1 files changed, 16 insertions, 214 deletions
diff --git a/src/lib/libcrypto/ts/ts.h b/src/lib/libcrypto/ts/ts.h
index 0397fb8b08..cb372e6616 100644
--- a/src/lib/libcrypto/ts/ts.h
+++ b/src/lib/libcrypto/ts/ts.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: ts.h,v 1.18 2022/07/24 20:02:04 tb Exp $ */
+/* $OpenBSD: ts.h,v 1.19 2022/09/11 17:31:19 tb Exp $ */
 /* Written by Zoltan Glozik (zglozik@opentsa.org) for the OpenSSL
 * project 2002, 2003, 2004.
 */
@@ -93,99 +93,12 @@ extern "C" {
 #include <openssl/x509.h>
 #include <openssl/x509v3.h>
-/*
+typedef struct TS_msg_imprint_st TS_MSG_IMPRINT;
-MessageImprint ::= SEQUENCE  {
+typedef struct TS_req_st TS_REQ;
-     hashAlgorithm                AlgorithmIdentifier,
+typedef struct TS_accuracy_st TS_ACCURACY;
-     hashedMessage                OCTET STRING  }
+typedef struct TS_tst_info_st TS_TST_INFO;
-*/
-typedef struct TS_msg_imprint_st {
-        X509_ALGOR *hash_algo;
-        ASN1_OCTET_STRING *hashed_msg;
-} TS_MSG_IMPRINT;
-/*
-TimeStampReq ::= SEQUENCE  {
-   version                  INTEGER  { v1(1) },
-   messageImprint           MessageImprint,
-     --a hash algorithm OID and the hash value of the data to be
-     --time-stamped
-   reqPolicy                TSAPolicyId                OPTIONAL,
-   nonce                    INTEGER                    OPTIONAL,
-   certReq                  BOOLEAN                    DEFAULT FALSE,
-   extensions               [0] IMPLICIT Extensions    OPTIONAL  }
-*/
-typedef struct TS_req_st {
-        ASN1_INTEGER *version;
-        TS_MSG_IMPRINT *msg_imprint;
-        ASN1_OBJECT *policy_id;         /* OPTIONAL */
-        ASN1_INTEGER *nonce;            /* OPTIONAL */
-        ASN1_BOOLEAN cert_req;          /* DEFAULT FALSE */
-        STACK_OF(X509_EXTENSION) *extensions;   /* [0] OPTIONAL */
-} TS_REQ;
-/*
-Accuracy ::= SEQUENCE {
-                seconds        INTEGER           OPTIONAL,
-                millis     [0] INTEGER  (1..999) OPTIONAL,
-                micros     [1] INTEGER  (1..999) OPTIONAL  }
-*/
-typedef struct TS_accuracy_st {
-        ASN1_INTEGER *seconds;
-        ASN1_INTEGER *millis;
-        ASN1_INTEGER *micros;
-} TS_ACCURACY;
-/*
-TSTInfo ::= SEQUENCE  {
-    version                      INTEGER  { v1(1) },
-    policy                       TSAPolicyId,
-    messageImprint               MessageImprint,
-      -- MUST have the same value as the similar field in
-      -- TimeStampReq
-    serialNumber                 INTEGER,
-     -- Time-Stamping users MUST be ready to accommodate integers
-     -- up to 160 bits.
-    genTime                      GeneralizedTime,
-    accuracy                     Accuracy                 OPTIONAL,
-    ordering                     BOOLEAN             DEFAULT FALSE,
-    nonce                        INTEGER                  OPTIONAL,
-      -- MUST be present if the similar field was present
-      -- in TimeStampReq.  In that case it MUST have the same value.
