grpc 1.9.1 → 1.10.0.pre1

data/third_party/boringssl/crypto/cpu-ppc64le.c

@@ -22,19 +22,17 @@
 
 
 #if !defined(PPC_FEATURE2_HAS_VCRYPTO)
-/* PPC_FEATURE2_HAS_VCRYPTO was taken from section 4.1.2.3 of the “OpenPOWER
- * ABI for Linux Supplement”. */
+// PPC_FEATURE2_HAS_VCRYPTO was taken from section 4.1.2.3 of the “OpenPOWER
+// ABI for Linux Supplement”.
 #define PPC_FEATURE2_HAS_VCRYPTO 0x02000000
 #endif
 
-static unsigned long g_ppc64le_hwcap2 = 0;
-
 void OPENSSL_cpuid_setup(void) {
-  g_ppc64le_hwcap2 = getauxval(AT_HWCAP2);
+  OPENSSL_ppc64le_hwcap2 = getauxval(AT_HWCAP2);
 }
 
 int CRYPTO_is_PPC64LE_vcrypto_capable(void) {
-  return (g_ppc64le_hwcap2 & PPC_FEATURE2_HAS_VCRYPTO) != 0;
+  return (OPENSSL_ppc64le_hwcap2 & PPC_FEATURE2_HAS_VCRYPTO) != 0;
 }
 
-#endif  /* OPENSSL_PPC64LE */
+#endif  // OPENSSL_PPC64LE

data/third_party/boringssl/crypto/crypto.c

@@ -23,14 +23,14 @@
     (defined(OPENSSL_X86) || defined(OPENSSL_X86_64) || \
      defined(OPENSSL_ARM) || defined(OPENSSL_AARCH64) || \
      defined(OPENSSL_PPC64LE))
-/* x86, x86_64, the ARMs and ppc64le need to record the result of a
- * cpuid/getauxval call for the asm to work correctly, unless compiled without
- * asm code. */
+// x86, x86_64, the ARMs and ppc64le need to record the result of a
+// cpuid/getauxval call for the asm to work correctly, unless compiled without
+// asm code.
 #define NEED_CPUID
 
 #else
 
-/* Otherwise, don't emit a static initialiser. */
+// Otherwise, don't emit a static initialiser.
 
 #if !defined(BORINGSSL_NO_STATIC_INITIALIZER)
 #define BORINGSSL_NO_STATIC_INITIALIZER
@@ -40,23 +40,29 @@
                                OPENSSL_ARM || OPENSSL_AARCH64) */
 
 
-/* The capability variables are defined in this file in order to work around a
- * linker bug. When linking with a .a, if no symbols in a .o are referenced
- * then the .o is discarded, even if it has constructor functions.
- *
- * This still means that any binaries that don't include some functionality
- * that tests the capability values will still skip the constructor but, so
- * far, the init constructor function only sets the capability variables. */
+// The capability variables are defined in this file in order to work around a
+// linker bug. When linking with a .a, if no symbols in a .o are referenced
+// then the .o is discarded, even if it has constructor functions.
+//
+// This still means that any binaries that don't include some functionality
+// that tests the capability values will still skip the constructor but, so
+// far, the init constructor function only sets the capability variables.
 
 #if defined(OPENSSL_X86) || defined(OPENSSL_X86_64)
-/* This value must be explicitly initialised to zero in order to work around a
- * bug in libtool or the linker on OS X.
- *
- * If not initialised then it becomes a "common symbol". When put into an
- * archive, linking on OS X will fail to resolve common symbols. By
- * initialising it to zero, it becomes a "data symbol", which isn't so
- * affected. */
+
+// This value must be explicitly initialised to zero in order to work around a
+// bug in libtool or the linker on OS X.
+//
+// If not initialised then it becomes a "common symbol". When put into an
+// archive, linking on OS X will fail to resolve common symbols. By
+// initialising it to zero, it becomes a "data symbol", which isn't so
+// affected.
 uint32_t OPENSSL_ia32cap_P[4] = {0};
+
+#elif defined(OPENSSL_PPC64LE)
+
+unsigned long OPENSSL_ppc64le_hwcap2 = 0;
+
 #elif defined(OPENSSL_ARM) || defined(OPENSSL_AARCH64)
 
 #include <openssl/arm_arch.h>
@@ -67,16 +73,16 @@ uint32_t OPENSSL_armcap_P =
 #if defined(OPENSSL_STATIC_ARMCAP_NEON) || defined(__ARM_NEON__)
     ARMV7_NEON |
 #endif
-#if defined(OPENSSL_STATIC_ARMCAP_AES)
+#if defined(OPENSSL_STATIC_ARMCAP_AES) || defined(__ARM_FEATURE_CRYPTO)
     ARMV8_AES |
 #endif
-#if defined(OPENSSL_STATIC_ARMCAP_SHA1)
+#if defined(OPENSSL_STATIC_ARMCAP_SHA1) || defined(__ARM_FEATURE_CRYPTO)
     ARMV8_SHA1 |
 #endif
-#if defined(OPENSSL_STATIC_ARMCAP_SHA256)
+#if defined(OPENSSL_STATIC_ARMCAP_SHA256) || defined(__ARM_FEATURE_CRYPTO)
     ARMV8_SHA256 |
 #endif
-#if defined(OPENSSL_STATIC_ARMCAP_PMULL)
+#if defined(OPENSSL_STATIC_ARMCAP_PMULL) || defined(__ARM_FEATURE_CRYPTO)
     ARMV8_PMULL |
 #endif
     0;
@@ -87,6 +93,11 @@ uint32_t OPENSSL_armcap_P = 0;
 
 #endif
 
+#if defined(BORINGSSL_FIPS)
+// In FIPS mode, the power-on self-test function calls |CRYPTO_library_init|
+// because we have to ensure that CPUID detection occurs first.
+#define BORINGSSL_NO_STATIC_INITIALIZER
+#endif
 
 #if defined(OPENSSL_WINDOWS) && !defined(BORINGSSL_NO_STATIC_INITIALIZER)
 #define OPENSSL_CDECL __cdecl
@@ -96,7 +107,7 @@ uint32_t OPENSSL_armcap_P = 0;
 
 #if defined(BORINGSSL_NO_STATIC_INITIALIZER)
 static CRYPTO_once_t once = CRYPTO_ONCE_INIT;
-#elif defined(OPENSSL_WINDOWS)
+#elif defined(_MSC_VER)
 #pragma section(".CRT$XCU", read)
 static void __cdecl do_library_init(void);
 __declspec(allocate(".CRT$XCU")) void(*library_init_constructor)(void) =
@@ -105,21 +116,21 @@ __declspec(allocate(".CRT$XCU")) void(*library_init_constructor)(void) =
 static void do_library_init(void) __attribute__ ((constructor));
 #endif
 
