1 /* $OpenBSD: ct_sct.c,v 1.5 2021/12/17 11:25:22 tb Exp $ */ 2 /* 3 * Copyright 2016 The OpenSSL Project Authors. All Rights Reserved. 4 * 5 * Licensed under the OpenSSL license (the "License"). You may not use 6 * this file except in compliance with the License. You can obtain a copy 7 * in the file LICENSE in the source distribution or at 8 * https://www.openssl.org/source/license.html 9 */ 10 11 #ifdef OPENSSL_NO_CT 12 # error "CT disabled" 13 #endif 14 15 #include <openssl/ct.h> 16 #include <openssl/err.h> 17 #include <openssl/evp.h> 18 #include <openssl/tls1.h> 19 #include <openssl/x509.h> 20 21 #include <string.h> 22 23 #include "ct_local.h" 24 25 SCT * 26 SCT_new(void) 27 { 28 SCT *sct = calloc(1, sizeof(*sct)); 29 30 if (sct == NULL) { 31 CTerror(ERR_R_MALLOC_FAILURE); 32 return NULL; 33 } 34 35 sct->entry_type = CT_LOG_ENTRY_TYPE_NOT_SET; 36 sct->version = SCT_VERSION_NOT_SET; 37 return sct; 38 } 39 40 void 41 SCT_free(SCT *sct) 42 { 43 if (sct == NULL) 44 return; 45 46 free(sct->log_id); 47 free(sct->ext); 48 free(sct->sig); 49 free(sct->sct); 50 free(sct); 51 } 52 53 void 54 SCT_LIST_free(STACK_OF(SCT) *a) 55 { 56 sk_SCT_pop_free(a, SCT_free); 57 } 58 59 int 60 SCT_set_version(SCT *sct, sct_version_t version) 61 { 62 if (version != SCT_VERSION_V1) { 63 CTerror(CT_R_UNSUPPORTED_VERSION); 64 return 0; 65 } 66 sct->version = version; 67 sct->validation_status = SCT_VALIDATION_STATUS_NOT_SET; 68 return 1; 69 } 70 71 int 72 SCT_set_log_entry_type(SCT *sct, ct_log_entry_type_t entry_type) 73 { 74 sct->validation_status = SCT_VALIDATION_STATUS_NOT_SET; 75 76 switch (entry_type) { 77 case CT_LOG_ENTRY_TYPE_X509: 78 case CT_LOG_ENTRY_TYPE_PRECERT: 79 sct->entry_type = entry_type; 80 return 1; 81 case CT_LOG_ENTRY_TYPE_NOT_SET: 82 break; 83 } 84 CTerror(CT_R_UNSUPPORTED_ENTRY_TYPE); 85 return 0; 86 } 87 88 int 89 SCT_set0_log_id(SCT *sct, unsigned char *log_id, size_t log_id_len) 90 { 91 if (sct->version == SCT_VERSION_V1 && log_id_len != CT_V1_HASHLEN) { 92 CTerror(CT_R_INVALID_LOG_ID_LENGTH); 93 return 0; 94 } 95 96 free(sct->log_id); 97 sct->log_id = log_id; 98 sct->log_id_len = log_id_len; 99 sct->validation_status = SCT_VALIDATION_STATUS_NOT_SET; 100 return 1; 101 } 102 103 int 104 SCT_set1_log_id(SCT *sct, const unsigned char *log_id, size_t log_id_len) 105 { 106 if (sct->version == SCT_VERSION_V1 && log_id_len != CT_V1_HASHLEN) { 107 CTerror(CT_R_INVALID_LOG_ID_LENGTH); 108 return 0; 109 } 110 111 free(sct->log_id); 112 sct->log_id = NULL; 113 sct->log_id_len = 0; 114 sct->validation_status = SCT_VALIDATION_STATUS_NOT_SET; 115 116 if (log_id != NULL && log_id_len > 0) { 117 sct->log_id = malloc(log_id_len); 118 if (sct->log_id == NULL) { 119 CTerror(ERR_R_MALLOC_FAILURE); 120 return 0; 121 } 122 memcpy(sct->log_id, log_id, log_id_len); 123 sct->log_id_len = log_id_len; 124 } 125 return 1; 126 } 127 128 129 void 130 SCT_set_timestamp(SCT *sct, uint64_t timestamp) 131 { 132 sct->timestamp = timestamp; 133 sct->validation_status = SCT_VALIDATION_STATUS_NOT_SET; 134 } 135 136 int 137 SCT_set_signature_nid(SCT *sct, int nid) 138 { 139 switch (nid) { 140 case NID_sha256WithRSAEncryption: 141 sct->hash_alg = 4; /* XXX */ 142 sct->sig_alg = 1; /* XXX */ 143 sct->validation_status = SCT_VALIDATION_STATUS_NOT_SET; 144 return 1; 145 case NID_ecdsa_with_SHA256: 146 sct->hash_alg = 4; /* XXX */ 147 sct->sig_alg = 3; /* XXX */ 148 sct->validation_status = SCT_VALIDATION_STATUS_NOT_SET; 149 return 1; 150 default: 151 CTerror(CT_R_UNRECOGNIZED_SIGNATURE_NID); 152 return 0; 153 } 154 } 155 156 void 157 SCT_set0_extensions(SCT *sct, unsigned char *ext, size_t ext_len) 158 { 159 free(sct->ext); 160 sct->ext = ext; 161 sct->ext_len = ext_len; 162 sct->validation_status = SCT_VALIDATION_STATUS_NOT_SET; 163 } 164 165 int 166 SCT_set1_extensions(SCT *sct, const unsigned char *ext, size_t ext_len) 167 { 168 free(sct->ext); 169 sct->ext = NULL; 170 sct->ext_len = 0; 171 sct->validation_status = SCT_VALIDATION_STATUS_NOT_SET; 172 173 if (ext != NULL && ext_len > 0) { 174 sct->ext = malloc(ext_len); 175 if (sct->ext == NULL) { 176 CTerror(ERR_R_MALLOC_FAILURE); 177 return 0; 178 } 179 memcpy(sct->ext, ext, ext_len); 180 sct->ext_len = ext_len; 181 } 182 return 1; 183 } 184 185 void 186 SCT_set0_signature(SCT *sct, unsigned char *sig, size_t sig_len) 187 { 188 free(sct->sig); 189 sct->sig = sig; 190 sct->sig_len = sig_len; 191 sct->validation_status = SCT_VALIDATION_STATUS_NOT_SET; 192 } 193 194 int 195 SCT_set1_signature(SCT *sct, const unsigned char *sig, size_t sig_len) 196 { 197 free(sct->sig); 198 sct->sig = NULL; 199 sct->sig_len = 0; 200 sct->validation_status = SCT_VALIDATION_STATUS_NOT_SET; 201 202 if (sig != NULL && sig_len > 0) { 203 sct->sig = malloc(sig_len); 204 if (sct->sig == NULL) { 205 CTerror(ERR_R_MALLOC_FAILURE); 206 return 0; 207 } 208 memcpy(sct->sig, sig, sig_len); 209 sct->sig_len = sig_len; 210 } 211 return 1; 212 } 213 214 sct_version_t 215 SCT_get_version(const SCT *sct) 216 { 217 return sct->version; 218 } 219 220 ct_log_entry_type_t 221 SCT_get_log_entry_type(const SCT *sct) 222 { 223 return sct->entry_type; 224 } 225 226 size_t 227 SCT_get0_log_id(const SCT *sct, unsigned char **log_id) 228 { 229 *log_id = sct->log_id; 230 return sct->log_id_len; 231 } 232 233 uint64_t 234 SCT_get_timestamp(const SCT *sct) 235 { 236 return sct->timestamp; 237 } 238 239 int 240 SCT_get_signature_nid(const SCT *sct) 241 { 242 if (sct->version == SCT_VERSION_V1) { 243 /* XXX sigalg numbers */ 244 if (sct->hash_alg == 4) { 245 switch (sct->sig_alg) { 246 case 3: 247 return NID_ecdsa_with_SHA256; 248 case 1: 249 return NID_sha256WithRSAEncryption; 250 default: 251 return NID_undef; 252 } 253 } 254 } 255 return NID_undef; 256 } 257 258 size_t 259 SCT_get0_extensions(const SCT *sct, unsigned char **ext) 260 { 261 *ext = sct->ext; 262 return sct->ext_len; 263 } 264 265 size_t 266 SCT_get0_signature(const SCT *sct, unsigned char **sig) 267 { 268 *sig = sct->sig; 269 return sct->sig_len; 270 } 271 272 int 273 SCT_is_complete(const SCT *sct) 274 { 275 switch (sct->version) { 276 case SCT_VERSION_NOT_SET: 277 return 0; 278 case SCT_VERSION_V1: 279 return sct->log_id != NULL && SCT_signature_is_complete(sct); 280 default: 281 return sct->sct != NULL; /* Just need cached encoding */ 282 } 283 } 284 285 int 286 SCT_signature_is_complete(const SCT *sct) 287 { 288 return SCT_get_signature_nid(sct) != NID_undef && 289 sct->sig != NULL && sct->sig_len > 0; 290 } 291 292 sct_source_t 293 SCT_get_source(const SCT *sct) 294 { 295 return sct->source; 296 } 297 298 int 299 SCT_set_source(SCT *sct, sct_source_t source) 300 { 301 sct->source = source; 302 sct->validation_status = SCT_VALIDATION_STATUS_NOT_SET; 303 switch (source) { 304 case SCT_SOURCE_TLS_EXTENSION: 305 case SCT_SOURCE_OCSP_STAPLED_RESPONSE: 306 return SCT_set_log_entry_type(sct, CT_LOG_ENTRY_TYPE_X509); 307 case SCT_SOURCE_X509V3_EXTENSION: 308 return SCT_set_log_entry_type(sct, CT_LOG_ENTRY_TYPE_PRECERT); 309 case SCT_SOURCE_UNKNOWN: 310 break; 311 } 312 /* if we aren't sure, leave the log entry type alone */ 313 return 1; 314 } 315 316 sct_validation_status_t 317 SCT_get_validation_status(const SCT *sct) 318 { 319 return sct->validation_status; 320 } 321 322 int 323 SCT_validate(SCT *sct, const CT_POLICY_EVAL_CTX *ctx) 324 { 325 int is_sct_valid = -1; 326 SCT_CTX *sctx = NULL; 327 X509_PUBKEY *pub = NULL, *log_pkey = NULL; 328 const CTLOG *log; 329 330 /* 331 * With an unrecognized SCT version we don't know what such an SCT means, 332 * let alone validate one. So we return validation failure (0). 