diff options
| author | Rob Percival <robpercival@google.com> | 2016-09-08 16:02:46 +0100 |
|---|---|---|
| committer | Rich Salz <rsalz@openssl.org> | 2016-11-15 16:12:41 -0500 |
| commit | 1fa9ffd934429f140edcfbaf76d2f32cc21e449b (patch) | |
| tree | 6fb2ae2a0d3e11febb094acc8e3df03621000ab1 /include/openssl/ct.h | |
| parent | 7b176a549ea374fc9b64c3fa7f0812239528b696 (diff) | |
| download | openssl-1fa9ffd934429f140edcfbaf76d2f32cc21e449b.zip openssl-1fa9ffd934429f140edcfbaf76d2f32cc21e449b.tar.gz openssl-1fa9ffd934429f140edcfbaf76d2f32cc21e449b.tar.bz2 | |
Check that SCT timestamps are not in the future
Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/1554)
Diffstat (limited to 'include/openssl/ct.h')
| -rw-r--r-- | include/openssl/ct.h | 18 |
1 files changed, 17 insertions, 1 deletions
diff --git a/include/openssl/ct.h b/include/openssl/ct.h index 6c63265..a87dd7f 100644 --- a/include/openssl/ct.h +++ b/include/openssl/ct.h @@ -98,6 +98,21 @@ const CTLOG_STORE *CT_POLICY_EVAL_CTX_get0_log_store(const CT_POLICY_EVAL_CTX *c void CT_POLICY_EVAL_CTX_set_shared_CTLOG_STORE(CT_POLICY_EVAL_CTX *ctx, CTLOG_STORE *log_store); +/* + * Gets the time, in milliseconds since the Unix epoch, that will be used as the + * current time when checking whether an SCT was issued in the future. + * Such SCTs will fail validation, as required by RFC6962. + */ +uint64_t CT_POLICY_EVAL_CTX_get_time(const CT_POLICY_EVAL_CTX *ctx); + +/* + * Sets the current time, in milliseconds since the Unix epoch. + * The timestamps of the SCTs will be compared to this, to check that they were + * not issued in the future. RFC6962 states that "TLS clients MUST reject SCTs + * whose timestamp is in the future", so an SCT will not validate in this case. + */ +void CT_POLICY_EVAL_CTX_set_time(CT_POLICY_EVAL_CTX *ctx, uint64_t time_in_ms); + /***************** * SCT functions * *****************/ @@ -482,6 +497,7 @@ int ERR_load_CT_strings(void); # define CT_F_O2I_SCT_LIST 111 # define CT_F_O2I_SCT_SIGNATURE 112 # define CT_F_SCT_CTX_NEW 126 +# define CT_F_SCT_CTX_VERIFY 128 # define CT_F_SCT_NEW 100 # define CT_F_SCT_NEW_FROM_BASE64 127 # define CT_F_SCT_SET0_LOG_ID 101 @@ -491,7 +507,6 @@ int ERR_load_CT_strings(void); # define CT_F_SCT_SET_LOG_ENTRY_TYPE 102 # define CT_F_SCT_SET_SIGNATURE_NID 103 # define CT_F_SCT_SET_VERSION 104 -# define CT_F_SCT_CTX_VERIFY 128 /* Reason codes. */ # define CT_R_BASE64_DECODE_ERROR 108 @@ -501,6 +516,7 @@ int ERR_load_CT_strings(void); # define CT_R_LOG_CONF_MISSING_DESCRIPTION 111 # define CT_R_LOG_CONF_MISSING_KEY 112 # define CT_R_LOG_KEY_INVALID 113 +# define CT_R_SCT_FUTURE_TIMESTAMP 116 # define CT_R_SCT_INVALID 104 # define CT_R_SCT_INVALID_SIGNATURE 107 # define CT_R_SCT_LIST_INVALID 105 |