-/* do_library_init is the actual initialization function. If
- * BORINGSSL_NO_STATIC_INITIALIZER isn't defined, this is set as a static
- * initializer. Otherwise, it is called by CRYPTO_library_init. */
+// do_library_init is the actual initialization function. If
+// BORINGSSL_NO_STATIC_INITIALIZER isn't defined, this is set as a static
+// initializer. Otherwise, it is called by CRYPTO_library_init.
 static void OPENSSL_CDECL do_library_init(void) {
- /* WARNING: this function may only configure the capability variables. See the
-  * note above about the linker bug. */
+ // WARNING: this function may only configure the capability variables. See the
+ // note above about the linker bug.
 #if defined(NEED_CPUID)
   OPENSSL_cpuid_setup();
 #endif
 }
 
 void CRYPTO_library_init(void) {
-  /* TODO(davidben): It would be tidier if this build knob could be replaced
-   * with an internal lazy-init mechanism that would handle things correctly
-   * in-library. https://crbug.com/542879 */
+  // TODO(davidben): It would be tidier if this build knob could be replaced
+  // with an internal lazy-init mechanism that would handle things correctly
+  // in-library. https://crbug.com/542879
 #if defined(BORINGSSL_NO_STATIC_INITIALIZER)
   CRYPTO_once(&once, do_library_init);
 #endif
@@ -145,10 +156,18 @@ const char *SSLeay_version(int unused) {
   return "BoringSSL";
 }
 
+const char *OpenSSL_version(int unused) {
+  return "BoringSSL";
+}
+
 unsigned long SSLeay(void) {
   return OPENSSL_VERSION_NUMBER;
 }
 
+unsigned long OpenSSL_version_num(void) {
+  return OPENSSL_VERSION_NUMBER;
+}
+
 int CRYPTO_malloc_init(void) {
   return 1;
 }
@@ -161,4 +180,7 @@ int ENGINE_register_all_complete(void) {
 
 void OPENSSL_load_builtin_modules(void) {}
 
-int FIPS_mode(void) { return 0; }
+int OPENSSL_init_crypto(uint64_t opts, const OPENSSL_INIT_SETTINGS *settings) {
+  CRYPTO_library_init();
+  return 1;
+}

data/third_party/boringssl/crypto/curve25519/curve25519.c

@@ -12,12 +12,12 @@
  * OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN
  * CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. */
 
-/* This code is mostly taken from the ref10 version of Ed25519 in SUPERCOP
- * 20141124 (http://bench.cr.yp.to/supercop.html). That code is released as
- * public domain but this file has the ISC license just to keep licencing
- * simple.
- *
- * The field functions are shared by Ed25519 and X25519 where possible. */
+// This code is mostly taken from the ref10 version of Ed25519 in SUPERCOP
+// 20141124 (http://bench.cr.yp.to/supercop.html). That code is released as
+// public domain but this file has the ISC license just to keep licencing
+// simple.
+//
+// The field functions are shared by Ed25519 and X25519 where possible.
 
 #include <openssl/curve25519.h>
 
@@ -55,7 +55,7 @@ static uint64_t load_4(const uint8_t *in) {
 }
 
 static void fe_frombytes(fe h, const uint8_t *s) {
-  /* Ignores top bit of h. */
+  // Ignores top bit of h.
   int64_t h0 = load_4(s);
   int64_t h1 = load_3(s + 4) << 6;
   int64_t h2 = load_3(s + 7) << 5;
@@ -101,28 +101,28 @@ static void fe_frombytes(fe h, const uint8_t *s) {
   h[9] = h9;
 }
 
-/* Preconditions:
- *  |h| bounded by 1.1*2^26,1.1*2^25,1.1*2^26,1.1*2^25,etc.
- *
- * Write p=2^255-19; q=floor(h/p).
- * Basic claim: q = floor(2^(-255)(h + 19 2^(-25)h9 + 2^(-1))).
- *
- * Proof:
- *   Have |h|<=p so |q|<=1 so |19^2 2^(-255) q|<1/4.
- *   Also have |h-2^230 h9|<2^231 so |19 2^(-255)(h-2^230 h9)|<1/4.
- *
- *   Write y=2^(-1)-19^2 2^(-255)q-19 2^(-255)(h-2^230 h9).
- *   Then 0<y<1.
- *
- *   Write r=h-pq.
- *   Have 0<=r<=p-1=2^255-20.
- *   Thus 0<=r+19(2^-255)r<r+19(2^-255)2^255<=2^255-1.
- *
- *   Write x=r+19(2^-255)r+y.
- *   Then 0<x<2^255 so floor(2^(-255)x) = 0 so floor(q+2^(-255)x) = q.
- *
- *   Have q+2^(-255)x = 2^(-255)(h + 19 2^(-25) h9 + 2^(-1))
- *   so floor(2^(-255)(h + 19 2^(-25) h9 + 2^(-1))) = q. */
+// Preconditions:
+//  |h| bounded by 1.1*2^26,1.1*2^25,1.1*2^26,1.1*2^25,etc.
+//
+// Write p=2^255-19; q=floor(h/p).
+// Basic claim: q = floor(2^(-255)(h + 19 2^(-25)h9 + 2^(-1))).
+//
+// Proof:
+//   Have |h|<=p so |q|<=1 so |19^2 2^(-255) q|<1/4.
+//   Also have |h-2^230 h9|<2^231 so |19 2^(-255)(h-2^230 h9)|<1/4.
+//
+//   Write y=2^(-1)-19^2 2^(-255)q-19 2^(-255)(h-2^230 h9).
+//   Then 0<y<1.
+//
+//   Write r=h-pq.
+//   Have 0<=r<=p-1=2^255-20.
+//   Thus 0<=r+19(2^-255)r<r+19(2^-255)2^255<=2^255-1.
+//
+//   Write x=r+19(2^-255)r+y.
+//   Then 0<x<2^255 so floor(2^(-255)x) = 0 so floor(q+2^(-255)x) = q.
+//
+//   Have q+2^(-255)x = 2^(-255)(h + 19 2^(-25) h9 + 2^(-1))
+//   so floor(2^(-255)(h + 19 2^(-25) h9 + 2^(-1))) = q.
 static void fe_tobytes(uint8_t *s, const fe h) {
   int32_t h0 = h[0];
   int32_t h1 = h[1];
@@ -148,9 +148,9 @@ static void fe_tobytes(uint8_t *s, const fe h) {
   q = (h8 + q) >> 26;
   q = (h9 + q) >> 25;
 
-  /* Goal: Output h-(2^255-19)q, which is between 0 and 2^255-20. */
+  // Goal: Output h-(2^255-19)q, which is between 0 and 2^255-20.
   h0 += 19 * q;
-  /* Goal: Output h-2^255 q, which is between 0 and 2^255-20. */
+  // Goal: Output h-2^255 q, which is between 0 and 2^255-20.
 
