Remove unused depdendencies from vendor

Signed-off-by: Daniel Nephin <dnephin@docker.com>
This commit is contained in:
Daniel Nephin 2017-09-01 11:02:00 -04:00
parent a0113c3a44
commit 724f03bb23
14 changed files with 1 additions and 1771 deletions

View File

@ -6,21 +6,19 @@ github.com/davecgh/go-spew 346938d642f2ec3594ed81d874461961cd0faa76
github.com/docker/distribution edc3ab29cdff8694dd6feb85cfeb4b5f1b38ed9c github.com/docker/distribution edc3ab29cdff8694dd6feb85cfeb4b5f1b38ed9c
github.com/docker/docker 184cea5ff710abde25547749e5608b24a255ba09 github.com/docker/docker 184cea5ff710abde25547749e5608b24a255ba09
github.com/docker/docker-credential-helpers v0.5.1 github.com/docker/docker-credential-helpers v0.5.1
github.com/docker/go-connections 3ede32e2033de7505e6500d6c868c2b9ed9f169d
# the docker/go package contains a customized version of canonical/json # the docker/go package contains a customized version of canonical/json
# and is used by Notary. The package is periodically rebased on current Go versions. # and is used by Notary. The package is periodically rebased on current Go versions.
github.com/docker/go d30aec9fd63c35133f8f79c3412ad91a3b08be06 github.com/docker/go d30aec9fd63c35133f8f79c3412ad91a3b08be06
github.com/docker/go-connections 3ede32e2033de7505e6500d6c868c2b9ed9f169d
github.com/docker/go-events 9461782956ad83b30282bf90e31fa6a70c255ba9 github.com/docker/go-events 9461782956ad83b30282bf90e31fa6a70c255ba9
github.com/docker/go-units 9e638d38cf6977a37a8ea0078f3ee75a7cdb2dd1 github.com/docker/go-units 9e638d38cf6977a37a8ea0078f3ee75a7cdb2dd1
github.com/docker/libnetwork 19ac3ea7f52bb46e0eb10669756cdae0c441a5b1
github.com/docker/libtrust 9cbd2a1374f46905c68a4eb3694a130610adc62a github.com/docker/libtrust 9cbd2a1374f46905c68a4eb3694a130610adc62a
github.com/docker/notary v0.4.2-sirupsen https://github.com/simonferquel/notary.git github.com/docker/notary v0.4.2-sirupsen https://github.com/simonferquel/notary.git
github.com/docker/swarmkit 0554c9bc9a485025e89b8e5c2c1f0d75961906a2 github.com/docker/swarmkit 0554c9bc9a485025e89b8e5c2c1f0d75961906a2
github.com/flynn-archive/go-shlex 3f9db97f856818214da2e1057f8ad84803971cff github.com/flynn-archive/go-shlex 3f9db97f856818214da2e1057f8ad84803971cff
github.com/gogo/protobuf v0.4 github.com/gogo/protobuf v0.4
github.com/golang/protobuf 7a211bcf3bce0e3f1d74f9894916e6f116ae83b4 github.com/golang/protobuf 7a211bcf3bce0e3f1d74f9894916e6f116ae83b4
github.com/google/certificate-transparency 0f6e3d1d1ba4d03fdaab7cd716f36255c2e48341
github.com/gorilla/context v1.1 github.com/gorilla/context v1.1
github.com/gorilla/mux v1.1 github.com/gorilla/mux v1.1
github.com/gotestyourself/gotestyourself v1.0.0 github.com/gotestyourself/gotestyourself v1.0.0

View File

@ -1,202 +0,0 @@
Apache License
Version 2.0, January 2004
http://www.apache.org/licenses/
TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION
1. Definitions.
"License" shall mean the terms and conditions for use, reproduction,
and distribution as defined by Sections 1 through 9 of this document.
"Licensor" shall mean the copyright owner or entity authorized by
the copyright owner that is granting the License.
"Legal Entity" shall mean the union of the acting entity and all
other entities that control, are controlled by, or are under common
control with that entity. For the purposes of this definition,
"control" means (i) the power, direct or indirect, to cause the
direction or management of such entity, whether by contract or
otherwise, or (ii) ownership of fifty percent (50%) or more of the
outstanding shares, or (iii) beneficial ownership of such entity.
"You" (or "Your") shall mean an individual or Legal Entity
exercising permissions granted by this License.
"Source" form shall mean the preferred form for making modifications,
including but not limited to software source code, documentation
source, and configuration files.
"Object" form shall mean any form resulting from mechanical
transformation or translation of a Source form, including but
not limited to compiled object code, generated documentation,
and conversions to other media types.
"Work" shall mean the work of authorship, whether in Source or
Object form, made available under the License, as indicated by a
copyright notice that is included in or attached to the work
(an example is provided in the Appendix below).
"Derivative Works" shall mean any work, whether in Source or Object
form, that is based on (or derived from) the Work and for which the
editorial revisions, annotations, elaborations, or other modifications
represent, as a whole, an original work of authorship. For the purposes
of this License, Derivative Works shall not include works that remain
separable from, or merely link (or bind by name) to the interfaces of,
the Work and Derivative Works thereof.
"Contribution" shall mean any work of authorship, including
the original version of the Work and any modifications or additions
to that Work or Derivative Works thereof, that is intentionally
submitted to Licensor for inclusion in the Work by the copyright owner
or by an individual or Legal Entity authorized to submit on behalf of
the copyright owner. For the purposes of this definition, "submitted"
means any form of electronic, verbal, or written communication sent
to the Licensor or its representatives, including but not limited to
communication on electronic mailing lists, source code control systems,
and issue tracking systems that are managed by, or on behalf of, the
Licensor for the purpose of discussing and improving the Work, but
excluding communication that is conspicuously marked or otherwise
designated in writing by the copyright owner as "Not a Contribution."
"Contributor" shall mean Licensor and any individual or Legal Entity
on behalf of whom a Contribution has been received by Licensor and
subsequently incorporated within the Work.
2. Grant of Copyright License. Subject to the terms and conditions of
this License, each Contributor hereby grants to You a perpetual,
worldwide, non-exclusive, no-charge, royalty-free, irrevocable
copyright license to reproduce, prepare Derivative Works of,
publicly display, publicly perform, sublicense, and distribute the
Work and such Derivative Works in Source or Object form.
3. Grant of Patent License. Subject to the terms and conditions of
this License, each Contributor hereby grants to You a perpetual,
worldwide, non-exclusive, no-charge, royalty-free, irrevocable
(except as stated in this section) patent license to make, have made,
use, offer to sell, sell, import, and otherwise transfer the Work,
where such license applies only to those patent claims licensable
by such Contributor that are necessarily infringed by their
Contribution(s) alone or by combination of their Contribution(s)
with the Work to which such Contribution(s) was submitted. If You
institute patent litigation against any entity (including a
cross-claim or counterclaim in a lawsuit) alleging that the Work
or a Contribution incorporated within the Work constitutes direct
or contributory patent infringement, then any patent licenses
granted to You under this License for that Work shall terminate
as of the date such litigation is filed.
4. Redistribution. You may reproduce and distribute copies of the
Work or Derivative Works thereof in any medium, with or without
modifications, and in Source or Object form, provided that You
meet the following conditions:
(a) You must give any other recipients of the Work or
Derivative Works a copy of this License; and
(b) You must cause any modified files to carry prominent notices
stating that You changed the files; and
(c) You must retain, in the Source form of any Derivative Works
that You distribute, all copyright, patent, trademark, and
attribution notices from the Source form of the Work,
excluding those notices that do not pertain to any part of
the Derivative Works; and
(d) If the Work includes a "NOTICE" text file as part of its
distribution, then any Derivative Works that You distribute must
include a readable copy of the attribution notices contained
within such NOTICE file, excluding those notices that do not
pertain to any part of the Derivative Works, in at least one
of the following places: within a NOTICE text file distributed
as part of the Derivative Works; within the Source form or
documentation, if provided along with the Derivative Works; or,
within a display generated by the Derivative Works, if and
wherever such third-party notices normally appear. The contents
of the NOTICE file are for informational purposes only and
do not modify the License. You may add Your own attribution
notices within Derivative Works that You distribute, alongside
or as an addendum to the NOTICE text from the Work, provided
that such additional attribution notices cannot be construed
as modifying the License.
You may add Your own copyright statement to Your modifications and
may provide additional or different license terms and conditions
for use, reproduction, or distribution of Your modifications, or
for any such Derivative Works as a whole, provided Your use,
reproduction, and distribution of the Work otherwise complies with
the conditions stated in this License.
5. Submission of Contributions. Unless You explicitly state otherwise,
any Contribution intentionally submitted for inclusion in the Work
by You to the Licensor shall be under the terms and conditions of
this License, without any additional terms or conditions.
Notwithstanding the above, nothing herein shall supersede or modify
the terms of any separate license agreement you may have executed
with Licensor regarding such Contributions.
6. Trademarks. This License does not grant permission to use the trade
names, trademarks, service marks, or product names of the Licensor,
except as required for reasonable and customary use in describing the
origin of the Work and reproducing the content of the NOTICE file.
7. Disclaimer of Warranty. Unless required by applicable law or
agreed to in writing, Licensor provides the Work (and each
Contributor provides its Contributions) on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
implied, including, without limitation, any warranties or conditions
of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A
PARTICULAR PURPOSE. You are solely responsible for determining the
appropriateness of using or redistributing the Work and assume any
risks associated with Your exercise of permissions under this License.
8. Limitation of Liability. In no event and under no legal theory,
whether in tort (including negligence), contract, or otherwise,
unless required by applicable law (such as deliberate and grossly
negligent acts) or agreed to in writing, shall any Contributor be
liable to You for damages, including any direct, indirect, special,
incidental, or consequential damages of any character arising as a
result of this License or out of the use or inability to use the
Work (including but not limited to damages for loss of goodwill,
work stoppage, computer failure or malfunction, or any and all
other commercial damages or losses), even if such Contributor
has been advised of the possibility of such damages.
9. Accepting Warranty or Additional Liability. While redistributing
the Work or Derivative Works thereof, You may choose to offer,
and charge a fee for, acceptance of support, warranty, indemnity,
or other liability obligations and/or rights consistent with this
License. However, in accepting such obligations, You may act only
on Your own behalf and on Your sole responsibility, not on behalf
of any other Contributor, and only if You agree to indemnify,
defend, and hold each Contributor harmless for any liability
incurred by, or claims asserted against, such Contributor by reason
of your accepting any such warranty or additional liability.
END OF TERMS AND CONDITIONS
APPENDIX: How to apply the Apache License to your work.
To apply the Apache License to your work, attach the following
boilerplate notice, with the fields enclosed by brackets "{}"
replaced with your own identifying information. (Don't include
the brackets!) The text should be enclosed in the appropriate
comment syntax for the file format. We also recommend that a
file or class name and description of purpose be included on the
same "printed page" as the copyright notice for easier
identification within third-party archives.
Copyright {yyyy} {name of copyright owner}
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.

