search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
Merge commit '9992e6a682b1c35b4385c3b512db329ec8ab9ede'
[unleashed.git] / bin / openssl / certhash.c
blob5838f0209b2b5fd13fcaad5e0a1cdbf8bb75ce31
1 /*
2 * Copyright (c) 2014, 2015 Joel Sing <jsing@openbsd.org>
3 *
4 * Permission to use, copy, modify, and distribute this software for any
5 * purpose with or without fee is hereby granted, provided that the above
6 * copyright notice and this permission notice appear in all copies.
7 *
8 * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
9 * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
10 * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
11 * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
12 * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
13 * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
14 * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
15 */
16
17 #include <sys/types.h>
18 #include <sys/stat.h>
19
20 #include <errno.h>
21 #include <dirent.h>
22 #include <fcntl.h>
23 #include <limits.h>
24 #include <stdio.h>
25 #include <string.h>
26 #include <unistd.h>
27
28 #include <openssl/bio.h>
29 #include <openssl/evp.h>
30 #include <openssl/pem.h>
31 #include <openssl/x509.h>
32
33 #include "apps.h"
34
35 static struct {
36 int dryrun;
37 int verbose;
38 } certhash_config;
39
40 struct option certhash_options[] = {
41 {
42 .name = "n",
43 .desc = "Perform a dry-run - do not make any changes",
44 .type = OPTION_FLAG,
45 .opt.flag = &certhash_config.dryrun,
46 },
47 {
48 .name = "v",
49 .desc = "Verbose",
50 .type = OPTION_FLAG,
51 .opt.flag = &certhash_config.verbose,
52 },
53 { NULL },
54 };
55
56 struct hashinfo {
57 char *filename;
58 char *target;
59 unsigned long hash;
60 unsigned int index;
61 unsigned char fingerprint[EVP_MAX_MD_SIZE];
62 int is_crl;
63 int is_dup;
64 int exists;
65 int changed;
66 struct hashinfo *reference;
67 struct hashinfo *next;
68 };
69
70 static struct hashinfo *
71 hashinfo(const char *filename, unsigned long hash, unsigned char *fingerprint)
72 {
73 struct hashinfo *hi;
74
75 if ((hi = calloc(1, sizeof(*hi))) == NULL)
76 return (NULL);
77 if (filename != NULL) {
78 if ((hi->filename = strdup(filename)) == NULL) {
79 free(hi);
80 return (NULL);
81 }
82 }
83 hi->hash = hash;
84 if (fingerprint != NULL)
85 memcpy(hi->fingerprint, fingerprint, sizeof(hi->fingerprint));
86
87 return (hi);
88 }
89
90 static void
91 hashinfo_free(struct hashinfo *hi)
92 {
93 if (hi == NULL)
94 return;
95
96 free(hi->filename);
97 free(hi->target);
98 free(hi);
99 }
100
101 #ifdef DEBUG
102 static void
103 hashinfo_print(struct hashinfo *hi)
104 {
105 int i;
106
107 printf("hashinfo %s %08lx %u %i\n", hi->filename, hi->hash,
108 hi->index, hi->is_crl);
109 for (i = 0; i < (int)EVP_MAX_MD_SIZE; i++) {
110 printf("%02X%c", hi->fingerprint[i],
111 (i + 1 == (int)EVP_MAX_MD_SIZE) ? '\n' : ':');
112 }
113 }
114 #endif
115
116 static int
117 hashinfo_compare(const void *a, const void *b)
118 {
119 struct hashinfo *hia = *(struct hashinfo **)a;
120 struct hashinfo *hib = *(struct hashinfo **)b;
121 int rv;
122
123 rv = hia->hash < hib->hash ? -1 : hia->hash > hib->hash;
124 if (rv != 0)
125 return (rv);
