mark all block comments that need format preserving so that

indent will not alter them when reformatting comments (cherry picked from commit 1d97c8435171a7af575f73c526d79e1ef0ee5960) Conflicts: crypto/bn/bn_lcl.h crypto/bn/bn_prime.c crypto/engine/eng_all.c crypto/rc4/rc4_utl.c crypto/sha/sha.h ssl/kssl.c ssl/t1_lib.c Reviewed-by: Tim Hudson <tjh@openssl.org>
author: Tim Hudson <tjh@openssl.org> 2014-12-28 12:48:40 +1000
committer: Matt Caswell <matt@openssl.org> 2015-01-22 09:23:04 +0000
commit: 6977c7e2baf291278aee7632f1a68581b7c4d1f9 (patch)
tree: ae6c4def1c5f7f4a3c4cb9bb7e63ec0ebf27b7f7 /ssl
parent: 43257b9f51de749262258668c77c2f0f99d7a15b (diff)
18 files changed, 331 insertions, 267 deletions
diff --git a/ssl/d1_both.c b/ssl/d1_both.c
index a2a39baa60..ea42b8488b 100644
--- a/ssl/d1_both.c
+++ b/ssl/d1_both.c
@@ -574,7 +574,8 @@ static int dtls1_preprocess_fragment(SSL *s,struct hm_header_st *msg_hdr,int max
 static int
 dtls1_retrieve_buffered_fragment(SSL *s, long max, int *ok)
 	{
-	/* (0) check whether the desired fragment is available
+	/*-
+	 * (0) check whether the desired fragment is available
 	 * if so:
 	 * (1) copy over the fragment to s->init_buf->data[]
 	 * (2) update s->init_num
@@ -964,7 +965,8 @@ f_err:
 	return(-1);
 	}
 
-/* for these 2 messages, we need to
+/*-
+ * for these 2 messages, we need to
  * ssl->enc_read_ctx			re-init
  * ssl->s3->read_sequence		zero
  * ssl->s3->read_mac_secret		re-init
@@ -1165,7 +1167,7 @@ dtls1_retransmit_message(SSL *s, unsigned short seq, unsigned long frag_off,
 	struct dtls1_retransmit_state saved_state;
 	unsigned char save_write_sequence[8];
 
-	/*
+	/*-
 	  OPENSSL_assert(s->init_num == 0);
 	  OPENSSL_assert(s->init_off == 0);
 	 */
@@ -1491,7 +1493,8 @@ dtls1_heartbeat(SSL *s)
 	 */
 	OPENSSL_assert(payload + padding <= 16381);
 
-	/* Create HeartBeat message, we just use a sequence number
+	/*-
+	 * Create HeartBeat message, we just use a sequence number
 	 * as payload to distuingish different messages and add
 	 * some random stuff.
 	 *  - Message Type, 1 byte
diff --git a/ssl/d1_pkt.c b/ssl/d1_pkt.c
index 082b3fbf8b..78d7a4a201 100644
--- a/ssl/d1_pkt.c
+++ b/ssl/d1_pkt.c
@@ -525,7 +525,8 @@ printf("\n");
 		}
 
 	rr->off=0;
-	/* So at this point the following is true
+	/*-
+	 * So at this point the following is true
 	 * ssl->s3->rrec.type 	is the type of record
 	 * ssl->s3->rrec.length	== number of bytes in record
 	 * ssl->s3->rrec.off	== offset to first valid byte
@@ -544,7 +545,8 @@ err:
 }
 
 
-/* Call this to get a new input record.
+/*-
+ * Call this to get a new input record.
  * It will return <= 0 if more data is needed, normally due to an error
  * or non-blocking IO.
  * When it finishes, one packet has been decoded and can be found in
@@ -729,7 +731,8 @@ again:
 
 	}
 
-/* Return up to 'len' payload bytes received in 'type' records.
+/*-
+ * Return up to 'len' payload bytes received in 'type' records.
  * 'type' is one of the following:
  *
  *   -  SSL3_RT_HANDSHAKE (when ssl3_get_message calls us)
@@ -807,10 +810,12 @@ int dtls1_read_bytes(SSL *s, int type, unsigned char *buf, int len, int peek)
 start:
 	s->rwstate=SSL_NOTHING;
 
-	/* s->s3->rrec.type	    - is the type of record
+	/*-
+	 * s->s3->rrec.type	    - is the type of record
 	 * s->s3->rrec.data,    - data
 	 * s->s3->rrec.off,     - offset into 'data' for next read
-	 * s->s3->rrec.length,  - number of bytes. */
+	 * s->s3->rrec.length,  - number of bytes. 
+	 */
 	rr = &(s->s3->rrec);
 
