From 32d9a10fc195af3fa109b62258783b73659673c8 Mon Sep 17 00:00:00 2001 From: beck Date: Sat, 20 Nov 2021 01:10:49 +0000 Subject: [PATCH] Make these files compile - not hooked up to build yet. ok jsing@ tb@ --- lib/libcrypto/ct/ct.h | 60 +++++++++++++--------------- lib/libcrypto/ct/ct_b64.c | 35 +++++++++-------- lib/libcrypto/ct/ct_err.c | 34 +++++++++------- lib/libcrypto/ct/ct_local.h | 33 ++++++++++------ lib/libcrypto/ct/ct_log.c | 73 +++++++++++++++++----------------- lib/libcrypto/ct/ct_oct.c | 74 ++++++++++++++++++++--------------- lib/libcrypto/ct/ct_policy.c | 12 +++--- lib/libcrypto/ct/ct_prn.c | 36 +++++++++++++++-- lib/libcrypto/ct/ct_sct.c | 74 +++++++++++++++++++---------------- lib/libcrypto/ct/ct_sct_ctx.c | 34 ++++++++-------- lib/libcrypto/ct/ct_vfy.c | 14 ++++--- lib/libcrypto/ct/ct_x509v3.c | 10 +++-- lib/libcrypto/ct/cterr.h | 10 ++--- 13 files changed, 279 insertions(+), 220 deletions(-) diff --git a/lib/libcrypto/ct/ct.h b/lib/libcrypto/ct/ct.h index ac981fa0b5c..9665880464f 100644 --- a/lib/libcrypto/ct/ct.h +++ b/lib/libcrypto/ct/ct.h @@ -17,11 +17,10 @@ #include #include #include -#ifdef __cplusplus +#ifdef __cplusplus extern "C" { #endif - /* Minimum RSA key size, from RFC6962 */ #define SCT_MIN_RSA_BITS 2048 @@ -55,8 +54,8 @@ typedef enum { SCT_VALIDATION_STATUS_UNKNOWN_VERSION } sct_validation_status_t; -DEFINE_STACK_OF(SCT) -DEFINE_STACK_OF(CTLOG) +DECLARE_STACK_OF(SCT) +DECLARE_STACK_OF(CTLOG) /****************************************** * CT policy evaluation context functions * @@ -128,12 +127,9 @@ SCT *SCT_new(void); * Creates a new SCT from some base64-encoded strings. * The caller is responsible for calling SCT_free when finished with the SCT. */ -SCT *SCT_new_from_base64(unsigned char version, - const char *logid_base64, - ct_log_entry_type_t entry_type, - uint64_t timestamp, - const char *extensions_base64, - const char *signature_base64); +SCT *SCT_new_from_base64(unsigned char version, const char *logid_base64, + ct_log_entry_type_t entry_type, uint64_t timestamp, + const char *extensions_base64, const char *signature_base64); /* * Frees the SCT and the underlying data structures. @@ -155,7 +151,7 @@ sct_version_t SCT_get_version(const SCT *sct); * Set the version of an SCT. * Returns 1 on success, 0 if the version is unrecognized. */ -__owur int SCT_set_version(SCT *sct, sct_version_t version); +int SCT_set_version(SCT *sct, sct_version_t version); /* * Returns the log entry type of the SCT. @@ -166,7 +162,7 @@ ct_log_entry_type_t SCT_get_log_entry_type(const SCT *sct); * Set the log entry type of an SCT. * Returns 1 on success, 0 otherwise. */ -__owur int SCT_set_log_entry_type(SCT *sct, ct_log_entry_type_t entry_type); +int SCT_set_log_entry_type(SCT *sct, ct_log_entry_type_t entry_type); /* * Gets the ID of the log that an SCT came from. @@ -180,14 +176,14 @@ size_t SCT_get0_log_id(const SCT *sct, unsigned char **log_id); * The SCT takes ownership of the specified pointer. * Returns 1 on success, 0 otherwise. */ -__owur int SCT_set0_log_id(SCT *sct, unsigned char *log_id, size_t log_id_len); +int SCT_set0_log_id(SCT *sct, unsigned char *log_id, size_t log_id_len); /* * Set the log ID of an SCT. * This makes a copy of the log_id. * Returns 1 on success, 0 otherwise. */ -__owur int SCT_set1_log_id(SCT *sct, const unsigned char *log_id, +int SCT_set1_log_id(SCT *sct, const unsigned char *log_id, size_t log_id_len); /* @@ -213,7 +209,7 @@ int SCT_get_signature_nid(const SCT *sct); * NID_ecdsa_with_SHA256. * Returns 1 on success, 0 otherwise. */ -__owur int SCT_set_signature_nid(SCT *sct, int nid); +int SCT_set_signature_nid(SCT *sct, int nid); /* * Set *ext to point to the extension data for the SCT. ext must not be NULL. @@ -233,7 +229,7 @@ void SCT_set0_extensions(SCT *sct, unsigned char *ext, size_t ext_len); * This takes a copy of the ext. * Returns 1 on success, 0 otherwise. */ -__owur int SCT_set1_extensions(SCT *sct, const unsigned char *ext, +int SCT_set1_extensions(SCT *sct, const unsigned char *ext, size_t ext_len); /* @@ -253,8 +249,8 @@ void SCT_set0_signature(SCT *sct, unsigned char *sig, size_t sig_len); * Set the signature of an SCT to be a copy of the *sig specified. * Returns 1 on success, 0 otherwise. */ -__owur int SCT_set1_signature(SCT *sct, const unsigned char *sig, - size_t sig_len); +int SCT_set1_signature(SCT *sct, const unsigned char *sig, + size_t sig_len); /* * The origin of this SCT, e.g. TLS extension, OCSP response, etc. @@ -265,7 +261,7 @@ sct_source_t SCT_get_source(const SCT *sct); * Set the origin of this SCT, e.g. TLS extension, OCSP response, etc. * Returns 1 on success, 0 otherwise. */ -__owur int SCT_set_source(SCT *sct, sct_source_t source); +int SCT_set_source(SCT *sct, sct_source_t source); /* * Returns a text string describing the validation status of |sct|. @@ -303,7 +299,7 @@ sct_validation_status_t SCT_get_validation_status(const SCT *sct); * Returns 0 if the SCT is invalid or could not be verified. * Returns -1 if an error occurs. */ -__owur int SCT_validate(SCT *sct, const CT_POLICY_EVAL_CTX *ctx); +int SCT_validate(SCT *sct, const CT_POLICY_EVAL_CTX *ctx); /* * Validates the given list of SCTs with the provided context. @@ -312,7 +308,7 @@ __owur int SCT_validate(SCT *sct, const CT_POLICY_EVAL_CTX *ctx); * Returns 0 if at least one SCT is invalid or could not be verified. * Returns a negative integer if an error occurs. */ -__owur int SCT_LIST_validate(const STACK_OF(SCT) *scts, +int SCT_LIST_validate(const STACK_OF(SCT) *scts, CT_POLICY_EVAL_CTX *ctx); @@ -332,7 +328,7 @@ __owur int SCT_LIST_validate(const STACK_OF(SCT) *scts, * Returns < 0 on error, >= 0 indicating bytes written (or would have been) * on success. */ -__owur int i2o_SCT_LIST(const STACK_OF(SCT) *a, unsigned char **pp); +int i2o_SCT_LIST(const STACK_OF(SCT) *a, unsigned char **pp); /* * Convert TLS format SCT list to a stack of SCTs. @@ -359,7 +355,7 @@ STACK_OF(SCT) *o2i_SCT_LIST(STACK_OF(SCT) **a, const unsigned char **pp, * Returns < 0 on error, >= 0 indicating bytes written (or would have been) * on success. */ -__owur int i2d_SCT_LIST(const STACK_OF(SCT) *a, unsigned char **pp); +int i2d_SCT_LIST(const STACK_OF(SCT) *a, unsigned char **pp); /* * Parses an SCT list in DER format and returns it. @@ -383,7 +379,7 @@ STACK_OF(SCT) *d2i_SCT_LIST(STACK_OF(SCT) **a, const unsigned char **pp, * to it. * The length of the SCT in TLS format will be returned. */ -__owur int i2o_SCT(const SCT *sct, unsigned char **out); +int i2o_SCT(const SCT *sct, unsigned char **out); /* * Parses an SCT in TLS format and returns it. @@ -416,8 +412,8 @@ CTLOG *CTLOG_new(EVP_PKEY *public_key, const char *name); * Returns 1 on success, 0 on failure. * Should be deleted by the caller using CTLOG_free when no longer needed. */ -int CTLOG_new_from_base64(CTLOG ** ct_log, - const char *pkey_base64, const char *name); +int CTLOG_new_from_base64(CTLOG **ct_log, const char *pkey_base64, + const char *name); /* * Deletes a CT log instance and its fields. @@ -428,7 +424,7 @@ void CTLOG_free(CTLOG *log); const char *CTLOG_get0_name(const CTLOG *log); /* Gets the ID of the CT log */ void CTLOG_get0_log_id(const CTLOG *log, const uint8_t **log_id, - size_t *log_id_len); + size_t *log_id_len); /* Gets the public key of the CT log */ EVP_PKEY *CTLOG_get0_public_key(const CTLOG *log); @@ -458,16 +454,16 @@ const CTLOG *CTLOG_STORE_get0_log_by_id(const CTLOG_STORE *store, * Loads a CT log list into a |store| from a |file|. * Returns 1 if loading is successful, or 0 otherwise. */ -__owur int CTLOG_STORE_load_file(CTLOG_STORE *store, const char *file); +int CTLOG_STORE_load_file(CTLOG_STORE *store, const char *file); /* * Loads the default CT log list into a |store|. * Returns 1 if loading is successful, or 0 otherwise. */ -__owur int CTLOG_STORE_load_default_file(CTLOG_STORE *store); +int CTLOG_STORE_load_default_file(CTLOG_STORE *store); -# ifdef __cplusplus +#ifdef __cplusplus } -# endif -# endif +#endif +#endif #endif diff --git a/lib/libcrypto/ct/ct_b64.c b/lib/libcrypto/ct/ct_b64.c index 8ca5f469dfe..da182c96264 100644 --- a/lib/libcrypto/ct/ct_b64.c +++ b/lib/libcrypto/ct/ct_b64.c @@ -34,19 +34,22 @@ ct_base64_decode(const char *in, unsigned char **out) } outlen = (inlen / 4) * 3; - outbuf = OPENSSL_malloc(outlen); + outbuf = malloc(outlen); if (outbuf == NULL) { - CTerr(CT_F_CT_BASE64_DECODE, ERR_R_MALLOC_FAILURE); + CTerror(ERR_R_MALLOC_FAILURE); goto err; } outlen = EVP_DecodeBlock(outbuf, (unsigned char *)in, inlen); if (outlen < 0) { - CTerr(CT_F_CT_BASE64_DECODE, CT_R_BASE64_DECODE_ERROR); + CTerror(CT_R_BASE64_DECODE_ERROR); goto err; } - /* Subtract padding bytes from |outlen|. Any more than 2 is malformed. */ + /* + * Subtract padding bytes from |outlen|. + * Any more than 2 is malformed. + */ i = 0; while (in[--inlen] == '=') { --outlen; @@ -57,7 +60,7 @@ ct_base64_decode(const char *in, unsigned char **out) *out = outbuf; return outlen; err: - OPENSSL_free(outbuf); + free(outbuf); return -1; } @@ -72,7 +75,7 @@ SCT_new_from_base64(unsigned char version, const char *logid_base64, int declen; if (sct == NULL) { - CTerr(CT_F_SCT_NEW_FROM_BASE64, ERR_R_MALLOC_FAILURE); + CTerror(ERR_R_MALLOC_FAILURE); return NULL; } @@ -81,13 +84,13 @@ SCT_new_from_base64(unsigned char version, const char *logid_base64, * can only construct SCT versions that have been defined. */ if (!SCT_set_version(sct, version)) { - CTerr(CT_F_SCT_NEW_FROM_BASE64, CT_R_SCT_UNSUPPORTED_VERSION); + CTerror(CT_R_SCT_UNSUPPORTED_VERSION); goto err; } declen = ct_base64_decode(logid_base64, &dec); if (declen < 0) { - CTerr(CT_F_SCT_NEW_FROM_BASE64, X509_R_BASE64_DECODE_ERROR); + CTerror(X509_R_BASE64_DECODE_ERROR); goto err; } if (!SCT_set0_log_id(sct, dec, declen)) @@ -96,7 +99,7 @@ SCT_new_from_base64(unsigned char version, const char *logid_base64, declen = ct_base64_decode(extensions_base64, &dec); if (declen < 0) { - CTerr(CT_F_SCT_NEW_FROM_BASE64, X509_R_BASE64_DECODE_ERROR); + CTerror(X509_R_BASE64_DECODE_ERROR); goto err; } SCT_set0_extensions(sct, dec, declen); @@ -104,14 +107,14 @@ SCT_new_from_base64(unsigned char version, const char *logid_base64, declen = ct_base64_decode(signature_base64, &dec); if (declen < 0) { - CTerr(CT_F_SCT_NEW_FROM_BASE64, X509_R_BASE64_DECODE_ERROR); + CTerror(X509_R_BASE64_DECODE_ERROR); goto err; } p = dec; if (o2i_SCT_signature(sct, &p, declen) <= 0) goto err; - OPENSSL_free(dec); + free(dec); dec = NULL; SCT_set_timestamp(sct, timestamp); @@ -122,7 +125,7 @@ SCT_new_from_base64(unsigned char version, const char *logid_base64, return sct; err: - OPENSSL_free(dec); + free(dec); SCT_free(sct); return NULL; } @@ -142,21 +145,21 @@ CTLOG_new_from_base64(CTLOG **ct_log, const char *pkey_base64, const char *name) EVP_PKEY *pkey = NULL; if (ct_log == NULL) { - CTerr(CT_F_CTLOG_NEW_FROM_BASE64, ERR_R_PASSED_INVALID_ARGUMENT); + CTerror(ERR_R_PASSED_NULL_PARAMETER); return 0; } pkey_der_len = ct_base64_decode(pkey_base64, &pkey_der); if (pkey_der_len < 0) { - CTerr(CT_F_CTLOG_NEW_FROM_BASE64, CT_R_LOG_CONF_INVALID_KEY); + CTerror(CT_R_LOG_CONF_INVALID_KEY); return 0; } p = pkey_der; pkey = d2i_PUBKEY(NULL, &p, pkey_der_len); - OPENSSL_free(pkey_der); + free(pkey_der); if (pkey == NULL) { - CTerr(CT_F_CTLOG_NEW_FROM_BASE64, CT_R_LOG_CONF_INVALID_KEY); + CTerror(CT_R_LOG_CONF_INVALID_KEY); return 0; } diff --git a/lib/libcrypto/ct/ct_err.c b/lib/libcrypto/ct/ct_err.c index ab49f58e5a3..f15e90891c4 100644 --- a/lib/libcrypto/ct/ct_err.c +++ b/lib/libcrypto/ct/ct_err.c @@ -13,11 +13,12 @@ #ifndef OPENSSL_NO_ERR -static const ERR_STRING_DATA CT_str_functs[] = { +static ERR_STRING_DATA CT_str_functs[] = { {ERR_PACK(ERR_LIB_CT, CT_F_CTLOG_NEW, 0), "CTLOG_new"}, {ERR_PACK(ERR_LIB_CT, CT_F_CTLOG_NEW_FROM_BASE64, 0), "CTLOG_new_from_base64"}, - {ERR_PACK(ERR_LIB_CT, CT_F_CTLOG_NEW_FROM_CONF, 0), "ctlog_new_from_conf"}, + {ERR_PACK(ERR_LIB_CT, CT_F_CTLOG_NEW_FROM_CONF, 0), + "ctlog_new_from_conf"}, {ERR_PACK(ERR_LIB_CT, CT_F_CTLOG_STORE_LOAD_CTX_NEW, 0), "ctlog_store_load_ctx_new"}, {ERR_PACK(ERR_LIB_CT, CT_F_CTLOG_STORE_LOAD_FILE, 0), @@ -39,11 +40,14 @@ static const ERR_STRING_DATA CT_str_functs[] = { {ERR_PACK(ERR_LIB_CT, CT_F_SCT_CTX_NEW, 0), "SCT_CTX_new"}, {ERR_PACK(ERR_LIB_CT, CT_F_SCT_CTX_VERIFY, 0), "SCT_CTX_verify"}, {ERR_PACK(ERR_LIB_CT, CT_F_SCT_NEW, 0), "SCT_new"}, - {ERR_PACK(ERR_LIB_CT, CT_F_SCT_NEW_FROM_BASE64, 0), "SCT_new_from_base64"}, + {ERR_PACK(ERR_LIB_CT, CT_F_SCT_NEW_FROM_BASE64, 0), + "SCT_new_from_base64"}, {ERR_PACK(ERR_LIB_CT, CT_F_SCT_SET0_LOG_ID, 0), "SCT_set0_log_id"}, - {ERR_PACK(ERR_LIB_CT, CT_F_SCT_SET1_EXTENSIONS, 0), "SCT_set1_extensions"}, + {ERR_PACK(ERR_LIB_CT, CT_F_SCT_SET1_EXTENSIONS, 0), + "SCT_set1_extensions"}, {ERR_PACK(ERR_LIB_CT, CT_F_SCT_SET1_LOG_ID, 0), "SCT_set1_log_id"}, - {ERR_PACK(ERR_LIB_CT, CT_F_SCT_SET1_SIGNATURE, 0), "SCT_set1_signature"}, + {ERR_PACK(ERR_LIB_CT, CT_F_SCT_SET1_SIGNATURE, 0), + "SCT_set1_signature"}, {ERR_PACK(ERR_LIB_CT, CT_F_SCT_SET_LOG_ENTRY_TYPE, 0), "SCT_set_log_entry_type"}, {ERR_PACK(ERR_LIB_CT, CT_F_SCT_SET_SIGNATURE_NID, 0), @@ -52,8 +56,9 @@ static const ERR_STRING_DATA CT_str_functs[] = { {0, NULL} }; -static const ERR_STRING_DATA CT_str_reasons[] = { - {ERR_PACK(ERR_LIB_CT, 0, CT_R_BASE64_DECODE_ERROR), "base64 decode error"}, +static ERR_STRING_DATA CT_str_reasons[] = { + {ERR_PACK(ERR_LIB_CT, 0, CT_R_BASE64_DECODE_ERROR), + "base64 decode error"}, {ERR_PACK(ERR_LIB_CT, 0, CT_R_INVALID_LOG_ID_LENGTH), "invalid log id length"}, {ERR_PACK(ERR_LIB_CT, 0, CT_R_LOG_CONF_INVALID), "log conf invalid"}, @@ -70,7 +75,8 @@ static const ERR_STRING_DATA CT_str_reasons[] = { {ERR_PACK(ERR_LIB_CT, 0, CT_R_SCT_INVALID_SIGNATURE), "sct invalid signature"}, {ERR_PACK(ERR_LIB_CT, 0, CT_R_SCT_LIST_INVALID), "sct list invalid"}, - {ERR_PACK(ERR_LIB_CT, 0, CT_R_SCT_LOG_ID_MISMATCH), "sct log id mismatch"}, + {ERR_PACK(ERR_LIB_CT, 0, CT_R_SCT_LOG_ID_MISMATCH), + "sct log id mismatch"}, {ERR_PACK(ERR_LIB_CT, 0, CT_R_SCT_NOT_SET), "sct not set"}, {ERR_PACK(ERR_LIB_CT, 0, CT_R_SCT_UNSUPPORTED_VERSION), "sct unsupported version"}, @@ -78,19 +84,19 @@ static const ERR_STRING_DATA CT_str_reasons[] = { "unrecognized signature nid"}, {ERR_PACK(ERR_LIB_CT, 0, CT_R_UNSUPPORTED_ENTRY_TYPE), "unsupported entry type"}, - {ERR_PACK(ERR_LIB_CT, 0, CT_R_UNSUPPORTED_VERSION), "unsupported version"}, + {ERR_PACK(ERR_LIB_CT, 0, CT_R_UNSUPPORTED_VERSION), + "unsupported version"}, {0, NULL} }; #endif -int ERR_load_CT_strings(void) +int +ERR_load_CT_strings(void) { -#ifndef OPENSSL_NO_ERR if (ERR_func_error_string(CT_str_functs[0].error) == NULL) { - ERR_load_strings_const(CT_str_functs); - ERR_load_strings_const(CT_str_reasons); + ERR_load_strings(0, CT_str_functs); + ERR_load_strings(0, CT_str_reasons); } -#endif return 1; } diff --git a/lib/libcrypto/ct/ct_local.h b/lib/libcrypto/ct/ct_local.h index 75ff4d8f75f..d06ab153479 100644 --- a/lib/libcrypto/ct/ct_local.h +++ b/lib/libcrypto/ct/ct_local.h @@ -59,7 +59,10 @@ struct sct_st { /* If version is not SCT_VERSION_V1, this contains the encoded SCT */ unsigned char *sct; size_t sct_len; - /* If version is SCT_VERSION_V1, fields below contain components of the SCT */ + /* + * If version is SCT_VERSION_V1, fields below contain components of + * the SCT + */ unsigned char *log_id; size_t log_id_len; /* @@ -98,7 +101,10 @@ struct sct_ctx_st { /* pre-certificate encoding */ unsigned char *preder; size_t prederlen; - /* milliseconds since epoch (to check that the SCT isn't from the future) */ + /* + * milliseconds since epoch (to check that the SCT isn't from the + * future) + */ uint64_t epoch_time_in_ms; }; @@ -107,7 +113,10 @@ struct ct_policy_eval_ctx_st { X509 *cert; X509 *issuer; CTLOG_STORE *log_store; - /* milliseconds since epoch (to check that SCTs aren't from the future) */ + /* + * milliseconds since epoch (to check that the SCT isn't from the + * future) + */ uint64_t epoch_time_in_ms; }; @@ -129,7 +138,7 @@ void SCT_CTX_free(SCT_CTX *sctx); * extension, both must have one. * Returns 1 on success, 0 on failure. */ -__owur int SCT_CTX_set1_cert(SCT_CTX *sctx, X509 *cert, X509 *presigner); +int SCT_CTX_set1_cert(SCT_CTX *sctx, X509 *cert, X509 *presigner); /* * Sets the issuer of the certificate that the SCT was created for. @@ -138,7 +147,7 @@ __owur int SCT_CTX_set1_cert(SCT_CTX *sctx, X509 *cert, X509 *presigner); * Issuer must not be NULL. * Returns 1 on success, 0 on failure. */ -__owur int SCT_CTX_set1_issuer(SCT_CTX *sctx, const X509 *issuer); +int SCT_CTX_set1_issuer(SCT_CTX *sctx, const X509 *issuer); /* * Sets the public key of the issuer of the certificate that the SCT was created @@ -146,13 +155,13 @@ __owur int SCT_CTX_set1_issuer(SCT_CTX *sctx, const X509 *issuer); * The public key must not be NULL. * Returns 1 on success, 0 on failure. */ -__owur int SCT_CTX_set1_issuer_pubkey(SCT_CTX *sctx, X509_PUBKEY *pubkey); +int