126 rv = memcmp(hia->fingerprint, hib->fingerprint,
127 sizeof(hia->fingerprint));
128 if (rv != 0)
129 return (rv);
130 return strcmp(hia->filename, hib->filename);
131 }
132
133 static struct hashinfo *
134 hashinfo_chain(struct hashinfo *head, struct hashinfo *entry)
135 {
136 struct hashinfo *hi = head;
137
138 if (hi == NULL)
139 return (entry);
140 while (hi->next != NULL)
141 hi = hi->next;
142 hi->next = entry;
143
144 return (head);
145 }
146
147 static void
148 hashinfo_chain_free(struct hashinfo *hi)
149 {
150 struct hashinfo *next;
151
152 while (hi != NULL) {
153 next = hi->next;
154 hashinfo_free(hi);
155 hi = next;
156 }
157 }
158
159 static size_t
160 hashinfo_chain_length(struct hashinfo *hi)
161 {
162 int len = 0;
163
164 while (hi != NULL) {
165 len++;
166 hi = hi->next;
167 }
168 return (len);
169 }
170
171 static int
172 hashinfo_chain_sort(struct hashinfo **head)
173 {
174 struct hashinfo **list, *entry;
175 size_t len;
176 int i;
177
178 if (*head == NULL)
179 return (0);
180
181 len = hashinfo_chain_length(*head);
182 if ((list = reallocarray(NULL, len, sizeof(struct hashinfo *))) == NULL)
183 return (-1);
184
185 for (entry = *head, i = 0; entry != NULL; entry = entry->next, i++)
186 list[i] = entry;
187 qsort(list, len, sizeof(struct hashinfo *), hashinfo_compare);
188
189 *head = entry = list[0];
190 for (i = 1; i < len; i++) {
191 entry->next = list[i];
192 entry = list[i];
193 }
194 entry->next = NULL;
195
196 free(list);
197 return (0);
198 }
199
200 static char *
201 hashinfo_linkname(struct hashinfo *hi)
202 {
203 char *filename;
204
205 if (asprintf(&filename, "%08lx.%s%u", hi->hash,
206 (hi->is_crl ? "r" : ""), hi->index) == -1)
207 return (NULL);
208
209 return (filename);
210 }
211
212 static int
213 filename_is_hash(const char *filename)
214 {
215 const char *p = filename;
216
217 while ((*p >= '0' && *p <= '9') || (*p >= 'a' && *p <= 'f'))
218 p++;
219 if (*p++ != '.')
220 return (0);
221 if (*p == 'r') /* CRL format. */
222 p++;
223 while (*p >= '0' && *p <= '9')
224 p++;
225 if (*p != '\0')
226 return (0);
227
228 return (1);
229 }
230
231 static int
232 filename_is_pem(const char *filename)
233 {
234 const char *q, *p = filename;
235
236 if ((q = strchr(p, '\0')) == NULL)
237 return (0);
238 if ((q - p) < 4)
239 return (0);
240 if (strncmp((q - 4), ".pem", 4) != 0)
241 return (0);
242
243 return (1);
244 }
245
246 static struct hashinfo *
247 hashinfo_from_linkname(const char *linkname, const char *target)
248 {
249 struct hashinfo *hi = NULL;
250 const char *errstr;
251 char *l, *p, *ep;
252 long long val;
253
254 if ((l = strdup(linkname)) == NULL)
255 goto err;
256 if ((p = strchr(l, '.')) == NULL)
257 goto err;
258 *p++ = '\0';
259
260 if ((hi = hashinfo(linkname, 0, NULL)) == NULL)
261 goto err;
262 if ((hi->target = strdup(target)) == NULL)
263 goto err;
264
265 errno = 0;
266 val = strtoll(l, &ep, 16);
267 if (l[0] == '\0' || *ep != '\0')
268 goto err;
269 if (errno == ERANGE && (val == LLONG_MAX || val == LLONG_MIN))
270 goto err;
271 if (val < 0 || val > ULONG_MAX)
272 goto err;
273 hi->hash = (unsigned long)val;
274
275 if (*p == 'r') {
276 hi->is_crl = 1;
277 p++;
278 }
279
280 val = strtonum(p, 0, 0xffffffff, &errstr);
