Quellcode durchsuchen

[tls] Display cross-certificate and OCSP status messages

TLS connections will almost always create background connections to
perform cross-signed certificate downloads and OCSP checks.  There is
currently no direct visibility into which checks are taking place,
which makes troubleshooting difficult in the absence of either a
packet capture or a debug build.

Use the job progress message buffer to report the current cross-signed
certificate download or OCSP status check, where applicable.

Signed-off-by: Michael Brown <mcb30@ipxe.org>
tags/v1.20.1
Michael Brown vor 5 Jahren
Ursprung
Commit
b28ccfc725
2 geänderte Dateien mit 82 neuen und 8 gelöschten Zeilen
  1. 20
    0
      src/net/tls.c
  2. 62
    8
      src/net/validator.c

+ 20
- 0
src/net/tls.c Datei anzeigen

@@ -47,6 +47,7 @@ FILE_LICENCE ( GPL2_OR_LATER );
47 47
 #include <ipxe/certstore.h>
48 48
 #include <ipxe/rbg.h>
49 49
 #include <ipxe/validator.h>
50
+#include <ipxe/job.h>
50 51
 #include <ipxe/tls.h>
51 52
 
52 53
 /* Disambiguate the various error causes */
@@ -2570,12 +2571,31 @@ static int tls_plainstream_deliver ( struct tls_connection *tls,
2570 2571
 	return rc;
2571 2572
 }
2572 2573
 
2574
+/**
2575
+ * Report job progress
2576
+ *
2577
+ * @v tls		TLS connection
2578
+ * @v progress		Progress report to fill in
2579
+ * @ret ongoing_rc	Ongoing job status code (if known)
2580
+ */
2581
+static int tls_progress ( struct tls_connection *tls,
2582
+			  struct job_progress *progress ) {
2583
+
2584
+	/* Return cipherstream or validator progress as applicable */
2585
+	if ( tls_ready ( tls ) ) {
2586
+		return job_progress ( &tls->cipherstream, progress );
2587
+	} else {
2588
+		return job_progress ( &tls->validator, progress );
2589
+	}
2590
+}
2591
+
2573 2592
 /** TLS plaintext stream interface operations */
2574 2593
 static struct interface_operation tls_plainstream_ops[] = {
2575 2594
 	INTF_OP ( xfer_deliver, struct tls_connection *,
2576 2595
 		  tls_plainstream_deliver ),
2577 2596
 	INTF_OP ( xfer_window, struct tls_connection *,
2578 2597
 		  tls_plainstream_window ),
2598
+	INTF_OP ( job_progress, struct tls_connection *, tls_progress ),
2579 2599
 	INTF_OP ( intf_close, struct tls_connection *, tls_close ),
2580 2600
 };
2581 2601
 

+ 62
- 8
src/net/validator.c Datei anzeigen

@@ -40,6 +40,7 @@ FILE_LICENCE ( GPL2_OR_LATER_OR_UBDL );
40 40
 #include <ipxe/base64.h>
41 41
 #include <ipxe/crc32.h>
42 42
 #include <ipxe/ocsp.h>
43
+#include <ipxe/job.h>
43 44
 #include <ipxe/validator.h>
44 45
 #include <config/crypto.h>
45 46
 
@@ -49,6 +50,17 @@ FILE_LICENCE ( GPL2_OR_LATER_OR_UBDL );
49 50
  *
50 51
  */
51 52
 
53
+struct validator;
54
+
55
+/** A certificate validator action */
56
+struct validator_action {
57
+	/** Name */
58
+	const char *name;
59
+	/** Action to take upon completed transfer */
60
+	int ( * done ) ( struct validator *validator, const void *data,
61
+			 size_t len );
62
+};
63
+
52 64
 /** A certificate validator */
53 65
 struct validator {
54 66
 	/** Reference count */
@@ -67,9 +79,16 @@ struct validator {
67 79
 	struct ocsp_check *ocsp;
68 80
 	/** Data buffer */
69 81
 	struct xfer_buffer buffer;
70
-	/** Action to take upon completed transfer */
71
-	int ( * done ) ( struct validator *validator, const void *data,
72
-			 size_t len );
82
+
83
+	/** Current action */
84
+	const struct validator_action *action;
85
+	/** Current certificate
86
+	 *
87
+	 * This will always be present within the certificate chain
88
+	 * and so this pointer does not hold a reference to the
89
+	 * certificate.
90
+	 */
91
+	struct x509_certificate *cert;
73 92
 };
74 93
 
