您最多选择25个主题 主题必须以字母或数字开头,可以包含连字符 (-),并且长度不得超过35个字符

validator.c 15KB

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312313314315316317318319320321322323324325326327328329330331332333334335336337338339340341342343344345346347348349350351352353354355356357358359360361362363364365366367368369370371372373374375376377378379380381382383384385386387388389390391392393394395396397398399400401402403404405406407408409410411412413414415416417418419420421422423424425426427428429430431432433434435436437438439440441442443444445446447448449450451452453454455456457458459460461462463464465466467468469470471472473474475476477478479480481482483484485486487488489490491492493494495496497498499500501502503504505506507508509510511512513514515516517518519520521522523524525526527528529530531532533534535536537538539540541542543544545546547548549550551552553554555556557558559560561562563564565566567568569570571572573
  1. /*
  2. * Copyright (C) 2012 Michael Brown <mbrown@fensystems.co.uk>.
  3. *
  4. * This program is free software; you can redistribute it and/or
  5. * modify it under the terms of the GNU General Public License as
  6. * published by the Free Software Foundation; either version 2 of the
  7. * License, or (at your option) any later version.
  8. *
  9. * This program is distributed in the hope that it will be useful, but
  10. * WITHOUT ANY WARRANTY; without even the implied warranty of
  11. * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
  12. * General Public License for more details.
  13. *
  14. * You should have received a copy of the GNU General Public License
  15. * along with this program; if not, write to the Free Software
  16. * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
  17. * 02110-1301, USA.
  18. *
  19. * You can also choose to distribute this program under the terms of
  20. * the Unmodified Binary Distribution Licence (as given in the file
  21. * COPYING.UBDL), provided that you have satisfied its requirements.
  22. */
  23. FILE_LICENCE ( GPL2_OR_LATER_OR_UBDL );
  24. #include <string.h>
  25. #include <stdio.h>
  26. #include <errno.h>
  27. #include <ipxe/refcnt.h>
  28. #include <ipxe/malloc.h>
  29. #include <ipxe/interface.h>
  30. #include <ipxe/xfer.h>
  31. #include <ipxe/open.h>
  32. #include <ipxe/iobuf.h>
  33. #include <ipxe/xferbuf.h>
  34. #include <ipxe/process.h>
  35. #include <ipxe/x509.h>
  36. #include <ipxe/settings.h>
  37. #include <ipxe/dhcp.h>
  38. #include <ipxe/base64.h>
  39. #include <ipxe/crc32.h>
  40. #include <ipxe/ocsp.h>
  41. #include <ipxe/validator.h>
  42. /** @file
  43. *
  44. * Certificate validator
  45. *
  46. */
  47. /** A certificate validator */
  48. struct validator {
  49. /** Reference count */
  50. struct refcnt refcnt;
  51. /** Job control interface */
  52. struct interface job;
  53. /** Data transfer interface */
  54. struct interface xfer;
  55. /** Process */
  56. struct process process;
  57. /** X.509 certificate chain */
  58. struct x509_chain *chain;
  59. /** OCSP check */
  60. struct ocsp_check *ocsp;
  61. /** Data buffer */
  62. struct xfer_buffer buffer;
  63. /** Action to take upon completed transfer */
  64. int ( * done ) ( struct validator *validator, const void *data,
  65. size_t len );
  66. };
  67. /**
  68. * Free certificate validator
  69. *
  70. * @v refcnt Reference count
  71. */
  72. static void validator_free ( struct refcnt *refcnt ) {
  73. struct validator *validator =
  74. container_of ( refcnt, struct validator, refcnt );
  75. DBGC2 ( validator, "VALIDATOR %p freed\n", validator );
  76. x509_chain_put ( validator->chain );
  77. ocsp_put ( validator->ocsp );
  78. xferbuf_done ( &validator->buffer );
  79. free ( validator );
  80. }
  81. /**
  82. * Mark certificate validation as finished
  83. *
