remove comment

This commit is contained in:
dranik
2026-06-04 13:27:47 +03:00
parent b64b589acd
commit d8e644b032
@@ -22,9 +22,6 @@
namespace {
// macOS rejects password-less PKCS#12 containers on import, so the client p12
// (exported by the Amnezia server without a password) is re-wrapped with a known
// password using legacy 3DES/SHA1 algorithms that Apple's importer accepts.
const char *kRepackedP12Password = "amnezia";
const char *kVpnSystemKeychainPath = "/Library/Keychains/System.keychain";
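Review bot: With the explanatory comment gone, `kRepackedP12Password = "amnezia"` on the line above reads like a hard-coded credential, whereas the removed text says it is only the fixed wrapper password used to re-wrap the password-less client p12 so that macOS will import it, with the real protection coming from the keychain ACL set at import time. A one-line comment would preserve that distinction for maintainers and secret scanners: `// Fixed, non-secret wrapper password: macOS rejects password-less PKCS#12 on import; protection comes from the keychain ACL, not this string.` The same loss applies to the hunks at prepareIdentity, importIdentityToLoginKeychain, copyIdentityPersistentRef and storeClientIdentity, whose removed comments are the only record of why the login keychain is used instead of the System keychain and why a stale System-keychain identity with the same label must never be matched. The enclosing anonymous namespace starts and ends outside this hunk.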
@@ -42,9 +39,6 @@ const char *vpnStatusName(int status)
}
}
// Parses the password-less client p12, re-wraps the identity with a password and
// also extracts the CA certificate (DER) bundled in the p12 chain, which is needed
// to validate the self-signed server certificate.
bool prepareIdentity(const QByteArray &source, const QString &friendlyName, QByteArray &repackedP12, QByteArray &caCertDer)
{
const unsigned char *cursor = reinterpret_cast<const unsigned char *>(source.constData());
@@ -124,10 +118,6 @@ void removeIdentityFromLoginKeychain(const QString &label)
SecItemDelete((__bridge CFDictionaryRef)query);
}
// Imports the client identity into the user's login keychain with an access list
// that grants this app and the VPN agent (neagent) access. Setting the ACL at
// creation time (legacy SecAccess) avoids the System keychain admin prompt and the
// partition-list authorization that cannot be satisfied on the System keychain.
bool importIdentityToLoginKeychain(const QByteArray &p12, const QString &label)
{
SecKeychainRef loginKeychain = NULL;
@@ -179,9 +169,6 @@ bool importIdentityToLoginKeychain(const QByteArray &p12, const QString &label)
return true;
}
// Looks up the persistent reference of the client identity in the login keychain.
// The search is restricted to the login keychain so a stale identity that an earlier
// build left in the System keychain (same label) can never be picked instead.
NSData *copyIdentityPersistentRef(const QString &label)
{
SecKeychainRef loginKeychain = NULL;
@@ -254,7 +241,6 @@ void runPrivilegedSecurity(const QString &label, const QStringList &arguments)
qInfo() << "[IKEv2-mac]" << label << "started" << started << "finished" << finished
<< "| out:" << out.trimmed() << "| err:" << err.trimmed();
}
} // namespace
Ikev2ProtocolMacos::Ikev2ProtocolMacos(const QJsonObject &configuration, QObject *parent)
@@ -285,9 +271,6 @@ void Ikev2ProtocolMacos::readIkev2Configuration(const QJsonObject &configuration
bool Ikev2ProtocolMacos::storeClientIdentity()
{
// Already installed for this client: reuse it. Re-importing on every connect
// churns the key, re-triggers the neagent keychain prompt and disturbs the key
// an active (tearing-down) connection still references during a reconnect.
if (copyIdentityPersistentRef(m_clientId) != nil) {
qInfo() << "[IKEv2-mac] client identity already in login keychain, reusing it";
return true;
@@ -302,14 +285,11 @@ bool Ikev2ProtocolMacos::storeClientIdentity()
return false;
}
// Install the client identity into the user's login keychain with an ACL granting
// neagent access. No admin rights are needed and no System keychain prompt appears.
removeIdentityFromLoginKeychain(m_clientId);
if (!importIdentityToLoginKeychain(repackedP12, m_clientId)) {
return false;
}
// Install and trust the CA so the self-signed server certificate validates.
if (!caCertDer.isEmpty()) {
QTemporaryFile caFile(QDir::tempPath() + "/amnezia-ikev2-ca-XXXXXX.cer");
caFile.setAutoRemove(false);
@@ -458,9 +438,6 @@ ErrorCode Ikev2ProtocolMacos::start()
Qt::QueuedConnection);
}];
// If a previous connection is still active or tearing down, stop it first
// and start only once it reaches Disconnected. Otherwise our fresh start
// races with the old teardown and gets dropped immediately.
NEVPNStatus current = manager.connection.status;
if (current == NEVPNStatusDisconnected || current == NEVPNStatusInvalid) {
qInfo() << "[IKEv2-mac] preferences saved, connection is"
@@ -489,9 +466,6 @@ void Ikev2ProtocolMacos::stop()
stopHandshakeTimeoutTimer();
m_startWhenDisconnected = false;
// stop() runs synchronously because VpnConnection destroys this object right after
// it returns. Any async work (dispatch_async) would be dropped when the object dies,
// leaving the tunnel up and the UI stuck on "Disconnecting".
NEVPNManager *manager = [NEVPNManager sharedManager];
NEVPNStatus status = manager.connection.status;
qInfo() << "[IKEv2-mac] stop(): current NEVPNStatus =" << (int)status;
@@ -531,8 +505,6 @@ void Ikev2ProtocolMacos::handleStatusChange(int rawStatus)
<< "| lastStatus:" << vpnStatusName(m_lastVpnStatus)
<< "| waitingToStart:" << m_startWhenDisconnected;
// While waiting for a previous connection to finish tearing down, swallow its
// teardown events and launch our tunnel only once it is fully Disconnected.
if (m_startWhenDisconnected) {
if (vpnStatus == NEVPNStatusDisconnecting) {
return;