Run convert_comments.go on the recently-converted files
This CL is the result of the following commands:
for d in asn1 x509 x509v3 pem; do
go run util/convert_comments.go crypto/$d/*.h
go run util/convert_comments.go crypto/$d/*.c
done
Change-Id: If78433f68cb2f913b0de06ded744a5a65540e1cf
Reviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/53087
Reviewed-by: Bob Beck <bbe@google.com>
Commit-Queue: Bob Beck <bbe@google.com>
diff --git a/crypto/asn1/a_bitstr.c b/crypto/asn1/a_bitstr.c
index 5b97efa..8ef0d12 100644
--- a/crypto/asn1/a_bitstr.c
+++ b/crypto/asn1/a_bitstr.c
@@ -164,19 +164,17 @@
goto err;
}
- /* Unused bits in a BIT STRING must be zero. */
+ // Unused bits in a BIT STRING must be zero.
uint8_t padding_mask = (1 << padding) - 1;
if (padding != 0 && (len < 1 || (p[len - 1] & padding_mask) != 0)) {
OPENSSL_PUT_ERROR(ASN1, ASN1_R_INVALID_BIT_STRING_PADDING);
goto err;
}
- /*
- * We do this to preserve the settings. If we modify the settings, via
- * the _set_bit function, we will recalculate on output
- */
- ret->flags &= ~(ASN1_STRING_FLAG_BITS_LEFT | 0x07); /* clear */
- ret->flags |= (ASN1_STRING_FLAG_BITS_LEFT | padding); /* set */
+ // We do this to preserve the settings. If we modify the settings, via
+ // the _set_bit function, we will recalculate on output
+ ret->flags &= ~(ASN1_STRING_FLAG_BITS_LEFT | 0x07); // clear
+ ret->flags |= (ASN1_STRING_FLAG_BITS_LEFT | padding); // set
if (len > 0) {
s = OPENSSL_memdup(p, len);
@@ -205,9 +203,7 @@
return (NULL);
}
-/*
- * These next 2 functions from Goetz Babin-Ebell <babinebell@trustcenter.de>
- */
+// These next 2 functions from Goetz Babin-Ebell <babinebell@trustcenter.de>
int ASN1_BIT_STRING_set_bit(ASN1_BIT_STRING *a, int n, int value) {
int w, v, iv;
unsigned char *c;
@@ -223,11 +219,11 @@
return 0;
}
- a->flags &= ~(ASN1_STRING_FLAG_BITS_LEFT | 0x07); /* clear, set on write */
+ a->flags &= ~(ASN1_STRING_FLAG_BITS_LEFT | 0x07); // clear, set on write
if ((a->length < (w + 1)) || (a->data == NULL)) {
if (!value) {
- return (1); /* Don't need to set */
+ return (1); // Don't need to set
}
if (a->data == NULL) {
c = (unsigned char *)OPENSSL_malloc(w + 1);
@@ -262,27 +258,23 @@
return ((a->data[w] & v) != 0);
}
-/*
- * Checks if the given bit string contains only bits specified by
- * the flags vector. Returns 0 if there is at least one bit set in 'a'
- * which is not specified in 'flags', 1 otherwise.
- * 'len' is the length of 'flags'.
- */
+// Checks if the given bit string contains only bits specified by
+// the flags vector. Returns 0 if there is at least one bit set in 'a'
+// which is not specified in 'flags', 1 otherwise.
+// 'len' is the length of 'flags'.
int ASN1_BIT_STRING_check(const ASN1_BIT_STRING *a, const unsigned char *flags,
int flags_len) {
int i, ok;
- /* Check if there is one bit set at all. */
+ // Check if there is one bit set at all.
if (!a || !a->data) {
return 1;
}
- /*
- * Check each byte of the internal representation of the bit string.
- */
+ // Check each byte of the internal representation of the bit string.
ok = 1;
for (i = 0; i < a->length && ok; ++i) {
unsigned char mask = i < flags_len ? ~flags[i] : 0xff;
- /* We are done if there is an unneeded bit set. */
+ // We are done if there is an unneeded bit set.
ok = (a->data[i] & mask) == 0;
}
return ok;
diff --git a/crypto/asn1/a_bool.c b/crypto/asn1/a_bool.c
index daf96fc..e4703c6 100644
--- a/crypto/asn1/a_bool.c
+++ b/crypto/asn1/a_bool.c
@@ -80,10 +80,8 @@
ASN1_put_object(&p, 0, 1, V_ASN1_BOOLEAN, V_ASN1_UNIVERSAL);
*p = a ? 0xff : 0x00;
- /*
- * If a new buffer was allocated, just return it back.
- * If not, return the incremented buffer pointer.
- */
+ // If a new buffer was allocated, just return it back.
+ // If not, return the incremented buffer pointer.
*pp = allocated != NULL ? allocated : p + 1;
return r;
}
diff --git a/crypto/asn1/a_dup.c b/crypto/asn1/a_dup.c
index 5434b78..402584c 100644
--- a/crypto/asn1/a_dup.c
+++ b/crypto/asn1/a_dup.c
@@ -59,12 +59,10 @@
#include <openssl/err.h>
#include <openssl/mem.h>
-/*
- * ASN1_ITEM version of dup: this follows the model above except we don't
- * need to allocate the buffer. At some point this could be rewritten to
- * directly dup the underlying structure instead of doing and encode and
- * decode.
- */
+// ASN1_ITEM version of dup: this follows the model above except we don't
+// need to allocate the buffer. At some point this could be rewritten to
+// directly dup the underlying structure instead of doing and encode and
+// decode.
void *ASN1_item_dup(const ASN1_ITEM *it, void *x) {
unsigned char *b = NULL;
const unsigned char *p;
diff --git a/crypto/asn1/a_int.c b/crypto/asn1/a_int.c
index 1da9889..a13576a 100644
--- a/crypto/asn1/a_int.c
+++ b/crypto/asn1/a_int.c
@@ -72,7 +72,7 @@
}
int ASN1_INTEGER_cmp(const ASN1_INTEGER *x, const ASN1_INTEGER *y) {
- /* Compare signs. */
+ // Compare signs.
int neg = x->type & V_ASN1_NEG;
if (neg != (y->type & V_ASN1_NEG)) {
return neg ? -1 : 1;
@@ -80,8 +80,8 @@
int ret = ASN1_STRING_cmp(x, y);
if (neg) {
- /* This could be |-ret|, but |ASN1_STRING_cmp| is not forbidden from
- * returning |INT_MIN|. */
+ // This could be |-ret|, but |ASN1_STRING_cmp| is not forbidden from
+ // returning |INT_MIN|.
if (ret < 0) {
return 1;
} else if (ret > 0) {
@@ -94,8 +94,8 @@
return ret;
}
-/* negate_twos_complement negates |len| bytes from |buf| in-place, interpreted
- * as a signed, big-endian two's complement value. */
+// negate_twos_complement negates |len| bytes from |buf| in-place, interpreted
+// as a signed, big-endian two's complement value.
static void negate_twos_complement(uint8_t *buf, size_t len) {
uint8_t borrow = 0;
for (size_t i = len - 1; i < len; i--) {
@@ -119,9 +119,9 @@
return 0;
}
- /* |ASN1_INTEGER|s should be represented minimally, but it is possible to
- * construct invalid ones. Skip leading zeros so this does not produce an
- * invalid encoding or break invariants. */
+ // |ASN1_INTEGER|s should be represented minimally, but it is possible to
+ // construct invalid ones. Skip leading zeros so this does not produce an
+ // invalid encoding or break invariants.
int start = 0;
while (start < in->length && in->data[start] == 0) {
start++;
@@ -130,20 +130,20 @@
int is_negative = (in->type & V_ASN1_NEG) != 0;
int pad;
if (start >= in->length) {
- /* Zero is represented as a single byte. */
+ // Zero is represented as a single byte.
is_negative = 0;
pad = 1;
} else if (is_negative) {
- /* 0x80...01 through 0xff...ff have a two's complement of 0x7f...ff
- * through 0x00...01 and need an extra byte to be negative.
- * 0x01...00 through 0x80...00 have a two's complement of 0xfe...ff
- * through 0x80...00 and can be negated as-is. */
+ // 0x80...01 through 0xff...ff have a two's complement of 0x7f...ff
+ // through 0x00...01 and need an extra byte to be negative.
+ // 0x01...00 through 0x80...00 have a two's complement of 0xfe...ff
+ // through 0x80...00 and can be negated as-is.
pad = in->data[start] > 0x80 ||
(in->data[start] == 0x80 &&
!is_all_zeros(in->data + start + 1, in->length - start - 1));
} else {
- /* If the high bit is set, the signed representation needs an extra
- * byte to be positive. */
+ // If the high bit is set, the signed representation needs an extra
+ // byte to be positive.
pad = (in->data[start] & 0x80) != 0;
}
@@ -173,11 +173,9 @@
ASN1_INTEGER *c2i_ASN1_INTEGER(ASN1_INTEGER **out, const unsigned char **inp,
long len) {
- /*
- * This function can handle lengths up to INT_MAX - 1, but the rest of the
- * legacy ASN.1 code mixes integer types, so avoid exposing it to
- * ASN1_INTEGERS with larger lengths.
- */
+ // This function can handle lengths up to INT_MAX - 1, but the rest of the
+ // legacy ASN.1 code mixes integer types, so avoid exposing it to
+ // ASN1_INTEGERS with larger lengths.
if (len < 0 || len > INT_MAX / 2) {
OPENSSL_PUT_ERROR(ASN1, ASN1_R_TOO_LONG);
return NULL;
@@ -201,19 +199,19 @@
ret = *out;
}
- /* Convert to |ASN1_INTEGER|'s sign-and-magnitude representation. First,
- * determine the size needed for a minimal result. */
+ // Convert to |ASN1_INTEGER|'s sign-and-magnitude representation. First,
+ // determine the size needed for a minimal result.
if (is_negative) {
- /* 0xff00...01 through 0xff7f..ff have a two's complement of 0x00ff...ff
- * through 0x000100...001 and need one leading zero removed. 0x8000...00
- * through 0xff00...00 have a two's complement of 0x8000...00 through
- * 0x0100...00 and will be minimally-encoded as-is. */
+ // 0xff00...01 through 0xff7f..ff have a two's complement of 0x00ff...ff
+ // through 0x000100...001 and need one leading zero removed. 0x8000...00
+ // through 0xff00...00 have a two's complement of 0x8000...00 through
+ // 0x0100...00 and will be minimally-encoded as-is.
if (CBS_len(&cbs) > 0 && CBS_data(&cbs)[0] == 0xff &&
!is_all_zeros(CBS_data(&cbs) + 1, CBS_len(&cbs) - 1)) {
CBS_skip(&cbs, 1);
}
} else {
- /* Remove the leading zero byte, if any. */
+ // Remove the leading zero byte, if any.
if (CBS_len(&cbs) > 0 && CBS_data(&cbs)[0] == 0x00) {
CBS_skip(&cbs, 1);
}
@@ -230,9 +228,9 @@
ret->type = V_ASN1_INTEGER;
}
- /* The value should be minimally-encoded. */
+ // The value should be minimally-encoded.
assert(ret->length == 0 || ret->data[0] != 0);
- /* Zero is not negative. */
+ // Zero is not negative.
assert(!is_negative || ret->length > 0);
*inp += len;
@@ -347,7 +345,7 @@
int64_t i64;
int fits_in_i64;
- /* Check |v != 0| to handle manually-constructed negative zeros. */
+ // Check |v != 0| to handle manually-constructed negative zeros.
if ((a->type & V_ASN1_NEG) && v != 0) {
i64 = (int64_t)(0u - v);
fits_in_i64 = i64 < 0;
@@ -362,7 +360,7 @@
}
err:
- /* This function's return value does not distinguish overflow from -1. */
+ // This function's return value does not distinguish overflow from -1.
ERR_clear_error();
return -1;
}
diff --git a/crypto/asn1/a_mbstr.c b/crypto/asn1/a_mbstr.c
index fd5562c..c53d6d5 100644
--- a/crypto/asn1/a_mbstr.c
+++ b/crypto/asn1/a_mbstr.c
@@ -66,14 +66,12 @@
#include "../bytestring/internal.h"
#include "internal.h"
-/*
- * These functions take a string in UTF8, ASCII or multibyte form and a mask
- * of permissible ASN1 string types. It then works out the minimal type
- * (using the order Printable < IA5 < T61 < BMP < Universal < UTF8) and
- * creates a string of the correct type with the supplied data. Yes this is
- * horrible: it has to be :-( The 'ncopy' form checks minimum and maximum
- * size limits too.
- */
+// These functions take a string in UTF8, ASCII or multibyte form and a mask
+// of permissible ASN1 string types. It then works out the minimal type
+// (using the order Printable < IA5 < T61 < BMP < Universal < UTF8) and
+// creates a string of the correct type with the supplied data. Yes this is
+// horrible: it has to be :-( The 'ncopy' form checks minimum and maximum
+// size limits too.
int ASN1_mbstring_copy(ASN1_STRING **out, const unsigned char *in, int len,
int inform, unsigned long mask) {
@@ -127,7 +125,7 @@
return -1;
}
- /* Check |minsize| and |maxsize| and work out the minimal type, if any. */
+ // Check |minsize| and |maxsize| and work out the minimal type, if any.
CBS cbs;
CBS_init(&cbs, in, len);
size_t utf8_len = 0;
@@ -139,17 +137,17 @@
}
if (nchar == 0 && (inform == MBSTRING_BMP || inform == MBSTRING_UNIV) &&
c == 0xfeff) {
- /* Reject byte-order mark. We could drop it but that would mean
- * adding ambiguity around whether a BOM was included or not when
- * matching strings.
- *
- * For a little-endian UCS-2 string, the BOM will appear as 0xfffe
- * and will be rejected as noncharacter, below. */
+ // Reject byte-order mark. We could drop it but that would mean
+ // adding ambiguity around whether a BOM was included or not when
+ // matching strings.
+ //
+ // For a little-endian UCS-2 string, the BOM will appear as 0xfffe
+ // and will be rejected as noncharacter, below.
OPENSSL_PUT_ERROR(ASN1, ASN1_R_ILLEGAL_CHARACTERS);
return -1;
}
- /* Update which output formats are still possible. */
+ // Update which output formats are still possible.
if ((mask & B_ASN1_PRINTABLESTRING) && !asn1_is_printable(c)) {
mask &= ~B_ASN1_PRINTABLESTRING;
}
@@ -185,7 +183,7 @@
return -1;
}
- /* Now work out output format and string type */
+ // Now work out output format and string type
int (*encode_func)(CBB *, uint32_t) = cbb_add_latin1;
size_t size_estimate = nchar;
int outform = MBSTRING_ASC;
@@ -237,7 +235,7 @@
*out = dest;
}
- /* If both the same type just copy across */
+ // If both the same type just copy across
if (inform == outform) {
if (!ASN1_STRING_set(dest, in, len)) {
OPENSSL_PUT_ERROR(ASN1, ERR_R_MALLOC_FAILURE);
@@ -261,8 +259,8 @@
}
uint8_t *data = NULL;
size_t data_len;
- if (/* OpenSSL historically NUL-terminated this value with a single byte,
- * even for |MBSTRING_BMP| and |MBSTRING_UNIV|. */
+ if (// OpenSSL historically NUL-terminated this value with a single byte,
+ // even for |MBSTRING_BMP| and |MBSTRING_UNIV|.
!CBB_add_u8(&cbb, 0) || !CBB_finish(&cbb, &data, &data_len) ||
data_len < 1 || data_len > INT_MAX) {
OPENSSL_PUT_ERROR(ASN1, ERR_R_INTERNAL_ERROR);
@@ -285,7 +283,7 @@
if (value > 0x7f) {
return 0;
}
- /* Note we cannot use |isalnum| because it is locale-dependent. */
+ // Note we cannot use |isalnum| because it is locale-dependent.
return ('a' <= value && value <= 'z') || //
('A' <= value && value <= 'Z') || //
('0' <= value && value <= '9') || //
diff --git a/crypto/asn1/a_object.c b/crypto/asn1/a_object.c
index e157d90..186ee67 100644
--- a/crypto/asn1/a_object.c
+++ b/crypto/asn1/a_object.c
@@ -96,10 +96,8 @@
ASN1_put_object(&p, 0, a->length, V_ASN1_OBJECT, V_ASN1_UNIVERSAL);
OPENSSL_memcpy(p, a->data, a->length);
- /*
- * If a new buffer was allocated, just return it back.
- * If not, return the incremented buffer pointer.
- */
+ // If a new buffer was allocated, just return it back.
+ // If not, return the incremented buffer pointer.
*pp = allocated != NULL ? allocated : p + a->length;
return objsize;
}
@@ -122,7 +120,7 @@
const char *str = buf;
int len = i2t_ASN1_OBJECT(buf, sizeof(buf), a);
if (len > (int)sizeof(buf) - 1) {
- /* The input was truncated. Allocate a buffer that fits. */
+ // The input was truncated. Allocate a buffer that fits.
allocated = OPENSSL_malloc(len + 1);
if (allocated == NULL) {
return -1;
@@ -173,17 +171,15 @@
unsigned char *data;
int i, length;
- /*
- * Sanity check OID encoding. Need at least one content octet. MSB must
- * be clear in the last octet. can't have leading 0x80 in subidentifiers,
- * see: X.690 8.19.2
- */
+ // Sanity check OID encoding. Need at least one content octet. MSB must
+ // be clear in the last octet. can't have leading 0x80 in subidentifiers,
+ // see: X.690 8.19.2
if (len <= 0 || len > INT_MAX || pp == NULL || (p = *pp) == NULL ||
p[len - 1] & 0x80) {
OPENSSL_PUT_ERROR(ASN1, ASN1_R_INVALID_OBJECT_ENCODING);
return NULL;
}
- /* Now 0 < len <= INT_MAX, so the cast is safe. */
+ // Now 0 < len <= INT_MAX, so the cast is safe.
length = (int)len;
for (i = 0; i < length; i++, p++) {
if (*p == 0x80 && (!i || !(p[-1] & 0x80))) {
@@ -202,10 +198,10 @@
}
p = *pp;
- /* detach data from object */
+ // detach data from object
data = (unsigned char *)ret->data;
ret->data = NULL;
- /* once detached we can change it */
+ // once detached we can change it
if ((data == NULL) || (ret->length < length)) {
ret->length = 0;
if (data != NULL) {
@@ -219,13 +215,13 @@
ret->flags |= ASN1_OBJECT_FLAG_DYNAMIC_DATA;
}
OPENSSL_memcpy(data, p, length);
- /* If there are dynamic strings, free them here, and clear the flag */
+ // If there are dynamic strings, free them here, and clear the flag
if ((ret->flags & ASN1_OBJECT_FLAG_DYNAMIC_STRINGS) != 0) {
OPENSSL_free((char *)ret->sn);
OPENSSL_free((char *)ret->ln);
ret->flags &= ~ASN1_OBJECT_FLAG_DYNAMIC_STRINGS;
}
- /* reattach data to object, after which it remains const */
+ // reattach data to object, after which it remains const
ret->data = data;
ret->length = length;
ret->sn = NULL;
diff --git a/crypto/asn1/a_print.c b/crypto/asn1/a_print.c
index 3cd150f..a5be164 100644
--- a/crypto/asn1/a_print.c
+++ b/crypto/asn1/a_print.c
@@ -70,7 +70,7 @@
for (int i = 0; i < len; i++) {
unsigned char c = s[i];
if (c & 0x80) {
- /* No need to continue iterating. */
+ // No need to continue iterating.
return V_ASN1_T61STRING;
}
if (!asn1_is_printable(c)) {
diff --git a/crypto/asn1/a_strex.c b/crypto/asn1/a_strex.c
index d855b04..3906bc9 100644
--- a/crypto/asn1/a_strex.c
+++ b/crypto/asn1/a_strex.c
@@ -72,7 +72,7 @@
ASN1_STRFLGS_ESC_MSB)
static int maybe_write(BIO *out, const void *buf, int len) {
- /* If |out| is NULL, ignore the output but report the length. */
+ // If |out| is NULL, ignore the output but report the length.
return out == NULL || BIO_write(out, buf, len) == len;
}
@@ -80,9 +80,9 @@
static int do_esc_char(uint32_t c, unsigned long flags, char *do_quotes,
BIO *out, int is_first, int is_last) {
- /* |c| is a |uint32_t| because, depending on |ASN1_STRFLGS_UTF8_CONVERT|,
- * we may be escaping bytes or Unicode codepoints. */
- char buf[16]; /* Large enough for "\\W01234567". */
+ // |c| is a |uint32_t| because, depending on |ASN1_STRFLGS_UTF8_CONVERT|,
+ // we may be escaping bytes or Unicode codepoints.
+ char buf[16]; // Large enough for "\\W01234567".
unsigned char u8 = (unsigned char)c;
if (c > 0xffff) {
BIO_snprintf(buf, sizeof(buf), "\\W%08" PRIX32, c);
@@ -93,15 +93,15 @@
} else if ((flags & ASN1_STRFLGS_ESC_CTRL) && is_control_character(c)) {
BIO_snprintf(buf, sizeof(buf), "\\%02X", c);
} else if (flags & ASN1_STRFLGS_ESC_2253) {
- /* See RFC 2253, sections 2.4 and 4. */
+ // See RFC 2253, sections 2.4 and 4.
if (c == '\\' || c == '"') {
- /* Quotes and backslashes are always escaped, quoted or not. */
+ // Quotes and backslashes are always escaped, quoted or not.
BIO_snprintf(buf, sizeof(buf), "\\%c", (int)c);
} else if (c == ',' || c == '+' || c == '<' || c == '>' || c == ';' ||
(is_first && (c == ' ' || c == '#')) ||
(is_last && (c == ' '))) {
if (flags & ASN1_STRFLGS_ESC_QUOTE) {
- /* No need to escape, just tell the caller to quote. */
+ // No need to escape, just tell the caller to quote.
if (do_quotes != NULL) {
*do_quotes = 1;
}
@@ -112,7 +112,7 @@
return maybe_write(out, &u8, 1) ? 1 : -1;
}
} else if ((flags & ESC_FLAGS) && c == '\\') {
- /* If any escape flags are set, also escape backslashes. */
+ // If any escape flags are set, also escape backslashes.
BIO_snprintf(buf, sizeof(buf), "\\%c", (int)c);
} else {
return maybe_write(out, &u8, 1) ? 1 : -1;
@@ -122,16 +122,14 @@
return maybe_write(out, buf, len) ? len : -1;
}
-/*
- * This function sends each character in a buffer to do_esc_char(). It
- * interprets the content formats and converts to or from UTF8 as
- * appropriate.
- */
+// This function sends each character in a buffer to do_esc_char(). It
+// interprets the content formats and converts to or from UTF8 as
+// appropriate.
static int do_buf(const unsigned char *buf, int buflen, int encoding,
int utf8_convert, unsigned long flags, char *quotes,
BIO *out) {
- /* Reject invalid UCS-4 and UCS-2 lengths without parsing. */
+ // Reject invalid UCS-4 and UCS-2 lengths without parsing.
switch (encoding) {
case MBSTRING_UNIV:
if (buflen & 3) {
@@ -152,10 +150,10 @@
int outlen = 0;
while (p != q) {
const int is_first = p == buf;
- /* TODO(davidben): Replace this with |cbs_get_ucs2_be|, etc., to check
- * for invalid codepoints. Before doing that, enforce it in the parser,
- * https://crbug.com/boringssl/427, so these error cases are not
- * reachable from parsed objects. */
+ // TODO(davidben): Replace this with |cbs_get_ucs2_be|, etc., to check
+ // for invalid codepoints. Before doing that, enforce it in the parser,
+ // https://crbug.com/boringssl/427, so these error cases are not
+ // reachable from parsed objects.
uint32_t c;
switch (encoding) {
case MBSTRING_UNIV:
@@ -177,7 +175,7 @@
case MBSTRING_UTF8: {
int consumed = UTF8_getc(p, buflen, &c);
if (consumed < 0) {
- return -1; /* Invalid UTF8String */
+ return -1; // Invalid UTF8String
}
buflen -= consumed;
p += consumed;
@@ -194,12 +192,10 @@
int utflen;
utflen = UTF8_putc(utfbuf, sizeof utfbuf, c);
for (int i = 0; i < utflen; i++) {
- /*
- * We don't need to worry about setting orflags correctly
- * because if utflen==1 its value will be correct anyway
- * otherwise each character will be > 0x7f and so the
- * character will never be escaped on first and last.
- */
+ // We don't need to worry about setting orflags correctly
+ // because if utflen==1 its value will be correct anyway
+ // otherwise each character will be > 0x7f and so the
+ // character will never be escaped on first and last.
int len = do_esc_char(utfbuf[i], flags, quotes, out, is_first, is_last);
if (len < 0) {
return -1;
@@ -217,7 +213,7 @@
return outlen;
}
-/* This function hex dumps a buffer of characters */
+// This function hex dumps a buffer of characters
static int do_hex_dump(BIO *out, unsigned char *buf, int buflen) {
static const char hexdig[] = "0123456789ABCDEF";
@@ -238,18 +234,16 @@
return buflen << 1;
}
-/*
- * "dump" a string. This is done when the type is unknown, or the flags
- * request it. We can either dump the content octets or the entire DER
- * encoding. This uses the RFC 2253 #01234 format.
- */
+// "dump" a string. This is done when the type is unknown, or the flags
+// request it. We can either dump the content octets or the entire DER
+// encoding. This uses the RFC 2253 #01234 format.
static int do_dump(unsigned long flags, BIO *out, const ASN1_STRING *str) {
if (!maybe_write(out, "#", 1)) {
return -1;
}
- /* If we don't dump DER encoding just dump content octets */
+ // If we don't dump DER encoding just dump content octets
if (!(flags & ASN1_STRFLGS_DUMP_DER)) {
int outlen = do_hex_dump(out, str->data, str->length);
if (outlen < 0) {
@@ -258,21 +252,19 @@
return outlen + 1;
}
- /*
- * Placing the ASN1_STRING in a temporary ASN1_TYPE allows the DER encoding
- * to readily obtained.
- */
+ // Placing the ASN1_STRING in a temporary ASN1_TYPE allows the DER encoding
+ // to readily obtained.
ASN1_TYPE t;
t.type = str->type;
- /* Negative INTEGER and ENUMERATED values are the only case where
- * |ASN1_STRING| and |ASN1_TYPE| types do not match.
- *
- * TODO(davidben): There are also some type fields which, in |ASN1_TYPE|, do
- * not correspond to |ASN1_STRING|. It is unclear whether those are allowed
- * in |ASN1_STRING| at all, or what the space of allowed types is.
- * |ASN1_item_ex_d2i| will never produce such a value so, for now, we say
- * this is an invalid input. But this corner of the library in general
- * should be more robust. */
+ // Negative INTEGER and ENUMERATED values are the only case where
+ // |ASN1_STRING| and |ASN1_TYPE| types do not match.
+ //
+ // TODO(davidben): There are also some type fields which, in |ASN1_TYPE|, do
+ // not correspond to |ASN1_STRING|. It is unclear whether those are allowed
+ // in |ASN1_STRING| at all, or what the space of allowed types is.
+ // |ASN1_item_ex_d2i| will never produce such a value so, for now, we say
+ // this is an invalid input. But this corner of the library in general
+ // should be more robust.
if (t.type == V_ASN1_NEG_INTEGER) {
t.type = V_ASN1_INTEGER;
} else if (t.type == V_ASN1_NEG_ENUMERATED) {
@@ -292,12 +284,12 @@
return outlen + 1;
}
-/* string_type_to_encoding returns the |MBSTRING_*| constant for the encoding
- * used by the |ASN1_STRING| type |type|, or -1 if |tag| is not a string
- * type. */
+// string_type_to_encoding returns the |MBSTRING_*| constant for the encoding
+// used by the |ASN1_STRING| type |type|, or -1 if |tag| is not a string
+// type.
static int string_type_to_encoding(int type) {
- /* This function is sometimes passed ASN.1 universal types and sometimes
- * passed |ASN1_STRING| type values */
+ // This function is sometimes passed ASN.1 universal types and sometimes
+ // passed |ASN1_STRING| type values
switch (type) {
case V_ASN1_UTF8STRING:
return MBSTRING_UTF8;
@@ -308,7 +300,7 @@
case V_ASN1_UTCTIME:
case V_ASN1_GENERALIZEDTIME:
case V_ASN1_ISO64STRING:
- /* |MBSTRING_ASC| refers to Latin-1, not ASCII. */
+ // |MBSTRING_ASC| refers to Latin-1, not ASCII.
return MBSTRING_ASC;
case V_ASN1_UNIVERSALSTRING:
return MBSTRING_UNIV;
@@ -318,11 +310,9 @@
return -1;
}
-/*
- * This is the main function, print out an ASN1_STRING taking note of various
- * escape and display options. Returns number of characters written or -1 if
- * an error occurred.
- */
+// This is the main function, print out an ASN1_STRING taking note of various
+// escape and display options. Returns number of characters written or -1 if
+// an error occurred.
int ASN1_STRING_print_ex(BIO *out, const ASN1_STRING *str,
unsigned long flags) {
@@ -337,13 +327,13 @@
outlen++;
}
- /* Decide what to do with |str|, either dump the contents or display it. */
+ // Decide what to do with |str|, either dump the contents or display it.
int encoding;
if (flags & ASN1_STRFLGS_DUMP_ALL) {
- /* Dump everything. */
+ // Dump everything.
encoding = -1;
} else if (flags & ASN1_STRFLGS_IGNORE_TYPE) {
- /* Ignore the string type and interpret the contents as Latin-1. */
+ // Ignore the string type and interpret the contents as Latin-1.
encoding = MBSTRING_ASC;
} else {
encoding = string_type_to_encoding(type);
@@ -363,11 +353,11 @@
int utf8_convert = 0;
if (flags & ASN1_STRFLGS_UTF8_CONVERT) {
- /* If the string is UTF-8, skip decoding and just interpret it as 1 byte
- * per character to avoid converting twice.
- *
- * TODO(davidben): This is not quite a valid optimization if the input
- * was invalid UTF-8. */
+ // If the string is UTF-8, skip decoding and just interpret it as 1 byte
+ // per character to avoid converting twice.
+ //
+ // TODO(davidben): This is not quite a valid optimization if the input
+ // was invalid UTF-8.
if (encoding == MBSTRING_UTF8) {
encoding = MBSTRING_ASC;
} else {
@@ -375,7 +365,7 @@
}
}
- /* Measure the length. */
+ // Measure the length.
char quotes = 0;
int len = do_buf(str->data, str->length, encoding, utf8_convert, flags,
"es, NULL);
@@ -390,7 +380,7 @@
return outlen;
}
- /* Encode the value. */
+ // Encode the value.
if ((quotes && !maybe_write(out, "\"", 1)) ||
do_buf(str->data, str->length, encoding, utf8_convert, flags, NULL, out) <
0 ||
@@ -404,8 +394,8 @@
unsigned long flags) {
BIO *bio = NULL;
if (fp != NULL) {
- /* If |fp| is NULL, this function returns the number of bytes without
- * writing. */
+ // If |fp| is NULL, this function returns the number of bytes without
+ // writing.
bio = BIO_new_fp(fp, BIO_NOCLOSE);
if (bio == NULL) {
return -1;
@@ -518,10 +508,10 @@
if (tm->length >= 14 && (v[12] >= '0') && (v[12] <= '9') && (v[13] >= '0') &&
(v[13] <= '9')) {
s = (v[12] - '0') * 10 + (v[13] - '0');
- /* Check for fractions of seconds. */
+ // Check for fractions of seconds.
if (tm->length >= 15 && v[14] == '.') {
int l = tm->length;
- f = &v[14]; /* The decimal point. */
+ f = &v[14]; // The decimal point.
f_len = 1;
while (14 + f_len < l && f[f_len] >= '0' && f[f_len] <= '9') {
++f_len;
diff --git a/crypto/asn1/a_strnid.c b/crypto/asn1/a_strnid.c
index 937b794..3be266e 100644
--- a/crypto/asn1/a_strnid.c
+++ b/crypto/asn1/a_strnid.c
@@ -82,11 +82,9 @@
static const ASN1_STRING_TABLE *asn1_string_table_get(int nid);
-/*
- * The following function generates an ASN1_STRING based on limits in a
- * table. Frequently the types and length of an ASN1_STRING are restricted by
- * a corresponding OID. For example certificates and certificate requests.
- */
+// The following function generates an ASN1_STRING based on limits in a
+// table. Frequently the types and length of an ASN1_STRING are restricted by
+// a corresponding OID. For example certificates and certificate requests.
ASN1_STRING *ASN1_STRING_set_by_NID(ASN1_STRING **out, const unsigned char *in,
int len, int inform, int nid) {
@@ -112,11 +110,9 @@
return *out;
}
-/*
- * Now the tables and helper functions for the string table:
- */
+// Now the tables and helper functions for the string table:
-/* See RFC 5280. */
+// See RFC 5280.
#define ub_name 32768
#define ub_common_name 64
#define ub_locality_name 128
@@ -126,7 +122,7 @@
#define ub_email_address 128
#define ub_serial_number 64
-/* This table must be kept in NID order */
+// This table must be kept in NID order
static const ASN1_STRING_TABLE tbl_standard[] = {
{NID_commonName, 1, ub_common_name, DIRSTRING_TYPE, 0},
@@ -185,15 +181,15 @@
tbl = lh_ASN1_STRING_TABLE_retrieve(string_tables, &key);
}
CRYPTO_STATIC_MUTEX_unlock_read(&string_tables_lock);
- /* Note returning |tbl| without the lock is only safe because
- * |ASN1_STRING_TABLE_add| cannot modify or delete existing entries. If we
- * wish to support that, this function must copy the result under a lock. */
+ // Note returning |tbl| without the lock is only safe because
+ // |ASN1_STRING_TABLE_add| cannot modify or delete existing entries. If we
+ // wish to support that, this function must copy the result under a lock.
return tbl;
}
int ASN1_STRING_TABLE_add(int nid, long minsize, long maxsize,
unsigned long mask, unsigned long flags) {
- /* Existing entries cannot be overwritten. */
+ // Existing entries cannot be overwritten.
if (asn1_string_table_get(nid) != NULL) {
OPENSSL_PUT_ERROR(ASN1, ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED);
return 0;
@@ -208,8 +204,8 @@
goto err;
}
} else {
- /* Check again for an existing entry. One may have been added while
- * unlocked. */
+ // Check again for an existing entry. One may have been added while
+ // unlocked.
ASN1_STRING_TABLE key;
key.nid = nid;
if (lh_ASN1_STRING_TABLE_retrieve(string_tables, &key) != NULL) {
diff --git a/crypto/asn1/a_time.c b/crypto/asn1/a_time.c
index 5fdbc33..2252118 100644
--- a/crypto/asn1/a_time.c
+++ b/crypto/asn1/a_time.c
@@ -65,11 +65,9 @@
#include "internal.h"
-/*
- * This is an implementation of the ASN1 Time structure which is: Time ::=
- * CHOICE { utcTime UTCTime, generalTime GeneralizedTime } written by Steve
- * Henson.
- */
+// This is an implementation of the ASN1 Time structure which is: Time ::=
+// CHOICE { utcTime UTCTime, generalTime GeneralizedTime } written by Steve
+// Henson.
IMPLEMENT_ASN1_MSTRING(ASN1_TIME, B_ASN1_TIME)
@@ -109,7 +107,7 @@
return 0;
}
-/* Convert an ASN1_TIME structure to GeneralizedTime */
+// Convert an ASN1_TIME structure to GeneralizedTime
ASN1_GENERALIZEDTIME *ASN1_TIME_to_generalizedtime(const ASN1_TIME *t,
ASN1_GENERALIZEDTIME **out) {
ASN1_GENERALIZEDTIME *ret = NULL;
@@ -128,7 +126,7 @@
ret = *out;
}
- /* If already GeneralizedTime just copy across */
+ // If already GeneralizedTime just copy across
if (t->type == V_ASN1_GENERALIZEDTIME) {
if (!ASN1_STRING_set(ret, t->data, t->length)) {
goto err;
@@ -136,14 +134,14 @@
goto done;
}
- /* grow the string */
+ // grow the string
if (!ASN1_STRING_set(ret, NULL, t->length + 2)) {
goto err;
}
- /* ASN1_STRING_set() allocated 'len + 1' bytes. */
+ // ASN1_STRING_set() allocated 'len + 1' bytes.
newlen = t->length + 2 + 1;
str = (char *)ret->data;
- /* Work out the century and prepend */
+ // Work out the century and prepend
if (t->data[0] >= '5') {
OPENSSL_strlcpy(str, "19", newlen);
} else {
diff --git a/crypto/asn1/a_type.c b/crypto/asn1/a_type.c
index 1a53c93..d59fdba 100644
--- a/crypto/asn1/a_type.c
+++ b/crypto/asn1/a_type.c
@@ -115,7 +115,7 @@
return 1;
}
-/* Returns 0 if they are equal, != 0 otherwise. */
+// Returns 0 if they are equal, != 0 otherwise.
int ASN1_TYPE_cmp(const ASN1_TYPE *a, const ASN1_TYPE *b) {
int result = -1;
@@ -128,7 +128,7 @@
result = OBJ_cmp(a->value.object, b->value.object);
break;
case V_ASN1_NULL:
- result = 0; /* They do not have content. */
+ result = 0; // They do not have content.
break;
case V_ASN1_BOOLEAN:
result = a->value.boolean - b->value.boolean;
diff --git a/crypto/asn1/a_utf8.c b/crypto/asn1/a_utf8.c
index 0f2cba6..58496b2 100644
--- a/crypto/asn1/a_utf8.c
+++ b/crypto/asn1/a_utf8.c
@@ -61,16 +61,14 @@
#include "internal.h"
-/* UTF8 utilities */
+// UTF8 utilities
-/*
- * This parses a UTF8 string one character at a time. It is passed a pointer
- * to the string and the length of the string. It sets 'value' to the value
- * of the current character. It returns the number of characters read or a
- * negative error code: -1 = string too short -2 = illegal character -3 =
- * subsequent characters not of the form 10xxxxxx -4 = character encoded
- * incorrectly (not minimal length).
- */
+// This parses a UTF8 string one character at a time. It is passed a pointer
+// to the string and the length of the string. It sets 'value' to the value
+// of the current character. It returns the number of characters read or a
+// negative error code: -1 = string too short -2 = illegal character -3 =
+// subsequent characters not of the form 10xxxxxx -4 = character encoded
+// incorrectly (not minimal length).
int UTF8_getc(const unsigned char *str, int len, uint32_t *val) {
const unsigned char *p;
@@ -81,7 +79,7 @@
}
p = str;
- /* Check syntax and work out the encoded value (if correct) */
+ // Check syntax and work out the encoded value (if correct)
if ((*p & 0x80) == 0) {
value = *p++ & 0x7f;
ret = 1;
@@ -171,17 +169,15 @@
return ret;
}
-/*
- * This takes a character 'value' and writes the UTF8 encoded value in 'str'
- * where 'str' is a buffer containing 'len' characters. Returns the number of
- * characters written or -1 if 'len' is too small. 'str' can be set to NULL
- * in which case it just returns the number of characters. It will need at
- * most 6 characters.
- */
+// This takes a character 'value' and writes the UTF8 encoded value in 'str'
+// where 'str' is a buffer containing 'len' characters. Returns the number of
+// characters written or -1 if 'len' is too small. 'str' can be set to NULL
+// in which case it just returns the number of characters. It will need at
+// most 6 characters.
int UTF8_putc(unsigned char *str, int len, uint32_t value) {
if (!str) {
- len = 6; /* Maximum we will need */
+ len = 6; // Maximum we will need
} else if (len <= 0) {
return -1;
}
diff --git a/crypto/asn1/asn1_lib.c b/crypto/asn1/asn1_lib.c
index bc54706..6fbeb56 100644
--- a/crypto/asn1/asn1_lib.c
+++ b/crypto/asn1/asn1_lib.c
@@ -67,19 +67,17 @@
#include "internal.h"
-/* Cross-module errors from crypto/x509/i2d_pr.c. */
+// Cross-module errors from crypto/x509/i2d_pr.c.
OPENSSL_DECLARE_ERROR_REASON(ASN1, UNSUPPORTED_PUBLIC_KEY_TYPE)
-/* Cross-module errors from crypto/x509/algorithm.c. */
+// Cross-module errors from crypto/x509/algorithm.c.
OPENSSL_DECLARE_ERROR_REASON(ASN1, CONTEXT_NOT_INITIALISED)
OPENSSL_DECLARE_ERROR_REASON(ASN1, DIGEST_AND_KEY_TYPE_NOT_SUPPORTED)
OPENSSL_DECLARE_ERROR_REASON(ASN1, UNKNOWN_MESSAGE_DIGEST_ALGORITHM)
OPENSSL_DECLARE_ERROR_REASON(ASN1, UNKNOWN_SIGNATURE_ALGORITHM)
OPENSSL_DECLARE_ERROR_REASON(ASN1, WRONG_PUBLIC_KEY_TYPE)
-/*
- * Cross-module errors from crypto/x509/asn1_gen.c. TODO(davidben): Remove
- * these once asn1_gen.c is gone.
- */
+// Cross-module errors from crypto/x509/asn1_gen.c. TODO(davidben): Remove
+// these once asn1_gen.c is gone.
OPENSSL_DECLARE_ERROR_REASON(ASN1, DEPTH_EXCEEDED)
OPENSSL_DECLARE_ERROR_REASON(ASN1, ILLEGAL_BITSTRING_FORMAT)
OPENSSL_DECLARE_ERROR_REASON(ASN1, ILLEGAL_BOOLEAN)
@@ -113,12 +111,12 @@
return 0x80;
}
- /* TODO(https://crbug.com/boringssl/354): This should use |CBS_get_asn1| to
- * reject non-minimal lengths, which are only allowed in BER. However,
- * Android sometimes needs allow a non-minimal length in certificate
- * signature fields (see b/18228011). Make this only apply to that field,
- * while requiring DER elsewhere. Better yet, it should be limited to an
- * preprocessing step in that part of Android. */
+ // TODO(https://crbug.com/boringssl/354): This should use |CBS_get_asn1| to
+ // reject non-minimal lengths, which are only allowed in BER. However,
+ // Android sometimes needs allow a non-minimal length in certificate
+ // signature fields (see b/18228011). Make this only apply to that field,
+ // while requiring DER elsewhere. Better yet, it should be limited to an
+ // preprocessing step in that part of Android.
unsigned tag;
size_t header_len;
int indefinite;
@@ -127,19 +125,19 @@
if (!CBS_get_any_ber_asn1_element(&cbs, &body, &tag, &header_len,
/*out_ber_found=*/NULL, &indefinite) ||
indefinite || !CBS_skip(&body, header_len) ||
- /* Bound the length to comfortably fit in an int. Lengths in this
- * module often switch between int and long without overflow checks. */
+ // Bound the length to comfortably fit in an int. Lengths in this
+ // module often switch between int and long without overflow checks.
CBS_len(&body) > INT_MAX / 2) {
OPENSSL_PUT_ERROR(ASN1, ASN1_R_HEADER_TOO_LONG);
return 0x80;
}
- /* Convert between tag representations. */
+ // Convert between tag representations.
int tag_class = (tag & CBS_ASN1_CLASS_MASK) >> CBS_ASN1_TAG_SHIFT;
int constructed = (tag & CBS_ASN1_CONSTRUCTED) >> CBS_ASN1_TAG_SHIFT;
int tag_number = tag & CBS_ASN1_TAG_NUMBER_MASK;
- /* To avoid ambiguity with V_ASN1_NEG, impose a limit on universal tags. */
+ // To avoid ambiguity with V_ASN1_NEG, impose a limit on universal tags.
if (tag_class == V_ASN1_UNIVERSAL && tag_number > V_ASN1_MAX_UNIVERSAL) {
OPENSSL_PUT_ERROR(ASN1, ASN1_R_HEADER_TOO_LONG);
return 0x80;
@@ -152,9 +150,7 @@
return constructed;
}
-/*
- * class 0 is constructed constructed == 2 for indefinite length constructed
- */
+// class 0 is constructed constructed == 2 for indefinite length constructed
void ASN1_put_object(unsigned char **pp, int constructed, int length, int tag,
int xclass) {
unsigned char *p = *pp;
@@ -188,8 +184,8 @@
}
int ASN1_put_eoc(unsigned char **pp) {
- /* This function is no longer used in the library, but some external code
- * uses it. */
+ // This function is no longer used in the library, but some external code
+ // uses it.
unsigned char *p = *pp;
*p++ = 0;
*p++ = 0;
@@ -303,7 +299,7 @@
str->length = len;
if (data != NULL) {
OPENSSL_memcpy(str->data, data, len);
- /* an allowance for strings :-) */
+ // an allowance for strings :-)
str->data[len] = '\0';
}
return (1);
@@ -343,7 +339,7 @@
}
int ASN1_STRING_cmp(const ASN1_STRING *a, const ASN1_STRING *b) {
- /* Capture padding bits and implicit truncation in BIT STRINGs. */
+ // Capture padding bits and implicit truncation in BIT STRINGs.
int a_length = a->length, b_length = b->length;
uint8_t a_padding = 0, b_padding = 0;
if (a->type == V_ASN1_BIT_STRING) {
@@ -359,8 +355,8 @@
if (a_length > b_length) {
return 1;
}
- /* In a BIT STRING, the number of bits is 8 * length - padding. Invert this
- * comparison so we compare by lengths. */
+ // In a BIT STRING, the number of bits is 8 * length - padding. Invert this
+ // comparison so we compare by lengths.
if (a_padding > b_padding) {
return -1;
}
@@ -373,7 +369,7 @@
return ret;
}
- /* Comparing the type first is more natural, but this matches OpenSSL. */
+ // Comparing the type first is more natural, but this matches OpenSSL.
if (a->type < b->type) {
return -1;
}
diff --git a/crypto/asn1/internal.h b/crypto/asn1/internal.h
index a6929e3..9c0d73e 100644
--- a/crypto/asn1/internal.h
+++ b/crypto/asn1/internal.h
@@ -69,42 +69,42 @@
#endif
-/* Wrapper functions for time functions. */
+// Wrapper functions for time functions.
-/* OPENSSL_gmtime wraps |gmtime_r|. See the manual page for that function. */
+// OPENSSL_gmtime wraps |gmtime_r|. See the manual page for that function.
OPENSSL_EXPORT struct tm *OPENSSL_gmtime(const time_t *time, struct tm *result);
-/* OPENSSL_gmtime_adj updates |tm| by adding |offset_day| days and |offset_sec|
- * seconds. */
+// OPENSSL_gmtime_adj updates |tm| by adding |offset_day| days and |offset_sec|
+// seconds.
int OPENSSL_gmtime_adj(struct tm *tm, int offset_day, long offset_sec);
-/* OPENSSL_gmtime_diff calculates the difference between |from| and |to| and
- * outputs the difference as a number of days and seconds in |*out_days| and
- * |*out_secs|. */
+// OPENSSL_gmtime_diff calculates the difference between |from| and |to| and
+// outputs the difference as a number of days and seconds in |*out_days| and
+// |*out_secs|.
OPENSSL_EXPORT int OPENSSL_gmtime_diff(int *out_days, int *out_secs,
const struct tm *from,
const struct tm *to);
-/* Internal ASN1 structures and functions: not for application use */
+// Internal ASN1 structures and functions: not for application use
-/* These are used internally in the ASN1_OBJECT to keep track of
- * whether the names and data need to be free()ed */
-#define ASN1_OBJECT_FLAG_DYNAMIC 0x01 /* internal use */
-#define ASN1_OBJECT_FLAG_DYNAMIC_STRINGS 0x04 /* internal use */
-#define ASN1_OBJECT_FLAG_DYNAMIC_DATA 0x08 /* internal use */
+// These are used internally in the ASN1_OBJECT to keep track of
+// whether the names and data need to be free()ed
+#define ASN1_OBJECT_FLAG_DYNAMIC 0x01 // internal use
+#define ASN1_OBJECT_FLAG_DYNAMIC_STRINGS 0x04 // internal use
+#define ASN1_OBJECT_FLAG_DYNAMIC_DATA 0x08 // internal use
-/* An asn1_object_st (aka |ASN1_OBJECT|) represents an ASN.1 OBJECT IDENTIFIER.
