1 files changed, 216 insertions, 0 deletions
diff --git a/src/lib/libcrypto/ct/ct_local.h b/src/lib/libcrypto/ct/ct_local.h
new file mode 100644
index 0000000000..9f983c91be
--- /dev/null
+++ b/src/lib/libcrypto/ct/ct_local.h
@@ -0,0 +1,216 @@
+/*
+ * Copyright 2015-2016 The OpenSSL Project Authors. All Rights Reserved.
+ *
+ * Licensed under the OpenSSL license (the "License").  You may not use
+ * this file except in compliance with the License.  You can obtain a copy
+ * in the file LICENSE in the source distribution or at
+ * https://www.openssl.org/source/license.html
+ */
+#include <stddef.h>
+#include <openssl/ct.h>
+#include <openssl/evp.h>
+#include <openssl/x509.h>
+#include <openssl/x509v3.h>
+#include <openssl/safestack.h>
+/*
+ * From RFC6962: opaque SerializedSCT<1..2^16-1>; struct { SerializedSCT
+ * sct_list <1..2^16-1>; } SignedCertificateTimestampList;
+ */
+# define MAX_SCT_SIZE            65535
+# define MAX_SCT_LIST_SIZE       MAX_SCT_SIZE
+/*
+ * Macros to read and write integers in network-byte order.
+ */
+#define n2s(c,s)        ((s=(((unsigned int)((c)[0]))<< 8)| \
+                            (((unsigned int)((c)[1]))    )),c+=2)
+#define s2n(s,c)        ((c[0]=(unsigned char)(((s)>> 8)&0xff), \
+                          c[1]=(unsigned char)(((s)    )&0xff)),c+=2)
+#define l2n3(l,c)       ((c[0]=(unsigned char)(((l)>>16)&0xff), \
+                          c[1]=(unsigned char)(((l)>> 8)&0xff), \
+                          c[2]=(unsigned char)(((l)    )&0xff)),c+=3)
+#define n2l8(c,l)       (l =((uint64_t)(*((c)++)))<<56, \
+                         l|=((uint64_t)(*((c)++)))<<48, \
+                         l|=((uint64_t)(*((c)++)))<<40, \
+                         l|=((uint64_t)(*((c)++)))<<32, \
+                         l|=((uint64_t)(*((c)++)))<<24, \
+                         l|=((uint64_t)(*((c)++)))<<16, \
+                         l|=((uint64_t)(*((c)++)))<< 8, \
+                         l|=((uint64_t)(*((c)++))))
+#define l2n8(l,c)       (*((c)++)=(unsigned char)(((l)>>56)&0xff), \
+                         *((c)++)=(unsigned char)(((l)>>48)&0xff), \
+                         *((c)++)=(unsigned char)(((l)>>40)&0xff), \
+                         *((c)++)=(unsigned char)(((l)>>32)&0xff), \
+                         *((c)++)=(unsigned char)(((l)>>24)&0xff), \
+                         *((c)++)=(unsigned char)(((l)>>16)&0xff), \
+                         *((c)++)=(unsigned char)(((l)>> 8)&0xff), \
+                         *((c)++)=(unsigned char)(((l)    )&0xff))
+/* Signed Certificate Timestamp */
+struct sct_st {
+    sct_version_t version;
+    /* If version is not SCT_VERSION_V1, this contains the encoded SCT */
+    unsigned char *sct;
+    size_t sct_len;
+    /* If version is SCT_VERSION_V1, fields below contain components of the SCT */
+    unsigned char *log_id;
+    size_t log_id_len;
+    /*
+    * Note, we cannot distinguish between an unset timestamp, and one
+    * that is set to 0.  However since CT didn't exist in 1970, no real
+    * SCT should ever be set as such.
