[openssl-commits] [openssl] master update
Emilia Kasper
emilia at openssl.org
Fri Oct 9 10:05:09 UTC 2015
The branch master has been updated
via 3149baf83cb703f060b1e6eeb440a45e010a626b (commit)
from 329428708d6836676f6a7078aa2e2a1db9a1addb (commit)
- Log -----------------------------------------------------------------
commit 3149baf83cb703f060b1e6eeb440a45e010a626b
Author: Adam Eijdenberg <eijdenberg at google.com>
Date: Tue Sep 15 09:13:48 2015 -0700
Initial commit for Certificate Transparency support
Original authors:
Rob Stradling <rob at comodo.com>
Dr. Stephen Henson <steve at openssl.org>
Reviewed-by: Emilia Kasper <emilia at openssl.org>
Reviewed-by: Rich Salz <rsalz at openssl.org>
-----------------------------------------------------------------------
Summary of changes:
Makefile.org | 2 +-
crypto/ct/Makefile | 83 +++++++++++
crypto/{ecdh/ech_err.c => ct/ct_err.c} | 37 ++---
crypto/ct/ct_lib.c | 208 ++++++++++++++++++++++++++++
crypto/ct/ct_locl.h | 242 +++++++++++++++++++++++++++++++++
crypto/err/openssl.ec | 1 +
crypto/x509v3/Makefile | 2 +-
crypto/x509v3/v3_lib.c | 2 +-
crypto/x509v3/v3_scts.c | 52 ++-----
include/openssl/err.h | 2 +
10 files changed, 572 insertions(+), 59 deletions(-)
create mode 100644 crypto/ct/Makefile
copy crypto/{ecdh/ech_err.c => ct/ct_err.c} (73%)
create mode 100644 crypto/ct/ct_lib.c
create mode 100644 crypto/ct/ct_locl.h
diff --git a/Makefile.org b/Makefile.org
index b6bce44..3ecc5c5 100644
--- a/Makefile.org
+++ b/Makefile.org
@@ -143,7 +143,7 @@ SDIRS= \
bn ec rsa dsa ecdsa dh ecdh dso engine \
buffer bio stack lhash rand err \
evp asn1 pem x509 x509v3 conf txt_db pkcs7 pkcs12 comp ocsp ui \
- cms pqueue ts jpake srp store cmac
+ cms pqueue ts jpake srp store cmac ct
# keep in mind that the above list is adjusted by ./Configure
# according to no-xxx arguments...
diff --git a/crypto/ct/Makefile b/crypto/ct/Makefile
new file mode 100644
index 0000000..ce3a6b1
--- /dev/null
+++ b/crypto/ct/Makefile
@@ -0,0 +1,83 @@
+#
+# OpenSSL/crypto/ct/Makefile
+#
+
+DIR= ct
+TOP= ../..
+CC= cc
+INCLUDES= -I.. -I$(TOP) -I../../include
+CFLAG=-g
+MAKEFILE= Makefile
+AR= ar r
+
+CFLAGS= $(INCLUDES) $(CFLAG)
+
+GENERAL=Makefile
+
+LIB=$(TOP)/libcrypto.a
+LIBSRC= ct_lib.c
+LIBOBJ= ct_lib.o
+
+SRC= $(LIBSRC)
+
+HEADER= ct_lcl.h
+
+ALL= $(GENERAL) $(SRC) $(HEADER)
+
+top:
+ (cd ../..; $(MAKE) DIRS=crypto SDIRS=$(DIR) sub_all)
+
+test:
+
+all: lib
+
+lib: $(LIBOBJ)
+ $(AR) $(LIB) $(LIBOBJ)
+ $(RANLIB) $(LIB) || echo Never mind.
+ @touch lib
+
+files:
+ $(PERL) $(TOP)/util/files.pl Makefile >> $(TOP)/MINFO
+
+tags:
+ ctags $(SRC)
+
+lint:
+ lint -DLINT $(INCLUDES) $(SRC)>fluff
+
+update: depend
+
+depend:
+ @[ -n "$(MAKEDEPEND)" ] # should be set by upper Makefile...
