

  1. /*
  2. * Copyright (C) 2012 Michael Brown <mbrown@fensystems.co.uk>.
  3. *
  4. * This program is free software; you can redistribute it and/or
  5. * modify it under the terms of the GNU General Public License as
  6. * published by the Free Software Foundation; either version 2 of the
  7. * License, or (at your option) any later version.
  8. *
  9. * This program is distributed in the hope that it will be useful, but
  10. * WITHOUT ANY WARRANTY; without even the implied warranty of
  11. * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
  12. * General Public License for more details.
  13. *
  14. * You should have received a copy of the GNU General Public License
  15. * along with this program; if not, write to the Free Software
  16. * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
  17. * 02110-1301, USA.
  18. */
  19. FILE_LICENCE ( GPL2_OR_LATER );
  20. #include <string.h>
  21. #include <stdio.h>
  22. #include <errno.h>
  23. #include <ipxe/refcnt.h>
  24. #include <ipxe/malloc.h>
  25. #include <ipxe/interface.h>
  26. #include <ipxe/xfer.h>
  27. #include <ipxe/open.h>
  28. #include <ipxe/iobuf.h>
  29. #include <ipxe/xferbuf.h>
  30. #include <ipxe/process.h>
  31. #include <ipxe/x509.h>
  32. #include <ipxe/settings.h>
  33. #include <ipxe/dhcp.h>
  34. #include <ipxe/base64.h>
  35. #include <ipxe/crc32.h>
  36. #include <ipxe/ocsp.h>
  37. #include <ipxe/validator.h>
  38. /** @file
  39. *
  40. * Certificate validator
  41. *
  42. */
/** A certificate validator
 *
 * Owns one X.509 chain and drives it to a validated state by
 * downloading whatever is missing (cross-signing certificates, OCSP
 * responses), one transfer at a time.  Layout is relied upon by
 * container_of() and the INTF_DESC/PROC_DESC descriptors below, so
 * fields are not reordered.
 */
struct validator {
	/** Reference count (destructor: validator_free) */
	struct refcnt refcnt;
	/** Job control interface (towards the owner that called create_validator) */
	struct interface job;
	/** Data transfer interface (the single download in progress, if any) */
	struct interface xfer;
	/** Process (runs validator_step once per scheduling) */
	struct process process;
	/** X.509 certificate chain (reference held; released in validator_free) */
	struct x509_chain *chain;
	/** OCSP check
	 *
	 * NULL except between validator_start_ocsp() and a successful
	 * validator_ocsp_validate(); validator_free() drops it otherwise.
	 */
	struct ocsp_check *ocsp;
	/** Data buffer
	 *
	 * Accumulates the body of the current download
	 * (validator_xfer_deliver) until validator_xfer_close() hands
	 * it to done().
	 */
	struct xfer_buffer buffer;
	/** Action to take upon completed transfer
	 *
	 * Either validator_append or validator_ocsp_validate, chosen by
	 * whichever start routine opened the transfer.  The data is raw
	 * network input and is parsed by the callee.
	 */
	int ( * done ) ( struct validator *validator, const void *data,
			 size_t len );
};
/**
 * Free certificate validator
 *
 * Reference-count destructor installed by create_validator(); runs
 * when the last reference to the validator is dropped.
 *
 * @v refcnt		Reference count
 */
static void validator_free ( struct refcnt *refcnt ) {
	struct validator *v = container_of ( refcnt, struct validator, refcnt );

	DBGC2 ( v, "VALIDATOR %p freed\n", v );

	/* Drop the chain reference taken by create_validator() */
	x509_chain_put ( v->chain );

	/* ocsp is NULL unless a check was started and never completed
	 * (validator_ocsp_validate clears it on success), so ocsp_put()
	 * is presumably NULL-tolerant — confirm against its definition.
	 */
	ocsp_put ( v->ocsp );

	/* Discard any download data still buffered (e.g. after a
	 * failed done() callback, which leaves the buffer in place)
	 */
	xferbuf_done ( &v->buffer );

	free ( v );
}
/**
 * Mark certificate validation as finished
 *
 * Terminal state for the validator: rc == 0 is reached only from
 * validator_step() after x509_validate_chain() succeeds; any other
 * value is the failure reported to the job owner.
 *
 * @v validator		Certificate validator
 * @v rc		Reason for finishing
 */
static void validator_finished ( struct validator *validator, int rc ) {
	/* Make sure validator_step() is never scheduled again */
	process_del ( &validator->process );

	/* Shut down the download side first, then report to the
	 * owner through the job interface (ordering kept as-is).
	 */
	intf_shutdown ( &validator->xfer, rc );
	intf_shutdown ( &validator->job, rc );
}
  90. /****************************************************************************
  91. *
  92. * Job control interface
  93. *
  94. */
/** Certificate validator job control interface operations */
static struct interface_operation validator_job_operations[] = {
	/* The owner closing its end aborts validation; the owner's
	 * status code is passed straight through to validator_finished.
	 */
	INTF_OP ( intf_close, struct validator *, validator_finished ),
};

/** Certificate validator job control interface descriptor */
static struct interface_descriptor validator_job_desc =
	INTF_DESC ( struct validator, job, validator_job_operations );
  102. /****************************************************************************
  103. *
  104. * Cross-signing certificates
  105. *
  106. */
/** Cross-signed certificate source setting
 *
 * Carried by DHCP option DHCP_EB_CROSS_CERT, so it may be supplied by
 * the local network rather than the operator.  Used as the URL prefix
 * in validator_start_download().
 */
struct setting crosscert_setting __setting ( SETTING_CRYPTO ) = {
	.name = "crosscert",
	.description = "Cross-signed certificate source",
	.tag = DHCP_EB_CROSS_CERT,
	.type = &setting_type_string,
};

/** Default cross-signed certificate source
 *
 * Plain HTTP by design: the validator does not rely on the transport
 * for trust.  Anything downloaded from here is only appended via
 * x509_auto_append() and still has to pass x509_validate_chain() in
 * validator_step() before validation succeeds.
 */
static const char crosscert_default[] = "http://ca.ipxe.org/auto";
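/**
 * Append cross-signing certificates to certificate chain
 *
 * Completion handler for the download started by
 * validator_start_download().  The data is the raw body served by the
 * "crosscert" source and is treated as untrusted: it is parsed as a
 * DER certificateSet, each certificate is parsed by x509_append_raw(),
 * and only those that x509_auto_append() accepts as extending the
 * chain are kept.  Trust is decided later, by x509_validate_chain()
 * in validator_step().
 *
 * Failing with -EACCES when nothing was appended is what prevents an
 * endless re-download loop: validator_step() would otherwise request
 * the same issuer again.
 *
 * Fix: a failure inside the parsing loop used to return directly and
 * leak the temporary chain; it now goes through the common cleanup.
 *
 * @v validator		Certificate validator
 * @v data		Raw cross-signing certificate data
 * @v len		Length of raw data
 * @ret rc		Return status code
 */
static int validator_append ( struct validator *validator,
			      const void *data, size_t len ) {
	struct asn1_cursor cursor;
	struct x509_chain *certs;
	struct x509_certificate *cert;
	struct x509_certificate *last;
	int rc;

	/* Allocate temporary certificate list */
	certs = x509_alloc_chain();
	if ( ! certs ) {
		rc = -ENOMEM;
		goto err_alloc_certs;
	}

	/* Initialise cursor over the downloaded body */
	cursor.data = data;
	cursor.len = len;

	/* Enter certificateSet (also rejects an empty download) */
	if ( ( rc = asn1_enter ( &cursor, ASN1_SET ) ) != 0 ) {
		DBGC ( validator, "VALIDATOR %p could not enter "
		       "certificateSet: %s\n", validator, strerror ( rc ) );
		goto err_certificateset;
	}

	/* Add each certificate to list */
	while ( cursor.len ) {

		/* Parse and add certificate to temporary list */
		if ( ( rc = x509_append_raw ( certs, cursor.data,
					      cursor.len ) ) != 0 ) {
			DBGC ( validator, "VALIDATOR %p could not append "
			       "certificate: %s\n",
			       validator, strerror ( rc) );
			/* Debug-only dump of the remainder of the body */
			DBGC_HDA ( validator, 0, cursor.data, cursor.len );
			/* Release the temporary list rather than leaking it */
			goto err_append_raw;
		}
		cert = x509_last ( certs );
		DBGC ( validator, "VALIDATOR %p found certificate %s\n",
		       validator, cert->subject.name );

		/* Move to next certificate (the element just parsed
		 * successfully, so skipping it cannot fail)
		 */
		asn1_skip_any ( &cursor );
	}

	/* Append applicable certificates to the validator's chain */
	last = x509_last ( validator->chain );
	if ( ( rc = x509_auto_append ( validator->chain, certs ) ) != 0 ) {
		DBGC ( validator, "VALIDATOR %p could not append "
		       "certificates: %s\n", validator, strerror ( rc ) );
		goto err_auto_append;
	}

	/* Check that at least one certificate has been added; no
	 * progress means the source cannot help and must not be
	 * asked again.
	 */
	if ( last == x509_last ( validator->chain ) ) {
		DBGC ( validator, "VALIDATOR %p failed to append any "
		       "applicable certificates\n", validator );
		rc = -EACCES;
		goto err_no_progress;
	}

	/* Drop reference to temporary certificate list */
	x509_chain_put ( certs );

	return 0;

 err_no_progress:
 err_auto_append:
 err_append_raw:
 err_certificateset:
	x509_chain_put ( certs );
 err_alloc_certs:
	return rc;
}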
/**
 * Start download of cross-signing certificate
 *
 * Builds "<source>/<crc32 of issuer DN>.der?subject=<base64 issuer DN>"
 * and opens it on the data transfer interface; the response body is
 * later passed to validator_append() by validator_xfer_close().
 *
 * The source is the "crosscert" setting (possibly network-supplied
 * via DHCP) or crosscert_default.  Neither the source nor what it
 * serves is trusted as such: downloaded certificates only take effect
 * if x509_validate_chain() subsequently accepts them.
 *
 * @v validator		Certificate validator
 * @v issuer		Required issuer (raw DER distinguished name)
 * @ret rc		Return status code
 */
static int validator_start_download ( struct validator *validator,
				      const struct asn1_cursor *issuer ) {
	char *source_copy;
	const char *source;
	char *uri;
	size_t uri_len;
	uint32_t crc;
	int prefix_len;
	int rc;

	/* Fetch the configured source.  A NULL copy with a
	 * non-negative length evidently means "not set", in which
	 * case the built-in default applies.
	 */
	prefix_len = fetch_string_setting_copy ( NULL, &crosscert_setting,
						 &source_copy );
	if ( prefix_len < 0 ) {
		rc = prefix_len;
		DBGC ( validator, "VALIDATOR %p could not fetch crosscert "
		       "setting: %s\n", validator, strerror ( rc ) );
		goto err_fetch_crosscert;
	}
	source = ( source_copy ? source_copy : crosscert_default );

	/* The issuer is identified by the CRC32 of its raw DN; the
	 * full DN also travels, base64-encoded, in the query string.
	 */
	crc = crc32_le ( 0xffffffffUL, issuer->data, issuer->len );

	/* Size the URI exactly: source + "/%08x.der?subject=" (22
	 * bytes once %08x is expanded) + base64 issuer + NUL.
	 */
	uri_len = ( strlen ( source ) + 22 + base64_encoded_len ( issuer->len )
		    + 1 );
	uri = zalloc ( uri_len );
	if ( ! uri ) {
		rc = -ENOMEM;
		goto err_alloc_uri;
	}

	/* Generate URI string.  The base64 output is appended verbatim
	 * ('+', '/' and '=' are not percent-encoded); presumably the
	 * default server accepts that, and a custom source must too.
	 */
	prefix_len = snprintf ( uri, uri_len, "%s/%08x.der?subject=",
				source, crc );
	base64_encode ( issuer->data, issuer->len, ( uri + prefix_len ) );
	DBGC ( validator, "VALIDATOR %p downloading cross-signed certificate "
	       "from %s\n", validator, uri );

	/* Route the completed download to validator_append() */
	validator->done = validator_append;

	/* Open URI; rc == 0 from here on means success */
	rc = xfer_open_uri_string ( &validator->xfer, uri );
	if ( rc != 0 ) {
		DBGC ( validator, "VALIDATOR %p could not open %s: %s\n",
		       validator, uri, strerror ( rc ) );
	}

	free ( uri );
 err_alloc_uri:
	free ( source_copy );
 err_fetch_crosscert:
	return rc;
}
  247. /****************************************************************************
  248. *
  249. * OCSP checks
  250. *
  251. */
/**
 * Validate OCSP response
 *
 * Completion handler for the download started by
 * validator_start_ocsp().  The body is untrusted network input:
 * ocsp_response() parses it and ocsp_validate() judges it against the
 * current time (signature checking is presumed to happen there —
 * confirm in ocsp.c).  The outcome is expected to be recorded on the
 * certificate, since validator_step() reads ocsp.good afterwards.
 *
 * On failure the check object is left in place; validator_free()
 * releases it once the validator is torn down.
 *
 * @v validator		Certificate validator
 * @v data		Raw OCSP response
 * @v len		Length of raw data
 * @ret rc		Return status code
 */
static int validator_ocsp_validate ( struct validator *validator,
				     const void *data, size_t len ) {
	struct ocsp_check *check = validator->ocsp;
	int rc;

	/* Record OCSP response */
	rc = ocsp_response ( check, data, len );
	if ( rc != 0 ) {
		DBGC ( validator, "VALIDATOR %p could not record OCSP "
		       "response: %s\n", validator, strerror ( rc ) );
		return rc;
	}

	/* Validate OCSP response against the current time */
	rc = ocsp_validate ( check, time ( NULL ) );
	if ( rc != 0 ) {
		DBGC ( validator, "VALIDATOR %p could not validate OCSP "
		       "response: %s\n", validator, strerror ( rc ) );
		return rc;
	}

	/* The check has served its purpose; clearing the pointer also
	 * re-arms the assertion in validator_start_ocsp().
	 */
	ocsp_put ( check );
	validator->ocsp = NULL;

	return 0;
}
/**
 * Start OCSP check
 *
 * Creates the check object and opens the responder URI it supplies
 * (presumably derived from the certificate's own OCSP URI, which
 * validator_step() tests before calling here).  The response body is
 * delivered to validator_ocsp_validate().
 *
 * If opening the URI fails the check object stays attached; the
 * caller finishes the validator and validator_free() releases it.
 *
 * @v validator		Certificate validator
 * @v cert		Certificate to check
 * @v issuer		Issuing certificate
 * @ret rc		Return status code
 */
static int validator_start_ocsp ( struct validator *validator,
				  struct x509_certificate *cert,
				  struct x509_certificate *issuer ) {
	const char *responder;
	int rc;

	/* Only one check may be in flight at a time */
	assert ( validator->ocsp == NULL );
	rc = ocsp_check ( cert, issuer, &validator->ocsp );
	if ( rc != 0 ) {
		DBGC ( validator, "VALIDATOR %p could not create OCSP check: "
		       "%s\n", validator, strerror ( rc ) );
		return rc;
	}

	/* Route the completed download to validator_ocsp_validate() */
	validator->done = validator_ocsp_validate;

	/* Open responder URI */
	responder = validator->ocsp->uri_string;
	DBGC ( validator, "VALIDATOR %p performing OCSP check at %s\n",
	       validator, responder );
	rc = xfer_open_uri_string ( &validator->xfer, responder );
	if ( rc != 0 ) {
		DBGC ( validator, "VALIDATOR %p could not open %s: %s\n",
		       validator, responder, strerror ( rc ) );
		return rc;
	}

	return 0;
}
  316. /****************************************************************************
  317. *
  318. * Data transfer interface
  319. *
  320. */
/**
 * Close data transfer interface
 *
 * Called when the current download ends.  On success the buffered
 * body is handed to the done() callback installed by whichever start
 * routine opened the transfer, the buffer is released and
 * validator_step() is rescheduled.  Any failure, in the transfer or
 * in done(), finishes the whole validation with that status.
 *
 * @v validator		Certificate validator
 * @v rc		Reason for close
 */
static void validator_xfer_close ( struct validator *validator, int rc ) {

	/* Close data transfer interface */
	intf_restart ( &validator->xfer, rc );

	/* A failed transfer is fatal for the validation */
	if ( rc != 0 ) {
		DBGC ( validator, "VALIDATOR %p transfer failed: %s\n",
		       validator, strerror ( rc ) );
		validator_finished ( validator, rc );
		return;
	}
	DBGC2 ( validator, "VALIDATOR %p transfer complete\n", validator );

	/* Process completed download.  buffer.data may be NULL with
	 * len 0 if nothing was delivered; both callbacks reject that.
	 */
	assert ( validator->done != NULL );
	rc = validator->done ( validator, validator->buffer.data,
			       validator->buffer.len );
	if ( rc != 0 ) {
		/* Buffer is left for validator_free() to release */
		validator_finished ( validator, rc );
		return;
	}

	/* Free downloaded data */
	xferbuf_done ( &validator->buffer );

	/* Resume validation process */
	process_add ( &validator->process );
}
/**
 * Receive data
 *
 * Appends a chunk of the current download to the validator's buffer;
 * ownership of the I/O buffer is handed over via iob_disown().  No
 * size limit is enforced here — whatever growth policy
 * xferbuf_deliver() applies is the only bound on an oversized
 * response (NOTE(review): confirm against xferbuf.c).
 *
 * @v validator		Certificate validator
 * @v iobuf		I/O buffer
 * @v meta		Data transfer metadata
 * @ret rc		Return status code
 */
static int validator_xfer_deliver ( struct validator *validator,
				    struct io_buffer *iobuf,
				    struct xfer_metadata *meta ) {
	int rc;

	/* Add data to buffer */
	rc = xferbuf_deliver ( &validator->buffer, iob_disown ( iobuf ),
			       meta );
	if ( rc == 0 )
		return 0;

	/* Buffering failed (e.g. out of memory): abort the validation */
	DBGC ( validator, "VALIDATOR %p could not receive data: %s\n",
	       validator, strerror ( rc ) );
	validator_finished ( validator, rc );
	return rc;
}
/** Certificate validator data transfer interface operations */
static struct interface_operation validator_xfer_operations[] = {
	/* Body chunks of the download in progress */
	INTF_OP ( xfer_deliver, struct validator *, validator_xfer_deliver ),
	/* End of download, successful or not */
	INTF_OP ( intf_close, struct validator *, validator_xfer_close ),
};

/** Certificate validator data transfer interface descriptor */
static struct interface_descriptor validator_xfer_desc =
	INTF_DESC ( struct validator, xfer, validator_xfer_operations );
  381. /****************************************************************************
  382. *
  383. * Validation process
  384. *
  385. */
/**
 * Certificate validation process
 *
 * One-shot step (see validator_process_desc): each run either
 * finishes the job or starts exactly one download, after which
 * validator_xfer_close() schedules the next run.  Progress is
 * guaranteed because validator_append() fails unless the chain grew
 * and an OCSP check is only started for a certificate not yet marked
 * good.
 *
 * @v validator		Certificate validator
 */
static void validator_step ( struct validator *validator ) {
	struct x509_link *link;
	struct x509_certificate *below = NULL;
	struct x509_certificate *above;
	struct x509_certificate *tail;
	int rc;

	/* Attempt validation of whatever we have.  This may succeed
	 * even for an incomplete chain if the certificates were
	 * validated previously.
	 */
	rc = x509_validate_chain ( validator->chain, time ( NULL ), NULL );
	if ( rc == 0 ) {
		validator_finished ( validator, 0 );
		return;
	}

	/* Walk the chain for the first certificate whose issuer is
	 * already valid.  That certificate is where validation stuck:
	 * if it names an OCSP responder that has not yet reported it
	 * good, start an OCSP check; otherwise no download can help and
	 * the failure (rc from x509_validate_chain) is permanent.
	 */
	list_for_each_entry ( link, &validator->chain->links, list ) {
		above = link->cert;
		if ( below && above->valid ) {
			if ( below->extensions.auth_info.ocsp.uri &&
			     ( ! below->extensions.auth_info.ocsp.good ) ) {
				rc = validator_start_ocsp ( validator, below,
							    above );
				if ( rc != 0 )
					validator_finished ( validator, rc );
				return;
			}
			validator_finished ( validator, rc );
			return;
		}
		below = above;
	}

	/* No valid issuer anywhere.  A self-issued last certificate
	 * cannot be extended by a cross-signing certificate, so report
	 * the validation failure as it stands.
	 */
	tail = x509_last ( validator->chain );
	if ( asn1_compare ( &tail->issuer.raw, &tail->subject.raw ) == 0 ) {
		validator_finished ( validator, rc );
		return;
	}

	/* Otherwise fetch a cross-signing certificate for the missing
	 * issuer; the result is judged by the next run of this step.
	 */
	rc = validator_start_download ( validator, &tail->issuer.raw );
	if ( rc != 0 )
		validator_finished ( validator, rc );
}
/** Certificate validator process descriptor
 *
 * PROC_DESC_ONCE: validator_step() runs a single time per
 * process_add(); validator_xfer_close() re-adds the process after
 * each completed download.
 */
static struct process_descriptor validator_process_desc =
	PROC_DESC_ONCE ( struct validator, process, validator_step );
  455. /****************************************************************************
  456. *
  457. * Instantiator
  458. *
  459. */
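/**
 * Instantiate a certificate validator
 *
 * Takes a reference to the chain and plugs the job interface into
 * the caller's; the validator then owns itself through its interfaces
 * and process (the creation reference is dropped here) and reports
 * the outcome by shutting down @c job with the final status.
 * process_init() is expected to schedule the first validator_step().
 *
 * Fix: the statements that followed "return 0" were unreachable (no
 * label pointed at them) and have been removed; the error labels are
 * kept for the two real failure paths.
 *
 * @v job		Job control interface
 * @v chain		X.509 certificate chain
 * @ret rc		Return status code
 */
int create_validator ( struct interface *job, struct x509_chain *chain ) {
	struct validator *validator;
	int rc;

	/* Sanity check */
	if ( ! chain ) {
		rc = -EINVAL;
		goto err_sanity;
	}

	/* Allocate and initialise structure; zalloc() leaves ocsp and
	 * done NULL, which the start routines and xfer_close assert on
	 */
	validator = zalloc ( sizeof ( *validator ) );
	if ( ! validator ) {
		rc = -ENOMEM;
		goto err_alloc;
	}
	ref_init ( &validator->refcnt, validator_free );
	intf_init ( &validator->job, &validator_job_desc,
		    &validator->refcnt );
	intf_init ( &validator->xfer, &validator_xfer_desc,
		    &validator->refcnt );
	process_init ( &validator->process, &validator_process_desc,
		       &validator->refcnt );
	validator->chain = x509_chain_get ( chain );

	/* Attach parent interface, mortalise self, and return */
	intf_plug_plug ( &validator->job, job );
	ref_put ( &validator->refcnt );
	DBGC2 ( validator, "VALIDATOR %p validating X509 chain %p\n",
		validator, validator->chain );
	return 0;

 err_alloc:
 err_sanity:
	return rc;
}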