]>
Commit | Line | Data |
---|---|---|
d2e9e320 RS |
1 | /* |
2 | * Copyright 2016 The OpenSSL Project Authors. All Rights Reserved. | |
8c6afbc5 | 3 | * |
d2e9e320 RS |
4 | * Licensed under the OpenSSL license (the "License"). You may not use |
5 | * this file except in compliance with the License. You can obtain a copy | |
6 | * in the file LICENSE in the source distribution or at | |
7 | * https://www.openssl.org/source/license.html | |
8c6afbc5 RP |
8 | */ |
9 | ||
0dfd6cf9 RP |
10 | #include <stdlib.h> |
11 | #include <string.h> | |
12 | ||
8c6afbc5 RP |
13 | #include <openssl/conf.h> |
14 | #include <openssl/ct.h> | |
15 | #include <openssl/err.h> | |
16 | #include <openssl/evp.h> | |
17 | #include <openssl/safestack.h> | |
18 | ||
19 | #include "internal/cryptlib.h" | |
20 | ||
21 | /* | |
22 | * Information about a CT log server. | |
23 | */ | |
24 | struct ctlog_st { | |
25 | char *name; | |
26 | uint8_t log_id[CT_V1_HASHLEN]; | |
27 | EVP_PKEY *public_key; | |
28 | }; | |
29 | ||
30 | /* | |
31 | * A store for multiple CTLOG instances. | |
32 | * It takes ownership of any CTLOG instances added to it. | |
33 | */ | |
34 | struct ctlog_store_st { | |
35 | STACK_OF(CTLOG) *logs; | |
36 | }; | |
37 | ||
38 | /* The context when loading a CT log list from a CONF file. */ | |
39 | typedef struct ctlog_store_load_ctx_st { | |
40 | CTLOG_STORE *log_store; | |
41 | CONF *conf; | |
a930afb6 | 42 | size_t invalid_log_entries; |
8c6afbc5 RP |
43 | } CTLOG_STORE_LOAD_CTX; |
44 | ||
45 | /* | |
46 | * Creates an empty context for loading a CT log store. | |
47 | * It should be populated before use. | |
48 | */ | |
0dfd6cf9 | 49 | static CTLOG_STORE_LOAD_CTX *ctlog_store_load_ctx_new(); |
8c6afbc5 RP |
50 | |
51 | /* | |
52 | * Deletes a CT log store load context. | |
53 | * Does not delete any of the fields. | |
54 | */ | |
0dfd6cf9 | 55 | static void ctlog_store_load_ctx_free(CTLOG_STORE_LOAD_CTX* ctx); |
8c6afbc5 | 56 | |
0dfd6cf9 | 57 | static CTLOG_STORE_LOAD_CTX *ctlog_store_load_ctx_new() |
8c6afbc5 | 58 | { |
0dfd6cf9 RP |
59 | CTLOG_STORE_LOAD_CTX *ctx = OPENSSL_zalloc(sizeof(*ctx)); |
60 | ||
e57036f2 | 61 | if (ctx == NULL) |
8c6afbc5 | 62 | CTerr(CT_F_CTLOG_STORE_LOAD_CTX_NEW, ERR_R_MALLOC_FAILURE); |
8c6afbc5 RP |
63 | |
64 | return ctx; | |
8c6afbc5 RP |
65 | } |
66 | ||
0dfd6cf9 | 67 | static void ctlog_store_load_ctx_free(CTLOG_STORE_LOAD_CTX* ctx) |
8c6afbc5 | 68 | { |
8c6afbc5 RP |
69 | OPENSSL_free(ctx); |
70 | } | |
71 | ||
72 | /* Converts a log's public key into a SHA256 log ID */ | |
0dfd6cf9 | 73 | static int ct_v1_log_id_from_pkey(EVP_PKEY *pkey, |
8c6afbc5 RP |
74 | unsigned char log_id[CT_V1_HASHLEN]) |
75 | { | |
76 | int ret = 0; | |