   h1 += h0 >> 26; h0 &= kBottom26Bits;
   h2 += h1 >> 25; h1 &= kBottom25Bits;
@@ -162,12 +162,12 @@ static void fe_tobytes(uint8_t *s, const fe h) {
   h8 += h7 >> 25; h7 &= kBottom25Bits;
   h9 += h8 >> 26; h8 &= kBottom26Bits;
                   h9 &= kBottom25Bits;
-                  /* h10 = carry9 */
+                  // h10 = carry9
 
-  /* Goal: Output h0+...+2^255 h10-2^255 q, which is between 0 and 2^255-20.
-   * Have h0+...+2^230 h9 between 0 and 2^255-1;
-   * evidently 2^255 h10-2^255 q = 0.
-   * Goal: Output h0+...+2^230 h9.  */
+  // Goal: Output h0+...+2^255 h10-2^255 q, which is between 0 and 2^255-20.
+  // Have h0+...+2^230 h9 between 0 and 2^255-1;
+  // evidently 2^255 h10-2^255 q = 0.
+  // Goal: Output h0+...+2^230 h9.
 
   s[0] = h0 >> 0;
   s[1] = h0 >> 8;
@@ -203,29 +203,29 @@ static void fe_tobytes(uint8_t *s, const fe h) {
   s[31] = h9 >> 18;
 }
 
-/* h = f */
+// h = f
 static void fe_copy(fe h, const fe f) {
   OPENSSL_memmove(h, f, sizeof(int32_t) * 10);
 }
 
-/* h = 0 */
+// h = 0
 static void fe_0(fe h) { OPENSSL_memset(h, 0, sizeof(int32_t) * 10); }
 
-/* h = 1 */
+// h = 1
 static void fe_1(fe h) {
   OPENSSL_memset(h, 0, sizeof(int32_t) * 10);
   h[0] = 1;
 }
 
-/* h = f + g
- * Can overlap h with f or g.
- *
- * Preconditions:
- *    |f| bounded by 1.1*2^25,1.1*2^24,1.1*2^25,1.1*2^24,etc.
- *    |g| bounded by 1.1*2^25,1.1*2^24,1.1*2^25,1.1*2^24,etc.
- *
- * Postconditions:
- *    |h| bounded by 1.1*2^26,1.1*2^25,1.1*2^26,1.1*2^25,etc. */
+// h = f + g
+// Can overlap h with f or g.
+//
+// Preconditions:
+//    |f| bounded by 1.1*2^25,1.1*2^24,1.1*2^25,1.1*2^24,etc.
+//    |g| bounded by 1.1*2^25,1.1*2^24,1.1*2^25,1.1*2^24,etc.
+//
+// Postconditions:
+//    |h| bounded by 1.1*2^26,1.1*2^25,1.1*2^26,1.1*2^25,etc.
 static void fe_add(fe h, const fe f, const fe g) {
   unsigned i;
   for (i = 0; i < 10; i++) {
@@ -233,15 +233,15 @@ static void fe_add(fe h, const fe f, const fe g) {
   }
 }
 
-/* h = f - g
- * Can overlap h with f or g.
- *
- * Preconditions:
- *    |f| bounded by 1.1*2^25,1.1*2^24,1.1*2^25,1.1*2^24,etc.
- *    |g| bounded by 1.1*2^25,1.1*2^24,1.1*2^25,1.1*2^24,etc.
- *
- * Postconditions:
- *    |h| bounded by 1.1*2^26,1.1*2^25,1.1*2^26,1.1*2^25,etc. */
+// h = f - g
+// Can overlap h with f or g.
+//
+// Preconditions:
+//    |f| bounded by 1.1*2^25,1.1*2^24,1.1*2^25,1.1*2^24,etc.
+//    |g| bounded by 1.1*2^25,1.1*2^24,1.1*2^25,1.1*2^24,etc.
+//
+// Postconditions:
+//    |h| bounded by 1.1*2^26,1.1*2^25,1.1*2^26,1.1*2^25,etc.
 static void fe_sub(fe h, const fe f, const fe g) {
   unsigned i;
   for (i = 0; i < 10; i++) {
@@ -249,33 +249,33 @@ static void fe_sub(fe h, const fe f, const fe g) {
   }
 }
 
-/* h = f * g
- * Can overlap h with f or g.
- *
- * Preconditions:
- *    |f| bounded by 1.65*2^26,1.65*2^25,1.65*2^26,1.65*2^25,etc.
- *    |g| bounded by 1.65*2^26,1.65*2^25,1.65*2^26,1.65*2^25,etc.
- *
- * Postconditions:
- *    |h| bounded by 1.01*2^25,1.01*2^24,1.01*2^25,1.01*2^24,etc.
- *
- * Notes on implementation strategy:
- *
- * Using schoolbook multiplication.
- * Karatsuba would save a little in some cost models.
- *
- * Most multiplications by 2 and 19 are 32-bit precomputations;
- * cheaper than 64-bit postcomputations.
- *
- * There is one remaining multiplication by 19 in the carry chain;
- * one *19 precomputation can be merged into this,
- * but the resulting data flow is considerably less clean.
- *
- * There are 12 carries below.
- * 10 of them are 2-way parallelizable and vectorizable.
- * Can get away with 11 carries, but then data flow is much deeper.
- *
- * With tighter constraints on inputs can squeeze carries into int32. */
+// h = f * g
+// Can overlap h with f or g.
+//
+// Preconditions:
+//    |f| bounded by 1.65*2^26,1.65*2^25,1.65*2^26,1.65*2^25,etc.
+//    |g| bounded by 1.65*2^26,1.65*2^25,1.65*2^26,1.65*2^25,etc.
+//
+// Postconditions:
+//    |h| bounded by 1.01*2^25,1.01*2^24,1.01*2^25,1.01*2^24,etc.
+//
+// Notes on implementation strategy:
+//
+// Using schoolbook multiplication.
+// Karatsuba would save a little in some cost models.
+//
+// Most multiplications by 2 and 19 are 32-bit precomputations;
+// cheaper than 64-bit postcomputations.
+//
+// There is one remaining multiplication by 19 in the carry chain;
+// one *19 precomputation can be merged into this,
+// but the resulting data flow is considerably less clean.
+//
+// There are 12 carries below.
+// 10 of them are 2-way parallelizable and vectorizable.
+// Can get away with 11 carries, but then data flow is much deeper.
+//
+// With tighter constraints on inputs can squeeze carries into int32.
 static void fe_mul(fe h, const fe f, const fe g) {
   int32_t f0 = f[0];
   int32_t f1 = f[1];
@@ -297,8 +297,8 @@ static void fe_mul(fe h, const fe f, const fe g) {
   int32_t g7 = g[7];
   int32_t g8 = g[8];
   int32_t g9 = g[9];
-  int32_t g1_19 = 19 * g1; /* 1.959375*2^29 */
-  int32_t g2_19 = 19 * g2; /* 1.959375*2^30; still ok */
+  int32_t g1_19 = 19 * g1;  // 1.959375*2^29
+  int32_t g2_19 = 19 * g2;  // 1.959375*2^30; still ok
   int32_t g3_19 = 19 * g3;
   int32_t g4_19 = 19 * g4;
   int32_t g5_19 = 19 * g5;
@@ -432,53 +432,53 @@ static void fe_mul(fe h, const fe f, const fe g) {
   int64_t carry8;
   int64_t carry9;
 
