Internalizes SCT_verify and removes SCT_verify_v1

author Rob Percival <robpercival@google.com>

Tue, 23 Aug 2016 11:52:43 +0000 (12:52 +0100)

committer Matt Caswell <matt@openssl.org>

Tue, 23 Aug 2016 19:12:25 +0000 (20:12 +0100)
author Rob Percival <robpercival@google.com>
Tue, 23 Aug 2016 11:52:43 +0000 (12:52 +0100)
committer Matt Caswell <matt@openssl.org>
Tue, 23 Aug 2016 19:12:25 +0000 (20:12 +0100)
diff --git a/crypto/ct/ct_err.c b/crypto/ct/ct_err.c

index 4349eb45e7eac9178ca8baaa42587cb2a2b5b572..df232dc488eb93ce66f3d6eb8716408051abe31e 100644 (file)
--- a/crypto/ct/ct_err.c
+++ b/crypto/ct/ct_err.c
@@ -45,8 +45,7 @@ static ERR_STRING_DATA CT_str_functs[] = {
      {ERR_FUNC(CT_F_SCT_SET_LOG_ENTRY_TYPE), "SCT_set_log_entry_type"},
      {ERR_FUNC(CT_F_SCT_SET_SIGNATURE_NID), "SCT_set_signature_nid"},
      {ERR_FUNC(CT_F_SCT_SET_VERSION), "SCT_set_version"},
      {ERR_FUNC(CT_F_SCT_SET_LOG_ENTRY_TYPE), "SCT_set_log_entry_type"},
      {ERR_FUNC(CT_F_SCT_SET_SIGNATURE_NID), "SCT_set_signature_nid"},
      {ERR_FUNC(CT_F_SCT_SET_VERSION), "SCT_set_version"},
-    {ERR_FUNC(CT_F_SCT_VERIFY), "SCT_verify"},
-    {ERR_FUNC(CT_F_SCT_VERIFY_V1), "SCT_verify_v1"},
+    {ERR_FUNC(CT_F_SCT_CTX_VERIFY), "SCT_CTX_verify"},
      {0, NULL}
  };
  
      {0, NULL}
  };
  
diff --git a/crypto/ct/ct_locl.h b/crypto/ct/ct_locl.h

index 1180455e1a907612fbc035ae05e9bc159fdeff8c..6b2fa3ef0c818257e350575ae133ca04f2500e4d 100644 (file)
--- a/crypto/ct/ct_locl.h
+++ b/crypto/ct/ct_locl.h
@@ -150,6 +150,13 @@ __owur int SCT_CTX_set1_issuer_pubkey(SCT_CTX *sctx, X509_PUBKEY *pubkey);
   */
  __owur int SCT_CTX_set1_pubkey(SCT_CTX *sctx, X509_PUBKEY *pubkey);
  
   */
  __owur int SCT_CTX_set1_pubkey(SCT_CTX *sctx, X509_PUBKEY *pubkey);
  
+/*
+ * Verifies an SCT with the given context.
+ * Returns 1 if the SCT verifies successfully; any other value indicates
+ * failure. See EVP_DigestVerifyFinal() for the meaning of those values.
+ */
+__owur int SCT_CTX_verify(const SCT_CTX *sctx, const SCT *sct);
+
  /*
   * Does this SCT have the minimum fields populated to be usable?
   * Returns 1 if so, 0 otherwise.
  /*
   * Does this SCT have the minimum fields populated to be usable?
   * Returns 1 if so, 0 otherwise.
diff --git a/crypto/ct/ct_sct.c b/crypto/ct/ct_sct.c

