are the most commonly
+// used collection object.
+//
+// This file defines macros for type safe use of the stack functions. A stack
+// of a specific type of object has type |STACK_OF(type)|. This can be defined
+// (once) with |DEFINE_STACK_OF(type)| and declared where needed with
+// |DECLARE_STACK_OF(type)|. For example:
+//
+// typedef struct foo_st {
+// int bar;
+// } FOO;
+//
+// DEFINE_STACK_OF(FOO);
+//
+// Although note that the stack will contain /pointers/ to |FOO|.
+//
+// A macro will be defined for each of the sk_* functions below. For
+// STACK_OF(FOO), the macros would be sk_FOO_new, sk_FOO_pop etc.
-/* stack_cmp_func is a comparison function that returns a value < 0, 0 or > 0
- * if |*a| is less than, equal to or greater than |*b|, respectively. Note the
- * extra indirection - the function is given a pointer to a pointer to the
- * element. This differs from the usual qsort/bsearch comparison function. */
+// stack_cmp_func is a comparison function that returns a value < 0, 0 or > 0
+// if |*a| is less than, equal to or greater than |*b|, respectively. Note the
+// extra indirection - the function is given a pointer to a pointer to the
+// element. This differs from the usual qsort/bsearch comparison function.
typedef int (*stack_cmp_func)(const void **a, const void **b);
-/* stack_st contains an array of pointers. It is not designed to be used
- * directly, rather the wrapper macros should be used. */
+// stack_st contains an array of pointers. It is not designed to be used
+// directly, rather the wrapper macros should be used.
typedef struct stack_st {
- /* num contains the number of valid pointers in |data|. */
+ // num contains the number of valid pointers in |data|.
size_t num;
void **data;
- /* sorted is non-zero if the values pointed to by |data| are in ascending
- * order, based on |comp|. */
+ // sorted is non-zero if the values pointed to by |data| are in ascending
+ // order, based on |comp|.
int sorted;
- /* num_alloc contains the number of pointers allocated in the buffer pointed
- * to by |data|, which may be larger than |num|. */
+ // num_alloc contains the number of pointers allocated in the buffer pointed
+ // to by |data|, which may be larger than |num|.
size_t num_alloc;
- /* comp is an optional comparison function. */
+ // comp is an optional comparison function.
stack_cmp_func comp;
} _STACK;
@@ -113,104 +113,104 @@
#define DECLARE_STACK_OF(type) STACK_OF(type);
-/* These are the raw stack functions, you shouldn't be using them. Rather you
- * should be using the type stack macros implemented above. */
+// These are the raw stack functions, you shouldn't be using them. Rather you
+// should be using the type stack macros implemented above.
-/* sk_new creates a new, empty stack with the given comparison function, which
- * may be zero. It returns the new stack or NULL on allocation failure. */
+// sk_new creates a new, empty stack with the given comparison function, which
+// may be zero. It returns the new stack or NULL on allocation failure.
OPENSSL_EXPORT _STACK *sk_new(stack_cmp_func comp);
-/* sk_new_null creates a new, empty stack. It returns the new stack or NULL on
- * allocation failure. */
+// sk_new_null creates a new, empty stack. It returns the new stack or NULL on
+// allocation failure.
OPENSSL_EXPORT _STACK *sk_new_null(void);
-/* sk_num returns the number of elements in |s|. */
+// sk_num returns the number of elements in |s|.
OPENSSL_EXPORT size_t sk_num(const _STACK *sk);
-/* sk_zero resets |sk| to the empty state but does nothing to free the
- * individual elements themselves. */
+// sk_zero resets |sk| to the empty state but does nothing to free the
+// individual elements themselves.
OPENSSL_EXPORT void sk_zero(_STACK *sk);
-/* sk_value returns the |i|th pointer in |sk|, or NULL if |i| is out of
- * range. */
+// sk_value returns the |i|th pointer in |sk|, or NULL if |i| is out of
+// range.
OPENSSL_EXPORT void *sk_value(const _STACK *sk, size_t i);
-/* sk_set sets the |i|th pointer in |sk| to |p| and returns |p|. If |i| is out
- * of range, it returns NULL. */
+// sk_set sets the |i|th pointer in |sk| to |p| and returns |p|. If |i| is out
+// of range, it returns NULL.
OPENSSL_EXPORT void *sk_set(_STACK *sk, size_t i, void *p);
-/* sk_free frees the given stack and array of pointers, but does nothing to
- * free the individual elements. Also see |sk_pop_free|. */
+// sk_free frees the given stack and array of pointers, but does nothing to
+// free the individual elements. Also see |sk_pop_free|.
OPENSSL_EXPORT void sk_free(_STACK *sk);
-/* sk_pop_free calls |free_func| on each element in the stack and then frees
- * the stack itself. */
+// sk_pop_free calls |free_func| on each element in the stack and then frees
+// the stack itself.
OPENSSL_EXPORT void sk_pop_free(_STACK *sk, void (*free_func)(void *));
-/* sk_insert inserts |p| into the stack at index |where|, moving existing
- * elements if needed. It returns the length of the new stack, or zero on
- * error. */
+// sk_insert inserts |p| into the stack at index |where|, moving existing
+// elements if needed. It returns the length of the new stack, or zero on
+// error.
OPENSSL_EXPORT size_t sk_insert(_STACK *sk, void *p, size_t where);
-/* sk_delete removes the pointer at index |where|, moving other elements down
- * if needed. It returns the removed pointer, or NULL if |where| is out of
- * range. */
+// sk_delete removes the pointer at index |where|, moving other elements down
+// if needed. It returns the removed pointer, or NULL if |where| is out of
+// range.
OPENSSL_EXPORT void *sk_delete(_STACK *sk, size_t where);
-/* sk_delete_ptr removes, at most, one instance of |p| from the stack based on
- * pointer equality. If an instance of |p| is found then |p| is returned,
- * otherwise it returns NULL. */
+// sk_delete_ptr removes, at most, one instance of |p| from the stack based on
+// pointer equality. If an instance of |p| is found then |p| is returned,
+// otherwise it returns NULL.
OPENSSL_EXPORT void *sk_delete_ptr(_STACK *sk, void *p);
-/* sk_find returns the first value in the stack equal to |p|. If a comparison
- * function has been set on the stack, then equality is defined by it and the
- * stack will be sorted if need be so that a binary search can be used.
- * Otherwise pointer equality is used. If a matching element is found, its
- * index is written to |*out_index| (if |out_index| is not NULL) and one is
- * returned. Otherwise zero is returned. */
+// sk_find returns the first value in the stack equal to |p|. If a comparison
+// function has been set on the stack, then equality is defined by it and the
+// stack will be sorted if need be so that a binary search can be used.
+// Otherwise pointer equality is used. If a matching element is found, its
+// index is written to |*out_index| (if |out_index| is not NULL) and one is
+// returned. Otherwise zero is returned.
OPENSSL_EXPORT int sk_find(_STACK *sk, size_t *out_index, void *p);
-/* sk_shift removes and returns the first element in the stack, or returns NULL
- * if the stack is empty. */
+// sk_shift removes and returns the first element in the stack, or returns NULL
+// if the stack is empty.
OPENSSL_EXPORT void *sk_shift(_STACK *sk);
-/* sk_push appends |p| to the stack and returns the length of the new stack, or
- * 0 on allocation failure. */
+// sk_push appends |p| to the stack and returns the length of the new stack, or
+// 0 on allocation failure.
OPENSSL_EXPORT size_t sk_push(_STACK *sk, void *p);
-/* sk_pop returns and removes the last element on the stack, or NULL if the
- * stack is empty. */
+// sk_pop returns and removes the last element on the stack, or NULL if the
+// stack is empty.
OPENSSL_EXPORT void *sk_pop(_STACK *sk);
-/* sk_dup performs a shallow copy of a stack and returns the new stack, or NULL
- * on error. */
+// sk_dup performs a shallow copy of a stack and returns the new stack, or NULL
+// on error.
OPENSSL_EXPORT _STACK *sk_dup(const _STACK *sk);
-/* sk_sort sorts the elements of |sk| into ascending order based on the
- * comparison function. The stack maintains a |sorted| flag and sorting an
- * already sorted stack is a no-op. */
+// sk_sort sorts the elements of |sk| into ascending order based on the
+// comparison function. The stack maintains a |sorted| flag and sorting an
+// already sorted stack is a no-op.
OPENSSL_EXPORT void sk_sort(_STACK *sk);
-/* sk_is_sorted returns one if |sk| is known to be sorted and zero
- * otherwise. */
+// sk_is_sorted returns one if |sk| is known to be sorted and zero
+// otherwise.
OPENSSL_EXPORT int sk_is_sorted(const _STACK *sk);
-/* sk_set_cmp_func sets the comparison function to be used by |sk| and returns
- * the previous one. */
+// sk_set_cmp_func sets the comparison function to be used by |sk| and returns
+// the previous one.
OPENSSL_EXPORT stack_cmp_func sk_set_cmp_func(_STACK *sk, stack_cmp_func comp);
-/* sk_deep_copy performs a copy of |sk| and of each of the non-NULL elements in
- * |sk| by using |copy_func|. If an error occurs, |free_func| is used to free
- * any copies already made and NULL is returned. */
+// sk_deep_copy performs a copy of |sk| and of each of the non-NULL elements in
+// |sk| by using |copy_func|. If an error occurs, |free_func| is used to free
+// any copies already made and NULL is returned.
OPENSSL_EXPORT _STACK *sk_deep_copy(const _STACK *sk,
void *(*copy_func)(void *),
void (*free_func)(void *));
-/* Defining stack types.
- *
- * This set of macros is used to emit the typed functions that act on a
- * |STACK_OF(T)|. */
+// Defining stack types.
+//
+// This set of macros is used to emit the typed functions that act on a
+// |STACK_OF(T)|.
#if !defined(BORINGSSL_NO_CXX)
extern "C++" {
@@ -240,9 +240,9 @@
#define BORINGSSL_DEFINE_STACK_TRAITS(name, type, is_const)
#endif
-/* Stack functions must be tagged unused to support file-local stack types.
- * Clang's -Wunused-function only allows unused static inline functions if they
- * are defined in a header. */
+// Stack functions must be tagged unused to support file-local stack types.
+// Clang's -Wunused-function only allows unused static inline functions if they
+// are defined in a header.
#define BORINGSSL_DEFINE_STACK_OF_IMPL(name, ptrtype, constptrtype) \
DECLARE_STACK_OF(name); \
@@ -349,20 +349,20 @@
(void (*)(void *))free_func); \
}
-/* DEFINE_STACK_OF defines |STACK_OF(type)| to be a stack whose elements are
- * |type| *. */
+// DEFINE_STACK_OF defines |STACK_OF(type)| to be a stack whose elements are
+// |type| *.
#define DEFINE_STACK_OF(type) \
BORINGSSL_DEFINE_STACK_OF_IMPL(type, type *, const type *) \
BORINGSSL_DEFINE_STACK_TRAITS(type, type, false)
-/* DEFINE_CONST_STACK_OF defines |STACK_OF(type)| to be a stack whose elements
- * are const |type| *. */
+// DEFINE_CONST_STACK_OF defines |STACK_OF(type)| to be a stack whose elements
+// are const |type| *.
#define DEFINE_CONST_STACK_OF(type) \
BORINGSSL_DEFINE_STACK_OF_IMPL(type, const type *, const type *) \
BORINGSSL_DEFINE_STACK_TRAITS(type, const type, true)
-/* DEFINE_SPECIAL_STACK_OF defines |STACK_OF(type)| to be a stack whose elements
- * are |type|, where |type| must be a typedef for a pointer. */
+// DEFINE_SPECIAL_STACK_OF defines |STACK_OF(type)| to be a stack whose elements
+// are |type|, where |type| must be a typedef for a pointer.
#define DEFINE_SPECIAL_STACK_OF(type) \
OPENSSL_COMPILE_ASSERT(sizeof(type) == sizeof(void *), \
special_stack_of_non_pointer_##type); \
@@ -376,7 +376,7 @@
#if defined(__cplusplus)
-} /* extern C */
+} // extern C
#endif
#if !defined(BORINGSSL_NO_CXX)
@@ -482,4 +482,4 @@
} // extern C++
#endif
-#endif /* OPENSSL_HEADER_STACK_H */
+#endif // OPENSSL_HEADER_STACK_H
diff --git a/src/include/openssl/thread.h b/src/include/openssl/thread.h
index 8151484..98073b0 100644
--- a/src/include/openssl/thread.h
+++ b/src/include/openssl/thread.h
@@ -68,88 +68,88 @@
#if defined(OPENSSL_NO_THREADS)
typedef struct crypto_mutex_st {
- char padding; /* Empty structs have different sizes in C and C++. */
+ char padding; // Empty structs have different sizes in C and C++.
} CRYPTO_MUTEX;
#elif defined(OPENSSL_WINDOWS)
-/* CRYPTO_MUTEX can appear in public header files so we really don't want to
- * pull in windows.h. It's statically asserted that this structure is large
- * enough to contain a Windows SRWLOCK by thread_win.c. */
+// CRYPTO_MUTEX can appear in public header files so we really don't want to
+// pull in windows.h. It's statically asserted that this structure is large
+// enough to contain a Windows SRWLOCK by thread_win.c.
typedef union crypto_mutex_st {
void *handle;
} CRYPTO_MUTEX;
#elif defined(__MACH__) && defined(__APPLE__)
typedef pthread_rwlock_t CRYPTO_MUTEX;
#else
-/* It is reasonable to include pthread.h on non-Windows systems, however the
- * |pthread_rwlock_t| that we need is hidden under feature flags, and we can't
- * ensure that we'll be able to get it. It's statically asserted that this
- * structure is large enough to contain a |pthread_rwlock_t| by
- * thread_pthread.c. */
+// It is reasonable to include pthread.h on non-Windows systems, however the
+// |pthread_rwlock_t| that we need is hidden under feature flags, and we can't
+// ensure that we'll be able to get it. It's statically asserted that this
+// structure is large enough to contain a |pthread_rwlock_t| by
+// thread_pthread.c.
typedef union crypto_mutex_st {
double alignment;
uint8_t padding[3*sizeof(int) + 5*sizeof(unsigned) + 16 + 8];
} CRYPTO_MUTEX;
#endif
-/* CRYPTO_refcount_t is the type of a reference count.
- *
- * Since some platforms use C11 atomics to access this, it should have the
- * _Atomic qualifier. However, this header is included by C++ programs as well
- * as C code that might not set -std=c11. So, in practice, it's not possible to
- * do that. Instead we statically assert that the size and native alignment of
- * a plain uint32_t and an _Atomic uint32_t are equal in refcount_c11.c. */
+// CRYPTO_refcount_t is the type of a reference count.
+//
+// Since some platforms use C11 atomics to access this, it should have the
+// _Atomic qualifier. However, this header is included by C++ programs as well
+// as C code that might not set -std=c11. So, in practice, it's not possible to
+// do that. Instead we statically assert that the size and native alignment of
+// a plain uint32_t and an _Atomic uint32_t are equal in refcount_c11.c.
typedef uint32_t CRYPTO_refcount_t;
-/* Deprecated functions.
- *
- * Historically, OpenSSL required callers to provide locking callbacks.
- * BoringSSL is thread-safe by default, but some old code calls these functions
- * and so no-op implementations are provided. */
+// Deprecated functions.
+//
+// Historically, OpenSSL required callers to provide locking callbacks.
+// BoringSSL is thread-safe by default, but some old code calls these functions
+// and so no-op implementations are provided.
-/* These defines do nothing but are provided to make old code easier to
- * compile. */
+// These defines do nothing but are provided to make old code easier to
+// compile.
#define CRYPTO_LOCK 1
#define CRYPTO_UNLOCK 2
#define CRYPTO_READ 4
#define CRYPTO_WRITE 8
-/* CRYPTO_num_locks returns one. (This is non-zero that callers who allocate
- * sizeof(lock) times this value don't get zero and then fail because malloc(0)
- * returned NULL.) */
+// CRYPTO_num_locks returns one. (This is non-zero that callers who allocate
+// sizeof(lock) times this value don't get zero and then fail because malloc(0)
+// returned NULL.)
OPENSSL_EXPORT int CRYPTO_num_locks(void);
-/* CRYPTO_set_locking_callback does nothing. */
+// CRYPTO_set_locking_callback does nothing.
OPENSSL_EXPORT void CRYPTO_set_locking_callback(
void (*func)(int mode, int lock_num, const char *file, int line));
-/* CRYPTO_set_add_lock_callback does nothing. */
+// CRYPTO_set_add_lock_callback does nothing.
OPENSSL_EXPORT void CRYPTO_set_add_lock_callback(int (*func)(
int *num, int amount, int lock_num, const char *file, int line));
-/* CRYPTO_get_locking_callback returns NULL. */
+// CRYPTO_get_locking_callback returns NULL.
OPENSSL_EXPORT void (*CRYPTO_get_locking_callback(void))(int mode, int lock_num,
const char *file,
int line);
-/* CRYPTO_get_lock_name returns a fixed, dummy string. */
+// CRYPTO_get_lock_name returns a fixed, dummy string.
OPENSSL_EXPORT const char *CRYPTO_get_lock_name(int lock_num);
-/* CRYPTO_THREADID_set_callback returns one. */
+// CRYPTO_THREADID_set_callback returns one.
OPENSSL_EXPORT int CRYPTO_THREADID_set_callback(
void (*threadid_func)(CRYPTO_THREADID *threadid));
-/* CRYPTO_THREADID_set_numeric does nothing. */
+// CRYPTO_THREADID_set_numeric does nothing.
OPENSSL_EXPORT void CRYPTO_THREADID_set_numeric(CRYPTO_THREADID *id,
unsigned long val);
-/* CRYPTO_THREADID_set_pointer does nothing. */
+// CRYPTO_THREADID_set_pointer does nothing.
OPENSSL_EXPORT void CRYPTO_THREADID_set_pointer(CRYPTO_THREADID *id, void *ptr);
-/* CRYPTO_THREADID_current does nothing. */
+// CRYPTO_THREADID_current does nothing.
OPENSSL_EXPORT void CRYPTO_THREADID_current(CRYPTO_THREADID *id);
-/* CRYPTO_set_id_callback does nothing. */
+// CRYPTO_set_id_callback does nothing.
OPENSSL_EXPORT void CRYPTO_set_id_callback(unsigned long (*func)(void));
typedef struct {
@@ -157,35 +157,35 @@
struct CRYPTO_dynlock_value *data;
} CRYPTO_dynlock;
-/* CRYPTO_set_dynlock_create_callback does nothing. */
+// CRYPTO_set_dynlock_create_callback does nothing.
OPENSSL_EXPORT void CRYPTO_set_dynlock_create_callback(
struct CRYPTO_dynlock_value *(*dyn_create_function)(const char *file,
int line));
-/* CRYPTO_set_dynlock_lock_callback does nothing. */
+// CRYPTO_set_dynlock_lock_callback does nothing.
OPENSSL_EXPORT void CRYPTO_set_dynlock_lock_callback(void (*dyn_lock_function)(
int mode, struct CRYPTO_dynlock_value *l, const char *file, int line));
-/* CRYPTO_set_dynlock_destroy_callback does nothing. */
+// CRYPTO_set_dynlock_destroy_callback does nothing.
OPENSSL_EXPORT void CRYPTO_set_dynlock_destroy_callback(
void (*dyn_destroy_function)(struct CRYPTO_dynlock_value *l,
const char *file, int line));
-/* CRYPTO_get_dynlock_create_callback returns NULL. */
+// CRYPTO_get_dynlock_create_callback returns NULL.
OPENSSL_EXPORT struct CRYPTO_dynlock_value *(
*CRYPTO_get_dynlock_create_callback(void))(const char *file, int line);
-/* CRYPTO_get_dynlock_lock_callback returns NULL. */
+// CRYPTO_get_dynlock_lock_callback returns NULL.
OPENSSL_EXPORT void (*CRYPTO_get_dynlock_lock_callback(void))(
int mode, struct CRYPTO_dynlock_value *l, const char *file, int line);
-/* CRYPTO_get_dynlock_destroy_callback returns NULL. */
+// CRYPTO_get_dynlock_destroy_callback returns NULL.
OPENSSL_EXPORT void (*CRYPTO_get_dynlock_destroy_callback(void))(
struct CRYPTO_dynlock_value *l, const char *file, int line);
#if defined(__cplusplus)
-} /* extern C */
+} // extern C
#endif
-#endif /* OPENSSL_HEADER_THREAD_H */
+#endif // OPENSSL_HEADER_THREAD_H
diff --git a/src/include/openssl/tls1.h b/src/include/openssl/tls1.h
index 1842ee5..8eafe4c 100644
--- a/src/include/openssl/tls1.h
+++ b/src/include/openssl/tls1.h
@@ -171,7 +171,7 @@
#define TLS1_AD_USER_CANCELLED 90
#define TLS1_AD_NO_RENEGOTIATION 100
#define TLS1_AD_MISSING_EXTENSION 109
-/* codes 110-114 are from RFC3546 */
+// codes 110-114 are from RFC3546
#define TLS1_AD_UNSUPPORTED_EXTENSION 110
#define TLS1_AD_CERTIFICATE_UNOBTAINABLE 111
#define TLS1_AD_UNRECOGNIZED_NAME 112
@@ -180,32 +180,32 @@
#define TLS1_AD_UNKNOWN_PSK_IDENTITY 115
#define TLS1_AD_CERTIFICATE_REQUIRED 116
-/* ExtensionType values from RFC6066 */
+// ExtensionType values from RFC6066
#define TLSEXT_TYPE_server_name 0
#define TLSEXT_TYPE_status_request 5
-/* ExtensionType values from RFC4492 */
+// ExtensionType values from RFC4492
#define TLSEXT_TYPE_ec_point_formats 11
-/* ExtensionType values from RFC5246 */
+// ExtensionType values from RFC5246
#define TLSEXT_TYPE_signature_algorithms 13
-/* ExtensionType value from RFC5764 */
+// ExtensionType value from RFC5764
#define TLSEXT_TYPE_srtp 14
-/* ExtensionType value from RFC7301 */
+// ExtensionType value from RFC7301
#define TLSEXT_TYPE_application_layer_protocol_negotiation 16
-/* ExtensionType value from RFC7685 */
+// ExtensionType value from RFC7685
#define TLSEXT_TYPE_padding 21
-/* ExtensionType value from RFC7627 */
+// ExtensionType value from RFC7627
#define TLSEXT_TYPE_extended_master_secret 23
-/* ExtensionType value from RFC4507 */
+// ExtensionType value from RFC4507
#define TLSEXT_TYPE_session_ticket 35
-/* ExtensionType values from draft-ietf-tls-tls13-18 */
+// ExtensionType values from draft-ietf-tls-tls13-18
#define TLSEXT_TYPE_supported_groups 10
#define TLSEXT_TYPE_key_share 40
#define TLSEXT_TYPE_pre_shared_key 41
@@ -215,26 +215,26 @@
#define TLSEXT_TYPE_psk_key_exchange_modes 45
#define TLSEXT_TYPE_ticket_early_data_info 46
-/* ExtensionType value from RFC5746 */
+// ExtensionType value from RFC5746
#define TLSEXT_TYPE_renegotiate 0xff01
-/* ExtensionType value from RFC6962 */
+// ExtensionType value from RFC6962
#define TLSEXT_TYPE_certificate_timestamp 18
-/* This is not an IANA defined extension number */
+// This is not an IANA defined extension number
#define TLSEXT_TYPE_next_proto_neg 13172
-/* This is not an IANA defined extension number */
+// This is not an IANA defined extension number
#define TLSEXT_TYPE_channel_id 30032
-/* status request value from RFC 3546 */
+// status request value from RFC 3546
#define TLSEXT_STATUSTYPE_ocsp 1
-/* ECPointFormat values from RFC 4492 */
+// ECPointFormat values from RFC 4492
#define TLSEXT_ECPOINTFORMAT_uncompressed 0
#define TLSEXT_ECPOINTFORMAT_ansiX962_compressed_prime 1
-/* Signature and hash algorithms from RFC 5246 */
+// Signature and hash algorithms from RFC 5246
#define TLSEXT_signature_anonymous 0
#define TLSEXT_signature_rsa 1
@@ -251,30 +251,30 @@
#define TLSEXT_MAXLEN_host_name 255
-/* PSK ciphersuites from 4279 */
+// PSK ciphersuites from 4279
#define TLS1_CK_PSK_WITH_RC4_128_SHA 0x0300008A
#define TLS1_CK_PSK_WITH_3DES_EDE_CBC_SHA 0x0300008B
#define TLS1_CK_PSK_WITH_AES_128_CBC_SHA 0x0300008C
#define TLS1_CK_PSK_WITH_AES_256_CBC_SHA 0x0300008D
-/* PSK ciphersuites from RFC 5489 */
+// PSK ciphersuites from RFC 5489
#define TLS1_CK_ECDHE_PSK_WITH_AES_128_CBC_SHA 0x0300C035
#define TLS1_CK_ECDHE_PSK_WITH_AES_256_CBC_SHA 0x0300C036
-/* Additional TLS ciphersuites from expired Internet Draft
- * draft-ietf-tls-56-bit-ciphersuites-01.txt
- * (available if TLS1_ALLOW_EXPERIMENTAL_CIPHERSUITES is defined, see
- * s3_lib.c). We actually treat them like SSL 3.0 ciphers, which we probably
- * shouldn't. Note that the first two are actually not in the IDs. */
-#define TLS1_CK_RSA_EXPORT1024_WITH_RC4_56_MD5 0x03000060 /* not in ID */
-#define TLS1_CK_RSA_EXPORT1024_WITH_RC2_CBC_56_MD5 0x03000061 /* not in ID */
+// Additional TLS ciphersuites from expired Internet Draft
+// draft-ietf-tls-56-bit-ciphersuites-01.txt
+// (available if TLS1_ALLOW_EXPERIMENTAL_CIPHERSUITES is defined, see
+// s3_lib.c). We actually treat them like SSL 3.0 ciphers, which we probably
+// shouldn't. Note that the first two are actually not in the IDs.
