crypto/ct/ct_policy.c

   1 /*
   2  * Copyright 2016 The OpenSSL Project Authors. All Rights Reserved.
   3  *
   4  * Licensed under the Apache License 2.0 (the "License").  You may not use
   5  * this file except in compliance with the License.  You can obtain a copy
   6  * in the file LICENSE in the source distribution or at
   7  * https://www.openssl.org/source/license.html
   8  */
   9
  10 #ifdef OPENSSL_NO_CT
  11 # error "CT is disabled"
  12 #endif
  13
  14 #include <openssl/ct.h>
  15 #include <openssl/err.h>
  16 #include <time.h>
  17
  18 #include "ct_local.h"
  19
  20 /*
  21  * Number of seconds in the future that an SCT timestamp can be, by default,
  22  * without being considered invalid. This is added to time() when setting a
  23  * default value for CT_POLICY_EVAL_CTX.epoch_time_in_ms.
  24  * It can be overridden by calling CT_POLICY_EVAL_CTX_set_time().
  25  */
  26 static const time_t SCT_CLOCK_DRIFT_TOLERANCE = 300;
  27
  28 CT_POLICY_EVAL_CTX *CT_POLICY_EVAL_CTX_new_with_libctx(OPENSSL_CTX *libctx,
  29                                                        const char *propq)
  30 {
  31     CT_POLICY_EVAL_CTX *ctx = OPENSSL_zalloc(sizeof(CT_POLICY_EVAL_CTX));
  32
  33     if (ctx == NULL) {
  34         CTerr(0, ERR_R_MALLOC_FAILURE);
  35         return NULL;
  36     }
  37
  38     ctx->libctx = libctx;
  39     if (propq != NULL) {
  40         ctx->propq = OPENSSL_strdup(propq);
  41         if (ctx->propq == NULL) {
  42             CTerr(0, ERR_R_MALLOC_FAILURE);
  43             return NULL;
  44         }
  45     }
  46
  47     /* time(NULL) shouldn't ever fail, so don't bother checking for -1. */
  48     ctx->epoch_time_in_ms = (uint64_t)(time(NULL) + SCT_CLOCK_DRIFT_TOLERANCE) *
  49             1000;
  50
  51     return ctx;
  52 }
  53
  54 CT_POLICY_EVAL_CTX *CT_POLICY_EVAL_CTX_new(void)
  55 {
  56     return CT_POLICY_EVAL_CTX_new_with_libctx(NULL, NULL);
  57 }
  58
  59 void CT_POLICY_EVAL_CTX_free(CT_POLICY_EVAL_CTX *ctx)
  60 {
  61     if (ctx == NULL)
  62         return;
  63     X509_free(ctx->cert);
  64     X509_free(ctx->issuer);
  65     OPENSSL_free(ctx->propq);
  66     OPENSSL_free(ctx);
  67 }
  68
  69 int CT_POLICY_EVAL_CTX_set1_cert(CT_POLICY_EVAL_CTX *ctx, X509 *cert)
  70 {
  71     if (!X509_up_ref(cert))
  72         return 0;
  73     ctx->cert = cert;
  74     return 1;
  75 }
  76
  77 int CT_POLICY_EVAL_CTX_set1_issuer(CT_POLICY_EVAL_CTX *ctx, X509 *issuer)
  78 {
  79     if (!X509_up_ref(issuer))
  80         return 0;
  81     ctx->issuer = issuer;
  82     return 1;
  83 }
  84
  85 void CT_POLICY_EVAL_CTX_set_shared_CTLOG_STORE(CT_POLICY_EVAL_CTX *ctx,
  86                                                CTLOG_STORE *log_store)
  87 {
  88     ctx->log_store = log_store;
  89 }
  90
  91 void CT_POLICY_EVAL_CTX_set_time(CT_POLICY_EVAL_CTX *ctx, uint64_t time_in_ms)
  92 {
  93     ctx->epoch_time_in_ms = time_in_ms;
  94 }
  95
  96 X509* CT_POLICY_EVAL_CTX_get0_cert(const CT_POLICY_EVAL_CTX *ctx)
  97 {
  98     return ctx->cert;
  99 }
 100
 101 X509* CT_POLICY_EVAL_CTX_get0_issuer(const CT_POLICY_EVAL_CTX *ctx)
 102 {
 103     return ctx->issuer;
 104 }
 105
 106 const CTLOG_STORE *CT_POLICY_EVAL_CTX_get0_log_store(const CT_POLICY_EVAL_CTX *ctx)
 107 {
 108     return ctx->log_store;
 109 }
 110
 111 uint64_t CT_POLICY_EVAL_CTX_get_time(const CT_POLICY_EVAL_CTX *ctx)
 112 {
 113     return ctx->epoch_time_in_ms;
 114 }