  84. * @v validator Certificate validator
  85. * @v rc Reason for finishing
  86. */
  87. static void validator_finished ( struct validator *validator, int rc ) {
  88. /* Remove process */
  89. process_del ( &validator->process );
  90. /* Close all interfaces */
  91. intf_shutdown ( &validator->xfer, rc );
  92. intf_shutdown ( &validator->job, rc );
  93. }
  94. /****************************************************************************
  95. *
  96. * Job control interface
  97. *
  98. */
  99. /** Certificate validator job control interface operations */
  100. static struct interface_operation validator_job_operations[] = {
  101. INTF_OP ( intf_close, struct validator *, validator_finished ),
  102. };
  103. /** Certificate validator job control interface descriptor */
  104. static struct interface_descriptor validator_job_desc =
  105. INTF_DESC ( struct validator, job, validator_job_operations );
  106. /****************************************************************************
  107. *
  108. * Cross-signing certificates
  109. *
  110. */
  111. /** Cross-signed certificate source setting */
  112. const struct setting crosscert_setting __setting ( SETTING_CRYPTO, crosscert )={
  113. .name = "crosscert",
  114. .description = "Cross-signed certificate source",
  115. .tag = DHCP_EB_CROSS_CERT,
  116. .type = &setting_type_string,
  117. };
  118. /** Default cross-signed certificate source */
  119. static const char crosscert_default[] = "http://ca.ipxe.org/auto";
  120. /**
  121. * Append cross-signing certificates to certificate chain
  122. *
  123. * @v validator Certificate validator
  124. * @v data Raw cross-signing certificate data
  125. * @v len Length of raw data
  126. * @ret rc Return status code
  127. */
  128. static int validator_append ( struct validator *validator,
  129. const void *data, size_t len ) {
  130. struct asn1_cursor cursor;
  131. struct x509_chain *certs;
  132. struct x509_certificate *cert;
  133. struct x509_certificate *last;
  134. int rc;
  135. /* Allocate certificate list */
  136. certs = x509_alloc_chain();
  137. if ( ! certs ) {
  138. rc = -ENOMEM;
  139. goto err_alloc_certs;
  140. }
  141. /* Initialise cursor */
  142. cursor.data = data;
  143. cursor.len = len;
  144. /* Enter certificateSet */
  145. if ( ( rc = asn1_enter ( &cursor, ASN1_SET ) ) != 0 ) {
  146. DBGC ( validator, "VALIDATOR %p could not enter "
  147. "certificateSet: %s\n", validator, strerror ( rc ) );
  148. goto err_certificateset;
  149. }
  150. /* Add each certificate to list */
  151. while ( cursor.len ) {
  152. /* Add certificate to chain */
  153. if ( ( rc = x509_append_raw ( certs, cursor.data,
  154. cursor.len ) ) != 0 ) {
  155. DBGC ( validator, "VALIDATOR %p could not append "
  156. "certificate: %s\n",
  157. validator, strerror ( rc) );
  158. DBGC_HDA ( validator, 0, cursor.data, cursor.len );
  159. return rc;
  160. }
  161. cert = x509_last ( certs );
  162. DBGC ( validator, "VALIDATOR %p found certificate %s\n",
  163. validator, x509_name ( cert ) );
  164. /* Move to next certificate */
  165. asn1_skip_any ( &cursor );
  166. }
  167. /* Append certificates to chain */
  168. last = x509_last ( validator->chain );
  169. if ( ( rc = x509_auto_append ( validator->chain, certs ) ) != 0 ) {
  170. DBGC ( validator, "VALIDATOR %p could not append "
  171. "certificates: %s\n", validator, strerror ( rc ) );
  172. goto err_auto_append;
  173. }
  174. /* Check that at least one certificate has been added */
  175. if ( last == x509_last ( validator->chain ) ) {
  176. DBGC ( validator, "VALIDATOR %p failed to append any "
  177. "applicable certificates\n", validator );
  178. rc = -EACCES;
  179. goto err_no_progress;
  180. }
  181. /* Drop reference to certificate list */
  182. x509_chain_put ( certs );