- * Note: Mutating an |ASN1_OBJECT| is only permitted when initializing it. The
- * library maintains a table of static |ASN1_OBJECT|s, which may be referenced
- * by non-const |ASN1_OBJECT| pointers. Code which receives an |ASN1_OBJECT|
- * pointer externally must assume it is immutable, even if the pointer is not
- * const. */
+// An asn1_object_st (aka |ASN1_OBJECT|) represents an ASN.1 OBJECT IDENTIFIER.
+// Note: Mutating an |ASN1_OBJECT| is only permitted when initializing it. The
+// library maintains a table of static |ASN1_OBJECT|s, which may be referenced
+// by non-const |ASN1_OBJECT| pointers. Code which receives an |ASN1_OBJECT|
+// pointer externally must assume it is immutable, even if the pointer is not
+// const.
struct asn1_object_st {
const char *sn, *ln;
int nid;
int length;
- const unsigned char *data; /* data remains const after init */
- int flags; /* Should we free this one */
+ const unsigned char *data; // data remains const after init
+ int flags; // Should we free this one
};
ASN1_OBJECT *ASN1_OBJECT_new(void);
@@ -144,31 +144,31 @@
const ASN1_ITEM *it, int tag, int aclass, char opt,
ASN1_TLC *ctx);
-/* ASN1_item_ex_i2d encodes |*pval| as a value of type |it| to |out| under the
- * i2d output convention. It returns a non-zero length on success and -1 on
- * error. If |tag| is -1. the tag and class come from |it|. Otherwise, the tag
- * number is |tag| and the class is |aclass|. This is used for implicit tagging.
- * This function treats a missing value as an error, not an optional field. */
+// ASN1_item_ex_i2d encodes |*pval| as a value of type |it| to |out| under the
+// i2d output convention. It returns a non-zero length on success and -1 on
+// error. If |tag| is -1. the tag and class come from |it|. Otherwise, the tag
+// number is |tag| and the class is |aclass|. This is used for implicit tagging.
+// This function treats a missing value as an error, not an optional field.
int ASN1_item_ex_i2d(ASN1_VALUE **pval, unsigned char **out,
const ASN1_ITEM *it, int tag, int aclass);
void ASN1_primitive_free(ASN1_VALUE **pval, const ASN1_ITEM *it);
-/* asn1_get_choice_selector returns the CHOICE selector value for |*pval|, which
- * must of type |it|. */
+// asn1_get_choice_selector returns the CHOICE selector value for |*pval|, which
+// must of type |it|.
int asn1_get_choice_selector(ASN1_VALUE **pval, const ASN1_ITEM *it);
int asn1_set_choice_selector(ASN1_VALUE **pval, int value, const ASN1_ITEM *it);
-/* asn1_get_field_ptr returns a pointer to the field in |*pval| corresponding to
- * |tt|. */
+// asn1_get_field_ptr returns a pointer to the field in |*pval| corresponding to
+// |tt|.
ASN1_VALUE **asn1_get_field_ptr(ASN1_VALUE **pval, const ASN1_TEMPLATE *tt);
-/* asn1_do_adb returns the |ASN1_TEMPLATE| for the ANY DEFINED BY field |tt|,
- * based on the selector INTEGER or OID in |*pval|. If |tt| is not an ADB field,
- * it returns |tt|. If the selector does not match any value, it returns NULL.
- * If |nullerr| is non-zero, it will additionally push an error to the error
- * queue when there is no match. */
+// asn1_do_adb returns the |ASN1_TEMPLATE| for the ANY DEFINED BY field |tt|,
+// based on the selector INTEGER or OID in |*pval|. If |tt| is not an ADB field,
+// it returns |tt|. If the selector does not match any value, it returns NULL.
+// If |nullerr| is non-zero, it will additionally push an error to the error
+// queue when there is no match.
const ASN1_TEMPLATE *asn1_do_adb(ASN1_VALUE **pval, const ASN1_TEMPLATE *tt,
int nullerr);
@@ -178,29 +178,29 @@
void asn1_enc_init(ASN1_VALUE **pval, const ASN1_ITEM *it);
void asn1_enc_free(ASN1_VALUE **pval, const ASN1_ITEM *it);
-/* asn1_enc_restore, if |*pval| has a saved encoding, writes it to |out| under
- * the i2d output convention, sets |*len| to the length, and returns one. If it
- * has no saved encoding, it returns zero. */
+// asn1_enc_restore, if |*pval| has a saved encoding, writes it to |out| under
+// the i2d output convention, sets |*len| to the length, and returns one. If it
+// has no saved encoding, it returns zero.
int asn1_enc_restore(int *len, unsigned char **out, ASN1_VALUE **pval,
const ASN1_ITEM *it);
int asn1_enc_save(ASN1_VALUE **pval, const unsigned char *in, int inlen,
const ASN1_ITEM *it);
-/* asn1_type_value_as_pointer returns |a|'s value in pointer form. This is
- * usually the value object but, for BOOLEAN values, is 0 or 0xff cast to
- * a pointer. */
+// asn1_type_value_as_pointer returns |a|'s value in pointer form. This is
+// usually the value object but, for BOOLEAN values, is 0 or 0xff cast to
+// a pointer.
const void *asn1_type_value_as_pointer(const ASN1_TYPE *a);
-/* asn1_is_printable returns one if |value| is a valid Unicode codepoint for an
- * ASN.1 PrintableString, and zero otherwise. */
+// asn1_is_printable returns one if |value| is a valid Unicode codepoint for an
+// ASN.1 PrintableString, and zero otherwise.
int asn1_is_printable(uint32_t value);
-/* asn1_bit_string_length returns the number of bytes in |str| and sets
- * |*out_padding_bits| to the number of padding bits.
- *
- * This function should be used instead of |ASN1_STRING_length| to correctly
- * handle the non-|ASN1_STRING_FLAG_BITS_LEFT| case. */
+// asn1_bit_string_length returns the number of bytes in |str| and sets
+// |*out_padding_bits| to the number of padding bits.
+//
+// This function should be used instead of |ASN1_STRING_length| to correctly
+// handle the non-|ASN1_STRING_FLAG_BITS_LEFT| case.
int asn1_bit_string_length(const ASN1_BIT_STRING *str,
uint8_t *out_padding_bits);
@@ -212,14 +212,14 @@
unsigned long flags;
} ASN1_STRING_TABLE;
-/* asn1_get_string_table_for_testing sets |*out_ptr| and |*out_len| to the table
- * of built-in |ASN1_STRING_TABLE| values. It is exported for testing. */
+// asn1_get_string_table_for_testing sets |*out_ptr| and |*out_len| to the table
+// of built-in |ASN1_STRING_TABLE| values. It is exported for testing.
OPENSSL_EXPORT void asn1_get_string_table_for_testing(
const ASN1_STRING_TABLE **out_ptr, size_t *out_len);
#if defined(__cplusplus)
-} /* extern C */
+} // extern C
#endif
-#endif /* OPENSSL_HEADER_ASN1_ASN1_LOCL_H */
+#endif // OPENSSL_HEADER_ASN1_ASN1_LOCL_H
diff --git a/crypto/asn1/tasn_dec.c b/crypto/asn1/tasn_dec.c
index f86026e..c855fe5 100644
--- a/crypto/asn1/tasn_dec.c
+++ b/crypto/asn1/tasn_dec.c
@@ -66,12 +66,10 @@
#include "../internal.h"
#include "internal.h"
-/*
- * Constructed types with a recursive definition (such as can be found in PKCS7)
- * could eventually exceed the stack given malicious input with excessive
- * recursion. Therefore we limit the stack depth. This is the maximum number of
- * recursive invocations of asn1_item_embed_d2i().
- */
+// Constructed types with a recursive definition (such as can be found in PKCS7)
+// could eventually exceed the stack given malicious input with excessive
+// recursion. Therefore we limit the stack depth. This is the maximum number of
+// recursive invocations of asn1_item_embed_d2i().
#define ASN1_MAX_CONSTRUCTED_NEST 30
static int asn1_check_tlen(long *olen, int *otag, unsigned char *oclass,
@@ -93,26 +91,26 @@
long len, const ASN1_ITEM *it, int tag, int aclass,
char opt, int depth);
-/* Table to convert tags to bit values, used for MSTRING type */
+// Table to convert tags to bit values, used for MSTRING type
static const unsigned long tag2bit[31] = {
- 0, /* (reserved) */
- 0, /* BOOLEAN */
- 0, /* INTEGER */
+ 0, // (reserved)
+ 0, // BOOLEAN
+ 0, // INTEGER
B_ASN1_BIT_STRING,
B_ASN1_OCTET_STRING,
- 0, /* NULL */
- 0, /* OBJECT IDENTIFIER */
- B_ASN1_UNKNOWN, /* ObjectDescriptor */
- B_ASN1_UNKNOWN, /* EXTERNAL */
- B_ASN1_UNKNOWN, /* REAL */
- B_ASN1_UNKNOWN, /* ENUMERATED */
- B_ASN1_UNKNOWN, /* EMBEDDED PDV */
+ 0, // NULL
+ 0, // OBJECT IDENTIFIER
+ B_ASN1_UNKNOWN, // ObjectDescriptor
+ B_ASN1_UNKNOWN, // EXTERNAL
+ B_ASN1_UNKNOWN, // REAL
+ B_ASN1_UNKNOWN, // ENUMERATED
+ B_ASN1_UNKNOWN, // EMBEDDED PDV
B_ASN1_UTF8STRING,
- B_ASN1_UNKNOWN, /* RELATIVE-OID */
- B_ASN1_UNKNOWN, /* TIME */
- B_ASN1_UNKNOWN, /* (reserved) */
+ B_ASN1_UNKNOWN, // RELATIVE-OID
+ B_ASN1_UNKNOWN, // TIME
+ B_ASN1_UNKNOWN, // (reserved)
B_ASN1_SEQUENCE,
- 0, /* SET */
+ 0, // SET
B_ASN1_NUMERICSTRING,
B_ASN1_PRINTABLESTRING,
B_ASN1_T61STRING,
@@ -124,7 +122,7 @@
B_ASN1_ISO64STRING,
B_ASN1_GENERALSTRING,
B_ASN1_UNIVERSALSTRING,
- B_ASN1_UNKNOWN, /* CHARACTER STRING */
+ B_ASN1_UNKNOWN, // CHARACTER STRING
B_ASN1_BMPSTRING,
};
@@ -135,14 +133,12 @@
return tag2bit[tag];
}
-/* Macro to initialize and invalidate the cache */
+// Macro to initialize and invalidate the cache
-/*
- * Decode an ASN1 item, this currently behaves just like a standard 'd2i'
- * function. 'in' points to a buffer to read the data from, in future we
- * will have more advanced versions that can input data a piece at a time and
- * this will simply be a special case.
- */
+// Decode an ASN1 item, this currently behaves just like a standard 'd2i'
+// function. 'in' points to a buffer to read the data from, in future we
+// will have more advanced versions that can input data a piece at a time and
+// this will simply be a special case.
ASN1_VALUE *ASN1_item_d2i(ASN1_VALUE **pval, const unsigned char **in, long len,
const ASN1_ITEM *it) {
@@ -157,10 +153,8 @@
return NULL;
}
-/*
- * Decode an item, taking care of IMPLICIT tagging, if any. If 'opt' set and
- * tag mismatch return -1 to handle OPTIONAL
- */
+// Decode an item, taking care of IMPLICIT tagging, if any. If 'opt' set and
+// tag mismatch return -1 to handle OPTIONAL
static int asn1_item_ex_d2i(ASN1_VALUE **pval, const unsigned char **in,
long len, const ASN1_ITEM *it, int tag, int aclass,
@@ -180,10 +174,8 @@
return 0;
}
- /*
- * Bound |len| to comfortably fit in an int. Lengths in this module often
- * switch between int and long without overflow checks.
- */
+ // Bound |len| to comfortably fit in an int. Lengths in this module often
+ // switch between int and long without overflow checks.
if (len > INT_MAX / 2) {
len = INT_MAX / 2;
}
@@ -196,12 +188,10 @@
switch (it->itype) {
case ASN1_ITYPE_PRIMITIVE:
if (it->templates) {
- /*
- * tagging or OPTIONAL is currently illegal on an item template
- * because the flags can't get passed down. In practice this
- * isn't a problem: we include the relevant flags from the item
- * template in the template itself.
- */
+ // tagging or OPTIONAL is currently illegal on an item template
+ // because the flags can't get passed down. In practice this
+ // isn't a problem: we include the relevant flags from the item
+ // template in the template itself.
if ((tag != -1) || opt) {
OPENSSL_PUT_ERROR(ASN1, ASN1_R_ILLEGAL_OPTIONS_ON_ITEM_TEMPLATE);
goto err;
@@ -212,35 +202,33 @@
break;
case ASN1_ITYPE_MSTRING:
- /*
- * It never makes sense for multi-strings to have implicit tagging, so
- * if tag != -1, then this looks like an error in the template.
- */
+ // It never makes sense for multi-strings to have implicit tagging, so
+ // if tag != -1, then this looks like an error in the template.
if (tag != -1) {
OPENSSL_PUT_ERROR(ASN1, ASN1_R_BAD_TEMPLATE);
goto err;
}
p = *in;
- /* Just read in tag and class */
+ // Just read in tag and class
ret = asn1_check_tlen(NULL, &otag, &oclass, NULL, &p, len, -1, 0, 1);
if (!ret) {
OPENSSL_PUT_ERROR(ASN1, ASN1_R_NESTED_ASN1_ERROR);
goto err;
}
- /* Must be UNIVERSAL class */
+ // Must be UNIVERSAL class
if (oclass != V_ASN1_UNIVERSAL) {
- /* If OPTIONAL, assume this is OK */
+ // If OPTIONAL, assume this is OK
if (opt) {
return -1;
}
OPENSSL_PUT_ERROR(ASN1, ASN1_R_MSTRING_NOT_UNIVERSAL);
goto err;
}
- /* Check tag matches bit map */
+ // Check tag matches bit map
if (!(ASN1_tag2bit(otag) & it->utype)) {
- /* If OPTIONAL, assume this is OK */
+ // If OPTIONAL, assume this is OK
if (opt) {
return -1;
}
@@ -250,15 +238,13 @@
return asn1_d2i_ex_primitive(pval, in, len, it, otag, 0, 0);
case ASN1_ITYPE_EXTERN:
- /* Use new style d2i */
+ // Use new style d2i
ef = it->funcs;
return ef->asn1_ex_d2i(pval, in, len, it, tag, aclass, opt, NULL);
case ASN1_ITYPE_CHOICE: {
- /*
- * It never makes sense for CHOICE types to have implicit tagging, so if
- * tag != -1, then this looks like an error in the template.
- */
+ // It never makes sense for CHOICE types to have implicit tagging, so if
+ // tag != -1, then this looks like an error in the template.
if (tag != -1) {
OPENSSL_PUT_ERROR(ASN1, ASN1_R_BAD_TEMPLATE);
goto err;
@@ -271,7 +257,7 @@
}
if (*pval) {
- /* Free up and zero CHOICE value if initialised */
+ // Free up and zero CHOICE value if initialised
i = asn1_get_choice_selector(pval, it);
if ((i >= 0) && (i < it->tcount)) {
tt = it->templates + i;
@@ -283,33 +269,31 @@
OPENSSL_PUT_ERROR(ASN1, ASN1_R_NESTED_ASN1_ERROR);
goto err;
}
- /* CHOICE type, try each possibility in turn */
+ // CHOICE type, try each possibility in turn
p = *in;
for (i = 0, tt = it->templates; i < it->tcount; i++, tt++) {
pchptr = asn1_get_field_ptr(pval, tt);
- /*
- * We mark field as OPTIONAL so its absence can be recognised.
- */
+ // We mark field as OPTIONAL so its absence can be recognised.
ret = asn1_template_ex_d2i(pchptr, &p, len, tt, 1, depth);
- /* If field not present, try the next one */
+ // If field not present, try the next one
if (ret == -1) {
continue;
}
- /* If positive return, read OK, break loop */
+ // If positive return, read OK, break loop
if (ret > 0) {
break;
}
- /* Otherwise must be an ASN1 parsing error */
+ // Otherwise must be an ASN1 parsing error
errtt = tt;
OPENSSL_PUT_ERROR(ASN1, ASN1_R_NESTED_ASN1_ERROR);
goto err;
}
- /* Did we fall off the end without reading anything? */
+ // Did we fall off the end without reading anything?
if (i == it->tcount) {
- /* If OPTIONAL, this is OK */
+ // If OPTIONAL, this is OK
if (opt) {
- /* Free and zero it */
+ // Free and zero it
ASN1_item_ex_free(pval, it);
return -1;
}
@@ -328,12 +312,12 @@
case ASN1_ITYPE_SEQUENCE: {
p = *in;
- /* If no IMPLICIT tagging set to SEQUENCE, UNIVERSAL */
+ // If no IMPLICIT tagging set to SEQUENCE, UNIVERSAL
if (tag == -1) {
tag = V_ASN1_SEQUENCE;
aclass = V_ASN1_UNIVERSAL;
}
- /* Get SEQUENCE length and update len, p */
+ // Get SEQUENCE length and update len, p
ret = asn1_check_tlen(&len, NULL, NULL, &cst, &p, len, tag, aclass, opt);
if (!ret) {
OPENSSL_PUT_ERROR(ASN1, ASN1_R_NESTED_ASN1_ERROR);
@@ -357,7 +341,7 @@
goto auxerr;
}
- /* Free up and zero any ADB found */
+ // Free up and zero any ADB found
for (i = 0, tt = it->templates; i < it->tcount; i++, tt++) {
if (tt->flags & ASN1_TFLG_ADB_MASK) {
const ASN1_TEMPLATE *seqtt;
@@ -371,7 +355,7 @@
}
}
- /* Get each field entry */
+ // Get each field entry
for (i = 0, tt = it->templates; i < it->tcount; i++, tt++) {
const ASN1_TEMPLATE *seqtt;
ASN1_VALUE **pseqval;
@@ -380,52 +364,44 @@
goto err;
}
pseqval = asn1_get_field_ptr(pval, seqtt);
- /* Have we ran out of data? */
+ // Have we ran out of data?
if (!len) {
break;
}
q = p;
- /*
- * This determines the OPTIONAL flag value. The field cannot be
- * omitted if it is the last of a SEQUENCE and there is still
- * data to be read. This isn't strictly necessary but it
- * increases efficiency in some cases.
- */
+ // This determines the OPTIONAL flag value. The field cannot be
+ // omitted if it is the last of a SEQUENCE and there is still
+ // data to be read. This isn't strictly necessary but it
+ // increases efficiency in some cases.
if (i == (it->tcount - 1)) {
isopt = 0;
} else {
isopt = (char)(seqtt->flags & ASN1_TFLG_OPTIONAL);
}
- /*
- * attempt to read in field, allowing each to be OPTIONAL
- */
+ // attempt to read in field, allowing each to be OPTIONAL
ret = asn1_template_ex_d2i(pseqval, &p, len, seqtt, isopt, depth);
if (!ret) {
errtt = seqtt;
goto err;
} else if (ret == -1) {
- /*
- * OPTIONAL component absent. Free and zero the field.
- */
+ // OPTIONAL component absent. Free and zero the field.
ASN1_template_free(pseqval, seqtt);
continue;
}
- /* Update length */
+ // Update length
len -= p - q;
}
- /* Check all data read */
+ // Check all data read
if (len) {
OPENSSL_PUT_ERROR(ASN1, ASN1_R_SEQUENCE_LENGTH_MISMATCH);
goto err;
}
- /*
- * If we get here we've got no more data in the SEQUENCE, however we
- * may not have read all fields so check all remaining are OPTIONAL
- * and clear any that are.
- */
+ // If we get here we've got no more data in the SEQUENCE, however we
+ // may not have read all fields so check all remaining are OPTIONAL
+ // and clear any that are.
for (; i < it->tcount; tt++, i++) {
const ASN1_TEMPLATE *seqtt;
seqtt = asn1_do_adb(pval, tt, 1);
@@ -442,7 +418,7 @@
goto err;
}
}
- /* Save encoding */
+ // Save encoding
if (!asn1_enc_save(pval, *in, p - *in, it)) {
goto auxerr;
}
@@ -476,10 +452,8 @@
return asn1_item_ex_d2i(pval, in, len, it, tag, aclass, opt, 0);
}
-/*
- * Templates are handled with two separate functions. One handles any
- * EXPLICIT tag and the other handles the rest.
- */
+// Templates are handled with two separate functions. One handles any
+// EXPLICIT tag and the other handles the rest.
static int asn1_template_ex_d2i(ASN1_VALUE **val, const unsigned char **in,
long inlen, const ASN1_TEMPLATE *tt, char opt,
@@ -496,13 +470,11 @@
p = *in;
- /* Check if EXPLICIT tag expected */
+ // Check if EXPLICIT tag expected
if (flags & ASN1_TFLG_EXPTAG) {
char cst;
- /*
- * Need to work out amount of data available to the inner content and
- * where it starts: so read in EXPLICIT header to get the info.
- */
+ // Need to work out amount of data available to the inner content and
+ // where it starts: so read in EXPLICIT header to get the info.
ret = asn1_check_tlen(&len, NULL, NULL, &cst, &p, inlen, tt->tag, aclass,
opt);
q = p;
@@ -516,15 +488,15 @@
OPENSSL_PUT_ERROR(ASN1, ASN1_R_EXPLICIT_TAG_NOT_CONSTRUCTED);
return 0;
}
- /* We've found the field so it can't be OPTIONAL now */
+ // We've found the field so it can't be OPTIONAL now
ret = asn1_template_noexp_d2i(val, &p, len, tt, 0, depth);
if (!ret) {
OPENSSL_PUT_ERROR(ASN1, ASN1_R_NESTED_ASN1_ERROR);
return 0;
}
- /* We read the field in OK so update length */
+ // We read the field in OK so update length
len -= p - q;
- /* Check for trailing data. */
+ // Check for trailing data.
if (len) {
OPENSSL_PUT_ERROR(ASN1, ASN1_R_EXPLICIT_LENGTH_MISMATCH);
goto err;
@@ -556,9 +528,9 @@
p = *in;
if (flags & ASN1_TFLG_SK_MASK) {
- /* SET OF, SEQUENCE OF */
+ // SET OF, SEQUENCE OF
int sktag, skaclass;
- /* First work out expected inner tag value */
+ // First work out expected inner tag value
if (flags & ASN1_TFLG_IMPTAG) {
sktag = tt->tag;
skaclass = aclass;
@@ -570,7 +542,7 @@
sktag = V_ASN1_SEQUENCE;
}
}
- /* Get the tag */
+ // Get the tag
ret =
asn1_check_tlen(&len, NULL, NULL, NULL, &p, len, sktag, skaclass, opt);
if (!ret) {
@@ -582,9 +554,7 @@
if (!*val) {
*val = (ASN1_VALUE *)sk_ASN1_VALUE_new_null();
} else {
- /*
- * We've got a valid STACK: free up any items present
- */
+ // We've got a valid STACK: free up any items present
STACK_OF(ASN1_VALUE) *sktmp = (STACK_OF(ASN1_VALUE) *)*val;
ASN1_VALUE *vtmp;
while (sk_ASN1_VALUE_num(sktmp) > 0) {
@@ -598,7 +568,7 @@
goto err;
}
- /* Read as many items as we can */
+ // Read as many items as we can
while (len > 0) {
ASN1_VALUE *skfield;
const unsigned char *q = p;
@@ -616,7 +586,7 @@
}
}
} else if (flags & ASN1_TFLG_IMPTAG) {
- /* IMPLICIT tagging */
+ // IMPLICIT tagging
ret = asn1_item_ex_d2i(val, &p, len, ASN1_ITEM_ptr(tt->item), tt->tag,
aclass, opt, depth);
if (!ret) {
@@ -626,7 +596,7 @@
return -1;
}
} else {
- /* Nothing special */
+ // Nothing special
ret = asn1_item_ex_d2i(val, &p, len, ASN1_ITEM_ptr(tt->item), -1,
tt->flags & ASN1_TFLG_COMBINE, opt, depth);
if (!ret) {
@@ -656,7 +626,7 @@
long len;
if (!pval) {
OPENSSL_PUT_ERROR(ASN1, ASN1_R_ILLEGAL_NULL);
- return 0; /* Should never happen */
+ return 0; // Should never happen
}
if (it->itype == ASN1_ITYPE_MSTRING) {
@@ -667,7 +637,7 @@
}
if (utype == V_ASN1_ANY) {
- /* If type is ANY need to figure out type from tag */
+ // If type is ANY need to figure out type from tag
unsigned char oclass;
if (tag >= 0) {
OPENSSL_PUT_ERROR(ASN1, ASN1_R_ILLEGAL_TAGGED_ANY);
@@ -692,7 +662,7 @@
aclass = V_ASN1_UNIVERSAL;
}
p = *in;
- /* Check header */
+ // Check header
ret = asn1_check_tlen(&plen, NULL, NULL, &cst, &p, inlen, tag, aclass, opt);
if (!ret) {
OPENSSL_PUT_ERROR(ASN1, ASN1_R_NESTED_ASN1_ERROR);
@@ -701,10 +671,10 @@
return -1;
}
ret = 0;
- /* SEQUENCE, SET and "OTHER" are left in encoded form */
+ // SEQUENCE, SET and "OTHER" are left in encoded form
if ((utype == V_ASN1_SEQUENCE) || (utype == V_ASN1_SET) ||
(utype == V_ASN1_OTHER)) {
- /* SEQUENCE and SET must be constructed */
+ // SEQUENCE and SET must be constructed
if (utype != V_ASN1_OTHER && !cst) {
OPENSSL_PUT_ERROR(ASN1, ASN1_R_TYPE_NOT_CONSTRUCTED);
return 0;
@@ -714,9 +684,9 @@
len = p - cont + plen;
p += plen;
} else if (cst) {
- /* This parser historically supported BER constructed strings. We no
- * longer do and will gradually tighten this parser into a DER
- * parser. BER types should use |CBS_asn1_ber_to_der|. */
+ // This parser historically supported BER constructed strings. We no
+ // longer do and will gradually tighten this parser into a DER
+ // parser. BER types should use |CBS_asn1_ber_to_der|.
OPENSSL_PUT_ERROR(ASN1, ASN1_R_TYPE_NOT_PRIMITIVE);
return 0;
} else {
@@ -725,7 +695,7 @@
p += plen;
}
- /* We now have content length and type: translate into a structure */
+ // We now have content length and type: translate into a structure
if (!asn1_ex_c2i(pval, cont, len, utype, it)) {
goto err;
}
@@ -736,7 +706,7 @@
return ret;
}
-/* Translate ASN1 content octets into a structure */
+// Translate ASN1 content octets into a structure
static int asn1_ex_c2i(ASN1_VALUE **pval, const unsigned char *cont, int len,
int utype, const ASN1_ITEM *it) {
@@ -746,11 +716,11 @@
int ret = 0;
ASN1_INTEGER **tint;
- /* Historically, |it->funcs| for primitive types contained an
- * |ASN1_PRIMITIVE_FUNCS| table of callbacks. */
+ // Historically, |it->funcs| for primitive types contained an
+ // |ASN1_PRIMITIVE_FUNCS| table of callbacks.
assert(it->funcs == NULL);
- /* If ANY type clear type and set pointer to internal value */
+ // If ANY type clear type and set pointer to internal value
if (it->utype == V_ASN1_ANY) {
if (!*pval) {
typ = ASN1_TYPE_new();
@@ -806,7 +776,7 @@
if (!c2i_ASN1_INTEGER(tint, &cont, len)) {
goto err;
}
- /* Fixup type to match the expected form */
+ // Fixup type to match the expected form
(*tint)->type = utype | ((*tint)->type & V_ASN1_NEG);
break;
@@ -853,7 +823,7 @@
goto err;
}
}
- /* All based on ASN1_STRING and handled the same */
+ // All based on ASN1_STRING and handled the same
if (!*pval) {
stmp = ASN1_STRING_type_new(utype);
if (!stmp) {
@@ -873,7 +843,7 @@
}
break;
}
- /* If ASN1_ANY and NULL type fix up value */
+ // If ASN1_ANY and NULL type fix up value
if (typ && (utype == V_ASN1_NULL)) {
typ->value.ptr = NULL;
}
@@ -889,10 +859,8 @@
return ret;
}
-/*
- * Check an ASN1 tag and length: a bit like ASN1_get_object but it
- * checks the expected tag.
- */
+// Check an ASN1 tag and length: a bit like ASN1_get_object but it
+// checks the expected tag.
static int asn1_check_tlen(long *olen, int *otag, unsigned char *oclass,
char *cst, const unsigned char **in, long len,
@@ -910,9 +878,7 @@
}
if (exptag >= 0) {
if ((exptag != ptag) || (expclass != pclass)) {
- /*
- * If type is OPTIONAL, not an error: indicate missing type.
- */
+ // If type is OPTIONAL, not an error: indicate missing type.
if (opt) {
return -1;
}
diff --git a/crypto/asn1/tasn_enc.c b/crypto/asn1/tasn_enc.c
index c46df2d..39a3d52 100644
--- a/crypto/asn1/tasn_enc.c
+++ b/crypto/asn1/tasn_enc.c
@@ -80,9 +80,7 @@
static int asn1_template_ex_i2d(ASN1_VALUE **pval, unsigned char **out,
const ASN1_TEMPLATE *tt, int tag, int aclass);
-/*
- * Top level i2d equivalents
- */
+// Top level i2d equivalents
int ASN1_item_i2d(ASN1_VALUE *val, unsigned char **out, const ASN1_ITEM *it) {
if (out && !*out) {
@@ -109,10 +107,8 @@
return ASN1_item_ex_i2d(&val, out, it, /*tag=*/-1, /*aclass=*/0);
}
-/*
- * Encode an item, taking care of IMPLICIT tagging (if any). This function
- * performs the normal item handling: it can be used in external types.
- */
+// Encode an item, taking care of IMPLICIT tagging (if any). This function
+// performs the normal item handling: it can be used in external types.
int ASN1_item_ex_i2d(ASN1_VALUE **pval, unsigned char **out,
const ASN1_ITEM *it, int tag, int aclass) {
@@ -121,22 +117,22 @@
return ret;
}
-/* asn1_item_ex_i2d_opt behaves like |ASN1_item_ex_i2d| but, if |optional| is
- * non-zero and |*pval| is omitted, it returns zero and writes no bytes. */
+// asn1_item_ex_i2d_opt behaves like |ASN1_item_ex_i2d| but, if |optional| is
+// non-zero and |*pval| is omitted, it returns zero and writes no bytes.
int asn1_item_ex_i2d_opt(ASN1_VALUE **pval, unsigned char **out,
const ASN1_ITEM *it, int tag, int aclass,
int optional) {
const ASN1_TEMPLATE *tt = NULL;
int i, seqcontlen, seqlen;
- /* Historically, |aclass| was repurposed to pass additional flags into the
- * encoding process. */
+ // Historically, |aclass| was repurposed to pass additional flags into the
+ // encoding process.
assert((aclass & ASN1_TFLG_TAG_CLASS) == aclass);
- /* If not overridding the tag, |aclass| is ignored and should be zero. */
+ // If not overridding the tag, |aclass| is ignored and should be zero.
assert(tag != -1 || aclass == 0);
- /* All fields are pointers, except for boolean |ASN1_ITYPE_PRIMITIVE|s.
- * Optional primitives are handled later. */
+ // All fields are pointers, except for boolean |ASN1_ITYPE_PRIMITIVE|s.
+ // Optional primitives are handled later.
if ((it->itype != ASN1_ITYPE_PRIMITIVE) && !*pval) {
if (optional) {
return 0;
@@ -157,10 +153,8 @@
return asn1_i2d_ex_primitive(pval, out, it, tag, aclass, optional);
case ASN1_ITYPE_MSTRING:
- /*
- * It never makes sense for multi-strings to have implicit tagging, so
- * if tag != -1, then this looks like an error in the template.
- */
+ // It never makes sense for multi-strings to have implicit tagging, so
+ // if tag != -1, then this looks like an error in the template.
if (tag != -1) {
OPENSSL_PUT_ERROR(ASN1, ASN1_R_BAD_TEMPLATE);
return -1;
@@ -168,10 +162,8 @@
return asn1_i2d_ex_primitive(pval, out, it, -1, 0, optional);
case ASN1_ITYPE_CHOICE: {
- /*
- * It never makes sense for CHOICE types to have implicit tagging, so if
- * tag != -1, then this looks like an error in the template.
- */
+ // It never makes sense for CHOICE types to have implicit tagging, so if
+ // tag != -1, then this looks like an error in the template.
if (tag != -1) {
OPENSSL_PUT_ERROR(ASN1, ASN1_R_BAD_TEMPLATE);
return -1;
@@ -191,13 +183,13 @@
}
case ASN1_ITYPE_EXTERN: {
- /* If new style i2d it does all the work */
+ // If new style i2d it does all the work
const ASN1_EXTERN_FUNCS *ef = it->funcs;
int ret = ef->asn1_ex_i2d(pval, out, it, tag, aclass);
if (ret == 0) {
- /* |asn1_ex_i2d| should never return zero. We have already checked
- * for optional values generically, and |ASN1_ITYPE_EXTERN| fields
- * must be pointers. */
+ // |asn1_ex_i2d| should never return zero. We have already checked
+ // for optional values generically, and |ASN1_ITYPE_EXTERN| fields
+ // must be pointers.
OPENSSL_PUT_ERROR(ASN1, ERR_R_INTERNAL_ERROR);
return -1;
}
@@ -206,22 +198,22 @@
case ASN1_ITYPE_SEQUENCE: {
i = asn1_enc_restore(&seqcontlen, out, pval, it);
- /* An error occurred */
+ // An error occurred
if (i < 0) {
return -1;
}
- /* We have a valid cached encoding... */
+ // We have a valid cached encoding...
if (i > 0) {
return seqcontlen;
}
- /* Otherwise carry on */
+ // Otherwise carry on
seqcontlen = 0;
- /* If no IMPLICIT tagging set to SEQUENCE, UNIVERSAL */
+ // If no IMPLICIT tagging set to SEQUENCE, UNIVERSAL
if (tag == -1) {
tag = V_ASN1_SEQUENCE;
aclass = V_ASN1_UNIVERSAL;
}
- /* First work out sequence content length */
+ // First work out sequence content length
for (i = 0, tt = it->templates; i < it->tcount; tt++, i++) {
const ASN1_TEMPLATE *seqtt;
ASN1_VALUE **pseqval;
@@ -242,7 +234,7 @@
if (!out || seqlen == -1) {
return seqlen;
}
- /* Output SEQUENCE header */
+ // Output SEQUENCE header
ASN1_put_object(out, /*constructed=*/1, seqcontlen, tag, aclass);
for (i = 0, tt = it->templates; i < it->tcount; tt++, i++) {
const ASN1_TEMPLATE *seqtt;
@@ -265,38 +257,36 @@
}
}
-/* asn1_template_ex_i2d behaves like |asn1_item_ex_i2d_opt| but uses an
- * |ASN1_TEMPLATE| instead of an |ASN1_ITEM|. An |ASN1_TEMPLATE| wraps an
- * |ASN1_ITEM| with modifiers such as tagging, SEQUENCE or SET, etc. Instead of
- * taking an |optional| parameter, it uses the |ASN1_TFLG_OPTIONAL| flag. */
+// asn1_template_ex_i2d behaves like |asn1_item_ex_i2d_opt| but uses an
+// |ASN1_TEMPLATE| instead of an |ASN1_ITEM|. An |ASN1_TEMPLATE| wraps an
+// |ASN1_ITEM| with modifiers such as tagging, SEQUENCE or SET, etc. Instead of
+// taking an |optional| parameter, it uses the |ASN1_TFLG_OPTIONAL| flag.
static int asn1_template_ex_i2d(ASN1_VALUE **pval, unsigned char **out,
const ASN1_TEMPLATE *tt, int tag, int iclass) {
int i, ret, flags, ttag, tclass;
size_t j;
flags = tt->flags;
- /* Historically, |iclass| was repurposed to pass additional flags into the
- * encoding process. */
+ // Historically, |iclass| was repurposed to pass additional flags into the
+ // encoding process.
assert((iclass & ASN1_TFLG_TAG_CLASS) == iclass);
- /* If not overridding the tag, |iclass| is ignored and should be zero. */
+ // If not overridding the tag, |iclass| is ignored and should be zero.
assert(tag != -1 || iclass == 0);
- /*
- * Work out tag and class to use: tagging may come either from the
- * template or the arguments, not both because this would create
- * ambiguity.
- */
+ // Work out tag and class to use: tagging may come either from the
+ // template or the arguments, not both because this would create
+ // ambiguity.
if (flags & ASN1_TFLG_TAG_MASK) {
- /* Error if argument and template tagging */
+ // Error if argument and template tagging
if (tag != -1) {
OPENSSL_PUT_ERROR(ASN1, ASN1_R_BAD_TEMPLATE);
return -1;
}
- /* Get tagging from template */
+ // Get tagging from template
ttag = tt->tag;
tclass = flags & ASN1_TFLG_TAG_CLASS;
} else if (tag != -1) {
- /* No template tagging, get from arguments */
+ // No template tagging, get from arguments
ttag = tag;
tclass = iclass & ASN1_TFLG_TAG_CLASS;
} else {
@@ -306,13 +296,11 @@
const int optional = (flags & ASN1_TFLG_OPTIONAL) != 0;
- /*
- * At this point 'ttag' contains the outer tag to use, and 'tclass' is the
- * class.
- */
+ // At this point 'ttag' contains the outer tag to use, and 'tclass' is the
+ // class.
if (flags & ASN1_TFLG_SK_MASK) {
- /* SET OF, SEQUENCE OF */
+ // SET OF, SEQUENCE OF
STACK_OF(ASN1_VALUE) *sk = (STACK_OF(ASN1_VALUE) *)*pval;
int isset, sktag, skaclass;
int skcontlen, sklen;
@@ -328,17 +316,15 @@
if (flags & ASN1_TFLG_SET_OF) {
isset = 1;
- /* Historically, types with both bits set were mutated when
- * serialized to apply the sort. We no longer support this. */
+ // Historically, types with both bits set were mutated when
+ // serialized to apply the sort. We no longer support this.
assert((flags & ASN1_TFLG_SEQUENCE_OF) == 0);
} else {
isset = 0;
}
- /*
- * Work out inner tag value: if EXPLICIT or no tagging use underlying
- * type.
- */
+ // Work out inner tag value: if EXPLICIT or no tagging use underlying
+ // type.
if ((ttag != -1) && !(flags & ASN1_TFLG_EXPTAG)) {
sktag = ttag;
skaclass = tclass;
@@ -351,7 +337,7 @@
}
}
- /* Determine total length of items */
+ // Determine total length of items
skcontlen = 0;
for (j = 0; j < sk_ASN1_VALUE_num(sk); j++) {
int tmplen;
@@ -366,7 +352,7 @@
if (sklen == -1) {
return -1;
}
- /* If EXPLICIT need length of surrounding tag */
+ // If EXPLICIT need length of surrounding tag
if (flags & ASN1_TFLG_EXPTAG) {
ret = ASN1_object_size(/*constructed=*/1, sklen, ttag);
} else {
@@ -377,14 +363,14 @@
return ret;
}
- /* Now encode this lot... */
- /* EXPLICIT tag */
+ // Now encode this lot...
+ // EXPLICIT tag
if (flags & ASN1_TFLG_EXPTAG) {
ASN1_put_object(out, /*constructed=*/1, sklen, ttag, tclass);
}
- /* SET or SEQUENCE and IMPLICIT tag */
+ // SET or SEQUENCE and IMPLICIT tag
ASN1_put_object(out, /*constructed=*/1, skcontlen, sktag, skaclass);
- /* And the stuff itself */
+ // And the stuff itself
if (!asn1_set_seq_out(sk, out, skcontlen, ASN1_ITEM_ptr(tt->item), isset)) {
return -1;
}
@@ -392,17 +378,17 @@
}
if (flags & ASN1_TFLG_EXPTAG) {
- /* EXPLICIT tagging */
- /* Find length of tagged item */
+ // EXPLICIT tagging
+ // Find length of tagged item
i = asn1_item_ex_i2d_opt(pval, NULL, ASN1_ITEM_ptr(tt->item), -1, 0,
optional);
if (i <= 0) {
return i;
}
- /* Find length of EXPLICIT tag */
+ // Find length of EXPLICIT tag
ret = ASN1_object_size(/*constructed=*/1, i, ttag);
if (out && ret != -1) {
- /* Output tag and item */
+ // Output tag and item
ASN1_put_object(out, /*constructed=*/1, i, ttag, tclass);
if (ASN1_item_ex_i2d(pval, out, ASN1_ITEM_ptr(tt->item), -1, 0) < 0) {
return -1;
@@ -411,12 +397,12 @@
return ret;
}
- /* Either normal or IMPLICIT tagging */
+ // Either normal or IMPLICIT tagging
return asn1_item_ex_i2d_opt(pval, out, ASN1_ITEM_ptr(tt->item), ttag, tclass,
optional);
}
-/* Temporary structure used to hold DER encoding of items for SET OF */
+// Temporary structure used to hold DER encoding of items for SET OF
typedef struct {
unsigned char *data;
@@ -434,14 +420,14 @@
return d1->length - d2->length;
}
-/* asn1_set_seq_out writes |sk| to |out| under the i2d output convention,
- * excluding the tag and length. It returns one on success and zero on error.
- * |skcontlen| must be the total encoded size. If |do_sort| is non-zero, the
- * elements are sorted for a SET OF type. Each element of |sk| has type
- * |item|. */
+// asn1_set_seq_out writes |sk| to |out| under the i2d output convention,
+// excluding the tag and length. It returns one on success and zero on error.
+// |skcontlen| must be the total encoded size. If |do_sort| is non-zero, the
+// elements are sorted for a SET OF type. Each element of |sk| has type
+// |item|.
static int asn1_set_seq_out(STACK_OF(ASN1_VALUE) *sk, unsigned char **out,
int skcontlen, const ASN1_ITEM *item, int do_sort) {
- /* No need to sort if there are fewer than two items. */
+ // No need to sort if there are fewer than two items.
if (!do_sort || sk_ASN1_VALUE_num(sk) < 2) {
for (size_t i = 0; i < sk_ASN1_VALUE_num(sk); i++) {
ASN1_VALUE *skitem = sk_ASN1_VALUE_value(sk, i);
@@ -465,7 +451,7 @@
goto err;
}
- /* Encode all the elements into |buf| and populate |encoded|. */
+ // Encode all the elements into |buf| and populate |encoded|.
unsigned char *p = buf;
for (size_t i = 0; i < sk_ASN1_VALUE_num(sk); i++) {
ASN1_VALUE *skitem = sk_ASN1_VALUE_value(sk, i);
@@ -479,7 +465,7 @@
qsort(encoded, sk_ASN1_VALUE_num(sk), sizeof(*encoded), der_cmp);
- /* Output the elements in sorted order. */
+ // Output the elements in sorted order.
p = *out;
for (size_t i = 0; i < sk_ASN1_VALUE_num(sk); i++) {
OPENSSL_memcpy(p, encoded[i].data, encoded[i].length);
@@ -495,12 +481,12 @@
return ret;
}
-/* asn1_i2d_ex_primitive behaves like |ASN1_item_ex_i2d| but |item| must be a
- * a PRIMITIVE or MSTRING type that is not an |ASN1_ITEM_TEMPLATE|. */
+// asn1_i2d_ex_primitive behaves like |ASN1_item_ex_i2d| but |item| must be a
+// a PRIMITIVE or MSTRING type that is not an |ASN1_ITEM_TEMPLATE|.
static int asn1_i2d_ex_primitive(ASN1_VALUE **pval, unsigned char **out,
const ASN1_ITEM *it, int tag, int aclass,
int optional) {
- /* Get length of content octets and maybe find out the underlying type. */
+ // Get length of content octets and maybe find out the underlying type.
int omit;
int utype = it->utype;
int len = asn1_ex_i2c(pval, NULL, &omit, &utype, it);
@@ -515,20 +501,18 @@
return -1;
}
- /*
- * If SEQUENCE, SET or OTHER then header is included in pseudo content
- * octets so don't include tag+length. We need to check here because the
- * call to asn1_ex_i2c() could change utype.
- */
+ // If SEQUENCE, SET or OTHER then header is included in pseudo content
+ // octets so don't include tag+length. We need to check here because the
+ // call to asn1_ex_i2c() could change utype.
int usetag =
utype != V_ASN1_SEQUENCE && utype != V_ASN1_SET && utype != V_ASN1_OTHER;
- /* If not implicitly tagged get tag from underlying type */
+ // If not implicitly tagged get tag from underlying type
if (tag == -1) {
tag = utype;
}
- /* Output tag+length followed by content octets */
+ // Output tag+length followed by content octets
if (out) {
if (usetag) {
ASN1_put_object(out, /*constructed=*/0, len, tag, aclass);
@@ -548,22 +532,22 @@
return len;
}
-/* asn1_ex_i2c writes the |*pval| to |cout| under the i2d output convention,
- * excluding the tag and length. It returns the number of bytes written,
- * possibly zero, on success or -1 on error. If |*pval| should be omitted, it
- * returns zero and sets |*out_omit| to true.
- *
- * If |it| is an MSTRING or ANY type, it gets the underlying type from |*pval|,
- * which must be an |ASN1_STRING| or |ASN1_TYPE|, respectively. It then updates
- * |*putype| with the tag number of type used, or |V_ASN1_OTHER| if it was not a
- * universal type. If |*putype| is set to |V_ASN1_SEQUENCE|, |V_ASN1_SET|, or
- * |V_ASN1_OTHER|, it additionally outputs the tag and length, so the caller
- * must not do so.
- *
- * Otherwise, |*putype| must contain |it->utype|.
- *
- * WARNING: Unlike most functions in this file, |asn1_ex_i2c| can return zero
- * without omitting the element. ASN.1 values may have empty contents. */
+// asn1_ex_i2c writes the |*pval| to |cout| under the i2d output convention,
+// excluding the tag and length. It returns the number of bytes written,
+// possibly zero, on success or -1 on error. If |*pval| should be omitted, it
+// returns zero and sets |*out_omit| to true.
+//
+// If |it| is an MSTRING or ANY type, it gets the underlying type from |*pval|,
+// which must be an |ASN1_STRING| or |ASN1_TYPE|, respectively. It then updates
+// |*putype| with the tag number of type used, or |V_ASN1_OTHER| if it was not a
+// universal type. If |*putype| is set to |V_ASN1_SEQUENCE|, |V_ASN1_SET|, or
+// |V_ASN1_OTHER|, it additionally outputs the tag and length, so the caller
+// must not do so.
+//
+// Otherwise, |*putype| must contain |it->utype|.
+//
+// WARNING: Unlike most functions in this file, |asn1_ex_i2c| can return zero
+// without omitting the element. ASN.1 values may have empty contents.
static int asn1_ex_i2c(ASN1_VALUE **pval, unsigned char *cout, int *out_omit,
int *putype, const ASN1_ITEM *it) {
ASN1_BOOLEAN *tbool = NULL;
@@ -574,13 +558,13 @@
unsigned char c;
int len;
- /* Historically, |it->funcs| for primitive types contained an
- * |ASN1_PRIMITIVE_FUNCS| table of callbacks. */
+ // Historically, |it->funcs| for primitive types contained an
+ // |ASN1_PRIMITIVE_FUNCS| table of callbacks.
assert(it->funcs == NULL);
*out_omit = 0;
- /* Should type be omitted? */
+ // Should type be omitted?
if ((it->itype != ASN1_ITYPE_PRIMITIVE) || (it->utype != V_ASN1_BOOLEAN)) {
if (!*pval) {
*out_omit = 1;
@@ -589,23 +573,23 @@
}
if (it->itype == ASN1_ITYPE_MSTRING) {
- /* If MSTRING type set the underlying type */
+ // If MSTRING type set the underlying type
strtmp = (ASN1_STRING *)*pval;
utype = strtmp->type;
if (utype < 0 && utype != V_ASN1_OTHER) {
- /* MSTRINGs can have type -1 when default-constructed. */
+ // MSTRINGs can have type -1 when default-constructed.