View File

@ -1,89 +0,0 @@
# libnetwork - networking for containers
[![Circle CI](https://circleci.com/gh/docker/libnetwork/tree/master.svg?style=svg)](https://circleci.com/gh/docker/libnetwork/tree/master) [![Coverage Status](https://coveralls.io/repos/docker/libnetwork/badge.svg)](https://coveralls.io/r/docker/libnetwork) [![GoDoc](https://godoc.org/github.com/docker/libnetwork?status.svg)](https://godoc.org/github.com/docker/libnetwork)
Libnetwork provides a native Go implementation for connecting containers
The goal of libnetwork is to deliver a robust Container Network Model that provides a consistent programming interface and the required network abstractions for applications.
#### Design
Please refer to the [design](docs/design.md) for more information.
#### Using libnetwork
There are many networking solutions available to suit a broad range of use-cases. libnetwork uses a driver / plugin model to support all of these solutions while abstracting the complexity of the driver implementations by exposing a simple and consistent Network Model to users.
```go
func main() {
if reexec.Init() {
return
}
// Select and configure the network driver
networkType := "bridge"
// Create a new controller instance
driverOptions := options.Generic{}
genericOption := make(map[string]interface{})
genericOption[netlabel.GenericData] = driverOptions
controller, err := libnetwork.New(config.OptionDriverConfig(networkType, genericOption))
if err != nil {
log.Fatalf("libnetwork.New: %s", err)
}
// Create a network for containers to join.
// NewNetwork accepts Variadic optional arguments that libnetwork and Drivers can use.
network, err := controller.NewNetwork(networkType, "network1", "")
if err != nil {
log.Fatalf("controller.NewNetwork: %s", err)
}
// For each new container: allocate IP and interfaces. The returned network
// settings will be used for container infos (inspect and such), as well as
// iptables rules for port publishing. This info is contained or accessible
// from the returned endpoint.
ep, err := network.CreateEndpoint("Endpoint1")
if err != nil {
log.Fatalf("network.CreateEndpoint: %s", err)
}
// Create the sandbox for the container.
// NewSandbox accepts Variadic optional arguments which libnetwork can use.
sbx, err := controller.NewSandbox("container1",
libnetwork.OptionHostname("test"),
libnetwork.OptionDomainname("docker.io"))
if err != nil {
log.Fatalf("controller.NewSandbox: %s", err)
}
// A sandbox can join the endpoint via the join api.
err = ep.Join(sbx)
if err != nil {
log.Fatalf("ep.Join: %s", err)
}
// libnetwork client can check the endpoint's operational data via the Info() API
epInfo, err := ep.DriverInfo()
if err != nil {
log.Fatalf("ep.DriverInfo: %s", err)
}
macAddress, ok := epInfo[netlabel.MacAddress]
if !ok {
log.Fatalf("failed to get mac address from endpoint info")
}
fmt.Printf("Joined endpoint %s (%s) to sandbox %s (%s)\n", ep.Name(), macAddress, sbx.ContainerID(), sbx.Key())
}
```
## Future
Please refer to [roadmap](ROADMAP.md) for more information.
## Contributing
Want to hack on libnetwork? [Docker's contributions guidelines](https://github.com/docker/docker/blob/master/CONTRIBUTING.md) apply.
## Copyright and license
Code and documentation copyright 2015 Docker, inc. Code released under the Apache 2.0 license. Docs released under Creative commons.

