[openssl-commits] [openssl] master update
Rich Salz
rsalz at openssl.org
Wed Mar 9 16:36:32 UTC 2016
The branch master has been updated
via 1bee9d6b6c3bf9519bf46fd1a67d5f07eb2c9cb3 (commit)
via 9ddff1e83c4240b52c0e920f0372d3fb972362c2 (commit)
via dc919c6935e263eb8dcb22488435063ed09f2f95 (commit)
via eac84e8127154fc4c19d1602e3f1df985ed77eff (commit)
via 14db9bbd710ac8aaaee89280e9b5ffb5afedb712 (commit)
via 21b908a8f95a4b2e095c64876c6991020e6c099e (commit)
via 12d2d2818566561cbdda82a6ad1b3aab687fc020 (commit)
via 98af73106444d23982e759e0d3684700a97092d8 (commit)
via e5a7ac446b799cb2f24189c1367c8f3c32c2dd24 (commit)
via 5c081a8f748b9de3320fa9c242e43bd6282c89af (commit)
via 6d7fd9c14287c30271924d85f3dda22f8c1a6225 (commit)
via 9c812014c84c10419f39183e9aa7dd57b29edbcc (commit)
via 70279a81a79f546fb5d86fd710d87f4cf55e8bf8 (commit)
via 70073f3e3aeb3b7dd15f20b557a8340a197d976e (commit)
via 8c92c4eac091e1a588a980514e7f5fd2a517fefc (commit)
via 5da65ef23ce30285e87652469298ce6513560032 (commit)
via 8fbb93d0e24da283a21bb48c4361e20a17bba955 (commit)
from aeb5b95576025d651c4941e7a5c157351094de84 (commit)
- Log -----------------------------------------------------------------
commit 1bee9d6b6c3bf9519bf46fd1a67d5f07eb2c9cb3
Author: Richard Levitte <levitte at openssl.org>
Date: Wed Mar 9 14:10:05 2016 +0100
Fix ct_test to not assume it's in the source directory
ct_test assumed it's run in the source directory and failed when built
elsewhere. It still defaults to that, but can be told another story
with the environment variables CT_DIR and CERTS_DIR.
Test recipe updated to match.
Reviewed-by: Matt Caswell <matt at openssl.org>
Reviewed-by: Emilia Käsper <emilia at openssl.org>
Reviewed-by: Rich Salz <rsalz at openssl.org>
commit 9ddff1e83c4240b52c0e920f0372d3fb972362c2
Author: Rob Percival <robpercival at google.com>
Date: Wed Mar 9 15:23:58 2016 +0000
Document importance of CTLOG_STORE outliving SCT if SCT_set0_log is used
Reviewed-by: Emilia Käsper <emilia at openssl.org>
Reviewed-by: Rich Salz <rsalz at openssl.org>
commit dc919c6935e263eb8dcb22488435063ed09f2f95
Author: Rob Percival <robpercival at google.com>
Date: Wed Mar 9 02:46:15 2016 +0000
Make SCT literals into const variables in ct_test.c
Reviewed-by: Emilia Käsper <emilia at openssl.org>
Reviewed-by: Rich Salz <rsalz at openssl.org>
commit eac84e8127154fc4c19d1602e3f1df985ed77eff
Author: Rob Percival <robpercival at google.com>
Date: Tue Mar 8 19:20:22 2016 +0000
Makes STACK_OF(SCT)* parameter of i2d_SCT_LIST const
Reviewed-by: Emilia Käsper <emilia at openssl.org>
Reviewed-by: Rich Salz <rsalz at openssl.org>
commit 14db9bbd710ac8aaaee89280e9b5ffb5afedb712
Author: Rob Percival <robpercival at google.com>
Date: Tue Mar 8 19:09:06 2016 +0000
Removes SCT_LIST_set_source and SCT_LIST_set0_logs
Both of these functions can easily be implemented by callers instead.
Reviewed-by: Emilia Käsper <emilia at openssl.org>
Reviewed-by: Rich Salz <rsalz at openssl.org>
commit 21b908a8f95a4b2e095c64876c6991020e6c099e
Author: Rob Percival <robpercival at google.com>
Date: Tue Mar 8 18:58:03 2016 +0000
Makes SCT_get0_log return const CTLOG*
Reviewed-by: Emilia Käsper <emilia at openssl.org>
Reviewed-by: Rich Salz <rsalz at openssl.org>
commit 12d2d2818566561cbdda82a6ad1b3aab687fc020
Author: Rob Percival <robpercival at google.com>
Date: Tue Mar 8 18:55:55 2016 +0000
Makes CTLOG_STORE_get0_log_by_id return const CTLOG*
Reviewed-by: Emilia Käsper <emilia at openssl.org>
Reviewed-by: Rich Salz <rsalz at openssl.org>
commit 98af73106444d23982e759e0d3684700a97092d8
Author: Rob Percival <robpercival at google.com>
Date: Tue Mar 8 18:37:16 2016 +0000
Improved documentation of SCT_CTX_* functions
Reviewed-by: Emilia Käsper <emilia at openssl.org>
Reviewed-by: Rich Salz <rsalz at openssl.org>
commit e5a7ac446b799cb2f24189c1367c8f3c32c2dd24
Author: Rob Percival <robpercival at google.com>
Date: Tue Mar 8 18:07:10 2016 +0000
Updates ct_err.c
Reviewed-by: Emilia Käsper <emilia at openssl.org>
Reviewed-by: Rich Salz <rsalz at openssl.org>
commit 5c081a8f748b9de3320fa9c242e43bd6282c89af
Author: Rob Percival <robpercival at google.com>
Date: Tue Mar 8 17:38:41 2016 +0000
Remove unnecessary call to SCT_set1_extensions(sct, "", 0) in ct_test.c
Reviewed-by: Emilia Käsper <emilia at openssl.org>
Reviewed-by: Rich Salz <rsalz at openssl.org>
commit 6d7fd9c14287c30271924d85f3dda22f8c1a6225
Author: Rob Percival <robpercival at google.com>
Date: Tue Mar 8 17:35:40 2016 +0000
Reset SCT validation_status if the SCT is modified
Reviewed-by: Emilia Käsper <emilia at openssl.org>
Reviewed-by: Rich Salz <rsalz at openssl.org>
commit 9c812014c84c10419f39183e9aa7dd57b29edbcc
Author: Rob Percival <robpercival at google.com>
Date: Mon Mar 7 18:41:43 2016 +0000
Use SCT_VERSION_V1 in place of literal 0 in ct_test.c
Reviewed-by: Emilia Käsper <emilia at openssl.org>
Reviewed-by: Rich Salz <rsalz at openssl.org>
commit 70279a81a79f546fb5d86fd710d87f4cf55e8bf8
Author: Rob Percival <robpercival at google.com>
Date: Mon Mar 7 18:38:17 2016 +0000
Fixes "usuable" typo in ct_locl.h
Reviewed-by: Emilia Käsper <emilia at openssl.org>
Reviewed-by: Rich Salz <rsalz at openssl.org>
commit 70073f3e3aeb3b7dd15f20b557a8340a197d976e
Author: Rob Percival <robpercival at google.com>
Date: Mon Mar 7 18:38:06 2016 +0000
Treat boolean functions as booleans
Use "!x" instead of "x <= 0", as these functions never return a negative
value.