OPENSSL_PUT_ERROR(ASN1, ASN1_R_WRONG_TYPE);
return -1;
}
- /* Negative INTEGER and ENUMERATED values use |ASN1_STRING| type values
- * that do not match their corresponding utype values. INTEGERs cannot
- * participate in MSTRING types, but ENUMERATEDs can.
- *
- * TODO(davidben): Is this a bug? Although arguably one of the MSTRING
- * types should contain more values, rather than less. See
- * https://crbug.com/boringssl/412. But it is not possible to fit all
- * possible ANY values into an |ASN1_STRING|, so matching the spec here
- * is somewhat hopeless. */
+ // Negative INTEGER and ENUMERATED values use |ASN1_STRING| type values
+ // that do not match their corresponding utype values. INTEGERs cannot
+ // participate in MSTRING types, but ENUMERATEDs can.
+ //
+ // TODO(davidben): Is this a bug? Although arguably one of the MSTRING
+ // types should contain more values, rather than less. See
+ // https://crbug.com/boringssl/412. But it is not possible to fit all
+ // possible ANY values into an |ASN1_STRING|, so matching the spec here
+ // is somewhat hopeless.
if (utype == V_ASN1_NEG_INTEGER) {
utype = V_ASN1_INTEGER;
} else if (utype == V_ASN1_NEG_ENUMERATED) {
@@ -613,12 +597,12 @@
}
*putype = utype;
} else if (it->utype == V_ASN1_ANY) {
- /* If ANY set type and pointer to value */
+ // If ANY set type and pointer to value
ASN1_TYPE *typ;
typ = (ASN1_TYPE *)*pval;
utype = typ->type;
if (utype < 0 && utype != V_ASN1_OTHER) {
- /* |ASN1_TYPE|s can have type -1 when default-constructed. */
+ // |ASN1_TYPE|s can have type -1 when default-constructed.
OPENSSL_PUT_ERROR(ASN1, ASN1_R_WRONG_TYPE);
return -1;
}
@@ -634,7 +618,7 @@
cont = otmp->data;
len = otmp->length;
if (len == 0) {
- /* Some |ASN1_OBJECT|s do not have OIDs and cannot be serialized. */
+ // Some |ASN1_OBJECT|s do not have OIDs and cannot be serialized.
OPENSSL_PUT_ERROR(ASN1, ASN1_R_ILLEGAL_OBJECT);
return -1;
}
@@ -652,9 +636,7 @@
return 0;
}
if (it->utype != V_ASN1_ANY) {
- /*
- * Default handling if value == size field then omit
- */
+ // Default handling if value == size field then omit
if ((*tbool && (it->size > 0)) || (!*tbool && !it->size)) {
*out_omit = 1;
return 0;
@@ -668,15 +650,15 @@
case V_ASN1_BIT_STRING: {
int ret =
i2c_ASN1_BIT_STRING((ASN1_BIT_STRING *)*pval, cout ? &cout : NULL);
- /* |i2c_ASN1_BIT_STRING| returns zero on error instead of -1. */
+ // |i2c_ASN1_BIT_STRING| returns zero on error instead of -1.
return ret <= 0 ? -1 : ret;
}
case V_ASN1_INTEGER:
case V_ASN1_ENUMERATED: {
- /* |i2c_ASN1_INTEGER| also handles ENUMERATED. */
+ // |i2c_ASN1_INTEGER| also handles ENUMERATED.
int ret = i2c_ASN1_INTEGER((ASN1_INTEGER *)*pval, cout ? &cout : NULL);
- /* |i2c_ASN1_INTEGER| returns zero on error instead of -1. */
+ // |i2c_ASN1_INTEGER| returns zero on error instead of -1.
return ret <= 0 ? -1 : ret;
}
@@ -697,7 +679,7 @@
case V_ASN1_SEQUENCE:
case V_ASN1_SET:
default:
- /* All based on ASN1_STRING and handled the same */
+ // All based on ASN1_STRING and handled the same
strtmp = (ASN1_STRING *)*pval;
cont = strtmp->data;
len = strtmp->length;
diff --git a/crypto/asn1/tasn_fre.c b/crypto/asn1/tasn_fre.c
index be0d33d..3da1fa6 100644
--- a/crypto/asn1/tasn_fre.c
+++ b/crypto/asn1/tasn_fre.c
@@ -63,7 +63,7 @@
#include "internal.h"
-/* Free up an ASN1 structure */
+// Free up an ASN1 structure
void ASN1_item_free(ASN1_VALUE *val, const ASN1_ITEM *it) {
asn1_item_combine_free(&val, it, 0);
@@ -144,11 +144,9 @@
}
}
asn1_enc_free(pval, it);
- /*
- * If we free up as normal we will invalidate any ANY DEFINED BY
- * field and we wont be able to determine the type of the field it
- * defines. So free up in reverse order.
- */
+ // If we free up as normal we will invalidate any ANY DEFINED BY
+ // field and we wont be able to determine the type of the field it
+ // defines. So free up in reverse order.
tt = it->templates + it->tcount - 1;
for (i = 0; i < it->tcount; tt--, i++) {
ASN1_VALUE **pseqval;
@@ -190,10 +188,10 @@
void ASN1_primitive_free(ASN1_VALUE **pval, const ASN1_ITEM *it) {
int utype;
- /* Historically, |it->funcs| for primitive types contained an
- * |ASN1_PRIMITIVE_FUNCS| table of calbacks. */
+ // Historically, |it->funcs| for primitive types contained an
+ // |ASN1_PRIMITIVE_FUNCS| table of calbacks.
assert(it == NULL || it->funcs == NULL);
- /* Special case: if 'it' is NULL free contents of ASN1_TYPE */
+ // Special case: if 'it' is NULL free contents of ASN1_TYPE
if (!it) {
ASN1_TYPE *typ = (ASN1_TYPE *)*pval;
utype = typ->type;
diff --git a/crypto/asn1/tasn_new.c b/crypto/asn1/tasn_new.c
index f6cd96f..97411c5 100644
--- a/crypto/asn1/tasn_new.c
+++ b/crypto/asn1/tasn_new.c
@@ -83,7 +83,7 @@
return NULL;
}
-/* Allocate an ASN1 structure */
+// Allocate an ASN1 structure
int ASN1_item_ex_new(ASN1_VALUE **pval, const ASN1_ITEM *it) {
return asn1_item_ex_combine_new(pval, it, 0);
@@ -235,13 +235,13 @@
asn1_template_clear(pval, tt);
return 1;
}
- /* If ANY DEFINED BY nothing to do */
+ // If ANY DEFINED BY nothing to do
if (tt->flags & ASN1_TFLG_ADB_MASK) {
*pval = NULL;
return 1;
}
- /* If SET OF or SEQUENCE OF, its a STACK */
+ // If SET OF or SEQUENCE OF, its a STACK
if (tt->flags & ASN1_TFLG_SK_MASK) {
STACK_OF(ASN1_VALUE) *skval;
skval = sk_ASN1_VALUE_new_null();
@@ -254,14 +254,14 @@
ret = 1;
goto done;
}
- /* Otherwise pass it back to the item routine */
+ // Otherwise pass it back to the item routine
ret = asn1_item_ex_combine_new(pval, it, tt->flags & ASN1_TFLG_COMBINE);
done:
return ret;
}
static void asn1_template_clear(ASN1_VALUE **pval, const ASN1_TEMPLATE *tt) {
- /* If ADB or STACK just NULL the field */
+ // If ADB or STACK just NULL the field
if (tt->flags & (ASN1_TFLG_ADB_MASK | ASN1_TFLG_SK_MASK)) {
*pval = NULL;
} else {
@@ -269,10 +269,8 @@
}
}
-/*
- * NB: could probably combine most of the real XXX_new() behaviour and junk
- * all the old functions.
- */
+// NB: could probably combine most of the real XXX_new() behaviour and junk
+// all the old functions.
static int ASN1_primitive_new(ASN1_VALUE **pval, const ASN1_ITEM *it) {
ASN1_TYPE *typ;
@@ -282,8 +280,8 @@
return 0;
}
- /* Historically, |it->funcs| for primitive types contained an
- * |ASN1_PRIMITIVE_FUNCS| table of calbacks. */
+ // Historically, |it->funcs| for primitive types contained an
+ // |ASN1_PRIMITIVE_FUNCS| table of calbacks.
assert(it->funcs == NULL);
if (it->itype == ASN1_ITYPE_MSTRING) {
@@ -326,8 +324,8 @@
static void asn1_primitive_clear(ASN1_VALUE **pval, const ASN1_ITEM *it) {
int utype;
- /* Historically, |it->funcs| for primitive types contained an
- * |ASN1_PRIMITIVE_FUNCS| table of calbacks. */
+ // Historically, |it->funcs| for primitive types contained an
+ // |ASN1_PRIMITIVE_FUNCS| table of calbacks.
assert(it == NULL || it->funcs == NULL);
if (!it || (it->itype == ASN1_ITYPE_MSTRING)) {
utype = -1;
diff --git a/crypto/asn1/tasn_typ.c b/crypto/asn1/tasn_typ.c
index e38154e..756dd71 100644
--- a/crypto/asn1/tasn_typ.c
+++ b/crypto/asn1/tasn_typ.c
@@ -58,7 +58,7 @@
#include <openssl/asn1t.h>
-/* Declarations for string types */
+// Declarations for string types
#define IMPLEMENT_ASN1_STRING_FUNCTIONS(sname) \
IMPLEMENT_ASN1_TYPE(sname) \
@@ -88,12 +88,12 @@
IMPLEMENT_ASN1_TYPE(ASN1_ANY)
-/* Just swallow an ASN1_SEQUENCE in an ASN1_STRING */
+// Just swallow an ASN1_SEQUENCE in an ASN1_STRING
IMPLEMENT_ASN1_TYPE(ASN1_SEQUENCE)
IMPLEMENT_ASN1_FUNCTIONS_const_fname(ASN1_TYPE, ASN1_ANY, ASN1_TYPE)
-/* Multistring types */
+// Multistring types
IMPLEMENT_ASN1_MSTRING(ASN1_PRINTABLE, B_ASN1_PRINTABLE)
IMPLEMENT_ASN1_FUNCTIONS_const_fname(ASN1_STRING, ASN1_PRINTABLE,
@@ -106,12 +106,12 @@
IMPLEMENT_ASN1_FUNCTIONS_const_fname(ASN1_STRING, DIRECTORYSTRING,
DIRECTORYSTRING)
-/* Three separate BOOLEAN type: normal, DEFAULT TRUE and DEFAULT FALSE */
+// Three separate BOOLEAN type: normal, DEFAULT TRUE and DEFAULT FALSE
IMPLEMENT_ASN1_TYPE_ex(ASN1_BOOLEAN, ASN1_BOOLEAN, -1)
IMPLEMENT_ASN1_TYPE_ex(ASN1_TBOOLEAN, ASN1_BOOLEAN, 1)
IMPLEMENT_ASN1_TYPE_ex(ASN1_FBOOLEAN, ASN1_BOOLEAN, 0)
-/* Special, OCTET STRING with indefinite length constructed support */
+// Special, OCTET STRING with indefinite length constructed support
ASN1_ITEM_TEMPLATE(ASN1_SEQUENCE_ANY) =
ASN1_EX_TEMPLATE_TYPE(ASN1_TFLG_SEQUENCE_OF, 0, ASN1_SEQUENCE_ANY, ASN1_ANY)
diff --git a/crypto/asn1/tasn_utl.c b/crypto/asn1/tasn_utl.c
index 9f52347..a476874 100644
--- a/crypto/asn1/tasn_utl.c
+++ b/crypto/asn1/tasn_utl.c
@@ -69,18 +69,18 @@
#include "internal.h"
-/* Utility functions for manipulating fields and offsets */
+// Utility functions for manipulating fields and offsets
-/* Add 'offset' to 'addr' */
+// Add 'offset' to 'addr'
#define offset2ptr(addr, offset) (void *)(((char *)(addr)) + (offset))
-/* Given an ASN1_ITEM CHOICE type return the selector value */
+// Given an ASN1_ITEM CHOICE type return the selector value
int asn1_get_choice_selector(ASN1_VALUE **pval, const ASN1_ITEM *it) {
int *sel = offset2ptr(*pval, it->utype);
return *sel;
}
-/* Given an ASN1_ITEM CHOICE type set the selector value, return old value. */
+// Given an ASN1_ITEM CHOICE type set the selector value, return old value.
int asn1_set_choice_selector(ASN1_VALUE **pval, int value,
const ASN1_ITEM *it) {
int *sel, ret;
@@ -205,20 +205,20 @@
return 1;
}
-/* Given an ASN1_TEMPLATE get a pointer to a field */
+// Given an ASN1_TEMPLATE get a pointer to a field
ASN1_VALUE **asn1_get_field_ptr(ASN1_VALUE **pval, const ASN1_TEMPLATE *tt) {
ASN1_VALUE **pvaltmp;
if (tt->flags & ASN1_TFLG_COMBINE) {
return pval;
}
pvaltmp = offset2ptr(*pval, tt->offset);
- /* NOTE for BOOLEAN types the field is just a plain int so we can't return
- * int **, so settle for (int *). */
+ // NOTE for BOOLEAN types the field is just a plain int so we can't return
+ // int **, so settle for (int *).
return pvaltmp;
}
-/* Handle ANY DEFINED BY template, find the selector, look up the relevant
- * ASN1_TEMPLATE in the table and return it. */
+// Handle ANY DEFINED BY template, find the selector, look up the relevant
+// ASN1_TEMPLATE in the table and return it.
const ASN1_TEMPLATE *asn1_do_adb(ASN1_VALUE **pval, const ASN1_TEMPLATE *tt,
int nullerr) {
const ASN1_ADB *adb;
@@ -229,13 +229,13 @@
return tt;
}
- /* Else ANY DEFINED BY ... get the table */
+ // Else ANY DEFINED BY ... get the table
adb = ASN1_ADB_ptr(tt->item);
- /* Get the selector field */
+ // Get the selector field
sfld = offset2ptr(*pval, adb->offset);
- /* Check if NULL */
+ // Check if NULL
if (*sfld == NULL) {
if (!adb->null_tt) {
goto err;
@@ -243,16 +243,16 @@
return adb->null_tt;
}
- /* Convert type to a NID:
- * NB: don't check for NID_undef here because it
- * might be a legitimate value in the table */
+ // Convert type to a NID:
+ // NB: don't check for NID_undef here because it
+ // might be a legitimate value in the table
assert(tt->flags & ASN1_TFLG_ADB_OID);
int selector = OBJ_obj2nid((ASN1_OBJECT *)*sfld);
- /* Try to find matching entry in table Maybe should check application types
- * first to allow application override? Might also be useful to have a flag
- * which indicates table is sorted and we can do a binary search. For now
- * stick to a linear search. */
+ // Try to find matching entry in table Maybe should check application types
+ // first to allow application override? Might also be useful to have a flag
+ // which indicates table is sorted and we can do a binary search. For now
+ // stick to a linear search.
for (atbl = adb->tbl, i = 0; i < adb->tblcount; i++, atbl++) {
if (atbl->value == selector) {
@@ -260,16 +260,16 @@
}
}
- /* FIXME: need to search application table too */
+ // FIXME: need to search application table too
- /* No match, return default type */
+ // No match, return default type
if (!adb->default_tt) {
goto err;
}
return adb->default_tt;
err:
- /* FIXME: should log the value or OID of unsupported type */
+ // FIXME: should log the value or OID of unsupported type
if (nullerr) {
OPENSSL_PUT_ERROR(ASN1, ASN1_R_UNSUPPORTED_ANY_DEFINED_BY_TYPE);
}
diff --git a/crypto/asn1/time_support.c b/crypto/asn1/time_support.c
index 5703a54..7929970 100644
--- a/crypto/asn1/time_support.c
+++ b/crypto/asn1/time_support.c
@@ -56,7 +56,7 @@
* Hudson (tjh@cryptsoft.com). */
#if defined(__linux__) && !defined(_POSIX_C_SOURCE)
-#define _POSIX_C_SOURCE 201410L /* for gmtime_r */
+#define _POSIX_C_SOURCE 201410L // for gmtime_r
#endif
#include "internal.h"
@@ -77,7 +77,7 @@
#endif
}
-/* Convert date to and from julian day Uses Fliegel & Van Flandern algorithm */
+// Convert date to and from julian day Uses Fliegel & Van Flandern algorithm
static long date_to_julian(int y, int m, int d) {
return (1461 * (y + 4800 + (m - 14) / 12)) / 4 +
(367 * (m - 2 - 12 * ((m - 14) / 12))) / 12 -
@@ -99,20 +99,20 @@
*y = 100 * (n - 49) + i + L;
}
-/* Convert tm structure and offset into julian day and seconds */
+// Convert tm structure and offset into julian day and seconds
static int julian_adj(const struct tm *tm, int off_day, long offset_sec,
long *pday, int *psec) {
int offset_hms, offset_day;
long time_jd;
int time_year, time_month, time_day;
- /* split offset into days and day seconds */
+ // split offset into days and day seconds
offset_day = offset_sec / SECS_PER_DAY;
- /* Avoid sign issues with % operator */
+ // Avoid sign issues with % operator
offset_hms = offset_sec - (offset_day * SECS_PER_DAY);
offset_day += off_day;
- /* Add current time seconds to offset */
+ // Add current time seconds to offset
offset_hms += tm->tm_hour * 3600 + tm->tm_min * 60 + tm->tm_sec;
- /* Adjust day seconds if overflow */
+ // Adjust day seconds if overflow
if (offset_hms >= SECS_PER_DAY) {
offset_day++;
offset_hms -= SECS_PER_DAY;
@@ -121,7 +121,7 @@
offset_hms += SECS_PER_DAY;
}
- /* Convert date of time structure into a Julian day number. */
+ // Convert date of time structure into a Julian day number.
time_year = tm->tm_year + 1900;
time_month = tm->tm_mon + 1;
@@ -129,7 +129,7 @@
time_jd = date_to_julian(time_year, time_month, time_day);
- /* Work out Julian day of new date */
+ // Work out Julian day of new date
time_jd += offset_day;
if (time_jd < 0) {
@@ -145,12 +145,12 @@
int time_sec, time_year, time_month, time_day;
long time_jd;
- /* Convert time and offset into julian day and seconds */
+ // Convert time and offset into julian day and seconds
if (!julian_adj(tm, off_day, offset_sec, &time_jd, &time_sec)) {
return 0;
}
- /* Convert Julian day back to date */
+ // Convert Julian day back to date
julian_to_date(time_jd, &time_year, &time_month, &time_day);
@@ -158,7 +158,7 @@
return 0;
}
- /* Update tm structure */
+ // Update tm structure
tm->tm_year = time_year - 1900;
tm->tm_mon = time_month - 1;
@@ -185,7 +185,7 @@
diff_day = to_jd - from_jd;
diff_sec = to_sec - from_sec;
- /* Adjust differences so both positive or both negative */
+ // Adjust differences so both positive or both negative
if (diff_day > 0 && diff_sec < 0) {
diff_day--;
diff_sec += SECS_PER_DAY;
diff --git a/crypto/pem/pem_all.c b/crypto/pem/pem_all.c
index e211d5d..cade0a2 100644
--- a/crypto/pem/pem_all.c
+++ b/crypto/pem/pem_all.c
@@ -127,12 +127,10 @@
IMPLEMENT_PEM_rw(X509_CRL, X509_CRL, PEM_STRING_X509_CRL, X509_CRL)
IMPLEMENT_PEM_rw(PKCS7, PKCS7, PEM_STRING_PKCS7, PKCS7)
-/*
- * We treat RSA or DSA private keys as a special case. For private keys we
- * read in an EVP_PKEY structure with PEM_read_bio_PrivateKey() and extract
- * the relevant private key: this means can handle "traditional" and PKCS#8
- * formats transparently.
- */
+// We treat RSA or DSA private keys as a special case. For private keys we
+// read in an EVP_PKEY structure with PEM_read_bio_PrivateKey() and extract
+// the relevant private key: this means can handle "traditional" and PKCS#8
+// formats transparently.
static RSA *pkey_get_rsa(EVP_PKEY *key, RSA **rsa) {
RSA *rtmp;
if (!key) {
@@ -190,7 +188,7 @@
void *u) {
EVP_PKEY *pktmp;
pktmp = PEM_read_bio_PrivateKey(bp, NULL, cb, u);
- return pkey_get_dsa(pktmp, dsa); /* will free pktmp */
+ return pkey_get_dsa(pktmp, dsa); // will free pktmp
}
IMPLEMENT_PEM_write_cb_const(DSAPrivateKey, DSA, PEM_STRING_DSA, DSAPrivateKey)
@@ -199,7 +197,7 @@
DSA *PEM_read_DSAPrivateKey(FILE *fp, DSA **dsa, pem_password_cb *cb, void *u) {
EVP_PKEY *pktmp;
pktmp = PEM_read_PrivateKey(fp, NULL, cb, u);
- return pkey_get_dsa(pktmp, dsa); /* will free pktmp */
+ return pkey_get_dsa(pktmp, dsa); // will free pktmp
}
IMPLEMENT_PEM_rw_const(DSAparams, DSA, PEM_STRING_DSAPARAMS, DSAparams)
@@ -225,7 +223,7 @@
void *u) {
EVP_PKEY *pktmp;
pktmp = PEM_read_bio_PrivateKey(bp, NULL, cb, u);
- return pkey_get_eckey(pktmp, key); /* will free pktmp */
+ return pkey_get_eckey(pktmp, key); // will free pktmp
}
IMPLEMENT_PEM_write_cb(ECPrivateKey, EC_KEY, PEM_STRING_ECPRIVATEKEY,
@@ -236,7 +234,7 @@
void *u) {
EVP_PKEY *pktmp;
pktmp = PEM_read_PrivateKey(fp, NULL, cb, u);
- return pkey_get_eckey(pktmp, eckey); /* will free pktmp */
+ return pkey_get_eckey(pktmp, eckey); // will free pktmp
}
diff --git a/crypto/pem/pem_info.c b/crypto/pem/pem_info.c
index 40f34ee..e30faa3 100644
--- a/crypto/pem/pem_info.c
+++ b/crypto/pem/pem_info.c
@@ -185,7 +185,7 @@
key_type = EVP_PKEY_EC;
}
- /* If a private key has a header, assume it is encrypted. */
+ // If a private key has a header, assume it is encrypted.
if (key_type != EVP_PKEY_NONE && strlen(header) > 10) {
if (info->x_pkey != NULL) {
if (!sk_X509_INFO_push(ret, info)) {
@@ -196,7 +196,7 @@
goto err;
}
}
- /* Historically, raw entries pushed an empty key. */
+ // Historically, raw entries pushed an empty key.
info->x_pkey = X509_PKEY_new();
if (info->x_pkey == NULL ||
!PEM_get_EVP_CIPHER_INFO(header, &info->enc_cipher)) {
@@ -235,7 +235,7 @@
data = NULL;
}
- /* Push the last entry on the stack if not empty. */
+ // Push the last entry on the stack if not empty.
if (info->x509 != NULL || info->crl != NULL || info->x_pkey != NULL ||
info->enc_data != NULL) {
if (!sk_X509_INFO_push(ret, info)) {
@@ -264,7 +264,7 @@
return ret;
}
-/* A TJH addition */
+// A TJH addition
int PEM_X509_INFO_write_bio(BIO *bp, X509_INFO *xi, EVP_CIPHER *enc,
unsigned char *kstr, int klen, pem_password_cb *cb,
void *u) {
@@ -284,11 +284,9 @@
}
}
- /*
- * now for the fun part ... if we have a private key then we have to be
- * able to handle a not-yet-decrypted key being written out correctly ...
- * if it is decrypted or it is non-encrypted then we use the base code
- */
+ // now for the fun part ... if we have a private key then we have to be
+ // able to handle a not-yet-decrypted key being written out correctly ...
+ // if it is decrypted or it is non-encrypted then we use the base code
if (xi->x_pkey != NULL) {
if ((xi->enc_data != NULL) && (xi->enc_len > 0)) {
if (enc == NULL) {
@@ -296,36 +294,34 @@
goto err;
}
- /* copy from weirdo names into more normal things */
+ // copy from weirdo names into more normal things
iv = xi->enc_cipher.iv;
data = (unsigned char *)xi->enc_data;
i = xi->enc_len;
- /*
- * we take the encryption data from the internal stuff rather
- * than what the user has passed us ... as we have to match
- * exactly for some strange reason
- */
+ // we take the encryption data from the internal stuff rather
+ // than what the user has passed us ... as we have to match
+ // exactly for some strange reason
objstr = OBJ_nid2sn(EVP_CIPHER_nid(xi->enc_cipher.cipher));
if (objstr == NULL) {
OPENSSL_PUT_ERROR(PEM, PEM_R_UNSUPPORTED_CIPHER);
goto err;
}
- /* create the right magic header stuff */
+ // create the right magic header stuff
assert(strlen(objstr) + 23 + 2 * iv_len + 13 <= sizeof buf);
buf[0] = '\0';
PEM_proc_type(buf, PEM_TYPE_ENCRYPTED);
PEM_dek_info(buf, objstr, iv_len, (char *)iv);
- /* use the normal code to write things out */
+ // use the normal code to write things out
i = PEM_write_bio(bp, PEM_STRING_RSA, buf, data, i);
if (i <= 0) {
goto err;
}
} else {
- /* Add DSA/DH */
- /* normal optionally encrypted stuff */
+ // Add DSA/DH
+ // normal optionally encrypted stuff
if (PEM_write_bio_RSAPrivateKey(bp, xi->x_pkey->dec_pkey->pkey.rsa, enc,
kstr, klen, cb, u) <= 0) {
goto err;
@@ -333,16 +329,14 @@
}
}
- /* if we have a certificate then write it out now */
+ // if we have a certificate then write it out now
if ((xi->x509 != NULL) && (PEM_write_bio_X509(bp, xi->x509) <= 0)) {
goto err;
}
- /*
- * we are ignoring anything else that is loaded into the X509_INFO
- * structure for the moment ... as I don't need it so I'm not coding it
- * here and Eric can do it when this makes it into the base library --tjh
- */
+ // we are ignoring anything else that is loaded into the X509_INFO
+ // structure for the moment ... as I don't need it so I'm not coding it
+ // here and Eric can do it when this makes it into the base library --tjh
ret = 1;
diff --git a/crypto/pem/pem_lib.c b/crypto/pem/pem_lib.c
index 1f7c05f..f1d0798 100644
--- a/crypto/pem/pem_lib.c
+++ b/crypto/pem/pem_lib.c
@@ -130,12 +130,12 @@
}
static int check_pem(const char *nm, const char *name) {
- /* Normal matching nm and name */
+ // Normal matching nm and name
if (!strcmp(nm, name)) {
return 1;
}
- /* Make PEM_STRING_EVP_PKEY match any private key */
+ // Make PEM_STRING_EVP_PKEY match any private key
if (!strcmp(name, PEM_STRING_EVP_PKEY)) {
return !strcmp(nm, PEM_STRING_PKCS8) || !strcmp(nm, PEM_STRING_PKCS8INF) ||
@@ -143,7 +143,7 @@
!strcmp(nm, PEM_STRING_DSA);
}
- /* Permit older strings */
+ // Permit older strings
if (!strcmp(nm, PEM_STRING_X509_OLD) && !strcmp(name, PEM_STRING_X509)) {
return 1;
@@ -154,7 +154,7 @@
return 1;
}
- /* Allow normal certs to be read as trusted certs */
+ // Allow normal certs to be read as trusted certs
if (!strcmp(nm, PEM_STRING_X509) && !strcmp(name, PEM_STRING_X509_TRUSTED)) {
return 1;
}
@@ -164,7 +164,7 @@
return 1;
}
- /* Some CAs use PKCS#7 with CERTIFICATE headers */
+ // Some CAs use PKCS#7 with CERTIFICATE headers
if (!strcmp(nm, PEM_STRING_X509) && !strcmp(name, PEM_STRING_PKCS7)) {
return 1;
}
@@ -177,7 +177,7 @@
if (!strcmp(nm, PEM_STRING_X509) && !strcmp(name, PEM_STRING_CMS)) {
return 1;
}
- /* Allow CMS to be read from PKCS#7 headers */
+ // Allow CMS to be read from PKCS#7 headers
if (!strcmp(nm, PEM_STRING_PKCS7) && !strcmp(name, PEM_STRING_CMS)) {
return 1;
}
@@ -187,9 +187,9 @@
}
static const EVP_CIPHER *cipher_by_name(const char *name) {
- /* This is similar to the (deprecated) function |EVP_get_cipherbyname|. Note
- * the PEM code assumes that ciphers have at least 8 bytes of IV, at most 20
- * bytes of overhead and generally behave like CBC mode. */
+ // This is similar to the (deprecated) function |EVP_get_cipherbyname|. Note
+ // the PEM code assumes that ciphers have at least 8 bytes of IV, at most 20
+ // bytes of overhead and generally behave like CBC mode.
if (0 == strcmp(name, SN_des_cbc)) {
return EVP_des_cbc();
} else if (0 == strcmp(name, SN_des_ede3_cbc)) {
@@ -295,8 +295,8 @@
dsize = 0;
goto err;
}
- /* dzise + 8 bytes are needed */
- /* actually it needs the cipher block size extra... */
+ // dzise + 8 bytes are needed
+ // actually it needs the cipher block size extra...
data = (unsigned char *)OPENSSL_malloc((unsigned int)dsize + 20);
if (data == NULL) {
OPENSSL_PUT_ERROR(PEM, ERR_R_MALLOC_FAILURE);
@@ -321,13 +321,11 @@
kstr = (unsigned char *)buf;
}
assert(iv_len <= (int)sizeof(iv));
- if (!RAND_bytes(iv, iv_len)) { /* Generate a salt */
+ if (!RAND_bytes(iv, iv_len)) { // Generate a salt
goto err;
}
- /*
- * The 'iv' is used as the iv and as a salt. It is NOT taken from
- * the BytesToKey function
- */
+ // The 'iv' is used as the iv and as a salt. It is NOT taken from
+ // the BytesToKey function
if (!EVP_BytesToKey(enc, EVP_md5(), iv, kstr, klen, 1, key, NULL)) {
goto err;
}
@@ -341,7 +339,7 @@
buf[0] = '\0';
PEM_proc_type(buf, PEM_TYPE_ENCRYPTED);
PEM_dek_info(buf, objstr, iv_len, (char *)iv);
- /* k=strlen(buf); */
+ // k=strlen(buf);
EVP_CIPHER_CTX_init(&ctx);
ret = 1;
diff --git a/crypto/pem/pem_oth.c b/crypto/pem/pem_oth.c
index 7cb4e08..8ea05be 100644
--- a/crypto/pem/pem_oth.c
+++ b/crypto/pem/pem_oth.c
@@ -66,7 +66,7 @@
#include <openssl/rand.h>
#include <openssl/x509.h>
-/* Handle 'other' PEMs: not private keys */
+// Handle 'other' PEMs: not private keys
void *PEM_ASN1_read_bio(d2i_of_void *d2i, const char *name, BIO *bp, void **x,
pem_password_cb *cb, void *u) {
diff --git a/crypto/pem/pem_pk8.c b/crypto/pem/pem_pk8.c
index 53b2703..5aef6f1 100644
--- a/crypto/pem/pem_pk8.c
+++ b/crypto/pem/pem_pk8.c
@@ -71,12 +71,10 @@
const EVP_CIPHER *enc, char *kstr, int klen,
pem_password_cb *cb, void *u);
-/*
- * These functions write a private key in PKCS#8 format: it is a "drop in"
- * replacement for PEM_write_bio_PrivateKey() and friends. As usual if 'enc'
- * is NULL then it uses the unencrypted private key form. The 'nid' versions
- * uses PKCS#5 v1.5 PBE algorithms whereas the others use PKCS#5 v2.0.
- */
+// These functions write a private key in PKCS#8 format: it is a "drop in"
+// replacement for PEM_write_bio_PrivateKey() and friends. As usual if 'enc'
+// is NULL then it uses the unencrypted private key form. The 'nid' versions
+// uses PKCS#5 v1.5 PBE algorithms whereas the others use PKCS#5 v2.0.
int PEM_write_bio_PKCS8PrivateKey_nid(BIO *bp, EVP_PKEY *x, int nid, char *kstr,
int klen, pem_password_cb *cb, void *u) {
diff --git a/crypto/pem/pem_pkey.c b/crypto/pem/pem_pkey.c
index b612304..c4b2ca6 100644
--- a/crypto/pem/pem_pkey.c
+++ b/crypto/pem/pem_pkey.c
@@ -130,9 +130,9 @@
}
PKCS8_PRIV_KEY_INFO_free(p8inf);
} else if (strcmp(nm, PEM_STRING_RSA) == 0) {
- /* TODO(davidben): d2i_PrivateKey parses PKCS#8 along with the
- * standalone format. This and the cases below probably should not
- * accept PKCS#8. */
+ // TODO(davidben): d2i_PrivateKey parses PKCS#8 along with the
+ // standalone format. This and the cases below probably should not
+ // accept PKCS#8.
ret = d2i_PrivateKey(EVP_PKEY_RSA, x, &p, len);
} else if (strcmp(nm, PEM_STRING_EC) == 0) {
ret = d2i_PrivateKey(EVP_PKEY_EC, x, &p, len);
diff --git a/crypto/x509/a_sign.c b/crypto/x509/a_sign.c
index 815d143..21552ea 100644
--- a/crypto/x509/a_sign.c
+++ b/crypto/x509/a_sign.c
@@ -85,7 +85,7 @@
pkey = EVP_PKEY_CTX_get0_pkey(ctx->pctx);
- /* Write out the requested copies of the AlgorithmIdentifier. */
+ // Write out the requested copies of the AlgorithmIdentifier.
if (algor1 && !x509_digest_sign_algorithm(ctx, algor1)) {
goto err;
}
@@ -113,10 +113,8 @@
signature->data = buf_out;
buf_out = NULL;
signature->length = outl;
- /*
- * In the interests of compatibility, I'll make sure that the bit string
- * has a 'not-used bits' value of 0
- */
+ // In the interests of compatibility, I'll make sure that the bit string
+ // has a 'not-used bits' value of 0
signature->flags &= ~(ASN1_STRING_FLAG_BITS_LEFT | 0x07);
signature->flags |= ASN1_STRING_FLAG_BITS_LEFT;
err:
diff --git a/crypto/x509/algorithm.c b/crypto/x509/algorithm.c
index b7915ae..16235ee 100644
--- a/crypto/x509/algorithm.c
+++ b/crypto/x509/algorithm.c
@@ -64,7 +64,7 @@
#include "internal.h"
-/* Restrict the digests that are allowed in X509 certificates */
+// Restrict the digests that are allowed in X509 certificates
static int x509_digest_nid_ok(const int digest_nid) {
switch (digest_nid) {
case NID_md4:
@@ -86,7 +86,7 @@
if (!EVP_PKEY_CTX_get_rsa_padding(ctx->pctx, &pad_mode)) {
return 0;
}
- /* RSA-PSS has special signature algorithm logic. */
+ // RSA-PSS has special signature algorithm logic.
if (pad_mode == RSA_PKCS1_PSS_PADDING) {
return x509_rsa_ctx_to_pss(ctx, algor);
}
@@ -96,8 +96,8 @@
return X509_ALGOR_set0(algor, OBJ_nid2obj(NID_ED25519), V_ASN1_UNDEF, NULL);
}
- /* Default behavior: look up the OID for the algorithm/hash pair and encode
- * that. */
+ // Default behavior: look up the OID for the algorithm/hash pair and encode
+ // that.
const EVP_MD *digest = EVP_MD_CTX_md(ctx);
if (digest == NULL) {
OPENSSL_PUT_ERROR(ASN1, ASN1_R_CONTEXT_NOT_INITIALISED);
@@ -112,8 +112,8 @@
return 0;
}
- /* RSA signature algorithms include an explicit NULL parameter. Others omit
- * it. */
+ // RSA signature algorithms include an explicit NULL parameter. Others omit
+ // it.
int paramtype =
(EVP_PKEY_id(pkey) == EVP_PKEY_RSA) ? V_ASN1_NULL : V_ASN1_UNDEF;
X509_ALGOR_set0(algor, OBJ_nid2obj(sign_nid), paramtype, NULL);
@@ -122,7 +122,7 @@
int x509_digest_verify_init(EVP_MD_CTX *ctx, const X509_ALGOR *sigalg,
EVP_PKEY *pkey) {
- /* Convert the signature OID into digest and public key OIDs. */
+ // Convert the signature OID into digest and public key OIDs.
int sigalg_nid = OBJ_obj2nid(sigalg->algorithm);
int digest_nid, pkey_nid;
if (!OBJ_find_sigid_algs(sigalg_nid, &digest_nid, &pkey_nid)) {
@@ -130,19 +130,19 @@
return 0;
}
- /* Check the public key OID matches the public key type. */
+ // Check the public key OID matches the public key type.
if (pkey_nid != EVP_PKEY_id(pkey)) {
OPENSSL_PUT_ERROR(ASN1, ASN1_R_WRONG_PUBLIC_KEY_TYPE);
return 0;
}
- /* Check for permitted digest algorithms */
+ // Check for permitted digest algorithms
if (!x509_digest_nid_ok(digest_nid)) {
OPENSSL_PUT_ERROR(ASN1, ASN1_R_DIGEST_AND_KEY_TYPE_NOT_SUPPORTED);
return 0;
}
- /* NID_undef signals that there are custom parameters to set. */
+ // NID_undef signals that there are custom parameters to set.
if (digest_nid == NID_undef) {
if (sigalg_nid == NID_rsassaPss) {
return x509_rsa_pss_to_ctx(ctx, sigalg, pkey);
@@ -158,17 +158,17 @@
return 0;
}
- /* The parameter should be an explicit NULL for RSA and omitted for ECDSA. For
- * compatibility, we allow either for both algorithms. See b/167375496.
- *
- * TODO(davidben): Chromium's verifier allows both forms for RSA, but enforces
- * ECDSA more strictly. Align with Chromium and add a flag for b/167375496. */
+ // The parameter should be an explicit NULL for RSA and omitted for ECDSA. For
+ // compatibility, we allow either for both algorithms. See b/167375496.
+ //
+ // TODO(davidben): Chromium's verifier allows both forms for RSA, but enforces
+ // ECDSA more strictly. Align with Chromium and add a flag for b/167375496.
if (sigalg->parameter != NULL && sigalg->parameter->type != V_ASN1_NULL) {
OPENSSL_PUT_ERROR(X509, X509_R_INVALID_PARAMETER);
return 0;
}
- /* Otherwise, initialize with the digest from the OID. */
+ // Otherwise, initialize with the digest from the OID.
const EVP_MD *digest = EVP_get_digestbynid(digest_nid);
if (digest == NULL) {
OPENSSL_PUT_ERROR(ASN1, ASN1_R_UNKNOWN_MESSAGE_DIGEST_ALGORITHM);
diff --git a/crypto/x509/asn1_gen.c b/crypto/x509/asn1_gen.c
index e56da9a..3890c46 100644
--- a/crypto/x509/asn1_gen.c
+++ b/crypto/x509/asn1_gen.c
@@ -68,10 +68,8 @@
#include "../x509v3/internal.h"
#include "internal.h"
-/*
- * Although this file is in crypto/x509 for layering purposes, it emits
- * errors from the ASN.1 module for OpenSSL compatibility.
- */
+// Although this file is in crypto/x509 for layering purposes, it emits
+// errors from the ASN.1 module for OpenSSL compatibility.
#define ASN1_GEN_FLAG 0x10000
#define ASN1_GEN_FLAG_IMP (ASN1_GEN_FLAG | 1)
@@ -87,18 +85,18 @@
{ str, sizeof(str) - 1, val }
#define ASN1_FLAG_EXP_MAX 20
-/* Maximum number of nested sequences */
+// Maximum number of nested sequences
#define ASN1_GEN_SEQ_MAX_DEPTH 50
-/* Input formats */
+// Input formats
-/* ASCII: default */
+// ASCII: default
#define ASN1_GEN_FORMAT_ASCII 1
-/* UTF8 */
+// UTF8
#define ASN1_GEN_FORMAT_UTF8 2
-/* Hex */
+// Hex
#define ASN1_GEN_FORMAT_HEX 3
-/* List of bits */
+// List of bits
#define ASN1_GEN_FORMAT_BITLIST 4
struct tag_name_st {
@@ -190,65 +188,61 @@
return NULL;
}
- /* If no tagging return base type */
+ // If no tagging return base type
if ((asn1_tags.imp_tag == -1) && (asn1_tags.exp_count == 0)) {
return ret;
}
- /* Generate the encoding */
+ // Generate the encoding
cpy_len = i2d_ASN1_TYPE(ret, &orig_der);
ASN1_TYPE_free(ret);
ret = NULL;
- /* Set point to start copying for modified encoding */
+ // Set point to start copying for modified encoding
cpy_start = orig_der;
- /* Do we need IMPLICIT tagging? */
+ // Do we need IMPLICIT tagging?
if (asn1_tags.imp_tag != -1) {
- /* If IMPLICIT we will replace the underlying tag */
- /* Skip existing tag+len */
+ // If IMPLICIT we will replace the underlying tag
+ // Skip existing tag+len
r = ASN1_get_object(&cpy_start, &hdr_len, &hdr_tag, &hdr_class, cpy_len);
if (r & 0x80) {
goto err;
}
- /* Update copy length */
+ // Update copy length
cpy_len -= cpy_start - orig_der;
- /*
- * For IMPLICIT tagging the length should match the original length
- * and constructed flag should be consistent.
- */
+ // For IMPLICIT tagging the length should match the original length
+ // and constructed flag should be consistent.
hdr_constructed = r & V_ASN1_CONSTRUCTED;
- /*
- * Work out new length with IMPLICIT tag: ignore constructed because
- * it will mess up if indefinite length
- */
+ // Work out new length with IMPLICIT tag: ignore constructed because
+ // it will mess up if indefinite length
len = ASN1_object_size(0, hdr_len, asn1_tags.imp_tag);
} else {
len = cpy_len;
}
- /* Work out length in any EXPLICIT, starting from end */
+ // Work out length in any EXPLICIT, starting from end
for (i = 0, etmp = asn1_tags.exp_list + asn1_tags.exp_count - 1;
i < asn1_tags.exp_count; i++, etmp--) {
- /* Content length: number of content octets + any padding */
+ // Content length: number of content octets + any padding
len += etmp->exp_pad;
etmp->exp_len = len;
- /* Total object length: length including new header */
+ // Total object length: length including new header
len = ASN1_object_size(0, len, etmp->exp_tag);
}
- /* Allocate buffer for new encoding */
+ // Allocate buffer for new encoding
new_der = OPENSSL_malloc(len);
if (!new_der) {
goto err;
}
- /* Generate tagged encoding */
+ // Generate tagged encoding
p = new_der;
- /* Output explicit tags first */
+ // Output explicit tags first
for (i = 0, etmp = asn1_tags.exp_list; i < asn1_tags.exp_count; i++, etmp++) {
ASN1_put_object(&p, etmp->exp_constructed, etmp->exp_len, etmp->exp_tag,
@@ -258,7 +252,7 @@
}
}
- /* If IMPLICIT, output tag */
+ // If IMPLICIT, output tag
if (asn1_tags.imp_tag != -1) {
if (asn1_tags.imp_class == V_ASN1_UNIVERSAL &&
@@ -270,12 +264,12 @@
asn1_tags.imp_class);
}
- /* Copy across original encoding */
+ // Copy across original encoding
OPENSSL_memcpy(p, cpy_start, cpy_len);
cp = new_der;
- /* Obtain new ASN1_TYPE structure */
+ // Obtain new ASN1_TYPE structure
ret = d2i_ASN1_TYPE(NULL, &cp, len);
err:
@@ -303,7 +297,7 @@
}
for (i = 0, p = elem; i < len; p++, i++) {
- /* Look for the ':' in name value pairs */
+ // Look for the ':' in name value pairs
if (*p == ':') {
vstart = p + 1;
vlen = len - (vstart - elem);
@@ -320,11 +314,11 @@
return -1;
}
- /* If this is not a modifier mark end of string and exit */
+ // If this is not a modifier mark end of string and exit
if (!(utype & ASN1_GEN_FLAG)) {
arg->utype = utype;
arg->str = vstart;
- /* If no value and not end of string, error */
+ // If no value and not end of string, error
if (!vstart && elem[len]) {
OPENSSL_PUT_ERROR(ASN1, ASN1_R_MISSING_VALUE);
return -1;
@@ -334,7 +328,7 @@
switch (utype) {
case ASN1_GEN_FLAG_IMP:
- /* Check for illegal multiple IMPLICIT tagging */
+ // Check for illegal multiple IMPLICIT tagging
if (arg->imp_tag != -1) {
OPENSSL_PUT_ERROR(ASN1, ASN1_R_ILLEGAL_NESTED_TAGGING);
return -1;
@@ -409,7 +403,7 @@
return 0;
}
tag_num = strtoul(vstart, &eptr, 10);
- /* Check we haven't gone past max length: should be impossible */
+ // Check we haven't gone past max length: should be impossible
if (eptr && *eptr && (eptr > vstart + vlen)) {
return 0;
}
@@ -418,7 +412,7 @@
return 0;
}
*ptag = tag_num;
- /* If we have non numeric characters, parse them */
+ // If we have non numeric characters, parse them
if (eptr) {
vlen -= eptr - vstart;
} else {
@@ -457,7 +451,7 @@
return 1;
}
-/* Handle multiple types: SET and SEQUENCE */
+// Handle multiple types: SET and SEQUENCE
static ASN1_TYPE *asn1_multi(int utype, const char *section, X509V3_CTX *cnf,
int depth, int *perr) {
@@ -491,9 +485,7 @@
}
}
- /*
- * Now we has a STACK of the components, convert to the correct form
- */
+ // Now we has a STACK of the components, convert to the correct form
if (utype == V_ASN1_SET) {
derlen = i2d_ASN1_SET_ANY(sk, &der);
@@ -539,7 +531,7 @@
static int append_exp(tag_exp_arg *arg, int exp_tag, int exp_class,
int exp_constructed, int exp_pad, int imp_ok) {
tag_exp_type *exp_tmp;
- /* Can only have IMPLICIT if permitted */
+ // Can only have IMPLICIT if permitted
if ((arg->imp_tag != -1) && !imp_ok) {
OPENSSL_PUT_ERROR(ASN1, ASN1_R_ILLEGAL_IMPLICIT_TAG);
return 0;
@@ -552,10 +544,8 @@
exp_tmp = &arg->exp_list[arg->exp_count++];
- /*
- * If IMPLICIT set tag to implicit value then reset implicit tag since it
- * has been used.
