Make the certificate transparency code build with the rest of the library

Do not expose it yet, this will wait for an upcoming bump

ok tb@

8 files changed, 86 insertions, 7 deletions

diff --git a/src/lib/libcrypto/Makefile b/src/lib/libcrypto/Makefile
index fba3871e73..1a026f7c60 100644
--- a/src/lib/libcrypto/Makefile
+++ b/src/lib/libcrypto/Makefile
@@ -1,4 +1,4 @@
-# $OpenBSD: Makefile,v 1.50 2021/11/20 18:10:52 jsing Exp $
+# $OpenBSD: Makefile,v 1.51 2021/11/24 01:12:43 beck Exp $
 
 LIB=    crypto
 LIBREBUILD=y
@@ -18,7 +18,7 @@ CFLAGS+= -Wall -Wundef
 .if ${COMPILER_VERSION:L} == "clang"
 CFLAGS+= -Werror
 .endif
-CFLAGS+= -DLIBRESSL_INTERNAL
+CFLAGS+= -DLIBRESSL_INTERNAL -DLIBRESSL_CRYPTO_INTERNAL
 
 .if !defined(NOPIC)
 CFLAGS+= -DDSO_DLFCN -DHAVE_DLFCN_H -DHAVE_FUNOPEN
@@ -112,6 +112,10 @@ SRCS+= comp_lib.c comp_err.c c_rle.c c_zlib.c
 SRCS+= conf_err.c conf_lib.c conf_api.c conf_def.c conf_mod.c
 SRCS+= conf_mall.c conf_sap.c
 
+# ct/
+SRCS += ct_b64.c ct_err.c ct_log.c ct_oct.c ct_policy.c
+SRCS += ct_prn.c ct_sct.c ct_sct_ctx.c ct_vfy.c ct_x509v3.c
+
 # curve25519/
 SRCS+= curve25519.c curve25519-generic.c
 
@@ -301,6 +305,7 @@ SRCS+= pcy_cache.c pcy_node.c pcy_data.c pcy_map.c pcy_tree.c pcy_lib.c
         ${LCRYPTO_SRC}/cms \
         ${LCRYPTO_SRC}/comp \
         ${LCRYPTO_SRC}/conf \
+        ${LCRYPTO_SRC}/ct \
         ${LCRYPTO_SRC}/curve25519 \
         ${LCRYPTO_SRC}/des \
         ${LCRYPTO_SRC}/dh \
@@ -360,6 +365,8 @@ HDRS=\
         ${LCRYPTO_SRC}/conf/conf.h \
         ${LCRYPTO_SRC}/conf/conf_api.h \
         ${LCRYPTO_SRC}/crypto.h \
+        ${LCRYPTO_SRC}/ct/ct.h \
+        ${LCRYPTO_SRC}/ct/cterr.h \
         ${LCRYPTO_SRC}/curve25519/curve25519.h \
         ${LCRYPTO_SRC}/des/des.h \
         ${LCRYPTO_SRC}/dh/dh.h \
diff --git a/src/lib/libcrypto/cryptlib.h b/src/lib/libcrypto/cryptlib.h
index d44738bf3c..6c3731d971 100644
--- a/src/lib/libcrypto/cryptlib.h
+++ b/src/lib/libcrypto/cryptlib.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: cryptlib.h,v 1.25 2016/11/04 17:30:30 miod Exp $ */
+/* $OpenBSD: cryptlib.h,v 1.26 2021/11/24 01:12:43 beck Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
  * All rights reserved.
  *
@@ -72,6 +72,9 @@ extern "C" {
 #define X509_CERT_DIR_EVP        "SSL_CERT_DIR"
 #define X509_CERT_FILE_EVP       "SSL_CERT_FILE"
 
+#define CTLOG_FILE              OPENSSLDIR "/ct_log_list.cnf"
+#define CTLOG_FILE_EVP          "CTLOG_FILE"
+
 void OPENSSL_cpuid_setup(void);
 