+ $(MAKEDEPEND) -- $(CFLAG) $(INCLUDES) $(DEPFLAG) -- $(PROGS) $(LIBSRC)
+
+dclean:
+ $(PERL) -pe 'if (/^# DO NOT DELETE THIS LINE/) {print; exit(0);}' $(MAKEFILE) >Makefile.new
+ mv -f Makefile.new $(MAKEFILE)
+
+clean:
+ rm -f *.o *.obj lib tags core .pure .nfs* *.old *.bak fluff
+
+# DO NOT DELETE THIS LINE -- make depend depends on it.
+
+ct_lib.o: ../../e_os.h ../../include/openssl/asn1.h ../../include/openssl/bio.h
+ct_lib.o: ../../include/openssl/bn.h ../../include/openssl/buffer.h
+ct_lib.o: ../../include/openssl/comp.h ../../include/openssl/crypto.h
+ct_lib.o: ../../include/openssl/dsa.h ../../include/openssl/dtls1.h
+ct_lib.o: ../../include/openssl/e_os2.h ../../include/openssl/ec.h
+ct_lib.o: ../../include/openssl/ecdh.h ../../include/openssl/ecdsa.h
+ct_lib.o: ../../include/openssl/err.h ../../include/openssl/evp.h
+ct_lib.o: ../../include/openssl/hmac.h ../../include/openssl/lhash.h
+ct_lib.o: ../../include/openssl/obj_mac.h ../../include/openssl/objects.h
+ct_lib.o: ../../include/openssl/opensslconf.h ../../include/openssl/opensslv.h
+ct_lib.o: ../../include/openssl/ossl_typ.h ../../include/openssl/pem.h
+ct_lib.o: ../../include/openssl/pem2.h ../../include/openssl/pkcs7.h
+ct_lib.o: ../../include/openssl/pqueue.h ../../include/openssl/rsa.h
+ct_lib.o: ../../include/openssl/safestack.h ../../include/openssl/sha.h
+ct_lib.o: ../../include/openssl/srtp.h ../../include/openssl/ssl.h
+ct_lib.o: ../../include/openssl/ssl2.h ../../include/openssl/ssl3.h
+ct_lib.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h
+ct_lib.o: ../../include/openssl/tls1.h ../../include/openssl/x509.h
+ct_lib.o: ../../include/openssl/x509_vfy.h ../../ssl/packet_locl.h
+ct_lib.o: ../../ssl/record/record.h ../../ssl/ssl_locl.h
+ct_lib.o: ../include/internal/cryptlib.h ct_lib.c ct_locl.h
diff --git a/crypto/ecdh/ech_err.c b/crypto/ct/ct_err.c
similarity index 73%
copy from crypto/ecdh/ech_err.c
copy to crypto/ct/ct_err.c
index 4781076..d2781c5 100644
--- a/crypto/ecdh/ech_err.c
+++ b/crypto/ct/ct_err.c
@@ -1,6 +1,6 @@
-/* crypto/ecdh/ech_err.c */
+/* crypto/ct/ct_err.c */
/* ====================================================================
- * Copyright (c) 1999-2006 The OpenSSL Project. All rights reserved.