75 94
 /**
@@ -123,8 +142,29 @@ static void validator_finished ( struct validator *validator, int rc ) {
123 142
  *
124 143
  */
125 144
 
145
+/**
146
+ * Report job progress
147
+ *
148
+ * @v validator		Certificate validator
149
+ * @v progress		Progress report to fill in
150
+ * @ret ongoing_rc	Ongoing job status code (if known)
151
+ */
152
+static int validator_progress ( struct validator *validator,
153
+				struct job_progress *progress ) {
154
+
155
+	/* Report current action, if applicable */
156
+	if ( validator->action ) {
157
+		snprintf ( progress->message, sizeof ( progress->message ),
158
+			   "%s %s", validator->action->name,
159
+			   x509_name ( validator->cert ) );
160
+	}
161
+
162
+	return 0;
163
+}
164
+
126 165
 /** Certificate validator job control interface operations */
127 166
 static struct interface_operation validator_job_operations[] = {
167
+	INTF_OP ( job_progress, struct validator *, validator_progress ),
128 168
 	INTF_OP ( intf_close, struct validator *, validator_finished ),
129 169
 };
130 170
 
@@ -236,6 +276,12 @@ static int validator_append ( struct validator *validator,
236 276
 	return rc;
237 277
 }
238 278
 
279
+/** Cross-signing certificate download validator action */
280
+static const struct validator_action validator_crosscert = {
281
+	.name = "XCRT",
282
+	.done = validator_append,
283
+};
284
+
239 285
 /**
240 286
  * Start download of cross-signing certificate
241 287
  *
@@ -285,7 +331,8 @@ static int validator_start_download ( struct validator *validator,
285 331
 	       x509_name ( cert ), uri_string );
286 332
 
287 333
 	/* Set completion handler */
288
-	validator->done = validator_append;
334
+	validator->action = &validator_crosscert;
335
+	validator->cert = cert;
289 336
 
290 337
 	/* Open URI */
291 338
 	if ( ( rc = xfer_open_uri_string ( &validator->xfer,
@@ -350,6 +397,12 @@ static int validator_ocsp_validate ( struct validator *validator,
350 397
 	return 0;
351 398
 }
352 399
 
400
+/** OCSP validator action */
401
+static const struct validator_action validator_ocsp = {
402
+	.name = "OCSP",
403
+	.done = validator_ocsp_validate,
404
+};
405
+
353 406
 /**
354 407
  * Start OCSP check
355 408
  *
@@ -374,7 +427,8 @@ static int validator_start_ocsp ( struct validator *validator,
374 427
 	}
375 428
 
376 429
 	/* Set completion handler */
377
-	validator->done = validator_ocsp_validate;
430
+	validator->action = &validator_ocsp;
431
+	validator->cert = cert;
378 432
 
379 433
 	/* Open URI */
380 434
 	uri_string = validator->ocsp->uri_string;
@@ -421,9 +475,9 @@ static void validator_xfer_close ( struct validator *validator, int rc ) {
421 475
 		validator, validator_name ( validator ) );
422 476
 
423 477
 	/* Process completed download */
424
-	assert ( validator->done != NULL );
425
-	if ( ( rc = validator->done ( validator, validator->buffer.data,
426
-				       validator->buffer.len ) ) != 0 )
478
+	assert ( validator->action != NULL );
479
+	if ( ( rc = validator->action->done ( validator, validator->buffer.data,
480
+					      validator->buffer.len ) ) != 0 )
427 481
 		goto err_append;
428 482
 
429 483
 	/* Free downloaded data */

Laden…
Abbrechen
Speichern