Run the comment converter on libcrypto.
crypto/{asn1,x509,x509v3,pem} were skipped as they are still OpenSSL
style.
Change-Id: I3cd9a60e1cb483a981aca325041f3fbce294247c
Reviewed-on: https://boringssl-review.googlesource.com/19504
Reviewed-by: Adam Langley <agl@google.com>
Commit-Queue: David Benjamin <davidben@google.com>
CQ-Verified: CQ bot account: commit-bot@chromium.org <commit-bot@chromium.org>
diff --git a/crypto/base64/base64.c b/crypto/base64/base64.c
index d5450fc..b701b0d 100644
--- a/crypto/base64/base64.c
+++ b/crypto/base64/base64.c
@@ -65,29 +65,29 @@
#include "../internal.h"
-/* constant_time_lt_args_8 behaves like |constant_time_lt_8| but takes |uint8_t|
- * arguments for a slightly simpler implementation. */
+// constant_time_lt_args_8 behaves like |constant_time_lt_8| but takes |uint8_t|
+// arguments for a slightly simpler implementation.
static inline uint8_t constant_time_lt_args_8(uint8_t a, uint8_t b) {
crypto_word_t aw = a;
crypto_word_t bw = b;
- /* |crypto_word_t| is larger than |uint8_t|, so |aw| and |bw| have the same
- * MSB. |aw| < |bw| iff MSB(|aw| - |bw|) is 1. */
+ // |crypto_word_t| is larger than |uint8_t|, so |aw| and |bw| have the same
+ // MSB. |aw| < |bw| iff MSB(|aw| - |bw|) is 1.
return constant_time_msb_w(aw - bw);
}
-/* constant_time_in_range_8 returns |CONSTTIME_TRUE_8| if |min| <= |a| <= |max|
- * and |CONSTTIME_FALSE_8| otherwise. */
+// constant_time_in_range_8 returns |CONSTTIME_TRUE_8| if |min| <= |a| <= |max|
+// and |CONSTTIME_FALSE_8| otherwise.
static inline uint8_t constant_time_in_range_8(uint8_t a, uint8_t min,
uint8_t max) {
a -= min;
return constant_time_lt_args_8(a, max - min + 1);
}
-/* Encoding. */
+// Encoding.
static uint8_t conv_bin2ascii(uint8_t a) {
- /* Since PEM is sometimes used to carry private keys, we encode base64 data
- * itself in constant-time. */
+ // Since PEM is sometimes used to carry private keys, we encode base64 data
+ // itself in constant-time.
a &= 0x3f;
uint8_t ret = constant_time_select_8(constant_time_eq_8(a, 62), '+', '/');
ret =
@@ -183,8 +183,8 @@
ctx->data_used = (unsigned)in_len;
if (total > INT_MAX) {
- /* We cannot signal an error, but we can at least avoid making *out_len
- * negative. */
+ // We cannot signal an error, but we can at least avoid making *out_len
+ // negative.
total = 0;
}
*out_len = (int)total;
@@ -201,8 +201,8 @@
out[encoded] = '\0';
ctx->data_used = 0;
- /* ctx->data_used is bounded by sizeof(ctx->data), so this does not
- * overflow. */
+ // ctx->data_used is bounded by sizeof(ctx->data), so this does not
+ // overflow.
assert(encoded <= INT_MAX);
*out_len = (int)encoded;
}
@@ -240,7 +240,7 @@
}
-/* Decoding. */
+// Decoding.
int EVP_DecodedLength(size_t *out_len, size_t len) {
if (len % 4 != 0) {
@@ -256,8 +256,8 @@
}
static uint8_t base64_ascii_to_bin(uint8_t a) {
- /* Since PEM is sometimes used to carry private keys, we decode base64 data
- * itself in constant-time. */
+ // Since PEM is sometimes used to carry private keys, we decode base64 data
+ // itself in constant-time.
const uint8_t is_upper = constant_time_in_range_8(a, 'A', 'Z');
const uint8_t is_lower = constant_time_in_range_8(a, 'a', 'z');
const uint8_t is_digit = constant_time_in_range_8(a, '0', '9');
@@ -265,21 +265,21 @@
const uint8_t is_slash = constant_time_eq_8(a, '/');
const uint8_t is_equals = constant_time_eq_8(a, '=');
- uint8_t ret = 0xff; /* 0xff signals invalid. */
- ret = constant_time_select_8(is_upper, a - 'A', ret); /* [0,26) */
- ret = constant_time_select_8(is_lower, a - 'a' + 26, ret); /* [26,52) */
- ret = constant_time_select_8(is_digit, a - '0' + 52, ret); /* [52,62) */
+ uint8_t ret = 0xff; // 0xff signals invalid.
+ ret = constant_time_select_8(is_upper, a - 'A', ret); // [0,26)
+ ret = constant_time_select_8(is_lower, a - 'a' + 26, ret); // [26,52)
+ ret = constant_time_select_8(is_digit, a - '0' + 52, ret); // [52,62)
ret = constant_time_select_8(is_plus, 62, ret);
ret = constant_time_select_8(is_slash, 63, ret);
- /* Padding maps to zero, to be further handled by the caller. */
+ // Padding maps to zero, to be further handled by the caller.
ret = constant_time_select_8(is_equals, 0, ret);
return ret;
}
-/* base64_decode_quad decodes a single “quad” (i.e. four characters) of base64
- * data and writes up to three bytes to |out|. It sets |*out_num_bytes| to the
- * number of bytes written, which will be less than three if the quad ended
- * with padding. It returns one on success or zero on error. */
+// base64_decode_quad decodes a single “quad” (i.e. four characters) of base64
+// data and writes up to three bytes to |out|. It sets |*out_num_bytes| to the
+// number of bytes written, which will be less than three if the quad ended
+// with padding. It returns one on success or zero on error.
static int base64_decode_quad(uint8_t *out, size_t *out_num_bytes,
const uint8_t *in) {
const uint8_t a = base64_ascii_to_bin(in[0]);
@@ -300,20 +300,20 @@
switch (padding_pattern) {
case 0:
- /* The common case of no padding. */
+ // The common case of no padding.
*out_num_bytes = 3;
out[0] = v >> 16;
out[1] = v >> 8;
out[2] = v;
break;
- case 1: /* xxx= */
+ case 1: // xxx=
*out_num_bytes = 2;
out[0] = v >> 16;
out[1] = v >> 8;
break;
- case 3: /* xx== */
+ case 3: // xx==
*out_num_bytes = 1;
out[0] = v >> 16;
break;
@@ -424,7 +424,7 @@
}
int EVP_DecodeBlock(uint8_t *dst, const uint8_t *src, size_t src_len) {
- /* Trim spaces and tabs from the beginning of the input. */
+ // Trim spaces and tabs from the beginning of the input.
while (src_len > 0) {
if (src[0] != ' ' && src[0] != '\t') {
break;
@@ -434,7 +434,7 @@
src_len--;
}
- /* Trim newlines, spaces and tabs from the end of the line. */
+ // Trim newlines, spaces and tabs from the end of the line.
while (src_len > 0) {
switch (src[src_len-1]) {
case ' ':
@@ -455,8 +455,8 @@
return -1;
}
- /* EVP_DecodeBlock does not take padding into account, so put the
- * NULs back in... so the caller can strip them back out. */
+ // EVP_DecodeBlock does not take padding into account, so put the
+ // NULs back in... so the caller can strip them back out.
while (dst_len % 3 != 0) {
dst[dst_len++] = '\0';
}
diff --git a/crypto/base64/base64_test.cc b/crypto/base64/base64_test.cc
index 108c782..28b5c8e 100644
--- a/crypto/base64/base64_test.cc
+++ b/crypto/base64/base64_test.cc
@@ -280,9 +280,9 @@
out_len += bytes_written;
if (i == encoded_len ||
(i + 1 == encoded_len && t.encoded[i] == '\n') ||
- /* If there was an '-' in the input (which means “EOF”) then
- * this loop will continue to test that |EVP_DecodeUpdate| will
- * ignore the remainder of the input. */
+ // If there was an '-' in the input (which means “EOF”) then
+ // this loop will continue to test that |EVP_DecodeUpdate| will
+ // ignore the remainder of the input.
strchr(t.encoded, '-') != nullptr) {
break;
}
diff --git a/crypto/bio/bio.c b/crypto/bio/bio.c
index cffd05b..4e88966 100644
--- a/crypto/bio/bio.c
+++ b/crypto/bio/bio.c
@@ -409,14 +409,14 @@
ERR_print_errors_cb(print_bio, bio);
}
-/* bio_read_all reads everything from |bio| and prepends |prefix| to it. On
- * success, |*out| is set to an allocated buffer (which should be freed with
- * |OPENSSL_free|), |*out_len| is set to its length and one is returned. The
- * buffer will contain |prefix| followed by the contents of |bio|. On failure,
- * zero is returned.
- *
- * The function will fail if the size of the output would equal or exceed
- * |max_len|. */
+// bio_read_all reads everything from |bio| and prepends |prefix| to it. On
+// success, |*out| is set to an allocated buffer (which should be freed with
+// |OPENSSL_free|), |*out_len| is set to its length and one is returned. The
+// buffer will contain |prefix| followed by the contents of |bio|. On failure,
+// zero is returned.
+//
+// The function will fail if the size of the output would equal or exceed
+// |max_len|.
static int bio_read_all(BIO *bio, uint8_t **out, size_t *out_len,
const uint8_t *prefix, size_t prefix_len,
size_t max_len) {
@@ -480,20 +480,20 @@
const uint8_t length_byte = header[1];
if ((tag & 0x1f) == 0x1f) {
- /* Long form tags are not supported. */
+ // Long form tags are not supported.
return 0;
}
size_t len, header_len;
if ((length_byte & 0x80) == 0) {
- /* Short form length. */
+ // Short form length.
len = length_byte;
header_len = kInitialHeaderLen;
} else {
const size_t num_bytes = length_byte & 0x7f;
if ((tag & 0x20 /* constructed */) != 0 && num_bytes == 0) {
- /* indefinite length. */
+ // indefinite length.
return bio_read_all(bio, out, out_len, header, kInitialHeaderLen,
max_len);
}
@@ -516,12 +516,12 @@
}
if (len32 < 128) {
- /* Length should have used short-form encoding. */
+ // Length should have used short-form encoding.
return 0;
}
if ((len32 >> ((num_bytes-1)*8)) == 0) {
- /* Length should have been at least one byte shorter. */
+ // Length should have been at least one byte shorter.
return 0;
}
diff --git a/crypto/bio/bio_mem.c b/crypto/bio/bio_mem.c
index 1cba8a8..08dd6e9 100644
--- a/crypto/bio/bio_mem.c
+++ b/crypto/bio/bio_mem.c
@@ -82,16 +82,16 @@
}
b = (BUF_MEM *)ret->ptr;
- /* BIO_FLAGS_MEM_RDONLY ensures |b->data| is not written to. */
+ // BIO_FLAGS_MEM_RDONLY ensures |b->data| is not written to.
b->data = (void *)buf;
b->length = size;
b->max = size;
ret->flags |= BIO_FLAGS_MEM_RDONLY;
- /* |num| is used to store the value that this BIO will return when it runs
- * out of data. If it's negative then the retry flags will also be set. Since
- * this is static data, retrying wont help */
+ // |num| is used to store the value that this BIO will return when it runs
+ // out of data. If it's negative then the retry flags will also be set. Since
+ // this is static data, retrying wont help
ret->num = 0;
return ret;
@@ -105,8 +105,8 @@
return 0;
}
- /* |shutdown| is used to store the close flag: whether the BIO has ownership
- * of the BUF_MEM. */
+ // |shutdown| is used to store the close flag: whether the BIO has ownership
+ // of the BUF_MEM.
bio->shutdown = 1;
bio->init = 1;
bio->num = -1;
@@ -214,8 +214,8 @@
}
}
- /* i is now the max num of bytes to copy, either j or up to and including the
- * first newline */
+ // i is now the max num of bytes to copy, either j or up to and including the
+ // first newline
i = mem_read(bio, buf, i);
if (i > 0) {
@@ -233,7 +233,7 @@
switch (cmd) {
case BIO_CTRL_RESET:
if (b->data != NULL) {
- /* For read only case reset to the start again */
+ // For read only case reset to the start again
if (bio->flags & BIO_FLAGS_MEM_RDONLY) {
b->data -= b->max - b->length;
b->length = b->max;
diff --git a/crypto/bio/connect.c b/crypto/bio/connect.c
index d40dd53..0b60f6a 100644
--- a/crypto/bio/connect.c
+++ b/crypto/bio/connect.c
@@ -98,12 +98,12 @@
struct sockaddr_storage them;
socklen_t them_length;
- /* the file descriptor is kept in bio->num in order to match the socket
- * BIO. */
+ // the file descriptor is kept in bio->num in order to match the socket
+ // BIO.
- /* info_callback is called when the connection is initially made
- * callback(BIO,state,ret); The callback should return 'ret', state is for
- * compatibility with the SSL info_callback. */
+ // info_callback is called when the connection is initially made
+ // callback(BIO,state,ret); The callback should return 'ret', state is for
+ // compatibility with the SSL info_callback.
int (*info_callback)(const BIO *bio, int state, int ret);
} BIO_CONNECT;
@@ -113,9 +113,9 @@
}
#endif
-/* split_host_and_port sets |*out_host| and |*out_port| to the host and port
- * parsed from |name|. It returns one on success or zero on error. Even when
- * successful, |*out_port| may be NULL on return if no port was specified. */
+// split_host_and_port sets |*out_host| and |*out_port| to the host and port
+// parsed from |name|. It returns one on success or zero on error. Even when
+// successful, |*out_port| may be NULL on return if no port was specified.
static int split_host_and_port(char **out_host, char **out_port, const char *name) {
const char *host, *port = NULL;
size_t host_len = 0;
@@ -123,24 +123,24 @@
*out_host = NULL;
*out_port = NULL;
- if (name[0] == '[') { /* bracketed IPv6 address */
+ if (name[0] == '[') { // bracketed IPv6 address
const char *close = strchr(name, ']');
if (close == NULL) {
return 0;
}
host = name + 1;
host_len = close - host;
- if (close[1] == ':') { /* [IP]:port */
+ if (close[1] == ':') { // [IP]:port
port = close + 2;
} else if (close[1] != 0) {
return 0;
}
} else {
const char *colon = strchr(name, ':');
- if (colon == NULL || strchr(colon + 1, ':') != NULL) { /* IPv6 address */
+ if (colon == NULL || strchr(colon + 1, ':') != NULL) { // IPv6 address
host = name;
host_len = strlen(name);
- } else { /* host:port */
+ } else { // host:port
host = name;
host_len = colon - name;
port = colon + 1;
@@ -175,9 +175,9 @@
for (;;) {
switch (c->state) {
case BIO_CONN_S_BEFORE:
- /* If there's a hostname and a port, assume that both are
- * exactly what they say. If there is only a hostname, try
- * (just once) to split it into a hostname and port. */
+ // If there's a hostname and a port, assume that both are
+ // exactly what they say. If there is only a hostname, try
+ // (just once) to split it into a hostname and port.
if (c->param_hostname == NULL) {
OPENSSL_PUT_ERROR(BIO, BIO_R_NO_HOSTNAME_SPECIFIED);
@@ -330,7 +330,7 @@
return;
}
- /* Only do a shutdown if things were established */
+ // Only do a shutdown if things were established
if (c->state == BIO_CONN_S_OK) {
shutdown(bio->num, 2);
}
@@ -415,7 +415,7 @@
bio->flags = 0;
break;
case BIO_C_DO_STATE_MACHINE:
- /* use this one to start the connection */
+ // use this one to start the connection
if (data->state != BIO_CONN_S_OK) {
ret = (long)conn_state(bio, data);
} else {
diff --git a/crypto/bio/fd.c b/crypto/bio/fd.c
index 4e9eeac..37840a7 100644
--- a/crypto/bio/fd.c
+++ b/crypto/bio/fd.c
@@ -138,7 +138,7 @@
}
static int fd_new(BIO *bio) {
- /* num is used to store the file descriptor. */
+ // num is used to store the file descriptor.
bio->num = -1;
return 1;
}
diff --git a/crypto/bio/file.c b/crypto/bio/file.c
index 3580cd1..25c1dbd 100644
--- a/crypto/bio/file.c
+++ b/crypto/bio/file.c
@@ -55,18 +55,17 @@
* [including the GNU Public Licence.] */
#if defined(__linux) || defined(__sun) || defined(__hpux)
-/* Following definition aliases fopen to fopen64 on above mentioned
- * platforms. This makes it possible to open and sequentially access
- * files larger than 2GB from 32-bit application. It does not allow to
- * traverse them beyond 2GB with fseek/ftell, but on the other hand *no*
- * 32-bit platform permits that, not with fseek/ftell. Not to mention
- * that breaking 2GB limit for seeking would require surgery to *our*
- * API. But sequential access suffices for practical cases when you
- * can run into large files, such as fingerprinting, so we can let API
- * alone. For reference, the list of 32-bit platforms which allow for
- * sequential access of large files without extra "magic" comprise *BSD,
- * Darwin, IRIX...
- */
+// Following definition aliases fopen to fopen64 on above mentioned
+// platforms. This makes it possible to open and sequentially access
+// files larger than 2GB from 32-bit application. It does not allow to
+// traverse them beyond 2GB with fseek/ftell, but on the other hand *no*
+// 32-bit platform permits that, not with fseek/ftell. Not to mention
+// that breaking 2GB limit for seeking would require surgery to *our*
+// API. But sequential access suffices for practical cases when you
+// can run into large files, such as fingerprinting, so we can let API
+// alone. For reference, the list of 32-bit platforms which allow for
+// sequential access of large files without extra "magic" comprise *BSD,
+// Darwin, IRIX...
#ifndef _FILE_OFFSET_BITS
#define _FILE_OFFSET_BITS 64
#endif
@@ -157,7 +156,7 @@
return -1;
}
- /* fread reads at most |outl| bytes, so |ret| fits in an int. */
+ // fread reads at most |outl| bytes, so |ret| fits in an int.
return (int)ret;
}
@@ -232,7 +231,7 @@
b->init = 1;
break;
case BIO_C_GET_FILE_PTR:
- /* the ptr parameter is actually a FILE ** in this case. */
+ // the ptr parameter is actually a FILE ** in this case.
if (ptr != NULL) {
fpp = (FILE **)ptr;
*fpp = (FILE *)b->ptr;
diff --git a/crypto/bio/hexdump.c b/crypto/bio/hexdump.c
index d55df62..6d928bc 100644
--- a/crypto/bio/hexdump.c
+++ b/crypto/bio/hexdump.c
@@ -62,12 +62,12 @@
#include "../internal.h"
-/* hexdump_ctx contains the state of a hexdump. */
+// hexdump_ctx contains the state of a hexdump.
struct hexdump_ctx {
BIO *bio;
- char right_chars[18]; /* the contents of the right-hand side, ASCII dump. */
- unsigned used; /* number of bytes in the current line. */
- size_t n; /* number of bytes total. */
+ char right_chars[18]; // the contents of the right-hand side, ASCII dump.
+ unsigned used; // number of bytes in the current line.
+ size_t n; // number of bytes total.
unsigned indent;
};
@@ -84,21 +84,20 @@
return b;
}
-/* hexdump_write adds |len| bytes of |data| to the current hex dump described by
- * |ctx|. */
+// hexdump_write adds |len| bytes of |data| to the current hex dump described by
+// |ctx|.
static int hexdump_write(struct hexdump_ctx *ctx, const uint8_t *data,
size_t len) {
char buf[10];
unsigned l;
- /* Output lines look like:
- * 00000010 2e 2f 30 31 32 33 34 35 36 37 38 ... 3c 3d // |./0123456789:;<=|
- * ^ offset ^ extra space ^ ASCII of line
- */
+ // Output lines look like:
+ // 00000010 2e 2f 30 31 32 33 34 35 36 37 38 ... 3c 3d // |./0123456789:;<=|
+ // ^ offset ^ extra space ^ ASCII of line
for (size_t i = 0; i < len; i++) {
if (ctx->used == 0) {
- /* The beginning of a line. */
+ // The beginning of a line.
BIO_indent(ctx->bio, ctx->indent, UINT_MAX);
hexbyte(&buf[0], ctx->n >> 24);
@@ -115,12 +114,12 @@
buf[2] = ' ';
l = 3;
if (ctx->used == 7) {
- /* There's an additional space after the 8th byte. */
+ // There's an additional space after the 8th byte.
buf[3] = ' ';
l = 4;
} else if (ctx->used == 15) {
- /* At the end of the line there's an extra space and the bar for the
- * right column. */
+ // At the end of the line there's an extra space and the bar for the
+ // right column.
buf[3] = ' ';
buf[4] = '|';
l = 5;
@@ -145,9 +144,9 @@
return 1;
}
-/* finish flushes any buffered data in |ctx|. */
+// finish flushes any buffered data in |ctx|.
static int finish(struct hexdump_ctx *ctx) {
- /* See the comments in |hexdump| for the details of this format. */
+ // See the comments in |hexdump| for the details of this format.
const unsigned n_bytes = ctx->used;
unsigned l;
char buf[5];
diff --git a/crypto/bio/internal.h b/crypto/bio/internal.h
index 4ec77fa..8ed27da 100644
--- a/crypto/bio/internal.h
+++ b/crypto/bio/internal.h
@@ -61,7 +61,7 @@
#if !defined(OPENSSL_WINDOWS)
#if defined(OPENSSL_PNACL)
-/* newlib uses u_short in socket.h without defining it. */
+// newlib uses u_short in socket.h without defining it.
typedef unsigned short u_short;
#endif
#include <sys/types.h>
@@ -78,34 +78,34 @@
#endif
-/* BIO_ip_and_port_to_socket_and_addr creates a socket and fills in |*out_addr|
- * and |*out_addr_length| with the correct values for connecting to |hostname|
- * on |port_str|. It returns one on success or zero on error. */
+// BIO_ip_and_port_to_socket_and_addr creates a socket and fills in |*out_addr|
+// and |*out_addr_length| with the correct values for connecting to |hostname|
+// on |port_str|. It returns one on success or zero on error.
int bio_ip_and_port_to_socket_and_addr(int *out_sock,
struct sockaddr_storage *out_addr,
socklen_t *out_addr_length,
const char *hostname,
const char *port_str);
-/* BIO_socket_nbio sets whether |sock| is non-blocking. It returns one on
- * success and zero otherwise. */
+// BIO_socket_nbio sets whether |sock| is non-blocking. It returns one on
+// success and zero otherwise.
int bio_socket_nbio(int sock, int on);
-/* BIO_clear_socket_error clears the last system socket error.
- *
- * TODO(fork): remove all callers of this. */
+// BIO_clear_socket_error clears the last system socket error.
+//
+// TODO(fork): remove all callers of this.
void bio_clear_socket_error(void);
-/* BIO_sock_error returns the last socket error on |sock|. */
+// BIO_sock_error returns the last socket error on |sock|.
int bio_sock_error(int sock);
-/* BIO_fd_should_retry returns non-zero if |return_value| indicates an error
- * and |errno| indicates that it's non-fatal. */
+// BIO_fd_should_retry returns non-zero if |return_value| indicates an error
+// and |errno| indicates that it's non-fatal.
int bio_fd_should_retry(int return_value);
#if defined(__cplusplus)
-} /* extern C */
+} // extern C
#endif
-#endif /* OPENSSL_HEADER_BIO_INTERNAL_H */
+#endif // OPENSSL_HEADER_BIO_INTERNAL_H
diff --git a/crypto/bio/pair.c b/crypto/bio/pair.c
index 8ba382d..f5057ed 100644
--- a/crypto/bio/pair.c
+++ b/crypto/bio/pair.c
@@ -63,22 +63,22 @@
struct bio_bio_st {
- BIO *peer; /* NULL if buf == NULL.
- * If peer != NULL, then peer->ptr is also a bio_bio_st,
- * and its "peer" member points back to us.
- * peer != NULL iff init != 0 in the BIO. */
+ BIO *peer; // NULL if buf == NULL.
+ // If peer != NULL, then peer->ptr is also a bio_bio_st,
+ // and its "peer" member points back to us.
+ // peer != NULL iff init != 0 in the BIO.
- /* This is for what we write (i.e. reading uses peer's struct): */
- int closed; /* valid iff peer != NULL */
- size_t len; /* valid iff buf != NULL; 0 if peer == NULL */
- size_t offset; /* valid iff buf != NULL; 0 if len == 0 */
+ // This is for what we write (i.e. reading uses peer's struct):
+ int closed; // valid iff peer != NULL
+ size_t len; // valid iff buf != NULL; 0 if peer == NULL
+ size_t offset; // valid iff buf != NULL; 0 if len == 0
size_t size;
- uint8_t *buf; /* "size" elements (if != NULL) */
+ uint8_t *buf; // "size" elements (if != NULL)
- size_t request; /* valid iff peer != NULL; 0 if len != 0,
- * otherwise set by peer to number of bytes
- * it (unsuccessfully) tried to read,
- * never more than buffer space (size-len) warrants. */
+ size_t request; // valid iff peer != NULL; 0 if len != 0,
+ // otherwise set by peer to number of bytes
+ // it (unsuccessfully) tried to read,
+ // never more than buffer space (size-len) warrants.
};
static int bio_new(BIO *bio) {
@@ -90,7 +90,7 @@
}
OPENSSL_memset(b, 0, sizeof(struct bio_bio_st));
- b->size = 17 * 1024; /* enough for one TLS record (just a default) */
+ b->size = 17 * 1024; // enough for one TLS record (just a default)
bio->ptr = b;
return 1;
}
@@ -165,7 +165,7 @@
assert(peer_b != NULL);
assert(peer_b->buf != NULL);
- peer_b->request = 0; /* will be set in "retry_read" situation */
+ peer_b->request = 0; // will be set in "retry_read" situation
if (buf == NULL || size == 0) {
return 0;
@@ -173,30 +173,30 @@
if (peer_b->len == 0) {
if (peer_b->closed) {
- return 0; /* writer has closed, and no data is left */
+ return 0; // writer has closed, and no data is left
} else {
- BIO_set_retry_read(bio); /* buffer is empty */
+ BIO_set_retry_read(bio); // buffer is empty
if (size <= peer_b->size) {
peer_b->request = size;
} else {
- /* don't ask for more than the peer can
- * deliver in one write */
+ // don't ask for more than the peer can
+ // deliver in one write
peer_b->request = peer_b->size;
}
return -1;
}
}
- /* we can read */
+ // we can read
if (peer_b->len < size) {
size = peer_b->len;
}
- /* now read "size" bytes */
+ // now read "size" bytes
rest = size;
assert(rest > 0);
- /* one or two iterations */
+ // one or two iterations
do {
size_t chunk;
@@ -204,7 +204,7 @@
if (peer_b->offset + rest <= peer_b->size) {
chunk = rest;
} else {
- /* wrap around ring buffer */
+ // wrap around ring buffer
chunk = peer_b->size - peer_b->offset;
}
assert(peer_b->offset + chunk <= peer_b->size);
@@ -220,7 +220,7 @@
}
buf += chunk;
} else {
- /* buffer now empty, no need to advance "buf" */
+ // buffer now empty, no need to advance "buf"
assert(chunk == rest);
peer_b->offset = 0;
}
@@ -248,7 +248,7 @@
b->request = 0;
if (b->closed) {
- /* we already closed */
+ // we already closed
OPENSSL_PUT_ERROR(BIO, BIO_R_BROKEN_PIPE);
return -1;
}
@@ -256,20 +256,20 @@
assert(b->len <= b->size);
if (b->len == b->size) {
- BIO_set_retry_write(bio); /* buffer is full */
+ BIO_set_retry_write(bio); // buffer is full
return -1;
}
- /* we can write */
+ // we can write
if (num > b->size - b->len) {
num = b->size - b->len;
}
- /* now write "num" bytes */
+ // now write "num" bytes
rest = num;
assert(rest > 0);
- /* one or two iterations */
+ // one or two iterations
do {
size_t write_offset;
size_t chunk;
@@ -280,12 +280,12 @@
if (write_offset >= b->size) {
write_offset -= b->size;
}
- /* b->buf[write_offset] is the first byte we can write to. */
+ // b->buf[write_offset] is the first byte we can write to.
if (write_offset + rest <= b->size) {
chunk = rest;
} else {
- /* wrap around ring buffer */
+ // wrap around ring buffer
chunk = b->size - write_offset;
}
@@ -363,15 +363,15 @@
assert(b != NULL);
switch (cmd) {
- /* specific CTRL codes */
+ // specific CTRL codes
case BIO_C_GET_WRITE_BUF_SIZE:
ret = (long)b->size;
break;
case BIO_C_GET_WRITE_GUARANTEE:
- /* How many bytes can the caller feed to the next write
- * without having to keep any? */
+ // How many bytes can the caller feed to the next write
+ // without having to keep any?
if (b->peer == NULL || b->closed) {
ret = 0;
} else {
@@ -380,28 +380,28 @@
break;
case BIO_C_GET_READ_REQUEST:
- /* If the peer unsuccessfully tried to read, how many bytes
- * were requested? (As with BIO_CTRL_PENDING, that number
- * can usually be treated as boolean.) */
+ // If the peer unsuccessfully tried to read, how many bytes
+ // were requested? (As with BIO_CTRL_PENDING, that number
+ // can usually be treated as boolean.)
ret = (long)b->request;
break;
case BIO_C_RESET_READ_REQUEST:
- /* Reset request. (Can be useful after read attempts
- * at the other side that are meant to be non-blocking,
- * e.g. when probing SSL_read to see if any data is
- * available.) */
+ // Reset request. (Can be useful after read attempts
+ // at the other side that are meant to be non-blocking,
+ // e.g. when probing SSL_read to see if any data is
+ // available.)
b->request = 0;
ret = 1;
break;
case BIO_C_SHUTDOWN_WR:
- /* similar to shutdown(..., SHUT_WR) */
+ // similar to shutdown(..., SHUT_WR)
b->closed = 1;
ret = 1;
break;
- /* standard CTRL codes follow */
+ // standard CTRL codes follow
case BIO_CTRL_GET_CLOSE:
ret = bio->shutdown;
@@ -453,7 +453,7 @@
static const BIO_METHOD methods_biop = {
BIO_TYPE_BIO, "BIO pair", bio_write, bio_read, NULL /* puts */,
- NULL /* gets */, bio_ctrl, bio_new, bio_free, NULL /* callback_ctrl */
+ NULL /* gets */, bio_ctrl, bio_new, bio_free, NULL /* callback_ctrl */,
};
static const BIO_METHOD *bio_s_bio(void) { return &methods_biop; }
diff --git a/crypto/bio/printf.c b/crypto/bio/printf.c
index f59a15f..28162e6 100644
--- a/crypto/bio/printf.c
+++ b/crypto/bio/printf.c
@@ -55,7 +55,7 @@
* [including the GNU Public Licence.] */
#if !defined(_POSIX_C_SOURCE)
-#define _POSIX_C_SOURCE 201410L /* for snprintf, vprintf etc */
+#define _POSIX_C_SOURCE 201410L // for snprintf, vprintf etc
#endif
#include <openssl/bio.h>
@@ -77,8 +77,8 @@
va_end(args);
#if defined(OPENSSL_WINDOWS)
- /* On Windows, vsnprintf returns -1 rather than the requested length on
- * truncation */
+ // On Windows, vsnprintf returns -1 rather than the requested length on
+ // truncation
if (out_len < 0) {
va_start(args, format);
out_len = _vscprintf(format, args);
@@ -93,9 +93,9 @@
if ((size_t) out_len >= sizeof(buf)) {
const int requested_len = out_len;
- /* The output was truncated. Note that vsnprintf's return value
- * does not include a trailing NUL, but the buffer must be sized
- * for it. */
+ // The output was truncated. Note that vsnprintf's return value
+ // does not include a trailing NUL, but the buffer must be sized
+ // for it.
out = OPENSSL_malloc(requested_len + 1);
out_malloced = 1;
if (out == NULL) {
diff --git a/crypto/bn_extra/bn_asn1.c b/crypto/bn_extra/bn_asn1.c
index efb2335..8b939da 100644
--- a/crypto/bn_extra/bn_asn1.c
+++ b/crypto/bn_extra/bn_asn1.c
@@ -31,7 +31,7 @@
return 0;
}
- /* INTEGERs must be minimal. */
+ // INTEGERs must be minimal.
if (CBS_data(&child)[0] == 0x00 &&
CBS_len(&child) > 1 &&
!(CBS_data(&child)[1] & 0x80)) {
@@ -50,16 +50,16 @@
return 0;
}
- /* This function intentionally does not reject negative numbers or non-minimal
- * encodings. Estonian IDs issued between September 2014 to September 2015 are
- * broken. See https://crbug.com/532048 and https://crbug.com/534766.
- *
- * TODO(davidben): Remove this code and callers in March 2016. */
+ // This function intentionally does not reject negative numbers or non-minimal
+ // encodings. Estonian IDs issued between September 2014 to September 2015 are
+ // broken. See https://crbug.com/532048 and https://crbug.com/534766.
+ //
+ // TODO(davidben): Remove this code and callers in March 2016.
return BN_bin2bn(CBS_data(&child), CBS_len(&child), ret) != NULL;
}
int BN_marshal_asn1(CBB *cbb, const BIGNUM *bn) {
- /* Negative numbers are unsupported. */
+ // Negative numbers are unsupported.
if (BN_is_negative(bn)) {
OPENSSL_PUT_ERROR(BN, BN_R_NEGATIVE_NUMBER);
return 0;
@@ -67,8 +67,8 @@
CBB child;
if (!CBB_add_asn1(cbb, &child, CBS_ASN1_INTEGER) ||
- /* The number must be padded with a leading zero if the high bit would
- * otherwise be set or if |bn| is zero. */
+ // The number must be padded with a leading zero if the high bit would
+ // otherwise be set or if |bn| is zero.
(BN_num_bits(bn) % 8 == 0 && !CBB_add_u8(&child, 0x00)) ||
!BN_bn2cbb_padded(&child, BN_num_bytes(bn), bn) ||
!CBB_flush(cbb)) {
diff --git a/crypto/bn_extra/convert.c b/crypto/bn_extra/convert.c
index b48a971..6f3a062 100644
--- a/crypto/bn_extra/convert.c
+++ b/crypto/bn_extra/convert.c
@@ -96,7 +96,7 @@
int z = 0;
for (int i = bn->top - 1; i >= 0; i--) {
for (int j = BN_BITS2 - 8; j >= 0; j -= 8) {
- /* strip leading zeros */
+ // strip leading zeros
int v = ((int)(bn->d[i] >> (long)j)) & 0xff;
if (z || v != 0) {
*(p++) = hextable[v >> 4];
@@ -110,20 +110,20 @@
return buf;
}
-/* decode_hex decodes |in_len| bytes of hex data from |in| and updates |bn|. */
+// decode_hex decodes |in_len| bytes of hex data from |in| and updates |bn|.
static int decode_hex(BIGNUM *bn, const char *in, int in_len) {
if (in_len > INT_MAX/4) {
OPENSSL_PUT_ERROR(BN, BN_R_BIGNUM_TOO_LONG);
return 0;
}
- /* |in_len| is the number of hex digits. */
+ // |in_len| is the number of hex digits.
if (!bn_expand(bn, in_len * 4)) {
return 0;
}
int i = 0;
while (in_len > 0) {
- /* Decode one |BN_ULONG| at a time. */
+ // Decode one |BN_ULONG| at a time.
int todo = BN_BYTES * 2;
if (todo > in_len) {
todo = in_len;
@@ -143,7 +143,7 @@
hex = c - 'A' + 10;
} else {
hex = 0;
- /* This shouldn't happen. The caller checks |isxdigit|. */
+ // This shouldn't happen. The caller checks |isxdigit|.
assert(0);
}
word = (word << 4) | hex;
@@ -157,12 +157,12 @@
return 1;
}
-/* decode_dec decodes |in_len| bytes of decimal data from |in| and updates |bn|. */
+// decode_dec decodes |in_len| bytes of decimal data from |in| and updates |bn|.
static int decode_dec(BIGNUM *bn, const char *in, int in_len) {
int i, j;
BN_ULONG l = 0;
- /* Decode |BN_DEC_NUM| digits at a time. */
+ // Decode |BN_DEC_NUM| digits at a time.
j = BN_DEC_NUM - (in_len % BN_DEC_NUM);
if (j == BN_DEC_NUM) {
j = 0;
@@ -207,7 +207,7 @@
return num;
}
- /* in is the start of the hex digits, and it is 'i' long */
+ // in is the start of the hex digits, and it is 'i' long
if (*outp == NULL) {
ret = BN_new();
if (ret == NULL) {
@@ -243,8 +243,8 @@
}
char *BN_bn2dec(const BIGNUM *a) {
- /* It is easier to print strings little-endian, so we assemble it in reverse
- * and fix at the end. */
+ // It is easier to print strings little-endian, so we assemble it in reverse
+ // and fix at the end.
BIGNUM *copy = NULL;
CBB cbb;
if (!CBB_init(&cbb, 16) ||
@@ -290,7 +290,7 @@
goto cbb_err;
}
- /* Reverse the buffer. */
+ // Reverse the buffer.
for (size_t i = 0; i < len/2; i++) {
uint8_t tmp = data[i];
data[i] = data[len - 1 - i];
@@ -349,7 +349,7 @@
for (i = a->top - 1; i >= 0; i--) {
for (j = BN_BITS2 - 4; j >= 0; j -= 4) {
- /* strip leading zeros */
+ // strip leading zeros
v = ((int)(a->d[i] >> (long)j)) & 0x0f;
if (z || v != 0) {
if (BIO_write(bp, &hextable[v], 1) != 1) {
@@ -384,8 +384,8 @@
size_t BN_bn2mpi(const BIGNUM *in, uint8_t *out) {
const size_t bits = BN_num_bits(in);
const size_t bytes = (bits + 7) / 8;
- /* If the number of bits is a multiple of 8, i.e. if the MSB is set,
- * prefix with a zero byte. */
+ // If the number of bits is a multiple of 8, i.e. if the MSB is set,
+ // prefix with a zero byte.
int extend = 0;
if (bytes != 0 && (bits & 0x07) == 0) {
extend = 1;
@@ -395,8 +395,8 @@
if (len < bytes ||
4 + len < len ||
(len & 0xffffffff) != len) {
- /* If we cannot represent the number then we emit zero as the interface
- * doesn't allow an error to be signalled. */
+ // If we cannot represent the number then we emit zero as the interface
+ // doesn't allow an error to be signalled.
if (out) {
OPENSSL_memset(out, 0, 4);
}
diff --git a/crypto/buf/buf.c b/crypto/buf/buf.c
index f1fcae6..1305c58 100644
--- a/crypto/buf/buf.c
+++ b/crypto/buf/buf.c
@@ -97,14 +97,14 @@
size_t n = cap + 3;
if (n < cap) {
- /* overflow */
+ // overflow
OPENSSL_PUT_ERROR(BUF, ERR_R_MALLOC_FAILURE);
return 0;
}
n = n / 3;
size_t alloc_size = n * 4;
if (alloc_size / 4 != n) {
- /* overflow */
+ // overflow
OPENSSL_PUT_ERROR(BUF, ERR_R_MALLOC_FAILURE);
return 0;
}
@@ -185,7 +185,7 @@
alloc_size = size + 1;
if (alloc_size < size) {
- /* overflow */
+ // overflow
OPENSSL_PUT_ERROR(BUF, ERR_R_MALLOC_FAILURE);
return NULL;
}
diff --git a/crypto/bytestring/ber.c b/crypto/bytestring/ber.c
index 54bac59..4dc94f6 100644
--- a/crypto/bytestring/ber.c
+++ b/crypto/bytestring/ber.c
@@ -21,13 +21,13 @@
#include "../internal.h"
-/* kMaxDepth is a just a sanity limit. The code should be such that the length
- * of the input being processes always decreases. None the less, a very large
- * input could otherwise cause the stack to overflow. */
+// kMaxDepth is a just a sanity limit. The code should be such that the length
+// of the input being processes always decreases. None the less, a very large
+// input could otherwise cause the stack to overflow.
static const unsigned kMaxDepth = 2048;
-/* is_string_type returns one if |tag| is a string type and zero otherwise. It
- * ignores the constructed bit. */
+// is_string_type returns one if |tag| is a string type and zero otherwise. It
+// ignores the constructed bit.
static int is_string_type(unsigned tag) {
if ((tag & 0xc0) != 0) {
return 0;
@@ -52,10 +52,10 @@
}
}
-/* cbs_find_ber walks an ASN.1 structure in |orig_in| and sets |*ber_found|
- * depending on whether an indefinite length element or constructed string was
- * found. The value of |orig_in| is not changed. It returns one on success (i.e.
- * |*ber_found| was set) and zero on error. */
+// cbs_find_ber walks an ASN.1 structure in |orig_in| and sets |*ber_found|
+// depending on whether an indefinite length element or constructed string was
+// found. The value of |orig_in| is not changed. It returns one on success (i.e.
+// |*ber_found| was set) and zero on error.
static int cbs_find_ber(const CBS *orig_in, char *ber_found, unsigned depth) {
CBS in;
@@ -77,13 +77,13 @@
if (CBS_len(&contents) == header_len &&
header_len > 0 &&
CBS_data(&contents)[header_len-1] == 0x80) {
- /* Found an indefinite-length element. */
+ // Found an indefinite-length element.
*ber_found = 1;
return 1;
}
if (tag & CBS_ASN1_CONSTRUCTED) {
if (is_string_type(tag)) {
- /* Constructed strings are only legal in BER and require conversion. */
+ // Constructed strings are only legal in BER and require conversion.
*ber_found = 1;
return 1;
}
@@ -97,20 +97,20 @@
return 1;
}
-/* is_eoc returns true if |header_len| and |contents|, as returned by
- * |CBS_get_any_ber_asn1_element|, indicate an "end of contents" (EOC) value. */
+// is_eoc returns true if |header_len| and |contents|, as returned by
+// |CBS_get_any_ber_asn1_element|, indicate an "end of contents" (EOC) value.
static char is_eoc(size_t header_len, CBS *contents) {
return header_len == 2 && CBS_len(contents) == 2 &&
OPENSSL_memcmp(CBS_data(contents), "\x00\x00", 2) == 0;
}
-/* cbs_convert_ber reads BER data from |in| and writes DER data to |out|. If
- * |string_tag| is non-zero, then all elements must match |string_tag| up to the
- * constructed bit and primitive element bodies are written to |out| without
- * element headers. This is used when concatenating the fragments of a
- * constructed string. If |looking_for_eoc| is set then any EOC elements found
- * will cause the function to return after consuming it. It returns one on
- * success and zero on error. */
+// cbs_convert_ber reads BER data from |in| and writes DER data to |out|. If
+// |string_tag| is non-zero, then all elements must match |string_tag| up to the
+// constructed bit and primitive element bodies are written to |out| without
+// element headers. This is used when concatenating the fragments of a
+// constructed string. If |looking_for_eoc| is set then any EOC elements found
+// will cause the function to return after consuming it. It returns one on
+// success and zero on error.
static int cbs_convert_ber(CBS *in, CBB *out, unsigned string_tag,
char looking_for_eoc, unsigned depth) {
assert(!(string_tag & CBS_ASN1_CONSTRUCTED));
@@ -134,9 +134,9 @@
}
if (string_tag != 0) {
- /* This is part of a constructed string. All elements must match
- * |string_tag| up to the constructed bit and get appended to |out|
- * without a child element. */
+ // This is part of a constructed string. All elements must match
+ // |string_tag| up to the constructed bit and get appended to |out|
+ // without a child element.
if ((tag & ~CBS_ASN1_CONSTRUCTED) != string_tag) {
return 0;
}
@@ -144,8 +144,8 @@
} else {
unsigned out_tag = tag;
if ((tag & CBS_ASN1_CONSTRUCTED) && is_string_type(tag)) {
- /* If a constructed string, clear the constructed bit and inform
- * children to concatenate bodies. */
+ // If a constructed string, clear the constructed bit and inform
+ // children to concatenate bodies.
out_tag &= ~CBS_ASN1_CONSTRUCTED;
child_string_tag = out_tag;
}
@@ -157,7 +157,7 @@
if (CBS_len(&contents) == header_len && header_len > 0 &&
CBS_data(&contents)[header_len - 1] == 0x80) {
- /* This is an indefinite length element. */
+ // This is an indefinite length element.
if (!cbs_convert_ber(in, out_contents, child_string_tag,
1 /* looking for eoc */, depth + 1) ||
!CBB_flush(out)) {
@@ -171,13 +171,13 @@
}
if (tag & CBS_ASN1_CONSTRUCTED) {
- /* Recurse into children. */
+ // Recurse into children.
if (!cbs_convert_ber(&contents, out_contents, child_string_tag,
0 /* not looking for eoc */, depth + 1)) {
return 0;
}
} else {
- /* Copy primitive contents as-is. */
+ // Copy primitive contents as-is.
if (!CBB_add_bytes(out_contents, CBS_data(&contents),
CBS_len(&contents))) {
return 0;
@@ -195,8 +195,8 @@
int CBS_asn1_ber_to_der(CBS *in, uint8_t **out, size_t *out_len) {
CBB cbb;
- /* First, do a quick walk to find any indefinite-length elements. Most of the
- * time we hope that there aren't any and thus we can quickly return. */
+ // First, do a quick walk to find any indefinite-length elements. Most of the
+ // time we hope that there aren't any and thus we can quickly return.
char conversion_needed;
if (!cbs_find_ber(in, &conversion_needed, 0)) {
return 0;
@@ -225,14 +225,14 @@
assert(is_string_type(inner_tag));
if (CBS_peek_asn1_tag(in, outer_tag)) {
- /* Normal implicitly-tagged string. */
+ // Normal implicitly-tagged string.
*out_storage = NULL;
return CBS_get_asn1(in, out, outer_tag);
}
- /* Otherwise, try to parse an implicitly-tagged constructed string.
- * |CBS_asn1_ber_to_der| is assumed to have run, so only allow one level deep
- * of nesting. */
+ // Otherwise, try to parse an implicitly-tagged constructed string.
+ // |CBS_asn1_ber_to_der| is assumed to have run, so only allow one level deep
+ // of nesting.
CBB result;
CBS child;
if (!CBB_init(&result, CBS_len(in)) ||
diff --git a/crypto/bytestring/cbb.c b/crypto/bytestring/cbb.c
index 14116be..5576fa9 100644
--- a/crypto/bytestring/cbb.c
+++ b/crypto/bytestring/cbb.c
@@ -27,7 +27,7 @@
}
static int cbb_init(CBB *cbb, uint8_t *buf, size_t cap) {
- /* This assumes that |cbb| has already been zeroed. */
+ // This assumes that |cbb| has already been zeroed.
struct cbb_buffer_st *base;
base = OPENSSL_malloc(sizeof(struct cbb_buffer_st));
@@ -75,8 +75,8 @@
void CBB_cleanup(CBB *cbb) {
if (cbb->base) {
- /* Only top-level |CBB|s are cleaned up. Child |CBB|s are non-owning. They
- * are implicitly discarded when the parent is flushed or cleaned up. */
+ // Only top-level |CBB|s are cleaned up. Child |CBB|s are non-owning. They
+ // are implicitly discarded when the parent is flushed or cleaned up.
assert(cbb->is_top_level);
if (cbb->base->can_resize) {
@@ -97,7 +97,7 @@
newlen = base->len + len;
if (newlen < base->len) {
- /* Overflow */
+ // Overflow
goto err;
}
@@ -137,7 +137,7 @@
if (!cbb_buffer_reserve(base, out, len)) {
return 0;
}
- /* This will not overflow or |cbb_buffer_reserve| would have failed. */
+ // This will not overflow or |cbb_buffer_reserve| would have failed.
base->len += len;
return 1;
}
@@ -176,7 +176,7 @@
}
if (cbb->base->can_resize && (out_data == NULL || out_len == NULL)) {
- /* |out_data| and |out_len| can only be NULL if the CBB is fixed. */
+ // |out_data| and |out_len| can only be NULL if the CBB is fixed.
return 0;
}
@@ -191,15 +191,15 @@
return 1;
}
-/* CBB_flush recurses and then writes out any pending length prefix. The
- * current length of the underlying base is taken to be the length of the
- * length-prefixed data. */
+// CBB_flush recurses and then writes out any pending length prefix. The
+// current length of the underlying base is taken to be the length of the
+// length-prefixed data.
int CBB_flush(CBB *cbb) {
size_t child_start, i, len;
- /* If |cbb->base| has hit an error, the buffer is in an undefined state, so
- * fail all following calls. In particular, |cbb->child| may point to invalid
- * memory. */
+ // If |cbb->base| has hit an error, the buffer is in an undefined state, so
+ // fail all following calls. In particular, |cbb->child| may point to invalid
+ // memory.
if (cbb->base == NULL || cbb->base->error) {
return 0;
}
@@ -219,16 +219,16 @@
len = cbb->base->len - child_start;
if (cbb->child->pending_is_asn1) {
- /* For ASN.1 we assume that we'll only need a single byte for the length.
- * If that turned out to be incorrect, we have to move the contents along
- * in order to make space. */
+ // For ASN.1 we assume that we'll only need a single byte for the length.
+ // If that turned out to be incorrect, we have to move the contents along
+ // in order to make space.
uint8_t len_len;
uint8_t initial_length_byte;
assert (cbb->child->pending_len_len == 1);
if (len > 0xfffffffe) {
- /* Too large. */
+ // Too large.
goto err;
} else if (len > 0xffffff) {
len_len = 5;
@@ -249,7 +249,7 @@
}
if (len_len != 1) {
- /* We need to move the contents along in order to make space. */
+ // We need to move the contents along in order to make space.
size_t extra_bytes = len_len - 1;
if (!cbb_buffer_add(cbb->base, NULL, extra_bytes)) {
goto err;
@@ -331,14 +331,14 @@
int CBB_add_asn1(CBB *cbb, CBB *out_contents, unsigned tag) {
if (tag > 0xff ||
(tag & 0x1f) == 0x1f) {
- /* Long form identifier octets are not supported. Further, all current valid
- * tag serializations are 8 bits. */
+ // Long form identifier octets are not supported. Further, all current valid
+ // tag serializations are 8 bits.
cbb->base->error = 1;
return 0;
}
if (!CBB_flush(cbb) ||
- /* |tag|'s representation matches the DER encoding. */
+ // |tag|'s representation matches the DER encoding.
!CBB_add_u8(cbb, (uint8_t)tag)) {
return 0;
}
@@ -451,11 +451,11 @@
uint8_t byte = (value >> 8*(7-i)) & 0xff;
if (!started) {
if (byte == 0) {
- /* Don't encode leading zeros. */
+ // Don't encode leading zeros.
continue;
}
- /* If the high bit is set, add a padding byte to make it
- * unsigned. */
+ // If the high bit is set, add a padding byte to make it
+ // unsigned.
if ((byte & 0x80) && !CBB_add_u8(&child, 0)) {
return 0;
}
@@ -466,7 +466,7 @@
}
}
- /* 0 is encoded as a single 0, not the empty string. */
+ // 0 is encoded as a single 0, not the empty string.
if (!started && !CBB_add_u8(&child, 0)) {
return 0;
}
diff --git a/crypto/bytestring/cbs.c b/crypto/bytestring/cbs.c
index 8328b7f..ec495d2 100644
--- a/crypto/bytestring/cbs.c
+++ b/crypto/bytestring/cbs.c
@@ -190,13 +190,13 @@
return 0;
}
- /* ITU-T X.690 section 8.1.2.3 specifies the format for identifiers with a tag
- * number no greater than 30.
- *
- * If the number portion is 31 (0x1f, the largest value that fits in the
- * allotted bits), then the tag is more than one byte long and the
- * continuation bytes contain the tag number. This parser only supports tag
- * numbers less than 31 (and thus single-byte tags). */
+ // ITU-T X.690 section 8.1.2.3 specifies the format for identifiers with a tag
+ // number no greater than 30.
+ //
+ // If the number portion is 31 (0x1f, the largest value that fits in the
+ // allotted bits), then the tag is more than one byte long and the
+ // continuation bytes contain the tag number. This parser only supports tag
+ // numbers less than 31 (and thus single-byte tags).
if ((tag & 0x1f) == 0x1f) {
return 0;
}
@@ -206,52 +206,51 @@
}
size_t len;
- /* The format for the length encoding is specified in ITU-T X.690 section
- * 8.1.3. */
+ // The format for the length encoding is specified in ITU-T X.690 section
+ // 8.1.3.
if ((length_byte & 0x80) == 0) {
- /* Short form length. */
+ // Short form length.
len = ((size_t) length_byte) + 2;
if (out_header_len != NULL) {
*out_header_len = 2;
}
} else {
- /* The high bit indicate that this is the long form, while the next 7 bits
- * encode the number of subsequent octets used to encode the length (ITU-T
- * X.690 clause 8.1.3.5.b). */
+ // The high bit indicate that this is the long form, while the next 7 bits
+ // encode the number of subsequent octets used to encode the length (ITU-T
+ // X.690 clause 8.1.3.5.b).
const size_t num_bytes = length_byte & 0x7f;
uint32_t len32;
if (ber_ok && (tag & CBS_ASN1_CONSTRUCTED) != 0 && num_bytes == 0) {
- /* indefinite length */
+ // indefinite length
if (out_header_len != NULL) {
*out_header_len = 2;
}
return CBS_get_bytes(cbs, out, 2);
}
- /* ITU-T X.690 clause 8.1.3.5.c specifies that the value 0xff shall not be
- * used as the first byte of the length. If this parser encounters that
- * value, num_bytes will be parsed as 127, which will fail the check below.
- */
+ // ITU-T X.690 clause 8.1.3.5.c specifies that the value 0xff shall not be
+ // used as the first byte of the length. If this parser encounters that
+ // value, num_bytes will be parsed as 127, which will fail the check below.
if (num_bytes == 0 || num_bytes > 4) {
return 0;
}
if (!cbs_get_u(&header, &len32, num_bytes)) {
return 0;
}
- /* ITU-T X.690 section 10.1 (DER length forms) requires encoding the length
- * with the minimum number of octets. */
+ // ITU-T X.690 section 10.1 (DER length forms) requires encoding the length
+ // with the minimum number of octets.
if (len32 < 128) {
- /* Length should have used short-form encoding. */
+ // Length should have used short-form encoding.
return 0;
}
if ((len32 >> ((num_bytes-1)*8)) == 0) {
- /* Length should have been at least one byte shorter. */
+ // Length should have been at least one byte shorter.
return 0;
}
len = len32;
if (len + 2 + num_bytes < len) {
- /* Overflow. */
+ // Overflow.
return 0;
}
len += 2 + num_bytes;
@@ -338,23 +337,23 @@
size_t len = CBS_len(&bytes);
if (len == 0) {
- /* An INTEGER is encoded with at least one octet. */
+ // An INTEGER is encoded with at least one octet.
return 0;
}
if ((data[0] & 0x80) != 0) {
- /* Negative number. */
+ // Negative number.
return 0;
}
if (data[0] == 0 && len > 1 && (data[1] & 0x80) == 0) {
- /* Extra leading zeros. */
+ // Extra leading zeros.
return 0;
}
for (size_t i = 0; i < len; i++) {
if ((*out >> 56) != 0) {
- /* Too large to represent as a uint64_t. */
+ // Too large to represent as a uint64_t.
return 0;
}
*out <<= 8;
@@ -462,7 +461,7 @@
return 1;
}
- /* All num_unused_bits bits must exist and be zeros. */
+ // All num_unused_bits bits must exist and be zeros.
uint8_t last;
if (!CBS_get_last_u8(&in, &last) ||
(last & ((1 << num_unused_bits) - 1)) != 0) {
@@ -480,9 +479,9 @@
const unsigned byte_num = (bit >> 3) + 1;
const unsigned bit_num = 7 - (bit & 7);
- /* Unused bits are zero, and this function does not distinguish between
- * missing and unset bits. Thus it is sufficient to do a byte-level length
- * check. */
+ // Unused bits are zero, and this function does not distinguish between
+ // missing and unset bits. Thus it is sufficient to do a byte-level length
+ // check.
return byte_num < CBS_len(cbs) &&
(CBS_data(cbs)[byte_num] & (1 << bit_num)) != 0;
}
diff --git a/crypto/bytestring/internal.h b/crypto/bytestring/internal.h
index 2fed413..f6ac32c 100644
--- a/crypto/bytestring/internal.h
+++ b/crypto/bytestring/internal.h
@@ -22,54 +22,54 @@
#endif
-/* CBS_asn1_ber_to_der reads a BER element from |in|. If it finds
- * indefinite-length elements or constructed strings then it converts the BER
- * data to DER and sets |*out| and |*out_length| to describe a malloced buffer
- * containing the DER data. Additionally, |*in| will be advanced over the BER
- * element.
- *
- * If it doesn't find any indefinite-length elements or constructed strings then
- * it sets |*out| to NULL and |*in| is unmodified.
- *
- * This function should successfully process any valid BER input, however it
- * will not convert all of BER's deviations from DER. BER is ambiguous between
- * implicitly-tagged SEQUENCEs of strings and implicitly-tagged constructed
- * strings. Implicitly-tagged strings must be parsed with
- * |CBS_get_ber_implicitly_tagged_string| instead of |CBS_get_asn1|. The caller
- * must also account for BER variations in the contents of a primitive.
- *
- * It returns one on success and zero otherwise. */
+// CBS_asn1_ber_to_der reads a BER element from |in|. If it finds
+// indefinite-length elements or constructed strings then it converts the BER
+// data to DER and sets |*out| and |*out_length| to describe a malloced buffer
+// containing the DER data. Additionally, |*in| will be advanced over the BER
+// element.
+//
+// If it doesn't find any indefinite-length elements or constructed strings then
+// it sets |*out| to NULL and |*in| is unmodified.
+//
+// This function should successfully process any valid BER input, however it
+// will not convert all of BER's deviations from DER. BER is ambiguous between
+// implicitly-tagged SEQUENCEs of strings and implicitly-tagged constructed
+// strings. Implicitly-tagged strings must be parsed with
+// |CBS_get_ber_implicitly_tagged_string| instead of |CBS_get_asn1|. The caller
+// must also account for BER variations in the contents of a primitive.
+//
+// It returns one on success and zero otherwise.
OPENSSL_EXPORT int CBS_asn1_ber_to_der(CBS *in, uint8_t **out, size_t *out_len);
-/* CBS_get_asn1_implicit_string parses a BER string of primitive type
- * |inner_tag| implicitly-tagged with |outer_tag|. It sets |out| to the
- * contents. If concatenation was needed, it sets |*out_storage| to a buffer
- * which the caller must release with |OPENSSL_free|. Otherwise, it sets
- * |*out_storage| to NULL.
- *
- * This function does not parse all of BER. It requires the string be
- * definite-length. Constructed strings are allowed, but all children of the
- * outermost element must be primitive. The caller should use
- * |CBS_asn1_ber_to_der| before running this function.
- *
- * It returns one on success and zero otherwise. */
+// CBS_get_asn1_implicit_string parses a BER string of primitive type
+// |inner_tag| implicitly-tagged with |outer_tag|. It sets |out| to the
+// contents. If concatenation was needed, it sets |*out_storage| to a buffer
+// which the caller must release with |OPENSSL_free|. Otherwise, it sets
+// |*out_storage| to NULL.
+//
+// This function does not parse all of BER. It requires the string be
+// definite-length. Constructed strings are allowed, but all children of the
+// outermost element must be primitive. The caller should use
+// |CBS_asn1_ber_to_der| before running this function.
+//
+// It returns one on success and zero otherwise.
OPENSSL_EXPORT int CBS_get_asn1_implicit_string(CBS *in, CBS *out,
uint8_t **out_storage,
unsigned outer_tag,
unsigned inner_tag);
-/* CBB_finish_i2d calls |CBB_finish| on |cbb| which must have been initialized
- * with |CBB_init|. If |outp| is not NULL then the result is written to |*outp|
- * and |*outp| is advanced just past the output. It returns the number of bytes
- * in the result, whether written or not, or a negative value on error. On
- * error, it calls |CBB_cleanup| on |cbb|.
- *
- * This function may be used to help implement legacy i2d ASN.1 functions. */
+// CBB_finish_i2d calls |CBB_finish| on |cbb| which must have been initialized
+// with |CBB_init|. If |outp| is not NULL then the result is written to |*outp|
+// and |*outp| is advanced just past the output. It returns the number of bytes
+// in the result, whether written or not, or a negative value on error. On
+// error, it calls |CBB_cleanup| on |cbb|.
+//
+// This function may be used to help implement legacy i2d ASN.1 functions.
int CBB_finish_i2d(CBB *cbb, uint8_t **outp);
#if defined(__cplusplus)
-} /* extern C */
+} // extern C
#endif
-#endif /* OPENSSL_HEADER_BYTESTRING_INTERNAL_H */
+#endif // OPENSSL_HEADER_BYTESTRING_INTERNAL_H
diff --git a/crypto/chacha/chacha.c b/crypto/chacha/chacha.c
index fe32596..646ef7a 100644
--- a/crypto/chacha/chacha.c
+++ b/crypto/chacha/chacha.c
@@ -12,7 +12,7 @@
* OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN
* CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. */
-/* Adapted from the public domain, estream code by D. Bernstein. */
+// Adapted from the public domain, estream code by D. Bernstein.
#include <openssl/chacha.h>
@@ -32,7 +32,7 @@
(defined(OPENSSL_X86) || defined(OPENSSL_X86_64) || \
defined(OPENSSL_ARM) || defined(OPENSSL_AARCH64))
-/* ChaCha20_ctr32 is defined in asm/chacha-*.pl. */
+// ChaCha20_ctr32 is defined in asm/chacha-*.pl.
void ChaCha20_ctr32(uint8_t *out, const uint8_t *in, size_t in_len,
const uint32_t key[8], const uint32_t counter[4]);
@@ -48,7 +48,7 @@
const uint32_t *key_ptr = (const uint32_t *)key;
#if !defined(OPENSSL_X86) && !defined(OPENSSL_X86_64)
- /* The assembly expects the key to be four-byte aligned. */
+ // The assembly expects the key to be four-byte aligned.
uint32_t key_u32[8];
if ((((uintptr_t)key) & 3) != 0) {
key_u32[0] = U8TO32_LITTLE(key + 0);
@@ -69,7 +69,7 @@
#else
-/* sigma contains the ChaCha constants, which happen to be an ASCII string. */
+// sigma contains the ChaCha constants, which happen to be an ASCII string.
static const uint8_t sigma[16] = { 'e', 'x', 'p', 'a', 'n', 'd', ' ', '3',
'2', '-', 'b', 'y', 't', 'e', ' ', 'k' };
@@ -83,15 +83,15 @@
(p)[3] = (v >> 24) & 0xff; \
}
-/* QUARTERROUND updates a, b, c, d with a ChaCha "quarter" round. */
+// QUARTERROUND updates a, b, c, d with a ChaCha "quarter" round.
#define QUARTERROUND(a, b, c, d) \
x[a] += x[b]; x[d] = ROTATE(x[d] ^ x[a], 16); \
x[c] += x[d]; x[b] = ROTATE(x[b] ^ x[c], 12); \
x[a] += x[b]; x[d] = ROTATE(x[d] ^ x[a], 8); \
x[c] += x[d]; x[b] = ROTATE(x[b] ^ x[c], 7);
-/* chacha_core performs 20 rounds of ChaCha on the input words in
- * |input| and writes the 64 output bytes to |output|. */
+// chacha_core performs 20 rounds of ChaCha on the input words in
+// |input| and writes the 64 output bytes to |output|.
static void chacha_core(uint8_t output[64], const uint32_t input[16]) {
uint32_t x[16];
int i;
diff --git a/crypto/cipher_extra/aead_test.cc b/crypto/cipher_extra/aead_test.cc
index a699890..a40d673 100644
--- a/crypto/cipher_extra/aead_test.cc
+++ b/crypto/cipher_extra/aead_test.cc
@@ -393,14 +393,14 @@
9999 /* a silly tag length to trigger an error */, NULL /* ENGINE */));
ERR_clear_error();
- /* Running a second, failed _init should not cause a memory leak. */
+ // Running a second, failed _init should not cause a memory leak.
ASSERT_FALSE(EVP_AEAD_CTX_init(
&ctx, aead(), key, key_len,
9999 /* a silly tag length to trigger an error */, NULL /* ENGINE */));
ERR_clear_error();
- /* Calling _cleanup on an |EVP_AEAD_CTX| after a failed _init should be a
- * no-op. */
+ // Calling _cleanup on an |EVP_AEAD_CTX| after a failed _init should be a
+ // no-op.
EVP_AEAD_CTX_cleanup(&ctx);
}
diff --git a/crypto/cipher_extra/e_aesctrhmac.c b/crypto/cipher_extra/e_aesctrhmac.c
index 3034b8f..9c357f4 100644
--- a/crypto/cipher_extra/e_aesctrhmac.c
+++ b/crypto/cipher_extra/e_aesctrhmac.c
@@ -66,13 +66,13 @@
if (key_len < hmac_key_len) {
OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_BAD_KEY_LENGTH);
- return 0; /* EVP_AEAD_CTX_init should catch this. */
+ return 0; // EVP_AEAD_CTX_init should catch this.
}
const size_t aes_key_len = key_len - hmac_key_len;
if (aes_key_len != 16 && aes_key_len != 32) {
OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_BAD_KEY_LENGTH);
- return 0; /* EVP_AEAD_CTX_init should catch this. */
+ return 0; // EVP_AEAD_CTX_init should catch this.
}
if (tag_len == EVP_AEAD_DEFAULT_TAG_LENGTH) {
@@ -131,7 +131,7 @@
SHA256_Update(&sha256, nonce, EVP_AEAD_AES_CTR_HMAC_SHA256_NONCE_LEN);
SHA256_Update(&sha256, ad, ad_len);
- /* Pad with zeros to the end of the SHA-256 block. */
+ // Pad with zeros to the end of the SHA-256 block.
const unsigned num_padding =
(SHA256_CBLOCK - ((sizeof(uint64_t)*2 +
EVP_AEAD_AES_CTR_HMAC_SHA256_NONCE_LEN + ad_len) %
@@ -154,8 +154,8 @@
static void aead_aes_ctr_hmac_sha256_crypt(
const struct aead_aes_ctr_hmac_sha256_ctx *aes_ctx, uint8_t *out,
const uint8_t *in, size_t len, const uint8_t *nonce) {
- /* Since the AEAD operation is one-shot, keeping a buffer of unused keystream
- * bytes is pointless. However, |CRYPTO_ctr128_encrypt| requires it. */
+ // Since the AEAD operation is one-shot, keeping a buffer of unused keystream
+ // bytes is pointless. However, |CRYPTO_ctr128_encrypt| requires it.
uint8_t partial_block_buffer[AES_BLOCK_SIZE];
unsigned partial_block_offset = 0;
OPENSSL_memset(partial_block_buffer, 0, sizeof(partial_block_buffer));
@@ -184,7 +184,7 @@
const uint64_t in_len_64 = in_len;
if (in_len_64 >= (UINT64_C(1) << 32) * AES_BLOCK_SIZE) {
- /* This input is so large it would overflow the 32-bit block counter. */
+ // This input is so large it would overflow the 32-bit block counter.
OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_TOO_LARGE);
return 0;
}
@@ -242,10 +242,10 @@
static const EVP_AEAD aead_aes_128_ctr_hmac_sha256 = {
16 /* AES key */ + 32 /* HMAC key */,
- 12, /* nonce length */
- EVP_AEAD_AES_CTR_HMAC_SHA256_TAG_LEN, /* overhead */
- EVP_AEAD_AES_CTR_HMAC_SHA256_TAG_LEN, /* max tag length */
- 0, /* seal_scatter_supports_extra_in */
+ 12, // nonce length
+ EVP_AEAD_AES_CTR_HMAC_SHA256_TAG_LEN, // overhead
+ EVP_AEAD_AES_CTR_HMAC_SHA256_TAG_LEN, // max tag length
+ 0, // seal_scatter_supports_extra_in
aead_aes_ctr_hmac_sha256_init,
NULL /* init_with_direction */,
@@ -259,10 +259,10 @@
static const EVP_AEAD aead_aes_256_ctr_hmac_sha256 = {
32 /* AES key */ + 32 /* HMAC key */,
- 12, /* nonce length */
- EVP_AEAD_AES_CTR_HMAC_SHA256_TAG_LEN, /* overhead */
- EVP_AEAD_AES_CTR_HMAC_SHA256_TAG_LEN, /* max tag length */
- 0, /* seal_scatter_supports_extra_in */
+ 12, // nonce length
+ EVP_AEAD_AES_CTR_HMAC_SHA256_TAG_LEN, // overhead
+ EVP_AEAD_AES_CTR_HMAC_SHA256_TAG_LEN, // max tag length
+ 0, // seal_scatter_supports_extra_in
aead_aes_ctr_hmac_sha256_init,
NULL /* init_with_direction */,
diff --git a/crypto/cipher_extra/e_aesgcmsiv.c b/crypto/cipher_extra/e_aesgcmsiv.c
index 6adcf17..8c6589d 100644
--- a/crypto/cipher_extra/e_aesgcmsiv.c
+++ b/crypto/cipher_extra/e_aesgcmsiv.c
@@ -29,20 +29,20 @@
#if defined(OPENSSL_X86_64) && !defined(OPENSSL_NO_ASM)
-/* Optimised AES-GCM-SIV */
+// Optimised AES-GCM-SIV
struct aead_aes_gcm_siv_asm_ctx {
alignas(16) uint8_t key[16*15];
int is_128_bit;
};
-/* aes128gcmsiv_aes_ks writes an AES-128 key schedule for |key| to
- * |out_expanded_key|. */
+// aes128gcmsiv_aes_ks writes an AES-128 key schedule for |key| to
+// |out_expanded_key|.
extern void aes128gcmsiv_aes_ks(
const uint8_t key[16], uint8_t out_expanded_key[16*15]);
-/* aes128gcmsiv_aes_ks writes an AES-128 key schedule for |key| to
- * |out_expanded_key|. */
+// aes128gcmsiv_aes_ks writes an AES-128 key schedule for |key| to
+// |out_expanded_key|.
extern void aes256gcmsiv_aes_ks(
const uint8_t key[16], uint8_t out_expanded_key[16*15]);
@@ -52,7 +52,7 @@
if (key_bits != 128 && key_bits != 256) {
OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_BAD_KEY_LENGTH);
- return 0; /* EVP_AEAD_CTX_init should catch this. */
+ return 0; // EVP_AEAD_CTX_init should catch this.
}
if (tag_len == EVP_AEAD_DEFAULT_TAG_LENGTH) {
@@ -70,7 +70,7 @@
return 0;
}
- /* malloc should return a 16-byte-aligned address. */
+ // malloc should return a 16-byte-aligned address.
assert((((uintptr_t)gcm_siv_ctx) & 15) == 0);
if (key_bits == 128) {
@@ -92,123 +92,123 @@
OPENSSL_free(gcm_siv_asm_ctx);
}
-/* aesgcmsiv_polyval_horner updates the POLYVAL value in |in_out_poly| to
- * include a number (|in_blocks|) of 16-byte blocks of data from |in|, given
- * the POLYVAL key in |key|. */
+// aesgcmsiv_polyval_horner updates the POLYVAL value in |in_out_poly| to
+// include a number (|in_blocks|) of 16-byte blocks of data from |in|, given
+// the POLYVAL key in |key|.
extern void aesgcmsiv_polyval_horner(const uint8_t in_out_poly[16],
const uint8_t key[16], const uint8_t *in,
size_t in_blocks);
-/* aesgcmsiv_htable_init writes powers 1..8 of |auth_key| to |out_htable|. */
+// aesgcmsiv_htable_init writes powers 1..8 of |auth_key| to |out_htable|.
extern void aesgcmsiv_htable_init(uint8_t out_htable[16 * 8],
const uint8_t auth_key[16]);
-/* aesgcmsiv_htable6_init writes powers 1..6 of |auth_key| to |out_htable|. */
+// aesgcmsiv_htable6_init writes powers 1..6 of |auth_key| to |out_htable|.
extern void aesgcmsiv_htable6_init(uint8_t out_htable[16 * 6],
const uint8_t auth_key[16]);
-/* aesgcmsiv_htable_polyval updates the POLYVAL value in |in_out_poly| to
- * include |in_len| bytes of data from |in|. (Where |in_len| must be a multiple
- * of 16.) It uses the precomputed powers of the key given in |htable|. */
+// aesgcmsiv_htable_polyval updates the POLYVAL value in |in_out_poly| to
+// include |in_len| bytes of data from |in|. (Where |in_len| must be a multiple
+// of 16.) It uses the precomputed powers of the key given in |htable|.
extern void aesgcmsiv_htable_polyval(const uint8_t htable[16 * 8],
const uint8_t *in, size_t in_len,
uint8_t in_out_poly[16]);
-/* aes128gcmsiv_dec decrypts |in_len| & ~15 bytes from |out| and writes them to
- * |in|. (The full value of |in_len| is still used to find the authentication
- * tag appended to the ciphertext, however, so must not be pre-masked.)
- *
- * |in| and |out| may be equal, but must not otherwise overlap.
- *
- * While decrypting, it updates the POLYVAL value found at the beginning of
- * |in_out_calculated_tag_and_scratch| and writes the updated value back before
- * return. During executation, it may use the whole of this space for other
- * purposes. In order to decrypt and update the POLYVAL value, it uses the
- * expanded key from |key| and the table of powers in |htable|. */
+// aes128gcmsiv_dec decrypts |in_len| & ~15 bytes from |out| and writes them to
+// |in|. (The full value of |in_len| is still used to find the authentication
+// tag appended to the ciphertext, however, so must not be pre-masked.)
+//
+// |in| and |out| may be equal, but must not otherwise overlap.
+//
+// While decrypting, it updates the POLYVAL value found at the beginning of
+// |in_out_calculated_tag_and_scratch| and writes the updated value back before
+// return. During executation, it may use the whole of this space for other
+// purposes. In order to decrypt and update the POLYVAL value, it uses the
+// expanded key from |key| and the table of powers in |htable|.
extern void aes128gcmsiv_dec(const uint8_t *in, uint8_t *out,
uint8_t in_out_calculated_tag_and_scratch[16 * 8],
const uint8_t htable[16 * 6],
const struct aead_aes_gcm_siv_asm_ctx *key,
size_t in_len);
-/* aes256gcmsiv_dec acts like |aes128gcmsiv_dec|, but for AES-256. */
+// aes256gcmsiv_dec acts like |aes128gcmsiv_dec|, but for AES-256.
extern void aes256gcmsiv_dec(const uint8_t *in, uint8_t *out,
uint8_t in_out_calculated_tag_and_scratch[16 * 8],
const uint8_t htable[16 * 6],
const struct aead_aes_gcm_siv_asm_ctx *key,
size_t in_len);
-/* aes128gcmsiv_kdf performs the AES-GCM-SIV KDF given the expanded key from
- * |key_schedule| and the nonce in |nonce|. Note that, while only 12 bytes of
- * the nonce are used, 16 bytes are read and so the value must be
- * right-padded. */
+// aes128gcmsiv_kdf performs the AES-GCM-SIV KDF given the expanded key from
+// |key_schedule| and the nonce in |nonce|. Note that, while only 12 bytes of
+// the nonce are used, 16 bytes are read and so the value must be
+// right-padded.
extern void aes128gcmsiv_kdf(const uint8_t nonce[16],
uint64_t out_key_material[8],
const uint8_t *key_schedule);
-/* aes256gcmsiv_kdf acts like |aes128gcmsiv_kdf|, but for AES-256. */
+// aes256gcmsiv_kdf acts like |aes128gcmsiv_kdf|, but for AES-256.
extern void aes256gcmsiv_kdf(const uint8_t nonce[16],
uint64_t out_key_material[12],
const uint8_t *key_schedule);
-/* aes128gcmsiv_aes_ks_enc_x1 performs a key expansion of the AES-128 key in
- * |key|, writes the expanded key to |out_expanded_key| and encrypts a single
- * block from |in| to |out|. */
+// aes128gcmsiv_aes_ks_enc_x1 performs a key expansion of the AES-128 key in
+// |key|, writes the expanded key to |out_expanded_key| and encrypts a single
+// block from |in| to |out|.
extern void aes128gcmsiv_aes_ks_enc_x1(const uint8_t in[16], uint8_t out[16],
uint8_t out_expanded_key[16 * 15],
const uint64_t key[2]);
-/* aes256gcmsiv_aes_ks_enc_x1 acts like |aes128gcmsiv_aes_ks_enc_x1|, but for
- * AES-256. */
+// aes256gcmsiv_aes_ks_enc_x1 acts like |aes128gcmsiv_aes_ks_enc_x1|, but for
+// AES-256.
extern void aes256gcmsiv_aes_ks_enc_x1(const uint8_t in[16], uint8_t out[16],
uint8_t out_expanded_key[16 * 15],
const uint64_t key[4]);
-/* aes128gcmsiv_ecb_enc_block encrypts a single block from |in| to |out| using
- * the expanded key in |expanded_key|. */
+// aes128gcmsiv_ecb_enc_block encrypts a single block from |in| to |out| using
+// the expanded key in |expanded_key|.
extern void aes128gcmsiv_ecb_enc_block(
const uint8_t in[16], uint8_t out[16],
const struct aead_aes_gcm_siv_asm_ctx *expanded_key);
-/* aes256gcmsiv_ecb_enc_block acts like |aes128gcmsiv_ecb_enc_block|, but for
- * AES-256. */
+// aes256gcmsiv_ecb_enc_block acts like |aes128gcmsiv_ecb_enc_block|, but for
+// AES-256.
extern void aes256gcmsiv_ecb_enc_block(
const uint8_t in[16], uint8_t out[16],
const struct aead_aes_gcm_siv_asm_ctx *expanded_key);
-/* aes128gcmsiv_enc_msg_x4 encrypts |in_len| bytes from |in| to |out| using the
- * expanded key from |key|. (The value of |in_len| must be a multiple of 16.)
