]>
Commit | Line | Data |
---|---|---|
d2e9e320 RS |
1 | /* |
2 | * Copyright 2016 The OpenSSL Project Authors. All Rights Reserved. | |
8c6afbc5 | 3 | * |
d2e9e320 RS |
4 | * Licensed under the OpenSSL license (the "License"). You may not use |
5 | * this file except in compliance with the License. You can obtain a copy | |
6 | * in the file LICENSE in the source distribution or at | |
7 | * https://www.openssl.org/source/license.html | |
8c6afbc5 RP |
8 | */ |
9 | ||
0dfd6cf9 RP |
10 | #include <stdlib.h> |
11 | #include <string.h> | |
12 | ||
8c6afbc5 RP |
13 | #include <openssl/conf.h> |
14 | #include <openssl/ct.h> | |
15 | #include <openssl/err.h> | |
16 | #include <openssl/evp.h> | |
17 | #include <openssl/safestack.h> | |
18 | ||
19 | #include "internal/cryptlib.h" | |
20 | ||
21 | /* | |
22 | * Information about a CT log server. | |
23 | */ | |
24 | struct ctlog_st { | |
25 | char *name; | |
26 | uint8_t log_id[CT_V1_HASHLEN]; | |
27 | EVP_PKEY *public_key; | |
28 | }; | |
29 | ||
30 | /* | |
31 | * A store for multiple CTLOG instances. | |
32 | * It takes ownership of any CTLOG instances added to it. | |
33 | */ | |
34 | struct ctlog_store_st { | |
35 | STACK_OF(CTLOG) *logs; | |
36 | }; | |
37 | ||
38 | /* The context when loading a CT log list from a CONF file. */ | |
39 | typedef struct ctlog_store_load_ctx_st { | |
40 | CTLOG_STORE *log_store; | |
41 | CONF *conf; | |
a930afb6 | 42 | size_t invalid_log_entries; |
8c6afbc5 RP |
43 | } CTLOG_STORE_LOAD_CTX; |
44 | ||
45 | /* | |
46 | * Creates an empty context for loading a CT log store. | |
47 | * It should be populated before use. | |
48 | */ | |
0dfd6cf9 | 49 | static CTLOG_STORE_LOAD_CTX *ctlog_store_load_ctx_new(); |
8c6afbc5 RP |
50 | |
51 | /* | |
52 | * Deletes a CT log store load context. | |
53 | * Does not delete any of the fields. | |
54 | */ | |
0dfd6cf9 | 55 | static void ctlog_store_load_ctx_free(CTLOG_STORE_LOAD_CTX* ctx); |
8c6afbc5 | 56 | |
0dfd6cf9 | 57 | static CTLOG_STORE_LOAD_CTX *ctlog_store_load_ctx_new() |
8c6afbc5 | 58 | { |
0dfd6cf9 RP |
59 | CTLOG_STORE_LOAD_CTX *ctx = OPENSSL_zalloc(sizeof(*ctx)); |
60 | ||
8c6afbc5 RP |
61 | if (ctx == NULL) { |
62 | CTerr(CT_F_CTLOG_STORE_LOAD_CTX_NEW, ERR_R_MALLOC_FAILURE); | |
63 | goto err; | |
64 | } | |
65 | ||
66 | return ctx; | |
8c6afbc5 | 67 | err: |
0dfd6cf9 | 68 | ctlog_store_load_ctx_free(ctx); |
8c6afbc5 RP |
69 | return NULL; |
70 | } | |
71 | ||
0dfd6cf9 | 72 | static void ctlog_store_load_ctx_free(CTLOG_STORE_LOAD_CTX* ctx) |
8c6afbc5 | 73 | { |
8c6afbc5 RP |
74 | OPENSSL_free(ctx); |
75 | } | |
76 | ||
77 | /* Converts a log's public key into a SHA256 log ID */ | |
0dfd6cf9 | 78 | static int ct_v1_log_id_from_pkey(EVP_PKEY *pkey, |
8c6afbc5 RP |
79 | unsigned char log_id[CT_V1_HASHLEN]) |
80 | { | |
81 | int ret = 0; | |
82 | unsigned char *pkey_der = NULL; | |
83 | int pkey_der_len = i2d_PUBKEY(pkey, &pkey_der); | |
0dfd6cf9 | 84 | |
8c6afbc5 RP |
85 | if (pkey_der_len <= 0) { |
86 | CTerr(CT_F_CT_V1_LOG_ID_FROM_PKEY, CT_R_LOG_KEY_INVALID); | |
87 | goto err; | |
88 | } | |
0dfd6cf9 | 89 | |
8c6afbc5 RP |
90 | SHA256(pkey_der, pkey_der_len, log_id); |
91 | ret = 1; | |
92 | err: | |
93 | OPENSSL_free(pkey_der); | |
94 | return ret; | |
95 | } | |
96 | ||
97 | CTLOG_STORE *CTLOG_STORE_new(void) | |
98 | { | |
0dfd6cf9 RP |
99 | CTLOG_STORE *ret = OPENSSL_zalloc(sizeof(*ret)); |
100 | ||
8c6afbc5 RP |
101 | if (ret == NULL) |