 	/* We are not handshaking and have no data yet,
diff --git a/ssl/heartbeat_test.c b/ssl/heartbeat_test.c
index a98372f959..6c66ce5f5b 100644
--- a/ssl/heartbeat_test.c
+++ b/ssl/heartbeat_test.c
@@ -1,5 +1,5 @@
 /* test/heartbeat_test.c */
-/*
+/*-
  * Unit test for TLS heartbeats.
  *
  * Acts as a regression test against the Heartbleed bug (CVE-2014-0160).
diff --git a/ssl/kssl.c b/ssl/kssl.c
index 950a0c56f1..fbb20e1871 100644
--- a/ssl/kssl.c
+++ b/ssl/kssl.c
@@ -56,15 +56,16 @@
  */
 
 
-/*  ssl/kssl.c  --  Routines to support (& debug) Kerberos5 auth for openssl
-**
-**  19990701	VRS 	Started.
-**  200011??	Jeffrey Altman, Richard Levitte
-**          		Generalized for Heimdal, Newer MIT, & Win32.
-**          		Integrated into main OpenSSL 0.9.7 snapshots.
-**  20010413	Simon Wilkinson, VRS
-**          		Real RFC2712 KerberosWrapper replaces AP_REQ.
-*/
+/*-
+ * ssl/kssl.c  --  Routines to support (& debug) Kerberos5 auth for openssl
+ *
+ *  19990701	VRS 	Started.
+ *  200011??	Jeffrey Altman, Richard Levitte
+ *          		Generalized for Heimdal, Newer MIT, & Win32.
+ *          		Integrated into main OpenSSL 0.9.7 snapshots.
+ *  20010413	Simon Wilkinson, VRS
+ *          		Real RFC2712 KerberosWrapper replaces AP_REQ.
+ */
 
 #include <openssl/opensslconf.h>
 
@@ -808,10 +809,10 @@ char
         }
 
 /*	Given KRB5 enctype (basically DES or 3DES),
-**	return closest match openssl EVP_ encryption algorithm.
-**	Return NULL for unknown or problematic (krb5_dk_encrypt) enctypes.
-**	Assume ENCTYPE_*_RAW (krb5_raw_encrypt) are OK.
-*/
+ *	return closest match openssl EVP_ encryption algorithm.
+ *	Return NULL for unknown or problematic (krb5_dk_encrypt) enctypes.
+ *	Assume ENCTYPE_*_RAW (krb5_raw_encrypt) are OK.
+ */
 const EVP_CIPHER *
 kssl_map_enc(krb5_enctype enctype)
         {
@@ -836,10 +837,10 @@ kssl_map_enc(krb5_enctype enctype)
 
 
 /*	Return true:1 if p "looks like" the start of the real authenticator
-**	described in kssl_skip_confound() below.  The ASN.1 pattern is
-**	"62 xx 30 yy" (APPLICATION-2, SEQUENCE), where xx-yy =~ 2, and
-**	xx and yy are possibly multi-byte length fields.
-*/
+ *	described in kssl_skip_confound() below.  The ASN.1 pattern is
+ *	"62 xx 30 yy" (APPLICATION-2, SEQUENCE), where xx-yy =~ 2, and
+ *	xx and yy are possibly multi-byte length fields.
+ */
 static int 	kssl_test_confound(unsigned char *p)
 	{
 	int 	len = 2;
@@ -866,15 +867,15 @@ static int 	kssl_test_confound(unsigned char *p)
 	}
 
 /*	Allocate, fill, and return cksumlens array of checksum lengths.
-**	This array holds just the unique elements from the krb5_cksumarray[].
-**	array[n] == 0 signals end of data.
-**
-**      The krb5_cksumarray[] was an internal variable that has since been
-**      replaced by a more general method for storing the data.  It should
-**      not be used.  Instead we use real API calls and make a guess for 
-**      what the highest assigned CKSUMTYPE_ constant is.  As of 1.2.2
-**      it is 0x000c (CKSUMTYPE_HMAC_SHA1_DES3).  So we will use 0x0010.
-*/
+ *	This array holds just the unique elements from the krb5_cksumarray[].
+ *	array[n] == 0 signals end of data.
+ *
+ *      The krb5_cksumarray[] was an internal variable that has since been
+ *      replaced by a more general method for storing the data.  It should
+ *      not be used.  Instead we use real API calls and make a guess for 
+ *      what the highest assigned CKSUMTYPE_ constant is.  As of 1.2.2
+ *      it is 0x000c (CKSUMTYPE_HMAC_SHA1_DES3).  So we will use 0x0010.
+ */
 static size_t  *populate_cksumlens(void)
 	{
 	int 		i, j, n;
@@ -907,12 +908,12 @@ static size_t  *populate_cksumlens(void)
 	}
 
 /*	Return pointer to start of real authenticator within authenticator, or
-**	return NULL on error.
-**	Decrypted authenticator looks like this:
-**		[0 or 8 byte confounder] [4-24 byte checksum] [real authent'r]
-**	This hackery wouldn't be necessary if MIT KRB5 1.0.6 had the
-**	krb5_auth_con_getcksumtype() function advertised in its krb5.h.
-*/
+ *	return NULL on error.
+ *	Decrypted authenticator looks like this:
+ *		[0 or 8 byte confounder] [4-24 byte checksum] [real authent'r]
+ *	This hackery wouldn't be necessary if MIT KRB5 1.0.6 had the
+ *	krb5_auth_con_getcksumtype() function advertised in its krb5.h.
+ */
 unsigned char	*kssl_skip_confound(krb5_enctype etype, unsigned char *a)
 	{
 	int 		i, conlen;
@@ -934,8 +935,8 @@ unsigned char	*kssl_skip_confound(krb5_enctype etype, unsigned char *a)
 