-    tsa                          [0] GeneralName          OPTIONAL,
-    extensions                   [1] IMPLICIT Extensions  OPTIONAL   }
-*/
-typedef struct TS_tst_info_st {
-        ASN1_INTEGER *version;
-        ASN1_OBJECT *policy_id;
-        TS_MSG_IMPRINT *msg_imprint;
-        ASN1_INTEGER *serial;
-        ASN1_GENERALIZEDTIME *time;
-        TS_ACCURACY *accuracy;
-        ASN1_BOOLEAN ordering;
-        ASN1_INTEGER *nonce;
-        GENERAL_NAME *tsa;
-        STACK_OF(X509_EXTENSION) *extensions;
-} TS_TST_INFO;
-/*
-PKIStatusInfo ::= SEQUENCE {
-    status        PKIStatus,
-    statusString  PKIFreeText     OPTIONAL,
-    failInfo      PKIFailureInfo  OPTIONAL  }
-From RFC 1510 - section 3.1.1:
-PKIFreeText ::= SEQUENCE SIZE (1..MAX) OF UTF8String
-        -- text encoded as UTF-8 String (note:  each UTF8String SHOULD
-        -- include an RFC 1766 language tag to indicate the language
-        -- of the contained text)
-*/
-/* Possible values for status. See ts_rsp_print.c && ts_rsp_verify.c. */
+/* Possible values for status. */
 #define TS_STATUS_GRANTED                       0
 #define TS_STATUS_GRANTED_WITH_MODS             1
 #define TS_STATUS_REJECTION                     2
@@ -193,8 +106,7 @@ PKIFreeText ::= SEQUENCE SIZE (1..MAX) OF UTF8String
 #define TS_STATUS_REVOCATION_WARNING            4
 #define TS_STATUS_REVOCATION_NOTIFICATION       5
-/* Possible values for failure_info. See ts_rsp_print.c && ts_rsp_verify.c */
+/* Possible values for failure_info. */
 #define TS_INFO_BAD_ALG                 0
 #define TS_INFO_BAD_REQUEST             2
 #define TS_INFO_BAD_DATA_FORMAT         5
@@ -204,72 +116,21 @@ PKIFreeText ::= SEQUENCE SIZE (1..MAX) OF UTF8String
 #define TS_INFO_ADD_INFO_NOT_AVAILABLE  17
 #define TS_INFO_SYSTEM_FAILURE          25
-typedef struct TS_status_info_st {
+typedef struct TS_status_info_st TS_STATUS_INFO;
-        ASN1_INTEGER *status;
-        STACK_OF(ASN1_UTF8STRING) *text;
-        ASN1_BIT_STRING *failure_info;
-} TS_STATUS_INFO;
 DECLARE_STACK_OF(ASN1_UTF8STRING)
-/*
+typedef struct ESS_issuer_serial ESS_ISSUER_SERIAL;
-TimeStampResp ::= SEQUENCE  {
+typedef struct ESS_cert_id ESS_CERT_ID;
-     status                  PKIStatusInfo,
-     timeStampToken          TimeStampToken     OPTIONAL }
-*/
-typedef struct TS_resp_st {
-        TS_STATUS_INFO *status_info;
-        PKCS7 *token;
-        TS_TST_INFO *tst_info;
-} TS_RESP;
-/* The structure below would belong to the ESS component. */
-/*
-IssuerSerial ::= SEQUENCE {
-        issuer                   GeneralNames,
-        serialNumber             CertificateSerialNumber
-        }
-*/
-typedef struct ESS_issuer_serial {
-        STACK_OF(GENERAL_NAME)  *issuer;
-        ASN1_INTEGER            *serial;
-} ESS_ISSUER_SERIAL;
-/*
-ESSCertID ::=  SEQUENCE {
-        certHash                 Hash,
-        issuerSerial             IssuerSerial OPTIONAL
-}
-*/
-typedef struct ESS_cert_id {
-        ASN1_OCTET_STRING *hash;        /* Always SHA-1 digest. */
-        ESS_ISSUER_SERIAL *issuer_serial;
-} ESS_CERT_ID;
 DECLARE_STACK_OF(ESS_CERT_ID)
+typedef struct ESS_signing_cert ESS_SIGNING_CERT;
-/*
-SigningCertificate ::=  SEQUENCE {
-       certs        SEQUENCE OF ESSCertID,
-       policies     SEQUENCE OF PolicyInformation OPTIONAL
-}
-*/
-typedef struct ESS_signing_cert {
-        STACK_OF(ESS_CERT_ID) *cert_ids;
-        STACK_OF(POLICYINFO) *policy_info;
-} ESS_SIGNING_CERT;
-#ifdef LIBRESSL_INTERNAL
 typedef struct ESS_cert_id_v2 ESS_CERT_ID_V2;
 DECLARE_STACK_OF(ESS_CERT_ID_V2)
 typedef struct ESS_signing_cert_v2 ESS_SIGNING_CERT_V2;
-#endif /* LIBRESSL_INTERNAL */
+typedef struct TS_resp_st TS_RESP;
 TS_REQ  *TS_REQ_new(void);
 void    TS_REQ_free(TS_REQ *a);
