generic-library/openssl
1
0
Fork 0
Code Issues Pull Requests Releases Wiki Activity

Merge branch 'sct-viewer-master' of https://github.com/robstradling/openssl into sct-viewer

Browse Source
This commit is contained in:
Ben Laurie 2014-02-19 17:17:14 +00:00
commit 765e9ba911
13 changed files with 233 additions and 7 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
apps/ocsp.c
View File

@ -174,6 +174,7 @@ int MAIN(int argc, char **argv)
goto end; goto end;
SSL_load_error_strings(); SSL_load_error_strings();
OpenSSL_add_ssl_algorithms(); OpenSSL_add_ssl_algorithms();
X509V3_EXT_add_rfc6962();
args = argv + 1; args = argv + 1;
reqnames = sk_OPENSSL_STRING_new_null(); reqnames = sk_OPENSSL_STRING_new_null();
ids = sk_OCSP_CERTID_new_null(); ids = sk_OCSP_CERTID_new_null();
@ -970,6 +971,7 @@ end:
OPENSSL_free(path); OPENSSL_free(path);
} }
X509V3_EXT_cleanup();
OPENSSL_EXIT(ret); OPENSSL_EXIT(ret);
} }

3
apps/s_client.c
View File

@ -713,6 +713,8 @@ static char *jpake_secret = NULL;
c_msg=0; c_msg=0;
c_showcerts=0; c_showcerts=0;
X509V3_EXT_add_rfc6962();
if (bio_err == NULL) if (bio_err == NULL)
bio_err=BIO_new_fp(stderr,BIO_NOCLOSE); bio_err=BIO_new_fp(stderr,BIO_NOCLOSE);
@ -2193,6 +2195,7 @@ end:
BIO_free(bio_c_msg); BIO_free(bio_c_msg);
bio_c_msg=NULL; bio_c_msg=NULL;
} }
X509V3_EXT_cleanup();
apps_shutdown(); apps_shutdown();
OPENSSL_EXIT(ret); OPENSSL_EXIT(ret);
} }

4
apps/x509.c
View File

@ -73,6 +73,7 @@
#include <openssl/x509v3.h> #include <openssl/x509v3.h>
#include <openssl/objects.h> #include <openssl/objects.h>
#include <openssl/pem.h> #include <openssl/pem.h>
#include <openssl/ssl.h>
#ifndef OPENSSL_NO_RSA #ifndef OPENSSL_NO_RSA
#include <openssl/rsa.h> #include <openssl/rsa.h>
#endif #endif
@ -224,6 +225,8 @@ int MAIN(int argc, char **argv)
apps_startup(); apps_startup();
X509V3_EXT_add_rfc6962();
if (bio_err == NULL) if (bio_err == NULL)
bio_err=BIO_new_fp(stderr,BIO_NOCLOSE); bio_err=BIO_new_fp(stderr,BIO_NOCLOSE);
@ -1155,6 +1158,7 @@ end:
sk_ASN1_OBJECT_pop_free(trust, ASN1_OBJECT_free); sk_ASN1_OBJECT_pop_free(trust, ASN1_OBJECT_free);
sk_ASN1_OBJECT_pop_free(reject, ASN1_OBJECT_free); sk_ASN1_OBJECT_pop_free(reject, ASN1_OBJECT_free);
if (passin) OPENSSL_free(passin); if (passin) OPENSSL_free(passin);
X509V3_EXT_cleanup();
apps_shutdown(); apps_shutdown();
OPENSSL_EXIT(ret); OPENSSL_EXIT(ret);
} }

4
crypto/Makefile
View File

@ -44,8 +44,8 @@ LIBOBJ= cryptlib.o mem.o mem_dbg.o cversion.o ex_data.o cpt_err.o \
SRC= $(LIBSRC) SRC= $(LIBSRC)
EXHEADER= crypto.h opensslv.h opensslconf.h ebcdic.h symhacks.h \ EXHEADER= crypto.h opensslv.h opensslconf.h ebcdic.h symhacks.h \
ossl_typ.h ossl_typ.h o_time.h
HEADER= cryptlib.h buildinf.h md32_common.h o_time.h o_str.h o_dir.h $(EXHEADER) HEADER= cryptlib.h buildinf.h md32_common.h o_str.h o_dir.h $(EXHEADER)
ALL= $(GENERAL) $(SRC) $(HEADER) ALL= $(GENERAL) $(SRC) $(HEADER)

