From c11ea942b7e94614655be1bc0e16eba33dc125d2 Mon Sep 17 00:00:00 2001 From: David Benjamin Date: Tue, 29 Aug 2017 16:33:21 -0400 Subject: [PATCH] Convert comments in ssl. That's the last of it! Change-Id: I93d1f5ab7e95b2ad105c34b24297a0bf77625263 Reviewed-on: https://boringssl-review.googlesource.com/19784 Reviewed-by: David Benjamin Commit-Queue: David Benjamin CQ-Verified: CQ bot account: commit-bot@chromium.org --- ssl/custom_extensions.cc | 22 +- ssl/d1_both.cc | 166 ++-- ssl/d1_lib.cc | 48 +- ssl/d1_pkt.cc | 54 +- ssl/d1_srtp.cc | 4 +- ssl/dtls_method.cc | 12 +- ssl/dtls_record.cc | 50 +- ssl/handshake.cc | 94 +- ssl/handshake_client.cc | 241 +++-- ssl/handshake_server.cc | 260 +++-- ssl/internal.h | 1978 +++++++++++++++++++------------------- ssl/s3_both.cc | 84 +- ssl/s3_lib.cc | 10 +- ssl/s3_pkt.cc | 101 +- ssl/ssl_aead_ctx.cc | 52 +- ssl/ssl_asn1.cc | 153 ++- ssl/ssl_buffer.cc | 58 +- ssl/ssl_cert.cc | 80 +- ssl/ssl_cipher.cc | 284 +++--- ssl/ssl_file.cc | 32 +- ssl/ssl_key_share.cc | 12 +- ssl/ssl_lib.cc | 308 +++--- ssl/ssl_privkey.cc | 38 +- ssl/ssl_session.cc | 161 ++-- ssl/ssl_test.cc | 28 +- ssl/ssl_transcript.cc | 18 +- ssl/ssl_versions.cc | 64 +- ssl/ssl_x509.cc | 80 +- ssl/t1_enc.cc | 44 +- ssl/t1_lib.cc | 596 ++++++------ ssl/test/bssl_shim.cc | 6 +- ssl/tls13_both.cc | 44 +- ssl/tls13_client.cc | 70 +- ssl/tls13_enc.cc | 30 +- ssl/tls13_server.cc | 150 +-- ssl/tls_method.cc | 20 +- ssl/tls_record.cc | 110 +-- 37 files changed, 2778 insertions(+), 2784 deletions(-) diff --git a/ssl/custom_extensions.cc b/ssl/custom_extensions.cc index dff7041b..c22f4fe8 100644 --- a/ssl/custom_extensions.cc +++ b/ssl/custom_extensions.cc @@ -47,9 +47,9 @@ static const SSL_CUSTOM_EXTENSION *custom_ext_find( return NULL; } -/* default_add_callback is used as the |add_callback| when the user doesn't - * provide one. For servers, it does nothing while, for clients, it causes an - * empty extension to be included. */ +// default_add_callback is used as the |add_callback| when the user doesn't +// provide one. For servers, it does nothing while, for clients, it causes an +// empty extension to be included. static int default_add_callback(SSL *ssl, unsigned extension_value, const uint8_t **out, size_t *out_len, int *out_alert_value, void *add_arg) { @@ -76,7 +76,7 @@ static int custom_ext_add_hello(SSL_HANDSHAKE *hs, CBB *extensions) { if (ssl->server && !(hs->custom_extensions.received & (1u << i))) { - /* Servers cannot echo extensions that the client didn't send. */ + // Servers cannot echo extensions that the client didn't send. continue; } @@ -135,9 +135,9 @@ int custom_ext_parse_serverhello(SSL_HANDSHAKE *hs, int *out_alert, const SSL_CUSTOM_EXTENSION *ext = custom_ext_find(ssl->ctx->client_custom_extensions, &index, value); - if (/* Unknown extensions are not allowed in a ServerHello. */ + if (// Unknown extensions are not allowed in a ServerHello. ext == NULL || - /* Also, if we didn't send the extension, that's also unacceptable. */ + // Also, if we didn't send the extension, that's also unacceptable. !(hs->custom_extensions.sent & (1u << index))) { OPENSSL_PUT_ERROR(SSL, SSL_R_UNEXPECTED_EXTENSION); ERR_add_error_dataf("extension %u", (unsigned)value); @@ -185,9 +185,9 @@ int custom_ext_add_serverhello(SSL_HANDSHAKE *hs, CBB *extensions) { return custom_ext_add_hello(hs, extensions); } -/* MAX_NUM_CUSTOM_EXTENSIONS is the maximum number of custom extensions that - * can be set on an |SSL_CTX|. It's determined by the size of the bitset used - * to track when an extension has been sent. */ +// MAX_NUM_CUSTOM_EXTENSIONS is the maximum number of custom extensions that +// can be set on an |SSL_CTX|. It's determined by the size of the bitset used +// to track when an extension has been sent. #define MAX_NUM_CUSTOM_EXTENSIONS \ (sizeof(((SSL_HANDSHAKE *)NULL)->custom_extensions.sent) * 8) @@ -200,8 +200,8 @@ static int custom_ext_append(STACK_OF(SSL_CUSTOM_EXTENSION) **stack, if (add_cb == NULL || 0xffff < extension_value || SSL_extension_supported(extension_value) || - /* Specifying a free callback without an add callback is nonsensical - * and an error. */ + // Specifying a free callback without an add callback is nonsensical + // and an error. (*stack != NULL && (MAX_NUM_CUSTOM_EXTENSIONS <= sk_SSL_CUSTOM_EXTENSION_num(*stack) || custom_ext_find(*stack, NULL, extension_value) != NULL))) { diff --git a/ssl/d1_both.cc b/ssl/d1_both.cc index 71a7161a..cb447df0 100644 --- a/ssl/d1_both.cc +++ b/ssl/d1_both.cc @@ -129,20 +129,20 @@ namespace bssl { -/* TODO(davidben): 28 comes from the size of IP + UDP header. Is this reasonable - * for these values? Notably, why is kMinMTU a function of the transport - * protocol's overhead rather than, say, what's needed to hold a minimally-sized - * handshake fragment plus protocol overhead. */ +// TODO(davidben): 28 comes from the size of IP + UDP header. Is this reasonable +// for these values? Notably, why is kMinMTU a function of the transport +// protocol's overhead rather than, say, what's needed to hold a minimally-sized +// handshake fragment plus protocol overhead. -/* kMinMTU is the minimum acceptable MTU value. */ +// kMinMTU is the minimum acceptable MTU value. static const unsigned int kMinMTU = 256 - 28; -/* kDefaultMTU is the default MTU value to use if neither the user nor - * the underlying BIO supplies one. */ +// kDefaultMTU is the default MTU value to use if neither the user nor +// the underlying BIO supplies one. static const unsigned int kDefaultMTU = 1500 - 28; -/* Receiving handshake messages. */ +// Receiving handshake messages. static void dtls1_hm_fragment_free(hm_fragment *frag) { if (frag == NULL) { @@ -165,7 +165,7 @@ static hm_fragment *dtls1_hm_fragment_new(const struct hm_header_st *msg_hdr) { frag->seq = msg_hdr->seq; frag->msg_len = msg_hdr->msg_len; - /* Allocate space for the reassembled message and fill in the header. */ + // Allocate space for the reassembled message and fill in the header. frag->data = (uint8_t *)OPENSSL_malloc(DTLS1_HM_HEADER_LENGTH + msg_hdr->msg_len); if (frag->data == NULL) { @@ -184,9 +184,9 @@ static hm_fragment *dtls1_hm_fragment_new(const struct hm_header_st *msg_hdr) { goto err; } - /* If the handshake message is empty, |frag->reassembly| is NULL. */ + // If the handshake message is empty, |frag->reassembly| is NULL. if (msg_hdr->msg_len > 0) { - /* Initialize reassembly bitmask. */ + // Initialize reassembly bitmask. if (msg_hdr->msg_len + 7 < msg_hdr->msg_len) { OPENSSL_PUT_ERROR(SSL, ERR_R_OVERFLOW); goto err; @@ -207,16 +207,16 @@ err: return NULL; } -/* bit_range returns a |uint8_t| with bits |start|, inclusive, to |end|, - * exclusive, set. */ +// bit_range returns a |uint8_t| with bits |start|, inclusive, to |end|, +// exclusive, set. static uint8_t bit_range(size_t start, size_t end) { return (uint8_t)(~((1u << start) - 1) & ((1u << end) - 1)); } -/* dtls1_hm_fragment_mark marks bytes |start|, inclusive, to |end|, exclusive, - * as received in |frag|. If |frag| becomes complete, it clears - * |frag->reassembly|. The range must be within the bounds of |frag|'s message - * and |frag->reassembly| must not be NULL. */ +// dtls1_hm_fragment_mark marks bytes |start|, inclusive, to |end|, exclusive, +// as received in |frag|. If |frag| becomes complete, it clears +// |frag->reassembly|. The range must be within the bounds of |frag|'s message +// and |frag->reassembly| must not be NULL. static void dtls1_hm_fragment_mark(hm_fragment *frag, size_t start, size_t end) { size_t msg_len = frag->msg_len; @@ -225,7 +225,7 @@ static void dtls1_hm_fragment_mark(hm_fragment *frag, size_t start, assert(0); return; } - /* A zero-length message will never have a pending reassembly. */ + // A zero-length message will never have a pending reassembly. assert(msg_len > 0); if ((start >> 3) == (end >> 3)) { @@ -240,7 +240,7 @@ static void dtls1_hm_fragment_mark(hm_fragment *frag, size_t start, } } - /* Check if the fragment is complete. */ + // Check if the fragment is complete. for (size_t i = 0; i < (msg_len >> 3); i++) { if (frag->reassembly[i] != 0xff) { return; @@ -255,18 +255,18 @@ static void dtls1_hm_fragment_mark(hm_fragment *frag, size_t start, frag->reassembly = NULL; } -/* dtls1_is_current_message_complete returns one if the current handshake - * message is complete and zero otherwise. */ +// dtls1_is_current_message_complete returns one if the current handshake +// message is complete and zero otherwise. static int dtls1_is_current_message_complete(const SSL *ssl) { hm_fragment *frag = ssl->d1->incoming_messages[ssl->d1->handshake_read_seq % SSL_MAX_HANDSHAKE_FLIGHT]; return frag != NULL && frag->reassembly == NULL; } -/* dtls1_get_incoming_message returns the incoming message corresponding to - * |msg_hdr|. If none exists, it creates a new one and inserts it in the - * queue. Otherwise, it checks |msg_hdr| is consistent with the existing one. It - * returns NULL on failure. The caller does not take ownership of the result. */ +// dtls1_get_incoming_message returns the incoming message corresponding to +// |msg_hdr|. If none exists, it creates a new one and inserts it in the +// queue. Otherwise, it checks |msg_hdr| is consistent with the existing one. It +// returns NULL on failure. The caller does not take ownership of the result. static hm_fragment *dtls1_get_incoming_message( SSL *ssl, const struct hm_header_st *msg_hdr) { if (msg_hdr->seq < ssl->d1->handshake_read_seq || @@ -278,8 +278,8 @@ static hm_fragment *dtls1_get_incoming_message( hm_fragment *frag = ssl->d1->incoming_messages[idx]; if (frag != NULL) { assert(frag->seq == msg_hdr->seq); - /* The new fragment must be compatible with the previous fragments from this - * message. */ + // The new fragment must be compatible with the previous fragments from this + // message. if (frag->type != msg_hdr->type || frag->msg_len != msg_hdr->msg_len) { OPENSSL_PUT_ERROR(SSL, SSL_R_FRAGMENT_MISMATCH); @@ -289,7 +289,7 @@ static hm_fragment *dtls1_get_incoming_message( return frag; } - /* This is the first fragment from this message. */ + // This is the first fragment from this message. frag = dtls1_hm_fragment_new(msg_hdr); if (frag == NULL) { return NULL; @@ -309,22 +309,22 @@ int dtls1_read_message(SSL *ssl) { switch (rr->type) { case SSL3_RT_APPLICATION_DATA: - /* Unencrypted application data records are always illegal. */ + // Unencrypted application data records are always illegal. if (ssl->s3->aead_read_ctx->is_null_cipher()) { ssl3_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_UNEXPECTED_MESSAGE); OPENSSL_PUT_ERROR(SSL, SSL_R_UNEXPECTED_RECORD); return -1; } - /* Out-of-order application data may be received between ChangeCipherSpec - * and finished. Discard it. */ + // Out-of-order application data may be received between ChangeCipherSpec + // and finished. Discard it. rr->length = 0; ssl_read_buffer_discard(ssl); return 1; case SSL3_RT_CHANGE_CIPHER_SPEC: - /* We do not support renegotiation, so encrypted ChangeCipherSpec records - * are illegal. */ + // We do not support renegotiation, so encrypted ChangeCipherSpec records + // are illegal. if (!ssl->s3->aead_read_ctx->is_null_cipher()) { ssl3_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_UNEXPECTED_MESSAGE); OPENSSL_PUT_ERROR(SSL, SSL_R_UNEXPECTED_RECORD); @@ -337,7 +337,7 @@ int dtls1_read_message(SSL *ssl) { return -1; } - /* Flag the ChangeCipherSpec for later. */ + // Flag the ChangeCipherSpec for later. ssl->d1->has_change_cipher_spec = true; ssl_do_msg_callback(ssl, 0 /* read */, SSL3_RT_CHANGE_CIPHER_SPEC, rr->data, rr->length); @@ -347,7 +347,7 @@ int dtls1_read_message(SSL *ssl) { return 1; case SSL3_RT_HANDSHAKE: - /* Break out to main processing. */ + // Break out to main processing. break; default: @@ -360,7 +360,7 @@ int dtls1_read_message(SSL *ssl) { CBS_init(&cbs, rr->data, rr->length); while (CBS_len(&cbs) > 0) { - /* Read a handshake fragment. */ + // Read a handshake fragment. struct hm_header_st msg_hdr; CBS body; if (!dtls1_parse_fragment(&cbs, &msg_hdr, &body)) { @@ -380,7 +380,7 @@ int dtls1_read_message(SSL *ssl) { return -1; } - /* The encrypted epoch in DTLS has only one handshake message. */ + // The encrypted epoch in DTLS has only one handshake message. if (ssl->d1->r_epoch == 1 && msg_hdr.seq != ssl->d1->handshake_read_seq) { OPENSSL_PUT_ERROR(SSL, SSL_R_UNEXPECTED_RECORD); ssl3_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_UNEXPECTED_MESSAGE); @@ -390,7 +390,7 @@ int dtls1_read_message(SSL *ssl) { if (msg_hdr.seq < ssl->d1->handshake_read_seq || msg_hdr.seq > (unsigned)ssl->d1->handshake_read_seq + SSL_MAX_HANDSHAKE_FLIGHT) { - /* Ignore fragments from the past, or ones too far in the future. */ + // Ignore fragments from the past, or ones too far in the future. continue; } @@ -401,12 +401,12 @@ int dtls1_read_message(SSL *ssl) { assert(frag->msg_len == msg_len); if (frag->reassembly == NULL) { - /* The message is already assembled. */ + // The message is already assembled. continue; } assert(msg_len > 0); - /* Copy the body into the fragment. */ + // Copy the body into the fragment. OPENSSL_memcpy(frag->data + DTLS1_HM_HEADER_LENGTH + frag_off, CBS_data(&body), CBS_len(&body)); dtls1_hm_fragment_mark(frag, frag_off, frag_off + frag_len); @@ -444,8 +444,8 @@ void dtls1_next_message(SSL *ssl) { ssl->d1->incoming_messages[index] = NULL; ssl->d1->handshake_read_seq++; ssl->s3->has_message = 0; - /* If we previously sent a flight, mark it as having a reply, so - * |on_handshake_complete| can manage post-handshake retransmission. */ + // If we previously sent a flight, mark it as having a reply, so + // |on_handshake_complete| can manage post-handshake retransmission. if (ssl->d1->outgoing_messages_complete) { ssl->d1->flight_has_reply = true; } @@ -461,7 +461,7 @@ void dtls_clear_incoming_messages(SSL *ssl) { int dtls_has_incoming_messages(const SSL *ssl) { size_t current = ssl->d1->handshake_read_seq % SSL_MAX_HANDSHAKE_FLIGHT; for (size_t i = 0; i < SSL_MAX_HANDSHAKE_FLIGHT; i++) { - /* Skip the current message. */ + // Skip the current message. if (ssl->s3->has_message && i == current) { assert(dtls1_is_current_message_complete(ssl)); continue; @@ -490,7 +490,7 @@ int dtls1_parse_fragment(CBS *cbs, struct hm_header_st *out_hdr, } int dtls1_read_change_cipher_spec(SSL *ssl) { - /* Process handshake records until there is a ChangeCipherSpec. */ + // Process handshake records until there is a ChangeCipherSpec. while (!ssl->d1->has_change_cipher_spec) { int ret = dtls1_read_message(ssl); if (ret <= 0) { @@ -503,7 +503,7 @@ int dtls1_read_change_cipher_spec(SSL *ssl) { } -/* Sending handshake messages. */ +// Sending handshake messages. void dtls_clear_outgoing_messages(SSL *ssl) { for (size_t i = 0; i < ssl->d1->outgoing_messages_len; i++) { @@ -518,7 +518,7 @@ void dtls_clear_outgoing_messages(SSL *ssl) { } int dtls1_init_message(SSL *ssl, CBB *cbb, CBB *body, uint8_t type) { - /* Pick a modest size hint to save most of the |realloc| calls. */ + // Pick a modest size hint to save most of the |realloc| calls. if (!CBB_init(cbb, 64) || !CBB_add_u8(cbb, type) || !CBB_add_u24(cbb, 0 /* length (filled in later) */) || @@ -541,20 +541,20 @@ int dtls1_finish_message(SSL *ssl, CBB *cbb, uint8_t **out_msg, return 0; } - /* Fix up the header. Copy the fragment length into the total message - * length. */ + // Fix up the header. Copy the fragment length into the total message + // length. OPENSSL_memcpy(*out_msg + 1, *out_msg + DTLS1_HM_HEADER_LENGTH - 3, 3); return 1; } -/* add_outgoing adds a new handshake message or ChangeCipherSpec to the current - * outgoing flight. It returns one on success and zero on error. In both cases, - * it takes ownership of |data| and releases it with |OPENSSL_free| when - * done. */ +// add_outgoing adds a new handshake message or ChangeCipherSpec to the current +// outgoing flight. It returns one on success and zero on error. In both cases, +// it takes ownership of |data| and releases it with |OPENSSL_free| when +// done. static int add_outgoing(SSL *ssl, int is_ccs, uint8_t *data, size_t len) { if (ssl->d1->outgoing_messages_complete) { - /* If we've begun writing a new flight, we received the peer flight. Discard - * the timer and the our flight. */ + // If we've begun writing a new flight, we received the peer flight. Discard + // the timer and the our flight. dtls1_stop_timer(ssl); dtls_clear_outgoing_messages(ssl); } @@ -570,8 +570,8 @@ static int add_outgoing(SSL *ssl, int is_ccs, uint8_t *data, size_t len) { } if (!is_ccs) { - /* TODO(svaldez): Move this up a layer to fix abstraction for SSLTranscript - * on hs. */ + // TODO(svaldez): Move this up a layer to fix abstraction for SSLTranscript + // on hs. if (ssl->s3->hs != NULL && !ssl->s3->hs->transcript.Update(data, len)) { OPENSSL_PUT_ERROR(SSL, ERR_R_INTERNAL_ERROR); @@ -601,20 +601,20 @@ int dtls1_add_change_cipher_spec(SSL *ssl) { } int dtls1_add_alert(SSL *ssl, uint8_t level, uint8_t desc) { - /* The |add_alert| path is only used for warning alerts for now, which DTLS - * never sends. This will be implemented later once closure alerts are - * converted. */ + // The |add_alert| path is only used for warning alerts for now, which DTLS + // never sends. This will be implemented later once closure alerts are + // converted. assert(0); OPENSSL_PUT_ERROR(SSL, ERR_R_INTERNAL_ERROR); return 0; } -/* dtls1_update_mtu updates the current MTU from the BIO, ensuring it is above - * the minimum. */ +// dtls1_update_mtu updates the current MTU from the BIO, ensuring it is above +// the minimum. static void dtls1_update_mtu(SSL *ssl) { - /* TODO(davidben): No consumer implements |BIO_CTRL_DGRAM_SET_MTU| and the - * only |BIO_CTRL_DGRAM_QUERY_MTU| implementation could use - * |SSL_set_mtu|. Does this need to be so complex? */ + // TODO(davidben): No consumer implements |BIO_CTRL_DGRAM_SET_MTU| and the + // only |BIO_CTRL_DGRAM_QUERY_MTU| implementation could use + // |SSL_set_mtu|. Does this need to be so complex? if (ssl->d1->mtu < dtls1_min_mtu() && !(SSL_get_options(ssl) & SSL_OP_NO_QUERY_MTU)) { long mtu = BIO_ctrl(ssl->wbio, BIO_CTRL_DGRAM_QUERY_MTU, 0, NULL); @@ -626,7 +626,7 @@ static void dtls1_update_mtu(SSL *ssl) { } } - /* The MTU should be above the minimum now. */ + // The MTU should be above the minimum now. assert(ssl->d1->mtu >= dtls1_min_mtu()); } @@ -637,9 +637,9 @@ enum seal_result_t { seal_success, }; -/* seal_next_message seals |msg|, which must be the next message, to |out|. If - * progress was made, it returns |seal_partial| or |seal_success| and sets - * |*out_len| to the number of bytes written. */ +// seal_next_message seals |msg|, which must be the next message, to |out|. If +// progress was made, it returns |seal_partial| or |seal_success| and sets +// |*out_len| to the number of bytes written. static enum seal_result_t seal_next_message(SSL *ssl, uint8_t *out, size_t *out_len, size_t max_out, const DTLS_OUTGOING_MESSAGE *msg) { @@ -658,7 +658,7 @@ static enum seal_result_t seal_next_message(SSL *ssl, uint8_t *out, size_t prefix = dtls_seal_prefix_len(ssl, use_epoch); if (msg->is_ccs) { - /* Check there is room for the ChangeCipherSpec. */ + // Check there is room for the ChangeCipherSpec. static const uint8_t kChangeCipherSpec[1] = {SSL3_MT_CCS}; if (max_out < sizeof(kChangeCipherSpec) + overhead) { return seal_no_progress; @@ -675,7 +675,7 @@ static enum seal_result_t seal_next_message(SSL *ssl, uint8_t *out, return seal_success; } - /* DTLS messages are serialized as a single fragment in |msg|. */ + // DTLS messages are serialized as a single fragment in |msg|. CBS cbs, body; struct hm_header_st hdr; CBS_init(&cbs, msg->data, msg->len); @@ -689,7 +689,7 @@ static enum seal_result_t seal_next_message(SSL *ssl, uint8_t *out, return seal_error; } - /* Determine how much progress can be made. */ + // Determine how much progress can be made. if (max_out < DTLS1_HM_HEADER_LENGTH + 1 + overhead || max_out < prefix) { return seal_no_progress; } @@ -698,7 +698,7 @@ static enum seal_result_t seal_next_message(SSL *ssl, uint8_t *out, todo = max_out - DTLS1_HM_HEADER_LENGTH - overhead; } - /* Assemble a fragment, to be sealed in-place. */ + // Assemble a fragment, to be sealed in-place. ScopedCBB cbb; uint8_t *frag = out + prefix; size_t max_frag = max_out - prefix, frag_len; @@ -722,7 +722,7 @@ static enum seal_result_t seal_next_message(SSL *ssl, uint8_t *out, } if (todo == CBS_len(&body)) { - /* The next message is complete. */ + // The next message is complete. ssl->d1->outgoing_offset = 0; return seal_success; } @@ -731,9 +731,9 @@ static enum seal_result_t seal_next_message(SSL *ssl, uint8_t *out, return seal_partial; } -/* seal_next_packet writes as much of the next flight as possible to |out| and - * advances |ssl->d1->outgoing_written| and |ssl->d1->outgoing_offset| as - * appropriate. */ +// seal_next_packet writes as much of the next flight as possible to |out| and +// advances |ssl->d1->outgoing_written| and |ssl->d1->outgoing_offset| as +// appropriate. static int seal_next_packet(SSL *ssl, uint8_t *out, size_t *out_len, size_t max_out) { int made_progress = 0; @@ -767,7 +767,7 @@ static int seal_next_packet(SSL *ssl, uint8_t *out, size_t *out_len, } packet_full: - /* The MTU was too small to make any progress. */ + // The MTU was too small to make any progress. if (!made_progress) { OPENSSL_PUT_ERROR(SSL, SSL_R_MTU_TOO_SMALL); return 0; @@ -798,7 +798,7 @@ static int send_flight(SSL *ssl) { int bio_ret = BIO_write(ssl->wbio, packet, packet_len); if (bio_ret <= 0) { - /* Retry this packet the next time around. */ + // Retry this packet the next time around. ssl->d1->outgoing_written = old_written; ssl->d1->outgoing_offset = old_offset; ssl->rwstate = SSL_WRITING; @@ -821,16 +821,16 @@ err: int dtls1_flush_flight(SSL *ssl) { ssl->d1->outgoing_messages_complete = true; - /* Start the retransmission timer for the next flight (if any). */ + // Start the retransmission timer for the next flight (if any). dtls1_start_timer(ssl); return send_flight(ssl); } int dtls1_retransmit_outgoing_messages(SSL *ssl) { - /* Rewind to the start of the flight and write it again. - * - * TODO(davidben): This does not allow retransmits to be resumed on - * non-blocking write. */ + // Rewind to the start of the flight and write it again. + // + // TODO(davidben): This does not allow retransmits to be resumed on + // non-blocking write. ssl->d1->outgoing_written = 0; ssl->d1->outgoing_offset = 0; diff --git a/ssl/d1_lib.cc b/ssl/d1_lib.cc index 30110b44..ec5d4705 100644 --- a/ssl/d1_lib.cc +++ b/ssl/d1_lib.cc @@ -70,12 +70,12 @@ namespace bssl { -/* DTLS1_MTU_TIMEOUTS is the maximum number of timeouts to expire - * before starting to decrease the MTU. */ +// DTLS1_MTU_TIMEOUTS is the maximum number of timeouts to expire +// before starting to decrease the MTU. #define DTLS1_MTU_TIMEOUTS 2 -/* DTLS1_MAX_TIMEOUTS is the maximum number of timeouts to expire - * before failing the DTLS handshake. */ +// DTLS1_MAX_TIMEOUTS is the maximum number of timeouts to expire +// before failing the DTLS handshake. #define DTLS1_MAX_TIMEOUTS 12 int dtls1_new(SSL *ssl) { @@ -91,11 +91,11 @@ int dtls1_new(SSL *ssl) { ssl->d1 = d1; - /* Set the version to the highest supported version. - * - * TODO(davidben): Move this field into |s3|, have it store the normalized - * protocol version, and implement this pre-negotiation quirk in |SSL_version| - * at the API boundary rather than in internal state. */ + // Set the version to the highest supported version. + // + // TODO(davidben): Move this field into |s3|, have it store the normalized + // protocol version, and implement this pre-negotiation quirk in |SSL_version| + // at the API boundary rather than in internal state. ssl->version = DTLS1_2_VERSION; return 1; } @@ -116,15 +116,15 @@ void dtls1_free(SSL *ssl) { } void dtls1_start_timer(SSL *ssl) { - /* If timer is not set, initialize duration (by default, 1 second) */ + // If timer is not set, initialize duration (by default, 1 second) if (ssl->d1->next_timeout.tv_sec == 0 && ssl->d1->next_timeout.tv_usec == 0) { ssl->d1->timeout_duration_ms = ssl->initial_timeout_duration_ms; } - /* Set timeout to current time */ + // Set timeout to current time ssl_get_current_time(ssl, &ssl->d1->next_timeout); - /* Add duration to current time */ + // Add duration to current time ssl->d1->next_timeout.tv_sec += ssl->d1->timeout_duration_ms / 1000; ssl->d1->next_timeout.tv_usec += (ssl->d1->timeout_duration_ms % 1000) * 1000; if (ssl->d1->next_timeout.tv_usec >= 1000000) { @@ -136,17 +136,17 @@ void dtls1_start_timer(SSL *ssl) { int dtls1_is_timer_expired(SSL *ssl) { struct timeval timeleft; - /* Get time left until timeout, return false if no timer running */ + // Get time left until timeout, return false if no timer running if (!DTLSv1_get_timeout(ssl, &timeleft)) { return 0; } - /* Return false if timer is not expired yet */ + // Return false if timer is not expired yet if (timeleft.tv_sec > 0 || timeleft.tv_usec > 0) { return 0; } - /* Timer expired, so return true */ + // Timer expired, so return true return 1; } @@ -166,7 +166,7 @@ void dtls1_stop_timer(SSL *ssl) { int dtls1_check_timeout_num(SSL *ssl) { ssl->d1->num_timeouts++; - /* Reduce MTU after 2 unsuccessful retransmissions */ + // Reduce MTU after 2 unsuccessful retransmissions if (ssl->d1->num_timeouts > DTLS1_MTU_TIMEOUTS && !(SSL_get_options(ssl) & SSL_OP_NO_QUERY_MTU)) { long mtu = BIO_ctrl(ssl->wbio, BIO_CTRL_DGRAM_GET_FALLBACK_MTU, 0, NULL); @@ -176,7 +176,7 @@ int dtls1_check_timeout_num(SSL *ssl) { } if (ssl->d1->num_timeouts > DTLS1_MAX_TIMEOUTS) { - /* fail the connection, enough alerts have been sent */ + // fail the connection, enough alerts have been sent OPENSSL_PUT_ERROR(SSL, SSL_R_READ_TIMEOUT_EXPIRED); return 0; } @@ -197,7 +197,7 @@ int DTLSv1_get_timeout(const SSL *ssl, struct timeval *out) { return 0; } - /* If no timeout is set, just return 0. */ + // If no timeout is set, just return 0. if (ssl->d1->next_timeout.tv_sec == 0 && ssl->d1->next_timeout.tv_usec == 0) { return 0; } @@ -205,7 +205,7 @@ int DTLSv1_get_timeout(const SSL *ssl, struct timeval *out) { struct OPENSSL_timeval timenow; ssl_get_current_time(ssl, &timenow); - /* If timer already expired, set remaining time to 0. */ + // If timer already expired, set remaining time to 0. if (ssl->d1->next_timeout.tv_sec < timenow.tv_sec || (ssl->d1->next_timeout.tv_sec == timenow.tv_sec && ssl->d1->next_timeout.tv_usec <= timenow.tv_usec)) { @@ -213,7 +213,7 @@ int DTLSv1_get_timeout(const SSL *ssl, struct timeval *out) { return 1; } - /* Calculate time left until timer expires. */ + // Calculate time left until timer expires. struct OPENSSL_timeval ret; OPENSSL_memcpy(&ret, &ssl->d1->next_timeout, sizeof(ret)); ret.tv_sec -= timenow.tv_sec; @@ -224,13 +224,13 @@ int DTLSv1_get_timeout(const SSL *ssl, struct timeval *out) { ret.tv_sec--; } - /* If remaining time is less than 15 ms, set it to 0 to prevent issues - * because of small divergences with socket timeouts. */ + // If remaining time is less than 15 ms, set it to 0 to prevent issues + // because of small divergences with socket timeouts. if (ret.tv_sec == 0 && ret.tv_usec < 15000) { OPENSSL_memset(&ret, 0, sizeof(ret)); } - /* Clamp the result in case of overflow. */ + // Clamp the result in case of overflow. if (ret.tv_sec > INT_MAX) { assert(0); out->tv_sec = INT_MAX; @@ -250,7 +250,7 @@ int DTLSv1_handle_timeout(SSL *ssl) { return -1; } - /* If no timer is expired, don't do anything. */ + // If no timer is expired, don't do anything. if (!dtls1_is_timer_expired(ssl)) { return 0; } diff --git a/ssl/d1_pkt.cc b/ssl/d1_pkt.cc index 38412327..7a1c2292 100644 --- a/ssl/d1_pkt.cc +++ b/ssl/d1_pkt.cc @@ -140,15 +140,15 @@ again: return 0; } - /* Read a new packet if there is no unconsumed one. */ + // Read a new packet if there is no unconsumed one. if (ssl_read_buffer_len(ssl) == 0) { int read_ret = ssl_read_buffer_extend_to(ssl, 0 /* unused */); if (read_ret < 0 && dtls1_is_timer_expired(ssl)) { - /* Historically, timeouts were handled implicitly if the caller did not - * handle them. - * - * TODO(davidben): This was to support blocking sockets but affected - * non-blocking sockets. Can it be removed? */ + // Historically, timeouts were handled implicitly if the caller did not + // handle them. + // + // TODO(davidben): This was to support blocking sockets but affected + // non-blocking sockets. Can it be removed? int timeout_ret = DTLSv1_handle_timeout(ssl); if (timeout_ret <= 0) { return timeout_ret; @@ -170,7 +170,7 @@ again: ssl_read_buffer_consume(ssl, consumed); switch (open_ret) { case ssl_open_record_partial: - /* Impossible in DTLS. */ + // Impossible in DTLS. break; case ssl_open_record_success: { @@ -221,9 +221,9 @@ again: } if (rr->type == SSL3_RT_HANDSHAKE) { - /* Parse the first fragment header to determine if this is a pre-CCS or - * post-CCS handshake record. DTLS resets handshake message numbers on each - * handshake, so renegotiations and retransmissions are ambiguous. */ + // Parse the first fragment header to determine if this is a pre-CCS or + // post-CCS handshake record. DTLS resets handshake message numbers on each + // handshake, so renegotiations and retransmissions are ambiguous. CBS cbs, body; struct hm_header_st msg_hdr; CBS_init(&cbs, rr->data, rr->length); @@ -236,9 +236,9 @@ again: if (msg_hdr.type == SSL3_MT_FINISHED && msg_hdr.seq == ssl->d1->handshake_read_seq - 1) { if (msg_hdr.frag_off == 0) { - /* Retransmit our last flight of messages. If the peer sends the second - * Finished, they may not have received ours. Only do this for the - * first fragment, in case the Finished was fragmented. */ + // Retransmit our last flight of messages. If the peer sends the second + // Finished, they may not have received ours. Only do this for the + // first fragment, in case the Finished was fragmented. if (!dtls1_check_timeout_num(ssl)) { return -1; } @@ -250,8 +250,8 @@ again: goto again; } - /* Otherwise, this is a pre-CCS handshake message from an unsupported - * renegotiation attempt. Fall through to the error path. */ + // Otherwise, this is a pre-CCS handshake message from an unsupported + // renegotiation attempt. Fall through to the error path. } if (rr->type != SSL3_RT_APPLICATION_DATA) { @@ -260,7 +260,7 @@ again: return -1; } - /* Discard empty records. */ + // Discard empty records. if (rr->length == 0) { goto again; } @@ -275,12 +275,12 @@ again: OPENSSL_memcpy(buf, rr->data, len); if (!peek) { - /* TODO(davidben): Should the record be truncated instead? This is a - * datagram transport. See https://crbug.com/boringssl/65. */ + // TODO(davidben): Should the record be truncated instead? This is a + // datagram transport. See https://crbug.com/boringssl/65. rr->length -= len; rr->data += len; if (rr->length == 0) { - /* The record has been consumed, so we may now clear the buffer. */ + // The record has been consumed, so we may now clear the buffer. ssl_read_buffer_discard(ssl); } } @@ -289,10 +289,10 @@ again: } void dtls1_read_close_notify(SSL *ssl) { - /* Bidirectional shutdown doesn't make sense for an unordered transport. DTLS - * alerts also aren't delivered reliably, so we may even time out because the - * peer never received our close_notify. Report to the caller that the channel - * has fully shut down. */ + // Bidirectional shutdown doesn't make sense for an unordered transport. DTLS + // alerts also aren't delivered reliably, so we may even time out because the + // peer never received our close_notify. Report to the caller that the channel + // has fully shut down. if (ssl->s3->recv_shutdown == ssl_shutdown_none) { ssl->s3->recv_shutdown = ssl_shutdown_close_notify; } @@ -328,9 +328,9 @@ int dtls1_write_app_data(SSL *ssl, int *out_needs_handshake, const uint8_t *buf, int dtls1_write_record(SSL *ssl, int type, const uint8_t *buf, size_t len, enum dtls1_use_epoch_t use_epoch) { assert(len <= SSL3_RT_MAX_PLAIN_LENGTH); - /* There should never be a pending write buffer in DTLS. One can't write half - * a datagram, so the write buffer is always dropped in - * |ssl_write_buffer_flush|. */ + // There should never be a pending write buffer in DTLS. One can't write half + // a datagram, so the write buffer is always dropped in + // |ssl_write_buffer_flush|. assert(!ssl_write_buffer_is_pending(ssl)); if (len > SSL3_RT_MAX_PLAIN_LENGTH) { @@ -364,7 +364,7 @@ int dtls1_dispatch_alert(SSL *ssl) { } ssl->s3->alert_dispatch = 0; - /* If the alert is fatal, flush the BIO now. */ + // If the alert is fatal, flush the BIO now. if (ssl->s3->send_alert[0] == SSL3_AL_FATAL) { BIO_flush(ssl->wbio); } diff --git a/ssl/d1_srtp.cc b/ssl/d1_srtp.cc index 2d94bd24..30733ec6 100644 --- a/ssl/d1_srtp.cc +++ b/ssl/d1_srtp.cc @@ -226,11 +226,11 @@ const SRTP_PROTECTION_PROFILE *SSL_get_selected_srtp_profile(SSL *ssl) { } int SSL_CTX_set_tlsext_use_srtp(SSL_CTX *ctx, const char *profiles) { - /* This API inverts its return value. */ + // This API inverts its return value. return !SSL_CTX_set_srtp_profiles(ctx, profiles); } int SSL_set_tlsext_use_srtp(SSL *ssl, const char *profiles) { - /* This API inverts its return value. */ + // This API inverts its return value. return !SSL_set_srtp_profiles(ssl, profiles); } diff --git a/ssl/dtls_method.cc b/ssl/dtls_method.cc index 1f95970e..050246db 100644 --- a/ssl/dtls_method.cc +++ b/ssl/dtls_method.cc @@ -73,17 +73,17 @@ static int dtls1_supports_cipher(const SSL_CIPHER *cipher) { } static void dtls1_on_handshake_complete(SSL *ssl) { - /* Stop the reply timer left by the last flight we sent. */ + // Stop the reply timer left by the last flight we sent. dtls1_stop_timer(ssl); - /* If the final flight had a reply, we know the peer has received it. If not, - * we must leave the flight around for post-handshake retransmission. */ + // If the final flight had a reply, we know the peer has received it. If not, + // we must leave the flight around for post-handshake retransmission. if (ssl->d1->flight_has_reply) { dtls_clear_outgoing_messages(ssl); } } static int dtls1_set_read_state(SSL *ssl, UniquePtr aead_ctx) { - /* Cipher changes are illegal when there are buffered incoming messages. */ + // Cipher changes are illegal when there are buffered incoming messages. if (dtls_has_incoming_messages(ssl) || ssl->d1->has_change_cipher_spec) { OPENSSL_PUT_ERROR(SSL, SSL_R_BUFFERED_MESSAGES_ON_CIPHER_CHANGE); ssl3_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_UNEXPECTED_MESSAGE); @@ -153,7 +153,7 @@ const SSL_METHOD *DTLS_with_buffers_method(void) { return &kMethod; } -/* Legacy version-locked methods. */ +// Legacy version-locked methods. const SSL_METHOD *DTLSv1_2_method(void) { static const SSL_METHOD kMethod = { @@ -173,7 +173,7 @@ const SSL_METHOD *DTLSv1_method(void) { return &kMethod; } -/* Legacy side-specific methods. */ +// Legacy side-specific methods. const SSL_METHOD *DTLSv1_2_server_method(void) { return DTLSv1_2_method(); diff --git a/ssl/dtls_record.cc b/ssl/dtls_record.cc index c7ee6463..dbc8fa2d 100644 --- a/ssl/dtls_record.cc +++ b/ssl/dtls_record.cc @@ -123,8 +123,8 @@ namespace bssl { -/* to_u64_be treats |in| as a 8-byte big-endian integer and returns the value as - * a |uint64_t|. */ +// to_u64_be treats |in| as a 8-byte big-endian integer and returns the value as +// a |uint64_t|. static uint64_t to_u64_be(const uint8_t in[8]) { uint64_t ret = 0; unsigned i; @@ -135,8 +135,8 @@ static uint64_t to_u64_be(const uint8_t in[8]) { return ret; } -/* dtls1_bitmap_should_discard returns one if |seq_num| has been seen in |bitmap| - * or is stale. Otherwise it returns zero. */ +// dtls1_bitmap_should_discard returns one if |seq_num| has been seen in +// |bitmap| or is stale. Otherwise it returns zero. static int dtls1_bitmap_should_discard(DTLS1_BITMAP *bitmap, const uint8_t seq_num[8]) { const unsigned kWindowSize = sizeof(bitmap->map) * 8; @@ -149,15 +149,15 @@ static int dtls1_bitmap_should_discard(DTLS1_BITMAP *bitmap, return idx >= kWindowSize || (bitmap->map & (((uint64_t)1) << idx)); } -/* dtls1_bitmap_record updates |bitmap| to record receipt of sequence number - * |seq_num|. It slides the window forward if needed. It is an error to call - * this function on a stale sequence number. */ +// dtls1_bitmap_record updates |bitmap| to record receipt of sequence number +// |seq_num|. It slides the window forward if needed. It is an error to call +// this function on a stale sequence number. static void dtls1_bitmap_record(DTLS1_BITMAP *bitmap, const uint8_t seq_num[8]) { const unsigned kWindowSize = sizeof(bitmap->map) * 8; uint64_t seq_num_u = to_u64_be(seq_num); - /* Shift the window if necessary. */ + // Shift the window if necessary. if (seq_num_u > bitmap->max_seq_num) { uint64_t shift = seq_num_u - bitmap->max_seq_num; if (shift >= kWindowSize) { @@ -183,7 +183,7 @@ enum ssl_open_record_t dtls_open_record(SSL *ssl, uint8_t *out_type, CBS *out, CBS cbs; CBS_init(&cbs, in, in_len); - /* Decode the record. */ + // Decode the record. uint8_t type; uint16_t version; uint8_t sequence[8]; @@ -195,7 +195,7 @@ enum ssl_open_record_t dtls_open_record(SSL *ssl, uint8_t *out_type, CBS *out, (ssl->s3->have_version && version != ssl->version) || (version >> 8) != DTLS1_VERSION_MAJOR || CBS_len(&body) > SSL3_RT_MAX_ENCRYPTED_LENGTH) { - /* The record header was incomplete or malformed. Drop the entire packet. */ + // The record header was incomplete or malformed. Drop the entire packet. *out_consumed = in_len; return ssl_open_record_discard; } @@ -206,31 +206,31 @@ enum ssl_open_record_t dtls_open_record(SSL *ssl, uint8_t *out_type, CBS *out, uint16_t epoch = (((uint16_t)sequence[0]) << 8) | sequence[1]; if (epoch != ssl->d1->r_epoch || dtls1_bitmap_should_discard(&ssl->d1->bitmap, sequence)) { - /* Drop this record. It's from the wrong epoch or is a replay. Note that if - * |epoch| is the next epoch, the record could be buffered for later. For - * simplicity, drop it and expect retransmit to handle it later; DTLS must - * handle packet loss anyway. */ + // Drop this record. It's from the wrong epoch or is a replay. Note that if + // |epoch| is the next epoch, the record could be buffered for later. For + // simplicity, drop it and expect retransmit to handle it later; DTLS must + // handle packet loss anyway. *out_consumed = in_len - CBS_len(&cbs); return ssl_open_record_discard; } - /* Decrypt the body in-place. */ + // Decrypt the body in-place. if (!ssl->s3->aead_read_ctx->Open(out, type, version, sequence, (uint8_t *)CBS_data(&body), CBS_len(&body))) { - /* Bad packets are silently dropped in DTLS. See section 4.2.1 of RFC 6347. - * Clear the error queue of any errors decryption may have added. Drop the - * entire packet as it must not have come from the peer. - * - * TODO(davidben): This doesn't distinguish malloc failures from encryption - * failures. */ + // Bad packets are silently dropped in DTLS. See section 4.2.1 of RFC 6347. + // Clear the error queue of any errors decryption may have added. Drop the + // entire packet as it must not have come from the peer. + // + // TODO(davidben): This doesn't distinguish malloc failures from encryption + // failures. ERR_clear_error(); *out_consumed = in_len - CBS_len(&cbs); return ssl_open_record_discard; } *out_consumed = in_len - CBS_len(&cbs); - /* Check the plaintext length. */ + // Check the plaintext length. if (CBS_len(out) > SSL3_RT_MAX_PLAIN_LENGTH) { OPENSSL_PUT_ERROR(SSL, SSL_R_DATA_LENGTH_TOO_LONG); *out_alert = SSL_AD_RECORD_OVERFLOW; @@ -239,8 +239,8 @@ enum ssl_open_record_t dtls_open_record(SSL *ssl, uint8_t *out_type, CBS *out, dtls1_bitmap_record(&ssl->d1->bitmap, sequence); - /* TODO(davidben): Limit the number of empty records as in TLS? This is only - * useful if we also limit discarded packets. */ + // TODO(davidben): Limit the number of empty records as in TLS? This is only + // useful if we also limit discarded packets. if (type == SSL3_RT_ALERT) { return ssl_process_alert(ssl, out_alert, CBS_data(out), CBS_len(out)); @@ -282,7 +282,7 @@ int dtls_seal_record(SSL *ssl, uint8_t *out, size_t *out_len, size_t max_out, return 0; } - /* Determine the parameters for the current epoch. */ + // Determine the parameters for the current epoch. uint16_t epoch = ssl->d1->w_epoch; SSLAEADContext *aead = ssl->s3->aead_write_ctx; uint8_t *seq = ssl->s3->write_sequence; diff --git a/ssl/handshake.cc b/ssl/handshake.cc index ec6213f8..3e2ae614 100644 --- a/ssl/handshake.cc +++ b/ssl/handshake.cc @@ -199,8 +199,8 @@ int ssl_add_message_cbb(SSL *ssl, CBB *cbb) { } size_t ssl_max_handshake_message_len(const SSL *ssl) { - /* kMaxMessageLen is the default maximum message size for handshakes which do - * not accept peer certificate chains. */ + // kMaxMessageLen is the default maximum message size for handshakes which do + // not accept peer certificate chains. static const size_t kMaxMessageLen = 16384; if (SSL_in_init(ssl)) { @@ -212,24 +212,24 @@ size_t ssl_max_handshake_message_len(const SSL *ssl) { } if (ssl3_protocol_version(ssl) < TLS1_3_VERSION) { - /* In TLS 1.2 and below, the largest acceptable post-handshake message is - * a HelloRequest. */ + // In TLS 1.2 and below, the largest acceptable post-handshake message is + // a HelloRequest. return 0; } if (ssl->server) { - /* The largest acceptable post-handshake message for a server is a - * KeyUpdate. We will never initiate post-handshake auth. */ + // The largest acceptable post-handshake message for a server is a + // KeyUpdate. We will never initiate post-handshake auth. return 1; } - /* Clients must accept NewSessionTicket and CertificateRequest, so allow the - * default size. */ + // Clients must accept NewSessionTicket and CertificateRequest, so allow the + // default size. return kMaxMessageLen; } bool ssl_hash_message(SSL_HANDSHAKE *hs, const SSLMessage &msg) { - /* V2ClientHello messages are pre-hashed. */ + // V2ClientHello messages are pre-hashed. if (msg.is_v2_hello) { return true; } @@ -240,7 +240,7 @@ bool ssl_hash_message(SSL_HANDSHAKE *hs, const SSLMessage &msg) { int ssl_parse_extensions(const CBS *cbs, uint8_t *out_alert, const SSL_EXTENSION_TYPE *ext_types, size_t num_ext_types, int ignore_unknown) { - /* Reset everything. */ + // Reset everything. for (size_t i = 0; i < num_ext_types; i++) { *ext_types[i].out_present = 0; CBS_init(ext_types[i].out_data, NULL, 0); @@ -274,7 +274,7 @@ int ssl_parse_extensions(const CBS *cbs, uint8_t *out_alert, return 0; } - /* Duplicate ext_types are forbidden. */ + // Duplicate ext_types are forbidden. if (*ext_type->out_present) { OPENSSL_PUT_ERROR(SSL, SSL_R_DUPLICATE_EXTENSION); *out_alert = SSL_AD_ILLEGAL_PARAMETER; @@ -289,8 +289,8 @@ int ssl_parse_extensions(const CBS *cbs, uint8_t *out_alert, } static void set_crypto_buffer(CRYPTO_BUFFER **dest, CRYPTO_BUFFER *src) { - /* TODO(davidben): Remove this helper once |SSL_SESSION| can use |UniquePtr| - * and |UniquePtr| has up_ref helpers. */ + // TODO(davidben): Remove this helper once |SSL_SESSION| can use |UniquePtr| + // and |UniquePtr| has up_ref helpers. CRYPTO_BUFFER_free(*dest); *dest = src; if (src != nullptr) { @@ -302,10 +302,10 @@ enum ssl_verify_result_t ssl_verify_peer_cert(SSL_HANDSHAKE *hs) { SSL *const ssl = hs->ssl; const SSL_SESSION *prev_session = ssl->s3->established_session; if (prev_session != NULL) { - /* If renegotiating, the server must not change the server certificate. See - * https://mitls.org/pages/attacks/3SHAKE. We never resume on renegotiation, - * so this check is sufficient to ensure the reported peer certificate never - * changes on renegotiation. */ + // If renegotiating, the server must not change the server certificate. See + // https://mitls.org/pages/attacks/3SHAKE. We never resume on renegotiation, + // so this check is sufficient to ensure the reported peer certificate never + // changes on renegotiation. assert(!ssl->server); if (sk_CRYPTO_BUFFER_num(prev_session->certs) != sk_CRYPTO_BUFFER_num(hs->new_session->certs)) { @@ -329,10 +329,10 @@ enum ssl_verify_result_t ssl_verify_peer_cert(SSL_HANDSHAKE *hs) { } } - /* The certificate is identical, so we may skip re-verifying the - * certificate. Since we only authenticated the previous one, copy other - * authentication from the established session and ignore what was newly - * received. */ + // The certificate is identical, so we may skip re-verifying the + // certificate. Since we only authenticated the previous one, copy other + // authentication from the established session and ignore what was newly + // received. set_crypto_buffer(&hs->new_session->ocsp_response, prev_session->ocsp_response); set_crypto_buffer(&hs->new_session->signed_cert_timestamp_list, @@ -371,17 +371,17 @@ enum ssl_verify_result_t ssl_verify_peer_cert(SSL_HANDSHAKE *hs) { } uint16_t ssl_get_grease_value(const SSL *ssl, enum ssl_grease_index_t index) { - /* Use the client_random or server_random for entropy. This both avoids - * calling |RAND_bytes| on a single byte repeatedly and ensures the values are - * deterministic. This allows the same ClientHello be sent twice for a - * HelloRetryRequest or the same group be advertised in both supported_groups - * and key_shares. */ + // Use the client_random or server_random for entropy. This both avoids + // calling |RAND_bytes| on a single byte repeatedly and ensures the values are + // deterministic. This allows the same ClientHello be sent twice for a + // HelloRetryRequest or the same group be advertised in both supported_groups + // and key_shares. uint16_t ret = ssl->server ? ssl->s3->server_random[index] : ssl->s3->client_random[index]; - /* The first four bytes of server_random are a timestamp prior to TLS 1.3, but - * servers have no fields to GREASE until TLS 1.3. */ + // The first four bytes of server_random are a timestamp prior to TLS 1.3, but + // servers have no fields to GREASE until TLS 1.3. assert(!ssl->server || ssl3_protocol_version(ssl) >= TLS1_3_VERSION); - /* This generates a random value of the form 0xωaωa, for all 0 ≤ ω < 16. */ + // This generates a random value of the form 0xωaωa, for all 0 ≤ ω < 16. ret = (ret & 0xf0) | 0x0a; ret |= ret << 8; return ret; @@ -398,7 +398,7 @@ enum ssl_hs_wait_t ssl_get_finished(SSL_HANDSHAKE *hs) { return ssl_hs_error; } - /* Snapshot the finished hash before incorporating the new message. */ + // Snapshot the finished hash before incorporating the new message. uint8_t finished[EVP_MAX_MD_SIZE]; size_t finished_len; if (!hs->transcript.GetFinishedMAC(finished, &finished_len, @@ -418,7 +418,7 @@ enum ssl_hs_wait_t ssl_get_finished(SSL_HANDSHAKE *hs) { return ssl_hs_error; } - /* Copy the Finished so we can use it for renegotiation checks. */ + // Copy the Finished so we can use it for renegotiation checks. if (ssl->version != SSL3_VERSION) { if (finished_len > sizeof(ssl->s3->previous_client_finished) || finished_len > sizeof(ssl->s3->previous_server_finished)) { @@ -442,7 +442,7 @@ enum ssl_hs_wait_t ssl_get_finished(SSL_HANDSHAKE *hs) { int ssl_run_handshake(SSL_HANDSHAKE *hs, int *out_early_return) { SSL *const ssl = hs->ssl; for (;;) { - /* Resolve the operation the handshake was waiting on. */ + // Resolve the operation the handshake was waiting on. switch (hs->wait) { case ssl_hs_error: OPENSSL_PUT_ERROR(SSL, SSL_R_SSL_HANDSHAKE_FAILURE); @@ -464,13 +464,13 @@ int ssl_run_handshake(SSL_HANDSHAKE *hs, int *out_early_return) { if (hs->wait == ssl_hs_read_server_hello && ERR_GET_LIB(err) == ERR_LIB_SSL && ERR_GET_REASON(err) == SSL_R_SSLV3_ALERT_HANDSHAKE_FAILURE) { - /* Add a dedicated error code to the queue for a handshake_failure - * alert in response to ClientHello. This matches NSS's client - * behavior and gives a better error on a (probable) failure to - * negotiate initial parameters. Note: this error code comes after - * the original one. - * - * See https://crbug.com/446505. */ + // Add a dedicated error code to the queue for a handshake_failure + // alert in response to ClientHello. This matches NSS's client + // behavior and gives a better error on a (probable) failure to + // negotiate initial parameters. Note: this error code comes after + // the original one. + // + // See https://crbug.com/446505. OPENSSL_PUT_ERROR(SSL, SSL_R_HANDSHAKE_FAILURE_ON_CLIENT_HELLO); } return ret; @@ -488,7 +488,7 @@ int ssl_run_handshake(SSL_HANDSHAKE *hs, int *out_early_return) { case ssl_hs_read_end_of_early_data: { if (ssl->s3->hs->can_early_read) { - /* While we are processing early data, the handshake returns early. */ + // While we are processing early data, the handshake returns early. *out_early_return = 1; return 1; } @@ -533,7 +533,7 @@ int ssl_run_handshake(SSL_HANDSHAKE *hs, int *out_early_return) { case ssl_hs_early_data_rejected: ssl->rwstate = SSL_EARLY_DATA_REJECTED; - /* Cause |SSL_write| to start failing immediately. */ + // Cause |SSL_write| to start failing immediately. hs->can_early_write = 0; return -1; @@ -546,20 +546,20 @@ int ssl_run_handshake(SSL_HANDSHAKE *hs, int *out_early_return) { break; } - /* Run the state machine again. */ + // Run the state machine again. hs->wait = ssl->do_handshake(hs); if (hs->wait == ssl_hs_error) { - /* Don't loop around to avoid a stray |SSL_R_SSL_HANDSHAKE_FAILURE| the - * first time around. */ + // Don't loop around to avoid a stray |SSL_R_SSL_HANDSHAKE_FAILURE| the + // first time around. return -1; } if (hs->wait == ssl_hs_ok) { - /* The handshake has completed. */ + // The handshake has completed. return 1; } - /* Otherwise, loop to the beginning and resolve what was blocking the - * handshake. */ + // Otherwise, loop to the beginning and resolve what was blocking the + // handshake. } } diff --git a/ssl/handshake_client.cc b/ssl/handshake_client.cc index 37bf3727..5a0902db 100644 --- a/ssl/handshake_client.cc +++ b/ssl/handshake_client.cc @@ -199,14 +199,14 @@ enum ssl_client_hs_state_t { state_done, }; -/* ssl_get_client_disabled sets |*out_mask_a| and |*out_mask_k| to masks of - * disabled algorithms. */ +// ssl_get_client_disabled sets |*out_mask_a| and |*out_mask_k| to masks of +// disabled algorithms. static void ssl_get_client_disabled(SSL *ssl, uint32_t *out_mask_a, uint32_t *out_mask_k) { *out_mask_a = 0; *out_mask_k = 0; - /* PSK requires a client callback. */ + // PSK requires a client callback. if (ssl->psk_client_callback == NULL) { *out_mask_a |= SSL_aPSK; *out_mask_k |= SSL_kPSK; @@ -223,14 +223,14 @@ static int ssl_write_client_cipher_list(SSL_HANDSHAKE *hs, CBB *out) { return 0; } - /* Add a fake cipher suite. See draft-davidben-tls-grease-01. */ + // Add a fake cipher suite. See draft-davidben-tls-grease-01. if (ssl->ctx->grease_enabled && !CBB_add_u16(&child, ssl_get_grease_value(ssl, ssl_grease_cipher))) { return 0; } - /* Add TLS 1.3 ciphers. Order ChaCha20-Poly1305 relative to AES-GCM based on - * hardware support. */ + // Add TLS 1.3 ciphers. Order ChaCha20-Poly1305 relative to AES-GCM based on + // hardware support. if (hs->max_version >= TLS1_3_VERSION) { if (!EVP_has_aes_hardware() && !CBB_add_u16(&child, TLS1_CK_CHACHA20_POLY1305_SHA256 & 0xffff)) { @@ -249,7 +249,7 @@ static int ssl_write_client_cipher_list(SSL_HANDSHAKE *hs, CBB *out) { if (hs->min_version < TLS1_3_VERSION) { int any_enabled = 0; for (const SSL_CIPHER *cipher : SSL_get_ciphers(ssl)) { - /* Skip disabled ciphers */ + // Skip disabled ciphers if ((cipher->algorithm_mkey & mask_k) || (cipher->algorithm_auth & mask_a)) { continue; @@ -264,15 +264,15 @@ static int ssl_write_client_cipher_list(SSL_HANDSHAKE *hs, CBB *out) { } } - /* If all ciphers were disabled, return the error to the caller. */ + // If all ciphers were disabled, return the error to the caller. if (!any_enabled && hs->max_version < TLS1_3_VERSION) { OPENSSL_PUT_ERROR(SSL, SSL_R_NO_CIPHERS_AVAILABLE); return 0; } } - /* For SSLv3, the SCSV is added. Otherwise the renegotiation extension is - * added. */ + // For SSLv3, the SCSV is added. Otherwise the renegotiation extension is + // added. if (hs->max_version == SSL3_VERSION && !ssl->s3->initial_handshake_complete) { if (!CBB_add_u16(&child, SSL3_CK_SCSV & 0xffff)) { @@ -297,7 +297,7 @@ int ssl_write_client_hello(SSL_HANDSHAKE *hs) { return 0; } - /* Renegotiations do not participate in session resumption. */ + // Renegotiations do not participate in session resumption. int has_session_id = ssl->session != NULL && !ssl->s3->initial_handshake_complete && ssl->session->session_id_length > 0; @@ -315,8 +315,8 @@ int ssl_write_client_hello(SSL_HANDSHAKE *hs) { return 0; } } else { - /* In TLS 1.3 experimental encodings, send a fake placeholder session ID - * when we do not otherwise have one to send. */ + // In TLS 1.3 experimental encodings, send a fake placeholder session ID + // when we do not otherwise have one to send. if (hs->max_version >= TLS1_3_VERSION && ssl->tls13_variant == tls13_experiment && !CBB_add_bytes(&child, hs->session_id, hs->session_id_len)) { @@ -346,8 +346,8 @@ int ssl_write_client_hello(SSL_HANDSHAKE *hs) { return 0; } - /* Now that the length prefixes have been computed, fill in the placeholder - * PSK binder. */ + // Now that the length prefixes have been computed, fill in the placeholder + // PSK binder. if (hs->needs_psk_binder && !tls13_write_psk_binder(hs, msg, len)) { OPENSSL_free(msg); @@ -374,8 +374,8 @@ static int parse_server_version(SSL_HANDSHAKE *hs, uint16_t *out, return 0; } - /* The server version may also be in the supported_versions extension if - * applicable. */ + // The server version may also be in the supported_versions extension if + // applicable. if (msg.type != SSL3_MT_SERVER_HELLO || *out != TLS1_2_VERSION) { return 1; } @@ -390,7 +390,7 @@ static int parse_server_version(SSL_HANDSHAKE *hs, uint16_t *out, return 0; } - /* The extensions block may not be present. */ + // The extensions block may not be present. if (CBS_len(&server_hello) == 0) { return 1; } @@ -433,14 +433,14 @@ static enum ssl_hs_wait_t do_start_connect(SSL_HANDSHAKE *hs) { ssl_do_info_callback(ssl, SSL_CB_HANDSHAKE_START, 1); - /* Freeze the version range. */ + // Freeze the version range. if (!ssl_get_version_range(ssl, &hs->min_version, &hs->max_version)) { return ssl_hs_error; } - /* Always advertise the ClientHello version from the original maximum version, - * even on renegotiation. The static RSA key exchange uses this field, and - * some servers fail when it changes across handshakes. */ + // Always advertise the ClientHello version from the original maximum version, + // even on renegotiation. The static RSA key exchange uses this field, and + // some servers fail when it changes across handshakes. if (SSL_is_dtls(hs->ssl)) { hs->client_version = hs->max_version >= TLS1_2_VERSION ? DTLS1_2_VERSION : DTLS1_VERSION; @@ -449,8 +449,8 @@ static enum ssl_hs_wait_t do_start_connect(SSL_HANDSHAKE *hs) { hs->max_version >= TLS1_2_VERSION ? TLS1_2_VERSION : hs->max_version; } - /* If the configured session has expired or was created at a disabled - * version, drop it. */ + // If the configured session has expired or was created at a disabled + // version, drop it. if (ssl->session != NULL) { if (ssl->session->is_server || !ssl_supports_version(hs, ssl->session->ssl_version) || @@ -466,8 +466,8 @@ static enum ssl_hs_wait_t do_start_connect(SSL_HANDSHAKE *hs) { return ssl_hs_error; } - /* Initialize a random session ID for the experimental TLS 1.3 variant - * requiring a session id. */ + // Initialize a random session ID for the experimental TLS 1.3 variant + // requiring a session id. if (ssl->tls13_variant == tls13_experiment) { hs->session_id_len = sizeof(hs->session_id); if (!RAND_bytes(hs->session_id, hs->session_id_len)) { @@ -505,8 +505,8 @@ static enum ssl_hs_wait_t do_enter_early_data(SSL_HANDSHAKE *hs) { return ssl_hs_error; } - /* Stash the early data session, so connection properties may be queried out - * of it. */ + // Stash the early data session, so connection properties may be queried out + // of it. hs->in_early_data = 1; SSL_SESSION_up_ref(ssl->session); hs->early_session.reset(ssl->session); @@ -547,7 +547,7 @@ static enum ssl_hs_wait_t do_read_hello_verify_request(SSL_HANDSHAKE *hs) { ssl->method->next_message(ssl); - /* DTLS resets the handshake buffer after HelloVerifyRequest. */ + // DTLS resets the handshake buffer after HelloVerifyRequest. if (!hs->transcript.Init()) { return ssl_hs_error; } @@ -581,8 +581,8 @@ static enum ssl_hs_wait_t do_read_server_hello(SSL_HANDSHAKE *hs) { assert(ssl->s3->have_version == ssl->s3->initial_handshake_complete); if (!ssl->s3->have_version) { ssl->version = server_version; - /* At this point, the connection's version is known and ssl->version is - * fixed. Begin enforcing the record-layer version. */ + // At this point, the connection's version is known and ssl->version is + // fixed. Begin enforcing the record-layer version. ssl->s3->have_version = 1; } else if (server_version != ssl->version) { OPENSSL_PUT_ERROR(SSL, SSL_R_WRONG_SSL_VERSION); @@ -621,12 +621,12 @@ static enum ssl_hs_wait_t do_read_server_hello(SSL_HANDSHAKE *hs) { return ssl_hs_error; } - /* Copy over the server random. */ + // Copy over the server random. OPENSSL_memcpy(ssl->s3->server_random, CBS_data(&server_random), SSL3_RANDOM_SIZE); - /* TODO(davidben): Implement the TLS 1.1 and 1.2 downgrade sentinels once TLS - * 1.3 is finalized and we are not implementing a draft version. */ + // TODO(davidben): Implement the TLS 1.1 and 1.2 downgrade sentinels once TLS + // 1.3 is finalized and we are not implementing a draft version. if (!ssl->s3->initial_handshake_complete && ssl->session != NULL && ssl->session->session_id_length != 0 && @@ -634,14 +634,14 @@ static enum ssl_hs_wait_t do_read_server_hello(SSL_HANDSHAKE *hs) { ssl->session->session_id_length)) { ssl->s3->session_reused = 1; } else { - /* The session wasn't resumed. Create a fresh SSL_SESSION to - * fill out. */ + // The session wasn't resumed. Create a fresh SSL_SESSION to + // fill out. ssl_set_session(ssl, NULL); if (!ssl_get_new_session(hs, 0 /* client */)) { ssl3_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_INTERNAL_ERROR); return ssl_hs_error; } - /* Note: session_id could be empty. */ + // Note: session_id could be empty. hs->new_session->session_id_length = CBS_len(&session_id); OPENSSL_memcpy(hs->new_session->session_id, CBS_data(&session_id), CBS_len(&session_id)); @@ -649,13 +649,13 @@ static enum ssl_hs_wait_t do_read_server_hello(SSL_HANDSHAKE *hs) { const SSL_CIPHER *cipher = SSL_get_cipher_by_value(cipher_suite); if (cipher == NULL) { - /* unknown cipher */ + // unknown cipher OPENSSL_PUT_ERROR(SSL, SSL_R_UNKNOWN_CIPHER_RETURNED); ssl3_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_ILLEGAL_PARAMETER); return ssl_hs_error; } - /* The cipher must be allowed in the selected version and enabled. */ + // The cipher must be allowed in the selected version and enabled. uint32_t mask_a, mask_k; ssl_get_client_disabled(ssl, &mask_a, &mask_k); if ((cipher->algorithm_mkey & mask_k) || (cipher->algorithm_auth & mask_a) || @@ -679,7 +679,7 @@ static enum ssl_hs_wait_t do_read_server_hello(SSL_HANDSHAKE *hs) { return ssl_hs_error; } if (!ssl_session_is_context_valid(ssl, ssl->session)) { - /* This is actually a client application bug. */ + // This is actually a client application bug. OPENSSL_PUT_ERROR(SSL, SSL_R_ATTEMPT_TO_REUSE_SESSION_IN_DIFFERENT_CONTEXT); ssl3_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_ILLEGAL_PARAMETER); @@ -690,38 +690,38 @@ static enum ssl_hs_wait_t do_read_server_hello(SSL_HANDSHAKE *hs) { } hs->new_cipher = cipher; - /* Now that the cipher is known, initialize the handshake hash and hash the - * ServerHello. */ + // Now that the cipher is known, initialize the handshake hash and hash the + // ServerHello. if (!hs->transcript.InitHash(ssl3_protocol_version(ssl), hs->new_cipher) || !ssl_hash_message(hs, msg)) { ssl3_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_INTERNAL_ERROR); return ssl_hs_error; } - /* If doing a full handshake, the server may request a client certificate - * which requires hashing the handshake transcript. Otherwise, the handshake - * buffer may be released. */ + // If doing a full handshake, the server may request a client certificate + // which requires hashing the handshake transcript. Otherwise, the handshake + // buffer may be released. if (ssl->session != NULL || !ssl_cipher_uses_certificate_auth(hs->new_cipher)) { hs->transcript.FreeBuffer(); } - /* Only the NULL compression algorithm is supported. */ + // Only the NULL compression algorithm is supported. if (compression_method != 0) { OPENSSL_PUT_ERROR(SSL, SSL_R_UNSUPPORTED_COMPRESSION_ALGORITHM); ssl3_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_ILLEGAL_PARAMETER); return ssl_hs_error; } - /* TLS extensions */ + // TLS extensions if (!ssl_parse_serverhello_tlsext(hs, &server_hello)) { OPENSSL_PUT_ERROR(SSL, SSL_R_PARSE_TLSEXT); return ssl_hs_error; } - /* There should be nothing left over in the record. */ + // There should be nothing left over in the record. if (CBS_len(&server_hello) != 0) { - /* wrong packet length */ + // wrong packet length OPENSSL_PUT_ERROR(SSL, SSL_R_DECODE_ERROR); ssl3_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_DECODE_ERROR); return ssl_hs_error; @@ -823,8 +823,8 @@ static enum ssl_hs_wait_t do_read_certificate_status(SSL_HANDSHAKE *hs) { } if (msg.type != SSL3_MT_CERTIFICATE_STATUS) { - /* A server may send status_request in ServerHello and then change - * its mind about sending CertificateStatus. */ + // A server may send status_request in ServerHello and then change its mind + // about sending CertificateStatus. hs->state = state_verify_server_certificate; return ssl_hs_ok; } @@ -887,7 +887,7 @@ static enum ssl_hs_wait_t do_read_server_key_exchange(SSL_HANDSHAKE *hs) { } if (msg.type != SSL3_MT_SERVER_KEY_EXCHANGE) { - /* Some ciphers (pure PSK) have an optional ServerKeyExchange message. */ + // Some ciphers (pure PSK) have an optional ServerKeyExchange message. if (ssl_cipher_requires_server_key_exchange(hs->new_cipher)) { OPENSSL_PUT_ERROR(SSL, SSL_R_UNEXPECTED_MESSAGE); ssl3_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_UNEXPECTED_MESSAGE); @@ -908,7 +908,7 @@ static enum ssl_hs_wait_t do_read_server_key_exchange(SSL_HANDSHAKE *hs) { if (alg_a & SSL_aPSK) { CBS psk_identity_hint; - /* Each of the PSK key exchanges begins with a psk_identity_hint. */ + // Each of the PSK key exchanges begins with a psk_identity_hint. if (!CBS_get_u16_length_prefixed(&server_key_exchange, &psk_identity_hint)) { OPENSSL_PUT_ERROR(SSL, SSL_R_DECODE_ERROR); @@ -916,13 +916,13 @@ static enum ssl_hs_wait_t do_read_server_key_exchange(SSL_HANDSHAKE *hs) { return ssl_hs_error; } - /* Store PSK identity hint for later use, hint is used in - * ssl3_send_client_key_exchange. Assume that the maximum length of a PSK - * identity hint can be as long as the maximum length of a PSK identity. - * Also do not allow NULL characters; identities are saved as C strings. - * - * TODO(davidben): Should invalid hints be ignored? It's a hint rather than - * a specific identity. */ + // Store PSK identity hint for later use, hint is used in + // ssl3_send_client_key_exchange. Assume that the maximum length of a PSK + // identity hint can be as long as the maximum length of a PSK identity. + // Also do not allow NULL characters; identities are saved as C strings. + // + // TODO(davidben): Should invalid hints be ignored? It's a hint rather than + // a specific identity. if (CBS_len(&psk_identity_hint) > PSK_MAX_IDENTITY_LEN || CBS_contains_zero_byte(&psk_identity_hint)) { OPENSSL_PUT_ERROR(SSL, SSL_R_DATA_LENGTH_TOO_LONG); @@ -930,11 +930,11 @@ static enum ssl_hs_wait_t do_read_server_key_exchange(SSL_HANDSHAKE *hs) { return ssl_hs_error; } - /* Save non-empty identity hints as a C string. Empty identity hints we - * treat as missing. Plain PSK makes it possible to send either no hint - * (omit ServerKeyExchange) or an empty hint, while ECDHE_PSK can only spell - * empty hint. Having different capabilities is odd, so we interpret empty - * and missing as identical. */ + // Save non-empty identity hints as a C string. Empty identity hints we + // treat as missing. Plain PSK makes it possible to send either no hint + // (omit ServerKeyExchange) or an empty hint, while ECDHE_PSK can only spell + // empty hint. Having different capabilities is odd, so we interpret empty + // and missing as identical. char *raw = nullptr; if (CBS_len(&psk_identity_hint) != 0 && !CBS_strdup(&psk_identity_hint, &raw)) { @@ -946,7 +946,7 @@ static enum ssl_hs_wait_t do_read_server_key_exchange(SSL_HANDSHAKE *hs) { } if (alg_k & SSL_kECDHE) { - /* Parse the server parameters. */ + // Parse the server parameters. uint8_t group_type; uint16_t group_id; CBS point; @@ -960,14 +960,14 @@ static enum ssl_hs_wait_t do_read_server_key_exchange(SSL_HANDSHAKE *hs) { } hs->new_session->group_id = group_id; - /* Ensure the group is consistent with preferences. */ + // Ensure the group is consistent with preferences. if (!tls1_check_group_id(ssl, group_id)) { OPENSSL_PUT_ERROR(SSL, SSL_R_WRONG_CURVE); ssl3_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_ILLEGAL_PARAMETER); return ssl_hs_error; } - /* Initialize ECDH and save the peer public key for later. */ + // Initialize ECDH and save the peer public key for later. hs->key_share = SSLKeyShare::Create(group_id); if (!hs->key_share || !CBS_stow(&point, &hs->peer_key, &hs->peer_key_len)) { @@ -979,14 +979,14 @@ static enum ssl_hs_wait_t do_read_server_key_exchange(SSL_HANDSHAKE *hs) { return ssl_hs_error; } - /* At this point, |server_key_exchange| contains the signature, if any, while - * |msg.body| contains the entire message. From that, derive a CBS containing - * just the parameter. */ + // At this