Improve some comments, fix some typos+whitespace
diff --git a/library/x509_crt.c b/library/x509_crt.c
index aeeb109..4187223 100644
--- a/library/x509_crt.c
+++ b/library/x509_crt.c
@@ -1893,7 +1893,6 @@
* Return 0 if yes, -1 if not.
*
* top means parent is a locally-trusted certificate
- * bottom means child is the end entity cert
*/
static int x509_crt_check_parent( const mbedtls_x509_crt *child,
const mbedtls_x509_crt *parent,
@@ -1935,9 +1934,9 @@
* 3. for trusted roots, the signature is correct
* 4. pathlen constraints are satisfied
*
- * Stop at the first suitable candidate, except if it's not time-valid (not
- * expired nor future) *and* there is a later suitable candidate that is
- * time-valid.
+ * If there's a suitable candidate which is also time-valid, return the first
+ * such. Otherwise, return the first suitable candidate (or NULL if there is
+ * none).
*
* The rationale for this rule is that someone could have a list of trusted
* roots with two versions on the same root with different validity periods.
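Review bot: The reworded rule ("Otherwise, return the first suitable candidate") does not say that a parent returned through this fallback is expired or not yet valid, which is what a caller most needs to know. I would add a sentence such as `* A parent returned by the fallback is not time-valid; the caller is expected to check and report this.` Whether the caller actually does so is not visible in this hunk, so confirm before stating it as fact. The context line after it reads "two versions on the same root", which presumably should be "of the same root". The comment block and the function it documents both extend outside the hunk.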
@@ -1979,7 +1978,7 @@
continue;
}
- /* optionnal time check */
+ /* optional time check */
if( mbedtls_x509_time_is_past( &parent->valid_to ) ||
mbedtls_x509_time_is_future( &parent->valid_from ) )
{
@@ -2059,7 +2058,7 @@
*
* Given a peer-provided list of certificates EE, C1, ..., Cn and
* a list of trusted certs R1, ... Rp, try to build and verify a chain
- * EE, Ci1, ... Ciq, Rj
+ * EE, Ci1, ... Ciq [, Rj]
* such that every cert in the chain is a child of the next one,
* jumping to a trusted root as early as possible.
*
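Review bot: Writing the chain as `EE, Ci1, ... Ciq [, Rj]` makes the trusted root optional, but the visible text never says when Rj is absent or how that outcome is reported. A reader could take a returned chain without Rj as verified. I would add a line along the lines of `* (Rj is absent when no trusted root was found; the chain is then untrusted and this is reported to the caller.)`, with the reporting mechanism filled in from the function body, which is outside this hunk.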
@@ -2074,7 +2073,7 @@
* - [in] crt: the cert list EE, C1, ..., Cn
* - [in] trust_ca: the trusted list R1, ..., Rp
* - [in] ca_crl, profile: as in verify_with_profile()
- * - [out] ver_chain: the built and verified chain
+ * - [out] ver_chain, chain_len: the built and verified chain
*
* Return value:
* - non-zero if the chain could not be fully built and examined
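Review bot: `chain_len` is now listed as an output alongside `ver_chain`, but the comment does not say what it counts, in particular whether a trusted root Rj is included. A separate line such as `*  - [out] chain_len: number of certs in ver_chain (say whether Rj is counted)` would settle this. The point matters for callers that use the length to walk `ver_chain` or to enforce a path-length limit. The parameter list and the function signature sit outside the hunk, so the wording should be checked against how the body fills `chain_len`.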
@@ -2167,7 +2166,7 @@
#if defined(MBEDTLS_X509_CRL_PARSE_C)
/* Check trusted CA's CRL for the given crt */
- *flags |= x509_crt_verifycrl(child, parent, ca_crl, profile );
+ *flags |= x509_crt_verifycrl( child, parent, ca_crl, profile );
#else
(void) ca_crl;
#endif