1*8fb009dcSAndroid Build Coastguard Worker# BoringSSL Style Guide 2*8fb009dcSAndroid Build Coastguard Worker 3*8fb009dcSAndroid Build Coastguard WorkerBoringSSL usually follows the 4*8fb009dcSAndroid Build Coastguard Worker[Google C++ style guide](https://google.github.io/styleguide/cppguide.html), 5*8fb009dcSAndroid Build Coastguard WorkerThe rest of this document describes differences and clarifications on 6*8fb009dcSAndroid Build Coastguard Workertop of the base guide. 7*8fb009dcSAndroid Build Coastguard Worker 8*8fb009dcSAndroid Build Coastguard Worker 9*8fb009dcSAndroid Build Coastguard Worker## Legacy code 10*8fb009dcSAndroid Build Coastguard Worker 11*8fb009dcSAndroid Build Coastguard WorkerAs a derivative of OpenSSL, BoringSSL contains a lot of legacy code that 12*8fb009dcSAndroid Build Coastguard Workerdoes not follow this style guide. Particularly where public API is 13*8fb009dcSAndroid Build Coastguard Workerconcerned, balance consistency within a module with the benefits of a 14*8fb009dcSAndroid Build Coastguard Workergiven rule. Module-wide deviations on naming should be respected while 15*8fb009dcSAndroid Build Coastguard Workerinteger and return value conventions take precedence over consistency. 16*8fb009dcSAndroid Build Coastguard Worker 17*8fb009dcSAndroid Build Coastguard WorkerModules from OpenSSL's legacy ASN.1 and X.509 stack are retained for 18*8fb009dcSAndroid Build Coastguard Workercompatibility and left largely unmodified. To ease importing patches from 19*8fb009dcSAndroid Build Coastguard Workerupstream, they match OpenSSL's new indentation style. For Emacs, 20*8fb009dcSAndroid Build Coastguard Worker`doc/openssl-c-indent.el` from OpenSSL may be helpful in this. 21*8fb009dcSAndroid Build Coastguard Worker 22*8fb009dcSAndroid Build Coastguard Worker 23*8fb009dcSAndroid Build Coastguard Worker## Language 24*8fb009dcSAndroid Build Coastguard Worker 25*8fb009dcSAndroid Build Coastguard WorkerThe majority of the project is in C, so C++-specific rules in the 26*8fb009dcSAndroid Build Coastguard WorkerGoogle style guide do not apply. Support for C99 features depends on 27*8fb009dcSAndroid Build Coastguard Workerour target platforms. Typically, Chromium's target MSVC is the most 28*8fb009dcSAndroid Build Coastguard Workerrestrictive. 29*8fb009dcSAndroid Build Coastguard Worker 30*8fb009dcSAndroid Build Coastguard WorkerVariable declarations in the middle of a function or inside a `for` loop are 31*8fb009dcSAndroid Build Coastguard Workerallowed and preferred where possible. Note that the common `goto err` cleanup 32*8fb009dcSAndroid Build Coastguard Workerpattern requires lifting some variable declarations. 33*8fb009dcSAndroid Build Coastguard Worker 34*8fb009dcSAndroid Build Coastguard WorkerComments should be `// C99-style` for consistency with C++. 35*8fb009dcSAndroid Build Coastguard Worker 36*8fb009dcSAndroid Build Coastguard WorkerWhen declaring pointer types, `*` should be placed next to the variable name, 37*8fb009dcSAndroid Build Coastguard Workernot the type. So 38*8fb009dcSAndroid Build Coastguard Worker 39*8fb009dcSAndroid Build Coastguard Worker uint8_t *ptr; 40*8fb009dcSAndroid Build Coastguard Worker 41*8fb009dcSAndroid Build Coastguard Workernot 42*8fb009dcSAndroid Build Coastguard Worker 43*8fb009dcSAndroid Build Coastguard Worker uint8_t* ptr; 44*8fb009dcSAndroid Build Coastguard Worker 45*8fb009dcSAndroid Build Coastguard WorkerRather than `malloc()` and `free()`, use the wrappers `OPENSSL_malloc()` 46*8fb009dcSAndroid Build Coastguard Workerand `OPENSSL_free()`. Use the standard C `assert()` function freely. 