- * The |in| and |out| buffers may be equal but must not otherwise overlap. The
- * initial counter is constructed from the given |tag| as required by
- * AES-GCM-SIV. */
+// aes128gcmsiv_enc_msg_x4 encrypts |in_len| bytes from |in| to |out| using the
+// expanded key from |key|. (The value of |in_len| must be a multiple of 16.)
+// The |in| and |out| buffers may be equal but must not otherwise overlap. The
+// initial counter is constructed from the given |tag| as required by
+// AES-GCM-SIV.
extern void aes128gcmsiv_enc_msg_x4(const uint8_t *in, uint8_t *out,
const uint8_t *tag,
const struct aead_aes_gcm_siv_asm_ctx *key,
size_t in_len);
-/* aes256gcmsiv_enc_msg_x4 acts like |aes128gcmsiv_enc_msg_x4|, but for
- * AES-256. */
+// aes256gcmsiv_enc_msg_x4 acts like |aes128gcmsiv_enc_msg_x4|, but for
+// AES-256.
extern void aes256gcmsiv_enc_msg_x4(const uint8_t *in, uint8_t *out,
const uint8_t *tag,
const struct aead_aes_gcm_siv_asm_ctx *key,
size_t in_len);
-/* aes128gcmsiv_enc_msg_x8 acts like |aes128gcmsiv_enc_msg_x4|, but is
- * optimised for longer messages. */
+// aes128gcmsiv_enc_msg_x8 acts like |aes128gcmsiv_enc_msg_x4|, but is
+// optimised for longer messages.
extern void aes128gcmsiv_enc_msg_x8(const uint8_t *in, uint8_t *out,
const uint8_t *tag,
const struct aead_aes_gcm_siv_asm_ctx *key,
size_t in_len);
-/* aes256gcmsiv_enc_msg_x8 acts like |aes256gcmsiv_enc_msg_x4|, but is
- * optimised for longer messages. */
+// aes256gcmsiv_enc_msg_x8 acts like |aes256gcmsiv_enc_msg_x4|, but is
+// optimised for longer messages.
extern void aes256gcmsiv_enc_msg_x8(const uint8_t *in, uint8_t *out,
const uint8_t *tag,
const struct aead_aes_gcm_siv_asm_ctx *key,
size_t in_len);
-/* gcm_siv_asm_polyval evaluates POLYVAL at |auth_key| on the given plaintext
- * and AD. The result is written to |out_tag|. */
+// gcm_siv_asm_polyval evaluates POLYVAL at |auth_key| on the given plaintext
+// and AD. The result is written to |out_tag|.
static void gcm_siv_asm_polyval(uint8_t out_tag[16], const uint8_t *in,
size_t in_len, const uint8_t *ad, size_t ad_len,
const uint8_t auth_key[16],
@@ -268,10 +268,10 @@
out_tag[15] &= 0x7f;
}
-/* aead_aes_gcm_siv_asm_crypt_last_block handles the encryption/decryption
- * (same thing in CTR mode) of the final block of a plaintext/ciphertext. It
- * writes |in_len| & 15 bytes to |out| + |in_len|, based on an initial counter
- * derived from |tag|. */
+// aead_aes_gcm_siv_asm_crypt_last_block handles the encryption/decryption
+// (same thing in CTR mode) of the final block of a plaintext/ciphertext. It
+// writes |in_len| & 15 bytes to |out| + |in_len|, based on an initial counter
+// derived from |tag|.
static void aead_aes_gcm_siv_asm_crypt_last_block(
int is_128_bit, uint8_t *out, const uint8_t *in, size_t in_len,
const uint8_t tag[16],
@@ -299,8 +299,8 @@
}
}
-/* aead_aes_gcm_siv_kdf calculates the record encryption and authentication
- * keys given the |nonce|. */
+// aead_aes_gcm_siv_kdf calculates the record encryption and authentication
+// keys given the |nonce|.
static void aead_aes_gcm_siv_kdf(
int is_128_bit, const struct aead_aes_gcm_siv_asm_ctx *gcm_siv_ctx,
uint64_t out_record_auth_key[2], uint64_t out_record_enc_key[4],
@@ -433,8 +433,8 @@
} else {
aes256gcmsiv_aes_ks((const uint8_t *) record_enc_key, &expanded_key.key[0]);
}
- /* calculated_tag is 16*8 bytes, rather than 16 bytes, because
- * aes[128|256]gcmsiv_dec uses the extra as scratch space. */
+ // calculated_tag is 16*8 bytes, rather than 16 bytes, because
+ // aes[128|256]gcmsiv_dec uses the extra as scratch space.
alignas(16) uint8_t calculated_tag[16 * 8] = {0};
OPENSSL_memset(calculated_tag, 0, EVP_AEAD_AES_GCM_SIV_TAG_LEN);
@@ -507,11 +507,11 @@
}
static const EVP_AEAD aead_aes_128_gcm_siv_asm = {
- 16, /* key length */
- EVP_AEAD_AES_GCM_SIV_NONCE_LEN, /* nonce length */
- EVP_AEAD_AES_GCM_SIV_TAG_LEN, /* overhead */
- EVP_AEAD_AES_GCM_SIV_TAG_LEN, /* max tag length */
- 0, /* seal_scatter_supports_extra_in */
+ 16, // key length
+ EVP_AEAD_AES_GCM_SIV_NONCE_LEN, // nonce length
+ EVP_AEAD_AES_GCM_SIV_TAG_LEN, // overhead
+ EVP_AEAD_AES_GCM_SIV_TAG_LEN, // max tag length
+ 0, // seal_scatter_supports_extra_in
aead_aes_gcm_siv_asm_init,
NULL /* init_with_direction */,
@@ -524,11 +524,11 @@
};
static const EVP_AEAD aead_aes_256_gcm_siv_asm = {
- 32, /* key length */
- EVP_AEAD_AES_GCM_SIV_NONCE_LEN, /* nonce length */
- EVP_AEAD_AES_GCM_SIV_TAG_LEN, /* overhead */
- EVP_AEAD_AES_GCM_SIV_TAG_LEN, /* max tag length */
- 0, /* seal_scatter_supports_extra_in */
+ 32, // key length
+ EVP_AEAD_AES_GCM_SIV_NONCE_LEN, // nonce length
+ EVP_AEAD_AES_GCM_SIV_TAG_LEN, // overhead
+ EVP_AEAD_AES_GCM_SIV_TAG_LEN, // max tag length
+ 0, // seal_scatter_supports_extra_in
aead_aes_gcm_siv_asm_init,
NULL /* init_with_direction */,
@@ -540,7 +540,7 @@
NULL /* tag_len */,
};
-#endif /* X86_64 && !NO_ASM */
+#endif // X86_64 && !NO_ASM
struct aead_aes_gcm_siv_ctx {
union {
@@ -557,7 +557,7 @@
if (key_bits != 128 && key_bits != 256) {
OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_BAD_KEY_LENGTH);
- return 0; /* EVP_AEAD_CTX_init should catch this. */
+ return 0; // EVP_AEAD_CTX_init should catch this.
}
if (tag_len == EVP_AEAD_DEFAULT_TAG_LENGTH) {
@@ -590,13 +590,13 @@
OPENSSL_free(gcm_siv_ctx);
}
-/* gcm_siv_crypt encrypts (or decrypts—it's the same thing) |in_len| bytes from
- * |in| to |out|, using the block function |enc_block| with |key| in counter
- * mode, starting at |initial_counter|. This differs from the traditional
- * counter mode code in that the counter is handled little-endian, only the
- * first four bytes are used and the GCM-SIV tweak to the final byte is
- * applied. The |in| and |out| pointers may be equal but otherwise must not
- * alias. */
+// gcm_siv_crypt encrypts (or decrypts—it's the same thing) |in_len| bytes from
+// |in| to |out|, using the block function |enc_block| with |key| in counter
+// mode, starting at |initial_counter|. This differs from the traditional
+// counter mode code in that the counter is handled little-endian, only the
+// first four bytes are used and the GCM-SIV tweak to the final byte is
+// applied. The |in| and |out| pointers may be equal but otherwise must not
+// alias.
static void gcm_siv_crypt(uint8_t *out, const uint8_t *in, size_t in_len,
const uint8_t initial_counter[AES_BLOCK_SIZE],
block128_f enc_block, const AES_KEY *key) {
@@ -626,8 +626,8 @@
}
}
-/* gcm_siv_polyval evaluates POLYVAL at |auth_key| on the given plaintext and
- * AD. The result is written to |out_tag|. */
+// gcm_siv_polyval evaluates POLYVAL at |auth_key| on the given plaintext and
+// AD. The result is written to |out_tag|.
static void gcm_siv_polyval(
uint8_t out_tag[16], const uint8_t *in, size_t in_len, const uint8_t *ad,
size_t ad_len, const uint8_t auth_key[16],
@@ -671,7 +671,7 @@
out_tag[15] &= 0x7f;
}
-/* gcm_siv_record_keys contains the keys used for a specific GCM-SIV record. */
+// gcm_siv_record_keys contains the keys used for a specific GCM-SIV record.
struct gcm_siv_record_keys {
uint8_t auth_key[16];
union {
@@ -681,8 +681,8 @@
block128_f enc_block;
};
-/* gcm_siv_keys calculates the keys for a specific GCM-SIV record with the
- * given nonce and writes them to |*out_keys|. */
+// gcm_siv_keys calculates the keys for a specific GCM-SIV record with the
+// given nonce and writes them to |*out_keys|.
static void gcm_siv_keys(
const struct aead_aes_gcm_siv_ctx *gcm_siv_ctx,
struct gcm_siv_record_keys *out_keys,
@@ -793,11 +793,11 @@
}
static const EVP_AEAD aead_aes_128_gcm_siv = {
- 16, /* key length */
- EVP_AEAD_AES_GCM_SIV_NONCE_LEN, /* nonce length */
- EVP_AEAD_AES_GCM_SIV_TAG_LEN, /* overhead */
- EVP_AEAD_AES_GCM_SIV_TAG_LEN, /* max tag length */
- 0, /* seal_scatter_supports_extra_in */
+ 16, // key length
+ EVP_AEAD_AES_GCM_SIV_NONCE_LEN, // nonce length
+ EVP_AEAD_AES_GCM_SIV_TAG_LEN, // overhead
+ EVP_AEAD_AES_GCM_SIV_TAG_LEN, // max tag length
+ 0, // seal_scatter_supports_extra_in
aead_aes_gcm_siv_init,
NULL /* init_with_direction */,
@@ -810,11 +810,11 @@
};
static const EVP_AEAD aead_aes_256_gcm_siv = {
- 32, /* key length */
- EVP_AEAD_AES_GCM_SIV_NONCE_LEN, /* nonce length */
- EVP_AEAD_AES_GCM_SIV_TAG_LEN, /* overhead */
- EVP_AEAD_AES_GCM_SIV_TAG_LEN, /* max tag length */
- 0, /* seal_scatter_supports_extra_in */
+ 32, // key length
+ EVP_AEAD_AES_GCM_SIV_NONCE_LEN, // nonce length
+ EVP_AEAD_AES_GCM_SIV_TAG_LEN, // overhead
+ EVP_AEAD_AES_GCM_SIV_TAG_LEN, // max tag length
+ 0, // seal_scatter_supports_extra_in
aead_aes_gcm_siv_init,
NULL /* init_with_direction */,
@@ -859,4 +859,4 @@
return &aead_aes_256_gcm_siv;
}
-#endif /* X86_64 && !NO_ASM */
+#endif // X86_64 && !NO_ASM
diff --git a/crypto/cipher_extra/e_chacha20poly1305.c b/crypto/cipher_extra/e_chacha20poly1305.c
index 8946f1f..d80a910 100644
--- a/crypto/cipher_extra/e_chacha20poly1305.c
+++ b/crypto/cipher_extra/e_chacha20poly1305.c
@@ -120,7 +120,7 @@
}
if (key_len != sizeof(c20_ctx->key)) {
- return 0; /* internal error - EVP_AEAD_CTX_init should catch this. */
+ return 0; // internal error - EVP_AEAD_CTX_init should catch this.
}
c20_ctx = OPENSSL_malloc(sizeof(struct aead_chacha20_poly1305_ctx));
@@ -152,7 +152,7 @@
CRYPTO_poly1305_update(poly1305, length_bytes, sizeof(length_bytes));
}
-/* calc_tag fills |tag| with the authentication tag for the given inputs. */
+// calc_tag fills |tag| with the authentication tag for the given inputs.
static void calc_tag(uint8_t tag[POLY1305_TAG_LEN],
const struct aead_chacha20_poly1305_ctx *c20_ctx,
const uint8_t nonce[12], const uint8_t *ad, size_t ad_len,
@@ -164,7 +164,7 @@
CRYPTO_chacha_20(poly1305_key, poly1305_key, sizeof(poly1305_key),
c20_ctx->key, nonce, 0);
- static const uint8_t padding[16] = { 0 }; /* Padding is all zeros. */
+ static const uint8_t padding[16] = { 0 }; // Padding is all zeros.
poly1305_state ctx;
CRYPTO_poly1305_init(&ctx, poly1305_key);
CRYPTO_poly1305_update(&ctx, ad, ad_len);
@@ -203,12 +203,12 @@
return 0;
}
- /* |CRYPTO_chacha_20| uses a 32-bit block counter. Therefore we disallow
- * individual operations that work on more than 256GB at a time.
- * |in_len_64| is needed because, on 32-bit platforms, size_t is only
- * 32-bits and this produces a warning because it's always false.
- * Casting to uint64_t inside the conditional is not sufficient to stop
- * the warning. */
+ // |CRYPTO_chacha_20| uses a 32-bit block counter. Therefore we disallow
+ // individual operations that work on more than 256GB at a time.
+ // |in_len_64| is needed because, on 32-bit platforms, size_t is only
+ // 32-bits and this produces a warning because it's always false.
+ // Casting to uint64_t inside the conditional is not sufficient to stop
+ // the warning.
const uint64_t in_len_64 = in_len;
if (in_len_64 >= (UINT64_C(1) << 32) * 64 - 64) {
OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_TOO_LARGE);
@@ -220,8 +220,8 @@
return 0;
}
- /* The the extra input is given, it is expected to be very short and so is
- * encrypted byte-by-byte first. */
+ // The the extra input is given, it is expected to be very short and so is
+ // encrypted byte-by-byte first.
if (extra_in_len) {
static const size_t kChaChaBlockSize = 64;
uint32_t block_counter = 1 + (in_len / kChaChaBlockSize);
@@ -275,12 +275,12 @@
return 0;
}
- /* |CRYPTO_chacha_20| uses a 32-bit block counter. Therefore we disallow
- * individual operations that work on more than 256GB at a time.
- * |in_len_64| is needed because, on 32-bit platforms, size_t is only
- * 32-bits and this produces a warning because it's always false.
- * Casting to uint64_t inside the conditional is not sufficient to stop
- * the warning. */
+ // |CRYPTO_chacha_20| uses a 32-bit block counter. Therefore we disallow
+ // individual operations that work on more than 256GB at a time.
+ // |in_len_64| is needed because, on 32-bit platforms, size_t is only
+ // 32-bits and this produces a warning because it's always false.
+ // Casting to uint64_t inside the conditional is not sufficient to stop
+ // the warning.
const uint64_t in_len_64 = in_len;
if (in_len_64 >= (UINT64_C(1) << 32) * 64 - 64) {
OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_TOO_LARGE);
@@ -307,20 +307,20 @@
}
static const EVP_AEAD aead_chacha20_poly1305 = {
- 32, /* key len */
- 12, /* nonce len */
- POLY1305_TAG_LEN, /* overhead */
- POLY1305_TAG_LEN, /* max tag length */
- 1, /* seal_scatter_supports_extra_in */
+ 32, // key len
+ 12, // nonce len
+ POLY1305_TAG_LEN, // overhead
+ POLY1305_TAG_LEN, // max tag length
+ 1, // seal_scatter_supports_extra_in
aead_chacha20_poly1305_init,
- NULL, /* init_with_direction */
+ NULL, // init_with_direction
aead_chacha20_poly1305_cleanup,
NULL /* open */,
aead_chacha20_poly1305_seal_scatter,
aead_chacha20_poly1305_open_gather,
- NULL, /* get_iv */
- NULL, /* tag_len */
+ NULL, // get_iv
+ NULL, // tag_len
};
const EVP_AEAD *EVP_aead_chacha20_poly1305(void) {
diff --git a/crypto/cipher_extra/e_rc2.c b/crypto/cipher_extra/e_rc2.c
index a18229c..dc42dd5 100644
--- a/crypto/cipher_extra/e_rc2.c
+++ b/crypto/cipher_extra/e_rc2.c
@@ -317,7 +317,7 @@
unsigned int c, d;
k = (uint8_t *)&key->data[0];
- *k = 0; /* for if there is a zero length key */
+ *k = 0; // for if there is a zero length key
if (len > 128) {
len = 128;
@@ -333,7 +333,7 @@
k[i] = data[i];
}
- /* expand table */
+ // expand table
d = k[len - 1];
j = 0;
for (i = len; i < 128; i++, j++) {
@@ -341,7 +341,7 @@
k[i] = d;
}
- /* hmm.... key reduction to 'bits' bits */
+ // hmm.... key reduction to 'bits' bits
j = (bits + 7) >> 3;
i = 128 - j;
@@ -354,7 +354,7 @@
k[i] = d;
}
- /* copy from bytes into uint16_t's */
+ // copy from bytes into uint16_t's
ki = &(key->data[63]);
for (i = 127; i >= 0; i -= 2) {
*(ki--) = ((k[i] << 8) | k[i - 1]) & 0xffff;
@@ -362,8 +362,8 @@
}
typedef struct {
- int key_bits; /* effective key bits */
- RC2_KEY ks; /* key schedule */
+ int key_bits; // effective key bits
+ RC2_KEY ks; // key schedule
} EVP_RC2_KEY;
static int rc2_init_key(EVP_CIPHER_CTX *ctx, const uint8_t *key,
@@ -399,8 +399,8 @@
key->key_bits = EVP_CIPHER_CTX_key_length(ctx) * 8;
return 1;
case EVP_CTRL_SET_RC2_KEY_BITS:
- /* Should be overridden by later call to |EVP_CTRL_INIT|, but
- * people call it, so it may as well work. */
+ // Should be overridden by later call to |EVP_CTRL_INIT|, but
+ // people call it, so it may as well work.
key->key_bits = arg;
return 1;
diff --git a/crypto/cipher_extra/e_ssl3.c b/crypto/cipher_extra/e_ssl3.c
index dc43713..61f25ca 100644
--- a/crypto/cipher_extra/e_ssl3.c
+++ b/crypto/cipher_extra/e_ssl3.c
@@ -40,8 +40,8 @@
size_t md_size = EVP_MD_CTX_size(&ssl3_ctx->md_ctx);
size_t pad_len = (md_size == 20) ? 40 : 48;
- /* To allow for CBC mode which changes cipher length, |ad| doesn't include the
- * length for legacy ciphers. */
+ // To allow for CBC mode which changes cipher length, |ad| doesn't include the
+ // length for legacy ciphers.
uint8_t ad_extra[2];
ad_extra[0] = (uint8_t)(in_len >> 8);
ad_extra[1] = (uint8_t)(in_len & 0xff);
@@ -135,8 +135,8 @@
}
const size_t block_size = EVP_CIPHER_CTX_block_size(&ssl3_ctx->cipher_ctx);
- /* An overflow of |in_len + digest_len| doesn't affect the result mod
- * |block_size|, provided that |block_size| is a smaller power of two. */
+ // An overflow of |in_len + digest_len| doesn't affect the result mod
+ // |block_size|, provided that |block_size| is a smaller power of two.
assert(block_size != 0 && (block_size & (block_size - 1)) == 0);
const size_t pad_len = block_size - ((in_len + digest_len) % block_size);
return digest_len + pad_len;
@@ -153,13 +153,13 @@
AEAD_SSL3_CTX *ssl3_ctx = (AEAD_SSL3_CTX *)ctx->aead_state;
if (!ssl3_ctx->cipher_ctx.encrypt) {
- /* Unlike a normal AEAD, an SSL3 AEAD may only be used in one direction. */
+ // Unlike a normal AEAD, an SSL3 AEAD may only be used in one direction.
OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_INVALID_OPERATION);
return 0;
}
if (in_len > INT_MAX) {
- /* EVP_CIPHER takes int as input. */
+ // EVP_CIPHER takes int as input.
OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_TOO_LARGE);
return 0;
}
@@ -179,15 +179,15 @@
return 0;
}
- /* Compute the MAC. This must be first in case the operation is being done
- * in-place. */
+ // Compute the MAC. This must be first in case the operation is being done
+ // in-place.
uint8_t mac[EVP_MAX_MD_SIZE];
unsigned mac_len;
if (!ssl3_mac(ssl3_ctx, mac, &mac_len, ad, ad_len, in, in_len)) {
return 0;
}
- /* Encrypt the input. */
+ // Encrypt the input.
int len;
if (!EVP_EncryptUpdate(&ssl3_ctx->cipher_ctx, out, &len, in,
(int)in_len)) {
@@ -196,9 +196,9 @@
const size_t block_size = EVP_CIPHER_CTX_block_size(&ssl3_ctx->cipher_ctx);
- /* Feed the MAC into the cipher in two steps. First complete the final partial
- * block from encrypting the input and split the result between |out| and
- * |out_tag|. Then encrypt the remainder. */
+ // Feed the MAC into the cipher in two steps. First complete the final partial
+ // block from encrypting the input and split the result between |out| and
+ // |out_tag|. Then encrypt the remainder.
size_t early_mac_len = (block_size - (in_len % block_size)) % block_size;
if (early_mac_len != 0) {
@@ -225,7 +225,7 @@
assert(block_size <= 256);
assert(EVP_CIPHER_CTX_mode(&ssl3_ctx->cipher_ctx) == EVP_CIPH_CBC_MODE);
- /* Compute padding and feed that into the cipher. */
+ // Compute padding and feed that into the cipher.
uint8_t padding[256];
size_t padding_len = block_size - ((in_len + mac_len) % block_size);
OPENSSL_memset(padding, 0, padding_len - 1);
@@ -255,7 +255,7 @@
AEAD_SSL3_CTX *ssl3_ctx = (AEAD_SSL3_CTX *)ctx->aead_state;
if (ssl3_ctx->cipher_ctx.encrypt) {
- /* Unlike a normal AEAD, an SSL3 AEAD may only be used in one direction. */
+ // Unlike a normal AEAD, an SSL3 AEAD may only be used in one direction.
OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_INVALID_OPERATION);
return 0;
}
@@ -267,8 +267,8 @@
}
if (max_out_len < in_len) {
- /* This requires that the caller provide space for the MAC, even though it
- * will always be removed on return. */
+ // This requires that the caller provide space for the MAC, even though it
+ // will always be removed on return.
OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_BUFFER_TOO_SMALL);
return 0;
}
@@ -284,12 +284,12 @@
}
if (in_len > INT_MAX) {
- /* EVP_CIPHER takes int as input. */
+ // EVP_CIPHER takes int as input.
OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_TOO_LARGE);
return 0;
}
- /* Decrypt to get the plaintext + MAC + padding. */
+ // Decrypt to get the plaintext + MAC + padding.
size_t total = 0;
int len;
if (!EVP_DecryptUpdate(&ssl3_ctx->cipher_ctx, out, &len, in, (int)in_len)) {
@@ -302,9 +302,9 @@
total += len;
assert(total == in_len);
- /* Remove CBC padding and MAC. This would normally be timing-sensitive, but
- * SSLv3 CBC ciphers are already broken. Support will be removed eventually.
- * https://www.openssl.org/~bodo/ssl-poodle.pdf */
+ // Remove CBC padding and MAC. This would normally be timing-sensitive, but
+ // SSLv3 CBC ciphers are already broken. Support will be removed eventually.
+ // https://www.openssl.org/~bodo/ssl-poodle.pdf
size_t data_len;
if (EVP_CIPHER_CTX_mode(&ssl3_ctx->cipher_ctx) == EVP_CIPH_CBC_MODE) {
unsigned padding_length = out[total - 1];
@@ -312,7 +312,7 @@
OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_BAD_DECRYPT);
return 0;
}
- /* The padding must be minimal. */
+ // The padding must be minimal.
if (padding_length + 1 > EVP_CIPHER_CTX_block_size(&ssl3_ctx->cipher_ctx)) {
OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_BAD_DECRYPT);
return 0;
@@ -322,7 +322,7 @@
data_len = total - mac_len;
}
- /* Compute the MAC and compare against the one in the record. */
+ // Compute the MAC and compare against the one in the record.
uint8_t mac[EVP_MAX_MD_SIZE];
if (!ssl3_mac(ssl3_ctx, mac, NULL, ad, ad_len, out, data_len)) {
return 0;
@@ -378,70 +378,70 @@
}
static const EVP_AEAD aead_aes_128_cbc_sha1_ssl3 = {
- SHA_DIGEST_LENGTH + 16 + 16, /* key len (SHA1 + AES128 + IV) */
- 0, /* nonce len */
- 16 + SHA_DIGEST_LENGTH, /* overhead (padding + SHA1) */
- SHA_DIGEST_LENGTH, /* max tag length */
- 0, /* seal_scatter_supports_extra_in */
+ SHA_DIGEST_LENGTH + 16 + 16, // key len (SHA1 + AES128 + IV)
+ 0, // nonce len
+ 16 + SHA_DIGEST_LENGTH, // overhead (padding + SHA1)
+ SHA_DIGEST_LENGTH, // max tag length
+ 0, // seal_scatter_supports_extra_in
- NULL, /* init */
+ NULL, // init
aead_aes_128_cbc_sha1_ssl3_init,
aead_ssl3_cleanup,
aead_ssl3_open,
aead_ssl3_seal_scatter,
- NULL, /* open_gather */
+ NULL, // open_gather
aead_ssl3_get_iv,
aead_ssl3_tag_len,
};
static const EVP_AEAD aead_aes_256_cbc_sha1_ssl3 = {
- SHA_DIGEST_LENGTH + 32 + 16, /* key len (SHA1 + AES256 + IV) */
- 0, /* nonce len */
- 16 + SHA_DIGEST_LENGTH, /* overhead (padding + SHA1) */
- SHA_DIGEST_LENGTH, /* max tag length */
- 0, /* seal_scatter_supports_extra_in */
+ SHA_DIGEST_LENGTH + 32 + 16, // key len (SHA1 + AES256 + IV)
+ 0, // nonce len
+ 16 + SHA_DIGEST_LENGTH, // overhead (padding + SHA1)
+ SHA_DIGEST_LENGTH, // max tag length
+ 0, // seal_scatter_supports_extra_in
- NULL, /* init */
+ NULL, // init
aead_aes_256_cbc_sha1_ssl3_init,
aead_ssl3_cleanup,
aead_ssl3_open,
aead_ssl3_seal_scatter,
- NULL, /* open_gather */
+ NULL, // open_gather
aead_ssl3_get_iv,
aead_ssl3_tag_len,
};
static const EVP_AEAD aead_des_ede3_cbc_sha1_ssl3 = {
- SHA_DIGEST_LENGTH + 24 + 8, /* key len (SHA1 + 3DES + IV) */
- 0, /* nonce len */
- 8 + SHA_DIGEST_LENGTH, /* overhead (padding + SHA1) */
- SHA_DIGEST_LENGTH, /* max tag length */
- 0, /* seal_scatter_supports_extra_in */
+ SHA_DIGEST_LENGTH + 24 + 8, // key len (SHA1 + 3DES + IV)
+ 0, // nonce len
+ 8 + SHA_DIGEST_LENGTH, // overhead (padding + SHA1)
+ SHA_DIGEST_LENGTH, // max tag length
+ 0, // seal_scatter_supports_extra_in
- NULL, /* init */
+ NULL, // init
aead_des_ede3_cbc_sha1_ssl3_init,
aead_ssl3_cleanup,
aead_ssl3_open,
aead_ssl3_seal_scatter,
- NULL, /* open_gather */
+ NULL, // open_gather
aead_ssl3_get_iv,
aead_ssl3_tag_len,
};
static const EVP_AEAD aead_null_sha1_ssl3 = {
- SHA_DIGEST_LENGTH, /* key len */
- 0, /* nonce len */
- SHA_DIGEST_LENGTH, /* overhead (SHA1) */
- SHA_DIGEST_LENGTH, /* max tag length */
- 0, /* seal_scatter_supports_extra_in */
+ SHA_DIGEST_LENGTH, // key len
+ 0, // nonce len
+ SHA_DIGEST_LENGTH, // overhead (SHA1)
+ SHA_DIGEST_LENGTH, // max tag length
+ 0, // seal_scatter_supports_extra_in
- NULL, /* init */
+ NULL, // init
aead_null_sha1_ssl3_init,
aead_ssl3_cleanup,
aead_ssl3_open,
aead_ssl3_seal_scatter,
- NULL, /* open_gather */
- NULL, /* get_iv */
+ NULL, // open_gather
+ NULL, // get_iv
aead_ssl3_tag_len,
};
diff --git a/crypto/cipher_extra/e_tls.c b/crypto/cipher_extra/e_tls.c
index ca206ab..4b87983 100644
--- a/crypto/cipher_extra/e_tls.c
+++ b/crypto/cipher_extra/e_tls.c
@@ -33,12 +33,12 @@
typedef struct {
EVP_CIPHER_CTX cipher_ctx;
HMAC_CTX hmac_ctx;
- /* mac_key is the portion of the key used for the MAC. It is retained
- * separately for the constant-time CBC code. */
+ // mac_key is the portion of the key used for the MAC. It is retained
+ // separately for the constant-time CBC code.
uint8_t mac_key[EVP_MAX_MD_SIZE];
uint8_t mac_key_len;
- /* implicit_iv is one iff this is a pre-TLS-1.1 CBC cipher without an explicit
- * IV. */
+ // implicit_iv is one iff this is a pre-TLS-1.1 CBC cipher without an explicit
+ // IV.
char implicit_iv;
} AEAD_TLS_CTX;
@@ -111,8 +111,8 @@
}
const size_t block_size = EVP_CIPHER_CTX_block_size(&tls_ctx->cipher_ctx);
- /* An overflow of |in_len + hmac_len| doesn't affect the result mod
- * |block_size|, provided that |block_size| is a smaller power of two. */
+ // An overflow of |in_len + hmac_len| doesn't affect the result mod
+ // |block_size|, provided that |block_size| is a smaller power of two.
assert(block_size != 0 && (block_size & (block_size - 1)) == 0);
const size_t pad_len = block_size - (in_len + hmac_len) % block_size;
return hmac_len + pad_len;
@@ -129,13 +129,13 @@
AEAD_TLS_CTX *tls_ctx = (AEAD_TLS_CTX *)ctx->aead_state;
if (!tls_ctx->cipher_ctx.encrypt) {
- /* Unlike a normal AEAD, a TLS AEAD may only be used in one direction. */
+ // Unlike a normal AEAD, a TLS AEAD may only be used in one direction.
OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_INVALID_OPERATION);
return 0;
}
if (in_len > INT_MAX) {
- /* EVP_CIPHER takes int as input. */
+ // EVP_CIPHER takes int as input.
OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_TOO_LARGE);
return 0;
}
@@ -155,14 +155,14 @@
return 0;
}
- /* To allow for CBC mode which changes cipher length, |ad| doesn't include the
- * length for legacy ciphers. */
+ // To allow for CBC mode which changes cipher length, |ad| doesn't include the
+ // length for legacy ciphers.
uint8_t ad_extra[2];
ad_extra[0] = (uint8_t)(in_len >> 8);
ad_extra[1] = (uint8_t)(in_len & 0xff);
- /* Compute the MAC. This must be first in case the operation is being done
- * in-place. */
+ // Compute the MAC. This must be first in case the operation is being done
+ // in-place.
uint8_t mac[EVP_MAX_MD_SIZE];
unsigned mac_len;
if (!HMAC_Init_ex(&tls_ctx->hmac_ctx, NULL, 0, NULL, NULL) ||
@@ -173,14 +173,14 @@
return 0;
}
- /* Configure the explicit IV. */
+ // Configure the explicit IV.
if (EVP_CIPHER_CTX_mode(&tls_ctx->cipher_ctx) == EVP_CIPH_CBC_MODE &&
!tls_ctx->implicit_iv &&
!EVP_EncryptInit_ex(&tls_ctx->cipher_ctx, NULL, NULL, NULL, nonce)) {
return 0;
}
- /* Encrypt the input. */
+ // Encrypt the input.
int len;
if (!EVP_EncryptUpdate(&tls_ctx->cipher_ctx, out, &len, in, (int)in_len)) {
return 0;
@@ -188,9 +188,9 @@
unsigned block_size = EVP_CIPHER_CTX_block_size(&tls_ctx->cipher_ctx);
- /* Feed the MAC into the cipher in two steps. First complete the final partial
- * block from encrypting the input and split the result between |out| and
- * |out_tag|. Then feed the rest. */
+ // Feed the MAC into the cipher in two steps. First complete the final partial
+ // block from encrypting the input and split the result between |out| and
+ // |out_tag|. Then feed the rest.
const size_t early_mac_len =
(block_size - (in_len % block_size) % block_size);
@@ -218,7 +218,7 @@
assert(block_size <= 256);
assert(EVP_CIPHER_CTX_mode(&tls_ctx->cipher_ctx) == EVP_CIPH_CBC_MODE);
- /* Compute padding and feed that into the cipher. */
+ // Compute padding and feed that into the cipher.
uint8_t padding[256];
unsigned padding_len = block_size - ((in_len + mac_len) % block_size);
OPENSSL_memset(padding, padding_len - 1, padding_len);
@@ -232,7 +232,7 @@
if (!EVP_EncryptFinal_ex(&tls_ctx->cipher_ctx, out_tag + tag_len, &len)) {
return 0;
}
- assert(len == 0); /* Padding is explicit. */
+ assert(len == 0); // Padding is explicit.
assert(tag_len == aead_tls_tag_len(ctx, in_len, extra_in_len));
*out_tag_len = tag_len;
@@ -246,7 +246,7 @@
AEAD_TLS_CTX *tls_ctx = (AEAD_TLS_CTX *)ctx->aead_state;
if (tls_ctx->cipher_ctx.encrypt) {
- /* Unlike a normal AEAD, a TLS AEAD may only be used in one direction. */
+ // Unlike a normal AEAD, a TLS AEAD may only be used in one direction.
OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_INVALID_OPERATION);
return 0;
}
@@ -257,8 +257,8 @@
}
if (max_out_len < in_len) {
- /* This requires that the caller provide space for the MAC, even though it
- * will always be removed on return. */
+ // This requires that the caller provide space for the MAC, even though it
+ // will always be removed on return.
OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_BUFFER_TOO_SMALL);
return 0;
}
@@ -274,19 +274,19 @@
}
if (in_len > INT_MAX) {
- /* EVP_CIPHER takes int as input. */
+ // EVP_CIPHER takes int as input.
OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_TOO_LARGE);
return 0;
}
- /* Configure the explicit IV. */
+ // Configure the explicit IV.
if (EVP_CIPHER_CTX_mode(&tls_ctx->cipher_ctx) == EVP_CIPH_CBC_MODE &&
!tls_ctx->implicit_iv &&
!EVP_DecryptInit_ex(&tls_ctx->cipher_ctx, NULL, NULL, NULL, nonce)) {
return 0;
}
- /* Decrypt to get the plaintext + MAC + padding. */
+ // Decrypt to get the plaintext + MAC + padding.
size_t total = 0;
int len;
if (!EVP_DecryptUpdate(&tls_ctx->cipher_ctx, out, &len, in, (int)in_len)) {
@@ -299,8 +299,8 @@
total += len;
assert(total == in_len);
- /* Remove CBC padding. Code from here on is timing-sensitive with respect to
- * |padding_ok| and |data_plus_mac_len| for CBC ciphers. */
+ // Remove CBC padding. Code from here on is timing-sensitive with respect to
+ // |padding_ok| and |data_plus_mac_len| for CBC ciphers.
size_t data_plus_mac_len;
crypto_word_t padding_ok;
if (EVP_CIPHER_CTX_mode(&tls_ctx->cipher_ctx) == EVP_CIPH_CBC_MODE) {
@@ -308,32 +308,32 @@
&padding_ok, &data_plus_mac_len, out, total,
EVP_CIPHER_CTX_block_size(&tls_ctx->cipher_ctx),
HMAC_size(&tls_ctx->hmac_ctx))) {
- /* Publicly invalid. This can be rejected in non-constant time. */
+ // Publicly invalid. This can be rejected in non-constant time.
OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_BAD_DECRYPT);
return 0;
}
} else {
padding_ok = CONSTTIME_TRUE_W;
data_plus_mac_len = total;
- /* |data_plus_mac_len| = |total| = |in_len| at this point. |in_len| has
- * already been checked against the MAC size at the top of the function. */
+ // |data_plus_mac_len| = |total| = |in_len| at this point. |in_len| has
+ // already been checked against the MAC size at the top of the function.
assert(data_plus_mac_len >= HMAC_size(&tls_ctx->hmac_ctx));
}
size_t data_len = data_plus_mac_len - HMAC_size(&tls_ctx->hmac_ctx);
- /* At this point, if the padding is valid, the first |data_plus_mac_len| bytes
- * after |out| are the plaintext and MAC. Otherwise, |data_plus_mac_len| is
- * still large enough to extract a MAC, but it will be irrelevant. */
+ // At this point, if the padding is valid, the first |data_plus_mac_len| bytes
+ // after |out| are the plaintext and MAC. Otherwise, |data_plus_mac_len| is
+ // still large enough to extract a MAC, but it will be irrelevant.
- /* To allow for CBC mode which changes cipher length, |ad| doesn't include the
- * length for legacy ciphers. */
+ // To allow for CBC mode which changes cipher length, |ad| doesn't include the
+ // length for legacy ciphers.
uint8_t ad_fixed[13];
OPENSSL_memcpy(ad_fixed, ad, 11);
ad_fixed[11] = (uint8_t)(data_len >> 8);
ad_fixed[12] = (uint8_t)(data_len & 0xff);
ad_len += 2;
- /* Compute the MAC and extract the one in the record. */
+ // Compute the MAC and extract the one in the record.
uint8_t mac[EVP_MAX_MD_SIZE];
size_t mac_len;
uint8_t record_mac_tmp[EVP_MAX_MD_SIZE];
@@ -351,8 +351,8 @@
record_mac = record_mac_tmp;
EVP_tls_cbc_copy_mac(record_mac, mac_len, out, data_plus_mac_len, total);
} else {
- /* We should support the constant-time path for all CBC-mode ciphers
- * implemented. */
+ // We should support the constant-time path for all CBC-mode ciphers
+ // implemented.
assert(EVP_CIPHER_CTX_mode(&tls_ctx->cipher_ctx) != EVP_CIPH_CBC_MODE);
unsigned mac_len_u;
@@ -368,10 +368,10 @@
record_mac = &out[data_len];
}
- /* Perform the MAC check and the padding check in constant-time. It should be
- * safe to simply perform the padding check first, but it would not be under a
- * different choice of MAC location on padding failure. See
- * EVP_tls_cbc_remove_padding. */
+ // Perform the MAC check and the padding check in constant-time. It should be
+ // safe to simply perform the padding check first, but it would not be under a
+ // different choice of MAC location on padding failure. See
+ // EVP_tls_cbc_remove_padding.
crypto_word_t good =
constant_time_eq_int(CRYPTO_memcmp(record_mac, mac, mac_len), 0);
good &= padding_ok;
@@ -380,7 +380,7 @@
return 0;
}
- /* End of timing-sensitive code. */
+ // End of timing-sensitive code.
*out_len = data_len;
return 1;
@@ -474,172 +474,172 @@
}
static const EVP_AEAD aead_aes_128_cbc_sha1_tls = {
- SHA_DIGEST_LENGTH + 16, /* key len (SHA1 + AES128) */
- 16, /* nonce len (IV) */
- 16 + SHA_DIGEST_LENGTH, /* overhead (padding + SHA1) */
- SHA_DIGEST_LENGTH, /* max tag length */
- 0, /* seal_scatter_supports_extra_in */
+ SHA_DIGEST_LENGTH + 16, // key len (SHA1 + AES128)
+ 16, // nonce len (IV)
+ 16 + SHA_DIGEST_LENGTH, // overhead (padding + SHA1)
+ SHA_DIGEST_LENGTH, // max tag length
+ 0, // seal_scatter_supports_extra_in
- NULL, /* init */
+ NULL, // init
aead_aes_128_cbc_sha1_tls_init,
aead_tls_cleanup,
aead_tls_open,
aead_tls_seal_scatter,
- NULL, /* open_gather */
- NULL, /* get_iv */
+ NULL, // open_gather
+ NULL, // get_iv
aead_tls_tag_len,
};
static const EVP_AEAD aead_aes_128_cbc_sha1_tls_implicit_iv = {
- SHA_DIGEST_LENGTH + 16 + 16, /* key len (SHA1 + AES128 + IV) */
- 0, /* nonce len */
- 16 + SHA_DIGEST_LENGTH, /* overhead (padding + SHA1) */
- SHA_DIGEST_LENGTH, /* max tag length */
- 0, /* seal_scatter_supports_extra_in */
+ SHA_DIGEST_LENGTH + 16 + 16, // key len (SHA1 + AES128 + IV)
+ 0, // nonce len
+ 16 + SHA_DIGEST_LENGTH, // overhead (padding + SHA1)
+ SHA_DIGEST_LENGTH, // max tag length
+ 0, // seal_scatter_supports_extra_in
- NULL, /* init */
+ NULL, // init
aead_aes_128_cbc_sha1_tls_implicit_iv_init,
aead_tls_cleanup,
aead_tls_open,
aead_tls_seal_scatter,
- NULL, /* open_gather */
- aead_tls_get_iv, /* get_iv */
+ NULL, // open_gather
+ aead_tls_get_iv, // get_iv
aead_tls_tag_len,
};
static const EVP_AEAD aead_aes_128_cbc_sha256_tls = {
- SHA256_DIGEST_LENGTH + 16, /* key len (SHA256 + AES128) */
- 16, /* nonce len (IV) */
- 16 + SHA256_DIGEST_LENGTH, /* overhead (padding + SHA256) */
- SHA256_DIGEST_LENGTH, /* max tag length */
- 0, /* seal_scatter_supports_extra_in */
+ SHA256_DIGEST_LENGTH + 16, // key len (SHA256 + AES128)
+ 16, // nonce len (IV)
+ 16 + SHA256_DIGEST_LENGTH, // overhead (padding + SHA256)
+ SHA256_DIGEST_LENGTH, // max tag length
+ 0, // seal_scatter_supports_extra_in
- NULL, /* init */
+ NULL, // init
aead_aes_128_cbc_sha256_tls_init,
aead_tls_cleanup,
aead_tls_open,
aead_tls_seal_scatter,
- NULL, /* open_gather */
- NULL, /* get_iv */
+ NULL, // open_gather
+ NULL, // get_iv
aead_tls_tag_len,
};
static const EVP_AEAD aead_aes_256_cbc_sha1_tls = {
- SHA_DIGEST_LENGTH + 32, /* key len (SHA1 + AES256) */
- 16, /* nonce len (IV) */
- 16 + SHA_DIGEST_LENGTH, /* overhead (padding + SHA1) */
- SHA_DIGEST_LENGTH, /* max tag length */
- 0, /* seal_scatter_supports_extra_in */
+ SHA_DIGEST_LENGTH + 32, // key len (SHA1 + AES256)
+ 16, // nonce len (IV)
+ 16 + SHA_DIGEST_LENGTH, // overhead (padding + SHA1)
+ SHA_DIGEST_LENGTH, // max tag length
+ 0, // seal_scatter_supports_extra_in
- NULL, /* init */
+ NULL, // init
aead_aes_256_cbc_sha1_tls_init,
aead_tls_cleanup,
aead_tls_open,
aead_tls_seal_scatter,
- NULL, /* open_gather */
- NULL, /* get_iv */
+ NULL, // open_gather
+ NULL, // get_iv
aead_tls_tag_len,
};
static const EVP_AEAD aead_aes_256_cbc_sha1_tls_implicit_iv = {
- SHA_DIGEST_LENGTH + 32 + 16, /* key len (SHA1 + AES256 + IV) */
- 0, /* nonce len */
- 16 + SHA_DIGEST_LENGTH, /* overhead (padding + SHA1) */
- SHA_DIGEST_LENGTH, /* max tag length */
- 0, /* seal_scatter_supports_extra_in */
+ SHA_DIGEST_LENGTH + 32 + 16, // key len (SHA1 + AES256 + IV)
+ 0, // nonce len
+ 16 + SHA_DIGEST_LENGTH, // overhead (padding + SHA1)
+ SHA_DIGEST_LENGTH, // max tag length
+ 0, // seal_scatter_supports_extra_in
- NULL, /* init */
+ NULL, // init
aead_aes_256_cbc_sha1_tls_implicit_iv_init,
aead_tls_cleanup,
aead_tls_open,
aead_tls_seal_scatter,
- NULL, /* open_gather */
- aead_tls_get_iv, /* get_iv */
+ NULL, // open_gather
+ aead_tls_get_iv, // get_iv
aead_tls_tag_len,
};
static const EVP_AEAD aead_aes_256_cbc_sha256_tls = {
- SHA256_DIGEST_LENGTH + 32, /* key len (SHA256 + AES256) */
- 16, /* nonce len (IV) */
- 16 + SHA256_DIGEST_LENGTH, /* overhead (padding + SHA256) */
- SHA256_DIGEST_LENGTH, /* max tag length */
- 0, /* seal_scatter_supports_extra_in */
+ SHA256_DIGEST_LENGTH + 32, // key len (SHA256 + AES256)
+ 16, // nonce len (IV)
+ 16 + SHA256_DIGEST_LENGTH, // overhead (padding + SHA256)
+ SHA256_DIGEST_LENGTH, // max tag length
+ 0, // seal_scatter_supports_extra_in
- NULL, /* init */
+ NULL, // init
aead_aes_256_cbc_sha256_tls_init,
aead_tls_cleanup,
aead_tls_open,
aead_tls_seal_scatter,
- NULL, /* open_gather */
- NULL, /* get_iv */
+ NULL, // open_gather
+ NULL, // get_iv
aead_tls_tag_len,
};
static const EVP_AEAD aead_aes_256_cbc_sha384_tls = {
- SHA384_DIGEST_LENGTH + 32, /* key len (SHA384 + AES256) */
- 16, /* nonce len (IV) */
- 16 + SHA384_DIGEST_LENGTH, /* overhead (padding + SHA384) */
- SHA384_DIGEST_LENGTH, /* max tag length */
- 0, /* seal_scatter_supports_extra_in */
+ SHA384_DIGEST_LENGTH + 32, // key len (SHA384 + AES256)
+ 16, // nonce len (IV)
+ 16 + SHA384_DIGEST_LENGTH, // overhead (padding + SHA384)
+ SHA384_DIGEST_LENGTH, // max tag length
+ 0, // seal_scatter_supports_extra_in
- NULL, /* init */
+ NULL, // init
aead_aes_256_cbc_sha384_tls_init,
aead_tls_cleanup,
aead_tls_open,
aead_tls_seal_scatter,
- NULL, /* open_gather */
- NULL, /* get_iv */
+ NULL, // open_gather
+ NULL, // get_iv
aead_tls_tag_len,
};
static const EVP_AEAD aead_des_ede3_cbc_sha1_tls = {
- SHA_DIGEST_LENGTH + 24, /* key len (SHA1 + 3DES) */
- 8, /* nonce len (IV) */
- 8 + SHA_DIGEST_LENGTH, /* overhead (padding + SHA1) */
- SHA_DIGEST_LENGTH, /* max tag length */
- 0, /* seal_scatter_supports_extra_in */
+ SHA_DIGEST_LENGTH + 24, // key len (SHA1 + 3DES)
+ 8, // nonce len (IV)
+ 8 + SHA_DIGEST_LENGTH, // overhead (padding + SHA1)
+ SHA_DIGEST_LENGTH, // max tag length
+ 0, // seal_scatter_supports_extra_in
- NULL, /* init */
+ NULL, // init
aead_des_ede3_cbc_sha1_tls_init,
aead_tls_cleanup,
aead_tls_open,
aead_tls_seal_scatter,
- NULL, /* open_gather */
- NULL, /* get_iv */
+ NULL, // open_gather
+ NULL, // get_iv
aead_tls_tag_len,
};
static const EVP_AEAD aead_des_ede3_cbc_sha1_tls_implicit_iv = {
- SHA_DIGEST_LENGTH + 24 + 8, /* key len (SHA1 + 3DES + IV) */
- 0, /* nonce len */
- 8 + SHA_DIGEST_LENGTH, /* overhead (padding + SHA1) */
- SHA_DIGEST_LENGTH, /* max tag length */
- 0, /* seal_scatter_supports_extra_in */
+ SHA_DIGEST_LENGTH + 24 + 8, // key len (SHA1 + 3DES + IV)
+ 0, // nonce len
+ 8 + SHA_DIGEST_LENGTH, // overhead (padding + SHA1)
+ SHA_DIGEST_LENGTH, // max tag length
+ 0, // seal_scatter_supports_extra_in
- NULL, /* init */
+ NULL, // init
aead_des_ede3_cbc_sha1_tls_implicit_iv_init,
aead_tls_cleanup,
aead_tls_open,
aead_tls_seal_scatter,
- NULL, /* open_gather */
- aead_tls_get_iv, /* get_iv */
+ NULL, // open_gather
+ aead_tls_get_iv, // get_iv
aead_tls_tag_len,
};
static const EVP_AEAD aead_null_sha1_tls = {
- SHA_DIGEST_LENGTH, /* key len */
- 0, /* nonce len */
- SHA_DIGEST_LENGTH, /* overhead (SHA1) */
- SHA_DIGEST_LENGTH, /* max tag length */
- 0, /* seal_scatter_supports_extra_in */
+ SHA_DIGEST_LENGTH, // key len
+ 0, // nonce len
+ SHA_DIGEST_LENGTH, // overhead (SHA1)
+ SHA_DIGEST_LENGTH, // max tag length
+ 0, // seal_scatter_supports_extra_in
- NULL, /* init */
+ NULL, // init
aead_null_sha1_tls_init,
aead_tls_cleanup,
aead_tls_open,
aead_tls_seal_scatter,
- NULL, /* open_gather */
- NULL, /* get_iv */
+ NULL, // open_gather
+ NULL, // get_iv
aead_tls_tag_len,
};
diff --git a/crypto/cipher_extra/internal.h b/crypto/cipher_extra/internal.h
index 7136195..1d2c4e1 100644
--- a/crypto/cipher_extra/internal.h
+++ b/crypto/cipher_extra/internal.h
@@ -66,53 +66,53 @@
#endif
-/* EVP_tls_cbc_get_padding determines the padding from the decrypted, TLS, CBC
- * record in |in|. This decrypted record should not include any "decrypted"
- * explicit IV. If the record is publicly invalid, it returns zero. Otherwise,
- * it returns one and sets |*out_padding_ok| to all ones (0xfff..f) if the
- * padding is valid and zero otherwise. It then sets |*out_len| to the length
- * with the padding removed or |in_len| if invalid.
- *
- * If the function returns one, it runs in time independent of the contents of
- * |in|. It is also guaranteed that |*out_len| >= |mac_size|, satisfying
- * |EVP_tls_cbc_copy_mac|'s precondition. */
+// EVP_tls_cbc_get_padding determines the padding from the decrypted, TLS, CBC
+// record in |in|. This decrypted record should not include any "decrypted"
+// explicit IV. If the record is publicly invalid, it returns zero. Otherwise,
+// it returns one and sets |*out_padding_ok| to all ones (0xfff..f) if the
+// padding is valid and zero otherwise. It then sets |*out_len| to the length
+// with the padding removed or |in_len| if invalid.
+//
+// If the function returns one, it runs in time independent of the contents of
+// |in|. It is also guaranteed that |*out_len| >= |mac_size|, satisfying
+// |EVP_tls_cbc_copy_mac|'s precondition.
int EVP_tls_cbc_remove_padding(crypto_word_t *out_padding_ok, size_t *out_len,
const uint8_t *in, size_t in_len,
size_t block_size, size_t mac_size);
-/* EVP_tls_cbc_copy_mac copies |md_size| bytes from the end of the first
- * |in_len| bytes of |in| to |out| in constant time (independent of the concrete
- * value of |in_len|, which may vary within a 256-byte window). |in| must point
- * to a buffer of |orig_len| bytes.
- *
- * On entry:
- * orig_len >= in_len >= md_size
- * md_size <= EVP_MAX_MD_SIZE */
+// EVP_tls_cbc_copy_mac copies |md_size| bytes from the end of the first
+// |in_len| bytes of |in| to |out| in constant time (independent of the concrete
+// value of |in_len|, which may vary within a 256-byte window). |in| must point
+// to a buffer of |orig_len| bytes.
+//
+// On entry:
+// orig_len >= in_len >= md_size
+// md_size <= EVP_MAX_MD_SIZE
void EVP_tls_cbc_copy_mac(uint8_t *out, size_t md_size, const uint8_t *in,
size_t in_len, size_t orig_len);
-/* EVP_tls_cbc_record_digest_supported returns 1 iff |md| is a hash function
- * which EVP_tls_cbc_digest_record supports. */
+// EVP_tls_cbc_record_digest_supported returns 1 iff |md| is a hash function
+// which EVP_tls_cbc_digest_record supports.
int EVP_tls_cbc_record_digest_supported(const EVP_MD *md);
-/* EVP_tls_cbc_digest_record computes the MAC of a decrypted, padded TLS
- * record.
- *
- * md: the hash function used in the HMAC.
- * EVP_tls_cbc_record_digest_supported must return true for this hash.
- * md_out: the digest output. At most EVP_MAX_MD_SIZE bytes will be written.
- * md_out_size: the number of output bytes is written here.
- * header: the 13-byte, TLS record header.
- * data: the record data itself
- * data_plus_mac_size: the secret, reported length of the data and MAC
- * once the padding has been removed.
- * data_plus_mac_plus_padding_size: the public length of the whole
- * record, including padding.
- *
- * On entry: by virtue of having been through one of the remove_padding
- * functions, above, we know that data_plus_mac_size is large enough to contain
- * a padding byte and MAC. (If the padding was invalid, it might contain the
- * padding too. ) */
+// EVP_tls_cbc_digest_record computes the MAC of a decrypted, padded TLS
+// record.
+//
+// md: the hash function used in the HMAC.
+// EVP_tls_cbc_record_digest_supported must return true for this hash.
+// md_out: the digest output. At most EVP_MAX_MD_SIZE bytes will be written.
+// md_out_size: the number of output bytes is written here.
+// header: the 13-byte, TLS record header.
+// data: the record data itself
+// data_plus_mac_size: the secret, reported length of the data and MAC
+// once the padding has been removed.
+// data_plus_mac_plus_padding_size: the public length of the whole
+// record, including padding.
+//
+// On entry: by virtue of having been through one of the remove_padding
+// functions, above, we know that data_plus_mac_size is large enough to contain
+// a padding byte and MAC. (If the padding was invalid, it might contain the
+// padding too. )
int EVP_tls_cbc_digest_record(const EVP_MD *md, uint8_t *md_out,
size_t *md_out_size, const uint8_t header[13],
const uint8_t *data, size_t data_plus_mac_size,
@@ -122,7 +122,7 @@
#if defined(__cplusplus)
-} /* extern C */
+} // extern C
#endif
-#endif /* OPENSSL_HEADER_CIPHER_EXTRA_INTERNAL_H */
+#endif // OPENSSL_HEADER_CIPHER_EXTRA_INTERNAL_H
diff --git a/crypto/cipher_extra/tls_cbc.c b/crypto/cipher_extra/tls_cbc.c
index 2372c5c..6f95130 100644
--- a/crypto/cipher_extra/tls_cbc.c
+++ b/crypto/cipher_extra/tls_cbc.c
@@ -62,13 +62,13 @@
#include "../fipsmodule/cipher/internal.h"
-/* MAX_HASH_BIT_COUNT_BYTES is the maximum number of bytes in the hash's length
- * field. (SHA-384/512 have 128-bit length.) */
+// MAX_HASH_BIT_COUNT_BYTES is the maximum number of bytes in the hash's length
+// field. (SHA-384/512 have 128-bit length.)
#define MAX_HASH_BIT_COUNT_BYTES 16
-/* MAX_HASH_BLOCK_SIZE is the maximum hash block size that we'll support.
- * Currently SHA-384/512 has a 128-byte block size and that's the largest
- * supported by TLS.) */
+// MAX_HASH_BLOCK_SIZE is the maximum hash block size that we'll support.
+// Currently SHA-384/512 has a 128-byte block size and that's the largest
+// supported by TLS.)
#define MAX_HASH_BLOCK_SIZE 128
int EVP_tls_cbc_remove_padding(crypto_word_t *out_padding_ok, size_t *out_len,
@@ -76,7 +76,7 @@
size_t block_size, size_t mac_size) {
const size_t overhead = 1 /* padding length byte */ + mac_size;
- /* These lengths are all public so we can test them in non-constant time. */
+ // These lengths are all public so we can test them in non-constant time.
if (overhead > in_len) {
return 0;
}
@@ -84,16 +84,16 @@
size_t padding_length = in[in_len - 1];
crypto_word_t good = constant_time_ge_w(in_len, overhead + padding_length);
- /* The padding consists of a length byte at the end of the record and
- * then that many bytes of padding, all with the same value as the
- * length byte. Thus, with the length byte included, there are i+1
- * bytes of padding.
- *
- * We can't check just |padding_length+1| bytes because that leaks
- * decrypted information. Therefore we always have to check the maximum
- * amount of padding possible. (Again, the length of the record is
- * public information so we can use it.) */
- size_t to_check = 256; /* maximum amount of padding, inc length byte. */
+ // The padding consists of a length byte at the end of the record and
+ // then that many bytes of padding, all with the same value as the
+ // length byte. Thus, with the length byte included, there are i+1
+ // bytes of padding.
+ //
+ // We can't check just |padding_length+1| bytes because that leaks
+ // decrypted information. Therefore we always have to check the maximum
+ // amount of padding possible. (Again, the length of the record is
+ // public information so we can use it.)
+ size_t to_check = 256; // maximum amount of padding, inc length byte.
if (to_check > in_len) {
to_check = in_len;
}
@@ -101,19 +101,19 @@
for (size_t i = 0; i < to_check; i++) {
uint8_t mask = constant_time_ge_8(padding_length, i);
uint8_t b = in[in_len - 1 - i];
- /* The final |padding_length+1| bytes should all have the value
- * |padding_length|. Therefore the XOR should be zero. */
+ // The final |padding_length+1| bytes should all have the value
+ // |padding_length|. Therefore the XOR should be zero.
good &= ~(mask & (padding_length ^ b));
}
- /* If any of the final |padding_length+1| bytes had the wrong value,
- * one or more of the lower eight bits of |good| will be cleared. */
+ // If any of the final |padding_length+1| bytes had the wrong value,
+ // one or more of the lower eight bits of |good| will be cleared.
good = constant_time_eq_w(0xff, good & 0xff);
- /* Always treat |padding_length| as zero on error. If, assuming block size of
- * 16, a padding of [<15 arbitrary bytes> 15] treated |padding_length| as 16
- * and returned -1, distinguishing good MAC and bad padding from bad MAC and
- * bad padding would give POODLE's padding oracle. */
+ // Always treat |padding_length| as zero on error. If, assuming block size of
+ // 16, a padding of [<15 arbitrary bytes> 15] treated |padding_length| as 16
+ // and returned -1, distinguishing good MAC and bad padding from bad MAC and
+ // bad padding would give POODLE's padding oracle.
padding_length = good & (padding_length + 1);
*out_len = in_len - padding_length;
*out_padding_ok = good;
@@ -126,7 +126,7 @@
uint8_t *rotated_mac = rotated_mac1;
uint8_t *rotated_mac_tmp = rotated_mac2;
- /* mac_end is the index of |in| just after the end of the MAC. */
+ // mac_end is the index of |in| just after the end of the MAC.
size_t mac_end = in_len;
size_t mac_start = mac_end - md_size;
@@ -134,10 +134,10 @@
assert(in_len >= md_size);
assert(md_size <= EVP_MAX_MD_SIZE);
- /* scan_start contains the number of bytes that we can ignore because
- * the MAC's position can only vary by 255 bytes. */
+ // scan_start contains the number of bytes that we can ignore because
+ // the MAC's position can only vary by 255 bytes.
size_t scan_start = 0;
- /* This information is public so it's safe to branch based on it. */
+ // This information is public so it's safe to branch based on it.
if (orig_len > md_size + 255 + 1) {
scan_start = orig_len - (md_size + 255 + 1);
}
@@ -153,15 +153,15 @@
mac_started |= is_mac_start;
uint8_t mac_ended = constant_time_ge_8(i, mac_end);
rotated_mac[j] |= in[i] & mac_started & ~mac_ended;
- /* Save the offset that |mac_start| is mapped to. */
+ // Save the offset that |mac_start| is mapped to.
rotate_offset |= j & is_mac_start;
}
- /* Now rotate the MAC. We rotate in log(md_size) steps, one for each bit
- * position. */
+ // Now rotate the MAC. We rotate in log(md_size) steps, one for each bit
+ // position.
for (size_t offset = 1; offset < md_size; offset <<= 1, rotate_offset >>= 1) {
- /* Rotate by |offset| iff the corresponding bit is set in
- * |rotate_offset|, placing the result in |rotated_mac_tmp|. */
+ // Rotate by |offset| iff the corresponding bit is set in
+ // |rotate_offset|, placing the result in |rotated_mac_tmp|.
const uint8_t skip_rotate = (rotate_offset & 1) - 1;
for (size_t i = 0, j = offset; i < md_size; i++, j++) {
if (j >= md_size) {
@@ -171,9 +171,9 @@
constant_time_select_8(skip_rotate, rotated_mac[i], rotated_mac[j]);
}
- /* Swap pointers so |rotated_mac| contains the (possibly) rotated value.
- * Note the number of iterations and thus the identity of these pointers is
- * public information. */
+ // Swap pointers so |rotated_mac| contains the (possibly) rotated value.
+ // Note the number of iterations and thus the identity of these pointers is
+ // public information.
uint8_t *tmp = rotated_mac;
rotated_mac = rotated_mac_tmp;
rotated_mac_tmp = tmp;
@@ -182,8 +182,8 @@
OPENSSL_memcpy(out, rotated_mac, md_size);
}
-/* u32toBE serialises an unsigned, 32-bit number (n) as four bytes at (p) in
- * big-endian order. The value of p is advanced by four. */
+// u32toBE serialises an unsigned, 32-bit number (n) as four bytes at (p) in
+// big-endian order. The value of p is advanced by four.
#define u32toBE(n, p) \
do { \
*((p)++) = (uint8_t)((n) >> 24); \
@@ -192,8 +192,8 @@
*((p)++) = (uint8_t)((n)); \
} while (0)
-/* u64toBE serialises an unsigned, 64-bit number (n) as eight bytes at (p) in
- * big-endian order. The value of p is advanced by eight. */
+// u64toBE serialises an unsigned, 64-bit number (n) as eight bytes at (p) in
+// big-endian order. The value of p is advanced by eight.
#define u64toBE(n, p) \
do { \
*((p)++) = (uint8_t)((n) >> 56); \
@@ -224,9 +224,9 @@
SHA512_Transform(&ctx->sha512, block);
}
-/* These functions serialize the state of a hash and thus perform the standard
- * "final" operation without adding the padding and length that such a function
- * typically does. */
+// These functions serialize the state of a hash and thus perform the standard
+// "final" operation without adding the padding and length that such a function
+// typically does.
static void tls1_sha1_final_raw(HASH_CTX *ctx, uint8_t *md_out) {
SHA_CTX *sha1 = &ctx->sha1;
u32toBE(sha1->h[0], md_out);
@@ -272,13 +272,13 @@
void (*md_final_raw)(HASH_CTX *ctx, uint8_t *md_out);
void (*md_transform)(HASH_CTX *ctx, const uint8_t *block);
unsigned md_size, md_block_size = 64;
- /* md_length_size is the number of bytes in the length field that terminates
- * the hash. */
+ // md_length_size is the number of bytes in the length field that terminates
+ // the hash.
unsigned md_length_size = 8;
- /* Bound the acceptable input so we can forget about many possible overflows
- * later in this function. This is redundant with the record size limits in
- * TLS. */
+ // Bound the acceptable input so we can forget about many possible overflows
+ // later in this function. This is redundant with the record size limits in
+ // TLS.
if (data_plus_mac_plus_padding_size >= 1024 * 1024) {
assert(0);
return 0;
@@ -309,8 +309,8 @@
break;
default:
- /* EVP_tls_cbc_record_digest_supported should have been called first to
- * check that the hash function is supported. */
+ // EVP_tls_cbc_record_digest_supported should have been called first to
+ // check that the hash function is supported.
assert(0);
*md_out_size = 0;
return 0;
@@ -322,45 +322,45 @@
static const size_t kHeaderLength = 13;
- /* kVarianceBlocks is the number of blocks of the hash that we have to
- * calculate in constant time because they could be altered by the
- * padding value.
- *
- * TLSv1 has MACs up to 48 bytes long (SHA-384) and the padding is not
- * required to be minimal. Therefore we say that the final six blocks
- * can vary based on the padding. */
+ // kVarianceBlocks is the number of blocks of the hash that we have to
+ // calculate in constant time because they could be altered by the
+ // padding value.
+ //
+ // TLSv1 has MACs up to 48 bytes long (SHA-384) and the padding is not
+ // required to be minimal. Therefore we say that the final six blocks
+ // can vary based on the padding.
static const size_t kVarianceBlocks = 6;
- /* From now on we're dealing with the MAC, which conceptually has 13
- * bytes of `header' before the start of the data. */
+ // From now on we're dealing with the MAC, which conceptually has 13
+ // bytes of `header' before the start of the data.
size_t len = data_plus_mac_plus_padding_size + kHeaderLength;
- /* max_mac_bytes contains the maximum bytes of bytes in the MAC, including
- * |header|, assuming that there's no padding. */
+ // max_mac_bytes contains the maximum bytes of bytes in the MAC, including
+ // |header|, assuming that there's no padding.
size_t max_mac_bytes = len - md_size - 1;
- /* num_blocks is the maximum number of hash blocks. */
+ // num_blocks is the maximum number of hash blocks.
size_t num_blocks =
(max_mac_bytes + 1 + md_length_size + md_block_size - 1) / md_block_size;
- /* In order to calculate the MAC in constant time we have to handle
- * the final blocks specially because the padding value could cause the
- * end to appear somewhere in the final |kVarianceBlocks| blocks and we
- * can't leak where. However, |num_starting_blocks| worth of data can
- * be hashed right away because no padding value can affect whether
- * they are plaintext. */
+ // In order to calculate the MAC in constant time we have to handle
+ // the final blocks specially because the padding value could cause the
+ // end to appear somewhere in the final |kVarianceBlocks| blocks and we
+ // can't leak where. However, |num_starting_blocks| worth of data can
+ // be hashed right away because no padding value can affect whether
+ // they are plaintext.
size_t num_starting_blocks = 0;
- /* k is the starting byte offset into the conceptual header||data where
- * we start processing. */
+ // k is the starting byte offset into the conceptual header||data where
+ // we start processing.
size_t k = 0;
- /* mac_end_offset is the index just past the end of the data to be
- * MACed. */
+ // mac_end_offset is the index just past the end of the data to be
+ // MACed.
size_t mac_end_offset = data_plus_mac_size + kHeaderLength - md_size;
- /* c is the index of the 0x80 byte in the final hash block that
- * contains application data. */
+ // c is the index of the 0x80 byte in the final hash block that
+ // contains application data.
size_t c = mac_end_offset % md_block_size;
- /* index_a is the hash block number that contains the 0x80 terminating
- * value. */
+ // index_a is the hash block number that contains the 0x80 terminating
+ // value.
size_t index_a = mac_end_offset / md_block_size;
- /* index_b is the hash block number that contains the 64-bit hash
- * length, in bits. */
+ // index_b is the hash block number that contains the 64-bit hash
+ // length, in bits.
size_t index_b = (mac_end_offset + md_length_size) / md_block_size;
if (num_blocks > kVarianceBlocks) {
@@ -368,13 +368,13 @@
k = md_block_size * num_starting_blocks;
}
- /* bits is the hash-length in bits. It includes the additional hash
- * block for the masked HMAC key. */
- size_t bits = 8 * mac_end_offset; /* at most 18 bits to represent */
+ // bits is the hash-length in bits. It includes the additional hash
+ // block for the masked HMAC key.
+ size_t bits = 8 * mac_end_offset; // at most 18 bits to represent
- /* Compute the initial HMAC block. */
+ // Compute the initial HMAC block.
bits += 8 * md_block_size;
- /* hmac_pad is the masked HMAC key. */
+ // hmac_pad is the masked HMAC key.
uint8_t hmac_pad[MAX_HASH_BLOCK_SIZE];
OPENSSL_memset(hmac_pad, 0, md_block_size);
assert(mac_secret_length <= sizeof(hmac_pad));
@@ -385,7 +385,7 @@
md_transform(&md_state, hmac_pad);
- /* The length check means |bits| fits in four bytes. */
+ // The length check means |bits| fits in four bytes.
uint8_t length_bytes[MAX_HASH_BIT_COUNT_BYTES];
OPENSSL_memset(length_bytes, 0, md_length_size - 4);
length_bytes[md_length_size - 4] = (uint8_t)(bits >> 24);
@@ -394,7 +394,7 @@
length_bytes[md_length_size - 1] = (uint8_t)bits;
if (k > 0) {
- /* k is a multiple of md_block_size. */
+ // k is a multiple of md_block_size.
uint8_t first_block[MAX_HASH_BLOCK_SIZE];
OPENSSL_memcpy(first_block, header, 13);
OPENSSL_memcpy(first_block + 13, data, md_block_size - 13);
@@ -407,10 +407,10 @@
uint8_t mac_out[EVP_MAX_MD_SIZE];
OPENSSL_memset(mac_out, 0, sizeof(mac_out));
- /* We now process the final hash blocks. For each block, we construct
- * it in constant time. If the |i==index_a| then we'll include the 0x80
- * bytes and zero pad etc. For each block we selectively copy it, in
- * constant time, to |mac_out|. */
+ // We now process the final hash blocks. For each block, we construct
+ // it in constant time. If the |i==index_a| then we'll include the 0x80
+ // bytes and zero pad etc. For each block we selectively copy it, in
+ // constant time, to |mac_out|.
for (size_t i = num_starting_blocks;
i <= num_starting_blocks + kVarianceBlocks; i++) {
uint8_t block[MAX_HASH_BLOCK_SIZE];
@@ -427,24 +427,24 @@
uint8_t is_past_c = is_block_a & constant_time_ge_8(j, c);
uint8_t is_past_cp1 = is_block_a & constant_time_ge_8(j, c + 1);
- /* If this is the block containing the end of the
- * application data, and we are at the offset for the
- * 0x80 value, then overwrite b with 0x80. */
+ // If this is the block containing the end of the
+ // application data, and we are at the offset for the
+ // 0x80 value, then overwrite b with 0x80.
b = constant_time_select_8(is_past_c, 0x80, b);
- /* If this the the block containing the end of the
- * application data and we're past the 0x80 value then
- * just write zero. */
+ // If this the the block containing the end of the
+ // application data and we're past the 0x80 value then
+ // just write zero.
b = b & ~is_past_cp1;
- /* If this is index_b (the final block), but not
- * index_a (the end of the data), then the 64-bit
- * length didn't fit into index_a and we're having to
- * add an extra block of zeros. */
+ // If this is index_b (the final block), but not
+ // index_a (the end of the data), then the 64-bit
+ // length didn't fit into index_a and we're having to
+ // add an extra block of zeros.
b &= ~is_block_b | is_block_a;
- /* The final bytes of one of the blocks contains the
- * length. */
+ // The final bytes of one of the blocks contains the
+ // length.
if (j >= md_block_size - md_length_size) {
- /* If this is index_b, write a length byte. */
+ // If this is index_b, write a length byte.
b = constant_time_select_8(
is_block_b, length_bytes[j - (md_block_size - md_length_size)], b);
}
@@ -453,7 +453,7 @@
md_transform(&md_state, block);
md_final_raw(&md_state, block);
- /* If this is index_b, copy the hash value to |mac_out|. */
+ // If this is index_b, copy the hash value to |mac_out|.
for (size_t j = 0; j < md_size; j++) {
mac_out[j] |= block[j] & is_block_b;
}
@@ -466,7 +466,7 @@
return 0;
}
- /* Complete the HMAC in the standard manner. */
+ // Complete the HMAC in the standard manner.
for (size_t i = 0; i < md_block_size; i++) {
hmac_pad[i] ^= 0x6a;
}
diff --git a/crypto/cmac/cmac.c b/crypto/cmac/cmac.c
index a9a527d..fb4e69c 100644
--- a/crypto/cmac/cmac.c
+++ b/crypto/cmac/cmac.c
@@ -60,13 +60,13 @@
struct cmac_ctx_st {
EVP_CIPHER_CTX cipher_ctx;
- /* k1 and k2 are the CMAC subkeys. See
- * https://tools.ietf.org/html/rfc4493#section-2.3 */
+ // k1 and k2 are the CMAC subkeys. See
+ // https://tools.ietf.org/html/rfc4493#section-2.3
uint8_t k1[AES_BLOCK_SIZE];
uint8_t k2[AES_BLOCK_SIZE];
- /* Last (possibly partial) scratch */
+ // Last (possibly partial) scratch
uint8_t block[AES_BLOCK_SIZE];
- /* block_used contains the number of valid bytes in |block|. */
+ // block_used contains the number of valid bytes in |block|.
unsigned block_used;
};
@@ -124,20 +124,20 @@
OPENSSL_free(ctx);
}
-/* binary_field_mul_x treats the 128 bits at |in| as an element of GF(2¹²⁸)
- * with a hard-coded reduction polynomial and sets |out| as x times the
- * input.
- *
- * See https://tools.ietf.org/html/rfc4493#section-2.3 */
+// binary_field_mul_x treats the 128 bits at |in| as an element of GF(2¹²⁸)
+// with a hard-coded reduction polynomial and sets |out| as x times the
+// input.