 
 /*	Set kssl_err error info when reason text is a simple string
-**		kssl_err = struct { int reason; char text[KSSL_ERR_MAX+1]; }
-*/
+ *		kssl_err = struct { int reason; char text[KSSL_ERR_MAX+1]; }
+ */
 void
 kssl_err_set(KSSL_ERR *kssl_err, int reason, char *text)
         {
@@ -1024,8 +1025,8 @@ print_krb5_keyblock(char *label, krb5_keyblock *keyblk)
 
 
 /*	Display contents of krb5_principal_data struct, for debugging
-**	(krb5_principal is typedef'd == krb5_principal_data *)
-*/
+ *	(krb5_principal is typedef'd == krb5_principal_data *)
+ */
 static void
 print_krb5_princ(char *label, krb5_principal_data *princ)
         {
@@ -1047,16 +1048,16 @@ print_krb5_princ(char *label, krb5_principal_data *princ)
         }
 
 
-/*	Given krb5 service (typically "kssl") and hostname in kssl_ctx,
-**	Return encrypted Kerberos ticket for service @ hostname.
-**	If authenp is non-NULL, also return encrypted authenticator,
-**	whose data should be freed by caller.
-**	(Originally was: Create Kerberos AP_REQ message for SSL Client.)
-**
-**	19990628	VRS 	Started; Returns Kerberos AP_REQ message.
-**	20010409	VRS 	Modified for RFC2712; Returns enc tkt.
-**	20010606	VRS 	May also return optional authenticator.
-*/
+/*-	Given krb5 service (typically "kssl") and hostname in kssl_ctx,
+ *	Return encrypted Kerberos ticket for service @ hostname.
+ *	If authenp is non-NULL, also return encrypted authenticator,
+ *	whose data should be freed by caller.
+ *	(Originally was: Create Kerberos AP_REQ message for SSL Client.)
+ *
+ *	19990628	VRS 	Started; Returns Kerberos AP_REQ message.
+ *	20010409	VRS 	Modified for RFC2712; Returns enc tkt.
+ *	20010606	VRS 	May also return optional authenticator.
+ */
 krb5_error_code
 kssl_cget_tkt(	/* UPDATE */	KSSL_CTX *kssl_ctx,
                 /* OUT    */	krb5_data **enc_ticketp,
@@ -1141,8 +1142,8 @@ kssl_cget_tkt(	/* UPDATE */	KSSL_CTX *kssl_ctx,
 	krb5rc = KRB5KRB_ERR_GENERIC;
 	/*	caller should free data of krb5_app_req  */
 	/*  20010406 VRS deleted for real KerberosWrapper
-	**  20010605 VRS reinstated to offer Authenticator to KerberosWrapper
-	*/
+	 *  20010605 VRS reinstated to offer Authenticator to KerberosWrapper
+	 */
 	krb5_app_req.length = 0;
 	if (authenp)
                 {
@@ -1214,17 +1215,18 @@ kssl_cget_tkt(	/* UPDATE */	KSSL_CTX *kssl_ctx,
 	}
 
 
-/*  Given d2i_-decoded asn1ticket, allocate and return a new krb5_ticket.
-**  Return Kerberos error code and kssl_err struct on error.
-**  Allocates krb5_ticket and krb5_principal; caller should free these.
-**
-**	20010410	VRS	Implemented krb5_decode_ticket() as
-**				old_krb5_decode_ticket(). Missing from MIT1.0.6.
-**	20010615	VRS 	Re-cast as openssl/asn1 d2i_*() functions.
-**				Re-used some of the old krb5_decode_ticket()
-**				code here.  This tkt should alloc/free just
-**				like the real thing.
-*/
+/*-
+ *  Given d2i_-decoded asn1ticket, allocate and return a new krb5_ticket.
+ *  Return Kerberos error code and kssl_err struct on error.
+ *  Allocates krb5_ticket and krb5_principal; caller should free these.
+ *
+ *	20010410	VRS	Implemented krb5_decode_ticket() as
+ *				old_krb5_decode_ticket(). Missing from MIT1.0.6.
+ *	20010615	VRS 	Re-cast as openssl/asn1 d2i_*() functions.
+ *				Re-used some of the old krb5_decode_ticket()
+ *				code here.  This tkt should alloc/free just
+ *				like the real thing.
+ */
 static krb5_error_code
 kssl_TKT2tkt(	/* IN     */	krb5_context	krb5context,
 		/* IN     */	KRB5_TKTBODY	*asn1ticket,
@@ -1299,12 +1301,12 @@ kssl_TKT2tkt(	/* IN     */	krb5_context	krb5context,
 