@@ -398,13 +259,11 @@ int TS_REQ_print_bio(BIO *bio, TS_REQ *a);
 int TS_RESP_set_status_info(TS_RESP *a, TS_STATUS_INFO *info);
 TS_STATUS_INFO *TS_RESP_get_status_info(TS_RESP *a);
-#if defined(LIBRESSL_INTERNAL)
 const ASN1_UTF8STRING *TS_STATUS_INFO_get0_failure_info(const TS_STATUS_INFO *si);
 const STACK_OF(ASN1_UTF8STRING) *
    TS_STATUS_INFO_get0_text(const TS_STATUS_INFO *si);
 const ASN1_INTEGER *TS_STATUS_INFO_get0_status(const TS_STATUS_INFO *si);
 int TS_STATUS_INFO_set_status(TS_STATUS_INFO *si, int i);
-#endif
 /* Caller loses ownership of PKCS7 and TS_TST_INFO objects. */
 void TS_RESP_set_tst_info(TS_RESP *a, PKCS7 *p7, TS_TST_INFO *tst_info);
@@ -494,35 +353,7 @@ typedef	int (*TS_time_cb)(struct TS_resp_ctx *, void *, time_t *sec, long *usec)
 */
 typedef int (*TS_extension_cb)(struct TS_resp_ctx *, X509_EXTENSION *, void *);
-typedef struct TS_resp_ctx {
+typedef struct TS_resp_ctx TS_RESP_CTX;
-        X509            *signer_cert;
-        EVP_PKEY        *signer_key;
-        STACK_OF(X509)  *certs; /* Certs to include in signed data. */
-        STACK_OF(ASN1_OBJECT)   *policies;      /* Acceptable policies. */
-        ASN1_OBJECT     *default_policy; /* It may appear in policies, too. */
-        STACK_OF(EVP_MD)        *mds;   /* Acceptable message digests. */
-        ASN1_INTEGER    *seconds;       /* accuracy, 0 means not specified. */
-        ASN1_INTEGER    *millis;        /* accuracy, 0 means not specified. */
-        ASN1_INTEGER    *micros;        /* accuracy, 0 means not specified. */
-        unsigned        clock_precision_digits; /* fraction of seconds in
-                                                   time stamp token. */
-        unsigned        flags;          /* Optional info, see values above. */
-        /* Callback functions. */
-        TS_serial_cb serial_cb;
-        void *serial_cb_data;   /* User data for serial_cb. */
-        TS_time_cb time_cb;
-        void *time_cb_data;     /* User data for time_cb. */
-        TS_extension_cb extension_cb;
-        void *extension_cb_data;        /* User data for extension_cb. */
-        /* These members are used only while creating the response. */
-        TS_REQ          *request;
-        TS_RESP         *response;
-        TS_TST_INFO     *tst_info;
-} TS_RESP_CTX;
 DECLARE_STACK_OF(EVP_MD)
@@ -567,10 +398,8 @@ void TS_RESP_CTX_add_flags(TS_RESP_CTX *ctx, int flags);
 /* Default callback always returns a constant. */
 void TS_RESP_CTX_set_serial_cb(TS_RESP_CTX *ctx, TS_serial_cb cb, void *data);
-#if defined(LIBRESSL_INTERNAL)
 /* Default callback uses gettimeofday() and gmtime(). */
 void TS_RESP_CTX_set_time_cb(TS_RESP_CTX *ctx, TS_time_cb cb, void *data);
-#endif
 /* Default callback rejects all extensions. The extension callback is called
 * when the TS_TST_INFO object is already set up and not signed yet. */
@@ -646,32 +475,7 @@ int TS_RESP_verify_signature(PKCS7 *token, STACK_OF(X509) *certs,
                                 | TS_VFY_SIGNER        \
                                 | TS_VFY_TSA_NAME)
-typedef struct TS_verify_ctx {
+typedef struct TS_verify_ctx TS_VERIFY_CTX;
-        /* Set this to the union of TS_VFY_... flags you want to carry out. */
-        unsigned        flags;
-        /* Must be set only with TS_VFY_SIGNATURE. certs is optional. */
-        X509_STORE      *store;
-        STACK_OF(X509)  *certs;
-        /* Must be set only with TS_VFY_POLICY. */
-        ASN1_OBJECT     *policy;
-        /* Must be set only with TS_VFY_IMPRINT. If md_alg is NULL,
-           the algorithm from the response is used. */
-        X509_ALGOR      *md_alg;
-        unsigned char   *imprint;
-        unsigned        imprint_len;
-        /* Must be set only with TS_VFY_DATA. */
-        BIO             *data;