+#define TLS1_CK_RSA_EXPORT1024_WITH_RC4_56_MD5 0x03000060 // not in ID
+#define TLS1_CK_RSA_EXPORT1024_WITH_RC2_CBC_56_MD5 0x03000061 // not in ID
#define TLS1_CK_RSA_EXPORT1024_WITH_DES_CBC_SHA 0x03000062
#define TLS1_CK_DHE_DSS_EXPORT1024_WITH_DES_CBC_SHA 0x03000063
#define TLS1_CK_RSA_EXPORT1024_WITH_RC4_56_SHA 0x03000064
#define TLS1_CK_DHE_DSS_EXPORT1024_WITH_RC4_56_SHA 0x03000065
#define TLS1_CK_DHE_DSS_WITH_RC4_128_SHA 0x03000066
-/* AES ciphersuites from RFC3268 */
+// AES ciphersuites from RFC3268
#define TLS1_CK_RSA_WITH_AES_128_SHA 0x0300002F
#define TLS1_CK_DH_DSS_WITH_AES_128_SHA 0x03000030
@@ -290,7 +290,7 @@
#define TLS1_CK_DHE_RSA_WITH_AES_256_SHA 0x03000039
#define TLS1_CK_ADH_WITH_AES_256_SHA 0x0300003A
-/* TLS v1.2 ciphersuites */
+// TLS v1.2 ciphersuites
#define TLS1_CK_RSA_WITH_NULL_SHA256 0x0300003B
#define TLS1_CK_RSA_WITH_AES_128_SHA256 0x0300003C
#define TLS1_CK_RSA_WITH_AES_256_SHA256 0x0300003D
@@ -298,7 +298,7 @@
#define TLS1_CK_DH_RSA_WITH_AES_128_SHA256 0x0300003F
#define TLS1_CK_DHE_DSS_WITH_AES_128_SHA256 0x03000040
-/* Camellia ciphersuites from RFC4132 */
+// Camellia ciphersuites from RFC4132
#define TLS1_CK_RSA_WITH_CAMELLIA_128_CBC_SHA 0x03000041
#define TLS1_CK_DH_DSS_WITH_CAMELLIA_128_CBC_SHA 0x03000042
#define TLS1_CK_DH_RSA_WITH_CAMELLIA_128_CBC_SHA 0x03000043
@@ -306,7 +306,7 @@
#define TLS1_CK_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA 0x03000045
#define TLS1_CK_ADH_WITH_CAMELLIA_128_CBC_SHA 0x03000046
-/* TLS v1.2 ciphersuites */
+// TLS v1.2 ciphersuites
#define TLS1_CK_DHE_RSA_WITH_AES_128_SHA256 0x03000067
#define TLS1_CK_DH_DSS_WITH_AES_256_SHA256 0x03000068
#define TLS1_CK_DH_RSA_WITH_AES_256_SHA256 0x03000069
@@ -315,7 +315,7 @@
#define TLS1_CK_ADH_WITH_AES_128_SHA256 0x0300006C
#define TLS1_CK_ADH_WITH_AES_256_SHA256 0x0300006D
-/* Camellia ciphersuites from RFC4132 */
+// Camellia ciphersuites from RFC4132
#define TLS1_CK_RSA_WITH_CAMELLIA_256_CBC_SHA 0x03000084
#define TLS1_CK_DH_DSS_WITH_CAMELLIA_256_CBC_SHA 0x03000085
#define TLS1_CK_DH_RSA_WITH_CAMELLIA_256_CBC_SHA 0x03000086
@@ -323,7 +323,7 @@
#define TLS1_CK_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA 0x03000088
#define TLS1_CK_ADH_WITH_CAMELLIA_256_CBC_SHA 0x03000089
-/* SEED ciphersuites from RFC4162 */
+// SEED ciphersuites from RFC4162
#define TLS1_CK_RSA_WITH_SEED_SHA 0x03000096
#define TLS1_CK_DH_DSS_WITH_SEED_SHA 0x03000097
#define TLS1_CK_DH_RSA_WITH_SEED_SHA 0x03000098
@@ -331,7 +331,7 @@
#define TLS1_CK_DHE_RSA_WITH_SEED_SHA 0x0300009A
#define TLS1_CK_ADH_WITH_SEED_SHA 0x0300009B
-/* TLS v1.2 GCM ciphersuites from RFC5288 */
+// TLS v1.2 GCM ciphersuites from RFC5288
#define TLS1_CK_RSA_WITH_AES_128_GCM_SHA256 0x0300009C
#define TLS1_CK_RSA_WITH_AES_256_GCM_SHA384 0x0300009D
#define TLS1_CK_DHE_RSA_WITH_AES_128_GCM_SHA256 0x0300009E
@@ -345,7 +345,7 @@
#define TLS1_CK_ADH_WITH_AES_128_GCM_SHA256 0x030000A6
#define TLS1_CK_ADH_WITH_AES_256_GCM_SHA384 0x030000A7
-/* ECC ciphersuites from RFC4492 */
+// ECC ciphersuites from RFC4492
#define TLS1_CK_ECDH_ECDSA_WITH_NULL_SHA 0x0300C001
#define TLS1_CK_ECDH_ECDSA_WITH_RC4_128_SHA 0x0300C002
#define TLS1_CK_ECDH_ECDSA_WITH_DES_192_CBC3_SHA 0x0300C003
@@ -376,7 +376,7 @@
#define TLS1_CK_ECDH_anon_WITH_AES_128_CBC_SHA 0x0300C018
#define TLS1_CK_ECDH_anon_WITH_AES_256_CBC_SHA 0x0300C019
-/* SRP ciphersuites from RFC 5054 */
+// SRP ciphersuites from RFC 5054
#define TLS1_CK_SRP_SHA_WITH_3DES_EDE_CBC_SHA 0x0300C01A
#define TLS1_CK_SRP_SHA_RSA_WITH_3DES_EDE_CBC_SHA 0x0300C01B
#define TLS1_CK_SRP_SHA_DSS_WITH_3DES_EDE_CBC_SHA 0x0300C01C
@@ -387,7 +387,7 @@
#define TLS1_CK_SRP_SHA_RSA_WITH_AES_256_CBC_SHA 0x0300C021
#define TLS1_CK_SRP_SHA_DSS_WITH_AES_256_CBC_SHA 0x0300C022
-/* ECDH HMAC based ciphersuites from RFC5289 */
+// ECDH HMAC based ciphersuites from RFC5289
#define TLS1_CK_ECDHE_ECDSA_WITH_AES_128_SHA256 0x0300C023
#define TLS1_CK_ECDHE_ECDSA_WITH_AES_256_SHA384 0x0300C024
@@ -398,7 +398,7 @@
#define TLS1_CK_ECDH_RSA_WITH_AES_128_SHA256 0x0300C029
#define TLS1_CK_ECDH_RSA_WITH_AES_256_SHA384 0x0300C02A
-/* ECDH GCM based ciphersuites from RFC5289 */
+// ECDH GCM based ciphersuites from RFC5289
#define TLS1_CK_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 0x0300C02B
#define TLS1_CK_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 0x0300C02C
#define TLS1_CK_ECDH_ECDSA_WITH_AES_128_GCM_SHA256 0x0300C02D
@@ -408,23 +408,23 @@
#define TLS1_CK_ECDH_RSA_WITH_AES_128_GCM_SHA256 0x0300C031
#define TLS1_CK_ECDH_RSA_WITH_AES_256_GCM_SHA384 0x0300C032
-/* ChaCha20-Poly1305 cipher suites from RFC 7905. */
+// ChaCha20-Poly1305 cipher suites from RFC 7905.
#define TLS1_CK_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256 0x0300CCA8
#define TLS1_CK_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256 0x0300CCA9
#define TLS1_CK_ECDHE_PSK_WITH_CHACHA20_POLY1305_SHA256 0x0300CCAC
-/* TLS 1.3 ciphersuites from draft-ietf-tls-tls13-16 */
+// TLS 1.3 ciphersuites from draft-ietf-tls-tls13-16
#define TLS1_CK_AES_128_GCM_SHA256 0x03001301
#define TLS1_CK_AES_256_GCM_SHA384 0x03001302
#define TLS1_CK_CHACHA20_POLY1305_SHA256 0x03001303
-/* XXX
- * Inconsistency alert:
- * The OpenSSL names of ciphers with ephemeral DH here include the string
- * "DHE", while elsewhere it has always been "EDH".
- * (The alias for the list of all such ciphers also is "EDH".)
- * The specifications speak of "EDH"; maybe we should allow both forms
- * for everything. */
+// XXX
+// Inconsistency alert:
+// The OpenSSL names of ciphers with ephemeral DH here include the string
+// "DHE", while elsewhere it has always been "EDH".
+// (The alias for the list of all such ciphers also is "EDH".)
+// The specifications speak of "EDH"; maybe we should allow both forms
+// for everything.
#define TLS1_TXT_RSA_EXPORT1024_WITH_RC4_56_MD5 "EXP1024-RC4-MD5"
#define TLS1_TXT_RSA_EXPORT1024_WITH_RC2_CBC_56_MD5 "EXP1024-RC2-CBC-MD5"
#define TLS1_TXT_RSA_EXPORT1024_WITH_DES_CBC_SHA "EXP1024-DES-CBC-SHA"
@@ -434,7 +434,7 @@
#define TLS1_TXT_DHE_DSS_EXPORT1024_WITH_RC4_56_SHA "EXP1024-DHE-DSS-RC4-SHA"
#define TLS1_TXT_DHE_DSS_WITH_RC4_128_SHA "DHE-DSS-RC4-SHA"
-/* AES ciphersuites from RFC3268 */
+// AES ciphersuites from RFC3268
#define TLS1_TXT_RSA_WITH_AES_128_SHA "AES128-SHA"
#define TLS1_TXT_DH_DSS_WITH_AES_128_SHA "DH-DSS-AES128-SHA"
#define TLS1_TXT_DH_RSA_WITH_AES_128_SHA "DH-RSA-AES128-SHA"
@@ -449,7 +449,7 @@
#define TLS1_TXT_DHE_RSA_WITH_AES_256_SHA "DHE-RSA-AES256-SHA"
#define TLS1_TXT_ADH_WITH_AES_256_SHA "ADH-AES256-SHA"
-/* ECC ciphersuites from RFC4492 */
+// ECC ciphersuites from RFC4492
#define TLS1_TXT_ECDH_ECDSA_WITH_NULL_SHA "ECDH-ECDSA-NULL-SHA"
#define TLS1_TXT_ECDH_ECDSA_WITH_RC4_128_SHA "ECDH-ECDSA-RC4-SHA"
#define TLS1_TXT_ECDH_ECDSA_WITH_DES_192_CBC3_SHA "ECDH-ECDSA-DES-CBC3-SHA"
@@ -480,17 +480,17 @@
#define TLS1_TXT_ECDH_anon_WITH_AES_128_CBC_SHA "AECDH-AES128-SHA"
#define TLS1_TXT_ECDH_anon_WITH_AES_256_CBC_SHA "AECDH-AES256-SHA"
-/* PSK ciphersuites from RFC 4279 */
+// PSK ciphersuites from RFC 4279
#define TLS1_TXT_PSK_WITH_RC4_128_SHA "PSK-RC4-SHA"
#define TLS1_TXT_PSK_WITH_3DES_EDE_CBC_SHA "PSK-3DES-EDE-CBC-SHA"
#define TLS1_TXT_PSK_WITH_AES_128_CBC_SHA "PSK-AES128-CBC-SHA"
#define TLS1_TXT_PSK_WITH_AES_256_CBC_SHA "PSK-AES256-CBC-SHA"
-/* PSK ciphersuites from RFC 5489 */
+// PSK ciphersuites from RFC 5489
#define TLS1_TXT_ECDHE_PSK_WITH_AES_128_CBC_SHA "ECDHE-PSK-AES128-CBC-SHA"
#define TLS1_TXT_ECDHE_PSK_WITH_AES_256_CBC_SHA "ECDHE-PSK-AES256-CBC-SHA"
-/* SRP ciphersuite from RFC 5054 */
+// SRP ciphersuite from RFC 5054
#define TLS1_TXT_SRP_SHA_WITH_3DES_EDE_CBC_SHA "SRP-3DES-EDE-CBC-SHA"
#define TLS1_TXT_SRP_SHA_RSA_WITH_3DES_EDE_CBC_SHA "SRP-RSA-3DES-EDE-CBC-SHA"
#define TLS1_TXT_SRP_SHA_DSS_WITH_3DES_EDE_CBC_SHA "SRP-DSS-3DES-EDE-CBC-SHA"
@@ -501,7 +501,7 @@
#define TLS1_TXT_SRP_SHA_RSA_WITH_AES_256_CBC_SHA "SRP-RSA-AES-256-CBC-SHA"
#define TLS1_TXT_SRP_SHA_DSS_WITH_AES_256_CBC_SHA "SRP-DSS-AES-256-CBC-SHA"
-/* Camellia ciphersuites from RFC4132 */
+// Camellia ciphersuites from RFC4132
#define TLS1_TXT_RSA_WITH_CAMELLIA_128_CBC_SHA "CAMELLIA128-SHA"
#define TLS1_TXT_DH_DSS_WITH_CAMELLIA_128_CBC_SHA "DH-DSS-CAMELLIA128-SHA"
#define TLS1_TXT_DH_RSA_WITH_CAMELLIA_128_CBC_SHA "DH-RSA-CAMELLIA128-SHA"
@@ -516,7 +516,7 @@
#define TLS1_TXT_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA "DHE-RSA-CAMELLIA256-SHA"
#define TLS1_TXT_ADH_WITH_CAMELLIA_256_CBC_SHA "ADH-CAMELLIA256-SHA"
-/* SEED ciphersuites from RFC4162 */
+// SEED ciphersuites from RFC4162
#define TLS1_TXT_RSA_WITH_SEED_SHA "SEED-SHA"
#define TLS1_TXT_DH_DSS_WITH_SEED_SHA "DH-DSS-SEED-SHA"
#define TLS1_TXT_DH_RSA_WITH_SEED_SHA "DH-RSA-SEED-SHA"
@@ -524,7 +524,7 @@
#define TLS1_TXT_DHE_RSA_WITH_SEED_SHA "DHE-RSA-SEED-SHA"
#define TLS1_TXT_ADH_WITH_SEED_SHA "ADH-SEED-SHA"
-/* TLS v1.2 ciphersuites */
+// TLS v1.2 ciphersuites
#define TLS1_TXT_RSA_WITH_NULL_SHA256 "NULL-SHA256"
#define TLS1_TXT_RSA_WITH_AES_128_SHA256 "AES128-SHA256"
#define TLS1_TXT_RSA_WITH_AES_256_SHA256 "AES256-SHA256"
@@ -539,7 +539,7 @@
#define TLS1_TXT_ADH_WITH_AES_128_SHA256 "ADH-AES128-SHA256"
#define TLS1_TXT_ADH_WITH_AES_256_SHA256 "ADH-AES256-SHA256"
-/* TLS v1.2 GCM ciphersuites from RFC5288 */
+// TLS v1.2 GCM ciphersuites from RFC5288
#define TLS1_TXT_RSA_WITH_AES_128_GCM_SHA256 "AES128-GCM-SHA256"
#define TLS1_TXT_RSA_WITH_AES_256_GCM_SHA384 "AES256-GCM-SHA384"
#define TLS1_TXT_DHE_RSA_WITH_AES_128_GCM_SHA256 "DHE-RSA-AES128-GCM-SHA256"
@@ -553,7 +553,7 @@
#define TLS1_TXT_ADH_WITH_AES_128_GCM_SHA256 "ADH-AES128-GCM-SHA256"
#define TLS1_TXT_ADH_WITH_AES_256_GCM_SHA384 "ADH-AES256-GCM-SHA384"
-/* ECDH HMAC based ciphersuites from RFC5289 */
+// ECDH HMAC based ciphersuites from RFC5289
#define TLS1_TXT_ECDHE_ECDSA_WITH_AES_128_SHA256 "ECDHE-ECDSA-AES128-SHA256"
#define TLS1_TXT_ECDHE_ECDSA_WITH_AES_256_SHA384 "ECDHE-ECDSA-AES256-SHA384"
@@ -564,7 +564,7 @@
#define TLS1_TXT_ECDH_RSA_WITH_AES_128_SHA256 "ECDH-RSA-AES128-SHA256"
#define TLS1_TXT_ECDH_RSA_WITH_AES_256_SHA384 "ECDH-RSA-AES256-SHA384"
-/* ECDH GCM based ciphersuites from RFC5289 */
+// ECDH GCM based ciphersuites from RFC5289
#define TLS1_TXT_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 \
"ECDHE-ECDSA-AES128-GCM-SHA256"
#define TLS1_TXT_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 \
@@ -585,7 +585,7 @@
#define TLS1_TXT_ECDHE_PSK_WITH_CHACHA20_POLY1305_SHA256 \
"ECDHE-PSK-CHACHA20-POLY1305"
-/* TLS 1.3 ciphersuites from draft-ietf-tls-tls13-16 */
+// TLS 1.3 ciphersuites from draft-ietf-tls-tls13-16
#define TLS1_TXT_AES_128_GCM_SHA256 "AEAD-AES128-GCM-SHA256"
#define TLS1_TXT_AES_256_GCM_SHA384 "AEAD-AES256-GCM-SHA384"
#define TLS1_TXT_CHACHA20_POLY1305_SHA256 "AEAD-CHACHA20-POLY1305-SHA256"
@@ -619,7 +619,7 @@
#ifdef __cplusplus
-} /* extern C */
+} // extern C
#endif
-#endif /* OPENSSL_HEADER_TLS1_H */
+#endif // OPENSSL_HEADER_TLS1_H
diff --git a/src/include/openssl/type_check.h b/src/include/openssl/type_check.h
index a6f8284..da78d70 100644
--- a/src/include/openssl/type_check.h
+++ b/src/include/openssl/type_check.h
@@ -64,16 +64,16 @@
#endif
-/* This header file contains some common macros for enforcing type checking.
- * Several, common OpenSSL structures (i.e. stack and lhash) operate on void
- * pointers, but we wish to have type checking when they are used with a
- * specific type. */
+// This header file contains some common macros for enforcing type checking.
+// Several, common OpenSSL structures (i.e. stack and lhash) operate on void
+// pointers, but we wish to have type checking when they are used with a
+// specific type.
-/* CHECKED_CAST casts |p| from type |from| to type |to|. */
+// CHECKED_CAST casts |p| from type |from| to type |to|.
#define CHECKED_CAST(to, from, p) ((to) (1 ? (p) : (from)0))
-/* CHECKED_PTR_OF casts a given pointer to void* and statically checks that it
- * was a pointer to |type|. */
+// CHECKED_PTR_OF casts a given pointer to void* and statically checks that it
+// was a pointer to |type|.
#define CHECKED_PTR_OF(type, p) CHECKED_CAST(void*, type*, (p))
#if defined(__STDC_VERSION__) && __STDC_VERSION__ >= 201112L
@@ -85,7 +85,7 @@
#if defined(__cplusplus)
-} /* extern C */
+} // extern C
#endif
-#endif /* OPENSSL_HEADER_TYPE_CHECK_H */
+#endif // OPENSSL_HEADER_TYPE_CHECK_H
diff --git a/src/infra/config/cq.cfg b/src/infra/config/cq.cfg
index 4f6ea47..c657250 100644
--- a/src/infra/config/cq.cfg
+++ b/src/infra/config/cq.cfg
@@ -54,6 +54,7 @@
builders { name: "win64_rel" }
builders { name: "win64_small" }
+
builders { name: "linux_fips" }
builders { name: "linux_fips_rel" }
builders { name: "linux_fips_clang" }
diff --git a/src/ssl/custom_extensions.cc b/src/ssl/custom_extensions.cc
index d86bd48..dff7041 100644
--- a/src/ssl/custom_extensions.cc
+++ b/src/ssl/custom_extensions.cc
@@ -71,14 +71,6 @@
return 1;
}
- if (ssl->cert->enable_early_data) {
- /* TODO(svaldez): Support Custom Extensions with 0-RTT. For now the caller
- * is expected not to configure both together.
