summaryrefslogtreecommitdiff
path: root/src/lib
diff options
context:
space:
mode:
authorbeck <>2021-11-20 01:10:49 +0000
committerbeck <>2021-11-20 01:10:49 +0000
commit945f084e2204432f02dc67409d640c082c7d12b1 (patch)
tree09562d0baf42f60ea370c64468465708195ec887 /src/lib
parent3d755921799d0394eade3c0043ddc31a5a71be7c (diff)
downloadopenbsd-945f084e2204432f02dc67409d640c082c7d12b1.tar.gz
openbsd-945f084e2204432f02dc67409d640c082c7d12b1.tar.bz2
openbsd-945f084e2204432f02dc67409d640c082c7d12b1.zip
Make these files compile - not hooked up to build yet.
ok jsing@ tb@
Diffstat (limited to 'src/lib')
-rw-r--r--src/lib/libcrypto/ct/ct.h60
-rw-r--r--src/lib/libcrypto/ct/ct_b64.c35
-rw-r--r--src/lib/libcrypto/ct/ct_err.c34
-rw-r--r--src/lib/libcrypto/ct/ct_local.h33
-rw-r--r--src/lib/libcrypto/ct/ct_log.c73
-rw-r--r--src/lib/libcrypto/ct/ct_oct.c74
-rw-r--r--src/lib/libcrypto/ct/ct_policy.c12
-rw-r--r--src/lib/libcrypto/ct/ct_prn.c36
-rw-r--r--src/lib/libcrypto/ct/ct_sct.c74
-rw-r--r--src/lib/libcrypto/ct/ct_sct_ctx.c34
-rw-r--r--src/lib/libcrypto/ct/ct_vfy.c14
-rw-r--r--src/lib/libcrypto/ct/ct_x509v3.c10
-rw-r--r--src/lib/libcrypto/ct/cterr.h10
13 files changed, 279 insertions, 220 deletions
diff --git a/src/lib/libcrypto/ct/ct.h b/src/lib/libcrypto/ct/ct.h
index ac981fa0b5..9665880464 100644
--- a/src/lib/libcrypto/ct/ct.h
+++ b/src/lib/libcrypto/ct/ct.h
@@ -17,11 +17,10 @@
17#include <openssl/safestack.h> 17#include <openssl/safestack.h>
18#include <openssl/x509.h> 18#include <openssl/x509.h>
19#include <openssl/cterr.h> 19#include <openssl/cterr.h>
20#ifdef __cplusplus 20#ifdef __cplusplus
21extern "C" { 21extern "C" {
22#endif 22#endif
23 23
24
25/* Minimum RSA key size, from RFC6962 */ 24/* Minimum RSA key size, from RFC6962 */
26#define SCT_MIN_RSA_BITS 2048 25#define SCT_MIN_RSA_BITS 2048
27 26
@@ -55,8 +54,8 @@ typedef enum {
55 SCT_VALIDATION_STATUS_UNKNOWN_VERSION 54 SCT_VALIDATION_STATUS_UNKNOWN_VERSION
56} sct_validation_status_t; 55} sct_validation_status_t;
57 56
58DEFINE_STACK_OF(SCT) 57DECLARE_STACK_OF(SCT)
59DEFINE_STACK_OF(CTLOG) 58DECLARE_STACK_OF(CTLOG)
60 59
61/****************************************** 60/******************************************
62 * CT policy evaluation context functions * 61 * CT policy evaluation context functions *
@@ -128,12 +127,9 @@ SCT *SCT_new(void);
128 * Creates a new SCT from some base64-encoded strings. 127 * Creates a new SCT from some base64-encoded strings.
129 * The caller is responsible for calling SCT_free when finished with the SCT. 128 * The caller is responsible for calling SCT_free when finished with the SCT.
130 */ 129 */
131SCT *SCT_new_from_base64(unsigned char version, 130SCT *SCT_new_from_base64(unsigned char version, const char *logid_base64,
132 const char *logid_base64, 131 ct_log_entry_type_t entry_type, uint64_t timestamp,
133 ct_log_entry_type_t entry_type, 132 const char *extensions_base64, const char *signature_base64);
134 uint64_t timestamp,
135 const char *extensions_base64,
136 const char *signature_base64);
137 133
138/* 134/*
139 * Frees the SCT and the underlying data structures. 135 * Frees the SCT and the underlying data structures.
@@ -155,7 +151,7 @@ sct_version_t SCT_get_version(const SCT *sct);
155 * Set the version of an SCT. 151 * Set the version of an SCT.
156 * Returns 1 on success, 0 if the version is unrecognized. 152 * Returns 1 on success, 0 if the version is unrecognized.
157 */ 153 */
158__owur int SCT_set_version(SCT *sct, sct_version_t version); 154int SCT_set_version(SCT *sct, sct_version_t version);
159 155
160/* 156/*
161 * Returns the log entry type of the SCT. 157 * Returns the log entry type of the SCT.
@@ -166,7 +162,7 @@ ct_log_entry_type_t SCT_get_log_entry_type(const SCT *sct);
166 * Set the log entry type of an SCT. 162 * Set the log entry type of an SCT.
167 * Returns 1 on success, 0 otherwise. 163 * Returns 1 on success, 0 otherwise.
168 */ 164 */
169__owur int SCT_set_log_entry_type(SCT *sct, ct_log_entry_type_t entry_type); 165int SCT_set_log_entry_type(SCT *sct, ct_log_entry_type_t entry_type);
170 166
171/* 167/*
172 * Gets the ID of the log that an SCT came from. 168 * Gets the ID of the log that an SCT came from.
@@ -180,14 +176,14 @@ size_t SCT_get0_log_id(const SCT *sct, unsigned char **log_id);
180 * The SCT takes ownership of the specified pointer. 176 * The SCT takes ownership of the specified pointer.
181 * Returns 1 on success, 0 otherwise. 177 * Returns 1 on success, 0 otherwise.
182 */ 178 */
183__owur int SCT_set0_log_id(SCT *sct, unsigned char *log_id, size_t log_id_len); 179int SCT_set0_log_id(SCT *sct, unsigned char *log_id, size_t log_id_len);
184 180
185/* 181/*
186 * Set the log ID of an SCT. 182 * Set the log ID of an SCT.
187 * This makes a copy of the log_id. 183 * This makes a copy of the log_id.
188 * Returns 1 on success, 0 otherwise. 184 * Returns 1 on success, 0 otherwise.
189 */ 185 */
190__owur int SCT_set1_log_id(SCT *sct, const unsigned char *log_id, 186int SCT_set1_log_id(SCT *sct, const unsigned char *log_id,
191 size_t log_id_len); 187 size_t log_id_len);
192 188
193/* 189/*
@@ -213,7 +209,7 @@ int SCT_get_signature_nid(const SCT *sct);
213 * NID_ecdsa_with_SHA256. 209 * NID_ecdsa_with_SHA256.
214 * Returns 1 on success, 0 otherwise. 210 * Returns 1 on success, 0 otherwise.
215 */ 211 */
216__owur int SCT_set_signature_nid(SCT *sct, int nid); 212int SCT_set_signature_nid(SCT *sct, int nid);
217 213
218/* 214/*
219 * Set *ext to point to the extension data for the SCT. ext must not be NULL. 215 * Set *ext to point to the extension data for the SCT. ext must not be NULL.
@@ -233,7 +229,7 @@ void SCT_set0_extensions(SCT *sct, unsigned char *ext, size_t ext_len);
233 * This takes a copy of the ext. 229 * This takes a copy of the ext.
234 * Returns 1 on success, 0 otherwise. 230 * Returns 1 on success, 0 otherwise.
235 */ 231 */
236__owur int SCT_set1_extensions(SCT *sct, const unsigned char *ext, 232int SCT_set1_extensions(SCT *sct, const unsigned char *ext,
237 size_t ext_len); 233 size_t ext_len);
238 234
239/* 235/*
@@ -253,8 +249,8 @@ void SCT_set0_signature(SCT *sct, unsigned char *sig, size_t sig_len);
253 * Set the signature of an SCT to be a copy of the *sig specified. 249 * Set the signature of an SCT to be a copy of the *sig specified.
254 * Returns 1 on success, 0 otherwise. 250 * Returns 1 on success, 0 otherwise.
255 */ 251 */
256__owur int SCT_set1_signature(SCT *sct, const unsigned char *sig, 252int SCT_set1_signature(SCT *sct, const unsigned char *sig,
257 size_t sig_len); 253 size_t sig_len);
258 254
259/* 255/*
260 * The origin of this SCT, e.g. TLS extension, OCSP response, etc. 256 * The origin of this SCT, e.g. TLS extension, OCSP response, etc.
@@ -265,7 +261,7 @@ sct_source_t SCT_get_source(const SCT *sct);
265 * Set the origin of this SCT, e.g. TLS extension, OCSP response, etc. 261 * Set the origin of this SCT, e.g. TLS extension, OCSP response, etc.
266 * Returns 1 on success, 0 otherwise. 262 * Returns 1 on success, 0 otherwise.
267 */ 263 */
268__owur int SCT_set_source(SCT *sct, sct_source_t source); 264int SCT_set_source(SCT *sct, sct_source_t source);
269 265
270/* 266/*
271 * Returns a text string describing the validation status of |sct|. 267 * Returns a text string describing the validation status of |sct|.
@@ -303,7 +299,7 @@ sct_validation_status_t SCT_get_validation_status(const SCT *sct);
303 * Returns 0 if the SCT is invalid or could not be verified. 299 * Returns 0 if the SCT is invalid or could not be verified.
304 * Returns -1 if an error occurs. 300 * Returns -1 if an error occurs.
305 */ 301 */
306__owur int SCT_validate(SCT *sct, const CT_POLICY_EVAL_CTX *ctx); 302int SCT_validate(SCT *sct, const CT_POLICY_EVAL_CTX *ctx);
307 303
308/* 304/*
309 * Validates the given list of SCTs with the provided context. 305 * Validates the given list of SCTs with the provided context.
@@ -312,7 +308,7 @@ __owur int SCT_validate(SCT *sct, const CT_POLICY_EVAL_CTX *ctx);
312 * Returns 0 if at least one SCT is invalid or could not be verified. 308 * Returns 0 if at least one SCT is invalid or could not be verified.
313 * Returns a negative integer if an error occurs. 309 * Returns a negative integer if an error occurs.
314 */ 310 */
315__owur int SCT_LIST_validate(const STACK_OF(SCT) *scts, 311int SCT_LIST_validate(const STACK_OF(SCT) *scts,
316 CT_POLICY_EVAL_CTX *ctx); 312 CT_POLICY_EVAL_CTX *ctx);
317 313
318 314
@@ -332,7 +328,7 @@ __owur int SCT_LIST_validate(const STACK_OF(SCT) *scts,
332 * Returns < 0 on error, >= 0 indicating bytes written (or would have been) 328 * Returns < 0 on error, >= 0 indicating bytes written (or would have been)
333 * on success. 329 * on success.
334 */ 330 */
335__owur int i2o_SCT_LIST(const STACK_OF(SCT) *a, unsigned char **pp); 331int i2o_SCT_LIST(const STACK_OF(SCT) *a, unsigned char **pp);
336 332
337/* 333/*
338 * Convert TLS format SCT list to a stack of SCTs. 334 * Convert TLS format SCT list to a stack of SCTs.
@@ -359,7 +355,7 @@ STACK_OF(SCT) *o2i_SCT_LIST(STACK_OF(SCT) **a, const unsigned char **pp,
359 * Returns < 0 on error, >= 0 indicating bytes written (or would have been) 355 * Returns < 0 on error, >= 0 indicating bytes written (or would have been)
360 * on success. 356 * on success.
361 */ 357 */
362__owur int i2d_SCT_LIST(const STACK_OF(SCT) *a, unsigned char **pp); 358int i2d_SCT_LIST(const STACK_OF(SCT) *a, unsigned char **pp);
363 359
364/* 360/*
365 * Parses an SCT list in DER format and returns it. 361 * Parses an SCT list in DER format and returns it.
@@ -383,7 +379,7 @@ STACK_OF(SCT) *d2i_SCT_LIST(STACK_OF(SCT) **a, const unsigned char **pp,
383 * to it. 379 * to it.
384 * The length of the SCT in TLS format will be returned. 380 * The length of the SCT in TLS format will be returned.