View File

@ -1,44 +0,0 @@
github.com/Azure/go-ansiterm 19f72df4d05d31cbe1c56bfc8045c96babff6c7e
github.com/BurntSushi/toml f706d00e3de6abe700c994cdd545a1a4915af060
github.com/Microsoft/go-winio ce2922f643c8fd76b46cadc7f404a06282678b34
github.com/Microsoft/hcsshim v0.6.1
github.com/armon/go-metrics eb0af217e5e9747e41dd5303755356b62d28e3ec
github.com/armon/go-radix e39d623f12e8e41c7b5529e9a9dd67a1e2261f80
github.com/boltdb/bolt c6ba97b89e0454fec9aa92e1d33a4e2c5fc1f631
github.com/codegangsta/cli a65b733b303f0055f8d324d805f393cd3e7a7904
github.com/coreos/etcd 925d1d74cec8c3b169c52fd4b2dc234a35934fce
github.com/coreos/go-systemd b4a58d95188dd092ae20072bac14cece0e67c388
github.com/deckarep/golang-set ef32fa3046d9f249d399f98ebaf9be944430fd1d
github.com/docker/docker 2cac43e3573893cf8fd816e0ad5615426acb87f4 https://github.com/dmcgowan/docker.git
github.com/docker/go-connections 3ede32e2033de7505e6500d6c868c2b9ed9f169d
github.com/docker/go-events 9461782956ad83b30282bf90e31fa6a70c255ba9
github.com/docker/go-units 8e2d4523730c73120e10d4652f36ad6010998f4e
github.com/docker/libkv 1d8431073ae03cdaedb198a89722f3aab6d418ef
github.com/godbus/dbus 5f6efc7ef2759c81b7ba876593971bfce311eab3
github.com/gogo/protobuf 8d70fb3182befc465c4a1eac8ad4d38ff49778e2
github.com/golang/protobuf f7137ae6b19afbfd61a94b746fda3b3fe0491874
github.com/gorilla/context 215affda49addc4c8ef7e2534915df2c8c35c6cd
github.com/gorilla/mux 8096f47503459bcc74d1f4c487b7e6e42e5746b5
github.com/hashicorp/consul 954aec66231b79c161a4122b023fbcad13047f79
github.com/hashicorp/go-msgpack 71c2886f5a673a35f909803f38ece5810165097b
github.com/hashicorp/go-multierror 2167c8ec40776024589f483a6b836489e47e1049
github.com/hashicorp/memberlist v0.1.0
github.com/sean-/seed e2103e2c35297fb7e17febb81e49b312087a2372
github.com/hashicorp/go-sockaddr acd314c5781ea706c710d9ea70069fd2e110d61d
github.com/hashicorp/serf 598c54895cc5a7b1a24a398d635e8c0ea0959870
github.com/mattn/go-shellwords 525bedee691b5a8df547cb5cf9f86b7fb1883e24
github.com/miekg/dns d27455715200c7d3e321a1e5cadb27c9ee0b0f02
github.com/opencontainers/runc 8694d576ea3ce3c9e2c804b7f91b4e1e9a575d1c https://github.com/dmcgowan/runc.git
github.com/samuel/go-zookeeper d0e0d8e11f318e000a8cc434616d69e329edc374
github.com/seccomp/libseccomp-golang 1b506fc7c24eec5a3693cdcbed40d9c226cfc6a1
github.com/sirupsen/logrus v1.0.1
github.com/stretchr/testify dab07ac62d4905d3e48d17dc549c684ac3b7c15a
github.com/syndtr/gocapability 2c00daeb6c3b45114c80ac44119e7b8801fdd852
github.com/ugorji/go f1f1a805ed361a0e078bb537e4ea78cd37dcf065
github.com/vishvananda/netlink bd6d5de5ccef2d66b0a26177928d0d8895d7f969
github.com/vishvananda/netns 604eaf189ee867d8c147fafc28def2394e878d25
golang.org/x/net c427ad74c6d7a814201695e9ffde0c5d400a7674
golang.org/x/sys 8f0908ab3b2457e2e15403d3697c9ef5cb4b57a9
github.com/pkg/errors 839d9e913e063e28dfd0e6c7b7512793e0a48be9

View File

@ -1,202 +0,0 @@
Apache License
Version 2.0, January 2004
http://www.apache.org/licenses/
TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION
1. Definitions.
"License" shall mean the terms and conditions for use, reproduction,
and distribution as defined by Sections 1 through 9 of this document.
"Licensor" shall mean the copyright owner or entity authorized by
the copyright owner that is granting the License.
"Legal Entity" shall mean the union of the acting entity and all
other entities that control, are controlled by, or are under common
control with that entity. For the purposes of this definition,
"control" means (i) the power, direct or indirect, to cause the
direction or management of such entity, whether by contract or
otherwise, or (ii) ownership of fifty percent (50%) or more of the
outstanding shares, or (iii) beneficial ownership of such entity.
"You" (or "Your") shall mean an individual or Legal Entity
exercising permissions granted by this License.
"Source" form shall mean the preferred form for making modifications,
including but not limited to software source code, documentation
source, and configuration files.
"Object" form shall mean any form resulting from mechanical
transformation or translation of a Source form, including but
not limited to compiled object code, generated documentation,
and conversions to other media types.
"Work" shall mean the work of authorship, whether in Source or
Object form, made available under the License, as indicated by a
copyright notice that is included in or attached to the work
(an example is provided in the Appendix below).
"Derivative Works" shall mean any work, whether in Source or Object
form, that is based on (or derived from) the Work and for which the
editorial revisions, annotations, elaborations, or other modifications
represent, as a whole, an original work of authorship. For the purposes
of this License, Derivative Works shall not include works that remain
separable from, or merely link (or bind by name) to the interfaces of,
the Work and Derivative Works thereof.
"Contribution" shall mean any work of authorship, including
the original version of the Work and any modifications or additions
to that Work or Derivative Works thereof, that is intentionally
submitted to Licensor for inclusion in the Work by the copyright owner
or by an individual or Legal Entity authorized to submit on behalf of
the copyright owner. For the purposes of this definition, "submitted"
means any form of electronic, verbal, or written communication sent
to the Licensor or its representatives, including but not limited to
communication on electronic mailing lists, source code control systems,
and issue tracking systems that are managed by, or on behalf of, the
Licensor for the purpose of discussing and improving the Work, but
excluding communication that is conspicuously marked or otherwise
designated in writing by the copyright owner as "Not a Contribution."
"Contributor" shall mean Licensor and any individual or Legal Entity
on behalf of whom a Contribution has been received by Licensor and
subsequently incorporated within the Work.
2. Grant of Copyright License. Subject to the terms and conditions of
this License, each Contributor hereby grants to You a perpetual,
worldwide, non-exclusive, no-charge, royalty-free, irrevocable
copyright license to reproduce, prepare Derivative Works of,
publicly display, publicly perform, sublicense, and distribute the
Work and such Derivative Works in Source or Object form.
3. Grant of Patent License. Subject to the terms and conditions of
this License, each Contributor hereby grants to You a perpetual,
worldwide, non-exclusive, no-charge, royalty-free, irrevocable
(except as stated in this section) patent license to make, have made,
use, offer to sell, sell, import, and otherwise transfer the Work,
where such license applies only to those patent claims licensable
by such Contributor that are necessarily infringed by their
Contribution(s) alone or by combination of their Contribution(s)
with the Work to which such Contribution(s) was submitted. If You
institute patent litigation against any entity (including a
cross-claim or counterclaim in a lawsuit) alleging that the Work
or a Contribution incorporated within the Work constitutes direct
or contributory patent infringement, then any patent licenses
granted to You under this License for that Work shall terminate
as of the date such litigation is filed.
4. Redistribution. You may reproduce and distribute copies of the
Work or Derivative Works thereof in any medium, with or without
modifications, and in Source or Object form, provided that You
meet the following conditions:
(a) You must give any other recipients of the Work or
Derivative Works a copy of this License; and
(b) You must cause any modified files to carry prominent notices
stating that You changed the files; and
(c) You must retain, in the Source form of any Derivative Works
that You distribute, all copyright, patent, trademark, and
attribution notices from the Source form of the Work,
excluding those notices that do not pertain to any part of
the Derivative Works; and
(d) If the Work includes a "NOTICE" text file as part of its
distribution, then any Derivative Works that You distribute must
include a readable copy of the attribution notices contained
within such NOTICE file, excluding those notices that do not
pertain to any part of the Derivative Works, in at least one
of the following places: within a NOTICE text file distributed
as part of the Derivative Works; within the Source form or
documentation, if provided along with the Derivative Works; or,
within a display generated by the Derivative Works, if and
wherever such third-party notices normally appear. The contents
of the NOTICE file are for informational purposes only and
do not modify the License. You may add Your own attribution
notices within Derivative Works that You distribute, alongside
or as an addendum to the NOTICE text from the Work, provided
that such additional attribution notices cannot be construed
as modifying the License.
You may add Your own copyright statement to Your modifications and
may provide additional or different license terms and conditions
for use, reproduction, or distribution of Your modifications, or
for any such Derivative Works as a whole, provided Your use,
reproduction, and distribution of the Work otherwise complies with
the conditions stated in this License.
5. Submission of Contributions. Unless You explicitly state otherwise,
any Contribution intentionally submitted for inclusion in the Work
by You to the Licensor shall be under the terms and conditions of
this License, without any additional terms or conditions.
Notwithstanding the above, nothing herein shall supersede or modify
the terms of any separate license agreement you may have executed
with Licensor regarding such Contributions.
6. Trademarks. This License does not grant permission to use the trade
names, trademarks, service marks, or product names of the Licensor,
except as required for reasonable and customary use in describing the
origin of the Work and reproducing the content of the NOTICE file.
7. Disclaimer of Warranty. Unless required by applicable law or
agreed to in writing, Licensor provides the Work (and each
Contributor provides its Contributions) on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
implied, including, without limitation, any warranties or conditions
of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A
PARTICULAR PURPOSE. You are solely responsible for determining the
appropriateness of using or redistributing the Work and assume any
risks associated with Your exercise of permissions under this License.
8. Limitation of Liability. In no event and under no legal theory,
whether in tort (including negligence), contract, or otherwise,
unless required by applicable law (such as deliberate and grossly
negligent acts) or agreed to in writing, shall any Contributor be
liable to You for damages, including any direct, indirect, special,
incidental, or consequential damages of any character arising as a
result of this License or out of the use or inability to use the
Work (including but not limited to damages for loss of goodwill,
work stoppage, computer failure or malfunction, or any and all
other commercial damages or losses), even if such Contributor
has been advised of the possibility of such damages.
9. Accepting Warranty or Additional Liability. While redistributing
the Work or Derivative Works thereof, You may choose to offer,
and charge a fee for, acceptance of support, warranty, indemnity,
or other liability obligations and/or rights consistent with this
License. However, in accepting such obligations, You may act only
on Your own behalf and on Your sole responsibility, not on behalf
of any other Contributor, and only if You agree to indemnify,
defend, and hold each Contributor harmless for any liability
incurred by, or claims asserted against, such Contributor by reason
of your accepting any such warranty or additional liability.
END OF TERMS AND CONDITIONS
APPENDIX: How to apply the Apache License to your work.
To apply the Apache License to your work, attach the following
boilerplate notice, with the fields enclosed by brackets "[]"
replaced with your own identifying information. (Don't include
the brackets!) The text should be enclosed in the appropriate
comment syntax for the file format. We also recommend that a
file or class name and description of purpose be included on the
same "printed page" as the copyright notice for easier
identification within third-party archives.
Copyright [yyyy] [name of copyright owner]
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.