index 08676805bd2dc6c3f7ec197da611f140b720210f..65a20c669b3d6c61ff37849085ebaf40afa782a7 100644 (file)
--- a/crypto/ct/ct_sct.c
+++ b/crypto/ct/ct_sct.c
@@ -349,7 +349,7 @@ int SCT_validate(SCT *sct, const CT_POLICY_EVAL_CTX *ctx)
      if (SCT_CTX_set1_cert(sctx, ctx->cert, NULL) != 1)
          sct->validation_status = SCT_VALIDATION_STATUS_UNVERIFIED;
      else
      if (SCT_CTX_set1_cert(sctx, ctx->cert, NULL) != 1)
          sct->validation_status = SCT_VALIDATION_STATUS_UNVERIFIED;
      else
-        sct->validation_status = SCT_verify(sctx, sct) == 1 ?
+        sct->validation_status = SCT_CTX_verify(sctx, sct) == 1 ?
              SCT_VALIDATION_STATUS_VALID : SCT_VALIDATION_STATUS_INVALID;
  
  end:
              SCT_VALIDATION_STATUS_VALID : SCT_VALIDATION_STATUS_INVALID;
  
  end:
diff --git a/crypto/ct/ct_vfy.c b/crypto/ct/ct_vfy.c

index 8305ce678eae24eaee83674343d9919efc0c0b8b..724f65579bca1f3f7a668fe94bb97f323fdc42f3 100644 (file)
--- a/crypto/ct/ct_vfy.c
+++ b/crypto/ct/ct_vfy.c
@@ -93,7 +93,7 @@ static int sct_ctx_update(EVP_MD_CTX *ctx, const SCT_CTX *sctx, const SCT *sct)
      return 1;
  }
  
      return 1;
  }
  
-int SCT_verify(const SCT_CTX *sctx, const SCT *sct)
+int SCT_CTX_verify(const SCT_CTX *sctx, const SCT *sct)
  {
      EVP_MD_CTX *ctx = NULL;
      int ret = 0;
  {
      EVP_MD_CTX *ctx = NULL;
      int ret = 0;
@@ -101,16 +101,16 @@ int SCT_verify(const SCT_CTX *sctx, const SCT *sct)
      if (!SCT_is_complete(sct) || sctx->pkey == NULL ||
          sct->entry_type == CT_LOG_ENTRY_TYPE_NOT_SET ||
          (sct->entry_type == CT_LOG_ENTRY_TYPE_PRECERT && sctx->ihash == NULL)) {
      if (!SCT_is_complete(sct) || sctx->pkey == NULL ||
          sct->entry_type == CT_LOG_ENTRY_TYPE_NOT_SET ||
          (sct->entry_type == CT_LOG_ENTRY_TYPE_PRECERT && sctx->ihash == NULL)) {
-        CTerr(CT_F_SCT_VERIFY, CT_R_SCT_NOT_SET);
+        CTerr(CT_F_SCT_CTX_VERIFY, CT_R_SCT_NOT_SET);
          return 0;
      }
      if (sct->version != SCT_VERSION_V1) {
          return 0;
      }
      if (sct->version != SCT_VERSION_V1) {
-        CTerr(CT_F_SCT_VERIFY, CT_R_SCT_UNSUPPORTED_VERSION);
+        CTerr(CT_F_SCT_CTX_VERIFY, CT_R_SCT_UNSUPPORTED_VERSION);
          return 0;
      }
      if (sct->log_id_len != sctx->pkeyhashlen ||
          memcmp(sct->log_id, sctx->pkeyhash, sctx->pkeyhashlen) != 0) {
          return 0;
      }
      if (sct->log_id_len != sctx->pkeyhashlen ||
          memcmp(sct->log_id, sctx->pkeyhash, sctx->pkeyhashlen) != 0) {
-        CTerr(CT_F_SCT_VERIFY, CT_R_SCT_LOG_ID_MISMATCH);
+        CTerr(CT_F_SCT_CTX_VERIFY, CT_R_SCT_LOG_ID_MISMATCH);
          return 0;
      }
  
          return 0;
      }
  
@@ -128,45 +128,9 @@ int SCT_verify(const SCT_CTX *sctx, const SCT *sct)
      ret = EVP_DigestVerifyFinal(ctx, sct->sig, sct->sig_len);
      /* If ret < 0 some other error: fall through without setting error */
      if (ret == 0)
      ret = EVP_DigestVerifyFinal(ctx, sct->sig, sct->sig_len);
      /* If ret < 0 some other error: fall through without setting error */
      if (ret == 0)
-        CTerr(CT_F_SCT_VERIFY, CT_R_SCT_INVALID_SIGNATURE);
+        CTerr(CT_F_SCT_CTX_VERIFY, CT_R_SCT_INVALID_SIGNATURE);
  
