• Home
  • Line#
  • Scopes#
  • Navigate#
  • Raw
  • Download
1BoringSSL Style Guide.
2
3BoringSSL usually follows the Google C++ style guide, found below. The
4rest of this document describes differences and clarifications on top
5of the base guide.
6
7https://google-styleguide.googlecode.com/svn/trunk/cppguide.html
8
9
10Legacy code.
11
12As a derivative of OpenSSL, BoringSSL contains a lot of legacy code
13that does not follow this style guide. Particularly where public API
14is concerned, balance consistency within a module with the benefits of
15a given rule. Module-wide deviations on naming should be respected
16while integer and return value conventions take precedence over
17consistency.
18
19Some modules have seen few changes, so they still retain the original
20indentation style for now. When editing these, try to retain the
21original style. For Emacs, doc/c-indentation.el from OpenSSL may be
22helpful in this.
23
24
25Language.
26
27The majority of the project is in C, so C++-specific rules in the
28Google style guide do not apply. Support for C99 features depends on
29our target platforms. Typically, Chromium's target MSVC is the most
30restrictive.
31
32Variable declarations in the middle of a function are allowed.
33
34Comments should be /* C-style */ for consistency.
35
36When declaration pointer types, * should be placed next to the variable
37name, not the type. So
38
39  uint8_t *ptr;
40
41not
42
43  uint8_t* ptr;
44
45Rather than malloc() and free(), use the wrappers OPENSSL_malloc() and
46OPENSSL_free(). Use the standard C assert() function freely.
47
48For new constants, prefer enums when the values are sequential and typed
49constants for flags. If adding values to an existing set of #defines, continue
50with #define.
51
52
53Formatting.
54
55Single-statement blocks are not allowed. All conditions and loops must
56use braces:
57
58  if (foo) {
59    do_something();
60  }
61
62not
63
64  if (foo)
65    do_something();
66
67
68Integers.
69
70Prefer using explicitly-sized integers where appropriate rather than
71generic C ones. For instance, to represent a byte, use uint8_t, not
72unsigned char. Likewise, represent a two-byte field as uint16_t, not
73unsigned short.
74
75Sizes are represented as size_t.
76
77Within a struct that is retained across the lifetime of an SSL
78connection, if bounds of a size are known and it's easy, use a smaller
79integer type like uint8_t. This is a "free" connection footprint
80optimization for servers. Don't make code significantly more complex
81for it, and do still check the bounds when passing in and out of the
82struct. This narrowing should not propagate to local variables and
83function parameters.
84
85When doing arithmetic, account for overflow conditions.
86
87Except with platform APIs, do not use ssize_t. MSVC lacks it, and
88prefer out-of-band error signaling for size_t (see Return values).
89
90
91Naming.
92
93Follow Google naming conventions in C++ files. In C files, use the
94following naming conventions for consistency with existing OpenSSL and C
95styles:
96
97Define structs with typedef named TYPE_NAME. The corresponding struct
98should be named struct type_name_st.
99
100Name public functions as MODULE_function_name, unless the module
101already uses a different naming scheme for legacy reasons. The module
102name should be a type name if the function is a method of a particular
103type.
104
105Some types are allocated within the library while others are
106initialized into a struct allocated by the caller, often on the
107stack. Name these functions TYPE_NAME_new/TYPE_NAME_free and
108TYPE_NAME_init/TYPE_NAME_cleanup, respectively. All TYPE_NAME_free
109functions must do nothing on NULL input.
110
111If a variable is the length of a pointer value, it has the suffix
112_len. An output parameter is named out or has an out_ prefix. For
113instance, For instance:
114
115  uint8_t *out,
116  size_t *out_len,
117  const uint8_t *in,
118  size_t in_len,
119
120Name public headers like include/openssl/evp.h with header guards like
121OPENSSL_HEADER_EVP_H. Name internal headers like crypto/ec/internal.h
122with header guards like OPENSSL_HEADER_EC_INTERNAL_H.
123
124Name enums like unix_hacker_t. For instance:
125
126enum should_free_handshake_buffer_t {
127  free_handshake_buffer,
128  dont_free_handshake_buffer,
129};
130
131
132Return values.
133
134As even malloc may fail in BoringSSL, the vast majority of functions
135will have a failure case. Functions should return int with one on
136success and zero on error. Do not overload the return value to both
137signal success/failure and output an integer. For example:
138
139  OPENSSL_EXPORT int CBS_get_u16(CBS *cbs, uint16_t *out);
140
141If a function needs more than a true/false result code, define an enum
142rather than arbitrarily assigning meaning to int values.
143
144If a function outputs a pointer to an object on success and there are no
145other outputs, return the pointer directly and NULL on error.
146
147
148Parameters.
149
150Where not constrained by legacy code, parameter order should be:
151
1521. context parameters
1532. output parameters
1543. input parameters
155
156For example,
157
158/* CBB_add_asn sets |*out_contents| to a |CBB| into which the contents of an
159 * ASN.1 object can be written. The |tag| argument will be used as the tag for
160 * the object. It returns one on success or zero on error. */
161OPENSSL_EXPORT int CBB_add_asn1(CBB *cbb, CBB *out_contents, uint8_t tag);
162
163
164Documentation.
165
166All public symbols must have a documentation comment in their header
167file. The style is based on that of Go. The first sentence begins with
168the symbol name, optionally prefixed with "A" or "An". Apart from the
169initial mention of symbol, references to other symbols or parameter
170names should be surrounded by |pipes|.
171
172Documentation should be concise but completely describe the exposed
173behavior of the function. Pay special note to success/failure behaviors
174and caller obligations on object lifetimes. If this sacrifices
175conciseness, consider simplifying the function's behavior.
176
177/* EVP_DigestVerifyUpdate appends |len| bytes from |data| to the data which
178 * will be verified by |EVP_DigestVerifyFinal|. It returns one on success and
179 * zero otherwise. */
180OPENSSL_EXPORT int EVP_DigestVerifyUpdate(EVP_MD_CTX *ctx, const void *data,
181                                          size_t len);
182
183Explicitly mention any surprising edge cases or deviations from common
184return value patterns in legacy functions.
185
186/* RSA_private_encrypt encrypts |flen| bytes from |from| with the private key in
187 * |rsa| and writes the encrypted data to |to|. The |to| buffer must have at
188 * least |RSA_size| bytes of space. It returns the number of bytes written, or
189 * -1 on error. The |padding| argument must be one of the |RSA_*_PADDING|
190 * values. If in doubt, |RSA_PKCS1_PADDING| is the most common.
191 *
192 * WARNING: this function is dangerous because it breaks the usual return value
193 * convention. Use |RSA_sign_raw| instead. */
194OPENSSL_EXPORT int RSA_private_encrypt(int flen, const uint8_t *from,
195                                       uint8_t *to, RSA *rsa, int padding);
196
197Document private functions in their internal.h header or, if static,
198where defined.
199