View File

@ -1,91 +0,0 @@
## Quickstart on Fedora 22 ##
Please attempt to use the GClient build as documented in the
[main readme](README.md) as this is an easier process and will be
maintained in future.
If GClient works and tests pass then the following procedures are not
required.
## Deprecated Manual Build Process ##
Note: This assumes a Workstation install for x64. The additional dependency
packages that need to be installed may vary if you are starting with a
different base system.
Install Dependencies:
```bash
sudo dnf update
sudo dnf install cmake gcc-g++ libevent-devel golang autoconf pkgconfig \
json-c-devel gflags-devel glog-devel protobuf-devel leveldb-devel \
openssl-devel gperftools-devel protobuf-compiler sqlite-devel ant \
java-1.8.0-openjdk-devel protobuf-java python-gflags protobuf-python \
python-ecdsa python-mock python-httplib2 git ldns-devel automake \
libtool shtool libunwind-devel
```
Other Libraries
The `gflags` in Fedora is v2.1 and is using the new default namespace option of
gflags rather than google so we need to build our own version.
```bash
git clone https://github.com/gflags/gflags.git
cd gflags
cmake -DGFLAGS_NAMESPACE:STRING=google \
-DCMAKE_CXX_FLAGS:STRING=-fPIC .
make
cd ..
```
Next, we need `libevhtp` version `1.2.10` which is not packaged in Fedora, so
we build from source:
```bash
wget https://github.com/ellzey/libevhtp/archive/1.2.10.zip
unzip 1.2.10.zip
cd libevhtp-1.2.10/
cmake -DEVHTP_DISABLE_REGEX:STRING=ON -DCMAKE_C_FLAGS:STRING=-fPIC .
make
cd ..
```
And let's get our own Google Test / Google Mock as these vary in incompatible
ways between packaged releases:
```bash
wget https://googlemock.googlecode.com/files/gmock-1.7.0.zip
unzip gmock-1.7.0.zip
```
Now, clone the CT repo:
```bash
git clone https://github.com/google/certificate-transparency.git
cd certificate-transparency/
```
One-time setup for Go:
```bash
export GOPATH=$PWD/go
mkdir -p $GOPATH/src/github.com/google
ln -s $PWD $GOPATH/src/github.com/google
go get -v -d ./...
```
Build CT server C++ code:
```bash
./autogen.sh
./configure GTEST_DIR=../gmock-1.7.0/gtest GMOCK_DIR=../gmock-1.7.0 \
CPPFLAGS="-I../libevhtp-1.2.10 -I../libevhtp-1.2.10/evthr \
-I../libevhtp-1.2.10/htparse -I../gflags/include" \
LDFLAGS=”-L../libevhtp-1.2.10 -L../gflags/lib”
make check
```
The remainder of the Java, Go and Python steps should be very similar to those
documented for Ubuntu in the [main readme file](README.md).

View File

@ -1,57 +0,0 @@
## OSX Builds Now Use GClient ##
We recommend that you use GClient to build on OSX. Please follow the
instructions in the [main readme](README.md) file.
## Trusted root certificates ##
The CT code requires a set of trusted root certificates in order to:
1. Validate outbound HTTPS connections
2. (In the case of the log-server) decide whether to accept a certificate
chain for inclusion.
On OSX, the system version of OpenSSL (0.9.8gz at time of writing) contains
Apple-provided patches which intercept failed chain validations and re-attempts
them using roots obtained from the system keychain. Since we use a much more
recent (and unpatched) version of OpenSSL this behaviour is unsupported and so
a PEM file containing the trusted root certs must be used.
## Specifying root certificates to be used
To use a certificate PEM bundle file with the CT C++ code, the following
methods may be used:
### For verifying outbound HTTPS connections:
Either set the
`--trusted_roots_certs' flag, or the `SSL_CERT_FILE` environment variable, to
point to the location of the PEM file containing the root certificates to be
used to verify the outbound HTTPS connection.
### Incoming inclusion requests (ct-server only)
Set the `--trusted_cert_file` flag to point to the location of the PEM file
containing the set of root certificates whose chains should be accepted for
inclusion into the log.
## Sources of trusted roots
Obviously the choice of root certificates to trust for outbound HTTPS
connections and incoming inclusion requests are a matter of operating policy,
but it is often useful to have a set of common roots for testing and
development at the very least.
While OSX ships with a set of common trusted roots, they are not directly
available to OpenSSL and must be exported from the keychain first. This can be
achieved with the following command:
```bash
security find-certificates -a -p /Library/Keychains/System.keychain > certs.pem
security find-certificates -a -p /System/Library/Keychains/SystemRootCertificates.keychain >> certs.pem
```
## Deprecated Build Process ##
This may be out of date and is not guaranteed to work.
gtest: install from source.