47*8fb009dcSAndroid Build Coastguard Worker 48*8fb009dcSAndroid Build Coastguard WorkerUse the following wrappers, found in `crypto/internal.h` instead of the 49*8fb009dcSAndroid Build Coastguard Workercorresponding C standard library functions. They behave the same but avoid 50*8fb009dcSAndroid Build Coastguard Workerconfusing undefined behavior. 51*8fb009dcSAndroid Build Coastguard Worker 52*8fb009dcSAndroid Build Coastguard Worker* `OPENSSL_memchr` 53*8fb009dcSAndroid Build Coastguard Worker* `OPENSSL_memcmp` 54*8fb009dcSAndroid Build Coastguard Worker* `OPENSSL_memcpy` 55*8fb009dcSAndroid Build Coastguard Worker* `OPENSSL_memmove` 56*8fb009dcSAndroid Build Coastguard Worker* `OPENSSL_memset` 57*8fb009dcSAndroid Build Coastguard Worker 58*8fb009dcSAndroid Build Coastguard WorkerFor new constants, prefer enums when the values are sequential and typed 59*8fb009dcSAndroid Build Coastguard Workerconstants for flags. If adding values to an existing set of `#define`s, 60*8fb009dcSAndroid Build Coastguard Workercontinue with `#define`. 61*8fb009dcSAndroid Build Coastguard Worker 62*8fb009dcSAndroid Build Coastguard Worker 63*8fb009dcSAndroid Build Coastguard Worker## libssl 64*8fb009dcSAndroid Build Coastguard Worker 65*8fb009dcSAndroid Build Coastguard Workerlibssl was originally written in C but is being incrementally rewritten in 66*8fb009dcSAndroid Build Coastguard WorkerC++11. As of writing, much of the style matches our C conventions rather than 67*8fb009dcSAndroid Build Coastguard WorkerGoogle C++. Additionally, libssl on Linux currently may not depend on the C++ 68*8fb009dcSAndroid Build Coastguard Workerruntime. See the C++ utilities in `ssl/internal.h` for replacements for 69*8fb009dcSAndroid Build Coastguard Workerproblematic C++ constructs. The `util/check_imported_libraries.go` script may be 70*8fb009dcSAndroid Build Coastguard Workerused with a shared library build to check if a new construct is okay. 71*8fb009dcSAndroid Build Coastguard Worker 72*8fb009dcSAndroid Build Coastguard WorkerIf unsure, match surrounding code. Discrepancies between it and Google C++ style 73*8fb009dcSAndroid Build Coastguard Workerwill be fixed over time. 74*8fb009dcSAndroid Build Coastguard Worker 75*8fb009dcSAndroid Build Coastguard Worker 76*8fb009dcSAndroid Build Coastguard Worker## Formatting 77*8fb009dcSAndroid Build Coastguard Worker 78*8fb009dcSAndroid Build Coastguard WorkerSingle-statement blocks are not allowed. All conditions and loops must 79*8fb009dcSAndroid Build Coastguard Workeruse braces: 80*8fb009dcSAndroid Build Coastguard Worker 81*8fb009dcSAndroid Build Coastguard Worker if (foo) { 82*8fb009dcSAndroid Build Coastguard Worker do_something(); 83*8fb009dcSAndroid Build Coastguard Worker } 84*8fb009dcSAndroid Build Coastguard Worker 85*8fb009dcSAndroid Build Coastguard Workernot 86*8fb009dcSAndroid Build Coastguard Worker 87*8fb009dcSAndroid Build Coastguard Worker if (foo) 88*8fb009dcSAndroid Build Coastguard Worker do_something(); 89*8fb009dcSAndroid Build Coastguard Worker 90*8fb009dcSAndroid Build Coastguard Worker 91*8fb009dcSAndroid Build Coastguard Worker## Integers 92*8fb009dcSAndroid Build Coastguard Worker 93*8fb009dcSAndroid Build Coastguard WorkerPrefer using explicitly-sized integers where appropriate rather than 94*8fb009dcSAndroid Build Coastguard Workergeneric C ones. For instance, to represent a byte, use `uint8_t`, not 95*8fb009dcSAndroid Build Coastguard Worker`unsigned char`. Likewise, represent a two-byte field as `uint16_t`, not 96*8fb009dcSAndroid Build Coastguard Worker`unsigned short`. 97*8fb009dcSAndroid Build Coastguard Worker 98*8fb009dcSAndroid Build Coastguard WorkerSizes are represented as `size_t`. 