123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312313314315316317318319320321322323324325326327328329330331332333334335336337338339340341342343344345346347348349350351352353354355356357358359360361362363364365366367368369370371372373374375376377378379380381382383384385386387388389390391392393394395396397398399400401402403404405406407408409410411412413414415416417418419420421422423424425426427428429430431432433434435436437438439440441442443444445446447448449450451452453454455456457458459460461462463464465466467468469470471472473474475476477478479480481482483484485486487488489490491492493494495496497498499500501502503504505506507508509510511512513514515516517518519520521522523524525526527528529530531532533534535536537538539540541542543544545546547548549550551552553554555556557558559560561562563564565566567568569570571572573 |
- /*
- * Copyright (C) 2012 Michael Brown <mbrown@fensystems.co.uk>.
- *
- * This program is free software; you can redistribute it and/or
- * modify it under the terms of the GNU General Public License as
- * published by the Free Software Foundation; either version 2 of the
- * License, or (at your option) any later version.
- *
- * This program is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of
- * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
- * General Public License for more details.
- *
- * You should have received a copy of the GNU General Public License
- * along with this program; if not, write to the Free Software
- * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
- * 02110-1301, USA.
- *
- * You can also choose to distribute this program under the terms of
- * the Unmodified Binary Distribution Licence (as given in the file
- * COPYING.UBDL), provided that you have satisfied its requirements.
- */
-
- FILE_LICENCE ( GPL2_OR_LATER_OR_UBDL );
-
- #include <string.h>
- #include <stdio.h>
- #include <errno.h>
- #include <ipxe/refcnt.h>
- #include <ipxe/malloc.h>
- #include <ipxe/interface.h>
- #include <ipxe/xfer.h>
- #include <ipxe/open.h>
- #include <ipxe/iobuf.h>
- #include <ipxe/xferbuf.h>
- #include <ipxe/process.h>
- #include <ipxe/x509.h>
- #include <ipxe/settings.h>
- #include <ipxe/dhcp.h>
- #include <ipxe/base64.h>
- #include <ipxe/crc32.h>
- #include <ipxe/ocsp.h>
- #include <ipxe/validator.h>
-
- /** @file
- *
- * Certificate validator
- *
- */
-
- /** A certificate validator */
- struct validator {
- /** Reference count */
- struct refcnt refcnt;
- /** Job control interface */
- struct interface job;
- /** Data transfer interface */
- struct interface xfer;
-
- /** Process */
- struct process process;
-
- /** X.509 certificate chain */
- struct x509_chain *chain;
- /** OCSP check */
- struct ocsp_check *ocsp;
- /** Data buffer */
- struct xfer_buffer buffer;
- /** Action to take upon completed transfer */
- int ( * done ) ( struct validator *validator, const void *data,
- size_t len );
- };
-
- /**
- * Free certificate validator
- *
- * @v refcnt Reference count
- */
- static void validator_free ( struct refcnt *refcnt ) {
- struct validator *validator =
- container_of ( refcnt, struct validator, refcnt );
-
- DBGC2 ( validator, "VALIDATOR %p freed\n", validator );
- x509_chain_put ( validator->chain );
- ocsp_put ( validator->ocsp );
- xferbuf_done ( &validator->buffer );
- free ( validator );
- }
-
- /**
- * Mark certificate validation as finished
- *
- * @v validator Certificate validator
- * @v rc Reason for finishing
- */
- static void validator_finished ( struct validator *validator, int rc ) {
-
- /* Remove process */
- process_del ( &validator->process );
-
- /* Close all interfaces */
- intf_shutdown ( &validator->xfer, rc );
- intf_shutdown ( &validator->job, rc );
- }
-
- /****************************************************************************
- *
- * Job control interface
- *
- */
-
- /** Certificate validator job control interface operations */
- static struct interface_operation validator_job_operations[] = {
- INTF_OP ( intf_close, struct validator *, validator_finished ),
- };
-
- /** Certificate validator job control interface descriptor */
- static struct interface_descriptor validator_job_desc =
- INTF_DESC ( struct validator, job, validator_job_operations );
-
- /****************************************************************************
- *
- * Cross-signing certificates
- *
- */
-
- /** Cross-signed certificate source setting */
- const struct setting crosscert_setting __setting ( SETTING_CRYPTO, crosscert )={