+ * Copyright (c) 1999-2015 The OpenSSL Project. All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
@@ -61,36 +61,41 @@
#include <stdio.h>
#include <openssl/err.h>
-#include <openssl/ecdh.h>
+#include <openssl/ct_locl.h>
/* BEGIN ERROR CODES */
#ifndef OPENSSL_NO_ERR
-# define ERR_FUNC(func) ERR_PACK(ERR_LIB_ECDH,func,0)
-# define ERR_REASON(reason) ERR_PACK(ERR_LIB_ECDH,0,reason)
+# define ERR_FUNC(func) ERR_PACK(ERR_LIB_CT,func,0)
+# define ERR_REASON(reason) ERR_PACK(ERR_LIB_CT,0,reason)
-static ERR_STRING_DATA ECDH_str_functs[] = {
- {ERR_FUNC(ECDH_F_ECDH_COMPUTE_KEY), "ECDH_compute_key"},
- {ERR_FUNC(ECDH_F_ECDH_DATA_NEW_METHOD), "ECDH_DATA_new_method"},
+static ERR_STRING_DATA CT_str_functs[] = {
+ {ERR_FUNC(CT_F_SCT_NEW), "SCT_new"},
+ {ERR_FUNC(CT_F_SCT_SET0_LOG_ID), "SCT_set0_log_id"},
+ {ERR_FUNC(CT_F_SCT_SET_LOG_ENTRY_TYPE), "SCT_set_log_entry_type"},
+ {ERR_FUNC(CT_F_SCT_SET_SIGNATURE_NID), "SCT_set_signature_nid"},
+ {ERR_FUNC(CT_F_SCT_SET_VERSION), "SCT_set_version"},
{0, NULL}
};
-static ERR_STRING_DATA ECDH_str_reasons[] = {
- {ERR_REASON(ECDH_R_KDF_FAILED), "KDF failed"},
- {ERR_REASON(ECDH_R_NO_PRIVATE_VALUE), "no private value"},
- {ERR_REASON(ECDH_R_POINT_ARITHMETIC_FAILURE), "point arithmetic failure"},
+static ERR_STRING_DATA CT_str_reasons[] = {
+ {ERR_REASON(CT_R_INVALID_LOG_ID_LENGTH), "invalid log id length"},
+ {ERR_REASON(CT_R_UNRECOGNIZED_SIGNATURE_NID),
+ "unrecognized signature nid"},
+ {ERR_REASON(CT_R_UNSUPPORTED_ENTRY_TYPE), "unsupported entry type"},
+ {ERR_REASON(CT_R_UNSUPPORTED_VERSION), "unsupported version"},
{0, NULL}
};
#endif
-void ERR_load_ECDH_strings(void)
+void ERR_load_CT_strings(void)
{
#ifndef OPENSSL_NO_ERR
- if (ERR_func_error_string(ECDH_str_functs[0].error) == NULL) {
- ERR_load_strings(0, ECDH_str_functs);
- ERR_load_strings(0, ECDH_str_reasons);
+ if (ERR_func_error_string(CT_str_functs[0].error) == NULL) {
+ ERR_load_strings(0, CT_str_functs);
+ ERR_load_strings(0, CT_str_reasons);
}
#endif
}
diff --git a/crypto/ct/ct_lib.c b/crypto/ct/ct_lib.c
new file mode 100644
index 0000000..7945745
--- /dev/null
+++ b/crypto/ct/ct_lib.c
@@ -0,0 +1,208 @@
+/*
+ * Written by Rob Stradling (rob at comodo.com) and Stephen Henson
+ * (steve at openssl.org) for the OpenSSL project 2014.
+ */
+/* ====================================================================
+ * Copyright (c) 2014 The OpenSSL Project. All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in
+ * the documentation and/or other materials provided with the
+ * distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ * software must display the following acknowledgment:
+ * "This product includes software developed by the OpenSSL Project
+ * for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ * endorse or promote products derived from this software without
+ * prior written permission. For written permission, please contact
+ * licensing at OpenSSL.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ * nor may "OpenSSL" appear in their names without prior written
+ * permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ * acknowledgment:
+ * "This product includes software developed by the OpenSSL Project
+ * for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ====================================================================
+ *
+ * This product includes cryptographic software written by Eric Young
+ * (eay at cryptsoft.com). This product includes software written by Tim
+ * Hudson (tjh at cryptsoft.com).