385 */ 381 */
386__owur int i2o_SCT(const SCT *sct, unsigned char **out); 382int i2o_SCT(const SCT *sct, unsigned char **out);
387 383
388/* 384/*
389 * Parses an SCT in TLS format and returns it. 385 * Parses an SCT in TLS format and returns it.
@@ -416,8 +412,8 @@ CTLOG *CTLOG_new(EVP_PKEY *public_key, const char *name);
416 * Returns 1 on success, 0 on failure. 412 * Returns 1 on success, 0 on failure.
417 * Should be deleted by the caller using CTLOG_free when no longer needed. 413 * Should be deleted by the caller using CTLOG_free when no longer needed.
418 */ 414 */
419int CTLOG_new_from_base64(CTLOG ** ct_log, 415int CTLOG_new_from_base64(CTLOG **ct_log, const char *pkey_base64,
420 const char *pkey_base64, const char *name); 416 const char *name);
421 417
422/* 418/*
423 * Deletes a CT log instance and its fields. 419 * Deletes a CT log instance and its fields.
@@ -428,7 +424,7 @@ void CTLOG_free(CTLOG *log);
428const char *CTLOG_get0_name(const CTLOG *log); 424const char *CTLOG_get0_name(const CTLOG *log);
429/* Gets the ID of the CT log */ 425/* Gets the ID of the CT log */
430void CTLOG_get0_log_id(const CTLOG *log, const uint8_t **log_id, 426void CTLOG_get0_log_id(const CTLOG *log, const uint8_t **log_id,
431 size_t *log_id_len); 427 size_t *log_id_len);
432/* Gets the public key of the CT log */ 428/* Gets the public key of the CT log */
433EVP_PKEY *CTLOG_get0_public_key(const CTLOG *log); 429EVP_PKEY *CTLOG_get0_public_key(const CTLOG *log);
434 430
@@ -458,16 +454,16 @@ const CTLOG *CTLOG_STORE_get0_log_by_id(const CTLOG_STORE *store,
458 * Loads a CT log list into a |store| from a |file|. 454 * Loads a CT log list into a |store| from a |file|.
459 * Returns 1 if loading is successful, or 0 otherwise. 455 * Returns 1 if loading is successful, or 0 otherwise.
460 */ 456 */
461__owur int CTLOG_STORE_load_file(CTLOG_STORE *store, const char *file); 457int CTLOG_STORE_load_file(CTLOG_STORE *store, const char *file);
462 458
463/* 459/*
464 * Loads the default CT log list into a |store|. 460 * Loads the default CT log list into a |store|.
465 * Returns 1 if loading is successful, or 0 otherwise. 461 * Returns 1 if loading is successful, or 0 otherwise.
466 */ 462 */
467__owur int CTLOG_STORE_load_default_file(CTLOG_STORE *store); 463int CTLOG_STORE_load_default_file(CTLOG_STORE *store);
468 464
469# ifdef __cplusplus 465#ifdef __cplusplus
470} 466}
471# endif 467#endif
472# endif 468#endif
473#endif 469#endif
diff --git a/src/lib/libcrypto/ct/ct_b64.c b/src/lib/libcrypto/ct/ct_b64.c
index 8ca5f469df..da182c9626 100644
--- a/src/lib/libcrypto/ct/ct_b64.c
+++ b/src/lib/libcrypto/ct/ct_b64.c
@@ -34,19 +34,22 @@ ct_base64_decode(const char *in, unsigned char **out)
34 } 34 }
35 35
36 outlen = (inlen / 4) * 3; 36 outlen = (inlen / 4) * 3;
37 outbuf = OPENSSL_malloc(outlen); 37 outbuf = malloc(outlen);
38 if (outbuf == NULL) { 38 if (outbuf == NULL) {
39 CTerr(CT_F_CT_BASE64_DECODE, ERR_R_MALLOC_FAILURE); 39 CTerror(ERR_R_MALLOC_FAILURE);
40 goto err; 40 goto err;
41 } 41 }
42 42
43 outlen = EVP_DecodeBlock(outbuf, (unsigned char *)in, inlen); 43 outlen = EVP_DecodeBlock(outbuf, (unsigned char *)in, inlen);
44 if (outlen < 0) { 44 if (outlen < 0) {
45 CTerr(CT_F_CT_BASE64_DECODE, CT_R_BASE64_DECODE_ERROR); 45 CTerror(CT_R_BASE64_DECODE_ERROR);
46 goto err; 46 goto err;
47 } 47 }
48 48
49 /* Subtract padding bytes from |outlen|. Any more than 2 is malformed. */ 49 /*
50 * Subtract padding bytes from |outlen|.
51 * Any more than 2 is malformed.
52 */
50 i = 0; 53 i = 0;
51 while (in[--inlen] == '=') { 54 while (in[--inlen] == '=') {
52 --outlen; 55 --outlen;
@@ -57,7 +60,7 @@ ct_base64_decode(const char *in, unsigned char **out)
57 *out = outbuf; 60 *out = outbuf;
58 return outlen; 61 return outlen;
59 err: 62 err:
60 OPENSSL_free(outbuf); 63 free(outbuf);
61 return -1; 64 return -1;
62} 65}
63 66
@@ -72,7 +75,7 @@ SCT_new_from_base64(unsigned char version, const char *logid_base64,
72 int declen; 75 int declen;
73 76
74 if (sct == NULL) { 77 if (sct == NULL) {
75 CTerr(CT_F_SCT_NEW_FROM_BASE64, ERR_R_MALLOC_FAILURE); 78 CTerror(ERR_R_MALLOC_FAILURE);
76 return NULL; 79 return NULL;
77 } 80 }
78 81
@@ -81,13 +84,13 @@ SCT_new_from_base64(unsigned char version, const char *logid_base64,
81 * can only construct SCT versions that have been defined. 84 * can only construct SCT versions that have been defined.
82 */ 85 */
83 if (!SCT_set_version(sct, version)) { 86 if (!SCT_set_version(sct, version)) {
84 CTerr(CT_F_SCT_NEW_FROM_BASE64, CT_R_SCT_UNSUPPORTED_VERSION); 87 CTerror(CT_R_SCT_UNSUPPORTED_VERSION);
85 goto err; 88 goto err;
86 } 89 }
87 90
88 declen = ct_base64_decode(logid_base64, &dec); 91 declen = ct_base64_decode(logid_base64, &dec);
89 if (declen < 0) { 92 if (declen < 0) {
90 CTerr(CT_F_SCT_NEW_FROM_BASE64, X509_R_BASE64_DECODE_ERROR); 93 CTerror(X509_R_BASE64_DECODE_ERROR);
91 goto err; 94 goto err;
92 } 95 }
93 if (!SCT_set0_log_id(sct, dec, declen)) 96 if (!SCT_set0_log_id(sct, dec, declen))
@@ -96,7 +99,7 @@ SCT_new_from_base64(unsigned char version, const char *logid_base64,
96 99
97 declen = ct_base64_decode(extensions_base64, &dec); 100 declen = ct_base64_decode(extensions_base64, &dec);
98 if (declen < 0) { 101 if (declen < 0) {
99 CTerr(CT_F_SCT_NEW_FROM_BASE64, X509_R_BASE64_DECODE_ERROR); 102 CTerror(X509_R_BASE64_DECODE_ERROR);
100 goto err; 103 goto err;
101 } 104 }
102 SCT_set0_extensions(sct, dec, declen); 105 SCT_set0_extensions(sct, dec, declen);
@@ -104,14 +107,14 @@ SCT_new_from_base64(unsigned char version, const char *logid_base64,
104 107
105 declen = ct_base64_decode(signature_base64, &dec); 108 declen = ct_base64_decode(signature_base64, &dec);
106 if (declen < 0) { 109 if (declen < 0) {
107 CTerr(CT_F_SCT_NEW_FROM_BASE64, X509_R_BASE64_DECODE_ERROR); 110 CTerror(X509_R_BASE64_DECODE_ERROR);
108 goto err; 111 goto err;
109 } 112 }
110 113
111 p = dec; 114 p = dec;
112 if (o2i_SCT_signature(sct, &p, declen) <= 0) 115 if (o2i_SCT_signature(sct, &p, declen) <= 0)
113 goto err; 116 goto err;
114 OPENSSL_free(dec); 117 free(dec);
115 dec = NULL; 118 dec = NULL;
116 119
117 SCT_set_timestamp(sct, timestamp); 120 SCT_set_timestamp(sct, timestamp);
@@ -122,7 +125,7 @@ SCT_new_from_base64(unsigned char version, const char *logid_base64,
122 return sct; 125 return sct;
123 126
124 err: 127 err:
125 OPENSSL_free(dec); 128 free(dec);
126 SCT_free(sct); 129 SCT_free(sct);
127 return NULL; 130 return NULL;
128} 131}
@@ -142,21 +145,21 @@ CTLOG_new_from_base64(CTLOG **ct_log, const char *pkey_base64, const char *name)
142 EVP_PKEY *pkey = NULL; 145 EVP_PKEY *pkey = NULL;
143 146
144 if (ct_log == NULL) { 147 if (ct_log == NULL) {
145 CTerr(CT_F_CTLOG_NEW_FROM_BASE64, ERR_R_PASSED_INVALID_ARGUMENT); 148 CTerror(ERR_R_PASSED_NULL_PARAMETER);
146 return 0; 149 return 0;
147 } 150 }
148 151
149 pkey_der_len = ct_base64_decode(pkey_base64, &pkey_der); 152 pkey_der_len = ct_base64_decode(pkey_base64, &pkey_der);
150 if (pkey_der_len < 0) { 153 if (pkey_der_len < 0) {
151 CTerr(CT_F_CTLOG_NEW_FROM_BASE64, CT_R_LOG_CONF_INVALID_KEY); 154 CTerror(CT_R_LOG_CONF_INVALID_KEY);
152 return 0; 155 return 0;
153 } 156 }
154 157
155 p = pkey_der; 158 p = pkey_der;
156 pkey = d2i_PUBKEY(NULL, &p, pkey_der_len); 159 pkey = d2i_PUBKEY(NULL, &p, pkey_der_len);
157 OPENSSL_free(pkey_der); 160 free(pkey_der);
158 if (pkey == NULL) { 161 if (pkey == NULL) {
159 CTerr(CT_F_CTLOG_NEW_FROM_BASE64, CT_R_LOG_CONF_INVALID_KEY); 162 CTerror(CT_R_LOG_CONF_INVALID_KEY);
160 return 0; 163 return 0;
161 } 164 }
162 165
diff --git a/src/lib/libcrypto/ct/ct_err.c b/src/lib/libcrypto/ct/ct_err.c
index ab49f58e5a..f15e90891c 100644
--- a/src/lib/libcrypto/ct/ct_err.c
+++ b/src/lib/libcrypto/ct/ct_err.c
@@ -13,11 +13,12 @@
13 13
14#ifndef OPENSSL_NO_ERR 14#ifndef OPENSSL_NO_ERR
15 15
16static const ERR_STRING_DATA CT_str_functs[] = { 16static ERR_STRING_DATA CT_str_functs[] = {
17 {ERR_PACK(ERR_LIB_CT, CT_F_CTLOG_NEW, 0), "CTLOG_new"}, 17 {ERR_PACK(ERR_LIB_CT, CT_F_CTLOG_NEW, 0), "CTLOG_new"},
18 {ERR_PACK(ERR_LIB_CT, CT_F_CTLOG_NEW_FROM_BASE64, 0), 18 {ERR_PACK(ERR_LIB_CT, CT_F_CTLOG_NEW_FROM_BASE64, 0),
19 "CTLOG_new_from_base64"}, 19 "CTLOG_new_from_base64"},
20 {ERR_PACK(ERR_LIB_CT, CT_F_CTLOG_NEW_FROM_CONF, 0), "ctlog_new_from_conf"}, 20 {ERR_PACK(ERR_LIB_CT, CT_F_CTLOG_NEW_FROM_CONF, 0),
21 "ctlog_new_from_conf"},
