author | pkasting@chromium.org <pkasting@chromium.org@0039d316-1c4b-4281-b951-d872f2087c98> | 2011-09-22 19:03:12 +0000 |
---|---|---|
committer | pkasting@chromium.org <pkasting@chromium.org@0039d316-1c4b-4281-b951-d872f2087c98> | 2011-09-22 19:03:12 +0000 |
commit | 619864aa8a68195cd58a6bc63b33d7a3c08520ba (patch) | |
tree | 50716a661a9af6ed5a21b06ac71a8d62b8524b7c /net | |
parent | 653dc46f668da5aed227aafe39ec66fada3df230 (diff) | |
Revert 102322 - For the SSL cert status, convert anonymous enum that gives bit values into a typedefed uint32. This allows code all over Chromium to use an explicit type instead of "int". (This isn't possible by simply naming the enum as technically the enum doesn't define all of the possible combinations of bits.) This also means the individual named bit constants themselves have the same explicit type. I find the resulting code to be noticeably clearer. This also exposed a bug in SSLErrorInfo::GetErrorsForCertStatus() where not having an explicit type allowed a function argument ordering bug to creep in, so I claim this is safer too.
I also added CERT_STATUS_NO_ERROR in place of "0" as a magic number.
Normally this makes things like DCHECK_EQ() unhappy, but when I'd originally tested this I didn't seem to need to make any changes due to that. Will be watching the trybots...
The original motivation for this change was to find a way to eliminate some cases of passing anonymous-typed values as template arguments (which happens when you use a value from the enum in e.g. EXPECT_EQ()), which is technically illegal in C++03, though we don't warn about it. Simply naming the enum would have done this, but this would have encouraged readers to actually use the enum name as a type, which for a bitfield is inappropriate for the reason given in the first paragraph.
BUG=92247
TEST=Compiles
Review URL: http://codereview.chromium.org/7819009
TBR=pkasting@chromium.org
Review URL: http://codereview.chromium.org/7995014
git-svn-id: svn://svn.chromium.org/chrome/trunk/src@102325 0039d316-1c4b-4281-b951-d872f2087c98
Diffstat (limited to 'net')
-rw-r--r-- | net/base/cert_status_flags.cc | 6 | ||||
-rw-r--r-- | net/base/cert_status_flags.h | 60 | ||||
-rw-r--r-- | net/base/cert_verify_result.h | 3 | ||||
-rw-r--r-- | net/base/ssl_config_service.cc | 4 | ||||
-rw-r--r-- | net/base/ssl_config_service.h | 7 | ||||
-rw-r--r-- | net/base/ssl_info.h | 3 | ||||
-rw-r--r-- | net/base/x509_certificate_mac.cc | 2 | ||||
-rw-r--r-- | net/base/x509_certificate_nss.cc | 6 | ||||
-rw-r--r-- | net/base/x509_certificate_openssl.cc | 4 | ||||
-rw-r--r-- | net/base/x509_certificate_unittest.cc | 18 | ||||
-rw-r--r-- | net/base/x509_certificate_win.cc | 2 | ||||
-rw-r--r-- | net/http/http_network_transaction_unittest.cc | 2 | ||||
-rw-r--r-- | net/http/http_response_info.cc | 6 | ||||
-rw-r--r-- | net/http/http_transaction_unittest.h | 2 | ||||
-rw-r--r-- | net/socket/ssl_client_socket_mac.cc | 2 | ||||
-rw-r--r-- | net/socket/ssl_client_socket_nss.cc | 2 | ||||
-rw-r--r-- | net/socket/ssl_client_socket_openssl.cc | 2 | ||||
-rw-r--r-- | net/socket/ssl_client_socket_win.cc | 2 |
18 files changed, 63 insertions, 70 deletions
diff --git a/net/base/cert_status_flags.cc b/net/base/cert_status_flags.cc
index c34eb1b..a6bdce4 100644
--- a/net/base/cert_status_flags.cc
+++ b/net/base/cert_status_flags.cc
@@ -1,4 +1,4 @@
-// Copyright (c) 2011 The Chromium Authors. All rights reserved.
+// Copyright (c) 2009 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be // found in the LICENSE file.
@@ -9,7 +9,7 @@ namespace net {
-CertStatus MapNetErrorToCertStatus(int error) {
+int MapNetErrorToCertStatus(int error) {
 switch (error) { case ERR_CERT_COMMON_NAME_INVALID: return CERT_STATUS_COMMON_NAME_INVALID;
@@ -40,7 +40,7 @@ CertStatus MapNetErrorToCertStatus(int error) { } }
-int MapCertStatusToNetError(CertStatus cert_status) {
+int MapCertStatusToNetError(int cert_status) {
 // A certificate may have multiple errors. We report the most // serious error.
diff --git a/net/base/cert_status_flags.h b/net/base/cert_status_flags.h
index 7ad90be..5303af1 100644
--- a/net/base/cert_status_flags.h
+++ b/net/base/cert_status_flags.h
@@ -1,4 +1,4 @@
-// Copyright (c) 2011 The Chromium Authors. All rights reserved.
+// Copyright (c) 2006-2008 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be // found in the LICENSE file.
@@ -6,49 +6,45 @@ #define NET_BASE_CERT_STATUS_FLAGS_H_ #pragma once
-#include "base/basictypes.h"
-
 namespace net {
-// Bitmask of status flags of a certificate, representing any errors, as well as
-// other non-error status information such as whether the certificate is EV.
-typedef uint32 CertStatus;
-
-// The possible status bits for CertStatus.
-// NOTE: Because these names have appeared in bug reports, we preserve them as
-// MACRO_STYLE for continuity, instead of renaming them to kConstantStyle as
-// befits most static consts.
-// Bits 0 to 15 are for errors.
-static const CertStatus CERT_STATUS_ALL_ERRORS = 0xFFFF;
-static const CertStatus CERT_STATUS_COMMON_NAME_INVALID = 1 << 0;
-static const CertStatus CERT_STATUS_DATE_INVALID = 1 << 1;
-static const CertStatus CERT_STATUS_AUTHORITY_INVALID = 1 << 2;
-// 1 << 3 is reserved for ERR_CERT_CONTAINS_ERRORS (not useful with WinHTTP).
-static const CertStatus CERT_STATUS_NO_REVOCATION_MECHANISM = 1 << 4;
-static const CertStatus CERT_STATUS_UNABLE_TO_CHECK_REVOCATION = 1 << 5;
-static const CertStatus CERT_STATUS_REVOKED = 1 << 6;
-static const CertStatus CERT_STATUS_INVALID = 1 << 7;
-static const CertStatus CERT_STATUS_WEAK_SIGNATURE_ALGORITHM = 1 << 8;
-static const CertStatus CERT_STATUS_NOT_IN_DNS = 1 << 9;
-static const CertStatus CERT_STATUS_NON_UNIQUE_NAME = 1 << 10;
-
-// Bits 16 to 31 are for non-error statuses.
-static const CertStatus CERT_STATUS_IS_EV = 1 << 16;
-static const CertStatus CERT_STATUS_REV_CHECKING_ENABLED = 1 << 17;
-static const CertStatus CERT_STATUS_IS_DNSSEC = 1 << 18;
+// Status flags, such as errors and extended validation.
+enum {
+ // Bits 0 to 15 are for errors.
+ CERT_STATUS_ALL_ERRORS = 0xFFFF,
+ CERT_STATUS_COMMON_NAME_INVALID = 1 << 0,
+ CERT_STATUS_DATE_INVALID = 1 << 1,
+ CERT_STATUS_AUTHORITY_INVALID = 1 << 2,
+ // 1 << 3 is reserved for ERR_CERT_CONTAINS_ERRORS (not useful with WinHTTP).
+ CERT_STATUS_NO_REVOCATION_MECHANISM = 1 << 4,
+ CERT_STATUS_UNABLE_TO_CHECK_REVOCATION = 1 << 5,
+ CERT_STATUS_REVOKED = 1 << 6,
+ CERT_STATUS_INVALID = 1 << 7,
+ CERT_STATUS_WEAK_SIGNATURE_ALGORITHM = 1 << 8,
+ CERT_STATUS_NOT_IN_DNS = 1 << 9,
+ CERT_STATUS_NON_UNIQUE_NAME = 1 << 10,
+
+ // Bits 16 to 30 are for non-error statuses.
+ CERT_STATUS_IS_EV = 1 << 16,
+ CERT_STATUS_REV_CHECKING_ENABLED = 1 << 17,
+ CERT_STATUS_IS_DNSSEC = 1 << 18,
+
+ // 1 << 31 (the sign bit) is reserved so that the cert status will never be
+ // negative.
+};
 // Returns true if the specified cert status has an error set.
-static inline bool IsCertStatusError(CertStatus status) {
+static inline bool IsCertStatusError(int status) {
 return (CERT_STATUS_ALL_ERRORS & status) != 0; } // Maps a network error code to the equivalent certificate status flag. If // the error code is not a certificate error, it is mapped to 0.
-CertStatus MapNetErrorToCertStatus(int error);
+int MapNetErrorToCertStatus(int error);
 // Maps the most serious certificate error in the certificate status flags // to the equivalent network error code.
-int MapCertStatusToNetError(CertStatus cert_status);
+int MapCertStatusToNetError(int cert_status);
 } // namespace net
diff --git a/net/base/cert_verify_result.h b/net/base/cert_verify_result.h
index e038b57..aa65500 100644
--- a/net/base/cert_verify_result.h
+++ b/net/base/cert_verify_result.h
@@ -8,7 +8,6 @@ #include <vector>
-#include "net/base/cert_status_flags.h"
 #include "net/base/net_export.h" #include "base/memory/ref_counted.h" #include "net/base/x509_cert_types.h"
@@ -37,7 +36,7 @@ class NET_EXPORT CertVerifyResult { // these status flags apply to the certificate chain returned in // |verified_cert|, rather than the originally supplied certificate // chain.
- CertStatus cert_status;
+ int cert_status;
 // Properties of the certificate chain. bool has_md5;
diff --git a/net/base/ssl_config_service.cc b/net/base/ssl_config_service.cc
index 8631bc9..29e1b79 100644
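Review bot: In the cert_status_flags.h hunk, `MapNetErrorToCertStatus(int)` and `MapCertStatusToNetError(int)` now both take and return plain `int`, so a net error code and a cert-status bitmask can be passed in each other's place without any compiler diagnostic. The commit description itself says the typed version had exposed an argument-ordering bug of this kind in SSLErrorInfo::GetErrorsForCertStatus(), which is not among the files shown here, so whether that bug is back after the revert cannot be told from this page. While the status stays `int`, I would spell out the contract at the declarations, e.g. `// |cert_status| is a bitmask of CERT_STATUS_* bits, not a net error code.` above `MapCertStatusToNetError` and `IsCertStatusError`. The new enum comment reserves `1 << 31` so the status is never negative, but nothing in the visible code enforces that invariant.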
--- a/net/base/ssl_config_service.cc
+++ b/net/base/ssl_config_service.cc
@@ -26,7 +26,7 @@ SSLConfig::~SSLConfig() { } bool SSLConfig::IsAllowedBadCert(X509Certificate* cert,
- CertStatus* cert_status) const {
+ int* cert_status) const {
 std::string der_cert; if (!cert->GetDEREncoded(&der_cert)) return false;
@@ -34,7 +34,7 @@ bool SSLConfig::IsAllowedBadCert(X509Certificate* cert, } bool SSLConfig::IsAllowedBadCert(const base::StringPiece& der_cert,
- CertStatus* cert_status) const {
+ int* cert_status) const {
 for (size_t i = 0; i < allowed_bad_certs.size(); ++i) { if (der_cert == allowed_bad_certs[i].der_cert) { if (cert_status)
diff --git a/net/base/ssl_config_service.h b/net/base/ssl_config_service.h
index 3e32587..b5c4a54 100644
--- a/net/base/ssl_config_service.h
+++ b/net/base/ssl_config_service.h
@@ -12,7 +12,6 @@ #include "base/memory/ref_counted.h" #include "base/observer_list.h" #include "base/string_piece.h"
-#include "net/base/cert_status_flags.h"
 #include "net/base/net_export.h" #include "net/base/x509_certificate.h"
@@ -28,12 +27,12 @@ struct NET_EXPORT SSLConfig { // Returns true if |cert| is one of the certs in |allowed_bad_certs|. // The expected cert status is written to |cert_status|. |*cert_status| can // be NULL if user doesn't care about the cert status.
- bool IsAllowedBadCert(X509Certificate* cert, CertStatus* cert_status) const;
+ bool IsAllowedBadCert(X509Certificate* cert, int* cert_status) const;
 // Same as above except works with DER encoded certificates instead // of X509Certificate. bool IsAllowedBadCert(const base::StringPiece& der_cert,
- CertStatus* cert_status) const;
+ int* cert_status) const;
 bool rev_checking_enabled; // True if server certificate revocation // checking is enabled.
@@ -78,7 +77,7 @@ struct NET_EXPORT SSLConfig { ~CertAndStatus(); std::string der_cert;
- CertStatus cert_status;
+ int cert_status;
 }; // Add any known-bad SSL certificate (with its cert status) to
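Review bot: The contract comment above the first `IsAllowedBadCert` declaration in ssl_config_service.h says `|*cert_status| can be NULL`, but it is the pointer `|cert_status|` that may be NULL, and the comment does not say what happens to the output when no match is found. The ssl_config_service.cc hunk shows the X509Certificate overload returning false before anything is written, and the four `DoVerifyCert` callers touched by this commit declare `int cert_status;` without an initializer, so the "written only on success" rule is worth stating. Suggested wording: `// The expected cert status is written to |*cert_status| only when true is returned. |cert_status| may be NULL if the caller doesn't care about the cert status.` The struct body and the rest of the DER overload continue outside these hunks.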
diff --git a/net/base/ssl_info.h b/net/base/ssl_info.h
index 369784f..9adc76d 100644
--- a/net/base/ssl_info.h
+++ b/net/base/ssl_info.h
@@ -9,7 +9,6 @@ #include <vector> #include "base/memory/ref_counted.h"
-#include "net/base/cert_status_flags.h"
 #include "net/base/net_export.h" #include "net/base/x509_cert_types.h"
@@ -47,7 +46,7 @@ class NET_EXPORT SSLInfo { // Bitmask of status info of |cert|, representing, for example, known errors // and extended validation (EV) status. // See cert_status_flags.h for values.
- CertStatus cert_status;
+ int cert_status;
 // The security strength, in bits, of the SSL cipher suite. // 0 means the connection is not encrypted.
diff --git a/net/base/x509_certificate_mac.cc b/net/base/x509_certificate_mac.cc
index 2c95981..a83e22a 100644
--- a/net/base/x509_certificate_mac.cc
+++ b/net/base/x509_certificate_mac.cc
@@ -56,7 +56,7 @@ int NetErrorFromOSStatus(OSStatus status) { } }
-CertStatus CertStatusFromOSStatus(OSStatus status) {
+int CertStatusFromOSStatus(OSStatus status) {
 switch (status) { case noErr: return 0;
diff --git a/net/base/x509_certificate_nss.cc b/net/base/x509_certificate_nss.cc
index c226132..3b23f93 100644
--- a/net/base/x509_certificate_nss.cc
+++ b/net/base/x509_certificate_nss.cc
@@ -172,7 +172,7 @@ int MapSecurityError(int err) { } // Map PORT_GetError() return values to our cert status flags.
-CertStatus MapCertErrorToCertStatus(int err) {
+int MapCertErrorToCertStatus(int err) {
 switch (err) { case SSL_ERROR_BAD_CERT_DOMAIN: return CERT_STATUS_COMMON_NAME_INVALID;
@@ -952,9 +952,9 @@ int X509Certificate::VerifyInternal(const std::string& hostname, // CERT_PKIXVerifyCert rerports the wrong error code for // expired certificates (NSS bug 491174) if (err == SEC_ERROR_CERT_NOT_VALID &&
- (verify_result->cert_status & CERT_STATUS_DATE_INVALID))
+ (verify_result->cert_status & CERT_STATUS_DATE_INVALID) != 0)
 err = SEC_ERROR_EXPIRED_CERTIFICATE;
- CertStatus cert_status = MapCertErrorToCertStatus(err);
+ int cert_status = MapCertErrorToCertStatus(err);
 if (cert_status) { verify_result->cert_status |= cert_status; return MapCertStatusToNetError(verify_result->cert_status);
diff --git a/net/base/x509_certificate_openssl.cc b/net/base/x509_certificate_openssl.cc
index 0092577..c824dc3 100644
--- a/net/base/x509_certificate_openssl.cc
+++ b/net/base/x509_certificate_openssl.cc
@@ -134,7 +134,7 @@ void ParseSubjectAltName(X509Certificate::OSCertHandle cert, } // Maps X509_STORE_CTX_get_error() return values to our cert status flags.
-CertStatus MapCertErrorToCertStatus(int err) {
+int MapCertErrorToCertStatus(int err) {
 switch (err) { case X509_V_ERR_SUBJECT_ISSUER_MISMATCH: return CERT_STATUS_COMMON_NAME_INVALID;
@@ -463,7 +463,7 @@ int X509Certificate::VerifyInternal(const std::string& hostname, if (X509_verify_cert(ctx.get()) != 1) { int x509_error = X509_STORE_CTX_get_error(ctx.get());
- CertStatus cert_status = MapCertErrorToCertStatus(x509_error);
+ int cert_status = MapCertErrorToCertStatus(x509_error);
 LOG(ERROR) << "X509 Verification error " << X509_verify_cert_error_string(x509_error) << " : " << x509_error
diff --git a/net/base/x509_certificate_unittest.cc b/net/base/x509_certificate_unittest.cc
index de15a9c..ea71dab 100644
--- a/net/base/x509_certificate_unittest.cc
+++ b/net/base/x509_certificate_unittest.cc
@@ -236,7 +236,7 @@ void CheckGoogleCert(const scoped_refptr<X509Certificate>& google_cert, int flags = X509Certificate::VERIFY_REV_CHECKING_ENABLED | X509Certificate::VERIFY_EV_CERT; EXPECT_EQ(OK, google_cert->Verify("www.google.com", flags, &verify_result));
- EXPECT_FALSE(verify_result.cert_status & CERT_STATUS_IS_EV);
+ EXPECT_EQ(0, verify_result.cert_status & CERT_STATUS_IS_EV);
 #endif }
@@ -302,7 +302,7 @@ TEST(X509CertificateTest, WebkitCertParsing) { X509Certificate::VERIFY_EV_CERT; CertVerifyResult verify_result; EXPECT_EQ(OK, webkit_cert->Verify("webkit.org", flags, &verify_result));
- EXPECT_FALSE(verify_result.cert_status & CERT_STATUS_IS_EV);
+ EXPECT_EQ(0, verify_result.cert_status & CERT_STATUS_IS_EV);
 #endif // Test that the wildcard cert matches properly.
@@ -365,12 +365,12 @@ TEST(X509CertificateTest, ThawteCertParsing) { CertVerifyResult verify_result; // EV cert verification requires revocation checking. EXPECT_EQ(OK, thawte_cert->Verify("www.thawte.com", flags, &verify_result));
- EXPECT_TRUE(verify_result.cert_status & CERT_STATUS_IS_EV);
+ EXPECT_NE(0, verify_result.cert_status & CERT_STATUS_IS_EV);
 // Consequently, if we don't have revocation checking enabled, we can't claim // any cert is EV. flags = X509Certificate::VERIFY_EV_CERT; EXPECT_EQ(OK, thawte_cert->Verify("www.thawte.com", flags, &verify_result));
- EXPECT_FALSE(verify_result.cert_status & CERT_STATUS_IS_EV);
+ EXPECT_EQ(0, verify_result.cert_status & CERT_STATUS_IS_EV);
 #endif }
@@ -402,8 +402,8 @@ TEST(X509CertificateTest, PaypalNullCertParsing) { // name mismatch, or our certificate blacklist should cause us to report an // invalid certificate. #if !defined(OS_MACOSX) && !defined(USE_OPENSSL)
- EXPECT_TRUE(verify_result.cert_status &
- (CERT_STATUS_COMMON_NAME_INVALID | CERT_STATUS_INVALID));
+ EXPECT_NE(0, verify_result.cert_status &
+ (CERT_STATUS_COMMON_NAME_INVALID | CERT_STATUS_INVALID));
 #endif }
@@ -499,7 +499,7 @@ TEST(X509CertificateTest, DISABLED_GlobalSignR3EVTest) { X509Certificate::VERIFY_EV_CERT; int error = cert_chain->Verify("2029.globalsign.com", flags, &verify_result); if (error == OK)
- EXPECT_TRUE(verify_result.cert_status & CERT_STATUS_IS_EV);
+ EXPECT_NE(0, verify_result.cert_status & CERT_STATUS_IS_EV);
 else EXPECT_EQ(ERR_CERT_DATE_INVALID, error); }
@@ -696,13 +696,13 @@ TEST(X509CertificateTest, InvalidKeyUsage) { EXPECT_EQ(ERR_CERT_AUTHORITY_INVALID, error); #else EXPECT_EQ(ERR_CERT_INVALID, error);
- EXPECT_TRUE(verify_result.cert_status & CERT_STATUS_INVALID);
+ EXPECT_NE(0, verify_result.cert_status & CERT_STATUS_INVALID);
 #endif // TODO(wtc): fix http://crbug.com/75520 to get all the certificate errors // from NSS. #if !defined(USE_NSS) // The certificate is issued by an unknown CA.
- EXPECT_TRUE(verify_result.cert_status & CERT_STATUS_AUTHORITY_INVALID);
+ EXPECT_NE(0, verify_result.cert_status & CERT_STATUS_AUTHORITY_INVALID);
 #endif }
diff --git a/net/base/x509_certificate_win.cc b/net/base/x509_certificate_win.cc
index 1336f8c..0432d79 100644
--- a/net/base/x509_certificate_win.cc
+++ b/net/base/x509_certificate_win.cc
@@ -95,7 +95,7 @@ int MapSecurityError(SECURITY_STATUS err) { // Map the errors in the chain_context->TrustStatus.dwErrorStatus returned by // CertGetCertificateChain to our certificate status flags. int MapCertChainErrorStatusToCertStatus(DWORD error_status) {
- CertStatus cert_status = 0;
+ int cert_status = 0;
 // We don't include CERT_TRUST_IS_NOT_TIME_NESTED because it's obsolete and // we wouldn't consider it an error anyway
diff --git a/net/http/http_network_transaction_unittest.cc b/net/http/http_network_transaction_unittest.cc
index 81b8718..b66c269 100644
--- a/net/http/http_network_transaction_unittest.cc
+++ b/net/http/http_network_transaction_unittest.cc
@@ -4227,7 +4227,7 @@ TEST_F(HttpNetworkTransactionTest, ResetStateForRestart) { // Setup state in response_ HttpResponseInfo* response = &trans->response_; response->auth_challenge = new AuthChallengeInfo();
- response->ssl_info.cert_status = static_cast<CertStatus>(-1); // Nonsensical.
+ response->ssl_info.cert_status = -15;
 response->response_time = base::Time::Now(); response->was_cached = true; // (Wouldn't ever actually be true...)
diff --git a/net/http/http_response_info.cc b/net/http/http_response_info.cc
index 2496731..a99990b 100644
--- a/net/http/http_response_info.cc
+++ b/net/http/http_response_info.cc
@@ -151,8 +151,8 @@ bool HttpResponseInfo::InitFromPickle(const Pickle& pickle, return false; } if (flags & RESPONSE_INFO_HAS_CERT_STATUS) {
- CertStatus cert_status;
- if (!pickle.ReadUInt32(&iter, &cert_status))
+ int cert_status;
+ if (!pickle.ReadInt(&iter, &cert_status))
 return false; ssl_info.cert_status = cert_status; }
@@ -244,7 +244,7 @@ void HttpResponseInfo::Persist(Pickle* pickle, if (ssl_info.is_valid()) { ssl_info.cert->Persist(pickle);
- pickle->WriteUInt32(ssl_info.cert_status);
+ pickle->WriteInt(ssl_info.cert_status);
 if (ssl_info.security_bits != -1) pickle->WriteInt(ssl_info.security_bits); if (ssl_info.connection_status != 0)
diff --git a/net/http/http_transaction_unittest.h b/net/http/http_transaction_unittest.h
index fa6572a..714f263 100644
--- a/net/http/http_transaction_unittest.h
+++ b/net/http/http_transaction_unittest.h
@@ -62,7 +62,7 @@ struct MockTransaction { const char* data; int test_mode; MockTransactionHandler handler;
- net::CertStatus cert_status;
+ int cert_status;
 }; extern const MockTransaction kSimpleGET_Transaction;
diff --git a/net/socket/ssl_client_socket_mac.cc b/net/socket/ssl_client_socket_mac.cc
index bd13772..96bae2d 100644
--- a/net/socket/ssl_client_socket_mac.cc
+++ b/net/socket/ssl_client_socket_mac.cc
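Review bot: In `HttpResponseInfo::InitFromPickle` the value read from the pickle is copied straight into `ssl_info.cert_status` with no range check, and with `ReadInt` a persisted word with the top bit set now comes back as a negative status, which contradicts the "1 << 31 is reserved so that the cert status will never be negative" invariant documented in cert_status_flags.h. Since the pickle is serialized data that may be stale or corrupted, I would reject such a value at the read, e.g. `if (!pickle.ReadInt(&iter, &cert_status) || cert_status < 0) return false;`. It is also worth confirming that entries persisted with `WriteUInt32` by the reverted revision are read back identically by `ReadInt`; that looks likely if Pickle stores both at the same width, but the Pickle code is not visible here. Both functions start and end outside their hunks.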
@@ -1141,7 +1141,7 @@ int SSLClientSocketMac::DoVerifyCert() { DCHECK(server_cert_); VLOG(1) << "DoVerifyCert...";
- CertStatus cert_status;
+ int cert_status;
 if (ssl_config_.IsAllowedBadCert(server_cert_, &cert_status)) { VLOG(1) << "Received an expected bad cert with status: " << cert_status; server_cert_verify_result_.Reset();
diff --git a/net/socket/ssl_client_socket_nss.cc b/net/socket/ssl_client_socket_nss.cc
index cca0591..879689a 100644
--- a/net/socket/ssl_client_socket_nss.cc
+++ b/net/socket/ssl_client_socket_nss.cc
@@ -1653,7 +1653,7 @@ int SSLClientSocketNSS::DoVerifyCert(int result) { base::StringPiece der_cert( reinterpret_cast<char*>(server_cert_nss_->derCert.data), server_cert_nss_->derCert.len);
- CertStatus cert_status;
+ int cert_status;
 if (ssl_config_.IsAllowedBadCert(der_cert, &cert_status)) { DCHECK(start_cert_verification_time_.is_null()); VLOG(1) << "Received an expected bad cert with status: " << cert_status;
diff --git a/net/socket/ssl_client_socket_openssl.cc b/net/socket/ssl_client_socket_openssl.cc
index 52014ea..c0efab5 100644
--- a/net/socket/ssl_client_socket_openssl.cc
+++ b/net/socket/ssl_client_socket_openssl.cc
@@ -821,7 +821,7 @@ int SSLClientSocketOpenSSL::DoVerifyCert(int result) { DCHECK(server_cert_); GotoState(STATE_VERIFY_CERT_COMPLETE);
- CertStatus cert_status;
+ int cert_status;
 if (ssl_config_.IsAllowedBadCert(server_cert_, &cert_status)) { VLOG(1) << "Received an expected bad cert with status: " << cert_status; server_cert_verify_result_.Reset();
diff --git a/net/socket/ssl_client_socket_win.cc b/net/socket/ssl_client_socket_win.cc
index f1f6ec5..f970068 100644
--- a/net/socket/ssl_client_socket_win.cc
+++ b/net/socket/ssl_client_socket_win.cc
@@ -1157,7 +1157,7 @@ int SSLClientSocketWin::DoVerifyCert() { next_state_ = STATE_VERIFY_CERT_COMPLETE; DCHECK(server_cert_);
- CertStatus cert_status;
+ int cert_status;
 if (ssl_config_.IsAllowedBadCert(server_cert_, &cert_status)) { VLOG(1) << "Received an expected bad cert with status: " << cert_status; server_cert_verify_result_.Reset(); |