281 if (errstr != NULL)
282 goto err;
283
284 hi->index = (unsigned int)val;
285
286 goto done;
287
288 err:
289 hashinfo_free(hi);
290 hi = NULL;
291
292 done:
293 free(l);
294
295 return (hi);
296 }
297
298 static struct hashinfo *
299 certhash_cert(BIO *bio, const char *filename)
300 {
301 unsigned char fingerprint[EVP_MAX_MD_SIZE];
302 struct hashinfo *hi = NULL;
303 const EVP_MD *digest;
304 X509 *cert = NULL;
305 unsigned long hash;
306 unsigned int len;
307
308 if ((cert = PEM_read_bio_X509(bio, NULL, NULL, NULL)) == NULL)
309 goto err;
310
311 hash = X509_subject_name_hash(cert);
312
313 digest = EVP_sha256();
314 if (X509_digest(cert, digest, fingerprint, &len) != 1) {
315 fprintf(stderr, "out of memory\n");
316 goto err;
317 }
318
319 hi = hashinfo(filename, hash, fingerprint);
320
321 err:
322 X509_free(cert);
323
324 return (hi);
325 }
326
327 static struct hashinfo *
328 certhash_crl(BIO *bio, const char *filename)
329 {
330 unsigned char fingerprint[EVP_MAX_MD_SIZE];
331 struct hashinfo *hi = NULL;
332 const EVP_MD *digest;
333 X509_CRL *crl = NULL;
334 unsigned long hash;
335 unsigned int len;
336
337 if ((crl = PEM_read_bio_X509_CRL(bio, NULL, NULL, NULL)) == NULL)
338 return (NULL);
339
340 hash = X509_NAME_hash(X509_CRL_get_issuer(crl));
341
342 digest = EVP_sha256();
343 if (X509_CRL_digest(crl, digest, fingerprint, &len) != 1) {
344 fprintf(stderr, "out of memory\n");
345 goto err;
346 }
347
348 hi = hashinfo(filename, hash, fingerprint);
349
350 err:
351 X509_CRL_free(crl);
352
353 return (hi);
354 }
355
356 static int
357 certhash_addlink(struct hashinfo **links, struct hashinfo *hi)
358 {
359 struct hashinfo *link = NULL;
360
361 if ((link = hashinfo(NULL, hi->hash, hi->fingerprint)) == NULL)
362 goto err;
363
364 if ((link->filename = hashinfo_linkname(hi)) == NULL)
365 goto err;
366
367 link->reference = hi;
368 link->changed = 1;
369 *links = hashinfo_chain(*links, link);
370 hi->reference = link;
371
372 return (0);
373
374 err:
375 hashinfo_free(link);
376 return (-1);
377 }
378
379 static void
380 certhash_findlink(struct hashinfo *links, struct hashinfo *hi)
381 {
382 struct hashinfo *link;
383
384 for (link = links; link != NULL; link = link->next) {
385 if (link->is_crl == hi->is_crl &&
386 link->hash == hi->hash &&
387 link->index == hi->index &&
388 link->reference == NULL) {
389 link->reference = hi;
390 if (link->target == NULL ||
391 strcmp(link->target, hi->filename) != 0)
392 link->changed = 1;
393 hi->reference = link;
394 break;
395 }
396 }
397 }
398
399 static void
400 certhash_index(struct hashinfo *head, const char *name)
401 {
402 struct hashinfo *last, *entry;
403 int index = 0;
404
405 last = NULL;
406 for (entry = head; entry != NULL; entry = entry->next) {
407 if (last != NULL) {
408 if (entry->hash == last->hash) {
409 if (memcmp(entry->fingerprint,
410 last->fingerprint,
411 sizeof(entry->fingerprint)) == 0) {
412 fprintf(stderr, "WARNING: duplicate %s "
413 "in %s (using %s), ignoring...\n",
414 name, entry->filename,
415 last->filename);
416 entry->is_dup = 1;
417 continue;
418 }
419 index++;
420 } else {
421 index = 0;
422 }
423 }
424 entry->index = index;
425 last = entry;
426 }
427 }
428
429 static int