  183. return 0;
  184. err_no_progress:
  185. err_auto_append:
  186. err_certificateset:
  187. x509_chain_put ( certs );
  188. err_alloc_certs:
  189. return rc;
  190. }
  191. /**
  192. * Start download of cross-signing certificate
  193. *
  194. * @v validator Certificate validator
  195. * @v issuer Required issuer
  196. * @ret rc Return status code
  197. */
  198. static int validator_start_download ( struct validator *validator,
  199. const struct asn1_cursor *issuer ) {
  200. const char *crosscert;
  201. char *crosscert_copy;
  202. char *uri_string;
  203. size_t uri_string_len;
  204. uint32_t crc;
  205. int len;
  206. int rc;
  207. /* Determine cross-signed certificate source */
  208. fetch_string_setting_copy ( NULL, &crosscert_setting, &crosscert_copy );
  209. crosscert = ( crosscert_copy ? crosscert_copy : crosscert_default );
  210. /* Allocate URI string */
  211. uri_string_len = ( strlen ( crosscert ) + 22 /* "/%08x.der?subject=" */
  212. + base64_encoded_len ( issuer->len ) + 1 /* NUL */ );
  213. uri_string = zalloc ( uri_string_len );
  214. if ( ! uri_string ) {
  215. rc = -ENOMEM;
  216. goto err_alloc_uri_string;
  217. }
  218. /* Generate CRC32 */
  219. crc = crc32_le ( 0xffffffffUL, issuer->data, issuer->len );
  220. /* Generate URI string */
  221. len = snprintf ( uri_string, uri_string_len, "%s/%08x.der?subject=",
  222. crosscert, crc );
  223. base64_encode ( issuer->data, issuer->len, ( uri_string + len ),
  224. ( uri_string_len - len ) );
  225. DBGC ( validator, "VALIDATOR %p downloading cross-signed certificate "
  226. "from %s\n", validator, uri_string );
  227. /* Set completion handler */
  228. validator->done = validator_append;
  229. /* Open URI */
  230. if ( ( rc = xfer_open_uri_string ( &validator->xfer,
  231. uri_string ) ) != 0 ) {
  232. DBGC ( validator, "VALIDATOR %p could not open %s: %s\n",
  233. validator, uri_string, strerror ( rc ) );
  234. goto err_open_uri_string;
  235. }
  236. /* Success */
  237. rc = 0;
  238. err_open_uri_string:
  239. free ( uri_string );
  240. err_alloc_uri_string:
  241. free ( crosscert_copy );
  242. return rc;
  243. }
  244. /****************************************************************************
  245. *
  246. * OCSP checks
  247. *
  248. */
  249. /**
  250. * Validate OCSP response
  251. *
  252. * @v validator Certificate validator
  253. * @v data Raw OCSP response
  254. * @v len Length of raw data
  255. * @ret rc Return status code
  256. */
  257. static int validator_ocsp_validate ( struct validator *validator,
  258. const void *data, size_t len ) {
  259. time_t now;
  260. int rc;
  261. /* Record OCSP response */
  262. if ( ( rc = ocsp_response ( validator->ocsp, data, len ) ) != 0 ) {
  263. DBGC ( validator, "VALIDATOR %p could not record OCSP "
  264. "response: %s\n", validator, strerror ( rc ) );
  265. return rc;
  266. }
  267. /* Validate OCSP response */
  268. now = time ( NULL );
  269. if ( ( rc = ocsp_validate ( validator->ocsp, now ) ) != 0 ) {
  270. DBGC ( validator, "VALIDATOR %p could not validate OCSP "
  271. "response: %s\n", validator, strerror ( rc ) );
  272. return rc;
  273. }
  274. /* Drop reference to OCSP check */
  275. ocsp_put ( validator->ocsp );
  276. validator->ocsp = NULL;
  277. return 0;
  278. }
  279. /**
  280. * Start OCSP check
  281. *
  282. * @v validator Certificate validator
  283. * @v cert Certificate to check
  284. * @v issuer Issuing certificate
  285. * @ret rc Return status code
  286. */
  287. static int validator_start_ocsp ( struct validator *validator,
  288. struct x509_certificate *cert,
  289. struct x509_certificate *issuer ) {
  290. const char *uri_string;
  291. int rc;
  292. /* Create OCSP check */
  293. assert ( validator->ocsp == NULL );