- * https://crbug.com/boringssl/173. */
- OPENSSL_PUT_ERROR(SSL, SSL_R_CUSTOM_EXTENSION_ERROR);
- return 0;
- }
-
for (size_t i = 0; i < sk_SSL_CUSTOM_EXTENSION_num(stack); i++) {
const SSL_CUSTOM_EXTENSION *ext = sk_SSL_CUSTOM_EXTENSION_value(stack, i);
diff --git a/src/ssl/d1_both.cc b/src/ssl/d1_both.cc
index 2538d28..71a7161 100644
--- a/src/ssl/d1_both.cc
+++ b/src/ssl/d1_both.cc
@@ -444,6 +444,11 @@
ssl->d1->incoming_messages[index] = NULL;
ssl->d1->handshake_read_seq++;
ssl->s3->has_message = 0;
+ /* If we previously sent a flight, mark it as having a reply, so
+ * |on_handshake_complete| can manage post-handshake retransmission. */
+ if (ssl->d1->outgoing_messages_complete) {
+ ssl->d1->flight_has_reply = true;
+ }
}
void dtls_clear_incoming_messages(SSL *ssl) {
@@ -509,6 +514,7 @@
ssl->d1->outgoing_written = 0;
ssl->d1->outgoing_offset = 0;
ssl->d1->outgoing_messages_complete = false;
+ ssl->d1->flight_has_reply = false;
}
int dtls1_init_message(SSL *ssl, CBB *cbb, CBB *body, uint8_t type) {
diff --git a/src/ssl/dtls_method.cc b/src/ssl/dtls_method.cc
index 9189427..1f95970 100644
--- a/src/ssl/dtls_method.cc
+++ b/src/ssl/dtls_method.cc
@@ -73,10 +73,13 @@
}
static void dtls1_on_handshake_complete(SSL *ssl) {
- /* If we wrote the last flight, we'll have a timer left over without waiting
- * for a read. Stop the timer but leave the flight around for post-handshake
- * transmission logic. */
+ /* Stop the reply timer left by the last flight we sent. */
dtls1_stop_timer(ssl);
+ /* If the final flight had a reply, we know the peer has received it. If not,
+ * we must leave the flight around for post-handshake retransmission. */
+ if (ssl->d1->flight_has_reply) {
+ dtls_clear_outgoing_messages(ssl);
+ }
}
static int dtls1_set_read_state(SSL *ssl, UniquePtr<SSLAEADContext> aead_ctx) {
diff --git a/src/ssl/handshake_client.cc b/src/ssl/handshake_client.cc
index dd09797..f018c0e 100644
--- a/src/ssl/handshake_client.cc
+++ b/src/ssl/handshake_client.cc
@@ -508,7 +508,10 @@
ret = -1;
goto end;
}
- ssl->s3->established_session->not_resumable = 0;
+ /* Renegotiations do not participate in session resumption. */
+ if (!ssl->s3->initial_handshake_complete) {
+ ssl->s3->established_session->not_resumable = 0;
+ }
hs->new_session.reset();
}
@@ -517,12 +520,8 @@
break;
case SSL_ST_OK: {
- const int is_initial_handshake = !ssl->s3->initial_handshake_complete;
ssl->s3->initial_handshake_complete = 1;
- if (is_initial_handshake) {
- /* Renegotiations do not participate in session resumption. */
- ssl_update_cache(hs, SSL_SESS_CACHE_CLIENT);
- }
+ ssl_update_cache(hs, SSL_SESS_CACHE_CLIENT);
ret = 1;
ssl_do_info_callback(ssl, SSL_CB_HANDSHAKE_DONE, 1);
@@ -1101,33 +1100,6 @@
return -1;
}
- /* Disallow the server certificate from changing during a renegotiation. See
- * https://mitls.org/pages/attacks/3SHAKE. We never resume on renegotiation,
- * so this check is sufficient. */
- if (ssl->s3->established_session != NULL) {
- if (sk_CRYPTO_BUFFER_num(ssl->s3->established_session->certs) !=
- sk_CRYPTO_BUFFER_num(hs->new_session->certs)) {
- OPENSSL_PUT_ERROR(SSL, SSL_R_SERVER_CERT_CHANGED);
- ssl3_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_ILLEGAL_PARAMETER);
- return -1;
- }
-
- for (size_t i = 0; i < sk_CRYPTO_BUFFER_num(hs->new_session->certs); i++) {
- const CRYPTO_BUFFER *old_cert =
- sk_CRYPTO_BUFFER_value(ssl->s3->established_session->certs, i);
- const CRYPTO_BUFFER *new_cert =
- sk_CRYPTO_BUFFER_value(hs->new_session->certs, i);
- if (CRYPTO_BUFFER_len(old_cert) != CRYPTO_BUFFER_len(new_cert) ||
- OPENSSL_memcmp(CRYPTO_BUFFER_data(old_cert),
- CRYPTO_BUFFER_data(new_cert),
- CRYPTO_BUFFER_len(old_cert)) != 0) {
- OPENSSL_PUT_ERROR(SSL, SSL_R_SERVER_CERT_CHANGED);
- ssl3_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_ILLEGAL_PARAMETER);
- return -1;
- }
- }
- }
-
ssl->method->next_message(ssl);
return 1;
}
@@ -1162,9 +1134,10 @@
return -1;
}
- if (!CBS_stow(&ocsp_response, &hs->new_session->ocsp_response,
- &hs->new_session->ocsp_response_length)) {
- OPENSSL_PUT_ERROR(SSL, ERR_R_MALLOC_FAILURE);
+ CRYPTO_BUFFER_free(hs->new_session->ocsp_response);
+ hs->new_session->ocsp_response =
+ CRYPTO_BUFFER_new_from_CBS(&ocsp_response, ssl->ctx->pool);
+ if (hs->new_session->ocsp_response == nullptr) {
ssl3_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_INTERNAL_ERROR);
return -1;
}
diff --git a/src/ssl/internal.h b/src/ssl/internal.h
index 931ac82..b9c3998 100644
--- a/src/ssl/internal.h
+++ b/src/ssl/internal.h
@@ -1249,6 +1249,8 @@
unsigned received_hello_retry_request:1;
+ unsigned received_custom_extension:1;
+
/* accept_psk_mode stores whether the client's PSK mode is compatible with our
* preferences. */
unsigned accept_psk_mode:1;
@@ -1334,6 +1336,11 @@
enum ssl_hs_wait_t tls13_client_handshake(SSL_HANDSHAKE *hs);
enum ssl_hs_wait_t tls13_server_handshake(SSL_HANDSHAKE *hs);
+/* The following functions return human-readable representations of the TLS 1.3
+ * handshake states for debugging. */
+const char *tls13_client_handshake_state(SSL_HANDSHAKE *hs);
+const char *tls13_server_handshake_state(SSL_HANDSHAKE *hs);
+
/* tls13_post_handshake processes a post-handshake message. It returns one on
* success and zero on failure. */
int tls13_post_handshake(SSL *ssl, const SSLMessage &msg);
@@ -1824,6 +1831,11 @@
* |add_change_cipher_spec| will start a new flight. */
bool outgoing_messages_complete:1;
+ /* flight_has_reply is true if the current outgoing flight is complete and has
+ * processed at least one message. This is used to detect whether we or the
+ * peer sent the final flight. */
+ bool flight_has_reply:1;
+
uint8_t cookie[DTLS1_COOKIE_LENGTH];
size_t cookie_len;
@@ -2064,6 +2076,7 @@
int ssl_cert_check_private_key(const CERT *cert, const EVP_PKEY *privkey);
int ssl_get_new_session(SSL_HANDSHAKE *hs, int is_server);
int ssl_encrypt_ticket(SSL *ssl, CBB *out, const SSL_SESSION *session);
+int ssl_ctx_rotate_ticket_encryption_key(SSL_CTX *ctx);
/* ssl_session_new returns a newly-allocated blank |SSL_SESSION| or nullptr on
* error. */
@@ -2326,6 +2339,8 @@
int ssl_can_read(const SSL *ssl);
void ssl_get_current_time(const SSL *ssl, struct OPENSSL_timeval *out_clock);
+void ssl_ctx_get_current_time(const SSL_CTX *ctx,
+ struct OPENSSL_timeval *out_clock);
/* ssl_reset_error_state resets state for |SSL_get_error|. */
void ssl_reset_error_state(SSL *ssl);
diff --git a/src/ssl/s3_both.cc b/src/ssl/s3_both.cc
index 9c4aa7f..f51af69 100644
--- a/src/ssl/s3_both.cc
+++ b/src/ssl/s3_both.cc
@@ -137,6 +137,7 @@
scts_requested(0),
needs_psk_binder(0),
received_hello_retry_request(0),
+ received_custom_extension(0),
accept_psk_mode(0),
cert_request(0),
certificate_status_expected(0),
@@ -851,8 +852,59 @@
return 1;
}
+static void set_crypto_buffer(CRYPTO_BUFFER **dest, CRYPTO_BUFFER *src) {
+ /* TODO(davidben): Remove this helper once |SSL_SESSION| can use |UniquePtr|
+ * and |UniquePtr| has up_ref helpers. */
+ CRYPTO_BUFFER_free(*dest);
+ *dest = src;
+ if (src != nullptr) {
+ CRYPTO_BUFFER_up_ref(src);
+ }
+}
+
enum ssl_verify_result_t ssl_verify_peer_cert(SSL_HANDSHAKE *hs) {
SSL *const ssl = hs->ssl;
+ const SSL_SESSION *prev_session = ssl->s3->established_session;
+ if (prev_session != NULL) {
+ /* If renegotiating, the server must not change the server certificate. See
+ * https://mitls.org/pages/attacks/3SHAKE. We never resume on renegotiation,
+ * so this check is sufficient to ensure the reported peer certificate never
+ * changes on renegotiation. */
+ assert(!ssl->server);
+ if (sk_CRYPTO_BUFFER_num(prev_session->certs) !=
+ sk_CRYPTO_BUFFER_num(hs->new_session->certs)) {
+ OPENSSL_PUT_ERROR(SSL, SSL_R_SERVER_CERT_CHANGED);
+ ssl3_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_ILLEGAL_PARAMETER);
+ return ssl_verify_invalid;
+ }
+
+ for (size_t i = 0; i < sk_CRYPTO_BUFFER_num(hs->new_session->certs); i++) {
+ const CRYPTO_BUFFER *old_cert =
+ sk_CRYPTO_BUFFER_value(prev_session->certs, i);
+ const CRYPTO_BUFFER *new_cert =
+ sk_CRYPTO_BUFFER_value(hs->new_session->certs, i);
+ if (CRYPTO_BUFFER_len(old_cert) != CRYPTO_BUFFER_len(new_cert) ||
+ OPENSSL_memcmp(CRYPTO_BUFFER_data(old_cert),
+ CRYPTO_BUFFER_data(new_cert),
+ CRYPTO_BUFFER_len(old_cert)) != 0) {
+ OPENSSL_PUT_ERROR(SSL, SSL_R_SERVER_CERT_CHANGED);
+ ssl3_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_ILLEGAL_PARAMETER);
+ return ssl_verify_invalid;
+ }
+ }
+
+ /* The certificate is identical, so we may skip re-verifying the
+ * certificate. Since we only authenticated the previous one, copy other
+ * authentication from the established session and ignore what was newly
+ * received. */
+ set_crypto_buffer(&hs->new_session->ocsp_response,
+ prev_session->ocsp_response);
+ set_crypto_buffer(&hs->new_session->signed_cert_timestamp_list,
+ prev_session->signed_cert_timestamp_list);
+ hs->new_session->verify_result = prev_session->verify_result;
+ return ssl_verify_ok;
+ }
+
uint8_t alert = SSL_AD_CERTIFICATE_UNKNOWN;
enum ssl_verify_result_t ret;
if (ssl->custom_verify_callback != nullptr) {
diff --git a/src/ssl/ssl_asn1.cc b/src/ssl/ssl_asn1.cc
index 0cf90d1..b87c795 100644
--- a/src/ssl/ssl_asn1.cc
+++ b/src/ssl/ssl_asn1.cc
@@ -311,20 +311,22 @@
}
}
- if (in->tlsext_signed_cert_timestamp_list_length > 0) {
+ if (in->signed_cert_timestamp_list != nullptr) {
if (!CBB_add_asn1(&session, &child, kSignedCertTimestampListTag) ||
!CBB_add_asn1(&child, &child2, CBS_ASN1_OCTETSTRING) ||
- !CBB_add_bytes(&child2, in->tlsext_signed_cert_timestamp_list,
- in->tlsext_signed_cert_timestamp_list_length)) {
+ !CBB_add_bytes(&child2,
+ CRYPTO_BUFFER_data(in->signed_cert_timestamp_list),
+ CRYPTO_BUFFER_len(in->signed_cert_timestamp_list))) {
OPENSSL_PUT_ERROR(SSL, ERR_R_MALLOC_FAILURE);
return 0;
}
}
- if (in->ocsp_response_length > 0) {
+ if (in->ocsp_response != nullptr) {
if (!CBB_add_asn1(&session, &child, kOCSPResponseTag) ||
!CBB_add_asn1(&child, &child2, CBS_ASN1_OCTETSTRING) ||
- !CBB_add_bytes(&child2, in->ocsp_response, in->ocsp_response_length)) {
+ !CBB_add_bytes(&child2, CRYPTO_BUFFER_data(in->ocsp_response),
+ CRYPTO_BUFFER_len(in->ocsp_response))) {
OPENSSL_PUT_ERROR(SSL, ERR_R_MALLOC_FAILURE);
return 0;
}
@@ -470,6 +472,29 @@
return 1;
}
+static int SSL_SESSION_parse_crypto_buffer(CBS *cbs, CRYPTO_BUFFER **out,
+ unsigned tag,
+ CRYPTO_BUFFER_POOL *pool) {
+ if (!CBS_peek_asn1_tag(cbs, tag)) {
+ return 1;
+ }
+
+ CBS child, value;
+ if (!CBS_get_asn1(cbs, &child, tag) ||
+ !CBS_get_asn1(&child, &value, CBS_ASN1_OCTETSTRING) ||
+ CBS_len(&child) != 0) {
+ OPENSSL_PUT_ERROR(SSL, SSL_R_INVALID_SSL_SESSION);
+ return 0;
+ }
+ CRYPTO_BUFFER_free(*out);
+ *out = CRYPTO_BUFFER_new_from_CBS(&value, pool);
+ if (*out == nullptr) {
+ OPENSSL_PUT_ERROR(SSL, ERR_R_MALLOC_FAILURE);
+ return 0;
+ }
+ return 1;
+}
+
/* SSL_SESSION_parse_bounded_octet_string parses an optional ASN.1 OCTET STRING
* explicitly tagged with |tag| of size at most |max_out|. */
static int SSL_SESSION_parse_bounded_octet_string(
@@ -635,13 +660,11 @@
&session, ret->original_handshake_hash,
&ret->original_handshake_hash_len,
sizeof(ret->original_handshake_hash), kOriginalHandshakeHashTag) ||
- !SSL_SESSION_parse_octet_string(
- &session, &ret->tlsext_signed_cert_timestamp_list,
- &ret->tlsext_signed_cert_timestamp_list_length,
- kSignedCertTimestampListTag) ||
- !SSL_SESSION_parse_octet_string(
- &session, &ret->ocsp_response, &ret->ocsp_response_length,
- kOCSPResponseTag)) {
+ !SSL_SESSION_parse_crypto_buffer(&session,
+ &ret->signed_cert_timestamp_list,
+ kSignedCertTimestampListTag, pool) ||
+ !SSL_SESSION_parse_crypto_buffer(&session, &ret->ocsp_response,
+ kOCSPResponseTag, pool)) {
return nullptr;
}
diff --git a/src/ssl/ssl_lib.cc b/src/ssl/ssl_lib.cc
index 10128d8..9ecd7df 100644
--- a/src/ssl/ssl_lib.cc
+++ b/src/ssl/ssl_lib.cc
@@ -218,6 +218,7 @@
SSL_CTX *ctx = ssl->session_ctx;
/* Never cache sessions with empty session IDs. */
if (ssl->s3->established_session->session_id_length == 0 ||
+ ssl->s3->established_session->not_resumable ||
(ctx->session_cache_mode & mode) != mode) {
return;
}
@@ -357,11 +358,18 @@
}
void ssl_get_current_time(const SSL *ssl, struct OPENSSL_timeval *out_clock) {
- if (ssl->ctx->current_time_cb != NULL) {
+ /* TODO(martinkr): Change callers to |ssl_ctx_get_current_time| and drop the
+ * |ssl| arg from |current_time_cb| if possible. */
+ ssl_ctx_get_current_time(ssl->ctx, out_clock);
+}
+
+void ssl_ctx_get_current_time(const SSL_CTX *ctx,
+ struct OPENSSL_timeval *out_clock) {
+ if (ctx->current_time_cb != NULL) {
/* TODO(davidben): Update current_time_cb to use OPENSSL_timeval. See
* https://crbug.com/boringssl/155. */
struct timeval clock;
- ssl->ctx->current_time_cb(ssl, &clock);
+ ctx->current_time_cb(nullptr /* ssl */, &clock);
if (clock.tv_sec < 0) {
assert(0);
out_clock->tv_sec = 0;
@@ -503,13 +511,6 @@
ret->max_send_fragment = SSL3_RT_MAX_PLAIN_LENGTH;
- /* Setup RFC4507 ticket keys */
- if (!RAND_bytes(ret->tlsext_tick_key_name, 16) ||
- !RAND_bytes(ret->tlsext_tick_hmac_key, 16) ||
- !RAND_bytes(ret->tlsext_tick_aes_key, 16)) {
- ret->options |= SSL_OP_NO_TICKET;
- }
-
/* Disable the auto-chaining feature by default. Once this has stuck without
* problems, the feature will be removed entirely. */
ret->mode = SSL_MODE_NO_AUTO_CHAIN;
@@ -571,6 +572,8 @@
OPENSSL_free(ctx->alpn_client_proto_list);
EVP_PKEY_free(ctx->tlsext_channel_id_private);
OPENSSL_free(ctx->verify_sigalgs);
+ OPENSSL_free(ctx->tlsext_ticket_key_current);
+ OPENSSL_free(ctx->tlsext_ticket_key_prev);
OPENSSL_free(ctx);
}
@@ -1587,10 +1590,18 @@
OPENSSL_PUT_ERROR(SSL, SSL_R_INVALID_TICKET_KEYS_LENGTH);
return 0;
}
+
+ /* The default ticket keys are initialized lazily. Trigger a key
+ * rotation to initialize them. */
+ if (!ssl_ctx_rotate_ticket_encryption_key(ctx)) {
+ return 0;
+ }
+
uint8_t *out_bytes = reinterpret_cast<uint8_t *>(out);
- OPENSSL_memcpy(out_bytes, ctx->tlsext_tick_key_name, 16);
- OPENSSL_memcpy(out_bytes + 16, ctx->tlsext_tick_hmac_key, 16);
- OPENSSL_memcpy(out_bytes + 32, ctx->tlsext_tick_aes_key, 16);
+ MutexReadLock lock(&ctx->lock);
+ OPENSSL_memcpy(out_bytes, ctx->tlsext_ticket_key_current->name, 16);
+ OPENSSL_memcpy(out_bytes + 16, ctx->tlsext_ticket_key_current->hmac_key, 16);
+ OPENSSL_memcpy(out_bytes + 32, ctx->tlsext_ticket_key_current->aes_key, 16);
return 1;
}
@@ -1602,10 +1613,22 @@
OPENSSL_PUT_ERROR(SSL, SSL_R_INVALID_TICKET_KEYS_LENGTH);
return 0;
}
+ if (!ctx->tlsext_ticket_key_current) {
+ ctx->tlsext_ticket_key_current =
+ (tlsext_ticket_key *)OPENSSL_malloc(sizeof(tlsext_ticket_key));
+ if (!ctx->tlsext_ticket_key_current) {
+ return 0;
+ }
+ }
+ OPENSSL_memset(ctx->tlsext_ticket_key_current, 0, sizeof(tlsext_ticket_key));
const uint8_t *in_bytes = reinterpret_cast<const uint8_t *>(in);
- OPENSSL_memcpy(ctx->tlsext_tick_key_name, in_bytes, 16);
- OPENSSL_memcpy(ctx->tlsext_tick_hmac_key, in_bytes + 16, 16);
- OPENSSL_memcpy(ctx->tlsext_tick_aes_key, in_bytes + 32, 16);
+ OPENSSL_memcpy(ctx->tlsext_ticket_key_current->name, in_bytes, 16);
+ OPENSSL_memcpy(ctx->tlsext_ticket_key_current->hmac_key, in_bytes + 16, 16);
+ OPENSSL_memcpy(ctx->tlsext_ticket_key_current->aes_key, in_bytes + 32, 16);
+ OPENSSL_free(ctx->tlsext_ticket_key_prev);
+ ctx->tlsext_ticket_key_prev = nullptr;
+ /* Disable automatic key rotation. */
+ ctx->tlsext_ticket_key_current->next_rotation_tv_sec = 0;
return 1;
}
@@ -1789,28 +1812,27 @@
void SSL_get0_signed_cert_timestamp_list(const SSL *ssl, const uint8_t **out,
size_t *out_len) {
SSL_SESSION *session = SSL_get_session(ssl);
-
- *out_len = 0;
- *out = NULL;
- if (ssl->server || !session || !session->tlsext_signed_cert_timestamp_list) {
+ if (ssl->server || !session || !session->signed_cert_timestamp_list) {
+ *out_len = 0;
+ *out = NULL;
return;
}
- *out = session->tlsext_signed_cert_timestamp_list;
- *out_len = session->tlsext_signed_cert_timestamp_list_length;
+ *out = CRYPTO_BUFFER_data(session->signed_cert_timestamp_list);
+ *out_len = CRYPTO_BUFFER_len(session->signed_cert_timestamp_list);
}
void SSL_get0_ocsp_response(const SSL *ssl, const uint8_t **out,
size_t *out_len) {
SSL_SESSION *session = SSL_get_session(ssl);
-
- *out_len = 0;
- *out = NULL;
if (ssl->server || !session || !session->ocsp_response) {
+ *out_len = 0;
+ *out = NULL;
return;
}
- *out = session->ocsp_response;
- *out_len = session->ocsp_response_length;
+
+ *out = CRYPTO_BUFFER_data(session->ocsp_response);
+ *out_len = CRYPTO_BUFFER_len(session->ocsp_response);
}
int SSL_set_tlsext_host_name(SSL *ssl, const char *name) {
diff --git a/src/ssl/ssl_session.cc b/src/ssl/ssl_session.cc
index a1c21dc..6bacc80 100644
--- a/src/ssl/ssl_session.cc
+++ b/src/ssl/ssl_session.cc
@@ -227,24 +227,15 @@
new_session->verify_result = session->verify_result;
- new_session->ocsp_response_length = session->ocsp_response_length;
if (session->ocsp_response != NULL) {
- new_session->ocsp_response = (uint8_t *)BUF_memdup(
- session->ocsp_response, session->ocsp_response_length);
- if (new_session->ocsp_response == NULL) {
- return nullptr;
- }
+ new_session->ocsp_response = session->ocsp_response;
+ CRYPTO_BUFFER_up_ref(new_session->ocsp_response);
}
- new_session->tlsext_signed_cert_timestamp_list_length =
- session->tlsext_signed_cert_timestamp_list_length;
- if (session->tlsext_signed_cert_timestamp_list != NULL) {
- new_session->tlsext_signed_cert_timestamp_list = (uint8_t *)BUF_memdup(
- session->tlsext_signed_cert_timestamp_list,
- session->tlsext_signed_cert_timestamp_list_length);
- if (new_session->tlsext_signed_cert_timestamp_list == NULL) {
- return nullptr;
- }
+ if (session->signed_cert_timestamp_list != NULL) {
+ new_session->signed_cert_timestamp_list =
+ session->signed_cert_timestamp_list;
+ CRYPTO_BUFFER_up_ref(new_session->signed_cert_timestamp_list);
}
OPENSSL_memcpy(new_session->peer_sha256, session->peer_sha256,
@@ -437,6 +428,59 @@
return 1;
}
+int ssl_ctx_rotate_ticket_encryption_key(SSL_CTX *ctx) {
+ OPENSSL_timeval now;
+ ssl_ctx_get_current_time(ctx, &now);
+ {
+ /* Avoid acquiring a write lock in the common case (i.e. a non-default key
+ * is used or the default keys have not expired yet). */
+ MutexReadLock lock(&ctx->lock);
+ if (ctx->tlsext_ticket_key_current &&
+ (ctx->tlsext_ticket_key_current->next_rotation_tv_sec == 0 ||
+ ctx->tlsext_ticket_key_current->next_rotation_tv_sec > now.tv_sec) &&
+ (!ctx->tlsext_ticket_key_prev ||
+ ctx->tlsext_ticket_key_prev->next_rotation_tv_sec > now.tv_sec)) {
+ return 1;
+ }
+ }
+
+ MutexWriteLock lock(&ctx->lock);
+ if (!ctx->tlsext_ticket_key_current ||
+ (ctx->tlsext_ticket_key_current->next_rotation_tv_sec != 0 &&
+ ctx->tlsext_ticket_key_current->next_rotation_tv_sec <= now.tv_sec)) {
+ /* The current key has not been initialized or it is expired. */
+ auto new_key = bssl::MakeUnique<struct tlsext_ticket_key>();
+ if (!new_key) {
+ return 0;
+ }
+ OPENSSL_memset(new_key.get(), 0, sizeof(struct tlsext_ticket_key));
+ if (ctx->tlsext_ticket_key_current) {
+ /* The current key expired. Rotate it to prev and bump up its rotation
+ * timestamp. Note that even with the new rotation time it may still be
+ * expired and get droppped below. */
+ ctx->tlsext_ticket_key_current->next_rotation_tv_sec +=
+ SSL_DEFAULT_TICKET_KEY_ROTATION_INTERVAL;
+ OPENSSL_free(ctx->tlsext_ticket_key_prev);
+ ctx->tlsext_ticket_key_prev = ctx->tlsext_ticket_key_current;
+ }
+ ctx->tlsext_ticket_key_current = new_key.release();
+ RAND_bytes(ctx->tlsext_ticket_key_current->name, 16);
+ RAND_bytes(ctx->tlsext_ticket_key_current->hmac_key, 16);
+ RAND_bytes(ctx->tlsext_ticket_key_current->aes_key, 16);
+ ctx->tlsext_ticket_key_current->next_rotation_tv_sec =
+ now.tv_sec + SSL_DEFAULT_TICKET_KEY_ROTATION_INTERVAL;
+ }
+
+ /* Drop an expired prev key. */
+ if (ctx->tlsext_ticket_key_prev &&
+ ctx->tlsext_ticket_key_prev->next_rotation_tv_sec <= now.tv_sec) {
+ OPENSSL_free(ctx->tlsext_ticket_key_prev);
+ ctx->tlsext_ticket_key_prev = nullptr;
+ }
+
+ return 1;
+}
+
static int ssl_encrypt_ticket_with_cipher_ctx(SSL *ssl, CBB *out,
const uint8_t *session_buf,
size_t session_len) {
@@ -464,14 +508,19 @@
return 0;
}
} else {
+ /* Rotate ticket key if necessary. */
+ if (!ssl_ctx_rotate_ticket_encryption_key(tctx)) {
+ return 0;
+ }
+ MutexReadLock lock(&tctx->lock);
if (!RAND_bytes(iv, 16) ||
!EVP_EncryptInit_ex(ctx.get(), EVP_aes_128_cbc(), NULL,
- tctx->tlsext_tick_aes_key, iv) ||
- !HMAC_Init_ex(hctx.get(), tctx->tlsext_tick_hmac_key, 16,
+ tctx->tlsext_ticket_key_current->aes_key, iv) ||
+ !HMAC_Init_ex(hctx.get(), tctx->tlsext_ticket_key_current->hmac_key, 16,
tlsext_tick_md(), NULL)) {
return 0;
}
- OPENSSL_memcpy(key_name, tctx->tlsext_tick_key_name, 16);
+ OPENSSL_memcpy(key_name, tctx->tlsext_ticket_key_current->name, 16);
}
uint8_t *ptr;
@@ -840,8 +889,8 @@
session->x509_method->session_clear(session);
OPENSSL_free(session->tlsext_hostname);
OPENSSL_free(session->tlsext_tick);
- OPENSSL_free(session->tlsext_signed_cert_timestamp_list);
- OPENSSL_free(session->ocsp_response);
+ CRYPTO_BUFFER_free(session->signed_cert_timestamp_list);
+ CRYPTO_BUFFER_free(session->ocsp_response);
OPENSSL_free(session->psk_identity);
OPENSSL_free(session->early_alpn);
OPENSSL_cleanse(session, sizeof(*session));
diff --git a/src/ssl/ssl_stat.cc b/src/ssl/ssl_stat.cc
index 56e4f2b..31cce4d 100644
--- a/src/ssl/ssl_stat.cc
+++ b/src/ssl/ssl_stat.cc
@@ -195,6 +195,10 @@
case DTLS1_ST_CR_HELLO_VERIFY_REQUEST_A:
return "DTLS1 read hello verify request A";
+ case SSL_ST_TLS13:
+ return ssl->server ? tls13_server_handshake_state(ssl->s3->hs)
+ : tls13_client_handshake_state(ssl->s3->hs);
+
default:
return "unknown state";
}
diff --git a/src/ssl/ssl_test.cc b/src/ssl/ssl_test.cc
index 898cd04..bc89202 100644
--- a/src/ssl/ssl_test.cc
+++ b/src/ssl/ssl_test.cc
@@ -49,6 +49,40 @@
#endif
+namespace bssl {
+
+namespace {
+
+#define TRACED_CALL(code) \
+ do { \
+ SCOPED_TRACE("<- called from here"); \
+ code; \
+ if (::testing::Test::HasFatalFailure()) { \
+ return; \
+ } \
+ } while (false)
+
+struct VersionParam {
+ uint16_t version;
+ enum { is_tls, is_dtls } ssl_method;
+ const char name[8];
+};
+
+static const size_t kTicketKeyLen = 48;
+
+static const VersionParam kAllVersions[] = {
+ {SSL3_VERSION, VersionParam::is_tls, "SSL3"},
+ {TLS1_VERSION, VersionParam::is_tls, "TLS1"},
+ {TLS1_1_VERSION, VersionParam::is_tls, "TLS1_1"},
+ {TLS1_2_VERSION, VersionParam::is_tls, "TLS1_2"},
+// TLS 1.3 requires RSA-PSS, which is disabled for Android system builds.
+#if !defined(BORINGSSL_ANDROID_SYSTEM)
+ {TLS1_3_VERSION, VersionParam::is_tls, "TLS1_3"},
+#endif
+ {DTLS1_VERSION, VersionParam::is_dtls, "DTLS1"},
+ {DTLS1_2_VERSION, VersionParam::is_dtls, "DTLS1_2"},
+};
+
struct ExpectedCipher {
unsigned long id;
int in_group_flag;
@@ -1473,148 +1507,130 @@
return true;
}
-static bool TestSequenceNumber(bool is_dtls, const SSL_METHOD *method,
- uint16_t version) {
- bssl::UniquePtr<SSL_CTX> client_ctx(SSL_CTX_new(method));
- bssl::UniquePtr<SSL_CTX> server_ctx(SSL_CTX_new(method));
- if (!server_ctx || !client_ctx ||
- !SSL_CTX_set_min_proto_version(client_ctx.get(), version) ||
- !SSL_CTX_set_max_proto_version(client_ctx.get(), version) ||
- !SSL_CTX_set_min_proto_version(server_ctx.get(), version) ||
- !SSL_CTX_set_max_proto_version(server_ctx.get(), version)) {
- return false;
+/* SSLVersionTest executes its test cases under all available protocol versions.
+ * Test cases call |Connect| to create a connection using context objects with
+ * the protocol version fixed to the current version under test. */
+class SSLVersionTest : public ::testing::TestWithParam<VersionParam> {
+ protected:
+ SSLVersionTest() : cert_(GetTestCertificate()), key_(GetTestKey()) {}
+
+ void SetUp() { ResetContexts(); }
+
+ bssl::UniquePtr<SSL_CTX> CreateContext() const {
+ const SSL_METHOD *method = is_dtls() ? DTLS_method() : TLS_method();
+ bssl::UniquePtr<SSL_CTX> ctx(SSL_CTX_new(method));
+ if (!ctx || !SSL_CTX_set_min_proto_version(ctx.get(), version()) ||
+ !SSL_CTX_set_max_proto_version(ctx.get(), version())) {
+ return nullptr;
+ }
+ return ctx;
}
- bssl::UniquePtr<X509> cert = GetTestCertificate();
- bssl::UniquePtr<EVP_PKEY> key = GetTestKey();
- if (!cert || !key || !SSL_CTX_use_certificate(server_ctx.get(), cert.get()) ||
- !SSL_CTX_use_PrivateKey(server_ctx.get(), key.get())) {
- return false;
+ void ResetContexts() {
+ ASSERT_TRUE(cert_);
+ ASSERT_TRUE(key_);
+ client_ctx_ = CreateContext();
+ ASSERT_TRUE(client_ctx_);
+ server_ctx_ = CreateContext();
+ ASSERT_TRUE(server_ctx_);
+ // Set up a server cert. Client certs can be set up explicitly.