+//
+// See https://tools.ietf.org/html/rfc4493#section-2.3
static void binary_field_mul_x(uint8_t out[16], const uint8_t in[16]) {
unsigned i;
- /* Shift |in| to left, including carry. */
+ // Shift |in| to left, including carry.
for (i = 0; i < 15; i++) {
out[i] = (in[i] << 1) | (in[i+1] >> 7);
}
- /* If MSB set fixup with R. */
+ // If MSB set fixup with R.
const uint8_t carry = in[0] >> 7;
out[i] = (in[i] << 1) ^ ((0 - carry) & 0x87);
}
@@ -152,7 +152,7 @@
EVP_CIPHER_key_length(cipher) != key_len ||
!EVP_EncryptInit_ex(&ctx->cipher_ctx, cipher, NULL, key, kZeroIV) ||
!EVP_Cipher(&ctx->cipher_ctx, scratch, kZeroIV, AES_BLOCK_SIZE) ||
- /* Reset context again ready for first data. */
+ // Reset context again ready for first data.
!EVP_EncryptInit_ex(&ctx->cipher_ctx, NULL, NULL, NULL, kZeroIV)) {
return 0;
}
@@ -183,11 +183,11 @@
in_len -= todo;
ctx->block_used += todo;
- /* If |in_len| is zero then either |ctx->block_used| is less than
- * |AES_BLOCK_SIZE|, in which case we can stop here, or |ctx->block_used|
- * is exactly |AES_BLOCK_SIZE| but there's no more data to process. In the
- * latter case we don't want to process this block now because it might be
- * the last block and that block is treated specially. */
+ // If |in_len| is zero then either |ctx->block_used| is less than
+ // |AES_BLOCK_SIZE|, in which case we can stop here, or |ctx->block_used|
+ // is exactly |AES_BLOCK_SIZE| but there's no more data to process. In the
+ // latter case we don't want to process this block now because it might be
+ // the last block and that block is treated specially.
if (in_len == 0) {
return 1;
}
@@ -199,7 +199,7 @@
}
}
- /* Encrypt all but one of the remaining blocks. */
+ // Encrypt all but one of the remaining blocks.
while (in_len > AES_BLOCK_SIZE) {
if (!EVP_Cipher(&ctx->cipher_ctx, scratch, in, AES_BLOCK_SIZE)) {
return 0;
@@ -223,8 +223,8 @@
const uint8_t *mask = ctx->k1;
if (ctx->block_used != AES_BLOCK_SIZE) {
- /* If the last block is incomplete, terminate it with a single 'one' bit
- * followed by zeros. */
+ // If the last block is incomplete, terminate it with a single 'one' bit
+ // followed by zeros.
ctx->block[ctx->block_used] = 0x80;
OPENSSL_memset(ctx->block + ctx->block_used + 1, 0,
AES_BLOCK_SIZE - (ctx->block_used + 1));
diff --git a/crypto/conf/conf.c b/crypto/conf/conf.c
index 00172f5..f8ff613 100644
--- a/crypto/conf/conf.c
+++ b/crypto/conf/conf.c
@@ -69,8 +69,8 @@
#include "../internal.h"
-/* The maximum length we can grow a value to after variable expansion. 64k
- * should be more than enough for all reasonable uses. */
+// The maximum length we can grow a value to after variable expansion. 64k
+// should be more than enough for all reasonable uses.
#define MAX_CONF_VALUE_LENGTH 65536
static uint32_t conf_value_hash(const CONF_VALUE *v) {
@@ -263,7 +263,7 @@
} else if (IS_EOF(conf, *from)) {
break;
} else if (*from == '$') {
- /* try to expand it */
+ // try to expand it
rrp = NULL;
s = &(from[1]);
if (*s == '{') {
@@ -303,14 +303,14 @@
}
e++;
}
- /* So at this point we have
- * np which is the start of the name string which is
- * '\0' terminated.
- * cp which is the start of the section string which is
- * '\0' terminated.
- * e is the 'next point after'.
- * r and rr are the chars replaced by the '\0'
- * rp and rrp is where 'r' and 'rr' came from. */
+ // So at this point we have
+ // np which is the start of the name string which is
+ // '\0' terminated.
+ // cp which is the start of the section string which is
+ // '\0' terminated.
+ // e is the 'next point after'.
+ // r and rr are the chars replaced by the '\0'
+ // rp and rrp is where 'r' and 'rr' came from.
p = NCONF_get_string(conf, cp, np);
if (rrp != NULL) {
*rrp = rr;
@@ -566,25 +566,25 @@
i--;
}
}
- /* we removed some trailing stuff so there is a new
- * line on the end. */
+ // we removed some trailing stuff so there is a new
+ // line on the end.
if (ii && i == ii) {
- again = 1; /* long line */
+ again = 1; // long line
} else {
p[i] = '\0';
- eline++; /* another input line */
+ eline++; // another input line
}
- /* we now have a line with trailing \r\n removed */
+ // we now have a line with trailing \r\n removed
- /* i is the number of bytes */
+ // i is the number of bytes
bufnum += i;
v = NULL;
- /* check for line continuation */
+ // check for line continuation
if (bufnum >= 1) {
- /* If we have bytes and the last char '\\' and
- * second last char is not '\\' */
+ // If we have bytes and the last char '\\' and
+ // second last char is not '\\'
p = &(buff->data[bufnum - 1]);
if (IS_ESC(conf, p[0]) && ((bufnum <= 1) || !IS_ESC(conf, p[-1]))) {
bufnum--;
@@ -600,7 +600,7 @@
clear_comments(conf, buf);
s = eat_ws(conf, buf);
if (IS_EOF(conf, *s)) {
- continue; /* blank line */
+ continue; // blank line
}
if (*s == '[') {
char *ss;
diff --git a/crypto/conf/internal.h b/crypto/conf/internal.h
index 03d1a8f..3e0e57d 100644
--- a/crypto/conf/internal.h
+++ b/crypto/conf/internal.h
@@ -20,12 +20,12 @@
#endif
-/* CONF_VALUE_new returns a freshly allocated and zeroed |CONF_VALUE|. */
+// CONF_VALUE_new returns a freshly allocated and zeroed |CONF_VALUE|.
CONF_VALUE *CONF_VALUE_new(void);
#if defined(__cplusplus)
-} /* extern C */
+} // extern C
#endif
-#endif /* OPENSSL_HEADER_CRYPTO_CONF_INTERNAL_H */
+#endif // OPENSSL_HEADER_CRYPTO_CONF_INTERNAL_H
diff --git a/crypto/cpu-aarch64-linux.c b/crypto/cpu-aarch64-linux.c
index 1b0f395..f9fa6c5 100644
--- a/crypto/cpu-aarch64-linux.c
+++ b/crypto/cpu-aarch64-linux.c
@@ -28,8 +28,8 @@
void OPENSSL_cpuid_setup(void) {
unsigned long hwcap = getauxval(AT_HWCAP);
- /* See /usr/include/asm/hwcap.h on an aarch64 installation for the source of
- * these values. */
+ // See /usr/include/asm/hwcap.h on an aarch64 installation for the source of
+ // these values.
static const unsigned long kNEON = 1 << 1;
static const unsigned long kAES = 1 << 3;
static const unsigned long kPMULL = 1 << 4;
@@ -37,8 +37,8 @@
static const unsigned long kSHA256 = 1 << 6;
if ((hwcap & kNEON) == 0) {
- /* Matching OpenSSL, if NEON is missing, don't report other features
- * either. */
+ // Matching OpenSSL, if NEON is missing, don't report other features
+ // either.
return;
}
@@ -58,4 +58,4 @@
}
}
-#endif /* OPENSSL_AARCH64 && !OPENSSL_STATIC_ARMCAP */
+#endif // OPENSSL_AARCH64 && !OPENSSL_STATIC_ARMCAP
diff --git a/crypto/cpu-arm-linux.c b/crypto/cpu-arm-linux.c
index 95bb5ee..a5f1f8a 100644
--- a/crypto/cpu-arm-linux.c
+++ b/crypto/cpu-arm-linux.c
@@ -34,15 +34,15 @@
#define HWCAP_NEON (1 << 12)
-/* See /usr/include/asm/hwcap.h on an ARM installation for the source of
- * these values. */
+// See /usr/include/asm/hwcap.h on an ARM installation for the source of
+// these values.
#define HWCAP2_AES (1 << 0)
#define HWCAP2_PMULL (1 << 1)
#define HWCAP2_SHA1 (1 << 2)
#define HWCAP2_SHA2 (1 << 3)
-/* |getauxval| is not available on Android until API level 20. Link it as a weak
- * symbol and use other methods as fallback. */
+// |getauxval| is not available on Android until API level 20. Link it as a weak
+// symbol and use other methods as fallback.
unsigned long getauxval(unsigned long type) __attribute__((weak));
static int open_eintr(const char *path, int flags) {
@@ -61,8 +61,8 @@
return ret;
}
-/* read_full reads exactly |len| bytes from |fd| to |out|. On error or end of
- * file, it returns zero. */
+// read_full reads exactly |len| bytes from |fd| to |out|. On error or end of
+// file, it returns zero.
static int read_full(int fd, void *out, size_t len) {
char *outp = out;
while (len > 0) {
@@ -76,9 +76,9 @@
return 1;
}
-/* read_file opens |path| and reads until end-of-file. On success, it returns
- * one and sets |*out_ptr| and |*out_len| to a newly-allocated buffer with the
- * contents. Otherwise, it returns zero. */
+// read_file opens |path| and reads until end-of-file. On success, it returns
+// one and sets |*out_ptr| and |*out_len| to a newly-allocated buffer with the
+// contents. Otherwise, it returns zero.
static int read_file(char **out_ptr, size_t *out_len, const char *path) {
int fd = open_eintr(path, O_RDONLY);
if (fd < 0) {
@@ -128,7 +128,7 @@
return ret;
}
-/* getauxval_proc behaves like |getauxval| but reads from /proc/self/auxv. */
+// getauxval_proc behaves like |getauxval| but reads from /proc/self/auxv.
static unsigned long getauxval_proc(unsigned long type) {
int fd = open_eintr("/proc/self/auxv", O_RDONLY);
if (fd < 0) {
@@ -164,16 +164,16 @@
return a->len == b_len && OPENSSL_memcmp(a->data, b, b_len) == 0;
}
-/* STRING_PIECE_split finds the first occurence of |sep| in |in| and, if found,
- * sets |*out_left| and |*out_right| to |in| split before and after it. It
- * returns one if |sep| was found and zero otherwise. */
+// STRING_PIECE_split finds the first occurence of |sep| in |in| and, if found,
+// sets |*out_left| and |*out_right| to |in| split before and after it. It
+// returns one if |sep| was found and zero otherwise.
static int STRING_PIECE_split(STRING_PIECE *out_left, STRING_PIECE *out_right,
const STRING_PIECE *in, char sep) {
const char *p = OPENSSL_memchr(in->data, sep, in->len);
if (p == NULL) {
return 0;
}
- /* |out_left| or |out_right| may alias |in|, so make a copy. */
+ // |out_left| or |out_right| may alias |in|, so make a copy.
STRING_PIECE in_copy = *in;
out_left->data = in_copy.data;
out_left->len = p - in_copy.data;
@@ -182,7 +182,7 @@
return 1;
}
-/* STRING_PIECE_trim removes leading and trailing whitespace from |s|. */
+// STRING_PIECE_trim removes leading and trailing whitespace from |s|.
static void STRING_PIECE_trim(STRING_PIECE *s) {
while (s->len != 0 && (s->data[0] == ' ' || s->data[0] == '\t')) {
s->data++;
@@ -194,12 +194,12 @@
}
}
-/* extract_cpuinfo_field extracts a /proc/cpuinfo field named |field| from
- * |in|. If found, it sets |*out| to the value and returns one. Otherwise, it
- * returns zero. */
+// extract_cpuinfo_field extracts a /proc/cpuinfo field named |field| from
+// |in|. If found, it sets |*out| to the value and returns one. Otherwise, it
+// returns zero.
static int extract_cpuinfo_field(STRING_PIECE *out, const STRING_PIECE *in,
const char *field) {
- /* Process |in| one line at a time. */
+ // Process |in| one line at a time.
STRING_PIECE remaining = *in, line;
while (STRING_PIECE_split(&line, &remaining, &remaining, '\n')) {
STRING_PIECE key, value;
@@ -224,8 +224,8 @@
STRING_PIECE_equals(&extracted, value);
}
-/* has_list_item treats |list| as a space-separated list of items and returns
- * one if |item| is contained in |list| and zero otherwise. */
+// has_list_item treats |list| as a space-separated list of items and returns
+// one if |item| is contained in |list| and zero otherwise.
static int has_list_item(const STRING_PIECE *list, const char *item) {
STRING_PIECE remaining = *list, feature;
while (STRING_PIECE_split(&feature, &remaining, &remaining, ' ')) {
@@ -238,11 +238,11 @@
static unsigned long get_hwcap_cpuinfo(const STRING_PIECE *cpuinfo) {
if (cpuinfo_field_equals(cpuinfo, "CPU architecture", "8")) {
- /* This is a 32-bit ARM binary running on a 64-bit kernel. NEON is always
- * available on ARMv8. Linux omits required features, so reading the
- * "Features" line does not work. (For simplicity, use strict equality. We
- * assume everything running on future ARM architectures will have a
- * working |getauxval|.) */
+ // This is a 32-bit ARM binary running on a 64-bit kernel. NEON is always
+ // available on ARMv8. Linux omits required features, so reading the
+ // "Features" line does not work. (For simplicity, use strict equality. We
+ // assume everything running on future ARM architectures will have a
+ // working |getauxval|.)
return HWCAP_NEON;
}
@@ -276,8 +276,8 @@
return ret;
}
-/* has_broken_neon returns one if |in| matches a CPU known to have a broken
- * NEON unit. See https://crbug.com/341598. */
+// has_broken_neon returns one if |in| matches a CPU known to have a broken
+// NEON unit. See https://crbug.com/341598.
static int has_broken_neon(const STRING_PIECE *cpuinfo) {
return cpuinfo_field_equals(cpuinfo, "CPU implementer", "0x51") &&
cpuinfo_field_equals(cpuinfo, "CPU architecture", "7") &&
@@ -300,13 +300,13 @@
cpuinfo.data = cpuinfo_data;
cpuinfo.len = cpuinfo_len;
- /* |getauxval| is not available on Android until API level 20. If it is
- * unavailable, read from /proc/self/auxv as a fallback. This is unreadable
- * on some versions of Android, so further fall back to /proc/cpuinfo.
- *
- * See
- * https://android.googlesource.com/platform/ndk/+/882ac8f3392858991a0e1af33b4b7387ec856bd2
- * and b/13679666 (Google-internal) for details. */
+ // |getauxval| is not available on Android until API level 20. If it is
+ // unavailable, read from /proc/self/auxv as a fallback. This is unreadable
+ // on some versions of Android, so further fall back to /proc/cpuinfo.
+ //
+ // See
+ // https://android.googlesource.com/platform/ndk/+/882ac8f3392858991a0e1af33b4b7387ec856bd2
+ // and b/13679666 (Google-internal) for details.
unsigned long hwcap = 0;
if (getauxval != NULL) {
hwcap = getauxval(AT_HWCAP);
@@ -318,18 +318,18 @@
hwcap = get_hwcap_cpuinfo(&cpuinfo);
}
- /* Clear NEON support if known broken. */
+ // Clear NEON support if known broken.
g_has_broken_neon = has_broken_neon(&cpuinfo);
if (g_has_broken_neon) {
hwcap &= ~HWCAP_NEON;
}
- /* Matching OpenSSL, only report other features if NEON is present. */
+ // Matching OpenSSL, only report other features if NEON is present.
if (hwcap & HWCAP_NEON) {
OPENSSL_armcap_P |= ARMV7_NEON;
- /* Some ARMv8 Android devices don't expose AT_HWCAP2. Fall back to
- * /proc/cpuinfo. See https://crbug.com/596156. */
+ // Some ARMv8 Android devices don't expose AT_HWCAP2. Fall back to
+ // /proc/cpuinfo. See https://crbug.com/596156.
unsigned long hwcap2 = 0;
if (getauxval != NULL) {
hwcap2 = getauxval(AT_HWCAP2);
@@ -357,4 +357,4 @@
int CRYPTO_has_broken_NEON(void) { return g_has_broken_neon; }
-#endif /* OPENSSL_ARM && !OPENSSL_STATIC_ARMCAP */
+#endif // OPENSSL_ARM && !OPENSSL_STATIC_ARMCAP
diff --git a/crypto/cpu-intel.c b/crypto/cpu-intel.c
index 0100089..127fa57 100644
--- a/crypto/cpu-intel.c
+++ b/crypto/cpu-intel.c
@@ -78,9 +78,9 @@
#include "internal.h"
-/* OPENSSL_cpuid runs the cpuid instruction. |leaf| is passed in as EAX and ECX
- * is set to zero. It writes EAX, EBX, ECX, and EDX to |*out_eax| through
- * |*out_edx|. */
+// OPENSSL_cpuid runs the cpuid instruction. |leaf| is passed in as EAX and ECX
+// is set to zero. It writes EAX, EBX, ECX, and EDX to |*out_eax| through
+// |*out_edx|.
static void OPENSSL_cpuid(uint32_t *out_eax, uint32_t *out_ebx,
uint32_t *out_ecx, uint32_t *out_edx, uint32_t leaf) {
#if defined(_MSC_VER)
@@ -91,8 +91,8 @@
*out_ecx = (uint32_t)tmp[2];
*out_edx = (uint32_t)tmp[3];
#elif defined(__pic__) && defined(OPENSSL_32_BIT)
- /* Inline assembly may not clobber the PIC register. For 32-bit, this is EBX.
- * See https://gcc.gnu.org/bugzilla/show_bug.cgi?id=47602. */
+ // Inline assembly may not clobber the PIC register. For 32-bit, this is EBX.
+ // See https://gcc.gnu.org/bugzilla/show_bug.cgi?id=47602.
__asm__ volatile (
"xor %%ecx, %%ecx\n"
"mov %%ebx, %%edi\n"
@@ -111,8 +111,8 @@
#endif
}
-/* OPENSSL_xgetbv returns the value of an Intel Extended Control Register (XCR).
- * Currently only XCR0 is defined by Intel so |xcr| should always be zero. */
+// OPENSSL_xgetbv returns the value of an Intel Extended Control Register (XCR).
+// Currently only XCR0 is defined by Intel so |xcr| should always be zero.
static uint64_t OPENSSL_xgetbv(uint32_t xcr) {
#if defined(_MSC_VER)
return (uint64_t)_xgetbv(xcr);
@@ -123,8 +123,8 @@
#endif
}
-/* handle_cpu_env applies the value from |in| to the CPUID values in |out[0]|
- * and |out[1]|. See the comment in |OPENSSL_cpuid_setup| about this. */
+// handle_cpu_env applies the value from |in| to the CPUID values in |out[0]|
+// and |out[1]|. See the comment in |OPENSSL_cpuid_setup| about this.
static void handle_cpu_env(uint32_t *out, const char *in) {
const int invert = in[0] == '~';
uint64_t v;
@@ -143,7 +143,7 @@
}
void OPENSSL_cpuid_setup(void) {
- /* Determine the vendor and maximum input value. */
+ // Determine the vendor and maximum input value.
uint32_t eax, ebx, ecx, edx;
OPENSSL_cpuid(&eax, &ebx, &ecx, &edx, 0);
@@ -158,8 +158,8 @@
int has_amd_xop = 0;
if (is_amd) {
- /* AMD-specific logic.
- * See http://developer.amd.com/wordpress/media/2012/10/254811.pdf */
+ // AMD-specific logic.
+ // See http://developer.amd.com/wordpress/media/2012/10/254811.pdf
OPENSSL_cpuid(&eax, &ebx, &ecx, &edx, 0x80000000);
uint32_t num_extended_ids = eax;
if (num_extended_ids >= 0x80000001) {
@@ -176,23 +176,23 @@
extended_features = ebx;
}
- /* Determine the number of cores sharing an L1 data cache to adjust the
- * hyper-threading bit. */
+ // Determine the number of cores sharing an L1 data cache to adjust the
+ // hyper-threading bit.
uint32_t cores_per_cache = 0;
if (is_amd) {
- /* AMD CPUs never share an L1 data cache between threads but do set the HTT
- * bit on multi-core CPUs. */
+ // AMD CPUs never share an L1 data cache between threads but do set the HTT
+ // bit on multi-core CPUs.
cores_per_cache = 1;
} else if (num_ids >= 4) {
- /* TODO(davidben): The Intel manual says this CPUID leaf enumerates all
- * caches using ECX and doesn't say which is first. Does this matter? */
+ // TODO(davidben): The Intel manual says this CPUID leaf enumerates all
+ // caches using ECX and doesn't say which is first. Does this matter?
OPENSSL_cpuid(&eax, &ebx, &ecx, &edx, 4);
cores_per_cache = 1 + ((eax >> 14) & 0xfff);
}
OPENSSL_cpuid(&eax, &ebx, &ecx, &edx, 1);
- /* Adjust the hyper-threading bit. */
+ // Adjust the hyper-threading bit.
if (edx & (1 << 28)) {
uint32_t num_logical_cores = (ebx >> 16) & 0xff;
if (cores_per_cache == 1 || num_logical_cores <= 1) {
@@ -200,17 +200,17 @@
}
}
- /* Reserved bit #20 was historically repurposed to control the in-memory
- * representation of RC4 state. Always set it to zero. */
+ // Reserved bit #20 was historically repurposed to control the in-memory
+ // representation of RC4 state. Always set it to zero.
edx &= ~(1 << 20);
- /* Reserved bit #30 is repurposed to signal an Intel CPU. */
+ // Reserved bit #30 is repurposed to signal an Intel CPU.
if (is_intel) {
edx |= (1 << 30);
- /* Clear the XSAVE bit on Knights Landing to mimic Silvermont. This enables
- * some Silvermont-specific codepaths which perform better. See OpenSSL
- * commit 64d92d74985ebb3d0be58a9718f9e080a14a8e7f. */
+ // Clear the XSAVE bit on Knights Landing to mimic Silvermont. This enables
+ // some Silvermont-specific codepaths which perform better. See OpenSSL
+ // commit 64d92d74985ebb3d0be58a9718f9e080a14a8e7f.
if ((eax & 0x0fff0ff0) == 0x00050670 /* Knights Landing */ ||
(eax & 0x0fff0ff0) == 0x00080650 /* Knights Mill (per SDE) */) {
ecx &= ~(1 << 26);
@@ -219,7 +219,7 @@
edx &= ~(1 << 30);
}
- /* The SDBG bit is repurposed to denote AMD XOP support. */
+ // The SDBG bit is repurposed to denote AMD XOP support.
if (has_amd_xop) {
ecx |= (1 << 11);
} else {
@@ -228,31 +228,31 @@
uint64_t xcr0 = 0;
if (ecx & (1 << 27)) {
- /* XCR0 may only be queried if the OSXSAVE bit is set. */
+ // XCR0 may only be queried if the OSXSAVE bit is set.
xcr0 = OPENSSL_xgetbv(0);
}
- /* See Intel manual, volume 1, section 14.3. */
+ // See Intel manual, volume 1, section 14.3.
if ((xcr0 & 6) != 6) {
- /* YMM registers cannot be used. */
- ecx &= ~(1 << 28); /* AVX */
- ecx &= ~(1 << 12); /* FMA */
- ecx &= ~(1 << 11); /* AMD XOP */
- /* Clear AVX2 and AVX512* bits.
- *
- * TODO(davidben): Should bits 17 and 26-28 also be cleared? Upstream
- * doesn't clear those. */
+ // YMM registers cannot be used.
+ ecx &= ~(1 << 28); // AVX
+ ecx &= ~(1 << 12); // FMA
+ ecx &= ~(1 << 11); // AMD XOP
+ // Clear AVX2 and AVX512* bits.
+ //
+ // TODO(davidben): Should bits 17 and 26-28 also be cleared? Upstream
+ // doesn't clear those.
extended_features &=
~((1 << 5) | (1 << 16) | (1 << 21) | (1 << 30) | (1 << 31));
}
- /* See Intel manual, volume 1, section 15.2. */
+ // See Intel manual, volume 1, section 15.2.
if ((xcr0 & 0xe6) != 0xe6) {
- /* Clear AVX512F. Note we don't touch other AVX512 extensions because they
- * can be used with YMM. */
+ // Clear AVX512F. Note we don't touch other AVX512 extensions because they
+ // can be used with YMM.
extended_features &= ~(1 << 16);
}
- /* Disable ADX instructions on Knights Landing. See OpenSSL commit
- * 64d92d74985ebb3d0be58a9718f9e080a14a8e7f. */
+ // Disable ADX instructions on Knights Landing. See OpenSSL commit
+ // 64d92d74985ebb3d0be58a9718f9e080a14a8e7f.
if ((ecx & (1 << 26)) == 0) {
extended_features &= ~(1 << 19);
}
@@ -268,15 +268,15 @@
return;
}
- /* OPENSSL_ia32cap can contain zero, one or two values, separated with a ':'.
- * Each value is a 64-bit, unsigned value which may start with "0x" to
- * indicate a hex value. Prior to the 64-bit value, a '~' may be given.
- *
- * If '~' isn't present, then the value is taken as the result of the CPUID.
- * Otherwise the value is inverted and ANDed with the probed CPUID result.
- *
- * The first value determines OPENSSL_ia32cap_P[0] and [1]. The second [2]
- * and [3]. */
+ // OPENSSL_ia32cap can contain zero, one or two values, separated with a ':'.
+ // Each value is a 64-bit, unsigned value which may start with "0x" to
+ // indicate a hex value. Prior to the 64-bit value, a '~' may be given.
+ //
+ // If '~' isn't present, then the value is taken as the result of the CPUID.
+ // Otherwise the value is inverted and ANDed with the probed CPUID result.
+ //
+ // The first value determines OPENSSL_ia32cap_P[0] and [1]. The second [2]
+ // and [3].
handle_cpu_env(&OPENSSL_ia32cap_P[0], env1);
env2 = strchr(env1, ':');
@@ -285,4 +285,4 @@
}
}
-#endif /* !OPENSSL_NO_ASM && (OPENSSL_X86 || OPENSSL_X86_64) */
+#endif // !OPENSSL_NO_ASM && (OPENSSL_X86 || OPENSSL_X86_64)
diff --git a/crypto/cpu-ppc64le.c b/crypto/cpu-ppc64le.c
index 54571bd..6cc8aee 100644
--- a/crypto/cpu-ppc64le.c
+++ b/crypto/cpu-ppc64le.c
@@ -22,8 +22,8 @@
#if !defined(PPC_FEATURE2_HAS_VCRYPTO)
-/* PPC_FEATURE2_HAS_VCRYPTO was taken from section 4.1.2.3 of the “OpenPOWER
- * ABI for Linux Supplement”. */
+// PPC_FEATURE2_HAS_VCRYPTO was taken from section 4.1.2.3 of the “OpenPOWER
+// ABI for Linux Supplement”.
#define PPC_FEATURE2_HAS_VCRYPTO 0x02000000
#endif
@@ -35,4 +35,4 @@
return (OPENSSL_ppc64le_hwcap2 & PPC_FEATURE2_HAS_VCRYPTO) != 0;
}
-#endif /* OPENSSL_PPC64LE */
+#endif // OPENSSL_PPC64LE
diff --git a/crypto/crypto.c b/crypto/crypto.c
index f74ef66..aee3521 100644
--- a/crypto/crypto.c
+++ b/crypto/crypto.c
@@ -23,14 +23,14 @@
(defined(OPENSSL_X86) || defined(OPENSSL_X86_64) || \
defined(OPENSSL_ARM) || defined(OPENSSL_AARCH64) || \
defined(OPENSSL_PPC64LE))
-/* x86, x86_64, the ARMs and ppc64le need to record the result of a
- * cpuid/getauxval call for the asm to work correctly, unless compiled without
- * asm code. */
+// x86, x86_64, the ARMs and ppc64le need to record the result of a
+// cpuid/getauxval call for the asm to work correctly, unless compiled without
+// asm code.
#define NEED_CPUID
#else
-/* Otherwise, don't emit a static initialiser. */
+// Otherwise, don't emit a static initialiser.
#if !defined(BORINGSSL_NO_STATIC_INITIALIZER)
#define BORINGSSL_NO_STATIC_INITIALIZER
@@ -40,23 +40,23 @@
OPENSSL_ARM || OPENSSL_AARCH64) */
-/* The capability variables are defined in this file in order to work around a
- * linker bug. When linking with a .a, if no symbols in a .o are referenced
- * then the .o is discarded, even if it has constructor functions.
- *
- * This still means that any binaries that don't include some functionality
- * that tests the capability values will still skip the constructor but, so
- * far, the init constructor function only sets the capability variables. */
+// The capability variables are defined in this file in order to work around a
+// linker bug. When linking with a .a, if no symbols in a .o are referenced
+// then the .o is discarded, even if it has constructor functions.
+//
+// This still means that any binaries that don't include some functionality
+// that tests the capability values will still skip the constructor but, so
+// far, the init constructor function only sets the capability variables.
#if defined(OPENSSL_X86) || defined(OPENSSL_X86_64)
-/* This value must be explicitly initialised to zero in order to work around a
- * bug in libtool or the linker on OS X.
- *
- * If not initialised then it becomes a "common symbol". When put into an
- * archive, linking on OS X will fail to resolve common symbols. By
- * initialising it to zero, it becomes a "data symbol", which isn't so
- * affected. */
+// This value must be explicitly initialised to zero in order to work around a
+// bug in libtool or the linker on OS X.
+//
+// If not initialised then it becomes a "common symbol". When put into an
+// archive, linking on OS X will fail to resolve common symbols. By
+// initialising it to zero, it becomes a "data symbol", which isn't so
+// affected.
uint32_t OPENSSL_ia32cap_P[4] = {0};
#elif defined(OPENSSL_PPC64LE)
@@ -94,8 +94,8 @@
#endif
#if defined(BORINGSSL_FIPS)
-/* In FIPS mode, the power-on self-test function calls |CRYPTO_library_init|
- * because we have to ensure that CPUID detection occurs first. */
+// In FIPS mode, the power-on self-test function calls |CRYPTO_library_init|
+// because we have to ensure that CPUID detection occurs first.
#define BORINGSSL_NO_STATIC_INITIALIZER
#endif
@@ -116,21 +116,21 @@
static void do_library_init(void) __attribute__ ((constructor));
#endif
-/* do_library_init is the actual initialization function. If
- * BORINGSSL_NO_STATIC_INITIALIZER isn't defined, this is set as a static
- * initializer. Otherwise, it is called by CRYPTO_library_init. */
+// do_library_init is the actual initialization function. If
+// BORINGSSL_NO_STATIC_INITIALIZER isn't defined, this is set as a static
+// initializer. Otherwise, it is called by CRYPTO_library_init.
static void OPENSSL_CDECL do_library_init(void) {
- /* WARNING: this function may only configure the capability variables. See the
- * note above about the linker bug. */
+ // WARNING: this function may only configure the capability variables. See the
+ // note above about the linker bug.
#if defined(NEED_CPUID)
OPENSSL_cpuid_setup();
#endif
}
void CRYPTO_library_init(void) {
- /* TODO(davidben): It would be tidier if this build knob could be replaced
- * with an internal lazy-init mechanism that would handle things correctly
- * in-library. https://crbug.com/542879 */
+ // TODO(davidben): It would be tidier if this build knob could be replaced
+ // with an internal lazy-init mechanism that would handle things correctly
+ // in-library. https://crbug.com/542879
#if defined(BORINGSSL_NO_STATIC_INITIALIZER)
CRYPTO_once(&once, do_library_init);
#endif
diff --git a/crypto/curve25519/curve25519.c b/crypto/curve25519/curve25519.c
index c91e78e..e49a8b3 100644
--- a/crypto/curve25519/curve25519.c
+++ b/crypto/curve25519/curve25519.c
@@ -12,12 +12,12 @@
* OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN
* CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. */
-/* This code is mostly taken from the ref10 version of Ed25519 in SUPERCOP
- * 20141124 (http://bench.cr.yp.to/supercop.html). That code is released as
- * public domain but this file has the ISC license just to keep licencing
- * simple.
- *
- * The field functions are shared by Ed25519 and X25519 where possible. */
+// This code is mostly taken from the ref10 version of Ed25519 in SUPERCOP
+// 20141124 (http://bench.cr.yp.to/supercop.html). That code is released as
+// public domain but this file has the ISC license just to keep licencing
+// simple.
+//
+// The field functions are shared by Ed25519 and X25519 where possible.
#include <openssl/curve25519.h>
@@ -55,7 +55,7 @@
}
static void fe_frombytes(fe h, const uint8_t *s) {
- /* Ignores top bit of h. */
+ // Ignores top bit of h.
int64_t h0 = load_4(s);
int64_t h1 = load_3(s + 4) << 6;
int64_t h2 = load_3(s + 7) << 5;
@@ -101,28 +101,28 @@
h[9] = h9;
}
-/* Preconditions:
- * |h| bounded by 1.1*2^26,1.1*2^25,1.1*2^26,1.1*2^25,etc.
- *
- * Write p=2^255-19; q=floor(h/p).
- * Basic claim: q = floor(2^(-255)(h + 19 2^(-25)h9 + 2^(-1))).
- *
- * Proof:
- * Have |h|<=p so |q|<=1 so |19^2 2^(-255) q|<1/4.
- * Also have |h-2^230 h9|<2^231 so |19 2^(-255)(h-2^230 h9)|<1/4.
- *
- * Write y=2^(-1)-19^2 2^(-255)q-19 2^(-255)(h-2^230 h9).
- * Then 0<y<1.
- *
- * Write r=h-pq.
- * Have 0<=r<=p-1=2^255-20.
- * Thus 0<=r+19(2^-255)r<r+19(2^-255)2^255<=2^255-1.
- *
- * Write x=r+19(2^-255)r+y.
- * Then 0<x<2^255 so floor(2^(-255)x) = 0 so floor(q+2^(-255)x) = q.
- *
- * Have q+2^(-255)x = 2^(-255)(h + 19 2^(-25) h9 + 2^(-1))
- * so floor(2^(-255)(h + 19 2^(-25) h9 + 2^(-1))) = q. */
+// Preconditions:
+// |h| bounded by 1.1*2^26,1.1*2^25,1.1*2^26,1.1*2^25,etc.
+//
+// Write p=2^255-19; q=floor(h/p).
+// Basic claim: q = floor(2^(-255)(h + 19 2^(-25)h9 + 2^(-1))).
+//
+// Proof:
+// Have |h|<=p so |q|<=1 so |19^2 2^(-255) q|<1/4.
+// Also have |h-2^230 h9|<2^231 so |19 2^(-255)(h-2^230 h9)|<1/4.
+//
+// Write y=2^(-1)-19^2 2^(-255)q-19 2^(-255)(h-2^230 h9).
+// Then 0<y<1.
+//
+// Write r=h-pq.
+// Have 0<=r<=p-1=2^255-20.
+// Thus 0<=r+19(2^-255)r<r+19(2^-255)2^255<=2^255-1.
+//
+// Write x=r+19(2^-255)r+y.
+// Then 0<x<2^255 so floor(2^(-255)x) = 0 so floor(q+2^(-255)x) = q.
+//
+// Have q+2^(-255)x = 2^(-255)(h + 19 2^(-25) h9 + 2^(-1))
+// so floor(2^(-255)(h + 19 2^(-25) h9 + 2^(-1))) = q.
static void fe_tobytes(uint8_t *s, const fe h) {
int32_t h0 = h[0];
int32_t h1 = h[1];
@@ -148,9 +148,9 @@
q = (h8 + q) >> 26;
q = (h9 + q) >> 25;
- /* Goal: Output h-(2^255-19)q, which is between 0 and 2^255-20. */
+ // Goal: Output h-(2^255-19)q, which is between 0 and 2^255-20.
h0 += 19 * q;
- /* Goal: Output h-2^255 q, which is between 0 and 2^255-20. */
+ // Goal: Output h-2^255 q, which is between 0 and 2^255-20.
h1 += h0 >> 26; h0 &= kBottom26Bits;
h2 += h1 >> 25; h1 &= kBottom25Bits;
@@ -162,12 +162,12 @@
h8 += h7 >> 25; h7 &= kBottom25Bits;
h9 += h8 >> 26; h8 &= kBottom26Bits;
h9 &= kBottom25Bits;
- /* h10 = carry9 */
+ // h10 = carry9
- /* Goal: Output h0+...+2^255 h10-2^255 q, which is between 0 and 2^255-20.
- * Have h0+...+2^230 h9 between 0 and 2^255-1;
- * evidently 2^255 h10-2^255 q = 0.
- * Goal: Output h0+...+2^230 h9. */
+ // Goal: Output h0+...+2^255 h10-2^255 q, which is between 0 and 2^255-20.
+ // Have h0+...+2^230 h9 between 0 and 2^255-1;
+ // evidently 2^255 h10-2^255 q = 0.
+ // Goal: Output h0+...+2^230 h9.
s[0] = h0 >> 0;
s[1] = h0 >> 8;
@@ -203,29 +203,29 @@
s[31] = h9 >> 18;
}
-/* h = f */
+// h = f
static void fe_copy(fe h, const fe f) {
OPENSSL_memmove(h, f, sizeof(int32_t) * 10);
}
-/* h = 0 */
+// h = 0
static void fe_0(fe h) { OPENSSL_memset(h, 0, sizeof(int32_t) * 10); }
-/* h = 1 */
+// h = 1
static void fe_1(fe h) {
OPENSSL_memset(h, 0, sizeof(int32_t) * 10);
h[0] = 1;
}
-/* h = f + g
- * Can overlap h with f or g.
- *
- * Preconditions:
- * |f| bounded by 1.1*2^25,1.1*2^24,1.1*2^25,1.1*2^24,etc.
- * |g| bounded by 1.1*2^25,1.1*2^24,1.1*2^25,1.1*2^24,etc.
- *
- * Postconditions:
- * |h| bounded by 1.1*2^26,1.1*2^25,1.1*2^26,1.1*2^25,etc. */
+// h = f + g
+// Can overlap h with f or g.
+//
+// Preconditions:
+// |f| bounded by 1.1*2^25,1.1*2^24,1.1*2^25,1.1*2^24,etc.
+// |g| bounded by 1.1*2^25,1.1*2^24,1.1*2^25,1.1*2^24,etc.
+//
+// Postconditions:
+// |h| bounded by 1.1*2^26,1.1*2^25,1.1*2^26,1.1*2^25,etc.
static void fe_add(fe h, const fe f, const fe g) {
unsigned i;
for (i = 0; i < 10; i++) {
@@ -233,15 +233,15 @@
}
}
-/* h = f - g
- * Can overlap h with f or g.
- *
- * Preconditions:
- * |f| bounded by 1.1*2^25,1.1*2^24,1.1*2^25,1.1*2^24,etc.
- * |g| bounded by 1.1*2^25,1.1*2^24,1.1*2^25,1.1*2^24,etc.
- *
- * Postconditions:
- * |h| bounded by 1.1*2^26,1.1*2^25,1.1*2^26,1.1*2^25,etc. */
+// h = f - g
+// Can overlap h with f or g.
+//
+// Preconditions:
+// |f| bounded by 1.1*2^25,1.1*2^24,1.1*2^25,1.1*2^24,etc.
+// |g| bounded by 1.1*2^25,1.1*2^24,1.1*2^25,1.1*2^24,etc.
+//
+// Postconditions:
+// |h| bounded by 1.1*2^26,1.1*2^25,1.1*2^26,1.1*2^25,etc.
static void fe_sub(fe h, const fe f, const fe g) {
unsigned i;
for (i = 0; i < 10; i++) {
@@ -249,33 +249,33 @@
}
}
-/* h = f * g
- * Can overlap h with f or g.
- *
- * Preconditions:
- * |f| bounded by 1.65*2^26,1.65*2^25,1.65*2^26,1.65*2^25,etc.
- * |g| bounded by 1.65*2^26,1.65*2^25,1.65*2^26,1.65*2^25,etc.
- *
- * Postconditions:
- * |h| bounded by 1.01*2^25,1.01*2^24,1.01*2^25,1.01*2^24,etc.
- *
- * Notes on implementation strategy:
- *
- * Using schoolbook multiplication.
- * Karatsuba would save a little in some cost models.
- *
- * Most multiplications by 2 and 19 are 32-bit precomputations;
- * cheaper than 64-bit postcomputations.
- *
- * There is one remaining multiplication by 19 in the carry chain;
- * one *19 precomputation can be merged into this,
- * but the resulting data flow is considerably less clean.
- *
- * There are 12 carries below.
- * 10 of them are 2-way parallelizable and vectorizable.
- * Can get away with 11 carries, but then data flow is much deeper.
- *
- * With tighter constraints on inputs can squeeze carries into int32. */
+// h = f * g
+// Can overlap h with f or g.
+//
+// Preconditions:
+// |f| bounded by 1.65*2^26,1.65*2^25,1.65*2^26,1.65*2^25,etc.
+// |g| bounded by 1.65*2^26,1.65*2^25,1.65*2^26,1.65*2^25,etc.
+//
+// Postconditions:
+// |h| bounded by 1.01*2^25,1.01*2^24,1.01*2^25,1.01*2^24,etc.
+//
+// Notes on implementation strategy:
+//
+// Using schoolbook multiplication.
+// Karatsuba would save a little in some cost models.
+//
+// Most multiplications by 2 and 19 are 32-bit precomputations;
+// cheaper than 64-bit postcomputations.
+//
+// There is one remaining multiplication by 19 in the carry chain;
+// one *19 precomputation can be merged into this,
+// but the resulting data flow is considerably less clean.
+//
+// There are 12 carries below.
+// 10 of them are 2-way parallelizable and vectorizable.
+// Can get away with 11 carries, but then data flow is much deeper.
+//
+// With tighter constraints on inputs can squeeze carries into int32.
static void fe_mul(fe h, const fe f, const fe g) {
int32_t f0 = f[0];
int32_t f1 = f[1];
@@ -297,8 +297,8 @@
int32_t g7 = g[7];
int32_t g8 = g[8];
int32_t g9 = g[9];
- int32_t g1_19 = 19 * g1; /* 1.959375*2^29 */
- int32_t g2_19 = 19 * g2; /* 1.959375*2^30; still ok */
+ int32_t g1_19 = 19 * g1; // 1.959375*2^29
+ int32_t g2_19 = 19 * g2; // 1.959375*2^30; still ok
int32_t g3_19 = 19 * g3;
int32_t g4_19 = 19 * g4;
int32_t g5_19 = 19 * g5;
@@ -432,53 +432,53 @@
int64_t carry8;
int64_t carry9;
- /* |h0| <= (1.65*1.65*2^52*(1+19+19+19+19)+1.65*1.65*2^50*(38+38+38+38+38))
- * i.e. |h0| <= 1.4*2^60; narrower ranges for h2, h4, h6, h8
- * |h1| <= (1.65*1.65*2^51*(1+1+19+19+19+19+19+19+19+19))
- * i.e. |h1| <= 1.7*2^59; narrower ranges for h3, h5, h7, h9 */
+ // |h0| <= (1.65*1.65*2^52*(1+19+19+19+19)+1.65*1.65*2^50*(38+38+38+38+38))
+ // i.e. |h0| <= 1.4*2^60; narrower ranges for h2, h4, h6, h8
+ // |h1| <= (1.65*1.65*2^51*(1+1+19+19+19+19+19+19+19+19))
+ // i.e. |h1| <= 1.7*2^59; narrower ranges for h3, h5, h7, h9
carry0 = h0 + (1 << 25); h1 += carry0 >> 26; h0 -= carry0 & kTop38Bits;
carry4 = h4 + (1 << 25); h5 += carry4 >> 26; h4 -= carry4 & kTop38Bits;
- /* |h0| <= 2^25 */
- /* |h4| <= 2^25 */
- /* |h1| <= 1.71*2^59 */
- /* |h5| <= 1.71*2^59 */
+ // |h0| <= 2^25
+ // |h4| <= 2^25
+ // |h1| <= 1.71*2^59
+ // |h5| <= 1.71*2^59
carry1 = h1 + (1 << 24); h2 += carry1 >> 25; h1 -= carry1 & kTop39Bits;
carry5 = h5 + (1 << 24); h6 += carry5 >> 25; h5 -= carry5 & kTop39Bits;
- /* |h1| <= 2^24; from now on fits into int32 */
- /* |h5| <= 2^24; from now on fits into int32 */
- /* |h2| <= 1.41*2^60 */
- /* |h6| <= 1.41*2^60 */
+ // |h1| <= 2^24; from now on fits into int32
+ // |h5| <= 2^24; from now on fits into int32
+ // |h2| <= 1.41*2^60
+ // |h6| <= 1.41*2^60
carry2 = h2 + (1 << 25); h3 += carry2 >> 26; h2 -= carry2 & kTop38Bits;
carry6 = h6 + (1 << 25); h7 += carry6 >> 26; h6 -= carry6 & kTop38Bits;
- /* |h2| <= 2^25; from now on fits into int32 unchanged */
- /* |h6| <= 2^25; from now on fits into int32 unchanged */
- /* |h3| <= 1.71*2^59 */
- /* |h7| <= 1.71*2^59 */
+ // |h2| <= 2^25; from now on fits into int32 unchanged
+ // |h6| <= 2^25; from now on fits into int32 unchanged
+ // |h3| <= 1.71*2^59
+ // |h7| <= 1.71*2^59
carry3 = h3 + (1 << 24); h4 += carry3 >> 25; h3 -= carry3 & kTop39Bits;
carry7 = h7 + (1 << 24); h8 += carry7 >> 25; h7 -= carry7 & kTop39Bits;
- /* |h3| <= 2^24; from now on fits into int32 unchanged */
- /* |h7| <= 2^24; from now on fits into int32 unchanged */
- /* |h4| <= 1.72*2^34 */
- /* |h8| <= 1.41*2^60 */
+ // |h3| <= 2^24; from now on fits into int32 unchanged
+ // |h7| <= 2^24; from now on fits into int32 unchanged
+ // |h4| <= 1.72*2^34
+ // |h8| <= 1.41*2^60
carry4 = h4 + (1 << 25); h5 += carry4 >> 26; h4 -= carry4 & kTop38Bits;
carry8 = h8 + (1 << 25); h9 += carry8 >> 26; h8 -= carry8 & kTop38Bits;
- /* |h4| <= 2^25; from now on fits into int32 unchanged */
- /* |h8| <= 2^25; from now on fits into int32 unchanged */
- /* |h5| <= 1.01*2^24 */
- /* |h9| <= 1.71*2^59 */
+ // |h4| <= 2^25; from now on fits into int32 unchanged
+ // |h8| <= 2^25; from now on fits into int32 unchanged
+ // |h5| <= 1.01*2^24
+ // |h9| <= 1.71*2^59
carry9 = h9 + (1 << 24); h0 += (carry9 >> 25) * 19; h9 -= carry9 & kTop39Bits;
- /* |h9| <= 2^24; from now on fits into int32 unchanged */
- /* |h0| <= 1.1*2^39 */
+ // |h9| <= 2^24; from now on fits into int32 unchanged
+ // |h0| <= 1.1*2^39
carry0 = h0 + (1 << 25); h1 += carry0 >> 26; h0 -= carry0 & kTop38Bits;
- /* |h0| <= 2^25; from now on fits into int32 unchanged */
- /* |h1| <= 1.01*2^24 */
+ // |h0| <= 2^25; from now on fits into int32 unchanged
+ // |h1| <= 1.01*2^24
h[0] = h0;
h[1] = h1;
@@ -492,16 +492,16 @@
h[9] = h9;
}
-/* h = f * f
- * Can overlap h with f.
- *
- * Preconditions:
- * |f| bounded by 1.65*2^26,1.65*2^25,1.65*2^26,1.65*2^25,etc.
- *
- * Postconditions:
- * |h| bounded by 1.01*2^25,1.01*2^24,1.01*2^25,1.01*2^24,etc.
- *
- * See fe_mul.c for discussion of implementation strategy. */
+// h = f * f
+// Can overlap h with f.
+//
+// Preconditions:
+// |f| bounded by 1.65*2^26,1.65*2^25,1.65*2^26,1.65*2^25,etc.
+//
+// Postconditions:
+// |h| bounded by 1.01*2^25,1.01*2^24,1.01*2^25,1.01*2^24,etc.
+//
+// See fe_mul.c for discussion of implementation strategy.
static void fe_sq(fe h, const fe f) {
int32_t f0 = f[0];
int32_t f1 = f[1];
@@ -521,11 +521,11 @@
int32_t f5_2 = 2 * f5;
int32_t f6_2 = 2 * f6;
int32_t f7_2 = 2 * f7;
- int32_t f5_38 = 38 * f5; /* 1.959375*2^30 */
- int32_t f6_19 = 19 * f6; /* 1.959375*2^30 */
- int32_t f7_38 = 38 * f7; /* 1.959375*2^30 */
- int32_t f8_19 = 19 * f8; /* 1.959375*2^30 */
- int32_t f9_38 = 38 * f9; /* 1.959375*2^30 */
+ int32_t f5_38 = 38 * f5; // 1.959375*2^30
+ int32_t f6_19 = 19 * f6; // 1.959375*2^30
+ int32_t f7_38 = 38 * f7; // 1.959375*2^30
+ int32_t f8_19 = 19 * f8; // 1.959375*2^30
+ int32_t f9_38 = 38 * f9; // 1.959375*2^30
int64_t f0f0 = f0 * (int64_t) f0;
int64_t f0f1_2 = f0_2 * (int64_t) f1;
int64_t f0f2_2 = f0_2 * (int64_t) f2;
@@ -691,13 +691,13 @@
fe_mul(out, t1, t0);
}
-/* h = -f
- *
- * Preconditions:
- * |f| bounded by 1.1*2^25,1.1*2^24,1.1*2^25,1.1*2^24,etc.
- *
- * Postconditions:
- * |h| bounded by 1.1*2^25,1.1*2^24,1.1*2^25,1.1*2^24,etc. */
+// h = -f
+//
+// Preconditions:
+// |f| bounded by 1.1*2^25,1.1*2^24,1.1*2^25,1.1*2^24,etc.
+//
+// Postconditions:
+// |h| bounded by 1.1*2^25,1.1*2^24,1.1*2^25,1.1*2^24,etc.
static void fe_neg(fe h, const fe f) {
unsigned i;
for (i = 0; i < 10; i++) {
@@ -705,10 +705,10 @@
}
}
-/* Replace (f,g) with (g,g) if b == 1;
- * replace (f,g) with (f,g) if b == 0.
- *
- * Preconditions: b in {0,1}. */
+// Replace (f,g) with (g,g) if b == 1;
+// replace (f,g) with (f,g) if b == 0.
+//
+// Preconditions: b in {0,1}.
static void fe_cmov(fe f, const fe g, unsigned b) {
b = 0-b;
unsigned i;
@@ -719,11 +719,11 @@
}
}
-/* return 0 if f == 0
- * return 1 if f != 0
- *
- * Preconditions:
- * |f| bounded by 1.1*2^26,1.1*2^25,1.1*2^26,1.1*2^25,etc. */
+// return 0 if f == 0
+// return 1 if f != 0
+//
+// Preconditions:
+// |f| bounded by 1.1*2^26,1.1*2^25,1.1*2^26,1.1*2^25,etc.
static int fe_isnonzero(const fe f) {
uint8_t s[32];
fe_tobytes(s, f);
@@ -732,27 +732,27 @@
return CRYPTO_memcmp(s, zero, sizeof(zero)) != 0;
}
-/* return 1 if f is in {1,3,5,...,q-2}
- * return 0 if f is in {0,2,4,...,q-1}
- *
- * Preconditions:
- * |f| bounded by 1.1*2^26,1.1*2^25,1.1*2^26,1.1*2^25,etc. */
+// return 1 if f is in {1,3,5,...,q-2}
+// return 0 if f is in {0,2,4,...,q-1}
+//
+// Preconditions:
+// |f| bounded by 1.1*2^26,1.1*2^25,1.1*2^26,1.1*2^25,etc.
static int fe_isnegative(const fe f) {
uint8_t s[32];
fe_tobytes(s, f);
return s[0] & 1;
}
-/* h = 2 * f * f
- * Can overlap h with f.
- *
- * Preconditions:
- * |f| bounded by 1.65*2^26,1.65*2^25,1.65*2^26,1.65*2^25,etc.
- *
- * Postconditions:
- * |h| bounded by 1.01*2^25,1.01*2^24,1.01*2^25,1.01*2^24,etc.
- *
- * See fe_mul.c for discussion of implementation strategy. */
+// h = 2 * f * f
+// Can overlap h with f.
+//
+// Preconditions:
+// |f| bounded by 1.65*2^26,1.65*2^25,1.65*2^26,1.65*2^25,etc.
+//
+// Postconditions:
+// |h| bounded by 1.01*2^25,1.01*2^24,1.01*2^25,1.01*2^24,etc.
+//
+// See fe_mul.c for discussion of implementation strategy.
static void fe_sq2(fe h, const fe f) {
int32_t f0 = f[0];
int32_t f1 = f[1];
@@ -772,11 +772,11 @@
int32_t f5_2 = 2 * f5;
int32_t f6_2 = 2 * f6;
int32_t f7_2 = 2 * f7;
- int32_t f5_38 = 38 * f5; /* 1.959375*2^30 */
- int32_t f6_19 = 19 * f6; /* 1.959375*2^30 */
- int32_t f7_38 = 38 * f7; /* 1.959375*2^30 */
- int32_t f8_19 = 19 * f8; /* 1.959375*2^30 */
- int32_t f9_38 = 38 * f9; /* 1.959375*2^30 */
+ int32_t f5_38 = 38 * f5; // 1.959375*2^30
+ int32_t f6_19 = 19 * f6; // 1.959375*2^30
+ int32_t f7_38 = 38 * f7; // 1.959375*2^30
+ int32_t f8_19 = 19 * f8; // 1.959375*2^30
+ int32_t f9_38 = 38 * f9; // 1.959375*2^30
int64_t f0f0 = f0 * (int64_t) f0;
int64_t f0f1_2 = f0_2 * (int64_t) f1;
int64_t f0f2_2 = f0_2 * (int64_t) f2;
@@ -993,24 +993,24 @@
fe_1(h->Z);
fe_sq(u, h->Y);
fe_mul(v, u, d);
- fe_sub(u, u, h->Z); /* u = y^2-1 */
- fe_add(v, v, h->Z); /* v = dy^2+1 */
+ fe_sub(u, u, h->Z); // u = y^2-1
+ fe_add(v, v, h->Z); // v = dy^2+1
fe_sq(v3, v);
- fe_mul(v3, v3, v); /* v3 = v^3 */
+ fe_mul(v3, v3, v); // v3 = v^3
fe_sq(h->X, v3);
fe_mul(h->X, h->X, v);
- fe_mul(h->X, h->X, u); /* x = uv^7 */
+ fe_mul(h->X, h->X, u); // x = uv^7
- fe_pow22523(h->X, h->X); /* x = (uv^7)^((q-5)/8) */
+ fe_pow22523(h->X, h->X); // x = (uv^7)^((q-5)/8)
fe_mul(h->X, h->X, v3);
- fe_mul(h->X, h->X, u); /* x = uv^3(uv^7)^((q-5)/8) */
+ fe_mul(h->X, h->X, u); // x = uv^3(uv^7)^((q-5)/8)
fe_sq(vxx, h->X);
fe_mul(vxx, vxx, v);
- fe_sub(check, vxx, u); /* vx^2-u */
+ fe_sub(check, vxx, u); // vx^2-u
if (fe_isnonzero(check)) {
- fe_add(check, vxx, u); /* vx^2+u */
+ fe_add(check, vxx, u); // vx^2+u
if (fe_isnonzero(check)) {
return -1;
}
@@ -1051,7 +1051,7 @@
fe_0(h->xy2d);
}
-/* r = p */
+// r = p
static void ge_p3_to_p2(ge_p2 *r, const ge_p3 *p) {
fe_copy(r->X, p->X);
fe_copy(r->Y, p->Y);
@@ -1061,7 +1061,7 @@
static const fe d2 = {-21827239, -5839606, -30745221, 13898782, 229458,
15978800, -12551817, -6495438, 29715968, 9444199};
-/* r = p */
+// r = p
void x25519_ge_p3_to_cached(ge_cached *r, const ge_p3 *p) {
fe_add(r->YplusX, p->Y, p->X);
fe_sub(r->YminusX, p->Y, p->X);
@@ -1069,14 +1069,14 @@
fe_mul(r->T2d, p->T, d2);
}
-/* r = p */
+// r = p
void x25519_ge_p1p1_to_p2(ge_p2 *r, const ge_p1p1 *p) {
fe_mul(r->X, p->X, p->T);
fe_mul(r->Y, p->Y, p->Z);
fe_mul(r->Z, p->Z, p->T);
}
-/* r = p */
+// r = p
void x25519_ge_p1p1_to_p3(ge_p3 *r, const ge_p1p1 *p) {
fe_mul(r->X, p->X, p->T);
fe_mul(r->Y, p->Y, p->Z);
@@ -1084,14 +1084,14 @@
fe_mul(r->T, p->X, p->Y);
}
-/* r = p */
+// r = p
static void ge_p1p1_to_cached(ge_cached *r, const ge_p1p1 *p) {
ge_p3 t;
x25519_ge_p1p1_to_p3(&t, p);
x25519_ge_p3_to_cached(r, &t);
}
-/* r = 2 * p */
+// r = 2 * p
static void ge_p2_dbl(ge_p1p1 *r, const ge_p2 *p) {
fe t0;
@@ -1106,14 +1106,14 @@
fe_sub(r->T, r->T, r->Z);
}
-/* r = 2 * p */
+// r = 2 * p
static void ge_p3_dbl(ge_p1p1 *r, const ge_p3 *p) {
ge_p2 q;
ge_p3_to_p2(&q, p);
ge_p2_dbl(r, &q);
}
-/* r = p + q */
+// r = p + q
static void ge_madd(ge_p1p1 *r, const ge_p3 *p, const ge_precomp *q) {
fe t0;
@@ -1129,7 +1129,7 @@
fe_sub(r->T, t0, r->T);
}
-/* r = p - q */
+// r = p - q
static void ge_msub(ge_p1p1 *r, const ge_p3 *p, const ge_precomp *q) {
fe t0;
@@ -1145,7 +1145,7 @@
fe_add(r->T, t0, r->T);
}
-/* r = p + q */
+// r = p + q
void x25519_ge_add(ge_p1p1 *r, const ge_p3 *p, const ge_cached *q) {
fe t0;
@@ -1162,7 +1162,7 @@
fe_sub(r->T, t0, r->T);
}
-/* r = p - q */
+// r = p - q
void x25519_ge_sub(ge_p1p1 *r, const ge_p3 *p, const ge_cached *q) {
fe t0;
@@ -1182,10 +1182,10 @@
static uint8_t equal(signed char b, signed char c) {
uint8_t ub = b;
uint8_t uc = c;
- uint8_t x = ub ^ uc; /* 0: yes; 1..255: no */
- uint32_t y = x; /* 0: yes; 1..255: no */
- y -= 1; /* 4294967295: yes; 0..254: no */
- y >>= 31; /* 1: yes; 0: no */
+ uint8_t x = ub ^ uc; // 0: yes; 1..255: no
+ uint32_t y = x; // 0: yes; 1..255: no
+ y -= 1; // 4294967295: yes; 0..254: no
+ y >>= 31; // 1: yes; 0: no
return y;
}
@@ -1197,8 +1197,8 @@
void x25519_ge_scalarmult_small_precomp(
ge_p3 *h, const uint8_t a[32], const uint8_t precomp_table[15 * 2 * 32]) {
- /* precomp_table is first expanded into matching |ge_precomp|
- * elements. */
+ // precomp_table is first expanded into matching |ge_precomp|
+ // elements.
ge_precomp multiples[15];
unsigned i;
@@ -1215,9 +1215,9 @@
fe_mul(out->xy2d, out->xy2d, d2);
}
- /* See the comment above |k25519SmallPrecomp| about the structure of the
- * precomputed elements. This loop does 64 additions and 64 doublings to
- * calculate the result. */
+ // See the comment above |k25519SmallPrecomp| about the structure of the
+ // precomputed elements. This loop does 64 additions and 64 doublings to
+ // calculate the result.
ge_p3_0(h);
for (i = 63; i < 64; i--) {
@@ -1249,14 +1249,14 @@
#if defined(OPENSSL_SMALL)
-/* This block of code replaces the standard base-point table with a much smaller
- * one. The standard table is 30,720 bytes while this one is just 960.
- *
- * This table contains 15 pairs of group elements, (x, y), where each field
- * element is serialised with |fe_tobytes|. If |i| is the index of the group
- * element then consider i+1 as a four-bit number: (i₀, i₁, i₂, i₃) (where i₀
- * is the most significant bit). The value of the group element is then:
- * (i₀×2^192 + i₁×2^128 + i₂×2^64 + i₃)G, where G is the generator. */
+// This block of code replaces the standard base-point table with a much smaller
+// one. The standard table is 30,720 bytes while this one is just 960.
+//
+// This table contains 15 pairs of group elements, (x, y), where each field
+// element is serialised with |fe_tobytes|. If |i| is the index of the group
+// element then consider i+1 as a four-bit number: (i₀, i₁, i₂, i₃) (where i₀
+// is the most significant bit). The value of the group element is then:
+// (i₀×2^192 + i₁×2^128 + i₂×2^64 + i₃)G, where G is the generator.
static const uint8_t k25519SmallPrecomp[15 * 2 * 32] = {
0x1a, 0xd5, 0x25, 0x8f, 0x60, 0x2d, 0x56, 0xc9, 0xb2, 0xa7, 0x25, 0x95,
0x60, 0xc7, 0x2c, 0x69, 0x5c, 0xdc, 0xd6, 0xfd, 0x31, 0xe2, 0xa4, 0xc0,
@@ -1346,7 +1346,7 @@
#else
-/* k25519Precomp[i][j] = (j+1)*256^i*B */
+// k25519Precomp[i][j] = (j+1)*256^i*B
static const ge_precomp k25519Precomp[32][8] = {
{
{
@@ -3464,7 +3464,7 @@
static uint8_t negative(signed char b) {
uint32_t x = b;
- x >>= 31; /* 1: yes; 0: no */
+ x >>= 31; // 1: yes; 0: no
return x;
}
@@ -3488,12 +3488,12 @@
cmov(t, &minust, bnegative);
}
-/* h = a * B
- * where a = a[0]+256*a[1]+...+256^31 a[31]
- * B is the Ed25519 base point (x,4/5) with x positive.
- *
- * Preconditions:
- * a[31] <= 127 */
+// h = a * B
+// where a = a[0]+256*a[1]+...+256^31 a[31]
+// B is the Ed25519 base point (x,4/5) with x positive.
+//
+// Preconditions:
+// a[31] <= 127
void x25519_ge_scalarmult_base(ge_p3 *h, const uint8_t *a) {
signed char e[64];
signed char carry;
@@ -3506,8 +3506,8 @@
e[2 * i + 0] = (a[i] >> 0) & 15;
e[2 * i + 1] = (a[i] >> 4) & 15;
}
- /* each e[i] is between 0 and 15 */
- /* e[63] is between 0 and 7 */
+ // each e[i] is between 0 and 15
+ // e[63] is between 0 and 7
carry = 0;
for (i = 0; i < 63; ++i) {
@@ -3517,7 +3517,7 @@
e[i] -= carry << 4;
}
e[63] += carry;
- /* each e[i] is between -8 and 8 */
+ // each e[i] is between -8 and 8
ge_p3_0(h);
for (i = 1; i < 64; i += 2) {
@@ -3551,8 +3551,8 @@
fe_cmov(t->T2d, u->T2d, b);
}
-/* r = scalar * A.
- * where a = a[0]+256*a[1]+...+256^31 a[31]. */
+// r = scalar * A.
+// where a = a[0]+256*a[1]+...+256^31 a[31].
void x25519_ge_scalarmult(ge_p2 *r, const uint8_t *scalar, const ge_p3 *A) {
ge_p2 Ai_p2[8];
ge_cached Ai[16];
@@ -3706,15 +3706,15 @@
},
};
-/* r = a * A + b * B
- * where a = a[0]+256*a[1]+...+256^31 a[31].
- * and b = b[0]+256*b[1]+...+256^31 b[31].
- * B is the Ed25519 base point (x,4/5) with x positive. */
+// r = a * A + b * B
+// where a = a[0]+256*a[1]+...+256^31 a[31].
+// and b = b[0]+256*b[1]+...+256^31 b[31].
+// B is the Ed25519 base point (x,4/5) with x positive.
static void ge_double_scalarmult_vartime(ge_p2 *r, const uint8_t *a,
const ge_p3 *A, const uint8_t *b) {
signed char aslide[256];
signed char bslide[256];
- ge_cached Ai[8]; /* A,3A,5A,7A,9A,11A,13A,15A */
+ ge_cached Ai[8]; // A,3A,5A,7A,9A,11A,13A,15A
ge_p1p1 t;
ge_p3 u;
ge_p3 A2;
@@ -3779,16 +3779,16 @@
}
}
-/* The set of scalars is \Z/l
- * where l = 2^252 + 27742317777372353535851937790883648493. */
+// The set of scalars is \Z/l
+// where l = 2^252 + 27742317777372353535851937790883648493.
-/* Input:
- * s[0]+256*s[1]+...+256^63*s[63] = s
- *
- * Output:
- * s[0]+256*s[1]+...+256^31*s[31] = s mod l
- * where l = 2^252 + 27742317777372353535851937790883648493.
- * Overwrites s in place. */
+// Input:
+// s[0]+256*s[1]+...+256^63*s[63] = s
+//
+// Output:
+// s[0]+256*s[1]+...+256^31*s[31] = s mod l
+// where l = 2^252 + 27742317777372353535851937790883648493.
+// Overwrites s in place.
void x25519_sc_reduce(uint8_t *s) {
int64_t s0 = 2097151 & load_3(s);
int64_t s1 = 2097151 & (load_4(s + 2) >> 5);
@@ -4122,14 +4122,14 @@
s[31] = s11 >> 17;
}
-/* Input:
- * a[0]+256*a[1]+...+256^31*a[31] = a
- * b[0]+256*b[1]+...+256^31*b[31] = b
- * c[0]+256*c[1]+...+256^31*c[31] = c
- *
- * Output:
- * s[0]+256*s[1]+...+256^31*s[31] = (ab+c) mod l
- * where l = 2^252 + 27742317777372353535851937790883648493. */
+// Input:
+// a[0]+256*a[1]+...+256^31*a[31] = a
+// b[0]+256*b[1]+...+256^31*b[31] = b
+// c[0]+256*c[1]+...+256^31*c[31] = c
+//
+// Output:
+// s[0]+256*s[1]+...+256^31*s[31] = (ab+c) mod l
+// where l = 2^252 + 27742317777372353535851937790883648493.
static void sc_muladd(uint8_t *s, const uint8_t *a, const uint8_t *b,
const uint8_t *c) {
int64_t a0 = 2097151 & load_3(a);
@@ -4716,10 +4716,10 @@
#else
-/* Replace (f,g) with (g,f) if b == 1;
- * replace (f,g) with (f,g) if b == 0.
- *
- * Preconditions: b in {0,1}. */
+// Replace (f,g) with (g,f) if b == 1;
+// replace (f,g) with (f,g) if b == 0.
+//
+// Preconditions: b in {0,1}.
static void fe_cswap(fe f, fe g, unsigned int b) {
b = 0-b;
unsigned i;
@@ -4731,14 +4731,14 @@
}
}
-/* h = f * 121666
- * Can overlap h with f.
- *
- * Preconditions:
- * |f| bounded by 1.1*2^26,1.1*2^25,1.1*2^26,1.1*2^25,etc.
- *
- * Postconditions:
- * |h| bounded by 1.1*2^25,1.1*2^24,1.1*2^25,1.1*2^24,etc. */
+// h = f * 121666
+// Can overlap h with f.
+//
+// Preconditions:
+// |f| bounded by 1.1*2^26,1.1*2^25,1.1*2^26,1.1*2^25,etc.
+//
+// Postconditions:
+// |h| bounded by 1.1*2^25,1.1*2^24,1.1*2^25,1.1*2^24,etc.
static void fe_mul121666(fe h, fe f) {
int32_t f0 = f[0];
int32_t f1 = f[1];
@@ -4858,25 +4858,25 @@
x25519_scalar_mult_generic(out, scalar, point);
}
-#endif /* BORINGSSL_X25519_X86_64 */
+#endif // BORINGSSL_X25519_X86_64
void X25519_keypair(uint8_t out_public_value[32], uint8_t out_private_key[32]) {
RAND_bytes(out_private_key, 32);
- /* All X25519 implementations should decode scalars correctly (see
- * https://tools.ietf.org/html/rfc7748#section-5). However, if an
- * implementation doesn't then it might interoperate with random keys a
- * fraction of the time because they'll, randomly, happen to be correctly
- * formed.
- *
- * Thus we do the opposite of the masking here to make sure that our private
- * keys are never correctly masked and so, hopefully, any incorrect
- * implementations are deterministically broken.
- *
- * This does not affect security because, although we're throwing away
- * entropy, a valid implementation of scalarmult should throw away the exact
- * same bits anyway. */
+ // All X25519 implementations should decode scalars correctly (see
+ // https://tools.ietf.org/html/rfc7748#section-5). However, if an
+ // implementation doesn't then it might interoperate with random keys a
+ // fraction of the time because they'll, randomly, happen to be correctly
+ // formed.
+ //
+ // Thus we do the opposite of the masking here to make sure that our private
+ // keys are never correctly masked and so, hopefully, any incorrect
+ // implementations are deterministically broken.
+ //
+ // This does not affect security because, although we're throwing away
+ // entropy, a valid implementation of scalarmult should throw away the exact
+ // same bits anyway.
out_private_key[0] |= 7;
out_private_key[31] &= 63;
out_private_key[31] |= 128;
@@ -4888,15 +4888,15 @@
const uint8_t peer_public_value[32]) {
static const uint8_t kZeros[32] = {0};
x25519_scalar_mult(out_shared_key, private_key, peer_public_value);
- /* The all-zero output results when the input is a point of small order. */
+ // The all-zero output results when the input is a point of small order.
return CRYPTO_memcmp(kZeros, out_shared_key, 32) != 0;
}
#if defined(BORINGSSL_X25519_X86_64)
-/* When |BORINGSSL_X25519_X86_64| is set, base point multiplication is done with
- * the Montgomery ladder because it's faster. Otherwise it's done using the
- * Ed25519 tables. */
+// When |BORINGSSL_X25519_X86_64| is set, base point multiplication is done with
+// the Montgomery ladder because it's faster. Otherwise it's done using the
+// Ed25519 tables.
void X25519_public_from_private(uint8_t out_public_value[32],
const uint8_t private_key[32]) {
@@ -4925,8 +4925,8 @@
ge_p3 A;
x25519_ge_scalarmult_base(&A, e);
- /* We only need the u-coordinate of the curve25519 point. The map is
- * u=(y+1)/(1-y). Since y=Y/Z, this gives u=(Z+Y)/(Z-Y). */
+ // We only need the u-coordinate of the curve25519 point. The map is
+ // u=(y+1)/(1-y). Since y=Y/Z, this gives u=(Z+Y)/(Z-Y).
fe zplusy, zminusy, zminusy_inv;
fe_add(zplusy, A.Z, A.Y);
fe_sub(zminusy, A.Z, A.Y);
@@ -4935,4 +4935,4 @@
fe_tobytes(out_public_value, zplusy);
}
-#endif /* BORINGSSL_X25519_X86_64 */
+#endif // BORINGSSL_X25519_X86_64
diff --git a/crypto/curve25519/internal.h b/crypto/curve25519/internal.h
index ee865bd..9487a6c 100644
--- a/crypto/curve25519/internal.h
+++ b/crypto/curve25519/internal.h
@@ -32,15 +32,15 @@
#if defined(OPENSSL_ARM) && !defined(OPENSSL_NO_ASM) && !defined(OPENSSL_APPLE)
#define BORINGSSL_X25519_NEON
-/* x25519_NEON is defined in asm/x25519-arm.S. */
+// x25519_NEON is defined in asm/x25519-arm.S.
void x25519_NEON(uint8_t out[32], const uint8_t scalar[32],
const uint8_t point[32]);
#endif
-/* fe means field element. Here the field is \Z/(2^255-19). An element t,
- * entries t[0]...t[9], represents the integer t[0]+2^26 t[1]+2^51 t[2]+2^77
- * t[3]+2^102 t[4]+...+2^230 t[9]. Bounds on each t[i] vary depending on
- * context. */
+// fe means field element. Here the field is \Z/(2^255-19). An element t,
+// entries t[0]...t[9], represents the integer t[0]+2^26 t[1]+2^51 t[2]+2^77
+// t[3]+2^102 t[4]+...+2^230 t[9]. Bounds on each t[i] vary depending on
+// context.
typedef int32_t fe[10];
/* ge means group element.
@@ -103,7 +103,7 @@
#if defined(__cplusplus)
-} /* extern C */
+} // extern C
#endif
-#endif /* OPENSSL_HEADER_CURVE25519_INTERNAL_H */
+#endif // OPENSSL_HEADER_CURVE25519_INTERNAL_H
diff --git a/crypto/curve25519/spake25519.c b/crypto/curve25519/spake25519.c
index 5b794b3..8ebedf9 100644
--- a/crypto/curve25519/spake25519.c
+++ b/crypto/curve25519/spake25519.c
@@ -25,80 +25,82 @@
#include "../internal.h"
-/* The following precomputation tables are for the following
- * points used in the SPAKE2 protocol.
- *
- * N:
- * x: 49918732221787544735331783592030787422991506689877079631459872391322455579424
- * y: 54629554431565467720832445949441049581317094546788069926228343916274969994000
- * encoded: 10e3df0ae37d8e7a99b5fe74b44672103dbddcbd06af680d71329a11693bc778
- *
- * M:
- * x: 31406539342727633121250288103050113562375374900226415211311216773867585644232
- * y: 21177308356423958466833845032658859666296341766942662650232962324899758529114
- * encoded: 5ada7e4bf6ddd9adb6626d32131c6b5c51a1e347a3478f53cfcf441b88eed12e
- *
- * These points and their precomputation tables are generated with the
- * following Python code. For a description of the precomputation table,
- * see curve25519.c in this directory.
- *
- * Exact copies of the source code are kept in bug 27296743.
- *
- * import hashlib
- * import ed25519 as E # http://ed25519.cr.yp.to/python/ed25519.py
- *
- * SEED_N = 'edwards25519 point generation seed (N)'
- * SEED_M = 'edwards25519 point generation seed (M)'
- *
- * def genpoint(seed):
- * v = hashlib.sha256(seed).digest()
- * it = 1
- * while True:
- * try:
- * x,y = E.decodepoint(v)
- * except Exception, e:
- * print e
- * it += 1
- * v = hashlib.sha256(v).digest()
- * continue
- * print "Found in %d iterations:" % it
- * print " x = %d" % x
- * print " y = %d" % y
- * print " Encoded (hex)"
- * print E.encodepoint((x,y)).encode('hex')
- * return (x,y)
- *
- * def gentable(P):
- * t = []
- * for i in range(1,16):
- * k = (i >> 3 & 1) * (1 << 192) + \
- * (i >> 2 & 1) * (1 << 128) + \
- * (i >> 1 & 1) * (1 << 64) + \
- * (i & 1)
- * t.append(E.scalarmult(P, k))
- * return ''.join(E.encodeint(x) + E.encodeint(y) for (x,y) in t)
- *
- * def printtable(table, name):
- * print "static const uint8_t %s[15 * 2 * 32] = {" % name,
- * for i in range(15 * 2 * 32):
- * if i % 12 == 0:
- * print "\n ",
- * print " 0x%02x," % ord(table[i]),
- * print "\n};"
- *
- * if __name__ == "__main__":
- * print "Searching for N"
- * N = genpoint(SEED_N)
- * print "Generating precomputation table for N"
- * Ntable = gentable(N)
- * printtable(Ntable, "kSpakeNSmallPrecomp")
- *
- * print "Searching for M"
- * M = genpoint(SEED_M)
- * print "Generating precomputation table for M"
- * Mtable = gentable(M)
- * printtable(Mtable, "kSpakeMSmallPrecomp")
- */
+// The following precomputation tables are for the following
+// points used in the SPAKE2 protocol.