- */
+ // If IMPLICIT set tag to implicit value then reset implicit tag since it
+ // has been used.
if (arg->imp_tag != -1) {
exp_tmp->exp_tag = arg->imp_tag;
exp_tmp->exp_class = arg->imp_class;
@@ -612,24 +602,24 @@
ASN1_GEN_STR("NUMERIC", V_ASN1_NUMERICSTRING),
ASN1_GEN_STR("NUMERICSTRING", V_ASN1_NUMERICSTRING),
- /* Special cases */
+ // Special cases
ASN1_GEN_STR("SEQUENCE", V_ASN1_SEQUENCE),
ASN1_GEN_STR("SEQ", V_ASN1_SEQUENCE),
ASN1_GEN_STR("SET", V_ASN1_SET),
- /* type modifiers */
- /* Explicit tag */
+ // type modifiers
+ // Explicit tag
ASN1_GEN_STR("EXP", ASN1_GEN_FLAG_EXP),
ASN1_GEN_STR("EXPLICIT", ASN1_GEN_FLAG_EXP),
- /* Implicit tag */
+ // Implicit tag
ASN1_GEN_STR("IMP", ASN1_GEN_FLAG_IMP),
ASN1_GEN_STR("IMPLICIT", ASN1_GEN_FLAG_IMP),
- /* OCTET STRING wrapper */
+ // OCTET STRING wrapper
ASN1_GEN_STR("OCTWRAP", ASN1_GEN_FLAG_OCTWRAP),
- /* SEQUENCE wrapper */
+ // SEQUENCE wrapper
ASN1_GEN_STR("SEQWRAP", ASN1_GEN_FLAG_SEQWRAP),
- /* SET wrapper */
+ // SET wrapper
ASN1_GEN_STR("SETWRAP", ASN1_GEN_FLAG_SETWRAP),
- /* BIT STRING wrapper */
+ // BIT STRING wrapper
ASN1_GEN_STR("BITWRAP", ASN1_GEN_FLAG_BITWRAP),
ASN1_GEN_STR("FORM", ASN1_GEN_FLAG_FORMAT),
ASN1_GEN_STR("FORMAT", ASN1_GEN_FLAG_FORMAT),
diff --git a/crypto/x509/by_dir.c b/crypto/x509/by_dir.c
index e5e72b3..9af3d00 100644
--- a/crypto/x509/by_dir.c
+++ b/crypto/x509/by_dir.c
@@ -98,15 +98,15 @@
X509_OBJECT *ret);
static X509_LOOKUP_METHOD x509_dir_lookup = {
"Load certs from files in a directory",
- new_dir, /* new */
- free_dir, /* free */
- NULL, /* init */
- NULL, /* shutdown */
- dir_ctrl, /* ctrl */
- get_cert_by_subject, /* get_by_subject */
- NULL, /* get_by_issuer_serial */
- NULL, /* get_by_fingerprint */
- NULL, /* get_by_alias */
+ new_dir, // new
+ free_dir, // free
+ NULL, // init
+ NULL, // shutdown
+ dir_ctrl, // ctrl
+ get_cert_by_subject, // get_by_subject
+ NULL, // get_by_issuer_serial
+ NULL, // get_by_fingerprint
+ NULL, // get_by_alias
};
X509_LOOKUP_METHOD *X509_LOOKUP_hash_dir(void) { return (&x509_dir_lookup); }
@@ -247,10 +247,8 @@
return 1;
}
-/*
- * g_ent_hashes_lock protects the |hashes| member of all |BY_DIR_ENTRY|
- * objects.
- */
+// g_ent_hashes_lock protects the |hashes| member of all |BY_DIR_ENTRY|
+// objects.
static struct CRYPTO_STATIC_MUTEX g_ent_hashes_lock = CRYPTO_STATIC_MUTEX_INIT;
static int get_cert_by_subject(X509_LOOKUP *xl, int type, X509_NAME *name,
@@ -337,23 +335,19 @@
#ifdef OPENSSL_SYS_VMS
c = ent->dir[strlen(ent->dir) - 1];
if (c != ':' && c != '>' && c != ']') {
- /*
- * If no separator is present, we assume the directory
- * specifier is a logical name, and add a colon. We
- * really should use better VMS routines for merging
- * things like this, but this will do for now... --
- * Richard Levitte
- */
+ // If no separator is present, we assume the directory
+ // specifier is a logical name, and add a colon. We
+ // really should use better VMS routines for merging
+ // things like this, but this will do for now... --
+ // Richard Levitte
c = ':';
} else {
c = '\0';
}
#endif
if (c == '\0') {
- /*
- * This is special. When c == '\0', no directory
- * separator should be added.
- */
+ // This is special. When c == '\0', no directory
+ // separator should be added.
BIO_snprintf(b->data, b->max, "%s%08lx.%s%d", ent->dir, h, postfix,
k);
} else {
@@ -371,7 +365,7 @@
}
}
#endif
- /* found one. */
+ // found one.
if (type == X509_LU_X509) {
if ((X509_load_cert_file(xl, b->data, ent->dir_type)) == 0) {
break;
@@ -381,13 +375,11 @@
break;
}
}
- /* else case will caught higher up */
+ // else case will caught higher up
k++;
}
- /*
- * we have added it to the cache so now pull it out again
- */
+ // we have added it to the cache so now pull it out again
CRYPTO_MUTEX_lock_write(&xl->store_ctx->objs_lock);
tmp = NULL;
sk_X509_OBJECT_sort(xl->store_ctx->objs);
@@ -396,16 +388,12 @@
}
CRYPTO_MUTEX_unlock_write(&xl->store_ctx->objs_lock);
- /*
- * If a CRL, update the last file suffix added for this
- */
+ // If a CRL, update the last file suffix added for this
if (type == X509_LU_CRL) {
CRYPTO_STATIC_MUTEX_lock_write(&g_ent_hashes_lock);
- /*
- * Look for entry again in case another thread added an entry
- * first.
- */
+ // Look for entry again in case another thread added an entry
+ // first.
if (!hent) {
htmp.hash = h;
sk_BY_DIR_HASH_sort(ent->hashes);
@@ -441,20 +429,15 @@
ret->type = tmp->type;
OPENSSL_memcpy(&ret->data, &tmp->data, sizeof(ret->data));
- /*
- * Clear any errors that might have been raised processing empty
- * or malformed files.
- */
+ // Clear any errors that might have been raised processing empty
+ // or malformed files.
ERR_clear_error();
- /*
- * If we were going to up the reference count, we would need
- * to do it on a perl 'type' basis
- */
- /*
- * CRYPTO_add(&tmp->data.x509->references,1,
- * CRYPTO_LOCK_X509);
- */
+ // If we were going to up the reference count, we would need
+ // to do it on a perl 'type' basis
+ //
+ // CRYPTO_add(&tmp->data.x509->references,1,
+ // CRYPTO_LOCK_X509);
goto finish;
}
}
diff --git a/crypto/x509/by_file.c b/crypto/x509/by_file.c
index d45c96f..fe19dbd 100644
--- a/crypto/x509/by_file.c
+++ b/crypto/x509/by_file.c
@@ -69,15 +69,15 @@
char **ret);
static X509_LOOKUP_METHOD x509_file_lookup = {
"Load file into cache",
- NULL, /* new */
- NULL, /* free */
- NULL, /* init */
- NULL, /* shutdown */
- by_file_ctrl, /* ctrl */
- NULL, /* get_by_subject */
- NULL, /* get_by_issuer_serial */
- NULL, /* get_by_fingerprint */
- NULL, /* get_by_alias */
+ NULL, // new
+ NULL, // free
+ NULL, // init
+ NULL, // shutdown
+ by_file_ctrl, // ctrl
+ NULL, // get_by_subject
+ NULL, // get_by_issuer_serial
+ NULL, // get_by_fingerprint
+ NULL, // get_by_alias
};
X509_LOOKUP_METHOD *X509_LOOKUP_file(void) { return (&x509_file_lookup); }
@@ -291,4 +291,4 @@
return count;
}
-#endif /* OPENSSL_NO_STDIO */
+#endif // OPENSSL_NO_STDIO
diff --git a/crypto/x509/i2d_pr.c b/crypto/x509/i2d_pr.c
index 456ab8b..3c8887f 100644
--- a/crypto/x509/i2d_pr.c
+++ b/crypto/x509/i2d_pr.c
@@ -72,10 +72,8 @@
case EVP_PKEY_DSA:
return i2d_DSAPrivateKey(a->pkey.dsa, pp);
default:
- /*
- * Although this file is in crypto/x509 for layering reasons, it emits
- * an error code from ASN1 for OpenSSL compatibility.
- */
+ // Although this file is in crypto/x509 for layering reasons, it emits
+ // an error code from ASN1 for OpenSSL compatibility.
OPENSSL_PUT_ERROR(ASN1, ASN1_R_UNSUPPORTED_PUBLIC_KEY_TYPE);
return -1;
}
diff --git a/crypto/x509/internal.h b/crypto/x509/internal.h
index 0f77fa0..6ac8a3f 100644
--- a/crypto/x509/internal.h
+++ b/crypto/x509/internal.h
@@ -70,7 +70,7 @@
#endif
-/* Internal structures. */
+// Internal structures.
typedef struct X509_val_st {
ASN1_TIME *notBefore;
@@ -372,44 +372,44 @@
int X509_CERT_AUX_print(BIO *bp, X509_CERT_AUX *x, int indent);
-/* RSA-PSS functions. */
+// RSA-PSS functions.
-/* x509_rsa_pss_to_ctx configures |ctx| for an RSA-PSS operation based on
- * signature algorithm parameters in |sigalg| (which must have type
- * |NID_rsassaPss|) and key |pkey|. It returns one on success and zero on
- * error. */
+// x509_rsa_pss_to_ctx configures |ctx| for an RSA-PSS operation based on
+// signature algorithm parameters in |sigalg| (which must have type
+// |NID_rsassaPss|) and key |pkey|. It returns one on success and zero on
+// error.
int x509_rsa_pss_to_ctx(EVP_MD_CTX *ctx, const X509_ALGOR *sigalg,
EVP_PKEY *pkey);
-/* x509_rsa_pss_to_ctx sets |algor| to the signature algorithm parameters for
- * |ctx|, which must have been configured for an RSA-PSS signing operation. It
- * returns one on success and zero on error. */
+// x509_rsa_pss_to_ctx sets |algor| to the signature algorithm parameters for
+// |ctx|, which must have been configured for an RSA-PSS signing operation. It
+// returns one on success and zero on error.
int x509_rsa_ctx_to_pss(EVP_MD_CTX *ctx, X509_ALGOR *algor);
-/* x509_print_rsa_pss_params prints a human-readable representation of RSA-PSS
- * parameters in |sigalg| to |bp|. It returns one on success and zero on
- * error. */
+// x509_print_rsa_pss_params prints a human-readable representation of RSA-PSS
+// parameters in |sigalg| to |bp|. It returns one on success and zero on
+// error.
int x509_print_rsa_pss_params(BIO *bp, const X509_ALGOR *sigalg, int indent,
ASN1_PCTX *pctx);
-/* Signature algorithm functions. */
+// Signature algorithm functions.
-/* x509_digest_sign_algorithm encodes the signing parameters of |ctx| as an
- * AlgorithmIdentifer and saves the result in |algor|. It returns one on
- * success, or zero on error. */
+// x509_digest_sign_algorithm encodes the signing parameters of |ctx| as an
+// AlgorithmIdentifer and saves the result in |algor|. It returns one on
+// success, or zero on error.
int x509_digest_sign_algorithm(EVP_MD_CTX *ctx, X509_ALGOR *algor);
-/* x509_digest_verify_init sets up |ctx| for a signature verification operation
- * with public key |pkey| and parameters from |algor|. The |ctx| argument must
- * have been initialised with |EVP_MD_CTX_init|. It returns one on success, or
- * zero on error. */
+// x509_digest_verify_init sets up |ctx| for a signature verification operation
+// with public key |pkey| and parameters from |algor|. The |ctx| argument must
+// have been initialised with |EVP_MD_CTX_init|. It returns one on success, or
+// zero on error.
int x509_digest_verify_init(EVP_MD_CTX *ctx, const X509_ALGOR *sigalg,
EVP_PKEY *pkey);
#if defined(__cplusplus)
-} /* extern C */
+} // extern C
#endif
-#endif /* OPENSSL_HEADER_X509_INTERNAL_H */
+#endif // OPENSSL_HEADER_X509_INTERNAL_H
diff --git a/crypto/x509/name_print.c b/crypto/x509/name_print.c
index 9ca3a99..f871df9 100644
--- a/crypto/x509/name_print.c
+++ b/crypto/x509/name_print.c
@@ -65,11 +65,11 @@
static int maybe_write(BIO *out, const void *buf, int len) {
- /* If |out| is NULL, ignore the output but report the length. */
+ // If |out| is NULL, ignore the output but report the length.
return out == NULL || BIO_write(out, buf, len) == len;
}
-/* do_indent prints |indent| spaces to |out|. */
+// do_indent prints |indent| spaces to |out|.
static int do_indent(BIO *out, int indent) {
for (int i = 0; i < indent; i++) {
if (!maybe_write(out, " ", 1)) {
@@ -179,7 +179,7 @@
int objlen, fld_len;
if ((fn_opt == XN_FLAG_FN_OID) || (fn_nid == NID_undef)) {
OBJ_obj2txt(objtmp, sizeof objtmp, fn, 1);
- fld_len = 0; /* XXX: what should this be? */
+ fld_len = 0; // XXX: what should this be?
objbuf = objtmp;
} else {
if (fn_opt == XN_FLAG_FN_SN) {
@@ -189,7 +189,7 @@
fld_len = FN_WIDTH_LN;
objbuf = OBJ_nid2ln(fn_nid);
} else {
- fld_len = 0; /* XXX: what should this be? */
+ fld_len = 0; // XXX: what should this be?
objbuf = "";
}
}
@@ -208,11 +208,9 @@
}
outlen += objlen + sep_eq_len;
}
- /*
- * If the field name is unknown then fix up the DER dump flag. We
- * might want to limit this further so it will DER dump on anything
- * other than a few 'standard' fields.
- */
+ // If the field name is unknown then fix up the DER dump flag. We
+ // might want to limit this further so it will DER dump on anything
+ // other than a few 'standard' fields.
if ((fn_nid == NID_undef) && (flags & XN_FLAG_DUMP_UNKNOWN_FIELDS)) {
orflags = ASN1_STRFLGS_DUMP_ALL;
} else {
@@ -240,8 +238,8 @@
unsigned long flags) {
BIO *bio = NULL;
if (fp != NULL) {
- /* If |fp| is NULL, this function returns the number of bytes without
- * writing. */
+ // If |fp| is NULL, this function returns the number of bytes without
+ // writing.
bio = BIO_new_fp(fp, BIO_NOCLOSE);
if (bio == NULL) {
return -1;
diff --git a/crypto/x509/rsa_pss.c b/crypto/x509/rsa_pss.c
index 8c50344..049e6bc 100644
--- a/crypto/x509/rsa_pss.c
+++ b/crypto/x509/rsa_pss.c
@@ -86,7 +86,7 @@
IMPLEMENT_ASN1_FUNCTIONS(RSA_PSS_PARAMS)
-/* Given an MGF1 Algorithm ID decode to an Algorithm Identifier */
+// Given an MGF1 Algorithm ID decode to an Algorithm Identifier
static X509_ALGOR *rsa_mgf1_decode(X509_ALGOR *alg) {
if (alg == NULL || alg->parameter == NULL ||
OBJ_obj2nid(alg->algorithm) != NID_mgf1 ||
@@ -118,7 +118,7 @@
return pss;
}
-/* allocate and set algorithm ID from EVP_MD, default SHA1 */
+// allocate and set algorithm ID from EVP_MD, default SHA1
static int rsa_md_to_algor(X509_ALGOR **palg, const EVP_MD *md) {
if (EVP_MD_type(md) == NID_sha1) {
return 1;
@@ -131,7 +131,7 @@
return 1;
}
-/* Allocate and set MGF1 algorithm ID from EVP_MD */
+// Allocate and set MGF1 algorithm ID from EVP_MD
static int rsa_md_to_mgf1(X509_ALGOR **palg, const EVP_MD *mgf1md) {
X509_ALGOR *algtmp = NULL;
ASN1_STRING *stmp = NULL;
@@ -140,7 +140,7 @@
if (EVP_MD_type(mgf1md) == NID_sha1) {
return 1;
}
- /* need to embed algorithm ID inside another */
+ // need to embed algorithm ID inside another
if (!rsa_md_to_algor(&algtmp, mgf1md) ||
!ASN1_item_pack(algtmp, ASN1_ITEM_rptr(X509_ALGOR), &stmp)) {
goto err;
@@ -162,7 +162,7 @@
return 0;
}
-/* convert algorithm ID to EVP_MD, default SHA1 */
+// convert algorithm ID to EVP_MD, default SHA1
static const EVP_MD *rsa_algor_to_md(X509_ALGOR *alg) {
const EVP_MD *md;
if (!alg) {
@@ -175,14 +175,14 @@
return md;
}
-/* convert MGF1 algorithm ID to EVP_MD, default SHA1 */
+// convert MGF1 algorithm ID to EVP_MD, default SHA1
static const EVP_MD *rsa_mgf1_to_md(const X509_ALGOR *alg,
X509_ALGOR *maskHash) {
const EVP_MD *md;
if (!alg) {
return EVP_sha1();
}
- /* Check mask and lookup mask hash algorithm */
+ // Check mask and lookup mask hash algorithm
if (OBJ_obj2nid(alg->algorithm) != NID_mgf1 || maskHash == NULL) {
OPENSSL_PUT_ERROR(X509, X509_R_INVALID_PSS_PARAMETERS);
return NULL;
@@ -239,7 +239,7 @@
goto err;
}
- /* Finally create string with pss parameter encoding. */
+ // Finally create string with pss parameter encoding.
if (!ASN1_item_pack(pss, ASN1_ITEM_rptr(RSA_PSS_PARAMS), &os)) {
goto err;
}
@@ -258,7 +258,7 @@
EVP_PKEY *pkey) {
assert(OBJ_obj2nid(sigalg->algorithm) == NID_rsassaPss);
- /* Decode PSS parameters */
+ // Decode PSS parameters
int ret = 0;
X509_ALGOR *maskHash;
RSA_PSS_PARAMS *pss = rsa_pss_decode(sigalg, &maskHash);
@@ -277,16 +277,16 @@
if (pss->saltLength != NULL) {
saltlen = ASN1_INTEGER_get(pss->saltLength);
- /* Could perform more salt length sanity checks but the main
- * RSA routines will trap other invalid values anyway. */
+ // Could perform more salt length sanity checks but the main
+ // RSA routines will trap other invalid values anyway.
if (saltlen < 0) {
OPENSSL_PUT_ERROR(X509, X509_R_INVALID_PSS_PARAMETERS);
goto err;
}
}
- /* low-level routines support only trailer field 0xbc (value 1)
- * and PKCS#1 says we should reject any other value anyway. */
+ // low-level routines support only trailer field 0xbc (value 1)
+ // and PKCS#1 says we should reject any other value anyway.
if (pss->trailerField != NULL && ASN1_INTEGER_get(pss->trailerField) != 1) {
OPENSSL_PUT_ERROR(X509, X509_R_INVALID_PSS_PARAMETERS);
goto err;
diff --git a/crypto/x509/t_x509.c b/crypto/x509/t_x509.c
index 63cb444..fd83cdb 100644
--- a/crypto/x509/t_x509.c
+++ b/crypto/x509/t_x509.c
@@ -139,7 +139,7 @@
goto err;
}
} else {
- ERR_clear_error(); /* Clear |ASN1_INTEGER_get_uint64|'s error. */
+ ERR_clear_error(); // Clear |ASN1_INTEGER_get_uint64|'s error.
neg = (serial->type == V_ASN1_NEG_INTEGER) ? " (Negative)" : "";
if (BIO_printf(bp, "\n%12s%s", "", neg) <= 0) {
goto err;
@@ -276,9 +276,7 @@
int i;
unsigned char SHA1md[SHA_DIGEST_LENGTH];
- /*
- * display the hash of the subject as it would appear in OCSP requests
- */
+ // display the hash of the subject as it would appear in OCSP requests
if (BIO_printf(bp, " Subject OCSP hash: ") <= 0) {
goto err;
}
@@ -299,9 +297,7 @@
OPENSSL_free(der);
der = NULL;
- /*
- * display the hash of the public key as it would appear in OCSP requests
- */
+ // display the hash of the public key as it would appear in OCSP requests
if (BIO_printf(bp, "\n Public key OCSP hash: ") <= 0) {
goto err;
}
@@ -335,7 +331,7 @@
return 0;
}
- /* RSA-PSS signatures have parameters to print. */
+ // RSA-PSS signatures have parameters to print.
int sig_nid = OBJ_obj2nid(sigalg->algorithm);
if (sig_nid == NID_rsassaPss &&
!x509_print_rsa_pss_params(bp, sigalg, 9, 0)) {
@@ -362,7 +358,7 @@
OPENSSL_free(b);
return 1;
}
- s = b + 1; /* skip the first slash */
+ s = b + 1; // skip the first slash
c = s;
for (;;) {
@@ -374,7 +370,7 @@
if (BIO_write(bp, c, i) != i) {
goto err;
}
- c = s + 1; /* skip following slash */
+ c = s + 1; // skip following slash
if (*s != '\0') {
if (BIO_write(bp, ", ", 2) != 2) {
goto err;
diff --git a/crypto/x509/t_x509a.c b/crypto/x509/t_x509a.c
index f8495e3..956b9a0 100644
--- a/crypto/x509/t_x509a.c
+++ b/crypto/x509/t_x509a.c
@@ -63,7 +63,7 @@
#include "internal.h"
-/* X509_CERT_AUX and string set routines */
+// X509_CERT_AUX and string set routines
int X509_CERT_AUX_print(BIO *out, X509_CERT_AUX *aux, int indent) {
char oidstr[80], first;
diff --git a/crypto/x509/x509.c b/crypto/x509/x509.c
index 0ae368e..f6b8fab 100644
--- a/crypto/x509/x509.c
+++ b/crypto/x509/x509.c
@@ -61,8 +61,8 @@
#include <openssl/mem.h>
-/* |X509_R_UNSUPPORTED_ALGORITHM| is no longer emitted, but continue to define
- * it to avoid downstream churn. */
+// |X509_R_UNSUPPORTED_ALGORITHM| is no longer emitted, but continue to define
+// it to avoid downstream churn.
OPENSSL_DECLARE_ERROR_REASON(X509, UNSUPPORTED_ALGORITHM)
int X509_signature_dump(BIO *bp, const ASN1_STRING *sig, int indent) {
diff --git a/crypto/x509/x509_att.c b/crypto/x509/x509_att.c
index 3824a6e..0942196 100644
--- a/crypto/x509/x509_att.c
+++ b/crypto/x509/x509_att.c
@@ -304,11 +304,9 @@
}
atype = attrtype;
}
- /*
- * This is a bit naughty because the attribute should really have at
- * least one value but some types use and zero length SET and require
- * this.
- */
+ // This is a bit naughty because the attribute should really have at
+ // least one value but some types use and zero length SET and require
+ // this.
if (attrtype == 0) {
ASN1_STRING_free(stmp);
return 1;
diff --git a/crypto/x509/x509_cmp.c b/crypto/x509/x509_cmp.c
index 788a073..208ce37 100644
--- a/crypto/x509/x509_cmp.c
+++ b/crypto/x509/x509_cmp.c
@@ -132,23 +132,21 @@
return (X509_NAME_hash_old(x->cert_info->subject));
}
-/*
- * Compare two certificates: they must be identical for this to work. NB:
- * Although "cmp" operations are generally prototyped to take "const"
- * arguments (eg. for use in STACKs), the way X509 handling is - these
- * operations may involve ensuring the hashes are up-to-date and ensuring
- * certain cert information is cached. So this is the point where the
- * "depth-first" constification tree has to halt with an evil cast.
- */
+// Compare two certificates: they must be identical for this to work. NB:
+// Although "cmp" operations are generally prototyped to take "const"
+// arguments (eg. for use in STACKs), the way X509 handling is - these
+// operations may involve ensuring the hashes are up-to-date and ensuring
+// certain cert information is cached. So this is the point where the
+// "depth-first" constification tree has to halt with an evil cast.
int X509_cmp(const X509 *a, const X509 *b) {
- /* Fill in the |cert_hash| fields.
- *
- * TODO(davidben): This may fail, in which case the the hash will be all
- * zeros. This produces a consistent comparison (failures are sticky), but
- * not a good one. OpenSSL now returns -2, but this is not a consistent
- * comparison and may cause misbehaving sorts by transitivity. For now, we
- * retain the old OpenSSL behavior, which was to ignore the error. See
- * https://crbug.com/boringssl/355. */
+ // Fill in the |cert_hash| fields.
+ //
+ // TODO(davidben): This may fail, in which case the the hash will be all
+ // zeros. This produces a consistent comparison (failures are sticky), but
+ // not a good one. OpenSSL now returns -2, but this is not a consistent
+ // comparison and may cause misbehaving sorts by transitivity. For now, we
+ // retain the old OpenSSL behavior, which was to ignore the error. See
+ // https://crbug.com/boringssl/355.
x509v3_cache_extensions((X509 *)a);
x509v3_cache_extensions((X509 *)b);
@@ -158,7 +156,7 @@
int X509_NAME_cmp(const X509_NAME *a, const X509_NAME *b) {
int ret;
- /* Ensure canonical encoding is present and up to date */
+ // Ensure canonical encoding is present and up to date
if (!a->canon_enc || a->modified) {
ret = i2d_X509_NAME((X509_NAME *)a, NULL);
@@ -187,7 +185,7 @@
unsigned long ret = 0;
unsigned char md[SHA_DIGEST_LENGTH];
- /* Make sure X509_NAME structure contains valid cached encoding */
+ // Make sure X509_NAME structure contains valid cached encoding
i2d_X509_NAME(x, NULL);
if (!EVP_Digest(x->canon_enc, x->canon_enclen, md, NULL, EVP_sha1(), NULL)) {
return 0;
@@ -199,20 +197,18 @@
return (ret);
}
-/*
- * I now DER encode the name and hash it. Since I cache the DER encoding,
- * this is reasonably efficient.
- */
+// I now DER encode the name and hash it. Since I cache the DER encoding,
+// this is reasonably efficient.
unsigned long X509_NAME_hash_old(X509_NAME *x) {
EVP_MD_CTX md_ctx;
unsigned long ret = 0;
unsigned char md[16];
- /* Make sure X509_NAME structure contains valid cached encoding */
+ // Make sure X509_NAME structure contains valid cached encoding
i2d_X509_NAME(x, NULL);
EVP_MD_CTX_init(&md_ctx);
- /* EVP_MD_CTX_set_flags(&md_ctx, EVP_MD_CTX_FLAG_NON_FIPS_ALLOW); */
+ // EVP_MD_CTX_set_flags(&md_ctx, EVP_MD_CTX_FLAG_NON_FIPS_ALLOW);
if (EVP_DigestInit_ex(&md_ctx, EVP_md5(), NULL) &&
EVP_DigestUpdate(&md_ctx, x->bytes->data, x->bytes->length) &&
EVP_DigestFinal_ex(&md_ctx, md, NULL)) {
@@ -225,7 +221,7 @@
return (ret);
}
-/* Search a stack of X509 for a match */
+// Search a stack of X509 for a match
X509 *X509_find_by_issuer_and_serial(STACK_OF(X509) *sk, X509_NAME *name,
ASN1_INTEGER *serial) {
size_t i;
@@ -309,11 +305,9 @@
return 0;
}
-/*
- * Check a suite B algorithm is permitted: pass in a public key and the NID
- * of its signature (or 0 if no signature). The pflags is a pointer to a
- * flags field which must contain the suite B verification flags.
- */
+// Check a suite B algorithm is permitted: pass in a public key and the NID
+// of its signature (or 0 if no signature). The pflags is a pointer to a
+// flags field which must contain the suite B verification flags.
static int check_suite_b(EVP_PKEY *pkey, int sign_nid, unsigned long *pflags) {
const EC_GROUP *grp = NULL;
@@ -325,20 +319,18 @@
return X509_V_ERR_SUITE_B_INVALID_ALGORITHM;
}
curve_nid = EC_GROUP_get_curve_name(grp);
- /* Check curve is consistent with LOS */
- if (curve_nid == NID_secp384r1) { /* P-384 */
- /*
- * Check signature algorithm is consistent with curve.
- */
+ // Check curve is consistent with LOS
+ if (curve_nid == NID_secp384r1) { // P-384
+ // Check signature algorithm is consistent with curve.
if (sign_nid != -1 && sign_nid != NID_ecdsa_with_SHA384) {
return X509_V_ERR_SUITE_B_INVALID_SIGNATURE_ALGORITHM;
}
if (!(*pflags & X509_V_FLAG_SUITEB_192_LOS)) {
return X509_V_ERR_SUITE_B_LOS_NOT_ALLOWED;
}
- /* If we encounter P-384 we cannot use P-256 later */
+ // If we encounter P-384 we cannot use P-256 later
*pflags &= ~X509_V_FLAG_SUITEB_128_LOS_ONLY;
- } else if (curve_nid == NID_X9_62_prime256v1) { /* P-256 */
+ } else if (curve_nid == NID_X9_62_prime256v1) { // P-256
if (sign_nid != -1 && sign_nid != NID_ecdsa_with_SHA256) {
return X509_V_ERR_SUITE_B_INVALID_SIGNATURE_ALGORITHM;
}
@@ -362,7 +354,7 @@
return X509_V_OK;
}
tflags = flags;
- /* If no EE certificate passed in must be first in chain */
+ // If no EE certificate passed in must be first in chain
if (x == NULL) {
x = sk_X509_value(chain, 0);
i = 1;
@@ -372,16 +364,16 @@
if (X509_get_version(x) != X509_VERSION_3) {
rv = X509_V_ERR_SUITE_B_INVALID_VERSION;
- /* Correct error depth */
+ // Correct error depth
i = 0;
goto end;
}
pk = X509_get_pubkey(x);
- /* Check EE key only */
+ // Check EE key only
rv = check_suite_b(pk, -1, &tflags);
if (rv != X509_V_OK) {
- /* Correct error depth */
+ // Correct error depth
i = 0;
goto end;
}
@@ -400,23 +392,21 @@
}
}
- /* Final check: root CA signature */
+ // Final check: root CA signature
rv = check_suite_b(pk, X509_get_signature_nid(x), &tflags);
end:
if (pk) {
EVP_PKEY_free(pk);
}
if (rv != X509_V_OK) {
- /* Invalid signature or LOS errors are for previous cert */
+ // Invalid signature or LOS errors are for previous cert
if ((rv == X509_V_ERR_SUITE_B_INVALID_SIGNATURE_ALGORITHM ||
rv == X509_V_ERR_SUITE_B_LOS_NOT_ALLOWED) &&
i) {
i--;
}
- /*
- * If we have LOS error and flags changed then we are signing P-384
- * with P-256. Use more meaninggul error.
- */
+ // If we have LOS error and flags changed then we are signing P-384
+ // with P-256. Use more meaninggul error.
if (rv == X509_V_ERR_SUITE_B_LOS_NOT_ALLOWED && flags != tflags) {
rv = X509_V_ERR_SUITE_B_CANNOT_SIGN_P_384_WITH_P_256;
}
@@ -436,11 +426,9 @@
return check_suite_b(pk, sign_nid, &flags);
}
-/*
- * Not strictly speaking an "up_ref" as a STACK doesn't have a reference
- * count but it has the same effect by duping the STACK and upping the ref of
- * each X509 structure.
- */
+// Not strictly speaking an "up_ref" as a STACK doesn't have a reference
+// count but it has the same effect by duping the STACK and upping the ref of
+// each X509 structure.
STACK_OF(X509) *X509_chain_up_ref(STACK_OF(X509) *chain) {
STACK_OF(X509) *ret;
size_t i;
diff --git a/crypto/x509/x509_d2.c b/crypto/x509/x509_d2.c
index 7043123..3168330 100644
--- a/crypto/x509/x509_d2.c
+++ b/crypto/x509/x509_d2.c
@@ -74,7 +74,7 @@
}
X509_LOOKUP_add_dir(lookup, NULL, X509_FILETYPE_DEFAULT);
- /* clear any errors */
+ // clear any errors
ERR_clear_error();
return (1);
diff --git a/crypto/x509/x509_def.c b/crypto/x509/x509_def.c
index 71d2331..ada9af4 100644
--- a/crypto/x509/x509_def.c
+++ b/crypto/x509/x509_def.c
@@ -57,7 +57,7 @@
#include <openssl/x509.h>
-/* TODO(fork): cleanup */
+// TODO(fork): cleanup
#if defined(OPENSSL_FUCHSIA)
#define OPENSSLDIR "/config/ssl"
diff --git a/crypto/x509/x509_lu.c b/crypto/x509/x509_lu.c
index 09661fc..8165d24 100644
--- a/crypto/x509/x509_lu.c
+++ b/crypto/x509/x509_lu.c
@@ -180,7 +180,7 @@
ret = X509_CRL_cmp((*a)->data.crl, (*b)->data.crl);
break;
default:
- /* abort(); */
+ // abort();
return 0;
}
return ret;
@@ -241,7 +241,7 @@
} else if (a->type == X509_LU_CRL) {
X509_CRL_free(a->data.crl);
} else {
- /* abort(); */
+ // abort();
}
OPENSSL_free(a);
@@ -289,7 +289,7 @@
return lu;
}
}
- /* a new one */
+ // a new one
lu = X509_LOOKUP_new(m);
if (lu == NULL) {
return NULL;
@@ -328,9 +328,7 @@
}
}
- /*
- * if (ret->data.ptr != NULL) X509_OBJECT_free_contents(ret);
- */
+ // if (ret->data.ptr != NULL) X509_OBJECT_free_contents(ret);
ret->type = tmp->type;
ret->data.ptr = tmp->data.ptr;
@@ -364,7 +362,7 @@
int ret = 1;
int added = 0;
- /* Duplicates are silently ignored */
+ // Duplicates are silently ignored
if (!X509_OBJECT_retrieve_match(ctx->objs, obj)) {
ret = added = (sk_X509_OBJECT_push(ctx->objs, obj) != 0);
}
@@ -440,7 +438,7 @@
crl_info_s.issuer = name;
break;
default:
- /* abort(); */
+ // abort();
return -1;
}
@@ -498,10 +496,8 @@
CRYPTO_MUTEX_lock_write(&ctx->ctx->objs_lock);
idx = x509_object_idx_cnt(ctx->ctx->objs, X509_LU_X509, nm, &cnt);
if (idx < 0) {
- /*
- * Nothing found in cache: do lookup to possibly add new objects to
- * cache
- */
+ // Nothing found in cache: do lookup to possibly add new objects to
+ // cache
X509_OBJECT xobj;
CRYPTO_MUTEX_unlock_write(&ctx->ctx->objs_lock);
if (!X509_STORE_get_by_subject(ctx, X509_LU_X509, nm, &xobj)) {
@@ -541,7 +537,7 @@
return NULL;
}
- /* Always do lookup to possibly add new CRLs to cache. */
+ // Always do lookup to possibly add new CRLs to cache.
if (!X509_STORE_get_by_subject(ctx, X509_LU_CRL, nm, &xobj)) {
sk_X509_CRL_free(sk);
return NULL;
@@ -602,13 +598,11 @@
return NULL;
}
-/*
- * Try to get issuer certificate from store. Due to limitations of the API
- * this can only retrieve a single certificate matching a given subject name.
- * However it will fill the cache with all matching certificates, so we can
- * examine the cache for all matches. Return values are: 1 lookup
- * successful. 0 certificate not found. -1 some other error.
- */
+// Try to get issuer certificate from store. Due to limitations of the API
+// this can only retrieve a single certificate matching a given subject name.
+// However it will fill the cache with all matching certificates, so we can
+// examine the cache for all matches. Return values are: 1 lookup
+// successful. 0 certificate not found. -1 some other error.
int X509_STORE_CTX_get1_issuer(X509 **issuer, X509_STORE_CTX *ctx, X509 *x) {
X509_NAME *xn;
X509_OBJECT obj, *pobj;
@@ -618,23 +612,23 @@
if (!X509_STORE_get_by_subject(ctx, X509_LU_X509, xn, &obj)) {
return 0;
}
- /* If certificate matches all OK */
+ // If certificate matches all OK
if (ctx->check_issued(ctx, x, obj.data.x509)) {
*issuer = obj.data.x509;
return 1;
}
X509_OBJECT_free_contents(&obj);
- /* Else find index of first cert accepted by 'check_issued' */
+ // Else find index of first cert accepted by 'check_issued'
ret = 0;
CRYPTO_MUTEX_lock_write(&ctx->ctx->objs_lock);
idx = X509_OBJECT_idx_by_subject(ctx->ctx->objs, X509_LU_X509, xn);
- if (idx != -1) { /* should be true as we've had at least one
- * match */
- /* Look through all matching certs for suitable issuer */
+ if (idx != -1) { // should be true as we've had at least one
+ // match
+ // Look through all matching certs for suitable issuer
for (i = idx; i < sk_X509_OBJECT_num(ctx->ctx->objs); i++) {
pobj = sk_X509_OBJECT_value(ctx->ctx->objs, i);
- /* See if we've run past the matches */
+ // See if we've run past the matches
if (pobj->type != X509_LU_X509) {
break;
}
diff --git a/crypto/x509/x509_obj.c b/crypto/x509/x509_obj.c
index 65463fa..ab8e2d6 100644
--- a/crypto/x509/x509_obj.c
+++ b/crypto/x509/x509_obj.c
@@ -67,10 +67,8 @@
#include "internal.h"
-/*
- * Limit to ensure we don't overflow: much greater than
- * anything enountered in practice.
- */
+// Limit to ensure we don't overflow: much greater than
+// anything enountered in practice.
#define NAME_ONELINE_MAX (1024 * 1024)
@@ -107,7 +105,7 @@
return buf;
}
- len--; /* space for '\0' */
+ len--; // space for '\0'
l = 0;
for (i = 0; i < sk_X509_NAME_ENTRY_num(a->entries); i++) {
ne = sk_X509_NAME_ENTRY_value(a->entries, i);
diff --git a/crypto/x509/x509_req.c b/crypto/x509/x509_req.c
index 778d573..bc8e08d 100644
--- a/crypto/x509/x509_req.c
+++ b/crypto/x509/x509_req.c
@@ -104,7 +104,7 @@
break;
}
if (k->type == EVP_PKEY_DH) {
- /* No idea */
+ // No idea
OPENSSL_PUT_ERROR(X509, X509_R_CANT_CHECK_DH_KEY);
break;
}
@@ -142,14 +142,12 @@
NULL, &p, ext->value.sequence->length, ASN1_ITEM_rptr(X509_EXTENSIONS));
}
-/*
- * Add a STACK_OF extensions to a certificate request: allow alternative OIDs
- * in case we want to create a non standard one.
- */
+// Add a STACK_OF extensions to a certificate request: allow alternative OIDs
+// in case we want to create a non standard one.
int X509_REQ_add_extensions_nid(X509_REQ *req,
const STACK_OF(X509_EXTENSION) *exts, int nid) {
- /* Generate encoding of extensions */
+ // Generate encoding of extensions
unsigned char *ext = NULL;
int ext_len =
ASN1_item_i2d((ASN1_VALUE *)exts, &ext, ASN1_ITEM_rptr(X509_EXTENSIONS));
@@ -161,13 +159,13 @@
return ret;
}
-/* This is the normal usage: use the "official" OID */
+// This is the normal usage: use the "official" OID
int X509_REQ_add_extensions(X509_REQ *req,
const STACK_OF(X509_EXTENSION) *exts) {
return X509_REQ_add_extensions_nid(req, exts, NID_ext_req);
}
-/* Request attribute functions */
+// Request attribute functions
int X509_REQ_get_attr_count(const X509_REQ *req) {
return X509at_get_attr_count(req->req_info->attributes);
diff --git a/crypto/x509/x509_set.c b/crypto/x509/x509_set.c
index 99fbdc3..adc6c32 100644
--- a/crypto/x509/x509_set.c
+++ b/crypto/x509/x509_set.c
@@ -81,7 +81,7 @@
return 0;
}
- /* v1(0) is default and is represented by omitting the version. */
+ // v1(0) is default and is represented by omitting the version.
if (version == X509_VERSION_1) {
ASN1_INTEGER_free(x->cert_info->version);
x->cert_info->version = NULL;
diff --git a/crypto/x509/x509_trs.c b/crypto/x509/x509_trs.c
index 9436b2f..49c66c1 100644
--- a/crypto/x509/x509_trs.c
+++ b/crypto/x509/x509_trs.c
@@ -72,11 +72,9 @@
static int obj_trust(int id, X509 *x, int flags);
-/*
- * WARNING: the following table should be kept in order of trust and without
- * any gaps so we can just subtract the minimum trust value to get an index
- * into the table
- */
+// WARNING: the following table should be kept in order of trust and without
+// any gaps so we can just subtract the minimum trust value to get an index
+// into the table
static X509_TRUST trstandard[] = {
{X509_TRUST_COMPAT, 0, trust_compat, (char *)"compatible", 0, NULL},
@@ -109,7 +107,7 @@
if (id == -1) {
return 1;
}
- /* We get this as a default value */
+ // We get this as a default value
if (id == 0) {
int rv;
rv = obj_trust(NID_anyExtendedKeyUsage, x, 0);
@@ -176,15 +174,13 @@
X509_TRUST *trtmp;
char *name_dup;
- /*
- * This is set according to what we change: application can't set it
- */
+ // This is set according to what we change: application can't set it
flags &= ~X509_TRUST_DYNAMIC;
- /* This will always be set for application modified trust entries */
+ // This will always be set for application modified trust entries
flags |= X509_TRUST_DYNAMIC_NAME;
- /* Get existing entry if any */
+ // Get existing entry if any
idx = X509_TRUST_get_by_id(id);
- /* Need a new entry */
+ // Need a new entry
if (idx == -1) {
if (!(trtmp = OPENSSL_malloc(sizeof(X509_TRUST)))) {
OPENSSL_PUT_ERROR(X509, ERR_R_MALLOC_FAILURE);
@@ -195,7 +191,7 @@
trtmp = X509_TRUST_get0(idx);
}
- /* Duplicate the supplied name. */
+ // Duplicate the supplied name.
name_dup = OPENSSL_strdup(name);
if (name_dup == NULL) {
OPENSSL_PUT_ERROR(X509, ERR_R_MALLOC_FAILURE);
@@ -205,14 +201,14 @@
return 0;
}
- /* OPENSSL_free existing name if dynamic */
+ // OPENSSL_free existing name if dynamic
if (trtmp->flags & X509_TRUST_DYNAMIC_NAME) {
OPENSSL_free(trtmp->name);
}
trtmp->name = name_dup;
- /* Keep the dynamic flag of existing entry */
+ // Keep the dynamic flag of existing entry
trtmp->flags &= X509_TRUST_DYNAMIC;
- /* Set all other flags */
+ // Set all other flags
trtmp->flags |= flags;
trtmp->trust = id;
@@ -220,7 +216,7 @@
trtmp->arg1 = arg1;
trtmp->arg2 = arg2;
- /* If its a new entry manage the dynamic table */
+ // If its a new entry manage the dynamic table
if (idx == -1) {
if (!trtable && !(trtable = sk_X509_TRUST_new(tr_cmp))) {
OPENSSL_PUT_ERROR(X509, ERR_R_MALLOC_FAILURE);
@@ -267,10 +263,8 @@
if (x->aux && (x->aux->trust || x->aux->reject)) {
return obj_trust(trust->arg1, x, flags);
}
- /*
- * we don't have any trust settings: for compatibility we return trusted
- * if it is self signed
- */
+ // we don't have any trust settings: for compatibility we return trusted
+ // if it is self signed
return trust_compat(trust, x, flags);
}
diff --git a/crypto/x509/x509_vfy.c b/crypto/x509/x509_vfy.c
index bbbecc6..8569d2a 100644
--- a/crypto/x509/x509_vfy.c
+++ b/crypto/x509/x509_vfy.c
@@ -74,42 +74,42 @@
static CRYPTO_EX_DATA_CLASS g_ex_data_class =
CRYPTO_EX_DATA_CLASS_INIT_WITH_APP_DATA;
-/* CRL score values */
+// CRL score values
-/* No unhandled critical extensions */
+// No unhandled critical extensions
#define CRL_SCORE_NOCRITICAL 0x100
-/* certificate is within CRL scope */
+// certificate is within CRL scope
#define CRL_SCORE_SCOPE 0x080
-/* CRL times valid */
+// CRL times valid
#define CRL_SCORE_TIME 0x040
-/* Issuer name matches certificate */
+// Issuer name matches certificate
#define CRL_SCORE_ISSUER_NAME 0x020
-/* If this score or above CRL is probably valid */
+// If this score or above CRL is probably valid
#define CRL_SCORE_VALID \
(CRL_SCORE_NOCRITICAL | CRL_SCORE_TIME | CRL_SCORE_SCOPE)
-/* CRL issuer is certificate issuer */
+// CRL issuer is certificate issuer
#define CRL_SCORE_ISSUER_CERT 0x018
-/* CRL issuer is on certificate path */
+// CRL issuer is on certificate path
#define CRL_SCORE_SAME_PATH 0x008
-/* CRL issuer matches CRL AKID */
+// CRL issuer matches CRL AKID
#define CRL_SCORE_AKID 0x004
-/* Have a delta CRL with valid times */
+// Have a delta CRL with valid times
#define CRL_SCORE_TIME_DELTA 0x002
@@ -142,9 +142,9 @@
static int null_callback(int ok, X509_STORE_CTX *e) { return ok; }
-/* cert_self_signed checks if |x| is self-signed. If |x| is valid, it returns
- * one and sets |*out_is_self_signed| to the result. If |x| is invalid, it
- * returns zero. */
+// cert_self_signed checks if |x| is self-signed. If |x| is valid, it returns
+// one and sets |*out_is_self_signed| to the result. If |x| is invalid, it
+// returns zero.
static int cert_self_signed(X509 *x, int *out_is_self_signed) {
if (!x509v3_cache_extensions(x)) {
return 0;
@@ -153,18 +153,18 @@
return 1;
}
-/* Given a certificate try and find an exact match in the store */
+// Given a certificate try and find an exact match in the store
static X509 *lookup_cert_match(X509_STORE_CTX *ctx, X509 *x) {
STACK_OF(X509) *certs;
X509 *xtmp = NULL;
size_t i;
- /* Lookup all certs with matching subject name */
+ // Lookup all certs with matching subject name
certs = ctx->lookup_certs(ctx, X509_get_subject_name(x));
if (certs == NULL) {
return NULL;
}
- /* Look for exact match */
+ // Look for exact match
for (i = 0; i < sk_X509_num(certs); i++) {
xtmp = sk_X509_value(certs, i);
if (!X509_cmp(xtmp, x)) {
@@ -194,19 +194,15 @@
return -1;
}
if (ctx->chain != NULL) {
- /*
- * This X509_STORE_CTX has already been used to verify a cert. We
- * cannot do another one.
- */
+ // This X509_STORE_CTX has already been used to verify a cert. We
+ // cannot do another one.
OPENSSL_PUT_ERROR(X509, ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED);
ctx->error = X509_V_ERR_INVALID_CALL;
return -1;
}
- /*
- * first we make sure the chain we are going to build is present and that
- * the first entry is in place
- */
+ // first we make sure the chain we are going to build is present and that
+ // the first entry is in place
ctx->chain = sk_X509_new_null();
if (ctx->chain == NULL || !sk_X509_push(ctx->chain, ctx->cert)) {
OPENSSL_PUT_ERROR(X509, ERR_R_MALLOC_FAILURE);
@@ -216,7 +212,7 @@
X509_up_ref(ctx->cert);
ctx->last_untrusted = 1;
- /* We use a temporary STACK so we can chop and hack at it. */
+ // We use a temporary STACK so we can chop and hack at it.
if (ctx->untrusted != NULL && (sktmp = sk_X509_dup(ctx->untrusted)) == NULL) {
OPENSSL_PUT_ERROR(X509, ERR_R_MALLOC_FAILURE);
ctx->error = X509_V_ERR_OUT_OF_MEM;
@@ -228,12 +224,12 @@
depth = param->depth;
for (;;) {
- /* If we have enough, we break */
+ // If we have enough, we break
if (depth < num) {
- break; /* FIXME: If this happens, we should take
- * note of it and, if appropriate, use the
- * X509_V_ERR_CERT_CHAIN_TOO_LONG error code
- * later. */
+ break; // FIXME: If this happens, we should take
+ // note of it and, if appropriate, use the
+ // X509_V_ERR_CERT_CHAIN_TOO_LONG error code
+ // later.
}
int is_self_signed;
@@ -242,30 +238,26 @@
goto end;
}
- /* If we are self signed, we break */
+ // If we are self signed, we break
if (is_self_signed) {
break;
}
- /*
- * If asked see if we can find issuer in trusted store first
- */
+ // If asked see if we can find issuer in trusted store first
if (ctx->param->flags & X509_V_FLAG_TRUSTED_FIRST) {
ok = ctx->get_issuer(&xtmp, ctx, x);
if (ok < 0) {
ctx->error = X509_V_ERR_STORE_LOOKUP;
goto end;
}
- /*
- * If successful for now free up cert so it will be picked up
- * again later.