+ ASSERT_TRUE(UseCertAndKey(server_ctx_.get()));
}
- bssl::UniquePtr<SSL> client, server;
- if (!ConnectClientAndServer(&client, &server, client_ctx.get(),
- server_ctx.get(), nullptr /* no session */)) {
- return false;
+ bool UseCertAndKey(SSL_CTX *ctx) const {
+ return SSL_CTX_use_certificate(ctx, cert_.get()) &&
+ SSL_CTX_use_PrivateKey(ctx, key_.get());
}
+ bool Connect() {
+ return ConnectClientAndServer(&client_, &server_, client_ctx_.get(),
+ server_ctx_.get(), nullptr /* no session */);
+ }
+
+ uint16_t version() const { return GetParam().version; }
+
+ bool is_dtls() const {
+ return GetParam().ssl_method == VersionParam::is_dtls;
+ }
+
+ bssl::UniquePtr<SSL> client_, server_;
+ bssl::UniquePtr<SSL_CTX> server_ctx_, client_ctx_;
+ bssl::UniquePtr<X509> cert_;
+ bssl::UniquePtr<EVP_PKEY> key_;
+};
+
+INSTANTIATE_TEST_CASE_P(WithVersion, SSLVersionTest,
+ testing::ValuesIn(kAllVersions),
+ [](const testing::TestParamInfo<VersionParam> &i) {
+ return i.param.name;
+ });
+
+TEST_P(SSLVersionTest, SequenceNumber) {
+ ASSERT_TRUE(Connect());
+
// Drain any post-handshake messages to ensure there are no unread records
// on either end.
uint8_t byte = 0;
- if (SSL_read(client.get(), &byte, 1) > 0 ||
- SSL_read(server.get(), &byte, 1) > 0) {
- fprintf(stderr, "Received unexpected data.\n");
- return false;
- }
+ ASSERT_LE(SSL_read(client_.get(), &byte, 1), 0);
+ ASSERT_LE(SSL_read(server_.get(), &byte, 1), 0);
- uint64_t client_read_seq = SSL_get_read_sequence(client.get());
- uint64_t client_write_seq = SSL_get_write_sequence(client.get());
- uint64_t server_read_seq = SSL_get_read_sequence(server.get());
- uint64_t server_write_seq = SSL_get_write_sequence(server.get());
+ uint64_t client_read_seq = SSL_get_read_sequence(client_.get());
+ uint64_t client_write_seq = SSL_get_write_sequence(client_.get());
+ uint64_t server_read_seq = SSL_get_read_sequence(server_.get());
+ uint64_t server_write_seq = SSL_get_write_sequence(server_.get());
- if (is_dtls) {
+ if (is_dtls()) {
// Both client and server must be at epoch 1.
- if (EpochFromSequence(client_read_seq) != 1 ||
- EpochFromSequence(client_write_seq) != 1 ||
- EpochFromSequence(server_read_seq) != 1 ||
- EpochFromSequence(server_write_seq) != 1) {
- fprintf(stderr, "Bad epochs.\n");
- return false;
- }
+ EXPECT_EQ(EpochFromSequence(client_read_seq), 1);
+ EXPECT_EQ(EpochFromSequence(client_write_seq), 1);
+ EXPECT_EQ(EpochFromSequence(server_read_seq), 1);
+ EXPECT_EQ(EpochFromSequence(server_write_seq), 1);
// The next record to be written should exceed the largest received.
- if (client_write_seq <= server_read_seq ||
- server_write_seq <= client_read_seq) {
- fprintf(stderr, "Inconsistent sequence numbers.\n");
- return false;
- }
+ EXPECT_GT(client_write_seq, server_read_seq);
+ EXPECT_GT(server_write_seq, client_read_seq);
} else {
// The next record to be written should equal the next to be received.
- if (client_write_seq != server_read_seq ||
- server_write_seq != client_read_seq) {
- fprintf(stderr, "Inconsistent sequence numbers.\n");
- return false;
- }
+ EXPECT_EQ(client_write_seq, server_read_seq);
+ EXPECT_EQ(server_write_seq, client_read_seq);
}
// Send a record from client to server.
- if (SSL_write(client.get(), &byte, 1) != 1 ||
- SSL_read(server.get(), &byte, 1) != 1) {
- fprintf(stderr, "Could not send byte.\n");
- return false;
- }
+ EXPECT_EQ(SSL_write(client_.get(), &byte, 1), 1);
+ EXPECT_EQ(SSL_read(server_.get(), &byte, 1), 1);
// The client write and server read sequence numbers should have
// incremented.
- if (client_write_seq + 1 != SSL_get_write_sequence(client.get()) ||
- server_read_seq + 1 != SSL_get_read_sequence(server.get())) {
- fprintf(stderr, "Sequence numbers did not increment.\n");
- return false;
- }
-
- return true;
+ EXPECT_EQ(client_write_seq + 1, SSL_get_write_sequence(client_.get()));
+ EXPECT_EQ(server_read_seq + 1, SSL_get_read_sequence(server_.get()));
}
-static bool TestOneSidedShutdown(bool is_dtls, const SSL_METHOD *method,
- uint16_t version) {
+TEST_P(SSLVersionTest, OneSidedShutdown) {
// SSL_shutdown is a no-op in DTLS.
- if (is_dtls) {
- return true;
+ if (is_dtls()) {
+ return;
}
-
- bssl::UniquePtr<SSL_CTX> client_ctx(SSL_CTX_new(method));
- bssl::UniquePtr<SSL_CTX> server_ctx(SSL_CTX_new(method));
- bssl::UniquePtr<X509> cert = GetTestCertificate();
- bssl::UniquePtr<EVP_PKEY> key = GetTestKey();
- if (!client_ctx || !server_ctx || !cert || !key ||
- !SSL_CTX_set_min_proto_version(server_ctx.get(), version) ||
- !SSL_CTX_set_max_proto_version(server_ctx.get(), version) ||
- !SSL_CTX_set_min_proto_version(client_ctx.get(), version) ||
- !SSL_CTX_set_max_proto_version(client_ctx.get(), version) ||
- !SSL_CTX_use_certificate(server_ctx.get(), cert.get()) ||
- !SSL_CTX_use_PrivateKey(server_ctx.get(), key.get())) {
- return false;
- }
-
- bssl::UniquePtr<SSL> client, server;
- if (!ConnectClientAndServer(&client, &server, client_ctx.get(),
- server_ctx.get(), nullptr /* no session */)) {
- return false;
- }
+ ASSERT_TRUE(Connect());
// Shut down half the connection. SSL_shutdown will return 0 to signal only
// one side has shut down.
- if (SSL_shutdown(client.get()) != 0) {
- fprintf(stderr, "Could not shutdown.\n");
- return false;
- }
+ ASSERT_EQ(SSL_shutdown(client_.get()), 0);
// Reading from the server should consume the EOF.
uint8_t byte;
- if (SSL_read(server.get(), &byte, 1) != 0 ||
- SSL_get_error(server.get(), 0) != SSL_ERROR_ZERO_RETURN) {
- fprintf(stderr, "Connection was not shut down cleanly.\n");
- return false;
- }
+ ASSERT_EQ(SSL_read(server_.get(), &byte, 1), 0);
+ ASSERT_EQ(SSL_get_error(server_.get(), 0), SSL_ERROR_ZERO_RETURN);
// However, the server may continue to write data and then shut down the
// connection.
byte = 42;
- if (SSL_write(server.get(), &byte, 1) != 1 ||
- SSL_read(client.get(), &byte, 1) != 1 ||
- byte != 42) {
- fprintf(stderr, "Could not send byte.\n");
- return false;
- }
+ ASSERT_EQ(SSL_write(server_.get(), &byte, 1), 1);
+ ASSERT_EQ(SSL_read(client_.get(), &byte, 1), 1);
+ ASSERT_EQ(byte, 42);
// The server may then shutdown the connection.
- if (SSL_shutdown(server.get()) != 1 ||
- SSL_shutdown(client.get()) != 1) {
- fprintf(stderr, "Could not complete shutdown.\n");
- return false;
- }
-
- return true;
+ EXPECT_EQ(SSL_shutdown(server_.get()), 1);
+ EXPECT_EQ(SSL_shutdown(client_.get()), 1);
}
TEST(SSLTest, SessionDuplication) {
@@ -1786,164 +1802,87 @@
static int VerifySucceed(X509_STORE_CTX *store_ctx, void *arg) { return 1; }
-static bool TestGetPeerCertificate(bool is_dtls, const SSL_METHOD *method,
- uint16_t version) {
- bssl::UniquePtr<X509> cert = GetTestCertificate();
- bssl::UniquePtr<EVP_PKEY> key = GetTestKey();
- if (!cert || !key) {
- return false;
- }
+TEST_P(SSLVersionTest, GetPeerCertificate) {
+ ASSERT_TRUE(UseCertAndKey(client_ctx_.get()));
// Configure both client and server to accept any certificate.
- bssl::UniquePtr<SSL_CTX> ctx(SSL_CTX_new(method));
- if (!ctx ||
- !SSL_CTX_use_certificate(ctx.get(), cert.get()) ||
- !SSL_CTX_use_PrivateKey(ctx.get(), key.get()) ||
- !SSL_CTX_set_min_proto_version(ctx.get(), version) ||
- !SSL_CTX_set_max_proto_version(ctx.get(), version)) {
- return false;
- }
- SSL_CTX_set_verify(
- ctx.get(), SSL_VERIFY_PEER | SSL_VERIFY_FAIL_IF_NO_PEER_CERT, nullptr);
- SSL_CTX_set_cert_verify_callback(ctx.get(), VerifySucceed, NULL);
+ SSL_CTX_set_verify(client_ctx_.get(),
+ SSL_VERIFY_PEER | SSL_VERIFY_FAIL_IF_NO_PEER_CERT,
+ nullptr);
+ SSL_CTX_set_cert_verify_callback(client_ctx_.get(), VerifySucceed, NULL);
+ SSL_CTX_set_verify(server_ctx_.get(),
+ SSL_VERIFY_PEER | SSL_VERIFY_FAIL_IF_NO_PEER_CERT,
+ nullptr);
+ SSL_CTX_set_cert_verify_callback(server_ctx_.get(), VerifySucceed, NULL);
- bssl::UniquePtr<SSL> client, server;
- if (!ConnectClientAndServer(&client, &server, ctx.get(), ctx.get(),
- nullptr /* no session */)) {
- return false;
- }
+ ASSERT_TRUE(Connect());
// Client and server should both see the leaf certificate.
- bssl::UniquePtr<X509> peer(SSL_get_peer_certificate(server.get()));
- if (!peer || X509_cmp(cert.get(), peer.get()) != 0) {
- fprintf(stderr, "Server peer certificate did not match.\n");
- return false;
- }
+ bssl::UniquePtr<X509> peer(SSL_get_peer_certificate(server_.get()));
+ ASSERT_TRUE(peer);
+ ASSERT_EQ(X509_cmp(cert_.get(), peer.get()), 0);
- peer.reset(SSL_get_peer_certificate(client.get()));
- if (!peer || X509_cmp(cert.get(), peer.get()) != 0) {
- fprintf(stderr, "Client peer certificate did not match.\n");
- return false;
- }
+ peer.reset(SSL_get_peer_certificate(client_.get()));
+ ASSERT_TRUE(peer);
+ ASSERT_EQ(X509_cmp(cert_.get(), peer.get()), 0);
// However, for historical reasons, the X509 chain includes the leaf on the
// client, but does not on the server.
- if (sk_X509_num(SSL_get_peer_cert_chain(client.get())) != 1 ||
- sk_CRYPTO_BUFFER_num(SSL_get0_peer_certificates(client.get())) != 1) {
- fprintf(stderr, "Client peer chain was incorrect.\n");
- return false;
- }
+ EXPECT_EQ(sk_X509_num(SSL_get_peer_cert_chain(client_.get())), 1u);
+ EXPECT_EQ(sk_CRYPTO_BUFFER_num(SSL_get0_peer_certificates(client_.get())),
+ 1u);
- if (sk_X509_num(SSL_get_peer_cert_chain(server.get())) != 0 ||
- sk_CRYPTO_BUFFER_num(SSL_get0_peer_certificates(server.get())) != 1) {
- fprintf(stderr, "Server peer chain was incorrect.\n");
- return false;
- }
-
- return true;
+ EXPECT_EQ(sk_X509_num(SSL_get_peer_cert_chain(server_.get())), 0u);
+ EXPECT_EQ(sk_CRYPTO_BUFFER_num(SSL_get0_peer_certificates(server_.get())),
+ 1u);
}
-static bool TestNoPeerCertificate(bool is_dtls, const SSL_METHOD *method,
- uint16_t version) {
- bssl::UniquePtr<X509> cert = GetTestCertificate();
- bssl::UniquePtr<EVP_PKEY> key = GetTestKey();
- if (!cert || !key) {
- return false;
- }
+TEST_P(SSLVersionTest, NoPeerCertificate) {
+ SSL_CTX_set_verify(server_ctx_.get(), SSL_VERIFY_PEER, nullptr);
+ SSL_CTX_set_cert_verify_callback(server_ctx_.get(), VerifySucceed, NULL);
+ SSL_CTX_set_cert_verify_callback(client_ctx_.get(), VerifySucceed, NULL);
- // Configure an anonymous client.
- bssl::UniquePtr<SSL_CTX> server_ctx(SSL_CTX_new(method)),
- client_ctx(SSL_CTX_new(method));
- if (!server_ctx || !client_ctx ||
- !SSL_CTX_use_certificate(server_ctx.get(), cert.get()) ||
- !SSL_CTX_use_PrivateKey(server_ctx.get(), key.get()) ||
- !SSL_CTX_set_min_proto_version(server_ctx.get(), version) ||
- !SSL_CTX_set_max_proto_version(server_ctx.get(), version) ||
- !SSL_CTX_set_min_proto_version(client_ctx.get(), version) ||
- !SSL_CTX_set_max_proto_version(client_ctx.get(), version)) {
- return false;
- }
- SSL_CTX_set_verify(
- server_ctx.get(), SSL_VERIFY_PEER, nullptr);
- SSL_CTX_set_cert_verify_callback(server_ctx.get(), VerifySucceed, NULL);
- SSL_CTX_set_cert_verify_callback(client_ctx.get(), VerifySucceed, NULL);
+ ASSERT_TRUE(Connect());
- bssl::UniquePtr<SSL> client, server;
- if (!ConnectClientAndServer(&client, &server, client_ctx.get(),
- server_ctx.get(), nullptr /* no session */)) {
- return false;
- }
-
- // Client and server should both see the leaf certificate.
- bssl::UniquePtr<X509> peer(SSL_get_peer_certificate(server.get()));
- if (peer ||
- SSL_get0_peer_certificates(server.get()) != nullptr) {
- fprintf(stderr, "Server peer certificate was non-null.\n");
- return false;
- }
-
- return true;
+ // Server should not see a peer certificate.
+ bssl::UniquePtr<X509> peer(SSL_get_peer_certificate(server_.get()));
+ ASSERT_FALSE(peer);
+ ASSERT_FALSE(SSL_get0_peer_certificates(server_.get()));
}
-static bool TestRetainOnlySHA256OfCerts(bool is_dtls, const SSL_METHOD *method,
- uint16_t version) {
- bssl::UniquePtr<X509> cert = GetTestCertificate();
- bssl::UniquePtr<EVP_PKEY> key = GetTestKey();
- if (!cert || !key) {
- return false;
- }
-
+TEST_P(SSLVersionTest, RetainOnlySHA256OfCerts) {
uint8_t *cert_der = NULL;
- int cert_der_len = i2d_X509(cert.get(), &cert_der);
- if (cert_der_len < 0) {
- return false;
- }
+ int cert_der_len = i2d_X509(cert_.get(), &cert_der);
+ ASSERT_GE(cert_der_len, 0);
bssl::UniquePtr<uint8_t> free_cert_der(cert_der);
uint8_t cert_sha256[SHA256_DIGEST_LENGTH];
SHA256(cert_der, cert_der_len, cert_sha256);
+ ASSERT_TRUE(UseCertAndKey(client_ctx_.get()));
+
// Configure both client and server to accept any certificate, but the
// server must retain only the SHA-256 of the peer.
- bssl::UniquePtr<SSL_CTX> ctx(SSL_CTX_new(method));
- if (!ctx ||
- !SSL_CTX_use_certificate(ctx.get(), cert.get()) ||
- !SSL_CTX_use_PrivateKey(ctx.get(), key.get()) ||
- !SSL_CTX_set_min_proto_version(ctx.get(), version) ||
- !SSL_CTX_set_max_proto_version(ctx.get(), version)) {
- return false;
- }
- SSL_CTX_set_verify(
- ctx.get(), SSL_VERIFY_PEER | SSL_VERIFY_FAIL_IF_NO_PEER_CERT, nullptr);
- SSL_CTX_set_cert_verify_callback(ctx.get(), VerifySucceed, NULL);
- SSL_CTX_set_retain_only_sha256_of_client_certs(ctx.get(), 1);
+ SSL_CTX_set_verify(client_ctx_.get(),
+ SSL_VERIFY_PEER | SSL_VERIFY_FAIL_IF_NO_PEER_CERT,
+ nullptr);
+ SSL_CTX_set_verify(server_ctx_.get(),
+ SSL_VERIFY_PEER | SSL_VERIFY_FAIL_IF_NO_PEER_CERT,
+ nullptr);
+ SSL_CTX_set_cert_verify_callback(client_ctx_.get(), VerifySucceed, NULL);
+ SSL_CTX_set_cert_verify_callback(server_ctx_.get(), VerifySucceed, NULL);
+ SSL_CTX_set_retain_only_sha256_of_client_certs(server_ctx_.get(), 1);
- bssl::UniquePtr<SSL> client, server;
- if (!ConnectClientAndServer(&client, &server, ctx.get(), ctx.get(),
- nullptr /* no session */)) {
- return false;
- }
+ ASSERT_TRUE(Connect());
// The peer certificate has been dropped.
- bssl::UniquePtr<X509> peer(SSL_get_peer_certificate(server.get()));
- if (peer) {
- fprintf(stderr, "Peer certificate was retained.\n");
- return false;
- }
+ bssl::UniquePtr<X509> peer(SSL_get_peer_certificate(server_.get()));
+ EXPECT_FALSE(peer);
- SSL_SESSION *session = SSL_get_session(server.get());
- if (!session->peer_sha256_valid) {
- fprintf(stderr, "peer_sha256_valid was not set.\n");
- return false;
- }
+ SSL_SESSION *session = SSL_get_session(server_.get());
+ EXPECT_TRUE(session->peer_sha256_valid);
- if (OPENSSL_memcmp(cert_sha256, session->peer_sha256, SHA256_DIGEST_LENGTH) !=
- 0) {
- fprintf(stderr, "peer_sha256 did not match.\n");
- return false;
- }
-
- return true;
+ EXPECT_EQ(Bytes(cert_sha256), Bytes(session->peer_sha256));
}
static bool ClientHelloMatches(uint16_t version, const uint8_t *expected,
@@ -2172,29 +2111,16 @@
return std::move(g_last_session);
}
-static bool ExpectSessionReused(SSL_CTX *client_ctx, SSL_CTX *server_ctx,
- SSL_SESSION *session,
- bool reused) {
+static void ExpectSessionReused(SSL_CTX *client_ctx, SSL_CTX *server_ctx,
+ SSL_SESSION *session, bool want_reused) {
bssl::UniquePtr<SSL> client, server;
- if (!ConnectClientAndServer(&client, &server, client_ctx,
- server_ctx, session)) {
- fprintf(stderr, "Failed to connect client and server.\n");
- return false;
- }
+ EXPECT_TRUE(ConnectClientAndServer(&client, &server, client_ctx, server_ctx,
+ session));
- if (SSL_session_reused(client.get()) != SSL_session_reused(server.get())) {
- fprintf(stderr, "Client and server were inconsistent.\n");
- return false;
- }
+ EXPECT_EQ(SSL_session_reused(client.get()), SSL_session_reused(server.get()));
bool was_reused = !!SSL_session_reused(client.get());
- if (was_reused != reused) {
- fprintf(stderr, "Session was%s reused, but we expected the opposite.\n",
- was_reused ? "" : " not");
- return false;
- }
-
- return true;
+ EXPECT_EQ(was_reused, want_reused);
}
static bssl::UniquePtr<SSL_SESSION> ExpectSessionRenewed(SSL_CTX *client_ctx,
@@ -2232,6 +2158,19 @@
return std::move(g_last_session);
}
+static void ExpectTicketKeyChanged(SSL_CTX *ctx, uint8_t *inout_key,
+ bool changed) {
+ uint8_t new_key[kTicketKeyLen];
+ /* May return 0, 1 or 48. */
+ ASSERT_EQ(SSL_CTX_get_tlsext_ticket_keys(ctx, new_key, kTicketKeyLen), 1);
+ if (changed) {
+ ASSERT_NE(Bytes(inout_key, kTicketKeyLen), Bytes(new_key));
+ } else {
+ ASSERT_EQ(Bytes(inout_key, kTicketKeyLen), Bytes(new_key));
+ }
+ OPENSSL_memcpy(inout_key, new_key, kTicketKeyLen);
+}
+
static int SwitchSessionIDContextSNI(SSL *ssl, int *out_alert, void *arg) {
static const uint8_t kContext[] = {3};
@@ -2242,79 +2181,48 @@
return SSL_TLSEXT_ERR_OK;
}
-static bool TestSessionIDContext(bool is_dtls, const SSL_METHOD *method,
- uint16_t version) {
- bssl::UniquePtr<X509> cert = GetTestCertificate();
- bssl::UniquePtr<EVP_PKEY> key = GetTestKey();
- if (!cert || !key) {
- return false;
- }
-
+TEST_P(SSLVersionTest, SessionIDContext) {
static const uint8_t kContext1[] = {1};
static const uint8_t kContext2[] = {2};
- bssl::UniquePtr<SSL_CTX> server_ctx(SSL_CTX_new(method));
- bssl::UniquePtr<SSL_CTX> client_ctx(SSL_CTX_new(method));
- if (!server_ctx || !client_ctx ||
- !SSL_CTX_use_certificate(server_ctx.get(), cert.get()) ||
- !SSL_CTX_use_PrivateKey(server_ctx.get(), key.get()) ||
- !SSL_CTX_set_session_id_context(server_ctx.get(), kContext1,
- sizeof(kContext1)) ||
- !SSL_CTX_set_min_proto_version(client_ctx.get(), version) ||
- !SSL_CTX_set_max_proto_version(client_ctx.get(), version) ||
- !SSL_CTX_set_min_proto_version(server_ctx.get(), version) ||
- !SSL_CTX_set_max_proto_version(server_ctx.get(), version)) {
- return false;
- }
+ ASSERT_TRUE(SSL_CTX_set_session_id_context(server_ctx_.get(), kContext1,
+ sizeof(kContext1)));
- SSL_CTX_set_session_cache_mode(client_ctx.get(), SSL_SESS_CACHE_BOTH);
- SSL_CTX_set_session_cache_mode(server_ctx.get(), SSL_SESS_CACHE_BOTH);
+ SSL_CTX_set_session_cache_mode(client_ctx_.get(), SSL_SESS_CACHE_BOTH);
+ SSL_CTX_set_session_cache_mode(server_ctx_.get(), SSL_SESS_CACHE_BOTH);
bssl::UniquePtr<SSL_SESSION> session =
- CreateClientSession(client_ctx.get(), server_ctx.get());
- if (!session) {
- fprintf(stderr, "Error getting session.\n");
- return false;
- }
+ CreateClientSession(client_ctx_.get(), server_ctx_.get());
+ ASSERT_TRUE(session);
- if (!ExpectSessionReused(client_ctx.get(), server_ctx.get(), session.get(),
- true /* expect session reused */)) {
- fprintf(stderr, "Error resuming session.\n");
- return false;
- }
+ TRACED_CALL(ExpectSessionReused(client_ctx_.get(), server_ctx_.get(),
+ session.get(),
+ true /* expect session reused */));
// Change the session ID context.
- if (!SSL_CTX_set_session_id_context(server_ctx.get(), kContext2,
- sizeof(kContext2))) {
- return false;
- }
+ ASSERT_TRUE(SSL_CTX_set_session_id_context(server_ctx_.get(), kContext2,
+ sizeof(kContext2)));
- if (!ExpectSessionReused(client_ctx.get(), server_ctx.get(), session.get(),
- false /* expect session not reused */)) {
- fprintf(stderr, "Error connecting with a different context.\n");
- return false;
- }
+ TRACED_CALL(ExpectSessionReused(client_ctx_.get(), server_ctx_.get(),
+ session.get(),
+ false /* expect session not reused */));
// Change the session ID context back and install an SNI callback to switch
// it.
- if (!SSL_CTX_set_session_id_context(server_ctx.get(), kContext1,
- sizeof(kContext1))) {
- return false;
- }
+ ASSERT_TRUE(SSL_CTX_set_session_id_context(server_ctx_.get(), kContext1,
+ sizeof(kContext1)));
- SSL_CTX_set_tlsext_servername_callback(server_ctx.get(),
+ SSL_CTX_set_tlsext_servername_callback(server_ctx_.get(),
SwitchSessionIDContextSNI);
- if (!ExpectSessionReused(client_ctx.get(), server_ctx.get(), session.get(),
- false /* expect session not reused */)) {
- fprintf(stderr, "Error connecting with a context switch on SNI callback.\n");
- return false;
- }
+ TRACED_CALL(ExpectSessionReused(client_ctx_.get(), server_ctx_.get(),
+ session.get(),
+ false /* expect session not reused */));
// Switch the session ID context with the early callback instead.
- SSL_CTX_set_tlsext_servername_callback(server_ctx.get(), nullptr);
+ SSL_CTX_set_tlsext_servername_callback(server_ctx_.get(), nullptr);
SSL_CTX_set_select_certificate_cb(
- server_ctx.get(),
+ server_ctx_.get(),
[](const SSL_CLIENT_HELLO *client_hello) -> ssl_select_cert_result_t {
static const uint8_t kContext[] = {3};
@@ -2326,14 +2234,9 @@
return ssl_select_cert_success;
});
- if (!ExpectSessionReused(client_ctx.get(), server_ctx.get(), session.get(),
- false /* expect session not reused */)) {
- fprintf(stderr,
- "Error connecting with a context switch on early callback.\n");
- return false;
- }
-
- return true;
+ TRACED_CALL(ExpectSessionReused(client_ctx_.get(), server_ctx_.get(),
+ session.get(),
+ false /* expect session not reused */));
}
static timeval g_current_time;
@@ -2409,142 +2312,99 @@
return true;
}
-static bool TestSessionTimeout(bool is_dtls, const SSL_METHOD *method,
- uint16_t version) {
- bssl::UniquePtr<X509> cert = GetTestCertificate();
- bssl::UniquePtr<EVP_PKEY> key = GetTestKey();
- if (!cert || !key) {
- return false;
- }
+TEST_P(SSLVersionTest, SessionTimeout) {
+ for (bool server_test : {false, true}) {
+ SCOPED_TRACE(server_test);
- for (bool server_test : std::vector<bool>{false, true}) {
+ ResetContexts();
+ SSL_CTX_set_session_cache_mode(client_ctx_.get(), SSL_SESS_CACHE_BOTH);
+ SSL_CTX_set_session_cache_mode(server_ctx_.get(), SSL_SESS_CACHE_BOTH);
+
static const time_t kStartTime = 1000;
g_current_time.tv_sec = kStartTime;
// We are willing to use a longer lifetime for TLS 1.3 sessions as
// resumptions still perform ECDHE.
