]>
Commit | Line | Data |
---|---|---|
8c6afbc5 RP |
1 | /* Author: Adam Eijdenberg <adam.eijdenberg@gmail.com>. */ |
2 | /* ==================================================================== | |
3 | * Copyright (c) 1998-2016 The OpenSSL Project. All rights reserved. | |
4 | * | |
5 | * Redistribution and use in source and binary forms, with or without | |
6 | * modification, are permitted provided that the following conditions | |
7 | * are met: | |
8 | * | |
9 | * 1. Redistributions of source code must retain the above copyright | |
10 | * notice, this list of conditions and the following disclaimer. | |
11 | * | |
12 | * 2. Redistributions in binary form must reproduce the above copyright | |
13 | * notice, this list of conditions and the following disclaimer in | |
14 | * the documentation and/or other materials provided with the | |
15 | * distribution. | |
16 | * | |
17 | * 3. All advertising materials mentioning features or use of this | |
18 | * software must display the following acknowledgment: | |
19 | * "This product includes software developed by the OpenSSL Project | |
20 | * for use in the OpenSSL Toolkit. (http://www.openssl.org/)" | |
21 | * | |
22 | * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to | |
23 | * endorse or promote products derived from this software without | |
24 | * prior written permission. For written permission, please contact | |
25 | * openssl-core@openssl.org. | |
26 | * | |
27 | * 5. Products derived from this software may not be called "OpenSSL" | |
28 | * nor may "OpenSSL" appear in their names without prior written | |
29 | * permission of the OpenSSL Project. | |
30 | * | |
31 | * 6. Redistributions of any form whatsoever must retain the following | |
32 | * acknowledgment: | |
33 | * "This product includes software developed by the OpenSSL Project | |
34 | * for use in the OpenSSL Toolkit (http://www.openssl.org/)" | |
35 | * | |
36 | * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY | |
37 | * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE | |
38 | * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR | |
39 | * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR | |
40 | * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, | |
41 | * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT | |
42 | * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; | |
43 | * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) | |
44 | * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, | |
45 | * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) | |
46 | * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED | |
47 | * OF THE POSSIBILITY OF SUCH DAMAGE. | |
48 | * ==================================================================== | |
49 | * | |
50 | * This product includes cryptographic software written by Eric Young | |
51 | * (eay@cryptsoft.com). This product includes software written by Tim | |
52 | * Hudson (tjh@cryptsoft.com). | |
53 | * | |
54 | */ | |
55 | ||
56 | #include <openssl/conf.h> | |
57 | #include <openssl/ct.h> | |
58 | #include <openssl/err.h> | |
59 | #include <openssl/evp.h> | |
60 | #include <openssl/safestack.h> | |
61 | ||
62 | #include "internal/cryptlib.h" | |
63 | ||
64 | /* | |
65 | * Information about a CT log server. | |
66 | */ | |
67 | struct ctlog_st { | |
68 | char *name; | |
69 | uint8_t log_id[CT_V1_HASHLEN]; | |
70 | EVP_PKEY *public_key; | |
71 | }; | |
72 | ||
73 | /* | |
74 | * A store for multiple CTLOG instances. | |
75 | * It takes ownership of any CTLOG instances added to it. | |
76 | */ | |
77 | struct ctlog_store_st { | |
78 | STACK_OF(CTLOG) *logs; | |
79 | }; | |
80 | ||
81 | /* The context when loading a CT log list from a CONF file. */ | |
82 | typedef struct ctlog_store_load_ctx_st { | |
