[331] | 1 | /*
|
---|
| 2 | * Copyright 2016 The OpenSSL Project Authors. All Rights Reserved.
|
---|
| 3 | *
|
---|
| 4 | * Licensed under the OpenSSL license (the "License"). You may not use
|
---|
| 5 | * this file except in compliance with the License. You can obtain a copy
|
---|
| 6 | * in the file LICENSE in the source distribution or at
|
---|
| 7 | * https://www.openssl.org/source/license.html
|
---|
| 8 | */
|
---|
| 9 |
|
---|
| 10 | #include <stdlib.h>
|
---|
| 11 | #include <string.h>
|
---|
| 12 |
|
---|
| 13 | #include <openssl/conf.h>
|
---|
| 14 | #include <openssl/ct.h>
|
---|
| 15 | #include <openssl/err.h>
|
---|
| 16 | #include <openssl/evp.h>
|
---|
| 17 | #include <openssl/safestack.h>
|
---|
| 18 |
|
---|
| 19 | #include "internal/cryptlib.h"
|
---|
| 20 |
|
---|
| 21 | /*
|
---|
| 22 | * Information about a CT log server.
|
---|
| 23 | */
|
---|
| 24 | struct ctlog_st {
|
---|
| 25 | char *name;
|
---|
| 26 | uint8_t log_id[CT_V1_HASHLEN];
|
---|
| 27 | EVP_PKEY *public_key;
|
---|
| 28 | };
|
---|
| 29 |
|
---|
| 30 | /*
|
---|
| 31 | * A store for multiple CTLOG instances.
|
---|
| 32 | * It takes ownership of any CTLOG instances added to it.
|
---|
| 33 | */
|
---|
| 34 | struct ctlog_store_st {
|
---|
| 35 | STACK_OF(CTLOG) *logs;
|
---|
| 36 | };
|
---|
| 37 |
|
---|
| 38 | /* The context when loading a CT log list from a CONF file. */
|
---|
| 39 | typedef struct ctlog_store_load_ctx_st {
|
---|
| 40 | CTLOG_STORE *log_store;
|
---|
| 41 | CONF *conf;
|
---|
| 42 | size_t invalid_log_entries;
|
---|
| 43 | } CTLOG_STORE_LOAD_CTX;
|
---|
| 44 |
|
---|
| 45 | /*
|
---|
| 46 | * Creates an empty context for loading a CT log store.
|
---|
| 47 | * It should be populated before use.
|
---|
| 48 | */
|
---|
| 49 | static CTLOG_STORE_LOAD_CTX *ctlog_store_load_ctx_new();
|
---|
| 50 |
|
---|
| 51 | /*
|
---|
| 52 | * Deletes a CT log store load context.
|
---|
| 53 | * Does not delete any of the fields.
|
---|
| 54 | */
|
---|
| 55 | static void ctlog_store_load_ctx_free(CTLOG_STORE_LOAD_CTX* ctx);
|
---|
| 56 |
|
---|
| 57 | static CTLOG_STORE_LOAD_CTX *ctlog_store_load_ctx_new()
|
---|
| 58 | {
|
---|
| 59 | CTLOG_STORE_LOAD_CTX *ctx = OPENSSL_zalloc(sizeof(*ctx));
|
---|
| 60 |
|
---|
| 61 | if (ctx == NULL)
|
---|
| 62 | CTerr(CT_F_CTLOG_STORE_LOAD_CTX_NEW, ERR_R_MALLOC_FAILURE);
|
---|
| 63 |
|
---|
| 64 | return ctx;
|
---|
| 65 | }
|
---|
| 66 |
|
---|
| 67 | static void ctlog_store_load_ctx_free(CTLOG_STORE_LOAD_CTX* ctx)
|
---|
| 68 | {
|
---|
| 69 | OPENSSL_free(ctx);
|
---|
| 70 | }
|
---|
| 71 |
|
---|
| 72 | /* Converts a log's public key into a SHA256 log ID */
|
---|
| 73 | static int ct_v1_log_id_from_pkey(EVP_PKEY *pkey,
|
---|
