Tree - source-git/openssl - CentOS Git server

source-git / openssl

Blame crypto/ct/ct_vfy.c

Blob History Raw

Packit	c4476c	`/*`
Packit	c4476c	`* Copyright 2016 The OpenSSL Project Authors. All Rights Reserved.`
Packit	c4476c	`*`
Packit	c4476c	`* Licensed under the OpenSSL license (the "License"). You may not use`
Packit	c4476c	`* this file except in compliance with the License. You can obtain a copy`
Packit	c4476c	`* in the file LICENSE in the source distribution or at`
Packit	c4476c	`* https://www.openssl.org/source/license.html`
Packit	c4476c	`*/`
Packit	c4476c
Packit	c4476c	`#include <string.h>`
Packit	c4476c
Packit	c4476c	`#include <openssl/ct.h>`
Packit	c4476c	`#include <openssl/err.h>`
Packit	c4476c	`#include <openssl/evp.h>`
Packit	c4476c	`#include <openssl/x509.h>`
Packit	c4476c
Packit	c4476c	`#include "ct_local.h"`
Packit	c4476c
Packit	c4476c	`typedef enum sct_signature_type_t {`
Packit	c4476c	`SIGNATURE_TYPE_NOT_SET = -1,`
Packit	c4476c	`SIGNATURE_TYPE_CERT_TIMESTAMP,`
Packit	c4476c	`SIGNATURE_TYPE_TREE_HASH`
Packit	c4476c	`} SCT_SIGNATURE_TYPE;`
Packit	c4476c
Packit	c4476c	`/*`
Packit	c4476c	`* Update encoding for SCT signature verification/generation to supplied`
Packit	c4476c	`* EVP_MD_CTX.`
Packit	c4476c	`*/`
Packit	c4476c	`static int sct_ctx_update(EVP_MD_CTX ctx, const SCT_CTX sctx, const SCT *sct)`
Packit	c4476c	`{`
Packit	c4476c	`unsigned char tmpbuf[12];`
Packit	c4476c	`unsigned char p, der;`
Packit	c4476c	`size_t derlen;`
Packit	c4476c	`/*+`
Packit	c4476c	`* digitally-signed struct {`
Packit	c4476c	`* (1 byte) Version sct_version;`
Packit	c4476c	`* (1 byte) SignatureType signature_type = certificate_timestamp;`
Packit	c4476c	`* (8 bytes) uint64 timestamp;`
Packit	c4476c	`* (2 bytes) LogEntryType entry_type;`
Packit	c4476c	`* (? bytes) select(entry_type) {`
Packit	c4476c	`* case x509_entry: ASN.1Cert;`
Packit	c4476c	`* case precert_entry: PreCert;`
Packit	c4476c	`* } signed_entry;`
Packit	c4476c	`* (2 bytes + sct->ext_len) CtExtensions extensions;`
Packit	c4476c	`* }`
Packit	c4476c	`*/`
Packit	c4476c	`if (sct->entry_type == CT_LOG_ENTRY_TYPE_NOT_SET)`
Packit	c4476c	`return 0;`
Packit	c4476c	`if (sct->entry_type == CT_LOG_ENTRY_TYPE_PRECERT && sctx->ihash == NULL)`
Packit	c4476c	`return 0;`
Packit	c4476c
Packit	c4476c	`p = tmpbuf;`
Packit	c4476c	`*p++ = sct->version;`
Packit	c4476c	`*p++ = SIGNATURE_TYPE_CERT_TIMESTAMP;`
Packit	c4476c	`l2n8(sct->timestamp, p);`
Packit	c4476c	`s2n(sct->entry_type, p);`
Packit	c4476c
Packit	c4476c	`if (!EVP_DigestUpdate(ctx, tmpbuf, p - tmpbuf))`
Packit	c4476c	`return 0;`
Packit	c4476c
Packit	c4476c	`if (sct->entry_type == CT_LOG_ENTRY_TYPE_X509) {`
Packit	c4476c	`der = sctx->certder;`
Packit	c4476c	`derlen = sctx->certderlen;`
Packit	c4476c	`} else {`
Packit	c4476c	`if (!EVP_DigestUpdate(ctx, sctx->ihash, sctx->ihashlen))`
Packit	c4476c	`return 0;`