 #ifdef  __cplusplus
diff --git a/src/lib/libcrypto/err/err.h b/src/lib/libcrypto/err/err.h
index 22cdb2987f..20fa9084a6 100644
--- a/src/lib/libcrypto/err/err.h
+++ b/src/lib/libcrypto/err/err.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: err.h,v 1.25 2017/02/20 23:21:19 beck Exp $ */
+/* $OpenBSD: err.h,v 1.26 2021/11/24 01:12:43 beck Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
  * All rights reserved.
  *
@@ -196,6 +196,7 @@ typedef struct err_state_st {
 #define ERR_LIB_HMAC            48
 #define ERR_LIB_JPAKE           49
 #define ERR_LIB_GOST            50
+#define ERR_LIB_CT              51
 
 #define ERR_LIB_USER            128
 
@@ -234,6 +235,7 @@ typedef struct err_state_st {
 #define JPAKEerr(f,r) ERR_PUT_error(ERR_LIB_JPAKE,(f),(r),__FILE__,__LINE__)
 #define GOSTerr(f,r) ERR_PUT_error(ERR_LIB_GOST,(f),(r),__FILE__,__LINE__)
 #define SSLerr(f,r)  ERR_PUT_error(ERR_LIB_SSL,(f),(r),__FILE__,__LINE__)
+#define CTerr(f, r) ERR_PUT_error(ERR_LIB_CT,(f),(r),__FILE__,__LINE__)
 #endif
 
 #ifdef LIBRESSL_INTERNAL
@@ -270,6 +272,7 @@ typedef struct err_state_st {
 #define HMACerror(r) ERR_PUT_error(ERR_LIB_HMAC,(0xfff),(r),__FILE__,__LINE__)
 #define JPAKEerror(r) ERR_PUT_error(ERR_LIB_JPAKE,(0xfff),(r),__FILE__,__LINE__)
 #define GOSTerror(r) ERR_PUT_error(ERR_LIB_GOST,(0xfff),(r),__FILE__,__LINE__)
+#define CTerror(r) ERR_PUT_error(ERR_LIB_CT,(0xfff),(r),__FILE__,__LINE__)
 #endif
 
 #define ERR_PACK(l,f,r)         (((((unsigned long)l)&0xffL)<<24L)| \
diff --git a/src/lib/libcrypto/objects/obj_mac.num b/src/lib/libcrypto/objects/obj_mac.num
index 26d3d458cf..cbde51906e 100644
--- a/src/lib/libcrypto/objects/obj_mac.num
+++ b/src/lib/libcrypto/objects/obj_mac.num
@@ -1015,3 +1015,7 @@ id_ct_signedChecklist		1014
 id_kp_bgpsec_router             1015
 tlsfeature      1016
 id_ct_ASPA      1017
+ct_precert_scts 1018
+ct_precert_poison       1019
+ct_precert_signer       1020
+ct_cert_scts            1021
diff --git a/src/lib/libcrypto/objects/objects.txt b/src/lib/libcrypto/objects/objects.txt
index b2f1cc6121..33b780ff33 100644
--- a/src/lib/libcrypto/objects/objects.txt
+++ b/src/lib/libcrypto/objects/objects.txt
@@ -1357,6 +1357,12 @@ secg-scheme 14 3 : dhSinglePass-cofactorDH-sha512kdf-scheme
                  : dh-std-kdf
                  : dh-cofactor-kdf
 