+ *
+ */
+
+#ifndef OPENSSL_NO_CT
+
+# include <limits.h>
+# include "internal/cryptlib.h"
+# include "../ssl/ssl_locl.h"
+# include "ct_locl.h"
+
+SCT *SCT_new(void)
+{
+ SCT *sct = OPENSSL_zalloc(sizeof(SCT));
+ if (sct == NULL) {
+ CTerr(CT_F_SCT_NEW, ERR_R_MALLOC_FAILURE);
+ return NULL;
+ }
+ sct->entry_type = UNSET_ENTRY;
+ sct->version = UNSET_VERSION;
+ return sct;
+}
+
+void SCT_free(SCT *sct)
+{
+ if (sct) {
+ OPENSSL_free(sct->log_id);
+ OPENSSL_free(sct->ext);
+ OPENSSL_free(sct->sig);
+ OPENSSL_free(sct->sct);
+ OPENSSL_free(sct);
+ }
+}
+
+int SCT_set_version(SCT *sct, sct_version_t version)
+{
+ if (version != SCT_V1) {
+ CTerr(CT_F_SCT_SET_VERSION, CT_R_UNSUPPORTED_VERSION);
+ return 0;
+ }
+ sct->version = version;
+ return 1;
+}
+
+int SCT_set_log_entry_type(SCT *sct, log_entry_type_t entry_type)
+{
+ if (entry_type != X509_ENTRY && entry_type != PRECERT_ENTRY) {
+ CTerr(CT_F_SCT_SET_LOG_ENTRY_TYPE, CT_R_UNSUPPORTED_ENTRY_TYPE);
+ return 0;
+ }
+ sct->entry_type = entry_type;
+ return 1;
+}
+
+int SCT_set0_log_id(SCT *sct, unsigned char *log_id, size_t log_id_len)
+{
+ /* Currently only SHA-256 allowed so length must be SCT_V1_HASHLEN */
+ if (log_id_len != SCT_V1_HASHLEN) {
+ CTerr(CT_F_SCT_SET0_LOG_ID, CT_R_INVALID_LOG_ID_LENGTH);
+ return 0;
+ }
+ OPENSSL_free(sct->log_id);
+ sct->log_id = log_id;
+ sct->log_id_len = log_id_len;
+ return 1;
+}
+
+void SCT_set_timestamp(SCT *sct, uint64_t timestamp)
+{
+ sct->timestamp = timestamp;
+}
+
+int SCT_set_signature_nid(SCT *sct, int nid)
+{
+ switch (nid) {
+ case NID_sha256WithRSAEncryption:
+ sct->hash_alg = TLSEXT_hash_sha256;
+ sct->sig_alg = TLSEXT_signature_rsa;
+ return 1;
+ case NID_ecdsa_with_SHA256:
+ sct->hash_alg = TLSEXT_hash_sha256;
+ sct->sig_alg = TLSEXT_signature_ecdsa;
+ return 1;
+ default:
+ CTerr(CT_F_SCT_SET_SIGNATURE_NID, CT_R_UNRECOGNIZED_SIGNATURE_NID);
+ return 0;
+ }
+}
+
+void SCT_set0_extensions(SCT *sct, unsigned char *ext, size_t ext_len)
+{
+ OPENSSL_free(sct->ext);
+ sct->ext = ext;
+ sct->ext_len = ext_len;
+}
+
+void SCT_set0_signature(SCT *sct, unsigned char *sig, size_t sig_len)
+{
+ OPENSSL_free(sct->sig);
+ sct->sig = sig;
+ sct->sig_len = sig_len;
+}
+
+sct_version_t SCT_get_version(const SCT *sct)
+{
+ return sct->version;
+}
+
+log_entry_type_t SCT_get_log_entry_type(const SCT *sct)
+{
+ return sct->entry_type;
+}
+
+size_t SCT_get0_log_id(const SCT *sct, unsigned char **log_id)
+{
+ *log_id = sct->log_id;
+ return sct->log_id_len;
+}
+
+uint64_t SCT_get_timestamp(const SCT *sct)
+{
+ return sct->timestamp;
+}
+
+int SCT_get_signature_nid(const SCT *sct)
+{
+ if (sct->version == SCT_V1) {
+ if (sct->hash_alg == TLSEXT_hash_sha256) {
+ switch (sct->sig_alg) {
+ case TLSEXT_signature_ecdsa:
+ return NID_ecdsa_with_SHA256;
+ case TLSEXT_signature_rsa:
+ return NID_sha256WithRSAEncryption;
+ default:
+ return NID_undef;
+ }
+ }
+ }
+ return NID_undef;
+}
+
+size_t SCT_get0_extensions(const SCT *sct, unsigned char **ext)
+{
+ *ext = sct->ext;
+ return sct->ext_len;
+}
+
+size_t SCT_get0_signature(const SCT *sct, unsigned char **sig)
+{
+ *sig = sct->sig;
+ return sct->sig_len;
+}
+
+#endif
diff --git a/crypto/ct/ct_locl.h b/crypto/ct/ct_locl.h
new file mode 100644
index 0000000..a616433
--- /dev/null
+++ b/crypto/ct/ct_locl.h
@@ -0,0 +1,242 @@
+/* crypto/ct/ct_locl.h */
+/*
+ * Written by Dr Stephen N Henson (steve at openssl.org) for the OpenSSL project
+ * 2015.