- */
+ // If successful for now free up cert so it will be picked up
+ // again later.
if (ok > 0) {
X509_free(xtmp);
break;
}
}
- /* If we were passed a cert chain, use it first */
+ // If we were passed a cert chain, use it first
if (sktmp != NULL) {
xtmp = find_issuer(ctx, sktmp, x);
if (xtmp != NULL) {
@@ -280,27 +272,21 @@
ctx->last_untrusted++;
x = xtmp;
num++;
- /*
- * reparse the full chain for the next one
- */
+ // reparse the full chain for the next one
continue;
}
}
break;
}
- /* Remember how many untrusted certs we have */
+ // Remember how many untrusted certs we have
j = num;
- /*
- * at this point, chain should contain a list of untrusted certificates.
- * We now need to add at least one trusted one, if possible, otherwise we
- * complain.
- */
+ // at this point, chain should contain a list of untrusted certificates.
+ // We now need to add at least one trusted one, if possible, otherwise we
+ // complain.
do {
- /*
- * Examine last certificate in chain and see if it is self signed.
- */
+ // Examine last certificate in chain and see if it is self signed.
i = sk_X509_num(ctx->chain);
x = sk_X509_value(ctx->chain, i - 1);
@@ -311,13 +297,11 @@
}
if (is_self_signed) {
- /* we have a self signed certificate */
+ // we have a self signed certificate
if (sk_X509_num(ctx->chain) == 1) {
- /*
- * We have a single self signed certificate: see if we can
- * find it in the store. We must have an exact match to avoid
- * possible impersonation.
- */
+ // We have a single self signed certificate: see if we can
+ // find it in the store. We must have an exact match to avoid
+ // possible impersonation.
ok = ctx->get_issuer(&xtmp, ctx, x);
if ((ok <= 0) || X509_cmp(x, xtmp)) {
ctx->error = X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT;
@@ -332,19 +316,15 @@
goto end;
}
} else {
- /*
- * We have a match: replace certificate with store
- * version so we get any trust settings.
- */
+ // We have a match: replace certificate with store
+ // version so we get any trust settings.
X509_free(x);
x = xtmp;
(void)sk_X509_set(ctx->chain, i - 1, x);
ctx->last_untrusted = 0;
}
} else {
- /*
- * extract and save self signed certificate for later use
- */
+ // extract and save self signed certificate for later use
chain_ss = sk_X509_pop(ctx->chain);
ctx->last_untrusted--;
num--;
@@ -352,9 +332,9 @@
x = sk_X509_value(ctx->chain, num - 1);
}
}
- /* We now lookup certs from the certificate store */
+ // We now lookup certs from the certificate store
for (;;) {
- /* If we have enough, we break */
+ // If we have enough, we break
if (depth < num) {
break;
}
@@ -362,7 +342,7 @@
ctx->error = X509_V_ERR_INVALID_EXTENSION;
goto end;
}
- /* If we are self signed, we break */
+ // If we are self signed, we break
if (is_self_signed) {
break;
}
@@ -386,20 +366,18 @@
num++;
}
- /* we now have our chain, lets check it... */
+ // we now have our chain, lets check it...
trust = check_trust(ctx);
- /* If explicitly rejected error */
+ // If explicitly rejected error
if (trust == X509_TRUST_REJECTED) {
ok = 0;
goto end;
}
- /*
- * If it's not explicitly trusted then check if there is an alternative
- * chain that could be used. We only do this if we haven't already
- * checked via TRUSTED_FIRST and the user hasn't switched off alternate
- * chain checking
- */
+ // If it's not explicitly trusted then check if there is an alternative
+ // chain that could be used. We only do this if we haven't already
+ // checked via TRUSTED_FIRST and the user hasn't switched off alternate
+ // chain checking
retry = 0;
if (trust != X509_TRUST_TRUSTED &&
!(ctx->param->flags & X509_V_FLAG_TRUSTED_FIRST) &&
@@ -410,17 +388,13 @@
if (ok < 0) {
goto end;
}
- /* Check if we found an alternate chain */
+ // Check if we found an alternate chain
if (ok > 0) {
- /*
- * Free up the found cert we'll add it again later
- */
+ // Free up the found cert we'll add it again later
X509_free(xtmp);
- /*
- * Dump all the certs above this point - we've found an
- * alternate chain
- */
+ // Dump all the certs above this point - we've found an
+ // alternate chain
while (num > j) {
xtmp = sk_X509_pop(ctx->chain);
X509_free(xtmp);
@@ -434,11 +408,9 @@
}
} while (retry);
- /*
- * If not explicitly trusted then indicate error unless it's a single
- * self signed certificate in which case we've indicated an error already
- * and set bad_chain == 1
- */
+ // If not explicitly trusted then indicate error unless it's a single
+ // self signed certificate in which case we've indicated an error already
+ // and set bad_chain == 1
if (trust != X509_TRUST_TRUSTED && !bad_chain) {
if ((chain_ss == NULL) || !ctx->check_issued(ctx, x, chain_ss)) {
if (ctx->last_untrusted >= num) {
@@ -464,7 +436,7 @@
}
}
- /* We have the chain complete: now we need to check its purpose */
+ // We have the chain complete: now we need to check its purpose
ok = check_chain_extensions(ctx);
if (!ok) {
@@ -477,10 +449,8 @@
goto end;
}
- /*
- * Check revocation status: we do this after copying parameters because
- * they may be needed for CRL signature verification.
- */
+ // Check revocation status: we do this after copying parameters because
+ // they may be needed for CRL signature verification.
ok = ctx->check_revocation(ctx);
if (!ok) {
@@ -498,7 +468,7 @@
}
}
- /* At this point, we have a chain and need to verify it */
+ // At this point, we have a chain and need to verify it
if (ctx->verify != NULL) {
ok = ctx->verify(ctx);
} else {
@@ -508,14 +478,14 @@
goto end;
}
- /* Check name constraints */
+ // Check name constraints
ok = check_name_constraints(ctx);
if (!ok) {
goto end;
}
- /* If we get this far evaluate policies */
+ // If we get this far evaluate policies
if (!bad_chain && (ctx->param->flags & X509_V_FLAG_POLICY_CHECK)) {
ok = ctx->check_policy(ctx);
}
@@ -528,16 +498,14 @@
X509_free(chain_ss);
}
- /* Safety net, error returns must set ctx->error */
+ // Safety net, error returns must set ctx->error
if (ok <= 0 && ctx->error == X509_V_OK) {
ctx->error = X509_V_ERR_UNSPECIFIED;
}
return ok;
}
-/*
- * Given a STACK_OF(X509) find the issuer of cert (if any)
- */
+// Given a STACK_OF(X509) find the issuer of cert (if any)
static X509 *find_issuer(X509_STORE_CTX *ctx, STACK_OF(X509) *sk, X509 *x) {
size_t i;
@@ -551,7 +519,7 @@
return NULL;
}
-/* Given a possible certificate and issuer check them */
+// Given a possible certificate and issuer check them
static int check_issued(X509_STORE_CTX *ctx, X509 *x, X509 *issuer) {
int ret;
@@ -559,7 +527,7 @@
if (ret == X509_V_OK) {
return 1;
}
- /* If we haven't asked for issuer errors don't set ctx */
+ // If we haven't asked for issuer errors don't set ctx
if (!(ctx->param->flags & X509_V_FLAG_CB_ISSUER_CHECK)) {
return 0;
}
@@ -570,7 +538,7 @@
return ctx->verify_cb(0, ctx);
}
-/* Alternative lookup method: look from a STACK stored in other_ctx */
+// Alternative lookup method: look from a STACK stored in other_ctx
static int get_issuer_sk(X509 **issuer, X509_STORE_CTX *ctx, X509 *x) {
*issuer = find_issuer(ctx, ctx->other_ctx, x);
@@ -582,10 +550,8 @@
}
}
-/*
- * Check a certificate chains extensions for consistency with the supplied
- * purpose
- */
+// Check a certificate chains extensions for consistency with the supplied
+// purpose
static int check_chain_extensions(X509_STORE_CTX *ctx) {
int i, ok = 0, plen = 0;
@@ -602,7 +568,7 @@
must_not_be_ca,
} ca_requirement;
- /* CRL path validation */
+ // CRL path validation
if (ctx->parent) {
allow_proxy_certs = 0;
purpose = X509_PURPOSE_CRL_SIGN;
@@ -613,7 +579,7 @@
ca_requirement = ca_or_leaf;
- /* Check all untrusted certificates */
+ // Check all untrusted certificates
for (i = 0; i < ctx->last_untrusted; i++) {
int ret;
x = sk_X509_value(ctx->chain, i);
@@ -683,7 +649,7 @@
}
}
}
- /* Check pathlen if not self issued */
+ // Check pathlen if not self issued
if ((i > 1) && !(x->ex_flags & EXFLAG_SI) && (x->ex_pathlen != -1) &&
(plen > (x->ex_pathlen + proxy_path_length + 1))) {
ctx->error = X509_V_ERR_PATH_LENGTH_EXCEEDED;
@@ -694,15 +660,13 @@
goto end;
}
}
- /* Increment path length if not self issued */
+ // Increment path length if not self issued
if (!(x->ex_flags & EXFLAG_SI)) {
plen++;
}
- /*
- * If this certificate is a proxy certificate, the next certificate
- * must be another proxy certificate or a EE certificate. If not,
- * the next certificate must be a CA certificate.
- */
+ // If this certificate is a proxy certificate, the next certificate
+ // must be another proxy certificate or a EE certificate. If not,
+ // the next certificate must be a CA certificate.
if (x->ex_flags & EXFLAG_PROXY) {
if (x->ex_pcpathlen != -1 && i > x->ex_pcpathlen) {
ctx->error = X509_V_ERR_PROXY_PATH_LENGTH_EXCEEDED;
@@ -740,8 +704,8 @@
if (idlen < 0) {
return X509_V_ERR_OUT_OF_MEM;
}
- /* Only process attributes that look like host names. Note it is
- * important that this check be mirrored in |X509_check_host|. */
+ // Only process attributes that look like host names. Note it is
+ // important that this check be mirrored in |X509_check_host|.
int looks_like_dns = x509v3_looks_like_dns_name(idval, (size_t)idlen);
OPENSSL_free(idval);
if (looks_like_dns) {
@@ -753,19 +717,17 @@
static int check_name_constraints(X509_STORE_CTX *ctx) {
int i, j, rv;
int has_name_constraints = 0;
- /* Check name constraints for all certificates */
+ // Check name constraints for all certificates
for (i = sk_X509_num(ctx->chain) - 1; i >= 0; i--) {
X509 *x = sk_X509_value(ctx->chain, i);
- /* Ignore self issued certs unless last in chain */
+ // Ignore self issued certs unless last in chain
if (i && (x->ex_flags & EXFLAG_SI)) {
continue;
}
- /*
- * Check against constraints for all certificates higher in chain
- * including trust anchor. Trust anchor not strictly speaking needed
- * but if it includes constraints it is to be assumed it expects them
- * to be obeyed.
- */
+ // Check against constraints for all certificates higher in chain
+ // including trust anchor. Trust anchor not strictly speaking needed
+ // but if it includes constraints it is to be assumed it expects them
+ // to be obeyed.
for (j = sk_X509_num(ctx->chain) - 1; j > i; j--) {
NAME_CONSTRAINTS *nc = sk_X509_value(ctx->chain, j)->nc;
if (nc) {
@@ -790,16 +752,16 @@
}
}
- /* Name constraints do not match against the common name, but
- * |X509_check_host| still implements the legacy behavior where, on
- * certificates lacking a SAN list, DNS-like names in the common name are
- * checked instead.
- *
- * While we could apply the name constraints to the common name, name
- * constraints are rare enough that can hold such certificates to a higher
- * standard. Note this does not make "DNS-like" heuristic failures any
- * worse. A decorative common-name misidentified as a DNS name would fail
- * the name constraint anyway. */
+ // Name constraints do not match against the common name, but
+ // |X509_check_host| still implements the legacy behavior where, on
+ // certificates lacking a SAN list, DNS-like names in the common name are
+ // checked instead.
+ //
+ // While we could apply the name constraints to the common name, name
+ // constraints are rare enough that can hold such certificates to a higher
+ // standard. Note this does not make "DNS-like" heuristic failures any
+ // worse. A decorative common-name misidentified as a DNS name would fail
+ // the name constraint anyway.
X509 *leaf = sk_X509_value(ctx->chain, 0);
if (has_name_constraints && leaf->altname == NULL) {
rv = reject_dns_name_in_common_name(leaf);
@@ -879,18 +841,16 @@
size_t i;
int ok;
X509 *x = NULL;
- /* Check all trusted certificates in chain */
+ // Check all trusted certificates in chain
for (i = ctx->last_untrusted; i < sk_X509_num(ctx->chain); i++) {
x = sk_X509_value(ctx->chain, i);
ok = X509_check_trust(x, ctx->param->trust, 0);
- /* If explicitly trusted return trusted */
+ // If explicitly trusted return trusted
if (ok == X509_TRUST_TRUSTED) {
return X509_TRUST_TRUSTED;
}
- /*
- * If explicitly rejected notify callback and reject if not
- * overridden.
- */
+ // If explicitly rejected notify callback and reject if not
+ // overridden.
if (ok == X509_TRUST_REJECTED) {
ctx->error_depth = i;
ctx->current_cert = x;
@@ -901,10 +861,8 @@
}
}
}
- /*
- * If we accept partial chains and have at least one trusted certificate
- * return success.
- */
+ // If we accept partial chains and have at least one trusted certificate
+ // return success.
if (ctx->param->flags & X509_V_FLAG_PARTIAL_CHAIN) {
X509 *mx;
if (ctx->last_untrusted < (int)sk_X509_num(ctx->chain)) {
@@ -920,10 +878,8 @@
}
}
- /*
- * If no trusted certs in chain at all return untrusted and allow
- * standard (no issuer cert) etc errors to be indicated.
- */
+ // If no trusted certs in chain at all return untrusted and allow
+ // standard (no issuer cert) etc errors to be indicated.
return X509_TRUST_UNTRUSTED;
}
@@ -935,7 +891,7 @@
if (ctx->param->flags & X509_V_FLAG_CRL_CHECK_ALL) {
last = sk_X509_num(ctx->chain) - 1;
} else {
- /* If checking CRL paths this isn't the EE certificate */
+ // If checking CRL paths this isn't the EE certificate
if (ctx->parent) {
return 1;
}
@@ -964,15 +920,13 @@
ctx->current_reasons = 0;
while (ctx->current_reasons != CRLDP_ALL_REASONS) {
last_reasons = ctx->current_reasons;
- /* Try to retrieve relevant CRL */
+ // Try to retrieve relevant CRL
if (ctx->get_crl) {
ok = ctx->get_crl(ctx, &crl, x);
} else {
ok = get_crl_delta(ctx, &crl, &dcrl, x);
}
- /*
- * If error looking up CRL, nothing we can do except notify callback
- */
+ // If error looking up CRL, nothing we can do except notify callback
if (!ok) {
ctx->error = X509_V_ERR_UNABLE_TO_GET_CRL;
ok = ctx->verify_cb(0, ctx);
@@ -997,7 +951,7 @@
ok = 1;
}
- /* Don't look in full CRL if delta reason is removefromCRL */
+ // Don't look in full CRL if delta reason is removefromCRL
if (ok != 2) {
ok = ctx->cert_crl(ctx, crl, x);
if (!ok) {
@@ -1009,10 +963,8 @@
X509_CRL_free(dcrl);
crl = NULL;
dcrl = NULL;
- /*
- * If reasons not updated we wont get anywhere by another iteration,
- * so exit loop.
- */
+ // If reasons not updated we wont get anywhere by another iteration,
+ // so exit loop.
if (last_reasons == ctx->current_reasons) {
ctx->error = X509_V_ERR_UNABLE_TO_GET_CRL;
ok = ctx->verify_cb(0, ctx);
@@ -1027,7 +979,7 @@
return ok;
}
-/* Check CRL times against values in X509_STORE_CTX */
+// Check CRL times against values in X509_STORE_CTX
static int check_crl_time(X509_STORE_CTX *ctx, X509_CRL *crl, int notify) {
time_t *ptime;
@@ -1074,7 +1026,7 @@
return 0;
}
}
- /* Ignore expiry of base CRL is delta is valid */
+ // Ignore expiry of base CRL is delta is valid
if ((i < 0) && !(ctx->current_crl_score & CRL_SCORE_TIME_DELTA)) {
if (!notify) {
return 0;
@@ -1110,17 +1062,15 @@
if (crl_score < best_score || crl_score == 0) {
continue;
}
- /* If current CRL is equivalent use it if it is newer */
+ // If current CRL is equivalent use it if it is newer
if (crl_score == best_score && best_crl != NULL) {
int day, sec;
if (ASN1_TIME_diff(&day, &sec, X509_CRL_get0_lastUpdate(best_crl),
X509_CRL_get0_lastUpdate(crl)) == 0) {
continue;
}
- /*
- * ASN1_TIME_diff never returns inconsistent signs for |day|
- * and |sec|.
- */
+ // ASN1_TIME_diff never returns inconsistent signs for |day|
+ // and |sec|.
if (day <= 0 && sec <= 0) {
continue;
}
@@ -1154,17 +1104,15 @@
return 0;
}
-/*
- * Compare two CRL extensions for delta checking purposes. They should be
- * both present or both absent. If both present all fields must be identical.
- */
+// Compare two CRL extensions for delta checking purposes. They should be
+// both present or both absent. If both present all fields must be identical.
static int crl_extension_match(X509_CRL *a, X509_CRL *b, int nid) {
ASN1_OCTET_STRING *exta, *extb;
int i;
i = X509_CRL_get_ext_by_NID(a, nid, -1);
if (i >= 0) {
- /* Can't have multiple occurrences */
+ // Can't have multiple occurrences
if (X509_CRL_get_ext_by_NID(a, nid, i) != -1) {
return 0;
}
@@ -1199,43 +1147,41 @@
return 1;
}
-/* See if a base and delta are compatible */
+// See if a base and delta are compatible
static int check_delta_base(X509_CRL *delta, X509_CRL *base) {
- /* Delta CRL must be a delta */
+ // Delta CRL must be a delta
if (!delta->base_crl_number) {
return 0;
}
- /* Base must have a CRL number */
+ // Base must have a CRL number
if (!base->crl_number) {
return 0;
}
- /* Issuer names must match */
+ // Issuer names must match
if (X509_NAME_cmp(X509_CRL_get_issuer(base), X509_CRL_get_issuer(delta))) {
return 0;
}
- /* AKID and IDP must match */
+ // AKID and IDP must match
if (!crl_extension_match(delta, base, NID_authority_key_identifier)) {
return 0;
}
if (!crl_extension_match(delta, base, NID_issuing_distribution_point)) {
return 0;
}
- /* Delta CRL base number must not exceed Full CRL number. */
+ // Delta CRL base number must not exceed Full CRL number.
if (ASN1_INTEGER_cmp(delta->base_crl_number, base->crl_number) > 0) {
return 0;
}
- /* Delta CRL number must exceed full CRL number */
+ // Delta CRL number must exceed full CRL number
if (ASN1_INTEGER_cmp(delta->crl_number, base->crl_number) > 0) {
return 1;
}
return 0;
}
-/*
- * For a given base CRL find a delta... maybe extend to delta scoring or
- * retrieve a chain of deltas...
- */
+// For a given base CRL find a delta... maybe extend to delta scoring or
+// retrieve a chain of deltas...
static void get_delta_sk(X509_STORE_CTX *ctx, X509_CRL **dcrl, int *pscore,
X509_CRL *base, STACK_OF(X509_CRL) *crls) {
@@ -1261,41 +1207,39 @@
*dcrl = NULL;
}
-/*
- * For a given CRL return how suitable it is for the supplied certificate
- * 'x'. The return value is a mask of several criteria. If the issuer is not
- * the certificate issuer this is returned in *pissuer. The reasons mask is
- * also used to determine if the CRL is suitable: if no new reasons the CRL
- * is rejected, otherwise reasons is updated.
- */
+// For a given CRL return how suitable it is for the supplied certificate
+// 'x'. The return value is a mask of several criteria. If the issuer is not
+// the certificate issuer this is returned in *pissuer. The reasons mask is
+// also used to determine if the CRL is suitable: if no new reasons the CRL
+// is rejected, otherwise reasons is updated.
static int get_crl_score(X509_STORE_CTX *ctx, X509 **pissuer,
unsigned int *preasons, X509_CRL *crl, X509 *x) {
int crl_score = 0;
unsigned int tmp_reasons = *preasons, crl_reasons;
- /* First see if we can reject CRL straight away */
+ // First see if we can reject CRL straight away
- /* Invalid IDP cannot be processed */
+ // Invalid IDP cannot be processed
if (crl->idp_flags & IDP_INVALID) {
return 0;
}
- /* Reason codes or indirect CRLs need extended CRL support */
+ // Reason codes or indirect CRLs need extended CRL support
if (!(ctx->param->flags & X509_V_FLAG_EXTENDED_CRL_SUPPORT)) {
if (crl->idp_flags & (IDP_INDIRECT | IDP_REASONS)) {
return 0;
}
} else if (crl->idp_flags & IDP_REASONS) {
- /* If no new reasons reject */
+ // If no new reasons reject
if (!(crl->idp_reasons & ~tmp_reasons)) {
return 0;
}
}
- /* Don't process deltas at this stage */
+ // Don't process deltas at this stage
else if (crl->base_crl_number) {
return 0;
}
- /* If issuer name doesn't match certificate need indirect CRL */
+ // If issuer name doesn't match certificate need indirect CRL
if (X509_NAME_cmp(X509_get_issuer_name(x), X509_CRL_get_issuer(crl))) {
if (!(crl->idp_flags & IDP_INDIRECT)) {
return 0;
@@ -1308,24 +1252,24 @@
crl_score |= CRL_SCORE_NOCRITICAL;
}
- /* Check expiry */
+ // Check expiry
if (check_crl_time(ctx, crl, 0)) {
crl_score |= CRL_SCORE_TIME;
}
- /* Check authority key ID and locate certificate issuer */
+ // Check authority key ID and locate certificate issuer
crl_akid_check(ctx, crl, pissuer, &crl_score);
- /* If we can't locate certificate issuer at this point forget it */
+ // If we can't locate certificate issuer at this point forget it
if (!(crl_score & CRL_SCORE_AKID)) {
return 0;
}
- /* Check cert for matching CRL distribution points */
+ // Check cert for matching CRL distribution points
if (crl_crldp_check(x, crl, crl_score, &crl_reasons)) {
- /* If no new reasons reject */
+ // If no new reasons reject
if (!(crl_reasons & ~tmp_reasons)) {
return 0;
}
@@ -1371,16 +1315,14 @@
}
}
- /* Anything else needs extended CRL support */
+ // Anything else needs extended CRL support
if (!(ctx->param->flags & X509_V_FLAG_EXTENDED_CRL_SUPPORT)) {
return;
}
- /*
- * Otherwise the CRL issuer is not on the path. Look for it in the set of
- * untrusted certificates.
- */
+ // Otherwise the CRL issuer is not on the path. Look for it in the set of
+ // untrusted certificates.
for (i = 0; i < sk_X509_num(ctx->untrusted); i++) {
crl_issuer = sk_X509_value(ctx->untrusted, i);
if (X509_NAME_cmp(X509_get_subject_name(crl_issuer), cnm)) {
@@ -1394,17 +1336,15 @@
}
}
-/*
- * Check the path of a CRL issuer certificate. This creates a new
- * X509_STORE_CTX and populates it with most of the parameters from the
- * parent. This could be optimised somewhat since a lot of path checking will
- * be duplicated by the parent, but this will rarely be used in practice.
- */
+// Check the path of a CRL issuer certificate. This creates a new
+// X509_STORE_CTX and populates it with most of the parameters from the
+// parent. This could be optimised somewhat since a lot of path checking will
+// be duplicated by the parent, but this will rarely be used in practice.
static int check_crl_path(X509_STORE_CTX *ctx, X509 *x) {
X509_STORE_CTX crl_ctx;
int ret;
- /* Don't allow recursive CRL path validation */
+ // Don't allow recursive CRL path validation
if (ctx->parent) {
return 0;
}
@@ -1413,20 +1353,20 @@
}
crl_ctx.crls = ctx->crls;
- /* Copy verify params across */
+ // Copy verify params across
X509_STORE_CTX_set0_param(&crl_ctx, ctx->param);
crl_ctx.parent = ctx;
crl_ctx.verify_cb = ctx->verify_cb;
- /* Verify CRL issuer */
+ // Verify CRL issuer
ret = X509_verify_cert(&crl_ctx);
if (ret <= 0) {
goto err;
}
- /* Check chain is acceptable */
+ // Check chain is acceptable
ret = check_crl_chain(ctx, ctx->chain, crl_ctx.chain);
err:
@@ -1434,14 +1374,12 @@
return ret;
}
-/*
- * RFC 3280 says nothing about the relationship between CRL path and
- * certificate path, which could lead to situations where a certificate could
- * be revoked or validated by a CA not authorised to do so. RFC 5280 is more
- * strict and states that the two paths must end in the same trust anchor,
- * though some discussions remain... until this is resolved we use the
- * RFC 5280 version
- */
+// RFC 3280 says nothing about the relationship between CRL path and
+// certificate path, which could lead to situations where a certificate could
+// be revoked or validated by a CA not authorised to do so. RFC 5280 is more
+// strict and states that the two paths must end in the same trust anchor,
+// though some discussions remain... until this is resolved we use the
+// RFC 5280 version
static int check_crl_chain(X509_STORE_CTX *ctx, STACK_OF(X509) *cert_path,
STACK_OF(X509) *crl_path) {
@@ -1454,12 +1392,10 @@
return 0;
}
-/*
- * Check for match between two dist point names: three separate cases. 1.
- * Both are relative names and compare X509_NAME types. 2. One full, one
- * relative. Compare X509_NAME to GENERAL_NAMES. 3. Both are full names and
- * compare two GENERAL_NAMES. 4. One is NULL: automatic match.
- */
+// Check for match between two dist point names: three separate cases. 1.
+// Both are relative names and compare X509_NAME types. 2. One full, one
+// relative. Compare X509_NAME to GENERAL_NAMES. 3. Both are full names and
+// compare two GENERAL_NAMES. 4. One is NULL: automatic match.
static int idp_check_dp(DIST_POINT_NAME *a, DIST_POINT_NAME *b) {
X509_NAME *nm = NULL;
@@ -1473,7 +1409,7 @@
if (!a->dpname) {
return 0;
}
- /* Case 1: two X509_NAME */
+ // Case 1: two X509_NAME
if (b->type == 1) {
if (!b->dpname) {
return 0;
@@ -1484,19 +1420,19 @@
return 0;
}
}
- /* Case 2: set name and GENERAL_NAMES appropriately */
+ // Case 2: set name and GENERAL_NAMES appropriately
nm = a->dpname;
gens = b->name.fullname;
} else if (b->type == 1) {
if (!b->dpname) {
return 0;
}
- /* Case 2: set name and GENERAL_NAMES appropriately */
+ // Case 2: set name and GENERAL_NAMES appropriately
gens = a->name.fullname;
nm = b->dpname;
}
- /* Handle case 2 with one GENERAL_NAMES and one X509_NAME */
+ // Handle case 2 with one GENERAL_NAMES and one X509_NAME
if (nm) {
for (i = 0; i < sk_GENERAL_NAME_num(gens); i++) {
gena = sk_GENERAL_NAME_value(gens, i);
@@ -1510,7 +1446,7 @@
return 0;
}
- /* Else case 3: two GENERAL_NAMES */
+ // Else case 3: two GENERAL_NAMES
for (i = 0; i < sk_GENERAL_NAME_num(a->name.fullname); i++) {
gena = sk_GENERAL_NAME_value(a->name.fullname, i);
@@ -1528,7 +1464,7 @@
static int crldp_check_crlissuer(DIST_POINT *dp, X509_CRL *crl, int crl_score) {
size_t i;
X509_NAME *nm = X509_CRL_get_issuer(crl);
- /* If no CRLissuer return is successful iff don't need a match */
+ // If no CRLissuer return is successful iff don't need a match
if (!dp->CRLissuer) {
return !!(crl_score & CRL_SCORE_ISSUER_NAME);
}
@@ -1544,7 +1480,7 @@
return 0;
}
-/* Check CRLDP and IDP */
+// Check CRLDP and IDP
static int crl_crldp_check(X509 *x, X509_CRL *crl, int crl_score,
unsigned int *preasons) {
@@ -1578,10 +1514,8 @@
return 0;
}
-/*
- * Retrieve CRL corresponding to current certificate. If deltas enabled try
- * to find a delta CRL too
- */
+// Retrieve CRL corresponding to current certificate. If deltas enabled try
+// to find a delta CRL too
static int get_crl_delta(X509_STORE_CTX *ctx, X509_CRL **pcrl, X509_CRL **pdcrl,
X509 *x) {
@@ -1599,11 +1533,11 @@
goto done;
}
- /* Lookup CRLs from store */
+ // Lookup CRLs from store
skcrl = ctx->lookup_crls(ctx, nm);
- /* If no CRLs found and a near match from get_crl_sk use that */
+ // If no CRLs found and a near match from get_crl_sk use that
if (!skcrl && crl) {
goto done;
}
@@ -1614,7 +1548,7 @@
done:
- /* If we got any kind of CRL use it and return success */
+ // If we got any kind of CRL use it and return success
if (crl) {
ctx->current_issuer = issuer;
ctx->current_crl_score = crl_score;
@@ -1627,27 +1561,25 @@
return 0;
}
-/* Check CRL validity */
+// Check CRL validity
static int check_crl(X509_STORE_CTX *ctx, X509_CRL *crl) {
X509 *issuer = NULL;
EVP_PKEY *ikey = NULL;
int ok = 0, chnum, cnum;
cnum = ctx->error_depth;
chnum = sk_X509_num(ctx->chain) - 1;
- /* if we have an alternative CRL issuer cert use that */
+ // if we have an alternative CRL issuer cert use that
if (ctx->current_issuer) {
issuer = ctx->current_issuer;
}
- /*
- * Else find CRL issuer: if not last certificate then issuer is next
- * certificate in chain.
- */
+ // Else find CRL issuer: if not last certificate then issuer is next
+ // certificate in chain.
else if (cnum < chnum) {
issuer = sk_X509_value(ctx->chain, cnum + 1);
} else {
issuer = sk_X509_value(ctx->chain, chnum);
- /* If not self signed, can't check signature */
+ // If not self signed, can't check signature
if (!ctx->check_issued(ctx, issuer, issuer)) {
ctx->error = X509_V_ERR_UNABLE_TO_GET_CRL_ISSUER;
ok = ctx->verify_cb(0, ctx);
@@ -1658,11 +1590,9 @@
}
if (issuer) {
- /*
- * Skip most tests for deltas because they have already been done
- */
+ // Skip most tests for deltas because they have already been done
if (!crl->base_crl_number) {
- /* Check for cRLSign bit if keyUsage present */
+ // Check for cRLSign bit if keyUsage present
if ((issuer->ex_flags & EXFLAG_KUSAGE) &&
!(issuer->ex_kusage & KU_CRL_SIGN)) {
ctx->error = X509_V_ERR_KEYUSAGE_NO_CRL_SIGN;
@@ -1706,7 +1636,7 @@
}
}
- /* Attempt to get issuer certificate public key */
+ // Attempt to get issuer certificate public key
ikey = X509_get_pubkey(issuer);
if (!ikey) {
@@ -1725,7 +1655,7 @@
goto err;
}
}
- /* Verify CRL signature */
+ // Verify CRL signature
if (X509_CRL_verify(crl, ikey) <= 0) {
ctx->error = X509_V_ERR_CRL_SIGNATURE_FAILURE;
ok = ctx->verify_cb(0, ctx);
@@ -1743,16 +1673,14 @@
return ok;
}
-/* Check certificate against CRL */
+// Check certificate against CRL
static int cert_crl(X509_STORE_CTX *ctx, X509_CRL *crl, X509 *x) {
int ok;
X509_REVOKED *rev;
- /*
- * The rules changed for this... previously if a CRL contained unhandled
- * critical extensions it could still be used to indicate a certificate
- * was revoked. This has since been changed since critical extension can
- * change the meaning of CRL entries.
- */
+ // The rules changed for this... previously if a CRL contained unhandled
+ // critical extensions it could still be used to indicate a certificate
+ // was revoked. This has since been changed since critical extension can
+ // change the meaning of CRL entries.
if (!(ctx->param->flags & X509_V_FLAG_IGNORE_CRITICAL) &&
(crl->flags & EXFLAG_CRITICAL)) {
ctx->error = X509_V_ERR_UNHANDLED_CRITICAL_CRL_EXTENSION;
@@ -1761,10 +1689,8 @@
return 0;
}
}
- /*
- * Look for serial number of certificate in CRL If found make sure reason
- * is not removeFromCRL.
- */
+ // Look for serial number of certificate in CRL If found make sure reason
+ // is not removeFromCRL.
if (X509_CRL_get0_by_cert(crl, &rev, x)) {
if (rev->reason == CRL_REASON_REMOVE_FROM_CRL) {
return 2;
@@ -1791,11 +1717,9 @@
ctx->error = X509_V_ERR_OUT_OF_MEM;
return 0;
}
- /* Invalid or inconsistent extensions */
+ // Invalid or inconsistent extensions
if (ret == -1) {
- /*
- * Locate certificates with bad extensions and notify callback.
- */
+ // Locate certificates with bad extensions and notify callback.
X509 *x;
size_t i;
for (i = 1; i < sk_X509_num(ctx->chain); i++) {
@@ -1819,12 +1743,10 @@
if (ctx->param->flags & X509_V_FLAG_NOTIFY_POLICY) {
ctx->current_cert = NULL;
- /*
- * Verification errors need to be "sticky", a callback may have allowed
- * an SSL handshake to continue despite an error, and we must then
- * remain in an error state. Therefore, we MUST NOT clear earlier
- * verification errors by setting the error to X509_V_OK.
- */
+ // Verification errors need to be "sticky", a callback may have allowed
+ // an SSL handshake to continue despite an error, and we must then
+ // remain in an error state. Therefore, we MUST NOT clear earlier
+ // verification errors by setting the error to X509_V_OK.
if (!ctx->verify_cb(2, ctx)) {
return 0;
}
@@ -1909,15 +1831,13 @@
}
}
- /* ctx->error=0; not needed */
+ // ctx->error=0; not needed
while (n >= 0) {
ctx->error_depth = n;
- /*
- * Skip signature check for self signed certificates unless
- * explicitly asked for. It doesn't add any security and just wastes
- * time.
- */
+ // Skip signature check for self signed certificates unless
+ // explicitly asked for. It doesn't add any security and just wastes
+ // time.
if (xs != xi || (ctx->param->flags & X509_V_FLAG_CHECK_SS_SIGNATURE)) {
if ((pkey = X509_get_pubkey(xi)) == NULL) {
ctx->error = X509_V_ERR_UNABLE_TO_DECODE_ISSUER_PUBLIC_KEY;
@@ -1945,7 +1865,7 @@
goto end;
}
- /* The last error (if any) is still in the error value */
+ // The last error (if any) is still in the error value
ctx->current_issuer = xi;
ctx->current_cert = xs;
ok = ctx->verify_cb(1, ctx);
@@ -1974,17 +1894,15 @@
ASN1_TIME *asn1_cmp_time = NULL;
int i, day, sec, ret = 0;
- /*
- * Note that ASN.1 allows much more slack in the time format than RFC 5280.
- * In RFC 5280, the representation is fixed:
- * UTCTime: YYMMDDHHMMSSZ
- * GeneralizedTime: YYYYMMDDHHMMSSZ
- *
- * We do NOT currently enforce the following RFC 5280 requirement:
- * "CAs conforming to this profile MUST always encode certificate
- * validity dates through the year 2049 as UTCTime; certificate validity
- * dates in 2050 or later MUST be encoded as GeneralizedTime."
- */
+ // Note that ASN.1 allows much more slack in the time format than RFC 5280.
+ // In RFC 5280, the representation is fixed:
+ // UTCTime: YYMMDDHHMMSSZ
+ // GeneralizedTime: YYYYMMDDHHMMSSZ
+ //
+ // We do NOT currently enforce the following RFC 5280 requirement:
+ // "CAs conforming to this profile MUST always encode certificate
+ // validity dates through the year 2049 as UTCTime; certificate validity
+ // dates in 2050 or later MUST be encoded as GeneralizedTime."
switch (ctm->type) {
case V_ASN1_UTCTIME:
if (ctm->length != (int)(utctime_length)) {
@@ -2000,11 +1918,10 @@
return 0;
}
- /**
- * Verify the format: the ASN.1 functions we use below allow a more
- * flexible format than what's mandated by RFC 5280.
- * Digit and date ranges will be verified in the conversion methods.
- */
+ //*
+ // Verify the format: the ASN.1 functions we use below allow a more
+ // flexible format than what's mandated by RFC 5280.
+ // Digit and date ranges will be verified in the conversion methods.
for (i = 0; i < ctm->length - 1; i++) {
if (!isdigit(ctm->data[i])) {
return 0;
@@ -2014,11 +1931,9 @@
return 0;
}
- /*
- * There is ASN1_UTCTIME_cmp_time_t but no
- * ASN1_GENERALIZEDTIME_cmp_time_t or ASN1_TIME_cmp_time_t,
- * so we go through ASN.1
- */
+ // There is ASN1_UTCTIME_cmp_time_t but no
+ // ASN1_GENERALIZEDTIME_cmp_time_t or ASN1_TIME_cmp_time_t,
+ // so we go through ASN.1
asn1_cmp_time = X509_time_adj(NULL, 0, cmp_time);
if (asn1_cmp_time == NULL) {
goto err;
@@ -2027,10 +1942,8 @@
goto err;
}
- /*
- * X509_cmp_time comparison is <=.
- * The return value 0 is reserved for errors.
- */
+ // X509_cmp_time comparison is <=.
+ // The return value 0 is reserved for errors.
ret = (day >= 0 && sec >= 0) ? -1 : 1;
err:
@@ -2059,7 +1972,7 @@
return ASN1_TIME_adj(s, t, offset_day, offset_sec);
}
-/* Make a delta CRL as the diff between two full CRLs */
+// Make a delta CRL as the diff between two full CRLs
X509_CRL *X509_CRL_diff(X509_CRL *base, X509_CRL *newer, EVP_PKEY *skey,
const EVP_MD *md, unsigned int flags) {
@@ -2067,22 +1980,22 @@
int i;
size_t j;
STACK_OF(X509_REVOKED) *revs = NULL;
- /* CRLs can't be delta already */
+ // CRLs can't be delta already
if (base->base_crl_number || newer->base_crl_number) {
OPENSSL_PUT_ERROR(X509, X509_R_CRL_ALREADY_DELTA);
return NULL;
}
- /* Base and new CRL must have a CRL number */
+ // Base and new CRL must have a CRL number
if (!base->crl_number || !newer->crl_number) {
OPENSSL_PUT_ERROR(X509, X509_R_NO_CRL_NUMBER);
return NULL;
}
- /* Issuer names must match */
+ // Issuer names must match
if (X509_NAME_cmp(X509_CRL_get_issuer(base), X509_CRL_get_issuer(newer))) {
OPENSSL_PUT_ERROR(X509, X509_R_ISSUER_MISMATCH);
return NULL;
}
- /* AKID and IDP must match */
+ // AKID and IDP must match
if (!crl_extension_match(base, newer, NID_authority_key_identifier)) {
OPENSSL_PUT_ERROR(X509, X509_R_AKID_MISMATCH);
return NULL;
@@ -2091,23 +2004,23 @@
OPENSSL_PUT_ERROR(X509, X509_R_IDP_MISMATCH);
return NULL;
}
- /* Newer CRL number must exceed full CRL number */
+ // Newer CRL number must exceed full CRL number
if (ASN1_INTEGER_cmp(newer->crl_number, base->crl_number) <= 0) {
OPENSSL_PUT_ERROR(X509, X509_R_NEWER_CRL_NOT_NEWER);
return NULL;
}
- /* CRLs must verify */
+ // CRLs must verify
if (skey &&
(X509_CRL_verify(base, skey) <= 0 || X509_CRL_verify(newer, skey) <= 0)) {
OPENSSL_PUT_ERROR(X509, X509_R_CRL_VERIFY_FAILURE);
return NULL;
}
- /* Create new CRL */
+ // Create new CRL
crl = X509_CRL_new();
if (!crl || !X509_CRL_set_version(crl, X509_CRL_VERSION_2)) {
goto memerr;
}
- /* Set issuer name */
+ // Set issuer name
if (!X509_CRL_set_issuer_name(crl, X509_CRL_get_issuer(newer))) {
goto memerr;
}
@@ -2119,16 +2032,14 @@
goto memerr;
}
- /* Set base CRL number: must be critical */
+ // Set base CRL number: must be critical
if (!X509_CRL_add1_ext_i2d(crl, NID_delta_crl, base->crl_number, 1, 0)) {
goto memerr;
}
- /*
- * Copy extensions across from newest CRL to delta: this will set CRL
- * number to correct value too.
- */
+ // Copy extensions across from newest CRL to delta: this will set CRL
+ // number to correct value too.
for (i = 0; i < X509_CRL_get_ext_count(newer); i++) {
X509_EXTENSION *ext;
@@ -2138,17 +2049,15 @@
}
}
- /* Go through revoked entries, copying as needed */
+ // Go through revoked entries, copying as needed
revs = X509_CRL_get_REVOKED(newer);
for (j = 0; j < sk_X509_REVOKED_num(revs); j++) {
X509_REVOKED *rvn, *rvtmp;
rvn = sk_X509_REVOKED_value(revs, j);
- /*
- * Add only if not also in base. TODO: need something cleverer here
- * for some more complex CRLs covering multiple CAs.
- */
+ // Add only if not also in base. TODO: need something cleverer here
+ // for some more complex CRLs covering multiple CAs.
if (!X509_CRL_get0_by_serial(base, &rvtmp, rvn->serialNumber)) {
rvtmp = X509_REVOKED_dup(rvn);
if (!rvtmp) {
@@ -2160,7 +2069,7 @@
}
}
}
- /* TODO: optionally prune deleted entries */
+ // TODO: optionally prune deleted entries
if (skey && md && !X509_CRL_sign(crl, skey, md)) {
goto memerr;
@@ -2180,10 +2089,8 @@
CRYPTO_EX_unused *unused,
CRYPTO_EX_dup *dup_unused,
CRYPTO_EX_free *free_func) {
- /*
- * This function is (usually) called only once, by
- * SSL_get_ex_data_X509_STORE_CTX_idx (ssl/ssl_cert.c).
- */
+ // This function is (usually) called only once, by
+ // SSL_get_ex_data_X509_STORE_CTX_idx (ssl/ssl_cert.c).
int index;
if (!CRYPTO_get_ex_new_index(&g_ex_data_class, &index, argl, argp,
free_func)) {
@@ -2263,25 +2170,23 @@
return X509_STORE_CTX_purpose_inherit(ctx, 0, 0, trust);
}
-/*
- * This function is used to set the X509_STORE_CTX purpose and trust values.
- * This is intended to be used when another structure has its own trust and
- * purpose values which (if set) will be inherited by the ctx. If they aren't
- * set then we will usually have a default purpose in mind which should then
- * be used to set the trust value. An example of this is SSL use: an SSL
- * structure will have its own purpose and trust settings which the
- * application can set: if they aren't set then we use the default of SSL
- * client/server.
- */
+// This function is used to set the X509_STORE_CTX purpose and trust values.
+// This is intended to be used when another structure has its own trust and
+// purpose values which (if set) will be inherited by the ctx. If they aren't
+// set then we will usually have a default purpose in mind which should then
+// be used to set the trust value. An example of this is SSL use: an SSL
+// structure will have its own purpose and trust settings which the
+// application can set: if they aren't set then we use the default of SSL
+// client/server.
int X509_STORE_CTX_purpose_inherit(X509_STORE_CTX *ctx, int def_purpose,
int purpose, int trust) {
int idx;
- /* If purpose not set use default */
+ // If purpose not set use default
if (!purpose) {
purpose = def_purpose;
}
- /* If we have a purpose then check it is valid */
+ // If we have a purpose then check it is valid
if (purpose) {
X509_PURPOSE *ptmp;
idx = X509_PURPOSE_get_by_id(purpose);
@@ -2298,7 +2203,7 @@
}
ptmp = X509_PURPOSE_get0(idx);
}
- /* If trust not set then get from purpose default */
+ // If trust not set then get from purpose default
if (!trust) {
trust = ptmp->trust;
}
@@ -2362,9 +2267,7 @@
goto err;
}
- /*
- * Inherit callbacks and flags from X509_STORE.
- */
+ // Inherit callbacks and flags from X509_STORE.
ctx->verify_cb = store->verify_cb;
ctx->cleanup = store->cleanup;
@@ -2450,10 +2353,8 @@
return 0;
}
-/*
- * Set alternative lookup method: just a STACK of trusted certificates. This
- * avoids X509_STORE nastiness where it isn't needed.
- */
+// Set alternative lookup method: just a STACK of trusted certificates. This
+// avoids X509_STORE nastiness where it isn't needed.
void X509_STORE_CTX_trusted_stack(X509_STORE_CTX *ctx, STACK_OF(X509) *sk) {
ctx->other_ctx = sk;
@@ -2461,8 +2362,8 @@
}
void X509_STORE_CTX_cleanup(X509_STORE_CTX *ctx) {
- /* We need to be idempotent because, unfortunately, |X509_STORE_CTX_free|
- * also calls this function. */
+ // We need to be idempotent because, unfortunately, |X509_STORE_CTX_free|
+ // also calls this function.
if (ctx->cleanup != NULL) {
ctx->cleanup(ctx);
ctx->cleanup = NULL;
diff --git a/crypto/x509/x509_vpm.c b/crypto/x509/x509_vpm.c
index 9555c56..e594033 100644
--- a/crypto/x509/x509_vpm.c
+++ b/crypto/x509/x509_vpm.c
@@ -67,7 +67,7 @@
#include "internal.h"
-/* X509_VERIFY_PARAM functions */
+// X509_VERIFY_PARAM functions
#define SET_HOST 0
#define ADD_HOST 1
@@ -87,10 +87,8 @@
return 0;
}
- /*
- * Refuse names with embedded NUL bytes.
- * XXX: Do we need to push an error onto the error stack?
- */
+ // Refuse names with embedded NUL bytes.
+ // XXX: Do we need to push an error onto the error stack?
if (name && OPENSSL_memchr(name, '\0', namelen)) {
return 0;
}
@@ -130,9 +128,7 @@
param->name = NULL;
param->purpose = 0;
param->trust = 0;
- /*
- * param->inh_flags = X509_VP_FLAG_DEFAULT;
- */
+ // param->inh_flags = X509_VP_FLAG_DEFAULT;
param->inh_flags = 0;
param->flags = 0;
param->depth = -1;
@@ -180,45 +176,44 @@
OPENSSL_free(param);
}
-/*-
- * This function determines how parameters are "inherited" from one structure
- * to another. There are several different ways this can happen.
- *
- * 1. If a child structure needs to have its values initialized from a parent
- * they are simply copied across. For example SSL_CTX copied to SSL.
- * 2. If the structure should take on values only if they are currently unset.
- * For example the values in an SSL structure will take appropriate value
- * for SSL servers or clients but only if the application has not set new
- * ones.
- *
- * The "inh_flags" field determines how this function behaves.
- *
- * Normally any values which are set in the default are not copied from the
- * destination and verify flags are ORed together.
- *
- * If X509_VP_FLAG_DEFAULT is set then anything set in the source is copied
- * to the destination. Effectively the values in "to" become default values
- * which will be used only if nothing new is set in "from".
- *
- * If X509_VP_FLAG_OVERWRITE is set then all value are copied across whether
- * they are set or not. Flags is still Ored though.
- *
- * If X509_VP_FLAG_RESET_FLAGS is set then the flags value is copied instead
- * of ORed.
- *
- * If X509_VP_FLAG_LOCKED is set then no values are copied.
- *
- * If X509_VP_FLAG_ONCE is set then the current inh_flags setting is zeroed
- * after the next call.