- .name = "crosscert",
- .description = "Cross-signed certificate source",
- .tag = DHCP_EB_CROSS_CERT,
- .type = &setting_type_string,
- };
-
- /** Default cross-signed certificate source */
- static const char crosscert_default[] = "http://ca.ipxe.org/auto";
-
- /**
- * Append cross-signing certificates to certificate chain
- *
- * @v validator Certificate validator
- * @v data Raw cross-signing certificate data
- * @v len Length of raw data
- * @ret rc Return status code
- */
- static int validator_append ( struct validator *validator,
- const void *data, size_t len ) {
- struct asn1_cursor cursor;
- struct x509_chain *certs;
- struct x509_certificate *cert;
- struct x509_certificate *last;
- int rc;
-
- /* Allocate certificate list */
- certs = x509_alloc_chain();
- if ( ! certs ) {
- rc = -ENOMEM;
- goto err_alloc_certs;
- }
-
- /* Initialise cursor */
- cursor.data = data;
- cursor.len = len;
-
- /* Enter certificateSet */
- if ( ( rc = asn1_enter ( &cursor, ASN1_SET ) ) != 0 ) {
- DBGC ( validator, "VALIDATOR %p could not enter "
- "certificateSet: %s\n", validator, strerror ( rc ) );
- goto err_certificateset;
- }
-
- /* Add each certificate to list */
- while ( cursor.len ) {
-
- /* Add certificate to chain */
- if ( ( rc = x509_append_raw ( certs, cursor.data,
- cursor.len ) ) != 0 ) {
- DBGC ( validator, "VALIDATOR %p could not append "
- "certificate: %s\n",
- validator, strerror ( rc) );
- DBGC_HDA ( validator, 0, cursor.data, cursor.len );
- return rc;
- }
- cert = x509_last ( certs );
- DBGC ( validator, "VALIDATOR %p found certificate %s\n",
- validator, x509_name ( cert ) );
-
- /* Move to next certificate */
- asn1_skip_any ( &cursor );
- }
-
- /* Append certificates to chain */
- last = x509_last ( validator->chain );
- if ( ( rc = x509_auto_append ( validator->chain, certs ) ) != 0 ) {
- DBGC ( validator, "VALIDATOR %p could not append "
- "certificates: %s\n", validator, strerror ( rc ) );
- goto err_auto_append;
- }
-
- /* Check that at least one certificate has been added */
- if ( last == x509_last ( validator->chain ) ) {
- DBGC ( validator, "VALIDATOR %p failed to append any "
- "applicable certificates\n", validator );
- rc = -EACCES;
- goto err_no_progress;
- }
-
- /* Drop reference to certificate list */
- x509_chain_put ( certs );
-
- return 0;
-
- err_no_progress:
- err_auto_append:
- err_certificateset:
- x509_chain_put ( certs );
- err_alloc_certs:
- return rc;
- }
-
- /**
- * Start download of cross-signing certificate
- *
- * @v validator Certificate validator
- * @v issuer Required issuer
- * @ret rc Return status code
- */
- static int validator_start_download ( struct validator *validator,
- const struct asn1_cursor *issuer ) {
- const char *crosscert;
- char *crosscert_copy;
- char *uri_string;
- size_t uri_string_len;
- uint32_t crc;
- int len;
- int rc;
-
- /* Determine cross-signed certificate source */
- fetch_string_setting_copy ( NULL, &crosscert_setting, &crosscert_copy );
- crosscert = ( crosscert_copy ? crosscert_copy : crosscert_default );
-
- /* Allocate URI string */
- uri_string_len = ( strlen ( crosscert ) + 22 /* "/%08x.der?subject=" */
- + base64_encoded_len ( issuer->len ) + 1 /* NUL */ );
- uri_string = zalloc ( uri_string_len );
- if ( ! uri_string ) {
- rc = -ENOMEM;
- goto err_alloc_uri_string;
- }
-
- /* Generate CRC32 */
- crc = crc32_le ( 0xffffffffUL, issuer->data, issuer->len );
-
- /* Generate URI string */
- len = snprintf ( uri_string, uri_string_len, "%s/%08x.der?subject=",
- crosscert, crc );
- base64_encode ( issuer->data, issuer->len, ( uri_string + len ),
- ( uri_string_len - len ) );
- DBGC ( validator, "VALIDATOR %p downloading cross-signed certificate "
- "from %s\n", validator, uri_string );
-
- /* Set completion handler */
- validator->done = validator_append;
-
- /* Open URI */
- if ( ( rc = xfer_open_uri_string ( &validator->xfer,
- uri_string ) ) != 0 ) {
- DBGC ( validator, "VALIDATOR %p could not open %s: %s\n",
- validator, uri_string, strerror ( rc ) );
- goto err_open_uri_string;
- }
-
- /* Success */
- rc = 0;
-
- err_open_uri_string:
- free ( uri_string );
- err_alloc_uri_string:
- free ( crosscert_copy );
- return rc;
- }
-
- /****************************************************************************
- *
- * OCSP checks
- *
- */
-
- /**
- * Validate OCSP response
- *
- * @v validator Certificate validator
- * @v data Raw OCSP response
- * @v len Length of raw data
- * @ret rc Return status code
