Internalizes SCT_verify and removes SCT_verify_v1

SCT_verify is impossible to call through the public API (SCT_CTX_new() is not part of the public API), so rename it to SCT_CTX_verify and move it out of the public API. SCT_verify_v1 is redundant, since SCT_validate does the same verification (by calling SCT_verify) and more. The API is less confusing with a single verification function (SCT_validate). Reviewed-by: Rich Salz <rsalz@openssl.org> Reviewed-by: Matt Caswell <matt@openssl.org>
2024-11-27 05:21:51 +08:00 · 2016-08-23 12:52:43 +01:00 · 2016-08-23 12:52:43 +01:00 · cdb2a60347
commit cdb2a60347
parent 5579eab9ef
6 changed files with 15 additions and 61 deletions
--- a/crypto/ct/ct_err.c
+++ b/crypto/ct/ct_err.c
@ -45,8 +45,7 @@ static ERR_STRING_DATA CT_str_functs[] = {
    {ERR_FUNC(CT_F_SCT_SET_LOG_ENTRY_TYPE), "SCT_set_log_entry_type"},
    {ERR_FUNC(CT_F_SCT_SET_SIGNATURE_NID), "SCT_set_signature_nid"},
    {ERR_FUNC(CT_F_SCT_SET_VERSION), "SCT_set_version"},
-    {ERR_FUNC(CT_F_SCT_VERIFY), "SCT_verify"},
-    {ERR_FUNC(CT_F_SCT_VERIFY_V1), "SCT_verify_v1"},
+    {ERR_FUNC(CT_F_SCT_CTX_VERIFY), "SCT_CTX_verify"},
    {0, NULL}
 };

--- a/crypto/ct/ct_locl.h
+++ b/crypto/ct/ct_locl.h
@ -150,6 +150,13 @@ __owur int SCT_CTX_set1_issuer_pubkey(SCT_CTX *sctx, X509_PUBKEY *pubkey);
 */
 __owur int SCT_CTX_set1_pubkey(SCT_CTX *sctx, X509_PUBKEY *pubkey);

+/*
+ * Verifies an SCT with the given context.
+ * Returns 1 if the SCT verifies successfully; any other value indicates
+ * failure. See EVP_DigestVerifyFinal() for the meaning of those values.
+ */
+__owur int SCT_CTX_verify(const SCT_CTX *sctx, const SCT *sct);
+
 /*
 * Does this SCT have the minimum fields populated to be usable?
 * Returns 1 if so, 0 otherwise.
--- a/crypto/ct/ct_sct.c
+++ b/crypto/ct/ct_sct.c
@ -349,7 +349,7 @@ int SCT_validate(SCT *sct, const CT_POLICY_EVAL_CTX *ctx)
    if (SCT_CTX_set1_cert(sctx, ctx->cert, NULL) != 1)
        sct->validation_status = SCT_VALIDATION_STATUS_UNVERIFIED;
    else
-        sct->validation_status = SCT_verify(sctx, sct) == 1 ?
+        sct->validation_status = SCT_CTX_verify(sctx, sct) == 1 ?
            SCT_VALIDATION_STATUS_VALID : SCT_VALIDATION_STATUS_INVALID;

 end:
--- a/crypto/ct/ct_vfy.c
+++ b/crypto/ct/ct_vfy.c
@ -93,7 +93,7 @@ static int sct_ctx_update(EVP_MD_CTX *ctx, const SCT_CTX *sctx, const SCT *sct)
    return 1;
 }

-int SCT_verify(const SCT_CTX *sctx, const SCT *sct)
+int SCT_CTX_verify(const SCT_CTX *sctx, const SCT *sct)
 {
    EVP_MD_CTX *ctx = NULL;
    int ret = 0;
@ -101,16 +101,16 @@ int SCT_verify(const SCT_CTX *sctx, const SCT *sct)
    if (!SCT_is_complete(sct) || sctx->pkey == NULL ||
        sct->entry_type == CT_LOG_ENTRY_TYPE_NOT_SET ||
        (sct->entry_type == CT_LOG_ENTRY_TYPE_PRECERT && sctx->ihash == NULL)) {
-        CTerr(CT_F_SCT_VERIFY, CT_R_SCT_NOT_SET);
+        CTerr(CT_F_SCT_CTX_VERIFY, CT_R_SCT_NOT_SET);
        return 0;
    }
    if (sct->version != SCT_VERSION_V1) {
-        CTerr(CT_F_SCT_VERIFY, CT_R_SCT_UNSUPPORTED_VERSION);
+        CTerr(CT_F_SCT_CTX_VERIFY, CT_R_SCT_UNSUPPORTED_VERSION);
        return 0;
    }
    if (sct->log_id_len != sctx->pkeyhashlen ||
        memcmp(sct->log_id, sctx->pkeyhash, sctx->pkeyhashlen) != 0) {
-        CTerr(CT_F_SCT_VERIFY, CT_R_SCT_LOG_ID_MISMATCH);
+        CTerr(CT_F_SCT_CTX_VERIFY, CT_R_SCT_LOG_ID_MISMATCH);
        return 0;
    }