 
 /*	Given krb5 service name in KSSL_CTX *kssl_ctx (typically "kssl"),
-**		and krb5 AP_REQ message & message length,
-**	Return Kerberos session key and client principle
-**		to SSL Server in KSSL_CTX *kssl_ctx.
-**
-**	19990702	VRS 	Started.
-*/
+ *		and krb5 AP_REQ message & message length,
+ *	Return Kerberos session key and client principle
+ *		to SSL Server in KSSL_CTX *kssl_ctx.
+ *
+ *	19990702	VRS 	Started.
+ */
 krb5_error_code
 kssl_sget_tkt(	/* UPDATE */	KSSL_CTX		*kssl_ctx,
 		/* IN     */	krb5_data		*indata,
@@ -1419,19 +1421,20 @@ kssl_sget_tkt(	/* UPDATE */	KSSL_CTX		*kssl_ctx,
 			}
 		}
 
-	/*	Actual Kerberos5 krb5_recvauth() has initial conversation here
-	**	o	check KRB5_SENDAUTH_BADAUTHVERS
-	**		unless KRB5_RECVAUTH_SKIP_VERSION
-	**	o	check KRB5_SENDAUTH_BADAPPLVERS
-	**	o	send "0" msg if all OK
-	*/
+	/*-	Actual Kerberos5 krb5_recvauth() has initial conversation here
+	 *	o	check KRB5_SENDAUTH_BADAUTHVERS
+	 *		unless KRB5_RECVAUTH_SKIP_VERSION
+	 *	o	check KRB5_SENDAUTH_BADAPPLVERS
+	 *	o	send "0" msg if all OK
+	 */
 
-	/*  20010411 was using AP_REQ instead of true KerberosWrapper
-	**
-	**  if ((krb5rc = krb5_rd_req(krb5context, &krb5auth_context,
-	**			&krb5in_data, krb5server, krb5keytab,
-	**			&ap_option, &krb5ticket)) != 0)  { Error }
-	*/
+	/*- 
+	 * 20010411 was using AP_REQ instead of true KerberosWrapper
+	 *
+	 *  if ((krb5rc = krb5_rd_req(krb5context, &krb5auth_context,
+	 *			&krb5in_data, krb5server, krb5keytab,
+	 *			&ap_option, &krb5ticket)) != 0)  { Error }
+	 */
 
 	p = (unsigned char *)indata->data;
 	if ((asn1ticket = (KRB5_TKTBODY *) d2i_KRB5_TICKET(NULL, &p,
@@ -1568,8 +1571,8 @@ kssl_ctx_new(void)
 
 
 /*	Frees a kssl_ctx struct and any allocated memory it holds.
-**	Returns NULL.
-*/
+ *	Returns NULL.
+ */
 KSSL_CTX	*
 kssl_ctx_free(KSSL_CTX *kssl_ctx)
         {
@@ -1589,9 +1592,9 @@ kssl_ctx_free(KSSL_CTX *kssl_ctx)
 
 
 /*	Given an array of (krb5_data *) entity (and optional realm),
-**	set the plain (char *) client_princ or service_host member
-**	of the kssl_ctx struct.
-*/
+ *	set the plain (char *) client_princ or service_host member
+ *	of the kssl_ctx struct.
+ */
 krb5_error_code
 kssl_ctx_setprinc(KSSL_CTX *kssl_ctx, int which,
         krb5_data *realm, krb5_data *entity, int nentities)
@@ -1644,11 +1647,11 @@ kssl_ctx_setprinc(KSSL_CTX *kssl_ctx, int which,
         }
 
 
-/*	Set one of the plain (char *) string members of the kssl_ctx struct.
-**	Default values should be:
-**		which == KSSL_SERVICE	=>	"khost" (KRB5SVC)
-**		which == KSSL_KEYTAB	=>	"/etc/krb5.keytab" (KRB5KEYTAB)
-*/
+/*-	Set one of the plain (char *) string members of the kssl_ctx struct.
+ *	Default values should be:
+ *		which == KSSL_SERVICE	=>	"khost" (KRB5SVC)
+ *		which == KSSL_KEYTAB	=>	"/etc/krb5.keytab" (KRB5KEYTAB)
+ */
 krb5_error_code
 kssl_ctx_setstring(KSSL_CTX *kssl_ctx, int which, char *text)
         {
@@ -1682,8 +1685,8 @@ kssl_ctx_setstring(KSSL_CTX *kssl_ctx, int which, char *text)
 
 
 /*	Copy the Kerberos session key from a (krb5_keyblock *) to a kssl_ctx
-**	struct.  Clear kssl_ctx->key if Kerberos session key is NULL.
-*/
+ *	struct.  Clear kssl_ctx->key if Kerberos session key is NULL.
+ */
 krb5_error_code
 kssl_ctx_setkey(KSSL_CTX *kssl_ctx, krb5_keyblock *session)
         {
@@ -1897,12 +1900,12 @@ void kssl_krb5_free_data_contents(krb5_context context, krb5_data *data)
 