+    */
+    uint64_t timestamp;
+    unsigned char *ext;
+    size_t ext_len;
+    unsigned char hash_alg;
+    unsigned char sig_alg;
+    unsigned char *sig;
+    size_t sig_len;
+    /* Log entry type */
+    ct_log_entry_type_t entry_type;
+    /* Where this SCT was found, e.g. certificate, OCSP response, etc. */
+    sct_source_t source;
+    /* The result of the last attempt to validate this SCT. */
+    sct_validation_status_t validation_status;
+};
+/* Miscellaneous data that is useful when verifying an SCT  */
+struct sct_ctx_st {
+    /* Public key */
+    EVP_PKEY *pkey;
+    /* Hash of public key */
+    unsigned char *pkeyhash;
+    size_t pkeyhashlen;
+    /* For pre-certificate: issuer public key hash */
+    unsigned char *ihash;
+    size_t ihashlen;
+    /* certificate encoding */
+    unsigned char *certder;
+    size_t certderlen;
+    /* pre-certificate encoding */
+    unsigned char *preder;
+    size_t prederlen;
+    /* milliseconds since epoch (to check that the SCT isn't from the future) */
+    uint64_t epoch_time_in_ms;
+};
+/* Context when evaluating whether a Certificate Transparency policy is met */
+struct ct_policy_eval_ctx_st {
+    X509 *cert;
+    X509 *issuer;
+    CTLOG_STORE *log_store;
+    /* milliseconds since epoch (to check that SCTs aren't from the future) */
+    uint64_t epoch_time_in_ms;
+};
+/*
+ * Creates a new context for verifying an SCT.
+ */
+SCT_CTX *SCT_CTX_new(void);
+/*
+ * Deletes an SCT verification context.
+ */
+void SCT_CTX_free(SCT_CTX *sctx);
+/*
+ * Sets the certificate that the SCT was created for.
+ * If *cert does not have a poison extension, presigner must be NULL.
+ * If *cert does not have a poison extension, it may have a single SCT
+ * (NID_ct_precert_scts) extension.
+ * If either *cert or *presigner have an AKID (NID_authority_key_identifier)
+ * extension, both must have one.
+ * Returns 1 on success, 0 on failure.
+ */
+__owur int SCT_CTX_set1_cert(SCT_CTX *sctx, X509 *cert, X509 *presigner);
+/*
+ * Sets the issuer of the certificate that the SCT was created for.
+ * This is just a convenience method to save extracting the public key and
+ * calling SCT_CTX_set1_issuer_pubkey().
+ * Issuer must not be NULL.
+ * Returns 1 on success, 0 on failure.
+ */
+__owur int SCT_CTX_set1_issuer(SCT_CTX *sctx, const X509 *issuer);
+/*
+ * Sets the public key of the issuer of the certificate that the SCT was created
+ * for.
+ * The public key must not be NULL.
+ * Returns 1 on success, 0 on failure.
+ */
+__owur int SCT_CTX_set1_issuer_pubkey(SCT_CTX *sctx, X509_PUBKEY *pubkey);
+/*
+ * Sets the public key of the CT log that the SCT is from.
+ * Returns 1 on success, 0 on failure.
+ */
+__owur int SCT_CTX_set1_pubkey(SCT_CTX *sctx, X509_PUBKEY *pubkey);
+/*
+ * Sets the time to evaluate the SCT against, in milliseconds since the Unix
+ * epoch. If the SCT's timestamp is after this time, it will be interpreted as
+ * having been issued in the future. RFC6962 states that "TLS clients MUST
+ * reject SCTs whose timestamp is in the future", so an SCT will not validate
+ * in this case.
+ */
+void SCT_CTX_set_time(SCT_CTX *sctx, uint64_t time_in_ms);
+/*
+ * Verifies an SCT with the given context.
+ * Returns 1 if the SCT verifies successfully; any other value indicates
+ * failure. See EVP_DigestVerifyFinal() for the meaning of those values.
+ */
+__owur int SCT_CTX_verify(const SCT_CTX *sctx, const SCT *sct);
+/*
+ * Does this SCT have the minimum fields populated to be usable?
+ * Returns 1 if so, 0 otherwise.
+ */
+__owur int SCT_is_complete(const SCT *sct);
+/*
+ * Does this SCT have the signature-related fields populated?
