Convert comments in ssl.
That's the last of it!
Change-Id: I93d1f5ab7e95b2ad105c34b24297a0bf77625263
Reviewed-on: https://boringssl-review.googlesource.com/19784
Reviewed-by: David Benjamin <davidben@google.com>
Commit-Queue: David Benjamin <davidben@google.com>
CQ-Verified: CQ bot account: commit-bot@chromium.org <commit-bot@chromium.org>
diff --git a/ssl/custom_extensions.cc b/ssl/custom_extensions.cc
index dff7041..c22f4fe 100644
--- a/ssl/custom_extensions.cc
+++ b/ssl/custom_extensions.cc
@@ -47,9 +47,9 @@
return NULL;
}
-/* default_add_callback is used as the |add_callback| when the user doesn't
- * provide one. For servers, it does nothing while, for clients, it causes an
- * empty extension to be included. */
+// default_add_callback is used as the |add_callback| when the user doesn't
+// provide one. For servers, it does nothing while, for clients, it causes an
+// empty extension to be included.
static int default_add_callback(SSL *ssl, unsigned extension_value,
const uint8_t **out, size_t *out_len,
int *out_alert_value, void *add_arg) {
@@ -76,7 +76,7 @@
if (ssl->server &&
!(hs->custom_extensions.received & (1u << i))) {
- /* Servers cannot echo extensions that the client didn't send. */
+ // Servers cannot echo extensions that the client didn't send.
continue;
}
@@ -135,9 +135,9 @@
const SSL_CUSTOM_EXTENSION *ext =
custom_ext_find(ssl->ctx->client_custom_extensions, &index, value);
- if (/* Unknown extensions are not allowed in a ServerHello. */
+ if (// Unknown extensions are not allowed in a ServerHello.
ext == NULL ||
- /* Also, if we didn't send the extension, that's also unacceptable. */
+ // Also, if we didn't send the extension, that's also unacceptable.
!(hs->custom_extensions.sent & (1u << index))) {
OPENSSL_PUT_ERROR(SSL, SSL_R_UNEXPECTED_EXTENSION);
ERR_add_error_dataf("extension %u", (unsigned)value);
@@ -185,9 +185,9 @@
return custom_ext_add_hello(hs, extensions);
}
-/* MAX_NUM_CUSTOM_EXTENSIONS is the maximum number of custom extensions that
- * can be set on an |SSL_CTX|. It's determined by the size of the bitset used
- * to track when an extension has been sent. */
+// MAX_NUM_CUSTOM_EXTENSIONS is the maximum number of custom extensions that
+// can be set on an |SSL_CTX|. It's determined by the size of the bitset used
+// to track when an extension has been sent.
#define MAX_NUM_CUSTOM_EXTENSIONS \
(sizeof(((SSL_HANDSHAKE *)NULL)->custom_extensions.sent) * 8)
@@ -200,8 +200,8 @@
if (add_cb == NULL ||
0xffff < extension_value ||
SSL_extension_supported(extension_value) ||
- /* Specifying a free callback without an add callback is nonsensical
- * and an error. */
+ // Specifying a free callback without an add callback is nonsensical
+ // and an error.
(*stack != NULL &&
(MAX_NUM_CUSTOM_EXTENSIONS <= sk_SSL_CUSTOM_EXTENSION_num(*stack) ||
custom_ext_find(*stack, NULL, extension_value) != NULL))) {
diff --git a/ssl/d1_both.cc b/ssl/d1_both.cc
index 71a7161..cb447df 100644
--- a/ssl/d1_both.cc
+++ b/ssl/d1_both.cc
@@ -129,20 +129,20 @@
namespace bssl {
-/* TODO(davidben): 28 comes from the size of IP + UDP header. Is this reasonable
- * for these values? Notably, why is kMinMTU a function of the transport
- * protocol's overhead rather than, say, what's needed to hold a minimally-sized
- * handshake fragment plus protocol overhead. */
+// TODO(davidben): 28 comes from the size of IP + UDP header. Is this reasonable
+// for these values? Notably, why is kMinMTU a function of the transport
+// protocol's overhead rather than, say, what's needed to hold a minimally-sized
+// handshake fragment plus protocol overhead.
-/* kMinMTU is the minimum acceptable MTU value. */
+// kMinMTU is the minimum acceptable MTU value.
static const unsigned int kMinMTU = 256 - 28;
-/* kDefaultMTU is the default MTU value to use if neither the user nor
- * the underlying BIO supplies one. */
+// kDefaultMTU is the default MTU value to use if neither the user nor
+// the underlying BIO supplies one.
static const unsigned int kDefaultMTU = 1500 - 28;
-/* Receiving handshake messages. */
+// Receiving handshake messages.
static void dtls1_hm_fragment_free(hm_fragment *frag) {
if (frag == NULL) {
@@ -165,7 +165,7 @@
frag->seq = msg_hdr->seq;
frag->msg_len = msg_hdr->msg_len;
- /* Allocate space for the reassembled message and fill in the header. */
+ // Allocate space for the reassembled message and fill in the header.
frag->data =
(uint8_t *)OPENSSL_malloc(DTLS1_HM_HEADER_LENGTH + msg_hdr->msg_len);
if (frag->data == NULL) {
@@ -184,9 +184,9 @@
goto err;
}
- /* If the handshake message is empty, |frag->reassembly| is NULL. */
+ // If the handshake message is empty, |frag->reassembly| is NULL.
if (msg_hdr->msg_len > 0) {
- /* Initialize reassembly bitmask. */
+ // Initialize reassembly bitmask.
if (msg_hdr->msg_len + 7 < msg_hdr->msg_len) {
OPENSSL_PUT_ERROR(SSL, ERR_R_OVERFLOW);
goto err;
@@ -207,16 +207,16 @@
return NULL;
}
-/* bit_range returns a |uint8_t| with bits |start|, inclusive, to |end|,
- * exclusive, set. */
+// bit_range returns a |uint8_t| with bits |start|, inclusive, to |end|,
+// exclusive, set.
static uint8_t bit_range(size_t start, size_t end) {
return (uint8_t)(~((1u << start) - 1) & ((1u << end) - 1));
}
-/* dtls1_hm_fragment_mark marks bytes |start|, inclusive, to |end|, exclusive,
- * as received in |frag|. If |frag| becomes complete, it clears
- * |frag->reassembly|. The range must be within the bounds of |frag|'s message
- * and |frag->reassembly| must not be NULL. */
+// dtls1_hm_fragment_mark marks bytes |start|, inclusive, to |end|, exclusive,
+// as received in |frag|. If |frag| becomes complete, it clears
+// |frag->reassembly|. The range must be within the bounds of |frag|'s message
+// and |frag->reassembly| must not be NULL.
static void dtls1_hm_fragment_mark(hm_fragment *frag, size_t start,
size_t end) {
size_t msg_len = frag->msg_len;
@@ -225,7 +225,7 @@
assert(0);
return;
}
- /* A zero-length message will never have a pending reassembly. */
+ // A zero-length message will never have a pending reassembly.
assert(msg_len > 0);
if ((start >> 3) == (end >> 3)) {
@@ -240,7 +240,7 @@
}
}
- /* Check if the fragment is complete. */
+ // Check if the fragment is complete.
for (size_t i = 0; i < (msg_len >> 3); i++) {
if (frag->reassembly[i] != 0xff) {
return;
@@ -255,18 +255,18 @@
frag->reassembly = NULL;
}
-/* dtls1_is_current_message_complete returns one if the current handshake
- * message is complete and zero otherwise. */
+// dtls1_is_current_message_complete returns one if the current handshake
+// message is complete and zero otherwise.
static int dtls1_is_current_message_complete(const SSL *ssl) {
hm_fragment *frag = ssl->d1->incoming_messages[ssl->d1->handshake_read_seq %
SSL_MAX_HANDSHAKE_FLIGHT];
return frag != NULL && frag->reassembly == NULL;
}
-/* dtls1_get_incoming_message returns the incoming message corresponding to
- * |msg_hdr|. If none exists, it creates a new one and inserts it in the
- * queue. Otherwise, it checks |msg_hdr| is consistent with the existing one. It
- * returns NULL on failure. The caller does not take ownership of the result. */
+// dtls1_get_incoming_message returns the incoming message corresponding to
+// |msg_hdr|. If none exists, it creates a new one and inserts it in the
+// queue. Otherwise, it checks |msg_hdr| is consistent with the existing one. It
+// returns NULL on failure. The caller does not take ownership of the result.
static hm_fragment *dtls1_get_incoming_message(
SSL *ssl, const struct hm_header_st *msg_hdr) {
if (msg_hdr->seq < ssl->d1->handshake_read_seq ||
@@ -278,8 +278,8 @@
hm_fragment *frag = ssl->d1->incoming_messages[idx];
if (frag != NULL) {
assert(frag->seq == msg_hdr->seq);
- /* The new fragment must be compatible with the previous fragments from this
- * message. */
+ // The new fragment must be compatible with the previous fragments from this
+ // message.
if (frag->type != msg_hdr->type ||
frag->msg_len != msg_hdr->msg_len) {
OPENSSL_PUT_ERROR(SSL, SSL_R_FRAGMENT_MISMATCH);
@@ -289,7 +289,7 @@
return frag;
}
- /* This is the first fragment from this message. */
+ // This is the first fragment from this message.
frag = dtls1_hm_fragment_new(msg_hdr);
if (frag == NULL) {
return NULL;
@@ -309,22 +309,22 @@
switch (rr->type) {
case SSL3_RT_APPLICATION_DATA:
- /* Unencrypted application data records are always illegal. */
+ // Unencrypted application data records are always illegal.
if (ssl->s3->aead_read_ctx->is_null_cipher()) {
ssl3_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_UNEXPECTED_MESSAGE);
OPENSSL_PUT_ERROR(SSL, SSL_R_UNEXPECTED_RECORD);
return -1;
}
- /* Out-of-order application data may be received between ChangeCipherSpec
- * and finished. Discard it. */
+ // Out-of-order application data may be received between ChangeCipherSpec
+ // and finished. Discard it.
rr->length = 0;
ssl_read_buffer_discard(ssl);
return 1;
case SSL3_RT_CHANGE_CIPHER_SPEC:
- /* We do not support renegotiation, so encrypted ChangeCipherSpec records
- * are illegal. */
+ // We do not support renegotiation, so encrypted ChangeCipherSpec records
+ // are illegal.
if (!ssl->s3->aead_read_ctx->is_null_cipher()) {
ssl3_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_UNEXPECTED_MESSAGE);
OPENSSL_PUT_ERROR(SSL, SSL_R_UNEXPECTED_RECORD);
@@ -337,7 +337,7 @@
return -1;
}
- /* Flag the ChangeCipherSpec for later. */
+ // Flag the ChangeCipherSpec for later.
ssl->d1->has_change_cipher_spec = true;
ssl_do_msg_callback(ssl, 0 /* read */, SSL3_RT_CHANGE_CIPHER_SPEC,
rr->data, rr->length);
@@ -347,7 +347,7 @@
return 1;
case SSL3_RT_HANDSHAKE:
- /* Break out to main processing. */
+ // Break out to main processing.
break;
default:
@@ -360,7 +360,7 @@
CBS_init(&cbs, rr->data, rr->length);
while (CBS_len(&cbs) > 0) {
- /* Read a handshake fragment. */
+ // Read a handshake fragment.
struct hm_header_st msg_hdr;
CBS body;
if (!dtls1_parse_fragment(&cbs, &msg_hdr, &body)) {
@@ -380,7 +380,7 @@
return -1;
}
- /* The encrypted epoch in DTLS has only one handshake message. */
+ // The encrypted epoch in DTLS has only one handshake message.
if (ssl->d1->r_epoch == 1 && msg_hdr.seq != ssl->d1->handshake_read_seq) {
OPENSSL_PUT_ERROR(SSL, SSL_R_UNEXPECTED_RECORD);
ssl3_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_UNEXPECTED_MESSAGE);
@@ -390,7 +390,7 @@
if (msg_hdr.seq < ssl->d1->handshake_read_seq ||
msg_hdr.seq >
(unsigned)ssl->d1->handshake_read_seq + SSL_MAX_HANDSHAKE_FLIGHT) {
- /* Ignore fragments from the past, or ones too far in the future. */
+ // Ignore fragments from the past, or ones too far in the future.
continue;
}
@@ -401,12 +401,12 @@
assert(frag->msg_len == msg_len);
if (frag->reassembly == NULL) {
- /* The message is already assembled. */
+ // The message is already assembled.
continue;
}
assert(msg_len > 0);
- /* Copy the body into the fragment. */
+ // Copy the body into the fragment.
OPENSSL_memcpy(frag->data + DTLS1_HM_HEADER_LENGTH + frag_off,
CBS_data(&body), CBS_len(&body));
dtls1_hm_fragment_mark(frag, frag_off, frag_off + frag_len);
@@ -444,8 +444,8 @@
ssl->d1->incoming_messages[index] = NULL;
ssl->d1->handshake_read_seq++;
ssl->s3->has_message = 0;
- /* If we previously sent a flight, mark it as having a reply, so
- * |on_handshake_complete| can manage post-handshake retransmission. */
+ // If we previously sent a flight, mark it as having a reply, so
+ // |on_handshake_complete| can manage post-handshake retransmission.
if (ssl->d1->outgoing_messages_complete) {
ssl->d1->flight_has_reply = true;
}
@@ -461,7 +461,7 @@
int dtls_has_incoming_messages(const SSL *ssl) {
size_t current = ssl->d1->handshake_read_seq % SSL_MAX_HANDSHAKE_FLIGHT;
for (size_t i = 0; i < SSL_MAX_HANDSHAKE_FLIGHT; i++) {
- /* Skip the current message. */
+ // Skip the current message.
if (ssl->s3->has_message && i == current) {
assert(dtls1_is_current_message_complete(ssl));
continue;
@@ -490,7 +490,7 @@
}
int dtls1_read_change_cipher_spec(SSL *ssl) {
- /* Process handshake records until there is a ChangeCipherSpec. */
+ // Process handshake records until there is a ChangeCipherSpec.
while (!ssl->d1->has_change_cipher_spec) {
int ret = dtls1_read_message(ssl);
if (ret <= 0) {
@@ -503,7 +503,7 @@
}
-/* Sending handshake messages. */
+// Sending handshake messages.
void dtls_clear_outgoing_messages(SSL *ssl) {
for (size_t i = 0; i < ssl->d1->outgoing_messages_len; i++) {
@@ -518,7 +518,7 @@
}
int dtls1_init_message(SSL *ssl, CBB *cbb, CBB *body, uint8_t type) {
- /* Pick a modest size hint to save most of the |realloc| calls. */
+ // Pick a modest size hint to save most of the |realloc| calls.
if (!CBB_init(cbb, 64) ||
!CBB_add_u8(cbb, type) ||
!CBB_add_u24(cbb, 0 /* length (filled in later) */) ||
@@ -541,20 +541,20 @@
return 0;
}
- /* Fix up the header. Copy the fragment length into the total message
- * length. */
+ // Fix up the header. Copy the fragment length into the total message
+ // length.
OPENSSL_memcpy(*out_msg + 1, *out_msg + DTLS1_HM_HEADER_LENGTH - 3, 3);
return 1;
}
-/* add_outgoing adds a new handshake message or ChangeCipherSpec to the current
- * outgoing flight. It returns one on success and zero on error. In both cases,
- * it takes ownership of |data| and releases it with |OPENSSL_free| when
- * done. */
+// add_outgoing adds a new handshake message or ChangeCipherSpec to the current
+// outgoing flight. It returns one on success and zero on error. In both cases,
+// it takes ownership of |data| and releases it with |OPENSSL_free| when
+// done.
static int add_outgoing(SSL *ssl, int is_ccs, uint8_t *data, size_t len) {
if (ssl->d1->outgoing_messages_complete) {
- /* If we've begun writing a new flight, we received the peer flight. Discard
- * the timer and the our flight. */
+ // If we've begun writing a new flight, we received the peer flight. Discard
+ // the timer and the our flight.
dtls1_stop_timer(ssl);
dtls_clear_outgoing_messages(ssl);
}
@@ -570,8 +570,8 @@
}
if (!is_ccs) {
- /* TODO(svaldez): Move this up a layer to fix abstraction for SSLTranscript
- * on hs. */
+ // TODO(svaldez): Move this up a layer to fix abstraction for SSLTranscript
+ // on hs.
if (ssl->s3->hs != NULL &&
!ssl->s3->hs->transcript.Update(data, len)) {
OPENSSL_PUT_ERROR(SSL, ERR_R_INTERNAL_ERROR);
@@ -601,20 +601,20 @@
}
int dtls1_add_alert(SSL *ssl, uint8_t level, uint8_t desc) {
- /* The |add_alert| path is only used for warning alerts for now, which DTLS
- * never sends. This will be implemented later once closure alerts are
- * converted. */
+ // The |add_alert| path is only used for warning alerts for now, which DTLS
+ // never sends. This will be implemented later once closure alerts are
+ // converted.
assert(0);
OPENSSL_PUT_ERROR(SSL, ERR_R_INTERNAL_ERROR);
return 0;
}
-/* dtls1_update_mtu updates the current MTU from the BIO, ensuring it is above
- * the minimum. */
+// dtls1_update_mtu updates the current MTU from the BIO, ensuring it is above
+// the minimum.
static void dtls1_update_mtu(SSL *ssl) {
- /* TODO(davidben): No consumer implements |BIO_CTRL_DGRAM_SET_MTU| and the
- * only |BIO_CTRL_DGRAM_QUERY_MTU| implementation could use
- * |SSL_set_mtu|. Does this need to be so complex? */
+ // TODO(davidben): No consumer implements |BIO_CTRL_DGRAM_SET_MTU| and the
+ // only |BIO_CTRL_DGRAM_QUERY_MTU| implementation could use
+ // |SSL_set_mtu|. Does this need to be so complex?
if (ssl->d1->mtu < dtls1_min_mtu() &&
!(SSL_get_options(ssl) & SSL_OP_NO_QUERY_MTU)) {
long mtu = BIO_ctrl(ssl->wbio, BIO_CTRL_DGRAM_QUERY_MTU, 0, NULL);
@@ -626,7 +626,7 @@
}
}
- /* The MTU should be above the minimum now. */
+ // The MTU should be above the minimum now.
assert(ssl->d1->mtu >= dtls1_min_mtu());
}
@@ -637,9 +637,9 @@
seal_success,
};
-/* seal_next_message seals |msg|, which must be the next message, to |out|. If
- * progress was made, it returns |seal_partial| or |seal_success| and sets
- * |*out_len| to the number of bytes written. */
+// seal_next_message seals |msg|, which must be the next message, to |out|. If
+// progress was made, it returns |seal_partial| or |seal_success| and sets
+// |*out_len| to the number of bytes written.
static enum seal_result_t seal_next_message(SSL *ssl, uint8_t *out,
size_t *out_len, size_t max_out,
const DTLS_OUTGOING_MESSAGE *msg) {
@@ -658,7 +658,7 @@
size_t prefix = dtls_seal_prefix_len(ssl, use_epoch);
if (msg->is_ccs) {
- /* Check there is room for the ChangeCipherSpec. */
+ // Check there is room for the ChangeCipherSpec.
static const uint8_t kChangeCipherSpec[1] = {SSL3_MT_CCS};
if (max_out < sizeof(kChangeCipherSpec) + overhead) {
return seal_no_progress;
@@ -675,7 +675,7 @@
return seal_success;
}
- /* DTLS messages are serialized as a single fragment in |msg|. */
+ // DTLS messages are serialized as a single fragment in |msg|.
CBS cbs, body;
struct hm_header_st hdr;
CBS_init(&cbs, msg->data, msg->len);
@@ -689,7 +689,7 @@
return seal_error;
}
- /* Determine how much progress can be made. */
+ // Determine how much progress can be made.
if (max_out < DTLS1_HM_HEADER_LENGTH + 1 + overhead || max_out < prefix) {
return seal_no_progress;
}
@@ -698,7 +698,7 @@
todo = max_out - DTLS1_HM_HEADER_LENGTH - overhead;
}
- /* Assemble a fragment, to be sealed in-place. */
+ // Assemble a fragment, to be sealed in-place.
ScopedCBB cbb;
uint8_t *frag = out + prefix;
size_t max_frag = max_out - prefix, frag_len;
@@ -722,7 +722,7 @@
}
if (todo == CBS_len(&body)) {
- /* The next message is complete. */
+ // The next message is complete.
ssl->d1->outgoing_offset = 0;
return seal_success;
}
@@ -731,9 +731,9 @@
return seal_partial;
}
-/* seal_next_packet writes as much of the next flight as possible to |out| and
- * advances |ssl->d1->outgoing_written| and |ssl->d1->outgoing_offset| as
- * appropriate. */
+// seal_next_packet writes as much of the next flight as possible to |out| and
+// advances |ssl->d1->outgoing_written| and |ssl->d1->outgoing_offset| as
+// appropriate.
static int seal_next_packet(SSL *ssl, uint8_t *out, size_t *out_len,
size_t max_out) {
int made_progress = 0;
@@ -767,7 +767,7 @@
}
packet_full:
- /* The MTU was too small to make any progress. */
+ // The MTU was too small to make any progress.
if (!made_progress) {
OPENSSL_PUT_ERROR(SSL, SSL_R_MTU_TOO_SMALL);
return 0;
@@ -798,7 +798,7 @@
int bio_ret = BIO_write(ssl->wbio, packet, packet_len);
if (bio_ret <= 0) {
- /* Retry this packet the next time around. */
+ // Retry this packet the next time around.
ssl->d1->outgoing_written = old_written;
ssl->d1->outgoing_offset = old_offset;
ssl->rwstate = SSL_WRITING;
@@ -821,16 +821,16 @@
int dtls1_flush_flight(SSL *ssl) {
ssl->d1->outgoing_messages_complete = true;
- /* Start the retransmission timer for the next flight (if any). */
+ // Start the retransmission timer for the next flight (if any).
dtls1_start_timer(ssl);
return send_flight(ssl);
}
int dtls1_retransmit_outgoing_messages(SSL *ssl) {
- /* Rewind to the start of the flight and write it again.
- *
- * TODO(davidben): This does not allow retransmits to be resumed on
- * non-blocking write. */
+ // Rewind to the start of the flight and write it again.
+ //
+ // TODO(davidben): This does not allow retransmits to be resumed on
+ // non-blocking write.
ssl->d1->outgoing_written = 0;
ssl->d1->outgoing_offset = 0;
diff --git a/ssl/d1_lib.cc b/ssl/d1_lib.cc
index 30110b4..ec5d470 100644
--- a/ssl/d1_lib.cc
+++ b/ssl/d1_lib.cc
@@ -70,12 +70,12 @@
namespace bssl {
-/* DTLS1_MTU_TIMEOUTS is the maximum number of timeouts to expire
- * before starting to decrease the MTU. */
+// DTLS1_MTU_TIMEOUTS is the maximum number of timeouts to expire
+// before starting to decrease the MTU.
#define DTLS1_MTU_TIMEOUTS 2
-/* DTLS1_MAX_TIMEOUTS is the maximum number of timeouts to expire
- * before failing the DTLS handshake. */
+// DTLS1_MAX_TIMEOUTS is the maximum number of timeouts to expire
+// before failing the DTLS handshake.
#define DTLS1_MAX_TIMEOUTS 12
int dtls1_new(SSL *ssl) {
@@ -91,11 +91,11 @@
ssl->d1 = d1;
- /* Set the version to the highest supported version.
- *
- * TODO(davidben): Move this field into |s3|, have it store the normalized
- * protocol version, and implement this pre-negotiation quirk in |SSL_version|
- * at the API boundary rather than in internal state. */
+ // Set the version to the highest supported version.
+ //
+ // TODO(davidben): Move this field into |s3|, have it store the normalized
+ // protocol version, and implement this pre-negotiation quirk in |SSL_version|
+ // at the API boundary rather than in internal state.
ssl->version = DTLS1_2_VERSION;
return 1;
}
@@ -116,15 +116,15 @@
}
void dtls1_start_timer(SSL *ssl) {
- /* If timer is not set, initialize duration (by default, 1 second) */
+ // If timer is not set, initialize duration (by default, 1 second)
if (ssl->d1->next_timeout.tv_sec == 0 && ssl->d1->next_timeout.tv_usec == 0) {
ssl->d1->timeout_duration_ms = ssl->initial_timeout_duration_ms;
}
- /* Set timeout to current time */
+ // Set timeout to current time
ssl_get_current_time(ssl, &ssl->d1->next_timeout);
- /* Add duration to current time */
+ // Add duration to current time
ssl->d1->next_timeout.tv_sec += ssl->d1->timeout_duration_ms / 1000;
ssl->d1->next_timeout.tv_usec += (ssl->d1->timeout_duration_ms % 1000) * 1000;
if (ssl->d1->next_timeout.tv_usec >= 1000000) {
@@ -136,17 +136,17 @@
int dtls1_is_timer_expired(SSL *ssl) {
struct timeval timeleft;
- /* Get time left until timeout, return false if no timer running */
+ // Get time left until timeout, return false if no timer running
if (!DTLSv1_get_timeout(ssl, &timeleft)) {
return 0;
}
- /* Return false if timer is not expired yet */
+ // Return false if timer is not expired yet
if (timeleft.tv_sec > 0 || timeleft.tv_usec > 0) {
return 0;
}
- /* Timer expired, so return true */
+ // Timer expired, so return true
return 1;
}
@@ -166,7 +166,7 @@
int dtls1_check_timeout_num(SSL *ssl) {
ssl->d1->num_timeouts++;
- /* Reduce MTU after 2 unsuccessful retransmissions */
+ // Reduce MTU after 2 unsuccessful retransmissions
if (ssl->d1->num_timeouts > DTLS1_MTU_TIMEOUTS &&
!(SSL_get_options(ssl) & SSL_OP_NO_QUERY_MTU)) {
long mtu = BIO_ctrl(ssl->wbio, BIO_CTRL_DGRAM_GET_FALLBACK_MTU, 0, NULL);
@@ -176,7 +176,7 @@
}
if (ssl->d1->num_timeouts > DTLS1_MAX_TIMEOUTS) {
- /* fail the connection, enough alerts have been sent */
+ // fail the connection, enough alerts have been sent
OPENSSL_PUT_ERROR(SSL, SSL_R_READ_TIMEOUT_EXPIRED);
return 0;
}
@@ -197,7 +197,7 @@
return 0;
}
- /* If no timeout is set, just return 0. */
+ // If no timeout is set, just return 0.
if (ssl->d1->next_timeout.tv_sec == 0 && ssl->d1->next_timeout.tv_usec == 0) {
return 0;
}
@@ -205,7 +205,7 @@
struct OPENSSL_timeval timenow;
ssl_get_current_time(ssl, &timenow);
- /* If timer already expired, set remaining time to 0. */
+ // If timer already expired, set remaining time to 0.
if (ssl->d1->next_timeout.tv_sec < timenow.tv_sec ||
(ssl->d1->next_timeout.tv_sec == timenow.tv_sec &&
ssl->d1->next_timeout.tv_usec <= timenow.tv_usec)) {
@@ -213,7 +213,7 @@
return 1;
}
- /* Calculate time left until timer expires. */
+ // Calculate time left until timer expires.
struct OPENSSL_timeval ret;
OPENSSL_memcpy(&ret, &ssl->d1->next_timeout, sizeof(ret));
ret.tv_sec -= timenow.tv_sec;
@@ -224,13 +224,13 @@
ret.tv_sec--;
}
- /* If remaining time is less than 15 ms, set it to 0 to prevent issues
- * because of small divergences with socket timeouts. */
+ // If remaining time is less than 15 ms, set it to 0 to prevent issues
+ // because of small divergences with socket timeouts.
if (ret.tv_sec == 0 && ret.tv_usec < 15000) {
OPENSSL_memset(&ret, 0, sizeof(ret));
}
- /* Clamp the result in case of overflow. */
+ // Clamp the result in case of overflow.
if (ret.tv_sec > INT_MAX) {
assert(0);
out->tv_sec = INT_MAX;
@@ -250,7 +250,7 @@
return -1;
}
- /* If no timer is expired, don't do anything. */
+ // If no timer is expired, don't do anything.
if (!dtls1_is_timer_expired(ssl)) {
return 0;
}
diff --git a/ssl/d1_pkt.cc b/ssl/d1_pkt.cc
index 3841232..7a1c229 100644
--- a/ssl/d1_pkt.cc
+++ b/ssl/d1_pkt.cc
@@ -140,15 +140,15 @@
return 0;
}
- /* Read a new packet if there is no unconsumed one. */
+ // Read a new packet if there is no unconsumed one.
if (ssl_read_buffer_len(ssl) == 0) {
int read_ret = ssl_read_buffer_extend_to(ssl, 0 /* unused */);
if (read_ret < 0 && dtls1_is_timer_expired(ssl)) {
- /* Historically, timeouts were handled implicitly if the caller did not
- * handle them.
- *
- * TODO(davidben): This was to support blocking sockets but affected
- * non-blocking sockets. Can it be removed? */
+ // Historically, timeouts were handled implicitly if the caller did not
+ // handle them.
+ //
+ // TODO(davidben): This was to support blocking sockets but affected
+ // non-blocking sockets. Can it be removed?
int timeout_ret = DTLSv1_handle_timeout(ssl);
if (timeout_ret <= 0) {
return timeout_ret;
@@ -170,7 +170,7 @@
ssl_read_buffer_consume(ssl, consumed);
switch (open_ret) {
case ssl_open_record_partial:
- /* Impossible in DTLS. */
+ // Impossible in DTLS.
break;
case ssl_open_record_success: {
@@ -221,9 +221,9 @@
}
if (rr->type == SSL3_RT_HANDSHAKE) {
- /* Parse the first fragment header to determine if this is a pre-CCS or
- * post-CCS handshake record. DTLS resets handshake message numbers on each
- * handshake, so renegotiations and retransmissions are ambiguous. */
+ // Parse the first fragment header to determine if this is a pre-CCS or
+ // post-CCS handshake record. DTLS resets handshake message numbers on each
+ // handshake, so renegotiations and retransmissions are ambiguous.
CBS cbs, body;
struct hm_header_st msg_hdr;
CBS_init(&cbs, rr->data, rr->length);
@@ -236,9 +236,9 @@
if (msg_hdr.type == SSL3_MT_FINISHED &&
msg_hdr.seq == ssl->d1->handshake_read_seq - 1) {
if (msg_hdr.frag_off == 0) {
- /* Retransmit our last flight of messages. If the peer sends the second
- * Finished, they may not have received ours. Only do this for the
- * first fragment, in case the Finished was fragmented. */
+ // Retransmit our last flight of messages. If the peer sends the second
+ // Finished, they may not have received ours. Only do this for the
+ // first fragment, in case the Finished was fragmented.
if (!dtls1_check_timeout_num(ssl)) {
return -1;
}
@@ -250,8 +250,8 @@
goto again;
}
- /* Otherwise, this is a pre-CCS handshake message from an unsupported
- * renegotiation attempt. Fall through to the error path. */
+ // Otherwise, this is a pre-CCS handshake message from an unsupported
+ // renegotiation attempt. Fall through to the error path.
}
if (rr->type != SSL3_RT_APPLICATION_DATA) {
@@ -260,7 +260,7 @@
return -1;
}
- /* Discard empty records. */
+ // Discard empty records.
if (rr->length == 0) {
goto again;
}
@@ -275,12 +275,12 @@
OPENSSL_memcpy(buf, rr->data, len);
if (!peek) {
- /* TODO(davidben): Should the record be truncated instead? This is a
- * datagram transport. See https://crbug.com/boringssl/65. */
+ // TODO(davidben): Should the record be truncated instead? This is a
+ // datagram transport. See https://crbug.com/boringssl/65.
rr->length -= len;
rr->data += len;
if (rr->length == 0) {
- /* The record has been consumed, so we may now clear the buffer. */
+ // The record has been consumed, so we may now clear the buffer.
ssl_read_buffer_discard(ssl);
}
}
@@ -289,10 +289,10 @@
}
void dtls1_read_close_notify(SSL *ssl) {
- /* Bidirectional shutdown doesn't make sense for an unordered transport. DTLS
- * alerts also aren't delivered reliably, so we may even time out because the
- * peer never received our close_notify. Report to the caller that the channel
- * has fully shut down. */
+ // Bidirectional shutdown doesn't make sense for an unordered transport. DTLS
+ // alerts also aren't delivered reliably, so we may even time out because the
+ // peer never received our close_notify. Report to the caller that the channel
+ // has fully shut down.
if (ssl->s3->recv_shutdown == ssl_shutdown_none) {
ssl->s3->recv_shutdown = ssl_shutdown_close_notify;
}
@@ -328,9 +328,9 @@
int dtls1_write_record(SSL *ssl, int type, const uint8_t *buf, size_t len,
enum dtls1_use_epoch_t use_epoch) {
assert(len <= SSL3_RT_MAX_PLAIN_LENGTH);
- /* There should never be a pending write buffer in DTLS. One can't write half
- * a datagram, so the write buffer is always dropped in
- * |ssl_write_buffer_flush|. */
+ // There should never be a pending write buffer in DTLS. One can't write half
+ // a datagram, so the write buffer is always dropped in
+ // |ssl_write_buffer_flush|.
assert(!ssl_write_buffer_is_pending(ssl));
if (len > SSL3_RT_MAX_PLAIN_LENGTH) {
@@ -364,7 +364,7 @@
}
ssl->s3->alert_dispatch = 0;
- /* If the alert is fatal, flush the BIO now. */
+ // If the alert is fatal, flush the BIO now.
if (ssl->s3->send_alert[0] == SSL3_AL_FATAL) {
BIO_flush(ssl->wbio);
}
diff --git a/ssl/d1_srtp.cc b/ssl/d1_srtp.cc
index 2d94bd2..30733ec 100644
--- a/ssl/d1_srtp.cc
+++ b/ssl/d1_srtp.cc
@@ -226,11 +226,11 @@
}
int SSL_CTX_set_tlsext_use_srtp(SSL_CTX *ctx, const char *profiles) {
- /* This API inverts its return value. */
+ // This API inverts its return value.
return !SSL_CTX_set_srtp_profiles(ctx, profiles);
}
int SSL_set_tlsext_use_srtp(SSL *ssl, const char *profiles) {
- /* This API inverts its return value. */
+ // This API inverts its return value.
return !SSL_set_srtp_profiles(ssl, profiles);
}
diff --git a/ssl/dtls_method.cc b/ssl/dtls_method.cc
index 1f95970..050246d 100644
--- a/ssl/dtls_method.cc
+++ b/ssl/dtls_method.cc
@@ -73,17 +73,17 @@
}
static void dtls1_on_handshake_complete(SSL *ssl) {
- /* Stop the reply timer left by the last flight we sent. */
+ // Stop the reply timer left by the last flight we sent.
dtls1_stop_timer(ssl);
- /* If the final flight had a reply, we know the peer has received it. If not,
- * we must leave the flight around for post-handshake retransmission. */
+ // If the final flight had a reply, we know the peer has received it. If not,
+ // we must leave the flight around for post-handshake retransmission.
if (ssl->d1->flight_has_reply) {
dtls_clear_outgoing_messages(ssl);
}
}
static int dtls1_set_read_state(SSL *ssl, UniquePtr<SSLAEADContext> aead_ctx) {
- /* Cipher changes are illegal when there are buffered incoming messages. */
+ // Cipher changes are illegal when there are buffered incoming messages.
if (dtls_has_incoming_messages(ssl) || ssl->d1->has_change_cipher_spec) {
OPENSSL_PUT_ERROR(SSL, SSL_R_BUFFERED_MESSAGES_ON_CIPHER_CHANGE);
ssl3_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_UNEXPECTED_MESSAGE);
@@ -153,7 +153,7 @@
return &kMethod;
}
-/* Legacy version-locked methods. */
+// Legacy version-locked methods.
const SSL_METHOD *DTLSv1_2_method(void) {
static const SSL_METHOD kMethod = {
@@ -173,7 +173,7 @@
return &kMethod;
}
-/* Legacy side-specific methods. */
+// Legacy side-specific methods.
const SSL_METHOD *DTLSv1_2_server_method(void) {
return DTLSv1_2_method();
diff --git a/ssl/dtls_record.cc b/ssl/dtls_record.cc
index c7ee646..dbc8fa2 100644
--- a/ssl/dtls_record.cc
+++ b/ssl/dtls_record.cc
@@ -123,8 +123,8 @@
namespace bssl {
-/* to_u64_be treats |in| as a 8-byte big-endian integer and returns the value as
- * a |uint64_t|. */
+// to_u64_be treats |in| as a 8-byte big-endian integer and returns the value as
+// a |uint64_t|.
static uint64_t to_u64_be(const uint8_t in[8]) {
uint64_t ret = 0;
unsigned i;
@@ -135,8 +135,8 @@
return ret;
}
-/* dtls1_bitmap_should_discard returns one if |seq_num| has been seen in |bitmap|
- * or is stale. Otherwise it returns zero. */
+// dtls1_bitmap_should_discard returns one if |seq_num| has been seen in
+// |bitmap| or is stale. Otherwise it returns zero.
static int dtls1_bitmap_should_discard(DTLS1_BITMAP *bitmap,
const uint8_t seq_num[8]) {
const unsigned kWindowSize = sizeof(bitmap->map) * 8;
@@ -149,15 +149,15 @@
return idx >= kWindowSize || (bitmap->map & (((uint64_t)1) << idx));
}
-/* dtls1_bitmap_record updates |bitmap| to record receipt of sequence number
- * |seq_num|. It slides the window forward if needed. It is an error to call
- * this function on a stale sequence number. */
+// dtls1_bitmap_record updates |bitmap| to record receipt of sequence number
+// |seq_num|. It slides the window forward if needed. It is an error to call
+// this function on a stale sequence number.
static void dtls1_bitmap_record(DTLS1_BITMAP *bitmap,
const uint8_t seq_num[8]) {
const unsigned kWindowSize = sizeof(bitmap->map) * 8;
uint64_t seq_num_u = to_u64_be(seq_num);
- /* Shift the window if necessary. */
+ // Shift the window if necessary.
if (seq_num_u > bitmap->max_seq_num) {
uint64_t shift = seq_num_u - bitmap->max_seq_num;
if (shift >= kWindowSize) {
@@ -183,7 +183,7 @@
CBS cbs;
CBS_init(&cbs, in, in_len);
- /* Decode the record. */
+ // Decode the record.
uint8_t type;
uint16_t version;
uint8_t sequence[8];
@@ -195,7 +195,7 @@
(ssl->s3->have_version && version != ssl->version) ||
(version >> 8) != DTLS1_VERSION_MAJOR ||
CBS_len(&body) > SSL3_RT_MAX_ENCRYPTED_LENGTH) {
- /* The record header was incomplete or malformed. Drop the entire packet. */
+ // The record header was incomplete or malformed. Drop the entire packet.
*out_consumed = in_len;
return ssl_open_record_discard;
}
@@ -206,31 +206,31 @@
uint16_t epoch = (((uint16_t)sequence[0]) << 8) | sequence[1];
if (epoch != ssl->d1->r_epoch ||
dtls1_bitmap_should_discard(&ssl->d1->bitmap, sequence)) {
- /* Drop this record. It's from the wrong epoch or is a replay. Note that if
- * |epoch| is the next epoch, the record could be buffered for later. For
- * simplicity, drop it and expect retransmit to handle it later; DTLS must
- * handle packet loss anyway. */
+ // Drop this record. It's from the wrong epoch or is a replay. Note that if
+ // |epoch| is the next epoch, the record could be buffered for later. For
+ // simplicity, drop it and expect retransmit to handle it later; DTLS must
+ // handle packet loss anyway.
*out_consumed = in_len - CBS_len(&cbs);
return ssl_open_record_discard;
}
- /* Decrypt the body in-place. */
+ // Decrypt the body in-place.
if (!ssl->s3->aead_read_ctx->Open(out, type, version, sequence,
(uint8_t *)CBS_data(&body),
CBS_len(&body))) {
- /* Bad packets are silently dropped in DTLS. See section 4.2.1 of RFC 6347.
- * Clear the error queue of any errors decryption may have added. Drop the
- * entire packet as it must not have come from the peer.
- *
- * TODO(davidben): This doesn't distinguish malloc failures from encryption
- * failures. */
+ // Bad packets are silently dropped in DTLS. See section 4.2.1 of RFC 6347.
+ // Clear the error queue of any errors decryption may have added. Drop the
+ // entire packet as it must not have come from the peer.
+ //
+ // TODO(davidben): This doesn't distinguish malloc failures from encryption
+ // failures.
ERR_clear_error();
*out_consumed = in_len - CBS_len(&cbs);
return ssl_open_record_discard;
}
*out_consumed = in_len - CBS_len(&cbs);
- /* Check the plaintext length. */
+ // Check the plaintext length.
if (CBS_len(out) > SSL3_RT_MAX_PLAIN_LENGTH) {
OPENSSL_PUT_ERROR(SSL, SSL_R_DATA_LENGTH_TOO_LONG);
*out_alert = SSL_AD_RECORD_OVERFLOW;
@@ -239,8 +239,8 @@
dtls1_bitmap_record(&ssl->d1->bitmap, sequence);
- /* TODO(davidben): Limit the number of empty records as in TLS? This is only
- * useful if we also limit discarded packets. */
+ // TODO(davidben): Limit the number of empty records as in TLS? This is only
+ // useful if we also limit discarded packets.
if (type == SSL3_RT_ALERT) {
return ssl_process_alert(ssl, out_alert, CBS_data(out), CBS_len(out));
@@ -282,7 +282,7 @@
return 0;
}
- /* Determine the parameters for the current epoch. */
+ // Determine the parameters for the current epoch.
uint16_t epoch = ssl->d1->w_epoch;
SSLAEADContext *aead = ssl->s3->aead_write_ctx;
uint8_t *seq = ssl->s3->write_sequence;
diff --git a/ssl/handshake.cc b/ssl/handshake.cc
index ec6213f..3e2ae61 100644
--- a/ssl/handshake.cc
+++ b/ssl/handshake.cc
@@ -199,8 +199,8 @@
}
size_t ssl_max_handshake_message_len(const SSL *ssl) {
- /* kMaxMessageLen is the default maximum message size for handshakes which do
- * not accept peer certificate chains. */
+ // kMaxMessageLen is the default maximum message size for handshakes which do
+ // not accept peer certificate chains.
static const size_t kMaxMessageLen = 16384;
if (SSL_in_init(ssl)) {
@@ -212,24 +212,24 @@
}
if (ssl3_protocol_version(ssl) < TLS1_3_VERSION) {
- /* In TLS 1.2 and below, the largest acceptable post-handshake message is
- * a HelloRequest. */
+ // In TLS 1.2 and below, the largest acceptable post-handshake message is
+ // a HelloRequest.
return 0;
}
if (ssl->server) {
- /* The largest acceptable post-handshake message for a server is a
- * KeyUpdate. We will never initiate post-handshake auth. */
+ // The largest acceptable post-handshake message for a server is a
+ // KeyUpdate. We will never initiate post-handshake auth.
return 1;
}
- /* Clients must accept NewSessionTicket and CertificateRequest, so allow the
- * default size. */
+ // Clients must accept NewSessionTicket and CertificateRequest, so allow the
+ // default size.
return kMaxMessageLen;
}
bool ssl_hash_message(SSL_HANDSHAKE *hs, const SSLMessage &msg) {
- /* V2ClientHello messages are pre-hashed. */
+ // V2ClientHello messages are pre-hashed.
if (msg.is_v2_hello) {
return true;
}
@@ -240,7 +240,7 @@
int ssl_parse_extensions(const CBS *cbs, uint8_t *out_alert,
const SSL_EXTENSION_TYPE *ext_types,
size_t num_ext_types, int ignore_unknown) {
- /* Reset everything. */
+ // Reset everything.
for (size_t i = 0; i < num_ext_types; i++) {
*ext_types[i].out_present = 0;
CBS_init(ext_types[i].out_data, NULL, 0);
@@ -274,7 +274,7 @@
return 0;
}
- /* Duplicate ext_types are forbidden. */
+ // Duplicate ext_types are forbidden.
if (*ext_type->out_present) {
OPENSSL_PUT_ERROR(SSL, SSL_R_DUPLICATE_EXTENSION);
*out_alert = SSL_AD_ILLEGAL_PARAMETER;
@@ -289,8 +289,8 @@
}
static void set_crypto_buffer(CRYPTO_BUFFER **dest, CRYPTO_BUFFER *src) {
- /* TODO(davidben): Remove this helper once |SSL_SESSION| can use |UniquePtr|
- * and |UniquePtr| has up_ref helpers. */
+ // TODO(davidben): Remove this helper once |SSL_SESSION| can use |UniquePtr|
+ // and |UniquePtr| has up_ref helpers.
CRYPTO_BUFFER_free(*dest);
*dest = src;
if (src != nullptr) {
@@ -302,10 +302,10 @@
SSL *const ssl = hs->ssl;
const SSL_SESSION *prev_session = ssl->s3->established_session;
if (prev_session != NULL) {
- /* If renegotiating, the server must not change the server certificate. See
- * https://mitls.org/pages/attacks/3SHAKE. We never resume on renegotiation,
- * so this check is sufficient to ensure the reported peer certificate never
- * changes on renegotiation. */
+ // If renegotiating, the server must not change the server certificate. See
+ // https://mitls.org/pages/attacks/3SHAKE. We never resume on renegotiation,
+ // so this check is sufficient to ensure the reported peer certificate never
+ // changes on renegotiation.
assert(!ssl->server);
if (sk_CRYPTO_BUFFER_num(prev_session->certs) !=
sk_CRYPTO_BUFFER_num(hs->new_session->certs)) {
@@ -329,10 +329,10 @@
}
}
- /* The certificate is identical, so we may skip re-verifying the
- * certificate. Since we only authenticated the previous one, copy other
- * authentication from the established session and ignore what was newly
- * received. */
+ // The certificate is identical, so we may skip re-verifying the
+ // certificate. Since we only authenticated the previous one, copy other
+ // authentication from the established session and ignore what was newly
+ // received.
set_crypto_buffer(&hs->new_session->ocsp_response,
prev_session->ocsp_response);
set_crypto_buffer(&hs->new_session->signed_cert_timestamp_list,
@@ -371,17 +371,17 @@
}
uint16_t ssl_get_grease_value(const SSL *ssl, enum ssl_grease_index_t index) {
- /* Use the client_random or server_random for entropy. This both avoids
- * calling |RAND_bytes| on a single byte repeatedly and ensures the values are
- * deterministic. This allows the same ClientHello be sent twice for a
- * HelloRetryRequest or the same group be advertised in both supported_groups
- * and key_shares. */
+ // Use the client_random or server_random for entropy. This both avoids
+ // calling |RAND_bytes| on a single byte repeatedly and ensures the values are
+ // deterministic. This allows the same ClientHello be sent twice for a
+ // HelloRetryRequest or the same group be advertised in both supported_groups
+ // and key_shares.
uint16_t ret = ssl->server ? ssl->s3->server_random[index]
: ssl->s3->client_random[index];
- /* The first four bytes of server_random are a timestamp prior to TLS 1.3, but
- * servers have no fields to GREASE until TLS 1.3. */
+ // The first four bytes of server_random are a timestamp prior to TLS 1.3, but
+ // servers have no fields to GREASE until TLS 1.3.
assert(!ssl->server || ssl3_protocol_version(ssl) >= TLS1_3_VERSION);
- /* This generates a random value of the form 0xωaωa, for all 0 ≤ ω < 16. */
+ // This generates a random value of the form 0xωaωa, for all 0 ≤ ω < 16.
ret = (ret & 0xf0) | 0x0a;
ret |= ret << 8;
return ret;
@@ -398,7 +398,7 @@
return ssl_hs_error;
}
- /* Snapshot the finished hash before incorporating the new message. */
+ // Snapshot the finished hash before incorporating the new message.
uint8_t finished[EVP_MAX_MD_SIZE];
size_t finished_len;
if (!hs->transcript.GetFinishedMAC(finished, &finished_len,
@@ -418,7 +418,7 @@
return ssl_hs_error;
}
- /* Copy the Finished so we can use it for renegotiation checks. */
+ // Copy the Finished so we can use it for renegotiation checks.
if (ssl->version != SSL3_VERSION) {
if (finished_len > sizeof(ssl->s3->previous_client_finished) ||
finished_len > sizeof(ssl->s3->previous_server_finished)) {
@@ -442,7 +442,7 @@
int ssl_run_handshake(SSL_HANDSHAKE *hs, int *out_early_return) {
SSL *const ssl = hs->ssl;
for (;;) {
- /* Resolve the operation the handshake was waiting on. */
+ // Resolve the operation the handshake was waiting on.
switch (hs->wait) {
case ssl_hs_error:
OPENSSL_PUT_ERROR(SSL, SSL_R_SSL_HANDSHAKE_FAILURE);
@@ -464,13 +464,13 @@
if (hs->wait == ssl_hs_read_server_hello &&
ERR_GET_LIB(err) == ERR_LIB_SSL &&
ERR_GET_REASON(err) == SSL_R_SSLV3_ALERT_HANDSHAKE_FAILURE) {
- /* Add a dedicated error code to the queue for a handshake_failure
- * alert in response to ClientHello. This matches NSS's client
- * behavior and gives a better error on a (probable) failure to
- * negotiate initial parameters. Note: this error code comes after
- * the original one.
- *
- * See https://crbug.com/446505. */
+ // Add a dedicated error code to the queue for a handshake_failure
+ // alert in response to ClientHello. This matches NSS's client
+ // behavior and gives a better error on a (probable) failure to
+ // negotiate initial parameters. Note: this error code comes after
+ // the original one.
+ //
+ // See https://crbug.com/446505.
OPENSSL_PUT_ERROR(SSL, SSL_R_HANDSHAKE_FAILURE_ON_CLIENT_HELLO);
}
return ret;
@@ -488,7 +488,7 @@
case ssl_hs_read_end_of_early_data: {
if (ssl->s3->hs->can_early_read) {
- /* While we are processing early data, the handshake returns early. */
+ // While we are processing early data, the handshake returns early.
*out_early_return = 1;
return 1;
}
@@ -533,7 +533,7 @@
case ssl_hs_early_data_rejected:
ssl->rwstate = SSL_EARLY_DATA_REJECTED;
- /* Cause |SSL_write| to start failing immediately. */
+ // Cause |SSL_write| to start failing immediately.
hs->can_early_write = 0;
return -1;
@@ -546,20 +546,20 @@
break;
}
- /* Run the state machine again. */
+ // Run the state machine again.
hs->wait = ssl->do_handshake(hs);
if (hs->wait == ssl_hs_error) {
- /* Don't loop around to avoid a stray |SSL_R_SSL_HANDSHAKE_FAILURE| the
- * first time around. */
+ // Don't loop around to avoid a stray |SSL_R_SSL_HANDSHAKE_FAILURE| the
+ // first time around.
return -1;
}
if (hs->wait == ssl_hs_ok) {
- /* The handshake has completed. */
+ // The handshake has completed.
return 1;
}
- /* Otherwise, loop to the beginning and resolve what was blocking the
- * handshake. */
+ // Otherwise, loop to the beginning and resolve what was blocking the
+ // handshake.
}
}
diff --git a/ssl/handshake_client.cc b/ssl/handshake_client.cc
index 37bf372..5a0902d 100644
--- a/ssl/handshake_client.cc
+++ b/ssl/handshake_client.cc
@@ -199,14 +199,14 @@
state_done,
};
-/* ssl_get_client_disabled sets |*out_mask_a| and |*out_mask_k| to masks of
- * disabled algorithms. */
+// ssl_get_client_disabled sets |*out_mask_a| and |*out_mask_k| to masks of
+// disabled algorithms.
static void ssl_get_client_disabled(SSL *ssl, uint32_t *out_mask_a,
uint32_t *out_mask_k) {
*out_mask_a = 0;
*out_mask_k = 0;
- /* PSK requires a client callback. */
+ // PSK requires a client callback.
if (ssl->psk_client_callback == NULL) {
*out_mask_a |= SSL_aPSK;
*out_mask_k |= SSL_kPSK;
@@ -223,14 +223,14 @@
return 0;
}
- /* Add a fake cipher suite. See draft-davidben-tls-grease-01. */
+ // Add a fake cipher suite. See draft-davidben-tls-grease-01.
if (ssl->ctx->grease_enabled &&
!CBB_add_u16(&child, ssl_get_grease_value(ssl, ssl_grease_cipher))) {
return 0;
}
- /* Add TLS 1.3 ciphers. Order ChaCha20-Poly1305 relative to AES-GCM based on
- * hardware support. */
+ // Add TLS 1.3 ciphers. Order ChaCha20-Poly1305 relative to AES-GCM based on
+ // hardware support.
if (hs->max_version >= TLS1_3_VERSION) {
if (!EVP_has_aes_hardware() &&
!CBB_add_u16(&child, TLS1_CK_CHACHA20_POLY1305_SHA256 & 0xffff)) {
@@ -249,7 +249,7 @@
if (hs->min_version < TLS1_3_VERSION) {
int any_enabled = 0;
for (const SSL_CIPHER *cipher : SSL_get_ciphers(ssl)) {
- /* Skip disabled ciphers */
+ // Skip disabled ciphers
if ((cipher->algorithm_mkey & mask_k) ||
(cipher->algorithm_auth & mask_a)) {
continue;
@@ -264,15 +264,15 @@
}
}
- /* If all ciphers were disabled, return the error to the caller. */
+ // If all ciphers were disabled, return the error to the caller.
if (!any_enabled && hs->max_version < TLS1_3_VERSION) {
OPENSSL_PUT_ERROR(SSL, SSL_R_NO_CIPHERS_AVAILABLE);
return 0;
}
}
- /* For SSLv3, the SCSV is added. Otherwise the renegotiation extension is
- * added. */
+ // For SSLv3, the SCSV is added. Otherwise the renegotiation extension is
+ // added.
if (hs->max_version == SSL3_VERSION &&
!ssl->s3->initial_handshake_complete) {
if (!CBB_add_u16(&child, SSL3_CK_SCSV & 0xffff)) {
@@ -297,7 +297,7 @@
return 0;
}
- /* Renegotiations do not participate in session resumption. */
+ // Renegotiations do not participate in session resumption.
int has_session_id = ssl->session != NULL &&
!ssl->s3->initial_handshake_complete &&
ssl->session->session_id_length > 0;
@@ -315,8 +315,8 @@
return 0;
}
} else {
- /* In TLS 1.3 experimental encodings, send a fake placeholder session ID
- * when we do not otherwise have one to send. */
+ // In TLS 1.3 experimental encodings, send a fake placeholder session ID
+ // when we do not otherwise have one to send.
if (hs->max_version >= TLS1_3_VERSION &&
ssl->tls13_variant == tls13_experiment &&
!CBB_add_bytes(&child, hs->session_id, hs->session_id_len)) {
@@ -346,8 +346,8 @@
return 0;
}
- /* Now that the length prefixes have been computed, fill in the placeholder
- * PSK binder. */
+ // Now that the length prefixes have been computed, fill in the placeholder
+ // PSK binder.
if (hs->needs_psk_binder &&
!tls13_write_psk_binder(hs, msg, len)) {
OPENSSL_free(msg);
@@ -374,8 +374,8 @@
return 0;
}
- /* The server version may also be in the supported_versions extension if
- * applicable. */
+ // The server version may also be in the supported_versions extension if
+ // applicable.
if (msg.type != SSL3_MT_SERVER_HELLO || *out != TLS1_2_VERSION) {
return 1;
}
@@ -390,7 +390,7 @@
return 0;
}
- /* The extensions block may not be present. */
+ // The extensions block may not be present.
if (CBS_len(&server_hello) == 0) {
return 1;
}
@@ -433,14 +433,14 @@
ssl_do_info_callback(ssl, SSL_CB_HANDSHAKE_START, 1);
- /* Freeze the version range. */
+ // Freeze the version range.
if (!ssl_get_version_range(ssl, &hs->min_version, &hs->max_version)) {
return ssl_hs_error;
}
- /* Always advertise the ClientHello version from the original maximum version,
- * even on renegotiation. The static RSA key exchange uses this field, and
- * some servers fail when it changes across handshakes. */
+ // Always advertise the ClientHello version from the original maximum version,
+ // even on renegotiation. The static RSA key exchange uses this field, and
+ // some servers fail when it changes across handshakes.
if (SSL_is_dtls(hs->ssl)) {
hs->client_version =
hs->max_version >= TLS1_2_VERSION ? DTLS1_2_VERSION : DTLS1_VERSION;
@@ -449,8 +449,8 @@
hs->max_version >= TLS1_2_VERSION ? TLS1_2_VERSION : hs->max_version;
}
- /* If the configured session has expired or was created at a disabled
- * version, drop it. */
+ // If the configured session has expired or was created at a disabled
+ // version, drop it.
if (ssl->session != NULL) {
if (ssl->session->is_server ||
!ssl_supports_version(hs, ssl->session->ssl_version) ||
@@ -466,8 +466,8 @@
return ssl_hs_error;
}
- /* Initialize a random session ID for the experimental TLS 1.3 variant
- * requiring a session id. */
+ // Initialize a random session ID for the experimental TLS 1.3 variant
+ // requiring a session id.
if (ssl->tls13_variant == tls13_experiment) {
hs->session_id_len = sizeof(hs->session_id);
if (!RAND_bytes(hs->session_id, hs->session_id_len)) {
@@ -505,8 +505,8 @@
return ssl_hs_error;
}
- /* Stash the early data session, so connection properties may be queried out
- * of it. */
+ // Stash the early data session, so connection properties may be queried out
+ // of it.
hs->in_early_data = 1;
SSL_SESSION_up_ref(ssl->session);
hs->early_session.reset(ssl->session);
@@ -547,7 +547,7 @@
ssl->method->next_message(ssl);
- /* DTLS resets the handshake buffer after HelloVerifyRequest. */
+ // DTLS resets the handshake buffer after HelloVerifyRequest.
if (!hs->transcript.Init()) {
return ssl_hs_error;
}
@@ -581,8 +581,8 @@
assert(ssl->s3->have_version == ssl->s3->initial_handshake_complete);
if (!ssl->s3->have_version) {
ssl->version = server_version;
- /* At this point, the connection's version is known and ssl->version is
- * fixed. Begin enforcing the record-layer version. */
+ // At this point, the connection's version is known and ssl->version is
+ // fixed. Begin enforcing the record-layer version.
ssl->s3->have_version = 1;
} else if (server_version != ssl->version) {
OPENSSL_PUT_ERROR(SSL, SSL_R_WRONG_SSL_VERSION);
@@ -621,12 +621,12 @@
return ssl_hs_error;
}
- /* Copy over the server random. */
+ // Copy over the server random.
OPENSSL_memcpy(ssl->s3->server_random, CBS_data(&server_random),
SSL3_RANDOM_SIZE);
- /* TODO(davidben): Implement the TLS 1.1 and 1.2 downgrade sentinels once TLS
- * 1.3 is finalized and we are not implementing a draft version. */
+ // TODO(davidben): Implement the TLS 1.1 and 1.2 downgrade sentinels once TLS
+ // 1.3 is finalized and we are not implementing a draft version.
if (!ssl->s3->initial_handshake_complete && ssl->session != NULL &&
ssl->session->session_id_length != 0 &&
@@ -634,14 +634,14 @@
ssl->session->session_id_length)) {
ssl->s3->session_reused = 1;
} else {
- /* The session wasn't resumed. Create a fresh SSL_SESSION to
- * fill out. */
+ // The session wasn't resumed. Create a fresh SSL_SESSION to
+ // fill out.
ssl_set_session(ssl, NULL);
if (!ssl_get_new_session(hs, 0 /* client */)) {
ssl3_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_INTERNAL_ERROR);
return ssl_hs_error;
}
- /* Note: session_id could be empty. */
+ // Note: session_id could be empty.
hs->new_session->session_id_length = CBS_len(&session_id);
OPENSSL_memcpy(hs->new_session->session_id, CBS_data(&session_id),
CBS_len(&session_id));
@@ -649,13 +649,13 @@
const SSL_CIPHER *cipher = SSL_get_cipher_by_value(cipher_suite);
if (cipher == NULL) {
- /* unknown cipher */
+ // unknown cipher
OPENSSL_PUT_ERROR(SSL, SSL_R_UNKNOWN_CIPHER_RETURNED);
ssl3_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_ILLEGAL_PARAMETER);
return ssl_hs_error;
}
- /* The cipher must be allowed in the selected version and enabled. */
+ // The cipher must be allowed in the selected version and enabled.
uint32_t mask_a, mask_k;
ssl_get_client_disabled(ssl, &mask_a, &mask_k);
if ((cipher->algorithm_mkey & mask_k) || (cipher->algorithm_auth & mask_a) ||
@@ -679,7 +679,7 @@
return ssl_hs_error;
}
if (!ssl_session_is_context_valid(ssl, ssl->session)) {
- /* This is actually a client application bug. */
+ // This is actually a client application bug.
OPENSSL_PUT_ERROR(SSL,
SSL_R_ATTEMPT_TO_REUSE_SESSION_IN_DIFFERENT_CONTEXT);
ssl3_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_ILLEGAL_PARAMETER);
@@ -690,38 +690,38 @@
}
hs->new_cipher = cipher;
- /* Now that the cipher is known, initialize the handshake hash and hash the
- * ServerHello. */
+ // Now that the cipher is known, initialize the handshake hash and hash the
+ // ServerHello.
if (!hs->transcript.InitHash(ssl3_protocol_version(ssl), hs->new_cipher) ||
!ssl_hash_message(hs, msg)) {
ssl3_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_INTERNAL_ERROR);
return ssl_hs_error;
}
- /* If doing a full handshake, the server may request a client certificate
- * which requires hashing the handshake transcript. Otherwise, the handshake
- * buffer may be released. */
+ // If doing a full handshake, the server may request a client certificate
+ // which requires hashing the handshake transcript. Otherwise, the handshake
+ // buffer may be released.
if (ssl->session != NULL ||
!ssl_cipher_uses_certificate_auth(hs->new_cipher)) {
hs->transcript.FreeBuffer();
}
- /* Only the NULL compression algorithm is supported. */
+ // Only the NULL compression algorithm is supported.
if (compression_method != 0) {
OPENSSL_PUT_ERROR(SSL, SSL_R_UNSUPPORTED_COMPRESSION_ALGORITHM);
ssl3_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_ILLEGAL_PARAMETER);
return ssl_hs_error;
}
- /* TLS extensions */
+ // TLS extensions
if (!ssl_parse_serverhello_tlsext(hs, &server_hello)) {
OPENSSL_PUT_ERROR(SSL, SSL_R_PARSE_TLSEXT);
return ssl_hs_error;
}
- /* There should be nothing left over in the record. */
+ // There should be nothing left over in the record.
if (CBS_len(&server_hello) != 0) {
- /* wrong packet length */
+ // wrong packet length
OPENSSL_PUT_ERROR(SSL, SSL_R_DECODE_ERROR);
ssl3_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_DECODE_ERROR);
return ssl_hs_error;
@@ -823,8 +823,8 @@
}
if (msg.type != SSL3_MT_CERTIFICATE_STATUS) {
- /* A server may send status_request in ServerHello and then change
- * its mind about sending CertificateStatus. */
+ // A server may send status_request in ServerHello and then change its mind
+ // about sending CertificateStatus.
hs->state = state_verify_server_certificate;
return ssl_hs_ok;
}
@@ -887,7 +887,7 @@
}
if (msg.type != SSL3_MT_SERVER_KEY_EXCHANGE) {
- /* Some ciphers (pure PSK) have an optional ServerKeyExchange message. */
+ // Some ciphers (pure PSK) have an optional ServerKeyExchange message.
if (ssl_cipher_requires_server_key_exchange(hs->new_cipher)) {
OPENSSL_PUT_ERROR(SSL, SSL_R_UNEXPECTED_MESSAGE);
ssl3_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_UNEXPECTED_MESSAGE);
@@ -908,7 +908,7 @@
if (alg_a & SSL_aPSK) {
CBS psk_identity_hint;
- /* Each of the PSK key exchanges begins with a psk_identity_hint. */
+ // Each of the PSK key exchanges begins with a psk_identity_hint.
if (!CBS_get_u16_length_prefixed(&server_key_exchange,
&psk_identity_hint)) {
OPENSSL_PUT_ERROR(SSL, SSL_R_DECODE_ERROR);
@@ -916,13 +916,13 @@
return ssl_hs_error;
}
- /* Store PSK identity hint for later use, hint is used in
- * ssl3_send_client_key_exchange. Assume that the maximum length of a PSK
- * identity hint can be as long as the maximum length of a PSK identity.
- * Also do not allow NULL characters; identities are saved as C strings.
- *
- * TODO(davidben): Should invalid hints be ignored? It's a hint rather than
- * a specific identity. */
+ // Store PSK identity hint for later use, hint is used in
+ // ssl3_send_client_key_exchange. Assume that the maximum length of a PSK
+ // identity hint can be as long as the maximum length of a PSK identity.
+ // Also do not allow NULL characters; identities are saved as C strings.
+ //
+ // TODO(davidben): Should invalid hints be ignored? It's a hint rather than
+ // a specific identity.
if (CBS_len(&psk_identity_hint) > PSK_MAX_IDENTITY_LEN ||
CBS_contains_zero_byte(&psk_identity_hint)) {
OPENSSL_PUT_ERROR(SSL, SSL_R_DATA_LENGTH_TOO_LONG);
@@ -930,11 +930,11 @@
return ssl_hs_error;
}
- /* Save non-empty identity hints as a C string. Empty identity hints we
- * treat as missing. Plain PSK makes it possible to send either no hint
- * (omit ServerKeyExchange) or an empty hint, while ECDHE_PSK can only spell
- * empty hint. Having different capabilities is odd, so we interpret empty
- * and missing as identical. */
+ // Save non-empty identity hints as a C string. Empty identity hints we
+ // treat as missing. Plain PSK makes it possible to send either no hint
+ // (omit ServerKeyExchange) or an empty hint, while ECDHE_PSK can only spell
+ // empty hint. Having different capabilities is odd, so we interpret empty
+ // and missing as identical.
char *raw = nullptr;
if (CBS_len(&psk_identity_hint) != 0 &&
!CBS_strdup(&psk_identity_hint, &raw)) {
@@ -946,7 +946,7 @@
}
if (alg_k & SSL_kECDHE) {
- /* Parse the server parameters. */
+ // Parse the server parameters.
uint8_t group_type;
uint16_t group_id;
CBS point;
@@ -960,14 +960,14 @@
}
hs->new_session->group_id = group_id;
- /* Ensure the group is consistent with preferences. */
+ // Ensure the group is consistent with preferences.
if (!tls1_check_group_id(ssl, group_id)) {
OPENSSL_PUT_ERROR(SSL, SSL_R_WRONG_CURVE);
ssl3_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_ILLEGAL_PARAMETER);
return ssl_hs_error;
}
- /* Initialize ECDH and save the peer public key for later. */
+ // Initialize ECDH and save the peer public key for later.
hs->key_share = SSLKeyShare::Create(group_id);
if (!hs->key_share ||
!CBS_stow(&point, &hs->peer_key, &hs->peer_key_len)) {
@@ -979,14 +979,14 @@
return ssl_hs_error;
}
- /* At this point, |server_key_exchange| contains the signature, if any, while
- * |msg.body| contains the entire message. From that, derive a CBS containing
- * just the parameter. */
+ // At this point, |server_key_exchange| contains the signature, if any, while
+ // |msg.body| contains the entire message. From that, derive a CBS containing
+ // just the parameter.
CBS parameter;
CBS_init(¶meter, CBS_data(&msg.body),
CBS_len(&msg.body) - CBS_len(&server_key_exchange));
- /* ServerKeyExchange should be signed by the server's public key. */
+ // ServerKeyExchange should be signed by the server's public key.
if (ssl_cipher_uses_certificate_auth(hs->new_cipher)) {
uint16_t signature_algorithm = 0;
if (ssl3_protocol_version(ssl) >= TLS1_2_VERSION) {
@@ -1008,7 +1008,7 @@
return ssl_hs_error;
}
- /* The last field in |server_key_exchange| is the signature. */
+ // The last field in |server_key_exchange| is the signature.
CBS signature;
if (!CBS_get_u16_length_prefixed(&server_key_exchange, &signature) ||
CBS_len(&server_key_exchange) != 0) {
@@ -1044,13 +1044,13 @@
ERR_clear_error();
#endif
if (!sig_ok) {
- /* bad signature */
+ // bad signature
OPENSSL_PUT_ERROR(SSL, SSL_R_BAD_SIGNATURE);
ssl3_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_DECRYPT_ERROR);
return ssl_hs_error;
}
} else {
- /* PSK ciphers are the only supported certificate-less ciphers. */
+ // PSK ciphers are the only supported certificate-less ciphers.
assert(alg_a == SSL_aPSK);
if (CBS_len(&server_key_exchange) > 0) {
@@ -1079,8 +1079,8 @@
}
if (msg.type == SSL3_MT_SERVER_HELLO_DONE) {
- /* If we get here we don't need the handshake buffer as we won't be doing
- * client auth. */
+ // If we get here we don't need the handshake buffer as we won't be doing
+ // client auth.
hs->transcript.FreeBuffer();
hs->state = state_read_server_hello_done;
return ssl_hs_ok;
@@ -1091,7 +1091,7 @@
return ssl_hs_error;
}
- /* Get the certificate types. */
+ // Get the certificate types.