 
 /*  Given pointers to KerberosTime and struct tm structs, convert the
-**  KerberosTime string to struct tm.  Note that KerberosTime is a
-**  ASN1_GENERALIZEDTIME value, constrained to GMT with no fractional
-**  seconds as defined in RFC 1510.
-**  Return pointer to the (partially) filled in struct tm on success,
-**  return NULL on failure.
-*/
+ *  KerberosTime string to struct tm.  Note that KerberosTime is a
+ *  ASN1_GENERALIZEDTIME value, constrained to GMT with no fractional
+ *  seconds as defined in RFC 1510.
+ *  Return pointer to the (partially) filled in struct tm on success,
+ *  return NULL on failure.
+ */
 static struct tm *k_gmtime(ASN1_GENERALIZEDTIME *gtime, struct tm *k_tm)
 	{
 	char 		c, *p;
@@ -1925,10 +1928,10 @@ static struct tm *k_gmtime(ASN1_GENERALIZEDTIME *gtime, struct tm *k_tm)
 
 
 /*  Helper function for kssl_validate_times().
-**  We need context->clockskew, but krb5_context is an opaque struct.
-**  So we try to sneek the clockskew out through the replay cache.
-**	If that fails just return a likely default (300 seconds).
-*/
+ *  We need context->clockskew, but krb5_context is an opaque struct.
+ *  So we try to sneek the clockskew out through the replay cache.
+ *	If that fails just return a likely default (300 seconds).
+ */
 static krb5_deltat get_rc_clockskew(krb5_context context)
 	{
 	krb5_rcache 	rc;
@@ -1945,15 +1948,15 @@ static krb5_deltat get_rc_clockskew(krb5_context context)
 
 
 /*  kssl_validate_times() combines (and more importantly exposes)
-**  the MIT KRB5 internal function krb5_validate_times() and the
-**  in_clock_skew() macro.  The authenticator client time is checked
-**  to be within clockskew secs of the current time and the current
-**  time is checked to be within the ticket start and expire times.
-**  Either check may be omitted by supplying a NULL value.
-**  Returns 0 for valid times, SSL_R_KRB5* error codes otherwise.
-**  See Also: (Kerberos source)/krb5/lib/krb5/krb/valid_times.c
-**  20010420 VRS
-*/
+ *  the MIT KRB5 internal function krb5_validate_times() and the
+ *  in_clock_skew() macro.  The authenticator client time is checked
+ *  to be within clockskew secs of the current time and the current
+ *  time is checked to be within the ticket start and expire times.
+ *  Either check may be omitted by supplying a NULL value.
+ *  Returns 0 for valid times, SSL_R_KRB5* error codes otherwise.
+ *  See Also: (Kerberos source)/krb5/lib/krb5/krb/valid_times.c
+ *  20010420 VRS
+ */
 krb5_error_code  kssl_validate_times(	krb5_timestamp atime,
 					krb5_ticket_times *ttimes)
 	{
@@ -1985,12 +1988,12 @@ krb5_error_code  kssl_validate_times(	krb5_timestamp atime,
 
 
 /*  Decode and decrypt given DER-encoded authenticator, then pass
-**  authenticator ctime back in *atimep (or 0 if time unavailable).
-**  Returns krb5_error_code and kssl_err on error.  A NULL 
-**  authenticator (authentp->length == 0) is not considered an error.
-**  Note that kssl_check_authent() makes use of the KRB5 session key;
-**  you must call kssl_sget_tkt() to get the key before calling this routine.
-*/
+ *  authenticator ctime back in *atimep (or 0 if time unavailable).
+ *  Returns krb5_error_code and kssl_err on error.  A NULL 
+ *  authenticator (authentp->length == 0) is not considered an error.
+ *  Note that kssl_check_authent() makes use of the KRB5 session key;
+ *  you must call kssl_sget_tkt() to get the key before calling this routine.
+ */
 krb5_error_code  kssl_check_authent(
 			/* IN     */	KSSL_CTX	*kssl_ctx,
                         /* IN     */   	krb5_data	*authentp,
@@ -2069,9 +2072,9 @@ krb5_error_code  kssl_check_authent(
 	if (enc == NULL)
 		{
 		/*  Disable kssl_check_authent for ENCTYPE_DES3_CBC_SHA1.
-		**  This enctype indicates the authenticator was encrypted
-		**  using key-usage derived keys which openssl cannot decrypt.
-		*/
+		 *  This enctype indicates the authenticator was encrypted
+		 *  using key-usage derived keys which openssl cannot decrypt.
+		 */
 		goto err;
 		}
 
@@ -2148,10 +2151,10 @@ krb5_error_code  kssl_check_authent(
 
 
 /*  Replaces krb5_build_principal_ext(), with varargs length == 2 (svc, host),
-**  because I dont't know how to stub varargs.
-**  Returns krb5_error_code == ENOMEM on alloc error, otherwise
-**  passes back newly constructed principal, which should be freed by caller.
-*/
+ *  because I don't know how to stub varargs.
+ *  Returns krb5_error_code == ENOMEM on alloc error, otherwise
+ *  passes back newly constructed principal, which should be freed by caller.
+ */
 krb5_error_code  kssl_build_principal_2(
 			/* UPDATE */	krb5_context	context,
 			/* OUT    */	krb5_principal	*princ,
diff --git a/ssl/kssl.h b/ssl/kssl.h
index e4df843073..c3d5492d44 100644
--- a/ssl/kssl.h
+++ b/ssl/kssl.h
@@ -85,9 +85,9 @@ extern "C" {
 #endif
 