+//
+// N:
+// x: 49918732221787544735331783592030787422991506689877079631459872391322455579424
+// y: 54629554431565467720832445949441049581317094546788069926228343916274969994000
+// encoded: 10e3df0ae37d8e7a99b5fe74b44672103dbddcbd06af680d71329a11693bc778
+//
+// M:
+// x: 31406539342727633121250288103050113562375374900226415211311216773867585644232
+// y: 21177308356423958466833845032658859666296341766942662650232962324899758529114
+// encoded: 5ada7e4bf6ddd9adb6626d32131c6b5c51a1e347a3478f53cfcf441b88eed12e
+//
+// These points and their precomputation tables are generated with the
+// following Python code. For a description of the precomputation table,
+// see curve25519.c in this directory.
+//
+// Exact copies of the source code are kept in bug 27296743.
+//
+// import hashlib
+// import ed25519 as E # http://ed25519.cr.yp.to/python/ed25519.py
+//
+// SEED_N = 'edwards25519 point generation seed (N)'
+// SEED_M = 'edwards25519 point generation seed (M)'
+
+/*
+def genpoint(seed):
+ v = hashlib.sha256(seed).digest()
+ it = 1
+ while True:
+ try:
+ x,y = E.decodepoint(v)
+ except Exception, e:
+ print e
+ it += 1
+ v = hashlib.sha256(v).digest()
+ continue
+ print "Found in %d iterations:" % it
+ print " x = %d" % x
+ print " y = %d" % y
+ print " Encoded (hex)"
+ print E.encodepoint((x,y)).encode('hex')
+ return (x,y)
+
+def gentable(P):
+ t = []
+ for i in range(1,16):
+ k = (i >> 3 & 1) * (1 << 192) + \
+ (i >> 2 & 1) * (1 << 128) + \
+ (i >> 1 & 1) * (1 << 64) + \
+ (i & 1)
+ t.append(E.scalarmult(P, k))
+ return ''.join(E.encodeint(x) + E.encodeint(y) for (x,y) in t)
+
+def printtable(table, name):
+ print "static const uint8_t %s[15 * 2 * 32] = {" % name,
+ for i in range(15 * 2 * 32):
+ if i % 12 == 0:
+ print "\n ",
+ print " 0x%02x," % ord(table[i]),
+ print "\n};"
+
+if __name__ == "__main__":
+ print "Searching for N"
+ N = genpoint(SEED_N)
+ print "Generating precomputation table for N"
+ Ntable = gentable(N)
+ printtable(Ntable, "kSpakeNSmallPrecomp")
+
+ print "Searching for M"
+ M = genpoint(SEED_M)
+ print "Generating precomputation table for M"
+ Mtable = gentable(M)
+ printtable(Mtable, "kSpakeMSmallPrecomp")
+*/
+
static const uint8_t kSpakeNSmallPrecomp[15 * 2 * 32] = {
0x20, 0x1b, 0xc5, 0xb3, 0x43, 0x17, 0x71, 0x10, 0x44, 0x1e, 0x73, 0xb3,
0xae, 0x3f, 0xbf, 0x9f, 0xf5, 0x44, 0xc8, 0x13, 0x8f, 0xd1, 0x01, 0xc2,
@@ -317,8 +319,8 @@
OPENSSL_free(ctx);
}
-/* left_shift_3 sets |n| to |n|*8, where |n| is represented in little-endian
- * order. */
+// left_shift_3 sets |n| to |n|*8, where |n| is represented in little-endian
+// order.
static void left_shift_3(uint8_t n[32]) {
uint8_t carry = 0;
unsigned i;
@@ -344,15 +346,15 @@
uint8_t private_tmp[64];
RAND_bytes(private_tmp, sizeof(private_tmp));
x25519_sc_reduce(private_tmp);
- /* Multiply by the cofactor (eight) so that we'll clear it when operating on
- * the peer's point later in the protocol. */
+ // Multiply by the cofactor (eight) so that we'll clear it when operating on
+ // the peer's point later in the protocol.
left_shift_3(private_tmp);
OPENSSL_memcpy(ctx->private_key, private_tmp, sizeof(ctx->private_key));
ge_p3 P;
x25519_ge_scalarmult_base(&P, ctx->private_key);
- /* mask = h(password) * <N or M>. */
+ // mask = h(password) * <N or M>.
uint8_t password_tmp[SHA512_DIGEST_LENGTH];
SHA512(password, password_len, password_tmp);
OPENSSL_memcpy(ctx->password_hash, password_tmp, sizeof(ctx->password_hash));
@@ -365,13 +367,13 @@
? kSpakeMSmallPrecomp
: kSpakeNSmallPrecomp);
- /* P* = P + mask. */
+ // P* = P + mask.
ge_cached mask_cached;
x25519_ge_p3_to_cached(&mask_cached, &mask);
ge_p1p1 Pstar;
x25519_ge_add(&Pstar, &P, &mask_cached);
- /* Encode P* */
+ // Encode P*
ge_p2 Pstar_proj;
x25519_ge_p1p1_to_p2(&Pstar_proj, &Pstar);
x25519_ge_tobytes(ctx->my_msg, &Pstar_proj);
@@ -408,11 +410,11 @@
ge_p3 Qstar;
if (0 != x25519_ge_frombytes_vartime(&Qstar, their_msg)) {
- /* Point received from peer was not on the curve. */
+ // Point received from peer was not on the curve.
return 0;
}
- /* Unmask peer's value. */
+ // Unmask peer's value.
ge_p3 peers_mask;
x25519_ge_scalarmult_small_precomp(&peers_mask, ctx->password_scalar,
ctx->my_role == spake2_role_alice
diff --git a/crypto/curve25519/spake25519_test.cc b/crypto/curve25519/spake25519_test.cc
index 97f17b7..cdf4ff5 100644
--- a/crypto/curve25519/spake25519_test.cc
+++ b/crypto/curve25519/spake25519_test.cc
@@ -25,7 +25,7 @@
#include "../internal.h"
-/* TODO(agl): add tests with fixed vectors once SPAKE2 is nailed down. */
+// TODO(agl): add tests with fixed vectors once SPAKE2 is nailed down.
struct SPAKE2Run {
bool Run() {
diff --git a/crypto/curve25519/x25519-x86_64.c b/crypto/curve25519/x25519-x86_64.c
index 9c3d414..d677b52 100644
--- a/crypto/curve25519/x25519-x86_64.c
+++ b/crypto/curve25519/x25519-x86_64.c
@@ -12,12 +12,12 @@
* OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN
* CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. */
-/* This code is mostly taken from the ref10 version of Ed25519 in SUPERCOP
- * 20141124 (http://bench.cr.yp.to/supercop.html). That code is released as
- * public domain but this file has the ISC license just to keep licencing
- * simple.
- *
- * The field functions are shared by Ed25519 and X25519 where possible. */
+// This code is mostly taken from the ref10 version of Ed25519 in SUPERCOP
+// 20141124 (http://bench.cr.yp.to/supercop.html). That code is released as
+// public domain but this file has the ISC license just to keep licencing
+// simple.
+//
+// The field functions are shared by Ed25519 and X25519 where possible.
#include <openssl/curve25519.h>
@@ -31,7 +31,7 @@
typedef struct { uint64_t v[5]; } fe25519;
-/* These functions are defined in asm/x25519-x86_64.S */
+// These functions are defined in asm/x25519-x86_64.S
void x25519_x86_64_work_cswap(fe25519 *, uint64_t);
void x25519_x86_64_mul(fe25519 *out, const fe25519 *a, const fe25519 *b);
void x25519_x86_64_square(fe25519 *out, const fe25519 *a);
@@ -46,7 +46,7 @@
r->v[4] = 0;
}
-/* Assumes input x being reduced below 2^255 */
+// Assumes input x being reduced below 2^255
static void fe25519_pack(unsigned char r[32], const fe25519 *x) {
fe25519 t;
t = *x;
@@ -244,4 +244,4 @@
fe25519_pack(out, &t);
}
-#endif /* BORINGSSL_X25519_X86_64 */
+#endif // BORINGSSL_X25519_X86_64
diff --git a/crypto/dh/check.c b/crypto/dh/check.c
index 55fc1c3..454ad44 100644
--- a/crypto/dh/check.c
+++ b/crypto/dh/check.c
@@ -70,7 +70,7 @@
int ok = 0;
- /* Check |pub_key| is greater than 1. */
+ // Check |pub_key| is greater than 1.
BIGNUM *tmp = BN_CTX_get(ctx);
if (tmp == NULL ||
!BN_set_word(tmp, 1)) {
@@ -80,7 +80,7 @@
*out_flags |= DH_CHECK_PUBKEY_TOO_SMALL;
}
- /* Check |pub_key| is less than |dh->p| - 1. */
+ // Check |pub_key| is less than |dh->p| - 1.
if (!BN_copy(tmp, dh->p) ||
!BN_sub_word(tmp, 1)) {
goto err;
@@ -90,9 +90,9 @@
}
if (dh->q != NULL) {
- /* Check |pub_key|^|dh->q| is 1 mod |dh->p|. This is necessary for RFC 5114
- * groups which are not safe primes but pick a generator on a prime-order
- * subgroup of size |dh->q|. */
+ // Check |pub_key|^|dh->q| is 1 mod |dh->p|. This is necessary for RFC 5114
+ // groups which are not safe primes but pick a generator on a prime-order
+ // subgroup of size |dh->q|.
if (!BN_mod_exp_mont(tmp, pub_key, dh->q, dh->p, ctx, NULL)) {
goto err;
}
@@ -111,13 +111,12 @@
int DH_check(const DH *dh, int *out_flags) {
- /* Check that p is a safe prime and if g is 2, 3 or 5, check that it is a
- * suitable generator where:
- * for 2, p mod 24 == 11
- * for 3, p mod 12 == 5
- * for 5, p mod 10 == 3 or 7
- * should hold.
- */
+ // Check that p is a safe prime and if g is 2, 3 or 5, check that it is a
+ // suitable generator where:
+ // for 2, p mod 24 == 11
+ // for 3, p mod 12 == 5
+ // for 5, p mod 10 == 3 or 7
+ // should hold.
int ok = 0, r;
BN_CTX *ctx = NULL;
BN_ULONG l;
@@ -144,7 +143,7 @@
} else if (BN_cmp(dh->g, dh->p) >= 0) {
*out_flags |= DH_CHECK_NOT_SUITABLE_GENERATOR;
} else {
- /* Check g^q == 1 mod p */
+ // Check g^q == 1 mod p
if (!BN_mod_exp_mont(t1, dh->g, dh->q, dh->p, ctx, NULL)) {
goto err;
}
@@ -159,7 +158,7 @@
if (!r) {
*out_flags |= DH_CHECK_Q_NOT_PRIME;
}
- /* Check p == 1 mod q i.e. q divides p - 1 */
+ // Check p == 1 mod q i.e. q divides p - 1
if (!BN_div(t1, t2, dh->p, dh->q, ctx)) {
goto err;
}
diff --git a/crypto/dh/dh.c b/crypto/dh/dh.c
index c884ae3..3356776 100644
--- a/crypto/dh/dh.c
+++ b/crypto/dh/dh.c
@@ -138,32 +138,30 @@
}
int DH_generate_parameters_ex(DH *dh, int prime_bits, int generator, BN_GENCB *cb) {
- /* We generate DH parameters as follows
- * find a prime q which is prime_bits/2 bits long.
- * p=(2*q)+1 or (p-1)/2 = q
- * For this case, g is a generator if
- * g^((p-1)/q) mod p != 1 for values of q which are the factors of p-1.
- * Since the factors of p-1 are q and 2, we just need to check
- * g^2 mod p != 1 and g^q mod p != 1.
- *
- * Having said all that,
- * there is another special case method for the generators 2, 3 and 5.
- * for 2, p mod 24 == 11
- * for 3, p mod 12 == 5 <<<<< does not work for safe primes.
- * for 5, p mod 10 == 3 or 7
- *
- * Thanks to Phil Karn <karn@qualcomm.com> for the pointers about the
- * special generators and for answering some of my questions.
- *
- * I've implemented the second simple method :-).
- * Since DH should be using a safe prime (both p and q are prime),
- * this generator function can take a very very long time to run.
- */
+ // We generate DH parameters as follows
+ // find a prime q which is prime_bits/2 bits long.
+ // p=(2*q)+1 or (p-1)/2 = q
+ // For this case, g is a generator if
+ // g^((p-1)/q) mod p != 1 for values of q which are the factors of p-1.
+ // Since the factors of p-1 are q and 2, we just need to check
+ // g^2 mod p != 1 and g^q mod p != 1.
+ //
+ // Having said all that,
+ // there is another special case method for the generators 2, 3 and 5.
+ // for 2, p mod 24 == 11
+ // for 3, p mod 12 == 5 <<<<< does not work for safe primes.
+ // for 5, p mod 10 == 3 or 7
+ //
+ // Thanks to Phil Karn <karn@qualcomm.com> for the pointers about the
+ // special generators and for answering some of my questions.
+ //
+ // I've implemented the second simple method :-).
+ // Since DH should be using a safe prime (both p and q are prime),
+ // this generator function can take a very very long time to run.
- /* Actually there is no reason to insist that 'generator' be a generator.
- * It's just as OK (and in some sense better) to use a generator of the
- * order-q subgroup.
- */
+ // Actually there is no reason to insist that 'generator' be a generator.
+ // It's just as OK (and in some sense better) to use a generator of the
+ // order-q subgroup.
BIGNUM *t1, *t2;
int g, ok = 0;
@@ -180,7 +178,7 @@
goto err;
}
- /* Make sure |dh| has the necessary elements */
+ // Make sure |dh| has the necessary elements
if (dh->p == NULL) {
dh->p = BN_new();
if (dh->p == NULL) {
@@ -213,14 +211,14 @@
if (!BN_set_word(t2, 3)) {
goto err;
}
- /* BN_set_word(t3,7); just have to miss
- * out on these ones :-( */
+ // BN_set_word(t3,7); just have to miss
+ // out on these ones :-(
g = 5;
} else {
- /* in the general case, don't worry if 'generator' is a
- * generator or not: since we are using safe primes,
- * it will generate either an order-q or an order-2q group,
- * which both is OK */
+ // in the general case, don't worry if 'generator' is a
+ // generator or not: since we are using safe primes,
+ // it will generate either an order-q or an order-2q group,
+ // which both is OK
if (!BN_set_word(t1, 2)) {
goto err;
}
@@ -299,7 +297,7 @@
goto err;
}
} else {
- /* secret exponent length */
+ // secret exponent length
unsigned priv_bits = dh->priv_length;
if (priv_bits == 0) {
const unsigned p_bits = BN_num_bits(dh->p);
diff --git a/crypto/dh/dh_asn1.c b/crypto/dh/dh_asn1.c
index 1a147ee..9d32180 100644
--- a/crypto/dh/dh_asn1.c
+++ b/crypto/dh/dh_asn1.c
@@ -76,7 +76,7 @@
static int marshal_integer(CBB *cbb, BIGNUM *bn) {
if (bn == NULL) {
- /* A DH object may be missing some components. */
+ // A DH object may be missing some components.
OPENSSL_PUT_ERROR(DH, ERR_R_PASSED_NULL_PARAMETER);
return 0;
}
diff --git a/crypto/digest_extra/digest_extra.c b/crypto/digest_extra/digest_extra.c
index b18759a..ab7ff59 100644
--- a/crypto/digest_extra/digest_extra.c
+++ b/crypto/digest_extra/digest_extra.c
@@ -82,11 +82,11 @@
{NID_sha384, EVP_sha384, SN_sha384, LN_sha384},
{NID_sha512, EVP_sha512, SN_sha512, LN_sha512},
{NID_md5_sha1, EVP_md5_sha1, SN_md5_sha1, LN_md5_sha1},
- /* As a remnant of signing |EVP_MD|s, OpenSSL returned the corresponding
- * hash function when given a signature OID. To avoid unintended lax parsing
- * of hash OIDs, this is no longer supported for lookup by OID or NID.
- * Node.js, however, exposes |EVP_get_digestbyname|'s full behavior to
- * consumers so we retain it there. */
+ // As a remnant of signing |EVP_MD|s, OpenSSL returned the corresponding
+ // hash function when given a signature OID. To avoid unintended lax parsing
+ // of hash OIDs, this is no longer supported for lookup by OID or NID.
+ // Node.js, however, exposes |EVP_get_digestbyname|'s full behavior to
+ // consumers so we retain it there.
{NID_undef, EVP_sha1, SN_dsaWithSHA, LN_dsaWithSHA},
{NID_undef, EVP_sha1, SN_dsaWithSHA1, LN_dsaWithSHA1},
{NID_undef, EVP_sha1, SN_ecdsa_with_SHA1, NULL},
@@ -104,7 +104,7 @@
const EVP_MD* EVP_get_digestbynid(int nid) {
if (nid == NID_undef) {
- /* Skip the |NID_undef| entries in |nid_to_digest_mapping|. */
+ // Skip the |NID_undef| entries in |nid_to_digest_mapping|.
return NULL;
}
@@ -122,19 +122,19 @@
uint8_t oid_len;
const EVP_MD *(*md_func) (void);
} kMDOIDs[] = {
- /* 1.2.840.113549.2.4 */
+ // 1.2.840.113549.2.4
{ {0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x02, 0x04}, 8, EVP_md4 },
- /* 1.2.840.113549.2.5 */
+ // 1.2.840.113549.2.5
{ {0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x02, 0x05}, 8, EVP_md5 },
- /* 1.3.14.3.2.26 */
+ // 1.3.14.3.2.26
{ {0x2b, 0x0e, 0x03, 0x02, 0x1a}, 5, EVP_sha1 },
- /* 2.16.840.1.101.3.4.2.1 */
+ // 2.16.840.1.101.3.4.2.1
{ {0x60, 0x86, 0x48, 0x01, 0x65, 0x03, 0x04, 0x02, 0x01}, 9, EVP_sha256 },
- /* 2.16.840.1.101.3.4.2.2 */
+ // 2.16.840.1.101.3.4.2.2
{ {0x60, 0x86, 0x48, 0x01, 0x65, 0x03, 0x04, 0x02, 0x02}, 9, EVP_sha384 },
- /* 2.16.840.1.101.3.4.2.3 */
+ // 2.16.840.1.101.3.4.2.3
{ {0x60, 0x86, 0x48, 0x01, 0x65, 0x03, 0x04, 0x02, 0x03}, 9, EVP_sha512 },
- /* 2.16.840.1.101.3.4.2.4 */
+ // 2.16.840.1.101.3.4.2.4
{ {0x60, 0x86, 0x48, 0x01, 0x65, 0x03, 0x04, 0x02, 0x04}, 9, EVP_sha224 },
};
@@ -151,7 +151,7 @@
}
const EVP_MD *EVP_get_digestbyobj(const ASN1_OBJECT *obj) {
- /* Handle objects with no corresponding OID. */
+ // Handle objects with no corresponding OID.
if (obj->nid != NID_undef) {
return EVP_get_digestbynid(obj->nid);
}
@@ -175,10 +175,10 @@
return NULL;
}
- /* The parameters, if present, must be NULL. Historically, whether the NULL
- * was included or omitted was not well-specified. When parsing an
- * AlgorithmIdentifier, we allow both. (Note this code is not used when
- * verifying RSASSA-PKCS1-v1_5 signatures.) */
+ // The parameters, if present, must be NULL. Historically, whether the NULL
+ // was included or omitted was not well-specified. When parsing an
+ // AlgorithmIdentifier, we allow both. (Note this code is not used when
+ // verifying RSASSA-PKCS1-v1_5 signatures.)
if (CBS_len(&algorithm) > 0) {
CBS param;
if (!CBS_get_asn1(&algorithm, ¶m, CBS_ASN1_NULL) ||
diff --git a/crypto/digest_extra/internal.h b/crypto/digest_extra/internal.h
index 264405f..1df200e 100644
--- a/crypto/digest_extra/internal.h
+++ b/crypto/digest_extra/internal.h
@@ -26,7 +26,7 @@
#if defined(__cplusplus)
-} /* extern C */
+} // extern C
#endif
-#endif /* OPENSSL_HEADER_DIGEST_EXTRA_INTERNAL */
+#endif // OPENSSL_HEADER_DIGEST_EXTRA_INTERNAL
diff --git a/crypto/dsa/dsa.c b/crypto/dsa/dsa.c
index d445f14..1dfc567 100644
--- a/crypto/dsa/dsa.c
+++ b/crypto/dsa/dsa.c
@@ -78,8 +78,8 @@
#define OPENSSL_DSA_MAX_MODULUS_BITS 10000
-/* Primality test according to FIPS PUB 186[-1], Appendix 2.1: 50 rounds of
- * Rabin-Miller */
+// Primality test according to FIPS PUB 186[-1], Appendix 2.1: 50 rounds of
+// Rabin-Miller
#define DSS_prime_checks 50
static CRYPTO_EX_DATA_CLASS g_ex_data_class = CRYPTO_EX_DATA_CLASS_INIT;
@@ -186,7 +186,7 @@
return 0;
}
if (seed_len > (size_t)qsize) {
- /* Only consume as much seed as is expected. */
+ // Only consume as much seed as is expected.
seed_len = qsize;
}
OPENSSL_memcpy(seed, seed_in, seed_len);
@@ -217,9 +217,9 @@
}
for (;;) {
- /* Find q. */
+ // Find q.
for (;;) {
- /* step 1 */
+ // step 1
if (!BN_GENCB_call(cb, 0, m++)) {
goto err;
}
@@ -230,12 +230,12 @@
goto err;
}
} else {
- /* If we come back through, use random seed next time. */
+ // If we come back through, use random seed next time.
seed_in = NULL;
}
OPENSSL_memcpy(buf, seed, qsize);
OPENSSL_memcpy(buf2, seed, qsize);
- /* precompute "SEED + 1" for step 7: */
+ // precompute "SEED + 1" for step 7:
for (i = qsize - 1; i < qsize; i--) {
buf[i]++;
if (buf[i] != 0) {
@@ -243,7 +243,7 @@
}
}
- /* step 2 */
+ // step 2
if (!EVP_Digest(seed, qsize, md, NULL, evpmd, NULL) ||
!EVP_Digest(buf, qsize, buf2, NULL, evpmd, NULL)) {
goto err;
@@ -252,14 +252,14 @@
md[i] ^= buf2[i];
}
- /* step 3 */
+ // step 3
md[0] |= 0x80;
md[qsize - 1] |= 0x01;
if (!BN_bin2bn(md, qsize, q)) {
goto err;
}
- /* step 4 */
+ // step 4
r = BN_is_prime_fasttest_ex(q, DSS_prime_checks, ctx, use_random_seed, cb);
if (r > 0) {
break;
@@ -268,17 +268,17 @@
goto err;
}
- /* do a callback call */
- /* step 5 */
+ // do a callback call
+ // step 5
}
if (!BN_GENCB_call(cb, 2, 0) || !BN_GENCB_call(cb, 3, 0)) {
goto err;
}
- /* step 6 */
+ // step 6
counter = 0;
- /* "offset = 2" */
+ // "offset = 2"
n = (bits - 1) / 160;
@@ -287,11 +287,11 @@
goto err;
}
- /* step 7 */
+ // step 7
BN_zero(W);
- /* now 'buf' contains "SEED + offset - 1" */
+ // now 'buf' contains "SEED + offset - 1"
for (k = 0; k <= n; k++) {
- /* obtain "SEED + offset + k" by incrementing: */
+ // obtain "SEED + offset + k" by incrementing:
for (i = qsize - 1; i < qsize; i--) {
buf[i]++;
if (buf[i] != 0) {
@@ -303,7 +303,7 @@
goto err;
}
- /* step 8 */
+ // step 8
if (!BN_bin2bn(md, qsize, r0) ||
!BN_lshift(r0, r0, (qsize << 3) * k) ||
!BN_add(W, W, r0)) {
@@ -311,14 +311,14 @@
}
}
- /* more of step 8 */
+ // more of step 8
if (!BN_mask_bits(W, bits - 1) ||
!BN_copy(X, W) ||
!BN_add(X, X, test)) {
goto err;
}
- /* step 9 */
+ // step 9
if (!BN_lshift1(r0, q) ||
!BN_mod(c, X, r0, ctx) ||
!BN_sub(r0, c, BN_value_one()) ||
@@ -326,23 +326,23 @@
goto err;
}
- /* step 10 */
+ // step 10
if (BN_cmp(p, test) >= 0) {
- /* step 11 */
+ // step 11
r = BN_is_prime_fasttest_ex(p, DSS_prime_checks, ctx, 1, cb);
if (r > 0) {
- goto end; /* found it */
+ goto end; // found it
}
if (r != 0) {
goto err;
}
}
- /* step 13 */
+ // step 13
counter++;
- /* "offset = offset + n + 1" */
+ // "offset = offset + n + 1"
- /* step 14 */
+ // step 14
if (counter >= 4096) {
break;
}
@@ -353,8 +353,8 @@
goto err;
}
- /* We now need to generate g */
- /* Set r0=(p-1)/q */
+ // We now need to generate g
+ // Set r0=(p-1)/q
if (!BN_sub(test, p, BN_value_one()) ||
!BN_div(r0, NULL, test, q, ctx)) {
goto err;
@@ -366,7 +366,7 @@
}
for (;;) {
- /* g=test^r0%p */
+ // g=test^r0%p
if (!BN_mod_exp_mont(g, test, r0, p, ctx, mont)) {
goto err;
}
@@ -544,9 +544,9 @@
}
if (digest_len > BN_num_bytes(dsa->q)) {
- /* if the digest length is greater than the size of q use the
- * BN_num_bits(dsa->q) leftmost bits of the digest, see
- * fips 186-3, 4.2 */
+ // if the digest length is greater than the size of q use the
+ // BN_num_bits(dsa->q) leftmost bits of the digest, see
+ // fips 186-3, 4.2
digest_len = BN_num_bytes(dsa->q);
}
@@ -554,12 +554,12 @@
goto err;
}
- /* Compute s = inv(k) (m + xr) mod q */
+ // Compute s = inv(k) (m + xr) mod q
if (!BN_mod_mul(&xr, dsa->priv_key, r, dsa->q, ctx)) {
- goto err; /* s = xr */
+ goto err; // s = xr
}
if (!BN_add(s, &xr, &m)) {
- goto err; /* s = m + xr */
+ goto err; // s = m + xr
}
if (BN_cmp(s, dsa->q) > 0) {
if (!BN_sub(s, s, dsa->q)) {
@@ -570,8 +570,8 @@
goto err;
}
- /* Redo if r or s is zero as required by FIPS 186-3: this is
- * very unlikely. */
+ // Redo if r or s is zero as required by FIPS 186-3: this is
+ // very unlikely.
if (BN_is_zero(r) || BN_is_zero(s)) {
if (noredo) {
reason = DSA_R_NEED_NEW_SETUP_VALUES;
@@ -624,7 +624,7 @@
}
i = BN_num_bits(dsa->q);
- /* fips 186-3 allows only different sizes for q */
+ // fips 186-3 allows only different sizes for q
if (i != 160 && i != 224 && i != 256) {
OPENSSL_PUT_ERROR(DSA, DSA_R_BAD_Q_VALUE);
return 0;
@@ -655,17 +655,17 @@
goto err;
}
- /* Calculate W = inv(S) mod Q
- * save W in u2 */
+ // Calculate W = inv(S) mod Q
+ // save W in u2
if (BN_mod_inverse(&u2, sig->s, dsa->q, ctx) == NULL) {
goto err;
}
- /* save M in u1 */
+ // save M in u1
if (digest_len > (i >> 3)) {
- /* if the digest length is greater than the size of q use the
- * BN_num_bits(dsa->q) leftmost bits of the digest, see
- * fips 186-3, 4.2 */
+ // if the digest length is greater than the size of q use the
+ // BN_num_bits(dsa->q) leftmost bits of the digest, see
+ // fips 186-3, 4.2
digest_len = (i >> 3);
}
@@ -673,12 +673,12 @@
goto err;
}
- /* u1 = M * w mod q */
+ // u1 = M * w mod q
if (!BN_mod_mul(&u1, &u1, &u2, dsa->q, ctx)) {
goto err;
}
- /* u2 = r * w mod q */
+ // u2 = r * w mod q
if (!BN_mod_mul(&u2, sig->r, &u2, dsa->q, ctx)) {
goto err;
}
@@ -694,14 +694,14 @@
goto err;
}
- /* BN_copy(&u1,&t1); */
- /* let u1 = u1 mod q */
+ // BN_copy(&u1,&t1);
+ // let u1 = u1 mod q
if (!BN_mod(&u1, &t1, dsa->q, ctx)) {
goto err;
}
- /* V is now in u1. If the signature is correct, it will be
- * equal to R. */
+ // V is now in u1. If the signature is correct, it will be
+ // equal to R.
*out_valid = BN_ucmp(&u1, sig->r) == 0;
ret = 1;
@@ -758,7 +758,7 @@
goto err;
}
- /* Ensure that the signature uses DER and doesn't have trailing garbage. */
+ // Ensure that the signature uses DER and doesn't have trailing garbage.
int der_len = i2d_DSA_SIG(s, &der);
if (der_len < 0 || (size_t)der_len != sig_len ||
OPENSSL_memcmp(sig, der, sig_len)) {
@@ -773,8 +773,8 @@
return ret;
}
-/* der_len_len returns the number of bytes needed to represent a length of |len|
- * in DER. */
+// der_len_len returns the number of bytes needed to represent a length of |len|
+// in DER.
static size_t der_len_len(size_t len) {
if (len < 0x80) {
return 1;
@@ -789,18 +789,18 @@
int DSA_size(const DSA *dsa) {
size_t order_len = BN_num_bytes(dsa->q);
- /* Compute the maximum length of an |order_len| byte integer. Defensively
- * assume that the leading 0x00 is included. */
+ // Compute the maximum length of an |order_len| byte integer. Defensively
+ // assume that the leading 0x00 is included.
size_t integer_len = 1 /* tag */ + der_len_len(order_len + 1) + 1 + order_len;
if (integer_len < order_len) {
return 0;
}
- /* A DSA signature is two INTEGERs. */
+ // A DSA signature is two INTEGERs.
size_t value_len = 2 * integer_len;
if (value_len < integer_len) {
return 0;
}
- /* Add the header. */
+ // Add the header.
size_t ret = 1 /* tag */ + der_len_len(value_len) + value_len;
if (ret < value_len) {
return 0;
@@ -835,7 +835,7 @@
goto err;
}
- /* Get random k */
+ // Get random k
if (!BN_rand_range_ex(&k, 1, dsa->q)) {
goto err;
}
@@ -849,16 +849,16 @@
goto err;
}
- /* Compute r = (g^k mod p) mod q */
+ // Compute r = (g^k mod p) mod q
if (!BN_copy(&kq, &k)) {
goto err;
}
- /* We do not want timing information to leak the length of k,
- * so we compute g^k using an equivalent exponent of fixed length.
- *
- * (This is a kludge that we need because the BN_mod_exp_mont()
- * does not let us specify the desired timing behaviour.) */
+ // We do not want timing information to leak the length of k,
+ // so we compute g^k using an equivalent exponent of fixed length.
+ //
+ // (This is a kludge that we need because the BN_mod_exp_mont()
+ // does not let us specify the desired timing behaviour.)
if (!BN_add(&kq, &kq, dsa->q)) {
goto err;
@@ -875,8 +875,8 @@
goto err;
}
- /* Compute part of 's = inv(k) (m + xr) mod q' using Fermat's Little
- * Theorem. */
+ // Compute part of 's = inv(k) (m + xr) mod q' using Fermat's Little
+ // Theorem.
kinv = BN_new();
if (kinv == NULL ||
!bn_mod_inverse_prime(kinv, &k, dsa->q, ctx, dsa->method_mont_q)) {
diff --git a/crypto/dsa/dsa_asn1.c b/crypto/dsa/dsa_asn1.c
index ff5ee00..97fd07f 100644
--- a/crypto/dsa/dsa_asn1.c
+++ b/crypto/dsa/dsa_asn1.c
@@ -75,7 +75,7 @@
static int marshal_integer(CBB *cbb, BIGNUM *bn) {
if (bn == NULL) {
- /* A DSA object may be missing some components. */
+ // A DSA object may be missing some components.
OPENSSL_PUT_ERROR(DSA, ERR_R_PASSED_NULL_PARAMETER);
return 0;
}
diff --git a/crypto/dsa/dsa_test.cc b/crypto/dsa/dsa_test.cc
index 63b7803..295a7fd 100644
--- a/crypto/dsa/dsa_test.cc
+++ b/crypto/dsa/dsa_test.cc
@@ -71,8 +71,8 @@
#include "../internal.h"
-/* The following values are taken from the updated Appendix 5 to FIPS PUB 186
- * and also appear in Appendix 5 to FIPS PUB 186-1. */
+// The following values are taken from the updated Appendix 5 to FIPS PUB 186
+// and also appear in Appendix 5 to FIPS PUB 186-1.
static const uint8_t seed[20] = {
0xd5, 0x01, 0x4e, 0x4b, 0x60, 0xef, 0x2b, 0xa8, 0xb6, 0x21, 0x1b,
@@ -121,7 +121,7 @@
0x71, 0x78, 0x50, 0xc2, 0x6c, 0x9c, 0xd0, 0xd8, 0x9d,
};
-/* fips_sig is a DER-encoded version of the r and s values in FIPS PUB 186-1. */
+// fips_sig is a DER-encoded version of the r and s values in FIPS PUB 186-1.
static const uint8_t fips_sig[] = {
0x30, 0x2d, 0x02, 0x15, 0x00, 0x8b, 0xac, 0x1a, 0xb6, 0x64, 0x10,
0x43, 0x5c, 0xb7, 0x18, 0x1f, 0x95, 0xb1, 0x6a, 0xb9, 0x7c, 0x92,
@@ -130,7 +130,7 @@
0xdc, 0xd8, 0xc8,
};
-/* fips_sig_negative is fips_sig with r encoded as a negative number. */
+// fips_sig_negative is fips_sig with r encoded as a negative number.
static const uint8_t fips_sig_negative[] = {
0x30, 0x2c, 0x02, 0x14, 0x8b, 0xac, 0x1a, 0xb6, 0x64, 0x10, 0x43,
0x5c, 0xb7, 0x18, 0x1f, 0x95, 0xb1, 0x6a, 0xb9, 0x7c, 0x92, 0xb3,
@@ -139,7 +139,7 @@
0xd8, 0xc8,
};
-/* fip_sig_extra is fips_sig with trailing data. */
+// fip_sig_extra is fips_sig with trailing data.
static const uint8_t fips_sig_extra[] = {
0x30, 0x2d, 0x02, 0x15, 0x00, 0x8b, 0xac, 0x1a, 0xb6, 0x64, 0x10,
0x43, 0x5c, 0xb7, 0x18, 0x1f, 0x95, 0xb1, 0x6a, 0xb9, 0x7c, 0x92,
@@ -148,7 +148,7 @@
0xdc, 0xd8, 0xc8, 0x00,
};
-/* fips_sig_lengths is fips_sig with a non-minimally encoded length. */
+// fips_sig_lengths is fips_sig with a non-minimally encoded length.
static const uint8_t fips_sig_bad_length[] = {
0x30, 0x81, 0x2d, 0x02, 0x15, 0x00, 0x8b, 0xac, 0x1a, 0xb6, 0x64,
0x10, 0x43, 0x5c, 0xb7, 0x18, 0x1f, 0x95, 0xb1, 0x6a, 0xb9, 0x7c,
@@ -157,7 +157,7 @@
0xb6, 0xdc, 0xd8, 0xc8, 0x00,
};
-/* fips_sig_bad_r is fips_sig with a bad r value. */
+// fips_sig_bad_r is fips_sig with a bad r value.
static const uint8_t fips_sig_bad_r[] = {
0x30, 0x2d, 0x02, 0x15, 0x00, 0x8c, 0xac, 0x1a, 0xb6, 0x64, 0x10,
0x43, 0x5c, 0xb7, 0x18, 0x1f, 0x95, 0xb1, 0x6a, 0xb9, 0x7c, 0x92,
@@ -299,7 +299,7 @@
return false;
}
- /* Clear any errors from a test with expected failure. */
+ // Clear any errors from a test with expected failure.
ERR_clear_error();
return true;
}
diff --git a/crypto/ec_extra/ec_asn1.c b/crypto/ec_extra/ec_asn1.c
index 0772506..dc710a8 100644
--- a/crypto/ec_extra/ec_asn1.c
+++ b/crypto/ec_extra/ec_asn1.c
@@ -83,14 +83,14 @@
return NULL;
}
- /* Parse the optional parameters field. */
+ // Parse the optional parameters field.
EC_GROUP *inner_group = NULL;
EC_KEY *ret = NULL;
if (CBS_peek_asn1_tag(&ec_private_key, kParametersTag)) {
- /* Per SEC 1, as an alternative to omitting it, one is allowed to specify
- * this field and put in a NULL to mean inheriting this value. This was
- * omitted in a previous version of this logic without problems, so leave it
- * unimplemented. */
+ // Per SEC 1, as an alternative to omitting it, one is allowed to specify
+ // this field and put in a NULL to mean inheriting this value. This was
+ // omitted in a previous version of this logic without problems, so leave it
+ // unimplemented.
CBS child;
if (!CBS_get_asn1(&ec_private_key, &child, kParametersTag)) {
OPENSSL_PUT_ERROR(EC, EC_R_DECODE_ERROR);
@@ -103,7 +103,7 @@
if (group == NULL) {
group = inner_group;
} else if (EC_GROUP_cmp(group, inner_group, NULL) != 0) {
- /* If a group was supplied externally, it must match. */
+ // If a group was supplied externally, it must match.
OPENSSL_PUT_ERROR(EC, EC_R_GROUP_MISMATCH);
goto err;
}
@@ -123,9 +123,9 @@
goto err;
}
- /* Although RFC 5915 specifies the length of the key, OpenSSL historically
- * got this wrong, so accept any length. See upstream's
- * 30cd4ff294252c4b6a4b69cbef6a5b4117705d22. */
+ // Although RFC 5915 specifies the length of the key, OpenSSL historically
+ // got this wrong, so accept any length. See upstream's
+ // 30cd4ff294252c4b6a4b69cbef6a5b4117705d22.
ret->priv_key =
BN_bin2bn(CBS_data(&private_key), CBS_len(&private_key), NULL);
ret->pub_key = EC_POINT_new(group);
@@ -143,12 +143,12 @@
uint8_t padding;
if (!CBS_get_asn1(&ec_private_key, &child, kPublicKeyTag) ||
!CBS_get_asn1(&child, &public_key, CBS_ASN1_BITSTRING) ||
- /* As in a SubjectPublicKeyInfo, the byte-encoded public key is then
- * encoded as a BIT STRING with bits ordered as in the DER encoding. */
+ // As in a SubjectPublicKeyInfo, the byte-encoded public key is then
+ // encoded as a BIT STRING with bits ordered as in the DER encoding.
!CBS_get_u8(&public_key, &padding) ||
padding != 0 ||
- /* Explicitly check |public_key| is non-empty to save the conversion
- * form later. */
+ // Explicitly check |public_key| is non-empty to save the conversion
+ // form later.
CBS_len(&public_key) == 0 ||
!EC_POINT_oct2point(group, ret->pub_key, CBS_data(&public_key),
CBS_len(&public_key), NULL) ||
@@ -157,17 +157,17 @@
goto err;
}
- /* Save the point conversion form.
- * TODO(davidben): Consider removing this. */
+ // Save the point conversion form.
+ // TODO(davidben): Consider removing this.
ret->conv_form =
(point_conversion_form_t)(CBS_data(&public_key)[0] & ~0x01);
} else {
- /* Compute the public key instead. */
+ // Compute the public key instead.
if (!EC_POINT_mul(group, ret->pub_key, ret->priv_key, NULL, NULL, NULL)) {
goto err;
}
- /* Remember the original private-key-only encoding.
- * TODO(davidben): Consider removing this. */
+ // Remember the original private-key-only encoding.
+ // TODO(davidben): Consider removing this.
ret->enc_flag |= EC_PKEY_NO_PUBKEY;
}
@@ -176,7 +176,7 @@
goto err;
}
- /* Ensure the resulting key is valid. */
+ // Ensure the resulting key is valid.
if (!EC_KEY_check_key(ret)) {
goto err;
}
@@ -218,13 +218,13 @@
}
}
- /* TODO(fork): replace this flexibility with sensible default? */
+ // TODO(fork): replace this flexibility with sensible default?
if (!(enc_flags & EC_PKEY_NO_PUBKEY) && key->pub_key != NULL) {
CBB child, public_key;
if (!CBB_add_asn1(&ec_private_key, &child, kPublicKeyTag) ||
!CBB_add_asn1(&child, &public_key, CBS_ASN1_BITSTRING) ||
- /* As in a SubjectPublicKeyInfo, the byte-encoded public key is then
- * encoded as a BIT STRING with bits ordered as in the DER encoding. */
+ // As in a SubjectPublicKeyInfo, the byte-encoded public key is then
+ // encoded as a BIT STRING with bits ordered as in the DER encoding.
!CBB_add_u8(&public_key, 0 /* padding */) ||
!EC_POINT_point2cbb(&public_key, key->group, key->pub_key,
key->conv_form, NULL) ||
@@ -242,8 +242,8 @@
return 1;
}
-/* is_unsigned_integer returns one if |cbs| is a valid unsigned DER INTEGER and
- * zero otherwise. */
+// is_unsigned_integer returns one if |cbs| is a valid unsigned DER INTEGER and
+// zero otherwise.
static int is_unsigned_integer(const CBS *cbs) {
if (CBS_len(cbs) == 0) {
return 0;
@@ -251,20 +251,20 @@
uint8_t byte = CBS_data(cbs)[0];
if ((byte & 0x80) ||
(byte == 0 && CBS_len(cbs) > 1 && (CBS_data(cbs)[1] & 0x80) == 0)) {
- /* Negative or not minimally-encoded. */
+ // Negative or not minimally-encoded.
return 0;
}
return 1;
}
-/* kPrimeFieldOID is the encoding of 1.2.840.10045.1.1. */
+// kPrimeFieldOID is the encoding of 1.2.840.10045.1.1.
static const uint8_t kPrimeField[] = {0x2a, 0x86, 0x48, 0xce, 0x3d, 0x01, 0x01};
static int parse_explicit_prime_curve(CBS *in, CBS *out_prime, CBS *out_a,
CBS *out_b, CBS *out_base_x,
CBS *out_base_y, CBS *out_order) {
- /* See RFC 3279, section 2.3.5. Note that RFC 3279 calls this structure an
- * ECParameters while RFC 5480 calls it a SpecifiedECDomain. */
+ // See RFC 3279, section 2.3.5. Note that RFC 3279 calls this structure an
+ // ECParameters while RFC 5480 calls it a SpecifiedECDomain.
CBS params, field_id, field_type, curve, base;
uint64_t version;
if (!CBS_get_asn1(in, ¶ms, CBS_ASN1_SEQUENCE) ||
@@ -280,7 +280,7 @@
!CBS_get_asn1(¶ms, &curve, CBS_ASN1_SEQUENCE) ||
!CBS_get_asn1(&curve, out_a, CBS_ASN1_OCTETSTRING) ||
!CBS_get_asn1(&curve, out_b, CBS_ASN1_OCTETSTRING) ||
- /* |curve| has an optional BIT STRING seed which we ignore. */
+ // |curve| has an optional BIT STRING seed which we ignore.
!CBS_get_asn1(¶ms, &base, CBS_ASN1_OCTETSTRING) ||
!CBS_get_asn1(¶ms, out_order, CBS_ASN1_INTEGER) ||
!is_unsigned_integer(out_order)) {
@@ -288,11 +288,11 @@
return 0;
}
- /* |params| has an optional cofactor which we ignore. With the optional seed
- * in |curve|, a group already has arbitrarily many encodings. Parse enough to
- * uniquely determine the curve. */
+ // |params| has an optional cofactor which we ignore. With the optional seed
+ // in |curve|, a group already has arbitrarily many encodings. Parse enough to
+ // uniquely determine the curve.
- /* Require that the base point use uncompressed form. */
+ // Require that the base point use uncompressed form.
uint8_t form;
if (!CBS_get_u8(&base, &form) || form != POINT_CONVERSION_UNCOMPRESSED) {
OPENSSL_PUT_ERROR(EC, EC_R_INVALID_FORM);
@@ -310,10 +310,10 @@
return 1;
}
-/* integers_equal returns one if |a| and |b| are equal, up to leading zeros, and
- * zero otherwise. */
+// integers_equal returns one if |a| and |b| are equal, up to leading zeros, and
+// zero otherwise.
static int integers_equal(const CBS *a, const uint8_t *b, size_t b_len) {
- /* Remove leading zeros from |a| and |b|. */
+ // Remove leading zeros from |a| and |b|.
CBS a_copy = *a;
while (CBS_len(&a_copy) > 0 && CBS_data(&a_copy)[0] == 0) {
CBS_skip(&a_copy, 1);
@@ -332,7 +332,7 @@
return NULL;
}
- /* Look for a matching curve. */
+ // Look for a matching curve.
const struct built_in_curves *const curves = OPENSSL_built_in_curves();
for (size_t i = 0; i < OPENSSL_NUM_BUILT_IN_CURVES; i++) {
const struct built_in_curve *curve = &curves->curves[i];
@@ -374,26 +374,26 @@
return EC_KEY_parse_curve_name(cbs);
}
- /* OpenSSL sometimes produces ECPrivateKeys with explicitly-encoded versions
- * of named curves.
- *
- * TODO(davidben): Remove support for this. */
+ // OpenSSL sometimes produces ECPrivateKeys with explicitly-encoded versions
+ // of named curves.
+ //
+ // TODO(davidben): Remove support for this.
CBS prime, a, b, base_x, base_y, order;
if (!parse_explicit_prime_curve(cbs, &prime, &a, &b, &base_x, &base_y,
&order)) {
return NULL;
}
- /* Look for a matching prime curve. */
+ // Look for a matching prime curve.
const struct built_in_curves *const curves = OPENSSL_built_in_curves();
for (size_t i = 0; i < OPENSSL_NUM_BUILT_IN_CURVES; i++) {
const struct built_in_curve *curve = &curves->curves[i];
const unsigned param_len = curve->param_len;
- /* |curve->params| is ordered p, a, b, x, y, order, each component
- * zero-padded up to the field length. Although SEC 1 states that the
- * Field-Element-to-Octet-String conversion also pads, OpenSSL mis-encodes
- * |a| and |b|, so this comparison must allow omitting leading zeros. (This
- * is relevant for P-521 whose |b| has a leading 0.) */
+ // |curve->params| is ordered p, a, b, x, y, order, each component
+ // zero-padded up to the field length. Although SEC 1 states that the
+ // Field-Element-to-Octet-String conversion also pads, OpenSSL mis-encodes
+ // |a| and |b|, so this comparison must allow omitting leading zeros. (This
+ // is relevant for P-521 whose |b| has a leading 0.)
if (integers_equal(&prime, curve->params, param_len) &&
integers_equal(&a, curve->params + param_len, param_len) &&
integers_equal(&b, curve->params + param_len * 2, param_len) &&
@@ -420,8 +420,8 @@
}
EC_KEY *d2i_ECPrivateKey(EC_KEY **out, const uint8_t **inp, long len) {
- /* This function treats its |out| parameter differently from other |d2i|
- * functions. If supplied, take the group from |*out|. */
+ // This function treats its |out| parameter differently from other |d2i|
+ // functions. If supplied, take the group from |*out|.
const EC_GROUP *group = NULL;
if (out != NULL && *out != NULL) {
group = EC_KEY_get0_group(*out);
@@ -515,7 +515,7 @@
OPENSSL_PUT_ERROR(EC, ERR_R_EC_LIB);
return NULL;
}
- /* save the point conversion form */
+ // save the point conversion form
ret->conv_form = (point_conversion_form_t)(*inp[0] & ~0x01);
*inp += len;
return ret;
@@ -534,7 +534,7 @@
0, NULL);
if (outp == NULL || buf_len == 0) {
- /* out == NULL => just return the length of the octet string */
+ // out == NULL => just return the length of the octet string
return buf_len;
}
diff --git a/crypto/ecdh/ecdh.c b/crypto/ecdh/ecdh.c
index 22b216e..f38de2f 100644
--- a/crypto/ecdh/ecdh.c
+++ b/crypto/ecdh/ecdh.c
@@ -138,7 +138,7 @@
goto err;
}
} else {
- /* no KDF, just copy as much as we can */
+ // no KDF, just copy as much as we can
if (buflen < outlen) {
outlen = buflen;
}
diff --git a/crypto/ecdsa_extra/ecdsa_asn1.c b/crypto/ecdsa_extra/ecdsa_asn1.c
index 5d827dc..8d0bc41 100644
--- a/crypto/ecdsa_extra/ecdsa_asn1.c
+++ b/crypto/ecdsa_extra/ecdsa_asn1.c
@@ -120,17 +120,17 @@
int ret = 0;
uint8_t *der = NULL;
- /* Decode the ECDSA signature. */
+ // Decode the ECDSA signature.
s = ECDSA_SIG_from_bytes(sig, sig_len);
if (s == NULL) {
goto err;
}
- /* Defend against potential laxness in the DER parser. */
+ // Defend against potential laxness in the DER parser.
size_t der_len;
if (!ECDSA_SIG_to_bytes(&der, &der_len, s) ||
der_len != sig_len || OPENSSL_memcmp(sig, der, sig_len) != 0) {
- /* This should never happen. crypto/bytestring is strictly DER. */
+ // This should never happen. crypto/bytestring is strictly DER.
OPENSSL_PUT_ERROR(ECDSA, ERR_R_INTERNAL_ERROR);
goto err;
}
@@ -219,8 +219,8 @@
return 1;
}
-/* der_len_len returns the number of bytes needed to represent a length of |len|
- * in DER. */
+// der_len_len returns the number of bytes needed to represent a length of |len|
+// in DER.
static size_t der_len_len(size_t len) {
if (len < 0x80) {
return 1;
@@ -234,18 +234,18 @@
}
size_t ECDSA_SIG_max_len(size_t order_len) {
- /* Compute the maximum length of an |order_len| byte integer. Defensively
- * assume that the leading 0x00 is included. */
+ // Compute the maximum length of an |order_len| byte integer. Defensively
+ // assume that the leading 0x00 is included.
size_t integer_len = 1 /* tag */ + der_len_len(order_len + 1) + 1 + order_len;
if (integer_len < order_len) {
return 0;
}
- /* An ECDSA signature is two INTEGERs. */
+ // An ECDSA signature is two INTEGERs.
size_t value_len = 2 * integer_len;
if (value_len < integer_len) {
return 0;
}
- /* Add the header. */
+ // Add the header.
size_t ret = 1 /* tag */ + der_len_len(value_len) + value_len;
if (ret < value_len) {
return 0;
diff --git a/crypto/engine/engine.c b/crypto/engine/engine.c
index 141ed23..875f148 100644
--- a/crypto/engine/engine.c
+++ b/crypto/engine/engine.c
@@ -42,15 +42,15 @@
}
void ENGINE_free(ENGINE *engine) {
- /* Methods are currently required to be static so are not unref'ed. */
+ // Methods are currently required to be static so are not unref'ed.
OPENSSL_free(engine);
}
-/* set_method takes a pointer to a method and its given size and sets
- * |*out_member| to point to it. This function might want to be extended in the
- * future to support making a copy of the method so that a stable ABI for
- * ENGINEs can be supported. But, for the moment, all *_METHODS must be
- * static. */
+// set_method takes a pointer to a method and its given size and sets
+// |*out_member| to point to it. This function might want to be extended in the
+// future to support making a copy of the method so that a stable ABI for
+// ENGINEs can be supported. But, for the moment, all *_METHODS must be
+// static.
static int set_method(void **out_member, const void *method, size_t method_size,
size_t compiled_size) {
const struct openssl_method_common_st *common = method;
diff --git a/crypto/err/err.c b/crypto/err/err.c
index cbb1260..2c567ce 100644
--- a/crypto/err/err.c
+++ b/crypto/err/err.c
@@ -129,7 +129,7 @@
extern const size_t kOpenSSLReasonValuesLen;
extern const char kOpenSSLReasonStringData[];
-/* err_clear_data frees the optional |data| member of the given error. */
+// err_clear_data frees the optional |data| member of the given error.
static void err_clear_data(struct err_error_st *error) {
if ((error->flags & ERR_FLAG_MALLOCED) != 0) {
OPENSSL_free(error->data);
@@ -138,17 +138,17 @@
error->flags &= ~ERR_FLAG_MALLOCED;
}
-/* err_clear clears the given queued error. */
+// err_clear clears the given queued error.
static void err_clear(struct err_error_st *error) {
err_clear_data(error);
OPENSSL_memset(error, 0, sizeof(struct err_error_st));
}
-/* global_next_library contains the next custom library value to return. */
+// global_next_library contains the next custom library value to return.
static int global_next_library = ERR_NUM_LIBS;
-/* global_next_library_mutex protects |global_next_library| from concurrent
- * updates. */
+// global_next_library_mutex protects |global_next_library| from concurrent
+// updates.
static struct CRYPTO_STATIC_MUTEX global_next_library_mutex =
CRYPTO_STATIC_MUTEX_INIT;
@@ -167,7 +167,7 @@
OPENSSL_free(state);
}
-/* err_get_state gets the ERR_STATE object for the current thread. */
+// err_get_state gets the ERR_STATE object for the current thread.
static ERR_STATE *err_get_state(void) {
ERR_STATE *state = CRYPTO_get_thread_local(OPENSSL_THREAD_LOCAL_ERR);
if (state == NULL) {
@@ -199,7 +199,7 @@
if (top) {
assert(!inc);
- /* last error */
+ // last error
i = state->top;
} else {
i = (state->bottom + 1) % ERR_NUM_ERRORS;
@@ -229,11 +229,11 @@
if (flags != NULL) {
*flags = error->flags & ERR_FLAG_PUBLIC_MASK;
}
- /* If this error is being removed, take ownership of data from
- * the error. The semantics are such that the caller doesn't
- * take ownership either. Instead the error system takes
- * ownership and retains it until the next call that affects the
- * error queue. */
+ // If this error is being removed, take ownership of data from
+ // the error. The semantics are such that the caller doesn't
+ // take ownership either. Instead the error system takes
+ // ownership and retains it until the next call that affects the
+ // error queue.
if (inc) {
if (error->flags & ERR_FLAG_MALLOCED) {
OPENSSL_free(state->to_free);
@@ -342,13 +342,13 @@
static char buf[ERR_ERROR_STRING_BUF_LEN];
if (ret == NULL) {
- /* TODO(fork): remove this. */
+ // TODO(fork): remove this.
ret = buf;
}
#if !defined(NDEBUG)
- /* This is aimed to help catch callers who don't provide
- * |ERR_ERROR_STRING_BUF_LEN| bytes of space. */
+ // This is aimed to help catch callers who don't provide
+ // |ERR_ERROR_STRING_BUF_LEN| bytes of space.
OPENSSL_memset(ret, 0, ERR_ERROR_STRING_BUF_LEN);
#endif
@@ -386,15 +386,15 @@
packed_error, lib_str, reason_str);
if (strlen(buf) == len - 1) {
- /* output may be truncated; make sure we always have 5 colon-separated
- * fields, i.e. 4 colons. */
+ // output may be truncated; make sure we always have 5 colon-separated
+ // fields, i.e. 4 colons.
static const unsigned num_colons = 4;
unsigned i;
char *s = buf;
if (len <= num_colons) {
- /* In this situation it's not possible to ensure that the correct number
- * of colons are included in the output. */
+ // In this situation it's not possible to ensure that the correct number
+ // of colons are included in the output.
return;
}
@@ -403,10 +403,10 @@
char *last_pos = &buf[len - 1] - num_colons + i;
if (colon == NULL || colon > last_pos) {
- /* set colon |i| at last possible position (buf[len-1] is the
- * terminating 0). If we're setting this colon, then all whole of the
- * rest of the string must be colons in order to have the correct
- * number. */
+ // set colon |i| at last possible position (buf[len-1] is the
+ // terminating 0). If we're setting this colon, then all whole of the
+ // rest of the string must be colons in order to have the correct
+ // number.
OPENSSL_memset(last_pos, ':', num_colons - i);
break;
}
@@ -431,25 +431,25 @@
}
}
-/* err_string_lookup looks up the string associated with |lib| and |key| in
- * |values| and |string_data|. It returns the string or NULL if not found. */
+// err_string_lookup looks up the string associated with |lib| and |key| in
+// |values| and |string_data|. It returns the string or NULL if not found.
static const char *err_string_lookup(uint32_t lib, uint32_t key,
const uint32_t *values,
size_t num_values,
const char *string_data) {
- /* |values| points to data in err_data.h, which is generated by
- * err_data_generate.go. It's an array of uint32_t values. Each value has the
- * following structure:
- * | lib | key | offset |
- * |6 bits| 11 bits | 15 bits |
- *
- * The |lib| value is a library identifier: one of the |ERR_LIB_*| values.
- * The |key| is a reason code, depending on the context.
- * The |offset| is the number of bytes from the start of |string_data| where
- * the (NUL terminated) string for this value can be found.
- *
- * Values are sorted based on treating the |lib| and |key| part as an
- * unsigned integer. */
+ // |values| points to data in err_data.h, which is generated by
+ // err_data_generate.go. It's an array of uint32_t values. Each value has the
+ // following structure:
+ // | lib | key | offset |
+ // |6 bits| 11 bits | 15 bits |
+ //
+ // The |lib| value is a library identifier: one of the |ERR_LIB_*| values.
+ // The |key| is a reason code, depending on the context.
+ // The |offset| is the number of bytes from the start of |string_data| where
+ // the (NUL terminated) string for this value can be found.
+ //
+ // Values are sorted based on treating the |lib| and |key| part as an
+ // unsigned integer.
if (lib >= (1 << 6) || key >= (1 << 11)) {
return NULL;
}
@@ -465,38 +465,38 @@
static const char *const kLibraryNames[ERR_NUM_LIBS] = {
"invalid library (0)",
- "unknown library", /* ERR_LIB_NONE */
- "system library", /* ERR_LIB_SYS */
- "bignum routines", /* ERR_LIB_BN */
- "RSA routines", /* ERR_LIB_RSA */
- "Diffie-Hellman routines", /* ERR_LIB_DH */
- "public key routines", /* ERR_LIB_EVP */
- "memory buffer routines", /* ERR_LIB_BUF */
- "object identifier routines", /* ERR_LIB_OBJ */
- "PEM routines", /* ERR_LIB_PEM */
- "DSA routines", /* ERR_LIB_DSA */
- "X.509 certificate routines", /* ERR_LIB_X509 */
- "ASN.1 encoding routines", /* ERR_LIB_ASN1 */
- "configuration file routines", /* ERR_LIB_CONF */
- "common libcrypto routines", /* ERR_LIB_CRYPTO */
- "elliptic curve routines", /* ERR_LIB_EC */
- "SSL routines", /* ERR_LIB_SSL */
- "BIO routines", /* ERR_LIB_BIO */
- "PKCS7 routines", /* ERR_LIB_PKCS7 */
- "PKCS8 routines", /* ERR_LIB_PKCS8 */
- "X509 V3 routines", /* ERR_LIB_X509V3 */
- "random number generator", /* ERR_LIB_RAND */
- "ENGINE routines", /* ERR_LIB_ENGINE */
- "OCSP routines", /* ERR_LIB_OCSP */
- "UI routines", /* ERR_LIB_UI */
- "COMP routines", /* ERR_LIB_COMP */
- "ECDSA routines", /* ERR_LIB_ECDSA */
- "ECDH routines", /* ERR_LIB_ECDH */
- "HMAC routines", /* ERR_LIB_HMAC */
- "Digest functions", /* ERR_LIB_DIGEST */
- "Cipher functions", /* ERR_LIB_CIPHER */
- "HKDF functions", /* ERR_LIB_HKDF */
- "User defined functions", /* ERR_LIB_USER */
+ "unknown library", // ERR_LIB_NONE
+ "system library", // ERR_LIB_SYS
+ "bignum routines", // ERR_LIB_BN
+ "RSA routines", // ERR_LIB_RSA
+ "Diffie-Hellman routines", // ERR_LIB_DH
+ "public key routines", // ERR_LIB_EVP
+ "memory buffer routines", // ERR_LIB_BUF
+ "object identifier routines", // ERR_LIB_OBJ
+ "PEM routines", // ERR_LIB_PEM
+ "DSA routines", // ERR_LIB_DSA
+ "X.509 certificate routines", // ERR_LIB_X509
+ "ASN.1 encoding routines", // ERR_LIB_ASN1
+ "configuration file routines", // ERR_LIB_CONF
+ "common libcrypto routines", // ERR_LIB_CRYPTO
+ "elliptic curve routines", // ERR_LIB_EC
+ "SSL routines", // ERR_LIB_SSL
+ "BIO routines", // ERR_LIB_BIO
+ "PKCS7 routines", // ERR_LIB_PKCS7
+ "PKCS8 routines", // ERR_LIB_PKCS8
+ "X509 V3 routines", // ERR_LIB_X509V3
+ "random number generator", // ERR_LIB_RAND
+ "ENGINE routines", // ERR_LIB_ENGINE
+ "OCSP routines", // ERR_LIB_OCSP
+ "UI routines", // ERR_LIB_UI
+ "COMP routines", // ERR_LIB_COMP
+ "ECDSA routines", // ERR_LIB_ECDSA
+ "ECDH routines", // ERR_LIB_ECDH
+ "HMAC routines", // ERR_LIB_HMAC
+ "Digest functions", // ERR_LIB_DIGEST
+ "Cipher functions", // ERR_LIB_CIPHER
+ "HKDF functions", // ERR_LIB_HKDF
+ "User defined functions", // ERR_LIB_USER
};
const char *ERR_lib_error_string(uint32_t packed_error) {
@@ -555,8 +555,8 @@
int line, flags;
uint32_t packed_error;
- /* thread_hash is the least-significant bits of the |ERR_STATE| pointer value
- * for this thread. */
+ // thread_hash is the least-significant bits of the |ERR_STATE| pointer value
+ // for this thread.
const unsigned long thread_hash = (uintptr_t) err_get_state();
for (;;) {
@@ -585,8 +585,8 @@
ERR_print_errors_cb(print_errors_to_file, file);
}
-/* err_set_error_data sets the data on the most recent error. The |flags|
- * argument is a combination of the |ERR_FLAG_*| values. */
+// err_set_error_data sets the data on the most recent error. The |flags|
+// argument is a combination of the |ERR_FLAG_*| values.
static void err_set_error_data(char *data, int flags) {
ERR_STATE *const state = err_get_state();
struct err_error_st *error;
@@ -634,9 +634,9 @@
error->packed = ERR_PACK(library, reason);
}
-/* ERR_add_error_data_vdata takes a variable number of const char* pointers,
- * concatenates them and sets the result as the data on the most recent
- * error. */
+// ERR_add_error_data_vdata takes a variable number of const char* pointers,
+// concatenates them and sets the result as the data on the most recent
+// error.
static void err_add_error_vdata(unsigned num, va_list args) {
size_t alloced, new_len, len = 0, substr_len;
char *buf;
@@ -661,7 +661,7 @@
char *new_buf;
if (alloced + 20 + 1 < alloced) {
- /* overflow. */
+ // overflow.
OPENSSL_free(buf);
return;
}
@@ -695,9 +695,9 @@
char *buf;
static const unsigned buf_len = 256;
- /* A fixed-size buffer is used because va_copy (which would be needed in
- * order to call vsnprintf twice and measure the buffer) wasn't defined until
- * C99. */
+ // A fixed-size buffer is used because va_copy (which would be needed in
+ // order to call vsnprintf twice and measure the buffer) wasn't defined until
+ // C99.
buf = OPENSSL_malloc(buf_len + 1);
if (buf == NULL) {
return;
diff --git a/crypto/err/err_test.cc b/crypto/err/err_test.cc
index 8e820b8..5d04ae2 100644
--- a/crypto/err/err_test.cc
+++ b/crypto/err/err_test.cc
@@ -30,9 +30,9 @@
for (unsigned i = 0; i < ERR_NUM_ERRORS - 1; i++) {
SCOPED_TRACE(i);
uint32_t err = ERR_get_error();
- /* Errors are returned in order they were pushed, with the least recent ones
- * removed, up to |ERR_NUM_ERRORS - 1| errors. So the errors returned are
- * |ERR_NUM_ERRORS + 2| through |ERR_NUM_ERRORS * 2|, inclusive. */
+ // Errors are returned in order they were pushed, with the least recent ones
+ // removed, up to |ERR_NUM_ERRORS - 1| errors. So the errors returned are
+ // |ERR_NUM_ERRORS + 2| through |ERR_NUM_ERRORS * 2|, inclusive.
EXPECT_NE(0u, err);
EXPECT_EQ(static_cast<int>(i + ERR_NUM_ERRORS + 2), ERR_GET_REASON(err));
}
diff --git a/crypto/evp/digestsign.c b/crypto/evp/digestsign.c
index de41f87..6e4d305 100644
--- a/crypto/evp/digestsign.c
+++ b/crypto/evp/digestsign.c
@@ -196,8 +196,8 @@
int EVP_DigestSign(EVP_MD_CTX *ctx, uint8_t *out_sig, size_t *out_sig_len,
const uint8_t *data, size_t data_len) {
if (uses_prehash(ctx, evp_sign)) {
- /* If |out_sig| is NULL, the caller is only querying the maximum output
- * length. |data| should only be incorporated in the final call. */
+ // If |out_sig| is NULL, the caller is only querying the maximum output
+ // length. |data| should only be incorporated in the final call.
if (out_sig != NULL &&
!EVP_DigestSignUpdate(ctx, data, data_len)) {
return 0;
diff --git a/crypto/evp/evp.c b/crypto/evp/evp.c
index 117e774..ad5f85b 100644
--- a/crypto/evp/evp.c
+++ b/crypto/evp/evp.c
@@ -127,7 +127,7 @@
if (a->ameth) {
int ret;
- /* Compare parameters if the algorithm has them */
+ // Compare parameters if the algorithm has them
if (a->ameth->param_cmp) {
ret = a->ameth->param_cmp(a, b);
if (ret <= 0) {
@@ -187,9 +187,9 @@
return pkey->type;
}
-/* evp_pkey_asn1_find returns the ASN.1 method table for the given |nid|, which
- * should be one of the |EVP_PKEY_*| values. It returns NULL if |nid| is
- * unknown. */
+// evp_pkey_asn1_find returns the ASN.1 method table for the given |nid|, which
+// should be one of the |EVP_PKEY_*| values. It returns NULL if |nid| is
+// unknown.
static const EVP_PKEY_ASN1_METHOD *evp_pkey_asn1_find(int nid) {
switch (nid) {
case EVP_PKEY_RSA:
diff --git a/crypto/evp/evp_asn1.c b/crypto/evp/evp_asn1.c
index 1f8d3eb..bcb86d7 100644
--- a/crypto/evp/evp_asn1.c
+++ b/crypto/evp/evp_asn1.c
@@ -94,7 +94,7 @@
}
EVP_PKEY *EVP_parse_public_key(CBS *cbs) {
- /* Parse the SubjectPublicKeyInfo. */
+ // Parse the SubjectPublicKeyInfo.
CBS spki, algorithm, key;
int type;
uint8_t padding;
@@ -103,22 +103,22 @@
!parse_key_type(&algorithm, &type) ||
!CBS_get_asn1(&spki, &key, CBS_ASN1_BITSTRING) ||
CBS_len(&spki) != 0 ||
- /* Every key type defined encodes the key as a byte string with the same
- * conversion to BIT STRING. */
+ // Every key type defined encodes the key as a byte string with the same
+ // conversion to BIT STRING.
!CBS_get_u8(&key, &padding) ||
padding != 0) {
OPENSSL_PUT_ERROR(EVP, EVP_R_DECODE_ERROR);
return NULL;
}
- /* Set up an |EVP_PKEY| of the appropriate type. */
+ // Set up an |EVP_PKEY| of the appropriate type.
EVP_PKEY *ret = EVP_PKEY_new();
if (ret == NULL ||
!EVP_PKEY_set_type(ret, type)) {
goto err;
}
- /* Call into the type-specific SPKI decoding function. */
+ // Call into the type-specific SPKI decoding function.
if (ret->ameth->pub_decode == NULL) {
OPENSSL_PUT_ERROR(EVP, EVP_R_UNSUPPORTED_ALGORITHM);
goto err;
@@ -144,7 +144,7 @@
}
EVP_PKEY *EVP_parse_private_key(CBS *cbs) {
- /* Parse the PrivateKeyInfo. */
+ // Parse the PrivateKeyInfo.
CBS pkcs8, algorithm, key;
uint64_t version;
int type;
@@ -158,16 +158,16 @@
return NULL;
}
- /* A PrivateKeyInfo ends with a SET of Attributes which we ignore. */
+ // A PrivateKeyInfo ends with a SET of Attributes which we ignore.
- /* Set up an |EVP_PKEY| of the appropriate type. */
+ // Set up an |EVP_PKEY| of the appropriate type.
EVP_PKEY *ret = EVP_PKEY_new();
if (ret == NULL ||
!EVP_PKEY_set_type(ret, type)) {
goto err;
}
- /* Call into the type-specific PrivateKeyInfo decoding function. */
+ // Call into the type-specific PrivateKeyInfo decoding function.
if (ret->ameth->priv_decode == NULL) {
OPENSSL_PUT_ERROR(EVP, EVP_R_UNSUPPORTED_ALGORITHM);
goto err;
@@ -240,12 +240,12 @@
return NULL;
}
- /* Parse with the legacy format. */
+ // Parse with the legacy format.
CBS cbs;
CBS_init(&cbs, *inp, (size_t)len);
EVP_PKEY *ret = old_priv_decode(&cbs, type);
if (ret == NULL) {
- /* Try again with PKCS#8. */
+ // Try again with PKCS#8.
ERR_clear_error();
CBS_init(&cbs, *inp, (size_t)len);
ret = EVP_parse_private_key(&cbs);
@@ -267,8 +267,8 @@
return ret;
}
-/* num_elements parses one SEQUENCE from |in| and returns the number of elements
- * in it. On parse error, it returns zero. */
+// num_elements parses one SEQUENCE from |in| and returns the number of elements
+// in it. On parse error, it returns zero.
static size_t num_elements(const uint8_t *in, size_t in_len) {
CBS cbs, sequence;
CBS_init(&cbs, in, (size_t)in_len);
@@ -295,7 +295,7 @@
return NULL;
}
- /* Parse the input as a PKCS#8 PrivateKeyInfo. */
+ // Parse the input as a PKCS#8 PrivateKeyInfo.
CBS cbs;
CBS_init(&cbs, *inp, (size_t)len);
EVP_PKEY *ret = EVP_parse_private_key(&cbs);
@@ -309,7 +309,7 @@
}
ERR_clear_error();
- /* Count the elements to determine the legacy key format. */
+ // Count the elements to determine the legacy key format.
switch (num_elements(*inp, (size_t)len)) {
case 4:
return d2i_PrivateKey(EVP_PKEY_EC, out, inp, len);
diff --git a/crypto/evp/evp_ctx.c b/crypto/evp/evp_ctx.c
index 8d092ee..3599f77 100644
--- a/crypto/evp/evp_ctx.c
+++ b/crypto/evp/evp_ctx.c
@@ -369,11 +369,11 @@
return 0;
}
- /* ran@cryptocom.ru: For clarity. The error is if parameters in peer are
- * present (!missing) but don't match. EVP_PKEY_cmp_parameters may return
- * 1 (match), 0 (don't match) and -2 (comparison is not defined). -1
- * (different key types) is impossible here because it is checked earlier.
- * -2 is OK for us here, as well as 1, so we can check for 0 only. */
+ // ran@cryptocom.ru: For clarity. The error is if parameters in peer are
+ // present (!missing) but don't match. EVP_PKEY_cmp_parameters may return
+ // 1 (match), 0 (don't match) and -2 (comparison is not defined). -1
+ // (different key types) is impossible here because it is checked earlier.
+ // -2 is OK for us here, as well as 1, so we can check for 0 only.
if (!EVP_PKEY_missing_parameters(peer) &&
!EVP_PKEY_cmp_parameters(ctx->pkey, peer)) {
OPENSSL_PUT_ERROR(EVP, EVP_R_DIFFERENT_PARAMETERS);
diff --git a/crypto/evp/internal.h b/crypto/evp/internal.h
index 5e9aab0..4aefa35 100644
--- a/crypto/evp/internal.h
+++ b/crypto/evp/internal.h
@@ -71,33 +71,33 @@
uint8_t oid[9];
uint8_t oid_len;
- /* pub_decode decodes |params| and |key| as a SubjectPublicKeyInfo
- * and writes the result into |out|. It returns one on success and zero on
- * error. |params| is the AlgorithmIdentifier after the OBJECT IDENTIFIER
- * type field, and |key| is the contents of the subjectPublicKey with the
- * leading padding byte checked and removed. Although X.509 uses BIT STRINGs
- * to represent SubjectPublicKeyInfo, every key type defined encodes the key
- * as a byte string with the same conversion to BIT STRING. */
+ // pub_decode decodes |params| and |key| as a SubjectPublicKeyInfo
+ // and writes the result into |out|. It returns one on success and zero on
+ // error. |params| is the AlgorithmIdentifier after the OBJECT IDENTIFIER
+ // type field, and |key| is the contents of the subjectPublicKey with the
+ // leading padding byte checked and removed. Although X.509 uses BIT STRINGs
+ // to represent SubjectPublicKeyInfo, every key type defined encodes the key
+ // as a byte string with the same conversion to BIT STRING.
int (*pub_decode)(EVP_PKEY *out, CBS *params, CBS *key);
- /* pub_encode encodes |key| as a SubjectPublicKeyInfo and appends the result
- * to |out|. It returns one on success and zero on error. */
+ // pub_encode encodes |key| as a SubjectPublicKeyInfo and appends the result
+ // to |out|. It returns one on success and zero on error.
int (*pub_encode)(CBB *out, const EVP_PKEY *key);
int (*pub_cmp)(const EVP_PKEY *a, const EVP_PKEY *b);
- /* priv_decode decodes |params| and |key| as a PrivateKeyInfo and writes the
- * result into |out|. It returns one on success and zero on error. |params| is
- * the AlgorithmIdentifier after the OBJECT IDENTIFIER type field, and |key|
- * is the contents of the OCTET STRING privateKey field. */
+ // priv_decode decodes |params| and |key| as a PrivateKeyInfo and writes the
+ // result into |out|. It returns one on success and zero on error. |params| is
+ // the AlgorithmIdentifier after the OBJECT IDENTIFIER type field, and |key|
+ // is the contents of the OCTET STRING privateKey field.
int (*priv_decode)(EVP_PKEY *out, CBS *params, CBS *key);
- /* priv_encode encodes |key| as a PrivateKeyInfo and appends the result to
- * |out|. It returns one on success and zero on error. */
+ // priv_encode encodes |key| as a PrivateKeyInfo and appends the result to
+ // |out|. It returns one on success and zero on error.
int (*priv_encode)(CBB *out, const EVP_PKEY *key);
- /* pkey_opaque returns 1 if the |pk| is opaque. Opaque keys are backed by
- * custom implementations which do not expose key material and parameters.*/
+ // pkey_opaque returns 1 if the |pk| is opaque. Opaque keys are backed by
+ // custom implementations which do not expose key material and parameters.
int (*pkey_opaque)(const EVP_PKEY *pk);
int (*pkey_size)(const EVP_PKEY *pk);
@@ -130,33 +130,33 @@
#define EVP_PKEY_OP_TYPE_GEN EVP_PKEY_OP_KEYGEN
-/* EVP_PKEY_CTX_ctrl performs |cmd| on |ctx|. The |keytype| and |optype|
- * arguments can be -1 to specify that any type and operation are acceptable,
- * otherwise |keytype| must match the type of |ctx| and the bits of |optype|
- * must intersect the operation flags set on |ctx|.