99*8fb009dcSAndroid Build Coastguard Worker 100*8fb009dcSAndroid Build Coastguard WorkerWithin a struct that is retained across the lifetime of an SSL 101*8fb009dcSAndroid Build Coastguard Workerconnection, if bounds of a size are known and it's easy, use a smaller 102*8fb009dcSAndroid Build Coastguard Workerinteger type like `uint8_t`. This is a "free" connection footprint 103*8fb009dcSAndroid Build Coastguard Workeroptimization for servers. Don't make code significantly more complex for 104*8fb009dcSAndroid Build Coastguard Workerit, and do still check the bounds when passing in and out of the 105*8fb009dcSAndroid Build Coastguard Workerstruct. This narrowing should not propagate to local variables and 106*8fb009dcSAndroid Build Coastguard Workerfunction parameters. 107*8fb009dcSAndroid Build Coastguard Worker 108*8fb009dcSAndroid Build Coastguard WorkerWhen doing arithmetic, account for overflow conditions. 109*8fb009dcSAndroid Build Coastguard Worker 110*8fb009dcSAndroid Build Coastguard WorkerExcept with platform APIs, do not use `ssize_t`. MSVC lacks it, and 111*8fb009dcSAndroid Build Coastguard Workerprefer out-of-band error signaling for `size_t` (see Return values). 112*8fb009dcSAndroid Build Coastguard Worker 113*8fb009dcSAndroid Build Coastguard Worker 114*8fb009dcSAndroid Build Coastguard Worker## Naming 115*8fb009dcSAndroid Build Coastguard Worker 116*8fb009dcSAndroid Build Coastguard WorkerFollow Google naming conventions in C++ files. In C files, use the 117*8fb009dcSAndroid Build Coastguard Workerfollowing naming conventions for consistency with existing OpenSSL and C 118*8fb009dcSAndroid Build Coastguard Workerstyles: 119*8fb009dcSAndroid Build Coastguard Worker 120*8fb009dcSAndroid Build Coastguard WorkerDefine structs with typedef named `TYPE_NAME`. The corresponding struct 121*8fb009dcSAndroid Build Coastguard Workershould be named `struct type_name_st`. 122*8fb009dcSAndroid Build Coastguard Worker 123*8fb009dcSAndroid Build Coastguard WorkerName public functions as `MODULE_function_name`, unless the module 124*8fb009dcSAndroid Build Coastguard Workeralready uses a different naming scheme for legacy reasons. The module 125*8fb009dcSAndroid Build Coastguard Workername should be a type name if the function is a method of a particular 126*8fb009dcSAndroid Build Coastguard Workertype. 127*8fb009dcSAndroid Build Coastguard Worker 128*8fb009dcSAndroid Build Coastguard WorkerSome types are allocated within the library while others are initialized 129*8fb009dcSAndroid Build Coastguard Workerinto a struct allocated by the caller, often on the stack. Name these 130*8fb009dcSAndroid Build Coastguard Workerfunctions `TYPE_NAME_new`/`TYPE_NAME_free` and 131*8fb009dcSAndroid Build Coastguard Worker`TYPE_NAME_init`/`TYPE_NAME_cleanup`, respectively. All `TYPE_NAME_free` 132*8fb009dcSAndroid Build Coastguard Workerfunctions must do nothing on `NULL` input. 133*8fb009dcSAndroid Build Coastguard Worker 134*8fb009dcSAndroid Build Coastguard WorkerIf a variable is the length of a pointer value, it has the suffix 135*8fb009dcSAndroid Build Coastguard Worker`_len`. An output parameter is named `out` or has an `out_` prefix. For 136*8fb009dcSAndroid Build Coastguard Workerinstance, For instance: 137*8fb009dcSAndroid Build Coastguard Worker 138*8fb009dcSAndroid Build Coastguard Worker uint8_t *out, 139*8fb009dcSAndroid Build Coastguard Worker size_t *out_len, 140*8fb009dcSAndroid Build Coastguard Worker const uint8_t *in, 141*8fb009dcSAndroid Build Coastguard Worker size_t in_len, 142*8fb009dcSAndroid Build Coastguard Worker 143*8fb009dcSAndroid Build Coastguard WorkerName public headers like `include/openssl/evp.h` with header guards like 144*8fb009dcSAndroid Build Coastguard Worker`OPENSSL_HEADER_EVP_H`. Name internal headers like 145*8fb009dcSAndroid Build Coastguard Worker`crypto/ec/internal.h` with header guards like 146*8fb009dcSAndroid Build Coastguard Worker`OPENSSL_HEADER_EC_INTERNAL_H`. 