430 certhash_merge(struct hashinfo **links, struct hashinfo **certs,
431 struct hashinfo **crls)
432 {
433 struct hashinfo *cert, *crl;
434
435 /* Pass 1 - sort and index entries. */
436 if (hashinfo_chain_sort(certs) == -1)
437 return (-1);
438 if (hashinfo_chain_sort(crls) == -1)
439 return (-1);
440 certhash_index(*certs, "certificate");
441 certhash_index(*crls, "CRL");
442
443 /* Pass 2 - map to existing links. */
444 for (cert = *certs; cert != NULL; cert = cert->next) {
445 if (cert->is_dup == 1)
446 continue;
447 certhash_findlink(*links, cert);
448 }
449 for (crl = *crls; crl != NULL; crl = crl->next) {
450 if (crl->is_dup == 1)
451 continue;
452 certhash_findlink(*links, crl);
453 }
454
455 /* Pass 3 - determine missing links. */
456 for (cert = *certs; cert != NULL; cert = cert->next) {
457 if (cert->is_dup == 1 || cert->reference != NULL)
458 continue;
459 if (certhash_addlink(links, cert) == -1)
460 return (-1);
461 }
462 for (crl = *crls; crl != NULL; crl = crl->next) {
463 if (crl->is_dup == 1 || crl->reference != NULL)
464 continue;
465 if (certhash_addlink(links, crl) == -1)
466 return (-1);
467 }
468
469 return (0);
470 }
471
472 static int
473 certhash_link(struct dirent *dep, struct hashinfo **links)
474 {
475 struct hashinfo *hi = NULL;
476 char target[PATH_MAX];
477 struct stat sb;
478 int n;
479
480 if (lstat(dep->d_name, &sb) == -1) {
481 fprintf(stderr, "failed to stat %s\n", dep->d_name);
482 return (-1);
483 }
484 if (!S_ISLNK(sb.st_mode))
485 return (0);
486
487 n = readlink(dep->d_name, target, sizeof(target) - 1);
488 if (n == -1) {
489 fprintf(stderr, "failed to readlink %s\n", dep->d_name);
490 return (-1);
491 }
492 target[n] = '\0';
493
494 hi = hashinfo_from_linkname(dep->d_name, target);
495 if (hi == NULL) {
496 fprintf(stderr, "failed to get hash info %s\n", dep->d_name);
497 return (-1);
498 }
499 hi->exists = 1;
500 *links = hashinfo_chain(*links, hi);
501
502 return (0);
503 }
504
505 static int
506 certhash_file(struct dirent *dep, struct hashinfo **certs,
507 struct hashinfo **crls)
508 {
509 struct hashinfo *hi = NULL;
510 int has_cert, has_crl;
511 int ret = -1;
512 BIO *bio = NULL;
513 FILE *f;
514
515 has_cert = has_crl = 0;
516
517 if ((f = fopen(dep->d_name, "r")) == NULL) {
518 fprintf(stderr, "failed to fopen %s\n", dep->d_name);
519 goto err;
520 }
521 if ((bio = BIO_new_fp(f, BIO_CLOSE)) == NULL) {
522 fprintf(stderr, "failed to create bio\n");
523 fclose(f);
524 goto err;
525 }
526
527 if ((hi = certhash_cert(bio, dep->d_name)) != NULL) {
528 has_cert = 1;
529 *certs = hashinfo_chain(*certs, hi);
530 }
531
532 if (BIO_reset(bio) != 0) {
533 fprintf(stderr, "BIO_reset failed\n");
534 goto err;
535 }
536
537 if ((hi = certhash_crl(bio, dep->d_name)) != NULL) {
538 has_crl = hi->is_crl = 1;
539 *crls = hashinfo_chain(*crls, hi);
540 }
541
542 if (!has_cert && !has_crl)
543 fprintf(stderr, "PEM file %s does not contain a certificate "
544 "or CRL, ignoring...\n", dep->d_name);
545
546 ret = 0;
547
548 err:
549 BIO_free(bio);
550
551 return (ret);
552 }
553
554 static int
555 certhash_directory(const char *path)
556 {
557 struct hashinfo *links = NULL, *certs = NULL, *crls = NULL, *link;
558 int ret = 0;