+# RFC 6962 Extension OIDs (see http://www.ietf.org/rfc/rfc6962.txt)
+1 3 6 1 4 1 11129 2 4 2 : ct_precert_scts               : CT Precertificate SCTs
+1 3 6 1 4 1 11129 2 4 3 : ct_precert_poison             : CT Precertificate Poison
+1 3 6 1 4 1 11129 2 4 4 : ct_precert_signer             : CT Precertificate Signer
+1 3 6 1 4 1 11129 2 4 5 : ct_cert_scts                  : CT Certificate SCTs
+
 identified-organization 36              : teletrust
 teletrust 3 3 2 8 1 : brainpool
 brainpool 1 1 : brainpoolP160r1
diff --git a/src/lib/libcrypto/opensslfeatures.h b/src/lib/libcrypto/opensslfeatures.h
index 49a5f15b59..b6b1904003 100644
--- a/src/lib/libcrypto/opensslfeatures.h
+++ b/src/lib/libcrypto/opensslfeatures.h
@@ -40,7 +40,9 @@
 #define OPENSSL_NO_COMP /* XXX */
 /* #define OPENSSL_NO_CRYPTO_MDEBUG */
 /* #define OPENSSL_NO_CRYPTO_MDEBUG_BACKTRACE */
-/* #define OPENSSL_NO_CT */
+#ifndef LIBRESSL_CRYPTO_INTERNAL
+#define OPENSSL_NO_CT  /* XXX until we expose it */
+#endif
 /* #define OPENSSL_NO_DECC_INIT */
 /* #define OPENSSL_NO_DES */
 /* #define OPENSSL_NO_DEVCRYPTOENG */
diff --git a/src/lib/libcrypto/ossl_typ.h b/src/lib/libcrypto/ossl_typ.h
index 99f120644f..6463084198 100644
--- a/src/lib/libcrypto/ossl_typ.h
+++ b/src/lib/libcrypto/ossl_typ.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: ossl_typ.h,v 1.14 2021/11/01 20:53:08 tb Exp $ */
+/* $OpenBSD: ossl_typ.h,v 1.15 2021/11/24 01:12:43 beck Exp $ */
 /* ====================================================================
  * Copyright (c) 1998-2001 The OpenSSL Project.  All rights reserved.
  *
@@ -176,4 +176,12 @@ typedef struct ocsp_req_ctx_st OCSP_REQ_CTX;
 typedef struct ocsp_response_st OCSP_RESPONSE;
 typedef struct ocsp_responder_id_st OCSP_RESPID;
 
+#ifdef LIBRESSL_CRYPTO_INTERNAL
+typedef struct sct_st SCT;
+typedef struct sct_ctx_st SCT_CTX;
+typedef struct ctlog_st CTLOG;
+typedef struct ctlog_store_st CTLOG_STORE;
+typedef struct ct_policy_eval_ctx_st CT_POLICY_EVAL_CTX;
+#endif
+
 #endif /* def HEADER_OPENSSL_TYPES_H */
diff --git a/src/lib/libcrypto/stack/safestack.h b/src/lib/libcrypto/stack/safestack.h
index 690912b306..dbcb9ef350 100644
--- a/src/lib/libcrypto/stack/safestack.h
+++ b/src/lib/libcrypto/stack/safestack.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: safestack.h,v 1.18 2019/08/11 14:14:14 jsing Exp $ */
+/* $OpenBSD: safestack.h,v 1.19 2021/11/24 01:12:43 beck Exp $ */
 /* ====================================================================
  * Copyright (c) 1999 The OpenSSL Project.  All rights reserved.
  *
@@ -2179,4 +2179,50 @@ DECLARE_SPECIAL_STACK_OF(OPENSSL_BLOCK, void)
   LHM_lh_stats_bio(SSL_SESSION,lh,out)
 #define lh_SSL_SESSION_free(lh) LHM_lh_free(SSL_SESSION,lh)
 