  294. if ( ( rc = ocsp_check ( cert, issuer, &validator->ocsp ) ) != 0 ) {
  295. DBGC ( validator, "VALIDATOR %p could not create OCSP check: "
  296. "%s\n", validator, strerror ( rc ) );
  297. return rc;
  298. }
  299. /* Set completion handler */
  300. validator->done = validator_ocsp_validate;
  301. /* Open URI */
  302. uri_string = validator->ocsp->uri_string;
  303. DBGC ( validator, "VALIDATOR %p performing OCSP check at %s\n",
  304. validator, uri_string );
  305. if ( ( rc = xfer_open_uri_string ( &validator->xfer,
  306. uri_string ) ) != 0 ) {
  307. DBGC ( validator, "VALIDATOR %p could not open %s: %s\n",
  308. validator, uri_string, strerror ( rc ) );
  309. return rc;
  310. }
  311. return 0;
  312. }
  313. /****************************************************************************
  314. *
  315. * Data transfer interface
  316. *
  317. */
  318. /**
  319. * Close data transfer interface
  320. *
  321. * @v validator Certificate validator
  322. * @v rc Reason for close
  323. */
  324. static void validator_xfer_close ( struct validator *validator, int rc ) {
  325. /* Close data transfer interface */
  326. intf_restart ( &validator->xfer, rc );
  327. /* Check for errors */
  328. if ( rc != 0 ) {
  329. DBGC ( validator, "VALIDATOR %p transfer failed: %s\n",
  330. validator, strerror ( rc ) );
  331. goto err_transfer;
  332. }
  333. DBGC2 ( validator, "VALIDATOR %p transfer complete\n", validator );
  334. /* Process completed download */
  335. assert ( validator->done != NULL );
  336. if ( ( rc = validator->done ( validator, validator->buffer.data,
  337. validator->buffer.len ) ) != 0 )
  338. goto err_append;
  339. /* Free downloaded data */
  340. xferbuf_done ( &validator->buffer );
  341. /* Resume validation process */
  342. process_add ( &validator->process );
  343. return;
  344. err_append:
  345. err_transfer:
  346. validator_finished ( validator, rc );
  347. }
  348. /**
  349. * Receive data
  350. *
  351. * @v validator Certificate validator
  352. * @v iobuf I/O buffer
  353. * @v meta Data transfer metadata
  354. * @ret rc Return status code
  355. */
  356. static int validator_xfer_deliver ( struct validator *validator,
  357. struct io_buffer *iobuf,
  358. struct xfer_metadata *meta ) {
  359. int rc;
  360. /* Add data to buffer */
  361. if ( ( rc = xferbuf_deliver ( &validator->buffer, iob_disown ( iobuf ),
  362. meta ) ) != 0 ) {
  363. DBGC ( validator, "VALIDATOR %p could not receive data: %s\n",
  364. validator, strerror ( rc ) );
  365. validator_finished ( validator, rc );
  366. return rc;
  367. }
  368. return 0;
  369. }
  370. /** Certificate validator data transfer interface operations */
  371. static struct interface_operation validator_xfer_operations[] = {
  372. INTF_OP ( xfer_deliver, struct validator *, validator_xfer_deliver ),
  373. INTF_OP ( intf_close, struct validator *, validator_xfer_close ),
  374. };
  375. /** Certificate validator data transfer interface descriptor */
  376. static struct interface_descriptor validator_xfer_desc =
  377. INTF_DESC ( struct validator, xfer, validator_xfer_operations );
  378. /****************************************************************************
  379. *
  380. * Validation process
  381. *
  382. */
  383. /**
  384. * Certificate validation process
  385. *
  386. * @v validator Certificate validator
  387. */
  388. static void validator_step ( struct validator *validator ) {
  389. struct x509_link *link;
  390. struct x509_certificate *cert;
  391. struct x509_certificate *issuer = NULL;
  392. struct x509_certificate *last;
  393. time_t now;
  394. int rc;
  395. /* Try validating chain. Try even if the chain is incomplete,
  396. * since certificates may already have been validated
  397. * previously.