+ * Returns 1 if so, 0 otherwise.
+ * This checks that the signature and hash algorithms are set to supported
+ * values and that the signature field is set.
+ */
+__owur int SCT_signature_is_complete(const SCT *sct);
+/*
+ * TODO(RJPercival): Create an SCT_signature struct and make i2o_SCT_signature
+ * and o2i_SCT_signature conform to the i2d/d2i conventions.
+ */
+/*
+* Serialize (to TLS format) an |sct| signature and write it to |out|.
+* If |out| is null, no signature will be output but the length will be returned.
+* If |out| points to a null pointer, a string will be allocated to hold the
+* TLS-format signature. It is the responsibility of the caller to free it.
+* If |out| points to an allocated string, the signature will be written to it.
+* The length of the signature in TLS format will be returned.
+*/
+__owur int i2o_SCT_signature(const SCT *sct, unsigned char **out);
+/*
+* Parses an SCT signature in TLS format and populates the |sct| with it.
+* |in| should be a pointer to a string containing the TLS-format signature.
+* |in| will be advanced to the end of the signature if parsing succeeds.
+* |len| should be the length of the signature in |in|.
+* Returns the number of bytes parsed, or a negative integer if an error occurs.
+* If an error occurs, the SCT's signature NID may be updated whilst the
+* signature field itself remains unset.
+*/
+__owur int o2i_SCT_signature(SCT *sct, const unsigned char **in, size_t len);
+/*
+ * Handlers for Certificate Transparency X509v3/OCSP extensions
+ */
+extern const X509V3_EXT_METHOD v3_ct_scts[3];

diff --git a/src/lib/libcrypto/ct/ct_local.h b/src/lib/libcrypto/ct/ct_local.h new file mode 100644 index 0000000000..9f983c91be --- /dev/null +++ b/src/lib/libcrypto/ct/ct_local.h
@@ -0,0 +1,216 @@
	1	/*
	2	* Copyright 2015-2016 The OpenSSL Project Authors. All Rights Reserved.
	3	*
	4	* Licensed under the OpenSSL license (the "License"). You may not use
	5	* this file except in compliance with the License. You can obtain a copy
	6	* in the file LICENSE in the source distribution or at
	7	* https://www.openssl.org/source/license.html
	8	*/
	9
	10	#include <stddef.h>
	11	#include <openssl/ct.h>
	12	#include <openssl/evp.h>
	13	#include <openssl/x509.h>
	14	#include <openssl/x509v3.h>
	15	#include <openssl/safestack.h>
	16
	17	/*
	18	* From RFC6962: opaque SerializedSCT<1..2^16-1>; struct { SerializedSCT
	19	* sct_list <1..2^16-1>; } SignedCertificateTimestampList;
	20	*/
	21	# define MAX_SCT_SIZE 65535
	22	# define MAX_SCT_LIST_SIZE MAX_SCT_SIZE
	23
	24	/*
	25	* Macros to read and write integers in network-byte order.