View File

@ -1,269 +0,0 @@
certificate-transparency
========================
#Auditing for TLS certificates#
[![Build Status](https://travis-ci.org/google/certificate-transparency.svg?branch=master)](https://travis-ci.org/google/certificate-transparency)
## Build With GClient ##
This is now the recommended method for all supported platforms. It gives you
a reproducible build and avoids the need to build some dependencies manually.
Known to work on FreeBSD 10, OS X (10.10) [tested with XCode + brew installation
of deps listed below], and Ubuntu 14.04. Tested on Fedora 22 but may require
manual override of compiler options as documented below. Tested on CentOS 7
with similar caveats.
### Install Dependencies ###
Depending on which platform you have the exact packages required will vary.
The following tools must be available for the GClient build to succeed:
- autoconf/automake etc.
- clang++ (>=3.4)
- cmake (>=v3.1.2)
- git
- GNU make
- libtool
- shtool
- Tcl
- pkgconf
- python27
- [depot_tools](https://www.chromium.org/developers/how-tos/install-depot-tools)
### Building with gclient ###
```bash
export CXX=clang++ CC=clang
mkdir ct # or whatever directory you prefer
cd ct
gclient config --name="certificate-transparency" https://github.com/google/certificate-transparency.git
gclient sync
# substitute gmake or gnumake below if that's what your platform calls it:
make -C certificate-transparency check
```
If you're trying to clone from a branch on the CT repo then you'll need to
substitute the following command for the `gclient config` command above,
replacing `branch` as appropriate
```bash
gclient config --name="certificate-transparency" https://github.com/google/certificate-transparency.git@branch
```
### Platform Specific Notes ###
#### Fedora / CentOS ####
When you issue the `gclient sync` command you may need to set compiler options
in order to build successfully. If the build fails to work try using:
```bash
CXXFLAGS="-O2 -Wno-error=unused-variable" gclient sync
```
If this gives an error about an unused typedef in a `glog` header file try this:
```bash
CXXFLAGS="-O2 -Wno-error=unused-variable -Wno-error=unused-local-typedefs" gclient sync
```
When changing `CXXFLAGS` it's safer to remove the existing build directories
in case not all dependencies are properly accounted for and rebuilt. If
problems persist check that the Makefile in `certificate-transparency`
contains the options that were passed in `CXXFLAGS`.
If there are still problems using GClient then an older style build can be
attempted. The process should be similar to the one documented for Ubuntu
below or in the [Fedora README](README.Fedora) depending on platform.
## Deprecated: Quickstart on Ubuntu ##
This should no longer be needed as the instructions above should work. But in
case of difficulties the dependencies can be built manually. The following
steps will checkout the code and build it on a clean Ubuntu 14.04 LTS
installation. It has also been tested on an Ubuntu 15.04 installation.
First, install packaged dependencies:
sudo apt-get update -qq
sudo apt-get install -qq unzip cmake g++ libevent-dev golang-go autoconf pkg-config \
libjson-c-dev libgflags-dev libgoogle-glog-dev libprotobuf-dev libleveldb-dev \
libssl-dev libgoogle-perftools-dev protobuf-compiler libsqlite3-dev ant openjdk-7-jdk \
libprotobuf-java python-gflags python-protobuf python-ecdsa python-mock \
python-httplib2 git libldns-dev
Next, we need `libevhtp` version `1.2.10` which is not packaged in Ubuntu yet, so we build from source:
wget https://github.com/ellzey/libevhtp/archive/1.2.10.zip
unzip 1.2.10.zip
cd libevhtp-1.2.10/
cmake -DEVHTP_DISABLE_REGEX:STRING=ON -DCMAKE_C_FLAGS:STRING=-fPIC .
make
cd ..
And let's get our own Google Test / Google Mock as these vary in incompatible ways between packaged releases:
wget https://googlemock.googlecode.com/files/gmock-1.7.0.zip
unzip gmock-1.7.0.zip
Now, clone the CT repo:
git clone https://github.com/google/certificate-transparency.git
cd certificate-transparency/
One-time setup for Go:
export GOPATH=$PWD/go
mkdir -p $GOPATH/src/github.com/google
ln -s $PWD $GOPATH/src/github.com/google
go get -v -d ./...
Build CT server C++ code:
./autogen.sh
./configure GTEST_DIR=../gmock-1.7.0/gtest GMOCK_DIR=../gmock-1.7.0 \
CPPFLAGS="-I../libevhtp-1.2.10 -I../libevhtp-1.2.10/evthr \
-I../libevhtp-1.2.10/htparse" LDFLAGS=-L../libevhtp-1.2.10
make check
Build and test Java code:
ant build test
Build and test Python code:
make -C python test
Best and test Go code:
go test -v ./go/...
## Deprecated: Older Build Method ##
- [OpenSSL](https://www.openssl.org/source/), at least 1.0.0q,
preferably 1.0.1l or 1.0.2 (and up)
The checking of SCTs included in the
[RFC 6962](http://tools.ietf.org/html/rfc6962) TLS extension is only
included in OpenSSL 1.0.2. As of this writing, this version is not yet
released, so this means hand building the `OpenSSL_1_0_2-stable`
branch from the
[OpenSSL git repository](https://www.openssl.org/source/repos.html).
- [googlemock](https://github.com/google/googlemock) (tested with 1.7.0)
Gmock provides a bundled version of gtest, which will also be used.
Unpack googlemock, but do not build it. Upstream recommends to build a
new copy from source for each package to be tested. We follow this
advice in our `Makefile`, which builds gmock/gtest automatically.
Some systems make the googlemock source available as a package; on
Debian, this is in the google-mock package, which puts it in
`/usr/src/gmock`. Our `Makefile` looks in that location by default,
but if your googlemock sources are in a different location, set the
`GMOCK_DIR` environment variable to point at them.
If you are on FreeBSD, you may need to apply the patch in gtest.patch
to the gtest subdirectory of gmock.
- [protobuf](https://github.com/google/protobuf) (tested with 2.5.0)
- [gflags](https://github.com/gflags/gflags) (tested with 1.6
and 2.0)
- [glog](https://github.com/google/glog) (tested with 0.3.1)
Make sure to install glog **after** gflags, to avoid linking errors.
- [sqlite3](http://www.sqlite.org/)
- [leveldb](https://github.com/google/leveldb)
- [JSON-C](https://github.com/json-c/json-c/), at least 0.11
You can specify a JSON-C library in a non-standard location using the
`JSONCLIBDIR` environment variable. Version 0.10 would work as well,
except the `json_object_iterator.h` header is not properly copied when
installing. If you can install the missing header manually, it should
work.
- [libevent](http://libevent.org/) (tested with 2.0.21-stable)
- [libevhtp](https://github.com/ellzey/libevhtp) (tested with 1.2.10)
If building libevhtp from source, you may need to disable the regex support
with the following cmake flag: `-DEVHTP_DISABLE_REGEX:STRING=ON`
You can specify a non-installed locally built library using the
`LIBEVENTDIR` environment variable to point to the local build. Note
that the FreeBSD port version 2.0.21_2 does not appear to work
correctly (it only listens on IPv6 for the HTTP server) - for that
platform we had to build from the source, specifically commit
6dba1694c89119c44cef03528945e5a5978ab43a.
- [ldns](http://www.nlnetlabs.nl/projects/ldns/)
- [ant](http://ant.apache.org/)
- Python libraries:
- pyasn1 and pyasn1-modules (optional, needed for `upload_server_cert.sh`)
- [dnspython](http://www.dnspython.org/)
### Building ###
You can build the log server with the following commands:
$ ./autogen.sh # only necessary if you're building from git
$ ./configure
$ make
You can give the `configure` script extra parameters, to set
compilation flags, or point to custom versions of some dependencies
(notably, googlemock often needs this). For example, to compile with
Clang, using googlemock in `$HOME/gmock`, and a custom libevent in
`$HOME/libevent`:
$ ./configure CXX=clang++ GMOCK_DIR=$HOME CPPFLAGS="-I$HOME/libevent/include" LDFLAGS="-L$HOME/libevent/.libs"
Running `./configure --help` provides more information about various
variables that can be set.
## Running Unit Tests ##
Run unit tests with this command
$ make check
If the build still fails because of missing libraries, you may need to
set the environment variable `LD_LIBRARY_PATH`. On Linux, if you did
not change the default installation path (such as `/usr/local/lib`),
running
$ ldconfig
or, if needed,
$ sudo ldconfig
should resolve the problem.
## End-To-End Tests ##
For end-to-end server-client tests, you will need to install Apache
and point the tests to it. See `test/README` for how to do so.
## Testing and Logging Options ##
Note that several tests write files on disk. The default directory for
storing temporary testdata is `/tmp`. You can change this by setting
`TMPDIR=<tmpdir>` for make.
End-to-end tests also create temporary certificate and server files in
`test/tmp`. All these files are cleaned up after a successful test
run.
For logging options, see
http://google-glog.googlecode.com/svn/trunk/doc/glog.html
By default, unit tests log to stderr, and log only messages with a FATAL level
(i.e., those that result in abnormal program termination).
You can override the defaults with command-line flags.
End-to-end tests log everything at INFO level and above.