  398. */
  399. now = time ( NULL );
  400. if ( ( rc = x509_validate_chain ( validator->chain, now, NULL,
  401. NULL ) ) == 0 ) {
  402. validator_finished ( validator, 0 );
  403. return;
  404. }
  405. /* If there is a certificate that could be validated using
  406. * OCSP, try it.
  407. */
  408. list_for_each_entry ( link, &validator->chain->links, list ) {
  409. cert = issuer;
  410. issuer = link->cert;
  411. if ( ! cert )
  412. continue;
  413. if ( ! issuer->valid )
  414. continue;
  415. /* The issuer is valid, but this certificate is not
  416. * yet valid. If OCSP is applicable, start it.
  417. */
  418. if ( cert->extensions.auth_info.ocsp.uri.len &&
  419. ( ! cert->extensions.auth_info.ocsp.good ) ) {
  420. /* Start OCSP */
  421. if ( ( rc = validator_start_ocsp ( validator, cert,
  422. issuer ) ) != 0 ) {
  423. validator_finished ( validator, rc );
  424. return;
  425. }
  426. return;
  427. }
  428. /* Otherwise, this is a permanent failure */
  429. validator_finished ( validator, rc );
  430. return;
  431. }
  432. /* If chain ends with a self-issued certificate, then there is
  433. * nothing more to do.
  434. */
  435. last = x509_last ( validator->chain );
  436. if ( asn1_compare ( &last->issuer.raw, &last->subject.raw ) == 0 ) {
  437. validator_finished ( validator, rc );
  438. return;
  439. }
  440. /* Otherwise, try to download a suitable cross-signing
  441. * certificate.
  442. */
  443. if ( ( rc = validator_start_download ( validator,
  444. &last->issuer.raw ) ) != 0 ) {
  445. validator_finished ( validator, rc );
  446. return;
  447. }
  448. }
  449. /** Certificate validator process descriptor */
  450. static struct process_descriptor validator_process_desc =
  451. PROC_DESC_ONCE ( struct validator, process, validator_step );
  452. /****************************************************************************
  453. *
  454. * Instantiator
  455. *
  456. */
  457. /**
  458. * Instantiate a certificate validator
  459. *
  460. * @v job Job control interface
  461. * @v chain X.509 certificate chain
  462. * @ret rc Return status code
  463. */
  464. int create_validator ( struct interface *job, struct x509_chain *chain ) {
  465. struct validator *validator;
  466. int rc;
  467. /* Sanity check */
  468. if ( ! chain ) {
  469. rc = -EINVAL;
  470. goto err_sanity;
  471. }
  472. /* Allocate and initialise structure */
  473. validator = zalloc ( sizeof ( *validator ) );
  474. if ( ! validator ) {
  475. rc = -ENOMEM;
  476. goto err_alloc;
  477. }
  478. ref_init ( &validator->refcnt, validator_free );
  479. intf_init ( &validator->job, &validator_job_desc,
  480. &validator->refcnt );
  481. intf_init ( &validator->xfer, &validator_xfer_desc,
  482. &validator->refcnt );
  483. process_init ( &validator->process, &validator_process_desc,
  484. &validator->refcnt );
  485. validator->chain = x509_chain_get ( chain );
  486. /* Attach parent interface, mortalise self, and return */
  487. intf_plug_plug ( &validator->job, job );
  488. ref_put ( &validator->refcnt );
  489. DBGC2 ( validator, "VALIDATOR %p validating X509 chain %p\n",
  490. validator, validator->chain );
  491. return 0;
  492. validator_finished ( validator, rc );
  493. ref_put ( &validator->refcnt );
  494. err_alloc:
  495. err_sanity:
  496. return rc;
  497. }