• Home
  • Line#
  • Scopes#
  • Navigate#
  • Raw
  • Download
1 /*
2  * Copyright 2016-2018 The OpenSSL Project Authors. All Rights Reserved.
3  *
4  * Licensed under the OpenSSL license (the "License").  You may not use
5  * this file except in compliance with the License.  You can obtain a copy
6  * in the file LICENSE in the source distribution or at
7  * https://www.openssl.org/source/license.html
8  */
9 
10 #include <stdlib.h>
11 #include <string.h>
12 
13 #include <openssl/conf.h>
14 #include <openssl/ct.h>
15 #include <openssl/err.h>
16 #include <openssl/evp.h>
17 #include <openssl/safestack.h>
18 
19 #include "internal/cryptlib.h"
20 
21 /*
22  * Information about a CT log server.
23  */
24 struct ctlog_st {
25     char *name;
26     uint8_t log_id[CT_V1_HASHLEN];
27     EVP_PKEY *public_key;
28 };
29 
30 /*
31  * A store for multiple CTLOG instances.
32  * It takes ownership of any CTLOG instances added to it.
33  */
34 struct ctlog_store_st {
35     STACK_OF(CTLOG) *logs;
36 };
37 
38 /* The context when loading a CT log list from a CONF file. */
39 typedef struct ctlog_store_load_ctx_st {
40     CTLOG_STORE *log_store;
41     CONF *conf;
42     size_t invalid_log_entries;
43 } CTLOG_STORE_LOAD_CTX;
44 
45 /*
46  * Creates an empty context for loading a CT log store.
47  * It should be populated before use.
48  */
49 static CTLOG_STORE_LOAD_CTX *ctlog_store_load_ctx_new(void);
50 
51 /*
52  * Deletes a CT log store load context.
53  * Does not delete any of the fields.
54  */
55 static void ctlog_store_load_ctx_free(CTLOG_STORE_LOAD_CTX* ctx);
56 
ctlog_store_load_ctx_new(void)57 static CTLOG_STORE_LOAD_CTX *ctlog_store_load_ctx_new(void)
58 {
59     CTLOG_STORE_LOAD_CTX *ctx = OPENSSL_zalloc(sizeof(*ctx));
60 
61     if (ctx == NULL)
62         CTerr(CT_F_CTLOG_STORE_LOAD_CTX_NEW, ERR_R_MALLOC_FAILURE);
63 
64     return ctx;
65 }
66 
ctlog_store_load_ctx_free(CTLOG_STORE_LOAD_CTX * ctx)67 static void ctlog_store_load_ctx_free(CTLOG_STORE_LOAD_CTX* ctx)
68 {
69     OPENSSL_free(ctx);
70 }
71 
72 /* Converts a log's public key into a SHA256 log ID */
ct_v1_log_id_from_pkey(EVP_PKEY * pkey,unsigned char log_id[CT_V1_HASHLEN])73 static int ct_v1_log_id_from_pkey(EVP_PKEY *pkey,
74                                   unsigned char log_id[CT_V1_HASHLEN])
75 {
76     int ret = 0;
77     unsigned char *pkey_der = NULL;
78     int pkey_der_len = i2d_PUBKEY(pkey, &pkey_der);
79 
80     if (pkey_der_len <= 0) {
81         CTerr(CT_F_CT_V1_LOG_ID_FROM_PKEY, CT_R_LOG_KEY_INVALID);
82         goto err;
83     }
84 
85     SHA256(pkey_der, pkey_der_len, log_id);
86     ret = 1;
87 err:
88     OPENSSL_free(pkey_der);
89     return ret;
90 }
91 
CTLOG_STORE_new(void)92 CTLOG_STORE *CTLOG_STORE_new(void)
93 {
94     CTLOG_STORE *ret = OPENSSL_zalloc(sizeof(*ret));
95 
96     if (ret == NULL) {
97         CTerr(CT_F_CTLOG_STORE_NEW, ERR_R_MALLOC_FAILURE);
98         return NULL;
99     }
100 
101     ret->logs = sk_CTLOG_new_null();
102     if (ret->logs == NULL)
103         goto err;
104 
105     return ret;
106 err:
107     OPENSSL_free(ret);
108     return NULL;
109 }
110 
