1 | /* |
2 | * Copyright 2016-2018 The OpenSSL Project Authors. All Rights Reserved. |
3 | * |
4 | * Licensed under the Apache License 2.0 (the "License"). You may not use |
5 | * this file except in compliance with the License. You can obtain a copy |
6 | * in the file LICENSE in the source distribution or at |
7 | * https://www.openssl.org/source/license.html |
8 | */ |
9 | |
10 | #include <stdlib.h> |
11 | #include <string.h> |
12 | |
13 | #include <openssl/conf.h> |
14 | #include <openssl/ct.h> |
15 | #include <openssl/err.h> |
16 | #include <openssl/evp.h> |
17 | #include <openssl/safestack.h> |
18 | |
19 | #include "internal/cryptlib.h" |
20 | |
21 | /* |
22 | * Information about a CT log server. |
23 | */ |
24 | struct ctlog_st { |
25 | char *name; |
26 | uint8_t log_id[CT_V1_HASHLEN]; |
27 | EVP_PKEY *public_key; |
28 | }; |
29 | |
30 | /* |
31 | * A store for multiple CTLOG instances. |
32 | * It takes ownership of any CTLOG instances added to it. |
33 | */ |
34 | struct ctlog_store_st { |
35 | STACK_OF(CTLOG) *logs; |
36 | }; |
37 | |
38 | /* The context when loading a CT log list from a CONF file. */ |
39 | typedef struct ctlog_store_load_ctx_st { |
40 | CTLOG_STORE *log_store; |
41 | CONF *conf; |
42 | size_t invalid_log_entries; |
43 | } CTLOG_STORE_LOAD_CTX; |
44 | |
45 | /* |
46 | * Creates an empty context for loading a CT log store. |
47 | * It should be populated before use. |
48 | */ |
49 | static CTLOG_STORE_LOAD_CTX *ctlog_store_load_ctx_new(void); |
50 | |
51 | /* |
52 | * Deletes a CT log store load context. |
53 | * Does not delete any of the fields. |
54 | */ |
55 | static void ctlog_store_load_ctx_free(CTLOG_STORE_LOAD_CTX* ctx); |
56 | |
57 | static CTLOG_STORE_LOAD_CTX *ctlog_store_load_ctx_new(void) |
58 | { |
59 | CTLOG_STORE_LOAD_CTX *ctx = OPENSSL_zalloc(sizeof(*ctx)); |
60 | |
61 | if (ctx == NULL) |
62 | CTerr(CT_F_CTLOG_STORE_LOAD_CTX_NEW, ERR_R_MALLOC_FAILURE); |
63 | |
64 | return ctx; |
65 | } |
66 | |
67 | static void ctlog_store_load_ctx_free(CTLOG_STORE_LOAD_CTX* ctx) |
68 | { |
69 | OPENSSL_free(ctx); |
70 | } |
71 | |
72 | /* Converts a log's public key into a SHA256 log ID */ |
73 | static int ct_v1_log_id_from_pkey(EVP_PKEY *pkey, |
74 | unsigned char log_id[CT_V1_HASHLEN]) |
75 | { |
76 | int ret = 0; |
77 | unsigned char *pkey_der = NULL; |
78 | int pkey_der_len = i2d_PUBKEY(pkey, &pkey_der); |
79 | |
80 | if (pkey_der_len <= 0) { |
81 | CTerr(CT_F_CT_V1_LOG_ID_FROM_PKEY, CT_R_LOG_KEY_INVALID); |
82 | goto err; |
83 | } |
84 | |
85 | SHA256(pkey_der, pkey_der_len, log_id); |
86 | ret = 1; |
87 | err: |
88 | OPENSSL_free(pkey_der); |
89 | return ret; |
90 | } |
91 | |
92 | CTLOG_STORE *CTLOG_STORE_new(void) |
93 | { |
94 | CTLOG_STORE *ret = OPENSSL_zalloc(sizeof(*ret)); |
95 | |
96 | if (ret == NULL) { |
97 | CTerr(CT_F_CTLOG_STORE_NEW, ERR_R_MALLOC_FAILURE); |
98 | return NULL; |
99 | } |
100 | |
101 | ret->logs = sk_CTLOG_new_null(); |