CBS body = msg.body, certificate_types;
if (!CBS_get_u8_length_prefixed(&body, &certificate_types)) {
ssl3_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_DECODE_ERROR);
@@ -1150,7 +1150,7 @@
return ssl_hs_error;
}
- /* ServerHelloDone is empty. */
+ // ServerHelloDone is empty.
if (CBS_len(&msg.body) != 0) {
ssl3_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_DECODE_ERROR);
OPENSSL_PUT_ERROR(SSL, SSL_R_DECODE_ERROR);
@@ -1165,13 +1165,13 @@
static enum ssl_hs_wait_t do_send_client_certificate(SSL_HANDSHAKE *hs) {
SSL *const ssl = hs->ssl;
- /* The peer didn't request a certificate. */
+ // The peer didn't request a certificate.
if (!hs->cert_request) {
hs->state = state_send_client_key_exchange;
return ssl_hs_ok;
}
- /* Call cert_cb to update the certificate. */
+ // Call cert_cb to update the certificate.
if (ssl->cert->cert_cb != NULL) {
int rv = ssl->cert->cert_cb(ssl, ssl->cert->cert_cb_arg);
if (rv == 0) {
@@ -1186,10 +1186,10 @@
}
if (!ssl_has_certificate(ssl)) {
- /* Without a client certificate, the handshake buffer may be released. */
+ // Without a client certificate, the handshake buffer may be released.
hs->transcript.FreeBuffer();
- /* In SSL 3.0, the Certificate message is replaced with a warning alert. */
+ // In SSL 3.0, the Certificate message is replaced with a warning alert.
if (ssl->version == SSL3_VERSION) {
if (!ssl->method->add_alert(ssl, SSL3_AL_WARNING,
SSL_AD_NO_CERTIFICATE)) {
@@ -1227,7 +1227,7 @@
uint32_t alg_k = hs->new_cipher->algorithm_mkey;
uint32_t alg_a = hs->new_cipher->algorithm_auth;
- /* If using a PSK key exchange, prepare the pre-shared key. */
+ // If using a PSK key exchange, prepare the pre-shared key.
unsigned psk_len = 0;
uint8_t psk[PSK_MAX_PSK_LEN];
if (alg_a & SSL_aPSK) {
@@ -1255,7 +1255,7 @@
goto err;
}
- /* Write out psk_identity. */
+ // Write out psk_identity.
CBB child;
if (!CBB_add_u16_length_prefixed(&body, &child) ||
!CBB_add_bytes(&child, (const uint8_t *)identity,
@@ -1265,7 +1265,7 @@
}
}
- /* Depending on the key exchange method, compute |pms| and |pms_len|. */
+ // Depending on the key exchange method, compute |pms| and |pms_len|.
if (alg_k & SSL_kRSA) {
pms_len = SSL_MAX_MASTER_KEY_LENGTH;
pms = (uint8_t *)OPENSSL_malloc(pms_len);
@@ -1288,7 +1288,7 @@
CBB child, *enc_pms = &body;
size_t enc_pms_len;
- /* In TLS, there is a length prefix. */
+ // In TLS, there is a length prefix.
if (ssl->version > SSL3_VERSION) {
if (!CBB_add_u16_length_prefixed(&body, &child)) {
goto err;
@@ -1305,13 +1305,13 @@
goto err;
}
} else if (alg_k & SSL_kECDHE) {
- /* Generate a keypair and serialize the public half. */
+ // Generate a keypair and serialize the public half.
CBB child;
if (!CBB_add_u8_length_prefixed(&body, &child)) {
goto err;
}
- /* Compute the premaster. */
+ // Compute the premaster.
uint8_t alert = SSL_AD_DECODE_ERROR;
if (!hs->key_share->Accept(&child, &pms, &pms_len, &alert, hs->peer_key,
hs->peer_key_len)) {
@@ -1322,14 +1322,14 @@
goto err;
}
- /* The key exchange state may now be discarded. */
+ // The key exchange state may now be discarded.
hs->key_share.reset();
OPENSSL_free(hs->peer_key);
hs->peer_key = NULL;
hs->peer_key_len = 0;
} else if (alg_k & SSL_kPSK) {
- /* For plain PSK, other_secret is a block of 0s with the same length as
- * the pre-shared key. */
+ // For plain PSK, other_secret is a block of 0s with the same length as
+ // the pre-shared key.
pms_len = psk_len;
pms = (uint8_t *)OPENSSL_malloc(pms_len);
if (pms == NULL) {
@@ -1343,8 +1343,8 @@
goto err;
}
- /* For a PSK cipher suite, other_secret is combined with the pre-shared
- * key. */
+ // For a PSK cipher suite, other_secret is combined with the pre-shared
+ // key.
if (alg_a & SSL_aPSK) {
ScopedCBB pms_cbb;
CBB child;
@@ -1366,8 +1366,8 @@
pms_len = new_pms_len;
}
- /* The message must be added to the finished hash before calculating the
- * master secret. */
+ // The message must be added to the finished hash before calculating the
+ // master secret.
if (!ssl_add_message_cbb(ssl, cbb.get())) {
goto err;
}
@@ -1414,14 +1414,14 @@
return ssl_hs_error;
}
if (ssl3_protocol_version(ssl) >= TLS1_2_VERSION) {
- /* Write out the digest type in TLS 1.2. */
+ // Write out the digest type in TLS 1.2.
if (!CBB_add_u16(&body, signature_algorithm)) {
OPENSSL_PUT_ERROR(SSL, ERR_R_INTERNAL_ERROR);
return ssl_hs_error;
}
}
- /* Set aside space for the signature. */
+ // Set aside space for the signature.
const size_t max_sig_len = EVP_PKEY_size(hs->local_pubkey.get());
uint8_t *ptr;
if (!CBB_add_u16_length_prefixed(&body, &child) ||
@@ -1430,8 +1430,8 @@
}
size_t sig_len = max_sig_len;
- /* The SSL3 construction for CertificateVerify does not decompose into a
- * single final digest and signature, and must be special-cased. */
+ // The SSL3 construction for CertificateVerify does not decompose into a
+ // single final digest and signature, and must be special-cased.
if (ssl3_protocol_version(ssl) == SSL3_VERSION) {
if (ssl->cert->key_method != NULL) {
OPENSSL_PUT_ERROR(SSL, SSL_R_UNSUPPORTED_PROTOCOL_FOR_CUSTOM_KEY);
@@ -1470,7 +1470,7 @@
return ssl_hs_error;
}
- /* The handshake buffer is no longer necessary. */
+ // The handshake buffer is no longer necessary.
hs->transcript.FreeBuffer();
hs->state = state_send_second_client_flight;
@@ -1553,9 +1553,9 @@
return ssl_hs_ok;
}
- /* This is a full handshake. If it involves ChannelID, then record the
- * handshake hashes at this point in the session so that any resumption of
- * this session with ChannelID can sign those hashes. */
+ // This is a full handshake. If it involves ChannelID, then record the
+ // handshake hashes at this point in the session so that any resumption of
+ // this session with ChannelID can sign those hashes.
if (!tls1_record_handshake_hashes_for_channel_id(hs)) {
return ssl_hs_error;
}
@@ -1564,8 +1564,7 @@
if ((SSL_get_mode(ssl) & SSL_MODE_ENABLE_FALSE_START) &&
ssl3_can_false_start(ssl) &&
- /* No False Start on renegotiation (would complicate the state
- * machine). */
+ // No False Start on renegotiation (would complicate the state machine).
!ssl->s3->initial_handshake_complete) {
hs->in_false_start = 1;
hs->can_early_write = 1;
@@ -1604,9 +1603,9 @@
}
if (CBS_len(&ticket) == 0) {
- /* RFC 5077 allows a server to change its mind and send no ticket after
- * negotiating the extension. The value of |ticket_expected| is checked in
- * |ssl_update_cache| so is cleared here to avoid an unnecessary update. */
+ // RFC 5077 allows a server to change its mind and send no ticket after
+ // negotiating the extension. The value of |ticket_expected| is checked in
+ // |ssl_update_cache| so is cleared here to avoid an unnecessary update.
hs->ticket_expected = 0;
ssl->method->next_message(ssl);
hs->state = state_process_change_cipher_spec;
@@ -1616,20 +1615,20 @@
SSL_SESSION *session = hs->new_session.get();
UniquePtr<SSL_SESSION> renewed_session;
if (ssl->session != NULL) {
- /* The server is sending a new ticket for an existing session. Sessions are
- * immutable once established, so duplicate all but the ticket of the
- * existing session. */
+ // The server is sending a new ticket for an existing session. Sessions are
+ // immutable once established, so duplicate all but the ticket of the
+ // existing session.
renewed_session =
SSL_SESSION_dup(ssl->session, SSL_SESSION_INCLUDE_NONAUTH);
if (!renewed_session) {
- /* This should never happen. */
+ // This should never happen.
OPENSSL_PUT_ERROR(SSL, ERR_R_INTERNAL_ERROR);
return ssl_hs_error;
}
session = renewed_session.get();
}
- /* |tlsext_tick_lifetime_hint| is measured from when the ticket was issued. */
+ // |tlsext_tick_lifetime_hint| is measured from when the ticket was issued.
ssl_session_rebase_time(ssl, session);
if (!CBS_stow(&ticket, &session->tlsext_tick, &session->tlsext_ticklen)) {
@@ -1638,9 +1637,9 @@
}
session->tlsext_tick_lifetime_hint = tlsext_tick_lifetime_hint;
- /* Generate a session ID for this session based on the session ticket. We use
- * the session ID mechanism for detecting ticket resumption. This also fits in
- * with assumptions elsewhere in OpenSSL.*/
+ // Generate a session ID for this session based on the session ticket. We use
+ // the session ID mechanism for detecting ticket resumption. This also fits in
+ // with assumptions elsewhere in OpenSSL.
if (!EVP_Digest(CBS_data(&ticket), CBS_len(&ticket),
session->session_id, &session->session_id_length,
EVP_sha256(), NULL)) {
@@ -1693,16 +1692,16 @@
SSL_SESSION_up_ref(ssl->session);
ssl->s3->established_session = ssl->session;
} else {
- /* We make a copy of the session in order to maintain the immutability
- * of the new established_session due to False Start. The caller may
- * have taken a reference to the temporary session. */
+ // We make a copy of the session in order to maintain the immutability
+ // of the new established_session due to False Start. The caller may
+ // have taken a reference to the temporary session.
ssl->s3->established_session =
SSL_SESSION_dup(hs->new_session.get(), SSL_SESSION_DUP_ALL)
.release();
if (ssl->s3->established_session == NULL) {
return ssl_hs_error;
}
- /* Renegotiations do not participate in session resumption. */
+ // Renegotiations do not participate in session resumption.
if (!ssl->s3->initial_handshake_complete) {
ssl->s3->established_session->not_resumable = 0;
}
diff --git a/ssl/handshake_server.cc b/ssl/handshake_server.cc
index efbb7bd..eb79693 100644
--- a/ssl/handshake_server.cc
+++ b/ssl/handshake_server.cc
@@ -231,18 +231,18 @@
return 0;
}
} else {
- /* Convert the ClientHello version to an equivalent supported_versions
- * extension. */
+ // Convert the ClientHello version to an equivalent supported_versions
+ // extension.
static const uint8_t kTLSVersions[] = {
- 0x03, 0x03, /* TLS 1.2 */
- 0x03, 0x02, /* TLS 1.1 */
- 0x03, 0x01, /* TLS 1 */
- 0x03, 0x00, /* SSL 3 */
+ 0x03, 0x03, // TLS 1.2
+ 0x03, 0x02, // TLS 1.1
+ 0x03, 0x01, // TLS 1
+ 0x03, 0x00, // SSL 3
};
static const uint8_t kDTLSVersions[] = {
- 0xfe, 0xfd, /* DTLS 1.2 */
- 0xfe, 0xff, /* DTLS 1.0 */
+ 0xfe, 0xfd, // DTLS 1.2
+ 0xfe, 0xff, // DTLS 1.0
};
size_t versions_len = 0;
@@ -273,11 +273,11 @@
return 0;
}
- /* At this point, the connection's version is known and |ssl->version| is
- * fixed. Begin enforcing the record-layer version. */
+ // At this point, the connection's version is known and |ssl->version| is
+ // fixed. Begin enforcing the record-layer version.
ssl->s3->have_version = 1;
- /* Handle FALLBACK_SCSV. */
+ // Handle FALLBACK_SCSV.
if (ssl_client_cipher_list_contains_cipher(client_hello,
SSL3_CK_FALLBACK_SCSV & 0xffff) &&
ssl3_protocol_version(ssl) < hs->max_version) {
@@ -319,10 +319,10 @@
return sk;
}
-/* ssl_get_compatible_server_ciphers determines the key exchange and
- * authentication cipher suite masks compatible with the server configuration
- * and current ClientHello parameters of |hs|. It sets |*out_mask_k| to the key
- * exchange mask and |*out_mask_a| to the authentication mask. */
+// ssl_get_compatible_server_ciphers determines the key exchange and
+// authentication cipher suite masks compatible with the server configuration
+// and current ClientHello parameters of |hs|. It sets |*out_mask_k| to the key
+// exchange mask and |*out_mask_a| to the authentication mask.
static void ssl_get_compatible_server_ciphers(SSL_HANDSHAKE *hs,
uint32_t *out_mask_k,
uint32_t *out_mask_a) {
@@ -337,13 +337,13 @@
}
}
- /* Check for a shared group to consider ECDHE ciphers. */
+ // Check for a shared group to consider ECDHE ciphers.
uint16_t unused;
if (tls1_get_shared_group(hs, &unused)) {
mask_k |= SSL_kECDHE;
}
- /* PSK requires a server callback. */
+ // PSK requires a server callback.
if (ssl->psk_server_callback != NULL) {
mask_k |= SSL_kPSK;
mask_a |= SSL_aPSK;
@@ -358,13 +358,13 @@
const struct ssl_cipher_preference_list_st *server_pref) {
SSL *const ssl = hs->ssl;
STACK_OF(SSL_CIPHER) *prio, *allow;
- /* in_group_flags will either be NULL, or will point to an array of bytes
- * which indicate equal-preference groups in the |prio| stack. See the
- * comment about |in_group_flags| in the |ssl_cipher_preference_list_st|
- * struct. */
+ // in_group_flags will either be NULL, or will point to an array of bytes
+ // which indicate equal-preference groups in the |prio| stack. See the
+ // comment about |in_group_flags| in the |ssl_cipher_preference_list_st|
+ // struct.
const uint8_t *in_group_flags;
- /* group_min contains the minimal index so far found in a group, or -1 if no
- * such value exists yet. */
+ // group_min contains the minimal index so far found in a group, or -1 if no
+ // such value exists yet.
int group_min = -1;
UniquePtr<STACK_OF(SSL_CIPHER)> client_pref =
@@ -390,17 +390,17 @@
const SSL_CIPHER *c = sk_SSL_CIPHER_value(prio, i);
size_t cipher_index;
- if (/* Check if the cipher is supported for the current version. */
+ if (// Check if the cipher is supported for the current version.
SSL_CIPHER_get_min_version(c) <= ssl3_protocol_version(ssl) &&
ssl3_protocol_version(ssl) <= SSL_CIPHER_get_max_version(c) &&
- /* Check the cipher is supported for the server configuration. */
+ // Check the cipher is supported for the server configuration.
(c->algorithm_mkey & mask_k) &&
(c->algorithm_auth & mask_a) &&
- /* Check the cipher is in the |allow| list. */
+ // Check the cipher is in the |allow| list.
sk_SSL_CIPHER_find(allow, &cipher_index, c)) {
if (in_group_flags != NULL && in_group_flags[i] == 1) {
- /* This element of |prio| is in a group. Update the minimum index found
- * so far and continue looking. */
+ // This element of |prio| is in a group. Update the minimum index found
+ // so far and continue looking.
if (group_min == -1 || (size_t)group_min > cipher_index) {
group_min = cipher_index;
}
@@ -413,8 +413,8 @@
}
if (in_group_flags != NULL && in_group_flags[i] == 0 && group_min != -1) {
- /* We are about to leave a group, but we found a match in it, so that's
- * our answer. */
+ // We are about to leave a group, but we found a match in it, so that's
+ // our answer.
return sk_SSL_CIPHER_value(allow, group_min);
}
}
@@ -447,14 +447,14 @@
return ssl_hs_error;
}
- /* Run the early callback. */
+ // Run the early callback.
if (ssl->ctx->select_certificate_cb != NULL) {
switch (ssl->ctx->select_certificate_cb(&client_hello)) {
case ssl_select_cert_retry:
return ssl_hs_certificate_selection_pending;
case ssl_select_cert_error:
- /* Connection rejected. */
+ // Connection rejected.
OPENSSL_PUT_ERROR(SSL, SSL_R_CONNECTION_REJECTED);
ssl3_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_HANDSHAKE_FAILURE);
return ssl_hs_error;
@@ -464,7 +464,7 @@
}
}
- /* Freeze the version range after the early callback. */
+ // Freeze the version range after the early callback.
if (!ssl_get_version_range(ssl, &hs->min_version, &hs->max_version)) {
return ssl_hs_error;
}
@@ -483,8 +483,8 @@
OPENSSL_memcpy(ssl->s3->client_random, client_hello.random,
client_hello.random_len);
- /* Only null compression is supported. TLS 1.3 further requires the peer
- * advertise no other compression. */
+ // Only null compression is supported. TLS 1.3 further requires the peer
+ // advertise no other compression.
if (OPENSSL_memchr(client_hello.compression_methods, 0,
client_hello.compression_methods_len) == NULL ||
(ssl3_protocol_version(ssl) >= TLS1_3_VERSION &&
@@ -494,7 +494,7 @@
return ssl_hs_error;
}
- /* TLS extensions. */
+ // TLS extensions.
if (!ssl_parse_clienthello_tlsext(hs, &client_hello)) {
OPENSSL_PUT_ERROR(SSL, SSL_R_PARSE_TLSEXT);
return ssl_hs_error;
@@ -512,7 +512,7 @@
return ssl_hs_read_message;
}
- /* Call |cert_cb| to update server certificates if required. */
+ // Call |cert_cb| to update server certificates if required.
if (ssl->cert->cert_cb != NULL) {
int rv = ssl->cert->cert_cb(ssl, ssl->cert->cert_cb_arg);
if (rv == 0) {
@@ -530,7 +530,7 @@
}
if (ssl3_protocol_version(ssl) >= TLS1_3_VERSION) {
- /* Jump to the TLS 1.3 state machine. */
+ // Jump to the TLS 1.3 state machine.
hs->state = state_tls13;
return ssl_hs_ok;
}
@@ -540,8 +540,8 @@
return ssl_hs_error;
}
- /* Negotiate the cipher suite. This must be done after |cert_cb| so the
- * certificate is finalized. */
+ // Negotiate the cipher suite. This must be done after |cert_cb| so the
+ // certificate is finalized.
hs->new_cipher =
ssl3_choose_cipher(hs, &client_hello, ssl_get_cipher_preferences(ssl));
if (hs->new_cipher == NULL) {
@@ -577,7 +577,7 @@
return ssl_hs_error;
}
- /* Determine whether we are doing session resumption. */
+ // Determine whether we are doing session resumption.
UniquePtr<SSL_SESSION> session;
int tickets_supported = 0, renew_ticket = 0;
enum ssl_hs_wait_t wait = ssl_get_prev_session(
@@ -588,23 +588,23 @@
if (session) {
if (session->extended_master_secret && !hs->extended_master_secret) {
- /* A ClientHello without EMS that attempts to resume a session with EMS
- * is fatal to the connection. */
+ // A ClientHello without EMS that attempts to resume a session with EMS
+ // is fatal to the connection.
OPENSSL_PUT_ERROR(SSL, SSL_R_RESUMED_EMS_SESSION_WITHOUT_EMS_EXTENSION);
ssl3_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_HANDSHAKE_FAILURE);
return ssl_hs_error;
}
if (!ssl_session_is_resumable(hs, session.get()) ||
- /* If the client offers the EMS extension, but the previous session
- * didn't use it, then negotiate a new session. */
+ // If the client offers the EMS extension, but the previous session
+ // didn't use it, then negotiate a new session.
hs->extended_master_secret != session->extended_master_secret) {
session.reset();
}
}
if (session) {
- /* Use the old session. */
+ // Use the old session.
hs->ticket_expected = renew_ticket;
ssl->session = session.release();
ssl->s3->session_reused = 1;
@@ -615,7 +615,7 @@
return ssl_hs_error;
}
- /* Clear the session ID if we want the session to be single-use. */
+ // Clear the session ID if we want the session to be single-use.
if (!(ssl->ctx->session_cache_mode & SSL_SESS_CACHE_SERVER)) {
hs->new_session->session_id_length = 0;
}
@@ -623,7 +623,7 @@
if (ssl->ctx->dos_protection_cb != NULL &&
ssl->ctx->dos_protection_cb(&client_hello) == 0) {
- /* Connection rejected for DOS reasons. */
+ // Connection rejected for DOS reasons.
OPENSSL_PUT_ERROR(SSL, SSL_R_CONNECTION_REJECTED);
ssl3_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_INTERNAL_ERROR);
return ssl_hs_error;
@@ -632,7 +632,7 @@
if (ssl->session == NULL) {
hs->new_session->cipher = hs->new_cipher;
- /* On new sessions, stash the SNI value in the session. */
+ // On new sessions, stash the SNI value in the session.
if (hs->hostname != NULL) {
OPENSSL_free(hs->new_session->tlsext_hostname);
hs->new_session->tlsext_hostname = BUF_strdup(hs->hostname.get());
@@ -642,42 +642,42 @@
}
}
- /* Determine whether to request a client certificate. */
+ // Determine whether to request a client certificate.
hs->cert_request = !!(ssl->verify_mode & SSL_VERIFY_PEER);
- /* Only request a certificate if Channel ID isn't negotiated. */
+ // Only request a certificate if Channel ID isn't negotiated.
if ((ssl->verify_mode & SSL_VERIFY_PEER_IF_NO_OBC) &&
ssl->s3->tlsext_channel_id_valid) {
hs->cert_request = 0;
}
- /* CertificateRequest may only be sent in certificate-based ciphers. */
+ // CertificateRequest may only be sent in certificate-based ciphers.
if (!ssl_cipher_uses_certificate_auth(hs->new_cipher)) {
hs->cert_request = 0;
}
if (!hs->cert_request) {
- /* OpenSSL returns X509_V_OK when no certificates are requested. This is
- * classed by them as a bug, but it's assumed by at least NGINX. */
+ // OpenSSL returns X509_V_OK when no certificates are requested. This is
+ // classed by them as a bug, but it's assumed by at least NGINX.
hs->new_session->verify_result = X509_V_OK;
}
}
- /* HTTP/2 negotiation depends on the cipher suite, so ALPN negotiation was
- * deferred. Complete it now. */
+ // HTTP/2 negotiation depends on the cipher suite, so ALPN negotiation was
+ // deferred. Complete it now.
uint8_t alert = SSL_AD_DECODE_ERROR;
if (!ssl_negotiate_alpn(hs, &alert, &client_hello)) {
ssl3_send_alert(ssl, SSL3_AL_FATAL, alert);
return ssl_hs_error;
}
- /* Now that all parameters are known, initialize the handshake hash and hash
- * the ClientHello. */
+ // Now that all parameters are known, initialize the handshake hash and hash
+ // the ClientHello.
if (!hs->transcript.InitHash(ssl3_protocol_version(ssl), hs->new_cipher) ||
!ssl_hash_message(hs, msg)) {
ssl3_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_INTERNAL_ERROR);
return ssl_hs_error;
}
- /* Release the handshake buffer if client authentication isn't required. */
+ // Release the handshake buffer if client authentication isn't required.
if (!hs->cert_request) {
hs->transcript.FreeBuffer();
}
@@ -691,16 +691,16 @@
static enum ssl_hs_wait_t do_send_server_hello(SSL_HANDSHAKE *hs) {
SSL *const ssl = hs->ssl;
- /* We only accept ChannelIDs on connections with ECDHE in order to avoid a
- * known attack while we fix ChannelID itself. */
+ // We only accept ChannelIDs on connections with ECDHE in order to avoid a
+ // known attack while we fix ChannelID itself.
if (ssl->s3->tlsext_channel_id_valid &&
(hs->new_cipher->algorithm_mkey & SSL_kECDHE) == 0) {
ssl->s3->tlsext_channel_id_valid = 0;
}
- /* If this is a resumption and the original handshake didn't support
- * ChannelID then we didn't record the original handshake hashes in the
- * session and so cannot resume with ChannelIDs. */
+ // If this is a resumption and the original handshake didn't support
+ // ChannelID then we didn't record the original handshake hashes in the
+ // session and so cannot resume with ChannelIDs.
if (ssl->session != NULL &&
ssl->session->original_handshake_hash_len == 0) {
ssl->s3->tlsext_channel_id_valid = 0;
@@ -716,8 +716,8 @@
return ssl_hs_error;
}
- /* TODO(davidben): Implement the TLS 1.1 and 1.2 downgrade sentinels once TLS
- * 1.3 is finalized and we are not implementing a draft version. */
+ // TODO(davidben): Implement the TLS 1.1 and 1.2 downgrade sentinels once TLS
+ // 1.3 is finalized and we are not implementing a draft version.
const SSL_SESSION *session = hs->new_session.get();
if (ssl->session != NULL) {
@@ -778,14 +778,14 @@
}
}
- /* Assemble ServerKeyExchange parameters if needed. */
+ // Assemble ServerKeyExchange parameters if needed.
uint32_t alg_k = hs->new_cipher->algorithm_mkey;
uint32_t alg_a = hs->new_cipher->algorithm_auth;
if (ssl_cipher_requires_server_key_exchange(hs->new_cipher) ||
((alg_a & SSL_aPSK) && ssl->psk_identity_hint)) {
- /* Pre-allocate enough room to comfortably fit an ECDHE public key. Prepend
- * the client and server randoms for the signing transcript. */
+ // Pre-allocate enough room to comfortably fit an ECDHE public key. Prepend
+ // the client and server randoms for the signing transcript.
CBB child;
if (!CBB_init(cbb.get(), SSL3_RANDOM_SIZE * 2 + 128) ||
!CBB_add_bytes(cbb.get(), ssl->s3->client_random, SSL3_RANDOM_SIZE) ||
@@ -793,7 +793,7 @@
return ssl_hs_error;
}
- /* PSK ciphers begin with an identity hint. */
+ // PSK ciphers begin with an identity hint.
if (alg_a & SSL_aPSK) {
size_t len =
(ssl->psk_identity_hint == NULL) ? 0 : strlen(ssl->psk_identity_hint);
@@ -805,7 +805,7 @@
}
if (alg_k & SSL_kECDHE) {
- /* Determine the group to use. */
+ // Determine the group to use.
uint16_t group_id;
if (!tls1_get_shared_group(hs, &group_id)) {
OPENSSL_PUT_ERROR(SSL, ERR_R_INTERNAL_ERROR);
@@ -814,7 +814,7 @@
}
hs->new_session->group_id = group_id;
- /* Set up ECDH, generate a key, and emit the public half. */
+ // Set up ECDH, generate a key, and emit the public half.
hs->key_share = SSLKeyShare::Create(group_id);
if (!hs->key_share ||
!CBB_add_u8(cbb.get(), NAMED_CURVE_TYPE) ||
@@ -848,21 +848,21 @@
CBB body, child;
if (!ssl->method->init_message(ssl, cbb.get(), &body,
SSL3_MT_SERVER_KEY_EXCHANGE) ||
- /* |hs->server_params| contains a prefix for signing. */
+ // |hs->server_params| contains a prefix for signing.
hs->server_params_len < 2 * SSL3_RANDOM_SIZE ||
!CBB_add_bytes(&body, hs->server_params + 2 * SSL3_RANDOM_SIZE,
hs->server_params_len - 2 * SSL3_RANDOM_SIZE)) {
return ssl_hs_error;
}
- /* Add a signature. */
+ // Add a signature.
if (ssl_cipher_uses_certificate_auth(hs->new_cipher)) {
if (!ssl_has_private_key(ssl)) {
ssl3_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_INTERNAL_ERROR);
return ssl_hs_error;
}
- /* Determine the signature algorithm. */
+ // Determine the signature algorithm.
uint16_t signature_algorithm;
if (!tls1_choose_signature_algorithm(hs, &signature_algorithm)) {
return ssl_hs_error;
@@ -875,7 +875,7 @@
}
}
- /* Add space for the signature. */
+ // Add space for the signature.
const size_t max_sig_len = EVP_PKEY_size(hs->local_pubkey.get());
uint8_t *ptr;
if (!CBB_add_u16_length_prefixed(&body, &child) ||
@@ -962,16 +962,16 @@
if (msg.type != SSL3_MT_CERTIFICATE) {
if (ssl->version == SSL3_VERSION &&
msg.type == SSL3_MT_CLIENT_KEY_EXCHANGE) {
- /* In SSL 3.0, the Certificate message is omitted to signal no
- * certificate. */
+ // In SSL 3.0, the Certificate message is omitted to signal no
+ // certificate.
if (ssl->verify_mode & SSL_VERIFY_FAIL_IF_NO_PEER_CERT) {
OPENSSL_PUT_ERROR(SSL, SSL_R_PEER_DID_NOT_RETURN_A_CERTIFICATE);
ssl3_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_HANDSHAKE_FAILURE);
return ssl_hs_error;
}
- /* OpenSSL returns X509_V_OK when no certificates are received. This is
- * classed by them as a bug, but it's assumed by at least NGINX. */
+ // OpenSSL returns X509_V_OK when no certificates are received. This is
+ // classed by them as a bug, but it's assumed by at least NGINX.
hs->new_session->verify_result = X509_V_OK;
hs->state = state_verify_client_certificate;
return ssl_hs_ok;
@@ -1008,11 +1008,11 @@
}
if (sk_CRYPTO_BUFFER_num(hs->new_session->certs) == 0) {
- /* No client certificate so the handshake buffer may be discarded. */
+ // No client certificate so the handshake buffer may be discarded.
hs->transcript.FreeBuffer();
- /* In SSL 3.0, sending no certificate is signaled by omitting the
- * Certificate message. */
+ // In SSL 3.0, sending no certificate is signaled by omitting the
+ // Certificate message.
if (ssl->version == SSL3_VERSION) {
OPENSSL_PUT_ERROR(SSL, SSL_R_NO_CERTIFICATES_RETURNED);
ssl3_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_HANDSHAKE_FAILURE);
@@ -1020,17 +1020,17 @@
}
if (ssl->verify_mode & SSL_VERIFY_FAIL_IF_NO_PEER_CERT) {
- /* Fail for TLS only if we required a certificate */
+ // Fail for TLS only if we required a certificate
OPENSSL_PUT_ERROR(SSL, SSL_R_PEER_DID_NOT_RETURN_A_CERTIFICATE);
ssl3_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_HANDSHAKE_FAILURE);
return ssl_hs_error;
}
- /* OpenSSL returns X509_V_OK when no certificates are received. This is
- * classed by them as a bug, but it's assumed by at least NGINX. */
+ // OpenSSL returns X509_V_OK when no certificates are received. This is
+ // classed by them as a bug, but it's assumed by at least NGINX.
hs->new_session->verify_result = X509_V_OK;
} else if (ssl->retain_only_sha256_of_client_certs) {
- /* The hash will have been filled in. */
+ // The hash will have been filled in.
hs->new_session->peer_sha256_valid = 1;
}
@@ -1076,12 +1076,12 @@
uint32_t alg_k = hs->new_cipher->algorithm_mkey;
uint32_t alg_a = hs->new_cipher->algorithm_auth;
- /* If using a PSK key exchange, parse the PSK identity. */
+ // If using a PSK key exchange, parse the PSK identity.
if (alg_a & SSL_aPSK) {
CBS psk_identity;
- /* If using PSK, the ClientKeyExchange contains a psk_identity. If PSK,
- * then this is the only field in the message. */
+ // If using PSK, the ClientKeyExchange contains a psk_identity. If PSK,
+ // then this is the only field in the message.
if (!CBS_get_u16_length_prefixed(&client_key_exchange, &psk_identity) ||
((alg_k & SSL_kPSK) && CBS_len(&client_key_exchange) != 0)) {
OPENSSL_PUT_ERROR(SSL, SSL_R_DECODE_ERROR);
@@ -1103,8 +1103,8 @@
}
}
- /* Depending on the key exchange method, compute |premaster_secret| and
- * |premaster_secret_len|. */
+ // Depending on the key exchange method, compute |premaster_secret| and
+ // |premaster_secret_len|.
if (alg_k & SSL_kRSA) {
CBS encrypted_premaster_secret;
if (ssl->version > SSL3_VERSION) {
@@ -1119,7 +1119,7 @@
encrypted_premaster_secret = client_key_exchange;
}
- /* Allocate a buffer large enough for an RSA decryption. */
+ // Allocate a buffer large enough for an RSA decryption.
const size_t rsa_size = EVP_PKEY_size(hs->local_pubkey.get());
decrypt_buf = (uint8_t *)OPENSSL_malloc(rsa_size);
if (decrypt_buf == NULL) {
@@ -1127,8 +1127,8 @@
goto err;
}
- /* Decrypt with no padding. PKCS#1 padding will be removed as part of the
- * timing-sensitive code below. */
+ // Decrypt with no padding. PKCS#1 padding will be removed as part of the
+ // timing-sensitive code below.
size_t decrypt_len;
switch (ssl_private_key_decrypt(hs, decrypt_buf, &decrypt_len, rsa_size,
CBS_data(&encrypted_premaster_secret),
@@ -1148,8 +1148,8 @@
goto err;
}
- /* Prepare a random premaster, to be used on invalid padding. See RFC 5246,
- * section 7.4.7.1. */
+ // Prepare a random premaster, to be used on invalid padding. See RFC 5246,
+ // section 7.4.7.1.
premaster_secret_len = SSL_MAX_MASTER_KEY_LENGTH;
premaster_secret = (uint8_t *)OPENSSL_malloc(premaster_secret_len);
if (premaster_secret == NULL) {
@@ -1160,15 +1160,15 @@
goto err;
}
- /* The smallest padded premaster is 11 bytes of overhead. Small keys are
- * publicly invalid. */
+ // The smallest padded premaster is 11 bytes of overhead. Small keys are
+ // publicly invalid.
if (decrypt_len < 11 + premaster_secret_len) {
OPENSSL_PUT_ERROR(SSL, SSL_R_DECRYPTION_FAILED);
ssl3_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_DECRYPT_ERROR);
goto err;
}
- /* Check the padding. See RFC 3447, section 7.2.2. */
+ // Check the padding. See RFC 3447, section 7.2.2.
size_t padding_len = decrypt_len - premaster_secret_len;
uint8_t good = constant_time_eq_int_8(decrypt_buf[0], 0) &
constant_time_eq_int_8(decrypt_buf[1], 2);
@@ -1177,15 +1177,15 @@
}
good &= constant_time_is_zero_8(decrypt_buf[padding_len - 1]);
- /* The premaster secret must begin with |client_version|. This too must be
- * checked in constant time (http://eprint.iacr.org/2003/052/). */
+ // The premaster secret must begin with |client_version|. This too must be
+ // checked in constant time (http://eprint.iacr.org/2003/052/).
good &= constant_time_eq_8(decrypt_buf[padding_len],
(unsigned)(hs->client_version >> 8));
good &= constant_time_eq_8(decrypt_buf[padding_len + 1],
(unsigned)(hs->client_version & 0xff));
- /* Select, in constant time, either the decrypted premaster or the random
- * premaster based on |good|. */
+ // Select, in constant time, either the decrypted premaster or the random
+ // premaster based on |good|.
for (size_t i = 0; i < premaster_secret_len; i++) {
premaster_secret[i] = constant_time_select_8(
good, decrypt_buf[padding_len + i], premaster_secret[i]);
@@ -1194,7 +1194,7 @@
OPENSSL_free(decrypt_buf);
decrypt_buf = NULL;
} else if (alg_k & SSL_kECDHE) {
- /* Parse the ClientKeyExchange. */
+ // Parse the ClientKeyExchange.
CBS peer_key;
if (!CBS_get_u8_length_prefixed(&client_key_exchange, &peer_key) ||
CBS_len(&client_key_exchange) != 0) {
@@ -1203,7 +1203,7 @@
goto err;
}
- /* Compute the premaster. */
+ // Compute the premaster.
uint8_t alert = SSL_AD_DECODE_ERROR;
if (!hs->key_share->Finish(&premaster_secret, &premaster_secret_len, &alert,
CBS_data(&peer_key), CBS_len(&peer_key))) {
@@ -1211,7 +1211,7 @@
goto err;
}
- /* The key exchange state may now be discarded. */
+ // The key exchange state may now be discarded.
hs->key_share.reset();
} else if (!(alg_k & SSL_kPSK)) {
OPENSSL_PUT_ERROR(SSL, ERR_R_INTERNAL_ERROR);
@@ -1219,8 +1219,8 @@
goto err;
}
- /* For a PSK cipher suite, the actual pre-master secret is combined with the
- * pre-shared key. */
+ // For a PSK cipher suite, the actual pre-master secret is combined with the
+ // pre-shared key.
if (alg_a & SSL_aPSK) {
if (ssl->psk_server_callback == NULL) {
OPENSSL_PUT_ERROR(SSL, ERR_R_INTERNAL_ERROR);
@@ -1228,7 +1228,7 @@
goto err;
}
- /* Look up the key for the identity. */
+ // Look up the key for the identity.
uint8_t psk[PSK_MAX_PSK_LEN];
unsigned psk_len = ssl->psk_server_callback(
ssl, hs->new_session->psk_identity, psk, sizeof(psk));
@@ -1237,15 +1237,15 @@
ssl3_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_INTERNAL_ERROR);
goto err;
} else if (psk_len == 0) {
- /* PSK related to the given identity not found */
+ // PSK related to the given identity not found.
OPENSSL_PUT_ERROR(SSL, SSL_R_PSK_IDENTITY_NOT_FOUND);
ssl3_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_UNKNOWN_PSK_IDENTITY);
goto err;
}
if (alg_k & SSL_kPSK) {
- /* In plain PSK, other_secret is a block of 0s with the same length as the
- * pre-shared key. */
+ // In plain PSK, other_secret is a block of 0s with the same length as the
+ // pre-shared key.
premaster_secret_len = psk_len;
premaster_secret = (uint8_t *)OPENSSL_malloc(premaster_secret_len);
if (premaster_secret == NULL) {
@@ -1280,7 +1280,7 @@
goto err;
}
- /* Compute the master secret */
+ // Compute the master secret.
hs->new_session->master_key_length = tls1_generate_master_secret(
hs, hs->new_session->master_key, premaster_secret, premaster_secret_len);
if (hs->new_session->master_key_length == 0) {
@@ -1306,9 +1306,8 @@
static enum ssl_hs_wait_t do_read_client_certificate_verify(SSL_HANDSHAKE *hs) {
SSL *const ssl = hs->ssl;
- /* Only RSA and ECDSA client certificates are supported, so a
- * CertificateVerify is required if and only if there's a client certificate.
- * */
+ // Only RSA and ECDSA client certificates are supported, so a
+ // CertificateVerify is required if and only if there's a client certificate.
if (!hs->peer_pubkey) {
hs->transcript.FreeBuffer();
hs->state = state_read_change_cipher_spec;
@@ -1326,7 +1325,7 @@
CBS certificate_verify = msg.body, signature;
- /* Determine the signature algorithm. */
+ // Determine the signature algorithm.
uint16_t signature_algorithm = 0;
if (ssl3_protocol_version(ssl) >= TLS1_2_VERSION) {
if (!CBS_get_u16(&certificate_verify, &signature_algorithm)) {
@@ -1347,7 +1346,7 @@
return ssl_hs_error;
}
- /* Parse and verify the signature. */
+ // Parse and verify the signature.
if (!CBS_get_u16_length_prefixed(&certificate_verify, &signature) ||
CBS_len(&certificate_verify) != 0) {
OPENSSL_PUT_ERROR(SSL, SSL_R_DECODE_ERROR);
@@ -1356,8 +1355,8 @@
}
int sig_ok;
- /* The SSL3 construction for CertificateVerify does not decompose into a
- * single final digest and signature, and must be special-cased. */
+ // The SSL3 construction for CertificateVerify does not decompose into a
+ // single final digest and signature, and must be special-cased.
if (ssl3_protocol_version(ssl) == SSL3_VERSION) {
uint8_t digest[EVP_MAX_MD_SIZE];
size_t digest_len;
@@ -1389,8 +1388,8 @@
return ssl_hs_error;
}
- /* The handshake buffer is no longer necessary, and we may hash the current
- * message.*/
+ // The handshake buffer is no longer necessary, and we may hash the current
+ // message.
hs->transcript.FreeBuffer();
if (!ssl_hash_message(hs, msg)) {
return ssl_hs_error;
@@ -1489,9 +1488,9 @@
hs->state = state_send_server_finished;
}
- /* If this is a full handshake with ChannelID then record the handshake
- * hashes in |hs->new_session| in case we need them to verify a
- * ChannelID signature on a resumption of this session in the future. */
+ // If this is a full handshake with ChannelID then record the handshake
+ // hashes in |hs->new_session| in case we need them to verify a
+ // ChannelID signature on a resumption of this session in the future.
if (ssl->session == NULL && ssl->s3->tlsext_channel_id_valid &&
!tls1_record_handshake_hashes_for_channel_id(hs)) {
return ssl_hs_error;
@@ -1507,12 +1506,12 @@
const SSL_SESSION *session;
UniquePtr<SSL_SESSION> session_copy;
if (ssl->session == NULL) {
- /* Fix the timeout to measure from the ticket issuance time. */
+ // Fix the timeout to measure from the ticket issuance time.
ssl_session_rebase_time(ssl, hs->new_session.get());
session = hs->new_session.get();
} else {
- /* We are renewing an existing session. Duplicate the session to adjust
- * the timeout. */
+ // We are renewing an existing session. Duplicate the session to adjust
+ // the timeout.
session_copy = SSL_SESSION_dup(ssl->session, SSL_SESSION_INCLUDE_NONAUTH);
if (!session_copy) {
return ssl_hs_error;
@@ -1553,8 +1552,7 @@
ssl->method->on_handshake_complete(ssl);
- /* If we aren't retaining peer certificates then we can discard it
- * now. */
+ // If we aren't retaining peer certificates then we can discard it now.
if (hs->new_session != NULL && ssl->retain_only_sha256_of_client_certs) {
sk_CRYPTO_BUFFER_pop_free(hs->new_session->certs, CRYPTO_BUFFER_free);
hs->new_session->certs = NULL;
diff --git a/ssl/internal.h b/ssl/internal.h
index 393cd5e..7aefff2 100644
--- a/ssl/internal.h
+++ b/ssl/internal.h
@@ -158,7 +158,7 @@
#if defined(OPENSSL_WINDOWS)
-/* Windows defines struct timeval in winsock2.h. */
+// Windows defines struct timeval in winsock2.h.
OPENSSL_MSVC_PRAGMA(warning(push, 3))
#include <winsock2.h>
OPENSSL_MSVC_PRAGMA(warning(pop))
@@ -173,13 +173,13 @@
struct SSL_HANDSHAKE;
-/* C++ utilities. */
+// C++ utilities.
-/* New behaves like |new| but uses |OPENSSL_malloc| for memory allocation. It
- * returns nullptr on allocation error. It only implements single-object
- * allocation and not new T[n].
- *
- * Note: unlike |new|, this does not support non-public constructors. */
+// New behaves like |new| but uses |OPENSSL_malloc| for memory allocation. It
+// returns nullptr on allocation error. It only implements single-object
+// allocation and not new T[n].
+//
+// Note: unlike |new|, this does not support non-public constructors.
template <typename T, typename... Args>
T *New(Args &&... args) {
void *t = OPENSSL_malloc(sizeof(T));
@@ -190,9 +190,9 @@
return new (t) T(std::forward<Args>(args)...);
}
-/* Delete behaves like |delete| but uses |OPENSSL_free| to release memory.
- *
- * Note: unlike |delete| this does not support non-public destructors. */
+// Delete behaves like |delete| but uses |OPENSSL_free| to release memory.
+//
+// Note: unlike |delete| this does not support non-public destructors.
template <typename T>
void Delete(T *t) {
if (t != nullptr) {
@@ -201,8 +201,8 @@
}
}
-/* All types with kAllowUniquePtr set may be used with UniquePtr. Other types
- * may be C structs which require a |BORINGSSL_MAKE_DELETER| registration. */
+// All types with kAllowUniquePtr set may be used with UniquePtr. Other types
+// may be C structs which require a |BORINGSSL_MAKE_DELETER| registration.
namespace internal {
template <typename T>
struct DeleterImpl<T, typename std::enable_if<T::kAllowUniquePtr>::type> {
@@ -210,8 +210,8 @@
};
}
-/* MakeUnique behaves like |std::make_unique| but returns nullptr on allocation
- * error. */
+// MakeUnique behaves like |std::make_unique| but returns nullptr on allocation
+// error.
template <typename T, typename... Args>
UniquePtr<T> MakeUnique(Args &&... args) {
return UniquePtr<T>(New<T>(std::forward<Args>(args)...));
@@ -221,87 +221,87 @@
#define HAS_VIRTUAL_DESTRUCTOR
#define PURE_VIRTUAL = 0
#else
-/* HAS_VIRTUAL_DESTRUCTOR should be declared in any base clas ~s which defines a
- * virtual destructor. This avoids a dependency on |_ZdlPv| and prevents the
- * class from being used with |delete|. */
+// HAS_VIRTUAL_DESTRUCTOR should be declared in any base clas ~s which defines a
+// virtual destructor. This avoids a dependency on |_ZdlPv| and prevents the
+// class from being used with |delete|.
#define HAS_VIRTUAL_DESTRUCTOR \
void operator delete(void *) { abort(); }
-/* PURE_VIRTUAL should be used instead of = 0 when defining pure-virtual
- * functions. This avoids a dependency on |__cxa_pure_virtual| but loses
- * compile-time checking. */
+// PURE_VIRTUAL should be used instead of = 0 when defining pure-virtual
+// functions. This avoids a dependency on |__cxa_pure_virtual| but loses
+// compile-time checking.
#define PURE_VIRTUAL { abort(); }
#endif
-/* Protocol versions.
- *
- * Due to DTLS's historical wire version differences and to support multiple
- * variants of the same protocol during development, we maintain two notions of
- * version.
- *
- * The "version" or "wire version" is the actual 16-bit value that appears on
- * the wire. It uniquely identifies a version and is also used at API
- * boundaries. The set of supported versions differs between TLS and DTLS. Wire
- * versions are opaque values and may not be compared numerically.
- *
- * The "protocol version" identifies the high-level handshake variant being
- * used. DTLS versions map to the corresponding TLS versions. Draft TLS 1.3
- * variants all map to TLS 1.3. Protocol versions are sequential and may be
- * compared numerically. */
+// Protocol versions.
+//
+// Due to DTLS's historical wire version differences and to support multiple
+// variants of the same protocol during development, we maintain two notions of
+// version.
+//
+// The "version" or "wire version" is the actual 16-bit value that appears on
+// the wire. It uniquely identifies a version and is also used at API
+// boundaries. The set of supported versions differs between TLS and DTLS. Wire
+// versions are opaque values and may not be compared numerically.
+//
+// The "protocol version" identifies the high-level handshake variant being
+// used. DTLS versions map to the corresponding TLS versions. Draft TLS 1.3
+// variants all map to TLS 1.3. Protocol versions are sequential and may be
+// compared numerically.
-/* ssl_protocol_version_from_wire sets |*out| to the protocol version
- * corresponding to wire version |version| and returns one. If |version| is not
- * a valid TLS or DTLS version, it returns zero.
- *
- * Note this simultaneously handles both DTLS and TLS. Use one of the
- * higher-level functions below for most operations. */
+// ssl_protocol_version_from_wire sets |*out| to the protocol version
+// corresponding to wire version |version| and returns one. If |version| is not
+// a valid TLS or DTLS version, it returns zero.
+//
+// Note this simultaneously handles both DTLS and TLS. Use one of the
+// higher-level functions below for most operations.
int ssl_protocol_version_from_wire(uint16_t *out, uint16_t version);
-/* ssl_get_version_range sets |*out_min_version| and |*out_max_version| to the
- * minimum and maximum enabled protocol versions, respectively. */
+// ssl_get_version_range sets |*out_min_version| and |*out_max_version| to the
+// minimum and maximum enabled protocol versions, respectively.
int ssl_get_version_range(const SSL *ssl, uint16_t *out_min_version,
uint16_t *out_max_version);
-/* ssl_supports_version returns one if |hs| supports |version| and zero
- * otherwise. */
+// ssl_supports_version returns one if |hs| supports |version| and zero
+// otherwise.
int ssl_supports_version(SSL_HANDSHAKE *hs, uint16_t version);
-/* ssl_add_supported_versions writes the supported versions of |hs| to |cbb|, in
- * decreasing preference order. */
+// ssl_add_supported_versions writes the supported versions of |hs| to |cbb|, in
+// decreasing preference order.
int ssl_add_supported_versions(SSL_HANDSHAKE *hs, CBB *cbb);
-/* ssl_negotiate_version negotiates a common version based on |hs|'s preferences
- * and the peer preference list in |peer_versions|. On success, it returns one
- * and sets |*out_version| to the selected version. Otherwise, it returns zero
- * and sets |*out_alert| to an alert to send. */
+// ssl_negotiate_version negotiates a common version based on |hs|'s preferences
+// and the peer preference list in |peer_versions|. On success, it returns one
+// and sets |*out_version| to the selected version. Otherwise, it returns zero
+// and sets |*out_alert| to an alert to send.
int ssl_negotiate_version(SSL_HANDSHAKE *hs, uint8_t *out_alert,
uint16_t *out_version, const CBS *peer_versions);
-/* ssl3_protocol_version returns |ssl|'s protocol version. It is an error to
- * call this function before the version is determined. */
+// ssl3_protocol_version returns |ssl|'s protocol version. It is an error to
+// call this function before the version is determined.
uint16_t ssl3_protocol_version(const SSL *ssl);
-/* Cipher suites. */
+// Cipher suites.
-/* Bits for |algorithm_mkey| (key exchange algorithm). */
+// Bits for |algorithm_mkey| (key exchange algorithm).
#define SSL_kRSA 0x00000001u
#define SSL_kECDHE 0x00000002u
-/* SSL_kPSK is only set for plain PSK, not ECDHE_PSK. */
+// SSL_kPSK is only set for plain PSK, not ECDHE_PSK.
#define SSL_kPSK 0x00000004u
#define SSL_kGENERIC 0x00000008u
-/* Bits for |algorithm_auth| (server authentication). */
+// Bits for |algorithm_auth| (server authentication).
#define SSL_aRSA 0x00000001u
#define SSL_aECDSA 0x00000002u
-/* SSL_aPSK is set for both PSK and ECDHE_PSK. */
+// SSL_aPSK is set for both PSK and ECDHE_PSK.
#define SSL_aPSK 0x00000004u
#define SSL_aGENERIC 0x00000008u
#define SSL_aCERT (SSL_aRSA | SSL_aECDSA)
-/* Bits for |algorithm_enc| (symmetric encryption). */
+// Bits for |algorithm_enc| (symmetric encryption).
#define SSL_3DES 0x00000001u
#define SSL_AES128 0x00000002u
#define SSL_AES256 0x00000004u
@@ -312,91 +312,91 @@
#define SSL_AES (SSL_AES128 | SSL_AES256 | SSL_AES128GCM | SSL_AES256GCM)
-/* Bits for |algorithm_mac| (symmetric authentication). */
+// Bits for |algorithm_mac| (symmetric authentication).
#define SSL_SHA1 0x00000001u
#define SSL_SHA256 0x00000002u
#define SSL_SHA384 0x00000004u
-/* SSL_AEAD is set for all AEADs. */
+// SSL_AEAD is set for all AEADs.
#define SSL_AEAD 0x00000008u
-/* Bits for |algorithm_prf| (handshake digest). */
+// Bits for |algorithm_prf| (handshake digest).
#define SSL_HANDSHAKE_MAC_DEFAULT 0x1
#define SSL_HANDSHAKE_MAC_SHA256 0x2
#define SSL_HANDSHAKE_MAC_SHA384 0x4
-/* SSL_MAX_DIGEST is the number of digest types which exist. When adding a new
- * one, update the table in ssl_cipher.c. */
+// SSL_MAX_DIGEST is the number of digest types which exist. When adding a new
+// one, update the table in ssl_cipher.c.
#define SSL_MAX_DIGEST 4
-/* ssl_cipher_get_evp_aead sets |*out_aead| to point to the correct EVP_AEAD
- * object for |cipher| protocol version |version|. It sets |*out_mac_secret_len|
- * and |*out_fixed_iv_len| to the MAC key length and fixed IV length,
- * respectively. The MAC key length is zero except for legacy block and stream
- * ciphers. It returns 1 on success and 0 on error. */
+// ssl_cipher_get_evp_aead sets |*out_aead| to point to the correct EVP_AEAD
+// object for |cipher| protocol version |version|. It sets |*out_mac_secret_len|
+// and |*out_fixed_iv_len| to the MAC key length and fixed IV length,
+// respectively. The MAC key length is zero except for legacy block and stream
+// ciphers. It returns 1 on success and 0 on error.
int ssl_cipher_get_evp_aead(const EVP_AEAD **out_aead,
size_t *out_mac_secret_len,
size_t *out_fixed_iv_len, const SSL_CIPHER *cipher,
uint16_t version, int is_dtls);
-/* ssl_get_handshake_digest returns the |EVP_MD| corresponding to |version| and
- * |cipher|. */
+// ssl_get_handshake_digest returns the |EVP_MD| corresponding to |version| and
+// |cipher|.
const EVP_MD *ssl_get_handshake_digest(uint16_t version,
const SSL_CIPHER *cipher);
-/* ssl_create_cipher_list evaluates |rule_str| according to the ciphers in
- * |ssl_method|. It sets |*out_cipher_list| to a newly-allocated
- * |ssl_cipher_preference_list_st| containing the result. It returns 1 on
- * success and 0 on failure. If |strict| is true, nonsense will be rejected. If
- * false, nonsense will be silently ignored. An empty result is considered an
- * error regardless of |strict|. */
+// ssl_create_cipher_list evaluates |rule_str| according to the ciphers in
+// |ssl_method|. It sets |*out_cipher_list| to a newly-allocated
+// |ssl_cipher_preference_list_st| containing the result. It returns 1 on
+// success and 0 on failure. If |strict| is true, nonsense will be rejected. If
+// false, nonsense will be silently ignored. An empty result is considered an
+// error regardless of |strict|.
int ssl_create_cipher_list(
const SSL_PROTOCOL_METHOD *ssl_method,
struct ssl_cipher_preference_list_st **out_cipher_list,
const char *rule_str, int strict);
-/* ssl_cipher_get_value returns the cipher suite id of |cipher|. */
+// ssl_cipher_get_value returns the cipher suite id of |cipher|.
uint16_t ssl_cipher_get_value(const SSL_CIPHER *cipher);
-/* ssl_cipher_auth_mask_for_key returns the mask of cipher |algorithm_auth|
- * values suitable for use with |key| in TLS 1.2 and below. */
+// ssl_cipher_auth_mask_for_key returns the mask of cipher |algorithm_auth|
+// values suitable for use with |key| in TLS 1.2 and below.
uint32_t ssl_cipher_auth_mask_for_key(const EVP_PKEY *key);
-/* ssl_cipher_uses_certificate_auth returns one if |cipher| authenticates the
- * server and, optionally, the client with a certificate. Otherwise it returns
- * zero. */
+// ssl_cipher_uses_certificate_auth returns one if |cipher| authenticates the
+// server and, optionally, the client with a certificate. Otherwise it returns
+// zero.
int ssl_cipher_uses_certificate_auth(const SSL_CIPHER *cipher);
-/* ssl_cipher_requires_server_key_exchange returns 1 if |cipher| requires a
- * ServerKeyExchange message. Otherwise it returns 0.
- *
- * This function may return zero while still allowing |cipher| an optional
- * ServerKeyExchange. This is the case for plain PSK ciphers. */
+// ssl_cipher_requires_server_key_exchange returns 1 if |cipher| requires a
+// ServerKeyExchange message. Otherwise it returns 0.
+//
+// This function may return zero while still allowing |cipher| an optional
+// ServerKeyExchange. This is the case for plain PSK ciphers.
int ssl_cipher_requires_server_key_exchange(const SSL_CIPHER *cipher);
-/* ssl_cipher_get_record_split_len, for TLS 1.0 CBC mode ciphers, returns the
- * length of an encrypted 1-byte record, for use in record-splitting. Otherwise
- * it returns zero. */
+// ssl_cipher_get_record_split_len, for TLS 1.0 CBC mode ciphers, returns the
+// length of an encrypted 1-byte record, for use in record-splitting. Otherwise
+// it returns zero.
size_t ssl_cipher_get_record_split_len(const SSL_CIPHER *cipher);
-/* Transcript layer. */
+// Transcript layer.
-/* SSLTranscript maintains the handshake transcript as a combination of a
- * buffer and running hash. */
+// SSLTranscript maintains the handshake transcript as a combination of a
+// buffer and running hash.
class SSLTranscript {
public:
SSLTranscript();
~SSLTranscript();
- /* Init initializes the handshake transcript. If called on an existing
- * transcript, it resets the transcript and hash. It returns true on success
- * and false on failure. */
+ // Init initializes the handshake transcript. If called on an existing
+ // transcript, it resets the transcript and hash. It returns true on success
+ // and false on failure.
bool Init();
- /* InitHash initializes the handshake hash based on the PRF and contents of
- * the handshake transcript. Subsequent calls to |Update| will update the
- * rolling hash. It returns one on success and zero on failure. It is an error
- * to call this function after the handshake buffer is released. */
+ // InitHash initializes the handshake hash based on the PRF and contents of
+ // the handshake transcript. Subsequent calls to |Update| will update the
+ // rolling hash. It returns one on success and zero on failure. It is an error
+ // to call this function after the handshake buffer is released.
bool InitHash(uint16_t version, const SSL_CIPHER *cipher);
const uint8_t *buffer_data() const {
@@ -404,66 +404,66 @@
}
size_t buffer_len() const { return buffer_->length; }
- /* FreeBuffer releases the handshake buffer. Subsequent calls to
- * |Update| will not update the handshake buffer. */
+ // FreeBuffer releases the handshake buffer. Subsequent calls to
+ // |Update| will not update the handshake buffer.
void FreeBuffer();
- /* DigestLen returns the length of the PRF hash. */
+ // DigestLen returns the length of the PRF hash.
size_t DigestLen() const;
- /* Digest returns the PRF hash. For TLS 1.1 and below, this is
- * |EVP_md5_sha1|. */
+ // Digest returns the PRF hash. For TLS 1.1 and below, this is
+ // |EVP_md5_sha1|.
const EVP_MD *Digest() const;
- /* Update adds |in| to the handshake buffer and handshake hash, whichever is
- * enabled. It returns true on success and false on failure. */
+ // Update adds |in| to the handshake buffer and handshake hash, whichever is
+ // enabled. It returns true on success and false on failure.
bool Update(const uint8_t *in, size_t in_len);
- /* GetHash writes the handshake hash to |out| which must have room for at
- * least |DigestLen| bytes. On success, it returns true and sets |*out_len| to
- * the number of bytes written. Otherwise, it returns false. */
+ // GetHash writes the handshake hash to |out| which must have room for at
+ // least |DigestLen| bytes. On success, it returns true and sets |*out_len| to
+ // the number of bytes written. Otherwise, it returns false.
bool GetHash(uint8_t *out, size_t *out_len);
- /* GetSSL3CertVerifyHash writes the SSL 3.0 CertificateVerify hash into the
- * bytes pointed to by |out| and writes the number of bytes to
- * |*out_len|. |out| must have room for |EVP_MAX_MD_SIZE| bytes. It returns
- * one on success and zero on failure. */
+ // GetSSL3CertVerifyHash writes the SSL 3.0 CertificateVerify hash into the
+ // bytes pointed to by |out| and writes the number of bytes to
+ // |*out_len|. |out| must have room for |EVP_MAX_MD_SIZE| bytes. It returns
+ // one on success and zero on failure.
bool GetSSL3CertVerifyHash(uint8_t *out, size_t *out_len,
const SSL_SESSION *session,
uint16_t signature_algorithm);
- /* GetFinishedMAC computes the MAC for the Finished message into the bytes
- * pointed by |out| and writes the number of bytes to |*out_len|. |out| must
- * have room for |EVP_MAX_MD_SIZE| bytes. It returns true on success and false
- * on failure. */
+ // GetFinishedMAC computes the MAC for the Finished message into the bytes
+ // pointed by |out| and writes the number of bytes to |*out_len|. |out| must
+ // have room for |EVP_MAX_MD_SIZE| bytes. It returns true on success and false
+ // on failure.
bool GetFinishedMAC(uint8_t *out, size_t *out_len, const SSL_SESSION *session,
bool from_server, uint16_t version);
private:
- /* buffer_, if non-null, contains the handshake transcript. */
+ // buffer_, if non-null, contains the handshake transcript.
UniquePtr<BUF_MEM> buffer_;
- /* hash, if initialized with an |EVP_MD|, maintains the handshake hash. For
- * TLS 1.1 and below, it is the SHA-1 half. */
+ // hash, if initialized with an |EVP_MD|, maintains the handshake hash. For
+ // TLS 1.1 and below, it is the SHA-1 half.
ScopedEVP_MD_CTX hash_;
- /* md5, if initialized with an |EVP_MD|, maintains the MD5 half of the
- * handshake hash for TLS 1.1 and below. */
+ // md5, if initialized with an |EVP_MD|, maintains the MD5 half of the
+ // handshake hash for TLS 1.1 and below.
ScopedEVP_MD_CTX md5_;
};
-/* tls1_prf computes the PRF function for |ssl|. It writes |out_len| bytes to
- * |out|, using |secret| as the secret and |label| as the label. |seed1| and
- * |seed2| are concatenated to form the seed parameter. It returns one on
- * success and zero on failure. */
+// tls1_prf computes the PRF function for |ssl|. It writes |out_len| bytes to
+// |out|, using |secret| as the secret and |label| as the label. |seed1| and
+// |seed2| are concatenated to form the seed parameter. It returns one on
+// success and zero on failure.
int tls1_prf(const EVP_MD *digest, uint8_t *out, size_t out_len,
const uint8_t *secret, size_t secret_len, const char *label,
size_t label_len, const uint8_t *seed1, size_t seed1_len,
const uint8_t *seed2, size_t seed2_len);
-/* Encryption layer. */
+// Encryption layer.
-/* SSLAEADContext contains information about an AEAD that is being used to
- * encrypt an SSL connection. */
+// SSLAEADContext contains information about an AEAD that is being used to
+// encrypt an SSL connection.
class SSLAEADContext {
public:
SSLAEADContext(uint16_t version, const SSL_CIPHER *cipher);
@@ -473,13 +473,13 @@
SSLAEADContext(const SSLAEADContext &&) = delete;
SSLAEADContext &operator=(const SSLAEADContext &&) = delete;
- /* CreateNullCipher creates an |SSLAEADContext| for the null cipher. */
+ // CreateNullCipher creates an |SSLAEADContext| for the null cipher.
static UniquePtr<SSLAEADContext> CreateNullCipher();
- /* Create creates an |SSLAEADContext| using the supplied key material. It
- * returns nullptr on error. Only one of |Open| or |Seal| may be used with the
- * resulting object, depending on |direction|. |version| is the normalized
- * protocol version, so DTLS 1.0 is represented as 0x0301, not 0xffef. */
+ // Create creates an |SSLAEADContext| using the supplied key material. It
+ // returns nullptr on error. Only one of |Open| or |Seal| may be used with the
+ // resulting object, depending on |direction|. |version| is the normalized
+ // protocol version, so DTLS 1.0 is represented as 0x0301, not 0xffef.
static UniquePtr<SSLAEADContext> Create(
enum evp_aead_direction_t direction, uint16_t version, int is_dtls,
const SSL_CIPHER *cipher, const uint8_t *enc_key, size_t enc_key_len,
@@ -489,52 +489,52 @@
uint16_t version() const { return version_; }
const SSL_CIPHER *cipher() const { return cipher_; }
- /* is_null_cipher returns true if this is the null cipher. */
+ // is_null_cipher returns true if this is the null cipher.
bool is_null_cipher() const { return !cipher_; }
- /* ExplicitNonceLen returns the length of the explicit nonce. */
+ // ExplicitNonceLen returns the length of the explicit nonce.
size_t ExplicitNonceLen() const;
- /* MaxOverhead returns the maximum overhead of calling |Seal|. */
+ // MaxOverhead returns the maximum overhead of calling |Seal|.
size_t MaxOverhead() const;
- /* SuffixLen calculates the suffix length written by |SealScatter| and writes
- * it to |*out_suffix_len|. It returns true on success and false on error.
- * |in_len| and |extra_in_len| should equal the argument of the same names
- * passed to |SealScatter|. */
+ // SuffixLen calculates the suffix length written by |SealScatter| and writes
+ // it to |*out_suffix_len|. It returns true on success and false on error.
+ // |in_len| and |extra_in_len| should equal the argument of the same names
+ // passed to |SealScatter|.
bool SuffixLen(size_t *out_suffix_len, size_t in_len,
size_t extra_in_len) const;
- /* Open authenticates and decrypts |in_len| bytes from |in| in-place. On
- * success, it sets |*out| to the plaintext in |in| and returns true.
- * Otherwise, it returns false. The output will always be |ExplicitNonceLen|
- * bytes ahead of |in|. */
+ // Open authenticates and decrypts |in_len| bytes from |in| in-place. On
+ // success, it sets |*out| to the plaintext in |in| and returns true.
+ // Otherwise, it returns false. The output will always be |ExplicitNonceLen|
+ // bytes ahead of |in|.
bool Open(CBS *out, uint8_t type, uint16_t wire_version,
const uint8_t seqnum[8], uint8_t *in, size_t in_len);
- /* Seal encrypts and authenticates |in_len| bytes from |in| and writes the
- * result to |out|. It returns true on success and false on error.
- *
- * If |in| and |out| alias then |out| + |ExplicitNonceLen| must be == |in|. */
+ // Seal encrypts and authenticates |in_len| bytes from |in| and writes the
+ // result to |out|. It returns true on success and false on error.
+ //
+ // If |in| and |out| alias then |out| + |ExplicitNonceLen| must be == |in|.
bool Seal(uint8_t *out, size_t *out_len, size_t max_out, uint8_t type,
uint16_t wire_version, const uint8_t seqnum[8], const uint8_t *in,
size_t in_len);
- /* SealScatter encrypts and authenticates |in_len| bytes from |in| and splits
- * the result between |out_prefix|, |out| and |out_suffix|. It returns one on
- * success and zero on error.
- *
- * On successful return, exactly |ExplicitNonceLen| bytes are written to
- * |out_prefix|, |in_len| bytes to |out|, and |SuffixLen| bytes to
- * |out_suffix|.
- *
- * |extra_in| may point to an additional plaintext buffer. If present,
- * |extra_in_len| additional bytes are encrypted and authenticated, and the
- * ciphertext is written to the beginning of |out_suffix|. |SuffixLen| should
- * be used to size |out_suffix| accordingly.
- *
- * If |in| and |out| alias then |out| must be == |in|. Other arguments may not
- * alias anything. */
+ // SealScatter encrypts and authenticates |in_len| bytes from |in| and splits
+ // the result between |out_prefix|, |out| and |out_suffix|. It returns one on
+ // success and zero on error.
+ //
+ // On successful return, exactly |ExplicitNonceLen| bytes are written to
+ // |out_prefix|, |in_len| bytes to |out|, and |SuffixLen| bytes to
+ // |out_suffix|.
+ //
+ // |extra_in| may point to an additional plaintext buffer. If present,
+ // |extra_in_len| additional bytes are encrypted and authenticated, and the
+ // ciphertext is written to the beginning of |out_suffix|. |SuffixLen| should
+ // be used to size |out_suffix| accordingly.
+ //
+ // If |in| and |out| alias then |out| must be == |in|. Other arguments may not
+ // alias anything.
bool SealScatter(uint8_t *out_prefix, uint8_t *out, uint8_t *out_suffix,
uint8_t type, uint16_t wire_version, const uint8_t seqnum[8],
const uint8_t *in, size_t in_len, const uint8_t *extra_in,
@@ -543,65 +543,65 @@
bool GetIV(const uint8_t **out_iv, size_t *out_iv_len) const;
private:
- /* GetAdditionalData writes the additional data into |out| and returns the
- * number of bytes written. */
+ // GetAdditionalData writes the additional data into |out| and returns the
+ // number of bytes written.
size_t GetAdditionalData(uint8_t out[13], uint8_t type, uint16_t wire_version,
const uint8_t seqnum[8], size_t plaintext_len);
const SSL_CIPHER *cipher_;
ScopedEVP_AEAD_CTX ctx_;
- /* fixed_nonce_ contains any bytes of the nonce that are fixed for all
- * records. */
+ // fixed_nonce_ contains any bytes of the nonce that are fixed for all
+ // records.
uint8_t fixed_nonce_[12];
uint8_t fixed_nonce_len_ = 0, variable_nonce_len_ = 0;
- /* version_ is the protocol version that should be used with this AEAD. */
+ // version_ is the protocol version that should be used with this AEAD.
uint16_t version_;
- /* variable_nonce_included_in_record_ is true if the variable nonce
- * for a record is included as a prefix before the ciphertext. */
+ // variable_nonce_included_in_record_ is true if the variable nonce
+ // for a record is included as a prefix before the ciphertext.
bool variable_nonce_included_in_record_ : 1;
- /* random_variable_nonce_ is true if the variable nonce is
- * randomly generated, rather than derived from the sequence
- * number. */
+ // random_variable_nonce_ is true if the variable nonce is
+ // randomly generated, rather than derived from the sequence
+ // number.
bool random_variable_nonce_ : 1;
- /* omit_length_in_ad_ is true if the length should be omitted in the
- * AEAD's ad parameter. */
+ // omit_length_in_ad_ is true if the length should be omitted in the
+ // AEAD's ad parameter.
bool omit_length_in_ad_ : 1;
- /* omit_version_in_ad_ is true if the version should be omitted
- * in the AEAD's ad parameter. */
+ // omit_version_in_ad_ is true if the version should be omitted
+ // in the AEAD's ad parameter.
bool omit_version_in_ad_ : 1;
- /* omit_ad_ is true if the AEAD's ad parameter should be omitted. */
+ // omit_ad_ is true if the AEAD's ad parameter should be omitted.
bool omit_ad_ : 1;
- /* xor_fixed_nonce_ is true if the fixed nonce should be XOR'd into the
- * variable nonce rather than prepended. */
+ // xor_fixed_nonce_ is true if the fixed nonce should be XOR'd into the
+ // variable nonce rather than prepended.
bool xor_fixed_nonce_ : 1;
};
-/* DTLS replay bitmap. */
+// DTLS replay bitmap.