+#ifdef LIBRESSL_CRYPTO_INTERNAL
+#define sk_CTLOG_new(cmp) SKM_sk_new(CTLOG, (cmp))
+#define sk_CTLOG_new_null() SKM_sk_new_null(CTLOG)
+#define sk_CTLOG_free(st) SKM_sk_free(CTLOG, (st))
+#define sk_CTLOG_num(st) SKM_sk_num(CTLOG, (st))
+#define sk_CTLOG_value(st, i) SKM_sk_value(CTLOG, (st), (i))
+#define sk_CTLOG_set(st, i, val) SKM_sk_set(CTLOG, (st), (i), (val))
+#define sk_CTLOG_zero(st) SKM_sk_zero(CTLOG, (st))
+#define sk_CTLOG_push(st, val) SKM_sk_push(CTLOG, (st), (val))
+#define sk_CTLOG_unshift(st, val) SKM_sk_unshift(CTLOG, (st), (val))
+#define sk_CTLOG_find(st, val) SKM_sk_find(CTLOG, (st), (val))
+#define sk_CTLOG_find_ex(st, val) SKM_sk_find_ex(CTLOG, (st), (val))
+#define sk_CTLOG_delete(st, i) SKM_sk_delete(CTLOG, (st), (i))
+#define sk_CTLOG_delete_ptr(st, ptr) SKM_sk_delete_ptr(CTLOG, (st), (ptr))
+#define sk_CTLOG_insert(st, val, i) SKM_sk_insert(CTLOG, (st), (val), (i))
+#define sk_CTLOG_set_cmp_func(st, cmp) SKM_sk_set_cmp_func(CTLOG, (st), (cmp))
+#define sk_CTLOG_dup(st) SKM_sk_dup(CTLOG, st)
+#define sk_CTLOG_pop_free(st, free_func) SKM_sk_pop_free(CTLOG, (st), (free_func))
+#define sk_CTLOG_shift(st) SKM_sk_shift(CTLOG, (st))
+#define sk_CTLOG_pop(st) SKM_sk_pop(CTLOG, (st))
+#define sk_CTLOG_sort(st) SKM_sk_sort(CTLOG, (st))
+#define sk_CTLOG_is_sorted(st) SKM_sk_is_sorted(CTLOG, (st))
+
+#define sk_SCT_new(cmp) SKM_sk_new(SCT, (cmp))
+#define sk_SCT_new_null() SKM_sk_new_null(SCT)
+#define sk_SCT_free(st) SKM_sk_free(SCT, (st))
+#define sk_SCT_num(st) SKM_sk_num(SCT, (st))
+#define sk_SCT_value(st, i) SKM_sk_value(SCT, (st), (i))
+#define sk_SCT_set(st, i, val) SKM_sk_set(SCT, (st), (i), (val))
+#define sk_SCT_zero(st) SKM_sk_zero(SCT, (st))
+#define sk_SCT_push(st, val) SKM_sk_push(SCT, (st), (val))
+#define sk_SCT_unshift(st, val) SKM_sk_unshift(SCT, (st), (val))
+#define sk_SCT_find(st, val) SKM_sk_find(SCT, (st), (val))
+#define sk_SCT_find_ex(st, val) SKM_sk_find_ex(SCT, (st), (val))
+#define sk_SCT_delete(st, i) SKM_sk_delete(SCT, (st), (i))
+#define sk_SCT_delete_ptr(st, ptr) SKM_sk_delete_ptr(SCT, (st), (ptr))
+#define sk_SCT_insert(st, val, i) SKM_sk_insert(SCT, (st), (val), (i))
+#define sk_SCT_set_cmp_func(st, cmp) SKM_sk_set_cmp_func(SCT, (st), (cmp))
+#define sk_SCT_dup(st) SKM_sk_dup(SCT, st)
+#define sk_SCT_pop_free(st, free_func) SKM_sk_pop_free(SCT, (st), (free_func))
+#define sk_SCT_shift(st) SKM_sk_shift(SCT, (st))
+#define sk_SCT_pop(st) SKM_sk_pop(SCT, (st))
+#define sk_SCT_sort(st) SKM_sk_sort(SCT, (st))
+#define sk_SCT_is_sorted(st) SKM_sk_is_sorted(SCT, (st))
+#endif
+
 #endif /* !defined HEADER_SAFESTACK_H */