21 {ERR_PACK(ERR_LIB_CT, CT_F_CTLOG_STORE_LOAD_CTX_NEW, 0), 22 {ERR_PACK(ERR_LIB_CT, CT_F_CTLOG_STORE_LOAD_CTX_NEW, 0),
22 "ctlog_store_load_ctx_new"}, 23 "ctlog_store_load_ctx_new"},
23 {ERR_PACK(ERR_LIB_CT, CT_F_CTLOG_STORE_LOAD_FILE, 0), 24 {ERR_PACK(ERR_LIB_CT, CT_F_CTLOG_STORE_LOAD_FILE, 0),
@@ -39,11 +40,14 @@ static const ERR_STRING_DATA CT_str_functs[] = {
39 {ERR_PACK(ERR_LIB_CT, CT_F_SCT_CTX_NEW, 0), "SCT_CTX_new"}, 40 {ERR_PACK(ERR_LIB_CT, CT_F_SCT_CTX_NEW, 0), "SCT_CTX_new"},
40 {ERR_PACK(ERR_LIB_CT, CT_F_SCT_CTX_VERIFY, 0), "SCT_CTX_verify"}, 41 {ERR_PACK(ERR_LIB_CT, CT_F_SCT_CTX_VERIFY, 0), "SCT_CTX_verify"},
41 {ERR_PACK(ERR_LIB_CT, CT_F_SCT_NEW, 0), "SCT_new"}, 42 {ERR_PACK(ERR_LIB_CT, CT_F_SCT_NEW, 0), "SCT_new"},
42 {ERR_PACK(ERR_LIB_CT, CT_F_SCT_NEW_FROM_BASE64, 0), "SCT_new_from_base64"}, 43 {ERR_PACK(ERR_LIB_CT, CT_F_SCT_NEW_FROM_BASE64, 0),
44 "SCT_new_from_base64"},
43 {ERR_PACK(ERR_LIB_CT, CT_F_SCT_SET0_LOG_ID, 0), "SCT_set0_log_id"}, 45 {ERR_PACK(ERR_LIB_CT, CT_F_SCT_SET0_LOG_ID, 0), "SCT_set0_log_id"},
44 {ERR_PACK(ERR_LIB_CT, CT_F_SCT_SET1_EXTENSIONS, 0), "SCT_set1_extensions"}, 46 {ERR_PACK(ERR_LIB_CT, CT_F_SCT_SET1_EXTENSIONS, 0),
47 "SCT_set1_extensions"},
45 {ERR_PACK(ERR_LIB_CT, CT_F_SCT_SET1_LOG_ID, 0), "SCT_set1_log_id"}, 48 {ERR_PACK(ERR_LIB_CT, CT_F_SCT_SET1_LOG_ID, 0), "SCT_set1_log_id"},
46 {ERR_PACK(ERR_LIB_CT, CT_F_SCT_SET1_SIGNATURE, 0), "SCT_set1_signature"}, 49 {ERR_PACK(ERR_LIB_CT, CT_F_SCT_SET1_SIGNATURE, 0),
50 "SCT_set1_signature"},
47 {ERR_PACK(ERR_LIB_CT, CT_F_SCT_SET_LOG_ENTRY_TYPE, 0), 51 {ERR_PACK(ERR_LIB_CT, CT_F_SCT_SET_LOG_ENTRY_TYPE, 0),
48 "SCT_set_log_entry_type"}, 52 "SCT_set_log_entry_type"},
49 {ERR_PACK(ERR_LIB_CT, CT_F_SCT_SET_SIGNATURE_NID, 0), 53 {ERR_PACK(ERR_LIB_CT, CT_F_SCT_SET_SIGNATURE_NID, 0),
@@ -52,8 +56,9 @@ static const ERR_STRING_DATA CT_str_functs[] = {
52 {0, NULL} 56 {0, NULL}
53}; 57};
54 58
55static const ERR_STRING_DATA CT_str_reasons[] = { 59static ERR_STRING_DATA CT_str_reasons[] = {
56 {ERR_PACK(ERR_LIB_CT, 0, CT_R_BASE64_DECODE_ERROR), "base64 decode error"}, 60 {ERR_PACK(ERR_LIB_CT, 0, CT_R_BASE64_DECODE_ERROR),
61 "base64 decode error"},
57 {ERR_PACK(ERR_LIB_CT, 0, CT_R_INVALID_LOG_ID_LENGTH), 62 {ERR_PACK(ERR_LIB_CT, 0, CT_R_INVALID_LOG_ID_LENGTH),
58 "invalid log id length"}, 63 "invalid log id length"},
59 {ERR_PACK(ERR_LIB_CT, 0, CT_R_LOG_CONF_INVALID), "log conf invalid"}, 64 {ERR_PACK(ERR_LIB_CT, 0, CT_R_LOG_CONF_INVALID), "log conf invalid"},
@@ -70,7 +75,8 @@ static const ERR_STRING_DATA CT_str_reasons[] = {
70 {ERR_PACK(ERR_LIB_CT, 0, CT_R_SCT_INVALID_SIGNATURE), 75 {ERR_PACK(ERR_LIB_CT, 0, CT_R_SCT_INVALID_SIGNATURE),
71 "sct invalid signature"}, 76 "sct invalid signature"},
72 {ERR_PACK(ERR_LIB_CT, 0, CT_R_SCT_LIST_INVALID), "sct list invalid"}, 77 {ERR_PACK(ERR_LIB_CT, 0, CT_R_SCT_LIST_INVALID), "sct list invalid"},
73 {ERR_PACK(ERR_LIB_CT, 0, CT_R_SCT_LOG_ID_MISMATCH), "sct log id mismatch"}, 78 {ERR_PACK(ERR_LIB_CT, 0, CT_R_SCT_LOG_ID_MISMATCH),
79 "sct log id mismatch"},
74 {ERR_PACK(ERR_LIB_CT, 0, CT_R_SCT_NOT_SET), "sct not set"}, 80 {ERR_PACK(ERR_LIB_CT, 0, CT_R_SCT_NOT_SET), "sct not set"},
75 {ERR_PACK(ERR_LIB_CT, 0, CT_R_SCT_UNSUPPORTED_VERSION), 81 {ERR_PACK(ERR_LIB_CT, 0, CT_R_SCT_UNSUPPORTED_VERSION),
76 "sct unsupported version"}, 82 "sct unsupported version"},
@@ -78,19 +84,19 @@ static const ERR_STRING_DATA CT_str_reasons[] = {
78 "unrecognized signature nid"}, 84 "unrecognized signature nid"},
79 {ERR_PACK(ERR_LIB_CT, 0, CT_R_UNSUPPORTED_ENTRY_TYPE), 85 {ERR_PACK(ERR_LIB_CT, 0, CT_R_UNSUPPORTED_ENTRY_TYPE),
80 "unsupported entry type"}, 86 "unsupported entry type"},
81 {ERR_PACK(ERR_LIB_CT, 0, CT_R_UNSUPPORTED_VERSION), "unsupported version"}, 87 {ERR_PACK(ERR_LIB_CT, 0, CT_R_UNSUPPORTED_VERSION),
88 "unsupported version"},
82 {0, NULL} 89 {0, NULL}
83}; 90};
84 91
85#endif 92#endif
86 93
87int ERR_load_CT_strings(void) 94int
95ERR_load_CT_strings(void)
88{ 96{
89#ifndef OPENSSL_NO_ERR
90 if (ERR_func_error_string(CT_str_functs[0].error) == NULL) { 97 if (ERR_func_error_string(CT_str_functs[0].error) == NULL) {
91 ERR_load_strings_const(CT_str_functs); 98 ERR_load_strings(0, CT_str_functs);
92 ERR_load_strings_const(CT_str_reasons); 99 ERR_load_strings(0, CT_str_reasons);
93 } 100 }
94#endif
95 return 1; 101 return 1;
96} 102}
diff --git a/src/lib/libcrypto/ct/ct_local.h b/src/lib/libcrypto/ct/ct_local.h
index 75ff4d8f75..d06ab15347 100644
--- a/src/lib/libcrypto/ct/ct_local.h
+++ b/src/lib/libcrypto/ct/ct_local.h
@@ -59,7 +59,10 @@ struct sct_st {
59 /* If version is not SCT_VERSION_V1, this contains the encoded SCT */ 59 /* If version is not SCT_VERSION_V1, this contains the encoded SCT */
60 unsigned char *sct; 60 unsigned char *sct;
61 size_t sct_len; 61 size_t sct_len;
62 /* If version is SCT_VERSION_V1, fields below contain components of the SCT */ 62 /*
63 * If version is SCT_VERSION_V1, fields below contain components of
64 * the SCT
65 */
63 unsigned char *log_id; 66 unsigned char *log_id;
64 size_t log_id_len; 67 size_t log_id_len;
65 /* 68 /*
@@ -98,7 +101,10 @@ struct sct_ctx_st {
98 /* pre-certificate encoding */ 101 /* pre-certificate encoding */
99 unsigned char *preder; 102 unsigned char *preder;
100 size_t prederlen; 103 size_t prederlen;
101 /* milliseconds since epoch (to check that the SCT isn't from the future) */ 104 /*
105 * milliseconds since epoch (to check that the SCT isn't from the
106 * future)
107 */
102 uint64_t epoch_time_in_ms; 108 uint64_t epoch_time_in_ms;
103}; 109};
104 110
@@ -107,7 +113,10 @@ struct ct_policy_eval_ctx_st {
107 X509 *cert; 113 X509 *cert;
108 X509 *issuer; 114 X509 *issuer;
109 CTLOG_STORE *log_store; 115 CTLOG_STORE *log_store;
110 /* milliseconds since epoch (to check that SCTs aren't from the future) */ 116 /*
117 * milliseconds since epoch (to check that the SCT isn't from the
118 * future)
119 */
111 uint64_t epoch_time_in_ms; 120 uint64_t epoch_time_in_ms;
112}; 121};
113 122
@@ -129,7 +138,7 @@ void SCT_CTX_free(SCT_CTX *sctx);
129 * extension, both must have one. 138 * extension, both must have one.
130 * Returns 1 on success, 0 on failure. 139 * Returns 1 on success, 0 on failure.
131 */ 140 */
132__owur int SCT_CTX_set1_cert(SCT_CTX *sctx, X509 *cert, X509 *presigner); 141int SCT_CTX_set1_cert(SCT_CTX *sctx, X509 *cert, X509 *presigner);
133 142
134/* 143/*
135 * Sets the issuer of the certificate that the SCT was created for. 144 * Sets the issuer of the certificate that the SCT was created for.
@@ -138,7 +147,7 @@ __owur int SCT_CTX_set1_cert(SCT_CTX *sctx, X509 *cert, X509 *presigner);
138 * Issuer must not be NULL. 147 * Issuer must not be NULL.
139 * Returns 1 on success, 0 on failure. 148 * Returns 1 on success, 0 on failure.
140 */ 149 */
141__owur int SCT_CTX_set1_issuer(SCT_CTX *sctx, const X509 *issuer); 150int SCT_CTX_set1_issuer(SCT_CTX *sctx, const X509 *issuer);
142 151
143/* 152/*
144 * Sets the public key of the issuer of the certificate that the SCT was created 153 * Sets the public key of the issuer of the certificate that the SCT was created
@@ -146,13 +155,13 @@ __owur int SCT_CTX_set1_issuer(SCT_CTX *sctx, const X509 *issuer);
146 * The public key must not be NULL. 155 * The public key must not be NULL.
147 * Returns 1 on success, 0 on failure. 156 * Returns 1 on success, 0 on failure.
148 */ 157 */
149__owur int SCT_CTX_set1_issuer_pubkey(SCT_CTX *sctx, X509_PUBKEY *pubkey); 158int SCT_CTX_set1_issuer_pubkey(SCT_CTX *sctx, X509_PUBKEY *pubkey);
150 159
151/* 160/*
152 * Sets the public key of the CT log that the SCT is from. 161 * Sets the public key of the CT log that the SCT is from.
153 * Returns 1 on success, 0 on failure. 162 * Returns 1 on success, 0 on failure.
154 */ 163 */
155__owur int SCT_CTX_set1_pubkey(SCT_CTX *sctx, X509_PUBKEY *pubkey); 164int SCT_CTX_set1_pubkey(SCT_CTX *sctx, X509_PUBKEY *pubkey);
156 165
157/* 166/*
158 * Sets the time to evaluate the SCT against, in milliseconds since the Unix 167 * Sets the time to evaluate the SCT against, in milliseconds since the Unix
@@ -168,13 +177,13 @@ void SCT_CTX_set_time(SCT_CTX *sctx, uint64_t time_in_ms);
168 * Returns 1 if the SCT verifies successfully; any other value indicates 177 * Returns 1 if the SCT verifies successfully; any other value indicates
169 * failure. See EVP_DigestVerifyFinal() for the meaning of those values. 178 * failure. See EVP_DigestVerifyFinal() for the meaning of those values.
