authorRob Percival <robpercival@google.com>2016-03-10 18:17:23 +0000
committerRich Salz <rsalz@openssl.org>2016-03-10 14:53:04 -0500
commit8359b57f27bbc320c3c08035917d829b303ea850 (patch)
tree0a63789a4ffb5b5562a5d5716d9dd502f877eff7 /crypto/ct
parentf0667b1430bac3b8c9c5b76985ad24cf9b13a0a9 (diff)
check reviewer --reviewer=emilia
Remove 'log' field from SCT and related accessors In order to still have access to an SCT's CTLOG when calling SCT_print, SSL_CTX_get0_ctlog_store has been added. Improved documentation for some CT functions in openssl/ssl.h. Reviewed-by: Emilia Käsper <emilia@openssl.org> Reviewed-by: Rich Salz <rsalz@openssl.org>
Diffstat (limited to 'crypto/ct')
-rw-r--r--crypto/ct/ct_locl.h2
-rw-r--r--crypto/ct/ct_prn.c17
-rw-r--r--crypto/ct/ct_sct.c34
-rw-r--r--crypto/ct/ct_x509v3.c2
4 files changed, 20 insertions, 35 deletions
diff --git a/crypto/ct/ct_locl.h b/crypto/ct/ct_locl.h
index 3625e5039c..66a6d1cfcd 100644
--- a/crypto/ct/ct_locl.h
+++ b/crypto/ct/ct_locl.h
@@ -125,8 +125,6 @@ struct sct_st {
ct_log_entry_type_t entry_type;
/* Where this SCT was found, e.g. certificate, OCSP response, etc. */
sct_source_t source;
- /* The CT log that produced this SCT. */
- const CTLOG *log;
/* The result of the last attempt to validate this SCT. */
sct_validation_status_t validation_status;
};
diff --git a/crypto/ct/ct_prn.c b/crypto/ct/ct_prn.c
index c2e11b1e24..239ffc832c 100644
--- a/crypto/ct/ct_prn.c
+++ b/crypto/ct/ct_prn.c
@@ -96,7 +96,7 @@ static void timestamp_print(uint64_t timestamp, BIO *out)
ASN1_GENERALIZEDTIME_free(gen);
}
-void SCT_print(const SCT *sct, BIO *out, int indent)
+void SCT_print(const SCT *sct, BIO *out, int indent, const CTLOG *log)
{
BIO_printf(out, "%*sSigned Certificate Timestamp:", indent, "");
BIO_printf(out, "\n%*sVersion : ", indent + 4, "");
@@ -109,9 +109,9 @@ void SCT_print(const SCT *sct, BIO *out, int indent)
BIO_printf(out, "v1 (0x0)");
- if (sct->log != NULL) {
+ if (log != NULL) {
BIO_printf(out, "\n%*sLog : %s", indent + 4, "",
- SCT_get0_log_name(sct));
+ CTLOG_get0_name(log));
}
BIO_printf(out, "\n%*sLog ID : ", indent + 4, "");
@@ -133,13 +133,20 @@ void SCT_print(const SCT *sct, BIO *out, int indent)
}
void SCT_LIST_print(const STACK_OF(SCT) *sct_list, BIO *out, int indent,
- const char *separator)
+ const char *separator, const CTLOG_STORE *log_store)
{
int i;
for (i = 0; i < sk_SCT_num(sct_list); ++i) {
SCT *sct = sk_SCT_value(sct_list, i);
- SCT_print(sct, out, indent);
+ const CTLOG *log = NULL;
+
+ if (log_store != NULL) {
+ log = CTLOG_STORE_get0_log_by_id(log_store, sct->log_id,
+ sct->log_id_len);
+ }
+
+ SCT_print(sct, out, indent, log);
if (i < sk_SCT_num(sct_list) - 1)
BIO_printf(out, "%s", separator);
}
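Review bot: The new `log` parameter of SCT_print (hunk at line 96) and the new `log_store` parameter of SCT_LIST_print are both optional, but nothing in the file says so; a reader has to follow the `if (log != NULL)` and `if (log_store != NULL)` branches to learn that NULL is accepted and merely suppresses the `Log :` line. Add a comment above SCT_print such as `/* log may be NULL; when given, its name is printed after the version line. */` and above SCT_LIST_print `/* log_store may be NULL, in which case no log names are resolved or printed. */`. With the cached field gone, the lookup in the SCT_LIST_print loop runs once per SCT using `sct->log_id`/`sct->log_id_len`, which matches what SCT_validate now does. Both SCT_print and SCT_LIST_print continue outside their hunks.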
diff --git a/crypto/ct/ct_sct.c b/crypto/ct/ct_sct.c
index f83e155281..9eefa0caf0 100644
--- a/crypto/ct/ct_sct.c
+++ b/crypto/ct/ct_sct.c
@@ -251,11 +251,6 @@ size_t SCT_get0_log_id(const SCT *sct, unsigned char **log_id)
return sct->log_id_len;
}
-const char *SCT_get0_log_name(const SCT *sct)
-{
- return CTLOG_get0_name(sct->log);
-}
-
uint64_t SCT_get_timestamp(const SCT *sct)
{
return sct->timestamp;
@@ -327,18 +322,6 @@ int SCT_set_source(SCT *sct, sct_source_t source)
}
}
-const CTLOG *SCT_get0_log(const SCT *sct)
-{
- return sct->log;
-}
-
-int SCT_set0_log(SCT *sct, const CTLOG_STORE *ct_logs)
-{
- sct->log = CTLOG_STORE_get0_log_by_id(ct_logs, sct->log_id, sct->log_id_len);
-
- return sct->log != NULL;
-}
-
sct_validation_status_t SCT_get_validation_status(const SCT *sct)
{
return sct->validation_status;
@@ -349,20 +332,17 @@ int SCT_validate(SCT *sct, const CT_POLICY_EVAL_CTX *ctx)
int is_sct_valid = -1;
SCT_CTX *sctx = NULL;
X509_PUBKEY *pub = NULL, *log_pkey = NULL;
+ const CTLOG *log;
- switch (sct->version) {
- case SCT_VERSION_V1:
- if (sct->log == NULL)
- sct->log = CTLOG_STORE_get0_log_by_id(ctx->log_store,
- sct->log_id,
- CT_V1_HASHLEN);
- break;
- default:
+ if (sct->version != SCT_VERSION_V1) {
sct->validation_status = SCT_VALIDATION_STATUS_UNKNOWN_VERSION;
goto end;
}
- if (sct->log == NULL) {
+ log = CTLOG_STORE_get0_log_by_id(ctx->log_store,
+ sct->log_id, sct->log_id_len);
+
+ if (log == NULL) {
sct->validation_status = SCT_VALIDATION_STATUS_UNKNOWN_LOG;
goto end;
}
@@ -371,7 +351,7 @@ int SCT_validate(SCT *sct, const CT_POLICY_EVAL_CTX *ctx)
if (sctx == NULL)
goto err;
- if (X509_PUBKEY_set(&log_pkey, CTLOG_get0_public_key(sct->log)) != 1)
+ if (X509_PUBKEY_set(&log_pkey, CTLOG_get0_public_key(log)) != 1)
goto err;
if (SCT_CTX_set1_pubkey(sctx, log_pkey) != 1)
goto err;
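Review bot: In SCT_validate (hunk at line 332) the new local `const CTLOG *log;` is declared without an initializer even though the function relies on `goto end`/`goto err` cleanup; every current use of `log` follows the assignment from CTLOG_STORE_get0_log_by_id, but an early exit added later between the declaration and that assignment that then touches `log` would read an indeterminate pointer. Declaring it as `const CTLOG *log = NULL;` costs nothing and matches the `sctx`/`pub`/`log_pkey` initializers just above. The same `log` is consumed by the `CTLOG_get0_public_key(log)` call in the second hunk at line 351. The lookup now passes `sct->log_id_len` where the removed code passed the fixed `CT_V1_HASHLEN`, so a v1 SCT whose stored id length is not the v1 hash length will now end in SCT_VALIDATION_STATUS_UNKNOWN_LOG rather than being matched with a length the SCT's own buffer may not hold; that looks like an improvement but is worth a sentence in the commit message since it changes the status an odd-sized id produces. The function starts and ends outside the hunks.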
diff --git a/crypto/ct/ct_x509v3.c b/crypto/ct/ct_x509v3.c
index 2617f13d28..db2c0e4875 100644
--- a/crypto/ct/ct_x509v3.c
+++ b/crypto/ct/ct_x509v3.c
@@ -75,7 +75,7 @@ static char *i2s_poison(const X509V3_EXT_METHOD *method, void *val)
static int i2r_SCT_LIST(X509V3_EXT_METHOD *method, STACK_OF(SCT) *sct_list,
BIO *out, int indent)
{
- SCT_LIST_print(sct_list, out, indent, "\n");
+ SCT_LIST_print(sct_list, out, indent, "\n", NULL);
return 1;
}
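Review bot: `i2r_SCT_LIST` now passes `NULL` as the log store, so SCTs printed through the X509v3 extension printer will never show a log name, and nothing in the file explains why; add a comment on the call such as `/* No CTLOG_STORE is reachable from the extension printer, so log names are not resolved here. */`. If a store later becomes available through the X509V3_EXT_METHOD context, this call is the place to thread it through.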