+ */
+/* ====================================================================
+ * Copyright (c) 2015 The OpenSSL Project. All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in
+ * the documentation and/or other materials provided with the
+ * distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ * software must display the following acknowledgment:
+ * "This product includes software developed by the OpenSSL Project
+ * for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ * endorse or promote products derived from this software without
+ * prior written permission. For written permission, please contact
+ * licensing at OpenSSL.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ * nor may "OpenSSL" appear in their names without prior written
+ * permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ * acknowledgment:
+ * "This product includes software developed by the OpenSSL Project
+ * for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ====================================================================
+ *
+ */
+#ifndef HEADER_CT_LOCL_H
+# define HEADER_CT_LOCL_H
+
+# ifdef __cplusplus
+extern "C" {
+# endif
+
+# ifndef OPENSSL_NO_CT
+
+/* All hashes are currently SHA256 */
+# define SCT_V1_HASHLEN 32
+/* Minimum RSA key size, from RFC6962 */
+# define SCT_MIN_RSA_BITS 2048
+
+/*
+ * From RFC6962: opaque SerializedSCT<1..2^16-1>; struct { SerializedSCT
+ * sct_list <1..2^16-1>; } SignedCertificateTimestampList;
+ */
+
+# define MAX_SCT_SIZE 65535
+# define MAX_SCT_LIST_SIZE MAX_SCT_SIZE
+
+typedef enum {
+ UNSET_ENTRY = -1,
+ X509_ENTRY = 0,
+ PRECERT_ENTRY = 1
+} log_entry_type_t;
+
+typedef enum {
+ UNSET_VERSION = -1,
+ SCT_V1 = 0
+} sct_version_t;
+
+typedef struct {
+ sct_version_t version;
+ /* If version is not SCT_V1 this contains the encoded SCT */
+ unsigned char *sct;
+ size_t sct_len;
+ /*
+ * If version is SCT_V1 fields below contain components of the SCT. "logid",
+ * "ext" and "sig" point to buffers allocated with OPENSSL_malloc().
+ */
+ unsigned char *log_id;
+ size_t log_id_len;
+
+ /*
+ * Note, we cannot distinguish between an unset timestamp, and one
+ * that is set to 0. However since CT didn't exist in 1970, no real
+ * SCT should ever be set as such.
+ */
+ uint64_t timestamp;
+ unsigned char *ext;
+ size_t ext_len;
+ unsigned char hash_alg;
+ unsigned char sig_alg;
+ unsigned char *sig;
+ size_t sig_len;
+ /* Log entry type */
+ log_entry_type_t entry_type;
+} SCT;
+
+DECLARE_STACK_OF(SCT)
+
+/*
+ * Allocate new SCT.
+ * Caller is responsible for calling SCT_free when done.
+ */
+SCT *SCT_new(void);
+
+/*
+ * Free SCT and underlying datastructures.
+ */
+void SCT_free(SCT *sct);
+
+/*
+ * Set the version of an SCT.
+ * Returns 1 on success, 0 if the version is unrecognized.
+ */
+int SCT_set_version(SCT *sct, sct_version_t version);
+
+/*
+ * Set the log entry type of an SCT.
+ * Returns 1 on success.
+ */
+int SCT_set_log_entry_type(SCT *sct, log_entry_type_t entry_type);
+
+/*
+ * Set the log id of an SCT to point directly to the *logid specified.