170 */ 179 */
171__owur int SCT_CTX_verify(const SCT_CTX *sctx, const SCT *sct); 180int SCT_CTX_verify(const SCT_CTX *sctx, const SCT *sct);
172 181
173/* 182/*
174 * Does this SCT have the minimum fields populated to be usable? 183 * Does this SCT have the minimum fields populated to be usable?
175 * Returns 1 if so, 0 otherwise. 184 * Returns 1 if so, 0 otherwise.
176 */ 185 */
177__owur int SCT_is_complete(const SCT *sct); 186int SCT_is_complete(const SCT *sct);
178 187
179/* 188/*
180 * Does this SCT have the signature-related fields populated? 189 * Does this SCT have the signature-related fields populated?
@@ -182,7 +191,7 @@ __owur int SCT_is_complete(const SCT *sct);
182 * This checks that the signature and hash algorithms are set to supported 191 * This checks that the signature and hash algorithms are set to supported
183 * values and that the signature field is set. 192 * values and that the signature field is set.
184 */ 193 */
185__owur int SCT_signature_is_complete(const SCT *sct); 194int SCT_signature_is_complete(const SCT *sct);
186 195
187/* 196/*
188 * TODO(RJPercival): Create an SCT_signature struct and make i2o_SCT_signature 197 * TODO(RJPercival): Create an SCT_signature struct and make i2o_SCT_signature
@@ -197,7 +206,7 @@ __owur int SCT_signature_is_complete(const SCT *sct);
197* If |out| points to an allocated string, the signature will be written to it. 206* If |out| points to an allocated string, the signature will be written to it.
198* The length of the signature in TLS format will be returned. 207* The length of the signature in TLS format will be returned.
199*/ 208*/
200__owur int i2o_SCT_signature(const SCT *sct, unsigned char **out); 209int i2o_SCT_signature(const SCT *sct, unsigned char **out);
201 210
202/* 211/*
203* Parses an SCT signature in TLS format and populates the |sct| with it. 212* Parses an SCT signature in TLS format and populates the |sct| with it.
@@ -208,7 +217,7 @@ __owur int i2o_SCT_signature(const SCT *sct, unsigned char **out);
208* If an error occurs, the SCT's signature NID may be updated whilst the 217* If an error occurs, the SCT's signature NID may be updated whilst the
209* signature field itself remains unset. 218* signature field itself remains unset.
210*/ 219*/
211__owur int o2i_SCT_signature(SCT *sct, const unsigned char **in, size_t len); 220int o2i_SCT_signature(SCT *sct, const unsigned char **in, size_t len);
212 221
213/* 222/*
214 * Handlers for Certificate Transparency X509v3/OCSP extensions 223 * Handlers for Certificate Transparency X509v3/OCSP extensions
diff --git a/src/lib/libcrypto/ct/ct_log.c b/src/lib/libcrypto/ct/ct_log.c
index ee44de2bfc..1eca056b89 100644
--- a/src/lib/libcrypto/ct/ct_log.c
+++ b/src/lib/libcrypto/ct/ct_log.c
@@ -16,7 +16,8 @@
16#include <openssl/evp.h> 16#include <openssl/evp.h>
17#include <openssl/safestack.h> 17#include <openssl/safestack.h>
18 18
19#include "internal/cryptlib.h" 19#include "cryptlib.h"
20
20 21
21/* 22/*
22 * Information about a CT log server. 23 * Information about a CT log server.
@@ -52,23 +53,23 @@ static CTLOG_STORE_LOAD_CTX *ctlog_store_load_ctx_new(void);
52 * Deletes a CT log store load context. 53 * Deletes a CT log store load context.
53 * Does not delete any of the fields. 54 * Does not delete any of the fields.
54 */ 55 */
55static void ctlog_store_load_ctx_free(CTLOG_STORE_LOAD_CTX* ctx); 56static void ctlog_store_load_ctx_free(CTLOG_STORE_LOAD_CTX *ctx);
56 57
57static CTLOG_STORE_LOAD_CTX * 58static CTLOG_STORE_LOAD_CTX *
58ctlog_store_load_ctx_new(void) 59ctlog_store_load_ctx_new(void)
59{ 60{
60 CTLOG_STORE_LOAD_CTX *ctx = OPENSSL_zalloc(sizeof(*ctx)); 61 CTLOG_STORE_LOAD_CTX *ctx = calloc(1, sizeof(*ctx));
61 62
62 if (ctx == NULL) 63 if (ctx == NULL)
63 CTerr(CT_F_CTLOG_STORE_LOAD_CTX_NEW, ERR_R_MALLOC_FAILURE); 64 CTerror(ERR_R_MALLOC_FAILURE);
64 65
65 return ctx; 66 return ctx;
66} 67}
67 68
68static void 69static void
69ctlog_store_load_ctx_free(CTLOG_STORE_LOAD_CTX* ctx) 70ctlog_store_load_ctx_free(CTLOG_STORE_LOAD_CTX *ctx)
70{ 71{
71 OPENSSL_free(ctx); 72 free(ctx);
72} 73}
73 74
74/* Converts a log's public key into a SHA256 log ID */ 75/* Converts a log's public key into a SHA256 log ID */
@@ -80,24 +81,24 @@ ct_v1_log_id_from_pkey(EVP_PKEY *pkey, unsigned char log_id[CT_V1_HASHLEN])
80 int pkey_der_len = i2d_PUBKEY(pkey, &pkey_der); 81 int pkey_der_len = i2d_PUBKEY(pkey, &pkey_der);
81 82
82 if (pkey_der_len <= 0) { 83 if (pkey_der_len <= 0) {
83 CTerr(CT_F_CT_V1_LOG_ID_FROM_PKEY, CT_R_LOG_KEY_INVALID); 84 CTerror(CT_R_LOG_KEY_INVALID);
84 goto err; 85 goto err;
85 } 86 }
86 87
87 SHA256(pkey_der, pkey_der_len, log_id); 88 SHA256(pkey_der, pkey_der_len, log_id);
88 ret = 1; 89 ret = 1;
89 err: 90 err:
90 OPENSSL_free(pkey_der); 91 free(pkey_der);
91 return ret; 92 return ret;
92} 93}
93 94
94CTLOG_STORE * 95CTLOG_STORE *
95CTLOG_STORE_new(void) 96CTLOG_STORE_new(void)
96{ 97{
97 CTLOG_STORE *ret = OPENSSL_zalloc(sizeof(*ret)); 98 CTLOG_STORE *ret = calloc(1, sizeof(*ret));
98 99
99 if (ret == NULL) { 100 if (ret == NULL) {
100 CTerr(CT_F_CTLOG_STORE_NEW, ERR_R_MALLOC_FAILURE); 101 CTerror(ERR_R_MALLOC_FAILURE);
101 return NULL; 102 return NULL;
102 } 103 }
103 104
@@ -106,8 +107,8 @@ CTLOG_STORE_new(void)
106 goto err; 107 goto err;
107 108
108 return ret; 109 return ret;
109err: 110 err:
110 OPENSSL_free(ret); 111 free(ret);
111 return NULL; 112 return NULL;
112} 113}
113 114
@@ -116,24 +117,25 @@ CTLOG_STORE_free(CTLOG_STORE *store)
116{ 117{
117 if (store != NULL) { 118 if (store != NULL) {
118 sk_CTLOG_pop_free(store->logs, CTLOG_free); 119 sk_CTLOG_pop_free(store->logs, CTLOG_free);
119 OPENSSL_free(store); 120 free(store);
120 } 121 }
121} 122}
122 123
123static int 124static int
124ctlog_new_from_conf(CTLOG **ct_log, const CONF *conf, const char *section) 125ctlog_new_from_conf(CTLOG **ct_log, const CONF *conf, const char *section)
125{ 126{
126 const char *description = NCONF_get_string(conf, section, "description"); 127 const char *description = NCONF_get_string(conf, section,
128 "description");
127 char *pkey_base64; 129 char *pkey_base64;
128 130
129 if (description == NULL) { 131 if (description == NULL) {
130 CTerr(CT_F_CTLOG_NEW_FROM_CONF, CT_R_LOG_CONF_MISSING_DESCRIPTION); 132 CTerror(CT_R_LOG_CONF_MISSING_DESCRIPTION);
131 return 0; 133 return 0;
132 } 134 }
133 135
134 pkey_base64 = NCONF_get_string(conf, section, "key"); 136 pkey_base64 = NCONF_get_string(conf, section, "key");
135 if (pkey_base64 == NULL) { 137 if (pkey_base64 == NULL) {
136 CTerr(CT_F_CTLOG_NEW_FROM_CONF, CT_R_LOG_CONF_MISSING_KEY); 138 CTerror(CT_R_LOG_CONF_MISSING_KEY);
137 return 0; 139 return 0;
138 } 140 }
139 141
@@ -143,12 +145,7 @@ ctlog_new_from_conf(CTLOG **ct_log, const CONF *conf, const char *section)
143int 145int
144CTLOG_STORE_load_default_file(CTLOG_STORE *store) 146CTLOG_STORE_load_default_file(CTLOG_STORE *store)
145{ 147{
146 const char *fpath = ossl_safe_getenv(CTLOG_FILE_EVP); 148 return CTLOG_STORE_load_file(store, CTLOG_FILE);
147
148 if (fpath == NULL)
149 fpath = CTLOG_FILE;
150
151 return CTLOG_STORE_load_file(store, fpath);
152} 149}
153 150
154/* 151/*
@@ -170,12 +167,12 @@ ctlog_store_load_log(const char *log_name, int log_name_len, void *arg)
170 if (log_name == NULL) 167 if (log_name == NULL)
171 return 1; 168 return 1;
172 169
173 tmp = OPENSSL_strndup(log_name, log_name_len); 170 tmp = strndup(log_name, log_name_len);
174 if (tmp == NULL) 171 if (tmp == NULL)
175 goto mem_err; 172 goto mem_err;
176 173
177 ret = ctlog_new_from_conf(&ct_log, load_ctx->conf, tmp); 174 ret = ctlog_new_from_conf(&ct_log, load_ctx->conf, tmp);
178 OPENSSL_free(tmp); 175 free(tmp);
179 176
180 if (ret < 0) { 177 if (ret < 0) {
181 /* Propagate any internal error */ 178 /* Propagate any internal error */
@@ -192,9 +189,9 @@ ctlog_store_load_log(const char *log_name, int log_name_len, void *arg)
192 } 189 }
193 return 1; 190 return 1;
194 191
195mem_err: 192 mem_err:
196 CTLOG_free(ct_log); 193 CTLOG_free(ct_log);
197 CTerr(CT_F_CTLOG_STORE_LOAD_LOG, ERR_R_MALLOC_FAILURE); 194 CTerror(ERR_R_MALLOC_FAILURE);
198 return -1; 195 return -1;
199} 196}
200 197
@@ -213,24 +210,24 @@ CTLOG_STORE_load_file(CTLOG_STORE *store, const char *file)
213 goto end; 210 goto end;
214 211
215 if (NCONF_load(load_ctx->conf, file, NULL) <= 0) { 212 if (NCONF_load(load_ctx->conf, file, NULL) <= 0) {
216 CTerr(CT_F_CTLOG_STORE_LOAD_FILE, CT_R_LOG_CONF_INVALID); 213 CTerror(CT_R_LOG_CONF_INVALID);
217 goto end; 214 goto end;
218 } 215 }
219 216
220 enabled_logs = NCONF_get_string(load_ctx->conf, NULL, "enabled_logs"); 217 enabled_logs = NCONF_get_string(load_ctx->conf, NULL, "enabled_logs");
221 if (enabled_logs == NULL) { 218 if (enabled_logs == NULL) {
222 CTerr(CT_F_CTLOG_STORE_LOAD_FILE, CT_R_LOG_CONF_INVALID); 219 CTerror(CT_R_LOG_CONF_INVALID);
223 goto end; 220 goto end;
224 } 221 }
225 222
226 if (!CONF_parse_list(enabled_logs, ',', 1, ctlog_store_load_log, load_ctx) || 223 if (!CONF_parse_list(enabled_logs, ',', 1, ctlog_store_load_log, load_ctx) ||
227 load_ctx->invalid_log_entries > 0) { 224 load_ctx->invalid_log_entries > 0) {
228 CTerr(CT_F_CTLOG_STORE_LOAD_FILE, CT_R_LOG_CONF_INVALID); 225 CTerror(CT_R_LOG_CONF_INVALID);
229 goto end; 226 goto end;
230 } 227 }
231 228
232 ret = 1; 229 ret = 1;
233end: 230 end:
234 NCONF_free(load_ctx->conf); 231 NCONF_free(load_ctx->conf);
235 ctlog_store_load_ctx_free(load_ctx); 232 ctlog_store_load_ctx_free(load_ctx);
236 return ret; 233 return ret;
@@ -244,16 +241,16 @@ end:
244CTLOG * 241CTLOG *
245CTLOG_new(EVP_PKEY *public_key, const char *name) 242CTLOG_new(EVP_PKEY *public_key, const char *name)
246{ 243{
247 CTLOG *ret = OPENSSL_zalloc(sizeof(*ret)); 244 CTLOG *ret = calloc(1, sizeof(*ret));
248 245
249 if (ret == NULL) { 246 if (ret == NULL) {
250 CTerr(CT_F_CTLOG_NEW, ERR_R_MALLOC_FAILURE); 247 CTerror(ERR_R_MALLOC_FAILURE);
251 return NULL; 248 return NULL;
252 } 249 }
253 250
254 ret->name = OPENSSL_strdup(name); 251 ret->name = strdup(name);
255 if (ret->name == NULL) { 252 if (ret->name == NULL) {
256 CTerr(CT_F_CTLOG_NEW, ERR_R_MALLOC_FAILURE); 253 CTerror(ERR_R_MALLOC_FAILURE);
257 goto err; 254 goto err;
258 } 255 }
259 256
@@ -272,9 +269,9 @@ void
272CTLOG_free(CTLOG *log) 269CTLOG_free(CTLOG *log)
273{ 270{
274 if (log != NULL) { 271 if (log != NULL) {
275 OPENSSL_free(log->name); 272 free(log->name);
276 EVP_PKEY_free(log->public_key); 273 EVP_PKEY_free(log->public_key);
277 OPENSSL_free(log); 274 free(log);
278 } 275 }
279} 276}
280 277
@@ -301,8 +298,8 @@ CTLOG_get0_public_key(const CTLOG *log)
301 * Given a log ID, finds the matching log. 298 * Given a log ID, finds the matching log.
