* A new string will be malloc'd and assigned to |out|. This will be owned by
* the caller. Do not provide a pre-allocated string in |out|.
*/
-static int CT_base64_decode(const char *in, unsigned char **out)
+static int ct_base64_decode(const char *in, unsigned char **out)
{
- size_t inlen;
+ size_t inlen = strlen(in);
int outlen;
unsigned char *outbuf = NULL;
- if (in == NULL || out == NULL) {
- CTerr(CT_F_CT_BASE64_DECODE, ERR_R_PASSED_NULL_PARAMETER);
- goto err;
- }
-
- inlen = strlen(in);
if (inlen == 0) {
*out = NULL;
return 0;
const char *extensions_base64,
const char *signature_base64)
{
- SCT *sct;
+ SCT *sct = SCT_new();
unsigned char *dec = NULL;
int declen;
- if (logid_base64 == NULL ||
- extensions_base64 == NULL ||
- signature_base64 == NULL) {
- CTerr(CT_F_SCT_NEW_FROM_BASE64, ERR_R_PASSED_NULL_PARAMETER);
- return NULL;
- }
-
- sct = SCT_new();
if (sct == NULL) {
CTerr(CT_F_SCT_NEW_FROM_BASE64, ERR_R_MALLOC_FAILURE);
return NULL;
goto err;
}
- declen = CT_base64_decode(logid_base64, &dec);
+ declen = ct_base64_decode(logid_base64, &dec);
if (declen < 0) {
CTerr(CT_F_SCT_NEW_FROM_BASE64, X509_R_BASE64_DECODE_ERROR);
goto err;
goto err;
dec = NULL;
- declen = CT_base64_decode(extensions_base64, &dec);
+ declen = ct_base64_decode(extensions_base64, &dec);
if (declen < 0) {
CTerr(CT_F_SCT_NEW_FROM_BASE64, X509_R_BASE64_DECODE_ERROR);
goto err;
SCT_set0_extensions(sct, dec, declen);
dec = NULL;
- declen = CT_base64_decode(signature_base64, &dec);
+ declen = ct_base64_decode(signature_base64, &dec);
if (declen < 0) {
CTerr(CT_F_SCT_NEW_FROM_BASE64, X509_R_BASE64_DECODE_ERROR);
goto err;
CTLOG *CTLOG_new_from_base64(const char *pkey_base64, const char *name)
{
unsigned char *pkey_der = NULL;
+ int pkey_der_len = ct_base64_decode(pkey_base64, &pkey_der);
const unsigned char *p;
- int pkey_der_len;
EVP_PKEY *pkey = NULL;
CTLOG *log = NULL;
- pkey_der_len = CT_base64_decode(pkey_base64, &pkey_der);
if (pkey_der_len <= 0) {
CTerr(CT_F_CTLOG_NEW_FROM_BASE64, CT_R_LOG_CONF_INVALID_KEY);
return NULL;
*
*/
+#include <stdlib.h>
+#include <string.h>
+
#include <openssl/conf.h>
#include <openssl/ct.h>
#include <openssl/err.h>
* Creates an empty context for loading a CT log store.
* It should be populated before use.
*/
-static CTLOG_STORE_LOAD_CTX *CTLOG_STORE_LOAD_CTX_new();
+static CTLOG_STORE_LOAD_CTX *ctlog_store_load_ctx_new();
/*
* Deletes a CT log store load context.
* Does not delete any of the fields.