-/* DTLS1_BITMAP maintains a sliding window of 64 sequence numbers to detect
- * replayed packets. It should be initialized by zeroing every field. */
+// DTLS1_BITMAP maintains a sliding window of 64 sequence numbers to detect
+// replayed packets. It should be initialized by zeroing every field.
struct DTLS1_BITMAP {
- /* map is a bit mask of the last 64 sequence numbers. Bit
- * |1<<i| corresponds to |max_seq_num - i|. */
+ // map is a bit mask of the last 64 sequence numbers. Bit
+ // |1<<i| corresponds to |max_seq_num - i|.
uint64_t map;
- /* max_seq_num is the largest sequence number seen so far as a 64-bit
- * integer. */
+ // max_seq_num is the largest sequence number seen so far as a 64-bit
+ // integer.
uint64_t max_seq_num;
};
-/* Record layer. */
+// Record layer.
-/* ssl_record_sequence_update increments the sequence number in |seq|. It
- * returns one on success and zero on wraparound. */
+// ssl_record_sequence_update increments the sequence number in |seq|. It
+// returns one on success and zero on wraparound.
int ssl_record_sequence_update(uint8_t *seq, size_t seq_len);
-/* ssl_record_prefix_len returns the length of the prefix before the ciphertext
- * of a record for |ssl|.
- *
- * TODO(davidben): Expose this as part of public API once the high-level
- * buffer-free APIs are available. */
+// ssl_record_prefix_len returns the length of the prefix before the ciphertext
+// of a record for |ssl|.
+//
+// TODO(davidben): Expose this as part of public API once the high-level
+// buffer-free APIs are available.
size_t ssl_record_prefix_len(const SSL *ssl);
enum ssl_open_record_t {
@@ -613,63 +613,63 @@
ssl_open_record_error,
};
-/* tls_open_record decrypts a record from |in| in-place.
- *
- * If the input did not contain a complete record, it returns
- * |ssl_open_record_partial|. It sets |*out_consumed| to the total number of
- * bytes necessary. It is guaranteed that a successful call to |tls_open_record|
- * will consume at least that many bytes.
- *
- * Otherwise, it sets |*out_consumed| to the number of bytes of input
- * consumed. Note that input may be consumed on all return codes if a record was
- * decrypted.
- *
- * On success, it returns |ssl_open_record_success|. It sets |*out_type| to the
- * record type and |*out| to the record body in |in|. Note that |*out| may be
- * empty.
- *
- * If a record was successfully processed but should be discarded, it returns
- * |ssl_open_record_discard|.
- *
- * If a record was successfully processed but is a close_notify or fatal alert,
- * it returns |ssl_open_record_close_notify| or |ssl_open_record_fatal_alert|.
- *
- * On failure, it returns |ssl_open_record_error| and sets |*out_alert| to an
- * alert to emit. */
+// tls_open_record decrypts a record from |in| in-place.
+//
+// If the input did not contain a complete record, it returns
+// |ssl_open_record_partial|. It sets |*out_consumed| to the total number of
+// bytes necessary. It is guaranteed that a successful call to |tls_open_record|
+// will consume at least that many bytes.
+//
+// Otherwise, it sets |*out_consumed| to the number of bytes of input
+// consumed. Note that input may be consumed on all return codes if a record was
+// decrypted.
+//
+// On success, it returns |ssl_open_record_success|. It sets |*out_type| to the
+// record type and |*out| to the record body in |in|. Note that |*out| may be
+// empty.
+//
+// If a record was successfully processed but should be discarded, it returns
+// |ssl_open_record_discard|.
+//
+// If a record was successfully processed but is a close_notify or fatal alert,
+// it returns |ssl_open_record_close_notify| or |ssl_open_record_fatal_alert|.
+//
+// On failure, it returns |ssl_open_record_error| and sets |*out_alert| to an
+// alert to emit.
enum ssl_open_record_t tls_open_record(SSL *ssl, uint8_t *out_type, CBS *out,
size_t *out_consumed, uint8_t *out_alert,
uint8_t *in, size_t in_len);
-/* dtls_open_record implements |tls_open_record| for DTLS. It never returns
- * |ssl_open_record_partial| but otherwise behaves analogously. */
+// dtls_open_record implements |tls_open_record| for DTLS. It never returns
+// |ssl_open_record_partial| but otherwise behaves analogously.
enum ssl_open_record_t dtls_open_record(SSL *ssl, uint8_t *out_type, CBS *out,
size_t *out_consumed,
uint8_t *out_alert, uint8_t *in,
size_t in_len);
-/* ssl_seal_align_prefix_len returns the length of the prefix before the start
- * of the bulk of the ciphertext when sealing a record with |ssl|. Callers may
- * use this to align buffers.
- *
- * Note when TLS 1.0 CBC record-splitting is enabled, this includes the one byte
- * record and is the offset into second record's ciphertext. Thus sealing a
- * small record may result in a smaller output than this value.
- *
- * TODO(davidben): Is this alignment valuable? Record-splitting makes this a
- * mess. */
+// ssl_seal_align_prefix_len returns the length of the prefix before the start
+// of the bulk of the ciphertext when sealing a record with |ssl|. Callers may
+// use this to align buffers.
+//
+// Note when TLS 1.0 CBC record-splitting is enabled, this includes the one byte
+// record and is the offset into second record's ciphertext. Thus sealing a
+// small record may result in a smaller output than this value.
+//
+// TODO(davidben): Is this alignment valuable? Record-splitting makes this a
+// mess.
size_t ssl_seal_align_prefix_len(const SSL *ssl);
-/* tls_seal_record seals a new record of type |type| and body |in| and writes it
- * to |out|. At most |max_out| bytes will be written. It returns one on success
- * and zero on error. If enabled, |tls_seal_record| implements TLS 1.0 CBC 1/n-1
- * record splitting and may write two records concatenated.
- *
- * For a large record, the bulk of the ciphertext will begin
- * |ssl_seal_align_prefix_len| bytes into out. Aligning |out| appropriately may
- * improve performance. It writes at most |in_len| + |SSL_max_seal_overhead|
- * bytes to |out|.
- *
- * |in| and |out| may not alias. */
+// tls_seal_record seals a new record of type |type| and body |in| and writes it
+// to |out|. At most |max_out| bytes will be written. It returns one on success
+// and zero on error. If enabled, |tls_seal_record| implements TLS 1.0 CBC 1/n-1
+// record splitting and may write two records concatenated.
+//
+// For a large record, the bulk of the ciphertext will begin
+// |ssl_seal_align_prefix_len| bytes into out. Aligning |out| appropriately may
+// improve performance. It writes at most |in_len| + |SSL_max_seal_overhead|
+// bytes to |out|.
+//
+// |in| and |out| may not alias.
int tls_seal_record(SSL *ssl, uint8_t *out, size_t *out_len, size_t max_out,
uint8_t type, const uint8_t *in, size_t in_len);
@@ -678,41 +678,41 @@
dtls1_use_current_epoch,
};
-/* dtls_max_seal_overhead returns the maximum overhead, in bytes, of sealing a
- * record. */
+// dtls_max_seal_overhead returns the maximum overhead, in bytes, of sealing a
+// record.
size_t dtls_max_seal_overhead(const SSL *ssl, enum dtls1_use_epoch_t use_epoch);
-/* dtls_seal_prefix_len returns the number of bytes of prefix to reserve in
- * front of the plaintext when sealing a record in-place. */
+// dtls_seal_prefix_len returns the number of bytes of prefix to reserve in
+// front of the plaintext when sealing a record in-place.
size_t dtls_seal_prefix_len(const SSL *ssl, enum dtls1_use_epoch_t use_epoch);
-/* dtls_seal_record implements |tls_seal_record| for DTLS. |use_epoch| selects
- * which epoch's cipher state to use. Unlike |tls_seal_record|, |in| and |out|
- * may alias but, if they do, |in| must be exactly |dtls_seal_prefix_len| bytes
- * ahead of |out|. */
+// dtls_seal_record implements |tls_seal_record| for DTLS. |use_epoch| selects
+// which epoch's cipher state to use. Unlike |tls_seal_record|, |in| and |out|
+// may alias but, if they do, |in| must be exactly |dtls_seal_prefix_len| bytes
+// ahead of |out|.
int dtls_seal_record(SSL *ssl, uint8_t *out, size_t *out_len, size_t max_out,
uint8_t type, const uint8_t *in, size_t in_len,
enum dtls1_use_epoch_t use_epoch);
-/* ssl_process_alert processes |in| as an alert and updates |ssl|'s shutdown
- * state. It returns one of |ssl_open_record_discard|, |ssl_open_record_error|,
- * |ssl_open_record_close_notify|, or |ssl_open_record_fatal_alert| as
- * appropriate. */
+// ssl_process_alert processes |in| as an alert and updates |ssl|'s shutdown
+// state. It returns one of |ssl_open_record_discard|, |ssl_open_record_error|,
+// |ssl_open_record_close_notify|, or |ssl_open_record_fatal_alert| as
+// appropriate.
enum ssl_open_record_t ssl_process_alert(SSL *ssl, uint8_t *out_alert,
const uint8_t *in, size_t in_len);
-/* Private key operations. */
+// Private key operations.
-/* ssl_has_private_key returns one if |ssl| has a private key
- * configured and zero otherwise. */
+// ssl_has_private_key returns one if |ssl| has a private key
+// configured and zero otherwise.
int ssl_has_private_key(const SSL *ssl);
-/* ssl_private_key_* perform the corresponding operation on
- * |SSL_PRIVATE_KEY_METHOD|. If there is a custom private key configured, they
- * call the corresponding function or |complete| depending on whether there is a
- * pending operation. Otherwise, they implement the operation with
- * |EVP_PKEY|. */
+// ssl_private_key_* perform the corresponding operation on
+// |SSL_PRIVATE_KEY_METHOD|. If there is a custom private key configured, they
+// call the corresponding function or |complete| depending on whether there is a
+// pending operation. Otherwise, they implement the operation with
+// |EVP_PKEY|.
enum ssl_private_key_result_t ssl_private_key_sign(
SSL_HANDSHAKE *hs, uint8_t *out, size_t *out_len, size_t max_out,
@@ -722,25 +722,25 @@
SSL_HANDSHAKE *hs, uint8_t *out, size_t *out_len, size_t max_out,
const uint8_t *in, size_t in_len);
-/* ssl_private_key_supports_signature_algorithm returns one if |hs|'s private
- * key supports |sigalg| and zero otherwise. */
+// ssl_private_key_supports_signature_algorithm returns one if |hs|'s private
+// key supports |sigalg| and zero otherwise.
int ssl_private_key_supports_signature_algorithm(SSL_HANDSHAKE *hs,
uint16_t sigalg);
-/* ssl_public_key_verify verifies that the |signature| is valid for the public
- * key |pkey| and input |in|, using the signature algorithm |sigalg|. */
+// ssl_public_key_verify verifies that the |signature| is valid for the public
+// key |pkey| and input |in|, using the signature algorithm |sigalg|.
int ssl_public_key_verify(SSL *ssl, const uint8_t *signature,
size_t signature_len, uint16_t sigalg, EVP_PKEY *pkey,
const uint8_t *in, size_t in_len);
-/* Custom extensions */
+// Custom extensions
} // namespace bssl
-/* |SSL_CUSTOM_EXTENSION| is a structure that contains information about
- * custom-extension callbacks. It is defined unnamespaced for compatibility with
- * |STACK_OF(SSL_CUSTOM_EXTENSION)|. */
+// |SSL_CUSTOM_EXTENSION| is a structure that contains information about
+// custom-extension callbacks. It is defined unnamespaced for compatibility with
+// |STACK_OF(SSL_CUSTOM_EXTENSION)|.
typedef struct ssl_custom_extension {
SSL_custom_ext_add_cb add_callback;
void *add_arg;
@@ -764,91 +764,91 @@
int custom_ext_add_serverhello(SSL_HANDSHAKE *hs, CBB *extensions);
-/* Key shares. */
+// Key shares.
-/* SSLKeyShare abstracts over Diffie-Hellman-like key exchanges. */
+// SSLKeyShare abstracts over Diffie-Hellman-like key exchanges.
class SSLKeyShare {
public:
virtual ~SSLKeyShare() {}
static constexpr bool kAllowUniquePtr = true;
HAS_VIRTUAL_DESTRUCTOR
- /* Create returns a SSLKeyShare instance for use with group |group_id| or
- * nullptr on error. */
+ // Create returns a SSLKeyShare instance for use with group |group_id| or
+ // nullptr on error.
static UniquePtr<SSLKeyShare> Create(uint16_t group_id);
- /* GroupID returns the group ID. */
+ // GroupID returns the group ID.
virtual uint16_t GroupID() const PURE_VIRTUAL;
- /* Offer generates a keypair and writes the public value to
- * |out_public_key|. It returns true on success and false on error. */
+ // Offer generates a keypair and writes the public value to
+ // |out_public_key|. It returns true on success and false on error.
virtual bool Offer(CBB *out_public_key) PURE_VIRTUAL;
- /* Accept performs a key exchange against the |peer_key| generated by |offer|.
- * On success, it returns true, writes the public value to |out_public_key|,
- * and sets |*out_secret| and |*out_secret_len| to a newly-allocated buffer
- * containing the shared secret. The caller must release this buffer with
- * |OPENSSL_free|. On failure, it returns false and sets |*out_alert| to an
- * alert to send to the peer.
- *
- * The default implementation calls |Offer| and then |Finish|, assuming a key
- * exchange protocol where the peers are symmetric.
- *
- * TODO(davidben): out_secret should be a smart pointer. */
+ // Accept performs a key exchange against the |peer_key| generated by |offer|.
+ // On success, it returns true, writes the public value to |out_public_key|,
+ // and sets |*out_secret| and |*out_secret_len| to a newly-allocated buffer
+ // containing the shared secret. The caller must release this buffer with
+ // |OPENSSL_free|. On failure, it returns false and sets |*out_alert| to an
+ // alert to send to the peer.
+ //
+ // The default implementation calls |Offer| and then |Finish|, assuming a key
+ // exchange protocol where the peers are symmetric.
+ //
+ // TODO(davidben): out_secret should be a smart pointer.
virtual bool Accept(CBB *out_public_key, uint8_t **out_secret,
size_t *out_secret_len, uint8_t *out_alert,
const uint8_t *peer_key, size_t peer_key_len);
- /* Finish performs a key exchange against the |peer_key| generated by
- * |Accept|. On success, it returns true and sets |*out_secret| and
- * |*out_secret_len| to a newly-allocated buffer containing the shared
- * secret. The caller must release this buffer with |OPENSSL_free|. On
- * failure, it returns zero and sets |*out_alert| to an alert to send to the
- * peer.
- *
- * TODO(davidben): out_secret should be a smart pointer. */
+ // Finish performs a key exchange against the |peer_key| generated by
+ // |Accept|. On success, it returns true and sets |*out_secret| and
+ // |*out_secret_len| to a newly-allocated buffer containing the shared
+ // secret. The caller must release this buffer with |OPENSSL_free|. On
+ // failure, it returns zero and sets |*out_alert| to an alert to send to the
+ // peer.
+ //
+ // TODO(davidben): out_secret should be a smart pointer.
virtual bool Finish(uint8_t **out_secret, size_t *out_secret_len,
uint8_t *out_alert, const uint8_t *peer_key,
size_t peer_key_len) PURE_VIRTUAL;
};
-/* ssl_nid_to_group_id looks up the group corresponding to |nid|. On success, it
- * sets |*out_group_id| to the group ID and returns one. Otherwise, it returns
- * zero. */
+// ssl_nid_to_group_id looks up the group corresponding to |nid|. On success, it
+// sets |*out_group_id| to the group ID and returns one. Otherwise, it returns
+// zero.
int ssl_nid_to_group_id(uint16_t *out_group_id, int nid);
-/* ssl_name_to_group_id looks up the group corresponding to the |name| string
- * of length |len|. On success, it sets |*out_group_id| to the group ID and
- * returns one. Otherwise, it returns zero. */
+// ssl_name_to_group_id looks up the group corresponding to the |name| string
+// of length |len|. On success, it sets |*out_group_id| to the group ID and
+// returns one. Otherwise, it returns zero.
int ssl_name_to_group_id(uint16_t *out_group_id, const char *name, size_t len);
-/* Handshake messages. */
+// Handshake messages.
struct SSLMessage {
bool is_v2_hello;
uint8_t type;
CBS body;
- /* raw is the entire serialized handshake message, including the TLS or DTLS
- * message header. */
+ // raw is the entire serialized handshake message, including the TLS or DTLS
+ // message header.
CBS raw;
};
-/* SSL_MAX_HANDSHAKE_FLIGHT is the number of messages, including
- * ChangeCipherSpec, in the longest handshake flight. Currently this is the
- * client's second leg in a full handshake when client certificates, NPN, and
- * Channel ID, are all enabled. */
+// SSL_MAX_HANDSHAKE_FLIGHT is the number of messages, including
+// ChangeCipherSpec, in the longest handshake flight. Currently this is the
+// client's second leg in a full handshake when client certificates, NPN, and
+// Channel ID, are all enabled.
#define SSL_MAX_HANDSHAKE_FLIGHT 7
-/* ssl_max_handshake_message_len returns the maximum number of bytes permitted
- * in a handshake message for |ssl|. */
+// ssl_max_handshake_message_len returns the maximum number of bytes permitted
+// in a handshake message for |ssl|.
size_t ssl_max_handshake_message_len(const SSL *ssl);
-/* dtls_clear_incoming_messages releases all buffered incoming messages. */
+// dtls_clear_incoming_messages releases all buffered incoming messages.
void dtls_clear_incoming_messages(SSL *ssl);
-/* dtls_has_incoming_messages returns one if there are buffered incoming
- * messages ahead of the current message and zero otherwise. */
+// dtls_has_incoming_messages returns one if there are buffered incoming
+// messages ahead of the current message and zero otherwise.
int dtls_has_incoming_messages(const SSL *ssl);
struct DTLS_OUTGOING_MESSAGE {
@@ -858,209 +858,209 @@
char is_ccs;
};
-/* dtls_clear_outgoing_messages releases all buffered outgoing messages. */
+// dtls_clear_outgoing_messages releases all buffered outgoing messages.
void dtls_clear_outgoing_messages(SSL *ssl);
-/* Callbacks. */
+// Callbacks.
-/* ssl_do_info_callback calls |ssl|'s info callback, if set. */
+// ssl_do_info_callback calls |ssl|'s info callback, if set.
void ssl_do_info_callback(const SSL *ssl, int type, int value);
-/* ssl_do_msg_callback calls |ssl|'s message callback, if set. */
+// ssl_do_msg_callback calls |ssl|'s message callback, if set.
void ssl_do_msg_callback(SSL *ssl, int is_write, int content_type,
const void *buf, size_t len);
-/* Transport buffers. */
+// Transport buffers.
-/* ssl_read_buffer returns a pointer to contents of the read buffer. */
+// ssl_read_buffer returns a pointer to contents of the read buffer.
uint8_t *ssl_read_buffer(SSL *ssl);
-/* ssl_read_buffer_len returns the length of the read buffer. */
+// ssl_read_buffer_len returns the length of the read buffer.
size_t ssl_read_buffer_len(const SSL *ssl);
-/* ssl_read_buffer_extend_to extends the read buffer to the desired length. For
- * TLS, it reads to the end of the buffer until the buffer is |len| bytes
- * long. For DTLS, it reads a new packet and ignores |len|. It returns one on
- * success, zero on EOF, and a negative number on error.
- *
- * It is an error to call |ssl_read_buffer_extend_to| in DTLS when the buffer is
- * non-empty. */
+// ssl_read_buffer_extend_to extends the read buffer to the desired length. For
+// TLS, it reads to the end of the buffer until the buffer is |len| bytes
+// long. For DTLS, it reads a new packet and ignores |len|. It returns one on
+// success, zero on EOF, and a negative number on error.
+//
+// It is an error to call |ssl_read_buffer_extend_to| in DTLS when the buffer is
+// non-empty.
int ssl_read_buffer_extend_to(SSL *ssl, size_t len);
-/* ssl_read_buffer_consume consumes |len| bytes from the read buffer. It
- * advances the data pointer and decrements the length. The memory consumed will
- * remain valid until the next call to |ssl_read_buffer_extend| or it is
- * discarded with |ssl_read_buffer_discard|. */
+// ssl_read_buffer_consume consumes |len| bytes from the read buffer. It
+// advances the data pointer and decrements the length. The memory consumed will
+// remain valid until the next call to |ssl_read_buffer_extend| or it is
+// discarded with |ssl_read_buffer_discard|.
void ssl_read_buffer_consume(SSL *ssl, size_t len);
-/* ssl_read_buffer_discard discards the consumed bytes from the read buffer. If
- * the buffer is now empty, it releases memory used by it. */
+// ssl_read_buffer_discard discards the consumed bytes from the read buffer. If
+// the buffer is now empty, it releases memory used by it.
void ssl_read_buffer_discard(SSL *ssl);
-/* ssl_read_buffer_clear releases all memory associated with the read buffer and
- * zero-initializes it. */
+// ssl_read_buffer_clear releases all memory associated with the read buffer and
+// zero-initializes it.
void ssl_read_buffer_clear(SSL *ssl);
-/* ssl_write_buffer_is_pending returns one if the write buffer has pending data
- * and zero if is empty. */
+// ssl_write_buffer_is_pending returns one if the write buffer has pending data
+// and zero if is empty.
int ssl_write_buffer_is_pending(const SSL *ssl);
-/* ssl_write_buffer_init initializes the write buffer. On success, it sets
- * |*out_ptr| to the start of the write buffer with space for up to |max_len|
- * bytes. It returns one on success and zero on failure. Call
- * |ssl_write_buffer_set_len| to complete initialization. */
+// ssl_write_buffer_init initializes the write buffer. On success, it sets
+// |*out_ptr| to the start of the write buffer with space for up to |max_len|
+// bytes. It returns one on success and zero on failure. Call
+// |ssl_write_buffer_set_len| to complete initialization.
int ssl_write_buffer_init(SSL *ssl, uint8_t **out_ptr, size_t max_len);
-/* ssl_write_buffer_set_len is called after |ssl_write_buffer_init| to complete
- * initialization after |len| bytes are written to the buffer. */
+// ssl_write_buffer_set_len is called after |ssl_write_buffer_init| to complete
+// initialization after |len| bytes are written to the buffer.
void ssl_write_buffer_set_len(SSL *ssl, size_t len);
-/* ssl_write_buffer_flush flushes the write buffer to the transport. It returns
- * one on success and <= 0 on error. For DTLS, whether or not the write
- * succeeds, the write buffer will be cleared. */
+// ssl_write_buffer_flush flushes the write buffer to the transport. It returns
+// one on success and <= 0 on error. For DTLS, whether or not the write
+// succeeds, the write buffer will be cleared.
int ssl_write_buffer_flush(SSL *ssl);
-/* ssl_write_buffer_clear releases all memory associated with the write buffer
- * and zero-initializes it. */
+// ssl_write_buffer_clear releases all memory associated with the write buffer
+// and zero-initializes it.
void ssl_write_buffer_clear(SSL *ssl);
-/* Certificate functions. */
+// Certificate functions.
-/* ssl_has_certificate returns one if a certificate and private key are
- * configured and zero otherwise. */
+// ssl_has_certificate returns one if a certificate and private key are
+// configured and zero otherwise.
int ssl_has_certificate(const SSL *ssl);
-/* ssl_parse_cert_chain parses a certificate list from |cbs| in the format used
- * by a TLS Certificate message. On success, it advances |cbs| and returns
- * true. Otherwise, it returns false and sets |*out_alert| to an alert to send
- * to the peer.
- *
- * If the list is non-empty then |*out_chain| and |*out_pubkey| will be set to
- * the certificate chain and the leaf certificate's public key
- * respectively. Otherwise, both will be set to nullptr.
- *
- * If the list is non-empty and |out_leaf_sha256| is non-NULL, it writes the
- * SHA-256 hash of the leaf to |out_leaf_sha256|. */
+// ssl_parse_cert_chain parses a certificate list from |cbs| in the format used
+// by a TLS Certificate message. On success, it advances |cbs| and returns
+// true. Otherwise, it returns false and sets |*out_alert| to an alert to send
+// to the peer.
+//
+// If the list is non-empty then |*out_chain| and |*out_pubkey| will be set to
+// the certificate chain and the leaf certificate's public key
+// respectively. Otherwise, both will be set to nullptr.
+//
+// If the list is non-empty and |out_leaf_sha256| is non-NULL, it writes the
+// SHA-256 hash of the leaf to |out_leaf_sha256|.
bool ssl_parse_cert_chain(uint8_t *out_alert,
UniquePtr<STACK_OF(CRYPTO_BUFFER)> *out_chain,
UniquePtr<EVP_PKEY> *out_pubkey,
uint8_t *out_leaf_sha256, CBS *cbs,
CRYPTO_BUFFER_POOL *pool);
-/* ssl_add_cert_chain adds |ssl|'s certificate chain to |cbb| in the format used
- * by a TLS Certificate message. If there is no certificate chain, it emits an
- * empty certificate list. It returns one on success and zero on error. */
+// ssl_add_cert_chain adds |ssl|'s certificate chain to |cbb| in the format used
+// by a TLS Certificate message. If there is no certificate chain, it emits an
+// empty certificate list. It returns one on success and zero on error.
int ssl_add_cert_chain(SSL *ssl, CBB *cbb);
-/* ssl_cert_check_digital_signature_key_usage parses the DER-encoded, X.509
- * certificate in |in| and returns one if doesn't specify a key usage or, if it
- * does, if it includes digitalSignature. Otherwise it pushes to the error
- * queue and returns zero. */
+// ssl_cert_check_digital_signature_key_usage parses the DER-encoded, X.509
+// certificate in |in| and returns one if doesn't specify a key usage or, if it
+// does, if it includes digitalSignature. Otherwise it pushes to the error
+// queue and returns zero.
int ssl_cert_check_digital_signature_key_usage(const CBS *in);
-/* ssl_cert_parse_pubkey extracts the public key from the DER-encoded, X.509
- * certificate in |in|. It returns an allocated |EVP_PKEY| or else returns
- * nullptr and pushes to the error queue. */
+// ssl_cert_parse_pubkey extracts the public key from the DER-encoded, X.509
+// certificate in |in|. It returns an allocated |EVP_PKEY| or else returns
+// nullptr and pushes to the error queue.
UniquePtr<EVP_PKEY> ssl_cert_parse_pubkey(const CBS *in);
-/* ssl_parse_client_CA_list parses a CA list from |cbs| in the format used by a
- * TLS CertificateRequest message. On success, it returns a newly-allocated
- * |CRYPTO_BUFFER| list and advances |cbs|. Otherwise, it returns nullptr and
- * sets |*out_alert| to an alert to send to the peer. */
+// ssl_parse_client_CA_list parses a CA list from |cbs| in the format used by a
+// TLS CertificateRequest message. On success, it returns a newly-allocated
+// |CRYPTO_BUFFER| list and advances |cbs|. Otherwise, it returns nullptr and
+// sets |*out_alert| to an alert to send to the peer.
UniquePtr<STACK_OF(CRYPTO_BUFFER)> ssl_parse_client_CA_list(SSL *ssl,
uint8_t *out_alert,
CBS *cbs);
-/* ssl_add_client_CA_list adds the configured CA list to |cbb| in the format
- * used by a TLS CertificateRequest message. It returns one on success and zero
- * on error. */
+// ssl_add_client_CA_list adds the configured CA list to |cbb| in the format
+// used by a TLS CertificateRequest message. It returns one on success and zero
+// on error.
int ssl_add_client_CA_list(SSL *ssl, CBB *cbb);
-/* ssl_check_leaf_certificate returns one if |pkey| and |leaf| are suitable as
- * a server's leaf certificate for |hs|. Otherwise, it returns zero and pushes
- * an error on the error queue. */
+// ssl_check_leaf_certificate returns one if |pkey| and |leaf| are suitable as
+// a server's leaf certificate for |hs|. Otherwise, it returns zero and pushes
+// an error on the error queue.
int ssl_check_leaf_certificate(SSL_HANDSHAKE *hs, EVP_PKEY *pkey,
const CRYPTO_BUFFER *leaf);
-/* ssl_on_certificate_selected is called once the certificate has been selected.
- * It finalizes the certificate and initializes |hs->local_pubkey|. It returns
- * one on success and zero on error. */
+// ssl_on_certificate_selected is called once the certificate has been selected.
+// It finalizes the certificate and initializes |hs->local_pubkey|. It returns
+// one on success and zero on error.
int ssl_on_certificate_selected(SSL_HANDSHAKE *hs);
-/* TLS 1.3 key derivation. */
+// TLS 1.3 key derivation.
-/* tls13_init_key_schedule initializes the handshake hash and key derivation
- * state. The cipher suite and PRF hash must have been selected at this point.
- * It returns one on success and zero on error. */
+// tls13_init_key_schedule initializes the handshake hash and key derivation
+// state. The cipher suite and PRF hash must have been selected at this point.
+// It returns one on success and zero on error.
int tls13_init_key_schedule(SSL_HANDSHAKE *hs);
-/* tls13_init_early_key_schedule initializes the handshake hash and key
- * derivation state from the resumption secret to derive the early secrets. It
- * returns one on success and zero on error. */
+// tls13_init_early_key_schedule initializes the handshake hash and key
+// derivation state from the resumption secret to derive the early secrets. It
+// returns one on success and zero on error.
int tls13_init_early_key_schedule(SSL_HANDSHAKE *hs);
-/* tls13_advance_key_schedule incorporates |in| into the key schedule with
- * HKDF-Extract. It returns one on success and zero on error. */
+// tls13_advance_key_schedule incorporates |in| into the key schedule with
+// HKDF-Extract. It returns one on success and zero on error.
int tls13_advance_key_schedule(SSL_HANDSHAKE *hs, const uint8_t *in,
size_t len);
-/* tls13_set_traffic_key sets the read or write traffic keys to
- * |traffic_secret|. It returns one on success and zero on error. */
+// tls13_set_traffic_key sets the read or write traffic keys to
+// |traffic_secret|. It returns one on success and zero on error.
int tls13_set_traffic_key(SSL *ssl, enum evp_aead_direction_t direction,
const uint8_t *traffic_secret,
size_t traffic_secret_len);
-/* tls13_derive_early_secrets derives the early traffic secret. It returns one
- * on success and zero on error. */
+// tls13_derive_early_secrets derives the early traffic secret. It returns one
+// on success and zero on error.
int tls13_derive_early_secrets(SSL_HANDSHAKE *hs);
-/* tls13_derive_handshake_secrets derives the handshake traffic secret. It
- * returns one on success and zero on error. */
+// tls13_derive_handshake_secrets derives the handshake traffic secret. It
+// returns one on success and zero on error.
int tls13_derive_handshake_secrets(SSL_HANDSHAKE *hs);
-/* tls13_rotate_traffic_key derives the next read or write traffic secret. It
- * returns one on success and zero on error. */
+// tls13_rotate_traffic_key derives the next read or write traffic secret. It
+// returns one on success and zero on error.
int tls13_rotate_traffic_key(SSL *ssl, enum evp_aead_direction_t direction);
-/* tls13_derive_application_secrets derives the initial application data traffic
- * and exporter secrets based on the handshake transcripts and |master_secret|.
- * It returns one on success and zero on error. */
+// tls13_derive_application_secrets derives the initial application data traffic
+// and exporter secrets based on the handshake transcripts and |master_secret|.
+// It returns one on success and zero on error.
int tls13_derive_application_secrets(SSL_HANDSHAKE *hs);
-/* tls13_derive_resumption_secret derives the |resumption_secret|. */
+// tls13_derive_resumption_secret derives the |resumption_secret|.
int tls13_derive_resumption_secret(SSL_HANDSHAKE *hs);
-/* tls13_export_keying_material provides an exporter interface to use the
- * |exporter_secret|. */
+// tls13_export_keying_material provides an exporter interface to use the
+// |exporter_secret|.
int tls13_export_keying_material(SSL *ssl, uint8_t *out, size_t out_len,
const char *label, size_t label_len,
const uint8_t *context, size_t context_len,
int use_context);
-/* tls13_finished_mac calculates the MAC of the handshake transcript to verify
- * the integrity of the Finished message, and stores the result in |out| and
- * length in |out_len|. |is_server| is 1 if this is for the Server Finished and
- * 0 for the Client Finished. */
+// tls13_finished_mac calculates the MAC of the handshake transcript to verify
+// the integrity of the Finished message, and stores the result in |out| and
+// length in |out_len|. |is_server| is 1 if this is for the Server Finished and
+// 0 for the Client Finished.
int tls13_finished_mac(SSL_HANDSHAKE *hs, uint8_t *out,
size_t *out_len, int is_server);
-/* tls13_write_psk_binder calculates the PSK binder value and replaces the last
- * bytes of |msg| with the resulting value. It returns 1 on success, and 0 on
- * failure. */
+// tls13_write_psk_binder calculates the PSK binder value and replaces the last
+// bytes of |msg| with the resulting value. It returns 1 on success, and 0 on
+// failure.
int tls13_write_psk_binder(SSL_HANDSHAKE *hs, uint8_t *msg, size_t len);
-/* tls13_verify_psk_binder verifies that the handshake transcript, truncated
- * up to the binders has a valid signature using the value of |session|'s
- * resumption secret. It returns 1 on success, and 0 on failure. */
+// tls13_verify_psk_binder verifies that the handshake transcript, truncated
+// up to the binders has a valid signature using the value of |session|'s
+// resumption secret. It returns 1 on success, and 0 on failure.
int tls13_verify_psk_binder(SSL_HANDSHAKE *hs, SSL_SESSION *session,
const SSLMessage &msg, CBS *binders);
-/* Handshake functions. */
+// Handshake functions.
enum ssl_hs_wait_t {
ssl_hs_error,
@@ -1086,31 +1086,31 @@
~SSL_HANDSHAKE();
static constexpr bool kAllowUniquePtr = true;
- /* ssl is a non-owning pointer to the parent |SSL| object. */
+ // ssl is a non-owning pointer to the parent |SSL| object.
SSL *ssl;
- /* wait contains the operation the handshake is currently blocking on or
- * |ssl_hs_ok| if none. */
+ // wait contains the operation the handshake is currently blocking on or
+ // |ssl_hs_ok| if none.
enum ssl_hs_wait_t wait = ssl_hs_ok;
- /* state is the internal state for the TLS 1.2 and below handshake. Its
- * values depend on |do_handshake| but the starting state is always zero. */
+ // state is the internal state for the TLS 1.2 and below handshake. Its
+ // values depend on |do_handshake| but the starting state is always zero.
int state = 0;
- /* tls13_state is the internal state for the TLS 1.3 handshake. Its values
- * depend on |do_handshake| but the starting state is always zero. */
+ // tls13_state is the internal state for the TLS 1.3 handshake. Its values
+ // depend on |do_handshake| but the starting state is always zero.
int tls13_state = 0;
- /* min_version is the minimum accepted protocol version, taking account both
- * |SSL_OP_NO_*| and |SSL_CTX_set_min_proto_version| APIs. */
+ // min_version is the minimum accepted protocol version, taking account both
+ // |SSL_OP_NO_*| and |SSL_CTX_set_min_proto_version| APIs.
uint16_t min_version = 0;
- /* max_version is the maximum accepted protocol version, taking account both
- * |SSL_OP_NO_*| and |SSL_CTX_set_max_proto_version| APIs. */
+ // max_version is the maximum accepted protocol version, taking account both
+ // |SSL_OP_NO_*| and |SSL_CTX_set_max_proto_version| APIs.
uint16_t max_version = 0;
- /* session_id is the session ID in the ClientHello, used for the experimental
- * TLS 1.3 variant. */
+ // session_id is the session ID in the ClientHello, used for the experimental
+ // TLS 1.3 variant.
uint8_t session_id[SSL_MAX_SSL_SESSION_ID_LENGTH] = {0};
uint8_t session_id_len = 0;
@@ -1124,238 +1124,238 @@
uint8_t expected_client_finished[EVP_MAX_MD_SIZE] = {0};
union {
- /* sent is a bitset where the bits correspond to elements of kExtensions
- * in t1_lib.c. Each bit is set if that extension was sent in a
- * ClientHello. It's not used by servers. */
+ // sent is a bitset where the bits correspond to elements of kExtensions
+ // in t1_lib.c. Each bit is set if that extension was sent in a
+ // ClientHello. It's not used by servers.
uint32_t sent = 0;
- /* received is a bitset, like |sent|, but is used by servers to record
- * which extensions were received from a client. */
+ // received is a bitset, like |sent|, but is used by servers to record
+ // which extensions were received from a client.
uint32_t received;
} extensions;
union {
- /* sent is a bitset where the bits correspond to elements of
- * |client_custom_extensions| in the |SSL_CTX|. Each bit is set if that
- * extension was sent in a ClientHello. It's not used by servers. */
+ // sent is a bitset where the bits correspond to elements of
+ // |client_custom_extensions| in the |SSL_CTX|. Each bit is set if that
+ // extension was sent in a ClientHello. It's not used by servers.
uint16_t sent = 0;
- /* received is a bitset, like |sent|, but is used by servers to record
- * which custom extensions were received from a client. The bits here
- * correspond to |server_custom_extensions|. */
+ // received is a bitset, like |sent|, but is used by servers to record
+ // which custom extensions were received from a client. The bits here
+ // correspond to |server_custom_extensions|.
uint16_t received;
} custom_extensions;
- /* retry_group is the group ID selected by the server in HelloRetryRequest in
- * TLS 1.3. */
+ // retry_group is the group ID selected by the server in HelloRetryRequest in
+ // TLS 1.3.
uint16_t retry_group = 0;
- /* key_share is the current key exchange instance. */
+ // key_share is the current key exchange instance.
UniquePtr<SSLKeyShare> key_share;
- /* transcript is the current handshake transcript. */
+ // transcript is the current handshake transcript.
SSLTranscript transcript;
- /* cookie is the value of the cookie received from the server, if any. */
+ // cookie is the value of the cookie received from the server, if any.
uint8_t *cookie = nullptr;
size_t cookie_len = 0;
- /* key_share_bytes is the value of the previously sent KeyShare extension by
- * the client in TLS 1.3. */
+ // key_share_bytes is the value of the previously sent KeyShare extension by
+ // the client in TLS 1.3.
uint8_t *key_share_bytes = nullptr;
size_t key_share_bytes_len = 0;
- /* ecdh_public_key, for servers, is the key share to be sent to the client in
- * TLS 1.3. */
+ // ecdh_public_key, for servers, is the key share to be sent to the client in
+ // TLS 1.3.
uint8_t *ecdh_public_key = nullptr;
size_t ecdh_public_key_len = 0;
- /* peer_sigalgs are the signature algorithms that the peer supports. These are
- * taken from the contents of the signature algorithms extension for a server
- * or from the CertificateRequest for a client. */
+ // peer_sigalgs are the signature algorithms that the peer supports. These are
+ // taken from the contents of the signature algorithms extension for a server
+ // or from the CertificateRequest for a client.
uint16_t *peer_sigalgs = nullptr;
- /* num_peer_sigalgs is the number of entries in |peer_sigalgs|. */
+ // num_peer_sigalgs is the number of entries in |peer_sigalgs|.
size_t num_peer_sigalgs = 0;
- /* peer_supported_group_list contains the supported group IDs advertised by
- * the peer. This is only set on the server's end. The server does not
- * advertise this extension to the client. */
+ // peer_supported_group_list contains the supported group IDs advertised by
+ // the peer. This is only set on the server's end. The server does not
+ // advertise this extension to the client.
uint16_t *peer_supported_group_list = nullptr;
size_t peer_supported_group_list_len = 0;
- /* peer_key is the peer's ECDH key for a TLS 1.2 client. */
+ // peer_key is the peer's ECDH key for a TLS 1.2 client.
uint8_t *peer_key = nullptr;
size_t peer_key_len = 0;
- /* server_params, in a TLS 1.2 server, stores the ServerKeyExchange
- * parameters. It has client and server randoms prepended for signing
- * convenience. */
+ // server_params, in a TLS 1.2 server, stores the ServerKeyExchange
+ // parameters. It has client and server randoms prepended for signing
+ // convenience.
uint8_t *server_params = nullptr;
size_t server_params_len = 0;
- /* peer_psk_identity_hint, on the client, is the psk_identity_hint sent by the
- * server when using a TLS 1.2 PSK key exchange. */
+ // peer_psk_identity_hint, on the client, is the psk_identity_hint sent by the
+ // server when using a TLS 1.2 PSK key exchange.
UniquePtr<char> peer_psk_identity_hint;
- /* ca_names, on the client, contains the list of CAs received in a
- * CertificateRequest message. */
+ // ca_names, on the client, contains the list of CAs received in a
+ // CertificateRequest message.
UniquePtr<STACK_OF(CRYPTO_BUFFER)> ca_names;
- /* cached_x509_ca_names contains a cache of parsed versions of the elements
- * of |ca_names|. */
+ // cached_x509_ca_names contains a cache of parsed versions of the elements
+ // of |ca_names|.
STACK_OF(X509_NAME) *cached_x509_ca_names = nullptr;
- /* certificate_types, on the client, contains the set of certificate types
- * received in a CertificateRequest message. */
+ // certificate_types, on the client, contains the set of certificate types
+ // received in a CertificateRequest message.
uint8_t *certificate_types = nullptr;
size_t num_certificate_types = 0;
- /* hostname, on the server, is the value of the SNI extension. */
+ // hostname, on the server, is the value of the SNI extension.
UniquePtr<char> hostname;
- /* local_pubkey is the public key we are authenticating as. */
+ // local_pubkey is the public key we are authenticating as.
UniquePtr<EVP_PKEY> local_pubkey;
- /* peer_pubkey is the public key parsed from the peer's leaf certificate. */
+ // peer_pubkey is the public key parsed from the peer's leaf certificate.
UniquePtr<EVP_PKEY> peer_pubkey;
- /* new_session is the new mutable session being established by the current
- * handshake. It should not be cached. */
+ // new_session is the new mutable session being established by the current
+ // handshake. It should not be cached.
UniquePtr<SSL_SESSION> new_session;
- /* early_session is the session corresponding to the current 0-RTT state on
- * the client if |in_early_data| is true. */
+ // early_session is the session corresponding to the current 0-RTT state on
+ // the client if |in_early_data| is true.
UniquePtr<SSL_SESSION> early_session;
- /* new_cipher is the cipher being negotiated in this handshake. */
+ // new_cipher is the cipher being negotiated in this handshake.
const SSL_CIPHER *new_cipher = nullptr;
- /* key_block is the record-layer key block for TLS 1.2 and earlier. */
+ // key_block is the record-layer key block for TLS 1.2 and earlier.
uint8_t *key_block = nullptr;
uint8_t key_block_len = 0;
- /* scts_requested is one if the SCT extension is in the ClientHello. */
+ // scts_requested is one if the SCT extension is in the ClientHello.
unsigned scts_requested:1;
- /* needs_psk_binder if the ClientHello has a placeholder PSK binder to be
- * filled in. */
+ // needs_psk_binder if the ClientHello has a placeholder PSK binder to be
+ // filled in.
unsigned needs_psk_binder:1;
unsigned received_hello_retry_request:1;
unsigned received_custom_extension:1;
- /* accept_psk_mode stores whether the client's PSK mode is compatible with our
- * preferences. */
+ // accept_psk_mode stores whether the client's PSK mode is compatible with our
+ // preferences.
unsigned accept_psk_mode:1;
- /* cert_request is one if a client certificate was requested and zero
- * otherwise. */
+ // cert_request is one if a client certificate was requested and zero
+ // otherwise.
unsigned cert_request:1;
- /* certificate_status_expected is one if OCSP stapling was negotiated and the
- * server is expected to send a CertificateStatus message. (This is used on
- * both the client and server sides.) */
+ // certificate_status_expected is one if OCSP stapling was negotiated and the
+ // server is expected to send a CertificateStatus message. (This is used on
+ // both the client and server sides.)
unsigned certificate_status_expected:1;
- /* ocsp_stapling_requested is one if a client requested OCSP stapling. */
+ // ocsp_stapling_requested is one if a client requested OCSP stapling.
unsigned ocsp_stapling_requested:1;
- /* should_ack_sni is used by a server and indicates that the SNI extension
- * should be echoed in the ServerHello. */
+ // should_ack_sni is used by a server and indicates that the SNI extension
+ // should be echoed in the ServerHello.
unsigned should_ack_sni:1;
- /* in_false_start is one if there is a pending client handshake in False
- * Start. The client may write data at this point. */
+ // in_false_start is one if there is a pending client handshake in False
+ // Start. The client may write data at this point.
unsigned in_false_start:1;
- /* in_early_data is one if there is a pending handshake that has progressed
- * enough to send and receive early data. */
+ // in_early_data is one if there is a pending handshake that has progressed
+ // enough to send and receive early data.
unsigned in_early_data:1;
- /* early_data_offered is one if the client sent the early_data extension. */
+ // early_data_offered is one if the client sent the early_data extension.
unsigned early_data_offered:1;
- /* can_early_read is one if application data may be read at this point in the
- * handshake. */
+ // can_early_read is one if application data may be read at this point in the
+ // handshake.
unsigned can_early_read:1;
- /* can_early_write is one if application data may be written at this point in
- * the handshake. */
+ // can_early_write is one if application data may be written at this point in
+ // the handshake.
unsigned can_early_write:1;
- /* next_proto_neg_seen is one of NPN was negotiated. */
+ // next_proto_neg_seen is one of NPN was negotiated.
unsigned next_proto_neg_seen:1;
- /* ticket_expected is one if a TLS 1.2 NewSessionTicket message is to be sent
- * or received. */
+ // ticket_expected is one if a TLS 1.2 NewSessionTicket message is to be sent
+ // or received.
unsigned ticket_expected:1;
- /* extended_master_secret is one if the extended master secret extension is
- * negotiated in this handshake. */
+ // extended_master_secret is one if the extended master secret extension is
+ // negotiated in this handshake.
unsigned extended_master_secret:1;
- /* pending_private_key_op is one if there is a pending private key operation
- * in progress. */
+ // pending_private_key_op is one if there is a pending private key operation
+ // in progress.
unsigned pending_private_key_op:1;
- /* client_version is the value sent or received in the ClientHello version. */
+ // client_version is the value sent or received in the ClientHello version.
uint16_t client_version = 0;
- /* early_data_read is the amount of early data that has been read by the
- * record layer. */
+ // early_data_read is the amount of early data that has been read by the
+ // record layer.
uint16_t early_data_read = 0;
- /* early_data_written is the amount of early data that has been written by the
- * record layer. */
+ // early_data_written is the amount of early data that has been written by the
+ // record layer.
uint16_t early_data_written = 0;
};
SSL_HANDSHAKE *ssl_handshake_new(SSL *ssl);
-/* ssl_handshake_free releases all memory associated with |hs|. */
+// ssl_handshake_free releases all memory associated with |hs|.
void ssl_handshake_free(SSL_HANDSHAKE *hs);
-/* ssl_check_message_type checks if |msg| has type |type|. If so it returns
- * one. Otherwise, it sends an alert and returns zero. */
+// ssl_check_message_type checks if |msg| has type |type|. If so it returns
+// one. Otherwise, it sends an alert and returns zero.
int ssl_check_message_type(SSL *ssl, const SSLMessage &msg, int type);
-/* ssl_run_handshake runs the TLS handshake. It returns one on success and <= 0
- * on error. It sets |out_early_return| to one if we've completed the handshake
- * early. */
+// ssl_run_handshake runs the TLS handshake. It returns one on success and <= 0
+// on error. It sets |out_early_return| to one if we've completed the handshake
+// early.
int ssl_run_handshake(SSL_HANDSHAKE *hs, int *out_early_return);
-/* The following are implementations of |do_handshake| for the client and
- * server. */
+// The following are implementations of |do_handshake| for the client and
+// server.
enum ssl_hs_wait_t ssl_client_handshake(SSL_HANDSHAKE *hs);
enum ssl_hs_wait_t ssl_server_handshake(SSL_HANDSHAKE *hs);
enum ssl_hs_wait_t tls13_client_handshake(SSL_HANDSHAKE *hs);
enum ssl_hs_wait_t tls13_server_handshake(SSL_HANDSHAKE *hs);
-/* The following functions return human-readable representations of the TLS
- * handshake states for debugging. */
+// The following functions return human-readable representations of the TLS
+// handshake states for debugging.
const char *ssl_client_handshake_state(SSL_HANDSHAKE *hs);
const char *ssl_server_handshake_state(SSL_HANDSHAKE *hs);
const char *tls13_client_handshake_state(SSL_HANDSHAKE *hs);
const char *tls13_server_handshake_state(SSL_HANDSHAKE *hs);
-/* tls13_post_handshake processes a post-handshake message. It returns one on
- * success and zero on failure. */
+// tls13_post_handshake processes a post-handshake message. It returns one on
+// success and zero on failure.
int tls13_post_handshake(SSL *ssl, const SSLMessage &msg);
int tls13_process_certificate(SSL_HANDSHAKE *hs, const SSLMessage &msg,
int allow_anonymous);
int tls13_process_certificate_verify(SSL_HANDSHAKE *hs, const SSLMessage &msg);
-/* tls13_process_finished processes |msg| as a Finished message from the
- * peer. If |use_saved_value| is one, the verify_data is compared against
- * |hs->expected_client_finished| rather than computed fresh. */
+// tls13_process_finished processes |msg| as a Finished message from the
+// peer. If |use_saved_value| is one, the verify_data is compared against
+// |hs->expected_client_finished| rather than computed fresh.
int tls13_process_finished(SSL_HANDSHAKE *hs, const SSLMessage &msg,
int use_saved_value);
int tls13_add_certificate(SSL_HANDSHAKE *hs);
-/* tls13_add_certificate_verify adds a TLS 1.3 CertificateVerify message to the
- * handshake. If it returns |ssl_private_key_retry|, it should be called again
- * to retry when the signing operation is completed. */
+// tls13_add_certificate_verify adds a TLS 1.3 CertificateVerify message to the
+// handshake. If it returns |ssl_private_key_retry|, it should be called again
+// to retry when the signing operation is completed.
enum ssl_private_key_result_t tls13_add_certificate_verify(SSL_HANDSHAKE *hs);
int tls13_add_finished(SSL_HANDSHAKE *hs);
@@ -1377,14 +1377,14 @@
uint32_t *out_obfuscated_ticket_age, uint8_t *out_alert, CBS *contents);
int ssl_ext_pre_shared_key_add_serverhello(SSL_HANDSHAKE *hs, CBB *out);
-/* ssl_is_sct_list_valid does a shallow parse of the SCT list in |contents| and
- * returns one iff it's valid. */
+// ssl_is_sct_list_valid does a shallow parse of the SCT list in |contents| and
+// returns one iff it's valid.
int ssl_is_sct_list_valid(const CBS *contents);
int ssl_write_client_hello(SSL_HANDSHAKE *hs);
-/* ssl_clear_tls13_state releases client state only needed for TLS 1.3. It
- * should be called once the version is known to be TLS 1.2 or earlier. */
+// ssl_clear_tls13_state releases client state only needed for TLS 1.3. It
+// should be called once the version is known to be TLS 1.2 or earlier.
void ssl_clear_tls13_state(SSL_HANDSHAKE *hs);
enum ssl_cert_verify_context_t {
@@ -1393,18 +1393,18 @@
ssl_cert_verify_channel_id,
};
-/* tls13_get_cert_verify_signature_input generates the message to be signed for
- * TLS 1.3's CertificateVerify message. |cert_verify_context| determines the
- * type of signature. It sets |*out| and |*out_len| to a newly allocated buffer
- * containing the result. The caller must free it with |OPENSSL_free| to release
- * it. This function returns one on success and zero on failure. */
+// tls13_get_cert_verify_signature_input generates the message to be signed for
+// TLS 1.3's CertificateVerify message. |cert_verify_context| determines the
+// type of signature. It sets |*out| and |*out_len| to a newly allocated buffer
+// containing the result. The caller must free it with |OPENSSL_free| to release
+// it. This function returns one on success and zero on failure.
int tls13_get_cert_verify_signature_input(
SSL_HANDSHAKE *hs, uint8_t **out, size_t *out_len,
enum ssl_cert_verify_context_t cert_verify_context);
-/* ssl_negotiate_alpn negotiates the ALPN extension, if applicable. It returns
- * one on successful negotiation or if nothing was negotiated. It returns zero
- * and sets |*out_alert| to an alert on error. */
+// ssl_negotiate_alpn negotiates the ALPN extension, if applicable. It returns
+// one on successful negotiation or if nothing was negotiated. It returns zero
+// and sets |*out_alert| to an alert on error.
int ssl_negotiate_alpn(SSL_HANDSHAKE *hs, uint8_t *out_alert,
const SSL_CLIENT_HELLO *client_hello);
@@ -1414,28 +1414,28 @@
CBS *out_data;
};
-/* ssl_parse_extensions parses a TLS extensions block out of |cbs| and advances
- * it. It writes the parsed extensions to pointers denoted by |ext_types|. On
- * success, it fills in the |out_present| and |out_data| fields and returns one.
- * Otherwise, it sets |*out_alert| to an alert to send and returns zero. Unknown
- * extensions are rejected unless |ignore_unknown| is 1. */
+// ssl_parse_extensions parses a TLS extensions block out of |cbs| and advances
+// it. It writes the parsed extensions to pointers denoted by |ext_types|. On
+// success, it fills in the |out_present| and |out_data| fields and returns one.
+// Otherwise, it sets |*out_alert| to an alert to send and returns zero. Unknown
+// extensions are rejected unless |ignore_unknown| is 1.
int ssl_parse_extensions(const CBS *cbs, uint8_t *out_alert,
const SSL_EXTENSION_TYPE *ext_types,
size_t num_ext_types, int ignore_unknown);
-/* ssl_verify_peer_cert verifies the peer certificate for |hs|. */
+// ssl_verify_peer_cert verifies the peer certificate for |hs|.
enum ssl_verify_result_t ssl_verify_peer_cert(SSL_HANDSHAKE *hs);
-/* SSLKEYLOGFILE functions. */
+// SSLKEYLOGFILE functions.
-/* ssl_log_secret logs |secret| with label |label|, if logging is enabled for
- * |ssl|. It returns one on success and zero on failure. */
+// ssl_log_secret logs |secret| with label |label|, if logging is enabled for
+// |ssl|. It returns one on success and zero on failure.
int ssl_log_secret(const SSL *ssl, const char *label, const uint8_t *secret,
size_t secret_len);
-/* ClientHello functions. */
+// ClientHello functions.
int ssl_client_hello_init(SSL *ssl, SSL_CLIENT_HELLO *out,
const SSLMessage &msg);
@@ -1447,7 +1447,7 @@
uint16_t id);
-/* GREASE. */
+// GREASE.
enum ssl_grease_index_t {
ssl_grease_cipher = 0,
@@ -1458,146 +1458,146 @@
ssl_grease_ticket_extension,
};
-/* ssl_get_grease_value returns a GREASE value for |ssl|. For a given
- * connection, the values for each index will be deterministic. This allows the
- * same ClientHello be sent twice for a HelloRetryRequest or the same group be
- * advertised in both supported_groups and key_shares. */
+// ssl_get_grease_value returns a GREASE value for |ssl|. For a given
+// connection, the values for each index will be deterministic. This allows the
+// same ClientHello be sent twice for a HelloRetryRequest or the same group be
+// advertised in both supported_groups and key_shares.
uint16_t ssl_get_grease_value(const SSL *ssl, enum ssl_grease_index_t index);
-/* Signature algorithms. */
+// Signature algorithms.
-/* tls1_parse_peer_sigalgs parses |sigalgs| as the list of peer signature
- * algorithms and saves them on |hs|. It returns one on success and zero on
- * error. */
+// tls1_parse_peer_sigalgs parses |sigalgs| as the list of peer signature
+// algorithms and saves them on |hs|. It returns one on success and zero on
+// error.
int tls1_parse_peer_sigalgs(SSL_HANDSHAKE *hs, const CBS *sigalgs);
-/* tls1_get_legacy_signature_algorithm sets |*out| to the signature algorithm
- * that should be used with |pkey| in TLS 1.1 and earlier. It returns one on
- * success and zero if |pkey| may not be used at those versions. */
+// tls1_get_legacy_signature_algorithm sets |*out| to the signature algorithm
+// that should be used with |pkey| in TLS 1.1 and earlier. It returns one on
+// success and zero if |pkey| may not be used at those versions.
int tls1_get_legacy_signature_algorithm(uint16_t *out, const EVP_PKEY *pkey);
-/* tls1_choose_signature_algorithm sets |*out| to a signature algorithm for use
- * with |hs|'s private key based on the peer's preferences and the algorithms
- * supported. It returns one on success and zero on error. */
+// tls1_choose_signature_algorithm sets |*out| to a signature algorithm for use
+// with |hs|'s private key based on the peer's preferences and the algorithms
+// supported. It returns one on success and zero on error.
int tls1_choose_signature_algorithm(SSL_HANDSHAKE *hs, uint16_t *out);
-/* tls12_add_verify_sigalgs adds the signature algorithms acceptable for the
- * peer signature to |out|. It returns one on success and zero on error. */
+// tls12_add_verify_sigalgs adds the signature algorithms acceptable for the
+// peer signature to |out|. It returns one on success and zero on error.
int tls12_add_verify_sigalgs(const SSL *ssl, CBB *out);
-/* tls12_check_peer_sigalg checks if |sigalg| is acceptable for the peer
- * signature. It returns one on success and zero on error, setting |*out_alert|
- * to an alert to send. */
+// tls12_check_peer_sigalg checks if |sigalg| is acceptable for the peer
+// signature. It returns one on success and zero on error, setting |*out_alert|
+// to an alert to send.
int tls12_check_peer_sigalg(SSL *ssl, uint8_t *out_alert, uint16_t sigalg);
-/* Underdocumented functions.
- *
- * Functions below here haven't been touched up and may be underdocumented. */
+// Underdocumented functions.
+//
+// Functions below here haven't been touched up and may be underdocumented.
#define TLSEXT_CHANNEL_ID_SIZE 128
-/* From RFC4492, used in encoding the curve type in ECParameters */
+// From RFC4492, used in encoding the curve type in ECParameters
#define NAMED_CURVE_TYPE 3
struct SSLCertConfig {
EVP_PKEY *privatekey;
- /* chain contains the certificate chain, with the leaf at the beginning. The
- * first element of |chain| may be NULL to indicate that the leaf certificate
- * has not yet been set.
- * If |chain| != NULL -> len(chain) >= 1
- * If |chain[0]| == NULL -> len(chain) >= 2.
- * |chain[1..]| != NULL */
+ // chain contains the certificate chain, with the leaf at the beginning. The
+ // first element of |chain| may be NULL to indicate that the leaf certificate
+ // has not yet been set.
+ // If |chain| != NULL -> len(chain) >= 1
+ // If |chain[0]| == NULL -> len(chain) >= 2.
+ // |chain[1..]| != NULL
STACK_OF(CRYPTO_BUFFER) *chain;
- /* x509_chain may contain a parsed copy of |chain[1..]|. This is only used as
- * a cache in order to implement “get0” functions that return a non-owning
- * pointer to the certificate chain. */
+ // x509_chain may contain a parsed copy of |chain[1..]|. This is only used as
+ // a cache in order to implement “get0” functions that return a non-owning
+ // pointer to the certificate chain.
STACK_OF(X509) *x509_chain;
- /* x509_leaf may contain a parsed copy of the first element of |chain|. This
- * is only used as a cache in order to implement “get0” functions that return
- * a non-owning pointer to the certificate chain. */
+ // x509_leaf may contain a parsed copy of the first element of |chain|. This
+ // is only used as a cache in order to implement “get0” functions that return
+ // a non-owning pointer to the certificate chain.
X509 *x509_leaf;
- /* x509_stash contains the last |X509| object append to the chain. This is a
- * workaround for some third-party code that continue to use an |X509| object
- * even after passing ownership with an “add0” function. */
+ // x509_stash contains the last |X509| object append to the chain. This is a
+ // workaround for some third-party code that continue to use an |X509| object
+ // even after passing ownership with an “add0” function.
X509 *x509_stash;
- /* key_method, if non-NULL, is a set of callbacks to call for private key
- * operations. */
+ // key_method, if non-NULL, is a set of callbacks to call for private key
+ // operations.
const SSL_PRIVATE_KEY_METHOD *key_method;
- /* x509_method contains pointers to functions that might deal with |X509|
- * compatibility, or might be a no-op, depending on the application. */
+ // x509_method contains pointers to functions that might deal with |X509|
+ // compatibility, or might be a no-op, depending on the application.
const SSL_X509_METHOD *x509_method;
- /* sigalgs, if non-NULL, is the set of signature algorithms supported by
- * |privatekey| in decreasing order of preference. */
+ // sigalgs, if non-NULL, is the set of signature algorithms supported by
+ // |privatekey| in decreasing order of preference.
uint16_t *sigalgs;
size_t num_sigalgs;
- /* Certificate setup callback: if set is called whenever a
- * certificate may be required (client or server). the callback
- * can then examine any appropriate parameters and setup any
- * certificates required. This allows advanced applications
- * to select certificates on the fly: for example based on
- * supported signature algorithms or curves. */
+ // Certificate setup callback: if set is called whenever a
+ // certificate may be required (client or server). the callback
+ // can then examine any appropriate parameters and setup any
+ // certificates required. This allows advanced applications
+ // to select certificates on the fly: for example based on
+ // supported signature algorithms or curves.
int (*cert_cb)(SSL *ssl, void *arg);
void *cert_cb_arg;
- /* Optional X509_STORE for certificate validation. If NULL the parent SSL_CTX
- * store is used instead. */
+ // Optional X509_STORE for certificate validation. If NULL the parent SSL_CTX
+ // store is used instead.
X509_STORE *verify_store;
- /* Signed certificate timestamp list to be sent to the client, if requested */
+ // Signed certificate timestamp list to be sent to the client, if requested
CRYPTO_BUFFER *signed_cert_timestamp_list;
- /* OCSP response to be sent to the client, if requested. */
+ // OCSP response to be sent to the client, if requested.
CRYPTO_BUFFER *ocsp_response;
- /* sid_ctx partitions the session space within a shared session cache or
- * ticket key. Only sessions with a matching value will be accepted. */
+ // sid_ctx partitions the session space within a shared session cache or
+ // ticket key. Only sessions with a matching value will be accepted.
uint8_t sid_ctx_length;
uint8_t sid_ctx[SSL_MAX_SID_CTX_LENGTH];
- /* If enable_early_data is non-zero, early data can be sent and accepted. */
+ // If enable_early_data is non-zero, early data can be sent and accepted.
unsigned enable_early_data:1;
};
-/* ssl_crypto_x509_method provides the |SSL_X509_METHOD| functions using
- * crypto/x509. */
+// ssl_crypto_x509_method provides the |SSL_X509_METHOD| functions using
+// crypto/x509.
extern const SSL_X509_METHOD ssl_crypto_x509_method;
-/* ssl_noop_x509_method provides the |SSL_X509_METHOD| functions that avoid
- * crypto/x509. */
+// ssl_noop_x509_method provides the |SSL_X509_METHOD| functions that avoid
+// crypto/x509.
extern const SSL_X509_METHOD ssl_noop_x509_method;
struct SSL3_RECORD {
- /* type is the record type. */
+ // type is the record type.
uint8_t type;
- /* length is the number of unconsumed bytes in the record. */
+ // length is the number of unconsumed bytes in the record.
uint16_t length;
- /* data is a non-owning pointer to the first unconsumed byte of the record. */
+ // data is a non-owning pointer to the first unconsumed byte of the record.
uint8_t *data;
};
struct SSL3_BUFFER {
- /* buf is the memory allocated for this buffer. */
+ // buf is the memory allocated for this buffer.
uint8_t *buf;
- /* offset is the offset into |buf| which the buffer contents start at. */
+ // offset is the offset into |buf| which the buffer contents start at.
uint16_t offset;
- /* len is the length of the buffer contents from |buf| + |offset|. */
+ // len is the length of the buffer contents from |buf| + |offset|.
uint16_t len;
- /* cap is how much memory beyond |buf| + |offset| is available. */
+ // cap is how much memory beyond |buf| + |offset| is available.
uint16_t cap;
};
-/* An ssl_shutdown_t describes the shutdown state of one end of the connection,
- * whether it is alive or has been shutdown via close_notify or fatal alert. */
+// An ssl_shutdown_t describes the shutdown state of one end of the connection,
+// whether it is alive or has been shutdown via close_notify or fatal alert.
enum ssl_shutdown_t {
ssl_shutdown_none = 0,
ssl_shutdown_close_notify = 1,
@@ -1611,106 +1611,106 @@
uint8_t server_random[SSL3_RANDOM_SIZE];
uint8_t client_random[SSL3_RANDOM_SIZE];
- /* read_buffer holds data from the transport to be processed. */
+ // read_buffer holds data from the transport to be processed.
SSL3_BUFFER read_buffer;
- /* write_buffer holds data to be written to the transport. */
+ // write_buffer holds data to be written to the transport.
SSL3_BUFFER write_buffer;
- SSL3_RECORD rrec; /* each decoded record goes in here */
+ SSL3_RECORD rrec; // each decoded record goes in here
- /* partial write - check the numbers match */
- unsigned int wnum; /* number of bytes sent so far */
- int wpend_tot; /* number bytes written */
+ // partial write - check the numbers match
+ unsigned int wnum; // number of bytes sent so far
+ int wpend_tot; // number bytes written
int wpend_type;
- int wpend_ret; /* number of bytes submitted */
+ int wpend_ret; // number of bytes submitted
const uint8_t *wpend_buf;
- /* recv_shutdown is the shutdown state for the receive half of the
- * connection. */
+ // recv_shutdown is the shutdown state for the receive half of the
+ // connection.
enum ssl_shutdown_t recv_shutdown;
- /* recv_shutdown is the shutdown state for the send half of the connection. */
+ // recv_shutdown is the shutdown state for the send half of the connection.
enum ssl_shutdown_t send_shutdown;
int alert_dispatch;
int total_renegotiations;
- /* early_data_skipped is the amount of early data that has been skipped by the
- * record layer. */
+ // early_data_skipped is the amount of early data that has been skipped by the
+ // record layer.
uint16_t early_data_skipped;
- /* empty_record_count is the number of consecutive empty records received. */
+ // empty_record_count is the number of consecutive empty records received.
uint8_t empty_record_count;
- /* warning_alert_count is the number of consecutive warning alerts
- * received. */
+ // warning_alert_count is the number of consecutive warning alerts
+ // received.
uint8_t warning_alert_count;
- /* key_update_count is the number of consecutive KeyUpdates received. */
+ // key_update_count is the number of consecutive KeyUpdates received.
uint8_t key_update_count;
- /* skip_early_data instructs the record layer to skip unexpected early data
- * messages when 0RTT is rejected. */
+ // skip_early_data instructs the record layer to skip unexpected early data
+ // messages when 0RTT is rejected.
unsigned skip_early_data:1;
- /* have_version is true if the connection's final version is known. Otherwise
- * the version has not been negotiated yet. */
+ // have_version is true if the connection's final version is known. Otherwise
+ // the version has not been negotiated yet.
unsigned have_version:1;
- /* v2_hello_done is true if the peer's V2ClientHello, if any, has been handled
- * and future messages should use the record layer. */
+ // v2_hello_done is true if the peer's V2ClientHello, if any, has been handled
+ // and future messages should use the record layer.
unsigned v2_hello_done:1;
- /* is_v2_hello is true if the current handshake message was derived from a
- * V2ClientHello rather than received from the peer directly. */
+ // is_v2_hello is true if the current handshake message was derived from a
+ // V2ClientHello rather than received from the peer directly.
unsigned is_v2_hello:1;
- /* has_message is true if the current handshake message has been returned
- * at least once by |get_message| and false otherwise. */
+ // has_message is true if the current handshake message has been returned
+ // at least once by |get_message| and false otherwise.
unsigned has_message:1;
- /* initial_handshake_complete is true if the initial handshake has
- * completed. */
+ // initial_handshake_complete is true if the initial handshake has
+ // completed.
unsigned initial_handshake_complete:1;
- /* session_reused indicates whether a session was resumed. */
+ // session_reused indicates whether a session was resumed.
unsigned session_reused:1;
unsigned send_connection_binding:1;
- /* In a client, this means that the server supported Channel ID and that a
- * Channel ID was sent. In a server it means that we echoed support for
- * Channel IDs and that tlsext_channel_id will be valid after the
- * handshake. */
+ // In a client, this means that the server supported Channel ID and that a
+ // Channel ID was sent. In a server it means that we echoed support for
+ // Channel IDs and that tlsext_channel_id will be valid after the
+ // handshake.
unsigned tlsext_channel_id_valid:1;
- /* key_update_pending is one if we have a KeyUpdate acknowledgment
- * outstanding. */
+ // key_update_pending is one if we have a KeyUpdate acknowledgment
+ // outstanding.
unsigned key_update_pending:1;
- /* wpend_pending is one if we have a pending write outstanding. */
+ // wpend_pending is one if we have a pending write outstanding.
unsigned wpend_pending:1;
uint8_t send_alert[2];
- /* pending_flight is the pending outgoing flight. This is used to flush each
- * handshake flight in a single write. |write_buffer| must be written out
- * before this data. */
+ // pending_flight is the pending outgoing flight. This is used to flush each
+ // handshake flight in a single write. |write_buffer| must be written out
+ // before this data.