-        /* Must be set only with TS_VFY_TSA_NAME. */
-        ASN1_INTEGER    *nonce;
-        /* Must be set only with TS_VFY_TSA_NAME. */
-        GENERAL_NAME    *tsa_name;
-} TS_VERIFY_CTX;
 int TS_RESP_verify_response(TS_VERIFY_CTX *ctx, TS_RESP *response);
 int TS_RESP_verify_token(TS_VERIFY_CTX *ctx, PKCS7 *token);
@@ -687,7 +491,6 @@ void TS_VERIFY_CTX_init(TS_VERIFY_CTX *ctx);
 void TS_VERIFY_CTX_free(TS_VERIFY_CTX *ctx);
 void TS_VERIFY_CTX_cleanup(TS_VERIFY_CTX *ctx);
-#if defined(LIBRESSL_INTERNAL)
 int TS_VERIFY_CTX_add_flags(TS_VERIFY_CTX *ctx, int flags);
 int TS_VERIFY_CTX_set_flags(TS_VERIFY_CTX *ctx, int flags);
 BIO *TS_VERIFY_CTX_set_data(TS_VERIFY_CTX *ctx, BIO *bio);
@@ -698,7 +501,6 @@ STACK_OF(X509) *TS_VERIFY_CTX_set_certs(TS_VERIFY_CTX *ctx,
    STACK_OF(X509) *certs);
 unsigned char *TS_VERIFY_CTX_set_imprint(TS_VERIFY_CTX *ctx,
    unsigned char *imprint, long imprint_len);
-#endif
 /*
 * If ctx is NULL, it allocates and returns a new object, otherwise
@@ -712,7 +514,7 @@ unsigned char *TS_VERIFY_CTX_set_imprint(TS_VERIFY_CTX *ctx,
 * imprint, imprint_len = imprint from request
 * data = NULL
 * nonce, nonce_len = nonce from the request or NULL if absent (in this case
- *      TS_VFY_NONCE is cleared from flags as well)
+ *      TS_VFY_NONCE is cleared from flags as well)
 * tsa_name = NULL
 * Important: after calling this method TS_VFY_SIGNATURE should be added!
 */

diff --git a/src/lib/libcrypto/ts/ts.h b/src/lib/libcrypto/ts/ts.h index 0397fb8b08..cb372e6616 100644 --- a/src/lib/libcrypto/ts/ts.h +++ b/src/lib/libcrypto/ts/ts.h
@@ -1,4 +1,4 @@
1	/* $OpenBSD: ts.h,v 1.18 2022/07/24 20:02:04 tb Exp $ */	1	/* $OpenBSD: ts.h,v 1.19 2022/09/11 17:31:19 tb Exp $ */
2	/* Written by Zoltan Glozik (zglozik@opentsa.org) for the OpenSSL	2	/* Written by Zoltan Glozik (zglozik@opentsa.org) for the OpenSSL
3	* project 2002, 2003, 2004.	3	* project 2002, 2003, 2004.
4	*/	4	*/
@@ -93,99 +93,12 @@ extern "C" {
93	#include <openssl/x509.h>	93	#include <openssl/x509.h>
94	#include <openssl/x509v3.h>	94	#include <openssl/x509v3.h>
95		95
96	/*	96	typedef struct TS_msg_imprint_st TS_MSG_IMPRINT;
97	MessageImprint ::= SEQUENCE {	97	typedef struct TS_req_st TS_REQ;
98	hashAlgorithm AlgorithmIdentifier,	98	typedef struct TS_accuracy_st TS_ACCURACY;
99	hashedMessage OCTET STRING }	99	typedef struct TS_tst_info_st TS_TST_INFO;
100	*/
101
102	typedef struct TS_msg_imprint_st {
103	X509_ALGOR *hash_algo;
104	ASN1_OCTET_STRING *hashed_msg;
105	} TS_MSG_IMPRINT;
106
107	/*
108	TimeStampReq ::= SEQUENCE {
109	version INTEGER { v1(1) },
110	messageImprint MessageImprint,
111	--a hash algorithm OID and the hash value of the data to be
112	--time-stamped
113	reqPolicy TSAPolicyId OPTIONAL,
114	nonce INTEGER OPTIONAL,
115	certReq BOOLEAN DEFAULT FALSE,
116	extensions [0] IMPLICIT Extensions OPTIONAL }
117	*/
118
119	typedef struct TS_req_st {
120	ASN1_INTEGER *version;
121	TS_MSG_IMPRINT *msg_imprint;
122	ASN1_OBJECT policy_id; / OPTIONAL */
123	ASN1_INTEGER nonce; / OPTIONAL */
124	ASN1_BOOLEAN cert_req; /* DEFAULT FALSE */
125	STACK_OF(X509_EXTENSION) extensions; / [0] OPTIONAL */
126	} TS_REQ;
127
128	/*
129	Accuracy ::= SEQUENCE {
130	seconds INTEGER OPTIONAL,
131	millis [0] INTEGER (1..999) OPTIONAL,
132	micros [1] INTEGER (1..999) OPTIONAL }
133	*/
134
135	typedef struct TS_accuracy_st {
136	ASN1_INTEGER *seconds;
137	ASN1_INTEGER *millis;
138	ASN1_INTEGER *micros;
139	} TS_ACCURACY;
140
141	/*
142	TSTInfo ::= SEQUENCE {
143	version INTEGER { v1(1) },
144	policy TSAPolicyId,
145	messageImprint MessageImprint,
146	-- MUST have the same value as the similar field in
147	-- TimeStampReq
148	serialNumber INTEGER,
149	-- Time-Stamping users MUST be ready to accommodate integers
150	-- up to 160 bits.
