[openssl-commits] [openssl] master update

Matt Caswell matt at openssl.org
Wed Aug 24 13:01:14 UTC 2016


The branch master has been updated
       via  cfd20f64cc4bd440cfc8fe59f2daaa575015af3d (commit)
       via  ea4b7ded521134492a323b6b0c27e671cadca979 (commit)
       via  513a3cb16b256a5289f8441c21eebbc7f5feef9a (commit)
       via  e12981019aa44d162a5ec553a1cfadf3b5754c9a (commit)
       via  a0a9f36ebf70c4705d08eb93e23ae64bd28a0bbd (commit)
       via  76bfd2ccc37e65d33e6c14aac9c1174bc43059eb (commit)
       via  5edcadb12770744f912512054c9458c096aab6b7 (commit)
       via  0e74d7ca440a3a7fbb7ddd6873e2f494d87f8d0e (commit)
       via  a8d5d13a5f19cde07c189f5ca05d673a4e0c7653 (commit)
       via  4cfdabbb09273aa9abeb8e51d8771f41196e5d75 (commit)
       via  882babda464ace7ec0d6dc9e68f6da29be86c1c1 (commit)
       via  4a388d1e05530fd922d8dce2d04d976468523106 (commit)
       via  32fa3da8b1333043632962de9eb0b13a12ce36a1 (commit)
       via  e469945f2c884428b448a32154dc99f8b61d92fc (commit)
       via  4eabbe9d595451f40d85588ab1c8c98c1f67b1f9 (commit)
       via  7a2c739c0066f0ad41f1fd8ee2d0670724032c1b (commit)
       via  6c3e9a71ab5814ed3e603f92450041e9182d89b9 (commit)
       via  cb8145ff4a9e2bc629cbb3b5beb01620d5b7053d (commit)
       via  ae97a654cadef86d063b4917fdf67f81f5e71f19 (commit)
       via  8b12a3e75b5f41d5dee3613ce083b0acd0944124 (commit)
       via  b4a986163cca7cf3abc30f178ce6c61ad79e3002 (commit)
       via  efa00a46c5cac115654a4e00b8e2ec3533ebe739 (commit)
       via  0620ecdcd2f4e5dabb4b0d0380d4f11ef519d96c (commit)
       via  6b13bd1dc236126644ee91b0b52ee00d1e6347ea (commit)
       via  56f3f714ef3f347898706826daae56eb4b2682ed (commit)
      from  c42b8a6e4bced8f6ecf0a0d9a0107e6e989da0c2 (commit)


- Log -----------------------------------------------------------------
commit cfd20f64cc4bd440cfc8fe59f2daaa575015af3d
Author: Rob Percival <robpercival at google.com>
Date:   Wed Aug 24 10:11:15 2016 +0100

    Typo fixes
    
    Reviewed-by: Rich Salz <rsalz at openssl.org>
    Reviewed-by: Matt Caswell <matt at openssl.org>

commit ea4b7ded521134492a323b6b0c27e671cadca979
Author: Rob Percival <robpercival at google.com>
Date:   Tue Aug 23 18:41:18 2016 +0100

    Updates the CT_POLICY_EVAL_CTX POD
    
    Ownership semantics and function names have changed.
    
    Reviewed-by: Rich Salz <rsalz at openssl.org>
    Reviewed-by: Matt Caswell <matt at openssl.org>

commit 513a3cb16b256a5289f8441c21eebbc7f5feef9a
Author: Rob Percival <robpercival at google.com>
Date:   Tue Aug 23 18:30:18 2016 +0100

    Correct documentation about SCT setters resetting validation status
    
    Reviewed-by: Rich Salz <rsalz at openssl.org>
    Reviewed-by: Matt Caswell <matt at openssl.org>

commit e12981019aa44d162a5ec553a1cfadf3b5754c9a
Author: Rob Percival <robpercival at google.com>
Date:   Tue Aug 23 18:11:13 2016 +0100

    Removes the SCT_verify* POD
    
    SCT_verify_v1 has been removed and SCT_verify is no longer part of the
    public API.
    
    Reviewed-by: Rich Salz <rsalz at openssl.org>
    Reviewed-by: Matt Caswell <matt at openssl.org>

commit a0a9f36ebf70c4705d08eb93e23ae64bd28a0bbd
Author: Rob Percival <robpercival at google.com>
Date:   Tue Aug 23 18:05:28 2016 +0100

    Documents the SCT validation functions
    
    Reviewed-by: Rich Salz <rsalz at openssl.org>
    Reviewed-by: Matt Caswell <matt at openssl.org>

commit 76bfd2ccc37e65d33e6c14aac9c1174bc43059eb
Author: Rob Percival <robpercival at google.com>
Date:   Tue Aug 23 17:39:53 2016 +0100

    Removes {o2i,i2o}_SCT_signature from PODs
    
    These functions have been removed from the public API.
    
    Reviewed-by: Rich Salz <rsalz at openssl.org>
    Reviewed-by: Matt Caswell <matt at openssl.org>

commit 5edcadb12770744f912512054c9458c096aab6b7
Author: Rob Percival <robpercival at google.com>
Date:   Tue Aug 23 16:51:57 2016 +0100

    Documents the CTLOG functions
    
    CTLOG_new_null() has been removed from the code, so it has also been
    removed from this POD.
    
    Reviewed-by: Rich Salz <rsalz at openssl.org>
    Reviewed-by: Matt Caswell <matt at openssl.org>

commit 0e74d7ca440a3a7fbb7ddd6873e2f494d87f8d0e
Author: Rob Percival <robpercival at google.com>
Date:   Tue Aug 23 16:17:09 2016 +0100

    Document the i2o and o2i SCT functions
    
    Reviewed-by: Rich Salz <rsalz at openssl.org>
    Reviewed-by: Matt Caswell <matt at openssl.org>

commit a8d5d13a5f19cde07c189f5ca05d673a4e0c7653
Author: Rob Percival <robpercival at google.com>
Date:   Tue Aug 23 16:16:32 2016 +0100

    Removes d2i_SCT_LIST.pod
    
    This is covered by d2i_X509.pod.
    
    Reviewed-by: Rich Salz <rsalz at openssl.org>
    Reviewed-by: Matt Caswell <matt at openssl.org>

commit 4cfdabbb09273aa9abeb8e51d8771f41196e5d75
Author: Rob Percival <robpercival at google.com>
Date:   Fri Aug 5 13:40:05 2016 +0100

    Document that SCT_set_source returns 0 on failure.
    
    Reviewed-by: Rich Salz <rsalz at openssl.org>
    Reviewed-by: Matt Caswell <matt at openssl.org>

commit 882babda464ace7ec0d6dc9e68f6da29be86c1c1
Author: Rob Percival <robpercival at google.com>
Date:   Thu Aug 4 18:41:23 2016 +0100

    Clarifies the format of a log's public key in the CONF file
    
    Reviewed-by: Rich Salz <rsalz at openssl.org>
    Reviewed-by: Matt Caswell <matt at openssl.org>

commit 4a388d1e05530fd922d8dce2d04d976468523106
Author: Rob Percival <robpercival at google.com>
Date:   Thu Aug 4 17:05:18 2016 +0100

    Refer to OPENSSLDIR rather than "the OpenSSL install directory"
    
    The prior wording was less accurate.
    See https://github.com/openssl/openssl/pull/1372#discussion_r73127000.
    
    Reviewed-by: Rich Salz <rsalz at openssl.org>
    Reviewed-by: Matt Caswell <matt at openssl.org>

commit 32fa3da8b1333043632962de9eb0b13a12ce36a1
Author: Rob Percival <robpercival at google.com>
Date:   Thu Aug 4 16:42:42 2016 +0100

    Adds history section to CT PODs
    
    Reviewed-by: Rich Salz <rsalz at openssl.org>
    Reviewed-by: Matt Caswell <matt at openssl.org>

commit e469945f2c884428b448a32154dc99f8b61d92fc
Author: Rob Percival <robpercival at google.com>
Date:   Thu Aug 4 11:37:35 2016 +0100

    Fixes final issue in CT PODs highlighted by util/find-doc-nits.pl
    
    Fixes complaint "ct missing from SYNOPSIS".
    
    Reviewed-by: Rich Salz <rsalz at openssl.org>
    Reviewed-by: Matt Caswell <matt at openssl.org>

commit 4eabbe9d595451f40d85588ab1c8c98c1f67b1f9
Author: Rob Percival <robpercival at google.com>
Date:   Thu Aug 4 11:36:11 2016 +0100

    Renames CT_POLICY_EVAL_CTX.pod to CT_POLICY_EVAL_CTX_new.pod
    
    util/fix-doc-nits.pl complains that
    "CT_POLICY_EVAL_CTX (filename) missing from NAME section".
    
    Reviewed-by: Rich Salz <rsalz at openssl.org>
    Reviewed-by: Matt Caswell <matt at openssl.org>

commit 7a2c739c0066f0ad41f1fd8ee2d0670724032c1b
Author: Rob Percival <robpercival at google.com>
Date:   Thu Aug 4 11:29:36 2016 +0100

    Adds copyright section to ct.pod
    
    Reviewed-by: Rich Salz <rsalz at openssl.org>
    Reviewed-by: Matt Caswell <matt at openssl.org>

commit 6c3e9a71ab5814ed3e603f92450041e9182d89b9
Author: Rob Percival <robpercival at google.com>
Date:   Thu Aug 4 11:29:23 2016 +0100

    Adds newline after =cut in PODs
    
    util/find-doc-nits.pl complains that the file "doesn't end with =cut".
    
    Reviewed-by: Rich Salz <rsalz at openssl.org>
    Reviewed-by: Matt Caswell <matt at openssl.org>

commit cb8145ff4a9e2bc629cbb3b5beb01620d5b7053d
Author: Rob Percival <robpercival at google.com>
Date:   Thu Aug 4 11:28:04 2016 +0100

    Adds missing function names to NAME section of PODs
    
    Reviewed-by: Rich Salz <rsalz at openssl.org>
    Reviewed-by: Matt Caswell <matt at openssl.org>

commit ae97a654cadef86d063b4917fdf67f81f5e71f19
Author: Rob Percival <robpercival at google.com>
Date:   Tue Aug 2 15:39:41 2016 +0100

    Add enum definitions to CT pods
    
    Reviewed-by: Rich Salz <rsalz at openssl.org>
    Reviewed-by: Matt Caswell <matt at openssl.org>

commit 8b12a3e75b5f41d5dee3613ce083b0acd0944124
Author: Rob Percival <robpercival at google.com>
Date:   Tue Aug 2 15:39:23 2016 +0100

    Remove unnecessary bold tags in CT pods
    
    Reviewed-by: Rich Salz <rsalz at openssl.org>
    Reviewed-by: Matt Caswell <matt at openssl.org>

commit b4a986163cca7cf3abc30f178ce6c61ad79e3002
Author: Rob Percival <robpercival at google.com>
Date:   Mon Aug 1 20:08:11 2016 +0100

    Add comment about calling CT_POLICY_EVAL_CTX_free
    
    Reviewed-by: Rich Salz <rsalz at openssl.org>
    Reviewed-by: Matt Caswell <matt at openssl.org>

commit efa00a46c5cac115654a4e00b8e2ec3533ebe739
Author: Rob Percival <robpercival at google.com>
Date:   Mon Aug 1 20:07:15 2016 +0100

    Fix comment about what SCT_LIST_validate does.
    
    Reviewed-by: Rich Salz <rsalz at openssl.org>
    Reviewed-by: Matt Caswell <matt at openssl.org>

commit 0620ecdcd2f4e5dabb4b0d0380d4f11ef519d96c
Author: Rob Percival <robpercival at google.com>
Date:   Mon Aug 1 15:37:10 2016 +0100

    Add SSL_get0_peer_scts to ssl.pod
    
    Reviewed-by: Rich Salz <rsalz at openssl.org>
    Reviewed-by: Matt Caswell <matt at openssl.org>

commit 6b13bd1dc236126644ee91b0b52ee00d1e6347ea
Author: Rob Percival <robpercival at google.com>
Date:   Mon Aug 1 15:36:38 2016 +0100

    Fix comment about return value of ct_extract_tls_extension_scts
    
    Reviewed-by: Rich Salz <rsalz at openssl.org>
    Reviewed-by: Matt Caswell <matt at openssl.org>

commit 56f3f714ef3f347898706826daae56eb4b2682ed
Author: Rob Percival <robpercival at google.com>
Date:   Thu Apr 28 07:37:24 2016 +0100

    First draft of CT documentation
    
    Reviewed-by: Rich Salz <rsalz at openssl.org>
    Reviewed-by: Matt Caswell <matt at openssl.org>

-----------------------------------------------------------------------

Summary of changes:
 doc/crypto/CTLOG_STORE_get0_log_by_id.pod |  49 ++++++++
 doc/crypto/CTLOG_STORE_new.pod            |  79 ++++++++++++
 doc/crypto/CTLOG_new.pod                  |  72 +++++++++++
 doc/crypto/CT_POLICY_EVAL_CTX_new.pod     |  96 +++++++++++++++
 doc/crypto/SCT_new.pod                    | 194 ++++++++++++++++++++++++++++++
 doc/crypto/SCT_print.pod                  |  52 ++++++++
 doc/crypto/SCT_validate.pod               |  96 +++++++++++++++
 doc/crypto/ct.pod                         |  55 +++++++++
 doc/crypto/o2i_SCT_LIST.pod               |  48 ++++++++
 doc/ssl/SSL_CTX_set_ctlog_list_file.pod   |  20 +--
 doc/ssl/ssl.pod                           |   7 ++
 include/openssl/ct.h                      |  11 +-
 ssl/ssl_lib.c                             |   2 +-
 13 files changed, 762 insertions(+), 19 deletions(-)
 create mode 100644 doc/crypto/CTLOG_STORE_get0_log_by_id.pod
 create mode 100644 doc/crypto/CTLOG_STORE_new.pod
 create mode 100644 doc/crypto/CTLOG_new.pod
 create mode 100644 doc/crypto/CT_POLICY_EVAL_CTX_new.pod
 create mode 100644 doc/crypto/SCT_new.pod
 create mode 100644 doc/crypto/SCT_print.pod
 create mode 100644 doc/crypto/SCT_validate.pod
 create mode 100644 doc/crypto/ct.pod
 create mode 100644 doc/crypto/o2i_SCT_LIST.pod

diff --git a/doc/crypto/CTLOG_STORE_get0_log_by_id.pod b/doc/crypto/CTLOG_STORE_get0_log_by_id.pod
new file mode 100644
index 0000000..c517e95
--- /dev/null
+++ b/doc/crypto/CTLOG_STORE_get0_log_by_id.pod
@@ -0,0 +1,49 @@
+=pod
+
+=head1 NAME
+
+CTLOG_STORE_get0_log_by_id -
+Get a Certificate Transparency log from a CTLOG_STORE
+
+=head1 SYNOPSIS
+
+ #include <openssl/ct.h>
+
+ const CTLOG *CTLOG_STORE_get0_log_by_id(const CTLOG_STORE *store,
+                                         const uint8_t *log_id,
+                                         size_t log_id_len);
+
+=head1 DESCRIPTION
+
+A Signed Certificate Timestamp (SCT) identifies the Certificate Transparency
+(CT) log that issued it using the log's LogID (see RFC 6962, Section 3.2).
+Therefore, it is useful to be able to look up more information about a log
+(e.g. its public key) using this LogID.
+
+CTLOG_STORE_get0_log_by_id() provides a way to do this. It will find a CTLOG
+in a CTLOG_STORE that has a given LogID.
+
+=head1 RETURN VALUES
+
+B<CTLOG_STORE_get0_log_by_id> returns a CTLOG with the given LogID, if it
+exists in the given CTLOG_STORE, otherwise it returns NULL.
+
+=head1 SEE ALSO
+
+L<ct(3)>,
+L<CTLOG_STORE_new(3)>
+
+=head1 HISTORY
+
+This function was added in OpenSSL 1.1.0.
+
+=head1 COPYRIGHT
+
+Copyright 2016 The OpenSSL Project Authors. All Rights Reserved.
+
+Licensed under the OpenSSL license (the "License").  You may not use
+this file except in compliance with the License.  You can obtain a copy
+in the file LICENSE in the source distribution or at
+L<https://www.openssl.org/source/license.html>.
+
+=cut
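Review bot: the RETURN VALUES section should state that the returned CTLOG is owned by the CTLOG_STORE, must not be freed by the caller, and is only valid for the lifetime of the store; the `get0` prefix implies this but nothing in the text says so. The same section writes `B<CTLOG_STORE_get0_log_by_id>` without parentheses while DESCRIPTION uses `CTLOG_STORE_get0_log_by_id()`; pick one form (the `()` form, given the "Remove unnecessary bold tags in CT pods" commit in this push). It would also help callers to say what `log_id_len` is compared against (the v1 LogID is 32 bytes, per the CTLOG_new page), so they know whether a shorter or longer id can ever match.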
diff --git a/doc/crypto/CTLOG_STORE_new.pod b/doc/crypto/CTLOG_STORE_new.pod
new file mode 100644
index 0000000..2a38f26
--- /dev/null
+++ b/doc/crypto/CTLOG_STORE_new.pod
@@ -0,0 +1,79 @@
+=pod
+
+=head1 NAME
+
+CTLOG_STORE_new, CTLOG_STORE_free,
+CTLOG_STORE_load_default_file, CTLOG_STORE_load_file -
+Create and populate a Certificate Transparency log list
+
+=head1 SYNOPSIS
+
+ #include <openssl/ct.h>
+
+ CTLOG_STORE *CTLOG_STORE_new(void);
+ void CTLOG_STORE_free(CTLOG_STORE *store);
+
+ int CTLOG_STORE_load_default_file(CTLOG_STORE *store);
+ int CTLOG_STORE_load_file(CTLOG_STORE *store, const char *file);
+
+=head1 DESCRIPTION
+
+A CTLOG_STORE is a container for a list of CTLOGs (Certificate Transparency
+logs). The list can be loaded from one or more files and then searched by LogID
+(see RFC 6962, Section 3.2, for the definition of a LogID).
+
+CTLOG_STORE_new() creates an empty list of CT logs. This is then populated
+by CTLOG_STORE_load_default_file() or CTLOG_STORE_load_file().
+CTLOG_STORE_load_default_file() loads from the default file, which is named
+"ct_log_list.cnf" in OPENSSLDIR (see the output of L<version>). This can be
+overridden using an environment variable named "CTLOG_FILE".
+CTLOG_STORE_load_file() loads from a caller-specified file path instead.
+Both of these functions append any loaded CT logs to the CTLOG_STORE.
+
+The expected format of the file is:
+
+ enabled_logs=foo,bar
+
+ [foo]
+ description = Log 1
+ key = <base64-encoded DER SubjectPublicKeyInfo here>
+
+ [bar]
+ description = Log 2
+ key = <base64-encoded DER SubjectPublicKeyInfo here>
+
+Once a CTLOG_STORE is no longer required, it should be passed to
+CTLOG_STORE_free(). This will delete all of the CTLOGs stored within, along
+with the CTLOG_STORE itself.
+
+=head1 NOTES
+
+If there are any invalid CT logs in a file, they are skipped and the remaining
+valid logs will still be added to the CTLOG_STORE. A CT log will be considered
+invalid if it is missing a "key" or "description" field.
+
+=head1 RETURN VALUES
+
+Both B<CTLOG_STORE_load_default_file> and B<CTLOG_STORE_load_file> return 1 if
+all CT logs in the file are successfully parsed and loaded, 0 otherwise.
+
+=head1 SEE ALSO
+
+L<ct(3)>,
+L<CTLOG_STORE_get0_log_by_id(3)>,
+L<SSL_CTX_set_ctlog_list_file(3)>
+
+=head1 HISTORY
+
+These functions were added in OpenSSL 1.1.0.
+
+=head1 COPYRIGHT
+
+Copyright 2016 The OpenSSL Project Authors. All Rights Reserved.
+
+Licensed under the OpenSSL license (the "License").  You may not use
+this file except in compliance with the License.  You can obtain a copy
+in the file LICENSE in the source distribution or at
+L<https://www.openssl.org/source/license.html>.
+
+=cut
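Review bot: RETURN VALUES and NOTES describe the 0 return of the load functions in ways that need reconciling: NOTES says invalid logs are skipped and the remaining valid ones are still added, while RETURN VALUES says 0 is returned unless all logs load, so a 0 return leaves the caller with a partially populated store and no stated way to tell which logs were dropped. Say explicitly that on 0 the store may contain a subset of the file's logs, so the caller can decide whether to treat that as fatal or to free the store. CTLOG_STORE_new() has no RETURN VALUES entry; document its failure return (NULL on allocation failure, if that is the behaviour). Finally, since this file decides which logs are trusted to have issued SCTs, the `CTLOG_FILE` override should state whether it is honoured in privileged (e.g. setuid) processes, where an environment-controlled trust list is a concern.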
diff --git a/doc/crypto/CTLOG_new.pod b/doc/crypto/CTLOG_new.pod
new file mode 100644
index 0000000..ccda6b9
--- /dev/null
+++ b/doc/crypto/CTLOG_new.pod
@@ -0,0 +1,72 @@
+=pod
+
+=head1 NAME
+
+CTLOG_new, CTLOG_new_from_base64, CTLOG_free,
+CTLOG_get0_name, CTLOG_get0_log_id, CTLOG_get0_public_key -
+encapsulates information about a Certificate Transparency log
+
+=head1 SYNOPSIS
+
+ #include <openssl/ct.h>
+
+ CTLOG *CTLOG_new(EVP_PKEY *public_key, const char *name);
+ int CTLOG_new_from_base64(CTLOG ** ct_log,
+                           const char *pkey_base64, const char *name);
+ void CTLOG_free(CTLOG *log);
+ const char *CTLOG_get0_name(const CTLOG *log);
+ void CTLOG_get0_log_id(const CTLOG *log, const uint8_t **log_id,
+                        size_t *log_id_len);
+ EVP_PKEY *CTLOG_get0_public_key(const CTLOG *log);
+
+=head1 DESCRIPTION
+
+CTLOG_new() returns a new CTLOG that represents the Certificate Transparency
+(CT) log with the given public key. A name must also be provided that can be
+used to help users identify this log. Ownership of the public key is
+transferred.
+
+CTLOG_new_from_base64() also creates a new CTLOG, but takes the public key in
+base64-encoded DER form and sets the ct_log pointer to point to the new CTLOG.
+The base64 will be decoded and the public key parsed.
+
+Regardless of whether CTLOG_new() or CTLOG_new_from_base64() is used, it is the
+caller's responsibility to pass the CTLOG to CTLOG_free() once it is no longer
+needed. This will delete it and, if created by CTLOG_new(), the EVP_PKEY that
+was passed to it.
+
+CTLOG_get0_name() returns the name of the log, as provided when the CTLOG was
+created. Ownership of the string remains with the CTLOG.
+
+CTLOG_get0_log_id() sets *log_id to point to a string containing that log's
+LogID (see RFC 6962). It sets *log_id_len to the length of that LogID. For a
+v1 CT log, the LogID will be a SHA-256 hash (i.e. 32 bytes long). Ownership of
+the string remains with the CTLOG.
+
+CTLOG_get0_public_key() returns the public key of the CT log. Ownership of the
+EVP_PKEY remains with the CTLOG.
+
+=head1 RETURN VALUES
+
+CTLOG_new() will return NULL if an error occurs.
+
+CTLOG_new_from_base64() will return 1 on success, 0 otherwise.
+
+=head1 SEE ALSO
+
+L<ct(3)>
+
+=head1 HISTORY
+
+These functions were added in OpenSSL 1.1.0.
+
+=head1 COPYRIGHT
+
+Copyright 2016 The OpenSSL Project Authors. All Rights Reserved.
+
+Licensed under the OpenSSL license (the "License").  You may not use
+this file except in compliance with the License.  You can obtain a copy
+in the file LICENSE in the source distribution or at
+L<https://www.openssl.org/source/license.html>.
+
+=cut
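Review bot: the ownership rule for CTLOG_new() is missing its failure case. DESCRIPTION says "Ownership of the public key is transferred" and RETURN VALUES says CTLOG_new() returns NULL on error, but nothing says whether the EVP_PKEY is freed on that error path or still belongs to the caller; without this a caller cannot avoid either a leak or a double free. The sentence "This will delete it and, if created by CTLOG_new(), the EVP_PKEY that was passed to it" also reads as though a CTLOG created by CTLOG_new_from_base64() keeps its parsed key alive after CTLOG_free(); reword to say the key is owned and freed by the CTLOG in both cases if that is the behaviour. Minor: `CTLOG ** ct_log` in SYNOPSIS should be `CTLOG **ct_log` like the other prototypes, and CTLOG_get0_log_id() could say that the 32-byte v1 LogID is the SHA-256 of the log's DER-encoded public key (RFC 6962, Section 3.2), which is what lets the caller cross-check it against CTLOG_get0_public_key().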
diff --git a/doc/crypto/CT_POLICY_EVAL_CTX_new.pod b/doc/crypto/CT_POLICY_EVAL_CTX_new.pod
new file mode 100644
index 0000000..6279299
--- /dev/null
+++ b/doc/crypto/CT_POLICY_EVAL_CTX_new.pod
@@ -0,0 +1,96 @@
+=pod
+
+=head1 NAME
+
+CT_POLICY_EVAL_CTX_new, CT_POLICY_EVAL_CTX_free,
+CT_POLICY_EVAL_CTX_get0_cert, CT_POLICY_EVAL_CTX_set1_cert,
+CT_POLICY_EVAL_CTX_get0_issuer, CT_POLICY_EVAL_CTX_set1_issuer,
+CT_POLICY_EVAL_CTX_get0_log_store, CT_POLICY_EVAL_CTX_set_shared_CTLOG_STORE -
+Encapsulates the data required to evaluate whether SCTs meet a Certificate Transparency policy
+
+=head1 SYNOPSIS
+
+ #include <openssl/ct.h>
+
+ CT_POLICY_EVAL_CTX *CT_POLICY_EVAL_CTX_new(void);
+ void CT_POLICY_EVAL_CTX_free(CT_POLICY_EVAL_CTX *ctx);
+ X509* CT_POLICY_EVAL_CTX_get0_cert(const CT_POLICY_EVAL_CTX *ctx);
+ int CT_POLICY_EVAL_CTX_set1_cert(CT_POLICY_EVAL_CTX *ctx, X509 *cert);
+ X509* CT_POLICY_EVAL_CTX_get0_issuer(const CT_POLICY_EVAL_CTX *ctx);
+ int CT_POLICY_EVAL_CTX_set1_issuer(CT_POLICY_EVAL_CTX *ctx, X509 *issuer);
+ const CTLOG_STORE *CT_POLICY_EVAL_CTX_get0_log_store(const CT_POLICY_EVAL_CTX *ctx);
+ void CT_POLICY_EVAL_CTX_set_shared_CTLOG_STORE(CT_POLICY_EVAL_CTX *ctx, CTLOG_STORE *log_store);
+
+=head1 DESCRIPTION
+
+A B<CT_POLICY_EVAL_CTX> is used by functions that evaluate whether Signed
+Certificate Timestamps (SCTs) fulfil a Certificate Transparency (CT) policy.
+This policy may be, for example, that at least one valid SCT is available. To
+determine this, an SCT's signature must be verified. This requires:
+
+=over
+
+=item * the public key of the log that issued the SCT
+
+=item * the certificate that the SCT was issued for
+
+=item * the issuer certificate (if the SCT was issued for a pre-certificate)
+
+=back
+
+The above requirements are met using the setters described below.
+
+CT_POLICY_EVAL_CTX_new() creates an empty policy evaluation context. This
+should then be populated using:
+
+=over
+
+=item * CT_POLICY_EVAL_CTX_set1_cert() to provide the certificate the SCTs were issued for
+
+Increments the reference count of the certificate.
+
+=item * CT_POLICY_EVAL_CTX_set1_issuer() to provide the issuer certificate
+
+Increments the reference count of the certificate.
+
+=item * CT_POLICY_EVAL_CTX_set_shared_CTLOG_STORE() to provide a list of logs that are trusted as sources of SCTs
+
+Holds a pointer to the CTLOG_STORE, so the CTLOG_STORE must outlive the
+CT_POLICY_EVAL_CTX.
+
+=back
+
+Each setter has a matching getter for accessing the current value.
+
+When no longer required, the B<CT_POLICY_EVAL_CTX> should be passed to
+CT_POLICY_EVAL_CTX_free() to delete it.
+
+=head1 NOTES
+
+The issuer certificate only needs to be provided if at least one of the SCTs
+was issued for a pre-certificate. This will be the case for SCTs embedded in a
+certificate (i.e. those in an X.509 extension), but may not be the case for SCTs
+found in the TLS SCT extension or OCSP response.
+
+=head1 RETURN VALUES
+
+CT_POLICY_EVAL_CTX_new() will return NULL if malloc fails.
+
+=head1 SEE ALSO
+
+L<ct(3)>
+
+=head1 HISTORY
+
+These functions were added in OpenSSL 1.1.0.
+
+=head1 COPYRIGHT
+
+Copyright 2016 The OpenSSL Project Authors. All Rights Reserved.
+
+Licensed under the OpenSSL license (the "License").  You may not use
+this file except in compliance with the License.  You can obtain a copy
+in the file LICENSE in the source distribution or at
+L<https://www.openssl.org/source/license.html>.
+
+=cut
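Review bot: RETURN VALUES only covers CT_POLICY_EVAL_CTX_new(), yet CT_POLICY_EVAL_CTX_set1_cert() and CT_POLICY_EVAL_CTX_set1_issuer() are declared as returning int in SYNOPSIS; document when they return 0 (for example if the reference count cannot be incremented) so callers know to check them, since a silently unset certificate later shows up only as SCT_VALIDATION_STATUS_UNVERIFIED. The lifetime rule for CT_POLICY_EVAL_CTX_set_shared_CTLOG_STORE() is stated clearly; add the matching statement for the getters, i.e. that `get0` pointers are owned by the context and must not be freed. Style: `X509* CT_POLICY_EVAL_CTX_get0_cert` and `X509* CT_POLICY_EVAL_CTX_get0_issuer` should be written `X509 *...` like the rest of the file, and the two long prototype lines and the two long `=item` lines exceed 80 columns.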
diff --git a/doc/crypto/SCT_new.pod b/doc/crypto/SCT_new.pod
new file mode 100644
index 0000000..4ee41a6
--- /dev/null
+++ b/doc/crypto/SCT_new.pod
@@ -0,0 +1,194 @@
+=pod
+
+=head1 NAME
+
+SCT_new, SCT_new_from_base64, SCT_free, SCT_LIST_free,
+SCT_get_version, SCT_set_version,
+SCT_get_log_entry_type, SCT_set_log_entry_type,
+SCT_get0_log_id, SCT_set0_log_id, SCT_set1_log_id,
+SCT_get_timestamp, SCT_set_timestamp,
+SCT_get_signature_nid, SCT_set_signature_nid,
+SCT_get0_signature, SCT_set0_signature, SCT_set1_signature,
+SCT_get0_extensions, SCT_set0_extensions, SCT_set1_extensions,
+SCT_get_source, SCT_set_source
+ - A Certificate Transparency Signed Certificate Timestamp
+
+=head1 SYNOPSIS
+
+ #include <openssl/ct.h>
+
+ typedef enum {
+  CT_LOG_ENTRY_TYPE_NOT_SET = -1,
+  CT_LOG_ENTRY_TYPE_X509 = 0,
+  CT_LOG_ENTRY_TYPE_PRECERT = 1
+ } ct_log_entry_type_t;
+
+ typedef enum {
+  SCT_VERSION_NOT_SET = -1,
+  SCT_VERSION_V1 = 0
+ } sct_version_t;
+
+ typedef enum {
+  SCT_SOURCE_UNKNOWN,
+  SCT_SOURCE_TLS_EXTENSION,
+  SCT_SOURCE_X509V3_EXTENSION,
+  SCT_SOURCE_OCSP_STAPLED_RESPONSE
+ } sct_source_t;
+
+ SCT *SCT_new(void);
+ SCT *SCT_new_from_base64(unsigned char version,
+                          const char *logid_base64,
+                          ct_log_entry_type_t entry_type,
+                          uint64_t timestamp,
+                          const char *extensions_base64,
+                          const char *signature_base64);
+
+ void SCT_free(SCT *sct);
+ void SCT_LIST_free(STACK_OF(SCT) *a);
+
+ sct_version_t SCT_get_version(const SCT *sct);
+ int SCT_set_version(SCT *sct, sct_version_t version);
+
+ ct_log_entry_type_t SCT_get_log_entry_type(const SCT *sct);
+ int SCT_set_log_entry_type(SCT *sct, ct_log_entry_type_t entry_type);
+
+ size_t SCT_get0_log_id(const SCT *sct, unsigned char **log_id);
+ int SCT_set0_log_id(SCT *sct, unsigned char *log_id, size_t log_id_len);
+ int SCT_set1_log_id(SCT *sct, const unsigned char *log_id, size_t log_id_len);
+
+ uint64_t SCT_get_timestamp(const SCT *sct);
+ void SCT_set_timestamp(SCT *sct, uint64_t timestamp);
+
+ int SCT_get_signature_nid(const SCT *sct);
+ int SCT_set_signature_nid(SCT *sct, int nid);
+
+ size_t SCT_get0_signature(const SCT *sct, unsigned char **sig);
+ void SCT_set0_signature(SCT *sct, unsigned char *sig, size_t sig_len);
+ int SCT_set1_signature(SCT *sct, const unsigned char *sig, size_t sig_len);
+
+ size_t SCT_get0_extensions(const SCT *sct, unsigned char **ext);
+ void SCT_set0_extensions(SCT *sct, unsigned char *ext, size_t ext_len);
+ int SCT_set1_extensions(SCT *sct, const unsigned char *ext, size_t ext_len);
+
+ sct_source_t SCT_get_source(const SCT *sct);
+ int SCT_set_source(SCT *sct, sct_source_t source);
+
+=head1 DESCRIPTION
+
+Signed Certificate Timestamps (SCTs) are defined by RFC 6962, Section 3.2.
+They constitute a promise by a Certificate Transparency (CT) log to publicly
+record a certificate. By cryptographically verifying that a log did indeed issue
+an SCT, some confidence can be gained that the certificate is publicly known.
+
+An internal representation of an SCT can be created in one of two ways.
+The first option is to create a blank SCT, using SCT_new(), and then populate
+it using:
+
+=over
+
+=item * SCT_set_version() to set the SCT version.
+
+Only SCT_VERSION_V1 is currently supported.
+
+=item * SCT_set_log_entry_type() to set the type of certificate the SCT was issued for:
+
+B<CT_LOG_ENTRY_TYPE_X509> for a normal certificate.
+B<CT_LOG_ENTRY_TYPE_PRECERT> for a pre-certificate.
+
+=item * SCT_set0_log_id() or SCT_set1_log_id() to set the LogID of the CT log that the SCT came from.
+
+The former takes ownership, whereas the latter makes a copy.
+See RFC 6962, Section 3.2 for the definition of LogID.
+
+=item * SCT_set_timestamp() to set the time the SCT was issued (epoch time in milliseconds).
+
+=item * SCT_set_signature_nid() to set the NID of the signature.
+
+=item * SCT_set0_signature() or SCT_set1_signature() to set the raw signature value.
+
+The former takes ownership, whereas the latter makes a copy.
+
+=item * SCT_set0_extensions() or B<SCT_set1_extensions> to provide SCT extensions.
+
+The former takes ownership, whereas the latter makes a copy.
+
+=back
+
+Alternatively, the SCT can be pre-populated from the following data using
+SCT_new_from_base64():
+
+=over
+
+=item * The SCT version (only SCT_VERSION_V1 is currently supported).
+
+=item * The LogID (see RFC 6962, Section 3.2), base64 encoded.
+
+=item * The type of certificate the SCT was issued for:
+
+B<CT_LOG_ENTRY_TYPE_X509> for a normal certificate.
+B<CT_LOG_ENTRY_TYPE_PRECERT> for a pre-certificate.
+
+=item * The time that the SCT was issued (epoch time in milliseconds).
+
+=item * The SCT extensions, base64 encoded.
+
+=item * The SCT signature, base64 encoded.
+
+=back
+
+SCT_set_source() can be used to record where the SCT was found
+(TLS extension, X.509 certificate extension or OCSP response). This is not
+required for verifying the SCT.
+
+=head1 NOTES
+
+Some of the setters return int, instead of void. These will all return 1 on
+success, 0 on failure. They will not make changes on failure.
+
+All of the setters will reset the validation status of the SCT to
+SCT_VALIDATION_STATUS_NOT_SET (see L<SCT_validate(3)>).
+
+SCT_set_source() will call SCT_set_log_entry_type() if the type of
+certificate the SCT was issued for can be inferred from where the SCT was found.
+For example, an SCT found in an X.509 extension must have been issued for a pre-
+certificate.
+
+SCT_set_source() will not refuse unknown values.
+
+=head1 RETURN VALUES
+
+SCT_set_version() returns 1 if the specified version is supported, 0 otherwise.
+
+SCT_set_log_entry_type() returns 1 if the specified log entry type is supported, 0 otherwise.
+
+SCT_set0_log_id() and B<SCT_set1_log_id> return 1 if the specified LogID is a
+valid SHA-256 hash, 0 otherwise. Aditionally, B<SCT_set1_log_id> returns 0 if
+malloc fails.
+
+B<SCT_set_signature_nid> returns 1 if the specified NID is supported, 0 otherwise.
+
+B<SCT_set1_extensions> and B<SCT_set1_signature> return 1 if the supplied buffer
+is copied successfully, 0 otherwise (i.e. if malloc fails).
+
+B<SCT_set_source> returns 1 on success, 0 otherwise.
+
+=head1 SEE ALSO
+
+L<ct(3)>,
+L<SCT_verify(3)>,
+L<OBJ_nid2obj(3)>
+
+=head1 HISTORY
+
+These functions were added in OpenSSL 1.1.0.
+
+=head1 COPYRIGHT
+
+Copyright 2016 The OpenSSL Project Authors. All Rights Reserved.
+
+Licensed under the OpenSSL license (the "License").  You may not use
+this file except in compliance with the License.  You can obtain a copy
+in the file LICENSE in the source distribution or at
+L<https://www.openssl.org/source/license.html>.
+
+=cut
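Review bot: SEE ALSO links to L<SCT_verify(3)>, but commit e1298101 in this same push removes the SCT_verify POD because SCT_verify is no longer public API, so the link will dangle; replace it with L<SCT_validate(3)>, which NOTES already references. Two statements in NOTES also conflict with RETURN VALUES and should be reconciled: "SCT_set_source() will not refuse unknown values" sits beside "B<SCT_set_source> returns 1 on success, 0 otherwise", so say what the 0 case is (presumably the inferred SCT_set_log_entry_type() call failing), and "They will not make changes on failure" next to "All of the setters will reset the validation status" leaves it unclear whether a failed setter still resets the status. On the API itself, `size_t SCT_get0_log_id(const SCT *sct, unsigned char **log_id)`, SCT_get0_signature() and SCT_get0_extensions() hand out non-const pointers into a const SCT, which lets a caller modify the internal buffers through a read accessor; `const unsigned char **` would match the const-correctness of the rest of the header. Typo: "Aditionally" in RETURN VALUES. The mixed `B<SCT_set1_extensions>` / `SCT_set1_log_id()` styles in the `=item` list and in RETURN VALUES should be made consistent.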
diff --git a/doc/crypto/SCT_print.pod b/doc/crypto/SCT_print.pod
new file mode 100644
index 0000000..88ad43e
--- /dev/null
+++ b/doc/crypto/SCT_print.pod
@@ -0,0 +1,52 @@
+=pod
+
+=head1 NAME
+
+SCT_print, SCT_LIST_print, SCT_validation_status_string -
+Prints Signed Certificate Timestamps in a human-readable way
+
+=head1 SYNOPSIS
+
+ #include <openssl/ct.h>
+
+ void SCT_print(const SCT *sct, BIO *out, int indent, const CTLOG_STORE *logs);
+ void SCT_LIST_print(const STACK_OF(SCT) *sct_list, BIO *out, int indent,
+                     const char *separator, const CTLOG_STORE *logs);
+ const char *SCT_validation_status_string(const SCT *sct);
+
+=head1 DESCRIPTION
+
+SCT_print() prints a single Signed Certificate Timestamp (SCT) to a L<bio> in
+a human-readable format. SCT_LIST_print() prints an entire list of SCTs in a
+similar way. A separator can be specified to delimit each SCT in the output.
+
+The output can be indented by a specified number of spaces. If a B<CTLOG_STORE>
+is provided, it will be used to print the description of the CT log that issued
+each SCT (if that log is in the CTLOG_STORE). Alternatively, NULL can be passed
+as the CTLOG_STORE parameter to disable this feature.
+
+SCT_validation_status_string() will return the validation status of an SCT as
+a human-readable string. Call SCT_validate() or SCT_LIST_validate()
+beforehand in order to set the validation status of an SCT first.
+
+=head1 SEE ALSO
+
+L<ct(3)>,
+L<bio(3)>,
+L<CTLOG_STORE_new(3)>,
+L<SCT_validate(3)>
+
+=head1 HISTORY
+
+These functions were added in OpenSSL 1.1.0.
+
+=head1 COPYRIGHT
+
+Copyright 2016 The OpenSSL Project Authors. All Rights Reserved.
+
+Licensed under the OpenSSL license (the "License").  You may not use
+this file except in compliance with the License.  You can obtain a copy
+in the file LICENSE in the source distribution or at
+L<https://www.openssl.org/source/license.html>.
+
+=cut
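Review bot: the DESCRIPTION link `L<bio>` has no manual section and will not resolve the way the SEE ALSO entry `L<bio(3)>` does; util/find-doc-nits.pl is likely to flag it, so use `L<bio(3)>`. It would also help to state what SCT_validation_status_string() returns while the status is still SCT_VALIDATION_STATUS_NOT_SET (the text only says to call SCT_validate() first), and that the returned `const char *` is a static string that the caller must not free, since no ownership is given for it here.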
diff --git a/doc/crypto/SCT_validate.pod b/doc/crypto/SCT_validate.pod
new file mode 100644
index 0000000..713bcd2
--- /dev/null
+++ b/doc/crypto/SCT_validate.pod
@@ -0,0 +1,96 @@
+=pod
+
+=head1 NAME
+
+SCT_validate, SCT_LIST_validate, SCT_get_validation_status -
+checks Signed Certificate Timestamps (SCTs) are valid
+
+=head1 SYNOPSIS
+
+ #include <openssl/ct.h>
+
+ typedef enum {
+  SCT_VALIDATION_STATUS_NOT_SET,
+  SCT_VALIDATION_STATUS_UNKNOWN_LOG,
+  SCT_VALIDATION_STATUS_VALID,
+  SCT_VALIDATION_STATUS_INVALID,
+  SCT_VALIDATION_STATUS_UNVERIFIED,
+  SCT_VALIDATION_STATUS_UNKNOWN_VERSION
+ } sct_validation_status_t;
+
+ int SCT_validate(SCT *sct, const CT_POLICY_EVAL_CTX *ctx);
+ int SCT_LIST_validate(const STACK_OF(SCT) *scts, CT_POLICY_EVAL_CTX *ctx);
+ sct_validation_status_t SCT_get_validation_status(const SCT *sct);
+
+=head1 DESCRIPTION
+
+SCT_validate() will check that an SCT is valid and verify its signature.
+SCT_LIST_validate() performs the same checks on an entire stack of SCTs.
+The result of the validation checks can be obtained by passing the SCT to
+SCT_get_validation_status().
+
+A CT_POLICY_EVAL_CTX must be provided that specifies:
+
+=over
+
+=item * The certificate the SCT was issued for.
+
+Failure to provide the certificate will result in the validation status being
+SCT_VALIDATION_STATUS_UNVERIFIED.
+
+=item * The issuer of that certificate.
+
+This is only required if the SCT was issued for a pre-certificate
+(see RFC 6962). If it is required but not provided, the validation status will
+be SCT_VALIDATION_STATUS_UNVERIFIED.
+
+=item * A CTLOG_STORE that contains the CT log that issued this SCT.
+
+If the SCT was issued by a log that is not in this CTLOG_STORE, the validation
+status will be SCT_VALIDATION_STATUS_UNKNOWN_LOG.
+
+=back
+
+If the SCT is of an unsupported version (only v1 is currently supported), the
+validation status will be SCT_VALIDATION_STATUS_UNKNOWN_VERSION.
+
+If the SCT's signature is incorrect, the validation status will be
+SCT_VALIDATION_STATUS_INVALID. Otherwise, if all checks have passed, the
+validation status will be SCT_VALIDATION_STATUS_VALID.
+
+=head1 NOTES
+
+A return value of 0 from SCT_LIST_validate() should not be interpreted as a
+failure. At a minimum, only one valid SCT may provide sufficient confidence
+that a certificate has been publicly logged.
+
+=head1 RETURN VALUES
+
+SCT_validate() returns a negative integer if an internal error occurs, 0 if the
+SCT fails validation, or 1 if the SCT passes validation.
+
+SCT_LIST_validate() returns a negative integer if an internal error occurs, 0
+if any of SCTs fails validation, or 1 if they all pass validation.
+
+SCT_get_validation_status() returns the validation status of the SCT.
+If SCT_validate() or SCT_LIST_validate() have not been passed that SCT, the
+returned value will be SCT_VALIDATION_STATUS_NOT_SET.
+
+=head1 SEE ALSO
+
+L<ct(3)>
+
+=head1 HISTORY
+
+These functions were added in OpenSSL 1.1.0.
+
+=head1 COPYRIGHT
+
+Copyright 2016 The OpenSSL Project Authors. All Rights Reserved.
+
+Licensed under the OpenSSL license (the "License").  You may not use
+this file except in compliance with the License.  You can obtain a copy
+in the file LICENSE in the source distribution or at
+L<https://www.openssl.org/source/license.html>.
+
+=cut
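Review bot: the SYNOPSIS is inconsistent about constness: SCT_validate() takes `const CT_POLICY_EVAL_CTX *ctx` while SCT_LIST_validate() takes `CT_POLICY_EVAL_CTX *ctx`, even though the DESCRIPTION says both perform the same checks; make both const (or document why the list variant mutates the context). The NOTES paragraph is also hard to read: "At a minimum, only one valid SCT may provide sufficient confidence" should say plainly that a 0 return means at least one SCT failed, and that a single valid SCT may still be sufficient depending on the caller's policy, so the caller should inspect SCT_get_validation_status() per SCT rather than treating 0 as fatal. Minor: "0 if any of SCTs fails validation" should read "0 if any of the SCTs fails validation".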
diff --git a/doc/crypto/ct.pod b/doc/crypto/ct.pod
new file mode 100644
index 0000000..bdcda98
--- /dev/null
+++ b/doc/crypto/ct.pod
@@ -0,0 +1,55 @@
+=pod
+
+=for comment openssl_manual_section:7
+
+=head1 NAME
+
+ct - Certificate Transparency
+
+=head1 SYNOPSIS
+
+ #include <openssl/ct.h>
+
+=head1 DESCRIPTION
+
+This library implements Certificate Transparency (CT) verification for TLS
+clients, as defined in RFC 6962. This verification can provide some confidence
+that a certificate has been publicly logged in a set of CT logs.
+
+By default, these checks are disabled. They can be enabled using
+SSL_CTX_ct_enable() or SSL_ct_enable().
+
+This library can also be used to parse and examine CT data structures, such as
+Signed Certificate Timestamps (SCTs), or to read a list of CT logs. There are
+functions for:
+- decoding and encoding SCTs in DER and TLS wire format.
+- printing SCTs.
+- verifying the authenticity of SCTs.
+- loading a CT log list from a CONF file.
+
+=head1 SEE ALSO
+
+L<d2i_SCT_LIST(3)>,
+L<CTLOG_STORE_new(3)>,
+L<CTLOG_STORE_get0_log_by_id(3)>,
+L<SCT_new(3)>,
+L<SCT_print(3)>,
+L<SCT_verify(3)>,
+L<SCT_validate(3)>,
+L<CT_POLICY_EVAL_CTX(3)>,
+L<SSL_CTX_set_ct_validation_callback(3)>
+
+=head1 HISTORY
+
+This library was added in OpenSSL 1.1.0.
+
+=head1 COPYRIGHT
+
+Copyright 2016 The OpenSSL Project Authors. All Rights Reserved.
+
+Licensed under the OpenSSL license (the "License").  You may not use
+this file except in compliance with the License.  You can obtain a copy
+in the file LICENSE in the source distribution or at
+L<https://www.openssl.org/source/license.html>.
+
+=cut
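Review bot: the function names in the DESCRIPTION, "SSL_CTX_ct_enable() or SSL_ct_enable()", do not match the name added to ssl.pod's SEE ALSO in this same commit, "L<SSL_enable_ct(3)>"; use the real names here and link them with L<...>. Also the hyphen list under "There are functions for:" is plain text in POD and will render as one run-on paragraph; wrap it in =over / =item * / =back as SCT_validate.pod does.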
diff --git a/doc/crypto/o2i_SCT_LIST.pod b/doc/crypto/o2i_SCT_LIST.pod
new file mode 100644
index 0000000..82922fc
--- /dev/null
+++ b/doc/crypto/o2i_SCT_LIST.pod
@@ -0,0 +1,48 @@
+=pod
+
+=head1 NAME
+
+o2i_SCT_LIST, i2o_SCT_LIST, o2i_SCT, i2o_SCT -
+decode and encode Signed Certificate Timestamp lists in TLS wire format
+
+=head1 SYNOPSIS
+
+ #include <openssl/ct.h>
+
+ STACK_OF(SCT) *o2i_SCT_LIST(STACK_OF(SCT) **a, const unsigned char **pp, size_t len);
+ int i2o_SCT_LIST(const STACK_OF(SCT) *a, unsigned char **pp);
+ SCT *o2i_SCT(SCT **psct, const unsigned char **in, size_t len);
+ int i2o_SCT(const SCT *sct, unsigned char **out);
+
+=head1 DESCRIPTION
+
+The SCT_LIST and SCT functions are very similar to the i2d and d2i family of
+functions, except that they convert to and from TLS wire format, as described in
+RFC 6962. See L<d2i_SCT_LIST> for more information about how the parameters are
+treated and the return values.
+
+=head1 RETURN VALUES
+
+All of the functions have return values consistent with those stated for
+L<d2i_SCT_LIST> and L<i2d_SCT_LIST>.
+
+=head1 SEE ALSO
+
+L<ct(3)>,
+L<d2i_SCT_LIST(3)>,
+L<i2d_SCT_LIST(3)>
+
+=head1 HISTORY
+
+These functions were added in OpenSSL 1.1.0.
+
+=head1 COPYRIGHT
+
+Copyright 2016 The OpenSSL Project Authors. All Rights Reserved.
+
+Licensed under the OpenSSL license (the "License").  You may not use
+this file except in compliance with the License.  You can obtain a copy
+in the file LICENSE in the source distribution or at
+L<https://www.openssl.org/source/license.html>.
+
+=cut
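Review bot: the inline links "L<d2i_SCT_LIST>" and "L<i2d_SCT_LIST>" in DESCRIPTION and RETURN VALUES omit the manual section, while SEE ALSO writes "L<d2i_SCT_LIST(3)>"; use the sectioned form throughout so pod2man resolves them consistently. The o2i_SCT_LIST prototype line also exceeds 80 columns; wrap it like the other SYNOPSIS entries.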
diff --git a/doc/ssl/SSL_CTX_set_ctlog_list_file.pod b/doc/ssl/SSL_CTX_set_ctlog_list_file.pod
index 737dea9..4a2fa94 100644
--- a/doc/ssl/SSL_CTX_set_ctlog_list_file.pod
+++ b/doc/ssl/SSL_CTX_set_ctlog_list_file.pod
@@ -18,24 +18,13 @@ SSL_CTX_set_default_ctlog_list_file() loads a list of Certificate Transparency
 (CT) logs from the default file location, "ct_log_list.cnf", found in the
 directory where OpenSSL is installed.
 
-SSL_CTX_set_ctlog_list_file() loads a list of CT logs from a given path.
-
-The expected format of the log list file is:
-
- enabled_logs=foo,bar
-
- [foo]
- description = Log 1
- key = <base64-encoded public key here>
-
- [bar]
- description = Log 2
- key = <base64-encoded public key here>
+SSL_CTX_set_ctlog_list_file() loads a list of CT logs from a specific path.
+See L<CTLOG_STORE_new(3)> for the file format.
 
 =head1 NOTES
 
 These functions will not clear the existing CT log list - it will be appended
-to.
+to. To replace the existing list, use L<SSL_CTX_set0_ctlog_store> first. 
 
 If an error occurs whilst parsing a particular log entry in the file, that log
 entry will be skipped.
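Review bot: the new sentence "To replace the existing list, use L<SSL_CTX_set0_ctlog_store> first." has trailing whitespace and the link lacks the "(3)" section used by every other link in this file; change it to "L<SSL_CTX_set0_ctlog_store(3)>" and strip the trailing space.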
@@ -49,7 +38,8 @@ the case of an error, the log list may have been partially loaded.
 =head1 SEE ALSO
 
 L<ssl(3)>,
-L<ssl_ct_validation_cb(3)>
+L<SSL_CTX_set_ct_validation_callback(3)>,
+L<CTLOG_STORE_new(3)>
 
 =head1 COPYRIGHT
 
diff --git a/doc/ssl/ssl.pod b/doc/ssl/ssl.pod
index 6d78437..582a276 100644
--- a/doc/ssl/ssl.pod
+++ b/doc/ssl/ssl.pod
@@ -330,6 +330,8 @@ protocol context defined in the B<SSL_CTX> structure.
 
 =item void B<SSL_CTX_set_client_cert_cb>(SSL_CTX *ctx, int (*cb)(SSL *ssl, X509 **x509, EVP_PKEY **pkey));
 
+=item int B<SSL_CTX_set_ct_validation_callback>(SSL_CTX *ctx, ssl_ct_validation_cb callback, void *arg);
+
 =item void B<SSL_CTX_set_default_passwd_cb>(SSL_CTX *ctx, int (*cb);(void))
 
 =item void B<SSL_CTX_set_default_read_ahead>(SSL_CTX *ctx, int m);
@@ -554,6 +556,8 @@ fresh handle for each connection.
 
 =item X509 *B<SSL_get_peer_certificate>(const SSL *ssl);
 
+=item const STACK_OF(SCT) *B<SSL_get0_peer_scts>(SSL *s);
+
 =item EVP_PKEY *B<SSL_get_privatekey>(const SSL *ssl);
 
 =item int B<SSL_get_quiet_shutdown>(const SSL *ssl);
@@ -630,6 +634,8 @@ fresh handle for each connection.
 
 =item void B<SSL_set_connect_state>(SSL *ssl);
 
+=item int B<SSL_set_ct_validation_callback>(SSL *ssl, ssl_ct_validation_cb callback, void *arg);
+
 =item int B<SSL_set_ex_data>(SSL *ssl, int idx, char *arg);
 
 =item int B<SSL_set_fd>(SSL *ssl, int fd);
@@ -770,6 +776,7 @@ L<SSL_CTX_set_verify(3)>,
 L<SSL_CTX_use_certificate(3)>,
 L<SSL_alert_type_string(3)>,
 L<SSL_do_handshake(3)>,
+L<SSL_enable_ct(3)>,
 L<SSL_get_SSL_CTX(3)>,
 L<SSL_get_ciphers(3)>,
 L<SSL_get_client_CA_list(3)>,
diff --git a/include/openssl/ct.h b/include/openssl/ct.h
index 70a0586..6c63265 100644
--- a/include/openssl/ct.h
+++ b/include/openssl/ct.h
@@ -61,7 +61,11 @@ DEFINE_STACK_OF(CTLOG)
  * CT policy evaluation context functions *
  ******************************************/
 
-/* Creates a new, empty policy evaluation context */
+/*
+ * Creates a new, empty policy evaluation context.
+ * The caller is responsible for calling CT_POLICY_EVAL_CTX_free when finished
+ * with the CT_POLICY_EVAL_CTX.
+ */
 CT_POLICY_EVAL_CTX *CT_POLICY_EVAL_CTX_new(void);
 
 /* Deletes a policy evaluation context and anything it owns. */
@@ -72,7 +76,7 @@ X509* CT_POLICY_EVAL_CTX_get0_cert(const CT_POLICY_EVAL_CTX *ctx);
 
 /*
  * Sets the certificate associated with the received SCTs.
- * Incremenets the reference count of cert.
+ * Increments the reference count of cert.
  * Returns 1 on success, 0 otherwise.
  */
 int CT_POLICY_EVAL_CTX_set1_cert(CT_POLICY_EVAL_CTX *ctx, X509 *cert);
@@ -287,7 +291,7 @@ __owur int SCT_validate(SCT *sct, const CT_POLICY_EVAL_CTX *ctx);
 
 /*
  * Validates the given list of SCTs with the provided context.
- * Populates the "good_scts" and "bad_scts" of the evaluation context.
+ * Sets the "validation_status" field of each SCT.
  * Returns 1 if there are no invalid SCTs and all signatures verify.
  * Returns 0 if at least one SCT is invalid or could not be verified.
  * Returns a negative integer if an error occurs.
@@ -384,6 +388,7 @@ SCT *o2i_SCT(SCT **psct, const unsigned char **in, size_t len);
 
 /*
  * Creates a new CT log instance with the given |public_key| and |name|.
+ * Takes ownership of |public_key| but copies |name|.
  * Returns NULL if malloc fails or if |public_key| cannot be converted to DER.
  * Should be deleted by the caller using CTLOG_free when no longer needed.
  */
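Review bot: "Takes ownership of |public_key| but copies |name|" should also state what happens to |public_key| on the NULL return path (malloc failure or DER conversion failure); as written a caller cannot tell whether to free the key on failure, which is exactly the case where a double free or leak is introduced.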
diff --git a/ssl/ssl_lib.c b/ssl/ssl_lib.c
index 3347191..bd0fbf8 100644
--- a/ssl/ssl_lib.c
+++ b/ssl/ssl_lib.c
@@ -3931,7 +3931,7 @@ static int ct_move_scts(STACK_OF(SCT) **dst, STACK_OF(SCT) *src,
 
 /*
  * Look for data collected during ServerHello and parse if found.
- * Return 1 on success, 0 on failure.
+ * Returns the number of SCTs extracted.
  */
 static int ct_extract_tls_extension_scts(SSL *s)
 {
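Review bot: the new comment "Returns the number of SCTs extracted." drops the failure case that the old comment ("0 on failure") covered; state what the function returns when the extension is present but fails to parse, and whether a negative value is used, since callers that previously checked for non-zero now need to distinguish "no SCTs" from "parse error".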