Namespace crypto/pkcs8's internal symbols. Down from 898 to 891 unintended exported symbols. Bug: 42220000 Change-Id: Ia2f74b478f3378f1b8d8b7f91a09734e2b5eb15e Reviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/86348 Reviewed-by: Xiangfei Ding <xfding@google.com> Commit-Queue: Rudolf Polzer <rpolzer@google.com>
diff --git a/crypto/pkcs8/internal.h b/crypto/pkcs8/internal.h
index e36730b..89cdf9c 100644
--- a/crypto/pkcs8/internal.h
+++ b/crypto/pkcs8/internal.h
@@ -18,10 +18,6 @@ #include <openssl/base.h> #include <openssl/stack.h> -#if defined(__cplusplus) -extern "C" { -#endif - struct pkcs8_priv_key_info_st { ASN1_INTEGER *version; @@ -30,6 +26,8 @@ STACK_OF(X509_ATTRIBUTE) *attributes; }; +BSSL_NAMESPACE_BEGIN + // pkcs8_pbe_decrypt decrypts |in| using the PBE scheme described by // |algorithm|, which should be a serialized AlgorithmIdentifier structure. On // success, it sets |*out| to a newly-allocated buffer containing the decrypted @@ -95,9 +93,6 @@ // number of PBKDF2 iterations and zero otherwise. int pkcs12_iterations_acceptable(uint64_t iterations); - -#if defined(__cplusplus) -} // extern C -#endif +BSSL_NAMESPACE_END #endif // OPENSSL_HEADER_CRYPTO_PKCS8_INTERNAL_H
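Review bot: `struct pkcs8_priv_key_info_st` stays at global scope, above the new `BSSL_NAMESPACE_BEGIN`, and nothing in the header says why it is left out while every function declaration below it moves into the namespace. Presumably the struct backs a public type name and has to keep its global name; if so, record that next to it, e.g. `// Defined outside namespace bssl: this is the struct behind a public typedef.` (wording to be confirmed against the public header). With the `extern "C"` block removed the declared functions also get C++ linkage, so any caller outside this diff that declares them by hand rather than including this header would stop linking.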
diff --git a/crypto/pkcs8/p5_pbev2.cc b/crypto/pkcs8/p5_pbev2.cc
index d1a9d1c..e1307bd 100644
--- a/crypto/pkcs8/p5_pbev2.cc
+++ b/crypto/pkcs8/p5_pbev2.cc
@@ -25,10 +25,12 @@ #include <openssl/nid.h> #include <openssl/rand.h> -#include "internal.h" #include "../internal.h" +#include "internal.h" +using namespace bssl; + // 1.2.840.113549.1.5.12 static const uint8_t kPBKDF2[] = {0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x05, 0x0c}; @@ -100,7 +102,7 @@ return 0; } -const EVP_CIPHER *pkcs5_pbe2_nid_to_cipher(int nid) { +const EVP_CIPHER *bssl::pkcs5_pbe2_nid_to_cipher(int nid) { for (const auto &cipher : kCipherOIDs) { if (cipher.nid == nid) { return cipher.cipher_func(); @@ -127,10 +129,10 @@ return ret; } -int PKCS5_pbe2_encrypt_init(CBB *out, EVP_CIPHER_CTX *ctx, - const EVP_CIPHER *cipher, uint32_t iterations, - const char *pass, size_t pass_len, - const uint8_t *salt, size_t salt_len) { +int bssl::PKCS5_pbe2_encrypt_init(CBB *out, EVP_CIPHER_CTX *ctx, + const EVP_CIPHER *cipher, uint32_t iterations, + const char *pass, size_t pass_len, + const uint8_t *salt, size_t salt_len) { int cipher_nid = EVP_CIPHER_nid(cipher); if (cipher_nid == NID_undef) { OPENSSL_PUT_ERROR(PKCS8, PKCS8_R_CIPHER_HAS_NO_OBJECT_IDENTIFIER); @@ -177,8 +179,9 @@ EVP_CIPHER_iv_length(cipher), 1 /* encrypt */); } -int PKCS5_pbe2_decrypt_init(const struct pbe_suite *suite, EVP_CIPHER_CTX *ctx, - const char *pass, size_t pass_len, CBS *param) { +int bssl::PKCS5_pbe2_decrypt_init(const struct pbe_suite *suite, + EVP_CIPHER_CTX *ctx, const char *pass, + size_t pass_len, CBS *param) { CBS pbe_param, kdf, kdf_obj, enc_scheme, enc_obj; if (!CBS_get_asn1(param, &pbe_param, CBS_ASN1_SEQUENCE) || CBS_len(param) != 0 ||
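Review bot: The file-scope `using namespace bssl;` added after the includes opens every `bssl` name to unqualified lookup for the rest of the translation unit, even though the definitions changed in this file are already spelled `bssl::…`. In code that selects ciphers and derives keys this matters because a file-local `static` helper that later shares a name with a `bssl` function joins the same overload set, and a call can then bind to a different function than the author meant. If only a few names are needed, using-declarations for those names or `bssl::` at the use sites (as the old `bssl::ScopedCBB` spelling did) keep the scope narrow; if the directive is a project convention, a short comment such as `// Internal pkcs8 symbols live in namespace bssl.` would record the intent. The same directive is added in pkcs8.cc and pkcs8_x509.cc.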
diff --git a/crypto/pkcs8/pkcs8.cc b/crypto/pkcs8/pkcs8.cc
index f000e25..e7f388a 100644
--- a/crypto/pkcs8/pkcs8.cc
+++ b/crypto/pkcs8/pkcs8.cc
@@ -31,9 +31,11 @@ #include "internal.h" +using namespace bssl; + static int pkcs12_encode_password(const char *in, size_t in_len, uint8_t **out, size_t *out_len) { - bssl::ScopedCBB cbb; + ScopedCBB cbb; if (!CBB_init(cbb.get(), in_len * 2)) { return 0; } @@ -58,9 +60,9 @@ return 1; } -int pkcs12_key_gen(const char *pass, size_t pass_len, const uint8_t *salt, - size_t salt_len, uint8_t id, uint32_t iterations, - size_t out_len, uint8_t *out, const EVP_MD *md) { +int bssl::pkcs12_key_gen(const char *pass, size_t pass_len, const uint8_t *salt, + size_t salt_len, uint8_t id, uint32_t iterations, + size_t out_len, uint8_t *out, const EVP_MD *md) { // See https://tools.ietf.org/html/rfc7292#appendix-B. Quoted parts of the // specification have errata applied and other typos fixed. @@ -231,7 +233,7 @@ 0 /* decrypt */); } -static const struct pbe_suite kBuiltinPBE[] = { +static const struct bssl::pbe_suite kBuiltinPBE[] = { { NID_pbe_WithSHA1And40BitRC2_CBC, // 1.2.840.113549.1.12.1.6 @@ -270,7 +272,7 @@ }, }; -static const struct pbe_suite *get_pkcs12_pbe_suite(int pbe_nid) { +static const struct bssl::pbe_suite *get_pkcs12_pbe_suite(int pbe_nid) { for (const auto &pbe : kBuiltinPBE) { if (pbe.pbe_nid == pbe_nid && // If |cipher_func| or |md_func| are missing, this is a PBES2 scheme. @@ -282,10 +284,11 @@ return nullptr; } -int pkcs12_pbe_encrypt_init(CBB *out, EVP_CIPHER_CTX *ctx, int alg_nid, - const EVP_CIPHER *alg_cipher, uint32_t iterations, - const char *pass, size_t pass_len, - const uint8_t *salt, size_t salt_len) { +int bssl::pkcs12_pbe_encrypt_init(CBB *out, EVP_CIPHER_CTX *ctx, int alg_nid, + const EVP_CIPHER *alg_cipher, + uint32_t iterations, const char *pass, + size_t pass_len, const uint8_t *salt, + size_t salt_len) { // TODO(davidben): OpenSSL has since extended |pbe_nid| to control either // the PBES1 scheme or the PBES2 PRF. E.g. passing |NID_hmacWithSHA256| will // select PBES2 with HMAC-SHA256 as the PRF. Implement this if anything uses 
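Review bot: `kBuiltinPBE` and `get_pkcs12_pbe_suite` now spell the type as `struct bssl::pbe_suite`, while the `suite` local in `bssl::pkcs8_pbe_decrypt` (visible as context in the `-319,12` hunk) still says `struct pbe_suite`. With the file-scope `using namespace bssl;` both spellings should resolve to the same type, so the mix only leaves a reader wondering whether a second, global `pbe_suite` exists. Pick one form for the file, for example `static const pbe_suite kBuiltinPBE[] = {` and `static const pbe_suite *get_pkcs12_pbe_suite(int pbe_nid) {`. The bodies of both declarations continue outside their hunks.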
@@ -319,12 +322,12 @@ salt_len, 1 /* encrypt */); } -int pkcs8_pbe_decrypt(uint8_t **out, size_t *out_len, CBS *algorithm, - const char *pass, size_t pass_len, const uint8_t *in, - size_t in_len) { +int bssl::pkcs8_pbe_decrypt(uint8_t **out, size_t *out_len, CBS *algorithm, + const char *pass, size_t pass_len, + const uint8_t *in, size_t in_len) { int ret = 0; uint8_t *buf = nullptr; - bssl::ScopedEVP_CIPHER_CTX ctx; + ScopedEVP_CIPHER_CTX ctx; CBS obj; const struct pbe_suite *suite = nullptr; @@ -404,7 +407,7 @@ int ret = 0; uint8_t *plaintext = nullptr, *salt_buf = nullptr; size_t plaintext_len = 0; - bssl::ScopedEVP_CIPHER_CTX ctx; + ScopedEVP_CIPHER_CTX ctx; { // Generate a random salt if necessary.
diff --git a/crypto/pkcs8/pkcs8_x509.cc b/crypto/pkcs8/pkcs8_x509.cc
index 69fbf79..2bd2a64 100644
--- a/crypto/pkcs8/pkcs8_x509.cc
+++ b/crypto/pkcs8/pkcs8_x509.cc
@@ -37,7 +37,9 @@ #include "internal.h" -int pkcs12_iterations_acceptable(uint64_t iterations) { +using namespace bssl; + +int bssl::pkcs12_iterations_acceptable(uint64_t iterations) { #if defined(FUZZING_BUILD_MODE_UNSAFE_FOR_PRODUCTION) static const uint64_t kIterationsLimit = 2048; #else @@ -1020,7 +1022,7 @@ return 0; } - bssl::ScopedEVP_CIPHER_CTX ctx; + ScopedEVP_CIPHER_CTX ctx; CBB content_info, wrapper, encrypted_data, encrypted_content_info, encrypted_content; if ( // Add the ContentInfo wrapping.