 /*
-**	Depending on which KRB5 implementation used, some types from
-**	the other may be missing.  Resolve that here and now
-*/
+ *	Depending on which KRB5 implementation used, some types from
+ *	the other may be missing.  Resolve that here and now
+ */
 #ifdef KRB5_HEIMDAL
 typedef unsigned char krb5_octet;
 #define FAR
@@ -100,10 +100,10 @@ typedef unsigned char krb5_octet;
 #endif
 
 /*	Uncomment this to debug kssl problems or
-**	to trace usage of the Kerberos session key
-**
-**	#define		KSSL_DEBUG
-*/
+ *	to trace usage of the Kerberos session key
+ *
+ *	#define		KSSL_DEBUG
+ */
 
 #ifndef	KRB5SVC
 #define KRB5SVC	"host"
@@ -132,10 +132,10 @@ typedef struct kssl_err_st  {
 	} KSSL_ERR;
 
 
-/*	Context for passing
-**		(1) Kerberos session key to SSL, and
-**		(2)	Config data between application and SSL lib
-*/
+/*-	Context for passing
+ *		(1) Kerberos session key to SSL, and
+ *		(2)	Config data between application and SSL lib
+ */
 typedef struct kssl_ctx_st
         {
                                 /*	used by:    disposition:            */
diff --git a/ssl/s23_srvr.c b/ssl/s23_srvr.c
index 9840d474d5..5576a7dabc 100644
--- a/ssl/s23_srvr.c
+++ b/ssl/s23_srvr.c
@@ -453,7 +453,8 @@ int ssl23_get_client_hello(SSL *s)
 		v[0] = p[3]; /* == SSL3_VERSION_MAJOR */
 		v[1] = p[4];
 
-		/* An SSLv3/TLSv1 backwards-compatible CLIENT-HELLO in an SSLv2
+		/*-
+		 * An SSLv3/TLSv1 backwards-compatible CLIENT-HELLO in an SSLv2
 		 * header is sent directly on the wire, not wrapped as a TLS
 		 * record. It's format is:
 		 * Byte  Content
diff --git a/ssl/s3_both.c b/ssl/s3_both.c
index b4bbd4735d..b4a6a45659 100644
--- a/ssl/s3_both.c
+++ b/ssl/s3_both.c
@@ -294,7 +294,8 @@ f_err:
 	return(0);
 	}
 
-/* for these 2 messages, we need to
+/*-
+ * for these 2 messages, we need to
  * ssl->enc_read_ctx			re-init
  * ssl->s3->read_sequence		zero
  * ssl->s3->read_mac_secret		re-init
diff --git a/ssl/s3_cbc.c b/ssl/s3_cbc.c
index 4c1a8940b3..c904803687 100644
--- a/ssl/s3_cbc.c
+++ b/ssl/s3_cbc.c
@@ -68,14 +68,16 @@
  * supported by TLS.) */
 #define MAX_HASH_BLOCK_SIZE 128
 
-/* ssl3_cbc_remove_padding removes padding from the decrypted, SSLv3, CBC
+/*-
+ * ssl3_cbc_remove_padding removes padding from the decrypted, SSLv3, CBC
  * record in |rec| by updating |rec->length| in constant time.
  *
  * block_size: the block size of the cipher used to encrypt the record.
  * returns:
  *   0: (in non-constant time) if the record is publicly invalid.
  *   1: if the padding was valid
- *  -1: otherwise. */
+ *  -1: otherwise. 
+ */
 int ssl3_cbc_remove_padding(const SSL* s,
 			    SSL3_RECORD *rec,
 			    unsigned block_size,
@@ -99,7 +101,8 @@ int ssl3_cbc_remove_padding(const SSL* s,
 	return constant_time_select_int(good, 1, -1);
 	}
 
-/* tls1_cbc_remove_padding removes the CBC padding from the decrypted, TLS, CBC
+/*- 
+ * tls1_cbc_remove_padding removes the CBC padding from the decrypted, TLS, CBC
  * record in |rec| in constant time and returns 1 if the padding is valid and
  * -1 otherwise. It also removes any explicit IV from the start of the record
  * without leaking any timing about whether there was enough space after the
@@ -109,7 +112,8 @@ int ssl3_cbc_remove_padding(const SSL* s,
  * returns:
  *   0: (in non-constant time) if the record is publicly invalid.
  *   1: if the padding was valid
- *  -1: otherwise. */
+ *  -1: otherwise. 
+ */
 int tls1_cbc_remove_padding(const SSL* s,
 			    SSL3_RECORD *rec,
 			    unsigned block_size,
@@ -196,7 +200,8 @@ int tls1_cbc_remove_padding(const SSL* s,
 	return constant_time_select_int(good, 1, -1);
 	}
 