- const time_t timeout = version == TLS1_3_VERSION
+ const time_t timeout = version() == TLS1_3_VERSION
? SSL_DEFAULT_SESSION_PSK_DHE_TIMEOUT
: SSL_DEFAULT_SESSION_TIMEOUT;
- bssl::UniquePtr<SSL_CTX> server_ctx(SSL_CTX_new(method));
- bssl::UniquePtr<SSL_CTX> client_ctx(SSL_CTX_new(method));
- if (!server_ctx || !client_ctx ||
- !SSL_CTX_use_certificate(server_ctx.get(), cert.get()) ||
- !SSL_CTX_use_PrivateKey(server_ctx.get(), key.get()) ||
- !SSL_CTX_set_min_proto_version(client_ctx.get(), version) ||
- !SSL_CTX_set_max_proto_version(client_ctx.get(), version) ||
- !SSL_CTX_set_min_proto_version(server_ctx.get(), version) ||
- !SSL_CTX_set_max_proto_version(server_ctx.get(), version)) {
- return false;
- }
-
- SSL_CTX_set_session_cache_mode(client_ctx.get(), SSL_SESS_CACHE_BOTH);
- SSL_CTX_set_session_cache_mode(server_ctx.get(), SSL_SESS_CACHE_BOTH);
-
// Both client and server must enforce session timeouts. We configure the
// other side with a frozen clock so it never expires tickets.
if (server_test) {
- SSL_CTX_set_current_time_cb(client_ctx.get(), FrozenTimeCallback);
- SSL_CTX_set_current_time_cb(server_ctx.get(), CurrentTimeCallback);
+ SSL_CTX_set_current_time_cb(client_ctx_.get(), FrozenTimeCallback);
+ SSL_CTX_set_current_time_cb(server_ctx_.get(), CurrentTimeCallback);
} else {
- SSL_CTX_set_current_time_cb(client_ctx.get(), CurrentTimeCallback);
- SSL_CTX_set_current_time_cb(server_ctx.get(), FrozenTimeCallback);
+ SSL_CTX_set_current_time_cb(client_ctx_.get(), CurrentTimeCallback);
+ SSL_CTX_set_current_time_cb(server_ctx_.get(), FrozenTimeCallback);
}
// Configure a ticket callback which renews tickets.
- SSL_CTX_set_tlsext_ticket_key_cb(server_ctx.get(), RenewTicketCallback);
+ SSL_CTX_set_tlsext_ticket_key_cb(server_ctx_.get(), RenewTicketCallback);
bssl::UniquePtr<SSL_SESSION> session =
- CreateClientSession(client_ctx.get(), server_ctx.get());
- if (!session) {
- fprintf(stderr, "Error getting session.\n");
- return false;
- }
+ CreateClientSession(client_ctx_.get(), server_ctx_.get());
+ ASSERT_TRUE(session);
// Advance the clock just behind the timeout.
g_current_time.tv_sec += timeout - 1;
- if (!ExpectSessionReused(client_ctx.get(), server_ctx.get(), session.get(),
- true /* expect session reused */)) {
- fprintf(stderr, "Error resuming session.\n");
- return false;
- }
+ TRACED_CALL(ExpectSessionReused(client_ctx_.get(), server_ctx_.get(),
+ session.get(),
+ true /* expect session reused */));
// Advance the clock one more second.
g_current_time.tv_sec++;
- if (!ExpectSessionReused(client_ctx.get(), server_ctx.get(), session.get(),
- false /* expect session not reused */)) {
- fprintf(stderr, "Error resuming session.\n");
- return false;
- }
+ TRACED_CALL(ExpectSessionReused(client_ctx_.get(), server_ctx_.get(),
+ session.get(),
+ false /* expect session not reused */));
// Rewind the clock to before the session was minted.
g_current_time.tv_sec = kStartTime - 1;
- if (!ExpectSessionReused(client_ctx.get(), server_ctx.get(), session.get(),
- false /* expect session not reused */)) {
- fprintf(stderr, "Error resuming session.\n");
- return false;
- }
+ TRACED_CALL(ExpectSessionReused(client_ctx_.get(), server_ctx_.get(),
+ session.get(),
+ false /* expect session not reused */));
// SSL 3.0 cannot renew sessions.
- if (version == SSL3_VERSION) {
+ if (version() == SSL3_VERSION) {
continue;
}
// Renew the session 10 seconds before expiration.
time_t new_start_time = kStartTime + timeout - 10;
g_current_time.tv_sec = new_start_time;
- bssl::UniquePtr<SSL_SESSION> new_session =
- ExpectSessionRenewed(client_ctx.get(), server_ctx.get(), session.get());
- if (!new_session) {
- fprintf(stderr, "Error renewing session.\n");
- return false;
- }
+ bssl::UniquePtr<SSL_SESSION> new_session = ExpectSessionRenewed(
+ client_ctx_.get(), server_ctx_.get(), session.get());
+ ASSERT_TRUE(new_session);
// This new session is not the same object as before.
- if (session.get() == new_session.get()) {
- fprintf(stderr, "New and old sessions alias.\n");
- return false;
- }
+ EXPECT_NE(session.get(), new_session.get());
// Check the sessions have timestamps measured from issuance.
long session_time = 0;
if (server_test) {
- if (!GetServerTicketTime(&session_time, new_session.get())) {
- fprintf(stderr, "Failed to decode session ticket.\n");
- return false;
- }
+ ASSERT_TRUE(GetServerTicketTime(&session_time, new_session.get()));
} else {
session_time = new_session->time;
}
- if (session_time != g_current_time.tv_sec) {
- fprintf(stderr, "New session is not measured from issuance.\n");
- return false;
- }
+ ASSERT_EQ(session_time, g_current_time.tv_sec);
- if (version == TLS1_3_VERSION) {
+ if (version() == TLS1_3_VERSION) {
// Renewal incorporates fresh key material in TLS 1.3, so we extend the
// lifetime TLS 1.3.
g_current_time.tv_sec = new_start_time + timeout - 1;
- if (!ExpectSessionReused(client_ctx.get(), server_ctx.get(),
- new_session.get(),
- true /* expect session reused */)) {
- fprintf(stderr, "Error resuming renewed session.\n");
- return false;
- }
+ TRACED_CALL(ExpectSessionReused(client_ctx_.get(), server_ctx_.get(),
+ new_session.get(),
+ true /* expect session reused */));
// The new session expires after the new timeout.
g_current_time.tv_sec = new_start_time + timeout + 1;
- if (!ExpectSessionReused(client_ctx.get(), server_ctx.get(),
- new_session.get(),
- false /* expect session ot reused */)) {
- fprintf(stderr, "Renewed session's lifetime is too long.\n");
- return false;
- }
+ TRACED_CALL(ExpectSessionReused(client_ctx_.get(), server_ctx_.get(),
+ new_session.get(),
+ false /* expect session ot reused */));
// Renew the session until it begins just past the auth timeout.
time_t auth_end_time = kStartTime + SSL_DEFAULT_SESSION_AUTH_TIMEOUT;
@@ -2553,75 +2413,129 @@
new_start_time =
std::min(auth_end_time - 1000, new_start_time + timeout - 1);
g_current_time.tv_sec = new_start_time;
- new_session = ExpectSessionRenewed(client_ctx.get(), server_ctx.get(),
+ new_session = ExpectSessionRenewed(client_ctx_.get(), server_ctx_.get(),
new_session.get());
- if (!new_session) {
- fprintf(stderr, "Error renewing session.\n");
- return false;
- }
+ ASSERT_TRUE(new_session);
}
// Now the session's lifetime is bound by the auth timeout.
g_current_time.tv_sec = auth_end_time - 1;
- if (!ExpectSessionReused(client_ctx.get(), server_ctx.get(),
- new_session.get(),
- true /* expect session reused */)) {
- fprintf(stderr, "Error resuming renewed session.\n");
- return false;
- }
+ TRACED_CALL(ExpectSessionReused(client_ctx_.get(), server_ctx_.get(),
+ new_session.get(),
+ true /* expect session reused */));
g_current_time.tv_sec = auth_end_time + 1;
- if (!ExpectSessionReused(client_ctx.get(), server_ctx.get(),
- new_session.get(),
- false /* expect session ot reused */)) {
- fprintf(stderr, "Renewed session's lifetime is too long.\n");
- return false;
- }
+ TRACED_CALL(ExpectSessionReused(client_ctx_.get(), server_ctx_.get(),
+ new_session.get(),
+ false /* expect session ot reused */));
} else {
// The new session is usable just before the old expiration.
g_current_time.tv_sec = kStartTime + timeout - 1;
- if (!ExpectSessionReused(client_ctx.get(), server_ctx.get(),
- new_session.get(),
- true /* expect session reused */)) {
- fprintf(stderr, "Error resuming renewed session.\n");
- return false;
- }
+ TRACED_CALL(ExpectSessionReused(client_ctx_.get(), server_ctx_.get(),
+ new_session.get(),
+ true /* expect session reused */));
// Renewal does not extend the lifetime, so it is not usable beyond the
// old expiration.
g_current_time.tv_sec = kStartTime + timeout + 1;
- if (!ExpectSessionReused(client_ctx.get(), server_ctx.get(),
- new_session.get(),
- false /* expect session not reused */)) {
- fprintf(stderr, "Renewed session's lifetime is too long.\n");
- return false;
- }
+ TRACED_CALL(ExpectSessionReused(client_ctx_.get(), server_ctx_.get(),
+ new_session.get(),
+ false /* expect session not reused */));
}
}
+}
- return true;
+TEST_P(SSLVersionTest, DefaultTicketKeyInitialization) {
+ static const uint8_t kZeroKey[kTicketKeyLen] = {};
+ uint8_t ticket_key[kTicketKeyLen];
+ ASSERT_EQ(1, SSL_CTX_get_tlsext_ticket_keys(server_ctx_.get(), ticket_key,
+ kTicketKeyLen));
+ ASSERT_NE(0, OPENSSL_memcmp(ticket_key, kZeroKey, kTicketKeyLen));
+}
+
+TEST_P(SSLVersionTest, DefaultTicketKeyRotation) {
+ if (GetParam().version == SSL3_VERSION) {
+ return;
+ }
+
+ static const time_t kStartTime = 1001;
+ g_current_time.tv_sec = kStartTime;
+ uint8_t ticket_key[kTicketKeyLen];
+
+ /* We use session reuse as a proxy for ticket decryption success, hence
+ * disable session timeouts. */
+ SSL_CTX_set_timeout(server_ctx_.get(), std::numeric_limits<uint32_t>::max());
+ SSL_CTX_set_session_psk_dhe_timeout(server_ctx_.get(),
+ std::numeric_limits<uint32_t>::max());
+
+ SSL_CTX_set_current_time_cb(client_ctx_.get(), FrozenTimeCallback);
+ SSL_CTX_set_current_time_cb(server_ctx_.get(), CurrentTimeCallback);
+
+ SSL_CTX_set_session_cache_mode(client_ctx_.get(), SSL_SESS_CACHE_BOTH);
+ SSL_CTX_set_session_cache_mode(server_ctx_.get(), SSL_SESS_CACHE_OFF);
+
+ /* Initialize ticket_key with the current key. */
+ TRACED_CALL(ExpectTicketKeyChanged(server_ctx_.get(), ticket_key,
+ true /* changed */));
+
+ /* Verify ticket resumption actually works. */
+ bssl::UniquePtr<SSL> client, server;
+ bssl::UniquePtr<SSL_SESSION> session =
+ CreateClientSession(client_ctx_.get(), server_ctx_.get());
+ ASSERT_TRUE(session);
+ TRACED_CALL(ExpectSessionReused(client_ctx_.get(), server_ctx_.get(),
+ session.get(), true /* reused */));
+
+ /* Advance time to just before key rotation. */
+ g_current_time.tv_sec += SSL_DEFAULT_TICKET_KEY_ROTATION_INTERVAL - 1;
+ TRACED_CALL(ExpectSessionReused(client_ctx_.get(), server_ctx_.get(),
+ session.get(), true /* reused */));
+ TRACED_CALL(ExpectTicketKeyChanged(server_ctx_.get(), ticket_key,
+ false /* NOT changed */));
+
+ /* Force key rotation. */
+ g_current_time.tv_sec += 1;
+ bssl::UniquePtr<SSL_SESSION> new_session =
+ CreateClientSession(client_ctx_.get(), server_ctx_.get());
+ TRACED_CALL(ExpectTicketKeyChanged(server_ctx_.get(), ticket_key,
+ true /* changed */));
+
+ /* Resumption with both old and new ticket should work. */
+ TRACED_CALL(ExpectSessionReused(client_ctx_.get(), server_ctx_.get(),
+ session.get(), true /* reused */));
+ TRACED_CALL(ExpectSessionReused(client_ctx_.get(), server_ctx_.get(),
+ new_session.get(), true /* reused */));
+ TRACED_CALL(ExpectTicketKeyChanged(server_ctx_.get(), ticket_key,
+ false /* NOT changed */));
+
+ /* Force key rotation again. Resumption with the old ticket now fails. */
+ g_current_time.tv_sec += SSL_DEFAULT_TICKET_KEY_ROTATION_INTERVAL;
+ TRACED_CALL(ExpectSessionReused(client_ctx_.get(), server_ctx_.get(),
+ session.get(), false /* NOT reused */));
+ TRACED_CALL(ExpectTicketKeyChanged(server_ctx_.get(), ticket_key,
+ true /* changed */));
+
+ /* But resumption with the newer session still works. */
+ TRACED_CALL(ExpectSessionReused(client_ctx_.get(), server_ctx_.get(),
+ new_session.get(), true /* reused */));
}
static int SwitchContext(SSL *ssl, int *out_alert, void *arg) {
- SSL_CTX *ctx = reinterpret_cast<SSL_CTX*>(arg);
+ SSL_CTX *ctx = reinterpret_cast<SSL_CTX *>(arg);
SSL_set_SSL_CTX(ssl, ctx);
return SSL_TLSEXT_ERR_OK;
}
-static bool TestSNICallback(bool is_dtls, const SSL_METHOD *method,
- uint16_t version) {
+TEST_P(SSLVersionTest, SNICallback) {
// SSL 3.0 lacks extensions.
- if (version == SSL3_VERSION) {
- return true;
+ if (version() == SSL3_VERSION) {
+ return;
}
- bssl::UniquePtr<X509> cert = GetTestCertificate();
- bssl::UniquePtr<EVP_PKEY> key = GetTestKey();
bssl::UniquePtr<X509> cert2 = GetECDSATestCertificate();
+ ASSERT_TRUE(cert2);
bssl::UniquePtr<EVP_PKEY> key2 = GetECDSATestKey();
- if (!cert || !key || !cert2 || !key2) {
- return false;
- }
+ ASSERT_TRUE(key2);
// Test that switching the |SSL_CTX| at the SNI callback behaves correctly.
static const uint16_t kECDSAWithSHA256 = SSL_SIGN_ECDSA_SECP256R1_SHA256;
@@ -2629,70 +2543,43 @@
static const uint8_t kSCTList[] = {0, 6, 0, 4, 5, 6, 7, 8};
static const uint8_t kOCSPResponse[] = {1, 2, 3, 4};
- bssl::UniquePtr<SSL_CTX> server_ctx(SSL_CTX_new(method));
- bssl::UniquePtr<SSL_CTX> server_ctx2(SSL_CTX_new(method));
- bssl::UniquePtr<SSL_CTX> client_ctx(SSL_CTX_new(method));
- if (!server_ctx || !server_ctx2 || !client_ctx ||
- !SSL_CTX_use_certificate(server_ctx.get(), cert.get()) ||
- !SSL_CTX_use_PrivateKey(server_ctx.get(), key.get()) ||
- !SSL_CTX_use_certificate(server_ctx2.get(), cert2.get()) ||
- !SSL_CTX_use_PrivateKey(server_ctx2.get(), key2.get()) ||
- !SSL_CTX_set_signed_cert_timestamp_list(server_ctx2.get(), kSCTList,
- sizeof(kSCTList)) ||
- !SSL_CTX_set_ocsp_response(server_ctx2.get(), kOCSPResponse,
- sizeof(kOCSPResponse)) ||
- // Historically signing preferences would be lost in some cases with the
- // SNI callback, which triggers the TLS 1.2 SHA-1 default. To ensure
- // this doesn't happen when |version| is TLS 1.2, configure the private
- // key to only sign SHA-256.
- !SSL_CTX_set_signing_algorithm_prefs(server_ctx2.get(), &kECDSAWithSHA256,
- 1) ||
- !SSL_CTX_set_min_proto_version(client_ctx.get(), version) ||
- !SSL_CTX_set_max_proto_version(client_ctx.get(), version) ||
- !SSL_CTX_set_min_proto_version(server_ctx.get(), version) ||
- !SSL_CTX_set_max_proto_version(server_ctx.get(), version) ||
- !SSL_CTX_set_min_proto_version(server_ctx2.get(), version) ||
- !SSL_CTX_set_max_proto_version(server_ctx2.get(), version)) {
- return false;
- }
+ bssl::UniquePtr<SSL_CTX> server_ctx2 = CreateContext();
+ ASSERT_TRUE(server_ctx2);
+ ASSERT_TRUE(SSL_CTX_use_certificate(server_ctx2.get(), cert2.get()));
+ ASSERT_TRUE(SSL_CTX_use_PrivateKey(server_ctx2.get(), key2.get()));
+ ASSERT_TRUE(SSL_CTX_set_signed_cert_timestamp_list(
+ server_ctx2.get(), kSCTList, sizeof(kSCTList)));
+ ASSERT_TRUE(SSL_CTX_set_ocsp_response(server_ctx2.get(), kOCSPResponse,
+ sizeof(kOCSPResponse)));
+ // Historically signing preferences would be lost in some cases with the
+ // SNI callback, which triggers the TLS 1.2 SHA-1 default. To ensure
+ // this doesn't happen when |version| is TLS 1.2, configure the private
+ // key to only sign SHA-256.
+ ASSERT_TRUE(SSL_CTX_set_signing_algorithm_prefs(server_ctx2.get(),
+ &kECDSAWithSHA256, 1));
- SSL_CTX_set_tlsext_servername_callback(server_ctx.get(), SwitchContext);
- SSL_CTX_set_tlsext_servername_arg(server_ctx.get(), server_ctx2.get());
+ SSL_CTX_set_tlsext_servername_callback(server_ctx_.get(), SwitchContext);
+ SSL_CTX_set_tlsext_servername_arg(server_ctx_.get(), server_ctx2.get());
- SSL_CTX_enable_signed_cert_timestamps(client_ctx.get());
- SSL_CTX_enable_ocsp_stapling(client_ctx.get());
+ SSL_CTX_enable_signed_cert_timestamps(client_ctx_.get());
+ SSL_CTX_enable_ocsp_stapling(client_ctx_.get());
- bssl::UniquePtr<SSL> client, server;
- if (!ConnectClientAndServer(&client, &server, client_ctx.get(),
- server_ctx.get(), nullptr)) {
- fprintf(stderr, "Handshake failed.\n");
- return false;
- }
+ ASSERT_TRUE(Connect());
// The client should have received |cert2|.
- bssl::UniquePtr<X509> peer(SSL_get_peer_certificate(client.get()));
- if (!peer || X509_cmp(peer.get(), cert2.get()) != 0) {
- fprintf(stderr, "Incorrect certificate received.\n");
- return false;
- }
+ bssl::UniquePtr<X509> peer(SSL_get_peer_certificate(client_.get()));
+ ASSERT_TRUE(peer);
+ EXPECT_EQ(X509_cmp(peer.get(), cert2.get()), 0);
// The client should have received |server_ctx2|'s SCT list.
const uint8_t *data;
size_t len;
- SSL_get0_signed_cert_timestamp_list(client.get(), &data, &len);
- if (Bytes(kSCTList) != Bytes(data, len)) {
- fprintf(stderr, "Incorrect SCT list received.\n");
- return false;
- }
+ SSL_get0_signed_cert_timestamp_list(client_.get(), &data, &len);
+ EXPECT_EQ(Bytes(kSCTList), Bytes(data, len));
// The client should have received |server_ctx2|'s OCSP response.
- SSL_get0_ocsp_response(client.get(), &data, &len);
- if (Bytes(kOCSPResponse) != Bytes(data, len)) {
- fprintf(stderr, "Incorrect OCSP response received.\n");
- return false;
- }
-
- return true;
+ SSL_get0_ocsp_response(client_.get(), &data, &len);
+ EXPECT_EQ(Bytes(kOCSPResponse), Bytes(data, len));
}
// Test that the early callback can swap the maximum version.
@@ -2804,95 +2691,46 @@
}
}
-static bool TestVersion(bool is_dtls, const SSL_METHOD *method,
- uint16_t version) {
- bssl::UniquePtr<X509> cert = GetTestCertificate();
- bssl::UniquePtr<EVP_PKEY> key = GetTestKey();
- if (!cert || !key) {
- return false;
- }
+TEST_P(SSLVersionTest, Version) {
+ ASSERT_TRUE(Connect());
- bssl::UniquePtr<SSL_CTX> server_ctx(SSL_CTX_new(method));
- bssl::UniquePtr<SSL_CTX> client_ctx(SSL_CTX_new(method));
- bssl::UniquePtr<SSL> client, server;
- if (!server_ctx || !client_ctx ||
- !SSL_CTX_use_certificate(server_ctx.get(), cert.get()) ||
- !SSL_CTX_use_PrivateKey(server_ctx.get(), key.get()) ||
- !SSL_CTX_set_min_proto_version(client_ctx.get(), version) ||
- !SSL_CTX_set_max_proto_version(client_ctx.get(), version) ||
- !SSL_CTX_set_min_proto_version(server_ctx.get(), version) ||
- !SSL_CTX_set_max_proto_version(server_ctx.get(), version) ||
- !ConnectClientAndServer(&client, &server, client_ctx.get(),
- server_ctx.get(), nullptr /* no session */)) {
- fprintf(stderr, "Failed to connect.\n");
- return false;
- }
-
- if (SSL_version(client.get()) != version ||
- SSL_version(server.get()) != version) {
- fprintf(stderr, "Version mismatch. Got %04x and %04x, wanted %04x.\n",
- SSL_version(client.get()), SSL_version(server.get()), version);
- return false;
- }
+ EXPECT_EQ(SSL_version(client_.get()), version());
+ EXPECT_EQ(SSL_version(server_.get()), version());
// Test the version name is reported as expected.
- const char *version_name = GetVersionName(version);
- if (strcmp(version_name, SSL_get_version(client.get())) != 0 ||
- strcmp(version_name, SSL_get_version(server.get())) != 0) {
- fprintf(stderr, "Version name mismatch. Got '%s' and '%s', wanted '%s'.\n",
- SSL_get_version(client.get()), SSL_get_version(server.get()),
- version_name);
- return false;
- }
+ const char *version_name = GetVersionName(version());
+ EXPECT_EQ(strcmp(version_name, SSL_get_version(client_.get())), 0);
+ EXPECT_EQ(strcmp(version_name, SSL_get_version(server_.get())), 0);
// Test SSL_SESSION reports the same name.
const char *client_name =
- SSL_SESSION_get_version(SSL_get_session(client.get()));
+ SSL_SESSION_get_version(SSL_get_session(client_.get()));
const char *server_name =
- SSL_SESSION_get_version(SSL_get_session(server.get()));
- if (strcmp(version_name, client_name) != 0 ||
- strcmp(version_name, server_name) != 0) {
- fprintf(stderr,
- "Session version name mismatch. Got '%s' and '%s', wanted '%s'.\n",
- client_name, server_name, version_name);
- return false;
- }
-
- return true;
+ SSL_SESSION_get_version(SSL_get_session(server_.get()));
+ EXPECT_EQ(strcmp(version_name, client_name), 0);
+ EXPECT_EQ(strcmp(version_name, server_name), 0);
}
// Tests that that |SSL_get_pending_cipher| is available during the ALPN
// selection callback.
-static bool TestALPNCipherAvailable(bool is_dtls, const SSL_METHOD *method,
- uint16_t version) {
+TEST_P(SSLVersionTest, ALPNCipherAvailable) {
// SSL 3.0 lacks extensions.
- if (version == SSL3_VERSION) {
- return true;
+ if (version() == SSL3_VERSION) {
+ return;
}
+ ASSERT_TRUE(UseCertAndKey(client_ctx_.get()));
+
static const uint8_t kALPNProtos[] = {0x03, 'f', 'o', 'o'};
-
- bssl::UniquePtr<X509> cert = GetTestCertificate();
- bssl::UniquePtr<EVP_PKEY> key = GetTestKey();
- if (!cert || !key) {
- return false;
- }
-
- bssl::UniquePtr<SSL_CTX> ctx(SSL_CTX_new(method));
- if (!ctx || !SSL_CTX_use_certificate(ctx.get(), cert.get()) ||
- !SSL_CTX_use_PrivateKey(ctx.get(), key.get()) ||
- !SSL_CTX_set_min_proto_version(ctx.get(), version) ||
- !SSL_CTX_set_max_proto_version(ctx.get(), version) ||
- SSL_CTX_set_alpn_protos(ctx.get(), kALPNProtos, sizeof(kALPNProtos)) !=
- 0) {
- return false;
- }
+ ASSERT_EQ(SSL_CTX_set_alpn_protos(client_ctx_.get(), kALPNProtos,
+ sizeof(kALPNProtos)),
+ 0);
// The ALPN callback does not fail the handshake on error, so have the
// callback write a boolean.
- std::pair<uint16_t, bool> callback_state(version, false);
+ std::pair<uint16_t, bool> callback_state(version(), false);
SSL_CTX_set_alpn_select_cb(
- ctx.get(),
+ server_ctx_.get(),
[](SSL *ssl, const uint8_t **out, uint8_t *out_len, const uint8_t *in,
unsigned in_len, void *arg) -> int {
auto state = reinterpret_cast<std::pair<uint16_t, bool> *>(arg);
@@ -2904,81 +2742,37 @@
},
&callback_state);
- bssl::UniquePtr<SSL> client, server;
- if (!ConnectClientAndServer(&client, &server, ctx.get(), ctx.get(),
- nullptr /* no session */)) {
- return false;
- }
+ ASSERT_TRUE(Connect());
- if (!callback_state.second) {
- fprintf(stderr, "The pending cipher was not known in the ALPN callback.\n");
- return false;
- }
-
- return true;
+ ASSERT_TRUE(callback_state.second);
}
-static bool TestSSLClearSessionResumption(bool is_dtls,
- const SSL_METHOD *method,
- uint16_t version) {
+TEST_P(SSLVersionTest, SSLClearSessionResumption) {
// Skip this for TLS 1.3. TLS 1.3's ticket mechanism is incompatible with this
// API pattern.
- if (version == TLS1_3_VERSION) {
- return true;
+ if (version() == TLS1_3_VERSION) {
+ return;
}
- bssl::UniquePtr<X509> cert = GetTestCertificate();
- bssl::UniquePtr<EVP_PKEY> key = GetTestKey();
- bssl::UniquePtr<SSL_CTX> server_ctx(SSL_CTX_new(method));
- bssl::UniquePtr<SSL_CTX> client_ctx(SSL_CTX_new(method));
- if (!cert || !key || !server_ctx || !client_ctx ||
- !SSL_CTX_use_certificate(server_ctx.get(), cert.get()) ||
- !SSL_CTX_use_PrivateKey(server_ctx.get(), key.get()) ||
- !SSL_CTX_set_min_proto_version(client_ctx.get(), version) ||
- !SSL_CTX_set_max_proto_version(client_ctx.get(), version) ||
- !SSL_CTX_set_min_proto_version(server_ctx.get(), version) ||
- !SSL_CTX_set_max_proto_version(server_ctx.get(), version)) {
- return false;
- }
+ ASSERT_TRUE(Connect());
- // Connect a client and a server.