Reviewed-by: Emilia Käsper <emilia at openssl.org>
Reviewed-by: Rich Salz <rsalz at openssl.org>
commit 8c92c4eac091e1a588a980514e7f5fd2a517fefc
Author: Rob Percival <robpercival at google.com>
Date: Fri Mar 4 19:52:45 2016 +0000
Make parameters of CTLOG_get* const
Reviewed-by: Emilia Käsper <emilia at openssl.org>
Reviewed-by: Rich Salz <rsalz at openssl.org>
commit 5da65ef23ce30285e87652469298ce6513560032
Author: Rob Percival <robpercival at google.com>
Date: Fri Mar 4 19:51:43 2016 +0000
Extensive application of __owur to CT functions that return a boolean
Also improves some documentation of those functions.
Reviewed-by: Emilia Käsper <emilia at openssl.org>
Reviewed-by: Rich Salz <rsalz at openssl.org>
commit 8fbb93d0e24da283a21bb48c4361e20a17bba955
Author: Rob Percival <robpercival at google.com>
Date: Fri Mar 4 20:37:28 2016 +0000
Makes SCT_LIST_set_source return the number of successes
No longer terminates on first error, but instead tries to set the source
of every SCT regardless of whether an error occurs with some.
Reviewed-by: Emilia Käsper <emilia at openssl.org>
Reviewed-by: Rich Salz <rsalz at openssl.org>
-----------------------------------------------------------------------
Summary of changes:
apps/apps.h | 7 ++--
apps/s_client.c | 2 +-
crypto/ct/ct_err.c | 10 +++---
crypto/ct/ct_locl.h | 49 +++++++++++++++++++-------
crypto/ct/ct_log.c | 25 +++++++------
crypto/ct/ct_oct.c | 2 +-
crypto/ct/ct_prn.c | 2 +-
crypto/ct/ct_sct.c | 44 +++++++----------------
crypto/ct/ct_sct_ctx.c | 41 ++++++++++++---------
crypto/ct/ct_vfy.c | 21 +++++------
include/openssl/ct.h | 90 +++++++++++++++++++++--------------------------
test/ct_test.c | 64 +++++++++++++++++++++++----------
test/recipes/80-test_ct.t | 1 -
util/libcrypto.num | 4 +--
14 files changed, 195 insertions(+), 167 deletions(-)
diff --git a/apps/apps.h b/apps/apps.h
index ebf696b..0fcac07 100644
--- a/apps/apps.h
+++ b/apps/apps.h
@@ -487,9 +487,10 @@ int load_crls(const char *file, STACK_OF(X509_CRL) **crls, int format,
const char *pass, const char *cert_descrip);
X509_STORE *setup_verify(char *CAfile, char *CApath,
int noCAfile, int noCApath);
-int ctx_set_verify_locations(SSL_CTX *ctx, const char *CAfile,
- const char *CApath, int noCAfile, int noCApath);
-int ctx_set_ctlog_list_file(SSL_CTX *ctx, const char *path);
+__owur int ctx_set_verify_locations(SSL_CTX *ctx, const char *CAfile,
+ const char *CApath, int noCAfile,
+ int noCApath);
+__owur int ctx_set_ctlog_list_file(SSL_CTX *ctx, const char *path);
# ifdef OPENSSL_NO_ENGINE
# define setup_engine(engine, debug) NULL
diff --git a/apps/s_client.c b/apps/s_client.c
index 725dcd3..25f5148 100644
--- a/apps/s_client.c
+++ b/apps/s_client.c
@@ -1669,7 +1669,7 @@ int s_client_main(int argc, char **argv)
goto end;
}
- if (ctx_set_ctlog_list_file(ctx, ctlog_file) <= 0) {
+ if (!ctx_set_ctlog_list_file(ctx, ctlog_file)) {
ERR_print_errors(bio_err);
goto end;
}
diff --git a/crypto/ct/ct_err.c b/crypto/ct/ct_err.c
index c55677c..9d4548c 100644
--- a/crypto/ct/ct_err.c
+++ b/crypto/ct/ct_err.c
@@ -71,12 +71,12 @@
static ERR_STRING_DATA CT_str_functs[] = {
{ERR_FUNC(CT_F_CTLOG_NEW), "CTLOG_new"},
{ERR_FUNC(CT_F_CTLOG_NEW_FROM_BASE64), "CTLOG_new_from_base64"},
- {ERR_FUNC(CT_F_CTLOG_NEW_FROM_CONF), "CTLOG_new_from_conf"},
+ {ERR_FUNC(CT_F_CTLOG_NEW_FROM_CONF), "ctlog_new_from_conf"},
{ERR_FUNC(CT_F_CTLOG_NEW_NULL), "CTLOG_new_null"},
{ERR_FUNC(CT_F_CTLOG_STORE_GET0_LOG_BY_ID), "CTLOG_STORE_get0_log_by_id"},
- {ERR_FUNC(CT_F_CTLOG_STORE_LOAD_CTX_NEW), "CTLOG_STORE_LOAD_CTX_new"},
+ {ERR_FUNC(CT_F_CTLOG_STORE_LOAD_CTX_NEW), "ctlog_store_load_ctx_new"},
{ERR_FUNC(CT_F_CTLOG_STORE_LOAD_FILE), "CTLOG_STORE_load_file"},
- {ERR_FUNC(CT_F_CT_BASE64_DECODE), "CT_base64_decode"},
+ {ERR_FUNC(CT_F_CT_BASE64_DECODE), "ct_base64_decode"},
{ERR_FUNC(CT_F_CT_POLICY_EVAL_CTX_GET0_CERT),
"CT_POLICY_EVAL_CTX_get0_cert"},
{ERR_FUNC(CT_F_CT_POLICY_EVAL_CTX_GET0_ISSUER),
@@ -90,7 +90,7 @@ static ERR_STRING_DATA CT_str_functs[] = {
"CT_POLICY_EVAL_CTX_set0_issuer"},
{ERR_FUNC(CT_F_CT_POLICY_EVAL_CTX_SET0_LOG_STORE),
"CT_POLICY_EVAL_CTX_set0_log_store"},
- {ERR_FUNC(CT_F_CT_V1_LOG_ID_FROM_PKEY), "CT_v1_log_id_from_pkey"},
+ {ERR_FUNC(CT_F_CT_V1_LOG_ID_FROM_PKEY), "ct_v1_log_id_from_pkey"},
{ERR_FUNC(CT_F_CT_VERIFY_AT_LEAST_ONE_GOOD_SCT),
"CT_verify_at_least_one_good_sct"},
{ERR_FUNC(CT_F_CT_VERIFY_NO_BAD_SCTS), "CT_verify_no_bad_scts"},
@@ -113,7 +113,7 @@ static ERR_STRING_DATA CT_str_functs[] = {
{ERR_FUNC(CT_F_SCT_SET_LOG_ENTRY_TYPE), "SCT_set_log_entry_type"},
{ERR_FUNC(CT_F_SCT_SET_SIGNATURE_NID), "SCT_set_signature_nid"},
{ERR_FUNC(CT_F_SCT_SET_VERSION), "SCT_set_version"},
- {ERR_FUNC(CT_F_SCT_SIGNATURE_IS_VALID), "SCT_signature_is_valid"},
+ {ERR_FUNC(CT_F_SCT_SIGNATURE_IS_VALID), "SCT_SIGNATURE_IS_VALID"},