View File

@ -1,214 +0,0 @@
/***************************************************************************
* _ _ ____ _
* Project ___| | | | _ \| |
* / __| | | | |_) | |
* | (__| |_| | _ <| |___
* \___|\___/|_| \_\_____|
*
* Copyright (C) 1998 - 2012, Daniel Stenberg, <daniel@haxx.se>, et al.
*
* This software is licensed as described in the file COPYING, which
* you should have received as part of this distribution. The terms
* are also available at http://curl.haxx.se/docs/copyright.html.
*
* You may opt to use, copy, modify, merge, publish, distribute and/or sell
* copies of the Software, and permit persons to whom the Software is
* furnished to do so, under the terms of the COPYING file.
*
* This software is distributed on an "AS IS" basis, WITHOUT WARRANTY OF ANY
* KIND, either express or implied.
*
***************************************************************************/
/* This file is an amalgamation of hostcheck.c and most of rawstr.c
from cURL. The contents of the COPYING file mentioned above are:
COPYRIGHT AND PERMISSION NOTICE
Copyright (c) 1996 - 2013, Daniel Stenberg, <daniel@haxx.se>.
All rights reserved.
Permission to use, copy, modify, and distribute this software for any purpose
with or without fee is hereby granted, provided that the above copyright
notice and this permission notice appear in all copies.
THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT OF THIRD PARTY RIGHTS. IN
NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM,
DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR
OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE
OR OTHER DEALINGS IN THE SOFTWARE.
Except as contained in this notice, the name of a copyright holder shall not
be used in advertising or otherwise to promote the sale, use or other dealings
in this Software without prior written authorization of the copyright holder.
*/
#include "hostcheck.h"
#include <string.h>
/* Portable, consistent toupper (remember EBCDIC). Do not use toupper() because
its behavior is altered by the current locale. */
static char Curl_raw_toupper(char in) {
switch (in) {
case 'a':
return 'A';
case 'b':
return 'B';
case 'c':
return 'C';
case 'd':
return 'D';
case 'e':
return 'E';
case 'f':
return 'F';
case 'g':
return 'G';
case 'h':
return 'H';
case 'i':
return 'I';
case 'j':
return 'J';
case 'k':
return 'K';
case 'l':
return 'L';
case 'm':
return 'M';
case 'n':
return 'N';
case 'o':
return 'O';
case 'p':
return 'P';
case 'q':
return 'Q';
case 'r':
return 'R';
case 's':
return 'S';
case 't':
return 'T';
case 'u':
return 'U';
case 'v':
return 'V';
case 'w':
return 'W';
case 'x':
return 'X';
case 'y':
return 'Y';
case 'z':
return 'Z';
}
return in;
}
/*
* Curl_raw_equal() is for doing "raw" case insensitive strings. This is meant
* to be locale independent and only compare strings we know are safe for
* this. See http://daniel.haxx.se/blog/2008/10/15/strcasecmp-in-turkish/ for
* some further explanation to why this function is necessary.
*
* The function is capable of comparing a-z case insensitively even for
* non-ascii.
*/
static int Curl_raw_equal(const char *first, const char *second) {
while (*first && *second) {
if (Curl_raw_toupper(*first) != Curl_raw_toupper(*second))
/* get out of the loop as soon as they don't match */
break;
first++;
second++;
}
/* we do the comparison here (possibly again), just to make sure that if the
loop above is skipped because one of the strings reached zero, we must not
return this as a successful match */
return (Curl_raw_toupper(*first) == Curl_raw_toupper(*second));
}
static int Curl_raw_nequal(const char *first, const char *second, size_t max) {
while (*first && *second && max) {
if (Curl_raw_toupper(*first) != Curl_raw_toupper(*second)) {
break;
}
max--;
first++;
second++;
}
if (0 == max)
return 1; /* they are equal this far */
return Curl_raw_toupper(*first) == Curl_raw_toupper(*second);
}
/*
* Match a hostname against a wildcard pattern.
* E.g.
* "foo.host.com" matches "*.host.com".
*
* We use the matching rule described in RFC6125, section 6.4.3.
* http://tools.ietf.org/html/rfc6125#section-6.4.3
*/
static int hostmatch(const char *hostname, const char *pattern) {
const char *pattern_label_end, *pattern_wildcard, *hostname_label_end;
int wildcard_enabled;
size_t prefixlen, suffixlen;
pattern_wildcard = strchr(pattern, '*');
if (pattern_wildcard == NULL)
return Curl_raw_equal(pattern, hostname) ? CURL_HOST_MATCH
: CURL_HOST_NOMATCH;
/* We require at least 2 dots in pattern to avoid too wide wildcard
match. */
wildcard_enabled = 1;
pattern_label_end = strchr(pattern, '.');
if (pattern_label_end == NULL ||
strchr(pattern_label_end + 1, '.') == NULL ||
pattern_wildcard > pattern_label_end ||
Curl_raw_nequal(pattern, "xn--", 4)) {
wildcard_enabled = 0;
}
if (!wildcard_enabled)
return Curl_raw_equal(pattern, hostname) ? CURL_HOST_MATCH
: CURL_HOST_NOMATCH;
hostname_label_end = strchr(hostname, '.');
if (hostname_label_end == NULL ||
!Curl_raw_equal(pattern_label_end, hostname_label_end))
return CURL_HOST_NOMATCH;
/* The wildcard must match at least one character, so the left-most
label of the hostname is at least as large as the left-most label
of the pattern. */
if (hostname_label_end - hostname < pattern_label_end - pattern)
return CURL_HOST_NOMATCH;
prefixlen = pattern_wildcard - pattern;
suffixlen = pattern_label_end - (pattern_wildcard + 1);
return Curl_raw_nequal(pattern, hostname, prefixlen) &&
Curl_raw_nequal(pattern_wildcard + 1,
hostname_label_end - suffixlen, suffixlen)
? CURL_HOST_MATCH
: CURL_HOST_NOMATCH;
}
int Curl_cert_hostcheck(const char *match_pattern, const char *hostname) {
if (!match_pattern || !*match_pattern || !hostname ||
!*hostname) /* sanity check */
return 0;
if (Curl_raw_equal(hostname, match_pattern)) /* trivial case */
return 1;
if (hostmatch(hostname, match_pattern) == CURL_HOST_MATCH)
return 1;
return 0;
}

View File

@ -1,29 +0,0 @@
#ifndef HEADER_CURL_HOSTCHECK_H
#define HEADER_CURL_HOSTCHECK_H
/***************************************************************************
* _ _ ____ _
* Project ___| | | | _ \| |
* / __| | | | |_) | |
* | (__| |_| | _ <| |___
* \___|\___/|_| \_\_____|
*
* Copyright (C) 1998 - 2012, Daniel Stenberg, <daniel@haxx.se>, et al.
*
* This software is licensed as described in the file COPYING, which
* you should have received as part of this distribution. The terms
* are also available at http://curl.haxx.se/docs/copyright.html.
*
* You may opt to use, copy, modify, merge, publish, distribute and/or sell
* copies of the Software, and permit persons to whom the Software is
* furnished to do so, under the terms of the COPYING file.
*
* This software is distributed on an "AS IS" basis, WITHOUT WARRANTY OF ANY
* KIND, either express or implied.
*
***************************************************************************/
#define CURL_HOST_NOMATCH 0
#define CURL_HOST_MATCH 1
int Curl_cert_hostcheck(const char* match_pattern, const char* hostname);
#endif /* HEADER_CURL_HOSTCHECK_H */