CTLOG_STORE_free(CTLOG_STORE * store)111 void CTLOG_STORE_free(CTLOG_STORE *store)
112 {
113     if (store != NULL) {
114         sk_CTLOG_pop_free(store->logs, CTLOG_free);
115         OPENSSL_free(store);
116     }
117 }
118 
ctlog_new_from_conf(CTLOG ** ct_log,const CONF * conf,const char * section)119 static int ctlog_new_from_conf(CTLOG **ct_log, const CONF *conf, const char *section)
120 {
121     const char *description = NCONF_get_string(conf, section, "description");
122     char *pkey_base64;
123 
124     if (description == NULL) {
125         CTerr(CT_F_CTLOG_NEW_FROM_CONF, CT_R_LOG_CONF_MISSING_DESCRIPTION);
126         return 0;
127     }
128 
129     pkey_base64 = NCONF_get_string(conf, section, "key");
130     if (pkey_base64 == NULL) {
131         CTerr(CT_F_CTLOG_NEW_FROM_CONF, CT_R_LOG_CONF_MISSING_KEY);
132         return 0;
133     }
134 
135     return CTLOG_new_from_base64(ct_log, pkey_base64, description);
136 }
137 
CTLOG_STORE_load_default_file(CTLOG_STORE * store)138 int CTLOG_STORE_load_default_file(CTLOG_STORE *store)
139 {
140     const char *fpath = ossl_safe_getenv(CTLOG_FILE_EVP);
141 
142     if (fpath == NULL)
143       fpath = CTLOG_FILE;
144 
145     return CTLOG_STORE_load_file(store, fpath);
146 }
147 
148 /*
149  * Called by CONF_parse_list, which stops if this returns <= 0,
150  * Otherwise, one bad log entry would stop loading of any of
151  * the following log entries.
152  * It may stop parsing and returns -1 on any internal (malloc) error.
153  */
ctlog_store_load_log(const char * log_name,int log_name_len,void * arg)154 static int ctlog_store_load_log(const char *log_name, int log_name_len,
155                                 void *arg)
156 {
157     CTLOG_STORE_LOAD_CTX *load_ctx = arg;
158     CTLOG *ct_log = NULL;
159     /* log_name may not be null-terminated, so fix that before using it */
160     char *tmp;
161     int ret = 0;
162 
163     /* log_name will be NULL for empty list entries */
164     if (log_name == NULL)
165         return 1;
166 
167     tmp = OPENSSL_strndup(log_name, log_name_len);
168     if (tmp == NULL)
169         goto mem_err;
170 
171     ret = ctlog_new_from_conf(&ct_log, load_ctx->conf, tmp);
172     OPENSSL_free(tmp);
173 
174     if (ret < 0) {
175         /* Propagate any internal error */
176         return ret;
177     }
178     if (ret == 0) {
179         /* If we can't load this log, record that fact and skip it */
180         ++load_ctx->invalid_log_entries;
181         return 1;
182     }
183 
184     if (!sk_CTLOG_push(load_ctx->log_store->logs, ct_log)) {
185         goto mem_err;
186     }
187     return 1;
188 
189 mem_err:
190     CTLOG_free(ct_log);
191     CTerr(CT_F_CTLOG_STORE_LOAD_LOG, ERR_R_MALLOC_FAILURE);
192     return -1;
193 }
194 
CTLOG_STORE_load_file(CTLOG_STORE * store,const char * file)195 int CTLOG_STORE_load_file(CTLOG_STORE *store, const char *file)
196 {
197     int ret = 0;
198     char *enabled_logs;
199     CTLOG_STORE_LOAD_CTX* load_ctx = ctlog_store_load_ctx_new();
200 
201     if (load_ctx == NULL)
202         return 0;
203     load_ctx->log_store = store;
204     load_ctx->conf = NCONF_new(NULL);
