Namespace SSL_X509_METHOD.
Change-Id: I19296822354acea9956b9606d2209675151f511d
Reviewed-on: https://boringssl-review.googlesource.com/29524
Reviewed-by: Adam Langley <agl@google.com>
Commit-Queue: David Benjamin <davidben@google.com>
CQ-Verified: CQ bot account: commit-bot@chromium.org <commit-bot@chromium.org>
diff --git a/ssl/internal.h b/ssl/internal.h
index c6b849c..05b967d 100644
--- a/ssl/internal.h
+++ b/ssl/internal.h
@@ -173,15 +173,12 @@
#endif
-// TODO(davidben): This is unnamespaced because |SSL_SESSION| was historically
-// public. After 2018-06-13, move it into the namespace.
-typedef struct ssl_x509_method_st SSL_X509_METHOD;
-
namespace bssl {
struct SSL_CONFIG;
struct SSL_HANDSHAKE;
struct SSL_PROTOCOL_METHOD;
+struct SSL_X509_METHOD;
// C++ utilities.
@@ -1971,6 +1968,62 @@
size_t *out_consumed, uint8_t *out_alert,
Span<uint8_t> in);
+struct SSL_X509_METHOD {
+ // check_client_CA_list returns one if |names| is a good list of X.509
+ // distinguished names and zero otherwise. This is used to ensure that we can
+ // reject unparsable values at handshake time when using crypto/x509.
+ int (*check_client_CA_list)(STACK_OF(CRYPTO_BUFFER) *names);
+
+ // cert_clear frees and NULLs all X509 certificate-related state.
+ void (*cert_clear)(CERT *cert);
+ // cert_free frees all X509-related state.
+ void (*cert_free)(CERT *cert);
+ // cert_flush_cached_chain drops any cached |X509|-based certificate chain
+ // from |cert|.
+ // cert_dup duplicates any needed fields from |cert| to |new_cert|.
+ void (*cert_dup)(CERT *new_cert, const CERT *cert);
+ void (*cert_flush_cached_chain)(CERT *cert);
+ // cert_flush_cached_chain drops any cached |X509|-based leaf certificate
+ // from |cert|.
+ void (*cert_flush_cached_leaf)(CERT *cert);
+
+ // session_cache_objects fills out |sess->x509_peer| and |sess->x509_chain|
+ // from |sess->certs| and erases |sess->x509_chain_without_leaf|. It returns
+ // one on success or zero on error.
+ int (*session_cache_objects)(SSL_SESSION *session);
+ // session_dup duplicates any needed fields from |session| to |new_session|.
+ // It returns one on success or zero on error.
+ int (*session_dup)(SSL_SESSION *new_session, const SSL_SESSION *session);
+ // session_clear frees any X509-related state from |session|.
+ void (*session_clear)(SSL_SESSION *session);
+ // session_verify_cert_chain verifies the certificate chain in |session|,
+ // sets |session->verify_result| and returns one on success or zero on
+ // error.
+ int (*session_verify_cert_chain)(SSL_SESSION *session, SSL_HANDSHAKE *ssl,
+ uint8_t *out_alert);
+
+ // hs_flush_cached_ca_names drops any cached |X509_NAME|s from |hs|.
+ void (*hs_flush_cached_ca_names)(SSL_HANDSHAKE *hs);
+ // ssl_new does any neccessary initialisation of |hs|. It returns one on
+ // success or zero on error.
+ int (*ssl_new)(SSL_HANDSHAKE *hs);
+ // ssl_free frees anything created by |ssl_new|.
+ void (*ssl_config_free)(SSL_CONFIG *cfg);
+ // ssl_flush_cached_client_CA drops any cached |X509_NAME|s from |ssl|.
+ void (*ssl_flush_cached_client_CA)(SSL_CONFIG *cfg);
+ // ssl_auto_chain_if_needed runs the deprecated auto-chaining logic if
+ // necessary. On success, it updates |ssl|'s certificate configuration as
+ // needed and returns one. Otherwise, it returns zero.
+ int (*ssl_auto_chain_if_needed)(SSL_HANDSHAKE *hs);
+ // ssl_ctx_new does any neccessary initialisation of |ctx|. It returns one on
+ // success or zero on error.
+ int (*ssl_ctx_new)(SSL_CTX *ctx);
+ // ssl_ctx_free frees anything created by |ssl_ctx_new|.
+ void (*ssl_ctx_free)(SSL_CTX *ctx);
+ // ssl_ctx_flush_cached_client_CA drops any cached |X509_NAME|s from |ctx|.