- *
- * The |p1| and |p2| arguments depend on the value of |cmd|.
- *
- * It returns one on success and zero on error. */
+// EVP_PKEY_CTX_ctrl performs |cmd| on |ctx|. The |keytype| and |optype|
+// arguments can be -1 to specify that any type and operation are acceptable,
+// otherwise |keytype| must match the type of |ctx| and the bits of |optype|
+// must intersect the operation flags set on |ctx|.
+//
+// The |p1| and |p2| arguments depend on the value of |cmd|.
+//
+// It returns one on success and zero on error.
OPENSSL_EXPORT int EVP_PKEY_CTX_ctrl(EVP_PKEY_CTX *ctx, int keytype, int optype,
int cmd, int p1, void *p2);
#define EVP_PKEY_CTRL_MD 1
#define EVP_PKEY_CTRL_GET_MD 2
-/* EVP_PKEY_CTRL_PEER_KEY is called with different values of |p1|:
- * 0: Is called from |EVP_PKEY_derive_set_peer| and |p2| contains a peer key.
- * If the return value is <= 0, the key is rejected.
- * 1: Is called at the end of |EVP_PKEY_derive_set_peer| and |p2| contains a
- * peer key. If the return value is <= 0, the key is rejected.
- * 2: Is called with |p2| == NULL to test whether the peer's key was used.
- * (EC)DH always return one in this case.
- * 3: Is called with |p2| == NULL to set whether the peer's key was used.
- * (EC)DH always return one in this case. This was only used for GOST. */
+// EVP_PKEY_CTRL_PEER_KEY is called with different values of |p1|:
+// 0: Is called from |EVP_PKEY_derive_set_peer| and |p2| contains a peer key.
+// If the return value is <= 0, the key is rejected.
+// 1: Is called at the end of |EVP_PKEY_derive_set_peer| and |p2| contains a
+// peer key. If the return value is <= 0, the key is rejected.
+// 2: Is called with |p2| == NULL to test whether the peer's key was used.
+// (EC)DH always return one in this case.
+// 3: Is called with |p2| == NULL to set whether the peer's key was used.
+// (EC)DH always return one in this case. This was only used for GOST.
#define EVP_PKEY_CTRL_PEER_KEY 3
-/* EVP_PKEY_ALG_CTRL is the base value from which key-type specific ctrl
- * commands are numbered. */
+// EVP_PKEY_ALG_CTRL is the base value from which key-type specific ctrl
+// commands are numbered.
#define EVP_PKEY_ALG_CTRL 0x1000
#define EVP_PKEY_CTRL_RSA_PADDING (EVP_PKEY_ALG_CTRL + 1)
@@ -173,17 +173,17 @@
#define EVP_PKEY_CTRL_GET_RSA_OAEP_LABEL (EVP_PKEY_ALG_CTRL + 12)
struct evp_pkey_ctx_st {
- /* Method associated with this operation */
+ // Method associated with this operation
const EVP_PKEY_METHOD *pmeth;
- /* Engine that implements this method or NULL if builtin */
+ // Engine that implements this method or NULL if builtin
ENGINE *engine;
- /* Key: may be NULL */
+ // Key: may be NULL
EVP_PKEY *pkey;
- /* Peer key for key agreement, may be NULL */
+ // Peer key for key agreement, may be NULL
EVP_PKEY *peerkey;
- /* operation contains one of the |EVP_PKEY_OP_*| values. */
+ // operation contains one of the |EVP_PKEY_OP_*| values.
int operation;
- /* Algorithm specific data */
+ // Algorithm specific data
void *data;
} /* EVP_PKEY_CTX */;
@@ -226,8 +226,8 @@
union {
uint8_t priv[64];
struct {
- /* Shift the location of the public key to align with where it is in the
- * private key representation. */
+ // Shift the location of the public key to align with where it is in the
+ // private key representation.
uint8_t pad[32];
uint8_t value[32];
} pub;
@@ -246,7 +246,7 @@
#if defined(__cplusplus)
-} /* extern C */
+} // extern C
#endif
-#endif /* OPENSSL_HEADER_EVP_INTERNAL_H */
+#endif // OPENSSL_HEADER_EVP_INTERNAL_H
diff --git a/crypto/evp/p_dsa_asn1.c b/crypto/evp/p_dsa_asn1.c
index 0e5cdee..16d78b7 100644
--- a/crypto/evp/p_dsa_asn1.c
+++ b/crypto/evp/p_dsa_asn1.c
@@ -65,9 +65,9 @@
static int dsa_pub_decode(EVP_PKEY *out, CBS *params, CBS *key) {
- /* See RFC 3279, section 2.3.2. */
+ // See RFC 3279, section 2.3.2.
- /* Parameters may or may not be present. */
+ // Parameters may or may not be present.
DSA *dsa;
if (CBS_len(params) == 0) {
dsa = DSA_new();
@@ -105,7 +105,7 @@
const DSA *dsa = key->pkey.dsa;
const int has_params = dsa->p != NULL && dsa->q != NULL && dsa->g != NULL;
- /* See RFC 5480, section 2. */
+ // See RFC 5480, section 2.
CBB spki, algorithm, oid, key_bitstring;
if (!CBB_add_asn1(out, &spki, CBS_ASN1_SEQUENCE) ||
!CBB_add_asn1(&spki, &algorithm, CBS_ASN1_SEQUENCE) ||
@@ -125,9 +125,9 @@
}
static int dsa_priv_decode(EVP_PKEY *out, CBS *params, CBS *key) {
- /* See PKCS#11, v2.40, section 2.5. */
+ // See PKCS#11, v2.40, section 2.5.
- /* Decode parameters. */
+ // Decode parameters.
BN_CTX *ctx = NULL;
DSA *dsa = DSA_parse_parameters(params);
if (dsa == NULL || CBS_len(params) != 0) {
@@ -141,14 +141,14 @@
goto err;
}
- /* Decode the key. */
+ // Decode the key.
if (!BN_parse_asn1_unsigned(key, dsa->priv_key) ||
CBS_len(key) != 0) {
OPENSSL_PUT_ERROR(EVP, EVP_R_DECODE_ERROR);
goto err;
}
- /* Calculate the public key. */
+ // Calculate the public key.
ctx = BN_CTX_new();
if (ctx == NULL ||
!BN_mod_exp_mont(dsa->pub_key, dsa->g, dsa->priv_key, dsa->p, ctx,
@@ -173,7 +173,7 @@
return 0;
}
- /* See PKCS#11, v2.40, section 2.5. */
+ // See PKCS#11, v2.40, section 2.5.
CBB pkcs8, algorithm, oid, private_key;
if (!CBB_add_asn1(out, &pkcs8, CBS_ASN1_SEQUENCE) ||
!CBB_add_asn1_uint64(&pkcs8, 0 /* version */) ||
@@ -245,7 +245,7 @@
const EVP_PKEY_ASN1_METHOD dsa_asn1_meth = {
EVP_PKEY_DSA,
- /* 1.2.840.10040.4.1 */
+ // 1.2.840.10040.4.1
{0x2a, 0x86, 0x48, 0xce, 0x38, 0x04, 0x01}, 7,
dsa_pub_decode,
diff --git a/crypto/evp/p_ec.c b/crypto/evp/p_ec.c
index e2502a3..d311d22 100644
--- a/crypto/evp/p_ec.c
+++ b/crypto/evp/p_ec.c
@@ -74,7 +74,7 @@
typedef struct {
- /* message digest */
+ // message digest
const EVP_MD *md;
} EC_PKEY_CTX;
@@ -161,8 +161,8 @@
}
pubkey = EC_KEY_get0_public_key(ctx->peerkey->pkey.ec);
- /* NB: unlike PKCS#3 DH, if *outlen is less than maximum size this is
- * not an error, the result is truncated. */
+ // NB: unlike PKCS#3 DH, if *outlen is less than maximum size this is
+ // not an error, the result is truncated.
outlen = *keylen;
@@ -196,7 +196,7 @@
return 1;
case EVP_PKEY_CTRL_PEER_KEY:
- /* Default behaviour is OK */
+ // Default behaviour is OK
return 1;
default:
diff --git a/crypto/evp/p_ec_asn1.c b/crypto/evp/p_ec_asn1.c
index 1f1bf2f..c5828d9 100644
--- a/crypto/evp/p_ec_asn1.c
+++ b/crypto/evp/p_ec_asn1.c
@@ -70,7 +70,7 @@
const EC_GROUP *group = EC_KEY_get0_group(ec_key);
const EC_POINT *public_key = EC_KEY_get0_public_key(ec_key);
- /* See RFC 5480, section 2. */
+ // See RFC 5480, section 2.
CBB spki, algorithm, oid, key_bitstring;
if (!CBB_add_asn1(out, &spki, CBS_ASN1_SEQUENCE) ||
!CBB_add_asn1(&spki, &algorithm, CBS_ASN1_SEQUENCE) ||
@@ -90,9 +90,9 @@
}
static int eckey_pub_decode(EVP_PKEY *out, CBS *params, CBS *key) {
- /* See RFC 5480, section 2. */
+ // See RFC 5480, section 2.
- /* The parameters are a named curve. */
+ // The parameters are a named curve.
EC_POINT *point = NULL;
EC_KEY *eckey = NULL;
EC_GROUP *group = EC_KEY_parse_curve_name(params);
@@ -141,7 +141,7 @@
}
static int eckey_priv_decode(EVP_PKEY *out, CBS *params, CBS *key) {
- /* See RFC 5915. */
+ // See RFC 5915.
EC_GROUP *group = EC_KEY_parse_parameters(params);
if (group == NULL || CBS_len(params) != 0) {
OPENSSL_PUT_ERROR(EVP, EVP_R_DECODE_ERROR);
@@ -164,13 +164,13 @@
static int eckey_priv_encode(CBB *out, const EVP_PKEY *key) {
const EC_KEY *ec_key = key->pkey.ec;
- /* Omit the redundant copy of the curve name. This contradicts RFC 5915 but
- * aligns with PKCS #11. SEC 1 only says they may be omitted if known by other
- * means. Both OpenSSL and NSS omit the redundant parameters, so we omit them
- * as well. */
+ // Omit the redundant copy of the curve name. This contradicts RFC 5915 but
+ // aligns with PKCS #11. SEC 1 only says they may be omitted if known by other
+ // means. Both OpenSSL and NSS omit the redundant parameters, so we omit them
+ // as well.
unsigned enc_flags = EC_KEY_get_enc_flags(ec_key) | EC_PKEY_NO_PARAMETERS;
- /* See RFC 5915. */
+ // See RFC 5915.
CBB pkcs8, algorithm, oid, private_key;
if (!CBB_add_asn1(out, &pkcs8, CBS_ASN1_SEQUENCE) ||
!CBB_add_asn1_uint64(&pkcs8, 0 /* version */) ||
@@ -219,7 +219,7 @@
const EC_GROUP *group_a = EC_KEY_get0_group(a->pkey.ec),
*group_b = EC_KEY_get0_group(b->pkey.ec);
if (EC_GROUP_cmp(group_a, group_b, NULL) != 0) {
- /* mismatch */
+ // mismatch
return 0;
}
return 1;
@@ -233,7 +233,7 @@
const EVP_PKEY_ASN1_METHOD ec_asn1_meth = {
EVP_PKEY_EC,
- /* 1.2.840.10045.2.1 */
+ // 1.2.840.10045.2.1
{0x2a, 0x86, 0x48, 0xce, 0x3d, 0x02, 0x01}, 7,
eckey_pub_decode,
diff --git a/crypto/evp/p_ed25519.c b/crypto/evp/p_ed25519.c
index 0722624..554a379 100644
--- a/crypto/evp/p_ed25519.c
+++ b/crypto/evp/p_ed25519.c
@@ -20,7 +20,7 @@
#include "internal.h"
-/* Ed25519 has no parameters to copy. */
+// Ed25519 has no parameters to copy.
static int pkey_ed25519_copy(EVP_PKEY_CTX *dst, EVP_PKEY_CTX *src) { return 1; }
static int pkey_ed25519_sign_message(EVP_PKEY_CTX *ctx, uint8_t *sig,
diff --git a/crypto/evp/p_ed25519_asn1.c b/crypto/evp/p_ed25519_asn1.c
index 8cb359e..37aebe0 100644
--- a/crypto/evp/p_ed25519_asn1.c
+++ b/crypto/evp/p_ed25519_asn1.c
@@ -61,9 +61,9 @@
}
static int ed25519_pub_decode(EVP_PKEY *out, CBS *params, CBS *key) {
- /* See draft-ietf-curdle-pkix-04, section 4. */
+ // See draft-ietf-curdle-pkix-04, section 4.
- /* The parameters must be omitted. Public keys have length 32. */
+ // The parameters must be omitted. Public keys have length 32.
if (CBS_len(params) != 0 ||
CBS_len(key) != 32) {
OPENSSL_PUT_ERROR(EVP, EVP_R_DECODE_ERROR);
@@ -76,7 +76,7 @@
static int ed25519_pub_encode(CBB *out, const EVP_PKEY *pkey) {
const ED25519_KEY *key = pkey->pkey.ptr;
- /* See draft-ietf-curdle-pkix-04, section 4. */
+ // See draft-ietf-curdle-pkix-04, section 4.
CBB spki, algorithm, oid, key_bitstring;
if (!CBB_add_asn1(out, &spki, CBS_ASN1_SEQUENCE) ||
!CBB_add_asn1(&spki, &algorithm, CBS_ASN1_SEQUENCE) ||
@@ -100,10 +100,10 @@
}
static int ed25519_priv_decode(EVP_PKEY *out, CBS *params, CBS *key) {
- /* See draft-ietf-curdle-pkix-04, section 7. */
+ // See draft-ietf-curdle-pkix-04, section 7.
- /* Parameters must be empty. The key is a 32-byte value wrapped in an extra
- * OCTET STRING layer. */
+ // Parameters must be empty. The key is a 32-byte value wrapped in an extra
+ // OCTET STRING layer.
CBS inner;
if (CBS_len(params) != 0 ||
!CBS_get_asn1(key, &inner, CBS_ASN1_OCTETSTRING) ||
@@ -113,8 +113,8 @@
return 0;
}
- /* The PKCS#8 encoding stores only the 32-byte seed, so we must recover the
- * full representation which we use from it. */
+ // The PKCS#8 encoding stores only the 32-byte seed, so we must recover the
+ // full representation which we use from it.
uint8_t pubkey[32], privkey[64];
ED25519_keypair_from_seed(pubkey, privkey, CBS_data(&inner));
return set_privkey(out, privkey);
@@ -127,7 +127,7 @@
return 0;
}
- /* See draft-ietf-curdle-pkix-04, section 7. */
+ // See draft-ietf-curdle-pkix-04, section 7.
CBB pkcs8, algorithm, oid, private_key, inner;
if (!CBB_add_asn1(out, &pkcs8, CBS_ASN1_SEQUENCE) ||
!CBB_add_asn1_uint64(&pkcs8, 0 /* version */) ||
@@ -136,8 +136,8 @@
!CBB_add_bytes(&oid, ed25519_asn1_meth.oid, ed25519_asn1_meth.oid_len) ||
!CBB_add_asn1(&pkcs8, &private_key, CBS_ASN1_OCTETSTRING) ||
!CBB_add_asn1(&private_key, &inner, CBS_ASN1_OCTETSTRING) ||
- /* The PKCS#8 encoding stores only the 32-byte seed which is the first 32
- * bytes of the private key. */
+ // The PKCS#8 encoding stores only the 32-byte seed which is the first 32
+ // bytes of the private key.
!CBB_add_bytes(&inner, key->key.priv, 32) ||
!CBB_flush(out)) {
OPENSSL_PUT_ERROR(EVP, EVP_R_ENCODE_ERROR);
diff --git a/crypto/evp/p_rsa.c b/crypto/evp/p_rsa.c
index 36aa524..08c01c2 100644
--- a/crypto/evp/p_rsa.c
+++ b/crypto/evp/p_rsa.c
@@ -73,21 +73,21 @@
typedef struct {
- /* Key gen parameters */
+ // Key gen parameters
int nbits;
BIGNUM *pub_exp;
- /* RSA padding mode */
+ // RSA padding mode
int pad_mode;
- /* message digest */
+ // message digest
const EVP_MD *md;
- /* message digest for MGF1 */
+ // message digest for MGF1
const EVP_MD *mgf1md;
- /* PSS salt length */
+ // PSS salt length
int saltlen;
- /* tbuf is a buffer which is either NULL, or is the size of the RSA modulus.
- * It's used to store the output of RSA operations. */
+ // tbuf is a buffer which is either NULL, or is the size of the RSA modulus.
+ // It's used to store the output of RSA operations.
uint8_t *tbuf;
- /* OAEP label */
+ // OAEP label
uint8_t *oaep_label;
size_t oaep_labellen;
} RSA_PKEY_CTX;
@@ -260,7 +260,7 @@
return 0;
}
- /* Assemble the encoded hash, using a placeholder hash value. */
+ // Assemble the encoded hash, using a placeholder hash value.
static const uint8_t kDummyHash[EVP_MAX_MD_SIZE] = {0};
const size_t hash_len = EVP_MD_size(rctx->md);
uint8_t *asn1_prefix;
@@ -278,7 +278,7 @@
if (!RSA_verify_raw(rsa, &rslen, rctx->tbuf, key_len, sig, sig_len,
RSA_PKCS1_PADDING) ||
rslen != asn1_prefix_len ||
- /* Compare all but the hash suffix. */
+ // Compare all but the hash suffix.
CRYPTO_memcmp(rctx->tbuf, asn1_prefix, asn1_prefix_len - hash_len) != 0) {
ok = 0;
}
diff --git a/crypto/evp/p_rsa_asn1.c b/crypto/evp/p_rsa_asn1.c
index 866fc59..3231ffb 100644
--- a/crypto/evp/p_rsa_asn1.c
+++ b/crypto/evp/p_rsa_asn1.c
@@ -77,7 +77,7 @@
}
static int rsa_pub_encode(CBB *out, const EVP_PKEY *key) {
- /* See RFC 3279, section 2.3.1. */
+ // See RFC 3279, section 2.3.1.
CBB spki, algorithm, oid, null, key_bitstring;
if (!CBB_add_asn1(out, &spki, CBS_ASN1_SEQUENCE) ||
!CBB_add_asn1(&spki, &algorithm, CBS_ASN1_SEQUENCE) ||
@@ -101,9 +101,9 @@
buggy = g_buggy;
CRYPTO_STATIC_MUTEX_unlock_read(&g_buggy_lock);
- /* See RFC 3279, section 2.3.1. */
+ // See RFC 3279, section 2.3.1.
- /* The parameters must be NULL. */
+ // The parameters must be NULL.
CBS null;
if (!CBS_get_asn1(params, &null, CBS_ASN1_NULL) ||
CBS_len(&null) != 0 ||
@@ -112,12 +112,12 @@
return 0;
}
- /* Estonian IDs issued between September 2014 to September 2015 are
- * broken. See https://crbug.com/532048 and https://crbug.com/534766.
- *
- * TODO(davidben): Switch this to the strict version in March 2016 or when
- * Chromium can force client certificates down a different codepath, whichever
- * comes first. */
+ // Estonian IDs issued between September 2014 to September 2015 are
+ // broken. See https://crbug.com/532048 and https://crbug.com/534766.
+ //
+ // TODO(davidben): Switch this to the strict version in March 2016 or when
+ // Chromium can force client certificates down a different codepath, whichever
+ // comes first.
RSA *rsa = buggy ? RSA_parse_public_key_buggy(key) : RSA_parse_public_key(key);
if (rsa == NULL || CBS_len(key) != 0) {
OPENSSL_PUT_ERROR(EVP, EVP_R_DECODE_ERROR);
@@ -153,7 +153,7 @@
}
static int rsa_priv_decode(EVP_PKEY *out, CBS *params, CBS *key) {
- /* Per RFC 3447, A.1, the parameters have type NULL. */
+ // Per RFC 3447, A.1, the parameters have type NULL.
CBS null;
if (!CBS_get_asn1(params, &null, CBS_ASN1_NULL) ||
CBS_len(&null) != 0 ||
@@ -189,7 +189,7 @@
const EVP_PKEY_ASN1_METHOD rsa_asn1_meth = {
EVP_PKEY_RSA,
- /* 1.2.840.113549.1.1.1 */
+ // 1.2.840.113549.1.1.1
{0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x01, 0x01}, 9,
rsa_pub_decode,
diff --git a/crypto/evp/pbkdf.c b/crypto/evp/pbkdf.c
index daebb2d..f23a74b 100644
--- a/crypto/evp/pbkdf.c
+++ b/crypto/evp/pbkdf.c
@@ -65,7 +65,7 @@
int PKCS5_PBKDF2_HMAC(const char *password, size_t password_len,
const uint8_t *salt, size_t salt_len, unsigned iterations,
const EVP_MD *digest, size_t key_len, uint8_t *out_key) {
- /* See RFC 8018, section 5.2. */
+ // See RFC 8018, section 5.2.
int ret = 0;
size_t md_len = EVP_MD_size(digest);
uint32_t i = 1;
@@ -88,7 +88,7 @@
i_buf[2] = (uint8_t)((i >> 8) & 0xff);
i_buf[3] = (uint8_t)(i & 0xff);
- /* Compute U_1. */
+ // Compute U_1.
uint8_t digest_tmp[EVP_MAX_MD_SIZE];
if (!HMAC_Init_ex(&hctx, NULL, 0, NULL, NULL) ||
!HMAC_Update(&hctx, salt, salt_len) ||
@@ -99,7 +99,7 @@
OPENSSL_memcpy(out_key, digest_tmp, todo);
for (unsigned j = 1; j < iterations; j++) {
- /* Compute the remaining U_* values and XOR. */
+ // Compute the remaining U_* values and XOR.
if (!HMAC_Init_ex(&hctx, NULL, 0, NULL, NULL) ||
!HMAC_Update(&hctx, digest_tmp, md_len) ||
!HMAC_Final(&hctx, digest_tmp, NULL)) {
@@ -115,17 +115,17 @@
i++;
}
- /* RFC 8018 describes iterations (c) as being a "positive integer", so a
- * value of 0 is an error.
- *
- * Unfortunately not all consumers of PKCS5_PBKDF2_HMAC() check their return
- * value, expecting it to succeed and unconditionally using |out_key|. As a
- * precaution for such callsites in external code, the old behavior of
- * iterations < 1 being treated as iterations == 1 is preserved, but
- * additionally an error result is returned.
- *
- * TODO(eroman): Figure out how to remove this compatibility hack, or change
- * the default to something more sensible like 2048. */
+ // RFC 8018 describes iterations (c) as being a "positive integer", so a
+ // value of 0 is an error.
+ //
+ // Unfortunately not all consumers of PKCS5_PBKDF2_HMAC() check their return
+ // value, expecting it to succeed and unconditionally using |out_key|. As a
+ // precaution for such callsites in external code, the old behavior of
+ // iterations < 1 being treated as iterations == 1 is preserved, but
+ // additionally an error result is returned.
+ //
+ // TODO(eroman): Figure out how to remove this compatibility hack, or change
+ // the default to something more sensible like 2048.
if (iterations == 0) {
goto err;
}
diff --git a/crypto/evp/print.c b/crypto/evp/print.c
index a774087..3621d5f 100644
--- a/crypto/evp/print.c
+++ b/crypto/evp/print.c
@@ -131,7 +131,7 @@
}
}
-/* RSA keys. */
+// RSA keys.
static int do_rsa_print(BIO *out, const RSA *rsa, int off,
int include_private) {
@@ -212,7 +212,7 @@
}
-/* DSA keys. */
+// DSA keys.
static int do_dsa_print(BIO *bp, const DSA *x, int off, int ptype) {
uint8_t *m = NULL;
@@ -288,7 +288,7 @@
}
-/* EC keys. */
+// EC keys.
static int do_EC_KEY_print(BIO *bp, const EC_KEY *x, int off, int ktype) {
uint8_t *buffer = NULL;
@@ -379,7 +379,7 @@
if (pub_key_bytes != NULL) {
BIO_hexdump(bp, pub_key_bytes, pub_key_bytes_len, off);
}
- /* TODO(fork): implement */
+ // TODO(fork): implement
/*
if (!ECPKParameters_print(bp, group, off))
goto err; */
diff --git a/crypto/evp/scrypt.c b/crypto/evp/scrypt.c
index 3f10214..ed186ee 100644
--- a/crypto/evp/scrypt.c
+++ b/crypto/evp/scrypt.c
@@ -18,25 +18,25 @@
#include "../internal.h"
-/* This file implements scrypt, described in RFC 7914.
- *
- * Note scrypt refers to both "blocks" and a "block size" parameter, r. These
- * are two different notions of blocks. A Salsa20 block is 64 bytes long,
- * represented in this implementation by 16 |uint32_t|s. |r| determines the
- * number of 64-byte Salsa20 blocks in a scryptBlockMix block, which is 2 * |r|
- * Salsa20 blocks. This implementation refers to them as Salsa20 blocks and
- * scrypt blocks, respectively. */
+// This file implements scrypt, described in RFC 7914.
+//
+// Note scrypt refers to both "blocks" and a "block size" parameter, r. These
+// are two different notions of blocks. A Salsa20 block is 64 bytes long,
+// represented in this implementation by 16 |uint32_t|s. |r| determines the
+// number of 64-byte Salsa20 blocks in a scryptBlockMix block, which is 2 * |r|
+// Salsa20 blocks. This implementation refers to them as Salsa20 blocks and
+// scrypt blocks, respectively.
-/* A block_t is a Salsa20 block. */
+// A block_t is a Salsa20 block.
typedef struct { uint32_t words[16]; } block_t;
OPENSSL_COMPILE_ASSERT(sizeof(block_t) == 64, block_t_has_padding);
#define R(a, b) (((a) << (b)) | ((a) >> (32 - (b))))
-/* salsa208_word_specification implements the Salsa20/8 core function, also
- * described in RFC 7914, section 3. It modifies the block at |inout|
- * in-place. */
+// salsa208_word_specification implements the Salsa20/8 core function, also
+// described in RFC 7914, section 3. It modifies the block at |inout|
+// in-place.
static void salsa208_word_specification(block_t *inout) {
block_t x;
OPENSSL_memcpy(&x, inout, sizeof(x));
@@ -81,16 +81,16 @@
}
}
-/* xor_block sets |*out| to be |*a| XOR |*b|. */
+// xor_block sets |*out| to be |*a| XOR |*b|.
static void xor_block(block_t *out, const block_t *a, const block_t *b) {
for (size_t i = 0; i < 16; i++) {
out->words[i] = a->words[i] ^ b->words[i];
}
}
-/* scryptBlockMix implements the function described in RFC 7914, section 4. B'
- * is written to |out|. |out| and |B| may not alias and must be each one scrypt
- * block (2 * |r| Salsa20 blocks) long. */
+// scryptBlockMix implements the function described in RFC 7914, section 4. B'
+// is written to |out|. |out| and |B| may not alias and must be each one scrypt
+// block (2 * |r| Salsa20 blocks) long.
static void scryptBlockMix(block_t *out, const block_t *B, uint64_t r) {
assert(out != B);
@@ -100,19 +100,19 @@
xor_block(&X, &X, &B[i]);
salsa208_word_specification(&X);
- /* This implements the permutation in step 3. */
+ // This implements the permutation in step 3.
OPENSSL_memcpy(&out[i / 2 + (i & 1) * r], &X, sizeof(X));
}
}
-/* scryptROMix implements the function described in RFC 7914, section 5. |B| is
- * an scrypt block (2 * |r| Salsa20 blocks) and is modified in-place. |T| and
- * |V| are scratch space allocated by the caller. |T| must have space for one
- * scrypt block (2 * |r| Salsa20 blocks). |V| must have space for |N| scrypt
- * blocks (2 * |r| * |N| Salsa20 blocks). */
+// scryptROMix implements the function described in RFC 7914, section 5. |B| is
+// an scrypt block (2 * |r| Salsa20 blocks) and is modified in-place. |T| and
+// |V| are scratch space allocated by the caller. |T| must have space for one
+// scrypt block (2 * |r| Salsa20 blocks). |V| must have space for |N| scrypt
+// blocks (2 * |r| * |N| Salsa20 blocks).
static void scryptROMix(block_t *B, uint64_t r, uint64_t N, block_t *T,
block_t *V) {
- /* Steps 1 and 2. */
+ // Steps 1 and 2.
OPENSSL_memcpy(V, B, 2 * r * sizeof(block_t));
for (uint64_t i = 1; i < N; i++) {
scryptBlockMix(&V[2 * r * i /* scrypt block i */],
@@ -120,9 +120,9 @@
}
scryptBlockMix(B, &V[2 * r * (N - 1) /* scrypt block N-1 */], r);
- /* Step 3. */
+ // Step 3.
for (uint64_t i = 0; i < N; i++) {
- /* Note this assumes |N| <= 2^32 and is a power of 2. */
+ // Note this assumes |N| <= 2^32 and is a power of 2.
uint32_t j = B[2 * r - 1].words[0] & (N - 1);
for (size_t k = 0; k < 2 * r; k++) {
xor_block(&T[k], &B[k], &V[2 * r * j + k]);
@@ -131,16 +131,16 @@
}
}
-/* SCRYPT_PR_MAX is the maximum value of p * r. This is equivalent to the
- * bounds on p in section 6:
- *
- * p <= ((2^32-1) * hLen) / MFLen iff
- * p <= ((2^32-1) * 32) / (128 * r) iff
- * p * r <= (2^30-1) */
+// SCRYPT_PR_MAX is the maximum value of p * r. This is equivalent to the
+// bounds on p in section 6:
+//
+// p <= ((2^32-1) * hLen) / MFLen iff
+// p <= ((2^32-1) * 32) / (128 * r) iff
+// p * r <= (2^30-1)
#define SCRYPT_PR_MAX ((1 << 30) - 1)
-/* SCRYPT_MAX_MEM is the default maximum memory that may be allocated by
- * |EVP_PBE_scrypt|. */
+// SCRYPT_MAX_MEM is the default maximum memory that may be allocated by
+// |EVP_PBE_scrypt|.
#define SCRYPT_MAX_MEM (1024 * 1024 * 32)
int EVP_PBE_scrypt(const char *password, size_t password_len,
@@ -148,18 +148,18 @@
uint64_t p, size_t max_mem, uint8_t *out_key,
size_t key_len) {
if (r == 0 || p == 0 || p > SCRYPT_PR_MAX / r ||
- /* |N| must be a power of two. */
+ // |N| must be a power of two.
N < 2 || (N & (N - 1)) ||
- /* We only support |N| <= 2^32 in |scryptROMix|. */
+ // We only support |N| <= 2^32 in |scryptROMix|.
N > UINT64_C(1) << 32 ||
- /* Check that |N| < 2^(128×r / 8). */
+ // Check that |N| < 2^(128×r / 8).
(16 * r <= 63 && N >= UINT64_C(1) << (16 * r))) {
OPENSSL_PUT_ERROR(EVP, EVP_R_INVALID_PARAMETERS);
return 0;
}
- /* Determine the amount of memory needed. B, T, and V are |p|, 1, and |N|
- * scrypt blocks, respectively. Each scrypt block is 2*|r| |block_t|s. */
+ // Determine the amount of memory needed. B, T, and V are |p|, 1, and |N|
+ // scrypt blocks, respectively. Each scrypt block is 2*|r| |block_t|s.
if (max_mem == 0) {
max_mem = SCRYPT_MAX_MEM;
}
@@ -171,8 +171,8 @@
return 0;
}
- /* Allocate and divide up the scratch space. |max_mem| fits in a size_t, which
- * is no bigger than uint64_t, so none of these operations may overflow. */
+ // Allocate and divide up the scratch space. |max_mem| fits in a size_t, which
+ // is no bigger than uint64_t, so none of these operations may overflow.
OPENSSL_COMPILE_ASSERT(UINT64_MAX >= ((size_t)-1), size_t_exceeds_u64);
size_t B_blocks = p * 2 * r;
size_t B_bytes = B_blocks * sizeof(block_t);
diff --git a/crypto/ex_data.c b/crypto/ex_data.c
index 27b9a51..af7e7e2 100644
--- a/crypto/ex_data.c
+++ b/crypto/ex_data.c
@@ -124,8 +124,8 @@
DEFINE_STACK_OF(CRYPTO_EX_DATA_FUNCS)
struct crypto_ex_data_func_st {
- long argl; /* Arbitary long */
- void *argp; /* Arbitary void pointer */
+ long argl; // Arbitary long
+ void *argp; // Arbitary void pointer
CRYPTO_EX_free *free_func;
};
@@ -179,7 +179,7 @@
n = sk_void_num(ad->sk);
- /* Add NULL values until the stack is long enough. */
+ // Add NULL values until the stack is long enough.
for (i = n; i <= index; i++) {
if (!sk_void_push(ad->sk, NULL)) {
OPENSSL_PUT_ERROR(CRYPTO, ERR_R_MALLOC_FAILURE);
@@ -198,19 +198,19 @@
return sk_void_value(ad->sk, idx);
}
-/* get_func_pointers takes a copy of the CRYPTO_EX_DATA_FUNCS pointers, if any,
- * for the given class. If there are some pointers, it sets |*out| to point to
- * a fresh stack of them. Otherwise it sets |*out| to NULL. It returns one on
- * success or zero on error. */
+// get_func_pointers takes a copy of the CRYPTO_EX_DATA_FUNCS pointers, if any,
+// for the given class. If there are some pointers, it sets |*out| to point to
+// a fresh stack of them. Otherwise it sets |*out| to NULL. It returns one on
+// success or zero on error.
static int get_func_pointers(STACK_OF(CRYPTO_EX_DATA_FUNCS) **out,
CRYPTO_EX_DATA_CLASS *ex_data_class) {
size_t n;
*out = NULL;
- /* CRYPTO_EX_DATA_FUNCS structures are static once set, so we can take a
- * shallow copy of the list under lock and then use the structures without
- * the lock held. */
+ // CRYPTO_EX_DATA_FUNCS structures are static once set, so we can take a
+ // shallow copy of the list under lock and then use the structures without
+ // the lock held.
CRYPTO_STATIC_MUTEX_lock_read(&ex_data_class->lock);
n = sk_CRYPTO_EX_DATA_FUNCS_num(ex_data_class->meth);
if (n > 0) {
@@ -233,13 +233,13 @@
void CRYPTO_free_ex_data(CRYPTO_EX_DATA_CLASS *ex_data_class, void *obj,
CRYPTO_EX_DATA *ad) {
if (ad->sk == NULL) {
- /* Nothing to do. */
+ // Nothing to do.
return;
}
STACK_OF(CRYPTO_EX_DATA_FUNCS) *func_pointers;
if (!get_func_pointers(&func_pointers, ex_data_class)) {
- /* TODO(davidben): This leaks memory on malloc error. */
+ // TODO(davidben): This leaks memory on malloc error.
return;
}
diff --git a/crypto/fipsmodule/aes/aes.c b/crypto/fipsmodule/aes/aes.c
index c68a5d5..a988b39 100644
--- a/crypto/fipsmodule/aes/aes.c
+++ b/crypto/fipsmodule/aes/aes.c
@@ -59,16 +59,16 @@
#if defined(OPENSSL_NO_ASM) || \
(!defined(OPENSSL_X86) && !defined(OPENSSL_X86_64) && !defined(OPENSSL_ARM))
-/* Te0[x] = S [x].[02, 01, 01, 03];
- * Te1[x] = S [x].[03, 02, 01, 01];
- * Te2[x] = S [x].[01, 03, 02, 01];
- * Te3[x] = S [x].[01, 01, 03, 02];
- *
- * Td0[x] = Si[x].[0e, 09, 0d, 0b];
- * Td1[x] = Si[x].[0b, 0e, 09, 0d];
- * Td2[x] = Si[x].[0d, 0b, 0e, 09];
- * Td3[x] = Si[x].[09, 0d, 0b, 0e];
- * Td4[x] = Si[x].[01]; */
+// Te0[x] = S [x].[02, 01, 01, 03];
+// Te1[x] = S [x].[03, 02, 01, 01];
+// Te2[x] = S [x].[01, 03, 02, 01];
+// Te3[x] = S [x].[01, 01, 03, 02];
+//
+// Td0[x] = Si[x].[0e, 09, 0d, 0b];
+// Td1[x] = Si[x].[0b, 0e, 09, 0d];
+// Td2[x] = Si[x].[0d, 0b, 0e, 09];
+// Td3[x] = Si[x].[09, 0d, 0b, 0e];
+// Td4[x] = Si[x].[01];
static const uint32_t Te0[256] = {
0xc66363a5U, 0xf87c7c84U, 0xee777799U, 0xf67b7b8dU, 0xfff2f20dU,
@@ -531,7 +531,7 @@
static const uint32_t rcon[] = {
0x01000000, 0x02000000, 0x04000000, 0x08000000, 0x10000000,
0x20000000, 0x40000000, 0x80000000, 0x1B000000, 0x36000000,
- /* for 128-bit blocks, Rijndael never uses more than 10 rcon values */
+ // for 128-bit blocks, Rijndael never uses more than 10 rcon values
};
int AES_set_encrypt_key(const uint8_t *key, unsigned bits, AES_KEY *aeskey) {
@@ -634,7 +634,7 @@
int i, j, status;
uint32_t temp;
- /* first, start with an encryption schedule */
+ // first, start with an encryption schedule
status = AES_set_encrypt_key(key, bits, aeskey);
if (status < 0) {
return status;
@@ -642,7 +642,7 @@
rk = aeskey->rd_key;
- /* invert the order of the round keys: */
+ // invert the order of the round keys:
for (i = 0, j = 4 * aeskey->rounds; i < j; i += 4, j -= 4) {
temp = rk[i];
rk[i] = rk[j];
@@ -657,8 +657,8 @@
rk[i + 3] = rk[j + 3];
rk[j + 3] = temp;
}
- /* apply the inverse MixColumn transform to all round keys but the first and
- * the last: */
+ // apply the inverse MixColumn transform to all round keys but the first and
+ // the last:
for (i = 1; i < (int)aeskey->rounds; i++) {
rk += 4;
rk[0] =
@@ -682,19 +682,19 @@
uint32_t s0, s1, s2, s3, t0, t1, t2, t3;
#ifndef FULL_UNROLL
int r;
-#endif /* ?FULL_UNROLL */
+#endif // ?FULL_UNROLL
assert(in && out && key);
rk = key->rd_key;
- /* map byte array block to cipher state
- * and add initial round key: */
+ // map byte array block to cipher state
+ // and add initial round key:
s0 = GETU32(in) ^ rk[0];
s1 = GETU32(in + 4) ^ rk[1];
s2 = GETU32(in + 8) ^ rk[2];
s3 = GETU32(in + 12) ^ rk[3];
#ifdef FULL_UNROLL
- /* round 1: */
+ // round 1:
t0 = Te0[s0 >> 24] ^ Te1[(s1 >> 16) & 0xff] ^ Te2[(s2 >> 8) & 0xff] ^
Te3[s3 & 0xff] ^ rk[4];
t1 = Te0[s1 >> 24] ^ Te1[(s2 >> 16) & 0xff] ^ Te2[(s3 >> 8) & 0xff] ^
@@ -703,7 +703,7 @@
Te3[s1 & 0xff] ^ rk[6];
t3 = Te0[s3 >> 24] ^ Te1[(s0 >> 16) & 0xff] ^ Te2[(s1 >> 8) & 0xff] ^
Te3[s2 & 0xff] ^ rk[7];
- /* round 2: */
+ // round 2:
s0 = Te0[t0 >> 24] ^ Te1[(t1 >> 16) & 0xff] ^ Te2[(t2 >> 8) & 0xff] ^
Te3[t3 & 0xff] ^ rk[8];
s1 = Te0[t1 >> 24] ^ Te1[(t2 >> 16) & 0xff] ^ Te2[(t3 >> 8) & 0xff] ^
@@ -712,7 +712,7 @@
Te3[t1 & 0xff] ^ rk[10];
s3 = Te0[t3 >> 24] ^ Te1[(t0 >> 16) & 0xff] ^ Te2[(t1 >> 8) & 0xff] ^
Te3[t2 & 0xff] ^ rk[11];
- /* round 3: */
+ // round 3:
t0 = Te0[s0 >> 24] ^ Te1[(s1 >> 16) & 0xff] ^ Te2[(s2 >> 8) & 0xff] ^
Te3[s3 & 0xff] ^ rk[12];
t1 = Te0[s1 >> 24] ^ Te1[(s2 >> 16) & 0xff] ^ Te2[(s3 >> 8) & 0xff] ^
@@ -721,7 +721,7 @@
Te3[s1 & 0xff] ^ rk[14];
t3 = Te0[s3 >> 24] ^ Te1[(s0 >> 16) & 0xff] ^ Te2[(s1 >> 8) & 0xff] ^
Te3[s2 & 0xff] ^ rk[15];
- /* round 4: */
+ // round 4:
s0 = Te0[t0 >> 24] ^ Te1[(t1 >> 16) & 0xff] ^ Te2[(t2 >> 8) & 0xff] ^
Te3[t3 & 0xff] ^ rk[16];
s1 = Te0[t1 >> 24] ^ Te1[(t2 >> 16) & 0xff] ^ Te2[(t3 >> 8) & 0xff] ^
@@ -730,7 +730,7 @@
Te3[t1 & 0xff] ^ rk[18];
s3 = Te0[t3 >> 24] ^ Te1[(t0 >> 16) & 0xff] ^ Te2[(t1 >> 8) & 0xff] ^
Te3[t2 & 0xff] ^ rk[19];
- /* round 5: */
+ // round 5:
t0 = Te0[s0 >> 24] ^ Te1[(s1 >> 16) & 0xff] ^ Te2[(s2 >> 8) & 0xff] ^
Te3[s3 & 0xff] ^ rk[20];
t1 = Te0[s1 >> 24] ^ Te1[(s2 >> 16) & 0xff] ^ Te2[(s3 >> 8) & 0xff] ^
@@ -739,7 +739,7 @@
Te3[s1 & 0xff] ^ rk[22];
t3 = Te0[s3 >> 24] ^ Te1[(s0 >> 16) & 0xff] ^ Te2[(s1 >> 8) & 0xff] ^
Te3[s2 & 0xff] ^ rk[23];
- /* round 6: */
+ // round 6:
s0 = Te0[t0 >> 24] ^ Te1[(t1 >> 16) & 0xff] ^ Te2[(t2 >> 8) & 0xff] ^
Te3[t3 & 0xff] ^ rk[24];
s1 = Te0[t1 >> 24] ^ Te1[(t2 >> 16) & 0xff] ^ Te2[(t3 >> 8) & 0xff] ^
@@ -748,7 +748,7 @@
Te3[t1 & 0xff] ^ rk[26];
s3 = Te0[t3 >> 24] ^ Te1[(t0 >> 16) & 0xff] ^ Te2[(t1 >> 8) & 0xff] ^
Te3[t2 & 0xff] ^ rk[27];
- /* round 7: */
+ // round 7:
t0 = Te0[s0 >> 24] ^ Te1[(s1 >> 16) & 0xff] ^ Te2[(s2 >> 8) & 0xff] ^
Te3[s3 & 0xff] ^ rk[28];
t1 = Te0[s1 >> 24] ^ Te1[(s2 >> 16) & 0xff] ^ Te2[(s3 >> 8) & 0xff] ^
@@ -757,7 +757,7 @@
Te3[s1 & 0xff] ^ rk[30];
t3 = Te0[s3 >> 24] ^ Te1[(s0 >> 16) & 0xff] ^ Te2[(s1 >> 8) & 0xff] ^
Te3[s2 & 0xff] ^ rk[31];
- /* round 8: */
+ // round 8:
s0 = Te0[t0 >> 24] ^ Te1[(t1 >> 16) & 0xff] ^ Te2[(t2 >> 8) & 0xff] ^
Te3[t3 & 0xff] ^ rk[32];
s1 = Te0[t1 >> 24] ^ Te1[(t2 >> 16) & 0xff] ^ Te2[(t3 >> 8) & 0xff] ^
@@ -766,7 +766,7 @@
Te3[t1 & 0xff] ^ rk[34];
s3 = Te0[t3 >> 24] ^ Te1[(t0 >> 16) & 0xff] ^ Te2[(t1 >> 8) & 0xff] ^
Te3[t2 & 0xff] ^ rk[35];
- /* round 9: */
+ // round 9:
t0 = Te0[s0 >> 24] ^ Te1[(s1 >> 16) & 0xff] ^ Te2[(s2 >> 8) & 0xff] ^
Te3[s3 & 0xff] ^ rk[36];
t1 = Te0[s1 >> 24] ^ Te1[(s2 >> 16) & 0xff] ^ Te2[(s3 >> 8) & 0xff] ^
@@ -776,7 +776,7 @@
t3 = Te0[s3 >> 24] ^ Te1[(s0 >> 16) & 0xff] ^ Te2[(s1 >> 8) & 0xff] ^
Te3[s2 & 0xff] ^ rk[39];
if (key->rounds > 10) {
- /* round 10: */
+ // round 10:
s0 = Te0[t0 >> 24] ^ Te1[(t1 >> 16) & 0xff] ^ Te2[(t2 >> 8) & 0xff] ^
Te3[t3 & 0xff] ^ rk[40];
s1 = Te0[t1 >> 24] ^ Te1[(t2 >> 16) & 0xff] ^ Te2[(t3 >> 8) & 0xff] ^
@@ -785,7 +785,7 @@
Te3[t1 & 0xff] ^ rk[42];
s3 = Te0[t3 >> 24] ^ Te1[(t0 >> 16) & 0xff] ^ Te2[(t1 >> 8) & 0xff] ^
Te3[t2 & 0xff] ^ rk[43];
- /* round 11: */
+ // round 11:
t0 = Te0[s0 >> 24] ^ Te1[(s1 >> 16) & 0xff] ^ Te2[(s2 >> 8) & 0xff] ^
Te3[s3 & 0xff] ^ rk[44];
t1 = Te0[s1 >> 24] ^ Te1[(s2 >> 16) & 0xff] ^ Te2[(s3 >> 8) & 0xff] ^
@@ -795,7 +795,7 @@
t3 = Te0[s3 >> 24] ^ Te1[(s0 >> 16) & 0xff] ^ Te2[(s1 >> 8) & 0xff] ^
Te3[s2 & 0xff] ^ rk[47];
if (key->rounds > 12) {
- /* round 12: */
+ // round 12:
s0 = Te0[t0 >> 24] ^ Te1[(t1 >> 16) & 0xff] ^ Te2[(t2 >> 8) & 0xff] ^
Te3[t3 & 0xff] ^ rk[48];
s1 = Te0[t1 >> 24] ^ Te1[(t2 >> 16) & 0xff] ^ Te2[(t3 >> 8) & 0xff] ^
@@ -804,7 +804,7 @@
Te3[t1 & 0xff] ^ rk[50];
s3 = Te0[t3 >> 24] ^ Te1[(t0 >> 16) & 0xff] ^ Te2[(t1 >> 8) & 0xff] ^
Te3[t2 & 0xff] ^ rk[51];
- /* round 13: */
+ // round 13:
t0 = Te0[s0 >> 24] ^ Te1[(s1 >> 16) & 0xff] ^ Te2[(s2 >> 8) & 0xff] ^
Te3[s3 & 0xff] ^ rk[52];
t1 = Te0[s1 >> 24] ^ Te1[(s2 >> 16) & 0xff] ^ Te2[(s3 >> 8) & 0xff] ^
@@ -816,10 +816,8 @@
}
}
rk += key->rounds << 2;
-#else /* !FULL_UNROLL */
- /*
- * Nr - 1 full rounds:
- */
+#else // !FULL_UNROLL
+ // Nr - 1 full rounds:
r = key->rounds >> 1;
for (;;) {
t0 = Te0[(s0 >> 24)] ^ Te1[(s1 >> 16) & 0xff] ^ Te2[(s2 >> 8) & 0xff] ^
@@ -845,8 +843,8 @@
s3 = Te0[(t3 >> 24)] ^ Te1[(t0 >> 16) & 0xff] ^ Te2[(t1 >> 8) & 0xff] ^
Te3[(t2) & 0xff] ^ rk[3];
}
-#endif /* ?FULL_UNROLL */
- /* apply last round and map cipher state to byte array block: */
+#endif // ?FULL_UNROLL
+ // apply last round and map cipher state to byte array block:
s0 = (Te2[(t0 >> 24)] & 0xff000000) ^ (Te3[(t1 >> 16) & 0xff] & 0x00ff0000) ^
(Te0[(t2 >> 8) & 0xff] & 0x0000ff00) ^ (Te1[(t3) & 0xff] & 0x000000ff) ^
rk[0];
@@ -870,19 +868,19 @@
uint32_t s0, s1, s2, s3, t0, t1, t2, t3;
#ifndef FULL_UNROLL
int r;
-#endif /* ?FULL_UNROLL */
+#endif // ?FULL_UNROLL
assert(in && out && key);
rk = key->rd_key;
- /* map byte array block to cipher state
- * and add initial round key: */
+ // map byte array block to cipher state
+ // and add initial round key:
s0 = GETU32(in) ^ rk[0];
s1 = GETU32(in + 4) ^ rk[1];
s2 = GETU32(in + 8) ^ rk[2];
s3 = GETU32(in + 12) ^ rk[3];
#ifdef FULL_UNROLL
- /* round 1: */
+ // round 1:
t0 = Td0[s0 >> 24] ^ Td1[(s3 >> 16) & 0xff] ^ Td2[(s2 >> 8) & 0xff] ^
Td3[s1 & 0xff] ^ rk[4];
t1 = Td0[s1 >> 24] ^ Td1[(s0 >> 16) & 0xff] ^ Td2[(s3 >> 8) & 0xff] ^
@@ -891,7 +889,7 @@
Td3[s3 & 0xff] ^ rk[6];
t3 = Td0[s3 >> 24] ^ Td1[(s2 >> 16) & 0xff] ^ Td2[(s1 >> 8) & 0xff] ^
Td3[s0 & 0xff] ^ rk[7];
- /* round 2: */
+ // round 2:
s0 = Td0[t0 >> 24] ^ Td1[(t3 >> 16) & 0xff] ^ Td2[(t2 >> 8) & 0xff] ^
Td3[t1 & 0xff] ^ rk[8];
s1 = Td0[t1 >> 24] ^ Td1[(t0 >> 16) & 0xff] ^ Td2[(t3 >> 8) & 0xff] ^
@@ -900,7 +898,7 @@
Td3[t3 & 0xff] ^ rk[10];
s3 = Td0[t3 >> 24] ^ Td1[(t2 >> 16) & 0xff] ^ Td2[(t1 >> 8) & 0xff] ^
Td3[t0 & 0xff] ^ rk[11];
- /* round 3: */
+ // round 3:
t0 = Td0[s0 >> 24] ^ Td1[(s3 >> 16) & 0xff] ^ Td2[(s2 >> 8) & 0xff] ^
Td3[s1 & 0xff] ^ rk[12];
t1 = Td0[s1 >> 24] ^ Td1[(s0 >> 16) & 0xff] ^ Td2[(s3 >> 8) & 0xff] ^
@@ -909,7 +907,7 @@
Td3[s3 & 0xff] ^ rk[14];
t3 = Td0[s3 >> 24] ^ Td1[(s2 >> 16) & 0xff] ^ Td2[(s1 >> 8) & 0xff] ^
Td3[s0 & 0xff] ^ rk[15];
- /* round 4: */
+ // round 4:
s0 = Td0[t0 >> 24] ^ Td1[(t3 >> 16) & 0xff] ^ Td2[(t2 >> 8) & 0xff] ^
Td3[t1 & 0xff] ^ rk[16];
s1 = Td0[t1 >> 24] ^ Td1[(t0 >> 16) & 0xff] ^ Td2[(t3 >> 8) & 0xff] ^
@@ -918,7 +916,7 @@
Td3[t3 & 0xff] ^ rk[18];
s3 = Td0[t3 >> 24] ^ Td1[(t2 >> 16) & 0xff] ^ Td2[(t1 >> 8) & 0xff] ^
Td3[t0 & 0xff] ^ rk[19];
- /* round 5: */
+ // round 5:
t0 = Td0[s0 >> 24] ^ Td1[(s3 >> 16) & 0xff] ^ Td2[(s2 >> 8) & 0xff] ^
Td3[s1 & 0xff] ^ rk[20];
t1 = Td0[s1 >> 24] ^ Td1[(s0 >> 16) & 0xff] ^ Td2[(s3 >> 8) & 0xff] ^
@@ -927,7 +925,7 @@
Td3[s3 & 0xff] ^ rk[22];
t3 = Td0[s3 >> 24] ^ Td1[(s2 >> 16) & 0xff] ^ Td2[(s1 >> 8) & 0xff] ^
Td3[s0 & 0xff] ^ rk[23];
- /* round 6: */
+ // round 6:
s0 = Td0[t0 >> 24] ^ Td1[(t3 >> 16) & 0xff] ^ Td2[(t2 >> 8) & 0xff] ^
Td3[t1 & 0xff] ^ rk[24];
s1 = Td0[t1 >> 24] ^ Td1[(t0 >> 16) & 0xff] ^ Td2[(t3 >> 8) & 0xff] ^
@@ -936,7 +934,7 @@
Td3[t3 & 0xff] ^ rk[26];
s3 = Td0[t3 >> 24] ^ Td1[(t2 >> 16) & 0xff] ^ Td2[(t1 >> 8) & 0xff] ^
Td3[t0 & 0xff] ^ rk[27];
- /* round 7: */
+ // round 7:
t0 = Td0[s0 >> 24] ^ Td1[(s3 >> 16) & 0xff] ^ Td2[(s2 >> 8) & 0xff] ^
Td3[s1 & 0xff] ^ rk[28];
t1 = Td0[s1 >> 24] ^ Td1[(s0 >> 16) & 0xff] ^ Td2[(s3 >> 8) & 0xff] ^
@@ -945,7 +943,7 @@
Td3[s3 & 0xff] ^ rk[30];
t3 = Td0[s3 >> 24] ^ Td1[(s2 >> 16) & 0xff] ^ Td2[(s1 >> 8) & 0xff] ^
Td3[s0 & 0xff] ^ rk[31];
- /* round 8: */
+ // round 8:
s0 = Td0[t0 >> 24] ^ Td1[(t3 >> 16) & 0xff] ^ Td2[(t2 >> 8) & 0xff] ^
Td3[t1 & 0xff] ^ rk[32];
s1 = Td0[t1 >> 24] ^ Td1[(t0 >> 16) & 0xff] ^ Td2[(t3 >> 8) & 0xff] ^
@@ -954,7 +952,7 @@
Td3[t3 & 0xff] ^ rk[34];
s3 = Td0[t3 >> 24] ^ Td1[(t2 >> 16) & 0xff] ^ Td2[(t1 >> 8) & 0xff] ^
Td3[t0 & 0xff] ^ rk[35];
- /* round 9: */
+ // round 9:
t0 = Td0[s0 >> 24] ^ Td1[(s3 >> 16) & 0xff] ^ Td2[(s2 >> 8) & 0xff] ^
Td3[s1 & 0xff] ^ rk[36];
t1 = Td0[s1 >> 24] ^ Td1[(s0 >> 16) & 0xff] ^ Td2[(s3 >> 8) & 0xff] ^
@@ -964,7 +962,7 @@
t3 = Td0[s3 >> 24] ^ Td1[(s2 >> 16) & 0xff] ^ Td2[(s1 >> 8) & 0xff] ^
Td3[s0 & 0xff] ^ rk[39];
if (key->rounds > 10) {
- /* round 10: */
+ // round 10:
s0 = Td0[t0 >> 24] ^ Td1[(t3 >> 16) & 0xff] ^ Td2[(t2 >> 8) & 0xff] ^
Td3[t1 & 0xff] ^ rk[40];
s1 = Td0[t1 >> 24] ^ Td1[(t0 >> 16) & 0xff] ^ Td2[(t3 >> 8) & 0xff] ^
@@ -973,7 +971,7 @@
Td3[t3 & 0xff] ^ rk[42];
s3 = Td0[t3 >> 24] ^ Td1[(t2 >> 16) & 0xff] ^ Td2[(t1 >> 8) & 0xff] ^
Td3[t0 & 0xff] ^ rk[43];
- /* round 11: */
+ // round 11:
t0 = Td0[s0 >> 24] ^ Td1[(s3 >> 16) & 0xff] ^ Td2[(s2 >> 8) & 0xff] ^
Td3[s1 & 0xff] ^ rk[44];
t1 = Td0[s1 >> 24] ^ Td1[(s0 >> 16) & 0xff] ^ Td2[(s3 >> 8) & 0xff] ^
@@ -983,7 +981,7 @@
t3 = Td0[s3 >> 24] ^ Td1[(s2 >> 16) & 0xff] ^ Td2[(s1 >> 8) & 0xff] ^
Td3[s0 & 0xff] ^ rk[47];
if (key->rounds > 12) {
- /* round 12: */
+ // round 12:
s0 = Td0[t0 >> 24] ^ Td1[(t3 >> 16) & 0xff] ^ Td2[(t2 >> 8) & 0xff] ^
Td3[t1 & 0xff] ^ rk[48];
s1 = Td0[t1 >> 24] ^ Td1[(t0 >> 16) & 0xff] ^ Td2[(t3 >> 8) & 0xff] ^
@@ -992,7 +990,7 @@
Td3[t3 & 0xff] ^ rk[50];
s3 = Td0[t3 >> 24] ^ Td1[(t2 >> 16) & 0xff] ^ Td2[(t1 >> 8) & 0xff] ^
Td3[t0 & 0xff] ^ rk[51];
- /* round 13: */
+ // round 13:
t0 = Td0[s0 >> 24] ^ Td1[(s3 >> 16) & 0xff] ^ Td2[(s2 >> 8) & 0xff] ^
Td3[s1 & 0xff] ^ rk[52];
t1 = Td0[s1 >> 24] ^ Td1[(s0 >> 16) & 0xff] ^ Td2[(s3 >> 8) & 0xff] ^
@@ -1004,10 +1002,8 @@
}
}
rk += key->rounds << 2;
-#else /* !FULL_UNROLL */
- /*
- * Nr - 1 full rounds:
- */
+#else // !FULL_UNROLL
+ // Nr - 1 full rounds:
r = key->rounds >> 1;
for (;;) {
t0 = Td0[(s0 >> 24)] ^ Td1[(s3 >> 16) & 0xff] ^ Td2[(s2 >> 8) & 0xff] ^
@@ -1033,9 +1029,9 @@
s3 = Td0[(t3 >> 24)] ^ Td1[(t2 >> 16) & 0xff] ^ Td2[(t1 >> 8) & 0xff] ^
Td3[(t0) & 0xff] ^ rk[3];
}
-#endif /* ?FULL_UNROLL */
- /* apply last round and
- * map cipher state to byte array block: */
+#endif // ?FULL_UNROLL
+ // apply last round and
+ // map cipher state to byte array block:
s0 = ((uint32_t)Td4[(t0 >> 24)] << 24) ^
((uint32_t)Td4[(t3 >> 16) & 0xff] << 16) ^
((uint32_t)Td4[(t2 >> 8) & 0xff] << 8) ^
@@ -1060,10 +1056,10 @@
#else
-/* In this case several functions are provided by asm code. However, one cannot
- * control asm symbol visibility with command line flags and such so they are
- * always hidden and wrapped by these C functions, which can be so
- * controlled. */
+// In this case several functions are provided by asm code. However, one cannot
+// control asm symbol visibility with command line flags and such so they are
+// always hidden and wrapped by these C functions, which can be so
+// controlled.
void asm_AES_encrypt(const uint8_t *in, uint8_t *out, const AES_KEY *key);
void AES_encrypt(const uint8_t *in, uint8_t *out, const AES_KEY *key) {
@@ -1101,4 +1097,4 @@
}
}
-#endif /* OPENSSL_NO_ASM || (!OPENSSL_X86 && !OPENSSL_X86_64 && !OPENSSL_ARM) */
+#endif // OPENSSL_NO_ASM || (!OPENSSL_X86 && !OPENSSL_X86_64 && !OPENSSL_ARM)
diff --git a/crypto/fipsmodule/aes/internal.h b/crypto/fipsmodule/aes/internal.h
index 01cff84..45db9ee 100644
--- a/crypto/fipsmodule/aes/internal.h
+++ b/crypto/fipsmodule/aes/internal.h
@@ -30,7 +30,7 @@
static int hwaes_capable(void) {
return CRYPTO_is_ARMv8_AES_capable();
}
-#endif /* !NO_ASM && (AES || AARCH64) */
+#endif // !NO_ASM && (AES || AARCH64)
#if !defined(OPENSSL_NO_ASM) && defined(OPENSSL_PPC64LE)
#define HWAES
@@ -38,7 +38,7 @@
static int hwaes_capable(void) {
return CRYPTO_is_PPC64LE_vcrypto_capable();
}
-#endif /* !NO_ASM && PPC64LE */
+#endif // !NO_ASM && PPC64LE
#if defined(HWAES)
@@ -56,8 +56,8 @@
#else
-/* If HWAES isn't defined then we provide dummy functions for each of the hwaes
- * functions. */
+// If HWAES isn't defined then we provide dummy functions for each of the hwaes
+// functions.
static int hwaes_capable(void) { return 0; }
static int aes_hw_set_encrypt_key(const uint8_t *user_key, int bits,
@@ -91,10 +91,10 @@
abort();
}
-#endif /* !HWAES */
+#endif // !HWAES
#if defined(__cplusplus)
-} /* extern C */
+} // extern C
#endif
-#endif /* OPENSSL_HEADER_AES_INTERNAL_H */
+#endif // OPENSSL_HEADER_AES_INTERNAL_H
diff --git a/crypto/fipsmodule/aes/key_wrap.c b/crypto/fipsmodule/aes/key_wrap.c
index 73de17f..feee0c7 100644
--- a/crypto/fipsmodule/aes/key_wrap.c
+++ b/crypto/fipsmodule/aes/key_wrap.c
@@ -56,7 +56,7 @@
#include "../../internal.h"
-/* kDefaultIV is the default IV value given in RFC 3394, 2.2.3.1. */
+// kDefaultIV is the default IV value given in RFC 3394, 2.2.3.1.
static const uint8_t kDefaultIV[] = {
0xa6, 0xa6, 0xa6, 0xa6, 0xa6, 0xa6, 0xa6, 0xa6,
};
@@ -65,7 +65,7 @@
int AES_wrap_key(const AES_KEY *key, const uint8_t *iv, uint8_t *out,
const uint8_t *in, size_t in_len) {
- /* See RFC 3394, section 2.2.1. */
+ // See RFC 3394, section 2.2.1.
if (in_len > INT_MAX - 8 || in_len < 8 || in_len % 8 != 0) {
return -1;
@@ -101,7 +101,7 @@
int AES_unwrap_key(const AES_KEY *key, const uint8_t *iv, uint8_t *out,
const uint8_t *in, size_t in_len) {
- /* See RFC 3394, section 2.2.2. */
+ // See RFC 3394, section 2.2.2.
if (in_len > INT_MAX || in_len < 16 || in_len % 8 != 0) {
return -1;
diff --git a/crypto/fipsmodule/aes/mode_wrappers.c b/crypto/fipsmodule/aes/mode_wrappers.c
index 4929920..34514db 100644
--- a/crypto/fipsmodule/aes/mode_wrappers.c
+++ b/crypto/fipsmodule/aes/mode_wrappers.c
@@ -92,7 +92,7 @@
asm_AES_cbc_encrypt(in, out, len, key, ivec, enc);
}
-#endif /* OPENSSL_NO_ASM || (!OPENSSL_X86_64 && !OPENSSL_X86) */
+#endif // OPENSSL_NO_ASM || (!OPENSSL_X86_64 && !OPENSSL_X86)
void AES_ofb128_encrypt(const uint8_t *in, uint8_t *out, size_t length,
const AES_KEY *key, uint8_t *ivec, int *num) {
diff --git a/crypto/fipsmodule/bcm.c b/crypto/fipsmodule/bcm.c
index c6ea796..b506b43 100644
--- a/crypto/fipsmodule/bcm.c
+++ b/crypto/fipsmodule/bcm.c
@@ -13,7 +13,7 @@
* CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. */
#if !defined(_GNU_SOURCE)
-#define _GNU_SOURCE /* needed for syscall() on Linux. */
+#define _GNU_SOURCE // needed for syscall() on Linux.
#endif
#include <openssl/aead.h>
@@ -145,7 +145,7 @@
0xa7, 0x10, 0x93, 0x43, 0x53, 0x4e, 0xe3, 0x16, 0x73, 0x55, 0xce, 0xf2,
0x94, 0xc0, 0xbe, 0xb3,
};
- static const uint8_t kE[] = {0x01, 0x00, 0x01}; /* 65537 */
+ static const uint8_t kE[] = {0x01, 0x00, 0x01}; // 65537
static const uint8_t kD[] = {
0x2f, 0x2c, 0x1e, 0xd2, 0x3d, 0x2c, 0xb1, 0x9b, 0x21, 0x02, 0xce, 0xb8,
0x95, 0x5f, 0x4f, 0xd9, 0x21, 0x38, 0x11, 0x36, 0xb0, 0x9a, 0x36, 0xab,
@@ -288,8 +288,8 @@
}
#if !defined(OPENSSL_ASAN)
-/* These symbols are filled in by delocate.go. They point to the start and end
- * of the module, and the location of the integrity hash, respectively. */
+// These symbols are filled in by delocate.go. They point to the start and end
+// of the module, and the location of the integrity hash, respectively.
extern const uint8_t BORINGSSL_bcm_text_start[];
extern const uint8_t BORINGSSL_bcm_text_end[];
extern const uint8_t BORINGSSL_bcm_text_hash[];
@@ -300,8 +300,8 @@
CRYPTO_library_init();
#if !defined(OPENSSL_ASAN)
- /* Integrity tests cannot run under ASAN because it involves reading the full
- * .text section, which triggers the global-buffer overflow detection. */
+ // Integrity tests cannot run under ASAN because it involves reading the full
+ // .text section, which triggers the global-buffer overflow detection.
const uint8_t *const start = BORINGSSL_bcm_text_start;
const uint8_t *const end = BORINGSSL_bcm_text_end;
@@ -478,7 +478,7 @@
uint8_t aes_iv[16];
uint8_t output[256];
- /* AES-CBC Encryption KAT */
+ // AES-CBC Encryption KAT
memcpy(aes_iv, kAESIV, sizeof(kAESIV));
if (AES_set_encrypt_key(kAESKey, 8 * sizeof(kAESKey), &aes_key) != 0) {
goto err;
@@ -490,7 +490,7 @@
goto err;
}
- /* AES-CBC Decryption KAT */
+ // AES-CBC Decryption KAT
memcpy(aes_iv, kAESIV, sizeof(kAESIV));
if (AES_set_decrypt_key(kAESKey, 8 * sizeof(kAESKey), &aes_key) != 0) {
goto err;
@@ -511,7 +511,7 @@
goto err;
}
- /* AES-GCM Encryption KAT */
+ // AES-GCM Encryption KAT
if (!EVP_AEAD_CTX_seal(&aead_ctx, output, &out_len, sizeof(output), nonce,
EVP_AEAD_nonce_length(EVP_aead_aes_128_gcm()),
kPlaintext, sizeof(kPlaintext), NULL, 0) ||
@@ -520,7 +520,7 @@
goto err;
}
- /* AES-GCM Decryption KAT */
+ // AES-GCM Decryption KAT
if (!EVP_AEAD_CTX_open(&aead_ctx, output, &out_len, sizeof(output), nonce,
EVP_AEAD_nonce_length(EVP_aead_aes_128_gcm()),
kAESGCMCiphertext, sizeof(kAESGCMCiphertext), NULL,
@@ -538,7 +538,7 @@
DES_set_key(&kDESKey2, &des2);
DES_set_key(&kDESKey3, &des3);
- /* 3DES Encryption KAT */
+ // 3DES Encryption KAT
memcpy(&des_iv, &kDESIV, sizeof(des_iv));
DES_ede3_cbc_encrypt(kPlaintext, output, sizeof(kPlaintext), &des1, &des2,
&des3, &des_iv, DES_ENCRYPT);
@@ -547,7 +547,7 @@
goto err;
}
- /* 3DES Decryption KAT */
+ // 3DES Decryption KAT
memcpy(&des_iv, &kDESIV, sizeof(des_iv));
DES_ede3_cbc_encrypt(kDESCiphertext, output, sizeof(kDESCiphertext), &des1,
&des2, &des3, &des_iv, DES_DECRYPT);
@@ -556,21 +556,21 @@
goto err;
}
- /* SHA-1 KAT */
+ // SHA-1 KAT
SHA1(kPlaintext, sizeof(kPlaintext), output);
if (!check_test(kPlaintextSHA1, output, sizeof(kPlaintextSHA1),
"SHA-1 KAT")) {
goto err;
}
- /* SHA-256 KAT */
+ // SHA-256 KAT
SHA256(kPlaintext, sizeof(kPlaintext), output);
if (!check_test(kPlaintextSHA256, output, sizeof(kPlaintextSHA256),
"SHA-256 KAT")) {
goto err;
}
- /* SHA-512 KAT */
+ // SHA-512 KAT
SHA512(kPlaintext, sizeof(kPlaintext), output);
if (!check_test(kPlaintextSHA512, output, sizeof(kPlaintextSHA512),
"SHA-512 KAT")) {
@@ -583,11 +583,11 @@
goto err;
}
- /* RSA Sign KAT */
+ // RSA Sign KAT
unsigned sig_len;
- /* Disable blinding for the power-on tests because it's not needed and
- * triggers an entropy draw. */
+ // Disable blinding for the power-on tests because it's not needed and
+ // triggers an entropy draw.
rsa_key->flags |= RSA_FLAG_NO_BLINDING;
if (!RSA_sign(NID_sha256, kPlaintextSHA256, sizeof(kPlaintextSHA256), output,
@@ -597,7 +597,7 @@
goto err;
}
- /* RSA Verify KAT */
+ // RSA Verify KAT
if (!RSA_verify(NID_sha256, kPlaintextSHA256, sizeof(kPlaintextSHA256),
kRSASignature, sizeof(kRSASignature), rsa_key)) {
printf("RSA Verify KAT failed.\n");
@@ -612,9 +612,9 @@
goto err;
}
- /* ECDSA Sign/Verify PWCT */
+ // ECDSA Sign/Verify PWCT
- /* The 'k' value for ECDSA is fixed to avoid an entropy draw. */
+ // The 'k' value for ECDSA is fixed to avoid an entropy draw.
ec_key->fixed_k = BN_new();
if (ec_key->fixed_k == NULL ||
!BN_set_word(ec_key->fixed_k, 42)) {
@@ -641,7 +641,7 @@
ECDSA_SIG_free(sig);
EC_KEY_free(ec_key);
- /* DBRG KAT */
+ // DBRG KAT
CTR_DRBG_STATE drbg;
if (!CTR_DRBG_init(&drbg, kDRBGEntropy, kDRBGPersonalization,
sizeof(kDRBGPersonalization)) ||
@@ -676,4 +676,4 @@
exit(1);
}
}
-#endif /* BORINGSSL_FIPS */
+#endif // BORINGSSL_FIPS
diff --git a/crypto/fipsmodule/bn/add.c b/crypto/fipsmodule/bn/add.c
index 5848543..bbe275e 100644
--- a/crypto/fipsmodule/bn/add.c
+++ b/crypto/fipsmodule/bn/add.c
@@ -68,20 +68,19 @@
const BIGNUM *tmp;
int a_neg = a->neg, ret;
- /* a + b a+b
- * a + -b a-b
- * -a + b b-a
- * -a + -b -(a+b)
- */
+ // a + b a+b
+ // a + -b a-b
+ // -a + b b-a
+ // -a + -b -(a+b)
if (a_neg ^ b->neg) {
- /* only one is negative */
+ // only one is negative
if (a_neg) {
tmp = a;
a = b;
b = tmp;
}
- /* we are now a - b */
+ // we are now a - b
if (BN_ucmp(a, b) < 0) {
if (!BN_usub(r, b, a)) {
return 0;
@@ -142,7 +141,7 @@
}
}
if (carry) {
- /* carry != 0 => dif == 0 */
+ // carry != 0 => dif == 0
*rp = 1;
r->top++;
}
@@ -150,7 +149,7 @@
if (dif && rp != ap) {
while (dif--) {
- /* copy remaining words if ap != rp */
+ // copy remaining words if ap != rp
*(rp++) = *(ap++);
}
}
@@ -165,17 +164,17 @@
w &= BN_MASK2;
- /* degenerate case: w is zero */
+ // degenerate case: w is zero
if (!w) {
return 1;
}
- /* degenerate case: a is zero */
+ // degenerate case: a is zero
if (BN_is_zero(a)) {
return BN_set_word(a, w);
}
- /* handle 'a' when negative */
+ // handle 'a' when negative
if (a->neg) {
a->neg = 0;
i = BN_sub_word(a, w);
@@ -206,11 +205,10 @@
int add = 0, neg = 0;
const BIGNUM *tmp;
- /* a - b a-b
- * a - -b a+b
- * -a - b -(a+b)
- * -a - -b b-a
- */
+ // a - b a-b
+ // a - -b a+b
+ // -a - b -(a+b)
+ // -a - -b b-a
if (a->neg) {
if (b->neg) {
tmp = a;
@@ -236,7 +234,7 @@
return 1;
}
- /* We are actually doing a - b :-) */
+ // We are actually doing a - b :-)
max = (a->top > b->top) ? a->top : b->top;
if (!bn_wexpand(r, max)) {
@@ -267,7 +265,7 @@
min = b->top;
dif = max - min;
- if (dif < 0) /* hmm... should not be happening */
+ if (dif < 0) // hmm... should not be happening
{
OPENSSL_PUT_ERROR(BN, BN_R_ARG2_LT_ARG3);
return 0;
@@ -295,10 +293,10 @@
*(rp++) = t1 & BN_MASK2;
}
- if (carry) /* subtracted */
+ if (carry) // subtracted
{
if (!dif) {
- /* error: a < b */
+ // error: a < b
return 0;
}
@@ -329,12 +327,12 @@
w &= BN_MASK2;
- /* degenerate case: w is zero */
+ // degenerate case: w is zero
if (!w) {
return 1;
}
- /* degenerate case: a is zero */
+ // degenerate case: a is zero
if (BN_is_zero(a)) {
i = BN_set_word(a, w);
if (i != 0) {
@@ -343,7 +341,7 @@
return i;
}
- /* handle 'a' when negative */
+ // handle 'a' when negative
if (a->neg) {
a->neg = 0;
i = BN_add_word(a, w);
diff --git a/crypto/fipsmodule/bn/asm/x86_64-gcc.c b/crypto/fipsmodule/bn/asm/x86_64-gcc.c
index 72e7689..a65b86f 100644
--- a/crypto/fipsmodule/bn/asm/x86_64-gcc.c
+++ b/crypto/fipsmodule/bn/asm/x86_64-gcc.c
@@ -52,7 +52,7 @@
#include <openssl/bn.h>
-/* TODO(davidben): Get this file working on Windows x64. */
+// TODO(davidben): Get this file working on Windows x64.