SCT_CTX_set1_issuer_pubkey(SCT_CTX *sctx, X509_PUBKEY *pubkey); /* * Sets the public key of the CT log that the SCT is from. * Returns 1 on success, 0 on failure. */ -__owur int SCT_CTX_set1_pubkey(SCT_CTX *sctx, X509_PUBKEY *pubkey); +int SCT_CTX_set1_pubkey(SCT_CTX *sctx, X509_PUBKEY *pubkey); /* * Sets the time to evaluate the SCT against, in milliseconds since the Unix @@ -168,13 +177,13 @@ void SCT_CTX_set_time(SCT_CTX *sctx, uint64_t time_in_ms); * Returns 1 if the SCT verifies successfully; any other value indicates * failure. See EVP_DigestVerifyFinal() for the meaning of those values. */ -__owur int SCT_CTX_verify(const SCT_CTX *sctx, const SCT *sct); +int SCT_CTX_verify(const SCT_CTX *sctx, const SCT *sct); /* * Does this SCT have the minimum fields populated to be usable? * Returns 1 if so, 0 otherwise. */ -__owur int SCT_is_complete(const SCT *sct); +int SCT_is_complete(const SCT *sct); /* * Does this SCT have the signature-related fields populated? @@ -182,7 +191,7 @@ __owur int SCT_is_complete(const SCT *sct); * This checks that the signature and hash algorithms are set to supported * values and that the signature field is set. */ -__owur int SCT_signature_is_complete(const SCT *sct); +int SCT_signature_is_complete(const SCT *sct); /* * TODO(RJPercival): Create an SCT_signature struct and make i2o_SCT_signature @@ -197,7 +206,7 @@ __owur int SCT_signature_is_complete(const SCT *sct); * If |out| points to an allocated string, the signature will be written to it. * The length of the signature in TLS format will be returned. */ -__owur int i2o_SCT_signature(const SCT *sct, unsigned char **out); +int i2o_SCT_signature(const SCT *sct, unsigned char **out); /* * Parses an SCT signature in TLS format and populates the |sct| with it. @@ -208,7 +217,7 @@ __owur int i2o_SCT_signature(const SCT *sct, unsigned char **out); * If an error occurs, the SCT's signature NID may be updated whilst the * signature field itself remains unset. */ -__owur int o2i_SCT_signature(SCT *sct, const unsigned char **in, size_t len); +int o2i_SCT_signature(SCT *sct, const unsigned char **in, size_t len); /* * Handlers for Certificate Transparency X509v3/OCSP extensions diff --git a/lib/libcrypto/ct/ct_log.c b/lib/libcrypto/ct/ct_log.c index ee44de2bfca..1eca056b896 100644 --- a/lib/libcrypto/ct/ct_log.c +++ b/lib/libcrypto/ct/ct_log.c @@ -16,7 +16,8 @@ #include #include -#include "internal/cryptlib.h" +#include "cryptlib.h" + /* * Information about a CT log server. @@ -52,23 +53,23 @@ static CTLOG_STORE_LOAD_CTX *ctlog_store_load_ctx_new(void); * Deletes a CT log store load context. * Does not delete any of the fields. */ -static void ctlog_store_load_ctx_free(CTLOG_STORE_LOAD_CTX* ctx); +static void ctlog_store_load_ctx_free(CTLOG_STORE_LOAD_CTX *ctx); static CTLOG_STORE_LOAD_CTX * ctlog_store_load_ctx_new(void) { - CTLOG_STORE_LOAD_CTX *ctx = OPENSSL_zalloc(sizeof(*ctx)); + CTLOG_STORE_LOAD_CTX *ctx = calloc(1, sizeof(*ctx)); if (ctx == NULL) - CTerr(CT_F_CTLOG_STORE_LOAD_CTX_NEW, ERR_R_MALLOC_FAILURE); + CTerror(ERR_R_MALLOC_FAILURE); return ctx; } static void -ctlog_store_load_ctx_free(CTLOG_STORE_LOAD_CTX* ctx) +ctlog_store_load_ctx_free(CTLOG_STORE_LOAD_CTX *ctx) { - OPENSSL_free(ctx); + free(ctx); } /* Converts a log's public key into a SHA256 log ID */ @@ -80,24 +81,24 @@ ct_v1_log_id_from_pkey(EVP_PKEY *pkey, unsigned char log_id[CT_V1_HASHLEN]) int pkey_der_len = i2d_PUBKEY(pkey, &pkey_der); if (pkey_der_len <= 0) { - CTerr(CT_F_CT_V1_LOG_ID_FROM_PKEY, CT_R_LOG_KEY_INVALID); + CTerror(CT_R_LOG_KEY_INVALID); goto err; } SHA256(pkey_der, pkey_der_len, log_id); ret = 1; err: - OPENSSL_free(pkey_der); + free(pkey_der); return ret; } CTLOG_STORE * CTLOG_STORE_new(void) { - CTLOG_STORE *ret = OPENSSL_zalloc(sizeof(*ret)); + CTLOG_STORE *ret = calloc(1, sizeof(*ret)); if (ret == NULL) { - CTerr(CT_F_CTLOG_STORE_NEW, ERR_R_MALLOC_FAILURE); + CTerror(ERR_R_MALLOC_FAILURE); return NULL; } @@ -106,8 +107,8 @@ CTLOG_STORE_new(void) goto err; return ret; -err: - OPENSSL_free(ret); + err: + free(ret); return NULL; } @@ -116,24 +117,25 @@ CTLOG_STORE_free(CTLOG_STORE *store) { if (store != NULL) { sk_CTLOG_pop_free(store->logs, CTLOG_free); - OPENSSL_free(store); + free(store); } } static int ctlog_new_from_conf(CTLOG **ct_log, const CONF *conf, const char *section) { - const char *description = NCONF_get_string(conf, section, "description"); + const char *description = NCONF_get_string(conf, section, + "description"); char *pkey_base64; if (description == NULL) { - CTerr(CT_F_CTLOG_NEW_FROM_CONF, CT_R_LOG_CONF_MISSING_DESCRIPTION); + CTerror(CT_R_LOG_CONF_MISSING_DESCRIPTION); return 0; } pkey_base64 = NCONF_get_string(conf, section, "key"); if (pkey_base64 == NULL) { - CTerr(CT_F_CTLOG_NEW_FROM_CONF, CT_R_LOG_CONF_MISSING_KEY); + CTerror(CT_R_LOG_CONF_MISSING_KEY); return 0; } @@ -143,12 +145,7 @@ ctlog_new_from_conf(CTLOG **ct_log, const CONF *conf, const char *section) int CTLOG_STORE_load_default_file(CTLOG_STORE *store) { - const char *fpath = ossl_safe_getenv(CTLOG_FILE_EVP); - - if (fpath == NULL) - fpath = CTLOG_FILE; - - return CTLOG_STORE_load_file(store, fpath); + return CTLOG_STORE_load_file(store, CTLOG_FILE); } /* @@ -170,12 +167,12 @@ ctlog_store_load_log(const char *log_name, int log_name_len, void *arg) if (log_name == NULL) return 1; - tmp = OPENSSL_strndup(log_name, log_name_len); + tmp = strndup(log_name, log_name_len); if (tmp == NULL) goto mem_err; ret = ctlog_new_from_conf(&ct_log, load_ctx->conf, tmp); - OPENSSL_free(tmp); + free(tmp); if (ret < 0) { /* Propagate any internal error */ @@ -192,9 +189,9 @@ ctlog_store_load_log(const char *log_name, int log_name_len, void *arg) } return 1; -mem_err: + mem_err: CTLOG_free(ct_log); - CTerr(CT_F_CTLOG_STORE_LOAD_LOG, ERR_R_MALLOC_FAILURE); + CTerror(ERR_R_MALLOC_FAILURE); return -1; } @@ -213,24 +210,24 @@ CTLOG_STORE_load_file(CTLOG_STORE *store, const char *file) goto end; if (NCONF_load(load_ctx->conf, file, NULL) <= 0) { - CTerr(CT_F_CTLOG_STORE_LOAD_FILE, CT_R_LOG_CONF_INVALID); + CTerror(CT_R_LOG_CONF_INVALID); goto end; } enabled_logs = NCONF_get_string(load_ctx->conf, NULL, "enabled_logs"); if (enabled_logs == NULL) { - CTerr(CT_F_CTLOG_STORE_LOAD_FILE, CT_R_LOG_CONF_INVALID); + CTerror(CT_R_LOG_CONF_INVALID); goto end; } if (!CONF_parse_list(enabled_logs, ',', 1, ctlog_store_load_log, load_ctx) || load_ctx->invalid_log_entries > 0) { - CTerr(CT_F_CTLOG_STORE_LOAD_FILE, CT_R_LOG_CONF_INVALID); + CTerror(CT_R_LOG_CONF_INVALID); goto end; } ret = 1; -end: + end: NCONF_free(load_ctx->conf); ctlog_store_load_ctx_free(load_ctx); return ret; @@ -244,16 +241,16 @@ end: CTLOG * CTLOG_new(EVP_PKEY *public_key, const char *name) { - CTLOG *ret = OPENSSL_zalloc(sizeof(*ret)); + CTLOG *ret = calloc(1, sizeof(*ret)); if (ret == NULL) { - CTerr(CT_F_CTLOG_NEW, ERR_R_MALLOC_FAILURE); + CTerror(ERR_R_MALLOC_FAILURE); return NULL; } - ret->name = OPENSSL_strdup(name); + ret->name = strdup(name); if (ret->name == NULL) { - CTerr(CT_F_CTLOG_NEW, ERR_R_MALLOC_FAILURE); + CTerror(ERR_R_MALLOC_FAILURE); goto err; } @@ -272,9 +269,9 @@ void CTLOG_free(CTLOG *log) { if (log != NULL) { - OPENSSL_free(log->name); + free(log->name); EVP_PKEY_free(log->public_key); - OPENSSL_free(log); + free(log); } } @@ -301,8 +298,8 @@ CTLOG_get0_public_key(const CTLOG *log) * Given a log ID, finds the matching log. * Returns NULL if no match found. */ -const CTLOG -*CTLOG_STORE_get0_log_by_id(const CTLOG_STORE *store, const uint8_t *log_id, +const CTLOG * +CTLOG_STORE_get0_log_by_id(const CTLOG_STORE *store, const uint8_t *log_id, size_t log_id_len) { int i; diff --git a/lib/libcrypto/ct/ct_oct.c b/lib/libcrypto/ct/ct_oct.c index 7a45bdb5bfb..bd15ab0e925 100644 --- a/lib/libcrypto/ct/ct_oct.c +++ b/lib/libcrypto/ct/ct_oct.c @@ -29,7 +29,7 @@ o2i_SCT_signature(SCT *sct, const unsigned char **in, size_t len) const unsigned char *p; if (sct->version != SCT_VERSION_V1) { - CTerr(CT_F_O2I_SCT_SIGNATURE, CT_R_UNSUPPORTED_VERSION); + CTerror(CT_R_UNSUPPORTED_VERSION); return -1; } /* @@ -40,7 +40,7 @@ o2i_SCT_signature(SCT *sct, const unsigned char **in, size_t len) * all supported algorithms. */ if (len <= 4) { - CTerr(CT_F_O2I_SCT_SIGNATURE, CT_R_SCT_INVALID_SIGNATURE); + CTerror(CT_R_SCT_INVALID_SIGNATURE); return -1; } @@ -49,14 +49,17 @@ o2i_SCT_signature(SCT *sct, const unsigned char **in, size_t len) sct->hash_alg = *p++; sct->sig_alg = *p++; if (SCT_get_signature_nid(sct) == NID_undef) { - CTerr(CT_F_O2I_SCT_SIGNATURE, CT_R_SCT_INVALID_SIGNATURE); + CTerror(CT_R_SCT_INVALID_SIGNATURE); return -1; } - /* Retrieve signature and check it is consistent with the buffer length */ + /* + * Retrieve signature and check it is consistent with the buffer + * length + */ n2s(p, siglen); len_remaining -= (p - *in); if (siglen > len_remaining) { - CTerr(CT_F_O2I_SCT_SIGNATURE, CT_R_SCT_INVALID_SIGNATURE); + CTerror(CT_R_SCT_INVALID_SIGNATURE); return -1; } @@ -68,13 +71,19 @@ o2i_SCT_signature(SCT *sct, const unsigned char **in, size_t len) return len - len_remaining; } -SCT *o2i_SCT(SCT **psct, const unsigned char **in, size_t len) +SCT * +o2i_SCT(SCT **psct, const unsigned char **in, size_t len) { SCT *sct = NULL; const unsigned char *p; + /* + * XXX paging Dr Sing. please report to this function for an emergency + * CBS/CBB implantation surgery. Stat. + */ + if (len == 0 || len > MAX_SCT_SIZE) { - CTerr(CT_F_O2I_SCT, CT_R_SCT_INVALID); + CTerror(CT_R_SCT_INVALID); goto err; } @@ -97,14 +106,15 @@ SCT *o2i_SCT(SCT **psct, const unsigned char **in, size_t len) * } */ if (len < 43) { - CTerr(CT_F_O2I_SCT, CT_R_SCT_INVALID); + CTerror(CT_R_SCT_INVALID); goto err; } len -= 43; p++; - sct->log_id = BUF_memdup(p, CT_V1_HASHLEN); + sct->log_id = malloc(CT_V1_HASHLEN); if (sct->log_id == NULL) goto err; + memcpy(sct->log_id, p, CT_V1_HASHLEN); sct->log_id_len = CT_V1_HASHLEN; p += CT_V1_HASHLEN; @@ -112,13 +122,14 @@ SCT *o2i_SCT(SCT **psct, const unsigned char **in, size_t len) n2s(p, len2); if (len < len2) { - CTerr(CT_F_O2I_SCT, CT_R_SCT_INVALID); + CTerror(CT_R_SCT_INVALID); goto err; } if (len2 > 0) { - sct->ext = BUF_memdup(p, len2); + sct->ext = malloc(len2); if (sct->ext == NULL) goto err; + memcpy(sct->ext, p, len2); } sct->ext_len = len2; p += len2; @@ -126,16 +137,17 @@ SCT *o2i_SCT(SCT **psct, const unsigned char **in, size_t len) sig_len = o2i_SCT_signature(sct, &p, len); if (sig_len <= 0) { - CTerr(CT_F_O2I_SCT, CT_R_SCT_INVALID); + CTerror(CT_R_SCT_INVALID); goto err; } len -= sig_len; *in = p + len; } else { /* If not V1 just cache encoding */ - sct->sct = BUF_memdup(p, len); + sct->sct = malloc(len); if (sct->sct == NULL) goto err; + memcpy(sct->sct, p, len); sct->sct_len = len; *in = p + len; } @@ -158,12 +170,12 @@ i2o_SCT_signature(const SCT *sct, unsigned char **out) unsigned char *p = NULL, *pstart = NULL; if (!SCT_signature_is_complete(sct)) { - CTerr(CT_F_I2O_SCT_SIGNATURE, CT_R_SCT_INVALID_SIGNATURE); + CTerror(CT_R_SCT_INVALID_SIGNATURE); goto err; } if (sct->version != SCT_VERSION_V1) { - CTerr(CT_F_I2O_SCT_SIGNATURE, CT_R_UNSUPPORTED_VERSION); + CTerror(CT_R_UNSUPPORTED_VERSION); goto err; } @@ -179,9 +191,9 @@ i2o_SCT_signature(const SCT *sct, unsigned char **out) p = *out; *out += len; } else { - pstart = p = OPENSSL_malloc(len); + pstart = p = malloc(len); if (p == NULL) { - CTerr(CT_F_I2O_SCT_SIGNATURE, ERR_R_MALLOC_FAILURE); + CTerror(ERR_R_MALLOC_FAILURE); goto err; } *out = p; @@ -195,7 +207,7 @@ i2o_SCT_signature(const SCT *sct, unsigned char **out) return len; err: - OPENSSL_free(pstart); + free(pstart); return -1; } @@ -206,7 +218,7 @@ i2o_SCT(const SCT *sct, unsigned char **out) unsigned char *p = NULL, *pstart = NULL; if (!SCT_is_complete(sct)) { - CTerr(CT_F_I2O_SCT, CT_R_SCT_NOT_SET); + CTerror(CT_R_SCT_NOT_SET); goto err; } /* @@ -227,9 +239,9 @@ i2o_SCT(const SCT *sct, unsigned char **out) p = *out; *out += len; } else { - pstart = p = OPENSSL_malloc(len); + pstart = p = malloc(len); if (p == NULL) { - CTerr(CT_F_I2O_SCT, ERR_R_MALLOC_FAILURE); + CTerror(ERR_R_MALLOC_FAILURE); goto err; } *out = p; @@ -253,7 +265,7 @@ i2o_SCT(const SCT *sct, unsigned char **out) return len; err: - OPENSSL_free(pstart); + free(pstart); return -1; } @@ -264,13 +276,13 @@ o2i_SCT_LIST(STACK_OF(SCT) **a, const unsigned char **pp, size_t len) size_t list_len, sct_len; if (len < 2 || len > MAX_SCT_LIST_SIZE) { - CTerr(CT_F_O2I_SCT_LIST, CT_R_SCT_LIST_INVALID); + CTerror(CT_R_SCT_LIST_INVALID); return NULL; } n2s(*pp, list_len); if (list_len != len - 2) { - CTerr(CT_F_O2I_SCT_LIST, CT_R_SCT_LIST_INVALID); + CTerror(CT_R_SCT_LIST_INVALID); return NULL; } @@ -291,14 +303,14 @@ o2i_SCT_LIST(STACK_OF(SCT) **a, const unsigned char **pp, size_t len) SCT *sct; if (list_len < 2) { - CTerr(CT_F_O2I_SCT_LIST, CT_R_SCT_LIST_INVALID); + CTerror(CT_R_SCT_LIST_INVALID); goto err; } n2s(*pp, sct_len); list_len -= 2; if (sct_len == 0 || sct_len > list_len) { - CTerr(CT_F_O2I_SCT_LIST, CT_R_SCT_LIST_INVALID); + CTerror(CT_R_SCT_LIST_INVALID); goto err; } list_len -= sct_len; @@ -331,11 +343,11 @@ i2o_SCT_LIST(const STACK_OF(SCT) *a, unsigned char **pp) if (pp != NULL) { if (*pp == NULL) { if ((len = i2o_SCT_LIST(a, NULL)) == -1) { - CTerr(CT_F_I2O_SCT_LIST, CT_R_SCT_LIST_INVALID); + CTerror(CT_R_SCT_LIST_INVALID); return -1; } - if ((*pp = OPENSSL_malloc(len)) == NULL) { - CTerr(CT_F_I2O_SCT_LIST, ERR_R_MALLOC_FAILURE); + if ((*pp = malloc(len)) == NULL) { + CTerror(ERR_R_MALLOC_FAILURE); return -1; } is_pp_new = 1; @@ -371,7 +383,7 @@ i2o_SCT_LIST(const STACK_OF(SCT) *a, unsigned char **pp) err: if (is_pp_new) { - OPENSSL_free(*pp); + free(*pp); *pp = NULL; } return -1; @@ -407,6 +419,6 @@ i2d_SCT_LIST(const STACK_OF(SCT) *a, unsigned char **out) return -1; len = i2d_ASN1_OCTET_STRING(&oct, out); - OPENSSL_free(oct.data); + free(oct.data); return len; } diff --git a/lib/libcrypto/ct/ct_policy.c b/lib/libcrypto/ct/ct_policy.c index 43ea6fa0931..9940f768b66 100644 --- a/lib/libcrypto/ct/ct_policy.c +++ b/lib/libcrypto/ct/ct_policy.c @@ -28,10 +28,10 @@ static const time_t SCT_CLOCK_DRIFT_TOLERANCE = 300; CT_POLICY_EVAL_CTX * CT_POLICY_EVAL_CTX_new(void) { - CT_POLICY_EVAL_CTX *ctx = OPENSSL_zalloc(sizeof(CT_POLICY_EVAL_CTX)); + CT_POLICY_EVAL_CTX *ctx = calloc(1, sizeof(CT_POLICY_EVAL_CTX)); if (ctx == NULL) { - CTerr(CT_F_CT_POLICY_EVAL_CTX_NEW, ERR_R_MALLOC_FAILURE); + CTerror(ERR_R_MALLOC_FAILURE); return NULL; } @@ -49,7 +49,7 @@ CT_POLICY_EVAL_CTX_free(CT_POLICY_EVAL_CTX *ctx) return; X509_free(ctx->cert); X509_free(ctx->issuer); - OPENSSL_free(ctx); + free(ctx); } int @@ -83,13 +83,13 @@ CT_POLICY_EVAL_CTX_set_time(CT_POLICY_EVAL_CTX *ctx, uint64_t time_in_ms) ctx->epoch_time_in_ms = time_in_ms; } -X509* +X509 * CT_POLICY_EVAL_CTX_get0_cert(const CT_POLICY_EVAL_CTX *ctx) { return ctx->cert; } -X509* +X509 * CT_POLICY_EVAL_CTX_get0_issuer(const CT_POLICY_EVAL_CTX *ctx) { return ctx->issuer; @@ -98,7 +98,7 @@ CT_POLICY_EVAL_CTX_get0_issuer(const CT_POLICY_EVAL_CTX *ctx) const CTLOG_STORE * CT_POLICY_EVAL_CTX_get0_log_store(const CT_POLICY_EVAL_CTX *ctx) { - return ctx->log_store; + return ctx->log_store; } uint64_t diff --git a/lib/libcrypto/ct/ct_prn.c b/lib/libcrypto/ct/ct_prn.c index 3cd9b8e838b..3b1be713946 100644 --- a/lib/libcrypto/ct/ct_prn.c +++ b/lib/libcrypto/ct/ct_prn.c @@ -16,6 +16,36 @@ #include "ct_local.h" +/* + * XXX public api in OpenSSL 1.1.0 but this is the only thing that uses it. + * so I am stuffing it here for the moment. + */ +static int +BIO_hex_string(BIO *out, int indent, int width, unsigned char *data, + int datalen) +{ + int i, j = 0; + + if (datalen < 1) + return 1; + + for (i = 0; i < datalen - 1; i++) { + if (i && !j) + BIO_printf(out, "%*s", indent, ""); + + BIO_printf(out, "%02X:", data[i]); + + j = (j + 1) % width; + if (!j) + BIO_printf(out, "\n"); + } + + if (i && !j) + BIO_printf(out, "%*s", indent, ""); + BIO_printf(out, "%02X", data[datalen - 1]); + return 1; +} + static void SCT_signature_algorithms_print(const SCT *sct, BIO *out) { @@ -35,13 +65,13 @@ timestamp_print(uint64_t timestamp, BIO *out) if (gen == NULL) return; - ASN1_GENERALIZEDTIME_adj(gen, (time_t)0,(int)(timestamp / 86400000), + ASN1_GENERALIZEDTIME_adj(gen, (time_t)0, (int)(timestamp / 86400000), (timestamp % 86400000) / 1000); /* * Note GeneralizedTime from ASN1_GENERALIZETIME_adj is always 15 * characters long with a final Z. Update it with fractional seconds. */ - BIO_snprintf(genstr, sizeof(genstr), "%.14s.%03dZ", + snprintf(genstr, sizeof(genstr), "%.14s.