{ERR_FUNC(CT_F_SCT_VALIDATE), "SCT_validate"},
{ERR_FUNC(CT_F_SCT_VERIFY), "SCT_verify"},
{ERR_FUNC(CT_F_SCT_VERIFY_V1), "SCT_verify_v1"},
diff --git a/crypto/ct/ct_locl.h b/crypto/ct/ct_locl.h
index b82fabc..3625e50 100644
--- a/crypto/ct/ct_locl.h
+++ b/crypto/ct/ct_locl.h
@@ -126,7 +126,7 @@ struct sct_st {
/* Where this SCT was found, e.g. certificate, OCSP response, etc. */
sct_source_t source;
/* The CT log that produced this SCT. */
- CTLOG *log;
+ const CTLOG *log;
/* The result of the last attempt to validate this SCT. */
sct_validation_status_t validation_status;
};
@@ -167,20 +167,45 @@ SCT_CTX *SCT_CTX_new(void);
*/
void SCT_CTX_free(SCT_CTX *sctx);
-/* Sets the certificate that the SCT is related to */
-int SCT_CTX_set1_cert(SCT_CTX *sctx, X509 *cert, X509 *presigner);
-/* Sets the issuer of the certificate that the SCT is related to */
-int SCT_CTX_set1_issuer(SCT_CTX *sctx, const X509 *issuer);
-/* Sets the public key of the issuer of the certificate that the SCT relates to */
-int SCT_CTX_set1_issuer_pubkey(SCT_CTX *sctx, X509_PUBKEY *pubkey);
-/* Sets the public key of the CT log that the SCT is from */
-int SCT_CTX_set1_pubkey(SCT_CTX *sctx, X509_PUBKEY *pubkey);
+/*
+ * Sets the certificate that the SCT was created for.
+ * If *cert does not have a poison extension, presigner must be NULL.
+ * If *cert does not have a poison extension, it may have a single SCT
+ * (NID_ct_precert_scts) extension.
+ * If either *cert or *presigner have an AKID (NID_authority_key_identifier)
+ * extension, both must have one.
+ * Returns 1 on success, 0 on failure.
+ */
+__owur int SCT_CTX_set1_cert(SCT_CTX *sctx, X509 *cert, X509 *presigner);
+
+/*
+ * Sets the issuer of the certificate that the SCT was created for.
+ * This is just a convenience method to save extracting the public key and
+ * calling SCT_CTX_set1_issuer_pubkey().
+ * Issuer must not be NULL.
+ * Returns 1 on success, 0 on failure.
+ */
+__owur int SCT_CTX_set1_issuer(SCT_CTX *sctx, const X509 *issuer);
+
+/*
+ * Sets the public key of the issuer of the certificate that the SCT was created
+ * for.
+ * The public key must not be NULL.
+ * Returns 1 on success, 0 on failure.
+ */
+__owur int SCT_CTX_set1_issuer_pubkey(SCT_CTX *sctx, X509_PUBKEY *pubkey);
+
+/*
+ * Sets the public key of the CT log that the SCT is from.
+ * Returns 1 on success, 0 on failure.
+ */
+__owur int SCT_CTX_set1_pubkey(SCT_CTX *sctx, X509_PUBKEY *pubkey);
/*
- * Does this SCT have the minimum fields populated to be usuable?
+ * Does this SCT have the minimum fields populated to be usable?
* Returns 1 if so, 0 otherwise.
*/
-int SCT_is_complete(const SCT *sct);
+__owur int SCT_is_complete(const SCT *sct);
/*
* Does this SCT have the signature-related fields populated?
@@ -188,6 +213,6 @@ int SCT_is_complete(const SCT *sct);
* This checks that the signature and hash algorithms are set to supported
* values and that the signature field is set.
*/
-int SCT_signature_is_complete(const SCT *sct);
+__owur int SCT_signature_is_complete(const SCT *sct);
diff --git a/crypto/ct/ct_log.c b/crypto/ct/ct_log.c
index 03cb51f..47bd08f 100644
--- a/crypto/ct/ct_log.c
+++ b/crypto/ct/ct_log.c
@@ -243,26 +243,24 @@ int CTLOG_STORE_load_file(CTLOG_STORE *store, const char *file)
if (load_ctx->conf == NULL)
goto end;
- ret = NCONF_load(load_ctx->conf, file, NULL);
- if (ret <= 0) {
+ if (NCONF_load(load_ctx->conf, file, NULL) <= 0) {
CTerr(CT_F_CTLOG_STORE_LOAD_FILE, CT_R_LOG_CONF_INVALID);
goto end;
}
enabled_logs = NCONF_get_string(load_ctx->conf, NULL, "enabled_logs");
if (enabled_logs == NULL) {
- ret = 0;
CTerr(CT_F_CTLOG_STORE_LOAD_FILE, CT_R_LOG_CONF_INVALID);
goto end;
}
- ret = CONF_parse_list(enabled_logs, ',', 1, ctlog_store_load_log, load_ctx);
- if (ret == 1 && load_ctx->invalid_log_entries > 0) {
- ret = 0;
+ if (!CONF_parse_list(enabled_logs, ',', 1, ctlog_store_load_log, load_ctx) ||
+ load_ctx->invalid_log_entries > 0) {
CTerr(CT_F_CTLOG_STORE_LOAD_FILE, CT_R_LOG_CONF_INVALID);
goto end;
}
+ ret = 1;
end:
NCONF_free(load_ctx->conf);
ctlog_store_load_ctx_free(load_ctx);
@@ -315,18 +313,19 @@ void CTLOG_free(CTLOG *log)
}
}
-const char *CTLOG_get0_name(CTLOG *log)
+const char *CTLOG_get0_name(const CTLOG *log)
{
return log->name;
}
-void CTLOG_get0_log_id(CTLOG *log, uint8_t **log_id, size_t *log_id_len)
+void CTLOG_get0_log_id(const CTLOG *log, const uint8_t **log_id,
+ size_t *log_id_len)
{
*log_id = log->log_id;
*log_id_len = CT_V1_HASHLEN;
}
-EVP_PKEY *CTLOG_get0_public_key(CTLOG *log)
+EVP_PKEY *CTLOG_get0_public_key(const CTLOG *log)
{
return log->public_key;
}
@@ -335,14 +334,14 @@ EVP_PKEY *CTLOG_get0_public_key(CTLOG *log)
* Given a log ID, finds the matching log.
* Returns NULL if no match found.