| 74 | unsigned char log_id[CT_V1_HASHLEN])
|
---|
| 75 | {
|
---|
| 76 | int ret = 0;
|
---|
| 77 | unsigned char *pkey_der = NULL;
|
---|
| 78 | int pkey_der_len = i2d_PUBKEY(pkey, &pkey_der);
|
---|
| 79 |
|
---|
| 80 | if (pkey_der_len <= 0) {
|
---|
| 81 | CTerr(CT_F_CT_V1_LOG_ID_FROM_PKEY, CT_R_LOG_KEY_INVALID);
|
---|
| 82 | goto err;
|
---|
| 83 | }
|
---|
| 84 |
|
---|
| 85 | SHA256(pkey_der, pkey_der_len, log_id);
|
---|
| 86 | ret = 1;
|
---|
| 87 | err:
|
---|
| 88 | OPENSSL_free(pkey_der);
|
---|
| 89 | return ret;
|
---|
| 90 | }
|
---|
| 91 |
|
---|
| 92 | CTLOG_STORE *CTLOG_STORE_new(void)
|
---|
| 93 | {
|
---|
| 94 | CTLOG_STORE *ret = OPENSSL_zalloc(sizeof(*ret));
|
---|
| 95 |
|
---|
| 96 | if (ret == NULL) {
|
---|
| 97 | CTerr(CT_F_CTLOG_STORE_NEW, ERR_R_MALLOC_FAILURE);
|
---|
| 98 | return NULL;
|
---|
| 99 | }
|
---|
| 100 |
|
---|
| 101 | ret->logs = sk_CTLOG_new_null();
|
---|
| 102 | if (ret->logs == NULL)
|
---|
| 103 | goto err;
|
---|
| 104 |
|
---|
| 105 | return ret;
|
---|
| 106 | err:
|
---|
| 107 | OPENSSL_free(ret);
|
---|
| 108 | return NULL;
|
---|
| 109 | }
|
---|
| 110 |
|
---|
| 111 | void CTLOG_STORE_free(CTLOG_STORE *store)
|
---|
| 112 | {
|
---|
| 113 | if (store != NULL) {
|
---|
| 114 | sk_CTLOG_pop_free(store->logs, CTLOG_free);
|
---|
| 115 | OPENSSL_free(store);
|
---|
| 116 | }
|
---|
| 117 | }
|
---|
| 118 |
|
---|
| 119 | static int ctlog_new_from_conf(CTLOG **ct_log, const CONF *conf, const char *section)
|
---|
| 120 | {
|
---|
| 121 | const char *description = NCONF_get_string(conf, section, "description");
|
---|
| 122 | char *pkey_base64;
|
---|
| 123 |
|
---|
| 124 | if (description == NULL) {
|
---|
| 125 | CTerr(CT_F_CTLOG_NEW_FROM_CONF, CT_R_LOG_CONF_MISSING_DESCRIPTION);
|
---|
| 126 | return 0;
|
---|
| 127 | }
|
---|
| 128 |
|
---|
| 129 | pkey_base64 = NCONF_get_string(conf, section, "key");
|
---|
| 130 | if (pkey_base64 == NULL) {
|
---|
| 131 | CTerr(CT_F_CTLOG_NEW_FROM_CONF, CT_R_LOG_CONF_MISSING_KEY);
|
---|
| 132 | return 0;
|
---|
| 133 | }
|
---|
| 134 |
|
---|
| 135 | return CTLOG_new_from_base64(ct_log, pkey_base64, description);
|
---|
| 136 | }
|
---|
| 137 |
|
---|
| 138 | int CTLOG_STORE_load_default_file(CTLOG_STORE *store)
|
---|
| 139 | {
|
---|
| 140 | const char *fpath = getenv(CTLOG_FILE_EVP);
|
---|
| 141 |
|
---|
| 142 | if (fpath == NULL)
|
---|
| 143 | fpath = CTLOG_FILE;
|
---|
| 144 |
|
---|
| 145 | return CTLOG_STORE_load_file(store, fpath);
|
---|
| 146 | }
|
---|
| 147 |
|
---|
| 148 | /*
|
---|
| 149 | * Called by CONF_parse_list, which stops if this returns <= 0,
|
---|
| 150 | * Otherwise, one bad log entry would stop loading of any of
|
---|
| 151 | * the following log entries.