83 | CTLOG_STORE *log_store; | |
84 | CONF *conf; | |
85 | } CTLOG_STORE_LOAD_CTX; | |
86 | ||
87 | /* | |
88 | * Creates an empty context for loading a CT log store. | |
89 | * It should be populated before use. | |
90 | */ | |
91 | static CTLOG_STORE_LOAD_CTX *CTLOG_STORE_LOAD_CTX_new(); | |
92 | ||
93 | /* | |
94 | * Deletes a CT log store load context. | |
95 | * Does not delete any of the fields. | |
96 | */ | |
97 | static void CTLOG_STORE_LOAD_CTX_free(CTLOG_STORE_LOAD_CTX* ctx); | |
98 | ||
99 | static CTLOG_STORE_LOAD_CTX *CTLOG_STORE_LOAD_CTX_new() | |
100 | { | |
101 | CTLOG_STORE_LOAD_CTX *ctx = OPENSSL_zalloc(sizeof(CTLOG_STORE_LOAD_CTX)); | |
102 | if (ctx == NULL) { | |
103 | CTerr(CT_F_CTLOG_STORE_LOAD_CTX_NEW, ERR_R_MALLOC_FAILURE); | |
104 | goto err; | |
105 | } | |
106 | ||
107 | return ctx; | |
108 | ||
109 | err: | |
110 | CTLOG_STORE_LOAD_CTX_free(ctx); | |
111 | return NULL; | |
112 | } | |
113 | ||
114 | static void CTLOG_STORE_LOAD_CTX_free(CTLOG_STORE_LOAD_CTX* ctx) | |
115 | { | |
116 | if (ctx == NULL) | |
117 | return; | |
118 | ||
119 | OPENSSL_free(ctx); | |
120 | } | |
121 | ||
122 | /* Converts a log's public key into a SHA256 log ID */ | |
123 | static int CT_v1_log_id_from_pkey(EVP_PKEY *pkey, | |
124 | unsigned char log_id[CT_V1_HASHLEN]) | |
125 | { | |
126 | int ret = 0; | |
127 | unsigned char *pkey_der = NULL; | |
128 | int pkey_der_len = i2d_PUBKEY(pkey, &pkey_der); | |
129 | if (pkey_der_len <= 0) { | |
130 | CTerr(CT_F_CT_V1_LOG_ID_FROM_PKEY, CT_R_LOG_KEY_INVALID); | |
131 | goto err; | |
132 | } | |
133 | SHA256(pkey_der, pkey_der_len, log_id); | |
134 | ret = 1; | |
135 | err: | |
136 | OPENSSL_free(pkey_der); | |
137 | return ret; | |
138 | } | |
139 | ||
140 | CTLOG_STORE *CTLOG_STORE_new(void) | |
141 | { | |
142 | CTLOG_STORE *ret = OPENSSL_malloc(sizeof(CTLOG_STORE)); | |
143 | if (ret == NULL) | |
144 | goto err; | |
145 | ret->logs = sk_CTLOG_new_null(); | |
146 | if (ret->logs == NULL) | |
147 | goto err; | |
148 | return ret; | |
149 | err: | |
150 | CTLOG_STORE_free(ret); | |
151 | return NULL; | |
152 | } | |
153 | ||
154 | void CTLOG_STORE_free(CTLOG_STORE *store) | |
155 | { | |
156 | if (store != NULL) { | |
157 | sk_CTLOG_pop_free(store->logs, CTLOG_free); | |
158 | OPENSSL_free(store); | |
159 | } | |
160 | } | |
161 | ||
162 | static CTLOG *CTLOG_new_from_conf(const CONF *conf, const char *section) | |
163 | { | |
164 | CTLOG *ret = NULL; | |
165 | char *description; | |
166 | char *pkey_base64; | |
167 | if (conf == NULL || section == NULL) { | |
168 | CTerr(CT_F_CTLOG_NEW_FROM_CONF, ERR_R_PASSED_NULL_PARAMETER); | |
169 | goto end; | |
170 | } | |
171 | ||
172 | description = NCONF_get_string(conf, section, "description"); | |
173 | ||
174 | if (description == NULL) { | |
175 | CTerr(CT_F_CTLOG_NEW_FROM_CONF, CT_R_LOG_CONF_MISSING_DESCRIPTION); | |
176 | goto end; | |
177 | } | |
178 | ||
179 | pkey_base64 = NCONF_get_string(conf, section, "key"); | |
180 | ||
181 | if (pkey_base64 == NULL) { | |
182 | CTerr(CT_F_CTLOG_NEW_FROM_CONF, CT_R_LOG_CONF_MISSING_KEY); | |
183 | goto end; | |
184 | } | |
185 | ||
186 | ret = CTLOG_new_from_base64(pkey_base64, description); | |
187 | if (ret == NULL) { | |
188 | CTerr(CT_F_CTLOG_NEW_FROM_CONF, CT_R_LOG_CONF_INVALID); | |
189 | goto end; | |
190 | } | |
191 | ||
192 | end: | |
193 | return ret; | |
194 | } | |
195 | ||
196 | int CTLOG_STORE_load_default_file(CTLOG_STORE *store) | |
197 | { | |
198 | char *fpath = (char *)getenv(CTLOG_FILE_EVP); | |
199 | if (fpath == NULL) | |
200 | fpath = CTLOG_FILE; | |
201 | return CTLOG_STORE_load_file(store, fpath); | |
202 | } | |
203 | ||
204 | static int CTLOG_STORE_load_log(const char *log_name, int log_name_len, void *arg) | |
205 | { | |
206 | CTLOG_STORE_LOAD_CTX *load_ctx = arg; | |