#if !defined(OPENSSL_NO_ASM) && defined(OPENSSL_X86_64) && defined(__GNUC__)
#include "../internal.h"
@@ -63,11 +63,9 @@
#define asm __asm__
-/*
- * "m"(a), "+m"(r) is the way to favor DirectPath µ-code;
- * "g"(0) let the compiler to decide where does it
- * want to keep the value of zero;
- */
+// "m"(a), "+m"(r) is the way to favor DirectPath µ-code;
+// "g"(0) let the compiler to decide where does it
+// want to keep the value of zero;
#define mul_add(r, a, word, carry) \
do { \
register BN_ULONG high, low; \
@@ -197,7 +195,7 @@
}
asm volatile (
- " subq %0,%0 \n" /* clear carry */
+ " subq %0,%0 \n" // clear carry
" jmp 1f \n"
".p2align 4 \n"
"1:"
@@ -224,7 +222,7 @@
}
asm volatile (
- " subq %0,%0 \n" /* clear borrow */
+ " subq %0,%0 \n" // clear borrow
" jmp 1f \n"
".p2align 4 \n"
"1:"
@@ -241,14 +239,13 @@
return ret & 1;
}
-/* mul_add_c(a,b,c0,c1,c2) -- c+=a*b for three word number c=(c2,c1,c0) */
-/* mul_add_c2(a,b,c0,c1,c2) -- c+=2*a*b for three word number c=(c2,c1,c0) */
-/* sqr_add_c(a,i,c0,c1,c2) -- c+=a[i]^2 for three word number c=(c2,c1,c0) */
-/* sqr_add_c2(a,i,c0,c1,c2) -- c+=2*a[i]*a[j] for three word number c=(c2,c1,c0)
- */
+// mul_add_c(a,b,c0,c1,c2) -- c+=a*b for three word number c=(c2,c1,c0)
+// mul_add_c2(a,b,c0,c1,c2) -- c+=2*a*b for three word number c=(c2,c1,c0)
+// sqr_add_c(a,i,c0,c1,c2) -- c+=a[i]^2 for three word number c=(c2,c1,c0)
+// sqr_add_c2(a,i,c0,c1,c2) -- c+=2*a[i]*a[j] for three word number c=(c2,c1,c0)
-/* Keep in mind that carrying into high part of multiplication result can not
- * overflow, because it cannot be all-ones. */
+// Keep in mind that carrying into high part of multiplication result can not
+// overflow, because it cannot be all-ones.
#define mul_add_c(a, b, c0, c1, c2) \
do { \
BN_ULONG t1, t2; \
@@ -539,4 +536,4 @@
#undef mul_add_c2
#undef sqr_add_c2
-#endif /* !NO_ASM && X86_64 && __GNUC__ */
+#endif // !NO_ASM && X86_64 && __GNUC__
diff --git a/crypto/fipsmodule/bn/bn.c b/crypto/fipsmodule/bn/bn.c
index af093e0..9ba1913 100644
--- a/crypto/fipsmodule/bn/bn.c
+++ b/crypto/fipsmodule/bn/bn.c
@@ -175,8 +175,8 @@
out->flags = BN_FLG_STATIC_DATA;
}
-/* BN_num_bits_word returns the minimum number of bits needed to represent the
- * value in |l|. */
+// BN_num_bits_word returns the minimum number of bits needed to represent the
+// value in |l|.
unsigned BN_num_bits_word(BN_ULONG l) {
static const unsigned char bits[256] = {
0, 1, 2, 2, 3, 3, 3, 3, 4, 4, 4, 4, 4, 4, 4, 4, 5, 5, 5, 5, 5, 5, 5, 5,
@@ -290,7 +290,7 @@
return 0;
}
OPENSSL_memmove(bn->d, words, num * sizeof(BN_ULONG));
- /* |bn_wexpand| verified that |num| isn't too large. */
+ // |bn_wexpand| verified that |num| isn't too large.
bn->top = (int)num;
bn_correct_top(bn);
bn->neg = 0;
diff --git a/crypto/fipsmodule/bn/bn_test.cc b/crypto/fipsmodule/bn/bn_test.cc
index 3cb5f75..fe03e5f 100644
--- a/crypto/fipsmodule/bn/bn_test.cc
+++ b/crypto/fipsmodule/bn/bn_test.cc
@@ -67,9 +67,9 @@
* Sheueling Chang Shantz and Douglas Stebila of Sun Microsystems
* Laboratories. */
-/* Per C99, various stdint.h and inttypes.h macros (the latter used by bn.h) are
- * unavailable in C++ unless some macros are defined. C++11 overruled this
- * decision, but older Android NDKs still require it. */
+// Per C99, various stdint.h and inttypes.h macros (the latter used by bn.h) are
+// unavailable in C++ unless some macros are defined. C++11 overruled this
+// decision, but older Android NDKs still require it.
#if !defined(__STDC_CONSTANT_MACROS)
#define __STDC_CONSTANT_MACROS
#endif
diff --git a/crypto/fipsmodule/bn/bytes.c b/crypto/fipsmodule/bn/bytes.c
index 0988870..328d56e 100644
--- a/crypto/fipsmodule/bn/bytes.c
+++ b/crypto/fipsmodule/bn/bytes.c
@@ -90,8 +90,8 @@
return NULL;
}
- /* |bn_wexpand| must check bounds on |num_words| to write it into
- * |ret->dmax|. */
+ // |bn_wexpand| must check bounds on |num_words| to write it into
+ // |ret->dmax|.
assert(num_words <= INT_MAX);
ret->top = (int)num_words;
ret->neg = 0;
@@ -105,8 +105,8 @@
}
}
- /* need to call this due to clear byte at top if avoiding having the top bit
- * set (-ve number) */
+ // need to call this due to clear byte at top if avoiding having the top bit
+ // set (-ve number)
bn_correct_top(ret);
return ret;
}
@@ -128,7 +128,7 @@
return ret;
}
- /* Reserve enough space in |ret|. */
+ // Reserve enough space in |ret|.
size_t num_words = ((len - 1) / BN_BYTES) + 1;
if (!bn_wexpand(ret, num_words)) {
BN_free(bn);
@@ -136,11 +136,11 @@
}
ret->top = num_words;
- /* Make sure the top bytes will be zeroed. */
+ // Make sure the top bytes will be zeroed.
ret->d[num_words - 1] = 0;
- /* We only support little-endian platforms, so we can simply memcpy the
- * internal representation. */
+ // We only support little-endian platforms, so we can simply memcpy the
+ // internal representation.
OPENSSL_memcpy(ret->d, in, len);
bn_correct_top(ret);
@@ -160,24 +160,24 @@
}
int BN_bn2le_padded(uint8_t *out, size_t len, const BIGNUM *in) {
- /* If we don't have enough space, fail out. */
+ // If we don't have enough space, fail out.
size_t num_bytes = BN_num_bytes(in);
if (len < num_bytes) {
return 0;
}
- /* We only support little-endian platforms, so we can simply memcpy into the
- * internal representation. */
+ // We only support little-endian platforms, so we can simply memcpy into the
+ // internal representation.
OPENSSL_memcpy(out, in->d, num_bytes);
- /* Pad out the rest of the buffer with zeroes. */
+ // Pad out the rest of the buffer with zeroes.
OPENSSL_memset(out + num_bytes, 0, len - num_bytes);
return 1;
}
-/* constant_time_select_ulong returns |x| if |v| is 1 and |y| if |v| is 0. Its
- * behavior is undefined if |v| takes any other value. */
+// constant_time_select_ulong returns |x| if |v| is 1 and |y| if |v| is 0. Its
+// behavior is undefined if |v| takes any other value.
static BN_ULONG constant_time_select_ulong(int v, BN_ULONG x, BN_ULONG y) {
BN_ULONG mask = v;
mask--;
@@ -185,35 +185,35 @@
return (~mask & x) | (mask & y);
}
-/* constant_time_le_size_t returns 1 if |x| <= |y| and 0 otherwise. |x| and |y|
- * must not have their MSBs set. */
+// constant_time_le_size_t returns 1 if |x| <= |y| and 0 otherwise. |x| and |y|
+// must not have their MSBs set.
static int constant_time_le_size_t(size_t x, size_t y) {
return ((x - y - 1) >> (sizeof(size_t) * 8 - 1)) & 1;
}
-/* read_word_padded returns the |i|'th word of |in|, if it is not out of
- * bounds. Otherwise, it returns 0. It does so without branches on the size of
- * |in|, however it necessarily does not have the same memory access pattern. If
- * the access would be out of bounds, it reads the last word of |in|. |in| must
- * not be zero. */
+// read_word_padded returns the |i|'th word of |in|, if it is not out of
+// bounds. Otherwise, it returns 0. It does so without branches on the size of
+// |in|, however it necessarily does not have the same memory access pattern. If
+// the access would be out of bounds, it reads the last word of |in|. |in| must
+// not be zero.
static BN_ULONG read_word_padded(const BIGNUM *in, size_t i) {
- /* Read |in->d[i]| if valid. Otherwise, read the last word. */
+ // Read |in->d[i]| if valid. Otherwise, read the last word.
BN_ULONG l = in->d[constant_time_select_ulong(
constant_time_le_size_t(in->dmax, i), in->dmax - 1, i)];
- /* Clamp to zero if above |d->top|. */
+ // Clamp to zero if above |d->top|.
return constant_time_select_ulong(constant_time_le_size_t(in->top, i), 0, l);
}
int BN_bn2bin_padded(uint8_t *out, size_t len, const BIGNUM *in) {
- /* Special case for |in| = 0. Just branch as the probability is negligible. */
+ // Special case for |in| = 0. Just branch as the probability is negligible.
if (BN_is_zero(in)) {
OPENSSL_memset(out, 0, len);
return 1;
}
- /* Check if the integer is too big. This case can exit early in non-constant
- * time. */
+ // Check if the integer is too big. This case can exit early in non-constant
+ // time.
if ((size_t)in->top > (len + (BN_BYTES - 1)) / BN_BYTES) {
return 0;
}
@@ -224,13 +224,13 @@
}
}
- /* Write the bytes out one by one. Serialization is done without branching on
- * the bits of |in| or on |in->top|, but if the routine would otherwise read
- * out of bounds, the memory access pattern can't be fixed. However, for an
- * RSA key of size a multiple of the word size, the probability of BN_BYTES
- * leading zero octets is low.
- *
- * See Falko Stenzke, "Manger's Attack revisited", ICICS 2010. */
+ // Write the bytes out one by one. Serialization is done without branching on
+ // the bits of |in| or on |in->top|, but if the routine would otherwise read
+ // out of bounds, the memory access pattern can't be fixed. However, for an
+ // RSA key of size a multiple of the word size, the probability of BN_BYTES
+ // leading zero octets is low.
+ //
+ // See Falko Stenzke, "Manger's Attack revisited", ICICS 2010.
size_t i = len;
while (i--) {
BN_ULONG l = read_word_padded(in, i / BN_BYTES);
diff --git a/crypto/fipsmodule/bn/cmp.c b/crypto/fipsmodule/bn/cmp.c
index 71c0465..7864707 100644
--- a/crypto/fipsmodule/bn/cmp.c
+++ b/crypto/fipsmodule/bn/cmp.c
@@ -159,14 +159,14 @@
if (dl < 0) {
for (i = dl; i < 0; i++) {
if (b[n - i] != 0) {
- return -1; /* a < b */
+ return -1; // a < b
}
}
}
if (dl > 0) {
for (i = dl; i > 0; i--) {
if (a[n + i] != 0) {
- return 1; /* a > b */
+ return 1; // a > b
}
}
}
diff --git a/crypto/fipsmodule/bn/ctx.c b/crypto/fipsmodule/bn/ctx.c
index 3819775..af50de9 100644
--- a/crypto/fipsmodule/bn/ctx.c
+++ b/crypto/fipsmodule/bn/ctx.c
@@ -62,24 +62,24 @@
#include "../../internal.h"
-/* How many bignums are in each "pool item"; */
+// How many bignums are in each "pool item";
#define BN_CTX_POOL_SIZE 16
-/* The stack frame info is resizing, set a first-time expansion size; */
+// The stack frame info is resizing, set a first-time expansion size;
#define BN_CTX_START_FRAMES 32
-/* A bundle of bignums that can be linked with other bundles */
+// A bundle of bignums that can be linked with other bundles
typedef struct bignum_pool_item {
- /* The bignum values */
+ // The bignum values
BIGNUM vals[BN_CTX_POOL_SIZE];
- /* Linked-list admin */
+ // Linked-list admin
struct bignum_pool_item *prev, *next;
} BN_POOL_ITEM;
typedef struct bignum_pool {
- /* Linked-list admin */
+ // Linked-list admin
BN_POOL_ITEM *head, *current, *tail;
- /* Stack depth and allocation size */
+ // Stack depth and allocation size
unsigned used, size;
} BN_POOL;
@@ -88,15 +88,14 @@
static BIGNUM *BN_POOL_get(BN_POOL *);
static void BN_POOL_release(BN_POOL *, unsigned int);
-/************/
-/* BN_STACK */
-/************/
-/* A wrapper to manage the "stack frames" */
+// BN_STACK
+
+// A wrapper to manage the "stack frames"
typedef struct bignum_ctx_stack {
- /* Array of indexes into the bignum stack */
+ // Array of indexes into the bignum stack
unsigned int *indexes;
- /* Number of stack frames, and the size of the allocated array */
+ // Number of stack frames, and the size of the allocated array
unsigned int depth, size;
} BN_STACK;
@@ -105,21 +104,20 @@
static int BN_STACK_push(BN_STACK *, unsigned int);
static unsigned int BN_STACK_pop(BN_STACK *);
-/**********/
-/* BN_CTX */
-/**********/
-/* The opaque BN_CTX type */
+// BN_CTX
+
+// The opaque BN_CTX type
struct bignum_ctx {
- /* The bignum bundles */
+ // The bignum bundles
BN_POOL pool;
- /* The "stack frames", if you will */
+ // The "stack frames", if you will
BN_STACK stack;
- /* The number of bignums currently assigned */
+ // The number of bignums currently assigned
unsigned int used;
- /* Depth of stack overflow */
+ // Depth of stack overflow
int err_stack;
- /* Block "gets" until an "end" (compatibility behaviour) */
+ // Block "gets" until an "end" (compatibility behaviour)
int too_many;
};
@@ -130,7 +128,7 @@
return NULL;
}
- /* Initialise the structure */
+ // Initialise the structure
BN_POOL_init(&ret->pool);
BN_STACK_init(&ret->stack);
ret->used = 0;
@@ -150,11 +148,11 @@
}
void BN_CTX_start(BN_CTX *ctx) {
- /* If we're already overflowing ... */
+ // If we're already overflowing ...
if (ctx->err_stack || ctx->too_many) {
ctx->err_stack++;
} else if (!BN_STACK_push(&ctx->stack, ctx->used)) {
- /* (Try to) get a new frame pointer */
+ // (Try to) get a new frame pointer
OPENSSL_PUT_ERROR(BN, BN_R_TOO_MANY_TEMPORARY_VARIABLES);
ctx->err_stack++;
}
@@ -168,14 +166,14 @@
ret = BN_POOL_get(&ctx->pool);
if (ret == NULL) {
- /* Setting too_many prevents repeated "get" attempts from
- * cluttering the error stack. */
+ // Setting too_many prevents repeated "get" attempts from
+ // cluttering the error stack.
ctx->too_many = 1;
OPENSSL_PUT_ERROR(BN, BN_R_TOO_MANY_TEMPORARY_VARIABLES);
return NULL;
}
- /* OK, make sure the returned bignum is "zero" */
+ // OK, make sure the returned bignum is "zero"
BN_zero(ret);
ctx->used++;
return ret;
@@ -186,20 +184,19 @@
ctx->err_stack--;
} else {
unsigned int fp = BN_STACK_pop(&ctx->stack);
- /* Does this stack frame have anything to release? */
+ // Does this stack frame have anything to release?
if (fp < ctx->used) {
BN_POOL_release(&ctx->pool, ctx->used - fp);
}
ctx->used = fp;
- /* Unjam "too_many" in case "get" had failed */
+ // Unjam "too_many" in case "get" had failed
ctx->too_many = 0;
}
}
-/************/
-/* BN_STACK */
-/************/
+
+// BN_STACK
static void BN_STACK_init(BN_STACK *st) {
st->indexes = NULL;
@@ -212,7 +209,7 @@
static int BN_STACK_push(BN_STACK *st, unsigned int idx) {
if (st->depth == st->size) {
- /* Need to expand */
+ // Need to expand
unsigned int newsize =
(st->size ? (st->size * 3 / 2) : BN_CTX_START_FRAMES);
unsigned int *newitems = OPENSSL_malloc(newsize * sizeof(unsigned int));
@@ -235,6 +232,7 @@
return st->indexes[--(st->depth)];
}
+
static void BN_POOL_init(BN_POOL *p) {
p->head = p->current = p->tail = NULL;
p->used = p->size = 0;
@@ -259,14 +257,14 @@
return NULL;
}
- /* Initialise the structure */
+ // Initialise the structure
for (size_t i = 0; i < BN_CTX_POOL_SIZE; i++) {
BN_init(&item->vals[i]);
}
item->prev = p->tail;
item->next = NULL;
- /* Link it in */
+ // Link it in
if (!p->head) {
p->head = p->current = p->tail = item;
} else {
@@ -277,7 +275,7 @@
p->size += BN_CTX_POOL_SIZE;
p->used++;
- /* Return the first bignum from the new pool */
+ // Return the first bignum from the new pool
return item->vals;
}
diff --git a/crypto/fipsmodule/bn/div.c b/crypto/fipsmodule/bn/div.c
index dae5656..1bcff50 100644
--- a/crypto/fipsmodule/bn/div.c
+++ b/crypto/fipsmodule/bn/div.c
@@ -65,8 +65,8 @@
#if !defined(BN_ULLONG)
-/* bn_div_words divides a double-width |h|,|l| by |d| and returns the result,
- * which must fit in a |BN_ULONG|. */
+// bn_div_words divides a double-width |h|,|l| by |d| and returns the result,
+// which must fit in a |BN_ULONG|.
static BN_ULONG bn_div_words(BN_ULONG h, BN_ULONG l, BN_ULONG d) {
BN_ULONG dh, dl, q, ret = 0, th, tl, t;
int i, count = 2;
@@ -135,26 +135,26 @@
ret |= q;
return ret;
}
-#endif /* !defined(BN_ULLONG) */
+#endif // !defined(BN_ULLONG)
static inline void bn_div_rem_words(BN_ULONG *quotient_out, BN_ULONG *rem_out,
BN_ULONG n0, BN_ULONG n1, BN_ULONG d0) {
- /* GCC and Clang generate function calls to |__udivdi3| and |__umoddi3| when
- * the |BN_ULLONG|-based C code is used.
- *
- * GCC bugs:
- * * https://gcc.gnu.org/bugzilla/show_bug.cgi?id=14224
- * * https://gcc.gnu.org/bugzilla/show_bug.cgi?id=43721
- * * https://gcc.gnu.org/bugzilla/show_bug.cgi?id=54183
- * * https://gcc.gnu.org/bugzilla/show_bug.cgi?id=58897
- * * https://gcc.gnu.org/bugzilla/show_bug.cgi?id=65668
- *
- * Clang bugs:
- * * https://llvm.org/bugs/show_bug.cgi?id=6397
- * * https://llvm.org/bugs/show_bug.cgi?id=12418
- *
- * These issues aren't specific to x86 and x86_64, so it might be worthwhile
- * to add more assembly language implementations. */
+ // GCC and Clang generate function calls to |__udivdi3| and |__umoddi3| when
+ // the |BN_ULLONG|-based C code is used.
+ //
+ // GCC bugs:
+ // * https://gcc.gnu.org/bugzilla/show_bug.cgi?id=14224
+ // * https://gcc.gnu.org/bugzilla/show_bug.cgi?id=43721
+ // * https://gcc.gnu.org/bugzilla/show_bug.cgi?id=54183
+ // * https://gcc.gnu.org/bugzilla/show_bug.cgi?id=58897
+ // * https://gcc.gnu.org/bugzilla/show_bug.cgi?id=65668
+ //
+ // Clang bugs:
+ // * https://llvm.org/bugs/show_bug.cgi?id=6397
+ // * https://llvm.org/bugs/show_bug.cgi?id=12418
+ //
+ // These issues aren't specific to x86 and x86_64, so it might be worthwhile
+ // to add more assembly language implementations.
#if !defined(OPENSSL_NO_ASM) && defined(OPENSSL_X86) && defined(__GNUC__)
__asm__ volatile (
"divl %4"
@@ -178,17 +178,17 @@
#endif
}
-/* BN_div computes dv := num / divisor, rounding towards
- * zero, and sets up rm such that dv*divisor + rm = num holds.
- * Thus:
- * dv->neg == num->neg ^ divisor->neg (unless the result is zero)
- * rm->neg == num->neg (unless the remainder is zero)
- * If 'dv' or 'rm' is NULL, the respective value is not returned.
- *
- * This was specifically designed to contain fewer branches that may leak
- * sensitive information; see "New Branch Prediction Vulnerabilities in OpenSSL
- * and Necessary Software Countermeasures" by Onur Acıçmez, Shay Gueron, and
- * Jean-Pierre Seifert. */
+// BN_div computes dv := num / divisor, rounding towards
+// zero, and sets up rm such that dv*divisor + rm = num holds.
+// Thus:
+// dv->neg == num->neg ^ divisor->neg (unless the result is zero)
+// rm->neg == num->neg (unless the remainder is zero)
+// If 'dv' or 'rm' is NULL, the respective value is not returned.
+//
+// This was specifically designed to contain fewer branches that may leak
+// sensitive information; see "New Branch Prediction Vulnerabilities in OpenSSL
+// and Necessary Software Countermeasures" by Onur Acıçmez, Shay Gueron, and
+// Jean-Pierre Seifert.
int BN_div(BIGNUM *dv, BIGNUM *rm, const BIGNUM *num, const BIGNUM *divisor,
BN_CTX *ctx) {
int norm_shift, i, loop;
@@ -197,8 +197,8 @@
BN_ULONG d0, d1;
int num_n, div_n;
- /* Invalid zero-padding would have particularly bad consequences
- * so don't just rely on bn_check_top() here */
+ // Invalid zero-padding would have particularly bad consequences
+ // so don't just rely on bn_check_top() here
if ((num->top > 0 && num->d[num->top - 1] == 0) ||
(divisor->top > 0 && divisor->d[divisor->top - 1] == 0)) {
OPENSSL_PUT_ERROR(BN, BN_R_NOT_INITIALIZED);
@@ -223,7 +223,7 @@
goto err;
}
- /* First we normalise the numbers */
+ // First we normalise the numbers
norm_shift = BN_BITS2 - ((BN_num_bits(divisor)) % BN_BITS2);
if (!(BN_lshift(sdiv, divisor, norm_shift))) {
goto err;
@@ -235,9 +235,9 @@
}
snum->neg = 0;
- /* Since we don't want to have special-case logic for the case where snum is
- * larger than sdiv, we pad snum with enough zeroes without changing its
- * value. */
+ // Since we don't want to have special-case logic for the case where snum is
+ // larger than sdiv, we pad snum with enough zeroes without changing its
+ // value.
if (snum->top <= sdiv->top + 1) {
if (!bn_wexpand(snum, sdiv->top + 2)) {
goto err;
@@ -257,24 +257,24 @@
div_n = sdiv->top;
num_n = snum->top;
loop = num_n - div_n;
- /* Lets setup a 'window' into snum
- * This is the part that corresponds to the current
- * 'area' being divided */
+ // Lets setup a 'window' into snum
+ // This is the part that corresponds to the current
+ // 'area' being divided
wnum.neg = 0;
wnum.d = &(snum->d[loop]);
wnum.top = div_n;
- /* only needed when BN_ucmp messes up the values between top and max */
- wnum.dmax = snum->dmax - loop; /* so we don't step out of bounds */
+ // only needed when BN_ucmp messes up the values between top and max
+ wnum.dmax = snum->dmax - loop; // so we don't step out of bounds
- /* Get the top 2 words of sdiv */
- /* div_n=sdiv->top; */
+ // Get the top 2 words of sdiv
+ // div_n=sdiv->top;
d0 = sdiv->d[div_n - 1];
d1 = (div_n == 1) ? 0 : sdiv->d[div_n - 2];
- /* pointer to the 'top' of snum */
+ // pointer to the 'top' of snum
wnump = &(snum->d[num_n - 1]);
- /* Setup to 'res' */
+ // Setup to 'res'
res->neg = (num->neg ^ divisor->neg);
if (!bn_wexpand(res, (loop + 1))) {
goto err;
@@ -282,13 +282,13 @@
res->top = loop - 1;
resp = &(res->d[loop - 1]);
- /* space for temp */
+ // space for temp
if (!bn_wexpand(tmp, (div_n + 1))) {
goto err;
}
- /* if res->top == 0 then clear the neg value otherwise decrease
- * the resp pointer */
+ // if res->top == 0 then clear the neg value otherwise decrease
+ // the resp pointer
if (res->top == 0) {
res->neg = 0;
} else {
@@ -297,8 +297,8 @@
for (i = 0; i < loop - 1; i++, wnump--, resp--) {
BN_ULONG q, l0;
- /* the first part of the loop uses the top two words of snum and sdiv to
- * calculate a BN_ULONG q such that | wnum - sdiv * q | < sdiv */
+ // the first part of the loop uses the top two words of snum and sdiv to
+ // calculate a BN_ULONG q such that | wnum - sdiv * q | < sdiv
BN_ULONG n0, n1, rem = 0;
n0 = wnump[0];
@@ -306,7 +306,7 @@
if (n0 == d0) {
q = BN_MASK2;
} else {
- /* n0 < d0 */
+ // n0 < d0
bn_div_rem_words(&q, &rem, n0, n1, d0);
#ifdef BN_ULLONG
@@ -318,11 +318,11 @@
q--;
rem += d0;
if (rem < d0) {
- break; /* don't let rem overflow */
+ break; // don't let rem overflow
}
t2 -= d1;
}
-#else /* !BN_ULLONG */
+#else // !BN_ULLONG
BN_ULONG t2l, t2h;
BN_UMULT_LOHI(t2l, t2h, d1, q);
for (;;) {
@@ -332,43 +332,41 @@
q--;
rem += d0;
if (rem < d0) {
- break; /* don't let rem overflow */
+ break; // don't let rem overflow
}
if (t2l < d1) {
t2h--;
}
t2l -= d1;
}
-#endif /* !BN_ULLONG */
+#endif // !BN_ULLONG
}
l0 = bn_mul_words(tmp->d, sdiv->d, div_n, q);
tmp->d[div_n] = l0;
wnum.d--;
- /* ingore top values of the bignums just sub the two
- * BN_ULONG arrays with bn_sub_words */
+ // ingore top values of the bignums just sub the two
+ // BN_ULONG arrays with bn_sub_words
if (bn_sub_words(wnum.d, wnum.d, tmp->d, div_n + 1)) {
- /* Note: As we have considered only the leading
- * two BN_ULONGs in the calculation of q, sdiv * q
- * might be greater than wnum (but then (q-1) * sdiv
- * is less or equal than wnum)
- */
+ // Note: As we have considered only the leading
+ // two BN_ULONGs in the calculation of q, sdiv * q
+ // might be greater than wnum (but then (q-1) * sdiv
+ // is less or equal than wnum)
q--;
if (bn_add_words(wnum.d, wnum.d, sdiv->d, div_n)) {
- /* we can't have an overflow here (assuming
- * that q != 0, but if q == 0 then tmp is
- * zero anyway) */
+ // we can't have an overflow here (assuming
+ // that q != 0, but if q == 0 then tmp is
+ // zero anyway)
(*wnump)++;
}
}
- /* store part of the result */
+ // store part of the result
*resp = q;
}
bn_correct_top(snum);
if (rm != NULL) {
- /* Keep a copy of the neg flag in num because if rm==num
- * BN_rshift() will overwrite it.
- */
+ // Keep a copy of the neg flag in num because if rm==num
+ // BN_rshift() will overwrite it.
int neg = num->neg;
if (!BN_rshift(rm, snum, norm_shift)) {
goto err;
@@ -394,7 +392,7 @@
return 1;
}
- /* now -|d| < r < 0, so we have to set r := r + |d|. */
+ // now -|d| < r < 0, so we have to set r := r + |d|.
return (d->neg ? BN_sub : BN_add)(r, r, d);
}
@@ -425,8 +423,8 @@
return BN_nnmod(r, r, m, ctx);
}
-/* BN_mod_sub variant that may be used if both a and b are non-negative
- * and less than m */
+// BN_mod_sub variant that may be used if both a and b are non-negative
+// and less than m
int BN_mod_sub_quick(BIGNUM *r, const BIGNUM *a, const BIGNUM *b,
const BIGNUM *m) {
if (!BN_sub(r, a, b)) {
@@ -475,7 +473,7 @@
return 0;
}
- /* r->neg == 0, thus we don't need BN_nnmod */
+ // r->neg == 0, thus we don't need BN_nnmod
return BN_mod(r, r, m, ctx);
}
@@ -512,9 +510,9 @@
while (n > 0) {
int max_shift;
- /* 0 < r < m */
+ // 0 < r < m
max_shift = BN_num_bits(m) - BN_num_bits(r);
- /* max_shift >= 0 */
+ // max_shift >= 0
if (max_shift < 0) {
OPENSSL_PUT_ERROR(BN, BN_R_INPUT_NOT_REDUCED);
@@ -537,7 +535,7 @@
--n;
}
- /* BN_num_bits(r) <= BN_num_bits(m) */
+ // BN_num_bits(r) <= BN_num_bits(m)
if (BN_cmp(r, m) >= 0) {
if (!BN_sub(r, r, m)) {
return 0;
@@ -574,7 +572,7 @@
w &= BN_MASK2;
if (!w) {
- /* actually this an error (division by zero) */
+ // actually this an error (division by zero)
return (BN_ULONG) - 1;
}
@@ -582,7 +580,7 @@
return 0;
}
- /* normalize input for |bn_div_rem_words|. */
+ // normalize input for |bn_div_rem_words|.
j = BN_BITS2 - BN_num_bits_word(w);
w <<= j;
if (!BN_lshift(a, a, j)) {
@@ -623,8 +621,8 @@
}
#ifndef BN_ULLONG
- /* If |w| is too long and we don't have |BN_ULLONG| then we need to fall back
- * to using |BN_div_word|. */
+ // If |w| is too long and we don't have |BN_ULLONG| then we need to fall back
+ // to using |BN_div_word|.
if (w > ((BN_ULONG)1 << BN_BITS4)) {
BIGNUM *tmp = BN_dup(a);
if (tmp == NULL) {
@@ -656,27 +654,27 @@
size_t num_words = 1 + ((e - 1) / BN_BITS2);
- /* If |a| definitely has less than |e| bits, just BN_copy. */
+ // If |a| definitely has less than |e| bits, just BN_copy.
if ((size_t) a->top < num_words) {
return BN_copy(r, a) != NULL;
}
- /* Otherwise, first make sure we have enough space in |r|.
- * Note that this will fail if num_words > INT_MAX. */
+ // Otherwise, first make sure we have enough space in |r|.
+ // Note that this will fail if num_words > INT_MAX.
if (!bn_wexpand(r, num_words)) {
return 0;
}
- /* Copy the content of |a| into |r|. */
+ // Copy the content of |a| into |r|.
OPENSSL_memcpy(r->d, a->d, num_words * sizeof(BN_ULONG));
- /* If |e| isn't word-aligned, we have to mask off some of our bits. */
+ // If |e| isn't word-aligned, we have to mask off some of our bits.
size_t top_word_exponent = e % (sizeof(BN_ULONG) * 8);
if (top_word_exponent != 0) {
r->d[num_words - 1] &= (((BN_ULONG) 1) << top_word_exponent) - 1;
}
- /* Fill in the remaining fields of |r|. */
+ // Fill in the remaining fields of |r|.
r->neg = a->neg;
r->top = (int) num_words;
bn_correct_top(r);
@@ -688,41 +686,41 @@
return 0;
}
- /* If the returned value was non-negative, we're done. */
+ // If the returned value was non-negative, we're done.
if (BN_is_zero(r) || !r->neg) {
return 1;
}
size_t num_words = 1 + (e - 1) / BN_BITS2;
- /* Expand |r| to the size of our modulus. */
+ // Expand |r| to the size of our modulus.
if (!bn_wexpand(r, num_words)) {
return 0;
}
- /* Clear the upper words of |r|. */
+ // Clear the upper words of |r|.
OPENSSL_memset(&r->d[r->top], 0, (num_words - r->top) * BN_BYTES);
- /* Set parameters of |r|. */
+ // Set parameters of |r|.
r->neg = 0;
r->top = (int) num_words;
- /* Now, invert every word. The idea here is that we want to compute 2^e-|x|,
- * which is actually equivalent to the twos-complement representation of |x|
- * in |e| bits, which is -x = ~x + 1. */
+ // Now, invert every word. The idea here is that we want to compute 2^e-|x|,
+ // which is actually equivalent to the twos-complement representation of |x|
+ // in |e| bits, which is -x = ~x + 1.
for (int i = 0; i < r->top; i++) {
r->d[i] = ~r->d[i];
}
- /* If our exponent doesn't span the top word, we have to mask the rest. */
+ // If our exponent doesn't span the top word, we have to mask the rest.
size_t top_word_exponent = e % BN_BITS2;
if (top_word_exponent != 0) {
r->d[r->top - 1] &= (((BN_ULONG) 1) << top_word_exponent) - 1;
}
- /* Keep the correct_top invariant for BN_add. */
+ // Keep the correct_top invariant for BN_add.
bn_correct_top(r);
- /* Finally, add one, for the reason described above. */
+ // Finally, add one, for the reason described above.
return BN_add(r, r, BN_value_one());
}
diff --git a/crypto/fipsmodule/bn/exponentiation.c b/crypto/fipsmodule/bn/exponentiation.c
index 187b845..ae78ff9 100644
--- a/crypto/fipsmodule/bn/exponentiation.c
+++ b/crypto/fipsmodule/bn/exponentiation.c
@@ -188,12 +188,12 @@
return ret;
}
-/* maximum precomputation table size for *variable* sliding windows */
+// maximum precomputation table size for *variable* sliding windows
#define TABLE_SIZE 32
typedef struct bn_recp_ctx_st {
- BIGNUM N; /* the divisor */
- BIGNUM Nr; /* the reciprocal */
+ BIGNUM N; // the divisor
+ BIGNUM Nr; // the reciprocal
int num_bits;
int shift;
int flags;
@@ -227,10 +227,10 @@
return 1;
}
-/* len is the expected size of the result We actually calculate with an extra
- * word of precision, so we can do faster division if the remainder is not
- * required.
- * r := 2^len / m */
+// len is the expected size of the result We actually calculate with an extra
+// word of precision, so we can do faster division if the remainder is not
+// required.
+// r := 2^len / m
static int BN_reciprocal(BIGNUM *r, const BIGNUM *m, int len, BN_CTX *ctx) {
int ret = -1;
BIGNUM *t;
@@ -289,34 +289,34 @@
return 1;
}
- /* We want the remainder
- * Given input of ABCDEF / ab
- * we need multiply ABCDEF by 3 digests of the reciprocal of ab */
+ // We want the remainder
+ // Given input of ABCDEF / ab
+ // we need multiply ABCDEF by 3 digests of the reciprocal of ab
- /* i := max(BN_num_bits(m), 2*BN_num_bits(N)) */
+ // i := max(BN_num_bits(m), 2*BN_num_bits(N))
i = BN_num_bits(m);
j = recp->num_bits << 1;
if (j > i) {
i = j;
}
- /* Nr := round(2^i / N) */
+ // Nr := round(2^i / N)
if (i != recp->shift) {
recp->shift =
BN_reciprocal(&(recp->Nr), &(recp->N), i,
- ctx); /* BN_reciprocal returns i, or -1 for an error */
+ ctx); // BN_reciprocal returns i, or -1 for an error
}
if (recp->shift == -1) {
goto err;
}
- /* d := |round(round(m / 2^BN_num_bits(N)) * recp->Nr / 2^(i -
- * BN_num_bits(N)))|
- * = |round(round(m / 2^BN_num_bits(N)) * round(2^i / N) / 2^(i -
- * BN_num_bits(N)))|
- * <= |(m / 2^BN_num_bits(N)) * (2^i / N) * (2^BN_num_bits(N) / 2^i)|
- * = |m/N| */
+ // d := |round(round(m / 2^BN_num_bits(N)) * recp->Nr / 2^(i -
+ // BN_num_bits(N)))|
+ // = |round(round(m / 2^BN_num_bits(N)) * round(2^i / N) / 2^(i -
+ // BN_num_bits(N)))|
+ // <= |(m / 2^BN_num_bits(N)) * (2^i / N) * (2^BN_num_bits(N) / 2^i)|
+ // = |m/N|
if (!BN_rshift(a, m, recp->num_bits)) {
goto err;
}
@@ -383,7 +383,7 @@
}
ca = a;
} else {
- ca = x; /* Just do the mod */
+ ca = x; // Just do the mod
}
ret = BN_div_recp(NULL, r, ca, recp, ctx);
@@ -393,29 +393,29 @@
return ret;
}
-/* BN_window_bits_for_exponent_size -- macro for sliding window mod_exp
- * functions
- *
- * For window size 'w' (w >= 2) and a random 'b' bits exponent, the number of
- * multiplications is a constant plus on average
- *
- * 2^(w-1) + (b-w)/(w+1);
- *
- * here 2^(w-1) is for precomputing the table (we actually need entries only
- * for windows that have the lowest bit set), and (b-w)/(w+1) is an
- * approximation for the expected number of w-bit windows, not counting the
- * first one.
- *
- * Thus we should use
- *
- * w >= 6 if b > 671
- * w = 5 if 671 > b > 239
- * w = 4 if 239 > b > 79
- * w = 3 if 79 > b > 23
- * w <= 2 if 23 > b
- *
- * (with draws in between). Very small exponents are often selected
- * with low Hamming weight, so we use w = 1 for b <= 23. */
+// BN_window_bits_for_exponent_size -- macro for sliding window mod_exp
+// functions
+//
+// For window size 'w' (w >= 2) and a random 'b' bits exponent, the number of
+// multiplications is a constant plus on average
+//
+// 2^(w-1) + (b-w)/(w+1);
+//
+// here 2^(w-1) is for precomputing the table (we actually need entries only
+// for windows that have the lowest bit set), and (b-w)/(w+1) is an
+// approximation for the expected number of w-bit windows, not counting the
+// first one.
+//
+// Thus we should use
+//
+// w >= 6 if b > 671
+// w = 5 if 671 > b > 239
+// w = 4 if 239 > b > 79
+// w = 3 if 79 > b > 23
+// w <= 2 if 23 > b
+//
+// (with draws in between). Very small exponents are often selected
+// with low Hamming weight, so we use w = 1 for b <= 23.
#define BN_window_bits_for_exponent_size(b) \
((b) > 671 ? 6 : \
(b) > 239 ? 5 : \
@@ -427,14 +427,14 @@
int i, j, bits, ret = 0, wstart, window;
int start = 1;
BIGNUM *aa;
- /* Table of variables obtained from 'ctx' */
+ // Table of variables obtained from 'ctx'
BIGNUM *val[TABLE_SIZE];
BN_RECP_CTX recp;
bits = BN_num_bits(p);
if (bits == 0) {
- /* x**0 mod 1 is still zero. */
+ // x**0 mod 1 is still zero.
if (BN_is_one(m)) {
BN_zero(r);
return 1;
@@ -451,7 +451,7 @@
BN_RECP_CTX_init(&recp);
if (m->neg) {
- /* ignore sign of 'm' */
+ // ignore sign of 'm'
if (!BN_copy(aa, m)) {
goto err;
}
@@ -466,7 +466,7 @@
}
if (!BN_nnmod(val[0], a, m, ctx)) {
- goto err; /* 1 */
+ goto err; // 1
}
if (BN_is_zero(val[0])) {
BN_zero(r);
@@ -477,7 +477,7 @@
window = BN_window_bits_for_exponent_size(bits);
if (window > 1) {
if (!BN_mod_mul_reciprocal(aa, val[0], val[0], &recp, ctx)) {
- goto err; /* 2 */
+ goto err; // 2
}
j = 1 << (window - 1);
for (i = 1; i < j; i++) {
@@ -488,18 +488,18 @@
}
}
- start = 1; /* This is used to avoid multiplication etc
- * when there is only the value '1' in the
- * buffer. */
- wstart = bits - 1; /* The top bit of the window */
+ start = 1; // This is used to avoid multiplication etc
+ // when there is only the value '1' in the
+ // buffer.
+ wstart = bits - 1; // The top bit of the window
if (!BN_one(r)) {
goto err;
}
for (;;) {
- int wvalue; /* The 'value' of the window */
- int wend; /* The bottom bit of the window */
+ int wvalue; // The 'value' of the window
+ int wend; // The bottom bit of the window
if (BN_is_bit_set(p, wstart) == 0) {
if (!start) {
@@ -514,10 +514,10 @@
continue;
}
- /* We now have wstart on a 'set' bit, we now need to work out
- * how bit a window to do. To do this we need to scan
- * forward until the last set bit before the end of the
- * window */
+ // We now have wstart on a 'set' bit, we now need to work out
+ // how bit a window to do. To do this we need to scan
+ // forward until the last set bit before the end of the
+ // window
wvalue = 1;
wend = 0;
for (i = 1; i < window; i++) {
@@ -531,9 +531,9 @@
}
}
- /* wend is the size of the current window */
+ // wend is the size of the current window
j = wend + 1;
- /* add the 'bytes above' */
+ // add the 'bytes above'
if (!start) {
for (i = 0; i < j; i++) {
if (!BN_mod_mul_reciprocal(r, r, r, &recp, ctx)) {
@@ -542,12 +542,12 @@
}
}
- /* wvalue will be an odd number < 2^window */
+ // wvalue will be an odd number < 2^window
if (!BN_mod_mul_reciprocal(r, r, val[wvalue >> 1], &recp, ctx)) {
goto err;
}
- /* move the 'window' down further */
+ // move the 'window' down further
wstart -= wend + 1;
start = 0;
if (wstart < 0) {
@@ -577,7 +577,7 @@
int start = 1;
BIGNUM *d, *r;
const BIGNUM *aa;
- /* Table of variables obtained from 'ctx' */
+ // Table of variables obtained from 'ctx'
BIGNUM *val[TABLE_SIZE];
BN_MONT_CTX *new_mont = NULL;
@@ -587,7 +587,7 @@
}
bits = BN_num_bits(p);
if (bits == 0) {
- /* x**0 mod 1 is still zero. */
+ // x**0 mod 1 is still zero.
if (BN_is_one(m)) {
BN_zero(rr);
return 1;
@@ -603,7 +603,7 @@
goto err;
}
- /* Allocate a montgomery context if it was not supplied by the caller. */
+ // Allocate a montgomery context if it was not supplied by the caller.
if (mont == NULL) {
new_mont = BN_MONT_CTX_new();
if (new_mont == NULL || !BN_MONT_CTX_set(new_mont, m, ctx)) {
@@ -627,13 +627,13 @@
goto err;
}
if (!BN_to_montgomery(val[0], aa, mont, ctx)) {
- goto err; /* 1 */
+ goto err; // 1
}
window = BN_window_bits_for_exponent_size(bits);
if (window > 1) {
if (!BN_mod_mul_montgomery(d, val[0], val[0], mont, ctx)) {
- goto err; /* 2 */
+ goto err; // 2
}
j = 1 << (window - 1);
for (i = 1; i < j; i++) {
@@ -644,32 +644,32 @@
}
}
- start = 1; /* This is used to avoid multiplication etc
- * when there is only the value '1' in the
- * buffer. */
- wstart = bits - 1; /* The top bit of the window */
+ start = 1; // This is used to avoid multiplication etc
+ // when there is only the value '1' in the
+ // buffer.
+ wstart = bits - 1; // The top bit of the window
- j = m->top; /* borrow j */
+ j = m->top; // borrow j
if (m->d[j - 1] & (((BN_ULONG)1) << (BN_BITS2 - 1))) {
if (!bn_wexpand(r, j)) {
goto err;
}
- /* 2^(top*BN_BITS2) - m */
+ // 2^(top*BN_BITS2) - m
r->d[0] = (0 - m->d[0]) & BN_MASK2;
for (i = 1; i < j; i++) {
r->d[i] = (~m->d[i]) & BN_MASK2;
}
r->top = j;
- /* Upper words will be zero if the corresponding words of 'm'
- * were 0xfff[...], so decrement r->top accordingly. */
+ // Upper words will be zero if the corresponding words of 'm'
+ // were 0xfff[...], so decrement r->top accordingly.
bn_correct_top(r);
} else if (!BN_to_montgomery(r, BN_value_one(), mont, ctx)) {
goto err;
}
for (;;) {
- int wvalue; /* The 'value' of the window */
- int wend; /* The bottom bit of the window */
+ int wvalue; // The 'value' of the window
+ int wend; // The bottom bit of the window
if (BN_is_bit_set(p, wstart) == 0) {
if (!start && !BN_mod_mul_montgomery(r, r, r, mont, ctx)) {
@@ -682,9 +682,9 @@
continue;
}
- /* We now have wstart on a 'set' bit, we now need to work out how bit a
- * window to do. To do this we need to scan forward until the last set bit
- * before the end of the window */
+ // We now have wstart on a 'set' bit, we now need to work out how bit a
+ // window to do. To do this we need to scan forward until the last set bit
+ // before the end of the window
wvalue = 1;
wend = 0;
for (i = 1; i < window; i++) {
@@ -698,9 +698,9 @@
}
}
- /* wend is the size of the current window */
+ // wend is the size of the current window
j = wend + 1;
- /* add the 'bytes above' */
+ // add the 'bytes above'
if (!start) {
for (i = 0; i < j; i++) {
if (!BN_mod_mul_montgomery(r, r, r, mont, ctx)) {
@@ -709,12 +709,12 @@
}
}
- /* wvalue will be an odd number < 2^window */
+ // wvalue will be an odd number < 2^window
if (!BN_mod_mul_montgomery(r, r, val[wvalue >> 1], mont, ctx)) {
goto err;
}
- /* move the 'window' down further */
+ // move the 'window' down further
wstart -= wend + 1;
start = 0;
if (wstart < 0) {
@@ -733,10 +733,10 @@
return ret;
}
-/* BN_mod_exp_mont_consttime() stores the precomputed powers in a specific
- * layout so that accessing any of these table values shows the same access
- * pattern as far as cache lines are concerned. The following functions are
- * used to transfer a BIGNUM from/to that table. */
+// BN_mod_exp_mont_consttime() stores the precomputed powers in a specific
+// layout so that accessing any of these table values shows the same access
+// pattern as far as cache lines are concerned. The following functions are
+// used to transfer a BIGNUM from/to that table.
static int copy_to_prebuf(const BIGNUM *b, int top, unsigned char *buf, int idx,
int window) {
int i, j;
@@ -744,7 +744,7 @@
BN_ULONG *table = (BN_ULONG *) buf;
if (top > b->top) {
- top = b->top; /* this works because 'buf' is explicitly zeroed */
+ top = b->top; // this works because 'buf' is explicitly zeroed
}
for (i = 0, j = idx; i < top; i++, j += width) {
@@ -778,8 +778,8 @@
int xstride = 1 << (window - 2);
BN_ULONG y0, y1, y2, y3;
- i = idx >> (window - 2); /* equivalent of idx / xstride */
- idx &= xstride - 1; /* equivalent of idx % xstride */
+ i = idx >> (window - 2); // equivalent of idx / xstride
+ idx &= xstride - 1; // equivalent of idx % xstride
y0 = (BN_ULONG)0 - (constant_time_eq_int(i, 0) & 1);
y1 = (BN_ULONG)0 - (constant_time_eq_int(i, 1) & 1);
@@ -804,23 +804,23 @@
return 1;
}
-/* BN_mod_exp_mont_conttime is based on the assumption that the L1 data cache
- * line width of the target processor is at least the following value. */
+// BN_mod_exp_mont_conttime is based on the assumption that the L1 data cache
+// line width of the target processor is at least the following value.
#define MOD_EXP_CTIME_MIN_CACHE_LINE_WIDTH (64)
#define MOD_EXP_CTIME_MIN_CACHE_LINE_MASK \
(MOD_EXP_CTIME_MIN_CACHE_LINE_WIDTH - 1)
-/* Window sizes optimized for fixed window size modular exponentiation
- * algorithm (BN_mod_exp_mont_consttime).
- *
- * To achieve the security goals of BN_mode_exp_mont_consttime, the maximum
- * size of the window must not exceed
- * log_2(MOD_EXP_CTIME_MIN_CACHE_LINE_WIDTH).
- *
- * Window size thresholds are defined for cache line sizes of 32 and 64, cache
- * line sizes where log_2(32)=5 and log_2(64)=6 respectively. A window size of
- * 7 should only be used on processors that have a 128 byte or greater cache
- * line size. */
+// Window sizes optimized for fixed window size modular exponentiation
+// algorithm (BN_mod_exp_mont_consttime).
+//
+// To achieve the security goals of BN_mode_exp_mont_consttime, the maximum
+// size of the window must not exceed
+// log_2(MOD_EXP_CTIME_MIN_CACHE_LINE_WIDTH).
+//
+// Window size thresholds are defined for cache line sizes of 32 and 64, cache
+// line sizes where log_2(32)=5 and log_2(64)=6 respectively. A window size of
+// 7 should only be used on processors that have a 128 byte or greater cache
+// line size.
#if MOD_EXP_CTIME_MIN_CACHE_LINE_WIDTH == 64
#define BN_window_bits_for_ctime_exponent_size(b) \
@@ -835,19 +835,18 @@
#endif
-/* Given a pointer value, compute the next address that is a cache line
- * multiple. */
+// Given a pointer value, compute the next address that is a cache line
+// multiple.
#define MOD_EXP_CTIME_ALIGN(x_) \
((unsigned char *)(x_) + \
(MOD_EXP_CTIME_MIN_CACHE_LINE_WIDTH - \
(((size_t)(x_)) & (MOD_EXP_CTIME_MIN_CACHE_LINE_MASK))))
-/* This variant of BN_mod_exp_mont() uses fixed windows and the special
- * precomputation memory layout to limit data-dependency to a minimum
- * to protect secret exponents (cf. the hyper-threading timing attacks
- * pointed out by Colin Percival,
- * http://www.daemonology.net/hyperthreading-considered-harmful/)
- */
+// This variant of BN_mod_exp_mont() uses fixed windows and the special
+// precomputation memory layout to limit data-dependency to a minimum
+// to protect secret exponents (cf. the hyper-threading timing attacks
+// pointed out by Colin Percival,
+// http://www.daemonology.net/hyperthreading-considered-harmful/)
int BN_mod_exp_mont_consttime(BIGNUM *rr, const BIGNUM *a, const BIGNUM *p,
const BIGNUM *m, BN_CTX *ctx,
const BN_MONT_CTX *mont) {
@@ -871,7 +870,7 @@
bits = BN_num_bits(p);
if (bits == 0) {
- /* x**0 mod 1 is still zero. */
+ // x**0 mod 1 is still zero.
if (BN_is_one(m)) {
BN_zero(rr);
return 1;
@@ -879,7 +878,7 @@
return BN_one(rr);
}
- /* Allocate a montgomery context if it was not supplied by the caller. */
+ // Allocate a montgomery context if it was not supplied by the caller.
if (mont == NULL) {
new_mont = BN_MONT_CTX_new();
if (new_mont == NULL || !BN_MONT_CTX_set(new_mont, m, ctx)) {
@@ -898,9 +897,9 @@
}
#ifdef RSAZ_ENABLED
- /* If the size of the operands allow it, perform the optimized
- * RSAZ exponentiation. For further information see
- * crypto/bn/rsaz_exp.c and accompanying assembly modules. */
+ // If the size of the operands allow it, perform the optimized
+ // RSAZ exponentiation. For further information see
+ // crypto/bn/rsaz_exp.c and accompanying assembly modules.
if ((16 == a->top) && (16 == p->top) && (BN_num_bits(m) == 1024) &&
rsaz_avx2_eligible()) {
if (!bn_wexpand(rr, 16)) {
@@ -915,19 +914,18 @@
}
#endif
- /* Get the window size to use with size of p. */
+ // Get the window size to use with size of p.
window = BN_window_bits_for_ctime_exponent_size(bits);
#if defined(OPENSSL_BN_ASM_MONT5)
if (window >= 5) {
- window = 5; /* ~5% improvement for RSA2048 sign, and even for RSA4096 */
- /* reserve space for mont->N.d[] copy */
+ window = 5; // ~5% improvement for RSA2048 sign, and even for RSA4096
+ // reserve space for mont->N.d[] copy
powerbufLen += top * sizeof(mont->N.d[0]);
}
#endif
- /* Allocate a buffer large enough to hold all of the pre-computed
- * powers of am, am itself and tmp.
- */
+ // Allocate a buffer large enough to hold all of the pre-computed
+ // powers of am, am itself and tmp.
numPowers = 1 << window;
powerbufLen +=
sizeof(m->d[0]) *
@@ -953,7 +951,7 @@
}
#endif
- /* lay down tmp and am right after powers table */
+ // lay down tmp and am right after powers table
tmp.d = (BN_ULONG *)(powerbuf + sizeof(m->d[0]) * top * numPowers);
am.d = tmp.d + top;
tmp.top = am.top = 0;
@@ -961,10 +959,10 @@
tmp.neg = am.neg = 0;
tmp.flags = am.flags = BN_FLG_STATIC_DATA;
-/* prepare a^0 in Montgomery domain */
-/* by Shay Gueron's suggestion */
+// prepare a^0 in Montgomery domain
+// by Shay Gueron's suggestion
if (m->d[top - 1] & (((BN_ULONG)1) << (BN_BITS2 - 1))) {
- /* 2^(top*BN_BITS2) - m */
+ // 2^(top*BN_BITS2) - m
tmp.d[0] = (0 - m->d[0]) & BN_MASK2;
for (i = 1; i < top; i++) {
tmp.d[i] = (~m->d[i]) & BN_MASK2;
@@ -974,7 +972,7 @@
goto err;
}
- /* prepare a^1 in Montgomery domain */
+ // prepare a^1 in Montgomery domain
assert(!a->neg);
assert(BN_ucmp(a, m) < 0);
if (!BN_to_montgomery(&am, a, mont, ctx)) {
@@ -982,18 +980,18 @@
}
#if defined(OPENSSL_BN_ASM_MONT5)
- /* This optimization uses ideas from http://eprint.iacr.org/2011/239,
- * specifically optimization of cache-timing attack countermeasures
- * and pre-computation optimization. */
+ // This optimization uses ideas from http://eprint.iacr.org/2011/239,
+ // specifically optimization of cache-timing attack countermeasures
+ // and pre-computation optimization.
- /* Dedicated window==4 case improves 512-bit RSA sign by ~15%, but as
- * 512-bit RSA is hardly relevant, we omit it to spare size... */
+ // Dedicated window==4 case improves 512-bit RSA sign by ~15%, but as
+ // 512-bit RSA is hardly relevant, we omit it to spare size...
if (window == 5 && top > 1) {
const BN_ULONG *n0 = mont->n0;
BN_ULONG *np;
- /* BN_to_montgomery can contaminate words above .top
- * [in BN_DEBUG[_DEBUG] build]... */
+ // BN_to_montgomery can contaminate words above .top
+ // [in BN_DEBUG[_DEBUG] build]...
for (i = am.top; i < top; i++) {
am.d[i] = 0;
}
@@ -1001,7 +999,7 @@
tmp.d[i] = 0;
}
- /* copy mont->N.d[] to improve cache locality */
+ // copy mont->N.d[] to improve cache locality
for (np = am.d + top, i = 0; i < top; i++) {
np[i] = mont->N.d[i];
}
@@ -1011,7 +1009,7 @@
bn_mul_mont(tmp.d, am.d, am.d, np, n0, top);
bn_scatter5(tmp.d, top, powerbuf, 2);
- /* same as above, but uses squaring for 1/2 of operations */
+ // same as above, but uses squaring for 1/2 of operations
for (i = 4; i < 32; i *= 2) {
bn_mul_mont(tmp.d, tmp.d, tmp.d, np, n0, top);
bn_scatter5(tmp.d, top, powerbuf, i);
@@ -1042,13 +1040,12 @@
}
bn_gather5(tmp.d, top, powerbuf, wvalue);
- /* At this point |bits| is 4 mod 5 and at least -1. (|bits| is the first bit
- * that has not been read yet.) */
+ // At this point |bits| is 4 mod 5 and at least -1. (|bits| is the first bit
+ // that has not been read yet.)
assert(bits >= -1 && (bits == -1 || bits % 5 == 4));
- /* Scan the exponent one window at a time starting from the most
- * significant bits.
- */
+ // Scan the exponent one window at a time starting from the most
+ // significant bits.
if (top & 7) {
while (bits >= 0) {
for (wvalue = 0, i = 0; i < 5; i++, bits--) {
@@ -1066,16 +1063,16 @@
const uint8_t *p_bytes = (const uint8_t *)p->d;
int max_bits = p->top * BN_BITS2;
assert(bits < max_bits);
- /* |p = 0| has been handled as a special case, so |max_bits| is at least
- * one word. */
+ // |p = 0| has been handled as a special case, so |max_bits| is at least
+ // one word.
assert(max_bits >= 64);
- /* If the first bit to be read lands in the last byte, unroll the first
- * iteration to avoid reading past the bounds of |p->d|. (After the first
- * iteration, we are guaranteed to be past the last byte.) Note |bits|
- * here is the top bit, inclusive. */
+ // If the first bit to be read lands in the last byte, unroll the first
+ // iteration to avoid reading past the bounds of |p->d|. (After the first
+ // iteration, we are guaranteed to be past the last byte.) Note |bits|
+ // here is the top bit, inclusive.
if (bits - 4 >= max_bits - 8) {
- /* Read five bits from |bits-4| through |bits|, inclusive. */
+ // Read five bits from |bits-4| through |bits|, inclusive.
wvalue = p_bytes[p->top * BN_BYTES - 1];
wvalue >>= (bits - 4) & 7;
wvalue &= 0x1f;
@@ -1083,7 +1080,7 @@
bn_power5(tmp.d, tmp.d, powerbuf, np, n0, top, wvalue);
}
while (bits >= 0) {
- /* Read five bits from |bits-4| through |bits|, inclusive. */
+ // Read five bits from |bits-4| through |bits|, inclusive.
int first_bit = bits - 4;
uint16_t val;
OPENSSL_memcpy(&val, p_bytes + (first_bit >> 3), sizeof(val));
@@ -1101,7 +1098,7 @@
if (!BN_copy(rr, &tmp)) {
ret = 0;
}
- goto err; /* non-zero ret means it's not error */
+ goto err; // non-zero ret means it's not error
}
} else
#endif
@@ -1111,18 +1108,17 @@
goto err;
}
- /* If the window size is greater than 1, then calculate
- * val[i=2..2^winsize-1]. Powers are computed as a*a^(i-1)
- * (even powers could instead be computed as (a^(i/2))^2
- * to use the slight performance advantage of sqr over mul).
- */
+ // If the window size is greater than 1, then calculate
+ // val[i=2..2^winsize-1]. Powers are computed as a*a^(i-1)
+ // (even powers could instead be computed as (a^(i/2))^2
+ // to use the slight performance advantage of sqr over mul).
if (window > 1) {
if (!BN_mod_mul_montgomery(&tmp, &am, &am, mont, ctx) ||
!copy_to_prebuf(&tmp, top, powerbuf, 2, window)) {
goto err;
}
for (i = 3; i < numPowers; i++) {
- /* Calculate a^i = a^(i-1) * a */
+ // Calculate a^i = a^(i-1) * a
if (!BN_mod_mul_montgomery(&tmp, &am, &tmp, mont, ctx) ||
!copy_to_prebuf(&tmp, top, powerbuf, i, window)) {
goto err;
@@ -1138,13 +1134,12 @@
goto err;
}
- /* Scan the exponent one window at a time starting from the most
- * significant bits.
- */
+ // Scan the exponent one window at a time starting from the most
+ // significant bits.
while (bits >= 0) {
- wvalue = 0; /* The 'value' of the window */
+ wvalue = 0; // The 'value' of the window
- /* Scan the window, squaring the result as we go */
+ // Scan the window, squaring the result as we go
for (i = 0; i < window; i++, bits--) {
if (!BN_mod_mul_montgomery(&tmp, &tmp, &tmp, mont, ctx)) {
goto err;
@@ -1152,19 +1147,19 @@
wvalue = (wvalue << 1) + BN_is_bit_set(p, bits);
}
- /* Fetch the appropriate pre-computed value from the pre-buf */
+ // Fetch the appropriate pre-computed value from the pre-buf
if (!copy_from_prebuf(&am, top, powerbuf, wvalue, window)) {
goto err;
}
- /* Multiply the result into the intermediate result */
+ // Multiply the result into the intermediate result
if (!BN_mod_mul_montgomery(&tmp, &tmp, &am, mont, ctx)) {
goto err;
}
}
}
- /* Convert the final result from montgomery to standard format */
+ // Convert the final result from montgomery to standard format
if (!BN_from_montgomery(rr, &tmp, mont, ctx)) {
goto err;
}
@@ -1212,7 +1207,7 @@
int ret = 0;
BN_MONT_CTX *new_mont = NULL;
- /* Allocate a montgomery context if it was not supplied by the caller. */
+ // Allocate a montgomery context if it was not supplied by the caller.
if (mont == NULL) {
new_mont = BN_MONT_CTX_new();
if (new_mont == NULL || !BN_MONT_CTX_set(new_mont, m, ctx)) {
@@ -1221,9 +1216,9 @@
mont = new_mont;
}
- /* BN_mod_mul_montgomery removes one Montgomery factor, so passing one
- * Montgomery-encoded and one non-Montgomery-encoded value gives a
- * non-Montgomery-encoded result. */
+ // BN_mod_mul_montgomery removes one Montgomery factor, so passing one
+ // Montgomery-encoded and one non-Montgomery-encoded value gives a
+ // non-Montgomery-encoded result.
if (!BN_mod_exp_mont(rr, a1, p1, m, ctx, mont) ||
!BN_mod_exp_mont(&tmp, a2, p2, m, ctx, mont) ||
!BN_to_montgomery(rr, rr, mont, ctx) ||
diff --git a/crypto/fipsmodule/bn/gcd.c b/crypto/fipsmodule/bn/gcd.c
index 7c20b8e..850d446 100644
--- a/crypto/fipsmodule/bn/gcd.c
+++ b/crypto/fipsmodule/bn/gcd.c
@@ -118,9 +118,9 @@
BIGNUM *t;
int shifts = 0;
- /* 0 <= b <= a */
+ // 0 <= b <= a
while (!BN_is_zero(b)) {
- /* 0 < b <= a */
+ // 0 < b <= a
if (BN_is_odd(a)) {
if (BN_is_odd(b)) {
@@ -136,7 +136,7 @@
b = t;
}
} else {
- /* a odd - b even */
+ // a odd - b even
if (!BN_rshift1(b, b)) {
goto err;
}
@@ -147,7 +147,7 @@
}
}
} else {
- /* a is even */
+ // a is even
if (BN_is_odd(b)) {
if (!BN_rshift1(a, a)) {
goto err;
@@ -158,7 +158,7 @@
b = t;
}
} else {
- /* a even - b even */
+ // a even - b even
if (!BN_rshift1(a, a)) {
goto err;
}
@@ -168,7 +168,7 @@
shifts++;
}
}
- /* 0 <= b <= a */
+ // 0 <= b <= a
}
if (shifts) {
@@ -224,7 +224,7 @@
return ret;
}
-/* solves ax == 1 (mod n) */
+// solves ax == 1 (mod n)
static int bn_mod_inverse_general(BIGNUM *out, int *out_no_inverse,
const BIGNUM *a, const BIGNUM *n,
BN_CTX *ctx);
@@ -264,30 +264,29 @@
}
A->neg = 0;
sign = -1;
- /* From B = a mod |n|, A = |n| it follows that
- *
- * 0 <= B < A,
- * -sign*X*a == B (mod |n|),
- * sign*Y*a == A (mod |n|).
- */
+ // From B = a mod |n|, A = |n| it follows that
+ //
+ // 0 <= B < A,
+ // -sign*X*a == B (mod |n|),
+ // sign*Y*a == A (mod |n|).
- /* Binary inversion algorithm; requires odd modulus. This is faster than the
- * general algorithm if the modulus is sufficiently small (about 400 .. 500
- * bits on 32-bit systems, but much more on 64-bit systems) */
+ // Binary inversion algorithm; requires odd modulus. This is faster than the
+ // general algorithm if the modulus is sufficiently small (about 400 .. 500
+ // bits on 32-bit systems, but much more on 64-bit systems)
int shift;
while (!BN_is_zero(B)) {
- /* 0 < B < |n|,
- * 0 < A <= |n|,
- * (1) -sign*X*a == B (mod |n|),
- * (2) sign*Y*a == A (mod |n|) */
+ // 0 < B < |n|,
+ // 0 < A <= |n|,
+ // (1) -sign*X*a == B (mod |n|),
+ // (2) sign*Y*a == A (mod |n|)
- /* Now divide B by the maximum possible power of two in the integers,
- * and divide X by the same value mod |n|.
- * When we're done, (1) still holds. */
+ // Now divide B by the maximum possible power of two in the integers,
+ // and divide X by the same value mod |n|.
+ // When we're done, (1) still holds.
shift = 0;
while (!BN_is_bit_set(B, shift)) {
- /* note that 0 < B */
+ // note that 0 < B
shift++;
if (BN_is_odd(X)) {
@@ -295,7 +294,7 @@
goto err;
}
}
- /* now X is even, so we can easily divide it by two */
+ // now X is even, so we can easily divide it by two
if (!BN_rshift1(X, X)) {
goto err;
}
@@ -306,10 +305,10 @@
}
}
- /* Same for A and Y. Afterwards, (2) still holds. */
+ // Same for A and Y. Afterwards, (2) still holds.
shift = 0;
while (!BN_is_bit_set(A, shift)) {
- /* note that 0 < A */
+ // note that 0 < A
shift++;
if (BN_is_odd(Y)) {
@@ -317,7 +316,7 @@
goto err;
}
}
- /* now Y is even */
+ // now Y is even
if (!BN_rshift1(Y, Y)) {
goto err;
}
@@ -328,32 +327,32 @@
}
}
- /* We still have (1) and (2).
- * Both A and B are odd.
- * The following computations ensure that
- *
- * 0 <= B < |n|,
- * 0 < A < |n|,
- * (1) -sign*X*a == B (mod |n|),
- * (2) sign*Y*a == A (mod |n|),
- *
- * and that either A or B is even in the next iteration. */
+ // We still have (1) and (2).
+ // Both A and B are odd.
+ // The following computations ensure that
+ //
+ // 0 <= B < |n|,
+ // 0 < A < |n|,
+ // (1) -sign*X*a == B (mod |n|),
+ // (2) sign*Y*a == A (mod |n|),
+ //
+ // and that either A or B is even in the next iteration.
if (BN_ucmp(B, A) >= 0) {
- /* -sign*(X + Y)*a == B - A (mod |n|) */
+ // -sign*(X + Y)*a == B - A (mod |n|)
if (!BN_uadd(X, X, Y)) {
goto err;
}
- /* NB: we could use BN_mod_add_quick(X, X, Y, n), but that
- * actually makes the algorithm slower */
+ // NB: we could use BN_mod_add_quick(X, X, Y, n), but that
+ // actually makes the algorithm slower
if (!BN_usub(B, B, A)) {
goto err;
}
} else {
- /* sign*(X + Y)*a == A - B (mod |n|) */
+ // sign*(X + Y)*a == A - B (mod |n|)
if (!BN_uadd(Y, Y, X)) {
goto err;
}
- /* as above, BN_mod_add_quick(Y, Y, X, n) would slow things down */
+ // as above, BN_mod_add_quick(Y, Y, X, n) would slow things down
if (!BN_usub(A, A, B)) {
goto err;
}
@@ -366,20 +365,20 @@
goto err;
}
- /* The while loop (Euclid's algorithm) ends when
- * A == gcd(a,n);
- * we have
- * sign*Y*a == A (mod |n|),
- * where Y is non-negative. */
+ // The while loop (Euclid's algorithm) ends when
+ // A == gcd(a,n);
+ // we have
+ // sign*Y*a == A (mod |n|),
+ // where Y is non-negative.
if (sign < 0) {
if (!BN_sub(Y, n, Y)) {
goto err;
}
}
- /* Now Y*a == A (mod |n|). */
+ // Now Y*a == A (mod |n|).
- /* Y*a == 1 (mod |n|) */
+ // Y*a == 1 (mod |n|)
if (!Y->neg && BN_ucmp(Y, n) < 0) {
if (!BN_copy(R, Y)) {
goto err;
@@ -470,11 +469,11 @@
return ret;
}
-/* bn_mod_inverse_general is the general inversion algorithm that works for
- * both even and odd |n|. It was specifically designed to contain fewer
- * branches that may leak sensitive information; see "New Branch Prediction
- * Vulnerabilities in OpenSSL and Necessary Software Countermeasures" by
- * Onur Acıçmez, Shay Gueron, and Jean-Pierre Seifert. */
+// bn_mod_inverse_general is the general inversion algorithm that works for
+// both even and odd |n|. It was specifically designed to contain fewer
+// branches that may leak sensitive information; see "New Branch Prediction
+// Vulnerabilities in OpenSSL and Necessary Software Countermeasures" by
+// Onur Acıçmez, Shay Gueron, and Jean-Pierre Seifert.
static int bn_mod_inverse_general(BIGNUM *out, int *out_no_inverse,
const BIGNUM *a, const BIGNUM *n,
BN_CTX *ctx) {
@@ -505,58 +504,53 @@
A->neg = 0;
sign = -1;
- /* From B = a mod |n|, A = |n| it follows that
- *
- * 0 <= B < A,
- * -sign*X*a == B (mod |n|),
- * sign*Y*a == A (mod |n|).
- */
+ // From B = a mod |n|, A = |n| it follows that
+ //
+ // 0 <= B < A,
+ // -sign*X*a == B (mod |n|),
+ // sign*Y*a == A (mod |n|).
while (!BN_is_zero(B)) {
BIGNUM *tmp;
- /*
- * 0 < B < A,
- * (*) -sign*X*a == B (mod |n|),
- * sign*Y*a == A (mod |n|)
- */
+ // 0 < B < A,
+ // (*) -sign*X*a == B (mod |n|),
+ // sign*Y*a == A (mod |n|)
- /* (D, M) := (A/B, A%B) ... */
+ // (D, M) := (A/B, A%B) ...
if (!BN_div(D, M, A, B, ctx)) {
goto err;
}
- /* Now
- * A = D*B + M;
- * thus we have
- * (**) sign*Y*a == D*B + M (mod |n|).
- */
+ // Now
+ // A = D*B + M;
+ // thus we have
+ // (**) sign*Y*a == D*B + M (mod |n|).
- tmp = A; /* keep the BIGNUM object, the value does not matter */
+ tmp = A; // keep the BIGNUM object, the value does not matter
- /* (A, B) := (B, A mod B) ... */
+ // (A, B) := (B, A mod B) ...
A = B;
B = M;
- /* ... so we have 0 <= B < A again */
+ // ... so we have 0 <= B < A again
- /* Since the former M is now B and the former B is now A,
- * (**) translates into
- * sign*Y*a == D*A + B (mod |n|),
- * i.e.
- * sign*Y*a - D*A == B (mod |n|).
- * Similarly, (*) translates into
- * -sign*X*a == A (mod |n|).
- *
- * Thus,
- * sign*Y*a + D*sign*X*a == B (mod |n|),
- * i.e.
- * sign*(Y + D*X)*a == B (mod |n|).
- *
- * So if we set (X, Y, sign) := (Y + D*X, X, -sign), we arrive back at
- * -sign*X*a == B (mod |n|),
- * sign*Y*a == A (mod |n|).
- * Note that X and Y stay non-negative all the time.
- */
+ // Since the former M is now B and the former B is now A,
+ // (**) translates into
+ // sign*Y*a == D*A + B (mod |n|),
+ // i.e.
+ // sign*Y*a - D*A == B (mod |n|).
+ // Similarly, (*) translates into
+ // -sign*X*a == A (mod |n|).
+ //
+ // Thus,
+ // sign*Y*a + D*sign*X*a == B (mod |n|),
+ // i.e.
+ // sign*(Y + D*X)*a == B (mod |n|).
+ //
+ // So if we set (X, Y, sign) := (Y + D*X, X, -sign), we arrive back at
+ // -sign*X*a == B (mod |n|),
+ // sign*Y*a == A (mod |n|).
+ // Note that X and Y stay non-negative all the time.
if (!BN_mul(tmp, D, X, ctx)) {
goto err;
@@ -565,7 +559,7 @@
goto err;
}
- M = Y; /* keep the BIGNUM object, the value does not matter */
+ M = Y; // keep the BIGNUM object, the value does not matter
Y = X;
X = tmp;
sign = -sign;
@@ -577,22 +571,20 @@
goto err;
}
- /*
- * The while loop (Euclid's algorithm) ends when
- * A == gcd(a,n);
- * we have
- * sign*Y*a == A (mod |n|),
- * where Y is non-negative.
- */
+ // The while loop (Euclid's algorithm) ends when
+ // A == gcd(a,n);
+ // we have
+ // sign*Y*a == A (mod |n|),
+ // where Y is non-negative.
if (sign < 0) {
if (!BN_sub(Y, n, Y)) {
goto err;
}
}
- /* Now Y*a == A (mod |n|). */
+ // Now Y*a == A (mod |n|).
- /* Y*a == 1 (mod |n|) */
+ // Y*a == 1 (mod |n|)
if (!Y->neg && BN_ucmp(Y, n) < 0) {
if (!BN_copy(R, Y)) {
goto err;
diff --git a/crypto/fipsmodule/bn/generic.c b/crypto/fipsmodule/bn/generic.c
index 3d98689..b70080f 100644
--- a/crypto/fipsmodule/bn/generic.c
+++ b/crypto/fipsmodule/bn/generic.c
@@ -61,8 +61,8 @@
#include "internal.h"
-/* This file has two other implementations: x86 assembly language in
- * asm/bn-586.pl and x86_64 inline assembly in asm/x86_64-gcc.c. */
+// This file has two other implementations: x86 assembly language in
+// asm/bn-586.pl and x86_64 inline assembly in asm/x86_64-gcc.c.
#if defined(OPENSSL_NO_ASM) || \
!(defined(OPENSSL_X86) || (defined(OPENSSL_X86_64) && defined(__GNUC__)))
@@ -122,7 +122,7 @@
BN_UMULT_LOHI(r0, r1, tmp, tmp); \
} while (0)
-#endif /* !BN_ULLONG */
+#endif // !BN_ULLONG
BN_ULONG bn_mul_add_words(BN_ULONG *rp, const BN_ULONG *ap, int num,
BN_ULONG w) {
@@ -242,7 +242,7 @@
return (BN_ULONG)ll;
}
-#else /* !BN_ULLONG */
+#else // !BN_ULLONG
BN_ULONG bn_add_words(BN_ULONG *r, const BN_ULONG *a, const BN_ULONG *b,
int n) {
@@ -299,7 +299,7 @@
return (BN_ULONG)c;
}
-#endif /* !BN_ULLONG */
+#endif // !BN_ULLONG
BN_ULONG bn_sub_words(BN_ULONG *r, const BN_ULONG *a, const BN_ULONG *b,
int n) {
@@ -356,15 +356,15 @@
return c;
}
-/* mul_add_c(a,b,c0,c1,c2) -- c+=a*b for three word number c=(c2,c1,c0) */
-/* mul_add_c2(a,b,c0,c1,c2) -- c+=2*a*b for three word number c=(c2,c1,c0) */
-/* sqr_add_c(a,i,c0,c1,c2) -- c+=a[i]^2 for three word number c=(c2,c1,c0) */
-/* sqr_add_c2(a,i,c0,c1,c2) -- c+=2*a[i]*a[j] for three word number c=(c2,c1,c0) */
+// mul_add_c(a,b,c0,c1,c2) -- c+=a*b for three word number c=(c2,c1,c0)
+// mul_add_c2(a,b,c0,c1,c2) -- c+=2*a*b for three word number c=(c2,c1,c0)
+// sqr_add_c(a,i,c0,c1,c2) -- c+=a[i]^2 for three word number c=(c2,c1,c0)
+// sqr_add_c2(a,i,c0,c1,c2) -- c+=2*a[i]*a[j] for three word number c=(c2,c1,c0)
#ifdef BN_ULLONG
-/* Keep in mind that additions to multiplication result can not overflow,
- * because its high half cannot be all-ones. */
+// Keep in mind that additions to multiplication result can not overflow,
+// because its high half cannot be all-ones.
#define mul_add_c(a, b, c0, c1, c2) \
do { \
BN_ULONG hi; \
@@ -415,8 +415,8 @@
#else
-/* Keep in mind that additions to hi can not overflow, because the high word of
- * a multiplication result cannot be all-ones. */
+// Keep in mind that additions to hi can not overflow, because the high word of
+// a multiplication result cannot be all-ones.