- bssl::UniquePtr<SSL> client, server;
- if (!ConnectClientAndServer(&client, &server, client_ctx.get(),
- server_ctx.get(), nullptr /* no session */)) {
- return false;
- }
-
- if (SSL_session_reused(client.get()) ||
- SSL_session_reused(server.get())) {
- fprintf(stderr, "Session unexpectedly reused.\n");
- return false;
- }
+ EXPECT_FALSE(SSL_session_reused(client_.get()));
+ EXPECT_FALSE(SSL_session_reused(server_.get()));
// Reset everything.
- if (!SSL_clear(client.get()) ||
- !SSL_clear(server.get())) {
- fprintf(stderr, "SSL_clear failed.\n");
- return false;
- }
+ ASSERT_TRUE(SSL_clear(client_.get()));
+ ASSERT_TRUE(SSL_clear(server_.get()));
// Attempt to connect a second time.
- if (!CompleteHandshakes(client.get(), server.get())) {
- fprintf(stderr, "Could not reuse SSL objects.\n");
- return false;
- }
+ ASSERT_TRUE(CompleteHandshakes(client_.get(), server_.get()));
// |SSL_clear| should implicitly offer the previous session to the server.
- if (!SSL_session_reused(client.get()) ||
- !SSL_session_reused(server.get())) {
- fprintf(stderr, "Session was not reused in second try.\n");
- return false;
- }
-
- return true;
+ EXPECT_TRUE(SSL_session_reused(client_.get()));
+ EXPECT_TRUE(SSL_session_reused(server_.get()));
}
-static bool ChainsEqual(STACK_OF(X509) *chain,
- const std::vector<X509 *> &expected) {
+static bool ChainsEqual(STACK_OF(X509) * chain,
+ const std::vector<X509 *> &expected) {
if (sk_X509_num(chain) != expected.size()) {
return false;
}
@@ -2992,91 +2786,60 @@
return true;
}
-static bool TestAutoChain(bool is_dtls, const SSL_METHOD *method,
- uint16_t version) {
- bssl::UniquePtr<X509> cert = GetChainTestCertificate();
+TEST_P(SSLVersionTest, AutoChain) {
+ cert_ = GetChainTestCertificate();
+ ASSERT_TRUE(cert_);
+ key_ = GetChainTestKey();
+ ASSERT_TRUE(key_);
bssl::UniquePtr<X509> intermediate = GetChainTestIntermediate();
- bssl::UniquePtr<EVP_PKEY> key = GetChainTestKey();
- if (!cert || !intermediate || !key) {
- return false;
- }
+ ASSERT_TRUE(intermediate);
+
+ ASSERT_TRUE(UseCertAndKey(client_ctx_.get()));
+ ASSERT_TRUE(UseCertAndKey(server_ctx_.get()));
// Configure both client and server to accept any certificate. Add
// |intermediate| to the cert store.
- bssl::UniquePtr<SSL_CTX> ctx(SSL_CTX_new(method));
- if (!ctx ||
- !SSL_CTX_use_certificate(ctx.get(), cert.get()) ||
- !SSL_CTX_use_PrivateKey(ctx.get(), key.get()) ||
- !SSL_CTX_set_min_proto_version(ctx.get(), version) ||
- !SSL_CTX_set_max_proto_version(ctx.get(), version) ||
- !X509_STORE_add_cert(SSL_CTX_get_cert_store(ctx.get()),
- intermediate.get())) {
- return false;
- }
- SSL_CTX_set_verify(
- ctx.get(), SSL_VERIFY_PEER | SSL_VERIFY_FAIL_IF_NO_PEER_CERT, nullptr);
- SSL_CTX_set_cert_verify_callback(ctx.get(), VerifySucceed, NULL);
+ ASSERT_TRUE(X509_STORE_add_cert(SSL_CTX_get_cert_store(client_ctx_.get()),
+ intermediate.get()));
+ ASSERT_TRUE(X509_STORE_add_cert(SSL_CTX_get_cert_store(server_ctx_.get()),
+ intermediate.get()));
+ SSL_CTX_set_verify(client_ctx_.get(),
+ SSL_VERIFY_PEER | SSL_VERIFY_FAIL_IF_NO_PEER_CERT,
+ nullptr);
+ SSL_CTX_set_verify(server_ctx_.get(),
+ SSL_VERIFY_PEER | SSL_VERIFY_FAIL_IF_NO_PEER_CERT,
+ nullptr);
+ SSL_CTX_set_cert_verify_callback(client_ctx_.get(), VerifySucceed, NULL);
+ SSL_CTX_set_cert_verify_callback(server_ctx_.get(), VerifySucceed, NULL);
// By default, the client and server should each only send the leaf.
- bssl::UniquePtr<SSL> client, server;
- if (!ConnectClientAndServer(&client, &server, ctx.get(), ctx.get(),
- nullptr /* no session */)) {
- return false;
- }
+ ASSERT_TRUE(Connect());
- if (!ChainsEqual(SSL_get_peer_full_cert_chain(client.get()), {cert.get()})) {
- fprintf(stderr, "Client-received chain did not match.\n");
- return false;
- }
-
- if (!ChainsEqual(SSL_get_peer_full_cert_chain(server.get()), {cert.get()})) {
- fprintf(stderr, "Server-received chain did not match.\n");
- return false;
- }
+ EXPECT_TRUE(
+ ChainsEqual(SSL_get_peer_full_cert_chain(client_.get()), {cert_.get()}));
+ EXPECT_TRUE(
+ ChainsEqual(SSL_get_peer_full_cert_chain(server_.get()), {cert_.get()}));
// If auto-chaining is enabled, then the intermediate is sent.
- SSL_CTX_clear_mode(ctx.get(), SSL_MODE_NO_AUTO_CHAIN);
- if (!ConnectClientAndServer(&client, &server, ctx.get(), ctx.get(),
- nullptr /* no session */)) {
- return false;
- }
+ SSL_CTX_clear_mode(client_ctx_.get(), SSL_MODE_NO_AUTO_CHAIN);
+ SSL_CTX_clear_mode(server_ctx_.get(), SSL_MODE_NO_AUTO_CHAIN);
+ ASSERT_TRUE(Connect());
- if (!ChainsEqual(SSL_get_peer_full_cert_chain(client.get()),
- {cert.get(), intermediate.get()})) {
- fprintf(stderr, "Client-received chain did not match (auto-chaining).\n");
- return false;
- }
-
- if (!ChainsEqual(SSL_get_peer_full_cert_chain(server.get()),
- {cert.get(), intermediate.get()})) {
- fprintf(stderr, "Server-received chain did not match (auto-chaining).\n");
- return false;
- }
+ EXPECT_TRUE(ChainsEqual(SSL_get_peer_full_cert_chain(client_.get()),
+ {cert_.get(), intermediate.get()}));
+ EXPECT_TRUE(ChainsEqual(SSL_get_peer_full_cert_chain(server_.get()),
+ {cert_.get(), intermediate.get()}));
// Auto-chaining does not override explicitly-configured intermediates.
- if (!SSL_CTX_add1_chain_cert(ctx.get(), cert.get()) ||
- !ConnectClientAndServer(&client, &server, ctx.get(), ctx.get(),
- nullptr /* no session */)) {
- return false;
- }
+ ASSERT_TRUE(SSL_CTX_add1_chain_cert(client_ctx_.get(), cert_.get()));
+ ASSERT_TRUE(SSL_CTX_add1_chain_cert(server_ctx_.get(), cert_.get()));
+ ASSERT_TRUE(Connect());
- if (!ChainsEqual(SSL_get_peer_full_cert_chain(client.get()),
- {cert.get(), cert.get()})) {
- fprintf(stderr,
- "Client-received chain did not match (auto-chaining, explicit "
- "intermediate).\n");
- return false;
- }
+ EXPECT_TRUE(ChainsEqual(SSL_get_peer_full_cert_chain(client_.get()),
+ {cert_.get(), cert_.get()}));
- if (!ChainsEqual(SSL_get_peer_full_cert_chain(server.get()),
- {cert.get(), cert.get()})) {
- fprintf(stderr,
- "Server-received chain did not match (auto-chaining, explicit "
- "intermediate).\n");
- return false;
- }
-
- return true;
+ EXPECT_TRUE(ChainsEqual(SSL_get_peer_full_cert_chain(server_.get()),
+ {cert_.get(), cert_.get()}));
}
static bool ExpectBadWriteRetry() {
@@ -3097,30 +2860,21 @@
return true;
}
-static bool TestSSLWriteRetry(bool is_dtls, const SSL_METHOD *method,
- uint16_t version) {
- if (is_dtls) {
- return true;
+TEST_P(SSLVersionTest, SSLWriteRetry) {
+ if (is_dtls()) {
+ return;
}
- for (bool enable_partial_write : std::vector<bool>{false, true}) {
+ for (bool enable_partial_write : {false, true}) {
+ SCOPED_TRACE(enable_partial_write);
+
// Connect a client and server.
- bssl::UniquePtr<X509> cert = GetTestCertificate();
- bssl::UniquePtr<EVP_PKEY> key = GetTestKey();
- bssl::UniquePtr<SSL_CTX> ctx(SSL_CTX_new(method));
- bssl::UniquePtr<SSL> client, server;
- if (!cert || !key || !ctx ||
- !SSL_CTX_use_certificate(ctx.get(), cert.get()) ||
- !SSL_CTX_use_PrivateKey(ctx.get(), key.get()) ||
- !SSL_CTX_set_min_proto_version(ctx.get(), version) ||
- !SSL_CTX_set_max_proto_version(ctx.get(), version) ||
- !ConnectClientAndServer(&client, &server, ctx.get(), ctx.get(),
- nullptr /* no session */)) {
- return false;
- }
+ ASSERT_TRUE(UseCertAndKey(client_ctx_.get()));
+
+ ASSERT_TRUE(Connect());
if (enable_partial_write) {
- SSL_set_mode(client.get(), SSL_MODE_ENABLE_PARTIAL_WRITE);
+ SSL_set_mode(client_.get(), SSL_MODE_ENABLE_PARTIAL_WRITE);
}
// Write without reading until the buffer is full and we have an unfinished
@@ -3130,83 +2884,57 @@
static const int kChunkLen = 5; // The length of "hello".
unsigned count = 0;
for (;;) {
- int ret = SSL_write(client.get(), data, kChunkLen);
+ int ret = SSL_write(client_.get(), data, kChunkLen);
if (ret <= 0) {
- int err = SSL_get_error(client.get(), ret);
- if (SSL_get_error(client.get(), ret) == SSL_ERROR_WANT_WRITE) {
- break;
- }
- fprintf(stderr, "SSL_write failed in unexpected way: %d\n", err);
- return false;
+ ASSERT_EQ(SSL_get_error(client_.get(), ret), SSL_ERROR_WANT_WRITE);
+ break;
}
- if (ret != 5) {
- fprintf(stderr, "SSL_write wrote %d bytes, expected 5.\n", ret);
- return false;
- }
+ ASSERT_EQ(ret, 5);
count++;
}
// Retrying with the same parameters is legal.
- if (SSL_get_error(client.get(), SSL_write(client.get(), data, kChunkLen)) !=
- SSL_ERROR_WANT_WRITE) {
- fprintf(stderr, "SSL_write retry unexpectedly failed.\n");
- return false;
- }
+ ASSERT_EQ(
+ SSL_get_error(client_.get(), SSL_write(client_.get(), data, kChunkLen)),
+ SSL_ERROR_WANT_WRITE);
// Retrying with the same buffer but shorter length is not legal.
- if (SSL_get_error(client.get(),
- SSL_write(client.get(), data, kChunkLen - 1)) !=
- SSL_ERROR_SSL ||
- !ExpectBadWriteRetry()) {
- fprintf(stderr, "SSL_write retry did not fail as expected.\n");
- return false;
- }
+ ASSERT_EQ(SSL_get_error(client_.get(),
+ SSL_write(client_.get(), data, kChunkLen - 1)),
+ SSL_ERROR_SSL);
+ ASSERT_TRUE(ExpectBadWriteRetry());
// Retrying with a different buffer pointer is not legal.
char data2[] = "hello";
- if (SSL_get_error(client.get(), SSL_write(client.get(), data2,
- kChunkLen)) != SSL_ERROR_SSL ||
- !ExpectBadWriteRetry()) {
- fprintf(stderr, "SSL_write retry did not fail as expected.\n");
- return false;
- }
+ ASSERT_EQ(SSL_get_error(client_.get(),
+ SSL_write(client_.get(), data2, kChunkLen)),
+ SSL_ERROR_SSL);
+ ASSERT_TRUE(ExpectBadWriteRetry());
// With |SSL_MODE_ACCEPT_MOVING_WRITE_BUFFER|, the buffer may move.
- SSL_set_mode(client.get(), SSL_MODE_ACCEPT_MOVING_WRITE_BUFFER);
- if (SSL_get_error(client.get(),
- SSL_write(client.get(), data2, kChunkLen)) !=
- SSL_ERROR_WANT_WRITE) {
- fprintf(stderr, "SSL_write retry unexpectedly failed.\n");
- return false;
- }
+ SSL_set_mode(client_.get(), SSL_MODE_ACCEPT_MOVING_WRITE_BUFFER);
+ ASSERT_EQ(SSL_get_error(client_.get(),
+ SSL_write(client_.get(), data2, kChunkLen)),
+ SSL_ERROR_WANT_WRITE);
// |SSL_MODE_ACCEPT_MOVING_WRITE_BUFFER| does not disable length checks.
- if (SSL_get_error(client.get(),
- SSL_write(client.get(), data2, kChunkLen - 1)) !=
- SSL_ERROR_SSL ||
- !ExpectBadWriteRetry()) {
- fprintf(stderr, "SSL_write retry did not fail as expected.\n");
- return false;
- }
+ ASSERT_EQ(SSL_get_error(client_.get(),
+ SSL_write(client_.get(), data2, kChunkLen - 1)),
+ SSL_ERROR_SSL);
+ ASSERT_TRUE(ExpectBadWriteRetry());
// Retrying with a larger buffer is legal.
- if (SSL_get_error(client.get(),
- SSL_write(client.get(), data, kChunkLen + 1)) !=
- SSL_ERROR_WANT_WRITE) {
- fprintf(stderr, "SSL_write retry unexpectedly failed.\n");
- return false;
- }
+ ASSERT_EQ(SSL_get_error(client_.get(),
+ SSL_write(client_.get(), data, kChunkLen + 1)),
+ SSL_ERROR_WANT_WRITE);
// Drain the buffer.
char buf[20];
for (unsigned i = 0; i < count; i++) {
- if (SSL_read(server.get(), buf, sizeof(buf)) != kChunkLen ||
- OPENSSL_memcmp(buf, "hello", kChunkLen) != 0) {
- fprintf(stderr, "Failed to read initial records.\n");
- return false;
- }
+ ASSERT_EQ(SSL_read(server_.get(), buf, sizeof(buf)), kChunkLen);
+ ASSERT_EQ(OPENSSL_memcmp(buf, "hello", kChunkLen), 0);
}
// Now that there is space, a retry with a larger buffer should flush the
@@ -3215,138 +2943,77 @@
// is set, this will complete in two steps.
char data3[] = "_____!";
if (enable_partial_write) {
- if (SSL_write(client.get(), data3, kChunkLen + 1) != kChunkLen ||
- SSL_write(client.get(), data3 + kChunkLen, 1) != 1) {
- fprintf(stderr, "SSL_write retry failed.\n");
- return false;
- }
- } else if (SSL_write(client.get(), data3, kChunkLen + 1) != kChunkLen + 1) {
- fprintf(stderr, "SSL_write retry failed.\n");
- return false;
+ ASSERT_EQ(SSL_write(client_.get(), data3, kChunkLen + 1), kChunkLen);
+ ASSERT_EQ(SSL_write(client_.get(), data3 + kChunkLen, 1), 1);
+ } else {
+ ASSERT_EQ(SSL_write(client_.get(), data3, kChunkLen + 1), kChunkLen + 1);
}
// Check the last write was correct. The data will be spread over two
// records, so SSL_read returns twice.
- if (SSL_read(server.get(), buf, sizeof(buf)) != kChunkLen ||
- OPENSSL_memcmp(buf, "hello", kChunkLen) != 0 ||
- SSL_read(server.get(), buf, sizeof(buf)) != 1 ||
- buf[0] != '!') {
- fprintf(stderr, "Failed to read write retry.\n");
- return false;
- }
+ ASSERT_EQ(SSL_read(server_.get(), buf, sizeof(buf)), kChunkLen);
+ ASSERT_EQ(OPENSSL_memcmp(buf, "hello", kChunkLen), 0);
+ ASSERT_EQ(SSL_read(server_.get(), buf, sizeof(buf)), 1);
+ ASSERT_EQ(buf[0], '!');
}
-
- return true;
}
-static bool TestRecordCallback(bool is_dtls, const SSL_METHOD *method,
- uint16_t version) {
- bssl::UniquePtr<X509> cert = GetChainTestCertificate();
- bssl::UniquePtr<X509> intermediate = GetChainTestIntermediate();
- bssl::UniquePtr<EVP_PKEY> key = GetChainTestKey();
- if (!cert || !intermediate || !key) {
- return false;
+TEST_P(SSLVersionTest, RecordCallback) {
+ for (bool test_server : {true, false}) {
+ SCOPED_TRACE(test_server);
+ ResetContexts();
+
+ bool read_seen = false;
+ bool write_seen = false;
+ auto cb = [&](int is_write, int cb_version, int cb_type, const void *buf,
+ size_t len, SSL *ssl) {
+ if (cb_type != SSL3_RT_HEADER) {
+ return;
+ }
+
+ // The callback does not report a version for records.
+ EXPECT_EQ(0, cb_version);
+
+ if (is_write) {
+ write_seen = true;
+ } else {
+ read_seen = true;
+ }
+
+ // Sanity-check that the record header is plausible.
+ CBS cbs;
+ CBS_init(&cbs, reinterpret_cast<const uint8_t *>(buf), len);
+ uint8_t type;
+ uint16_t record_version, length;
+ ASSERT_TRUE(CBS_get_u8(&cbs, &type));
+ ASSERT_TRUE(CBS_get_u16(&cbs, &record_version));
+ EXPECT_TRUE(record_version == version() ||
+ record_version == (is_dtls() ? DTLS1_VERSION : TLS1_VERSION))
+ << "Invalid record version: " << record_version;
+ if (is_dtls()) {
+ uint16_t epoch;
+ ASSERT_TRUE(CBS_get_u16(&cbs, &epoch));
+ EXPECT_TRUE(epoch == 0 || epoch == 1) << "Invalid epoch: " << epoch;
+ ASSERT_TRUE(CBS_skip(&cbs, 6));
+ }
+ ASSERT_TRUE(CBS_get_u16(&cbs, &length));
+ EXPECT_EQ(0u, CBS_len(&cbs));
+ };
+ using CallbackType = decltype(cb);
+ SSL_CTX *ctx = test_server ? server_ctx_.get() : client_ctx_.get();
+ SSL_CTX_set_msg_callback(
+ ctx, [](int is_write, int cb_version, int cb_type, const void *buf,
+ size_t len, SSL *ssl, void *arg) {
+ CallbackType *cb_ptr = reinterpret_cast<CallbackType *>(arg);
+ (*cb_ptr)(is_write, cb_version, cb_type, buf, len, ssl);
+ });
+ SSL_CTX_set_msg_callback_arg(ctx, &cb);
+
+ ASSERT_TRUE(Connect());
+
+ EXPECT_TRUE(read_seen);
+ EXPECT_TRUE(write_seen);
}
-
- bssl::UniquePtr<SSL_CTX> ctx(SSL_CTX_new(method));
- if (!ctx ||
- !SSL_CTX_use_certificate(ctx.get(), cert.get()) ||
- !SSL_CTX_use_PrivateKey(ctx.get(), key.get()) ||
- !SSL_CTX_set_min_proto_version(ctx.get(), version) ||
- !SSL_CTX_set_max_proto_version(ctx.get(), version)) {
- return false;
- }
-
- bool read_seen = false;
- bool write_seen = false;
- auto cb = [&](int is_write, int cb_version, int cb_type, const void *buf,
- size_t len, SSL *ssl) {
- if (cb_type != SSL3_RT_HEADER) {
- return;
- }
-
- // The callback does not report a version for records.
- EXPECT_EQ(0, cb_version);
-
- if (is_write) {
- write_seen = true;
- } else {
- read_seen = true;
- }
-
- // Sanity-check that the record header is plausible.
- CBS cbs;
- CBS_init(&cbs, reinterpret_cast<const uint8_t *>(buf), len);
- uint8_t type;
- uint16_t record_version, length;
- ASSERT_TRUE(CBS_get_u8(&cbs, &type));
- ASSERT_TRUE(CBS_get_u16(&cbs, &record_version));
- EXPECT_TRUE(record_version == version ||
- record_version == (is_dtls ? DTLS1_VERSION : TLS1_VERSION))
- << "Invalid record version: " << record_version;
- if (is_dtls) {
- uint16_t epoch;
- ASSERT_TRUE(CBS_get_u16(&cbs, &epoch));
- EXPECT_TRUE(epoch == 0 || epoch == 1) << "Invalid epoch: " << epoch;
- ASSERT_TRUE(CBS_skip(&cbs, 6));
- }
- ASSERT_TRUE(CBS_get_u16(&cbs, &length));
- EXPECT_EQ(0u, CBS_len(&cbs));
- };
- using CallbackType = decltype(cb);
- SSL_CTX_set_msg_callback(
- ctx.get(), [](int is_write, int cb_version, int cb_type, const void *buf,
- size_t len, SSL *ssl, void *arg) {
- CallbackType *cb_ptr = reinterpret_cast<CallbackType *>(arg);
- (*cb_ptr)(is_write, cb_version, cb_type, buf, len, ssl);
- });
- SSL_CTX_set_msg_callback_arg(ctx.get(), &cb);
-
- bssl::UniquePtr<SSL> client, server;
- if (!ConnectClientAndServer(&client, &server, ctx.get(), ctx.get(),
- nullptr /* no session */)) {
- return false;
- }
-
- EXPECT_TRUE(read_seen);
- EXPECT_TRUE(write_seen);
- return true;
-}
-
-
-static bool ForEachVersion(bool (*test_func)(bool is_dtls,
- const SSL_METHOD *method,
- uint16_t version)) {
- static uint16_t kTLSVersions[] = {
- SSL3_VERSION,
- TLS1_VERSION,
- TLS1_1_VERSION,
- TLS1_2_VERSION,
-// TLS 1.3 requires RSA-PSS, which is disabled for Android system builds.
-#if !defined(BORINGSSL_ANDROID_SYSTEM)
- TLS1_3_VERSION,
-#endif
- };
-
- static uint16_t kDTLSVersions[] = {
- DTLS1_VERSION, DTLS1_2_VERSION,
- };
-
- for (uint16_t version : kTLSVersions) {
- if (!test_func(false, TLS_method(), version)) {
- fprintf(stderr, "Test failed at TLS version %04x.\n", version);
- return false;
- }
- }
-
- for (uint16_t version : kDTLSVersions) {
- if (!test_func(true, DTLS_method(), version)) {
- fprintf(stderr, "Test failed at DTLS version %04x.\n", version);
- return false;
- }
- }
-
- return true;
}
TEST(SSLTest, AddChainCertHack) {
@@ -4046,21 +3713,10 @@
// Test the padding extension at TLS 1.3 with a TLS 1.3 session, so there
// will be a PSK binder after the padding extension.
!TestPaddingExtension(TLS1_3_VERSION, TLS1_3_DRAFT_VERSION) ||
- !ForEachVersion(TestSequenceNumber) ||
- !ForEachVersion(TestOneSidedShutdown) ||
- !ForEachVersion(TestGetPeerCertificate) ||
- !ForEachVersion(TestNoPeerCertificate) ||
- !ForEachVersion(TestRetainOnlySHA256OfCerts) ||
- !TestClientHello() ||
- !ForEachVersion(TestSessionIDContext) ||
- !ForEachVersion(TestSessionTimeout) ||
- !ForEachVersion(TestSNICallback) ||
- !ForEachVersion(TestVersion) ||
- !ForEachVersion(TestALPNCipherAvailable) ||
- !ForEachVersion(TestSSLClearSessionResumption) ||
- !ForEachVersion(TestAutoChain) ||
- !ForEachVersion(TestSSLWriteRetry) ||
- !ForEachVersion(TestRecordCallback)) {
+ !TestClientHello()) {
ADD_FAILURE() << "Tests failed";
}
}
+
+} // namespace
+} // namespace bssl
diff --git a/src/ssl/t1_lib.cc b/src/ssl/t1_lib.cc
index 39f4be6..e50710a 100644
--- a/src/ssl/t1_lib.cc
+++ b/src/ssl/t1_lib.cc
@@ -1327,11 +1327,14 @@
* requirement, so tolerate this.