BUF_MEM *pending_flight;
- /* pending_flight_offset is the number of bytes of |pending_flight| which have
- * been successfully written. */
+ // pending_flight_offset is the number of bytes of |pending_flight| which have
+ // been successfully written.
uint32_t pending_flight_offset;
- /* aead_read_ctx is the current read cipher state. */
+ // aead_read_ctx is the current read cipher state.
SSLAEADContext *aead_read_ctx;
- /* aead_write_ctx is the current write cipher state. */
+ // aead_write_ctx is the current write cipher state.
SSLAEADContext *aead_write_ctx;
- /* hs is the handshake state for the current handshake or NULL if there isn't
- * one. */
+ // hs is the handshake state for the current handshake or NULL if there isn't
+ // one.
SSL_HANDSHAKE *hs;
uint8_t write_traffic_secret[EVP_MAX_MD_SIZE];
@@ -1722,58 +1722,58 @@
uint8_t exporter_secret_len;
uint8_t early_exporter_secret_len;
- /* Connection binding to prevent renegotiation attacks */
+ // Connection binding to prevent renegotiation attacks
uint8_t previous_client_finished[12];
uint8_t previous_client_finished_len;
uint8_t previous_server_finished_len;
uint8_t previous_server_finished[12];
- /* State pertaining to the pending handshake.
- *
- * TODO(davidben): Move everything not needed after the handshake completes to
- * |hs| and remove this. */
+ // State pertaining to the pending handshake.
+ //
+ // TODO(davidben): Move everything not needed after the handshake completes to
+ // |hs| and remove this.
struct {
uint8_t new_mac_secret_len;
uint8_t new_key_len;
uint8_t new_fixed_iv_len;
} tmp;
- /* established_session is the session established by the connection. This
- * session is only filled upon the completion of the handshake and is
- * immutable. */
+ // established_session is the session established by the connection. This
+ // session is only filled upon the completion of the handshake and is
+ // immutable.
SSL_SESSION *established_session;
- /* Next protocol negotiation. For the client, this is the protocol that we
- * sent in NextProtocol and is set when handling ServerHello extensions.
- *
- * For a server, this is the client's selected_protocol from NextProtocol and
- * is set when handling the NextProtocol message, before the Finished
- * message. */
+ // Next protocol negotiation. For the client, this is the protocol that we
+ // sent in NextProtocol and is set when handling ServerHello extensions.
+ //
+ // For a server, this is the client's selected_protocol from NextProtocol and
+ // is set when handling the NextProtocol message, before the Finished
+ // message.
uint8_t *next_proto_negotiated;
size_t next_proto_negotiated_len;
- /* ALPN information
- * (we are in the process of transitioning from NPN to ALPN.) */
+ // ALPN information
+ // (we are in the process of transitioning from NPN to ALPN.)
- /* In a server these point to the selected ALPN protocol after the
- * ClientHello has been processed. In a client these contain the protocol
- * that the server selected once the ServerHello has been processed. */
+ // In a server these point to the selected ALPN protocol after the
+ // ClientHello has been processed. In a client these contain the protocol
+ // that the server selected once the ServerHello has been processed.
uint8_t *alpn_selected;
size_t alpn_selected_len;
- /* For a server:
- * If |tlsext_channel_id_valid| is true, then this contains the
- * verified Channel ID from the client: a P256 point, (x,y), where
- * each are big-endian values. */
+ // For a server:
+ // If |tlsext_channel_id_valid| is true, then this contains the
+ // verified Channel ID from the client: a P256 point, (x,y), where
+ // each are big-endian values.
uint8_t tlsext_channel_id[64];
- /* ticket_age_skew is the difference, in seconds, between the client-sent
- * ticket age and the server-computed value in TLS 1.3 server connections
- * which resumed a session. */
+ // ticket_age_skew is the difference, in seconds, between the client-sent
+ // ticket age and the server-computed value in TLS 1.3 server connections
+ // which resumed a session.
int32_t ticket_age_skew;
};
-/* lengths of messages */
+// lengths of messages
#define DTLS1_COOKIE_LENGTH 256
#define DTLS1_RT_HEADER_LENGTH 13
@@ -1792,19 +1792,19 @@
uint32_t frag_len;
};
-/* An hm_fragment is an incoming DTLS message, possibly not yet assembled. */
+// An hm_fragment is an incoming DTLS message, possibly not yet assembled.
struct hm_fragment {
- /* type is the type of the message. */
+ // type is the type of the message.
uint8_t type;
- /* seq is the sequence number of this message. */
+ // seq is the sequence number of this message.
uint16_t seq;
- /* msg_len is the length of the message body. */
+ // msg_len is the length of the message body.
uint32_t msg_len;
- /* data is a pointer to the message, including message header. It has length
- * |DTLS1_HM_HEADER_LENGTH| + |msg_len|. */
+ // data is a pointer to the message, including message header. It has length
+ // |DTLS1_HM_HEADER_LENGTH| + |msg_len|.
uint8_t *data;
- /* reassembly is a bitmask of |msg_len| bits corresponding to which parts of
- * the message have been received. It is NULL if the message is complete. */
+ // reassembly is a bitmask of |msg_len| bits corresponding to which parts of
+ // the message have been received. It is NULL if the message is complete.
uint8_t *reassembly;
};
@@ -1814,151 +1814,151 @@
};
struct DTLS1_STATE {
- /* has_change_cipher_spec is true if we have received a ChangeCipherSpec from
- * the peer in this epoch. */
+ // has_change_cipher_spec is true if we have received a ChangeCipherSpec from
+ // the peer in this epoch.
bool has_change_cipher_spec:1;
- /* outgoing_messages_complete is true if |outgoing_messages| has been
- * completed by an attempt to flush it. Future calls to |add_message| and
- * |add_change_cipher_spec| will start a new flight. */
+ // outgoing_messages_complete is true if |outgoing_messages| has been
+ // completed by an attempt to flush it. Future calls to |add_message| and
+ // |add_change_cipher_spec| will start a new flight.
bool outgoing_messages_complete:1;
- /* flight_has_reply is true if the current outgoing flight is complete and has
- * processed at least one message. This is used to detect whether we or the
- * peer sent the final flight. */
+ // flight_has_reply is true if the current outgoing flight is complete and has
+ // processed at least one message. This is used to detect whether we or the
+ // peer sent the final flight.
bool flight_has_reply:1;
uint8_t cookie[DTLS1_COOKIE_LENGTH];
size_t cookie_len;
- /* The current data and handshake epoch. This is initially undefined, and
- * starts at zero once the initial handshake is completed. */
+ // The current data and handshake epoch. This is initially undefined, and
+ // starts at zero once the initial handshake is completed.
uint16_t r_epoch;
uint16_t w_epoch;
- /* records being received in the current epoch */
+ // records being received in the current epoch
DTLS1_BITMAP bitmap;
uint16_t handshake_write_seq;
uint16_t handshake_read_seq;
- /* save last sequence number for retransmissions */
+ // save last sequence number for retransmissions
uint8_t last_write_sequence[8];
SSLAEADContext *last_aead_write_ctx;
- /* incoming_messages is a ring buffer of incoming handshake messages that have
- * yet to be processed. The front of the ring buffer is message number
- * |handshake_read_seq|, at position |handshake_read_seq| %
- * |SSL_MAX_HANDSHAKE_FLIGHT|. */
+ // incoming_messages is a ring buffer of incoming handshake messages that have
+ // yet to be processed. The front of the ring buffer is message number
+ // |handshake_read_seq|, at position |handshake_read_seq| %
+ // |SSL_MAX_HANDSHAKE_FLIGHT|.
hm_fragment *incoming_messages[SSL_MAX_HANDSHAKE_FLIGHT];
- /* outgoing_messages is the queue of outgoing messages from the last handshake
- * flight. */
+ // outgoing_messages is the queue of outgoing messages from the last handshake
+ // flight.
DTLS_OUTGOING_MESSAGE outgoing_messages[SSL_MAX_HANDSHAKE_FLIGHT];
uint8_t outgoing_messages_len;
- /* outgoing_written is the number of outgoing messages that have been
- * written. */
+ // outgoing_written is the number of outgoing messages that have been
+ // written.
uint8_t outgoing_written;
- /* outgoing_offset is the number of bytes of the next outgoing message have
- * been written. */
+ // outgoing_offset is the number of bytes of the next outgoing message have
+ // been written.
uint32_t outgoing_offset;
- unsigned int mtu; /* max DTLS packet size */
+ unsigned int mtu; // max DTLS packet size
- /* num_timeouts is the number of times the retransmit timer has fired since
- * the last time it was reset. */
+ // num_timeouts is the number of times the retransmit timer has fired since
+ // the last time it was reset.
unsigned int num_timeouts;
- /* Indicates when the last handshake msg or heartbeat sent will
- * timeout. */
+ // Indicates when the last handshake msg or heartbeat sent will
+ // timeout.
struct OPENSSL_timeval next_timeout;
- /* timeout_duration_ms is the timeout duration in milliseconds. */
+ // timeout_duration_ms is the timeout duration in milliseconds.
unsigned timeout_duration_ms;
};
-/* SSLConnection backs the public |SSL| type. Due to compatibility constraints,
- * it is a base class for |ssl_st|. */
+// SSLConnection backs the public |SSL| type. Due to compatibility constraints,
+// it is a base class for |ssl_st|.
struct SSLConnection {
- /* method is the method table corresponding to the current protocol (DTLS or
- * TLS). */
+ // method is the method table corresponding to the current protocol (DTLS or
+ // TLS).
const SSL_PROTOCOL_METHOD *method;
- /* version is the protocol version. */
+ // version is the protocol version.
uint16_t version;
- /* conf_max_version is the maximum acceptable protocol version configured by
- * |SSL_set_max_proto_version|. Note this version is normalized in DTLS and is
- * further constrainted by |SSL_OP_NO_*|. */
+ // conf_max_version is the maximum acceptable protocol version configured by
+ // |SSL_set_max_proto_version|. Note this version is normalized in DTLS and is
+ // further constrainted by |SSL_OP_NO_*|.
uint16_t conf_max_version;
- /* conf_min_version is the minimum acceptable protocol version configured by
- * |SSL_set_min_proto_version|. Note this version is normalized in DTLS and is
- * further constrainted by |SSL_OP_NO_*|. */
+ // conf_min_version is the minimum acceptable protocol version configured by
+ // |SSL_set_min_proto_version|. Note this version is normalized in DTLS and is
+ // further constrainted by |SSL_OP_NO_*|.
uint16_t conf_min_version;
- /* tls13_variant is the variant of TLS 1.3 we are using for this
- * configuration. */
+ // tls13_variant is the variant of TLS 1.3 we are using for this
+ // configuration.
enum tls13_variant_t tls13_variant;
uint16_t max_send_fragment;
- /* There are 2 BIO's even though they are normally both the same. This is so
- * data can be read and written to different handlers */
+ // There are 2 BIO's even though they are normally both the same. This is so
+ // data can be read and written to different handlers
- BIO *rbio; /* used by SSL_read */
- BIO *wbio; /* used by SSL_write */
+ BIO *rbio; // used by SSL_read
+ BIO *wbio; // used by SSL_write
- /* do_handshake runs the handshake. On completion, it returns |ssl_hs_ok|.
- * Otherwise, it returns a value corresponding to what operation is needed to
- * progress. */
+ // do_handshake runs the handshake. On completion, it returns |ssl_hs_ok|.
+ // Otherwise, it returns a value corresponding to what operation is needed to
+ // progress.
enum ssl_hs_wait_t (*do_handshake)(SSL_HANDSHAKE *hs);
- BUF_MEM *init_buf; /* buffer used during init */
+ BUF_MEM *init_buf; // buffer used during init
- SSL3_STATE *s3; /* SSLv3 variables */
- DTLS1_STATE *d1; /* DTLSv1 variables */
+ SSL3_STATE *s3; // SSLv3 variables
+ DTLS1_STATE *d1; // DTLSv1 variables
- /* callback that allows applications to peek at protocol messages */
+ // callback that allows applications to peek at protocol messages
void (*msg_callback)(int write_p, int version, int content_type,
const void *buf, size_t len, SSL *ssl, void *arg);
void *msg_callback_arg;
X509_VERIFY_PARAM *param;
- /* crypto */
+ // crypto
struct ssl_cipher_preference_list_st *cipher_list;
- /* session info */
+ // session info
- /* client cert? */
- /* This is used to hold the server certificate used */
+ // client cert?
+ // This is used to hold the server certificate used
CERT *cert;
- /* This holds a variable that indicates what we were doing when a 0 or -1 is
- * returned. This is needed for non-blocking IO so we know what request
- * needs re-doing when in SSL_accept or SSL_connect */
+ // This holds a variable that indicates what we were doing when a 0 or -1 is
+ // returned. This is needed for non-blocking IO so we know what request
+ // needs re-doing when in SSL_accept or SSL_connect
int rwstate;
- /* initial_timeout_duration_ms is the default DTLS timeout duration in
- * milliseconds. It's used to initialize the timer any time it's restarted. */
+ // initial_timeout_duration_ms is the default DTLS timeout duration in
+ // milliseconds. It's used to initialize the timer any time it's restarted.
unsigned initial_timeout_duration_ms;
- /* session is the configured session to be offered by the client. This session
- * is immutable. */
+ // session is the configured session to be offered by the client. This session
+ // is immutable.
SSL_SESSION *session;
int (*verify_callback)(int ok,
- X509_STORE_CTX *ctx); /* fail if callback returns 0 */
+ X509_STORE_CTX *ctx); // fail if callback returns 0
enum ssl_verify_result_t (*custom_verify_callback)(SSL *ssl,
uint8_t *out_alert);
void (*info_callback)(const SSL *ssl, int type, int value);
- /* Server-only: psk_identity_hint is the identity hint to send in
- * PSK-based key exchanges. */
+ // Server-only: psk_identity_hint is the identity hint to send in
+ // PSK-based key exchanges.
char *psk_identity_hint;
unsigned int (*psk_client_callback)(SSL *ssl, const char *hint,
@@ -1970,91 +1970,91 @@
SSL_CTX *ctx;
- /* extra application data */
+ // extra application data
CRYPTO_EX_DATA ex_data;
- /* for server side, keep the list of CA_dn we can use */
+ // for server side, keep the list of CA_dn we can use
STACK_OF(CRYPTO_BUFFER) *client_CA;
- /* cached_x509_client_CA is a cache of parsed versions of the elements of
- * |client_CA|. */
+ // cached_x509_client_CA is a cache of parsed versions of the elements of
+ // |client_CA|.
STACK_OF(X509_NAME) *cached_x509_client_CA;
- uint32_t options; /* protocol behaviour */
- uint32_t mode; /* API behaviour */
+ uint32_t options; // protocol behaviour
+ uint32_t mode; // API behaviour
uint32_t max_cert_list;
char *tlsext_hostname;
size_t supported_group_list_len;
- uint16_t *supported_group_list; /* our list */
+ uint16_t *supported_group_list; // our list
- /* session_ctx is the |SSL_CTX| used for the session cache and related
- * settings. */
+ // session_ctx is the |SSL_CTX| used for the session cache and related
+ // settings.
SSL_CTX *session_ctx;
- /* srtp_profiles is the list of configured SRTP protection profiles for
- * DTLS-SRTP. */
+ // srtp_profiles is the list of configured SRTP protection profiles for
+ // DTLS-SRTP.
STACK_OF(SRTP_PROTECTION_PROFILE) *srtp_profiles;
- /* srtp_profile is the selected SRTP protection profile for
- * DTLS-SRTP. */
+ // srtp_profile is the selected SRTP protection profile for
+ // DTLS-SRTP.
const SRTP_PROTECTION_PROFILE *srtp_profile;
- /* The client's Channel ID private key. */
+ // The client's Channel ID private key.
EVP_PKEY *tlsext_channel_id_private;
- /* For a client, this contains the list of supported protocols in wire
- * format. */
+ // For a client, this contains the list of supported protocols in wire
+ // format.
uint8_t *alpn_client_proto_list;
unsigned alpn_client_proto_list_len;
- /* renegotiate_mode controls how peer renegotiation attempts are handled. */
+ // renegotiate_mode controls how peer renegotiation attempts are handled.
enum ssl_renegotiate_mode_t renegotiate_mode;
- /* verify_mode is a bitmask of |SSL_VERIFY_*| values. */
+ // verify_mode is a bitmask of |SSL_VERIFY_*| values.
uint8_t verify_mode;
- /* server is true iff the this SSL* is the server half. Note: before the SSL*
- * is initialized by either SSL_set_accept_state or SSL_set_connect_state,
- * the side is not determined. In this state, server is always false. */
+ // server is true iff the this SSL* is the server half. Note: before the SSL*
+ // is initialized by either SSL_set_accept_state or SSL_set_connect_state,
+ // the side is not determined. In this state, server is always false.
unsigned server:1;
- /* quiet_shutdown is true if the connection should not send a close_notify on
- * shutdown. */
+ // quiet_shutdown is true if the connection should not send a close_notify on
+ // shutdown.
unsigned quiet_shutdown:1;
- /* Enable signed certificate time stamps. Currently client only. */
+ // Enable signed certificate time stamps. Currently client only.
unsigned signed_cert_timestamps_enabled:1;
- /* ocsp_stapling_enabled is only used by client connections and indicates
- * whether OCSP stapling will be requested. */
+ // ocsp_stapling_enabled is only used by client connections and indicates
+ // whether OCSP stapling will be requested.
unsigned ocsp_stapling_enabled:1;
- /* tlsext_channel_id_enabled is copied from the |SSL_CTX|. For a server,
- * means that we'll accept Channel IDs from clients. For a client, means that
- * we'll advertise support. */
+ // tlsext_channel_id_enabled is copied from the |SSL_CTX|. For a server,
+ // means that we'll accept Channel IDs from clients. For a client, means that
+ // we'll advertise support.
unsigned tlsext_channel_id_enabled:1;
- /* retain_only_sha256_of_client_certs is true if we should compute the SHA256
- * hash of the peer's certificate and then discard it to save memory and
- * session space. Only effective on the server side. */
+ // retain_only_sha256_of_client_certs is true if we should compute the SHA256
+ // hash of the peer's certificate and then discard it to save memory and
+ // session space. Only effective on the server side.
unsigned retain_only_sha256_of_client_certs:1;
- /* early_data_accepted is true if early data was accepted by the server. */
+ // early_data_accepted is true if early data was accepted by the server.
unsigned early_data_accepted:1;
};
-/* From draft-ietf-tls-tls13-18, used in determining PSK modes. */
+// From draft-ietf-tls-tls13-18, used in determining PSK modes.
#define SSL_PSK_KE 0x0
#define SSL_PSK_DHE_KE 0x1
-/* From draft-ietf-tls-tls13-16, used in determining whether to respond with a
- * KeyUpdate. */
+// From draft-ietf-tls-tls13-16, used in determining whether to respond with a
+// KeyUpdate.
#define SSL_KEY_UPDATE_NOT_REQUESTED 0
#define SSL_KEY_UPDATE_REQUESTED 1
-/* kMaxEarlyDataAccepted is the advertised number of plaintext bytes of early
- * data that will be accepted. This value should be slightly below
- * kMaxEarlyDataSkipped in tls_record.c, which is measured in ciphertext. */
+// kMaxEarlyDataAccepted is the advertised number of plaintext bytes of early
+// data that will be accepted. This value should be slightly below
+// kMaxEarlyDataSkipped in tls_record.c, which is measured in ciphertext.
static const size_t kMaxEarlyDataAccepted = 14336;
CERT *ssl_cert_new(const SSL_X509_METHOD *x509_method);
@@ -2063,9 +2063,9 @@
void ssl_cert_free(CERT *cert);
int ssl_set_cert(CERT *cert, UniquePtr<CRYPTO_BUFFER> buffer);
int ssl_is_key_type_supported(int key_type);
-/* ssl_compare_public_and_private_key returns one if |pubkey| is the public
- * counterpart to |privkey|. Otherwise it returns zero and pushes a helpful
- * message on the error queue. */
+// ssl_compare_public_and_private_key returns one if |pubkey| is the public
+// counterpart to |privkey|. Otherwise it returns zero and pushes a helpful
+// message on the error queue.
int ssl_compare_public_and_private_key(const EVP_PKEY *pubkey,
const EVP_PKEY *privkey);
int ssl_cert_check_private_key(const CERT *cert, const EVP_PKEY *privkey);
@@ -2073,78 +2073,78 @@
int ssl_encrypt_ticket(SSL *ssl, CBB *out, const SSL_SESSION *session);
int ssl_ctx_rotate_ticket_encryption_key(SSL_CTX *ctx);
-/* ssl_session_new returns a newly-allocated blank |SSL_SESSION| or nullptr on
- * error. */
+// ssl_session_new returns a newly-allocated blank |SSL_SESSION| or nullptr on
+// error.
UniquePtr<SSL_SESSION> ssl_session_new(const SSL_X509_METHOD *x509_method);
-/* SSL_SESSION_parse parses an |SSL_SESSION| from |cbs| and advances |cbs| over
- * the parsed data. */
+// SSL_SESSION_parse parses an |SSL_SESSION| from |cbs| and advances |cbs| over
+// the parsed data.
UniquePtr<SSL_SESSION> SSL_SESSION_parse(CBS *cbs,
const SSL_X509_METHOD *x509_method,
CRYPTO_BUFFER_POOL *pool);
-/* ssl_session_is_context_valid returns one if |session|'s session ID context
- * matches the one set on |ssl| and zero otherwise. */
+// ssl_session_is_context_valid returns one if |session|'s session ID context
+// matches the one set on |ssl| and zero otherwise.
int ssl_session_is_context_valid(const SSL *ssl, const SSL_SESSION *session);
-/* ssl_session_is_time_valid returns one if |session| is still valid and zero if
- * it has expired. */
+// ssl_session_is_time_valid returns one if |session| is still valid and zero if
+// it has expired.
int ssl_session_is_time_valid(const SSL *ssl, const SSL_SESSION *session);
-/* ssl_session_is_resumable returns one if |session| is resumable for |hs| and
- * zero otherwise. */
+// ssl_session_is_resumable returns one if |session| is resumable for |hs| and
+// zero otherwise.
int ssl_session_is_resumable(const SSL_HANDSHAKE *hs,
const SSL_SESSION *session);
-/* SSL_SESSION_protocol_version returns the protocol version associated with
- * |session|. */
+// SSL_SESSION_protocol_version returns the protocol version associated with
+// |session|.
uint16_t SSL_SESSION_protocol_version(const SSL_SESSION *session);
-/* SSL_SESSION_get_digest returns the digest used in |session|. */
+// SSL_SESSION_get_digest returns the digest used in |session|.
const EVP_MD *SSL_SESSION_get_digest(const SSL_SESSION *session);
void ssl_set_session(SSL *ssl, SSL_SESSION *session);
-/* ssl_get_prev_session looks up the previous session based on |client_hello|.
- * On success, it sets |*out_session| to the session or nullptr if none was
- * found. If the session could not be looked up synchronously, it returns
- * |ssl_hs_pending_session| and should be called again. If a ticket could not be
- * decrypted immediately it returns |ssl_hs_pending_ticket| and should also
- * be called again. Otherwise, it returns |ssl_hs_error|. */
+// ssl_get_prev_session looks up the previous session based on |client_hello|.
+// On success, it sets |*out_session| to the session or nullptr if none was
+// found. If the session could not be looked up synchronously, it returns
+// |ssl_hs_pending_session| and should be called again. If a ticket could not be
+// decrypted immediately it returns |ssl_hs_pending_ticket| and should also
+// be called again. Otherwise, it returns |ssl_hs_error|.
enum ssl_hs_wait_t ssl_get_prev_session(SSL *ssl,
UniquePtr<SSL_SESSION> *out_session,
int *out_tickets_supported,
int *out_renew_ticket,
const SSL_CLIENT_HELLO *client_hello);
-/* The following flags determine which parts of the session are duplicated. */
+// The following flags determine which parts of the session are duplicated.
#define SSL_SESSION_DUP_AUTH_ONLY 0x0
#define SSL_SESSION_INCLUDE_TICKET 0x1
#define SSL_SESSION_INCLUDE_NONAUTH 0x2
#define SSL_SESSION_DUP_ALL \
(SSL_SESSION_INCLUDE_TICKET | SSL_SESSION_INCLUDE_NONAUTH)
-/* SSL_SESSION_dup returns a newly-allocated |SSL_SESSION| with a copy of the
- * fields in |session| or nullptr on error. The new session is non-resumable and
- * must be explicitly marked resumable once it has been filled in. */
+// SSL_SESSION_dup returns a newly-allocated |SSL_SESSION| with a copy of the
+// fields in |session| or nullptr on error. The new session is non-resumable and
+// must be explicitly marked resumable once it has been filled in.
OPENSSL_EXPORT UniquePtr<SSL_SESSION> SSL_SESSION_dup(SSL_SESSION *session,
int dup_flags);
-/* ssl_session_rebase_time updates |session|'s start time to the current time,
- * adjusting the timeout so the expiration time is unchanged. */
+// ssl_session_rebase_time updates |session|'s start time to the current time,
+// adjusting the timeout so the expiration time is unchanged.
void ssl_session_rebase_time(SSL *ssl, SSL_SESSION *session);
-/* ssl_session_renew_timeout calls |ssl_session_rebase_time| and renews
- * |session|'s timeout to |timeout| (measured from the current time). The
- * renewal is clamped to the session's auth_timeout. */
+// ssl_session_renew_timeout calls |ssl_session_rebase_time| and renews
+// |session|'s timeout to |timeout| (measured from the current time). The
+// renewal is clamped to the session's auth_timeout.
void ssl_session_renew_timeout(SSL *ssl, SSL_SESSION *session,
uint32_t timeout);
void ssl_cipher_preference_list_free(
struct ssl_cipher_preference_list_st *cipher_list);
-/* ssl_get_cipher_preferences returns the cipher preference list for TLS 1.2 and
- * below. */
+// ssl_get_cipher_preferences returns the cipher preference list for TLS 1.2 and
+// below.
const struct ssl_cipher_preference_list_st *ssl_get_cipher_preferences(
const SSL *ssl);
@@ -2185,17 +2185,17 @@
int dtls1_add_alert(SSL *ssl, uint8_t level, uint8_t desc);
int dtls1_flush_flight(SSL *ssl);
-/* ssl_add_message_cbb finishes the handshake message in |cbb| and adds it to
- * the pending flight. It returns one on success and zero on error. */
+// ssl_add_message_cbb finishes the handshake message in |cbb| and adds it to
+// the pending flight. It returns one on success and zero on error.
int ssl_add_message_cbb(SSL *ssl, CBB *cbb);
-/* ssl_hash_message incorporates |msg| into the handshake hash. It returns one
- * on success and zero on allocation failure. */
+// ssl_hash_message incorporates |msg| into the handshake hash. It returns one
+// on success and zero on allocation failure.
bool ssl_hash_message(SSL_HANDSHAKE *hs, const SSLMessage &msg);
-/* dtls1_get_record reads a new input record. On success, it places it in
- * |ssl->s3->rrec| and returns one. Otherwise it returns <= 0 on error or if
- * more data is needed. */
+// dtls1_get_record reads a new input record. On success, it places it in
+// |ssl->s3->rrec| and returns one. Otherwise it returns <= 0 on error or if
+// more data is needed.
int dtls1_get_record(SSL *ssl);
int dtls1_read_app_data(SSL *ssl, int *out_got_handshake, uint8_t *buf, int len,
@@ -2206,8 +2206,8 @@
int dtls1_write_app_data(SSL *ssl, int *out_needs_handshake, const uint8_t *buf,
int len);
-/* dtls1_write_record sends a record. It returns one on success and <= 0 on
- * error. */
+// dtls1_write_record sends a record. It returns one on success and <= 0 on
+// error.
int dtls1_write_record(SSL *ssl, int type, const uint8_t *buf, size_t len,
enum dtls1_use_epoch_t use_epoch);
@@ -2238,38 +2238,38 @@
int tls1_generate_master_secret(SSL_HANDSHAKE *hs, uint8_t *out,
const uint8_t *premaster, size_t premaster_len);
-/* tls1_get_grouplist sets |*out_group_ids| and |*out_group_ids_len| to the
- * locally-configured group preference list. */
+// tls1_get_grouplist sets |*out_group_ids| and |*out_group_ids_len| to the
+// locally-configured group preference list.
void tls1_get_grouplist(SSL *ssl, const uint16_t **out_group_ids,
size_t *out_group_ids_len);
-/* tls1_check_group_id returns one if |group_id| is consistent with
- * locally-configured group preferences. */
+// tls1_check_group_id returns one if |group_id| is consistent with
+// locally-configured group preferences.
int tls1_check_group_id(SSL *ssl, uint16_t group_id);
-/* tls1_get_shared_group sets |*out_group_id| to the first preferred shared
- * group between client and server preferences and returns one. If none may be
- * found, it returns zero. */
+// tls1_get_shared_group sets |*out_group_id| to the first preferred shared
+// group between client and server preferences and returns one. If none may be
+// found, it returns zero.
int tls1_get_shared_group(SSL_HANDSHAKE *hs, uint16_t *out_group_id);
-/* tls1_set_curves converts the array of |ncurves| NIDs pointed to by |curves|
- * into a newly allocated array of TLS group IDs. On success, the function
- * returns one and writes the array to |*out_group_ids| and its size to
- * |*out_group_ids_len|. Otherwise, it returns zero. */
+// tls1_set_curves converts the array of |ncurves| NIDs pointed to by |curves|
+// into a newly allocated array of TLS group IDs. On success, the function
+// returns one and writes the array to |*out_group_ids| and its size to
+// |*out_group_ids_len|. Otherwise, it returns zero.
int tls1_set_curves(uint16_t **out_group_ids, size_t *out_group_ids_len,
const int *curves, size_t ncurves);
-/* tls1_set_curves_list converts the string of curves pointed to by |curves|
- * into a newly allocated array of TLS group IDs. On success, the function
- * returns one and writes the array to |*out_group_ids| and its size to
- * |*out_group_ids_len|. Otherwise, it returns zero. */
+// tls1_set_curves_list converts the string of curves pointed to by |curves|
+// into a newly allocated array of TLS group IDs. On success, the function
+// returns one and writes the array to |*out_group_ids| and its size to
+// |*out_group_ids_len|. Otherwise, it returns zero.
int tls1_set_curves_list(uint16_t **out_group_ids, size_t *out_group_ids_len,
const char *curves);
-/* ssl_add_clienthello_tlsext writes ClientHello extensions to |out|. It
- * returns one on success and zero on failure. The |header_len| argument is the
- * length of the ClientHello written so far and is used to compute the padding
- * length. (It does not include the record header.) */
+// ssl_add_clienthello_tlsext writes ClientHello extensions to |out|. It
+// returns one on success and zero on failure. The |header_len| argument is the
+// length of the ClientHello written so far and is used to compute the padding
+// length. (It does not include the record header.)
int ssl_add_clienthello_tlsext(SSL_HANDSHAKE *hs, CBB *out, size_t header_len);
int ssl_add_serverhello_tlsext(SSL_HANDSHAKE *hs, CBB *out);
@@ -2279,65 +2279,65 @@
#define tlsext_tick_md EVP_sha256
-/* ssl_process_ticket processes a session ticket from the client. It returns
- * one of:
- * |ssl_ticket_aead_success|: |*out_session| is set to the parsed session and
- * |*out_renew_ticket| is set to whether the ticket should be renewed.
- * |ssl_ticket_aead_ignore_ticket|: |*out_renew_ticket| is set to whether a
- * fresh ticket should be sent, but the given ticket cannot be used.
- * |ssl_ticket_aead_retry|: the ticket could not be immediately decrypted.
- * Retry later.
- * |ssl_ticket_aead_error|: an error occured that is fatal to the connection. */
+// ssl_process_ticket processes a session ticket from the client. It returns
+// one of:
+// |ssl_ticket_aead_success|: |*out_session| is set to the parsed session and
+// |*out_renew_ticket| is set to whether the ticket should be renewed.
+// |ssl_ticket_aead_ignore_ticket|: |*out_renew_ticket| is set to whether a
+// fresh ticket should be sent, but the given ticket cannot be used.
+// |ssl_ticket_aead_retry|: the ticket could not be immediately decrypted.
+// Retry later.
+// |ssl_ticket_aead_error|: an error occured that is fatal to the connection.
enum ssl_ticket_aead_result_t ssl_process_ticket(
SSL *ssl, UniquePtr<SSL_SESSION> *out_session, int *out_renew_ticket,
const uint8_t *ticket, size_t ticket_len, const uint8_t *session_id,
size_t session_id_len);
-/* tls1_verify_channel_id processes |msg| as a Channel ID message, and verifies
- * the signature. If the key is valid, it saves the Channel ID and returns
- * one. Otherwise, it returns zero. */
+// tls1_verify_channel_id processes |msg| as a Channel ID message, and verifies
+// the signature. If the key is valid, it saves the Channel ID and returns
+// one. Otherwise, it returns zero.
int tls1_verify_channel_id(SSL_HANDSHAKE *hs, const SSLMessage &msg);
-/* tls1_write_channel_id generates a Channel ID message and puts the output in
- * |cbb|. |ssl->tlsext_channel_id_private| must already be set before calling.
- * This function returns one on success and zero on error. */
+// tls1_write_channel_id generates a Channel ID message and puts the output in
+// |cbb|. |ssl->tlsext_channel_id_private| must already be set before calling.
+// This function returns one on success and zero on error.
int tls1_write_channel_id(SSL_HANDSHAKE *hs, CBB *cbb);
-/* tls1_channel_id_hash computes the hash to be signed by Channel ID and writes
- * it to |out|, which must contain at least |EVP_MAX_MD_SIZE| bytes. It returns
- * one on success and zero on failure. */
+// tls1_channel_id_hash computes the hash to be signed by Channel ID and writes
+// it to |out|, which must contain at least |EVP_MAX_MD_SIZE| bytes. It returns
+// one on success and zero on failure.
int tls1_channel_id_hash(SSL_HANDSHAKE *hs, uint8_t *out, size_t *out_len);
int tls1_record_handshake_hashes_for_channel_id(SSL_HANDSHAKE *hs);
-/* ssl_do_channel_id_callback checks runs |ssl->ctx->channel_id_cb| if
- * necessary. It returns one on success and zero on fatal error. Note that, on
- * success, |ssl->tlsext_channel_id_private| may be unset, in which case the
- * operation should be retried later. */
+// ssl_do_channel_id_callback checks runs |ssl->ctx->channel_id_cb| if
+// necessary. It returns one on success and zero on fatal error. Note that, on
+// success, |ssl->tlsext_channel_id_private| may be unset, in which case the
+// operation should be retried later.
int ssl_do_channel_id_callback(SSL *ssl);
-/* ssl3_can_false_start returns one if |ssl| is allowed to False Start and zero
- * otherwise. */
+// ssl3_can_false_start returns one if |ssl| is allowed to False Start and zero
+// otherwise.
int ssl3_can_false_start(const SSL *ssl);
-/* ssl_can_write returns one if |ssl| is allowed to write and zero otherwise. */
+// ssl_can_write returns one if |ssl| is allowed to write and zero otherwise.
int ssl_can_write(const SSL *ssl);
-/* ssl_can_read returns one if |ssl| is allowed to read and zero otherwise. */
+// ssl_can_read returns one if |ssl| is allowed to read and zero otherwise.
int ssl_can_read(const SSL *ssl);
void ssl_get_current_time(const SSL *ssl, struct OPENSSL_timeval *out_clock);
void ssl_ctx_get_current_time(const SSL_CTX *ctx,
struct OPENSSL_timeval *out_clock);
-/* ssl_reset_error_state resets state for |SSL_get_error|. */
+// ssl_reset_error_state resets state for |SSL_get_error|.
void ssl_reset_error_state(SSL *ssl);
-/* Utility macros */
+// Utility macros
#if defined(__clang__)
-/* SSL_FALLTHROUGH annotates a fallthough case in a switch statement. */
+// SSL_FALLTHROUGH annotates a fallthough case in a switch statement.
#define SSL_FALLTHROUGH [[clang::fallthrough]]
#else
#define SSL_FALLTHROUGH
@@ -2346,45 +2346,45 @@
} // namespace bssl
-/* Opaque C types.
- *
- * The following types are exported to C code as public typedefs, so they must
- * be defined outside of the namespace. */
+// Opaque C types.
+//
+// The following types are exported to C code as public typedefs, so they must
+// be defined outside of the namespace.
-/* ssl_method_st backs the public |SSL_METHOD| type. It is a compatibility
- * structure to support the legacy version-locked methods. */
+// ssl_method_st backs the public |SSL_METHOD| type. It is a compatibility
+// structure to support the legacy version-locked methods.
struct ssl_method_st {
- /* version, if non-zero, is the only protocol version acceptable to an
- * SSL_CTX initialized from this method. */
+ // version, if non-zero, is the only protocol version acceptable to an
+ // SSL_CTX initialized from this method.
uint16_t version;
- /* method is the underlying SSL_PROTOCOL_METHOD that initializes the
- * SSL_CTX. */
+ // method is the underlying SSL_PROTOCOL_METHOD that initializes the
+ // SSL_CTX.
const SSL_PROTOCOL_METHOD *method;
- /* x509_method contains pointers to functions that might deal with |X509|
- * compatibility, or might be a no-op, depending on the application. */
+ // x509_method contains pointers to functions that might deal with |X509|
+ // compatibility, or might be a no-op, depending on the application.
const SSL_X509_METHOD *x509_method;
};
-/* ssl_protocol_method_st, aka |SSL_PROTOCOL_METHOD| abstracts between TLS and
- * DTLS. */
+// ssl_protocol_method_st, aka |SSL_PROTOCOL_METHOD| abstracts between TLS and
+// DTLS.
struct ssl_protocol_method_st {
- /* is_dtls is one if the protocol is DTLS and zero otherwise. */
+ // is_dtls is one if the protocol is DTLS and zero otherwise.
char is_dtls;
int (*ssl_new)(SSL *ssl);
void (*ssl_free)(SSL *ssl);
- /* get_message sets |*out| to the current handshake message and returns true
- * if one has been received. It returns false if more input is needed. */
+ // get_message sets |*out| to the current handshake message and returns true
+ // if one has been received. It returns false if more input is needed.
bool (*get_message)(SSL *ssl, bssl::SSLMessage *out);
- /* read_message reads additional handshake data for |get_message|. On success,
- * it returns one. Otherwise, it returns <= 0. */
+ // read_message reads additional handshake data for |get_message|. On success,
+ // it returns one. Otherwise, it returns <= 0.
int (*read_message)(SSL *ssl);
- /* next_message is called to release the current handshake message. */
+ // next_message is called to release the current handshake message.
void (*next_message)(SSL *ssl);
- /* read_app_data reads up to |len| bytes of application data into |buf|. On
- * success, it returns the number of bytes read. Otherwise, it returns <= 0
- * and sets |*out_got_handshake| to whether the failure was due to a
- * post-handshake handshake message. If so, any handshake messages consumed
- * may be read with |get_message|. */
+ // read_app_data reads up to |len| bytes of application data into |buf|. On
+ // success, it returns the number of bytes read. Otherwise, it returns <= 0
+ // and sets |*out_got_handshake| to whether the failure was due to a
+ // post-handshake handshake message. If so, any handshake messages consumed
+ // may be read with |get_message|.
int (*read_app_data)(SSL *ssl, int *out_got_handshake, uint8_t *buf, int len,
int peek);
int (*read_change_cipher_spec)(SSL *ssl);
@@ -2392,107 +2392,107 @@
int (*write_app_data)(SSL *ssl, int *out_needs_handshake, const uint8_t *buf,
int len);
int (*dispatch_alert)(SSL *ssl);
- /* supports_cipher returns one if |cipher| is supported by this protocol and
- * zero otherwise. */
+ // supports_cipher returns one if |cipher| is supported by this protocol and
+ // zero otherwise.
int (*supports_cipher)(const SSL_CIPHER *cipher);
- /* init_message begins a new handshake message of type |type|. |cbb| is the
- * root CBB to be passed into |finish_message|. |*body| is set to a child CBB
- * the caller should write to. It returns one on success and zero on error. */
+ // init_message begins a new handshake message of type |type|. |cbb| is the
+ // root CBB to be passed into |finish_message|. |*body| is set to a child CBB
+ // the caller should write to. It returns one on success and zero on error.
int (*init_message)(SSL *ssl, CBB *cbb, CBB *body, uint8_t type);
- /* finish_message finishes a handshake message. It sets |*out_msg| to a
- * newly-allocated buffer with the serialized message. The caller must
- * release it with |OPENSSL_free| when done. It returns one on success and
- * zero on error. */
+ // finish_message finishes a handshake message. It sets |*out_msg| to a
+ // newly-allocated buffer with the serialized message. The caller must
+ // release it with |OPENSSL_free| when done. It returns one on success and
+ // zero on error.
int (*finish_message)(SSL *ssl, CBB *cbb, uint8_t **out_msg, size_t *out_len);
- /* add_message adds a handshake message to the pending flight. It returns one
- * on success and zero on error. In either case, it takes ownership of |msg|
- * and releases it with |OPENSSL_free| when done. */
+ // add_message adds a handshake message to the pending flight. It returns one
+ // on success and zero on error. In either case, it takes ownership of |msg|
+ // and releases it with |OPENSSL_free| when done.
int (*add_message)(SSL *ssl, uint8_t *msg, size_t len);
- /* add_change_cipher_spec adds a ChangeCipherSpec record to the pending
- * flight. It returns one on success and zero on error. */
+ // add_change_cipher_spec adds a ChangeCipherSpec record to the pending
+ // flight. It returns one on success and zero on error.
int (*add_change_cipher_spec)(SSL *ssl);
- /* add_alert adds an alert to the pending flight. It returns one on success
- * and zero on error. */
+ // add_alert adds an alert to the pending flight. It returns one on success
+ // and zero on error.
int (*add_alert)(SSL *ssl, uint8_t level, uint8_t desc);
- /* flush_flight flushes the pending flight to the transport. It returns one on
- * success and <= 0 on error. */
+ // flush_flight flushes the pending flight to the transport. It returns one on
+ // success and <= 0 on error.
int (*flush_flight)(SSL *ssl);
- /* on_handshake_complete is called when the handshake is complete. */
+ // on_handshake_complete is called when the handshake is complete.
void (*on_handshake_complete)(SSL *ssl);
- /* set_read_state sets |ssl|'s read cipher state to |aead_ctx|. It returns
- * one on success and zero if changing the read state is forbidden at this
- * point. */
+ // set_read_state sets |ssl|'s read cipher state to |aead_ctx|. It returns
+ // one on success and zero if changing the read state is forbidden at this
+ // point.
int (*set_read_state)(SSL *ssl,
bssl::UniquePtr<bssl::SSLAEADContext> aead_ctx);
- /* set_write_state sets |ssl|'s write cipher state to |aead_ctx|. It returns
- * one on success and zero if changing the write state is forbidden at this
- * point. */
+ // set_write_state sets |ssl|'s write cipher state to |aead_ctx|. It returns
+ // one on success and zero if changing the write state is forbidden at this
+ // point.
int (*set_write_state)(SSL *ssl,
bssl::UniquePtr<bssl::SSLAEADContext> aead_ctx);
};
struct ssl_x509_method_st {
- /* check_client_CA_list returns one if |names| is a good list of X.509
- * distinguished names and zero otherwise. This is used to ensure that we can
- * reject unparsable values at handshake time when using crypto/x509. */
+ // check_client_CA_list returns one if |names| is a good list of X.509
+ // distinguished names and zero otherwise. This is used to ensure that we can
+ // reject unparsable values at handshake time when using crypto/x509.
int (*check_client_CA_list)(STACK_OF(CRYPTO_BUFFER) *names);
- /* cert_clear frees and NULLs all X509 certificate-related state. */
+ // cert_clear frees and NULLs all X509 certificate-related state.
void (*cert_clear)(CERT *cert);
- /* cert_free frees all X509-related state. */
+ // cert_free frees all X509-related state.
void (*cert_free)(CERT *cert);
- /* cert_flush_cached_chain drops any cached |X509|-based certificate chain
- * from |cert|. */
- /* cert_dup duplicates any needed fields from |cert| to |new_cert|. */
+ // cert_flush_cached_chain drops any cached |X509|-based certificate chain
+ // from |cert|.
+ // cert_dup duplicates any needed fields from |cert| to |new_cert|.
void (*cert_dup)(CERT *new_cert, const CERT *cert);
void (*cert_flush_cached_chain)(CERT *cert);
- /* cert_flush_cached_chain drops any cached |X509|-based leaf certificate
- * from |cert|. */
+ // cert_flush_cached_chain drops any cached |X509|-based leaf certificate
+ // from |cert|.
void (*cert_flush_cached_leaf)(CERT *cert);
- /* session_cache_objects fills out |sess->x509_peer| and |sess->x509_chain|
- * from |sess->certs| and erases |sess->x509_chain_without_leaf|. It returns
- * one on success or zero on error. */
+ // session_cache_objects fills out |sess->x509_peer| and |sess->x509_chain|
+ // from |sess->certs| and erases |sess->x509_chain_without_leaf|. It returns
+ // one on success or zero on error.
int (*session_cache_objects)(SSL_SESSION *session);
- /* session_dup duplicates any needed fields from |session| to |new_session|.
- * It returns one on success or zero on error. */
+ // session_dup duplicates any needed fields from |session| to |new_session|.
+ // It returns one on success or zero on error.
int (*session_dup)(SSL_SESSION *new_session, const SSL_SESSION *session);
- /* session_clear frees any X509-related state from |session|. */
+ // session_clear frees any X509-related state from |session|.
void (*session_clear)(SSL_SESSION *session);
- /* session_verify_cert_chain verifies the certificate chain in |session|,
- * sets |session->verify_result| and returns one on success or zero on
- * error. */
+ // session_verify_cert_chain verifies the certificate chain in |session|,
+ // sets |session->verify_result| and returns one on success or zero on
+ // error.
int (*session_verify_cert_chain)(SSL_SESSION *session, SSL *ssl,
uint8_t *out_alert);
- /* hs_flush_cached_ca_names drops any cached |X509_NAME|s from |hs|. */
+ // hs_flush_cached_ca_names drops any cached |X509_NAME|s from |hs|.
void (*hs_flush_cached_ca_names)(bssl::SSL_HANDSHAKE *hs);
- /* ssl_new does any neccessary initialisation of |ssl|. It returns one on
- * success or zero on error. */
+ // ssl_new does any neccessary initialisation of |ssl|. It returns one on
+ // success or zero on error.
int (*ssl_new)(SSL *ssl);
- /* ssl_free frees anything created by |ssl_new|. */
+ // ssl_free frees anything created by |ssl_new|.
void (*ssl_free)(SSL *ssl);
- /* ssl_flush_cached_client_CA drops any cached |X509_NAME|s from |ssl|. */
+ // ssl_flush_cached_client_CA drops any cached |X509_NAME|s from |ssl|.
void (*ssl_flush_cached_client_CA)(SSL *ssl);
- /* ssl_auto_chain_if_needed runs the deprecated auto-chaining logic if
- * necessary. On success, it updates |ssl|'s certificate configuration as
- * needed and returns one. Otherwise, it returns zero. */
+ // ssl_auto_chain_if_needed runs the deprecated auto-chaining logic if
+ // necessary. On success, it updates |ssl|'s certificate configuration as
+ // needed and returns one. Otherwise, it returns zero.
int (*ssl_auto_chain_if_needed)(SSL *ssl);
- /* ssl_ctx_new does any neccessary initialisation of |ctx|. It returns one on
- * success or zero on error. */
+ // ssl_ctx_new does any neccessary initialisation of |ctx|. It returns one on
+ // success or zero on error.
int (*ssl_ctx_new)(SSL_CTX *ctx);
- /* ssl_ctx_free frees anything created by |ssl_ctx_new|. */
+ // ssl_ctx_free frees anything created by |ssl_ctx_new|.
void (*ssl_ctx_free)(SSL_CTX *ctx);
- /* ssl_ctx_flush_cached_client_CA drops any cached |X509_NAME|s from |ctx|. */
+ // ssl_ctx_flush_cached_client_CA drops any cached |X509_NAME|s from |ctx|.
void (*ssl_ctx_flush_cached_client_CA)(SSL_CTX *ssl);
};
-/* ssl_st backs the public |SSL| type. It subclasses the true type so that
- * SSLConnection may be a C++ type with methods and destructor without
- * polluting the global namespace. */
+// ssl_st backs the public |SSL| type. It subclasses the true type so that
+// SSLConnection may be a C++ type with methods and destructor without
+// polluting the global namespace.
struct ssl_st : public bssl::SSLConnection {};
struct cert_st : public bssl::SSLCertConfig {};
-#endif /* OPENSSL_HEADER_SSL_INTERNAL_H */
+#endif // OPENSSL_HEADER_SSL_INTERNAL_H
diff --git a/ssl/s3_both.cc b/ssl/s3_both.cc
index 11da692..144da07 100644
--- a/ssl/s3_both.cc
+++ b/ssl/s3_both.cc
@@ -134,7 +134,7 @@
static int add_record_to_flight(SSL *ssl, uint8_t type, const uint8_t *in,
size_t in_len) {
- /* We'll never add a flight while in the process of writing it out. */
+ // We'll never add a flight while in the process of writing it out.
assert(ssl->s3->pending_flight_offset == 0);
if (ssl->s3->pending_flight == NULL) {
@@ -164,7 +164,7 @@
}
int ssl3_init_message(SSL *ssl, CBB *cbb, CBB *body, uint8_t type) {
- /* Pick a modest size hint to save most of the |realloc| calls. */
+ // Pick a modest size hint to save most of the |realloc| calls.
if (!CBB_init(cbb, 64) ||
!CBB_add_u8(cbb, type) ||
!CBB_add_u24_length_prefixed(cbb, body)) {
@@ -187,8 +187,8 @@
}
int ssl3_add_message(SSL *ssl, uint8_t *msg, size_t len) {
- /* Add the message to the current flight, splitting into several records if
- * needed. */
+ // Add the message to the current flight, splitting into several records if
+ // needed.
int ret = 0;
size_t added = 0;
do {
@@ -212,8 +212,8 @@
} while (added < len);
ssl_do_msg_callback(ssl, 1 /* write */, SSL3_RT_HANDSHAKE, msg, len);
- /* TODO(svaldez): Move this up a layer to fix abstraction for SSLTranscript on
- * hs. */
+ // TODO(svaldez): Move this up a layer to fix abstraction for SSLTranscript on
+ // hs.
if (ssl->s3->hs != NULL &&
!ssl->s3->hs->transcript.Update(msg, len)) {
goto err;
@@ -260,8 +260,8 @@
return -1;
}
- /* If there is pending data in the write buffer, it must be flushed out before
- * any new data in pending_flight. */
+ // If there is pending data in the write buffer, it must be flushed out before
+ // any new data in pending_flight.
if (ssl_write_buffer_is_pending(ssl)) {
int ret = ssl_write_buffer_flush(ssl);
if (ret <= 0) {
@@ -270,7 +270,7 @@
}
}
- /* Write the pending flight. */
+ // Write the pending flight.
while (ssl->s3->pending_flight_offset < ssl->s3->pending_flight->length) {
int ret = BIO_write(
ssl->wbio,
@@ -306,14 +306,14 @@
return 0;
}
- /* Log the master secret, if logging is enabled. */
+ // Log the master secret, if logging is enabled.
if (!ssl_log_secret(ssl, "CLIENT_RANDOM",
session->master_key,
session->master_key_length)) {
return 0;
}
- /* Copy the Finished so we can use it for renegotiation checks. */
+ // Copy the Finished so we can use it for renegotiation checks.
if (ssl->version != SSL3_VERSION) {
if (finished_len > sizeof(ssl->s3->previous_client_finished) ||
finished_len > sizeof(ssl->s3->previous_server_finished)) {
@@ -372,18 +372,18 @@
}
static int read_v2_client_hello(SSL *ssl) {
- /* Read the first 5 bytes, the size of the TLS record header. This is
- * sufficient to detect a V2ClientHello and ensures that we never read beyond
- * the first record. */
+ // Read the first 5 bytes, the size of the TLS record header. This is
+ // sufficient to detect a V2ClientHello and ensures that we never read beyond
+ // the first record.
int ret = ssl_read_buffer_extend_to(ssl, SSL3_RT_HEADER_LENGTH);
if (ret <= 0) {
return ret;
}
const uint8_t *p = ssl_read_buffer(ssl);
- /* Some dedicated error codes for protocol mixups should the application wish
- * to interpret them differently. (These do not overlap with ClientHello or
- * V2ClientHello.) */
+ // Some dedicated error codes for protocol mixups should the application wish
+ // to interpret them differently. (These do not overlap with ClientHello or
+ // V2ClientHello.)
if (strncmp("GET ", (const char *)p, 4) == 0 ||
strncmp("POST ", (const char *)p, 5) == 0 ||
strncmp("HEAD ", (const char *)p, 5) == 0 ||
@@ -398,25 +398,25 @@
if ((p[0] & 0x80) == 0 || p[2] != SSL2_MT_CLIENT_HELLO ||
p[3] != SSL3_VERSION_MAJOR) {
- /* Not a V2ClientHello. */
+ // Not a V2ClientHello.
return 1;
}
- /* Determine the length of the V2ClientHello. */
+ // Determine the length of the V2ClientHello.
size_t msg_length = ((p[0] & 0x7f) << 8) | p[1];
if (msg_length > (1024 * 4)) {
OPENSSL_PUT_ERROR(SSL, SSL_R_RECORD_TOO_LARGE);
return -1;
}
if (msg_length < SSL3_RT_HEADER_LENGTH - 2) {
- /* Reject lengths that are too short early. We have already read
- * |SSL3_RT_HEADER_LENGTH| bytes, so we should not attempt to process an
- * (invalid) V2ClientHello which would be shorter than that. */
+ // Reject lengths that are too short early. We have already read
+ // |SSL3_RT_HEADER_LENGTH| bytes, so we should not attempt to process an
+ // (invalid) V2ClientHello which would be shorter than that.
OPENSSL_PUT_ERROR(SSL, SSL_R_RECORD_LENGTH_MISMATCH);
return -1;
}
- /* Read the remainder of the V2ClientHello. */
+ // Read the remainder of the V2ClientHello.
ret = ssl_read_buffer_extend_to(ssl, 2 + msg_length);
if (ret <= 0) {
return ret;
@@ -425,9 +425,9 @@
CBS v2_client_hello;
CBS_init(&v2_client_hello, ssl_read_buffer(ssl) + 2, msg_length);
- /* The V2ClientHello without the length is incorporated into the handshake
- * hash. This is only ever called at the start of the handshake, so hs is
- * guaranteed to be non-NULL. */
+ // The V2ClientHello without the length is incorporated into the handshake
+ // hash. This is only ever called at the start of the handshake, so hs is
+ // guaranteed to be non-NULL.
if (!ssl->s3->hs->transcript.Update(CBS_data(&v2_client_hello),
CBS_len(&v2_client_hello))) {
return -1;
@@ -452,11 +452,11 @@
return -1;
}
- /* msg_type has already been checked. */
+ // msg_type has already been checked.
assert(msg_type == SSL2_MT_CLIENT_HELLO);
- /* The client_random is the V2ClientHello challenge. Truncate or
- * left-pad with zeros as needed. */
+ // The client_random is the V2ClientHello challenge. Truncate or left-pad with
+ // zeros as needed.
size_t rand_len = CBS_len(&challenge);
if (rand_len > SSL3_RANDOM_SIZE) {
rand_len = SSL3_RANDOM_SIZE;
@@ -466,7 +466,7 @@
OPENSSL_memcpy(random + (SSL3_RANDOM_SIZE - rand_len), CBS_data(&challenge),
rand_len);
- /* Write out an equivalent SSLv3 ClientHello. */
+ // Write out an equivalent SSLv3 ClientHello.
size_t max_v3_client_hello = SSL3_HM_HEADER_LENGTH + 2 /* version */ +
SSL3_RANDOM_SIZE + 1 /* session ID length */ +
2 /* cipher list length */ +
@@ -481,14 +481,14 @@
!CBB_add_u24_length_prefixed(client_hello.get(), &hello_body) ||
!CBB_add_u16(&hello_body, version) ||
!CBB_add_bytes(&hello_body, random, SSL3_RANDOM_SIZE) ||
- /* No session id. */
+ // No session id.
!CBB_add_u8(&hello_body, 0) ||
!CBB_add_u16_length_prefixed(&hello_body, &cipher_suites)) {
OPENSSL_PUT_ERROR(SSL, ERR_R_MALLOC_FAILURE);
return -1;
}
- /* Copy the cipher suites. */
+ // Copy the cipher suites.
while (CBS_len(&cipher_specs) > 0) {
uint32_t cipher_spec;
if (!CBS_get_u24(&cipher_specs, &cipher_spec)) {
@@ -496,7 +496,7 @@
return -1;
}
- /* Skip SSLv2 ciphers. */
+ // Skip SSLv2 ciphers.
if ((cipher_spec & 0xff0000) != 0) {
continue;
}
@@ -506,7 +506,7 @@
}
}
- /* Add the null compression scheme and finish. */
+ // Add the null compression scheme and finish.
if (!CBB_add_u8(&hello_body, 1) ||
!CBB_add_u8(&hello_body, 0) ||
!CBB_finish(client_hello.get(), NULL, &ssl->init_buf->length)) {
@@ -514,7 +514,7 @@
return -1;
}
- /* Consume and discard the V2ClientHello. */
+ // Consume and discard the V2ClientHello.
ssl_read_buffer_consume(ssl, 2 + msg_length);
ssl_read_buffer_discard(ssl);
@@ -522,8 +522,8 @@
return 1;
}
-/* TODO(davidben): Remove |out_bytes_needed| and inline into |ssl3_get_message|
- * when the entire record is copied into |init_buf|. */
+// TODO(davidben): Remove |out_bytes_needed| and inline into |ssl3_get_message|
+// when the entire record is copied into |init_buf|.
static bool parse_message(SSL *ssl, SSLMessage *out, size_t *out_bytes_needed) {
if (ssl->init_buf == NULL) {
*out_bytes_needed = 4;
@@ -571,14 +571,14 @@
return -1;
}
- /* Enforce the limit so the peer cannot force us to buffer 16MB. */
+ // Enforce the limit so the peer cannot force us to buffer 16MB.
if (bytes_needed > 4 + ssl_max_handshake_message_len(ssl)) {
ssl3_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_ILLEGAL_PARAMETER);
OPENSSL_PUT_ERROR(SSL, SSL_R_EXCESSIVE_MESSAGE_SIZE);
return -1;
}
- /* Re-create the handshake buffer if needed. */
+ // Re-create the handshake buffer if needed.
if (ssl->init_buf == NULL) {
ssl->init_buf = BUF_MEM_new();
if (ssl->init_buf == NULL) {
@@ -586,7 +586,7 @@
}
}
- /* Bypass the record layer for the first message to handle V2ClientHello. */
+ // Bypass the record layer for the first message to handle V2ClientHello.
if (ssl->server && !ssl->s3->v2_hello_done) {
int ret = read_v2_client_hello(ssl);
if (ret > 0) {
@@ -613,8 +613,8 @@
ssl->s3->is_v2_hello = 0;
ssl->s3->has_message = 0;
- /* Post-handshake messages are rare, so release the buffer after every
- * message. During the handshake, |on_handshake_complete| will release it. */
+ // Post-handshake messages are rare, so release the buffer after every
+ // message. During the handshake, |on_handshake_complete| will release it.
if (!SSL_in_init(ssl) && ssl->init_buf->length == 0) {
BUF_MEM_free(ssl->init_buf);
ssl->init_buf = NULL;
diff --git a/ssl/s3_lib.cc b/ssl/s3_lib.cc
index cc9be2d..fb705aa 100644
--- a/ssl/s3_lib.cc
+++ b/ssl/s3_lib.cc
@@ -187,11 +187,11 @@
s3->aead_write_ctx = aead_write_ctx.release();
ssl->s3 = s3;
- /* Set the version to the highest supported version.
- *
- * TODO(davidben): Move this field into |s3|, have it store the normalized
- * protocol version, and implement this pre-negotiation quirk in |SSL_version|
- * at the API boundary rather than in internal state. */
+ // Set the version to the highest supported version.
+ //
+ // TODO(davidben): Move this field into |s3|, have it store the normalized
+ // protocol version, and implement this pre-negotiation quirk in |SSL_version|
+ // at the API boundary rather than in internal state.
ssl->version = TLS1_2_VERSION;
return 1;
}
diff --git a/ssl/s3_pkt.cc b/ssl/s3_pkt.cc
index 4f802df..858d77a 100644
--- a/ssl/s3_pkt.cc
+++ b/ssl/s3_pkt.cc
@@ -126,9 +126,9 @@
static int do_ssl3_write(SSL *ssl, int type, const uint8_t *buf, unsigned len);
-/* ssl3_get_record reads a new input record. On success, it places it in
- * |ssl->s3->rrec| and returns one. Otherwise it returns <= 0 on error or if
- * more data is needed. */
+// ssl3_get_record reads a new input record. On success, it places it in
+// |ssl->s3->rrec| and returns one. Otherwise it returns <= 0 on error or if
+// more data is needed.
static int ssl3_get_record(SSL *ssl) {
again:
switch (ssl->s3->recv_shutdown) {
@@ -204,13 +204,13 @@
tot = ssl->s3->wnum;
ssl->s3->wnum = 0;
- /* Ensure that if we end up with a smaller value of data to write out than
- * the the original len from a write which didn't complete for non-blocking
- * I/O and also somehow ended up avoiding the check for this in
- * ssl3_write_pending/SSL_R_BAD_WRITE_RETRY as it must never be possible to
- * end up with (len-tot) as a large number that will then promptly send
- * beyond the end of the users buffer ... so we trap and report the error in
- * a way the user will notice. */
+ // Ensure that if we end up with a smaller value of data to write out than
+ // the the original len from a write which didn't complete for non-blocking
+ // I/O and also somehow ended up avoiding the check for this in
+ // ssl3_write_pending/SSL_R_BAD_WRITE_RETRY as it must never be possible to
+ // end up with (len-tot) as a large number that will then promptly send
+ // beyond the end of the users buffer ... so we trap and report the error in
+ // a way the user will notice.
if (len < 0 || (size_t)len < tot) {
OPENSSL_PUT_ERROR(SSL, SSL_R_BAD_LENGTH);
return -1;
@@ -221,8 +221,7 @@
n = len - tot;
for (;;) {
- /* max contains the maximum number of bytes that we can put into a
- * record. */
+ // max contains the maximum number of bytes that we can put into a record.
unsigned max = ssl->max_send_fragment;
if (is_early_data_write && max > ssl->session->ticket_max_early_data -
ssl->s3->hs->early_data_written) {
@@ -278,9 +277,9 @@
return ssl->s3->wpend_ret;
}
-/* do_ssl3_write writes an SSL record of the given type. */
+// do_ssl3_write writes an SSL record of the given type.
static int do_ssl3_write(SSL *ssl, int type, const uint8_t *buf, unsigned len) {
- /* If there is still data from the previous record, flush it. */
+ // If there is still data from the previous record, flush it.
if (ssl->s3->wpend_pending) {
return ssl3_write_pending(ssl, type, buf, len);
}
@@ -313,10 +312,10 @@
return -1;
}
- /* Add any unflushed handshake data as a prefix. This may be a KeyUpdate
- * acknowledgment or 0-RTT key change messages. |pending_flight| must be clear
- * when data is added to |write_buffer| or it will be written in the wrong
- * order. */
+ // Add any unflushed handshake data as a prefix. This may be a KeyUpdate
+ // acknowledgment or 0-RTT key change messages. |pending_flight| must be clear
+ // when data is added to |write_buffer| or it will be written in the wrong
+ // order.
if (ssl->s3->pending_flight != NULL) {
OPENSSL_memcpy(
out, ssl->s3->pending_flight->data + ssl->s3->pending_flight_offset,
@@ -332,19 +331,19 @@
}
ssl_write_buffer_set_len(ssl, flight_len + ciphertext_len);
- /* Now that we've made progress on the connection, uncork KeyUpdate
- * acknowledgments. */
+ // Now that we've made progress on the connection, uncork KeyUpdate
+ // acknowledgments.
ssl->s3->key_update_pending = 0;
- /* memorize arguments so that ssl3_write_pending can detect bad write retries
- * later */
+ // Memorize arguments so that ssl3_write_pending can detect bad write retries
+ // later.
ssl->s3->wpend_tot = len;
ssl->s3->wpend_buf = buf;
ssl->s3->wpend_type = type;
ssl->s3->wpend_ret = len;
ssl->s3->wpend_pending = 1;
- /* we now just need to write the buffer */
+ // We now just need to write the buffer.
return ssl3_write_pending(ssl, type, buf, len);
}
@@ -364,7 +363,7 @@
rr->length -= len;
rr->data += len;
if (rr->length == 0) {
- /* The record has been consumed, so we may now clear the buffer. */
+ // The record has been consumed, so we may now clear the buffer.
ssl_read_buffer_discard(ssl);
}
}
@@ -380,11 +379,11 @@
SSL3_RECORD *rr = &ssl->s3->rrec;
for (;;) {
- /* A previous iteration may have read a partial handshake message. Do not
- * allow more app data in that case. */
+ // A previous iteration may have read a partial handshake message. Do not
+ // allow more app data in that case.
int has_hs_data = ssl->init_buf != NULL && ssl->init_buf->length > 0;
- /* Get new packet if necessary. */
+ // Get new packet if necessary.
if (rr->length == 0 && !has_hs_data) {
int ret = ssl3_get_record(ssl);
if (ret <= 0) {
@@ -393,24 +392,24 @@
}
if (has_hs_data || rr->type == SSL3_RT_HANDSHAKE) {
- /* If reading 0-RTT data, reject handshake data. 0-RTT data is terminated
- * by an alert. */
+ // If reading 0-RTT data, reject handshake data. 0-RTT data is terminated
+ // by an alert.
if (SSL_in_init(ssl)) {
OPENSSL_PUT_ERROR(SSL, SSL_R_UNEXPECTED_RECORD);
ssl3_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_UNEXPECTED_MESSAGE);
return -1;
}
- /* Post-handshake data prior to TLS 1.3 is always renegotiation, which we
- * never accept as a server. Otherwise |ssl3_get_message| will send
- * |SSL_R_EXCESSIVE_MESSAGE_SIZE|. */
+ // Post-handshake data prior to TLS 1.3 is always renegotiation, which we
+ // never accept as a server. Otherwise |ssl3_get_message| will send
+ // |SSL_R_EXCESSIVE_MESSAGE_SIZE|.
if (ssl->server && ssl3_protocol_version(ssl) < TLS1_3_VERSION) {
ssl3_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_NO_RENEGOTIATION);
OPENSSL_PUT_ERROR(SSL, SSL_R_NO_RENEGOTIATION);
return -1;
}
- /* Parse post-handshake handshake messages. */
+ // Parse post-handshake handshake messages.
int ret = ssl3_read_message(ssl);
if (ret <= 0) {
return ret;
@@ -424,16 +423,16 @@
ssl->s3->hs->can_early_read &&
ssl3_protocol_version(ssl) >= TLS1_3_VERSION;
- /* Handle the end_of_early_data alert. */
+ // Handle the end_of_early_data alert.
if (rr->type == SSL3_RT_ALERT &&
rr->length == 2 &&
rr->data[0] == SSL3_AL_WARNING &&
rr->data[1] == TLS1_AD_END_OF_EARLY_DATA &&
is_early_data_read) {
- /* Consume the record. */
+ // Consume the record.
rr->length = 0;
ssl_read_buffer_discard(ssl);
- /* Stop accepting early data. */
+ // Stop accepting early data.
ssl->s3->hs->can_early_read = 0;
*out_got_handshake = 1;
return -1;
@@ -459,7 +458,7 @@
return consume_record(ssl, buf, len, peek);
}
- /* Discard empty records and loop again. */
+ // Discard empty records and loop again.