- */
- static int validator_ocsp_validate ( struct validator *validator,
- const void *data, size_t len ) {
- time_t now;
- int rc;
-
- /* Record OCSP response */
- if ( ( rc = ocsp_response ( validator->ocsp, data, len ) ) != 0 ) {
- DBGC ( validator, "VALIDATOR %p could not record OCSP "
- "response: %s\n", validator, strerror ( rc ) );
- return rc;
- }
-
- /* Validate OCSP response */
- now = time ( NULL );
- if ( ( rc = ocsp_validate ( validator->ocsp, now ) ) != 0 ) {
- DBGC ( validator, "VALIDATOR %p could not validate OCSP "
- "response: %s\n", validator, strerror ( rc ) );
- return rc;
- }
-
- /* Drop reference to OCSP check */
- ocsp_put ( validator->ocsp );
- validator->ocsp = NULL;
-
- return 0;
- }
-
- /**
- * Start OCSP check
- *
- * @v validator Certificate validator
- * @v cert Certificate to check
- * @v issuer Issuing certificate
- * @ret rc Return status code
- */
- static int validator_start_ocsp ( struct validator *validator,
- struct x509_certificate *cert,
- struct x509_certificate *issuer ) {
- const char *uri_string;
- int rc;
-
- /* Create OCSP check */
- assert ( validator->ocsp == NULL );
- if ( ( rc = ocsp_check ( cert, issuer, &validator->ocsp ) ) != 0 ) {
- DBGC ( validator, "VALIDATOR %p could not create OCSP check: "
- "%s\n", validator, strerror ( rc ) );
- return rc;
- }
-
- /* Set completion handler */
- validator->done = validator_ocsp_validate;
-
- /* Open URI */
- uri_string = validator->ocsp->uri_string;
- DBGC ( validator, "VALIDATOR %p performing OCSP check at %s\n",
- validator, uri_string );
- if ( ( rc = xfer_open_uri_string ( &validator->xfer,
- uri_string ) ) != 0 ) {
- DBGC ( validator, "VALIDATOR %p could not open %s: %s\n",
- validator, uri_string, strerror ( rc ) );
- return rc;
- }
-
- return 0;
- }
-
- /****************************************************************************
- *
- * Data transfer interface
- *
- */
-
- /**
- * Close data transfer interface
- *
- * @v validator Certificate validator
- * @v rc Reason for close
- */
- static void validator_xfer_close ( struct validator *validator, int rc ) {
-
- /* Close data transfer interface */
- intf_restart ( &validator->xfer, rc );
-
- /* Check for errors */
- if ( rc != 0 ) {
- DBGC ( validator, "VALIDATOR %p transfer failed: %s\n",
- validator, strerror ( rc ) );
- goto err_transfer;
- }
- DBGC2 ( validator, "VALIDATOR %p transfer complete\n", validator );
-
- /* Process completed download */
- assert ( validator->done != NULL );
- if ( ( rc = validator->done ( validator, validator->buffer.data,
- validator->buffer.len ) ) != 0 )
- goto err_append;
-
- /* Free downloaded data */
- xferbuf_done ( &validator->buffer );
-
- /* Resume validation process */
- process_add ( &validator->process );
-
- return;
-
- err_append:
- err_transfer:
- validator_finished ( validator, rc );
- }
-
- /**
- * Receive data
- *
- * @v validator Certificate validator
- * @v iobuf I/O buffer
- * @v meta Data transfer metadata
- * @ret rc Return status code
- */
- static int validator_xfer_deliver ( struct validator *validator,
- struct io_buffer *iobuf,
- struct xfer_metadata *meta ) {
- int rc;
-
- /* Add data to buffer */
- if ( ( rc = xferbuf_deliver ( &validator->buffer, iob_disown ( iobuf ),
- meta ) ) != 0 ) {
- DBGC ( validator, "VALIDATOR %p could not receive data: %s\n",
- validator, strerror ( rc ) );
- validator_finished ( validator, rc );
- return rc;
- }
-
- return 0;
- }
-
- /** Certificate validator data transfer interface operations */
- static struct interface_operation validator_xfer_operations[] = {
- INTF_OP ( xfer_deliver, struct validator *, validator_xfer_deliver ),
- INTF_OP ( intf_close, struct validator *, validator_xfer_close ),
- };
-
- /** Certificate validator data transfer interface descriptor */
- static struct interface_descriptor validator_xfer_desc =
- INTF_DESC ( struct validator, xfer, validator_xfer_operations );
-
- /****************************************************************************
- *
- * Validation process
- *
- */
-
- /**
- * Certificate validation process
- *
- * @v validator Certificate validator
- */
- static void validator_step ( struct validator *validator ) {
- struct x509_link *link;
- struct x509_certificate *cert;
- struct x509_certificate *issuer = NULL;
- struct x509_certificate *last;
- time_t now;
- int rc;
-
- /* Try validating chain. Try even if the chain is incomplete,
- * since certificates may already have been validated
- * previously.