*
* TODO(davidben): Enforce this anyway. */
- if (!ssl->s3->session_reused &&
- !CBS_stow(contents, &hs->new_session->tlsext_signed_cert_timestamp_list,
- &hs->new_session->tlsext_signed_cert_timestamp_list_length)) {
- *out_alert = SSL_AD_INTERNAL_ERROR;
- return 0;
+ if (!ssl->s3->session_reused) {
+ CRYPTO_BUFFER_free(hs->new_session->signed_cert_timestamp_list);
+ hs->new_session->signed_cert_timestamp_list =
+ CRYPTO_BUFFER_new_from_CBS(contents, ssl->ctx->pool);
+ if (hs->new_session->signed_cert_timestamp_list == nullptr) {
+ *out_alert = SSL_AD_INTERNAL_ERROR;
+ return 0;
+ }
}
return 1;
@@ -2795,7 +2798,6 @@
hs->extensions.received = 0;
hs->custom_extensions.received = 0;
-
CBS extensions;
CBS_init(&extensions, client_hello->extensions, client_hello->extensions_len);
while (CBS_len(&extensions) != 0) {
@@ -2919,6 +2921,7 @@
tls_extension_find(&ext_index, type);
if (ext == NULL) {
+ hs->received_custom_extension = 1;
if (!custom_ext_parse_serverhello(hs, out_alert, type, &extension)) {
return 0;
}
@@ -3004,60 +3007,20 @@
return 1;
}
-static enum ssl_ticket_aead_result_t
-ssl_decrypt_ticket_with_cipher_ctx(SSL *ssl, uint8_t **out, size_t *out_len,
- int *out_renew_ticket, const uint8_t *ticket,
- size_t ticket_len) {
- const SSL_CTX *const ssl_ctx = ssl->session_ctx;
-
- ScopedHMAC_CTX hmac_ctx;
- ScopedEVP_CIPHER_CTX cipher_ctx;
-
- /* Ensure there is room for the key name and the largest IV
- * |tlsext_ticket_key_cb| may try to consume. The real limit may be lower, but
- * the maximum IV length should be well under the minimum size for the
- * session material and HMAC. */
- if (ticket_len < SSL_TICKET_KEY_NAME_LEN + EVP_MAX_IV_LENGTH) {
- return ssl_ticket_aead_ignore_ticket;
- }
- const uint8_t *iv = ticket + SSL_TICKET_KEY_NAME_LEN;
-
- if (ssl_ctx->tlsext_ticket_key_cb != NULL) {
- int cb_ret = ssl_ctx->tlsext_ticket_key_cb(
- ssl, (uint8_t *)ticket /* name */, (uint8_t *)iv, cipher_ctx.get(),
- hmac_ctx.get(), 0 /* decrypt */);
- if (cb_ret < 0) {
- return ssl_ticket_aead_error;
- } else if (cb_ret == 0) {
- return ssl_ticket_aead_ignore_ticket;
- } else if (cb_ret == 2) {
- *out_renew_ticket = 1;
- }
- } else {
- /* Check the key name matches. */
- if (OPENSSL_memcmp(ticket, ssl_ctx->tlsext_tick_key_name,
- SSL_TICKET_KEY_NAME_LEN) != 0) {
- return ssl_ticket_aead_ignore_ticket;
- }
- if (!HMAC_Init_ex(hmac_ctx.get(), ssl_ctx->tlsext_tick_hmac_key,
- sizeof(ssl_ctx->tlsext_tick_hmac_key), tlsext_tick_md(),
- NULL) ||
- !EVP_DecryptInit_ex(cipher_ctx.get(), EVP_aes_128_cbc(), NULL,
- ssl_ctx->tlsext_tick_aes_key, iv)) {
- return ssl_ticket_aead_error;
- }
- }
- size_t iv_len = EVP_CIPHER_CTX_iv_length(cipher_ctx.get());
+static enum ssl_ticket_aead_result_t decrypt_ticket_with_cipher_ctx(
+ uint8_t **out, size_t *out_len, EVP_CIPHER_CTX *cipher_ctx,
+ HMAC_CTX *hmac_ctx, const uint8_t *ticket, size_t ticket_len) {
+ size_t iv_len = EVP_CIPHER_CTX_iv_length(cipher_ctx);
/* Check the MAC at the end of the ticket. */
uint8_t mac[EVP_MAX_MD_SIZE];
- size_t mac_len = HMAC_size(hmac_ctx.get());
+ size_t mac_len = HMAC_size(hmac_ctx);
if (ticket_len < SSL_TICKET_KEY_NAME_LEN + iv_len + 1 + mac_len) {
/* The ticket must be large enough for key name, IV, data, and MAC. */
return ssl_ticket_aead_ignore_ticket;
}
- HMAC_Update(hmac_ctx.get(), ticket, ticket_len - mac_len);
- HMAC_Final(hmac_ctx.get(), mac, NULL);
+ HMAC_Update(hmac_ctx, ticket, ticket_len - mac_len);
+ HMAC_Final(hmac_ctx, mac, NULL);
int mac_ok =
CRYPTO_memcmp(mac, ticket + (ticket_len - mac_len), mac_len) == 0;
#if defined(BORINGSSL_UNSAFE_FUZZER_MODE)
@@ -3084,9 +3047,9 @@
return ssl_ticket_aead_ignore_ticket;
}
int len1, len2;
- if (!EVP_DecryptUpdate(cipher_ctx.get(), plaintext.get(), &len1, ciphertext,
+ if (!EVP_DecryptUpdate(cipher_ctx, plaintext.get(), &len1, ciphertext,
(int)ciphertext_len) ||
- !EVP_DecryptFinal_ex(cipher_ctx.get(), plaintext.get() + len1, &len2)) {
+ !EVP_DecryptFinal_ex(cipher_ctx, plaintext.get() + len1, &len2)) {
ERR_clear_error();
return ssl_ticket_aead_ignore_ticket;
}
@@ -3098,6 +3061,69 @@
return ssl_ticket_aead_success;
}
+static enum ssl_ticket_aead_result_t ssl_decrypt_ticket_with_cb(
+ SSL *ssl, uint8_t **out, size_t *out_len, int *out_renew_ticket,
+ const uint8_t *ticket, size_t ticket_len) {
+ assert(ticket_len >= SSL_TICKET_KEY_NAME_LEN + EVP_MAX_IV_LENGTH);
+ ScopedEVP_CIPHER_CTX cipher_ctx;
+ ScopedHMAC_CTX hmac_ctx;
+ const uint8_t *iv = ticket + SSL_TICKET_KEY_NAME_LEN;
+ int cb_ret = ssl->session_ctx->tlsext_ticket_key_cb(
+ ssl, (uint8_t *)ticket /* name */, (uint8_t *)iv, cipher_ctx.get(),
+ hmac_ctx.get(), 0 /* decrypt */);
+ if (cb_ret < 0) {
+ return ssl_ticket_aead_error;
+ } else if (cb_ret == 0) {
+ return ssl_ticket_aead_ignore_ticket;
+ } else if (cb_ret == 2) {
+ *out_renew_ticket = 1;
+ } else {
+ assert(cb_ret == 1);
+ }
+ return decrypt_ticket_with_cipher_ctx(out, out_len, cipher_ctx.get(),
+ hmac_ctx.get(), ticket, ticket_len);
+}
+
+static enum ssl_ticket_aead_result_t ssl_decrypt_ticket_with_ticket_keys(
+ SSL *ssl, uint8_t **out, size_t *out_len, const uint8_t *ticket,
+ size_t ticket_len) {
+ assert(ticket_len >= SSL_TICKET_KEY_NAME_LEN + EVP_MAX_IV_LENGTH);
+ SSL_CTX *ctx = ssl->session_ctx;
+
+ /* Rotate the ticket key if necessary. */
+ if (!ssl_ctx_rotate_ticket_encryption_key(ctx)) {
+ return ssl_ticket_aead_error;
+ }
+
+ /* Pick the matching ticket key and decrypt. */
+ ScopedEVP_CIPHER_CTX cipher_ctx;
+ ScopedHMAC_CTX hmac_ctx;
+ {
+ MutexReadLock lock(&ctx->lock);
+ const tlsext_ticket_key *key;
+ if (ctx->tlsext_ticket_key_current &&
+ !OPENSSL_memcmp(ctx->tlsext_ticket_key_current->name, ticket,
+ SSL_TICKET_KEY_NAME_LEN)) {
+ key = ctx->tlsext_ticket_key_current;
+ } else if (ctx->tlsext_ticket_key_prev &&
+ !OPENSSL_memcmp(ctx->tlsext_ticket_key_prev->name, ticket,
+ SSL_TICKET_KEY_NAME_LEN)) {
+ key = ctx->tlsext_ticket_key_prev;
+ } else {
+ return ssl_ticket_aead_ignore_ticket;
+ }
+ const uint8_t *iv = ticket + SSL_TICKET_KEY_NAME_LEN;
+ if (!HMAC_Init_ex(hmac_ctx.get(), key->hmac_key, sizeof(key->hmac_key),
+ tlsext_tick_md(), NULL) ||
+ !EVP_DecryptInit_ex(cipher_ctx.get(), EVP_aes_128_cbc(), NULL,
+ key->aes_key, iv)) {
+ return ssl_ticket_aead_error;
+ }
+ }
+ return decrypt_ticket_with_cipher_ctx(out, out_len, cipher_ctx.get(),
+ hmac_ctx.get(), ticket, ticket_len);
+}
+
static enum ssl_ticket_aead_result_t ssl_decrypt_ticket_with_method(
SSL *ssl, uint8_t **out, size_t *out_len, int *out_renew_ticket,
const uint8_t *ticket, size_t ticket_len) {
@@ -3141,8 +3167,20 @@
result = ssl_decrypt_ticket_with_method(
ssl, &plaintext, &plaintext_len, out_renew_ticket, ticket, ticket_len);
} else {
- result = ssl_decrypt_ticket_with_cipher_ctx(
- ssl, &plaintext, &plaintext_len, out_renew_ticket, ticket, ticket_len);
+ /* Ensure there is room for the key name and the largest IV
+ * |tlsext_ticket_key_cb| may try to consume. The real limit may be lower,
+ * but the maximum IV length should be well under the minimum size for the
+ * session material and HMAC. */
+ if (ticket_len < SSL_TICKET_KEY_NAME_LEN + EVP_MAX_IV_LENGTH) {
+ return ssl_ticket_aead_ignore_ticket;
+ }
+ if (ssl->session_ctx->tlsext_ticket_key_cb != NULL) {
+ result = ssl_decrypt_ticket_with_cb(ssl, &plaintext, &plaintext_len,
+ out_renew_ticket, ticket, ticket_len);
+ } else {
+ result = ssl_decrypt_ticket_with_ticket_keys(
+ ssl, &plaintext, &plaintext_len, ticket, ticket_len);
+ }
}
if (result != ssl_ticket_aead_success) {
diff --git a/src/ssl/test/bssl_shim.cc b/src/ssl/test/bssl_shim.cc
index 8f4126e..7179832 100644
--- a/src/ssl/test/bssl_shim.cc
+++ b/src/ssl/test/bssl_shim.cc
@@ -115,6 +115,7 @@
bool custom_verify_ready = false;
std::string msg_callback_text;
bool msg_callback_ok = true;
+ bool cert_verified = false;
};
static void TestStateExFree(void *parent, void *ptr, CRYPTO_EX_DATA *ad,
@@ -699,6 +700,11 @@
}
}
+ if (GetTestState(ssl)->cert_verified) {
+ fprintf(stderr, "Certificate verified twice.\n");
+ return false;
+ }
+
return true;
}
@@ -715,6 +721,7 @@
return 0;
}
+ GetTestState(ssl)->cert_verified = true;
return 1;
}
@@ -732,6 +739,7 @@
return ssl_verify_invalid;
}
+ GetTestState(ssl)->cert_verified = true;
return ssl_verify_ok;
}
@@ -1483,11 +1491,111 @@
return 0x0201 + ~version;
}
+// CheckAuthProperties checks, after the initial handshake is completed or
+// after a renegotiation, that authentication-related properties match |config|.
+static bool CheckAuthProperties(SSL *ssl, bool is_resume,
+ const TestConfig *config) {
+ if (!config->expected_ocsp_response.empty()) {
+ const uint8_t *data;
+ size_t len;
+ SSL_get0_ocsp_response(ssl, &data, &len);
+ if (config->expected_ocsp_response.size() != len ||
+ OPENSSL_memcmp(config->expected_ocsp_response.data(), data, len) != 0) {
+ fprintf(stderr, "OCSP response mismatch\n");
+ return false;
+ }
+ }
+
+ if (!config->expected_signed_cert_timestamps.empty()) {
+ const uint8_t *data;
+ size_t len;
+ SSL_get0_signed_cert_timestamp_list(ssl, &data, &len);
+ if (config->expected_signed_cert_timestamps.size() != len ||
+ OPENSSL_memcmp(config->expected_signed_cert_timestamps.data(), data,
+ len) != 0) {
+ fprintf(stderr, "SCT list mismatch\n");
+ return false;
+ }
+ }
+
+ if (config->expect_verify_result) {
+ int expected_verify_result = config->verify_fail ?
+ X509_V_ERR_APPLICATION_VERIFICATION :
+ X509_V_OK;
+
+ if (SSL_get_verify_result(ssl) != expected_verify_result) {
+ fprintf(stderr, "Wrong certificate verification result\n");
+ return false;
+ }
+ }
+
+ if (!config->expect_peer_cert_file.empty()) {
+ bssl::UniquePtr<X509> expect_leaf;
+ bssl::UniquePtr<STACK_OF(X509)> expect_chain;
+ if (!LoadCertificate(&expect_leaf, &expect_chain,
+ config->expect_peer_cert_file)) {
+ return false;
+ }
+
+ // For historical reasons, clients report a chain with a leaf and servers
+ // without.
+ if (!config->is_server) {
+ if (!sk_X509_insert(expect_chain.get(), expect_leaf.get(), 0)) {
+ return false;
+ }
+ X509_up_ref(expect_leaf.get()); // sk_X509_push takes ownership.
+ }
+
+ bssl::UniquePtr<X509> leaf(SSL_get_peer_certificate(ssl));
+ STACK_OF(X509) *chain = SSL_get_peer_cert_chain(ssl);
+ if (X509_cmp(leaf.get(), expect_leaf.get()) != 0) {
+ fprintf(stderr, "Received a different leaf certificate than expected.\n");
+ return false;
+ }
+
+ if (sk_X509_num(chain) != sk_X509_num(expect_chain.get())) {
+ fprintf(stderr, "Received a chain of length %zu instead of %zu.\n",
+ sk_X509_num(chain), sk_X509_num(expect_chain.get()));
+ return false;
+ }
+
+ for (size_t i = 0; i < sk_X509_num(chain); i++) {
+ if (X509_cmp(sk_X509_value(chain, i),
+ sk_X509_value(expect_chain.get(), i)) != 0) {
+ fprintf(stderr, "Chain certificate %zu did not match.\n",
+ i + 1);
+ return false;
+ }
+ }
+ }
+
+ if (SSL_get_session(ssl)->peer_sha256_valid !=
+ config->expect_sha256_client_cert) {
+ fprintf(stderr,
+ "Unexpected SHA-256 client cert state: expected:%d is_resume:%d.\n",
+ config->expect_sha256_client_cert, is_resume);
+ return false;
+ }
+
+ if (config->expect_sha256_client_cert &&
+ SSL_get_session(ssl)->certs != nullptr) {
+ fprintf(stderr, "Have both client cert and SHA-256 hash: is_resume:%d.\n",
+ is_resume);
+ return false;
+ }
+
+ return true;
+}
+
// CheckHandshakeProperties checks, immediately after |ssl| completes its
// initial handshake (or False Starts), whether all the properties are
// consistent with the test configuration and invariants.
static bool CheckHandshakeProperties(SSL *ssl, bool is_resume,
const TestConfig *config) {
+ if (!CheckAuthProperties(ssl, is_resume, config)) {
+ return false;
+ }
+
if (SSL_get_current_cipher(ssl) == nullptr) {
fprintf(stderr, "null cipher after handshake\n");
return false;
@@ -1613,40 +1721,6 @@
return false;
}
- if (!config->expected_ocsp_response.empty()) {
- const uint8_t *data;
- size_t len;
- SSL_get0_ocsp_response(ssl, &data, &len);
- if (config->expected_ocsp_response.size() != len ||
- OPENSSL_memcmp(config->expected_ocsp_response.data(), data, len) != 0) {
- fprintf(stderr, "OCSP response mismatch\n");
- return false;
- }
- }
-
- if (!config->expected_signed_cert_timestamps.empty()) {
- const uint8_t *data;
- size_t len;
- SSL_get0_signed_cert_timestamp_list(ssl, &data, &len);
- if (config->expected_signed_cert_timestamps.size() != len ||
- OPENSSL_memcmp(config->expected_signed_cert_timestamps.data(), data,
- len) != 0) {
- fprintf(stderr, "SCT list mismatch\n");
- return false;
- }
- }
-
- if (config->expect_verify_result) {
- int expected_verify_result = config->verify_fail ?
- X509_V_ERR_APPLICATION_VERIFICATION :
- X509_V_OK;
-
- if (SSL_get_verify_result(ssl) != expected_verify_result) {
- fprintf(stderr, "Wrong certificate verification result\n");
- return false;
- }
- }
-
if (config->expect_peer_signature_algorithm != 0 &&
config->expect_peer_signature_algorithm !=
SSL_get_peer_signature_algorithm(ssl)) {
@@ -1705,65 +1779,6 @@
}
}
- if (!config->expect_peer_cert_file.empty()) {
- bssl::UniquePtr<X509> expect_leaf;
- bssl::UniquePtr<STACK_OF(X509)> expect_chain;
- if (!LoadCertificate(&expect_leaf, &expect_chain,
- config->expect_peer_cert_file)) {
- return false;
- }
-
- // For historical reasons, clients report a chain with a leaf and servers
- // without.
- if (!config->is_server) {
- if (!sk_X509_insert(expect_chain.get(), expect_leaf.get(), 0)) {
- return false;
- }
- X509_up_ref(expect_leaf.get()); // sk_X509_push takes ownership.
- }
-
- bssl::UniquePtr<X509> leaf(SSL_get_peer_certificate(ssl));
- STACK_OF(X509) *chain = SSL_get_peer_cert_chain(ssl);
- if (X509_cmp(leaf.get(), expect_leaf.get()) != 0) {
- fprintf(stderr, "Received a different leaf certificate than expected.\n");
- return false;
- }
-
- if (sk_X509_num(chain) != sk_X509_num(expect_chain.get())) {
- fprintf(stderr, "Received a chain of length %zu instead of %zu.\n",
- sk_X509_num(chain), sk_X509_num(expect_chain.get()));
- return false;
- }
-
- for (size_t i = 0; i < sk_X509_num(chain); i++) {
- if (X509_cmp(sk_X509_value(chain, i),
- sk_X509_value(expect_chain.get(), i)) != 0) {
- fprintf(stderr, "Chain certificate %zu did not match.\n",
- i + 1);
- return false;
- }
- }
- }
-
- bool expected_sha256_client_cert = config->expect_sha256_client_cert_initial;
- if (is_resume) {
- expected_sha256_client_cert = config->expect_sha256_client_cert_resume;
- }
-
- if (SSL_get_session(ssl)->peer_sha256_valid != expected_sha256_client_cert) {
- fprintf(stderr,
- "Unexpected SHA-256 client cert state: expected:%d is_resume:%d.\n",
- expected_sha256_client_cert, is_resume);
- return false;
- }
-
- if (expected_sha256_client_cert &&
- SSL_get_session(ssl)->certs != nullptr) {
- fprintf(stderr, "Have both client cert and SHA-256 hash: is_resume:%d.\n",
- is_resume);
- return false;
- }
-
if (is_resume && config->expect_ticket_age_skew != 0 &&
SSL_get_ticket_age_skew(ssl) != config->expect_ticket_age_skew) {
fprintf(stderr, "Ticket age skew was %" PRId32 ", wanted %d\n",
@@ -2006,10 +2021,7 @@
if (config->max_cert_list > 0) {
SSL_set_max_cert_list(ssl.get(), config->max_cert_list);
}
- if (!is_resume && config->retain_only_sha256_client_cert_initial) {
- SSL_set_retain_only_sha256_of_client_certs(ssl.get(), 1);
- }
- if (is_resume && config->retain_only_sha256_client_cert_resume) {
+ if (config->retain_only_sha256_client_cert) {
SSL_set_retain_only_sha256_of_client_certs(ssl.get(), 1);
}
if (config->max_send_fragment > 0) {
@@ -2372,6 +2384,21 @@
return false;
}
+ if (SSL_total_renegotiations(ssl) > 0) {
+ if (!SSL_get_session(ssl)->not_resumable) {
+ fprintf(stderr,
+ "Renegotiations should never produce resumable sessions.\n");
+ return false;
+ }
+
+ // Re-check authentication properties after a renegotiation. The reported
+ // values should remain unchanged even if the server sent different SCT
+ // lists.
+ if (!CheckAuthProperties(ssl, is_resume, config)) {
+ return false;
+ }
+ }
+
if (SSL_total_renegotiations(ssl) != config->expect_total_renegotiations) {
fprintf(stderr, "Expected %d renegotiations, got %d\n",
config->expect_total_renegotiations, SSL_total_renegotiations(ssl));
diff --git a/src/ssl/test/runner/common.go b/src/ssl/test/runner/common.go
index b402f38..b2f5277 100644
--- a/src/ssl/test/runner/common.go
+++ b/src/ssl/test/runner/common.go
@@ -886,6 +886,10 @@
// and include a copy of the full one.
MixCompleteMessageWithFragments bool
+ // RetransmitFinished, if true, causes the DTLS Finished message to be
+ // sent twice.
+ RetransmitFinished bool
+
// SendInvalidRecordType, if true, causes a record with an invalid
// content type to be sent immediately following the handshake.
SendInvalidRecordType bool
@@ -1081,11 +1085,19 @@
// supplied SCT list in resumption handshakes.
SendSCTListOnResume []byte
+ // SendSCTListOnRenegotiation, if not nil, causes the server to send the
+ // supplied SCT list on renegotiation.
+ SendSCTListOnRenegotiation []byte
+
// SendOCSPResponseOnResume, if not nil, causes the server to advertise
// OCSP stapling in resumption handshakes and, if applicable, send the
// supplied stapled response.
SendOCSPResponseOnResume []byte
+ // SendOCSPResponseOnResume, if not nil, causes the server to send the
+ // supplied OCSP response on renegotiation.
+ SendOCSPResponseOnRenegotiation []byte
+
// SendExtensionOnCertificate, if not nil, causes the runner to send the
// supplied bytes in the extensions on the Certificate message.
SendExtensionOnCertificate []byte
diff --git a/src/ssl/test/runner/dtls.go b/src/ssl/test/runner/dtls.go
index 42b3a65..c81955e 100644
--- a/src/ssl/test/runner/dtls.go
+++ b/src/ssl/test/runner/dtls.go
@@ -248,7 +248,11 @@
fragOffset += fragLen
n += fragLen
}
- if !isFinished && c.config.Bugs.MixCompleteMessageWithFragments {
+ shouldSendTwice := c.config.Bugs.MixCompleteMessageWithFragments
+ if isFinished {
+ shouldSendTwice = c.config.Bugs.RetransmitFinished
+ }
+ if shouldSendTwice {
fragment := c.makeFragment(header, data, 0, len(data))
c.pendingFragments = append(c.pendingFragments, fragment)
}
diff --git a/src/ssl/test/runner/handshake_server.go b/src/ssl/test/runner/handshake_server.go
index 194244d..5dee5fb 100644
--- a/src/ssl/test/runner/handshake_server.go
+++ b/src/ssl/test/runner/handshake_server.go
@@ -1442,6 +1442,10 @@
hs.hello.extensions.sctList = hs.cert.SignedCertificateTimestampList
}
+ if len(c.clientVerify) > 0 && config.Bugs.SendSCTListOnRenegotiation != nil {
+ hs.hello.extensions.sctList = config.Bugs.SendSCTListOnRenegotiation
+ }
+
hs.hello.extensions.ticketSupported = hs.clientHello.ticketSupported && !config.SessionTicketsDisabled && c.vers > VersionSSL30
hs.hello.cipherSuite = hs.suite.id
if config.Bugs.SendCipherSuite != 0 {
@@ -1488,6 +1492,9 @@
certStatus := new(certificateStatusMsg)
certStatus.statusType = statusTypeOCSP
certStatus.response = hs.cert.OCSPStaple
+ if len(c.clientVerify) > 0 && config.Bugs.SendOCSPResponseOnRenegotiation != nil {
+ certStatus.response = config.Bugs.SendOCSPResponseOnRenegotiation
+ }
hs.writeServerHash(certStatus.marshal())
c.writeRecord(recordTypeHandshake, certStatus.marshal())
}
diff --git a/src/ssl/test/runner/runner.go b/src/ssl/test/runner/runner.go
index 7e64fe5..56814d3 100644
--- a/src/ssl/test/runner/runner.go
+++ b/src/ssl/test/runner/runner.go
@@ -199,7 +199,9 @@
var channelIDBytes []byte
var testOCSPResponse = []byte{1, 2, 3, 4}
+var testOCSPResponse2 = []byte{5, 6, 7, 8}
var testSCTList = []byte{0, 6, 0, 4, 5, 6, 7, 8}
+var testSCTList2 = []byte{0, 6, 0, 4, 1, 2, 3, 4}
var testOCSPExtension = append([]byte{byte(extensionStatusRequest) >> 8, byte(extensionStatusRequest), 0, 8, statusTypeOCSP, 0, 0, 4}, testOCSPResponse...)
var testSCTExtension = append([]byte{byte(extensionSignedCertificateTimestamp) >> 8, byte(extensionSignedCertificateTimestamp), 0, byte(len(testSCTList))}, testSCTList...)
@@ -6473,10 +6475,6 @@
expectedError: ":UNEXPECTED_EXTENSION:",
})
- var differentSCTList []byte
- differentSCTList = append(differentSCTList, testSCTList...)
- differentSCTList[len(differentSCTList)-1] ^= 1
-
// Test that extensions on intermediates are allowed but ignored.
testCases = append(testCases, testCase{
name: "IgnoreExtensionsOnIntermediates-TLS13",
@@ -6487,8 +6485,8 @@
// Send different values on the intermediate. This tests
// the intermediate's extensions do not override the
// leaf's.
- SendOCSPOnIntermediates: []byte{1, 3, 3, 7},
- SendSCTOnIntermediates: differentSCTList,
+ SendOCSPOnIntermediates: testOCSPResponse2,
+ SendSCTOnIntermediates: testSCTList2,
},
},
flags: []string{
@@ -7543,6 +7541,34 @@
shouldFail: true,
expectedError: ":UNEXPECTED_EXTENSION:",
})
+
+ // The server may send different stapled OCSP responses or SCT lists on
+ // renegotiation, but BoringSSL ignores this and reports the old values.
+ // Also test that non-fatal verify results are preserved.
+ testCases = append(testCases, testCase{
+ testType: clientTest,
+ name: "Renegotiation-ChangeAuthProperties",
+ config: Config{
+ MaxVersion: VersionTLS12,
+ Bugs: ProtocolBugs{
+ SendOCSPResponseOnRenegotiation: testOCSPResponse2,
+ SendSCTListOnRenegotiation: testSCTList2,
+ },
+ },
+ renegotiate: 1,
+ flags: []string{
+ "-renegotiate-freely",
+ "-expect-total-renegotiations", "1",
+ "-enable-ocsp-stapling",
+ "-expect-ocsp-response",
+ base64.StdEncoding.EncodeToString(testOCSPResponse),
+ "-enable-signed-cert-timestamps",
+ "-expect-signed-cert-timestamps",
+ base64.StdEncoding.EncodeToString(testSCTList),
+ "-verify-fail",
+ "-expect-verify-result",
+ },
+ })
}
func addDTLSReplayTests() {
@@ -8782,6 +8808,38 @@
"-initial-timeout-duration-ms", "250",
},
})
+
+ // If the shim sends the last Finished (server full or client resume
+ // handshakes), it must retransmit that Finished when it sees a
+ // post-handshake penultimate Finished from the runner. The above tests
+ // cover this. Conversely, if the shim sends the penultimate Finished
+ // (client full or server resume), test that it does not retransmit.