  end:
      EVP_MD_CTX_free(ctx);
      return ret;
  }
  
  end:
      EVP_MD_CTX_free(ctx);
      return ret;
  }
-
-int SCT_verify_v1(SCT *sct, X509 *cert, X509 *preissuer,
-                  X509_PUBKEY *log_pubkey, X509 *issuer_cert)
-{
-    int ret = 0;
-    SCT_CTX *sctx = NULL;
-
-    if (!SCT_is_complete(sct)) {
-        CTerr(CT_F_SCT_VERIFY_V1, CT_R_SCT_NOT_SET);
-        return 0;
-    }
-
-    if (sct->version != 0) {
-        CTerr(CT_F_SCT_VERIFY_V1, CT_R_SCT_UNSUPPORTED_VERSION);
-        return 0;
-    }
-
-    sctx = SCT_CTX_new();
-    if (sctx == NULL)
-        goto done;
-
-    if (!SCT_CTX_set1_pubkey(sctx, log_pubkey))
-        goto done;
-
-    if (!SCT_CTX_set1_cert(sctx, cert, preissuer))
-        goto done;
-
-    if (sct->entry_type == CT_LOG_ENTRY_TYPE_PRECERT &&
-        !SCT_CTX_set1_issuer(sctx, issuer_cert))
-        goto done;
-
-    ret = SCT_verify(sctx, sct);
-done:
-    SCT_CTX_free(sctx);
-    return ret;
-}
diff --git a/include/openssl/ct.h b/include/openssl/ct.h

index e753fc94b8ba403aa79ef4bc149a97bab73767d8..a0314f01e44dd4209f234b97732b75a4f744dc77 100644 (file)
--- a/include/openssl/ct.h
+++ b/include/openssl/ct.h
@@ -270,19 +270,6 @@ void SCT_print(const SCT *sct, BIO *out, int indent, const CTLOG_STORE *logs);
  void SCT_LIST_print(const STACK_OF(SCT) *sct_list, BIO *out, int indent,
                      const char *separator, const CTLOG_STORE *logs);
  
  void SCT_LIST_print(const STACK_OF(SCT) *sct_list, BIO *out, int indent,
                      const char *separator, const CTLOG_STORE *logs);
  
-/*
- * Verifies an SCT with the given context.
- * Returns 1 if the SCT verifies successfully, 0 otherwise.
- */
-__owur int SCT_verify(const SCT_CTX *sctx, const SCT *sct);
-
-/*
- * Verifies an SCT against the provided data.
- * Returns 1 if the SCT verifies successfully, 0 otherwise.
- */
-__owur int SCT_verify_v1(SCT *sct, X509 *cert, X509 *preissuer,
-                  X509_PUBKEY *log_pubkey, X509 *issuer_cert);
-
  /*
   * Gets the last result of validating this SCT.
   * If it has not been validated yet, returns SCT_VALIDATION_STATUS_NOT_SET.
  /*
   * Gets the last result of validating this SCT.
   * If it has not been validated yet, returns SCT_VALIDATION_STATUS_NOT_SET.
@@ -518,8 +505,7 @@ int ERR_load_CT_strings(void);
  # define CT_F_SCT_SET_LOG_ENTRY_TYPE                      102
  # define CT_F_SCT_SET_SIGNATURE_NID                       103
  # define CT_F_SCT_SET_VERSION                             104
  # define CT_F_SCT_SET_LOG_ENTRY_TYPE                      102
  # define CT_F_SCT_SET_SIGNATURE_NID                       103
  # define CT_F_SCT_SET_VERSION                             104
-# define CT_F_SCT_VERIFY                                  128
-# define CT_F_SCT_VERIFY_V1                               129
+# define CT_F_SCT_CTX_VERIFY                              128
  