	26	*/
	27
	28	#define n2s(c,s) ((s=(((unsigned int)((c)[0]))<< 8)\| \
	29	(((unsigned int)((c)[1])) )),c+=2)
	30
	31	#define s2n(s,c) ((c[0]=(unsigned char)(((s)>> 8)&0xff), \
	32	c[1]=(unsigned char)(((s) )&0xff)),c+=2)
	33
	34	#define l2n3(l,c) ((c[0]=(unsigned char)(((l)>>16)&0xff), \
	35	c[1]=(unsigned char)(((l)>> 8)&0xff), \
	36	c[2]=(unsigned char)(((l) )&0xff)),c+=3)
	37
	38	#define n2l8(c,l) (l =((uint64_t)(*((c)++)))<<56, \
	39	l\|=((uint64_t)(*((c)++)))<<48, \
	40	l\|=((uint64_t)(*((c)++)))<<40, \
	41	l\|=((uint64_t)(*((c)++)))<<32, \
	42	l\|=((uint64_t)(*((c)++)))<<24, \
	43	l\|=((uint64_t)(*((c)++)))<<16, \
	44	l\|=((uint64_t)(*((c)++)))<< 8, \
	45	l\|=((uint64_t)(*((c)++))))
	46
	47	#define l2n8(l,c) (*((c)++)=(unsigned char)(((l)>>56)&0xff), \
	48	*((c)++)=(unsigned char)(((l)>>48)&0xff), \
	49	*((c)++)=(unsigned char)(((l)>>40)&0xff), \
	50	*((c)++)=(unsigned char)(((l)>>32)&0xff), \
	51	*((c)++)=(unsigned char)(((l)>>24)&0xff), \
	52	*((c)++)=(unsigned char)(((l)>>16)&0xff), \
	53	*((c)++)=(unsigned char)(((l)>> 8)&0xff), \
	54	*((c)++)=(unsigned char)(((l) )&0xff))
	55
	56	/* Signed Certificate Timestamp */
	57	struct sct_st {
	58	sct_version_t version;
	59	/* If version is not SCT_VERSION_V1, this contains the encoded SCT */
	60	unsigned char *sct;
	61	size_t sct_len;
	62	/* If version is SCT_VERSION_V1, fields below contain components of the SCT */
	63	unsigned char *log_id;
	64	size_t log_id_len;
	65	/*
	66	* Note, we cannot distinguish between an unset timestamp, and one
	67	* that is set to 0. However since CT didn't exist in 1970, no real
	68	* SCT should ever be set as such.
	69	*/
	70	uint64_t timestamp;
	71	unsigned char *ext;
	72	size_t ext_len;
	73	unsigned char hash_alg;
	74	unsigned char sig_alg;
	75	unsigned char *sig;
	76	size_t sig_len;
	77	/* Log entry type */
	78	ct_log_entry_type_t entry_type;
	79	/* Where this SCT was found, e.g. certificate, OCSP response, etc. */
	80	sct_source_t source;
	81	/* The result of the last attempt to validate this SCT. */
	82	sct_validation_status_t validation_status;
	83	};
	84
	85	/* Miscellaneous data that is useful when verifying an SCT */
	86	struct sct_ctx_st {
	87	/* Public key */
	88	EVP_PKEY *pkey;
	89	/* Hash of public key */
	90	unsigned char *pkeyhash;
	91	size_t pkeyhashlen;
	92	/* For pre-certificate: issuer public key hash */
	93	unsigned char *ihash;
	94	size_t ihashlen;
	95	/* certificate encoding */
	96	unsigned char *certder;
	97	size_t certderlen;
	98	/* pre-certificate encoding */
	99	unsigned char *preder;
	100	size_t prederlen;
	101	/* milliseconds since epoch (to check that the SCT isn't from the future) */
	102	uint64_t epoch_time_in_ms;
	103	};
	104
	105	/* Context when evaluating whether a Certificate Transparency policy is met */
	106	struct ct_policy_eval_ctx_st {
	107	X509 *cert;
	108	X509 *issuer;
	109	CTLOG_STORE *log_store;
	110	/* milliseconds since epoch (to check that SCTs aren't from the future) */
	111	uint64_t epoch_time_in_ms;
	112	};
	113
	114	/*
	115	* Creates a new context for verifying an SCT.
	116	*/
	117	SCT_CTX *SCT_CTX_new(void);
	118	/*
	119	* Deletes an SCT verification context.
	120	*/
	121	void SCT_CTX_free(SCT_CTX *sctx);
	122
	123	/*
	124	* Sets the certificate that the SCT was created for.
	125	* If *cert does not have a poison extension, presigner must be NULL.
	126	* If *cert does not have a poison extension, it may have a single SCT
	127	* (NID_ct_precert_scts) extension.
	128	* If either cert or presigner have an AKID (NID_authority_key_identifier)
	129	* extension, both must have one.
	130	* Returns 1 on success, 0 on failure.
