From e99505b4d0b9400c83dddf4d4eed3144e45b38c4 Mon Sep 17 00:00:00 2001
From: "Dr. David von Oheimb"
Date: Thu, 3 Dec 2020 11:10:19 +0100
Subject: [PATCH] x509_vfy.c: Improve comments (correcting typos etc.)

Reviewed-by: Tomas Mraz
(Merged from https://github.com/openssl/openssl/pull/13606)
---
 crypto/x509/x509_vfy.c | 26 +++++++++++++-------------
 1 file changed, 13 insertions(+), 13 deletions(-)

diff --git a/crypto/x509/x509_vfy.c b/crypto/x509/x509_vfy.c
index fc470d950ee..3a5673b307c 100644
--- a/crypto/x509/x509_vfy.c
+++ b/crypto/x509/x509_vfy.c
@@ -154,9 +154,9 @@ static X509 *lookup_cert_match(X509_STORE_CTX *ctx, X509 *x)
 /*-
 * Inform the verify callback of an error.
- * If B is not NULL it is the error cert, otherwise use the chain cert at
- * B.
- * If B is not X509_V_OK, that's the error value, otherwise leave
+ * If 'x' is not NULL it is the error cert, otherwise use the chain cert at
+ * 'depth'
+ * If 'err' is not X509_V_OK, that's the error value, otherwise leave
 * unchanged (presumably set by the caller).
 *
 * Returns 0 to abort verification with an error, non-zero to continue.
@@ -501,7 +501,7 @@ static int check_chain(X509_STORE_CTX *ctx)
 CHECK_CB(ret == 0, ctx, x, i, X509_V_ERR_EC_KEY_EXPLICIT_PARAMS);
 }
 /*
- * Do the following set of checks only if strict checking is requrested
+ * Do the following set of checks only if strict checking is requested
 * and not for self-issued (including self-signed) EE (non-CA) certs
 * because RFC 5280 does not apply to them according RFC 6818 section 2.
 */
@@ -576,7 +576,7 @@ static int check_chain(X509_STORE_CTX *ctx)
 /* check_purpose() makes the callback as needed */
 if (purpose > 0 && !check_purpose(ctx, x, purpose, i, must_be_ca))
 return 0;
- /* Check pathlen */
+ /* Check path length */
 CHECK_CB(i > 1 && x->ex_pathlen != -1 && plen > x->ex_pathlen + proxy_path_length, ctx, x, i, X509_V_ERR_PATH_LENGTH_EXCEEDED);
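Review bot: The new line `* 'depth'` in the first hunk dropped the full stop that the removed line carried, so the sentence now runs straight into `If 'err' is not X509_V_OK`; it should read `* 'depth'.`. This comment is the contract for how the error certificate and error value reach the verify callback, so the two conditions are best kept as clearly separate sentences. The function the comment documents lies outside the hunk.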
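Review bot: The comment corrected in the check_chain hunk at line 501 still reads `according RFC 6818 section 2` on its third line; it should be `because RFC 5280 does not apply to them according to RFC 6818 section 2.`. That sentence is the stated justification for exempting self-issued end-entity certificates from the strict checks, so the citation is worth getting right while the comment is being touched. The enclosing function starts and ends outside the hunk.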
@@ -679,7 +679,7 @@ static int check_name_constraints(X509_STORE_CTX *ctx)
 /*
 * Check that the last subject component isn't part of a
- * multivalued RDN
+ * multi-valued RDN
 */
 if (X509_NAME_ENTRY_set(X509_NAME_get_entry(tmpsubject, last_object_loc))
@@ -1026,7 +1026,7 @@ static int check_crl_time(X509_STORE_CTX *ctx, X509_CRL *crl, int notify)
 if (!verify_cb_crl(ctx, X509_V_ERR_ERROR_IN_CRL_NEXT_UPDATE_FIELD))
 return 0;
 }
- /* Ignore expiry of base CRL is delta is valid */
+ /* Ignore expiration of base CRL is delta is valid */
 if ((i < 0) && !(ctx->current_crl_score & CRL_SCORE_TIME_DELTA)) {
 if (!notify)
 return 0;
@@ -1230,7 +1230,7 @@ static int get_crl_score(X509_STORE_CTX *ctx, X509 **pissuer,
 if (!(crl->flags & EXFLAG_CRITICAL))
 crl_score |= CRL_SCORE_NOCRITICAL;
- /* Check expiry */
+ /* Check expiration */
 if (check_crl_time(ctx, crl, 0))
 crl_score |= CRL_SCORE_TIME;
@@ -1351,7 +1351,7 @@ static int check_crl_path(X509_STORE_CTX *ctx, X509 *x)
 /*
 * RFC3280 says nothing about the relationship between CRL path and
 * certificate path, which could lead to situations where a certificate could
- * be revoked or validated by a CA not authorised to do so. RFC5280 is more
+ * be revoked or validated by a CA not authorized to do so. RFC5280 is more
 * strict and states that the two paths must end in the same trust anchor,
 * though some discussions remain... until this is resolved we use the
 * RFC5280 version
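Review bot: The reworded comment in the check_crl_time hunk still contains the typo `is delta is valid`; the first `is` should be `if`, giving `/* Ignore expiration of base CRL if delta is valid */`. The comment is the only explanation of why the condition below skips the expiry handling when `CRL_SCORE_TIME_DELTA` is set in `ctx->current_crl_score`, so as written a reader cannot tell what the exemption is. The function body begins and ends outside the hunk.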
@@ -1804,8 +1804,8 @@ static int internal_verify(X509_STORE_CTX *ctx)
 * step (n) we must check any given key usage extension in a CA cert
 * when preparing the verification of a certificate issued by it.
 * According to https://tools.ietf.org/html/rfc5280#section-4.2.1.3
- * we must not verify a certifiate signature if the key usage of the
- * CA certificate that issued the certificate prohibits signing.
+ * we must not verify a certificate signature if the key usage of
+ * the CA certificate that issued the certificate prohibits signing.
 * In case the 'issuing' certificate is the last in the chain and is
 * not a CA certificate but a 'self-issued' end-entity cert (i.e.,
 * xs == xi && !(xi->ex_flags & EXFLAG_CA)) RFC 5280 does not apply
@@ -2009,7 +2009,7 @@ int X509_get_pubkey_parameters(EVP_PKEY *pkey, STACK_OF(X509) *chain)
 return 1;
 }
-/* Make a delta CRL as the diff between two full CRLs */
+/* Make a delta CRL as the difference between two full CRLs */
 X509_CRL *X509_CRL_diff(X509_CRL *base, X509_CRL *newer, EVP_PKEY *skey, const EVP_MD *md, unsigned int flags)
@@ -3199,7 +3199,7 @@ static int build_chain(X509_STORE_CTX *ctx)
 }
 /*
- * We've added a new trusted certificate to the chain, recheck
+ * We've added a new trusted certificate to the chain, re-check
 * trust. If not done, and not self-signed look deeper.
 * Whether or not we're doing "trusted first", we no longer
 * look for untrusted certificates from the peer's chain.
-- 
2.47.2