302 * Returns NULL if no match found. 299 * Returns NULL if no match found.
303 */ 300 */
304const CTLOG 301const CTLOG *
305*CTLOG_STORE_get0_log_by_id(const CTLOG_STORE *store, const uint8_t *log_id, 302CTLOG_STORE_get0_log_by_id(const CTLOG_STORE *store, const uint8_t *log_id,
306 size_t log_id_len) 303 size_t log_id_len)
307{ 304{
308 int i; 305 int i;
diff --git a/src/lib/libcrypto/ct/ct_oct.c b/src/lib/libcrypto/ct/ct_oct.c
index 7a45bdb5bf..bd15ab0e92 100644
--- a/src/lib/libcrypto/ct/ct_oct.c
+++ b/src/lib/libcrypto/ct/ct_oct.c
@@ -29,7 +29,7 @@ o2i_SCT_signature(SCT *sct, const unsigned char **in, size_t len)
29 const unsigned char *p; 29 const unsigned char *p;
30 30
31 if (sct->version != SCT_VERSION_V1) { 31 if (sct->version != SCT_VERSION_V1) {
32 CTerr(CT_F_O2I_SCT_SIGNATURE, CT_R_UNSUPPORTED_VERSION); 32 CTerror(CT_R_UNSUPPORTED_VERSION);
33 return -1; 33 return -1;
34 } 34 }
35 /* 35 /*
@@ -40,7 +40,7 @@ o2i_SCT_signature(SCT *sct, const unsigned char **in, size_t len)
40 * all supported algorithms. 40 * all supported algorithms.
41 */ 41 */
42 if (len <= 4) { 42 if (len <= 4) {
43 CTerr(CT_F_O2I_SCT_SIGNATURE, CT_R_SCT_INVALID_SIGNATURE); 43 CTerror(CT_R_SCT_INVALID_SIGNATURE);
44 return -1; 44 return -1;
45 } 45 }
46 46
@@ -49,14 +49,17 @@ o2i_SCT_signature(SCT *sct, const unsigned char **in, size_t len)
49 sct->hash_alg = *p++; 49 sct->hash_alg = *p++;
50 sct->sig_alg = *p++; 50 sct->sig_alg = *p++;
51 if (SCT_get_signature_nid(sct) == NID_undef) { 51 if (SCT_get_signature_nid(sct) == NID_undef) {
52 CTerr(CT_F_O2I_SCT_SIGNATURE, CT_R_SCT_INVALID_SIGNATURE); 52 CTerror(CT_R_SCT_INVALID_SIGNATURE);
53 return -1; 53 return -1;
54 } 54 }
55 /* Retrieve signature and check it is consistent with the buffer length */ 55 /*
56 * Retrieve signature and check it is consistent with the buffer
57 * length
58 */
56 n2s(p, siglen); 59 n2s(p, siglen);
57 len_remaining -= (p - *in); 60 len_remaining -= (p - *in);
58 if (siglen > len_remaining) { 61 if (siglen > len_remaining) {
59 CTerr(CT_F_O2I_SCT_SIGNATURE, CT_R_SCT_INVALID_SIGNATURE); 62 CTerror(CT_R_SCT_INVALID_SIGNATURE);
60 return -1; 63 return -1;
61 } 64 }
62 65
@@ -68,13 +71,19 @@ o2i_SCT_signature(SCT *sct, const unsigned char **in, size_t len)
68 return len - len_remaining; 71 return len - len_remaining;
69} 72}
70 73
71SCT *o2i_SCT(SCT **psct, const unsigned char **in, size_t len) 74SCT *
75o2i_SCT(SCT **psct, const unsigned char **in, size_t len)
72{ 76{
73 SCT *sct = NULL; 77 SCT *sct = NULL;
74 const unsigned char *p; 78 const unsigned char *p;
75 79
80 /*
81 * XXX paging Dr Sing. please report to this function for an emergency
82 * CBS/CBB implantation surgery. Stat.
83 */
84
76 if (len == 0 || len > MAX_SCT_SIZE) { 85 if (len == 0 || len > MAX_SCT_SIZE) {
77 CTerr(CT_F_O2I_SCT, CT_R_SCT_INVALID); 86 CTerror(CT_R_SCT_INVALID);
78 goto err; 87 goto err;
79 } 88 }
80 89
@@ -97,14 +106,15 @@ SCT *o2i_SCT(SCT **psct, const unsigned char **in, size_t len)
97 * } 106 * }
98 */ 107 */
99 if (len < 43) { 108 if (len < 43) {
100 CTerr(CT_F_O2I_SCT, CT_R_SCT_INVALID); 109 CTerror(CT_R_SCT_INVALID);
101 goto err; 110 goto err;
102 } 111 }
103 len -= 43; 112 len -= 43;
104 p++; 113 p++;
105 sct->log_id = BUF_memdup(p, CT_V1_HASHLEN); 114 sct->log_id = malloc(CT_V1_HASHLEN);
106 if (sct->log_id == NULL) 115 if (sct->log_id == NULL)
107 goto err; 116 goto err;
117 memcpy(sct->log_id, p, CT_V1_HASHLEN);
108 sct->log_id_len = CT_V1_HASHLEN; 118 sct->log_id_len = CT_V1_HASHLEN;
109 p += CT_V1_HASHLEN; 119 p += CT_V1_HASHLEN;
110 120
@@ -112,13 +122,14 @@ SCT *o2i_SCT(SCT **psct, const unsigned char **in, size_t len)
112 122
113 n2s(p, len2); 123 n2s(p, len2);
114 if (len < len2) { 124 if (len < len2) {
115 CTerr(CT_F_O2I_SCT, CT_R_SCT_INVALID); 125 CTerror(CT_R_SCT_INVALID);
116 goto err; 126 goto err;
117 } 127 }
118 if (len2 > 0) { 128 if (len2 > 0) {
119 sct->ext = BUF_memdup(p, len2); 129 sct->ext = malloc(len2);
120 if (sct->ext == NULL) 130 if (sct->ext == NULL)
121 goto err; 131 goto err;
132 memcpy(sct->ext, p, len2);
122 } 133 }
123 sct->ext_len = len2; 134 sct->ext_len = len2;
124 p += len2; 135 p += len2;
@@ -126,16 +137,17 @@ SCT *o2i_SCT(SCT **psct, const unsigned char **in, size_t len)
126 137
127 sig_len = o2i_SCT_signature(sct, &p, len); 138 sig_len = o2i_SCT_signature(sct, &p, len);
128 if (sig_len <= 0) { 139 if (sig_len <= 0) {
129 CTerr(CT_F_O2I_SCT, CT_R_SCT_INVALID); 140 CTerror(CT_R_SCT_INVALID);
130 goto err; 141 goto err;
131 } 142 }
132 len -= sig_len; 143 len -= sig_len;
133 *in = p + len; 144 *in = p + len;
134 } else { 145 } else {
135 /* If not V1 just cache encoding */ 146 /* If not V1 just cache encoding */
136 sct->sct = BUF_memdup(p, len); 147 sct->sct = malloc(len);
137 if (sct->sct == NULL) 148 if (sct->sct == NULL)
138 goto err; 149 goto err;
150 memcpy(sct->sct, p, len);
139 sct->sct_len = len; 151 sct->sct_len = len;
140 *in = p + len; 152 *in = p + len;
141 } 153 }
@@ -158,12 +170,12 @@ i2o_SCT_signature(const SCT *sct, unsigned char **out)
158 unsigned char *p = NULL, *pstart = NULL; 170 unsigned char *p = NULL, *pstart = NULL;
159 171
160 if (!SCT_signature_is_complete(sct)) { 172 if (!SCT_signature_is_complete(sct)) {
161 CTerr(CT_F_I2O_SCT_SIGNATURE, CT_R_SCT_INVALID_SIGNATURE); 173 CTerror(CT_R_SCT_INVALID_SIGNATURE);
162 goto err; 174 goto err;
163 } 175 }
164 176
165 if (sct->version != SCT_VERSION_V1) { 177 if (sct->version != SCT_VERSION_V1) {
166 CTerr(CT_F_I2O_SCT_SIGNATURE, CT_R_UNSUPPORTED_VERSION); 178 CTerror(CT_R_UNSUPPORTED_VERSION);
167 goto err; 179 goto err;
168 } 180 }
169 181
@@ -179,9 +191,9 @@ i2o_SCT_signature(const SCT *sct, unsigned char **out)
179 p = *out; 191 p = *out;
180 *out += len; 192 *out += len;
181 } else { 193 } else {
182 pstart = p = OPENSSL_malloc(len); 194 pstart = p = malloc(len);
183 if (p == NULL) { 195 if (p == NULL) {
184 CTerr(CT_F_I2O_SCT_SIGNATURE, ERR_R_MALLOC_FAILURE); 196 CTerror(ERR_R_MALLOC_FAILURE);
185 goto err; 197 goto err;
186 } 198 }
187 *out = p; 199 *out = p;
@@ -195,7 +207,7 @@ i2o_SCT_signature(const SCT *sct, unsigned char **out)
195 207
196 return len; 208 return len;
197 err: 209 err:
198 OPENSSL_free(pstart); 210 free(pstart);
199 return -1; 211 return -1;
200} 212}
201 213
@@ -206,7 +218,7 @@ i2o_SCT(const SCT *sct, unsigned char **out)
206 unsigned char *p = NULL, *pstart = NULL; 218 unsigned char *p = NULL, *pstart = NULL;
207 219
208 if (!SCT_is_complete(sct)) { 220 if (!SCT_is_complete(sct)) {
209 CTerr(CT_F_I2O_SCT, CT_R_SCT_NOT_SET); 221 CTerror(CT_R_SCT_NOT_SET);
210 goto err; 222 goto err;
211 } 223 }
212 /* 224 /*
@@ -227,9 +239,9 @@ i2o_SCT(const SCT *sct, unsigned char **out)