point, |server_key_exchange| contains the signature, if any, while + // |msg.body| contains the entire message. From that, derive a CBS containing + // just the parameter. CBS parameter; CBS_init(¶meter, CBS_data(&msg.body), CBS_len(&msg.body) - CBS_len(&server_key_exchange)); - /* ServerKeyExchange should be signed by the server's public key. */ + // ServerKeyExchange should be signed by the server's public key. if (ssl_cipher_uses_certificate_auth(hs->new_cipher)) { uint16_t signature_algorithm = 0; if (ssl3_protocol_version(ssl) >= TLS1_2_VERSION) { @@ -1008,7 +1008,7 @@ static enum ssl_hs_wait_t do_read_server_key_exchange(SSL_HANDSHAKE *hs) { return ssl_hs_error; } - /* The last field in |server_key_exchange| is the signature. */ + // The last field in |server_key_exchange| is the signature. CBS signature; if (!CBS_get_u16_length_prefixed(&server_key_exchange, &signature) || CBS_len(&server_key_exchange) != 0) { @@ -1044,13 +1044,13 @@ static enum ssl_hs_wait_t do_read_server_key_exchange(SSL_HANDSHAKE *hs) { ERR_clear_error(); #endif if (!sig_ok) { - /* bad signature */ + // bad signature OPENSSL_PUT_ERROR(SSL, SSL_R_BAD_SIGNATURE); ssl3_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_DECRYPT_ERROR); return ssl_hs_error; } } else { - /* PSK ciphers are the only supported certificate-less ciphers. */ + // PSK ciphers are the only supported certificate-less ciphers. assert(alg_a == SSL_aPSK); if (CBS_len(&server_key_exchange) > 0) { @@ -1079,8 +1079,8 @@ static enum ssl_hs_wait_t do_read_certificate_request(SSL_HANDSHAKE *hs) { } if (msg.type == SSL3_MT_SERVER_HELLO_DONE) { - /* If we get here we don't need the handshake buffer as we won't be doing - * client auth. */ + // If we get here we don't need the handshake buffer as we won't be doing + // client auth. hs->transcript.FreeBuffer(); hs->state = state_read_server_hello_done; return ssl_hs_ok; @@ -1091,7 +1091,7 @@ static enum ssl_hs_wait_t do_read_certificate_request(SSL_HANDSHAKE *hs) { return ssl_hs_error; } - /* Get the certificate types. */ + // Get the certificate types. CBS body = msg.body, certificate_types; if (!CBS_get_u8_length_prefixed(&body, &certificate_types)) { ssl3_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_DECODE_ERROR); @@ -1150,7 +1150,7 @@ static enum ssl_hs_wait_t do_read_server_hello_done(SSL_HANDSHAKE *hs) { return ssl_hs_error; } - /* ServerHelloDone is empty. */ + // ServerHelloDone is empty. if (CBS_len(&msg.body) != 0) { ssl3_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_DECODE_ERROR); OPENSSL_PUT_ERROR(SSL, SSL_R_DECODE_ERROR); @@ -1165,13 +1165,13 @@ static enum ssl_hs_wait_t do_read_server_hello_done(SSL_HANDSHAKE *hs) { static enum ssl_hs_wait_t do_send_client_certificate(SSL_HANDSHAKE *hs) { SSL *const ssl = hs->ssl; - /* The peer didn't request a certificate. */ + // The peer didn't request a certificate. if (!hs->cert_request) { hs->state = state_send_client_key_exchange; return ssl_hs_ok; } - /* Call cert_cb to update the certificate. */ + // Call cert_cb to update the certificate. if (ssl->cert->cert_cb != NULL) { int rv = ssl->cert->cert_cb(ssl, ssl->cert->cert_cb_arg); if (rv == 0) { @@ -1186,10 +1186,10 @@ static enum ssl_hs_wait_t do_send_client_certificate(SSL_HANDSHAKE *hs) { } if (!ssl_has_certificate(ssl)) { - /* Without a client certificate, the handshake buffer may be released. */ + // Without a client certificate, the handshake buffer may be released. hs->transcript.FreeBuffer(); - /* In SSL 3.0, the Certificate message is replaced with a warning alert. */ + // In SSL 3.0, the Certificate message is replaced with a warning alert. if (ssl->version == SSL3_VERSION) { if (!ssl->method->add_alert(ssl, SSL3_AL_WARNING, SSL_AD_NO_CERTIFICATE)) { @@ -1227,7 +1227,7 @@ static enum ssl_hs_wait_t do_send_client_key_exchange(SSL_HANDSHAKE *hs) { uint32_t alg_k = hs->new_cipher->algorithm_mkey; uint32_t alg_a = hs->new_cipher->algorithm_auth; - /* If using a PSK key exchange, prepare the pre-shared key. */ + // If using a PSK key exchange, prepare the pre-shared key. unsigned psk_len = 0; uint8_t psk[PSK_MAX_PSK_LEN]; if (alg_a & SSL_aPSK) { @@ -1255,7 +1255,7 @@ static enum ssl_hs_wait_t do_send_client_key_exchange(SSL_HANDSHAKE *hs) { goto err; } - /* Write out psk_identity. */ + // Write out psk_identity. CBB child; if (!CBB_add_u16_length_prefixed(&body, &child) || !CBB_add_bytes(&child, (const uint8_t *)identity, @@ -1265,7 +1265,7 @@ static enum ssl_hs_wait_t do_send_client_key_exchange(SSL_HANDSHAKE *hs) { } } - /* Depending on the key exchange method, compute |pms| and |pms_len|. */ + // Depending on the key exchange method, compute |pms| and |pms_len|. if (alg_k & SSL_kRSA) { pms_len = SSL_MAX_MASTER_KEY_LENGTH; pms = (uint8_t *)OPENSSL_malloc(pms_len); @@ -1288,7 +1288,7 @@ static enum ssl_hs_wait_t do_send_client_key_exchange(SSL_HANDSHAKE *hs) { CBB child, *enc_pms = &body; size_t enc_pms_len; - /* In TLS, there is a length prefix. */ + // In TLS, there is a length prefix. if (ssl->version > SSL3_VERSION) { if (!CBB_add_u16_length_prefixed(&body, &child)) { goto err; @@ -1305,13 +1305,13 @@ static enum ssl_hs_wait_t do_send_client_key_exchange(SSL_HANDSHAKE *hs) { goto err; } } else if (alg_k & SSL_kECDHE) { - /* Generate a keypair and serialize the public half. */ + // Generate a keypair and serialize the public half. CBB child; if (!CBB_add_u8_length_prefixed(&body, &child)) { goto err; } - /* Compute the premaster. */ + // Compute the premaster. uint8_t alert = SSL_AD_DECODE_ERROR; if (!hs->key_share->Accept(&child, &pms, &pms_len, &alert, hs->peer_key, hs->peer_key_len)) { @@ -1322,14 +1322,14 @@ static enum ssl_hs_wait_t do_send_client_key_exchange(SSL_HANDSHAKE *hs) { goto err; } - /* The key exchange state may now be discarded. */ + // The key exchange state may now be discarded. hs->key_share.reset(); OPENSSL_free(hs->peer_key); hs->peer_key = NULL; hs->peer_key_len = 0; } else if (alg_k & SSL_kPSK) { - /* For plain PSK, other_secret is a block of 0s with the same length as - * the pre-shared key. */ + // For plain PSK, other_secret is a block of 0s with the same length as + // the pre-shared key. pms_len = psk_len; pms = (uint8_t *)OPENSSL_malloc(pms_len); if (pms == NULL) { @@ -1343,8 +1343,8 @@ static enum ssl_hs_wait_t do_send_client_key_exchange(SSL_HANDSHAKE *hs) { goto err; } - /* For a PSK cipher suite, other_secret is combined with the pre-shared - * key. */ + // For a PSK cipher suite, other_secret is combined with the pre-shared + // key. if (alg_a & SSL_aPSK) { ScopedCBB pms_cbb; CBB child; @@ -1366,8 +1366,8 @@ static enum ssl_hs_wait_t do_send_client_key_exchange(SSL_HANDSHAKE *hs) { pms_len = new_pms_len; } - /* The message must be added to the finished hash before calculating the - * master secret. */ + // The message must be added to the finished hash before calculating the + // master secret. if (!ssl_add_message_cbb(ssl, cbb.get())) { goto err; } @@ -1414,14 +1414,14 @@ static enum ssl_hs_wait_t do_send_client_certificate_verify(SSL_HANDSHAKE *hs) { return ssl_hs_error; } if (ssl3_protocol_version(ssl) >= TLS1_2_VERSION) { - /* Write out the digest type in TLS 1.2. */ + // Write out the digest type in TLS 1.2. if (!CBB_add_u16(&body, signature_algorithm)) { OPENSSL_PUT_ERROR(SSL, ERR_R_INTERNAL_ERROR); return ssl_hs_error; } } - /* Set aside space for the signature. */ + // Set aside space for the signature. const size_t max_sig_len = EVP_PKEY_size(hs->local_pubkey.get()); uint8_t *ptr; if (!CBB_add_u16_length_prefixed(&body, &child) || @@ -1430,8 +1430,8 @@ static enum ssl_hs_wait_t do_send_client_certificate_verify(SSL_HANDSHAKE *hs) { } size_t sig_len = max_sig_len; - /* The SSL3 construction for CertificateVerify does not decompose into a - * single final digest and signature, and must be special-cased. */ + // The SSL3 construction for CertificateVerify does not decompose into a + // single final digest and signature, and must be special-cased. if (ssl3_protocol_version(ssl) == SSL3_VERSION) { if (ssl->cert->key_method != NULL) { OPENSSL_PUT_ERROR(SSL, SSL_R_UNSUPPORTED_PROTOCOL_FOR_CUSTOM_KEY); @@ -1470,7 +1470,7 @@ static enum ssl_hs_wait_t do_send_client_certificate_verify(SSL_HANDSHAKE *hs) { return ssl_hs_error; } - /* The handshake buffer is no longer necessary. */ + // The handshake buffer is no longer necessary. hs->transcript.FreeBuffer(); hs->state = state_send_second_client_flight; @@ -1553,9 +1553,9 @@ static enum ssl_hs_wait_t do_finish_flight(SSL_HANDSHAKE *hs) { return ssl_hs_ok; } - /* This is a full handshake. If it involves ChannelID, then record the - * handshake hashes at this point in the session so that any resumption of - * this session with ChannelID can sign those hashes. */ + // This is a full handshake. If it involves ChannelID, then record the + // handshake hashes at this point in the session so that any resumption of + // this session with ChannelID can sign those hashes. if (!tls1_record_handshake_hashes_for_channel_id(hs)) { return ssl_hs_error; } @@ -1564,8 +1564,7 @@ static enum ssl_hs_wait_t do_finish_flight(SSL_HANDSHAKE *hs) { if ((SSL_get_mode(ssl) & SSL_MODE_ENABLE_FALSE_START) && ssl3_can_false_start(ssl) && - /* No False Start on renegotiation (would complicate the state - * machine). */ + // No False Start on renegotiation (would complicate the state machine). !ssl->s3->initial_handshake_complete) { hs->in_false_start = 1; hs->can_early_write = 1; @@ -1604,9 +1603,9 @@ static enum ssl_hs_wait_t do_read_session_ticket(SSL_HANDSHAKE *hs) { } if (CBS_len(&ticket) == 0) { - /* RFC 5077 allows a server to change its mind and send no ticket after - * negotiating the extension. The value of |ticket_expected| is checked in - * |ssl_update_cache| so is cleared here to avoid an unnecessary update. */ + // RFC 5077 allows a server to change its mind and send no ticket after + // negotiating the extension. The value of |ticket_expected| is checked in + // |ssl_update_cache| so is cleared here to avoid an unnecessary update. hs->ticket_expected = 0; ssl->method->next_message(ssl); hs->state = state_process_change_cipher_spec; @@ -1616,20 +1615,20 @@ static enum ssl_hs_wait_t do_read_session_ticket(SSL_HANDSHAKE *hs) { SSL_SESSION *session = hs->new_session.get(); UniquePtr renewed_session; if (ssl->session != NULL) { - /* The server is sending a new ticket for an existing session. Sessions are - * immutable once established, so duplicate all but the ticket of the - * existing session. */ + // The server is sending a new ticket for an existing session. Sessions are + // immutable once established, so duplicate all but the ticket of the + // existing session. renewed_session = SSL_SESSION_dup(ssl->session, SSL_SESSION_INCLUDE_NONAUTH); if (!renewed_session) { - /* This should never happen. */ + // This should never happen. OPENSSL_PUT_ERROR(SSL, ERR_R_INTERNAL_ERROR); return ssl_hs_error; } session = renewed_session.get(); } - /* |tlsext_tick_lifetime_hint| is measured from when the ticket was issued. */ + // |tlsext_tick_lifetime_hint| is measured from when the ticket was issued. ssl_session_rebase_time(ssl, session); if (!CBS_stow(&ticket, &session->tlsext_tick, &session->tlsext_ticklen)) { @@ -1638,9 +1637,9 @@ static enum ssl_hs_wait_t do_read_session_ticket(SSL_HANDSHAKE *hs) { } session->tlsext_tick_lifetime_hint = tlsext_tick_lifetime_hint; - /* Generate a session ID for this session based on the session ticket. We use - * the session ID mechanism for detecting ticket resumption. This also fits in - * with assumptions elsewhere in OpenSSL.*/ + // Generate a session ID for this session based on the session ticket. We use + // the session ID mechanism for detecting ticket resumption. This also fits in + // with assumptions elsewhere in OpenSSL. if (!EVP_Digest(CBS_data(&ticket), CBS_len(&ticket), session->session_id, &session->session_id_length, EVP_sha256(), NULL)) { @@ -1693,16 +1692,16 @@ static enum ssl_hs_wait_t do_finish_client_handshake(SSL_HANDSHAKE *hs) { SSL_SESSION_up_ref(ssl->session); ssl->s3->established_session = ssl->session; } else { - /* We make a copy of the session in order to maintain the immutability - * of the new established_session due to False Start. The caller may - * have taken a reference to the temporary session. */ + // We make a copy of the session in order to maintain the immutability + // of the new established_session due to False Start. The caller may + // have taken a reference to the temporary session. ssl->s3->established_session = SSL_SESSION_dup(hs->new_session.get(), SSL_SESSION_DUP_ALL) .release(); if (ssl->s3->established_session == NULL) { return ssl_hs_error; } - /* Renegotiations do not participate in session resumption. */ + // Renegotiations do not participate in session resumption. if (!ssl->s3->initial_handshake_complete) { ssl->s3->established_session->not_resumable = 0; } diff --git a/ssl/handshake_server.cc b/ssl/handshake_server.cc index efbb7bd0..eb79693e 100644 --- a/ssl/handshake_server.cc +++ b/ssl/handshake_server.cc @@ -231,18 +231,18 @@ static int negotiate_version(SSL_HANDSHAKE *hs, uint8_t *out_alert, return 0; } } else { - /* Convert the ClientHello version to an equivalent supported_versions - * extension. */ + // Convert the ClientHello version to an equivalent supported_versions + // extension. static const uint8_t kTLSVersions[] = { - 0x03, 0x03, /* TLS 1.2 */ - 0x03, 0x02, /* TLS 1.1 */ - 0x03, 0x01, /* TLS 1 */ - 0x03, 0x00, /* SSL 3 */ + 0x03, 0x03, // TLS 1.2 + 0x03, 0x02, // TLS 1.1 + 0x03, 0x01, // TLS 1 + 0x03, 0x00, // SSL 3 }; static const uint8_t kDTLSVersions[] = { - 0xfe, 0xfd, /* DTLS 1.2 */ - 0xfe, 0xff, /* DTLS 1.0 */ + 0xfe, 0xfd, // DTLS 1.2 + 0xfe, 0xff, // DTLS 1.0 }; size_t versions_len = 0; @@ -273,11 +273,11 @@ static int negotiate_version(SSL_HANDSHAKE *hs, uint8_t *out_alert, return 0; } - /* At this point, the connection's version is known and |ssl->version| is - * fixed. Begin enforcing the record-layer version. */ + // At this point, the connection's version is known and |ssl->version| is + // fixed. Begin enforcing the record-layer version. ssl->s3->have_version = 1; - /* Handle FALLBACK_SCSV. */ + // Handle FALLBACK_SCSV. if (ssl_client_cipher_list_contains_cipher(client_hello, SSL3_CK_FALLBACK_SCSV & 0xffff) && ssl3_protocol_version(ssl) < hs->max_version) { @@ -319,10 +319,10 @@ static UniquePtr ssl_parse_client_cipher_list( return sk; } -/* ssl_get_compatible_server_ciphers determines the key exchange and - * authentication cipher suite masks compatible with the server configuration - * and current ClientHello parameters of |hs|. It sets |*out_mask_k| to the key - * exchange mask and |*out_mask_a| to the authentication mask. */ +// ssl_get_compatible_server_ciphers determines the key exchange and +// authentication cipher suite masks compatible with the server configuration +// and current ClientHello parameters of |hs|. It sets |*out_mask_k| to the key +// exchange mask and |*out_mask_a| to the authentication mask. static void ssl_get_compatible_server_ciphers(SSL_HANDSHAKE *hs, uint32_t *out_mask_k, uint32_t *out_mask_a) { @@ -337,13 +337,13 @@ static void ssl_get_compatible_server_ciphers(SSL_HANDSHAKE *hs, } } - /* Check for a shared group to consider ECDHE ciphers. */ + // Check for a shared group to consider ECDHE ciphers. uint16_t unused; if (tls1_get_shared_group(hs, &unused)) { mask_k |= SSL_kECDHE; } - /* PSK requires a server callback. */ + // PSK requires a server callback. if (ssl->psk_server_callback != NULL) { mask_k |= SSL_kPSK; mask_a |= SSL_aPSK; @@ -358,13 +358,13 @@ static const SSL_CIPHER *ssl3_choose_cipher( const struct ssl_cipher_preference_list_st *server_pref) { SSL *const ssl = hs->ssl; STACK_OF(SSL_CIPHER) *prio, *allow; - /* in_group_flags will either be NULL, or will point to an array of bytes - * which indicate equal-preference groups in the |prio| stack. See the - * comment about |in_group_flags| in the |ssl_cipher_preference_list_st| - * struct. */ + // in_group_flags will either be NULL, or will point to an array of bytes + // which indicate equal-preference groups in the |prio| stack. See the + // comment about |in_group_flags| in the |ssl_cipher_preference_list_st| + // struct. const uint8_t *in_group_flags; - /* group_min contains the minimal index so far found in a group, or -1 if no - * such value exists yet. */ + // group_min contains the minimal index so far found in a group, or -1 if no + // such value exists yet. int group_min = -1; UniquePtr client_pref = @@ -390,17 +390,17 @@ static const SSL_CIPHER *ssl3_choose_cipher( const SSL_CIPHER *c = sk_SSL_CIPHER_value(prio, i); size_t cipher_index; - if (/* Check if the cipher is supported for the current version. */ + if (// Check if the cipher is supported for the current version. SSL_CIPHER_get_min_version(c) <= ssl3_protocol_version(ssl) && ssl3_protocol_version(ssl) <= SSL_CIPHER_get_max_version(c) && - /* Check the cipher is supported for the server configuration. */ + // Check the cipher is supported for the server configuration. (c->algorithm_mkey & mask_k) && (c->algorithm_auth & mask_a) && - /* Check the cipher is in the |allow| list. */ + // Check the cipher is in the |allow| list. sk_SSL_CIPHER_find(allow, &cipher_index, c)) { if (in_group_flags != NULL && in_group_flags[i] == 1) { - /* This element of |prio| is in a group. Update the minimum index found - * so far and continue looking. */ + // This element of |prio| is in a group. Update the minimum index found + // so far and continue looking. if (group_min == -1 || (size_t)group_min > cipher_index) { group_min = cipher_index; } @@ -413,8 +413,8 @@ static const SSL_CIPHER *ssl3_choose_cipher( } if (in_group_flags != NULL && in_group_flags[i] == 0 && group_min != -1) { - /* We are about to leave a group, but we found a match in it, so that's - * our answer. */ + // We are about to leave a group, but we found a match in it, so that's + // our answer. return sk_SSL_CIPHER_value(allow, group_min); } } @@ -447,14 +447,14 @@ static enum ssl_hs_wait_t do_read_client_hello(SSL_HANDSHAKE *hs) { return ssl_hs_error; } - /* Run the early callback. */ + // Run the early callback. if (ssl->ctx->select_certificate_cb != NULL) { switch (ssl->ctx->select_certificate_cb(&client_hello)) { case ssl_select_cert_retry: return ssl_hs_certificate_selection_pending; case ssl_select_cert_error: - /* Connection rejected. */ + // Connection rejected. OPENSSL_PUT_ERROR(SSL, SSL_R_CONNECTION_REJECTED); ssl3_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_HANDSHAKE_FAILURE); return ssl_hs_error; @@ -464,7 +464,7 @@ static enum ssl_hs_wait_t do_read_client_hello(SSL_HANDSHAKE *hs) { } } - /* Freeze the version range after the early callback. */ + // Freeze the version range after the early callback. if (!ssl_get_version_range(ssl, &hs->min_version, &hs->max_version)) { return ssl_hs_error; } @@ -483,8 +483,8 @@ static enum ssl_hs_wait_t do_read_client_hello(SSL_HANDSHAKE *hs) { OPENSSL_memcpy(ssl->s3->client_random, client_hello.random, client_hello.random_len); - /* Only null compression is supported. TLS 1.3 further requires the peer - * advertise no other compression. */ + // Only null compression is supported. TLS 1.3 further requires the peer + // advertise no other compression. if (OPENSSL_memchr(client_hello.compression_methods, 0, client_hello.compression_methods_len) == NULL || (ssl3_protocol_version(ssl) >= TLS1_3_VERSION && @@ -494,7 +494,7 @@ static enum ssl_hs_wait_t do_read_client_hello(SSL_HANDSHAKE *hs) { return ssl_hs_error; } - /* TLS extensions. */ + // TLS extensions. if (!ssl_parse_clienthello_tlsext(hs, &client_hello)) { OPENSSL_PUT_ERROR(SSL, SSL_R_PARSE_TLSEXT); return ssl_hs_error; @@ -512,7 +512,7 @@ static enum ssl_hs_wait_t do_select_certificate(SSL_HANDSHAKE *hs) { return ssl_hs_read_message; } - /* Call |cert_cb| to update server certificates if required. */ + // Call |cert_cb| to update server certificates if required. if (ssl->cert->cert_cb != NULL) { int rv = ssl->cert->cert_cb(ssl, ssl->cert->cert_cb_arg); if (rv == 0) { @@ -530,7 +530,7 @@ static enum ssl_hs_wait_t do_select_certificate(SSL_HANDSHAKE *hs) { } if (ssl3_protocol_version(ssl) >= TLS1_3_VERSION) { - /* Jump to the TLS 1.3 state machine. */ + // Jump to the TLS 1.3 state machine. hs->state = state_tls13; return ssl_hs_ok; } @@ -540,8 +540,8 @@ static enum ssl_hs_wait_t do_select_certificate(SSL_HANDSHAKE *hs) { return ssl_hs_error; } - /* Negotiate the cipher suite. This must be done after |cert_cb| so the - * certificate is finalized. */ + // Negotiate the cipher suite. This must be done after |cert_cb| so the + // certificate is finalized. hs->new_cipher = ssl3_choose_cipher(hs, &client_hello, ssl_get_cipher_preferences(ssl)); if (hs->new_cipher == NULL) { @@ -577,7 +577,7 @@ static enum ssl_hs_wait_t do_select_parameters(SSL_HANDSHAKE *hs) { return ssl_hs_error; } - /* Determine whether we are doing session resumption. */ + // Determine whether we are doing session resumption. UniquePtr session; int tickets_supported = 0, renew_ticket = 0; enum ssl_hs_wait_t wait = ssl_get_prev_session( @@ -588,23 +588,23 @@ static enum ssl_hs_wait_t do_select_parameters(SSL_HANDSHAKE *hs) { if (session) { if (session->extended_master_secret && !hs->extended_master_secret) { - /* A ClientHello without EMS that attempts to resume a session with EMS - * is fatal to the connection. */ + // A ClientHello without EMS that attempts to resume a session with EMS + // is fatal to the connection. OPENSSL_PUT_ERROR(SSL, SSL_R_RESUMED_EMS_SESSION_WITHOUT_EMS_EXTENSION); ssl3_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_HANDSHAKE_FAILURE); return ssl_hs_error; } if (!ssl_session_is_resumable(hs, session.get()) || - /* If the client offers the EMS extension, but the previous session - * didn't use it, then negotiate a new session. */ + // If the client offers the EMS extension, but the previous session + // didn't use it, then negotiate a new session. hs->extended_master_secret != session->extended_master_secret) { session.reset(); } } if (session) { - /* Use the old session. */ + // Use the old session. hs->ticket_expected = renew_ticket; ssl->session = session.release(); ssl->s3->session_reused = 1; @@ -615,7 +615,7 @@ static enum ssl_hs_wait_t do_select_parameters(SSL_HANDSHAKE *hs) { return ssl_hs_error; } - /* Clear the session ID if we want the session to be single-use. */ + // Clear the session ID if we want the session to be single-use. if (!(ssl->ctx->session_cache_mode & SSL_SESS_CACHE_SERVER)) { hs->new_session->session_id_length = 0; } @@ -623,7 +623,7 @@ static enum ssl_hs_wait_t do_select_parameters(SSL_HANDSHAKE *hs) { if (ssl->ctx->dos_protection_cb != NULL && ssl->ctx->dos_protection_cb(&client_hello) == 0) { - /* Connection rejected for DOS reasons. */ + // Connection rejected for DOS reasons. OPENSSL_PUT_ERROR(SSL, SSL_R_CONNECTION_REJECTED); ssl3_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_INTERNAL_ERROR); return ssl_hs_error; @@ -632,7 +632,7 @@ static enum ssl_hs_wait_t do_select_parameters(SSL_HANDSHAKE *hs) { if (ssl->session == NULL) { hs->new_session->cipher = hs->new_cipher; - /* On new sessions, stash the SNI value in the session. */ + // On new sessions, stash the SNI value in the session. if (hs->hostname != NULL) { OPENSSL_free(hs->new_session->tlsext_hostname); hs->new_session->tlsext_hostname = BUF_strdup(hs->hostname.get()); @@ -642,42 +642,42 @@ static enum ssl_hs_wait_t do_select_parameters(SSL_HANDSHAKE *hs) { } } - /* Determine whether to request a client certificate. */ + // Determine whether to request a client certificate. hs->cert_request = !!(ssl->verify_mode & SSL_VERIFY_PEER); - /* Only request a certificate if Channel ID isn't negotiated. */ + // Only request a certificate if Channel ID isn't negotiated. if ((ssl->verify_mode & SSL_VERIFY_PEER_IF_NO_OBC) && ssl->s3->tlsext_channel_id_valid) { hs->cert_request = 0; } - /* CertificateRequest may only be sent in certificate-based ciphers. */ + // CertificateRequest may only be sent in certificate-based ciphers. if (!ssl_cipher_uses_certificate_auth(hs->new_cipher)) { hs->cert_request = 0; } if (!hs->cert_request) { - /* OpenSSL returns X509_V_OK when no certificates are requested. This is - * classed by them as a bug, but it's assumed by at least NGINX. */ + // OpenSSL returns X509_V_OK when no certificates are requested. This is + // classed by them as a bug, but it's assumed by at least NGINX. hs->new_session->verify_result = X509_V_OK; } } - /* HTTP/2 negotiation depends on the cipher suite, so ALPN negotiation was - * deferred. Complete it now. */ + // HTTP/2 negotiation depends on the cipher suite, so ALPN negotiation was + // deferred. Complete it now. uint8_t alert = SSL_AD_DECODE_ERROR; if (!ssl_negotiate_alpn(hs, &alert, &client_hello)) { ssl3_send_alert(ssl, SSL3_AL_FATAL, alert); return ssl_hs_error; } - /* Now that all parameters are known, initialize the handshake hash and hash - * the ClientHello. */ + // Now that all parameters are known, initialize the handshake hash and hash + // the ClientHello. if (!hs->transcript.InitHash(ssl3_protocol_version(ssl), hs->new_cipher) || !ssl_hash_message(hs, msg)) { ssl3_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_INTERNAL_ERROR); return ssl_hs_error; } - /* Release the handshake buffer if client authentication isn't required. */ + // Release the handshake buffer if client authentication isn't required. if (!hs->cert_request) { hs->transcript.FreeBuffer(); } @@ -691,16 +691,16 @@ static enum ssl_hs_wait_t do_select_parameters(SSL_HANDSHAKE *hs) { static enum ssl_hs_wait_t do_send_server_hello(SSL_HANDSHAKE *hs) { SSL *const ssl = hs->ssl; - /* We only accept ChannelIDs on connections with ECDHE in order to avoid a - * known attack while we fix ChannelID itself. */ + // We only accept ChannelIDs on connections with ECDHE in order to avoid a + // known attack while we fix ChannelID itself. if (ssl->s3->tlsext_channel_id_valid && (hs->new_cipher->algorithm_mkey & SSL_kECDHE) == 0) { ssl->s3->tlsext_channel_id_valid = 0; } - /* If this is a resumption and the original handshake didn't support - * ChannelID then we didn't record the original handshake hashes in the - * session and so cannot resume with ChannelIDs. */ + // If this is a resumption and the original handshake didn't support + // ChannelID then we didn't record the original handshake hashes in the + // session and so cannot resume with ChannelIDs. if (ssl->session != NULL && ssl->session->original_handshake_hash_len == 0) { ssl->s3->tlsext_channel_id_valid = 0; @@ -716,8 +716,8 @@ static enum ssl_hs_wait_t do_send_server_hello(SSL_HANDSHAKE *hs) { return ssl_hs_error; } - /* TODO(davidben): Implement the TLS 1.1 and 1.2 downgrade sentinels once TLS - * 1.3 is finalized and we are not implementing a draft version. */ + // TODO(davidben): Implement the TLS 1.1 and 1.2 downgrade sentinels once TLS + // 1.3 is finalized and we are not implementing a draft version. const SSL_SESSION *session = hs->new_session.get(); if (ssl->session != NULL) { @@ -778,14 +778,14 @@ static enum ssl_hs_wait_t do_send_server_certificate(SSL_HANDSHAKE *hs) { } } - /* Assemble ServerKeyExchange parameters if needed. */ + // Assemble ServerKeyExchange parameters if needed. uint32_t alg_k = hs->new_cipher->algorithm_mkey; uint32_t alg_a = hs->new_cipher->algorithm_auth; if (ssl_cipher_requires_server_key_exchange(hs->new_cipher) || ((alg_a & SSL_aPSK) && ssl->psk_identity_hint)) { - /* Pre-allocate enough room to comfortably fit an ECDHE public key. Prepend - * the client and server randoms for the signing transcript. */ + // Pre-allocate enough room to comfortably fit an ECDHE public key. Prepend + // the client and server randoms for the signing transcript. CBB child; if (!CBB_init(cbb.get(), SSL3_RANDOM_SIZE * 2 + 128) || !CBB_add_bytes(cbb.get(), ssl->s3->client_random, SSL3_RANDOM_SIZE) || @@ -793,7 +793,7 @@ static enum ssl_hs_wait_t do_send_server_certificate(SSL_HANDSHAKE *hs) { return ssl_hs_error; } - /* PSK ciphers begin with an identity hint. */ + // PSK ciphers begin with an identity hint. if (alg_a & SSL_aPSK) { size_t len = (ssl->psk_identity_hint == NULL) ? 0 : strlen(ssl->psk_identity_hint); @@ -805,7 +805,7 @@ static enum ssl_hs_wait_t do_send_server_certificate(SSL_HANDSHAKE *hs) { } if (alg_k & SSL_kECDHE) { - /* Determine the group to use. */ + // Determine the group to use. uint16_t group_id; if (!tls1_get_shared_group(hs, &group_id)) { OPENSSL_PUT_ERROR(SSL, ERR_R_INTERNAL_ERROR); @@ -814,7 +814,7 @@ static enum ssl_hs_wait_t do_send_server_certificate(SSL_HANDSHAKE *hs) { } hs->new_session->group_id = group_id; - /* Set up ECDH, generate a key, and emit the public half. */ + // Set up ECDH, generate a key, and emit the public half. hs->key_share = SSLKeyShare::Create(group_id); if (!hs->key_share || !CBB_add_u8(cbb.get(), NAMED_CURVE_TYPE) || @@ -848,21 +848,21 @@ static enum ssl_hs_wait_t do_send_server_key_exchange(SSL_HANDSHAKE *hs) { CBB body, child; if (!ssl->method->init_message(ssl, cbb.get(), &body, SSL3_MT_SERVER_KEY_EXCHANGE) || - /* |hs->server_params| contains a prefix for signing. */ + // |hs->server_params| contains a prefix for signing. hs->server_params_len < 2 * SSL3_RANDOM_SIZE || !CBB_add_bytes(&body, hs->server_params + 2 * SSL3_RANDOM_SIZE, hs->server_params_len - 2 * SSL3_RANDOM_SIZE)) { return ssl_hs_error; } - /* Add a signature. */ + // Add a signature. if (ssl_cipher_uses_certificate_auth(hs->new_cipher)) { if (!ssl_has_private_key(ssl)) { ssl3_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_INTERNAL_ERROR); return ssl_hs_error; } - /* Determine the signature algorithm. */ + // Determine the signature algorithm. uint16_t signature_algorithm; if (!tls1_choose_signature_algorithm(hs, &signature_algorithm)) { return ssl_hs_error; @@ -875,7 +875,7 @@ static enum ssl_hs_wait_t do_send_server_key_exchange(SSL_HANDSHAKE *hs) { } } - /* Add space for the signature. */ + // Add space for the signature. const size_t max_sig_len = EVP_PKEY_size(hs->local_pubkey.get()); uint8_t *ptr; if (!CBB_add_u16_length_prefixed(&body, &child) || @@ -962,16 +962,16 @@ static enum ssl_hs_wait_t do_read_client_certificate(SSL_HANDSHAKE *hs) { if (msg.type != SSL3_MT_CERTIFICATE) { if (ssl->version == SSL3_VERSION && msg.type == SSL3_MT_CLIENT_KEY_EXCHANGE) { - /* In SSL 3.0, the Certificate message is omitted to signal no - * certificate. */ + // In SSL 3.0, the Certificate message is omitted to signal no + // certificate. if (ssl->verify_mode & SSL_VERIFY_FAIL_IF_NO_PEER_CERT) { OPENSSL_PUT_ERROR(SSL, SSL_R_PEER_DID_NOT_RETURN_A_CERTIFICATE); ssl3_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_HANDSHAKE_FAILURE); return ssl_hs_error; } - /* OpenSSL returns X509_V_OK when no certificates are received. This is - * classed by them as a bug, but it's assumed by at least NGINX. */ + // OpenSSL returns X509_V_OK when no certificates are received. This is + // classed by them as a bug, but it's assumed by at least NGINX. hs->new_session->verify_result = X509_V_OK; hs->state = state_verify_client_certificate; return ssl_hs_ok; @@ -1008,11 +1008,11 @@ static enum ssl_hs_wait_t do_read_client_certificate(SSL_HANDSHAKE *hs) { } if (sk_CRYPTO_BUFFER_num(hs->new_session->certs) == 0) { - /* No client certificate so the handshake buffer may be discarded. */ + // No client certificate so the handshake buffer may be discarded. hs->transcript.FreeBuffer(); - /* In SSL 3.0, sending no certificate is signaled by omitting the - * Certificate message. */ + // In SSL 3.0, sending no certificate is signaled by omitting the + // Certificate message. if (ssl->version == SSL3_VERSION) { OPENSSL_PUT_ERROR(SSL, SSL_R_NO_CERTIFICATES_RETURNED); ssl3_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_HANDSHAKE_FAILURE); @@ -1020,17 +1020,17 @@ static enum ssl_hs_wait_t do_read_client_certificate(SSL_HANDSHAKE *hs) { } if (ssl->verify_mode & SSL_VERIFY_FAIL_IF_NO_PEER_CERT) { - /* Fail for TLS only if we required a certificate */ + // Fail for TLS only if we required a certificate OPENSSL_PUT_ERROR(SSL, SSL_R_PEER_DID_NOT_RETURN_A_CERTIFICATE); ssl3_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_HANDSHAKE_FAILURE); return ssl_hs_error; } - /* OpenSSL returns X509_V_OK when no certificates are received. This is - * classed by them as a bug, but it's assumed by at least NGINX. */ + // OpenSSL returns X509_V_OK when no certificates are received. This is + // classed by them as a bug, but it's assumed by at least NGINX. hs->new_session->verify_result = X509_V_OK; } else if (ssl->retain_only_sha256_of_client_certs) { - /* The hash will have been filled in. */ + // The hash will have been filled in. hs->new_session->peer_sha256_valid = 1; } @@ -1076,12 +1076,12 @@ static enum ssl_hs_wait_t do_read_client_key_exchange(SSL_HANDSHAKE *hs) { uint32_t alg_k = hs->new_cipher->algorithm_mkey; uint32_t alg_a = hs->new_cipher->algorithm_auth; - /* If using a PSK key exchange, parse the PSK identity. */ + // If using a PSK key exchange, parse the PSK identity. if (alg_a & SSL_aPSK) { CBS psk_identity; - /* If using PSK, the ClientKeyExchange contains a psk_identity. If PSK, - * then this is the only field in the message. */ + // If using PSK, the ClientKeyExchange contains a psk_identity. If PSK, + // then this is the only field in the message. if (!CBS_get_u16_length_prefixed(&client_key_exchange, &psk_identity) || ((alg_k & SSL_kPSK) && CBS_len(&client_key_exchange) != 0)) { OPENSSL_PUT_ERROR(SSL, SSL_R_DECODE_ERROR); @@ -1103,8 +1103,8 @@ static enum ssl_hs_wait_t do_read_client_key_exchange(SSL_HANDSHAKE *hs) { } } - /* Depending on the key exchange method, compute |premaster_secret| and - * |premaster_secret_len|. */ + // Depending on the key exchange method, compute |premaster_secret| and + // |premaster_secret_len|. if (alg_k & SSL_kRSA) { CBS encrypted_premaster_secret; if (ssl->version > SSL3_VERSION) { @@ -1119,7 +1119,7 @@ static enum ssl_hs_wait_t do_read_client_key_exchange(SSL_HANDSHAKE *hs) { encrypted_premaster_secret = client_key_exchange; } - /* Allocate a buffer large enough for an RSA decryption. */ + // Allocate a buffer large enough for an RSA decryption. const size_t rsa_size = EVP_PKEY_size(hs->local_pubkey.get()); decrypt_buf = (uint8_t *)OPENSSL_malloc(rsa_size); if (decrypt_buf == NULL) { @@ -1127,8 +1127,8 @@ static enum ssl_hs_wait_t do_read_client_key_exchange(SSL_HANDSHAKE *hs) { goto err; } - /* Decrypt with no padding. PKCS#1 padding will be removed as part of the - * timing-sensitive code below. */ + // Decrypt with no padding. PKCS#1 padding will be removed as part of the + // timing-sensitive code below. size_t decrypt_len; switch (ssl_private_key_decrypt(hs, decrypt_buf, &decrypt_len, rsa_size, CBS_data(&encrypted_premaster_secret), @@ -1148,8 +1148,8 @@ static enum ssl_hs_wait_t do_read_client_key_exchange(SSL_HANDSHAKE *hs) { goto err; } - /* Prepare a random premaster, to be used on invalid padding. See RFC 5246, - * section 7.4.7.1. */ + // Prepare a random premaster, to be used on invalid padding. See RFC 5246, + // section 7.4.7.1. premaster_secret_len = SSL_MAX_MASTER_KEY_LENGTH; premaster_secret = (uint8_t *)OPENSSL_malloc(premaster_secret_len); if (premaster_secret == NULL) { @@ -1160,15 +1160,15 @@ static enum ssl_hs_wait_t do_read_client_key_exchange(SSL_HANDSHAKE *hs) { goto err; } - /* The smallest padded premaster is 11 bytes of overhead. Small keys are - * publicly invalid. */ + // The smallest padded premaster is 11 bytes of overhead. Small keys are + // publicly invalid. if (decrypt_len < 11 + premaster_secret_len) { OPENSSL_PUT_ERROR(SSL, SSL_R_DECRYPTION_FAILED); ssl3_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_DECRYPT_ERROR); goto err; } - /* Check the padding. See RFC 3447, section 7.2.2. */ + // Check the padding. See RFC 3447, section 7.2.2. size_t padding_len = decrypt_len - premaster_secret_len; uint8_t good = constant_time_eq_int_8(decrypt_buf[0], 0) & constant_time_eq_int_8(decrypt_buf[1], 2); @@ -1177,15 +1177,15 @@ static enum ssl_hs_wait_t do_read_client_key_exchange(SSL_HANDSHAKE *hs) { } good &= constant_time_is_zero_8(decrypt_buf[padding_len - 1]); - /* The premaster secret must begin with |client_version|. This too must be - * checked in constant time (http://eprint.iacr.org/2003/052/). */ + // The premaster secret must begin with |client_version|. This too must be + // checked in constant time (http://eprint.iacr.org/2003/052/). good &= constant_time_eq_8(decrypt_buf[padding_len], (unsigned)(hs->client_version >> 8)); good &= constant_time_eq_8(decrypt_buf[padding_len + 1], (unsigned)(hs->client_version & 0xff)); - /* Select, in constant time, either the decrypted premaster or the random - * premaster based on |good|. */ + // Select, in constant time, either the decrypted premaster or the random + // premaster based on |good|. for (size_t i = 0; i < premaster_secret_len; i++) { premaster_secret[i] = constant_time_select_8( good, decrypt_buf[padding_len + i], premaster_secret[i]); @@ -1194,7 +1194,7 @@ static enum ssl_hs_wait_t do_read_client_key_exchange(SSL_HANDSHAKE *hs) { OPENSSL_free(decrypt_buf); decrypt_buf = NULL; } else if (alg_k & SSL_kECDHE) { - /* Parse the ClientKeyExchange. */ + // Parse the ClientKeyExchange. CBS peer_key; if (!CBS_get_u8_length_prefixed(&client_key_exchange, &peer_key) || CBS_len(&client_key_exchange) != 0) { @@ -1203,7 +1203,7 @@ static enum ssl_hs_wait_t do_read_client_key_exchange(SSL_HANDSHAKE *hs) { goto err; } - /* Compute the premaster. */ + // Compute the premaster. uint8_t alert = SSL_AD_DECODE_ERROR; if (!hs->key_share->Finish(&premaster_secret, &premaster_secret_len, &alert, CBS_data(&peer_key), CBS_len(&peer_key))) { @@ -1211,7 +1211,7 @@ static enum ssl_hs_wait_t do_read_client_key_exchange(SSL_HANDSHAKE *hs) { goto err; } - /* The key exchange state may now be discarded. */ + // The key exchange state may now be discarded. hs->key_share.reset(); } else if (!(alg_k & SSL_kPSK)) { OPENSSL_PUT_ERROR(SSL, ERR_R_INTERNAL_ERROR); @@ -1219,8 +1219,8 @@ static enum ssl_hs_wait_t do_read_client_key_exchange(SSL_HANDSHAKE *hs) { goto err; } - /* For a PSK cipher suite, the actual pre-master secret is combined with the - * pre-shared key. */ + // For a PSK cipher suite, the actual pre-master secret is combined with the + // pre-shared key. if (alg_a & SSL_aPSK) { if (ssl->psk_server_callback == NULL) { OPENSSL_PUT_ERROR(SSL, ERR_R_INTERNAL_ERROR); @@ -1228,7 +1228,7 @@ static enum ssl_hs_wait_t do_read_client_key_exchange(SSL_HANDSHAKE *hs) { goto err; } - /* Look up the key for the identity. */ + // Look up the key for the identity. uint8_t psk[PSK_MAX_PSK_LEN]; unsigned psk_len = ssl->psk_server_callback( ssl, hs->new_session->psk_identity, psk, sizeof(psk)); @@ -1237,15 +1237,15 @@ static enum ssl_hs_wait_t do_read_client_key_exchange(SSL_HANDSHAKE *hs) { ssl3_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_INTERNAL_ERROR); goto err; } else if (psk_len == 0) { - /* PSK related to the given identity not found */ + // PSK related to the given identity not found. OPENSSL_PUT_ERROR(SSL, SSL_R_PSK_IDENTITY_NOT_FOUND); ssl3_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_UNKNOWN_PSK_IDENTITY); goto err; } if (alg_k & SSL_kPSK) { - /* In plain PSK, other_secret is a block of 0s with the same length as the - * pre-shared key. */ + // In plain PSK, other_secret is a block of 0s with the same length as the + // pre-shared key. premaster_secret_len = psk_len; premaster_secret = (uint8_t *)OPENSSL_malloc(premaster_secret_len); if (premaster_secret == NULL) { @@ -1280,7 +1280,7 @@ static enum ssl_hs_wait_t do_read_client_key_exchange(SSL_HANDSHAKE *hs) { goto err; } - /* Compute the master secret */ + // Compute the master secret. hs->new_session->master_key_length = tls1_generate_master_secret( hs, hs->new_session->master_key, premaster_secret, premaster_secret_len); if (hs->new_session->master_key_length == 0) { @@ -1306,9 +1306,8 @@ err: static enum ssl_hs_wait_t do_read_client_certificate_verify(SSL_HANDSHAKE *hs) { SSL *const ssl = hs->ssl; - /* Only RSA and ECDSA client certificates are supported, so a - * CertificateVerify is required if and only if there's a client certificate. - * */ + // Only RSA and ECDSA client certificates are supported, so a + // CertificateVerify is required if and only if there's a client certificate. if (!hs->peer_pubkey) { hs->transcript.FreeBuffer(); hs->state = state_read_change_cipher_spec; @@ -1326,7 +1325,7 @@ static enum ssl_hs_wait_t do_read_client_certificate_verify(SSL_HANDSHAKE *hs) { CBS certificate_verify = msg.body, signature; - /* Determine the signature algorithm. */ + // Determine the signature algorithm. uint16_t signature_algorithm = 0; if (ssl3_protocol_version(ssl) >= TLS1_2_VERSION) { if (!CBS_get_u16(&certificate_verify, &signature_algorithm)) { @@ -1347,7 +1346,7 @@ static enum ssl_hs_wait_t do_read_client_certificate_verify(SSL_HANDSHAKE *hs) { return ssl_hs_error; } - /* Parse and verify the signature. */ + // Parse and verify the signature. if (!CBS_get_u16_length_prefixed(&certificate_verify, &signature) || CBS_len(&certificate_verify) != 0) { OPENSSL_PUT_ERROR(SSL, SSL_R_DECODE_ERROR); @@ -1356,8 +1355,8 @@ static enum ssl_hs_wait_t do_read_client_certificate_verify(SSL_HANDSHAKE *hs) { } int sig_ok; - /* The SSL3 construction for CertificateVerify does not decompose into a - * single final digest and signature, and must be special-cased. */ + // The SSL3 construction for CertificateVerify does not decompose into a + // single final digest and signature, and must be special-cased. if (ssl3_protocol_version(ssl) == SSL3_VERSION) { uint8_t digest[EVP_MAX_MD_SIZE]; size_t digest_len; @@ -1389,8 +1388,8 @@ static enum ssl_hs_wait_t do_read_client_certificate_verify(SSL_HANDSHAKE *hs) { return ssl_hs_error; } - /* The handshake buffer is no longer necessary, and we may hash the current - * message.*/ + // The handshake buffer is no longer necessary, and we may hash the current + // message. hs->transcript.FreeBuffer(); if (!ssl_hash_message(hs, msg)) { return ssl_hs_error; @@ -1489,9 +1488,9 @@ static enum ssl_hs_wait_t do_read_client_finished(SSL_HANDSHAKE *hs) { hs->state = state_send_server_finished; } - /* If this is a full handshake with ChannelID then record the handshake - * hashes in |hs->new_session| in case we need them to verify a - * ChannelID signature on a resumption of this session in the future. */ + // If this is a full handshake with ChannelID then record the handshake + // hashes in |hs->new_session| in case we need them to verify a + // ChannelID signature on a resumption of this session in the future. if (ssl->session == NULL && ssl->s3->tlsext_channel_id_valid && !tls1_record_handshake_hashes_for_channel_id(hs)) { return ssl_hs_error; @@ -1507,12 +1506,12 @@ static enum ssl_hs_wait_t do_send_server_finished(SSL_HANDSHAKE *hs) { const SSL_SESSION *session; UniquePtr session_copy; if (ssl->session == NULL) { - /* Fix the timeout to measure from the ticket issuance time. */ + // Fix the timeout to measure from the ticket issuance time. ssl_session_rebase_time(ssl, hs->new_session.get()); session = hs->new_session.get(); } else { - /* We are renewing an existing session. Duplicate the session to adjust - * the timeout. */ + // We are renewing an existing session. Duplicate the session to adjust + // the timeout. session_copy = SSL_SESSION_dup(ssl->session, SSL_SESSION_INCLUDE_NONAUTH); if (!session_copy) { return ssl_hs_error; @@ -1553,8 +1552,7 @@ static enum ssl_hs_wait_t do_finish_server_handshake(SSL_HANDSHAKE *hs) { ssl->method->on_handshake_complete(ssl); - /* If we aren't retaining peer certificates then we can discard it - * now. */ + // If we aren't retaining peer certificates then we can discard it now. if (hs->new_session != NULL && ssl->retain_only_sha256_of_client_certs) { sk_CRYPTO_BUFFER_pop_free(hs->new_session->certs, CRYPTO_BUFFER_free); hs->new_session->certs = NULL; diff --git a/ssl/internal.h b/ssl/internal.h index 393cd5ef..7aefff21 100644 --- a/ssl/internal.h +++ b/ssl/internal.h @@ -158,7 +158,7 @@ #if defined(OPENSSL_WINDOWS) -/* Windows defines struct timeval in winsock2.h. */ +// Windows defines struct timeval in winsock2.h. OPENSSL_MSVC_PRAGMA(warning(push, 3)) #include OPENSSL_MSVC_PRAGMA(warning(pop)) @@ -173,13 +173,13 @@ namespace bssl { struct SSL_HANDSHAKE; -/* C++ utilities. */ +// C++ utilities. -/* New behaves like |new| but uses |OPENSSL_malloc| for memory allocation. It - * returns nullptr on allocation error. It only implements single-object - * allocation and not new T[n]. - * - * Note: unlike |new|, this does not support non-public constructors. */ +// New behaves like |new| but uses |OPENSSL_malloc| for memory allocation. It +// returns nullptr on allocation error. It only implements single-object +// allocation and not new T[n]. +// +// Note: unlike |new|, this does not support non-public constructors. template T *New(Args &&... args) { void *t = OPENSSL_malloc(sizeof(T)); @@ -190,9 +190,9 @@ T *New(Args &&... args) { return new (t) T(std::forward(args)...); } -/* Delete behaves like |delete| but uses |OPENSSL_free| to release memory. - * - * Note: unlike |delete| this does not support non-public destructors. */ +// Delete behaves like |delete| but uses |OPENSSL_free| to release memory. +// +// Note: unlike |delete| this does not support non-public destructors. template void Delete(T *t) { if (t != nullptr) { @@ -201,8 +201,8 @@ void Delete(T *t) { } } -/* All types with kAllowUniquePtr set may be used with UniquePtr. Other types - * may be C structs which require a |BORINGSSL_MAKE_DELETER| registration. */ +// All types with kAllowUniquePtr set may be used with UniquePtr. Other types +// may be C structs which require a |BORINGSSL_MAKE_DELETER| registration. namespace internal { template struct DeleterImpl::type> { @@ -210,8 +210,8 @@ struct DeleterImpl::type> { }; } -/* MakeUnique behaves like |std::make_unique| but returns nullptr on allocation - * error. */ +// MakeUnique behaves like |std::make_unique| but returns nullptr on allocation +// error. template UniquePtr MakeUnique(Args &&... args) { return UniquePtr(New(std::forward(args)...)); @@ -221,87 +221,87 @@ UniquePtr MakeUnique(Args &&... args) { #define HAS_VIRTUAL_DESTRUCTOR #define PURE_VIRTUAL = 0 #else -/* HAS_VIRTUAL_DESTRUCTOR should be declared in any base clas ~s which defines a - * virtual destructor. This avoids a dependency on |_ZdlPv| and prevents the - * class from being used with |delete|. */ +// HAS_VIRTUAL_DESTRUCTOR should be declared in any base clas ~s which defines a +// virtual destructor. This avoids a dependency on |_ZdlPv| and prevents the +// class from being used with |delete|. #define HAS_VIRTUAL_DESTRUCTOR \ void operator delete(void *) { abort(); } -/* PURE_VIRTUAL should be used instead of = 0 when defining pure-virtual - * functions. This avoids a dependency on |__cxa_pure_virtual| but loses - * compile-time checking. */ +// PURE_VIRTUAL should be used instead of = 0 when defining pure-virtual +// functions. This avoids a dependency on |__cxa_pure_virtual| but loses +// compile-time checking. #define PURE_VIRTUAL { abort(); } #endif -/* Protocol versions. - * - * Due to DTLS's historical wire version differences and to support multiple - * variants of the same protocol during development, we maintain two notions of - * version. - * - * The "version" or "wire version" is the actual 16-bit value that appears on - * the wire. It uniquely identifies a version and is also used at API - * boundaries. The set of supported versions differs between TLS and DTLS. Wire - * versions are opaque values and may not be compared numerically. - * - * The "protocol version" identifies the high-level handshake variant being - * used. DTLS versions map to the corresponding TLS versions. Draft TLS 1.3 - * variants all map to TLS 1.3. Protocol versions are sequential and may be - * compared numerically. */ - -/* ssl_protocol_version_from_wire sets |*out| to the protocol version - * corresponding to wire version |version| and returns one. If |version| is not - * a valid TLS or DTLS version, it returns zero. - * - * Note this simultaneously handles both DTLS and TLS. Use one of the - * higher-level functions below for most operations. */ +// Protocol versions. +// +// Due to DTLS's historical wire version differences and to support multiple +// variants of the same protocol during development, we maintain two notions of +// version. +// +// The "version" or "wire version" is the actual 16-bit value that appears on +// the wire. It uniquely identifies a version and is also used at API +// boundaries. The set of supported versions differs between TLS and DTLS. Wire +// versions are opaque values and may not be compared numerically. +// +// The "protocol version" identifies the high-level handshake variant being +// used. DTLS versions map to the corresponding TLS versions. Draft TLS 1.3 +// variants all map to TLS 1.3. Protocol versions are sequential and may be +// compared numerically. + +// ssl_protocol_version_from_wire sets |*out| to the protocol version +// corresponding to wire version |version| and returns one. If |version| is not +// a valid TLS or DTLS version, it returns zero. +// +// Note this simultaneously handles both DTLS and TLS. Use one of the +// higher-level functions below for most operations. int ssl_protocol_version_from_wire(uint16_t *out, uint16_t version); -/* ssl_get_version_range sets |*out_min_version| and |*out_max_version| to the - * minimum and maximum enabled protocol versions, respectively. */ +// ssl_get_version_range sets |*out_min_version| and |*out_max_version| to the +// minimum and maximum enabled protocol versions, respectively. int ssl_get_version_range(const SSL *ssl, uint16_t *out_min_version, uint16_t *out_max_version); -/* ssl_supports_version returns one if |hs| supports |version| and zero - * otherwise. */ +// ssl_supports_version returns one if |hs| supports |version| and zero +// otherwise. int ssl_supports_version(SSL_HANDSHAKE *hs, uint16_t version); -/* ssl_add_supported_versions writes the supported versions of |hs| to |cbb|, in - * decreasing preference order. */ +// ssl_add_supported_versions writes the supported versions of |hs| to |cbb|, in +// decreasing preference order. int ssl_add_supported_versions(SSL_HANDSHAKE *hs, CBB *cbb); -/* ssl_negotiate_version negotiates a common version based on |hs|'s preferences - * and the peer preference list in |peer_versions|. On success, it returns one - * and sets |*out_version| to the selected version. Otherwise, it returns zero - * and sets |*out_alert| to an alert to send. */ +// ssl_negotiate_version negotiates a common version based on |hs|'s preferences +// and the peer preference list in |peer_versions|. On success, it returns one +// and sets |*out_version| to the selected version. Otherwise, it returns zero +// and sets |*out_alert| to an alert to send. int ssl_negotiate_version(SSL_HANDSHAKE *hs, uint8_t *out_alert, uint16_t *out_version, const CBS *peer_versions); -/* ssl3_protocol_version returns |ssl|'s protocol version. It is an error to - * call this function before the version is determined. */ +// ssl3_protocol_version returns |ssl|'s protocol version. It is an error to +// call this function before the version is determined. uint16_t ssl3_protocol_version(const SSL *ssl); -/* Cipher suites. */ +// Cipher suites. -/* Bits for |algorithm_mkey| (key exchange algorithm). */ +// Bits for |algorithm_mkey| (key exchange algorithm). #define SSL_kRSA 0x00000001u #define SSL_kECDHE 0x00000002u -/* SSL_kPSK is only set for plain PSK, not ECDHE_PSK. */ +// SSL_kPSK is only set for plain PSK, not ECDHE_PSK. #define SSL_kPSK 0x00000004u #define SSL_kGENERIC 0x00000008u -/* Bits for |algorithm_auth| (server authentication). */ +// Bits for |algorithm_auth| (server authentication). #define SSL_aRSA 0x00000001u #define SSL_aECDSA 0x00000002u -/* SSL_aPSK is set for both PSK and ECDHE_PSK. */ +// SSL_aPSK is set for both PSK and ECDHE_PSK. #define SSL_aPSK 0x00000004u #define SSL_aGENERIC 0x00000008u #define SSL_aCERT (SSL_aRSA | SSL_aECDSA) -/* Bits for |algorithm_enc| (symmetric encryption). */ +// Bits for |algorithm_enc| (symmetric encryption). #define SSL_3DES 0x00000001u #define SSL_AES128 0x00000002u #define SSL_AES256 0x00000004u @@ -312,91 +312,91 @@ uint16_t ssl3_protocol_version(const SSL *ssl); #define SSL_AES (SSL_AES128 | SSL_AES256 | SSL_AES128GCM | SSL_AES256GCM) -/* Bits for |algorithm_mac| (symmetric authentication). */ +// Bits for |algorithm_mac| (symmetric authentication). #define SSL_SHA1 0x00000001u #define SSL_SHA256 0x00000002u #define SSL_SHA384 0x00000004u -/* SSL_AEAD is set for all AEADs. */ +// SSL_AEAD is set for all AEADs. #define SSL_AEAD 0x00000008u -/* Bits for |algorithm_prf| (handshake digest). */ +// Bits for |algorithm_prf| (handshake digest). #define SSL_HANDSHAKE_MAC_DEFAULT 0x1 #define SSL_HANDSHAKE_MAC_SHA256 0x2 #define SSL_HANDSHAKE_MAC_SHA384 0x4 -/* SSL_MAX_DIGEST is the number of digest types which exist. When adding a new - * one, update the table in ssl_cipher.c. */ +// SSL_MAX_DIGEST is the number of digest types which exist. When adding a new +// one, update the table in ssl_cipher.c. #define SSL_MAX_DIGEST 4 -/* ssl_cipher_get_evp_aead sets |*out_aead| to point to the correct EVP_AEAD - * object for |cipher| protocol version |version|. It sets |*out_mac_secret_len| - * and |*out_fixed_iv_len| to the MAC key length and fixed IV length, - * respectively. The MAC key length is zero except for legacy block and stream - * ciphers. It returns 1 on success and 0 on error. */ +// ssl_cipher_get_evp_aead sets |*out_aead| to point to the correct EVP_AEAD +// object for |cipher| protocol version |version|. It sets |*out_mac_secret_len| +// and |*out_fixed_iv_len| to the MAC key length and fixed IV length, +// respectively. The MAC key length is zero except for legacy block and stream +// ciphers. It returns 1 on success and 0 on error. int ssl_cipher_get_evp_aead(const EVP_AEAD **out_aead, size_t *out_mac_secret_len, size_t *out_fixed_iv_len, const SSL_CIPHER *cipher, uint16_t version, int is_dtls); -/* ssl_get_handshake_digest returns the |EVP_MD| corresponding to |version| and - * |cipher|. */ +// ssl_get_handshake_digest returns the |EVP_MD| corresponding to |version| and +// |cipher|. const EVP_MD *ssl_get_handshake_digest(uint16_t version, const SSL_CIPHER *cipher); -/* ssl_create_cipher_list evaluates |rule_str| according to the ciphers in - * |ssl_method|. It sets |*out_cipher_list| to a newly-allocated - * |ssl_cipher_preference_list_st| containing the result. It returns 1 on - * success and 0 on failure. If |strict| is true, nonsense will be rejected. If - * false, nonsense will be silently ignored. An empty result is considered an - * error regardless of |strict|. */ +// ssl_create_cipher_list evaluates |rule_str| according to the ciphers in +// |ssl_method|. It sets |*out_cipher_list| to a newly-allocated +// |ssl_cipher_preference_list_st| containing the result. It returns 1 on +// success and 0 on failure. If |strict| is true, nonsense will be rejected. If +// false, nonsense will be silently ignored. An empty result is considered an +// error regardless of |strict|. int ssl_create_cipher_list( const SSL_PROTOCOL_METHOD *ssl_method, struct ssl_cipher_preference_list_st **out_cipher_list, const char *rule_str, int strict); -/* ssl_cipher_get_value returns the cipher suite id of |cipher|. */ +// ssl_cipher_get_value returns the cipher suite id of |cipher|. uint16_t ssl_cipher_get_value(const SSL_CIPHER *cipher); -/* ssl_cipher_auth_mask_for_key returns the mask of cipher |algorithm_auth| - * values suitable for use with |key| in TLS 1.2 and below. */ +// ssl_cipher_auth_mask_for_key returns the mask of cipher |algorithm_auth| +// values suitable for use with |key| in TLS 1.2 and below. uint32_t ssl_cipher_auth_mask_for_key(const EVP_PKEY *key); -/* ssl_cipher_uses_certificate_auth returns one if |cipher| authenticates the - * server and, optionally, the client with a certificate. Otherwise it returns - * zero. */ +// ssl_cipher_uses_certificate_auth returns one if |cipher| authenticates the +// server and, optionally, the client with a certificate. Otherwise it returns +// zero. int ssl_cipher_uses_certificate_auth(const SSL_CIPHER *cipher); -/* ssl_cipher_requires_server_key_exchange returns 1 if |cipher| requires a - * ServerKeyExchange message. Otherwise it returns 0. - * - * This function may return zero while still allowing |cipher| an optional - * ServerKeyExchange. This is the case for plain PSK ciphers. */ +// ssl_cipher_requires_server_key_exchange returns 1 if |cipher| requires a +// ServerKeyExchange message. Otherwise it returns 0. +// +// This function may return zero while still allowing |cipher| an optional +// ServerKeyExchange. This is the case for plain PSK ciphers. int ssl_cipher_requires_server_key_exchange(const SSL_CIPHER *cipher); -/* ssl_cipher_get_record_split_len, for TLS 1.0 CBC mode ciphers, returns the - * length of an encrypted 1-byte record, for use in record-splitting. Otherwise - * it returns zero. */ +// ssl_cipher_get_record_split_len, for TLS 1.0 CBC mode ciphers, returns the +// length of an encrypted 1-byte record, for use in record-splitting. Otherwise +// it returns zero. size_t ssl_cipher_get_record_split_len(const SSL_CIPHER *cipher); -/* Transcript layer. */ +// Transcript layer. -/* SSLTranscript maintains the handshake transcript as a combination of a - * buffer and running hash. */ +// SSLTranscript maintains the handshake transcript as a combination of a +// buffer and running hash. class SSLTranscript { public: SSLTranscript(); ~SSLTranscript(); - /* Init initializes the handshake transcript. If called on an existing - * transcript, it resets the transcript and hash. It returns true on success - * and false on failure. */ + // Init initializes the handshake transcript. If called on an existing + // transcript, it resets the transcript and hash. It returns true on success + // and false on failure. bool Init(); - /* InitHash initializes the handshake hash based on the PRF and contents of - * the handshake transcript. Subsequent calls to |Update| will update the - * rolling hash. It returns one on success and zero on failure. It is an error - * to call this function after the handshake buffer is released. */ + // InitHash initializes the handshake hash based on the PRF and contents of + // the handshake transcript. Subsequent calls to |Update| will update the + // rolling hash. It returns one on success and zero on failure. It is an error + // to call this function after the handshake buffer is released. bool InitHash(uint16_t version, const SSL_CIPHER *cipher); const uint8_t *buffer_data() const { @@ -404,66 +404,66 @@ class SSLTranscript { } size_t buffer_len() const { return buffer_->length; } - /* FreeBuffer releases the handshake buffer. Subsequent calls to - * |Update| will not update the handshake buffer. */ + // FreeBuffer releases the handshake buffer. Subsequent calls to + // |Update| will not update the handshake buffer. void FreeBuffer(); - /* DigestLen returns the length of the PRF hash. */ + // DigestLen returns the length of the PRF hash. size_t DigestLen() const; - /* Digest returns the PRF hash. For TLS 1.1 and below, this is - * |EVP_md5_sha1|. */ + // Digest returns the PRF hash. For TLS 1.1 and below, this is + // |EVP_md5_sha1|. const EVP_MD *Digest() const; - /* Update adds |in| to the handshake buffer and handshake hash, whichever is - * enabled. It returns true on success and false on failure. */ + // Update adds |in| to the handshake buffer and handshake hash, whichever is + // enabled. It returns true on success and false on failure. bool Update(const uint8_t *in, size_t in_len); - /* GetHash writes the handshake hash to |out| which must have room for at - * least |DigestLen| bytes. On success, it returns true and sets |*out_len| to - * the number of bytes written. Otherwise, it returns false. */ + // GetHash writes the handshake hash to |out| which must have room for at + // least |DigestLen| bytes. On success, it returns true and sets |*out_len| to + // the number of bytes written. Otherwise, it returns false. bool GetHash(uint8_t *out, size_t *out_len); - /* GetSSL3CertVerifyHash writes the SSL 3.0 CertificateVerify hash into the - * bytes pointed to by |out| and writes the number of bytes to - * |*out_len|. |out| must have room for |EVP_MAX_MD_SIZE| bytes. It returns - * one on success and zero on failure. */ + // GetSSL3CertVerifyHash writes the SSL 3.0 CertificateVerify hash into the + // bytes pointed to by |out| and writes the number of bytes to + // |*out_len|. |out| must have room for |EVP_MAX_MD_SIZE| bytes. It returns + // one on success and zero on failure. bool GetSSL3CertVerifyHash(uint8_t *out, size_t *out_len, const SSL_SESSION *session, uint16_t signature_algorithm); - /* GetFinishedMAC computes the MAC for the Finished message into the bytes - * pointed by |out| and writes the number of bytes to |*out_len|. |out| must - * have room for |EVP_MAX_MD_SIZE| bytes. It returns true on success and false - * on failure. */ + // GetFinishedMAC computes the MAC for the Finished message into the bytes + // pointed by |out| and writes the number of bytes to |*out_len|. |out| must + // have room for |EVP_MAX_MD_SIZE| bytes. It returns true on success and false + // on failure. bool GetFinishedMAC(uint8_t *out, size_t *out_len, const SSL_SESSION *session, bool from_server, uint16_t version); private: - /* buffer_, if non-null, contains the handshake transcript. */ + // buffer_, if non-null, contains the handshake transcript. UniquePtr buffer_; - /* hash, if initialized with an |EVP_MD|, maintains the handshake hash. For - * TLS 1.1 and below, it is the SHA-1 half. */ + // hash, if initialized with an |EVP_MD|, maintains the handshake hash. For + // TLS 1.1 and below, it is the SHA-1 half. ScopedEVP_MD_CTX hash_; - /* md5, if initialized with an |EVP_MD|, maintains the MD5 half of the - * handshake hash for TLS 1.1 and below. */ + // md5, if initialized with an |EVP_MD|, maintains the MD5 half of the + // handshake hash for TLS 1.1 and below. ScopedEVP_MD_CTX md5_; }; -/* tls1_prf computes the PRF function for |ssl|. It writes |out_len| bytes to - * |out|, using |secret| as the secret and |label| as the label. |seed1| and - * |seed2| are concatenated to form the seed parameter. It returns one on - * success and zero on failure. */ +// tls1_prf computes the PRF function for |ssl|. It writes |out_len| bytes to +// |out|, using |secret| as the secret and |label| as the label. |seed1| and +// |seed2| are concatenated to form the seed parameter. It returns one on +// success and zero on failure. int tls1_prf(const EVP_MD *digest, uint8_t *out, size_t out_len, const uint8_t *secret, size_t secret_len, const char *label, size_t label_len, const uint8_t *seed1, size_t seed1_len, const uint8_t *seed2, size_t seed2_len); -/* Encryption layer. */ +// Encryption layer. -/* SSLAEADContext contains information about an AEAD that is being used to - * encrypt an SSL connection. */ +// SSLAEADContext contains information about an AEAD that is being used to +// encrypt an SSL connection. class SSLAEADContext { public: SSLAEADContext(uint16_t version, const SSL_CIPHER *cipher); @@ -473,13 +473,13 @@ class SSLAEADContext { SSLAEADContext(const SSLAEADContext &&) = delete; SSLAEADContext &operator=(const SSLAEADContext &&) = delete; - /* CreateNullCipher creates an |SSLAEADContext| for the null cipher. */ + // CreateNullCipher creates an |SSLAEADContext| for the null cipher. static UniquePtr CreateNullCipher(); - /* Create creates an |SSLAEADContext| using the supplied key material. It - * returns nullptr on error. Only one of |Open| or |Seal| may be used with the - * resulting object, depending on |direction|. |version| is the normalized - * protocol version, so DTLS 1.0 is represented as 0x0301, not 0xffef. */ + // Create creates an |SSLAEADContext| using the supplied key material. It + // returns nullptr on error. Only one of |Open| or |Seal| may be used with the + // resulting object, depending on |direction|. |version| is the normalized + // protocol version, so DTLS 1.0 is represented as 0x0301, not 0xffef. static UniquePtr Create( enum evp_aead_direction_t direction, uint16_t version, int is_dtls, const SSL_CIPHER *cipher, const uint8_t *enc_key, size_t enc_key_len, @@ -489,52 +489,52 @@ class SSLAEADContext { uint16_t version() const { return version_; } const SSL_CIPHER *cipher() const { return cipher_; } - /* is_null_cipher returns true if this is the null cipher. */ + // is_null_cipher returns true if this is the null cipher. bool is_null_cipher() const { return !cipher_; } - /* ExplicitNonceLen returns the length of the explicit nonce. */ + // ExplicitNonceLen returns the length of the explicit nonce. size_t ExplicitNonceLen() const; - /* MaxOverhead returns the maximum overhead of calling |Seal|. */ + // MaxOverhead returns the maximum overhead of calling |Seal|. size_t MaxOverhead() const; - /* SuffixLen calculates the suffix length written by |SealScatter| and writes - * it to |*out_suffix_len|. It returns true on success and false on error. - * |in_len| and |extra_in_len| should equal the argument of the same names - * passed to |SealScatter|. */ + // SuffixLen calculates the suffix length written by |SealScatter| and writes + // it to |*out_suffix_len|. It returns true on success and false on error. + // |in_len| and |extra_in_len| should equal the argument of the same names + // passed to |SealScatter|. bool SuffixLen(size_t *out_suffix_len, size_t in_len, size_t extra_in_len) const; - /* Open authenticates and decrypts |in_len| bytes from |in| in-place. On - * success, it sets |*out| to the plaintext in |in| and returns true. - * Otherwise, it returns false. The output will always be |ExplicitNonceLen| - * bytes ahead of |in|. */ + // Open authenticates and decrypts |in_len| bytes from |in| in-place. On + // success, it sets |*out| to the plaintext in |in| and returns true. + // Otherwise, it returns false. The output will always be |ExplicitNonceLen| + // bytes ahead of |in|. bool Open(CBS *out, uint8_t type, uint16_t wire_version, const uint8_t seqnum[8], uint8_t *in, size_t in_len); - /* Seal encrypts and authenticates |in_len| bytes from |in| and writes the - * result to |out|. It returns true on success and false on error. - * - * If |in| and |out| alias then |out| + |ExplicitNonceLen| must be == |in|. */ + // Seal encrypts and authenticates |in_len| bytes from |in| and writes the + // result to |out|. It returns true on success and false on error. + // + // If |in| and |out| alias then |out| + |ExplicitNonceLen| must be == |in|. bool Seal(uint8_t *out, size_t *out_len, size_t max_out, uint8_t type, uint16_t wire_version, const uint8_t seqnum[8], const uint8_t *in, size_t in_len); - /* SealScatter encrypts and authenticates |in_len| bytes from |in| and splits - * the result between |out_prefix|, |out| and |out_suffix|. It returns one on - * success and zero on error. - * - * On successful return, exactly |ExplicitNonceLen| bytes are written to - * |out_prefix|, |in_len| bytes to |out|, and |SuffixLen| bytes to - * |out_suffix|. - * - * |extra_in| may point to an additional plaintext buffer. If present, - * |extra_in_len| additional bytes are encrypted and authenticated, and the - * ciphertext is written to the beginning of |out_suffix|. |SuffixLen| should - * be used to size |out_suffix| accordingly. - * - * If |in| and |out| alias then |out| must be == |in|. Other arguments may not - * alias anything. */ + // SealScatter encrypts and authenticates |in_len| bytes from |in| and splits + // the result between |out_prefix|, |out| and |out_suffix|. It returns one on + // success and zero on error. + // + // On successful return, exactly |ExplicitNonceLen| bytes are written to + // |out_prefix|, |in_len| bytes to |out|, and |SuffixLen| bytes to + // |out_suffix|. + // + // |extra_in| may point to an additional plaintext buffer. If present, + // |extra_in_len| additional bytes are encrypted and authenticated, and the + // ciphertext is written to the beginning of |out_suffix|. |SuffixLen| should + // be used to size |out_suffix| accordingly. + // + // If |in| and |out| alias then |out| must be == |in|. Other arguments may not + // alias anything. bool SealScatter(uint8_t *out_prefix, uint8_t *out, uint8_t *out_suffix, uint8_t type, uint16_t wire_version, const uint8_t seqnum[8], const uint8_t *in, size_t in_len, const uint8_t *extra_in, @@ -543,65 +543,65 @@ class SSLAEADContext { bool GetIV(const uint8_t **out_iv, size_t *out_iv_len) const; private: - /* GetAdditionalData writes the additional data into |out| and returns the - * number of bytes written. */ + // GetAdditionalData writes the additional data into |out| and returns the + // number of bytes written. size_t GetAdditionalData(uint8_t out[13], uint8_t type, uint16_t wire_version, const uint8_t seqnum[8], size_t plaintext_len); const SSL_CIPHER *cipher_; ScopedEVP_AEAD_CTX ctx_; - /* fixed_nonce_ contains any bytes of the nonce that are fixed for all - * records. */ + // fixed_nonce_ contains any bytes of the nonce that are fixed for all + // records. uint8_t fixed_nonce_[12]; uint8_t fixed_nonce_len_ = 0, variable_nonce_len_ = 0; - /* version_ is the protocol version that should be used with this AEAD. */ + // version_ is the protocol version that should be used with this AEAD. uint16_t version_; - /* variable_nonce_included_in_record_ is true if the variable nonce - * for a record is included as a prefix before the ciphertext. */ + // variable_nonce_included_in_record_ is true if the variable nonce + // for a record is included as a prefix before the ciphertext. bool variable_nonce_included_in_record_ : 1; - /* random_variable_nonce_ is true if the variable nonce is - * randomly generated, rather than derived from the sequence - * number. */ + // random_variable_nonce_ is true if the variable nonce is + // randomly generated, rather than derived from the sequence + // number. bool random_variable_nonce_ : 1; - /* omit_length_in_ad_ is true if the length should be omitted in the - * AEAD's ad parameter. */ + // omit_length_in_ad_ is true if the length should be omitted in the + // AEAD's ad parameter. bool omit_length_in_ad_ : 1; - /* omit_version_in_ad_ is true if the version should be omitted - * in the AEAD's ad parameter. */ + // omit_version_in_ad_ is true if the version should be omitted + // in the AEAD's ad parameter. bool omit_version_in_ad_ : 1; - /* omit_ad_ is true if the AEAD's ad parameter should be omitted. */ + // omit_ad_ is true if the AEAD's ad parameter should be omitted. bool omit_ad_ : 1; - /* xor_fixed_nonce_ is true if the fixed nonce should be XOR'd into the - * variable nonce rather than prepended. */ + // xor_fixed_nonce_ is true if the fixed nonce should be XOR'd into the + // variable nonce rather than prepended. bool xor_fixed_nonce_ : 1; }; -/* DTLS replay bitmap. */ +// DTLS replay bitmap. -/* DTLS1_BITMAP maintains a sliding window of 64 sequence numbers to detect - * replayed packets. It should be initialized by zeroing every field. */ +// DTLS1_BITMAP maintains a sliding window of 64 sequence numbers to detect +// replayed packets. It should be initialized by zeroing every field. struct DTLS1_BITMAP { - /* map is a bit mask of the last 64 sequence numbers. Bit - * |1< Create(uint16_t group_id); - /* GroupID returns the group ID. */ + // GroupID returns the group ID. virtual uint16_t GroupID() const PURE_VIRTUAL; - /* Offer generates a keypair and writes the public value to - * |out_public_key|. It returns true on success and false on error. */ + // Offer generates a keypair and writes the public value to + // |out_public_key|. It returns true on success and false on error. virtual bool Offer(CBB *out_public_key) PURE_VIRTUAL; - /* Accept performs a key exchange against the |peer_key| generated by |offer|. - * On success, it returns true, writes the public value to |out_public_key|, - * and sets |*out_secret| and |*out_secret_len| to a newly-allocated buffer - * containing the shared secret. The caller must release this buffer with - * |OPENSSL_free|. On failure, it returns false and sets |*out_alert| to an - * alert to send to the peer. - * - * The default implementation calls |Offer| and then |Finish|, assuming a key - * exchange protocol where the peers are symmetric. - * - * TODO(davidben): out_secret should be a smart pointer. */ + // Accept performs a key exchange against the |peer_key| generated by |offer|. + // On success, it returns true, writes the public value to |out_public_key|, + // and sets |*out_secret| and |*out_secret_len| to a newly-allocated buffer + // containing the shared secret. The caller must release this buffer with + // |OPENSSL_free|. On failure, it returns false and sets |*out_alert| to an + // alert to send to the peer. + // + // The default implementation calls |Offer| and then |Finish|, assuming a key + // exchange protocol where the peers are symmetric. + // + // TODO(davidben): out_secret should be a smart pointer. virtual bool Accept(CBB *out_public_key, uint8_t **out_secret, size_t *out_secret_len, uint8_t *out_alert, const uint8_t *peer_key, size_t peer_key_len); - /* Finish performs a key exchange against the |peer_key| generated by - * |Accept|. On success, it returns true and sets |*out_secret| and - * |*out_secret_len| to a newly-allocated buffer containing the shared - * secret. The caller must release this buffer with |OPENSSL_free|. On - * failure, it returns zero and sets |*out_alert| to an alert to send to the - * peer. - * - * TODO(davidben): out_secret should be a smart pointer. */ + // Finish performs a key exchange against the |peer_key| generated by + // |Accept|. On success, it returns true and sets |*out_secret| and + // |*out_secret_len| to a newly-allocated buffer containing the shared + // secret. The caller must release this buffer with |OPENSSL_free|. On + // failure, it returns zero and sets |*out_alert| to an alert to send to the + // peer. + // + // TODO(davidben): out_secret should be a smart pointer. virtual bool Finish(uint8_t **out_secret, size_t *out_secret_len, uint8_t *out_alert, const uint8_t *peer_key, size_t peer_key_len) PURE_VIRTUAL; }; -/* ssl_nid_to_group_id looks up the group corresponding to |nid|. On success, it - * sets |*out_group_id| to the group ID and returns one. Otherwise, it returns - * zero. */ +// ssl_nid_to_group_id looks up the group corresponding to |nid|. On success, it +// sets |*out_group_id| to the group ID and returns one. Otherwise, it returns +// zero. int ssl_nid_to_group_id(uint16_t *out_group_id, int nid); -/* ssl_name_to_group_id looks up the group corresponding to the |name| string - * of length |len|. On success, it sets |*out_group_id| to the group ID and - * returns one. Otherwise, it returns zero. */ +// ssl_name_to_group_id looks up the group corresponding to the |name| string +// of length |len|. On success, it sets |*out_group_id| to the group ID and +// returns one. Otherwise, it returns zero. int ssl_name_to_group_id(uint16_t *out_group_id, const char *name, size_t len); -/* Handshake messages. */ +// Handshake messages. struct SSLMessage { bool is_v2_hello; uint8_t type; CBS body; - /* raw is the entire serialized handshake message, including the TLS or DTLS - * message header. */ + // raw is the entire serialized handshake message, including the TLS or DTLS + // message header. CBS raw; }; -/* SSL_MAX_HANDSHAKE_FLIGHT is the number of messages, including - * ChangeCipherSpec, in the longest handshake flight. Currently this is the - * client's second leg in a full handshake when client certificates, NPN, and - * Channel ID, are all enabled. */ +// SSL_MAX_HANDSHAKE_FLIGHT is the number of messages, including +// ChangeCipherSpec, in the longest handshake flight. Currently this is the +// client's second leg in a full handshake when client certificates, NPN, and +// Channel ID, are all enabled. #define SSL_MAX_HANDSHAKE_FLIGHT 7 -/* ssl_max_handshake_message_len returns the maximum number of bytes permitted - * in a handshake message for |ssl|. */ +// ssl_max_handshake_message_len returns the maximum number of bytes permitted +// in a handshake message for |ssl|. size_t ssl_max_handshake_message_len(const SSL *ssl); -/* dtls_clear_incoming_messages releases all buffered incoming messages. */ +// dtls_clear_incoming_messages releases all buffered incoming messages. void dtls_clear_incoming_messages(SSL *ssl); -/* dtls_has_incoming_messages returns one if there are buffered incoming - * messages ahead of the current message and zero otherwise. */ +// dtls_has_incoming_messages returns one if there are buffered incoming +// messages ahead of the current message and zero otherwise. int dtls_has_incoming_messages(const SSL *ssl); struct DTLS_OUTGOING_MESSAGE { @@ -858,209 +858,209 @@ struct DTLS_OUTGOING_MESSAGE { char is_ccs; }; -/* dtls_clear_outgoing_messages releases all buffered outgoing messages. */ +// dtls_clear_outgoing_messages releases all buffered outgoing messages. void dtls_clear_outgoing_messages(SSL *ssl); -/* Callbacks. */ +// Callbacks. -/* ssl_do_info_callback calls |ssl|'s info callback, if set. */ +// ssl_do_info_callback calls |ssl|'s info callback, if set. void ssl_do_info_callback(const SSL *ssl, int type, int value); -/* ssl_do_msg_callback calls |ssl|'s message callback, if set. */ +// ssl_do_msg_callback calls |ssl|'s message callback, if set. void ssl_do_msg_callback(SSL *ssl, int is_write, int content_type, const void *buf, size_t len); -/* Transport buffers. */ +// Transport buffers. -/* ssl_read_buffer returns a pointer to contents of the read buffer. */ +// ssl_read_buffer returns a pointer to contents of the read buffer. uint8_t *ssl_read_buffer(SSL *ssl); -/* ssl_read_buffer_len returns the length of the read buffer. */ +// ssl_read_buffer_len returns the length of the read buffer. size_t ssl_read_buffer_len(const SSL *ssl); -/* ssl_read_buffer_extend_to extends the read buffer to the desired length. For - * TLS, it reads to the end of the buffer until the buffer is |len| bytes - * long. For DTLS, it reads a new packet and ignores |len|. It returns one on - * success, zero on EOF, and a negative number on error. - * - * It is an error to call |ssl_read_buffer_extend_to| in DTLS when the buffer is - * non-empty. */ +// ssl_read_buffer_extend_to extends the read buffer to the desired length. For +// TLS, it reads to the end of the buffer until the buffer is |len| bytes +// long. For DTLS, it reads a new packet and ignores |len|. It returns one on +// success, zero on EOF, and a negative number on error. +// +// It is an error to call |ssl_read_buffer_extend_to| in DTLS when the buffer is +// non-empty. int ssl_read_buffer_extend_to(SSL *ssl, size_t len); -/* ssl_read_buffer_consume consumes |len| bytes from the read buffer. It - * advances the data pointer and decrements the length. The memory consumed will - * remain valid until the next call to |ssl_read_buffer_extend| or it is - * discarded with |ssl_read_buffer_discard|. */ +// ssl_read_buffer_consume consumes |len| bytes from the read buffer. It +// advances the data pointer and decrements the length. The memory consumed will +// remain valid until the next call to |ssl_read_buffer_extend| or it is +// discarded with |ssl_read_buffer_discard|. void ssl_read_buffer_consume(SSL *ssl, size_t len); -/* ssl_read_buffer_discard discards the consumed bytes from the read buffer. If - * the buffer is now empty, it releases memory used by it. */ +// ssl_read_buffer_discard discards the consumed bytes from the read buffer. If +// the buffer is now empty, it releases memory used by it. void ssl_read_buffer_discard(SSL *ssl); -/* ssl_read_buffer_clear releases all memory associated with the read buffer and - * zero-initializes it. */ +// ssl_read_buffer_clear releases all memory associated with the read buffer and +// zero-initializes it. void ssl_read_buffer_clear(SSL *ssl); -/* ssl_write_buffer_is_pending returns one if the write buffer has pending data - * and zero if is empty. */ +// ssl_write_buffer_is_pending returns one if the write buffer has pending data +// and zero if is empty. int ssl_write_buffer_is_pending(const SSL *ssl); -/* ssl_write_buffer_init initializes the write buffer. On success, it sets - * |*out_ptr| to the start of the write buffer with space for up to |max_len| - * bytes. It returns one on success and zero on failure. Call - * |ssl_write_buffer_set_len| to complete initialization. */ +// ssl_write_buffer_init initializes the write buffer. On success, it sets +// |*out_ptr| to the start of the write buffer with space for up to |max_len| +// bytes. It returns one on success and zero on failure. Call +// |ssl_write_buffer_set_len| to complete initialization. int ssl_write_buffer_init(SSL *ssl, uint8_t **out_ptr, size_t max_len); -/* ssl_write_buffer_set_len is called after |ssl_write_buffer_init| to complete - * initialization after |len| bytes are written to the buffer. */ +// ssl_write_buffer_set_len is called after |ssl_write_buffer_init| to complete +// initialization after |len| bytes are written to the buffer. void ssl_write_buffer_set_len(SSL *ssl, size_t len); -/* ssl_write_buffer_flush flushes the write buffer to the transport. It returns - * one on success and <= 0 on error. For DTLS, whether or not the write - * succeeds, the write buffer will be cleared. */ +// ssl_write_buffer_flush flushes the write buffer to the transport. It returns +// one on success and <= 0 on error. For DTLS, whether or not the write +// succeeds, the write buffer will be cleared. int ssl_write_buffer_flush(SSL *ssl); -/* ssl_write_buffer_clear releases all memory associated with the write buffer - * and zero-initializes it. */ +// ssl_write_buffer_clear releases all memory associated with the write buffer +// and zero-initializes it. void ssl_write_buffer_clear(SSL *ssl); -/* Certificate functions. */ +// Certificate functions. -/* ssl_has_certificate returns one if a certificate and private key are - * configured and zero otherwise. */ +// ssl_has_certificate returns one if a certificate and private key are +// configured and zero otherwise. int ssl_has_certificate(const SSL *ssl); -/* ssl_parse_cert_chain parses a certificate list from |cbs| in the format used - * by a TLS Certificate message. On success, it advances |cbs| and returns - * true. Otherwise, it returns false and sets |*out_alert| to an alert to send - * to the peer. - * - * If the list is non-empty then |*out_chain| and |*out_pubkey| will be set to - * the certificate chain and the leaf certificate's public key - * respectively. Otherwise, both will be set to nullptr. - * - * If the list is non-empty and |out_leaf_sha256| is non-NULL, it writes the - * SHA-256 hash of the leaf to |out_leaf_sha256|. */ +// ssl_parse_cert_chain parses a certificate list from |cbs| in the format used +// by a TLS Certificate message. On success, it advances |cbs| and returns +// true. Otherwise, it returns false and sets |*out_alert| to an alert to send +// to the peer. +// +// If the list is non-empty then |*out_chain| and |*out_pubkey| will be set to +// the certificate chain and the leaf certificate's public key +// respectively. Otherwise, both will be set to nullptr. +// +// If the list is non-empty and |out_leaf_sha256| is non-NULL, it writes the +// SHA-256 hash of the leaf to |out_leaf_sha256|. bool ssl_parse_cert_chain(uint8_t *out_alert, UniquePtr *out_chain, UniquePtr *out_pubkey, uint8_t *out_leaf_sha256, CBS *cbs, CRYPTO_BUFFER_POOL *pool); -/* ssl_add_cert_chain adds |ssl|'s certificate chain to |cbb| in the format used - * by a TLS Certificate message. If there is no certificate chain, it emits an - * empty certificate list. It returns one on success and zero on error. */ +// ssl_add_cert_chain adds |ssl|'s certificate chain to |cbb| in the format used +// by a TLS Certificate message. If there is no certificate chain, it emits an +// empty certificate list. It returns one on success and zero on error. int ssl_add_cert_chain(SSL *ssl, CBB *cbb); -/* ssl_cert_check_digital_signature_key_usage parses the DER-encoded, X.509 - * certificate in |in| and returns one if doesn't specify a key usage or, if it - * does, if it includes digitalSignature. Otherwise it pushes to the error - * queue and returns zero. */ +// ssl_cert_check_digital_signature_key_usage parses the DER-encoded, X.509 +// certificate in |in| and returns one if doesn't specify a key usage or, if it +// does, if it includes digitalSignature. Otherwise it pushes to the error +// queue and returns zero. int ssl_cert_check_digital_signature_key_usage(const CBS *in); -/* ssl_cert_parse_pubkey extracts the public key from the DER-encoded, X.509 - * certificate in |in|. It returns an allocated |EVP_PKEY| or else returns - * nullptr and pushes to the error queue. */ +// ssl_cert_parse_pubkey extracts the public key from the DER-encoded, X.509 +// certificate in |in|. It returns an allocated |EVP_PKEY| or else returns +// nullptr and pushes to the error queue. UniquePtr ssl_cert_parse_pubkey(const CBS *in); -/* ssl_parse_client_CA_list parses a CA list from |cbs| in the format used by a - * TLS CertificateRequest message. On success, it returns a newly-allocated - * |CRYPTO_BUFFER| list and advances |cbs|. Otherwise, it returns nullptr and - * sets |*out_alert| to an alert to send to the peer. */ +// ssl_parse_client_CA_list parses a CA list from |cbs| in the format used by a +// TLS CertificateRequest message. On success, it returns a newly-allocated +// |CRYPTO_BUFFER| list and advances |cbs|. Otherwise, it returns nullptr and +// sets |*out_alert| to an alert to send to the peer. UniquePtr ssl_parse_client_CA_list(SSL *ssl, uint8_t *out_alert, CBS *cbs); -/* ssl_add_client_CA_list adds the configured CA list to |cbb| in the format - * used by a TLS CertificateRequest message. It returns one on success and zero - * on error. */ +// ssl_add_client_CA_list adds the configured CA list to |cbb| in the format +// used by a TLS CertificateRequest message. It returns one on success and zero +// on error. int ssl_add_client_CA_list(SSL *ssl, CBB *cbb); -/* ssl_check_leaf_certificate returns one if |pkey| and |leaf| are suitable as - * a server's leaf certificate for |hs|. Otherwise, it returns zero and pushes - * an error on the error queue. */ +// ssl_check_leaf_certificate returns one if |pkey| and |leaf| are suitable as +// a server's leaf certificate for |hs|. Otherwise, it returns zero and pushes +// an error on the error queue. int ssl_check_leaf_certificate(SSL_HANDSHAKE *hs, EVP_PKEY *pkey, const CRYPTO_BUFFER *leaf); -/* ssl_on_certificate_selected is called once the certificate has been selected. - * It finalizes the certificate and initializes |hs->local_pubkey|. It returns - * one on success and zero on error. */ +// ssl_on_certificate_selected is called once the certificate has been selected. +// It finalizes the certificate and initializes |hs->local_pubkey|. It returns +// one on success and zero on error. int ssl_on_certificate_selected(SSL_HANDSHAKE *hs); -/* TLS 1.3 key derivation. */ +// TLS 1.3 key derivation. -/* tls13_init_key_schedule initializes the handshake hash and key derivation - * state. The cipher suite and PRF hash must have been selected at this point. - * It returns one on success and zero on error. */ +// tls13_init_key_schedule initializes the handshake hash and key derivation +// state. The cipher suite and PRF hash must have been selected at this point. +// It returns one on success and zero on error. int tls13_init_key_schedule(SSL_HANDSHAKE *hs); -/* tls13_init_early_key_schedule initializes the handshake hash and key - * derivation state from the resumption secret to derive the early secrets. It - * returns one on success and zero on error. */ +// tls13_init_early_key_schedule initializes the handshake hash and key +// derivation state from the resumption secret to derive the early secrets. It +// returns one on success and zero on error. int tls13_init_early_key_schedule(SSL_HANDSHAKE *hs); -/* tls13_advance_key_schedule incorporates |in| into the key schedule with - * HKDF-Extract. It returns one on success and zero on error. */ +// tls13_advance_key_schedule incorporates |in| into the key schedule with +// HKDF-Extract. It returns one on success and zero on error. int tls13_advance_key_schedule(SSL_HANDSHAKE *hs, const uint8_t *in, size_t len); -/* tls13_set_traffic_key sets the read or write traffic keys to - * |traffic_secret|. It returns one on success and zero on error. */ +// tls13_set_traffic_key sets the read or write traffic keys to +// |traffic_secret|. It returns one on success and zero on error. int tls13_set_traffic_key(SSL *ssl, enum evp_aead_direction_t direction, const uint8_t *traffic_secret, size_t traffic_secret_len); -/* tls13_derive_early_secrets derives the early traffic secret. It returns one - * on success and zero on error. */ +// tls13_derive_early_secrets derives the early traffic secret. It returns one +// on success and zero on error. int tls13_derive_early_secrets(SSL_HANDSHAKE *hs); -/* tls13_derive_handshake_secrets derives the handshake traffic secret. It - * returns one on success and zero on error. */ +// tls13_derive_handshake_secrets derives the handshake traffic secret. It +// returns one on success and zero on error. int tls13_derive_handshake_secrets(SSL_HANDSHAKE *hs); -/* tls13_rotate_traffic_key derives the next read or write traffic secret. It - * returns one on success and zero on error. */ +// tls13_rotate_traffic_key derives the next read or write traffic secret. It +// returns one on success and zero on error. int tls13_rotate_traffic_key(SSL *ssl, enum evp_aead_direction_t direction); -/* tls13_derive_application_secrets derives the initial application data traffic - * and exporter secrets based on the handshake transcripts and |master_secret|. - * It returns one on success and zero on error. */ +// tls13_derive_application_secrets derives the initial application data traffic +// and exporter secrets based on the handshake transcripts and |master_secret|. +// It returns one on success and zero on error. int tls13_derive_application_secrets(SSL_HANDSHAKE *hs); -/* tls13_derive_resumption_secret derives the |resumption_secret|. */ +// tls13_derive_resumption_secret derives the |resumption_secret|. int tls13_derive_resumption_secret(SSL_HANDSHAKE *hs); -/* tls13_export_keying_material provides an exporter interface to use the - * |exporter_secret|. */ +// tls13_export_keying_material provides an exporter interface to use the +// |exporter_secret|. int tls13_export_keying_material(SSL *ssl, uint8_t *out, size_t out_len, const char *label, size_t label_len, const uint8_t *context, size_t context_len, int use_context); -/* tls13_finished_mac calculates the MAC of the handshake transcript to verify - * the integrity of the Finished message, and stores the result in |out| and - * length in |out_len|. |is_server| is 1 if this is for the Server Finished and - * 0 for the Client Finished. */ +// tls13_finished_mac calculates the MAC of the handshake transcript to verify +// the integrity of the Finished message, and stores the result in |out| and +// length in |out_len|. |is_server| is 1 if this is for the Server Finished and +// 0 for the Client Finished. int tls13_finished_mac(SSL_HANDSHAKE *hs, uint8_t *out, size_t *out_len, int is_server); -/* tls13_write_psk_binder calculates the PSK binder value and replaces the last - * bytes of |msg| with the resulting value. It returns 1 on success, and 0 on - * failure. */ +// tls13_write_psk_binder calculates the PSK binder value and replaces the last +// bytes of |msg| with the resulting value. It returns 1 on success, and 0 on +// failure. int tls13_write_psk_binder(SSL_HANDSHAKE *hs, uint8_t *msg, size_t len); -/* tls13_verify_psk_binder verifies that the handshake transcript, truncated - * up to the binders has a valid signature using the value of |session|'s - * resumption secret. It returns 1 on success, and 0 on failure. */ +// tls13_verify_psk_binder verifies that the handshake transcript, truncated +// up to the binders has a valid signature using the value of |session|'s +// resumption secret. It returns 1 on success, and 0 on failure. int tls13_verify_psk_binder(SSL_HANDSHAKE *hs, SSL_SESSION *session, const SSLMessage &msg, CBS *binders); -/* Handshake functions. */ +// Handshake functions. enum ssl_hs_wait_t { ssl_hs_error, @@ -1086,31 +1086,31 @@ struct SSL_HANDSHAKE { ~SSL_HANDSHAKE(); static constexpr bool kAllowUniquePtr = true; - /* ssl is a non-owning pointer to the parent |SSL| object. */ + // ssl is a non-owning pointer to the parent |SSL| object. SSL *ssl; - /* wait contains the operation the handshake is currently blocking on or - * |ssl_hs_ok| if none. */ + // wait contains the operation the handshake is currently blocking on or + // |ssl_hs_ok| if none. enum ssl_hs_wait_t wait = ssl_hs_ok; - /* state is the internal state for the TLS 1.2 and below handshake. Its - * values depend on |do_handshake| but the starting state is always zero. */ + // state is the internal state for the TLS 1.2 and below handshake. Its + // values depend on |do_handshake| but the starting state is always zero. int state = 0; - /* tls13_state is the internal state for the TLS 1.3 handshake. Its values - * depend on |do_handshake| but the starting state is always zero. */ + // tls13_state is the internal state for the TLS 1.3 handshake. Its values + // depend on |do_handshake| but the starting state is always zero. int tls13_state = 0; - /* min_version is the minimum accepted protocol version, taking account both - * |SSL_OP_NO_*| and |SSL_CTX_set_min_proto_version| APIs. */ + // min_version is the minimum accepted protocol version, taking account both + // |SSL_OP_NO_*| and |SSL_CTX_set_min_proto_version| APIs. uint16_t min_version = 0; - /* max_version is the maximum accepted protocol version, taking account both - * |SSL_OP_NO_*| and |SSL_CTX_set_max_proto_version| APIs. */ + // max_version is the maximum accepted protocol version, taking account both + // |SSL_OP_NO_*| and |SSL_CTX_set_max_proto_version| APIs. uint16_t max_version = 0; - /* session_id is the session ID in the ClientHello, used for the experimental - * TLS 1.3 variant. */ + // session_id is the session ID in the ClientHello, used for the experimental + // TLS 1.3 variant. uint8_t session_id[SSL_MAX_SSL_SESSION_ID_LENGTH] = {0}; uint8_t session_id_len = 0; @@ -1124,238 +1124,238 @@ struct SSL_HANDSHAKE { uint8_t expected_client_finished[EVP_MAX_MD_SIZE] = {0}; union { - /* sent is a bitset where the bits correspond to elements of kExtensions - * in t1_lib.c. Each bit is set if that extension was sent in a - * ClientHello. It's not used by servers. */ + // sent is a bitset where the bits correspond to elements of kExtensions + // in t1_lib.c. Each bit is set if that extension was sent in a + // ClientHello. It's not used by servers. uint32_t sent = 0; - /* received is a bitset, like |sent|, but is used by servers to record - * which extensions were received from a client. */ + // received is a bitset, like |sent|, but is used by servers to record + // which extensions were received from a client. uint32_t received; } extensions; union { - /* sent is a bitset where the bits correspond to elements of - * |client_custom_extensions| in the |SSL_CTX|. Each bit is set if that - * extension was sent in a ClientHello. It's not used by servers. */ + // sent is a bitset where the bits correspond to elements of + // |client_custom_extensions| in the |SSL_CTX|. Each bit is set if that + // extension was sent in a ClientHello. It's not used by servers. uint16_t sent = 0; - /* received is a bitset, like |sent|, but is used by servers to record - * which custom extensions were received from a client. The bits here - * correspond to |server_custom_extensions|. */ + // received is a bitset, like |sent|, but is used by servers to record + // which custom extensions were received from a client. The bits here + // correspond to |server_custom_extensions|. uint16_t received; } custom_extensions; - /* retry_group is the group ID selected by the server in HelloRetryRequest in - * TLS 1.3. */ + // retry_group is the group ID selected by the server in HelloRetryRequest in + // TLS 1.3. uint16_t retry_group = 0; - /* key_share is the current key exchange instance. */ + // key_share is the current key exchange instance. UniquePtr key_share; - /* transcript is the current handshake transcript. */ + // transcript is the current handshake transcript. SSLTranscript transcript; - /* cookie is the value of the cookie received from the server, if any. */ + // cookie is the value of the cookie received from the server, if any. uint8_t *cookie = nullptr; size_t cookie_len = 0; - /* key_share_bytes is the value of the previously sent KeyShare extension by - * the client in TLS 1.3. */ + // key_share_bytes is the value of the previously sent KeyShare extension by + // the client in TLS 1.3. uint8_t *key_share_bytes = nullptr; size_t key_share_bytes_len = 0; - /* ecdh_public_key, for servers, is the key share to be sent to the client in - * TLS 1.3. */ + // ecdh_public_key, for servers, is the key share to be sent to the client in + // TLS 1.3. uint8_t *ecdh_public_key = nullptr; size_t ecdh_public_key_len = 0; - /* peer_sigalgs are the signature algorithms that the peer supports. These are - * taken from the contents of the signature algorithms extension for a server - * or from the CertificateRequest for a client. */ + // peer_sigalgs are the signature algorithms that the peer supports. These are + // taken from the contents of the signature algorithms extension for a server + // or from the CertificateRequest for a client. uint16_t *peer_sigalgs = nullptr; - /* num_peer_sigalgs is the number of entries in |peer_sigalgs|. */ + // num_peer_sigalgs is the number of entries in |peer_sigalgs|. size_t num_peer_sigalgs = 0; - /* peer_supported_group_list contains the supported group IDs advertised by - * the peer. This is only set on the server's end. The server does not - * advertise this extension to the client. */ + // peer_supported_group_list contains the supported group IDs advertised by + // the peer. This is only set on the server's end. The server does not + // advertise this extension to the client. uint16_t *peer_supported_group_list = nullptr; size_t peer_supported_group_list_len = 0; - /* peer_key is the peer's ECDH key for a TLS 1.2 client. */ + // peer_key is the peer's ECDH key for a TLS 1.2 client. uint8_t *peer_key = nullptr; size_t peer_key_len = 0; - /* server_params, in a TLS 1.2 server, stores the ServerKeyExchange - * parameters. It has client and server randoms prepended for signing - * convenience. */ + // server_params, in a TLS 1.2 server, stores the ServerKeyExchange + // parameters. It has client and server randoms prepended for signing + // convenience. uint8_t *server_params = nullptr; size_t server_params_len = 0; - /* peer_psk_identity_hint, on the client, is the psk_identity_hint sent by the - * server when using a TLS 1.2 PSK key exchange. */ + // peer_psk_identity_hint, on the client, is the psk_identity_hint sent by the + // server when using a TLS 1.2 PSK key exchange. UniquePtr peer_psk_identity_hint; - /* ca_names, on the client, contains the list of CAs received in a - * CertificateRequest message. */ + // ca_names, on the client, contains the list of CAs received in a + // CertificateRequest message. UniquePtr ca_names; - /* cached_x509_ca_names contains a cache of parsed versions of the elements - * of |ca_names|. */ + // cached_x509_ca_names contains a cache of parsed versions of the elements + // of |ca_names|. STACK_OF(X509_NAME) *cached_x509_ca_names = nullptr; - /* certificate_types, on the client, contains the set of certificate types - * received in a CertificateRequest message. */ + // certificate_types, on the client, contains the set of certificate types + // received in a CertificateRequest message. uint8_t *certificate_types = nullptr; size_t num_certificate_types = 0; - /* hostname, on the server, is the value of the SNI extension. */ + // hostname, on the server, is the value of the SNI extension. UniquePtr hostname; - /* local_pubkey is the public key we are authenticating as. */ + // local_pubkey is the public key we are authenticating as. UniquePtr local_pubkey; - /* peer_pubkey is the public key parsed from the peer's leaf certificate. */ + // peer_pubkey is the public key parsed from the peer's leaf certificate. UniquePtr peer_pubkey; - /* new_session is the new mutable session being established by the current - * handshake. It should not be cached. */ + // new_session is the new mutable session being established by the current + // handshake. It should not be cached. UniquePtr new_session; - /* early_session is the session corresponding to the current 0-RTT state on - * the client if |in_early_data| is true. */ + // early_session is the session corresponding to the current 0-RTT state on + // the client if |in_early_data| is true. UniquePtr early_session; - /* new_cipher is the cipher being negotiated in this handshake. */ + // new_cipher is the cipher being negotiated in this handshake. const SSL_CIPHER *new_cipher = nullptr; - /* key_block is the record-layer key block for TLS 1.2 and earlier. */ + // key_block is the record-layer key block for TLS 1.2 and earlier. uint8_t *key_block = nullptr; uint8_t key_block_len = 0; - /* scts_requested is one if the SCT extension is in the ClientHello. */ + // scts_requested is one if the SCT extension is in the ClientHello. unsigned scts_requested:1; - /* needs_psk_binder if the ClientHello has a placeholder PSK binder to be - * filled in. */ + // needs_psk_binder if the ClientHello has a placeholder PSK binder to be + // filled in. unsigned needs_psk_binder:1; unsigned received_hello_retry_request:1; unsigned received_custom_extension:1; - /* accept_psk_mode stores whether the client's PSK mode is compatible with our - * preferences. */ + // accept_psk_mode stores whether the client's PSK mode is compatible with our + // preferences. unsigned accept_psk_mode:1; - /* cert_request is one if a client certificate was requested and zero - * otherwise. */ + // cert_request is one if a client certificate was requested and zero + // otherwise. unsigned cert_request:1; - /* certificate_status_expected is one if OCSP stapling was negotiated and the - * server is expected to send a CertificateStatus message. (This is used on - * both the client and server sides.) */ + // certificate_status_expected is one if OCSP stapling was negotiated and the + // server is expected to send a CertificateStatus message. (This is used on + // both the client and server sides.) unsigned certificate_status_expected:1; - /* ocsp_stapling_requested is one if a client requested OCSP stapling. */ + // ocsp_stapling_requested is one if a client requested OCSP stapling. unsigned ocsp_stapling_requested:1; - /* should_ack_sni is used by a server and indicates that the SNI extension - * should be echoed in the ServerHello. */ + // should_ack_sni is used by a server and indicates that the SNI extension + // should be echoed in the ServerHello. unsigned should_ack_sni:1; - /* in_false_start is one if there is a pending client handshake in False - * Start. The client may write data at this point. */ + // in_false_start is one if there is a pending client handshake in False + // Start. The client may write data at this point. unsigned in_false_start:1; - /* in_early_data is one if there is a pending handshake that has progressed - * enough to send and receive early data. */ + // in_early_data is one if there is a pending handshake that has progressed + // enough to send and receive early data. unsigned in_early_data:1; - /* early_data_offered is one if the client sent the early_data extension. */ + // early_data_offered is one if the client sent the early_data extension. unsigned early_data_offered:1; - /* can_early_read is one if application data may be read at this point in the - * handshake. */ + // can_early_read is one if application data may be read at this point in the + // handshake. unsigned can_early_read:1; - /* can_early_write is one if application data may be written at this point in - * the handshake. */ + // can_early_write is one if application data may be written at this point in + // the handshake. unsigned can_early_write:1; - /* next_proto_neg_seen is one of NPN was negotiated. */ + // next_proto_neg_seen is one of NPN was negotiated. unsigned next_proto_neg_seen:1; - /* ticket_expected is one if a TLS 1.2 NewSessionTicket message is to be sent - * or received. */ + // ticket_expected is one if a TLS 1.2 NewSessionTicket message is to be sent + // or received. unsigned ticket_expected:1; - /* extended_master_secret is one if the extended master secret extension is - * negotiated in this handshake. */ + // extended_master_secret is one if the extended master secret extension is + // negotiated in this handshake. unsigned extended_master_secret:1; - /* pending_private_key_op is one if there is a pending private key operation - * in progress. */ + // pending_private_key_op is one if there is a pending private key operation + // in progress. unsigned pending_private_key_op:1; - /* client_version is the value sent or received in the ClientHello version. */ + // client_version is the value sent or received in the ClientHello version. uint16_t client_version = 0; - /* early_data_read is the amount of early data that has been read by the - * record layer. */ + // early_data_read is the amount of early data that has been read by the + // record layer. uint16_t early_data_read = 0; - /* early_data_written is the amount of early data that has been written by the - * record layer. */ + // early_data_written is the amount of early data that has been written by the + // record layer. uint16_t early_data_written = 0; }; SSL_HANDSHAKE *ssl_handshake_new(SSL *ssl); -/* ssl_handshake_free releases all memory associated with |hs|. */ +// ssl_handshake_free releases all memory associated with |hs|. void ssl_handshake_free(SSL_HANDSHAKE *hs); -/* ssl_check_message_type checks if |msg| has type |type|. If so it returns - * one. Otherwise, it sends an alert and returns zero. */ +// ssl_check_message_type checks if |msg| has type |type|. If so it returns +// one. Otherwise, it sends an alert and returns zero. int ssl_check_message_type(SSL *ssl, const SSLMessage &msg, int type); -/* ssl_run_handshake runs the TLS handshake. It returns one on success and <= 0 - * on error. It sets |out_early_return| to one if we've completed the handshake - * early. */ +// ssl_run_handshake runs the TLS handshake. It returns one on success and <= 0 +// on error. It sets |out_early_return| to one if we've completed the handshake +// early. int ssl_run_handshake(SSL_HANDSHAKE *hs, int *out_early_return); -/* The following are implementations of |do_handshake| for the client and - * server. */ +// The following are implementations of |do_handshake| for the client and +// server. enum ssl_hs_wait_t ssl_client_handshake(SSL_HANDSHAKE *hs); enum ssl_hs_wait_t ssl_server_handshake(SSL_HANDSHAKE *hs); enum ssl_hs_wait_t tls13_client_handshake(SSL_HANDSHAKE *hs); enum ssl_hs_wait_t tls13_server_handshake(SSL_HANDSHAKE *hs); -/* The following functions return human-readable representations of the TLS - * handshake states for debugging. */ +// The following functions return human-readable representations of the TLS +// handshake states for debugging. const char *ssl_client_handshake_state(SSL_HANDSHAKE *hs); const char *ssl_server_handshake_state(SSL_HANDSHAKE *hs); const char *tls13_client_handshake_state(SSL_HANDSHAKE *hs); const char *tls13_server_handshake_state(SSL_HANDSHAKE *hs); -/* tls13_post_handshake processes a post-handshake message. It returns one on - * success and zero on failure. */ +// tls13_post_handshake processes a post-handshake message. It returns one on +// success and zero on failure. int tls13_post_handshake(SSL *ssl, const SSLMessage &msg); int tls13_process_certificate(SSL_HANDSHAKE *hs, const SSLMessage &msg, int allow_anonymous); int tls13_process_certificate_verify(SSL_HANDSHAKE *hs, const SSLMessage &msg); -/* tls13_process_finished processes |msg| as a Finished message from the - * peer. If |use_saved_value| is one, the verify_data is compared against - * |hs->expected_client_finished| rather than computed fresh. */ +// tls13_process_finished processes |msg| as a Finished message from the +// peer. If |use_saved_value| is one, the verify_data is compared against +// |hs->expected_client_finished| rather than computed fresh. int tls13_process_finished(SSL_HANDSHAKE *hs, const SSLMessage &msg, int use_saved_value); int tls13_add_certificate(SSL_HANDSHAKE *hs); -/* tls13_add_certificate_verify adds a TLS 1.3 CertificateVerify message to the - * handshake. If it returns |ssl_private_key_retry|, it should be called again - * to retry when the signing operation is completed. */ +// tls13_add_certificate_verify adds a TLS 1.3 CertificateVerify message to the +// handshake. If it returns |ssl_private_key_retry|, it should be called again +// to retry when the signing operation is completed. enum ssl_private_key_result_t tls13_add_certificate_verify(SSL_HANDSHAKE *hs); int tls13_add_finished(SSL_HANDSHAKE *hs); @@ -1377,14 +1377,14 @@ int ssl_ext_pre_shared_key_parse_clienthello( uint32_t *out_obfuscated_ticket_age, uint8_t *out_alert, CBS *contents); int ssl_ext_pre_shared_key_add_serverhello(SSL_HANDSHAKE *hs, CBB *out); -/* ssl_is_sct_list_valid does a shallow parse of the SCT list in |contents| and - * returns one iff it's valid. */ +// ssl_is_sct_list_valid does a shallow parse of the SCT list in |contents| and +// returns one iff it's valid. int ssl_is_sct_list_valid(const CBS *contents); int ssl_write_client_hello(SSL_HANDSHAKE *hs); -/* ssl_clear_tls13_state releases client state only needed for TLS 1.3. It - * should be called once the version is known to be TLS 1.2 or earlier. */ +// ssl_clear_tls13_state releases client state only needed for TLS 1.3. It +// should be called once the version is known to be TLS 1.2 or earlier. void ssl_clear_tls13_state(SSL_HANDSHAKE *hs); enum ssl_cert_verify_context_t { @@ -1393,18 +1393,18 @@ enum ssl_cert_verify_context_t { ssl_cert_verify_channel_id, }; -/* tls13_get_cert_verify_signature_input generates the message to be signed for - * TLS 1.3's CertificateVerify message. |cert_verify_context| determines the - * type of signature. It sets |*out| and |*out_len| to a newly allocated buffer - * containing the result. The caller must free it with |OPENSSL_free| to release - * it. This function returns one on success and zero on failure. */ +// tls13_get_cert_verify_signature_input generates the message to be signed for +// TLS 1.3's CertificateVerify message. |cert_verify_context| determines the +// type of signature. It sets |*out| and |*out_len| to a newly allocated buffer +// containing the result. The caller must free it with |OPENSSL_free| to release +// it. This function returns one on success and zero on failure. int tls13_get_cert_verify_signature_input( SSL_HANDSHAKE *hs, uint8_t **out, size_t *out_len, enum ssl_cert_verify_context_t cert_verify_context); -/* ssl_negotiate_alpn negotiates the ALPN extension, if applicable. It returns - * one on successful negotiation or if nothing was negotiated. It returns zero - * and sets |*out_alert| to an alert on error. */ +// ssl_negotiate_alpn negotiates the ALPN extension, if applicable. It returns +// one on successful negotiation or if nothing was negotiated. It returns zero +// and sets |*out_alert| to an alert on error. int ssl_negotiate_alpn(SSL_HANDSHAKE *hs, uint8_t *out_alert, const SSL_CLIENT_HELLO *client_hello); @@ -1414,28 +1414,28 @@ struct SSL_EXTENSION_TYPE { CBS *out_data; }; -/* ssl_parse_extensions parses a TLS extensions block out of |cbs| and advances - * it. It writes the parsed extensions to pointers denoted by |ext_types|. On - * success, it fills in the |out_present| and |out_data| fields and returns one. - * Otherwise, it sets |*out_alert| to an alert to send and returns zero. Unknown - * extensions are rejected unless |ignore_unknown| is 1. */ +// ssl_parse_extensions parses a TLS extensions block out of |cbs| and advances +// it. It writes the parsed extensions to pointers denoted by |ext_types|. On +// success, it fills in the |out_present| and |out_data| fields and returns one. +// Otherwise, it sets |*out_alert| to an alert to send and returns zero. Unknown +// extensions are rejected unless |ignore_unknown| is 1. int ssl_parse_extensions(const CBS *cbs, uint8_t *out_alert, const SSL_EXTENSION_TYPE *ext_types, size_t num_ext_types, int ignore_unknown); -/* ssl_verify_peer_cert verifies the peer certificate for |hs|. */ +// ssl_verify_peer_cert verifies the peer certificate for |hs|. enum ssl_verify_result_t ssl_verify_peer_cert(SSL_HANDSHAKE *hs); -/* SSLKEYLOGFILE functions. */ +// SSLKEYLOGFILE functions. -/* ssl_log_secret logs |secret| with label |label|, if logging is enabled for - * |ssl|. It returns one on success and zero on failure. */ +// ssl_log_secret logs |secret| with label |label|, if logging is enabled for +// |ssl|. It returns one on success and zero on failure. int ssl_log_secret(const SSL *ssl, const char *label, const uint8_t *secret, size_t secret_len); -/* ClientHello functions. */ +// ClientHello functions. int ssl_client_hello_init(SSL *ssl, SSL_CLIENT_HELLO *out, const SSLMessage &msg); @@ -1447,7 +1447,7 @@ int ssl_client_cipher_list_contains_cipher(const SSL_CLIENT_HELLO *client_hello, uint16_t id); -/* GREASE. */ +// GREASE. enum ssl_grease_index_t { ssl_grease_cipher = 0, @@ -1458,146 +1458,146 @@ enum ssl_grease_index_t { ssl_grease_ticket_extension, }; -/* ssl_get_grease_value returns a GREASE value for |ssl|. For a given - * connection, the values for each index will be deterministic. This allows the - * same ClientHello be sent twice for a HelloRetryRequest or the same group be - * advertised in both supported_groups and key_shares. */ +// ssl_get_grease_value returns a GREASE value for |ssl|. For a given +// connection, the values for each index will be deterministic. This allows the +// same ClientHello be sent twice for a HelloRetryRequest or the same group be +// advertised in both supported_groups and key_shares. uint16_t ssl_get_grease_value(const SSL *ssl, enum ssl_grease_index_t index); -/* Signature algorithms. */ +// Signature algorithms. -/* tls1_parse_peer_sigalgs parses |sigalgs| as the list of peer signature - * algorithms and saves them on |hs|. It returns one on success and zero on - * error. */ +// tls1_parse_peer_sigalgs parses |sigalgs| as the list of peer signature +// algorithms and saves them on |hs|. It returns one on success and zero on +// error. int tls1_parse_peer_sigalgs(SSL_HANDSHAKE *hs, const CBS *sigalgs); -/* tls1_get_legacy_signature_algorithm sets |*out| to the signature algorithm - * that should be used with |pkey| in TLS 1.1 and earlier. It returns one on - * success and zero if |pkey| may not be used at those versions. */ +// tls1_get_legacy_signature_algorithm sets |*out| to the signature algorithm +// that should be used with |pkey| in TLS 1.1 and earlier. It returns one on +// success and zero if |pkey| may not be used at those versions. int tls1_get_legacy_signature_algorithm(uint16_t *out, const EVP_PKEY *pkey); -/* tls1_choose_signature_algorithm sets |*out| to a signature algorithm for use - * with |hs|'s private key based on the peer's preferences and the algorithms - * supported. It returns one on success and zero on error. */ +// tls1_choose_signature_algorithm sets |*out| to a signature algorithm for use +// with |hs|'s private key based on the peer's preferences and the algorithms +// supported. It returns one on success and zero on error. int tls1_choose_signature_algorithm(SSL_HANDSHAKE *hs, uint16_t *out); -/* tls12_add_verify_sigalgs adds the signature algorithms acceptable for the - * peer signature to |out|. It returns one on success and zero on error. */ +// tls12_add_verify_sigalgs adds the signature algorithms acceptable for the +// peer signature to |out|. It returns one on success and zero on error. int tls12_add_verify_sigalgs(const SSL *ssl, CBB *out); -/* tls12_check_peer_sigalg checks if |sigalg| is acceptable for the peer - * signature. It returns one on success and zero on error, setting |*out_alert| - * to an alert to send. */ +// tls12_check_peer_sigalg checks if |sigalg| is acceptable for the peer +// signature. It returns one on success and zero on error, setting |*out_alert| +// to an alert to send. int tls12_check_peer_sigalg(SSL *ssl, uint8_t *out_alert, uint16_t sigalg); -/* Underdocumented functions. - * - * Functions below here haven't been touched up and may be underdocumented. */ +// Underdocumented functions. +// +// Functions below here haven't been touched up and may be underdocumented. #define TLSEXT_CHANNEL_ID_SIZE 128 -/* From RFC4492, used in encoding the curve type in ECParameters */ +// From RFC4492, used in encoding the curve type in ECParameters #define NAMED_CURVE_TYPE 3 struct SSLCertConfig { EVP_PKEY *privatekey; - /* chain contains the certificate chain, with the leaf at the beginning. The - * first element of |chain| may be NULL to indicate that the leaf certificate - * has not yet been set. - * If |chain| != NULL -> len(chain) >= 1 - * If |chain[0]| == NULL -> len(chain) >= 2. - * |chain[1..]| != NULL */ + // chain contains the certificate chain, with the leaf at the beginning. The + // first element of |chain| may be NULL to indicate that the leaf certificate + // has not yet been set. + // If |chain| != NULL -> len(chain) >= 1 + // If |chain[0]| == NULL -> len(chain) >= 2. + // |chain[1..]| != NULL STACK_OF(CRYPTO_BUFFER) *chain; - /* x509_chain may contain a parsed copy of |chain[1..]|. This is only used as - * a cache in order to implement “get0” functions that return a non-owning - * pointer to the certificate chain. */ + // x509_chain may contain a parsed copy of |chain[1..]|. This is only used as + // a cache in order to implement “get0” functions that return a non-owning + // pointer to the certificate chain. STACK_OF(X509) *x509_chain; - /* x509_leaf may contain a parsed copy of the first element of |chain|. This - * is only used as a cache in order to implement “get0” functions that return - * a non-owning pointer to the certificate chain. */ + // x509_leaf may contain a parsed copy of the first element of |chain|. This + // is only used as a cache in order to implement “get0” functions that return + // a non-owning pointer to the certificate chain. X509 *x509_leaf; - /* x509_stash contains the last |X509| object append to the chain. This is a - * workaround for some third-party code that continue to use an |X509| object - * even after passing ownership with an “add0” function. */ + // x509_stash contains the last |X509| object append to the chain. This is a + // workaround for some third-party code that continue to use an |X509| object + // even after passing ownership with an “add0” function. X509 *x509_stash; - /* key_method, if non-NULL, is a set of callbacks to call for private key - * operations. */ + // key_method, if non-NULL, is a set of callbacks to call for private key + // operations. const SSL_PRIVATE_KEY_METHOD *key_method; - /* x509_method contains pointers to functions that might deal with |X509| - * compatibility, or might be a no-op, depending on the application. */ + // x509_method contains pointers to functions that might deal with |X509| + // compatibility, or might be a no-op, depending on the application. const SSL_X509_METHOD *x509_method; - /* sigalgs, if non-NULL, is the set of signature algorithms supported by - * |privatekey| in decreasing order of preference. */ + // sigalgs, if non-NULL, is the set of signature algorithms supported by + // |privatekey| in decreasing order of preference. uint16_t *sigalgs; size_t num_sigalgs; - /* Certificate setup callback: if set is called whenever a - * certificate may be required (client or server). the callback - * can then examine any appropriate parameters and setup any - * certificates required. This allows advanced applications - * to select certificates on the fly: for example based on - * supported signature algorithms or curves. */ + // Certificate setup callback: if set is called whenever a + // certificate may be required (client or server). the callback + // can then examine any appropriate parameters and setup any + // certificates required. This allows advanced applications + // to select certificates on the fly: for example based on + // supported signature algorithms or curves. int (*cert_cb)(SSL *ssl, void *arg); void *cert_cb_arg; - /* Optional X509_STORE for certificate validation. If NULL the parent SSL_CTX - * store is used instead. */ + // Optional X509_STORE for certificate validation. If NULL the parent SSL_CTX + // store is used instead. X509_STORE *verify_store; - /* Signed certificate timestamp list to be sent to the client, if requested */ + // Signed certificate timestamp list to be sent to the client, if requested CRYPTO_BUFFER *signed_cert_timestamp_list; - /* OCSP response to be sent to the client, if requested. */ + // OCSP response to be sent to the client, if requested. CRYPTO_BUFFER *ocsp_response; - /* sid_ctx partitions the session space within a shared session cache or - * ticket key. Only sessions with a matching value will be accepted. */ + // sid_ctx partitions the session space within a shared session cache or + // ticket key. Only sessions with a matching value will be accepted. uint8_t sid_ctx_length; uint8_t sid_ctx[SSL_MAX_SID_CTX_LENGTH]; - /* If enable_early_data is non-zero, early data can be sent and accepted. */ + // If enable_early_data is non-zero, early data can be sent and accepted. unsigned enable_early_data:1; }; -/* ssl_crypto_x509_method provides the |SSL_X509_METHOD| functions using - * crypto/x509. */ +// ssl_crypto_x509_method provides the |SSL_X509_METHOD| functions using +// crypto/x509. extern const SSL_X509_METHOD ssl_crypto_x509_method; -/* ssl_noop_x509_method provides the |SSL_X509_METHOD| functions that avoid - * crypto/x509. */ +// ssl_noop_x509_method provides the |SSL_X509_METHOD| functions that avoid +// crypto/x509. extern const SSL_X509_METHOD ssl_noop_x509_method; struct SSL3_RECORD { - /* type is the record type. */ + // type is the record type. uint8_t type; - /* length is the number of unconsumed bytes in the record. */ + // length is the number of unconsumed bytes in the record. uint16_t length; - /* data is a non-owning pointer to the first unconsumed byte of the record. */ + // data is a non-owning pointer to the first unconsumed byte of the record. uint8_t *data; }; struct SSL3_BUFFER { - /* buf is the memory allocated for this buffer. */ + // buf is the memory allocated for this buffer. uint8_t *buf; - /* offset is the offset into |buf| which the buffer contents start at. */ + // offset is the offset into |buf| which the buffer contents start at. uint16_t offset; - /* len is the length of the buffer contents from |buf| + |offset|. */ + // len is the length of the buffer contents from |buf| + |offset|. uint16_t len; - /* cap is how much memory beyond |buf| + |offset| is available. */ + // cap is how much memory beyond |buf| + |offset| is available. uint16_t cap; }; -/* An ssl_shutdown_t describes the shutdown state of one end of the connection, - * whether it is alive or has been shutdown via close_notify or fatal alert. */ +// An ssl_shutdown_t describes the shutdown state of one end of the connection, +// whether it is alive or has been shutdown via close_notify or fatal alert. enum ssl_shutdown_t { ssl_shutdown_none = 0, ssl_shutdown_close_notify = 1, @@ -1611,106 +1611,106 @@ struct SSL3_STATE { uint8_t server_random[SSL3_RANDOM_SIZE]; uint8_t client_random[SSL3_RANDOM_SIZE]; - /* read_buffer holds data from the transport to be processed. */ + // read_buffer holds data from the transport to be processed. SSL3_BUFFER read_buffer; - /* write_buffer holds data to be written to the transport. */ + // write_buffer holds data to be written to the transport. SSL3_BUFFER write_buffer; - SSL3_RECORD rrec; /* each decoded record goes in here */ + SSL3_RECORD rrec; // each decoded record goes in here - /* partial write - check the numbers match */ - unsigned int wnum; /* number of bytes sent so far */ - int wpend_tot; /* number bytes written */ + // partial write - check the numbers match + unsigned int wnum; // number of bytes sent so far + int wpend_tot; // number bytes written int wpend_type; - int wpend_ret; /* number of bytes submitted */ + int wpend_ret; // number of bytes submitted const uint8_t *wpend_buf; - /* recv_shutdown is the shutdown state for the receive half of the - * connection. */ + // recv_shutdown is the shutdown state for the receive half of the + // connection. enum ssl_shutdown_t recv_shutdown; - /* recv_shutdown is the shutdown state for the send half of the connection. */ + // recv_shutdown is the shutdown state for the send half of the connection. enum ssl_shutdown_t send_shutdown; int alert_dispatch; int total_renegotiations; - /* early_data_skipped is the amount of early data that has been skipped by the - * record layer. */ + // early_data_skipped is the amount of early data that has been skipped by the + // record layer. uint16_t early_data_skipped; - /* empty_record_count is the number of consecutive empty records received. */ + // empty_record_count is the number of consecutive empty records received. uint8_t empty_record_count; - /* warning_alert_count is the number of consecutive warning alerts - * received. */ + // warning_alert_count is the number of consecutive warning alerts + // received. uint8_t warning_alert_count; - /* key_update_count is the number of consecutive KeyUpdates received. */ + // key_update_count is the number of consecutive KeyUpdates received. uint8_t key_update_count; - /* skip_early_data instructs the record layer to skip unexpected early data - * messages when 0RTT is rejected. */ + // skip_early_data instructs the record layer to skip unexpected early data + // messages when 0RTT is rejected. unsigned skip_early_data:1; - /* have_version is true if the connection's final version is known. Otherwise - * the version has not been negotiated yet. */ + // have_version is true if the connection's final version is known. Otherwise + // the version has not been negotiated yet. unsigned have_version:1; - /* v2_hello_done is true if the peer's V2ClientHello, if any, has been handled - * and future messages should use the record layer. */ + // v2_hello_done is true if the peer's V2ClientHello, if any, has been handled + // and future messages should use the record layer. unsigned v2_hello_done:1; - /* is_v2_hello is true if the current handshake message was derived from a - * V2ClientHello rather than received from the peer directly. */ + // is_v2_hello is true if the current handshake message was derived from a + // V2ClientHello rather than received from the peer directly. unsigned is_v2_hello:1; - /* has_message is true if the current handshake message has been returned - * at least once by |get_message| and false otherwise. */ + // has_message is true if the current handshake message has been returned + // at least once by |get_message| and false otherwise. unsigned has_message:1; - /* initial_handshake_complete is true if the initial handshake has - * completed. */ + // initial_handshake_complete is true if the initial handshake has + // completed. unsigned initial_handshake_complete:1; - /* session_reused indicates whether a session was resumed. */ + // session_reused indicates whether a session was resumed. unsigned session_reused:1; unsigned send_connection_binding:1; - /* In a client, this means that the server supported Channel ID and that a - * Channel ID was sent. In a server it means that we echoed support for - * Channel IDs and that tlsext_channel_id will be valid after the - * handshake. */ + // In a client, this means that the server supported Channel ID and that a + // Channel ID was sent. In a server it means that we echoed support for + // Channel IDs and that tlsext_channel_id will be valid after the + // handshake. unsigned tlsext_channel_id_valid:1; - /* key_update_pending is one if we have a KeyUpdate acknowledgment - * outstanding. */ + // key_update_pending is one if we have a KeyUpdate acknowledgment + // outstanding. unsigned key_update_pending:1; - /* wpend_pending is one if we have a pending write outstanding. */ + // wpend_pending is one if we have a pending write outstanding. unsigned wpend_pending:1; uint8_t send_alert[2]; - /* pending_flight is the pending outgoing flight. This is used to flush each - * handshake flight in a single write. |write_buffer| must be written out - * before this data. */ + // pending_flight is the pending outgoing flight. This is used to flush each + // handshake flight in a single write. |write_buffer| must be written out + // before this data. BUF_MEM *pending_flight; - /* pending_flight_offset is the number of bytes of |pending_flight| which have - * been successfully written. */ + // pending_flight_offset is the number of bytes of |pending_flight| which have + // been successfully written. uint32_t pending_flight_offset; - /* aead_read_ctx is the current read cipher state. */ + // aead_read_ctx is the current read cipher state. SSLAEADContext *aead_read_ctx; - /* aead_write_ctx is the current write cipher state. */ + // aead_write_ctx is the current write cipher state. SSLAEADContext *aead_write_ctx; - /* hs is the handshake state for the current handshake or NULL if there isn't - * one. */ + // hs is the handshake state for the current handshake or NULL if there isn't + // one. SSL_HANDSHAKE *hs; uint8_t write_traffic_secret[EVP_MAX_MD_SIZE]; @@ -1722,58 +1722,58 @@ struct SSL3_STATE { uint8_t exporter_secret_len; uint8_t early_exporter_secret_len; - /* Connection binding to prevent renegotiation attacks */ + // Connection binding to prevent renegotiation attacks uint8_t previous_client_finished[12]; uint8_t previous_client_finished_len; uint8_t previous_server_finished_len; uint8_t previous_server_finished[12]; - /* State pertaining to the pending handshake. - * - * TODO(davidben): Move everything not needed after the handshake completes to - * |hs| and remove this. */ + // State pertaining to the pending handshake. + // + // TODO(davidben): Move everything not needed after the handshake completes to + // |hs| and remove this. struct { uint8_t new_mac_secret_len; uint8_t new_key_len; uint8_t new_fixed_iv_len; } tmp; - /* established_session is the session established by the connection. This - * session is only filled upon the completion of the handshake and is - * immutable. */ + // established_session is the session established