@ -128,45 +128,9 @@ int SCT_verify(const SCT_CTX *sctx, const SCT *sct)
    ret = EVP_DigestVerifyFinal(ctx, sct->sig, sct->sig_len);
    /* If ret < 0 some other error: fall through without setting error */
    if (ret == 0)
-        CTerr(CT_F_SCT_VERIFY, CT_R_SCT_INVALID_SIGNATURE);
+        CTerr(CT_F_SCT_CTX_VERIFY, CT_R_SCT_INVALID_SIGNATURE);

 end:
    EVP_MD_CTX_free(ctx);
    return ret;
 }
-
-int SCT_verify_v1(SCT *sct, X509 *cert, X509 *preissuer,
-                  X509_PUBKEY *log_pubkey, X509 *issuer_cert)
-{
-    int ret = 0;
-    SCT_CTX *sctx = NULL;
-
-    if (!SCT_is_complete(sct)) {
-        CTerr(CT_F_SCT_VERIFY_V1, CT_R_SCT_NOT_SET);
-        return 0;
-    }
-
-    if (sct->version != 0) {
-        CTerr(CT_F_SCT_VERIFY_V1, CT_R_SCT_UNSUPPORTED_VERSION);
-        return 0;
-    }
-
-    sctx = SCT_CTX_new();
-    if (sctx == NULL)
-        goto done;
-
-    if (!SCT_CTX_set1_pubkey(sctx, log_pubkey))
-        goto done;
-
-    if (!SCT_CTX_set1_cert(sctx, cert, preissuer))
-        goto done;
-
-    if (sct->entry_type == CT_LOG_ENTRY_TYPE_PRECERT &&
-        !SCT_CTX_set1_issuer(sctx, issuer_cert))
-        goto done;
-
-    ret = SCT_verify(sctx, sct);
-done:
-    SCT_CTX_free(sctx);
-    return ret;
-}
--- a/include/openssl/ct.h
+++ b/include/openssl/ct.h
@ -270,19 +270,6 @@ void SCT_print(const SCT *sct, BIO *out, int indent, const CTLOG_STORE *logs);
 void SCT_LIST_print(const STACK_OF(SCT) *sct_list, BIO *out, int indent,
                    const char *separator, const CTLOG_STORE *logs);

-/*
- * Verifies an SCT with the given context.
- * Returns 1 if the SCT verifies successfully, 0 otherwise.
- */
-__owur int SCT_verify(const SCT_CTX *sctx, const SCT *sct);
-
-/*
- * Verifies an SCT against the provided data.
- * Returns 1 if the SCT verifies successfully, 0 otherwise.
- */
-__owur int SCT_verify_v1(SCT *sct, X509 *cert, X509 *preissuer,
-                  X509_PUBKEY *log_pubkey, X509 *issuer_cert);
-
 /*
 * Gets the last result of validating this SCT.
 * If it has not been validated yet, returns SCT_VALIDATION_STATUS_NOT_SET.
@ -518,8 +505,7 @@ int ERR_load_CT_strings(void);
 # define CT_F_SCT_SET_LOG_ENTRY_TYPE                      102
 # define CT_F_SCT_SET_SIGNATURE_NID                       103
 # define CT_F_SCT_SET_VERSION                             104
-# define CT_F_SCT_VERIFY                                  128
-# define CT_F_SCT_VERIFY_V1                               129
+# define CT_F_SCT_CTX_VERIFY                              128

 /* Reason codes. */
 # define CT_R_BASE64_DECODE_ERROR                         108
--- a/util/libcrypto.num
+++ b/util/libcrypto.num
@ -570,7 +570,6 @@ CRYPTO_cts128_encrypt_block             569	1_1_0	EXIST::FUNCTION:
 ASN1_digest                             570	1_1_0	EXIST::FUNCTION:
 ERR_load_X509V3_strings                 571	1_1_0	EXIST::FUNCTION:
 EVP_PKEY_meth_get_cleanup               572	1_1_0	EXIST::FUNCTION:
-SCT_verify                              573	1_1_0	EXIST::FUNCTION:CT
 d2i_X509                                574	1_1_0	EXIST::FUNCTION:
 a2i_ASN1_STRING                         575	1_1_0	EXIST::FUNCTION:
 EC_GROUP_get_mont_data                  576	1_1_0	EXIST::FUNCTION:EC
@ -596,7 +595,6 @@ RAND_query_egd_bytes                    596	1_1_0	EXIST::FUNCTION:EGD
 i2d_ASN1_PRINTABLE                      597	1_1_0	EXIST::FUNCTION:
 ENGINE_cmd_is_executable                598	1_1_0	EXIST::FUNCTION:ENGINE
 BIO_puts                                599	1_1_0	EXIST::FUNCTION:
-SCT_verify_v1                           600	1_1_0	EXIST::FUNCTION:CT
 RSAPublicKey_it                         601	1_1_0	EXIST:!EXPORT_VAR_AS_FUNCTION:VARIABLE:RSA
 RSAPublicKey_it                         601	1_1_0	EXIST:EXPORT_VAR_AS_FUNCTION:FUNCTION:RSA
 ISSUING_DIST_POINT_new                  602	1_1_0	EXIST::FUNCTION: