Diffstat (limited to 'crypto/ct')
-rw-r--r--crypto/ct/ct_b64.c38
-rw-r--r--crypto/ct/ct_err.c61
-rw-r--r--crypto/ct/ct_local.h19
-rw-r--r--crypto/ct/ct_log.c96
-rw-r--r--crypto/ct/ct_oct.c48
-rw-r--r--crypto/ct/ct_policy.c25
-rw-r--r--crypto/ct/ct_prn.c4
-rw-r--r--crypto/ct/ct_sct.c26
-rw-r--r--crypto/ct/ct_sct_ctx.c43
-rw-r--r--crypto/ct/ct_vfy.c17
-rw-r--r--crypto/ct/ct_x509v3.c6
11 files changed, 218 insertions, 165 deletions
diff --git a/crypto/ct/ct_b64.c b/crypto/ct/ct_b64.c
index 4abe11ca298b..d3f783962aec 100644
--- a/crypto/ct/ct_b64.c
+++ b/crypto/ct/ct_b64.c
@@ -1,7 +1,7 @@
/*
- * Copyright 2016 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 2016-2021 The OpenSSL Project Authors. All Rights Reserved.
*
- * Licensed under the OpenSSL license (the "License"). You may not use
+ * Licensed under the Apache License 2.0 (the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy
* in the file LICENSE in the source distribution or at
* https://www.openssl.org/source/license.html
@@ -35,13 +35,13 @@ static int ct_base64_decode(const char *in, unsigned char **out)
outlen = (inlen / 4) * 3;
outbuf = OPENSSL_malloc(outlen);
if (outbuf == NULL) {
- CTerr(CT_F_CT_BASE64_DECODE, ERR_R_MALLOC_FAILURE);
+ ERR_raise(ERR_LIB_CT, ERR_R_MALLOC_FAILURE);
goto err;
}
outlen = EVP_DecodeBlock(outbuf, (unsigned char *)in, inlen);
if (outlen < 0) {
- CTerr(CT_F_CT_BASE64_DECODE, CT_R_BASE64_DECODE_ERROR);
+ ERR_raise(ERR_LIB_CT, CT_R_BASE64_DECODE_ERROR);
goto err;
}
@@ -71,7 +71,7 @@ SCT *SCT_new_from_base64(unsigned char version, const char *logid_base64,
int declen;
if (sct == NULL) {
- CTerr(CT_F_SCT_NEW_FROM_BASE64, ERR_R_MALLOC_FAILURE);
+ ERR_raise(ERR_LIB_CT, ERR_R_MALLOC_FAILURE);
return NULL;
}
@@ -80,13 +80,13 @@ SCT *SCT_new_from_base64(unsigned char version, const char *logid_base64,
* can only construct SCT versions that have been defined.
*/
if (!SCT_set_version(sct, version)) {
- CTerr(CT_F_SCT_NEW_FROM_BASE64, CT_R_SCT_UNSUPPORTED_VERSION);
+ ERR_raise(ERR_LIB_CT, CT_R_SCT_UNSUPPORTED_VERSION);
goto err;
}
declen = ct_base64_decode(logid_base64, &dec);
if (declen < 0) {
- CTerr(CT_F_SCT_NEW_FROM_BASE64, X509_R_BASE64_DECODE_ERROR);
+ ERR_raise(ERR_LIB_CT, X509_R_BASE64_DECODE_ERROR);
goto err;
}
if (!SCT_set0_log_id(sct, dec, declen))
@@ -95,7 +95,7 @@ SCT *SCT_new_from_base64(unsigned char version, const char *logid_base64,
declen = ct_base64_decode(extensions_base64, &dec);
if (declen < 0) {
- CTerr(CT_F_SCT_NEW_FROM_BASE64, X509_R_BASE64_DECODE_ERROR);
+ ERR_raise(ERR_LIB_CT, X509_R_BASE64_DECODE_ERROR);
goto err;
}
SCT_set0_extensions(sct, dec, declen);
@@ -103,7 +103,7 @@ SCT *SCT_new_from_base64(unsigned char version, const char *logid_base64,
declen = ct_base64_decode(signature_base64, &dec);
if (declen < 0) {
- CTerr(CT_F_SCT_NEW_FROM_BASE64, X509_R_BASE64_DECODE_ERROR);
+ ERR_raise(ERR_LIB_CT, X509_R_BASE64_DECODE_ERROR);
goto err;
}
@@ -132,7 +132,9 @@ SCT *SCT_new_from_base64(unsigned char version, const char *logid_base64,
* 0 on decoding failure, or invalid parameter if any
* -1 on internal (malloc) failure
*/
-int CTLOG_new_from_base64(CTLOG **ct_log, const char *pkey_base64, const char *name)
+int CTLOG_new_from_base64_ex(CTLOG **ct_log, const char *pkey_base64,
+ const char *name, OSSL_LIB_CTX *libctx,
+ const char *propq)
{
unsigned char *pkey_der = NULL;
int pkey_der_len;
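Review bot: The block comment directly above the new `CTLOG_new_from_base64_ex` signature still promises `-1 on internal (malloc) failure`, but every failure path visible in the function body returns 0 (the ct_base64_decode, d2i_PUBKEY_ex and CTLOG_new_ex branches in the next hunk), so the documented contract does not match the code this commit puts under it. Either return -1 from the allocation-failure branch or fix the comment; I would fix the comment, e.g. `* 0 on decoding failure, invalid parameter or allocation failure`, and add a line for the two new parameters such as `* |libctx| and |propq| select the provider used to decode the key; NULL (as the non-_ex wrapper passes) means the default.` The function's body continues in the following hunk.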
@@ -140,25 +142,25 @@ int CTLOG_new_from_base64(CTLOG **ct_log, const char *pkey_base64, const char *n
EVP_PKEY *pkey = NULL;
if (ct_log == NULL) {
- CTerr(CT_F_CTLOG_NEW_FROM_BASE64, ERR_R_PASSED_INVALID_ARGUMENT);
+ ERR_raise(ERR_LIB_CT, ERR_R_PASSED_INVALID_ARGUMENT);
return 0;
}
pkey_der_len = ct_base64_decode(pkey_base64, &pkey_der);
if (pkey_der_len < 0) {
- CTerr(CT_F_CTLOG_NEW_FROM_BASE64, CT_R_LOG_CONF_INVALID_KEY);
+ ERR_raise(ERR_LIB_CT, CT_R_LOG_CONF_INVALID_KEY);
return 0;
}
p = pkey_der;
- pkey = d2i_PUBKEY(NULL, &p, pkey_der_len);
+ pkey = d2i_PUBKEY_ex(NULL, &p, pkey_der_len, libctx, propq);
OPENSSL_free(pkey_der);
if (pkey == NULL) {
- CTerr(CT_F_CTLOG_NEW_FROM_BASE64, CT_R_LOG_CONF_INVALID_KEY);
+ ERR_raise(ERR_LIB_CT, CT_R_LOG_CONF_INVALID_KEY);
return 0;
}
- *ct_log = CTLOG_new(pkey, name);
+ *ct_log = CTLOG_new_ex(pkey, name, libctx, propq);
if (*ct_log == NULL) {
EVP_PKEY_free(pkey);
return 0;
@@ -166,3 +168,9 @@ int CTLOG_new_from_base64(CTLOG **ct_log, const char *pkey_base64, const char *n
return 1;
}
+
+int CTLOG_new_from_base64(CTLOG **ct_log, const char *pkey_base64,
+ const char *name)
+{
+ return CTLOG_new_from_base64_ex(ct_log, pkey_base64, name, NULL, NULL);
+}
diff --git a/crypto/ct/ct_err.c b/crypto/ct/ct_err.c
index c0c62fee6c6a..c4dd05119eba 100644
--- a/crypto/ct/ct_err.c
+++ b/crypto/ct/ct_err.c
@@ -1,8 +1,8 @@
/*
* Generated by util/mkerr.pl DO NOT EDIT
- * Copyright 1995-2017 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 1995-2021 The OpenSSL Project Authors. All Rights Reserved.
*
- * Licensed under the OpenSSL license (the "License"). You may not use
+ * Licensed under the Apache License 2.0 (the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy
* in the file LICENSE in the source distribution or at
* https://www.openssl.org/source/license.html
@@ -10,47 +10,11 @@
#include <openssl/err.h>
#include <openssl/cterr.h>
+#include "crypto/cterr.h"
-#ifndef OPENSSL_NO_ERR
+#ifndef OPENSSL_NO_CT
-static const ERR_STRING_DATA CT_str_functs[] = {
- {ERR_PACK(ERR_LIB_CT, CT_F_CTLOG_NEW, 0), "CTLOG_new"},
- {ERR_PACK(ERR_LIB_CT, CT_F_CTLOG_NEW_FROM_BASE64, 0),
- "CTLOG_new_from_base64"},
- {ERR_PACK(ERR_LIB_CT, CT_F_CTLOG_NEW_FROM_CONF, 0), "ctlog_new_from_conf"},
- {ERR_PACK(ERR_LIB_CT, CT_F_CTLOG_STORE_LOAD_CTX_NEW, 0),
- "ctlog_store_load_ctx_new"},
- {ERR_PACK(ERR_LIB_CT, CT_F_CTLOG_STORE_LOAD_FILE, 0),
- "CTLOG_STORE_load_file"},
- {ERR_PACK(ERR_LIB_CT, CT_F_CTLOG_STORE_LOAD_LOG, 0),
- "ctlog_store_load_log"},
- {ERR_PACK(ERR_LIB_CT, CT_F_CTLOG_STORE_NEW, 0), "CTLOG_STORE_new"},
- {ERR_PACK(ERR_LIB_CT, CT_F_CT_BASE64_DECODE, 0), "ct_base64_decode"},
- {ERR_PACK(ERR_LIB_CT, CT_F_CT_POLICY_EVAL_CTX_NEW, 0),
- "CT_POLICY_EVAL_CTX_new"},
- {ERR_PACK(ERR_LIB_CT, CT_F_CT_V1_LOG_ID_FROM_PKEY, 0),
- "ct_v1_log_id_from_pkey"},
- {ERR_PACK(ERR_LIB_CT, CT_F_I2O_SCT, 0), "i2o_SCT"},
- {ERR_PACK(ERR_LIB_CT, CT_F_I2O_SCT_LIST, 0), "i2o_SCT_LIST"},
- {ERR_PACK(ERR_LIB_CT, CT_F_I2O_SCT_SIGNATURE, 0), "i2o_SCT_signature"},
- {ERR_PACK(ERR_LIB_CT, CT_F_O2I_SCT, 0), "o2i_SCT"},
- {ERR_PACK(ERR_LIB_CT, CT_F_O2I_SCT_LIST, 0), "o2i_SCT_LIST"},
- {ERR_PACK(ERR_LIB_CT, CT_F_O2I_SCT_SIGNATURE, 0), "o2i_SCT_signature"},
- {ERR_PACK(ERR_LIB_CT, CT_F_SCT_CTX_NEW, 0), "SCT_CTX_new"},
- {ERR_PACK(ERR_LIB_CT, CT_F_SCT_CTX_VERIFY, 0), "SCT_CTX_verify"},
- {ERR_PACK(ERR_LIB_CT, CT_F_SCT_NEW, 0), "SCT_new"},
- {ERR_PACK(ERR_LIB_CT, CT_F_SCT_NEW_FROM_BASE64, 0), "SCT_new_from_base64"},
- {ERR_PACK(ERR_LIB_CT, CT_F_SCT_SET0_LOG_ID, 0), "SCT_set0_log_id"},
- {ERR_PACK(ERR_LIB_CT, CT_F_SCT_SET1_EXTENSIONS, 0), "SCT_set1_extensions"},
- {ERR_PACK(ERR_LIB_CT, CT_F_SCT_SET1_LOG_ID, 0), "SCT_set1_log_id"},
- {ERR_PACK(ERR_LIB_CT, CT_F_SCT_SET1_SIGNATURE, 0), "SCT_set1_signature"},
- {ERR_PACK(ERR_LIB_CT, CT_F_SCT_SET_LOG_ENTRY_TYPE, 0),
- "SCT_set_log_entry_type"},
- {ERR_PACK(ERR_LIB_CT, CT_F_SCT_SET_SIGNATURE_NID, 0),
- "SCT_set_signature_nid"},
- {ERR_PACK(ERR_LIB_CT, CT_F_SCT_SET_VERSION, 0), "SCT_set_version"},
- {0, NULL}
-};
+# ifndef OPENSSL_NO_ERR
static const ERR_STRING_DATA CT_str_reasons[] = {
{ERR_PACK(ERR_LIB_CT, 0, CT_R_BASE64_DECODE_ERROR), "base64 decode error"},
@@ -82,15 +46,16 @@ static const ERR_STRING_DATA CT_str_reasons[] = {
{0, NULL}
};
-#endif
+# endif
-int ERR_load_CT_strings(void)
+int ossl_err_load_CT_strings(void)
{
-#ifndef OPENSSL_NO_ERR
- if (ERR_func_error_string(CT_str_functs[0].error) == NULL) {
- ERR_load_strings_const(CT_str_functs);
+# ifndef OPENSSL_NO_ERR
+ if (ERR_reason_error_string(CT_str_reasons[0].error) == NULL)
ERR_load_strings_const(CT_str_reasons);
- }
-#endif
+# endif
return 1;
}
+#else
+NON_EMPTY_TRANSLATION_UNIT
+#endif
diff --git a/crypto/ct/ct_local.h b/crypto/ct/ct_local.h
index 9f983c91beae..e5614ddf5eb4 100644
--- a/crypto/ct/ct_local.h
+++ b/crypto/ct/ct_local.h
@@ -1,7 +1,7 @@
/*
- * Copyright 2015-2016 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 2015-2021 The OpenSSL Project Authors. All Rights Reserved.
*
- * Licensed under the OpenSSL license (the "License"). You may not use
+ * Licensed under the Apache License 2.0 (the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy
* in the file LICENSE in the source distribution or at
* https://www.openssl.org/source/license.html
@@ -100,6 +100,9 @@ struct sct_ctx_st {
size_t prederlen;
/* milliseconds since epoch (to check that the SCT isn't from the future) */
uint64_t epoch_time_in_ms;
+
+ OSSL_LIB_CTX *libctx;
+ char *propq;
};
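Review bot: The two fields added to `sct_ctx_st` are the only members of the struct without a comment, and `propq` in particular is not a borrowed pointer: SCT_CTX_new duplicates it with OPENSSL_strdup and SCT_CTX_free releases it, so a maintainer reading only this header could reasonably assume it aliases the caller's string. I would document that ownership in place: `/* Library context and property query used when fetching algorithms; propq is a private copy owned and freed by this context */`. The struct's opening line is outside the hunk.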
/* Context when evaluating whether a Certificate Transparency policy is met */
@@ -109,12 +112,15 @@ struct ct_policy_eval_ctx_st {
CTLOG_STORE *log_store;
/* milliseconds since epoch (to check that SCTs aren't from the future) */
uint64_t epoch_time_in_ms;
+
+ OSSL_LIB_CTX *libctx;
+ char *propq;
};
/*
* Creates a new context for verifying an SCT.
*/
-SCT_CTX *SCT_CTX_new(void);
+SCT_CTX *SCT_CTX_new(OSSL_LIB_CTX *ctx, const char *propq);
/*
* Deletes an SCT verification context.
*/
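Review bot: The comment `Creates a new context for verifying an SCT.` above the changed `SCT_CTX_new` prototype says nothing about the two new parameters, and the fields just added to `ct_policy_eval_ctx_st` in the same hunk are equally undocumented. I would extend it to `Creates a new context for verifying an SCT. |ctx| and |propq| are used to fetch the digest and signature algorithms; |propq| is copied, |ctx| is stored as-is.` — the copy is visible in the ct_sct_ctx.c implementation and the library context is kept as a bare pointer. The header's remaining declarations are outside this hunk.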
@@ -185,11 +191,6 @@ __owur int SCT_is_complete(const SCT *sct);
__owur int SCT_signature_is_complete(const SCT *sct);
/*
- * TODO(RJPercival): Create an SCT_signature struct and make i2o_SCT_signature
- * and o2i_SCT_signature conform to the i2d/d2i conventions.
- */
-
-/*
* Serialize (to TLS format) an |sct| signature and write it to |out|.
* If |out| is null, no signature will be output but the length will be returned.
* If |out| points to a null pointer, a string will be allocated to hold the
@@ -213,4 +214,4 @@ __owur int o2i_SCT_signature(SCT *sct, const unsigned char **in, size_t len);
/*
* Handlers for Certificate Transparency X509v3/OCSP extensions
*/
-extern const X509V3_EXT_METHOD v3_ct_scts[3];
+extern const X509V3_EXT_METHOD ossl_v3_ct_scts[3];
diff --git a/crypto/ct/ct_log.c b/crypto/ct/ct_log.c
index c1bca3e1415e..d19dda2cd2f2 100644
--- a/crypto/ct/ct_log.c
+++ b/crypto/ct/ct_log.c
@@ -1,7 +1,7 @@
/*
- * Copyright 2016-2018 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 2016-2022 The OpenSSL Project Authors. All Rights Reserved.
*
- * Licensed under the OpenSSL license (the "License"). You may not use
+ * Licensed under the Apache License 2.0 (the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy
* in the file LICENSE in the source distribution or at
* https://www.openssl.org/source/license.html
@@ -22,6 +22,8 @@
* Information about a CT log server.
*/
struct ctlog_st {
+ OSSL_LIB_CTX *libctx;
+ char *propq;
char *name;
uint8_t log_id[CT_V1_HASHLEN];
EVP_PKEY *public_key;
@@ -32,6 +34,8 @@ struct ctlog_st {
* It takes ownership of any CTLOG instances added to it.
*/
struct ctlog_store_st {
+ OSSL_LIB_CTX *libctx;
+ char *propq;
STACK_OF(CTLOG) *logs;
};
@@ -59,7 +63,7 @@ static CTLOG_STORE_LOAD_CTX *ctlog_store_load_ctx_new(void)
CTLOG_STORE_LOAD_CTX *ctx = OPENSSL_zalloc(sizeof(*ctx));
if (ctx == NULL)
- CTerr(CT_F_CTLOG_STORE_LOAD_CTX_NEW, ERR_R_MALLOC_FAILURE);
+ ERR_raise(ERR_LIB_CT, ERR_R_MALLOC_FAILURE);
return ctx;
}
@@ -70,69 +74,95 @@ static void ctlog_store_load_ctx_free(CTLOG_STORE_LOAD_CTX* ctx)
}
/* Converts a log's public key into a SHA256 log ID */
-static int ct_v1_log_id_from_pkey(EVP_PKEY *pkey,
- unsigned char log_id[CT_V1_HASHLEN])
+static int ct_v1_log_id_from_pkey(CTLOG *log, EVP_PKEY *pkey)
{
int ret = 0;
unsigned char *pkey_der = NULL;
int pkey_der_len = i2d_PUBKEY(pkey, &pkey_der);
+ unsigned int len;
+ EVP_MD *sha256 = NULL;
if (pkey_der_len <= 0) {
- CTerr(CT_F_CT_V1_LOG_ID_FROM_PKEY, CT_R_LOG_KEY_INVALID);
+ ERR_raise(ERR_LIB_CT, CT_R_LOG_KEY_INVALID);
+ goto err;
+ }
+ sha256 = EVP_MD_fetch(log->libctx, "SHA2-256", log->propq);
+ if (sha256 == NULL) {
+ ERR_raise(ERR_LIB_CT, ERR_R_EVP_LIB);
goto err;
}
- SHA256(pkey_der, pkey_der_len, log_id);
- ret = 1;
+ ret = EVP_Digest(pkey_der, pkey_der_len, log->log_id, &len, sha256,
+ NULL);
err:
+ EVP_MD_free(sha256);
OPENSSL_free(pkey_der);
return ret;
}
-CTLOG_STORE *CTLOG_STORE_new(void)
+CTLOG_STORE *CTLOG_STORE_new_ex(OSSL_LIB_CTX *libctx, const char *propq)
{
CTLOG_STORE *ret = OPENSSL_zalloc(sizeof(*ret));
if (ret == NULL) {
- CTerr(CT_F_CTLOG_STORE_NEW, ERR_R_MALLOC_FAILURE);
+ ERR_raise(ERR_LIB_CT, ERR_R_MALLOC_FAILURE);
return NULL;
}
+ ret->libctx = libctx;
+ if (propq != NULL) {
+ ret->propq = OPENSSL_strdup(propq);
+ if (ret->propq == NULL) {
+ ERR_raise(ERR_LIB_CT, ERR_R_MALLOC_FAILURE);
+ goto err;
+ }
+ }
+
ret->logs = sk_CTLOG_new_null();
- if (ret->logs == NULL)
+ if (ret->logs == NULL) {
+ ERR_raise(ERR_LIB_CT, ERR_R_MALLOC_FAILURE);
goto err;
+ }
return ret;
err:
- OPENSSL_free(ret);
+ CTLOG_STORE_free(ret);
return NULL;
}
+CTLOG_STORE *CTLOG_STORE_new(void)
+{
+ return CTLOG_STORE_new_ex(NULL, NULL);
+}
+
void CTLOG_STORE_free(CTLOG_STORE *store)
{
if (store != NULL) {
+ OPENSSL_free(store->propq);
sk_CTLOG_pop_free(store->logs, CTLOG_free);
OPENSSL_free(store);
}
}
-static int ctlog_new_from_conf(CTLOG **ct_log, const CONF *conf, const char *section)
+static int ctlog_new_from_conf(CTLOG_STORE *store, CTLOG **ct_log,
+ const CONF *conf, const char *section)
{
const char *description = NCONF_get_string(conf, section, "description");
char *pkey_base64;
if (description == NULL) {
- CTerr(CT_F_CTLOG_NEW_FROM_CONF, CT_R_LOG_CONF_MISSING_DESCRIPTION);
+ ERR_raise(ERR_LIB_CT, CT_R_LOG_CONF_MISSING_DESCRIPTION);
return 0;
}
pkey_base64 = NCONF_get_string(conf, section, "key");
if (pkey_base64 == NULL) {
- CTerr(CT_F_CTLOG_NEW_FROM_CONF, CT_R_LOG_CONF_MISSING_KEY);
+ ERR_raise(ERR_LIB_CT, CT_R_LOG_CONF_MISSING_KEY);
return 0;
}
- return CTLOG_new_from_base64(ct_log, pkey_base64, description);
+ return CTLOG_new_from_base64_ex(ct_log, pkey_base64, description,
+ store->libctx, store->propq);
}
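Review bot: `ct_v1_log_id_from_pkey` now digests straight into the fixed `log->log_id[CT_V1_HASHLEN]` array using a digest obtained by name from a provider, and the `len` that EVP_Digest reports is stored but never compared with the array size, so the output buffer is sized by a compile-time constant while the digest length is decided at runtime by whichever provider answers the "SHA2-256" fetch. With the built-in providers the two agree, but since the hunk already has the `EVP_MD` in hand a one-line guard after the fetch keeps a misbehaving provider from overrunning the log id: `if (EVP_MD_get_size(sha256) != CT_V1_HASHLEN) { ERR_raise(ERR_LIB_CT, CT_R_LOG_KEY_INVALID); goto err; }` (EVP_MD_size on trees that predate the rename). The struct members these functions touch are declared above this hunk.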
int CTLOG_STORE_load_default_file(CTLOG_STORE *store)
@@ -168,7 +198,7 @@ static int ctlog_store_load_log(const char *log_name, int log_name_len,
if (tmp == NULL)
goto mem_err;
- ret = ctlog_new_from_conf(&ct_log, load_ctx->conf, tmp);
+ ret = ctlog_new_from_conf(load_ctx->log_store, &ct_log, load_ctx->conf, tmp);
OPENSSL_free(tmp);
if (ret < 0) {
@@ -188,7 +218,7 @@ static int ctlog_store_load_log(const char *log_name, int log_name_len,
mem_err:
CTLOG_free(ct_log);
- CTerr(CT_F_CTLOG_STORE_LOAD_LOG, ERR_R_MALLOC_FAILURE);
+ ERR_raise(ERR_LIB_CT, ERR_R_MALLOC_FAILURE);
return -1;
}
@@ -206,19 +236,19 @@ int CTLOG_STORE_load_file(CTLOG_STORE *store, const char *file)
goto end;
if (NCONF_load(load_ctx->conf, file, NULL) <= 0) {
- CTerr(CT_F_CTLOG_STORE_LOAD_FILE, CT_R_LOG_CONF_INVALID);
+ ERR_raise(ERR_LIB_CT, CT_R_LOG_CONF_INVALID);
goto end;
}
enabled_logs = NCONF_get_string(load_ctx->conf, NULL, "enabled_logs");
if (enabled_logs == NULL) {
- CTerr(CT_F_CTLOG_STORE_LOAD_FILE, CT_R_LOG_CONF_INVALID);
+ ERR_raise(ERR_LIB_CT, CT_R_LOG_CONF_INVALID);
goto end;
}
if (!CONF_parse_list(enabled_logs, ',', 1, ctlog_store_load_log, load_ctx) ||
load_ctx->invalid_log_entries > 0) {
- CTerr(CT_F_CTLOG_STORE_LOAD_FILE, CT_R_LOG_CONF_INVALID);
+ ERR_raise(ERR_LIB_CT, CT_R_LOG_CONF_INVALID);
goto end;
}
@@ -234,22 +264,32 @@ end:
* Takes ownership of the public key.
* Copies the name.
*/
-CTLOG *CTLOG_new(EVP_PKEY *public_key, const char *name)
+CTLOG *CTLOG_new_ex(EVP_PKEY *public_key, const char *name, OSSL_LIB_CTX *libctx,
+ const char *propq)
{
CTLOG *ret = OPENSSL_zalloc(sizeof(*ret));
if (ret == NULL) {
- CTerr(CT_F_CTLOG_NEW, ERR_R_MALLOC_FAILURE);
+ ERR_raise(ERR_LIB_CT, ERR_R_MALLOC_FAILURE);
return NULL;
}
+ ret->libctx = libctx;
+ if (propq != NULL) {
+ ret->propq = OPENSSL_strdup(propq);
+ if (ret->propq == NULL) {
+ ERR_raise(ERR_LIB_CT, ERR_R_MALLOC_FAILURE);
+ goto err;
+ }
+ }
+
ret->name = OPENSSL_strdup(name);
if (ret->name == NULL) {
- CTerr(CT_F_CTLOG_NEW, ERR_R_MALLOC_FAILURE);
+ ERR_raise(ERR_LIB_CT, ERR_R_MALLOC_FAILURE);
goto err;
}
- if (ct_v1_log_id_from_pkey(public_key, ret->log_id) != 1)
+ if (ct_v1_log_id_from_pkey(ret, public_key) != 1)
goto err;
ret->public_key = public_key;
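Review bot: The comment above `CTLOG_new_ex` still says `Takes ownership of the public key.`, but in this hunk `public_key` is only stored into `ret->public_key` after `ct_v1_log_id_from_pkey` succeeds, so on any earlier failure (the propq or name strdup, or the log-id computation) the err path cannot free it and the caller keeps ownership — which is exactly what `CTLOG_new_from_base64_ex` relies on when it calls `EVP_PKEY_free(pkey)` after a NULL return. That split contract should be stated: `* Takes ownership of the public key on success only; on failure the caller still owns it and must free it.` plus a line for `libctx`/`propq` noting that the latter is copied. The err label and the CTLOG_free call are outside this hunk.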
@@ -259,12 +299,18 @@ err:
return NULL;
}
+CTLOG *CTLOG_new(EVP_PKEY *public_key, const char *name)
+{
+ return CTLOG_new_ex(public_key, name, NULL, NULL);
+}
+
/* Frees CT log and associated structures */
void CTLOG_free(CTLOG *log)
{
if (log != NULL) {
OPENSSL_free(log->name);
EVP_PKEY_free(log->public_key);
+ OPENSSL_free(log->propq);
OPENSSL_free(log);
}
}
diff --git a/crypto/ct/ct_oct.c b/crypto/ct/ct_oct.c
index d4b6645af48d..72a43374797c 100644
--- a/crypto/ct/ct_oct.c
+++ b/crypto/ct/ct_oct.c
@@ -1,7 +1,7 @@
/*
- * Copyright 2016 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 2016-2020 The OpenSSL Project Authors. All Rights Reserved.
*
- * Licensed under the OpenSSL license (the "License"). You may not use
+ * Licensed under the Apache License 2.0 (the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy
* in the file LICENSE in the source distribution or at
* https://www.openssl.org/source/license.html
@@ -28,7 +28,7 @@ int o2i_SCT_signature(SCT *sct, const unsigned char **in, size_t len)
const unsigned char *p;
if (sct->version != SCT_VERSION_V1) {
- CTerr(CT_F_O2I_SCT_SIGNATURE, CT_R_UNSUPPORTED_VERSION);
+ ERR_raise(ERR_LIB_CT, CT_R_UNSUPPORTED_VERSION);
return -1;
}
/*
@@ -39,7 +39,7 @@ int o2i_SCT_signature(SCT *sct, const unsigned char **in, size_t len)
* all supported algorithms.
*/
if (len <= 4) {
- CTerr(CT_F_O2I_SCT_SIGNATURE, CT_R_SCT_INVALID_SIGNATURE);
+ ERR_raise(ERR_LIB_CT, CT_R_SCT_INVALID_SIGNATURE);
return -1;
}
@@ -48,14 +48,14 @@ int o2i_SCT_signature(SCT *sct, const unsigned char **in, size_t len)
sct->hash_alg = *p++;
sct->sig_alg = *p++;
if (SCT_get_signature_nid(sct) == NID_undef) {
- CTerr(CT_F_O2I_SCT_SIGNATURE, CT_R_SCT_INVALID_SIGNATURE);
+ ERR_raise(ERR_LIB_CT, CT_R_SCT_INVALID_SIGNATURE);
return -1;
}
/* Retrieve signature and check it is consistent with the buffer length */
n2s(p, siglen);
len_remaining -= (p - *in);
if (siglen > len_remaining) {
- CTerr(CT_F_O2I_SCT_SIGNATURE, CT_R_SCT_INVALID_SIGNATURE);
+ ERR_raise(ERR_LIB_CT, CT_R_SCT_INVALID_SIGNATURE);
return -1;
}
@@ -73,7 +73,7 @@ SCT *o2i_SCT(SCT **psct, const unsigned char **in, size_t len)
const unsigned char *p;
if (len == 0 || len > MAX_SCT_SIZE) {
- CTerr(CT_F_O2I_SCT, CT_R_SCT_INVALID);
+ ERR_raise(ERR_LIB_CT, CT_R_SCT_INVALID);
goto err;
}
@@ -96,12 +96,12 @@ SCT *o2i_SCT(SCT **psct, const unsigned char **in, size_t len)
* }
*/
if (len < 43) {
- CTerr(CT_F_O2I_SCT, CT_R_SCT_INVALID);
+ ERR_raise(ERR_LIB_CT, CT_R_SCT_INVALID);
goto err;
}
len -= 43;
p++;
- sct->log_id = BUF_memdup(p, CT_V1_HASHLEN);
+ sct->log_id = OPENSSL_memdup(p, CT_V1_HASHLEN);
if (sct->log_id == NULL)
goto err;
sct->log_id_len = CT_V1_HASHLEN;
@@ -111,11 +111,11 @@ SCT *o2i_SCT(SCT **psct, const unsigned char **in, size_t len)
n2s(p, len2);
if (len < len2) {
- CTerr(CT_F_O2I_SCT, CT_R_SCT_INVALID);
+ ERR_raise(ERR_LIB_CT, CT_R_SCT_INVALID);
goto err;
}
if (len2 > 0) {
- sct->ext = BUF_memdup(p, len2);
+ sct->ext = OPENSSL_memdup(p, len2);
if (sct->ext == NULL)
goto err;
}
@@ -125,14 +125,14 @@ SCT *o2i_SCT(SCT **psct, const unsigned char **in, size_t len)
sig_len = o2i_SCT_signature(sct, &p, len);
if (sig_len <= 0) {
- CTerr(CT_F_O2I_SCT, CT_R_SCT_INVALID);
+ ERR_raise(ERR_LIB_CT, CT_R_SCT_INVALID);
goto err;
}
len -= sig_len;
*in = p + len;
} else {
/* If not V1 just cache encoding */
- sct->sct = BUF_memdup(p, len);
+ sct->sct = OPENSSL_memdup(p, len);
if (sct->sct == NULL)
goto err;
sct->sct_len = len;
@@ -156,12 +156,12 @@ int i2o_SCT_signature(const SCT *sct, unsigned char **out)
unsigned char *p = NULL, *pstart = NULL;
if (!SCT_signature_is_complete(sct)) {
- CTerr(CT_F_I2O_SCT_SIGNATURE, CT_R_SCT_INVALID_SIGNATURE);
+ ERR_raise(ERR_LIB_CT, CT_R_SCT_INVALID_SIGNATURE);
goto err;
}
if (sct->version != SCT_VERSION_V1) {
- CTerr(CT_F_I2O_SCT_SIGNATURE, CT_R_UNSUPPORTED_VERSION);
+ ERR_raise(ERR_LIB_CT, CT_R_UNSUPPORTED_VERSION);
goto err;
}
@@ -179,7 +179,7 @@ int i2o_SCT_signature(const SCT *sct, unsigned char **out)
} else {
pstart = p = OPENSSL_malloc(len);
if (p == NULL) {
- CTerr(CT_F_I2O_SCT_SIGNATURE, ERR_R_MALLOC_FAILURE);
+ ERR_raise(ERR_LIB_CT, ERR_R_MALLOC_FAILURE);
goto err;
}
*out = p;
@@ -203,7 +203,7 @@ int i2o_SCT(const SCT *sct, unsigned char **out)
unsigned char *p = NULL, *pstart = NULL;
if (!SCT_is_complete(sct)) {
- CTerr(CT_F_I2O_SCT, CT_R_SCT_NOT_SET);
+ ERR_raise(ERR_LIB_CT, CT_R_SCT_NOT_SET);
goto err;
}
/*
@@ -226,7 +226,7 @@ int i2o_SCT(const SCT *sct, unsigned char **out)
} else {
pstart = p = OPENSSL_malloc(len);
if (p == NULL) {
- CTerr(CT_F_I2O_SCT, ERR_R_MALLOC_FAILURE);
+ ERR_raise(ERR_LIB_CT, ERR_R_MALLOC_FAILURE);
goto err;
}
*out = p;
@@ -261,13 +261,13 @@ STACK_OF(SCT) *o2i_SCT_LIST(STACK_OF(SCT) **a, const unsigned char **pp,
size_t list_len, sct_len;
if (len < 2 || len > MAX_SCT_LIST_SIZE) {
- CTerr(CT_F_O2I_SCT_LIST, CT_R_SCT_LIST_INVALID);
+ ERR_raise(ERR_LIB_CT, CT_R_SCT_LIST_INVALID);
return NULL;
}
n2s(*pp, list_len);
if (list_len != len - 2) {
- CTerr(CT_F_O2I_SCT_LIST, CT_R_SCT_LIST_INVALID);
+ ERR_raise(ERR_LIB_CT, CT_R_SCT_LIST_INVALID);
return NULL;
}
@@ -288,14 +288,14 @@ STACK_OF(SCT) *o2i_SCT_LIST(STACK_OF(SCT) **a, const unsigned char **pp,
SCT *sct;
if (list_len < 2) {
- CTerr(CT_F_O2I_SCT_LIST, CT_R_SCT_LIST_INVALID);
+ ERR_raise(ERR_LIB_CT, CT_R_SCT_LIST_INVALID);
goto err;
}
n2s(*pp, sct_len);
list_len -= 2;
if (sct_len == 0 || sct_len > list_len) {
- CTerr(CT_F_O2I_SCT_LIST, CT_R_SCT_LIST_INVALID);
+ ERR_raise(ERR_LIB_CT, CT_R_SCT_LIST_INVALID);
goto err;
}
list_len -= sct_len;
@@ -327,11 +327,11 @@ int i2o_SCT_LIST(const STACK_OF(SCT) *a, unsigned char **pp)
if (pp != NULL) {
if (*pp == NULL) {
if ((len = i2o_SCT_LIST(a, NULL)) == -1) {
- CTerr(CT_F_I2O_SCT_LIST, CT_R_SCT_LIST_INVALID);
+ ERR_raise(ERR_LIB_CT, CT_R_SCT_LIST_INVALID);
return -1;
}
if ((*pp = OPENSSL_malloc(len)) == NULL) {
- CTerr(CT_F_I2O_SCT_LIST, ERR_R_MALLOC_FAILURE);
+ ERR_raise(ERR_LIB_CT, ERR_R_MALLOC_FAILURE);
return -1;
}
is_pp_new = 1;
diff --git a/crypto/ct/ct_policy.c b/crypto/ct/ct_policy.c
index df66e8a494d0..80a8baabe163 100644
--- a/crypto/ct/ct_policy.c
+++ b/crypto/ct/ct_policy.c
@@ -1,7 +1,7 @@
/*
- * Copyright 2016 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 2016-2020 The OpenSSL Project Authors. All Rights Reserved.
*
- * Licensed under the OpenSSL license (the "License"). You may not use
+ * Licensed under the Apache License 2.0 (the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy
* in the file LICENSE in the source distribution or at
* https://www.openssl.org/source/license.html
@@ -25,15 +25,26 @@
*/
static const time_t SCT_CLOCK_DRIFT_TOLERANCE = 300;
-CT_POLICY_EVAL_CTX *CT_POLICY_EVAL_CTX_new(void)
+CT_POLICY_EVAL_CTX *CT_POLICY_EVAL_CTX_new_ex(OSSL_LIB_CTX *libctx,
+ const char *propq)
{
CT_POLICY_EVAL_CTX *ctx = OPENSSL_zalloc(sizeof(CT_POLICY_EVAL_CTX));
if (ctx == NULL) {
- CTerr(CT_F_CT_POLICY_EVAL_CTX_NEW, ERR_R_MALLOC_FAILURE);
+ ERR_raise(ERR_LIB_CT, ERR_R_MALLOC_FAILURE);
return NULL;
}
+ ctx->libctx = libctx;
+ if (propq != NULL) {
+ ctx->propq = OPENSSL_strdup(propq);
+ if (ctx->propq == NULL) {
+ ERR_raise(ERR_LIB_CT, ERR_R_MALLOC_FAILURE);
+ OPENSSL_free(ctx);
+ return NULL;
+ }
+ }
+
/* time(NULL) shouldn't ever fail, so don't bother checking for -1. */
ctx->epoch_time_in_ms = (uint64_t)(time(NULL) + SCT_CLOCK_DRIFT_TOLERANCE) *
1000;
@@ -41,12 +52,18 @@ CT_POLICY_EVAL_CTX *CT_POLICY_EVAL_CTX_new(void)
return ctx;
}
+CT_POLICY_EVAL_CTX *CT_POLICY_EVAL_CTX_new(void)
+{
+ return CT_POLICY_EVAL_CTX_new_ex(NULL, NULL);
+}
+
void CT_POLICY_EVAL_CTX_free(CT_POLICY_EVAL_CTX *ctx)
{
if (ctx == NULL)
return;
X509_free(ctx->cert);
X509_free(ctx->issuer);
+ OPENSSL_free(ctx->propq);
OPENSSL_free(ctx);
}
diff --git a/crypto/ct/ct_prn.c b/crypto/ct/ct_prn.c
index e6584b57f391..374235b7ec57 100644
--- a/crypto/ct/ct_prn.c
+++ b/crypto/ct/ct_prn.c
@@ -1,7 +1,7 @@
/*
- * Copyright 2016 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 2016-2020 The OpenSSL Project Authors. All Rights Reserved.
*
- * Licensed under the OpenSSL license (the "License"). You may not use
+ * Licensed under the Apache License 2.0 (the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy
* in the file LICENSE in the source distribution or at
* https://www.openssl.org/source/license.html
diff --git a/crypto/ct/ct_sct.c b/crypto/ct/ct_sct.c
index 4ff36e2fbd49..10a67ed6d68d 100644
--- a/crypto/ct/ct_sct.c
+++ b/crypto/ct/ct_sct.c
@@ -1,7 +1,7 @@
/*
- * Copyright 2016 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 2016-2021 The OpenSSL Project Authors. All Rights Reserved.
*
- * Licensed under the OpenSSL license (the "License"). You may not use
+ * Licensed under the Apache License 2.0 (the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy
* in the file LICENSE in the source distribution or at
* https://www.openssl.org/source/license.html
@@ -24,7 +24,7 @@ SCT *SCT_new(void)
SCT *sct = OPENSSL_zalloc(sizeof(*sct));
if (sct == NULL) {
- CTerr(CT_F_SCT_NEW, ERR_R_MALLOC_FAILURE);
+ ERR_raise(ERR_LIB_CT, ERR_R_MALLOC_FAILURE);
return NULL;
}
@@ -53,7 +53,7 @@ void SCT_LIST_free(STACK_OF(SCT) *a)
int SCT_set_version(SCT *sct, sct_version_t version)
{
if (version != SCT_VERSION_V1) {
- CTerr(CT_F_SCT_SET_VERSION, CT_R_UNSUPPORTED_VERSION);
+ ERR_raise(ERR_LIB_CT, CT_R_UNSUPPORTED_VERSION);
return 0;
}
sct->version = version;
@@ -73,14 +73,14 @@ int SCT_set_log_entry_type(SCT *sct, ct_log_entry_type_t entry_type)
case CT_LOG_ENTRY_TYPE_NOT_SET:
break;
}
- CTerr(CT_F_SCT_SET_LOG_ENTRY_TYPE, CT_R_UNSUPPORTED_ENTRY_TYPE);
+ ERR_raise(ERR_LIB_CT, CT_R_UNSUPPORTED_ENTRY_TYPE);
return 0;
}
int SCT_set0_log_id(SCT *sct, unsigned char *log_id, size_t log_id_len)
{
if (sct->version == SCT_VERSION_V1 && log_id_len != CT_V1_HASHLEN) {
- CTerr(CT_F_SCT_SET0_LOG_ID, CT_R_INVALID_LOG_ID_LENGTH);
+ ERR_raise(ERR_LIB_CT, CT_R_INVALID_LOG_ID_LENGTH);
return 0;
}
@@ -94,7 +94,7 @@ int SCT_set0_log_id(SCT *sct, unsigned char *log_id, size_t log_id_len)
int SCT_set1_log_id(SCT *sct, const unsigned char *log_id, size_t log_id_len)
{
if (sct->version == SCT_VERSION_V1 && log_id_len != CT_V1_HASHLEN) {
- CTerr(CT_F_SCT_SET1_LOG_ID, CT_R_INVALID_LOG_ID_LENGTH);
+ ERR_raise(ERR_LIB_CT, CT_R_INVALID_LOG_ID_LENGTH);
return 0;
}
@@ -106,7 +106,7 @@ int SCT_set1_log_id(SCT *sct, const unsigned char *log_id, size_t log_id_len)
if (log_id != NULL && log_id_len > 0) {
sct->log_id = OPENSSL_memdup(log_id, log_id_len);
if (sct->log_id == NULL) {
- CTerr(CT_F_SCT_SET1_LOG_ID, ERR_R_MALLOC_FAILURE);
+ ERR_raise(ERR_LIB_CT, ERR_R_MALLOC_FAILURE);
return 0;
}
sct->log_id_len = log_id_len;
@@ -135,7 +135,7 @@ int SCT_set_signature_nid(SCT *sct, int nid)
sct->validation_status = SCT_VALIDATION_STATUS_NOT_SET;
return 1;
default:
- CTerr(CT_F_SCT_SET_SIGNATURE_NID, CT_R_UNRECOGNIZED_SIGNATURE_NID);
+ ERR_raise(ERR_LIB_CT, CT_R_UNRECOGNIZED_SIGNATURE_NID);
return 0;
}
}
@@ -158,7 +158,7 @@ int SCT_set1_extensions(SCT *sct, const unsigned char *ext, size_t ext_len)
if (ext != NULL && ext_len > 0) {
sct->ext = OPENSSL_memdup(ext, ext_len);
if (sct->ext == NULL) {
- CTerr(CT_F_SCT_SET1_EXTENSIONS, ERR_R_MALLOC_FAILURE);
+ ERR_raise(ERR_LIB_CT, ERR_R_MALLOC_FAILURE);
return 0;
}
sct->ext_len = ext_len;
@@ -184,7 +184,7 @@ int SCT_set1_signature(SCT *sct, const unsigned char *sig, size_t sig_len)
if (sig != NULL && sig_len > 0) {
sct->sig = OPENSSL_memdup(sig, sig_len);
if (sct->sig == NULL) {
- CTerr(CT_F_SCT_SET1_SIGNATURE, ERR_R_MALLOC_FAILURE);
+ ERR_raise(ERR_LIB_CT, ERR_R_MALLOC_FAILURE);
return 0;
}
sct->sig_len = sig_len;
@@ -312,7 +312,7 @@ int SCT_validate(SCT *sct, const CT_POLICY_EVAL_CTX *ctx)
return 0;
}
- sctx = SCT_CTX_new();
+ sctx = SCT_CTX_new(ctx->libctx, ctx->propq);
if (sctx == NULL)
goto err;
@@ -343,7 +343,7 @@ int SCT_validate(SCT *sct, const CT_POLICY_EVAL_CTX *ctx)
* XXX: Potential for optimization. This repeats some idempotent heavy
* lifting on the certificate for each candidate SCT, and appears to not
* use any information in the SCT itself, only the certificate is
- * processed. So it may make more sense to to do this just once, perhaps
+ * processed. So it may make more sense to do this just once, perhaps
* associated with the shared (by all SCTs) policy eval ctx.
*
* XXX: Failure here is global (SCT independent) and represents either an
diff --git a/crypto/ct/ct_sct_ctx.c b/crypto/ct/ct_sct_ctx.c
index 841e768033e5..8653684814ee 100644
--- a/crypto/ct/ct_sct_ctx.c
+++ b/crypto/ct/ct_sct_ctx.c
@@ -1,7 +1,7 @@
/*
- * Copyright 2016 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 2016-2021 The OpenSSL Project Authors. All Rights Reserved.
*
- * Licensed under the OpenSSL license (the "License"). You may not use
+ * Licensed under the Apache License 2.0 (the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy
* in the file LICENSE in the source distribution or at
* https://www.openssl.org/source/license.html
@@ -20,12 +20,24 @@
#include "ct_local.h"
-SCT_CTX *SCT_CTX_new(void)
+SCT_CTX *SCT_CTX_new(OSSL_LIB_CTX *libctx, const char *propq)
{
SCT_CTX *sctx = OPENSSL_zalloc(sizeof(*sctx));
- if (sctx == NULL)
- CTerr(CT_F_SCT_CTX_NEW, ERR_R_MALLOC_FAILURE);
+ if (sctx == NULL) {
+ ERR_raise(ERR_LIB_CT, ERR_R_MALLOC_FAILURE);
+ return NULL;
+ }
+
+ sctx->libctx = libctx;
+ if (propq != NULL) {
+ sctx->propq = OPENSSL_strdup(propq);
+ if (sctx->propq == NULL) {
+ ERR_raise(ERR_LIB_CT, ERR_R_MALLOC_FAILURE);
+ OPENSSL_free(sctx);
+ return NULL;
+ }
+ }
return sctx;
}
@@ -39,6 +51,7 @@ void SCT_CTX_free(SCT_CTX *sctx)
OPENSSL_free(sctx->ihash);
OPENSSL_free(sctx->certder);
OPENSSL_free(sctx->preder);
+ OPENSSL_free(sctx->propq);
OPENSSL_free(sctx);
}
@@ -155,15 +168,12 @@ int SCT_CTX_set1_cert(SCT_CTX *sctx, X509 *cert, X509 *presigner)
* SCT.
*/
if (idx >= 0) {
- X509_EXTENSION *ext;
-
/* Take a copy of certificate so we don't modify passed version */
pretmp = X509_dup(cert);
if (pretmp == NULL)
goto err;
- ext = X509_delete_ext(pretmp, idx);
- X509_EXTENSION_free(ext);
+ X509_EXTENSION_free(X509_delete_ext(pretmp, idx));
if (!ct_x509_cert_fixup(pretmp, presigner))
goto err;
@@ -191,13 +201,17 @@ err:
return 0;
}
-__owur static int ct_public_key_hash(X509_PUBKEY *pkey, unsigned char **hash,
- size_t *hash_len)
+__owur static int ct_public_key_hash(SCT_CTX *sctx, X509_PUBKEY *pkey,
+ unsigned char **hash, size_t *hash_len)
{
int ret = 0;
unsigned char *md = NULL, *der = NULL;
int der_len;
unsigned int md_len;
+ EVP_MD *sha256 = EVP_MD_fetch(sctx->libctx, "SHA2-256", sctx->propq);
+
+ if (sha256 == NULL)
+ goto err;
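Review bot: The new `EVP_MD_fetch` failure branch in `ct_public_key_hash` jumps to `err` without putting anything on the error stack, while the equivalent fetch in ct_log.c's `ct_v1_log_id_from_pkey` raises `ERR_R_EVP_LIB`; a caller of SCT_CTX_set1_pubkey or SCT_CTX_set1_issuer_pubkey that gets 0 back sees only whatever the EVP layer itself pushed. For consistency I would make it `if (sha256 == NULL) { ERR_raise(ERR_LIB_CT, ERR_R_EVP_LIB); goto err; }`. Note also that the buffer-reuse check just below compares against the hard-coded `SHA256_DIGEST_LENGTH` rather than the fetched digest's size, which is fine for the built-in providers but worth a one-line comment. The rest of the function is outside this hunk.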
/* Reuse buffer if possible */
if (*hash != NULL && *hash_len >= SHA256_DIGEST_LENGTH) {
@@ -213,7 +227,7 @@ __owur static int ct_public_key_hash(X509_PUBKEY *pkey, unsigned char **hash,
if (der_len <= 0)
goto err;
- if (!EVP_Digest(der, der_len, md, &md_len, EVP_sha256(), NULL))
+ if (!EVP_Digest(der, der_len, md, &md_len, sha256, NULL))
goto err;
if (md != *hash) {
@@ -225,6 +239,7 @@ __owur static int ct_public_key_hash(X509_PUBKEY *pkey, unsigned char **hash,
md = NULL;
ret = 1;
err:
+ EVP_MD_free(sha256);
OPENSSL_free(md);
OPENSSL_free(der);
return ret;
@@ -237,7 +252,7 @@ int SCT_CTX_set1_issuer(SCT_CTX *sctx, const X509 *issuer)
int SCT_CTX_set1_issuer_pubkey(SCT_CTX *sctx, X509_PUBKEY *pubkey)
{
- return ct_public_key_hash(pubkey, &sctx->ihash, &sctx->ihashlen);
+ return ct_public_key_hash(sctx, pubkey, &sctx->ihash, &sctx->ihashlen);
}
int SCT_CTX_set1_pubkey(SCT_CTX *sctx, X509_PUBKEY *pubkey)
@@ -247,7 +262,7 @@ int SCT_CTX_set1_pubkey(SCT_CTX *sctx, X509_PUBKEY *pubkey)
if (pkey == NULL)
return 0;
- if (!ct_public_key_hash(pubkey, &sctx->pkeyhash, &sctx->pkeyhashlen)) {
+ if (!ct_public_key_hash(sctx, pubkey, &sctx->pkeyhash, &sctx->pkeyhashlen)) {
EVP_PKEY_free(pkey);
return 0;
}
diff --git a/crypto/ct/ct_vfy.c b/crypto/ct/ct_vfy.c
index 74fd34f4154e..27fb79f40383 100644
--- a/crypto/ct/ct_vfy.c
+++ b/crypto/ct/ct_vfy.c
@@ -1,7 +1,7 @@
/*
- * Copyright 2016 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 2016-2021 The OpenSSL Project Authors. All Rights Reserved.
*
- * Licensed under the OpenSSL license (the "License"). You may not use
+ * Licensed under the Apache License 2.0 (the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy
* in the file LICENSE in the source distribution or at
* https://www.openssl.org/source/license.html
@@ -101,20 +101,20 @@ int SCT_CTX_verify(const SCT_CTX *sctx, const SCT *sct)
if (!SCT_is_complete(sct) || sctx->pkey == NULL ||
sct->entry_type == CT_LOG_ENTRY_TYPE_NOT_SET ||
(sct->entry_type == CT_LOG_ENTRY_TYPE_PRECERT && sctx->ihash == NULL)) {
- CTerr(CT_F_SCT_CTX_VERIFY, CT_R_SCT_NOT_SET);
+ ERR_raise(ERR_LIB_CT, CT_R_SCT_NOT_SET);
return 0;
}
if (sct->version != SCT_VERSION_V1) {
- CTerr(CT_F_SCT_CTX_VERIFY, CT_R_SCT_UNSUPPORTED_VERSION);
+ ERR_raise(ERR_LIB_CT, CT_R_SCT_UNSUPPORTED_VERSION);
return 0;
}
if (sct->log_id_len != sctx->pkeyhashlen ||
memcmp(sct->log_id, sctx->pkeyhash, sctx->pkeyhashlen) != 0) {
- CTerr(CT_F_SCT_CTX_VERIFY, CT_R_SCT_LOG_ID_MISMATCH);
+ ERR_raise(ERR_LIB_CT, CT_R_SCT_LOG_ID_MISMATCH);
return 0;
}
if (sct->timestamp > sctx->epoch_time_in_ms) {
- CTerr(CT_F_SCT_CTX_VERIFY, CT_R_SCT_FUTURE_TIMESTAMP);
+ ERR_raise(ERR_LIB_CT, CT_R_SCT_FUTURE_TIMESTAMP);
return 0;
}
@@ -122,7 +122,8 @@ int SCT_CTX_verify(const SCT_CTX *sctx, const SCT *sct)
if (ctx == NULL)
goto end;
- if (!EVP_DigestVerifyInit(ctx, NULL, EVP_sha256(), NULL, sctx->pkey))
+ if (!EVP_DigestVerifyInit_ex(ctx, NULL, "SHA2-256", sctx->libctx,
+ sctx->propq, sctx->pkey, NULL))
goto end;
if (!sct_ctx_update(ctx, sctx, sct))
@@ -132,7 +133,7 @@ int SCT_CTX_verify(const SCT_CTX *sctx, const SCT *sct)
ret = EVP_DigestVerifyFinal(ctx, sct->sig, sct->sig_len);
/* If ret < 0 some other error: fall through without setting error */
if (ret == 0)
- CTerr(CT_F_SCT_CTX_VERIFY, CT_R_SCT_INVALID_SIGNATURE);
+ ERR_raise(ERR_LIB_CT, CT_R_SCT_INVALID_SIGNATURE);
end:
EVP_MD_CTX_free(ctx);
diff --git a/crypto/ct/ct_x509v3.c b/crypto/ct/ct_x509v3.c
index 19c2a852d24a..1284ec711db9 100644
--- a/crypto/ct/ct_x509v3.c
+++ b/crypto/ct/ct_x509v3.c
@@ -1,7 +1,7 @@
/*
- * Copyright 2016 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 2016-2021 The OpenSSL Project Authors. All Rights Reserved.
*
- * Licensed under the OpenSSL license (the "License"). You may not use
+ * Licensed under the Apache License 2.0 (the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy
* in the file LICENSE in the source distribution or at
* https://www.openssl.org/source/license.html
@@ -75,7 +75,7 @@ static STACK_OF(SCT) *ocsp_ext_d2i_SCT_LIST(STACK_OF(SCT) **a,
}
/* Handlers for X509v3/OCSP Certificate Transparency extensions */
-const X509V3_EXT_METHOD v3_ct_scts[3] = {
+const X509V3_EXT_METHOD ossl_v3_ct_scts[3] = {
/* X509v3 extension in certificates that contains SCTs */
{ NID_ct_precert_scts, 0, NULL,
NULL, (X509V3_EXT_FREE)SCT_LIST_free,