77 | unsigned char *pkey_der = NULL; | |
78 | int pkey_der_len = i2d_PUBKEY(pkey, &pkey_der); | |
0dfd6cf9 | 79 | |
8c6afbc5 RP |
80 | if (pkey_der_len <= 0) { |
81 | CTerr(CT_F_CT_V1_LOG_ID_FROM_PKEY, CT_R_LOG_KEY_INVALID); | |
82 | goto err; | |
83 | } | |
0dfd6cf9 | 84 | |
8c6afbc5 RP |
85 | SHA256(pkey_der, pkey_der_len, log_id); |
86 | ret = 1; | |
87 | err: | |
88 | OPENSSL_free(pkey_der); | |
89 | return ret; | |
90 | } | |
91 | ||
92 | CTLOG_STORE *CTLOG_STORE_new(void) | |
93 | { | |
0dfd6cf9 RP |
94 | CTLOG_STORE *ret = OPENSSL_zalloc(sizeof(*ret)); |
95 | ||
e57036f2 F |
96 | if (ret == NULL) { |
97 | CTerr(CT_F_CTLOG_STORE_NEW, ERR_R_MALLOC_FAILURE); | |
98 | return NULL; | |
99 | } | |
0dfd6cf9 | 100 | |
8c6afbc5 RP |
101 | ret->logs = sk_CTLOG_new_null(); |
102 | if (ret->logs == NULL) | |
103 | goto err; | |
0dfd6cf9 | 104 | |
8c6afbc5 RP |
105 | return ret; |
106 | err: | |
e57036f2 | 107 | OPENSSL_free(ret); |
8c6afbc5 RP |
108 | return NULL; |
109 | } | |
110 | ||
111 | void CTLOG_STORE_free(CTLOG_STORE *store) | |
112 | { | |
113 | if (store != NULL) { | |
114 | sk_CTLOG_pop_free(store->logs, CTLOG_free); | |
115 | OPENSSL_free(store); | |
116 | } | |
117 | } | |
118 | ||
0dfd6cf9 | 119 | static CTLOG *ctlog_new_from_conf(const CONF *conf, const char *section) |
8c6afbc5 RP |
120 | { |
121 | CTLOG *ret = NULL; | |
e57036f2 | 122 | const char *description = NCONF_get_string(conf, section, "description"); |
8c6afbc5 | 123 | char *pkey_base64; |
8c6afbc5 RP |
124 | |
125 | if (description == NULL) { | |
126 | CTerr(CT_F_CTLOG_NEW_FROM_CONF, CT_R_LOG_CONF_MISSING_DESCRIPTION); | |
127 | goto end; | |
128 | } | |
129 | ||
130 | pkey_base64 = NCONF_get_string(conf, section, "key"); | |
8c6afbc5 RP |
131 | if (pkey_base64 == NULL) { |
132 | CTerr(CT_F_CTLOG_NEW_FROM_CONF, CT_R_LOG_CONF_MISSING_KEY); | |
133 | goto end; | |
134 | } | |
135 | ||
136 | ret = CTLOG_new_from_base64(pkey_base64, description); | |
137 | if (ret == NULL) { | |
138 | CTerr(CT_F_CTLOG_NEW_FROM_CONF, CT_R_LOG_CONF_INVALID); | |
139 | goto end; | |
140 | } | |
141 | ||
142 | end: | |
143 | return ret; | |
144 | } | |
145 | ||
146 | int CTLOG_STORE_load_default_file(CTLOG_STORE *store) | |
147 | { | |
0dfd6cf9 RP |
148 | const char *fpath = getenv(CTLOG_FILE_EVP); |
149 | ||
8c6afbc5 RP |
150 | if (fpath == NULL) |
151 | fpath = CTLOG_FILE; | |
0dfd6cf9 | 152 | |
8c6afbc5 RP |
153 | return CTLOG_STORE_load_file(store, fpath); |
154 | } | |
155 | ||
a930afb6 RP |
156 | /* |
157 | * Called by CONF_parse_list, which stops if this returns <= 0, so don't unless | |
158 | * something very bad happens. Otherwise, one bad log entry would stop loading | |