-  /* |h0| <= (1.65*1.65*2^52*(1+19+19+19+19)+1.65*1.65*2^50*(38+38+38+38+38))
-   *   i.e. |h0| <= 1.4*2^60; narrower ranges for h2, h4, h6, h8
-   * |h1| <= (1.65*1.65*2^51*(1+1+19+19+19+19+19+19+19+19))
-   *   i.e. |h1| <= 1.7*2^59; narrower ranges for h3, h5, h7, h9 */
+  // |h0| <= (1.65*1.65*2^52*(1+19+19+19+19)+1.65*1.65*2^50*(38+38+38+38+38))
+  //   i.e. |h0| <= 1.4*2^60; narrower ranges for h2, h4, h6, h8
+  // |h1| <= (1.65*1.65*2^51*(1+1+19+19+19+19+19+19+19+19))
+  //   i.e. |h1| <= 1.7*2^59; narrower ranges for h3, h5, h7, h9
 
   carry0 = h0 + (1 << 25); h1 += carry0 >> 26; h0 -= carry0 & kTop38Bits;
   carry4 = h4 + (1 << 25); h5 += carry4 >> 26; h4 -= carry4 & kTop38Bits;
-  /* |h0| <= 2^25 */
-  /* |h4| <= 2^25 */
-  /* |h1| <= 1.71*2^59 */
-  /* |h5| <= 1.71*2^59 */
+  // |h0| <= 2^25
+  // |h4| <= 2^25
+  // |h1| <= 1.71*2^59
+  // |h5| <= 1.71*2^59
 
   carry1 = h1 + (1 << 24); h2 += carry1 >> 25; h1 -= carry1 & kTop39Bits;
   carry5 = h5 + (1 << 24); h6 += carry5 >> 25; h5 -= carry5 & kTop39Bits;
-  /* |h1| <= 2^24; from now on fits into int32 */
-  /* |h5| <= 2^24; from now on fits into int32 */
-  /* |h2| <= 1.41*2^60 */
-  /* |h6| <= 1.41*2^60 */
+  // |h1| <= 2^24; from now on fits into int32
+  // |h5| <= 2^24; from now on fits into int32
+  // |h2| <= 1.41*2^60
+  // |h6| <= 1.41*2^60
 
   carry2 = h2 + (1 << 25); h3 += carry2 >> 26; h2 -= carry2 & kTop38Bits;
   carry6 = h6 + (1 << 25); h7 += carry6 >> 26; h6 -= carry6 & kTop38Bits;
-  /* |h2| <= 2^25; from now on fits into int32 unchanged */
-  /* |h6| <= 2^25; from now on fits into int32 unchanged */
-  /* |h3| <= 1.71*2^59 */
-  /* |h7| <= 1.71*2^59 */
+  // |h2| <= 2^25; from now on fits into int32 unchanged
+  // |h6| <= 2^25; from now on fits into int32 unchanged
+  // |h3| <= 1.71*2^59
+  // |h7| <= 1.71*2^59
 
   carry3 = h3 + (1 << 24); h4 += carry3 >> 25; h3 -= carry3 & kTop39Bits;
   carry7 = h7 + (1 << 24); h8 += carry7 >> 25; h7 -= carry7 & kTop39Bits;
-  /* |h3| <= 2^24; from now on fits into int32 unchanged */
-  /* |h7| <= 2^24; from now on fits into int32 unchanged */
-  /* |h4| <= 1.72*2^34 */
-  /* |h8| <= 1.41*2^60 */
+  // |h3| <= 2^24; from now on fits into int32 unchanged
+  // |h7| <= 2^24; from now on fits into int32 unchanged
+  // |h4| <= 1.72*2^34
+  // |h8| <= 1.41*2^60
 
   carry4 = h4 + (1 << 25); h5 += carry4 >> 26; h4 -= carry4 & kTop38Bits;
   carry8 = h8 + (1 << 25); h9 += carry8 >> 26; h8 -= carry8 & kTop38Bits;
-  /* |h4| <= 2^25; from now on fits into int32 unchanged */
-  /* |h8| <= 2^25; from now on fits into int32 unchanged */
-  /* |h5| <= 1.01*2^24 */
-  /* |h9| <= 1.71*2^59 */
+  // |h4| <= 2^25; from now on fits into int32 unchanged
+  // |h8| <= 2^25; from now on fits into int32 unchanged
+  // |h5| <= 1.01*2^24
+  // |h9| <= 1.71*2^59
 
   carry9 = h9 + (1 << 24); h0 += (carry9 >> 25) * 19; h9 -= carry9 & kTop39Bits;
-  /* |h9| <= 2^24; from now on fits into int32 unchanged */
-  /* |h0| <= 1.1*2^39 */
+  // |h9| <= 2^24; from now on fits into int32 unchanged
+  // |h0| <= 1.1*2^39
 
   carry0 = h0 + (1 << 25); h1 += carry0 >> 26; h0 -= carry0 & kTop38Bits;
-  /* |h0| <= 2^25; from now on fits into int32 unchanged */
-  /* |h1| <= 1.01*2^24 */
+  // |h0| <= 2^25; from now on fits into int32 unchanged
+  // |h1| <= 1.01*2^24
 
   h[0] = h0;
   h[1] = h1;
@@ -492,16 +492,16 @@ static void fe_mul(fe h, const fe f, const fe g) {
   h[9] = h9;
 }
 