by the connection. This + // session is only filled upon the completion of the handshake and is + // immutable. SSL_SESSION *established_session; - /* Next protocol negotiation. For the client, this is the protocol that we - * sent in NextProtocol and is set when handling ServerHello extensions. - * - * For a server, this is the client's selected_protocol from NextProtocol and - * is set when handling the NextProtocol message, before the Finished - * message. */ + // Next protocol negotiation. For the client, this is the protocol that we + // sent in NextProtocol and is set when handling ServerHello extensions. + // + // For a server, this is the client's selected_protocol from NextProtocol and + // is set when handling the NextProtocol message, before the Finished + // message. uint8_t *next_proto_negotiated; size_t next_proto_negotiated_len; - /* ALPN information - * (we are in the process of transitioning from NPN to ALPN.) */ + // ALPN information + // (we are in the process of transitioning from NPN to ALPN.) - /* In a server these point to the selected ALPN protocol after the - * ClientHello has been processed. In a client these contain the protocol - * that the server selected once the ServerHello has been processed. */ + // In a server these point to the selected ALPN protocol after the + // ClientHello has been processed. In a client these contain the protocol + // that the server selected once the ServerHello has been processed. uint8_t *alpn_selected; size_t alpn_selected_len; - /* For a server: - * If |tlsext_channel_id_valid| is true, then this contains the - * verified Channel ID from the client: a P256 point, (x,y), where - * each are big-endian values. */ + // For a server: + // If |tlsext_channel_id_valid| is true, then this contains the + // verified Channel ID from the client: a P256 point, (x,y), where + // each are big-endian values. uint8_t tlsext_channel_id[64]; - /* ticket_age_skew is the difference, in seconds, between the client-sent - * ticket age and the server-computed value in TLS 1.3 server connections - * which resumed a session. */ + // ticket_age_skew is the difference, in seconds, between the client-sent + // ticket age and the server-computed value in TLS 1.3 server connections + // which resumed a session. int32_t ticket_age_skew; }; -/* lengths of messages */ +// lengths of messages #define DTLS1_COOKIE_LENGTH 256 #define DTLS1_RT_HEADER_LENGTH 13 @@ -1792,19 +1792,19 @@ struct hm_header_st { uint32_t frag_len; }; -/* An hm_fragment is an incoming DTLS message, possibly not yet assembled. */ +// An hm_fragment is an incoming DTLS message, possibly not yet assembled. struct hm_fragment { - /* type is the type of the message. */ + // type is the type of the message. uint8_t type; - /* seq is the sequence number of this message. */ + // seq is the sequence number of this message. uint16_t seq; - /* msg_len is the length of the message body. */ + // msg_len is the length of the message body. uint32_t msg_len; - /* data is a pointer to the message, including message header. It has length - * |DTLS1_HM_HEADER_LENGTH| + |msg_len|. */ + // data is a pointer to the message, including message header. It has length + // |DTLS1_HM_HEADER_LENGTH| + |msg_len|. uint8_t *data; - /* reassembly is a bitmask of |msg_len| bits corresponding to which parts of - * the message have been received. It is NULL if the message is complete. */ + // reassembly is a bitmask of |msg_len| bits corresponding to which parts of + // the message have been received. It is NULL if the message is complete. uint8_t *reassembly; }; @@ -1814,151 +1814,151 @@ struct OPENSSL_timeval { }; struct DTLS1_STATE { - /* has_change_cipher_spec is true if we have received a ChangeCipherSpec from - * the peer in this epoch. */ + // has_change_cipher_spec is true if we have received a ChangeCipherSpec from + // the peer in this epoch. bool has_change_cipher_spec:1; - /* outgoing_messages_complete is true if |outgoing_messages| has been - * completed by an attempt to flush it. Future calls to |add_message| and - * |add_change_cipher_spec| will start a new flight. */ + // outgoing_messages_complete is true if |outgoing_messages| has been + // completed by an attempt to flush it. Future calls to |add_message| and + // |add_change_cipher_spec| will start a new flight. bool outgoing_messages_complete:1; - /* flight_has_reply is true if the current outgoing flight is complete and has - * processed at least one message. This is used to detect whether we or the - * peer sent the final flight. */ + // flight_has_reply is true if the current outgoing flight is complete and has + // processed at least one message. This is used to detect whether we or the + // peer sent the final flight. bool flight_has_reply:1; uint8_t cookie[DTLS1_COOKIE_LENGTH]; size_t cookie_len; - /* The current data and handshake epoch. This is initially undefined, and - * starts at zero once the initial handshake is completed. */ + // The current data and handshake epoch. This is initially undefined, and + // starts at zero once the initial handshake is completed. uint16_t r_epoch; uint16_t w_epoch; - /* records being received in the current epoch */ + // records being received in the current epoch DTLS1_BITMAP bitmap; uint16_t handshake_write_seq; uint16_t handshake_read_seq; - /* save last sequence number for retransmissions */ + // save last sequence number for retransmissions uint8_t last_write_sequence[8]; SSLAEADContext *last_aead_write_ctx; - /* incoming_messages is a ring buffer of incoming handshake messages that have - * yet to be processed. The front of the ring buffer is message number - * |handshake_read_seq|, at position |handshake_read_seq| % - * |SSL_MAX_HANDSHAKE_FLIGHT|. */ + // incoming_messages is a ring buffer of incoming handshake messages that have + // yet to be processed. The front of the ring buffer is message number + // |handshake_read_seq|, at position |handshake_read_seq| % + // |SSL_MAX_HANDSHAKE_FLIGHT|. hm_fragment *incoming_messages[SSL_MAX_HANDSHAKE_FLIGHT]; - /* outgoing_messages is the queue of outgoing messages from the last handshake - * flight. */ + // outgoing_messages is the queue of outgoing messages from the last handshake + // flight. DTLS_OUTGOING_MESSAGE outgoing_messages[SSL_MAX_HANDSHAKE_FLIGHT]; uint8_t outgoing_messages_len; - /* outgoing_written is the number of outgoing messages that have been - * written. */ + // outgoing_written is the number of outgoing messages that have been + // written. uint8_t outgoing_written; - /* outgoing_offset is the number of bytes of the next outgoing message have - * been written. */ + // outgoing_offset is the number of bytes of the next outgoing message have + // been written. uint32_t outgoing_offset; - unsigned int mtu; /* max DTLS packet size */ + unsigned int mtu; // max DTLS packet size - /* num_timeouts is the number of times the retransmit timer has fired since - * the last time it was reset. */ + // num_timeouts is the number of times the retransmit timer has fired since + // the last time it was reset. unsigned int num_timeouts; - /* Indicates when the last handshake msg or heartbeat sent will - * timeout. */ + // Indicates when the last handshake msg or heartbeat sent will + // timeout. struct OPENSSL_timeval next_timeout; - /* timeout_duration_ms is the timeout duration in milliseconds. */ + // timeout_duration_ms is the timeout duration in milliseconds. unsigned timeout_duration_ms; }; -/* SSLConnection backs the public |SSL| type. Due to compatibility constraints, - * it is a base class for |ssl_st|. */ +// SSLConnection backs the public |SSL| type. Due to compatibility constraints, +// it is a base class for |ssl_st|. struct SSLConnection { - /* method is the method table corresponding to the current protocol (DTLS or - * TLS). */ + // method is the method table corresponding to the current protocol (DTLS or + // TLS). const SSL_PROTOCOL_METHOD *method; - /* version is the protocol version. */ + // version is the protocol version. uint16_t version; - /* conf_max_version is the maximum acceptable protocol version configured by - * |SSL_set_max_proto_version|. Note this version is normalized in DTLS and is - * further constrainted by |SSL_OP_NO_*|. */ + // conf_max_version is the maximum acceptable protocol version configured by + // |SSL_set_max_proto_version|. Note this version is normalized in DTLS and is + // further constrainted by |SSL_OP_NO_*|. uint16_t conf_max_version; - /* conf_min_version is the minimum acceptable protocol version configured by - * |SSL_set_min_proto_version|. Note this version is normalized in DTLS and is - * further constrainted by |SSL_OP_NO_*|. */ + // conf_min_version is the minimum acceptable protocol version configured by + // |SSL_set_min_proto_version|. Note this version is normalized in DTLS and is + // further constrainted by |SSL_OP_NO_*|. uint16_t conf_min_version; - /* tls13_variant is the variant of TLS 1.3 we are using for this - * configuration. */ + // tls13_variant is the variant of TLS 1.3 we are using for this + // configuration. enum tls13_variant_t tls13_variant; uint16_t max_send_fragment; - /* There are 2 BIO's even though they are normally both the same. This is so - * data can be read and written to different handlers */ + // There are 2 BIO's even though they are normally both the same. This is so + // data can be read and written to different handlers - BIO *rbio; /* used by SSL_read */ - BIO *wbio; /* used by SSL_write */ + BIO *rbio; // used by SSL_read + BIO *wbio; // used by SSL_write - /* do_handshake runs the handshake. On completion, it returns |ssl_hs_ok|. - * Otherwise, it returns a value corresponding to what operation is needed to - * progress. */ + // do_handshake runs the handshake. On completion, it returns |ssl_hs_ok|. + // Otherwise, it returns a value corresponding to what operation is needed to + // progress. enum ssl_hs_wait_t (*do_handshake)(SSL_HANDSHAKE *hs); - BUF_MEM *init_buf; /* buffer used during init */ + BUF_MEM *init_buf; // buffer used during init - SSL3_STATE *s3; /* SSLv3 variables */ - DTLS1_STATE *d1; /* DTLSv1 variables */ + SSL3_STATE *s3; // SSLv3 variables + DTLS1_STATE *d1; // DTLSv1 variables - /* callback that allows applications to peek at protocol messages */ + // callback that allows applications to peek at protocol messages void (*msg_callback)(int write_p, int version, int content_type, const void *buf, size_t len, SSL *ssl, void *arg); void *msg_callback_arg; X509_VERIFY_PARAM *param; - /* crypto */ + // crypto struct ssl_cipher_preference_list_st *cipher_list; - /* session info */ + // session info - /* client cert? */ - /* This is used to hold the server certificate used */ + // client cert? + // This is used to hold the server certificate used CERT *cert; - /* This holds a variable that indicates what we were doing when a 0 or -1 is - * returned. This is needed for non-blocking IO so we know what request - * needs re-doing when in SSL_accept or SSL_connect */ + // This holds a variable that indicates what we were doing when a 0 or -1 is + // returned. This is needed for non-blocking IO so we know what request + // needs re-doing when in SSL_accept or SSL_connect int rwstate; - /* initial_timeout_duration_ms is the default DTLS timeout duration in - * milliseconds. It's used to initialize the timer any time it's restarted. */ + // initial_timeout_duration_ms is the default DTLS timeout duration in + // milliseconds. It's used to initialize the timer any time it's restarted. unsigned initial_timeout_duration_ms; - /* session is the configured session to be offered by the client. This session - * is immutable. */ + // session is the configured session to be offered by the client. This session + // is immutable. SSL_SESSION *session; int (*verify_callback)(int ok, - X509_STORE_CTX *ctx); /* fail if callback returns 0 */ + X509_STORE_CTX *ctx); // fail if callback returns 0 enum ssl_verify_result_t (*custom_verify_callback)(SSL *ssl, uint8_t *out_alert); void (*info_callback)(const SSL *ssl, int type, int value); - /* Server-only: psk_identity_hint is the identity hint to send in - * PSK-based key exchanges. */ + // Server-only: psk_identity_hint is the identity hint to send in + // PSK-based key exchanges. char *psk_identity_hint; unsigned int (*psk_client_callback)(SSL *ssl, const char *hint, @@ -1970,91 +1970,91 @@ struct SSLConnection { SSL_CTX *ctx; - /* extra application data */ + // extra application data CRYPTO_EX_DATA ex_data; - /* for server side, keep the list of CA_dn we can use */ + // for server side, keep the list of CA_dn we can use STACK_OF(CRYPTO_BUFFER) *client_CA; - /* cached_x509_client_CA is a cache of parsed versions of the elements of - * |client_CA|. */ + // cached_x509_client_CA is a cache of parsed versions of the elements of + // |client_CA|. STACK_OF(X509_NAME) *cached_x509_client_CA; - uint32_t options; /* protocol behaviour */ - uint32_t mode; /* API behaviour */ + uint32_t options; // protocol behaviour + uint32_t mode; // API behaviour uint32_t max_cert_list; char *tlsext_hostname; size_t supported_group_list_len; - uint16_t *supported_group_list; /* our list */ + uint16_t *supported_group_list; // our list - /* session_ctx is the |SSL_CTX| used for the session cache and related - * settings. */ + // session_ctx is the |SSL_CTX| used for the session cache and related + // settings. SSL_CTX *session_ctx; - /* srtp_profiles is the list of configured SRTP protection profiles for - * DTLS-SRTP. */ + // srtp_profiles is the list of configured SRTP protection profiles for + // DTLS-SRTP. STACK_OF(SRTP_PROTECTION_PROFILE) *srtp_profiles; - /* srtp_profile is the selected SRTP protection profile for - * DTLS-SRTP. */ + // srtp_profile is the selected SRTP protection profile for + // DTLS-SRTP. const SRTP_PROTECTION_PROFILE *srtp_profile; - /* The client's Channel ID private key. */ + // The client's Channel ID private key. EVP_PKEY *tlsext_channel_id_private; - /* For a client, this contains the list of supported protocols in wire - * format. */ + // For a client, this contains the list of supported protocols in wire + // format. uint8_t *alpn_client_proto_list; unsigned alpn_client_proto_list_len; - /* renegotiate_mode controls how peer renegotiation attempts are handled. */ + // renegotiate_mode controls how peer renegotiation attempts are handled. enum ssl_renegotiate_mode_t renegotiate_mode; - /* verify_mode is a bitmask of |SSL_VERIFY_*| values. */ + // verify_mode is a bitmask of |SSL_VERIFY_*| values. uint8_t verify_mode; - /* server is true iff the this SSL* is the server half. Note: before the SSL* - * is initialized by either SSL_set_accept_state or SSL_set_connect_state, - * the side is not determined. In this state, server is always false. */ + // server is true iff the this SSL* is the server half. Note: before the SSL* + // is initialized by either SSL_set_accept_state or SSL_set_connect_state, + // the side is not determined. In this state, server is always false. unsigned server:1; - /* quiet_shutdown is true if the connection should not send a close_notify on - * shutdown. */ + // quiet_shutdown is true if the connection should not send a close_notify on + // shutdown. unsigned quiet_shutdown:1; - /* Enable signed certificate time stamps. Currently client only. */ + // Enable signed certificate time stamps. Currently client only. unsigned signed_cert_timestamps_enabled:1; - /* ocsp_stapling_enabled is only used by client connections and indicates - * whether OCSP stapling will be requested. */ + // ocsp_stapling_enabled is only used by client connections and indicates + // whether OCSP stapling will be requested. unsigned ocsp_stapling_enabled:1; - /* tlsext_channel_id_enabled is copied from the |SSL_CTX|. For a server, - * means that we'll accept Channel IDs from clients. For a client, means that - * we'll advertise support. */ + // tlsext_channel_id_enabled is copied from the |SSL_CTX|. For a server, + // means that we'll accept Channel IDs from clients. For a client, means that + // we'll advertise support. unsigned tlsext_channel_id_enabled:1; - /* retain_only_sha256_of_client_certs is true if we should compute the SHA256 - * hash of the peer's certificate and then discard it to save memory and - * session space. Only effective on the server side. */ + // retain_only_sha256_of_client_certs is true if we should compute the SHA256 + // hash of the peer's certificate and then discard it to save memory and + // session space. Only effective on the server side. unsigned retain_only_sha256_of_client_certs:1; - /* early_data_accepted is true if early data was accepted by the server. */ + // early_data_accepted is true if early data was accepted by the server. unsigned early_data_accepted:1; }; -/* From draft-ietf-tls-tls13-18, used in determining PSK modes. */ +// From draft-ietf-tls-tls13-18, used in determining PSK modes. #define SSL_PSK_KE 0x0 #define SSL_PSK_DHE_KE 0x1 -/* From draft-ietf-tls-tls13-16, used in determining whether to respond with a - * KeyUpdate. */ +// From draft-ietf-tls-tls13-16, used in determining whether to respond with a +// KeyUpdate. #define SSL_KEY_UPDATE_NOT_REQUESTED 0 #define SSL_KEY_UPDATE_REQUESTED 1 -/* kMaxEarlyDataAccepted is the advertised number of plaintext bytes of early - * data that will be accepted. This value should be slightly below - * kMaxEarlyDataSkipped in tls_record.c, which is measured in ciphertext. */ +// kMaxEarlyDataAccepted is the advertised number of plaintext bytes of early +// data that will be accepted. This value should be slightly below +// kMaxEarlyDataSkipped in tls_record.c, which is measured in ciphertext. static const size_t kMaxEarlyDataAccepted = 14336; CERT *ssl_cert_new(const SSL_X509_METHOD *x509_method); @@ -2063,9 +2063,9 @@ void ssl_cert_clear_certs(CERT *cert); void ssl_cert_free(CERT *cert); int ssl_set_cert(CERT *cert, UniquePtr buffer); int ssl_is_key_type_supported(int key_type); -/* ssl_compare_public_and_private_key returns one if |pubkey| is the public - * counterpart to |privkey|. Otherwise it returns zero and pushes a helpful - * message on the error queue. */ +// ssl_compare_public_and_private_key returns one if |pubkey| is the public +// counterpart to |privkey|. Otherwise it returns zero and pushes a helpful +// message on the error queue. int ssl_compare_public_and_private_key(const EVP_PKEY *pubkey, const EVP_PKEY *privkey); int ssl_cert_check_private_key(const CERT *cert, const EVP_PKEY *privkey); @@ -2073,78 +2073,78 @@ int ssl_get_new_session(SSL_HANDSHAKE *hs, int is_server); int ssl_encrypt_ticket(SSL *ssl, CBB *out, const SSL_SESSION *session); int ssl_ctx_rotate_ticket_encryption_key(SSL_CTX *ctx); -/* ssl_session_new returns a newly-allocated blank |SSL_SESSION| or nullptr on - * error. */ +// ssl_session_new returns a newly-allocated blank |SSL_SESSION| or nullptr on +// error. UniquePtr ssl_session_new(const SSL_X509_METHOD *x509_method); -/* SSL_SESSION_parse parses an |SSL_SESSION| from |cbs| and advances |cbs| over - * the parsed data. */ +// SSL_SESSION_parse parses an |SSL_SESSION| from |cbs| and advances |cbs| over +// the parsed data. UniquePtr SSL_SESSION_parse(CBS *cbs, const SSL_X509_METHOD *x509_method, CRYPTO_BUFFER_POOL *pool); -/* ssl_session_is_context_valid returns one if |session|'s session ID context - * matches the one set on |ssl| and zero otherwise. */ +// ssl_session_is_context_valid returns one if |session|'s session ID context +// matches the one set on |ssl| and zero otherwise. int ssl_session_is_context_valid(const SSL *ssl, const SSL_SESSION *session); -/* ssl_session_is_time_valid returns one if |session| is still valid and zero if - * it has expired. */ +// ssl_session_is_time_valid returns one if |session| is still valid and zero if +// it has expired. int ssl_session_is_time_valid(const SSL *ssl, const SSL_SESSION *session); -/* ssl_session_is_resumable returns one if |session| is resumable for |hs| and - * zero otherwise. */ +// ssl_session_is_resumable returns one if |session| is resumable for |hs| and +// zero otherwise. int ssl_session_is_resumable(const SSL_HANDSHAKE *hs, const SSL_SESSION *session); -/* SSL_SESSION_protocol_version returns the protocol version associated with - * |session|. */ +// SSL_SESSION_protocol_version returns the protocol version associated with +// |session|. uint16_t SSL_SESSION_protocol_version(const SSL_SESSION *session); -/* SSL_SESSION_get_digest returns the digest used in |session|. */ +// SSL_SESSION_get_digest returns the digest used in |session|. const EVP_MD *SSL_SESSION_get_digest(const SSL_SESSION *session); void ssl_set_session(SSL *ssl, SSL_SESSION *session); -/* ssl_get_prev_session looks up the previous session based on |client_hello|. - * On success, it sets |*out_session| to the session or nullptr if none was - * found. If the session could not be looked up synchronously, it returns - * |ssl_hs_pending_session| and should be called again. If a ticket could not be - * decrypted immediately it returns |ssl_hs_pending_ticket| and should also - * be called again. Otherwise, it returns |ssl_hs_error|. */ +// ssl_get_prev_session looks up the previous session based on |client_hello|. +// On success, it sets |*out_session| to the session or nullptr if none was +// found. If the session could not be looked up synchronously, it returns +// |ssl_hs_pending_session| and should be called again. If a ticket could not be +// decrypted immediately it returns |ssl_hs_pending_ticket| and should also +// be called again. Otherwise, it returns |ssl_hs_error|. enum ssl_hs_wait_t ssl_get_prev_session(SSL *ssl, UniquePtr *out_session, int *out_tickets_supported, int *out_renew_ticket, const SSL_CLIENT_HELLO *client_hello); -/* The following flags determine which parts of the session are duplicated. */ +// The following flags determine which parts of the session are duplicated. #define SSL_SESSION_DUP_AUTH_ONLY 0x0 #define SSL_SESSION_INCLUDE_TICKET 0x1 #define SSL_SESSION_INCLUDE_NONAUTH 0x2 #define SSL_SESSION_DUP_ALL \ (SSL_SESSION_INCLUDE_TICKET | SSL_SESSION_INCLUDE_NONAUTH) -/* SSL_SESSION_dup returns a newly-allocated |SSL_SESSION| with a copy of the - * fields in |session| or nullptr on error. The new session is non-resumable and - * must be explicitly marked resumable once it has been filled in. */ +// SSL_SESSION_dup returns a newly-allocated |SSL_SESSION| with a copy of the +// fields in |session| or nullptr on error. The new session is non-resumable and +// must be explicitly marked resumable once it has been filled in. OPENSSL_EXPORT UniquePtr SSL_SESSION_dup(SSL_SESSION *session, int dup_flags); -/* ssl_session_rebase_time updates |session|'s start time to the current time, - * adjusting the timeout so the expiration time is unchanged. */ +// ssl_session_rebase_time updates |session|'s start time to the current time, +// adjusting the timeout so the expiration time is unchanged. void ssl_session_rebase_time(SSL *ssl, SSL_SESSION *session); -/* ssl_session_renew_timeout calls |ssl_session_rebase_time| and renews - * |session|'s timeout to |timeout| (measured from the current time). The - * renewal is clamped to the session's auth_timeout. */ +// ssl_session_renew_timeout calls |ssl_session_rebase_time| and renews +// |session|'s timeout to |timeout| (measured from the current time). The +// renewal is clamped to the session's auth_timeout. void ssl_session_renew_timeout(SSL *ssl, SSL_SESSION *session, uint32_t timeout); void ssl_cipher_preference_list_free( struct ssl_cipher_preference_list_st *cipher_list); -/* ssl_get_cipher_preferences returns the cipher preference list for TLS 1.2 and - * below. */ +// ssl_get_cipher_preferences returns the cipher preference list for TLS 1.2 and +// below. const struct ssl_cipher_preference_list_st *ssl_get_cipher_preferences( const SSL *ssl); @@ -2185,17 +2185,17 @@ int dtls1_add_change_cipher_spec(SSL *ssl); int dtls1_add_alert(SSL *ssl, uint8_t level, uint8_t desc); int dtls1_flush_flight(SSL *ssl); -/* ssl_add_message_cbb finishes the handshake message in |cbb| and adds it to - * the pending flight. It returns one on success and zero on error. */ +// ssl_add_message_cbb finishes the handshake message in |cbb| and adds it to +// the pending flight. It returns one on success and zero on error. int ssl_add_message_cbb(SSL *ssl, CBB *cbb); -/* ssl_hash_message incorporates |msg| into the handshake hash. It returns one - * on success and zero on allocation failure. */ +// ssl_hash_message incorporates |msg| into the handshake hash. It returns one +// on success and zero on allocation failure. bool ssl_hash_message(SSL_HANDSHAKE *hs, const SSLMessage &msg); -/* dtls1_get_record reads a new input record. On success, it places it in - * |ssl->s3->rrec| and returns one. Otherwise it returns <= 0 on error or if - * more data is needed. */ +// dtls1_get_record reads a new input record. On success, it places it in +// |ssl->s3->rrec| and returns one. Otherwise it returns <= 0 on error or if +// more data is needed. int dtls1_get_record(SSL *ssl); int dtls1_read_app_data(SSL *ssl, int *out_got_handshake, uint8_t *buf, int len, @@ -2206,8 +2206,8 @@ void dtls1_read_close_notify(SSL *ssl); int dtls1_write_app_data(SSL *ssl, int *out_needs_handshake, const uint8_t *buf, int len); -/* dtls1_write_record sends a record. It returns one on success and <= 0 on - * error. */ +// dtls1_write_record sends a record. It returns one on success and <= 0 on +// error. int dtls1_write_record(SSL *ssl, int type, const uint8_t *buf, size_t len, enum dtls1_use_epoch_t use_epoch); @@ -2238,38 +2238,38 @@ int tls1_change_cipher_state(SSL_HANDSHAKE *hs, int which); int tls1_generate_master_secret(SSL_HANDSHAKE *hs, uint8_t *out, const uint8_t *premaster, size_t premaster_len); -/* tls1_get_grouplist sets |*out_group_ids| and |*out_group_ids_len| to the - * locally-configured group preference list. */ +// tls1_get_grouplist sets |*out_group_ids| and |*out_group_ids_len| to the +// locally-configured group preference list. void tls1_get_grouplist(SSL *ssl, const uint16_t **out_group_ids, size_t *out_group_ids_len); -/* tls1_check_group_id returns one if |group_id| is consistent with - * locally-configured group preferences. */ +// tls1_check_group_id returns one if |group_id| is consistent with +// locally-configured group preferences. int tls1_check_group_id(SSL *ssl, uint16_t group_id); -/* tls1_get_shared_group sets |*out_group_id| to the first preferred shared - * group between client and server preferences and returns one. If none may be - * found, it returns zero. */ +// tls1_get_shared_group sets |*out_group_id| to the first preferred shared +// group between client and server preferences and returns one. If none may be +// found, it returns zero. int tls1_get_shared_group(SSL_HANDSHAKE *hs, uint16_t *out_group_id); -/* tls1_set_curves converts the array of |ncurves| NIDs pointed to by |curves| - * into a newly allocated array of TLS group IDs. On success, the function - * returns one and writes the array to |*out_group_ids| and its size to - * |*out_group_ids_len|. Otherwise, it returns zero. */ +// tls1_set_curves converts the array of |ncurves| NIDs pointed to by |curves| +// into a newly allocated array of TLS group IDs. On success, the function +// returns one and writes the array to |*out_group_ids| and its size to +// |*out_group_ids_len|. Otherwise, it returns zero. int tls1_set_curves(uint16_t **out_group_ids, size_t *out_group_ids_len, const int *curves, size_t ncurves); -/* tls1_set_curves_list converts the string of curves pointed to by |curves| - * into a newly allocated array of TLS group IDs. On success, the function - * returns one and writes the array to |*out_group_ids| and its size to - * |*out_group_ids_len|. Otherwise, it returns zero. */ +// tls1_set_curves_list converts the string of curves pointed to by |curves| +// into a newly allocated array of TLS group IDs. On success, the function +// returns one and writes the array to |*out_group_ids| and its size to +// |*out_group_ids_len|. Otherwise, it returns zero. int tls1_set_curves_list(uint16_t **out_group_ids, size_t *out_group_ids_len, const char *curves); -/* ssl_add_clienthello_tlsext writes ClientHello extensions to |out|. It - * returns one on success and zero on failure. The |header_len| argument is the - * length of the ClientHello written so far and is used to compute the padding - * length. (It does not include the record header.) */ +// ssl_add_clienthello_tlsext writes ClientHello extensions to |out|. It +// returns one on success and zero on failure. The |header_len| argument is the +// length of the ClientHello written so far and is used to compute the padding +// length. (It does not include the record header.) int ssl_add_clienthello_tlsext(SSL_HANDSHAKE *hs, CBB *out, size_t header_len); int ssl_add_serverhello_tlsext(SSL_HANDSHAKE *hs, CBB *out); @@ -2279,65 +2279,65 @@ int ssl_parse_serverhello_tlsext(SSL_HANDSHAKE *hs, CBS *cbs); #define tlsext_tick_md EVP_sha256 -/* ssl_process_ticket processes a session ticket from the client. It returns - * one of: - * |ssl_ticket_aead_success|: |*out_session| is set to the parsed session and - * |*out_renew_ticket| is set to whether the ticket should be renewed. - * |ssl_ticket_aead_ignore_ticket|: |*out_renew_ticket| is set to whether a - * fresh ticket should be sent, but the given ticket cannot be used. - * |ssl_ticket_aead_retry|: the ticket could not be immediately decrypted. - * Retry later. - * |ssl_ticket_aead_error|: an error occured that is fatal to the connection. */ +// ssl_process_ticket processes a session ticket from the client. It returns +// one of: +// |ssl_ticket_aead_success|: |*out_session| is set to the parsed session and +// |*out_renew_ticket| is set to whether the ticket should be renewed. +// |ssl_ticket_aead_ignore_ticket|: |*out_renew_ticket| is set to whether a +// fresh ticket should be sent, but the given ticket cannot be used. +// |ssl_ticket_aead_retry|: the ticket could not be immediately decrypted. +// Retry later. +// |ssl_ticket_aead_error|: an error occured that is fatal to the connection. enum ssl_ticket_aead_result_t ssl_process_ticket( SSL *ssl, UniquePtr *out_session, int *out_renew_ticket, const uint8_t *ticket, size_t ticket_len, const uint8_t *session_id, size_t session_id_len); -/* tls1_verify_channel_id processes |msg| as a Channel ID message, and verifies - * the signature. If the key is valid, it saves the Channel ID and returns - * one. Otherwise, it returns zero. */ +// tls1_verify_channel_id processes |msg| as a Channel ID message, and verifies +// the signature. If the key is valid, it saves the Channel ID and returns +// one. Otherwise, it returns zero. int tls1_verify_channel_id(SSL_HANDSHAKE *hs, const SSLMessage &msg); -/* tls1_write_channel_id generates a Channel ID message and puts the output in - * |cbb|. |ssl->tlsext_channel_id_private| must already be set before calling. - * This function returns one on success and zero on error. */ +// tls1_write_channel_id generates a Channel ID message and puts the output in +// |cbb|. |ssl->tlsext_channel_id_private| must already be set before calling. +// This function returns one on success and zero on error. int tls1_write_channel_id(SSL_HANDSHAKE *hs, CBB *cbb); -/* tls1_channel_id_hash computes the hash to be signed by Channel ID and writes - * it to |out|, which must contain at least |EVP_MAX_MD_SIZE| bytes. It returns - * one on success and zero on failure. */ +// tls1_channel_id_hash computes the hash to be signed by Channel ID and writes +// it to |out|, which must contain at least |EVP_MAX_MD_SIZE| bytes. It returns +// one on success and zero on failure. int tls1_channel_id_hash(SSL_HANDSHAKE *hs, uint8_t *out, size_t *out_len); int tls1_record_handshake_hashes_for_channel_id(SSL_HANDSHAKE *hs); -/* ssl_do_channel_id_callback checks runs |ssl->ctx->channel_id_cb| if - * necessary. It returns one on success and zero on fatal error. Note that, on - * success, |ssl->tlsext_channel_id_private| may be unset, in which case the - * operation should be retried later. */ +// ssl_do_channel_id_callback checks runs |ssl->ctx->channel_id_cb| if +// necessary. It returns one on success and zero on fatal error. Note that, on +// success, |ssl->tlsext_channel_id_private| may be unset, in which case the +// operation should be retried later. int ssl_do_channel_id_callback(SSL *ssl); -/* ssl3_can_false_start returns one if |ssl| is allowed to False Start and zero - * otherwise. */ +// ssl3_can_false_start returns one if |ssl| is allowed to False Start and zero +// otherwise. int ssl3_can_false_start(const SSL *ssl); -/* ssl_can_write returns one if |ssl| is allowed to write and zero otherwise. */ +// ssl_can_write returns one if |ssl| is allowed to write and zero otherwise. int ssl_can_write(const SSL *ssl); -/* ssl_can_read returns one if |ssl| is allowed to read and zero otherwise. */ +// ssl_can_read returns one if |ssl| is allowed to read and zero otherwise. int ssl_can_read(const SSL *ssl); void ssl_get_current_time(const SSL *ssl, struct OPENSSL_timeval *out_clock); void ssl_ctx_get_current_time(const SSL_CTX *ctx, struct OPENSSL_timeval *out_clock); -/* ssl_reset_error_state resets state for |SSL_get_error|. */ +// ssl_reset_error_state resets state for |SSL_get_error|. void ssl_reset_error_state(SSL *ssl); -/* Utility macros */ +// Utility macros #if defined(__clang__) -/* SSL_FALLTHROUGH annotates a fallthough case in a switch statement. */ +// SSL_FALLTHROUGH annotates a fallthough case in a switch statement. #define SSL_FALLTHROUGH [[clang::fallthrough]] #else #define SSL_FALLTHROUGH @@ -2346,45 +2346,45 @@ void ssl_reset_error_state(SSL *ssl); } // namespace bssl -/* Opaque C types. - * - * The following types are exported to C code as public typedefs, so they must - * be defined outside of the namespace. */ +// Opaque C types. +// +// The following types are exported to C code as public typedefs, so they must +// be defined outside of the namespace. -/* ssl_method_st backs the public |SSL_METHOD| type. It is a compatibility - * structure to support the legacy version-locked methods. */ +// ssl_method_st backs the public |SSL_METHOD| type. It is a compatibility +// structure to support the legacy version-locked methods. struct ssl_method_st { - /* version, if non-zero, is the only protocol version acceptable to an - * SSL_CTX initialized from this method. */ + // version, if non-zero, is the only protocol version acceptable to an + // SSL_CTX initialized from this method. uint16_t version; - /* method is the underlying SSL_PROTOCOL_METHOD that initializes the - * SSL_CTX. */ + // method is the underlying SSL_PROTOCOL_METHOD that initializes the + // SSL_CTX. const SSL_PROTOCOL_METHOD *method; - /* x509_method contains pointers to functions that might deal with |X509| - * compatibility, or might be a no-op, depending on the application. */ + // x509_method contains pointers to functions that might deal with |X509| + // compatibility, or might be a no-op, depending on the application. const SSL_X509_METHOD *x509_method; }; -/* ssl_protocol_method_st, aka |SSL_PROTOCOL_METHOD| abstracts between TLS and - * DTLS. */ +// ssl_protocol_method_st, aka |SSL_PROTOCOL_METHOD| abstracts between TLS and +// DTLS. struct ssl_protocol_method_st { - /* is_dtls is one if the protocol is DTLS and zero otherwise. */ + // is_dtls is one if the protocol is DTLS and zero otherwise. char is_dtls; int (*ssl_new)(SSL *ssl); void (*ssl_free)(SSL *ssl); - /* get_message sets |*out| to the current handshake message and returns true - * if one has been received. It returns false if more input is needed. */ + // get_message sets |*out| to the current handshake message and returns true + // if one has been received. It returns false if more input is needed. bool (*get_message)(SSL *ssl, bssl::SSLMessage *out); - /* read_message reads additional handshake data for |get_message|. On success, - * it returns one. Otherwise, it returns <= 0. */ + // read_message reads additional handshake data for |get_message|. On success, + // it returns one. Otherwise, it returns <= 0. int (*read_message)(SSL *ssl); - /* next_message is called to release the current handshake message. */ + // next_message is called to release the current handshake message. void (*next_message)(SSL *ssl); - /* read_app_data reads up to |len| bytes of application data into |buf|. On - * success, it returns the number of bytes read. Otherwise, it returns <= 0 - * and sets |*out_got_handshake| to whether the failure was due to a - * post-handshake handshake message. If so, any handshake messages consumed - * may be read with |get_message|. */ + // read_app_data reads up to |len| bytes of application data into |buf|. On + // success, it returns the number of bytes read. Otherwise, it returns <= 0 + // and sets |*out_got_handshake| to whether the failure was due to a + // post-handshake handshake message. If so, any handshake messages consumed + // may be read with |get_message|. int (*read_app_data)(SSL *ssl, int *out_got_handshake, uint8_t *buf, int len, int peek); int (*read_change_cipher_spec)(SSL *ssl); @@ -2392,107 +2392,107 @@ struct ssl_protocol_method_st { int (*write_app_data)(SSL *ssl, int *out_needs_handshake, const uint8_t *buf, int len); int (*dispatch_alert)(SSL *ssl); - /* supports_cipher returns one if |cipher| is supported by this protocol and - * zero otherwise. */ + // supports_cipher returns one if |cipher| is supported by this protocol and + // zero otherwise. int (*supports_cipher)(const SSL_CIPHER *cipher); - /* init_message begins a new handshake message of type |type|. |cbb| is the - * root CBB to be passed into |finish_message|. |*body| is set to a child CBB - * the caller should write to. It returns one on success and zero on error. */ + // init_message begins a new handshake message of type |type|. |cbb| is the + // root CBB to be passed into |finish_message|. |*body| is set to a child CBB + // the caller should write to. It returns one on success and zero on error. int (*init_message)(SSL *ssl, CBB *cbb, CBB *body, uint8_t type); - /* finish_message finishes a handshake message. It sets |*out_msg| to a - * newly-allocated buffer with the serialized message. The caller must - * release it with |OPENSSL_free| when done. It returns one on success and - * zero on error. */ + // finish_message finishes a handshake message. It sets |*out_msg| to a + // newly-allocated buffer with the serialized message. The caller must + // release it with |OPENSSL_free| when done. It returns one on success and + // zero on error. int (*finish_message)(SSL *ssl, CBB *cbb, uint8_t **out_msg, size_t *out_len); - /* add_message adds a handshake message to the pending flight. It returns one - * on success and zero on error. In either case, it takes ownership of |msg| - * and releases it with |OPENSSL_free| when done. */ + // add_message adds a handshake message to the pending flight. It returns one + // on success and zero on error. In either case, it takes ownership of |msg| + // and releases it with |OPENSSL_free| when done. int (*add_message)(SSL *ssl, uint8_t *msg, size_t len); - /* add_change_cipher_spec adds a ChangeCipherSpec record to the pending - * flight. It returns one on success and zero on error. */ + // add_change_cipher_spec adds a ChangeCipherSpec record to the pending + // flight. It returns one on success and zero on error. int (*add_change_cipher_spec)(SSL *ssl); - /* add_alert adds an alert to the pending flight. It returns one on success - * and zero on error. */ + // add_alert adds an alert to the pending flight. It returns one on success + // and zero on error. int (*add_alert)(SSL *ssl, uint8_t level, uint8_t desc); - /* flush_flight flushes the pending flight to the transport. It returns one on - * success and <= 0 on error. */ + // flush_flight flushes the pending flight to the transport. It returns one on + // success and <= 0 on error. int (*flush_flight)(SSL *ssl); - /* on_handshake_complete is called when the handshake is complete. */ + // on_handshake_complete is called when the handshake is complete. void (*on_handshake_complete)(SSL *ssl); - /* set_read_state sets |ssl|'s read cipher state to |aead_ctx|. It returns - * one on success and zero if changing the read state is forbidden at this - * point. */ + // set_read_state sets |ssl|'s read cipher state to |aead_ctx|. It returns + // one on success and zero if changing the read state is forbidden at this + // point. int (*set_read_state)(SSL *ssl, bssl::UniquePtr aead_ctx); - /* set_write_state sets |ssl|'s write cipher state to |aead_ctx|. It returns - * one on success and zero if changing the write state is forbidden at this - * point. */ + // set_write_state sets |ssl|'s write cipher state to |aead_ctx|. It returns + // one on success and zero if changing the write state is forbidden at this + // point. int (*set_write_state)(SSL *ssl, bssl::UniquePtr aead_ctx); }; struct ssl_x509_method_st { - /* check_client_CA_list returns one if |names| is a good list of X.509 - * distinguished names and zero otherwise. This is used to ensure that we can - * reject unparsable values at handshake time when using crypto/x509. */ + // check_client_CA_list returns one if |names| is a good list of X.509 + // distinguished names and zero otherwise. This is used to ensure that we can + // reject unparsable values at handshake time when using crypto/x509. int (*check_client_CA_list)(STACK_OF(CRYPTO_BUFFER) *names); - /* cert_clear frees and NULLs all X509 certificate-related state. */ + // cert_clear frees and NULLs all X509 certificate-related state. void (*cert_clear)(CERT *cert); - /* cert_free frees all X509-related state. */ + // cert_free frees all X509-related state. void (*cert_free)(CERT *cert); - /* cert_flush_cached_chain drops any cached |X509|-based certificate chain - * from |cert|. */ - /* cert_dup duplicates any needed fields from |cert| to |new_cert|. */ + // cert_flush_cached_chain drops any cached |X509|-based certificate chain + // from |cert|. + // cert_dup duplicates any needed fields from |cert| to |new_cert|. void (*cert_dup)(CERT *new_cert, const CERT *cert); void (*cert_flush_cached_chain)(CERT *cert); - /* cert_flush_cached_chain drops any cached |X509|-based leaf certificate - * from |cert|. */ + // cert_flush_cached_chain drops any cached |X509|-based leaf certificate + // from |cert|. void (*cert_flush_cached_leaf)(CERT *cert); - /* session_cache_objects fills out |sess->x509_peer| and |sess->x509_chain| - * from |sess->certs| and erases |sess->x509_chain_without_leaf|. It returns - * one on success or zero on error. */ + // session_cache_objects fills out |sess->x509_peer| and |sess->x509_chain| + // from |sess->certs| and erases |sess->x509_chain_without_leaf|. It returns + // one on success or zero on error. int (*session_cache_objects)(SSL_SESSION *session); - /* session_dup duplicates any needed fields from |session| to |new_session|. - * It returns one on success or zero on error. */ + // session_dup duplicates any needed fields from |session| to |new_session|. + // It returns one on success or zero on error. int (*session_dup)(SSL_SESSION *new_session, const SSL_SESSION *session); - /* session_clear frees any X509-related state from |session|. */ + // session_clear frees any X509-related state from |session|. void (*session_clear)(SSL_SESSION *session); - /* session_verify_cert_chain verifies the certificate chain in |session|, - * sets |session->verify_result| and returns one on success or zero on - * error. */ + // session_verify_cert_chain verifies the certificate chain in |session|, + // sets |session->verify_result| and returns one on success or zero on + // error. int (*session_verify_cert_chain)(SSL_SESSION *session, SSL *ssl, uint8_t *out_alert); - /* hs_flush_cached_ca_names drops any cached |X509_NAME|s from |hs|. */ + // hs_flush_cached_ca_names drops any cached |X509_NAME|s from |hs|. void (*hs_flush_cached_ca_names)(bssl::SSL_HANDSHAKE *hs); - /* ssl_new does any neccessary initialisation of |ssl|. It returns one on - * success or zero on error. */ + // ssl_new does any neccessary initialisation of |ssl|. It returns one on + // success or zero on error. int (*ssl_new)(SSL *ssl); - /* ssl_free frees anything created by |ssl_new|. */ + // ssl_free frees anything created by |ssl_new|. void (*ssl_free)(SSL *ssl); - /* ssl_flush_cached_client_CA drops any cached |X509_NAME|s from |ssl|. */ + // ssl_flush_cached_client_CA drops any cached |X509_NAME|s from |ssl|. void (*ssl_flush_cached_client_CA)(SSL *ssl); - /* ssl_auto_chain_if_needed runs the deprecated auto-chaining logic if - * necessary. On success, it updates |ssl|'s certificate configuration as - * needed and returns one. Otherwise, it returns zero. */ + // ssl_auto_chain_if_needed runs the deprecated auto-chaining logic if + // necessary. On success, it updates |ssl|'s certificate configuration as + // needed and returns one. Otherwise, it returns zero. int (*ssl_auto_chain_if_needed)(SSL *ssl); - /* ssl_ctx_new does any neccessary initialisation of |ctx|. It returns one on - * success or zero on error. */ + // ssl_ctx_new does any neccessary initialisation of |ctx|. It returns one on + // success or zero on error. int (*ssl_ctx_new)(SSL_CTX *ctx); - /* ssl_ctx_free frees anything created by |ssl_ctx_new|. */ + // ssl_ctx_free frees anything created by |ssl_ctx_new|. void (*ssl_ctx_free)(SSL_CTX *ctx); - /* ssl_ctx_flush_cached_client_CA drops any cached |X509_NAME|s from |ctx|. */ + // ssl_ctx_flush_cached_client_CA drops any cached |X509_NAME|s from |ctx|. void (*ssl_ctx_flush_cached_client_CA)(SSL_CTX *ssl); }; -/* ssl_st backs the public |SSL| type. It subclasses the true type so that - * SSLConnection may be a C++ type with methods and destructor without - * polluting the global namespace. */ +// ssl_st backs the public |SSL| type. It subclasses the true type so that +// SSLConnection may be a C++ type with methods and destructor without +// polluting the global namespace. struct ssl_st : public bssl::SSLConnection {}; struct cert_st : public bssl::SSLCertConfig {}; -#endif /* OPENSSL_HEADER_SSL_INTERNAL_H */ +#endif // OPENSSL_HEADER_SSL_INTERNAL_H diff --git a/ssl/s3_both.cc b/ssl/s3_both.cc index 11da6923..144da07b 100644 --- a/ssl/s3_both.cc +++ b/ssl/s3_both.cc @@ -134,7 +134,7 @@ namespace bssl { static int add_record_to_flight(SSL *ssl, uint8_t type, const uint8_t *in, size_t in_len) { - /* We'll never add a flight while in the process of writing it out. */ + // We'll never add a flight while in the process of writing it out. assert(ssl->s3->pending_flight_offset == 0); if (ssl->s3->pending_flight == NULL) { @@ -164,7 +164,7 @@ static int add_record_to_flight(SSL *ssl, uint8_t type, const uint8_t *in, } int ssl3_init_message(SSL *ssl, CBB *cbb, CBB *body, uint8_t type) { - /* Pick a modest size hint to save most of the |realloc| calls. */ + // Pick a modest size hint to save most of the |realloc| calls. if (!CBB_init(cbb, 64) || !CBB_add_u8(cbb, type) || !CBB_add_u24_length_prefixed(cbb, body)) { @@ -187,8 +187,8 @@ int ssl3_finish_message(SSL *ssl, CBB *cbb, uint8_t **out_msg, } int ssl3_add_message(SSL *ssl, uint8_t *msg, size_t len) { - /* Add the message to the current flight, splitting into several records if - * needed. */ + // Add the message to the current flight, splitting into several records if + // needed. int ret = 0; size_t added = 0; do { @@ -212,8 +212,8 @@ int ssl3_add_message(SSL *ssl, uint8_t *msg, size_t len) { } while (added < len); ssl_do_msg_callback(ssl, 1 /* write */, SSL3_RT_HANDSHAKE, msg, len); - /* TODO(svaldez): Move this up a layer to fix abstraction for SSLTranscript on - * hs. */ + // TODO(svaldez): Move this up a layer to fix abstraction for SSLTranscript on + // hs. if (ssl->s3->hs != NULL && !ssl->s3->hs->transcript.Update(msg, len)) { goto err; @@ -260,8 +260,8 @@ int ssl3_flush_flight(SSL *ssl) { return -1; } - /* If there is pending data in the write buffer, it must be flushed out before - * any new data in pending_flight. */ + // If there is pending data in the write buffer, it must be flushed out before + // any new data in pending_flight. if (ssl_write_buffer_is_pending(ssl)) { int ret = ssl_write_buffer_flush(ssl); if (ret <= 0) { @@ -270,7 +270,7 @@ int ssl3_flush_flight(SSL *ssl) { } } - /* Write the pending flight. */ + // Write the pending flight. while (ssl->s3->pending_flight_offset < ssl->s3->pending_flight->length) { int ret = BIO_write( ssl->wbio, @@ -306,14 +306,14 @@ int ssl3_send_finished(SSL_HANDSHAKE *hs) { return 0; } - /* Log the master secret, if logging is enabled. */ + // Log the master secret, if logging is enabled. if (!ssl_log_secret(ssl, "CLIENT_RANDOM", session->master_key, session->master_key_length)) { return 0; } - /* Copy the Finished so we can use it for renegotiation checks. */ + // Copy the Finished so we can use it for renegotiation checks. if (ssl->version != SSL3_VERSION) { if (finished_len > sizeof(ssl->s3->previous_client_finished) || finished_len > sizeof(ssl->s3->previous_server_finished)) { @@ -372,18 +372,18 @@ static int extend_handshake_buffer(SSL *ssl, size_t length) { } static int read_v2_client_hello(SSL *ssl) { - /* Read the first 5 bytes, the size of the TLS record header. This is - * sufficient to detect a V2ClientHello and ensures that we never read beyond - * the first record. */ + // Read the first 5 bytes, the size of the TLS record header. This is + // sufficient to detect a V2ClientHello and ensures that we never read beyond + // the first record. int ret = ssl_read_buffer_extend_to(ssl, SSL3_RT_HEADER_LENGTH); if (ret <= 0) { return ret; } const uint8_t *p = ssl_read_buffer(ssl); - /* Some dedicated error codes for protocol mixups should the application wish - * to interpret them differently. (These do not overlap with ClientHello or - * V2ClientHello.) */ + // Some dedicated error codes for protocol mixups should the application wish + // to interpret them differently. (These do not overlap with ClientHello or + // V2ClientHello.) if (strncmp("GET ", (const char *)p, 4) == 0 || strncmp("POST ", (const char *)p, 5) == 0 || strncmp("HEAD ", (const char *)p, 5) == 0 || @@ -398,25 +398,25 @@ static int read_v2_client_hello(SSL *ssl) { if ((p[0] & 0x80) == 0 || p[2] != SSL2_MT_CLIENT_HELLO || p[3] != SSL3_VERSION_MAJOR) { - /* Not a V2ClientHello. */ + // Not a V2ClientHello. return 1; } - /* Determine the length of the V2ClientHello. */ + // Determine the length of the V2ClientHello. size_t msg_length = ((p[0] & 0x7f) << 8) | p[1]; if (msg_length > (1024 * 4)) { OPENSSL_PUT_ERROR(SSL, SSL_R_RECORD_TOO_LARGE); return -1; } if (msg_length < SSL3_RT_HEADER_LENGTH - 2) { - /* Reject lengths that are too short early. We have already read - * |SSL3_RT_HEADER_LENGTH| bytes, so we should not attempt to process an - * (invalid) V2ClientHello which would be shorter than that. */ + // Reject lengths that are too short early. We have already read + // |SSL3_RT_HEADER_LENGTH| bytes, so we should not attempt to process an + // (invalid) V2ClientHello which would be shorter than that. OPENSSL_PUT_ERROR(SSL, SSL_R_RECORD_LENGTH_MISMATCH); return -1; } - /* Read the remainder of the V2ClientHello. */ + // Read the remainder of the V2ClientHello. ret = ssl_read_buffer_extend_to(ssl, 2 + msg_length); if (ret <= 0) { return ret; @@ -425,9 +425,9 @@ static int read_v2_client_hello(SSL *ssl) { CBS v2_client_hello; CBS_init(&v2_client_hello, ssl_read_buffer(ssl) + 2, msg_length); - /* The V2ClientHello without the length is incorporated into the handshake - * hash. This is only ever called at the start of the handshake, so hs is - * guaranteed to be non-NULL. */ + // The V2ClientHello without the length is incorporated into the handshake + // hash. This is only ever called at the start of the handshake, so hs is + // guaranteed to be non-NULL. if (!ssl->s3->hs->transcript.Update(CBS_data(&v2_client_hello), CBS_len(&v2_client_hello))) { return -1; @@ -452,11 +452,11 @@ static int read_v2_client_hello(SSL *ssl) { return -1; } - /* msg_type has already been checked. */ + // msg_type has already been checked. assert(msg_type == SSL2_MT_CLIENT_HELLO); - /* The client_random is the V2ClientHello challenge. Truncate or - * left-pad with zeros as needed. */ + // The client_random is the V2ClientHello challenge. Truncate or left-pad with + // zeros as needed. size_t rand_len = CBS_len(&challenge); if (rand_len > SSL3_RANDOM_SIZE) { rand_len = SSL3_RANDOM_SIZE; @@ -466,7 +466,7 @@ static int read_v2_client_hello(SSL *ssl) { OPENSSL_memcpy(random + (SSL3_RANDOM_SIZE - rand_len), CBS_data(&challenge), rand_len); - /* Write out an equivalent SSLv3 ClientHello. */ + // Write out an equivalent SSLv3 ClientHello. size_t max_v3_client_hello = SSL3_HM_HEADER_LENGTH + 2 /* version */ + SSL3_RANDOM_SIZE + 1 /* session ID length */ + 2 /* cipher list length */ + @@ -481,14 +481,14 @@ static int read_v2_client_hello(SSL *ssl) { !CBB_add_u24_length_prefixed(client_hello.get(), &hello_body) || !CBB_add_u16(&hello_body, version) || !CBB_add_bytes(&hello_body, random, SSL3_RANDOM_SIZE) || - /* No session id. */ + // No session id. !CBB_add_u8(&hello_body, 0) || !CBB_add_u16_length_prefixed(&hello_body, &cipher_suites)) { OPENSSL_PUT_ERROR(SSL, ERR_R_MALLOC_FAILURE); return -1; } - /* Copy the cipher suites. */ + // Copy the cipher suites. while (CBS_len(&cipher_specs) > 0) { uint32_t cipher_spec; if (!CBS_get_u24(&cipher_specs, &cipher_spec)) { @@ -496,7 +496,7 @@ static int read_v2_client_hello(SSL *ssl) { return -1; } - /* Skip SSLv2 ciphers. */ + // Skip SSLv2 ciphers. if ((cipher_spec & 0xff0000) != 0) { continue; } @@ -506,7 +506,7 @@ static int read_v2_client_hello(SSL *ssl) { } } - /* Add the null compression scheme and finish. */ + // Add the null compression scheme and finish. if (!CBB_add_u8(&hello_body, 1) || !CBB_add_u8(&hello_body, 0) || !CBB_finish(client_hello.get(), NULL, &ssl->init_buf->length)) { @@ -514,7 +514,7 @@ static int read_v2_client_hello(SSL *ssl) { return -1; } - /* Consume and discard the V2ClientHello. */ + // Consume and discard the V2ClientHello. ssl_read_buffer_consume(ssl, 2 + msg_length); ssl_read_buffer_discard(ssl); @@ -522,8 +522,8 @@ static int read_v2_client_hello(SSL *ssl) { return 1; } -/* TODO(davidben): Remove |out_bytes_needed| and inline into |ssl3_get_message| - * when the entire record is copied into |init_buf|. */ +// TODO(davidben): Remove |out_bytes_needed| and inline into |ssl3_get_message| +// when the entire record is copied into |init_buf|. static bool parse_message(SSL *ssl, SSLMessage *out, size_t *out_bytes_needed) { if (ssl->init_buf == NULL) { *out_bytes_needed = 4; @@ -571,14 +571,14 @@ int ssl3_read_message(SSL *ssl) { return -1; } - /* Enforce the limit so the peer cannot force us to buffer 16MB. */ + // Enforce the limit so the peer cannot force us to buffer 16MB. if (bytes_needed > 4 + ssl_max_handshake_message_len(ssl)) { ssl3_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_ILLEGAL_PARAMETER); OPENSSL_PUT_ERROR(SSL, SSL_R_EXCESSIVE_MESSAGE_SIZE); return -1; } - /* Re-create the handshake buffer if needed. */ + // Re-create the handshake buffer if needed. if (ssl->init_buf == NULL) { ssl->init_buf = BUF_MEM_new(); if (ssl->init_buf == NULL) { @@ -586,7 +586,7 @@ int ssl3_read_message(SSL *ssl) { } } - /* Bypass the record layer for the first message to handle V2ClientHello. */ + // Bypass the record layer for the first message to handle V2ClientHello. if (ssl->server && !ssl->s3->v2_hello_done) { int ret = read_v2_client_hello(ssl); if (ret > 0) { @@ -613,8 +613,8 @@ void ssl3_next_message(SSL *ssl) { ssl->s3->is_v2_hello = 0; ssl->s3->has_message = 0; - /* Post-handshake messages are rare, so release the buffer after every - * message. During the handshake, |on_handshake_complete| will release it. */ + // Post-handshake messages are rare, so release the buffer after every + // message. During the handshake, |on_handshake_complete| will release it. if (!SSL_in_init(ssl) && ssl->init_buf->length == 0) { BUF_MEM_free(ssl->init_buf); ssl->init_buf = NULL; diff --git a/ssl/s3_lib.cc b/ssl/s3_lib.cc index cc9be2db..fb705aa2 100644 --- a/ssl/s3_lib.cc +++ b/ssl/s3_lib.cc @@ -187,11 +187,11 @@ int ssl3_new(SSL *ssl) { s3->aead_write_ctx = aead_write_ctx.release(); ssl->s3 = s3; - /* Set the version to the highest supported version. - * - * TODO(davidben): Move this field into |s3|, have it store the normalized - * protocol version, and implement this pre-negotiation quirk in |SSL_version| - * at the API boundary rather than in internal state. */ + // Set the version to the highest supported version. + // + // TODO(davidben): Move this field into |s3|, have it store the normalized + // protocol version, and implement this pre-negotiation quirk in |SSL_version| + // at the API boundary rather than in internal state. ssl->version = TLS1_2_VERSION; return 1; } diff --git a/ssl/s3_pkt.cc b/ssl/s3_pkt.cc index 4f802df7..858d77a7 100644 --- a/ssl/s3_pkt.cc +++ b/ssl/s3_pkt.cc @@ -126,9 +126,9 @@ namespace bssl { static int do_ssl3_write(SSL *ssl, int type, const uint8_t *buf, unsigned len); -/* ssl3_get_record reads a new input record. On success, it places it in - * |ssl->s3->rrec| and returns one. Otherwise it returns <= 0 on error or if - * more data is needed. */ +// ssl3_get_record reads a new input record. On success, it places it in +// |ssl->s3->rrec| and returns one. Otherwise it returns <= 0 on error or if +// more data is needed. static int ssl3_get_record(SSL *ssl) { again: switch (ssl->s3->recv_shutdown) { @@ -204,13 +204,13 @@ int ssl3_write_app_data(SSL *ssl, int *out_needs_handshake, const uint8_t *buf, tot = ssl->s3->wnum; ssl->s3->wnum = 0; - /* Ensure that if we end up with a smaller value of data to write out than - * the the original len from a write which didn't complete for non-blocking - * I/O and also somehow ended up avoiding the check for this in - * ssl3_write_pending/SSL_R_BAD_WRITE_RETRY as it must never be possible to - * end up with (len-tot) as a large number that will then promptly send - * beyond the end of the users buffer ... so we trap and report the error in - * a way the user will notice. */ + // Ensure that if we end up with a smaller value of data to write out than + // the the original len from a write which didn't complete for non-blocking + // I/O and also somehow ended up avoiding the check for this in + // ssl3_write_pending/SSL_R_BAD_WRITE_RETRY as it must never be possible to + // end up with (len-tot) as a large number that will then promptly send + // beyond the end of the users buffer ... so we trap and report the error in + // a way the user will notice. if (len < 0 || (size_t)len < tot) { OPENSSL_PUT_ERROR(SSL, SSL_R_BAD_LENGTH); return -1; @@ -221,8 +221,7 @@ int ssl3_write_app_data(SSL *ssl, int *out_needs_handshake, const uint8_t *buf, n = len - tot; for (;;) { - /* max contains the maximum number of bytes that we can put into a - * record. */ + // max contains the maximum number of bytes that we can put into a record. unsigned max = ssl->max_send_fragment; if (is_early_data_write && max > ssl->session->ticket_max_early_data - ssl->s3->hs->early_data_written) { @@ -278,9 +277,9 @@ static int ssl3_write_pending(SSL *ssl, int type, const uint8_t *buf, return ssl->s3->wpend_ret; } -/* do_ssl3_write writes an SSL record of the given type. */ +// do_ssl3_write writes an SSL record of the given type. static int do_ssl3_write(SSL *ssl, int type, const uint8_t *buf, unsigned len) { - /* If there is still data from the previous record, flush it. */ + // If there is still data from the previous record, flush it. if (ssl->s3->wpend_pending) { return ssl3_write_pending(ssl, type, buf, len); } @@ -313,10 +312,10 @@ static int do_ssl3_write(SSL *ssl, int type, const uint8_t *buf, unsigned len) { return -1; } - /* Add any unflushed handshake data as a prefix. This may be a KeyUpdate - * acknowledgment or 0-RTT key change messages. |pending_flight| must be clear - * when data is added to |write_buffer| or it will be written in the wrong - * order. */ + // Add any unflushed handshake data as a prefix. This may be a KeyUpdate + // acknowledgment or 0-RTT key change messages. |pending_flight| must be clear + // when data is added to |write_buffer| or it will be written in the wrong + // order. if (ssl->s3->pending_flight != NULL) { OPENSSL_memcpy( out, ssl->s3->pending_flight->data + ssl->s3->pending_flight_offset, @@ -332,19 +331,19 @@ static int do_ssl3_write(SSL *ssl, int type, const uint8_t *buf, unsigned len) { } ssl_write_buffer_set_len(ssl, flight_len + ciphertext_len); - /* Now that we've made progress on the connection, uncork KeyUpdate - * acknowledgments. */ + // Now that we've made progress on the connection, uncork KeyUpdate + // acknowledgments. ssl->s3->key_update_pending = 0; - /* memorize arguments so that ssl3_write_pending can detect bad write retries - * later */ + // Memorize arguments so that ssl3_write_pending can detect bad write retries + // later. ssl->s3->wpend_tot = len; ssl->s3->wpend_buf = buf; ssl->s3->wpend_type = type; ssl->s3->wpend_ret = len; ssl->s3->wpend_pending = 1; - /* we now just need to write the buffer */ + // We now just need to write the buffer. return ssl3_write_pending(ssl, type, buf, len); } @@ -364,7 +363,7 @@ static int consume_record(SSL *ssl, uint8_t *out, int len, int peek) { rr->length -= len; rr->data += len; if (rr->length == 0) { - /* The record has been consumed, so we may now clear the buffer. */ + // The record has been consumed, so we may now clear the buffer. ssl_read_buffer_discard(ssl); } } @@ -380,11 +379,11 @@ int ssl3_read_app_data(SSL *ssl, int *out_got_handshake, uint8_t *buf, int len, SSL3_RECORD *rr = &ssl->s3->rrec; for (;;) { - /* A previous iteration may have read a partial handshake message. Do not - * allow more app data in that case. */ + // A previous iteration may have read a partial handshake message. Do not + // allow more app data in that case. int has_hs_data = ssl->init_buf != NULL && ssl->init_buf->length > 0; - /* Get new packet if necessary. */ + // Get new packet if necessary. if (rr->length == 0 && !has_hs_data) { int ret = ssl3_get_record(ssl); if (ret <= 0) { @@ -393,24 +392,24 @@ int ssl3_read_app_data(SSL *ssl, int *out_got_handshake, uint8_t *buf, int len, } if (has_hs_data || rr->type == SSL3_RT_HANDSHAKE) { - /* If reading 0-RTT data, reject handshake data. 0-RTT data is terminated - * by an alert. */ + // If reading 0-RTT data, reject handshake data. 0-RTT data is terminated + // by an alert. if (SSL_in_init(ssl)) { OPENSSL_PUT_ERROR(SSL, SSL_R_UNEXPECTED_RECORD); ssl3_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_UNEXPECTED_MESSAGE); return -1; } - /* Post-handshake data prior to TLS 1.3 is always renegotiation, which we - * never accept as a server. Otherwise |ssl3_get_message| will send - * |SSL_R_EXCESSIVE_MESSAGE_SIZE|. */ + // Post-handshake data prior to TLS 1.3 is always renegotiation, which we + // never accept as a server. Otherwise |ssl3_get_message| will send + // |SSL_R_EXCESSIVE_MESSAGE_SIZE|. if (ssl->server && ssl3_protocol_version(ssl) < TLS1_3_VERSION) { ssl3_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_NO_RENEGOTIATION); OPENSSL_PUT_ERROR(SSL, SSL_R_NO_RENEGOTIATION); return -1; } - /* Parse post-handshake handshake messages. */ + // Parse post-handshake handshake messages. int ret = ssl3_read_message(ssl); if (ret <= 0) { return ret; @@ -424,16 +423,16 @@ int ssl3_read_app_data(SSL *ssl, int *out_got_handshake, uint8_t *buf, int len, ssl->s3->hs->can_early_read && ssl3_protocol_version(ssl) >= TLS1_3_VERSION; - /* Handle the end_of_early_data alert. */ + // Handle the end_of_early_data alert. if (rr->type == SSL3_RT_ALERT && rr->length == 2 && rr->data[0] == SSL3_AL_WARNING && rr->data[1] == TLS1_AD_END_OF_EARLY_DATA && is_early_data_read) { - /* Consume the record. */ + // Consume the record. rr->length = 0; ssl_read_buffer_discard(ssl); - /* Stop accepting early data. */ + // Stop accepting early data. ssl->s3->hs->can_early_read = 0; *out_got_handshake = 1; return -1; @@ -459,7 +458,7 @@ int ssl3_read_app_data(SSL *ssl, int *out_got_handshake, uint8_t *buf, int len, return consume_record(ssl, buf, len, peek); } - /* Discard empty records and loop again. */ + // Discard empty records and loop again. } } @@ -494,7 +493,7 @@ int ssl3_read_change_cipher_spec(SSL *ssl) { } void ssl3_read_close_notify(SSL *ssl) { - /* Read records until an error or close_notify. */ + // Read records until an error or close_notify. while (ssl3_get_record(ssl) > 0) { ; } @@ -504,7 +503,7 @@ int ssl3_read_handshake_bytes(SSL *ssl, uint8_t *buf, int len) { SSL3_RECORD *rr = &ssl->s3->rrec; for (;;) { - /* Get new packet if necessary. */ + // Get new packet if necessary. if (rr->length == 0) { int ret = ssl3_get_record(ssl); if (ret <= 0) { @@ -512,10 +511,10 @@ int ssl3_read_handshake_bytes(SSL *ssl, uint8_t *buf, int len) { } } - /* WatchGuard's TLS 1.3 interference bug is very distinctive: they drop the - * ServerHello and send the remaining encrypted application data records - * as-is. This manifests as an application data record when we expect - * handshake. Report a dedicated error code for this case. */ + // WatchGuard's TLS 1.3 interference bug is very distinctive: they drop the + // ServerHello and send the remaining encrypted application data records + // as-is. This manifests as an application data record when we expect + // handshake. Report a dedicated error code for this case. if (!ssl->server && rr->type == SSL3_RT_APPLICATION_DATA && ssl->s3->aead_read_ctx->is_null_cipher()) { OPENSSL_PUT_ERROR(SSL, SSL_R_APPLICATION_DATA_INSTEAD_OF_HANDSHAKE); @@ -523,8 +522,8 @@ int ssl3_read_handshake_bytes(SSL *ssl, uint8_t *buf, int len) { return -1; } - /* Accept server_plaintext_handshake records when the content type TLS 1.3 - * variant is enabled. */ + // Accept server_plaintext_handshake records when the content type TLS 1.3 + // variant is enabled. if (rr->type != SSL3_RT_HANDSHAKE && !