#define mul_add_c(a, b, c0, c1, c2) \
do { \
BN_ULONG ta = (a), tb = (b); \
@@ -456,7 +456,7 @@
#define sqr_add_c2(a, i, j, c0, c1, c2) mul_add_c2((a)[i], (a)[j], c0, c1, c2)
-#endif /* !BN_ULLONG */
+#endif // !BN_ULLONG
void bn_mul_comba8(BN_ULONG *r, BN_ULONG *a, BN_ULONG *b) {
BN_ULONG c1, c2, c3;
diff --git a/crypto/fipsmodule/bn/internal.h b/crypto/fipsmodule/bn/internal.h
index 092e759..ecd7d6c 100644
--- a/crypto/fipsmodule/bn/internal.h
+++ b/crypto/fipsmodule/bn/internal.h
@@ -141,7 +141,7 @@
#if defined(OPENSSL_64_BIT)
#if !defined(_MSC_VER)
-/* MSVC doesn't support two-word integers on 64-bit. */
+// MSVC doesn't support two-word integers on 64-bit.
#define BN_ULLONG uint128_t
#endif
@@ -168,11 +168,11 @@
#define BN_MASK2l (0xffffUL)
#define BN_MASK2h1 (0xffff8000UL)
#define BN_MASK2h (0xffff0000UL)
-/* On some 32-bit platforms, Montgomery multiplication is done using 64-bit
- * arithmetic with SIMD instructions. On such platforms, |BN_MONT_CTX::n0|
- * needs to be two words long. Only certain 32-bit platforms actually make use
- * of n0[1] and shorter R value would suffice for the others. However,
- * currently only the assembly files know which is which. */
+// On some 32-bit platforms, Montgomery multiplication is done using 64-bit
+// arithmetic with SIMD instructions. On such platforms, |BN_MONT_CTX::n0|
+// needs to be two words long. Only certain 32-bit platforms actually make use
+// of n0[1] and shorter R value would suffice for the others. However,
+// currently only the assembly files know which is which.
#define BN_MONT_CTX_N0_LIMBS 2
#define BN_TBIT (0x80000000UL)
#define BN_DEC_CONV (1000000000UL)
@@ -195,21 +195,21 @@
#define Hw(t) (((BN_ULONG)((t)>>BN_BITS2))&BN_MASK2)
#endif
-/* bn_correct_top decrements |bn->top| until |bn->d[top-1]| is non-zero or
- * until |top| is zero. If |bn| is zero, |bn->neg| is set to zero. */
+// bn_correct_top decrements |bn->top| until |bn->d[top-1]| is non-zero or
+// until |top| is zero. If |bn| is zero, |bn->neg| is set to zero.
void bn_correct_top(BIGNUM *bn);
-/* bn_wexpand ensures that |bn| has at least |words| works of space without
- * altering its value. It returns one on success or zero on allocation
- * failure. */
+// bn_wexpand ensures that |bn| has at least |words| works of space without
+// altering its value. It returns one on success or zero on allocation
+// failure.
int bn_wexpand(BIGNUM *bn, size_t words);
-/* bn_expand acts the same as |bn_wexpand|, but takes a number of bits rather
- * than a number of words. */
+// bn_expand acts the same as |bn_wexpand|, but takes a number of bits rather
+// than a number of words.
int bn_expand(BIGNUM *bn, size_t bits);
-/* bn_set_words sets |bn| to the value encoded in the |num| words in |words|,
- * least significant word first. */
+// bn_set_words sets |bn| to the value encoded in the |num| words in |words|,
+// least significant word first.
int bn_set_words(BIGNUM *bn, const BN_ULONG *words, size_t num);
BN_ULONG bn_mul_add_words(BN_ULONG *rp, const BN_ULONG *ap, int num, BN_ULONG w);
@@ -223,14 +223,14 @@
void bn_sqr_comba8(BN_ULONG *r, const BN_ULONG *a);
void bn_sqr_comba4(BN_ULONG *r, const BN_ULONG *a);
-/* bn_cmp_words returns a value less than, equal to or greater than zero if
- * the, length |n|, array |a| is less than, equal to or greater than |b|. */
+// bn_cmp_words returns a value less than, equal to or greater than zero if
+// the, length |n|, array |a| is less than, equal to or greater than |b|.
int bn_cmp_words(const BN_ULONG *a, const BN_ULONG *b, int n);
-/* bn_cmp_words returns a value less than, equal to or greater than zero if the
- * array |a| is less than, equal to or greater than |b|. The arrays can be of
- * different lengths: |cl| gives the minimum of the two lengths and |dl| gives
- * the length of |a| minus the length of |b|. */
+// bn_cmp_words returns a value less than, equal to or greater than zero if the
+// array |a| is less than, equal to or greater than |b|. The arrays can be of
+// different lengths: |cl| gives the minimum of the two lengths and |dl| gives
+// the length of |a| minus the length of |b|.
int bn_cmp_part_words(const BN_ULONG *a, const BN_ULONG *b, int cl, int dl);
int bn_mul_mont(BN_ULONG *rp, const BN_ULONG *ap, const BN_ULONG *bp,
@@ -247,25 +247,25 @@
#error "Either BN_ULLONG or BN_UMULT_LOHI must be defined on every platform."
#endif
-/* bn_mod_inverse_prime sets |out| to the modular inverse of |a| modulo |p|,
- * computed with Fermat's Little Theorem. It returns one on success and zero on
- * error. If |mont_p| is NULL, one will be computed temporarily. */
+// bn_mod_inverse_prime sets |out| to the modular inverse of |a| modulo |p|,
+// computed with Fermat's Little Theorem. It returns one on success and zero on
+// error. If |mont_p| is NULL, one will be computed temporarily.
int bn_mod_inverse_prime(BIGNUM *out, const BIGNUM *a, const BIGNUM *p,
BN_CTX *ctx, const BN_MONT_CTX *mont_p);
-/* bn_mod_inverse_secret_prime behaves like |bn_mod_inverse_prime| but uses
- * |BN_mod_exp_mont_consttime| instead of |BN_mod_exp_mont| in hopes of
- * protecting the exponent. */
+// bn_mod_inverse_secret_prime behaves like |bn_mod_inverse_prime| but uses
+// |BN_mod_exp_mont_consttime| instead of |BN_mod_exp_mont| in hopes of
+// protecting the exponent.
int bn_mod_inverse_secret_prime(BIGNUM *out, const BIGNUM *a, const BIGNUM *p,
BN_CTX *ctx, const BN_MONT_CTX *mont_p);
-/* bn_jacobi returns the Jacobi symbol of |a| and |b| (which is -1, 0 or 1), or
- * -2 on error. */
+// bn_jacobi returns the Jacobi symbol of |a| and |b| (which is -1, 0 or 1), or
+// -2 on error.
int bn_jacobi(const BIGNUM *a, const BIGNUM *b, BN_CTX *ctx);
#if defined(__cplusplus)
-} /* extern C */
+} // extern C
#endif
-#endif /* OPENSSL_HEADER_BN_INTERNAL_H */
+#endif // OPENSSL_HEADER_BN_INTERNAL_H
diff --git a/crypto/fipsmodule/bn/jacobi.c b/crypto/fipsmodule/bn/jacobi.c
index 93e8fd9..9c909bb 100644
--- a/crypto/fipsmodule/bn/jacobi.c
+++ b/crypto/fipsmodule/bn/jacobi.c
@@ -57,24 +57,24 @@
#include "internal.h"
-/* least significant word */
+// least significant word
#define BN_lsw(n) (((n)->top == 0) ? (BN_ULONG) 0 : (n)->d[0])
int bn_jacobi(const BIGNUM *a, const BIGNUM *b, BN_CTX *ctx) {
- /* In 'tab', only odd-indexed entries are relevant:
- * For any odd BIGNUM n,
- * tab[BN_lsw(n) & 7]
- * is $(-1)^{(n^2-1)/8}$ (using TeX notation).
- * Note that the sign of n does not matter. */
+ // In 'tab', only odd-indexed entries are relevant:
+ // For any odd BIGNUM n,
+ // tab[BN_lsw(n) & 7]
+ // is $(-1)^{(n^2-1)/8}$ (using TeX notation).
+ // Note that the sign of n does not matter.
static const int tab[8] = {0, 1, 0, -1, 0, -1, 0, 1};
- /* The Jacobi symbol is only defined for odd modulus. */
+ // The Jacobi symbol is only defined for odd modulus.
if (!BN_is_odd(b)) {
OPENSSL_PUT_ERROR(BN, BN_R_CALLED_WITH_EVEN_MODULUS);
return -2;
}
- /* Require b be positive. */
+ // Require b be positive.
if (BN_is_negative(b)) {
OPENSSL_PUT_ERROR(BN, BN_R_NEGATIVE_NUMBER);
return -2;
@@ -93,22 +93,22 @@
goto end;
}
- /* Adapted from logic to compute the Kronecker symbol, originally implemented
- * according to Henri Cohen, "A Course in Computational Algebraic Number
- * Theory" (algorithm 1.4.10). */
+ // Adapted from logic to compute the Kronecker symbol, originally implemented
+ // according to Henri Cohen, "A Course in Computational Algebraic Number
+ // Theory" (algorithm 1.4.10).
ret = 1;
while (1) {
- /* Cohen's step 3: */
+ // Cohen's step 3:
- /* B is positive and odd */
+ // B is positive and odd
if (BN_is_zero(A)) {
ret = BN_is_one(B) ? ret : 0;
goto end;
}
- /* now A is non-zero */
+ // now A is non-zero
int i = 0;
while (!BN_is_bit_set(A, i)) {
i++;
@@ -118,18 +118,18 @@
goto end;
}
if (i & 1) {
- /* i is odd */
- /* multiply 'ret' by $(-1)^{(B^2-1)/8}$ */
+ // i is odd
+ // multiply 'ret' by $(-1)^{(B^2-1)/8}$
ret = ret * tab[BN_lsw(B) & 7];
}
- /* Cohen's step 4: */
- /* multiply 'ret' by $(-1)^{(A-1)(B-1)/4}$ */
+ // Cohen's step 4:
+ // multiply 'ret' by $(-1)^{(A-1)(B-1)/4}$
if ((A->neg ? ~BN_lsw(A) : BN_lsw(A)) & BN_lsw(B) & 2) {
ret = -ret;
}
- /* (A, B) := (B mod |A|, |A|) */
+ // (A, B) := (B mod |A|, |A|)
if (!BN_nnmod(B, B, A, ctx)) {
ret = -2;
goto end;
diff --git a/crypto/fipsmodule/bn/montgomery.c b/crypto/fipsmodule/bn/montgomery.c
index d70509f..8024e27 100644
--- a/crypto/fipsmodule/bn/montgomery.c
+++ b/crypto/fipsmodule/bn/montgomery.c
@@ -187,18 +187,18 @@
return 0;
}
- /* Save the modulus. */
+ // Save the modulus.
if (!BN_copy(&mont->N, mod)) {
OPENSSL_PUT_ERROR(BN, ERR_R_INTERNAL_ERROR);
return 0;
}
- /* Find n0 such that n0 * N == -1 (mod r).
- *
- * Only certain BN_BITS2<=32 platforms actually make use of n0[1]. For the
- * others, we could use a shorter R value and use faster |BN_ULONG|-based
- * math instead of |uint64_t|-based math, which would be double-precision.
- * However, currently only the assembler files know which is which. */
+ // Find n0 such that n0 * N == -1 (mod r).
+ //
+ // Only certain BN_BITS2<=32 platforms actually make use of n0[1]. For the
+ // others, we could use a shorter R value and use faster |BN_ULONG|-based
+ // math instead of |uint64_t|-based math, which would be double-precision.
+ // However, currently only the assembler files know which is which.
uint64_t n0 = bn_mont_n0(mod);
mont->n0[0] = (BN_ULONG)n0;
#if BN_MONT_CTX_N0_LIMBS == 2
@@ -207,14 +207,14 @@
mont->n0[1] = 0;
#endif
- /* Save RR = R**2 (mod N). R is the smallest power of 2**BN_BITS such that R
- * > mod. Even though the assembly on some 32-bit platforms works with 64-bit
- * values, using |BN_BITS2| here, rather than |BN_MONT_CTX_N0_LIMBS *
- * BN_BITS2|, is correct because R**2 will still be a multiple of the latter
- * as |BN_MONT_CTX_N0_LIMBS| is either one or two.
- *
- * XXX: This is not constant time with respect to |mont->N|, but it should
- * be. */
+ // Save RR = R**2 (mod N). R is the smallest power of 2**BN_BITS such that R
+ // > mod. Even though the assembly on some 32-bit platforms works with 64-bit
+ // values, using |BN_BITS2| here, rather than |BN_MONT_CTX_N0_LIMBS *
+ // BN_BITS2|, is correct because R**2 will still be a multiple of the latter
+ // as |BN_MONT_CTX_N0_LIMBS| is either one or two.
+ //
+ // XXX: This is not constant time with respect to |mont->N|, but it should
+ // be.
unsigned lgBigR = (BN_num_bits(mod) + (BN_BITS2 - 1)) / BN_BITS2 * BN_BITS2;
if (!bn_mod_exp_base_2_vartime(&mont->RR, lgBigR * 2, &mont->N)) {
return 0;
@@ -272,7 +272,7 @@
return 1;
}
- max = (2 * nl); /* carry is stored separately */
+ max = (2 * nl); // carry is stored separately
if (!bn_wexpand(r, max)) {
return 0;
}
@@ -281,7 +281,7 @@
np = n->d;
rp = r->d;
- /* clear the top words of T */
+ // clear the top words of T
if (max > r->top) {
OPENSSL_memset(&rp[r->top], 0, (max - r->top) * sizeof(BN_ULONG));
}
@@ -311,8 +311,8 @@
uintptr_t m;
v = bn_sub_words(rp, ap, np, nl) - carry;
- /* if subtraction result is real, then trick unconditional memcpy below to
- * perform in-place "refresh" instead of actual copy. */
+ // if subtraction result is real, then trick unconditional memcpy below to
+ // perform in-place "refresh" instead of actual copy.
m = (0u - (uintptr_t)v);
nrp = (BN_ULONG *)(((uintptr_t)rp & ~m) | ((uintptr_t)ap & m));
@@ -371,7 +371,7 @@
#else
int num = mont->N.top;
- /* |bn_mul_mont| requires at least 128 bits of limbs, at least for x86. */
+ // |bn_mul_mont| requires at least 128 bits of limbs, at least for x86.
if (num < (128 / BN_BITS2) ||
a->top != num ||
b->top != num) {
@@ -382,7 +382,7 @@
return 0;
}
if (!bn_mul_mont(r->d, a->d, b->d, mont->N.d, mont->n0, num)) {
- /* The check above ensures this won't happen. */
+ // The check above ensures this won't happen.
assert(0);
OPENSSL_PUT_ERROR(BN, ERR_R_INTERNAL_ERROR);
return 0;
@@ -417,7 +417,7 @@
}
}
- /* reduce from aRR to aR */
+ // reduce from aRR to aR
if (!BN_from_montgomery_word(r, tmp, mont)) {
goto err;
}
diff --git a/crypto/fipsmodule/bn/montgomery_inv.c b/crypto/fipsmodule/bn/montgomery_inv.c
index aa2574b..c3c788a 100644
--- a/crypto/fipsmodule/bn/montgomery_inv.c
+++ b/crypto/fipsmodule/bn/montgomery_inv.c
@@ -28,47 +28,47 @@
BN_MONT_CTX_N0_LIMBS * sizeof(BN_ULONG),
BN_MONT_CTX_N0_LIMBS_DOES_NOT_MATCH_UINT64_T);
-/* LG_LITTLE_R is log_2(r). */
+// LG_LITTLE_R is log_2(r).
#define LG_LITTLE_R (BN_MONT_CTX_N0_LIMBS * BN_BITS2)
uint64_t bn_mont_n0(const BIGNUM *n) {
- /* These conditions are checked by the caller, |BN_MONT_CTX_set|. */
+ // These conditions are checked by the caller, |BN_MONT_CTX_set|.
assert(!BN_is_zero(n));
assert(!BN_is_negative(n));
assert(BN_is_odd(n));
- /* r == 2**(BN_MONT_CTX_N0_LIMBS * BN_BITS2) and LG_LITTLE_R == lg(r). This
- * ensures that we can do integer division by |r| by simply ignoring
- * |BN_MONT_CTX_N0_LIMBS| limbs. Similarly, we can calculate values modulo
- * |r| by just looking at the lowest |BN_MONT_CTX_N0_LIMBS| limbs. This is
- * what makes Montgomery multiplication efficient.
- *
- * As shown in Algorithm 1 of "Fast Prime Field Elliptic Curve Cryptography
- * with 256 Bit Primes" by Shay Gueron and Vlad Krasnov, in the loop of a
- * multi-limb Montgomery multiplication of |a * b (mod n)|, given the
- * unreduced product |t == a * b|, we repeatedly calculate:
- *
- * t1 := t % r |t1| is |t|'s lowest limb (see previous paragraph).
- * t2 := t1*n0*n
- * t3 := t + t2
- * t := t3 / r copy all limbs of |t3| except the lowest to |t|.
- *
- * In the last step, it would only make sense to ignore the lowest limb of
- * |t3| if it were zero. The middle steps ensure that this is the case:
- *
- * t3 == 0 (mod r)
- * t + t2 == 0 (mod r)
- * t + t1*n0*n == 0 (mod r)
- * t1*n0*n == -t (mod r)
- * t*n0*n == -t (mod r)
- * n0*n == -1 (mod r)
- * n0 == -1/n (mod r)
- *
- * Thus, in each iteration of the loop, we multiply by the constant factor
- * |n0|, the negative inverse of n (mod r). */
+ // r == 2**(BN_MONT_CTX_N0_LIMBS * BN_BITS2) and LG_LITTLE_R == lg(r). This
+ // ensures that we can do integer division by |r| by simply ignoring
+ // |BN_MONT_CTX_N0_LIMBS| limbs. Similarly, we can calculate values modulo
+ // |r| by just looking at the lowest |BN_MONT_CTX_N0_LIMBS| limbs. This is
+ // what makes Montgomery multiplication efficient.
+ //
+ // As shown in Algorithm 1 of "Fast Prime Field Elliptic Curve Cryptography
+ // with 256 Bit Primes" by Shay Gueron and Vlad Krasnov, in the loop of a
+ // multi-limb Montgomery multiplication of |a * b (mod n)|, given the
+ // unreduced product |t == a * b|, we repeatedly calculate:
+ //
+ // t1 := t % r |t1| is |t|'s lowest limb (see previous paragraph).
+ // t2 := t1*n0*n
+ // t3 := t + t2
+ // t := t3 / r copy all limbs of |t3| except the lowest to |t|.
+ //
+ // In the last step, it would only make sense to ignore the lowest limb of
+ // |t3| if it were zero. The middle steps ensure that this is the case:
+ //
+ // t3 == 0 (mod r)
+ // t + t2 == 0 (mod r)
+ // t + t1*n0*n == 0 (mod r)
+ // t1*n0*n == -t (mod r)
+ // t*n0*n == -t (mod r)
+ // n0*n == -1 (mod r)
+ // n0 == -1/n (mod r)
+ //
+ // Thus, in each iteration of the loop, we multiply by the constant factor
+ // |n0|, the negative inverse of n (mod r).
- /* n_mod_r = n % r. As explained above, this is done by taking the lowest
- * |BN_MONT_CTX_N0_LIMBS| limbs of |n|. */
+ // n_mod_r = n % r. As explained above, this is done by taking the lowest
+ // |BN_MONT_CTX_N0_LIMBS| limbs of |n|.
uint64_t n_mod_r = n->d[0];
#if BN_MONT_CTX_N0_LIMBS == 2
if (n->top > 1) {
@@ -79,32 +79,32 @@
return bn_neg_inv_mod_r_u64(n_mod_r);
}
-/* bn_neg_inv_r_mod_n_u64 calculates the -1/n mod r; i.e. it calculates |v|
- * such that u*r - v*n == 1. |r| is the constant defined in |bn_mont_n0|. |n|
- * must be odd.
- *
- * This is derived from |xbinGCD| in Henry S. Warren, Jr.'s "Montgomery
- * Multiplication" (http://www.hackersdelight.org/MontgomeryMultiplication.pdf).
- * It is very similar to the MODULAR-INVERSE function in Stephen R. Dussé's and
- * Burton S. Kaliski Jr.'s "A Cryptographic Library for the Motorola DSP56000"
- * (http://link.springer.com/chapter/10.1007%2F3-540-46877-3_21).
- *
- * This is inspired by Joppe W. Bos's "Constant Time Modular Inversion"
- * (http://www.joppebos.com/files/CTInversion.pdf) so that the inversion is
- * constant-time with respect to |n|. We assume uint64_t additions,
- * subtractions, shifts, and bitwise operations are all constant time, which
- * may be a large leap of faith on 32-bit targets. We avoid division and
- * multiplication, which tend to be the most problematic in terms of timing
- * leaks.
- *
- * Most GCD implementations return values such that |u*r + v*n == 1|, so the
- * caller would have to negate the resultant |v| for the purpose of Montgomery
- * multiplication. This implementation does the negation implicitly by doing
- * the computations as a difference instead of a sum. */
+// bn_neg_inv_r_mod_n_u64 calculates the -1/n mod r; i.e. it calculates |v|
+// such that u*r - v*n == 1. |r| is the constant defined in |bn_mont_n0|. |n|
+// must be odd.
+//
+// This is derived from |xbinGCD| in Henry S. Warren, Jr.'s "Montgomery
+// Multiplication" (http://www.hackersdelight.org/MontgomeryMultiplication.pdf).
+// It is very similar to the MODULAR-INVERSE function in Stephen R. Dussé's and
+// Burton S. Kaliski Jr.'s "A Cryptographic Library for the Motorola DSP56000"
+// (http://link.springer.com/chapter/10.1007%2F3-540-46877-3_21).
+//
+// This is inspired by Joppe W. Bos's "Constant Time Modular Inversion"
+// (http://www.joppebos.com/files/CTInversion.pdf) so that the inversion is
+// constant-time with respect to |n|. We assume uint64_t additions,
+// subtractions, shifts, and bitwise operations are all constant time, which
+// may be a large leap of faith on 32-bit targets. We avoid division and
+// multiplication, which tend to be the most problematic in terms of timing
+// leaks.
+//
+// Most GCD implementations return values such that |u*r + v*n == 1|, so the
+// caller would have to negate the resultant |v| for the purpose of Montgomery
+// multiplication. This implementation does the negation implicitly by doing
+// the computations as a difference instead of a sum.
static uint64_t bn_neg_inv_mod_r_u64(uint64_t n) {
assert(n % 2 == 1);
- /* alpha == 2**(lg r - 1) == r / 2. */
+ // alpha == 2**(lg r - 1) == r / 2.
static const uint64_t alpha = UINT64_C(1) << (LG_LITTLE_R - 1);
const uint64_t beta = n;
@@ -112,46 +112,46 @@
uint64_t u = 1;
uint64_t v = 0;
- /* The invariant maintained from here on is:
- * 2**(lg r - i) == u*2*alpha - v*beta. */
+ // The invariant maintained from here on is:
+ // 2**(lg r - i) == u*2*alpha - v*beta.
for (size_t i = 0; i < LG_LITTLE_R; ++i) {
#if BN_BITS2 == 64 && defined(BN_ULLONG)
assert((BN_ULLONG)(1) << (LG_LITTLE_R - i) ==
((BN_ULLONG)u * 2 * alpha) - ((BN_ULLONG)v * beta));
#endif
- /* Delete a common factor of 2 in u and v if |u| is even. Otherwise, set
- * |u = (u + beta) / 2| and |v = (v / 2) + alpha|. */
+ // Delete a common factor of 2 in u and v if |u| is even. Otherwise, set
+ // |u = (u + beta) / 2| and |v = (v / 2) + alpha|.
- uint64_t u_is_odd = UINT64_C(0) - (u & 1); /* Either 0xff..ff or 0. */
+ uint64_t u_is_odd = UINT64_C(0) - (u & 1); // Either 0xff..ff or 0.
- /* The addition can overflow, so use Dietz's method for it.
- *
- * Dietz calculates (x+y)/2 by (x⊕y)>>1 + x&y. This is valid for all
- * (unsigned) x and y, even when x+y overflows. Evidence for 32-bit values
- * (embedded in 64 bits to so that overflow can be ignored):
- *
- * (declare-fun x () (_ BitVec 64))
- * (declare-fun y () (_ BitVec 64))
- * (assert (let (
- * (one (_ bv1 64))
- * (thirtyTwo (_ bv32 64)))
- * (and
- * (bvult x (bvshl one thirtyTwo))
- * (bvult y (bvshl one thirtyTwo))
- * (not (=
- * (bvadd (bvlshr (bvxor x y) one) (bvand x y))
- * (bvlshr (bvadd x y) one)))
- * )))
- * (check-sat) */
- uint64_t beta_if_u_is_odd = beta & u_is_odd; /* Either |beta| or 0. */
+ // The addition can overflow, so use Dietz's method for it.
+ //
+ // Dietz calculates (x+y)/2 by (x⊕y)>>1 + x&y. This is valid for all
+ // (unsigned) x and y, even when x+y overflows. Evidence for 32-bit values
+ // (embedded in 64 bits to so that overflow can be ignored):
+ //
+ // (declare-fun x () (_ BitVec 64))
+ // (declare-fun y () (_ BitVec 64))
+ // (assert (let (
+ // (one (_ bv1 64))
+ // (thirtyTwo (_ bv32 64)))
+ // (and
+ // (bvult x (bvshl one thirtyTwo))
+ // (bvult y (bvshl one thirtyTwo))
+ // (not (=
+ // (bvadd (bvlshr (bvxor x y) one) (bvand x y))
+ // (bvlshr (bvadd x y) one)))
+ // )))
+ // (check-sat)
+ uint64_t beta_if_u_is_odd = beta & u_is_odd; // Either |beta| or 0.
u = ((u ^ beta_if_u_is_odd) >> 1) + (u & beta_if_u_is_odd);
- uint64_t alpha_if_u_is_odd = alpha & u_is_odd; /* Either |alpha| or 0. */
+ uint64_t alpha_if_u_is_odd = alpha & u_is_odd; // Either |alpha| or 0.
v = (v >> 1) + alpha_if_u_is_odd;
}
- /* The invariant now shows that u*r - v*n == 1 since r == 2 * alpha. */
+ // The invariant now shows that u*r - v*n == 1 since r == 2 * alpha.
#if BN_BITS2 == 64 && defined(BN_ULLONG)
assert(1 == ((BN_ULLONG)u * 2 * alpha) - ((BN_ULLONG)v * beta));
#endif
@@ -159,9 +159,9 @@
return v;
}
-/* bn_mod_exp_base_2_vartime calculates r = 2**p (mod n). |p| must be larger
- * than log_2(n); i.e. 2**p must be larger than |n|. |n| must be positive and
- * odd. */
+// bn_mod_exp_base_2_vartime calculates r = 2**p (mod n). |p| must be larger
+// than log_2(n); i.e. 2**p must be larger than |n|. |n| must be positive and
+// odd.
int bn_mod_exp_base_2_vartime(BIGNUM *r, unsigned p, const BIGNUM *n) {
assert(!BN_is_zero(n));
assert(!BN_is_negative(n));
@@ -175,13 +175,13 @@
return 1;
}
- /* Set |r| to the smallest power of two larger than |n|. */
+ // Set |r| to the smallest power of two larger than |n|.
assert(p > n_bits);
if (!BN_set_bit(r, n_bits)) {
return 0;
}
- /* Unconditionally reduce |r|. */
+ // Unconditionally reduce |r|.
assert(BN_cmp(r, n) > 0);
if (!BN_usub(r, r, n)) {
return 0;
@@ -189,10 +189,10 @@
assert(BN_cmp(r, n) < 0);
for (unsigned i = n_bits; i < p; ++i) {
- /* This is like |BN_mod_lshift1_quick| except using |BN_usub|.
- *
- * TODO: Replace this with the use of a constant-time variant of
- * |BN_mod_lshift1_quick|. */
+ // This is like |BN_mod_lshift1_quick| except using |BN_usub|.
+ //
+ // TODO: Replace this with the use of a constant-time variant of
+ // |BN_mod_lshift1_quick|.
if (!BN_lshift1(r, r)) {
return 0;
}
diff --git a/crypto/fipsmodule/bn/mul.c b/crypto/fipsmodule/bn/mul.c
index 36a4060..7cc0e3c 100644
--- a/crypto/fipsmodule/bn/mul.c
+++ b/crypto/fipsmodule/bn/mul.c
@@ -113,15 +113,15 @@
}
#if !defined(OPENSSL_X86) || defined(OPENSSL_NO_ASM)
-/* Here follows specialised variants of bn_add_words() and bn_sub_words(). They
- * have the property performing operations on arrays of different sizes. The
- * sizes of those arrays is expressed through cl, which is the common length (
- * basicall, min(len(a),len(b)) ), and dl, which is the delta between the two
- * lengths, calculated as len(a)-len(b). All lengths are the number of
- * BN_ULONGs... For the operations that require a result array as parameter,
- * it must have the length cl+abs(dl). These functions should probably end up
- * in bn_asm.c as soon as there are assembler counterparts for the systems that
- * use assembler files. */
+// Here follows specialised variants of bn_add_words() and bn_sub_words(). They
+// have the property performing operations on arrays of different sizes. The
+// sizes of those arrays is expressed through cl, which is the common length (
+// basicall, min(len(a),len(b)) ), and dl, which is the delta between the two
+// lengths, calculated as len(a)-len(b). All lengths are the number of
+// BN_ULONGs... For the operations that require a result array as parameter,
+// it must have the length cl+abs(dl). These functions should probably end up
+// in bn_asm.c as soon as there are assembler counterparts for the systems that
+// use assembler files.
static BN_ULONG bn_sub_part_words(BN_ULONG *r, const BN_ULONG *a,
const BN_ULONG *b, int cl, int dl) {
@@ -274,25 +274,24 @@
return c;
}
#else
-/* On other platforms the function is defined in asm. */
+// On other platforms the function is defined in asm.
BN_ULONG bn_sub_part_words(BN_ULONG *r, const BN_ULONG *a, const BN_ULONG *b,
int cl, int dl);
#endif
-/* Karatsuba recursive multiplication algorithm
- * (cf. Knuth, The Art of Computer Programming, Vol. 2) */
+// Karatsuba recursive multiplication algorithm
+// (cf. Knuth, The Art of Computer Programming, Vol. 2)
-/* r is 2*n2 words in size,
- * a and b are both n2 words in size.
- * n2 must be a power of 2.
- * We multiply and return the result.
- * t must be 2*n2 words in size
- * We calculate
- * a[0]*b[0]
- * a[0]*b[0]+a[1]*b[1]+(a[0]-a[1])*(b[1]-b[0])
- * a[1]*b[1]
- */
-/* dnX may not be positive, but n2/2+dnX has to be */
+// r is 2*n2 words in size,
+// a and b are both n2 words in size.
+// n2 must be a power of 2.
+// We multiply and return the result.
+// t must be 2*n2 words in size
+// We calculate
+// a[0]*b[0]
+// a[0]*b[0]+a[1]*b[1]+(a[0]-a[1])*(b[1]-b[0])
+// a[1]*b[1]
+// dnX may not be positive, but n2/2+dnX has to be
static void bn_mul_recursive(BN_ULONG *r, BN_ULONG *a, BN_ULONG *b, int n2,
int dna, int dnb, BN_ULONG *t) {
int n = n2 / 2, c1, c2;
@@ -300,15 +299,14 @@
unsigned int neg, zero;
BN_ULONG ln, lo, *p;
- /* Only call bn_mul_comba 8 if n2 == 8 and the
- * two arrays are complete [steve]
- */
+ // Only call bn_mul_comba 8 if n2 == 8 and the
+ // two arrays are complete [steve]
if (n2 == 8 && dna == 0 && dnb == 0) {
bn_mul_comba8(r, a, b);
return;
}
- /* Else do normal multiply */
+ // Else do normal multiply
if (n2 < BN_MUL_RECURSIVE_SIZE_NORMAL) {
bn_mul_normal(r, a, n2 + dna, b, n2 + dnb);
if ((dna + dnb) < 0) {
@@ -318,21 +316,21 @@
return;
}
- /* r=(a[0]-a[1])*(b[1]-b[0]) */
+ // r=(a[0]-a[1])*(b[1]-b[0])
c1 = bn_cmp_part_words(a, &(a[n]), tna, n - tna);
c2 = bn_cmp_part_words(&(b[n]), b, tnb, tnb - n);
zero = neg = 0;
switch (c1 * 3 + c2) {
case -4:
- bn_sub_part_words(t, &(a[n]), a, tna, tna - n); /* - */
- bn_sub_part_words(&(t[n]), b, &(b[n]), tnb, n - tnb); /* - */
+ bn_sub_part_words(t, &(a[n]), a, tna, tna - n); // -
+ bn_sub_part_words(&(t[n]), b, &(b[n]), tnb, n - tnb); // -
break;
case -3:
zero = 1;
break;
case -2:
- bn_sub_part_words(t, &(a[n]), a, tna, tna - n); /* - */
- bn_sub_part_words(&(t[n]), &(b[n]), b, tnb, tnb - n); /* + */
+ bn_sub_part_words(t, &(a[n]), a, tna, tna - n); // -
+ bn_sub_part_words(&(t[n]), &(b[n]), b, tnb, tnb - n); // +
neg = 1;
break;
case -1:
@@ -341,8 +339,8 @@
zero = 1;
break;
case 2:
- bn_sub_part_words(t, a, &(a[n]), tna, n - tna); /* + */
- bn_sub_part_words(&(t[n]), b, &(b[n]), tnb, n - tnb); /* - */
+ bn_sub_part_words(t, a, &(a[n]), tna, n - tna); // +
+ bn_sub_part_words(&(t[n]), b, &(b[n]), tnb, n - tnb); // -
neg = 1;
break;
case 3:
@@ -355,7 +353,7 @@
}
if (n == 4 && dna == 0 && dnb == 0) {
- /* XXX: bn_mul_comba4 could take extra args to do this well */
+ // XXX: bn_mul_comba4 could take extra args to do this well
if (!zero) {
bn_mul_comba4(&(t[n2]), t, &(t[n]));
} else {
@@ -365,7 +363,7 @@
bn_mul_comba4(r, a, b);
bn_mul_comba4(&(r[n2]), &(a[n]), &(b[n]));
} else if (n == 8 && dna == 0 && dnb == 0) {
- /* XXX: bn_mul_comba8 could take extra args to do this well */
+ // XXX: bn_mul_comba8 could take extra args to do this well
if (!zero) {
bn_mul_comba8(&(t[n2]), t, &(t[n]));
} else {
@@ -385,24 +383,24 @@
bn_mul_recursive(&(r[n2]), &(a[n]), &(b[n]), n, dna, dnb, p);
}
- /* t[32] holds (a[0]-a[1])*(b[1]-b[0]), c1 is the sign
- * r[10] holds (a[0]*b[0])
- * r[32] holds (b[1]*b[1]) */
+ // t[32] holds (a[0]-a[1])*(b[1]-b[0]), c1 is the sign
+ // r[10] holds (a[0]*b[0])
+ // r[32] holds (b[1]*b[1])
c1 = (int)(bn_add_words(t, r, &(r[n2]), n2));
if (neg) {
- /* if t[32] is negative */
+ // if t[32] is negative
c1 -= (int)(bn_sub_words(&(t[n2]), t, &(t[n2]), n2));
} else {
- /* Might have a carry */
+ // Might have a carry
c1 += (int)(bn_add_words(&(t[n2]), &(t[n2]), t, n2));
}
- /* t[32] holds (a[0]-a[1])*(b[1]-b[0])+(a[0]*b[0])+(a[1]*b[1])
- * r[10] holds (a[0]*b[0])
- * r[32] holds (b[1]*b[1])
- * c1 holds the carry bits */
+ // t[32] holds (a[0]-a[1])*(b[1]-b[0])+(a[0]*b[0])+(a[1]*b[1])
+ // r[10] holds (a[0]*b[0])
+ // r[32] holds (b[1]*b[1])
+ // c1 holds the carry bits
c1 += (int)(bn_add_words(&(r[n]), &(r[n]), &(t[n2]), n2));
if (c1) {
p = &(r[n + n2]);
@@ -410,8 +408,8 @@
ln = (lo + c1) & BN_MASK2;
*p = ln;
- /* The overflow will stop before we over write
- * words we should not overwrite */
+ // The overflow will stop before we over write
+ // words we should not overwrite
if (ln < (BN_ULONG)c1) {
do {
p++;
@@ -423,9 +421,9 @@
}
}
-/* n+tn is the word length
- * t needs to be n*4 is size, as does r */
-/* tnX may not be negative but less than n */
+// n+tn is the word length
+// t needs to be n*4 is size, as does r
+// tnX may not be negative but less than n
static void bn_mul_part_recursive(BN_ULONG *r, BN_ULONG *a, BN_ULONG *b, int n,
int tna, int tnb, BN_ULONG *t) {
int i, j, n2 = n * 2;
@@ -437,33 +435,33 @@
return;
}
- /* r=(a[0]-a[1])*(b[1]-b[0]) */
+ // r=(a[0]-a[1])*(b[1]-b[0])
c1 = bn_cmp_part_words(a, &(a[n]), tna, n - tna);
c2 = bn_cmp_part_words(&(b[n]), b, tnb, tnb - n);
neg = 0;
switch (c1 * 3 + c2) {
case -4:
- bn_sub_part_words(t, &(a[n]), a, tna, tna - n); /* - */
- bn_sub_part_words(&(t[n]), b, &(b[n]), tnb, n - tnb); /* - */
+ bn_sub_part_words(t, &(a[n]), a, tna, tna - n); // -
+ bn_sub_part_words(&(t[n]), b, &(b[n]), tnb, n - tnb); // -
break;
case -3:
- /* break; */
+ // break;
case -2:
- bn_sub_part_words(t, &(a[n]), a, tna, tna - n); /* - */
- bn_sub_part_words(&(t[n]), &(b[n]), b, tnb, tnb - n); /* + */
+ bn_sub_part_words(t, &(a[n]), a, tna, tna - n); // -
+ bn_sub_part_words(&(t[n]), &(b[n]), b, tnb, tnb - n); // +
neg = 1;
break;
case -1:
case 0:
case 1:
- /* break; */
+ // break;
case 2:
- bn_sub_part_words(t, a, &(a[n]), tna, n - tna); /* + */
- bn_sub_part_words(&(t[n]), b, &(b[n]), tnb, n - tnb); /* - */
+ bn_sub_part_words(t, a, &(a[n]), tna, n - tna); // +
+ bn_sub_part_words(&(t[n]), b, &(b[n]), tnb, n - tnb); // -
neg = 1;
break;
case 3:
- /* break; */
+ // break;
case 4:
bn_sub_part_words(t, a, &(a[n]), tna, n - tna);
bn_sub_part_words(&(t[n]), &(b[n]), b, tnb, tnb - n);
@@ -480,8 +478,8 @@
bn_mul_recursive(&(t[n2]), t, &(t[n]), n, 0, 0, p);
bn_mul_recursive(r, a, b, n, 0, 0, p);
i = n / 2;
- /* If there is only a bottom half to the number,
- * just do it */
+ // If there is only a bottom half to the number,
+ // just do it
if (tna > tnb) {
j = tna - i;
} else {
@@ -492,12 +490,12 @@
bn_mul_recursive(&(r[n2]), &(a[n]), &(b[n]), i, tna - i, tnb - i, p);
OPENSSL_memset(&(r[n2 + i * 2]), 0, sizeof(BN_ULONG) * (n2 - i * 2));
} else if (j > 0) {
- /* eg, n == 16, i == 8 and tn == 11 */
+ // eg, n == 16, i == 8 and tn == 11
bn_mul_part_recursive(&(r[n2]), &(a[n]), &(b[n]), i, tna - i, tnb - i, p);
OPENSSL_memset(&(r[n2 + tna + tnb]), 0,
sizeof(BN_ULONG) * (n2 - tna - tnb));
} else {
- /* (j < 0) eg, n == 16, i == 8 and tn == 5 */
+ // (j < 0) eg, n == 16, i == 8 and tn == 5
OPENSSL_memset(&(r[n2]), 0, sizeof(BN_ULONG) * n2);
if (tna < BN_MUL_RECURSIVE_SIZE_NORMAL &&
tnb < BN_MUL_RECURSIVE_SIZE_NORMAL) {
@@ -505,9 +503,9 @@
} else {
for (;;) {
i /= 2;
- /* these simplified conditions work
- * exclusively because difference
- * between tna and tnb is 1 or 0 */
+ // these simplified conditions work
+ // exclusively because difference
+ // between tna and tnb is 1 or 0
if (i < tna || i < tnb) {
bn_mul_part_recursive(&(r[n2]), &(a[n]), &(b[n]), i, tna - i,
tnb - i, p);
@@ -522,25 +520,24 @@
}
}
- /* t[32] holds (a[0]-a[1])*(b[1]-b[0]), c1 is the sign
- * r[10] holds (a[0]*b[0])
- * r[32] holds (b[1]*b[1])
- */
+ // t[32] holds (a[0]-a[1])*(b[1]-b[0]), c1 is the sign
+ // r[10] holds (a[0]*b[0])
+ // r[32] holds (b[1]*b[1])
c1 = (int)(bn_add_words(t, r, &(r[n2]), n2));
if (neg) {
- /* if t[32] is negative */
+ // if t[32] is negative
c1 -= (int)(bn_sub_words(&(t[n2]), t, &(t[n2]), n2));
} else {
- /* Might have a carry */
+ // Might have a carry
c1 += (int)(bn_add_words(&(t[n2]), &(t[n2]), t, n2));
}
- /* t[32] holds (a[0]-a[1])*(b[1]-b[0])+(a[0]*b[0])+(a[1]*b[1])
- * r[10] holds (a[0]*b[0])
- * r[32] holds (b[1]*b[1])
- * c1 holds the carry bits */
+ // t[32] holds (a[0]-a[1])*(b[1]-b[0])+(a[0]*b[0])+(a[1]*b[1])
+ // r[10] holds (a[0]*b[0])
+ // r[32] holds (b[1]*b[1])
+ // c1 holds the carry bits
c1 += (int)(bn_add_words(&(r[n]), &(r[n]), &(t[n2]), n2));
if (c1) {
p = &(r[n + n2]);
@@ -548,8 +545,8 @@
ln = (lo + c1) & BN_MASK2;
*p = ln;
- /* The overflow will stop before we over write
- * words we should not overwrite */
+ // The overflow will stop before we over write
+ // words we should not overwrite
if (ln < (BN_ULONG)c1) {
do {
p++;
@@ -627,7 +624,7 @@
}
bn_mul_part_recursive(rr->d, a->d, b->d, j, al - j, bl - j, t->d);
} else {
- /* al <= j || bl <= j */
+ // al <= j || bl <= j
if (!bn_wexpand(t, k * 2)) {
goto err;
}
@@ -659,7 +656,7 @@
return ret;
}
-/* tmp must have 2*n words */
+// tmp must have 2*n words
static void bn_sqr_normal(BN_ULONG *r, const BN_ULONG *a, int n, BN_ULONG *tmp) {
int i, j, max;
const BN_ULONG *ap;
@@ -687,23 +684,22 @@
bn_add_words(r, r, r, max);
- /* There will not be a carry */
+ // There will not be a carry
bn_sqr_words(tmp, a, n);
bn_add_words(r, r, tmp, max);
}
-/* r is 2*n words in size,
- * a and b are both n words in size. (There's not actually a 'b' here ...)
- * n must be a power of 2.
- * We multiply and return the result.
- * t must be 2*n words in size
- * We calculate
- * a[0]*b[0]
- * a[0]*b[0]+a[1]*b[1]+(a[0]-a[1])*(b[1]-b[0])
- * a[1]*b[1]
- */
+// r is 2*n words in size,
+// a and b are both n words in size. (There's not actually a 'b' here ...)
+// n must be a power of 2.
+// We multiply and return the result.
+// t must be 2*n words in size
+// We calculate
+// a[0]*b[0]
+// a[0]*b[0]+a[1]*b[1]+(a[0]-a[1])*(b[1]-b[0])
+// a[1]*b[1]
static void bn_sqr_recursive(BN_ULONG *r, const BN_ULONG *a, int n2, BN_ULONG *t) {
int n = n2 / 2;
int zero, c1;
@@ -720,7 +716,7 @@
bn_sqr_normal(r, a, n2, t);
return;
}
- /* r=(a[0]-a[1])*(a[1]-a[0]) */
+ // r=(a[0]-a[1])*(a[1]-a[0])
c1 = bn_cmp_words(a, &(a[n]), n);
zero = 0;
if (c1 > 0) {
@@ -731,7 +727,7 @@
zero = 1;
}
- /* The result will always be negative unless it is zero */
+ // The result will always be negative unless it is zero
p = &(t[n2 * 2]);
if (!zero) {
@@ -742,19 +738,19 @@
bn_sqr_recursive(r, a, n, p);
bn_sqr_recursive(&(r[n2]), &(a[n]), n, p);
- /* t[32] holds (a[0]-a[1])*(a[1]-a[0]), it is negative or zero
- * r[10] holds (a[0]*b[0])
- * r[32] holds (b[1]*b[1]) */
+ // t[32] holds (a[0]-a[1])*(a[1]-a[0]), it is negative or zero
+ // r[10] holds (a[0]*b[0])
+ // r[32] holds (b[1]*b[1])
c1 = (int)(bn_add_words(t, r, &(r[n2]), n2));
- /* t[32] is negative */
+ // t[32] is negative
c1 -= (int)(bn_sub_words(&(t[n2]), t, &(t[n2]), n2));
- /* t[32] holds (a[0]-a[1])*(a[1]-a[0])+(a[0]*a[0])+(a[1]*a[1])
- * r[10] holds (a[0]*a[0])
- * r[32] holds (a[1]*a[1])
- * c1 holds the carry bits */
+ // t[32] holds (a[0]-a[1])*(a[1]-a[0])+(a[0]*a[0])+(a[1]*a[1])
+ // r[10] holds (a[0]*a[0])
+ // r[32] holds (a[1]*a[1])
+ // c1 holds the carry bits
c1 += (int)(bn_add_words(&(r[n]), &(r[n]), &(t[n2]), n2));
if (c1) {
p = &(r[n + n2]);
@@ -762,8 +758,8 @@
ln = (lo + c1) & BN_MASK2;
*p = ln;
- /* The overflow will stop before we over write
- * words we should not overwrite */
+ // The overflow will stop before we over write
+ // words we should not overwrite
if (ln < (BN_ULONG)c1) {
do {
p++;
@@ -818,7 +814,7 @@
goto err;
}
- max = 2 * al; /* Non-zero (from above) */
+ max = 2 * al; // Non-zero (from above)
if (!bn_wexpand(rr, max)) {
goto err;
}
@@ -852,8 +848,8 @@
}
rr->neg = 0;
- /* If the most-significant half of the top word of 'a' is zero, then
- * the square of 'a' will max-1 words. */
+ // If the most-significant half of the top word of 'a' is zero, then
+ // the square of 'a' will max-1 words.
if (a->d[al - 1] == (a->d[al - 1] & BN_MASK2l)) {
rr->top = max - 1;
} else {
diff --git a/crypto/fipsmodule/bn/prime.c b/crypto/fipsmodule/bn/prime.c
index 3e2e6f5..691d0cb 100644
--- a/crypto/fipsmodule/bn/prime.c
+++ b/crypto/fipsmodule/bn/prime.c
@@ -113,13 +113,13 @@
#include "internal.h"
-/* The quick sieve algorithm approach to weeding out primes is Philip
- * Zimmermann's, as implemented in PGP. I have had a read of his comments and
- * implemented my own version. */
+// The quick sieve algorithm approach to weeding out primes is Philip
+// Zimmermann's, as implemented in PGP. I have had a read of his comments and
+// implemented my own version.
#define NUMPRIMES 2048
-/* primes contains all the primes that fit into a uint16_t. */
+// primes contains all the primes that fit into a uint16_t.
static const uint16_t primes[NUMPRIMES] = {
2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31,
37, 41, 43, 47, 53, 59, 61, 67, 71, 73, 79,
@@ -310,12 +310,12 @@
17851, 17863,
};
-/* BN_prime_checks_for_size returns the number of Miller-Rabin iterations
- * necessary for a 'bits'-bit prime, in order to maintain an error rate greater
- * than the security level for an RSA prime of that many bits (calculated using
- * the FIPS SP 800-57 security level and 186-4 Section F.1; original paper:
- * Damgaard, Landrock, Pomerance: Average case error estimates for the strong
- * probable prime test. -- Math. Comp. 61 (1993) 177-194) */
+// BN_prime_checks_for_size returns the number of Miller-Rabin iterations
+// necessary for a 'bits'-bit prime, in order to maintain an error rate greater
+// than the security level for an RSA prime of that many bits (calculated using
+// the FIPS SP 800-57 security level and 186-4 Section F.1; original paper:
+// Damgaard, Landrock, Pomerance: Average case error estimates for the strong
+// probable prime test. -- Math. Comp. 61 (1993) 177-194)
static int BN_prime_checks_for_size(int bits) {
if (bits >= 3747) {
return 3;
@@ -371,11 +371,11 @@
int checks = BN_prime_checks_for_size(bits);
if (bits < 2) {
- /* There are no prime numbers this small. */
+ // There are no prime numbers this small.
OPENSSL_PUT_ERROR(BN, BN_R_BITS_TOO_SMALL);
return 0;
} else if (bits == 2 && safe) {
- /* The smallest safe prime (7) is three bits. */
+ // The smallest safe prime (7) is three bits.
OPENSSL_PUT_ERROR(BN, BN_R_BITS_TOO_SMALL);
return 0;
}
@@ -391,7 +391,7 @@
}
loop:
- /* make a random number and set the top and bottom bits */
+ // make a random number and set the top and bottom bits
if (add == NULL) {
if (!probable_prime(ret, bits)) {
goto err;
@@ -409,7 +409,7 @@
}
if (!BN_GENCB_call(cb, BN_GENCB_GENERATED, c1++)) {
- /* aborted */
+ // aborted
goto err;
}
@@ -421,8 +421,8 @@
goto loop;
}
} else {
- /* for "safe prime" generation, check that (p-1)/2 is prime. Since a prime
- * is odd, We just need to divide by 2 */
+ // for "safe prime" generation, check that (p-1)/2 is prime. Since a prime
+ // is odd, We just need to divide by 2
if (!BN_rshift1(t, ret)) {
goto err;
}
@@ -445,11 +445,11 @@
if (!BN_GENCB_call(cb, i, c1 - 1)) {
goto err;
}
- /* We have a safe prime test pass */
+ // We have a safe prime test pass
}
}
- /* we have a prime :-) */
+ // we have a prime :-)
found = 1;
err:
@@ -487,13 +487,13 @@
return 0;
}
- /* first look for small factors */
+ // first look for small factors
if (!BN_is_odd(a)) {
- /* a is even => a is prime if and only if a == 2 */
+ // a is even => a is prime if and only if a == 2
return BN_is_word(a, 2);
}
- /* Enhanced Miller-Rabin does not work for three. */
+ // Enhanced Miller-Rabin does not work for three.
if (BN_is_word(a, 3)) {
return 1;
}
@@ -539,7 +539,7 @@
int BN_enhanced_miller_rabin_primality_test(
enum bn_primality_result_t *out_result, const BIGNUM *w, int iterations,
BN_CTX *ctx, BN_GENCB *cb) {
- /* Enhanced Miller-Rabin is only valid on odd integers greater than 3. */
+ // Enhanced Miller-Rabin is only valid on odd integers greater than 3.
if (!BN_is_odd(w) || BN_cmp_word(w, 3) <= 0) {
OPENSSL_PUT_ERROR(BN, BN_R_INVALID_INPUT);
return 0;
@@ -561,7 +561,7 @@
goto err;
}
- /* Write w1 as m*2^a (Steps 1 and 2). */
+ // Write w1 as m*2^a (Steps 1 and 2).
int a = 0;
while (!BN_is_bit_set(w1, a)) {
a++;
@@ -585,22 +585,22 @@
goto err;
}
- /* Montgomery setup for computations mod A */
+ // Montgomery setup for computations mod A
mont = BN_MONT_CTX_new();
if (mont == NULL ||
!BN_MONT_CTX_set(mont, w, ctx)) {
goto err;
}
- /* The following loop performs in inner iteration of the Enhanced Miller-Rabin
- * Primality test (Step 4). */
+ // The following loop performs in inner iteration of the Enhanced Miller-Rabin
+ // Primality test (Step 4).
for (int i = 1; i <= iterations; i++) {
- /* Step 4.1-4.2 */
+ // Step 4.1-4.2
if (!BN_rand_range_ex(b, 2, w1)) {
goto err;
}
- /* Step 4.3-4.4 */
+ // Step 4.3-4.4
if (!BN_gcd(g, b, w, ctx)) {
goto err;
}
@@ -610,17 +610,17 @@
goto err;
}
- /* Step 4.5 */
+ // Step 4.5
if (!BN_mod_exp_mont(z, b, m, w, ctx, mont)) {
goto err;
}
- /* Step 4.6 */
+ // Step 4.6
if (BN_is_one(z) || BN_cmp(z, w1) == 0) {
goto loop;
}
- /* Step 4.7 */
+ // Step 4.7
for (int j = 1; j < a; j++) {
if (!BN_copy(x, z) || !BN_mod_mul(z, x, x, w, ctx)) {
goto err;
@@ -633,18 +633,18 @@
}
}
- /* Step 4.8-4.9 */
+ // Step 4.8-4.9
if (!BN_copy(x, z) || !BN_mod_mul(z, x, x, w, ctx)) {
goto err;
}
- /* Step 4.10-4.11 */
+ // Step 4.10-4.11
if (!BN_is_one(z) && !BN_copy(x, z)) {
goto err;
}
composite:
- /* Step 4.12-4.14 */
+ // Step 4.12-4.14
if (!BN_copy(x1, x) ||
!BN_sub_word(x1, 1) ||
!BN_gcd(g, x1, w, ctx)) {
@@ -660,7 +660,7 @@
goto err;
loop:
- /* Step 4.15 */
+ // Step 4.15
if (!BN_GENCB_call(cb, 1, i)) {
goto err;
}
@@ -688,7 +688,7 @@
return 0;
}
- /* we now have a random number 'rnd' to test. */
+ // we now have a random number 'rnd' to test.
for (i = 1; i < NUMPRIMES; i++) {
BN_ULONG mod = BN_mod_word(rnd, (BN_ULONG)primes[i]);
if (mod == (BN_ULONG)-1) {
@@ -696,12 +696,12 @@
}
mods[i] = (uint16_t)mod;
}
- /* If bits is so small that it fits into a single word then we
- * additionally don't want to exceed that many bits. */
+ // If bits is so small that it fits into a single word then we
+ // additionally don't want to exceed that many bits.
if (is_single_word) {
BN_ULONG size_limit;
if (bits == BN_BITS2) {
- /* Avoid undefined behavior. */
+ // Avoid undefined behavior.
size_limit = ~((BN_ULONG)0) - BN_get_word(rnd);
} else {
size_limit = (((BN_ULONG)1) << bits) - BN_get_word(rnd) - 1;
@@ -716,15 +716,15 @@
if (is_single_word) {
BN_ULONG rnd_word = BN_get_word(rnd);
- /* In the case that the candidate prime is a single word then
- * we check that:
- * 1) It's greater than primes[i] because we shouldn't reject
- * 3 as being a prime number because it's a multiple of
- * three.
- * 2) That it's not a multiple of a known prime. We don't
- * check that rnd-1 is also coprime to all the known
- * primes because there aren't many small primes where
- * that's true. */
+ // In the case that the candidate prime is a single word then
+ // we check that:
+ // 1) It's greater than primes[i] because we shouldn't reject
+ // 3 as being a prime number because it's a multiple of
+ // three.
+ // 2) That it's not a multiple of a known prime. We don't
+ // check that rnd-1 is also coprime to all the known
+ // primes because there aren't many small primes where
+ // that's true.
for (i = 1; i < NUMPRIMES && primes[i] < rnd_word; i++) {
if ((mods[i] + delta) % primes[i] == 0) {
delta += 2;
@@ -736,8 +736,8 @@
}
} else {
for (i = 1; i < NUMPRIMES; i++) {
- /* check that rnd is not a prime and also
- * that gcd(rnd-1,primes) == 1 (except for 2) */
+ // check that rnd is not a prime and also
+ // that gcd(rnd-1,primes) == 1 (except for 2)
if (((mods[i] + delta) % primes[i]) <= 1) {
delta += 2;
if (delta > maxdelta) {
@@ -772,7 +772,7 @@
goto err;
}
- /* we need ((rnd-rem) % add) == 0 */
+ // we need ((rnd-rem) % add) == 0
if (!BN_mod(t1, rnd, add, ctx)) {
goto err;
@@ -789,11 +789,11 @@
goto err;
}
}
- /* we now have a random number 'rand' to test. */
+ // we now have a random number 'rand' to test.
loop:
for (i = 1; i < NUMPRIMES; i++) {
- /* check that rnd is a prime */
+ // check that rnd is a prime
BN_ULONG mod = BN_mod_word(rnd, (BN_ULONG)primes[i]);
if (mod == (BN_ULONG)-1) {
goto err;
@@ -835,7 +835,7 @@
goto err;
}
- /* we need ((rnd-rem) % add) == 0 */
+ // we need ((rnd-rem) % add) == 0
if (!BN_mod(t1, q, qadd, ctx)) {
goto err;
}
@@ -857,7 +857,7 @@
}
}
- /* we now have a random number 'rand' to test. */
+ // we now have a random number 'rand' to test.
if (!BN_lshift1(p, q)) {
goto err;
}
@@ -867,9 +867,9 @@
loop:
for (i = 1; i < NUMPRIMES; i++) {
- /* check that p and q are prime */
- /* check that for p and q
- * gcd(p-1,primes) == 1 (except for 2) */
+ // check that p and q are prime
+ // check that for p and q
+ // gcd(p-1,primes) == 1 (except for 2)
BN_ULONG pmod = BN_mod_word(p, (BN_ULONG)primes[i]);
BN_ULONG qmod = BN_mod_word(q, (BN_ULONG)primes[i]);
if (pmod == (BN_ULONG)-1 || qmod == (BN_ULONG)-1) {
diff --git a/crypto/fipsmodule/bn/random.c b/crypto/fipsmodule/bn/random.c
index 8aa40cf..64e7605 100644
--- a/crypto/fipsmodule/bn/random.c
+++ b/crypto/fipsmodule/bn/random.c
@@ -158,7 +158,7 @@
goto err;
}
- /* Make a random number and set the top and bottom bits. */
+ // Make a random number and set the top and bottom bits.
RAND_bytes_with_additional_data(buf, bytes, additional_data);
if (top != BN_RAND_TOP_ANY) {
@@ -176,7 +176,7 @@
buf[0] &= ~mask;
- /* Set the bottom bit if requested, */
+ // Set the bottom bit if requested,
if (bottom == BN_RAND_BOTTOM_ODD) {
buf[bytes - 1] |= 1;
}
@@ -212,28 +212,28 @@
return 0;
}
- /* This function is used to implement steps 4 through 7 of FIPS 186-4
- * appendices B.4.2 and B.5.2. When called in those contexts, |max_exclusive|
- * is n and |min_inclusive| is one. */
+ // This function is used to implement steps 4 through 7 of FIPS 186-4
+ // appendices B.4.2 and B.5.2. When called in those contexts, |max_exclusive|
+ // is n and |min_inclusive| is one.
unsigned count = 100;
- unsigned n = BN_num_bits(max_exclusive); /* n > 0 */
+ unsigned n = BN_num_bits(max_exclusive); // n > 0
do {
if (!--count) {
OPENSSL_PUT_ERROR(BN, BN_R_TOO_MANY_ITERATIONS);
return 0;
}
- if (/* steps 4 and 5 */
+ if (// steps 4 and 5
!bn_rand_with_additional_data(r, n, BN_RAND_TOP_ANY, BN_RAND_BOTTOM_ANY,
additional_data) ||
- /* step 7 */
+ // step 7
!BN_add_word(r, min_inclusive)) {
return 0;
}
- /* Step 6. This loops if |r| >= |max_exclusive|. This is identical to
- * checking |r| > |max_exclusive| - 1 or |r| - 1 > |max_exclusive| - 2, the
- * formulation stated in FIPS 186-4. */
+ // Step 6. This loops if |r| >= |max_exclusive|. This is identical to
+ // checking |r| > |max_exclusive| - 1 or |r| - 1 > |max_exclusive| - 2, the
+ // formulation stated in FIPS 186-4.
} while (BN_cmp(r, max_exclusive) >= 0);
return 1;
@@ -256,22 +256,22 @@
int BN_generate_dsa_nonce(BIGNUM *out, const BIGNUM *range, const BIGNUM *priv,
const uint8_t *message, size_t message_len,
BN_CTX *ctx) {
- /* We copy |priv| into a local buffer to avoid furthur exposing its
- * length. */
+ // We copy |priv| into a local buffer to avoid furthur exposing its
+ // length.
uint8_t private_bytes[96];
size_t todo = sizeof(priv->d[0]) * priv->top;
if (todo > sizeof(private_bytes)) {
- /* No reasonable DSA or ECDSA key should have a private key
- * this large and we don't handle this case in order to avoid
- * leaking the length of the private key. */
+ // No reasonable DSA or ECDSA key should have a private key
+ // this large and we don't handle this case in order to avoid
+ // leaking the length of the private key.
OPENSSL_PUT_ERROR(BN, BN_R_PRIVATE_KEY_TOO_LARGE);
return 0;
}
OPENSSL_memcpy(private_bytes, priv->d, todo);
OPENSSL_memset(private_bytes + todo, 0, sizeof(private_bytes) - todo);
- /* Pass a SHA512 hash of the private key and message as additional data into
- * the RBG. This is a hardening measure against entropy failure. */
+ // Pass a SHA512 hash of the private key and message as additional data into
+ // the RBG. This is a hardening measure against entropy failure.
OPENSSL_COMPILE_ASSERT(SHA512_DIGEST_LENGTH >= 32,
additional_data_is_too_large_for_sha512);
SHA512_CTX sha;
@@ -281,6 +281,6 @@
SHA512_Update(&sha, message, message_len);
SHA512_Final(digest, &sha);
- /* Select a value k from [1, range-1], following FIPS 186-4 appendix B.5.2. */
+ // Select a value k from [1, range-1], following FIPS 186-4 appendix B.5.2.
return bn_rand_range_with_additional_data(out, 1, range, digest);
}
diff --git a/crypto/fipsmodule/bn/shift.c b/crypto/fipsmodule/bn/shift.c
index 1e41342..d3fcf39 100644
--- a/crypto/fipsmodule/bn/shift.c
+++ b/crypto/fipsmodule/bn/shift.c
@@ -157,7 +157,7 @@
}
} else {
if (n == 0) {
- return 1; /* or the copying loop will go berserk */
+ return 1; // or the copying loop will go berserk
}
}
diff --git a/crypto/fipsmodule/bn/sqrt.c b/crypto/fipsmodule/bn/sqrt.c
index 0342bc0..68ccb91 100644
--- a/crypto/fipsmodule/bn/sqrt.c
+++ b/crypto/fipsmodule/bn/sqrt.c
@@ -60,9 +60,9 @@
BIGNUM *BN_mod_sqrt(BIGNUM *in, const BIGNUM *a, const BIGNUM *p, BN_CTX *ctx) {
- /* Compute a square root of |a| mod |p| using the Tonelli/Shanks algorithm
- * (cf. Henri Cohen, "A Course in Algebraic Computational Number Theory",
- * algorithm 1.5.1). |p| is assumed to be a prime. */
+ // Compute a square root of |a| mod |p| using the Tonelli/Shanks algorithm
+ // (cf. Henri Cohen, "A Course in Algebraic Computational Number Theory",
+ // algorithm 1.5.1). |p| is assumed to be a prime.
BIGNUM *ret = in;
int err = 1;
@@ -125,26 +125,25 @@
goto end;
}
- /* A = a mod p */
+ // A = a mod p
if (!BN_nnmod(A, a, p, ctx)) {
goto end;
}
- /* now write |p| - 1 as 2^e*q where q is odd */
+ // now write |p| - 1 as 2^e*q where q is odd
e = 1;
while (!BN_is_bit_set(p, e)) {
e++;
}
- /* we'll set q later (if needed) */
+ // we'll set q later (if needed)
if (e == 1) {
- /* The easy case: (|p|-1)/2 is odd, so 2 has an inverse
- * modulo (|p|-1)/2, and square roots can be computed
- * directly by modular exponentiation.
- * We have
- * 2 * (|p|+1)/4 == 1 (mod (|p|-1)/2),
- * so we can use exponent (|p|+1)/4, i.e. (|p|-3)/4 + 1.
- */
+ // The easy case: (|p|-1)/2 is odd, so 2 has an inverse
+ // modulo (|p|-1)/2, and square roots can be computed
+ // directly by modular exponentiation.
+ // We have
+ // 2 * (|p|+1)/4 == 1 (mod (|p|-1)/2),
+ // so we can use exponent (|p|+1)/4, i.e. (|p|-3)/4 + 1.
if (!BN_rshift(q, p, 2)) {
goto end;
}
@@ -158,39 +157,38 @@
}
if (e == 2) {
- /* |p| == 5 (mod 8)
- *
- * In this case 2 is always a non-square since
- * Legendre(2,p) = (-1)^((p^2-1)/8) for any odd prime.
- * So if a really is a square, then 2*a is a non-square.
- * Thus for
- * b := (2*a)^((|p|-5)/8),
- * i := (2*a)*b^2
- * we have
- * i^2 = (2*a)^((1 + (|p|-5)/4)*2)
- * = (2*a)^((p-1)/2)
- * = -1;
- * so if we set
- * x := a*b*(i-1),
- * then
- * x^2 = a^2 * b^2 * (i^2 - 2*i + 1)
- * = a^2 * b^2 * (-2*i)
- * = a*(-i)*(2*a*b^2)
- * = a*(-i)*i
- * = a.
- *
- * (This is due to A.O.L. Atkin,
- * <URL:
- *http://listserv.nodak.edu/scripts/wa.exe?A2=ind9211&L=nmbrthry&O=T&P=562>,
- * November 1992.)
- */
+ // |p| == 5 (mod 8)
+ //
+ // In this case 2 is always a non-square since
+ // Legendre(2,p) = (-1)^((p^2-1)/8) for any odd prime.
+ // So if a really is a square, then 2*a is a non-square.
+ // Thus for
+ // b := (2*a)^((|p|-5)/8),
+ // i := (2*a)*b^2
+ // we have
+ // i^2 = (2*a)^((1 + (|p|-5)/4)*2)
+ // = (2*a)^((p-1)/2)
+ // = -1;
+ // so if we set
+ // x := a*b*(i-1),
+ // then
+ // x^2 = a^2 * b^2 * (i^2 - 2*i + 1)
+ // = a^2 * b^2 * (-2*i)
+ // = a*(-i)*(2*a*b^2)
+ // = a*(-i)*i
+ // = a.
+ //
+ // (This is due to A.O.L. Atkin,
+ // <URL:
+ //http://listserv.nodak.edu/scripts/wa.exe?A2=ind9211&L=nmbrthry&O=T&P=562>,
+ // November 1992.)
- /* t := 2*a */
+ // t := 2*a
if (!BN_mod_lshift1_quick(t, A, p)) {
goto end;
}
- /* b := (2*a)^((|p|-5)/8) */
+ // b := (2*a)^((|p|-5)/8)
if (!BN_rshift(q, p, 3)) {
goto end;
}
@@ -199,18 +197,18 @@
goto end;
}
- /* y := b^2 */
+ // y := b^2
if (!BN_mod_sqr(y, b, p, ctx)) {
goto end;
}
- /* t := (2*a)*b^2 - 1*/
+ // t := (2*a)*b^2 - 1
if (!BN_mod_mul(t, t, y, p, ctx) ||
!BN_sub_word(t, 1)) {
goto end;
}
- /* x = a*b*t */
+ // x = a*b*t
if (!BN_mod_mul(x, A, b, p, ctx) ||
!BN_mod_mul(x, x, t, p, ctx)) {
goto end;
@@ -223,17 +221,16 @@
goto vrfy;
}
- /* e > 2, so we really have to use the Tonelli/Shanks algorithm.
- * First, find some y that is not a square. */
+ // e > 2, so we really have to use the Tonelli/Shanks algorithm.
+ // First, find some y that is not a square.
if (!BN_copy(q, p)) {
- goto end; /* use 'q' as temp */
+ goto end; // use 'q' as temp
}
q->neg = 0;
i = 2;
do {
- /* For efficiency, try small numbers first;
- * if this fails, try random numbers.
- */
+ // For efficiency, try small numbers first;
+ // if this fails, try random numbers.
if (i < 22) {
if (!BN_set_word(y, i)) {
goto end;
@@ -247,7 +244,7 @@
goto end;
}
}
- /* now 0 <= y < |p| */
+ // now 0 <= y < |p|
if (BN_is_zero(y)) {
if (!BN_set_word(y, i)) {
goto end;
@@ -255,34 +252,33 @@
}
}
- r = bn_jacobi(y, q, ctx); /* here 'q' is |p| */
+ r = bn_jacobi(y, q, ctx); // here 'q' is |p|
if (r < -1) {
goto end;
}
if (r == 0) {
- /* m divides p */
+ // m divides p
OPENSSL_PUT_ERROR(BN, BN_R_P_IS_NOT_PRIME);
goto end;
}
} while (r == 1 && ++i < 82);
if (r != -1) {
- /* Many rounds and still no non-square -- this is more likely
- * a bug than just bad luck.
- * Even if p is not prime, we should have found some y
- * such that r == -1.
- */
+ // Many rounds and still no non-square -- this is more likely
+ // a bug than just bad luck.
+ // Even if p is not prime, we should have found some y
+ // such that r == -1.
OPENSSL_PUT_ERROR(BN, BN_R_TOO_MANY_ITERATIONS);
goto end;
}
- /* Here's our actual 'q': */
+ // Here's our actual 'q':
if (!BN_rshift(q, q, e)) {
goto end;
}
- /* Now that we have some non-square, we can find an element
- * of order 2^e by computing its q'th power. */
+ // Now that we have some non-square, we can find an element
+ // of order 2^e by computing its q'th power.
if (!BN_mod_exp_mont(y, y, q, p, ctx, NULL)) {
goto end;
}
@@ -291,37 +287,36 @@
goto end;
}
- /* Now we know that (if p is indeed prime) there is an integer
- * k, 0 <= k < 2^e, such that
- *
- * a^q * y^k == 1 (mod p).
- *
- * As a^q is a square and y is not, k must be even.
- * q+1 is even, too, so there is an element
- *
- * X := a^((q+1)/2) * y^(k/2),
- *
- * and it satisfies
- *
- * X^2 = a^q * a * y^k
- * = a,
- *
- * so it is the square root that we are looking for.
- */
+ // Now we know that (if p is indeed prime) there is an integer
+ // k, 0 <= k < 2^e, such that
+ //
+ // a^q * y^k == 1 (mod p).
+ //
+ // As a^q is a square and y is not, k must be even.
+ // q+1 is even, too, so there is an element
+ //
+ // X := a^((q+1)/2) * y^(k/2),
+ //
+ // and it satisfies
+ //
+ // X^2 = a^q * a * y^k
+ // = a,
+ //
+ // so it is the square root that we are looking for.
- /* t := (q-1)/2 (note that q is odd) */
+ // t := (q-1)/2 (note that q is odd)
if (!BN_rshift1(t, q)) {
goto end;
}
- /* x := a^((q-1)/2) */
- if (BN_is_zero(t)) /* special case: p = 2^e + 1 */
+ // x := a^((q-1)/2)
+ if (BN_is_zero(t)) // special case: p = 2^e + 1
{
if (!BN_nnmod(t, A, p, ctx)) {
goto end;
}
if (BN_is_zero(t)) {
- /* special case: a == 0 (mod p) */
+ // special case: a == 0 (mod p)
BN_zero(ret);
err = 0;
goto end;
@@ -333,33 +328,32 @@
goto end;
}
if (BN_is_zero(x)) {
- /* special case: a == 0 (mod p) */
+ // special case: a == 0 (mod p)
BN_zero(ret);
err = 0;
goto end;
}
}
- /* b := a*x^2 (= a^q) */
+ // b := a*x^2 (= a^q)
if (!BN_mod_sqr(b, x, p, ctx) ||
!BN_mod_mul(b, b, A, p, ctx)) {
goto end;
}
- /* x := a*x (= a^((q+1)/2)) */
+ // x := a*x (= a^((q+1)/2))
if (!BN_mod_mul(x, x, A, p, ctx)) {
goto end;
}
while (1) {
- /* Now b is a^q * y^k for some even k (0 <= k < 2^E
- * where E refers to the original value of e, which we
- * don't keep in a variable), and x is a^((q+1)/2) * y^(k/2).
- *
- * We have a*b = x^2,
- * y^2^(e-1) = -1,
- * b^2^(e-1) = 1.
- */
+ // Now b is a^q * y^k for some even k (0 <= k < 2^E
+ // where E refers to the original value of e, which we
+ // don't keep in a variable), and x is a^((q+1)/2) * y^(k/2).
+ //
+ // We have a*b = x^2,
+ // y^2^(e-1) = -1,
+ // b^2^(e-1) = 1.
if (BN_is_one(b)) {
if (!BN_copy(ret, x)) {
@@ -370,7 +364,7 @@
}
- /* find smallest i such that b^(2^i) = 1 */
+ // find smallest i such that b^(2^i) = 1
i = 1;
if (!BN_mod_sqr(t, b, p, ctx)) {
goto end;
@@ -387,7 +381,7 @@
}
- /* t := y^2^(e - i - 1) */
+ // t := y^2^(e - i - 1)
if (!BN_copy(t, y)) {
goto end;
}
@@ -406,8 +400,8 @@
vrfy:
if (!err) {
- /* verify the result -- the input might have been not a square
- * (test added in 0.9.8) */
+ // verify the result -- the input might have been not a square
+ // (test added in 0.9.8)
if (!BN_mod_sqr(x, ret, p, ctx)) {
err = 1;
@@ -457,30 +451,30 @@
goto err;
}
- /* We estimate that the square root of an n-bit number is 2^{n/2}. */
+ // We estimate that the square root of an n-bit number is 2^{n/2}.
if (!BN_lshift(estimate, BN_value_one(), BN_num_bits(in)/2)) {
goto err;
}
- /* This is Newton's method for finding a root of the equation |estimate|^2 -
- * |in| = 0. */
+ // This is Newton's method for finding a root of the equation |estimate|^2 -
+ // |in| = 0.
for (;;) {
- /* |estimate| = 1/2 * (|estimate| + |in|/|estimate|) */
+ // |estimate| = 1/2 * (|estimate| + |in|/|estimate|)
if (!BN_div(tmp, NULL, in, estimate, ctx) ||
!BN_add(tmp, tmp, estimate) ||
!BN_rshift1(estimate, tmp) ||
- /* |tmp| = |estimate|^2 */
+ // |tmp| = |estimate|^2
!BN_sqr(tmp, estimate, ctx) ||
- /* |delta| = |in| - |tmp| */
+ // |delta| = |in| - |tmp|
!BN_sub(delta, in, tmp)) {
OPENSSL_PUT_ERROR(BN, ERR_R_BN_LIB);
goto err;
}
delta->neg = 0;
- /* The difference between |in| and |estimate| squared is required to always
- * decrease. This ensures that the loop always terminates, but I don't have
- * a proof that it always finds the square root for a given square. */
+ // The difference between |in| and |estimate| squared is required to always
+ // decrease. This ensures that the loop always terminates, but I don't have
+ // a proof that it always finds the square root for a given square.
if (last_delta_valid && BN_cmp(delta, last_delta) >= 0) {
break;
}
diff --git a/crypto/fipsmodule/cipher/aead.c b/crypto/fipsmodule/cipher/aead.c
index ed30209..8d2ad04 100644
--- a/crypto/fipsmodule/cipher/aead.c
+++ b/crypto/fipsmodule/cipher/aead.c
@@ -101,8 +101,8 @@
ctx->aead = NULL;
}
-/* check_alias returns 1 if |out| is compatible with |in| and 0 otherwise. If
- * |in| and |out| alias, we require that |in| == |out|. */
+// check_alias returns 1 if |out| is compatible with |in| and 0 otherwise. If
+// |in| and |out| alias, we require that |in| == |out|.
static int check_alias(const uint8_t *in, size_t in_len, const uint8_t *out,
size_t out_len) {
if (!buffers_alias(in, in_len, out, out_len)) {
@@ -140,8 +140,8 @@
}
error:
- /* In the event of an error, clear the output buffer so that a caller
- * that doesn't check the return value doesn't send raw data. */
+ // In the event of an error, clear the output buffer so that a caller
+ // that doesn't check the return value doesn't send raw data.
