
[tls] Display cross-certificate and OCSP status messages

TLS connections will almost always create background connections to
perform cross-signed certificate downloads and OCSP checks.  There is
currently no direct visibility into which checks are taking place,
which makes troubleshooting difficult in the absence of either a
packet capture or a debug build.

Use the job progress message buffer to report the current cross-signed
certificate download or OCSP status check, where applicable.

Signed-off-by: Michael Brown <mcb30@ipxe.org>
tags/v1.20.1
Michael Brown 5 years ago
parent
commit
b28ccfc725
2 changed files with 82 additions and 8 deletions
  1. 20
    0
      src/net/tls.c
  2. 62
    8
      src/net/validator.c

+ 20
- 0
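--- a/src/net/tls.c
+++ b/src/net/tls.c
@@ -47,6 +47,7 @@
 #include <ipxe/certstore.h>
 #include <ipxe/rbg.h>
 #include <ipxe/validator.h>
+#include <ipxe/job.h>
 #include <ipxe/tls.h>
 
 /* Disambiguate the various error causes */
@@ -2570,12 +2571,31 @@
 	return rc;
 }
 
+/**
+ * Report job progress
+ *
+ * @v tls		TLS connection
+ * @v progress		Progress report to fill in
+ * @ret ongoing_rc	Ongoing job status code (if known)
+ */
+static int tls_progress ( struct tls_connection *tls,
+			  struct job_progress *progress ) {
+
+	/* Return cipherstream or validator progress as applicable */
+	if ( tls_ready ( tls ) ) {
+		return job_progress ( &tls->cipherstream, progress );
+	} else {
+		return job_progress ( &tls->validator, progress );
+	}
+}
+
 /** TLS plaintext stream interface operations */
 static struct interface_operation tls_plainstream_ops[] = {
 	INTF_OP ( xfer_deliver, struct tls_connection *,
 		  tls_plainstream_deliver ),
 	INTF_OP ( xfer_window, struct tls_connection *,
 		  tls_plainstream_window ),
+	INTF_OP ( job_progress, struct tls_connection *, tls_progress ),
 	INTF_OP ( intf_close, struct tls_connection *, tls_close ),
 };
 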
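Review bot: The selector in tls_progress is `tls_ready()`, not "is the validator currently active", so in the handshake phases where the validator is idle or has already been closed the caller is still handed the validator's report, which (judging by validator_progress in this same commit) leaves `progress->message` untouched; whoever displays the status then sees a blank message rather than any handshake-in-progress indication. If that is the intended behaviour it deserves a sentence above the `if`, e.g. `/* Before the handshake completes only the validator has anything to report; an idle validator leaves the message blank */`. tls_ready() and the cipherstream/validator interface fields are defined outside the hunk, so a reset of the message elsewhere cannot be ruled out from here.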

+ 62
- 8
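--- a/src/net/validator.c
+++ b/src/net/validator.c
@@ -40,6 +40,7 @@
 #include <ipxe/base64.h>
 #include <ipxe/crc32.h>
 #include <ipxe/ocsp.h>
+#include <ipxe/job.h>
 #include <ipxe/validator.h>
 #include <config/crypto.h>
 
@@ -49,6 +50,17 @@
  *
  */
 
+struct validator;
+
+/** A certificate validator action */
+struct validator_action {
+	/** Name */
+	const char *name;
+	/** Action to take upon completed transfer */
+	int ( * done ) ( struct validator *validator, const void *data,
+			 size_t len );
+};
+
 /** A certificate validator */
 struct validator {
 	/** Reference count */
@@ -67,9 +79,16 @@
 	struct ocsp_check *ocsp;
 	/** Data buffer */
 	struct xfer_buffer buffer;
-	/** Action to take upon completed transfer */
-	int ( * done ) ( struct validator *validator, const void *data,
-			 size_t len );
+
+	/** Current action */
+	const struct validator_action *action;
+	/** Current certificate
+	 *
+	 * This will always be present within the certificate chain
+	 * and so this pointer does not hold a reference to the
+	 * certificate.
+	 */
+	struct x509_certificate *cert;
 };
 
 /**
@@ -123,8 +142,29 @@
  *
  */
 
+/**
+ * Report job progress
+ *
+ * @v validator		Certificate validator
+ * @v progress		Progress report to fill in
+ * @ret ongoing_rc	Ongoing job status code (if known)
+ */
+static int validator_progress ( struct validator *validator,
+				struct job_progress *progress ) {
+
+	/* Report current action, if applicable */
+	if ( validator->action ) {
+		snprintf ( progress->message, sizeof ( progress->message ),
+			   "%s %s", validator->action->name,
+			   x509_name ( validator->cert ) );
+	}
+
+	return 0;
+}
+
 /** Certificate validator job control interface operations */
 static struct interface_operation validator_job_operations[] = {
+	INTF_OP ( job_progress, struct validator *, validator_progress ),
 	INTF_OP ( intf_close, struct validator *, validator_finished ),
 };
 
@@ -236,6 +276,12 @@
 	return rc;
 }
 
+/** Cross-signing certificate download validator action */
+static const struct validator_action validator_crosscert = {
+	.name = "XCRT",
+	.done = validator_append,
+};
+
 /**
  * Start download of cross-signing certificate
  *
@@ -285,7 +331,8 @@
 	       x509_name ( cert ), uri_string );
 
 	/* Set completion handler */
-	validator->done = validator_append;
+	validator->action = &validator_crosscert;
+	validator->cert = cert;
 
 	/* Open URI */
 	if ( ( rc = xfer_open_uri_string ( &validator->xfer,
@@ -350,6 +397,12 @@
 	return 0;
 }
 
+/** OCSP validator action */
+static const struct validator_action validator_ocsp = {
+	.name = "OCSP",
+	.done = validator_ocsp_validate,
+};
+
 /**
  * Start OCSP check
  *
@@ -374,7 +427,8 @@
 	}
 
 	/* Set completion handler */
-	validator->done = validator_ocsp_validate;
+	validator->action = &validator_ocsp;
+	validator->cert = cert;
 
 	/* Open URI */
 	uri_string = validator->ocsp->uri_string;
@@ -421,9 +475,9 @@
 		validator, validator_name ( validator ) );
 
 	/* Process completed download */
-	assert ( validator->done != NULL );
-	if ( ( rc = validator->done ( validator, validator->buffer.data,
-				       validator->buffer.len ) ) != 0 )
+	assert ( validator->action != NULL );
+	if ( ( rc = validator->action->done ( validator, validator->buffer.data,
+					      validator->buffer.len ) ) != 0 )
 		goto err_append;
 
 	/* Free downloaded data */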
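Review bot: `validator->action` is set in both "Set completion handler" hunks but, within the visible lines of the completion handler in the last hunk, is never cleared after `validator->action->done` has run, so validator_progress keeps reporting `XCRT <name>` or `OCSP <name>` after the transfer has finished and the validator has gone back to walking the chain; the remainder of that function lies outside the hunk, so a reset there cannot be excluded from here. Clearing it right after the completion call, `validator->action = NULL;` on the line following the `goto err_append;` check, keeps the status message tied to an in-flight transfer. validator_progress also relies on `validator->cert` being non-NULL whenever `action` is; both start paths do assign them together, so a one-line `/* cert is always assigned alongside action */` above the snprintf would make that invariant explicit for the next maintainer.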