(!ssl->server && ssl->tls13_variant == tls13_record_type_experiment && @@ -539,12 +538,12 @@ int ssl3_read_handshake_bytes(SSL *ssl, uint8_t *buf, int len) { return consume_record(ssl, buf, len, 0 /* consume data */); } - /* Discard empty records and loop again. */ + // Discard empty records and loop again. } } int ssl3_send_alert(SSL *ssl, int level, int desc) { - /* It is illegal to send an alert when we've already sent a closing one. */ + // It is illegal to send an alert when we've already sent a closing one. if (ssl->s3->send_shutdown != ssl_shutdown_none) { OPENSSL_PUT_ERROR(SSL, SSL_R_PROTOCOL_IS_SHUTDOWN); return -1; @@ -561,12 +560,12 @@ int ssl3_send_alert(SSL *ssl, int level, int desc) { ssl->s3->send_alert[0] = level; ssl->s3->send_alert[1] = desc; if (!ssl_write_buffer_is_pending(ssl)) { - /* Nothing is being written out, so the alert may be dispatched - * immediately. */ + // Nothing is being written out, so the alert may be dispatched + // immediately. return ssl->method->dispatch_alert(ssl); } - /* The alert will be dispatched later. */ + // The alert will be dispatched later. return -1; } @@ -577,7 +576,7 @@ int ssl3_dispatch_alert(SSL *ssl) { } ssl->s3->alert_dispatch = 0; - /* If the alert is fatal, flush the BIO now. */ + // If the alert is fatal, flush the BIO now. if (ssl->s3->send_alert[0] == SSL3_AL_FATAL) { BIO_flush(ssl->wbio); } diff --git a/ssl/ssl_aead_ctx.cc b/ssl/ssl_aead_ctx.cc index 53dff78a..69129af3 100644 --- a/ssl/ssl_aead_ctx.cc +++ b/ssl/ssl_aead_ctx.cc @@ -62,7 +62,7 @@ UniquePtr SSLAEADContext::Create( if (!ssl_cipher_get_evp_aead(&aead, &expected_mac_key_len, &expected_fixed_iv_len, cipher, version, is_dtls) || - /* Ensure the caller returned correct key sizes. */ + // Ensure the caller returned correct key sizes. expected_fixed_iv_len != fixed_iv_len || expected_mac_key_len != mac_key_len) { OPENSSL_PUT_ERROR(SSL, ERR_R_INTERNAL_ERROR); @@ -71,8 +71,8 @@ UniquePtr SSLAEADContext::Create( uint8_t merged_key[EVP_AEAD_MAX_KEY_LENGTH]; if (mac_key_len > 0) { - /* This is a "stateful" AEAD (for compatibility with pre-AEAD cipher - * suites). */ + // This is a "stateful" AEAD (for compatibility with pre-AEAD cipher + // suites). if (mac_key_len + enc_key_len + fixed_iv_len > sizeof(merged_key)) { OPENSSL_PUT_ERROR(SSL, ERR_R_INTERNAL_ERROR); return nullptr; @@ -109,22 +109,22 @@ UniquePtr SSLAEADContext::Create( aead_ctx->fixed_nonce_len_ = fixed_iv_len; if (cipher->algorithm_enc & SSL_CHACHA20POLY1305) { - /* The fixed nonce into the actual nonce (the sequence number). */ + // The fixed nonce into the actual nonce (the sequence number). aead_ctx->xor_fixed_nonce_ = true; aead_ctx->variable_nonce_len_ = 8; } else { - /* The fixed IV is prepended to the nonce. */ + // The fixed IV is prepended to the nonce. assert(fixed_iv_len <= aead_ctx->variable_nonce_len_); aead_ctx->variable_nonce_len_ -= fixed_iv_len; } - /* AES-GCM uses an explicit nonce. */ + // AES-GCM uses an explicit nonce. if (cipher->algorithm_enc & (SSL_AES128GCM | SSL_AES256GCM)) { aead_ctx->variable_nonce_included_in_record_ = true; } - /* The TLS 1.3 construction XORs the fixed nonce into the sequence number - * and omits the additional data. */ + // The TLS 1.3 construction XORs the fixed nonce into the sequence number + // and omits the additional data. if (version >= TLS1_3_VERSION) { aead_ctx->xor_fixed_nonce_ = true; aead_ctx->variable_nonce_len_ = 8; @@ -192,18 +192,18 @@ size_t SSLAEADContext::GetAdditionalData(uint8_t out[13], uint8_t type, bool SSLAEADContext::Open(CBS *out, uint8_t type, uint16_t wire_version, const uint8_t seqnum[8], uint8_t *in, size_t in_len) { if (is_null_cipher() || FUZZER_MODE) { - /* Handle the initial NULL cipher. */ + // Handle the initial NULL cipher. CBS_init(out, in, in_len); return true; } - /* TLS 1.2 AEADs include the length in the AD and are assumed to have fixed - * overhead. Otherwise the parameter is unused. */ + // TLS 1.2 AEADs include the length in the AD and are assumed to have fixed + // overhead. Otherwise the parameter is unused. size_t plaintext_len = 0; if (!omit_length_in_ad_) { size_t overhead = MaxOverhead(); if (in_len < overhead) { - /* Publicly invalid. */ + // Publicly invalid. OPENSSL_PUT_ERROR(SSL, SSL_R_BAD_PACKET_LENGTH); return false; } @@ -213,11 +213,11 @@ bool SSLAEADContext::Open(CBS *out, uint8_t type, uint16_t wire_version, size_t ad_len = GetAdditionalData(ad, type, wire_version, seqnum, plaintext_len); - /* Assemble the nonce. */ + // Assemble the nonce. uint8_t nonce[EVP_AEAD_MAX_NONCE_LENGTH]; size_t nonce_len = 0; - /* Prepend the fixed nonce, or left-pad with zeros if XORing. */ + // Prepend the fixed nonce, or left-pad with zeros if XORing. if (xor_fixed_nonce_) { nonce_len = fixed_nonce_len_ - variable_nonce_len_; OPENSSL_memset(nonce, 0, nonce_len); @@ -226,10 +226,10 @@ bool SSLAEADContext::Open(CBS *out, uint8_t type, uint16_t wire_version, nonce_len += fixed_nonce_len_; } - /* Add the variable nonce. */ + // Add the variable nonce. if (variable_nonce_included_in_record_) { if (in_len < variable_nonce_len_) { - /* Publicly invalid. */ + // Publicly invalid. OPENSSL_PUT_ERROR(SSL, SSL_R_BAD_PACKET_LENGTH); return false; } @@ -242,7 +242,7 @@ bool SSLAEADContext::Open(CBS *out, uint8_t type, uint16_t wire_version, } nonce_len += variable_nonce_len_; - /* XOR the fixed nonce, if necessary. */ + // XOR the fixed nonce, if necessary. if (xor_fixed_nonce_) { assert(nonce_len == fixed_nonce_len_); for (size_t i = 0; i < fixed_nonce_len_; i++) { @@ -250,7 +250,7 @@ bool SSLAEADContext::Open(CBS *out, uint8_t type, uint16_t wire_version, } } - /* Decrypt in-place. */ + // Decrypt in-place. size_t len; if (!EVP_AEAD_CTX_open(ctx_.get(), in, &len, in_len, nonce, nonce_len, in, in_len, ad, ad_len)) { @@ -279,7 +279,7 @@ bool SSLAEADContext::SealScatter(uint8_t *out_prefix, uint8_t *out, } if (is_null_cipher() || FUZZER_MODE) { - /* Handle the initial NULL cipher. */ + // Handle the initial NULL cipher. OPENSSL_memmove(out, in, in_len); OPENSSL_memmove(out_suffix, extra_in, extra_in_len); return true; @@ -288,11 +288,11 @@ bool SSLAEADContext::SealScatter(uint8_t *out_prefix, uint8_t *out, uint8_t ad[13]; size_t ad_len = GetAdditionalData(ad, type, wire_version, seqnum, in_len); - /* Assemble the nonce. */ + // Assemble the nonce. uint8_t nonce[EVP_AEAD_MAX_NONCE_LENGTH]; size_t nonce_len = 0; - /* Prepend the fixed nonce, or left-pad with zeros if XORing. */ + // Prepend the fixed nonce, or left-pad with zeros if XORing. if (xor_fixed_nonce_) { nonce_len = fixed_nonce_len_ - variable_nonce_len_; OPENSSL_memset(nonce, 0, nonce_len); @@ -301,21 +301,21 @@ bool SSLAEADContext::SealScatter(uint8_t *out_prefix, uint8_t *out, nonce_len += fixed_nonce_len_; } - /* Select the variable nonce. */ + // Select the variable nonce. if (random_variable_nonce_) { assert(variable_nonce_included_in_record_); if (!RAND_bytes(nonce + nonce_len, variable_nonce_len_)) { return false; } } else { - /* When sending we use the sequence number as the variable part of the - * nonce. */ + // When sending we use the sequence number as the variable part of the + // nonce. assert(variable_nonce_len_ == 8); OPENSSL_memcpy(nonce + nonce_len, seqnum, variable_nonce_len_); } nonce_len += variable_nonce_len_; - /* Emit the variable nonce if included in the record. */ + // Emit the variable nonce if included in the record. if (variable_nonce_included_in_record_) { assert(!xor_fixed_nonce_); if (buffers_alias(in, in_len, out_prefix, variable_nonce_len_)) { @@ -326,7 +326,7 @@ bool SSLAEADContext::SealScatter(uint8_t *out_prefix, uint8_t *out, variable_nonce_len_); } - /* XOR the fixed nonce, if necessary. */ + // XOR the fixed nonce, if necessary. if (xor_fixed_nonce_) { assert(nonce_len == fixed_nonce_len_); for (size_t i = 0; i < fixed_nonce_len_; i++) { diff --git a/ssl/ssl_asn1.cc b/ssl/ssl_asn1.cc index b87c7954..73908db1 100644 --- a/ssl/ssl_asn1.cc +++ b/ssl/ssl_asn1.cc @@ -80,9 +80,9 @@ * OTHER ENTITY BASED ON INFRINGEMENT OF INTELLECTUAL PROPERTY RIGHTS OR * OTHERWISE. */ -/* Per C99, various stdint.h macros are unavailable in C++ unless some macros - * are defined. C++11 overruled this decision, but older Android NDKs still - * require it. */ +// Per C99, various stdint.h macros are unavailable in C++ unless some macros +// are defined. C++11 overruled this decision, but older Android NDKs still +// require it. #if !defined(__STDC_LIMIT_MACROS) #define __STDC_LIMIT_MACROS #endif @@ -106,50 +106,49 @@ namespace bssl { -/* An SSL_SESSION is serialized as the following ASN.1 structure: - * - * SSLSession ::= SEQUENCE { - * version INTEGER (1), -- session structure version - * sslVersion INTEGER, -- protocol version number - * cipher OCTET STRING, -- two bytes long - * sessionID OCTET STRING, - * masterKey OCTET STRING, - * time [1] INTEGER, -- seconds since UNIX epoch - * timeout [2] INTEGER, -- in seconds - * peer [3] Certificate OPTIONAL, - * sessionIDContext [4] OCTET STRING OPTIONAL, - * verifyResult [5] INTEGER OPTIONAL, -- one of X509_V_* codes - * hostName [6] OCTET STRING OPTIONAL, - * -- from server_name extension - * pskIdentity [8] OCTET STRING OPTIONAL, - * ticketLifetimeHint [9] INTEGER OPTIONAL, -- client-only - * ticket [10] OCTET STRING OPTIONAL, -- client-only - * peerSHA256 [13] OCTET STRING OPTIONAL, - * originalHandshakeHash [14] OCTET STRING OPTIONAL, - * signedCertTimestampList [15] OCTET STRING OPTIONAL, - * -- contents of SCT extension - * ocspResponse [16] OCTET STRING OPTIONAL, - * -- stapled OCSP response from the server - * extendedMasterSecret [17] BOOLEAN OPTIONAL, - * groupID [18] INTEGER OPTIONAL, - * certChain [19] SEQUENCE OF Certificate OPTIONAL, - * ticketAgeAdd [21] OCTET STRING OPTIONAL, - * isServer [22] BOOLEAN DEFAULT TRUE, - * peerSignatureAlgorithm [23] INTEGER OPTIONAL, - * ticketMaxEarlyData [24] INTEGER OPTIONAL, - * authTimeout [25] INTEGER OPTIONAL, -- defaults to timeout - * earlyALPN [26] OCTET STRING OPTIONAL, - * } - * - * Note: historically this serialization has included other optional - * fields. Their presence is currently treated as a parse error: - * - * keyArg [0] IMPLICIT OCTET STRING OPTIONAL, - * pskIdentityHint [7] OCTET STRING OPTIONAL, - * compressionMethod [11] OCTET STRING OPTIONAL, - * srpUsername [12] OCTET STRING OPTIONAL, - * ticketFlags [20] INTEGER OPTIONAL, - */ +// An SSL_SESSION is serialized as the following ASN.1 structure: +// +// SSLSession ::= SEQUENCE { +// version INTEGER (1), -- session structure version +// sslVersion INTEGER, -- protocol version number +// cipher OCTET STRING, -- two bytes long +// sessionID OCTET STRING, +// masterKey OCTET STRING, +// time [1] INTEGER, -- seconds since UNIX epoch +// timeout [2] INTEGER, -- in seconds +// peer [3] Certificate OPTIONAL, +// sessionIDContext [4] OCTET STRING OPTIONAL, +// verifyResult [5] INTEGER OPTIONAL, -- one of X509_V_* codes +// hostName [6] OCTET STRING OPTIONAL, +// -- from server_name extension +// pskIdentity [8] OCTET STRING OPTIONAL, +// ticketLifetimeHint [9] INTEGER OPTIONAL, -- client-only +// ticket [10] OCTET STRING OPTIONAL, -- client-only +// peerSHA256 [13] OCTET STRING OPTIONAL, +// originalHandshakeHash [14] OCTET STRING OPTIONAL, +// signedCertTimestampList [15] OCTET STRING OPTIONAL, +// -- contents of SCT extension +// ocspResponse [16] OCTET STRING OPTIONAL, +// -- stapled OCSP response from the server +// extendedMasterSecret [17] BOOLEAN OPTIONAL, +// groupID [18] INTEGER OPTIONAL, +// certChain [19] SEQUENCE OF Certificate OPTIONAL, +// ticketAgeAdd [21] OCTET STRING OPTIONAL, +// isServer [22] BOOLEAN DEFAULT TRUE, +// peerSignatureAlgorithm [23] INTEGER OPTIONAL, +// ticketMaxEarlyData [24] INTEGER OPTIONAL, +// authTimeout [25] INTEGER OPTIONAL, -- defaults to timeout +// earlyALPN [26] OCTET STRING OPTIONAL, +// } +// +// Note: historically this serialization has included other optional +// fields. Their presence is currently treated as a parse error: +// +// keyArg [0] IMPLICIT OCTET STRING OPTIONAL, +// pskIdentityHint [7] OCTET STRING OPTIONAL, +// compressionMethod [11] OCTET STRING OPTIONAL, +// srpUsername [12] OCTET STRING OPTIONAL, +// ticketFlags [20] INTEGER OPTIONAL, static const unsigned kVersion = 1; @@ -213,7 +212,7 @@ static int SSL_SESSION_to_bytes_full(const SSL_SESSION *in, uint8_t **out_data, !CBB_add_asn1(&session, &child, CBS_ASN1_OCTETSTRING) || !CBB_add_u16(&child, (uint16_t)(in->cipher->id & 0xffff)) || !CBB_add_asn1(&session, &child, CBS_ASN1_OCTETSTRING) || - /* The session ID is irrelevant for a session ticket. */ + // The session ID is irrelevant for a session ticket. !CBB_add_bytes(&child, in->session_id, for_ticket ? 0 : in->session_id_length) || !CBB_add_asn1(&session, &child, CBS_ASN1_OCTETSTRING) || @@ -226,8 +225,8 @@ static int SSL_SESSION_to_bytes_full(const SSL_SESSION *in, uint8_t **out_data, return 0; } - /* The peer certificate is only serialized if the SHA-256 isn't - * serialized instead. */ + // The peer certificate is only serialized if the SHA-256 isn't + // serialized instead. if (sk_CRYPTO_BUFFER_num(in->certs) > 0 && !in->peer_sha256_valid) { const CRYPTO_BUFFER *buffer = sk_CRYPTO_BUFFER_value(in->certs, 0); if (!CBB_add_asn1(&session, &child, kPeerTag) || @@ -238,8 +237,8 @@ static int SSL_SESSION_to_bytes_full(const SSL_SESSION *in, uint8_t **out_data, } } - /* Although it is OPTIONAL and usually empty, OpenSSL has - * historically always encoded the sid_ctx. */ + // Although it is OPTIONAL and usually empty, OpenSSL has + // historically always encoded the sid_ctx. if (!CBB_add_asn1(&session, &child, kSessionIDContextTag) || !CBB_add_asn1(&child, &child2, CBS_ASN1_OCTETSTRING) || !CBB_add_bytes(&child2, in->sid_ctx, in->sid_ctx_length)) { @@ -348,8 +347,8 @@ static int SSL_SESSION_to_bytes_full(const SSL_SESSION *in, uint8_t **out_data, return 0; } - /* The certificate chain is only serialized if the leaf's SHA-256 isn't - * serialized instead. */ + // The certificate chain is only serialized if the leaf's SHA-256 isn't + // serialized instead. if (in->certs != NULL && !in->peer_sha256_valid && sk_CRYPTO_BUFFER_num(in->certs) >= 2) { @@ -423,12 +422,12 @@ static int SSL_SESSION_to_bytes_full(const SSL_SESSION *in, uint8_t **out_data, return 1; } -/* SSL_SESSION_parse_string gets an optional ASN.1 OCTET STRING - * explicitly tagged with |tag| from |cbs| and saves it in |*out|. On - * entry, if |*out| is not NULL, it frees the existing contents. If - * the element was not found, it sets |*out| to NULL. It returns one - * on success, whether or not the element was found, and zero on - * decode error. */ +// SSL_SESSION_parse_string gets an optional ASN.1 OCTET STRING +// explicitly tagged with |tag| from |cbs| and saves it in |*out|. On +// entry, if |*out| is not NULL, it frees the existing contents. If +// the element was not found, it sets |*out| to NULL. It returns one +// on success, whether or not the element was found, and zero on +// decode error. static int SSL_SESSION_parse_string(CBS *cbs, char **out, unsigned tag) { CBS value; int present; @@ -452,12 +451,12 @@ static int SSL_SESSION_parse_string(CBS *cbs, char **out, unsigned tag) { return 1; } -/* SSL_SESSION_parse_string gets an optional ASN.1 OCTET STRING - * explicitly tagged with |tag| from |cbs| and stows it in |*out_ptr| - * and |*out_len|. If |*out_ptr| is not NULL, it frees the existing - * contents. On entry, if the element was not found, it sets - * |*out_ptr| to NULL. It returns one on success, whether or not the - * element was found, and zero on decode error. */ +// SSL_SESSION_parse_string gets an optional ASN.1 OCTET STRING +// explicitly tagged with |tag| from |cbs| and stows it in |*out_ptr| +// and |*out_len|. If |*out_ptr| is not NULL, it frees the existing +// contents. On entry, if the element was not found, it sets +// |*out_ptr| to NULL. It returns one on success, whether or not the +// element was found, and zero on decode error. static int SSL_SESSION_parse_octet_string(CBS *cbs, uint8_t **out_ptr, size_t *out_len, unsigned tag) { CBS value; @@ -495,8 +494,8 @@ static int SSL_SESSION_parse_crypto_buffer(CBS *cbs, CRYPTO_BUFFER **out, return 1; } -/* SSL_SESSION_parse_bounded_octet_string parses an optional ASN.1 OCTET STRING - * explicitly tagged with |tag| of size at most |max_out|. */ +// SSL_SESSION_parse_bounded_octet_string parses an optional ASN.1 OCTET STRING +// explicitly tagged with |tag| of size at most |max_out|. static int SSL_SESSION_parse_bounded_octet_string( CBS *cbs, uint8_t *out, uint8_t *out_len, uint8_t max_out, unsigned tag) { CBS value; @@ -564,10 +563,10 @@ UniquePtr SSL_SESSION_parse(CBS *cbs, !CBS_get_asn1_uint64(&session, &version) || version != kVersion || !CBS_get_asn1_uint64(&session, &ssl_version) || - /* Require sessions have versions valid in either TLS or DTLS. The session - * will not be used by the handshake if not applicable, but, for - * simplicity, never parse a session that does not pass - * |ssl_protocol_version_from_wire|. */ + // Require sessions have versions valid in either TLS or DTLS. The session + // will not be used by the handshake if not applicable, but, for + // simplicity, never parse a session that does not pass + // |ssl_protocol_version_from_wire|. ssl_version > UINT16_MAX || !ssl_protocol_version_from_wire(&unused, ssl_version)) { OPENSSL_PUT_ERROR(SSL, SSL_R_INVALID_SSL_SESSION); @@ -622,7 +621,7 @@ UniquePtr SSL_SESSION_parse(CBS *cbs, OPENSSL_PUT_ERROR(SSL, SSL_R_INVALID_SSL_SESSION); return nullptr; } - /* |peer| is processed with the certificate chain. */ + // |peer| is processed with the certificate chain. if (!SSL_SESSION_parse_bounded_octet_string( &session, ret->sid_ctx, &ret->sid_ctx_length, sizeof(ret->sid_ctx), @@ -779,10 +778,10 @@ using namespace bssl; int SSL_SESSION_to_bytes(const SSL_SESSION *in, uint8_t **out_data, size_t *out_len) { if (in->not_resumable) { - /* If the caller has an unresumable session, e.g. if |SSL_get_session| were - * called on a TLS 1.3 or False Started connection, serialize with a - * placeholder value so it is not accidentally deserialized into a resumable - * one. */ + // If the caller has an unresumable session, e.g. if |SSL_get_session| were + // called on a TLS 1.3 or False Started connection, serialize with a + // placeholder value so it is not accidentally deserialized into a resumable + // one. static const char kNotResumableSession[] = "NOT RESUMABLE"; *out_len = strlen(kNotResumableSession); diff --git a/ssl/ssl_buffer.cc b/ssl/ssl_buffer.cc index 7f11b6f1..d74278e3 100644 --- a/ssl/ssl_buffer.cc +++ b/ssl/ssl_buffer.cc @@ -29,16 +29,16 @@ namespace bssl { -/* BIO uses int instead of size_t. No lengths will exceed uint16_t, so this will - * not overflow. */ +// BIO uses int instead of size_t. No lengths will exceed uint16_t, so this will +// not overflow. static_assert(0xffff <= INT_MAX, "uint16_t does not fit in int"); static_assert((SSL3_ALIGN_PAYLOAD & (SSL3_ALIGN_PAYLOAD - 1)) == 0, "SSL3_ALIGN_PAYLOAD must be a power of 2"); -/* ensure_buffer ensures |buf| has capacity at least |cap|, aligned such that - * data written after |header_len| is aligned to a |SSL3_ALIGN_PAYLOAD|-byte - * boundary. It returns one on success and zero on error. */ +// ensure_buffer ensures |buf| has capacity at least |cap|, aligned such that +// data written after |header_len| is aligned to a |SSL3_ALIGN_PAYLOAD|-byte +// boundary. It returns one on success and zero on error. static int ensure_buffer(SSL3_BUFFER *buf, size_t header_len, size_t cap) { if (cap > 0xffff) { OPENSSL_PUT_ERROR(SSL, ERR_R_INTERNAL_ERROR); @@ -49,14 +49,14 @@ static int ensure_buffer(SSL3_BUFFER *buf, size_t header_len, size_t cap) { return 1; } - /* Add up to |SSL3_ALIGN_PAYLOAD| - 1 bytes of slack for alignment. */ + // Add up to |SSL3_ALIGN_PAYLOAD| - 1 bytes of slack for alignment. uint8_t *new_buf = (uint8_t *)OPENSSL_malloc(cap + SSL3_ALIGN_PAYLOAD - 1); if (new_buf == NULL) { OPENSSL_PUT_ERROR(SSL, ERR_R_MALLOC_FAILURE); return 0; } - /* Offset the buffer such that the record body is aligned. */ + // Offset the buffer such that the record body is aligned. size_t new_offset = (0 - header_len - (uintptr_t)new_buf) & (SSL3_ALIGN_PAYLOAD - 1); @@ -97,19 +97,19 @@ static int dtls_read_buffer_next_packet(SSL *ssl) { SSL3_BUFFER *buf = &ssl->s3->read_buffer; if (buf->len > 0) { - /* It is an error to call |dtls_read_buffer_extend| when the read buffer is - * not empty. */ + // It is an error to call |dtls_read_buffer_extend| when the read buffer is + // not empty. OPENSSL_PUT_ERROR(SSL, ERR_R_INTERNAL_ERROR); return -1; } - /* Read a single packet from |ssl->rbio|. |buf->cap| must fit in an int. */ + // Read a single packet from |ssl->rbio|. |buf->cap| must fit in an int. int ret = BIO_read(ssl->rbio, buf->buf + buf->offset, (int)buf->cap); if (ret <= 0) { ssl->rwstate = SSL_READING; return ret; } - /* |BIO_read| was bound by |buf->cap|, so this cannot overflow. */ + // |BIO_read| was bound by |buf->cap|, so this cannot overflow. buf->len = (uint16_t)ret; return 1; } @@ -122,18 +122,18 @@ static int tls_read_buffer_extend_to(SSL *ssl, size_t len) { return -1; } - /* Read until the target length is reached. */ + // Read until the target length is reached. while (buf->len < len) { - /* The amount of data to read is bounded by |buf->cap|, which must fit in an - * int. */ + // The amount of data to read is bounded by |buf->cap|, which must fit in an + // int. int ret = BIO_read(ssl->rbio, buf->buf + buf->offset + buf->len, (int)(len - buf->len)); if (ret <= 0) { ssl->rwstate = SSL_READING; return ret; } - /* |BIO_read| was bound by |buf->cap - buf->len|, so this cannot - * overflow. */ + // |BIO_read| was bound by |buf->cap - buf->len|, so this cannot + // overflow. buf->len += (uint16_t)ret; } @@ -141,7 +141,7 @@ static int tls_read_buffer_extend_to(SSL *ssl, size_t len) { } int ssl_read_buffer_extend_to(SSL *ssl, size_t len) { - /* |ssl_read_buffer_extend_to| implicitly discards any consumed data. */ + // |ssl_read_buffer_extend_to| implicitly discards any consumed data. ssl_read_buffer_discard(ssl); if (SSL_is_dtls(ssl)) { @@ -149,7 +149,7 @@ int ssl_read_buffer_extend_to(SSL *ssl, size_t len) { DTLS1_RT_HEADER_LENGTH + SSL3_RT_MAX_ENCRYPTED_LENGTH <= 0xffff, "DTLS read buffer is too large"); - /* The |len| parameter is ignored in DTLS. */ + // The |len| parameter is ignored in DTLS. len = DTLS1_RT_HEADER_LENGTH + SSL3_RT_MAX_ENCRYPTED_LENGTH; } @@ -164,15 +164,15 @@ int ssl_read_buffer_extend_to(SSL *ssl, size_t len) { int ret; if (SSL_is_dtls(ssl)) { - /* |len| is ignored for a datagram transport. */ + // |len| is ignored for a datagram transport. ret = dtls_read_buffer_next_packet(ssl); } else { ret = tls_read_buffer_extend_to(ssl, len); } if (ret <= 0) { - /* If the buffer was empty originally and remained empty after attempting to - * extend it, release the buffer until the next attempt. */ + // If the buffer was empty originally and remained empty after attempting to + // extend it, release the buffer until the next attempt. ssl_read_buffer_discard(ssl); } return ret; @@ -183,11 +183,11 @@ void ssl_read_buffer_consume(SSL *ssl, size_t len) { consume_buffer(buf, len); - /* The TLS stack never reads beyond the current record, so there will never be - * unconsumed data. If read-ahead is ever reimplemented, - * |ssl_read_buffer_discard| will require a |memcpy| to shift the excess back - * to the front of the buffer, to ensure there is enough space for the next - * record. */ + // The TLS stack never reads beyond the current record, so there will never be + // unconsumed data. If read-ahead is ever reimplemented, + // |ssl_read_buffer_discard| will require a |memcpy| to shift the excess back + // to the front of the buffer, to ensure there is enough space for the next + // record. assert(SSL_is_dtls(ssl) || len == 0 || buf->len == 0); } @@ -265,9 +265,9 @@ static int dtls_write_buffer_flush(SSL *ssl) { int ret = BIO_write(ssl->wbio, buf->buf + buf->offset, buf->len); if (ret <= 0) { ssl->rwstate = SSL_WRITING; - /* If the write failed, drop the write buffer anyway. Datagram transports - * can't write half a packet, so the caller is expected to retry from the - * top. */ + // If the write failed, drop the write buffer anyway. Datagram transports + // can't write half a packet, so the caller is expected to retry from the + // top. ssl_write_buffer_clear(ssl); return ret; } diff --git a/ssl/ssl_cert.cc b/ssl/ssl_cert.cc index 76af31ee..094d85a5 100644 --- a/ssl/ssl_cert.cc +++ b/ssl/ssl_cert.cc @@ -207,7 +207,7 @@ err: return NULL; } -/* Free up and clear all certificates and chains */ +// Free up and clear all certificates and chains void ssl_cert_clear_certs(CERT *cert) { if (cert == NULL) { return; @@ -248,12 +248,12 @@ enum leaf_cert_and_privkey_result_t { leaf_cert_and_privkey_mismatch, }; -/* check_leaf_cert_and_privkey checks whether the certificate in |leaf_buffer| - * and the private key in |privkey| are suitable and coherent. It returns - * |leaf_cert_and_privkey_error| and pushes to the error queue if a problem is - * found. If the certificate and private key are valid, but incoherent, it - * returns |leaf_cert_and_privkey_mismatch|. Otherwise it returns - * |leaf_cert_and_privkey_ok|. */ +// check_leaf_cert_and_privkey checks whether the certificate in |leaf_buffer| +// and the private key in |privkey| are suitable and coherent. It returns +// |leaf_cert_and_privkey_error| and pushes to the error queue if a problem is +// found. If the certificate and private key are valid, but incoherent, it +// returns |leaf_cert_and_privkey_mismatch|. Otherwise it returns +// |leaf_cert_and_privkey_ok|. static enum leaf_cert_and_privkey_result_t check_leaf_cert_and_privkey( CRYPTO_BUFFER *leaf_buffer, EVP_PKEY *privkey) { CBS cert_cbs; @@ -269,8 +269,8 @@ static enum leaf_cert_and_privkey_result_t check_leaf_cert_and_privkey( return leaf_cert_and_privkey_error; } - /* An ECC certificate may be usable for ECDH or ECDSA. We only support ECDSA - * certificates, so sanity-check the key usage extension. */ + // An ECC certificate may be usable for ECDH or ECDSA. We only support ECDSA + // certificates, so sanity-check the key usage extension. if (pubkey->type == EVP_PKEY_EC && !ssl_cert_check_digital_signature_key_usage(&cert_cbs)) { OPENSSL_PUT_ERROR(SSL, SSL_R_UNKNOWN_CERTIFICATE_TYPE); @@ -278,7 +278,7 @@ static enum leaf_cert_and_privkey_result_t check_leaf_cert_and_privkey( } if (privkey != NULL && - /* Sanity-check that the private key and the certificate match. */ + // Sanity-check that the private key and the certificate match. !ssl_compare_public_and_private_key(pubkey.get(), privkey)) { ERR_clear_error(); return leaf_cert_and_privkey_mismatch; @@ -342,9 +342,9 @@ int ssl_set_cert(CERT *cert, UniquePtr buffer) { case leaf_cert_and_privkey_error: return 0; case leaf_cert_and_privkey_mismatch: - /* don't fail for a cert/key mismatch, just free current private key - * (when switching to a different cert & key, first this function should - * be used, then |ssl_set_pkey|. */ + // don't fail for a cert/key mismatch, just free current private key + // (when switching to a different cert & key, first this function should + // be used, then |ssl_set_pkey|. EVP_PKEY_free(cert->privatekey); cert->privatekey = NULL; break; @@ -423,7 +423,7 @@ bool ssl_parse_cert_chain(uint8_t *out_alert, return false; } - /* Retain the hash of the leaf certificate if requested. */ + // Retain the hash of the leaf certificate if requested. if (out_leaf_sha256 != NULL) { SHA256(CBS_data(&certificate), CBS_len(&certificate), out_leaf_sha256); } @@ -471,9 +471,9 @@ int ssl_add_cert_chain(SSL *ssl, CBB *cbb) { return CBB_flush(cbb); } -/* ssl_cert_skip_to_spki parses a DER-encoded, X.509 certificate from |in| and - * positions |*out_tbs_cert| to cover the TBSCertificate, starting at the - * subjectPublicKeyInfo. */ +// ssl_cert_skip_to_spki parses a DER-encoded, X.509 certificate from |in| and +// positions |*out_tbs_cert| to cover the TBSCertificate, starting at the +// subjectPublicKeyInfo. static int ssl_cert_skip_to_spki(const CBS *in, CBS *out_tbs_cert) { /* From RFC 5280, section 4.1 * Certificate ::= SEQUENCE { @@ -496,19 +496,19 @@ static int ssl_cert_skip_to_spki(const CBS *in, CBS *out_tbs_cert) { if (!CBS_get_asn1(&buf, &toplevel, CBS_ASN1_SEQUENCE) || CBS_len(&buf) != 0 || !CBS_get_asn1(&toplevel, out_tbs_cert, CBS_ASN1_SEQUENCE) || - /* version */ + // version !CBS_get_optional_asn1( out_tbs_cert, NULL, NULL, CBS_ASN1_CONSTRUCTED | CBS_ASN1_CONTEXT_SPECIFIC | 0) || - /* serialNumber */ + // serialNumber !CBS_get_asn1(out_tbs_cert, NULL, CBS_ASN1_INTEGER) || - /* signature algorithm */ + // signature algorithm !CBS_get_asn1(out_tbs_cert, NULL, CBS_ASN1_SEQUENCE) || - /* issuer */ + // issuer !CBS_get_asn1(out_tbs_cert, NULL, CBS_ASN1_SEQUENCE) || - /* validity */ + // validity !CBS_get_asn1(out_tbs_cert, NULL, CBS_ASN1_SEQUENCE) || - /* subject */ + // subject !CBS_get_asn1(out_tbs_cert, NULL, CBS_ASN1_SEQUENCE)) { return 0; } @@ -529,8 +529,8 @@ UniquePtr ssl_cert_parse_pubkey(const CBS *in) { int ssl_compare_public_and_private_key(const EVP_PKEY *pubkey, const EVP_PKEY *privkey) { if (EVP_PKEY_is_opaque(privkey)) { - /* We cannot check an opaque private key and have to trust that it - * matches. */ + // We cannot check an opaque private key and have to trust that it + // matches. return 1; } @@ -586,13 +586,13 @@ int ssl_cert_check_digital_signature_key_usage(const CBS *in) { CBS tbs_cert, outer_extensions; int has_extensions; if (!ssl_cert_skip_to_spki(&buf, &tbs_cert) || - /* subjectPublicKeyInfo */ + // subjectPublicKeyInfo !CBS_get_asn1(&tbs_cert, NULL, CBS_ASN1_SEQUENCE) || - /* issuerUniqueID */ + // issuerUniqueID !CBS_get_optional_asn1( &tbs_cert, NULL, NULL, CBS_ASN1_CONSTRUCTED | CBS_ASN1_CONTEXT_SPECIFIC | 1) || - /* subjectUniqueID */ + // subjectUniqueID !CBS_get_optional_asn1( &tbs_cert, NULL, NULL, CBS_ASN1_CONSTRUCTED | CBS_ASN1_CONTEXT_SPECIFIC | 2) || @@ -635,8 +635,8 @@ int ssl_cert_check_digital_signature_key_usage(const CBS *in) { goto parse_err; } - /* This is the KeyUsage extension. See - * https://tools.ietf.org/html/rfc5280#section-4.2.1.3 */ + // This is the KeyUsage extension. See + // https://tools.ietf.org/html/rfc5280#section-4.2.1.3 if (!CBS_is_valid_asn1_bitstring(&bit_string)) { goto parse_err; } @@ -649,7 +649,7 @@ int ssl_cert_check_digital_signature_key_usage(const CBS *in) { return 1; } - /* No KeyUsage extension found. */ + // No KeyUsage extension found. return 1; parse_err: @@ -733,18 +733,18 @@ int ssl_check_leaf_certificate(SSL_HANDSHAKE *hs, EVP_PKEY *pkey, SSL *const ssl = hs->ssl; assert(ssl3_protocol_version(ssl) < TLS1_3_VERSION); - /* Check the certificate's type matches the cipher. */ + // Check the certificate's type matches the cipher. if (!(hs->new_cipher->algorithm_auth & ssl_cipher_auth_mask_for_key(pkey))) { OPENSSL_PUT_ERROR(SSL, SSL_R_WRONG_CERTIFICATE_TYPE); return 0; } - /* Check key usages for all key types but RSA. This is needed to distinguish - * ECDH certificates, which we do not support, from ECDSA certificates. In - * principle, we should check RSA key usages based on cipher, but this breaks - * buggy antivirus deployments. Other key types are always used for signing. - * - * TODO(davidben): Get more recent data on RSA key usages. */ + // Check key usages for all key types but RSA. This is needed to distinguish + // ECDH certificates, which we do not support, from ECDSA certificates. In + // principle, we should check RSA key usages based on cipher, but this breaks + // buggy antivirus deployments. Other key types are always used for signing. + // + // TODO(davidben): Get more recent data on RSA key usages. if (EVP_PKEY_id(pkey) != EVP_PKEY_RSA) { CBS leaf_cbs; CBS_init(&leaf_cbs, CRYPTO_BUFFER_data(leaf), CRYPTO_BUFFER_len(leaf)); @@ -754,7 +754,7 @@ int ssl_check_leaf_certificate(SSL_HANDSHAKE *hs, EVP_PKEY *pkey, } if (EVP_PKEY_id(pkey) == EVP_PKEY_EC) { - /* Check the key's group and point format are acceptable. */ + // Check the key's group and point format are acceptable. EC_KEY *ec_key = EVP_PKEY_get0_EC_KEY(pkey); uint16_t group_id; if (!ssl_nid_to_group_id( @@ -772,7 +772,7 @@ int ssl_check_leaf_certificate(SSL_HANDSHAKE *hs, EVP_PKEY *pkey, int ssl_on_certificate_selected(SSL_HANDSHAKE *hs) { SSL *const ssl = hs->ssl; if (!ssl_has_certificate(ssl)) { - /* Nothing to do. */ + // Nothing to do. return 1; } diff --git a/ssl/ssl_cipher.cc b/ssl/ssl_cipher.cc index ecdecddf..e7a81a3f 100644 --- a/ssl/ssl_cipher.cc +++ b/ssl/ssl_cipher.cc @@ -156,10 +156,10 @@ namespace bssl { -/* kCiphers is an array of all supported ciphers, sorted by id. */ +// kCiphers is an array of all supported ciphers, sorted by id. static const SSL_CIPHER kCiphers[] = { - /* The RSA ciphers */ - /* Cipher 02 */ + // The RSA ciphers + // Cipher 02 { SSL3_TXT_RSA_NULL_SHA, "TLS_RSA_WITH_NULL_SHA", @@ -171,7 +171,7 @@ static const SSL_CIPHER kCiphers[] = { SSL_HANDSHAKE_MAC_DEFAULT, }, - /* Cipher 0A */ + // Cipher 0A { SSL3_TXT_RSA_DES_192_CBC3_SHA, "TLS_RSA_WITH_3DES_EDE_CBC_SHA", @@ -184,9 +184,9 @@ static const SSL_CIPHER kCiphers[] = { }, - /* New AES ciphersuites */ + // New AES ciphersuites - /* Cipher 2F */ + // Cipher 2F { TLS1_TXT_RSA_WITH_AES_128_SHA, "TLS_RSA_WITH_AES_128_CBC_SHA", @@ -198,7 +198,7 @@ static const SSL_CIPHER kCiphers[] = { SSL_HANDSHAKE_MAC_DEFAULT, }, - /* Cipher 35 */ + // Cipher 35 { TLS1_TXT_RSA_WITH_AES_256_SHA, "TLS_RSA_WITH_AES_256_CBC_SHA", @@ -211,9 +211,9 @@ static const SSL_CIPHER kCiphers[] = { }, - /* TLS v1.2 ciphersuites */ + // TLS v1.2 ciphersuites - /* Cipher 3C */ + // Cipher 3C { TLS1_TXT_RSA_WITH_AES_128_SHA256, "TLS_RSA_WITH_AES_128_CBC_SHA256", @@ -225,7 +225,7 @@ static const SSL_CIPHER kCiphers[] = { SSL_HANDSHAKE_MAC_SHA256, }, - /* Cipher 3D */ + // Cipher 3D { TLS1_TXT_RSA_WITH_AES_256_SHA256, "TLS_RSA_WITH_AES_256_CBC_SHA256", @@ -237,9 +237,9 @@ static const SSL_CIPHER kCiphers[] = { SSL_HANDSHAKE_MAC_SHA256, }, - /* PSK cipher suites. */ + // PSK cipher suites. - /* Cipher 8C */ + // Cipher 8C { TLS1_TXT_PSK_WITH_AES_128_CBC_SHA, "TLS_PSK_WITH_AES_128_CBC_SHA", @@ -251,7 +251,7 @@ static const SSL_CIPHER kCiphers[] = { SSL_HANDSHAKE_MAC_DEFAULT, }, - /* Cipher 8D */ + // Cipher 8D { TLS1_TXT_PSK_WITH_AES_256_CBC_SHA, "TLS_PSK_WITH_AES_256_CBC_SHA", @@ -263,9 +263,9 @@ static const SSL_CIPHER kCiphers[] = { SSL_HANDSHAKE_MAC_DEFAULT, }, - /* GCM ciphersuites from RFC5288 */ + // GCM ciphersuites from RFC5288 - /* Cipher 9C */ + // Cipher 9C { TLS1_TXT_RSA_WITH_AES_128_GCM_SHA256, "TLS_RSA_WITH_AES_128_GCM_SHA256", @@ -277,7 +277,7 @@ static const SSL_CIPHER kCiphers[] = { SSL_HANDSHAKE_MAC_SHA256, }, - /* Cipher 9D */ + // Cipher 9D { TLS1_TXT_RSA_WITH_AES_256_GCM_SHA384, "TLS_RSA_WITH_AES_256_GCM_SHA384", @@ -289,9 +289,9 @@ static const SSL_CIPHER kCiphers[] = { SSL_HANDSHAKE_MAC_SHA384, }, - /* TLS 1.3 suites. */ + // TLS 1.3 suites. - /* Cipher 1301 */ + // Cipher 1301 { TLS1_TXT_AES_128_GCM_SHA256, "TLS_AES_128_GCM_SHA256", @@ -303,7 +303,7 @@ static const SSL_CIPHER kCiphers[] = { SSL_HANDSHAKE_MAC_SHA256, }, - /* Cipher 1302 */ + // Cipher 1302 { TLS1_TXT_AES_256_GCM_SHA384, "TLS_AES_256_GCM_SHA384", @@ -315,7 +315,7 @@ static const SSL_CIPHER kCiphers[] = { SSL_HANDSHAKE_MAC_SHA384, }, - /* Cipher 1303 */ + // Cipher 1303 { TLS1_TXT_CHACHA20_POLY1305_SHA256, "TLS_CHACHA20_POLY1305_SHA256", @@ -327,7 +327,7 @@ static const SSL_CIPHER kCiphers[] = { SSL_HANDSHAKE_MAC_SHA256, }, - /* Cipher C009 */ + // Cipher C009 { TLS1_TXT_ECDHE_ECDSA_WITH_AES_128_CBC_SHA, "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA", @@ -339,7 +339,7 @@ static const SSL_CIPHER kCiphers[] = { SSL_HANDSHAKE_MAC_DEFAULT, }, - /* Cipher C00A */ + // Cipher C00A { TLS1_TXT_ECDHE_ECDSA_WITH_AES_256_CBC_SHA, "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA", @@ -351,7 +351,7 @@ static const SSL_CIPHER kCiphers[] = { SSL_HANDSHAKE_MAC_DEFAULT, }, - /* Cipher C013 */ + // Cipher C013 { TLS1_TXT_ECDHE_RSA_WITH_AES_128_CBC_SHA, "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA", @@ -363,7 +363,7 @@ static const SSL_CIPHER kCiphers[] = { SSL_HANDSHAKE_MAC_DEFAULT, }, - /* Cipher C014 */ + // Cipher C014 { TLS1_TXT_ECDHE_RSA_WITH_AES_256_CBC_SHA, "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA", @@ -376,9 +376,9 @@ static const SSL_CIPHER kCiphers[] = { }, - /* HMAC based TLS v1.2 ciphersuites from RFC5289 */ + // HMAC based TLS v1.2 ciphersuites from RFC5289 - /* Cipher C023 */ + // Cipher C023 { TLS1_TXT_ECDHE_ECDSA_WITH_AES_128_SHA256, "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256", @@ -390,7 +390,7 @@ static const SSL_CIPHER kCiphers[] = { SSL_HANDSHAKE_MAC_SHA256, }, - /* Cipher C024 */ + // Cipher C024 { TLS1_TXT_ECDHE_ECDSA_WITH_AES_256_SHA384, "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384", @@ -402,7 +402,7 @@ static const SSL_CIPHER kCiphers[] = { SSL_HANDSHAKE_MAC_SHA384, }, - /* Cipher C027 */ + // Cipher C027 { TLS1_TXT_ECDHE_RSA_WITH_AES_128_SHA256, "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256", @@ -414,7 +414,7 @@ static const SSL_CIPHER kCiphers[] = { SSL_HANDSHAKE_MAC_SHA256, }, - /* Cipher C028 */ + // Cipher C028 { TLS1_TXT_ECDHE_RSA_WITH_AES_256_SHA384, "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384", @@ -427,9 +427,9 @@ static const SSL_CIPHER kCiphers[] = { }, - /* GCM based TLS v1.2 ciphersuites from RFC5289 */ + // GCM based TLS v1.2 ciphersuites from RFC5289 - /* Cipher C02B */ + // Cipher C02B { TLS1_TXT_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256", @@ -441,7 +441,7 @@ static const SSL_CIPHER kCiphers[] = { SSL_HANDSHAKE_MAC_SHA256, }, - /* Cipher C02C */ + // Cipher C02C { TLS1_TXT_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384, "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384", @@ -453,7 +453,7 @@ static const SSL_CIPHER kCiphers[] = { SSL_HANDSHAKE_MAC_SHA384, }, - /* Cipher C02F */ + // Cipher C02F { TLS1_TXT_ECDHE_RSA_WITH_AES_128_GCM_SHA256, "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256", @@ -465,7 +465,7 @@ static const SSL_CIPHER kCiphers[] = { SSL_HANDSHAKE_MAC_SHA256, }, - /* Cipher C030 */ + // Cipher C030 { TLS1_TXT_ECDHE_RSA_WITH_AES_256_GCM_SHA384, "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384", @@ -477,9 +477,9 @@ static const SSL_CIPHER kCiphers[] = { SSL_HANDSHAKE_MAC_SHA384, }, - /* ECDHE-PSK cipher suites. */ + // ECDHE-PSK cipher suites. - /* Cipher C035 */ + // Cipher C035 { TLS1_TXT_ECDHE_PSK_WITH_AES_128_CBC_SHA, "TLS_ECDHE_PSK_WITH_AES_128_CBC_SHA", @@ -491,7 +491,7 @@ static const SSL_CIPHER kCiphers[] = { SSL_HANDSHAKE_MAC_DEFAULT, }, - /* Cipher C036 */ + // Cipher C036 { TLS1_TXT_ECDHE_PSK_WITH_AES_256_CBC_SHA, "TLS_ECDHE_PSK_WITH_AES_256_CBC_SHA", @@ -503,9 +503,9 @@ static const SSL_CIPHER kCiphers[] = { SSL_HANDSHAKE_MAC_DEFAULT, }, - /* ChaCha20-Poly1305 cipher suites. */ + // ChaCha20-Poly1305 cipher suites. - /* Cipher CCA8 */ + // Cipher CCA8 { TLS1_TXT_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256, "TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256", @@ -517,7 +517,7 @@ static const SSL_CIPHER kCiphers[] = { SSL_HANDSHAKE_MAC_SHA256, }, - /* Cipher CCA9 */ + // Cipher CCA9 { TLS1_TXT_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256, "TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256", @@ -529,7 +529,7 @@ static const SSL_CIPHER kCiphers[] = { SSL_HANDSHAKE_MAC_SHA256, }, - /* Cipher CCAB */ + // Cipher CCAB { TLS1_TXT_ECDHE_PSK_WITH_CHACHA20_POLY1305_SHA256, "TLS_ECDHE_PSK_WITH_CHACHA20_POLY1305_SHA256", @@ -559,32 +559,32 @@ typedef struct cipher_order_st { } CIPHER_ORDER; typedef struct cipher_alias_st { - /* name is the name of the cipher alias. */ + // name is the name of the cipher alias. const char *name; - /* The following fields are bitmasks for the corresponding fields on - * |SSL_CIPHER|. A cipher matches a cipher alias iff, for each bitmask, the - * bit corresponding to the cipher's value is set to 1. If any bitmask is - * all zeroes, the alias matches nothing. Use |~0u| for the default value. */ + // The following fields are bitmasks for the corresponding fields on + // |SSL_CIPHER|. A cipher matches a cipher alias iff, for each bitmask, the + // bit corresponding to the cipher's value is set to 1. If any bitmask is + // all zeroes, the alias matches nothing. Use |~0u| for the default value. uint32_t algorithm_mkey; uint32_t algorithm_auth; uint32_t algorithm_enc; uint32_t algorithm_mac; - /* min_version, if non-zero, matches all ciphers which were added in that - * particular protocol version. */ + // min_version, if non-zero, matches all ciphers which were added in that + // particular protocol version. uint16_t min_version; } CIPHER_ALIAS; static const CIPHER_ALIAS kCipherAliases[] = { - /* "ALL" doesn't include eNULL. It must be explicitly enabled. */ + // "ALL" doesn't include eNULL. It must be explicitly enabled. {"ALL", ~0u, ~0u, ~SSL_eNULL, ~0u, 0}, - /* The "COMPLEMENTOFDEFAULT" rule is omitted. It matches nothing. */ + // The "COMPLEMENTOFDEFAULT" rule is omitted. It matches nothing. - /* key exchange aliases - * (some of those using only a single bit here combine - * multiple key exchange algs according to the RFCs. */ + // key exchange aliases + // (some of those using only a single bit here combine + // multiple key exchange algs according to the RFCs. {"kRSA", SSL_kRSA, ~0u, ~0u, ~0u, 0}, {"kECDHE", SSL_kECDHE, ~0u, ~0u, ~0u, 0}, @@ -593,19 +593,19 @@ static const CIPHER_ALIAS kCipherAliases[] = { {"kPSK", SSL_kPSK, ~0u, ~0u, ~0u, 0}, - /* server authentication aliases */ + // server authentication aliases {"aRSA", ~0u, SSL_aRSA, ~SSL_eNULL, ~0u, 0}, {"aECDSA", ~0u, SSL_aECDSA, ~0u, ~0u, 0}, {"ECDSA", ~0u, SSL_aECDSA, ~0u, ~0u, 0}, {"aPSK", ~0u, SSL_aPSK, ~0u, ~0u, 0}, - /* aliases combining key exchange and server authentication */ + // aliases combining key exchange and server authentication {"ECDHE", SSL_kECDHE, ~0u, ~0u, ~0u, 0}, {"EECDH", SSL_kECDHE, ~0u, ~0u, ~0u, 0}, {"RSA", SSL_kRSA, SSL_aRSA, ~SSL_eNULL, ~0u, 0}, {"PSK", SSL_kPSK, SSL_aPSK, ~0u, ~0u, 0}, - /* symmetric encryption aliases */ + // symmetric encryption aliases {"3DES", ~0u, ~0u, SSL_3DES, ~0u, 0}, {"AES128", ~0u, ~0u, SSL_AES128 | SSL_AES128GCM, ~0u, 0}, {"AES256", ~0u, ~0u, SSL_AES256 | SSL_AES256GCM, ~0u, 0}, @@ -613,19 +613,19 @@ static const CIPHER_ALIAS kCipherAliases[] = { {"AESGCM", ~0u, ~0u, SSL_AES128GCM | SSL_AES256GCM, ~0u, 0}, {"CHACHA20", ~0u, ~0u, SSL_CHACHA20POLY1305, ~0u, 0}, - /* MAC aliases */ + // MAC aliases {"SHA1", ~0u, ~0u, ~SSL_eNULL, SSL_SHA1, 0}, {"SHA", ~0u, ~0u, ~SSL_eNULL, SSL_SHA1, 0}, {"SHA256", ~0u, ~0u, ~0u, SSL_SHA256, 0}, {"SHA384", ~0u, ~0u, ~0u, SSL_SHA384, 0}, - /* Legacy protocol minimum version aliases. "TLSv1" is intentionally the - * same as "SSLv3". */ + // Legacy protocol minimum version aliases. "TLSv1" is intentionally the + // same as "SSLv3". {"SSLv3", ~0u, ~0u, ~SSL_eNULL, ~0u, SSL3_VERSION}, {"TLSv1", ~0u, ~0u, ~SSL_eNULL, ~0u, SSL3_VERSION}, {"TLSv1.2", ~0u, ~0u, ~SSL_eNULL, ~0u, TLS1_2_VERSION}, - /* Legacy strength classes. */ + // Legacy strength classes. {"HIGH", ~0u, ~0u, ~SSL_eNULL, ~0u, 0}, {"FIPS", ~0u, ~0u, ~SSL_eNULL, ~0u, 0}, }; @@ -671,8 +671,8 @@ int ssl_cipher_get_evp_aead(const EVP_AEAD **out_aead, return 0; } - /* In TLS 1.3, the iv_len is equal to the AEAD nonce length whereas the code - * above computes the TLS 1.2 construction. */ + // In TLS 1.3, the iv_len is equal to the AEAD nonce length whereas the code + // above computes the TLS 1.2 construction. if (version >= TLS1_3_VERSION) { *out_fixed_iv_len = EVP_AEAD_nonce_length(*out_aead); } @@ -764,10 +764,10 @@ static bool is_cipher_list_separator(char c, int is_strict) { return !is_strict && (c == ' ' || c == ';' || c == ','); } -/* rule_equals returns one iff the NUL-terminated string |rule| is equal to the - * |buf_len| bytes at |buf|. */ +// rule_equals returns one iff the NUL-terminated string |rule| is equal to the +// |buf_len| bytes at |buf|. static int rule_equals(const char *rule, const char *buf, size_t buf_len) { - /* |strncmp| alone only checks that |buf| is a prefix of |rule|. */ + // |strncmp| alone only checks that |buf| is a prefix of |rule|. return strncmp(rule, buf, buf_len) == 0 && rule[buf_len] == '\0'; } @@ -815,13 +815,13 @@ static void ssl_cipher_collect_ciphers(const SSL_PROTOCOL_METHOD *ssl_method, CIPHER_ORDER *co_list, CIPHER_ORDER **head_p, CIPHER_ORDER **tail_p) { - /* The set of ciphers is static, but some subset may be unsupported by - * |ssl_method|, so the list may be smaller. */ + // The set of ciphers is static, but some subset may be unsupported by + // |ssl_method|, so the list may be smaller. size_t co_list_num = 0; for (size_t i = 0; i < kCiphersLen; i++) { const SSL_CIPHER *cipher = &kCiphers[i]; if (ssl_method->supports_cipher(cipher) && - /* TLS 1.3 ciphers do not participate in this mechanism. */ + // TLS 1.3 ciphers do not participate in this mechanism. cipher->algorithm_mkey != SSL_kGENERIC) { co_list[co_list_num].cipher = cipher; co_list[co_list_num].next = NULL; @@ -832,7 +832,7 @@ static void ssl_cipher_collect_ciphers(const SSL_PROTOCOL_METHOD *ssl_method, } } - /* Prepare linked list from list entries. */ + // Prepare linked list from list entries. if (co_list_num > 0) { co_list[0].prev = NULL; @@ -854,15 +854,15 @@ static void ssl_cipher_collect_ciphers(const SSL_PROTOCOL_METHOD *ssl_method, } } -/* ssl_cipher_apply_rule applies the rule type |rule| to ciphers matching its - * parameters in the linked list from |*head_p| to |*tail_p|. It writes the new - * head and tail of the list to |*head_p| and |*tail_p|, respectively. - * - * - If |cipher_id| is non-zero, only that cipher is selected. - * - Otherwise, if |strength_bits| is non-negative, it selects ciphers - * of that strength. - * - Otherwise, it selects ciphers that match each bitmasks in |alg_*| and - * |min_version|. */ +// ssl_cipher_apply_rule applies the rule type |rule| to ciphers matching its +// parameters in the linked list from |*head_p| to |*tail_p|. It writes the new +// head and tail of the list to |*head_p| and |*tail_p|, respectively. +// +// - If |cipher_id| is non-zero, only that cipher is selected. +// - Otherwise, if |strength_bits| is non-negative, it selects ciphers +// of that strength. +// - Otherwise, it selects ciphers that match each bitmasks in |alg_*| and +// |min_version|. static void ssl_cipher_apply_rule( uint32_t cipher_id, uint32_t alg_mkey, uint32_t alg_auth, uint32_t alg_enc, uint32_t alg_mac, uint16_t min_version, int rule, @@ -874,12 +874,12 @@ static void ssl_cipher_apply_rule( if (cipher_id == 0 && strength_bits == -1 && min_version == 0 && (alg_mkey == 0 || alg_auth == 0 || alg_enc == 0 || alg_mac == 0)) { - /* The rule matches nothing, so bail early. */ + // The rule matches nothing, so bail early. return; } if (rule == CIPHER_DEL) { - /* needed to maintain sorting between currently deleted ciphers */ + // needed to maintain sorting between currently deleted ciphers reverse = 1; } @@ -908,8 +908,8 @@ static void ssl_cipher_apply_rule( next = reverse ? curr->prev : curr->next; cp = curr->cipher; - /* Selection criteria is either a specific cipher, the value of - * |strength_bits|, or the algorithms used. */ + // Selection criteria is either a specific cipher, the value of + // |strength_bits|, or the algorithms used. if (cipher_id != 0) { if (cipher_id != cp->id) { continue; @@ -928,9 +928,9 @@ static void ssl_cipher_apply_rule( } } - /* add the cipher if it has not been added yet. */ + // add the cipher if it has not been added yet. if (rule == CIPHER_ADD) { - /* reverse == 0 */ + // reverse == 0 if (!curr->active) { ll_append_tail(&head, curr, &tail); curr->active = 1; @@ -938,25 +938,25 @@ static void ssl_cipher_apply_rule( } } - /* Move the added cipher to this location */ + // Move the added cipher to this location else if (rule == CIPHER_ORD) { - /* reverse == 0 */ + // reverse == 0 if (curr->active) { ll_append_tail(&head, curr, &tail); curr->in_group = 0; } } else if (rule == CIPHER_DEL) { - /* reverse == 1 */ + // reverse == 1 if (curr->active) { - /* most recently deleted ciphersuites get best positions - * for any future CIPHER_ADD (note that the CIPHER_DEL loop - * works in reverse to maintain the order) */ + // most recently deleted ciphersuites get best positions + // for any future CIPHER_ADD (note that the CIPHER_DEL loop + // works in reverse to maintain the order) ll_append_head(&head, curr, &tail); curr->active = 0; curr->in_group = 0; } } else if (rule == CIPHER_KILL) { - /* reverse == 0 */ + // reverse == 0 if (head == curr) { head = curr->next; } else { @@ -987,9 +987,9 @@ static int ssl_cipher_strength_sort(CIPHER_ORDER **head_p, int max_strength_bits, i, *number_uses; CIPHER_ORDER *curr; - /* This routine sorts the ciphers with descending strength. The sorting must - * keep the pre-sorted sequence, so we apply the normal sorting routine as - * '+' movement to the end of the list. */ + // This routine sorts the ciphers with descending strength. The sorting must + // keep the pre-sorted sequence, so we apply the normal sorting routine as + // '+' movement to the end of the list. max_strength_bits = 0; curr = *head_p; while (curr != NULL) { @@ -1007,7 +1007,7 @@ static int ssl_cipher_strength_sort(CIPHER_ORDER **head_p, } OPENSSL_memset(number_uses, 0, (max_strength_bits + 1) * sizeof(int)); - /* Now find the strength_bits values actually used. */ + // Now find the strength_bits values actually used. curr = *head_p; while (curr != NULL) { if (curr->active) { @@ -1016,7 +1016,7 @@ static int ssl_cipher_strength_sort(CIPHER_ORDER **head_p, curr = curr->next; } - /* Go through the list of used strength_bits values in descending order. */ + // Go through the list of used strength_bits values in descending order. for (i = max_strength_bits; i >= 0; i--) { if (number_uses[i] > 0) { ssl_cipher_apply_rule(0, 0, 0, 0, 0, 0, CIPHER_ORD, i, 0, head_p, tail_p); @@ -1044,7 +1044,7 @@ static int ssl_cipher_process_rulestr(const SSL_PROTOCOL_METHOD *ssl_method, ch = *l; if (ch == '\0') { - break; /* done */ + break; // done } if (in_group) { @@ -1090,8 +1090,8 @@ static int ssl_cipher_process_rulestr(const SSL_PROTOCOL_METHOD *ssl_method, rule = CIPHER_ADD; } - /* If preference groups are enabled, the only legal operator is +. - * Otherwise the in_group bits will get mixed up. */ + // If preference groups are enabled, the only legal operator is +. + // Otherwise the in_group bits will get mixed up. if (has_group && rule != CIPHER_ADD) { OPENSSL_PUT_ERROR(SSL, SSL_R_MIXED_SPECIAL_OPERATOR_WITH_GROUPS); return 0; @@ -1122,8 +1122,8 @@ static int ssl_cipher_process_rulestr(const SSL_PROTOCOL_METHOD *ssl_method, } if (buf_len == 0) { - /* We hit something we cannot deal with, it is no command or separator - * nor alphanumeric, so we call this an error. */ + // We hit something we cannot deal with, it is no command or separator + // nor alphanumeric, so we call this an error. OPENSSL_PUT_ERROR(SSL, SSL_R_INVALID_COMMAND); return 0; } @@ -1132,8 +1132,8 @@ static int ssl_cipher_process_rulestr(const SSL_PROTOCOL_METHOD *ssl_method, break; } - /* Look for a matching exact cipher. These aren't allowed in multipart - * rules. */ + // Look for a matching exact cipher. These aren't allowed in multipart + // rules. if (!multi && ch != '+') { for (j = 0; j < kCiphersLen; j++) { const SSL_CIPHER *cipher = &kCiphers[j]; @@ -1145,7 +1145,7 @@ static int ssl_cipher_process_rulestr(const SSL_PROTOCOL_METHOD *ssl_method, } } if (cipher_id == 0) { - /* If not an exact cipher, look for a matching cipher alias. */ + // If not an exact cipher, look for a matching cipher alias. for (j = 0; j < kCipherAliasesLen; j++) { if (rule_equals(kCipherAliases[j].name, buf, buf_len)) { alg_mkey &= kCipherAliases[j].algorithm_mkey; @@ -1171,7 +1171,7 @@ static int ssl_cipher_process_rulestr(const SSL_PROTOCOL_METHOD *ssl_method, } } - /* Check for a multipart rule. */ + // Check for a multipart rule. if (ch != '+') { break; } @@ -1179,7 +1179,7 @@ static int ssl_cipher_process_rulestr(const SSL_PROTOCOL_METHOD *ssl_method, multi = 1; } - /* Ok, we have the rule, now apply it. */ + // Ok, we have the rule, now apply it. if (rule == CIPHER_SPECIAL) { if (buf_len != 8 || strncmp(buf, "STRENGTH", 8) != 0) { OPENSSL_PUT_ERROR(SSL, SSL_R_INVALID_COMMAND); @@ -1189,8 +1189,8 @@ static int ssl_cipher_process_rulestr(const SSL_PROTOCOL_METHOD *ssl_method, return 0; } - /* We do not support any "multi" options together with "@", so throw away - * the rest of the command, if any left, until end or ':' is found. */ + // We do not support any "multi" options together with "@", so throw away + // the rest of the command, if any left, until end or ':' is found. while (*l != '\0' && !is_cipher_list_separator(*l, strict)) { l++; } @@ -1218,14 +1218,14 @@ int ssl_create_cipher_list( unsigned int num_in_group_flags = 0; struct ssl_cipher_preference_list_st *pref_list = NULL; - /* Return with error if nothing to do. */ + // Return with error if nothing to do. if (rule_str == NULL || out_cipher_list == NULL) { return 0; } - /* Now we have to collect the available ciphers from the compiled in ciphers. - * We cannot get more than the number compiled in, so it is used for - * allocation. */ + // Now we have to collect the available ciphers from the compiled in ciphers. + // We cannot get more than the number compiled in, so it is used for + // allocation. co_list = (CIPHER_ORDER *)OPENSSL_malloc(sizeof(CIPHER_ORDER) * kCiphersLen); if (co_list == NULL) { OPENSSL_PUT_ERROR(SSL, ERR_R_MALLOC_FAILURE); @@ -1234,11 +1234,11 @@ int ssl_create_cipher_list( ssl_cipher_collect_ciphers(ssl_method, co_list, &head, &tail); - /* Now arrange all ciphers by preference: - * TODO(davidben): Compute this order once and copy it. */ + // Now arrange all ciphers by preference: + // TODO(davidben): Compute this order once and copy it. - /* Everything else being equal, prefer ECDHE_ECDSA and ECDHE_RSA over other - * key exchange mechanisms */ + // Everything else being equal, prefer ECDHE_ECDSA and ECDHE_RSA over other + // key exchange mechanisms ssl_cipher_apply_rule(0, SSL_kECDHE, SSL_aECDSA, ~0u, ~0u, 0, CIPHER_ADD, -1, 0, &head, &tail); ssl_cipher_apply_rule(0, SSL_kECDHE, ~0u, ~0u, ~0u, 0, CIPHER_ADD, -1, 0, @@ -1246,10 +1246,10 @@ int ssl_create_cipher_list( ssl_cipher_apply_rule(0, ~0u, ~0u, ~0u, ~0u, 0, CIPHER_DEL, -1, 0, &head, &tail); - /* Order the bulk ciphers. First the preferred AEAD ciphers. We prefer - * CHACHA20 unless there is hardware support for fast and constant-time - * AES_GCM. Of the two CHACHA20 variants, the new one is preferred over the - * old one. */ + // Order the bulk ciphers. First the preferred AEAD ciphers. We prefer + // CHACHA20 unless there is hardware support for fast and constant-time + // AES_GCM. Of the two CHACHA20 variants, the new one is preferred over the + // old one. if (EVP_has_aes_hardware()) { ssl_cipher_apply_rule(0, ~0u, ~0u, SSL_AES128GCM, ~0u, 0, CIPHER_ADD, -1, 0, &head, &tail); @@ -1266,8 +1266,8 @@ int ssl_create_cipher_list( &head, &tail); } - /* Then the legacy non-AEAD ciphers: AES_128_CBC, AES_256_CBC, - * 3DES_EDE_CBC_SHA. */ + // Then the legacy non-AEAD ciphers: AES_128_CBC, AES_256_CBC, + // 3DES_EDE_CBC_SHA. ssl_cipher_apply_rule(0, ~0u, ~0u, SSL_AES128, ~0u, 0, CIPHER_ADD, -1, 0, &head, &tail); ssl_cipher_apply_rule(0, ~0u, ~0u, SSL_AES256, ~0u, 0, CIPHER_ADD, -1, 0, @@ -1275,20 +1275,20 @@ int ssl_create_cipher_list( ssl_cipher_apply_rule(0, ~0u, ~0u, SSL_3DES, ~0u, 0, CIPHER_ADD, -1, 0, &head, &tail); - /* Temporarily enable everything else for sorting */ + // Temporarily enable everything else for sorting ssl_cipher_apply_rule(0, ~0u, ~0u, ~0u, ~0u, 0, CIPHER_ADD, -1, 0, &head, &tail); - /* Move ciphers without forward secrecy to the end. */ + // Move ciphers without forward secrecy to the end. ssl_cipher_apply_rule(0, (SSL_kRSA | SSL_kPSK), ~0u, ~0u, ~0u, 0, CIPHER_ORD, -1, 0, &head, &tail); - /* Now disable everything (maintaining the ordering!) */ + // Now disable everything (maintaining the ordering!) ssl_cipher_apply_rule(0, ~0u, ~0u, ~0u, ~0u, 0, CIPHER_DEL, -1, 0, &head, &tail); - /* If the rule_string begins with DEFAULT, apply the default rule before - * using the (possibly available) additional rules. */ + // If the rule_string begins with DEFAULT, apply the default rule before + // using the (possibly available) additional rules. const char *rule_p = rule_str; if (strncmp(rule_str, "DEFAULT", 7) == 0) { if (!ssl_cipher_process_rulestr(ssl_method, SSL_DEFAULT_CIPHER_LIST, &head, @@ -1306,8 +1306,8 @@ int ssl_create_cipher_list( goto err; } - /* Allocate new "cipherstack" for the result, return with error - * if we cannot get one. */ + // Allocate new "cipherstack" for the result, return with error + // if we cannot get one. cipherstack = sk_SSL_CIPHER_new_null(); if (cipherstack == NULL) { goto err; @@ -1318,8 +1318,8 @@ int ssl_create_cipher_list( goto err; } - /* The cipher selection for the list is done. The ciphers are added - * to the resulting precedence to the STACK_OF(SSL_CIPHER). */ + // The cipher selection for the list is done. The ciphers are added + // to the resulting precedence to the STACK_OF(SSL_CIPHER). for (curr = head; curr != NULL; curr = curr->next) { if (curr->active) { if (!sk_SSL_CIPHER_push(cipherstack, curr->cipher)) { @@ -1328,7 +1328,7 @@ int ssl_create_cipher_list( in_group_flags[num_in_group_flags++] = curr->in_group; } } - OPENSSL_free(co_list); /* Not needed any longer */ + OPENSSL_free(co_list); // Not needed any longer co_list = NULL; pref_list = (ssl_cipher_preference_list_st *)OPENSSL_malloc( @@ -1350,8 +1350,8 @@ int ssl_create_cipher_list( *out_cipher_list = pref_list; pref_list = NULL; - /* Configuring an empty cipher list is an error but still updates the - * output. */ + // Configuring an empty cipher list is an error but still updates the + // output. if (sk_SSL_CIPHER_num((*out_cipher_list)->ciphers) == 0) { OPENSSL_PUT_ERROR(SSL, SSL_R_NO_CIPHER_MATCH); return 0; @@ -1372,7 +1372,7 @@ err: uint16_t ssl_cipher_get_value(const SSL_CIPHER *cipher) { uint32_t id = cipher->id; - /* All ciphers are SSLv3. */ + // All ciphers are SSLv3. assert((id & 0xff000000) == 0x03000000); return id & 0xffff; } @@ -1383,7 +1383,7 @@ uint32_t ssl_cipher_auth_mask_for_key(const EVP_PKEY *key) { return SSL_aRSA; case EVP_PKEY_EC: case EVP_PKEY_ED25519: - /* Ed25519 keys in TLS 1.2 repurpose the ECDSA ciphers. */ + // Ed25519 keys in TLS 1.2 repurpose the ECDSA ciphers. return SSL_aECDSA; default: return 0; @@ -1395,12 +1395,12 @@ int ssl_cipher_uses_certificate_auth(const SSL_CIPHER *cipher) { } int ssl_cipher_requires_server_key_exchange(const SSL_CIPHER *cipher) { - /* Ephemeral Diffie-Hellman key exchanges require a ServerKeyExchange. */ + // Ephemeral Diffie-Hellman key exchanges require a ServerKeyExchange. if (cipher->algorithm_mkey & SSL_kECDHE) { return 1; } - /* It is optional in all others. */ + // It is optional in all others. return 0; } @@ -1418,7 +1418,7 @@ size_t ssl_cipher_get_record_split_len(const SSL_CIPHER *cipher) { return 0; } - /* All supported TLS 1.0 ciphers use SHA-1. */ + // All supported TLS 1.0 ciphers use SHA-1. assert(cipher->algorithm_mac == SSL_SHA1); size_t ret = 1 + SHA_DIGEST_LENGTH; ret += block_size - (ret % block_size); @@ -1521,8 +1521,8 @@ uint16_t SSL_CIPHER_get_min_version(const SSL_CIPHER *cipher) { } if (cipher->algorithm_prf != SSL_HANDSHAKE_MAC_DEFAULT) { - /* Cipher suites before TLS 1.2 use the default PRF, while all those added - * afterwards specify a particular hash. */ + // Cipher suites before TLS 1.2 use the default PRF, while all those added + // afterwards specify a particular hash. return TLS1_2_VERSION; } return SSL3_VERSION; @@ -1536,7 +1536,7 @@ uint16_t SSL_CIPHER_get_max_version(const SSL_CIPHER *cipher) { return TLS1_2_VERSION; } -/* return the actual cipher being used */ +// return the actual cipher being used const char *SSL_CIPHER_get_name(const SSL_CIPHER *cipher) { if (cipher != NULL) { return cipher->name; diff --git a/ssl/ssl_file.cc b/ssl/ssl_file.cc index 59351a32..1bdc14fa 100644 --- a/ssl/ssl_file.cc +++ b/ssl/ssl_file.cc @@ -128,8 +128,8 @@ static int xname_cmp(const X509_NAME **a, const X509_NAME **b) { return X509_NAME_cmp(*a, *b); } -/* TODO(davidben): Is there any reason this doesn't call - * |SSL_add_file_cert_subjects_to_stack|? */ +// TODO(davidben): Is there any reason this doesn't call +// |SSL_add_file_cert_subjects_to_stack|? STACK_OF(X509_NAME) *SSL_load_client_CA_file(const char *file) { BIO *in; X509 *x = NULL; @@ -164,7 +164,7 @@ STACK_OF(X509_NAME) *SSL_load_client_CA_file(const char *file) { goto err; } - /* Check for duplicates. */ + // Check for duplicates. if (sk_X509_NAME_find(sk, NULL, xn)) { continue; } @@ -222,7 +222,7 @@ int SSL_add_file_cert_subjects_to_stack(STACK_OF(X509_NAME) *stack, goto err; } - /* Check for duplicates. */ + // Check for duplicates. if (sk_X509_NAME_find(stack, NULL, xn)) { continue; } @@ -493,15 +493,15 @@ end: return ret; } -/* Read a file that contains our certificate in "PEM" format, possibly followed - * by a sequence of CA certificates that should be sent to the peer in the - * Certificate message. */ +// Read a file that contains our certificate in "PEM" format, possibly followed +// by a sequence of CA certificates that should be sent to the peer in the +// Certificate message. int SSL_CTX_use_certificate_chain_file(SSL_CTX *ctx, const char *file) { BIO *in; int ret = 0; X509 *x = NULL; - ERR_clear_error(); /* clear error stack for SSL_CTX_use_certificate() */ + ERR_clear_error(); // clear error stack for SSL_CTX_use_certificate() in = BIO_new(BIO_s_file()); if (in == NULL) { @@ -524,12 +524,12 @@ int SSL_CTX_use_certificate_chain_file(SSL_CTX *ctx, const char *file) { ret = SSL_CTX_use_certificate(ctx, x); if (ERR_peek_error() != 0) { - ret = 0; /* Key/certificate mismatch doesn't imply ret==0 ... */ + ret = 0; // Key/certificate mismatch doesn't imply ret==0 ... } if (ret) { - /* If we could set up our certificate, now proceed to the CA - * certificates. */ + // If we could set up our certificate, now proceed to the CA + // certificates. X509 *ca; int r; uint32_t err; @@ -545,18 +545,18 @@ int SSL_CTX_use_certificate_chain_file(SSL_CTX *ctx, const char *file) { ret = 0; goto end; } - /* Note that we must not free r if it was successfully added to the chain - * (while we must free the main certificate, since its reference count is - * increased by SSL_CTX_use_certificate). */ + // Note that we must not free r if it was successfully added to the chain + // (while we must free the main certificate, since its reference count is + // increased by SSL_CTX_use_certificate). } - /* When the while loop ends, it's usually just EOF. */ + // When the while loop ends, it's usually just EOF. err = ERR_peek_last_error(); if (ERR_GET_LIB(err) == ERR_LIB_PEM && ERR_GET_REASON(err) == PEM_R_NO_START_LINE) { ERR_clear_error(); } else { - ret = 0; /* some real error */ + ret = 0; // some real error } } diff --git a/ssl/ssl_key_share.cc b/ssl/ssl_key_share.cc index eb615352..207f11e1 100644 --- a/ssl/ssl_key_share.cc +++ b/ssl/ssl_key_share.cc @@ -42,14 +42,14 @@ class ECKeyShare : public SSLKeyShare { bool Offer(CBB *out) override { assert(!private_key_); - /* Set up a shared |BN_CTX| for all operations. */ + // Set up a shared |BN_CTX| for all operations. UniquePtr bn_ctx(BN_CTX_new()); if (!bn_ctx) { return false; } BN_CTXScope scope(bn_ctx.get()); - /* Generate a private key. */ + // Generate a private key. UniquePtr group(EC_GROUP_new_by_curve_name(nid_)); private_key_.reset(BN_new()); if (!group || !private_key_ || @@ -58,7 +58,7 @@ class ECKeyShare : public SSLKeyShare { return false; } - /* Compute the corresponding public key and serialize it. */ + // Compute the corresponding public key and serialize it. UniquePtr public_key(EC_POINT_new(group.get())); if (!public_key || !EC_POINT_mul(group.get(), public_key.get(), private_key_.get(), NULL, @@ -76,7 +76,7 @@ class ECKeyShare : public SSLKeyShare { assert(private_key_); *out_alert = SSL_AD_INTERNAL_ERROR; - /* Set up a shared |BN_CTX| for all operations. */ + // Set up a shared |BN_CTX| for all operations. UniquePtr bn_ctx(BN_CTX_new()); if (!bn_ctx) { return false; @@ -101,7 +101,7 @@ class ECKeyShare : public SSLKeyShare { return false; } - /* Compute the x-coordinate of |peer_key| * |private_key_|. */ + // Compute the x-coordinate of |peer_key| * |private_key_|. if (!EC_POINT_mul(group.get(), result.get(), NULL, peer_point.get(), private_key_.get(), bn_ctx.get()) || !EC_POINT_get_affine_coordinates_GFp(group.get(), result.get(), x, NULL, @@ -109,7 +109,7 @@ class ECKeyShare : public SSLKeyShare { return false; } - /* Encode the x-coordinate left-padded with zeros. */ + // Encode the x-coordinate left-padded with zeros. size_t secret_len = (EC_GROUP_get_degree(group.get()) + 7) / 8; UniquePtr secret((uint8_t *)OPENSSL_malloc(secret_len)); if (!secret || !BN_bn2bin_padded(secret.get(), secret_len, x)) { diff --git a/ssl/ssl_lib.cc b/ssl/ssl_lib.cc index 63053566..e2106160 100644 --- a/ssl/ssl_lib.cc +++ b/ssl/ssl_lib.cc @@ -164,22 +164,22 @@ namespace bssl { -/* |SSL_R_UNKNOWN_PROTOCOL| is no longer emitted, but continue to define it - * to avoid downstream churn. */ +// |SSL_R_UNKNOWN_PROTOCOL| is no longer emitted, but continue to define it +// to avoid downstream churn. OPENSSL_DECLARE_ERROR_REASON(SSL, UNKNOWN_PROTOCOL) -/* The following errors are no longer emitted, but are used in nginx without - * #ifdefs. */ +// The following errors are no longer emitted, but are used in nginx without +// #ifdefs. OPENSSL_DECLARE_ERROR_REASON(SSL, BLOCK_CIPHER_PAD_IS_WRONG) OPENSSL_DECLARE_ERROR_REASON(SSL, NO_CIPHERS_SPECIFIED) -/* Some error codes are special. Ensure the make_errors.go script never - * regresses this. */ +// Some error codes are special. Ensure the make_errors.go script never +// regresses this. static_assert(SSL_R_TLSV1_ALERT_NO_RENEGOTIATION == SSL_AD_NO_RENEGOTIATION + SSL_AD_REASON_OFFSET, "alert reason code mismatch"); -/* kMaxHandshakeSize is the maximum size, in bytes, of a handshake message. */ +// kMaxHandshakeSize is the maximum size, in bytes, of a handshake message. static const size_t kMaxHandshakeSize = (1u << 24) - 1; static CRYPTO_EX_DATA_CLASS g_ex_data_class_ssl = @@ -188,8 +188,8 @@ static CRYPTO_EX_DATA_CLASS g_ex_data_class_ssl_ctx = CRYPTO_EX_DATA_CLASS_INIT_WITH_APP_DATA; void ssl_reset_error_state(SSL *ssl) { - /* Functions which use |SSL_get_error| must reset I/O and error state on - * entry. */ + // Functions which use |SSL_get_error| must reset I/O and error state on + // entry. ssl->rwstate = SSL_NOTHING; ERR_clear_error(); ERR_clear_system_error(); @@ -216,20 +216,20 @@ void ssl_cipher_preference_list_free( void ssl_update_cache(SSL_HANDSHAKE *hs, int mode) { SSL *const ssl = hs->ssl; SSL_CTX *ctx = ssl->session_ctx; - /* Never cache sessions with empty session IDs. */ + // Never cache sessions with empty session IDs. if (ssl->s3->established_session->session_id_length == 0 || ssl->s3->established_session->not_resumable || (ctx->session_cache_mode & mode) != mode) { return; } - /* Clients never use the internal session cache. */ + // Clients never use the internal session cache. int use_internal_cache = ssl->server && !