OPENSSL_memset(out, 0, max_out_len);
*out_len = 0;
return 0;
@@ -172,8 +172,8 @@
}
error:
- /* In the event of an error, clear the output buffer so that a caller
- * that doesn't check the return value doesn't send raw data. */
+ // In the event of an error, clear the output buffer so that a caller
+ // that doesn't check the return value doesn't send raw data.
OPENSSL_memset(out, 0, in_len);
OPENSSL_memset(out_tag, 0, max_out_tag_len);
*out_tag_len = 0;
@@ -218,9 +218,9 @@
}
error:
- /* In the event of an error, clear the output buffer so that a caller
- * that doesn't check the return value doesn't try and process bad
- * data. */
+ // In the event of an error, clear the output buffer so that a caller
+ // that doesn't check the return value doesn't try and process bad
+ // data.
OPENSSL_memset(out, 0, max_out_len);
*out_len = 0;
return 0;
@@ -247,9 +247,9 @@
}
error:
- /* In the event of an error, clear the output buffer so that a caller
- * that doesn't check the return value doesn't try and process bad
- * data. */
+ // In the event of an error, clear the output buffer so that a caller
+ // that doesn't check the return value doesn't try and process bad
+ // data.
OPENSSL_memset(out, 0, in_len);
return 0;
}
diff --git a/crypto/fipsmodule/cipher/cipher.c b/crypto/fipsmodule/cipher/cipher.c
index d116715..8f0d788 100644
--- a/crypto/fipsmodule/cipher/cipher.c
+++ b/crypto/fipsmodule/cipher/cipher.c
@@ -141,12 +141,12 @@
}
if (cipher) {
- /* Ensure a context left from last time is cleared (the previous check
- * attempted to avoid this if the same ENGINE and EVP_CIPHER could be
- * used). */
+ // Ensure a context left from last time is cleared (the previous check
+ // attempted to avoid this if the same ENGINE and EVP_CIPHER could be
+ // used).
if (ctx->cipher) {
EVP_CIPHER_CTX_cleanup(ctx);
- /* Restore encrypt and flags */
+ // Restore encrypt and flags
ctx->encrypt = enc;
}
@@ -177,7 +177,7 @@
return 0;
}
- /* we assume block size is a power of 2 in *cryptUpdate */
+ // we assume block size is a power of 2 in *cryptUpdate
assert(ctx->cipher->block_size == 1 || ctx->cipher->block_size == 8 ||
ctx->cipher->block_size == 16);
@@ -189,7 +189,7 @@
case EVP_CIPH_CFB_MODE:
ctx->num = 0;
- /* fall-through */
+ // fall-through
case EVP_CIPH_CBC_MODE:
assert(EVP_CIPHER_CTX_iv_length(ctx) <= sizeof(ctx->iv));
@@ -202,7 +202,7 @@
case EVP_CIPH_CTR_MODE:
case EVP_CIPH_OFB_MODE:
ctx->num = 0;
- /* Don't reuse IV for CTR mode */
+ // Don't reuse IV for CTR mode
if (iv) {
OPENSSL_memcpy(ctx->iv, iv, EVP_CIPHER_CTX_iv_length(ctx));
}
@@ -388,8 +388,8 @@
return 0;
}
- /* if we have 'decrypted' a multiple of block size, make sure
- * we have a copy of this last block */
+ // if we have 'decrypted' a multiple of block size, make sure
+ // we have a copy of this last block
if (b > 1 && !ctx->buf_len) {
*out_len -= b;
ctx->final_used = 1;
@@ -437,8 +437,8 @@
}
assert(b <= sizeof(ctx->final));
- /* The following assumes that the ciphertext has been authenticated.
- * Otherwise it provides a padding oracle. */
+ // The following assumes that the ciphertext has been authenticated.
+ // Otherwise it provides a padding oracle.
n = ctx->final[b - 1];
if (n == 0 || n > (int)b) {
OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_BAD_DECRYPT);
diff --git a/crypto/fipsmodule/cipher/e_aes.c b/crypto/fipsmodule/cipher/e_aes.c
index 2c6fc41..bd9847c 100644
--- a/crypto/fipsmodule/cipher/e_aes.c
+++ b/crypto/fipsmodule/cipher/e_aes.c
@@ -68,7 +68,7 @@
#endif
-OPENSSL_MSVC_PRAGMA(warning(disable: 4702)) /* Unreachable code. */
+OPENSSL_MSVC_PRAGMA(warning(disable: 4702)) // Unreachable code.
typedef struct {
union {
@@ -86,14 +86,14 @@
union {
double align;
AES_KEY ks;
- } ks; /* AES key schedule to use */
- int key_set; /* Set if key initialised */
- int iv_set; /* Set if an iv is set */
+ } ks; // AES key schedule to use
+ int key_set; // Set if key initialised
+ int iv_set; // Set if an iv is set
GCM128_CONTEXT gcm;
- uint8_t *iv; /* Temporary IV store */
- int ivlen; /* IV length */
+ uint8_t *iv; // Temporary IV store
+ int ivlen; // IV length
int taglen;
- int iv_gen; /* It is OK to generate IVs */
+ int iv_gen; // It is OK to generate IVs
ctr128_f ctr;
} EVP_AES_GCM_CTX;
@@ -125,8 +125,8 @@
#if defined(BSAES)
-/* On platforms where BSAES gets defined (just above), then these functions are
- * provided by asm. */
+// On platforms where BSAES gets defined (just above), then these functions are
+// provided by asm.
void bsaes_cbc_encrypt(const uint8_t *in, uint8_t *out, size_t length,
const AES_KEY *key, uint8_t ivec[16], int enc);
void bsaes_ctr32_encrypt_blocks(const uint8_t *in, uint8_t *out, size_t len,
@@ -136,8 +136,8 @@
return 0;
}
-/* On other platforms, bsaes_capable() will always return false and so the
- * following will never be called. */
+// On other platforms, bsaes_capable() will always return false and so the
+// following will never be called.
static void bsaes_cbc_encrypt(const uint8_t *in, uint8_t *out, size_t length,
const AES_KEY *key, uint8_t ivec[16], int enc) {
abort();
@@ -151,8 +151,8 @@
#endif
#if defined(VPAES)
-/* On platforms where VPAES gets defined (just above), then these functions are
- * provided by asm. */
+// On platforms where VPAES gets defined (just above), then these functions are
+// provided by asm.
int vpaes_set_encrypt_key(const uint8_t *userKey, int bits, AES_KEY *key);
int vpaes_set_decrypt_key(const uint8_t *userKey, int bits, AES_KEY *key);
@@ -166,8 +166,8 @@
return 0;
}
-/* On other platforms, vpaes_capable() will always return false and so the
- * following will never be called. */
+// On other platforms, vpaes_capable() will always return false and so the
+// following will never be called.
static int vpaes_set_encrypt_key(const uint8_t *userKey, int bits,
AES_KEY *key) {
abort();
@@ -203,8 +203,8 @@
#else
-/* On other platforms, aesni_capable() will always return false and so the
- * following will never be called. */
+// On other platforms, aesni_capable() will always return false and so the
+// following will never be called.
static void aesni_encrypt(const uint8_t *in, uint8_t *out, const AES_KEY *key) {
abort();
}
@@ -404,7 +404,7 @@
if (key) {
gctx->ctr =
aes_ctr_set_key(&gctx->ks.ks, &gctx->gcm, NULL, key, ctx->key_len);
- /* If we have an iv can set it directly, otherwise use saved IV. */
+ // If we have an iv can set it directly, otherwise use saved IV.
if (iv == NULL && gctx->iv_set) {
iv = gctx->iv;
}
@@ -414,7 +414,7 @@
}
gctx->key_set = 1;
} else {
- /* If key set use IV, otherwise copy */
+ // If key set use IV, otherwise copy
if (gctx->key_set) {
CRYPTO_gcm128_setiv(&gctx->gcm, &gctx->ks.ks, iv, gctx->ivlen);
} else {
@@ -434,7 +434,7 @@
}
}
-/* increment counter (64-bit int) by 1 */
+// increment counter (64-bit int) by 1
static void ctr64_inc(uint8_t *counter) {
int n = 8;
uint8_t c;
@@ -467,7 +467,7 @@
return 0;
}
- /* Allocate memory for IV if needed */
+ // Allocate memory for IV if needed
if (arg > EVP_MAX_IV_LENGTH && arg > gctx->ivlen) {
if (gctx->iv != c->iv) {
OPENSSL_free(gctx->iv);
@@ -496,14 +496,14 @@
return 1;
case EVP_CTRL_GCM_SET_IV_FIXED:
- /* Special case: -1 length restores whole IV */
+ // Special case: -1 length restores whole IV
if (arg == -1) {
OPENSSL_memcpy(gctx->iv, ptr, gctx->ivlen);
gctx->iv_gen = 1;
return 1;
}
- /* Fixed field must be at least 4 bytes and invocation field
- * at least 8. */
+ // Fixed field must be at least 4 bytes and invocation field
+ // at least 8.
if (arg < 4 || (gctx->ivlen - arg) < 8) {
return 0;
}
@@ -525,9 +525,9 @@
arg = gctx->ivlen;
}
OPENSSL_memcpy(ptr, gctx->iv + gctx->ivlen - arg, arg);
- /* Invocation field will be at least 8 bytes in size and
- * so no need to check wrap around or increment more than
- * last 8 bytes. */
+ // Invocation field will be at least 8 bytes in size and
+ // so no need to check wrap around or increment more than
+ // last 8 bytes.
ctr64_inc(gctx->iv + gctx->ivlen - 8);
gctx->iv_set = 1;
return 1;
@@ -565,7 +565,7 @@
size_t len) {
EVP_AES_GCM_CTX *gctx = ctx->cipher_data;
- /* If not set up, return error */
+ // If not set up, return error
if (!gctx->key_set) {
return -1;
}
@@ -613,7 +613,7 @@
}
CRYPTO_gcm128_tag(&gctx->gcm, ctx->buf, 16);
gctx->taglen = 16;
- /* Don't reuse the IV */
+ // Don't reuse the IV
gctx->iv_set = 0;
return 0;
}
@@ -813,7 +813,7 @@
#if !defined(OPENSSL_NO_ASM) && \
(defined(OPENSSL_X86_64) || defined(OPENSSL_X86))
-/* AES-NI section. */
+// AES-NI section.
static char aesni_capable(void) {
return (OPENSSL_ia32cap_P[1] & (1 << (57 - 32))) != 0;
@@ -880,8 +880,8 @@
aesni_set_encrypt_key(key, ctx->key_len * 8, &gctx->ks.ks);
CRYPTO_gcm128_init(&gctx->gcm, &gctx->ks, (block128_f)aesni_encrypt, 1);
gctx->ctr = (ctr128_f)aesni_ctr32_encrypt_blocks;
- /* If we have an iv can set it directly, otherwise use
- * saved IV. */
+ // If we have an iv can set it directly, otherwise use
+ // saved IV.
if (iv == NULL && gctx->iv_set) {
iv = gctx->iv;
}
@@ -891,7 +891,7 @@
}
gctx->key_set = 1;
} else {
- /* If key set use IV, otherwise copy */
+ // If key set use IV, otherwise copy
if (gctx->key_set) {
CRYPTO_gcm128_setiv(&gctx->gcm, &gctx->ks.ks, iv, gctx->ivlen);
} else {
@@ -1104,7 +1104,7 @@
} \
}
-#else /* ^^^ OPENSSL_X86_64 || OPENSSL_X86 */
+#else // ^^^ OPENSSL_X86_64 || OPENSSL_X86
static char aesni_capable(void) {
return 0;
@@ -1158,7 +1158,7 @@
if (key_bits != 128 && key_bits != 256) {
OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_BAD_KEY_LENGTH);
- return 0; /* EVP_AEAD_CTX_init should catch this. */
+ return 0; // EVP_AEAD_CTX_init should catch this.
}
if (tag_len == EVP_AEAD_DEFAULT_TAG_LENGTH) {
diff --git a/crypto/fipsmodule/cipher/internal.h b/crypto/fipsmodule/cipher/internal.h
index 02335e0..7b5f23f 100644
--- a/crypto/fipsmodule/cipher/internal.h
+++ b/crypto/fipsmodule/cipher/internal.h
@@ -70,10 +70,10 @@
#endif
-/* EVP_CIPH_MODE_MASK contains the bits of |flags| that represent the mode. */
+// EVP_CIPH_MODE_MASK contains the bits of |flags| that represent the mode.
#define EVP_CIPH_MODE_MASK 0x3f
-/* EVP_AEAD represents a specific AEAD algorithm. */
+// EVP_AEAD represents a specific AEAD algorithm.
struct evp_aead_st {
uint8_t key_len;
uint8_t nonce_len;
@@ -81,8 +81,8 @@
uint8_t max_tag_len;
int seal_scatter_supports_extra_in;
- /* init initialises an |EVP_AEAD_CTX|. If this call returns zero then
- * |cleanup| will not be called for that context. */
+ // init initialises an |EVP_AEAD_CTX|. If this call returns zero then
+ // |cleanup| will not be called for that context.
int (*init)(EVP_AEAD_CTX *, const uint8_t *key, size_t key_len,
size_t tag_len);
int (*init_with_direction)(EVP_AEAD_CTX *, const uint8_t *key, size_t key_len,
@@ -112,18 +112,18 @@
size_t extra_in_len);
};
-/* aes_ctr_set_key initialises |*aes_key| using |key_bytes| bytes from |key|,
- * where |key_bytes| must either be 16, 24 or 32. If not NULL, |*out_block| is
- * set to a function that encrypts single blocks. If not NULL, |*gcm_ctx| is
- * initialised to do GHASH with the given key. It returns a function for
- * optimised CTR-mode, or NULL if CTR-mode should be built using
- * |*out_block|. */
+// aes_ctr_set_key initialises |*aes_key| using |key_bytes| bytes from |key|,
+// where |key_bytes| must either be 16, 24 or 32. If not NULL, |*out_block| is
+// set to a function that encrypts single blocks. If not NULL, |*gcm_ctx| is
+// initialised to do GHASH with the given key. It returns a function for
+// optimised CTR-mode, or NULL if CTR-mode should be built using
+// |*out_block|.
ctr128_f aes_ctr_set_key(AES_KEY *aes_key, GCM128_CONTEXT *gcm_ctx,
block128_f *out_block, const uint8_t *key,
size_t key_bytes);
#if defined(__cplusplus)
-} /* extern C */
+} // extern C
#endif
-#endif /* OPENSSL_HEADER_CIPHER_INTERNAL_H */
+#endif // OPENSSL_HEADER_CIPHER_INTERNAL_H
diff --git a/crypto/fipsmodule/delocate.h b/crypto/fipsmodule/delocate.h
index 0153a4e..065a21c 100644
--- a/crypto/fipsmodule/delocate.h
+++ b/crypto/fipsmodule/delocate.h
@@ -24,12 +24,12 @@
#define DEFINE_BSS_GET(type, name) \
static type name __attribute__((used)); \
type *name##_bss_get(void);
-/* For FIPS builds we require that CRYPTO_ONCE_INIT be zero. */
+// For FIPS builds we require that CRYPTO_ONCE_INIT be zero.
#define DEFINE_STATIC_ONCE(name) DEFINE_BSS_GET(CRYPTO_once_t, name)
-/* For FIPS builds we require that CRYPTO_STATIC_MUTEX_INIT be zero. */
+// For FIPS builds we require that CRYPTO_STATIC_MUTEX_INIT be zero.
#define DEFINE_STATIC_MUTEX(name) \
DEFINE_BSS_GET(struct CRYPTO_STATIC_MUTEX, name)
-/* For FIPS builds we require that CRYPTO_EX_DATA_CLASS_INIT be zero. */
+// For FIPS builds we require that CRYPTO_EX_DATA_CLASS_INIT be zero.
#define DEFINE_STATIC_EX_DATA_CLASS(name) \
DEFINE_BSS_GET(CRYPTO_EX_DATA_CLASS, name)
#else
@@ -60,29 +60,29 @@
} \
static void name##_do_init(type *out)
-/* DEFINE_METHOD_FUNCTION defines a function named |name| which returns a
- * method table of type const |type|*. In FIPS mode, to avoid rel.ro data, it
- * is split into a CRYPTO_once_t-guarded initializer in the module and
- * unhashed, non-module accessor functions to space reserved in the BSS. The
- * method table is initialized by a caller-supplied function which takes a
- * parameter named |out| of type |type|*. The caller should follow the macro
- * invocation with the body of this function:
- *
- * DEFINE_METHOD_FUNCTION(EVP_MD, EVP_md4) {
- * out->type = NID_md4;
- * out->md_size = MD4_DIGEST_LENGTH;
- * out->flags = 0;
- * out->init = md4_init;
- * out->update = md4_update;
- * out->final = md4_final;
- * out->block_size = 64;
- * out->ctx_size = sizeof(MD4_CTX);
- * }
- *
- * This mechanism does not use a static initializer because their execution
- * order is undefined. See FIPS.md for more details. */
+// DEFINE_METHOD_FUNCTION defines a function named |name| which returns a
+// method table of type const |type|*. In FIPS mode, to avoid rel.ro data, it
+// is split into a CRYPTO_once_t-guarded initializer in the module and
+// unhashed, non-module accessor functions to space reserved in the BSS. The
+// method table is initialized by a caller-supplied function which takes a
+// parameter named |out| of type |type|*. The caller should follow the macro
+// invocation with the body of this function:
+//
+// DEFINE_METHOD_FUNCTION(EVP_MD, EVP_md4) {
+// out->type = NID_md4;
+// out->md_size = MD4_DIGEST_LENGTH;
+// out->flags = 0;
+// out->init = md4_init;
+// out->update = md4_update;
+// out->final = md4_final;
+// out->block_size = 64;
+// out->ctx_size = sizeof(MD4_CTX);
+// }
+//
+// This mechanism does not use a static initializer because their execution
+// order is undefined. See FIPS.md for more details.
#define DEFINE_METHOD_FUNCTION(type, name) DEFINE_DATA(type, name, const)
#define DEFINE_LOCAL_DATA(type, name) DEFINE_DATA(type, name, static const)
-#endif /* OPENSSL_HEADER_FIPSMODULE_DELOCATE_H */
+#endif // OPENSSL_HEADER_FIPSMODULE_DELOCATE_H
diff --git a/crypto/fipsmodule/des/des.c b/crypto/fipsmodule/des/des.c
index a6c177c..2b0fdcd 100644
--- a/crypto/fipsmodule/des/des.c
+++ b/crypto/fipsmodule/des/des.c
@@ -62,7 +62,7 @@
static const uint32_t des_skb[8][64] = {
- {/* for C bits (numbered as per FIPS 46) 1 2 3 4 5 6 */
+ { // for C bits (numbered as per FIPS 46) 1 2 3 4 5 6
0x00000000L, 0x00000010L, 0x20000000L, 0x20000010L, 0x00010000L,
0x00010010L, 0x20010000L, 0x20010010L, 0x00000800L, 0x00000810L,
0x20000800L, 0x20000810L, 0x00010800L, 0x00010810L, 0x20010800L,
@@ -76,7 +76,7 @@
0x20080020L, 0x20080030L, 0x00090020L, 0x00090030L, 0x20090020L,
0x20090030L, 0x00080820L, 0x00080830L, 0x20080820L, 0x20080830L,
0x00090820L, 0x00090830L, 0x20090820L, 0x20090830L, },
- {/* for C bits (numbered as per FIPS 46) 7 8 10 11 12 13 */
+ { // for C bits (numbered as per FIPS 46) 7 8 10 11 12 13
0x00000000L, 0x02000000L, 0x00002000L, 0x02002000L, 0x00200000L,
0x02200000L, 0x00202000L, 0x02202000L, 0x00000004L, 0x02000004L,
0x00002004L, 0x02002004L, 0x00200004L, 0x02200004L, 0x00202004L,
@@ -90,7 +90,7 @@
0x10002400L, 0x12002400L, 0x10200400L, 0x12200400L, 0x10202400L,
0x12202400L, 0x10000404L, 0x12000404L, 0x10002404L, 0x12002404L,
0x10200404L, 0x12200404L, 0x10202404L, 0x12202404L, },
- {/* for C bits (numbered as per FIPS 46) 14 15 16 17 19 20 */
+ { // for C bits (numbered as per FIPS 46) 14 15 16 17 19 20
0x00000000L, 0x00000001L, 0x00040000L, 0x00040001L, 0x01000000L,
0x01000001L, 0x01040000L, 0x01040001L, 0x00000002L, 0x00000003L,
0x00040002L, 0x00040003L, 0x01000002L, 0x01000003L, 0x01040002L,
@@ -104,7 +104,7 @@
0x08040200L, 0x08040201L, 0x09000200L, 0x09000201L, 0x09040200L,
0x09040201L, 0x08000202L, 0x08000203L, 0x08040202L, 0x08040203L,
0x09000202L, 0x09000203L, 0x09040202L, 0x09040203L, },
- {/* for C bits (numbered as per FIPS 46) 21 23 24 26 27 28 */
+ { // for C bits (numbered as per FIPS 46) 21 23 24 26 27 28
0x00000000L, 0x00100000L, 0x00000100L, 0x00100100L, 0x00000008L,
0x00100008L, 0x00000108L, 0x00100108L, 0x00001000L, 0x00101000L,
0x00001100L, 0x00101100L, 0x00001008L, 0x00101008L, 0x00001108L,
@@ -118,7 +118,7 @@
0x04020100L, 0x04120100L, 0x04020008L, 0x04120008L, 0x04020108L,
0x04120108L, 0x04021000L, 0x04121000L, 0x04021100L, 0x04121100L,
0x04021008L, 0x04121008L, 0x04021108L, 0x04121108L, },
- {/* for D bits (numbered as per FIPS 46) 1 2 3 4 5 6 */
+ { // for D bits (numbered as per FIPS 46) 1 2 3 4 5 6
0x00000000L, 0x10000000L, 0x00010000L, 0x10010000L, 0x00000004L,
0x10000004L, 0x00010004L, 0x10010004L, 0x20000000L, 0x30000000L,
0x20010000L, 0x30010000L, 0x20000004L, 0x30000004L, 0x20010004L,
@@ -132,7 +132,7 @@
0x00111000L, 0x10111000L, 0x00101004L, 0x10101004L, 0x00111004L,
0x10111004L, 0x20101000L, 0x30101000L, 0x20111000L, 0x30111000L,
0x20101004L, 0x30101004L, 0x20111004L, 0x30111004L, },
- {/* for D bits (numbered as per FIPS 46) 8 9 11 12 13 14 */
+ { // for D bits (numbered as per FIPS 46) 8 9 11 12 13 14
0x00000000L, 0x08000000L, 0x00000008L, 0x08000008L, 0x00000400L,
0x08000400L, 0x00000408L, 0x08000408L, 0x00020000L, 0x08020000L,
0x00020008L, 0x08020008L, 0x00020400L, 0x08020400L, 0x00020408L,
@@ -146,7 +146,7 @@
0x02000009L, 0x0A000009L, 0x02000401L, 0x0A000401L, 0x02000409L,
0x0A000409L, 0x02020001L, 0x0A020001L, 0x02020009L, 0x0A020009L,
0x02020401L, 0x0A020401L, 0x02020409L, 0x0A020409L, },
- {/* for D bits (numbered as per FIPS 46) 16 17 18 19 20 21 */
+ { // for D bits (numbered as per FIPS 46) 16 17 18 19 20 21
0x00000000L, 0x00000100L, 0x00080000L, 0x00080100L, 0x01000000L,
0x01000100L, 0x01080000L, 0x01080100L, 0x00000010L, 0x00000110L,
0x00080010L, 0x00080110L, 0x01000010L, 0x01000110L, 0x01080010L,
@@ -160,7 +160,7 @@
0x00280200L, 0x00280300L, 0x01200200L, 0x01200300L, 0x01280200L,
0x01280300L, 0x00200210L, 0x00200310L, 0x00280210L, 0x00280310L,
0x01200210L, 0x01200310L, 0x01280210L, 0x01280310L, },
- {/* for D bits (numbered as per FIPS 46) 22 23 24 25 27 28 */
+ { // for D bits (numbered as per FIPS 46) 22 23 24 25 27 28
0x00000000L, 0x04000000L, 0x00040000L, 0x04040000L, 0x00000002L,
0x04000002L, 0x00040002L, 0x04040002L, 0x00002000L, 0x04002000L,
0x00042000L, 0x04042000L, 0x00002002L, 0x04002002L, 0x00042002L,
@@ -176,7 +176,7 @@
0x00002822L, 0x04002822L, 0x00042822L, 0x04042822L, }};
static const uint32_t DES_SPtrans[8][64] = {
- {/* nibble 0 */
+ { // nibble 0
0x02080800L, 0x00080000L, 0x02000002L, 0x02080802L, 0x02000000L,
0x00080802L, 0x00080002L, 0x02000002L, 0x00080802L, 0x02080800L,
0x02080000L, 0x00000802L, 0x02000802L, 0x02000000L, 0x00000000L,
@@ -190,7 +190,7 @@
0x02080000L, 0x02000802L, 0x02000000L, 0x00000802L, 0x00080002L,
0x00000000L, 0x00080000L, 0x02000000L, 0x02000802L, 0x02080800L,
0x00000002L, 0x02080002L, 0x00000800L, 0x00080802L, },
- {/* nibble 1 */
+ { // nibble 1
0x40108010L, 0x00000000L, 0x00108000L, 0x40100000L, 0x40000010L,
0x00008010L, 0x40008000L, 0x00108000L, 0x00008000L, 0x40100010L,
0x00000010L, 0x40008000L, 0x00100010L, 0x40108000L, 0x40100000L,
@@ -204,7 +204,7 @@
0x00000000L, 0x40000010L, 0x00000010L, 0x40108010L, 0x00108000L,
0x40100000L, 0x40100010L, 0x00100000L, 0x00008010L, 0x40008000L,
0x40008010L, 0x00000010L, 0x40100000L, 0x00108000L, },
- {/* nibble 2 */
+ { // nibble 2
0x04000001L, 0x04040100L, 0x00000100L, 0x04000101L, 0x00040001L,
0x04000000L, 0x04000101L, 0x00040100L, 0x04000100L, 0x00040000L,
0x04040000L, 0x00000001L, 0x04040101L, 0x00000101L, 0x00000001L,
@@ -218,7 +218,7 @@
0x04000000L, 0x04040101L, 0x00040000L, 0x04000100L, 0x04000101L,
0x00040100L, 0x04000100L, 0x00000000L, 0x04040001L, 0x00000101L,
0x04000001L, 0x00040101L, 0x00000100L, 0x04040000L, },
- {/* nibble 3 */
+ { // nibble 3
0x00401008L, 0x10001000L, 0x00000008L, 0x10401008L, 0x00000000L,
0x10400000L, 0x10001008L, 0x00400008L, 0x10401000L, 0x10000008L,
0x10000000L, 0x00001008L, 0x10000008L, 0x00401008L, 0x00400000L,
@@ -232,7 +232,7 @@
0x00401008L, 0x00400000L, 0x10401008L, 0x00000008L, 0x10001000L,
0x00401008L, 0x00400008L, 0x00401000L, 0x10400000L, 0x10001008L,
0x00001008L, 0x10000000L, 0x10000008L, 0x10401000L, },
- {/* nibble 4 */
+ { // nibble 4
0x08000000L, 0x00010000L, 0x00000400L, 0x08010420L, 0x08010020L,
0x08000400L, 0x00010420L, 0x08010000L, 0x00010000L, 0x00000020L,
0x08000020L, 0x00010400L, 0x08000420L, 0x08010020L, 0x08010400L,
@@ -246,7 +246,7 @@
0x00000000L, 0x08010420L, 0x08010020L, 0x08010400L, 0x00000420L,
0x00010000L, 0x00010400L, 0x08010020L, 0x08000400L, 0x00000420L,
0x00000020L, 0x00010420L, 0x08010000L, 0x08000020L, },
- {/* nibble 5 */
+ { // nibble 5
0x80000040L, 0x00200040L, 0x00000000L, 0x80202000L, 0x00200040L,
0x00002000L, 0x80002040L, 0x00200000L, 0x00002040L, 0x80202040L,
0x00202000L, 0x80000000L, 0x80002000L, 0x80000040L, 0x80200000L,
@@ -260,7 +260,7 @@
0x00200000L, 0x80002040L, 0x80000040L, 0x80200000L, 0x00202040L,
0x00000000L, 0x00002000L, 0x80000040L, 0x80002040L, 0x80202000L,
0x80200000L, 0x00002040L, 0x00000040L, 0x80200040L, },
- {/* nibble 6 */
+ { // nibble 6
0x00004000L, 0x00000200L, 0x01000200L, 0x01000004L, 0x01004204L,
0x00004004L, 0x00004200L, 0x00000000L, 0x01000000L, 0x01000204L,
0x00000204L, 0x01004000L, 0x00000004L, 0x01004200L, 0x01004000L,
@@ -274,7 +274,7 @@
0x01000200L, 0x00004200L, 0x00000204L, 0x00004000L, 0x01004204L,
0x01000000L, 0x01004200L, 0x00000004L, 0x00004004L, 0x01004204L,
0x01000004L, 0x01004200L, 0x01004000L, 0x00004004L, },
- {/* nibble 7 */
+ { // nibble 7
0x20800080L, 0x20820000L, 0x00020080L, 0x00000000L, 0x20020000L,
0x00800080L, 0x20800000L, 0x20820080L, 0x00000080L, 0x20000000L,
0x00820000L, 0x00020080L, 0x00820080L, 0x20020080L, 0x20000080L,
@@ -305,9 +305,9 @@
c2l(in, c);
c2l(in, d);
- /* do PC1 in 47 simple operations :-)
- * Thanks to John Fletcher (john_fletcher@lccmail.ocf.llnl.gov)
- * for the inspiration. :-) */
+ // do PC1 in 47 simple operations :-)
+ // Thanks to John Fletcher (john_fletcher@lccmail.ocf.llnl.gov)
+ // for the inspiration. :-)
PERM_OP(d, c, t, 4, 0x0f0f0f0fL);
HPERM_OP(c, t, -2, 0xcccc0000L);
HPERM_OP(d, t, -2, 0xcccc0000L);
@@ -328,8 +328,8 @@
}
c &= 0x0fffffffL;
d &= 0x0fffffffL;
- /* could be a few less shifts but I am to lazy at this
- * point in time to investigate */
+ // could be a few less shifts but I am to lazy at this
+ // point in time to investigate
s = des_skb[0][(c) & 0x3f] |
des_skb[1][((c >> 6L) & 0x03) | ((c >> 7L) & 0x3c)] |
des_skb[2][((c >> 13L) & 0x0f) | ((c >> 14L) & 0x30)] |
@@ -340,7 +340,7 @@
des_skb[6][(d >> 15L) & 0x3f] |
des_skb[7][((d >> 21L) & 0x0f) | ((d >> 22L) & 0x30)];
- /* table contained 0213 4657 */
+ // table contained 0213 4657
t2 = ((t << 16L) | (s & 0x0000ffffL)) & 0xffffffffL;
schedule->subkeys[i][0] = ROTATE(t2, 30) & 0xffffffffL;
@@ -385,18 +385,18 @@
l = data[1];
IP(r, l);
- /* Things have been modified so that the initial rotate is done outside
- * the loop. This required the DES_SPtrans values in sp.h to be
- * rotated 1 bit to the right. One perl script later and things have a
- * 5% speed up on a sparc2. Thanks to Richard Outerbridge
- * <71755.204@CompuServe.COM> for pointing this out. */
- /* clear the top bits on machines with 8byte longs */
- /* shift left by 2 */
+ // Things have been modified so that the initial rotate is done outside
+ // the loop. This required the DES_SPtrans values in sp.h to be
+ // rotated 1 bit to the right. One perl script later and things have a
+ // 5% speed up on a sparc2. Thanks to Richard Outerbridge
+ // <71755.204@CompuServe.COM> for pointing this out.
+ // clear the top bits on machines with 8byte longs
+ // shift left by 2
r = ROTATE(r, 29) & 0xffffffffL;
l = ROTATE(l, 29) & 0xffffffffL;
- /* I don't know if it is worth the effort of loop unrolling the
- * inner loop */
+ // I don't know if it is worth the effort of loop unrolling the
+ // inner loop
if (enc) {
D_ENCRYPT(ks, l, r, 0);
D_ENCRYPT(ks, r, l, 1);
@@ -433,7 +433,7 @@
D_ENCRYPT(ks, r, l, 0);
}
- /* rotate and clear the top bits on machines with 8byte longs */
+ // rotate and clear the top bits on machines with 8byte longs
l = ROTATE(l, 3) & 0xffffffffL;
r = ROTATE(r, 3) & 0xffffffffL;
@@ -448,17 +448,17 @@
r = data[0];
l = data[1];
- /* Things have been modified so that the initial rotate is done outside the
- * loop. This required the DES_SPtrans values in sp.h to be rotated 1 bit to
- * the right. One perl script later and things have a 5% speed up on a
- * sparc2. Thanks to Richard Outerbridge <71755.204@CompuServe.COM> for
- * pointing this out. */
- /* clear the top bits on machines with 8byte longs */
+ // Things have been modified so that the initial rotate is done outside the
+ // loop. This required the DES_SPtrans values in sp.h to be rotated 1 bit to
+ // the right. One perl script later and things have a 5% speed up on a
+ // sparc2. Thanks to Richard Outerbridge <71755.204@CompuServe.COM> for
+ // pointing this out.
+ // clear the top bits on machines with 8byte longs
r = ROTATE(r, 29) & 0xffffffffL;
l = ROTATE(l, 29) & 0xffffffffL;
- /* I don't know if it is worth the effort of loop unrolling the
- * inner loop */
+ // I don't know if it is worth the effort of loop unrolling the
+ // inner loop
if (enc) {
D_ENCRYPT(ks, l, r, 0);
D_ENCRYPT(ks, r, l, 1);
@@ -494,7 +494,7 @@
D_ENCRYPT(ks, l, r, 1);
D_ENCRYPT(ks, r, l, 0);
}
- /* rotate and clear the top bits on machines with 8byte longs */
+ // rotate and clear the top bits on machines with 8byte longs
data[0] = ROTATE(l, 3) & 0xffffffffL;
data[1] = ROTATE(r, 3) & 0xffffffffL;
}
@@ -764,7 +764,7 @@
}
-/* Deprecated functions. */
+// Deprecated functions.
void DES_set_key_unchecked(const DES_cblock *key, DES_key_schedule *schedule) {
DES_set_key(key, schedule);
diff --git a/crypto/fipsmodule/des/internal.h b/crypto/fipsmodule/des/internal.h
index 21eb933..7bfc45b 100644
--- a/crypto/fipsmodule/des/internal.h
+++ b/crypto/fipsmodule/des/internal.h
@@ -80,7 +80,7 @@
*((c)++) = (unsigned char)(((l) >> 24L) & 0xff); \
} while (0)
-/* NOTE - c is not incremented as per c2l */
+// NOTE - c is not incremented as per c2l
#define c2ln(c, l1, l2, n) \
do { \
(c) += (n); \
@@ -105,7 +105,7 @@
} \
} while (0)
-/* NOTE - c is not incremented as per l2c */
+// NOTE - c is not incremented as per l2c
#define l2cn(l1, l2, c, n) \
do { \
(c) += (n); \
@@ -218,7 +218,7 @@
#if defined(__cplusplus)
-} /* extern C */
+} // extern C
#endif
-#endif /* OPENSSL_HEADER_DES_INTERNAL_H */
+#endif // OPENSSL_HEADER_DES_INTERNAL_H
diff --git a/crypto/fipsmodule/digest/digest.c b/crypto/fipsmodule/digest/digest.c
index 00e6d4b..f8a0dd2 100644
--- a/crypto/fipsmodule/digest/digest.c
+++ b/crypto/fipsmodule/digest/digest.c
@@ -123,9 +123,9 @@
}
if (out->digest == in->digest) {
- /* |md_data| will be the correct size in this case so it's removed from
- * |out| at this point so that |EVP_MD_CTX_cleanup| doesn't free it and
- * then it's reused. */
+ // |md_data| will be the correct size in this case so it's removed from
+ // |out| at this point so that |EVP_MD_CTX_cleanup| doesn't free it and
+ // then it's reused.
tmp_buf = out->md_data;
out->md_data = NULL;
}
diff --git a/crypto/fipsmodule/digest/internal.h b/crypto/fipsmodule/digest/internal.h
index e3d812a..2d06ed0 100644
--- a/crypto/fipsmodule/digest/internal.h
+++ b/crypto/fipsmodule/digest/internal.h
@@ -65,48 +65,48 @@
struct env_md_st {
- /* type contains a NID identifing the digest function. (For example,
- * NID_md5.) */
+ // type contains a NID identifing the digest function. (For example,
+ // NID_md5.)
int type;
- /* md_size contains the size, in bytes, of the resulting digest. */
+ // md_size contains the size, in bytes, of the resulting digest.
unsigned md_size;
- /* flags contains the OR of |EVP_MD_FLAG_*| values. */
+ // flags contains the OR of |EVP_MD_FLAG_*| values.
uint32_t flags;
- /* init initialises the state in |ctx->md_data|. */
+ // init initialises the state in |ctx->md_data|.
void (*init)(EVP_MD_CTX *ctx);
- /* update hashes |len| bytes of |data| into the state in |ctx->md_data|. */
+ // update hashes |len| bytes of |data| into the state in |ctx->md_data|.
void (*update)(EVP_MD_CTX *ctx, const void *data, size_t count);
- /* final completes the hash and writes |md_size| bytes of digest to |out|. */
+ // final completes the hash and writes |md_size| bytes of digest to |out|.
void (*final)(EVP_MD_CTX *ctx, uint8_t *out);
- /* block_size contains the hash's native block size. */
+ // block_size contains the hash's native block size.
unsigned block_size;
- /* ctx_size contains the size, in bytes, of the state of the hash function. */
+ // ctx_size contains the size, in bytes, of the state of the hash function.
unsigned ctx_size;
};
-/* evp_md_pctx_ops contains function pointers to allow the |pctx| member of
- * |EVP_MD_CTX| to be manipulated without breaking layering by calling EVP
- * functions. */
+// evp_md_pctx_ops contains function pointers to allow the |pctx| member of
+// |EVP_MD_CTX| to be manipulated without breaking layering by calling EVP
+// functions.
struct evp_md_pctx_ops {
- /* free is called when an |EVP_MD_CTX| is being freed and the |pctx| also
- * needs to be freed. */
+ // free is called when an |EVP_MD_CTX| is being freed and the |pctx| also
+ // needs to be freed.
void (*free) (EVP_PKEY_CTX *pctx);
- /* dup is called when an |EVP_MD_CTX| is copied and so the |pctx| also needs
- * to be copied. */
+ // dup is called when an |EVP_MD_CTX| is copied and so the |pctx| also needs
+ // to be copied.
EVP_PKEY_CTX* (*dup) (EVP_PKEY_CTX *pctx);
};
#if defined(__cplusplus)
-} /* extern C */
+} // extern C
#endif
-#endif /* OPENSSL_HEADER_DIGEST_INTERNAL */
+#endif // OPENSSL_HEADER_DIGEST_INTERNAL
diff --git a/crypto/fipsmodule/digest/md32_common.h b/crypto/fipsmodule/digest/md32_common.h
index 7371629..a0c3665 100644
--- a/crypto/fipsmodule/digest/md32_common.h
+++ b/crypto/fipsmodule/digest/md32_common.h
@@ -57,56 +57,55 @@
#endif
-/* This is a generic 32-bit "collector" for message digest algorithms. It
- * collects input character stream into chunks of 32-bit values and invokes the
- * block function that performs the actual hash calculations. To make use of
- * this mechanism, the following macros must be defined before including
- * md32_common.h.
- *
- * One of |DATA_ORDER_IS_BIG_ENDIAN| or |DATA_ORDER_IS_LITTLE_ENDIAN| must be
- * defined to specify the byte order of the input stream.
- *
- * |HASH_CBLOCK| must be defined as the integer block size, in bytes.
- *
- * |HASH_CTX| must be defined as the name of the context structure, which must
- * have at least the following members:
- *
- * typedef struct <name>_state_st {
- * uint32_t h[<chaining length> / sizeof(uint32_t)];
- * uint32_t Nl, Nh;
- * uint8_t data[HASH_CBLOCK];
- * unsigned num;
- * ...
- * } <NAME>_CTX;
- *
- * <chaining length> is the output length of the hash in bytes, before
- * any truncation (e.g. 64 for SHA-224 and SHA-256, 128 for SHA-384 and
- * SHA-512).
- *
- * |HASH_UPDATE| must be defined as the name of the "Update" function to
- * generate.
- *
- * |HASH_TRANSFORM| must be defined as the the name of the "Transform"
- * function to generate.
- *
- * |HASH_FINAL| must be defined as the name of "Final" function to generate.
- *
- * |HASH_BLOCK_DATA_ORDER| must be defined as the name of the "Block" function.
- * That function must be implemented manually. It must be capable of operating
- * on *unaligned* input data in its original (data) byte order. It must have
- * this signature:
- *
- * void HASH_BLOCK_DATA_ORDER(uint32_t *state, const uint8_t *data,
- * size_t num);
- *
- * It must update the hash state |state| with |num| blocks of data from |data|,
- * where each block is |HASH_CBLOCK| bytes; i.e. |data| points to a array of
- * |HASH_CBLOCK * num| bytes. |state| points to the |h| member of a |HASH_CTX|,
- * and so will have |<chaining length> / sizeof(uint32_t)| elements.
- *
- * |HASH_MAKE_STRING(c, s)| must be defined as a block statement that converts
- * the hash state |c->h| into the output byte order, storing the result in |s|.
- */
+// This is a generic 32-bit "collector" for message digest algorithms. It
+// collects input character stream into chunks of 32-bit values and invokes the
+// block function that performs the actual hash calculations. To make use of
+// this mechanism, the following macros must be defined before including
+// md32_common.h.
+//
+// One of |DATA_ORDER_IS_BIG_ENDIAN| or |DATA_ORDER_IS_LITTLE_ENDIAN| must be
+// defined to specify the byte order of the input stream.
+//
+// |HASH_CBLOCK| must be defined as the integer block size, in bytes.
+//
+// |HASH_CTX| must be defined as the name of the context structure, which must
+// have at least the following members:
+//
+// typedef struct <name>_state_st {
+// uint32_t h[<chaining length> / sizeof(uint32_t)];
+// uint32_t Nl, Nh;
+// uint8_t data[HASH_CBLOCK];
+// unsigned num;
+// ...
+// } <NAME>_CTX;
+//
+// <chaining length> is the output length of the hash in bytes, before
+// any truncation (e.g. 64 for SHA-224 and SHA-256, 128 for SHA-384 and
+// SHA-512).
+//
+// |HASH_UPDATE| must be defined as the name of the "Update" function to
+// generate.
+//
+// |HASH_TRANSFORM| must be defined as the the name of the "Transform"
+// function to generate.
+//
+// |HASH_FINAL| must be defined as the name of "Final" function to generate.
+//
+// |HASH_BLOCK_DATA_ORDER| must be defined as the name of the "Block" function.
+// That function must be implemented manually. It must be capable of operating
+// on *unaligned* input data in its original (data) byte order. It must have
+// this signature:
+//
+// void HASH_BLOCK_DATA_ORDER(uint32_t *state, const uint8_t *data,
+// size_t num);
+//
+// It must update the hash state |state| with |num| blocks of data from |data|,
+// where each block is |HASH_CBLOCK| bytes; i.e. |data| points to a array of
+// |HASH_CBLOCK * num| bytes. |state| points to the |h| member of a |HASH_CTX|,
+// and so will have |<chaining length> / sizeof(uint32_t)| elements.
+//
+// |HASH_MAKE_STRING(c, s)| must be defined as a block statement that converts
+// the hash state |c->h| into the output byte order, storing the result in |s|.
#if !defined(DATA_ORDER_IS_BIG_ENDIAN) && !defined(DATA_ORDER_IS_LITTLE_ENDIAN)
#error "DATA_ORDER must be defined!"
@@ -173,7 +172,7 @@
*((c)++) = (uint8_t)(((l) >> 24) & 0xff); \
} while (0)
-#endif /* DATA_ORDER */
+#endif // DATA_ORDER
int HASH_UPDATE(HASH_CTX *c, const void *data_, size_t len) {
const uint8_t *data = data_;
@@ -184,7 +183,7 @@
uint32_t l = c->Nl + (((uint32_t)len) << 3);
if (l < c->Nl) {
- /* Handle carries. */
+ // Handle carries.
c->Nh++;
}
c->Nh += (uint32_t)(len >> 29);
@@ -199,7 +198,7 @@
data += n;
len -= n;
c->num = 0;
- /* Keep |c->data| zeroed when unused. */
+ // Keep |c->data| zeroed when unused.
OPENSSL_memset(c->data, 0, HASH_CBLOCK);
} else {
OPENSSL_memcpy(c->data + n, data, len);
@@ -230,14 +229,14 @@
int HASH_FINAL(uint8_t *md, HASH_CTX *c) {
- /* |c->data| always has room for at least one byte. A full block would have
- * been consumed. */
+ // |c->data| always has room for at least one byte. A full block would have
+ // been consumed.
size_t n = c->num;
assert(n < HASH_CBLOCK);
c->data[n] = 0x80;
n++;
- /* Fill the block with zeros if there isn't room for a 64-bit length. */
+ // Fill the block with zeros if there isn't room for a 64-bit length.
if (n > (HASH_CBLOCK - 8)) {
OPENSSL_memset(c->data + n, 0, HASH_CBLOCK - n);
n = 0;
@@ -245,7 +244,7 @@
}
OPENSSL_memset(c->data + n, 0, HASH_CBLOCK - 8 - n);
- /* Append a 64-bit length to the block and process it. */
+ // Append a 64-bit length to the block and process it.
uint8_t *p = c->data + HASH_CBLOCK - 8;
#if defined(DATA_ORDER_IS_BIG_ENDIAN)
HOST_l2c(c->Nh, p);
@@ -265,5 +264,5 @@
#if defined(__cplusplus)
-} /* extern C */
+} // extern C
#endif
diff --git a/crypto/fipsmodule/ec/ec.c b/crypto/fipsmodule/ec/ec.c
index 55f388d..d82e58f 100644
--- a/crypto/fipsmodule/ec/ec.c
+++ b/crypto/fipsmodule/ec/ec.c
@@ -81,86 +81,86 @@
static const uint8_t kP224Params[6 * 28] = {
- /* p */
+ // p
0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
0xFF, 0xFF, 0xFF, 0xFF, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x01,
- /* a */
+ // a
0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
0xFF, 0xFF, 0xFF, 0xFE, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
0xFF, 0xFF, 0xFF, 0xFE,
- /* b */
+ // b
0xB4, 0x05, 0x0A, 0x85, 0x0C, 0x04, 0xB3, 0xAB, 0xF5, 0x41, 0x32, 0x56,
0x50, 0x44, 0xB0, 0xB7, 0xD7, 0xBF, 0xD8, 0xBA, 0x27, 0x0B, 0x39, 0x43,
0x23, 0x55, 0xFF, 0xB4,
- /* x */
+ // x
0xB7, 0x0E, 0x0C, 0xBD, 0x6B, 0xB4, 0xBF, 0x7F, 0x32, 0x13, 0x90, 0xB9,
0x4A, 0x03, 0xC1, 0xD3, 0x56, 0xC2, 0x11, 0x22, 0x34, 0x32, 0x80, 0xD6,
0x11, 0x5C, 0x1D, 0x21,
- /* y */
+ // y
0xbd, 0x37, 0x63, 0x88, 0xb5, 0xf7, 0x23, 0xfb, 0x4c, 0x22, 0xdf, 0xe6,
0xcd, 0x43, 0x75, 0xa0, 0x5a, 0x07, 0x47, 0x64, 0x44, 0xd5, 0x81, 0x99,
0x85, 0x00, 0x7e, 0x34,
- /* order */
+ // order
0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
0xFF, 0xFF, 0x16, 0xA2, 0xE0, 0xB8, 0xF0, 0x3E, 0x13, 0xDD, 0x29, 0x45,
0x5C, 0x5C, 0x2A, 0x3D,
};
static const uint8_t kP256Params[6 * 32] = {
- /* p */
+ // p
0xFF, 0xFF, 0xFF, 0xFF, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xFF, 0xFF, 0xFF, 0xFF,
0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
- /* a */
+ // a
0xFF, 0xFF, 0xFF, 0xFF, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xFF, 0xFF, 0xFF, 0xFF,
0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFC,
- /* b */
+ // b
0x5A, 0xC6, 0x35, 0xD8, 0xAA, 0x3A, 0x93, 0xE7, 0xB3, 0xEB, 0xBD, 0x55,
0x76, 0x98, 0x86, 0xBC, 0x65, 0x1D, 0x06, 0xB0, 0xCC, 0x53, 0xB0, 0xF6,
0x3B, 0xCE, 0x3C, 0x3E, 0x27, 0xD2, 0x60, 0x4B,
- /* x */
+ // x
0x6B, 0x17, 0xD1, 0xF2, 0xE1, 0x2C, 0x42, 0x47, 0xF8, 0xBC, 0xE6, 0xE5,
0x63, 0xA4, 0x40, 0xF2, 0x77, 0x03, 0x7D, 0x81, 0x2D, 0xEB, 0x33, 0xA0,
0xF4, 0xA1, 0x39, 0x45, 0xD8, 0x98, 0xC2, 0x96,
- /* y */
+ // y
0x4f, 0xe3, 0x42, 0xe2, 0xfe, 0x1a, 0x7f, 0x9b, 0x8e, 0xe7, 0xeb, 0x4a,
0x7c, 0x0f, 0x9e, 0x16, 0x2b, 0xce, 0x33, 0x57, 0x6b, 0x31, 0x5e, 0xce,
0xcb, 0xb6, 0x40, 0x68, 0x37, 0xbf, 0x51, 0xf5,
- /* order */
+ // order
0xFF, 0xFF, 0xFF, 0xFF, 0x00, 0x00, 0x00, 0x00, 0xFF, 0xFF, 0xFF, 0xFF,
0xFF, 0xFF, 0xFF, 0xFF, 0xBC, 0xE6, 0xFA, 0xAD, 0xA7, 0x17, 0x9E, 0x84,
0xF3, 0xB9, 0xCA, 0xC2, 0xFC, 0x63, 0x25, 0x51,
};
static const uint8_t kP384Params[6 * 48] = {
- /* p */
+ // p
0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFE, 0xFF, 0xFF, 0xFF, 0xFF,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xFF, 0xFF, 0xFF, 0xFF,
- /* a */
+ // a
0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFE, 0xFF, 0xFF, 0xFF, 0xFF,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xFF, 0xFF, 0xFF, 0xFC,
- /* b */
+ // b
0xB3, 0x31, 0x2F, 0xA7, 0xE2, 0x3E, 0xE7, 0xE4, 0x98, 0x8E, 0x05, 0x6B,
0xE3, 0xF8, 0x2D, 0x19, 0x18, 0x1D, 0x9C, 0x6E, 0xFE, 0x81, 0x41, 0x12,
0x03, 0x14, 0x08, 0x8F, 0x50, 0x13, 0x87, 0x5A, 0xC6, 0x56, 0x39, 0x8D,
0x8A, 0x2E, 0xD1, 0x9D, 0x2A, 0x85, 0xC8, 0xED, 0xD3, 0xEC, 0x2A, 0xEF,
- /* x */
+ // x
0xAA, 0x87, 0xCA, 0x22, 0xBE, 0x8B, 0x05, 0x37, 0x8E, 0xB1, 0xC7, 0x1E,
0xF3, 0x20, 0xAD, 0x74, 0x6E, 0x1D, 0x3B, 0x62, 0x8B, 0xA7, 0x9B, 0x98,
0x59, 0xF7, 0x41, 0xE0, 0x82, 0x54, 0x2A, 0x38, 0x55, 0x02, 0xF2, 0x5D,
0xBF, 0x55, 0x29, 0x6C, 0x3A, 0x54, 0x5E, 0x38, 0x72, 0x76, 0x0A, 0xB7,
- /* y */
+ // y
0x36, 0x17, 0xde, 0x4a, 0x96, 0x26, 0x2c, 0x6f, 0x5d, 0x9e, 0x98, 0xbf,
0x92, 0x92, 0xdc, 0x29, 0xf8, 0xf4, 0x1d, 0xbd, 0x28, 0x9a, 0x14, 0x7c,
0xe9, 0xda, 0x31, 0x13, 0xb5, 0xf0, 0xb8, 0xc0, 0x0a, 0x60, 0xb1, 0xce,
0x1d, 0x7e, 0x81, 0x9d, 0x7a, 0x43, 0x1d, 0x7c, 0x90, 0xea, 0x0e, 0x5f,
- /* order */
+ // order
0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
0xC7, 0x63, 0x4D, 0x81, 0xF4, 0x37, 0x2D, 0xDF, 0x58, 0x1A, 0x0D, 0xB2,
@@ -168,42 +168,42 @@
};
static const uint8_t kP521Params[6 * 66] = {
- /* p */
+ // p
0x01, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
- /* a */
+ // a
0x01, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFC,
- /* b */
+ // b
0x00, 0x51, 0x95, 0x3E, 0xB9, 0x61, 0x8E, 0x1C, 0x9A, 0x1F, 0x92, 0x9A,
0x21, 0xA0, 0xB6, 0x85, 0x40, 0xEE, 0xA2, 0xDA, 0x72, 0x5B, 0x99, 0xB3,
0x15, 0xF3, 0xB8, 0xB4, 0x89, 0x91, 0x8E, 0xF1, 0x09, 0xE1, 0x56, 0x19,
0x39, 0x51, 0xEC, 0x7E, 0x93, 0x7B, 0x16, 0x52, 0xC0, 0xBD, 0x3B, 0xB1,
0xBF, 0x07, 0x35, 0x73, 0xDF, 0x88, 0x3D, 0x2C, 0x34, 0xF1, 0xEF, 0x45,
0x1F, 0xD4, 0x6B, 0x50, 0x3F, 0x00,
- /* x */
+ // x
0x00, 0xC6, 0x85, 0x8E, 0x06, 0xB7, 0x04, 0x04, 0xE9, 0xCD, 0x9E, 0x3E,
0xCB, 0x66, 0x23, 0x95, 0xB4, 0x42, 0x9C, 0x64, 0x81, 0x39, 0x05, 0x3F,
0xB5, 0x21, 0xF8, 0x28, 0xAF, 0x60, 0x6B, 0x4D, 0x3D, 0xBA, 0xA1, 0x4B,
0x5E, 0x77, 0xEF, 0xE7, 0x59, 0x28, 0xFE, 0x1D, 0xC1, 0x27, 0xA2, 0xFF,
0xA8, 0xDE, 0x33, 0x48, 0xB3, 0xC1, 0x85, 0x6A, 0x42, 0x9B, 0xF9, 0x7E,
0x7E, 0x31, 0xC2, 0xE5, 0xBD, 0x66,
- /* y */
+ // y
0x01, 0x18, 0x39, 0x29, 0x6a, 0x78, 0x9a, 0x3b, 0xc0, 0x04, 0x5c, 0x8a,
0x5f, 0xb4, 0x2c, 0x7d, 0x1b, 0xd9, 0x98, 0xf5, 0x44, 0x49, 0x57, 0x9b,
0x44, 0x68, 0x17, 0xaf, 0xbd, 0x17, 0x27, 0x3e, 0x66, 0x2c, 0x97, 0xee,
0x72, 0x99, 0x5e, 0xf4, 0x26, 0x40, 0xc5, 0x50, 0xb9, 0x01, 0x3f, 0xad,
0x07, 0x61, 0x35, 0x3c, 0x70, 0x86, 0xa2, 0x72, 0xc2, 0x40, 0x88, 0xbe,
0x94, 0x76, 0x9f, 0xd1, 0x66, 0x50,
- /* order */
+ // order
0x01, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFA, 0x51, 0x86,
@@ -212,15 +212,15 @@
0xB7, 0x1E, 0x91, 0x38, 0x64, 0x09,
};
-/* MSan appears to have a bug that causes code to be miscompiled in opt mode.
- * While that is being looked at, don't run the uint128_t code under MSan. */
+// MSan appears to have a bug that causes code to be miscompiled in opt mode.
+// While that is being looked at, don't run the uint128_t code under MSan.
#if defined(OPENSSL_64_BIT) && !defined(OPENSSL_WINDOWS) && \
!defined(MEMORY_SANITIZER)
#define BORINGSSL_USE_INT128_CODE
#endif
DEFINE_METHOD_FUNCTION(struct built_in_curves, OPENSSL_built_in_curves) {
- /* 1.3.132.0.35 */
+ // 1.3.132.0.35
static const uint8_t kOIDP521[] = {0x2b, 0x81, 0x04, 0x00, 0x23};
out->curves[0].nid = NID_secp521r1;
out->curves[0].oid = kOIDP521;
@@ -230,7 +230,7 @@
out->curves[0].params = kP521Params;
out->curves[0].method = EC_GFp_mont_method();
- /* 1.3.132.0.34 */
+ // 1.3.132.0.34
static const uint8_t kOIDP384[] = {0x2b, 0x81, 0x04, 0x00, 0x22};
out->curves[1].nid = NID_secp384r1;
out->curves[1].oid = kOIDP384;
@@ -240,7 +240,7 @@
out->curves[1].params = kP384Params;
out->curves[1].method = EC_GFp_mont_method();
- /* 1.2.840.10045.3.1.7 */
+ // 1.2.840.10045.3.1.7
static const uint8_t kOIDP256[] = {0x2a, 0x86, 0x48, 0xce,
0x3d, 0x03, 0x01, 0x07};
out->curves[2].nid = NID_X9_62_prime256v1;
@@ -261,7 +261,7 @@
EC_GFp_mont_method();
#endif
- /* 1.3.132.0.33 */
+ // 1.3.132.0.33
static const uint8_t kOIDP224[] = {0x2b, 0x81, 0x04, 0x00, 0x21};
out->curves[3].nid = NID_secp224r1;
out->curves[3].oid = kOIDP224;
@@ -277,9 +277,9 @@
#endif
}
-/* built_in_curve_scalar_field_monts contains Montgomery contexts for
- * performing inversions in the scalar fields of each of the built-in
- * curves. It's protected by |built_in_curve_scalar_field_monts_once|. */
+// built_in_curve_scalar_field_monts contains Montgomery contexts for
+// performing inversions in the scalar fields of each of the built-in
+// curves. It's protected by |built_in_curve_scalar_field_monts_once|.
DEFINE_LOCAL_DATA(BN_MONT_CTX **, built_in_curve_scalar_field_monts) {
const struct built_in_curves *const curves = OPENSSL_built_in_curves();
@@ -386,12 +386,12 @@
int EC_GROUP_set_generator(EC_GROUP *group, const EC_POINT *generator,
const BIGNUM *order, const BIGNUM *cofactor) {
if (group->curve_name != NID_undef || group->generator != NULL) {
- /* |EC_GROUP_set_generator| may only be used with |EC_GROUP|s returned by
- * |EC_GROUP_new_curve_GFp| and may only used once on each group. */
+ // |EC_GROUP_set_generator| may only be used with |EC_GROUP|s returned by
+ // |EC_GROUP_new_curve_GFp| and may only used once on each group.
return 0;
}
- /* Require a cofactor of one for custom curves, which implies prime order. */
+ // Require a cofactor of one for custom curves, which implies prime order.
if (!BN_is_one(cofactor)) {
OPENSSL_PUT_ERROR(EC, EC_R_INVALID_COFACTOR);
return 0;
@@ -579,7 +579,7 @@
int EC_GROUP_get_cofactor(const EC_GROUP *group, BIGNUM *cofactor,
BN_CTX *ctx) {
- /* All |EC_GROUP|s have cofactor 1. */
+ // All |EC_GROUP|s have cofactor 1.
return BN_set_word(cofactor, 1);
}
@@ -782,9 +782,9 @@
int EC_POINT_mul(const EC_GROUP *group, EC_POINT *r, const BIGNUM *g_scalar,
const EC_POINT *p, const BIGNUM *p_scalar, BN_CTX *ctx) {
- /* Previously, this function set |r| to the point at infinity if there was
- * nothing to multiply. But, nobody should be calling this function with
- * nothing to multiply in the first place. */
+ // Previously, this function set |r| to the point at infinity if there was
+ // nothing to multiply. But, nobody should be calling this function with
+ // nothing to multiply in the first place.
if ((g_scalar == NULL && p_scalar == NULL) ||
((p == NULL) != (p_scalar == NULL))) {
OPENSSL_PUT_ERROR(EC, ERR_R_PASSED_NULL_PARAMETER);
diff --git a/crypto/fipsmodule/ec/ec_key.c b/crypto/fipsmodule/ec/ec_key.c
index acabb06..e5e8b1a 100644
--- a/crypto/fipsmodule/ec/ec_key.c
+++ b/crypto/fipsmodule/ec/ec_key.c
@@ -165,9 +165,9 @@
OPENSSL_PUT_ERROR(EC, ERR_R_PASSED_NULL_PARAMETER);
return NULL;
}
- /* Copy the parameters. */
+ // Copy the parameters.
if (src->group) {
- /* TODO(fork): duplicating the group seems wasteful. */
+ // TODO(fork): duplicating the group seems wasteful.
EC_GROUP_free(dest->group);
dest->group = EC_GROUP_dup(src->group);
if (dest->group == NULL) {
@@ -175,7 +175,7 @@
}
}
- /* Copy the public key. */
+ // Copy the public key.
if (src->pub_key && src->group) {
EC_POINT_free(dest->pub_key);
dest->pub_key = EC_POINT_dup(src->pub_key, src->group);
@@ -184,7 +184,7 @@
}
}
- /* copy the private key */
+ // copy the private key
if (src->priv_key) {
if (dest->priv_key == NULL) {
dest->priv_key = BN_new();
@@ -196,14 +196,14 @@
return NULL;
}
}
- /* copy method/extra data */
+ // copy method/extra data
if (src->ecdsa_meth) {
METHOD_unref(dest->ecdsa_meth);
dest->ecdsa_meth = src->ecdsa_meth;
METHOD_ref(dest->ecdsa_meth);
}
- /* copy the rest */
+ // copy the rest
dest->enc_flag = src->enc_flag;
dest->conv_form = src->conv_form;
@@ -235,13 +235,13 @@
int EC_KEY_set_group(EC_KEY *key, const EC_GROUP *group) {
EC_GROUP_free(key->group);
- /* TODO(fork): duplicating the group seems wasteful but see
- * |EC_KEY_set_conv_form|. */
+ // TODO(fork): duplicating the group seems wasteful but see
+ // |EC_KEY_set_conv_form|.
key->group = EC_GROUP_dup(group);
if (key->group == NULL) {
return 0;
}
- /* XXX: |BN_cmp| is not constant time. */
+ // XXX: |BN_cmp| is not constant time.
if (key->priv_key != NULL &&
BN_cmp(key->priv_key, EC_GROUP_get0_order(group)) >= 0) {
return 0;
@@ -254,7 +254,7 @@
}
int EC_KEY_set_private_key(EC_KEY *key, const BIGNUM *priv_key) {
- /* XXX: |BN_cmp| is not constant time. */
+ // XXX: |BN_cmp| is not constant time.
if (key->group != NULL &&
BN_cmp(priv_key, EC_GROUP_get0_order(key->group)) >= 0) {
OPENSSL_PUT_ERROR(EC, EC_R_WRONG_ORDER);
@@ -310,16 +310,15 @@
goto err;
}
- /* testing whether the pub_key is on the elliptic curve */
+ // testing whether the pub_key is on the elliptic curve
if (!EC_POINT_is_on_curve(eckey->group, eckey->pub_key, ctx)) {
OPENSSL_PUT_ERROR(EC, EC_R_POINT_IS_NOT_ON_CURVE);
goto err;
}
- /* in case the priv_key is present :
- * check if generator * priv_key == pub_key
- */
+ // in case the priv_key is present :
+ // check if generator * priv_key == pub_key
if (eckey->priv_key) {
- /* XXX: |BN_cmp| is not constant time. */
+ // XXX: |BN_cmp| is not constant time.
if (BN_cmp(eckey->priv_key, EC_GROUP_get0_order(eckey->group)) >= 0) {
OPENSSL_PUT_ERROR(EC, EC_R_WRONG_ORDER);
goto err;
@@ -345,7 +344,7 @@
int EC_KEY_check_fips(const EC_KEY *key) {
if (EC_KEY_is_opaque(key)) {
- /* Opaque keys can't be checked. */
+ // Opaque keys can't be checked.
OPENSSL_PUT_ERROR(EC, EC_R_PUBLIC_KEY_VALIDATION_FAILED);
return 0;
}
@@ -408,8 +407,8 @@
goto err;
}
- /* Check if retrieved coordinates match originals: if not values
- * are out of range. */
+ // Check if retrieved coordinates match originals: if not values
+ // are out of range.
if (BN_cmp(x, tx) || BN_cmp(y, ty)) {
OPENSSL_PUT_ERROR(EC, EC_R_COORDINATES_OUT_OF_RANGE);
goto err;
@@ -453,14 +452,14 @@
const BIGNUM *order = EC_GROUP_get0_order(eckey->group);
- /* Check that the size of the group order is FIPS compliant (FIPS 186-4
- * B.4.2). */
+ // Check that the size of the group order is FIPS compliant (FIPS 186-4
+ // B.4.2).
if (BN_num_bits(order) < 160) {
OPENSSL_PUT_ERROR(EC, EC_R_INVALID_GROUP_ORDER);
goto err;
}
- /* Generate the private key by testing candidates (FIPS 186-4 B.4.2). */
+ // Generate the private key by testing candidates (FIPS 186-4 B.4.2).
if (!BN_rand_range_ex(priv_key, 1, order)) {
goto err;
}
diff --git a/crypto/fipsmodule/ec/ec_montgomery.c b/crypto/fipsmodule/ec/ec_montgomery.c
index c2afe25..c5f240b 100644
--- a/crypto/fipsmodule/ec/ec_montgomery.c
+++ b/crypto/fipsmodule/ec/ec_montgomery.c
@@ -219,7 +219,7 @@
BN_CTX_start(ctx);
if (BN_cmp(&point->Z, &group->one) == 0) {
- /* |point| is already affine. */
+ // |point| is already affine.
if (x != NULL && !BN_from_montgomery(x, &point->X, group->mont, ctx)) {
goto err;
}
@@ -227,7 +227,7 @@
goto err;
}
} else {
- /* transform (X, Y, Z) into (x, y) := (X/Z^2, Y/Z^3) */
+ // transform (X, Y, Z) into (x, y) := (X/Z^2, Y/Z^3)
BIGNUM *Z_1 = BN_CTX_get(ctx);
BIGNUM *Z_2 = BN_CTX_get(ctx);
@@ -238,18 +238,18 @@
goto err;
}
- /* The straightforward way to calculate the inverse of a Montgomery-encoded
- * value where the result is Montgomery-encoded is:
- *
- * |BN_from_montgomery| + invert + |BN_to_montgomery|.
- *
- * This is equivalent, but more efficient, because |BN_from_montgomery|
- * is more efficient (at least in theory) than |BN_to_montgomery|, since it
- * doesn't have to do the multiplication before the reduction.
- *
- * Use Fermat's Little Theorem instead of |BN_mod_inverse_odd| since this
- * inversion may be done as the final step of private key operations.
- * Unfortunately, this is suboptimal for ECDSA verification. */
+ // The straightforward way to calculate the inverse of a Montgomery-encoded
+ // value where the result is Montgomery-encoded is:
+ //
+ // |BN_from_montgomery| + invert + |BN_to_montgomery|.
+ //
+ // This is equivalent, but more efficient, because |BN_from_montgomery|
+ // is more efficient (at least in theory) than |BN_to_montgomery|, since it
+ // doesn't have to do the multiplication before the reduction.
+ //
+ // Use Fermat's Little Theorem instead of |BN_mod_inverse_odd| since this
+ // inversion may be done as the final step of private key operations.
+ // Unfortunately, this is suboptimal for ECDSA verification.
if (!BN_from_montgomery(Z_1, &point->Z, group->mont, ctx) ||
!BN_from_montgomery(Z_1, Z_1, group->mont, ctx) ||
!bn_mod_inverse_prime(Z_1, Z_1, &group->field, ctx, group->mont)) {
@@ -260,10 +260,10 @@
goto err;
}
- /* Instead of using |BN_from_montgomery| to convert the |x| coordinate
- * and then calling |BN_from_montgomery| again to convert the |y|
- * coordinate below, convert the common factor |Z_2| once now, saving one
- * reduction. */
+ // Instead of using |BN_from_montgomery| to convert the |x| coordinate
+ // and then calling |BN_from_montgomery| again to convert the |y|
+ // coordinate below, convert the common factor |Z_2| once now, saving one
+ // reduction.
if (!BN_from_montgomery(Z_2, Z_2, group->mont, ctx)) {
goto err;
}
diff --git a/crypto/fipsmodule/ec/internal.h b/crypto/fipsmodule/ec/internal.h
index 424fe53..39c9349 100644
--- a/crypto/fipsmodule/ec/internal.h
+++ b/crypto/fipsmodule/ec/internal.h
@@ -88,25 +88,25 @@
int (*point_get_affine_coordinates)(const EC_GROUP *, const EC_POINT *,
BIGNUM *x, BIGNUM *y, BN_CTX *);
- /* Computes |r = g_scalar*generator + p_scalar*p| if |g_scalar| and |p_scalar|
- * are both non-null. Computes |r = g_scalar*generator| if |p_scalar| is null.
- * Computes |r = p_scalar*p| if g_scalar is null. At least one of |g_scalar|
- * and |p_scalar| must be non-null, and |p| must be non-null if |p_scalar| is
- * non-null. */
+ // Computes |r = g_scalar*generator + p_scalar*p| if |g_scalar| and |p_scalar|
+ // are both non-null. Computes |r = g_scalar*generator| if |p_scalar| is null.
+ // Computes |r = p_scalar*p| if g_scalar is null. At least one of |g_scalar|
+ // and |p_scalar| must be non-null, and |p| must be non-null if |p_scalar| is
+ // non-null.
int (*mul)(const EC_GROUP *group, EC_POINT *r, const BIGNUM *g_scalar,
const EC_POINT *p, const BIGNUM *p_scalar, BN_CTX *ctx);
- /* 'field_mul' and 'field_sqr' can be used by 'add' and 'dbl' so that the
- * same implementations of point operations can be used with different
- * optimized implementations of expensive field operations: */
+ // 'field_mul' and 'field_sqr' can be used by 'add' and 'dbl' so that the
+ // same implementations of point operations can be used with different
+ // optimized implementations of expensive field operations:
int (*field_mul)(const EC_GROUP *, BIGNUM *r, const BIGNUM *a,
const BIGNUM *b, BN_CTX *);
int (*field_sqr)(const EC_GROUP *, BIGNUM *r, const BIGNUM *a, BN_CTX *);
int (*field_encode)(const EC_GROUP *, BIGNUM *r, const BIGNUM *a,
- BN_CTX *); /* e.g. to Montgomery */
+ BN_CTX *); // e.g. to Montgomery
int (*field_decode)(const EC_GROUP *, BIGNUM *r, const BIGNUM *a,
- BN_CTX *); /* e.g. from Montgomery */
+ BN_CTX *); // e.g. from Montgomery
} /* EC_METHOD */;
const EC_METHOD *EC_GFp_mont_method(void);
@@ -117,22 +117,22 @@
EC_POINT *generator;
BIGNUM order;
- int curve_name; /* optional NID for named curve */
+ int curve_name; // optional NID for named curve
- const BN_MONT_CTX *order_mont; /* data for ECDSA inverse */
+ const BN_MONT_CTX *order_mont; // data for ECDSA inverse
- /* The following members are handled by the method functions,
- * even if they appear generic */
+ // The following members are handled by the method functions,
+ // even if they appear generic
- BIGNUM field; /* For curves over GF(p), this is the modulus. */
+ BIGNUM field; // For curves over GF(p), this is the modulus.
- BIGNUM a, b; /* Curve coefficients. */
+ BIGNUM a, b; // Curve coefficients.
- int a_is_minus3; /* enable optimized point arithmetics for special case */
+ int a_is_minus3; // enable optimized point arithmetics for special case
- BN_MONT_CTX *mont; /* Montgomery structure. */
+ BN_MONT_CTX *mont; // Montgomery structure.
- BIGNUM one; /* The value one. */
+ BIGNUM one; // The value one.
} /* EC_GROUP */;
struct ec_point_st {
@@ -140,22 +140,22 @@
BIGNUM X;
BIGNUM Y;
- BIGNUM Z; /* Jacobian projective coordinates:
- * (X, Y, Z) represents (X/Z^2, Y/Z^3) if Z != 0 */
+ BIGNUM Z; // Jacobian projective coordinates:
+ // (X, Y, Z) represents (X/Z^2, Y/Z^3) if Z != 0
} /* EC_POINT */;
EC_GROUP *ec_group_new(const EC_METHOD *meth);
int ec_group_copy(EC_GROUP *dest, const EC_GROUP *src);
-/* ec_group_get_order_mont returns a Montgomery context for operations modulo
- * |group|'s order. It may return NULL in the case that |group| is not a
- * built-in group. */
+// ec_group_get_order_mont returns a Montgomery context for operations modulo
+// |group|'s order. It may return NULL in the case that |group| is not a
+// built-in group.
const BN_MONT_CTX *ec_group_get_order_mont(const EC_GROUP *group);
int ec_wNAF_mul(const EC_GROUP *group, EC_POINT *r, const BIGNUM *g_scalar,
const EC_POINT *p, const BIGNUM *p_scalar, BN_CTX *ctx);
-/* method functions in simple.c */
+// method functions in simple.c
int ec_GFp_simple_group_init(EC_GROUP *);
void ec_GFp_simple_group_finish(EC_GROUP *);
int ec_GFp_simple_group_copy(EC_GROUP *, const EC_GROUP *);
@@ -200,7 +200,7 @@
int ec_GFp_simple_field_sqr(const EC_GROUP *, BIGNUM *r, const BIGNUM *a,
BN_CTX *);
-/* method functions in montgomery.c */
+// method functions in montgomery.c
int ec_GFp_mont_group_init(EC_GROUP *);
int ec_GFp_mont_group_set_curve(EC_GROUP *, const BIGNUM *p, const BIGNUM *a,
const BIGNUM *b, BN_CTX *);
@@ -225,8 +225,8 @@
const EC_METHOD *EC_GFp_nistp224_method(void);
const EC_METHOD *EC_GFp_nistp256_method(void);
-/* EC_GFp_nistz256_method is a GFp method using montgomery multiplication, with
- * x86-64 optimized P256. See http://eprint.iacr.org/2013/816. */
+// EC_GFp_nistz256_method is a GFp method using montgomery multiplication, with
+// x86-64 optimized P256. See http://eprint.iacr.org/2013/816.
const EC_METHOD *EC_GFp_nistz256_method(void);
struct ec_key_st {
@@ -235,8 +235,8 @@
EC_POINT *pub_key;
BIGNUM *priv_key;
- /* fixed_k may contain a specific value of 'k', to be used in ECDSA signing.
- * This is only for the FIPS power-on tests. */
+ // fixed_k may contain a specific value of 'k', to be used in ECDSA signing.
+ // This is only for the FIPS power-on tests.
BIGNUM *fixed_k;