227 p = *out; 239 p = *out;
228 *out += len; 240 *out += len;
229 } else { 241 } else {
230 pstart = p = OPENSSL_malloc(len); 242 pstart = p = malloc(len);
231 if (p == NULL) { 243 if (p == NULL) {
232 CTerr(CT_F_I2O_SCT, ERR_R_MALLOC_FAILURE); 244 CTerror(ERR_R_MALLOC_FAILURE);
233 goto err; 245 goto err;
234 } 246 }
235 *out = p; 247 *out = p;
@@ -253,7 +265,7 @@ i2o_SCT(const SCT *sct, unsigned char **out)
253 265
254 return len; 266 return len;
255 err: 267 err:
256 OPENSSL_free(pstart); 268 free(pstart);
257 return -1; 269 return -1;
258} 270}
259 271
@@ -264,13 +276,13 @@ o2i_SCT_LIST(STACK_OF(SCT) **a, const unsigned char **pp, size_t len)
264 size_t list_len, sct_len; 276 size_t list_len, sct_len;
265 277
266 if (len < 2 || len > MAX_SCT_LIST_SIZE) { 278 if (len < 2 || len > MAX_SCT_LIST_SIZE) {
267 CTerr(CT_F_O2I_SCT_LIST, CT_R_SCT_LIST_INVALID); 279 CTerror(CT_R_SCT_LIST_INVALID);
268 return NULL; 280 return NULL;
269 } 281 }
270 282
271 n2s(*pp, list_len); 283 n2s(*pp, list_len);
272 if (list_len != len - 2) { 284 if (list_len != len - 2) {
273 CTerr(CT_F_O2I_SCT_LIST, CT_R_SCT_LIST_INVALID); 285 CTerror(CT_R_SCT_LIST_INVALID);
274 return NULL; 286 return NULL;
275 } 287 }
276 288
@@ -291,14 +303,14 @@ o2i_SCT_LIST(STACK_OF(SCT) **a, const unsigned char **pp, size_t len)
291 SCT *sct; 303 SCT *sct;
292 304
293 if (list_len < 2) { 305 if (list_len < 2) {
294 CTerr(CT_F_O2I_SCT_LIST, CT_R_SCT_LIST_INVALID); 306 CTerror(CT_R_SCT_LIST_INVALID);
295 goto err; 307 goto err;
296 } 308 }
297 n2s(*pp, sct_len); 309 n2s(*pp, sct_len);
298 list_len -= 2; 310 list_len -= 2;
299 311
300 if (sct_len == 0 || sct_len > list_len) { 312 if (sct_len == 0 || sct_len > list_len) {
301 CTerr(CT_F_O2I_SCT_LIST, CT_R_SCT_LIST_INVALID); 313 CTerror(CT_R_SCT_LIST_INVALID);
302 goto err; 314 goto err;
303 } 315 }
304 list_len -= sct_len; 316 list_len -= sct_len;
@@ -331,11 +343,11 @@ i2o_SCT_LIST(const STACK_OF(SCT) *a, unsigned char **pp)
331 if (pp != NULL) { 343 if (pp != NULL) {
332 if (*pp == NULL) { 344 if (*pp == NULL) {
333 if ((len = i2o_SCT_LIST(a, NULL)) == -1) { 345 if ((len = i2o_SCT_LIST(a, NULL)) == -1) {
334 CTerr(CT_F_I2O_SCT_LIST, CT_R_SCT_LIST_INVALID); 346 CTerror(CT_R_SCT_LIST_INVALID);
335 return -1; 347 return -1;
336 } 348 }
337 if ((*pp = OPENSSL_malloc(len)) == NULL) { 349 if ((*pp = malloc(len)) == NULL) {
338 CTerr(CT_F_I2O_SCT_LIST, ERR_R_MALLOC_FAILURE); 350 CTerror(ERR_R_MALLOC_FAILURE);
339 return -1; 351 return -1;
340 } 352 }
341 is_pp_new = 1; 353 is_pp_new = 1;
@@ -371,7 +383,7 @@ i2o_SCT_LIST(const STACK_OF(SCT) *a, unsigned char **pp)
371 383
372 err: 384 err:
373 if (is_pp_new) { 385 if (is_pp_new) {
374 OPENSSL_free(*pp); 386 free(*pp);
375 *pp = NULL; 387 *pp = NULL;
376 } 388 }
377 return -1; 389 return -1;
@@ -407,6 +419,6 @@ i2d_SCT_LIST(const STACK_OF(SCT) *a, unsigned char **out)
407 return -1; 419 return -1;
408 420
409 len = i2d_ASN1_OCTET_STRING(&oct, out); 421 len = i2d_ASN1_OCTET_STRING(&oct, out);
410 OPENSSL_free(oct.data); 422 free(oct.data);
411 return len; 423 return len;
412} 424}
diff --git a/src/lib/libcrypto/ct/ct_policy.c b/src/lib/libcrypto/ct/ct_policy.c
index 43ea6fa093..9940f768b6 100644
--- a/src/lib/libcrypto/ct/ct_policy.c
+++ b/src/lib/libcrypto/ct/ct_policy.c
@@ -28,10 +28,10 @@ static const time_t SCT_CLOCK_DRIFT_TOLERANCE = 300;
28CT_POLICY_EVAL_CTX * 28CT_POLICY_EVAL_CTX *
29CT_POLICY_EVAL_CTX_new(void) 29CT_POLICY_EVAL_CTX_new(void)
30{ 30{
31 CT_POLICY_EVAL_CTX *ctx = OPENSSL_zalloc(sizeof(CT_POLICY_EVAL_CTX)); 31 CT_POLICY_EVAL_CTX *ctx = calloc(1, sizeof(CT_POLICY_EVAL_CTX));
32 32
33 if (ctx == NULL) { 33 if (ctx == NULL) {
34 CTerr(CT_F_CT_POLICY_EVAL_CTX_NEW, ERR_R_MALLOC_FAILURE); 34 CTerror(ERR_R_MALLOC_FAILURE);
35 return NULL; 35 return NULL;
36 } 36 }
37 37
@@ -49,7 +49,7 @@ CT_POLICY_EVAL_CTX_free(CT_POLICY_EVAL_CTX *ctx)
49 return; 49 return;
50 X509_free(ctx->cert); 50 X509_free(ctx->cert);
51 X509_free(ctx->issuer); 51 X509_free(ctx->issuer);
52 OPENSSL_free(ctx); 52 free(ctx);
53} 53}
54 54
55int 55int
@@ -83,13 +83,13 @@ CT_POLICY_EVAL_CTX_set_time(CT_POLICY_EVAL_CTX *ctx, uint64_t time_in_ms)
83 ctx->epoch_time_in_ms = time_in_ms; 83 ctx->epoch_time_in_ms = time_in_ms;
84} 84}
85 85
86X509* 86X509 *
87CT_POLICY_EVAL_CTX_get0_cert(const CT_POLICY_EVAL_CTX *ctx) 87CT_POLICY_EVAL_CTX_get0_cert(const CT_POLICY_EVAL_CTX *ctx)
88{ 88{
89 return ctx->cert; 89 return ctx->cert;
90} 90}
91 91
92X509* 92X509 *
93CT_POLICY_EVAL_CTX_get0_issuer(const CT_POLICY_EVAL_CTX *ctx) 93CT_POLICY_EVAL_CTX_get0_issuer(const CT_POLICY_EVAL_CTX *ctx)
94{ 94{
95 return ctx->issuer; 95 return ctx->issuer;
@@ -98,7 +98,7 @@ CT_POLICY_EVAL_CTX_get0_issuer(const CT_POLICY_EVAL_CTX *ctx)
98const CTLOG_STORE * 98const CTLOG_STORE *
99CT_POLICY_EVAL_CTX_get0_log_store(const CT_POLICY_EVAL_CTX *ctx) 99CT_POLICY_EVAL_CTX_get0_log_store(const CT_POLICY_EVAL_CTX *ctx)
100{ 100{
101 return ctx->log_store; 101 return ctx->log_store;
102} 102}
103 103
104uint64_t 104uint64_t
diff --git a/src/lib/libcrypto/ct/ct_prn.c b/src/lib/libcrypto/ct/ct_prn.c
index 3cd9b8e838..3b1be71394 100644
--- a/src/lib/libcrypto/ct/ct_prn.c
+++ b/src/lib/libcrypto/ct/ct_prn.c
@@ -16,6 +16,36 @@
16 16
17#include "ct_local.h" 17#include "ct_local.h"
18 18
19/*
20 * XXX public api in OpenSSL 1.1.0 but this is the only thing that uses it.
21 * so I am stuffing it here for the moment.
22 */
23static int
24BIO_hex_string(BIO *out, int indent, int width, unsigned char *data,
25 int datalen)
26{
27 int i, j = 0;
28
29 if (datalen < 1)
30 return 1;
31
32 for (i = 0; i < datalen - 1; i++) {
33 if (i && !j)
34 BIO_printf(out, "%*s", indent, "");
35
36 BIO_printf(out, "%02X:", data[i]);
37
38 j = (j + 1) % width;
39 if (!j)
40 BIO_printf(out, "\n");
41 }
42
43 if (i && !j)
44 BIO_printf(out, "%*s", indent, "");
45 BIO_printf(out, "%02X", data[datalen - 1]);
46 return 1;
47}
48
19static void 49static void
20SCT_signature_algorithms_print(const SCT *sct, BIO *out) 50SCT_signature_algorithms_print(const SCT *sct, BIO *out)
21{ 51{
@@ -35,13 +65,13 @@ timestamp_print(uint64_t timestamp, BIO *out)
35 65
36 if (gen == NULL) 66 if (gen == NULL)
37 return; 67 return;
38 ASN1_GENERALIZEDTIME_adj(gen, (time_t)0,(int)(timestamp / 86400000), 68 ASN1_GENERALIZEDTIME_adj(gen, (time_t)0, (int)(timestamp / 86400000),
39 (timestamp % 86400000) / 1000); 69 (timestamp % 86400000) / 1000);
40 /* 70 /*
41 * Note GeneralizedTime from ASN1_GENERALIZETIME_adj is always 15 71 * Note GeneralizedTime from ASN1_GENERALIZETIME_adj is always 15
42 * characters long with a final Z. Update it with fractional seconds. 72 * characters long with a final Z. Update it with fractional seconds.
