Make X509_VERIFY_PARAM opaque.

Update-Note: Use setters instead of configuring X509_VERIFY_PARAM directly. Change-Id: I03ba0d17acc09604c1c20bf8f682e7bbc5642310 Reviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/48127 Reviewed-by: Adam Langley <agl@google.com>
4 years ago · 58abd2e6fa
parent 36ea4d1134
commit 58abd2e6fa
2 changed files with 17 additions and 20 deletions
--- a/crypto/x509/internal.h
+++ b/crypto/x509/internal.h
@ -112,7 +112,10 @@ struct X509_req_st {
  CRYPTO_refcount_t references;
 } /* X509_REQ */;

-struct X509_VERIFY_PARAM_ID_st {
+// TODO(davidben): This was historically a separate struct because
+// |X509_VERIFY_PARAM| used to be exported. Now that it is also opaque, embed it
+// directly.
+typedef struct {
  STACK_OF(OPENSSL_STRING) *hosts; /* Set of acceptable names */
  unsigned int hostflags;          /* Flags to control matching features */
  char *peername;                  /* Matching hostname in peer certificate */
@ -121,7 +124,19 @@ struct X509_VERIFY_PARAM_ID_st {
  unsigned char *ip;    /* If not NULL IP address to match */
  size_t iplen;         /* Length of IP address */
  unsigned char poison; /* Fail all verifications */
-};
+} X509_VERIFY_PARAM_ID;
+
+struct X509_VERIFY_PARAM_st {
+  char *name;
+  time_t check_time;                // Time to use
+  unsigned long inh_flags;          // Inheritance flags
+  unsigned long flags;              // Various verify flags
+  int purpose;                      // purpose to check untrusted certificates
+  int trust;                        // trust setting to check
+  int depth;                        // Verify depth
+  STACK_OF(ASN1_OBJECT) *policies;  // Permissible policies
+  X509_VERIFY_PARAM_ID *id;         // opaque ID data
+} /* X509_VERIFY_PARAM */;


 /* RSA-PSS functions. */
--- a/include/openssl/x509_vfy.h
+++ b/include/openssl/x509_vfy.h
@ -132,24 +132,6 @@ typedef struct x509_lookup_method_st {
                      X509_OBJECT *ret);
 } X509_LOOKUP_METHOD;

-typedef struct X509_VERIFY_PARAM_ID_st X509_VERIFY_PARAM_ID;
-
-// This structure hold all parameters associated with a verify operation
-// by including an X509_VERIFY_PARAM structure in related structures the
-// parameters used can be customized
-
-struct X509_VERIFY_PARAM_st {
-  char *name;
-  time_t check_time;                // Time to use
-  unsigned long inh_flags;          // Inheritance flags
-  unsigned long flags;              // Various verify flags
-  int purpose;                      // purpose to check untrusted certificates
-  int trust;                        // trust setting to check
-  int depth;                        // Verify depth
-  STACK_OF(ASN1_OBJECT) *policies;  // Permissible policies
-  X509_VERIFY_PARAM_ID *id;         // opaque ID data
-};
-
 DEFINE_STACK_OF(X509_VERIFY_PARAM)

 typedef int (*X509_STORE_CTX_verify_cb)(int, X509_STORE_CTX *);