  /* Reason codes. */
  # define CT_R_BASE64_DECODE_ERROR                         108
  
  /* Reason codes. */
  # define CT_R_BASE64_DECODE_ERROR                         108
diff --git a/util/libcrypto.num b/util/libcrypto.num

index 7a9391556da21cb8205dd662360eeb6146dc63bb..e9709f643960e8f45ae4ea3d7d8f36d6c94b9220 100644 (file)
--- a/util/libcrypto.num
+++ b/util/libcrypto.num
@@ -570,7 +570,6 @@ CRYPTO_cts128_encrypt_block             569 1_1_0   EXIST::FUNCTION:
  ASN1_digest                             570    1_1_0   EXIST::FUNCTION:
  ERR_load_X509V3_strings                 571    1_1_0   EXIST::FUNCTION:
  EVP_PKEY_meth_get_cleanup               572    1_1_0   EXIST::FUNCTION:
  ASN1_digest                             570    1_1_0   EXIST::FUNCTION:
  ERR_load_X509V3_strings                 571    1_1_0   EXIST::FUNCTION:
  EVP_PKEY_meth_get_cleanup               572    1_1_0   EXIST::FUNCTION:
-SCT_verify                              573    1_1_0   EXIST::FUNCTION:CT
  d2i_X509                                574    1_1_0   EXIST::FUNCTION:
  a2i_ASN1_STRING                         575    1_1_0   EXIST::FUNCTION:
  EC_GROUP_get_mont_data                  576    1_1_0   EXIST::FUNCTION:EC
  d2i_X509                                574    1_1_0   EXIST::FUNCTION:
  a2i_ASN1_STRING                         575    1_1_0   EXIST::FUNCTION:
  EC_GROUP_get_mont_data                  576    1_1_0   EXIST::FUNCTION:EC
@@ -596,7 +595,6 @@ RAND_query_egd_bytes                    596 1_1_0   EXIST::FUNCTION:EGD
  i2d_ASN1_PRINTABLE                      597    1_1_0   EXIST::FUNCTION:
  ENGINE_cmd_is_executable                598    1_1_0   EXIST::FUNCTION:ENGINE
  BIO_puts                                599    1_1_0   EXIST::FUNCTION:
  i2d_ASN1_PRINTABLE                      597    1_1_0   EXIST::FUNCTION:
  ENGINE_cmd_is_executable                598    1_1_0   EXIST::FUNCTION:ENGINE
  BIO_puts                                599    1_1_0   EXIST::FUNCTION:
-SCT_verify_v1                           600    1_1_0   EXIST::FUNCTION:CT
  RSAPublicKey_it                         601    1_1_0   EXIST:!EXPORT_VAR_AS_FUNCTION:VARIABLE:RSA
  RSAPublicKey_it                         601    1_1_0   EXIST:EXPORT_VAR_AS_FUNCTION:FUNCTION:RSA
  ISSUING_DIST_POINT_new                  602    1_1_0   EXIST::FUNCTION:
  RSAPublicKey_it                         601    1_1_0   EXIST:!EXPORT_VAR_AS_FUNCTION:VARIABLE:RSA
  RSAPublicKey_it                         601    1_1_0   EXIST:EXPORT_VAR_AS_FUNCTION:FUNCTION:RSA
  ISSUING_DIST_POINT_new                  602    1_1_0   EXIST::FUNCTION:
author	Rob Percival <robpercival@google.com>
	Tue, 23 Aug 2016 11:52:43 +0000 (12:52 +0100)
committer	Matt Caswell <matt@openssl.org>
	Tue, 23 Aug 2016 19:12:25 +0000 (20:12 +0100)
crypto/ct/ct_err.c		patch \| blob \| history
crypto/ct/ct_locl.h		patch \| blob \| history
crypto/ct/ct_sct.c		patch \| blob \| history
crypto/ct/ct_vfy.c		patch \| blob \| history
include/openssl/ct.h		patch \| blob \| history
util/libcrypto.num		patch \| blob \| history