search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
OpenSSL: update to 1.0.2a
[tomato.git] / release / src / router / openssl / crypto / x509v3 / v3_scts.c
blob9a4c3eba0bdd5fcc0e414d8ad211ef93bf97a466
1 /* v3_scts.c */
2 /*
3 * Written by Rob Stradling (rob@comodo.com) for the OpenSSL project 2014.
4 */
5 /* ====================================================================
6 * Copyright (c) 2014 The OpenSSL Project. All rights reserved.
7 *
8 * Redistribution and use in source and binary forms, with or without
9 * modification, are permitted provided that the following conditions
10 * are met:
11 *
12 * 1. Redistributions of source code must retain the above copyright
13 * notice, this list of conditions and the following disclaimer.
14 *
15 * 2. Redistributions in binary form must reproduce the above copyright
16 * notice, this list of conditions and the following disclaimer in
17 * the documentation and/or other materials provided with the
18 * distribution.
19 *
20 * 3. All advertising materials mentioning features or use of this
21 * software must display the following acknowledgment:
22 * "This product includes software developed by the OpenSSL Project
23 * for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
24 *
25 * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
26 * endorse or promote products derived from this software without
27 * prior written permission. For written permission, please contact
28 * licensing@OpenSSL.org.
29 *
30 * 5. Products derived from this software may not be called "OpenSSL"
31 * nor may "OpenSSL" appear in their names without prior written
32 * permission of the OpenSSL Project.
33 *
34 * 6. Redistributions of any form whatsoever must retain the following
35 * acknowledgment:
36 * "This product includes software developed by the OpenSSL Project
37 * for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
38 *
39 * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
40 * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
41 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
42 * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
43 * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
44 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
45 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
46 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
47 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
48 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
49 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
50 * OF THE POSSIBILITY OF SUCH DAMAGE.
51 * ====================================================================
52 *
53 * This product includes cryptographic software written by Eric Young
54 * (eay@cryptsoft.com). This product includes software written by Tim
55 * Hudson (tjh@cryptsoft.com).
56 *
57 */
58
59 #include <stdio.h>
60 #include "cryptlib.h"
61 #include <openssl/asn1.h>
62 #include <openssl/x509v3.h>
63 #include "../ssl/ssl_locl.h"
64
65 #if (defined(_WIN32) || defined(_WIN64)) && !defined(__MINGW32__)
66 # define SCT_TIMESTAMP unsigned __int64
67 #elif defined(__arch64__)
68 # define SCT_TIMESTAMP unsigned long
69 #else
70 # define SCT_TIMESTAMP unsigned long long
71 #endif
72
73 #define n2l8(c,l) (l =((SCT_TIMESTAMP)(*((c)++)))<<56, \
74 l|=((SCT_TIMESTAMP)(*((c)++)))<<48, \
75 l|=((SCT_TIMESTAMP)(*((c)++)))<<40, \
76 l|=((SCT_TIMESTAMP)(*((c)++)))<<32, \
77 l|=((SCT_TIMESTAMP)(*((c)++)))<<24, \
78 l|=((SCT_TIMESTAMP)(*((c)++)))<<16, \
79 l|=((SCT_TIMESTAMP)(*((c)++)))<< 8, \
80 l|=((SCT_TIMESTAMP)(*((c)++))))
81
82 typedef struct SCT_st {
83 /* The encoded SCT */
84 unsigned char *sct;
85 unsigned short sctlen;
86 /*
87 * Components of the SCT. "logid", "ext" and "sig" point to addresses
88 * inside "sct".
