Use safestack.h exclusively internally.

[openssl.git] / crypto / ct / ct_vfy.c

diff --git a/crypto/ct/ct_vfy.c b/crypto/ct/ct_vfy.c
index 8305ce678eae24eaee83674343d9919efc0c0b8b..cabcf5782aa445a49a2a771d1354172a3b818c12 100644 (file)
--- a/crypto/ct/ct_vfy.c
+++ b/crypto/ct/ct_vfy.c
@@ -93,7 +93,7 @@ static int sct_ctx_update(EVP_MD_CTX *ctx, const SCT_CTX *sctx, const SCT *sct)
     return 1;
 }
 
-int SCT_verify(const SCT_CTX *sctx, const SCT *sct)
+int SCT_CTX_verify(const SCT_CTX *sctx, const SCT *sct)
 {
     EVP_MD_CTX *ctx = NULL;
     int ret = 0;
@@ -101,16 +101,20 @@ int SCT_verify(const SCT_CTX *sctx, const SCT *sct)
     if (!SCT_is_complete(sct) || sctx->pkey == NULL ||
         sct->entry_type == CT_LOG_ENTRY_TYPE_NOT_SET ||
         (sct->entry_type == CT_LOG_ENTRY_TYPE_PRECERT && sctx->ihash == NULL)) {
-        CTerr(CT_F_SCT_VERIFY, CT_R_SCT_NOT_SET);
+        CTerr(CT_F_SCT_CTX_VERIFY, CT_R_SCT_NOT_SET);
         return 0;
     }
     if (sct->version != SCT_VERSION_V1) {
-        CTerr(CT_F_SCT_VERIFY, CT_R_SCT_UNSUPPORTED_VERSION);
+        CTerr(CT_F_SCT_CTX_VERIFY, CT_R_SCT_UNSUPPORTED_VERSION);
         return 0;
     }
     if (sct->log_id_len != sctx->pkeyhashlen ||
         memcmp(sct->log_id, sctx->pkeyhash, sctx->pkeyhashlen) != 0) {
-        CTerr(CT_F_SCT_VERIFY, CT_R_SCT_LOG_ID_MISMATCH);
+        CTerr(CT_F_SCT_CTX_VERIFY, CT_R_SCT_LOG_ID_MISMATCH);
+        return 0;
+    }
+    if (sct->timestamp > sctx->epoch_time_in_ms) {
+        CTerr(CT_F_SCT_CTX_VERIFY, CT_R_SCT_FUTURE_TIMESTAMP);
         return 0;
     }
 
@@ -128,45 +132,9 @@ int SCT_verify(const SCT_CTX *sctx, const SCT *sct)
     ret = EVP_DigestVerifyFinal(ctx, sct->sig, sct->sig_len);
     /* If ret < 0 some other error: fall through without setting error */
     if (ret == 0)
-        CTerr(CT_F_SCT_VERIFY, CT_R_SCT_INVALID_SIGNATURE);
+        CTerr(CT_F_SCT_CTX_VERIFY, CT_R_SCT_INVALID_SIGNATURE);
 
 end:
     EVP_MD_CTX_free(ctx);
     return ret;
 }
-
-int SCT_verify_v1(SCT *sct, X509 *cert, X509 *preissuer,
-                  X509_PUBKEY *log_pubkey, X509 *issuer_cert)
-{
-    int ret = 0;
-    SCT_CTX *sctx = NULL;
-
-    if (!SCT_is_complete(sct)) {
-        CTerr(CT_F_SCT_VERIFY_V1, CT_R_SCT_NOT_SET);
-        return 0;
-    }
-
-    if (sct->version != 0) {
-        CTerr(CT_F_SCT_VERIFY_V1, CT_R_SCT_UNSUPPORTED_VERSION);
-        return 0;
-    }
-
-    sctx = SCT_CTX_new();
-    if (sctx == NULL)
-        goto done;
-
-    if (!SCT_CTX_set1_pubkey(sctx, log_pubkey))
-        goto done;
-
-    if (!SCT_CTX_set1_cert(sctx, cert, preissuer))
-        goto done;
-
-    if (sct->entry_type == CT_LOG_ENTRY_TYPE_PRECERT &&
-        !SCT_CTX_set1_issuer(sctx, issuer_cert))
-        goto done;
-
-    ret = SCT_verify(sctx, sct);
-done:
-    SCT_CTX_free(sctx);
-    return ret;
-}