+ * The SCT takes ownership of the specified pointer.
+ * Returns 1 on success.
+ */
+int SCT_set0_log_id(SCT *sct, unsigned char *log_id, size_t log_id_len);
+
+/*
+ * Set the timestamp of an SCT.
+ */
+void SCT_set_timestamp(SCT *sct, uint64_t timestamp);
+
+/*
+ * Set the signature type of an SCT
+ * Currently NID_sha256WithRSAEncryption or NID_ecdsa_with_SHA256.
+ * Returns 1 on success.
+ */
+int SCT_set_signature_nid(SCT *sct, int nid);
+
+/*
+ * Set the extensions of an SCT to point directly to the *ext specified.
+ * The SCT takes ownership of the specified pointer.
+ */
+void SCT_set0_extensions(SCT *sct, unsigned char *ext, size_t ext_len);
+
+/*
+ * Set the signature of an SCT to point directly to the *sig specified.
+ * The SCT takes ownership of the specified pointer.
+ */
+void SCT_set0_signature(SCT *sct, unsigned char *sig, size_t sig_len);
+
+/*
+ * Returns the version of the SCT.
+ */
+sct_version_t SCT_get_version(const SCT *sct);
+
+/*
+ * Returns the log entry type of the SCT.
+ */
+log_entry_type_t SCT_get_log_entry_type(const SCT *sct);
+
+/*
+ * Set *logid to point to the log id for the SCT. logid must not be NULL.
+ * The SCT retains ownership of this pointer.
+ * Returns length of the data pointed to.
+ */
+size_t SCT_get0_log_id(const SCT *sct, unsigned char **log_id);
+
+/*
+ * Returns the timestamp for the SCT.
+ */
+uint64_t SCT_get_timestamp(const SCT *sct);
+
+/*
+ * Return the nid for the signature used by the SCT.
+ * Currently NID_sha256WithRSAEncryption or NID_ecdsa_with_SHA256 (or NID_undef)
+ */
+int SCT_get_signature_nid(const SCT *sct);
+
+/*
+ * Set *ext to point to the extension data for the SCT. ext must not be NULL.
+ * The SCT retains ownership of this pointer.
+ * Returns length of the data pointed to.
+ */
+size_t SCT_get0_extensions(const SCT *sct, unsigned char **ext);
+
+/*
+ * Set *sig to point to the signature for the SCT. sig must not be NULL.
+ * The SCT retains ownership of this pointer.
+ * Returns length of the data pointed to.
+ */
+size_t SCT_get0_signature(const SCT *sct, unsigned char **sig);
+
+
+# endif
+
+/* BEGIN ERROR CODES */
+/*
+ * The following lines are auto generated by the script mkerr.pl. Any changes
+ * made after this point may be overwritten when the script is next run.
+ */
+void ERR_load_CT_strings(void);
+
+/* Error codes for the CT functions. */
+
+/* Function codes. */
+# define CT_F_SCT_NEW 100
+# define CT_F_SCT_SET0_LOG_ID 101
+# define CT_F_SCT_SET_LOG_ENTRY_TYPE 102
+# define CT_F_SCT_SET_SIGNATURE_NID 103