%03dZ", ASN1_STRING_get0_data(gen), (unsigned int)(timestamp % 1000)); if (ASN1_GENERALIZEDTIME_set_string(gen, genstr)) ASN1_GENERALIZEDTIME_print(out, gen); @@ -63,7 +93,7 @@ SCT_validation_status_string(const SCT *sct) case SCT_VALIDATION_STATUS_INVALID: return "invalid"; case SCT_VALIDATION_STATUS_VALID: - return "valid"; + return "valid"; } return "unknown status"; } diff --git a/lib/libcrypto/ct/ct_sct.c b/lib/libcrypto/ct/ct_sct.c index ca915b763e1..5108f39d668 100644 --- a/lib/libcrypto/ct/ct_sct.c +++ b/lib/libcrypto/ct/ct_sct.c @@ -17,15 +17,17 @@ #include #include +#include + #include "ct_local.h" SCT * SCT_new(void) { - SCT *sct = OPENSSL_zalloc(sizeof(*sct)); + SCT *sct = calloc(1, sizeof(*sct)); if (sct == NULL) { - CTerr(CT_F_SCT_NEW, ERR_R_MALLOC_FAILURE); + CTerror(ERR_R_MALLOC_FAILURE); return NULL; } @@ -40,11 +42,11 @@ SCT_free(SCT *sct) if (sct == NULL) return; - OPENSSL_free(sct->log_id); - OPENSSL_free(sct->ext); - OPENSSL_free(sct->sig); - OPENSSL_free(sct->sct); - OPENSSL_free(sct); + free(sct->log_id); + free(sct->ext); + free(sct->sig); + free(sct->sct); + free(sct); } void @@ -57,7 +59,7 @@ int SCT_set_version(SCT *sct, sct_version_t version) { if (version != SCT_VERSION_V1) { - CTerr(CT_F_SCT_SET_VERSION, CT_R_UNSUPPORTED_VERSION); + CTerror(CT_R_UNSUPPORTED_VERSION); return 0; } sct->version = version; @@ -78,7 +80,7 @@ SCT_set_log_entry_type(SCT *sct, ct_log_entry_type_t entry_type) case CT_LOG_ENTRY_TYPE_NOT_SET: break; } - CTerr(CT_F_SCT_SET_LOG_ENTRY_TYPE, CT_R_UNSUPPORTED_ENTRY_TYPE); + CTerror(CT_R_UNSUPPORTED_ENTRY_TYPE); return 0; } @@ -86,11 +88,11 @@ int SCT_set0_log_id(SCT *sct, unsigned char *log_id, size_t log_id_len) { if (sct->version == SCT_VERSION_V1 && log_id_len != CT_V1_HASHLEN) { - CTerr(CT_F_SCT_SET0_LOG_ID, CT_R_INVALID_LOG_ID_LENGTH); + CTerror(CT_R_INVALID_LOG_ID_LENGTH); return 0; } - OPENSSL_free(sct->log_id); + free(sct->log_id); sct->log_id = log_id; sct->log_id_len = log_id_len; sct->validation_status = SCT_VALIDATION_STATUS_NOT_SET; @@ -101,21 +103,22 @@ int SCT_set1_log_id(SCT *sct, const unsigned char *log_id, size_t log_id_len) { if (sct->version == SCT_VERSION_V1 && log_id_len != CT_V1_HASHLEN) { - CTerr(CT_F_SCT_SET1_LOG_ID, CT_R_INVALID_LOG_ID_LENGTH); + CTerror(CT_R_INVALID_LOG_ID_LENGTH); return 0; } - OPENSSL_free(sct->log_id); + free(sct->log_id); sct->log_id = NULL; sct->log_id_len = 0; sct->validation_status = SCT_VALIDATION_STATUS_NOT_SET; if (log_id != NULL && log_id_len > 0) { - sct->log_id = OPENSSL_memdup(log_id, log_id_len); + sct->log_id = malloc(log_id_len); if (sct->log_id == NULL) { - CTerr(CT_F_SCT_SET1_LOG_ID, ERR_R_MALLOC_FAILURE); + CTerror(ERR_R_MALLOC_FAILURE); return 0; } + memcpy(sct->log_id, log_id, log_id_len); sct->log_id_len = log_id_len; } return 1; @@ -134,17 +137,17 @@ SCT_set_signature_nid(SCT *sct, int nid) { switch (nid) { case NID_sha256WithRSAEncryption: - sct->hash_alg = TLSEXT_hash_sha256; - sct->sig_alg = TLSEXT_signature_rsa; + sct->hash_alg = 4; /* XXX */ + sct->sig_alg = 1; /* XXX */ sct->validation_status = SCT_VALIDATION_STATUS_NOT_SET; return 1; case NID_ecdsa_with_SHA256: - sct->hash_alg = TLSEXT_hash_sha256; - sct->sig_alg = TLSEXT_signature_ecdsa; + sct->hash_alg = 4; /* XXX */ + sct->sig_alg = 3; /* XXX */ sct->validation_status = SCT_VALIDATION_STATUS_NOT_SET; return 1; default: - CTerr(CT_F_SCT_SET_SIGNATURE_NID, CT_R_UNRECOGNIZED_SIGNATURE_NID); + CTerror(CT_R_UNRECOGNIZED_SIGNATURE_NID); return 0; } } @@ -152,7 +155,7 @@ SCT_set_signature_nid(SCT *sct, int nid) void SCT_set0_extensions(SCT *sct, unsigned char *ext, size_t ext_len) { - OPENSSL_free(sct->ext); + free(sct->ext); sct->ext = ext; sct->ext_len = ext_len; sct->validation_status = SCT_VALIDATION_STATUS_NOT_SET; @@ -161,17 +164,18 @@ SCT_set0_extensions(SCT *sct, unsigned char *ext, size_t ext_len) int SCT_set1_extensions(SCT *sct, const unsigned char *ext, size_t ext_len) { - OPENSSL_free(sct->ext); + free(sct->ext); sct->ext = NULL; sct->ext_len = 0; sct->validation_status = SCT_VALIDATION_STATUS_NOT_SET; if (ext != NULL && ext_len > 0) { - sct->ext = OPENSSL_memdup(ext, ext_len); + sct->ext = malloc(ext_len); if (sct->ext == NULL) { - CTerr(CT_F_SCT_SET1_EXTENSIONS, ERR_R_MALLOC_FAILURE); + CTerror(ERR_R_MALLOC_FAILURE); return 0; } + memcpy(sct->ext, ext, ext_len); sct->ext_len = ext_len; } return 1; @@ -180,7 +184,7 @@ SCT_set1_extensions(SCT *sct, const unsigned char *ext, size_t ext_len) void SCT_set0_signature(SCT *sct, unsigned char *sig, size_t sig_len) { - OPENSSL_free(sct->sig); + free(sct->sig); sct->sig = sig; sct->sig_len = sig_len; sct->validation_status = SCT_VALIDATION_STATUS_NOT_SET; @@ -189,17 +193,18 @@ SCT_set0_signature(SCT *sct, unsigned char *sig, size_t sig_len) int SCT_set1_signature(SCT *sct, const unsigned char *sig, size_t sig_len) { - OPENSSL_free(sct->sig); + free(sct->sig); sct->sig = NULL; sct->sig_len = 0; sct->validation_status = SCT_VALIDATION_STATUS_NOT_SET; if (sig != NULL && sig_len > 0) { - sct->sig = OPENSSL_memdup(sig, sig_len); + sct->sig = malloc(sig_len); if (sct->sig == NULL) { - CTerr(CT_F_SCT_SET1_SIGNATURE, ERR_R_MALLOC_FAILURE); + CTerror(ERR_R_MALLOC_FAILURE); return 0; } + memcpy(sct->sig, sig, sig_len); sct->sig_len = sig_len; } return 1; @@ -234,14 +239,15 @@ int SCT_get_signature_nid(const SCT *sct) { if (sct->version == SCT_VERSION_V1) { - if (sct->hash_alg == TLSEXT_hash_sha256) { + /* XXX sigalg numbers */ + if (sct->hash_alg == 4) { switch (sct->sig_alg) { - case TLSEXT_signature_ecdsa: + case 3: return NID_ecdsa_with_SHA256; - case TLSEXT_signature_rsa: + case 1: return NID_sha256WithRSAEncryption; default: - return NID_undef; + return NID_undef; } } } @@ -278,8 +284,8 @@ SCT_is_complete(const SCT *sct) int SCT_signature_is_complete(const SCT *sct) { - return SCT_get_signature_nid(sct) != NID_undef && sct->sig != NULL && - sct->sig_len > 0; + return SCT_get_signature_nid(sct) != NID_undef && + sct->sig != NULL && sct->sig_len > 0; } sct_source_t diff --git a/lib/libcrypto/ct/ct_sct_ctx.c