*/
-CTLOG *CTLOG_STORE_get0_log_by_id(const CTLOG_STORE *store,
- const uint8_t *log_id,
- size_t log_id_len)
+const CTLOG *CTLOG_STORE_get0_log_by_id(const CTLOG_STORE *store,
+ const uint8_t *log_id,
+ size_t log_id_len)
{
int i;
for (i = 0; i < sk_CTLOG_num(store->logs); ++i) {
- CTLOG *log = sk_CTLOG_value(store->logs, i);
+ const CTLOG *log = sk_CTLOG_value(store->logs, i);
if (memcmp(log->log_id, log_id, log_id_len) == 0)
return log;
}
diff --git a/crypto/ct/ct_oct.c b/crypto/ct/ct_oct.c
index d9fa68a..620edab 100644
--- a/crypto/ct/ct_oct.c
+++ b/crypto/ct/ct_oct.c
@@ -442,7 +442,7 @@ STACK_OF(SCT) *d2i_SCT_LIST(STACK_OF(SCT) **a, const unsigned char **pp,
return sk;
}
-int i2d_SCT_LIST(STACK_OF(SCT) *a, unsigned char **out)
+int i2d_SCT_LIST(const STACK_OF(SCT) *a, unsigned char **out)
{
ASN1_OCTET_STRING oct;
int len;
diff --git a/crypto/ct/ct_prn.c b/crypto/ct/ct_prn.c
index 3983c3c..bb669d5 100644
--- a/crypto/ct/ct_prn.c
+++ b/crypto/ct/ct_prn.c
@@ -69,7 +69,7 @@ static void SCT_signature_algorithms_print(const SCT *sct, BIO *out)
{
int nid = SCT_get_signature_nid(sct);
- if (nid <= 0)
+ if (nid == NID_undef)
BIO_printf(out, "%02X%02X", sct->hash_alg, sct->sig_alg);
else
BIO_printf(out, "%s", OBJ_nid2ln(nid));
diff --git a/crypto/ct/ct_sct.c b/crypto/ct/ct_sct.c
index 2b7211d..f83e155 100644
--- a/crypto/ct/ct_sct.c
+++ b/crypto/ct/ct_sct.c
@@ -101,11 +101,14 @@ int SCT_set_version(SCT *sct, sct_version_t version)
return 0;
}
sct->version = version;
+ sct->validation_status = SCT_VALIDATION_STATUS_NOT_SET;
return 1;
}
int SCT_set_log_entry_type(SCT *sct, ct_log_entry_type_t entry_type)
{
+ sct->validation_status = SCT_VALIDATION_STATUS_NOT_SET;
+
switch (entry_type) {
case CT_LOG_ENTRY_TYPE_X509:
case CT_LOG_ENTRY_TYPE_PRECERT:
@@ -127,6 +130,7 @@ int SCT_set0_log_id(SCT *sct, unsigned char *log_id, size_t log_id_len)
OPENSSL_free(sct->log_id);
sct->log_id = log_id;
sct->log_id_len = log_id_len;
+ sct->validation_status = SCT_VALIDATION_STATUS_NOT_SET;
return 1;
}
@@ -140,6 +144,7 @@ int SCT_set1_log_id(SCT *sct, const unsigned char *log_id, size_t log_id_len)
OPENSSL_free(sct->log_id);
sct->log_id = NULL;
sct->log_id_len = 0;
+ sct->validation_status = SCT_VALIDATION_STATUS_NOT_SET;
if (log_id != NULL && log_id_len > 0) {
sct->log_id = OPENSSL_memdup(log_id, log_id_len);
@@ -156,6 +161,7 @@ int SCT_set1_log_id(SCT *sct, const unsigned char *log_id, size_t log_id_len)
void SCT_set_timestamp(SCT *sct, uint64_t timestamp)
{
sct->timestamp = timestamp;
+ sct->validation_status = SCT_VALIDATION_STATUS_NOT_SET;
}
int SCT_set_signature_nid(SCT *sct, int nid)
@@ -164,10 +170,12 @@ int SCT_set_signature_nid(SCT *sct, int nid)
case NID_sha256WithRSAEncryption:
sct->hash_alg = TLSEXT_hash_sha256;
sct->sig_alg = TLSEXT_signature_rsa;
+ sct->validation_status = SCT_VALIDATION_STATUS_NOT_SET;
return 1;
case NID_ecdsa_with_SHA256:
sct->hash_alg = TLSEXT_hash_sha256;
sct->sig_alg = TLSEXT_signature_ecdsa;
+ sct->validation_status = SCT_VALIDATION_STATUS_NOT_SET;
return 1;
default:
CTerr(CT_F_SCT_SET_SIGNATURE_NID, CT_R_UNRECOGNIZED_SIGNATURE_NID);
@@ -180,6 +188,7 @@ void SCT_set0_extensions(SCT *sct, unsigned char *ext, size_t ext_len)
OPENSSL_free(sct->ext);
sct->ext = ext;
sct->ext_len = ext_len;
+ sct->validation_status = SCT_VALIDATION_STATUS_NOT_SET;
}
int SCT_set1_extensions(SCT *sct, const unsigned char *ext, size_t ext_len)
@@ -187,6 +196,7 @@ int SCT_set1_extensions(SCT *sct, const unsigned char *ext, size_t ext_len)
OPENSSL_free(sct->ext);
sct->ext = NULL;
sct->ext_len = 0;
+ sct->validation_status = SCT_VALIDATION_STATUS_NOT_SET;
if (ext != NULL && ext_len > 0) {
sct->ext = OPENSSL_memdup(ext, ext_len);
@@ -204,6 +214,7 @@ void SCT_set0_signature(SCT *sct, unsigned char *sig, size_t sig_len)
OPENSSL_free(sct->sig);
sct->sig = sig;
sct->sig_len = sig_len;
+ sct->validation_status = SCT_VALIDATION_STATUS_NOT_SET;
}
int SCT_set1_signature(SCT *sct, const unsigned char *sig, size_t sig_len)
@@ -211,6 +222,7 @@ int SCT_set1_signature(SCT *sct, const unsigned char *sig, size_t sig_len)
OPENSSL_free(sct->sig);
sct->sig = NULL;
sct->sig_len = 0;
+ sct->validation_status = SCT_VALIDATION_STATUS_NOT_SET;
if (sig != NULL && sig_len > 0) {
sct->sig = OPENSSL_memdup(sig, sig_len);
@@ -315,20 +327,7 @@ int SCT_set_source(SCT *sct, sct_source_t source)
}
}
-int SCT_LIST_set_source(const STACK_OF(SCT) *scts, sct_source_t source)
-{
- int i, ret = 1;
-
- for (i = 0; i < sk_SCT_num(scts); ++i) {
- ret = SCT_set_source(sk_SCT_value(scts, i), source);
- if (ret != 1)
- break;
- }
-
- return ret;
-}
-
-CTLOG *SCT_get0_log(const SCT *sct)
+const CTLOG *SCT_get0_log(const SCT *sct)
{
return sct->log;
}
@@ -340,23 +339,6 @@ int SCT_set0_log(SCT *sct, const CTLOG_STORE *ct_logs)
return sct->log != NULL;
}
-int SCT_LIST_set0_logs(STACK_OF(SCT) *sct_list, const CTLOG_STORE *ct_logs)
-{
- int sct_logs_found = 0;
- int i;
-
- for (i = 0; i < sk_SCT_num(sct_list); ++i) {
- SCT *sct = sk_SCT_value(sct_list, i);
-
- if (sct->log == NULL)
- SCT_set0_log(sct, ct_logs);
- if (sct->log != NULL)
- ++sct_logs_found;
- }
-
- return sct_logs_found;
-}
-
sct_validation_status_t SCT_get_validation_status(const SCT *sct)
{
return sct->validation_status;
diff --git a/crypto/ct/ct_sct_ctx.c b/crypto/ct/ct_sct_ctx.c
index 7c50c91..13937c7 100644
--- a/crypto/ct/ct_sct_ctx.c
+++ b/crypto/ct/ct_sct_ctx.c
@@ -111,7 +111,7 @@ static int ct_x509_get_ext(X509 *cert, int nid, int *is_duplicated)
* AKID from the presigner certificate, if necessary.