147*8fb009dcSAndroid Build Coastguard Worker 148*8fb009dcSAndroid Build Coastguard WorkerName enums like `enum unix_hacker_t`. For instance: 149*8fb009dcSAndroid Build Coastguard Worker 150*8fb009dcSAndroid Build Coastguard Worker enum should_free_handshake_buffer_t { 151*8fb009dcSAndroid Build Coastguard Worker free_handshake_buffer, 152*8fb009dcSAndroid Build Coastguard Worker dont_free_handshake_buffer, 153*8fb009dcSAndroid Build Coastguard Worker }; 154*8fb009dcSAndroid Build Coastguard Worker 155*8fb009dcSAndroid Build Coastguard Worker 156*8fb009dcSAndroid Build Coastguard Worker## Return values 157*8fb009dcSAndroid Build Coastguard Worker 158*8fb009dcSAndroid Build Coastguard WorkerAs even `malloc` may fail in BoringSSL, the vast majority of functions 159*8fb009dcSAndroid Build Coastguard Workerwill have a failure case. Functions should return `int` with one on 160*8fb009dcSAndroid Build Coastguard Workersuccess and zero on error. Do not overload the return value to both 161*8fb009dcSAndroid Build Coastguard Workersignal success/failure and output an integer. For example: 162*8fb009dcSAndroid Build Coastguard Worker 163*8fb009dcSAndroid Build Coastguard Worker OPENSSL_EXPORT int CBS_get_u16(CBS *cbs, uint16_t *out); 164*8fb009dcSAndroid Build Coastguard Worker 165*8fb009dcSAndroid Build Coastguard WorkerIf a function needs more than a true/false result code, define an enum 166*8fb009dcSAndroid Build Coastguard Workerrather than arbitrarily assigning meaning to int values. 167*8fb009dcSAndroid Build Coastguard Worker 168*8fb009dcSAndroid Build Coastguard WorkerIf a function outputs a pointer to an object on success and there are no 169*8fb009dcSAndroid Build Coastguard Workerother outputs, return the pointer directly and `NULL` on error. 170*8fb009dcSAndroid Build Coastguard Worker 171*8fb009dcSAndroid Build Coastguard Worker 172*8fb009dcSAndroid Build Coastguard Worker## Parameters 173*8fb009dcSAndroid Build Coastguard Worker 174*8fb009dcSAndroid Build Coastguard WorkerWhere not constrained by legacy code, parameter order should be: 175*8fb009dcSAndroid Build Coastguard Worker 176*8fb009dcSAndroid Build Coastguard Worker1. context parameters 177*8fb009dcSAndroid Build Coastguard Worker2. output parameters 178*8fb009dcSAndroid Build Coastguard Worker3. input parameters 179*8fb009dcSAndroid Build Coastguard Worker 180*8fb009dcSAndroid Build Coastguard WorkerFor example, 181*8fb009dcSAndroid Build Coastguard Worker 182*8fb009dcSAndroid Build Coastguard Worker /* CBB_add_asn sets |*out_contents| to a |CBB| into which the contents of an 183*8fb009dcSAndroid Build Coastguard Worker * ASN.1 object can be written. The |tag| argument will be used as the tag for 184*8fb009dcSAndroid Build Coastguard Worker * the object. It returns one on success or zero on error. */ 185*8fb009dcSAndroid Build Coastguard Worker OPENSSL_EXPORT int CBB_add_asn1(CBB *cbb, CBB *out_contents, unsigned tag); 186*8fb009dcSAndroid Build Coastguard Worker 187*8fb009dcSAndroid Build Coastguard Worker 188*8fb009dcSAndroid Build Coastguard Worker## Documentation 189*8fb009dcSAndroid Build Coastguard Worker 190*8fb009dcSAndroid Build Coastguard WorkerAll public symbols must have a documentation comment in their header 191*8fb009dcSAndroid Build Coastguard Workerfile. The style is based on that of Go. The first sentence begins with 192*8fb009dcSAndroid Build Coastguard Workerthe symbol name, optionally prefixed with "A" or "An". Apart from the 193*8fb009dcSAndroid Build Coastguard Workerinitial mention of symbol, references to other symbols or parameter 194*8fb009dcSAndroid Build Coastguard Workernames should be surrounded by |pipes|. 