*/
-static void CTLOG_STORE_LOAD_CTX_free(CTLOG_STORE_LOAD_CTX* ctx);
+static void ctlog_store_load_ctx_free(CTLOG_STORE_LOAD_CTX* ctx);
-static CTLOG_STORE_LOAD_CTX *CTLOG_STORE_LOAD_CTX_new()
+static CTLOG_STORE_LOAD_CTX *ctlog_store_load_ctx_new()
{
- CTLOG_STORE_LOAD_CTX *ctx = OPENSSL_zalloc(sizeof(CTLOG_STORE_LOAD_CTX));
+ CTLOG_STORE_LOAD_CTX *ctx = OPENSSL_zalloc(sizeof(*ctx));
+
if (ctx == NULL) {
CTerr(CT_F_CTLOG_STORE_LOAD_CTX_NEW, ERR_R_MALLOC_FAILURE);
goto err;
}
return ctx;
-
err:
- CTLOG_STORE_LOAD_CTX_free(ctx);
+ ctlog_store_load_ctx_free(ctx);
return NULL;
}
-static void CTLOG_STORE_LOAD_CTX_free(CTLOG_STORE_LOAD_CTX* ctx)
+static void ctlog_store_load_ctx_free(CTLOG_STORE_LOAD_CTX* ctx)
{
- if (ctx == NULL)
- return;
-
OPENSSL_free(ctx);
}
/* Converts a log's public key into a SHA256 log ID */
-static int CT_v1_log_id_from_pkey(EVP_PKEY *pkey,
+static int ct_v1_log_id_from_pkey(EVP_PKEY *pkey,
unsigned char log_id[CT_V1_HASHLEN])
{
int ret = 0;
unsigned char *pkey_der = NULL;
int pkey_der_len = i2d_PUBKEY(pkey, &pkey_der);
+
if (pkey_der_len <= 0) {
CTerr(CT_F_CT_V1_LOG_ID_FROM_PKEY, CT_R_LOG_KEY_INVALID);
goto err;
}
+
SHA256(pkey_der, pkey_der_len, log_id);
ret = 1;
err:
CTLOG_STORE *CTLOG_STORE_new(void)
{
- CTLOG_STORE *ret = OPENSSL_malloc(sizeof(CTLOG_STORE));
+ CTLOG_STORE *ret = OPENSSL_zalloc(sizeof(*ret));
+
if (ret == NULL)
goto err;
+
ret->logs = sk_CTLOG_new_null();
if (ret->logs == NULL)
goto err;
+
return ret;
err:
CTLOG_STORE_free(ret);
}
}
-static CTLOG *CTLOG_new_from_conf(const CONF *conf, const char *section)
+static CTLOG *ctlog_new_from_conf(const CONF *conf, const char *section)
{
CTLOG *ret = NULL;
- char *description;
+ char *description = NCONF_get_string(conf, section, "description");
char *pkey_base64;
- if (conf == NULL || section == NULL) {
- CTerr(CT_F_CTLOG_NEW_FROM_CONF, ERR_R_PASSED_NULL_PARAMETER);
- goto end;
- }
-
- description = NCONF_get_string(conf, section, "description");
if (description == NULL) {
CTerr(CT_F_CTLOG_NEW_FROM_CONF, CT_R_LOG_CONF_MISSING_DESCRIPTION);
}
pkey_base64 = NCONF_get_string(conf, section, "key");
-
if (pkey_base64 == NULL) {
CTerr(CT_F_CTLOG_NEW_FROM_CONF, CT_R_LOG_CONF_MISSING_KEY);
goto end;
int CTLOG_STORE_load_default_file(CTLOG_STORE *store)
{
- char *fpath = (char *)getenv(CTLOG_FILE_EVP);
+ const char *fpath = getenv(CTLOG_FILE_EVP);
+
if (fpath == NULL)
fpath = CTLOG_FILE;
+
return CTLOG_STORE_load_file(store, fpath);
}
-static int CTLOG_STORE_load_log(const char *log_name, int log_name_len, void *arg)
+static int ctlog_store_load_log(const char *log_name, int log_name_len, void *arg)
{
CTLOG_STORE_LOAD_CTX *load_ctx = arg;
CTLOG *ct_log;
-
/* log_name may not be null-terminated, so fix that before using it */
char *tmp = OPENSSL_strndup(log_name, log_name_len);
- ct_log = CTLOG_new_from_conf(load_ctx->conf, tmp);
+