}
}
@@ -494,7 +493,7 @@
}
void ssl3_read_close_notify(SSL *ssl) {
- /* Read records until an error or close_notify. */
+ // Read records until an error or close_notify.
while (ssl3_get_record(ssl) > 0) {
;
}
@@ -504,7 +503,7 @@
SSL3_RECORD *rr = &ssl->s3->rrec;
for (;;) {
- /* Get new packet if necessary. */
+ // Get new packet if necessary.
if (rr->length == 0) {
int ret = ssl3_get_record(ssl);
if (ret <= 0) {
@@ -512,10 +511,10 @@
}
}
- /* WatchGuard's TLS 1.3 interference bug is very distinctive: they drop the
- * ServerHello and send the remaining encrypted application data records
- * as-is. This manifests as an application data record when we expect
- * handshake. Report a dedicated error code for this case. */
+ // WatchGuard's TLS 1.3 interference bug is very distinctive: they drop the
+ // ServerHello and send the remaining encrypted application data records
+ // as-is. This manifests as an application data record when we expect
+ // handshake. Report a dedicated error code for this case.
if (!ssl->server && rr->type == SSL3_RT_APPLICATION_DATA &&
ssl->s3->aead_read_ctx->is_null_cipher()) {
OPENSSL_PUT_ERROR(SSL, SSL_R_APPLICATION_DATA_INSTEAD_OF_HANDSHAKE);
@@ -523,8 +522,8 @@
return -1;
}
- /* Accept server_plaintext_handshake records when the content type TLS 1.3
- * variant is enabled. */
+ // Accept server_plaintext_handshake records when the content type TLS 1.3
+ // variant is enabled.
if (rr->type != SSL3_RT_HANDSHAKE &&
!(!ssl->server &&
ssl->tls13_variant == tls13_record_type_experiment &&
@@ -539,12 +538,12 @@
return consume_record(ssl, buf, len, 0 /* consume data */);
}
- /* Discard empty records and loop again. */
+ // Discard empty records and loop again.
}
}
int ssl3_send_alert(SSL *ssl, int level, int desc) {
- /* It is illegal to send an alert when we've already sent a closing one. */
+ // It is illegal to send an alert when we've already sent a closing one.
if (ssl->s3->send_shutdown != ssl_shutdown_none) {
OPENSSL_PUT_ERROR(SSL, SSL_R_PROTOCOL_IS_SHUTDOWN);
return -1;
@@ -561,12 +560,12 @@
ssl->s3->send_alert[0] = level;
ssl->s3->send_alert[1] = desc;
if (!ssl_write_buffer_is_pending(ssl)) {
- /* Nothing is being written out, so the alert may be dispatched
- * immediately. */
+ // Nothing is being written out, so the alert may be dispatched
+ // immediately.
return ssl->method->dispatch_alert(ssl);
}
- /* The alert will be dispatched later. */
+ // The alert will be dispatched later.
return -1;
}
@@ -577,7 +576,7 @@
}
ssl->s3->alert_dispatch = 0;
- /* If the alert is fatal, flush the BIO now. */
+ // If the alert is fatal, flush the BIO now.
if (ssl->s3->send_alert[0] == SSL3_AL_FATAL) {
BIO_flush(ssl->wbio);
}
diff --git a/ssl/ssl_aead_ctx.cc b/ssl/ssl_aead_ctx.cc
index 53dff78..69129af 100644
--- a/ssl/ssl_aead_ctx.cc
+++ b/ssl/ssl_aead_ctx.cc
@@ -62,7 +62,7 @@
if (!ssl_cipher_get_evp_aead(&aead, &expected_mac_key_len,
&expected_fixed_iv_len, cipher, version,
is_dtls) ||
- /* Ensure the caller returned correct key sizes. */
+ // Ensure the caller returned correct key sizes.
expected_fixed_iv_len != fixed_iv_len ||
expected_mac_key_len != mac_key_len) {
OPENSSL_PUT_ERROR(SSL, ERR_R_INTERNAL_ERROR);
@@ -71,8 +71,8 @@
uint8_t merged_key[EVP_AEAD_MAX_KEY_LENGTH];
if (mac_key_len > 0) {
- /* This is a "stateful" AEAD (for compatibility with pre-AEAD cipher
- * suites). */
+ // This is a "stateful" AEAD (for compatibility with pre-AEAD cipher
+ // suites).
if (mac_key_len + enc_key_len + fixed_iv_len > sizeof(merged_key)) {
OPENSSL_PUT_ERROR(SSL, ERR_R_INTERNAL_ERROR);
return nullptr;
@@ -109,22 +109,22 @@
aead_ctx->fixed_nonce_len_ = fixed_iv_len;
if (cipher->algorithm_enc & SSL_CHACHA20POLY1305) {
- /* The fixed nonce into the actual nonce (the sequence number). */
+ // The fixed nonce into the actual nonce (the sequence number).
aead_ctx->xor_fixed_nonce_ = true;
aead_ctx->variable_nonce_len_ = 8;
} else {
- /* The fixed IV is prepended to the nonce. */
+ // The fixed IV is prepended to the nonce.
assert(fixed_iv_len <= aead_ctx->variable_nonce_len_);
aead_ctx->variable_nonce_len_ -= fixed_iv_len;
}
- /* AES-GCM uses an explicit nonce. */
+ // AES-GCM uses an explicit nonce.
if (cipher->algorithm_enc & (SSL_AES128GCM | SSL_AES256GCM)) {
aead_ctx->variable_nonce_included_in_record_ = true;
}
- /* The TLS 1.3 construction XORs the fixed nonce into the sequence number
- * and omits the additional data. */
+ // The TLS 1.3 construction XORs the fixed nonce into the sequence number
+ // and omits the additional data.
if (version >= TLS1_3_VERSION) {
aead_ctx->xor_fixed_nonce_ = true;
aead_ctx->variable_nonce_len_ = 8;
@@ -192,18 +192,18 @@
bool SSLAEADContext::Open(CBS *out, uint8_t type, uint16_t wire_version,
const uint8_t seqnum[8], uint8_t *in, size_t in_len) {
if (is_null_cipher() || FUZZER_MODE) {
- /* Handle the initial NULL cipher. */
+ // Handle the initial NULL cipher.
CBS_init(out, in, in_len);
return true;
}
- /* TLS 1.2 AEADs include the length in the AD and are assumed to have fixed
- * overhead. Otherwise the parameter is unused. */
+ // TLS 1.2 AEADs include the length in the AD and are assumed to have fixed
+ // overhead. Otherwise the parameter is unused.
size_t plaintext_len = 0;
if (!omit_length_in_ad_) {
size_t overhead = MaxOverhead();
if (in_len < overhead) {
- /* Publicly invalid. */
+ // Publicly invalid.
OPENSSL_PUT_ERROR(SSL, SSL_R_BAD_PACKET_LENGTH);
return false;
}
@@ -213,11 +213,11 @@
size_t ad_len =
GetAdditionalData(ad, type, wire_version, seqnum, plaintext_len);
- /* Assemble the nonce. */
+ // Assemble the nonce.
uint8_t nonce[EVP_AEAD_MAX_NONCE_LENGTH];
size_t nonce_len = 0;
- /* Prepend the fixed nonce, or left-pad with zeros if XORing. */
+ // Prepend the fixed nonce, or left-pad with zeros if XORing.
if (xor_fixed_nonce_) {
nonce_len = fixed_nonce_len_ - variable_nonce_len_;
OPENSSL_memset(nonce, 0, nonce_len);
@@ -226,10 +226,10 @@
nonce_len += fixed_nonce_len_;
}
- /* Add the variable nonce. */
+ // Add the variable nonce.
if (variable_nonce_included_in_record_) {
if (in_len < variable_nonce_len_) {
- /* Publicly invalid. */
+ // Publicly invalid.
OPENSSL_PUT_ERROR(SSL, SSL_R_BAD_PACKET_LENGTH);
return false;
}
@@ -242,7 +242,7 @@
}
nonce_len += variable_nonce_len_;
- /* XOR the fixed nonce, if necessary. */
+ // XOR the fixed nonce, if necessary.
if (xor_fixed_nonce_) {
assert(nonce_len == fixed_nonce_len_);
for (size_t i = 0; i < fixed_nonce_len_; i++) {
@@ -250,7 +250,7 @@
}
}
- /* Decrypt in-place. */
+ // Decrypt in-place.
size_t len;
if (!EVP_AEAD_CTX_open(ctx_.get(), in, &len, in_len, nonce, nonce_len, in,
in_len, ad, ad_len)) {
@@ -279,7 +279,7 @@
}
if (is_null_cipher() || FUZZER_MODE) {
- /* Handle the initial NULL cipher. */
+ // Handle the initial NULL cipher.
OPENSSL_memmove(out, in, in_len);
OPENSSL_memmove(out_suffix, extra_in, extra_in_len);
return true;
@@ -288,11 +288,11 @@
uint8_t ad[13];
size_t ad_len = GetAdditionalData(ad, type, wire_version, seqnum, in_len);
- /* Assemble the nonce. */
+ // Assemble the nonce.
uint8_t nonce[EVP_AEAD_MAX_NONCE_LENGTH];
size_t nonce_len = 0;
- /* Prepend the fixed nonce, or left-pad with zeros if XORing. */
+ // Prepend the fixed nonce, or left-pad with zeros if XORing.
if (xor_fixed_nonce_) {
nonce_len = fixed_nonce_len_ - variable_nonce_len_;
OPENSSL_memset(nonce, 0, nonce_len);
@@ -301,21 +301,21 @@
nonce_len += fixed_nonce_len_;
}
- /* Select the variable nonce. */
+ // Select the variable nonce.
if (random_variable_nonce_) {
assert(variable_nonce_included_in_record_);
if (!RAND_bytes(nonce + nonce_len, variable_nonce_len_)) {
return false;
}
} else {
- /* When sending we use the sequence number as the variable part of the
- * nonce. */
+ // When sending we use the sequence number as the variable part of the
+ // nonce.
assert(variable_nonce_len_ == 8);
OPENSSL_memcpy(nonce + nonce_len, seqnum, variable_nonce_len_);
}
nonce_len += variable_nonce_len_;
- /* Emit the variable nonce if included in the record. */
+ // Emit the variable nonce if included in the record.
if (variable_nonce_included_in_record_) {
assert(!xor_fixed_nonce_);
if (buffers_alias(in, in_len, out_prefix, variable_nonce_len_)) {
@@ -326,7 +326,7 @@
variable_nonce_len_);
}
- /* XOR the fixed nonce, if necessary. */
+ // XOR the fixed nonce, if necessary.
if (xor_fixed_nonce_) {
assert(nonce_len == fixed_nonce_len_);
for (size_t i = 0; i < fixed_nonce_len_; i++) {
diff --git a/ssl/ssl_asn1.cc b/ssl/ssl_asn1.cc
index b87c795..73908db 100644
--- a/ssl/ssl_asn1.cc
+++ b/ssl/ssl_asn1.cc
@@ -80,9 +80,9 @@
* OTHER ENTITY BASED ON INFRINGEMENT OF INTELLECTUAL PROPERTY RIGHTS OR
* OTHERWISE. */
-/* Per C99, various stdint.h macros are unavailable in C++ unless some macros
- * are defined. C++11 overruled this decision, but older Android NDKs still
- * require it. */
+// Per C99, various stdint.h macros are unavailable in C++ unless some macros
+// are defined. C++11 overruled this decision, but older Android NDKs still
+// require it.
#if !defined(__STDC_LIMIT_MACROS)
#define __STDC_LIMIT_MACROS
#endif
@@ -106,50 +106,49 @@
namespace bssl {
-/* An SSL_SESSION is serialized as the following ASN.1 structure:
- *
- * SSLSession ::= SEQUENCE {
- * version INTEGER (1), -- session structure version
- * sslVersion INTEGER, -- protocol version number
- * cipher OCTET STRING, -- two bytes long
- * sessionID OCTET STRING,
- * masterKey OCTET STRING,
- * time [1] INTEGER, -- seconds since UNIX epoch
- * timeout [2] INTEGER, -- in seconds
- * peer [3] Certificate OPTIONAL,
- * sessionIDContext [4] OCTET STRING OPTIONAL,
- * verifyResult [5] INTEGER OPTIONAL, -- one of X509_V_* codes
- * hostName [6] OCTET STRING OPTIONAL,
- * -- from server_name extension
- * pskIdentity [8] OCTET STRING OPTIONAL,
- * ticketLifetimeHint [9] INTEGER OPTIONAL, -- client-only
- * ticket [10] OCTET STRING OPTIONAL, -- client-only
- * peerSHA256 [13] OCTET STRING OPTIONAL,
- * originalHandshakeHash [14] OCTET STRING OPTIONAL,
- * signedCertTimestampList [15] OCTET STRING OPTIONAL,
- * -- contents of SCT extension
- * ocspResponse [16] OCTET STRING OPTIONAL,
- * -- stapled OCSP response from the server
- * extendedMasterSecret [17] BOOLEAN OPTIONAL,
- * groupID [18] INTEGER OPTIONAL,
- * certChain [19] SEQUENCE OF Certificate OPTIONAL,
- * ticketAgeAdd [21] OCTET STRING OPTIONAL,
- * isServer [22] BOOLEAN DEFAULT TRUE,
- * peerSignatureAlgorithm [23] INTEGER OPTIONAL,
- * ticketMaxEarlyData [24] INTEGER OPTIONAL,
- * authTimeout [25] INTEGER OPTIONAL, -- defaults to timeout
- * earlyALPN [26] OCTET STRING OPTIONAL,
- * }
- *
- * Note: historically this serialization has included other optional
- * fields. Their presence is currently treated as a parse error:
- *
- * keyArg [0] IMPLICIT OCTET STRING OPTIONAL,
- * pskIdentityHint [7] OCTET STRING OPTIONAL,
- * compressionMethod [11] OCTET STRING OPTIONAL,
- * srpUsername [12] OCTET STRING OPTIONAL,
- * ticketFlags [20] INTEGER OPTIONAL,
- */
+// An SSL_SESSION is serialized as the following ASN.1 structure:
+//
+// SSLSession ::= SEQUENCE {
+// version INTEGER (1), -- session structure version
+// sslVersion INTEGER, -- protocol version number
+// cipher OCTET STRING, -- two bytes long
+// sessionID OCTET STRING,
+// masterKey OCTET STRING,
+// time [1] INTEGER, -- seconds since UNIX epoch
+// timeout [2] INTEGER, -- in seconds
+// peer [3] Certificate OPTIONAL,
+// sessionIDContext [4] OCTET STRING OPTIONAL,
+// verifyResult [5] INTEGER OPTIONAL, -- one of X509_V_* codes
+// hostName [6] OCTET STRING OPTIONAL,
+// -- from server_name extension
+// pskIdentity [8] OCTET STRING OPTIONAL,
+// ticketLifetimeHint [9] INTEGER OPTIONAL, -- client-only
+// ticket [10] OCTET STRING OPTIONAL, -- client-only
+// peerSHA256 [13] OCTET STRING OPTIONAL,
+// originalHandshakeHash [14] OCTET STRING OPTIONAL,
+// signedCertTimestampList [15] OCTET STRING OPTIONAL,
+// -- contents of SCT extension
+// ocspResponse [16] OCTET STRING OPTIONAL,
+// -- stapled OCSP response from the server
+// extendedMasterSecret [17] BOOLEAN OPTIONAL,
+// groupID [18] INTEGER OPTIONAL,
+// certChain [19] SEQUENCE OF Certificate OPTIONAL,
+// ticketAgeAdd [21] OCTET STRING OPTIONAL,
+// isServer [22] BOOLEAN DEFAULT TRUE,
+// peerSignatureAlgorithm [23] INTEGER OPTIONAL,
+// ticketMaxEarlyData [24] INTEGER OPTIONAL,
+// authTimeout [25] INTEGER OPTIONAL, -- defaults to timeout
+// earlyALPN [26] OCTET STRING OPTIONAL,
+// }
+//
+// Note: historically this serialization has included other optional
+// fields. Their presence is currently treated as a parse error:
+//
+// keyArg [0] IMPLICIT OCTET STRING OPTIONAL,
+// pskIdentityHint [7] OCTET STRING OPTIONAL,
+// compressionMethod [11] OCTET STRING OPTIONAL,
+// srpUsername [12] OCTET STRING OPTIONAL,
+// ticketFlags [20] INTEGER OPTIONAL,
static const unsigned kVersion = 1;
@@ -213,7 +212,7 @@
!CBB_add_asn1(&session, &child, CBS_ASN1_OCTETSTRING) ||
!CBB_add_u16(&child, (uint16_t)(in->cipher->id & 0xffff)) ||
!CBB_add_asn1(&session, &child, CBS_ASN1_OCTETSTRING) ||
- /* The session ID is irrelevant for a session ticket. */
+ // The session ID is irrelevant for a session ticket.
!CBB_add_bytes(&child, in->session_id,
for_ticket ? 0 : in->session_id_length) ||
!CBB_add_asn1(&session, &child, CBS_ASN1_OCTETSTRING) ||
@@ -226,8 +225,8 @@
return 0;
}
- /* The peer certificate is only serialized if the SHA-256 isn't
- * serialized instead. */
+ // The peer certificate is only serialized if the SHA-256 isn't
+ // serialized instead.
if (sk_CRYPTO_BUFFER_num(in->certs) > 0 && !in->peer_sha256_valid) {
const CRYPTO_BUFFER *buffer = sk_CRYPTO_BUFFER_value(in->certs, 0);
if (!CBB_add_asn1(&session, &child, kPeerTag) ||
@@ -238,8 +237,8 @@
}
}
- /* Although it is OPTIONAL and usually empty, OpenSSL has
- * historically always encoded the sid_ctx. */
+ // Although it is OPTIONAL and usually empty, OpenSSL has
+ // historically always encoded the sid_ctx.
if (!CBB_add_asn1(&session, &child, kSessionIDContextTag) ||
!CBB_add_asn1(&child, &child2, CBS_ASN1_OCTETSTRING) ||
!CBB_add_bytes(&child2, in->sid_ctx, in->sid_ctx_length)) {
@@ -348,8 +347,8 @@
return 0;
}
- /* The certificate chain is only serialized if the leaf's SHA-256 isn't
- * serialized instead. */
+ // The certificate chain is only serialized if the leaf's SHA-256 isn't
+ // serialized instead.
if (in->certs != NULL &&
!in->peer_sha256_valid &&
sk_CRYPTO_BUFFER_num(in->certs) >= 2) {
@@ -423,12 +422,12 @@
return 1;
}
-/* SSL_SESSION_parse_string gets an optional ASN.1 OCTET STRING
- * explicitly tagged with |tag| from |cbs| and saves it in |*out|. On
- * entry, if |*out| is not NULL, it frees the existing contents. If
- * the element was not found, it sets |*out| to NULL. It returns one
- * on success, whether or not the element was found, and zero on
- * decode error. */
+// SSL_SESSION_parse_string gets an optional ASN.1 OCTET STRING
+// explicitly tagged with |tag| from |cbs| and saves it in |*out|. On
+// entry, if |*out| is not NULL, it frees the existing contents. If
+// the element was not found, it sets |*out| to NULL. It returns one
+// on success, whether or not the element was found, and zero on
+// decode error.
static int SSL_SESSION_parse_string(CBS *cbs, char **out, unsigned tag) {
CBS value;
int present;
@@ -452,12 +451,12 @@
return 1;
}
-/* SSL_SESSION_parse_string gets an optional ASN.1 OCTET STRING
- * explicitly tagged with |tag| from |cbs| and stows it in |*out_ptr|
- * and |*out_len|. If |*out_ptr| is not NULL, it frees the existing
- * contents. On entry, if the element was not found, it sets
- * |*out_ptr| to NULL. It returns one on success, whether or not the
- * element was found, and zero on decode error. */
+// SSL_SESSION_parse_string gets an optional ASN.1 OCTET STRING
+// explicitly tagged with |tag| from |cbs| and stows it in |*out_ptr|
+// and |*out_len|. If |*out_ptr| is not NULL, it frees the existing
+// contents. On entry, if the element was not found, it sets
+// |*out_ptr| to NULL. It returns one on success, whether or not the
+// element was found, and zero on decode error.
static int SSL_SESSION_parse_octet_string(CBS *cbs, uint8_t **out_ptr,
size_t *out_len, unsigned tag) {
CBS value;
@@ -495,8 +494,8 @@
return 1;
}
-/* SSL_SESSION_parse_bounded_octet_string parses an optional ASN.1 OCTET STRING
- * explicitly tagged with |tag| of size at most |max_out|. */
+// SSL_SESSION_parse_bounded_octet_string parses an optional ASN.1 OCTET STRING
+// explicitly tagged with |tag| of size at most |max_out|.
static int SSL_SESSION_parse_bounded_octet_string(
CBS *cbs, uint8_t *out, uint8_t *out_len, uint8_t max_out, unsigned tag) {
CBS value;
@@ -564,10 +563,10 @@
!CBS_get_asn1_uint64(&session, &version) ||
version != kVersion ||
!CBS_get_asn1_uint64(&session, &ssl_version) ||
- /* Require sessions have versions valid in either TLS or DTLS. The session
- * will not be used by the handshake if not applicable, but, for
- * simplicity, never parse a session that does not pass
- * |ssl_protocol_version_from_wire|. */
+ // Require sessions have versions valid in either TLS or DTLS. The session
+ // will not be used by the handshake if not applicable, but, for
+ // simplicity, never parse a session that does not pass
+ // |ssl_protocol_version_from_wire|.
ssl_version > UINT16_MAX ||
!ssl_protocol_version_from_wire(&unused, ssl_version)) {
OPENSSL_PUT_ERROR(SSL, SSL_R_INVALID_SSL_SESSION);
@@ -622,7 +621,7 @@
OPENSSL_PUT_ERROR(SSL, SSL_R_INVALID_SSL_SESSION);
return nullptr;
}
- /* |peer| is processed with the certificate chain. */
+ // |peer| is processed with the certificate chain.
if (!SSL_SESSION_parse_bounded_octet_string(
&session, ret->sid_ctx, &ret->sid_ctx_length, sizeof(ret->sid_ctx),
@@ -779,10 +778,10 @@
int SSL_SESSION_to_bytes(const SSL_SESSION *in, uint8_t **out_data,
size_t *out_len) {
if (in->not_resumable) {
- /* If the caller has an unresumable session, e.g. if |SSL_get_session| were
- * called on a TLS 1.3 or False Started connection, serialize with a
- * placeholder value so it is not accidentally deserialized into a resumable
- * one. */
+ // If the caller has an unresumable session, e.g. if |SSL_get_session| were
+ // called on a TLS 1.3 or False Started connection, serialize with a
+ // placeholder value so it is not accidentally deserialized into a resumable
+ // one.
static const char kNotResumableSession[] = "NOT RESUMABLE";
*out_len = strlen(kNotResumableSession);
diff --git a/ssl/ssl_buffer.cc b/ssl/ssl_buffer.cc
index 7f11b6f..d74278e 100644
--- a/ssl/ssl_buffer.cc
+++ b/ssl/ssl_buffer.cc
@@ -29,16 +29,16 @@
namespace bssl {
-/* BIO uses int instead of size_t. No lengths will exceed uint16_t, so this will
- * not overflow. */
+// BIO uses int instead of size_t. No lengths will exceed uint16_t, so this will
+// not overflow.
static_assert(0xffff <= INT_MAX, "uint16_t does not fit in int");
static_assert((SSL3_ALIGN_PAYLOAD & (SSL3_ALIGN_PAYLOAD - 1)) == 0,
"SSL3_ALIGN_PAYLOAD must be a power of 2");
-/* ensure_buffer ensures |buf| has capacity at least |cap|, aligned such that
- * data written after |header_len| is aligned to a |SSL3_ALIGN_PAYLOAD|-byte
- * boundary. It returns one on success and zero on error. */
+// ensure_buffer ensures |buf| has capacity at least |cap|, aligned such that
+// data written after |header_len| is aligned to a |SSL3_ALIGN_PAYLOAD|-byte
+// boundary. It returns one on success and zero on error.
static int ensure_buffer(SSL3_BUFFER *buf, size_t header_len, size_t cap) {
if (cap > 0xffff) {
OPENSSL_PUT_ERROR(SSL, ERR_R_INTERNAL_ERROR);
@@ -49,14 +49,14 @@
return 1;
}
- /* Add up to |SSL3_ALIGN_PAYLOAD| - 1 bytes of slack for alignment. */
+ // Add up to |SSL3_ALIGN_PAYLOAD| - 1 bytes of slack for alignment.
uint8_t *new_buf = (uint8_t *)OPENSSL_malloc(cap + SSL3_ALIGN_PAYLOAD - 1);
if (new_buf == NULL) {
OPENSSL_PUT_ERROR(SSL, ERR_R_MALLOC_FAILURE);
return 0;
}
- /* Offset the buffer such that the record body is aligned. */
+ // Offset the buffer such that the record body is aligned.
size_t new_offset =
(0 - header_len - (uintptr_t)new_buf) & (SSL3_ALIGN_PAYLOAD - 1);
@@ -97,19 +97,19 @@
SSL3_BUFFER *buf = &ssl->s3->read_buffer;
if (buf->len > 0) {
- /* It is an error to call |dtls_read_buffer_extend| when the read buffer is
- * not empty. */
+ // It is an error to call |dtls_read_buffer_extend| when the read buffer is
+ // not empty.
OPENSSL_PUT_ERROR(SSL, ERR_R_INTERNAL_ERROR);
return -1;
}
- /* Read a single packet from |ssl->rbio|. |buf->cap| must fit in an int. */
+ // Read a single packet from |ssl->rbio|. |buf->cap| must fit in an int.
int ret = BIO_read(ssl->rbio, buf->buf + buf->offset, (int)buf->cap);
if (ret <= 0) {
ssl->rwstate = SSL_READING;
return ret;
}
- /* |BIO_read| was bound by |buf->cap|, so this cannot overflow. */
+ // |BIO_read| was bound by |buf->cap|, so this cannot overflow.
buf->len = (uint16_t)ret;
return 1;
}
@@ -122,18 +122,18 @@
return -1;
}
- /* Read until the target length is reached. */
+ // Read until the target length is reached.
while (buf->len < len) {
- /* The amount of data to read is bounded by |buf->cap|, which must fit in an
- * int. */
+ // The amount of data to read is bounded by |buf->cap|, which must fit in an
+ // int.
int ret = BIO_read(ssl->rbio, buf->buf + buf->offset + buf->len,
(int)(len - buf->len));
if (ret <= 0) {
ssl->rwstate = SSL_READING;
return ret;
}
- /* |BIO_read| was bound by |buf->cap - buf->len|, so this cannot
- * overflow. */
+ // |BIO_read| was bound by |buf->cap - buf->len|, so this cannot
+ // overflow.
buf->len += (uint16_t)ret;
}
@@ -141,7 +141,7 @@
}
int ssl_read_buffer_extend_to(SSL *ssl, size_t len) {
- /* |ssl_read_buffer_extend_to| implicitly discards any consumed data. */
+ // |ssl_read_buffer_extend_to| implicitly discards any consumed data.
ssl_read_buffer_discard(ssl);
if (SSL_is_dtls(ssl)) {
@@ -149,7 +149,7 @@
DTLS1_RT_HEADER_LENGTH + SSL3_RT_MAX_ENCRYPTED_LENGTH <= 0xffff,
"DTLS read buffer is too large");
- /* The |len| parameter is ignored in DTLS. */
+ // The |len| parameter is ignored in DTLS.
len = DTLS1_RT_HEADER_LENGTH + SSL3_RT_MAX_ENCRYPTED_LENGTH;
}
@@ -164,15 +164,15 @@
int ret;
if (SSL_is_dtls(ssl)) {
- /* |len| is ignored for a datagram transport. */
+ // |len| is ignored for a datagram transport.
ret = dtls_read_buffer_next_packet(ssl);
} else {
ret = tls_read_buffer_extend_to(ssl, len);
}
if (ret <= 0) {
- /* If the buffer was empty originally and remained empty after attempting to
- * extend it, release the buffer until the next attempt. */
+ // If the buffer was empty originally and remained empty after attempting to
+ // extend it, release the buffer until the next attempt.
ssl_read_buffer_discard(ssl);
}
return ret;
@@ -183,11 +183,11 @@
consume_buffer(buf, len);
- /* The TLS stack never reads beyond the current record, so there will never be
- * unconsumed data. If read-ahead is ever reimplemented,
- * |ssl_read_buffer_discard| will require a |memcpy| to shift the excess back
- * to the front of the buffer, to ensure there is enough space for the next
- * record. */
+ // The TLS stack never reads beyond the current record, so there will never be
+ // unconsumed data. If read-ahead is ever reimplemented,
+ // |ssl_read_buffer_discard| will require a |memcpy| to shift the excess back
+ // to the front of the buffer, to ensure there is enough space for the next
+ // record.
assert(SSL_is_dtls(ssl) || len == 0 || buf->len == 0);
}
@@ -265,9 +265,9 @@
int ret = BIO_write(ssl->wbio, buf->buf + buf->offset, buf->len);
if (ret <= 0) {
ssl->rwstate = SSL_WRITING;
- /* If the write failed, drop the write buffer anyway. Datagram transports
- * can't write half a packet, so the caller is expected to retry from the
- * top. */
+ // If the write failed, drop the write buffer anyway. Datagram transports
+ // can't write half a packet, so the caller is expected to retry from the
+ // top.
ssl_write_buffer_clear(ssl);
return ret;
}
diff --git a/ssl/ssl_cert.cc b/ssl/ssl_cert.cc
index 76af31e..094d85a 100644
--- a/ssl/ssl_cert.cc
+++ b/ssl/ssl_cert.cc
@@ -207,7 +207,7 @@
return NULL;
}
-/* Free up and clear all certificates and chains */
+// Free up and clear all certificates and chains
void ssl_cert_clear_certs(CERT *cert) {
if (cert == NULL) {
return;
@@ -248,12 +248,12 @@
leaf_cert_and_privkey_mismatch,
};
-/* check_leaf_cert_and_privkey checks whether the certificate in |leaf_buffer|
- * and the private key in |privkey| are suitable and coherent. It returns
- * |leaf_cert_and_privkey_error| and pushes to the error queue if a problem is
- * found. If the certificate and private key are valid, but incoherent, it
- * returns |leaf_cert_and_privkey_mismatch|. Otherwise it returns
- * |leaf_cert_and_privkey_ok|. */
+// check_leaf_cert_and_privkey checks whether the certificate in |leaf_buffer|
+// and the private key in |privkey| are suitable and coherent. It returns
+// |leaf_cert_and_privkey_error| and pushes to the error queue if a problem is
+// found. If the certificate and private key are valid, but incoherent, it
+// returns |leaf_cert_and_privkey_mismatch|. Otherwise it returns
+// |leaf_cert_and_privkey_ok|.
static enum leaf_cert_and_privkey_result_t check_leaf_cert_and_privkey(
CRYPTO_BUFFER *leaf_buffer, EVP_PKEY *privkey) {
CBS cert_cbs;
@@ -269,8 +269,8 @@
return leaf_cert_and_privkey_error;
}
- /* An ECC certificate may be usable for ECDH or ECDSA. We only support ECDSA
- * certificates, so sanity-check the key usage extension. */
+ // An ECC certificate may be usable for ECDH or ECDSA. We only support ECDSA
+ // certificates, so sanity-check the key usage extension.
if (pubkey->type == EVP_PKEY_EC &&
!ssl_cert_check_digital_signature_key_usage(&cert_cbs)) {
OPENSSL_PUT_ERROR(SSL, SSL_R_UNKNOWN_CERTIFICATE_TYPE);
@@ -278,7 +278,7 @@
}
if (privkey != NULL &&
- /* Sanity-check that the private key and the certificate match. */
+ // Sanity-check that the private key and the certificate match.
!ssl_compare_public_and_private_key(pubkey.get(), privkey)) {
ERR_clear_error();
return leaf_cert_and_privkey_mismatch;
@@ -342,9 +342,9 @@
case leaf_cert_and_privkey_error:
return 0;
case leaf_cert_and_privkey_mismatch:
- /* don't fail for a cert/key mismatch, just free current private key
- * (when switching to a different cert & key, first this function should
- * be used, then |ssl_set_pkey|. */
+ // don't fail for a cert/key mismatch, just free current private key
+ // (when switching to a different cert & key, first this function should
+ // be used, then |ssl_set_pkey|.
EVP_PKEY_free(cert->privatekey);
cert->privatekey = NULL;
break;
@@ -423,7 +423,7 @@
return false;
}
- /* Retain the hash of the leaf certificate if requested. */
+ // Retain the hash of the leaf certificate if requested.
if (out_leaf_sha256 != NULL) {
SHA256(CBS_data(&certificate), CBS_len(&certificate), out_leaf_sha256);
}
@@ -471,9 +471,9 @@
return CBB_flush(cbb);
}
-/* ssl_cert_skip_to_spki parses a DER-encoded, X.509 certificate from |in| and
- * positions |*out_tbs_cert| to cover the TBSCertificate, starting at the
- * subjectPublicKeyInfo. */
+// ssl_cert_skip_to_spki parses a DER-encoded, X.509 certificate from |in| and
+// positions |*out_tbs_cert| to cover the TBSCertificate, starting at the
+// subjectPublicKeyInfo.
static int ssl_cert_skip_to_spki(const CBS *in, CBS *out_tbs_cert) {
/* From RFC 5280, section 4.1
* Certificate ::= SEQUENCE {
@@ -496,19 +496,19 @@
if (!CBS_get_asn1(&buf, &toplevel, CBS_ASN1_SEQUENCE) ||
CBS_len(&buf) != 0 ||
!CBS_get_asn1(&toplevel, out_tbs_cert, CBS_ASN1_SEQUENCE) ||
- /* version */
+ // version
!CBS_get_optional_asn1(
out_tbs_cert, NULL, NULL,
CBS_ASN1_CONSTRUCTED | CBS_ASN1_CONTEXT_SPECIFIC | 0) ||
- /* serialNumber */
+ // serialNumber
!CBS_get_asn1(out_tbs_cert, NULL, CBS_ASN1_INTEGER) ||
- /* signature algorithm */
+ // signature algorithm
!CBS_get_asn1(out_tbs_cert, NULL, CBS_ASN1_SEQUENCE) ||
- /* issuer */
+ // issuer
!CBS_get_asn1(out_tbs_cert, NULL, CBS_ASN1_SEQUENCE) ||
- /* validity */
+ // validity
!CBS_get_asn1(out_tbs_cert, NULL, CBS_ASN1_SEQUENCE) ||
- /* subject */
+ // subject
!CBS_get_asn1(out_tbs_cert, NULL, CBS_ASN1_SEQUENCE)) {
return 0;
}
@@ -529,8 +529,8 @@
int ssl_compare_public_and_private_key(const EVP_PKEY *pubkey,
const EVP_PKEY *privkey) {
if (EVP_PKEY_is_opaque(privkey)) {
- /* We cannot check an opaque private key and have to trust that it
- * matches. */
+ // We cannot check an opaque private key and have to trust that it
+ // matches.
return 1;
}
@@ -586,13 +586,13 @@
CBS tbs_cert, outer_extensions;
int has_extensions;
if (!ssl_cert_skip_to_spki(&buf, &tbs_cert) ||
- /* subjectPublicKeyInfo */
+ // subjectPublicKeyInfo
!CBS_get_asn1(&tbs_cert, NULL, CBS_ASN1_SEQUENCE) ||
- /* issuerUniqueID */
+ // issuerUniqueID
!CBS_get_optional_asn1(
&tbs_cert, NULL, NULL,
CBS_ASN1_CONSTRUCTED | CBS_ASN1_CONTEXT_SPECIFIC | 1) ||
- /* subjectUniqueID */
+ // subjectUniqueID
!CBS_get_optional_asn1(
&tbs_cert, NULL, NULL,
CBS_ASN1_CONSTRUCTED | CBS_ASN1_CONTEXT_SPECIFIC | 2) ||
@@ -635,8 +635,8 @@
goto parse_err;
}
- /* This is the KeyUsage extension. See
- * https://tools.ietf.org/html/rfc5280#section-4.2.1.3 */
+ // This is the KeyUsage extension. See
+ // https://tools.ietf.org/html/rfc5280#section-4.2.1.3
if (!CBS_is_valid_asn1_bitstring(&bit_string)) {
goto parse_err;
}
@@ -649,7 +649,7 @@
return 1;
}
- /* No KeyUsage extension found. */
+ // No KeyUsage extension found.
return 1;
parse_err:
@@ -733,18 +733,18 @@
SSL *const ssl = hs->ssl;
assert(ssl3_protocol_version(ssl) < TLS1_3_VERSION);
- /* Check the certificate's type matches the cipher. */
+ // Check the certificate's type matches the cipher.
if (!(hs->new_cipher->algorithm_auth & ssl_cipher_auth_mask_for_key(pkey))) {
OPENSSL_PUT_ERROR(SSL, SSL_R_WRONG_CERTIFICATE_TYPE);
return 0;
}
- /* Check key usages for all key types but RSA. This is needed to distinguish
- * ECDH certificates, which we do not support, from ECDSA certificates. In
- * principle, we should check RSA key usages based on cipher, but this breaks
- * buggy antivirus deployments. Other key types are always used for signing.
- *
- * TODO(davidben): Get more recent data on RSA key usages. */
+ // Check key usages for all key types but RSA. This is needed to distinguish
+ // ECDH certificates, which we do not support, from ECDSA certificates. In
+ // principle, we should check RSA key usages based on cipher, but this breaks
+ // buggy antivirus deployments. Other key types are always used for signing.
+ //
+ // TODO(davidben): Get more recent data on RSA key usages.
if (EVP_PKEY_id(pkey) != EVP_PKEY_RSA) {
CBS leaf_cbs;
CBS_init(&leaf_cbs, CRYPTO_BUFFER_data(leaf), CRYPTO_BUFFER_len(leaf));
@@ -754,7 +754,7 @@
}
if (EVP_PKEY_id(pkey) == EVP_PKEY_EC) {
- /* Check the key's group and point format are acceptable. */
+ // Check the key's group and point format are acceptable.
EC_KEY *ec_key = EVP_PKEY_get0_EC_KEY(pkey);
uint16_t group_id;
if (!ssl_nid_to_group_id(
@@ -772,7 +772,7 @@
int ssl_on_certificate_selected(SSL_HANDSHAKE *hs) {
SSL *const ssl = hs->ssl;
if (!ssl_has_certificate(ssl)) {
- /* Nothing to do. */
+ // Nothing to do.
return 1;
}
diff --git a/ssl/ssl_cipher.cc b/ssl/ssl_cipher.cc
index ecdecdd..e7a81a3 100644
--- a/ssl/ssl_cipher.cc
+++ b/ssl/ssl_cipher.cc
@@ -156,10 +156,10 @@
namespace bssl {
-/* kCiphers is an array of all supported ciphers, sorted by id. */
+// kCiphers is an array of all supported ciphers, sorted by id.
static const SSL_CIPHER kCiphers[] = {
- /* The RSA ciphers */
- /* Cipher 02 */
+ // The RSA ciphers
+ // Cipher 02
{
SSL3_TXT_RSA_NULL_SHA,
"TLS_RSA_WITH_NULL_SHA",
@@ -171,7 +171,7 @@
SSL_HANDSHAKE_MAC_DEFAULT,
},
- /* Cipher 0A */
+ // Cipher 0A
{
SSL3_TXT_RSA_DES_192_CBC3_SHA,
"TLS_RSA_WITH_3DES_EDE_CBC_SHA",
@@ -184,9 +184,9 @@
},
- /* New AES ciphersuites */
+ // New AES ciphersuites
- /* Cipher 2F */
+ // Cipher 2F
{
TLS1_TXT_RSA_WITH_AES_128_SHA,
"TLS_RSA_WITH_AES_128_CBC_SHA",
@@ -198,7 +198,7 @@
SSL_HANDSHAKE_MAC_DEFAULT,
},
- /* Cipher 35 */
+ // Cipher 35
{
TLS1_TXT_RSA_WITH_AES_256_SHA,
"TLS_RSA_WITH_AES_256_CBC_SHA",
@@ -211,9 +211,9 @@
},
- /* TLS v1.2 ciphersuites */
+ // TLS v1.2 ciphersuites
- /* Cipher 3C */
+ // Cipher 3C
{
TLS1_TXT_RSA_WITH_AES_128_SHA256,
"TLS_RSA_WITH_AES_128_CBC_SHA256",
@@ -225,7 +225,7 @@
SSL_HANDSHAKE_MAC_SHA256,
},
- /* Cipher 3D */
+ // Cipher 3D
{
TLS1_TXT_RSA_WITH_AES_256_SHA256,
"TLS_RSA_WITH_AES_256_CBC_SHA256",
@@ -237,9 +237,9 @@
SSL_HANDSHAKE_MAC_SHA256,
},
- /* PSK cipher suites. */
+ // PSK cipher suites.
- /* Cipher 8C */
+ // Cipher 8C
{
TLS1_TXT_PSK_WITH_AES_128_CBC_SHA,
"TLS_PSK_WITH_AES_128_CBC_SHA",
@@ -251,7 +251,7 @@
SSL_HANDSHAKE_MAC_DEFAULT,
},
- /* Cipher 8D */
+ // Cipher 8D
{
TLS1_TXT_PSK_WITH_AES_256_CBC_SHA,
"TLS_PSK_WITH_AES_256_CBC_SHA",
@@ -263,9 +263,9 @@
SSL_HANDSHAKE_MAC_DEFAULT,
},
- /* GCM ciphersuites from RFC5288 */
+ // GCM ciphersuites from RFC5288
- /* Cipher 9C */
+ // Cipher 9C
{
TLS1_TXT_RSA_WITH_AES_128_GCM_SHA256,
"TLS_RSA_WITH_AES_128_GCM_SHA256",
@@ -277,7 +277,7 @@
SSL_HANDSHAKE_MAC_SHA256,
},
- /* Cipher 9D */
+ // Cipher 9D
{
TLS1_TXT_RSA_WITH_AES_256_GCM_SHA384,
"TLS_RSA_WITH_AES_256_GCM_SHA384",
@@ -289,9 +289,9 @@
SSL_HANDSHAKE_MAC_SHA384,
},
- /* TLS 1.3 suites. */
+ // TLS 1.3 suites.
- /* Cipher 1301 */
+ // Cipher 1301
{
TLS1_TXT_AES_128_GCM_SHA256,
"TLS_AES_128_GCM_SHA256",
@@ -303,7 +303,7 @@
SSL_HANDSHAKE_MAC_SHA256,
},
- /* Cipher 1302 */
+ // Cipher 1302
{
TLS1_TXT_AES_256_GCM_SHA384,
"TLS_AES_256_GCM_SHA384",
@@ -315,7 +315,7 @@
SSL_HANDSHAKE_MAC_SHA384,
},
- /* Cipher 1303 */
+ // Cipher 1303
{
TLS1_TXT_CHACHA20_POLY1305_SHA256,
"TLS_CHACHA20_POLY1305_SHA256",
@@ -327,7 +327,7 @@
SSL_HANDSHAKE_MAC_SHA256,
},
- /* Cipher C009 */
+ // Cipher C009
{
TLS1_TXT_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,
"TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA",
@@ -339,7 +339,7 @@
SSL_HANDSHAKE_MAC_DEFAULT,
},
- /* Cipher C00A */
+ // Cipher C00A
{
TLS1_TXT_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,
"TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA",
@@ -351,7 +351,7 @@
SSL_HANDSHAKE_MAC_DEFAULT,
},
- /* Cipher C013 */
+ // Cipher C013
{
TLS1_TXT_ECDHE_RSA_WITH_AES_128_CBC_SHA,
"TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA",
@@ -363,7 +363,7 @@
SSL_HANDSHAKE_MAC_DEFAULT,
},
- /* Cipher C014 */
+ // Cipher C014
{
TLS1_TXT_ECDHE_RSA_WITH_AES_256_CBC_SHA,
"TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA",
@@ -376,9 +376,9 @@
},
- /* HMAC based TLS v1.2 ciphersuites from RFC5289 */
+ // HMAC based TLS v1.2 ciphersuites from RFC5289
- /* Cipher C023 */
+ // Cipher C023
{
TLS1_TXT_ECDHE_ECDSA_WITH_AES_128_SHA256,
"TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256",
@@ -390,7 +390,7 @@
SSL_HANDSHAKE_MAC_SHA256,
},
- /* Cipher C024 */
+ // Cipher C024
{
TLS1_TXT_ECDHE_ECDSA_WITH_AES_256_SHA384,
"TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384",
@@ -402,7 +402,7 @@
SSL_HANDSHAKE_MAC_SHA384,
},
- /* Cipher C027 */
+ // Cipher C027
{
TLS1_TXT_ECDHE_RSA_WITH_AES_128_SHA256,
"TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256",
@@ -414,7 +414,7 @@
SSL_HANDSHAKE_MAC_SHA256,
},
- /* Cipher C028 */
+ // Cipher C028
{
TLS1_TXT_ECDHE_RSA_WITH_AES_256_SHA384,
"TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384",
@@ -427,9 +427,9 @@
},
- /* GCM based TLS v1.2 ciphersuites from RFC5289 */
+ // GCM based TLS v1.2 ciphersuites from RFC5289
- /* Cipher C02B */
+ // Cipher C02B
{
TLS1_TXT_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
"TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
@@ -441,7 +441,7 @@
SSL_HANDSHAKE_MAC_SHA256,
},
- /* Cipher C02C */
+ // Cipher C02C
{
TLS1_TXT_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
"TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",
@@ -453,7 +453,7 @@
SSL_HANDSHAKE_MAC_SHA384,
},
- /* Cipher C02F */
+ // Cipher C02F
{
TLS1_TXT_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
@@ -465,7 +465,7 @@
SSL_HANDSHAKE_MAC_SHA256,
},
- /* Cipher C030 */
+ // Cipher C030
{
TLS1_TXT_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
"TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
@@ -477,9 +477,9 @@
SSL_HANDSHAKE_MAC_SHA384,
},
- /* ECDHE-PSK cipher suites. */
+ // ECDHE-PSK cipher suites.
- /* Cipher C035 */
+ // Cipher C035
{
TLS1_TXT_ECDHE_PSK_WITH_AES_128_CBC_SHA,
"TLS_ECDHE_PSK_WITH_AES_128_CBC_SHA",
@@ -491,7 +491,7 @@
SSL_HANDSHAKE_MAC_DEFAULT,
},
- /* Cipher C036 */
+ // Cipher C036
{
TLS1_TXT_ECDHE_PSK_WITH_AES_256_CBC_SHA,
"TLS_ECDHE_PSK_WITH_AES_256_CBC_SHA",
@@ -503,9 +503,9 @@
SSL_HANDSHAKE_MAC_DEFAULT,
},
- /* ChaCha20-Poly1305 cipher suites. */
+ // ChaCha20-Poly1305 cipher suites.
- /* Cipher CCA8 */
+ // Cipher CCA8
{
TLS1_TXT_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256,
"TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256",
@@ -517,7 +517,7 @@
SSL_HANDSHAKE_MAC_SHA256,
},
- /* Cipher CCA9 */
+ // Cipher CCA9
{
TLS1_TXT_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256,
"TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256",
@@ -529,7 +529,7 @@
SSL_HANDSHAKE_MAC_SHA256,
},
- /* Cipher CCAB */
+ // Cipher CCAB
{
TLS1_TXT_ECDHE_PSK_WITH_CHACHA20_POLY1305_SHA256,
"TLS_ECDHE_PSK_WITH_CHACHA20_POLY1305_SHA256",
@@ -559,32 +559,32 @@
} CIPHER_ORDER;
typedef struct cipher_alias_st {
- /* name is the name of the cipher alias. */
+ // name is the name of the cipher alias.
const char *name;
- /* The following fields are bitmasks for the corresponding fields on
- * |SSL_CIPHER|. A cipher matches a cipher alias iff, for each bitmask, the
- * bit corresponding to the cipher's value is set to 1. If any bitmask is
- * all zeroes, the alias matches nothing. Use |~0u| for the default value. */
+ // The following fields are bitmasks for the corresponding fields on
+ // |SSL_CIPHER|. A cipher matches a cipher alias iff, for each bitmask, the
+ // bit corresponding to the cipher's value is set to 1. If any bitmask is
+ // all zeroes, the alias matches nothing. Use |~0u| for the default value.
uint32_t algorithm_mkey;
uint32_t algorithm_auth;
uint32_t algorithm_enc;
uint32_t algorithm_mac;
- /* min_version, if non-zero, matches all ciphers which were added in that
- * particular protocol version. */
+ // min_version, if non-zero, matches all ciphers which were added in that
+ // particular protocol version.
uint16_t min_version;
} CIPHER_ALIAS;
static const CIPHER_ALIAS kCipherAliases[] = {
- /* "ALL" doesn't include eNULL. It must be explicitly enabled. */
+ // "ALL" doesn't include eNULL. It must be explicitly enabled.
{"ALL", ~0u, ~0u, ~SSL_eNULL, ~0u, 0},
- /* The "COMPLEMENTOFDEFAULT" rule is omitted. It matches nothing. */
+ // The "COMPLEMENTOFDEFAULT" rule is omitted. It matches nothing.
- /* key exchange aliases
- * (some of those using only a single bit here combine
- * multiple key exchange algs according to the RFCs. */
+ // key exchange aliases
+ // (some of those using only a single bit here combine
+ // multiple key exchange algs according to the RFCs.
{"kRSA", SSL_kRSA, ~0u, ~0u, ~0u, 0},
{"kECDHE", SSL_kECDHE, ~0u, ~0u, ~0u, 0},
@@ -593,19 +593,19 @@
{"kPSK", SSL_kPSK, ~0u, ~0u, ~0u, 0},
- /* server authentication aliases */
+ // server authentication aliases
{"aRSA", ~0u, SSL_aRSA, ~SSL_eNULL, ~0u, 0},
{"aECDSA", ~0u, SSL_aECDSA, ~0u, ~0u, 0},
{"ECDSA", ~0u, SSL_aECDSA, ~0u, ~0u, 0},
{"aPSK", ~0u, SSL_aPSK, ~0u, ~0u, 0},
- /* aliases combining key exchange and server authentication */
+ // aliases combining key exchange and server authentication
{"ECDHE", SSL_kECDHE, ~0u, ~0u, ~0u, 0},
{"EECDH", SSL_kECDHE, ~0u, ~0u, ~0u, 0},
{"RSA", SSL_kRSA, SSL_aRSA, ~SSL_eNULL, ~0u, 0},
{"PSK", SSL_kPSK, SSL_aPSK, ~0u, ~0u, 0},
- /* symmetric encryption aliases */
+ // symmetric encryption aliases
{"3DES", ~0u, ~0u, SSL_3DES, ~0u, 0},
{"AES128", ~0u, ~0u, SSL_AES128 | SSL_AES128GCM, ~0u, 0},
{"AES256", ~0u, ~0u, SSL_AES256 | SSL_AES256GCM, ~0u, 0},
@@ -613,19 +613,19 @@
{"AESGCM", ~0u, ~0u, SSL_AES128GCM | SSL_AES256GCM, ~0u, 0},
{"CHACHA20", ~0u, ~0u, SSL_CHACHA20POLY1305, ~0u, 0},
- /* MAC aliases */
+ // MAC aliases
{"SHA1", ~0u, ~0u, ~SSL_eNULL, SSL_SHA1, 0},
{"SHA", ~0u, ~0u, ~SSL_eNULL, SSL_SHA1, 0},
{"SHA256", ~0u, ~0u, ~0u, SSL_SHA256, 0},
{"SHA384", ~0u, ~0u, ~0u, SSL_SHA384, 0},
- /* Legacy protocol minimum version aliases. "TLSv1" is intentionally the
- * same as "SSLv3". */
+ // Legacy protocol minimum version aliases. "TLSv1" is intentionally the
+ // same as "SSLv3".
{"SSLv3", ~0u, ~0u, ~SSL_eNULL, ~0u, SSL3_VERSION},
{"TLSv1", ~0u, ~0u, ~SSL_eNULL, ~0u, SSL3_VERSION},
{"TLSv1.2", ~0u, ~0u, ~SSL_eNULL, ~0u, TLS1_2_VERSION},
- /* Legacy strength classes. */
+ // Legacy strength classes.
{"HIGH", ~0u, ~0u, ~SSL_eNULL, ~0u, 0},
{"FIPS", ~0u, ~0u, ~SSL_eNULL, ~0u, 0},
};
@@ -671,8 +671,8 @@
return 0;
}
- /* In TLS 1.3, the iv_len is equal to the AEAD nonce length whereas the code
- * above computes the TLS 1.2 construction. */
+ // In TLS 1.3, the iv_len is equal to the AEAD nonce length whereas the code
+ // above computes the TLS 1.2 construction.
if (version >= TLS1_3_VERSION) {
*out_fixed_iv_len = EVP_AEAD_nonce_length(*out_aead);
}
@@ -764,10 +764,10 @@
return !is_strict && (c == ' ' || c == ';' || c == ',');
}
-/* rule_equals returns one iff the NUL-terminated string |rule| is equal to the
- * |buf_len| bytes at |buf|. */
+// rule_equals returns one iff the NUL-terminated string |rule| is equal to the
+// |buf_len| bytes at |buf|.
static int rule_equals(const char *rule, const char *buf, size_t buf_len) {
- /* |strncmp| alone only checks that |buf| is a prefix of |rule|. */
+ // |strncmp| alone only checks that |buf| is a prefix of |rule|.
return strncmp(rule, buf, buf_len) == 0 && rule[buf_len] == '\0';
}
@@ -815,13 +815,13 @@
CIPHER_ORDER *co_list,
CIPHER_ORDER **head_p,
CIPHER_ORDER **tail_p) {
- /* The set of ciphers is static, but some subset may be unsupported by
- * |ssl_method|, so the list may be smaller. */
+ // The set of ciphers is static, but some subset may be unsupported by
+ // |ssl_method|, so the list may be smaller.
size_t co_list_num = 0;
for (size_t i = 0; i < kCiphersLen; i++) {
const SSL_CIPHER *cipher = &kCiphers[i];
if (ssl_method->supports_cipher(cipher) &&
- /* TLS 1.3 ciphers do not participate in this mechanism. */
+ // TLS 1.3 ciphers do not participate in this mechanism.
cipher->algorithm_mkey != SSL_kGENERIC) {
co_list[co_list_num].cipher = cipher;
co_list[co_list_num].next = NULL;
@@ -832,7 +832,7 @@
}
}
- /* Prepare linked list from list entries. */
+ // Prepare linked list from list entries.
if (co_list_num > 0) {
co_list[0].prev = NULL;
@@ -854,15 +854,15 @@
}
}
-/* ssl_cipher_apply_rule applies the rule type |rule| to ciphers matching its
- * parameters in the linked list from |*head_p| to |*tail_p|. It writes the new
- * head and tail of the list to |*head_p| and |*tail_p|, respectively.
- *
- * - If |cipher_id| is non-zero, only that cipher is selected.
- * - Otherwise, if |strength_bits| is non-negative, it selects ciphers
- * of that strength.
- * - Otherwise, it selects ciphers that match each bitmasks in |alg_*| and
- * |min_version|. */
+// ssl_cipher_apply_rule applies the rule type |rule| to ciphers matching its
+// parameters in the linked list from |*head_p| to |*tail_p|. It writes the new
+// head and tail of the list to |*head_p| and |*tail_p|, respectively.
+//
+// - If |cipher_id| is non-zero, only that cipher is selected.
+// - Otherwise, if |strength_bits| is non-negative, it selects ciphers
+// of that strength.
+// - Otherwise, it selects ciphers that match each bitmasks in |alg_*| and
+// |min_version|.
static void ssl_cipher_apply_rule(
uint32_t cipher_id, uint32_t alg_mkey, uint32_t alg_auth,
uint32_t alg_enc, uint32_t alg_mac, uint16_t min_version, int rule,
@@ -874,12 +874,12 @@
if (cipher_id == 0 && strength_bits == -1 && min_version == 0 &&
(alg_mkey == 0 || alg_auth == 0 || alg_enc == 0 || alg_mac == 0)) {
- /* The rule matches nothing, so bail early. */
+ // The rule matches nothing, so bail early.
return;
}
if (rule == CIPHER_DEL) {
- /* needed to maintain sorting between currently deleted ciphers */
+ // needed to maintain sorting between currently deleted ciphers
reverse = 1;
}
@@ -908,8 +908,8 @@
next = reverse ? curr->prev : curr->next;
cp = curr->cipher;
- /* Selection criteria is either a specific cipher, the value of
- * |strength_bits|, or the algorithms used. */
+ // Selection criteria is either a specific cipher, the value of
+ // |strength_bits|, or the algorithms used.
if (cipher_id != 0) {
if (cipher_id != cp->id) {
continue;
@@ -928,9 +928,9 @@
}
}
- /* add the cipher if it has not been added yet. */
+ // add the cipher if it has not been added yet.
if (rule == CIPHER_ADD) {
- /* reverse == 0 */
+ // reverse == 0
if (!curr->active) {
ll_append_tail(&head, curr, &tail);
curr->active = 1;
@@ -938,25 +938,25 @@
}
}
- /* Move the added cipher to this location */
+ // Move the added cipher to this location
else if (rule == CIPHER_ORD) {
- /* reverse == 0 */
+ // reverse == 0
if (curr->active) {
ll_append_tail(&head, curr, &tail);
curr->in_group = 0;
}
} else if (rule == CIPHER_DEL) {
- /* reverse == 1 */
+ // reverse == 1
if (curr->active) {
- /* most recently deleted ciphersuites get best positions
- * for any future CIPHER_ADD (note that the CIPHER_DEL loop
- * works in reverse to maintain the order) */
+ // most recently deleted ciphersuites get best positions
+ // for any future CIPHER_ADD (note that the CIPHER_DEL loop
+ // works in reverse to maintain the order)
ll_append_head(&head, curr, &tail);
curr->active = 0;
curr->in_group = 0;
}
} else if (rule == CIPHER_KILL) {
- /* reverse == 0 */
+ // reverse == 0
if (head == curr) {
head = curr->next;
} else {
@@ -987,9 +987,9 @@
int max_strength_bits, i, *number_uses;
CIPHER_ORDER *curr;
- /* This routine sorts the ciphers with descending strength. The sorting must
- * keep the pre-sorted sequence, so we apply the normal sorting routine as
- * '+' movement to the end of the list. */
+ // This routine sorts the ciphers with descending strength. The sorting must
+ // keep the pre-sorted sequence, so we apply the normal sorting routine as
+ // '+' movement to the end of the list.
max_strength_bits = 0;
curr = *head_p;
while (curr != NULL) {
@@ -1007,7 +1007,7 @@
}
OPENSSL_memset(number_uses, 0, (max_strength_bits + 1) * sizeof(int));
- /* Now find the strength_bits values actually used. */
+ // Now find the strength_bits values actually used.
curr = *head_p;
while (curr != NULL) {
if (curr->active) {
@@ -1016,7 +1016,7 @@
curr = curr->next;
}
- /* Go through the list of used strength_bits values in descending order. */
+ // Go through the list of used strength_bits values in descending order.
for (i = max_strength_bits; i >= 0; i--) {
if (number_uses[i] > 0) {
ssl_cipher_apply_rule(0, 0, 0, 0, 0, 0, CIPHER_ORD, i, 0, head_p, tail_p);
@@ -1044,7 +1044,7 @@
ch = *l;
if (ch == '\0') {
- break; /* done */
+ break; // done
}
if (in_group) {
@@ -1090,8 +1090,8 @@
rule = CIPHER_ADD;
}
- /* If preference groups are enabled, the only legal operator is +.
- * Otherwise the in_group bits will get mixed up. */
+ // If preference groups are enabled, the only legal operator is +.
+ // Otherwise the in_group bits will get mixed up.
if (has_group && rule != CIPHER_ADD) {
OPENSSL_PUT_ERROR(SSL, SSL_R_MIXED_SPECIAL_OPERATOR_WITH_GROUPS);
return 0;
@@ -1122,8 +1122,8 @@
}
if (buf_len == 0) {
- /* We hit something we cannot deal with, it is no command or separator
- * nor alphanumeric, so we call this an error. */
+ // We hit something we cannot deal with, it is no command or separator
+ // nor alphanumeric, so we call this an error.
OPENSSL_PUT_ERROR(SSL, SSL_R_INVALID_COMMAND);
return 0;
}
@@ -1132,8 +1132,8 @@
break;
}
- /* Look for a matching exact cipher. These aren't allowed in multipart
- * rules. */
+ // Look for a matching exact cipher. These aren't allowed in multipart
+ // rules.
if (!multi && ch != '+') {
for (j = 0; j < kCiphersLen; j++) {
const SSL_CIPHER *cipher = &kCiphers[j];
@@ -1145,7 +1145,7 @@
}
}
if (cipher_id == 0) {
- /* If not an exact cipher, look for a matching cipher alias. */
+ // If not an exact cipher, look for a matching cipher alias.
for (j = 0; j < kCipherAliasesLen; j++) {
if (rule_equals(kCipherAliases[j].name, buf, buf_len)) {
alg_mkey &= kCipherAliases[j].algorithm_mkey;
@@ -1171,7 +1171,7 @@
}
}
- /* Check for a multipart rule. */
+ // Check for a multipart rule.
if (ch != '+') {
break;
}
@@ -1179,7 +1179,7 @@
multi = 1;
}
- /* Ok, we have the rule, now apply it. */
+ // Ok, we have the rule, now apply it.
if (rule == CIPHER_SPECIAL) {
if (buf_len != 8 || strncmp(buf, "STRENGTH", 8) != 0) {
OPENSSL_PUT_ERROR(SSL, SSL_R_INVALID_COMMAND);
@@ -1189,8 +1189,8 @@
return 0;
}
- /* We do not support any "multi" options together with "@", so throw away
- * the rest of the command, if any left, until end or ':' is found. */
+ // We do not support any "multi" options together with "@", so throw away
+ // the rest of the command, if any left, until end or ':' is found.
while (*l != '\0' && !is_cipher_list_separator(*l, strict)) {
l++;
}
@@ -1218,14 +1218,14 @@
unsigned int num_in_group_flags = 0;
struct ssl_cipher_preference_list_st *pref_list = NULL;
- /* Return with error if nothing to do. */
+ // Return with error if nothing to do.
if (rule_str == NULL || out_cipher_list == NULL) {
return 0;
}
- /* Now we have to collect the available ciphers from the compiled in ciphers.
- * We cannot get more than the number compiled in, so it is used for
- * allocation. */
+ // Now we have to collect the available ciphers from the compiled in ciphers.
+ // We cannot get more than the number compiled in, so it is used for
+ // allocation.
co_list = (CIPHER_ORDER *)OPENSSL_malloc(sizeof(CIPHER_ORDER) * kCiphersLen);
if (co_list == NULL) {
OPENSSL_PUT_ERROR(SSL, ERR_R_MALLOC_FAILURE);
@@ -1234,11 +1234,11 @@
ssl_cipher_collect_ciphers(ssl_method, co_list, &head, &tail);
- /* Now arrange all ciphers by preference:
- * TODO(davidben): Compute this order once and copy it. */
+ // Now arrange all ciphers by preference:
+ // TODO(davidben): Compute this order once and copy it.
- /* Everything else being equal, prefer ECDHE_ECDSA and ECDHE_RSA over other
- * key exchange mechanisms */
+ // Everything else being equal, prefer ECDHE_ECDSA and ECDHE_RSA over other
+ // key exchange mechanisms
ssl_cipher_apply_rule(0, SSL_kECDHE, SSL_aECDSA, ~0u, ~0u, 0, CIPHER_ADD, -1,
0, &head, &tail);
ssl_cipher_apply_rule(0, SSL_kECDHE, ~0u, ~0u, ~0u, 0, CIPHER_ADD, -1, 0,
@@ -1246,10 +1246,10 @@
ssl_cipher_apply_rule(0, ~0u, ~0u, ~0u, ~0u, 0, CIPHER_DEL, -1, 0, &head,
&tail);
- /* Order the bulk ciphers. First the preferred AEAD ciphers. We prefer
- * CHACHA20 unless there is hardware support for fast and constant-time
- * AES_GCM. Of the two CHACHA20 variants, the new one is preferred over the
- * old one. */
+ // Order the bulk ciphers. First the preferred AEAD ciphers. We prefer
+ // CHACHA20 unless there is hardware support for fast and constant-time
+ // AES_GCM. Of the two CHACHA20 variants, the new one is preferred over the
+ // old one.
if (EVP_has_aes_hardware()) {
ssl_cipher_apply_rule(0, ~0u, ~0u, SSL_AES128GCM, ~0u, 0, CIPHER_ADD, -1, 0,
&head, &tail);
@@ -1266,8 +1266,8 @@
&head, &tail);
}
- /* Then the legacy non-AEAD ciphers: AES_128_CBC, AES_256_CBC,
- * 3DES_EDE_CBC_SHA. */
+ // Then the legacy non-AEAD ciphers: AES_128_CBC, AES_256_CBC,
+ // 3DES_EDE_CBC_SHA.
ssl_cipher_apply_rule(0, ~0u, ~0u, SSL_AES128, ~0u, 0, CIPHER_ADD, -1, 0,
&head, &tail);
ssl_cipher_apply_rule(0, ~0u, ~0u, SSL_AES256, ~0u, 0, CIPHER_ADD, -1, 0,
@@ -1275,20 +1275,20 @@
ssl_cipher_apply_rule(0, ~0u, ~0u, SSL_3DES, ~0u, 0, CIPHER_ADD, -1, 0, &head,
&tail);
- /* Temporarily enable everything else for sorting */
+ // Temporarily enable everything else for sorting
ssl_cipher_apply_rule(0, ~0u, ~0u, ~0u, ~0u, 0, CIPHER_ADD, -1, 0, &head,
&tail);
- /* Move ciphers without forward secrecy to the end. */
+ // Move ciphers without forward secrecy to the end.
ssl_cipher_apply_rule(0, (SSL_kRSA | SSL_kPSK), ~0u, ~0u, ~0u, 0,
CIPHER_ORD, -1, 0, &head, &tail);
- /* Now disable everything (maintaining the ordering!) */
+ // Now disable everything (maintaining the ordering!)
ssl_cipher_apply_rule(0, ~0u, ~0u, ~0u, ~0u, 0, CIPHER_DEL, -1, 0, &head,
&tail);
- /* If the rule_string begins with DEFAULT, apply the default rule before
- * using the (possibly available) additional rules. */
+ // If the rule_string begins with DEFAULT, apply the default rule before
+ // using the (possibly available) additional rules.
const char *rule_p = rule_str;
if (strncmp(rule_str, "DEFAULT", 7) == 0) {
if (!ssl_cipher_process_rulestr(ssl_method, SSL_DEFAULT_CIPHER_LIST, &head,
@@ -1306,8 +1306,8 @@
goto err;
}
- /* Allocate new "cipherstack" for the result, return with error
- * if we cannot get one. */
+ // Allocate new "cipherstack" for the result, return with error
+ // if we cannot get one.
cipherstack = sk_SSL_CIPHER_new_null();
if (cipherstack == NULL) {
goto err;
@@ -1318,8 +1318,8 @@
goto err;
}
- /* The cipher selection for the list is done. The ciphers are added
- * to the resulting precedence to the STACK_OF(SSL_CIPHER). */
+ // The cipher selection for the list is done. The ciphers are added
+ // to the resulting precedence to the STACK_OF(SSL_CIPHER).
for (curr = head; curr != NULL; curr = curr->next) {
if (curr->active) {
if (!sk_SSL_CIPHER_push(cipherstack, curr->cipher)) {
@@ -1328,7 +1328,7 @@
in_group_flags[num_in_group_flags++] = curr->in_group;
}
}
- OPENSSL_free(co_list); /* Not needed any longer */
+ OPENSSL_free(co_list); // Not needed any longer
co_list = NULL;
pref_list = (ssl_cipher_preference_list_st *)OPENSSL_malloc(
@@ -1350,8 +1350,8 @@
*out_cipher_list = pref_list;
pref_list = NULL;
- /* Configuring an empty cipher list is an error but still updates the
- * output. */
+ // Configuring an empty cipher list is an error but still updates the
+ // output.
if (sk_SSL_CIPHER_num((*out_cipher_list)->ciphers) == 0) {
OPENSSL_PUT_ERROR(SSL, SSL_R_NO_CIPHER_MATCH);
return 0;
@@ -1372,7 +1372,7 @@
uint16_t ssl_cipher_get_value(const SSL_CIPHER *cipher) {
uint32_t id = cipher->id;
- /* All ciphers are SSLv3. */
+ // All ciphers are SSLv3.
assert((id & 0xff000000) == 0x03000000);
return id & 0xffff;
}
@@ -1383,7 +1383,7 @@
return SSL_aRSA;
case EVP_PKEY_EC:
case EVP_PKEY_ED25519:
- /* Ed25519 keys in TLS 1.2 repurpose the ECDSA ciphers. */
+ // Ed25519 keys in TLS 1.2 repurpose the ECDSA ciphers.
return SSL_aECDSA;
default:
return 0;
@@ -1395,12 +1395,12 @@
}
int ssl_cipher_requires_server_key_exchange(const SSL_CIPHER *cipher) {
- /* Ephemeral Diffie-Hellman key exchanges require a ServerKeyExchange. */
+ // Ephemeral Diffie-Hellman key exchanges require a ServerKeyExchange.
if (cipher->algorithm_mkey & SSL_kECDHE) {
return 1;
}
- /* It is optional in all others. */
+ // It is optional in all others.
return 0;
}
@@ -1418,7 +1418,7 @@
return 0;
}
- /* All supported TLS 1.0 ciphers use SHA-1. */
+ // All supported TLS 1.0 ciphers use SHA-1.
assert(cipher->algorithm_mac == SSL_SHA1);
size_t ret = 1 + SHA_DIGEST_LENGTH;
ret += block_size - (ret % block_size);
@@ -1521,8 +1521,8 @@
}
if (cipher->algorithm_prf != SSL_HANDSHAKE_MAC_DEFAULT) {
- /* Cipher suites before TLS 1.2 use the default PRF, while all those added
- * afterwards specify a particular hash. */
+ // Cipher suites before TLS 1.2 use the default PRF, while all those added
+ // afterwards specify a particular hash.
return TLS1_2_VERSION;
}
return SSL3_VERSION;
@@ -1536,7 +1536,7 @@
return TLS1_2_VERSION;
}
-/* return the actual cipher being used */
+// return the actual cipher being used
const char *SSL_CIPHER_get_name(const SSL_CIPHER *cipher) {
if (cipher != NULL) {
return cipher->name;
diff --git a/ssl/ssl_file.cc b/ssl/ssl_file.cc
index 59351a3..1bdc14f 100644
--- a/ssl/ssl_file.cc
+++ b/ssl/ssl_file.cc
@@ -128,8 +128,8 @@
return X509_NAME_cmp(*a, *b);
}
-/* TODO(davidben): Is there any reason this doesn't call
- * |SSL_add_file_cert_subjects_to_stack|? */
+// TODO(davidben): Is there any reason this doesn't call
+// |SSL_add_file_cert_subjects_to_stack|?