102 | goto err; | |
0dfd6cf9 | 103 | |
8c6afbc5 RP |
104 | ret->logs = sk_CTLOG_new_null(); |
105 | if (ret->logs == NULL) | |
106 | goto err; | |
0dfd6cf9 | 107 | |
8c6afbc5 RP |
108 | return ret; |
109 | err: | |
110 | CTLOG_STORE_free(ret); | |
111 | return NULL; | |
112 | } | |
113 | ||
114 | void CTLOG_STORE_free(CTLOG_STORE *store) | |
115 | { | |
116 | if (store != NULL) { | |
117 | sk_CTLOG_pop_free(store->logs, CTLOG_free); | |
118 | OPENSSL_free(store); | |
119 | } | |
120 | } | |
121 | ||
0dfd6cf9 | 122 | static CTLOG *ctlog_new_from_conf(const CONF *conf, const char *section) |
8c6afbc5 RP |
123 | { |
124 | CTLOG *ret = NULL; | |
0dfd6cf9 | 125 | char *description = NCONF_get_string(conf, section, "description"); |
8c6afbc5 | 126 | char *pkey_base64; |
8c6afbc5 RP |
127 | |
128 | if (description == NULL) { | |
129 | CTerr(CT_F_CTLOG_NEW_FROM_CONF, CT_R_LOG_CONF_MISSING_DESCRIPTION); | |
130 | goto end; | |
131 | } | |
132 | ||
133 | pkey_base64 = NCONF_get_string(conf, section, "key"); | |
8c6afbc5 RP |
134 | if (pkey_base64 == NULL) { |
135 | CTerr(CT_F_CTLOG_NEW_FROM_CONF, CT_R_LOG_CONF_MISSING_KEY); | |
136 | goto end; | |
137 | } | |
138 | ||
139 | ret = CTLOG_new_from_base64(pkey_base64, description); | |
140 | if (ret == NULL) { | |
141 | CTerr(CT_F_CTLOG_NEW_FROM_CONF, CT_R_LOG_CONF_INVALID); | |
142 | goto end; | |
143 | } | |
144 | ||
145 | end: | |
146 | return ret; | |
147 | } | |
148 | ||
149 | int CTLOG_STORE_load_default_file(CTLOG_STORE *store) | |
150 | { | |
0dfd6cf9 RP |
151 | const char *fpath = getenv(CTLOG_FILE_EVP); |
152 | ||
8c6afbc5 RP |
153 | if (fpath == NULL) |
154 | fpath = CTLOG_FILE; | |
0dfd6cf9 | 155 | |
8c6afbc5 RP |
156 | return CTLOG_STORE_load_file(store, fpath); |
157 | } | |
158 | ||
a930afb6 RP |
159 | /* |
160 | * Called by CONF_parse_list, which stops if this returns <= 0, so don't unless | |
161 | * something very bad happens. Otherwise, one bad log entry would stop loading | |
162 | * of any of the following log entries. | |
163 | */ | |
164 | static int ctlog_store_load_log(const char *log_name, int log_name_len, | |
165 | void *arg) | |
8c6afbc5 RP |
166 | { |
167 | CTLOG_STORE_LOAD_CTX *load_ctx = arg; | |
168 | CTLOG *ct_log; | |
8c6afbc5 | 169 | /* log_name may not be null-terminated, so fix that before using it */ |
2508c047 | 170 | char *tmp; |
0dfd6cf9 | 171 | |
2508c047 RP |
172 | /* log_name will be NULL for empty list entries */ |
173 | if (log_name == NULL) | |
174 | return 1; | |
175 | ||
176 | tmp = OPENSSL_strndup(log_name, log_name_len); | |
0dfd6cf9 | 177 | ct_log = ctlog_new_from_conf(load_ctx->conf, tmp); |
8c6afbc5 | 178 | OPENSSL_free(tmp); |
a930afb6 RP |
179 | if (ct_log == NULL) { |
180 | /* If we can't load this log, record that fact and skip it */ | |
181 | ++load_ctx->invalid_log_entries; | |
182 | return 1; | |
183 | } | |
8c6afbc5 RP |
184 | |
185 | sk_CTLOG_push(load_ctx->log_store->logs, ct_log); | |
186 | return 1; | |
187 | } | |
188 | ||
189 | int CTLOG_STORE_load_file(CTLOG_STORE *store, const char *file) | |
190 | { | |
a930afb6 | 191 | int ret = 0; |
8c6afbc5 | 192 | char *enabled_logs; |
0dfd6cf9 RP |
193 | CTLOG_STORE_LOAD_CTX* load_ctx = ctlog_store_load_ctx_new(); |
194 | ||
8c6afbc5 RP |
195 | load_ctx->log_store = store; |
196 | load_ctx->conf = NCONF_new(NULL); | |
197 | if (load_ctx->conf == NULL) | |
198 | goto end; | |
199 | ||