+ ct_log = ctlog_new_from_conf(load_ctx->conf, tmp);
OPENSSL_free(tmp);
if (ct_log == NULL)
return 0;
{
int ret = -1;
char *enabled_logs;
- CTLOG_STORE_LOAD_CTX* load_ctx = CTLOG_STORE_LOAD_CTX_new();
+ CTLOG_STORE_LOAD_CTX* load_ctx = ctlog_store_load_ctx_new();
+
load_ctx->log_store = store;
load_ctx->conf = NCONF_new(NULL);
if (load_ctx->conf == NULL)
}
enabled_logs = NCONF_get_string(load_ctx->conf, NULL, "enabled_logs");
- CONF_parse_list(enabled_logs, ',', 1, CTLOG_STORE_load_log, load_ctx);
+ CONF_parse_list(enabled_logs, ',', 1, ctlog_store_load_log, load_ctx);
end:
NCONF_free(load_ctx->conf);
- CTLOG_STORE_LOAD_CTX_free(load_ctx);
+ ctlog_store_load_ctx_free(load_ctx);
return ret;
}
*/
CTLOG *CTLOG_new(EVP_PKEY *public_key, const char *name)
{
- CTLOG *ret = NULL;
- if (public_key == NULL || name == NULL) {
- CTerr(CT_F_CTLOG_NEW, ERR_R_PASSED_NULL_PARAMETER);
- goto err;
- }
- ret = CTLOG_new_null();
+ CTLOG *ret = CTLOG_new_null();
+
if (ret == NULL)
goto err;
+
ret->name = OPENSSL_strdup(name);
if (ret->name == NULL)
goto err;
+
ret->public_key = public_key;
- if (CT_v1_log_id_from_pkey(public_key, ret->log_id) != 1)
+ if (ct_v1_log_id_from_pkey(public_key, ret->log_id) != 1)
goto err;
+
return ret;
err:
CTLOG_free(ret);
CTLOG *CTLOG_new_null(void)
{
- CTLOG *ret = OPENSSL_zalloc(sizeof(CTLOG));
+ CTLOG *ret = OPENSSL_zalloc(sizeof(*ret));
+
if (ret == NULL)
CTerr(CT_F_CTLOG_NEW_NULL, ERR_R_MALLOC_FAILURE);
+
return ret;
}
{
if (log != NULL) {
OPENSSL_free(log->name);
- log->name = NULL;
-
EVP_PKEY_free(log->public_key);
- log->public_key = NULL;
-
OPENSSL_free(log);
}
}
size_t log_id_len)
{
int i;
- if (store == NULL) {
- CTerr(CT_F_CTLOG_STORE_GET0_LOG_BY_ID, ERR_R_PASSED_NULL_PARAMETER);
- goto end;
- }
+
for (i = 0; i < sk_CTLOG_num(store->logs); ++i) {
CTLOG *log = sk_CTLOG_value(store->logs, i);
if (memcmp(log->log_id, log_id, log_id_len) == 0)
return log;
}
-end:
+
return NULL;
}
#include "ct_locl.h"
-#define n2s(c,s) ((s=(((unsigned int)((c)[0]))<< 8)| \
- (((unsigned int)((c)[1])) )),c+=2)
-
-#define s2n(s,c) ((c[0]=(unsigned char)(((s)>> 8)&0xff), \
- c[1]=(unsigned char)(((s) )&0xff)),c+=2)
-
-#define n2l8(c,l) (l =((uint64_t)(*((c)++)))<<56, \
- l|=((uint64_t)(*((c)++)))<<48, \
- l|=((uint64_t)(*((c)++)))<<40, \
- l|=((uint64_t)(*((c)++)))<<32, \
- l|=((uint64_t)(*((c)++)))<<24, \
- l|=((uint64_t)(*((c)++)))<<16, \
- l|=((uint64_t)(*((c)++)))<< 8, \
- l|=((uint64_t)(*((c)++))))
-
-#define l2n8(l,c) (*((c)++)=(unsigned char)(((l)>>56)&0xff), \
- *((c)++)=(unsigned char)(((l)>>48)&0xff), \
- *((c)++)=(unsigned char)(((l)>>40)&0xff), \
- *((c)++)=(unsigned char)(((l)>>32)&0xff), \
- *((c)++)=(unsigned char)(((l)>>24)&0xff), \
- *((c)++)=(unsigned char)(((l)>>16)&0xff), \
- *((c)++)=(unsigned char)(((l)>> 8)&0xff), \
- *((c)++)=(unsigned char)(((l) )&0xff))
-