STACK_OF(X509_NAME) *SSL_load_client_CA_file(const char *file) {
BIO *in;
X509 *x = NULL;
@@ -164,7 +164,7 @@
goto err;
}
- /* Check for duplicates. */
+ // Check for duplicates.
if (sk_X509_NAME_find(sk, NULL, xn)) {
continue;
}
@@ -222,7 +222,7 @@
goto err;
}
- /* Check for duplicates. */
+ // Check for duplicates.
if (sk_X509_NAME_find(stack, NULL, xn)) {
continue;
}
@@ -493,15 +493,15 @@
return ret;
}
-/* Read a file that contains our certificate in "PEM" format, possibly followed
- * by a sequence of CA certificates that should be sent to the peer in the
- * Certificate message. */
+// Read a file that contains our certificate in "PEM" format, possibly followed
+// by a sequence of CA certificates that should be sent to the peer in the
+// Certificate message.
int SSL_CTX_use_certificate_chain_file(SSL_CTX *ctx, const char *file) {
BIO *in;
int ret = 0;
X509 *x = NULL;
- ERR_clear_error(); /* clear error stack for SSL_CTX_use_certificate() */
+ ERR_clear_error(); // clear error stack for SSL_CTX_use_certificate()
in = BIO_new(BIO_s_file());
if (in == NULL) {
@@ -524,12 +524,12 @@
ret = SSL_CTX_use_certificate(ctx, x);
if (ERR_peek_error() != 0) {
- ret = 0; /* Key/certificate mismatch doesn't imply ret==0 ... */
+ ret = 0; // Key/certificate mismatch doesn't imply ret==0 ...
}
if (ret) {
- /* If we could set up our certificate, now proceed to the CA
- * certificates. */
+ // If we could set up our certificate, now proceed to the CA
+ // certificates.
X509 *ca;
int r;
uint32_t err;
@@ -545,18 +545,18 @@
ret = 0;
goto end;
}
- /* Note that we must not free r if it was successfully added to the chain
- * (while we must free the main certificate, since its reference count is
- * increased by SSL_CTX_use_certificate). */
+ // Note that we must not free r if it was successfully added to the chain
+ // (while we must free the main certificate, since its reference count is
+ // increased by SSL_CTX_use_certificate).
}
- /* When the while loop ends, it's usually just EOF. */
+ // When the while loop ends, it's usually just EOF.
err = ERR_peek_last_error();
if (ERR_GET_LIB(err) == ERR_LIB_PEM &&
ERR_GET_REASON(err) == PEM_R_NO_START_LINE) {
ERR_clear_error();
} else {
- ret = 0; /* some real error */
+ ret = 0; // some real error
}
}
diff --git a/ssl/ssl_key_share.cc b/ssl/ssl_key_share.cc
index eb61535..207f11e 100644
--- a/ssl/ssl_key_share.cc
+++ b/ssl/ssl_key_share.cc
@@ -42,14 +42,14 @@
bool Offer(CBB *out) override {
assert(!private_key_);
- /* Set up a shared |BN_CTX| for all operations. */
+ // Set up a shared |BN_CTX| for all operations.
UniquePtr<BN_CTX> bn_ctx(BN_CTX_new());
if (!bn_ctx) {
return false;
}
BN_CTXScope scope(bn_ctx.get());
- /* Generate a private key. */
+ // Generate a private key.
UniquePtr<EC_GROUP> group(EC_GROUP_new_by_curve_name(nid_));
private_key_.reset(BN_new());
if (!group || !private_key_ ||
@@ -58,7 +58,7 @@
return false;
}
- /* Compute the corresponding public key and serialize it. */
+ // Compute the corresponding public key and serialize it.
UniquePtr<EC_POINT> public_key(EC_POINT_new(group.get()));
if (!public_key ||
!EC_POINT_mul(group.get(), public_key.get(), private_key_.get(), NULL,
@@ -76,7 +76,7 @@
assert(private_key_);
*out_alert = SSL_AD_INTERNAL_ERROR;
- /* Set up a shared |BN_CTX| for all operations. */
+ // Set up a shared |BN_CTX| for all operations.
UniquePtr<BN_CTX> bn_ctx(BN_CTX_new());
if (!bn_ctx) {
return false;
@@ -101,7 +101,7 @@
return false;
}
- /* Compute the x-coordinate of |peer_key| * |private_key_|. */
+ // Compute the x-coordinate of |peer_key| * |private_key_|.
if (!EC_POINT_mul(group.get(), result.get(), NULL, peer_point.get(),
private_key_.get(), bn_ctx.get()) ||
!EC_POINT_get_affine_coordinates_GFp(group.get(), result.get(), x, NULL,
@@ -109,7 +109,7 @@
return false;
}
- /* Encode the x-coordinate left-padded with zeros. */
+ // Encode the x-coordinate left-padded with zeros.
size_t secret_len = (EC_GROUP_get_degree(group.get()) + 7) / 8;
UniquePtr<uint8_t> secret((uint8_t *)OPENSSL_malloc(secret_len));
if (!secret || !BN_bn2bin_padded(secret.get(), secret_len, x)) {
diff --git a/ssl/ssl_lib.cc b/ssl/ssl_lib.cc
index 6305356..e210616 100644
--- a/ssl/ssl_lib.cc
+++ b/ssl/ssl_lib.cc
@@ -164,22 +164,22 @@
namespace bssl {
-/* |SSL_R_UNKNOWN_PROTOCOL| is no longer emitted, but continue to define it
- * to avoid downstream churn. */
+// |SSL_R_UNKNOWN_PROTOCOL| is no longer emitted, but continue to define it
+// to avoid downstream churn.
OPENSSL_DECLARE_ERROR_REASON(SSL, UNKNOWN_PROTOCOL)
-/* The following errors are no longer emitted, but are used in nginx without
- * #ifdefs. */
+// The following errors are no longer emitted, but are used in nginx without
+// #ifdefs.
OPENSSL_DECLARE_ERROR_REASON(SSL, BLOCK_CIPHER_PAD_IS_WRONG)
OPENSSL_DECLARE_ERROR_REASON(SSL, NO_CIPHERS_SPECIFIED)
-/* Some error codes are special. Ensure the make_errors.go script never
- * regresses this. */
+// Some error codes are special. Ensure the make_errors.go script never
+// regresses this.
static_assert(SSL_R_TLSV1_ALERT_NO_RENEGOTIATION ==
SSL_AD_NO_RENEGOTIATION + SSL_AD_REASON_OFFSET,
"alert reason code mismatch");
-/* kMaxHandshakeSize is the maximum size, in bytes, of a handshake message. */
+// kMaxHandshakeSize is the maximum size, in bytes, of a handshake message.
static const size_t kMaxHandshakeSize = (1u << 24) - 1;
static CRYPTO_EX_DATA_CLASS g_ex_data_class_ssl =
@@ -188,8 +188,8 @@
CRYPTO_EX_DATA_CLASS_INIT_WITH_APP_DATA;
void ssl_reset_error_state(SSL *ssl) {
- /* Functions which use |SSL_get_error| must reset I/O and error state on
- * entry. */
+ // Functions which use |SSL_get_error| must reset I/O and error state on
+ // entry.
ssl->rwstate = SSL_NOTHING;
ERR_clear_error();
ERR_clear_system_error();
@@ -216,20 +216,20 @@
void ssl_update_cache(SSL_HANDSHAKE *hs, int mode) {
SSL *const ssl = hs->ssl;
SSL_CTX *ctx = ssl->session_ctx;
- /* Never cache sessions with empty session IDs. */
+ // Never cache sessions with empty session IDs.
if (ssl->s3->established_session->session_id_length == 0 ||
ssl->s3->established_session->not_resumable ||
(ctx->session_cache_mode & mode) != mode) {
return;
}
- /* Clients never use the internal session cache. */
+ // Clients never use the internal session cache.
int use_internal_cache = ssl->server && !(ctx->session_cache_mode &
SSL_SESS_CACHE_NO_INTERNAL_STORE);
- /* A client may see new sessions on abbreviated handshakes if the server
- * decides to renew the ticket. Once the handshake is completed, it should be
- * inserted into the cache. */
+ // A client may see new sessions on abbreviated handshakes if the server
+ // decides to renew the ticket. Once the handshake is completed, it should be
+ // inserted into the cache.
if (ssl->s3->established_session != ssl->session ||
(!ssl->server && hs->ticket_expected)) {
if (use_internal_cache) {
@@ -238,7 +238,7 @@
if (ctx->new_session_cb != NULL) {
SSL_SESSION_up_ref(ssl->s3->established_session);
if (!ctx->new_session_cb(ssl, ssl->s3->established_session)) {
- /* |new_session_cb|'s return value signals whether it took ownership. */
+ // |new_session_cb|'s return value signals whether it took ownership.
SSL_SESSION_free(ssl->s3->established_session);
}
}
@@ -246,7 +246,7 @@
if (use_internal_cache &&
!(ctx->session_cache_mode & SSL_SESS_CACHE_NO_AUTO_CLEAR)) {
- /* Automatically flush the internal session cache every 255 connections. */
+ // Automatically flush the internal session cache every 255 connections.
int flush_cache = 0;
CRYPTO_MUTEX_lock_write(&ctx->lock);
ctx->handshakes_since_cache_flush++;
@@ -309,7 +309,7 @@
int ssl3_can_false_start(const SSL *ssl) {
const SSL_CIPHER *const cipher = SSL_get_current_cipher(ssl);
- /* False Start only for TLS 1.2 with an ECDHE+AEAD cipher and ALPN or NPN. */
+ // False Start only for TLS 1.2 with an ECDHE+AEAD cipher and ALPN or NPN.
return !SSL_is_dtls(ssl) &&
SSL_version(ssl) == TLS1_2_VERSION &&
(ssl->s3->alpn_selected != NULL ||
@@ -338,12 +338,12 @@
return;
}
- /* |version| is zero when calling for |SSL3_RT_HEADER| and |SSL2_VERSION| for
- * a V2ClientHello. */
+ // |version| is zero when calling for |SSL3_RT_HEADER| and |SSL2_VERSION| for
+ // a V2ClientHello.
int version;
switch (content_type) {
case 0:
- /* V2ClientHello */
+ // V2ClientHello
version = SSL2_VERSION;
break;
case SSL3_RT_HEADER:
@@ -358,16 +358,16 @@
}
void ssl_get_current_time(const SSL *ssl, struct OPENSSL_timeval *out_clock) {
- /* TODO(martinkr): Change callers to |ssl_ctx_get_current_time| and drop the
- * |ssl| arg from |current_time_cb| if possible. */
+ // TODO(martinkr): Change callers to |ssl_ctx_get_current_time| and drop the
+ // |ssl| arg from |current_time_cb| if possible.
ssl_ctx_get_current_time(ssl->ctx, out_clock);
}
void ssl_ctx_get_current_time(const SSL_CTX *ctx,
struct OPENSSL_timeval *out_clock) {
if (ctx->current_time_cb != NULL) {
- /* TODO(davidben): Update current_time_cb to use OPENSSL_timeval. See
- * https://crbug.com/boringssl/155. */
+ // TODO(davidben): Update current_time_cb to use OPENSSL_timeval. See
+ // https://crbug.com/boringssl/155.
struct timeval clock;
ctx->current_time_cb(nullptr /* ssl */, &clock);
if (clock.tv_sec < 0) {
@@ -437,11 +437,11 @@
return hash;
}
-/* NB: If this function (or indeed the hash function which uses a sort of
- * coarser function than this one) is changed, ensure
- * SSL_CTX_has_matching_session_id() is checked accordingly. It relies on being
- * able to construct an SSL_SESSION that will collide with any existing session
- * with a matching session ID. */
+// NB: If this function (or indeed the hash function which uses a sort of
+// coarser function than this one) is changed, ensure
+// SSL_CTX_has_matching_session_id() is checked accordingly. It relies on being
+// able to construct an SSL_SESSION that will collide with any existing session
+// with a matching session ID.
static int ssl_session_cmp(const SSL_SESSION *a, const SSL_SESSION *b) {
if (a->ssl_version != b->ssl_version) {
return 1;
@@ -511,16 +511,16 @@
ret->max_send_fragment = SSL3_RT_MAX_PLAIN_LENGTH;
- /* Disable the auto-chaining feature by default. Once this has stuck without
- * problems, the feature will be removed entirely. */
+ // Disable the auto-chaining feature by default. Once this has stuck without
+ // problems, the feature will be removed entirely.
ret->mode = SSL_MODE_NO_AUTO_CHAIN;
- /* Lock the SSL_CTX to the specified version, for compatibility with legacy
- * uses of SSL_METHOD, but we do not set the minimum version for
- * |SSLv3_method|. */
+ // Lock the SSL_CTX to the specified version, for compatibility with legacy
+ // uses of SSL_METHOD, but we do not set the minimum version for
+ // |SSLv3_method|.
if (!SSL_CTX_set_max_proto_version(ret, method->version) ||
!SSL_CTX_set_min_proto_version(ret, method->version == SSL3_VERSION
- ? 0 /* default */
+ ? 0 // default
: method->version)) {
OPENSSL_PUT_ERROR(SSL, ERR_R_INTERNAL_ERROR);
goto err2;
@@ -546,12 +546,12 @@
return;
}
- /* Free internal session cache. However: the remove_cb() may reference the
- * ex_data of SSL_CTX, thus the ex_data store can only be removed after the
- * sessions were flushed. As the ex_data handling routines might also touch
- * the session cache, the most secure solution seems to be: empty (flush) the
- * cache, then free ex_data, then finally free the cache. (See ticket
- * [openssl.org #212].) */
+ // Free internal session cache. However: the remove_cb() may reference the
+ // ex_data of SSL_CTX, thus the ex_data store can only be removed after the
+ // sessions were flushed. As the ex_data handling routines might also touch
+ // the session cache, the most secure solution seems to be: empty (flush) the
+ // cache, then free ex_data, then finally free the cache. (See ticket
+ // [openssl.org #212].)
SSL_CTX_flush_sessions(ctx, 0);
CRYPTO_free_ex_data(&g_ex_data_class_ssl_ctx, ctx, &ctx->ex_data);
@@ -598,8 +598,8 @@
ssl->conf_max_version = ctx->conf_max_version;
ssl->tls13_variant = ctx->tls13_variant;
- /* RFC 6347 states that implementations SHOULD use an initial timer value of
- * 1 second. */
+ // RFC 6347 states that implementations SHOULD use an initial timer value of
+ // 1 second.
ssl->initial_timeout_duration_ms = 1000;
ssl->options = ctx->options;
@@ -703,7 +703,7 @@
BUF_MEM_free(ssl->init_buf);
- /* add extra stuff */
+ // add extra stuff
ssl_cipher_preference_list_free(ssl->cipher_list);
SSL_SESSION_free(ssl->session);
@@ -748,35 +748,35 @@
}
void SSL_set_bio(SSL *ssl, BIO *rbio, BIO *wbio) {
- /* For historical reasons, this function has many different cases in ownership
- * handling. */
+ // For historical reasons, this function has many different cases in ownership
+ // handling.
- /* If nothing has changed, do nothing */
+ // If nothing has changed, do nothing
if (rbio == SSL_get_rbio(ssl) && wbio == SSL_get_wbio(ssl)) {
return;
}
- /* If the two arguments are equal, one fewer reference is granted than
- * taken. */
+ // If the two arguments are equal, one fewer reference is granted than
+ // taken.
if (rbio != NULL && rbio == wbio) {
BIO_up_ref(rbio);
}
- /* If only the wbio is changed, adopt only one reference. */
+ // If only the wbio is changed, adopt only one reference.
if (rbio == SSL_get_rbio(ssl)) {
SSL_set0_wbio(ssl, wbio);
return;
}
- /* There is an asymmetry here for historical reasons. If only the rbio is
- * changed AND the rbio and wbio were originally different, then we only adopt
- * one reference. */
+ // There is an asymmetry here for historical reasons. If only the rbio is
+ // changed AND the rbio and wbio were originally different, then we only adopt
+ // one reference.
if (wbio == SSL_get_wbio(ssl) && SSL_get_rbio(ssl) != SSL_get_wbio(ssl)) {
SSL_set0_rbio(ssl, rbio);
return;
}
- /* Otherwise, adopt both references. */
+ // Otherwise, adopt both references.
SSL_set0_rbio(ssl, rbio);
SSL_set0_wbio(ssl, wbio);
}
@@ -797,7 +797,7 @@
return 1;
}
- /* Run the handshake. */
+ // Run the handshake.
SSL_HANDSHAKE *hs = ssl->s3->hs;
int early_return = 0;
@@ -808,7 +808,7 @@
return ret;
}
- /* Destroy the handshake object if the handshake has completely finished. */
+ // Destroy the handshake object if the handshake has completely finished.
if (!early_return) {
ssl_handshake_free(ssl->s3->hs);
ssl->s3->hs = NULL;
@@ -819,7 +819,7 @@
int SSL_connect(SSL *ssl) {
if (ssl->do_handshake == NULL) {
- /* Not properly initialized yet */
+ // Not properly initialized yet
SSL_set_connect_state(ssl);
}
@@ -828,7 +828,7 @@
int SSL_accept(SSL *ssl) {
if (ssl->do_handshake == NULL) {
- /* Not properly initialized yet */
+ // Not properly initialized yet
SSL_set_accept_state(ssl);
}
@@ -840,9 +840,9 @@
return tls13_post_handshake(ssl, msg);
}
- /* We do not accept renegotiations as a server or SSL 3.0. SSL 3.0 will be
- * removed entirely in the future and requires retaining more data for
- * renegotiation_info. */
+ // We do not accept renegotiations as a server or SSL 3.0. SSL 3.0 will be
+ // removed entirely in the future and requires retaining more data for
+ // renegotiation_info.
if (ssl->server || ssl->version == SSL3_VERSION) {
goto no_renegotiation;
}
@@ -855,7 +855,7 @@
switch (ssl->renegotiate_mode) {
case ssl_renegotiate_ignore:
- /* Ignore the HelloRequest. */
+ // Ignore the HelloRequest.
return 1;
case ssl_renegotiate_once:
@@ -871,15 +871,15 @@
break;
}
- /* Renegotiation is only supported at quiescent points in the application
- * protocol, namely in HTTPS, just before reading the HTTP response. Require
- * the record-layer be idle and avoid complexities of sending a handshake
- * record while an application_data record is being written. */
+ // Renegotiation is only supported at quiescent points in the application
+ // protocol, namely in HTTPS, just before reading the HTTP response. Require
+ // the record-layer be idle and avoid complexities of sending a handshake
+ // record while an application_data record is being written.
if (ssl_write_buffer_is_pending(ssl)) {
goto no_renegotiation;
}
- /* Begin a new handshake. */
+ // Begin a new handshake.
if (ssl->s3->hs != NULL) {
OPENSSL_PUT_ERROR(SSL, ERR_R_INTERNAL_ERROR);
return 0;
@@ -907,9 +907,9 @@
}
for (;;) {
- /* Complete the current handshake, if any. False Start will cause
- * |SSL_do_handshake| to return mid-handshake, so this may require multiple
- * iterations. */
+ // Complete the current handshake, if any. False Start will cause
+ // |SSL_do_handshake| to return mid-handshake, so this may require multiple
+ // iterations.
while (!ssl_can_read(ssl)) {
int ret = SSL_do_handshake(ssl);
if (ret < 0) {
@@ -929,15 +929,15 @@
return ret;
}
- /* If we received an interrupt in early read (the end_of_early_data alert),
- * loop again for the handshake to process it. */
+ // If we received an interrupt in early read (the end_of_early_data alert),
+ // loop again for the handshake to process it.
if (SSL_in_init(ssl)) {
continue;
}
SSLMessage msg;
while (ssl->method->get_message(ssl, &msg)) {
- /* Handle the post-handshake message and try again. */
+ // Handle the post-handshake message and try again.
if (!ssl_do_post_handshake(ssl, msg)) {
return -1;
}
@@ -969,7 +969,7 @@
int ret = 0, needs_handshake = 0;
do {
- /* If necessary, complete the handshake implicitly. */
+ // If necessary, complete the handshake implicitly.
if (!ssl_can_write(ssl)) {
ret = SSL_do_handshake(ssl);
if (ret < 0) {
@@ -995,43 +995,43 @@
return -1;
}
- /* If we are in the middle of a handshake, silently succeed. Consumers often
- * call this function before |SSL_free|, whether the handshake succeeded or
- * not. We assume the caller has already handled failed handshakes. */
+ // If we are in the middle of a handshake, silently succeed. Consumers often
+ // call this function before |SSL_free|, whether the handshake succeeded or
+ // not. We assume the caller has already handled failed handshakes.
if (SSL_in_init(ssl)) {
return 1;
}
if (ssl->quiet_shutdown) {
- /* Do nothing if configured not to send a close_notify. */
+ // Do nothing if configured not to send a close_notify.
ssl->s3->send_shutdown = ssl_shutdown_close_notify;
ssl->s3->recv_shutdown = ssl_shutdown_close_notify;
return 1;
}
- /* This function completes in two stages. It sends a close_notify and then it
- * waits for a close_notify to come in. Perform exactly one action and return
- * whether or not it succeeds. */
+ // This function completes in two stages. It sends a close_notify and then it
+ // waits for a close_notify to come in. Perform exactly one action and return
+ // whether or not it succeeds.
if (ssl->s3->send_shutdown != ssl_shutdown_close_notify) {
- /* Send a close_notify. */
+ // Send a close_notify.
if (ssl3_send_alert(ssl, SSL3_AL_WARNING, SSL_AD_CLOSE_NOTIFY) <= 0) {
return -1;
}
} else if (ssl->s3->alert_dispatch) {
- /* Finish sending the close_notify. */
+ // Finish sending the close_notify.
if (ssl->method->dispatch_alert(ssl) <= 0) {
return -1;
}
} else if (ssl->s3->recv_shutdown != ssl_shutdown_close_notify) {
- /* Wait for the peer's close_notify. */
+ // Wait for the peer's close_notify.
ssl->method->read_close_notify(ssl);
if (ssl->s3->recv_shutdown != ssl_shutdown_close_notify) {
return -1;
}
}
- /* Return 0 for unidirectional shutdown and 1 for bidirectional shutdown. */
+ // Return 0 for unidirectional shutdown and 1 for bidirectional shutdown.
return ssl->s3->recv_shutdown == ssl_shutdown_close_notify;
}
@@ -1039,7 +1039,7 @@
if (ssl->s3->alert_dispatch) {
if (ssl->s3->send_alert[0] != SSL3_AL_FATAL ||
ssl->s3->send_alert[1] != alert) {
- /* We are already attempting to write a different alert. */
+ // We are already attempting to write a different alert.
OPENSSL_PUT_ERROR(SSL, SSL_R_PROTOCOL_IS_SHUTDOWN);
return -1;
}
@@ -1087,9 +1087,9 @@
hs->in_early_data = 0;
hs->early_session.reset();
- /* Discard any unfinished writes from the perspective of |SSL_write|'s
- * retry. The handshake will transparently flush out the pending record
- * (discarded by the server) to keep the framing correct. */
+ // Discard any unfinished writes from the perspective of |SSL_write|'s
+ // retry. The handshake will transparently flush out the pending record
+ // (discarded by the server) to keep the framing correct.
ssl->s3->wpend_pending = 0;
}
@@ -1109,8 +1109,8 @@
return SSL_ERROR_NONE;
}
- /* Make things return SSL_ERROR_SYSCALL when doing SSL_do_handshake etc,
- * where we do encode the error */
+ // Make things return SSL_ERROR_SYSCALL when doing SSL_do_handshake etc,
+ // where we do encode the error
uint32_t err = ERR_peek_error();
if (err != 0) {
if (ERR_GET_LIB(err) == ERR_LIB_SYS) {
@@ -1123,9 +1123,9 @@
if (ssl->s3->recv_shutdown == ssl_shutdown_close_notify) {
return SSL_ERROR_ZERO_RETURN;
}
- /* An EOF was observed which violates the protocol, and the underlying
- * transport does not participate in the error queue. Bubble up to the
- * caller. */
+ // An EOF was observed which violates the protocol, and the underlying
+ // transport does not participate in the error queue. Bubble up to the
+ // caller.
return SSL_ERROR_SYSCALL;
}
@@ -1143,8 +1143,8 @@
}
if (BIO_should_write(bio)) {
- /* TODO(davidben): OpenSSL historically checked for writes on the read
- * BIO. Can this be removed? */
+ // TODO(davidben): OpenSSL historically checked for writes on the read
+ // BIO. Can this be removed?
return SSL_ERROR_WANT_WRITE;
}
@@ -1162,8 +1162,8 @@
}
if (BIO_should_read(bio)) {
- /* TODO(davidben): OpenSSL historically checked for reads on the write
- * BIO. Can this be removed? */
+ // TODO(davidben): OpenSSL historically checked for reads on the write
+ // BIO. Can this be removed?
return SSL_ERROR_WANT_READ;
}
@@ -1253,20 +1253,20 @@
*out_len = 0;
OPENSSL_memset(out, 0, max_out);
- /* tls-unique is not defined for SSL 3.0 or TLS 1.3. */
+ // tls-unique is not defined for SSL 3.0 or TLS 1.3.
if (!ssl->s3->initial_handshake_complete ||
ssl3_protocol_version(ssl) < TLS1_VERSION ||
ssl3_protocol_version(ssl) >= TLS1_3_VERSION) {
return 0;
}
- /* The tls-unique value is the first Finished message in the handshake, which
- * is the client's in a full handshake and the server's for a resumption. See
- * https://tools.ietf.org/html/rfc5929#section-3.1. */
+ // The tls-unique value is the first Finished message in the handshake, which
+ // is the client's in a full handshake and the server's for a resumption. See
+ // https://tools.ietf.org/html/rfc5929#section-3.1.
const uint8_t *finished = ssl->s3->previous_client_finished;
size_t finished_len = ssl->s3->previous_client_finished_len;
if (ssl->session != NULL) {
- /* tls-unique is broken for resumed sessions unless EMS is used. */
+ // tls-unique is broken for resumed sessions unless EMS is used.
if (!ssl->session->extended_master_secret) {
return 0;
}
@@ -1356,7 +1356,7 @@
BIO_set_fd(bio, fd, BIO_NOCLOSE);
SSL_set0_wbio(ssl, bio);
} else {
- /* Copy the rbio over to the wbio. */
+ // Copy the rbio over to the wbio.
BIO_up_ref(rbio);
SSL_set0_wbio(ssl, rbio);
}
@@ -1376,7 +1376,7 @@
BIO_set_fd(bio, fd, BIO_NOCLOSE);
SSL_set0_rbio(ssl, bio);
} else {
- /* Copy the wbio over to the rbio. */
+ // Copy the wbio over to the rbio.
BIO_up_ref(wbio);
SSL_set0_rbio(ssl, wbio);
}
@@ -1427,8 +1427,8 @@
int SSL_get_verify_mode(const SSL *ssl) { return ssl->verify_mode; }
int SSL_get_extms_support(const SSL *ssl) {
- /* TLS 1.3 does not require extended master secret and always reports as
- * supporting it. */
+ // TLS 1.3 does not require extended master secret and always reports as
+ // supporting it.
if (!ssl->s3->have_version) {
return 0;
}
@@ -1436,12 +1436,12 @@
return 1;
}
- /* If the initial handshake completed, query the established session. */
+ // If the initial handshake completed, query the established session.
if (ssl->s3->established_session != NULL) {
return ssl->s3->established_session->extended_master_secret;
}
- /* Otherwise, query the in-progress handshake. */
+ // Otherwise, query the in-progress handshake.
if (ssl->s3->hs != NULL) {
return ssl->s3->hs->extended_master_secret;
}
@@ -1464,12 +1464,12 @@
return ssl->s3->rrec.length;
}
-/* Fix this so it checks all the valid key/cert options */
+// Fix this so it checks all the valid key/cert options
int SSL_CTX_check_private_key(const SSL_CTX *ctx) {
return ssl_cert_check_private_key(ctx->cert, ctx->cert->privatekey);
}
-/* Fix this function so that it takes an optional type parameter */
+// Fix this function so that it takes an optional type parameter
int SSL_check_private_key(const SSL *ssl) {
return ssl_cert_check_private_key(ssl->cert, ssl->cert->privatekey);
}
@@ -1479,7 +1479,7 @@
}
int SSL_renegotiate(SSL *ssl) {
- /* Caller-initiated renegotiation is not supported. */
+ // Caller-initiated renegotiation is not supported.
OPENSSL_PUT_ERROR(SSL, ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED);
return 0;
}
@@ -1590,8 +1590,8 @@
return 0;
}
- /* The default ticket keys are initialized lazily. Trigger a key
- * rotation to initialize them. */
+ // The default ticket keys are initialized lazily. Trigger a key
+ // rotation to initialize them.
if (!ssl_ctx_rotate_ticket_encryption_key(ctx)) {
return 0;
}
@@ -1626,7 +1626,7 @@
OPENSSL_memcpy(ctx->tlsext_ticket_key_current->aes_key, in_bytes + 32, 16);
OPENSSL_free(ctx->tlsext_ticket_key_prev);
ctx->tlsext_ticket_key_prev = nullptr;
- /* Disable automatic key rotation. */
+ // Disable automatic key rotation.
ctx->tlsext_ticket_key_current->next_rotation_tv_sec = 0;
return 1;
}
@@ -1662,8 +1662,8 @@
}
uint16_t SSL_get_curve_id(const SSL *ssl) {
- /* TODO(davidben): This checks the wrong session if there is a renegotiation in
- * progress. */
+ // TODO(davidben): This checks the wrong session if there is a renegotiation
+ // in progress.
SSL_SESSION *session = SSL_get_session(ssl);
if (session == NULL) {
return 0;
@@ -1748,21 +1748,21 @@
return NULL;
}
- /* Historically, |SSL_get_servername| was also the configuration getter
- * corresponding to |SSL_set_tlsext_host_name|. */
+ // Historically, |SSL_get_servername| was also the configuration getter
+ // corresponding to |SSL_set_tlsext_host_name|.
if (ssl->tlsext_hostname != NULL) {
return ssl->tlsext_hostname;
}
- /* During the handshake, report the handshake value. */
+ // During the handshake, report the handshake value.
if (ssl->s3->hs != NULL) {
return ssl->s3->hs->hostname.get();
}
- /* SSL_get_servername may also be called after the handshake to look up the
- * SNI value.
- *
- * TODO(davidben): This is almost unused. Can we remove it? */
+ // SSL_get_servername may also be called after the handshake to look up the
+ // SNI value.
+ //
+ // TODO(davidben): This is almost unused. Can we remove it?
SSL_SESSION *session = SSL_get_session(ssl);
if (session == NULL) {
return NULL;
@@ -1872,12 +1872,12 @@
const uint8_t *result;
int status;
- /* For each protocol in peer preference order, see if we support it. */
+ // For each protocol in peer preference order, see if we support it.
for (unsigned i = 0; i < peer_len;) {
for (unsigned j = 0; j < supported_len;) {
if (peer[i] == supported[j] &&
OPENSSL_memcmp(&peer[i + 1], &supported[j + 1], peer[i]) == 0) {
- /* We found a match */
+ // We found a match
result = &peer[i];
status = OPENSSL_NPN_NEGOTIATED;
goto found;
@@ -1889,7 +1889,7 @@
i++;
}
- /* There's no overlap between our protocols and the peer's list. */
+ // There's no overlap between our protocols and the peer's list.
result = supported;
status = OPENSSL_NPN_NO_OVERLAP;
@@ -2084,8 +2084,8 @@
int SSL_get_quiet_shutdown(const SSL *ssl) { return ssl->quiet_shutdown; }
void SSL_set_shutdown(SSL *ssl, int mode) {
- /* It is an error to clear any bits that have already been set. (We can't try
- * to get a second close_notify or send two.) */
+ // It is an error to clear any bits that have already been set. (We can't try
+ // to get a second close_notify or send two.)
assert((SSL_get_shutdown(ssl) & mode) == SSL_get_shutdown(ssl));
if (mode & SSL_RECEIVED_SHUTDOWN &&
@@ -2102,12 +2102,12 @@
int SSL_get_shutdown(const SSL *ssl) {
int ret = 0;
if (ssl->s3->recv_shutdown != ssl_shutdown_none) {
- /* Historically, OpenSSL set |SSL_RECEIVED_SHUTDOWN| on both close_notify
- * and fatal alert. */
+ // Historically, OpenSSL set |SSL_RECEIVED_SHUTDOWN| on both close_notify
+ // and fatal alert.
ret |= SSL_RECEIVED_SHUTDOWN;
}
if (ssl->s3->send_shutdown == ssl_shutdown_close_notify) {
- /* Historically, OpenSSL set |SSL_SENT_SHUTDOWN| on only close_notify. */
+ // Historically, OpenSSL set |SSL_SENT_SHUTDOWN| on only close_notify.
ret |= SSL_SENT_SHUTDOWN;
}
return ret;
@@ -2120,7 +2120,7 @@
return ssl->ctx;
}
- /* One cannot change the X.509 callbacks during a connection. */
+ // One cannot change the X.509 callbacks during a connection.
if (ssl->ctx->x509_method != ctx->x509_method) {
assert(0);
return NULL;
@@ -2223,14 +2223,14 @@
return 0;
}
- /* Clear currently configured hint, if any. */
+ // Clear currently configured hint, if any.
OPENSSL_free(*out);
*out = NULL;
- /* Treat the empty hint as not supplying one. Plain PSK makes it possible to
- * send either no hint (omit ServerKeyExchange) or an empty hint, while
- * ECDHE_PSK can only spell empty hint. Having different capabilities is odd,
- * so we interpret empty and missing as identical. */
+ // Treat the empty hint as not supplying one. Plain PSK makes it possible to
+ // send either no hint (omit ServerKeyExchange) or an empty hint, while
+ // ECDHE_PSK can only spell empty hint. Having different capabilities is odd,
+ // so we interpret empty and missing as identical.
if (identity_hint != NULL && identity_hint[0] != '\0') {
*out = BUF_strdup(identity_hint);
if (*out == NULL) {
@@ -2396,9 +2396,9 @@
}
uint64_t SSL_get_read_sequence(const SSL *ssl) {
- /* TODO(davidben): Internally represent sequence numbers as uint64_t. */
+ // TODO(davidben): Internally represent sequence numbers as uint64_t.
if (SSL_is_dtls(ssl)) {
- /* max_seq_num already includes the epoch. */
+ // max_seq_num already includes the epoch.
assert(ssl->d1->r_epoch == (ssl->d1->bitmap.max_seq_num >> 48));
return ssl->d1->bitmap.max_seq_num;
}
@@ -2415,8 +2415,8 @@
}
uint16_t SSL_get_peer_signature_algorithm(const SSL *ssl) {
- /* TODO(davidben): This checks the wrong session if there is a renegotiation
- * in progress. */
+ // TODO(davidben): This checks the wrong session if there is a renegotiation
+ // in progress.
SSL_SESSION *session = SSL_get_session(ssl);
if (session == NULL) {
return 0;
@@ -2472,30 +2472,30 @@
}
int SSL_clear(SSL *ssl) {
- /* In OpenSSL, reusing a client |SSL| with |SSL_clear| causes the previously
- * established session to be offered the next time around. wpa_supplicant
- * depends on this behavior, so emulate it. */
+ // In OpenSSL, reusing a client |SSL| with |SSL_clear| causes the previously
+ // established session to be offered the next time around. wpa_supplicant
+ // depends on this behavior, so emulate it.
SSL_SESSION *session = NULL;
if (!ssl->server && ssl->s3->established_session != NULL) {
session = ssl->s3->established_session;
SSL_SESSION_up_ref(session);
}
- /* TODO(davidben): Some state on |ssl| is reset both in |SSL_new| and
- * |SSL_clear| because it is per-connection state rather than configuration
- * state. Per-connection state should be on |ssl->s3| and |ssl->d1| so it is
- * naturally reset at the right points between |SSL_new|, |SSL_clear|, and
- * |ssl3_new|. */
+ // TODO(davidben): Some state on |ssl| is reset both in |SSL_new| and
+ // |SSL_clear| because it is per-connection state rather than configuration
+ // state. Per-connection state should be on |ssl->s3| and |ssl->d1| so it is
+ // naturally reset at the right points between |SSL_new|, |SSL_clear|, and
+ // |ssl3_new|.
ssl->rwstate = SSL_NOTHING;
BUF_MEM_free(ssl->init_buf);
ssl->init_buf = NULL;
- /* The ssl->d1->mtu is simultaneously configuration (preserved across
- * clear) and connection-specific state (gets reset).
- *
- * TODO(davidben): Avoid this. */
+ // The ssl->d1->mtu is simultaneously configuration (preserved across
+ // clear) and connection-specific state (gets reset).
+ //
+ // TODO(davidben): Avoid this.
unsigned mtu = 0;
if (ssl->d1 != NULL) {
mtu = ssl->d1->mtu;
diff --git a/ssl/ssl_privkey.cc b/ssl/ssl_privkey.cc
index ecdf48f..d275561 100644
--- a/ssl/ssl_privkey.cc
+++ b/ssl/ssl_privkey.cc
@@ -84,7 +84,7 @@
if (cert->chain != NULL &&
sk_CRYPTO_BUFFER_value(cert->chain, 0) != NULL &&
- /* Sanity-check that the private key and the certificate match. */
+ // Sanity-check that the private key and the certificate match.
!ssl_cert_check_private_key(cert, pkey)) {
return 0;
}
@@ -148,12 +148,12 @@
}
if (ssl3_protocol_version(ssl) >= TLS1_3_VERSION) {
- /* RSA keys may only be used with RSA-PSS. */
+ // RSA keys may only be used with RSA-PSS.
if (alg->pkey_type == EVP_PKEY_RSA && !alg->is_rsa_pss) {
return 0;
}
- /* EC keys have a curve requirement. */
+ // EC keys have a curve requirement.
if (alg->pkey_type == EVP_PKEY_EC &&
(alg->curve == NID_undef ||
EC_GROUP_get_curve_name(
@@ -201,8 +201,8 @@
static enum ssl_private_key_result_t legacy_sign(
SSL *ssl, uint8_t *out, size_t *out_len, size_t max_out, uint16_t sigalg,
const uint8_t *in, size_t in_len) {
- /* TODO(davidben): Remove support for |sign_digest|-only
- * |SSL_PRIVATE_KEY_METHOD|s. */
+ // TODO(davidben): Remove support for |sign_digest|-only
+ // |SSL_PRIVATE_KEY_METHOD|s.
const SSL_SIGNATURE_ALGORITHM *alg = get_signature_algorithm(sigalg);
if (alg == NULL || !legacy_sign_digest_supported(alg)) {
OPENSSL_PUT_ERROR(SSL, SSL_R_UNSUPPORTED_PROTOCOL_FOR_CUSTOM_KEY);
@@ -272,13 +272,13 @@
RSA *rsa = EVP_PKEY_get0_RSA(ssl->cert->privatekey);
if (rsa == NULL) {
- /* Decrypt operations are only supported for RSA keys. */
+ // Decrypt operations are only supported for RSA keys.
OPENSSL_PUT_ERROR(SSL, ERR_R_INTERNAL_ERROR);
return ssl_private_key_failure;
}
- /* Decrypt with no padding. PKCS#1 padding will be removed as part
- * of the timing-sensitive code by the caller. */
+ // Decrypt with no padding. PKCS#1 padding will be removed as part of the
+ // timing-sensitive code by the caller.
if (!RSA_decrypt(rsa, out_len, out, max_out, in, in_len, RSA_NO_PADDING)) {
return ssl_private_key_failure;
}
@@ -292,20 +292,20 @@
return 0;
}
- /* Ensure the RSA key is large enough for the hash. RSASSA-PSS requires that
- * emLen be at least hLen + sLen + 2. Both hLen and sLen are the size of the
- * hash in TLS. Reasonable RSA key sizes are large enough for the largest
- * defined RSASSA-PSS algorithm, but 1024-bit RSA is slightly too small for
- * SHA-512. 1024-bit RSA is sometimes used for test credentials, so check the
- * size so that we can fall back to another algorithm in that case. */
+ // Ensure the RSA key is large enough for the hash. RSASSA-PSS requires that
+ // emLen be at least hLen + sLen + 2. Both hLen and sLen are the size of the
+ // hash in TLS. Reasonable RSA key sizes are large enough for the largest
+ // defined RSASSA-PSS algorithm, but 1024-bit RSA is slightly too small for
+ // SHA-512. 1024-bit RSA is sometimes used for test credentials, so check the
+ // size so that we can fall back to another algorithm in that case.
const SSL_SIGNATURE_ALGORITHM *alg = get_signature_algorithm(sigalg);
if (alg->is_rsa_pss && (size_t)EVP_PKEY_size(hs->local_pubkey.get()) <
2 * EVP_MD_size(alg->digest_func()) + 2) {
return 0;
}
- /* Newer algorithms require message-based private keys.
- * TODO(davidben): Remove this check when sign_digest is gone. */
+ // Newer algorithms require message-based private keys.
+ // TODO(davidben): Remove this check when sign_digest is gone.
if (ssl->cert->key_method != NULL &&
ssl->cert->key_method->sign == NULL &&
!legacy_sign_digest_supported(alg)) {
@@ -483,9 +483,9 @@
return 0;
}
- /* Convert the digest list to a signature algorithms list.
- *
- * TODO(davidben): Replace this API with one that can express RSA-PSS, etc. */
+ // Convert the digest list to a signature algorithms list.
+ //
+ // TODO(davidben): Replace this API with one that can express RSA-PSS, etc.
for (size_t i = 0; i < num_digests; i++) {
switch (digest_nids[i]) {
case NID_sha1:
diff --git a/ssl/ssl_session.cc b/ssl/ssl_session.cc
index e92f452..cdae03a 100644
--- a/ssl/ssl_session.cc
+++ b/ssl/ssl_session.cc
@@ -152,9 +152,9 @@
namespace bssl {
-/* The address of this is a magic value, a pointer to which is returned by
- * SSL_magic_pending_session_ptr(). It allows a session callback to indicate
- * that it needs to asynchronously fetch session information. */
+// The address of this is a magic value, a pointer to which is returned by
+// SSL_magic_pending_session_ptr(). It allows a session callback to indicate
+// that it needs to asynchronously fetch session information.
static const char g_pending_session_magic = 0;
static CRYPTO_EX_DATA_CLASS g_ex_data_class =
@@ -194,13 +194,13 @@
new_session->sid_ctx_length = session->sid_ctx_length;
OPENSSL_memcpy(new_session->sid_ctx, session->sid_ctx, session->sid_ctx_length);
- /* Copy the key material. */
+ // Copy the key material.
new_session->master_key_length = session->master_key_length;
OPENSSL_memcpy(new_session->master_key, session->master_key,
session->master_key_length);
new_session->cipher = session->cipher;
- /* Copy authentication state. */
+ // Copy authentication state.
if (session->psk_identity != NULL) {
new_session->psk_identity = BUF_strdup(session->psk_identity);
if (new_session->psk_identity == NULL) {
@@ -255,7 +255,7 @@
new_session->auth_timeout = session->auth_timeout;
new_session->time = session->time;
- /* Copy non-authentication connection properties. */
+ // Copy non-authentication connection properties.
if (dup_flags & SSL_SESSION_INCLUDE_NONAUTH) {
new_session->session_id_length = session->session_id_length;
OPENSSL_memcpy(new_session->session_id, session->session_id,
@@ -283,7 +283,7 @@
new_session->early_alpn_len = session->early_alpn_len;
}
- /* Copy the ticket. */
+ // Copy the ticket.
if (dup_flags & SSL_SESSION_INCLUDE_TICKET) {
if (session->tlsext_tick != NULL) {
new_session->tlsext_tick =
@@ -295,7 +295,7 @@
new_session->tlsext_ticklen = session->tlsext_ticklen;
}
- /* The new_session does not get a copy of the ex_data. */
+ // The new_session does not get a copy of the ex_data.
new_session->not_resumable = 1;
return new_session;
@@ -305,8 +305,8 @@
struct OPENSSL_timeval now;
ssl_get_current_time(ssl, &now);
- /* To avoid overflows and underflows, if we've gone back in time, update the
- * time, but mark the session expired. */
+ // To avoid overflows and underflows, if we've gone back in time, update the
+ // time, but mark the session expired.
if (session->time > now.tv_sec) {
session->time = now.tv_sec;
session->timeout = 0;
@@ -314,8 +314,8 @@
return;
}
- /* Adjust the session time and timeouts. If the session has already expired,
- * clamp the timeouts at zero. */
+ // Adjust the session time and timeouts. If the session has already expired,
+ // clamp the timeouts at zero.
uint64_t delta = now.tv_sec - session->time;
session->time = now.tv_sec;
if (session->timeout < delta) {
@@ -332,8 +332,8 @@
void ssl_session_renew_timeout(SSL *ssl, SSL_SESSION *session,
uint32_t timeout) {
- /* Rebase the timestamp relative to the current time so |timeout| is measured
- * correctly. */
+ // Rebase the timestamp relative to the current time so |timeout| is measured
+ // correctly.
ssl_session_rebase_time(ssl, session);
if (session->timeout > timeout) {
@@ -349,8 +349,8 @@
uint16_t SSL_SESSION_protocol_version(const SSL_SESSION *session) {
uint16_t ret;
if (!ssl_protocol_version_from_wire(&ret, session->ssl_version)) {
- /* An |SSL_SESSION| will never have an invalid version. This is enforced by
- * the parser. */
+ // An |SSL_SESSION| will never have an invalid version. This is enforced by
+ // the parser.
assert(0);
return 0;
}
@@ -378,28 +378,28 @@
session->is_server = is_server;
session->ssl_version = ssl->version;
- /* Fill in the time from the |SSL_CTX|'s clock. */
+ // Fill in the time from the |SSL_CTX|'s clock.
struct OPENSSL_timeval now;
ssl_get_current_time(ssl, &now);
session->time = now.tv_sec;
uint16_t version = ssl3_protocol_version(ssl);
if (version >= TLS1_3_VERSION) {
- /* TLS 1.3 uses tickets as authenticators, so we are willing to use them for
- * longer. */
+ // TLS 1.3 uses tickets as authenticators, so we are willing to use them for
+ // longer.
session->timeout = ssl->session_ctx->session_psk_dhe_timeout;
session->auth_timeout = SSL_DEFAULT_SESSION_AUTH_TIMEOUT;
} else {
- /* TLS 1.2 resumption does not incorporate new key material, so we use a
- * much shorter timeout. */
+ // TLS 1.2 resumption does not incorporate new key material, so we use a
+ // much shorter timeout.
session->timeout = ssl->session_ctx->session_timeout;
session->auth_timeout = ssl->session_ctx->session_timeout;
}
if (is_server) {
if (hs->ticket_expected || version >= TLS1_3_VERSION) {
- /* Don't set session IDs for sessions resumed with tickets. This will keep
- * them out of the session cache. */
+ // Don't set session IDs for sessions resumed with tickets. This will keep
+ // them out of the session cache.
session->session_id_length = 0;
} else {
session->session_id_length = SSL3_SSL_SESSION_ID_LENGTH;
@@ -419,7 +419,7 @@
ssl->cert->sid_ctx_length);
session->sid_ctx_length = ssl->cert->sid_ctx_length;
- /* The session is marked not resumable until it is completely filled in. */
+ // The session is marked not resumable until it is completely filled in.
session->not_resumable = 1;
session->verify_result = X509_V_ERR_INVALID_CALL;
@@ -432,8 +432,8 @@
OPENSSL_timeval now;
ssl_ctx_get_current_time(ctx, &now);
{
- /* Avoid acquiring a write lock in the common case (i.e. a non-default key
- * is used or the default keys have not expired yet). */
+ // Avoid acquiring a write lock in the common case (i.e. a non-default key
+ // is used or the default keys have not expired yet).
MutexReadLock lock(&ctx->lock);
if (ctx->tlsext_ticket_key_current &&
(ctx->tlsext_ticket_key_current->next_rotation_tv_sec == 0 ||
@@ -448,16 +448,16 @@
if (!ctx->tlsext_ticket_key_current ||
(ctx->tlsext_ticket_key_current->next_rotation_tv_sec != 0 &&
ctx->tlsext_ticket_key_current->next_rotation_tv_sec <= now.tv_sec)) {
- /* The current key has not been initialized or it is expired. */
+ // The current key has not been initialized or it is expired.
auto new_key = bssl::MakeUnique<struct tlsext_ticket_key>();
if (!new_key) {
return 0;
}
OPENSSL_memset(new_key.get(), 0, sizeof(struct tlsext_ticket_key));
if (ctx->tlsext_ticket_key_current) {
- /* The current key expired. Rotate it to prev and bump up its rotation
- * timestamp. Note that even with the new rotation time it may still be
- * expired and get droppped below. */
+ // The current key expired. Rotate it to prev and bump up its rotation
+ // timestamp. Note that even with the new rotation time it may still be
+ // expired and get droppped below.
ctx->tlsext_ticket_key_current->next_rotation_tv_sec +=
SSL_DEFAULT_TICKET_KEY_ROTATION_INTERVAL;
OPENSSL_free(ctx->tlsext_ticket_key_prev);
@@ -471,7 +471,7 @@
now.tv_sec + SSL_DEFAULT_TICKET_KEY_ROTATION_INTERVAL;
}
- /* Drop an expired prev key. */
+ // Drop an expired prev key.
if (ctx->tlsext_ticket_key_prev &&
ctx->tlsext_ticket_key_prev->next_rotation_tv_sec <= now.tv_sec) {
OPENSSL_free(ctx->tlsext_ticket_key_prev);
@@ -487,8 +487,8 @@
ScopedEVP_CIPHER_CTX ctx;
ScopedHMAC_CTX hctx;
- /* If the session is too long, emit a dummy value rather than abort the
- * connection. */
+ // If the session is too long, emit a dummy value rather than abort the
+ // connection.
static const size_t kMaxTicketOverhead =
16 + EVP_MAX_IV_LENGTH + EVP_MAX_BLOCK_LENGTH + EVP_MAX_MD_SIZE;
if (session_len > 0xffff - kMaxTicketOverhead) {
@@ -497,8 +497,8 @@
strlen(kTicketPlaceholder));
}
- /* Initialize HMAC and cipher contexts. If callback present it does all the
- * work otherwise use generated values from parent ctx. */
+ // Initialize HMAC and cipher contexts. If callback present it does all the
+ // work otherwise use generated values from parent ctx.
SSL_CTX *tctx = ssl->session_ctx;
uint8_t iv[EVP_MAX_IV_LENGTH];
uint8_t key_name[16];
@@ -508,7 +508,7 @@
return 0;
}
} else {
- /* Rotate ticket key if necessary. */
+ // Rotate ticket key if necessary.
if (!ssl_ctx_rotate_ticket_encryption_key(tctx)) {
return 0;
}
@@ -590,7 +590,7 @@
}
int ssl_encrypt_ticket(SSL *ssl, CBB *out, const SSL_SESSION *session) {
- /* Serialize the SSL_SESSION to be encoded into the ticket. */
+ // Serialize the SSL_SESSION to be encoded into the ticket.
uint8_t *session_buf = NULL;
size_t session_len;
if (!SSL_SESSION_to_bytes_for_ticket(session, &session_buf, &session_len)) {
@@ -627,7 +627,7 @@
struct OPENSSL_timeval now;
ssl_get_current_time(ssl, &now);
- /* Reject tickets from the future to avoid underflow. */
+ // Reject tickets from the future to avoid underflow.
if (now.tv_sec < session->time) {
return 0;
}
@@ -639,27 +639,27 @@
const SSL_SESSION *session) {
const SSL *const ssl = hs->ssl;
return ssl_session_is_context_valid(ssl, session) &&
- /* The session must have been created by the same type of end point as
- * we're now using it with. */
+ // The session must have been created by the same type of end point as
+ // we're now using it with.
ssl->server == session->is_server &&
- /* The session must not be expired. */
+ // The session must not be expired.
ssl_session_is_time_valid(ssl, session) &&
/* Only resume if the session's version matches the negotiated
* version. */
ssl->version == session->ssl_version &&
- /* Only resume if the session's cipher matches the negotiated one. */
+ // Only resume if the session's cipher matches the negotiated one.
hs->new_cipher == session->cipher &&
- /* If the session contains a client certificate (either the full
- * certificate or just the hash) then require that the form of the
- * certificate matches the current configuration. */
+ // If the session contains a client certificate (either the full
+ // certificate or just the hash) then require that the form of the
+ // certificate matches the current configuration.
((sk_CRYPTO_BUFFER_num(session->certs) == 0 &&
!session->peer_sha256_valid) ||
session->peer_sha256_valid ==
ssl->retain_only_sha256_of_client_certs);
}
-/* ssl_lookup_session looks up |session_id| in the session cache and sets
- * |*out_session| to an |SSL_SESSION| object if found. */
+// ssl_lookup_session looks up |session_id| in the session cache and sets
+// |*out_session| to an |SSL_SESSION| object if found.
static enum ssl_hs_wait_t ssl_lookup_session(
SSL *ssl, UniquePtr<SSL_SESSION> *out_session, const uint8_t *session_id,
size_t session_id_len) {
@@ -670,7 +670,7 @@
}
UniquePtr<SSL_SESSION> session;
- /* Try the internal cache, if it exists. */
+ // Try the internal cache, if it exists.
if (!(ssl->session_ctx->session_cache_mode &
SSL_SESS_CACHE_NO_INTERNAL_LOOKUP)) {
SSL_SESSION data;
@@ -681,14 +681,14 @@
CRYPTO_MUTEX_lock_read(&ssl->session_ctx->lock);
session.reset(lh_SSL_SESSION_retrieve(ssl->session_ctx->sessions, &data));
if (session) {
- /* |lh_SSL_SESSION_retrieve| returns a non-owning pointer. */
+ // |lh_SSL_SESSION_retrieve| returns a non-owning pointer.
SSL_SESSION_up_ref(session.get());
}
- /* TODO(davidben): This should probably move it to the front of the list. */
+ // TODO(davidben): This should probably move it to the front of the list.
CRYPTO_MUTEX_unlock_read(&ssl->session_ctx->lock);
}
- /* Fall back to the external cache, if it exists. */
+ // Fall back to the external cache, if it exists.
if (!session && ssl->session_ctx->get_session_cb != NULL) {
int copy = 1;
session.reset(ssl->session_ctx->get_session_cb(ssl, (uint8_t *)session_id,
@@ -703,15 +703,15 @@
return ssl_hs_pending_session;
}
- /* Increment reference count now if the session callback asks us to do so
- * (note that if the session structures returned by the callback are shared
- * between threads, it must handle the reference count itself [i.e. copy ==
- * 0], or things won't be thread-safe). */
+ // Increment reference count now if the session callback asks us to do so
+ // (note that if the session structures returned by the callback are shared
+ // between threads, it must handle the reference count itself [i.e. copy ==
+ // 0], or things won't be thread-safe).
if (copy) {
SSL_SESSION_up_ref(session.get());
}
- /* Add the externally cached session to the internal cache if necessary. */
+ // Add the externally cached session to the internal cache if necessary.
if (!(ssl->session_ctx->session_cache_mode &
SSL_SESS_CACHE_NO_INTERNAL_STORE)) {
SSL_CTX_add_session(ssl->session_ctx, session.get());
@@ -719,7 +719,7 @@
}
if (session && !ssl_session_is_time_valid(ssl, session.get())) {
- /* The session was from the cache, so remove it. */
+ // The session was from the cache, so remove it.
SSL_CTX_remove_session(ssl->session_ctx, session.get());
session.reset();
}
@@ -733,12 +733,12 @@
int *out_tickets_supported,
int *out_renew_ticket,
const SSL_CLIENT_HELLO *client_hello) {
- /* This is used only by servers. */
+ // This is used only by servers.
assert(ssl->server);
UniquePtr<SSL_SESSION> session;
int renew_ticket = 0;
- /* If tickets are disabled, always behave as if no tickets are present. */
+ // If tickets are disabled, always behave as if no tickets are present.
const uint8_t *ticket = NULL;
size_t ticket_len = 0;
const int tickets_supported =
@@ -761,7 +761,7 @@
return ssl_hs_pending_ticket;
}
} else {
- /* The client didn't send a ticket, so the session ID is a real ID. */
+ // The client didn't send a ticket, so the session ID is a real ID.
enum ssl_hs_wait_t lookup_ret = ssl_lookup_session(
ssl, &session, client_hello->session_id, client_hello->session_id_len);
if (lookup_ret != ssl_hs_ok) {
@@ -817,16 +817,16 @@
}
}
-/* locked by SSL_CTX in the calling function */
+// locked by SSL_CTX in the calling function
static void SSL_SESSION_list_remove(SSL_CTX *ctx, SSL_SESSION *session) {
if (session->next == NULL || session->prev == NULL) {
return;
}
if (session->next == (SSL_SESSION *)&ctx->session_cache_tail) {
- /* last element in list */
+ // last element in list
if (session->prev == (SSL_SESSION *)&ctx->session_cache_head) {
- /* only one element in list */
+ // only one element in list
ctx->session_cache_head = NULL;
ctx->session_cache_tail = NULL;
} else {
@@ -835,10 +835,10 @@
}
} else {
if (session->prev == (SSL_SESSION *)&ctx->session_cache_head) {
- /* first element in list */
+ // first element in list
ctx->session_cache_head = session->next;
session->next->prev = (SSL_SESSION *)&(ctx->session_cache_head);
- } else { /* middle of list */
+ } else { // middle of list
session->next->prev = session->prev;
session->prev->next = session->next;
}
@@ -913,7 +913,7 @@
uint64_t SSL_SESSION_get_time(const SSL_SESSION *session) {
if (session == NULL) {
- /* NULL should crash, but silently accept it here for compatibility. */
+ // NULL should crash, but silently accept it here for compatibility.
return 0;
}
return session->time;
@@ -925,7 +925,7 @@
size_t SSL_SESSION_get_master_key(const SSL_SESSION *session, uint8_t *out,
size_t max_out) {
- /* TODO(davidben): Fix master_key_length's type and remove these casts. */
+ // TODO(davidben): Fix master_key_length's type and remove these casts.
if (max_out == 0) {
return (size_t)session->master_key_length;
}
@@ -974,9 +974,9 @@
}
SSL_SESSION *SSL_get_session(const SSL *ssl) {
- /* Once the handshake completes we return the established session. Otherwise
- * we return the intermediate session, either |session| (for resumption) or
- * |new_session| if doing a full handshake. */
+ // Once the handshake completes we return the established session. Otherwise
+ // we return the intermediate session, either |session| (for resumption) or
+ // |new_session| if doing a full handshake.
if (!SSL_in_init(ssl)) {
return ssl->s3->established_session;
}
@@ -1019,8 +1019,8 @@
}
int SSL_CTX_add_session(SSL_CTX *ctx, SSL_SESSION *session) {
- /* Although |session| is inserted into two structures (a doubly-linked list
- * and the hash table), |ctx| only takes one reference. */
+ // Although |session| is inserted into two structures (a doubly-linked list
+ // and the hash table), |ctx| only takes one reference.
SSL_SESSION_up_ref(session);
SSL_SESSION *old_session;
@@ -1033,21 +1033,21 @@
if (old_session != NULL) {
if (old_session == session) {
- /* |session| was already in the cache. */
+ // |session| was already in the cache.
CRYPTO_MUTEX_unlock_write(&ctx->lock);
SSL_SESSION_free(old_session);
return 0;
}
- /* There was a session ID collision. |old_session| must be removed from
- * the linked list and released. */
+ // There was a session ID collision. |old_session| must be removed from
+ // the linked list and released.
SSL_SESSION_list_remove(ctx, old_session);
SSL_SESSION_free(old_session);
}
SSL_SESSION_list_add(ctx, session);
- /* Enforce any cache size limits. */
+ // Enforce any cache size limits.
if (SSL_CTX_sess_get_cache_size(ctx) > 0) {
while (SSL_CTX_sess_number(ctx) > SSL_CTX_sess_get_cache_size(ctx)) {
if (!remove_session_lock(ctx, ctx->session_cache_tail, 0)) {
@@ -1065,7 +1065,7 @@
}
int SSL_set_session(SSL *ssl, SSL_SESSION *session) {
- /* SSL_set_session may only be called before the handshake has started. */
+ // SSL_set_session may only be called before the handshake has started.
if (ssl->s3->initial_handshake_complete ||
ssl->s3->hs == NULL ||
ssl->s3->hs->state != 0) {
@@ -1081,7 +1081,7 @@
return 0;
}
- /* Historically, zero was treated as |SSL_DEFAULT_SESSION_TIMEOUT|. */
+ // Historically, zero was treated as |SSL_DEFAULT_SESSION_TIMEOUT|.
if (timeout == 0) {
timeout = SSL_DEFAULT_SESSION_TIMEOUT;
}
@@ -1115,9 +1115,8 @@
if (param->time == 0 ||
session->time + session->timeout < session->time ||
param->time > (session->time + session->timeout)) {
- /* timeout */
- /* The reason we don't call SSL_CTX_remove_session() is to
- * save on locking overhead */
+ // The reason we don't call SSL_CTX_remove_session() is to
+ // save on locking overhead
(void) lh_SSL_SESSION_delete(param->cache, session);
SSL_SESSION_list_remove(param->ctx, session);
if (param->ctx->remove_session_cb != NULL) {
diff --git a/ssl/ssl_test.cc b/ssl/ssl_test.cc
index ddac86a..dd795a6 100644
--- a/ssl/ssl_test.cc
+++ b/ssl/ssl_test.cc
@@ -40,7 +40,7 @@
#include "../crypto/test/test_util.h"
#if defined(OPENSSL_WINDOWS)
-/* Windows defines struct timeval in winsock2.h. */
+// Windows defines struct timeval in winsock2.h.
OPENSSL_MSVC_PRAGMA(warning(push, 3))
#include <winsock2.h>
OPENSSL_MSVC_PRAGMA(warning(pop))
@@ -1538,9 +1538,9 @@
return true;
}
-/* SSLVersionTest executes its test cases under all available protocol versions.
- * Test cases call |Connect| to create a connection using context objects with
- * the protocol version fixed to the current version under test. */
+// SSLVersionTest executes its test cases under all available protocol versions.
+// Test cases call |Connect| to create a connection using context objects with
+// the protocol version fixed to the current version under test.
class SSLVersionTest : public ::testing::TestWithParam<VersionParam> {
protected:
SSLVersionTest() : cert_(GetTestCertificate()), key_(GetTestKey()) {}
@@ -2192,7 +2192,7 @@
static void ExpectTicketKeyChanged(SSL_CTX *ctx, uint8_t *inout_key,
bool changed) {
uint8_t new_key[kTicketKeyLen];
- /* May return 0, 1 or 48. */
+ // May return 0, 1 or 48.
ASSERT_EQ(SSL_CTX_get_tlsext_ticket_keys(ctx, new_key, kTicketKeyLen), 1);
if (changed) {
ASSERT_NE(Bytes(inout_key, kTicketKeyLen), Bytes(new_key));
@@ -2493,8 +2493,8 @@
g_current_time.tv_sec = kStartTime;
uint8_t ticket_key[kTicketKeyLen];
- /* We use session reuse as a proxy for ticket decryption success, hence
- * disable session timeouts. */
+ // We use session reuse as a proxy for ticket decryption success, hence
+ // disable session timeouts.
SSL_CTX_set_timeout(server_ctx_.get(), std::numeric_limits<uint32_t>::max());
SSL_CTX_set_session_psk_dhe_timeout(server_ctx_.get(),
std::numeric_limits<uint32_t>::max());
@@ -2505,11 +2505,11 @@
SSL_CTX_set_session_cache_mode(client_ctx_.get(), SSL_SESS_CACHE_BOTH);
SSL_CTX_set_session_cache_mode(server_ctx_.get(), SSL_SESS_CACHE_OFF);
- /* Initialize ticket_key with the current key. */
+ // Initialize ticket_key with the current key.
TRACED_CALL(ExpectTicketKeyChanged(server_ctx_.get(), ticket_key,
true /* changed */));
- /* Verify ticket resumption actually works. */
+ // Verify ticket resumption actually works.
bssl::UniquePtr<SSL> client, server;
bssl::UniquePtr<SSL_SESSION> session =
CreateClientSession(client_ctx_.get(), server_ctx_.get());
@@ -2517,21 +2517,21 @@
TRACED_CALL(ExpectSessionReused(client_ctx_.get(), server_ctx_.get(),
session.get(), true /* reused */));
- /* Advance time to just before key rotation. */
+ // Advance time to just before key rotation.
g_current_time.tv_sec += SSL_DEFAULT_TICKET_KEY_ROTATION_INTERVAL - 1;
TRACED_CALL(ExpectSessionReused(client_ctx_.get(), server_ctx_.get(),
session.get(), true /* reused */));
TRACED_CALL(ExpectTicketKeyChanged(server_ctx_.get(), ticket_key,
false /* NOT changed */));
- /* Force key rotation. */
+ // Force key rotation.
g_current_time.tv_sec += 1;
bssl::UniquePtr<SSL_SESSION> new_session =
CreateClientSession(client_ctx_.get(), server_ctx_.get());
TRACED_CALL(ExpectTicketKeyChanged(server_ctx_.get(), ticket_key,
true /* changed */));
- /* Resumption with both old and new ticket should work. */
+ // Resumption with both old and new ticket should work.
TRACED_CALL(ExpectSessionReused(client_ctx_.get(), server_ctx_.get(),
session.get(), true /* reused */));
TRACED_CALL(ExpectSessionReused(client_ctx_.get(), server_ctx_.get(),
@@ -2539,14 +2539,14 @@
TRACED_CALL(ExpectTicketKeyChanged(server_ctx_.get(), ticket_key,
false /* NOT changed */));
- /* Force key rotation again. Resumption with the old ticket now fails. */
+ // Force key rotation again. Resumption with the old ticket now fails.
g_current_time.tv_sec += SSL_DEFAULT_TICKET_KEY_ROTATION_INTERVAL;
TRACED_CALL(ExpectSessionReused(client_ctx_.get(), server_ctx_.get(),
session.get(), false /* NOT reused */));
TRACED_CALL(ExpectTicketKeyChanged(server_ctx_.get(), ticket_key,
true /* changed */));
- /* But resumption with the newer session still works. */
+ // But resumption with the newer session still works.
TRACED_CALL(ExpectSessionReused(client_ctx_.get(), server_ctx_.get(),
new_session.get(), true /* reused */));
}
diff --git a/ssl/ssl_transcript.cc b/ssl/ssl_transcript.cc
index 2dfaf76..81d85da 100644
--- a/ssl/ssl_transcript.cc
+++ b/ssl/ssl_transcript.cc
@@ -167,8 +167,8 @@
return true;
}
-/* InitDigestWithData calls |EVP_DigestInit_ex| on |ctx| with |md| and then
- * writes the data in |buf| to it. */
+// InitDigestWithData calls |EVP_DigestInit_ex| on |ctx| with |md| and then
+// writes the data in |buf| to it.
static bool InitDigestWithData(EVP_MD_CTX *ctx, const EVP_MD *md,
const BUF_MEM *buf) {
if (!EVP_DigestInit_ex(ctx, md, NULL)) {
@@ -181,9 +181,9 @@
bool SSLTranscript::InitHash(uint16_t version, const SSL_CIPHER *cipher) {
const EVP_MD *md = ssl_get_handshake_digest(version, cipher);
- /* To support SSL 3.0's Finished and CertificateVerify constructions,
- * EVP_md5_sha1() is split into MD5 and SHA-1 halves. When SSL 3.0 is removed,
- * we can simplify this. */
+ // To support SSL 3.0's Finished and CertificateVerify constructions,
+ // EVP_md5_sha1() is split into MD5 and SHA-1 halves. When SSL 3.0 is removed,
+ // we can simplify this.
if (md == EVP_md5_sha1()) {
if (!InitDigestWithData(md5_.get(), EVP_md5(), buffer_.get())) {
return false;
@@ -210,8 +210,8 @@
}
bool SSLTranscript::Update(const uint8_t *in, size_t in_len) {
- /* Depending on the state of the handshake, either the handshake buffer may be
- * active, the rolling hash, or both. */
+ // Depending on the state of the handshake, either the handshake buffer may be
+ // active, the rolling hash, or both.
if (buffer_) {
size_t new_len = buffer_->length + in_len;
if (new_len < in_len) {
@@ -351,8 +351,8 @@
return true;
}
- /* At this point, the handshake should have released the handshake buffer on
- * its own. */
+ // At this point, the handshake should have released the handshake buffer on
+ // its own.
assert(!buffer_);
const char *label = TLS_MD_CLIENT_FINISH_CONST;
diff --git a/ssl/ssl_versions.cc b/ssl/ssl_versions.cc
index 0b13781..184eb44 100644
--- a/ssl/ssl_versions.cc
+++ b/ssl/ssl_versions.cc
@@ -41,7 +41,7 @@
return 1;
case DTLS1_VERSION:
- /* DTLS 1.0 is analogous to TLS 1.1, not TLS 1.0. */
+ // DTLS 1.0 is analogous to TLS 1.1, not TLS 1.0.