+# define CT_F_SCT_SET_VERSION 104
+
+/* Reason codes. */
+# define CT_R_INVALID_LOG_ID_LENGTH 100
+# define CT_R_UNRECOGNIZED_SIGNATURE_NID 101
+# define CT_R_UNSUPPORTED_ENTRY_TYPE 102
+# define CT_R_UNSUPPORTED_VERSION 103
+
+#ifdef __cplusplus
+}
+#endif
+#endif
diff --git a/crypto/err/openssl.ec b/crypto/err/openssl.ec
index 8a10b80..08b0c0b 100644
--- a/crypto/err/openssl.ec
+++ b/crypto/err/openssl.ec
@@ -36,6 +36,7 @@ L HMAC include/openssl/hmac.h crypto/hmac/hmac_err.c
L CMS include/openssl/cms.h crypto/cms/cms_err.c
L JPAKE include/openssl/jpake.h crypto/jpake/jpake_err.c
L FIPS include/openssl/fips.h crypto/fips_err.h
+L CT crypto/ct/ct_locl.h crypto/ct/ct_err.c
# additional header files to be scanned for function names
L NONE crypto/x509/x509_vfy.h NONE
diff --git a/crypto/x509v3/Makefile b/crypto/x509v3/Makefile
index 5460af4..87fc083 100644
--- a/crypto/x509v3/Makefile
+++ b/crypto/x509v3/Makefile
@@ -523,7 +523,7 @@ v3_purp.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h
v3_purp.o: ../../include/openssl/x509.h ../../include/openssl/x509_vfy.h
v3_purp.o: ../../include/openssl/x509v3.h ../include/internal/cryptlib.h
v3_purp.o: ../include/internal/x509_int.h v3_purp.c
-v3_scts.o: ../../e_os.h ../../include/openssl/asn1.h
+v3_scts.o: ../../crypto/ct/ct_locl.h ../../e_os.h ../../include/openssl/asn1.h
v3_scts.o: ../../include/openssl/bio.h ../../include/openssl/buffer.h
v3_scts.o: ../../include/openssl/conf.h ../../include/openssl/crypto.h
v3_scts.o: ../../include/openssl/e_os2.h ../../include/openssl/ec.h
diff --git a/crypto/x509v3/v3_lib.c b/crypto/x509v3/v3_lib.c
index 5073575..8d42147 100644
--- a/crypto/x509v3/v3_lib.c
+++ b/crypto/x509v3/v3_lib.c
@@ -152,7 +152,7 @@ static const X509V3_EXT_METHOD *standard_exts[] = {
&v3_idp,
&v3_alt[2],
&v3_freshest_crl,
-#ifndef OPENSSL_NO_SCT
+#ifndef OPENSSL_NO_CT
&v3_ct_scts[0],
&v3_ct_scts[1],
#endif
diff --git a/crypto/x509v3/v3_scts.c b/crypto/x509v3/v3_scts.c
index b1505fe..6d3665c 100644
--- a/crypto/x509v3/v3_scts.c
+++ b/crypto/x509v3/v3_scts.c
@@ -61,8 +61,9 @@
#include <openssl/asn1.h>
#include <openssl/x509v3.h>
#include "ext_dat.h"
+#include "crypto/ct/ct_locl.h"
-#ifndef OPENSSL_NO_SCT
+#ifndef OPENSSL_NO_CT
/* Signature and hash algorithms from RFC 5246 */
#define TLSEXT_hash_sha256 4
@@ -82,27 +83,6 @@
l|=((uint64_t)(*((c)++)))<< 8, \
l|=((uint64_t)(*((c)++))))
-typedef struct SCT_st {
- /* The encoded SCT */
- unsigned char *sct;
- unsigned short sctlen;
- /*
- * Components of the SCT. "logid", "ext" and "sig" point to addresses
- * inside "sct".