151	genTime GeneralizedTime,
152	accuracy Accuracy OPTIONAL,
153	ordering BOOLEAN DEFAULT FALSE,
154	nonce INTEGER OPTIONAL,
155	-- MUST be present if the similar field was present
156	-- in TimeStampReq. In that case it MUST have the same value.
157	tsa [0] GeneralName OPTIONAL,
158	extensions [1] IMPLICIT Extensions OPTIONAL }
159	*/
160
161	typedef struct TS_tst_info_st {
162	ASN1_INTEGER *version;
163	ASN1_OBJECT *policy_id;
164	TS_MSG_IMPRINT *msg_imprint;
165	ASN1_INTEGER *serial;
166	ASN1_GENERALIZEDTIME *time;
167	TS_ACCURACY *accuracy;
168	ASN1_BOOLEAN ordering;
169	ASN1_INTEGER *nonce;
170	GENERAL_NAME *tsa;
171	STACK_OF(X509_EXTENSION) *extensions;
172	} TS_TST_INFO;
173
174	/*
175	PKIStatusInfo ::= SEQUENCE {
176	status PKIStatus,
177	statusString PKIFreeText OPTIONAL,
178	failInfo PKIFailureInfo OPTIONAL }
179
180	From RFC 1510 - section 3.1.1:
181	PKIFreeText ::= SEQUENCE SIZE (1..MAX) OF UTF8String
182	-- text encoded as UTF-8 String (note: each UTF8String SHOULD
183	-- include an RFC 1766 language tag to indicate the language
184	-- of the contained text)
185	*/
186
187	/* Possible values for status. See ts_rsp_print.c && ts_rsp_verify.c. */
188		100
		101	/* Possible values for status. */
189	#define TS_STATUS_GRANTED 0	102	#define TS_STATUS_GRANTED 0
190	#define TS_STATUS_GRANTED_WITH_MODS 1	103	#define TS_STATUS_GRANTED_WITH_MODS 1
191	#define TS_STATUS_REJECTION 2	104	#define TS_STATUS_REJECTION 2
@@ -193,8 +106,7 @@ PKIFreeText ::= SEQUENCE SIZE (1..MAX) OF UTF8String
193	#define TS_STATUS_REVOCATION_WARNING 4	106	#define TS_STATUS_REVOCATION_WARNING 4
194	#define TS_STATUS_REVOCATION_NOTIFICATION 5	107	#define TS_STATUS_REVOCATION_NOTIFICATION 5
195		108
196	/* Possible values for failure_info. See ts_rsp_print.c && ts_rsp_verify.c */	109	/* Possible values for failure_info. */
197
198	#define TS_INFO_BAD_ALG 0	110	#define TS_INFO_BAD_ALG 0
199	#define TS_INFO_BAD_REQUEST 2	111	#define TS_INFO_BAD_REQUEST 2
200	#define TS_INFO_BAD_DATA_FORMAT 5	112	#define TS_INFO_BAD_DATA_FORMAT 5
@@ -204,72 +116,21 @@ PKIFreeText ::= SEQUENCE SIZE (1..MAX) OF UTF8String
204	#define TS_INFO_ADD_INFO_NOT_AVAILABLE 17	116	#define TS_INFO_ADD_INFO_NOT_AVAILABLE 17
205	#define TS_INFO_SYSTEM_FAILURE 25	117	#define TS_INFO_SYSTEM_FAILURE 25
206		118
207	typedef struct TS_status_info_st {	119	typedef struct TS_status_info_st TS_STATUS_INFO;
208	ASN1_INTEGER *status;
209	STACK_OF(ASN1_UTF8STRING) *text;
210	ASN1_BIT_STRING *failure_info;
211	} TS_STATUS_INFO;
212		120
213	DECLARE_STACK_OF(ASN1_UTF8STRING)	121	DECLARE_STACK_OF(ASN1_UTF8STRING)
214		122
215	/*	123	typedef struct ESS_issuer_serial ESS_ISSUER_SERIAL;
216	TimeStampResp ::= SEQUENCE {	124	typedef struct ESS_cert_id ESS_CERT_ID;
217	status PKIStatusInfo,
218	timeStampToken TimeStampToken OPTIONAL }
219	*/
220
221	typedef struct TS_resp_st {
222	TS_STATUS_INFO *status_info;