102 | if (ret->logs == NULL) |
103 | goto err; |
104 | |
105 | return ret; |
106 | err: |
107 | OPENSSL_free(ret); |
108 | return NULL; |
109 | } |
110 | |
111 | void CTLOG_STORE_free(CTLOG_STORE *store) |
112 | { |
113 | if (store != NULL) { |
114 | sk_CTLOG_pop_free(store->logs, CTLOG_free); |
115 | OPENSSL_free(store); |
116 | } |
117 | } |
118 | |
119 | static int ctlog_new_from_conf(CTLOG **ct_log, const CONF *conf, const char *section) |
120 | { |
121 | const char *description = NCONF_get_string(conf, section, "description" ); |
122 | char *pkey_base64; |
123 | |
124 | if (description == NULL) { |
125 | CTerr(CT_F_CTLOG_NEW_FROM_CONF, CT_R_LOG_CONF_MISSING_DESCRIPTION); |
126 | return 0; |
127 | } |
128 | |
129 | pkey_base64 = NCONF_get_string(conf, section, "key" ); |
130 | if (pkey_base64 == NULL) { |
131 | CTerr(CT_F_CTLOG_NEW_FROM_CONF, CT_R_LOG_CONF_MISSING_KEY); |
132 | return 0; |
133 | } |
134 | |
135 | return CTLOG_new_from_base64(ct_log, pkey_base64, description); |
136 | } |
137 | |
138 | int CTLOG_STORE_load_default_file(CTLOG_STORE *store) |
139 | { |
140 | const char *fpath = ossl_safe_getenv(CTLOG_FILE_EVP); |
141 | |
142 | if (fpath == NULL) |
143 | fpath = CTLOG_FILE; |
144 | |
145 | return CTLOG_STORE_load_file(store, fpath); |
146 | } |
147 | |
148 | /* |
149 | * Called by CONF_parse_list, which stops if this returns <= 0, |
150 | * Otherwise, one bad log entry would stop loading of any of |
151 | * the following log entries. |
152 | * It may stop parsing and returns -1 on any internal (malloc) error. |
153 | */ |
154 | static int ctlog_store_load_log(const char *log_name, int log_name_len, |
155 | void *arg) |
156 | { |
157 | CTLOG_STORE_LOAD_CTX *load_ctx = arg; |
158 | CTLOG *ct_log = NULL; |
159 | /* log_name may not be null-terminated, so fix that before using it */ |
160 | char *tmp; |
161 | int ret = 0; |
162 | |
163 | /* log_name will be NULL for empty list entries */ |
164 | if (log_name == NULL) |
165 | return 1; |
166 | |
167 | tmp = OPENSSL_strndup(log_name, log_name_len); |
168 | if (tmp == NULL) |
169 | goto mem_err; |
170 | |
171 | ret = ctlog_new_from_conf(&ct_log, load_ctx->conf, tmp); |
172 | OPENSSL_free(tmp); |
173 | |
174 | if (ret < 0) { |
175 | /* Propagate any internal error */ |
176 | return ret; |
177 | } |
178 | if (ret == 0) { |
179 | /* If we can't load this log, record that fact and skip it */ |
180 | ++load_ctx->invalid_log_entries; |
181 | return 1; |
182 | } |
183 | |
184 | if (!sk_CTLOG_push(load_ctx->log_store->logs, ct_log)) { |
185 | goto mem_err; |
186 | } |
187 | return 1; |
188 | |
189 | mem_err: |
190 | CTLOG_free(ct_log); |
191 | CTerr(CT_F_CTLOG_STORE_LOAD_LOG, ERR_R_MALLOC_FAILURE); |
192 | return -1; |
193 | } |
194 | |
195 | int CTLOG_STORE_load_file(CTLOG_STORE *store, const char *file) |
196 | { |
197 | int ret = 0; |
198 | char *enabled_logs; |
199 | CTLOG_STORE_LOAD_CTX* load_ctx = ctlog_store_load_ctx_new(); |
200 | |