207 | CTLOG *ct_log; | |
208 | ||
209 | /* log_name may not be null-terminated, so fix that before using it */ | |
210 | char *tmp = OPENSSL_strndup(log_name, log_name_len); | |
211 | ct_log = CTLOG_new_from_conf(load_ctx->conf, tmp); | |
212 | OPENSSL_free(tmp); | |
213 | if (ct_log == NULL) | |
214 | return 0; | |
215 | ||
216 | sk_CTLOG_push(load_ctx->log_store->logs, ct_log); | |
217 | return 1; | |
218 | } | |
219 | ||
220 | int CTLOG_STORE_load_file(CTLOG_STORE *store, const char *file) | |
221 | { | |
222 | int ret = -1; | |
223 | char *enabled_logs; | |
224 | CTLOG_STORE_LOAD_CTX* load_ctx = CTLOG_STORE_LOAD_CTX_new(); | |
225 | load_ctx->log_store = store; | |
226 | load_ctx->conf = NCONF_new(NULL); | |
227 | if (load_ctx->conf == NULL) | |
228 | goto end; | |
229 | ||
230 | ret = NCONF_load(load_ctx->conf, file, NULL); | |
231 | if (ret <= 0) { | |
232 | CTerr(CT_F_CTLOG_STORE_LOAD_FILE, CT_R_LOG_CONF_INVALID); | |
233 | goto end; | |
234 | } | |
235 | ||
236 | enabled_logs = NCONF_get_string(load_ctx->conf, NULL, "enabled_logs"); | |
237 | CONF_parse_list(enabled_logs, ',', 1, CTLOG_STORE_load_log, load_ctx); | |
238 | ||
239 | end: | |
240 | NCONF_free(load_ctx->conf); | |
241 | CTLOG_STORE_LOAD_CTX_free(load_ctx); | |
242 | return ret; | |
243 | } | |
244 | ||
245 | /* | |
246 | * Initialize a new CTLOG object. | |
247 | * Takes ownership of the public key. | |
248 | * Copies the name. | |
249 | */ | |
250 | CTLOG *CTLOG_new(EVP_PKEY *public_key, const char *name) | |
251 | { | |
252 | CTLOG *ret = NULL; | |
253 | if (public_key == NULL || name == NULL) { | |
254 | CTerr(CT_F_CTLOG_NEW, ERR_R_PASSED_NULL_PARAMETER); | |
255 | goto err; | |
256 | } | |
257 | ret = CTLOG_new_null(); | |
258 | if (ret == NULL) | |
259 | goto err; | |
260 | ret->name = OPENSSL_strdup(name); | |
261 | if (ret->name == NULL) | |
262 | goto err; | |
263 | ret->public_key = public_key; | |
264 | if (CT_v1_log_id_from_pkey(public_key, ret->log_id) != 1) | |
265 | goto err; | |
266 | return ret; | |
267 | err: | |
268 | CTLOG_free(ret); | |
269 | return NULL; | |
270 | } | |
271 | ||
272 | CTLOG *CTLOG_new_null(void) | |
273 | { | |
274 | CTLOG *ret = OPENSSL_zalloc(sizeof(CTLOG)); | |
275 | if (ret == NULL) | |
276 | CTerr(CT_F_CTLOG_NEW_NULL, ERR_R_MALLOC_FAILURE); | |
277 | return ret; | |
278 | } | |
279 | ||
280 | /* Frees CT log and associated structures */ | |
281 | void CTLOG_free(CTLOG *log) | |
282 | { | |
283 | if (log != NULL) { | |
284 | OPENSSL_free(log->name); | |
285 | log->name = NULL; | |
286 | ||
287 | EVP_PKEY_free(log->public_key); | |
288 | log->public_key = NULL; | |
289 | ||
290 | OPENSSL_free(log); | |
291 | } | |
292 | } | |
293 | ||
294 | const char *CTLOG_get0_name(CTLOG *log) | |
295 | { | |
296 | return log->name; | |
297 | } | |
298 | ||
299 | void CTLOG_get0_log_id(CTLOG *log, uint8_t **log_id, size_t *log_id_len) | |
300 | { | |
301 | *log_id = log->log_id; | |
302 | *log_id_len = CT_V1_HASHLEN; | |
303 | } | |
304 | ||
305 | EVP_PKEY *CTLOG_get0_public_key(CTLOG *log) | |
306 | { | |
307 | return log->public_key; | |
308 | } | |
309 | ||
310 | /* | |
311 | * Given a log ID, finds the matching log. | |
312 | * Returns NULL if no match found. | |
313 | */ | |
314 | CTLOG *CTLOG_STORE_get0_log_by_id(const CTLOG_STORE *store, | |
315 | const uint8_t *log_id, | |
316 | size_t log_id_len) | |
317 | { | |
318 | int i; | |
319 | if (store == NULL) { | |
320 | CTerr(CT_F_CTLOG_STORE_GET0_LOG_BY_ID, ERR_R_PASSED_NULL_PARAMETER); | |
321 | goto end; | |
322 | } | |
323 | for (i = 0; i < sk_CTLOG_num(store->logs); ++i) { | |
324 | CTLOG *log = sk_CTLOG_value(store->logs, i); | |
325 | if (memcmp(log->log_id, log_id, log_id_len) == 0) | |
326 | return log; | |
327 | } | |
328 | end: | |
329 | return NULL; | |
330 | } |