+ testCases = append(testCases, testCase{
+ protocol: dtls,
+ testType: clientTest,
+ name: "DTLS-StrayRetransmitFinished-ClientFull",
+ config: Config{
+ MaxVersion: VersionTLS12,
+ Bugs: ProtocolBugs{
+ RetransmitFinished: true,
+ },
+ },
+ })
+ testCases = append(testCases, testCase{
+ protocol: dtls,
+ testType: serverTest,
+ name: "DTLS-StrayRetransmitFinished-ServerResume",
+ config: Config{
+ MaxVersion: VersionTLS12,
+ },
+ resumeConfig: &Config{
+ MaxVersion: VersionTLS12,
+ Bugs: ProtocolBugs{
+ RetransmitFinished: true,
+ },
+ },
+ resumeSession: true,
+ })
}
func addExportKeyingMaterialTests() {
@@ -8980,22 +9038,6 @@
flags: []string{flag},
})
- // 0-RTT is not currently supported with Custom Extensions.
- testCases = append(testCases, testCase{
- testType: testType,
- name: "CustomExtensions-" + suffix + "-EarlyData",
- config: Config{
- MaxVersion: VersionTLS13,
- Bugs: ProtocolBugs{
- CustomExtension: expectedContents,
- ExpectedCustomExtension: &expectedContents,
- },
- },
- shouldFail: true,
- expectedError: ":CUSTOM_EXTENSION_ERROR:",
- flags: []string{flag, "-enable-early-data"},
- })
-
// If the parse callback fails, the handshake should also fail.
testCases = append(testCases, testCase{
testType: testType,
@@ -9090,6 +9132,121 @@
})
}
+ // If the client sends both early data and custom extension, the handshake
+ // should succeed as long as both the extensions aren't returned by the
+ // server.
+ testCases = append(testCases, testCase{
+ testType: clientTest,
+ name: "CustomExtensions-Client-EarlyData-None",
+ config: Config{
+ MaxVersion: VersionTLS13,
+ MaxEarlyDataSize: 16384,
+ Bugs: ProtocolBugs{
+ ExpectedCustomExtension: &expectedContents,
+ AlwaysRejectEarlyData: true,
+ },
+ },
+ resumeSession: true,
+ flags: []string{
+ "-enable-client-custom-extension",
+ "-enable-early-data",
+ "-expect-early-data-info",
+ "-expect-reject-early-data",
+ },
+ })
+
+ testCases = append(testCases, testCase{
+ testType: clientTest,
+ name: "CustomExtensions-Client-EarlyData-EarlyDataAccepted",
+ config: Config{
+ MaxVersion: VersionTLS13,
+ MaxEarlyDataSize: 16384,
+ Bugs: ProtocolBugs{
+ ExpectedCustomExtension: &expectedContents,
+ },
+ },
+ resumeSession: true,
+ flags: []string{
+ "-enable-client-custom-extension",
+ "-enable-early-data",
+ "-expect-early-data-info",
+ "-expect-accept-early-data",
+ },
+ })
+
+ testCases = append(testCases, testCase{
+ testType: clientTest,
+ name: "CustomExtensions-Client-EarlyData-CustomExtensionAccepted",
+ config: Config{
+ MaxVersion: VersionTLS13,
+ MaxEarlyDataSize: 16384,
+ Bugs: ProtocolBugs{
+ AlwaysRejectEarlyData: true,
+ CustomExtension: expectedContents,
+ ExpectedCustomExtension: &expectedContents,
+ },
+ },
+ resumeSession: true,
+ flags: []string{
+ "-enable-client-custom-extension",
+ "-enable-early-data",
+ "-expect-early-data-info",
+ "-expect-reject-early-data",
+ },
+ })
+
+ testCases = append(testCases, testCase{
+ testType: clientTest,
+ name: "CustomExtensions-Client-EarlyDataAndCustomExtensions",
+ config: Config{
+ MaxVersion: VersionTLS13,
+ MaxEarlyDataSize: 16384,
+ Bugs: ProtocolBugs{
+ CustomExtension: expectedContents,
+ ExpectedCustomExtension: &expectedContents,
+ },
+ },
+ resumeConfig: &Config{
+ MaxVersion: VersionTLS13,
+ MaxEarlyDataSize: 16384,
+ Bugs: ProtocolBugs{
+ CustomExtension: expectedContents,
+ ExpectedCustomExtension: &expectedContents,
+ SendEarlyDataExtension: true,
+ },
+ },
+ resumeSession: true,
+ shouldFail: true,
+ expectedError: ":UNEXPECTED_EXTENSION_ON_EARLY_DATA:",
+ flags: []string{
+ "-enable-client-custom-extension",
+ "-enable-early-data",
+ "-expect-early-data-info",
+ },
+ })
+
+ // If the server receives both early data and custom extension, only the
+ // custom extension should be accepted.
+ testCases = append(testCases, testCase{
+ testType: serverTest,
+ name: "CustomExtensions-Server-EarlyDataAccepted",
+ config: Config{
+ MaxVersion: VersionTLS13,
+ MaxEarlyDataSize: 16384,
+ Bugs: ProtocolBugs{
+ CustomExtension: expectedContents,
+ ExpectedCustomExtension: &expectedContents,
+ ExpectEarlyDataAccepted: false,
+ },
+ },
+ resumeSession: true,
+ flags: []string{
+ "-enable-server-custom-extension",
+ "-enable-early-data",
+ "-expect-early-data-info",
+ },
+ })
+
// The custom extension add callback should not be called if the client
// doesn't send the extension.
testCases = append(testCases, testCase{
@@ -11661,7 +11818,7 @@
resumeSession: true,
expectChannelID: true,
shouldFail: true,
- expectedError: ":CHANNEL_ID_ON_EARLY_DATA:",
+ expectedError: ":UNEXPECTED_EXTENSION_ON_EARLY_DATA:",
flags: []string{
"-enable-early-data",
"-expect-early-data-info",
@@ -12139,8 +12296,8 @@
},
tls13Variant: ver.tls13Variant,
flags: []string{
- "-retain-only-sha256-client-cert-initial",
- "-retain-only-sha256-client-cert-resume",
+ "-on-initial-retain-only-sha256-client-cert",
+ "-on-resume-retain-only-sha256-client-cert",
},
resumeSession: true,
})
@@ -12158,10 +12315,10 @@
tls13Variant: ver.tls13Variant,
flags: []string{
"-verify-peer",
- "-retain-only-sha256-client-cert-initial",
- "-retain-only-sha256-client-cert-resume",
- "-expect-sha256-client-cert-initial",
- "-expect-sha256-client-cert-resume",
+ "-on-initial-retain-only-sha256-client-cert",
+ "-on-resume-retain-only-sha256-client-cert",
+ "-on-initial-expect-sha256-client-cert",
+ "-on-resume-expect-sha256-client-cert",
},
resumeSession: true,
})
@@ -12180,8 +12337,8 @@
tls13Variant: ver.tls13Variant,
flags: []string{
"-verify-peer",
- "-retain-only-sha256-client-cert-initial",
- "-expect-sha256-client-cert-initial",
+ "-on-initial-retain-only-sha256-client-cert",
+ "-on-initial-expect-sha256-client-cert",
},
resumeSession: true,
expectResumeRejected: true,
@@ -12201,8 +12358,8 @@
tls13Variant: ver.tls13Variant,
flags: []string{
"-verify-peer",
- "-retain-only-sha256-client-cert-resume",
- "-expect-sha256-client-cert-resume",
+ "-on-resume-retain-only-sha256-client-cert",
+ "-on-resume-expect-sha256-client-cert",
},
resumeSession: true,
expectResumeRejected: true,
diff --git a/src/ssl/test/test_config.cc b/src/ssl/test/test_config.cc
index 8b2f7f2..6df8d2a 100644
--- a/src/ssl/test/test_config.cc
+++ b/src/ssl/test/test_config.cc
@@ -108,14 +108,10 @@
{ "-peek-then-read", &TestConfig::peek_then_read },
{ "-enable-grease", &TestConfig::enable_grease },
{ "-use-exporter-between-reads", &TestConfig::use_exporter_between_reads },
- { "-retain-only-sha256-client-cert-initial",
- &TestConfig::retain_only_sha256_client_cert_initial },
- { "-retain-only-sha256-client-cert-resume",
- &TestConfig::retain_only_sha256_client_cert_resume },
- { "-expect-sha256-client-cert-initial",
- &TestConfig::expect_sha256_client_cert_initial },
- { "-expect-sha256-client-cert-resume",
- &TestConfig::expect_sha256_client_cert_resume },
+ { "-retain-only-sha256-client-cert",
+ &TestConfig::retain_only_sha256_client_cert },
+ { "-expect-sha256-client-cert",
+ &TestConfig::expect_sha256_client_cert },
{ "-read-with-unfinished-write", &TestConfig::read_with_unfinished_write },
{ "-expect-secure-renegotiation",
&TestConfig::expect_secure_renegotiation },
diff --git a/src/ssl/test/test_config.h b/src/ssl/test/test_config.h
index af75548..9af64bc 100644
--- a/src/ssl/test/test_config.h
+++ b/src/ssl/test/test_config.h
@@ -128,10 +128,8 @@
int expect_cipher_no_aes = 0;
std::string expect_peer_cert_file;
int resumption_delay = 0;
- bool retain_only_sha256_client_cert_initial = false;
- bool retain_only_sha256_client_cert_resume = false;
- bool expect_sha256_client_cert_initial = false;
- bool expect_sha256_client_cert_resume = false;
+ bool retain_only_sha256_client_cert = false;
+ bool expect_sha256_client_cert = false;
bool read_with_unfinished_write = false;
bool expect_secure_renegotiation = false;
bool expect_no_secure_renegotiation = false;
diff --git a/src/ssl/tls13_both.cc b/src/ssl/tls13_both.cc
index 39e0cb3..6e7260e 100644
--- a/src/ssl/tls13_both.cc
+++ b/src/ssl/tls13_both.cc
@@ -284,11 +284,14 @@
return 0;
}
- if (sk_CRYPTO_BUFFER_num(certs.get()) == 1 &&
- !CBS_stow(&ocsp_response, &hs->new_session->ocsp_response,
- &hs->new_session->ocsp_response_length)) {
- ssl3_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_INTERNAL_ERROR);
- return 0;
+ if (sk_CRYPTO_BUFFER_num(certs.get()) == 1) {
+ CRYPTO_BUFFER_free(hs->new_session->ocsp_response);
+ hs->new_session->ocsp_response =
+ CRYPTO_BUFFER_new_from_CBS(&ocsp_response, ssl->ctx->pool);
+ if (hs->new_session->ocsp_response == nullptr) {
+ ssl3_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_INTERNAL_ERROR);
+ return 0;
+ }
}
}
@@ -305,12 +308,14 @@
return 0;
}
- if (sk_CRYPTO_BUFFER_num(certs.get()) == 1 &&
- !CBS_stow(
- &sct, &hs->new_session->tlsext_signed_cert_timestamp_list,
- &hs->new_session->tlsext_signed_cert_timestamp_list_length)) {
- ssl3_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_INTERNAL_ERROR);
- return 0;
+ if (sk_CRYPTO_BUFFER_num(certs.get()) == 1) {
+ CRYPTO_BUFFER_free(hs->new_session->signed_cert_timestamp_list);
+ hs->new_session->signed_cert_timestamp_list =
+ CRYPTO_BUFFER_new_from_CBS(&sct, ssl->ctx->pool);
+ if (hs->new_session->signed_cert_timestamp_list == nullptr) {
+ ssl3_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_INTERNAL_ERROR);
+ return 0;
+ }
}
}
}
diff --git a/src/ssl/tls13_client.cc b/src/ssl/tls13_client.cc
index 83066be..6608404 100644
--- a/src/ssl/tls13_client.cc
+++ b/src/ssl/tls13_client.cc
@@ -417,8 +417,8 @@
OPENSSL_PUT_ERROR(SSL, SSL_R_ALPN_MISMATCH_ON_EARLY_DATA);
return ssl_hs_error;
}
- if (ssl->s3->tlsext_channel_id_valid) {
- OPENSSL_PUT_ERROR(SSL, SSL_R_CHANNEL_ID_ON_EARLY_DATA);
+ if (ssl->s3->tlsext_channel_id_valid || hs->received_custom_extension) {
+ OPENSSL_PUT_ERROR(SSL, SSL_R_UNEXPECTED_EXTENSION_ON_EARLY_DATA);
return ssl_hs_error;
}
}
@@ -733,6 +733,10 @@
break;
}
+ if (hs->state != state) {
+ ssl_do_info_callback(hs->ssl, SSL_CB_CONNECT_LOOP, 1);
+ }
+
if (ret != ssl_hs_ok) {
return ret;
}
@@ -741,6 +745,43 @@
return ssl_hs_ok;
}
+const char *tls13_client_handshake_state(SSL_HANDSHAKE *hs) {
+ enum client_hs_state_t state =
+ static_cast<enum client_hs_state_t>(hs->tls13_state);
+ switch (state) {
+ case state_read_hello_retry_request:
+ return "TLS 1.3 client read_hello_retry_request";
+ case state_send_second_client_hello:
+ return "TLS 1.3 client send_second_client_hello";
+ case state_read_server_hello:
+ return "TLS 1.3 client read_server_hello";
+ case state_process_change_cipher_spec:
+ return "TLS 1.3 client process_change_cipher_spec";
+ case state_read_encrypted_extensions:
+ return "TLS 1.3 client read_encrypted_extensions";
+ case state_read_certificate_request:
+ return "TLS 1.3 client read_certificate_request";
+ case state_read_server_certificate:
+ return "TLS 1.3 client read_server_certificate";
+ case state_read_server_certificate_verify:
+ return "TLS 1.3 client read_server_certificate_verify";
+ case state_read_server_finished:
+ return "TLS 1.3 client read_server_finished";
+ case state_send_end_of_early_data:
+ return "TLS 1.3 client send_end_of_early_data";
+ case state_send_client_certificate:
+ return "TLS 1.3 client send_client_certificate";
+ case state_send_client_certificate_verify:
+ return "TLS 1.3 client send_client_certificate_verify";
+ case state_complete_second_flight:
+ return "TLS 1.3 client complete_second_flight";
+ case state_done:
+ return "TLS 1.3 client done";
+ }
+
+ return "TLS 1.3 client unknown";
+}
+
int tls13_process_new_session_ticket(SSL *ssl, const SSLMessage &msg) {
UniquePtr<SSL_SESSION> session(SSL_SESSION_dup(ssl->s3->established_session,
SSL_SESSION_INCLUDE_NONAUTH));
diff --git a/src/ssl/tls13_server.cc b/src/ssl/tls13_server.cc
index 2b802c4..894fa87 100644
--- a/src/ssl/tls13_server.cc
+++ b/src/ssl/tls13_server.cc
@@ -380,6 +380,8 @@
hs->early_data_offered &&
/* Channel ID is incompatible with 0-RTT. */
!ssl->s3->tlsext_channel_id_valid &&
+ /* Custom extensions is incompatible with 0-RTT. */
+ hs->custom_extensions.received == 0 &&
/* The negotiated ALPN must match the one in the ticket. */
ssl->s3->alpn_selected_len == session->early_alpn_len &&
OPENSSL_memcmp(ssl->s3->alpn_selected, session->early_alpn,
@@ -920,6 +922,10 @@
break;
}
+ if (hs->state != state) {
+ ssl_do_info_callback(hs->ssl, SSL_CB_ACCEPT_LOOP, 1);
+ }
+
if (ret != ssl_hs_ok) {
return ret;
}
@@ -928,4 +934,45 @@
return ssl_hs_ok;
}
+const char *tls13_server_handshake_state(SSL_HANDSHAKE *hs) {
+ enum server_hs_state_t state =
+ static_cast<enum server_hs_state_t>(hs->tls13_state);
+ switch (state) {
+ case state_select_parameters:
+ return "TLS 1.3 server select_parameters";
+ case state_select_session:
+ return "TLS 1.3 server select_session";
+ case state_send_hello_retry_request:
+ return "TLS 1.3 server send_hello_retry_request";
+ case state_read_second_client_hello:
+ return "TLS 1.3 server read_second_client_hello";
+ case state_send_server_hello:
+ return "TLS 1.3 server send_server_hello";
+ case state_send_server_certificate_verify:
+ return "TLS 1.3 server send_server_certificate_verify";
+ case state_send_server_finished:
+ return "TLS 1.3 server send_server_finished";
+ case state_read_second_client_flight:
+ return "TLS 1.3 server read_second_client_flight";
+ case state_process_change_cipher_spec:
+ return "TLS 1.3 server process_change_cipher_spec";
+ case state_process_end_of_early_data:
+ return "TLS 1.3 server process_end_of_early_data";
+ case state_read_client_certificate:
+ return "TLS 1.3 server read_client_certificate";
+ case state_read_client_certificate_verify:
+ return "TLS 1.3 server read_client_certificate_verify";
+ case state_read_channel_id:
+ return "TLS 1.3 server read_channel_id";
+ case state_read_client_finished:
+ return "TLS 1.3 server read_client_finished";
+ case state_send_new_session_ticket:
+ return "TLS 1.3 server send_new_session_ticket";
+ case state_done:
+ return "TLS 1.3 server done";
+ }
+
+ return "TLS 1.3 server unknown";
+}
+
} // namespace bssl
diff --git a/src/tool/ciphers.cc b/src/tool/ciphers.cc
index 3a7e23d..c4f167b 100644
--- a/src/tool/ciphers.cc
+++ b/src/tool/ciphers.cc
@@ -24,26 +24,29 @@
bool Ciphers(const std::vector<std::string> &args) {
- if (args.size() != 1) {
- fprintf(stderr, "Usage: bssl ciphers <cipher suite string>\n");
+ bool openssl_name = false;
+ if (args.size() == 2 && args[0] == "-openssl-name") {
+ openssl_name = true;
+ } else if (args.size() != 1) {
+ fprintf(stderr,
+ "Usage: bssl ciphers [-openssl-name] <cipher suite string>\n");
return false;
}
const std::string &ciphers_string = args.back();
- bssl::UniquePtr<SSL_CTX> ctx(SSL_CTX_new(SSLv23_client_method()));
+ bssl::UniquePtr<SSL_CTX> ctx(SSL_CTX_new(TLS_method()));
if (!SSL_CTX_set_strict_cipher_list(ctx.get(), ciphers_string.c_str())) {
fprintf(stderr, "Failed to parse cipher suite config.\n");
ERR_print_errors_fp(stderr);
return false;
}
- const struct ssl_cipher_preference_list_st *pref_list = ctx->cipher_list;
- STACK_OF(SSL_CIPHER) *ciphers = pref_list->ciphers;
+ STACK_OF(SSL_CIPHER) *ciphers = SSL_CTX_get_ciphers(ctx.get());
bool last_in_group = false;
for (size_t i = 0; i < sk_SSL_CIPHER_num(ciphers); i++) {
- bool in_group = pref_list->in_group_flags[i];
+ bool in_group = SSL_CTX_cipher_in_group(ctx.get(), i);
const SSL_CIPHER *cipher = sk_SSL_CIPHER_value(ciphers, i);
if (in_group && !last_in_group) {
@@ -52,7 +55,8 @@
printf(" ");
}
- printf("%s\n", SSL_CIPHER_standard_name(cipher));
+ printf("%s\n", openssl_name ? SSL_CIPHER_get_name(cipher)
+ : SSL_CIPHER_standard_name(cipher));
if (!in_group && last_in_group) {
printf("]\n");
diff --git a/src/tool/client.cc b/src/tool/client.cc
index d3a3115..a5254b2 100644
--- a/src/tool/client.cc
+++ b/src/tool/client.cc
@@ -135,6 +135,14 @@
"An HTTP proxy server to tunnel the TCP connection through",
},
{
+ "-renegotiate-freely", kBooleanArgument,
+ "Allow renegotiations from the peer.",
+ },
+ {
+ "-debug", kBooleanArgument,
+ "Print debug information about the handshake",
+ },
+ {
"", kOptionalArgument, "",
},
};
@@ -262,6 +270,10 @@
SSL_set_session(ssl.get(), session.get());
}
+ if (args_map.count("-renegotiate-freely") != 0) {
+ SSL_set_renegotiate_mode(ssl.get(), ssl_renegotiate_freely);
+ }
+
if (resume_session) {
SSL_set_session(ssl.get(), resume_session.get());
}
@@ -317,6 +329,20 @@
return false;
}
+static void InfoCallback(const SSL *ssl, int type, int value) {
+ switch (type) {
+ case SSL_CB_HANDSHAKE_START:
+ fprintf(stderr, "Handshake started.\n");
+ break;
+ case SSL_CB_HANDSHAKE_DONE:
+ fprintf(stderr, "Handshake done.\n");
+ break;
+ case SSL_CB_CONNECT_LOOP:
+ fprintf(stderr, "Handshake progress: %s\n", SSL_state_string_long(ssl));
+ break;
+ }
+}
+
bool Client(const std::vector<std::string> &args) {
if (!InitSocketLibrary()) {
return false;
@@ -329,7 +355,7 @@
return false;
}
- bssl::UniquePtr<SSL_CTX> ctx(SSL_CTX_new(SSLv23_client_method()));
+ bssl::UniquePtr<SSL_CTX> ctx(SSL_CTX_new(TLS_method()));
const char *keylog_file = getenv("SSLKEYLOGFILE");
if (keylog_file) {
@@ -497,6 +523,10 @@
SSL_CTX_set_ed25519_enabled(ctx.get(), 1);
}
+ if (args_map.count("-debug") != 0) {
+ SSL_CTX_set_info_callback(ctx.get(), InfoCallback);
+ }
+
if (args_map.count("-test-resumption") != 0) {
if (args_map.count("-session-in") != 0) {
fprintf(stderr,
diff --git a/src/tool/internal.h b/src/tool/internal.h
index a3d608a..a6c8eca 100644
--- a/src/tool/internal.h
+++ b/src/tool/internal.h
@@ -90,4 +90,4 @@
extern const size_t kDERRSAPrivate4096Len;
-#endif /* !OPENSSL_HEADER_TOOL_INTERNAL_H */
+#endif // !OPENSSL_HEADER_TOOL_INTERNAL_H
diff --git a/src/tool/server.cc b/src/tool/server.cc
index 3b125ad..4cc183b 100644
--- a/src/tool/server.cc
+++ b/src/tool/server.cc
@@ -71,6 +71,10 @@
"-tls13-variant", kBooleanArgument, "Enable TLS 1.3 variants",
},
{
+ "-debug", kBooleanArgument,
+ "Print debug information about the handshake",
+ },
+ {
"", kOptionalArgument, "",
},
};
@@ -142,6 +146,20 @@
return x509;
}
+static void InfoCallback(const SSL *ssl, int type, int value) {
+ switch (type) {
+ case SSL_CB_HANDSHAKE_START:
+ fprintf(stderr, "Handshake started.\n");
+ break;
+ case SSL_CB_HANDSHAKE_DONE:
+ fprintf(stderr, "Handshake done.\n");
+ break;
+ case SSL_CB_ACCEPT_LOOP:
+ fprintf(stderr, "Handshake progress: %s\n", SSL_state_string_long(ssl));
+ break;
+ }
+}
+
bool Server(const std::vector<std::string> &args) {
if (!InitSocketLibrary()) {
return false;
@@ -241,6 +259,10 @@
SSL_CTX_set_tls13_variant(ctx.get(), tls13_experiment);
}
+ if (args_map.count("-debug") != 0) {
+ SSL_CTX_set_info_callback(ctx.get(), InfoCallback);
+ }
+
Listener listener;
if (!listener.Init(args_map["-accept"])) {
return false;
diff --git a/src/tool/speed.cc b/src/tool/speed.cc
index cf7e70e..87aa2de 100644
--- a/src/tool/speed.cc
+++ b/src/tool/speed.cc
@@ -153,9 +153,9 @@
TimeResults results;
if (!TimeFunction(&results,
[key, &sig, &fake_sha256_hash, &sig_len]() -> bool {
- /* Usually during RSA signing we're using a long-lived |RSA| that has
- * already had all of its |BN_MONT_CTX|s constructed, so it makes
- * sense to use |key| directly here. */
+ // Usually during RSA signing we're using a long-lived |RSA| that has
+ // already had all of its |BN_MONT_CTX|s constructed, so it makes
+ // sense to use |key| directly here.
return RSA_sign(NID_sha256, fake_sha256_hash, sizeof(fake_sha256_hash),
sig.get(), &sig_len, key);
})) {
@@ -167,11 +167,11 @@
if (!TimeFunction(&results,
[key, &fake_sha256_hash, &sig, sig_len]() -> bool {
- /* Usually during RSA verification we have to parse an RSA key from a
- * certificate or similar, in which case we'd need to construct a new
- * RSA key, with a new |BN_MONT_CTX| for the public modulus. If we were
- * to use |key| directly instead, then these costs wouldn't be
- * accounted for. */
+ // Usually during RSA verification we have to parse an RSA key from a
+ // certificate or similar, in which case we'd need to construct a new
+ // RSA key, with a new |BN_MONT_CTX| for the public modulus. If we were
+ // to use |key| directly instead, then these costs wouldn't be
+ // accounted for.
bssl::UniquePtr<RSA> verify_key(RSA_new());
if (!verify_key) {
return false;
diff --git a/src/tool/transport_common.h b/src/tool/transport_common.h
index b149671..0bc6053 100644
--- a/src/tool/transport_common.h
+++ b/src/tool/transport_common.h
@@ -65,4 +65,4 @@
// success and false otherwise.
bool DoHTTPTunnel(int sock, const std::string &hostname_and_port);
-#endif /* !OPENSSL_HEADER_TOOL_TRANSPORT_COMMON_H */
+#endif // !OPENSSL_HEADER_TOOL_TRANSPORT_COMMON_H
diff --git a/src/util/bot/UPDATING b/src/util/bot/UPDATING
index 43aa30a..6b8b48e 100644
--- a/src/util/bot/UPDATING
+++ b/src/util/bot/UPDATING
@@ -54,7 +54,7 @@
Use the release at http://yasm.tortall.net/Download.html labeled
"Win32 .exe". The download will be named yasm-VERSION-win32.exe.
- The current revision is yasm-1.2.0-win32.exe.
+ The current revision is yasm-1.3.0-win32.exe.
Finally, update sde-linux64.tar.bz2 by downloading the latet release from intel
at
diff --git a/src/util/bot/yasm-win32.exe.sha1 b/src/util/bot/yasm-win32.exe.sha1
index 5b8c9aa..542a6c9 100644
--- a/src/util/bot/yasm-win32.exe.sha1
+++ b/src/util/bot/yasm-win32.exe.sha1
@@ -1 +1 @@
-4c4d1951181a610923523cb10d83d9ae9952fbf3
\ No newline at end of file
+8374a6a1d6a240a3baa771ffd61b3bc096ccd11f
\ No newline at end of file