(ctx->session_cache_mode & SSL_SESS_CACHE_NO_INTERNAL_STORE); - /* A client may see new sessions on abbreviated handshakes if the server - * decides to renew the ticket. Once the handshake is completed, it should be - * inserted into the cache. */ + // A client may see new sessions on abbreviated handshakes if the server + // decides to renew the ticket. Once the handshake is completed, it should be + // inserted into the cache. if (ssl->s3->established_session != ssl->session || (!ssl->server && hs->ticket_expected)) { if (use_internal_cache) { @@ -238,7 +238,7 @@ void ssl_update_cache(SSL_HANDSHAKE *hs, int mode) { if (ctx->new_session_cb != NULL) { SSL_SESSION_up_ref(ssl->s3->established_session); if (!ctx->new_session_cb(ssl, ssl->s3->established_session)) { - /* |new_session_cb|'s return value signals whether it took ownership. */ + // |new_session_cb|'s return value signals whether it took ownership. SSL_SESSION_free(ssl->s3->established_session); } } @@ -246,7 +246,7 @@ void ssl_update_cache(SSL_HANDSHAKE *hs, int mode) { if (use_internal_cache && !(ctx->session_cache_mode & SSL_SESS_CACHE_NO_AUTO_CLEAR)) { - /* Automatically flush the internal session cache every 255 connections. */ + // Automatically flush the internal session cache every 255 connections. int flush_cache = 0; CRYPTO_MUTEX_lock_write(&ctx->lock); ctx->handshakes_since_cache_flush++; @@ -309,7 +309,7 @@ int ssl_log_secret(const SSL *ssl, const char *label, const uint8_t *secret, int ssl3_can_false_start(const SSL *ssl) { const SSL_CIPHER *const cipher = SSL_get_current_cipher(ssl); - /* False Start only for TLS 1.2 with an ECDHE+AEAD cipher and ALPN or NPN. */ + // False Start only for TLS 1.2 with an ECDHE+AEAD cipher and ALPN or NPN. return !SSL_is_dtls(ssl) && SSL_version(ssl) == TLS1_2_VERSION && (ssl->s3->alpn_selected != NULL || @@ -338,12 +338,12 @@ void ssl_do_msg_callback(SSL *ssl, int is_write, int content_type, return; } - /* |version| is zero when calling for |SSL3_RT_HEADER| and |SSL2_VERSION| for - * a V2ClientHello. */ + // |version| is zero when calling for |SSL3_RT_HEADER| and |SSL2_VERSION| for + // a V2ClientHello. int version; switch (content_type) { case 0: - /* V2ClientHello */ + // V2ClientHello version = SSL2_VERSION; break; case SSL3_RT_HEADER: @@ -358,16 +358,16 @@ void ssl_do_msg_callback(SSL *ssl, int is_write, int content_type, } void ssl_get_current_time(const SSL *ssl, struct OPENSSL_timeval *out_clock) { - /* TODO(martinkr): Change callers to |ssl_ctx_get_current_time| and drop the - * |ssl| arg from |current_time_cb| if possible. */ + // TODO(martinkr): Change callers to |ssl_ctx_get_current_time| and drop the + // |ssl| arg from |current_time_cb| if possible. ssl_ctx_get_current_time(ssl->ctx, out_clock); } void ssl_ctx_get_current_time(const SSL_CTX *ctx, struct OPENSSL_timeval *out_clock) { if (ctx->current_time_cb != NULL) { - /* TODO(davidben): Update current_time_cb to use OPENSSL_timeval. See - * https://crbug.com/boringssl/155. */ + // TODO(davidben): Update current_time_cb to use OPENSSL_timeval. See + // https://crbug.com/boringssl/155. struct timeval clock; ctx->current_time_cb(nullptr /* ssl */, &clock); if (clock.tv_sec < 0) { @@ -437,11 +437,11 @@ static uint32_t ssl_session_hash(const SSL_SESSION *sess) { return hash; } -/* NB: If this function (or indeed the hash function which uses a sort of - * coarser function than this one) is changed, ensure - * SSL_CTX_has_matching_session_id() is checked accordingly. It relies on being - * able to construct an SSL_SESSION that will collide with any existing session - * with a matching session ID. */ +// NB: If this function (or indeed the hash function which uses a sort of +// coarser function than this one) is changed, ensure +// SSL_CTX_has_matching_session_id() is checked accordingly. It relies on being +// able to construct an SSL_SESSION that will collide with any existing session +// with a matching session ID. static int ssl_session_cmp(const SSL_SESSION *a, const SSL_SESSION *b) { if (a->ssl_version != b->ssl_version) { return 1; @@ -511,16 +511,16 @@ SSL_CTX *SSL_CTX_new(const SSL_METHOD *method) { ret->max_send_fragment = SSL3_RT_MAX_PLAIN_LENGTH; - /* Disable the auto-chaining feature by default. Once this has stuck without - * problems, the feature will be removed entirely. */ + // Disable the auto-chaining feature by default. Once this has stuck without + // problems, the feature will be removed entirely. ret->mode = SSL_MODE_NO_AUTO_CHAIN; - /* Lock the SSL_CTX to the specified version, for compatibility with legacy - * uses of SSL_METHOD, but we do not set the minimum version for - * |SSLv3_method|. */ + // Lock the SSL_CTX to the specified version, for compatibility with legacy + // uses of SSL_METHOD, but we do not set the minimum version for + // |SSLv3_method|. if (!SSL_CTX_set_max_proto_version(ret, method->version) || !SSL_CTX_set_min_proto_version(ret, method->version == SSL3_VERSION - ? 0 /* default */ + ? 0 // default : method->version)) { OPENSSL_PUT_ERROR(SSL, ERR_R_INTERNAL_ERROR); goto err2; @@ -546,12 +546,12 @@ void SSL_CTX_free(SSL_CTX *ctx) { return; } - /* Free internal session cache. However: the remove_cb() may reference the - * ex_data of SSL_CTX, thus the ex_data store can only be removed after the - * sessions were flushed. As the ex_data handling routines might also touch - * the session cache, the most secure solution seems to be: empty (flush) the - * cache, then free ex_data, then finally free the cache. (See ticket - * [openssl.org #212].) */ + // Free internal session cache. However: the remove_cb() may reference the + // ex_data of SSL_CTX, thus the ex_data store can only be removed after the + // sessions were flushed. As the ex_data handling routines might also touch + // the session cache, the most secure solution seems to be: empty (flush) the + // cache, then free ex_data, then finally free the cache. (See ticket + // [openssl.org #212].) SSL_CTX_flush_sessions(ctx, 0); CRYPTO_free_ex_data(&g_ex_data_class_ssl_ctx, ctx, &ctx->ex_data); @@ -598,8 +598,8 @@ SSL *SSL_new(SSL_CTX *ctx) { ssl->conf_max_version = ctx->conf_max_version; ssl->tls13_variant = ctx->tls13_variant; - /* RFC 6347 states that implementations SHOULD use an initial timer value of - * 1 second. */ + // RFC 6347 states that implementations SHOULD use an initial timer value of + // 1 second. ssl->initial_timeout_duration_ms = 1000; ssl->options = ctx->options; @@ -703,7 +703,7 @@ void SSL_free(SSL *ssl) { BUF_MEM_free(ssl->init_buf); - /* add extra stuff */ + // add extra stuff ssl_cipher_preference_list_free(ssl->cipher_list); SSL_SESSION_free(ssl->session); @@ -748,35 +748,35 @@ void SSL_set0_wbio(SSL *ssl, BIO *wbio) { } void SSL_set_bio(SSL *ssl, BIO *rbio, BIO *wbio) { - /* For historical reasons, this function has many different cases in ownership - * handling. */ + // For historical reasons, this function has many different cases in ownership + // handling. - /* If nothing has changed, do nothing */ + // If nothing has changed, do nothing if (rbio == SSL_get_rbio(ssl) && wbio == SSL_get_wbio(ssl)) { return; } - /* If the two arguments are equal, one fewer reference is granted than - * taken. */ + // If the two arguments are equal, one fewer reference is granted than + // taken. if (rbio != NULL && rbio == wbio) { BIO_up_ref(rbio); } - /* If only the wbio is changed, adopt only one reference. */ + // If only the wbio is changed, adopt only one reference. if (rbio == SSL_get_rbio(ssl)) { SSL_set0_wbio(ssl, wbio); return; } - /* There is an asymmetry here for historical reasons. If only the rbio is - * changed AND the rbio and wbio were originally different, then we only adopt - * one reference. */ + // There is an asymmetry here for historical reasons. If only the rbio is + // changed AND the rbio and wbio were originally different, then we only adopt + // one reference. if (wbio == SSL_get_wbio(ssl) && SSL_get_rbio(ssl) != SSL_get_wbio(ssl)) { SSL_set0_rbio(ssl, rbio); return; } - /* Otherwise, adopt both references. */ + // Otherwise, adopt both references. SSL_set0_rbio(ssl, rbio); SSL_set0_wbio(ssl, wbio); } @@ -797,7 +797,7 @@ int SSL_do_handshake(SSL *ssl) { return 1; } - /* Run the handshake. */ + // Run the handshake. SSL_HANDSHAKE *hs = ssl->s3->hs; int early_return = 0; @@ -808,7 +808,7 @@ int SSL_do_handshake(SSL *ssl) { return ret; } - /* Destroy the handshake object if the handshake has completely finished. */ + // Destroy the handshake object if the handshake has completely finished. if (!early_return) { ssl_handshake_free(ssl->s3->hs); ssl->s3->hs = NULL; @@ -819,7 +819,7 @@ int SSL_do_handshake(SSL *ssl) { int SSL_connect(SSL *ssl) { if (ssl->do_handshake == NULL) { - /* Not properly initialized yet */ + // Not properly initialized yet SSL_set_connect_state(ssl); } @@ -828,7 +828,7 @@ int SSL_connect(SSL *ssl) { int SSL_accept(SSL *ssl) { if (ssl->do_handshake == NULL) { - /* Not properly initialized yet */ + // Not properly initialized yet SSL_set_accept_state(ssl); } @@ -840,9 +840,9 @@ static int ssl_do_post_handshake(SSL *ssl, const SSLMessage &msg) { return tls13_post_handshake(ssl, msg); } - /* We do not accept renegotiations as a server or SSL 3.0. SSL 3.0 will be - * removed entirely in the future and requires retaining more data for - * renegotiation_info. */ + // We do not accept renegotiations as a server or SSL 3.0. SSL 3.0 will be + // removed entirely in the future and requires retaining more data for + // renegotiation_info. if (ssl->server || ssl->version == SSL3_VERSION) { goto no_renegotiation; } @@ -855,7 +855,7 @@ static int ssl_do_post_handshake(SSL *ssl, const SSLMessage &msg) { switch (ssl->renegotiate_mode) { case ssl_renegotiate_ignore: - /* Ignore the HelloRequest. */ + // Ignore the HelloRequest. return 1; case ssl_renegotiate_once: @@ -871,15 +871,15 @@ static int ssl_do_post_handshake(SSL *ssl, const SSLMessage &msg) { break; } - /* Renegotiation is only supported at quiescent points in the application - * protocol, namely in HTTPS, just before reading the HTTP response. Require - * the record-layer be idle and avoid complexities of sending a handshake - * record while an application_data record is being written. */ + // Renegotiation is only supported at quiescent points in the application + // protocol, namely in HTTPS, just before reading the HTTP response. Require + // the record-layer be idle and avoid complexities of sending a handshake + // record while an application_data record is being written. if (ssl_write_buffer_is_pending(ssl)) { goto no_renegotiation; } - /* Begin a new handshake. */ + // Begin a new handshake. if (ssl->s3->hs != NULL) { OPENSSL_PUT_ERROR(SSL, ERR_R_INTERNAL_ERROR); return 0; @@ -907,9 +907,9 @@ static int ssl_read_impl(SSL *ssl, void *buf, int num, int peek) { } for (;;) { - /* Complete the current handshake, if any. False Start will cause - * |SSL_do_handshake| to return mid-handshake, so this may require multiple - * iterations. */ + // Complete the current handshake, if any. False Start will cause + // |SSL_do_handshake| to return mid-handshake, so this may require multiple + // iterations. while (!ssl_can_read(ssl)) { int ret = SSL_do_handshake(ssl); if (ret < 0) { @@ -929,15 +929,15 @@ static int ssl_read_impl(SSL *ssl, void *buf, int num, int peek) { return ret; } - /* If we received an interrupt in early read (the end_of_early_data alert), - * loop again for the handshake to process it. */ + // If we received an interrupt in early read (the end_of_early_data alert), + // loop again for the handshake to process it. if (SSL_in_init(ssl)) { continue; } SSLMessage msg; while (ssl->method->get_message(ssl, &msg)) { - /* Handle the post-handshake message and try again. */ + // Handle the post-handshake message and try again. if (!ssl_do_post_handshake(ssl, msg)) { return -1; } @@ -969,7 +969,7 @@ int SSL_write(SSL *ssl, const void *buf, int num) { int ret = 0, needs_handshake = 0; do { - /* If necessary, complete the handshake implicitly. */ + // If necessary, complete the handshake implicitly. if (!ssl_can_write(ssl)) { ret = SSL_do_handshake(ssl); if (ret < 0) { @@ -995,43 +995,43 @@ int SSL_shutdown(SSL *ssl) { return -1; } - /* If we are in the middle of a handshake, silently succeed. Consumers often - * call this function before |SSL_free|, whether the handshake succeeded or - * not. We assume the caller has already handled failed handshakes. */ + // If we are in the middle of a handshake, silently succeed. Consumers often + // call this function before |SSL_free|, whether the handshake succeeded or + // not. We assume the caller has already handled failed handshakes. if (SSL_in_init(ssl)) { return 1; } if (ssl->quiet_shutdown) { - /* Do nothing if configured not to send a close_notify. */ + // Do nothing if configured not to send a close_notify. ssl->s3->send_shutdown = ssl_shutdown_close_notify; ssl->s3->recv_shutdown = ssl_shutdown_close_notify; return 1; } - /* This function completes in two stages. It sends a close_notify and then it - * waits for a close_notify to come in. Perform exactly one action and return - * whether or not it succeeds. */ + // This function completes in two stages. It sends a close_notify and then it + // waits for a close_notify to come in. Perform exactly one action and return + // whether or not it succeeds. if (ssl->s3->send_shutdown != ssl_shutdown_close_notify) { - /* Send a close_notify. */ + // Send a close_notify. if (ssl3_send_alert(ssl, SSL3_AL_WARNING, SSL_AD_CLOSE_NOTIFY) <= 0) { return -1; } } else if (ssl->s3->alert_dispatch) { - /* Finish sending the close_notify. */ + // Finish sending the close_notify. if (ssl->method->dispatch_alert(ssl) <= 0) { return -1; } } else if (ssl->s3->recv_shutdown != ssl_shutdown_close_notify) { - /* Wait for the peer's close_notify. */ + // Wait for the peer's close_notify. ssl->method->read_close_notify(ssl); if (ssl->s3->recv_shutdown != ssl_shutdown_close_notify) { return -1; } } - /* Return 0 for unidirectional shutdown and 1 for bidirectional shutdown. */ + // Return 0 for unidirectional shutdown and 1 for bidirectional shutdown. return ssl->s3->recv_shutdown == ssl_shutdown_close_notify; } @@ -1039,7 +1039,7 @@ int SSL_send_fatal_alert(SSL *ssl, uint8_t alert) { if (ssl->s3->alert_dispatch) { if (ssl->s3->send_alert[0] != SSL3_AL_FATAL || ssl->s3->send_alert[1] != alert) { - /* We are already attempting to write a different alert. */ + // We are already attempting to write a different alert. OPENSSL_PUT_ERROR(SSL, SSL_R_PROTOCOL_IS_SHUTDOWN); return -1; } @@ -1087,9 +1087,9 @@ void SSL_reset_early_data_reject(SSL *ssl) { hs->in_early_data = 0; hs->early_session.reset(); - /* Discard any unfinished writes from the perspective of |SSL_write|'s - * retry. The handshake will transparently flush out the pending record - * (discarded by the server) to keep the framing correct. */ + // Discard any unfinished writes from the perspective of |SSL_write|'s + // retry. The handshake will transparently flush out the pending record + // (discarded by the server) to keep the framing correct. ssl->s3->wpend_pending = 0; } @@ -1109,8 +1109,8 @@ int SSL_get_error(const SSL *ssl, int ret_code) { return SSL_ERROR_NONE; } - /* Make things return SSL_ERROR_SYSCALL when doing SSL_do_handshake etc, - * where we do encode the error */ + // Make things return SSL_ERROR_SYSCALL when doing SSL_do_handshake etc, + // where we do encode the error uint32_t err = ERR_peek_error(); if (err != 0) { if (ERR_GET_LIB(err) == ERR_LIB_SYS) { @@ -1123,9 +1123,9 @@ int SSL_get_error(const SSL *ssl, int ret_code) { if (ssl->s3->recv_shutdown == ssl_shutdown_close_notify) { return SSL_ERROR_ZERO_RETURN; } - /* An EOF was observed which violates the protocol, and the underlying - * transport does not participate in the error queue. Bubble up to the - * caller. */ + // An EOF was observed which violates the protocol, and the underlying + // transport does not participate in the error queue. Bubble up to the + // caller. return SSL_ERROR_SYSCALL; } @@ -1143,8 +1143,8 @@ int SSL_get_error(const SSL *ssl, int ret_code) { } if (BIO_should_write(bio)) { - /* TODO(davidben): OpenSSL historically checked for writes on the read - * BIO. Can this be removed? */ + // TODO(davidben): OpenSSL historically checked for writes on the read + // BIO. Can this be removed? return SSL_ERROR_WANT_WRITE; } @@ -1162,8 +1162,8 @@ int SSL_get_error(const SSL *ssl, int ret_code) { } if (BIO_should_read(bio)) { - /* TODO(davidben): OpenSSL historically checked for reads on the write - * BIO. Can this be removed? */ + // TODO(davidben): OpenSSL historically checked for reads on the write + // BIO. Can this be removed? return SSL_ERROR_WANT_READ; } @@ -1253,20 +1253,20 @@ int SSL_get_tls_unique(const SSL *ssl, uint8_t *out, size_t *out_len, *out_len = 0; OPENSSL_memset(out, 0, max_out); - /* tls-unique is not defined for SSL 3.0 or TLS 1.3. */ + // tls-unique is not defined for SSL 3.0 or TLS 1.3. if (!ssl->s3->initial_handshake_complete || ssl3_protocol_version(ssl) < TLS1_VERSION || ssl3_protocol_version(ssl) >= TLS1_3_VERSION) { return 0; } - /* The tls-unique value is the first Finished message in the handshake, which - * is the client's in a full handshake and the server's for a resumption. See - * https://tools.ietf.org/html/rfc5929#section-3.1. */ + // The tls-unique value is the first Finished message in the handshake, which + // is the client's in a full handshake and the server's for a resumption. See + // https://tools.ietf.org/html/rfc5929#section-3.1. const uint8_t *finished = ssl->s3->previous_client_finished; size_t finished_len = ssl->s3->previous_client_finished_len; if (ssl->session != NULL) { - /* tls-unique is broken for resumed sessions unless EMS is used. */ + // tls-unique is broken for resumed sessions unless EMS is used. if (!ssl->session->extended_master_secret) { return 0; } @@ -1356,7 +1356,7 @@ int SSL_set_wfd(SSL *ssl, int fd) { BIO_set_fd(bio, fd, BIO_NOCLOSE); SSL_set0_wbio(ssl, bio); } else { - /* Copy the rbio over to the wbio. */ + // Copy the rbio over to the wbio. BIO_up_ref(rbio); SSL_set0_wbio(ssl, rbio); } @@ -1376,7 +1376,7 @@ int SSL_set_rfd(SSL *ssl, int fd) { BIO_set_fd(bio, fd, BIO_NOCLOSE); SSL_set0_rbio(ssl, bio); } else { - /* Copy the wbio over to the rbio. */ + // Copy the wbio over to the rbio. BIO_up_ref(wbio); SSL_set0_rbio(ssl, wbio); } @@ -1427,8 +1427,8 @@ size_t SSL_get_peer_finished(const SSL *ssl, void *buf, size_t count) { int SSL_get_verify_mode(const SSL *ssl) { return ssl->verify_mode; } int SSL_get_extms_support(const SSL *ssl) { - /* TLS 1.3 does not require extended master secret and always reports as - * supporting it. */ + // TLS 1.3 does not require extended master secret and always reports as + // supporting it. if (!ssl->s3->have_version) { return 0; } @@ -1436,12 +1436,12 @@ int SSL_get_extms_support(const SSL *ssl) { return 1; } - /* If the initial handshake completed, query the established session. */ + // If the initial handshake completed, query the established session. if (ssl->s3->established_session != NULL) { return ssl->s3->established_session->extended_master_secret; } - /* Otherwise, query the in-progress handshake. */ + // Otherwise, query the in-progress handshake. if (ssl->s3->hs != NULL) { return ssl->s3->hs->extended_master_secret; } @@ -1464,12 +1464,12 @@ int SSL_pending(const SSL *ssl) { return ssl->s3->rrec.length; } -/* Fix this so it checks all the valid key/cert options */ +// Fix this so it checks all the valid key/cert options int SSL_CTX_check_private_key(const SSL_CTX *ctx) { return ssl_cert_check_private_key(ctx->cert, ctx->cert->privatekey); } -/* Fix this function so that it takes an optional type parameter */ +// Fix this function so that it takes an optional type parameter int SSL_check_private_key(const SSL *ssl) { return ssl_cert_check_private_key(ssl->cert, ssl->cert->privatekey); } @@ -1479,7 +1479,7 @@ long SSL_get_default_timeout(const SSL *ssl) { } int SSL_renegotiate(SSL *ssl) { - /* Caller-initiated renegotiation is not supported. */ + // Caller-initiated renegotiation is not supported. OPENSSL_PUT_ERROR(SSL, ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED); return 0; } @@ -1590,8 +1590,8 @@ int SSL_CTX_get_tlsext_ticket_keys(SSL_CTX *ctx, void *out, size_t len) { return 0; } - /* The default ticket keys are initialized lazily. Trigger a key - * rotation to initialize them. */ + // The default ticket keys are initialized lazily. Trigger a key + // rotation to initialize them. if (!ssl_ctx_rotate_ticket_encryption_key(ctx)) { return 0; } @@ -1626,7 +1626,7 @@ int SSL_CTX_set_tlsext_ticket_keys(SSL_CTX *ctx, const void *in, size_t len) { OPENSSL_memcpy(ctx->tlsext_ticket_key_current->aes_key, in_bytes + 32, 16); OPENSSL_free(ctx->tlsext_ticket_key_prev); ctx->tlsext_ticket_key_prev = nullptr; - /* Disable automatic key rotation. */ + // Disable automatic key rotation. ctx->tlsext_ticket_key_current->next_rotation_tv_sec = 0; return 1; } @@ -1662,8 +1662,8 @@ int SSL_set1_curves_list(SSL *ssl, const char *curves) { } uint16_t SSL_get_curve_id(const SSL *ssl) { - /* TODO(davidben): This checks the wrong session if there is a renegotiation in - * progress. */ + // TODO(davidben): This checks the wrong session if there is a renegotiation + // in progress. SSL_SESSION *session = SSL_get_session(ssl); if (session == NULL) { return 0; @@ -1748,21 +1748,21 @@ const char *SSL_get_servername(const SSL *ssl, const int type) { return NULL; } - /* Historically, |SSL_get_servername| was also the configuration getter - * corresponding to |SSL_set_tlsext_host_name|. */ + // Historically, |SSL_get_servername| was also the configuration getter + // corresponding to |SSL_set_tlsext_host_name|. if (ssl->tlsext_hostname != NULL) { return ssl->tlsext_hostname; } - /* During the handshake, report the handshake value. */ + // During the handshake, report the handshake value. if (ssl->s3->hs != NULL) { return ssl->s3->hs->hostname.get(); } - /* SSL_get_servername may also be called after the handshake to look up the - * SNI value. - * - * TODO(davidben): This is almost unused. Can we remove it? */ + // SSL_get_servername may also be called after the handshake to look up the + // SNI value. + // + // TODO(davidben): This is almost unused. Can we remove it? SSL_SESSION *session = SSL_get_session(ssl); if (session == NULL) { return NULL; @@ -1872,12 +1872,12 @@ int SSL_select_next_proto(uint8_t **out, uint8_t *out_len, const uint8_t *peer, const uint8_t *result; int status; - /* For each protocol in peer preference order, see if we support it. */ + // For each protocol in peer preference order, see if we support it. for (unsigned i = 0; i < peer_len;) { for (unsigned j = 0; j < supported_len;) { if (peer[i] == supported[j] && OPENSSL_memcmp(&peer[i + 1], &supported[j + 1], peer[i]) == 0) { - /* We found a match */ + // We found a match result = &peer[i]; status = OPENSSL_NPN_NEGOTIATED; goto found; @@ -1889,7 +1889,7 @@ int SSL_select_next_proto(uint8_t **out, uint8_t *out_len, const uint8_t *peer, i++; } - /* There's no overlap between our protocols and the peer's list. */ + // There's no overlap between our protocols and the peer's list. result = supported; status = OPENSSL_NPN_NO_OVERLAP; @@ -2084,8 +2084,8 @@ void SSL_set_quiet_shutdown(SSL *ssl, int mode) { int SSL_get_quiet_shutdown(const SSL *ssl) { return ssl->quiet_shutdown; } void SSL_set_shutdown(SSL *ssl, int mode) { - /* It is an error to clear any bits that have already been set. (We can't try - * to get a second close_notify or send two.) */ + // It is an error to clear any bits that have already been set. (We can't try + // to get a second close_notify or send two.) assert((SSL_get_shutdown(ssl) & mode) == SSL_get_shutdown(ssl)); if (mode & SSL_RECEIVED_SHUTDOWN && @@ -2102,12 +2102,12 @@ void SSL_set_shutdown(SSL *ssl, int mode) { int SSL_get_shutdown(const SSL *ssl) { int ret = 0; if (ssl->s3->recv_shutdown != ssl_shutdown_none) { - /* Historically, OpenSSL set |SSL_RECEIVED_SHUTDOWN| on both close_notify - * and fatal alert. */ + // Historically, OpenSSL set |SSL_RECEIVED_SHUTDOWN| on both close_notify + // and fatal alert. ret |= SSL_RECEIVED_SHUTDOWN; } if (ssl->s3->send_shutdown == ssl_shutdown_close_notify) { - /* Historically, OpenSSL set |SSL_SENT_SHUTDOWN| on only close_notify. */ + // Historically, OpenSSL set |SSL_SENT_SHUTDOWN| on only close_notify. ret |= SSL_SENT_SHUTDOWN; } return ret; @@ -2120,7 +2120,7 @@ SSL_CTX *SSL_set_SSL_CTX(SSL *ssl, SSL_CTX *ctx) { return ssl->ctx; } - /* One cannot change the X.509 callbacks during a connection. */ + // One cannot change the X.509 callbacks during a connection. if (ssl->ctx->x509_method != ctx->x509_method) { assert(0); return NULL; @@ -2223,14 +2223,14 @@ static int use_psk_identity_hint(char **out, const char *identity_hint) { return 0; } - /* Clear currently configured hint, if any. */ + // Clear currently configured hint, if any. OPENSSL_free(*out); *out = NULL; - /* Treat the empty hint as not supplying one. Plain PSK makes it possible to - * send either no hint (omit ServerKeyExchange) or an empty hint, while - * ECDHE_PSK can only spell empty hint. Having different capabilities is odd, - * so we interpret empty and missing as identical. */ + // Treat the empty hint as not supplying one. Plain PSK makes it possible to + // send either no hint (omit ServerKeyExchange) or an empty hint, while + // ECDHE_PSK can only spell empty hint. Having different capabilities is odd, + // so we interpret empty and missing as identical. if (identity_hint != NULL && identity_hint[0] != '\0') { *out = BUF_strdup(identity_hint); if (*out == NULL) { @@ -2396,9 +2396,9 @@ static uint64_t be_to_u64(const uint8_t in[8]) { } uint64_t SSL_get_read_sequence(const SSL *ssl) { - /* TODO(davidben): Internally represent sequence numbers as uint64_t. */ + // TODO(davidben): Internally represent sequence numbers as uint64_t. if (SSL_is_dtls(ssl)) { - /* max_seq_num already includes the epoch. */ + // max_seq_num already includes the epoch. assert(ssl->d1->r_epoch == (ssl->d1->bitmap.max_seq_num >> 48)); return ssl->d1->bitmap.max_seq_num; } @@ -2415,8 +2415,8 @@ uint64_t SSL_get_write_sequence(const SSL *ssl) { } uint16_t SSL_get_peer_signature_algorithm(const SSL *ssl) { - /* TODO(davidben): This checks the wrong session if there is a renegotiation - * in progress. */ + // TODO(davidben): This checks the wrong session if there is a renegotiation + // in progress. SSL_SESSION *session = SSL_get_session(ssl); if (session == NULL) { return 0; @@ -2472,30 +2472,30 @@ int32_t SSL_get_ticket_age_skew(const SSL *ssl) { } int SSL_clear(SSL *ssl) { - /* In OpenSSL, reusing a client |SSL| with |SSL_clear| causes the previously - * established session to be offered the next time around. wpa_supplicant - * depends on this behavior, so emulate it. */ + // In OpenSSL, reusing a client |SSL| with |SSL_clear| causes the previously + // established session to be offered the next time around. wpa_supplicant + // depends on this behavior, so emulate it. SSL_SESSION *session = NULL; if (!ssl->server && ssl->s3->established_session != NULL) { session = ssl->s3->established_session; SSL_SESSION_up_ref(session); } - /* TODO(davidben): Some state on |ssl| is reset both in |SSL_new| and - * |SSL_clear| because it is per-connection state rather than configuration - * state. Per-connection state should be on |ssl->s3| and |ssl->d1| so it is - * naturally reset at the right points between |SSL_new|, |SSL_clear|, and - * |ssl3_new|. */ + // TODO(davidben): Some state on |ssl| is reset both in |SSL_new| and + // |SSL_clear| because it is per-connection state rather than configuration + // state. Per-connection state should be on |ssl->s3| and |ssl->d1| so it is + // naturally reset at the right points between |SSL_new|, |SSL_clear|, and + // |ssl3_new|. ssl->rwstate = SSL_NOTHING; BUF_MEM_free(ssl->init_buf); ssl->init_buf = NULL; - /* The ssl->d1->mtu is simultaneously configuration (preserved across - * clear) and connection-specific state (gets reset). - * - * TODO(davidben): Avoid this. */ + // The ssl->d1->mtu is simultaneously configuration (preserved across + // clear) and connection-specific state (gets reset). + // + // TODO(davidben): Avoid this. unsigned mtu = 0; if (ssl->d1 != NULL) { mtu = ssl->d1->mtu; diff --git a/ssl/ssl_privkey.cc b/ssl/ssl_privkey.cc index ecdf48f4..d275561a 100644 --- a/ssl/ssl_privkey.cc +++ b/ssl/ssl_privkey.cc @@ -84,7 +84,7 @@ static int ssl_set_pkey(CERT *cert, EVP_PKEY *pkey) { if (cert->chain != NULL && sk_CRYPTO_BUFFER_value(cert->chain, 0) != NULL && - /* Sanity-check that the private key and the certificate match. */ + // Sanity-check that the private key and the certificate match. !ssl_cert_check_private_key(cert, pkey)) { return 0; } @@ -148,12 +148,12 @@ static int pkey_supports_algorithm(const SSL *ssl, EVP_PKEY *pkey, } if (ssl3_protocol_version(ssl) >= TLS1_3_VERSION) { - /* RSA keys may only be used with RSA-PSS. */ + // RSA keys may only be used with RSA-PSS. if (alg->pkey_type == EVP_PKEY_RSA && !alg->is_rsa_pss) { return 0; } - /* EC keys have a curve requirement. */ + // EC keys have a curve requirement. if (alg->pkey_type == EVP_PKEY_EC && (alg->curve == NID_undef || EC_GROUP_get_curve_name( @@ -201,8 +201,8 @@ static int legacy_sign_digest_supported(const SSL_SIGNATURE_ALGORITHM *alg) { static enum ssl_private_key_result_t legacy_sign( SSL *ssl, uint8_t *out, size_t *out_len, size_t max_out, uint16_t sigalg, const uint8_t *in, size_t in_len) { - /* TODO(davidben): Remove support for |sign_digest|-only - * |SSL_PRIVATE_KEY_METHOD|s. */ + // TODO(davidben): Remove support for |sign_digest|-only + // |SSL_PRIVATE_KEY_METHOD|s. const SSL_SIGNATURE_ALGORITHM *alg = get_signature_algorithm(sigalg); if (alg == NULL || !legacy_sign_digest_supported(alg)) { OPENSSL_PUT_ERROR(SSL, SSL_R_UNSUPPORTED_PROTOCOL_FOR_CUSTOM_KEY); @@ -272,13 +272,13 @@ enum ssl_private_key_result_t ssl_private_key_decrypt( RSA *rsa = EVP_PKEY_get0_RSA(ssl->cert->privatekey); if (rsa == NULL) { - /* Decrypt operations are only supported for RSA keys. */ + // Decrypt operations are only supported for RSA keys. OPENSSL_PUT_ERROR(SSL, ERR_R_INTERNAL_ERROR); return ssl_private_key_failure; } - /* Decrypt with no padding. PKCS#1 padding will be removed as part - * of the timing-sensitive code by the caller. */ + // Decrypt with no padding. PKCS#1 padding will be removed as part of the + // timing-sensitive code by the caller. if (!RSA_decrypt(rsa, out_len, out, max_out, in, in_len, RSA_NO_PADDING)) { return ssl_private_key_failure; } @@ -292,20 +292,20 @@ int ssl_private_key_supports_signature_algorithm(SSL_HANDSHAKE *hs, return 0; } - /* Ensure the RSA key is large enough for the hash. RSASSA-PSS requires that - * emLen be at least hLen + sLen + 2. Both hLen and sLen are the size of the - * hash in TLS. Reasonable RSA key sizes are large enough for the largest - * defined RSASSA-PSS algorithm, but 1024-bit RSA is slightly too small for - * SHA-512. 1024-bit RSA is sometimes used for test credentials, so check the - * size so that we can fall back to another algorithm in that case. */ + // Ensure the RSA key is large enough for the hash. RSASSA-PSS requires that + // emLen be at least hLen + sLen + 2. Both hLen and sLen are the size of the + // hash in TLS. Reasonable RSA key sizes are large enough for the largest + // defined RSASSA-PSS algorithm, but 1024-bit RSA is slightly too small for + // SHA-512. 1024-bit RSA is sometimes used for test credentials, so check the + // size so that we can fall back to another algorithm in that case. const SSL_SIGNATURE_ALGORITHM *alg = get_signature_algorithm(sigalg); if (alg->is_rsa_pss && (size_t)EVP_PKEY_size(hs->local_pubkey.get()) < 2 * EVP_MD_size(alg->digest_func()) + 2) { return 0; } - /* Newer algorithms require message-based private keys. - * TODO(davidben): Remove this check when sign_digest is gone. */ + // Newer algorithms require message-based private keys. + // TODO(davidben): Remove this check when sign_digest is gone. if (ssl->cert->key_method != NULL && ssl->cert->key_method->sign == NULL && !legacy_sign_digest_supported(alg)) { @@ -483,9 +483,9 @@ int SSL_set_private_key_digest_prefs(SSL *ssl, const int *digest_nids, return 0; } - /* Convert the digest list to a signature algorithms list. - * - * TODO(davidben): Replace this API with one that can express RSA-PSS, etc. */ + // Convert the digest list to a signature algorithms list. + // + // TODO(davidben): Replace this API with one that can express RSA-PSS, etc. for (size_t i = 0; i < num_digests; i++) { switch (digest_nids[i]) { case NID_sha1: diff --git a/ssl/ssl_session.cc b/ssl/ssl_session.cc index e92f4526..cdae03af 100644 --- a/ssl/ssl_session.cc +++ b/ssl/ssl_session.cc @@ -152,9 +152,9 @@ namespace bssl { -/* The address of this is a magic value, a pointer to which is returned by - * SSL_magic_pending_session_ptr(). It allows a session callback to indicate - * that it needs to asynchronously fetch session information. */ +// The address of this is a magic value, a pointer to which is returned by +// SSL_magic_pending_session_ptr(). It allows a session callback to indicate +// that it needs to asynchronously fetch session information. static const char g_pending_session_magic = 0; static CRYPTO_EX_DATA_CLASS g_ex_data_class = @@ -194,13 +194,13 @@ UniquePtr SSL_SESSION_dup(SSL_SESSION *session, int dup_flags) { new_session->sid_ctx_length = session->sid_ctx_length; OPENSSL_memcpy(new_session->sid_ctx, session->sid_ctx, session->sid_ctx_length); - /* Copy the key material. */ + // Copy the key material. new_session->master_key_length = session->master_key_length; OPENSSL_memcpy(new_session->master_key, session->master_key, session->master_key_length); new_session->cipher = session->cipher; - /* Copy authentication state. */ + // Copy authentication state. if (session->psk_identity != NULL) { new_session->psk_identity = BUF_strdup(session->psk_identity); if (new_session->psk_identity == NULL) { @@ -255,7 +255,7 @@ UniquePtr SSL_SESSION_dup(SSL_SESSION *session, int dup_flags) { new_session->auth_timeout = session->auth_timeout; new_session->time = session->time; - /* Copy non-authentication connection properties. */ + // Copy non-authentication connection properties. if (dup_flags & SSL_SESSION_INCLUDE_NONAUTH) { new_session->session_id_length = session->session_id_length; OPENSSL_memcpy(new_session->session_id, session->session_id, @@ -283,7 +283,7 @@ UniquePtr SSL_SESSION_dup(SSL_SESSION *session, int dup_flags) { new_session->early_alpn_len = session->early_alpn_len; } - /* Copy the ticket. */ + // Copy the ticket. if (dup_flags & SSL_SESSION_INCLUDE_TICKET) { if (session->tlsext_tick != NULL) { new_session->tlsext_tick = @@ -295,7 +295,7 @@ UniquePtr SSL_SESSION_dup(SSL_SESSION *session, int dup_flags) { new_session->tlsext_ticklen = session->tlsext_ticklen; } - /* The new_session does not get a copy of the ex_data. */ + // The new_session does not get a copy of the ex_data. new_session->not_resumable = 1; return new_session; @@ -305,8 +305,8 @@ void ssl_session_rebase_time(SSL *ssl, SSL_SESSION *session) { struct OPENSSL_timeval now; ssl_get_current_time(ssl, &now); - /* To avoid overflows and underflows, if we've gone back in time, update the - * time, but mark the session expired. */ + // To avoid overflows and underflows, if we've gone back in time, update the + // time, but mark the session expired. if (session->time > now.tv_sec) { session->time = now.tv_sec; session->timeout = 0; @@ -314,8 +314,8 @@ void ssl_session_rebase_time(SSL *ssl, SSL_SESSION *session) { return; } - /* Adjust the session time and timeouts. If the session has already expired, - * clamp the timeouts at zero. */ + // Adjust the session time and timeouts. If the session has already expired, + // clamp the timeouts at zero. uint64_t delta = now.tv_sec - session->time; session->time = now.tv_sec; if (session->timeout < delta) { @@ -332,8 +332,8 @@ void ssl_session_rebase_time(SSL *ssl, SSL_SESSION *session) { void ssl_session_renew_timeout(SSL *ssl, SSL_SESSION *session, uint32_t timeout) { - /* Rebase the timestamp relative to the current time so |timeout| is measured - * correctly. */ + // Rebase the timestamp relative to the current time so |timeout| is measured + // correctly. ssl_session_rebase_time(ssl, session); if (session->timeout > timeout) { @@ -349,8 +349,8 @@ void ssl_session_renew_timeout(SSL *ssl, SSL_SESSION *session, uint16_t SSL_SESSION_protocol_version(const SSL_SESSION *session) { uint16_t ret; if (!ssl_protocol_version_from_wire(&ret, session->ssl_version)) { - /* An |SSL_SESSION| will never have an invalid version. This is enforced by - * the parser. */ + // An |SSL_SESSION| will never have an invalid version. This is enforced by + // the parser. assert(0); return 0; } @@ -378,28 +378,28 @@ int ssl_get_new_session(SSL_HANDSHAKE *hs, int is_server) { session->is_server = is_server; session->ssl_version = ssl->version; - /* Fill in the time from the |SSL_CTX|'s clock. */ + // Fill in the time from the |SSL_CTX|'s clock. struct OPENSSL_timeval now; ssl_get_current_time(ssl, &now); session->time = now.tv_sec; uint16_t version = ssl3_protocol_version(ssl); if (version >= TLS1_3_VERSION) { - /* TLS 1.3 uses tickets as authenticators, so we are willing to use them for - * longer. */ + // TLS 1.3 uses tickets as authenticators, so we are willing to use them for + // longer. session->timeout = ssl->session_ctx->session_psk_dhe_timeout; session->auth_timeout = SSL_DEFAULT_SESSION_AUTH_TIMEOUT; } else { - /* TLS 1.2 resumption does not incorporate new key material, so we use a - * much shorter timeout. */ + // TLS 1.2 resumption does not incorporate new key material, so we use a + // much shorter timeout. session->timeout = ssl->session_ctx->session_timeout; session->auth_timeout = ssl->session_ctx->session_timeout; } if (is_server) { if (hs->ticket_expected || version >= TLS1_3_VERSION) { - /* Don't set session IDs for sessions resumed with tickets. This will keep - * them out of the session cache. */ + // Don't set session IDs for sessions resumed with tickets. This will keep + // them out of the session cache. session->session_id_length = 0; } else { session->session_id_length = SSL3_SSL_SESSION_ID_LENGTH; @@ -419,7 +419,7 @@ int ssl_get_new_session(SSL_HANDSHAKE *hs, int is_server) { ssl->cert->sid_ctx_length); session->sid_ctx_length = ssl->cert->sid_ctx_length; - /* The session is marked not resumable until it is completely filled in. */ + // The session is marked not resumable until it is completely filled in. session->not_resumable = 1; session->verify_result = X509_V_ERR_INVALID_CALL; @@ -432,8 +432,8 @@ int ssl_ctx_rotate_ticket_encryption_key(SSL_CTX *ctx) { OPENSSL_timeval now; ssl_ctx_get_current_time(ctx, &now); { - /* Avoid acquiring a write lock in the common case (i.e. a non-default key - * is used or the default keys have not expired yet). */ + // Avoid acquiring a write lock in the common case (i.e. a non-default key + // is used or the default keys have not expired yet). MutexReadLock lock(&ctx->lock); if (ctx->tlsext_ticket_key_current && (ctx->tlsext_ticket_key_current->next_rotation_tv_sec == 0 || @@ -448,16 +448,16 @@ int ssl_ctx_rotate_ticket_encryption_key(SSL_CTX *ctx) { if (!ctx->tlsext_ticket_key_current || (ctx->tlsext_ticket_key_current->next_rotation_tv_sec != 0 && ctx->tlsext_ticket_key_current->next_rotation_tv_sec <= now.tv_sec)) { - /* The current key has not been initialized or it is expired. */ + // The current key has not been initialized or it is expired. auto new_key = bssl::MakeUnique(); if (!new_key) { return 0; } OPENSSL_memset(new_key.get(), 0, sizeof(struct tlsext_ticket_key)); if (ctx->tlsext_ticket_key_current) { - /* The current key expired. Rotate it to prev and bump up its rotation - * timestamp. Note that even with the new rotation time it may still be - * expired and get droppped below. */ + // The current key expired. Rotate it to prev and bump up its rotation + // timestamp. Note that even with the new rotation time it may still be + // expired and get droppped below. ctx->tlsext_ticket_key_current->next_rotation_tv_sec += SSL_DEFAULT_TICKET_KEY_ROTATION_INTERVAL; OPENSSL_free(ctx->tlsext_ticket_key_prev); @@ -471,7 +471,7 @@ int ssl_ctx_rotate_ticket_encryption_key(SSL_CTX *ctx) { now.tv_sec + SSL_DEFAULT_TICKET_KEY_ROTATION_INTERVAL; } - /* Drop an expired prev key. */ + // Drop an expired prev key. if (ctx->tlsext_ticket_key_prev && ctx->tlsext_ticket_key_prev->next_rotation_tv_sec <= now.tv_sec) { OPENSSL_free(ctx->tlsext_ticket_key_prev); @@ -487,8 +487,8 @@ static int ssl_encrypt_ticket_with_cipher_ctx(SSL *ssl, CBB *out, ScopedEVP_CIPHER_CTX ctx; ScopedHMAC_CTX hctx; - /* If the session is too long, emit a dummy value rather than abort the - * connection. */ + // If the session is too long, emit a dummy value rather than abort the + // connection. static const size_t kMaxTicketOverhead = 16 + EVP_MAX_IV_LENGTH + EVP_MAX_BLOCK_LENGTH + EVP_MAX_MD_SIZE; if (session_len > 0xffff - kMaxTicketOverhead) { @@ -497,8 +497,8 @@ static int ssl_encrypt_ticket_with_cipher_ctx(SSL *ssl, CBB *out, strlen(kTicketPlaceholder)); } - /* Initialize HMAC and cipher contexts. If callback present it does all the - * work otherwise use generated values from parent ctx. */ + // Initialize HMAC and cipher contexts. If callback present it does all the + // work otherwise use generated values from parent ctx. SSL_CTX *tctx = ssl->session_ctx; uint8_t iv[EVP_MAX_IV_LENGTH]; uint8_t key_name[16]; @@ -508,7 +508,7 @@ static int ssl_encrypt_ticket_with_cipher_ctx(SSL *ssl, CBB *out, return 0; } } else { - /* Rotate ticket key if necessary. */ + // Rotate ticket key if necessary. if (!ssl_ctx_rotate_ticket_encryption_key(tctx)) { return 0; } @@ -590,7 +590,7 @@ static int ssl_encrypt_ticket_with_method(SSL *ssl, CBB *out, } int ssl_encrypt_ticket(SSL *ssl, CBB *out, const SSL_SESSION *session) { - /* Serialize the SSL_SESSION to be encoded into the ticket. */ + // Serialize the SSL_SESSION to be encoded into the ticket. uint8_t *session_buf = NULL; size_t session_len; if (!SSL_SESSION_to_bytes_for_ticket(session, &session_buf, &session_len)) { @@ -627,7 +627,7 @@ int ssl_session_is_time_valid(const SSL *ssl, const SSL_SESSION *session) { struct OPENSSL_timeval now; ssl_get_current_time(ssl, &now); - /* Reject tickets from the future to avoid underflow. */ + // Reject tickets from the future to avoid underflow. if (now.tv_sec < session->time) { return 0; } @@ -639,27 +639,27 @@ int ssl_session_is_resumable(const SSL_HANDSHAKE *hs, const SSL_SESSION *session) { const SSL *const ssl = hs->ssl; return ssl_session_is_context_valid(ssl, session) && - /* The session must have been created by the same type of end point as - * we're now using it with. */ + // The session must have been created by the same type of end point as + // we're now using it with. ssl->server == session->is_server && - /* The session must not be expired. */ + // The session must not be expired. ssl_session_is_time_valid(ssl, session) && /* Only resume if the session's version matches the negotiated * version. */ ssl->version == session->ssl_version && - /* Only resume if the session's cipher matches the negotiated one. */ + // Only resume if the session's cipher matches the negotiated one. hs->new_cipher == session->cipher && - /* If the session contains a client certificate (either the full - * certificate or just the hash) then require that the form of the - * certificate matches the current configuration. */ + // If the session contains a client certificate (either the full + // certificate or just the hash) then require that the form of the + // certificate matches the current configuration. ((sk_CRYPTO_BUFFER_num(session->certs) == 0 && !session->peer_sha256_valid) || session->peer_sha256_valid == ssl->retain_only_sha256_of_client_certs); } -/* ssl_lookup_session looks up |session_id| in the session cache and sets - * |*out_session| to an |SSL_SESSION| object if found. */ +// ssl_lookup_session looks up |session_id| in the session cache and sets +// |*out_session| to an |SSL_SESSION| object if found. static enum ssl_hs_wait_t ssl_lookup_session( SSL *ssl, UniquePtr *out_session, const uint8_t *session_id, size_t session_id_len) { @@ -670,7 +670,7 @@ static enum ssl_hs_wait_t ssl_lookup_session( } UniquePtr session; - /* Try the internal cache, if it exists. */ + // Try the internal cache, if it exists. if (!(ssl->session_ctx->session_cache_mode & SSL_SESS_CACHE_NO_INTERNAL_LOOKUP)) { SSL_SESSION data; @@ -681,14 +681,14 @@ static enum ssl_hs_wait_t ssl_lookup_session( CRYPTO_MUTEX_lock_read(&ssl->session_ctx->lock); session.reset(lh_SSL_SESSION_retrieve(ssl->session_ctx->sessions, &data)); if (session) { - /* |lh_SSL_SESSION_retrieve| returns a non-owning pointer. */ + // |lh_SSL_SESSION_retrieve| returns a non-owning pointer. SSL_SESSION_up_ref(session.get()); } - /* TODO(davidben): This should probably move it to the front of the list. */ + // TODO(davidben): This should probably move it to the front of the list. CRYPTO_MUTEX_unlock_read(&ssl->session_ctx->lock); } - /* Fall back to the external cache, if it exists. */ + // Fall back to the external cache, if it exists. if (!session && ssl->session_ctx->get_session_cb != NULL) { int copy = 1; session.reset(ssl->session_ctx->get_session_cb(ssl, (uint8_t *)session_id, @@ -703,15 +703,15 @@ static enum ssl_hs_wait_t ssl_lookup_session( return ssl_hs_pending_session; } - /* Increment reference count now if the session callback asks us to do so - * (note that if the session structures returned by the callback are shared - * between threads, it must handle the reference count itself [i.e. copy == - * 0], or things won't be thread-safe). */ + // Increment reference count now if the session callback asks us to do so + // (note that if the session structures returned by the callback are shared + // between threads, it must handle the reference count itself [i.e. copy == + // 0], or things won't be thread-safe). if (copy) { SSL_SESSION_up_ref(session.get()); } - /* Add the externally cached session to the internal cache if necessary. */ + // Add the externally cached session to the internal cache if necessary. if (!(ssl->session_ctx->session_cache_mode & SSL_SESS_CACHE_NO_INTERNAL_STORE)) { SSL_CTX_add_session(ssl->session_ctx, session.get()); @@ -719,7 +719,7 @@ static enum ssl_hs_wait_t ssl_lookup_session( } if (session && !ssl_session_is_time_valid(ssl, session.get())) { - /* The session was from the cache, so remove it. */ + // The session was from the cache, so remove it. SSL_CTX_remove_session(ssl->session_ctx, session.get()); session.reset(); } @@ -733,12 +733,12 @@ enum ssl_hs_wait_t ssl_get_prev_session(SSL *ssl, int *out_tickets_supported, int *out_renew_ticket, const SSL_CLIENT_HELLO *client_hello) { - /* This is used only by servers. */ + // This is used only by servers. assert(ssl->server); UniquePtr session; int renew_ticket = 0; - /* If tickets are disabled, always behave as if no tickets are present. */ + // If tickets are disabled, always behave as if no tickets are present. const uint8_t *ticket = NULL; size_t ticket_len = 0; const int tickets_supported = @@ -761,7 +761,7 @@ enum ssl_hs_wait_t ssl_get_prev_session(SSL *ssl, return ssl_hs_pending_ticket; } } else { - /* The client didn't send a ticket, so the session ID is a real ID. */ + // The client didn't send a ticket, so the session ID is a real ID. enum ssl_hs_wait_t lookup_ret = ssl_lookup_session( ssl, &session, client_hello->session_id, client_hello->session_id_len); if (lookup_ret != ssl_hs_ok) { @@ -817,16 +817,16 @@ void ssl_set_session(SSL *ssl, SSL_SESSION *session) { } } -/* locked by SSL_CTX in the calling function */ +// locked by SSL_CTX in the calling function static void SSL_SESSION_list_remove(SSL_CTX *ctx, SSL_SESSION *session) { if (session->next == NULL || session->prev == NULL) { return; } if (session->next == (SSL_SESSION *)&ctx->session_cache_tail) { - /* last element in list */ + // last element in list if (session->prev == (SSL_SESSION *)&ctx->session_cache_head) { - /* only one element in list */ + // only one element in list ctx->session_cache_head = NULL; ctx->session_cache_tail = NULL; } else { @@ -835,10 +835,10 @@ static void SSL_SESSION_list_remove(SSL_CTX *ctx, SSL_SESSION *session) { } } else { if (session->prev == (SSL_SESSION *)&ctx->session_cache_head) { - /* first element in list */ + // first element in list ctx->session_cache_head = session->next; session->next->prev = (SSL_SESSION *)&(ctx->session_cache_head); - } else { /* middle of list */ + } else { // middle of list session->next->prev = session->prev; session->prev->next = session->next; } @@ -913,7 +913,7 @@ uint32_t SSL_SESSION_get_timeout(const SSL_SESSION *session) { uint64_t SSL_SESSION_get_time(const SSL_SESSION *session) { if (session == NULL) { - /* NULL should crash, but silently accept it here for compatibility. */ + // NULL should crash, but silently accept it here for compatibility. return 0; } return session->time; @@ -925,7 +925,7 @@ X509 *SSL_SESSION_get0_peer(const SSL_SESSION *session) { size_t SSL_SESSION_get_master_key(const SSL_SESSION *session, uint8_t *out, size_t max_out) { - /* TODO(davidben): Fix master_key_length's type and remove these casts. */ + // TODO(davidben): Fix master_key_length's type and remove these casts. if (max_out == 0) { return (size_t)session->master_key_length; } @@ -974,9 +974,9 @@ SSL_SESSION *SSL_magic_pending_session_ptr(void) { } SSL_SESSION *SSL_get_session(const SSL *ssl) { - /* Once the handshake completes we return the established session. Otherwise - * we return the intermediate session, either |session| (for resumption) or - * |new_session| if doing a full handshake. */ + // Once the handshake completes we return the established session. Otherwise + // we return the intermediate session, either |session| (for resumption) or + // |new_session| if doing a full handshake. if (!SSL_in_init(ssl)) { return ssl->s3->established_session; } @@ -1019,8 +1019,8 @@ void *SSL_SESSION_get_ex_data(const SSL_SESSION *session, int idx) { } int SSL_CTX_add_session(SSL_CTX *ctx, SSL_SESSION *session) { - /* Although |session| is inserted into two structures (a doubly-linked list - * and the hash table), |ctx| only takes one reference. */ + // Although |session| is inserted into two structures (a doubly-linked list + // and the hash table), |ctx| only takes one reference. SSL_SESSION_up_ref(session); SSL_SESSION *old_session; @@ -1033,21 +1033,21 @@ int SSL_CTX_add_session(SSL_CTX *ctx, SSL_SESSION *session) { if (old_session != NULL) { if (old_session == session) { - /* |session| was already in the cache. */ + // |session| was already in the cache. CRYPTO_MUTEX_unlock_write(&ctx->lock); SSL_SESSION_free(old_session); return 0; } - /* There was a session ID collision. |old_session| must be removed from - * the linked list and released. */ + // There was a session ID collision. |old_session| must be removed from + // the linked list and released. SSL_SESSION_list_remove(ctx, old_session); SSL_SESSION_free(old_session); } SSL_SESSION_list_add(ctx, session); - /* Enforce any cache size limits. */ + // Enforce any cache size limits. if (SSL_CTX_sess_get_cache_size(ctx) > 0) { while (SSL_CTX_sess_number(ctx) > SSL_CTX_sess_get_cache_size(ctx)) { if (!remove_session_lock(ctx, ctx->session_cache_tail, 0)) { @@ -1065,7 +1065,7 @@ int SSL_CTX_remove_session(SSL_CTX *ctx, SSL_SESSION *session) { } int SSL_set_session(SSL *ssl, SSL_SESSION *session) { - /* SSL_set_session may only be called before the handshake has started. */ + // SSL_set_session may only be called before the handshake has started. if (ssl->s3->initial_handshake_complete || ssl->s3->hs == NULL || ssl->s3->hs->state != 0) { @@ -1081,7 +1081,7 @@ uint32_t SSL_CTX_set_timeout(SSL_CTX *ctx, uint32_t timeout) { return 0; } - /* Historically, zero was treated as |SSL_DEFAULT_SESSION_TIMEOUT|. */ + // Historically, zero was treated as |SSL_DEFAULT_SESSION_TIMEOUT|. if (timeout == 0) { timeout = SSL_DEFAULT_SESSION_TIMEOUT; } @@ -1115,9 +1115,8 @@ static void timeout_doall_arg(SSL_SESSION *session, void *void_param) { if (param->time == 0 || session->time + session->timeout < session->time || param->time > (session->time + session->timeout)) { - /* timeout */ - /* The reason we don't call SSL_CTX_remove_session() is to - * save on locking overhead */ + // The reason we don't call SSL_CTX_remove_session() is to + // save on locking overhead (void) lh_SSL_SESSION_delete(param->cache, session); SSL_SESSION_list_remove(param->ctx, session); if (param->ctx->remove_session_cb != NULL) { diff --git a/ssl/ssl_test.cc b/ssl/ssl_test.cc index ddac86a9..dd795a6f 100644 --- a/ssl/ssl_test.cc +++ b/ssl/ssl_test.cc @@ -40,7 +40,7 @@ #include "../crypto/test/test_util.h" #if defined(OPENSSL_WINDOWS) -/* Windows defines struct timeval in winsock2.h. */ +// Windows defines struct timeval in winsock2.h. OPENSSL_MSVC_PRAGMA(warning(push, 3)) #include OPENSSL_MSVC_PRAGMA(warning(pop)) @@ -1538,9 +1538,9 @@ static bool ConnectClientAndServer(bssl::UniquePtr *out_client, return true; } -/* SSLVersionTest executes its test cases under all available protocol versions. - * Test cases call |Connect| to create a connection using context objects with - * the protocol version fixed to the current version under test. */ +// SSLVersionTest executes its test cases under all available protocol versions. +// Test cases call |Connect| to create a connection using context objects with +// the protocol version fixed to the current version under test. class SSLVersionTest : public ::testing::TestWithParam { protected: SSLVersionTest() : cert_(GetTestCertificate()), key_(GetTestKey()) {} @@ -2192,7 +2192,7 @@ static bssl::UniquePtr ExpectSessionRenewed(SSL_CTX *client_ctx, static void ExpectTicketKeyChanged(SSL_CTX *ctx, uint8_t *inout_key, bool changed) { uint8_t new_key[kTicketKeyLen]; - /* May return 0, 1 or 48. */ + // May return 0, 1 or 48. ASSERT_EQ(SSL_CTX_get_tlsext_ticket_keys(ctx, new_key, kTicketKeyLen), 1); if (changed) { ASSERT_NE(Bytes(inout_key, kTicketKeyLen), Bytes(new_key)); @@ -2493,8 +2493,8 @@ TEST_P(SSLVersionTest, DefaultTicketKeyRotation) { g_current_time.tv_sec = kStartTime; uint8_t ticket_key[kTicketKeyLen]; - /* We use session reuse as a proxy for ticket decryption success, hence - * disable session timeouts. */ + // We use session reuse as a proxy for ticket decryption success, hence + // disable session timeouts. SSL_CTX_set_timeout(server_ctx_.get(), std::numeric_limits::max()); SSL_CTX_set_session_psk_dhe_timeout(server_ctx_.get(), std::numeric_limits::max()); @@ -2505,11 +2505,11 @@ TEST_P(SSLVersionTest, DefaultTicketKeyRotation) { SSL_CTX_set_session_cache_mode(client_ctx_.get(), SSL_SESS_CACHE_BOTH); SSL_CTX_set_session_cache_mode(server_ctx_.get(), SSL_SESS_CACHE_OFF); - /* Initialize ticket_key with the current key. */ + // Initialize ticket_key with the current key. TRACED_CALL(ExpectTicketKeyChanged(server_ctx_.get(), ticket_key, true /* changed */)); - /* Verify ticket resumption actually works. */ + // Verify ticket resumption actually works. bssl::UniquePtr client, server; bssl::UniquePtr session = CreateClientSession(client_ctx_.get(), server_ctx_.get()); @@ -2517,21 +2517,21 @@ TEST_P(SSLVersionTest, DefaultTicketKeyRotation) { TRACED_CALL(ExpectSessionReused(client_ctx_.get(), server_ctx_.get(), session.get(), true /* reused */)); - /* Advance time to just before key rotation. */ + // Advance time to just before key rotation. g_current_time.tv_sec += SSL_DEFAULT_TICKET_KEY_ROTATION_INTERVAL - 1; TRACED_CALL(ExpectSessionReused(client_ctx_.get(), server_ctx_.get(), session.get(), true /* reused */)); TRACED_CALL(ExpectTicketKeyChanged(server_ctx_.get(), ticket_key, false /* NOT changed */)); - /* Force key rotation. */ + // Force key rotation. g_current_time.tv_sec += 1; bssl::UniquePtr new_session = CreateClientSession(client_ctx_.get(), server_ctx_.get()); TRACED_CALL(ExpectTicketKeyChanged(server_ctx_.get(), ticket_key, true /* changed */)); - /* Resumption with both old and new ticket should work. */ + // Resumption with both old and new ticket should work. TRACED_CALL(ExpectSessionReused(client_ctx_.get(), server_ctx_.get(), session.get(), true /* reused */)); TRACED_CALL(ExpectSessionReused(client_ctx_.get(), server_ctx_.get(), @@ -2539,14 +2539,14 @@ TEST_P(SSLVersionTest, DefaultTicketKeyRotation) { TRACED_CALL(ExpectTicketKeyChanged(server_ctx_.get(), ticket_key, false /* NOT changed */)); - /* Force key rotation again. Resumption with the old ticket now fails. */ + // Force key rotation again. Resumption with the old ticket now fails. g_current_time.tv_sec += SSL_DEFAULT_TICKET_KEY_ROTATION_INTERVAL; TRACED_CALL(ExpectSessionReused(client_ctx_.get(), server_ctx_.get(), session.get(), false /* NOT reused */)); TRACED_CALL(ExpectTicketKeyChanged(server_ctx_.get(), ticket_key, true /* changed */)); - /* But resumption with the newer session still works. */ + // But resumption with the newer session still works. TRACED_CALL(ExpectSessionReused(client_ctx_.get(), server_ctx_.get(), new_session.get(), true /* reused */)); } diff --git a/ssl/ssl_transcript.cc b/ssl/ssl_transcript.cc index 2dfaf76f..81d85daf 100644 --- a/ssl/ssl_transcript.cc +++ b/ssl/ssl_transcript.cc @@ -167,8 +167,8 @@ bool SSLTranscript::Init() { return true; } -/* InitDigestWithData calls |EVP_DigestInit_ex| on |ctx| with |md| and then - * writes the data in |buf| to it. */ +// InitDigestWithData calls |EVP_DigestInit_ex| on |ctx| with |md| and then +// writes the data in |buf| to it. static bool InitDigestWithData(EVP_MD_CTX *ctx, const EVP_MD *md, const BUF_MEM *buf) { if (!EVP_DigestInit_ex(ctx, md, NULL)) { @@ -181,9 +181,9 @@ static bool InitDigestWithData(EVP_MD_CTX *ctx, const EVP_MD *md, bool SSLTranscript::InitHash(uint16_t version, const SSL_CIPHER *cipher) { const EVP_MD *md = ssl_get_handshake_digest(version, cipher); - /* To support SSL 3.0's Finished and CertificateVerify constructions, - * EVP_md5_sha1() is split into MD5 and SHA-1 halves. When SSL 3.0 is removed, - * we can simplify this. */ + // To support SSL 3.0's Finished and CertificateVerify constructions, + // EVP_md5_sha1() is split into MD5 and SHA-1 halves. When SSL 3.0 is removed, + // we can simplify this. if (md == EVP_md5_sha1()) { if (!InitDigestWithData(md5_.get(), EVP_md5(), buffer_.get())) { return false; @@ -210,8 +210,8 @@ const EVP_MD *SSLTranscript::Digest() const { } bool SSLTranscript::Update(const uint8_t *in, size_t in_len) { - /* Depending on the state of the handshake, either the handshake buffer may be - * active, the rolling hash, or both. */ + // Depending on the state of the handshake, either the handshake buffer may be + // active, the rolling hash, or both. if (buffer_) { size_t new_len = buffer_->length + in_len; if (new_len < in_len) { @@ -351,8 +351,8 @@ bool SSLTranscript::GetFinishedMAC(uint8_t *out, size_t *out_len, return true; } - /* At this point, the handshake should have released the handshake buffer on - * its own. */ + // At this point, the handshake should have released the handshake buffer on + // its own. assert(!buffer_); const char *label = TLS_MD_CLIENT_FINISH_CONST; diff --git a/ssl/ssl_versions.cc b/ssl/ssl_versions.cc index 0b13781d..184eb44f 100644 --- a/ssl/ssl_versions.cc +++ b/ssl/ssl_versions.cc @@ -41,7 +41,7 @@ int ssl_protocol_version_from_wire(uint16_t *out, uint16_t version) { return 1; case DTLS1_VERSION: - /* DTLS 1.0 is analogous to TLS 1.1, not TLS 1.0. */ + // DTLS 1.0 is analogous to TLS 1.1, not TLS 1.0. *out = TLS1_1_VERSION; return 1; @@ -54,8 +54,8 @@ int ssl_protocol_version_from_wire(uint16_t *out, uint16_t version) { } } -/* The follow arrays are the supported versions for TLS and DTLS, in order of - * decreasing preference. */ +// The follow arrays are the supported versions for TLS and DTLS, in order of +// decreasing preference. static const uint16_t kTLSVersions[] = { TLS1_3_EXPERIMENT_VERSION, @@ -98,9 +98,9 @@ static int method_supports_version(const SSL_PROTOCOL_METHOD *method, static int set_version_bound(const SSL_PROTOCOL_METHOD *method, uint16_t *out, uint16_t version) { - /* The public API uses wire versions, except we use |TLS1_3_VERSION| - * everywhere to refer to any draft TLS 1.3 versions. In this direction, we - * map it to some representative TLS 1.3 draft version. */ + // The public API uses wire versions, except we use |TLS1_3_VERSION| + // everywhere to refer to any draft TLS 1.3 versions. In this direction, we + // map it to some representative TLS 1.3 draft version. if (version == TLS1_3_DRAFT_VERSION || version == TLS1_3_EXPERIMENT_VERSION || version == TLS1_3_RECORD_TYPE_EXPERIMENT_VERSION) { @@ -122,9 +122,9 @@ static int set_version_bound(const SSL_PROTOCOL_METHOD *method, uint16_t *out, static int set_min_version(const SSL_PROTOCOL_METHOD *method, uint16_t *out, uint16_t version) { - /* Zero is interpreted as the default minimum version. */ + // Zero is interpreted as the default minimum version. if (version == 0) { - /* SSL 3.0 is disabled by default and TLS 1.0 does not exist in DTLS. */ + // SSL 3.0 is disabled by default and TLS 1.0 does not exist in DTLS. *out = method->is_dtls ? TLS1_1_VERSION : TLS1_VERSION; return 1; } @@ -134,7 +134,7 @@ static int set_min_version(const SSL_PROTOCOL_METHOD *method, uint16_t *out, static int set_max_version(const SSL_PROTOCOL_METHOD *method, uint16_t *out, uint16_t version) { - /* Zero is interpreted as the default maximum version. */ + // Zero is interpreted as the default maximum version. if (version == 0) { *out = TLS1_2_VERSION; return 1; @@ -156,8 +156,8 @@ const struct { int ssl_get_version_range(const SSL *ssl, uint16_t *out_min_version, uint16_t *out_max_version) { - /* For historical reasons, |SSL_OP_NO_DTLSv1| aliases |SSL_OP_NO_TLSv1|, but - * DTLS 1.0 should be mapped to TLS 1.1. */ + // For historical reasons, |SSL_OP_NO_DTLSv1| aliases |SSL_OP_NO_TLSv1|, but + // DTLS 1.0 should be mapped to TLS 1.1. uint32_t options = ssl->options; if (SSL_is_dtls(ssl)) { options &= ~SSL_OP_NO_TLSv1_1; @@ -169,19 +169,19 @@ int ssl_get_version_range(const SSL *ssl, uint16_t *out_min_version, uint16_t min_version = ssl->conf_min_version; uint16_t max_version = ssl->conf_max_version; - /* OpenSSL's API for controlling versions entails blacklisting individual - * protocols. This has two problems. First, on the client, the protocol can - * only express a contiguous range of versions. Second, a library consumer - * trying to set a maximum version cannot disable protocol versions that get - * added in a future version of the library. - * - * To account for both of these, OpenSSL interprets the client-side bitmask - * as a min/max range by picking the lowest contiguous non-empty range of - * enabled protocols. Note that this means it is impossible to set a maximum - * version of the higest supported TLS version in a future-proof way. */ + // OpenSSL's API for controlling versions entails blacklisting individual + // protocols. This has two problems. First, on the client, the protocol can + // only express a contiguous range of versions. Second, a library consumer + // trying to set a maximum version cannot disable protocol versions that get + // added in a future version of the library. + // + // To account for both of these, OpenSSL interprets the client-side bitmask + // as a min/max range by picking the lowest contiguous non-empty range of + // enabled protocols. Note that this means it is impossible to set a maximum + // version of the higest supported TLS version in a future-proof way. int any_enabled = 0; for (size_t i = 0; i < OPENSSL_ARRAY_SIZE(kProtocolVersions); i++) { - /* Only look at the versions already enabled. */ + // Only look at the versions already enabled. if (min_version > kProtocolVersions[i].version) { continue; } @@ -190,7 +190,7 @@ int ssl_get_version_range(const SSL *ssl, uint16_t *out_min_version, } if (!