authorRob Percival <robpercival@google.com>2016-03-03 16:06:59 +0000
committerRich Salz <rsalz@openssl.org>2016-03-04 10:50:10 -0500
commita930afb6986fb8e22a59b2bfc5f1a19a8dc3388d (patch)
tree11271c1601aac23f4ef80e6c5ceed0f71bc26d29 /crypto/ct
parentdd696a55a2554cc8c89dd64f7e1171ce211dfc5c (diff)
If a CT log entry in CTLOG_FILE is invalid, skip it and continue loading
Previously, the remaining CT log entries would not be loaded. Also, CTLOG_STORE_load_file would return 1 even if a log entry was invalid, resulting in no errors being shown. Reviewed-by: Ben Laurie <ben@openssl.org> Reviewed-by: Rich Salz <rsalz@openssl.org>
Diffstat (limited to 'crypto/ct')
-rw-r--r--crypto/ct/ct_log.c25
1 files changed, 20 insertions, 5 deletions
diff --git a/crypto/ct/ct_log.c b/crypto/ct/ct_log.c
index 14f3bcc1fd..f5a01fdbd3 100644
--- a/crypto/ct/ct_log.c
+++ b/crypto/ct/ct_log.c
@@ -85,6 +85,7 @@ struct ctlog_store_st {
typedef struct ctlog_store_load_ctx_st {
CTLOG_STORE *log_store;
CONF *conf;
+ size_t invalid_log_entries;
} CTLOG_STORE_LOAD_CTX;
/*
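Review bot: Nothing in this diff initialises the new `invalid_log_entries` field, yet CTLOG_STORE_load_file later tests it with `> 0`. That is only safe if ctlog_store_load_ctx_new, which is not shown here, returns zeroed memory; with a plain allocation the counter would start at an indeterminate value and a clean file could be reported as invalid. Worth confirming, and a short comment on the field such as `/* number of enabled_logs entries that failed to load */` would make its role clear.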
@@ -201,7 +202,13 @@ int CTLOG_STORE_load_default_file(CTLOG_STORE *store)
return CTLOG_STORE_load_file(store, fpath);
}
-static int ctlog_store_load_log(const char *log_name, int log_name_len, void *arg)
+/*
+ * Called by CONF_parse_list, which stops if this returns <= 0, so don't unless
+ * something very bad happens. Otherwise, one bad log entry would stop loading
+ * of any of the following log entries.
+ */
+static int ctlog_store_load_log(const char *log_name, int log_name_len,
+ void *arg)
{
CTLOG_STORE_LOAD_CTX *load_ctx = arg;
CTLOG *ct_log;
@@ -210,8 +217,11 @@ static int ctlog_store_load_log(const char *log_name, int log_name_len, void *ar
ct_log = ctlog_new_from_conf(load_ctx->conf, tmp);
OPENSSL_free(tmp);
- if (ct_log == NULL)
- return 0;
+ if (ct_log == NULL) {
+ /* If we can't load this log, record that fact and skip it */
+ ++load_ctx->invalid_log_entries;
+ return 1;
+ }
sk_CTLOG_push(load_ctx->log_store->logs, ct_log);
return 1;
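Review bot: The result of `sk_CTLOG_push` on the last context lines is still ignored, so if the push fails the new CTLOG is leaked and the entry is dropped without being counted in `invalid_log_entries`; the load would then report success with a log missing from the store. The new header comment reserves a non-positive return for serious failures, and this looks like that case: `if (!sk_CTLOG_push(load_ctx->log_store->logs, ct_log)) { CTLOG_free(ct_log); return -1; }`. CTLOG_STORE_load_file would then receive a value other than 1 from CONF_parse_list and should presumably map it to its own failure return. The function begins before this hunk and its closing brace is outside it.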
@@ -219,7 +229,7 @@ static int ctlog_store_load_log(const char *log_name, int log_name_len, void *ar
int CTLOG_STORE_load_file(CTLOG_STORE *store, const char *file)
{
- int ret = -1;
+ int ret = 0;
char *enabled_logs;
CTLOG_STORE_LOAD_CTX* load_ctx = ctlog_store_load_ctx_new();
@@ -235,7 +245,12 @@ int CTLOG_STORE_load_file(CTLOG_STORE *store, const char *file)
}
enabled_logs = NCONF_get_string(load_ctx->conf, NULL, "enabled_logs");
- CONF_parse_list(enabled_logs, ',', 1, ctlog_store_load_log, load_ctx);
+ ret = CONF_parse_list(enabled_logs, ',', 1, ctlog_store_load_log, load_ctx);
+ if (ret == 1 && load_ctx->invalid_log_entries > 0) {
+ ret = 0;
+ CTerr(CT_F_CTLOG_STORE_LOAD_FILE, CT_R_LOG_CONF_INVALID);
+ goto end;
+ }
end:
NCONF_free(load_ctx->conf);
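Review bot: When the new branch sets `ret = 0`, the callback has already pushed the valid logs into `store`, so the function reports failure while leaving the store partly populated, and nothing in the visible code states that contract. A caller that ignores the return value would go on to check SCTs against a reduced log list with no further signal, so I would document it above CTLOG_STORE_load_file, e.g. `/* Returns 0 if any entry in enabled_logs was invalid; valid entries are still added to store. */`. Separately, `enabled_logs` is passed to CONF_parse_list without a NULL check, so a file lacking the `enabled_logs` key appears to fail with a CONF error rather than CT_R_LOG_CONF_INVALID. The function body starts before this hunk and continues past its last line.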