-/* h = f * f
- * Can overlap h with f.
- *
- * Preconditions:
- *    |f| bounded by 1.65*2^26,1.65*2^25,1.65*2^26,1.65*2^25,etc.
- *
- * Postconditions:
- *    |h| bounded by 1.01*2^25,1.01*2^24,1.01*2^25,1.01*2^24,etc.
- *
- * See fe_mul.c for discussion of implementation strategy. */
+// h = f * f
+// Can overlap h with f.
+//
+// Preconditions:
+//    |f| bounded by 1.65*2^26,1.65*2^25,1.65*2^26,1.65*2^25,etc.
+//
+// Postconditions:
+//    |h| bounded by 1.01*2^25,1.01*2^24,1.01*2^25,1.01*2^24,etc.
+//
+// See fe_mul.c for discussion of implementation strategy.
 static void fe_sq(fe h, const fe f) {
   int32_t f0 = f[0];
   int32_t f1 = f[1];
@@ -521,11 +521,11 @@ static void fe_sq(fe h, const fe f) {
   int32_t f5_2 = 2 * f5;
   int32_t f6_2 = 2 * f6;
   int32_t f7_2 = 2 * f7;
-  int32_t f5_38 = 38 * f5; /* 1.959375*2^30 */
-  int32_t f6_19 = 19 * f6; /* 1.959375*2^30 */
-  int32_t f7_38 = 38 * f7; /* 1.959375*2^30 */
-  int32_t f8_19 = 19 * f8; /* 1.959375*2^30 */
-  int32_t f9_38 = 38 * f9; /* 1.959375*2^30 */
+  int32_t f5_38 = 38 * f5;  // 1.959375*2^30
+  int32_t f6_19 = 19 * f6;  // 1.959375*2^30
+  int32_t f7_38 = 38 * f7;  // 1.959375*2^30
+  int32_t f8_19 = 19 * f8;  // 1.959375*2^30
+  int32_t f9_38 = 38 * f9;  // 1.959375*2^30
   int64_t f0f0    = f0   * (int64_t) f0;
   int64_t f0f1_2  = f0_2 * (int64_t) f1;
   int64_t f0f2_2  = f0_2 * (int64_t) f2;
@@ -691,13 +691,13 @@ static void fe_invert(fe out, const fe z) {
   fe_mul(out, t1, t0);
 }
 
-/* h = -f
- *
- * Preconditions:
- *    |f| bounded by 1.1*2^25,1.1*2^24,1.1*2^25,1.1*2^24,etc.
- *
- * Postconditions:
- *    |h| bounded by 1.1*2^25,1.1*2^24,1.1*2^25,1.1*2^24,etc. */
+// h = -f
+//
+// Preconditions:
+//    |f| bounded by 1.1*2^25,1.1*2^24,1.1*2^25,1.1*2^24,etc.
+//
+// Postconditions:
+//    |h| bounded by 1.1*2^25,1.1*2^24,1.1*2^25,1.1*2^24,etc.
 static void fe_neg(fe h, const fe f) {
   unsigned i;
   for (i = 0; i < 10; i++) {
@@ -705,10 +705,10 @@ static void fe_neg(fe h, const fe f) {
   }
 }
 
-/* Replace (f,g) with (g,g) if b == 1;
- * replace (f,g) with (f,g) if b == 0.
- *
- * Preconditions: b in {0,1}. */
+// Replace (f,g) with (g,g) if b == 1;
+// replace (f,g) with (f,g) if b == 0.
+//
+// Preconditions: b in {0,1}.
 static void fe_cmov(fe f, const fe g, unsigned b) {
   b = 0-b;
   unsigned i;
@@ -719,11 +719,11 @@ static void fe_cmov(fe f, const fe g, unsigned b) {
   }
 }
 
-/* return 0 if f == 0
- * return 1 if f != 0
- *
- * Preconditions:
- *    |f| bounded by 1.1*2^26,1.1*2^25,1.1*2^26,1.1*2^25,etc. */
+// return 0 if f == 0
+// return 1 if f != 0
+//
+// Preconditions:
+//    |f| bounded by 1.1*2^26,1.1*2^25,1.1*2^26,1.1*2^25,etc.
 static int fe_isnonzero(const fe f) {
   uint8_t s[32];
   fe_tobytes(s, f);
@@ -732,27 +732,27 @@ static int fe_isnonzero(const fe f) {
   return CRYPTO_memcmp(s, zero, sizeof(zero)) != 0;
 }
 
-/* return 1 if f is in {1,3,5,...,q-2}
- * return 0 if f is in {0,2,4,...,q-1}
- *
- * Preconditions:
- *    |f| bounded by 1.1*2^26,1.1*2^25,1.1*2^26,1.1*2^25,etc. */
+// return 1 if f is in {1,3,5,...,q-2}
+// return 0 if f is in {0,2,4,...,q-1}
+//
+// Preconditions:
+//    |f| bounded by 1.1*2^26,1.1*2^25,1.1*2^26,1.1*2^25,etc.
 static int fe_isnegative(const fe f) {
   uint8_t s[32];
   fe_tobytes(s, f);
   return s[0] & 1;
 }
 
-/* h = 2 * f * f
- * Can overlap h with f.
- *
- * Preconditions:
- *    |f| bounded by 1.65*2^26,1.65*2^25,1.65*2^26,1.65*2^25,etc.
- *
- * Postconditions:
- *    |h| bounded by 1.01*2^25,1.01*2^24,1.01*2^25,1.01*2^24,etc.
- *
- * See fe_mul.c for discussion of implementation strategy. */
+// h = 2 * f * f
+// Can overlap h with f.
+//
+// Preconditions:
+//    |f| bounded by 1.65*2^26,1.65*2^25,1.65*2^26,1.65*2^25,etc.
+//
+// Postconditions:
+//    |h| bounded by 1.01*2^25,1.01*2^24,1.01*2^25,1.01*2^24,etc.
+//
+// See fe_mul.c for discussion of implementation strategy.
 static void fe_sq2(fe h, const fe f) {
   int32_t f0 = f[0];
   int32_t f1 = f[1];
@@ -772,11 +772,11 @@ static void fe_sq2(fe h, const fe f) {
   int32_t f5_2 = 2 * f5;
   int32_t f6_2 = 2 * f6;
   int32_t f7_2 = 2 * f7;
-  int32_t f5_38 = 38 * f5; /* 1.959375*2^30 */
-  int32_t f6_19 = 19 * f6; /* 1.959375*2^30 */
-  int32_t f7_38 = 38 * f7; /* 1.959375*2^30 */
-  int32_t f8_19 = 19 * f8; /* 1.959375*2^30 */
-  int32_t f9_38 = 38 * f9; /* 1.959375*2^30 */
+  int32_t f5_38 = 38 * f5;  // 1.959375*2^30
+  int32_t f6_19 = 19 * f6;  // 1.959375*2^30
+  int32_t f7_38 = 38 * f7;  // 1.959375*2^30
+  int32_t f8_19 = 19 * f8;  // 1.959375*2^30
+  int32_t f9_38 = 38 * f9;  // 1.959375*2^30
   int64_t f0f0    = f0   * (int64_t) f0;
   int64_t f0f1_2  = f0_2 * (int64_t) f1;
   int64_t f0f2_2  = f0_2 * (int64_t) f2;
@@ -993,24 +993,24 @@ int x25519_ge_frombytes_vartime(ge_p3 *h, const uint8_t *s) {
   fe_1(h->Z);
   fe_sq(u, h->Y);
   fe_mul(v, u, d);
-  fe_sub(u, u, h->Z); /* u = y^2-1 */
-  fe_add(v, v, h->Z); /* v = dy^2+1 */
+  fe_sub(u, u, h->Z);  // u = y^2-1
+  fe_add(v, v, h->Z);  // v = dy^2+1
 
   fe_sq(v3, v);
-  fe_mul(v3, v3, v); /* v3 = v^3 */
+  fe_mul(v3, v3, v);  // v3 = v^3
   fe_sq(h->X, v3);
   fe_mul(h->X, h->X, v);
-  fe_mul(h->X, h->X, u); /* x = uv^7 */
+  fe_mul(h->X, h->X, u);  // x = uv^7
 