* Returns 1 on success, 0 otherwise.
*/
-static int ct_x509_cert_fixup(X509 *cert, X509 *presigner)
+__owur static int ct_x509_cert_fixup(X509 *cert, X509 *presigner)
{
int preidx, certidx;
int pre_akid_ext_is_dup, cert_akid_ext_is_dup;
@@ -164,13 +164,13 @@ int SCT_CTX_set1_cert(SCT_CTX *sctx, X509 *cert, X509 *presigner)
int poison_ext_is_dup, sct_ext_is_dup;
int poison_idx = ct_x509_get_ext(cert, NID_ct_precert_poison, &poison_ext_is_dup);
- /* Duplicate poison */
+ /* Duplicate poison extensions are present - error */
if (poison_ext_is_dup)
goto err;
- /* If no poison extension, store encoding */
+ /* If *cert doesn't have a poison extension, it isn't a precert */
if (poison_idx == -1) {
- /* presigner must have poison */
+ /* cert isn't a precert, so we shouldn't have a presigner */
if (presigner != NULL)
goto err;
@@ -179,20 +179,30 @@ int SCT_CTX_set1_cert(SCT_CTX *sctx, X509 *cert, X509 *presigner)
goto err;
}
- /* See if have precert scts extension */
+ /* See if cert has a precert SCTs extension */
idx = ct_x509_get_ext(cert, NID_ct_precert_scts, &sct_ext_is_dup);
- /* Duplicate scts */
+ /* Duplicate SCT extensions are present - error */
if (sct_ext_is_dup)
goto err;
- if (idx >= 0) {
- /* Can't have both poison and scts */
- if (poison_idx >= 0)
- goto err;
- } else {
+ if (idx >= 0 && poison_idx >= 0) {
+ /*
+ * cert can't both contain SCTs (i.e. have an SCT extension) and be a
+ * precert (i.e. have a poison extension).
+ */
+ goto err;
+ }
+
+ if (idx == -1) {
idx = poison_idx;
}
+ /*
+ * If either a poison or SCT extension is present, remove it before encoding
+ * cert. This, along with ct_x509_cert_fixup(), gets a TBSCertificate (see
+ * RFC5280) from cert, which is what the CT log signed when it produced the
+ * SCT.
+ */
if (idx >= 0) {
X509_EXTENSION *ext;
@@ -230,10 +240,10 @@ err:
return 0;
}
-static int ct_public_key_hash(X509_PUBKEY *pkey, unsigned char **hash,
- size_t *hash_len)
+__owur static int ct_public_key_hash(X509_PUBKEY *pkey, unsigned char **hash,
+ size_t *hash_len)
{
- int ret = -1;
+ int ret = 0;
unsigned char *md = NULL, *der = NULL;
int der_len;
unsigned int md_len;
@@ -271,8 +281,7 @@ static int ct_public_key_hash(X509_PUBKEY *pkey, unsigned char **hash,
int SCT_CTX_set1_issuer(SCT_CTX *sctx, const X509 *issuer)
{
- return ct_public_key_hash(X509_get_X509_PUBKEY(issuer), &sctx->ihash,
- &sctx->ihashlen);
+ return SCT_CTX_set1_issuer_pubkey(sctx, X509_get_X509_PUBKEY(issuer));
}
int SCT_CTX_set1_issuer_pubkey(SCT_CTX *sctx, X509_PUBKEY *pubkey)
diff --git a/crypto/ct/ct_vfy.c b/crypto/ct/ct_vfy.c
index 2366783..9895231 100644
--- a/crypto/ct/ct_vfy.c
+++ b/crypto/ct/ct_vfy.c
@@ -204,13 +204,13 @@ static int sct_ctx_update(EVP_MD_CTX *ctx, const SCT_CTX *sctx, const SCT *sct)
int SCT_verify(const SCT_CTX *sctx, const SCT *sct)
{
EVP_MD_CTX *ctx = NULL;
- int ret = -1;
+ int ret = 0;
if (!SCT_is_complete(sct) || sctx->pkey == NULL ||
sct->entry_type == CT_LOG_ENTRY_TYPE_NOT_SET ||
(sct->entry_type == CT_LOG_ENTRY_TYPE_PRECERT && sctx->ihash == NULL)) {
CTerr(CT_F_SCT_VERIFY, CT_R_SCT_NOT_SET);
- return -1;
+ return 0;
}
if (sct->version != SCT_VERSION_V1) {
CTerr(CT_F_SCT_VERIFY, CT_R_SCT_UNSUPPORTED_VERSION);
@@ -251,7 +251,7 @@ int SCT_verify_v1(SCT *sct, X509 *cert, X509 *preissuer,
if (!SCT_is_complete(sct)) {
CTerr(CT_F_SCT_VERIFY_V1, CT_R_SCT_NOT_SET);
- return -1;
+ return 0;
}
if (sct->version != 0) {
@@ -263,22 +263,17 @@ int SCT_verify_v1(SCT *sct, X509 *cert, X509 *preissuer,
if (sctx == NULL)
goto done;
- ret = SCT_CTX_set1_pubkey(sctx, log_pubkey);
- if (ret <= 0)
+ if (!SCT_CTX_set1_pubkey(sctx, log_pubkey))
goto done;
- ret = SCT_CTX_set1_cert(sctx, cert, preissuer);
- if (ret <= 0)
+ if (!SCT_CTX_set1_cert(sctx, cert, preissuer))
goto done;
- if (sct->entry_type == CT_LOG_ENTRY_TYPE_PRECERT) {
- ret = SCT_CTX_set1_issuer(sctx, issuer_cert);
- if (ret <= 0)
- goto done;
- }
+ if (sct->entry_type == CT_LOG_ENTRY_TYPE_PRECERT &&
+ !SCT_CTX_set1_issuer(sctx, issuer_cert))
+ goto done;
ret = SCT_verify(sctx, sct);
-
done:
SCT_CTX_free(sctx);
return ret;
diff --git a/include/openssl/ct.h b/include/openssl/ct.h
index 6d2182f..b2213d1 100644
--- a/include/openssl/ct.h
+++ b/include/openssl/ct.h
@@ -187,7 +187,7 @@ sct_version_t SCT_get_version(const SCT *sct);
* Set the version of an SCT.