205     if (load_ctx->conf == NULL)
206         goto end;
207 
208     if (NCONF_load(load_ctx->conf, file, NULL) <= 0) {
209         CTerr(CT_F_CTLOG_STORE_LOAD_FILE, CT_R_LOG_CONF_INVALID);
210         goto end;
211     }
212 
213     enabled_logs = NCONF_get_string(load_ctx->conf, NULL, "enabled_logs");
214     if (enabled_logs == NULL) {
215         CTerr(CT_F_CTLOG_STORE_LOAD_FILE, CT_R_LOG_CONF_INVALID);
216         goto end;
217     }
218 
219     if (!CONF_parse_list(enabled_logs, ',', 1, ctlog_store_load_log, load_ctx) ||
220         load_ctx->invalid_log_entries > 0) {
221         CTerr(CT_F_CTLOG_STORE_LOAD_FILE, CT_R_LOG_CONF_INVALID);
222         goto end;
223     }
224 
225     ret = 1;
226 end:
227     NCONF_free(load_ctx->conf);
228     ctlog_store_load_ctx_free(load_ctx);
229     return ret;
230 }
231 
232 /*
233  * Initialize a new CTLOG object.
234  * Takes ownership of the public key.
235  * Copies the name.
236  */
CTLOG_new(EVP_PKEY * public_key,const char * name)237 CTLOG *CTLOG_new(EVP_PKEY *public_key, const char *name)
238 {
239     CTLOG *ret = OPENSSL_zalloc(sizeof(*ret));
240 
241     if (ret == NULL) {
242         CTerr(CT_F_CTLOG_NEW, ERR_R_MALLOC_FAILURE);
243         return NULL;
244     }
245 
246     ret->name = OPENSSL_strdup(name);
247     if (ret->name == NULL) {
248         CTerr(CT_F_CTLOG_NEW, ERR_R_MALLOC_FAILURE);
249         goto err;
250     }
251 
252     if (ct_v1_log_id_from_pkey(public_key, ret->log_id) != 1)
253         goto err;
254 
255     ret->public_key = public_key;
256     return ret;
257 err:
258     CTLOG_free(ret);
259     return NULL;
260 }
261 
262 /* Frees CT log and associated structures */
CTLOG_free(CTLOG * log)263 void CTLOG_free(CTLOG *log)
264 {
265     if (log != NULL) {
266         OPENSSL_free(log->name);
267         EVP_PKEY_free(log->public_key);
268         OPENSSL_free(log);
269     }
270 }
271 
CTLOG_get0_name(const CTLOG * log)272 const char *CTLOG_get0_name(const CTLOG *log)
273 {
274     return log->name;
275 }
276 
CTLOG_get0_log_id(const CTLOG * log,const uint8_t ** log_id,size_t * log_id_len)277 void CTLOG_get0_log_id(const CTLOG *log, const uint8_t **log_id,
278                        size_t *log_id_len)
279 {
280     *log_id = log->log_id;
281     *log_id_len = CT_V1_HASHLEN;
282 }
283 
CTLOG_get0_public_key(const CTLOG * log)284 EVP_PKEY *CTLOG_get0_public_key(const CTLOG *log)
285 {
286     return log->public_key;
287 }
288 
289 /*
290  * Given a log ID, finds the matching log.
291  * Returns NULL if no match found.
292  */
CTLOG_STORE_get0_log_by_id(const CTLOG_STORE * store,const uint8_t * log_id,size_t log_id_len)293 const CTLOG *CTLOG_STORE_get0_log_by_id(const CTLOG_STORE *store,
294                                         const uint8_t *log_id,
295                                         size_t log_id_len)
296 {
297     int i;
298 
299     for (i = 0; i < sk_CTLOG_num(store->logs); ++i) {
300         const CTLOG *log = sk_CTLOG_value(store->logs, i);
301         if (memcmp(log->log_id, log_id, log_id_len) == 0)
302             return log;
303     }
304 
305     return NULL;
306 }
307