-  fe_pow22523(h->X, h->X); /* x = (uv^7)^((q-5)/8) */
+  fe_pow22523(h->X, h->X);  // x = (uv^7)^((q-5)/8)
   fe_mul(h->X, h->X, v3);
-  fe_mul(h->X, h->X, u); /* x = uv^3(uv^7)^((q-5)/8) */
+  fe_mul(h->X, h->X, u);  // x = uv^3(uv^7)^((q-5)/8)
 
   fe_sq(vxx, h->X);
   fe_mul(vxx, vxx, v);
-  fe_sub(check, vxx, u); /* vx^2-u */
+  fe_sub(check, vxx, u);  // vx^2-u
   if (fe_isnonzero(check)) {
-    fe_add(check, vxx, u); /* vx^2+u */
+    fe_add(check, vxx, u);  // vx^2+u
     if (fe_isnonzero(check)) {
       return -1;
     }
@@ -1051,7 +1051,7 @@ static void ge_precomp_0(ge_precomp *h) {
   fe_0(h->xy2d);
 }
 
-/* r = p */
+// r = p
 static void ge_p3_to_p2(ge_p2 *r, const ge_p3 *p) {
   fe_copy(r->X, p->X);
   fe_copy(r->Y, p->Y);
@@ -1061,7 +1061,7 @@ static void ge_p3_to_p2(ge_p2 *r, const ge_p3 *p) {
 static const fe d2 = {-21827239, -5839606,  -30745221, 13898782, 229458,
                       15978800,  -12551817, -6495438,  29715968, 9444199};
 
-/* r = p */
+// r = p
 void x25519_ge_p3_to_cached(ge_cached *r, const ge_p3 *p) {
   fe_add(r->YplusX, p->Y, p->X);
   fe_sub(r->YminusX, p->Y, p->X);
@@ -1069,14 +1069,14 @@ void x25519_ge_p3_to_cached(ge_cached *r, const ge_p3 *p) {
   fe_mul(r->T2d, p->T, d2);
 }
 
-/* r = p */
+// r = p
 void x25519_ge_p1p1_to_p2(ge_p2 *r, const ge_p1p1 *p) {
   fe_mul(r->X, p->X, p->T);
   fe_mul(r->Y, p->Y, p->Z);
   fe_mul(r->Z, p->Z, p->T);
 }
 
-/* r = p */
+// r = p
 void x25519_ge_p1p1_to_p3(ge_p3 *r, const ge_p1p1 *p) {
   fe_mul(r->X, p->X, p->T);
   fe_mul(r->Y, p->Y, p->Z);
@@ -1084,14 +1084,14 @@ void x25519_ge_p1p1_to_p3(ge_p3 *r, const ge_p1p1 *p) {
   fe_mul(r->T, p->X, p->Y);
 }
 
-/* r = p */
+// r = p
 static void ge_p1p1_to_cached(ge_cached *r, const ge_p1p1 *p) {
   ge_p3 t;
   x25519_ge_p1p1_to_p3(&t, p);
   x25519_ge_p3_to_cached(r, &t);
 }
 
-/* r = 2 * p */
+// r = 2 * p
 static void ge_p2_dbl(ge_p1p1 *r, const ge_p2 *p) {
   fe t0;
 
@@ -1106,14 +1106,14 @@ static void ge_p2_dbl(ge_p1p1 *r, const ge_p2 *p) {
   fe_sub(r->T, r->T, r->Z);
 }
 
-/* r = 2 * p */
+// r = 2 * p
 static void ge_p3_dbl(ge_p1p1 *r, const ge_p3 *p) {
   ge_p2 q;
   ge_p3_to_p2(&q, p);
   ge_p2_dbl(r, &q);
 }
 
-/* r = p + q */
+// r = p + q
 static void ge_madd(ge_p1p1 *r, const ge_p3 *p, const ge_precomp *q) {
   fe t0;
 
@@ -1129,7 +1129,7 @@ static void ge_madd(ge_p1p1 *r, const ge_p3 *p, const ge_precomp *q) {
   fe_sub(r->T, t0, r->T);
 }
 
-/* r = p - q */
+// r = p - q
 static void ge_msub(ge_p1p1 *r, const ge_p3 *p, const ge_precomp *q) {
   fe t0;
 
@@ -1145,7 +1145,7 @@ static void ge_msub(ge_p1p1 *r, const ge_p3 *p, const ge_precomp *q) {
   fe_add(r->T, t0, r->T);
 }
 
-/* r = p + q */
+// r = p + q
 void x25519_ge_add(ge_p1p1 *r, const ge_p3 *p, const ge_cached *q) {
   fe t0;
 
@@ -1162,7 +1162,7 @@ void x25519_ge_add(ge_p1p1 *r, const ge_p3 *p, const ge_cached *q) {
   fe_sub(r->T, t0, r->T);
 }
 
-/* r = p - q */
+// r = p - q
 void x25519_ge_sub(ge_p1p1 *r, const ge_p3 *p, const ge_cached *q) {
   fe t0;
 
@@ -1182,10 +1182,10 @@ void x25519_ge_sub(ge_p1p1 *r, const ge_p3 *p, const ge_cached *q) {
 static uint8_t equal(signed char b, signed char c) {
   uint8_t ub = b;
   uint8_t uc = c;
-  uint8_t x = ub ^ uc; /* 0: yes; 1..255: no */
-  uint32_t y = x;      /* 0: yes; 1..255: no */
-  y -= 1;              /* 4294967295: yes; 0..254: no */
-  y >>= 31;            /* 1: yes; 0: no */
+  uint8_t x = ub ^ uc;  // 0: yes; 1..255: no
+  uint32_t y = x;       // 0: yes; 1..255: no
+  y -= 1;               // 4294967295: yes; 0..254: no
+  y >>= 31;             // 1: yes; 0: no
   return y;
 }
 
@@ -1197,8 +1197,8 @@ static void cmov(ge_precomp *t, const ge_precomp *u, uint8_t b) {
 
 void x25519_ge_scalarmult_small_precomp(
     ge_p3 *h, const uint8_t a[32], const uint8_t precomp_table[15 * 2 * 32]) {
-  /* precomp_table is first expanded into matching |ge_precomp|
-   * elements. */
+  // precomp_table is first expanded into matching |ge_precomp|
+  // elements.
   ge_precomp multiples[15];
 
   unsigned i;
@@ -1215,9 +1215,9 @@ void x25519_ge_scalarmult_small_precomp(
     fe_mul(out->xy2d, out->xy2d, d2);
   }
 