22
crypto/bio/b_dump.c
View File

@ -185,3 +185,25 @@ int BIO_dump_indent(BIO *bp, const char *s, int len, int indent)
return BIO_dump_indent_cb(write_bio, bp, s, len, indent); return BIO_dump_indent_cb(write_bio, bp, s, len, indent);
} }
int BIO_hex_string(BIO *out, int indent, int width, unsigned char *data,
int datalen)
{
int i, j = 0;
if (datalen < 1)
return 1;
for (i = 0; i < datalen - 1; i++)
{
if (i && !j) BIO_printf(out, "%*s", indent, "");
BIO_printf(out, "%02X:", data[i]);
j = (j + 1) % width;
if (!j) BIO_printf(out, "\n");
}
if (i && !j) BIO_printf(out, "%*s", indent, "");
BIO_printf(out, "%02X", data[datalen - 1]);
return 1;
}

3
crypto/bio/bio.h
View File

@ -707,6 +707,9 @@ int BIO_dump_indent(BIO *b,const char *bytes,int len,int indent);
int BIO_dump_fp(FILE *fp, const char *s, int len); int BIO_dump_fp(FILE *fp, const char *s, int len);
int BIO_dump_indent_fp(FILE *fp, const char *s, int len, int indent); int BIO_dump_indent_fp(FILE *fp, const char *s, int len, int indent);
#endif #endif
int BIO_hex_string(BIO *out, int indent, int width, unsigned char *data,
int datalen);
struct hostent *BIO_gethostbyname(const char *name); struct hostent *BIO_gethostbyname(const char *name);
/* We might want a thread-safe interface too: /* We might want a thread-safe interface too:
* struct hostent *BIO_gethostbyname_r(const char *name, * struct hostent *BIO_gethostbyname_r(const char *name,