int o2i_SCT_signature(SCT *sct, const unsigned char **in, size_t len)
{
size_t siglen;
SCT *SCT_new(void)
{
- SCT *sct = OPENSSL_zalloc(sizeof(SCT));
+ SCT *sct = OPENSSL_zalloc(sizeof(*sct));
if (sct == NULL) {
CTerr(CT_F_SCT_NEW, ERR_R_MALLOC_FAILURE);
int SCT_set0_log(SCT *sct, const CTLOG_STORE *ct_logs)
{
- sct->log =
- CTLOG_STORE_get0_log_by_id(ct_logs, sct->log_id, sct->log_id_len);
+ sct->log = CTLOG_STORE_get0_log_by_id(ct_logs, sct->log_id, sct->log_id_len);
return sct->log != NULL;
}
SCT_CTX *SCT_CTX_new(void)
{
- SCT_CTX *sctx = OPENSSL_zalloc(sizeof(SCT_CTX));
+ SCT_CTX *sctx = OPENSSL_zalloc(sizeof(*sctx));
+
if (sctx == NULL)
CTerr(CT_F_SCT_CTX_NEW, ERR_R_MALLOC_FAILURE);
+
return sctx;
}
OPENSSL_free(sctx);
}
-/* retrieve extension index checking for duplicates */
-static int sct_get_ext(X509 *cert, int nid)
+/*
+ * Finds the index of the first extension with the given NID in cert.
+ * If there is more than one extension with that NID, *is_duplicated is set to
+ * 1, otherwise 0 (unless it is NULL).
+ */
+static int ct_x509_get_ext(X509 *cert, int nid, int *is_duplicated)
{
- int rv = X509_get_ext_by_NID(cert, nid, -1);
- if (rv >= 0 && X509_get_ext_by_NID(cert, nid, rv) >= 0)
- return -2;
- return rv;
+ int ret = X509_get_ext_by_NID(cert, nid, -1);
+
+ if (is_duplicated != NULL)
+ *is_duplicated = ret >= 0 && X509_get_ext_by_NID(cert, nid, ret) >= 0;
+
+ return ret;
}
/*
- * modify certificate by deleting extensions, copying issuer
- * and AKID if necessary.
+ * Modifies a certificate by deleting extensions and copying the issuer and
+ * AKID from the presigner certificate, if necessary.
+ * Returns 1 on success, 0 otherwise.
*/
-static int sct_cert_fixup(X509 *cert, X509 *presigner)
+static int ct_x509_cert_fixup(X509 *cert, X509 *presigner)
{
int preidx, certidx;
+ int pre_akid_ext_is_dup, cert_akid_ext_is_dup;
+
if (presigner == NULL)
return 1;
- preidx = sct_get_ext(presigner, NID_authority_key_identifier);
- certidx = sct_get_ext(cert, NID_authority_key_identifier);
- /* Invalid certificate if duplicate */
- if (preidx == -2 || certidx == -2)
+
+ preidx = ct_x509_get_ext(presigner, NID_authority_key_identifier,
+ &pre_akid_ext_is_dup);
+ certidx = ct_x509_get_ext(cert, NID_authority_key_identifier,
+ &cert_akid_ext_is_dup);
+
+ /* An error occurred whilst searching for the extension */
+ if (preidx < -1 || certidx < -1)
+ return 0;
+ /* Invalid certificate if they contain duplicate extensions */
+ if (pre_akid_ext_is_dup || cert_akid_ext_is_dup)
return 0;
/* AKID must be present in both certificate or absent in both */
if (preidx >= 0 && certidx == -1)
X509_EXTENSION *preext = X509_get_ext(presigner, preidx);
X509_EXTENSION *certext = X509_get_ext(cert, certidx);
ASN1_OCTET_STRING *preextdata;
+
/* Should never happen */
if (preext == NULL || certext == NULL)
return 0;
preextdata = X509_EXTENSION_get_data(preext);