333 */ 334 if (sct->version != SCT_VERSION_V1) { 335 sct->validation_status = SCT_VALIDATION_STATUS_UNKNOWN_VERSION; 336 return 0; 337 } 338 339 log = CTLOG_STORE_get0_log_by_id(ctx->log_store, sct->log_id, 340 sct->log_id_len); 341 342 /* Similarly, an SCT from an unknown log also cannot be validated. */ 343 if (log == NULL) { 344 sct->validation_status = SCT_VALIDATION_STATUS_UNKNOWN_LOG; 345 return 0; 346 } 347 348 sctx = SCT_CTX_new(); 349 if (sctx == NULL) 350 goto err; 351 352 if (X509_PUBKEY_set(&log_pkey, CTLOG_get0_public_key(log)) != 1) 353 goto err; 354 if (SCT_CTX_set1_pubkey(sctx, log_pkey) != 1) 355 goto err; 356 357 if (SCT_get_log_entry_type(sct) == CT_LOG_ENTRY_TYPE_PRECERT) { 358 EVP_PKEY *issuer_pkey; 359 360 if (ctx->issuer == NULL) { 361 sct->validation_status = SCT_VALIDATION_STATUS_UNVERIFIED; 362 goto end; 363 } 364 365 issuer_pkey = X509_get0_pubkey(ctx->issuer); 366 367 if (X509_PUBKEY_set(&pub, issuer_pkey) != 1) 368 goto err; 369 if (SCT_CTX_set1_issuer_pubkey(sctx, pub) != 1) 370 goto err; 371 } 372 373 SCT_CTX_set_time(sctx, ctx->epoch_time_in_ms); 374 375 /* 376 * XXX: Potential for optimization. This repeats some idempotent heavy 377 * lifting on the certificate for each candidate SCT, and appears to not 378 * use any information in the SCT itself, only the certificate is 379 * processed. So it may make more sense to to do this just once, perhaps 380 * associated with the shared (by all SCTs) policy eval ctx. 381 * 382 * XXX: Failure here is global (SCT independent) and represents either an 383 * issue with the certificate (e.g. duplicate extensions) or an out of 384 * memory condition. When the certificate is incompatible with CT, we just 385 * mark the SCTs invalid, rather than report a failure to determine the 386 * validation status. That way, callbacks that want to do "soft" SCT 387 * processing will not abort handshakes with false positive internal 388 * errors. Since the function does not distinguish between certificate 389 * issues (peer's fault) and internal problems (out fault) the safe thing 390 * to do is to report a validation failure and let the callback or 391 * application decide what to do. 392 */ 393 if (SCT_CTX_set1_cert(sctx, ctx->cert, NULL) != 1) 394 sct->validation_status = SCT_VALIDATION_STATUS_UNVERIFIED; 395 else 396 sct->validation_status = SCT_CTX_verify(sctx, sct) == 1 ? 397 SCT_VALIDATION_STATUS_VALID : SCT_VALIDATION_STATUS_INVALID; 398 399 end: 400 is_sct_valid = sct->validation_status == SCT_VALIDATION_STATUS_VALID; 401 err: 402 X509_PUBKEY_free(pub); 403 X509_PUBKEY_free(log_pkey); 404 SCT_CTX_free(sctx); 405 406 return is_sct_valid; 407 } 408 409 int 410 SCT_LIST_validate(const STACK_OF(SCT) *scts, CT_POLICY_EVAL_CTX *ctx) 411 { 412 int are_scts_valid = 1; 413 int sct_count = scts != NULL ? sk_SCT_num(scts) : 0; 414 int i; 415 416 for (i = 0; i < sct_count; ++i) { 417 int is_sct_valid = -1; 418 SCT *sct = sk_SCT_value(scts, i); 419 420 if (sct == NULL) 421 continue; 422 423 is_sct_valid = SCT_validate(sct, ctx); 424 if (is_sct_valid < 0) 425 return is_sct_valid; 426 are_scts_valid &= is_sct_valid; 427 } 428 429 return are_scts_valid; 430 } 431