[openssl-commits] [openssl] master update
Matt Caswell
matt at openssl.org
Tue Aug 23 19:15:10 UTC 2016
The branch master has been updated
via cdb2a60347f988037d29adc7e4415e9c66c8a5a5 (commit)
from 5579eab9efd2c8e2f21340f9b9fe20ee89f25857 (commit)
- Log -----------------------------------------------------------------
commit cdb2a60347f988037d29adc7e4415e9c66c8a5a5
Author: Rob Percival <robpercival at google.com>
Date: Tue Aug 23 12:52:43 2016 +0100
Internalizes SCT_verify and removes SCT_verify_v1
SCT_verify is impossible to call through the public API (SCT_CTX_new() is
not part of the public API), so rename it to SCT_CTX_verify and move it
out of the public API.
SCT_verify_v1 is redundant, since SCT_validate does the same verification
(by calling SCT_verify) and more. The API is less confusing with a single
verification function (SCT_validate).
Reviewed-by: Rich Salz <rsalz at openssl.org>
Reviewed-by: Matt Caswell <matt at openssl.org>
-----------------------------------------------------------------------
Summary of changes:
crypto/ct/ct_err.c | 3 +--
crypto/ct/ct_locl.h | 7 +++++++
crypto/ct/ct_sct.c | 2 +-
crypto/ct/ct_vfy.c | 46 +++++-----------------------------------------
include/openssl/ct.h | 16 +---------------
util/libcrypto.num | 2 --
6 files changed, 15 insertions(+), 61 deletions(-)
diff --git a/crypto/ct/ct_err.c b/crypto/ct/ct_err.c
index 4349eb4..df232dc 100644
--- a/crypto/ct/ct_err.c
+++ b/crypto/ct/ct_err.c
@@ -45,8 +45,7 @@ static ERR_STRING_DATA CT_str_functs[] = {
{ERR_FUNC(CT_F_SCT_SET_LOG_ENTRY_TYPE), "SCT_set_log_entry_type"},
{ERR_FUNC(CT_F_SCT_SET_SIGNATURE_NID), "SCT_set_signature_nid"},
{ERR_FUNC(CT_F_SCT_SET_VERSION), "SCT_set_version"},
- {ERR_FUNC(CT_F_SCT_VERIFY), "SCT_verify"},
- {ERR_FUNC(CT_F_SCT_VERIFY_V1), "SCT_verify_v1"},
+ {ERR_FUNC(CT_F_SCT_CTX_VERIFY), "SCT_CTX_verify"},
{0, NULL}
};
diff --git a/crypto/ct/ct_locl.h b/crypto/ct/ct_locl.h
index 1180455..6b2fa3e 100644
--- a/crypto/ct/ct_locl.h
+++ b/crypto/ct/ct_locl.h
@@ -151,6 +151,13 @@ __owur int SCT_CTX_set1_issuer_pubkey(SCT_CTX *sctx, X509_PUBKEY *pubkey);
__owur int SCT_CTX_set1_pubkey(SCT_CTX *sctx, X509_PUBKEY *pubkey);
/*
+ * Verifies an SCT with the given context.
+ * Returns 1 if the SCT verifies successfully; any other value indicates
+ * failure. See EVP_DigestVerifyFinal() for the meaning of those values.
+ */
+__owur int SCT_CTX_verify(const SCT_CTX *sctx, const SCT *sct);
+
+/*
* Does this SCT have the minimum fields populated to be usable?
* Returns 1 if so, 0 otherwise.
*/
diff --git a/crypto/ct/ct_sct.c b/crypto/ct/ct_sct.c
index 0867680..65a20c6 100644
--- a/crypto/ct/ct_sct.c
+++ b/crypto/ct/ct_sct.c
@@ -349,7 +349,7 @@ int SCT_validate(SCT *sct, const CT_POLICY_EVAL_CTX *ctx)
if (SCT_CTX_set1_cert(sctx, ctx->cert, NULL) != 1)
sct->validation_status = SCT_VALIDATION_STATUS_UNVERIFIED;
else
- sct->validation_status = SCT_verify(sctx, sct) == 1 ?
+ sct->validation_status = SCT_CTX_verify(sctx, sct) == 1 ?
