From 4eb845bc58de7d3c904804ec489dee7c71555e0d Mon Sep 17 00:00:00 2001
From: Jim Hague
Date: Tue, 20 Nov 2018 15:55:34 +0000
Subject: [PATCH] Move internal-only functions from public pubkey-pinning interface.

The interface now only exposes functions used by the main getdns code.
---
 src/Makefile.in | 2 +-
 src/openssl/pubkey-pinning-internal.h | 51 +++++++++++++++++++++++++++
 src/openssl/pubkey-pinning.c | 2 ++
 src/pubkey-pinning.h | 14 +-------
 4 files changed, 55 insertions(+), 14 deletions(-)
 create mode 100644 src/openssl/pubkey-pinning-internal.h

diff --git a/src/Makefile.in b/src/Makefile.in
index b17efd85..72e5002c 100644
--- a/src/Makefile.in
+++ b/src/Makefile.in
@@ -525,7 +525,7 @@ pubkey-pinning.lo pubkey-pinning.o: $(srcdir)/openssl/pubkey-pinning.c \
 $(srcdir)/extension/default_eventloop.h $(srcdir)/extension/poll_eventloop.h \
 $(srcdir)/types-internal.h $(srcdir)/ub_loop.h $(srcdir)/server.h $(srcdir)/rr-iter.h $(srcdir)/rr-dict.h $(srcdir)/gldns/gbuffer.h \
 $(srcdir)/gldns/pkthdr.h $(srcdir)/anchor.h $(srcdir)/tls.h $(srcdir)/openssl/tls-internal.h $(srcdir)/util-internal.h \
- $(srcdir)/context.h
+ $(srcdir)/context.h $(srcdir)/openssl/pubkey-pinning-internal.h
 tls.lo tls.o: $(srcdir)/openssl/tls.c config.h \
 $(srcdir)/debug.h $(srcdir)/context.h \
 getdns/getdns.h \
diff --git a/src/openssl/pubkey-pinning-internal.h b/src/openssl/pubkey-pinning-internal.h
new file mode 100644
index 00000000..3313dffd
--- /dev/null
+++ b/src/openssl/pubkey-pinning-internal.h
@@ -0,0 +1,51 @@
+/**
+ *
+ * /brief internal functions for dealing with pubkey pinsets
+ *
+ */
+
+/*
+ * Copyright (c) 2015 ACLU
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions are met:
+ * * Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
+ * * Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in the
+ * documentation and/or other materials provided with the distribution.
+ * * Neither the names of the copyright holders nor the
+ * names of its contributors may be used to endorse or promote products
+ * derived from this software without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
+ * WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
+ * DISCLAIMED. IN NO EVENT SHALL Verisign, Inc. BE LIABLE FOR ANY
+ * DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
+ * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND
+ * ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+ * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
+ * SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+ */
+
+#ifndef PUBKEY_PINNING_INTERNAL_H_
+#define PUBKEY_PINNING_INTERNAL_H_
+
+#include
+
+/* internal functions for associating X.509 verification processes in
+ * OpenSSL with getdns_upstream objects. */
+
+getdns_upstream*
+_getdns_upstream_from_x509_store(X509_STORE_CTX *store);
+
+
+getdns_return_t
+_getdns_verify_pinset_match(const sha256_pin_t *pinset,
+ X509_STORE_CTX *store);
+
+#endif
+/* pubkey-pinning-internal.h */
diff --git a/src/openssl/pubkey-pinning.c b/src/openssl/pubkey-pinning.c
index 09cb2c70..8f10ee6f 100644
--- a/src/openssl/pubkey-pinning.c
+++ b/src/openssl/pubkey-pinning.c
@@ -56,6 +56,8 @@
 #include "context.h"
 #include "util-internal.h"
+#include "pubkey-pinning-internal.h"
+
 #if OPENSSL_VERSION_NUMBER < 0x10100000 || defined(HAVE_LIBRESSL)
 #define X509_STORE_CTX_get0_untrusted(store) store->untrusted
 #endif
diff --git a/src/pubkey-pinning.h b/src/pubkey-pinning.h
index 5f0e4840..4e8a31e5 100644
--- a/src/pubkey-pinning.h
+++ b/src/pubkey-pinning.h
@@ -1,6 +1,6 @@
 /**
 *
- * /brief internal functions for dealing with pubkey pinsets
+ * /brief functions for dealing with pubkey pinsets
 *
 */
@@ -49,21 +49,9 @@ _getdns_get_pubkey_pinset_list(getdns_context *ctx,
 const sha256_pin_t *pinset_in,
 getdns_list **pinset_list);
-
-/* internal functions for associating X.509 verification processes in
- * OpenSSL with getdns_upstream objects. */
-
-getdns_upstream*
-_getdns_upstream_from_x509_store(X509_STORE_CTX *store);
-
-
 getdns_return_t
 _getdns_associate_upstream_with_connection(_getdns_tls_connection *conn,
 getdns_upstream *upstream);
-getdns_return_t
-_getdns_verify_pinset_match(const sha256_pin_t *pinset,
- X509_STORE_CTX *store);
-
 #endif
 /* pubkey-pinning.h */
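Review bot: The new pubkey-pinning-internal.h is not self-contained: its two declarations use `getdns_upstream`, `getdns_return_t` and `sha256_pin_t`, yet its only `#include` (the target is stripped on this page; presumably an OpenSSL header for `X509_STORE_CTX`) cannot supply those getdns types, so the header compiles only when the includer has already pulled in the getdns headers that define them. pubkey-pinning.c happens to include it after `context.h` and `util-internal.h`, which masks the problem; any other includer, or a reordering of that include list, would fail to compile, so the internal header should include whatever declares `sha256_pin_t` and `getdns_upstream` itself (and pubkey-pinning.c could include it first to prove it stands alone). The declarations also carry no contract: a short comment on `_getdns_verify_pinset_match` stating which `getdns_return_t` values mean match versus mismatch, and on `_getdns_upstream_from_x509_store` stating whether it can return NULL, would help, since callers presumably gate TLS verification on them. Minor: `/brief` is not a Doxygen command, `\brief` is; the same typo is on the line the first pubkey-pinning.h hunk rewrites.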
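Review bot: With `_getdns_upstream_from_x509_store` and `_getdns_verify_pinset_match` removed, nothing left in this public header references `X509_STORE_CTX`; if pubkey-pinning.h still includes an OpenSSL header only for that type (the include block is outside the hunk, so this cannot be confirmed here), that include can be dropped as well, so consumers of the public interface stop depending on OpenSSL headers, which appears to be the aim of the commit. The remaining `_getdns_associate_upstream_with_connection` declaration still uses `_getdns_tls_connection`, so whichever header declares that type must stay included.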