|
---|
| 152 | * It may stop parsing and returns -1 on any internal (malloc) error.
|
---|
| 153 | */
|
---|
| 154 | static int ctlog_store_load_log(const char *log_name, int log_name_len,
|
---|
| 155 | void *arg)
|
---|
| 156 | {
|
---|
| 157 | CTLOG_STORE_LOAD_CTX *load_ctx = arg;
|
---|
| 158 | CTLOG *ct_log = NULL;
|
---|
| 159 | /* log_name may not be null-terminated, so fix that before using it */
|
---|
| 160 | char *tmp;
|
---|
| 161 | int ret = 0;
|
---|
| 162 |
|
---|
| 163 | /* log_name will be NULL for empty list entries */
|
---|
| 164 | if (log_name == NULL)
|
---|
| 165 | return 1;
|
---|
| 166 |
|
---|
| 167 | tmp = OPENSSL_strndup(log_name, log_name_len);
|
---|
| 168 | if (tmp == NULL)
|
---|
| 169 | goto mem_err;
|
---|
| 170 |
|
---|
| 171 | ret = ctlog_new_from_conf(&ct_log, load_ctx->conf, tmp);
|
---|
| 172 | OPENSSL_free(tmp);
|
---|
| 173 |
|
---|
| 174 | if (ret < 0) {
|
---|
| 175 | /* Propagate any internal error */
|
---|
| 176 | return ret;
|
---|
| 177 | }
|
---|
| 178 | if (ret == 0) {
|
---|
| 179 | /* If we can't load this log, record that fact and skip it */
|
---|
| 180 | ++load_ctx->invalid_log_entries;
|
---|
| 181 | return 1;
|
---|
| 182 | }
|
---|
| 183 |
|
---|
| 184 | if (!sk_CTLOG_push(load_ctx->log_store->logs, ct_log)) {
|
---|
| 185 | goto mem_err;
|
---|
| 186 | }
|
---|
| 187 | return 1;
|
---|
| 188 |
|
---|
| 189 | mem_err:
|
---|
| 190 | CTLOG_free(ct_log);
|
---|
| 191 | CTerr(CT_F_CTLOG_STORE_LOAD_LOG, ERR_R_MALLOC_FAILURE);
|
---|
| 192 | return -1;
|
---|
| 193 | }
|
---|
| 194 |
|
---|
| 195 | int CTLOG_STORE_load_file(CTLOG_STORE *store, const char *file)
|
---|
| 196 | {
|
---|
| 197 | int ret = 0;
|
---|
| 198 | char *enabled_logs;
|
---|
| 199 | CTLOG_STORE_LOAD_CTX* load_ctx = ctlog_store_load_ctx_new();
|
---|
| 200 |
|
---|
| 201 | load_ctx->log_store = store;
|
---|
| 202 | load_ctx->conf = NCONF_new(NULL);
|
---|
| 203 | if (load_ctx->conf == NULL)
|
---|
| 204 | goto end;
|
---|
| 205 |
|
---|
| 206 | if (NCONF_load(load_ctx->conf, file, NULL) <= 0) {
|
---|
| 207 | CTerr(CT_F_CTLOG_STORE_LOAD_FILE, CT_R_LOG_CONF_INVALID);
|
---|
| 208 | goto end;
|
---|
| 209 | }
|
---|
| 210 |
|
---|
| 211 | enabled_logs = NCONF_get_string(load_ctx->conf, NULL, "enabled_logs");
|
---|
| 212 | if (enabled_logs == NULL) {
|
---|
| 213 | CTerr(CT_F_CTLOG_STORE_LOAD_FILE, CT_R_LOG_CONF_INVALID);
|
---|
| 214 | goto end;
|
---|
| 215 | }
|
---|
| 216 |
|
---|
| 217 | if (!CONF_parse_list(enabled_logs, ',', 1, ctlog_store_load_log, load_ctx) ||
|
---|
| 218 | load_ctx->invalid_log_entries > 0) {
|
---|
| 219 | CTerr(CT_F_CTLOG_STORE_LOAD_FILE, CT_R_LOG_CONF_INVALID);
|
---|
| 220 | goto end;
|
---|
| 221 | }
|
---|
| 222 |
|
---|
| 223 | ret = 1;
|
---|
| 224 | end:
|
---|
| 225 | NCONF_free(load_ctx->conf);
|
---|
| 226 | ctlog_store_load_ctx_free(load_ctx);
|
---|
| 227 | return ret;
|
---|
| 228 | }
|
---|
| 229 |
|
---|
| 230 | /*
|
---|
| 231 | * Initialize a new CTLOG object.
