1 /* 2 * Copyright 2016-2018 The OpenSSL Project Authors. All Rights Reserved. 3 * 4 * Licensed under the OpenSSL license (the "License"). You may not use 5 * this file except in compliance with the License. You can obtain a copy 6 * in the file LICENSE in the source distribution or at 7 * https://www.openssl.org/source/license.html 8 */ 9 10 #include <stdlib.h> 11 #include <string.h> 12 13 #include <openssl/conf.h> 14 #include <openssl/ct.h> 15 #include <openssl/err.h> 16 #include <openssl/evp.h> 17 #include <openssl/safestack.h> 18 19 #include "internal/cryptlib.h" 20 21 /* 22 * Information about a CT log server. 23 */ 24 struct ctlog_st { 25 char *name; 26 uint8_t log_id[CT_V1_HASHLEN]; 27 EVP_PKEY *public_key; 28 }; 29 30 /* 31 * A store for multiple CTLOG instances. 32 * It takes ownership of any CTLOG instances added to it. 33 */ 34 struct ctlog_store_st { 35 STACK_OF(CTLOG) *logs; 36 }; 37 38 /* The context when loading a CT log list from a CONF file. */ 39 typedef struct ctlog_store_load_ctx_st { 40 CTLOG_STORE *log_store; 41 CONF *conf; 42 size_t invalid_log_entries; 43 } CTLOG_STORE_LOAD_CTX; 44 45 /* 46 * Creates an empty context for loading a CT log store. 47 * It should be populated before use. 48 */ 49 static CTLOG_STORE_LOAD_CTX *ctlog_store_load_ctx_new(void); 50 51 /* 52 * Deletes a CT log store load context. 53 * Does not delete any of the fields. 54 */ 55 static void ctlog_store_load_ctx_free(CTLOG_STORE_LOAD_CTX* ctx); 56 57 static CTLOG_STORE_LOAD_CTX *ctlog_store_load_ctx_new(void) 58 { 59 CTLOG_STORE_LOAD_CTX *ctx = OPENSSL_zalloc(sizeof(*ctx)); 60 61 if (ctx == NULL) 62 CTerr(CT_F_CTLOG_STORE_LOAD_CTX_NEW, ERR_R_MALLOC_FAILURE); 63 64 return ctx; 65 } 66 67 static void ctlog_store_load_ctx_free(CTLOG_STORE_LOAD_CTX* ctx) 68 { 69 OPENSSL_free(ctx); 70 } 71 72 /* Converts a log's public key into a SHA256 log ID */ 73 static int ct_v1_log_id_from_pkey(EVP_PKEY *pkey, 74 unsigned char log_id[CT_V1_HASHLEN]) 75 { 76 int ret = 0; 77 unsigned char *pkey_der = NULL; 78 int pkey_der_len = i2d_PUBKEY(pkey, &pkey_der); 79 80 if (pkey_der_len <= 0) { 81 CTerr(CT_F_CT_V1_LOG_ID_FROM_PKEY, CT_R_LOG_KEY_INVALID); 82 goto err; 83 } 84 85 SHA256(pkey_der, pkey_der_len, log_id); 86 ret = 1; 87 err: 88 OPENSSL_free(pkey_der); 89 return ret; 90 } 91 92 CTLOG_STORE *CTLOG_STORE_new(void) 93 { 94 CTLOG_STORE *ret = OPENSSL_zalloc(sizeof(*ret)); 95 96 if (ret == NULL) { 97 CTerr(CT_F_CTLOG_STORE_NEW, ERR_R_MALLOC_FAILURE); 98 return NULL; 99 } 100 101 ret->logs = sk_CTLOG_new_null(); 102 if (ret->logs == NULL) 103 goto err; 104 105 return ret; 106 err: 107 OPENSSL_free(ret); 108 return NULL; 109 } 110 111 void CTLOG_STORE_free(CTLOG_STORE *store) 112 { 113 if (store != NULL) { 114 sk_CTLOG_pop_free(store->logs, CTLOG_free); 115 OPENSSL_free(store); 116 } 117 } 118 119 static int ctlog_new_from_conf(CTLOG **ct_log, const CONF *conf, const char *section) 120 { 121 const char *description = NCONF_get_string(conf, section, "description"); 122 char *pkey_base64; 123 124 if (description == NULL) { 125 CTerr(CT_F_CTLOG_NEW_FROM_CONF, CT_R_LOG_CONF_MISSING_DESCRIPTION); 126 return 0; 127 } 128 129 pkey_base64 = NCONF_get_string(conf, section, "key"); 130 if (pkey_base64 == NULL) { 131 CTerr(CT_F_CTLOG_NEW_FROM_CONF, CT_R_LOG_CONF_MISSING_KEY); 132 return 0; 133 } 134 135 return CTLOG_new_from_base64(ct_log, pkey_base64, description); 136 } 137 138 int CTLOG_STORE_load_default_file(CTLOG_STORE *store) 139 { 140 const char *fpath = ossl_safe_getenv(CTLOG_FILE_EVP); 141 142 if (fpath == NULL) 143 fpath = CTLOG_FILE; 144 145 return CTLOG_STORE_load_file(store, fpath); 146 } 147 148 /* 149 * Called by CONF_parse_list, which stops if this returns <= 0, 150 * Otherwise, one bad log entry would stop loading of any of 151 * the following log entries. 