* Returns 1 on success, 0 if the version is unrecognized.
*/
-int SCT_set_version(SCT *sct, sct_version_t version);
+__owur int SCT_set_version(SCT *sct, sct_version_t version);
/*
* Returns the log entry type of the SCT.
@@ -196,9 +196,9 @@ ct_log_entry_type_t SCT_get_log_entry_type(const SCT *sct);
/*
* Set the log entry type of an SCT.
- * Returns 1 on success.
+ * Returns 1 on success, 0 otherwise.
*/
-int SCT_set_log_entry_type(SCT *sct, ct_log_entry_type_t entry_type);
+__owur int SCT_set_log_entry_type(SCT *sct, ct_log_entry_type_t entry_type);
/*
* Gets the ID of the log that an SCT came from.
@@ -210,16 +210,17 @@ size_t SCT_get0_log_id(const SCT *sct, unsigned char **log_id);
/*
* Set the log ID of an SCT to point directly to the *log_id specified.
* The SCT takes ownership of the specified pointer.
- * Returns 1 on success.
+ * Returns 1 on success, 0 otherwise.
*/
-int SCT_set0_log_id(SCT *sct, unsigned char *log_id, size_t log_id_len);
+__owur int SCT_set0_log_id(SCT *sct, unsigned char *log_id, size_t log_id_len);
/*
* Set the log ID of an SCT.
* This makes a copy of the log_id.
- * Returns 1 on success.
+ * Returns 1 on success, 0 otherwise.
*/
-int SCT_set1_log_id(SCT *sct, const unsigned char *log_id, size_t log_id_len);
+__owur int SCT_set1_log_id(SCT *sct, const unsigned char *log_id,
+ size_t log_id_len);
/*
* Gets the name of the log that an SCT came from.
@@ -249,9 +250,9 @@ int SCT_get_signature_nid(const SCT *sct);
* Set the signature type of an SCT
* For CT v1, this should be either NID_sha256WithRSAEncryption or
* NID_ecdsa_with_SHA256.
- * Returns 1 on success.
+ * Returns 1 on success, 0 otherwise.
*/
-int SCT_set_signature_nid(SCT *sct, int nid);
+__owur int SCT_set_signature_nid(SCT *sct, int nid);
/*
* Set *ext to point to the extension data for the SCT. ext must not be NULL.
@@ -269,9 +270,10 @@ void SCT_set0_extensions(SCT *sct, unsigned char *ext, size_t ext_len);
/*
* Set the extensions of an SCT.
* This takes a copy of the ext.
- * Returns 1 on success.
+ * Returns 1 on success, 0 otherwise.
*/
-int SCT_set1_extensions(SCT *sct, const unsigned char *ext, size_t ext_len);
+__owur int SCT_set1_extensions(SCT *sct, const unsigned char *ext,
+ size_t ext_len);
/*
* Set *sig to point to the signature for the SCT. sig must not be NULL.
@@ -288,9 +290,10 @@ void SCT_set0_signature(SCT *sct, unsigned char *sig, size_t sig_len);
/*
* Set the signature of an SCT to be a copy of the *sig specified.
- * Returns 1 on success.
+ * Returns 1 on success, 0 otherwise.
*/
-int SCT_set1_signature(SCT *sct, const unsigned char *sig, size_t sig_len);
+__owur int SCT_set1_signature(SCT *sct, const unsigned char *sig,
+ size_t sig_len);
/*
* The origin of this SCT, e.g. TLS extension, OCSP response, etc.
@@ -301,34 +304,23 @@ sct_source_t SCT_get_source(const SCT *sct);
* Set the origin of this SCT, e.g. TLS extension, OCSP response, etc.
* Returns 1 on success, 0 otherwise.
*/
-int SCT_set_source(SCT *sct, sct_source_t source);
-
-/*
- * Sets the source of all of the SCTs to the same value.
- * Returns 1 on success.
- */
-int SCT_LIST_set_source(const STACK_OF(SCT) *scts, sct_source_t source);
+__owur int SCT_set_source(SCT *sct, sct_source_t source);
/*
* Gets information about the log the SCT came from, if set.
*/
-CTLOG *SCT_get0_log(const SCT *sct);
+const CTLOG *SCT_get0_log(const SCT *sct);
/*
* Looks up information about the log the SCT came from using a CT log store.
+ * The CTLOG_STORE must outlive the SCT, as ownership of the CTLOG remains with
+ * the CTLOG_STORE.
* Returns 1 if information about the log is found, 0 otherwise.
* The information can be accessed via SCT_get0_log.
*/
int SCT_set0_log(SCT *sct, const CTLOG_STORE* ct_logs);
/*
- * Looks up information about the logs the SCTs came from using a CT log store.
- * Returns the number of SCTs that now have a log set.
- * If any SCTs already have a log set, they will be skipped.
- */
-int SCT_LIST_set0_logs(STACK_OF(SCT) *sct_list, const CTLOG_STORE *ct_logs);
-
-/*
* Pretty-prints an |sct| to |out|.
* It will be indented by the number of spaces specified by |indent|.
*/
@@ -344,17 +336,15 @@ void SCT_LIST_print(const STACK_OF(SCT) *sct_list, BIO *out, int indent,
/*
* Verifies an SCT with the given context.
- * Returns 1 if the SCT verifies successfully, 0 if it cannot be verified and a
- * negative integer if an error occurs.
+ * Returns 1 if the SCT verifies successfully, 0 otherwise.
*/
-int SCT_verify(const SCT_CTX *sctx, const SCT *sct);
+__owur int SCT_verify(const SCT_CTX *sctx, const SCT *sct);
/*
* Verifies an SCT against the provided data.
- * Returns 1 if the SCT verifies successfully, 0 if it cannot be verified and a
- * negative integer if an error occurs.
+ * Returns 1 if the SCT verifies successfully, 0 otherwise.
*/
-int SCT_verify_v1(SCT *sct, X509 *cert, X509 *preissuer,
+__owur int SCT_verify_v1(SCT *sct, X509 *cert, X509 *preissuer,
X509_PUBKEY *log_pubkey, X509 *issuer_cert);
/*
@@ -370,7 +360,7 @@ sct_validation_status_t SCT_get_validation_status(const SCT *sct);
* Returns 0 if the SCT is invalid or could not be verified.
* Returns -1 if an error occurs.
*/
-int SCT_validate(SCT *sct, const CT_POLICY_EVAL_CTX *ctx);
+__owur int SCT_validate(SCT *sct, const CT_POLICY_EVAL_CTX *ctx);
/*
* Validates the given list of SCTs with the provided context.
@@ -379,7 +369,8 @@ int SCT_validate(SCT *sct, const CT_POLICY_EVAL_CTX *ctx);
* Returns 0 if at least one SCT is invalid or could not be verified.
* Returns a negative integer if an error occurs.