159 | * of any of the following log entries. | |
160 | */ | |
161 | static int ctlog_store_load_log(const char *log_name, int log_name_len, | |
162 | void *arg) | |
8c6afbc5 RP |
163 | { |
164 | CTLOG_STORE_LOAD_CTX *load_ctx = arg; | |
e57036f2 | 165 | CTLOG *ct_log = NULL; |
8c6afbc5 | 166 | /* log_name may not be null-terminated, so fix that before using it */ |
2508c047 | 167 | char *tmp; |
0dfd6cf9 | 168 | |
2508c047 RP |
169 | /* log_name will be NULL for empty list entries */ |
170 | if (log_name == NULL) | |
171 | return 1; | |
172 | ||
173 | tmp = OPENSSL_strndup(log_name, log_name_len); | |
e57036f2 F |
174 | if (tmp == NULL) |
175 | goto mem_err; | |
176 | ||
0dfd6cf9 | 177 | ct_log = ctlog_new_from_conf(load_ctx->conf, tmp); |
8c6afbc5 | 178 | OPENSSL_free(tmp); |
a930afb6 | 179 | if (ct_log == NULL) { |
e57036f2 | 180 | /* TODO: split invalid input case from internal failure */ |
a930afb6 RP |
181 | /* If we can't load this log, record that fact and skip it */ |
182 | ++load_ctx->invalid_log_entries; | |
183 | return 1; | |
184 | } | |
8c6afbc5 | 185 | |
68efafc5 | 186 | if (!sk_CTLOG_push(load_ctx->log_store->logs, ct_log)) { |
e57036f2 | 187 | goto mem_err; |
68efafc5 | 188 | } |
8c6afbc5 | 189 | return 1; |
e57036f2 F |
190 | |
191 | mem_err: | |
192 | CTLOG_free(ct_log); | |
193 | CTerr(CT_F_CTLOG_STORE_LOAD_LOG, ERR_R_MALLOC_FAILURE); | |
194 | return -1; | |
8c6afbc5 RP |
195 | } |
196 | ||
197 | int CTLOG_STORE_load_file(CTLOG_STORE *store, const char *file) | |
198 | { | |
a930afb6 | 199 | int ret = 0; |
8c6afbc5 | 200 | char *enabled_logs; |
0dfd6cf9 RP |
201 | CTLOG_STORE_LOAD_CTX* load_ctx = ctlog_store_load_ctx_new(); |
202 | ||
8c6afbc5 RP |
203 | load_ctx->log_store = store; |
204 | load_ctx->conf = NCONF_new(NULL); | |
205 | if (load_ctx->conf == NULL) | |
206 | goto end; | |
207 | ||
70073f3e | 208 | if (NCONF_load(load_ctx->conf, file, NULL) <= 0) { |
8c6afbc5 RP |
209 | CTerr(CT_F_CTLOG_STORE_LOAD_FILE, CT_R_LOG_CONF_INVALID); |
210 | goto end; | |
211 | } | |
212 | ||
213 | enabled_logs = NCONF_get_string(load_ctx->conf, NULL, "enabled_logs"); | |
0c6ea565 | 214 | if (enabled_logs == NULL) { |
0c6ea565 RP |
215 | CTerr(CT_F_CTLOG_STORE_LOAD_FILE, CT_R_LOG_CONF_INVALID); |
216 | goto end; | |
217 | } | |
218 | ||
70073f3e RP |
219 | if (!CONF_parse_list(enabled_logs, ',', 1, ctlog_store_load_log, load_ctx) || |
220 | load_ctx->invalid_log_entries > 0) { | |
a930afb6 RP |
221 | CTerr(CT_F_CTLOG_STORE_LOAD_FILE, CT_R_LOG_CONF_INVALID); |
222 | goto end; | |
223 | } | |
8c6afbc5 | 224 | |
70073f3e | 225 | ret = 1; |
8c6afbc5 RP |
226 | end: |
227 | NCONF_free(load_ctx->conf); | |
0dfd6cf9 | 228 | ctlog_store_load_ctx_free(load_ctx); |