View File

@ -1,180 +0,0 @@
/* Obtained from: https://github.com/iSECPartners/ssl-conservatory */
/*
Copyright (C) 2012, iSEC Partners.
Permission is hereby granted, free of charge, to any person obtaining a copy of
this software and associated documentation files (the "Software"), to deal in
the Software without restriction, including without limitation the rights to
use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies
of the Software, and to permit persons to whom the Software is furnished to do
so, subject to the following conditions:
The above copyright notice and this permission notice shall be included in all
copies or substantial portions of the Software.
THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
SOFTWARE.
*/
/*
* Helper functions to perform basic hostname validation using OpenSSL.
*
* Please read "everything-you-wanted-to-know-about-openssl.pdf" before
* attempting to use this code. This whitepaper describes how the code works,
* how it should be used, and what its limitations are.
*
* Author: Alban Diquet
* License: See LICENSE
*
*/
#include <openssl/x509v3.h>
#include <openssl/ssl.h>
#include "third_party/curl/hostcheck.h"
#include "third_party/isec_partners/openssl_hostname_validation.h"
#define HOSTNAME_MAX_SIZE 255
/**
* Tries to find a match for hostname in the certificate's Common Name field.
*
* Returns MatchFound if a match was found.
* Returns MatchNotFound if no matches were found.
* Returns MalformedCertificate if the Common Name had a NUL character embedded
* in it.
* Returns Error if the Common Name could not be extracted.
*/
static HostnameValidationResult matches_common_name(const char *hostname,
const X509 *server_cert) {
int common_name_loc = -1;
X509_NAME_ENTRY *common_name_entry = NULL;
ASN1_STRING *common_name_asn1 = NULL;
char *common_name_str = NULL;
// Find the position of the CN field in the Subject field of the certificate
common_name_loc =
X509_NAME_get_index_by_NID(X509_get_subject_name((X509 *)server_cert),
NID_commonName, -1);
if (common_name_loc < 0) {
return Error;
}
// Extract the CN field
common_name_entry =
X509_NAME_get_entry(X509_get_subject_name((X509 *)server_cert),
common_name_loc);
if (common_name_entry == NULL) {
return Error;
}
// Convert the CN field to a C string
common_name_asn1 = X509_NAME_ENTRY_get_data(common_name_entry);
if (common_name_asn1 == NULL) {
return Error;
}
common_name_str = (char *)ASN1_STRING_data(common_name_asn1);
// Make sure there isn't an embedded NUL character in the CN
if ((size_t)ASN1_STRING_length(common_name_asn1) !=
strlen(common_name_str)) {
return MalformedCertificate;
}
// Compare expected hostname with the CN
if (Curl_cert_hostcheck(common_name_str, hostname) == CURL_HOST_MATCH) {
return MatchFound;
} else {
return MatchNotFound;
}
}
/**
* Tries to find a match for hostname in the certificate's Subject Alternative
* Name extension.
*
* Returns MatchFound if a match was found.
* Returns MatchNotFound if no matches were found.
* Returns MalformedCertificate if any of the hostnames had a NUL character
* embedded in it.
* Returns NoSANPresent if the SAN extension was not present in the certificate.
*/
static HostnameValidationResult matches_subject_alternative_name(
const char *hostname, const X509 *server_cert) {
HostnameValidationResult result = MatchNotFound;
int i;
int san_names_nb = -1;
STACK_OF(GENERAL_NAME) *san_names = NULL;
// Try to extract the names within the SAN extension from the certificate
san_names =
X509_get_ext_d2i((X509 *)server_cert, NID_subject_alt_name, NULL, NULL);
if (san_names == NULL) {
return NoSANPresent;
}
san_names_nb = sk_GENERAL_NAME_num(san_names);
// Check each name within the extension
for (i = 0; i < san_names_nb; i++) {
const GENERAL_NAME *current_name = sk_GENERAL_NAME_value(san_names, i);
if (current_name->type == GEN_DNS) {
// Current name is a DNS name, let's check it
char *dns_name = (char *)ASN1_STRING_data(current_name->d.dNSName);
// Make sure there isn't an embedded NUL character in the DNS name
if ((size_t)ASN1_STRING_length(current_name->d.dNSName) !=
strlen(dns_name)) {
result = MalformedCertificate;
break;
} else { // Compare expected hostname with the DNS name
if (Curl_cert_hostcheck(dns_name, hostname) == CURL_HOST_MATCH) {
result = MatchFound;
break;
}
}
}
}
sk_GENERAL_NAME_pop_free(san_names, GENERAL_NAME_free);
return result;
}
/**
* Validates the server's identity by looking for the expected hostname in the
* server's certificate. As described in RFC 6125, it first tries to find a
* match
* in the Subject Alternative Name extension. If the extension is not present in
* the certificate, it checks the Common Name instead.
*
* Returns MatchFound if a match was found.
* Returns MatchNotFound if no matches were found.
* Returns MalformedCertificate if any of the hostnames had a NUL character
* embedded in it.
* Returns Error if there was an error.
*/
HostnameValidationResult validate_hostname(const char *hostname,
const X509 *server_cert) {
HostnameValidationResult result;
if ((hostname == NULL) || (server_cert == NULL))
return Error;
// First try the Subject Alternative Names extension
result = matches_subject_alternative_name(hostname, server_cert);
if (result == NoSANPresent) {
// Extension was not found: try the Common Name
result = matches_common_name(hostname, server_cert);
}
return result;
}

View File

@ -1,59 +0,0 @@
/* Obtained from: https://github.com/iSECPartners/ssl-conservatory */
/*
Copyright (C) 2012, iSEC Partners.
Permission is hereby granted, free of charge, to any person obtaining a copy of
this software and associated documentation files (the "Software"), to deal in
the Software without restriction, including without limitation the rights to
use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies
of the Software, and to permit persons to whom the Software is furnished to do
so, subject to the following conditions:
The above copyright notice and this permission notice shall be included in all
copies or substantial portions of the Software.
THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
SOFTWARE.
*/
/*
* Helper functions to perform basic hostname validation using OpenSSL.
*
* Please read "everything-you-wanted-to-know-about-openssl.pdf" before
* attempting to use this code. This whitepaper describes how the code works,
* how it should be used, and what its limitations are.
*
* Author: Alban Diquet
* License: See LICENSE
*
*/
typedef enum {
MatchFound,
MatchNotFound,
NoSANPresent,
MalformedCertificate,
Error
} HostnameValidationResult;
/**
* Validates the server's identity by looking for the expected hostname in the
* server's certificate. As described in RFC 6125, it first tries to find a
* match
* in the Subject Alternative Name extension. If the extension is not present in
* the certificate, it checks the Common Name instead.
*
* Returns MatchFound if a match was found.
* Returns MatchNotFound if no matches were found.
* Returns MalformedCertificate if any of the hostnames had a NUL character
* embedded in it.
* Returns Error if there was an error.
*/
HostnameValidationResult validate_hostname(const char* hostname,
const X509* server_cert);

View File

@ -1,12 +0,0 @@
#ifndef CERT_TRANS_VERSION_H_
#define CERT_TRANS_VERSION_H_
namespace cert_trans {
extern const char kBuildVersion[];
} // namespace cert_trans
#endif // CERT_TRANS_VERSION_H_