223	PKCS7 *token;
224	TS_TST_INFO *tst_info;
225	} TS_RESP;
226
227	/* The structure below would belong to the ESS component. */
228
229	/*
230	IssuerSerial ::= SEQUENCE {
231	issuer GeneralNames,
232	serialNumber CertificateSerialNumber
233	}
234	*/
235
236	typedef struct ESS_issuer_serial {
237	STACK_OF(GENERAL_NAME) *issuer;
238	ASN1_INTEGER *serial;
239	} ESS_ISSUER_SERIAL;
240
241	/*
242	ESSCertID ::= SEQUENCE {
243	certHash Hash,
244	issuerSerial IssuerSerial OPTIONAL
245	}
246	*/
247
248	typedef struct ESS_cert_id {
249	ASN1_OCTET_STRING hash; / Always SHA-1 digest. */
250	ESS_ISSUER_SERIAL *issuer_serial;
251	} ESS_CERT_ID;
252
253	DECLARE_STACK_OF(ESS_CERT_ID)	125	DECLARE_STACK_OF(ESS_CERT_ID)
		126	typedef struct ESS_signing_cert ESS_SIGNING_CERT;
254		127
255	/*
256	SigningCertificate ::= SEQUENCE {
257	certs SEQUENCE OF ESSCertID,
258	policies SEQUENCE OF PolicyInformation OPTIONAL
259	}
260	*/
261
262	typedef struct ESS_signing_cert {
263	STACK_OF(ESS_CERT_ID) *cert_ids;
264	STACK_OF(POLICYINFO) *policy_info;
265	} ESS_SIGNING_CERT;
266
267	#ifdef LIBRESSL_INTERNAL
268	typedef struct ESS_cert_id_v2 ESS_CERT_ID_V2;	128	typedef struct ESS_cert_id_v2 ESS_CERT_ID_V2;
269	DECLARE_STACK_OF(ESS_CERT_ID_V2)	129	DECLARE_STACK_OF(ESS_CERT_ID_V2)
270		130
271	typedef struct ESS_signing_cert_v2 ESS_SIGNING_CERT_V2;	131	typedef struct ESS_signing_cert_v2 ESS_SIGNING_CERT_V2;
272	#endif /* LIBRESSL_INTERNAL */	132
		133	typedef struct TS_resp_st TS_RESP;
273		134
274	TS_REQ *TS_REQ_new(void);	135	TS_REQ *TS_REQ_new(void);
275	void TS_REQ_free(TS_REQ *a);	136	void TS_REQ_free(TS_REQ *a);
@@ -398,13 +259,11 @@ int TS_REQ_print_bio(BIO bio, TS_REQ a);
398	int TS_RESP_set_status_info(TS_RESP a, TS_STATUS_INFO info);	259	int TS_RESP_set_status_info(TS_RESP a, TS_STATUS_INFO info);
399	TS_STATUS_INFO TS_RESP_get_status_info(TS_RESP a);	260	TS_STATUS_INFO TS_RESP_get_status_info(TS_RESP a);
400		261
401	#if defined(LIBRESSL_INTERNAL)
402	const ASN1_UTF8STRING TS_STATUS_INFO_get0_failure_info(const TS_STATUS_INFO si);	262	const ASN1_UTF8STRING TS_STATUS_INFO_get0_failure_info(const TS_STATUS_INFO si);
403	const STACK_OF(ASN1_UTF8STRING) *	263	const STACK_OF(ASN1_UTF8STRING) *
404	TS_STATUS_INFO_get0_text(const TS_STATUS_INFO *si);	264	TS_STATUS_INFO_get0_text(const TS_STATUS_INFO *si);
405	const ASN1_INTEGER TS_STATUS_INFO_get0_status(const TS_STATUS_INFO si);	265	const ASN1_INTEGER TS_STATUS_INFO_get0_status(const TS_STATUS_INFO si);
406	int TS_STATUS_INFO_set_status(TS_STATUS_INFO *si, int i);	266	int TS_STATUS_INFO_set_status(TS_STATUS_INFO *si, int i);
407	#endif
408		267
409	/* Caller loses ownership of PKCS7 and TS_TST_INFO objects. */	268	/* Caller loses ownership of PKCS7 and TS_TST_INFO objects. */
410	void TS_RESP_set_tst_info(TS_RESP a, PKCS7 p7, TS_TST_INFO *tst_info);	269	void TS_RESP_set_tst_info(TS_RESP a, PKCS7 p7, TS_TST_INFO *tst_info);