201 | if (load_ctx == NULL) |
202 | return 0; |
203 | load_ctx->log_store = store; |
204 | load_ctx->conf = NCONF_new(NULL); |
205 | if (load_ctx->conf == NULL) |
206 | goto end; |
207 | |
208 | if (NCONF_load(load_ctx->conf, file, NULL) <= 0) { |
209 | CTerr(CT_F_CTLOG_STORE_LOAD_FILE, CT_R_LOG_CONF_INVALID); |
210 | goto end; |
211 | } |
212 | |
213 | enabled_logs = NCONF_get_string(load_ctx->conf, NULL, "enabled_logs" ); |
214 | if (enabled_logs == NULL) { |
215 | CTerr(CT_F_CTLOG_STORE_LOAD_FILE, CT_R_LOG_CONF_INVALID); |
216 | goto end; |
217 | } |
218 | |
219 | if (!CONF_parse_list(enabled_logs, ',', 1, ctlog_store_load_log, load_ctx) || |
220 | load_ctx->invalid_log_entries > 0) { |
221 | CTerr(CT_F_CTLOG_STORE_LOAD_FILE, CT_R_LOG_CONF_INVALID); |
222 | goto end; |
223 | } |
224 | |
225 | ret = 1; |
226 | end: |
227 | NCONF_free(load_ctx->conf); |
228 | ctlog_store_load_ctx_free(load_ctx); |
229 | return ret; |
230 | } |
231 | |
232 | /* |
233 | * Initialize a new CTLOG object. |
234 | * Takes ownership of the public key. |
235 | * Copies the name. |
236 | */ |
237 | CTLOG *CTLOG_new(EVP_PKEY *public_key, const char *name) |
238 | { |
239 | CTLOG *ret = OPENSSL_zalloc(sizeof(*ret)); |
240 | |
241 | if (ret == NULL) { |
242 | CTerr(CT_F_CTLOG_NEW, ERR_R_MALLOC_FAILURE); |
243 | return NULL; |
244 | } |
245 | |
246 | ret->name = OPENSSL_strdup(name); |
247 | if (ret->name == NULL) { |
248 | CTerr(CT_F_CTLOG_NEW, ERR_R_MALLOC_FAILURE); |
249 | goto err; |
250 | } |
251 | |
252 | if (ct_v1_log_id_from_pkey(public_key, ret->log_id) != 1) |
253 | goto err; |
254 | |
255 | ret->public_key = public_key; |
256 | return ret; |
257 | err: |
258 | CTLOG_free(ret); |
259 | return NULL; |
260 | } |
261 | |
262 | /* Frees CT log and associated structures */ |
263 | void CTLOG_free(CTLOG *log) |
264 | { |
265 | if (log != NULL) { |
266 | OPENSSL_free(log->name); |
267 | EVP_PKEY_free(log->public_key); |
268 | OPENSSL_free(log); |
269 | } |
270 | } |
271 | |
272 | const char *CTLOG_get0_name(const CTLOG *log) |
273 | { |
274 | return log->name; |
275 | } |
276 | |
277 | void CTLOG_get0_log_id(const CTLOG *log, const uint8_t **log_id, |
278 | size_t *log_id_len) |
279 | { |
280 | *log_id = log->log_id; |
281 | *log_id_len = CT_V1_HASHLEN; |
282 | } |
283 | |
284 | EVP_PKEY *CTLOG_get0_public_key(const CTLOG *log) |
285 | { |
286 | return log->public_key; |
287 | } |
288 | |
289 | /* |
290 | * Given a log ID, finds the matching log. |
291 | * Returns NULL if no match found. |
292 | */ |
293 | const CTLOG *CTLOG_STORE_get0_log_by_id(const CTLOG_STORE *store, |
294 | const uint8_t *log_id, |
295 | size_t log_id_len) |
296 | { |
297 | int i; |
298 | |
299 | for (i = 0; i < sk_CTLOG_num(store->logs); ++i) { |
300 | const CTLOG *log = sk_CTLOG_value(store->logs, i); |
301 | if (memcmp(log->log_id, log_id, log_id_len) == 0) |
302 | return log; |
303 | } |
304 | |
305 | return NULL; |
306 | } |
307 | |