-/* ssl3_cbc_copy_mac copies |md_size| bytes from the end of |rec| to |out| in
+/*-
+ * ssl3_cbc_copy_mac copies |md_size| bytes from the end of |rec| to |out| in
  * constant time (independent of the concrete value of rec->length, which may
  * vary within a 256-byte window).
  *
@@ -378,7 +383,8 @@ char ssl3_cbc_record_digest_supported(const EVP_MD_CTX *ctx)
 		}
 	}
 
-/* ssl3_cbc_digest_record computes the MAC of a decrypted, padded SSLv3/TLS
+/*-
+ * ssl3_cbc_digest_record computes the MAC of a decrypted, padded SSLv3/TLS
  * record.
  *
  *   ctx: the EVP_MD_CTX from which we take the hash function.
@@ -396,7 +402,8 @@ char ssl3_cbc_record_digest_supported(const EVP_MD_CTX *ctx)
  * On entry: by virtue of having been through one of the remove_padding
  * functions, above, we know that data_plus_mac_size is large enough to contain
  * a padding byte and MAC. (If the padding was invalid, it might contain the
- * padding too. ) */
+ * padding too. ) 
+ */
 void ssl3_cbc_digest_record(
 	const EVP_MD_CTX *ctx,
 	unsigned char* md_out,
diff --git a/ssl/s3_clnt.c b/ssl/s3_clnt.c
index dd38732a76..9d7e9529b8 100644
--- a/ssl/s3_clnt.c
+++ b/ssl/s3_clnt.c
@@ -726,7 +726,8 @@ int ssl3_client_hello(SSL *s)
 		/* Do the message type and length last */
 		d=p= ssl_handshake_start(s);
 
-		/* version indicates the negotiated version: for example from
+		/*-
+		 * version indicates the negotiated version: for example from
 		 * an SSLv2/v3 compatible client hello). The client_version
 		 * field is the maximum version we permit and it is also
 		 * used in RSA encrypted premaster secrets. Some servers can
@@ -2587,24 +2588,25 @@ int ssl3_send_client_key_exchange(SSL *s)
 				goto err;
 				}
 
-			/*  20010406 VRS - Earlier versions used KRB5 AP_REQ
-			**  in place of RFC 2712 KerberosWrapper, as in:
-			**
-			**  Send ticket (copy to *p, set n = length)
-			**  n = krb5_ap_req.length;
-			**  memcpy(p, krb5_ap_req.data, krb5_ap_req.length);
-			**  if (krb5_ap_req.data)  
-			**    kssl_krb5_free_data_contents(NULL,&krb5_ap_req);
-			**
-			**  Now using real RFC 2712 KerberosWrapper
-			**  (Thanks to Simon Wilkinson <sxw@sxw.org.uk>)
-			**  Note: 2712 "opaque" types are here replaced
-			**  with a 2-byte length followed by the value.
-			**  Example:
-			**  KerberosWrapper= xx xx asn1ticket 0 0 xx xx encpms
-			**  Where "xx xx" = length bytes.  Shown here with
-			**  optional authenticator omitted.
-			*/
+			/*-
+			 * 20010406 VRS - Earlier versions used KRB5 AP_REQ
+			 * in place of RFC 2712 KerberosWrapper, as in:
+			 *
+			 * Send ticket (copy to *p, set n = length)
+			 * n = krb5_ap_req.length;
+			 * memcpy(p, krb5_ap_req.data, krb5_ap_req.length);
+			 * if (krb5_ap_req.data)  
+			 *   kssl_krb5_free_data_contents(NULL,&krb5_ap_req);
+			 *
+			 * Now using real RFC 2712 KerberosWrapper
+			 * (Thanks to Simon Wilkinson <sxw@sxw.org.uk>)
+			 * Note: 2712 "opaque" types are here replaced
+			 * with a 2-byte length followed by the value.
+			 * Example:
+			 * KerberosWrapper= xx xx asn1ticket 0 0 xx xx encpms
+			 * Where "xx xx" = length bytes.  Shown here with
+			 * optional authenticator omitted.
+			 */
 
 			/*  KerberosWrapper.Ticket		*/
 			s2n(enc_ticket->length,p);
@@ -2635,12 +2637,13 @@ int ssl3_send_client_key_exchange(SSL *s)
 			    if (RAND_bytes(&(tmp_buf[2]),sizeof tmp_buf-2) <= 0)
 				goto err;
 