89 */
90 unsigned char version;
91 unsigned char *logid;
92 unsigned short logidlen;
93 SCT_TIMESTAMP timestamp;
94 unsigned char *ext;
95 unsigned short extlen;
96 unsigned char hash_alg;
97 unsigned char sig_alg;
98 unsigned char *sig;
99 unsigned short siglen;
100 } SCT;
101
102 DECLARE_STACK_OF(SCT)
103
104 static void SCT_LIST_free(STACK_OF(SCT) *a);
105 static STACK_OF(SCT) *d2i_SCT_LIST(STACK_OF(SCT) **a,
106 const unsigned char **pp, long length);
107 static int i2r_SCT_LIST(X509V3_EXT_METHOD *method, STACK_OF(SCT) *sct_list,
108 BIO *out, int indent);
109
110 const X509V3_EXT_METHOD v3_ct_scts[] = {
111 {NID_ct_precert_scts, 0, NULL,
112 0, (X509V3_EXT_FREE)SCT_LIST_free,
113 (X509V3_EXT_D2I)d2i_SCT_LIST, 0,
114 0, 0, 0, 0,
115 (X509V3_EXT_I2R)i2r_SCT_LIST, 0,
116 NULL},
117
118 {NID_ct_cert_scts, 0, NULL,
119 0, (X509V3_EXT_FREE)SCT_LIST_free,
120 (X509V3_EXT_D2I)d2i_SCT_LIST, 0,
121 0, 0, 0, 0,
122 (X509V3_EXT_I2R)i2r_SCT_LIST, 0,
123 NULL},
124 };
125
126 static void tls12_signature_print(BIO *out, const unsigned char hash_alg,
127 const unsigned char sig_alg)
128 {
129 int nid = NID_undef;
130 /* RFC6962 only permits two signature algorithms */
131 if (hash_alg == TLSEXT_hash_sha256) {
132 if (sig_alg == TLSEXT_signature_rsa)
133 nid = NID_sha256WithRSAEncryption;
134 else if (sig_alg == TLSEXT_signature_ecdsa)
135 nid = NID_ecdsa_with_SHA256;
136 }
137 if (nid == NID_undef)
138 BIO_printf(out, "%02X%02X", hash_alg, sig_alg);
139 else
140 BIO_printf(out, "%s", OBJ_nid2ln(nid));
141 }
142
143 static void timestamp_print(BIO *out, SCT_TIMESTAMP timestamp)
144 {
145 ASN1_GENERALIZEDTIME *gen;
146 char genstr[20];
147 gen = ASN1_GENERALIZEDTIME_new();
148 ASN1_GENERALIZEDTIME_adj(gen, (time_t)0,
149 (int)(timestamp / 86400000),
150 (timestamp % 86400000) / 1000);
151 /*
152 * Note GeneralizedTime from ASN1_GENERALIZETIME_adj is always 15
153 * characters long with a final Z. Update it with fractional seconds.
154 */
155 BIO_snprintf(genstr, sizeof(genstr), "%.14s.%03dZ",
156 ASN1_STRING_data(gen), (unsigned int)(timestamp % 1000));
157 ASN1_GENERALIZEDTIME_set_string(gen, genstr);
158 ASN1_GENERALIZEDTIME_print(out, gen);
159 ASN1_GENERALIZEDTIME_free(gen);
160 }
161
162 static void SCT_free(SCT *sct)
163 {
164 if (sct) {
165 if (sct->sct)
166 OPENSSL_free(sct->sct);
167 OPENSSL_free(sct);
168 }
169 }
170
171 static void SCT_LIST_free(STACK_OF(SCT) *a)
172 {
173 sk_SCT_pop_free(a, SCT_free);
174 }
175
176 static STACK_OF(SCT) *d2i_SCT_LIST(STACK_OF(SCT) **a,
177 const unsigned char **pp, long length)
178 {
179 ASN1_OCTET_STRING *oct = NULL;
180 STACK_OF(SCT) *sk = NULL;
181 SCT *sct;
182 unsigned char *p, *p2;
183 unsigned short listlen, sctlen = 0, fieldlen;
184
185 if (d2i_ASN1_OCTET_STRING(&oct, pp, length) == NULL)
186 return NULL;
187 if (oct->length < 2)
188 goto done;
189 p = oct->data;
190 n2s(p, listlen);
191 if (listlen != oct->length - 2)
192 goto done;
193
194 if ((sk = sk_SCT_new_null()) == NULL)
195 goto done;