*/
-int SCT_LIST_validate(const STACK_OF(SCT) *scts, CT_POLICY_EVAL_CTX *ctx);
+__owur int SCT_LIST_validate(const STACK_OF(SCT) *scts,
+ CT_POLICY_EVAL_CTX *ctx);
/*********************************
@@ -398,7 +389,7 @@ int SCT_LIST_validate(const STACK_OF(SCT) *scts, CT_POLICY_EVAL_CTX *ctx);
* Returns < 0 on error, >= 0 indicating bytes written (or would have been)
* on success.
*/
-int i2o_SCT_LIST(const STACK_OF(SCT) *a, unsigned char **pp);
+__owur int i2o_SCT_LIST(const STACK_OF(SCT) *a, unsigned char **pp);
/*
* Convert TLS format SCT list to a stack of SCTs.
@@ -425,7 +416,7 @@ STACK_OF(SCT) *o2i_SCT_LIST(STACK_OF(SCT) **a, const unsigned char **pp,
* Returns < 0 on error, >= 0 indicating bytes written (or would have been)
* on success.
*/
-int i2d_SCT_LIST(STACK_OF(SCT) *a, unsigned char **pp);
+__owur int i2d_SCT_LIST(const STACK_OF(SCT) *a, unsigned char **pp);
/*
* Parses an SCT list in DER format and returns it.
@@ -449,7 +440,7 @@ STACK_OF(SCT) *d2i_SCT_LIST(STACK_OF(SCT) **a, const unsigned char **pp,
* to it.
* The length of the SCT in TLS format will be returned.
*/
-int i2o_SCT(const SCT *sct, unsigned char **out);
+__owur int i2o_SCT(const SCT *sct, unsigned char **out);
/*
* Parses an SCT in TLS format and returns it.
@@ -472,7 +463,7 @@ SCT *o2i_SCT(SCT **psct, const unsigned char **in, size_t len);
* If |out| points to an allocated string, the signature will be written to it.
* The length of the signature in TLS format will be returned.
*/
-int i2o_SCT_signature(const SCT *sct, unsigned char **out);
+__owur int i2o_SCT_signature(const SCT *sct, unsigned char **out);
/*
* Parses an SCT signature in TLS format and populates the |sct| with it.
@@ -481,7 +472,7 @@ int i2o_SCT_signature(const SCT *sct, unsigned char **out);
* |len| should be the length of the signature in |in|.
* Returns the number of bytes parsed, or a negative integer if an error occurs.
*/
-int o2i_SCT_signature(SCT *sct, const unsigned char **in, size_t len);
+__owur int o2i_SCT_signature(SCT *sct, const unsigned char **in, size_t len);
/********************
* CT log functions *
@@ -511,11 +502,12 @@ CTLOG *CTLOG_new_from_base64(const char *pkey_base64, const char *name);
void CTLOG_free(CTLOG *log);
/* Gets the name of the CT log */
-const char *CTLOG_get0_name(CTLOG *log);
+const char *CTLOG_get0_name(const CTLOG *log);
/* Gets the ID of the CT log */
-void CTLOG_get0_log_id(CTLOG *log, uint8_t **log_id, size_t *log_id_len);
+void CTLOG_get0_log_id(const CTLOG *log, const uint8_t **log_id,
+ size_t *log_id_len);
/* Gets the public key of the CT log */
-EVP_PKEY *CTLOG_get0_public_key(CTLOG *log);
+EVP_PKEY *CTLOG_get0_public_key(const CTLOG *log);
/**************************
* CT log store functions *
@@ -536,15 +528,15 @@ void CTLOG_STORE_free(CTLOG_STORE *store);
* Finds a CT log in the store based on its log ID.
* Returns the CT log, or NULL if no match is found.
*/
-CTLOG *CTLOG_STORE_get0_log_by_id(const CTLOG_STORE *store,
- const uint8_t *log_id,
- size_t log_id_len);
+const CTLOG *CTLOG_STORE_get0_log_by_id(const CTLOG_STORE *store,
+ const uint8_t *log_id,
+ size_t log_id_len);
/*
* Loads a CT log list into a |store| from a |file|.
* Returns 1 if loading is successful, or 0 otherwise.
*/
-int CTLOG_STORE_load_file(CTLOG_STORE *store, const char *file);
+__owur int CTLOG_STORE_load_file(CTLOG_STORE *store, const char *file);
/*
* Loads the default CT log list into a |store|.
@@ -552,7 +544,7 @@ int CTLOG_STORE_load_file(CTLOG_STORE *store, const char *file);
* consulted to find the default file.
* Returns 1 if loading is successful, or 0 otherwise.
*/
-int CTLOG_STORE_load_default_file(CTLOG_STORE *store);
+__owur int CTLOG_STORE_load_default_file(CTLOG_STORE *store);
/* BEGIN ERROR CODES */
/*
diff --git a/test/ct_test.c b/test/ct_test.c
index f60be60..fec1694 100644
--- a/test/ct_test.c
+++ b/test/ct_test.c
@@ -82,7 +82,7 @@ typedef struct ct_test_fixture {
char *issuer_file;
int expected_sct_count;
/* Set the following to test handling of SCTs in TLS format */
- const uint8_t *tls_sct;
+ const unsigned char *tls_sct;
size_t tls_sct_len;
SCT *sct;
/*
@@ -340,8 +340,19 @@ static int execute_cert_test(CT_TEST_FIXTURE fixture)
if (fixture.test_validity) {
int are_scts_validated = 0;
+ int i;
+
scts = X509V3_EXT_d2i(sct_extension);
- SCT_LIST_set_source(scts, SCT_SOURCE_X509V3_EXTENSION);
+ for (i = 0; i < sk_SCT_num(scts); ++i) {
+ SCT *sct_i = sk_SCT_value(scts, i);
+
+ if (!SCT_set_source(sct_i, SCT_SOURCE_X509V3_EXTENSION)) {
+ fprintf(stderr,
+ "Error setting SCT source to X509v3 extension\n");
+ test_failed = 1;
+ goto end;
+ }
+ }
are_scts_validated = SCT_LIST_validate(scts, ct_policy_ctx);
if (are_scts_validated < 0) {