43 */ 73 */
44 BIO_snprintf(genstr, sizeof(genstr), "%.14s.%03dZ", 74 snprintf(genstr, sizeof(genstr), "%.14s.%03dZ",
45 ASN1_STRING_get0_data(gen), (unsigned int)(timestamp % 1000)); 75 ASN1_STRING_get0_data(gen), (unsigned int)(timestamp % 1000));
46 if (ASN1_GENERALIZEDTIME_set_string(gen, genstr)) 76 if (ASN1_GENERALIZEDTIME_set_string(gen, genstr))
47 ASN1_GENERALIZEDTIME_print(out, gen); 77 ASN1_GENERALIZEDTIME_print(out, gen);
@@ -63,7 +93,7 @@ SCT_validation_status_string(const SCT *sct)
63 case SCT_VALIDATION_STATUS_INVALID: 93 case SCT_VALIDATION_STATUS_INVALID:
64 return "invalid"; 94 return "invalid";
65 case SCT_VALIDATION_STATUS_VALID: 95 case SCT_VALIDATION_STATUS_VALID:
66 return "valid"; 96 return "valid";
67 } 97 }
68 return "unknown status"; 98 return "unknown status";
69} 99}
diff --git a/src/lib/libcrypto/ct/ct_sct.c b/src/lib/libcrypto/ct/ct_sct.c
index ca915b763e..5108f39d66 100644
--- a/src/lib/libcrypto/ct/ct_sct.c
+++ b/src/lib/libcrypto/ct/ct_sct.c
@@ -17,15 +17,17 @@
17#include <openssl/tls1.h> 17#include <openssl/tls1.h>
18#include <openssl/x509.h> 18#include <openssl/x509.h>
19 19
20#include <string.h>
21
20#include "ct_local.h" 22#include "ct_local.h"
21 23
22SCT * 24SCT *
23SCT_new(void) 25SCT_new(void)
24{ 26{
25 SCT *sct = OPENSSL_zalloc(sizeof(*sct)); 27 SCT *sct = calloc(1, sizeof(*sct));
26 28
27 if (sct == NULL) { 29 if (sct == NULL) {
28 CTerr(CT_F_SCT_NEW, ERR_R_MALLOC_FAILURE); 30 CTerror(ERR_R_MALLOC_FAILURE);
29 return NULL; 31 return NULL;
30 } 32 }
31 33
@@ -40,11 +42,11 @@ SCT_free(SCT *sct)
40 if (sct == NULL) 42 if (sct == NULL)
41 return; 43 return;
42 44
43 OPENSSL_free(sct->log_id); 45 free(sct->log_id);
44 OPENSSL_free(sct->ext); 46 free(sct->ext);
45 OPENSSL_free(sct->sig); 47 free(sct->sig);
46 OPENSSL_free(sct->sct); 48 free(sct->sct);
47 OPENSSL_free(sct); 49 free(sct);
48} 50}
49 51
50void 52void
@@ -57,7 +59,7 @@ int
57SCT_set_version(SCT *sct, sct_version_t version) 59SCT_set_version(SCT *sct, sct_version_t version)
58{ 60{
59 if (version != SCT_VERSION_V1) { 61 if (version != SCT_VERSION_V1) {
60 CTerr(CT_F_SCT_SET_VERSION, CT_R_UNSUPPORTED_VERSION); 62 CTerror(CT_R_UNSUPPORTED_VERSION);
61 return 0; 63 return 0;
62 } 64 }
63 sct->version = version; 65 sct->version = version;
@@ -78,7 +80,7 @@ SCT_set_log_entry_type(SCT *sct, ct_log_entry_type_t entry_type)
78 case CT_LOG_ENTRY_TYPE_NOT_SET: 80 case CT_LOG_ENTRY_TYPE_NOT_SET:
79 break; 81 break;
80 } 82 }
81 CTerr(CT_F_SCT_SET_LOG_ENTRY_TYPE, CT_R_UNSUPPORTED_ENTRY_TYPE); 83 CTerror(CT_R_UNSUPPORTED_ENTRY_TYPE);
82 return 0; 84 return 0;
83} 85}
84 86
@@ -86,11 +88,11 @@ int
86SCT_set0_log_id(SCT *sct, unsigned char *log_id, size_t log_id_len) 88SCT_set0_log_id(SCT *sct, unsigned char *log_id, size_t log_id_len)
87{ 89{
88 if (sct->version == SCT_VERSION_V1 && log_id_len != CT_V1_HASHLEN) { 90 if (sct->version == SCT_VERSION_V1 && log_id_len != CT_V1_HASHLEN) {
89 CTerr(CT_F_SCT_SET0_LOG_ID, CT_R_INVALID_LOG_ID_LENGTH); 91 CTerror(CT_R_INVALID_LOG_ID_LENGTH);
90 return 0; 92 return 0;
91 } 93 }
92 94
93 OPENSSL_free(sct->log_id); 95 free(sct->log_id);
94 sct->log_id = log_id; 96 sct->log_id = log_id;
95 sct->log_id_len = log_id_len; 97 sct->log_id_len = log_id_len;
96 sct->validation_status = SCT_VALIDATION_STATUS_NOT_SET; 98 sct->validation_status = SCT_VALIDATION_STATUS_NOT_SET;
@@ -101,21 +103,22 @@ int
101SCT_set1_log_id(SCT *sct, const unsigned char *log_id, size_t log_id_len) 103SCT_set1_log_id(SCT *sct, const unsigned char *log_id, size_t log_id_len)
102{ 104{
103 if (sct->version == SCT_VERSION_V1 && log_id_len != CT_V1_HASHLEN) { 105 if (sct->version == SCT_VERSION_V1 && log_id_len != CT_V1_HASHLEN) {
104 CTerr(CT_F_SCT_SET1_LOG_ID, CT_R_INVALID_LOG_ID_LENGTH); 106 CTerror(CT_R_INVALID_LOG_ID_LENGTH);
105 return 0; 107 return 0;
106 } 108 }
107 109
108 OPENSSL_free(sct->log_id); 110 free(sct->log_id);
109 sct->log_id = NULL; 111 sct->log_id = NULL;
110 sct->log_id_len = 0; 112 sct->log_id_len = 0;
111 sct->validation_status = SCT_VALIDATION_STATUS_NOT_SET; 113 sct->validation_status = SCT_VALIDATION_STATUS_NOT_SET;
112 114
113 if (log_id != NULL && log_id_len > 0) { 115 if (log_id != NULL && log_id_len > 0) {
114 sct->log_id = OPENSSL_memdup(log_id, log_id_len); 116 sct->log_id = malloc(log_id_len);
115 if (sct->log_id == NULL) { 117 if (sct->log_id == NULL) {
116 CTerr(CT_F_SCT_SET1_LOG_ID, ERR_R_MALLOC_FAILURE); 118 CTerror(ERR_R_MALLOC_FAILURE);
117 return 0; 119 return 0;
118 } 120 }
121 memcpy(sct->log_id, log_id, log_id_len);
119 sct->log_id_len = log_id_len; 122 sct->log_id_len = log_id_len;
120 } 123 }
121 return 1; 124 return 1;
@@ -134,17 +137,17 @@ SCT_set_signature_nid(SCT *sct, int nid)
134{ 137{
135 switch (nid) { 138 switch (nid) {
136 case NID_sha256WithRSAEncryption: 139 case NID_sha256WithRSAEncryption:
137 sct->hash_alg = TLSEXT_hash_sha256; 140 sct->hash_alg = 4; /* XXX */
138 sct->sig_alg = TLSEXT_signature_rsa; 141 sct->sig_alg = 1; /* XXX */
139 sct->validation_status = SCT_VALIDATION_STATUS_NOT_SET; 142 sct->validation_status = SCT_VALIDATION_STATUS_NOT_SET;
140 return 1; 143 return 1;
141 case NID_ecdsa_with_SHA256: 144 case NID_ecdsa_with_SHA256:
142 sct->hash_alg = TLSEXT_hash_sha256; 145 sct->hash_alg = 4; /* XXX */
143 sct->sig_alg = TLSEXT_signature_ecdsa; 146 sct->sig_alg = 3; /* XXX */
144 sct->validation_status = SCT_VALIDATION_STATUS_NOT_SET; 147 sct->validation_status = SCT_VALIDATION_STATUS_NOT_SET;
145 return 1; 148 return 1;
146 default: 149 default:
147 CTerr(CT_F_SCT_SET_SIGNATURE_NID, CT_R_UNRECOGNIZED_SIGNATURE_NID); 150 CTerror(CT_R_UNRECOGNIZED_SIGNATURE_NID);
148 return 0; 151 return 0;
149 } 152 }
150} 153}
@@ -152,7 +155,7 @@ SCT_set_signature_nid(SCT *sct, int nid)
152void 155void
153SCT_set0_extensions(SCT *sct, unsigned char *ext, size_t ext_len) 156SCT_set0_extensions(SCT *sct, unsigned char *ext, size_t ext_len)
154{ 157{
155 OPENSSL_free(sct->ext); 158 free(sct->ext);
156 sct->ext = ext; 159 sct->ext = ext;
157 sct->ext_len = ext_len; 160 sct->ext_len = ext_len;
158 sct->validation_status = SCT_VALIDATION_STATUS_NOT_SET; 161 sct->validation_status = SCT_VALIDATION_STATUS_NOT_SET;
@@ -161,17 +164,18 @@ SCT_set0_extensions(SCT *sct, unsigned char *ext, size_t ext_len)
161int 164int
162SCT_set1_extensions(SCT *sct, const unsigned char *ext, size_t ext_len) 165SCT_set1_extensions(SCT *sct, const unsigned char *ext, size_t ext_len)
163{ 166{
164 OPENSSL_free(sct->ext); 167 free(sct->ext);
165 sct->ext = NULL; 168 sct->ext = NULL;
166 sct->ext_len = 0; 169 sct->ext_len = 0;
167 sct->validation_status = SCT_VALIDATION_STATUS_NOT_SET; 170 sct->validation_status = SCT_VALIDATION_STATUS_NOT_SET;
168 171
169 if (ext != NULL && ext_len > 0) { 172 if (ext != NULL && ext_len > 0) {
170 sct->ext = OPENSSL_memdup(ext, ext_len); 173 sct->ext = malloc(ext_len);
171 if (sct->ext == NULL) { 174 if (sct->ext == NULL) {
172 CTerr(CT_F_SCT_SET1_EXTENSIONS, ERR_R_MALLOC_FAILURE); 175 CTerror(ERR_R_MALLOC_FAILURE);
173 return 0; 176 return 0;
174 } 177 }
178 memcpy(sct->ext, ext, ext_len);
175 sct->ext_len = ext_len; 179 sct->ext_len = ext_len;
176 } 180 }
177 return 1; 181 return 1;
@@ -180,7 +184,7 @@ SCT_set1_extensions(SCT *sct, const unsigned char *ext, size_t ext_len)
180void 184void
181SCT_set0_signature(SCT *sct, unsigned char *sig, size_t sig_len) 185SCT_set0_signature(SCT *sct, unsigned char *sig, size_t sig_len)
182{ 186{
183 OPENSSL_free(sct->sig); 187 free(sct->sig);
184 sct->sig = sig; 188 sct->sig = sig;
185 sct->sig_len = sig_len; 189 sct->sig_len = sig_len;
186 sct->validation_status = SCT_VALIDATION_STATUS_NOT_SET; 190 sct->validation_status = SCT_VALIDATION_STATUS_NOT_SET;
@@ -189,17 +193,18 @@ SCT_set0_signature(SCT *sct, unsigned char *sig, size_t sig_len)
189int 193int
190SCT_set1_signature(SCT *sct, const unsigned char *sig, size_t sig_len) 194SCT_set1_signature(SCT *sct, const unsigned char *sig, size_t sig_len)
191{ 195{
192 OPENSSL_free(sct->sig); 196 free(sct->sig);
193 sct->sig = NULL; 197 sct->sig = NULL;
194 sct->sig_len = 0; 198 sct->sig_len = 0;
195 sct->validation_status = SCT_VALIDATION_STATUS_NOT_SET; 199 sct->validation_status = SCT_VALIDATION_STATUS_NOT_SET;
196 200
197 if (sig != NULL && sig_len > 0) { 201 if (sig != NULL && sig_len > 0) {
198 sct->sig = OPENSSL_memdup(sig, sig_len); 202 sct->sig = malloc(sig_len);
199 if (sct->sig == NULL) { 203 if (sct->sig == NULL) {
200 CTerr(CT_F_SCT_SET1_SIGNATURE, ERR_R_MALLOC_FAILURE); 204 CTerror(ERR_R_MALLOC_FAILURE);
201 return 0; 205 return 0;
202 } 206 }
207 memcpy(sct->sig, sig, sig_len);
203 sct->sig_len = sig_len; 208 sct->sig_len = sig_len;
204 } 209 }
205 return 1; 210 return 1;
@@ -234,14 +239,15 @@ int
234SCT_get_signature_nid(const SCT *sct) 239SCT_get_signature_nid(const SCT *sct)
235{ 240{
236 if (sct->version == SCT_VERSION_V1) { 241 if (sct->version == SCT_VERSION_V1) {
237 if (sct->hash_alg == TLSEXT_hash_sha256) { 242 /* XXX sigalg numbers */
243 if (sct->hash_alg == 4) {
238 switch (sct->sig_alg) { 244 switch (sct->sig_alg) {
239 case TLSEXT_signature_ecdsa: 245 case 3:
240 return NID_ecdsa_with_SHA256; 246 return NID_ecdsa_with_SHA256;
241 case TLSEXT_signature_rsa: 247 case 1:
242 return NID_sha256WithRSAEncryption; 248 return NID_sha256WithRSAEncryption;
243 default: 249 default:
244 return NID_undef; 250 return NID_undef;
245 } 251 }
246 } 252 }
247 } 253 }
@@ -278,8 +284,8 @@ SCT_is_complete(const SCT *sct)
278int 284int
279SCT_signature_is_complete(const SCT *sct) 285SCT_signature_is_complete(const SCT *sct)
280{ 286{
281 return SCT_get_signature_nid(sct) != NID_undef && sct->sig != NULL && 287 return SCT_get_signature_nid(sct) != NID_undef &&
282 sct->sig_len > 0; 288 sct->sig != NULL && sct->sig_len > 0;
283} 289}
284 290
285sct_source_t 291sct_source_t
diff --git a/src/lib/libcrypto/ct/ct_sct_ctx.c b/src/lib/libcrypto/ct/ct_sct_ctx.c
index 4283cb88aa..2752bd6bbe 100644
--- a/src/lib/libcrypto/ct/ct_sct_ctx.c
+++ b/src/lib/libcrypto/ct/ct_sct_ctx.c
@@ -23,10 +23,10 @@
23SCT_CTX * 23SCT_CTX *
24SCT_CTX_new(void) 24SCT_CTX_new(void)
25{ 25{
26 SCT_CTX *sctx = OPENSSL_zalloc(sizeof(*sctx)); 26 SCT_CTX *sctx = calloc(1, sizeof(*sctx));
27 27
28 if (sctx == NULL) 28 if (sctx == NULL)
29 CTerr(CT_F_SCT_CTX_NEW, ERR_R_MALLOC_FAILURE); 29 CTerror(ERR_R_MALLOC_FAILURE);
30 30
31 return sctx; 31 return sctx;
32} 32}
@@ -37,11 +37,11 @@ SCT_CTX_free(SCT_CTX *sctx)
37 if (sctx == NULL) 37 if (sctx == NULL)
38 return; 38 return;
39 EVP_PKEY_free(sctx->pkey); 39 EVP_PKEY_free(sctx->pkey);
40 OPENSSL_free(sctx->pkeyhash); 40 free(sctx->pkeyhash);
41 OPENSSL_free(sctx->ihash); 41 free(sctx->ihash);
42 OPENSSL_free(sctx->certder); 42 free(sctx->certder);
43 OPENSSL_free(sctx->preder); 43 free(sctx->preder);
44 OPENSSL_free(sctx); 44 free(sctx);
45} 45}
46 46
47/* 47/*
@@ -66,7 +66,7 @@ ct_x509_get_ext(X509 *cert, int nid, int *is_duplicated)
66 * AKID from the presigner certificate, if necessary. 66 * AKID from the presigner certificate, if necessary.
