Commit cdb2a603 authored by Rob Percival's avatar Rob Percival Committed by Matt Caswell
Browse files

Internalizes SCT_verify and removes SCT_verify_v1 



SCT_verify is impossible to call through the public API (SCT_CTX_new() is
not part of the public API), so rename it to SCT_CTX_verify and move it
out of the public API.

SCT_verify_v1 is redundant, since SCT_validate does the same verification
(by calling SCT_verify) and more. The API is less confusing with a single
verification function (SCT_validate).

Reviewed-by: default avatarRich Salz <rsalz@openssl.org>
Reviewed-by: default avatarMatt Caswell <matt@openssl.org>
parent 5579eab9

crypto/ct/ct_err.c

+1 −2
Original line number Diff line number Diff line
@@ -45,8 +45,7 @@ static ERR_STRING_DATA CT_str_functs[] = { 
    {ERR_FUNC(CT_F_SCT_SET_LOG_ENTRY_TYPE), "SCT_set_log_entry_type"},

    {ERR_FUNC(CT_F_SCT_SET_SIGNATURE_NID), "SCT_set_signature_nid"},

    {ERR_FUNC(CT_F_SCT_SET_VERSION), "SCT_set_version"},

    {ERR_FUNC(CT_F_SCT_VERIFY), "SCT_verify"},

    {ERR_FUNC(CT_F_SCT_VERIFY_V1), "SCT_verify_v1"},

    {ERR_FUNC(CT_F_SCT_CTX_VERIFY), "SCT_CTX_verify"},

    {0, NULL}

};

crypto/ct/ct_locl.h

+7 −0
Original line number Diff line number Diff line
@@ -150,6 +150,13 @@ __owur int SCT_CTX_set1_issuer_pubkey(SCT_CTX *sctx, X509_PUBKEY *pubkey); 
 */

__owur int SCT_CTX_set1_pubkey(SCT_CTX *sctx, X509_PUBKEY *pubkey);



/*

 * Verifies an SCT with the given context.

 * Returns 1 if the SCT verifies successfully; any other value indicates

 * failure. See EVP_DigestVerifyFinal() for the meaning of those values.

 */

__owur int SCT_CTX_verify(const SCT_CTX *sctx, const SCT *sct);



/*

 * Does this SCT have the minimum fields populated to be usable?

 * Returns 1 if so, 0 otherwise.

crypto/ct/ct_sct.c

+1 −1
Original line number Diff line number Diff line
@@ -349,7 +349,7 @@ int SCT_validate(SCT *sct, const CT_POLICY_EVAL_CTX *ctx) 
    if (SCT_CTX_set1_cert(sctx, ctx->cert, NULL) != 1)

        sct->validation_status = SCT_VALIDATION_STATUS_UNVERIFIED;

    else

        sct->validation_status = SCT_verify(sctx, sct) == 1 ?

        sct->validation_status = SCT_CTX_verify(sctx, sct) == 1 ?

            SCT_VALIDATION_STATUS_VALID : SCT_VALIDATION_STATUS_INVALID;



end:

crypto/ct/ct_vfy.c

+5 −41
Original line number Diff line number Diff line
@@ -93,7 +93,7 @@ static int sct_ctx_update(EVP_MD_CTX *ctx, const SCT_CTX *sctx, const SCT *sct) 
    return 1;

}



int SCT_verify(const SCT_CTX *sctx, const SCT *sct)

int SCT_CTX_verify(const SCT_CTX *sctx, const SCT *sct)

{

    EVP_MD_CTX *ctx = NULL;

    int ret = 0;
@@ -101,16 +101,16 @@ int SCT_verify(const SCT_CTX *sctx, const SCT *sct) 
    if (!SCT_is_complete(sct) || sctx->pkey == NULL ||

        sct->entry_type == CT_LOG_ENTRY_TYPE_NOT_SET ||

        (sct->entry_type == CT_LOG_ENTRY_TYPE_PRECERT && sctx->ihash == NULL)) {

        CTerr(CT_F_SCT_VERIFY, CT_R_SCT_NOT_SET);

        CTerr(CT_F_SCT_CTX_VERIFY, CT_R_SCT_NOT_SET);

        return 0;