@@ -494,35 +353,7 @@ typedef int (TS_time_cb)(struct TS_resp_ctx , void , time_t sec, long *usec)
494	*/	353	*/
495	typedef int (TS_extension_cb)(struct TS_resp_ctx , X509_EXTENSION , void );	354	typedef int (TS_extension_cb)(struct TS_resp_ctx , X509_EXTENSION , void );
496		355
497	typedef struct TS_resp_ctx {	356	typedef struct TS_resp_ctx TS_RESP_CTX;
498	X509 *signer_cert;
499	EVP_PKEY *signer_key;
500	STACK_OF(X509) certs; / Certs to include in signed data. */
501	STACK_OF(ASN1_OBJECT) policies; / Acceptable policies. */
502	ASN1_OBJECT default_policy; / It may appear in policies, too. */
503	STACK_OF(EVP_MD) mds; / Acceptable message digests. */
504	ASN1_INTEGER seconds; / accuracy, 0 means not specified. */
505	ASN1_INTEGER millis; / accuracy, 0 means not specified. */
506	ASN1_INTEGER micros; / accuracy, 0 means not specified. */
507	unsigned clock_precision_digits; /* fraction of seconds in
508	time stamp token. */
509	unsigned flags; /* Optional info, see values above. */
510
511	/* Callback functions. */
512	TS_serial_cb serial_cb;
513	void serial_cb_data; / User data for serial_cb. */
514
515	TS_time_cb time_cb;
516	void time_cb_data; / User data for time_cb. */
517
518	TS_extension_cb extension_cb;
519	void extension_cb_data; / User data for extension_cb. */
520
521	/* These members are used only while creating the response. */
522	TS_REQ *request;
523	TS_RESP *response;
524	TS_TST_INFO *tst_info;
525	} TS_RESP_CTX;
526		357
527	DECLARE_STACK_OF(EVP_MD)	358	DECLARE_STACK_OF(EVP_MD)
528		359
@@ -567,10 +398,8 @@ void TS_RESP_CTX_add_flags(TS_RESP_CTX *ctx, int flags);
567	/* Default callback always returns a constant. */	398	/* Default callback always returns a constant. */
568	void TS_RESP_CTX_set_serial_cb(TS_RESP_CTX ctx, TS_serial_cb cb, void data);	399	void TS_RESP_CTX_set_serial_cb(TS_RESP_CTX ctx, TS_serial_cb cb, void data);
569		400
570	#if defined(LIBRESSL_INTERNAL)
571	/* Default callback uses gettimeofday() and gmtime(). */	401	/* Default callback uses gettimeofday() and gmtime(). */
572	void TS_RESP_CTX_set_time_cb(TS_RESP_CTX ctx, TS_time_cb cb, void data);	402	void TS_RESP_CTX_set_time_cb(TS_RESP_CTX ctx, TS_time_cb cb, void data);
573	#endif
574		403
575	/* Default callback rejects all extensions. The extension callback is called	404	/* Default callback rejects all extensions. The extension callback is called
576	* when the TS_TST_INFO object is already set up and not signed yet. */	405	* when the TS_TST_INFO object is already set up and not signed yet. */
@@ -646,32 +475,7 @@ int TS_RESP_verify_signature(PKCS7 token, STACK_OF(X509) certs,
646	\| TS_VFY_SIGNER \	475	\| TS_VFY_SIGNER \
647	\| TS_VFY_TSA_NAME)	476	\| TS_VFY_TSA_NAME)
648		477
649	typedef struct TS_verify_ctx {	478	typedef struct TS_verify_ctx TS_VERIFY_CTX;