*out = TLS1_1_VERSION;
return 1;
@@ -54,8 +54,8 @@
}
}
-/* The follow arrays are the supported versions for TLS and DTLS, in order of
- * decreasing preference. */
+// The follow arrays are the supported versions for TLS and DTLS, in order of
+// decreasing preference.
static const uint16_t kTLSVersions[] = {
TLS1_3_EXPERIMENT_VERSION,
@@ -98,9 +98,9 @@
static int set_version_bound(const SSL_PROTOCOL_METHOD *method, uint16_t *out,
uint16_t version) {
- /* The public API uses wire versions, except we use |TLS1_3_VERSION|
- * everywhere to refer to any draft TLS 1.3 versions. In this direction, we
- * map it to some representative TLS 1.3 draft version. */
+ // The public API uses wire versions, except we use |TLS1_3_VERSION|
+ // everywhere to refer to any draft TLS 1.3 versions. In this direction, we
+ // map it to some representative TLS 1.3 draft version.
if (version == TLS1_3_DRAFT_VERSION ||
version == TLS1_3_EXPERIMENT_VERSION ||
version == TLS1_3_RECORD_TYPE_EXPERIMENT_VERSION) {
@@ -122,9 +122,9 @@
static int set_min_version(const SSL_PROTOCOL_METHOD *method, uint16_t *out,
uint16_t version) {
- /* Zero is interpreted as the default minimum version. */
+ // Zero is interpreted as the default minimum version.
if (version == 0) {
- /* SSL 3.0 is disabled by default and TLS 1.0 does not exist in DTLS. */
+ // SSL 3.0 is disabled by default and TLS 1.0 does not exist in DTLS.
*out = method->is_dtls ? TLS1_1_VERSION : TLS1_VERSION;
return 1;
}
@@ -134,7 +134,7 @@
static int set_max_version(const SSL_PROTOCOL_METHOD *method, uint16_t *out,
uint16_t version) {
- /* Zero is interpreted as the default maximum version. */
+ // Zero is interpreted as the default maximum version.
if (version == 0) {
*out = TLS1_2_VERSION;
return 1;
@@ -156,8 +156,8 @@
int ssl_get_version_range(const SSL *ssl, uint16_t *out_min_version,
uint16_t *out_max_version) {
- /* For historical reasons, |SSL_OP_NO_DTLSv1| aliases |SSL_OP_NO_TLSv1|, but
- * DTLS 1.0 should be mapped to TLS 1.1. */
+ // For historical reasons, |SSL_OP_NO_DTLSv1| aliases |SSL_OP_NO_TLSv1|, but
+ // DTLS 1.0 should be mapped to TLS 1.1.
uint32_t options = ssl->options;
if (SSL_is_dtls(ssl)) {
options &= ~SSL_OP_NO_TLSv1_1;
@@ -169,19 +169,19 @@
uint16_t min_version = ssl->conf_min_version;
uint16_t max_version = ssl->conf_max_version;
- /* OpenSSL's API for controlling versions entails blacklisting individual
- * protocols. This has two problems. First, on the client, the protocol can
- * only express a contiguous range of versions. Second, a library consumer
- * trying to set a maximum version cannot disable protocol versions that get
- * added in a future version of the library.
- *
- * To account for both of these, OpenSSL interprets the client-side bitmask
- * as a min/max range by picking the lowest contiguous non-empty range of
- * enabled protocols. Note that this means it is impossible to set a maximum
- * version of the higest supported TLS version in a future-proof way. */
+ // OpenSSL's API for controlling versions entails blacklisting individual
+ // protocols. This has two problems. First, on the client, the protocol can
+ // only express a contiguous range of versions. Second, a library consumer
+ // trying to set a maximum version cannot disable protocol versions that get
+ // added in a future version of the library.
+ //
+ // To account for both of these, OpenSSL interprets the client-side bitmask
+ // as a min/max range by picking the lowest contiguous non-empty range of
+ // enabled protocols. Note that this means it is impossible to set a maximum
+ // version of the higest supported TLS version in a future-proof way.
int any_enabled = 0;
for (size_t i = 0; i < OPENSSL_ARRAY_SIZE(kProtocolVersions); i++) {
- /* Only look at the versions already enabled. */
+ // Only look at the versions already enabled.
if (min_version > kProtocolVersions[i].version) {
continue;
}
@@ -190,7 +190,7 @@
}
if (!(options & kProtocolVersions[i].flag)) {
- /* The minimum version is the first enabled version. */
+ // The minimum version is the first enabled version.
if (!any_enabled) {
any_enabled = 1;
min_version = kProtocolVersions[i].version;
@@ -198,8 +198,8 @@
continue;
}
- /* If there is a disabled version after the first enabled one, all versions
- * after it are implicitly disabled. */
+ // If there is a disabled version after the first enabled one, all versions
+ // after it are implicitly disabled.
if (any_enabled) {
max_version = kProtocolVersions[i-1].version;
break;
@@ -217,7 +217,7 @@
}
static uint16_t ssl_version(const SSL *ssl) {
- /* In early data, we report the predicted version. */
+ // In early data, we report the predicted version.
if (SSL_in_early_data(ssl) && !ssl->server) {
return ssl->s3->hs->early_session->ssl_version;
}
@@ -226,7 +226,7 @@
static const char *ssl_version_to_string(uint16_t version) {
switch (version) {
- /* Report TLS 1.3 draft version as TLS 1.3 in the public API. */
+ // Report TLS 1.3 draft version as TLS 1.3 in the public API.
case TLS1_3_DRAFT_VERSION:
case TLS1_3_EXPERIMENT_VERSION:
case TLS1_3_RECORD_TYPE_EXPERIMENT_VERSION:
@@ -259,7 +259,7 @@
assert(ssl->s3->have_version);
uint16_t version;
if (!ssl_protocol_version_from_wire(&version, ssl->version)) {
- /* |ssl->version| will always be set to a valid version. */
+ // |ssl->version| will always be set to a valid version.
assert(0);
return 0;
}
@@ -269,9 +269,9 @@
int ssl_supports_version(SSL_HANDSHAKE *hs, uint16_t version) {
SSL *const ssl = hs->ssl;
- /* As a client, only allow the configured TLS 1.3 variant. As a server,
- * support all TLS 1.3 variants as long as tls13_variant is set to a
- * non-default value. */
+ // As a client, only allow the configured TLS 1.3 variant. As a server,
+ // support all TLS 1.3 variants as long as tls13_variant is set to a
+ // non-default value.
if (ssl->server) {
if (ssl->tls13_variant == tls13_default &&
(version == TLS1_3_EXPERIMENT_VERSION ||
@@ -363,7 +363,7 @@
int SSL_version(const SSL *ssl) {
uint16_t ret = ssl_version(ssl);
- /* Report TLS 1.3 draft version as TLS 1.3 in the public API. */
+ // Report TLS 1.3 draft version as TLS 1.3 in the public API.
if (ret == TLS1_3_DRAFT_VERSION || ret == TLS1_3_EXPERIMENT_VERSION ||
ret == TLS1_3_RECORD_TYPE_EXPERIMENT_VERSION) {
return TLS1_3_VERSION;
diff --git a/ssl/ssl_x509.cc b/ssl/ssl_x509.cc
index e442dfb..7ff6a89 100644
--- a/ssl/ssl_x509.cc
+++ b/ssl/ssl_x509.cc
@@ -157,21 +157,21 @@
namespace bssl {
-/* check_ssl_x509_method asserts that |ssl| has the X509-based method
- * installed. Calling an X509-based method on an |ssl| with a different method
- * will likely misbehave and possibly crash or leak memory. */
+// check_ssl_x509_method asserts that |ssl| has the X509-based method
+// installed. Calling an X509-based method on an |ssl| with a different method
+// will likely misbehave and possibly crash or leak memory.
static void check_ssl_x509_method(const SSL *ssl) {
assert(ssl == NULL || ssl->ctx->x509_method == &ssl_crypto_x509_method);
}
-/* check_ssl_ctx_x509_method acts like |check_ssl_x509_method|, but for an
- * |SSL_CTX|. */
+// check_ssl_ctx_x509_method acts like |check_ssl_x509_method|, but for an
+// |SSL_CTX|.
static void check_ssl_ctx_x509_method(const SSL_CTX *ctx) {
assert(ctx == NULL || ctx->x509_method == &ssl_crypto_x509_method);
}
-/* x509_to_buffer returns a |CRYPTO_BUFFER| that contains the serialised
- * contents of |x509|. */
+// x509_to_buffer returns a |CRYPTO_BUFFER| that contains the serialised
+// contents of |x509|.
static UniquePtr<CRYPTO_BUFFER> x509_to_buffer(X509 *x509) {
uint8_t *buf = NULL;
int cert_len = i2d_X509(x509, &buf);
@@ -185,7 +185,7 @@
return buffer;
}
-/* new_leafless_chain returns a fresh stack of buffers set to {NULL}. */
+// new_leafless_chain returns a fresh stack of buffers set to {NULL}.
static STACK_OF(CRYPTO_BUFFER) *new_leafless_chain(void) {
STACK_OF(CRYPTO_BUFFER) *chain = sk_CRYPTO_BUFFER_new_null();
if (chain == NULL) {
@@ -200,10 +200,10 @@
return chain;
}
-/* ssl_cert_set_chain sets elements 1.. of |cert->chain| to the serialised
- * forms of elements of |chain|. It returns one on success or zero on error, in
- * which case no change to |cert->chain| is made. It preverses the existing
- * leaf from |cert->chain|, if any. */
+// ssl_cert_set_chain sets elements 1.. of |cert->chain| to the serialised
+// forms of elements of |chain|. It returns one on success or zero on error, in
+// which case no change to |cert->chain| is made. It preverses the existing
+// leaf from |cert->chain|, if any.
static int ssl_cert_set_chain(CERT *cert, STACK_OF(X509) *chain) {
UniquePtr<STACK_OF(CRYPTO_BUFFER)> new_chain;
@@ -217,7 +217,7 @@
if (!sk_CRYPTO_BUFFER_push(new_chain.get(), leaf)) {
return 0;
}
- /* |leaf| might be NULL if it's a “leafless” chain. */
+ // |leaf| might be NULL if it's a “leafless” chain.
if (leaf != NULL) {
CRYPTO_BUFFER_up_ref(leaf);
}
@@ -439,13 +439,13 @@
return 0;
}
- /* We need to inherit the verify parameters. These can be determined by the
- * context: if its a server it will verify SSL client certificates or vice
- * versa. */
+ // We need to inherit the verify parameters. These can be determined by the
+ // context: if its a server it will verify SSL client certificates or vice
+ // versa.
X509_STORE_CTX_set_default(ctx.get(),
ssl->server ? "ssl_client" : "ssl_server");
- /* Anything non-default in "param" should overwrite anything in the ctx. */
+ // Anything non-default in "param" should overwrite anything in the ctx.
X509_VERIFY_PARAM_set1(X509_STORE_CTX_get0_param(ctx.get()), ssl->param);
if (ssl->verify_callback) {
@@ -462,7 +462,7 @@
session->verify_result = ctx->error;
- /* If |SSL_VERIFY_NONE|, the error is non-fatal, but we keep the result. */
+ // If |SSL_VERIFY_NONE|, the error is non-fatal, but we keep the result.
if (verify_ret <= 0 && ssl->verify_mode != SSL_VERIFY_NONE) {
*out_alert = ssl_verify_alarm_type(ctx->error);
return 0;
@@ -497,8 +497,8 @@
}
static int ssl_crypto_x509_ssl_auto_chain_if_needed(SSL *ssl) {
- /* Only build a chain if there are no intermediates configured and the feature
- * isn't disabled. */
+ // Only build a chain if there are no intermediates configured and the feature
+ // isn't disabled.
if ((ssl->mode & SSL_MODE_NO_AUTO_CHAIN) ||
!ssl_has_certificate(ssl) ||
ssl->cert->chain == NULL ||
@@ -519,11 +519,11 @@
return 0;
}
- /* Attempt to build a chain, ignoring the result. */
+ // Attempt to build a chain, ignoring the result.
X509_verify_cert(ctx.get());
ERR_clear_error();
- /* Remove the leaf from the generated chain. */
+ // Remove the leaf from the generated chain.
X509_free(sk_X509_shift(ctx->chain));
if (!ssl_cert_set_chain(ssl->cert, ctx->chain)) {
@@ -605,8 +605,8 @@
return session->x509_chain;
}
- /* OpenSSL historically didn't include the leaf certificate in the returned
- * certificate chain, but only for servers. */
+ // OpenSSL historically didn't include the leaf certificate in the returned
+ // certificate chain, but only for servers.
if (session->x509_chain_without_leaf == NULL) {
session->x509_chain_without_leaf = sk_X509_new_null();
if (session->x509_chain_without_leaf == NULL) {
@@ -800,8 +800,8 @@
return ssl_use_certificate(ctx->cert, x);
}
-/* ssl_cert_cache_leaf_cert sets |cert->x509_leaf|, if currently NULL, from the
- * first element of |cert->chain|. */
+// ssl_cert_cache_leaf_cert sets |cert->x509_leaf|, if currently NULL, from the
+// first element of |cert->chain|.
static int ssl_cert_cache_leaf_cert(CERT *cert) {
assert(cert->x509_method);
@@ -963,8 +963,8 @@
return SSL_set0_chain(ssl, NULL);
}
-/* ssl_cert_cache_chain_certs fills in |cert->x509_chain| from elements 1.. of
- * |cert->chain|. */
+// ssl_cert_cache_chain_certs fills in |cert->x509_chain| from elements 1.. of
+// |cert->chain|.
static int ssl_cert_cache_chain_certs(CERT *cert) {
assert(cert->x509_method);
@@ -1140,11 +1140,11 @@
STACK_OF(X509_NAME) *SSL_get_client_CA_list(const SSL *ssl) {
check_ssl_x509_method(ssl);
- /* For historical reasons, this function is used both to query configuration
- * state on a server as well as handshake state on a client. However, whether
- * |ssl| is a client or server is not known until explicitly configured with
- * |SSL_set_connect_state|. If |do_handshake| is NULL, |ssl| is in an
- * indeterminate mode and |ssl->server| is unset. */
+ // For historical reasons, this function is used both to query configuration
+ // state on a server as well as handshake state on a client. However, whether
+ // |ssl| is a client or server is not known until explicitly configured with
+ // |SSL_set_connect_state|. If |do_handshake| is NULL, |ssl| is in an
+ // indeterminate mode and |ssl->server| is unset.
if (ssl->do_handshake != NULL && !ssl->server) {
if (ssl->s3->hs != NULL) {
return buffer_names_to_x509(ssl->s3->hs->ca_names.get(),
@@ -1163,8 +1163,8 @@
STACK_OF(X509_NAME) *SSL_CTX_get_client_CA_list(const SSL_CTX *ctx) {
check_ssl_ctx_x509_method(ctx);
- /* This is a logically const operation that may be called on multiple threads,
- * so it needs to lock around updating |cached_x509_client_CA|. */
+ // This is a logically const operation that may be called on multiple threads,
+ // so it needs to lock around updating |cached_x509_client_CA|.
CRYPTO_MUTEX_lock_write((CRYPTO_MUTEX *) &ctx->lock);
STACK_OF(X509_NAME) *ret = buffer_names_to_x509(
ctx->client_CA, (STACK_OF(X509_NAME) **)&ctx->cached_x509_client_CA);
@@ -1259,7 +1259,7 @@
X509 **out_x509,
EVP_PKEY **out_pkey)) {
check_ssl_ctx_x509_method(ctx);
- /* Emulate the old client certificate callback with the new one. */
+ // Emulate the old client certificate callback with the new one.
SSL_CTX_set_cert_cb(ctx, do_client_cert_cb, NULL);
ctx->client_cert_cb = cb;
}
@@ -1277,10 +1277,10 @@
}
int SSL_get_ex_data_X509_STORE_CTX_idx(void) {
- /* The ex_data index to go from |X509_STORE_CTX| to |SSL| always uses the
- * reserved app_data slot. Before ex_data was introduced, app_data was used.
- * Avoid breaking any software which assumes |X509_STORE_CTX_get_app_data|
- * works. */
+ // The ex_data index to go from |X509_STORE_CTX| to |SSL| always uses the
+ // reserved app_data slot. Before ex_data was introduced, app_data was used.
+ // Avoid breaking any software which assumes |X509_STORE_CTX_get_app_data|
+ // works.
return 0;
}
diff --git a/ssl/t1_enc.cc b/ssl/t1_enc.cc
index d4a6ee9..f917ed7 100644
--- a/ssl/t1_enc.cc
+++ b/ssl/t1_enc.cc
@@ -154,10 +154,10 @@
namespace bssl {
-/* tls1_P_hash computes the TLS P_<hash> function as described in RFC 5246,
- * section 5. It XORs |out_len| bytes to |out|, using |md| as the hash and
- * |secret| as the secret. |seed1| through |seed3| are concatenated to form the
- * seed parameter. It returns one on success and zero on failure. */
+// tls1_P_hash computes the TLS P_<hash> function as described in RFC 5246,
+// section 5. It XORs |out_len| bytes to |out|, using |md| as the hash and
+// |secret| as the secret. |seed1| through |seed3| are concatenated to form the
+// seed parameter. It returns one on success and zero on failure.
static int tls1_P_hash(uint8_t *out, size_t out_len, const EVP_MD *md,
const uint8_t *secret, size_t secret_len,
const uint8_t *seed1, size_t seed1_len,
@@ -184,7 +184,7 @@
uint8_t hmac[EVP_MAX_MD_SIZE];
if (!HMAC_CTX_copy_ex(ctx.get(), ctx_init.get()) ||
!HMAC_Update(ctx.get(), A1, A1_len) ||
- /* Save a copy of |ctx| to compute the next A1 value below. */
+ // Save a copy of |ctx| to compute the next A1 value below.
(out_len > chunk && !HMAC_CTX_copy_ex(ctx_tmp.get(), ctx.get())) ||
!HMAC_Update(ctx.get(), seed1, seed1_len) ||
!HMAC_Update(ctx.get(), seed2, seed2_len) ||
@@ -194,7 +194,7 @@
}
assert(len == chunk);
- /* XOR the result into |out|. */
+ // XOR the result into |out|.
if (len > out_len) {
len = out_len;
}
@@ -209,7 +209,7 @@
break;
}
- /* Calculate the next A1 value. */
+ // Calculate the next A1 value.
if (!HMAC_Final(ctx_tmp.get(), A1, &A1_len)) {
goto err;
}
@@ -233,8 +233,8 @@
OPENSSL_memset(out, 0, out_len);
if (digest == EVP_md5_sha1()) {
- /* If using the MD5/SHA1 PRF, |secret| is partitioned between SHA-1 and
- * MD5, MD5 first. */
+ // If using the MD5/SHA1 PRF, |secret| is partitioned between SHA-1 and
+ // MD5, MD5 first.
size_t secret_half = secret_len - (secret_len / 2);
if (!tls1_P_hash(out, out_len, EVP_md5(), secret, secret_half,
(const uint8_t *)label, label_len, seed1, seed1_len, seed2,
@@ -242,7 +242,7 @@
return 0;
}
- /* Note that, if |secret_len| is odd, the two halves share a byte. */
+ // Note that, if |secret_len| is odd, the two halves share a byte.
secret = secret + (secret_len - secret_half);
secret_len = secret_half;
@@ -272,7 +272,7 @@
for (i = 0; i < out_len; i += MD5_DIGEST_LENGTH) {
k++;
if (k > sizeof(buf)) {
- /* bug: 'buf' is too small for this ciphersuite */
+ // bug: 'buf' is too small for this ciphersuite
OPENSSL_PUT_ERROR(SSL, ERR_R_INTERNAL_ERROR);
return 0;
}
@@ -287,7 +287,7 @@
}
EVP_DigestUpdate(sha1.get(), buf, k);
EVP_DigestUpdate(sha1.get(), secret, secret_len);
- /* |label| is ignored for SSLv3. */
+ // |label| is ignored for SSLv3.
if (seed1_len) {
EVP_DigestUpdate(sha1.get(), seed1, seed1_len);
}
@@ -338,9 +338,9 @@
}
size_t key_len = EVP_AEAD_key_length(aead);
if (mac_secret_len > 0) {
- /* For "stateful" AEADs (i.e. compatibility with pre-AEAD cipher suites) the
- * key length reported by |EVP_AEAD_key_length| will include the MAC key
- * bytes and initial implicit IV. */
+ // For "stateful" AEADs (i.e. compatibility with pre-AEAD cipher suites) the
+ // key length reported by |EVP_AEAD_key_length| will include the MAC key
+ // bytes and initial implicit IV.
if (key_len < mac_secret_len + fixed_iv_len) {
OPENSSL_PUT_ERROR(SSL, ERR_R_INTERNAL_ERROR);
return 0;
@@ -377,17 +377,17 @@
int tls1_change_cipher_state(SSL_HANDSHAKE *hs, int which) {
SSL *const ssl = hs->ssl;
- /* Ensure the key block is set up. */
+ // Ensure the key block is set up.
if (!tls1_setup_key_block(hs)) {
return 0;
}
- /* is_read is true if we have just read a ChangeCipherSpec message - i.e. we
- * need to update the read cipherspec. Otherwise we have just written one. */
+ // is_read is true if we have just read a ChangeCipherSpec message - i.e. we
+ // need to update the read cipherspec. Otherwise we have just written one.
const char is_read = (which & SSL3_CC_READ) != 0;
- /* use_client_keys is true if we wish to use the keys for the "client write"
- * direction. This is the case if we're a client sending a ChangeCipherSpec,
- * or a server reading a client's ChangeCipherSpec. */
+ // use_client_keys is true if we wish to use the keys for the "client write"
+ // direction. This is the case if we're a client sending a ChangeCipherSpec,
+ // or a server reading a client's ChangeCipherSpec.
const char use_client_keys = which == SSL3_CHANGE_CIPHER_CLIENT_WRITE ||
which == SSL3_CHANGE_CIPHER_SERVER_READ;
@@ -506,7 +506,7 @@
return 0;
}
- /* Exporters may not be used in the middle of a renegotiation. */
+ // Exporters may not be used in the middle of a renegotiation.
if (SSL_in_init(ssl) && !SSL_in_false_start(ssl)) {
return 0;
}
diff --git a/ssl/t1_lib.cc b/ssl/t1_lib.cc
index 7527a98..0ff5a09 100644
--- a/ssl/t1_lib.cc
+++ b/ssl/t1_lib.cc
@@ -142,17 +142,17 @@
}
}
-/* Per http://tools.ietf.org/html/rfc5246#section-7.4.1.4, there may not be
- * more than one extension of the same type in a ClientHello or ServerHello.
- * This function does an initial scan over the extensions block to filter those
- * out. */
+// Per http://tools.ietf.org/html/rfc5246#section-7.4.1.4, there may not be
+// more than one extension of the same type in a ClientHello or ServerHello.
+// This function does an initial scan over the extensions block to filter those
+// out.
static int tls1_check_duplicate_extensions(const CBS *cbs) {
CBS extensions = *cbs;
size_t num_extensions = 0, i = 0;
uint16_t *extension_types = NULL;
int ret = 0;
- /* First pass: count the extensions. */
+ // First pass: count the extensions.
while (CBS_len(&extensions) > 0) {
uint16_t type;
CBS extension;
@@ -176,20 +176,20 @@
goto done;
}
- /* Second pass: gather the extension types. */
+ // Second pass: gather the extension types.
extensions = *cbs;
for (i = 0; i < num_extensions; i++) {
CBS extension;
if (!CBS_get_u16(&extensions, &extension_types[i]) ||
!CBS_get_u16_length_prefixed(&extensions, &extension)) {
- /* This should not happen. */
+ // This should not happen.
goto done;
}
}
assert(CBS_len(&extensions) == 0);
- /* Sort the extensions and make sure there are no duplicates. */
+ // Sort the extensions and make sure there are no duplicates.
qsort(extension_types, num_extensions, sizeof(uint16_t), compare_uint16_t);
for (i = 1; i < num_extensions; i++) {
if (extension_types[i - 1] == extension_types[i]) {
@@ -225,7 +225,7 @@
out->session_id = CBS_data(&session_id);
out->session_id_len = CBS_len(&session_id);
- /* Skip past DTLS cookie */
+ // Skip past DTLS cookie
if (SSL_is_dtls(out->ssl)) {
CBS cookie;
if (!CBS_get_u8_length_prefixed(&client_hello, &cookie) ||
@@ -247,15 +247,15 @@
out->compression_methods = CBS_data(&compression_methods);
out->compression_methods_len = CBS_len(&compression_methods);
- /* If the ClientHello ends here then it's valid, but doesn't have any
- * extensions. (E.g. SSLv3.) */
+ // If the ClientHello ends here then it's valid, but doesn't have any
+ // extensions. (E.g. SSLv3.)
if (CBS_len(&client_hello) == 0) {
out->extensions = NULL;
out->extensions_len = 0;
return 1;
}
- /* Extract extensions and check it is valid. */
+ // Extract extensions and check it is valid.
CBS extensions;
if (!CBS_get_u16_length_prefixed(&client_hello, &extensions) ||
!tls1_check_duplicate_extensions(&extensions) ||
@@ -274,7 +274,7 @@
CBS extensions;
CBS_init(&extensions, client_hello->extensions, client_hello->extensions_len);
while (CBS_len(&extensions) != 0) {
- /* Decode the next extension. */
+ // Decode the next extension.
uint16_t type;
CBS extension;
if (!CBS_get_u16(&extensions, &type) ||
@@ -315,14 +315,14 @@
size_t groups_len, pref_len, supp_len;
tls1_get_grouplist(ssl, &groups, &groups_len);
- /* Clients are not required to send a supported_groups extension. In this
- * case, the server is free to pick any group it likes. See RFC 4492,
- * section 4, paragraph 3.
- *
- * However, in the interests of compatibility, we will skip ECDH if the
- * client didn't send an extension because we can't be sure that they'll
- * support our favoured group. Thus we do not special-case an emtpy
- * |peer_supported_group_list|. */
+ // Clients are not required to send a supported_groups extension. In this
+ // case, the server is free to pick any group it likes. See RFC 4492,
+ // section 4, paragraph 3.
+ //
+ // However, in the interests of compatibility, we will skip ECDH if the
+ // client didn't send an extension because we can't be sure that they'll
+ // support our favoured group. Thus we do not special-case an emtpy
+ // |peer_supported_group_list|.
if (ssl->options & SSL_OP_CIPHER_SERVER_PREFERENCE) {
pref = groups;
@@ -425,14 +425,14 @@
return 0;
}
-/* kVerifySignatureAlgorithms is the default list of accepted signature
- * algorithms for verifying.
- *
- * For now, RSA-PSS signature algorithms are not enabled on Android's system
- * BoringSSL. Once the change in Chrome has stuck and the values are finalized,
- * restore them. */
+// kVerifySignatureAlgorithms is the default list of accepted signature
+// algorithms for verifying.
+//
+// For now, RSA-PSS signature algorithms are not enabled on Android's system
+// BoringSSL. Once the change in Chrome has stuck and the values are finalized,
+// restore them.
static const uint16_t kVerifySignatureAlgorithms[] = {
- /* List our preferred algorithms first. */
+ // List our preferred algorithms first.
SSL_SIGN_ED25519,
SSL_SIGN_ECDSA_SECP256R1_SHA256,
#if !defined(BORINGSSL_ANDROID_SYSTEM)
@@ -440,14 +440,14 @@
#endif
SSL_SIGN_RSA_PKCS1_SHA256,
- /* Larger hashes are acceptable. */
+ // Larger hashes are acceptable.
SSL_SIGN_ECDSA_SECP384R1_SHA384,
#if !defined(BORINGSSL_ANDROID_SYSTEM)
SSL_SIGN_RSA_PSS_SHA384,
#endif
SSL_SIGN_RSA_PKCS1_SHA384,
- /* TODO(davidben): Remove this. */
+ // TODO(davidben): Remove this.
#if defined(BORINGSSL_ANDROID_SYSTEM)
SSL_SIGN_ECDSA_SECP521R1_SHA512,
#endif
@@ -456,19 +456,19 @@
#endif
SSL_SIGN_RSA_PKCS1_SHA512,
- /* For now, SHA-1 is still accepted but least preferable. */
+ // For now, SHA-1 is still accepted but least preferable.
SSL_SIGN_RSA_PKCS1_SHA1,
};
-/* kSignSignatureAlgorithms is the default list of supported signature
- * algorithms for signing.
- *
- * For now, RSA-PSS signature algorithms are not enabled on Android's system
- * BoringSSL. Once the change in Chrome has stuck and the values are finalized,
- * restore them. */
+// kSignSignatureAlgorithms is the default list of supported signature
+// algorithms for signing.
+//
+// For now, RSA-PSS signature algorithms are not enabled on Android's system
+// BoringSSL. Once the change in Chrome has stuck and the values are finalized,
+// restore them.
static const uint16_t kSignSignatureAlgorithms[] = {
- /* List our preferred algorithms first. */
+ // List our preferred algorithms first.
SSL_SIGN_ED25519,
SSL_SIGN_ECDSA_SECP256R1_SHA256,
#if !defined(BORINGSSL_ANDROID_SYSTEM)
@@ -476,9 +476,9 @@
#endif
SSL_SIGN_RSA_PKCS1_SHA256,
- /* If needed, sign larger hashes.
- *
- * TODO(davidben): Determine which of these may be pruned. */
+ // If needed, sign larger hashes.
+ //
+ // TODO(davidben): Determine which of these may be pruned.
SSL_SIGN_ECDSA_SECP384R1_SHA384,
#if !defined(BORINGSSL_ANDROID_SYSTEM)
SSL_SIGN_RSA_PSS_SHA384,
@@ -491,7 +491,7 @@
#endif
SSL_SIGN_RSA_PKCS1_SHA512,
- /* If the peer supports nothing else, sign with SHA-1. */
+ // If the peer supports nothing else, sign with SHA-1.
SSL_SIGN_ECDSA_SHA1,
SSL_SIGN_RSA_PKCS1_SHA1,
};
@@ -542,21 +542,21 @@
return 0;
}
-/* tls_extension represents a TLS extension that is handled internally. The
- * |init| function is called for each handshake, before any other functions of
- * the extension. Then the add and parse callbacks are called as needed.
- *
- * The parse callbacks receive a |CBS| that contains the contents of the
- * extension (i.e. not including the type and length bytes). If an extension is
- * not received then the parse callbacks will be called with a NULL CBS so that
- * they can do any processing needed to handle the absence of an extension.
- *
- * The add callbacks receive a |CBB| to which the extension can be appended but
- * the function is responsible for appending the type and length bytes too.
- *
- * All callbacks return one for success and zero for error. If a parse function
- * returns zero then a fatal alert with value |*out_alert| will be sent. If
- * |*out_alert| isn't set, then a |decode_error| alert will be sent. */
+// tls_extension represents a TLS extension that is handled internally. The
+// |init| function is called for each handshake, before any other functions of
+// the extension. Then the add and parse callbacks are called as needed.
+//
+// The parse callbacks receive a |CBS| that contains the contents of the
+// extension (i.e. not including the type and length bytes). If an extension is
+// not received then the parse callbacks will be called with a NULL CBS so that
+// they can do any processing needed to handle the absence of an extension.
+//
+// The add callbacks receive a |CBB| to which the extension can be appended but
+// the function is responsible for appending the type and length bytes too.
+//
+// All callbacks return one for success and zero for error. If a parse function
+// returns zero then a fatal alert with value |*out_alert| will be sent. If
+// |*out_alert| isn't set, then a |decode_error| alert will be sent.
struct tls_extension {
uint16_t value;
void (*init)(SSL_HANDSHAKE *hs);
@@ -573,7 +573,7 @@
static int forbid_parse_serverhello(SSL_HANDSHAKE *hs, uint8_t *out_alert,
CBS *contents) {
if (contents != NULL) {
- /* Servers MUST NOT send this extension. */
+ // Servers MUST NOT send this extension.
*out_alert = SSL_AD_UNSUPPORTED_EXTENSION;
OPENSSL_PUT_ERROR(SSL, SSL_R_UNEXPECTED_EXTENSION);
return 0;
@@ -584,7 +584,7 @@
static int ignore_parse_clienthello(SSL_HANDSHAKE *hs, uint8_t *out_alert,
CBS *contents) {
- /* This extension from the client is handled elsewhere. */
+ // This extension from the client is handled elsewhere.
return 1;
}
@@ -592,9 +592,9 @@
return 1;
}
-/* Server name indication (SNI).
- *
- * https://tools.ietf.org/html/rfc6066#section-3. */
+// Server name indication (SNI).
+//
+// https://tools.ietf.org/html/rfc6066#section-3.
static int ext_sni_add_clienthello(SSL_HANDSHAKE *hs, CBB *out) {
SSL *const ssl = hs->ssl;
@@ -652,13 +652,13 @@
uint8_t name_type;
if (!CBS_get_u16_length_prefixed(contents, &server_name_list) ||
!CBS_get_u8(&server_name_list, &name_type) ||
- /* Although the server_name extension was intended to be extensible to
- * new name types and multiple names, OpenSSL 1.0.x had a bug which meant
- * different name types will cause an error. Further, RFC 4366 originally
- * defined syntax inextensibly. RFC 6066 corrected this mistake, but
- * adding new name types is no longer feasible.
- *
- * Act as if the extensibility does not exist to simplify parsing. */
+ // Although the server_name extension was intended to be extensible to
+ // new name types and multiple names, OpenSSL 1.0.x had a bug which meant
+ // different name types will cause an error. Further, RFC 4366 originally
+ // defined syntax inextensibly. RFC 6066 corrected this mistake, but
+ // adding new name types is no longer feasible.
+ //
+ // Act as if the extensibility does not exist to simplify parsing.
!CBS_get_u16_length_prefixed(&server_name_list, &host_name) ||
CBS_len(&server_name_list) != 0 ||
CBS_len(contents) != 0) {
@@ -673,7 +673,7 @@
return 0;
}
- /* Copy the hostname as a string. */
+ // Copy the hostname as a string.
char *hostname_raw = nullptr;
if (!CBS_strdup(&host_name, &hostname_raw)) {
*out_alert = SSL_AD_INTERNAL_ERROR;
@@ -700,13 +700,13 @@
}
-/* Renegotiation indication.
- *
- * https://tools.ietf.org/html/rfc5746 */
+// Renegotiation indication.
+//
+// https://tools.ietf.org/html/rfc5746
static int ext_ri_add_clienthello(SSL_HANDSHAKE *hs, CBB *out) {
SSL *const ssl = hs->ssl;
- /* Renegotiation indication is not necessary in TLS 1.3. */
+ // Renegotiation indication is not necessary in TLS 1.3.
if (hs->min_version >= TLS1_3_VERSION) {
return 1;
}
@@ -735,8 +735,8 @@
return 0;
}
- /* Servers may not switch between omitting the extension and supporting it.
- * See RFC 5746, sections 3.5 and 4.2. */
+ // Servers may not switch between omitting the extension and supporting it.
+ // See RFC 5746, sections 3.5 and 4.2.
if (ssl->s3->initial_handshake_complete &&
(contents != NULL) != ssl->s3->send_connection_binding) {
*out_alert = SSL_AD_HANDSHAKE_FAILURE;
@@ -745,20 +745,20 @@
}
if (contents == NULL) {
- /* Strictly speaking, if we want to avoid an attack we should *always* see
- * RI even on initial ServerHello because the client doesn't see any
- * renegotiation during an attack. However this would mean we could not
- * connect to any server which doesn't support RI.
- *
- * OpenSSL has |SSL_OP_LEGACY_SERVER_CONNECT| to control this, but in
- * practical terms every client sets it so it's just assumed here. */
+ // Strictly speaking, if we want to avoid an attack we should *always* see
+ // RI even on initial ServerHello because the client doesn't see any
+ // renegotiation during an attack. However this would mean we could not
+ // connect to any server which doesn't support RI.
+ //
+ // OpenSSL has |SSL_OP_LEGACY_SERVER_CONNECT| to control this, but in
+ // practical terms every client sets it so it's just assumed here.
return 1;
}
const size_t expected_len = ssl->s3->previous_client_finished_len +
ssl->s3->previous_server_finished_len;
- /* Check for logic errors */
+ // Check for logic errors
assert(!expected_len || ssl->s3->previous_client_finished_len);
assert(!expected_len || ssl->s3->previous_server_finished_len);
assert(ssl->s3->initial_handshake_complete ==
@@ -766,7 +766,7 @@
assert(ssl->s3->initial_handshake_complete ==
(ssl->s3->previous_server_finished_len != 0));
- /* Parse out the extension contents. */
+ // Parse out the extension contents.
CBS renegotiated_connection;
if (!CBS_get_u8_length_prefixed(contents, &renegotiated_connection) ||
CBS_len(contents) != 0) {
@@ -775,7 +775,7 @@
return 0;
}
- /* Check that the extension matches. */
+ // Check that the extension matches.
if (CBS_len(&renegotiated_connection) != expected_len) {
OPENSSL_PUT_ERROR(SSL, SSL_R_RENEGOTIATION_MISMATCH);
*out_alert = SSL_AD_HANDSHAKE_FAILURE;
@@ -813,8 +813,8 @@
static int ext_ri_parse_clienthello(SSL_HANDSHAKE *hs, uint8_t *out_alert,
CBS *contents) {
SSL *const ssl = hs->ssl;
- /* Renegotiation isn't supported as a server so this function should never be
- * called after the initial handshake. */
+ // Renegotiation isn't supported as a server so this function should never be
+ // called after the initial handshake.
assert(!ssl->s3->initial_handshake_complete);
if (ssl3_protocol_version(ssl) >= TLS1_3_VERSION) {
@@ -832,8 +832,8 @@
return 0;
}
- /* Check that the extension matches. We do not support renegotiation as a
- * server, so this must be empty. */
+ // Check that the extension matches. We do not support renegotiation as a
+ // server, so this must be empty.
if (CBS_len(&renegotiated_connection) != 0) {
OPENSSL_PUT_ERROR(SSL, SSL_R_RENEGOTIATION_MISMATCH);
*out_alert = SSL_AD_HANDSHAKE_FAILURE;
@@ -847,8 +847,8 @@
static int ext_ri_add_serverhello(SSL_HANDSHAKE *hs, CBB *out) {
SSL *const ssl = hs->ssl;
- /* Renegotiation isn't supported as a server so this function should never be
- * called after the initial handshake. */
+ // Renegotiation isn't supported as a server so this function should never be
+ // called after the initial handshake.
assert(!ssl->s3->initial_handshake_complete);
if (ssl3_protocol_version(ssl) >= TLS1_3_VERSION) {
@@ -865,12 +865,12 @@
}
-/* Extended Master Secret.
- *
- * https://tools.ietf.org/html/rfc7627 */
+// Extended Master Secret.
+//
+// https://tools.ietf.org/html/rfc7627
static int ext_ems_add_clienthello(SSL_HANDSHAKE *hs, CBB *out) {
- /* Extended master secret is not necessary in TLS 1.3. */
+ // Extended master secret is not necessary in TLS 1.3.
if (hs->min_version >= TLS1_3_VERSION || hs->max_version <= SSL3_VERSION) {
return 1;
}
@@ -897,7 +897,7 @@
hs->extended_master_secret = 1;
}
- /* Whether EMS is negotiated may not change on renegotiation. */
+ // Whether EMS is negotiated may not change on renegotiation.
if (ssl->s3->established_session != NULL &&
hs->extended_master_secret !=
ssl->s3->established_session->extended_master_secret) {
@@ -943,13 +943,13 @@
}
-/* Session tickets.
- *
- * https://tools.ietf.org/html/rfc5077 */
+// Session tickets.
+//
+// https://tools.ietf.org/html/rfc5077
static int ext_ticket_add_clienthello(SSL_HANDSHAKE *hs, CBB *out) {
SSL *const ssl = hs->ssl;
- /* TLS 1.3 uses a different ticket extension. */
+ // TLS 1.3 uses a different ticket extension.
if (hs->min_version >= TLS1_3_VERSION ||
SSL_get_options(ssl) & SSL_OP_NO_TICKET) {
return 1;
@@ -958,14 +958,14 @@
const uint8_t *ticket_data = NULL;
int ticket_len = 0;
- /* Renegotiation does not participate in session resumption. However, still
- * advertise the extension to avoid potentially breaking servers which carry
- * over the state from the previous handshake, such as OpenSSL servers
- * without upstream's 3c3f0259238594d77264a78944d409f2127642c4. */
+ // Renegotiation does not participate in session resumption. However, still
+ // advertise the extension to avoid potentially breaking servers which carry
+ // over the state from the previous handshake, such as OpenSSL servers
+ // without upstream's 3c3f0259238594d77264a78944d409f2127642c4.
if (!ssl->s3->initial_handshake_complete &&
ssl->session != NULL &&
ssl->session->tlsext_tick != NULL &&
- /* Don't send TLS 1.3 session tickets in the ticket extension. */
+ // Don't send TLS 1.3 session tickets in the ticket extension.
SSL_SESSION_protocol_version(ssl->session) < TLS1_3_VERSION) {
ticket_data = ssl->session->tlsext_tick;
ticket_len = ssl->session->tlsext_ticklen;
@@ -993,9 +993,9 @@
return 0;
}
- /* If |SSL_OP_NO_TICKET| is set then no extension will have been sent and
- * this function should never be called, even if the server tries to send the
- * extension. */
+ // If |SSL_OP_NO_TICKET| is set then no extension will have been sent and
+ // this function should never be called, even if the server tries to send the
+ // extension.
assert((SSL_get_options(ssl) & SSL_OP_NO_TICKET) == 0);
if (CBS_len(contents) != 0) {
@@ -1011,7 +1011,7 @@
return 1;
}
- /* If |SSL_OP_NO_TICKET| is set, |ticket_expected| should never be true. */
+ // If |SSL_OP_NO_TICKET| is set, |ticket_expected| should never be true.
assert((SSL_get_options(hs->ssl) & SSL_OP_NO_TICKET) == 0);
if (!CBB_add_u16(out, TLSEXT_TYPE_session_ticket) ||
@@ -1023,9 +1023,9 @@
}
-/* Signature Algorithms.
- *
- * https://tools.ietf.org/html/rfc5246#section-7.4.1.4.1 */
+// Signature Algorithms.
+//
+// https://tools.ietf.org/html/rfc5246#section-7.4.1.4.1
static int ext_sigalgs_add_clienthello(SSL_HANDSHAKE *hs, CBB *out) {
SSL *const ssl = hs->ssl;
@@ -1067,9 +1067,9 @@
}
-/* OCSP Stapling.
- *
- * https://tools.ietf.org/html/rfc6066#section-8 */
+// OCSP Stapling.
+//
+// https://tools.ietf.org/html/rfc6066#section-8
static int ext_ocsp_add_clienthello(SSL_HANDSHAKE *hs, CBB *out) {
SSL *const ssl = hs->ssl;
@@ -1097,20 +1097,20 @@
return 1;
}
- /* TLS 1.3 OCSP responses are included in the Certificate extensions. */
+ // TLS 1.3 OCSP responses are included in the Certificate extensions.
if (ssl3_protocol_version(ssl) >= TLS1_3_VERSION) {
return 0;
}
- /* OCSP stapling is forbidden on non-certificate ciphers. */
+ // OCSP stapling is forbidden on non-certificate ciphers.
if (CBS_len(contents) != 0 ||
!ssl_cipher_uses_certificate_auth(hs->new_cipher)) {
return 0;
}
- /* Note this does not check for resumption in TLS 1.2. Sending
- * status_request here does not make sense, but OpenSSL does so and the
- * specification does not say anything. Tolerate it but ignore it. */
+ // Note this does not check for resumption in TLS 1.2. Sending
+ // status_request here does not make sense, but OpenSSL does so and the
+ // specification does not say anything. Tolerate it but ignore it.
hs->certificate_status_expected = 1;
return 1;
@@ -1127,8 +1127,8 @@
return 0;
}
- /* We cannot decide whether OCSP stapling will occur yet because the correct
- * SSL_CTX might not have been selected. */
+ // We cannot decide whether OCSP stapling will occur yet because the correct
+ // SSL_CTX might not have been selected.
hs->ocsp_stapling_requested = status_type == TLSEXT_STATUSTYPE_ocsp;
return 1;
@@ -1151,9 +1151,9 @@
}
-/* Next protocol negotiation.
- *
- * https://htmlpreview.github.io/?https://github.com/agl/technotes/blob/master/nextprotoneg.html */
+// Next protocol negotiation.
+//
+// https://htmlpreview.github.io/?https://github.com/agl/technotes/blob/master/nextprotoneg.html
static int ext_npn_add_clienthello(SSL_HANDSHAKE *hs, CBB *out) {
SSL *const ssl = hs->ssl;
@@ -1182,15 +1182,15 @@
return 0;
}
- /* If any of these are false then we should never have sent the NPN
- * extension in the ClientHello and thus this function should never have been
- * called. */
+ // If any of these are false then we should never have sent the NPN
+ // extension in the ClientHello and thus this function should never have been
+ // called.
assert(!ssl->s3->initial_handshake_complete);
assert(!SSL_is_dtls(ssl));
assert(ssl->ctx->next_proto_select_cb != NULL);
if (ssl->s3->alpn_selected != NULL) {
- /* NPN and ALPN may not be negotiated in the same connection. */
+ // NPN and ALPN may not be negotiated in the same connection.
*out_alert = SSL_AD_ILLEGAL_PARAMETER;
OPENSSL_PUT_ERROR(SSL, SSL_R_NEGOTIATED_BOTH_NPN_AND_ALPN);
return 0;
@@ -1254,8 +1254,8 @@
static int ext_npn_add_serverhello(SSL_HANDSHAKE *hs, CBB *out) {
SSL *const ssl = hs->ssl;
- /* |next_proto_neg_seen| might have been cleared when an ALPN extension was
- * parsed. */
+ // |next_proto_neg_seen| might have been cleared when an ALPN extension was
+ // parsed.
if (!hs->next_proto_neg_seen) {
return 1;
}
@@ -1282,9 +1282,9 @@
}
-/* Signed certificate timestamps.
- *
- * https://tools.ietf.org/html/rfc6962#section-3.3.1 */
+// Signed certificate timestamps.
+//
+// https://tools.ietf.org/html/rfc6962#section-3.3.1
static int ext_sct_add_clienthello(SSL_HANDSHAKE *hs, CBB *out) {
SSL *const ssl = hs->ssl;
@@ -1307,14 +1307,14 @@
return 1;
}
- /* TLS 1.3 SCTs are included in the Certificate extensions. */
+ // TLS 1.3 SCTs are included in the Certificate extensions.
if (ssl3_protocol_version(ssl) >= TLS1_3_VERSION) {
*out_alert = SSL_AD_DECODE_ERROR;
return 0;
}
- /* If this is false then we should never have sent the SCT extension in the
- * ClientHello and thus this function should never have been called. */
+ // If this is false then we should never have sent the SCT extension in the
+ // ClientHello and thus this function should never have been called.
assert(ssl->signed_cert_timestamps_enabled);
if (!ssl_is_sct_list_valid(contents)) {
@@ -1322,11 +1322,11 @@
return 0;
}
- /* Session resumption uses the original session information. The extension
- * should not be sent on resumption, but RFC 6962 did not make it a
- * requirement, so tolerate this.
- *
- * TODO(davidben): Enforce this anyway. */
+ // Session resumption uses the original session information. The extension
+ // should not be sent on resumption, but RFC 6962 did not make it a
+ // requirement, so tolerate this.
+ //
+ // TODO(davidben): Enforce this anyway.
if (!ssl->s3->session_reused) {
CRYPTO_BUFFER_free(hs->new_session->signed_cert_timestamp_list);
hs->new_session->signed_cert_timestamp_list =
@@ -1356,7 +1356,7 @@
static int ext_sct_add_serverhello(SSL_HANDSHAKE *hs, CBB *out) {
SSL *const ssl = hs->ssl;
- /* The extension shouldn't be sent when resuming sessions. */
+ // The extension shouldn't be sent when resuming sessions.
if (ssl3_protocol_version(ssl) >= TLS1_3_VERSION ||
ssl->s3->session_reused ||
ssl->cert->signed_cert_timestamp_list == NULL) {
@@ -1374,9 +1374,9 @@
}
-/* Application-level Protocol Negotiation.
- *
- * https://tools.ietf.org/html/rfc7301 */
+// Application-level Protocol Negotiation.
+//
+// https://tools.ietf.org/html/rfc7301
static int ext_alpn_add_clienthello(SSL_HANDSHAKE *hs, CBB *out) {
SSL *const ssl = hs->ssl;
@@ -1409,26 +1409,26 @@
assert(ssl->alpn_client_proto_list != NULL);
if (hs->next_proto_neg_seen) {
- /* NPN and ALPN may not be negotiated in the same connection. */
+ // NPN and ALPN may not be negotiated in the same connection.
*out_alert = SSL_AD_ILLEGAL_PARAMETER;
OPENSSL_PUT_ERROR(SSL, SSL_R_NEGOTIATED_BOTH_NPN_AND_ALPN);
return 0;
}
- /* The extension data consists of a ProtocolNameList which must have
- * exactly one ProtocolName. Each of these is length-prefixed. */
+ // The extension data consists of a ProtocolNameList which must have
+ // exactly one ProtocolName. Each of these is length-prefixed.
CBS protocol_name_list, protocol_name;
if (!CBS_get_u16_length_prefixed(contents, &protocol_name_list) ||
CBS_len(contents) != 0 ||
!CBS_get_u8_length_prefixed(&protocol_name_list, &protocol_name) ||
- /* Empty protocol names are forbidden. */
+ // Empty protocol names are forbidden.
CBS_len(&protocol_name) == 0 ||
CBS_len(&protocol_name_list) != 0) {
return 0;
}
if (!ssl->ctx->allow_unknown_alpn_protos) {
- /* Check that the protocol name is one of the ones we advertised. */
+ // Check that the protocol name is one of the ones we advertised.
int protocol_ok = 0;
CBS client_protocol_name_list, client_protocol_name;
CBS_init(&client_protocol_name_list, ssl->alpn_client_proto_list,
@@ -1473,11 +1473,11 @@
!ssl_client_hello_get_extension(
client_hello, &contents,
TLSEXT_TYPE_application_layer_protocol_negotiation)) {
- /* Ignore ALPN if not configured or no extension was supplied. */
+ // Ignore ALPN if not configured or no extension was supplied.
return 1;
}
- /* ALPN takes precedence over NPN. */
+ // ALPN takes precedence over NPN.
hs->next_proto_neg_seen = 0;
CBS protocol_name_list;
@@ -1489,13 +1489,13 @@
return 0;
}
- /* Validate the protocol list. */
+ // Validate the protocol list.
CBS protocol_name_list_copy = protocol_name_list;
while (CBS_len(&protocol_name_list_copy) > 0) {
CBS protocol_name;
if (!CBS_get_u8_length_prefixed(&protocol_name_list_copy, &protocol_name) ||
- /* Empty protocol names are forbidden. */
+ // Empty protocol names are forbidden.
CBS_len(&protocol_name) == 0) {
OPENSSL_PUT_ERROR(SSL, SSL_R_PARSE_TLSEXT);
*out_alert = SSL_AD_DECODE_ERROR;
@@ -1542,9 +1542,9 @@
}
-/* Channel ID.
- *
- * https://tools.ietf.org/html/draft-balfanz-tls-channelid-01 */
+// Channel ID.
+//
+// https://tools.ietf.org/html/draft-balfanz-tls-channelid-01
static void ext_channel_id_init(SSL_HANDSHAKE *hs) {
hs->ssl->s3->tlsext_channel_id_valid = 0;
@@ -1615,9 +1615,9 @@
}
-/* Secure Real-time Transport Protocol (SRTP) extension.
- *
- * https://tools.ietf.org/html/rfc5764 */
+// Secure Real-time Transport Protocol (SRTP) extension.
+//
+// https://tools.ietf.org/html/rfc5764
static void ext_srtp_init(SSL_HANDSHAKE *hs) {
@@ -1660,10 +1660,10 @@
return 1;
}
- /* The extension consists of a u16-prefixed profile ID list containing a
- * single uint16_t profile ID, then followed by a u8-prefixed srtp_mki field.
- *
- * See https://tools.ietf.org/html/rfc5764#section-4.1.1 */
+ // The extension consists of a u16-prefixed profile ID list containing a
+ // single uint16_t profile ID, then followed by a u8-prefixed srtp_mki field.
+ //
+ // See https://tools.ietf.org/html/rfc5764#section-4.1.1
CBS profile_ids, srtp_mki;
uint16_t profile_id;
if (!CBS_get_u16_length_prefixed(contents, &profile_ids) ||
@@ -1676,7 +1676,7 @@
}
if (CBS_len(&srtp_mki) != 0) {
- /* Must be no MKI, since we never offer one. */
+ // Must be no MKI, since we never offer one.
OPENSSL_PUT_ERROR(SSL, SSL_R_BAD_SRTP_MKI_VALUE);
*out_alert = SSL_AD_ILLEGAL_PARAMETER;
return 0;
@@ -1684,8 +1684,8 @@
STACK_OF(SRTP_PROTECTION_PROFILE) *profiles = SSL_get_srtp_profiles(ssl);
- /* Check to see if the server gave us something we support (and presumably
- * offered). */
+ // Check to see if the server gave us something we support (and presumably
+ // offered).
for (const SRTP_PROTECTION_PROFILE *profile : profiles) {
if (profile->id == profile_id) {
ssl->srtp_profile = profile;
@@ -1713,12 +1713,12 @@
OPENSSL_PUT_ERROR(SSL, SSL_R_BAD_SRTP_PROTECTION_PROFILE_LIST);
return 0;
}
- /* Discard the MKI value for now. */
+ // Discard the MKI value for now.
const STACK_OF(SRTP_PROTECTION_PROFILE) *server_profiles =
SSL_get_srtp_profiles(ssl);
- /* Pick the server's most preferred profile. */
+ // Pick the server's most preferred profile.
for (const SRTP_PROTECTION_PROFILE *server_profile : server_profiles) {
CBS profile_ids_tmp;
CBS_init(&profile_ids_tmp, CBS_data(&profile_ids), CBS_len(&profile_ids));
@@ -1759,9 +1759,9 @@
}
-/* EC point formats.
- *
- * https://tools.ietf.org/html/rfc4492#section-5.1.2 */
+// EC point formats.
+//
+// https://tools.ietf.org/html/rfc4492#section-5.1.2
static int ext_ec_point_add_extension(SSL_HANDSHAKE *hs, CBB *out) {
CBB contents, formats;
@@ -1777,7 +1777,7 @@
}
static int ext_ec_point_add_clienthello(SSL_HANDSHAKE *hs, CBB *out) {
- /* The point format extension is unneccessary in TLS 1.3. */
+ // The point format extension is unneccessary in TLS 1.3.
if (hs->min_version >= TLS1_3_VERSION) {
return 1;
}
@@ -1801,8 +1801,8 @@
return 0;
}
- /* Per RFC 4492, section 5.1.2, implementations MUST support the uncompressed
- * point format. */
+ // Per RFC 4492, section 5.1.2, implementations MUST support the uncompressed
+ // point format.
if (OPENSSL_memchr(CBS_data(&ec_point_format_list),
TLSEXT_ECPOINTFORMAT_uncompressed,
CBS_len(&ec_point_format_list)) == NULL) {
@@ -1840,9 +1840,9 @@
}
-/* Pre Shared Key
- *
- * https://tools.ietf.org/html/draft-ietf-tls-tls13-18#section-4.2.6 */
+// Pre Shared Key
+//
+// https://tools.ietf.org/html/draft-ietf-tls-tls13-18#section-4.2.6
static size_t ext_pre_shared_key_clienthello_length(SSL_HANDSHAKE *hs) {
SSL *const ssl = hs->ssl;
@@ -1867,8 +1867,8 @@
uint32_t ticket_age = 1000 * (now.tv_sec - ssl->session->time);
uint32_t obfuscated_ticket_age = ticket_age + ssl->session->ticket_age_add;
- /* Fill in a placeholder zero binder of the appropriate length. It will be
- * computed and filled in later after length prefixes are computed. */
+ // Fill in a placeholder zero binder of the appropriate length. It will be
+ // computed and filled in later after length prefixes are computed.
uint8_t zero_binder[EVP_MAX_MD_SIZE] = {0};
size_t binder_len = EVP_MD_size(SSL_SESSION_get_digest(ssl->session));
@@ -1901,7 +1901,7 @@
return 0;
}
- /* We only advertise one PSK identity, so the only legal index is zero. */
+ // We only advertise one PSK identity, so the only legal index is zero.
if (psk_id != 0) {
OPENSSL_PUT_ERROR(SSL, SSL_R_PSK_IDENTITY_NOT_FOUND);
*out_alert = SSL_AD_UNKNOWN_PSK_IDENTITY;
@@ -1914,7 +1914,7 @@
int ssl_ext_pre_shared_key_parse_clienthello(
SSL_HANDSHAKE *hs, CBS *out_ticket, CBS *out_binders,
uint32_t *out_obfuscated_ticket_age, uint8_t *out_alert, CBS *contents) {
- /* We only process the first PSK identity since we don't support pure PSK. */
+ // We only process the first PSK identity since we don't support pure PSK.
CBS identities, binders;
if (!CBS_get_u16_length_prefixed(contents, &identities) ||
!CBS_get_u16_length_prefixed(&identities, out_ticket) ||
@@ -1929,7 +1929,7 @@
*out_binders = binders;
- /* Check the syntax of the remaining identities, but do not process them. */
+ // Check the syntax of the remaining identities, but do not process them.
size_t num_identities = 1;
while (CBS_len(&identities) != 0) {
CBS unused_ticket;
@@ -1944,8 +1944,8 @@
num_identities++;
}
- /* Check the syntax of the binders. The value will be checked later if
- * resuming. */
+ // Check the syntax of the binders. The value will be checked later if
+ // resuming.
size_t num_binders = 0;
while (CBS_len(&binders) != 0) {
CBS binder;
@@ -1975,7 +1975,7 @@
CBB contents;
if (!CBB_add_u16(out, TLSEXT_TYPE_pre_shared_key) ||
!CBB_add_u16_length_prefixed(out, &contents) ||
- /* We only consider the first identity for resumption */
+ // We only consider the first identity for resumption
!CBB_add_u16(&contents, 0) ||
!CBB_flush(out)) {
return 0;
@@ -1985,9 +1985,9 @@
}
-/* Pre-Shared Key Exchange Modes
- *
- * https://tools.ietf.org/html/draft-ietf-tls-tls13-18#section-4.2.7 */
+// Pre-Shared Key Exchange Modes
+//
+// https://tools.ietf.org/html/draft-ietf-tls-tls13-18#section-4.2.7
static int ext_psk_key_exchange_modes_add_clienthello(SSL_HANDSHAKE *hs,
CBB *out) {
@@ -2021,7 +2021,7 @@
return 0;
}
- /* We only support tickets with PSK_DHE_KE. */
+ // We only support tickets with PSK_DHE_KE.
hs->accept_psk_mode = OPENSSL_memchr(CBS_data(&ke_modes), SSL_PSK_DHE_KE,
CBS_len(&ke_modes)) != NULL;
@@ -2029,9 +2029,9 @@
}
-/* Early Data Indication
- *
- * https://tools.ietf.org/html/draft-ietf-tls-tls13-18#section-4.2.8 */
+// Early Data Indication
+//
+// https://tools.ietf.org/html/draft-ietf-tls-tls13-18#section-4.2.8
static int ext_early_data_add_clienthello(SSL_HANDSHAKE *hs, CBB *out) {
SSL *const ssl = hs->ssl;
@@ -2108,9 +2108,9 @@
}
-/* Key Share
- *
- * https://tools.ietf.org/html/draft-ietf-tls-tls13-16#section-4.2.5 */
+// Key Share
+//
+// https://tools.ietf.org/html/draft-ietf-tls-tls13-16#section-4.2.5
static int ext_key_share_add_clienthello(SSL_HANDSHAKE *hs, CBB *out) {
SSL *const ssl = hs->ssl;
@@ -2127,8 +2127,8 @@
uint16_t group_id = hs->retry_group;
if (hs->received_hello_retry_request) {
- /* We received a HelloRetryRequest without a new curve, so there is no new
- * share to append. Leave |hs->key_share| as-is. */
+ // We received a HelloRetryRequest without a new curve, so there is no new
+ // share to append. Leave |hs->key_share| as-is.
if (group_id == 0 &&
!CBB_add_bytes(&kse_bytes, hs->key_share_bytes,
hs->key_share_bytes_len)) {
@@ -2141,7 +2141,7 @@
return CBB_flush(out);
}
} else {
- /* Add a fake group. See draft-davidben-tls-grease-01. */
+ // Add a fake group. See draft-davidben-tls-grease-01.
if (ssl->ctx->grease_enabled &&
(!CBB_add_u16(&kse_bytes,
ssl_get_grease_value(ssl, ssl_grease_group)) ||
@@ -2150,7 +2150,7 @@
return 0;
}
- /* Predict the most preferred group. */
+ // Predict the most preferred group.
const uint16_t *groups;
size_t groups_len;
tls1_get_grouplist(ssl, &groups, &groups_len);
@@ -2173,8 +2173,8 @@
}
if (!hs->received_hello_retry_request) {
- /* Save the contents of the extension to repeat it in the second
- * ClientHello. */
+ // Save the contents of the extension to repeat it in the second
+ // ClientHello.
hs->key_share_bytes_len = CBB_len(&kse_bytes);
hs->key_share_bytes =
(uint8_t *)BUF_memdup(CBB_data(&kse_bytes), CBB_len(&kse_bytes));
@@ -2233,7 +2233,7 @@
return 0;
}
- /* Find the corresponding key share. */
+ // Find the corresponding key share.
int found = 0;
CBS peer_key;
while (CBS_len(&key_shares) > 0) {
@@ -2254,7 +2254,7 @@
found = 1;
peer_key = peer_key_tmp;
- /* Continue parsing the structure to keep peers honest. */
+ // Continue parsing the structure to keep peers honest.
}
}
@@ -2265,7 +2265,7 @@
return 1;
}
- /* Compute the DH secret. */
+ // Compute the DH secret.
uint8_t *secret = NULL;
size_t secret_len;
ScopedCBB public_key;
@@ -2310,9 +2310,9 @@
}
-/* Supported Versions
- *
- * https://tools.ietf.org/html/draft-ietf-tls-tls13-16#section-4.2.1 */
+// Supported Versions
+//
+// https://tools.ietf.org/html/draft-ietf-tls-tls13-16#section-4.2.1
static int ext_supported_versions_add_clienthello(SSL_HANDSHAKE *hs, CBB *out) {
SSL *const ssl = hs->ssl;
@@ -2327,7 +2327,7 @@
return 0;
}
- /* Add a fake version. See draft-davidben-tls-grease-01. */
+ // Add a fake version. See draft-davidben-tls-grease-01.
if (ssl->ctx->grease_enabled &&
!CBB_add_u16(&versions, ssl_get_grease_value(ssl, ssl_grease_version))) {
return 0;
@@ -2342,9 +2342,9 @@
}
-/* Cookie
- *
- * https://tools.ietf.org/html/draft-ietf-tls-tls13-16#section-4.2.2 */
+// Cookie
+//
+// https://tools.ietf.org/html/draft-ietf-tls-tls13-16#section-4.2.2
static int ext_cookie_add_clienthello(SSL_HANDSHAKE *hs, CBB *out) {
if (hs->cookie == NULL) {
@@ -2360,7 +2360,7 @@
return 0;
}
- /* The cookie is no longer needed in memory. */
+ // The cookie is no longer needed in memory.
OPENSSL_free(hs->cookie);
hs->cookie = NULL;
hs->cookie_len = 0;
@@ -2368,10 +2368,10 @@
}
-/* Negotiated Groups
- *
- * https://tools.ietf.org/html/rfc4492#section-5.1.2
- * https://tools.ietf.org/html/draft-ietf-tls-tls13-16#section-4.2.4 */
+// Negotiated Groups
+//
+// https://tools.ietf.org/html/rfc4492#section-5.1.2
+// https://tools.ietf.org/html/draft-ietf-tls-tls13-16#section-4.2.4
static int ext_supported_groups_add_clienthello(SSL_HANDSHAKE *hs, CBB *out) {
SSL *const ssl = hs->ssl;
@@ -2382,7 +2382,7 @@
return 0;
}
- /* Add a fake group. See draft-davidben-tls-grease-01. */
+ // Add a fake group. See draft-davidben-tls-grease-01.
if (ssl->ctx->grease_enabled &&
!CBB_add_u16(&groups_bytes,
ssl_get_grease_value(ssl, ssl_grease_group))) {
@@ -2405,8 +2405,8 @@
static int ext_supported_groups_parse_serverhello(SSL_HANDSHAKE *hs,
uint8_t *out_alert,
CBS *contents) {
- /* This extension is not expected to be echoed by servers in TLS 1.2, but some
- * BigIP servers send it nonetheless, so do not enforce this. */
+ // This extension is not expected to be echoed by servers in TLS 1.2, but some
+ // BigIP servers send it nonetheless, so do not enforce this.
return 1;
}
@@ -2453,12 +2453,12 @@
}
static int ext_supported_groups_add_serverhello(SSL_HANDSHAKE *hs, CBB *out) {
- /* Servers don't echo this extension. */
+ // Servers don't echo this extension.
return 1;
}
-/* kExtensions contains all the supported extensions. */
+// kExtensions contains all the supported extensions.
static const struct tls_extension kExtensions[] = {
{
TLSEXT_TYPE_renegotiate,
@@ -2489,7 +2489,7 @@
NULL,
ext_ticket_add_clienthello,
ext_ticket_parse_serverhello,
- /* Ticket extension client parsing is handled in ssl_session.c */
+ // Ticket extension client parsing is handled in ssl_session.c
ignore_parse_clienthello,
ext_ticket_add_serverhello,
},
@@ -2530,7 +2530,7 @@
NULL,
ext_alpn_add_clienthello,
ext_alpn_parse_serverhello,
- /* ALPN is negotiated late in |ssl_negotiate_alpn|. */
+ // ALPN is negotiated late in |ssl_negotiate_alpn|.
ignore_parse_clienthello,
ext_alpn_add_serverhello,
},
@@ -2598,9 +2598,9 @@
ignore_parse_clienthello,
dont_add_serverhello,
},
- /* The final extension must be non-empty. WebSphere Application Server 7.0 is
- * intolerant to the last extension being zero-length. See
- * https://crbug.com/363583. */
+ // The final extension must be non-empty. WebSphere Application Server 7.0 is
+ // intolerant to the last extension being zero-length. See
+ // https://crbug.com/363583.
{
TLSEXT_TYPE_supported_groups,
NULL,
@@ -2635,7 +2635,7 @@
int ssl_add_clienthello_tlsext(SSL_HANDSHAKE *hs, CBB *out, size_t header_len) {
SSL *const ssl = hs->ssl;
- /* Don't add extensions for SSLv3 unless doing secure renegotiation. */
+ // Don't add extensions for SSLv3 unless doing secure renegotiation.
if (hs->client_version == SSL3_VERSION &&
!ssl->s3->send_connection_binding) {
return 1;
@@ -2658,7 +2658,7 @@
uint16_t grease_ext1 = 0;
if (ssl->ctx->grease_enabled) {
- /* Add a fake empty extension. See draft-davidben-tls-grease-01. */
+ // Add a fake empty extension. See draft-davidben-tls-grease-01.
grease_ext1 = ssl_get_grease_value(ssl, ssl_grease_extension1);
if (!CBB_add_u16(&extensions, grease_ext1) ||
!CBB_add_u16(&extensions, 0 /* zero length */)) {
@@ -2686,12 +2686,12 @@
}
if (ssl->ctx->grease_enabled) {
- /* Add a fake non-empty extension. See draft-davidben-tls-grease-01. */
+ // Add a fake non-empty extension. See draft-davidben-tls-grease-01.
uint16_t grease_ext2 = ssl_get_grease_value(ssl, ssl_grease_extension2);
- /* The two fake extensions must not have the same value. GREASE values are
- * of the form 0x1a1a, 0x2a2a, 0x3a3a, etc., so XOR to generate a different
- * one. */
+ // The two fake extensions must not have the same value. GREASE values are
+ // of the form 0x1a1a, 0x2a2a, 0x3a3a, etc., so XOR to generate a different
+ // one.
if (grease_ext1 == grease_ext2) {
grease_ext2 ^= 0x1010;
}
@@ -2708,15 +2708,15 @@
size_t psk_extension_len = ext_pre_shared_key_clienthello_length(hs);
header_len += 2 + CBB_len(&extensions) + psk_extension_len;
if (header_len > 0xff && header_len < 0x200) {
- /* Add padding to workaround bugs in F5 terminators. See RFC 7685.
- *
- * NB: because this code works out the length of all existing extensions
- * it MUST always appear last. */
+ // Add padding to workaround bugs in F5 terminators. See RFC 7685.