-			/*  20010420 VRS.  Tried it this way; failed.
-			**	EVP_EncryptInit_ex(&ciph_ctx,enc, NULL,NULL);
-			**	EVP_CIPHER_CTX_set_key_length(&ciph_ctx,
-			**				kssl_ctx->length);
-			**	EVP_EncryptInit_ex(&ciph_ctx,NULL, key,iv);
-			*/
+			/*-
+			 * 20010420 VRS.  Tried it this way; failed.
+			 *	EVP_EncryptInit_ex(&ciph_ctx,enc, NULL,NULL);
+			 *	EVP_CIPHER_CTX_set_key_length(&ciph_ctx,
+			 *				kssl_ctx->length);
+			 *	EVP_EncryptInit_ex(&ciph_ctx,NULL, key,iv);
+			 */
 
 			memset(iv, 0, sizeof iv);  /* per RFC 1510 */
 			EVP_EncryptInit_ex(&ciph_ctx,enc, NULL,
@@ -2797,7 +2800,8 @@ int ssl3_send_client_key_exchange(SSL *s)
 			 */
 			if ((alg_k & (SSL_kECDHr|SSL_kECDHe)) && (s->cert != NULL)) 
 				{
-				/* XXX: For now, we do not support client
+				/*-
+				 * XXX: For now, we do not support client
 				 * authentication using ECDH certificates.
 				 * To add such support, one needs to add
 				 * code that checks for appropriate 
diff --git a/ssl/s3_pkt.c b/ssl/s3_pkt.c
index 6a2ec5c579..1cd7ee4d47 100644
--- a/ssl/s3_pkt.c
+++ b/ssl/s3_pkt.c
@@ -295,7 +295,8 @@ int ssl3_read_n(SSL *s, int n, int max, int extend)
  * ssl3_get_record to loop forever. */
 #define MAX_EMPTY_RECORDS 32
 
-/* Call this to get a new input record.
+/*-
+ * Call this to get a new input record.
  * It will return <= 0 if more data is needed, normally due to an error
  * or non-blocking IO.
  * When it finishes, one packet has been decoded and can be found in
@@ -426,10 +427,12 @@ fprintf(stderr, "Record type=%d, Length=%d\n", rr->type, rr->length);
 	rr->data=rr->input;
 
 	enc_err = s->method->ssl3_enc->enc(s,0);
-	/* enc_err is:
+	/*-
+	 * enc_err is:
 	 *    0: (in non-constant time) if the record is publically invalid.
 	 *    1: if the padding is valid
-	 *    -1: if the padding is invalid */
+	 *    -1: if the padding is invalid 
+	 */
 	if (enc_err == 0)
 		{
 		al=SSL_AD_DECRYPTION_FAILED;
@@ -536,7 +539,8 @@ printf("\n");
 		}
 
 	rr->off=0;
-	/* So at this point the following is true
+	/*-
+	 * So at this point the following is true
 	 * ssl->s3->rrec.type 	is the type of record
 	 * ssl->s3->rrec.length	== number of bytes in record
 	 * ssl->s3->rrec.off	== offset to first valid byte
@@ -1132,7 +1136,8 @@ int ssl3_write_pending(SSL *s, int type, const unsigned char *buf,
 		}
 	}
 
-/* Return up to 'len' payload bytes received in 'type' records.
+/*-
+ * Return up to 'len' payload bytes received in 'type' records.
  * 'type' is one of the following:
  *
  *   -  SSL3_RT_HANDSHAKE (when ssl3_get_message calls us)
@@ -1214,10 +1219,12 @@ int ssl3_read_bytes(SSL *s, int type, unsigned char *buf, int len, int peek)
 start:
 	s->rwstate=SSL_NOTHING;
 
-	/* s->s3->rrec.type	    - is the type of record
+	/*-
+	 * s->s3->rrec.type	    - is the type of record
 	 * s->s3->rrec.data,    - data
 	 * s->s3->rrec.off,     - offset into 'data' for next read
-	 * s->s3->rrec.length,  - number of bytes. */
+	 * s->s3->rrec.length,  - number of bytes. 
+	 */
 	rr = &(s->s3->rrec);
 
 	/* get new packet if necessary */
@@ -1339,9 +1346,11 @@ start:
 			}
 		}
 
-	/* s->s3->handshake_fragment_len == 4  iff  rr->type == SSL3_RT_HANDSHAKE;
+	/*-
+	 * s->s3->handshake_fragment_len == 4  iff  rr->type == SSL3_RT_HANDSHAKE;
 	 * s->s3->alert_fragment_len == 2      iff  rr->type == SSL3_RT_ALERT.
-	 * (Possibly rr is 'empty' now, i.e. rr->length may be 0.) */
+	 * (Possibly rr is 'empty' now, i.e. rr->length may be 0.) 
+	 */
 
 	/* If we are a client, check for an incoming 'Hello Request': */
 	if ((!s->server) &&
diff --git a/ssl/s3_srvr.c b/ssl/s3_srvr.c
index 230a36f80c..868ab197e6 100644
--- a/
author	Tim Hudson <tjh@openssl.org>	2014-12-28 12:48:40 +1000
committer	Matt Caswell <matt@openssl.org>	2015-01-22 09:23:04 +0000
commit	6977c7e2baf291278aee7632f1a68581b7c4d1f9 (patch)
tree	ae6c4def1c5f7f4a3c4cb9bb7e63ec0ebf27b7f7 /ssl
parent	43257b9f51de749262258668c77c2f0f99d7a15b (diff)