b/lib/libcrypto/ct/ct_sct_ctx.c index 4283cb88aa9..2752bd6bbe3 100644 --- a/lib/libcrypto/ct/ct_sct_ctx.c +++ b/lib/libcrypto/ct/ct_sct_ctx.c @@ -23,10 +23,10 @@ SCT_CTX * SCT_CTX_new(void) { - SCT_CTX *sctx = OPENSSL_zalloc(sizeof(*sctx)); + SCT_CTX *sctx = calloc(1, sizeof(*sctx)); if (sctx == NULL) - CTerr(CT_F_SCT_CTX_NEW, ERR_R_MALLOC_FAILURE); + CTerror(ERR_R_MALLOC_FAILURE); return sctx; } @@ -37,11 +37,11 @@ SCT_CTX_free(SCT_CTX *sctx) if (sctx == NULL) return; EVP_PKEY_free(sctx->pkey); - OPENSSL_free(sctx->pkeyhash); - OPENSSL_free(sctx->ihash); - OPENSSL_free(sctx->certder); - OPENSSL_free(sctx->preder); - OPENSSL_free(sctx); + free(sctx->pkeyhash); + free(sctx->ihash); + free(sctx->certder); + free(sctx->preder); + free(sctx); } /* @@ -66,7 +66,7 @@ ct_x509_get_ext(X509 *cert, int nid, int *is_duplicated) * AKID from the presigner certificate, if necessary. * Returns 1 on success, 0 otherwise. */ -__owur static int +static int ct_x509_cert_fixup(X509 *cert, X509 *presigner) { int preidx, certidx; @@ -181,23 +181,23 @@ SCT_CTX_set1_cert(SCT_CTX *sctx, X509 *cert, X509 *presigner) X509_free(pretmp); - OPENSSL_free(sctx->certder); + free(sctx->certder); sctx->certder = certder; sctx->certderlen = certderlen; - OPENSSL_free(sctx->preder); + free(sctx->preder); sctx->preder = preder; sctx->prederlen = prederlen; return 1; err: - OPENSSL_free(certder); - OPENSSL_free(preder); + free(certder); + free(preder); X509_free(pretmp); return 0; } -__owur static int +static int ct_public_key_hash(X509_PUBKEY *pkey, unsigned char **hash, size_t *hash_len) { int ret = 0; @@ -209,7 +209,7 @@ ct_public_key_hash(X509_PUBKEY *pkey, unsigned char **hash, size_t *hash_len) if (*hash != NULL && *hash_len >= SHA256_DIGEST_LENGTH) { md = *hash; } else { - md = OPENSSL_malloc(SHA256_DIGEST_LENGTH); + md = malloc(SHA256_DIGEST_LENGTH); if (md == NULL) goto err; } @@ -223,7 +223,7 @@ ct_public_key_hash(X509_PUBKEY *pkey, unsigned char **hash, size_t *hash_len) goto err; if (md != *hash) { - OPENSSL_free(*hash); + free(*hash); *hash = md; *hash_len = SHA256_DIGEST_LENGTH; } @@ -231,8 +231,8 @@ ct_public_key_hash(X509_PUBKEY *pkey, unsigned char **hash, size_t *hash_len) md = NULL; ret = 1; err: - OPENSSL_free(md); - OPENSSL_free(der); + free(md); + free(der); return ret; } diff --git a/lib/libcrypto/ct/ct_vfy.c b/lib/libcrypto/ct/ct_vfy.c index 74642a9304c..bde3534c972 100644 --- a/lib/libcrypto/ct/ct_vfy.c +++ b/lib/libcrypto/ct/ct_vfy.c @@ -32,6 +32,7 @@ sct_ctx_update(EVP_MD_CTX *ctx, const SCT_CTX *sctx, const SCT *sct) unsigned char tmpbuf[12]; unsigned char *p, *der; size_t derlen; + /*+ * digitally-signed struct { * (1 byte) Version sct_version; @@ -102,21 +103,22 @@ SCT_CTX_verify(const SCT_CTX *sctx, const SCT *sct) if (!SCT_is_complete(sct) || sctx->pkey == NULL || sct->entry_type == CT_LOG_ENTRY_TYPE_NOT_SET || - (sct->entry_type == CT_LOG_ENTRY_TYPE_PRECERT && sctx->ihash == NULL)) { - CTerr(CT_F_SCT_CTX_VERIFY, CT_R_SCT_NOT_SET); + (sct->entry_type == CT_LOG_ENTRY_TYPE_PRECERT && + sctx->ihash == NULL)) { + CTerror(CT_R_SCT_NOT_SET); return 0; } if (sct->version != SCT_VERSION_V1) { - CTerr(CT_F_SCT_CTX_VERIFY, CT_R_SCT_UNSUPPORTED_VERSION); + CTerror(CT_R_SCT_UNSUPPORTED_VERSION); return 0; } if (sct->log_id_len != sctx->pkeyhashlen || memcmp(sct->log_id, sctx->pkeyhash, sctx->pkeyhashlen) != 0) { - CTerr(CT_F_SCT_CTX_VERIFY, CT_R_SCT_LOG_ID_MISMATCH); + CTerror(CT_R_SCT_LOG_ID_MISMATCH); return 0; } if (sct->timestamp > sctx->epoch_time_in_ms) { - CTerr(CT_F_SCT_CTX_VERIFY, CT_R_SCT_FUTURE_TIMESTAMP); + CTerror(CT_R_SCT_FUTURE_TIMESTAMP); return 0; } @@ -134,7 +136,7 @@ SCT_CTX_verify(const SCT_CTX *sctx, const SCT *sct) ret = EVP_DigestVerifyFinal(ctx, sct->sig, sct->sig_len); /* If ret < 0 some other error: fall through without setting error */ if (ret == 0) - CTerr(CT_F_SCT_CTX_VERIFY, CT_R_SCT_INVALID_SIGNATURE); + CTerror(CT_R_SCT_INVALID_SIGNATURE); end: EVP_MD_CTX_free(ctx); diff --git a/lib/libcrypto/ct/ct_x509v3.c b/lib/libcrypto/ct/ct_x509v3.c index 32312e2c6b3..169d6c3b5c5 100644 --- a/lib/libcrypto/ct/ct_x509v3.c +++ b/lib/libcrypto/ct/ct_x509v3.c @@ -11,12 +11,14 @@ # error "CT is disabled" #endif +#include + #include "ct_local.h" static char * i2s_poison(const X509V3_EXT_METHOD *method, void *val) { - return OPENSSL_strdup("NULL"); + return strdup("NULL"); } static void * @@ -63,8 +65,8 @@ x509_ext_d2i_SCT_LIST(STACK_OF(SCT) **a, const unsigned char **pp, long len) return s; } -static STACK_OF(SCT) *o -csp_ext_d2i_SCT_LIST(STACK_OF(SCT) **a, const unsigned char **pp, long len) +static STACK_OF(SCT) * +ocsp_ext_d2i_SCT_LIST(STACK_OF(SCT) **a, const unsigned char **pp, long len) { STACK_OF(SCT) *s = d2i_SCT_LIST(a, pp, len); @@ -88,7 +90,7 @@ const X509V3_EXT_METHOD v3_ct_scts[3] = { NULL }, /* X509v3 extension to mark a certificate as a pre-certificate */ - { NID_ct_precert_poison, 0, ASN1_ITEM_ref(ASN1_NULL), + { NID_ct_precert_poison, 0, &ASN1_NULL_it, NULL, NULL, NULL, NULL, i2s_poison, s2i_poison, NULL, NULL, diff --git a/lib/libcrypto/ct/cterr.h b/lib/libcrypto/ct/cterr.h index feb7bc56632..4ef1b67f984 100644 --- a/lib/libcrypto/ct/cterr.h +++ b/lib/libcrypto/ct/cterr.h @@ -1,5 +1,4 @@ /* - * Generated by util/mkerr.pl DO NOT EDIT * Copyright 1995-2019 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the OpenSSL license (the "License"). You may not use @@ -11,17 +10,14 @@ #ifndef HEADER_CTERR_H # define HEADER_CTERR_H -# ifndef HEADER_SYMHACKS_H -# include -# endif - # include # ifndef OPENSSL_NO_CT -# ifdef __cplusplus +#ifdef __cplusplus extern "C" -# endif +#endif + int ERR_load_CT_strings(void); /* -- 2.20.1