- */
- unsigned char version;
- unsigned char *logid;
- unsigned short logidlen;
- uint64_t timestamp;
- unsigned char *ext;
- unsigned short extlen;
- unsigned char hash_alg;
- unsigned char sig_alg;
- unsigned char *sig;
- unsigned short siglen;
-} SCT;
-
-DECLARE_STACK_OF(SCT)
static void SCT_LIST_free(STACK_OF(SCT) *a);
static STACK_OF(SCT) *d2i_SCT_LIST(STACK_OF(SCT) **a,
@@ -162,14 +142,6 @@ static void timestamp_print(BIO *out, uint64_t timestamp)
ASN1_GENERALIZEDTIME_free(gen);
}
-static void SCT_free(SCT *sct)
-{
- if (!sct)
- return;
- OPENSSL_free(sct->sct);
- OPENSSL_free(sct);
-}
-
static void SCT_LIST_free(STACK_OF(SCT) *a)
{
sk_SCT_pop_free(a, SCT_free);
@@ -219,7 +191,7 @@ static STACK_OF(SCT) *d2i_SCT_LIST(STACK_OF(SCT) **a,
if (!sct->sct)
goto err;
memcpy(sct->sct, p, sctlen);
- sct->sctlen = sctlen;
+ sct->sct_len = sctlen;
p += sctlen;
p2 = sct->sct;
@@ -237,8 +209,8 @@ static STACK_OF(SCT) *d2i_SCT_LIST(STACK_OF(SCT) **a,
goto err;
sctlen -= 43;
- sct->logid = p2;
- sct->logidlen = 32;
+ sct->log_id = p2;
+ sct->log_id_len = 32;
p2 += 32;
n2l8(p2, sct->timestamp);
@@ -247,7 +219,7 @@ static STACK_OF(SCT) *d2i_SCT_LIST(STACK_OF(SCT) **a,
if (sctlen < fieldlen)
goto err;
sct->ext = p2;
- sct->extlen = fieldlen;
+ sct->ext_len = fieldlen;
p2 += fieldlen;
sctlen -= fieldlen;
@@ -267,7 +239,7 @@ static STACK_OF(SCT) *d2i_SCT_LIST(STACK_OF(SCT) **a,
if (sctlen != fieldlen)
goto err;
sct->sig = p2;
- sct->siglen = fieldlen;
+ sct->sig_len = fieldlen;
}
}
@@ -298,25 +270,25 @@ static int i2r_SCT_LIST(X509V3_EXT_METHOD *method, STACK_OF(SCT) *sct_list,
BIO_printf(out, "v1(0)");
BIO_printf(out, "\n%*sLog ID : ", indent + 4, "");
- BIO_hex_string(out, indent + 16, 16, sct->logid, sct->logidlen);
+ BIO_hex_string(out, indent + 16, 16, sct->log_id, sct->log_id_len);
BIO_printf(out, "\n%*sTimestamp : ", indent + 4, "");
timestamp_print(out, sct->timestamp);
BIO_printf(out, "\n%*sExtensions: ", indent + 4, "");
- if (sct->extlen == 0)
+ if (sct->ext_len == 0)
BIO_printf(out, "none");
else
- BIO_hex_string(out, indent + 16, 16, sct->ext, sct->extlen);
+ BIO_hex_string(out, indent + 16, 16, sct->ext, sct->ext_len);
BIO_printf(out, "\n%*sSignature : ", indent + 4, "");
tls12_signature_print(out, sct->hash_alg, sct->sig_alg);
BIO_printf(out, "\n%*s ", indent + 4, "");
- BIO_hex_string(out, indent + 16, 16, sct->sig, sct->siglen);
+ BIO_hex_string(out, indent + 16, 16, sct->sig, sct->sig_len);
} else { /* Unknown version */
BIO_printf(out, "unknown\n%*s", indent + 16, "");
- BIO_hex_string(out, indent + 16, 16, sct->sct, sct->sctlen);
+ BIO_hex_string(out, indent + 16, 16, sct->sct, sct->sct_len);
}
if (++i < sk_SCT_num(sct_list))
diff --git a/include/openssl/err.h b/include/openssl/err.h
index e17706c..4c6d8d4 100644
--- a/include/openssl/err.h
+++ b/include/openssl/err.h
@@ -193,6 +193,7 @@ typedef struct err_state_st {
# define ERR_LIB_TS 47
# define ERR_LIB_HMAC 48
# define ERR_LIB_JPAKE 49
+# define ERR_LIB_CT 50
# define ERR_LIB_USER 128
@@ -229,6 +230,7 @@ typedef struct err_state_st {
# define TSerr(f,r) ERR_PUT_error(ERR_LIB_TS,(f),(r),__FILE__,__LINE__)
# define HMACerr(f,r) ERR_PUT_error(ERR_LIB_HMAC,(f),(r),__FILE__,__LINE__)
# define JPAKEerr(f,r) ERR_PUT_error(ERR_LIB_JPAKE,(f),(r),__FILE__,__LINE__)
+# define CTerr(f,r) ERR_PUT_error(ERR_LIB_CT,(f),(r),__FILE__,__LINE__)
/*
* Borland C seems too stupid to be able to shift and do longs in the
More information about the openssl-commits
mailing list