- if (preextdata == NULL || !X509_EXTENSION_set_data(certext, preextdata))
+ if (preextdata == NULL ||
+ !X509_EXTENSION_set_data(certext, preextdata))
return 0;
}
return 1;
unsigned char *certder = NULL, *preder = NULL;
X509 *pretmp = NULL;
int certderlen = 0, prederlen = 0;
- int idx = -1, idxp = -1;
- idxp = sct_get_ext(cert, NID_ct_precert_poison);
+ int idx = -1;
+ int poison_ext_is_dup, sct_ext_is_dup;
+ int poison_idx = ct_x509_get_ext(cert, NID_ct_precert_poison, &poison_ext_is_dup);
+
/* Duplicate poison */
- if (idxp == -2)
+ if (poison_ext_is_dup)
goto err;
- /* If no poison store encoding */
- if (idxp == -1) {
- /* If presigner must have poison */
- if (presigner)
+
+ /* If no poison extension, store encoding */
+ if (poison_idx == -1) {
+ /* presigner must have poison */
+ if (presigner != NULL)
goto err;
+
certderlen = i2d_X509(cert, &certder);
if (certderlen < 0)
goto err;
}
+
/* See if have precert scts extension */
- idx = X509_get_ext_by_NID(cert, NID_ct_precert_scts, -1);
+ idx = ct_x509_get_ext(cert, NID_ct_precert_scts, &sct_ext_is_dup);
/* Duplicate scts */
- if (idx == -2)
+ if (sct_ext_is_dup)
goto err;
+
if (idx >= 0) {
/* Can't have both poison and scts */
- if (idxp >= 0)
+ if (poison_idx >= 0)
goto err;
- } else
- idx = idxp;
+ } else {
+ idx = poison_idx;
+ }
+
if (idx >= 0) {
X509_EXTENSION *ext;
- /*
- * Take a copy of certificate so we don't modify passed version
- */
+
+ /* Take a copy of certificate so we don't modify passed version */
pretmp = X509_dup(cert);
if (pretmp == NULL)
goto err;
+
ext = X509_delete_ext(pretmp, idx);
X509_EXTENSION_free(ext);
- if (!sct_cert_fixup(pretmp, presigner))
+
+ if (!ct_x509_cert_fixup(pretmp, presigner))
goto err;
prederlen = i2d_re_X509_tbs(pretmp, &preder);
sctx->prederlen = prederlen;
return 1;
-
- err:
+err:
OPENSSL_free(certder);
OPENSSL_free(preder);
X509_free(pretmp);
return 0;
}
-static int CT_public_key_hash(X509_PUBKEY *pkey, unsigned char **hash,
+static int ct_public_key_hash(X509_PUBKEY *pkey, unsigned char **hash,
size_t *hash_len)
{
int ret = -1;
unsigned char *md = NULL, *der = NULL;
int der_len;
unsigned int md_len;
- if (pkey == NULL)
- goto err;
+
/* Reuse buffer if possible */
if (*hash != NULL && *hash_len >= SHA256_DIGEST_LENGTH) {
md = *hash;
} else {
md = OPENSSL_malloc(SHA256_DIGEST_LENGTH);
if (md == NULL)
- goto err;
+ goto err;
}
/* Calculate key hash */
der_len = i2d_X509_PUBKEY(pkey, &der);
if (der_len <= 0)
goto err;
+
if (!EVP_Digest(der, der_len, md, &md_len, EVP_sha256(), NULL))
goto err;
+
if (md != *hash) {
OPENSSL_free(*hash);
*hash = md;
*hash_len = SHA256_DIGEST_LENGTH;
}
+
md = NULL;
ret = 1;
err:
int SCT_CTX_set1_issuer(SCT_CTX *sctx, const X509 *issuer)
{
- return CT_public_key_hash(X509_get_X509_PUBKEY(issuer), &sctx->ihash,
+ return ct_public_key_hash(X509_get_X509_PUBKEY(issuer), &sctx->ihash,