559 struct dirent *dep;
560 DIR *dip = NULL;
561
562 if ((dip = opendir(".")) == NULL) {
563 fprintf(stderr, "failed to open directory %s\n", path);
564 goto err;
565 }
566
567 if (certhash_config.verbose)
568 fprintf(stdout, "scanning directory %s\n", path);
569
570 /* Create lists of existing hash links, certs and CRLs. */
571 while ((dep = readdir(dip)) != NULL) {
572 if (filename_is_hash(dep->d_name)) {
573 if (certhash_link(dep, &links) == -1)
574 goto err;
575 }
576 if (filename_is_pem(dep->d_name)) {
577 if (certhash_file(dep, &certs, &crls) == -1)
578 goto err;
579 }
580 }
581
582 if (certhash_merge(&links, &certs, &crls) == -1) {
583 fprintf(stderr, "certhash merge failed\n");
584 goto err;
585 }
586
587 /* Remove spurious links. */
588 for (link = links; link != NULL; link = link->next) {
589 if (link->exists == 0 ||
590 (link->reference != NULL && link->changed == 0))
591 continue;
592 if (certhash_config.verbose)
593 fprintf(stdout, "%s link %s -> %s\n",
594 (certhash_config.dryrun ? "would remove" :
595 "removing"), link->filename, link->target);
596 if (certhash_config.dryrun)
597 continue;
598 if (unlink(link->filename) == -1) {
599 fprintf(stderr, "failed to remove link %s\n",
600 link->filename);
601 goto err;
602 }
603 }
604
605 /* Create missing links. */
606 for (link = links; link != NULL; link = link->next) {
607 if (link->exists == 1 && link->changed == 0)
608 continue;
609 if (certhash_config.verbose)
610 fprintf(stdout, "%s link %s -> %s\n",
611 (certhash_config.dryrun ? "would create" :
612 "creating"), link->filename,
613 link->reference->filename);
614 if (certhash_config.dryrun)
615 continue;
616 if (symlink(link->reference->filename, link->filename) == -1) {
617 fprintf(stderr, "failed to create link %s -> %s\n",
618 link->filename, link->reference->filename);
619 goto err;
620 }
621 }
622
623 goto done;
624
625 err:
626 ret = 1;
627
628 done:
629 hashinfo_chain_free(certs);
630 hashinfo_chain_free(crls);
631 hashinfo_chain_free(links);
632
633 if (dip != NULL)
634 closedir(dip);
635 return (ret);
636 }
637
638 static void
639 certhash_usage(void)
640 {
641 fprintf(stderr, "usage: certhash [-nv] dir ...\n");
642 options_usage(certhash_options);
643 }
644
645 int
646 certhash_main(int argc, char **argv)
647 {
648 int argsused;
649 int i, cwdfd, ret = 0;
650
651 if (single_execution) {
652 if (pledge("stdio cpath wpath rpath", NULL) == -1) {
653 perror("pledge");
654 exit(1);
655 }
656 }
657
658 memset(&certhash_config, 0, sizeof(certhash_config));
659
660 if (options_parse(argc, argv, certhash_options, NULL, &argsused) != 0) {
661 certhash_usage();
662 return (1);
663 }
664
665 if ((cwdfd = open(".", O_RDONLY)) == -1) {
666 perror("failed to open current directory");
667 return (1);
668 }
669
670 for (i = argsused; i < argc; i++) {
671 if (chdir(argv[i]) == -1) {
672 fprintf(stderr,
673 "failed to change to directory %s: %s\n",
674 argv[i], strerror(errno));
675 ret = 1;
676 continue;
677 }
678 ret |= certhash_directory(argv[i]);
679 if (fchdir(cwdfd) == -1) {
680 perror("failed to restore current directory");
681 ret = 1;
682 break; /* can't continue safely */
683 }
684 }
685 close(cwdfd);
686
687 return (ret);
688 }
Unleashed OS