- */
+//-
+// This function determines how parameters are "inherited" from one structure
+// to another. There are several different ways this can happen.
+//
+// 1. If a child structure needs to have its values initialized from a parent
+// they are simply copied across. For example SSL_CTX copied to SSL.
+// 2. If the structure should take on values only if they are currently unset.
+// For example the values in an SSL structure will take appropriate value
+// for SSL servers or clients but only if the application has not set new
+// ones.
+//
+// The "inh_flags" field determines how this function behaves.
+//
+// Normally any values which are set in the default are not copied from the
+// destination and verify flags are ORed together.
+//
+// If X509_VP_FLAG_DEFAULT is set then anything set in the source is copied
+// to the destination. Effectively the values in "to" become default values
+// which will be used only if nothing new is set in "from".
+//
+// If X509_VP_FLAG_OVERWRITE is set then all value are copied across whether
+// they are set or not. Flags is still Ored though.
+//
+// If X509_VP_FLAG_RESET_FLAGS is set then the flags value is copied instead
+// of ORed.
+//
+// If X509_VP_FLAG_LOCKED is set then no values are copied.
+//
+// If X509_VP_FLAG_ONCE is set then the current inh_flags setting is zeroed
+// after the next call.
-/* Macro to test if a field should be copied from src to dest */
+// Macro to test if a field should be copied from src to dest
#define test_x509_verify_param_copy(field, def) \
(to_overwrite || \
((src->field != (def)) && (to_default || (dest->field == (def)))))
-/* Macro to test and copy a field if necessary */
+// Macro to test and copy a field if necessary
#define x509_verify_param_copy(field, def) \
if (test_x509_verify_param_copy(field, def)) \
@@ -257,12 +252,12 @@
x509_verify_param_copy(trust, 0);
x509_verify_param_copy(depth, -1);
- /* If overwrite or check time not set, copy across */
+ // If overwrite or check time not set, copy across
if (to_overwrite || !(dest->flags & X509_V_FLAG_USE_CHECK_TIME)) {
dest->check_time = src->check_time;
dest->flags &= ~X509_V_FLAG_USE_CHECK_TIME;
- /* Don't need to copy flag: that is done below */
+ // Don't need to copy flag: that is done below
}
if (inh_flags & X509_VP_FLAG_RESET_FLAGS) {
@@ -277,7 +272,7 @@
}
}
- /* Copy the host flags if and only if we're copying the host list */
+ // Copy the host flags if and only if we're copying the host list
if (test_x509_verify_param_copy(hosts, NULL)) {
if (dest->hosts) {
string_stack_free(dest->hosts);
@@ -510,57 +505,55 @@
#define vpm_empty_id NULL, 0U, NULL, NULL, 0, NULL, 0, 0
-/*
- * Default verify parameters: these are used for various applications and can
- * be overridden by the user specified table. NB: the 'name' field *must* be
- * in alphabetical order because it will be searched using OBJ_search.
- */
+// Default verify parameters: these are used for various applications and can
+// be overridden by the user specified table. NB: the 'name' field *must* be
+// in alphabetical order because it will be searched using OBJ_search.
static const X509_VERIFY_PARAM default_table[] = {
- {(char *)"default", /* X509 default parameters */
- 0, /* Check time */
- 0, /* internal flags */
- X509_V_FLAG_TRUSTED_FIRST, /* flags */
- 0, /* purpose */
- 0, /* trust */
- 100, /* depth */
- NULL, /* policies */
+ {(char *)"default", // X509 default parameters
+ 0, // Check time
+ 0, // internal flags
+ X509_V_FLAG_TRUSTED_FIRST, // flags
+ 0, // purpose
+ 0, // trust
+ 100, // depth
+ NULL, // policies
vpm_empty_id},
- {(char *)"pkcs7", /* S/MIME sign parameters */
- 0, /* Check time */
- 0, /* internal flags */
- 0, /* flags */
- X509_PURPOSE_SMIME_SIGN, /* purpose */
- X509_TRUST_EMAIL, /* trust */
- -1, /* depth */
- NULL, /* policies */
+ {(char *)"pkcs7", // S/MIME sign parameters
+ 0, // Check time
+ 0, // internal flags
+ 0, // flags
+ X509_PURPOSE_SMIME_SIGN, // purpose
+ X509_TRUST_EMAIL, // trust
+ -1, // depth
+ NULL, // policies
vpm_empty_id},
- {(char *)"smime_sign", /* S/MIME sign parameters */
- 0, /* Check time */
- 0, /* internal flags */
- 0, /* flags */
- X509_PURPOSE_SMIME_SIGN, /* purpose */
- X509_TRUST_EMAIL, /* trust */
- -1, /* depth */
- NULL, /* policies */
+ {(char *)"smime_sign", // S/MIME sign parameters
+ 0, // Check time
+ 0, // internal flags
+ 0, // flags
+ X509_PURPOSE_SMIME_SIGN, // purpose
+ X509_TRUST_EMAIL, // trust
+ -1, // depth
+ NULL, // policies
vpm_empty_id},
- {(char *)"ssl_client", /* SSL/TLS client parameters */
- 0, /* Check time */
- 0, /* internal flags */
- 0, /* flags */
- X509_PURPOSE_SSL_CLIENT, /* purpose */
- X509_TRUST_SSL_CLIENT, /* trust */
- -1, /* depth */
- NULL, /* policies */
+ {(char *)"ssl_client", // SSL/TLS client parameters
+ 0, // Check time
+ 0, // internal flags
+ 0, // flags
+ X509_PURPOSE_SSL_CLIENT, // purpose
+ X509_TRUST_SSL_CLIENT, // trust
+ -1, // depth
+ NULL, // policies
vpm_empty_id},
- {(char *)"ssl_server", /* SSL/TLS server parameters */
- 0, /* Check time */
- 0, /* internal flags */
- 0, /* flags */
- X509_PURPOSE_SSL_SERVER, /* purpose */
- X509_TRUST_SSL_SERVER, /* trust */
- -1, /* depth */
- NULL, /* policies */
+ {(char *)"ssl_server", // SSL/TLS server parameters
+ 0, // Check time
+ 0, // internal flags
+ 0, // flags
+ X509_PURPOSE_SSL_SERVER, // purpose
+ X509_TRUST_SSL_SERVER, // trust
+ -1, // depth
+ NULL, // policies
vpm_empty_id}};
static STACK_OF(X509_VERIFY_PARAM) *param_table = NULL;
diff --git a/crypto/x509/x509cset.c b/crypto/x509/x509cset.c
index 27c7140..3ff1018 100644
--- a/crypto/x509/x509cset.c
+++ b/crypto/x509/x509cset.c
@@ -72,7 +72,7 @@
return 0;
}
- /* v1(0) is default and is represented by omitting the version. */
+ // v1(0) is default and is represented by omitting the version.
if (version == X509_CRL_VERSION_1) {
ASN1_INTEGER_free(x->crl->version);
x->crl->version = NULL;
@@ -130,7 +130,7 @@
}
int X509_CRL_sort(X509_CRL *c) {
- /* Sort the data so it will be written in serial number order. */
+ // Sort the data so it will be written in serial number order.
sk_X509_REVOKED_sort(c->crl->revoked);
c->crl->enc.modified = 1;
return 1;
@@ -245,9 +245,9 @@
}
int X509_CRL_set1_signature_algo(X509_CRL *crl, const X509_ALGOR *algo) {
- /* TODO(https://crbug.com/boringssl/407): Generated ASN.1 dup functions
- * should be const. Alternatively, when we can embed required fields
- * directly in structs, import |X509_ALGOR_copy| from upstream. */
+ // TODO(https://crbug.com/boringssl/407): Generated ASN.1 dup functions
+ // should be const. Alternatively, when we can embed required fields
+ // directly in structs, import |X509_ALGOR_copy| from upstream.
X509_ALGOR *copy1 = X509_ALGOR_dup((X509_ALGOR *)algo);
X509_ALGOR *copy2 = X509_ALGOR_dup((X509_ALGOR *)algo);
if (copy1 == NULL || copy2 == NULL) {
diff --git a/crypto/x509/x509name.c b/crypto/x509/x509name.c
index d3aa6de..4087218 100644
--- a/crypto/x509/x509name.c
+++ b/crypto/x509/x509name.c
@@ -114,7 +114,7 @@
return (X509_NAME_get_index_by_OBJ(name, obj, lastpos));
}
-/* NOTE: you should be passsing -1, not 0 as lastpos */
+// NOTE: you should be passsing -1, not 0 as lastpos
int X509_NAME_get_index_by_OBJ(const X509_NAME *name, const ASN1_OBJECT *obj,
int lastpos) {
int n;
@@ -164,7 +164,7 @@
return (ret);
}
- /* else we need to fixup the set field */
+ // else we need to fixup the set field
if (loc != 0) {
set_prev = (sk_X509_NAME_ENTRY_value(sk, loc - 1))->set;
} else {
@@ -172,11 +172,9 @@
}
set_next = sk_X509_NAME_ENTRY_value(sk, loc)->set;
- /*
- * set_prev is the previous set set is the current set set_next is the
- * following prev 1 1 1 1 1 1 1 1 set 1 1 2 2 next 1 1 2 2 2 2 3 2 so
- * basically only if prev and next differ by 2, then re-number down by 1
- */
+ // set_prev is the previous set set is the current set set_next is the
+ // following prev 1 1 1 1 1 1 1 1 set 1 1 2 2 next 1 1 2 2 2 2 3 2 so
+ // basically only if prev and next differ by 2, then re-number down by 1
if (set_prev + 1 < set_next) {
for (i = loc; i < n; i++) {
sk_X509_NAME_ENTRY_value(sk, i)->set--;
@@ -227,10 +225,8 @@
return ret;
}
-/*
- * if set is -1, append to previous set, 0 'a new one', and 1, prepend to the
- * guy we are about to stomp on.
- */
+// if set is -1, append to previous set, 0 'a new one', and 1, prepend to the
+// guy we are about to stomp on.
int X509_NAME_add_entry(X509_NAME *name, X509_NAME_ENTRY *ne, int loc,
int set) {
X509_NAME_ENTRY *new_name = NULL;
@@ -258,7 +254,7 @@
} else {
set = sk_X509_NAME_ENTRY_value(sk, loc - 1)->set;
}
- } else { /* if (set >= 0) */
+ } else { // if (set >= 0)
if (loc >= n) {
if (loc != 0) {
diff --git a/crypto/x509/x509rset.c b/crypto/x509/x509rset.c
index 1d5457f..7e4e083 100644
--- a/crypto/x509/x509rset.c
+++ b/crypto/x509/x509rset.c
@@ -88,9 +88,9 @@
}
int X509_REQ_set1_signature_algo(X509_REQ *req, const X509_ALGOR *algo) {
- /* TODO(https://crbug.com/boringssl/407): Generated ASN.1 dup functions
- * should be const. Alternatively, when we can embed required fields
- * directly in structs, import |X509_ALGOR_copy| from upstream. */
+ // TODO(https://crbug.com/boringssl/407): Generated ASN.1 dup functions
+ // should be const. Alternatively, when we can embed required fields
+ // directly in structs, import |X509_ALGOR_copy| from upstream.
X509_ALGOR *copy = X509_ALGOR_dup((X509_ALGOR *)algo);
if (copy == NULL) {
return 0;
diff --git a/crypto/x509/x509spki.c b/crypto/x509/x509spki.c
index 88ab9cd..d819a5c 100644
--- a/crypto/x509/x509spki.c
+++ b/crypto/x509/x509spki.c
@@ -75,7 +75,7 @@
return (X509_PUBKEY_get(x->spkac->pubkey));
}
-/* Load a Netscape SPKI from a base64 encoded string */
+// Load a Netscape SPKI from a base64 encoded string
NETSCAPE_SPKI *NETSCAPE_SPKI_b64_decode(const char *str, int len) {
unsigned char *spki_der;
@@ -105,7 +105,7 @@
return spki;
}
-/* Generate a base64 encoded string from an SPKI */
+// Generate a base64 encoded string from an SPKI
char *NETSCAPE_SPKI_b64_encode(NETSCAPE_SPKI *spki) {
unsigned char *der_spki, *p;
diff --git a/crypto/x509/x_algor.c b/crypto/x509/x_algor.c
index 8285fb3..09a2221 100644
--- a/crypto/x509/x_algor.c
+++ b/crypto/x509/x_algor.c
@@ -127,7 +127,7 @@
}
}
-/* Set up an X509_ALGOR DigestAlgorithmIdentifier from an EVP_MD */
+// Set up an X509_ALGOR DigestAlgorithmIdentifier from an EVP_MD
void X509_ALGOR_set_md(X509_ALGOR *alg, const EVP_MD *md) {
int param_type;
@@ -141,9 +141,7 @@
X509_ALGOR_set0(alg, OBJ_nid2obj(EVP_MD_type(md)), param_type, NULL);
}
-/*
- * X509_ALGOR_cmp returns 0 if |a| and |b| are equal and non-zero otherwise.
- */
+// X509_ALGOR_cmp returns 0 if |a| and |b| are equal and non-zero otherwise.
int X509_ALGOR_cmp(const X509_ALGOR *a, const X509_ALGOR *b) {
int rv;
rv = OBJ_cmp(a->algorithm, b->algorithm);
diff --git a/crypto/x509/x_crl.c b/crypto/x509/x_crl.c
index 7b23797..f65afba 100644
--- a/crypto/x509/x_crl.c
+++ b/crypto/x509/x_crl.c
@@ -80,11 +80,9 @@
static int crl_lookup(X509_CRL *crl, X509_REVOKED **ret, ASN1_INTEGER *serial,
X509_NAME *issuer);
-/*
- * The X509_CRL_INFO structure needs a bit of customisation. Since we cache
- * the original encoding the signature wont be affected by reordering of the
- * revoked field.
- */
+// The X509_CRL_INFO structure needs a bit of customisation. Since we cache
+// the original encoding the signature wont be affected by reordering of the
+// revoked field.
static int crl_inf_cb(int operation, ASN1_VALUE **pval, const ASN1_ITEM *it,
void *exarg) {
X509_CRL_INFO *a = (X509_CRL_INFO *)*pval;
@@ -93,10 +91,8 @@
return 1;
}
switch (operation) {
- /*
- * Just set cmp function here. We don't sort because that would
- * affect the output of X509_CRL_print().
- */
+ // Just set cmp function here. We don't sort because that would
+ // affect the output of X509_CRL_print().
case ASN1_OP_D2I_POST:
(void)sk_X509_REVOKED_set_cmp_func(a->revoked, X509_REVOKED_cmp);
break;
@@ -115,10 +111,8 @@
ASN1_EXP_SEQUENCE_OF_OPT(X509_CRL_INFO, extensions, X509_EXTENSION, 0),
} ASN1_SEQUENCE_END_enc(X509_CRL_INFO, X509_CRL_INFO)
-/*
- * Set CRL entry issuer according to CRL certificate issuer extension. Check
- * for unhandled critical CRL entry extensions.
- */
+// Set CRL entry issuer according to CRL certificate issuer extension. Check
+// for unhandled critical CRL entry extensions.
static int crl_set_issuers(X509_CRL *crl) {
size_t i, k;
@@ -167,7 +161,7 @@
rev->reason = CRL_REASON_NONE;
}
- /* Check for critical CRL entry extensions */
+ // Check for critical CRL entry extensions
exts = rev->extensions;
@@ -187,10 +181,8 @@
return 1;
}
-/*
- * The X509_CRL structure needs a bit of customisation. Cache some extensions
- * and hash of the whole CRL.
- */
+// The X509_CRL structure needs a bit of customisation. Cache some extensions
+// and hash of the whole CRL.
static int crl_cb(int operation, ASN1_VALUE **pval, const ASN1_ITEM *it,
void *exarg) {
X509_CRL *crl = (X509_CRL *)*pval;
@@ -212,20 +204,20 @@
break;
case ASN1_OP_D2I_POST: {
- /* The version must be one of v1(0) or v2(1). */
+ // The version must be one of v1(0) or v2(1).
long version = X509_CRL_VERSION_1;
if (crl->crl->version != NULL) {
version = ASN1_INTEGER_get(crl->crl->version);
- /* TODO(https://crbug.com/boringssl/364): |X509_CRL_VERSION_1|
- * should also be rejected. This means an explicitly-encoded X.509v1
- * version. v1 is DEFAULT, so DER requires it be omitted. */
+ // TODO(https://crbug.com/boringssl/364): |X509_CRL_VERSION_1|
+ // should also be rejected. This means an explicitly-encoded X.509v1
+ // version. v1 is DEFAULT, so DER requires it be omitted.
if (version < X509_CRL_VERSION_1 || version > X509_CRL_VERSION_2) {
OPENSSL_PUT_ERROR(X509, X509_R_INVALID_VERSION);
return 0;
}
}
- /* Per RFC 5280, section 5.1.2.1, extensions require v2. */
+ // Per RFC 5280, section 5.1.2.1, extensions require v2.
if (version != X509_CRL_VERSION_2 && crl->crl->extensions != NULL) {
OPENSSL_PUT_ERROR(X509, X509_R_INVALID_FIELD_FOR_VERSION);
return 0;
@@ -260,18 +252,16 @@
if (crl->base_crl_number == NULL && i != -1) {
return 0;
}
- /* Delta CRLs must have CRL number */
+ // Delta CRLs must have CRL number
if (crl->base_crl_number && !crl->crl_number) {
OPENSSL_PUT_ERROR(X509, X509_R_DELTA_CRL_WITHOUT_CRL_NUMBER);
return 0;
}
- /*
- * See if we have any unhandled critical CRL extensions and indicate
- * this in a flag. We only currently handle IDP so anything else
- * critical sets the flag. This code accesses the X509_CRL structure
- * directly: applications shouldn't do this.
- */
+ // See if we have any unhandled critical CRL extensions and indicate
+ // this in a flag. We only currently handle IDP so anything else
+ // critical sets the flag. This code accesses the X509_CRL structure
+ // directly: applications shouldn't do this.
exts = crl->crl->extensions;
@@ -283,7 +273,7 @@
crl->flags |= EXFLAG_FRESHEST;
}
if (X509_EXTENSION_get_critical(ext)) {
- /* We handle IDP and deltas */
+ // We handle IDP and deltas
if ((nid == NID_issuing_distribution_point) ||
(nid == NID_authority_key_identifier) || (nid == NID_delta_crl)) {
continue;
@@ -311,11 +301,11 @@
return 1;
}
-/* Convert IDP into a more convenient form */
+// Convert IDP into a more convenient form
static int setup_idp(X509_CRL *crl, ISSUING_DIST_POINT *idp) {
int idp_only = 0;
- /* Set various flags according to IDP */
+ // Set various flags according to IDP
crl->idp_flags |= IDP_PRESENT;
if (idp->onlyuser > 0) {
idp_only++;
@@ -441,10 +431,8 @@
X509_REVOKED rtmp, *rev;
size_t idx;
rtmp.serialNumber = serial;
- /*
- * Sort revoked into serial number order if not already sorted. Do this
- * under a lock to avoid race condition.
- */
+ // Sort revoked into serial number order if not already sorted. Do this
+ // under a lock to avoid race condition.
CRYPTO_STATIC_MUTEX_lock_read(&g_crl_sort_lock);
const int is_sorted = sk_X509_REVOKED_is_sorted(crl->crl->revoked);
@@ -461,7 +449,7 @@
if (!sk_X509_REVOKED_find(crl->crl->revoked, &idx, &rtmp)) {
return 0;
}
- /* Need to look for matching name */
+ // Need to look for matching name
for (; idx < sk_X509_REVOKED_num(crl->crl->revoked); idx++) {
rev = sk_X509_REVOKED_value(crl->crl->revoked, idx);
if (ASN1_INTEGER_cmp(rev->serialNumber, serial)) {
diff --git a/crypto/x509/x_name.c b/crypto/x509/x_name.c
index 58c1083..f54cbe8 100644
--- a/crypto/x509/x_name.c
+++ b/crypto/x509/x_name.c
@@ -74,10 +74,8 @@
typedef STACK_OF(X509_NAME_ENTRY) STACK_OF_X509_NAME_ENTRY;
DEFINE_STACK_OF(STACK_OF_X509_NAME_ENTRY)
-/*
- * Maximum length of X509_NAME: much larger than anything we should
- * ever see in practice.
- */
+// Maximum length of X509_NAME: much larger than anything we should
+// ever see in practice.
#define X509_NAME_MAX (1024 * 1024)
@@ -104,10 +102,8 @@
IMPLEMENT_ASN1_FUNCTIONS(X509_NAME_ENTRY)
IMPLEMENT_ASN1_DUP_FUNCTION(X509_NAME_ENTRY)
-/*
- * For the "Name" type we need a SEQUENCE OF { SET OF X509_NAME_ENTRY } so
- * declare two template wrappers for this
- */
+// For the "Name" type we need a SEQUENCE OF { SET OF X509_NAME_ENTRY } so
+// declare two template wrappers for this
ASN1_ITEM_TEMPLATE(X509_NAME_ENTRIES) = ASN1_EX_TEMPLATE_TYPE(ASN1_TFLG_SET_OF,
0, RDNS,
@@ -118,18 +114,16 @@
ASN1_EX_TEMPLATE_TYPE(ASN1_TFLG_SEQUENCE_OF, 0, Name, X509_NAME_ENTRIES)
ASN1_ITEM_TEMPLATE_END(X509_NAME_INTERNAL)
-/*
- * Normally that's where it would end: we'd have two nested STACK structures
- * representing the ASN1. Unfortunately X509_NAME uses a completely different
- * form and caches encodings so we have to process the internal form and
- * convert to the external form.
- */
+// Normally that's where it would end: we'd have two nested STACK structures
+// representing the ASN1. Unfortunately X509_NAME uses a completely different
+// form and caches encodings so we have to process the internal form and
+// convert to the external form.
static const ASN1_EXTERN_FUNCS x509_name_ff = {
NULL,
x509_name_ex_new,
x509_name_ex_free,
- 0, /* Default clear behaviour is OK */
+ 0, // Default clear behaviour is OK
x509_name_ex_d2i,
x509_name_ex_i2d,
NULL,
@@ -204,13 +198,13 @@
int ret;
STACK_OF(X509_NAME_ENTRY) *entries;
X509_NAME_ENTRY *entry;
- /* Bound the size of an X509_NAME we are willing to parse. */
+ // Bound the size of an X509_NAME we are willing to parse.
if (len > X509_NAME_MAX) {
len = X509_NAME_MAX;
}
q = p;
- /* Get internal representation of Name */
+ // Get internal representation of Name
ASN1_VALUE *intname_val = NULL;
ret = ASN1_item_ex_d2i(&intname_val, &p, len,
ASN1_ITEM_rptr(X509_NAME_INTERNAL), tag, aclass, opt,
@@ -228,13 +222,13 @@
goto err;
}
nm = (X509_NAME *)nm_val;
- /* We've decoded it: now cache encoding */
+ // We've decoded it: now cache encoding
if (!BUF_MEM_grow(nm->bytes, p - q)) {
goto err;
}
OPENSSL_memcpy(nm->bytes->data, q, p - q);
- /* Convert internal representation to X509_NAME structure */
+ // Convert internal representation to X509_NAME structure
for (i = 0; i < sk_STACK_OF_X509_NAME_ENTRY_num(intname); i++) {
entries = sk_STACK_OF_X509_NAME_ENTRY_value(intname, i);
for (j = 0; j < sk_X509_NAME_ENTRY_num(entries); j++) {
@@ -330,16 +324,14 @@
return 0;
}
-/*
- * This function generates the canonical encoding of the Name structure. In
- * it all strings are converted to UTF8, leading, trailing and multiple
- * spaces collapsed, converted to lower case and the leading SEQUENCE header
- * removed. In future we could also normalize the UTF8 too. By doing this
- * comparison of Name structures can be rapidly perfomed by just using
- * OPENSSL_memcmp() of the canonical encoding. By omitting the leading SEQUENCE
- * name constraints of type dirName can also be checked with a simple
- * OPENSSL_memcmp().
- */
+// This function generates the canonical encoding of the Name structure. In
+// it all strings are converted to UTF8, leading, trailing and multiple
+// spaces collapsed, converted to lower case and the leading SEQUENCE header
+// removed. In future we could also normalize the UTF8 too. By doing this
+// comparison of Name structures can be rapidly perfomed by just using
+// OPENSSL_memcmp() of the canonical encoding. By omitting the leading SEQUENCE
+// name constraints of type dirName can also be checked with a simple
+// OPENSSL_memcmp().
static int x509_name_canon(X509_NAME *a) {
unsigned char *p;
@@ -353,7 +345,7 @@
OPENSSL_free(a->canon_enc);
a->canon_enc = NULL;
}
- /* Special case: empty X509_NAME => null encoding */
+ // Special case: empty X509_NAME => null encoding
if (sk_X509_NAME_ENTRY_num(a->entries) == 0) {
a->canon_enclen = 0;
return 1;
@@ -389,7 +381,7 @@
tmpentry = NULL;
}
- /* Finally generate encoding */
+ // Finally generate encoding
len = i2d_name_canon(intname, NULL);
if (len < 0) {
@@ -421,7 +413,7 @@
return ret;
}
-/* Bitmap of all the types of string that will be canonicalized. */
+// Bitmap of all the types of string that will be canonicalized.
#define ASN1_MASK_CANON \
(B_ASN1_UTF8STRING | B_ASN1_BMPSTRING | B_ASN1_UNIVERSALSTRING | \
@@ -432,7 +424,7 @@
unsigned char *to, *from;
int len, i;
- /* If type not in bitmask just copy string across */
+ // If type not in bitmask just copy string across
if (!(ASN1_tag2bit(in->type) & ASN1_MASK_CANON)) {
if (!ASN1_STRING_copy(out, in)) {
return 0;
@@ -451,13 +443,11 @@
len = out->length;
- /*
- * Convert string in place to canonical form. Ultimately we may need to
- * handle a wider range of characters but for now ignore anything with
- * MSB set and rely on the isspace() and tolower() functions.
- */
+ // Convert string in place to canonical form. Ultimately we may need to
+ // handle a wider range of characters but for now ignore anything with
+ // MSB set and rely on the isspace() and tolower() functions.
- /* Ignore leading spaces */
+ // Ignore leading spaces
while ((len > 0) && !(*from & 0x80) && isspace(*from)) {
from++;
len--;
@@ -465,7 +455,7 @@
to = from + len;
- /* Ignore trailing spaces */
+ // Ignore trailing spaces
while ((len > 0) && !(to[-1] & 0x80) && isspace(to[-1])) {
to--;
len--;
@@ -475,20 +465,18 @@
i = 0;
while (i < len) {
- /* If MSB set just copy across */
+ // If MSB set just copy across
if (*from & 0x80) {
*to++ = *from++;
i++;
}
- /* Collapse multiple spaces */
+ // Collapse multiple spaces
else if (isspace(*from)) {
- /* Copy one space across */
+ // Copy one space across
*to++ = ' ';
- /*
- * Ignore subsequent spaces. Note: don't need to check len here
- * because we know the last character is a non-space so we can't
- * overflow.
- */
+ // Ignore subsequent spaces. Note: don't need to check len here
+ // because we know the last character is a non-space so we can't
+ // overflow.
do {
from++;
i++;
@@ -538,7 +526,7 @@
int X509_NAME_get0_der(X509_NAME *nm, const unsigned char **pder,
size_t *pderlen) {
- /* Make sure encoding is valid */
+ // Make sure encoding is valid
if (i2d_X509_NAME(nm, NULL) <= 0) {
return 0;
}
diff --git a/crypto/x509/x_pubkey.c b/crypto/x509/x_pubkey.c
index 12e7d68..3a19135 100644
--- a/crypto/x509/x_pubkey.c
+++ b/crypto/x509/x_pubkey.c
@@ -70,7 +70,7 @@
#include "../internal.h"
#include "internal.h"
-/* Minor tweak to operation: free up EVP_PKEY */
+// Minor tweak to operation: free up EVP_PKEY
static int pubkey_cb(int operation, ASN1_VALUE **pval, const ASN1_ITEM *it,
void *exarg) {
if (operation == ASN1_OP_FREE_POST) {
@@ -122,10 +122,10 @@
return 0;
}
-/* g_pubkey_lock is used to protect the initialisation of the |pkey| member of
- * |X509_PUBKEY| objects. Really |X509_PUBKEY| should have a |CRYPTO_once_t|
- * inside it for this, but |CRYPTO_once_t| is private and |X509_PUBKEY| is
- * not. */
+// g_pubkey_lock is used to protect the initialisation of the |pkey| member of
+// |X509_PUBKEY| objects. Really |X509_PUBKEY| should have a |CRYPTO_once_t|
+// inside it for this, but |CRYPTO_once_t| is private and |X509_PUBKEY| is
+// not.
static struct CRYPTO_STATIC_MUTEX g_pubkey_lock = CRYPTO_STATIC_MUTEX_INIT;
EVP_PKEY *X509_PUBKEY_get(X509_PUBKEY *key) {
@@ -144,7 +144,7 @@
}
CRYPTO_STATIC_MUTEX_unlock_read(&g_pubkey_lock);
- /* Re-encode the |X509_PUBKEY| to DER and parse it. */
+ // Re-encode the |X509_PUBKEY| to DER and parse it.
int spki_len = i2d_X509_PUBKEY(key, &spki);
if (spki_len < 0) {
goto error;
@@ -157,7 +157,7 @@
goto error;
}
- /* Check to see if another thread set key->pkey first */
+ // Check to see if another thread set key->pkey first
CRYPTO_STATIC_MUTEX_lock_write(&g_pubkey_lock);
if (key->pkey) {
CRYPTO_STATIC_MUTEX_unlock_write(&g_pubkey_lock);
@@ -185,7 +185,7 @@
}
ASN1_STRING_set0(pub->public_key, key, key_len);
- /* Set the number of unused bits to zero. */
+ // Set the number of unused bits to zero.
pub->public_key->flags &= ~(ASN1_STRING_FLAG_BITS_LEFT | 0x07);
pub->public_key->flags |= ASN1_STRING_FLAG_BITS_LEFT;
return 1;
diff --git a/crypto/x509/x_req.c b/crypto/x509/x_req.c
index 42e9496..4ddeaea 100644
--- a/crypto/x509/x_req.c
+++ b/crypto/x509/x_req.c
@@ -63,14 +63,12 @@
#include "internal.h"
-/*
- * X509_REQ_INFO is handled in an unusual way to get round invalid encodings.
- * Some broken certificate requests don't encode the attributes field if it
- * is empty. This is in violation of PKCS#10 but we need to tolerate it. We
- * do this by making the attributes field OPTIONAL then using the callback to
- * initialise it to an empty STACK. This means that the field will be
- * correctly encoded unless we NULL out the field.
- */
+// X509_REQ_INFO is handled in an unusual way to get round invalid encodings.
+// Some broken certificate requests don't encode the attributes field if it
+// is empty. This is in violation of PKCS#10 but we need to tolerate it. We
+// do this by making the attributes field OPTIONAL then using the callback to
+// initialise it to an empty STACK. This means that the field will be
+// correctly encoded unless we NULL out the field.
static int rinf_cb(int operation, ASN1_VALUE **pval, const ASN1_ITEM *it,
void *exarg) {
@@ -97,7 +95,7 @@
ASN1_SIMPLE(X509_REQ_INFO, version, ASN1_INTEGER),
ASN1_SIMPLE(X509_REQ_INFO, subject, X509_NAME),
ASN1_SIMPLE(X509_REQ_INFO, pubkey, X509_PUBKEY),
- /* This isn't really OPTIONAL but it gets around invalid encodings. */
+ // This isn't really OPTIONAL but it gets around invalid encodings.
ASN1_IMP_SET_OF_OPT(X509_REQ_INFO, attributes, X509_ATTRIBUTE, 0),
} ASN1_SEQUENCE_END_enc(X509_REQ_INFO, X509_REQ_INFO)
diff --git a/crypto/x509/x_spki.c b/crypto/x509/x_spki.c
index 5e582f5..435ff85 100644
--- a/crypto/x509/x_spki.c
+++ b/crypto/x509/x_spki.c
@@ -55,10 +55,8 @@
* copied and put under another distribution licence
* [including the GNU Public Licence.] */
-/*
- * This module was send to me my Pat Richards <patr@x509.com> who wrote it.
- * It is under my Copyright with his permission.
- */
+// This module was send to me my Pat Richards <patr@x509.com> who wrote it.
+// It is under my Copyright with his permission.
#include <openssl/asn1t.h>
#include <openssl/x509.h>
diff --git a/crypto/x509/x_x509.c b/crypto/x509/x_x509.c
index 743fd80..ee558a4 100644
--- a/crypto/x509/x_x509.c
+++ b/crypto/x509/x_x509.c
@@ -87,7 +87,7 @@
} ASN1_SEQUENCE_END_enc(X509_CINF, X509_CINF)
IMPLEMENT_ASN1_FUNCTIONS(X509_CINF)
-/* X509 top level structure needs a bit of customisation */
+// X509 top level structure needs a bit of customisation
extern void policy_cache_free(X509_POLICY_CACHE *cache);
@@ -114,27 +114,27 @@
break;
case ASN1_OP_D2I_POST: {
- /* The version must be one of v1(0), v2(1), or v3(2). */
+ // The version must be one of v1(0), v2(1), or v3(2).
long version = X509_VERSION_1;
if (ret->cert_info->version != NULL) {
version = ASN1_INTEGER_get(ret->cert_info->version);
- /* TODO(https://crbug.com/boringssl/364): |X509_VERSION_1| should
- * also be rejected here. This means an explicitly-encoded X.509v1
- * version. v1 is DEFAULT, so DER requires it be omitted. */
+ // TODO(https://crbug.com/boringssl/364): |X509_VERSION_1| should
+ // also be rejected here. This means an explicitly-encoded X.509v1
+ // version. v1 is DEFAULT, so DER requires it be omitted.
if (version < X509_VERSION_1 || version > X509_VERSION_3) {
OPENSSL_PUT_ERROR(X509, X509_R_INVALID_VERSION);
return 0;
}
}
- /* Per RFC 5280, section 4.1.2.8, these fields require v2 or v3. */
+ // Per RFC 5280, section 4.1.2.8, these fields require v2 or v3.
if (version == X509_VERSION_1 && (ret->cert_info->issuerUID != NULL ||
ret->cert_info->subjectUID != NULL)) {
OPENSSL_PUT_ERROR(X509, X509_R_INVALID_FIELD_FOR_VERSION);
return 0;
}
- /* Per RFC 5280, section 4.1.2.9, extensions require v3. */
+ // Per RFC 5280, section 4.1.2.9, extensions require v3.
if (version != X509_VERSION_3 && ret->cert_info->extensions != NULL) {
OPENSSL_PUT_ERROR(X509, X509_R_INVALID_FIELD_FOR_VERSION);
return 0;
@@ -224,12 +224,10 @@
return (CRYPTO_get_ex_data(&r->ex_data, idx));
}
-/*
- * X509_AUX ASN1 routines. X509_AUX is the name given to a certificate with
- * extra info tagged on the end. Since these functions set how a certificate
- * is trusted they should only be used when the certificate comes from a
- * reliable source such as local storage.
- */
+// X509_AUX ASN1 routines. X509_AUX is the name given to a certificate with
+// extra info tagged on the end. Since these functions set how a certificate
+// is trusted they should only be used when the certificate comes from a
+// reliable source such as local storage.
X509 *d2i_X509_AUX(X509 **a, const unsigned char **pp, long length) {
const unsigned char *q = *pp;
@@ -240,13 +238,13 @@
freeret = 1;
}
ret = d2i_X509(a, &q, length);
- /* If certificate unreadable then forget it */
+ // If certificate unreadable then forget it
if (!ret) {
return NULL;
}
- /* update length */
+ // update length
length -= q - *pp;
- /* Parse auxiliary information if there is any. */
+ // Parse auxiliary information if there is any.
if (length > 0 && !d2i_X509_CERT_AUX(&ret->aux, &q, length)) {
goto err;
}
@@ -262,23 +260,19 @@
return NULL;
}
-/*
- * Serialize trusted certificate to *pp or just return the required buffer
- * length if pp == NULL. We ultimately want to avoid modifying *pp in the
- * error path, but that depends on similar hygiene in lower-level functions.
- * Here we avoid compounding the problem.
- */
+// Serialize trusted certificate to *pp or just return the required buffer
+// length if pp == NULL. We ultimately want to avoid modifying *pp in the
+// error path, but that depends on similar hygiene in lower-level functions.
+// Here we avoid compounding the problem.
static int i2d_x509_aux_internal(X509 *a, unsigned char **pp) {
int length, tmplen;
unsigned char *start = pp != NULL ? *pp : NULL;
assert(pp == NULL || *pp != NULL);
- /*
- * This might perturb *pp on error, but fixing that belongs in i2d_X509()
- * not here. It should be that if a == NULL length is zero, but we check
- * both just in case.
- */
+ // This might perturb *pp on error, but fixing that belongs in i2d_X509()
+ // not here. It should be that if a == NULL length is zero, but we check
+ // both just in case.
length = i2d_X509(a, pp);
if (length <= 0 || a == NULL) {
return length;
@@ -298,36 +292,34 @@
return length;
}
-/*
- * Serialize trusted certificate to *pp, or just return the required buffer
- * length if pp == NULL.
- *
- * When pp is not NULL, but *pp == NULL, we allocate the buffer, but since
- * we're writing two ASN.1 objects back to back, we can't have i2d_X509() do
- * the allocation, nor can we allow i2d_X509_CERT_AUX() to increment the
- * allocated buffer.
- */
+// Serialize trusted certificate to *pp, or just return the required buffer
+// length if pp == NULL.
+//
+// When pp is not NULL, but *pp == NULL, we allocate the buffer, but since
+// we're writing two ASN.1 objects back to back, we can't have i2d_X509() do
+// the allocation, nor can we allow i2d_X509_CERT_AUX() to increment the
+// allocated buffer.
int i2d_X509_AUX(X509 *a, unsigned char **pp) {
int length;
unsigned char *tmp;
- /* Buffer provided by caller */
+ // Buffer provided by caller
if (pp == NULL || *pp != NULL) {
return i2d_x509_aux_internal(a, pp);
}
- /* Obtain the combined length */
+ // Obtain the combined length
if ((length = i2d_x509_aux_internal(a, NULL)) <= 0) {
return length;
}
- /* Allocate requisite combined storage */
+ // Allocate requisite combined storage
*pp = tmp = OPENSSL_malloc(length);
if (tmp == NULL) {
- return -1; /* Push error onto error stack? */
+ return -1; // Push error onto error stack?
}
- /* Encode, but keep *pp at the originally malloced pointer */
+ // Encode, but keep *pp at the originally malloced pointer
length = i2d_x509_aux_internal(a, &tmp);
if (length <= 0) {
OPENSSL_free(*pp);
@@ -346,9 +338,9 @@
}
int X509_set1_signature_algo(X509 *x509, const X509_ALGOR *algo) {
- /* TODO(https://crbug.com/boringssl/407): Generated ASN.1 dup functions
- * should be const. Alternatively, when we can embed required fields
- * directly in structs, import |X509_ALGOR_copy| from upstream. */
+ // TODO(https://crbug.com/boringssl/407): Generated ASN.1 dup functions
+ // should be const. Alternatively, when we can embed required fields
+ // directly in structs, import |X509_ALGOR_copy| from upstream.
X509_ALGOR *copy1 = X509_ALGOR_dup((X509_ALGOR *)algo);
X509_ALGOR *copy2 = X509_ALGOR_dup((X509_ALGOR *)algo);
if (copy1 == NULL || copy2 == NULL) {
diff --git a/crypto/x509/x_x509a.c b/crypto/x509/x_x509a.c
index 96161f5..d372537 100644
--- a/crypto/x509/x_x509a.c
+++ b/crypto/x509/x_x509a.c
@@ -64,12 +64,10 @@
#include "internal.h"
-/*
- * X509_CERT_AUX routines. These are used to encode additional user
- * modifiable data about a certificate. This data is appended to the X509
- * encoding when the *_X509_AUX routines are used. This means that the
- * "traditional" X509 routines will simply ignore the extra data.
- */
+// X509_CERT_AUX routines. These are used to encode additional user
+// modifiable data about a certificate. This data is appended to the X509
+// encoding when the *_X509_AUX routines are used. This means that the
+// "traditional" X509 routines will simply ignore the extra data.
static X509_CERT_AUX *aux_get(X509 *x);
@@ -94,9 +92,9 @@
int X509_alias_set1(X509 *x, const unsigned char *name, int len) {
X509_CERT_AUX *aux;
- /* TODO(davidben): Empty aliases are not meaningful in PKCS#12, and the
- * getters cannot quite represent them. Also erase the object if |len| is
- * zero. */
+ // TODO(davidben): Empty aliases are not meaningful in PKCS#12, and the
+ // getters cannot quite represent them. Also erase the object if |len| is
+ // zero.
if (!name) {
if (!x || !x->aux || !x->aux->alias) {
return 1;
@@ -116,9 +114,9 @@
int X509_keyid_set1(X509 *x, const unsigned char *id, int len) {
X509_CERT_AUX *aux;
- /* TODO(davidben): Empty key IDs are not meaningful in PKCS#12, and the
- * getters cannot quite represent them. Also erase the object if |len| is
- * zero. */
+ // TODO(davidben): Empty key IDs are not meaningful in PKCS#12, and the
+ // getters cannot quite represent them. Also erase the object if |len| is
+ // zero.
if (!id) {
if (!x || !x->aux || !x->aux->keyid) {
return 1;
diff --git a/crypto/x509v3/ext_dat.h b/crypto/x509v3/ext_dat.h
index 0773608..2491431 100644
--- a/crypto/x509v3/ext_dat.h
+++ b/crypto/x509v3/ext_dat.h
@@ -54,7 +54,7 @@
* (eay@cryptsoft.com). This product includes software written by Tim
* Hudson (tjh@cryptsoft.com). */
-/* This file contains a table of "standard" extensions */
+// This file contains a table of "standard" extensions
#if defined(__cplusplus)
extern "C" {
@@ -74,12 +74,10 @@
extern const X509V3_EXT_METHOD v3_name_constraints, v3_inhibit_anyp, v3_idp;
extern const X509V3_EXT_METHOD v3_addr, v3_asid;
-/*
- * This table will be searched using OBJ_bsearch so it *must* kept in order
- * of the ext_nid values.
- */
+// This table will be searched using OBJ_bsearch so it *must* kept in order
+// of the ext_nid values.
-/* TODO(fork): OCSP support */
+// TODO(fork): OCSP support
#define OPENSSL_NO_OCSP
static const X509V3_EXT_METHOD *const standard_exts[] = {
@@ -127,11 +125,11 @@
&v3_freshest_crl,
};
-/* Number of standard extensions */
+// Number of standard extensions
#define STANDARD_EXTENSION_COUNT \
(sizeof(standard_exts) / sizeof(X509V3_EXT_METHOD *))
#if defined(__cplusplus)
-} /* extern C */
+} // extern C
#endif
diff --git a/crypto/x509v3/internal.h b/crypto/x509v3/internal.h
index b26b313..abace33 100644
--- a/crypto/x509v3/internal.h
+++ b/crypto/x509v3/internal.h
@@ -126,129 +126,114 @@
DEFINE_STACK_OF(X509_POLICY_DATA)
-/* Internal structures */
+// Internal structures
-/*
- * This structure and the field names correspond to the Policy 'node' of
- * RFC 3280. NB this structure contains no pointers to parent or child data:
- * X509_POLICY_NODE contains that. This means that the main policy data can
- * be kept static and cached with the certificate.
- */
+// This structure and the field names correspond to the Policy 'node' of
+// RFC 3280. NB this structure contains no pointers to parent or child data:
+// X509_POLICY_NODE contains that. This means that the main policy data can
+// be kept static and cached with the certificate.
struct X509_POLICY_DATA_st {
unsigned int flags;
- /* Policy OID and qualifiers for this data */
+ // Policy OID and qualifiers for this data
ASN1_OBJECT *valid_policy;
STACK_OF(POLICYQUALINFO) *qualifier_set;
STACK_OF(ASN1_OBJECT) *expected_policy_set;
};
-/* X509_POLICY_DATA flags values */
+// X509_POLICY_DATA flags values
-/*
- * This flag indicates the structure has been mapped using a policy mapping
- * extension. If policy mapping is not active its references get deleted.
- */
+// This flag indicates the structure has been mapped using a policy mapping
+// extension. If policy mapping is not active its references get deleted.
#define POLICY_DATA_FLAG_MAPPED 0x1
-/*
- * This flag indicates the data doesn't correspond to a policy in Certificate
- * Policies: it has been mapped to any policy.
- */
+// This flag indicates the data doesn't correspond to a policy in Certificate
+// Policies: it has been mapped to any policy.
#define POLICY_DATA_FLAG_MAPPED_ANY 0x2
-/* AND with flags to see if any mapping has occurred */
+// AND with flags to see if any mapping has occurred
#define POLICY_DATA_FLAG_MAP_MASK 0x3
-/* qualifiers are shared and shouldn't be freed */
+// qualifiers are shared and shouldn't be freed
#define POLICY_DATA_FLAG_SHARED_QUALIFIERS 0x4
-/* Parent node is an extra node and should be freed */
+// Parent node is an extra node and should be freed
#define POLICY_DATA_FLAG_EXTRA_NODE 0x8
-/* Corresponding CertificatePolicies is critical */
+// Corresponding CertificatePolicies is critical
#define POLICY_DATA_FLAG_CRITICAL 0x10
-/* This structure is cached with a certificate */
+// This structure is cached with a certificate
struct X509_POLICY_CACHE_st {
- /* anyPolicy data or NULL if no anyPolicy */
+ // anyPolicy data or NULL if no anyPolicy
X509_POLICY_DATA *anyPolicy;
- /* other policy data */
+ // other policy data
STACK_OF(X509_POLICY_DATA) *data;
- /* If InhibitAnyPolicy present this is its value or -1 if absent. */
+ // If InhibitAnyPolicy present this is its value or -1 if absent.
long any_skip;
- /*
- * If policyConstraints and requireExplicitPolicy present this is its
- * value or -1 if absent.
- */
+ // If policyConstraints and requireExplicitPolicy present this is its
+ // value or -1 if absent.
long explicit_skip;
- /*
- * If policyConstraints and policyMapping present this is its value or -1
- * if absent.
- */
+ // If policyConstraints and policyMapping present this is its value or -1
+ // if absent.
long map_skip;
};
-/*
- * #define POLICY_CACHE_FLAG_CRITICAL POLICY_DATA_FLAG_CRITICAL
- */
+// #define POLICY_CACHE_FLAG_CRITICAL POLICY_DATA_FLAG_CRITICAL
-/* This structure represents the relationship between nodes */
+// This structure represents the relationship between nodes
struct X509_POLICY_NODE_st {
- /* node data this refers to */
+ // node data this refers to
const X509_POLICY_DATA *data;
- /* Parent node */
+ // Parent node
X509_POLICY_NODE *parent;
- /* Number of child nodes */
+ // Number of child nodes
int nchild;
};
struct X509_POLICY_LEVEL_st {
- /* Cert for this level */
+ // Cert for this level
X509 *cert;
- /* nodes at this level */
+ // nodes at this level
STACK_OF(X509_POLICY_NODE) *nodes;
- /* anyPolicy node */
+ // anyPolicy node
X509_POLICY_NODE *anyPolicy;
- /* Extra data */
- /*
- * STACK_OF(X509_POLICY_DATA) *extra_data;
- */
+ // Extra data
+ //
+ // STACK_OF(X509_POLICY_DATA) *extra_data;
unsigned int flags;
};
struct X509_POLICY_TREE_st {
- /* This is the tree 'level' data */
+ // This is the tree 'level' data
X509_POLICY_LEVEL *levels;
int nlevel;
- /*
- * Extra policy data when additional nodes (not from the certificate) are
- * required.
- */
+ // Extra policy data when additional nodes (not from the certificate) are
+ // required.