(options & kProtocolVersions[i].flag)) { - /* The minimum version is the first enabled version. */ + // The minimum version is the first enabled version. if (!any_enabled) { any_enabled = 1; min_version = kProtocolVersions[i].version; @@ -198,8 +198,8 @@ int ssl_get_version_range(const SSL *ssl, uint16_t *out_min_version, continue; } - /* If there is a disabled version after the first enabled one, all versions - * after it are implicitly disabled. */ + // If there is a disabled version after the first enabled one, all versions + // after it are implicitly disabled. if (any_enabled) { max_version = kProtocolVersions[i-1].version; break; @@ -217,7 +217,7 @@ int ssl_get_version_range(const SSL *ssl, uint16_t *out_min_version, } static uint16_t ssl_version(const SSL *ssl) { - /* In early data, we report the predicted version. */ + // In early data, we report the predicted version. if (SSL_in_early_data(ssl) && !ssl->server) { return ssl->s3->hs->early_session->ssl_version; } @@ -226,7 +226,7 @@ static uint16_t ssl_version(const SSL *ssl) { static const char *ssl_version_to_string(uint16_t version) { switch (version) { - /* Report TLS 1.3 draft version as TLS 1.3 in the public API. */ + // Report TLS 1.3 draft version as TLS 1.3 in the public API. case TLS1_3_DRAFT_VERSION: case TLS1_3_EXPERIMENT_VERSION: case TLS1_3_RECORD_TYPE_EXPERIMENT_VERSION: @@ -259,7 +259,7 @@ uint16_t ssl3_protocol_version(const SSL *ssl) { assert(ssl->s3->have_version); uint16_t version; if (!ssl_protocol_version_from_wire(&version, ssl->version)) { - /* |ssl->version| will always be set to a valid version. */ + // |ssl->version| will always be set to a valid version. assert(0); return 0; } @@ -269,9 +269,9 @@ uint16_t ssl3_protocol_version(const SSL *ssl) { int ssl_supports_version(SSL_HANDSHAKE *hs, uint16_t version) { SSL *const ssl = hs->ssl; - /* As a client, only allow the configured TLS 1.3 variant. As a server, - * support all TLS 1.3 variants as long as tls13_variant is set to a - * non-default value. */ + // As a client, only allow the configured TLS 1.3 variant. As a server, + // support all TLS 1.3 variants as long as tls13_variant is set to a + // non-default value. if (ssl->server) { if (ssl->tls13_variant == tls13_default && (version == TLS1_3_EXPERIMENT_VERSION || @@ -363,7 +363,7 @@ int SSL_set_max_proto_version(SSL *ssl, uint16_t version) { int SSL_version(const SSL *ssl) { uint16_t ret = ssl_version(ssl); - /* Report TLS 1.3 draft version as TLS 1.3 in the public API. */ + // Report TLS 1.3 draft version as TLS 1.3 in the public API. if (ret == TLS1_3_DRAFT_VERSION || ret == TLS1_3_EXPERIMENT_VERSION || ret == TLS1_3_RECORD_TYPE_EXPERIMENT_VERSION) { return TLS1_3_VERSION; diff --git a/ssl/ssl_x509.cc b/ssl/ssl_x509.cc index e442dfb7..7ff6a893 100644 --- a/ssl/ssl_x509.cc +++ b/ssl/ssl_x509.cc @@ -157,21 +157,21 @@ namespace bssl { -/* check_ssl_x509_method asserts that |ssl| has the X509-based method - * installed. Calling an X509-based method on an |ssl| with a different method - * will likely misbehave and possibly crash or leak memory. */ +// check_ssl_x509_method asserts that |ssl| has the X509-based method +// installed. Calling an X509-based method on an |ssl| with a different method +// will likely misbehave and possibly crash or leak memory. static void check_ssl_x509_method(const SSL *ssl) { assert(ssl == NULL || ssl->ctx->x509_method == &ssl_crypto_x509_method); } -/* check_ssl_ctx_x509_method acts like |check_ssl_x509_method|, but for an - * |SSL_CTX|. */ +// check_ssl_ctx_x509_method acts like |check_ssl_x509_method|, but for an +// |SSL_CTX|. static void check_ssl_ctx_x509_method(const SSL_CTX *ctx) { assert(ctx == NULL || ctx->x509_method == &ssl_crypto_x509_method); } -/* x509_to_buffer returns a |CRYPTO_BUFFER| that contains the serialised - * contents of |x509|. */ +// x509_to_buffer returns a |CRYPTO_BUFFER| that contains the serialised +// contents of |x509|. static UniquePtr x509_to_buffer(X509 *x509) { uint8_t *buf = NULL; int cert_len = i2d_X509(x509, &buf); @@ -185,7 +185,7 @@ static UniquePtr x509_to_buffer(X509 *x509) { return buffer; } -/* new_leafless_chain returns a fresh stack of buffers set to {NULL}. */ +// new_leafless_chain returns a fresh stack of buffers set to {NULL}. static STACK_OF(CRYPTO_BUFFER) *new_leafless_chain(void) { STACK_OF(CRYPTO_BUFFER) *chain = sk_CRYPTO_BUFFER_new_null(); if (chain == NULL) { @@ -200,10 +200,10 @@ static STACK_OF(CRYPTO_BUFFER) *new_leafless_chain(void) { return chain; } -/* ssl_cert_set_chain sets elements 1.. of |cert->chain| to the serialised - * forms of elements of |chain|. It returns one on success or zero on error, in - * which case no change to |cert->chain| is made. It preverses the existing - * leaf from |cert->chain|, if any. */ +// ssl_cert_set_chain sets elements 1.. of |cert->chain| to the serialised +// forms of elements of |chain|. It returns one on success or zero on error, in +// which case no change to |cert->chain| is made. It preverses the existing +// leaf from |cert->chain|, if any. static int ssl_cert_set_chain(CERT *cert, STACK_OF(X509) *chain) { UniquePtr new_chain; @@ -217,7 +217,7 @@ static int ssl_cert_set_chain(CERT *cert, STACK_OF(X509) *chain) { if (!sk_CRYPTO_BUFFER_push(new_chain.get(), leaf)) { return 0; } - /* |leaf| might be NULL if it's a “leafless” chain. */ + // |leaf| might be NULL if it's a “leafless” chain. if (leaf != NULL) { CRYPTO_BUFFER_up_ref(leaf); } @@ -439,13 +439,13 @@ static int ssl_crypto_x509_session_verify_cert_chain(SSL_SESSION *session, return 0; } - /* We need to inherit the verify parameters. These can be determined by the - * context: if its a server it will verify SSL client certificates or vice - * versa. */ + // We need to inherit the verify parameters. These can be determined by the + // context: if its a server it will verify SSL client certificates or vice + // versa. X509_STORE_CTX_set_default(ctx.get(), ssl->server ? "ssl_client" : "ssl_server"); - /* Anything non-default in "param" should overwrite anything in the ctx. */ + // Anything non-default in "param" should overwrite anything in the ctx. X509_VERIFY_PARAM_set1(X509_STORE_CTX_get0_param(ctx.get()), ssl->param); if (ssl->verify_callback) { @@ -462,7 +462,7 @@ static int ssl_crypto_x509_session_verify_cert_chain(SSL_SESSION *session, session->verify_result = ctx->error; - /* If |SSL_VERIFY_NONE|, the error is non-fatal, but we keep the result. */ + // If |SSL_VERIFY_NONE|, the error is non-fatal, but we keep the result. if (verify_ret <= 0 && ssl->verify_mode != SSL_VERIFY_NONE) { *out_alert = ssl_verify_alarm_type(ctx->error); return 0; @@ -497,8 +497,8 @@ static void ssl_crypto_x509_ssl_free(SSL *ssl) { } static int ssl_crypto_x509_ssl_auto_chain_if_needed(SSL *ssl) { - /* Only build a chain if there are no intermediates configured and the feature - * isn't disabled. */ + // Only build a chain if there are no intermediates configured and the feature + // isn't disabled. if ((ssl->mode & SSL_MODE_NO_AUTO_CHAIN) || !ssl_has_certificate(ssl) || ssl->cert->chain == NULL || @@ -519,11 +519,11 @@ static int ssl_crypto_x509_ssl_auto_chain_if_needed(SSL *ssl) { return 0; } - /* Attempt to build a chain, ignoring the result. */ + // Attempt to build a chain, ignoring the result. X509_verify_cert(ctx.get()); ERR_clear_error(); - /* Remove the leaf from the generated chain. */ + // Remove the leaf from the generated chain. X509_free(sk_X509_shift(ctx->chain)); if (!ssl_cert_set_chain(ssl->cert, ctx->chain)) { @@ -605,8 +605,8 @@ STACK_OF(X509) *SSL_get_peer_cert_chain(const SSL *ssl) { return session->x509_chain; } - /* OpenSSL historically didn't include the leaf certificate in the returned - * certificate chain, but only for servers. */ + // OpenSSL historically didn't include the leaf certificate in the returned + // certificate chain, but only for servers. if (session->x509_chain_without_leaf == NULL) { session->x509_chain_without_leaf = sk_X509_new_null(); if (session->x509_chain_without_leaf == NULL) { @@ -800,8 +800,8 @@ int SSL_CTX_use_certificate(SSL_CTX *ctx, X509 *x) { return ssl_use_certificate(ctx->cert, x); } -/* ssl_cert_cache_leaf_cert sets |cert->x509_leaf|, if currently NULL, from the - * first element of |cert->chain|. */ +// ssl_cert_cache_leaf_cert sets |cert->x509_leaf|, if currently NULL, from the +// first element of |cert->chain|. static int ssl_cert_cache_leaf_cert(CERT *cert) { assert(cert->x509_method); @@ -963,8 +963,8 @@ int SSL_clear_chain_certs(SSL *ssl) { return SSL_set0_chain(ssl, NULL); } -/* ssl_cert_cache_chain_certs fills in |cert->x509_chain| from elements 1.. of - * |cert->chain|. */ +// ssl_cert_cache_chain_certs fills in |cert->x509_chain| from elements 1.. of +// |cert->chain|. static int ssl_cert_cache_chain_certs(CERT *cert) { assert(cert->x509_method); @@ -1140,11 +1140,11 @@ static STACK_OF(X509_NAME) * STACK_OF(X509_NAME) *SSL_get_client_CA_list(const SSL *ssl) { check_ssl_x509_method(ssl); - /* For historical reasons, this function is used both to query configuration - * state on a server as well as handshake state on a client. However, whether - * |ssl| is a client or server is not known until explicitly configured with - * |SSL_set_connect_state|. If |do_handshake| is NULL, |ssl| is in an - * indeterminate mode and |ssl->server| is unset. */ + // For historical reasons, this function is used both to query configuration + // state on a server as well as handshake state on a client. However, whether + // |ssl| is a client or server is not known until explicitly configured with + // |SSL_set_connect_state|. If |do_handshake| is NULL, |ssl| is in an + // indeterminate mode and |ssl->server| is unset. if (ssl->do_handshake != NULL && !ssl->server) { if (ssl->s3->hs != NULL) { return buffer_names_to_x509(ssl->s3->hs->ca_names.get(), @@ -1163,8 +1163,8 @@ STACK_OF(X509_NAME) *SSL_get_client_CA_list(const SSL *ssl) { STACK_OF(X509_NAME) *SSL_CTX_get_client_CA_list(const SSL_CTX *ctx) { check_ssl_ctx_x509_method(ctx); - /* This is a logically const operation that may be called on multiple threads, - * so it needs to lock around updating |cached_x509_client_CA|. */ + // This is a logically const operation that may be called on multiple threads, + // so it needs to lock around updating |cached_x509_client_CA|. CRYPTO_MUTEX_lock_write((CRYPTO_MUTEX *) &ctx->lock); STACK_OF(X509_NAME) *ret = buffer_names_to_x509( ctx->client_CA, (STACK_OF(X509_NAME) **)&ctx->cached_x509_client_CA); @@ -1259,7 +1259,7 @@ void SSL_CTX_set_client_cert_cb(SSL_CTX *ctx, int (*cb)(SSL *ssl, X509 **out_x509, EVP_PKEY **out_pkey)) { check_ssl_ctx_x509_method(ctx); - /* Emulate the old client certificate callback with the new one. */ + // Emulate the old client certificate callback with the new one. SSL_CTX_set_cert_cb(ctx, do_client_cert_cb, NULL); ctx->client_cert_cb = cb; } @@ -1277,10 +1277,10 @@ static int set_cert_store(X509_STORE **store_ptr, X509_STORE *new_store, } int SSL_get_ex_data_X509_STORE_CTX_idx(void) { - /* The ex_data index to go from |X509_STORE_CTX| to |SSL| always uses the - * reserved app_data slot. Before ex_data was introduced, app_data was used. - * Avoid breaking any software which assumes |X509_STORE_CTX_get_app_data| - * works. */ + // The ex_data index to go from |X509_STORE_CTX| to |SSL| always uses the + // reserved app_data slot. Before ex_data was introduced, app_data was used. + // Avoid breaking any software which assumes |X509_STORE_CTX_get_app_data| + // works. return 0; } diff --git a/ssl/t1_enc.cc b/ssl/t1_enc.cc index d4a6ee9f..f917ed76 100644 --- a/ssl/t1_enc.cc +++ b/ssl/t1_enc.cc @@ -154,10 +154,10 @@ namespace bssl { -/* tls1_P_hash computes the TLS P_ function as described in RFC 5246, - * section 5. It XORs |out_len| bytes to |out|, using |md| as the hash and - * |secret| as the secret. |seed1| through |seed3| are concatenated to form the - * seed parameter. It returns one on success and zero on failure. */ +// tls1_P_hash computes the TLS P_ function as described in RFC 5246, +// section 5. It XORs |out_len| bytes to |out|, using |md| as the hash and +// |secret| as the secret. |seed1| through |seed3| are concatenated to form the +// seed parameter. It returns one on success and zero on failure. static int tls1_P_hash(uint8_t *out, size_t out_len, const EVP_MD *md, const uint8_t *secret, size_t secret_len, const uint8_t *seed1, size_t seed1_len, @@ -184,7 +184,7 @@ static int tls1_P_hash(uint8_t *out, size_t out_len, const EVP_MD *md, uint8_t hmac[EVP_MAX_MD_SIZE]; if (!HMAC_CTX_copy_ex(ctx.get(), ctx_init.get()) || !HMAC_Update(ctx.get(), A1, A1_len) || - /* Save a copy of |ctx| to compute the next A1 value below. */ + // Save a copy of |ctx| to compute the next A1 value below. (out_len > chunk && !HMAC_CTX_copy_ex(ctx_tmp.get(), ctx.get())) || !HMAC_Update(ctx.get(), seed1, seed1_len) || !HMAC_Update(ctx.get(), seed2, seed2_len) || @@ -194,7 +194,7 @@ static int tls1_P_hash(uint8_t *out, size_t out_len, const EVP_MD *md, } assert(len == chunk); - /* XOR the result into |out|. */ + // XOR the result into |out|. if (len > out_len) { len = out_len; } @@ -209,7 +209,7 @@ static int tls1_P_hash(uint8_t *out, size_t out_len, const EVP_MD *md, break; } - /* Calculate the next A1 value. */ + // Calculate the next A1 value. if (!HMAC_Final(ctx_tmp.get(), A1, &A1_len)) { goto err; } @@ -233,8 +233,8 @@ int tls1_prf(const EVP_MD *digest, uint8_t *out, size_t out_len, OPENSSL_memset(out, 0, out_len); if (digest == EVP_md5_sha1()) { - /* If using the MD5/SHA1 PRF, |secret| is partitioned between SHA-1 and - * MD5, MD5 first. */ + // If using the MD5/SHA1 PRF, |secret| is partitioned between SHA-1 and + // MD5, MD5 first. size_t secret_half = secret_len - (secret_len / 2); if (!tls1_P_hash(out, out_len, EVP_md5(), secret, secret_half, (const uint8_t *)label, label_len, seed1, seed1_len, seed2, @@ -242,7 +242,7 @@ int tls1_prf(const EVP_MD *digest, uint8_t *out, size_t out_len, return 0; } - /* Note that, if |secret_len| is odd, the two halves share a byte. */ + // Note that, if |secret_len| is odd, the two halves share a byte. secret = secret + (secret_len - secret_half); secret_len = secret_half; @@ -272,7 +272,7 @@ static int ssl3_prf(uint8_t *out, size_t out_len, const uint8_t *secret, for (i = 0; i < out_len; i += MD5_DIGEST_LENGTH) { k++; if (k > sizeof(buf)) { - /* bug: 'buf' is too small for this ciphersuite */ + // bug: 'buf' is too small for this ciphersuite OPENSSL_PUT_ERROR(SSL, ERR_R_INTERNAL_ERROR); return 0; } @@ -287,7 +287,7 @@ static int ssl3_prf(uint8_t *out, size_t out_len, const uint8_t *secret, } EVP_DigestUpdate(sha1.get(), buf, k); EVP_DigestUpdate(sha1.get(), secret, secret_len); - /* |label| is ignored for SSLv3. */ + // |label| is ignored for SSLv3. if (seed1_len) { EVP_DigestUpdate(sha1.get(), seed1, seed1_len); } @@ -338,9 +338,9 @@ static int tls1_setup_key_block(SSL_HANDSHAKE *hs) { } size_t key_len = EVP_AEAD_key_length(aead); if (mac_secret_len > 0) { - /* For "stateful" AEADs (i.e. compatibility with pre-AEAD cipher suites) the - * key length reported by |EVP_AEAD_key_length| will include the MAC key - * bytes and initial implicit IV. */ + // For "stateful" AEADs (i.e. compatibility with pre-AEAD cipher suites) the + // key length reported by |EVP_AEAD_key_length| will include the MAC key + // bytes and initial implicit IV. if (key_len < mac_secret_len + fixed_iv_len) { OPENSSL_PUT_ERROR(SSL, ERR_R_INTERNAL_ERROR); return 0; @@ -377,17 +377,17 @@ static int tls1_setup_key_block(SSL_HANDSHAKE *hs) { int tls1_change_cipher_state(SSL_HANDSHAKE *hs, int which) { SSL *const ssl = hs->ssl; - /* Ensure the key block is set up. */ + // Ensure the key block is set up. if (!tls1_setup_key_block(hs)) { return 0; } - /* is_read is true if we have just read a ChangeCipherSpec message - i.e. we - * need to update the read cipherspec. Otherwise we have just written one. */ + // is_read is true if we have just read a ChangeCipherSpec message - i.e. we + // need to update the read cipherspec. Otherwise we have just written one. const char is_read = (which & SSL3_CC_READ) != 0; - /* use_client_keys is true if we wish to use the keys for the "client write" - * direction. This is the case if we're a client sending a ChangeCipherSpec, - * or a server reading a client's ChangeCipherSpec. */ + // use_client_keys is true if we wish to use the keys for the "client write" + // direction. This is the case if we're a client sending a ChangeCipherSpec, + // or a server reading a client's ChangeCipherSpec. const char use_client_keys = which == SSL3_CHANGE_CIPHER_CLIENT_WRITE || which == SSL3_CHANGE_CIPHER_SERVER_READ; @@ -506,7 +506,7 @@ int SSL_export_keying_material(SSL *ssl, uint8_t *out, size_t out_len, return 0; } - /* Exporters may not be used in the middle of a renegotiation. */ + // Exporters may not be used in the middle of a renegotiation. if (SSL_in_init(ssl) && !SSL_in_false_start(ssl)) { return 0; } diff --git a/ssl/t1_lib.cc b/ssl/t1_lib.cc index 7527a98e..0ff5a098 100644 --- a/ssl/t1_lib.cc +++ b/ssl/t1_lib.cc @@ -142,17 +142,17 @@ static int compare_uint16_t(const void *p1, const void *p2) { } } -/* Per http://tools.ietf.org/html/rfc5246#section-7.4.1.4, there may not be - * more than one extension of the same type in a ClientHello or ServerHello. - * This function does an initial scan over the extensions block to filter those - * out. */ +// Per http://tools.ietf.org/html/rfc5246#section-7.4.1.4, there may not be +// more than one extension of the same type in a ClientHello or ServerHello. +// This function does an initial scan over the extensions block to filter those +// out. static int tls1_check_duplicate_extensions(const CBS *cbs) { CBS extensions = *cbs; size_t num_extensions = 0, i = 0; uint16_t *extension_types = NULL; int ret = 0; - /* First pass: count the extensions. */ + // First pass: count the extensions. while (CBS_len(&extensions) > 0) { uint16_t type; CBS extension; @@ -176,20 +176,20 @@ static int tls1_check_duplicate_extensions(const CBS *cbs) { goto done; } - /* Second pass: gather the extension types. */ + // Second pass: gather the extension types. extensions = *cbs; for (i = 0; i < num_extensions; i++) { CBS extension; if (!CBS_get_u16(&extensions, &extension_types[i]) || !CBS_get_u16_length_prefixed(&extensions, &extension)) { - /* This should not happen. */ + // This should not happen. goto done; } } assert(CBS_len(&extensions) == 0); - /* Sort the extensions and make sure there are no duplicates. */ + // Sort the extensions and make sure there are no duplicates. qsort(extension_types, num_extensions, sizeof(uint16_t), compare_uint16_t); for (i = 1; i < num_extensions; i++) { if (extension_types[i - 1] == extension_types[i]) { @@ -225,7 +225,7 @@ int ssl_client_hello_init(SSL *ssl, SSL_CLIENT_HELLO *out, out->session_id = CBS_data(&session_id); out->session_id_len = CBS_len(&session_id); - /* Skip past DTLS cookie */ + // Skip past DTLS cookie if (SSL_is_dtls(out->ssl)) { CBS cookie; if (!CBS_get_u8_length_prefixed(&client_hello, &cookie) || @@ -247,15 +247,15 @@ int ssl_client_hello_init(SSL *ssl, SSL_CLIENT_HELLO *out, out->compression_methods = CBS_data(&compression_methods); out->compression_methods_len = CBS_len(&compression_methods); - /* If the ClientHello ends here then it's valid, but doesn't have any - * extensions. (E.g. SSLv3.) */ + // If the ClientHello ends here then it's valid, but doesn't have any + // extensions. (E.g. SSLv3.) if (CBS_len(&client_hello) == 0) { out->extensions = NULL; out->extensions_len = 0; return 1; } - /* Extract extensions and check it is valid. */ + // Extract extensions and check it is valid. CBS extensions; if (!CBS_get_u16_length_prefixed(&client_hello, &extensions) || !tls1_check_duplicate_extensions(&extensions) || @@ -274,7 +274,7 @@ int ssl_client_hello_get_extension(const SSL_CLIENT_HELLO *client_hello, CBS extensions; CBS_init(&extensions, client_hello->extensions, client_hello->extensions_len); while (CBS_len(&extensions) != 0) { - /* Decode the next extension. */ + // Decode the next extension. uint16_t type; CBS extension; if (!CBS_get_u16(&extensions, &type) || @@ -315,14 +315,14 @@ int tls1_get_shared_group(SSL_HANDSHAKE *hs, uint16_t *out_group_id) { size_t groups_len, pref_len, supp_len; tls1_get_grouplist(ssl, &groups, &groups_len); - /* Clients are not required to send a supported_groups extension. In this - * case, the server is free to pick any group it likes. See RFC 4492, - * section 4, paragraph 3. - * - * However, in the interests of compatibility, we will skip ECDH if the - * client didn't send an extension because we can't be sure that they'll - * support our favoured group. Thus we do not special-case an emtpy - * |peer_supported_group_list|. */ + // Clients are not required to send a supported_groups extension. In this + // case, the server is free to pick any group it likes. See RFC 4492, + // section 4, paragraph 3. + // + // However, in the interests of compatibility, we will skip ECDH if the + // client didn't send an extension because we can't be sure that they'll + // support our favoured group. Thus we do not special-case an emtpy + // |peer_supported_group_list|. if (ssl->options & SSL_OP_CIPHER_SERVER_PREFERENCE) { pref = groups; @@ -425,14 +425,14 @@ int tls1_check_group_id(SSL *ssl, uint16_t group_id) { return 0; } -/* kVerifySignatureAlgorithms is the default list of accepted signature - * algorithms for verifying. - * - * For now, RSA-PSS signature algorithms are not enabled on Android's system - * BoringSSL. Once the change in Chrome has stuck and the values are finalized, - * restore them. */ +// kVerifySignatureAlgorithms is the default list of accepted signature +// algorithms for verifying. +// +// For now, RSA-PSS signature algorithms are not enabled on Android's system +// BoringSSL. Once the change in Chrome has stuck and the values are finalized, +// restore them. static const uint16_t kVerifySignatureAlgorithms[] = { - /* List our preferred algorithms first. */ + // List our preferred algorithms first. SSL_SIGN_ED25519, SSL_SIGN_ECDSA_SECP256R1_SHA256, #if !defined(BORINGSSL_ANDROID_SYSTEM) @@ -440,14 +440,14 @@ static const uint16_t kVerifySignatureAlgorithms[] = { #endif SSL_SIGN_RSA_PKCS1_SHA256, - /* Larger hashes are acceptable. */ + // Larger hashes are acceptable. SSL_SIGN_ECDSA_SECP384R1_SHA384, #if !defined(BORINGSSL_ANDROID_SYSTEM) SSL_SIGN_RSA_PSS_SHA384, #endif SSL_SIGN_RSA_PKCS1_SHA384, - /* TODO(davidben): Remove this. */ + // TODO(davidben): Remove this. #if defined(BORINGSSL_ANDROID_SYSTEM) SSL_SIGN_ECDSA_SECP521R1_SHA512, #endif @@ -456,19 +456,19 @@ static const uint16_t kVerifySignatureAlgorithms[] = { #endif SSL_SIGN_RSA_PKCS1_SHA512, - /* For now, SHA-1 is still accepted but least preferable. */ + // For now, SHA-1 is still accepted but least preferable. SSL_SIGN_RSA_PKCS1_SHA1, }; -/* kSignSignatureAlgorithms is the default list of supported signature - * algorithms for signing. - * - * For now, RSA-PSS signature algorithms are not enabled on Android's system - * BoringSSL. Once the change in Chrome has stuck and the values are finalized, - * restore them. */ +// kSignSignatureAlgorithms is the default list of supported signature +// algorithms for signing. +// +// For now, RSA-PSS signature algorithms are not enabled on Android's system +// BoringSSL. Once the change in Chrome has stuck and the values are finalized, +// restore them. static const uint16_t kSignSignatureAlgorithms[] = { - /* List our preferred algorithms first. */ + // List our preferred algorithms first. SSL_SIGN_ED25519, SSL_SIGN_ECDSA_SECP256R1_SHA256, #if !defined(BORINGSSL_ANDROID_SYSTEM) @@ -476,9 +476,9 @@ static const uint16_t kSignSignatureAlgorithms[] = { #endif SSL_SIGN_RSA_PKCS1_SHA256, - /* If needed, sign larger hashes. - * - * TODO(davidben): Determine which of these may be pruned. */ + // If needed, sign larger hashes. + // + // TODO(davidben): Determine which of these may be pruned. SSL_SIGN_ECDSA_SECP384R1_SHA384, #if !defined(BORINGSSL_ANDROID_SYSTEM) SSL_SIGN_RSA_PSS_SHA384, @@ -491,7 +491,7 @@ static const uint16_t kSignSignatureAlgorithms[] = { #endif SSL_SIGN_RSA_PKCS1_SHA512, - /* If the peer supports nothing else, sign with SHA-1. */ + // If the peer supports nothing else, sign with SHA-1. SSL_SIGN_ECDSA_SHA1, SSL_SIGN_RSA_PKCS1_SHA1, }; @@ -542,21 +542,21 @@ int tls12_check_peer_sigalg(SSL *ssl, uint8_t *out_alert, uint16_t sigalg) { return 0; } -/* tls_extension represents a TLS extension that is handled internally. The - * |init| function is called for each handshake, before any other functions of - * the extension. Then the add and parse callbacks are called as needed. - * - * The parse callbacks receive a |CBS| that contains the contents of the - * extension (i.e. not including the type and length bytes). If an extension is - * not received then the parse callbacks will be called with a NULL CBS so that - * they can do any processing needed to handle the absence of an extension. - * - * The add callbacks receive a |CBB| to which the extension can be appended but - * the function is responsible for appending the type and length bytes too. - * - * All callbacks return one for success and zero for error. If a parse function - * returns zero then a fatal alert with value |*out_alert| will be sent. If - * |*out_alert| isn't set, then a |decode_error| alert will be sent. */ +// tls_extension represents a TLS extension that is handled internally. The +// |init| function is called for each handshake, before any other functions of +// the extension. Then the add and parse callbacks are called as needed. +// +// The parse callbacks receive a |CBS| that contains the contents of the +// extension (i.e. not including the type and length bytes). If an extension is +// not received then the parse callbacks will be called with a NULL CBS so that +// they can do any processing needed to handle the absence of an extension. +// +// The add callbacks receive a |CBB| to which the extension can be appended but +// the function is responsible for appending the type and length bytes too. +// +// All callbacks return one for success and zero for error. If a parse function +// returns zero then a fatal alert with value |*out_alert| will be sent. If +// |*out_alert| isn't set, then a |decode_error| alert will be sent. struct tls_extension { uint16_t value; void (*init)(SSL_HANDSHAKE *hs); @@ -573,7 +573,7 @@ struct tls_extension { static int forbid_parse_serverhello(SSL_HANDSHAKE *hs, uint8_t *out_alert, CBS *contents) { if (contents != NULL) { - /* Servers MUST NOT send this extension. */ + // Servers MUST NOT send this extension. *out_alert = SSL_AD_UNSUPPORTED_EXTENSION; OPENSSL_PUT_ERROR(SSL, SSL_R_UNEXPECTED_EXTENSION); return 0; @@ -584,7 +584,7 @@ static int forbid_parse_serverhello(SSL_HANDSHAKE *hs, uint8_t *out_alert, static int ignore_parse_clienthello(SSL_HANDSHAKE *hs, uint8_t *out_alert, CBS *contents) { - /* This extension from the client is handled elsewhere. */ + // This extension from the client is handled elsewhere. return 1; } @@ -592,9 +592,9 @@ static int dont_add_serverhello(SSL_HANDSHAKE *hs, CBB *out) { return 1; } -/* Server name indication (SNI). - * - * https://tools.ietf.org/html/rfc6066#section-3. */ +// Server name indication (SNI). +// +// https://tools.ietf.org/html/rfc6066#section-3. static int ext_sni_add_clienthello(SSL_HANDSHAKE *hs, CBB *out) { SSL *const ssl = hs->ssl; @@ -652,13 +652,13 @@ static int ext_sni_parse_clienthello(SSL_HANDSHAKE *hs, uint8_t *out_alert, uint8_t name_type; if (!CBS_get_u16_length_prefixed(contents, &server_name_list) || !CBS_get_u8(&server_name_list, &name_type) || - /* Although the server_name extension was intended to be extensible to - * new name types and multiple names, OpenSSL 1.0.x had a bug which meant - * different name types will cause an error. Further, RFC 4366 originally - * defined syntax inextensibly. RFC 6066 corrected this mistake, but - * adding new name types is no longer feasible. - * - * Act as if the extensibility does not exist to simplify parsing. */ + // Although the server_name extension was intended to be extensible to + // new name types and multiple names, OpenSSL 1.0.x had a bug which meant + // different name types will cause an error. Further, RFC 4366 originally + // defined syntax inextensibly. RFC 6066 corrected this mistake, but + // adding new name types is no longer feasible. + // + // Act as if the extensibility does not exist to simplify parsing. !CBS_get_u16_length_prefixed(&server_name_list, &host_name) || CBS_len(&server_name_list) != 0 || CBS_len(contents) != 0) { @@ -673,7 +673,7 @@ static int ext_sni_parse_clienthello(SSL_HANDSHAKE *hs, uint8_t *out_alert, return 0; } - /* Copy the hostname as a string. */ + // Copy the hostname as a string. char *hostname_raw = nullptr; if (!CBS_strdup(&host_name, &hostname_raw)) { *out_alert = SSL_AD_INTERNAL_ERROR; @@ -700,13 +700,13 @@ static int ext_sni_add_serverhello(SSL_HANDSHAKE *hs, CBB *out) { } -/* Renegotiation indication. - * - * https://tools.ietf.org/html/rfc5746 */ +// Renegotiation indication. +// +// https://tools.ietf.org/html/rfc5746 static int ext_ri_add_clienthello(SSL_HANDSHAKE *hs, CBB *out) { SSL *const ssl = hs->ssl; - /* Renegotiation indication is not necessary in TLS 1.3. */ + // Renegotiation indication is not necessary in TLS 1.3. if (hs->min_version >= TLS1_3_VERSION) { return 1; } @@ -735,8 +735,8 @@ static int ext_ri_parse_serverhello(SSL_HANDSHAKE *hs, uint8_t *out_alert, return 0; } - /* Servers may not switch between omitting the extension and supporting it. - * See RFC 5746, sections 3.5 and 4.2. */ + // Servers may not switch between omitting the extension and supporting it. + // See RFC 5746, sections 3.5 and 4.2. if (ssl->s3->initial_handshake_complete && (contents != NULL) != ssl->s3->send_connection_binding) { *out_alert = SSL_AD_HANDSHAKE_FAILURE; @@ -745,20 +745,20 @@ static int ext_ri_parse_serverhello(SSL_HANDSHAKE *hs, uint8_t *out_alert, } if (contents == NULL) { - /* Strictly speaking, if we want to avoid an attack we should *always* see - * RI even on initial ServerHello because the client doesn't see any - * renegotiation during an attack. However this would mean we could not - * connect to any server which doesn't support RI. - * - * OpenSSL has |SSL_OP_LEGACY_SERVER_CONNECT| to control this, but in - * practical terms every client sets it so it's just assumed here. */ + // Strictly speaking, if we want to avoid an attack we should *always* see + // RI even on initial ServerHello because the client doesn't see any + // renegotiation during an attack. However this would mean we could not + // connect to any server which doesn't support RI. + // + // OpenSSL has |SSL_OP_LEGACY_SERVER_CONNECT| to control this, but in + // practical terms every client sets it so it's just assumed here. return 1; } const size_t expected_len = ssl->s3->previous_client_finished_len + ssl->s3->previous_server_finished_len; - /* Check for logic errors */ + // Check for logic errors assert(!expected_len || ssl->s3->previous_client_finished_len); assert(!expected_len || ssl->s3->previous_server_finished_len); assert(ssl->s3->initial_handshake_complete == @@ -766,7 +766,7 @@ static int ext_ri_parse_serverhello(SSL_HANDSHAKE *hs, uint8_t *out_alert, assert(ssl->s3->initial_handshake_complete == (ssl->s3->previous_server_finished_len != 0)); - /* Parse out the extension contents. */ + // Parse out the extension contents. CBS renegotiated_connection; if (!CBS_get_u8_length_prefixed(contents, &renegotiated_connection) || CBS_len(contents) != 0) { @@ -775,7 +775,7 @@ static int ext_ri_parse_serverhello(SSL_HANDSHAKE *hs, uint8_t *out_alert, return 0; } - /* Check that the extension matches. */ + // Check that the extension matches. if (CBS_len(&renegotiated_connection) != expected_len) { OPENSSL_PUT_ERROR(SSL, SSL_R_RENEGOTIATION_MISMATCH); *out_alert = SSL_AD_HANDSHAKE_FAILURE; @@ -813,8 +813,8 @@ static int ext_ri_parse_serverhello(SSL_HANDSHAKE *hs, uint8_t *out_alert, static int ext_ri_parse_clienthello(SSL_HANDSHAKE *hs, uint8_t *out_alert, CBS *contents) { SSL *const ssl = hs->ssl; - /* Renegotiation isn't supported as a server so this function should never be - * called after the initial handshake. */ + // Renegotiation isn't supported as a server so this function should never be + // called after the initial handshake. assert(!ssl->s3->initial_handshake_complete); if (ssl3_protocol_version(ssl) >= TLS1_3_VERSION) { @@ -832,8 +832,8 @@ static int ext_ri_parse_clienthello(SSL_HANDSHAKE *hs, uint8_t *out_alert, return 0; } - /* Check that the extension matches. We do not support renegotiation as a - * server, so this must be empty. */ + // Check that the extension matches. We do not support renegotiation as a + // server, so this must be empty. if (CBS_len(&renegotiated_connection) != 0) { OPENSSL_PUT_ERROR(SSL, SSL_R_RENEGOTIATION_MISMATCH); *out_alert = SSL_AD_HANDSHAKE_FAILURE; @@ -847,8 +847,8 @@ static int ext_ri_parse_clienthello(SSL_HANDSHAKE *hs, uint8_t *out_alert, static int ext_ri_add_serverhello(SSL_HANDSHAKE *hs, CBB *out) { SSL *const ssl = hs->ssl; - /* Renegotiation isn't supported as a server so this function should never be - * called after the initial handshake. */ + // Renegotiation isn't supported as a server so this function should never be + // called after the initial handshake. assert(!ssl->s3->initial_handshake_complete); if (ssl3_protocol_version(ssl) >= TLS1_3_VERSION) { @@ -865,12 +865,12 @@ static int ext_ri_add_serverhello(SSL_HANDSHAKE *hs, CBB *out) { } -/* Extended Master Secret. - * - * https://tools.ietf.org/html/rfc7627 */ +// Extended Master Secret. +// +// https://tools.ietf.org/html/rfc7627 static int ext_ems_add_clienthello(SSL_HANDSHAKE *hs, CBB *out) { - /* Extended master secret is not necessary in TLS 1.3. */ + // Extended master secret is not necessary in TLS 1.3. if (hs->min_version >= TLS1_3_VERSION || hs->max_version <= SSL3_VERSION) { return 1; } @@ -897,7 +897,7 @@ static int ext_ems_parse_serverhello(SSL_HANDSHAKE *hs, uint8_t *out_alert, hs->extended_master_secret = 1; } - /* Whether EMS is negotiated may not change on renegotiation. */ + // Whether EMS is negotiated may not change on renegotiation. if (ssl->s3->established_session != NULL && hs->extended_master_secret != ssl->s3->established_session->extended_master_secret) { @@ -943,13 +943,13 @@ static int ext_ems_add_serverhello(SSL_HANDSHAKE *hs, CBB *out) { } -/* Session tickets. - * - * https://tools.ietf.org/html/rfc5077 */ +// Session tickets. +// +// https://tools.ietf.org/html/rfc5077 static int ext_ticket_add_clienthello(SSL_HANDSHAKE *hs, CBB *out) { SSL *const ssl = hs->ssl; - /* TLS 1.3 uses a different ticket extension. */ + // TLS 1.3 uses a different ticket extension. if (hs->min_version >= TLS1_3_VERSION || SSL_get_options(ssl) & SSL_OP_NO_TICKET) { return 1; @@ -958,14 +958,14 @@ static int ext_ticket_add_clienthello(SSL_HANDSHAKE *hs, CBB *out) { const uint8_t *ticket_data = NULL; int ticket_len = 0; - /* Renegotiation does not participate in session resumption. However, still - * advertise the extension to avoid potentially breaking servers which carry - * over the state from the previous handshake, such as OpenSSL servers - * without upstream's 3c3f0259238594d77264a78944d409f2127642c4. */ + // Renegotiation does not participate in session resumption. However, still + // advertise the extension to avoid potentially breaking servers which carry + // over the state from the previous handshake, such as OpenSSL servers + // without upstream's 3c3f0259238594d77264a78944d409f2127642c4. if (!ssl->s3->initial_handshake_complete && ssl->session != NULL && ssl->session->tlsext_tick != NULL && - /* Don't send TLS 1.3 session tickets in the ticket extension. */ + // Don't send TLS 1.3 session tickets in the ticket extension. SSL_SESSION_protocol_version(ssl->session) < TLS1_3_VERSION) { ticket_data = ssl->session->tlsext_tick; ticket_len = ssl->session->tlsext_ticklen; @@ -993,9 +993,9 @@ static int ext_ticket_parse_serverhello(SSL_HANDSHAKE *hs, uint8_t *out_alert, return 0; } - /* If |SSL_OP_NO_TICKET| is set then no extension will have been sent and - * this function should never be called, even if the server tries to send the - * extension. */ + // If |SSL_OP_NO_TICKET| is set then no extension will have been sent and + // this function should never be called, even if the server tries to send the + // extension. assert((SSL_get_options(ssl) & SSL_OP_NO_TICKET) == 0); if (CBS_len(contents) != 0) { @@ -1011,7 +1011,7 @@ static int ext_ticket_add_serverhello(SSL_HANDSHAKE *hs, CBB *out) { return 1; } - /* If |SSL_OP_NO_TICKET| is set, |ticket_expected| should never be true. */ + // If |SSL_OP_NO_TICKET| is set, |ticket_expected| should never be true. assert((SSL_get_options(hs->ssl) & SSL_OP_NO_TICKET) == 0); if (!CBB_add_u16(out, TLSEXT_TYPE_session_ticket) || @@ -1023,9 +1023,9 @@ static int ext_ticket_add_serverhello(SSL_HANDSHAKE *hs, CBB *out) { } -/* Signature Algorithms. - * - * https://tools.ietf.org/html/rfc5246#section-7.4.1.4.1 */ +// Signature Algorithms. +// +// https://tools.ietf.org/html/rfc5246#section-7.4.1.4.1 static int ext_sigalgs_add_clienthello(SSL_HANDSHAKE *hs, CBB *out) { SSL *const ssl = hs->ssl; @@ -1067,9 +1067,9 @@ static int ext_sigalgs_parse_clienthello(SSL_HANDSHAKE *hs, uint8_t *out_alert, } -/* OCSP Stapling. - * - * https://tools.ietf.org/html/rfc6066#section-8 */ +// OCSP Stapling. +// +// https://tools.ietf.org/html/rfc6066#section-8 static int ext_ocsp_add_clienthello(SSL_HANDSHAKE *hs, CBB *out) { SSL *const ssl = hs->ssl; @@ -1097,20 +1097,20 @@ static int ext_ocsp_parse_serverhello(SSL_HANDSHAKE *hs, uint8_t *out_alert, return 1; } - /* TLS 1.3 OCSP responses are included in the Certificate extensions. */ + // TLS 1.3 OCSP responses are included in the Certificate extensions. if (ssl3_protocol_version(ssl) >= TLS1_3_VERSION) { return 0; } - /* OCSP stapling is forbidden on non-certificate ciphers. */ + // OCSP stapling is forbidden on non-certificate ciphers. if (CBS_len(contents) != 0 || !ssl_cipher_uses_certificate_auth(hs->new_cipher)) { return 0; } - /* Note this does not check for resumption in TLS 1.2. Sending - * status_request here does not make sense, but OpenSSL does so and the - * specification does not say anything. Tolerate it but ignore it. */ + // Note this does not check for resumption in TLS 1.2. Sending + // status_request here does not make sense, but OpenSSL does so and the + // specification does not say anything. Tolerate it but ignore it. hs->certificate_status_expected = 1; return 1; @@ -1127,8 +1127,8 @@ static int ext_ocsp_parse_clienthello(SSL_HANDSHAKE *hs, uint8_t *out_alert, return 0; } - /* We cannot decide whether OCSP stapling will occur yet because the correct - * SSL_CTX might not have been selected. */ + // We cannot decide whether OCSP stapling will occur yet because the correct + // SSL_CTX might not have been selected. hs->ocsp_stapling_requested = status_type == TLSEXT_STATUSTYPE_ocsp; return 1; @@ -1151,9 +1151,9 @@ static int ext_ocsp_add_serverhello(SSL_HANDSHAKE *hs, CBB *out) { } -/* Next protocol negotiation. - * - * https://htmlpreview.github.io/?https://github.com/agl/technotes/blob/master/nextprotoneg.html */ +// Next protocol negotiation. +// +// https://htmlpreview.github.io/?https://github.com/agl/technotes/blob/master/nextprotoneg.html static int ext_npn_add_clienthello(SSL_HANDSHAKE *hs, CBB *out) { SSL *const ssl = hs->ssl; @@ -1182,15 +1182,15 @@ static int ext_npn_parse_serverhello(SSL_HANDSHAKE *hs, uint8_t *out_alert, return 0; } - /* If any of these are false then we should never have sent the NPN - * extension in the ClientHello and thus this function should never have been - * called. */ + // If any of these are false then we should never have sent the NPN + // extension in the ClientHello and thus this function should never have been + // called. assert(!ssl->s3->initial_handshake_complete); assert(!SSL_is_dtls(ssl)); assert(ssl->ctx->next_proto_select_cb != NULL); if (ssl->s3->alpn_selected != NULL) { - /* NPN and ALPN may not be negotiated in the same connection. */ + // NPN and ALPN may not be negotiated in the same connection. *out_alert = SSL_AD_ILLEGAL_PARAMETER; OPENSSL_PUT_ERROR(SSL, SSL_R_NEGOTIATED_BOTH_NPN_AND_ALPN); return 0; @@ -1254,8 +1254,8 @@ static int ext_npn_parse_clienthello(SSL_HANDSHAKE *hs, uint8_t *out_alert, static int ext_npn_add_serverhello(SSL_HANDSHAKE *hs, CBB *out) { SSL *const ssl = hs->ssl; - /* |next_proto_neg_seen| might have been cleared when an ALPN extension was - * parsed. */ + // |next_proto_neg_seen| might have been cleared when an ALPN extension was + // parsed. if (!hs->next_proto_neg_seen) { return 1; } @@ -1282,9 +1282,9 @@ static int ext_npn_add_serverhello(SSL_HANDSHAKE *hs, CBB *out) { } -/* Signed certificate timestamps. - * - * https://tools.ietf.org/html/rfc6962#section-3.3.1 */ +// Signed certificate timestamps. +// +// https://tools.ietf.org/html/rfc6962#section-3.3.1 static int ext_sct_add_clienthello(SSL_HANDSHAKE *hs, CBB *out) { SSL *const ssl = hs->ssl; @@ -1307,14 +1307,14 @@ static int ext_sct_parse_serverhello(SSL_HANDSHAKE *hs, uint8_t *out_alert, return 1; } - /* TLS 1.3 SCTs are included in the Certificate extensions. */ + // TLS 1.3 SCTs are included in the Certificate extensions. if (ssl3_protocol_version(ssl) >= TLS1_3_VERSION) { *out_alert = SSL_AD_DECODE_ERROR; return 0; } - /* If this is false then we should never have sent the SCT extension in the - * ClientHello and thus this function should never have been called. */ + // If this is false then we should never have sent the SCT extension in the + // ClientHello and thus this function should never have been called. assert(ssl->signed_cert_timestamps_enabled); if (!ssl_is_sct_list_valid(contents)) { @@ -1322,11 +1322,11 @@ static int ext_sct_parse_serverhello(SSL_HANDSHAKE *hs, uint8_t *out_alert, return 0; } - /* Session resumption uses the original session information. The extension - * should not be sent on resumption, but RFC 6962 did not make it a - * requirement, so tolerate this. - * - * TODO(davidben): Enforce this anyway. */ + // Session resumption uses the original session information. The extension + // should not be sent on resumption, but RFC 6962 did not make it a + // requirement, so tolerate this. + // + // TODO(davidben): Enforce this anyway. if (!ssl->s3->session_reused) { CRYPTO_BUFFER_free(hs->new_session->signed_cert_timestamp_list); hs->new_session->signed_cert_timestamp_list = @@ -1356,7 +1356,7 @@ static int ext_sct_parse_clienthello(SSL_HANDSHAKE *hs, uint8_t *out_alert, static int ext_sct_add_serverhello(SSL_HANDSHAKE *hs, CBB *out) { SSL *const ssl = hs->ssl; - /* The extension shouldn't be sent when resuming sessions. */ + // The extension shouldn't be sent when resuming sessions. if (ssl3_protocol_version(ssl) >= TLS1_3_VERSION || ssl->s3->session_reused || ssl->cert->signed_cert_timestamp_list == NULL) { @@ -1374,9 +1374,9 @@ static int ext_sct_add_serverhello(SSL_HANDSHAKE *hs, CBB *out) { } -/* Application-level Protocol Negotiation. - * - * https://tools.ietf.org/html/rfc7301 */ +// Application-level Protocol Negotiation. +// +// https://tools.ietf.org/html/rfc7301 static int ext_alpn_add_clienthello(SSL_HANDSHAKE *hs, CBB *out) { SSL *const ssl = hs->ssl; @@ -1409,26 +1409,26 @@ static int ext_alpn_parse_serverhello(SSL_HANDSHAKE *hs, uint8_t *out_alert, assert(ssl->alpn_client_proto_list != NULL); if (hs->next_proto_neg_seen) { - /* NPN and ALPN may not be negotiated in the same connection. */ + // NPN and ALPN may not be negotiated in the same connection. *out_alert = SSL_AD_ILLEGAL_PARAMETER; OPENSSL_PUT_ERROR(SSL, SSL_R_NEGOTIATED_BOTH_NPN_AND_ALPN); return 0; } - /* The extension data consists of a ProtocolNameList which must have - * exactly one ProtocolName. Each of these is length-prefixed. */ + // The extension data consists of a ProtocolNameList which must have + // exactly one ProtocolName. Each of these is length-prefixed. CBS protocol_name_list, protocol_name; if (!CBS_get_u16_length_prefixed(contents, &protocol_name_list) || CBS_len(contents) != 0 || !CBS_get_u8_length_prefixed(&protocol_name_list, &protocol_name) || - /* Empty protocol names are forbidden. */ + // Empty protocol names are forbidden. CBS_len(&protocol_name) == 0 || CBS_len(&protocol_name_list) != 0) { return 0; } if (!ssl->ctx->allow_unknown_alpn_protos) { - /* Check that the protocol name is one of the ones we advertised. */ + // Check that the protocol name is one of the ones we advertised. int protocol_ok = 0; CBS client_protocol_name_list, client_protocol_name; CBS_init(&client_protocol_name_list, ssl->alpn_client_proto_list, @@ -1473,11 +1473,11 @@ int ssl_negotiate_alpn(SSL_HANDSHAKE *hs, uint8_t *out_alert, !ssl_client_hello_get_extension( client_hello, &contents, TLSEXT_TYPE_application_layer_protocol_negotiation)) { - /* Ignore ALPN if not configured or no extension was supplied. */ + // Ignore ALPN if not configured or no extension was supplied. return 1; } - /* ALPN takes precedence over NPN. */ + // ALPN takes precedence over NPN. hs->next_proto_neg_seen = 0; CBS protocol_name_list; @@ -1489,13 +1489,13 @@ int ssl_negotiate_alpn(SSL_HANDSHAKE *hs, uint8_t *out_alert, return 0; } - /* Validate the protocol list. */ + // Validate the protocol list. CBS protocol_name_list_copy = protocol_name_list; while (CBS_len(&protocol_name_list_copy) > 0) { CBS protocol_name; if (!CBS_get_u8_length_prefixed(&protocol_name_list_copy, &protocol_name) || - /* Empty protocol names are forbidden. */ + // Empty protocol names are forbidden. CBS_len(&protocol_name) == 0) { OPENSSL_PUT_ERROR(SSL, SSL_R_PARSE_TLSEXT); *out_alert = SSL_AD_DECODE_ERROR; @@ -1542,9 +1542,9 @@ static int ext_alpn_add_serverhello(SSL_HANDSHAKE *hs, CBB *out) { } -/* Channel ID. - * - * https://tools.ietf.org/html/draft-balfanz-tls-channelid-01 */ +// Channel ID. +// +// https://tools.ietf.org/html/draft-balfanz-tls-channelid-01 static void ext_channel_id_init(SSL_HANDSHAKE *hs) { hs->ssl->s3->tlsext_channel_id_valid = 0; @@ -1615,9 +1615,9 @@ static int ext_channel_id_add_serverhello(SSL_HANDSHAKE *hs, CBB *out) { } -/* Secure Real-time Transport Protocol (SRTP) extension. - * - * https://tools.ietf.org/html/rfc5764 */ +// Secure Real-time Transport Protocol (SRTP) extension. +// +// https://tools.ietf.org/html/rfc5764 static void ext_srtp_init(SSL_HANDSHAKE *hs) { @@ -1660,10 +1660,10 @@ static int ext_srtp_parse_serverhello(SSL_HANDSHAKE *hs, uint8_t *out_alert, return 1; } - /* The extension consists of a u16-prefixed profile ID list containing a - * single uint16_t profile ID, then followed by a u8-prefixed srtp_mki field. - * - * See https://tools.ietf.org/html/rfc5764#section-4.1.1 */ + // The extension consists of a u16-prefixed profile ID list containing a + // single uint16_t profile ID, then followed by a u8-prefixed srtp_mki field. + // + // See https://tools.ietf.org/html/rfc5764#section-4.1.1 CBS profile_ids, srtp_mki; uint16_t profile_id; if (!CBS_get_u16_length_prefixed(contents, &profile_ids) || @@ -1676,7 +1676,7 @@ static int ext_srtp_parse_serverhello(SSL_HANDSHAKE *hs, uint8_t *out_alert, } if (CBS_len(&srtp_mki) != 0) { - /* Must be no MKI, since we never offer one. */ + // Must be no MKI, since we never offer one. OPENSSL_PUT_ERROR(SSL, SSL_R_BAD_SRTP_MKI_VALUE); *out_alert = SSL_AD_ILLEGAL_PARAMETER; return 0; @@ -1684,8 +1684,8 @@ static int ext_srtp_parse_serverhello(SSL_HANDSHAKE *hs, uint8_t *out_alert, STACK_OF(SRTP_PROTECTION_PROFILE) *profiles = SSL_get_srtp_profiles(ssl); - /* Check to see if the server gave us something we support (and presumably - * offered). */ + // Check to see if the server gave us something we support (and presumably + // offered). for (const SRTP_PROTECTION_PROFILE *profile : profiles) { if (profile->id == profile_id) { ssl->srtp_profile = profile; @@ -1713,12 +1713,12 @@ static int ext_srtp_parse_clienthello(SSL_HANDSHAKE *hs, uint8_t *out_alert, OPENSSL_PUT_ERROR(SSL, SSL_R_BAD_SRTP_PROTECTION_PROFILE_LIST); return 0; } - /* Discard the MKI value for now. */ + // Discard the MKI value for now. const STACK_OF(SRTP_PROTECTION_PROFILE) *server_profiles = SSL_get_srtp_profiles(ssl); - /* Pick the server's most preferred profile. */ + // Pick the server's most preferred profile. for (const SRTP_PROTECTION_PROFILE *server_profile : server_profiles) { CBS profile_ids_tmp; CBS_init(&profile_ids_tmp, CBS_data(&profile_ids), CBS_len(&profile_ids)); @@ -1759,9 +1759,9 @@ static int ext_srtp_add_serverhello(SSL_HANDSHAKE *hs, CBB *out) { } -/* EC point formats. - * - * https://tools.ietf.org/html/rfc4492#section-5.1.2 */ +// EC point formats. +// +// https://tools.ietf.org/html/rfc4492#section-5.1.2 static int ext_ec_point_add_extension(SSL_HANDSHAKE *hs, CBB *out) { CBB contents, formats; @@ -1777,7 +1777,7 @@ static int ext_ec_point_add_extension(SSL_HANDSHAKE *hs, CBB *out) { } static int ext_ec_point_add_clienthello(SSL_HANDSHAKE *hs, CBB *out) { - /* The point format extension is unneccessary in TLS 1.3. */ + // The point format extension is unneccessary in TLS 1.3. if (hs->min_version >= TLS1_3_VERSION) { return 1; } @@ -1801,8 +1801,8 @@ static int ext_ec_point_parse_serverhello(SSL_HANDSHAKE *hs, uint8_t *out_alert, return 0; } - /* Per RFC 4492, section 5.1.2, implementations MUST support the uncompressed - * point format. */ + // Per RFC 4492, section 5.1.2, implementations MUST support the uncompressed + // point format. if (OPENSSL_memchr(CBS_data(&ec_point_format_list), TLSEXT_ECPOINTFORMAT_uncompressed, CBS_len(&ec_point_format_list)) == NULL) { @@ -1840,9 +1840,9 @@ static int ext_ec_point_add_serverhello(SSL_HANDSHAKE *hs, CBB *out) { } -/* Pre Shared Key - * - * https://tools.ietf.org/html/draft-ietf-tls-tls13-18#section-4.2.6 */ +// Pre Shared Key +// +// https://tools.ietf.org/html/draft-ietf-tls-tls13-18#section-4.2.6 static size_t ext_pre_shared_key_clienthello_length(SSL_HANDSHAKE *hs) { SSL *const ssl = hs->ssl; @@ -1867,8 +1867,8 @@ static int ext_pre_shared_key_add_clienthello(SSL_HANDSHAKE *hs, CBB *out) { uint32_t ticket_age = 1000 * (now.tv_sec - ssl->session->time); uint32_t obfuscated_ticket_age = ticket_age + ssl->session->ticket_age_add; - /* Fill in a placeholder zero binder of the appropriate length. It will be - * computed and filled in later after length prefixes are computed. */ + // Fill in a placeholder zero binder of the appropriate length. It will be + // computed and filled in later after length prefixes are computed. uint8_t zero_binder[EVP_MAX_MD_SIZE] = {0}; size_t binder_len = EVP_MD_size(SSL_SESSION_get_digest(ssl->session)); @@ -1901,7 +1901,7 @@ int ssl_ext_pre_shared_key_parse_serverhello(SSL_HANDSHAKE *hs, return 0; } - /* We only advertise one PSK identity, so the only legal index is zero. */ + // We only advertise one PSK identity, so the only legal index is zero. if (psk_id != 0) { OPENSSL_PUT_ERROR(SSL, SSL_R_PSK_IDENTITY_NOT_FOUND); *out_alert = SSL_AD_UNKNOWN_PSK_IDENTITY; @@ -1914,7 +1914,7 @@ int ssl_ext_pre_shared_key_parse_serverhello(SSL_HANDSHAKE *hs, int ssl_ext_pre_shared_key_parse_clienthello( SSL_HANDSHAKE *hs, CBS *out_ticket, CBS *out_binders, uint32_t *out_obfuscated_ticket_age, uint8_t *out_alert, CBS *contents) { - /* We only process the first PSK identity since we don't support pure PSK. */ + // We only process the first PSK identity since we don't support pure PSK. CBS identities, binders; if (!CBS_get_u16_length_prefixed(contents, &identities) || !CBS_get_u16_length_prefixed(&identities, out_ticket) || @@ -1929,7 +1929,7 @@ int ssl_ext_pre_shared_key_parse_clienthello( *out_binders = binders; - /* Check the syntax of the remaining identities, but do not process them. */ + // Check the syntax of the remaining identities, but do not process them. size_t num_identities = 1; while (CBS_len(&identities) != 0) { CBS unused_ticket; @@ -1944,8 +1944,8 @@ int ssl_ext_pre_shared_key_parse_clienthello( num_identities++; } - /* Check the syntax of the binders. The value will be checked later if - * resuming. */ + // Check the syntax of the binders. The value will be checked later if + // resuming. size_t num_binders = 0; while (CBS_len(&binders) != 0) { CBS binder; @@ -1975,7 +1975,7 @@ int ssl_ext_pre_shared_key_add_serverhello(SSL_HANDSHAKE *hs, CBB *out) { CBB contents; if (!CBB_add_u16(out, TLSEXT_TYPE_pre_shared_key) || !CBB_add_u16_length_prefixed(out, &contents) || - /* We only consider the first identity for resumption */ + // We only consider the first identity for resumption !CBB_add_u16(&contents, 0) || !CBB_flush(out)) { return 0; @@ -1985,9 +1985,9 @@ int ssl_ext_pre_shared_key_add_serverhello(SSL_HANDSHAKE *hs, CBB *out) { } -/* Pre-Shared Key Exchange Modes - * - * https://tools.ietf.org/html/draft-ietf-tls-tls13-18#section-4.2.7 */ +// Pre-Shared Key Exchange Modes +// +// https://tools.ietf.org/html/draft-ietf-tls-tls13-18#section-4.2.7 static int ext_psk_key_exchange_modes_add_clienthello(SSL_HANDSHAKE *hs, CBB *out) { @@ -2021,7 +2021,7 @@ static int ext_psk_key_exchange_modes_parse_clienthello(SSL_HANDSHAKE *hs, return 0; } - /* We only support tickets with PSK_DHE_KE. */ + // We only support tickets with PSK_DHE_KE. hs->accept_psk_mode = OPENSSL_memchr(CBS_data(&ke_modes), SSL_PSK_DHE_KE, CBS_len(&ke_modes)) != NULL; @@ -2029,9 +2029,9 @@ static int ext_psk_key_exchange_modes_parse_clienthello(SSL_HANDSHAKE *hs, } -/* Early Data Indication - * - * https://tools.ietf.org/html/draft-ietf-tls-tls13-18#section-4.2.8 */ +// Early Data Indication +// +// https://tools.ietf.org/html/draft-ietf-tls-tls13-18#section-4.2.8 static int ext_early_data_add_clienthello(SSL_HANDSHAKE *hs, CBB *out) { SSL *const ssl = hs->ssl; @@ -2108,9 +2108,9 @@ static int ext_early_data_add_serverhello(SSL_HANDSHAKE *hs, CBB *out) { } -/* Key Share - * - * https://tools.ietf.org/html/draft-ietf-tls-tls13-16#section-4.2.5 */ +// Key Share +// +// https://tools.ietf.org/html/draft-ietf-tls-tls13-16#section-4.2.5 static int ext_key_share_add_clienthello(SSL_HANDSHAKE *hs, CBB *out) { SSL *const ssl = hs->ssl; @@ -2127,8 +2127,8 @@ static int ext_key_share_add_clienthello(SSL_HANDSHAKE *hs, CBB *out) { uint16_t group_id = hs->retry_group; if (hs->received_hello_retry_request) { - /* We received a HelloRetryRequest without a new curve, so there is no new - * share to append. Leave |hs->key_share| as-is. */ + // We received a HelloRetryRequest without a new curve, so there is no new + // share to append. Leave |hs->key_share| as-is. if (group_id == 0 && !CBB_add_bytes(&kse_bytes, hs->key_share_bytes, hs->key_share_bytes_len)) { @@ -2141,7 +2141,7 @@ static int ext_key_share_add_clienthello(SSL_HANDSHAKE *hs, CBB *out) { return CBB_flush(out); } } else { - /* Add a fake group. See draft-davidben-tls-grease-01. */ + // Add a fake group. See draft-davidben-tls-grease-01. if (ssl->ctx->grease_enabled && (!CBB_add_u16(&kse_bytes, ssl_get_grease_value(ssl, ssl_grease_group)) || @@ -2150,7 +2150,7 @@ static int ext_key_share_add_clienthello(SSL_HANDSHAKE *hs, CBB *out) { return 0; } - /* Predict the most preferred group. */ + // Predict the most preferred group. const uint16_t *groups; size_t groups_len; tls1_get_grouplist(ssl, &groups, &groups_len); @@ -2173,8 +2173,8 @@ static int ext_key_share_add_clienthello(SSL_HANDSHAKE *hs, CBB *out) { } if (!hs->received_hello_retry_request) { - /* Save the contents of the extension to repeat it in the second - * ClientHello. */ + // Save the contents of the extension to repeat it in the second + // ClientHello. hs->key_share_bytes_len = CBB_len(&kse_bytes); hs->key_share_bytes = (uint8_t *)BUF_memdup(CBB_data(&kse_bytes), CBB_len(&kse_bytes)); @@ -2233,7 +2233,7 @@ int ssl_ext_key_share_parse_clienthello(SSL_HANDSHAKE *hs, int *out_found, return 0; } - /* Find the corresponding key share. */ + // Find the corresponding key share. int found = 0; CBS peer_key; while (CBS_len(&key_shares) > 0) { @@ -2254,7 +2254,7 @@ int ssl_ext_key_share_parse_clienthello(SSL_HANDSHAKE *hs, int *out_found, found = 1; peer_key = peer_key_tmp; - /* Continue parsing the structure to keep peers honest. */ + // Continue parsing the structure to keep peers honest. } } @@ -2265,7 +2265,7 @@ int ssl_ext_key_share_parse_clienthello(SSL_HANDSHAKE *hs, int *out_found, return 1; } - /* Compute the DH secret. */ + // Compute the DH secret. uint8_t *secret = NULL; size_t secret_len; ScopedCBB public_key; @@ -2310,9 +2310,9 @@ int ssl_ext_key_share_add_serverhello(SSL_HANDSHAKE *hs, CBB *out) { } -/* Supported Versions - * - * https://tools.ietf.org/html/draft-ietf-tls-tls13-16#section-4.2.1 */ +// Supported Versions +// +// https://tools.ietf.org/html/draft-ietf-tls-tls13-16#section-4.2.1 static int ext_supported_versions_add_clienthello(SSL_HANDSHAKE *hs, CBB *out) { SSL *const ssl = hs->ssl; @@ -2327,7 +2327,7 @@ static int ext_supported_versions_add_clienthello(SSL_HANDSHAKE *hs, CBB *out) { return 0; } - /* Add a fake version. See draft-davidben-tls-grease-01. */ + // Add a fake version. See draft-davidben-tls-grease-01. if (ssl->ctx->grease_enabled && !CBB_add_u16(&versions, ssl_get_grease_value(ssl, ssl_grease_version))) { return 0; @@ -2342,9 +2342,9 @@ static int ext_supported_versions_add_clienthello(SSL_HANDSHAKE *hs, CBB *out) { } -/* Cookie - * - * https://tools.ietf.org/html/draft-ietf-tls-tls13-16#section-4.2.2 */ +// Cookie +// +// https://tools.ietf.org/html/draft-ietf-tls-tls13-16#section-4.2.2 static int ext_cookie_add_clienthello(SSL_HANDSHAKE *hs, CBB *out) { if (hs->cookie == NULL) { @@ -2360,7 +2360,7 @@ static int ext_cookie_add_clienthello(SSL_HANDSHAKE *hs, CBB *out) { return 0; } - /* The cookie is no longer needed in memory. */ + // The cookie is no longer needed in memory. OPENSSL_free(hs->cookie); hs->cookie = NULL; hs->cookie_len = 0; @@ -2368,10 +2368,10 @@ static int ext_cookie_add_clienthello(SSL_HANDSHAKE *hs, CBB *out) { } -/* Negotiated Groups - * - * https://tools.ietf.org/html/rfc4492#section-5.1.2 - * https://tools.ietf.org/html/draft-ietf-tls-tls13-16#section-4.2.4 */ +// Negotiated Groups +// +// https://tools.ietf.org/html/rfc4492#section-5.1.2 +// https://tools.ietf.org/html/draft-ietf-tls-tls13-16#section-4.2.4 static int ext_supported_groups_add_clienthello(SSL_HANDSHAKE *hs, CBB *out) { SSL *const ssl = hs->ssl; @@ -2382,7 +2382,7 @@ static int ext_supported_groups_add_clienthello(SSL_HANDSHAKE *hs, CBB *out) { return 0; } - /* Add a fake group. See draft-davidben-tls-grease-01. */ + // Add a fake group. See draft-davidben-tls-grease-01. if (ssl->ctx->grease_enabled && !CBB_add_u16(&groups_bytes, ssl_get_grease_value(ssl, ssl_grease_group))) { @@ -2405,8 +2405,8 @@ static int ext_supported_groups_add_clienthello(SSL_HANDSHAKE *hs, CBB *out) { static int ext_supported_groups_parse_serverhello(SSL_HANDSHAKE *hs, uint8_t *out_alert, CBS *contents) { - /* This extension is not expected to be echoed by servers in TLS 1.2, but some - * BigIP servers send it nonetheless, so do not enforce this. */ + // This extension is not expected to be echoed by servers in TLS 1.2, but some + // BigIP servers send it nonetheless, so do not enforce this. return 1; } @@ -2453,12 +2453,12 @@ err: } static int ext_supported_groups_add_serverhello(SSL_HANDSHAKE *hs, CBB *out) { - /* Servers don't echo this extension. */ + // Servers don't echo this extension. return 1; } -/* kExtensions contains all the supported extensions. */ +// kExtensions contains all the supported extensions. static const struct tls_extension kExtensions[] = { { TLSEXT_TYPE_renegotiate, @@ -2489,7 +2489,7 @@ static const struct tls_extension kExtensions[] = { NULL, ext_ticket_add_clienthello, ext_ticket_parse_serverhello, - /* Ticket extension client parsing is handled in ssl_session.c */ + // Ticket extension client parsing is handled in ssl_session.c ignore_parse_clienthello, ext_ticket_add_serverhello, }, @@ -2530,7 +2530,7 @@ static const struct tls_extension kExtensions[] = { NULL, ext_alpn_add_clienthello, ext_alpn_parse_serverhello, - /* ALPN is negotiated late in |ssl_negotiate_alpn|. */ + // ALPN is negotiated late in |ssl_negotiate_alpn|. ignore_parse_clienthello, ext_alpn_add_serverhello, }, @@ -2598,9 +2598,9 @@ static const struct tls_extension kExtensions[] = { ignore_parse_clienthello, dont_add_serverhello, }, - /* The final extension must be non-empty. WebSphere Application Server 7.0 is - * intolerant to the last extension being zero-length. See - * https://crbug.com/363583. */ + // The final extension must be non-empty. WebSphere Application Server 7.0 is + // intolerant to the last extension being zero-length. See + // https://crbug.com/363583. { TLSEXT_TYPE_supported_groups, NULL, @@ -2635,7 +2635,7 @@ static const struct tls_extension *tls_extension_find(uint32_t *out_index, int ssl_add_clienthello_tlsext(SSL_HANDSHAKE *hs, CBB *out, size_t header_len) { SSL *const ssl = hs->ssl; - /* Don't add extensions for SSLv3 unless doing secure renegotiation. */ + // Don't add extensions for SSLv3 unless doing secure renegotiation. if (hs->client_version == SSL3_VERSION && !ssl->s3->send_connection_binding) { return 1; @@ -2658,7 +2658,7 @@ int ssl_add_clienthello_tlsext(SSL_HANDSHAKE *hs, CBB *out, size_t header_len) { uint16_t grease_ext1 = 0; if (ssl->ctx->grease_enabled) { - /* Add a fake empty extension. See draft-davidben-tls-grease-01. */ + // Add a fake empty extension. See draft-davidben-tls-grease-01. grease_ext1 = ssl_get_grease_value(ssl, ssl_grease_extension1); if (!CBB_add_u16(&extensions, grease_ext1) || !CBB_add_u16(&extensions, 0 /* zero length */)) { @@ -2686,12 +2686,12 @@ int ssl_add_clienthello_tlsext(SSL_HANDSHAKE *hs, CBB *out, size_t header_len) { } if (ssl->ctx->grease_enabled) { - /* Add a fake non-empty extension. See draft-davidben-tls-grease-01. */ + // Add a fake non-empty extension. See draft-davidben-tls-grease-01. uint16_t grease_ext2 = ssl_get_grease_value(ssl, ssl_grease_extension2); - /* The two fake extensions must not have the same value. GREASE values are - * of the form 0x1a1a, 0x2a2a, 0x3a3a, etc., so XOR to generate a different - * one. */ + // The two fake extensions must not have the same value. GREASE values are + // of the form 0x1a1a, 0x2a2a, 0x3a3a, etc., so XOR to generate a different + // one. if (grease_ext1 == grease_ext2) { grease_ext2 ^= 0x1010; } @@ -2708,15 +2708,15 @@ int ssl_add_clienthello_tlsext(SSL_HANDSHAKE *hs, CBB *out, size_t header_len) { size_t psk_extension_len = ext_pre_shared_key_clienthello_length(hs); header_len += 2 + CBB_len(&extensions) + psk_extension_len; if (header_len > 0xff && header_len < 0x200) { - /* Add padding to workaround bugs in F5 terminators. See RFC 7685. - * - * NB: because this code works out the length of all existing extensions - * it MUST always appear last. */ + // Add padding to workaround bugs in F5 terminators. See RFC 7685. + // + // NB: because this code works out the length of all existing extensions + // it MUST always appear last. size_t padding_len = 0x200 - header_len; - /* Extensions take at least four bytes to encode. Always include at least - * one byte of data if including the extension. WebSphere Application - * Server 7.0 is intolerant to the last extension being zero-length. See - * https://crbug.com/363583. */ + // Extensions take at least four bytes to encode. Always include at least + // one byte of data if including the extension. WebSphere Application + // Server 7.0 is intolerant to the last extension being zero-length. See + // https://crbug.com/363583. if (padding_len >= 4 + 1) { padding_len -= 4; } else { @@ -2735,13 +2735,13 @@ int ssl_add_clienthello_tlsext(SSL_HANDSHAKE *hs, CBB *out, size_t header_len) { } } - /* The PSK extension must be last, including after the padding. */ + // The PSK extension must be last, including after the padding. if (!ext_pre_shared_key_add_clienthello(hs, &extensions)) { OPENSSL_PUT_ERROR(SSL, ERR_R_INTERNAL_ERROR); return 0; } - /* Discard empty extensions blocks. */ + // Discard empty extensions blocks. if (CBB_len(&extensions) == 0) { CBB_discard_child(out); } @@ -2758,7 +2758,7 @@ int ssl_add_serverhello_tlsext(SSL_HANDSHAKE *hs, CBB *out) { for (unsigned i = 0; i < kNumExtensions; i++) { if (!