34
crypto/objects/obj_dat.h
View File

@ -62,12 +62,12 @@
* [including the GNU Public Licence.] * [including the GNU Public Licence.]
*/ */
#define NUM_NID 951 #define NUM_NID 955
#define NUM_SN 944 #define NUM_SN 948
#define NUM_LN 944 #define NUM_LN 948
#define NUM_OBJ 883 #define NUM_OBJ 887
static const unsigned char lvalues[6188]={ static const unsigned char lvalues[6228]={
0x00, /* [ 0] OBJ_undef */ 0x00, /* [ 0] OBJ_undef */
0x2A,0x86,0x48,0x86,0xF7,0x0D, /* [ 1] OBJ_rsadsi */ 0x2A,0x86,0x48,0x86,0xF7,0x0D, /* [ 1] OBJ_rsadsi */
0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01, /* [ 7] OBJ_pkcs */ 0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01, /* [ 7] OBJ_pkcs */
@ -951,6 +951,10 @@ static const unsigned char lvalues[6188]={
0x2B,0x81,0x04,0x01,0x0E,0x01, /* [6169] OBJ_dhSinglePass_cofactorDH_sha256kdf_scheme */ 0x2B,0x81,0x04,0x01,0x0E,0x01, /* [6169] OBJ_dhSinglePass_cofactorDH_sha256kdf_scheme */
0x2B,0x81,0x04,0x01,0x0E,0x02, /* [6175] OBJ_dhSinglePass_cofactorDH_sha384kdf_scheme */ 0x2B,0x81,0x04,0x01,0x0E,0x02, /* [6175] OBJ_dhSinglePass_cofactorDH_sha384kdf_scheme */
0x2B,0x81,0x04,0x01,0x0E,0x03, /* [6181] OBJ_dhSinglePass_cofactorDH_sha512kdf_scheme */ 0x2B,0x81,0x04,0x01,0x0E,0x03, /* [6181] OBJ_dhSinglePass_cofactorDH_sha512kdf_scheme */
0x2B,0x06,0x01,0x04,0x01,0xD6,0x79,0x02,0x04,0x02,/* [6187] OBJ_ct_precert_scts */
0x2B,0x06,0x01,0x04,0x01,0xD6,0x79,0x02,0x04,0x03,/* [6197] OBJ_ct_precert_poison */
0x2B,0x06,0x01,0x04,0x01,0xD6,0x79,0x02,0x04,0x04,/* [6207] OBJ_ct_precert_signer */
0x2B,0x06,0x01,0x04,0x01,0xD6,0x79,0x02,0x04,0x05,/* [6217] OBJ_ct_cert_scts */
}; };
static const ASN1_OBJECT nid_objs[NUM_NID]={ static const ASN1_OBJECT nid_objs[NUM_NID]={
@ -2500,6 +2504,14 @@ static const ASN1_OBJECT nid_objs[NUM_NID]={
NID_aes_192_cbc_hmac_sha256,0,NULL,0}, NID_aes_192_cbc_hmac_sha256,0,NULL,0},
{"AES-256-CBC-HMAC-SHA256","aes-256-cbc-hmac-sha256", {"AES-256-CBC-HMAC-SHA256","aes-256-cbc-hmac-sha256",
NID_aes_256_cbc_hmac_sha256,0,NULL,0}, NID_aes_256_cbc_hmac_sha256,0,NULL,0},
{"ct_precert_scts","CT Precertificate SCTs",NID_ct_precert_scts,10,
&(lvalues[6187]),0},
{"ct_precert_poison","CT Precertificate Poison",NID_ct_precert_poison,
10,&(lvalues[6197]),0},
{"ct_precert_signer","CT Precertificate Signer",NID_ct_precert_signer,
10,&(lvalues[6207]),0},
{"ct_cert_scts","CT Certificate SCTs",NID_ct_cert_scts,10,
&(lvalues[6217]),0},
}; };
static const unsigned int sn_objs[NUM_SN]={ static const unsigned int sn_objs[NUM_SN]={
@ -2777,6 +2789,10 @@ static const unsigned int sn_objs[NUM_SN]={
884, /* "crossCertificatePair" */ 884, /* "crossCertificatePair" */
806, /* "cryptocom" */ 806, /* "cryptocom" */
805, /* "cryptopro" */ 805, /* "cryptopro" */
954, /* "ct_cert_scts" */
952, /* "ct_precert_poison" */
951, /* "ct_precert_scts" */
953, /* "ct_precert_signer" */
500, /* "dITRedirect" */ 500, /* "dITRedirect" */
451, /* "dNSDomain" */ 451, /* "dNSDomain" */
495, /* "dSAQuality" */ 495, /* "dSAQuality" */
@ -3460,6 +3476,10 @@ static const unsigned int ln_objs[NUM_LN]={
285, /* "Biometric Info" */ 285, /* "Biometric Info" */
179, /* "CA Issuers" */ 179, /* "CA Issuers" */
785, /* "CA Repository" */ 785, /* "CA Repository" */
954, /* "CT Certificate SCTs" */
952, /* "CT Precertificate Poison" */
951, /* "CT Precertificate SCTs" */
953, /* "CT Precertificate Signer" */
131, /* "Code Signing" */ 131, /* "Code Signing" */
783, /* "Diffie-Hellman based MAC" */ 783, /* "Diffie-Hellman based MAC" */
382, /* "Directory" */ 382, /* "Directory" */
@ -5202,6 +5222,10 @@ static const unsigned int obj_objs[NUM_OBJ]={
138, /* OBJ_ms_efs 1 3 6 1 4 1 311 10 3 4 */ 138, /* OBJ_ms_efs 1 3 6 1 4 1 311 10 3 4 */
648, /* OBJ_ms_smartcard_login 1 3 6 1 4 1 311 20 2 2 */ 648, /* OBJ_ms_smartcard_login 1 3 6 1 4 1 311 20 2 2 */
649, /* OBJ_ms_upn 1 3 6 1 4 1 311 20 2 3 */ 649, /* OBJ_ms_upn 1 3 6 1 4 1 311 20 2 3 */
951, /* OBJ_ct_precert_scts 1 3 6 1 4 1 11129 2 4 2 */
952, /* OBJ_ct_precert_poison 1 3 6 1 4 1 11129 2 4 3 */
953, /* OBJ_ct_precert_signer 1 3 6 1 4 1 11129 2 4 4 */
954, /* OBJ_ct_cert_scts 1 3 6 1 4 1 11129 2 4 5 */
751, /* OBJ_camellia_128_cbc 1 2 392 200011 61 1 1 1 2 */ 751, /* OBJ_camellia_128_cbc 1 2 392 200011 61 1 1 1 2 */
752, /* OBJ_camellia_192_cbc 1 2 392 200011 61 1 1 1 3 */ 752, /* OBJ_camellia_192_cbc 1 2 392 200011 61 1 1 1 3 */
753, /* OBJ_camellia_256_cbc 1 2 392 200011 61 1 1 1 4 */ 753, /* OBJ_camellia_256_cbc 1 2 392 200011 61 1 1 1 4 */

