Changes to reduce dependencies in TLS sources/headers#5347
Conversation
There was a problem hiding this comment.
Pull request overview
Reduces compile-time dependencies in TLS sources/headers by replacing includes with forward declarations and moving type-dependent code into .cpp files.
Changes:
- Switched several TLS headers from including
x509cert.h/ PKIX headers to forward declarations. - Moved/despecialized TLS session and TLS 1.3 certificate entry implementations to avoid requiring full X.509 type definitions in headers.
- Updated TLS tests and some TLS implementation
.cppfiles to explicitly includebotan/x509cert.h.
Reviewed changes
Copilot reviewed 18 out of 18 changed files in this pull request and generated 4 comments.
Show a summary per file
| File | Description |
|---|---|
| src/tests/test_tls_session_manager.cpp | Adds explicit x509cert include required after header dependency reductions. |
| src/tests/test_tls_rfc8448.cpp | Adds explicit x509cert include required after header dependency reductions. |
| src/tests/test_tls.cpp | Adds explicit x509cert include required after header dependency reductions. |
| src/lib/tls/tls_signature_scheme.cpp | Removes an include to reduce dependencies. |
| src/lib/tls/tls_session.h | Replaces x509cert include with forward decls; moves special members out-of-line; changes constructor parameter types. |
| src/lib/tls/tls_session.cpp | Adds x509cert include and defines moved special members/constructors out-of-line. |
| src/lib/tls/tls_server.cpp | Adds explicit x509cert include required after header dependency reductions. |
| src/lib/tls/tls_handshake_transitions.h | Reorders/cleans up vector include placement. |
| src/lib/tls/tls_client.cpp | Adds explicit x509cert include required after header dependency reductions. |
| src/lib/tls/tls_callbacks.h | Replaces PKIX enums include with forward declarations and adds TODO about future dependency removal. |
| src/lib/tls/tls13/tls_server_impl_13.cpp | Adds explicit x509cert include required after header dependency reductions. |
| src/lib/tls/tls13/tls_messages_13.h | Removes x509cert include; reworks certificate storage to avoid requiring complete type in header. |
| src/lib/tls/tls13/tls_client_impl_13.cpp | Adds explicit x509cert include required after header dependency reductions. |
| src/lib/tls/tls13/tls_channel_impl_13.cpp | Adds explicit x509cert include required after header dependency reductions. |
| src/lib/tls/tls13/msg_certificate_13.cpp | Updates implementation for new certificate storage representation and defines special members out-of-line. |
| src/lib/tls/tls12/tls_handshake_state.h | Removes pubkey/pk_keys includes; adds forward decls. |
| src/lib/tls/tls12/msg_server_kex.cpp | Removes unused/avoidable includes to reduce dependencies. |
| src/lib/tls/tls12/msg_cert_verify_12.cpp | Removes pk_keys include to reduce dependencies. |
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
src/lib/tls/tls13/tls_messages_13.h
Outdated
| /* This is always either empty or not; would have been std::optional but that requires | ||
| that the declaration be visible, which we are trying to avoid here | ||
| */ | ||
| std::vector<X509_Certificate> m_certificate; |
There was a problem hiding this comment.
Using std::vector<X509_Certificate> as a 0/1 optional surrogate makes the invariant non-obvious and introduces indexing ([0]) in multiple places. This is harder to maintain and easier to misuse (e.g., accidentally pushing more than one cert). Consider a representation that encodes the intent more directly while still supporting incomplete types in the header, such as std::unique_ptr<X509_Certificate> (null vs non-null), and/or enforce the 0/1 invariant explicitly (e.g., assertions) where the value is constructed/modified.
There was a problem hiding this comment.
I'm with Copilot here.
Isn't that taking it a little far? Maybe use a unique_ptr for such things so that the extra allocation becomes obvious at least. Also, this won't give the false impression of a 0..n relation.
There was a problem hiding this comment.
Yeah I guess that works too
281ca5d to
59012ac
Compare
src/lib/tls/tls13/tls_messages_13.h
Outdated
| /* This is always either empty or not; would have been std::optional but that requires | ||
| that the declaration be visible, which we are trying to avoid here | ||
| */ | ||
| std::vector<X509_Certificate> m_certificate; |
There was a problem hiding this comment.
I'm with Copilot here.
Isn't that taking it a little far? Maybe use a unique_ptr for such things so that the extra allocation becomes obvious at least. Also, this won't give the false impression of a 0..n relation.
92ef4e9 to
ec96b52
Compare
src/lib/tls/tls12/tls_record.h
Outdated
This comment was marked as resolved.
This comment was marked as resolved.
Sorry, something went wrong.
KaganCanSit
left a comment
There was a problem hiding this comment.
I noticed a few things while checking. Although I'm not entirely sure, they can be checked and added to this branch.
I hope this helps.
| @@ -17,10 +17,13 @@ | |||
| #include <botan/tls_session.h> | |||
| #include <botan/tls_signature_scheme.h> | |||
This comment was marked as resolved.
This comment was marked as resolved.
Sorry, something went wrong.
|
Thanks @KaganCanSit |
ec96b52 to
9b32fa2
Compare
9b32fa2 to
f980244
Compare
No description provided.