-  /* See the comment above |k25519SmallPrecomp| about the structure of the
-   * precomputed elements. This loop does 64 additions and 64 doublings to
-   * calculate the result. */
+  // See the comment above |k25519SmallPrecomp| about the structure of the
+  // precomputed elements. This loop does 64 additions and 64 doublings to
+  // calculate the result.
   ge_p3_0(h);
 
   for (i = 63; i < 64; i--) {
@@ -1249,14 +1249,14 @@ void x25519_ge_scalarmult_small_precomp(
 
 #if defined(OPENSSL_SMALL)
 
-/* This block of code replaces the standard base-point table with a much smaller
- * one. The standard table is 30,720 bytes while this one is just 960.
- *
- * This table contains 15 pairs of group elements, (x, y), where each field
- * element is serialised with |fe_tobytes|. If |i| is the index of the group
- * element then consider i+1 as a four-bit number: (i₀, i₁, i₂, i₃) (where i₀
- * is the most significant bit). The value of the group element is then:
- * (i₀×2^192 + i₁×2^128 + i₂×2^64 + i₃)G, where G is the generator. */
+// This block of code replaces the standard base-point table with a much smaller
+// one. The standard table is 30,720 bytes while this one is just 960.
+//
+// This table contains 15 pairs of group elements, (x, y), where each field
+// element is serialised with |fe_tobytes|. If |i| is the index of the group
+// element then consider i+1 as a four-bit number: (i₀, i₁, i₂, i₃) (where i₀
+// is the most significant bit). The value of the group element is then:
+// (i₀×2^192 + i₁×2^128 + i₂×2^64 + i₃)G, where G is the generator.
 static const uint8_t k25519SmallPrecomp[15 * 2 * 32] = {
     0x1a, 0xd5, 0x25, 0x8f, 0x60, 0x2d, 0x56, 0xc9, 0xb2, 0xa7, 0x25, 0x95,
     0x60, 0xc7, 0x2c, 0x69, 0x5c, 0xdc, 0xd6, 0xfd, 0x31, 0xe2, 0xa4, 0xc0,
@@ -1346,7 +1346,7 @@ void x25519_ge_scalarmult_base(ge_p3 *h, const uint8_t a[32]) {
 
 #else
 
-/* k25519Precomp[i][j] = (j+1)*256^i*B */
+// k25519Precomp[i][j] = (j+1)*256^i*B
 static const ge_precomp k25519Precomp[32][8] = {
     {
         {
@@ -3464,7 +3464,7 @@ static const ge_precomp k25519Precomp[32][8] = {
 
 static uint8_t negative(signed char b) {
   uint32_t x = b;
-  x >>= 31; /* 1: yes; 0: no */
+  x >>= 31;  // 1: yes; 0: no
   return x;
 }
 
@@ -3488,12 +3488,12 @@ static void table_select(ge_precomp *t, int pos, signed char b) {
   cmov(t, &minust, bnegative);
 }
 
-/* h = a * B
- * where a = a[0]+256*a[1]+...+256^31 a[31]
- * B is the Ed25519 base point (x,4/5) with x positive.
- *
- * Preconditions:
- *   a[31] <= 127 */
+// h = a * B
+// where a = a[0]+256*a[1]+...+256^31 a[31]
+// B is the Ed25519 base point (x,4/5) with x positive.
+//
+// Preconditions:
+//   a[31] <= 127
 void x25519_ge_scalarmult_base(ge_p3 *h, const uint8_t *a) {
   signed char e[64];
   signed char carry;
@@ -3506,8 +3506,8 @@ void x25519_ge_scalarmult_base(ge_p3 *h, const uint8_t *a) {
     e[2 * i + 0] = (a[i] >> 0) & 15;
     e[2 * i + 1] = (a[i] >> 4) & 15;
   }
-  /* each e[i] is between 0 and 15 */
-  /* e[63] is between 0 and 7 */
+  // each e[i] is between 0 and 15
+  // e[63] is between 0 and 7
 
   carry = 0;
   for (i = 0; i < 63; ++i) {
@@ -3517,7 +3517,7 @@ void x25519_ge_scalarmult_base(ge_p3 *h, const uint8_t *a) {
     e[i] -= carry << 4;
   }
   e[63] += carry;
-  /* each e[i] is between -8 and 8 */
+  // each e[i] is between -8 and 8
 
   ge_p3_0(h);
   for (i = 1; i < 64; i += 2) {
@@ -3551,8 +3551,8 @@ static void cmov_cached(ge_cached *t, ge_cached *u, uint8_t b) {
   fe_cmov(t->T2d, u->T2d, b);
 }
 
-/* r = scalar * A.
- * where a = a[0]+256*a[1]+...+256^31 a[31]. */
+// r = scalar * A.
+// where a = a[0]+256*a[1]+...+256^31 a[31].
 void x25519_ge_scalarmult(ge_p2 *r, const uint8_t *scalar, const ge_p3 *A) {
   ge_p2 Ai_p2[8];
   ge_cached Ai[16];
@@ -3706,15 +3706,15 @@ static const ge_precomp Bi[8] = {
     },
 };
 
-/* r = a * A + b * B
- * where a = a[0]+256*a[1]+...+256^31 a[31].
- * and b = b[0]+256*b[1]+...+256^31 b[31].
- * B is the Ed25519 base point (x,4/5) with x positive. */
+// r = a * A + b * B
+// where a = a[0]+256*a[1]+...+256^31 a[31].
+// and b = b[0]+256*b[1]+...+256^31 b[31].
+// B is the Ed25519 base point (x,4/5) with x positive.
 static void ge_double_scalarmult_vartime(ge_p2 *r, const uint8_t *a,
                                          const ge_p3 *A, const uint8_t *b) {
   signed char aslide[256];
   signed char bslide[256];
-  ge_cached Ai[8]; /* A,3A,5A,7A,9A,11A,13A,15A */
+  ge_cached Ai[8];  // A,3A,5A,7A,9A,11A,13A,15A
   ge_p1p1 t;
   ge_p3 u;
   ge_p3 A2;
@@ -3779,16 +3779,16 @@ static void ge_double_scalarmult_vartime(ge_p2 *r, const uint8_t *a,
   }
 }
 
-/* The set of scalars is \Z/l
- * where l = 2^252 + 27742317777372353535851937790883648493. */
+// The set of scalars is \Z/l
+// where l = 2^252 + 27742317777372353535851937790883648493.
 