&sctx->ihashlen);
}
int SCT_CTX_set1_issuer_pubkey(SCT_CTX *sctx, X509_PUBKEY *pubkey)
{
- return CT_public_key_hash(pubkey, &sctx->ihash, &sctx->ihashlen);
+ return ct_public_key_hash(pubkey, &sctx->ihash, &sctx->ihashlen);
}
int SCT_CTX_set1_pubkey(SCT_CTX *sctx, X509_PUBKEY *pubkey)
{
EVP_PKEY *pkey = X509_PUBKEY_get(pubkey);
+
if (pkey == NULL)
return 0;
- if (!CT_public_key_hash(pubkey, &sctx->pkeyhash, &sctx->pkeyhashlen)) {
+ if (!ct_public_key_hash(pubkey, &sctx->pkeyhash, &sctx->pkeyhashlen)) {
EVP_PKEY_free(pkey);
return 0;
}
unsigned char tmpbuf[12];
unsigned char *p, *der;
size_t derlen;
- /*
- * digitally-signed struct { (1 byte) Version sct_version; (1 byte)
- * SignatureType signature_type = certificate_timestamp; (8 bytes) uint64
- * timestamp; (2 bytes) LogEntryType entry_type; (? bytes)
- * select(entry_type) { case x509_entry: ASN.1Cert; case precert_entry:
- * PreCert; } signed_entry; (2 bytes + sct->ext_len) CtExtensions
- * extensions;
+ /*+
+ * digitally-signed struct {
+ * (1 byte) Version sct_version;
+ * (1 byte) SignatureType signature_type = certificate_timestamp;
+ * (8 bytes) uint64 timestamp;
+ * (2 bytes) LogEntryType entry_type;
+ * (? bytes) select(entry_type) {
+ * case x509_entry: ASN.1Cert;
+ * case precert_entry: PreCert;
+ * } signed_entry;
+ * (2 bytes + sct->ext_len) CtExtensions extensions;
+ * }
*/
-
if (sct->entry_type == CT_LOG_ENTRY_TYPE_NOT_SET)
return 0;
-
if (sct->entry_type == CT_LOG_ENTRY_TYPE_PRECERT && sctx->ihash == NULL)
return 0;
p = tmpbuf;
-
*p++ = sct->version;
*p++ = SIGNATURE_TYPE_CERT_TIMESTAMP;
l2n8(sct->timestamp, p);
{
EVP_MD_CTX *ctx = NULL;
int ret = -1;
+
if (!SCT_is_complete(sct) || sctx->pkey == NULL ||
sct->entry_type == CT_LOG_ENTRY_TYPE_NOT_SET ||
(sct->entry_type == CT_LOG_ENTRY_TYPE_PRECERT && sctx->ihash == NULL)) {
CTerr(CT_F_SCT_VERIFY, CT_R_SCT_LOG_ID_MISMATCH);
return 0;
}
+
ctx = EVP_MD_CTX_new();
if (ctx == NULL)
goto end;
if (ret == 0)
CTerr(CT_F_SCT_VERIFY, CT_R_SCT_INVALID_SIGNATURE);
- end:
+end:
EVP_MD_CTX_free(ctx);
return ret;
}
int ret = 0;
SCT_CTX *sctx = NULL;
- if (sct == NULL || cert == NULL || log_pubkey == NULL ||
- (sct->entry_type == CT_LOG_ENTRY_TYPE_PRECERT && issuer_cert == NULL)) {
- CTerr(CT_F_SCT_VERIFY_V1, ERR_R_PASSED_NULL_PARAMETER);
- return -1;
- } else if (!SCT_is_complete(sct)) {
+ if (!SCT_is_complete(sct)) {
CTerr(CT_F_SCT_VERIFY_V1, CT_R_SCT_NOT_SET);
return -1;
- } else if (sct->version != 0) {
+ }
+
+ if (sct->version != 0) {
CTerr(CT_F_SCT_VERIFY_V1, CT_R_SCT_UNSUPPORTED_VERSION);
return 0;
}
goto done;
ret = SCT_CTX_set1_pubkey(sctx, log_pubkey);
-
if (ret <= 0)
goto done;
ret = SCT_CTX_set1_cert(sctx, cert, preissuer);
-
if (ret <= 0)
goto done;
ret = SCT_verify(sctx, sct);
- done:
- if (sctx != NULL)
- SCT_CTX_free(sctx);
+done:
+ SCT_CTX_free(sctx);
return ret;
}
projects / openssl.git / commitdiff