Packit	c4476c	`der = sctx->preder;`
Packit	c4476c	`derlen = sctx->prederlen;`
Packit	c4476c	`}`
Packit	c4476c
Packit	c4476c	`/* If no encoding available, fatal error */`
Packit	c4476c	`if (der == NULL)`
Packit	c4476c	`return 0;`
Packit	c4476c
Packit	c4476c	`/* Include length first */`
Packit	c4476c	`p = tmpbuf;`
Packit	c4476c	`l2n3(derlen, p);`
Packit	c4476c
Packit	c4476c	`if (!EVP_DigestUpdate(ctx, tmpbuf, 3))`
Packit	c4476c	`return 0;`
Packit	c4476c	`if (!EVP_DigestUpdate(ctx, der, derlen))`
Packit	c4476c	`return 0;`
Packit	c4476c
Packit	c4476c	`/* Add any extensions */`
Packit	c4476c	`p = tmpbuf;`
Packit	c4476c	`s2n(sct->ext_len, p);`
Packit	c4476c	`if (!EVP_DigestUpdate(ctx, tmpbuf, 2))`
Packit	c4476c	`return 0;`
Packit	c4476c
Packit	c4476c	`if (sct->ext_len && !EVP_DigestUpdate(ctx, sct->ext, sct->ext_len))`
Packit	c4476c	`return 0;`
Packit	c4476c
Packit	c4476c	`return 1;`
Packit	c4476c	`}`
Packit	c4476c
Packit	c4476c	`int SCT_CTX_verify(const SCT_CTX sctx, const SCT sct)`
Packit	c4476c	`{`
Packit	c4476c	`EVP_MD_CTX *ctx = NULL;`
Packit	c4476c	`int ret = 0;`
Packit	c4476c
Packit	c4476c	`if (!SCT_is_complete(sct) \|\| sctx->pkey == NULL \|\|`
Packit	c4476c	`sct->entry_type == CT_LOG_ENTRY_TYPE_NOT_SET \|\|`
Packit	c4476c	`(sct->entry_type == CT_LOG_ENTRY_TYPE_PRECERT && sctx->ihash == NULL)) {`
Packit	c4476c	`CTerr(CT_F_SCT_CTX_VERIFY, CT_R_SCT_NOT_SET);`
Packit	c4476c	`return 0;`
Packit	c4476c	`}`
Packit	c4476c	`if (sct->version != SCT_VERSION_V1) {`
Packit	c4476c	`CTerr(CT_F_SCT_CTX_VERIFY, CT_R_SCT_UNSUPPORTED_VERSION);`
Packit	c4476c	`return 0;`
Packit	c4476c	`}`
Packit	c4476c	`if (sct->log_id_len != sctx->pkeyhashlen \|\|`
Packit	c4476c	`memcmp(sct->log_id, sctx->pkeyhash, sctx->pkeyhashlen) != 0) {`
Packit	c4476c	`CTerr(CT_F_SCT_CTX_VERIFY, CT_R_SCT_LOG_ID_MISMATCH);`
Packit	c4476c	`return 0;`
Packit	c4476c	`}`
Packit	c4476c	`if (sct->timestamp > sctx->epoch_time_in_ms) {`
Packit	c4476c	`CTerr(CT_F_SCT_CTX_VERIFY, CT_R_SCT_FUTURE_TIMESTAMP);`
Packit	c4476c	`return 0;`
Packit	c4476c	`}`
Packit	c4476c
Packit	c4476c	`ctx = EVP_MD_CTX_new();`
Packit	c4476c	`if (ctx == NULL)`
Packit	c4476c	`goto end;`
Packit	c4476c
Packit	c4476c	`if (!EVP_DigestVerifyInit(ctx, NULL, EVP_sha256(), NULL, sctx->pkey))`
Packit	c4476c	`goto end;`
Packit	c4476c
Packit	c4476c	`if (!sct_ctx_update(ctx, sctx, sct))`
Packit	c4476c	`goto end;`
Packit	c4476c
Packit	c4476c	`/* Verify signature */`
Packit	c4476c	`ret = EVP_DigestVerifyFinal(ctx, sct->sig, sct->sig_len);`
Packit	c4476c	`/* If ret < 0 some other error: fall through without setting error */`
Packit	c4476c	`if (ret == 0)`
Packit	c4476c	`CTerr(CT_F_SCT_CTX_VERIFY, CT_R_SCT_INVALID_SIGNATURE);`
Packit	c4476c
Packit	c4476c	`end:`
Packit	c4476c	`EVP_MD_CTX_free(ctx);`
Packit	c4476c	`return ret;`
Packit	c4476c	`}`

source-git / openssl

Source Code

Blame crypto/ct/ct_vfy.c