|
---|
| 232 | * Takes ownership of the public key.
|
---|
| 233 | * Copies the name.
|
---|
| 234 | */
|
---|
| 235 | CTLOG *CTLOG_new(EVP_PKEY *public_key, const char *name)
|
---|
| 236 | {
|
---|
| 237 | CTLOG *ret = OPENSSL_zalloc(sizeof(*ret));
|
---|
| 238 |
|
---|
| 239 | if (ret == NULL) {
|
---|
| 240 | CTerr(CT_F_CTLOG_NEW, ERR_R_MALLOC_FAILURE);
|
---|
| 241 | return NULL;
|
---|
| 242 | }
|
---|
| 243 |
|
---|
| 244 | ret->name = OPENSSL_strdup(name);
|
---|
| 245 | if (ret->name == NULL) {
|
---|
| 246 | CTerr(CT_F_CTLOG_NEW, ERR_R_MALLOC_FAILURE);
|
---|
| 247 | goto err;
|
---|
| 248 | }
|
---|
| 249 |
|
---|
| 250 | if (ct_v1_log_id_from_pkey(public_key, ret->log_id) != 1)
|
---|
| 251 | goto err;
|
---|
| 252 |
|
---|
| 253 | ret->public_key = public_key;
|
---|
| 254 | return ret;
|
---|
| 255 | err:
|
---|
| 256 | CTLOG_free(ret);
|
---|
| 257 | return NULL;
|
---|
| 258 | }
|
---|
| 259 |
|
---|
| 260 | /* Frees CT log and associated structures */
|
---|
| 261 | void CTLOG_free(CTLOG *log)
|
---|
| 262 | {
|
---|
| 263 | if (log != NULL) {
|
---|
| 264 | OPENSSL_free(log->name);
|
---|
| 265 | EVP_PKEY_free(log->public_key);
|
---|
| 266 | OPENSSL_free(log);
|
---|
| 267 | }
|
---|
| 268 | }
|
---|
| 269 |
|
---|
| 270 | const char *CTLOG_get0_name(const CTLOG *log)
|
---|
| 271 | {
|
---|
| 272 | return log->name;
|
---|
| 273 | }
|
---|
| 274 |
|
---|
| 275 | void CTLOG_get0_log_id(const CTLOG *log, const uint8_t **log_id,
|
---|
| 276 | size_t *log_id_len)
|
---|
| 277 | {
|
---|
| 278 | *log_id = log->log_id;
|
---|
| 279 | *log_id_len = CT_V1_HASHLEN;
|
---|
| 280 | }
|
---|
| 281 |
|
---|
| 282 | EVP_PKEY *CTLOG_get0_public_key(const CTLOG *log)
|
---|
| 283 | {
|
---|
| 284 | return log->public_key;
|
---|
| 285 | }
|
---|
| 286 |
|
---|
| 287 | /*
|
---|
| 288 | * Given a log ID, finds the matching log.
|
---|
| 289 | * Returns NULL if no match found.
|
---|
| 290 | */
|
---|
| 291 | const CTLOG *CTLOG_STORE_get0_log_by_id(const CTLOG_STORE *store,
|
---|
| 292 | const uint8_t *log_id,
|
---|
| 293 | size_t log_id_len)
|
---|
| 294 | {
|
---|
| 295 | int i;
|
---|
| 296 |
|
---|
| 297 | for (i = 0; i < sk_CTLOG_num(store->logs); ++i) {
|
---|
| 298 | const CTLOG *log = sk_CTLOG_value(store->logs, i);
|
---|
| 299 | if (memcmp(log->log_id, log_id, log_id_len) == 0)
|
---|
| 300 | return log;
|
---|
| 301 | }
|
---|
| 302 |
|
---|
| 303 | return NULL;
|
---|
| 304 | }
|
---|