View File

@ -1,320 +0,0 @@
syntax = "proto2";
package ct;
////////////////////////////////////////////////////////////////////////////////
// These protocol buffers should be kept aligned with the I-D. //
////////////////////////////////////////////////////////////////////////////////
// RFC 5246
message DigitallySigned {
enum HashAlgorithm {
NONE = 0;
MD5 = 1;
SHA1 = 2;
SHA224 = 3;
SHA256 = 4;
SHA384 = 5;
SHA512 = 6;
}
enum SignatureAlgorithm {
ANONYMOUS = 0;
RSA = 1;
DSA = 2;
ECDSA = 3;
}
// 1 byte
optional HashAlgorithm hash_algorithm = 1 [ default = NONE ];
// 1 byte
optional SignatureAlgorithm sig_algorithm = 2 [ default = ANONYMOUS ];
// 0..2^16-1 bytes
optional bytes signature = 3;
}
enum LogEntryType {
X509_ENTRY = 0;
PRECERT_ENTRY = 1;
PRECERT_ENTRY_V2 = 2;
// Not part of the I-D, and outside the valid range.
X_JSON_ENTRY = 32768; // Experimental, don't rely on this!
UNKNOWN_ENTRY_TYPE = 65536;
}
message X509ChainEntry {
// For V1 this entry just includes the certificate in the leaf_certificate
// field
// <1..2^24-1>
optional bytes leaf_certificate = 1;
// For V2 it includes the cert and key hash using CertInfo. The
// leaf_certificate field is not used
optional CertInfo cert_info = 3;
// <0..2^24-1>
// A chain from the leaf to a trusted root
// (excluding leaf and possibly root).
repeated bytes certificate_chain = 2;
}
// opaque TBSCertificate<1..2^16-1>;
// struct {
// opaque issuer_key_hash[32];
// TBSCertificate tbs_certificate;
// } PreCert;
// Retained for V1 API compatibility. May be removed in a future release.
message PreCert {
optional bytes issuer_key_hash = 1;
optional bytes tbs_certificate = 2;
}
// In V2 this is used for both certificates and precertificates in SCTs. It
// replaces PreCert and has the same structure. The older message remains for
// compatibility with existing code that depends on this proto.
message CertInfo {
optional bytes issuer_key_hash = 1;
optional bytes tbs_certificate = 2;
}
message PrecertChainEntry {
// <1..2^24-1>
optional bytes pre_certificate = 1;
// <0..2^24-1>
// The chain certifying the precertificate, as submitted by the CA.
repeated bytes precertificate_chain = 2;
// PreCert input to the SCT. Can be computed from the above.
// Store it alongside the entry data so that the signers don't have to
// parse certificates to recompute it.
optional PreCert pre_cert = 3;
// As above for V2 messages. Only one of these fields will be set in a
// valid message
optional CertInfo cert_info = 4;
}
message XJSONEntry {
optional string json = 1;
}
// TODO(alcutter): Consider using extensions here instead.
message LogEntry {
optional LogEntryType type = 1 [ default = UNKNOWN_ENTRY_TYPE ];
optional X509ChainEntry x509_entry = 2;
optional PrecertChainEntry precert_entry = 3;
optional XJSONEntry x_json_entry = 4;
}
enum SignatureType {
CERTIFICATE_TIMESTAMP = 0;
// TODO(ekasper): called tree_hash in I-D.
TREE_HEAD = 1;
}
enum Version {
V1 = 0;
V2 = 1;
// Not part of the I-D, and outside the valid range.
UNKNOWN_VERSION = 256;
}
message LogID {
// 32 bytes
optional bytes key_id = 1;
}
message SctExtension {
// Valid range is 0-65534
optional uint32 sct_extension_type = 1;
// Data is opaque and type specific. <0..2^16-1> bytes
optional bytes sct_extension_data = 2;
}
// TODO(ekasper): implement support for id.
message SignedCertificateTimestamp {
optional Version version = 1 [ default = UNKNOWN_VERSION ];
optional LogID id = 2;
// UTC time in milliseconds, since January 1, 1970, 00:00.
optional uint64 timestamp = 3;
optional DigitallySigned signature = 4;
// V1 extensions
optional bytes extensions = 5;
// V2 extensions <0..2^16-1>. Must be ordered by type (lowest first)
repeated SctExtension sct_extension = 6;
}
message SignedCertificateTimestampList {
// One or more SCTs, <1..2^16-1> bytes each
repeated bytes sct_list = 1;
}
enum MerkleLeafType {
TIMESTAMPED_ENTRY = 0;
UNKNOWN_LEAF_TYPE = 256;
}
message SignedEntry {
// For V1 signed entries either the x509 or precert field will be set
optional bytes x509 = 1;
optional PreCert precert = 2;
optional bytes json = 3;
// For V2 all entries use the CertInfo field and the above fields are
// not set
optional CertInfo cert_info = 4;
}
message TimestampedEntry {
optional uint64 timestamp = 1;
optional LogEntryType entry_type = 2;
optional SignedEntry signed_entry = 3;
// V1 extensions
optional bytes extensions = 4;
// V2 extensions <0..2^16-1>. Must be ordered by type (lowest first)
repeated SctExtension sct_extension = 5;
}
// Stuff that's hashed into a Merkle leaf.
message MerkleTreeLeaf {
// The version of the corresponding SCT.
optional Version version = 1 [ default = UNKNOWN_VERSION ];
optional MerkleLeafType type = 2 [ default = UNKNOWN_LEAF_TYPE ];
optional TimestampedEntry timestamped_entry = 3;
}
// TODO(benl): No longer needed?
//
// Used by cpp/client/ct: it assembles the one from the I-D JSON
// protocol.
//
// Used by cpp/server/blob-server: it uses one to call a variant of
// LogLookup::AuditProof.
message MerkleAuditProof {
optional Version version = 1 [ default = UNKNOWN_VERSION ];
optional LogID id = 2;
optional int64 tree_size = 3;
optional uint64 timestamp = 4;
optional int64 leaf_index = 5;
repeated bytes path_node = 6;
optional DigitallySigned tree_head_signature = 7;
}
message ShortMerkleAuditProof {
required int64 leaf_index = 1;
repeated bytes path_node = 2;
}
////////////////////////////////////////////////////////////////////////////////
// Finally, stuff that's not in the I-D but that we use internally //
// for logging entries and tree head state. //
////////////////////////////////////////////////////////////////////////////////
// TODO(alcutter): Come up with a better name :/
message LoggedEntryPB {
optional int64 sequence_number = 1;
optional bytes merkle_leaf_hash = 2;
message Contents {
optional SignedCertificateTimestamp sct = 1;
optional LogEntry entry = 2;
}
required Contents contents = 3;
}
message SthExtension {
// Valid range is 0-65534
optional uint32 sth_extension_type = 1;
// Data is opaque and type specific <0..2^16-1> bytes
optional bytes sth_extension_data = 2;
}
message SignedTreeHead {
// The version of the tree head signature.
// (Note that each leaf has its own version, so a V2 tree
// can contain V1 leaves, too.
optional Version version = 1 [ default = UNKNOWN_VERSION ];
optional LogID id = 2;
optional uint64 timestamp = 3;
optional int64 tree_size = 4;
optional bytes sha256_root_hash = 5;
optional DigitallySigned signature = 6;
// Only supported in V2. <0..2^16-1>
repeated SthExtension sth_extension = 7;
}
// Stuff the SSL client spits out from a connection.
message SSLClientCTData {
optional LogEntry reconstructed_entry = 1;
optional bytes certificate_sha256_hash = 2;
message SCTInfo {
// There is an entry + sct -> leaf hash mapping.
optional SignedCertificateTimestamp sct = 1;
optional bytes merkle_leaf_hash = 2;
}
repeated SCTInfo attached_sct_info = 3;
}
message ClusterNodeState {
optional string node_id = 1;
optional int64 contiguous_tree_size = 2 [deprecated = true];
optional SignedTreeHead newest_sth = 3;
optional SignedTreeHead current_serving_sth = 4;
// The following host_name/log_port pair are used to allow a log node to
// contact other nodes in the cluster, primarily for the purposes of
// replication.
// hostname/ip which can be used to contact [just] this log node
optional string hostname = 5;
// port on which this log node is listening.
optional int32 log_port = 6;
}
message ClusterControl {
optional bool accept_new_entries = 1 [ default = true ];
}
message ClusterConfig {
/////////////////////////////////
// This section of the config affects the selection of the cluster's current
// serving STH.
// The cluster will always attempt to determine the newest (and
// largest) possible STH which meets the constraints defined below from the
// set of STHs available at the individual cluster nodes.
// (Note that nodes with newer/larger STHs can, of course, serve
// earlier/smaller STHs.)
// The minimum number of nodes which must be able to serve a given STH.
// This setting allows you to configure the level of cluster resiliency
// against data (in the form of node/node database) loss.
// i.e.: Once an STH has been created, it must have been replicated to
// at least this many nodes before being considered as a candidate for
// the overall cluster serving STH.
optional int32 minimum_serving_nodes = 1;
// The minimum fraction of nodes which must be able to serve a given STH.
// This setting allows you to configure the serving capacity redundancy of
// your cluster.
// e.g. you determine you need 3 nodes to serve your expected peak traffic
// levels, but want to be over-provisioned by 25% to ensure the cluster will
// continue to be able to handle the traffic in the case of a single node
// failure, you might set this to 0.75 to ensure that any cluster-wide
// serving STH candidate must be servable from at least 3 of your 4 nodes.
optional double minimum_serving_fraction = 2;
/////////////////////////////////
// When the number of entries in the EtcedConsistentStore exceeds this value,
// the log server will reject all calls to add-[pre-]chain to protect itself
// and etcd.
optional double etcd_reject_add_pending_threshold = 3 [default = 30000];
}
message SequenceMapping {
message Mapping {
optional bytes entry_hash = 1;
optional int64 sequence_number = 2;
}
repeated Mapping mapping = 1;
}