70073f3e | 200 | if (NCONF_load(load_ctx->conf, file, NULL) <= 0) { |
8c6afbc5 RP |
201 | CTerr(CT_F_CTLOG_STORE_LOAD_FILE, CT_R_LOG_CONF_INVALID); |
202 | goto end; | |
203 | } | |
204 | ||
205 | enabled_logs = NCONF_get_string(load_ctx->conf, NULL, "enabled_logs"); | |
0c6ea565 | 206 | if (enabled_logs == NULL) { |
0c6ea565 RP |
207 | CTerr(CT_F_CTLOG_STORE_LOAD_FILE, CT_R_LOG_CONF_INVALID); |
208 | goto end; | |
209 | } | |
210 | ||
70073f3e RP |
211 | if (!CONF_parse_list(enabled_logs, ',', 1, ctlog_store_load_log, load_ctx) || |
212 | load_ctx->invalid_log_entries > 0) { | |
a930afb6 RP |
213 | CTerr(CT_F_CTLOG_STORE_LOAD_FILE, CT_R_LOG_CONF_INVALID); |
214 | goto end; | |
215 | } | |
8c6afbc5 | 216 | |
70073f3e | 217 | ret = 1; |
8c6afbc5 RP |
218 | end: |
219 | NCONF_free(load_ctx->conf); | |
0dfd6cf9 | 220 | ctlog_store_load_ctx_free(load_ctx); |
8c6afbc5 RP |
221 | return ret; |
222 | } | |
223 | ||
224 | /* | |
225 | * Initialize a new CTLOG object. | |
226 | * Takes ownership of the public key. | |
227 | * Copies the name. | |
228 | */ | |
229 | CTLOG *CTLOG_new(EVP_PKEY *public_key, const char *name) | |
230 | { | |
0dfd6cf9 RP |
231 | CTLOG *ret = CTLOG_new_null(); |
232 | ||
8c6afbc5 RP |
233 | if (ret == NULL) |
234 | goto err; | |
0dfd6cf9 | 235 | |
8c6afbc5 RP |
236 | ret->name = OPENSSL_strdup(name); |
237 | if (ret->name == NULL) | |
238 | goto err; | |
0dfd6cf9 | 239 | |
8c6afbc5 | 240 | ret->public_key = public_key; |
0dfd6cf9 | 241 | if (ct_v1_log_id_from_pkey(public_key, ret->log_id) != 1) |
8c6afbc5 | 242 | goto err; |
0dfd6cf9 | 243 | |
8c6afbc5 RP |
244 | return ret; |
245 | err: | |
246 | CTLOG_free(ret); | |
247 | return NULL; | |
248 | } | |
249 | ||
250 | CTLOG *CTLOG_new_null(void) | |
251 | { | |
0dfd6cf9 RP |
252 | CTLOG *ret = OPENSSL_zalloc(sizeof(*ret)); |
253 | ||
8c6afbc5 RP |
254 | if (ret == NULL) |
255 | CTerr(CT_F_CTLOG_NEW_NULL, ERR_R_MALLOC_FAILURE); | |
0dfd6cf9 | 256 | |
8c6afbc5 RP |
257 | return ret; |
258 | } | |
259 | ||
260 | /* Frees CT log and associated structures */ | |
261 | void CTLOG_free(CTLOG *log) | |
262 | { | |
263 | if (log != NULL) { | |
264 | OPENSSL_free(log->name); | |
8c6afbc5 | 265 | EVP_PKEY_free(log->public_key); |
8c6afbc5 RP |
266 | OPENSSL_free(log); |
267 | } | |
268 | } | |
269 | ||
8c92c4ea | 270 | const char *CTLOG_get0_name(const CTLOG *log) |
8c6afbc5 RP |
271 | { |
272 | return log->name; | |
273 | } | |
274 | ||
8c92c4ea RP |
275 | void CTLOG_get0_log_id(const CTLOG *log, const uint8_t **log_id, |
276 | size_t *log_id_len) | |
8c6afbc5 RP |
277 | { |
278 | *log_id = log->log_id; | |
279 | *log_id_len = CT_V1_HASHLEN; | |
280 | } | |
281 | ||
8c92c4ea | 282 | EVP_PKEY *CTLOG_get0_public_key(const CTLOG *log) |
8c6afbc5 RP |
283 | { |
284 | return log->public_key; | |
285 | } | |
286 | ||
287 | /* | |
288 | * Given a log ID, finds the matching log. | |
289 | * Returns NULL if no match found. | |
290 | */ | |
12d2d281 RP |
291 | const CTLOG *CTLOG_STORE_get0_log_by_id(const CTLOG_STORE *store, |
292 | const uint8_t *log_id, | |
293 | size_t log_id_len) | |
8c6afbc5 RP |
294 | { |
295 | int i; | |
0dfd6cf9 | 296 | |
8c6afbc5 | 297 | for (i = 0; i < sk_CTLOG_num(store->logs); ++i) { |
12d2d281 | 298 | const CTLOG *log = sk_CTLOG_value(store->logs, i); |
8c6afbc5 RP |
299 | if (memcmp(log->log_id, log_id, log_id_len) == 0) |
300 | return log; | |
301 | } | |
0dfd6cf9 | 302 | |
8c6afbc5 RP |
303 | return NULL; |
304 | } |