650	/* Set this to the union of TS_VFY_... flags you want to carry out. */
651	unsigned flags;
652
653	/* Must be set only with TS_VFY_SIGNATURE. certs is optional. */
654	X509_STORE *store;
655	STACK_OF(X509) *certs;
656
657	/* Must be set only with TS_VFY_POLICY. */
658	ASN1_OBJECT *policy;
659
660	/* Must be set only with TS_VFY_IMPRINT. If md_alg is NULL,
661	the algorithm from the response is used. */
662	X509_ALGOR *md_alg;
663	unsigned char *imprint;
664	unsigned imprint_len;
665
666	/* Must be set only with TS_VFY_DATA. */
667	BIO *data;
668
669	/* Must be set only with TS_VFY_TSA_NAME. */
670	ASN1_INTEGER *nonce;
671
672	/* Must be set only with TS_VFY_TSA_NAME. */
673	GENERAL_NAME *tsa_name;
674	} TS_VERIFY_CTX;
675		479
676	int TS_RESP_verify_response(TS_VERIFY_CTX ctx, TS_RESP response);	480	int TS_RESP_verify_response(TS_VERIFY_CTX ctx, TS_RESP response);
677	int TS_RESP_verify_token(TS_VERIFY_CTX ctx, PKCS7 token);	481	int TS_RESP_verify_token(TS_VERIFY_CTX ctx, PKCS7 token);
@@ -687,7 +491,6 @@ void TS_VERIFY_CTX_init(TS_VERIFY_CTX *ctx);
687	void TS_VERIFY_CTX_free(TS_VERIFY_CTX *ctx);	491	void TS_VERIFY_CTX_free(TS_VERIFY_CTX *ctx);
688	void TS_VERIFY_CTX_cleanup(TS_VERIFY_CTX *ctx);	492	void TS_VERIFY_CTX_cleanup(TS_VERIFY_CTX *ctx);
689		493
690	#if defined(LIBRESSL_INTERNAL)
691	int TS_VERIFY_CTX_add_flags(TS_VERIFY_CTX *ctx, int flags);	494	int TS_VERIFY_CTX_add_flags(TS_VERIFY_CTX *ctx, int flags);
692	int TS_VERIFY_CTX_set_flags(TS_VERIFY_CTX *ctx, int flags);	495	int TS_VERIFY_CTX_set_flags(TS_VERIFY_CTX *ctx, int flags);
693	BIO TS_VERIFY_CTX_set_data(TS_VERIFY_CTX ctx, BIO *bio);	496	BIO TS_VERIFY_CTX_set_data(TS_VERIFY_CTX ctx, BIO *bio);
@@ -698,7 +501,6 @@ STACK_OF(X509) TS_VERIFY_CTX_set_certs(TS_VERIFY_CTX ctx,
698	STACK_OF(X509) *certs);	501	STACK_OF(X509) *certs);
699	unsigned char TS_VERIFY_CTX_set_imprint(TS_VERIFY_CTX ctx,	502	unsigned char TS_VERIFY_CTX_set_imprint(TS_VERIFY_CTX ctx,
700	unsigned char *imprint, long imprint_len);	503	unsigned char *imprint, long imprint_len);
701	#endif
702		504
703	/*	505	/*
704	* If ctx is NULL, it allocates and returns a new object, otherwise	506	* If ctx is NULL, it allocates and returns a new object, otherwise
@@ -712,7 +514,7 @@ unsigned char TS_VERIFY_CTX_set_imprint(TS_VERIFY_CTX ctx,
712	* imprint, imprint_len = imprint from request	514	* imprint, imprint_len = imprint from request
713	* data = NULL	515	* data = NULL
714	* nonce, nonce_len = nonce from the request or NULL if absent (in this case	516	* nonce, nonce_len = nonce from the request or NULL if absent (in this case
715	* TS_VFY_NONCE is cleared from flags as well)	517	* TS_VFY_NONCE is cleared from flags as well)
716	* tsa_name = NULL	518	* tsa_name = NULL
717	* Important: after calling this method TS_VFY_SIGNATURE should be added!	519	* Important: after calling this method TS_VFY_SIGNATURE should be added!
718	*/	520	*/