	131	*/
	132	__owur int SCT_CTX_set1_cert(SCT_CTX sctx, X509 cert, X509 *presigner);
	133
	134	/*
	135	* Sets the issuer of the certificate that the SCT was created for.
	136	* This is just a convenience method to save extracting the public key and
	137	* calling SCT_CTX_set1_issuer_pubkey().
	138	* Issuer must not be NULL.
	139	* Returns 1 on success, 0 on failure.
	140	*/
	141	__owur int SCT_CTX_set1_issuer(SCT_CTX sctx, const X509 issuer);
	142
	143	/*
	144	* Sets the public key of the issuer of the certificate that the SCT was created
	145	* for.
	146	* The public key must not be NULL.
	147	* Returns 1 on success, 0 on failure.
	148	*/
	149	__owur int SCT_CTX_set1_issuer_pubkey(SCT_CTX sctx, X509_PUBKEY pubkey);
	150
	151	/*
	152	* Sets the public key of the CT log that the SCT is from.
	153	* Returns 1 on success, 0 on failure.
	154	*/
	155	__owur int SCT_CTX_set1_pubkey(SCT_CTX sctx, X509_PUBKEY pubkey);
	156
	157	/*
	158	* Sets the time to evaluate the SCT against, in milliseconds since the Unix
	159	* epoch. If the SCT's timestamp is after this time, it will be interpreted as
	160	* having been issued in the future. RFC6962 states that "TLS clients MUST
	161	* reject SCTs whose timestamp is in the future", so an SCT will not validate
	162	* in this case.
	163	*/
	164	void SCT_CTX_set_time(SCT_CTX *sctx, uint64_t time_in_ms);
	165
	166	/*
	167	* Verifies an SCT with the given context.
	168	* Returns 1 if the SCT verifies successfully; any other value indicates
	169	* failure. See EVP_DigestVerifyFinal() for the meaning of those values.
	170	*/
	171	__owur int SCT_CTX_verify(const SCT_CTX sctx, const SCT sct);
	172
	173	/*
	174	* Does this SCT have the minimum fields populated to be usable?
	175	* Returns 1 if so, 0 otherwise.
	176	*/
	177	__owur int SCT_is_complete(const SCT *sct);
	178
	179	/*
	180	* Does this SCT have the signature-related fields populated?
	181	* Returns 1 if so, 0 otherwise.
	182	* This checks that the signature and hash algorithms are set to supported
	183	* values and that the signature field is set.
	184	*/
	185	__owur int SCT_signature_is_complete(const SCT *sct);
	186
	187	/*
	188	* TODO(RJPercival): Create an SCT_signature struct and make i2o_SCT_signature
	189	* and o2i_SCT_signature conform to the i2d/d2i conventions.
	190	*/
	191
	192	/*
	193	* Serialize (to TLS format) an \|sct\| signature and write it to \|out\|.
	194	* If \|out\| is null, no signature will be output but the length will be returned.
	195	* If \|out\| points to a null pointer, a string will be allocated to hold the
	196	* TLS-format signature. It is the responsibility of the caller to free it.
	197	* If \|out\| points to an allocated string, the signature will be written to it.
	198	* The length of the signature in TLS format will be returned.
	199	*/
	200	__owur int i2o_SCT_signature(const SCT sct, unsigned char *out);
	201
	202	/*
	203	* Parses an SCT signature in TLS format and populates the \|sct\| with it.
	204	* \|in\| should be a pointer to a string containing the TLS-format signature.
	205	* \|in\| will be advanced to the end of the signature if parsing succeeds.
	206	* \|len\| should be the length of the signature in \|in\|.
	207	* Returns the number of bytes parsed, or a negative integer if an error occurs.
	208	* If an error occurs, the SCT's signature NID may be updated whilst the
	209	* signature field itself remains unset.
	210	*/
	211	__owur int o2i_SCT_signature(SCT sct, const unsigned char *in, size_t len);
	212
	213	/*
	214	* Handlers for Certificate Transparency X509v3/OCSP extensions
	215	*/
	216	extern const X509V3_EXT_METHOD v3_ct_scts[3];