20
crypto/objects/obj_mac.h
View File

@ -4158,3 +4158,23 @@
#define SN_dh_cofactor_kdf "dh-cofactor-kdf" #define SN_dh_cofactor_kdf "dh-cofactor-kdf"
#define NID_dh_cofactor_kdf 947 #define NID_dh_cofactor_kdf 947
#define SN_ct_precert_scts "ct_precert_scts"
#define LN_ct_precert_scts "CT Precertificate SCTs"
#define NID_ct_precert_scts 951
#define OBJ_ct_precert_scts 1L,3L,6L,1L,4L,1L,11129L,2L,4L,2L
#define SN_ct_precert_poison "ct_precert_poison"
#define LN_ct_precert_poison "CT Precertificate Poison"
#define NID_ct_precert_poison 952
#define OBJ_ct_precert_poison 1L,3L,6L,1L,4L,1L,11129L,2L,4L,3L
#define SN_ct_precert_signer "ct_precert_signer"
#define LN_ct_precert_signer "CT Precertificate Signer"
#define NID_ct_precert_signer 953
#define OBJ_ct_precert_signer 1L,3L,6L,1L,4L,1L,11129L,2L,4L,4L
#define SN_ct_cert_scts "ct_cert_scts"
#define LN_ct_cert_scts "CT Certificate SCTs"
#define NID_ct_cert_scts 954
#define OBJ_ct_cert_scts 1L,3L,6L,1L,4L,1L,11129L,2L,4L,5L

4
crypto/objects/obj_mac.num
View File

@ -948,3 +948,7 @@ dh_cofactor_kdf 947
aes_128_cbc_hmac_sha256 948 aes_128_cbc_hmac_sha256 948
aes_192_cbc_hmac_sha256 949 aes_192_cbc_hmac_sha256 949
aes_256_cbc_hmac_sha256 950 aes_256_cbc_hmac_sha256 950
ct_precert_scts 951
ct_precert_poison 952
ct_precert_signer 953
ct_cert_scts 954

6
crypto/objects/objects.txt
View File

@ -1335,3 +1335,9 @@ secg-scheme 14 3 : dhSinglePass-cofactorDH-sha512kdf-scheme
# NIDs for use with lookup tables. # NIDs for use with lookup tables.
: dh-std-kdf : dh-std-kdf
: dh-cofactor-kdf : dh-cofactor-kdf
# RFC 6962 Extension OIDs (see http://www.ietf.org/rfc/rfc6962.txt)
1 3 6 1 4 1 11129 2 4 2 : ct_precert_scts : CT Precertificate SCTs
1 3 6 1 4 1 11129 2 4 3 : ct_precert_poison : CT Precertificate Poison
1 3 6 1 4 1 11129 2 4 4 : ct_precert_signer : CT Precertificate Signer
1 3 6 1 4 1 11129 2 4 5 : ct_cert_scts : CT Certificate SCTs

3
ssl/ssl.h
View File

@ -2557,6 +2557,9 @@ void SSL_trace(int write_p, int version, int content_type,
const char *SSL_CIPHER_standard_name(const SSL_CIPHER *c); const char *SSL_CIPHER_standard_name(const SSL_CIPHER *c);
#endif #endif
/* RFC6962 Signed Certificate Timestamp List X.509 extension parser */
int X509V3_EXT_add_rfc6962(void);
/* BEGIN ERROR CODES */ /* BEGIN ERROR CODES */
/* The following lines are auto generated by the script mkerr.pl. Any changes /* The following lines are auto generated by the script mkerr.pl. Any changes
* made after this point may be overwritten when the script is next run. * made after this point may be overwritten when the script is next run.

9
ssl/ssl_locl.h
View File

@ -231,6 +231,15 @@
l|=((BN_ULLONG)(*((c)++)))<< 8, \ l|=((BN_ULLONG)(*((c)++)))<< 8, \
l|=((BN_ULLONG)(*((c)++)))) l|=((BN_ULLONG)(*((c)++))))
#define n2l8(c,l) (l =((BN_ULLONG)(*((c)++)))<<56, \
l|=((BN_ULLONG)(*((c)++)))<<48, \
l|=((BN_ULLONG)(*((c)++)))<<40, \
l|=((BN_ULLONG)(*((c)++)))<<32, \
l|=((BN_ULLONG)(*((c)++)))<<24, \
l|=((BN_ULLONG)(*((c)++)))<<16, \
l|=((BN_ULLONG)(*((c)++)))<< 8, \
l|=((BN_ULLONG)(*((c)++))))
/* NOTE - c is not incremented as per l2c */ /* NOTE - c is not incremented as per l2c */
#define l2cn(l1,l2,c,n) { \ #define l2cn(l1,l2,c,n) { \
c+=n; \ c+=n; \