SCT_VALIDATION_STATUS_VALID : SCT_VALIDATION_STATUS_INVALID;
end:
diff --git a/crypto/ct/ct_vfy.c b/crypto/ct/ct_vfy.c
index 8305ce6..724f655 100644
--- a/crypto/ct/ct_vfy.c
+++ b/crypto/ct/ct_vfy.c
@@ -93,7 +93,7 @@ static int sct_ctx_update(EVP_MD_CTX *ctx, const SCT_CTX *sctx, const SCT *sct)
return 1;
}
-int SCT_verify(const SCT_CTX *sctx, const SCT *sct)
+int SCT_CTX_verify(const SCT_CTX *sctx, const SCT *sct)
{
EVP_MD_CTX *ctx = NULL;
int ret = 0;
@@ -101,16 +101,16 @@ int SCT_verify(const SCT_CTX *sctx, const SCT *sct)
if (!SCT_is_complete(sct) || sctx->pkey == NULL ||
sct->entry_type == CT_LOG_ENTRY_TYPE_NOT_SET ||
(sct->entry_type == CT_LOG_ENTRY_TYPE_PRECERT && sctx->ihash == NULL)) {
- CTerr(CT_F_SCT_VERIFY, CT_R_SCT_NOT_SET);
+ CTerr(CT_F_SCT_CTX_VERIFY, CT_R_SCT_NOT_SET);
return 0;
}
if (sct->version != SCT_VERSION_V1) {
- CTerr(CT_F_SCT_VERIFY, CT_R_SCT_UNSUPPORTED_VERSION);
+ CTerr(CT_F_SCT_CTX_VERIFY, CT_R_SCT_UNSUPPORTED_VERSION);
return 0;
}
if (sct->log_id_len != sctx->pkeyhashlen ||
memcmp(sct->log_id, sctx->pkeyhash, sctx->pkeyhashlen) != 0) {
- CTerr(CT_F_SCT_VERIFY, CT_R_SCT_LOG_ID_MISMATCH);
+ CTerr(CT_F_SCT_CTX_VERIFY, CT_R_SCT_LOG_ID_MISMATCH);
return 0;
}
@@ -128,45 +128,9 @@ int SCT_verify(const SCT_CTX *sctx, const SCT *sct)
ret = EVP_DigestVerifyFinal(ctx, sct->sig, sct->sig_len);
/* If ret < 0 some other error: fall through without setting error */
if (ret == 0)
- CTerr(CT_F_SCT_VERIFY, CT_R_SCT_INVALID_SIGNATURE);
+ CTerr(CT_F_SCT_CTX_VERIFY, CT_R_SCT_INVALID_SIGNATURE);
end:
EVP_MD_CTX_free(ctx);
return ret;
}
-
-int SCT_verify_v1(SCT *sct, X509 *cert, X509 *preissuer,
- X509_PUBKEY *log_pubkey, X509 *issuer_cert)
-{
- int ret = 0;
- SCT_CTX *sctx = NULL;
-
- if (!SCT_is_complete(sct)) {
- CTerr(CT_F_SCT_VERIFY_V1, CT_R_SCT_NOT_SET);
- return 0;
- }
-
- if (sct->version != 0) {
- CTerr(CT_F_SCT_VERIFY_V1, CT_R_SCT_UNSUPPORTED_VERSION);
- return 0;
- }
-
- sctx = SCT_CTX_new();
- if (sctx == NULL)
- goto done;
-
- if (!SCT_CTX_set1_pubkey(sctx, log_pubkey))
- goto done;
-
- if (!SCT_CTX_set1_cert(sctx, cert, preissuer))
- goto done;
-
- if (sct->entry_type == CT_LOG_ENTRY_TYPE_PRECERT &&
- !SCT_CTX_set1_issuer(sctx, issuer_cert))
- goto done;
-
- ret = SCT_verify(sctx, sct);
-done:
- SCT_CTX_free(sctx);
- return ret;
-}
diff --git a/include/openssl/ct.h b/include/openssl/ct.h
index e753fc9..a0314f0 100644
--- a/include/openssl/ct.h
+++ b/include/openssl/ct.h
@@ -271,19 +271,6 @@ void SCT_LIST_print(const STACK_OF(SCT) *sct_list, BIO *out, int indent,
const char *separator, const CTLOG_STORE *logs);
/*
- * Verifies an SCT with the given context.
- * Returns 1 if the SCT verifies successfully, 0 otherwise.
- */
-__owur int SCT_verify(const SCT_CTX *sctx, const SCT *sct);
-
-/*
- * Verifies an SCT against the provided data.
- * Returns 1 if the SCT verifies successfully, 0 otherwise.
- */
-__owur int SCT_verify_v1(SCT *sct, X509 *cert, X509 *preissuer,
- X509_PUBKEY *log_pubkey, X509 *issuer_cert);
-
-/*
* Gets the last result of validating this SCT.
* If it has not been validated yet, returns SCT_VALIDATION_STATUS_NOT_SET.
*/
@@ -518,8 +505,7 @@ int ERR_load_CT_strings(void);
# define CT_F_SCT_SET_LOG_ENTRY_TYPE 102
# define CT_F_SCT_SET_SIGNATURE_NID 103
# define CT_F_SCT_SET_VERSION 104
-# define CT_F_SCT_VERIFY 128
-# define CT_F_SCT_VERIFY_V1 129
+# define CT_F_SCT_CTX_VERIFY 128
/* Reason codes. */
# define CT_R_BASE64_DECODE_ERROR 108
diff --git a/util/libcrypto.num b/util/libcrypto.num
index 7a93915..e9709f6 100644
--- a/util/libcrypto.num
+++ b/util/libcrypto.num
@@ -570,7 +570,6 @@ CRYPTO_cts128_encrypt_block 569 1_1_0 EXIST::FUNCTION:
ASN1_digest 570 1_1_0 EXIST::FUNCTION:
ERR_load_X509V3_strings 571 1_1_0 EXIST::FUNCTION:
EVP_PKEY_meth_get_cleanup 572 1_1_0 EXIST::FUNCTION:
-SCT_verify 573 1_1_0 EXIST::FUNCTION:CT
d2i_X509 574 1_1_0 EXIST::FUNCTION:
a2i_ASN1_STRING 575 1_1_0 EXIST::FUNCTION:
EC_GROUP_get_mont_data 576 1_1_0 EXIST::FUNCTION:EC
@@ -596,7 +595,6 @@ RAND_query_egd_bytes 596 1_1_0 EXIST::FUNCTION:EGD
i2d_ASN1_PRINTABLE 597 1_1_0 EXIST::FUNCTION:
ENGINE_cmd_is_executable 598 1_1_0 EXIST::FUNCTION:ENGINE
BIO_puts 599 1_1_0 EXIST::FUNCTION:
-SCT_verify_v1 600 1_1_0 EXIST::FUNCTION:CT
RSAPublicKey_it 601 1_1_0 EXIST:!EXPORT_VAR_AS_FUNCTION:VARIABLE:RSA
RSAPublicKey_it 601 1_1_0 EXIST:EXPORT_VAR_AS_FUNCTION:FUNCTION:RSA
ISSUING_DIST_POINT_new 602 1_1_0 EXIST::FUNCTION:
More information about the openssl-commits
mailing list