8c6afbc5 RP |
229 | return ret; |
230 | } | |
231 | ||
232 | /* | |
233 | * Initialize a new CTLOG object. | |
234 | * Takes ownership of the public key. | |
235 | * Copies the name. | |
236 | */ | |
237 | CTLOG *CTLOG_new(EVP_PKEY *public_key, const char *name) | |
238 | { | |
0dfd6cf9 RP |
239 | CTLOG *ret = CTLOG_new_null(); |
240 | ||
8c6afbc5 | 241 | if (ret == NULL) |
e57036f2 | 242 | return NULL; |
0dfd6cf9 | 243 | |
8c6afbc5 | 244 | ret->name = OPENSSL_strdup(name); |
e57036f2 F |
245 | if (ret->name == NULL) { |
246 | CTerr(CT_F_CTLOG_NEW, ERR_R_MALLOC_FAILURE); | |
8c6afbc5 | 247 | goto err; |
e57036f2 | 248 | } |
0dfd6cf9 | 249 | |
8c6afbc5 | 250 | ret->public_key = public_key; |
0dfd6cf9 | 251 | if (ct_v1_log_id_from_pkey(public_key, ret->log_id) != 1) |
8c6afbc5 | 252 | goto err; |
0dfd6cf9 | 253 | |
8c6afbc5 RP |
254 | return ret; |
255 | err: | |
256 | CTLOG_free(ret); | |
257 | return NULL; | |
258 | } | |
259 | ||
260 | CTLOG *CTLOG_new_null(void) | |
261 | { | |
0dfd6cf9 RP |
262 | CTLOG *ret = OPENSSL_zalloc(sizeof(*ret)); |
263 | ||
8c6afbc5 RP |
264 | if (ret == NULL) |
265 | CTerr(CT_F_CTLOG_NEW_NULL, ERR_R_MALLOC_FAILURE); | |
0dfd6cf9 | 266 | |
8c6afbc5 RP |
267 | return ret; |
268 | } | |
269 | ||
270 | /* Frees CT log and associated structures */ | |
271 | void CTLOG_free(CTLOG *log) | |
272 | { | |
273 | if (log != NULL) { | |
274 | OPENSSL_free(log->name); | |
8c6afbc5 | 275 | EVP_PKEY_free(log->public_key); |
8c6afbc5 RP |
276 | OPENSSL_free(log); |
277 | } | |
278 | } | |
279 | ||
8c92c4ea | 280 | const char *CTLOG_get0_name(const CTLOG *log) |
8c6afbc5 RP |
281 | { |
282 | return log->name; | |
283 | } | |
284 | ||
8c92c4ea RP |
285 | void CTLOG_get0_log_id(const CTLOG *log, const uint8_t **log_id, |
286 | size_t *log_id_len) | |
8c6afbc5 RP |
287 | { |
288 | *log_id = log->log_id; | |
289 | *log_id_len = CT_V1_HASHLEN; | |
290 | } | |
291 | ||
8c92c4ea | 292 | EVP_PKEY *CTLOG_get0_public_key(const CTLOG *log) |
8c6afbc5 RP |
293 | { |
294 | return log->public_key; | |
295 | } | |
296 | ||
297 | /* | |
298 | * Given a log ID, finds the matching log. | |
299 | * Returns NULL if no match found. | |
300 | */ | |
12d2d281 RP |
301 | const CTLOG *CTLOG_STORE_get0_log_by_id(const CTLOG_STORE *store, |
302 | const uint8_t *log_id, | |
303 | size_t log_id_len) | |
8c6afbc5 RP |
304 | { |
305 | int i; | |
0dfd6cf9 | 306 | |
8c6afbc5 | 307 | for (i = 0; i < sk_CTLOG_num(store->logs); ++i) { |
12d2d281 | 308 | const CTLOG *log = sk_CTLOG_value(store->logs, i); |
8c6afbc5 RP |
309 | if (memcmp(log->log_id, log_id, log_id_len) == 0) |
310 | return log; | |
311 | } | |
0dfd6cf9 | 312 | |
8c6afbc5 RP |
313 | return NULL; |
314 | } |