@@ -350,7 +361,6 @@ static int execute_cert_test(CT_TEST_FIXTURE fixture)
} else if (!are_scts_validated) {
int invalid_sct_count = 0;
int valid_sct_count = 0;
- int i;
for (i = 0; i < sk_SCT_num(scts); ++i) {
SCT *sct_i = sk_SCT_value(scts, i);
@@ -502,9 +512,7 @@ static int test_verify_multiple_scts()
static int test_decode_tls_sct()
{
- SETUP_CT_TEST_FIXTURE();
- fixture.tls_sct = (unsigned char *)
- "\x00" /* version */
+ const unsigned char tls_sct[] = "\x00" /* version */
/* log ID */
"\xDF\x1C\x2E\xC1\x15\x00\x94\x52\x47\xA9\x61\x68\x32\x5D\xDC\x5C\x79"
"\x59\xE8\xF7\xC6\xD3\x88\xFC\x00\x2E\x0B\xBD\x3F\x74\xD7\x64"
@@ -513,11 +521,15 @@ static int test_decode_tls_sct()
"" /* extensions */
"\x04\x03" /* hash and signature algorithms */
"\x00\x47" /* signature length */
+ /* signature */
"\x30\x45\x02\x20\x48\x2F\x67\x51\xAF\x35\xDB\xA6\x54\x36\xBE\x1F\xD6"
"\x64\x0F\x3D\xBF\x9A\x41\x42\x94\x95\x92\x45\x30\x28\x8F\xA3\xE5\xE2"
"\x3E\x06\x02\x21\x00\xE4\xED\xC0\xDB\x3A\xC5\x72\xB1\xE2\xF5\xE8\xAB"
"\x6A\x68\x06\x53\x98\x7D\xCF\x41\x02\x7D\xFE\xFF\xA1\x05\x51\x9D\x89"
- "\xED\xBF\x08"; /* signature */
+ "\xED\xBF\x08";
+
+ SETUP_CT_TEST_FIXTURE();
+ fixture.tls_sct = tls_sct;
fixture.tls_sct_len = 118;
fixture.sct_dir = ct_dir;
fixture.sct_text_file = "tls1.sct";
@@ -526,22 +538,36 @@ static int test_decode_tls_sct()
static int test_encode_tls_sct()
{
+ const unsigned char log_id[] = "\xDF\x1C\x2E\xC1\x15\x00\x94\x52\x47\xA9"
+ "\x61\x68\x32\x5D\xDC\x5C\x79\x59\xE8\xF7\xC6\xD3\x88\xFC\x00\x2E"
+ "\x0B\xBD\x3F\x74\xD7\x64";
+
+ const unsigned char signature[] = "\x45\x02\x20\x48\x2F\x67\x51\xAF\x35"
+ "\xDB\xA6\x54\x36\xBE\x1F\xD6\x64\x0F\x3D\xBF\x9A\x41\x42\x94\x95"
+ "\x92\x45\x30\x28\x8F\xA3\xE5\xE2\x3E\x06\x02\x21\x00\xE4\xED\xC0"
+ "\xDB\x3A\xC5\x72\xB1\xE2\xF5\xE8\xAB\x6A\x68\x06\x53\x98\x7D\xCF"
+ "\x41\x02\x7D\xFE\xFF\xA1\x05\x51\x9D\x89\xED\xBF\x08";
+
SETUP_CT_TEST_FIXTURE();
SCT *sct = SCT_new();
- SCT_set_version(sct, 0);
- SCT_set1_log_id(sct, (unsigned char *)
- "\xDF\x1C\x2E\xC1\x15\x00\x94\x52\x47\xA9\x61\x68\x32\x5D\xDC\x5C\x79"
- "\x59\xE8\xF7\xC6\xD3\x88\xFC\x00\x2E\x0B\xBD\x3F\x74\xD7\x64", 32);
+ if (!SCT_set_version(sct, SCT_VERSION_V1)) {
+ fprintf(stderr, "Failed to set SCT version\n");
+ return 1;
+ }
+ if (!SCT_set1_log_id(sct, log_id, 32)) {
+ fprintf(stderr, "Failed to set SCT log ID\n");
+ return 1;
+ }
SCT_set_timestamp(sct, 1);
- SCT_set1_extensions(sct, (unsigned char *)"", 0);
- SCT_set_signature_nid(sct, NID_ecdsa_with_SHA256);
- SCT_set1_signature(sct, (unsigned char *)
- "\x45\x02\x20\x48\x2F\x67\x51\xAF\x35\xDB\xA6\x54\x36\xBE"
- "\x1F\xD6\x64\x0F\x3D\xBF\x9A\x41\x42\x94\x95\x92\x45\x30\x28\x8F\xA3"
- "\xE5\xE2\x3E\x06\x02\x21\x00\xE4\xED\xC0\xDB\x3A\xC5\x72\xB1\xE2\xF5"
- "\xE8\xAB\x6A\x68\x06\x53\x98\x7D\xCF\x41\x02\x7D\xFE\xFF\xA1\x05\x51"
- "\x9D\x89\xED\xBF\x08", 71);
+ if (!SCT_set_signature_nid(sct, NID_ecdsa_with_SHA256)) {
+ fprintf(stderr, "Failed to set SCT signature NID\n");
+ return 1;
+ }
+ if (!SCT_set1_signature(sct, signature, 71)) {
+ fprintf(stderr, "Failed to set SCT signature\n");
+ return 1;
+ }
fixture.sct = sct;
fixture.sct_dir = ct_dir;
fixture.sct_text_file = "tls1.sct";
diff --git a/test/recipes/80-test_ct.t b/test/recipes/80-test_ct.t
index 6f1d8fc..ff63fa4 100644
--- a/test/recipes/80-test_ct.t
+++ b/test/recipes/80-test_ct.t
@@ -8,4 +8,3 @@ $ENV{CTLOG_FILE} = srctop_file("test", "ct", "log_list.conf");
$ENV{CT_DIR} = srctop_file("test", "ct");
$ENV{CERTS_DIR} = srctop_file("test", "certs");
simple_test("test_ct", "ct_test", "ct", "ec");
-
diff --git a/util/libcrypto.num b/util/libcrypto.num
index ba3060f..bd4518e 100644
--- a/util/libcrypto.num
+++ b/util/libcrypto.num
@@ -1300,7 +1300,7 @@ i2d_X509_REVOKED 1260 1_1_0 EXIST::FUNCTION:
CMS_sign 1261 1_1_0 EXIST::FUNCTION:CMS
X509_STORE_add_cert 1262 1_1_0 EXIST::FUNCTION:
EC_GROUP_precompute_mult 1263 1_1_0 EXIST::FUNCTION:EC
-SCT_LIST_set_source 1264 1_1_0 EXIST::FUNCTION:
+SCT_LIST_set_source 1264 1_1_0 NOEXIST::FUNCTION:
d2i_DISPLAYTEXT 1265 1_1_0 EXIST::FUNCTION:
HMAC_CTX_copy 1266 1_1_0 EXIST::FUNCTION:
CRYPTO_gcm128_init 1267 1_1_0 EXIST::FUNCTION:
@@ -1628,7 +1628,7 @@ PEM_write_X509_REQ_NEW 1579 1_1_0 EXIST::FUNCTION:
CONF_imodule_set_usr_data 1580 1_1_0 EXIST::FUNCTION:
d2i_TS_RESP_fp 1581 1_1_0 EXIST::FUNCTION:STDIO
X509_policy_tree_get0_user_policies 1582 1_1_0 EXIST::FUNCTION:
-SCT_LIST_set0_logs 1583 1_1_0 EXIST::FUNCTION:
+SCT_LIST_set0_logs 1583 1_1_0 NOEXIST::FUNCTION:
DSA_do_sign 1584 1_1_0 EXIST::FUNCTION:DSA
EVP_CIPHER_CTX_reset 1585 1_1_0 EXIST::FUNCTION:
OCSP_REVOKEDINFO_new 1586 1_1_0 EXIST::FUNCTION:
More information about the openssl-commits
mailing list