126
ssl/t1_lib.c
View File

@ -110,10 +110,13 @@
*/ */
#include <stdio.h> #include <stdio.h>
#include <time.h>
#include <openssl/bio.h>
#include <openssl/objects.h> #include <openssl/objects.h>
#include <openssl/evp.h> #include <openssl/evp.h>
#include <openssl/hmac.h> #include <openssl/hmac.h>
#include <openssl/ocsp.h> #include <openssl/ocsp.h>
#include <openssl/o_time.h>
#include <openssl/rand.h> #include <openssl/rand.h>
#include "ssl_locl.h" #include "ssl_locl.h"
@ -4432,3 +4435,126 @@ int SSL_check_chain(SSL *s, X509 *x, EVP_PKEY *pk, STACK_OF(X509) *chain)
} }
#endif #endif
/* RFC6962 Signed Certificate Timestamp List X.509 extension parser */
int i2r_sctlist(X509V3_EXT_METHOD *method, ASN1_OCTET_STRING *oct,
BIO *out, int indent)
{
BN_ULLONG timestamp;
struct tm tm1;
time_t unix_epoch = 0;
unsigned char* data = oct->data;
char month[4];
unsigned short listlen, sctlen = 0, fieldlen;
int signhash_nid;
if (oct->length < 2)
return 0;
n2s(data, listlen);
if (listlen != oct->length - 2)
return 0;
while (listlen > 0)
{
if (listlen < 2)
return 0;
n2s(data, sctlen);
listlen -= 2;
if ((sctlen < 1) || (sctlen > listlen))
return 0;
listlen -= sctlen;
BIO_printf(out, "%*sSigned Certificate Timestamp:", indent,
"");
if (*data == 0) /* SCT v1 */
{
/* Fixed-length header:
* struct {
* (1 byte) Version sct_version;
* (32 bytes) LogID id;
* (8 bytes) uint64 timestamp;
* (2 bytes + ?) CtExtensions extensions;
*/
if (sctlen < 43)
return 0;
sctlen -= 43;
BIO_printf(out, "\n%*sVersion : v1(0)", indent + 4,
"");
BIO_printf(out, "\n%*sLog ID : ", indent + 4, "");
BIO_hex_string(out, indent + 16, 16, data + 1, 32);
data += 33;
n2l8(data, timestamp);
OPENSSL_gmtime(&unix_epoch, &tm1);
OPENSSL_gmtime_adj(&tm1, timestamp / 86400000,
(timestamp % 86400000) / 1000);
strftime(month, 4, "%b", &tm1);
BIO_printf(out, "\n%*sTimestamp : ", indent + 4, "");
BIO_printf(out, "%s %2d %02d:%02d:%02d.%03u %d UTC",
month, tm1.tm_mday, tm1.tm_hour,
tm1.tm_min, tm1.tm_sec,
(unsigned int)(timestamp % 1000),
tm1.tm_year + 1900);
n2s(data, fieldlen);
if (sctlen < fieldlen)
return 0;
sctlen -= fieldlen;
BIO_printf(out, "\n%*sExtensions: ", indent + 4, "");
if (fieldlen == 0)
BIO_printf(out, "none");
else
BIO_hex_string(out, indent + 16, 16, data,
fieldlen);
data += fieldlen;
/* digitally-signed struct header:
* (1 byte) Hash algorithm
* (1 byte) Signature algorithm
* (2 bytes + ?) Signature
*/
if (sctlen < 4)
return 0;
sctlen -= 4;
tls1_lookup_sigalg(NULL, NULL, &signhash_nid, data);
data += 2;
n2s(data, fieldlen);
if (sctlen != fieldlen)
return 0;
BIO_printf(out, "\n%*sSignature : ", indent + 4, "");
BIO_printf(out, "%s", OBJ_nid2ln(signhash_nid));
BIO_printf(out, "\n%*s ", indent + 4, "");
BIO_hex_string(out, indent + 16, 16, data, fieldlen);
if (listlen > 0) BIO_printf(out, "\n");
data += fieldlen;
}
}
return 1;
}
static X509V3_EXT_METHOD ext_method_ct_precert_scts =
{
NID_ct_precert_scts, 0, ASN1_ITEM_ref(ASN1_OCTET_STRING),
0, 0, 0, 0, 0, 0, 0, 0, (X509V3_EXT_I2R)i2r_sctlist, NULL, NULL
};
static X509V3_EXT_METHOD ext_method_ct_cert_scts =
{
NID_ct_cert_scts, 0, ASN1_ITEM_ref(ASN1_OCTET_STRING),
0, 0, 0, 0, 0, 0, 0, 0, (X509V3_EXT_I2R)i2r_sctlist, NULL, NULL
};
int X509V3_EXT_add_rfc6962(void)
{
if (!X509V3_EXT_add(&ext_method_ct_precert_scts))
return 0;
if (!X509V3_EXT_add(&ext_method_ct_cert_scts))
return 0;
return 1;
}