67 * Returns 1 on success, 0 otherwise. 67 * Returns 1 on success, 0 otherwise.
68 */ 68 */
69__owur static int 69static int
70ct_x509_cert_fixup(X509 *cert, X509 *presigner) 70ct_x509_cert_fixup(X509 *cert, X509 *presigner)
71{ 71{
72 int preidx, certidx; 72 int preidx, certidx;
@@ -181,23 +181,23 @@ SCT_CTX_set1_cert(SCT_CTX *sctx, X509 *cert, X509 *presigner)
181 181
182 X509_free(pretmp); 182 X509_free(pretmp);
183 183
184 OPENSSL_free(sctx->certder); 184 free(sctx->certder);
185 sctx->certder = certder; 185 sctx->certder = certder;
186 sctx->certderlen = certderlen; 186 sctx->certderlen = certderlen;
187 187
188 OPENSSL_free(sctx->preder); 188 free(sctx->preder);
189 sctx->preder = preder; 189 sctx->preder = preder;
190 sctx->prederlen = prederlen; 190 sctx->prederlen = prederlen;
191 191
192 return 1; 192 return 1;
193 err: 193 err:
194 OPENSSL_free(certder); 194 free(certder);
195 OPENSSL_free(preder); 195 free(preder);
196 X509_free(pretmp); 196 X509_free(pretmp);
197 return 0; 197 return 0;
198} 198}
199 199
200__owur static int 200static int
201ct_public_key_hash(X509_PUBKEY *pkey, unsigned char **hash, size_t *hash_len) 201ct_public_key_hash(X509_PUBKEY *pkey, unsigned char **hash, size_t *hash_len)
202{ 202{
203 int ret = 0; 203 int ret = 0;
@@ -209,7 +209,7 @@ ct_public_key_hash(X509_PUBKEY *pkey, unsigned char **hash, size_t *hash_len)
209 if (*hash != NULL && *hash_len >= SHA256_DIGEST_LENGTH) { 209 if (*hash != NULL && *hash_len >= SHA256_DIGEST_LENGTH) {
210 md = *hash; 210 md = *hash;
211 } else { 211 } else {
212 md = OPENSSL_malloc(SHA256_DIGEST_LENGTH); 212 md = malloc(SHA256_DIGEST_LENGTH);
213 if (md == NULL) 213 if (md == NULL)
214 goto err; 214 goto err;
215 } 215 }
@@ -223,7 +223,7 @@ ct_public_key_hash(X509_PUBKEY *pkey, unsigned char **hash, size_t *hash_len)
223 goto err; 223 goto err;
224 224
225 if (md != *hash) { 225 if (md != *hash) {
226 OPENSSL_free(*hash); 226 free(*hash);
227 *hash = md; 227 *hash = md;
228 *hash_len = SHA256_DIGEST_LENGTH; 228 *hash_len = SHA256_DIGEST_LENGTH;
229 } 229 }
@@ -231,8 +231,8 @@ ct_public_key_hash(X509_PUBKEY *pkey, unsigned char **hash, size_t *hash_len)
231 md = NULL; 231 md = NULL;
232 ret = 1; 232 ret = 1;
233 err: 233 err:
234 OPENSSL_free(md); 234 free(md);
235 OPENSSL_free(der); 235 free(der);
236 return ret; 236 return ret;
237} 237}
238 238
diff --git a/src/lib/libcrypto/ct/ct_vfy.c b/src/lib/libcrypto/ct/ct_vfy.c
index 74642a9304..bde3534c97 100644
--- a/src/lib/libcrypto/ct/ct_vfy.c
+++ b/src/lib/libcrypto/ct/ct_vfy.c
@@ -32,6 +32,7 @@ sct_ctx_update(EVP_MD_CTX *ctx, const SCT_CTX *sctx, const SCT *sct)
32 unsigned char tmpbuf[12]; 32 unsigned char tmpbuf[12];
33 unsigned char *p, *der; 33 unsigned char *p, *der;
34 size_t derlen; 34 size_t derlen;
35
35 /*+ 36 /*+
36 * digitally-signed struct { 37 * digitally-signed struct {
37 * (1 byte) Version sct_version; 38 * (1 byte) Version sct_version;
@@ -102,21 +103,22 @@ SCT_CTX_verify(const SCT_CTX *sctx, const SCT *sct)
102 103
103 if (!SCT_is_complete(sct) || sctx->pkey == NULL || 104 if (!SCT_is_complete(sct) || sctx->pkey == NULL ||
104 sct->entry_type == CT_LOG_ENTRY_TYPE_NOT_SET || 105 sct->entry_type == CT_LOG_ENTRY_TYPE_NOT_SET ||
105 (sct->entry_type == CT_LOG_ENTRY_TYPE_PRECERT && sctx->ihash == NULL)) { 106 (sct->entry_type == CT_LOG_ENTRY_TYPE_PRECERT &&
106 CTerr(CT_F_SCT_CTX_VERIFY, CT_R_SCT_NOT_SET); 107 sctx->ihash == NULL)) {
108 CTerror(CT_R_SCT_NOT_SET);
107 return 0; 109 return 0;
108 } 110 }
109 if (sct->version != SCT_VERSION_V1) { 111 if (sct->version != SCT_VERSION_V1) {
110 CTerr(CT_F_SCT_CTX_VERIFY, CT_R_SCT_UNSUPPORTED_VERSION); 112 CTerror(CT_R_SCT_UNSUPPORTED_VERSION);
111 return 0; 113 return 0;
112 } 114 }
113 if (sct->log_id_len != sctx->pkeyhashlen || 115 if (sct->log_id_len != sctx->pkeyhashlen ||
114 memcmp(sct->log_id, sctx->pkeyhash, sctx->pkeyhashlen) != 0) { 116 memcmp(sct->log_id, sctx->pkeyhash, sctx->pkeyhashlen) != 0) {
115 CTerr(CT_F_SCT_CTX_VERIFY, CT_R_SCT_LOG_ID_MISMATCH); 117 CTerror(CT_R_SCT_LOG_ID_MISMATCH);
116 return 0; 118 return 0;
117 } 119 }
118 if (sct->timestamp > sctx->epoch_time_in_ms) { 120 if (sct->timestamp > sctx->epoch_time_in_ms) {
119 CTerr(CT_F_SCT_CTX_VERIFY, CT_R_SCT_FUTURE_TIMESTAMP); 121 CTerror(CT_R_SCT_FUTURE_TIMESTAMP);
120 return 0; 122 return 0;
121 } 123 }
122 124
@@ -134,7 +136,7 @@ SCT_CTX_verify(const SCT_CTX *sctx, const SCT *sct)
134 ret = EVP_DigestVerifyFinal(ctx, sct->sig, sct->sig_len); 136 ret = EVP_DigestVerifyFinal(ctx, sct->sig, sct->sig_len);
135 /* If ret < 0 some other error: fall through without setting error */ 137 /* If ret < 0 some other error: fall through without setting error */
136 if (ret == 0) 138 if (ret == 0)
137 CTerr(CT_F_SCT_CTX_VERIFY, CT_R_SCT_INVALID_SIGNATURE); 139 CTerror(CT_R_SCT_INVALID_SIGNATURE);
138 140
139 end: 141 end:
140 EVP_MD_CTX_free(ctx); 142 EVP_MD_CTX_free(ctx);
diff --git a/src/lib/libcrypto/ct/ct_x509v3.c b/src/lib/libcrypto/ct/ct_x509v3.c
index 32312e2c6b..169d6c3b5c 100644
--- a/src/lib/libcrypto/ct/ct_x509v3.c
+++ b/src/lib/libcrypto/ct/ct_x509v3.c
@@ -11,12 +11,14 @@
11# error "CT is disabled" 11# error "CT is disabled"
12#endif 12#endif
13 13
14#include <string.h>
15
14#include "ct_local.h" 16#include "ct_local.h"
15 17
16static char * 18static char *
17i2s_poison(const X509V3_EXT_METHOD *method, void *val) 19i2s_poison(const X509V3_EXT_METHOD *method, void *val)
18{ 20{
19 return OPENSSL_strdup("NULL"); 21 return strdup("NULL");
20} 22}
21 23
22static void * 24static void *
@@ -63,8 +65,8 @@ x509_ext_d2i_SCT_LIST(STACK_OF(SCT) **a, const unsigned char **pp, long len)
63 return s; 65 return s;
64} 66}
65 67
66static STACK_OF(SCT) *o 68static STACK_OF(SCT) *
67csp_ext_d2i_SCT_LIST(STACK_OF(SCT) **a, const unsigned char **pp, long len) 69ocsp_ext_d2i_SCT_LIST(STACK_OF(SCT) **a, const unsigned char **pp, long len)
68{ 70{
69 STACK_OF(SCT) *s = d2i_SCT_LIST(a, pp, len); 71 STACK_OF(SCT) *s = d2i_SCT_LIST(a, pp, len);
70 72
@@ -88,7 +90,7 @@ const X509V3_EXT_METHOD v3_ct_scts[3] = {
88 NULL }, 90 NULL },
89 91
90 /* X509v3 extension to mark a certificate as a pre-certificate */ 92 /* X509v3 extension to mark a certificate as a pre-certificate */
91 { NID_ct_precert_poison, 0, ASN1_ITEM_ref(ASN1_NULL), 93 { NID_ct_precert_poison, 0, &ASN1_NULL_it,
92 NULL, NULL, NULL, NULL, 94 NULL, NULL, NULL, NULL,
93 i2s_poison, s2i_poison, 95 i2s_poison, s2i_poison,
94 NULL, NULL, 96 NULL, NULL,
diff --git a/src/lib/libcrypto/ct/cterr.h b/src/lib/libcrypto/ct/cterr.h
index feb7bc5663..4ef1b67f98 100644
--- a/src/lib/libcrypto/ct/cterr.h
+++ b/src/lib/libcrypto/ct/cterr.h
@@ -1,5 +1,4 @@
1/* 1/*
2 * Generated by util/mkerr.pl DO NOT EDIT
3 * Copyright 1995-2019 The OpenSSL Project Authors. All Rights Reserved. 2 * Copyright 1995-2019 The OpenSSL Project Authors. All Rights Reserved.
4 * 3 *
5 * Licensed under the OpenSSL license (the "License"). You may not use 4 * Licensed under the OpenSSL license (the "License"). You may not use
@@ -11,17 +10,14 @@
11#ifndef HEADER_CTERR_H 10#ifndef HEADER_CTERR_H
12# define HEADER_CTERR_H 11# define HEADER_CTERR_H
13 12
14# ifndef HEADER_SYMHACKS_H
15# include <openssl/symhacks.h>
16# endif
17
18# include <openssl/opensslconf.h> 13# include <openssl/opensslconf.h>
19 14
20# ifndef OPENSSL_NO_CT 15# ifndef OPENSSL_NO_CT
21 16
22# ifdef __cplusplus 17#ifdef __cplusplus
23extern "C" 18extern "C"
24# endif 19#endif
20
25int ERR_load_CT_strings(void); 21int ERR_load_CT_strings(void);
26 22
27/* 23/*
generated by cgit v1.2.3-55-g6feb (git 2.39.1) at 2025-03-23 19:29:57 +0000