-/* Input:
- *   s[0]+256*s[1]+...+256^63*s[63] = s
- *
- * Output:
- *   s[0]+256*s[1]+...+256^31*s[31] = s mod l
- *   where l = 2^252 + 27742317777372353535851937790883648493.
- *   Overwrites s in place. */
+// Input:
+//   s[0]+256*s[1]+...+256^63*s[63] = s
+//
+// Output:
+//   s[0]+256*s[1]+...+256^31*s[31] = s mod l
+//   where l = 2^252 + 27742317777372353535851937790883648493.
+//   Overwrites s in place.
 void x25519_sc_reduce(uint8_t *s) {
   int64_t s0 = 2097151 & load_3(s);
   int64_t s1 = 2097151 & (load_4(s + 2) >> 5);
@@ -4122,14 +4122,14 @@ void x25519_sc_reduce(uint8_t *s) {
   s[31] = s11 >> 17;
 }
 
-/* Input:
- *   a[0]+256*a[1]+...+256^31*a[31] = a
- *   b[0]+256*b[1]+...+256^31*b[31] = b
- *   c[0]+256*c[1]+...+256^31*c[31] = c
- *
- * Output:
- *   s[0]+256*s[1]+...+256^31*s[31] = (ab+c) mod l
- *   where l = 2^252 + 27742317777372353535851937790883648493. */
+// Input:
+//   a[0]+256*a[1]+...+256^31*a[31] = a
+//   b[0]+256*b[1]+...+256^31*b[31] = b
+//   c[0]+256*c[1]+...+256^31*c[31] = c
+//
+// Output:
+//   s[0]+256*s[1]+...+256^31*s[31] = (ab+c) mod l
+//   where l = 2^252 + 27742317777372353535851937790883648493.
 static void sc_muladd(uint8_t *s, const uint8_t *a, const uint8_t *b,
                       const uint8_t *c) {
   int64_t a0 = 2097151 & load_3(a);
@@ -4716,10 +4716,10 @@ static void x25519_scalar_mult(uint8_t out[32], const uint8_t scalar[32],
 
 #else
 
-/* Replace (f,g) with (g,f) if b == 1;
- * replace (f,g) with (f,g) if b == 0.
- *
- * Preconditions: b in {0,1}. */
+// Replace (f,g) with (g,f) if b == 1;
+// replace (f,g) with (f,g) if b == 0.
+//
+// Preconditions: b in {0,1}.
 static void fe_cswap(fe f, fe g, unsigned int b) {
   b = 0-b;
   unsigned i;
@@ -4731,14 +4731,14 @@ static void fe_cswap(fe f, fe g, unsigned int b) {
   }
 }
 
-/* h = f * 121666
- * Can overlap h with f.
- *
- * Preconditions:
- *    |f| bounded by 1.1*2^26,1.1*2^25,1.1*2^26,1.1*2^25,etc.
- *
- * Postconditions:
- *    |h| bounded by 1.1*2^25,1.1*2^24,1.1*2^25,1.1*2^24,etc. */
+// h = f * 121666
+// Can overlap h with f.
+//
+// Preconditions:
+//    |f| bounded by 1.1*2^26,1.1*2^25,1.1*2^26,1.1*2^25,etc.
+//
+// Postconditions:
+//    |h| bounded by 1.1*2^25,1.1*2^24,1.1*2^25,1.1*2^24,etc.
 static void fe_mul121666(fe h, fe f) {
   int32_t f0 = f[0];
   int32_t f1 = f[1];
@@ -4858,25 +4858,25 @@ static void x25519_scalar_mult(uint8_t out[32], const uint8_t scalar[32],
   x25519_scalar_mult_generic(out, scalar, point);
 }
 
-#endif  /* BORINGSSL_X25519_X86_64 */
+#endif  // BORINGSSL_X25519_X86_64
 
 
 void X25519_keypair(uint8_t out_public_value[32], uint8_t out_private_key[32]) {
   RAND_bytes(out_private_key, 32);
 
-  /* All X25519 implementations should decode scalars correctly (see
-   * https://tools.ietf.org/html/rfc7748#section-5). However, if an
-   * implementation doesn't then it might interoperate with random keys a
-   * fraction of the time because they'll, randomly, happen to be correctly
-   * formed.
-   *
-   * Thus we do the opposite of the masking here to make sure that our private
-   * keys are never correctly masked and so, hopefully, any incorrect
-   * implementations are deterministically broken.
-   *
-   * This does not affect security because, although we're throwing away
-   * entropy, a valid implementation of scalarmult should throw away the exact
-   * same bits anyway. */
+  // All X25519 implementations should decode scalars correctly (see
+  // https://tools.ietf.org/html/rfc7748#section-5). However, if an
+  // implementation doesn't then it might interoperate with random keys a
+  // fraction of the time because they'll, randomly, happen to be correctly
+  // formed.
+  //
+  // Thus we do the opposite of the masking here to make sure that our private
+  // keys are never correctly masked and so, hopefully, any incorrect
+  // implementations are deterministically broken.
+  //
+  // This does not affect security because, although we're throwing away
+  // entropy, a valid implementation of scalarmult should throw away the exact
+  // same bits anyway.
   out_private_key[0] |= 7;
   out_private_key[31] &= 63;
   out_private_key[31] |= 128;
@@ -4888,15 +4888,15 @@ int X25519(uint8_t out_shared_key[32], const uint8_t private_key[32],
            const uint8_t peer_public_value[32]) {
   static const uint8_t kZeros[32] = {0};
   x25519_scalar_mult(out_shared_key, private_key, peer_public_value);
-  /* The all-zero output results when the input is a point of small order. */
+  // The all-zero output results when the input is a point of small order.
   return CRYPTO_memcmp(kZeros, out_shared_key, 32) != 0;
 }
 
 #if defined(BORINGSSL_X25519_X86_64)
 
-/* When |BORINGSSL_X25519_X86_64| is set, base point multiplication is done with
- * the Montgomery ladder because it's faster. Otherwise it's done using the
- * Ed25519 tables. */
+// When |BORINGSSL_X25519_X86_64| is set, base point multiplication is done with
+// the Montgomery ladder because it's faster. Otherwise it's done using the
+// Ed25519 tables.
 
 void X25519_public_from_private(uint8_t out_public_value[32],
                                 const uint8_t private_key[32]) {
@@ -4925,8 +4925,8 @@ void X25519_public_from_private(uint8_t out_public_value[32],
   ge_p3 A;
   x25519_ge_scalarmult_base(&A, e);
 
-  /* We only need the u-coordinate of the curve25519 point. The map is
-   * u=(y+1)/(1-y). Since y=Y/Z, this gives u=(Z+Y)/(Z-Y). */
+  // We only need the u-coordinate of the curve25519 point. The map is
+  // u=(y+1)/(1-y). Since y=Y/Z, this gives u=(Z+Y)/(Z-Y).
   fe zplusy, zminusy, zminusy_inv;
   fe_add(zplusy, A.Z, A.Y);
   fe_sub(zminusy, A.Z, A.Y);
@@ -4935,4 +4935,4 @@ void X25519_public_from_private(uint8_t out_public_value[32],
   fe_tobytes(out_public_value, zplusy);
 }
 
-#endif  /* BORINGSSL_X25519_X86_64 */
+#endif  // BORINGSSL_X25519_X86_64