STACK_OF(X509_POLICY_DATA) *extra_data;
- /* This is the authority constained policy set */
+ // This is the authority constained policy set
STACK_OF(X509_POLICY_NODE) *auth_policies;
STACK_OF(X509_POLICY_NODE) *user_policies;
unsigned int flags;
};
-/* Set if anyPolicy present in user policies */
+// Set if anyPolicy present in user policies
#define POLICY_FLAG_ANY_POLICY 0x2
-/* Useful macros */
+// Useful macros
#define node_data_critical(data) ((data)->flags & POLICY_DATA_FLAG_CRITICAL)
#define node_critical(node) node_data_critical((node)->data)
-/* Internal functions */
+// Internal functions
X509_POLICY_DATA *policy_data_new(POLICYINFO *policy, const ASN1_OBJECT *id,
int crit);
@@ -283,7 +268,7 @@
#if defined(__cplusplus)
-} /* extern C */
+} // extern C
#endif
-#endif /* OPENSSL_HEADER_X509V3_INTERNAL_H */
+#endif // OPENSSL_HEADER_X509V3_INTERNAL_H
diff --git a/crypto/x509v3/pcy_cache.c b/crypto/x509v3/pcy_cache.c
index f4de366..74f95f9 100644
--- a/crypto/x509v3/pcy_cache.c
+++ b/crypto/x509v3/pcy_cache.c
@@ -68,10 +68,8 @@
const X509_POLICY_DATA **b);
static int policy_cache_set_int(long *out, ASN1_INTEGER *value);
-/*
- * Set cache entry according to CertificatePolicies extension. Note: this
- * destroys the passed CERTIFICATEPOLICIES structure.
- */
+// Set cache entry according to CertificatePolicies extension. Note: this
+// destroys the passed CERTIFICATEPOLICIES structure.
static int policy_cache_create(X509 *x, CERTIFICATEPOLICIES *policies,
int crit) {
@@ -93,9 +91,7 @@
if (!data) {
goto bad_policy;
}
- /*
- * Duplicate policy OIDs are illegal: reject if matches found.
- */
+ // Duplicate policy OIDs are illegal: reject if matches found.
sk_X509_POLICY_DATA_sort(cache->data);
if (OBJ_obj2nid(data->valid_policy) == NID_any_policy) {
if (cache->anyPolicy) {
@@ -146,10 +142,8 @@
x->policy_cache = cache;
- /*
- * Handle requireExplicitPolicy *first*. Need to process this even if we
- * don't have any policies.
- */
+ // Handle requireExplicitPolicy *first*. Need to process this even if we
+ // don't have any policies.
ext_pcons = X509_get_ext_d2i(x, NID_policy_constraints, &i, NULL);
if (!ext_pcons) {
@@ -170,15 +164,13 @@
}
}
- /* Process CertificatePolicies */
+ // Process CertificatePolicies
ext_cpols = X509_get_ext_d2i(x, NID_certificate_policies, &i, NULL);
- /*
- * If no CertificatePolicies extension or problem decoding then there is
- * no point continuing because the valid policies will be NULL.
- */
+ // If no CertificatePolicies extension or problem decoding then there is
+ // no point continuing because the valid policies will be NULL.
if (!ext_cpols) {
- /* If not absent some problem with extension */
+ // If not absent some problem with extension
if (i != -1) {
goto bad_cache;
}
@@ -187,7 +179,7 @@
i = policy_cache_create(x, ext_cpols, i);
- /* NB: ext_cpols freed by policy_cache_set_policies */
+ // NB: ext_cpols freed by policy_cache_set_policies
if (i <= 0) {
return i;
@@ -196,7 +188,7 @@
ext_pmaps = X509_get_ext_d2i(x, NID_policy_mappings, &i, NULL);
if (!ext_pmaps) {
- /* If not absent some problem with extension */
+ // If not absent some problem with extension
if (i != -1) {
goto bad_cache;
}
@@ -246,11 +238,9 @@
OPENSSL_free(cache);
}
-/*
- * g_x509_policy_cache_lock is used to protect against concurrent calls to
- * |policy_cache_new|. Ideally this would be done with a |CRYPTO_once_t| in
- * the |X509| structure, but |CRYPTO_once_t| isn't public.
- */
+// g_x509_policy_cache_lock is used to protect against concurrent calls to
+// |policy_cache_new|. Ideally this would be done with a |CRYPTO_once_t| in
+// the |X509| structure, but |CRYPTO_once_t| isn't public.
static struct CRYPTO_STATIC_MUTEX g_x509_policy_cache_lock =
CRYPTO_STATIC_MUTEX_INIT;
diff --git a/crypto/x509v3/pcy_data.c b/crypto/x509v3/pcy_data.c
index e2df5b2..28a572f 100644
--- a/crypto/x509v3/pcy_data.c
+++ b/crypto/x509v3/pcy_data.c
@@ -64,11 +64,11 @@
#include "internal.h"
-/* Policy Node routines */
+// Policy Node routines
void policy_data_free(X509_POLICY_DATA *data) {
ASN1_OBJECT_free(data->valid_policy);
- /* Don't free qualifiers if shared */
+ // Don't free qualifiers if shared
if (!(data->flags & POLICY_DATA_FLAG_SHARED_QUALIFIERS)) {
sk_POLICYQUALINFO_pop_free(data->qualifier_set, POLICYQUALINFO_free);
}
@@ -76,13 +76,11 @@
OPENSSL_free(data);
}
-/*
- * Create a data based on an existing policy. If 'id' is NULL use the oid in
- * the policy, otherwise use 'id'. This behaviour covers the two types of
- * data in RFC 3280: data with from a CertificatePolcies extension and
- * additional data with just the qualifiers of anyPolicy and ID from another
- * source.
- */
+// Create a data based on an existing policy. If 'id' is NULL use the oid in
+// the policy, otherwise use 'id'. This behaviour covers the two types of
+// data in RFC 3280: data with from a CertificatePolcies extension and
+// additional data with just the qualifiers of anyPolicy and ID from another
+// source.
X509_POLICY_DATA *policy_data_new(POLICYINFO *policy, const ASN1_OBJECT *cid,
int crit) {
diff --git a/crypto/x509v3/pcy_lib.c b/crypto/x509v3/pcy_lib.c
index 3775d35..9a629a3 100644
--- a/crypto/x509v3/pcy_lib.c
+++ b/crypto/x509v3/pcy_lib.c
@@ -60,9 +60,9 @@
#include "internal.h"
-/* accessor functions */
+// accessor functions
-/* X509_POLICY_TREE stuff */
+// X509_POLICY_TREE stuff
int X509_policy_tree_level_count(const X509_POLICY_TREE *tree) {
if (!tree) {
@@ -99,7 +99,7 @@
}
}
-/* X509_POLICY_LEVEL stuff */
+// X509_POLICY_LEVEL stuff
int X509_policy_level_node_count(X509_POLICY_LEVEL *level) {
int n;
@@ -130,7 +130,7 @@
return sk_X509_POLICY_NODE_value(level->nodes, i);
}
-/* X509_POLICY_NODE stuff */
+// X509_POLICY_NODE stuff
const ASN1_OBJECT *X509_policy_node_get0_policy(const X509_POLICY_NODE *node) {
if (!node) {
diff --git a/crypto/x509v3/pcy_map.c b/crypto/x509v3/pcy_map.c
index efc3ecd..e4fa9a1 100644
--- a/crypto/x509v3/pcy_map.c
+++ b/crypto/x509v3/pcy_map.c
@@ -64,10 +64,8 @@
#include "../x509/internal.h"
#include "internal.h"
-/*
- * Set policy mapping entries in cache. Note: this modifies the passed
- * POLICY_MAPPINGS structure
- */
+// Set policy mapping entries in cache. Note: this modifies the passed
+// POLICY_MAPPINGS structure
int policy_cache_set_mapping(X509 *x, POLICY_MAPPINGS *maps) {
POLICY_MAPPING *map;
@@ -81,21 +79,21 @@
}
for (i = 0; i < sk_POLICY_MAPPING_num(maps); i++) {
map = sk_POLICY_MAPPING_value(maps, i);
- /* Reject if map to or from anyPolicy */
+ // Reject if map to or from anyPolicy
if ((OBJ_obj2nid(map->subjectDomainPolicy) == NID_any_policy) ||
(OBJ_obj2nid(map->issuerDomainPolicy) == NID_any_policy)) {
ret = -1;
goto bad_mapping;
}
- /* Attempt to find matching policy data */
+ // Attempt to find matching policy data
data = policy_cache_find_data(cache, map->issuerDomainPolicy);
- /* If we don't have anyPolicy can't map */
+ // If we don't have anyPolicy can't map
if (!data && !cache->anyPolicy) {
continue;
}
- /* Create a NODE from anyPolicy */
+ // Create a NODE from anyPolicy
if (!data) {
data =
policy_data_new(NULL, map->issuerDomainPolicy,
@@ -104,9 +102,7 @@
goto bad_mapping;
}
data->qualifier_set = cache->anyPolicy->qualifier_set;
- /*
- * map->issuerDomainPolicy = NULL;
- */
+ // map->issuerDomainPolicy = NULL;
data->flags |= POLICY_DATA_FLAG_MAPPED_ANY;
data->flags |= POLICY_DATA_FLAG_SHARED_QUALIFIERS;
if (!sk_X509_POLICY_DATA_push(cache->data, data)) {
diff --git a/crypto/x509v3/pcy_node.c b/crypto/x509v3/pcy_node.c
index 330194f..71847f3 100644
--- a/crypto/x509v3/pcy_node.c
+++ b/crypto/x509v3/pcy_node.c
@@ -160,10 +160,8 @@
void policy_node_free(X509_POLICY_NODE *node) { OPENSSL_free(node); }
-/*
- * See if a policy node matches a policy OID. If mapping enabled look through
- * expected policy set otherwise just valid policy.
- */
+// See if a policy node matches a policy OID. If mapping enabled look through
+// expected policy set otherwise just valid policy.
int policy_node_match(const X509_POLICY_LEVEL *lvl,
const X509_POLICY_NODE *node, const ASN1_OBJECT *oid) {
diff --git a/crypto/x509v3/pcy_tree.c b/crypto/x509v3/pcy_tree.c
index db7704e..10dad05 100644
--- a/crypto/x509v3/pcy_tree.c
+++ b/crypto/x509v3/pcy_tree.c
@@ -69,14 +69,10 @@
#include "../x509/internal.h"
#include "internal.h"
-/*
- * Enable this to print out the complete policy tree at various point during
- * evaluation.
- */
+// Enable this to print out the complete policy tree at various point during
+// evaluation.
-/*
- * #define OPENSSL_POLICY_DEBUG
- */
+// #define OPENSSL_POLICY_DEBUG
#ifdef OPENSSL_POLICY_DEBUG
@@ -133,19 +129,18 @@
}
#else
-#define tree_print(a, b, c) /* */
+#define tree_print(a, b, c) //
#endif
-/*-
- * Initialize policy tree. Return values:
- * 0 Some internal error occurred.
- * -1 Inconsistent or invalid extensions in certificates.
- * 1 Tree initialized OK.
- * 2 Policy tree is empty.
- * 5 Tree OK and requireExplicitPolicy true.
- * 6 Tree empty and requireExplicitPolicy true.
- */
+//-
+// Initialize policy tree. Return values:
+// 0 Some internal error occurred.
+// -1 Inconsistent or invalid extensions in certificates.
+// 1 Tree initialized OK.
+// 2 Policy tree is empty.
+// 5 Tree OK and requireExplicitPolicy true.
+// 6 Tree empty and requireExplicitPolicy true.
static int tree_init(X509_POLICY_TREE **ptree, STACK_OF(X509) *certs,
unsigned int flags) {
@@ -163,7 +158,7 @@
n = sk_X509_num(certs);
#if 0
- /* Disable policy mapping for now... */
+ // Disable policy mapping for now...
flags |= X509_V_FLAG_INHIBIT_MAP;
#endif
@@ -185,33 +180,27 @@
map_skip = n + 1;
}
- /* Can't do anything with just a trust anchor */
+ // Can't do anything with just a trust anchor
if (n == 1) {
return 1;
}
- /*
- * First setup policy cache in all certificates apart from the trust
- * anchor. Note any bad cache results on the way. Also can calculate
- * explicit_policy value at this point.
- */
+ // First setup policy cache in all certificates apart from the trust
+ // anchor. Note any bad cache results on the way. Also can calculate
+ // explicit_policy value at this point.
for (i = n - 2; i >= 0; i--) {
x = sk_X509_value(certs, i);
X509_check_purpose(x, -1, -1);
cache = policy_cache_set(x);
- /* If cache NULL something bad happened: return immediately */
+ // If cache NULL something bad happened: return immediately
if (cache == NULL) {
return 0;
}
- /*
- * If inconsistent extensions keep a note of it but continue
- */
+ // If inconsistent extensions keep a note of it but continue
if (x->ex_flags & EXFLAG_INVALID_POLICY) {
ret = -1;
}
- /*
- * Otherwise if we have no data (hence no CertificatePolicies) and
- * haven't already set an inconsistent code note it.
- */
+ // Otherwise if we have no data (hence no CertificatePolicies) and
+ // haven't already set an inconsistent code note it.
else if ((ret == 1) && !cache->data) {
ret = 2;
}
@@ -233,7 +222,7 @@
return ret;
}
- /* If we get this far initialize the tree */
+ // If we get this far initialize the tree
tree = OPENSSL_malloc(sizeof(X509_POLICY_TREE));
@@ -259,7 +248,7 @@
level = tree->levels;
- /* Root data: initialize to anyPolicy */
+ // Root data: initialize to anyPolicy
data = policy_data_new(NULL, OBJ_nid2obj(NID_any_policy), 0);
@@ -278,12 +267,10 @@
level->flags |= X509_V_FLAG_INHIBIT_ANY;
}
- /* Determine inhibit any and inhibit map flags */
+ // Determine inhibit any and inhibit map flags
if (any_skip == 0) {
- /*
- * Any matching allowed if certificate is self issued and not the
- * last in the chain.
- */
+ // Any matching allowed if certificate is self issued and not the
+ // last in the chain.
if (!(x->ex_flags & EXFLAG_SI) || (i == 0)) {
level->flags |= X509_V_FLAG_INHIBIT_ANY;
}
@@ -329,7 +316,7 @@
X509_POLICY_NODE *node;
int matched = 0;
size_t i;
- /* Iterate through all in nodes linking matches */
+ // Iterate through all in nodes linking matches
for (i = 0; i < sk_X509_POLICY_NODE_num(last->nodes); i++) {
node = sk_X509_POLICY_NODE_value(last->nodes, i);
if (policy_node_match(last, node, data->valid_policy)) {
@@ -347,10 +334,8 @@
return 1;
}
-/*
- * This corresponds to RFC 3280 6.1.3(d)(1): link any data from
- * CertificatePolicies onto matching parent or anyPolicy if no match.
- */
+// This corresponds to RFC 3280 6.1.3(d)(1): link any data from
+// CertificatePolicies onto matching parent or anyPolicy if no match.
static int tree_link_nodes(X509_POLICY_LEVEL *curr,
const X509_POLICY_CACHE *cache) {
@@ -359,20 +344,18 @@
for (i = 0; i < sk_X509_POLICY_DATA_num(cache->data); i++) {
data = sk_X509_POLICY_DATA_value(cache->data, i);
- /*
- * If a node is mapped any it doesn't have a corresponding
- * CertificatePolicies entry. However such an identical node would
- * be created if anyPolicy matching is enabled because there would be
- * no match with the parent valid_policy_set. So we create link
- * because then it will have the mapping flags right and we can prune
- * it later.
- */
+ // If a node is mapped any it doesn't have a corresponding
+ // CertificatePolicies entry. However such an identical node would
+ // be created if anyPolicy matching is enabled because there would be
+ // no match with the parent valid_policy_set. So we create link
+ // because then it will have the mapping flags right and we can prune
+ // it later.
#if 0
if ((data->flags & POLICY_DATA_FLAG_MAPPED_ANY)
&& !(curr->flags & X509_V_FLAG_INHIBIT_ANY))
continue;
#endif
- /* Look for matching nodes in previous level */
+ // Look for matching nodes in previous level
if (!tree_link_matching_nodes(curr, data)) {
return 0;
}
@@ -380,10 +363,8 @@
return 1;
}
-/*
- * This corresponds to RFC 3280 6.1.3(d)(2): Create new data for any unmatched
- * policies in the parent and link to anyPolicy.
- */
+// This corresponds to RFC 3280 6.1.3(d)(2): Create new data for any unmatched
+// policies in the parent and link to anyPolicy.
static int tree_add_unmatched(X509_POLICY_LEVEL *curr,
const X509_POLICY_CACHE *cache,
@@ -393,16 +374,14 @@
if (id == NULL) {
id = node->data->valid_policy;
}
- /*
- * Create a new node with qualifiers from anyPolicy and id from unmatched
- * node.
- */
+ // Create a new node with qualifiers from anyPolicy and id from unmatched
+ // node.
data = policy_data_new(NULL, id, node_critical(node));
if (data == NULL) {
return 0;
}
- /* Curr may not have anyPolicy */
+ // Curr may not have anyPolicy
data->qualifier_set = cache->anyPolicy->qualifier_set;
data->flags |= POLICY_DATA_FLAG_SHARED_QUALIFIERS;
if (!level_add_node(curr, data, node, tree)) {
@@ -421,21 +400,21 @@
if ((last->flags & X509_V_FLAG_INHIBIT_MAP) ||
!(node->data->flags & POLICY_DATA_FLAG_MAPPED)) {
- /* If no policy mapping: matched if one child present */
+ // If no policy mapping: matched if one child present
if (node->nchild) {
return 1;
}
if (!tree_add_unmatched(curr, cache, NULL, node, tree)) {
return 0;
}
- /* Add it */
+ // Add it
} else {
- /* If mapping: matched if one child per expected policy set */
+ // If mapping: matched if one child per expected policy set
STACK_OF(ASN1_OBJECT) *expset = node->data->expected_policy_set;
if ((size_t)node->nchild == sk_ASN1_OBJECT_num(expset)) {
return 1;
}
- /* Locate unmatched nodes */
+ // Locate unmatched nodes
for (i = 0; i < sk_ASN1_OBJECT_num(expset); i++) {
ASN1_OBJECT *oid = sk_ASN1_OBJECT_value(expset, i);
if (level_find_node(curr, node, oid)) {
@@ -454,9 +433,7 @@
const X509_POLICY_CACHE *cache,
X509_POLICY_TREE *tree) {
size_t i;
- /*
- * X509_POLICY_DATA *data;
- */
+ // X509_POLICY_DATA *data;
X509_POLICY_NODE *node;
X509_POLICY_LEVEL *last = curr - 1;
@@ -469,24 +446,20 @@
#if 0
- /*
- * Skip any node with any children: we only want unmathced nodes.
- * Note: need something better for policy mapping because each node
- * may have multiple children
- */
+ // Skip any node with any children: we only want unmathced nodes.
+ // Note: need something better for policy mapping because each node
+ // may have multiple children
if (node->nchild)
continue;
- /*
- * Create a new node with qualifiers from anyPolicy and id from
- * unmatched node.
- */
+ // Create a new node with qualifiers from anyPolicy and id from
+ // unmatched node.
data = policy_data_new(NULL, node->data->valid_policy,
node_critical(node));
if (data == NULL)
return 0;
- /* Curr may not have anyPolicy */
+ // Curr may not have anyPolicy
data->qualifier_set = cache->anyPolicy->qualifier_set;
data->flags |= POLICY_DATA_FLAG_SHARED_QUALIFIERS;
if (!level_add_node(curr, data, node, tree)) {
@@ -495,7 +468,7 @@
}
#endif
}
- /* Finally add link to anyPolicy */
+ // Finally add link to anyPolicy
if (last->anyPolicy) {
if (!level_add_node(curr, cache->anyPolicy, last->anyPolicy, NULL)) {
return 0;
@@ -504,11 +477,9 @@
return 1;
}
-/*
- * Prune the tree: delete any child mapped child data on the current level
- * then proceed up the tree deleting any data with no children. If we ever
- * have no data on a level we can halt because the tree will be empty.
- */
+// Prune the tree: delete any child mapped child data on the current level
+// then proceed up the tree deleting any data with no children. If we ever
+// have no data on a level we can halt because the tree will be empty.
static int tree_prune(X509_POLICY_TREE *tree, X509_POLICY_LEVEL *curr) {
STACK_OF(X509_POLICY_NODE) *nodes;
@@ -518,7 +489,7 @@
if (curr->flags & X509_V_FLAG_INHIBIT_MAP) {
for (i = sk_X509_POLICY_NODE_num(nodes) - 1; i >= 0; i--) {
node = sk_X509_POLICY_NODE_value(nodes, i);
- /* Delete any mapped data: see RFC 3280 XXXX */
+ // Delete any mapped data: see RFC 3280 XXXX
if (node->data->flags & POLICY_DATA_FLAG_MAP_MASK) {
node->parent->nchild--;
OPENSSL_free(node);
@@ -546,7 +517,7 @@
curr->anyPolicy = NULL;
}
if (curr == tree->levels) {
- /* If we zapped anyPolicy at top then tree is empty */
+ // If we zapped anyPolicy at top then tree is empty
if (!curr->anyPolicy) {
return 2;
}
@@ -575,14 +546,12 @@
return 1;
}
-/*
- * Calculate the authority set based on policy tree. The 'pnodes' parameter
- * is used as a store for the set of policy nodes used to calculate the user
- * set. If the authority set is not anyPolicy then pnodes will just point to
- * the authority set. If however the authority set is anyPolicy then the set
- * of valid policies (other than anyPolicy) is store in pnodes. The return
- * value of '2' is used in this case to indicate that pnodes should be freed.
- */
+// Calculate the authority set based on policy tree. The 'pnodes' parameter
+// is used as a store for the set of policy nodes used to calculate the user
+// set. If the authority set is not anyPolicy then pnodes will just point to
+// the authority set. If however the authority set is anyPolicy then the set
+// of valid policies (other than anyPolicy) is store in pnodes. The return
+// value of '2' is used in this case to indicate that pnodes should be freed.
static int tree_calculate_authority_set(X509_POLICY_TREE *tree,
STACK_OF(X509_POLICY_NODE) **pnodes) {
@@ -593,23 +562,21 @@
size_t j;
curr = tree->levels + tree->nlevel - 1;
- /* If last level contains anyPolicy set is anyPolicy */
+ // If last level contains anyPolicy set is anyPolicy
if (curr->anyPolicy) {
if (!tree_add_auth_node(&tree->auth_policies, curr->anyPolicy)) {
return 0;
}
addnodes = pnodes;
} else {
- /* Add policies to authority set */
+ // Add policies to authority set
addnodes = &tree->auth_policies;
}
curr = tree->levels;
for (i = 1; i < tree->nlevel; i++) {
- /*
- * If no anyPolicy node on this this level it can't appear on lower
- * levels so end search.
- */
+ // If no anyPolicy node on this this level it can't appear on lower
+ // levels so end search.
if (!(anyptr = curr->anyPolicy)) {
break;
}
@@ -641,10 +608,8 @@
X509_POLICY_NODE *anyPolicy;
X509_POLICY_DATA *extra;
- /*
- * Check if anyPolicy present in authority constrained policy set: this
- * will happen if it is a leaf node.
- */
+ // Check if anyPolicy present in authority constrained policy set: this
+ // will happen if it is a leaf node.
if (sk_ASN1_OBJECT_num(policy_oids) <= 0) {
return 1;
@@ -667,10 +632,8 @@
if (!anyPolicy) {
continue;
}
- /*
- * Create a new node with policy ID from user set and qualifiers
- * from anyPolicy.
- */
+ // Create a new node with policy ID from user set and qualifiers
+ // from anyPolicy.
extra = policy_data_new(NULL, oid, node_critical(anyPolicy));
if (!extra) {
return 0;
@@ -755,14 +718,13 @@
OPENSSL_free(tree);
}
-/*-
- * Application policy checking function.
- * Return codes:
- * 0 Internal Error.
- * 1 Successful.
- * -1 One or more certificates contain invalid or inconsistent extensions
- * -2 User constrained policy set empty and requireExplicit true.
- */
+//-
+// Application policy checking function.
+// Return codes:
+// 0 Internal Error.
+// 1 Successful.
+// -1 One or more certificates contain invalid or inconsistent extensions
+// -2 User constrained policy set empty and requireExplicit true.
int X509_policy_check(X509_POLICY_TREE **ptree, int *pexplicit_policy,
STACK_OF(X509) *certs, STACK_OF(ASN1_OBJECT) *policy_oids,
@@ -777,41 +739,39 @@
ret = tree_init(&tree, certs, flags);
switch (ret) {
- /* Tree empty requireExplicit False: OK */
+ // Tree empty requireExplicit False: OK
case 2:
return 1;
- /* Some internal error */
+ // Some internal error
case -1:
return -1;
- /* Some internal error */
+ // Some internal error
case 0:
return 0;
- /* Tree empty requireExplicit True: Error */
+ // Tree empty requireExplicit True: Error
case 6:
*pexplicit_policy = 1;
return -2;
- /* Tree OK requireExplicit True: OK and continue */
+ // Tree OK requireExplicit True: OK and continue
case 5:
*pexplicit_policy = 1;
break;
- /* Tree OK: continue */
+ // Tree OK: continue
case 1:
if (!tree) {
- /*
- * tree_init() returns success and a null tree
- * if it's just looking at a trust anchor.
- * I'm not sure that returning success here is
- * correct, but I'm sure that reporting this
- * as an internal error which our caller
- * interprets as a malloc failure is wrong.
- */
+ // tree_init() returns success and a null tree
+ // if it's just looking at a trust anchor.
+ // I'm not sure that returning success here is
+ // correct, but I'm sure that reporting this
+ // as an internal error which our caller
+ // interprets as a malloc failure is wrong.
return 1;
}
break;
@@ -828,7 +788,7 @@
goto error;
}
- /* Return value 2 means tree empty */
+ // Return value 2 means tree empty
if (ret == 2) {
X509_policy_tree_free(tree);
if (*pexplicit_policy) {
@@ -838,7 +798,7 @@
}
}
- /* Tree is not empty: continue */
+ // Tree is not empty: continue
calc_ret = tree_calculate_authority_set(tree, &auth_nodes);
diff --git a/crypto/x509v3/v3_akey.c b/crypto/x509v3/v3_akey.c
index e893561..343940b 100644
--- a/crypto/x509v3/v3_akey.c
+++ b/crypto/x509v3/v3_akey.c
@@ -125,13 +125,11 @@
return NULL;
}
-/*
- * Currently two options: keyid: use the issuers subject keyid, the value
- * 'always' means its is an error if the issuer certificate doesn't have a
- * key id. issuer: use the issuers cert issuer and serial number. The default
- * is to only use this if keyid is not present. With the option 'always' this
- * is always included.
- */
+// Currently two options: keyid: use the issuers subject keyid, the value
+// 'always' means its is an error if the issuer certificate doesn't have a
+// key id. issuer: use the issuers cert issuer and serial number. The default
+// is to only use this if keyid is not present. With the option 'always' this
+// is always included.
static void *v2i_AUTHORITY_KEYID(const X509V3_EXT_METHOD *method,
X509V3_CTX *ctx,
diff --git a/crypto/x509v3/v3_alt.c b/crypto/x509v3/v3_alt.c
index 3f47901..1f83d88 100644
--- a/crypto/x509v3/v3_alt.c
+++ b/crypto/x509v3/v3_alt.c
@@ -117,9 +117,9 @@
STACK_OF(CONF_VALUE) *i2v_GENERAL_NAME(const X509V3_EXT_METHOD *method,
GENERAL_NAME *gen,
STACK_OF(CONF_VALUE) *ret) {
- /* Note the error-handling for this function relies on there being at most
- * one |X509V3_add_value| call. If there were two and the second failed, we
- * would need to sometimes free the first call's result. */
+ // Note the error-handling for this function relies on there being at most
+ // one |X509V3_add_value| call. If there were two and the second failed, we
+ // would need to sometimes free the first call's result.
unsigned char *p;
char oline[256], htmp[5];
int i;
@@ -217,7 +217,7 @@
break;
case GEN_EDIPARTY:
- /* Maybe fix this: it is supported now */
+ // Maybe fix this: it is supported now
BIO_printf(out, "EdiPartyName:<unsupported>");
break;
@@ -297,7 +297,7 @@
return NULL;
}
-/* Append subject altname of issuer to issuer alt name of subject */
+// Append subject altname of issuer to issuer alt name of subject
static int copy_issuer(X509V3_CTX *ctx, GENERAL_NAMES *gens) {
if (ctx && (ctx->flags == CTX_TEST)) {
@@ -327,7 +327,7 @@
OPENSSL_PUT_ERROR(X509V3, ERR_R_MALLOC_FAILURE);
goto err;
}
- /* Ownership of |gen| has moved from |ialt| to |gens|. */
+ // Ownership of |gen| has moved from |ialt| to |gens|.
sk_GENERAL_NAME_set(ialt, j, NULL);
}
@@ -373,9 +373,7 @@
return NULL;
}
-/*
- * Copy any email addresses in a certificate or request to GENERAL_NAMES
- */
+// Copy any email addresses in a certificate or request to GENERAL_NAMES
static int copy_email(X509V3_CTX *ctx, GENERAL_NAMES *gens, int move_p) {
X509_NAME *nm;
@@ -390,14 +388,14 @@
OPENSSL_PUT_ERROR(X509V3, X509V3_R_NO_SUBJECT_DETAILS);
goto err;
}
- /* Find the subject name */
+ // Find the subject name
if (ctx->subject_cert) {
nm = X509_get_subject_name(ctx->subject_cert);
} else {
nm = X509_REQ_get_subject_name(ctx->subject_req);
}
- /* Now add any email address(es) to STACK */
+ // Now add any email address(es) to STACK
i = -1;
while ((i = X509_NAME_get_index_by_NID(nm, NID_pkcs9_emailAddress, i)) >= 0) {
ne = X509_NAME_get_entry(nm, i);
@@ -593,10 +591,8 @@
if (!(gen->d.otherName = OTHERNAME_new())) {
return 0;
}
- /*
- * Free this up because we will overwrite it. no need to free type_id
- * because it is static
- */
+ // Free this up because we will overwrite it. no need to free type_id
+ // because it is static
ASN1_TYPE_free(gen->d.otherName->value);
if (!(gen->d.otherName->value = ASN1_generate_v3(p + 1, ctx))) {
return 0;
@@ -628,7 +624,7 @@
ERR_add_error_data(2, "section=", value);
goto err;
}
- /* FIXME: should allow other character types... */
+ // FIXME: should allow other character types...
if (!X509V3_NAME_from_section(nm, sk, MBSTRING_ASC)) {
goto err;
}
diff --git a/crypto/x509v3/v3_conf.c b/crypto/x509v3/v3_conf.c
index 1c10158..7140edd 100644
--- a/crypto/x509v3/v3_conf.c
+++ b/crypto/x509v3/v3_conf.c
@@ -55,7 +55,7 @@
* (eay@cryptsoft.com). This product includes software written by Tim
* Hudson (tjh@cryptsoft.com). */
-/* extension creation utilities */
+// extension creation utilities
#include <ctype.h>
#include <stdio.h>
@@ -83,9 +83,9 @@
int crit, void *ext_struc);
static unsigned char *generic_asn1(const char *value, X509V3_CTX *ctx,
long *ext_len);
-/* CONF *conf: Config file */
-/* char *name: Name */
-/* char *value: Value */
+// CONF *conf: Config file
+// char *name: Name
+// char *value: Value
X509_EXTENSION *X509V3_EXT_nconf(CONF *conf, X509V3_CTX *ctx, const char *name,
const char *value) {
int crit;
@@ -103,8 +103,8 @@
return ret;
}
-/* CONF *conf: Config file */
-/* char *value: Value */
+// CONF *conf: Config file
+// char *value: Value
X509_EXTENSION *X509V3_EXT_nconf_nid(CONF *conf, X509V3_CTX *ctx, int ext_nid,
const char *value) {
int crit;
@@ -117,8 +117,8 @@
return do_ext_nconf(conf, ctx, ext_nid, crit, value);
}
-/* CONF *conf: Config file */
-/* char *value: Value */
+// CONF *conf: Config file
+// char *value: Value
static X509_EXTENSION *do_ext_nconf(CONF *conf, X509V3_CTX *ctx, int ext_nid,
int crit, const char *value) {
const X509V3_EXT_METHOD *method;
@@ -133,7 +133,7 @@
OPENSSL_PUT_ERROR(X509V3, X509V3_R_UNKNOWN_EXTENSION);
return NULL;
}
- /* Now get internal extension representation based on type */
+ // Now get internal extension representation based on type
if (method->v2i) {
if (*value == '@') {
nval = NCONF_get_section(conf, value + 1);
@@ -188,7 +188,7 @@
int ext_len;
ASN1_OCTET_STRING *ext_oct;
X509_EXTENSION *ext;
- /* Convert internal representation to DER */
+ // Convert internal representation to DER
if (method->it) {
ext_der = NULL;
ext_len = ASN1_item_i2d(ext_struc, &ext_der, ASN1_ITEM_ptr(method->it));
@@ -223,7 +223,7 @@
return NULL;
}
-/* Given an internal structure, nid and critical flag create an extension */
+// Given an internal structure, nid and critical flag create an extension
X509_EXTENSION *X509V3_EXT_i2d(int ext_nid, int crit, void *ext_struc) {
const X509V3_EXT_METHOD *method;
@@ -234,7 +234,7 @@
return do_ext_i2d(method, ext_nid, crit, ext_struc);
}
-/* Check the extension string for critical flag */
+// Check the extension string for critical flag
static int v3_check_critical(const char **value) {
const char *p = *value;
if ((strlen(p) < 9) || strncmp(p, "critical,", 9)) {
@@ -248,7 +248,7 @@
return 1;
}
-/* Check extension string for generic extension and return the type */
+// Check extension string for generic extension and return the type
static int v3_check_generic(const char **value) {
int gen_type = 0;
const char *p = *value;
@@ -269,7 +269,7 @@
return gen_type;
}
-/* Create a generic extension: for now just handle DER type */
+// Create a generic extension: for now just handle DER type
static X509_EXTENSION *v3_generic_extension(const char *ext, const char *value,
int crit, int gen_type,
X509V3_CTX *ctx) {
@@ -329,10 +329,8 @@
return ext_der;
}
-/*
- * This is the main function: add a bunch of extensions based on a config
- * file section to an extension STACK.
- */
+// This is the main function: add a bunch of extensions based on a config
+// file section to an extension STACK.
int X509V3_EXT_add_nconf_sk(CONF *conf, X509V3_CTX *ctx, const char *section,
STACK_OF(X509_EXTENSION) **sk) {
@@ -356,9 +354,7 @@
return 1;
}
-/*
- * Convenience functions to add extensions to a certificate, CRL and request
- */
+// Convenience functions to add extensions to a certificate, CRL and request
int X509V3_EXT_add_nconf(CONF *conf, X509V3_CTX *ctx, const char *section,
X509 *cert) {
@@ -369,7 +365,7 @@
return X509V3_EXT_add_nconf_sk(conf, ctx, section, sk);
}
-/* Same as above but for a CRL */
+// Same as above but for a CRL
int X509V3_EXT_CRL_add_nconf(CONF *conf, X509V3_CTX *ctx, const char *section,
X509_CRL *crl) {
@@ -380,7 +376,7 @@
return X509V3_EXT_add_nconf_sk(conf, ctx, section, sk);
}
-/* Add extensions to certificate request */
+// Add extensions to certificate request
int X509V3_EXT_REQ_add_nconf(CONF *conf, X509V3_CTX *ctx, const char *section,
X509_REQ *req) {
@@ -398,7 +394,7 @@
return i;
}
-/* Config database functions */
+// Config database functions
char *X509V3_get_string(X509V3_CTX *ctx, const char *name,
const char *section) {
@@ -443,11 +439,11 @@
static char *nconf_get_string(void *db, const char *section,
const char *value) {
- /* TODO(fork): This returns a non-const pointer because |X509V3_CONF_METHOD|
- * allows |get_string| to return caller-owned pointers, provided they're
- * freed by |free_string|. |nconf_method| leaves |free_string| NULL, and
- * there are no other implementations of |X509V3_CONF_METHOD|, so this can
- * be simplified if we make it private. */
+ // TODO(fork): This returns a non-const pointer because |X509V3_CONF_METHOD|
+ // allows |get_string| to return caller-owned pointers, provided they're
+ // freed by |free_string|. |nconf_method| leaves |free_string| NULL, and
+ // there are no other implementations of |X509V3_CONF_METHOD|, so this can
+ // be simplified if we make it private.
return (char *)NCONF_get_string(db, section, value);
}
diff --git a/crypto/x509v3/v3_cpols.c b/crypto/x509v3/v3_cpols.c
index d2a6747..5b6841e 100644
--- a/crypto/x509v3/v3_cpols.c
+++ b/crypto/x509v3/v3_cpols.c
@@ -71,7 +71,7 @@
#include "internal.h"
-/* Certificate policies extension support: this one is a bit complex... */
+// Certificate policies extension support: this one is a bit complex...
static int i2r_certpol(const X509V3_EXT_METHOD *method, void *ext, BIO *out,
int indent);
@@ -432,7 +432,7 @@
static int i2r_certpol(const X509V3_EXT_METHOD *method, void *ext, BIO *out,
int indent) {
const STACK_OF(POLICYINFO) *pol = ext;
- /* First print out the policy OIDs */
+ // First print out the policy OIDs
for (size_t i = 0; i < sk_POLICYINFO_num(pol); i++) {
const POLICYINFO *pinfo = sk_POLICYINFO_value(pol, i);
BIO_printf(out, "%*sPolicy: ", indent, "");
diff --git a/crypto/x509v3/v3_crld.c b/crypto/x509v3/v3_crld.c
index a7b9ff3..f1cab70 100644
--- a/crypto/x509v3/v3_crld.c
+++ b/crypto/x509v3/v3_crld.c
@@ -161,9 +161,7 @@
if (!ret || sk_X509_NAME_ENTRY_num(rnm) <= 0) {
goto err;
}
- /*
- * Since its a name fragment can't have more than one RDNSequence
- */
+ // Since its a name fragment can't have more than one RDNSequence
if (sk_X509_NAME_ENTRY_value(rnm, sk_X509_NAME_ENTRY_num(rnm) - 1)->set) {
OPENSSL_PUT_ERROR(X509V3, X509V3_R_INVALID_MULTIPLE_RDNS);
goto err;
@@ -609,7 +607,7 @@
return 0;
}
}
- /* generate cached encoding of name */
+ // generate cached encoding of name
if (i2d_X509_NAME(dpn->dpname, NULL) < 0) {
X509_NAME_free(dpn->dpname);
dpn->dpname = NULL;
diff --git a/crypto/x509v3/v3_extku.c b/crypto/x509v3/v3_extku.c
index 9d43b0f..7eb7cc8 100644
--- a/crypto/x509v3/v3_extku.c
+++ b/crypto/x509v3/v3_extku.c
@@ -86,7 +86,7 @@
NULL,
};
-/* NB OCSP acceptable responses also is a SEQUENCE OF OBJECT */
+// NB OCSP acceptable responses also is a SEQUENCE OF OBJECT
const X509V3_EXT_METHOD v3_ocsp_accresp = {
NID_id_pkix_OCSP_acceptableResponses,
0,
diff --git a/crypto/x509v3/v3_genn.c b/crypto/x509v3/v3_genn.c
index 4b37fc9..bd1aac1 100644
--- a/crypto/x509v3/v3_genn.c
+++ b/crypto/x509v3/v3_genn.c
@@ -65,14 +65,14 @@
ASN1_SEQUENCE(OTHERNAME) = {
ASN1_SIMPLE(OTHERNAME, type_id, ASN1_OBJECT),
- /* Maybe have a true ANY DEFINED BY later */
+ // Maybe have a true ANY DEFINED BY later
ASN1_EXP(OTHERNAME, value, ASN1_ANY, 0),
} ASN1_SEQUENCE_END(OTHERNAME)
IMPLEMENT_ASN1_FUNCTIONS(OTHERNAME)
ASN1_SEQUENCE(EDIPARTYNAME) = {
- /* DirectoryString is a CHOICE type, so use explicit tagging. */
+ // DirectoryString is a CHOICE type, so use explicit tagging.
ASN1_EXP_OPT(EDIPARTYNAME, nameAssigner, DIRECTORYSTRING, 0),
ASN1_EXP(EDIPARTYNAME, partyName, DIRECTORYSTRING, 1),
} ASN1_SEQUENCE_END(EDIPARTYNAME)
@@ -83,9 +83,9 @@
ASN1_IMP(GENERAL_NAME, d.otherName, OTHERNAME, GEN_OTHERNAME),
ASN1_IMP(GENERAL_NAME, d.rfc822Name, ASN1_IA5STRING, GEN_EMAIL),
ASN1_IMP(GENERAL_NAME, d.dNSName, ASN1_IA5STRING, GEN_DNS),
- /* Don't decode this */
+ // Don't decode this
ASN1_IMP(GENERAL_NAME, d.x400Address, ASN1_SEQUENCE, GEN_X400),
- /* X509_NAME is a CHOICE type so use EXPLICIT */
+ // X509_NAME is a CHOICE type so use EXPLICIT
ASN1_EXP(GENERAL_NAME, d.directoryName, X509_NAME, GEN_DIRNAME),
ASN1_IMP(GENERAL_NAME, d.ediPartyName, EDIPARTYNAME, GEN_EDIPARTY),
ASN1_IMP(GENERAL_NAME, d.uniformResourceIdentifier, ASN1_IA5STRING,
@@ -106,7 +106,7 @@
IMPLEMENT_ASN1_DUP_FUNCTION(GENERAL_NAME)
static int edipartyname_cmp(const EDIPARTYNAME *a, const EDIPARTYNAME *b) {
- /* nameAssigner is optional and may be NULL. */
+ // nameAssigner is optional and may be NULL.
if (a->nameAssigner == NULL) {
if (b->nameAssigner != NULL) {
return -1;
@@ -118,11 +118,11 @@
}
}
- /* partyName may not be NULL. */
+ // partyName may not be NULL.
return ASN1_STRING_cmp(a->partyName, b->partyName);
}
-/* Returns 0 if they are equal, != 0 otherwise. */
+// Returns 0 if they are equal, != 0 otherwise.
int GENERAL_NAME_cmp(const GENERAL_NAME *a, const GENERAL_NAME *b) {
if (!a || !b || a->type != b->type) {
return -1;
@@ -156,18 +156,18 @@
return -1;
}
-/* Returns 0 if they are equal, != 0 otherwise. */
+// Returns 0 if they are equal, != 0 otherwise.
int OTHERNAME_cmp(OTHERNAME *a, OTHERNAME *b) {
int result = -1;
if (!a || !b) {
return -1;
}
- /* Check their type first. */
+ // Check their type first.
if ((result = OBJ_cmp(a->type_id, b->type_id)) != 0) {
return result;
}
- /* Check the value. */
+ // Check the value.
result = ASN1_TYPE_cmp(a->value, b->value);
return result;
}
diff --git a/crypto/x509v3/v3_lib.c b/crypto/x509v3/v3_lib.c
index 9434d37..4400b8e 100644
--- a/crypto/x509v3/v3_lib.c
+++ b/crypto/x509v3/v3_lib.c
@@ -189,14 +189,12 @@
}
}
-/*
- * Legacy function: we don't need to add standard extensions any more because
- * they are now kept in ext_dat.h.
- */
+// Legacy function: we don't need to add standard extensions any more because
+// they are now kept in ext_dat.h.
int X509V3_add_standard_extensions(void) { return 1; }
-/* Return an extension internal structure */
+// Return an extension internal structure
void *X509V3_EXT_d2i(const X509_EXTENSION *ext) {
const X509V3_EXT_METHOD *method;
@@ -216,7 +214,7 @@
if (ret == NULL) {
return NULL;
}
- /* Check for trailing data. */
+ // Check for trailing data.
if (p != ext->value->data + ext->value->length) {
if (method->it) {
ASN1_item_free(ret, ASN1_ITEM_ptr(method->it));
@@ -255,13 +253,13 @@
ex = sk_X509_EXTENSION_value(extensions, i);
if (OBJ_obj2nid(ex->object) == nid) {
if (out_idx) {
- /* TODO(https://crbug.com/boringssl/379): Consistently reject
- * duplicate extensions. */
+ // TODO(https://crbug.com/boringssl/379): Consistently reject
+ // duplicate extensions.
*out_idx = i;
found_ex = ex;
break;
} else if (found_ex) {
- /* Found more than one */
+ // Found more than one
if (out_critical) {
*out_critical = -2;
}
@@ -271,14 +269,14 @@
}
}
if (found_ex) {
- /* Found it */
+ // Found it
if (out_critical) {
*out_critical = X509_EXTENSION_get_critical(found_ex);
}
return X509V3_EXT_d2i(found_ex);
}
- /* Extension not found */
+ // Extension not found
if (out_idx) {
*out_idx = -1;
}
@@ -288,11 +286,9 @@
return NULL;
}
-/*
- * This function is a general extension append, replace and delete utility.
- * The precise operation is governed by the 'flags' value. The 'crit' and
- * 'value' arguments (if relevant) are the extensions internal structure.
- */
+// This function is a general extension append, replace and delete utility.
+// The precise operation is governed by the 'flags' value. The 'crit' and
+// 'value' arguments (if relevant) are the extensions internal structure.
int X509V3_add1_i2d(STACK_OF(X509_EXTENSION) **x, int nid, void *value,
int crit, unsigned long flags) {
@@ -301,26 +297,24 @@
STACK_OF(X509_EXTENSION) *ret = NULL;
unsigned long ext_op = flags & X509V3_ADD_OP_MASK;
- /*
- * If appending we don't care if it exists, otherwise look for existing
- * extension.
- */
+ // If appending we don't care if it exists, otherwise look for existing
+ // extension.
if (ext_op != X509V3_ADD_APPEND) {
extidx = X509v3_get_ext_by_NID(*x, nid, -1);
}
- /* See if extension exists */
+ // See if extension exists
if (extidx >= 0) {
- /* If keep existing, nothing to do */
+ // If keep existing, nothing to do
if (ext_op == X509V3_ADD_KEEP_EXISTING) {
return 1;
}
- /* If default then its an error */
+ // If default then its an error
if (ext_op == X509V3_ADD_DEFAULT) {
errcode = X509V3_R_EXTENSION_EXISTS;
goto err;
}
- /* If delete, just delete it */
+ // If delete, just delete it
if (ext_op == X509V3_ADD_DELETE) {
if (!sk_X509_EXTENSION_delete(*x, extidx)) {
return -1;
@@ -328,9 +322,7 @@
return 1;
}
} else {
- /*
- * If replace existing or delete, error since extension must exist
- */
+ // If replace existing or delete, error since extension must exist
if ((ext_op == X509V3_ADD_REPLACE_EXISTING) ||
(ext_op == X509V3_ADD_DELETE)) {
errcode = X509V3_R_EXTENSION_NOT_FOUND;
@@ -338,10 +330,8 @@
}
}
- /*
- * If we get this far then we have to create an extension: could have
- * some flags for alternative encoding schemes...
- */
+ // If we get this far then we have to create an extension: could have
+ // some flags for alternative encoding schemes...
ext = X509V3_EXT_i2d(nid, crit, value);
@@ -350,7 +340,7 @@
return 0;
}
- /* If extension exists replace it.. */
+ // If extension exists replace it..
if (extidx >= 0) {
extmp = sk_X509_EXTENSION_value(*x, extidx);
X509_EXTENSION_free(extmp);
diff --git a/crypto/x509v3/v3_ncons.c b/crypto/x509v3/v3_ncons.c
index ce1c82e..55f4eed 100644
--- a/crypto/x509v3/v3_ncons.c
+++ b/crypto/x509v3/v3_ncons.c
@@ -227,19 +227,18 @@
return 1;
}
-/*-
- * Check a certificate conforms to a specified set of constraints.
- * Return values:
- * X509_V_OK: All constraints obeyed.
- * X509_V_ERR_PERMITTED_VIOLATION: Permitted subtree violation.
- * X509_V_ERR_EXCLUDED_VIOLATION: Excluded subtree violation.