+ void (*ssl_ctx_flush_cached_client_CA)(SSL_CTX *ssl);
+};
+
// ssl_crypto_x509_method provides the |SSL_X509_METHOD| functions using
// crypto/x509.
extern const SSL_X509_METHOD ssl_crypto_x509_method;
@@ -3129,64 +3182,7 @@
const bssl::SSL_PROTOCOL_METHOD *method;
// x509_method contains pointers to functions that might deal with |X509|
// compatibility, or might be a no-op, depending on the application.
- const SSL_X509_METHOD *x509_method;
-};
-
-struct ssl_x509_method_st {
- // check_client_CA_list returns one if |names| is a good list of X.509
- // distinguished names and zero otherwise. This is used to ensure that we can
- // reject unparsable values at handshake time when using crypto/x509.
- int (*check_client_CA_list)(STACK_OF(CRYPTO_BUFFER) *names);
-
- // cert_clear frees and NULLs all X509 certificate-related state.
- void (*cert_clear)(bssl::CERT *cert);
- // cert_free frees all X509-related state.
- void (*cert_free)(bssl::CERT *cert);
- // cert_flush_cached_chain drops any cached |X509|-based certificate chain
- // from |cert|.
- // cert_dup duplicates any needed fields from |cert| to |new_cert|.
- void (*cert_dup)(bssl::CERT *new_cert, const bssl::CERT *cert);
- void (*cert_flush_cached_chain)(bssl::CERT *cert);
- // cert_flush_cached_chain drops any cached |X509|-based leaf certificate
- // from |cert|.
- void (*cert_flush_cached_leaf)(bssl::CERT *cert);
-
- // session_cache_objects fills out |sess->x509_peer| and |sess->x509_chain|
- // from |sess->certs| and erases |sess->x509_chain_without_leaf|. It returns
- // one on success or zero on error.
- int (*session_cache_objects)(SSL_SESSION *session);
- // session_dup duplicates any needed fields from |session| to |new_session|.
- // It returns one on success or zero on error.
- int (*session_dup)(SSL_SESSION *new_session, const SSL_SESSION *session);
- // session_clear frees any X509-related state from |session|.
- void (*session_clear)(SSL_SESSION *session);
- // session_verify_cert_chain verifies the certificate chain in |session|,
- // sets |session->verify_result| and returns one on success or zero on
- // error.
- int (*session_verify_cert_chain)(SSL_SESSION *session,
- bssl::SSL_HANDSHAKE *ssl,
- uint8_t *out_alert);
-
- // hs_flush_cached_ca_names drops any cached |X509_NAME|s from |hs|.
- void (*hs_flush_cached_ca_names)(bssl::SSL_HANDSHAKE *hs);
- // ssl_new does any neccessary initialisation of |hs|. It returns one on
- // success or zero on error.
- int (*ssl_new)(bssl::SSL_HANDSHAKE *hs);
- // ssl_free frees anything created by |ssl_new|.
- void (*ssl_config_free)(bssl::SSL_CONFIG *cfg);
- // ssl_flush_cached_client_CA drops any cached |X509_NAME|s from |ssl|.
- void (*ssl_flush_cached_client_CA)(bssl::SSL_CONFIG *cfg);
- // ssl_auto_chain_if_needed runs the deprecated auto-chaining logic if
- // necessary. On success, it updates |ssl|'s certificate configuration as
- // needed and returns one. Otherwise, it returns zero.
- int (*ssl_auto_chain_if_needed)(bssl::SSL_HANDSHAKE *hs);
- // ssl_ctx_new does any neccessary initialisation of |ctx|. It returns one on
- // success or zero on error.
- int (*ssl_ctx_new)(SSL_CTX *ctx);
- // ssl_ctx_free frees anything created by |ssl_ctx_new|.
- void (*ssl_ctx_free)(SSL_CTX *ctx);
- // ssl_ctx_flush_cached_client_CA drops any cached |X509_NAME|s from |ctx|.
- void (*ssl_ctx_flush_cached_client_CA)(SSL_CTX *ssl);
+ const bssl::SSL_X509_METHOD *x509_method;
};
// The following types back public C-exposed types which must live in the global
@@ -3229,7 +3225,7 @@
// certificate.
STACK_OF(CRYPTO_BUFFER) *certs;
- const SSL_X509_METHOD *x509_method;
+ const bssl::SSL_X509_METHOD *x509_method;
// x509_peer is the peer's certificate.
X509 *x509_peer;