    }

    if (sct->version != SCT_VERSION_V1) {

        CTerr(CT_F_SCT_VERIFY, CT_R_SCT_UNSUPPORTED_VERSION);

        CTerr(CT_F_SCT_CTX_VERIFY, CT_R_SCT_UNSUPPORTED_VERSION);

        return 0;

    }

    if (sct->log_id_len != sctx->pkeyhashlen ||

        memcmp(sct->log_id, sctx->pkeyhash, sctx->pkeyhashlen) != 0) {

        CTerr(CT_F_SCT_VERIFY, CT_R_SCT_LOG_ID_MISMATCH);

        CTerr(CT_F_SCT_CTX_VERIFY, CT_R_SCT_LOG_ID_MISMATCH);

        return 0;

    }
@@ -128,45 +128,9 @@ int SCT_verify(const SCT_CTX *sctx, const SCT *sct) 
    ret = EVP_DigestVerifyFinal(ctx, sct->sig, sct->sig_len);

    /* If ret < 0 some other error: fall through without setting error */

    if (ret == 0)

        CTerr(CT_F_SCT_VERIFY, CT_R_SCT_INVALID_SIGNATURE);

        CTerr(CT_F_SCT_CTX_VERIFY, CT_R_SCT_INVALID_SIGNATURE);



end:

    EVP_MD_CTX_free(ctx);

    return ret;

}
 


int SCT_verify_v1(SCT *sct, X509 *cert, X509 *preissuer,

                  X509_PUBKEY *log_pubkey, X509 *issuer_cert)

{

    int ret = 0;

    SCT_CTX *sctx = NULL;



    if (!SCT_is_complete(sct)) {

        CTerr(CT_F_SCT_VERIFY_V1, CT_R_SCT_NOT_SET);

        return 0;

    }



    if (sct->version != 0) {

        CTerr(CT_F_SCT_VERIFY_V1, CT_R_SCT_UNSUPPORTED_VERSION);

        return 0;

    }



    sctx = SCT_CTX_new();

    if (sctx == NULL)

        goto done;



    if (!SCT_CTX_set1_pubkey(sctx, log_pubkey))

        goto done;



    if (!SCT_CTX_set1_cert(sctx, cert, preissuer))

        goto done;



    if (sct->entry_type == CT_LOG_ENTRY_TYPE_PRECERT &&

        !SCT_CTX_set1_issuer(sctx, issuer_cert))

        goto done;



    ret = SCT_verify(sctx, sct);

done:

    SCT_CTX_free(sctx);

    return ret;

}

include/openssl/ct.h

+1 −15
Original line number Diff line number Diff line
@@ -270,19 +270,6 @@ void SCT_print(const SCT *sct, BIO *out, int indent, const CTLOG_STORE *logs); 
void SCT_LIST_print(const STACK_OF(SCT) *sct_list, BIO *out, int indent,

                    const char *separator, const CTLOG_STORE *logs);



/*

 * Verifies an SCT with the given context.

 * Returns 1 if the SCT verifies successfully, 0 otherwise.

 */

__owur int SCT_verify(const SCT_CTX *sctx, const SCT *sct);



/*

 * Verifies an SCT against the provided data.

 * Returns 1 if the SCT verifies successfully, 0 otherwise.

 */

__owur int SCT_verify_v1(SCT *sct, X509 *cert, X509 *preissuer,

                  X509_PUBKEY *log_pubkey, X509 *issuer_cert);



/*

 * Gets the last result of validating this SCT.

 * If it has not been validated yet, returns SCT_VALIDATION_STATUS_NOT_SET.
@@ -518,8 +505,7 @@ int ERR_load_CT_strings(void); 
# define CT_F_SCT_SET_LOG_ENTRY_TYPE                      102

# define CT_F_SCT_SET_SIGNATURE_NID                       103

# define CT_F_SCT_SET_VERSION                             104

# define CT_F_SCT_VERIFY                                  128

# define CT_F_SCT_VERIFY_V1                               129

# define CT_F_SCT_CTX_VERIFY                              128



/* Reason codes. */

# define CT_R_BASE64_DECODE_ERROR                         108