- */
- now = time ( NULL );
- if ( ( rc = x509_validate_chain ( validator->chain, now, NULL,
- NULL ) ) == 0 ) {
- validator_finished ( validator, 0 );
- return;
- }
-
- /* If there is a certificate that could be validated using
- * OCSP, try it.
- */
- list_for_each_entry ( link, &validator->chain->links, list ) {
- cert = issuer;
- issuer = link->cert;
- if ( ! cert )
- continue;
- if ( ! issuer->valid )
- continue;
- /* The issuer is valid, but this certificate is not
- * yet valid. If OCSP is applicable, start it.
- */
- if ( cert->extensions.auth_info.ocsp.uri.len &&
- ( ! cert->extensions.auth_info.ocsp.good ) ) {
- /* Start OCSP */
- if ( ( rc = validator_start_ocsp ( validator, cert,
- issuer ) ) != 0 ) {
- validator_finished ( validator, rc );
- return;
- }
- return;
- }
- /* Otherwise, this is a permanent failure */
- validator_finished ( validator, rc );
- return;
- }
-
- /* If chain ends with a self-issued certificate, then there is
- * nothing more to do.
- */
- last = x509_last ( validator->chain );
- if ( asn1_compare ( &last->issuer.raw, &last->subject.raw ) == 0 ) {
- validator_finished ( validator, rc );
- return;
- }
-
- /* Otherwise, try to download a suitable cross-signing
- * certificate.
- */
- if ( ( rc = validator_start_download ( validator,
- &last->issuer.raw ) ) != 0 ) {
- validator_finished ( validator, rc );
- return;
- }
- }
-
- /** Certificate validator process descriptor */
- static struct process_descriptor validator_process_desc =
- PROC_DESC_ONCE ( struct validator, process, validator_step );
-
- /****************************************************************************
- *
- * Instantiator
- *
- */
-
- /**
- * Instantiate a certificate validator
- *
- * @v job Job control interface
- * @v chain X.509 certificate chain
- * @ret rc Return status code
- */
- int create_validator ( struct interface *job, struct x509_chain *chain ) {
- struct validator *validator;
- int rc;
-
- /* Sanity check */
- if ( ! chain ) {
- rc = -EINVAL;
- goto err_sanity;
- }
-
- /* Allocate and initialise structure */
- validator = zalloc ( sizeof ( *validator ) );
- if ( ! validator ) {
- rc = -ENOMEM;
- goto err_alloc;
- }
- ref_init ( &validator->refcnt, validator_free );
- intf_init ( &validator->job, &validator_job_desc,
- &validator->refcnt );
- intf_init ( &validator->xfer, &validator_xfer_desc,
- &validator->refcnt );
- process_init ( &validator->process, &validator_process_desc,
- &validator->refcnt );
- validator->chain = x509_chain_get ( chain );
-
- /* Attach parent interface, mortalise self, and return */
- intf_plug_plug ( &validator->job, job );
- ref_put ( &validator->refcnt );
- DBGC2 ( validator, "VALIDATOR %p validating X509 chain %p\n",
- validator, validator->chain );
- return 0;
-
- validator_finished ( validator, rc );
- ref_put ( &validator->refcnt );
- err_alloc:
- err_sanity:
- return rc;
- }
|