195*8fb009dcSAndroid Build Coastguard Worker 196*8fb009dcSAndroid Build Coastguard WorkerDocumentation should be concise but completely describe the exposed 197*8fb009dcSAndroid Build Coastguard Workerbehavior of the function. Pay special note to success/failure behaviors 198*8fb009dcSAndroid Build Coastguard Workerand caller obligations on object lifetimes. If this sacrifices 199*8fb009dcSAndroid Build Coastguard Workerconciseness, consider simplifying the function's behavior. 200*8fb009dcSAndroid Build Coastguard Worker 201*8fb009dcSAndroid Build Coastguard Worker // EVP_DigestVerifyUpdate appends |len| bytes from |data| to the data which 202*8fb009dcSAndroid Build Coastguard Worker // will be verified by |EVP_DigestVerifyFinal|. It returns one on success and 203*8fb009dcSAndroid Build Coastguard Worker // zero otherwise. 204*8fb009dcSAndroid Build Coastguard Worker OPENSSL_EXPORT int EVP_DigestVerifyUpdate(EVP_MD_CTX *ctx, const void *data, 205*8fb009dcSAndroid Build Coastguard Worker size_t len); 206*8fb009dcSAndroid Build Coastguard Worker 207*8fb009dcSAndroid Build Coastguard WorkerExplicitly mention any surprising edge cases or deviations from common 208*8fb009dcSAndroid Build Coastguard Workerreturn value patterns in legacy functions. 209*8fb009dcSAndroid Build Coastguard Worker 210*8fb009dcSAndroid Build Coastguard Worker // RSA_private_encrypt encrypts |flen| bytes from |from| with the private key in 211*8fb009dcSAndroid Build Coastguard Worker // |rsa| and writes the encrypted data to |to|. The |to| buffer must have at 212*8fb009dcSAndroid Build Coastguard Worker // least |RSA_size| bytes of space. It returns the number of bytes written, or 213*8fb009dcSAndroid Build Coastguard Worker // -1 on error. The |padding| argument must be one of the |RSA_*_PADDING| 214*8fb009dcSAndroid Build Coastguard Worker // values. If in doubt, |RSA_PKCS1_PADDING| is the most common. 215*8fb009dcSAndroid Build Coastguard Worker // 216*8fb009dcSAndroid Build Coastguard Worker // WARNING: this function is dangerous because it breaks the usual return value 217*8fb009dcSAndroid Build Coastguard Worker // convention. Use |RSA_sign_raw| instead. 218*8fb009dcSAndroid Build Coastguard Worker OPENSSL_EXPORT int RSA_private_encrypt(int flen, const uint8_t *from, 219*8fb009dcSAndroid Build Coastguard Worker uint8_t *to, RSA *rsa, int padding); 220*8fb009dcSAndroid Build Coastguard Worker 221*8fb009dcSAndroid Build Coastguard WorkerDocument private functions in their `internal.h` header or, if static, 222*8fb009dcSAndroid Build Coastguard Workerwhere defined. 223*8fb009dcSAndroid Build Coastguard Worker 224*8fb009dcSAndroid Build Coastguard Worker 225*8fb009dcSAndroid Build Coastguard Worker## Build logic 226*8fb009dcSAndroid Build Coastguard Worker 227*8fb009dcSAndroid Build Coastguard WorkerBoringSSL is used by many projects with many different build tools. 228*8fb009dcSAndroid Build Coastguard WorkerReimplementing and maintaining build logic in each downstream build is 229*8fb009dcSAndroid Build Coastguard Workercumbersome, so build logic should be avoided where possible. Platform-specific 230*8fb009dcSAndroid Build Coastguard Workerfiles should be excluded by wrapping the contents in `#ifdef`s, rather than 231*8fb009dcSAndroid Build Coastguard Workercomputing platform-specific file lists. Generated source files such as perlasm 232*8fb009dcSAndroid Build Coastguard Workerand `err_data.c` may be used in the standalone CMake build but, for downstream 233*8fb009dcSAndroid Build Coastguard Workerbuilds, they should be pre-generated in `generate_build_files.py`. 234