(hs->extensions.received & (1u << i))) { - /* Don't send extensions that were not received. */ + // Don't send extensions that were not received. continue; } @@ -2773,7 +2773,7 @@ int ssl_add_serverhello_tlsext(SSL_HANDSHAKE *hs, CBB *out) { goto err; } - /* Discard empty extensions blocks before TLS 1.3. */ + // Discard empty extensions blocks before TLS 1.3. if (ssl3_protocol_version(ssl) < TLS1_3_VERSION && CBB_len(&extensions) == 0) { CBB_discard_child(out); @@ -2804,15 +2804,15 @@ static int ssl_scan_clienthello_tlsext(SSL_HANDSHAKE *hs, uint16_t type; CBS extension; - /* Decode the next extension. */ + // Decode the next extension. if (!CBS_get_u16(&extensions, &type) || !CBS_get_u16_length_prefixed(&extensions, &extension)) { *out_alert = SSL_AD_DECODE_ERROR; return 0; } - /* RFC 5746 made the existence of extensions in SSL 3.0 somewhat - * ambiguous. Ignore all but the renegotiation_info extension. */ + // RFC 5746 made the existence of extensions in SSL 3.0 somewhat + // ambiguous. Ignore all but the renegotiation_info extension. if (ssl->version == SSL3_VERSION && type != TLSEXT_TYPE_renegotiate) { continue; } @@ -2849,16 +2849,16 @@ static int ssl_scan_clienthello_tlsext(SSL_HANDSHAKE *hs, if (kExtensions[i].value == TLSEXT_TYPE_renegotiate && ssl_client_cipher_list_contains_cipher(client_hello, SSL3_CK_SCSV & 0xffff)) { - /* The renegotiation SCSV was received so pretend that we received a - * renegotiation extension. */ + // The renegotiation SCSV was received so pretend that we received a + // renegotiation extension. CBS_init(&fake_contents, kFakeRenegotiateExtension, sizeof(kFakeRenegotiateExtension)); contents = &fake_contents; hs->extensions.received |= (1u << i); } - /* Extension wasn't observed so call the callback with a NULL - * parameter. */ + // Extension wasn't observed so call the callback with a NULL + // parameter. uint8_t alert = SSL_AD_DECODE_ERROR; if (!kExtensions[i].parse_clienthello(hs, &alert, contents)) { OPENSSL_PUT_ERROR(SSL, SSL_R_MISSING_EXTENSION); @@ -2891,12 +2891,12 @@ int ssl_parse_clienthello_tlsext(SSL_HANDSHAKE *hs, static int ssl_scan_serverhello_tlsext(SSL_HANDSHAKE *hs, CBS *cbs, int *out_alert) { SSL *const ssl = hs->ssl; - /* Before TLS 1.3, ServerHello extensions blocks may be omitted if empty. */ + // Before TLS 1.3, ServerHello extensions blocks may be omitted if empty. if (CBS_len(cbs) == 0 && ssl3_protocol_version(ssl) < TLS1_3_VERSION) { return 1; } - /* Decode the extensions block and check it is valid. */ + // Decode the extensions block and check it is valid. CBS extensions; if (!CBS_get_u16_length_prefixed(cbs, &extensions) || !tls1_check_duplicate_extensions(&extensions)) { @@ -2909,7 +2909,7 @@ static int ssl_scan_serverhello_tlsext(SSL_HANDSHAKE *hs, CBS *cbs, uint16_t type; CBS extension; - /* Decode the next extension. */ + // Decode the next extension. if (!CBS_get_u16(&extensions, &type) || !CBS_get_u16_length_prefixed(&extensions, &extension)) { *out_alert = SSL_AD_DECODE_ERROR; @@ -2933,8 +2933,8 @@ static int ssl_scan_serverhello_tlsext(SSL_HANDSHAKE *hs, CBS *cbs, if (!(hs->extensions.sent & (1u << ext_index)) && type != TLSEXT_TYPE_renegotiate) { - /* If the extension was never sent then it is illegal, except for the - * renegotiation extension which, in SSL 3.0, is signaled via SCSV. */ + // If the extension was never sent then it is illegal, except for the + // renegotiation extension which, in SSL 3.0, is signaled via SCSV. OPENSSL_PUT_ERROR(SSL, SSL_R_UNEXPECTED_EXTENSION); ERR_add_error_dataf("extension :%u", (unsigned)type); *out_alert = SSL_AD_UNSUPPORTED_EXTENSION; @@ -2954,8 +2954,8 @@ static int ssl_scan_serverhello_tlsext(SSL_HANDSHAKE *hs, CBS *cbs, for (size_t i = 0; i < kNumExtensions; i++) { if (!(received & (1u << i))) { - /* Extension wasn't observed so call the callback with a NULL - * parameter. */ + // Extension wasn't observed so call the callback with a NULL + // parameter. uint8_t alert = SSL_AD_DECODE_ERROR; if (!kExtensions[i].parse_serverhello(hs, &alert, NULL)) { OPENSSL_PUT_ERROR(SSL, SSL_R_MISSING_EXTENSION); @@ -3012,11 +3012,11 @@ static enum ssl_ticket_aead_result_t decrypt_ticket_with_cipher_ctx( HMAC_CTX *hmac_ctx, const uint8_t *ticket, size_t ticket_len) { size_t iv_len = EVP_CIPHER_CTX_iv_length(cipher_ctx); - /* Check the MAC at the end of the ticket. */ + // Check the MAC at the end of the ticket. uint8_t mac[EVP_MAX_MD_SIZE]; size_t mac_len = HMAC_size(hmac_ctx); if (ticket_len < SSL_TICKET_KEY_NAME_LEN + iv_len + 1 + mac_len) { - /* The ticket must be large enough for key name, IV, data, and MAC. */ + // The ticket must be large enough for key name, IV, data, and MAC. return ssl_ticket_aead_ignore_ticket; } HMAC_Update(hmac_ctx, ticket, ticket_len - mac_len); @@ -3030,7 +3030,7 @@ static enum ssl_ticket_aead_result_t decrypt_ticket_with_cipher_ctx( return ssl_ticket_aead_ignore_ticket; } - /* Decrypt the session data. */ + // Decrypt the session data. const uint8_t *ciphertext = ticket + SSL_TICKET_KEY_NAME_LEN + iv_len; size_t ciphertext_len = ticket_len - SSL_TICKET_KEY_NAME_LEN - iv_len - mac_len; @@ -3090,12 +3090,12 @@ static enum ssl_ticket_aead_result_t ssl_decrypt_ticket_with_ticket_keys( assert(ticket_len >= SSL_TICKET_KEY_NAME_LEN + EVP_MAX_IV_LENGTH); SSL_CTX *ctx = ssl->session_ctx; - /* Rotate the ticket key if necessary. */ + // Rotate the ticket key if necessary. if (!ssl_ctx_rotate_ticket_encryption_key(ctx)) { return ssl_ticket_aead_error; } - /* Pick the matching ticket key and decrypt. */ + // Pick the matching ticket key and decrypt. ScopedEVP_CIPHER_CTX cipher_ctx; ScopedHMAC_CTX hmac_ctx; { @@ -3167,10 +3167,10 @@ enum ssl_ticket_aead_result_t ssl_process_ticket( result = ssl_decrypt_ticket_with_method( ssl, &plaintext, &plaintext_len, out_renew_ticket, ticket, ticket_len); } else { - /* Ensure there is room for the key name and the largest IV - * |tlsext_ticket_key_cb| may try to consume. The real limit may be lower, - * but the maximum IV length should be well under the minimum size for the - * session material and HMAC. */ + // Ensure there is room for the key name and the largest IV + // |tlsext_ticket_key_cb| may try to consume. The real limit may be lower, + // but the maximum IV length should be well under the minimum size for the + // session material and HMAC. if (ticket_len < SSL_TICKET_KEY_NAME_LEN + EVP_MAX_IV_LENGTH) { return ssl_ticket_aead_ignore_ticket; } @@ -3187,18 +3187,18 @@ enum ssl_ticket_aead_result_t ssl_process_ticket( return result; } - /* Decode the session. */ + // Decode the session. UniquePtr session( SSL_SESSION_from_bytes(plaintext, plaintext_len, ssl->ctx)); OPENSSL_free(plaintext); if (!session) { - ERR_clear_error(); /* Don't leave an error on the queue. */ + ERR_clear_error(); // Don't leave an error on the queue. return ssl_ticket_aead_ignore_ticket; } - /* Copy the client's session ID into the new session, to denote the ticket has - * been accepted. */ + // Copy the client's session ID into the new session, to denote the ticket has + // been accepted. OPENSSL_memcpy(session->session_id, session_id, session_id_len); session->session_id_length = session_id_len; @@ -3207,7 +3207,7 @@ enum ssl_ticket_aead_result_t ssl_process_ticket( } int tls1_parse_peer_sigalgs(SSL_HANDSHAKE *hs, const CBS *in_sigalgs) { - /* Extension ignored for inappropriate versions */ + // Extension ignored for inappropriate versions if (ssl3_protocol_version(hs->ssl) < TLS1_2_VERSION) { return 1; } @@ -3222,14 +3222,14 @@ int tls1_parse_peer_sigalgs(SSL_HANDSHAKE *hs, const CBS *in_sigalgs) { } num_sigalgs /= 2; - /* supported_signature_algorithms in the certificate request is - * allowed to be empty. */ + // supported_signature_algorithms in the certificate request is + // allowed to be empty. if (num_sigalgs == 0) { return 1; } - /* This multiplication doesn't overflow because sizeof(uint16_t) is two - * and we just divided |num_sigalgs| by two. */ + // This multiplication doesn't overflow because sizeof(uint16_t) is two + // and we just divided |num_sigalgs| by two. hs->peer_sigalgs = (uint16_t *)OPENSSL_malloc(num_sigalgs * sizeof(uint16_t)); if (hs->peer_sigalgs == NULL) { return 0; @@ -3264,8 +3264,8 @@ int tls1_choose_signature_algorithm(SSL_HANDSHAKE *hs, uint16_t *out) { SSL *const ssl = hs->ssl; CERT *cert = ssl->cert; - /* Before TLS 1.2, the signature algorithm isn't negotiated as part of the - * handshake. */ + // Before TLS 1.2, the signature algorithm isn't negotiated as part of the + // handshake. if (ssl3_protocol_version(ssl) < TLS1_2_VERSION) { if (!tls1_get_legacy_signature_algorithm(out, hs->local_pubkey.get())) { OPENSSL_PUT_ERROR(SSL, SSL_R_NO_COMMON_SIGNATURE_ALGORITHMS); @@ -3284,9 +3284,9 @@ int tls1_choose_signature_algorithm(SSL_HANDSHAKE *hs, uint16_t *out) { const uint16_t *peer_sigalgs = hs->peer_sigalgs; size_t num_peer_sigalgs = hs->num_peer_sigalgs; if (num_peer_sigalgs == 0 && ssl3_protocol_version(ssl) < TLS1_3_VERSION) { - /* If the client didn't specify any signature_algorithms extension then - * we can assume that it supports SHA1. See - * http://tools.ietf.org/html/rfc5246#section-7.4.1.4.1 */ + // If the client didn't specify any signature_algorithms extension then + // we can assume that it supports SHA1. See + // http://tools.ietf.org/html/rfc5246#section-7.4.1.4.1 static const uint16_t kDefaultPeerAlgorithms[] = {SSL_SIGN_RSA_PKCS1_SHA1, SSL_SIGN_ECDSA_SHA1}; peer_sigalgs = kDefaultPeerAlgorithms; @@ -3295,8 +3295,8 @@ int tls1_choose_signature_algorithm(SSL_HANDSHAKE *hs, uint16_t *out) { for (size_t i = 0; i < num_sigalgs; i++) { uint16_t sigalg = sigalgs[i]; - /* SSL_SIGN_RSA_PKCS1_MD5_SHA1 is an internal value and should never be - * negotiated. */ + // SSL_SIGN_RSA_PKCS1_MD5_SHA1 is an internal value and should never be + // negotiated. if (sigalg == SSL_SIGN_RSA_PKCS1_MD5_SHA1 || !ssl_private_key_supports_signature_algorithm(hs, sigalgs[i])) { continue; @@ -3316,8 +3316,8 @@ int tls1_choose_signature_algorithm(SSL_HANDSHAKE *hs, uint16_t *out) { int tls1_verify_channel_id(SSL_HANDSHAKE *hs, const SSLMessage &msg) { SSL *const ssl = hs->ssl; - /* A Channel ID handshake message is structured to contain multiple - * extensions, but the only one that can be present is Channel ID. */ + // A Channel ID handshake message is structured to contain multiple + // extensions, but the only one that can be present is Channel ID. uint16_t extension_type; CBS channel_id = msg.body, extension; if (!CBS_get_u16(&channel_id, &extension_type) || @@ -3474,14 +3474,14 @@ int tls1_channel_id_hash(SSL_HANDSHAKE *hs, uint8_t *out, size_t *out_len) { return 1; } -/* tls1_record_handshake_hashes_for_channel_id records the current handshake - * hashes in |hs->new_session| so that Channel ID resumptions can sign that - * data. */ +// tls1_record_handshake_hashes_for_channel_id records the current handshake +// hashes in |hs->new_session| so that Channel ID resumptions can sign that +// data. int tls1_record_handshake_hashes_for_channel_id(SSL_HANDSHAKE *hs) { SSL *const ssl = hs->ssl; - /* This function should never be called for a resumed session because the - * handshake hashes that we wish to record are for the original, full - * handshake. */ + // This function should never be called for a resumed session because the + // handshake hashes that we wish to record are for the original, full + // handshake. if (ssl->session != NULL) { return 0; } @@ -3512,7 +3512,7 @@ int ssl_do_channel_id_callback(SSL *ssl) { EVP_PKEY *key = NULL; ssl->ctx->channel_id_cb(ssl, &key); if (key == NULL) { - /* The caller should try again later. */ + // The caller should try again later. return 1; } @@ -3522,9 +3522,9 @@ int ssl_do_channel_id_callback(SSL *ssl) { } int ssl_is_sct_list_valid(const CBS *contents) { - /* Shallow parse the SCT list for sanity. By the RFC - * (https://tools.ietf.org/html/rfc6962#section-3.3) neither the list nor any - * of the SCTs may be empty. */ + // Shallow parse the SCT list for sanity. By the RFC + // (https://tools.ietf.org/html/rfc6962#section-3.3) neither the list nor any + // of the SCTs may be empty. CBS copy = *contents; CBS sct_list; if (!CBS_get_u16_length_prefixed(©, &sct_list) || diff --git a/ssl/test/bssl_shim.cc b/ssl/test/bssl_shim.cc index 8daa1056..d86efab1 100644 --- a/ssl/test/bssl_shim.cc +++ b/ssl/test/bssl_shim.cc @@ -1040,8 +1040,8 @@ static void MessageCallback(int is_write, int version, int content_type, uint8_t type; uint32_t msg_len; if (!CBS_get_u8(&cbs, &type) || - /* TODO(davidben): Reporting on entire messages would be more - * consistent than fragments. */ + // TODO(davidben): Reporting on entire messages would be more + // consistent than fragments. (config->is_dtls && !CBS_skip(&cbs, 3 /* total */ + 2 /* seq */ + 3 /* frag_off */)) || !CBS_get_u24(&cbs, &msg_len) || @@ -2421,7 +2421,7 @@ int main(int argc, char **argv) { StderrDelimiter delimiter; #if defined(OPENSSL_WINDOWS) - /* Initialize Winsock. */ + // Initialize Winsock. WORD wsa_version = MAKEWORD(2, 2); WSADATA wsa_data; int wsa_err = WSAStartup(wsa_version, &wsa_data); diff --git a/ssl/tls13_both.cc b/ssl/tls13_both.cc index 509079d1..1b031d55 100644 --- a/ssl/tls13_both.cc +++ b/ssl/tls13_both.cc @@ -32,9 +32,9 @@ namespace bssl { -/* kMaxKeyUpdates is the number of consecutive KeyUpdates that will be - * processed. Without this limit an attacker could force unbounded processing - * without being able to return application data. */ +// kMaxKeyUpdates is the number of consecutive KeyUpdates that will be +// processed. Without this limit an attacker could force unbounded processing +// without being able to return application data. static const uint8_t kMaxKeyUpdates = 32; int tls13_get_cert_verify_signature_input( @@ -56,7 +56,7 @@ int tls13_get_cert_verify_signature_input( const uint8_t *context; size_t context_len; if (cert_verify_context == ssl_cert_verify_server) { - /* Include the NUL byte. */ + // Include the NUL byte. static const char kContext[] = "TLS 1.3, server CertificateVerify"; context = (const uint8_t *)kContext; context_len = sizeof(kContext); @@ -130,15 +130,15 @@ int tls13_process_certificate(SSL_HANDSHAKE *hs, const SSLMessage &msg, OPENSSL_PUT_ERROR(SSL, SSL_R_DECODE_ERROR); return 0; } - /* TLS 1.3 always uses certificate keys for signing thus the correct - * keyUsage is enforced. */ + // TLS 1.3 always uses certificate keys for signing thus the correct + // keyUsage is enforced. if (!ssl_cert_check_digital_signature_key_usage(&certificate)) { ssl3_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_ILLEGAL_PARAMETER); return 0; } if (retain_sha256) { - /* Retain the hash of the leaf certificate if requested. */ + // Retain the hash of the leaf certificate if requested. SHA256(CBS_data(&certificate), CBS_len(&certificate), hs->new_session->peer_sha256); } @@ -153,7 +153,7 @@ int tls13_process_certificate(SSL_HANDSHAKE *hs, const SSLMessage &msg, return 0; } - /* Parse out the extensions. */ + // Parse out the extensions. int have_status_request = 0, have_sct = 0; CBS status_request, sct; const SSL_EXTENSION_TYPE ext_types[] = { @@ -169,8 +169,8 @@ int tls13_process_certificate(SSL_HANDSHAKE *hs, const SSLMessage &msg, return 0; } - /* All Certificate extensions are parsed, but only the leaf extensions are - * stored. */ + // All Certificate extensions are parsed, but only the leaf extensions are + // stored. if (have_status_request) { if (ssl->server || !ssl->ocsp_stapling_enabled) { OPENSSL_PUT_ERROR(SSL, SSL_R_UNEXPECTED_EXTENSION); @@ -225,8 +225,8 @@ int tls13_process_certificate(SSL_HANDSHAKE *hs, const SSLMessage &msg, } } - /* Store a null certificate list rather than an empty one if the peer didn't - * send certificates. */ + // Store a null certificate list rather than an empty one if the peer didn't + // send certificates. if (sk_CRYPTO_BUFFER_num(certs.get()) == 0) { certs.reset(); } @@ -249,11 +249,11 @@ int tls13_process_certificate(SSL_HANDSHAKE *hs, const SSLMessage &msg, return 0; } - /* OpenSSL returns X509_V_OK when no certificates are requested. This is - * classed by them as a bug, but it's assumed by at least NGINX. */ + // OpenSSL returns X509_V_OK when no certificates are requested. This is + // classed by them as a bug, but it's assumed by at least NGINX. hs->new_session->verify_result = X509_V_OK; - /* No certificate, so nothing more to do. */ + // No certificate, so nothing more to do. return 1; } @@ -347,7 +347,7 @@ int tls13_add_certificate(SSL_HANDSHAKE *hs) { ScopedCBB cbb; CBB body, certificate_list; if (!ssl->method->init_message(ssl, cbb.get(), &body, SSL3_MT_CERTIFICATE) || - /* The request context is always empty in the handshake. */ + // The request context is always empty in the handshake. !CBB_add_u8(&body, 0) || !CBB_add_u24_length_prefixed(&body, &certificate_list)) { OPENSSL_PUT_ERROR(SSL, ERR_R_INTERNAL_ERROR); @@ -430,7 +430,7 @@ enum ssl_private_key_result_t tls13_add_certificate_verify(SSL_HANDSHAKE *hs) { return ssl_private_key_failure; } - /* Sign the digest. */ + // Sign the digest. CBB child; const size_t max_sig_len = EVP_PKEY_size(hs->local_pubkey.get()); uint8_t *sig; @@ -503,7 +503,7 @@ static int tls13_receive_key_update(SSL *ssl, const SSLMessage &msg) { return 0; } - /* Acknowledge the KeyUpdate */ + // Acknowledge the KeyUpdate if (key_update_request == SSL_KEY_UPDATE_REQUESTED && !ssl->s3->key_update_pending) { ScopedCBB cbb; @@ -516,10 +516,10 @@ static int tls13_receive_key_update(SSL *ssl, const SSLMessage &msg) { return 0; } - /* Suppress KeyUpdate acknowledgments until this change is written to the - * wire. This prevents us from accumulating write obligations when read and - * write progress at different rates. See draft-ietf-tls-tls13-18, section - * 4.5.3. */ + // Suppress KeyUpdate acknowledgments until this change is written to the + // wire. This prevents us from accumulating write obligations when read and + // write progress at different rates. See draft-ietf-tls-tls13-18, section + // 4.5.3. ssl->s3->key_update_pending = 1; } diff --git a/ssl/tls13_client.cc b/ssl/tls13_client.cc index 82213681..51d275ca 100644 --- a/ssl/tls13_client.cc +++ b/ssl/tls13_client.cc @@ -66,7 +66,7 @@ static enum ssl_hs_wait_t do_read_hello_retry_request(SSL_HANDSHAKE *hs) { uint16_t server_version; if (!CBS_get_u16(&body, &server_version) || !CBS_get_u16_length_prefixed(&body, &extensions) || - /* HelloRetryRequest may not be empty. */ + // HelloRetryRequest may not be empty. CBS_len(&extensions) == 0 || CBS_len(&body) != 0) { OPENSSL_PUT_ERROR(SSL, SSL_R_DECODE_ERROR); @@ -112,7 +112,7 @@ static enum ssl_hs_wait_t do_read_hello_retry_request(SSL_HANDSHAKE *hs) { return ssl_hs_error; } - /* The group must be supported. */ + // The group must be supported. const uint16_t *groups; size_t groups_len; tls1_get_grouplist(ssl, &groups, &groups_len); @@ -130,8 +130,8 @@ static enum ssl_hs_wait_t do_read_hello_retry_request(SSL_HANDSHAKE *hs) { return ssl_hs_error; } - /* Check that the HelloRetryRequest does not request the key share that - * was provided in the initial ClientHello. */ + // Check that the HelloRetryRequest does not request the key share that + // was provided in the initial ClientHello. if (hs->key_share->GroupID() == group_id) { ssl3_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_ILLEGAL_PARAMETER); OPENSSL_PUT_ERROR(SSL, SSL_R_WRONG_CURVE); @@ -149,7 +149,7 @@ static enum ssl_hs_wait_t do_read_hello_retry_request(SSL_HANDSHAKE *hs) { ssl->method->next_message(ssl); hs->received_hello_retry_request = 1; hs->tls13_state = state_send_second_client_hello; - /* 0-RTT is rejected if we receive a HelloRetryRequest. */ + // 0-RTT is rejected if we receive a HelloRetryRequest. if (hs->in_early_data) { return ssl_hs_early_data_rejected; } @@ -158,7 +158,7 @@ static enum ssl_hs_wait_t do_read_hello_retry_request(SSL_HANDSHAKE *hs) { static enum ssl_hs_wait_t do_send_second_client_hello(SSL_HANDSHAKE *hs) { SSL *const ssl = hs->ssl; - /* Restore the null cipher. We may have switched due to 0-RTT. */ + // Restore the null cipher. We may have switched due to 0-RTT. bssl::UniquePtr null_ctx = SSLAEADContext::CreateNullCipher(); if (!null_ctx || !ssl->method->set_write_state(ssl, std::move(null_ctx)) || @@ -217,7 +217,7 @@ static enum ssl_hs_wait_t do_read_server_hello(SSL_HANDSHAKE *hs) { return ssl_hs_error; } - /* Check if the cipher is a TLS 1.3 cipher. */ + // Check if the cipher is a TLS 1.3 cipher. if (SSL_CIPHER_get_min_version(cipher) > ssl3_protocol_version(ssl) || SSL_CIPHER_get_max_version(cipher) < ssl3_protocol_version(ssl)) { OPENSSL_PUT_ERROR(SSL, SSL_R_WRONG_CIPHER_RETURNED); @@ -225,7 +225,7 @@ static enum ssl_hs_wait_t do_read_server_hello(SSL_HANDSHAKE *hs) { return ssl_hs_error; } - /* Parse out the extensions. */ + // Parse out the extensions. int have_key_share = 0, have_pre_shared_key = 0, have_supported_versions = 0; CBS key_share, pre_shared_key, supported_versions; const SSL_EXTENSION_TYPE ext_types[] = { @@ -243,8 +243,8 @@ static enum ssl_hs_wait_t do_read_server_hello(SSL_HANDSHAKE *hs) { return ssl_hs_error; } - /* supported_versions is parsed in handshake_client to select the experimental - * TLS 1.3 version. */ + // supported_versions is parsed in handshake_client to select the experimental + // TLS 1.3 version. if (have_supported_versions && ssl->version != TLS1_3_EXPERIMENT_VERSION) { OPENSSL_PUT_ERROR(SSL, SSL_R_UNEXPECTED_EXTENSION); ssl3_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_UNSUPPORTED_EXTENSION); @@ -278,7 +278,7 @@ static enum ssl_hs_wait_t do_read_server_hello(SSL_HANDSHAKE *hs) { } if (!ssl_session_is_context_valid(ssl, ssl->session)) { - /* This is actually a client application bug. */ + // This is actually a client application bug. OPENSSL_PUT_ERROR(SSL, SSL_R_ATTEMPT_TO_REUSE_SESSION_IN_DIFFERENT_CONTEXT); ssl3_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_ILLEGAL_PARAMETER); @@ -286,7 +286,7 @@ static enum ssl_hs_wait_t do_read_server_hello(SSL_HANDSHAKE *hs) { } ssl->s3->session_reused = 1; - /* Only authentication information carries over in TLS 1.3. */ + // Only authentication information carries over in TLS 1.3. hs->new_session = SSL_SESSION_dup(ssl->session, SSL_SESSION_DUP_AUTH_ONLY); if (!hs->new_session) { ssl3_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_INTERNAL_ERROR); @@ -294,7 +294,7 @@ static enum ssl_hs_wait_t do_read_server_hello(SSL_HANDSHAKE *hs) { } ssl_set_session(ssl, NULL); - /* Resumption incorporates fresh key material, so refresh the timeout. */ + // Resumption incorporates fresh key material, so refresh the timeout. ssl_session_renew_timeout(ssl, hs->new_session.get(), ssl->session_ctx->session_psk_dhe_timeout); } else if (!ssl_get_new_session(hs, 0)) { @@ -305,12 +305,12 @@ static enum ssl_hs_wait_t do_read_server_hello(SSL_HANDSHAKE *hs) { hs->new_session->cipher = cipher; hs->new_cipher = cipher; - /* The PRF hash is now known. Set up the key schedule. */ + // The PRF hash is now known. Set up the key schedule. if (!tls13_init_key_schedule(hs)) { return ssl_hs_error; } - /* Incorporate the PSK into the running secret. */ + // Incorporate the PSK into the running secret. if (ssl->s3->session_reused) { if (!tls13_advance_key_schedule(hs, hs->new_session->master_key, hs->new_session->master_key_length)) { @@ -321,13 +321,13 @@ static enum ssl_hs_wait_t do_read_server_hello(SSL_HANDSHAKE *hs) { } if (!have_key_share) { - /* We do not support psk_ke and thus always require a key share. */ + // We do not support psk_ke and thus always require a key share. OPENSSL_PUT_ERROR(SSL, SSL_R_MISSING_KEY_SHARE); ssl3_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_MISSING_EXTENSION); return ssl_hs_error; } - /* Resolve ECDHE and incorporate it into the secret. */ + // Resolve ECDHE and incorporate it into the secret. uint8_t *dhe_secret; size_t dhe_secret_len; alert = SSL_AD_DECODE_ERROR; @@ -363,8 +363,8 @@ static enum ssl_hs_wait_t do_process_change_cipher_spec(SSL_HANDSHAKE *hs) { } if (!hs->early_data_offered) { - /* If not sending early data, set client traffic keys now so that alerts are - * encrypted. */ + // If not sending early data, set client traffic keys now so that alerts are + // encrypted. if ((ssl->version == TLS1_3_EXPERIMENT_VERSION && !ssl3_add_change_cipher_spec(ssl)) || !tls13_set_traffic_key(ssl, evp_aead_seal, hs->client_handshake_secret, @@ -398,7 +398,7 @@ static enum ssl_hs_wait_t do_read_encrypted_extensions(SSL_HANDSHAKE *hs) { return ssl_hs_error; } - /* Store the negotiated ALPN in the session. */ + // Store the negotiated ALPN in the session. if (ssl->s3->alpn_selected != NULL) { hs->new_session->early_alpn = (uint8_t *)BUF_memdup( ssl->s3->alpn_selected, ssl->s3->alpn_selected_len); @@ -437,7 +437,7 @@ static enum ssl_hs_wait_t do_read_encrypted_extensions(SSL_HANDSHAKE *hs) { static enum ssl_hs_wait_t do_read_certificate_request(SSL_HANDSHAKE *hs) { SSL *const ssl = hs->ssl; - /* CertificateRequest may only be sent in non-resumption handshakes. */ + // CertificateRequest may only be sent in non-resumption handshakes. if (ssl->s3->session_reused) { hs->tls13_state = state_read_server_finished; return ssl_hs_ok; @@ -448,7 +448,7 @@ static enum ssl_hs_wait_t do_read_certificate_request(SSL_HANDSHAKE *hs) { return ssl_hs_read_message; } - /* CertificateRequest is optional. */ + // CertificateRequest is optional. if (msg.type != SSL3_MT_CERTIFICATE_REQUEST) { hs->tls13_state = state_read_server_certificate; return ssl_hs_ok; @@ -456,7 +456,7 @@ static enum ssl_hs_wait_t do_read_certificate_request(SSL_HANDSHAKE *hs) { CBS body = msg.body, context, supported_signature_algorithms; if (!CBS_get_u8_length_prefixed(&body, &context) || - /* The request context is always empty during the handshake. */ + // The request context is always empty during the handshake. CBS_len(&context) != 0 || !CBS_get_u16_length_prefixed(&body, &supported_signature_algorithms) || CBS_len(&supported_signature_algorithms) == 0 || @@ -474,7 +474,7 @@ static enum ssl_hs_wait_t do_read_certificate_request(SSL_HANDSHAKE *hs) { return ssl_hs_error; } - /* Ignore extensions. */ + // Ignore extensions. CBS extensions; if (!CBS_get_u16_length_prefixed(&body, &extensions) || CBS_len(&body) != 0) { @@ -550,7 +550,7 @@ static enum ssl_hs_wait_t do_read_server_finished(SSL_HANDSHAKE *hs) { if (!ssl_check_message_type(ssl, msg, SSL3_MT_FINISHED) || !tls13_process_finished(hs, msg, 0 /* don't use saved value */) || !ssl_hash_message(hs, msg) || - /* Update the secret to the master secret and derive traffic keys. */ + // Update the secret to the master secret and derive traffic keys. !tls13_advance_key_schedule(hs, kZeroes, hs->hash_len) || !tls13_derive_application_secrets(hs)) { return ssl_hs_error; @@ -588,13 +588,13 @@ static enum ssl_hs_wait_t do_send_end_of_early_data(SSL_HANDSHAKE *hs) { static enum ssl_hs_wait_t do_send_client_certificate(SSL_HANDSHAKE *hs) { SSL *const ssl = hs->ssl; - /* The peer didn't request a certificate. */ + // The peer didn't request a certificate. if (!hs->cert_request) { hs->tls13_state = state_complete_second_flight; return ssl_hs_ok; } - /* Call cert_cb to update the certificate. */ + // Call cert_cb to update the certificate. if (ssl->cert->cert_cb != NULL) { int rv = ssl->cert->cert_cb(ssl, ssl->cert->cert_cb_arg); if (rv == 0) { @@ -619,7 +619,7 @@ static enum ssl_hs_wait_t do_send_client_certificate(SSL_HANDSHAKE *hs) { static enum ssl_hs_wait_t do_send_client_certificate_verify(SSL_HANDSHAKE *hs) { SSL *const ssl = hs->ssl; - /* Don't send CertificateVerify if there is no certificate. */ + // Don't send CertificateVerify if there is no certificate. if (!ssl_has_certificate(ssl)) { hs->tls13_state = state_complete_second_flight; return ssl_hs_ok; @@ -645,7 +645,7 @@ static enum ssl_hs_wait_t do_send_client_certificate_verify(SSL_HANDSHAKE *hs) { static enum ssl_hs_wait_t do_complete_second_flight(SSL_HANDSHAKE *hs) { SSL *const ssl = hs->ssl; - /* Send a Channel ID assertion if necessary. */ + // Send a Channel ID assertion if necessary. if (ssl->s3->tlsext_channel_id_valid) { if (!ssl_do_channel_id_callback(ssl)) { hs->tls13_state = state_complete_second_flight; @@ -665,12 +665,12 @@ static enum ssl_hs_wait_t do_complete_second_flight(SSL_HANDSHAKE *hs) { } } - /* Send a Finished message. */ + // Send a Finished message. if (!tls13_add_finished(hs)) { return ssl_hs_error; } - /* Derive the final keys and enable them. */ + // Derive the final keys and enable them. if (!tls13_set_traffic_key(ssl, evp_aead_open, hs->server_traffic_secret_0, hs->hash_len) || !tls13_set_traffic_key(ssl, evp_aead_seal, hs->client_traffic_secret_0, @@ -804,13 +804,13 @@ int tls13_process_new_session_ticket(SSL *ssl, const SSLMessage &msg) { return 0; } - /* Cap the renewable lifetime by the server advertised value. This avoids - * wasting bandwidth on 0-RTT when we know the server will reject it. */ + // Cap the renewable lifetime by the server advertised value. This avoids + // wasting bandwidth on 0-RTT when we know the server will reject it. if (session->timeout > server_timeout) { session->timeout = server_timeout; } - /* Parse out the extensions. */ + // Parse out the extensions. int have_early_data_info = 0; CBS early_data_info; const SSL_EXTENSION_TYPE ext_types[] = { @@ -840,7 +840,7 @@ int tls13_process_new_session_ticket(SSL *ssl, const SSLMessage &msg) { if (ssl->ctx->new_session_cb != NULL && ssl->ctx->new_session_cb(ssl, session.get())) { - /* |new_session_cb|'s return value signals that it took ownership. */ + // |new_session_cb|'s return value signals that it took ownership. session.release(); } diff --git a/ssl/tls13_enc.cc b/ssl/tls13_enc.cc index 39e80be5..7bd87c58 100644 --- a/ssl/tls13_enc.cc +++ b/ssl/tls13_enc.cc @@ -40,7 +40,7 @@ static int init_key_schedule(SSL_HANDSHAKE *hs, uint16_t version, hs->hash_len = hs->transcript.DigestLen(); - /* Initialize the secret to the zero key. */ + // Initialize the secret to the zero key. OPENSSL_memset(hs->secret, 0, hs->hash_len); return 1; @@ -96,9 +96,9 @@ static int hkdf_expand_label(uint8_t *out, const EVP_MD *digest, return ret; } -/* derive_secret derives a secret of length |len| and writes the result in |out| - * with the given label and the current base secret and most recently-saved - * handshake context. It returns one on success and zero on error. */ +// derive_secret derives a secret of length |len| and writes the result in |out| +// with the given label and the current base secret and most recently-saved +// handshake context. It returns one on success and zero on error. static int derive_secret(SSL_HANDSHAKE *hs, uint8_t *out, size_t len, const uint8_t *label, size_t label_len) { uint8_t context_hash[EVP_MAX_MD_SIZE]; @@ -123,7 +123,7 @@ int tls13_set_traffic_key(SSL *ssl, enum evp_aead_direction_t direction, return 0; } - /* Look up cipher suite properties. */ + // Look up cipher suite properties. const EVP_AEAD *aead; size_t discard; if (!ssl_cipher_get_evp_aead(&aead, &discard, &discard, session->cipher, @@ -133,7 +133,7 @@ int tls13_set_traffic_key(SSL *ssl, enum evp_aead_direction_t direction, const EVP_MD *digest = SSL_SESSION_get_digest(session); - /* Derive the key. */ + // Derive the key. size_t key_len = EVP_AEAD_key_length(aead); uint8_t key[EVP_AEAD_MAX_KEY_LENGTH]; if (!hkdf_expand_label(key, digest, traffic_secret, traffic_secret_len, @@ -141,7 +141,7 @@ int tls13_set_traffic_key(SSL *ssl, enum evp_aead_direction_t direction, return 0; } - /* Derive the IV. */ + // Derive the IV. size_t iv_len = EVP_AEAD_nonce_length(aead); uint8_t iv[EVP_AEAD_MAX_NONCE_LENGTH]; if (!hkdf_expand_label(iv, digest, traffic_secret, traffic_secret_len, @@ -166,7 +166,7 @@ int tls13_set_traffic_key(SSL *ssl, enum evp_aead_direction_t direction, } } - /* Save the traffic secret. */ + // Save the traffic secret. if (direction == evp_aead_open) { OPENSSL_memmove(ssl->s3->read_traffic_secret, traffic_secret, traffic_secret_len); @@ -279,8 +279,8 @@ int tls13_derive_resumption_secret(SSL_HANDSHAKE *hs) { static const char kTLS13LabelFinished[] = "finished"; -/* tls13_verify_data sets |out| to be the HMAC of |context| using a derived - * Finished key for both Finished messages and the PSK binder. */ +// tls13_verify_data sets |out| to be the HMAC of |context| using a derived +// Finished key for both Finished messages and the PSK binder. static int tls13_verify_data(const EVP_MD *digest, uint8_t *out, size_t *out_len, const uint8_t *secret, size_t hash_len, uint8_t *context, @@ -401,15 +401,15 @@ int tls13_verify_psk_binder(SSL_HANDSHAKE *hs, SSL_SESSION *session, const SSLMessage &msg, CBS *binders) { size_t hash_len = hs->transcript.DigestLen(); - /* The message must be large enough to exclude the binders. */ + // The message must be large enough to exclude the binders. if (CBS_len(&msg.raw) < CBS_len(binders) + 2) { OPENSSL_PUT_ERROR(SSL, ERR_R_INTERNAL_ERROR); return 0; } - /* Hash a ClientHello prefix up to the binders. This includes the header. For - * now, this assumes we only ever verify PSK binders on initial - * ClientHellos. */ + // Hash a ClientHello prefix up to the binders. This includes the header. For + // now, this assumes we only ever verify PSK binders on initial + // ClientHellos. uint8_t context[EVP_MAX_MD_SIZE]; unsigned context_len; if (!EVP_Digest(CBS_data(&msg.raw), CBS_len(&msg.raw) - CBS_len(binders) - 2, @@ -422,7 +422,7 @@ int tls13_verify_psk_binder(SSL_HANDSHAKE *hs, SSL_SESSION *session, if (!tls13_psk_binder(verify_data, hs->transcript.Digest(), session->master_key, session->master_key_length, context, context_len, hash_len) || - /* We only consider the first PSK, so compare against the first binder. */ + // We only consider the first PSK, so compare against the first binder. !CBS_get_u8_length_prefixed(binders, &binder)) { OPENSSL_PUT_ERROR(SSL, ERR_R_INTERNAL_ERROR); return 0; diff --git a/ssl/tls13_server.cc b/ssl/tls13_server.cc index 781d59eb..26ce0e18 100644 --- a/ssl/tls13_server.cc +++ b/ssl/tls13_server.cc @@ -12,9 +12,9 @@ * OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN * CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. */ -/* Per C99, various stdint.h macros are unavailable in C++ unless some macros - * are defined. C++11 overruled this decision, but older Android NDKs still - * require it. */ +// Per C99, various stdint.h macros are unavailable in C++ unless some macros +// are defined. C++11 overruled this decision, but older Android NDKs still +// require it. #if !defined(__STDC_LIMIT_MACROS) #define __STDC_LIMIT_MACROS #endif @@ -64,7 +64,7 @@ static int resolve_ecdhe_secret(SSL_HANDSHAKE *hs, int *out_need_retry, SSL *const ssl = hs->ssl; *out_need_retry = 0; - /* We only support connections that include an ECDHE key exchange. */ + // We only support connections that include an ECDHE key exchange. CBS key_share; if (!ssl_client_hello_get_extension(client_hello, &key_share, TLSEXT_TYPE_key_share)) { @@ -127,7 +127,7 @@ static const SSL_CIPHER *choose_tls13_cipher( return NULL; } - /* Limit to TLS 1.3 ciphers we know about. */ + // Limit to TLS 1.3 ciphers we know about. const SSL_CIPHER *candidate = SSL_get_cipher_by_value(cipher_suite); if (candidate == NULL || SSL_CIPHER_get_min_version(candidate) > version || @@ -135,8 +135,8 @@ static const SSL_CIPHER *choose_tls13_cipher( continue; } - /* TLS 1.3 removes legacy ciphers, so honor the client order, but prefer - * ChaCha20 if we do not have AES hardware. */ + // TLS 1.3 removes legacy ciphers, so honor the client order, but prefer + // ChaCha20 if we do not have AES hardware. if (aes_is_fine) { return candidate; } @@ -155,12 +155,12 @@ static const SSL_CIPHER *choose_tls13_cipher( static int add_new_session_tickets(SSL_HANDSHAKE *hs) { SSL *const ssl = hs->ssl; - /* TLS 1.3 recommends single-use tickets, so issue multiple tickets in case - * the client makes several connections before getting a renewal. */ + // TLS 1.3 recommends single-use tickets, so issue multiple tickets in case + // the client makes several connections before getting a renewal. static const int kNumTickets = 2; - /* Rebase the session timestamp so that it is measured from ticket - * issuance. */ + // Rebase the session timestamp so that it is measured from ticket + // issuance. ssl_session_rebase_time(ssl, hs->new_session.get()); for (int i = 0; i < kNumTickets; i++) { @@ -194,7 +194,7 @@ static int add_new_session_tickets(SSL_HANDSHAKE *hs) { } } - /* Add a fake extension. See draft-davidben-tls-grease-01. */ + // Add a fake extension. See draft-davidben-tls-grease-01. if (!CBB_add_u16(&extensions, ssl_get_grease_value(ssl, ssl_grease_ticket_extension)) || !CBB_add_u16(&extensions, 0 /* empty */)) { @@ -210,8 +210,8 @@ static int add_new_session_tickets(SSL_HANDSHAKE *hs) { } static enum ssl_hs_wait_t do_select_parameters(SSL_HANDSHAKE *hs) { - /* At this point, most ClientHello extensions have already been processed by - * the common handshake logic. Resolve the remaining non-PSK parameters. */ + // At this point, most ClientHello extensions have already been processed by + // the common handshake logic. Resolve the remaining non-PSK parameters. SSL *const ssl = hs->ssl; SSLMessage msg; if (!ssl->method->get_message(ssl, &msg)) { @@ -228,7 +228,7 @@ static enum ssl_hs_wait_t do_select_parameters(SSL_HANDSHAKE *hs) { client_hello.session_id_len); hs->session_id_len = client_hello.session_id_len; - /* Negotiate the cipher suite. */ + // Negotiate the cipher suite. hs->new_cipher = choose_tls13_cipher(ssl, &client_hello); if (hs->new_cipher == NULL) { OPENSSL_PUT_ERROR(SSL, SSL_R_NO_SHARED_CIPHER); @@ -236,16 +236,16 @@ static enum ssl_hs_wait_t do_select_parameters(SSL_HANDSHAKE *hs) { return ssl_hs_error; } - /* HTTP/2 negotiation depends on the cipher suite, so ALPN negotiation was - * deferred. Complete it now. */ + // HTTP/2 negotiation depends on the cipher suite, so ALPN negotiation was + // deferred. Complete it now. uint8_t alert = SSL_AD_DECODE_ERROR; if (!ssl_negotiate_alpn(hs, &alert, &client_hello)) { ssl3_send_alert(ssl, SSL3_AL_FATAL, alert); return ssl_hs_error; } - /* The PRF hash is now known. Set up the key schedule and hash the - * ClientHello. */ + // The PRF hash is now known. Set up the key schedule and hash the + // ClientHello. if (!tls13_init_key_schedule(hs) || !ssl_hash_message(hs, msg)) { return ssl_hs_error; @@ -262,7 +262,7 @@ static enum ssl_ticket_aead_result_t select_session( SSL *const ssl = hs->ssl; *out_session = NULL; - /* Decode the ticket if we agreed on a PSK key exchange mode. */ + // Decode the ticket if we agreed on a PSK key exchange mode. CBS pre_shared_key; if (!hs->accept_psk_mode || !ssl_client_hello_get_extension(client_hello, &pre_shared_key, @@ -270,8 +270,8 @@ static enum ssl_ticket_aead_result_t select_session( return ssl_ticket_aead_ignore_ticket; } - /* Verify that the pre_shared_key extension is the last extension in - * ClientHello. */ + // Verify that the pre_shared_key extension is the last extension in + // ClientHello. if (CBS_data(&pre_shared_key) + CBS_len(&pre_shared_key) != client_hello->extensions + client_hello->extensions_len) { OPENSSL_PUT_ERROR(SSL, SSL_R_PRE_SHARED_KEY_MUST_BE_LAST); @@ -287,8 +287,8 @@ static enum ssl_ticket_aead_result_t select_session( return ssl_ticket_aead_error; } - /* TLS 1.3 session tickets are renewed separately as part of the - * NewSessionTicket. */ + // TLS 1.3 session tickets are renewed separately as part of the + // NewSessionTicket. int unused_renew; UniquePtr session; enum ssl_ticket_aead_result_t ret = @@ -305,34 +305,34 @@ static enum ssl_ticket_aead_result_t select_session( } if (!ssl_session_is_resumable(hs, session.get()) || - /* Historically, some TLS 1.3 tickets were missing ticket_age_add. */ + // Historically, some TLS 1.3 tickets were missing ticket_age_add. !session->ticket_age_add_valid) { return ssl_ticket_aead_ignore_ticket; } - /* Recover the client ticket age and convert to seconds. */ + // Recover the client ticket age and convert to seconds. client_ticket_age -= session->ticket_age_add; client_ticket_age /= 1000; struct OPENSSL_timeval now; ssl_get_current_time(ssl, &now); - /* Compute the server ticket age in seconds. */ + // Compute the server ticket age in seconds. assert(now.tv_sec >= session->time); uint64_t server_ticket_age = now.tv_sec - session->time; - /* To avoid overflowing |hs->ticket_age_skew|, we will not resume - * 68-year-old sessions. */ + // To avoid overflowing |hs->ticket_age_skew|, we will not resume + // 68-year-old sessions. if (server_ticket_age > INT32_MAX) { return ssl_ticket_aead_ignore_ticket; } - /* TODO(davidben,svaldez): Measure this value to decide on tolerance. For - * now, accept all values. https://crbug.com/boringssl/113. */ + // TODO(davidben,svaldez): Measure this value to decide on tolerance. For + // now, accept all values. https://crbug.com/boringssl/113. *out_ticket_age_skew = (int32_t)client_ticket_age - (int32_t)server_ticket_age; - /* Check the PSK binder. */ + // Check the PSK binder. if (!tls13_verify_psk_binder(hs, session.get(), msg, &binders)) { *out_alert = SSL_AD_DECRYPT_ERROR; return ssl_ticket_aead_error; @@ -368,21 +368,21 @@ static enum ssl_hs_wait_t do_select_session(SSL_HANDSHAKE *hs) { break; case ssl_ticket_aead_success: - /* Carry over authentication information from the previous handshake into - * a fresh session. */ + // Carry over authentication information from the previous handshake into + // a fresh session. hs->new_session = SSL_SESSION_dup(session.get(), SSL_SESSION_DUP_AUTH_ONLY); - if (/* Early data must be acceptable for this ticket. */ + if (// Early data must be acceptable for this ticket. ssl->cert->enable_early_data && session->ticket_max_early_data != 0 && - /* The client must have offered early data. */ + // The client must have offered early data. hs->early_data_offered && - /* Channel ID is incompatible with 0-RTT. */ + // Channel ID is incompatible with 0-RTT. !ssl->s3->tlsext_channel_id_valid && - /* Custom extensions is incompatible with 0-RTT. */ + // Custom extensions is incompatible with 0-RTT. hs->custom_extensions.received == 0 && - /* The negotiated ALPN must match the one in the ticket. */ + // The negotiated ALPN must match the one in the ticket. ssl->s3->alpn_selected_len == session->early_alpn_len && OPENSSL_memcmp(ssl->s3->alpn_selected, session->early_alpn, ssl->s3->alpn_selected_len) == 0) { @@ -396,7 +396,7 @@ static enum ssl_hs_wait_t do_select_session(SSL_HANDSHAKE *hs) { ssl->s3->session_reused = 1; - /* Resumption incorporates fresh key material, so refresh the timeout. */ + // Resumption incorporates fresh key material, so refresh the timeout. ssl_session_renew_timeout(ssl, hs->new_session.get(), ssl->session_ctx->session_psk_dhe_timeout); break; @@ -410,7 +410,7 @@ static enum ssl_hs_wait_t do_select_session(SSL_HANDSHAKE *hs) { return ssl_hs_pending_ticket; } - /* Record connection properties in the new session. */ + // Record connection properties in the new session. hs->new_session->cipher = hs->new_cipher; if (hs->hostname != NULL) { @@ -422,7 +422,7 @@ static enum ssl_hs_wait_t do_select_session(SSL_HANDSHAKE *hs) { } } - /* Store the initial negotiated ALPN in the session. */ + // Store the initial negotiated ALPN in the session. if (ssl->s3->alpn_selected != NULL) { hs->new_session->early_alpn = (uint8_t *)BUF_memdup( ssl->s3->alpn_selected, ssl->s3->alpn_selected_len); @@ -435,13 +435,13 @@ static enum ssl_hs_wait_t do_select_session(SSL_HANDSHAKE *hs) { if (ssl->ctx->dos_protection_cb != NULL && ssl->ctx->dos_protection_cb(&client_hello) == 0) { - /* Connection rejected for DOS reasons. */ + // Connection rejected for DOS reasons. OPENSSL_PUT_ERROR(SSL, SSL_R_CONNECTION_REJECTED); ssl3_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_INTERNAL_ERROR); return ssl_hs_error; } - /* Incorporate the PSK into the running secret. */ + // Incorporate the PSK into the running secret. if (ssl->s3->session_reused) { if (!tls13_advance_key_schedule(hs, hs->new_session->master_key, hs->new_session->master_key_length)) { @@ -459,7 +459,7 @@ static enum ssl_hs_wait_t do_select_session(SSL_HANDSHAKE *hs) { ssl->s3->skip_early_data = 1; } - /* Resolve ECDHE and incorporate it into the secret. */ + // Resolve ECDHE and incorporate it into the secret. int need_retry; if (!resolve_ecdhe_secret(hs, &need_retry, &client_hello)) { if (need_retry) { @@ -517,7 +517,7 @@ static enum ssl_hs_wait_t do_read_second_client_hello(SSL_HANDSHAKE *hs) { int need_retry; if (!resolve_ecdhe_secret(hs, &need_retry, &client_hello)) { if (need_retry) { - /* Only send one HelloRetryRequest. */ + // Only send one HelloRetryRequest. ssl3_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_ILLEGAL_PARAMETER); OPENSSL_PUT_ERROR(SSL, SSL_R_WRONG_CURVE); } @@ -541,7 +541,7 @@ static enum ssl_hs_wait_t do_send_server_hello(SSL_HANDSHAKE *hs) { version = TLS1_2_VERSION; } - /* Send a ServerHello. */ + // Send a ServerHello. ScopedCBB cbb; CBB body, extensions, session_id; if (!ssl->method->init_message(ssl, cbb.get(), &body, SSL3_MT_SERVER_HELLO) || @@ -567,14 +567,14 @@ static enum ssl_hs_wait_t do_send_server_hello(SSL_HANDSHAKE *hs) { return ssl_hs_error; } - /* Derive and enable the handshake traffic secrets. */ + // Derive and enable the handshake traffic secrets. if (!tls13_derive_handshake_secrets(hs) || !tls13_set_traffic_key(ssl, evp_aead_seal, hs->server_handshake_secret, hs->hash_len)) { return ssl_hs_error; } - /* Send EncryptedExtensions. */ + // Send EncryptedExtensions. if (!ssl->method->init_message(ssl, cbb.get(), &body, SSL3_MT_ENCRYPTED_EXTENSIONS) || !ssl_add_serverhello_tlsext(hs, &body) || @@ -583,16 +583,16 @@ static enum ssl_hs_wait_t do_send_server_hello(SSL_HANDSHAKE *hs) { } if (!ssl->s3->session_reused) { - /* Determine whether to request a client certificate. */ + // Determine whether to request a client certificate. hs->cert_request = !!(ssl->verify_mode & SSL_VERIFY_PEER); - /* Only request a certificate if Channel ID isn't negotiated. */ + // Only request a certificate if Channel ID isn't negotiated. if ((ssl->verify_mode & SSL_VERIFY_PEER_IF_NO_OBC) && ssl->s3->tlsext_channel_id_valid) { hs->cert_request = 0; } } - /* Send a CertificateRequest, if necessary. */ + // Send a CertificateRequest, if necessary. if (hs->cert_request) { CBB sigalgs_cbb; if (!ssl->method->init_message(ssl, cbb.get(), &body, @@ -607,7 +607,7 @@ static enum ssl_hs_wait_t do_send_server_hello(SSL_HANDSHAKE *hs) { } } - /* Send the server Certificate message, if necessary. */ + // Send the server Certificate message, if necessary. if (!ssl->s3->session_reused) { if (!ssl_has_certificate(ssl)) { OPENSSL_PUT_ERROR(SSL, SSL_R_NO_CERTIFICATE_SET); @@ -647,7 +647,7 @@ static enum ssl_hs_wait_t do_send_server_certificate_verify(SSL_HANDSHAKE *hs) { static enum ssl_hs_wait_t do_send_server_finished(SSL_HANDSHAKE *hs) { SSL *const ssl = hs->ssl; if (!tls13_add_finished(hs) || - /* Update the secret to the master secret and derive traffic keys. */ + // Update the secret to the master secret and derive traffic keys. !tls13_advance_key_schedule(hs, kZeroes, hs->hash_len) || !tls13_derive_application_secrets(hs) || !tls13_set_traffic_key(ssl, evp_aead_seal, hs->server_traffic_secret_0, @@ -656,10 +656,10 @@ static enum ssl_hs_wait_t do_send_server_finished(SSL_HANDSHAKE *hs) { } if (ssl->early_data_accepted) { - /* If accepting 0-RTT, we send tickets half-RTT. This gets the tickets on - * the wire sooner and also avoids triggering a write on |SSL_read| when - * processing the client Finished. This requires computing the client - * Finished early. See draft-ietf-tls-tls13-18, section 4.5.1. */ + // If accepting 0-RTT, we send tickets half-RTT. This gets the tickets on + // the wire sooner and also avoids triggering a write on |SSL_read| when + // processing the client Finished. This requires computing the client + // Finished early. See draft-ietf-tls-tls13-18, section 4.5.1. size_t finished_len; if (!tls13_finished_mac(hs, hs->expected_client_finished, &finished_len, 0 /* client */)) { @@ -671,10 +671,10 @@ static enum ssl_hs_wait_t do_send_server_finished(SSL_HANDSHAKE *hs) { return ssl_hs_error; } - /* Feed the predicted Finished into the transcript. This allows us to derive - * the resumption secret early and send half-RTT tickets. - * - * TODO(davidben): This will need to be updated for DTLS 1.3. */ + // Feed the predicted Finished into the transcript. This allows us to derive + // the resumption secret early and send half-RTT tickets. + // + // TODO(davidben): This will need to be updated for DTLS 1.3. assert(!SSL_is_dtls(hs->ssl)); assert(hs->hash_len <= 0xff); uint8_t header[4] = {SSL3_MT_FINISHED, 0, 0, @@ -710,8 +710,8 @@ static enum ssl_hs_wait_t do_read_second_client_flight(SSL_HANDSHAKE *hs) { static enum ssl_hs_wait_t do_process_end_of_early_data(SSL_HANDSHAKE *hs) { hs->tls13_state = state_process_change_cipher_spec; - /* If early data was accepted, the ChangeCipherSpec message will be in the - * discarded early data. */ + // If early data was accepted, the ChangeCipherSpec message will be in the + // discarded early data. if (hs->early_data_offered && !hs->ssl->early_data_accepted) { return ssl_hs_ok; } @@ -734,11 +734,11 @@ static enum ssl_hs_wait_t do_process_change_cipher_spec(SSL_HANDSHAKE *hs) { static enum ssl_hs_wait_t do_read_client_certificate(SSL_HANDSHAKE *hs) { SSL *const ssl = hs->ssl; if (!hs->cert_request) { - /* OpenSSL returns X509_V_OK when no certificates are requested. This is - * classed by them as a bug, but it's assumed by at least NGINX. */ + // OpenSSL returns X509_V_OK when no certificates are requested. This is + // classed by them as a bug, but it's assumed by at least NGINX. hs->new_session->verify_result = X509_V_OK; - /* Skip this state. */ + // Skip this state. hs->tls13_state = state_read_channel_id; return ssl_hs_ok; } @@ -764,7 +764,7 @@ static enum ssl_hs_wait_t do_read_client_certificate_verify( SSL_HANDSHAKE *hs) { SSL *const ssl = hs->ssl; if (sk_CRYPTO_BUFFER_num(hs->new_session->certs) == 0) { - /* Skip this state. */ + // Skip this state. hs->tls13_state = state_read_channel_id; return ssl_hs_ok; } @@ -824,10 +824,10 @@ static enum ssl_hs_wait_t do_read_client_finished(SSL_HANDSHAKE *hs) { return ssl_hs_read_message; } if (!ssl_check_message_type(ssl, msg, SSL3_MT_FINISHED) || - /* If early data was accepted, we've already computed the client Finished - * and derived the resumption secret. */ + // If early data was accepted, we've already computed the client Finished + // and derived the resumption secret. !tls13_process_finished(hs, msg, ssl->early_data_accepted) || - /* evp_aead_seal keys have already been switched. */ + // evp_aead_seal keys have already been switched. !tls13_set_traffic_key(ssl, evp_aead_open, hs->client_traffic_secret_0, hs->hash_len)) { return ssl_hs_error; @@ -839,10 +839,10 @@ static enum ssl_hs_wait_t do_read_client_finished(SSL_HANDSHAKE *hs) { return ssl_hs_error; } - /* We send post-handshake tickets as part of the handshake in 1-RTT. */ + // We send post-handshake tickets as part of the handshake in 1-RTT. hs->tls13_state = state_send_new_session_ticket; } else { - /* We already sent half-RTT tickets. */ + // We already sent half-RTT tickets. hs->tls13_state = state_done; } @@ -851,8 +851,8 @@ static enum ssl_hs_wait_t do_read_client_finished(SSL_HANDSHAKE *hs) { } static enum ssl_hs_wait_t do_send_new_session_ticket(SSL_HANDSHAKE *hs) { - /* If the client doesn't accept resumption with PSK_DHE_KE, don't send a - * session ticket. */ + // If the client doesn't accept resumption with PSK_DHE_KE, don't send a + // session ticket. if (!hs->accept_psk_mode) { hs->tls13_state = state_done; return ssl_hs_ok; diff --git a/ssl/tls_method.cc b/ssl/tls_method.cc index 2fe4be3b..286bf038 100644 --- a/ssl/tls_method.cc +++ b/ssl/tls_method.cc @@ -70,15 +70,15 @@ namespace bssl { static int ssl3_supports_cipher(const SSL_CIPHER *cipher) { return 1; } static void ssl3_on_handshake_complete(SSL *ssl) { - /* The handshake should have released its final message. */ + // The handshake should have released its final message. assert(!ssl->s3->has_message); - /* During the handshake, |init_buf| is retained. Release if it there is no - * excess in it. - * - * TODO(davidben): The second check is always true but will not be once we - * switch to copying the entire handshake record. Replace this comment with an - * explanation when that happens and a TODO to reject it. */ + // During the handshake, |init_buf| is retained. Release if it there is no + // excess in it. + // + // TODO(davidben): The second check is always true but will not be once we + // switch to copying the entire handshake record. Replace this comment with an + // explanation when that happens and a TODO to reject it. if (ssl->init_buf != NULL && ssl->init_buf->length == 0) { BUF_MEM_free(ssl->init_buf); ssl->init_buf = NULL; @@ -87,7 +87,7 @@ static void ssl3_on_handshake_complete(SSL *ssl) { static int ssl3_set_read_state(SSL *ssl, UniquePtr aead_ctx) { if (ssl->s3->rrec.length != 0) { - /* There may not be unprocessed record data at a cipher change. */ + // There may not be unprocessed record data at a cipher change. OPENSSL_PUT_ERROR(SSL, SSL_R_BUFFERED_MESSAGES_ON_CIPHER_CHANGE); ssl3_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_UNEXPECTED_MESSAGE); return 0; @@ -212,7 +212,7 @@ const SSL_METHOD *TLS_with_buffers_method(void) { return &kMethod; } -/* Legacy version-locked methods. */ +// Legacy version-locked methods. const SSL_METHOD *TLSv1_2_method(void) { static const SSL_METHOD kMethod = { @@ -250,7 +250,7 @@ const SSL_METHOD *SSLv3_method(void) { return &kMethod; } -/* Legacy side-specific methods. */ +// Legacy side-specific methods. const SSL_METHOD *TLSv1_2_server_method(void) { return TLSv1_2_method(); diff --git a/ssl/tls_record.cc b/ssl/tls_record.cc index f8bb521d..eed64316 100644 --- a/ssl/tls_record.cc +++ b/ssl/tls_record.cc @@ -121,25 +121,25 @@ namespace bssl { -/* kMaxEmptyRecords is the number of consecutive, empty records that will be - * processed. Without this limit an attacker could send empty records at a - * faster rate than we can process and cause record processing to loop - * forever. */ +// kMaxEmptyRecords is the number of consecutive, empty records that will be +// processed. Without this limit an attacker could send empty records at a +// faster rate than we can process and cause record processing to loop +// forever. static const uint8_t kMaxEmptyRecords = 32; -/* kMaxEarlyDataSkipped is the maximum number of rejected early data bytes that - * will be skipped. Without this limit an attacker could send records at a - * faster rate than we can process and cause trial decryption to loop forever. - * This value should be slightly above kMaxEarlyDataAccepted, which is measured - * in plaintext. */ +// kMaxEarlyDataSkipped is the maximum number of rejected early data bytes that +// will be skipped. Without this limit an attacker could send records at a +// faster rate than we can process and cause trial decryption to loop forever. +// This value should be slightly above kMaxEarlyDataAccepted, which is measured +// in plaintext. static const size_t kMaxEarlyDataSkipped = 16384; -/* kMaxWarningAlerts is the number of consecutive warning alerts that will be - * processed. */ +// kMaxWarningAlerts is the number of consecutive warning alerts that will be +// processed. static const uint8_t kMaxWarningAlerts = 4; -/* ssl_needs_record_splitting returns one if |ssl|'s current outgoing cipher - * state needs record-splitting and zero otherwise. */ +// ssl_needs_record_splitting returns one if |ssl|'s current outgoing cipher +// state needs record-splitting and zero otherwise. static int ssl_needs_record_splitting(const SSL *ssl) { #if !defined(BORINGSSL_UNSAFE_FUZZER_MODE) return !ssl->s3->aead_write_ctx->is_null_cipher() && @@ -195,7 +195,7 @@ enum ssl_open_record_t tls_open_record(SSL *ssl, uint8_t *out_type, CBS *out, CBS cbs; CBS_init(&cbs, in, in_len); - /* Decode the record header. */ + // Decode the record header. uint8_t type; uint16_t version, ciphertext_len; if (!CBS_get_u8(&cbs, &type) || @@ -207,14 +207,14 @@ enum ssl_open_record_t tls_open_record(SSL *ssl, uint8_t *out_type, CBS *out, int version_ok; if (ssl->s3->aead_read_ctx->is_null_cipher()) { - /* Only check the first byte. Enforcing beyond that can prevent decoding - * version negotiation failure alerts. */ + // Only check the first byte. Enforcing beyond that can prevent decoding + // version negotiation failure alerts. version_ok = (version >> 8) == SSL3_VERSION_MAJOR; } else if (ssl3_protocol_version(ssl) < TLS1_3_VERSION) { - /* Earlier versions of TLS switch the record version. */ + // Earlier versions of TLS switch the record version. version_ok = version == ssl->version; } else { - /* Starting TLS 1.3, the version field is frozen at {3, 1}. */ + // Starting TLS 1.3, the version field is frozen at {3, 1}. version_ok = version == TLS1_VERSION; } @@ -224,14 +224,14 @@ enum ssl_open_record_t tls_open_record(SSL *ssl, uint8_t *out_type, CBS *out, return ssl_open_record_error; } - /* Check the ciphertext length. */ + // Check the ciphertext length. if (ciphertext_len > SSL3_RT_MAX_ENCRYPTED_LENGTH) { OPENSSL_PUT_ERROR(SSL, SSL_R_ENCRYPTED_LENGTH_TOO_LONG); *out_alert = SSL_AD_RECORD_OVERFLOW; return ssl_open_record_error; } - /* Extract the body. */ + // Extract the body. CBS body; if (!CBS_get_bytes(&cbs, &body, ciphertext_len)) { *out_consumed = SSL3_RT_HEADER_LENGTH + (size_t)ciphertext_len; @@ -243,15 +243,15 @@ enum ssl_open_record_t tls_open_record(SSL *ssl, uint8_t *out_type, CBS *out, *out_consumed = in_len - CBS_len(&cbs); - /* Skip early data received when expecting a second ClientHello if we rejected - * 0RTT. */ + // Skip early data received when expecting a second ClientHello if we rejected + // 0RTT. if (ssl->s3->skip_early_data && ssl->s3->aead_read_ctx->is_null_cipher() && type == SSL3_RT_APPLICATION_DATA) { goto skipped_data; } - /* Decrypt the body in-place. */ + // Decrypt the body in-place. if (!ssl->s3->aead_read_ctx->Open(out, type, version, ssl->s3->read_sequence, (uint8_t *)CBS_data(&body), CBS_len(&body))) { @@ -272,10 +272,10 @@ enum ssl_open_record_t tls_open_record(SSL *ssl, uint8_t *out_type, CBS *out, return ssl_open_record_error; } - /* TLS 1.3 hides the record type inside the encrypted data. */ + // TLS 1.3 hides the record type inside the encrypted data. if (!ssl->s3->aead_read_ctx->is_null_cipher() && ssl->s3->aead_read_ctx->version() >= TLS1_3_VERSION) { - /* The outer record type is always application_data. */ + // The outer record type is always application_data. if (type != SSL3_RT_APPLICATION_DATA) { OPENSSL_PUT_ERROR(SSL, SSL_R_INVALID_OUTER_RECORD_TYPE); *out_alert = SSL_AD_DECODE_ERROR; @@ -291,14 +291,14 @@ enum ssl_open_record_t tls_open_record(SSL *ssl, uint8_t *out_type, CBS *out, } while (type == 0); } - /* Check the plaintext length. */ + // Check the plaintext length. if (CBS_len(out) > SSL3_RT_MAX_PLAIN_LENGTH) { OPENSSL_PUT_ERROR(SSL, SSL_R_DATA_LENGTH_TOO_LONG); *out_alert = SSL_AD_RECORD_OVERFLOW; return ssl_open_record_error; } - /* Limit the number of consecutive empty records. */ + // Limit the number of consecutive empty records. if (CBS_len(out) == 0) { ssl->s3->empty_record_count++; if (ssl->s3->empty_record_count > kMaxEmptyRecords) { @@ -306,14 +306,14 @@ enum ssl_open_record_t tls_open_record(SSL *ssl, uint8_t *out_type, CBS *out, *out_alert = SSL_AD_UNEXPECTED_MESSAGE; return ssl_open_record_error; } - /* Apart from the limit, empty records are returned up to the caller. This - * allows the caller to reject records of the wrong type. */ + // Apart from the limit, empty records are returned up to the caller. This + // allows the caller to reject records of the wrong type. } else { ssl->s3->empty_record_count = 0; } if (type == SSL3_RT_ALERT) { - /* Return end_of_early_data alerts as-is for the caller to process. */ + // Return end_of_early_data alerts as-is for the caller to process. if (CBS_len(out) == 2 && CBS_data(out)[0] == SSL3_AL_WARNING && CBS_data(out)[1] == TLS1_AD_END_OF_EARLY_DATA) { @@ -351,7 +351,7 @@ static int do_seal_record(SSL *ssl, uint8_t *out_prefix, uint8_t *out, size_t extra_in_len = 0; if (!ssl->s3->aead_write_ctx->is_null_cipher() && ssl->s3->aead_write_ctx->version() >= TLS1_3_VERSION) { - /* TLS 1.3 hides the actual record type inside the encrypted data. */ + // TLS 1.3 hides the actual record type inside the encrypted data. extra_in = &type; extra_in_len = 1; } @@ -379,10 +379,10 @@ static int do_seal_record(SSL *ssl, uint8_t *out_prefix, uint8_t *out, out_prefix[0] = type; } - /* The TLS record-layer version number is meaningless and, starting in - * TLS 1.3, is frozen at TLS 1.0. But for historical reasons, SSL 3.0 - * ClientHellos should use SSL 3.0 and pre-TLS-1.3 expects the version - * to change after version negotiation. */ + // The TLS record-layer version number is meaningless and, starting in + // TLS 1.3, is frozen at TLS 1.0. But for historical reasons, SSL 3.0 + // ClientHellos should use SSL 3.0 and pre-TLS-1.3 expects the version + // to change after version negotiation. uint16_t wire_version = TLS1_VERSION; if (ssl->s3->hs != NULL && ssl->s3->hs->max_version == SSL3_VERSION) { wire_version = SSL3_VERSION; @@ -413,10 +413,10 @@ static size_t tls_seal_scatter_prefix_len(const SSL *ssl, uint8_t type, size_t ret = SSL3_RT_HEADER_LENGTH; if (type == SSL3_RT_APPLICATION_DATA && in_len > 1 && ssl_needs_record_splitting(ssl)) { - /* In the case of record splitting, the 1-byte record (of the 1/n-1 split) - * will be placed in the prefix, as will four of the five bytes of the - * record header for the main record. The final byte will replace the first - * byte of the plaintext that was used in the small record. */ + // In the case of record splitting, the 1-byte record (of the 1/n-1 split) + // will be placed in the prefix, as will four of the five bytes of the + // record header for the main record. The final byte will replace the first + // byte of the plaintext that was used in the small record. ret += ssl_cipher_get_record_split_len(ssl->s3->aead_write_ctx->cipher()); ret += SSL3_RT_HEADER_LENGTH - 1; } else { @@ -430,26 +430,26 @@ static bool tls_seal_scatter_suffix_len(const SSL *ssl, size_t *out_suffix_len, size_t extra_in_len = 0; if (!ssl->s3->aead_write_ctx->is_null_cipher() && ssl->s3->aead_write_ctx->version() >= TLS1_3_VERSION) { - /* TLS 1.3 adds an extra byte for encrypted record type. */ + // TLS 1.3 adds an extra byte for encrypted record type. extra_in_len = 1; } if (type == SSL3_RT_APPLICATION_DATA && // clang-format off in_len > 1 && ssl_needs_record_splitting(ssl)) { - /* With record splitting enabled, the first byte gets sealed into a separate - * record which is written into the prefix. */ + // With record splitting enabled, the first byte gets sealed into a separate + // record which is written into the prefix. in_len -= 1; } return ssl->s3->aead_write_ctx->SuffixLen(out_suffix_len, in_len, extra_in_len); } -/* tls_seal_scatter_record seals a new record of type |type| and body |in| and - * splits it between |out_prefix|, |out|, and |out_suffix|. Exactly - * |tls_seal_scatter_prefix_len| bytes are written to |out_prefix|, |in_len| - * bytes to |out|, and |tls_seal_scatter_suffix_len| bytes to |out_suffix|. It - * returns one on success and zero on error. If enabled, - * |tls_seal_scatter_record| implements TLS 1.0 CBC 1/n-1 record splitting and - * may write two records concatenated. */ +// tls_seal_scatter_record seals a new record of type |type| and body |in| and +// splits it between |out_prefix|, |out|, and |out_suffix|. Exactly +// |tls_seal_scatter_prefix_len| bytes are written to |out_prefix|, |in_len| +// bytes to |out|, and |tls_seal_scatter_suffix_len| bytes to |out_suffix|. It +// returns one on success and zero on error. If enabled, +// |tls_seal_scatter_record| implements TLS 1.0 CBC 1/n-1 record splitting and +// may write two records concatenated. static int tls_seal_scatter_record(SSL *ssl, uint8_t *out_prefix, uint8_t *out, uint8_t *out_suffix, uint8_t type, const uint8_t *in, size_t in_len) { @@ -458,7 +458,7 @@ static int tls_seal_scatter_record(SSL *ssl, uint8_t *out_prefix, uint8_t *out, assert(ssl->s3->aead_write_ctx->ExplicitNonceLen() == 0); const size_t prefix_len = SSL3_RT_HEADER_LENGTH; - /* Write the 1-byte fragment into |out_prefix|. */ + // Write the 1-byte fragment into |out_prefix|. uint8_t *split_body = out_prefix + prefix_len; uint8_t *split_suffix = split_body + 1; @@ -477,8 +477,8 @@ static int tls_seal_scatter_record(SSL *ssl, uint8_t *out_prefix, uint8_t *out, ssl->s3->aead_write_ctx->cipher()) == split_record_len); - /* Write the n-1-byte fragment. The header gets split between |out_prefix| - * (header[:-1]) and |out| (header[-1:]). */ + // Write the n-1-byte fragment. The header gets split between |out_prefix| + // (header[:-1]) and |out| (header[-1:]). uint8_t tmp_prefix[SSL3_RT_HEADER_LENGTH]; if (!do_seal_record(ssl, tmp_prefix, out + 1, out_suffix, type, in + 1, in_len - 1)) { @@ -530,7 +530,7 @@ int tls_seal_record(SSL *ssl, uint8_t *out, size_t *out_len, size_t max_out_len, enum ssl_open_record_t ssl_process_alert(SSL *ssl, uint8_t *out_alert, const uint8_t *in, size_t in_len) { - /* Alerts records may not contain fragmented or multiple alerts. */ + // Alerts records may not contain fragmented or multiple alerts. if (in_len != 2) { *out_alert = SSL_AD_DECODE_ERROR; OPENSSL_PUT_ERROR(SSL, SSL_R_BAD_ALERT); @@ -551,7 +551,7 @@ enum ssl_open_record_t ssl_process_alert(SSL *ssl, uint8_t *out_alert, return ssl_open_record_close_notify; } - /* Warning alerts do not exist in TLS 1.3. */ + // Warning alerts do not exist in TLS 1.3. if (ssl->s3->have_version && ssl3_protocol_version(ssl) >= TLS1_3_VERSION) { *out_alert = SSL_AD_DECODE_ERROR; @@ -677,7 +677,7 @@ size_t SSL_max_seal_overhead(const SSL *ssl) { size_t ret = SSL3_RT_HEADER_LENGTH; ret += ssl->s3->aead_write_ctx->MaxOverhead(); - /* TLS 1.3 needs an extra byte for the encrypted record type. */ + // TLS 1.3 needs an extra byte for the encrypted record type. if (!ssl->s3->aead_write_ctx->is_null_cipher() && ssl->s3->aead_write_ctx->version() >= TLS1_3_VERSION) { ret += 1;