- * X509_V_ERR_SUBTREE_MINMAX: Min or max values present and matching type.
- * X509_V_ERR_UNSPECIFIED: Unspecified error.
- * X509_V_ERR_UNSUPPORTED_CONSTRAINT_TYPE: Unsupported constraint type.
- * X509_V_ERR_UNSUPPORTED_CONSTRAINT_SYNTAX: Bad or unsupported constraint
- * syntax.
- * X509_V_ERR_UNSUPPORTED_NAME_SYNTAX: Bad or unsupported syntax of name.
- */
+//-
+// Check a certificate conforms to a specified set of constraints.
+// Return values:
+// X509_V_OK: All constraints obeyed.
+// X509_V_ERR_PERMITTED_VIOLATION: Permitted subtree violation.
+// X509_V_ERR_EXCLUDED_VIOLATION: Excluded subtree violation.
+// X509_V_ERR_SUBTREE_MINMAX: Min or max values present and matching type.
+// X509_V_ERR_UNSPECIFIED: Unspecified error.
+// X509_V_ERR_UNSUPPORTED_CONSTRAINT_TYPE: Unsupported constraint type.
+// X509_V_ERR_UNSUPPORTED_CONSTRAINT_SYNTAX: Bad or unsupported constraint
+// syntax.
+// X509_V_ERR_UNSUPPORTED_NAME_SYNTAX: Bad or unsupported syntax of name.
int NAME_CONSTRAINTS_check(X509 *x, NAME_CONSTRAINTS *nc) {
int r, i;
@@ -248,9 +247,9 @@
nm = X509_get_subject_name(x);
- /* Guard against certificates with an excessive number of names or
- * constraints causing a computationally expensive name constraints
- * check. */
+ // Guard against certificates with an excessive number of names or
+ // constraints causing a computationally expensive name constraints
+ // check.
size_t name_count =
X509_NAME_entry_count(nm) + sk_GENERAL_NAME_num(x->altname);
size_t constraint_count = sk_GENERAL_SUBTREE_num(nc->permittedSubtrees) +
@@ -276,7 +275,7 @@
gntmp.type = GEN_EMAIL;
- /* Process any email address attributes in subject name */
+ // Process any email address attributes in subject name
for (i = -1;;) {
X509_NAME_ENTRY *ne;
@@ -314,10 +313,8 @@
int r, match = 0;
size_t i;
- /*
- * Permitted subtrees: if any subtrees exist of matching the type at
- * least one subtree must match.
- */
+ // Permitted subtrees: if any subtrees exist of matching the type at
+ // least one subtree must match.
for (i = 0; i < sk_GENERAL_SUBTREE_num(nc->permittedSubtrees); i++) {
sub = sk_GENERAL_SUBTREE_value(nc->permittedSubtrees, i);
@@ -327,7 +324,7 @@
if (sub->minimum || sub->maximum) {
return X509_V_ERR_SUBTREE_MINMAX;
}
- /* If we already have a match don't bother trying any more */
+ // If we already have a match don't bother trying any more
if (match == 2) {
continue;
}
@@ -346,7 +343,7 @@
return X509_V_ERR_PERMITTED_VIOLATION;
}
- /* Excluded subtrees: must not match any of these */
+ // Excluded subtrees: must not match any of these
for (i = 0; i < sk_GENERAL_SUBTREE_num(nc->excludedSubtrees); i++) {
sub = sk_GENERAL_SUBTREE_value(nc->excludedSubtrees, i);
@@ -388,14 +385,12 @@
}
}
-/*
- * directoryName name constraint matching. The canonical encoding of
- * X509_NAME makes this comparison easy. It is matched if the subtree is a
- * subset of the name.
- */
+// directoryName name constraint matching. The canonical encoding of
+// X509_NAME makes this comparison easy. It is matched if the subtree is a
+// subset of the name.
static int nc_dn(X509_NAME *nm, X509_NAME *base) {
- /* Ensure canonical encodings are up to date. */
+ // Ensure canonical encodings are up to date.
if (nm->modified && i2d_X509_NAME(nm, NULL) < 0) {
return X509_V_ERR_OUT_OF_MEM;
}
@@ -419,8 +414,8 @@
if (CBS_len(a) != CBS_len(b)) {
return 0;
}
- /* Note we cannot use |OPENSSL_strncasecmp| because that would stop
- * iterating at NUL. */
+ // Note we cannot use |OPENSSL_strncasecmp| because that would stop
+ // iterating at NUL.
const uint8_t *a_data = CBS_data(a), *b_data = CBS_data(b);
for (size_t i = 0; i < CBS_len(a); i++) {
if (OPENSSL_tolower(a_data[i]) != OPENSSL_tolower(b_data[i])) {
@@ -444,13 +439,13 @@
CBS_init(&dns_cbs, dns->data, dns->length);
CBS_init(&base_cbs, base->data, base->length);
- /* Empty matches everything */
+ // Empty matches everything
if (CBS_len(&base_cbs) == 0) {
return X509_V_OK;
}
- /* If |base_cbs| begins with a '.', do a simple suffix comparison. This is
- * not part of RFC5280, but is part of OpenSSL's original behavior. */
+ // If |base_cbs| begins with a '.', do a simple suffix comparison. This is
+ // not part of RFC5280, but is part of OpenSSL's original behavior.
if (starts_with(&base_cbs, '.')) {
if (has_suffix_case(&dns_cbs, &base_cbs)) {
return X509_V_OK;
@@ -458,10 +453,8 @@
return X509_V_ERR_PERMITTED_VIOLATION;
}
- /*
- * Otherwise can add zero or more components on the left so compare RHS
- * and if dns is longer and expect '.' as preceding character.
- */
+ // Otherwise can add zero or more components on the left so compare RHS
+ // and if dns is longer and expect '.' as preceding character.
if (CBS_len(&dns_cbs) > CBS_len(&base_cbs)) {
uint8_t dot;
if (!CBS_skip(&dns_cbs, CBS_len(&dns_cbs) - CBS_len(&base_cbs) - 1) ||
@@ -482,16 +475,16 @@
CBS_init(&eml_cbs, eml->data, eml->length);
CBS_init(&base_cbs, base->data, base->length);
- /* TODO(davidben): In OpenSSL 1.1.1, this switched from the first '@' to the
- * last one. Match them here, or perhaps do an actual parse. Looks like
- * multiple '@'s may be allowed in quoted strings. */
+ // TODO(davidben): In OpenSSL 1.1.1, this switched from the first '@' to the
+ // last one. Match them here, or perhaps do an actual parse. Looks like
+ // multiple '@'s may be allowed in quoted strings.
CBS eml_local, base_local;
if (!CBS_get_until_first(&eml_cbs, &eml_local, '@')) {
return X509_V_ERR_UNSUPPORTED_NAME_SYNTAX;
}
int base_has_at = CBS_get_until_first(&base_cbs, &base_local, '@');
- /* Special case: inital '.' is RHS match */
+ // Special case: inital '.' is RHS match
if (!base_has_at && starts_with(&base_cbs, '.')) {
if (has_suffix_case(&eml_cbs, &base_cbs)) {
return X509_V_OK;
@@ -499,23 +492,23 @@
return X509_V_ERR_PERMITTED_VIOLATION;
}
- /* If we have anything before '@' match local part */
+ // If we have anything before '@' match local part
if (base_has_at) {
- /* TODO(davidben): This interprets a constraint of "@example.com" as
- * "example.com", which is not part of RFC5280. */
+ // TODO(davidben): This interprets a constraint of "@example.com" as
+ // "example.com", which is not part of RFC5280.
if (CBS_len(&base_local) > 0) {
- /* Case sensitive match of local part */
+ // Case sensitive match of local part
if (!CBS_mem_equal(&base_local, CBS_data(&eml_local),
CBS_len(&eml_local))) {
return X509_V_ERR_PERMITTED_VIOLATION;
}
}
- /* Position base after '@' */
+ // Position base after '@'
assert(starts_with(&base_cbs, '@'));
CBS_skip(&base_cbs, 1);
}
- /* Just have hostname left to match: case insensitive */
+ // Just have hostname left to match: case insensitive
assert(starts_with(&eml_cbs, '@'));
CBS_skip(&eml_cbs, 1);
if (!equal_case(&base_cbs, &eml_cbs)) {
@@ -530,7 +523,7 @@
CBS_init(&uri_cbs, uri->data, uri->length);
CBS_init(&base_cbs, base->data, base->length);
- /* Check for foo:// and skip past it */
+ // Check for foo:// and skip past it
CBS scheme;
uint8_t byte;
if (!CBS_get_until_first(&uri_cbs, &scheme, ':') ||
@@ -540,10 +533,10 @@
return X509_V_ERR_UNSUPPORTED_NAME_SYNTAX;
}
- /* Look for a port indicator as end of hostname first. Otherwise look for
- * trailing slash, or the end of the string.
- * TODO(davidben): This is not a correct URI parser and mishandles IPv6
- * literals. */
+ // Look for a port indicator as end of hostname first. Otherwise look for
+ // trailing slash, or the end of the string.
+ // TODO(davidben): This is not a correct URI parser and mishandles IPv6
+ // literals.
CBS host;
if (!CBS_get_until_first(&uri_cbs, &host, ':') &&
!CBS_get_until_first(&uri_cbs, &host, '/')) {
@@ -554,7 +547,7 @@
return X509_V_ERR_UNSUPPORTED_NAME_SYNTAX;
}
- /* Special case: inital '.' is RHS match */
+ // Special case: inital '.' is RHS match
if (starts_with(&base_cbs, '.')) {
if (has_suffix_case(&host, &base_cbs)) {
return X509_V_OK;
diff --git a/crypto/x509v3/v3_ocsp.c b/crypto/x509v3/v3_ocsp.c
index 9d648f6..b490a11 100644
--- a/crypto/x509v3/v3_ocsp.c
+++ b/crypto/x509v3/v3_ocsp.c
@@ -13,9 +13,7 @@
#include <openssl/bio.h>
#include <openssl/nid.h>
-/*
- * OCSP extensions and a couple of CRL entry extensions
- */
+// OCSP extensions and a couple of CRL entry extensions
static int i2r_ocsp_acutoff(const X509V3_EXT_METHOD *method, void *nonce,
BIO *out, int indent);
@@ -70,7 +68,7 @@
return 1;
}
-/* Nocheck is just a single NULL. Don't print anything and always set it */
+// Nocheck is just a single NULL. Don't print anything and always set it
static int i2r_ocsp_nocheck(const X509V3_EXT_METHOD *method, void *nocheck,
BIO *out, int indent) {
diff --git a/crypto/x509v3/v3_pci.c b/crypto/x509v3/v3_pci.c
index 95fda03..cafb40c 100644
--- a/crypto/x509v3/v3_pci.c
+++ b/crypto/x509v3/v3_pci.c
@@ -147,10 +147,8 @@
(*policy)->data[(*policy)->length] = '\0';
} else {
OPENSSL_free(tmp_data2);
- /*
- * realloc failure implies the original data space is b0rked
- * too!
- */
+ // realloc failure implies the original data space is b0rked
+ // too!
(*policy)->data = NULL;
(*policy)->length = 0;
OPENSSL_PUT_ERROR(X509V3, ERR_R_MALLOC_FAILURE);
@@ -169,10 +167,8 @@
(*policy)->length += val_len;
(*policy)->data[(*policy)->length] = '\0';
} else {
- /*
- * realloc failure implies the original data space is b0rked
- * too!
- */
+ // realloc failure implies the original data space is b0rked
+ // too!
(*policy)->data = NULL;
(*policy)->length = 0;
OPENSSL_PUT_ERROR(X509V3, ERR_R_MALLOC_FAILURE);
@@ -243,7 +239,7 @@
}
}
- /* Language is mandatory */
+ // Language is mandatory
if (!language) {
OPENSSL_PUT_ERROR(X509V3, X509V3_R_NO_PROXY_CERT_POLICY_LANGUAGE_DEFINED);
goto err;
diff --git a/crypto/x509v3/v3_prn.c b/crypto/x509v3/v3_prn.c
index ba56c87..129c4fa 100644
--- a/crypto/x509v3/v3_prn.c
+++ b/crypto/x509v3/v3_prn.c
@@ -55,7 +55,7 @@
* (eay@cryptsoft.com). This product includes software written by Tim
* Hudson (tjh@cryptsoft.com). */
-/* X509 v3 extension utilities */
+// X509 v3 extension utilities
#include <stdio.h>
@@ -64,12 +64,12 @@
#include <openssl/mem.h>
#include <openssl/x509v3.h>
-/* Extension printing routines */
+// Extension printing routines
static int unknown_ext_print(BIO *out, X509_EXTENSION *ext, unsigned long flag,
int indent, int supported);
-/* Print out a name+value stack */
+// Print out a name+value stack
void X509V3_EXT_val_prn(BIO *out, STACK_OF(CONF_VALUE) *val, int indent,
int ml) {
@@ -104,7 +104,7 @@
}
}
-/* Main routine: print out a general extension */
+// Main routine: print out a general extension
int X509V3_EXT_print(BIO *out, X509_EXTENSION *ext, unsigned long flag,
int indent) {
diff --git a/crypto/x509v3/v3_purp.c b/crypto/x509v3/v3_purp.c
index 0b51a07..9a925b2 100644
--- a/crypto/x509v3/v3_purp.c
+++ b/crypto/x509v3/v3_purp.c
@@ -131,11 +131,9 @@
return (*a)->purpose - (*b)->purpose;
}
-/*
- * As much as I'd like to make X509_check_purpose use a "const" X509* I
- * really can't because it does recalculate hashes and do other non-const
- * things.
- */
+// As much as I'd like to make X509_check_purpose use a "const" X509* I
+// really can't because it does recalculate hashes and do other non-const
+// things.
int X509_check_purpose(X509 *x, int id, int ca) {
int idx;
const X509_PURPOSE *pt;
@@ -218,15 +216,13 @@
X509_PURPOSE *ptmp;
char *name_dup, *sname_dup;
- /*
- * This is set according to what we change: application can't set it
- */
+ // This is set according to what we change: application can't set it
flags &= ~X509_PURPOSE_DYNAMIC;
- /* This will always be set for application modified trust entries */
+ // This will always be set for application modified trust entries
flags |= X509_PURPOSE_DYNAMIC_NAME;
- /* Get existing entry if any */
+ // Get existing entry if any
idx = X509_PURPOSE_get_by_id(id);
- /* Need a new entry */
+ // Need a new entry
if (idx == -1) {
if (!(ptmp = OPENSSL_malloc(sizeof(X509_PURPOSE)))) {
OPENSSL_PUT_ERROR(X509V3, ERR_R_MALLOC_FAILURE);
@@ -237,7 +233,7 @@
ptmp = X509_PURPOSE_get0(idx);
}
- /* Duplicate the supplied names. */
+ // Duplicate the supplied names.
name_dup = OPENSSL_strdup(name);
sname_dup = OPENSSL_strdup(sname);
if (name_dup == NULL || sname_dup == NULL) {
@@ -254,17 +250,17 @@
return 0;
}
- /* OPENSSL_free existing name if dynamic */
+ // OPENSSL_free existing name if dynamic
if (ptmp->flags & X509_PURPOSE_DYNAMIC_NAME) {
OPENSSL_free(ptmp->name);
OPENSSL_free(ptmp->sname);
}
- /* dup supplied name */
+ // dup supplied name
ptmp->name = name_dup;
ptmp->sname = sname_dup;
- /* Keep the dynamic flag of existing entry */
+ // Keep the dynamic flag of existing entry
ptmp->flags &= X509_PURPOSE_DYNAMIC;
- /* Set all other flags */
+ // Set all other flags
ptmp->flags |= flags;
ptmp->purpose = id;
@@ -272,7 +268,7 @@
ptmp->check_purpose = ck;
ptmp->usr_data = arg;
- /* If its a new entry manage the dynamic table */
+ // If its a new entry manage the dynamic table
if (idx == -1) {
if (!xptable && !(xptable = sk_X509_PURPOSE_new(xp_cmp))) {
OPENSSL_PUT_ERROR(X509V3, ERR_R_MALLOC_FAILURE);
@@ -325,26 +321,24 @@
}
int X509_supported_extension(X509_EXTENSION *ex) {
- /*
- * This table is a list of the NIDs of supported extensions: that is
- * those which are used by the verify process. If an extension is
- * critical and doesn't appear in this list then the verify process will
- * normally reject the certificate. The list must be kept in numerical
- * order because it will be searched using bsearch.
- */
+ // This table is a list of the NIDs of supported extensions: that is
+ // those which are used by the verify process. If an extension is
+ // critical and doesn't appear in this list then the verify process will
+ // normally reject the certificate. The list must be kept in numerical
+ // order because it will be searched using bsearch.
static const int supported_nids[] = {
- NID_netscape_cert_type, /* 71 */
- NID_key_usage, /* 83 */
- NID_subject_alt_name, /* 85 */
- NID_basic_constraints, /* 87 */
- NID_certificate_policies, /* 89 */
- NID_ext_key_usage, /* 126 */
- NID_policy_constraints, /* 401 */
- NID_proxyCertInfo, /* 663 */
- NID_name_constraints, /* 666 */
- NID_policy_mappings, /* 747 */
- NID_inhibit_any_policy /* 748 */
+ NID_netscape_cert_type, // 71
+ NID_key_usage, // 83
+ NID_subject_alt_name, // 85
+ NID_basic_constraints, // 87
+ NID_certificate_policies, // 89
+ NID_ext_key_usage, // 126
+ NID_policy_constraints, // 401
+ NID_proxyCertInfo, // 663
+ NID_name_constraints, // 666
+ NID_policy_mappings, // 747
+ NID_inhibit_any_policy // 748
};
int ex_nid = OBJ_obj2nid(X509_EXTENSION_get_object(ex));
@@ -432,11 +426,11 @@
if (!X509_digest(x, EVP_sha256(), x->cert_hash, NULL)) {
x->ex_flags |= EXFLAG_INVALID;
}
- /* V1 should mean no extensions ... */
+ // V1 should mean no extensions ...
if (X509_get_version(x) == X509_VERSION_1) {
x->ex_flags |= EXFLAG_V1;
}
- /* Handle basic constraints */
+ // Handle basic constraints
if ((bs = X509_get_ext_d2i(x, NID_basic_constraints, &j, NULL))) {
if (bs->ca) {
x->ex_flags |= EXFLAG_CA;
@@ -446,11 +440,11 @@
x->ex_flags |= EXFLAG_INVALID;
x->ex_pathlen = 0;
} else {
- /* TODO(davidben): |ASN1_INTEGER_get| returns -1 on overflow,
- * which currently acts as if the constraint isn't present. This
- * works (an overflowing path length constraint may as well be
- * infinity), but Chromium's verifier simply treats values above
- * 255 as an error. */
+ // TODO(davidben): |ASN1_INTEGER_get| returns -1 on overflow,
+ // which currently acts as if the constraint isn't present. This
+ // works (an overflowing path length constraint may as well be
+ // infinity), but Chromium's verifier simply treats values above
+ // 255 as an error.
x->ex_pathlen = ASN1_INTEGER_get(bs->pathlen);
}
} else {
@@ -461,7 +455,7 @@
} else if (j != -1) {
x->ex_flags |= EXFLAG_INVALID;
}
- /* Handle proxy certificates */
+ // Handle proxy certificates
if ((pci = X509_get_ext_d2i(x, NID_proxyCertInfo, &j, NULL))) {
if (x->ex_flags & EXFLAG_CA ||
X509_get_ext_by_NID(x, NID_subject_alt_name, -1) >= 0 ||
@@ -478,7 +472,7 @@
} else if (j != -1) {
x->ex_flags |= EXFLAG_INVALID;
}
- /* Handle key usage */
+ // Handle key usage
if ((usage = X509_get_ext_d2i(x, NID_key_usage, &j, NULL))) {
if (usage->length > 0) {
x->ex_kusage = usage->data[0];
@@ -560,10 +554,10 @@
if (x->akid == NULL && j != -1) {
x->ex_flags |= EXFLAG_INVALID;
}
- /* Does subject name match issuer ? */
+ // Does subject name match issuer ?
if (!X509_NAME_cmp(X509_get_subject_name(x), X509_get_issuer_name(x))) {
x->ex_flags |= EXFLAG_SI;
- /* If SKID matches AKID also indicate self signed */
+ // If SKID matches AKID also indicate self signed
if (X509_check_akid(x, x->akid) == X509_V_OK &&
!ku_reject(x, KU_KEY_CERT_SIGN)) {
x->ex_flags |= EXFLAG_SS;
@@ -600,18 +594,18 @@
return (x->ex_flags & EXFLAG_INVALID) == 0;
}
-/* check_ca returns one if |x| should be considered a CA certificate and zero
- * otherwise. */
+// check_ca returns one if |x| should be considered a CA certificate and zero
+// otherwise.
static int check_ca(const X509 *x) {
- /* keyUsage if present should allow cert signing */
+ // keyUsage if present should allow cert signing
if (ku_reject(x, KU_KEY_CERT_SIGN)) {
return 0;
}
- /* Version 1 certificates are considered CAs and don't have extensions. */
+ // Version 1 certificates are considered CAs and don't have extensions.
if ((x->ex_flags & V1_ROOT) == V1_ROOT) {
return 1;
}
- /* Otherwise, it's only a CA if basicConstraints says so. */
+ // Otherwise, it's only a CA if basicConstraints says so.
return ((x->ex_flags & EXFLAG_BCONS) && (x->ex_flags & EXFLAG_CA));
}
@@ -630,22 +624,20 @@
if (ca) {
return check_ca(x);
}
- /* We need to do digital signatures or key agreement */
+ // We need to do digital signatures or key agreement
if (ku_reject(x, KU_DIGITAL_SIGNATURE | KU_KEY_AGREEMENT)) {
return 0;
}
- /* nsCertType if present should allow SSL client use */
+ // nsCertType if present should allow SSL client use
if (ns_reject(x, NS_SSL_CLIENT)) {
return 0;
}
return 1;
}
-/*
- * Key usage needed for TLS/SSL server: digital signature, encipherment or
- * key agreement. The ssl code can check this more thoroughly for individual
- * key types.
- */
+// Key usage needed for TLS/SSL server: digital signature, encipherment or
+// key agreement. The ssl code can check this more thoroughly for individual
+// key types.
#define KU_TLS (KU_DIGITAL_SIGNATURE | KU_KEY_ENCIPHERMENT | KU_KEY_AGREEMENT)
static int check_purpose_ssl_server(const X509_PURPOSE *xp, const X509 *x,
@@ -674,21 +666,21 @@
if (!ret || ca) {
return ret;
}
- /* We need to encipher or Netscape complains */
+ // We need to encipher or Netscape complains
if (ku_reject(x, KU_KEY_ENCIPHERMENT)) {
return 0;
}
return ret;
}
-/* purpose_smime returns one if |x| is a valid S/MIME leaf (|ca| is zero) or CA
- * (|ca| is one) certificate, and zero otherwise. */
+// purpose_smime returns one if |x| is a valid S/MIME leaf (|ca| is zero) or CA
+// (|ca| is one) certificate, and zero otherwise.
static int purpose_smime(const X509 *x, int ca) {
if (xku_reject(x, XKU_SMIME)) {
return 0;
}
if (ca) {
- /* check nsCertType if present */
+ // check nsCertType if present
if ((x->ex_flags & EXFLAG_NSCERT) && (x->ex_nscert & NS_SMIME_CA) == 0) {
return 0;
}
@@ -738,16 +730,14 @@
return 1;
}
-/*
- * OCSP helper: this is *not* a full OCSP check. It just checks that each CA
- * is valid. Additional checks must be made on the chain.
- */
+// OCSP helper: this is *not* a full OCSP check. It just checks that each CA
+// is valid. Additional checks must be made on the chain.
static int ocsp_helper(const X509_PURPOSE *xp, const X509 *x, int ca) {
if (ca) {
return check_ca(x);
}
- /* leaf certificate is checked in OCSP_verify() */
+ // leaf certificate is checked in OCSP_verify()
return 1;
}
@@ -755,29 +745,27 @@
int ca) {
int i_ext;
- /* If ca is true we must return if this is a valid CA certificate. */
+ // If ca is true we must return if this is a valid CA certificate.
if (ca) {
return check_ca(x);
}
- /*
- * Check the optional key usage field:
- * if Key Usage is present, it must be one of digitalSignature
- * and/or nonRepudiation (other values are not consistent and shall
- * be rejected).
- */
+ // Check the optional key usage field:
+ // if Key Usage is present, it must be one of digitalSignature
+ // and/or nonRepudiation (other values are not consistent and shall
+ // be rejected).
if ((x->ex_flags & EXFLAG_KUSAGE) &&
((x->ex_kusage & ~(KU_NON_REPUDIATION | KU_DIGITAL_SIGNATURE)) ||
!(x->ex_kusage & (KU_NON_REPUDIATION | KU_DIGITAL_SIGNATURE)))) {
return 0;
}
- /* Only time stamp key usage is permitted and it's required. */
+ // Only time stamp key usage is permitted and it's required.
if (!(x->ex_flags & EXFLAG_XKUSAGE) || x->ex_xkusage != XKU_TIMESTAMP) {
return 0;
}
- /* Extended Key Usage MUST be critical */
+ // Extended Key Usage MUST be critical
i_ext = X509_get_ext_by_NID((X509 *)x, NID_ext_key_usage, -1);
if (i_ext >= 0) {
X509_EXTENSION *ext = X509_get_ext((X509 *)x, i_ext);
@@ -791,15 +779,13 @@
static int no_check(const X509_PURPOSE *xp, const X509 *x, int ca) { return 1; }
-/*
- * Various checks to see if one certificate issued the second. This can be
- * used to prune a set of possible issuer certificates which have been looked
- * up using some simple method such as by subject name. These are: 1. Check
- * issuer_name(subject) == subject_name(issuer) 2. If akid(subject) exists
- * check it matches issuer 3. If key_usage(issuer) exists check it supports
- * certificate signing returns 0 for OK, positive for reason for mismatch,
- * reasons match codes for X509_verify_cert()
- */
+// Various checks to see if one certificate issued the second. This can be
+// used to prune a set of possible issuer certificates which have been looked
+// up using some simple method such as by subject name. These are: 1. Check
+// issuer_name(subject) == subject_name(issuer) 2. If akid(subject) exists
+// check it matches issuer 3. If key_usage(issuer) exists check it supports
+// certificate signing returns 0 for OK, positive for reason for mismatch,
+// reasons match codes for X509_verify_cert()
int X509_check_issued(X509 *issuer, X509 *subject) {
if (X509_NAME_cmp(X509_get_subject_name(issuer),
@@ -832,23 +818,21 @@
return X509_V_OK;
}
- /* Check key ids (if present) */
+ // Check key ids (if present)
if (akid->keyid && issuer->skid &&
ASN1_OCTET_STRING_cmp(akid->keyid, issuer->skid)) {
return X509_V_ERR_AKID_SKID_MISMATCH;
}
- /* Check serial number */
+ // Check serial number
if (akid->serial &&
ASN1_INTEGER_cmp(X509_get_serialNumber(issuer), akid->serial)) {
return X509_V_ERR_AKID_ISSUER_SERIAL_MISMATCH;
}
- /* Check issuer name */
+ // Check issuer name
if (akid->issuer) {
- /*
- * Ugh, for some peculiar reason AKID includes SEQUENCE OF
- * GeneralName. So look for a DirName. There may be more than one but
- * we only take any notice of the first.
- */
+ // Ugh, for some peculiar reason AKID includes SEQUENCE OF
+ // GeneralName. So look for a DirName. There may be more than one but
+ // we only take any notice of the first.
GENERAL_NAMES *gens;
GENERAL_NAME *gen;
X509_NAME *nm = NULL;
@@ -869,8 +853,8 @@
}
uint32_t X509_get_extension_flags(X509 *x) {
- /* Ignore the return value. On failure, |x->ex_flags| will include
- * |EXFLAG_INVALID|. */
+ // Ignore the return value. On failure, |x->ex_flags| will include
+ // |EXFLAG_INVALID|.
x509v3_cache_extensions(x);
return x->ex_flags;
}
diff --git a/crypto/x509v3/v3_utl.c b/crypto/x509v3/v3_utl.c
index bd443c3..16e0e07 100644
--- a/crypto/x509v3/v3_utl.c
+++ b/crypto/x509v3/v3_utl.c
@@ -87,7 +87,7 @@
static int ipv6_cb(const char *elem, int len, void *usr);
static int ipv6_hex(unsigned char *out, const char *in, int inlen);
-/* Add a CONF_VALUE name value pair to stack */
+// Add a CONF_VALUE name value pair to stack
static int x509V3_add_len_value(const char *name, const char *value,
size_t value_len, int omit_value,
@@ -99,7 +99,7 @@
goto malloc_err;
}
if (!omit_value) {
- /* |CONF_VALUE| cannot represent strings with NULs. */
+ // |CONF_VALUE| cannot represent strings with NULs.
if (OPENSSL_memchr(value, 0, value_len)) {
OPENSSL_PUT_ERROR(X509V3, X509V3_R_INVALID_VALUE);
goto err;
@@ -152,7 +152,7 @@
/*omit_value=*/0, extlist);
}
-/* Free function for STACK_OF(CONF_VALUE) */
+// Free function for STACK_OF(CONF_VALUE)
void X509V3_conf_free(CONF_VALUE *conf) {
if (!conf) {
@@ -190,11 +190,9 @@
char *tmp, *ret;
size_t len;
- /*
- * Display large numbers in hex and small numbers in decimal. Converting to
- * decimal takes quadratic time and is no more useful than hex for large
- * numbers.
- */
+ // Display large numbers in hex and small numbers in decimal. Converting to
+ // decimal takes quadratic time and is no more useful than hex for large
+ // numbers.
if (BN_num_bits(bn) < 32) {
return BN_bn2dec(bn);
}
@@ -212,7 +210,7 @@
return NULL;
}
- /* Prepend "0x", but place it after the "-" if negative. */
+ // Prepend "0x", but place it after the "-" if negative.
if (tmp[0] == '-') {
OPENSSL_strlcpy(ret, "-0x", len);
OPENSSL_strlcat(ret, tmp + 1, len);
@@ -355,9 +353,7 @@
#define HDR_NAME 1
#define HDR_VALUE 2
-/*
- * #define DEBUG
- */
+// #define DEBUG
STACK_OF(CONF_VALUE) *X509V3_parse_list(const char *line) {
char *p, *q, c;
@@ -365,7 +361,7 @@
STACK_OF(CONF_VALUE) *values = NULL;
char *linebuf;
int state;
- /* We are going to modify the line so copy it first */
+ // We are going to modify the line so copy it first
linebuf = OPENSSL_strdup(line);
if (linebuf == NULL) {
OPENSSL_PUT_ERROR(X509V3, ERR_R_MALLOC_FAILURE);
@@ -373,7 +369,7 @@
}
state = HDR_NAME;
ntmp = NULL;
- /* Go through all characters */
+ // Go through all characters
for (p = linebuf, q = linebuf; (c = *p) && (c != '\r') && (c != '\n'); p++) {
switch (state) {
case HDR_NAME:
@@ -450,10 +446,10 @@
return NULL;
}
-/* Delete leading and trailing spaces from a string */
+// Delete leading and trailing spaces from a string
static char *strip_spaces(char *name) {
char *p, *q;
- /* Skip over leading spaces */
+ // Skip over leading spaces
p = name;
while (*p && isspace((unsigned char)*p)) {
p++;
@@ -474,7 +470,7 @@
return p;
}
-/* hex string utilities */
+// hex string utilities
char *x509v3_bytes_to_hex(const uint8_t *in, size_t len) {
CBB cbb;
@@ -637,9 +633,9 @@
GENERAL_NAME *gen;
int i;
size_t j;
- /* Now add any email address(es) to STACK */
+ // Now add any email address(es) to STACK
i = -1;
- /* First supplied X509_NAME */
+ // First supplied X509_NAME
while ((i = X509_NAME_get_index_by_NID(name, NID_pkcs9_emailAddress, i)) >=
0) {
ne = X509_NAME_get_entry(name, i);
@@ -663,15 +659,15 @@
static void str_free(OPENSSL_STRING str) { OPENSSL_free(str); }
static int append_ia5(STACK_OF(OPENSSL_STRING) **sk, ASN1_IA5STRING *email) {
- /* First some sanity checks */
+ // First some sanity checks
if (email->type != V_ASN1_IA5STRING) {
return 1;
}
if (email->data == NULL || email->length == 0) {
return 1;
}
- /* |OPENSSL_STRING| cannot represent strings with embedded NULs. Do not
- * report them as outputs. */
+ // |OPENSSL_STRING| cannot represent strings with embedded NULs. Do not
+ // report them as outputs.
if (OPENSSL_memchr(email->data, 0, email->length) != NULL) {
return 1;
}
@@ -689,7 +685,7 @@
goto err;
}
- /* Don't add duplicates */
+ // Don't add duplicates
sk_OPENSSL_STRING_sort(*sk);
if (sk_OPENSSL_STRING_find(*sk, NULL, emtmp)) {
OPENSSL_free(emtmp);
@@ -701,8 +697,8 @@
return 1;
err:
- /* TODO(davidben): Fix the error-handling in this file. It currently relies
- * on |append_ia5| leaving |*sk| at NULL on error. */
+ // TODO(davidben): Fix the error-handling in this file. It currently relies
+ // on |append_ia5| leaving |*sk| at NULL on error.
OPENSSL_free(emtmp);
X509_email_free(*sk);
*sk = NULL;
@@ -717,7 +713,7 @@
const unsigned char *subject, size_t subject_len,
unsigned int flags);
-/* Compare while ASCII ignoring case. */
+// Compare while ASCII ignoring case.
static int equal_nocase(const unsigned char *pattern, size_t pattern_len,
const unsigned char *subject, size_t subject_len,
unsigned int flags) {
@@ -727,7 +723,7 @@
while (pattern_len) {
unsigned char l = *pattern;
unsigned char r = *subject;
- /* The pattern must not contain NUL characters. */
+ // The pattern must not contain NUL characters.
if (l == 0) {
return 0;
}
@@ -749,7 +745,7 @@
return 1;
}
-/* Compare using OPENSSL_memcmp. */
+// Compare using OPENSSL_memcmp.
static int equal_case(const unsigned char *pattern, size_t pattern_len,
const unsigned char *subject, size_t subject_len,
unsigned int flags) {
@@ -759,10 +755,8 @@
return !OPENSSL_memcmp(pattern, subject, pattern_len);
}
-/*
- * RFC 5280, section 7.5, requires that only the domain is compared in a
- * case-insensitive manner.
- */
+// RFC 5280, section 7.5, requires that only the domain is compared in a
+// case-insensitive manner.
static int equal_email(const unsigned char *a, size_t a_len,
const unsigned char *b, size_t b_len,
unsigned int unused_flags) {
@@ -770,11 +764,9 @@
if (a_len != b_len) {
return 0;
}
- /*
- * We search backwards for the '@' character, so that we do not have to
- * deal with quoted local-parts. The domain part is compared in a
- * case-insensitive manner.
- */
+ // We search backwards for the '@' character, so that we do not have to
+ // deal with quoted local-parts. The domain part is compared in a
+ // case-insensitive manner.
while (i > 0) {
--i;
if (a[i] == '@' || b[i] == '@') {
@@ -790,10 +782,8 @@
return equal_case(a, i, b, i, 0);
}
-/*
- * Compare the prefix and suffix with the subject, and check that the
- * characters in-between are valid.
- */
+// Compare the prefix and suffix with the subject, and check that the
+// characters in-between are valid.
static int wildcard_match(const unsigned char *prefix, size_t prefix_len,
const unsigned char *suffix, size_t suffix_len,
const unsigned char *subject, size_t subject_len,
@@ -814,29 +804,25 @@
if (!equal_nocase(wildcard_end, suffix_len, suffix, suffix_len, flags)) {
return 0;
}
- /*
- * If the wildcard makes up the entire first label, it must match at
- * least one character.
- */
+ // If the wildcard makes up the entire first label, it must match at
+ // least one character.
if (prefix_len == 0 && *suffix == '.') {
if (wildcard_start == wildcard_end) {
return 0;
}
allow_idna = 1;
}
- /* IDNA labels cannot match partial wildcards */
+ // IDNA labels cannot match partial wildcards
if (!allow_idna && subject_len >= 4 &&
OPENSSL_strncasecmp((char *)subject, "xn--", 4) == 0) {
return 0;
}
- /* The wildcard may match a literal '*' */
+ // The wildcard may match a literal '*'
if (wildcard_end == wildcard_start + 1 && *wildcard_start == '*') {
return 1;
}
- /*
- * Check that the part matched by the wildcard contains only
- * permitted characters and only matches a single label.
- */
+ // Check that the part matched by the wildcard contains only
+ // permitted characters and only matches a single label.
for (p = wildcard_start; p != wildcard_end; ++p) {
if (!(('0' <= *p && *p <= '9') || ('A' <= *p && *p <= 'Z') ||
('a' <= *p && *p <= 'z') || *p == '-')) {
@@ -858,22 +844,18 @@
int state = LABEL_START;
int dots = 0;
for (i = 0; i < len; ++i) {
- /*
- * Locate first and only legal wildcard, either at the start
- * or end of a non-IDNA first and not final label.
- */
+ // Locate first and only legal wildcard, either at the start
+ // or end of a non-IDNA first and not final label.
if (p[i] == '*') {
int atstart = (state & LABEL_START);
int atend = (i == len - 1 || p[i + 1] == '.');
- /*
- * At most one wildcard per pattern.
- * No wildcards in IDNA labels.
- * No wildcards after the first label.
- */
+ // At most one wildcard per pattern.
+ // No wildcards in IDNA labels.
+ // No wildcards after the first label.
if (star != NULL || (state & LABEL_IDNA) != 0 || dots) {
return NULL;
}
- /* Only full-label '*.example.com' wildcards. */
+ // Only full-label '*.example.com' wildcards.
if (!atstart || !atend) {
return NULL;
}
@@ -893,7 +875,7 @@
state = LABEL_START;
++dots;
} else if (p[i] == '-') {
- /* no domain/subdomain starts with '-' */
+ // no domain/subdomain starts with '-'
if ((state & LABEL_START) != 0) {
return NULL;
}
@@ -903,26 +885,22 @@
}
}
- /*
- * The final label must not end in a hyphen or ".", and
- * there must be at least two dots after the star.
- */
+ // The final label must not end in a hyphen or ".", and
+ // there must be at least two dots after the star.
if ((state & (LABEL_START | LABEL_HYPHEN)) != 0 || dots < 2) {
return NULL;
}
return star;
}
-/* Compare using wildcards. */
+// Compare using wildcards.
static int equal_wildcard(const unsigned char *pattern, size_t pattern_len,
const unsigned char *subject, size_t subject_len,
unsigned int flags) {
const unsigned char *star = NULL;
- /*
- * Subject names starting with '.' can only match a wildcard pattern
- * via a subject sub-domain pattern suffix match.
- */
+ // Subject names starting with '.' can only match a wildcard pattern
+ // via a subject sub-domain pattern suffix match.
if (!(subject_len > 1 && subject[0] == '.')) {
star = valid_star(pattern, pattern_len, flags);
}
@@ -935,17 +913,17 @@
}
int x509v3_looks_like_dns_name(const unsigned char *in, size_t len) {
- /* This function is used as a heuristic for whether a common name is a
- * hostname to be matched, or merely a decorative name to describe the
- * subject. This heuristic must be applied to both name constraints and the
- * common name fallback, so it must be loose enough to accept hostname
- * common names, and tight enough to reject decorative common names. */
+ // This function is used as a heuristic for whether a common name is a
+ // hostname to be matched, or merely a decorative name to describe the
+ // subject. This heuristic must be applied to both name constraints and the
+ // common name fallback, so it must be loose enough to accept hostname
+ // common names, and tight enough to reject decorative common names.
if (len > 0 && in[len - 1] == '.') {
len--;
}
- /* Wildcards are allowed in front. */
+ // Wildcards are allowed in front.
if (len >= 2 && in[0] == '*' && in[1] == '.') {
in += 2;
len -= 2;
@@ -960,13 +938,13 @@
unsigned char c = in[i];
if ((c >= 'a' && c <= 'z') || (c >= '0' && c <= '9') ||
(c >= 'A' && c <= 'Z') || (c == '-' && i > label_start) ||
- /* These are not valid characters in hostnames, but commonly found
- * in deployments outside the Web PKI. */
+ // These are not valid characters in hostnames, but commonly found
+ // in deployments outside the Web PKI.
c == '_' || c == ':') {
continue;
}
- /* Labels must not be empty. */
+ // Labels must not be empty.
if (c == '.' && i > label_start && i < len - 1) {
label_start = i + 1;
continue;
@@ -978,11 +956,9 @@
return 1;
}
-/*
- * Compare an ASN1_STRING to a supplied string. If they match return 1. If
- * cmp_type > 0 only compare if string matches the type, otherwise convert it
- * to UTF8.
- */
+// Compare an ASN1_STRING to a supplied string. If they match return 1. If
+// cmp_type > 0 only compare if string matches the type, otherwise convert it
+// to UTF8.
static int do_check_string(ASN1_STRING *a, int cmp_type, equal_fn equal,
unsigned int flags, int check_type, const char *b,
@@ -1011,11 +987,9 @@
if (astrlen < 0) {
return -1;
}
- /*
- * We check the common name against DNS name constraints if it passes
- * |x509v3_looks_like_dns_name|. Thus we must not consider common names
- * for DNS fallbacks if they fail this check.
- */
+ // We check the common name against DNS name constraints if it passes
+ // |x509v3_looks_like_dns_name|. Thus we must not consider common names
+ // for DNS fallbacks if they fail this check.
if (check_type == GEN_DNS && !x509v3_looks_like_dns_name(astr, astrlen)) {
rv = 0;
} else {
@@ -1073,7 +1047,7 @@
} else {
cstr = gen->d.iPAddress;
}
- /* Positive on success, negative on error! */
+ // Positive on success, negative on error!
if ((rv = do_check_string(cstr, alt_type, equal, flags, check_type, chk,
chklen, peername)) != 0) {
break;
@@ -1083,7 +1057,7 @@
return rv;
}
- /* We're done if CN-ID is not pertinent */
+ // We're done if CN-ID is not pertinent
if (cnid == NID_undef || (flags & X509_CHECK_FLAG_NEVER_CHECK_SUBJECT)) {
return 0;
}
@@ -1095,7 +1069,7 @@
ASN1_STRING *str;
ne = X509_NAME_get_entry(name, j);
str = X509_NAME_ENTRY_get_data(ne);
- /* Positive on success, negative on error! */
+ // Positive on success, negative on error!
if ((rv = do_check_string(str, -1, equal, flags, check_type, chk, chklen,
peername)) != 0) {
return rv;
@@ -1148,10 +1122,8 @@
return do_x509_check(x, (char *)ipout, iplen, flags, GEN_IPADD, NULL);
}
-/*
- * Convert IP addresses both IPv4 and IPv6 into an OCTET STRING compatible
- * with RFC 3280.
- */
+// Convert IP addresses both IPv4 and IPv6 into an OCTET STRING compatible
+// with RFC 3280.
ASN1_OCTET_STRING *a2i_IPADDRESS(const char *ipasc) {
unsigned char ipout[16];
@@ -1226,7 +1198,7 @@
}
int x509v3_a2i_ipadd(unsigned char ipout[16], const char *ipasc) {
- /* If string contains a ':' assume IPv6 */
+ // If string contains a ':' assume IPv6
if (strchr(ipasc, ':')) {
if (!ipv6_from_asc(ipout, ipasc)) {
@@ -1258,13 +1230,13 @@
}
typedef struct {
- /* Temporary store for IPV6 output */
+ // Temporary store for IPV6 output
unsigned char tmp[16];
- /* Total number of bytes in tmp */
+ // Total number of bytes in tmp
int total;
- /* The position of a zero (corresponding to '::') */
+ // The position of a zero (corresponding to '::')
int zero_pos;
- /* Number of zeroes */
+ // Number of zeroes
int zero_cnt;
} IPV6_STAT;
@@ -1273,44 +1245,42 @@
v6stat.total = 0;
v6stat.zero_pos = -1;
v6stat.zero_cnt = 0;
- /*
- * Treat the IPv6 representation as a list of values separated by ':'.
- * The presence of a '::' will parse as one, two or three zero length
- * elements.
- */
+ // Treat the IPv6 representation as a list of values separated by ':'.
+ // The presence of a '::' will parse as one, two or three zero length
+ // elements.
if (!CONF_parse_list(in, ':', 0, ipv6_cb, &v6stat)) {
return 0;
}
- /* Now for some sanity checks */
+ // Now for some sanity checks
if (v6stat.zero_pos == -1) {
- /* If no '::' must have exactly 16 bytes */
+ // If no '::' must have exactly 16 bytes
if (v6stat.total != 16) {
return 0;
}
} else {
- /* If '::' must have less than 16 bytes */
+ // If '::' must have less than 16 bytes
if (v6stat.total == 16) {
return 0;
}
- /* More than three zeroes is an error */
+ // More than three zeroes is an error
if (v6stat.zero_cnt > 3) {
return 0;
}
- /* Can only have three zeroes if nothing else present */
+ // Can only have three zeroes if nothing else present
else if (v6stat.zero_cnt == 3) {
if (v6stat.total > 0) {
return 0;
}
}
- /* Can only have two zeroes if at start or end */
+ // Can only have two zeroes if at start or end
else if (v6stat.zero_cnt == 2) {
if ((v6stat.zero_pos != 0) && (v6stat.zero_pos != v6stat.total)) {
return 0;
}
} else
- /* Can only have one zero if *not* start or end */
+ // Can only have one zero if *not* start or end
{
if ((v6stat.zero_pos == 0) || (v6stat.zero_pos == v6stat.total)) {
return 0;
@@ -1318,14 +1288,14 @@
}
}
- /* Format result */
+ // Format result
if (v6stat.zero_pos >= 0) {
- /* Copy initial part */
+ // Copy initial part
OPENSSL_memcpy(v6, v6stat.tmp, v6stat.zero_pos);
- /* Zero middle */
+ // Zero middle
OPENSSL_memset(v6 + v6stat.zero_pos, 0, 16 - v6stat.total);
- /* Copy final part */
+ // Copy final part
if (v6stat.total != v6stat.zero_pos) {
OPENSSL_memcpy(v6 + v6stat.zero_pos + 16 - v6stat.total,
v6stat.tmp + v6stat.zero_pos,
@@ -1340,28 +1310,28 @@
static int ipv6_cb(const char *elem, int len, void *usr) {
IPV6_STAT *s = usr;
- /* Error if 16 bytes written */
+ // Error if 16 bytes written
if (s->total == 16) {
return 0;
}
if (len == 0) {
- /* Zero length element, corresponds to '::' */
+ // Zero length element, corresponds to '::'
if (s->zero_pos == -1) {
s->zero_pos = s->total;
}
- /* If we've already got a :: its an error */
+ // If we've already got a :: its an error
else if (s->zero_pos != s->total) {
return 0;
}
s->zero_cnt++;
} else {
- /* If more than 4 characters could be final a.b.c.d form */
+ // If more than 4 characters could be final a.b.c.d form
if (len > 4) {
- /* Need at least 4 bytes left */
+ // Need at least 4 bytes left
if (s->total > 12) {
return 0;
}
- /* Must be end of string */
+ // Must be end of string
if (elem[len]) {
return 0;
}
@@ -1379,9 +1349,7 @@
return 1;
}
-/*
- * Convert a string of up to 4 hex digits into the corresponding IPv6 form.
- */
+// Convert a string of up to 4 hex digits into the corresponding IPv6 form.
static int ipv6_hex(unsigned char *out, const char *in, int inlen) {
unsigned char c;
@@ -1420,9 +1388,7 @@
for (i = 0; i < sk_CONF_VALUE_num(dn_sk); i++) {
v = sk_CONF_VALUE_value(dn_sk, i);
type = v->name;
- /*
- * Skip past any leading X. X: X, etc to allow for multiple instances
- */
+ // Skip past any leading X. X: X, etc to allow for multiple instances
for (p = type; *p; p++) {
if ((*p == ':') || (*p == ',') || (*p == '.')) {
p++;