+ //
+ // NB: because this code works out the length of all existing extensions
+ // it MUST always appear last.
size_t padding_len = 0x200 - header_len;
- /* Extensions take at least four bytes to encode. Always include at least
- * one byte of data if including the extension. WebSphere Application
- * Server 7.0 is intolerant to the last extension being zero-length. See
- * https://crbug.com/363583. */
+ // Extensions take at least four bytes to encode. Always include at least
+ // one byte of data if including the extension. WebSphere Application
+ // Server 7.0 is intolerant to the last extension being zero-length. See
+ // https://crbug.com/363583.
if (padding_len >= 4 + 1) {
padding_len -= 4;
} else {
@@ -2735,13 +2735,13 @@
}
}
- /* The PSK extension must be last, including after the padding. */
+ // The PSK extension must be last, including after the padding.
if (!ext_pre_shared_key_add_clienthello(hs, &extensions)) {
OPENSSL_PUT_ERROR(SSL, ERR_R_INTERNAL_ERROR);
return 0;
}
- /* Discard empty extensions blocks. */
+ // Discard empty extensions blocks.
if (CBB_len(&extensions) == 0) {
CBB_discard_child(out);
}
@@ -2758,7 +2758,7 @@
for (unsigned i = 0; i < kNumExtensions; i++) {
if (!(hs->extensions.received & (1u << i))) {
- /* Don't send extensions that were not received. */
+ // Don't send extensions that were not received.
continue;
}
@@ -2773,7 +2773,7 @@
goto err;
}
- /* Discard empty extensions blocks before TLS 1.3. */
+ // Discard empty extensions blocks before TLS 1.3.
if (ssl3_protocol_version(ssl) < TLS1_3_VERSION &&
CBB_len(&extensions) == 0) {
CBB_discard_child(out);
@@ -2804,15 +2804,15 @@
uint16_t type;
CBS extension;
- /* Decode the next extension. */
+ // Decode the next extension.
if (!CBS_get_u16(&extensions, &type) ||
!CBS_get_u16_length_prefixed(&extensions, &extension)) {
*out_alert = SSL_AD_DECODE_ERROR;
return 0;
}
- /* RFC 5746 made the existence of extensions in SSL 3.0 somewhat
- * ambiguous. Ignore all but the renegotiation_info extension. */
+ // RFC 5746 made the existence of extensions in SSL 3.0 somewhat
+ // ambiguous. Ignore all but the renegotiation_info extension.
if (ssl->version == SSL3_VERSION && type != TLSEXT_TYPE_renegotiate) {
continue;
}
@@ -2849,16 +2849,16 @@
if (kExtensions[i].value == TLSEXT_TYPE_renegotiate &&
ssl_client_cipher_list_contains_cipher(client_hello,
SSL3_CK_SCSV & 0xffff)) {
- /* The renegotiation SCSV was received so pretend that we received a
- * renegotiation extension. */
+ // The renegotiation SCSV was received so pretend that we received a
+ // renegotiation extension.
CBS_init(&fake_contents, kFakeRenegotiateExtension,
sizeof(kFakeRenegotiateExtension));
contents = &fake_contents;
hs->extensions.received |= (1u << i);
}
- /* Extension wasn't observed so call the callback with a NULL
- * parameter. */
+ // Extension wasn't observed so call the callback with a NULL
+ // parameter.
uint8_t alert = SSL_AD_DECODE_ERROR;
if (!kExtensions[i].parse_clienthello(hs, &alert, contents)) {
OPENSSL_PUT_ERROR(SSL, SSL_R_MISSING_EXTENSION);
@@ -2891,12 +2891,12 @@
static int ssl_scan_serverhello_tlsext(SSL_HANDSHAKE *hs, CBS *cbs,
int *out_alert) {
SSL *const ssl = hs->ssl;
- /* Before TLS 1.3, ServerHello extensions blocks may be omitted if empty. */
+ // Before TLS 1.3, ServerHello extensions blocks may be omitted if empty.
if (CBS_len(cbs) == 0 && ssl3_protocol_version(ssl) < TLS1_3_VERSION) {
return 1;
}
- /* Decode the extensions block and check it is valid. */
+ // Decode the extensions block and check it is valid.
CBS extensions;
if (!CBS_get_u16_length_prefixed(cbs, &extensions) ||
!tls1_check_duplicate_extensions(&extensions)) {
@@ -2909,7 +2909,7 @@
uint16_t type;
CBS extension;
- /* Decode the next extension. */
+ // Decode the next extension.
if (!CBS_get_u16(&extensions, &type) ||
!CBS_get_u16_length_prefixed(&extensions, &extension)) {
*out_alert = SSL_AD_DECODE_ERROR;
@@ -2933,8 +2933,8 @@
if (!(hs->extensions.sent & (1u << ext_index)) &&
type != TLSEXT_TYPE_renegotiate) {
- /* If the extension was never sent then it is illegal, except for the
- * renegotiation extension which, in SSL 3.0, is signaled via SCSV. */
+ // If the extension was never sent then it is illegal, except for the
+ // renegotiation extension which, in SSL 3.0, is signaled via SCSV.
OPENSSL_PUT_ERROR(SSL, SSL_R_UNEXPECTED_EXTENSION);
ERR_add_error_dataf("extension :%u", (unsigned)type);
*out_alert = SSL_AD_UNSUPPORTED_EXTENSION;
@@ -2954,8 +2954,8 @@
for (size_t i = 0; i < kNumExtensions; i++) {
if (!(received & (1u << i))) {
- /* Extension wasn't observed so call the callback with a NULL
- * parameter. */
+ // Extension wasn't observed so call the callback with a NULL
+ // parameter.
uint8_t alert = SSL_AD_DECODE_ERROR;
if (!kExtensions[i].parse_serverhello(hs, &alert, NULL)) {
OPENSSL_PUT_ERROR(SSL, SSL_R_MISSING_EXTENSION);
@@ -3012,11 +3012,11 @@
HMAC_CTX *hmac_ctx, const uint8_t *ticket, size_t ticket_len) {
size_t iv_len = EVP_CIPHER_CTX_iv_length(cipher_ctx);
- /* Check the MAC at the end of the ticket. */
+ // Check the MAC at the end of the ticket.
uint8_t mac[EVP_MAX_MD_SIZE];
size_t mac_len = HMAC_size(hmac_ctx);
if (ticket_len < SSL_TICKET_KEY_NAME_LEN + iv_len + 1 + mac_len) {
- /* The ticket must be large enough for key name, IV, data, and MAC. */
+ // The ticket must be large enough for key name, IV, data, and MAC.
return ssl_ticket_aead_ignore_ticket;
}
HMAC_Update(hmac_ctx, ticket, ticket_len - mac_len);
@@ -3030,7 +3030,7 @@
return ssl_ticket_aead_ignore_ticket;
}
- /* Decrypt the session data. */
+ // Decrypt the session data.
const uint8_t *ciphertext = ticket + SSL_TICKET_KEY_NAME_LEN + iv_len;
size_t ciphertext_len = ticket_len - SSL_TICKET_KEY_NAME_LEN - iv_len -
mac_len;
@@ -3090,12 +3090,12 @@
assert(ticket_len >= SSL_TICKET_KEY_NAME_LEN + EVP_MAX_IV_LENGTH);
SSL_CTX *ctx = ssl->session_ctx;
- /* Rotate the ticket key if necessary. */
+ // Rotate the ticket key if necessary.
if (!ssl_ctx_rotate_ticket_encryption_key(ctx)) {
return ssl_ticket_aead_error;
}
- /* Pick the matching ticket key and decrypt. */
+ // Pick the matching ticket key and decrypt.
ScopedEVP_CIPHER_CTX cipher_ctx;
ScopedHMAC_CTX hmac_ctx;
{
@@ -3167,10 +3167,10 @@
result = ssl_decrypt_ticket_with_method(
ssl, &plaintext, &plaintext_len, out_renew_ticket, ticket, ticket_len);
} else {
- /* Ensure there is room for the key name and the largest IV
- * |tlsext_ticket_key_cb| may try to consume. The real limit may be lower,
- * but the maximum IV length should be well under the minimum size for the
- * session material and HMAC. */
+ // Ensure there is room for the key name and the largest IV
+ // |tlsext_ticket_key_cb| may try to consume. The real limit may be lower,
+ // but the maximum IV length should be well under the minimum size for the
+ // session material and HMAC.
if (ticket_len < SSL_TICKET_KEY_NAME_LEN + EVP_MAX_IV_LENGTH) {
return ssl_ticket_aead_ignore_ticket;
}
@@ -3187,18 +3187,18 @@
return result;
}
- /* Decode the session. */
+ // Decode the session.
UniquePtr<SSL_SESSION> session(
SSL_SESSION_from_bytes(plaintext, plaintext_len, ssl->ctx));
OPENSSL_free(plaintext);
if (!session) {
- ERR_clear_error(); /* Don't leave an error on the queue. */
+ ERR_clear_error(); // Don't leave an error on the queue.
return ssl_ticket_aead_ignore_ticket;
}
- /* Copy the client's session ID into the new session, to denote the ticket has
- * been accepted. */
+ // Copy the client's session ID into the new session, to denote the ticket has
+ // been accepted.
OPENSSL_memcpy(session->session_id, session_id, session_id_len);
session->session_id_length = session_id_len;
@@ -3207,7 +3207,7 @@
}
int tls1_parse_peer_sigalgs(SSL_HANDSHAKE *hs, const CBS *in_sigalgs) {
- /* Extension ignored for inappropriate versions */
+ // Extension ignored for inappropriate versions
if (ssl3_protocol_version(hs->ssl) < TLS1_2_VERSION) {
return 1;
}
@@ -3222,14 +3222,14 @@
}
num_sigalgs /= 2;
- /* supported_signature_algorithms in the certificate request is
- * allowed to be empty. */
+ // supported_signature_algorithms in the certificate request is
+ // allowed to be empty.
if (num_sigalgs == 0) {
return 1;
}
- /* This multiplication doesn't overflow because sizeof(uint16_t) is two
- * and we just divided |num_sigalgs| by two. */
+ // This multiplication doesn't overflow because sizeof(uint16_t) is two
+ // and we just divided |num_sigalgs| by two.
hs->peer_sigalgs = (uint16_t *)OPENSSL_malloc(num_sigalgs * sizeof(uint16_t));
if (hs->peer_sigalgs == NULL) {
return 0;
@@ -3264,8 +3264,8 @@
SSL *const ssl = hs->ssl;
CERT *cert = ssl->cert;
- /* Before TLS 1.2, the signature algorithm isn't negotiated as part of the
- * handshake. */
+ // Before TLS 1.2, the signature algorithm isn't negotiated as part of the
+ // handshake.
if (ssl3_protocol_version(ssl) < TLS1_2_VERSION) {
if (!tls1_get_legacy_signature_algorithm(out, hs->local_pubkey.get())) {
OPENSSL_PUT_ERROR(SSL, SSL_R_NO_COMMON_SIGNATURE_ALGORITHMS);
@@ -3284,9 +3284,9 @@
const uint16_t *peer_sigalgs = hs->peer_sigalgs;
size_t num_peer_sigalgs = hs->num_peer_sigalgs;
if (num_peer_sigalgs == 0 && ssl3_protocol_version(ssl) < TLS1_3_VERSION) {
- /* If the client didn't specify any signature_algorithms extension then
- * we can assume that it supports SHA1. See
- * http://tools.ietf.org/html/rfc5246#section-7.4.1.4.1 */
+ // If the client didn't specify any signature_algorithms extension then
+ // we can assume that it supports SHA1. See
+ // http://tools.ietf.org/html/rfc5246#section-7.4.1.4.1
static const uint16_t kDefaultPeerAlgorithms[] = {SSL_SIGN_RSA_PKCS1_SHA1,
SSL_SIGN_ECDSA_SHA1};
peer_sigalgs = kDefaultPeerAlgorithms;
@@ -3295,8 +3295,8 @@
for (size_t i = 0; i < num_sigalgs; i++) {
uint16_t sigalg = sigalgs[i];
- /* SSL_SIGN_RSA_PKCS1_MD5_SHA1 is an internal value and should never be
- * negotiated. */
+ // SSL_SIGN_RSA_PKCS1_MD5_SHA1 is an internal value and should never be
+ // negotiated.
if (sigalg == SSL_SIGN_RSA_PKCS1_MD5_SHA1 ||
!ssl_private_key_supports_signature_algorithm(hs, sigalgs[i])) {
continue;
@@ -3316,8 +3316,8 @@
int tls1_verify_channel_id(SSL_HANDSHAKE *hs, const SSLMessage &msg) {
SSL *const ssl = hs->ssl;
- /* A Channel ID handshake message is structured to contain multiple
- * extensions, but the only one that can be present is Channel ID. */
+ // A Channel ID handshake message is structured to contain multiple
+ // extensions, but the only one that can be present is Channel ID.
uint16_t extension_type;
CBS channel_id = msg.body, extension;
if (!CBS_get_u16(&channel_id, &extension_type) ||
@@ -3474,14 +3474,14 @@
return 1;
}
-/* tls1_record_handshake_hashes_for_channel_id records the current handshake
- * hashes in |hs->new_session| so that Channel ID resumptions can sign that
- * data. */
+// tls1_record_handshake_hashes_for_channel_id records the current handshake
+// hashes in |hs->new_session| so that Channel ID resumptions can sign that
+// data.
int tls1_record_handshake_hashes_for_channel_id(SSL_HANDSHAKE *hs) {
SSL *const ssl = hs->ssl;
- /* This function should never be called for a resumed session because the
- * handshake hashes that we wish to record are for the original, full
- * handshake. */
+ // This function should never be called for a resumed session because the
+ // handshake hashes that we wish to record are for the original, full
+ // handshake.
if (ssl->session != NULL) {
return 0;
}
@@ -3512,7 +3512,7 @@
EVP_PKEY *key = NULL;
ssl->ctx->channel_id_cb(ssl, &key);
if (key == NULL) {
- /* The caller should try again later. */
+ // The caller should try again later.
return 1;
}
@@ -3522,9 +3522,9 @@
}
int ssl_is_sct_list_valid(const CBS *contents) {
- /* Shallow parse the SCT list for sanity. By the RFC
- * (https://tools.ietf.org/html/rfc6962#section-3.3) neither the list nor any
- * of the SCTs may be empty. */
+ // Shallow parse the SCT list for sanity. By the RFC
+ // (https://tools.ietf.org/html/rfc6962#section-3.3) neither the list nor any
+ // of the SCTs may be empty.
CBS copy = *contents;
CBS sct_list;
if (!CBS_get_u16_length_prefixed(©, &sct_list) ||
diff --git a/ssl/test/bssl_shim.cc b/ssl/test/bssl_shim.cc
index 8daa105..d86efab 100644
--- a/ssl/test/bssl_shim.cc
+++ b/ssl/test/bssl_shim.cc
@@ -1040,8 +1040,8 @@
uint8_t type;
uint32_t msg_len;
if (!CBS_get_u8(&cbs, &type) ||
- /* TODO(davidben): Reporting on entire messages would be more
- * consistent than fragments. */
+ // TODO(davidben): Reporting on entire messages would be more
+ // consistent than fragments.
(config->is_dtls &&
!CBS_skip(&cbs, 3 /* total */ + 2 /* seq */ + 3 /* frag_off */)) ||
!CBS_get_u24(&cbs, &msg_len) ||
@@ -2421,7 +2421,7 @@
StderrDelimiter delimiter;
#if defined(OPENSSL_WINDOWS)
- /* Initialize Winsock. */
+ // Initialize Winsock.
WORD wsa_version = MAKEWORD(2, 2);
WSADATA wsa_data;
int wsa_err = WSAStartup(wsa_version, &wsa_data);
diff --git a/ssl/tls13_both.cc b/ssl/tls13_both.cc
index 509079d..1b031d5 100644
--- a/ssl/tls13_both.cc
+++ b/ssl/tls13_both.cc
@@ -32,9 +32,9 @@
namespace bssl {
-/* kMaxKeyUpdates is the number of consecutive KeyUpdates that will be
- * processed. Without this limit an attacker could force unbounded processing
- * without being able to return application data. */
+// kMaxKeyUpdates is the number of consecutive KeyUpdates that will be
+// processed. Without this limit an attacker could force unbounded processing
+// without being able to return application data.
static const uint8_t kMaxKeyUpdates = 32;
int tls13_get_cert_verify_signature_input(
@@ -56,7 +56,7 @@
const uint8_t *context;
size_t context_len;
if (cert_verify_context == ssl_cert_verify_server) {
- /* Include the NUL byte. */
+ // Include the NUL byte.
static const char kContext[] = "TLS 1.3, server CertificateVerify";
context = (const uint8_t *)kContext;
context_len = sizeof(kContext);
@@ -130,15 +130,15 @@
OPENSSL_PUT_ERROR(SSL, SSL_R_DECODE_ERROR);
return 0;
}
- /* TLS 1.3 always uses certificate keys for signing thus the correct
- * keyUsage is enforced. */
+ // TLS 1.3 always uses certificate keys for signing thus the correct
+ // keyUsage is enforced.
if (!ssl_cert_check_digital_signature_key_usage(&certificate)) {
ssl3_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_ILLEGAL_PARAMETER);
return 0;
}
if (retain_sha256) {
- /* Retain the hash of the leaf certificate if requested. */
+ // Retain the hash of the leaf certificate if requested.
SHA256(CBS_data(&certificate), CBS_len(&certificate),
hs->new_session->peer_sha256);
}
@@ -153,7 +153,7 @@
return 0;
}
- /* Parse out the extensions. */
+ // Parse out the extensions.
int have_status_request = 0, have_sct = 0;
CBS status_request, sct;
const SSL_EXTENSION_TYPE ext_types[] = {
@@ -169,8 +169,8 @@
return 0;
}
- /* All Certificate extensions are parsed, but only the leaf extensions are
- * stored. */
+ // All Certificate extensions are parsed, but only the leaf extensions are
+ // stored.
if (have_status_request) {
if (ssl->server || !ssl->ocsp_stapling_enabled) {
OPENSSL_PUT_ERROR(SSL, SSL_R_UNEXPECTED_EXTENSION);
@@ -225,8 +225,8 @@
}
}
- /* Store a null certificate list rather than an empty one if the peer didn't
- * send certificates. */
+ // Store a null certificate list rather than an empty one if the peer didn't
+ // send certificates.
if (sk_CRYPTO_BUFFER_num(certs.get()) == 0) {
certs.reset();
}
@@ -249,11 +249,11 @@
return 0;
}
- /* OpenSSL returns X509_V_OK when no certificates are requested. This is
- * classed by them as a bug, but it's assumed by at least NGINX. */
+ // OpenSSL returns X509_V_OK when no certificates are requested. This is
+ // classed by them as a bug, but it's assumed by at least NGINX.
hs->new_session->verify_result = X509_V_OK;
- /* No certificate, so nothing more to do. */
+ // No certificate, so nothing more to do.
return 1;
}
@@ -347,7 +347,7 @@
ScopedCBB cbb;
CBB body, certificate_list;
if (!ssl->method->init_message(ssl, cbb.get(), &body, SSL3_MT_CERTIFICATE) ||
- /* The request context is always empty in the handshake. */
+ // The request context is always empty in the handshake.
!CBB_add_u8(&body, 0) ||
!CBB_add_u24_length_prefixed(&body, &certificate_list)) {
OPENSSL_PUT_ERROR(SSL, ERR_R_INTERNAL_ERROR);
@@ -430,7 +430,7 @@
return ssl_private_key_failure;
}
- /* Sign the digest. */
+ // Sign the digest.
CBB child;
const size_t max_sig_len = EVP_PKEY_size(hs->local_pubkey.get());
uint8_t *sig;
@@ -503,7 +503,7 @@
return 0;
}
- /* Acknowledge the KeyUpdate */
+ // Acknowledge the KeyUpdate
if (key_update_request == SSL_KEY_UPDATE_REQUESTED &&
!ssl->s3->key_update_pending) {
ScopedCBB cbb;
@@ -516,10 +516,10 @@
return 0;
}
- /* Suppress KeyUpdate acknowledgments until this change is written to the
- * wire. This prevents us from accumulating write obligations when read and
- * write progress at different rates. See draft-ietf-tls-tls13-18, section
- * 4.5.3. */
+ // Suppress KeyUpdate acknowledgments until this change is written to the
+ // wire. This prevents us from accumulating write obligations when read and
+ // write progress at different rates. See draft-ietf-tls-tls13-18, section
+ // 4.5.3.
ssl->s3->key_update_pending = 1;
}
diff --git a/ssl/tls13_client.cc b/ssl/tls13_client.cc
index 8221368..51d275c 100644
--- a/ssl/tls13_client.cc
+++ b/ssl/tls13_client.cc
@@ -66,7 +66,7 @@
uint16_t server_version;
if (!CBS_get_u16(&body, &server_version) ||
!CBS_get_u16_length_prefixed(&body, &extensions) ||
- /* HelloRetryRequest may not be empty. */
+ // HelloRetryRequest may not be empty.
CBS_len(&extensions) == 0 ||
CBS_len(&body) != 0) {
OPENSSL_PUT_ERROR(SSL, SSL_R_DECODE_ERROR);
@@ -112,7 +112,7 @@
return ssl_hs_error;
}
- /* The group must be supported. */
+ // The group must be supported.
const uint16_t *groups;
size_t groups_len;
tls1_get_grouplist(ssl, &groups, &groups_len);
@@ -130,8 +130,8 @@
return ssl_hs_error;
}
- /* Check that the HelloRetryRequest does not request the key share that
- * was provided in the initial ClientHello. */
+ // Check that the HelloRetryRequest does not request the key share that
+ // was provided in the initial ClientHello.
if (hs->key_share->GroupID() == group_id) {
ssl3_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_ILLEGAL_PARAMETER);
OPENSSL_PUT_ERROR(SSL, SSL_R_WRONG_CURVE);
@@ -149,7 +149,7 @@
ssl->method->next_message(ssl);
hs->received_hello_retry_request = 1;
hs->tls13_state = state_send_second_client_hello;
- /* 0-RTT is rejected if we receive a HelloRetryRequest. */
+ // 0-RTT is rejected if we receive a HelloRetryRequest.
if (hs->in_early_data) {
return ssl_hs_early_data_rejected;
}
@@ -158,7 +158,7 @@
static enum ssl_hs_wait_t do_send_second_client_hello(SSL_HANDSHAKE *hs) {
SSL *const ssl = hs->ssl;
- /* Restore the null cipher. We may have switched due to 0-RTT. */
+ // Restore the null cipher. We may have switched due to 0-RTT.
bssl::UniquePtr<SSLAEADContext> null_ctx = SSLAEADContext::CreateNullCipher();
if (!null_ctx ||
!ssl->method->set_write_state(ssl, std::move(null_ctx)) ||
@@ -217,7 +217,7 @@
return ssl_hs_error;
}
- /* Check if the cipher is a TLS 1.3 cipher. */
+ // Check if the cipher is a TLS 1.3 cipher.
if (SSL_CIPHER_get_min_version(cipher) > ssl3_protocol_version(ssl) ||
SSL_CIPHER_get_max_version(cipher) < ssl3_protocol_version(ssl)) {
OPENSSL_PUT_ERROR(SSL, SSL_R_WRONG_CIPHER_RETURNED);
@@ -225,7 +225,7 @@
return ssl_hs_error;
}
- /* Parse out the extensions. */
+ // Parse out the extensions.
int have_key_share = 0, have_pre_shared_key = 0, have_supported_versions = 0;
CBS key_share, pre_shared_key, supported_versions;
const SSL_EXTENSION_TYPE ext_types[] = {
@@ -243,8 +243,8 @@
return ssl_hs_error;
}
- /* supported_versions is parsed in handshake_client to select the experimental
- * TLS 1.3 version. */
+ // supported_versions is parsed in handshake_client to select the experimental
+ // TLS 1.3 version.
if (have_supported_versions && ssl->version != TLS1_3_EXPERIMENT_VERSION) {
OPENSSL_PUT_ERROR(SSL, SSL_R_UNEXPECTED_EXTENSION);
ssl3_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_UNSUPPORTED_EXTENSION);
@@ -278,7 +278,7 @@
}
if (!ssl_session_is_context_valid(ssl, ssl->session)) {
- /* This is actually a client application bug. */
+ // This is actually a client application bug.
OPENSSL_PUT_ERROR(SSL,
SSL_R_ATTEMPT_TO_REUSE_SESSION_IN_DIFFERENT_CONTEXT);
ssl3_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_ILLEGAL_PARAMETER);
@@ -286,7 +286,7 @@
}
ssl->s3->session_reused = 1;
- /* Only authentication information carries over in TLS 1.3. */
+ // Only authentication information carries over in TLS 1.3.
hs->new_session = SSL_SESSION_dup(ssl->session, SSL_SESSION_DUP_AUTH_ONLY);
if (!hs->new_session) {
ssl3_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_INTERNAL_ERROR);
@@ -294,7 +294,7 @@
}
ssl_set_session(ssl, NULL);
- /* Resumption incorporates fresh key material, so refresh the timeout. */
+ // Resumption incorporates fresh key material, so refresh the timeout.
ssl_session_renew_timeout(ssl, hs->new_session.get(),
ssl->session_ctx->session_psk_dhe_timeout);
} else if (!ssl_get_new_session(hs, 0)) {
@@ -305,12 +305,12 @@
hs->new_session->cipher = cipher;
hs->new_cipher = cipher;
- /* The PRF hash is now known. Set up the key schedule. */
+ // The PRF hash is now known. Set up the key schedule.
if (!tls13_init_key_schedule(hs)) {
return ssl_hs_error;
}
- /* Incorporate the PSK into the running secret. */
+ // Incorporate the PSK into the running secret.
if (ssl->s3->session_reused) {
if (!tls13_advance_key_schedule(hs, hs->new_session->master_key,
hs->new_session->master_key_length)) {
@@ -321,13 +321,13 @@
}
if (!have_key_share) {
- /* We do not support psk_ke and thus always require a key share. */
+ // We do not support psk_ke and thus always require a key share.
OPENSSL_PUT_ERROR(SSL, SSL_R_MISSING_KEY_SHARE);
ssl3_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_MISSING_EXTENSION);
return ssl_hs_error;
}
- /* Resolve ECDHE and incorporate it into the secret. */
+ // Resolve ECDHE and incorporate it into the secret.
uint8_t *dhe_secret;
size_t dhe_secret_len;
alert = SSL_AD_DECODE_ERROR;
@@ -363,8 +363,8 @@
}
if (!hs->early_data_offered) {
- /* If not sending early data, set client traffic keys now so that alerts are
- * encrypted. */
+ // If not sending early data, set client traffic keys now so that alerts are
+ // encrypted.
if ((ssl->version == TLS1_3_EXPERIMENT_VERSION &&
!ssl3_add_change_cipher_spec(ssl)) ||
!tls13_set_traffic_key(ssl, evp_aead_seal, hs->client_handshake_secret,
@@ -398,7 +398,7 @@
return ssl_hs_error;
}
- /* Store the negotiated ALPN in the session. */
+ // Store the negotiated ALPN in the session.
if (ssl->s3->alpn_selected != NULL) {
hs->new_session->early_alpn = (uint8_t *)BUF_memdup(
ssl->s3->alpn_selected, ssl->s3->alpn_selected_len);
@@ -437,7 +437,7 @@
static enum ssl_hs_wait_t do_read_certificate_request(SSL_HANDSHAKE *hs) {
SSL *const ssl = hs->ssl;
- /* CertificateRequest may only be sent in non-resumption handshakes. */
+ // CertificateRequest may only be sent in non-resumption handshakes.
if (ssl->s3->session_reused) {
hs->tls13_state = state_read_server_finished;
return ssl_hs_ok;
@@ -448,7 +448,7 @@
return ssl_hs_read_message;
}
- /* CertificateRequest is optional. */
+ // CertificateRequest is optional.
if (msg.type != SSL3_MT_CERTIFICATE_REQUEST) {
hs->tls13_state = state_read_server_certificate;
return ssl_hs_ok;
@@ -456,7 +456,7 @@
CBS body = msg.body, context, supported_signature_algorithms;
if (!CBS_get_u8_length_prefixed(&body, &context) ||
- /* The request context is always empty during the handshake. */
+ // The request context is always empty during the handshake.
CBS_len(&context) != 0 ||
!CBS_get_u16_length_prefixed(&body, &supported_signature_algorithms) ||
CBS_len(&supported_signature_algorithms) == 0 ||
@@ -474,7 +474,7 @@
return ssl_hs_error;
}
- /* Ignore extensions. */
+ // Ignore extensions.
CBS extensions;
if (!CBS_get_u16_length_prefixed(&body, &extensions) ||
CBS_len(&body) != 0) {
@@ -550,7 +550,7 @@
if (!ssl_check_message_type(ssl, msg, SSL3_MT_FINISHED) ||
!tls13_process_finished(hs, msg, 0 /* don't use saved value */) ||
!ssl_hash_message(hs, msg) ||
- /* Update the secret to the master secret and derive traffic keys. */
+ // Update the secret to the master secret and derive traffic keys.
!tls13_advance_key_schedule(hs, kZeroes, hs->hash_len) ||
!tls13_derive_application_secrets(hs)) {
return ssl_hs_error;
@@ -588,13 +588,13 @@
static enum ssl_hs_wait_t do_send_client_certificate(SSL_HANDSHAKE *hs) {
SSL *const ssl = hs->ssl;
- /* The peer didn't request a certificate. */
+ // The peer didn't request a certificate.
if (!hs->cert_request) {
hs->tls13_state = state_complete_second_flight;
return ssl_hs_ok;
}
- /* Call cert_cb to update the certificate. */
+ // Call cert_cb to update the certificate.
if (ssl->cert->cert_cb != NULL) {
int rv = ssl->cert->cert_cb(ssl, ssl->cert->cert_cb_arg);
if (rv == 0) {
@@ -619,7 +619,7 @@
static enum ssl_hs_wait_t do_send_client_certificate_verify(SSL_HANDSHAKE *hs) {
SSL *const ssl = hs->ssl;
- /* Don't send CertificateVerify if there is no certificate. */
+ // Don't send CertificateVerify if there is no certificate.
if (!ssl_has_certificate(ssl)) {
hs->tls13_state = state_complete_second_flight;
return ssl_hs_ok;
@@ -645,7 +645,7 @@
static enum ssl_hs_wait_t do_complete_second_flight(SSL_HANDSHAKE *hs) {
SSL *const ssl = hs->ssl;
- /* Send a Channel ID assertion if necessary. */
+ // Send a Channel ID assertion if necessary.
if (ssl->s3->tlsext_channel_id_valid) {
if (!ssl_do_channel_id_callback(ssl)) {
hs->tls13_state = state_complete_second_flight;
@@ -665,12 +665,12 @@
}
}
- /* Send a Finished message. */
+ // Send a Finished message.
if (!tls13_add_finished(hs)) {
return ssl_hs_error;
}
- /* Derive the final keys and enable them. */
+ // Derive the final keys and enable them.
if (!tls13_set_traffic_key(ssl, evp_aead_open, hs->server_traffic_secret_0,
hs->hash_len) ||
!tls13_set_traffic_key(ssl, evp_aead_seal, hs->client_traffic_secret_0,
@@ -804,13 +804,13 @@
return 0;
}
- /* Cap the renewable lifetime by the server advertised value. This avoids
- * wasting bandwidth on 0-RTT when we know the server will reject it. */
+ // Cap the renewable lifetime by the server advertised value. This avoids
+ // wasting bandwidth on 0-RTT when we know the server will reject it.
if (session->timeout > server_timeout) {
session->timeout = server_timeout;
}
- /* Parse out the extensions. */
+ // Parse out the extensions.
int have_early_data_info = 0;
CBS early_data_info;
const SSL_EXTENSION_TYPE ext_types[] = {
@@ -840,7 +840,7 @@
if (ssl->ctx->new_session_cb != NULL &&
ssl->ctx->new_session_cb(ssl, session.get())) {
- /* |new_session_cb|'s return value signals that it took ownership. */
+ // |new_session_cb|'s return value signals that it took ownership.
session.release();
}
diff --git a/ssl/tls13_enc.cc b/ssl/tls13_enc.cc
index 39e80be..7bd87c5 100644
--- a/ssl/tls13_enc.cc
+++ b/ssl/tls13_enc.cc
@@ -40,7 +40,7 @@
hs->hash_len = hs->transcript.DigestLen();
- /* Initialize the secret to the zero key. */
+ // Initialize the secret to the zero key.
OPENSSL_memset(hs->secret, 0, hs->hash_len);
return 1;
@@ -96,9 +96,9 @@
return ret;
}
-/* derive_secret derives a secret of length |len| and writes the result in |out|
- * with the given label and the current base secret and most recently-saved
- * handshake context. It returns one on success and zero on error. */
+// derive_secret derives a secret of length |len| and writes the result in |out|
+// with the given label and the current base secret and most recently-saved
+// handshake context. It returns one on success and zero on error.
static int derive_secret(SSL_HANDSHAKE *hs, uint8_t *out, size_t len,
const uint8_t *label, size_t label_len) {
uint8_t context_hash[EVP_MAX_MD_SIZE];
@@ -123,7 +123,7 @@
return 0;
}
- /* Look up cipher suite properties. */
+ // Look up cipher suite properties.
const EVP_AEAD *aead;
size_t discard;
if (!ssl_cipher_get_evp_aead(&aead, &discard, &discard, session->cipher,
@@ -133,7 +133,7 @@
const EVP_MD *digest = SSL_SESSION_get_digest(session);
- /* Derive the key. */
+ // Derive the key.
size_t key_len = EVP_AEAD_key_length(aead);
uint8_t key[EVP_AEAD_MAX_KEY_LENGTH];
if (!hkdf_expand_label(key, digest, traffic_secret, traffic_secret_len,
@@ -141,7 +141,7 @@
return 0;
}
- /* Derive the IV. */
+ // Derive the IV.
size_t iv_len = EVP_AEAD_nonce_length(aead);
uint8_t iv[EVP_AEAD_MAX_NONCE_LENGTH];
if (!hkdf_expand_label(iv, digest, traffic_secret, traffic_secret_len,
@@ -166,7 +166,7 @@
}
}
- /* Save the traffic secret. */
+ // Save the traffic secret.
if (direction == evp_aead_open) {
OPENSSL_memmove(ssl->s3->read_traffic_secret, traffic_secret,
traffic_secret_len);
@@ -279,8 +279,8 @@
static const char kTLS13LabelFinished[] = "finished";
-/* tls13_verify_data sets |out| to be the HMAC of |context| using a derived
- * Finished key for both Finished messages and the PSK binder. */
+// tls13_verify_data sets |out| to be the HMAC of |context| using a derived
+// Finished key for both Finished messages and the PSK binder.
static int tls13_verify_data(const EVP_MD *digest, uint8_t *out,
size_t *out_len, const uint8_t *secret,
size_t hash_len, uint8_t *context,
@@ -401,15 +401,15 @@
const SSLMessage &msg, CBS *binders) {
size_t hash_len = hs->transcript.DigestLen();
- /* The message must be large enough to exclude the binders. */
+ // The message must be large enough to exclude the binders.
if (CBS_len(&msg.raw) < CBS_len(binders) + 2) {
OPENSSL_PUT_ERROR(SSL, ERR_R_INTERNAL_ERROR);
return 0;
}
- /* Hash a ClientHello prefix up to the binders. This includes the header. For
- * now, this assumes we only ever verify PSK binders on initial
- * ClientHellos. */
+ // Hash a ClientHello prefix up to the binders. This includes the header. For
+ // now, this assumes we only ever verify PSK binders on initial
+ // ClientHellos.
uint8_t context[EVP_MAX_MD_SIZE];
unsigned context_len;
if (!EVP_Digest(CBS_data(&msg.raw), CBS_len(&msg.raw) - CBS_len(binders) - 2,
@@ -422,7 +422,7 @@
if (!tls13_psk_binder(verify_data, hs->transcript.Digest(),
session->master_key, session->master_key_length,
context, context_len, hash_len) ||
- /* We only consider the first PSK, so compare against the first binder. */
+ // We only consider the first PSK, so compare against the first binder.
!CBS_get_u8_length_prefixed(binders, &binder)) {
OPENSSL_PUT_ERROR(SSL, ERR_R_INTERNAL_ERROR);
return 0;
diff --git a/ssl/tls13_server.cc b/ssl/tls13_server.cc
index 781d59e..26ce0e1 100644
--- a/ssl/tls13_server.cc
+++ b/ssl/tls13_server.cc
@@ -12,9 +12,9 @@
* OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN
* CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. */
-/* Per C99, various stdint.h macros are unavailable in C++ unless some macros
- * are defined. C++11 overruled this decision, but older Android NDKs still
- * require it. */
+// Per C99, various stdint.h macros are unavailable in C++ unless some macros
+// are defined. C++11 overruled this decision, but older Android NDKs still
+// require it.
#if !defined(__STDC_LIMIT_MACROS)
#define __STDC_LIMIT_MACROS
#endif
@@ -64,7 +64,7 @@
SSL *const ssl = hs->ssl;
*out_need_retry = 0;
- /* We only support connections that include an ECDHE key exchange. */
+ // We only support connections that include an ECDHE key exchange.
CBS key_share;
if (!ssl_client_hello_get_extension(client_hello, &key_share,
TLSEXT_TYPE_key_share)) {
@@ -127,7 +127,7 @@
return NULL;
}
- /* Limit to TLS 1.3 ciphers we know about. */
+ // Limit to TLS 1.3 ciphers we know about.
const SSL_CIPHER *candidate = SSL_get_cipher_by_value(cipher_suite);
if (candidate == NULL ||
SSL_CIPHER_get_min_version(candidate) > version ||
@@ -135,8 +135,8 @@
continue;
}
- /* TLS 1.3 removes legacy ciphers, so honor the client order, but prefer
- * ChaCha20 if we do not have AES hardware. */
+ // TLS 1.3 removes legacy ciphers, so honor the client order, but prefer
+ // ChaCha20 if we do not have AES hardware.
if (aes_is_fine) {
return candidate;
}
@@ -155,12 +155,12 @@
static int add_new_session_tickets(SSL_HANDSHAKE *hs) {
SSL *const ssl = hs->ssl;
- /* TLS 1.3 recommends single-use tickets, so issue multiple tickets in case
- * the client makes several connections before getting a renewal. */
+ // TLS 1.3 recommends single-use tickets, so issue multiple tickets in case
+ // the client makes several connections before getting a renewal.
static const int kNumTickets = 2;
- /* Rebase the session timestamp so that it is measured from ticket
- * issuance. */
+ // Rebase the session timestamp so that it is measured from ticket
+ // issuance.
ssl_session_rebase_time(ssl, hs->new_session.get());
for (int i = 0; i < kNumTickets; i++) {
@@ -194,7 +194,7 @@
}
}
- /* Add a fake extension. See draft-davidben-tls-grease-01. */
+ // Add a fake extension. See draft-davidben-tls-grease-01.
if (!CBB_add_u16(&extensions,
ssl_get_grease_value(ssl, ssl_grease_ticket_extension)) ||
!CBB_add_u16(&extensions, 0 /* empty */)) {
@@ -210,8 +210,8 @@
}
static enum ssl_hs_wait_t do_select_parameters(SSL_HANDSHAKE *hs) {
- /* At this point, most ClientHello extensions have already been processed by
- * the common handshake logic. Resolve the remaining non-PSK parameters. */
+ // At this point, most ClientHello extensions have already been processed by
+ // the common handshake logic. Resolve the remaining non-PSK parameters.
SSL *const ssl = hs->ssl;
SSLMessage msg;
if (!ssl->method->get_message(ssl, &msg)) {
@@ -228,7 +228,7 @@
client_hello.session_id_len);
hs->session_id_len = client_hello.session_id_len;
- /* Negotiate the cipher suite. */
+ // Negotiate the cipher suite.
hs->new_cipher = choose_tls13_cipher(ssl, &client_hello);
if (hs->new_cipher == NULL) {
OPENSSL_PUT_ERROR(SSL, SSL_R_NO_SHARED_CIPHER);
@@ -236,16 +236,16 @@
return ssl_hs_error;
}
- /* HTTP/2 negotiation depends on the cipher suite, so ALPN negotiation was
- * deferred. Complete it now. */
+ // HTTP/2 negotiation depends on the cipher suite, so ALPN negotiation was
+ // deferred. Complete it now.
uint8_t alert = SSL_AD_DECODE_ERROR;
if (!ssl_negotiate_alpn(hs, &alert, &client_hello)) {
ssl3_send_alert(ssl, SSL3_AL_FATAL, alert);
return ssl_hs_error;
}
- /* The PRF hash is now known. Set up the key schedule and hash the
- * ClientHello. */
+ // The PRF hash is now known. Set up the key schedule and hash the
+ // ClientHello.
if (!tls13_init_key_schedule(hs) ||
!ssl_hash_message(hs, msg)) {
return ssl_hs_error;
@@ -262,7 +262,7 @@
SSL *const ssl = hs->ssl;
*out_session = NULL;
- /* Decode the ticket if we agreed on a PSK key exchange mode. */
+ // Decode the ticket if we agreed on a PSK key exchange mode.
CBS pre_shared_key;
if (!hs->accept_psk_mode ||
!ssl_client_hello_get_extension(client_hello, &pre_shared_key,
@@ -270,8 +270,8 @@
return ssl_ticket_aead_ignore_ticket;
}
- /* Verify that the pre_shared_key extension is the last extension in
- * ClientHello. */
+ // Verify that the pre_shared_key extension is the last extension in
+ // ClientHello.
if (CBS_data(&pre_shared_key) + CBS_len(&pre_shared_key) !=
client_hello->extensions + client_hello->extensions_len) {
OPENSSL_PUT_ERROR(SSL, SSL_R_PRE_SHARED_KEY_MUST_BE_LAST);
@@ -287,8 +287,8 @@
return ssl_ticket_aead_error;
}
- /* TLS 1.3 session tickets are renewed separately as part of the
- * NewSessionTicket. */
+ // TLS 1.3 session tickets are renewed separately as part of the
+ // NewSessionTicket.
int unused_renew;
UniquePtr<SSL_SESSION> session;
enum ssl_ticket_aead_result_t ret =
@@ -305,34 +305,34 @@
}
if (!ssl_session_is_resumable(hs, session.get()) ||
- /* Historically, some TLS 1.3 tickets were missing ticket_age_add. */
+ // Historically, some TLS 1.3 tickets were missing ticket_age_add.
!session->ticket_age_add_valid) {
return ssl_ticket_aead_ignore_ticket;
}
- /* Recover the client ticket age and convert to seconds. */
+ // Recover the client ticket age and convert to seconds.
client_ticket_age -= session->ticket_age_add;
client_ticket_age /= 1000;
struct OPENSSL_timeval now;
ssl_get_current_time(ssl, &now);
- /* Compute the server ticket age in seconds. */
+ // Compute the server ticket age in seconds.
assert(now.tv_sec >= session->time);
uint64_t server_ticket_age = now.tv_sec - session->time;
- /* To avoid overflowing |hs->ticket_age_skew|, we will not resume
- * 68-year-old sessions. */
+ // To avoid overflowing |hs->ticket_age_skew|, we will not resume
+ // 68-year-old sessions.
if (server_ticket_age > INT32_MAX) {
return ssl_ticket_aead_ignore_ticket;
}
- /* TODO(davidben,svaldez): Measure this value to decide on tolerance. For
- * now, accept all values. https://crbug.com/boringssl/113. */
+ // TODO(davidben,svaldez): Measure this value to decide on tolerance. For
+ // now, accept all values. https://crbug.com/boringssl/113.
*out_ticket_age_skew =
(int32_t)client_ticket_age - (int32_t)server_ticket_age;
- /* Check the PSK binder. */
+ // Check the PSK binder.
if (!tls13_verify_psk_binder(hs, session.get(), msg, &binders)) {
*out_alert = SSL_AD_DECRYPT_ERROR;
return ssl_ticket_aead_error;
@@ -368,21 +368,21 @@
break;
case ssl_ticket_aead_success:
- /* Carry over authentication information from the previous handshake into
- * a fresh session. */
+ // Carry over authentication information from the previous handshake into
+ // a fresh session.
hs->new_session =
SSL_SESSION_dup(session.get(), SSL_SESSION_DUP_AUTH_ONLY);
- if (/* Early data must be acceptable for this ticket. */
+ if (// Early data must be acceptable for this ticket.
ssl->cert->enable_early_data &&
session->ticket_max_early_data != 0 &&
- /* The client must have offered early data. */
+ // The client must have offered early data.
hs->early_data_offered &&
- /* Channel ID is incompatible with 0-RTT. */
+ // Channel ID is incompatible with 0-RTT.
!ssl->s3->tlsext_channel_id_valid &&
- /* Custom extensions is incompatible with 0-RTT. */
+ // Custom extensions is incompatible with 0-RTT.
hs->custom_extensions.received == 0 &&
- /* The negotiated ALPN must match the one in the ticket. */
+ // The negotiated ALPN must match the one in the ticket.
ssl->s3->alpn_selected_len == session->early_alpn_len &&
OPENSSL_memcmp(ssl->s3->alpn_selected, session->early_alpn,
ssl->s3->alpn_selected_len) == 0) {
@@ -396,7 +396,7 @@
ssl->s3->session_reused = 1;
- /* Resumption incorporates fresh key material, so refresh the timeout. */
+ // Resumption incorporates fresh key material, so refresh the timeout.
ssl_session_renew_timeout(ssl, hs->new_session.get(),
ssl->session_ctx->session_psk_dhe_timeout);
break;
@@ -410,7 +410,7 @@
return ssl_hs_pending_ticket;
}
- /* Record connection properties in the new session. */
+ // Record connection properties in the new session.
hs->new_session->cipher = hs->new_cipher;
if (hs->hostname != NULL) {
@@ -422,7 +422,7 @@
}
}
- /* Store the initial negotiated ALPN in the session. */
+ // Store the initial negotiated ALPN in the session.
if (ssl->s3->alpn_selected != NULL) {
hs->new_session->early_alpn = (uint8_t *)BUF_memdup(
ssl->s3->alpn_selected, ssl->s3->alpn_selected_len);
@@ -435,13 +435,13 @@
if (ssl->ctx->dos_protection_cb != NULL &&
ssl->ctx->dos_protection_cb(&client_hello) == 0) {
- /* Connection rejected for DOS reasons. */
+ // Connection rejected for DOS reasons.
OPENSSL_PUT_ERROR(SSL, SSL_R_CONNECTION_REJECTED);
ssl3_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_INTERNAL_ERROR);
return ssl_hs_error;
}
- /* Incorporate the PSK into the running secret. */
+ // Incorporate the PSK into the running secret.
if (ssl->s3->session_reused) {
if (!tls13_advance_key_schedule(hs, hs->new_session->master_key,
hs->new_session->master_key_length)) {
@@ -459,7 +459,7 @@
ssl->s3->skip_early_data = 1;
}
- /* Resolve ECDHE and incorporate it into the secret. */
+ // Resolve ECDHE and incorporate it into the secret.
int need_retry;
if (!resolve_ecdhe_secret(hs, &need_retry, &client_hello)) {
if (need_retry) {
@@ -517,7 +517,7 @@
int need_retry;
if (!resolve_ecdhe_secret(hs, &need_retry, &client_hello)) {
if (need_retry) {
- /* Only send one HelloRetryRequest. */
+ // Only send one HelloRetryRequest.
ssl3_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_ILLEGAL_PARAMETER);
OPENSSL_PUT_ERROR(SSL, SSL_R_WRONG_CURVE);
}
@@ -541,7 +541,7 @@
version = TLS1_2_VERSION;
}
- /* Send a ServerHello. */
+ // Send a ServerHello.
ScopedCBB cbb;
CBB body, extensions, session_id;
if (!ssl->method->init_message(ssl, cbb.get(), &body, SSL3_MT_SERVER_HELLO) ||
@@ -567,14 +567,14 @@
return ssl_hs_error;
}
- /* Derive and enable the handshake traffic secrets. */
+ // Derive and enable the handshake traffic secrets.
if (!tls13_derive_handshake_secrets(hs) ||
!tls13_set_traffic_key(ssl, evp_aead_seal, hs->server_handshake_secret,
hs->hash_len)) {
return ssl_hs_error;
}
- /* Send EncryptedExtensions. */
+ // Send EncryptedExtensions.
if (!ssl->method->init_message(ssl, cbb.get(), &body,
SSL3_MT_ENCRYPTED_EXTENSIONS) ||
!ssl_add_serverhello_tlsext(hs, &body) ||
@@ -583,16 +583,16 @@
}
if (!ssl->s3->session_reused) {
- /* Determine whether to request a client certificate. */
+ // Determine whether to request a client certificate.
hs->cert_request = !!(ssl->verify_mode & SSL_VERIFY_PEER);
- /* Only request a certificate if Channel ID isn't negotiated. */
+ // Only request a certificate if Channel ID isn't negotiated.
if ((ssl->verify_mode & SSL_VERIFY_PEER_IF_NO_OBC) &&
ssl->s3->tlsext_channel_id_valid) {
hs->cert_request = 0;
}
}
- /* Send a CertificateRequest, if necessary. */
+ // Send a CertificateRequest, if necessary.
if (hs->cert_request) {
CBB sigalgs_cbb;
if (!ssl->method->init_message(ssl, cbb.get(), &body,
@@ -607,7 +607,7 @@
}
}
- /* Send the server Certificate message, if necessary. */
+ // Send the server Certificate message, if necessary.
if (!ssl->s3->session_reused) {
if (!ssl_has_certificate(ssl)) {
OPENSSL_PUT_ERROR(SSL, SSL_R_NO_CERTIFICATE_SET);
@@ -647,7 +647,7 @@
static enum ssl_hs_wait_t do_send_server_finished(SSL_HANDSHAKE *hs) {
SSL *const ssl = hs->ssl;
if (!tls13_add_finished(hs) ||
- /* Update the secret to the master secret and derive traffic keys. */
+ // Update the secret to the master secret and derive traffic keys.
!tls13_advance_key_schedule(hs, kZeroes, hs->hash_len) ||
!tls13_derive_application_secrets(hs) ||
!tls13_set_traffic_key(ssl, evp_aead_seal, hs->server_traffic_secret_0,
@@ -656,10 +656,10 @@
}
if (ssl->early_data_accepted) {
- /* If accepting 0-RTT, we send tickets half-RTT. This gets the tickets on
- * the wire sooner and also avoids triggering a write on |SSL_read| when
- * processing the client Finished. This requires computing the client
- * Finished early. See draft-ietf-tls-tls13-18, section 4.5.1. */
+ // If accepting 0-RTT, we send tickets half-RTT. This gets the tickets on
+ // the wire sooner and also avoids triggering a write on |SSL_read| when
+ // processing the client Finished. This requires computing the client
+ // Finished early. See draft-ietf-tls-tls13-18, section 4.5.1.
size_t finished_len;
if (!tls13_finished_mac(hs, hs->expected_client_finished, &finished_len,
0 /* client */)) {
@@ -671,10 +671,10 @@
return ssl_hs_error;
}
- /* Feed the predicted Finished into the transcript. This allows us to derive
- * the resumption secret early and send half-RTT tickets.
- *
- * TODO(davidben): This will need to be updated for DTLS 1.3. */
+ // Feed the predicted Finished into the transcript. This allows us to derive
+ // the resumption secret early and send half-RTT tickets.
+ //
+ // TODO(davidben): This will need to be updated for DTLS 1.3.
assert(!SSL_is_dtls(hs->ssl));
assert(hs->hash_len <= 0xff);
uint8_t header[4] = {SSL3_MT_FINISHED, 0, 0,
@@ -710,8 +710,8 @@
static enum ssl_hs_wait_t do_process_end_of_early_data(SSL_HANDSHAKE *hs) {
hs->tls13_state = state_process_change_cipher_spec;
- /* If early data was accepted, the ChangeCipherSpec message will be in the
- * discarded early data. */
+ // If early data was accepted, the ChangeCipherSpec message will be in the
+ // discarded early data.
if (hs->early_data_offered && !hs->ssl->early_data_accepted) {
return ssl_hs_ok;
}
@@ -734,11 +734,11 @@
static enum ssl_hs_wait_t do_read_client_certificate(SSL_HANDSHAKE *hs) {
SSL *const ssl = hs->ssl;
if (!hs->cert_request) {
- /* OpenSSL returns X509_V_OK when no certificates are requested. This is
- * classed by them as a bug, but it's assumed by at least NGINX. */
+ // OpenSSL returns X509_V_OK when no certificates are requested. This is
+ // classed by them as a bug, but it's assumed by at least NGINX.
hs->new_session->verify_result = X509_V_OK;
- /* Skip this state. */
+ // Skip this state.
hs->tls13_state = state_read_channel_id;
return ssl_hs_ok;
}
@@ -764,7 +764,7 @@
SSL_HANDSHAKE *hs) {
SSL *const ssl = hs->ssl;
if (sk_CRYPTO_BUFFER_num(hs->new_session->certs) == 0) {
- /* Skip this state. */
+ // Skip this state.
hs->tls13_state = state_read_channel_id;
return ssl_hs_ok;
}
@@ -824,10 +824,10 @@
return ssl_hs_read_message;
}
if (!ssl_check_message_type(ssl, msg, SSL3_MT_FINISHED) ||
- /* If early data was accepted, we've already computed the client Finished
- * and derived the resumption secret. */
+ // If early data was accepted, we've already computed the client Finished
+ // and derived the resumption secret.
!tls13_process_finished(hs, msg, ssl->early_data_accepted) ||
- /* evp_aead_seal keys have already been switched. */
+ // evp_aead_seal keys have already been switched.
!tls13_set_traffic_key(ssl, evp_aead_open, hs->client_traffic_secret_0,
hs->hash_len)) {
return ssl_hs_error;
@@ -839,10 +839,10 @@
return ssl_hs_error;
}
- /* We send post-handshake tickets as part of the handshake in 1-RTT. */
+ // We send post-handshake tickets as part of the handshake in 1-RTT.
hs->tls13_state = state_send_new_session_ticket;
} else {
- /* We already sent half-RTT tickets. */
+ // We already sent half-RTT tickets.
hs->tls13_state = state_done;
}
@@ -851,8 +851,8 @@
}
static enum ssl_hs_wait_t do_send_new_session_ticket(SSL_HANDSHAKE *hs) {
- /* If the client doesn't accept resumption with PSK_DHE_KE, don't send a
- * session ticket. */
+ // If the client doesn't accept resumption with PSK_DHE_KE, don't send a
+ // session ticket.
if (!hs->accept_psk_mode) {
hs->tls13_state = state_done;
return ssl_hs_ok;
diff --git a/ssl/tls_method.cc b/ssl/tls_method.cc
index 2fe4be3..286bf03 100644
--- a/ssl/tls_method.cc
+++ b/ssl/tls_method.cc
@@ -70,15 +70,15 @@
static int ssl3_supports_cipher(const SSL_CIPHER *cipher) { return 1; }
static void ssl3_on_handshake_complete(SSL *ssl) {
- /* The handshake should have released its final message. */
+ // The handshake should have released its final message.
assert(!ssl->s3->has_message);
- /* During the handshake, |init_buf| is retained. Release if it there is no
- * excess in it.
- *
- * TODO(davidben): The second check is always true but will not be once we
- * switch to copying the entire handshake record. Replace this comment with an
- * explanation when that happens and a TODO to reject it. */
+ // During the handshake, |init_buf| is retained. Release if it there is no
+ // excess in it.
+ //
+ // TODO(davidben): The second check is always true but will not be once we
+ // switch to copying the entire handshake record. Replace this comment with an
+ // explanation when that happens and a TODO to reject it.
if (ssl->init_buf != NULL && ssl->init_buf->length == 0) {
BUF_MEM_free(ssl->init_buf);
ssl->init_buf = NULL;
@@ -87,7 +87,7 @@
static int ssl3_set_read_state(SSL *ssl, UniquePtr<SSLAEADContext> aead_ctx) {
if (ssl->s3->rrec.length != 0) {
- /* There may not be unprocessed record data at a cipher change. */
+ // There may not be unprocessed record data at a cipher change.
OPENSSL_PUT_ERROR(SSL, SSL_R_BUFFERED_MESSAGES_ON_CIPHER_CHANGE);
ssl3_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_UNEXPECTED_MESSAGE);
return 0;
@@ -212,7 +212,7 @@
return &kMethod;
}
-/* Legacy version-locked methods. */
+// Legacy version-locked methods.
const SSL_METHOD *TLSv1_2_method(void) {
static const SSL_METHOD kMethod = {
@@ -250,7 +250,7 @@
return &kMethod;
}
-/* Legacy side-specific methods. */
+// Legacy side-specific methods.
const SSL_METHOD *TLSv1_2_server_method(void) {
return TLSv1_2_method();
diff --git a/ssl/tls_record.cc b/ssl/tls_record.cc
index f8bb521..eed6431 100644
--- a/ssl/tls_record.cc
+++ b/ssl/tls_record.cc
@@ -121,25 +121,25 @@
namespace bssl {
-/* kMaxEmptyRecords is the number of consecutive, empty records that will be
- * processed. Without this limit an attacker could send empty records at a
- * faster rate than we can process and cause record processing to loop
- * forever. */
+// kMaxEmptyRecords is the number of consecutive, empty records that will be
+// processed. Without this limit an attacker could send empty records at a
+// faster rate than we can process and cause record processing to loop
+// forever.
static const uint8_t kMaxEmptyRecords = 32;
-/* kMaxEarlyDataSkipped is the maximum number of rejected early data bytes that
- * will be skipped. Without this limit an attacker could send records at a
- * faster rate than we can process and cause trial decryption to loop forever.
- * This value should be slightly above kMaxEarlyDataAccepted, which is measured
- * in plaintext. */
+// kMaxEarlyDataSkipped is the maximum number of rejected early data bytes that
+// will be skipped. Without this limit an attacker could send records at a
+// faster rate than we can process and cause trial decryption to loop forever.
+// This value should be slightly above kMaxEarlyDataAccepted, which is measured
+// in plaintext.
static const size_t kMaxEarlyDataSkipped = 16384;
-/* kMaxWarningAlerts is the number of consecutive warning alerts that will be
- * processed. */
+// kMaxWarningAlerts is the number of consecutive warning alerts that will be
+// processed.
static const uint8_t kMaxWarningAlerts = 4;
-/* ssl_needs_record_splitting returns one if |ssl|'s current outgoing cipher
- * state needs record-splitting and zero otherwise. */
+// ssl_needs_record_splitting returns one if |ssl|'s current outgoing cipher
+// state needs record-splitting and zero otherwise.
static int ssl_needs_record_splitting(const SSL *ssl) {
#if !defined(BORINGSSL_UNSAFE_FUZZER_MODE)
return !ssl->s3->aead_write_ctx->is_null_cipher() &&
@@ -195,7 +195,7 @@
CBS cbs;
CBS_init(&cbs, in, in_len);
- /* Decode the record header. */
+ // Decode the record header.
uint8_t type;
uint16_t version, ciphertext_len;
if (!CBS_get_u8(&cbs, &type) ||
@@ -207,14 +207,14 @@
int version_ok;
if (ssl->s3->aead_read_ctx->is_null_cipher()) {
- /* Only check the first byte. Enforcing beyond that can prevent decoding
- * version negotiation failure alerts. */
+ // Only check the first byte. Enforcing beyond that can prevent decoding
+ // version negotiation failure alerts.
version_ok = (version >> 8) == SSL3_VERSION_MAJOR;
} else if (ssl3_protocol_version(ssl) < TLS1_3_VERSION) {
- /* Earlier versions of TLS switch the record version. */
+ // Earlier versions of TLS switch the record version.
version_ok = version == ssl->version;
} else {
- /* Starting TLS 1.3, the version field is frozen at {3, 1}. */
+ // Starting TLS 1.3, the version field is frozen at {3, 1}.
version_ok = version == TLS1_VERSION;
}
@@ -224,14 +224,14 @@
return ssl_open_record_error;
}
- /* Check the ciphertext length. */
+ // Check the ciphertext length.
if (ciphertext_len > SSL3_RT_MAX_ENCRYPTED_LENGTH) {
OPENSSL_PUT_ERROR(SSL, SSL_R_ENCRYPTED_LENGTH_TOO_LONG);
*out_alert = SSL_AD_RECORD_OVERFLOW;
return ssl_open_record_error;
}
- /* Extract the body. */
+ // Extract the body.
CBS body;
if (!CBS_get_bytes(&cbs, &body, ciphertext_len)) {
*out_consumed = SSL3_RT_HEADER_LENGTH + (size_t)ciphertext_len;
@@ -243,15 +243,15 @@
*out_consumed = in_len - CBS_len(&cbs);
- /* Skip early data received when expecting a second ClientHello if we rejected
- * 0RTT. */
+ // Skip early data received when expecting a second ClientHello if we rejected
+ // 0RTT.
if (ssl->s3->skip_early_data &&
ssl->s3->aead_read_ctx->is_null_cipher() &&
type == SSL3_RT_APPLICATION_DATA) {
goto skipped_data;
}
- /* Decrypt the body in-place. */
+ // Decrypt the body in-place.
if (!ssl->s3->aead_read_ctx->Open(out, type, version, ssl->s3->read_sequence,
(uint8_t *)CBS_data(&body),
CBS_len(&body))) {
@@ -272,10 +272,10 @@
return ssl_open_record_error;
}
- /* TLS 1.3 hides the record type inside the encrypted data. */
+ // TLS 1.3 hides the record type inside the encrypted data.
if (!ssl->s3->aead_read_ctx->is_null_cipher() &&
ssl->s3->aead_read_ctx->version() >= TLS1_3_VERSION) {
- /* The outer record type is always application_data. */
+ // The outer record type is always application_data.
if (type != SSL3_RT_APPLICATION_DATA) {
OPENSSL_PUT_ERROR(SSL, SSL_R_INVALID_OUTER_RECORD_TYPE);
*out_alert = SSL_AD_DECODE_ERROR;
@@ -291,14 +291,14 @@
} while (type == 0);
}
- /* Check the plaintext length. */
+ // Check the plaintext length.
if (CBS_len(out) > SSL3_RT_MAX_PLAIN_LENGTH) {
OPENSSL_PUT_ERROR(SSL, SSL_R_DATA_LENGTH_TOO_LONG);
*out_alert = SSL_AD_RECORD_OVERFLOW;
return ssl_open_record_error;
}
- /* Limit the number of consecutive empty records. */
+ // Limit the number of consecutive empty records.
if (CBS_len(out) == 0) {
ssl->s3->empty_record_count++;
if (ssl->s3->empty_record_count > kMaxEmptyRecords) {
@@ -306,14 +306,14 @@
*out_alert = SSL_AD_UNEXPECTED_MESSAGE;
return ssl_open_record_error;
}
- /* Apart from the limit, empty records are returned up to the caller. This
- * allows the caller to reject records of the wrong type. */
+ // Apart from the limit, empty records are returned up to the caller. This
+ // allows the caller to reject records of the wrong type.
} else {
ssl->s3->empty_record_count = 0;
}
if (type == SSL3_RT_ALERT) {
- /* Return end_of_early_data alerts as-is for the caller to process. */
+ // Return end_of_early_data alerts as-is for the caller to process.
if (CBS_len(out) == 2 &&
CBS_data(out)[0] == SSL3_AL_WARNING &&
CBS_data(out)[1] == TLS1_AD_END_OF_EARLY_DATA) {
@@ -351,7 +351,7 @@
size_t extra_in_len = 0;
if (!ssl->s3->aead_write_ctx->is_null_cipher() &&
ssl->s3->aead_write_ctx->version() >= TLS1_3_VERSION) {
- /* TLS 1.3 hides the actual record type inside the encrypted data. */
+ // TLS 1.3 hides the actual record type inside the encrypted data.
extra_in = &type;
extra_in_len = 1;
}
@@ -379,10 +379,10 @@
out_prefix[0] = type;
}
- /* The TLS record-layer version number is meaningless and, starting in
- * TLS 1.3, is frozen at TLS 1.0. But for historical reasons, SSL 3.0
- * ClientHellos should use SSL 3.0 and pre-TLS-1.3 expects the version
- * to change after version negotiation. */
+ // The TLS record-layer version number is meaningless and, starting in
+ // TLS 1.3, is frozen at TLS 1.0. But for historical reasons, SSL 3.0
+ // ClientHellos should use SSL 3.0 and pre-TLS-1.3 expects the version
+ // to change after version negotiation.
uint16_t wire_version = TLS1_VERSION;
if (ssl->s3->hs != NULL && ssl->s3->hs->max_version == SSL3_VERSION) {
wire_version = SSL3_VERSION;
@@ -413,10 +413,10 @@
size_t ret = SSL3_RT_HEADER_LENGTH;
if (type == SSL3_RT_APPLICATION_DATA && in_len > 1 &&
ssl_needs_record_splitting(ssl)) {
- /* In the case of record splitting, the 1-byte record (of the 1/n-1 split)
- * will be placed in the prefix, as will four of the five bytes of the
- * record header for the main record. The final byte will replace the first
- * byte of the plaintext that was used in the small record. */
+ // In the case of record splitting, the 1-byte record (of the 1/n-1 split)
+ // will be placed in the prefix, as will four of the five bytes of the
+ // record header for the main record. The final byte will replace the first
+ // byte of the plaintext that was used in the small record.
ret += ssl_cipher_get_record_split_len(ssl->s3->aead_write_ctx->cipher());
ret += SSL3_RT_HEADER_LENGTH - 1;
} else {
@@ -430,26 +430,26 @@
size_t extra_in_len = 0;
if (!ssl->s3->aead_write_ctx->is_null_cipher() &&
ssl->s3->aead_write_ctx->version() >= TLS1_3_VERSION) {
- /* TLS 1.3 adds an extra byte for encrypted record type. */
+ // TLS 1.3 adds an extra byte for encrypted record type.
extra_in_len = 1;
}
if (type == SSL3_RT_APPLICATION_DATA && // clang-format off
in_len > 1 &&
ssl_needs_record_splitting(ssl)) {
- /* With record splitting enabled, the first byte gets sealed into a separate
- * record which is written into the prefix. */
+ // With record splitting enabled, the first byte gets sealed into a separate
+ // record which is written into the prefix.
in_len -= 1;
}
return ssl->s3->aead_write_ctx->SuffixLen(out_suffix_len, in_len, extra_in_len);
}
-/* tls_seal_scatter_record seals a new record of type |type| and body |in| and
- * splits it between |out_prefix|, |out|, and |out_suffix|. Exactly
- * |tls_seal_scatter_prefix_len| bytes are written to |out_prefix|, |in_len|
- * bytes to |out|, and |tls_seal_scatter_suffix_len| bytes to |out_suffix|. It
- * returns one on success and zero on error. If enabled,
- * |tls_seal_scatter_record| implements TLS 1.0 CBC 1/n-1 record splitting and
- * may write two records concatenated. */
+// tls_seal_scatter_record seals a new record of type |type| and body |in| and
+// splits it between |out_prefix|, |out|, and |out_suffix|. Exactly
+// |tls_seal_scatter_prefix_len| bytes are written to |out_prefix|, |in_len|
+// bytes to |out|, and |tls_seal_scatter_suffix_len| bytes to |out_suffix|. It
+// returns one on success and zero on error. If enabled,
+// |tls_seal_scatter_record| implements TLS 1.0 CBC 1/n-1 record splitting and
+// may write two records concatenated.
static int tls_seal_scatter_record(SSL *ssl, uint8_t *out_prefix, uint8_t *out,
uint8_t *out_suffix, uint8_t type,
const uint8_t *in, size_t in_len) {
@@ -458,7 +458,7 @@
assert(ssl->s3->aead_write_ctx->ExplicitNonceLen() == 0);
const size_t prefix_len = SSL3_RT_HEADER_LENGTH;
- /* Write the 1-byte fragment into |out_prefix|. */
+ // Write the 1-byte fragment into |out_prefix|.
uint8_t *split_body = out_prefix + prefix_len;
uint8_t *split_suffix = split_body + 1;
@@ -477,8 +477,8 @@
ssl->s3->aead_write_ctx->cipher()) ==
split_record_len);
- /* Write the n-1-byte fragment. The header gets split between |out_prefix|
- * (header[:-1]) and |out| (header[-1:]). */
+ // Write the n-1-byte fragment. The header gets split between |out_prefix|
+ // (header[:-1]) and |out| (header[-1:]).
uint8_t tmp_prefix[SSL3_RT_HEADER_LENGTH];
if (!do_seal_record(ssl, tmp_prefix, out + 1, out_suffix, type, in + 1,
in_len - 1)) {
@@ -530,7 +530,7 @@
enum ssl_open_record_t ssl_process_alert(SSL *ssl, uint8_t *out_alert,
const uint8_t *in, size_t in_len) {
- /* Alerts records may not contain fragmented or multiple alerts. */
+ // Alerts records may not contain fragmented or multiple alerts.
if (in_len != 2) {
*out_alert = SSL_AD_DECODE_ERROR;
OPENSSL_PUT_ERROR(SSL, SSL_R_BAD_ALERT);
@@ -551,7 +551,7 @@
return ssl_open_record_close_notify;
}
- /* Warning alerts do not exist in TLS 1.3. */
+ // Warning alerts do not exist in TLS 1.3.
if (ssl->s3->have_version &&
ssl3_protocol_version(ssl) >= TLS1_3_VERSION) {
*out_alert = SSL_AD_DECODE_ERROR;
@@ -677,7 +677,7 @@
size_t ret = SSL3_RT_HEADER_LENGTH;
ret += ssl->s3->aead_write_ctx->MaxOverhead();
- /* TLS 1.3 needs an extra byte for the encrypted record type. */
+ // TLS 1.3 needs an extra byte for the encrypted record type.
if (!ssl->s3->aead_write_ctx->is_null_cipher() &&
ssl->s3->aead_write_ctx->version() >= TLS1_3_VERSION) {
ret += 1;