196
197 while (listlen > 0) {
198 if (listlen < 2)
199 goto err;
200 n2s(p, sctlen);
201 listlen -= 2;
202
203 if ((sctlen < 1) || (sctlen > listlen))
204 goto err;
205 listlen -= sctlen;
206
207 sct = OPENSSL_malloc(sizeof(SCT));
208 if (!sct)
209 goto err;
210 if (!sk_SCT_push(sk, sct)) {
211 OPENSSL_free(sct);
212 goto err;
213 }
214
215 sct->sct = OPENSSL_malloc(sctlen);
216 if (!sct->sct)
217 goto err;
218 memcpy(sct->sct, p, sctlen);
219 sct->sctlen = sctlen;
220 p += sctlen;
221 p2 = sct->sct;
222
223 sct->version = *p2++;
224 if (sct->version == 0) { /* SCT v1 */
225 /*-
226 * Fixed-length header:
227 * struct {
228 * (1 byte) Version sct_version;
229 * (32 bytes) LogID id;
230 * (8 bytes) uint64 timestamp;
231 * (2 bytes + ?) CtExtensions extensions;
232 */
233 if (sctlen < 43)
234 goto err;
235 sctlen -= 43;
236
237 sct->logid = p2;
238 sct->logidlen = 32;
239 p2 += 32;
240
241 n2l8(p2, sct->timestamp);
242
243 n2s(p2, fieldlen);
244 if (sctlen < fieldlen)
245 goto err;
246 sct->ext = p2;
247 sct->extlen = fieldlen;
248 p2 += fieldlen;
249 sctlen -= fieldlen;
250
251 /*-
252 * digitally-signed struct header:
253 * (1 byte) Hash algorithm
254 * (1 byte) Signature algorithm
255 * (2 bytes + ?) Signature
256 */
257 if (sctlen < 4)
258 goto err;
259 sctlen -= 4;
260
261 sct->hash_alg = *p2++;
262 sct->sig_alg = *p2++;
263 n2s(p2, fieldlen);
264 if (sctlen != fieldlen)
265 goto err;
266 sct->sig = p2;
267 sct->siglen = fieldlen;
268 }
269 }
270
271 done:
272 ASN1_OCTET_STRING_free(oct);
273 return sk;
274
275 err:
276 SCT_LIST_free(sk);
277 sk = NULL;
278 goto done;
279 }
280
281 static int i2r_SCT_LIST(X509V3_EXT_METHOD *method, STACK_OF(SCT) *sct_list,
282 BIO *out, int indent)
283 {
284 SCT *sct;
285 int i;
286
287 for (i = 0; i < sk_SCT_num(sct_list);) {
288 sct = sk_SCT_value(sct_list, i);
289
290 BIO_printf(out, "%*sSigned Certificate Timestamp:", indent, "");
291 BIO_printf(out, "\n%*sVersion : ", indent + 4, "");
292
293 if (sct->version == 0) { /* SCT v1 */
294 BIO_printf(out, "v1(0)");
295
296 BIO_printf(out, "\n%*sLog ID : ", indent + 4, "");
297 BIO_hex_string(out, indent + 16, 16, sct->logid, sct->logidlen);
298
299 BIO_printf(out, "\n%*sTimestamp : ", indent + 4, "");
300 timestamp_print(out, sct->timestamp);
301
302 BIO_printf(out, "\n%*sExtensions: ", indent + 4, "");
303 if (sct->extlen == 0)
304 BIO_printf(out, "none");
305 else
306 BIO_hex_string(out, indent + 16, 16, sct->ext, sct->extlen);
307
308 BIO_printf(out, "\n%*sSignature : ", indent + 4, "");
309 tls12_signature_print(out, sct->hash_alg, sct->sig_alg);
310 BIO_printf(out, "\n%*s ", indent + 4, "");
311 BIO_hex_string(out, indent + 16, 16, sct->sig, sct->siglen);
312 } else { /* Unknown version */
313
314 BIO_printf(out, "unknown\n%*s", indent + 16, "");
315 BIO_hex_string(out, indent + 16, 16, sct->sct, sct->sctlen);
316 }
317
318 if (++i < sk_SCT_num(sct_list))
319 BIO_printf(out, "\n");
320 }
321
322 return 1;
323 }
Tomato firmware and modifications.