152 * It may stop parsing and returns -1 on any internal (malloc) error. 153 */ 154 static int ctlog_store_load_log(const char *log_name, int log_name_len, 155 void *arg) 156 { 157 CTLOG_STORE_LOAD_CTX *load_ctx = arg; 158 CTLOG *ct_log = NULL; 159 /* log_name may not be null-terminated, so fix that before using it */ 160 char *tmp; 161 int ret = 0; 162 163 /* log_name will be NULL for empty list entries */ 164 if (log_name == NULL) 165 return 1; 166 167 tmp = OPENSSL_strndup(log_name, log_name_len); 168 if (tmp == NULL) 169 goto mem_err; 170 171 ret = ctlog_new_from_conf(&ct_log, load_ctx->conf, tmp); 172 OPENSSL_free(tmp); 173 174 if (ret < 0) { 175 /* Propagate any internal error */ 176 return ret; 177 } 178 if (ret == 0) { 179 /* If we can't load this log, record that fact and skip it */ 180 ++load_ctx->invalid_log_entries; 181 return 1; 182 } 183 184 if (!sk_CTLOG_push(load_ctx->log_store->logs, ct_log)) { 185 goto mem_err; 186 } 187 return 1; 188 189 mem_err: 190 CTLOG_free(ct_log); 191 CTerr(CT_F_CTLOG_STORE_LOAD_LOG, ERR_R_MALLOC_FAILURE); 192 return -1; 193 } 194 195 int CTLOG_STORE_load_file(CTLOG_STORE *store, const char *file) 196 { 197 int ret = 0; 198 char *enabled_logs; 199 CTLOG_STORE_LOAD_CTX* load_ctx = ctlog_store_load_ctx_new(); 200 201 if (load_ctx == NULL) 202 return 0; 203 load_ctx->log_store = store; 204 load_ctx->conf = NCONF_new(NULL); 205 if (load_ctx->conf == NULL) 206 goto end; 207 208 if (NCONF_load(load_ctx->conf, file, NULL) <= 0) { 209 CTerr(CT_F_CTLOG_STORE_LOAD_FILE, CT_R_LOG_CONF_INVALID); 210 goto end; 211 } 212 213 enabled_logs = NCONF_get_string(load_ctx->conf, NULL, "enabled_logs"); 214 if (enabled_logs == NULL) { 215 CTerr(CT_F_CTLOG_STORE_LOAD_FILE, CT_R_LOG_CONF_INVALID); 216 goto end; 217 } 218 219 if (!CONF_parse_list(enabled_logs, ',', 1, ctlog_store_load_log, load_ctx) || 220 load_ctx->invalid_log_entries > 0) { 221 CTerr(CT_F_CTLOG_STORE_LOAD_FILE, CT_R_LOG_CONF_INVALID); 222 goto end; 223 } 224 225 ret = 1; 226 end: 227 NCONF_free(load_ctx->conf); 228 ctlog_store_load_ctx_free(load_ctx); 229 return ret; 230 } 231 232 /* 233 * Initialize a new CTLOG object. 234 * Takes ownership of the public key. 235 * Copies the name. 236 */ 237 CTLOG *CTLOG_new(EVP_PKEY *public_key, const char *name) 238 { 239 CTLOG *ret = OPENSSL_zalloc(sizeof(*ret)); 240 241 if (ret == NULL) { 242 CTerr(CT_F_CTLOG_NEW, ERR_R_MALLOC_FAILURE); 243 return NULL; 244 } 245 246 ret->name = OPENSSL_strdup(name); 247 if (ret->name == NULL) { 248 CTerr(CT_F_CTLOG_NEW, ERR_R_MALLOC_FAILURE); 249 goto err; 250 } 251 252 if (ct_v1_log_id_from_pkey(public_key, ret->log_id) != 1) 253 goto err; 254 255 ret->public_key = public_key; 256 return ret; 257 err: 258 CTLOG_free(ret); 259 return NULL; 260 } 261 262 /* Frees CT log and associated structures */ 263 void CTLOG_free(CTLOG *log) 264 { 265 if (log != NULL) { 266 OPENSSL_free(log->name); 267 EVP_PKEY_free(log->public_key); 268 OPENSSL_free(log); 269 } 270 } 271 272 const char *CTLOG_get0_name(const CTLOG *log) 273 { 274 return log->name; 275 } 276 277 void CTLOG_get0_log_id(const CTLOG *log, const uint8_t **log_id, 278 size_t *log_id_len) 279 { 280 *log_id = log->log_id; 281 *log_id_len = CT_V1_HASHLEN; 282 } 283 284 EVP_PKEY *CTLOG_get0_public_key(const CTLOG *log) 285 { 286 return log->public_key; 287 } 288 289 /* 290 * Given a log ID, finds the matching log. 291 * Returns NULL if no match found. 292 */ 293 const CTLOG *CTLOG_STORE_get0_log_by_id(const CTLOG_STORE *store, 294 const uint8_t *log_id, 295 size_t log_id_len) 296 { 297 int i; 298 299 for (i = 0; i < sk_CTLOG_num(store->logs); ++i) { 300 const CTLOG *log = sk_CTLOG_value(store->logs, i); 301 if (memcmp(log->log_id, log_id, log_id_len) == 0) 302 return log; 303 } 304 305 return NULL; 306 } 307