00001 /*
00002  * Copyright (C) 2012 Michael Brown <mbrown@fensystems.co.uk>.
00003  *
00004  * This program is free software; you can redistribute it and/or
00005  * modify it under the terms of the GNU General Public License as
00006  * published by the Free Software Foundation; either version 2 of the
00007  * License, or (at your option) any later version.
00008  *
00009  * This program is distributed in the hope that it will be useful, but
00010  * WITHOUT ANY WARRANTY; without even the implied warranty of
00011  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
00012  * General Public License for more details.
00013  *
00014  * You should have received a copy of the GNU General Public License
00015  * along with this program; if not, write to the Free Software
00016  * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
00017  * 02110-1301, USA.
00018  *
00019  * You can also choose to distribute this program under the terms of
00020  * the Unmodified Binary Distribution Licence (as given in the file
00021  * COPYING.UBDL), provided that you have satisfied its requirements.
00022  */
00023 
00024 FILE_LICENCE ( GPL2_OR_LATER_OR_UBDL );
00025 
00026 #include <string.h>
00027 #include <stdio.h>
00028 #include <errno.h>
00029 #include <ipxe/refcnt.h>
00030 #include <ipxe/malloc.h>
00031 #include <ipxe/interface.h>
00032 #include <ipxe/xfer.h>
00033 #include <ipxe/open.h>
00034 #include <ipxe/iobuf.h>
00035 #include <ipxe/xferbuf.h>
00036 #include <ipxe/process.h>
00037 #include <ipxe/x509.h>
00038 #include <ipxe/settings.h>
00039 #include <ipxe/dhcp.h>
00040 #include <ipxe/base64.h>
00041 #include <ipxe/crc32.h>
00042 #include <ipxe/ocsp.h>
00043 #include <ipxe/validator.h>
00044 #include <config/crypto.h>
00045 
00046 /** @file
00047  *
00048  * Certificate validator
00049  *
00050  */
00051 
/** A certificate validator
 *
 * One validator is created per X.509 chain by create_validator().
 * The validation process (validator_step()) may need to fetch
 * external data (a cross-signing certificate or an OCSP response);
 * the downloaded bytes are accumulated in @c buffer and handed to
 * @c done when the transfer closes (see validator_xfer_close()).
 */
struct validator {
        /** Reference count */
        struct refcnt refcnt;
        /** Job control interface (towards the caller of create_validator()) */
        struct interface job;
        /** Data transfer interface
         *
         * Used for cross-signing certificate and OCSP downloads.
         */
        struct interface xfer;

        /** Process
         *
         * Runs validator_step().  Re-added by validator_xfer_close()
         * once a download has been absorbed; removed by
         * validator_finished().
         */
        struct process process;

        /** X.509 certificate chain (this validator holds a reference) */
        struct x509_chain *chain;
        /** OCSP check
         *
         * NULL until validator_start_ocsp() creates it; reset to NULL
         * by validator_ocsp_validate() on success.  validator_free()
         * releases whatever is left.
         */
        struct ocsp_check *ocsp;
        /** Data buffer (accumulates the current download) */
        struct xfer_buffer buffer;
        /** Action to take upon completed transfer
         *
         * Either validator_append() or validator_ocsp_validate(),
         * selected when the corresponding download is started.  The
         * data passed to it is the raw, untrusted download.
         */
        int ( * done ) ( struct validator *validator, const void *data,
                         size_t len );
};
00074 
/**
 * Free certificate validator
 *
 * Releases the references held on the certificate chain and on any
 * outstanding OCSP check, frees buffered download data, and then
 * frees the validator itself.
 *
 * @v refcnt            Reference count
 */
static void validator_free ( struct refcnt *refcnt ) {
        struct validator *validator;

        validator = container_of ( refcnt, struct validator, refcnt );
        DBGC2 ( validator, "VALIDATOR %p freed\n", validator );

        /* Drop held references (ocsp may be NULL if no check was
         * ever started, or if the last one completed successfully)
         */
        ocsp_put ( validator->ocsp );
        x509_chain_put ( validator->chain );

        /* Release buffered data and the object itself */
        xferbuf_free ( &validator->buffer );
        free ( validator );
}
00090 
/**
 * Mark certificate validation as finished
 *
 * Stops the validation process and shuts down both interfaces with
 * @c rc as the reason.  The job interface is shut down last;
 * presumably so that the data transfer side is already closed when
 * the parent learns the outcome (and may drop its reference) —
 * keep this order.
 *
 * @v validator         Certificate validator
 * @v rc                Reason for finishing (0 on success)
 */
static void validator_finished ( struct validator *validator, int rc ) {

        /* Remove process */
        process_del ( &validator->process );

        /* Close all interfaces */
        intf_shutdown ( &validator->xfer, rc );
        intf_shutdown ( &validator->job, rc );
}
00106 
00107 /****************************************************************************
00108  *
00109  * Job control interface
00110  *
00111  */
00112 
/** Certificate validator job control interface operations
 *
 * A close from the parent side finishes the validator with the given
 * reason (validator_finished()).
 */
static struct interface_operation validator_job_operations[] = {
        INTF_OP ( intf_close, struct validator *, validator_finished ),
};

/** Certificate validator job control interface descriptor */
static struct interface_descriptor validator_job_desc =
        INTF_DESC ( struct validator, job, validator_job_operations );
00121 
00122 /****************************************************************************
00123  *
00124  * Cross-signing certificates
00125  *
00126  */
00127 
/** Cross-signed certificate source setting
 *
 * Base URI from which validator_start_download() fetches
 * cross-signing certificates.  It carries a DHCP option tag, so the
 * value may presumably be supplied by the network; anything fetched
 * from it is untrusted data that is merely appended to the chain via
 * x509_auto_append() and must still pass x509_validate_chain() in
 * validator_step().
 */
const struct setting crosscert_setting __setting ( SETTING_CRYPTO, crosscert )={
        .name = "crosscert",
        .description = "Cross-signed certificate source",
        .tag = DHCP_EB_CROSS_CERT,
        .type = &setting_type_string,
};

/** Default cross-signed certificate source
 *
 * CROSSCERT comes from the build configuration (see config/crypto.h).
 * An empty string disables cross-signing downloads in
 * validator_start_download().
 */
static const char crosscert_default[] = CROSSCERT;
00138 
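/**
 * Append cross-signing certificates to certificate chain
 *
 * The downloaded data is expected to be a DER-encoded SET of
 * certificates (a "certificateSet").  Each member is parsed into a
 * temporary chain, which is then merged into the validator's chain
 * via x509_auto_append().
 *
 * @v validator         Certificate validator
 * @v data              Raw cross-signing certificate data (untrusted)
 * @v len               Length of raw data
 * @ret rc              Return status code
 *
 * Fails with -EACCES if none of the downloaded certificates could be
 * appended.  Without this "no progress" check validator_step() would
 * re-run after the download and request the same source again.
 */
static int validator_append ( struct validator *validator,
                              const void *data, size_t len ) {
        struct asn1_cursor cursor;
        struct x509_chain *certs;
        struct x509_certificate *cert;
        struct x509_certificate *last;
        int rc;

        /* Allocate certificate list */
        certs = x509_alloc_chain();
        if ( ! certs ) {
                rc = -ENOMEM;
                goto err_alloc_certs;
        }

        /* Initialise cursor */
        cursor.data = data;
        cursor.len = len;

        /* Enter certificateSet */
        if ( ( rc = asn1_enter ( &cursor, ASN1_SET ) ) != 0 ) {
                DBGC ( validator, "VALIDATOR %p could not enter "
                       "certificateSet: %s\n", validator, strerror ( rc ) );
                goto err_certificateset;
        }

        /* Add each certificate to list */
        while ( cursor.len ) {

                /* Add certificate to chain.  On failure fall through
                 * to the common cleanup so that the temporary list is
                 * released (a direct return here would leak it).
                 */
                if ( ( rc = x509_append_raw ( certs, cursor.data,
                                              cursor.len ) ) != 0 ) {
                        DBGC ( validator, "VALIDATOR %p could not append "
                               "certificate: %s\n",
                               validator, strerror ( rc ) );
                        DBGC_HDA ( validator, 0, cursor.data, cursor.len );
                        goto err_append_raw;
                }
                cert = x509_last ( certs );
                DBGC ( validator, "VALIDATOR %p found certificate %s\n",
                       validator, x509_name ( cert ) );

                /* Move to next certificate */
                asn1_skip_any ( &cursor );
        }

        /* Append certificates to chain.  Remember the current tail so
         * that progress can be detected afterwards.
         */
        last = x509_last ( validator->chain );
        if ( ( rc = x509_auto_append ( validator->chain, certs ) ) != 0 ) {
                DBGC ( validator, "VALIDATOR %p could not append "
                       "certificates: %s\n", validator, strerror ( rc ) );
                goto err_auto_append;
        }

        /* Check that at least one certificate has been added */
        if ( last == x509_last ( validator->chain ) ) {
                DBGC ( validator, "VALIDATOR %p failed to append any "
                       "applicable certificates\n", validator );
                rc = -EACCES;
                goto err_no_progress;
        }

        /* Drop reference to certificate list */
        x509_chain_put ( certs );

        return 0;

 err_no_progress:
 err_auto_append:
 err_append_raw:
 err_certificateset:
        x509_chain_put ( certs );
 err_alloc_certs:
        return rc;
}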
00221 
/**
 * Start download of cross-signing certificate
 *
 * Builds a URI of the form "<source>/<crc32>.der?subject=<base64>",
 * where <source> is the "crosscert" setting (or the built-in
 * CROSSCERT default), <crc32> is the CRC32 of the raw issuer name
 * and <base64> is the issuer name itself, then opens it on the data
 * transfer interface with validator_append() as completion handler.
 *
 * @v validator         Certificate validator
 * @v issuer            Required issuer (raw DER-encoded name)
 * @ret rc              Return status code
 *
 * Whatever is downloaded is untrusted: validator_append() only
 * appends it, and the chain must still pass x509_validate_chain()
 * in validator_step().
 */
static int validator_start_download ( struct validator *validator,
                                      const struct asn1_cursor *issuer ) {
        const char *crosscert;
        char *crosscert_copy;
        char *uri_string;
        size_t uri_string_len;
        uint32_t crc;
        int len;
        int rc;

        /* Determine cross-signed certificate source.  The return
         * value of fetch_string_setting_copy() is ignored; this
         * relies on crosscert_copy being NULL when no setting is
         * present (and on free(NULL) being harmless below).
         */
        fetch_string_setting_copy ( NULL, &crosscert_setting, &crosscert_copy );
        crosscert = ( crosscert_copy ? crosscert_copy : crosscert_default );
        if ( ! crosscert[0] ) {
                /* Empty source string: nothing to download from */
                rc = -EINVAL;
                goto err_check_uri_string;
        }

        /* Allocate URI string.  The 22 is the fixed part of the format
         * used below ("/" + 8 hex digits + ".der" + "?subject=") and
         * must be kept in step with it.
         */
        uri_string_len = ( strlen ( crosscert ) + 22 /* "/%08x.der?subject=" */
                           + base64_encoded_len ( issuer->len ) + 1 /* NUL */ );
        uri_string = zalloc ( uri_string_len );
        if ( ! uri_string ) {
                rc = -ENOMEM;
                goto err_alloc_uri_string;
        }

        /* Generate CRC32 of the raw issuer name.  This is a lookup key
         * for the server, not an integrity check.
         */
        crc = crc32_le ( 0xffffffffUL, issuer->data, issuer->len );

        /* Generate URI string.  Given the sizing above snprintf()
         * cannot truncate, so its return value is used directly as the
         * offset of the base64 tail (no explicit check).
         * NOTE(review): base64 output may contain '+', '/' and '=',
         * which are not percent-encoded here; whether the query
         * reaches the server intact depends on xfer_open_uri_string()
         * and the server — confirm.
         */
        len = snprintf ( uri_string, uri_string_len, "%s/%08x.der?subject=",
                         crosscert, crc );
        base64_encode ( issuer->data, issuer->len, ( uri_string + len ),
                        ( uri_string_len - len ) );
        DBGC ( validator, "VALIDATOR %p downloading cross-signed certificate "
               "from %s\n", validator, uri_string );

        /* Set completion handler */
        validator->done = validator_append;

        /* Open URI */
        if ( ( rc = xfer_open_uri_string ( &validator->xfer,
                                           uri_string ) ) != 0 ) {
                DBGC ( validator, "VALIDATOR %p could not open %s: %s\n",
                       validator, uri_string, strerror ( rc ) );
                goto err_open_uri_string;
        }

        /* Success */
        rc = 0;

 err_open_uri_string:
        /* The URI string is no longer needed once the open has been
         * attempted
         */
        free ( uri_string );
 err_alloc_uri_string:
 err_check_uri_string:
        free ( crosscert_copy );
        return rc;
}
00288 
00289 /****************************************************************************
00290  *
00291  * OCSP checks
00292  *
00293  */
00294 
/**
 * Validate OCSP response
 *
 * Completion handler for an OCSP download: records the raw response
 * against the outstanding OCSP check, validates it against the
 * current time and, on success, releases the check.  On failure the
 * check is left in place for validator_free() to release.
 *
 * @v validator         Certificate validator
 * @v data              Raw OCSP response (untrusted)
 * @v len               Length of raw data
 * @ret rc              Return status code
 */
static int validator_ocsp_validate ( struct validator *validator,
                                     const void *data, size_t len ) {
        int rc;

        /* Record response */
        rc = ocsp_response ( validator->ocsp, data, len );
        if ( rc != 0 ) {
                DBGC ( validator, "VALIDATOR %p could not record OCSP "
                       "response: %s\n", validator, strerror ( rc ) );
                return rc;
        }

        /* Validate response against the current time */
        rc = ocsp_validate ( validator->ocsp, time ( NULL ) );
        if ( rc != 0 ) {
                DBGC ( validator, "VALIDATOR %p could not validate OCSP "
                       "response: %s\n", validator, strerror ( rc ) );
                return rc;
        }

        /* Done with this check; clear the pointer so that a later
         * validator_start_ocsp() sees no outstanding check
         */
        ocsp_put ( validator->ocsp );
        validator->ocsp = NULL;
        return 0;
}
00329 
/**
 * Start OCSP check
 *
 * Creates an OCSP check for @c cert (as issued by @c issuer), installs
 * validator_ocsp_validate() as the completion handler and opens the
 * check's URI on the data transfer interface.  On failure the created
 * check (if any) is left for validator_free() to release; the caller
 * is expected to finish the validator.
 *
 * @v validator         Certificate validator
 * @v cert              Certificate to check
 * @v issuer            Issuing certificate
 * @ret rc              Return status code
 */
static int validator_start_ocsp ( struct validator *validator,
                                  struct x509_certificate *cert,
                                  struct x509_certificate *issuer ) {
        int rc;

        /* Only one OCSP check may be outstanding at a time */
        assert ( validator->ocsp == NULL );

        /* Create OCSP check */
        rc = ocsp_check ( cert, issuer, &validator->ocsp );
        if ( rc != 0 ) {
                DBGC ( validator, "VALIDATOR %p could not create OCSP check: "
                       "%s\n", validator, strerror ( rc ) );
                return rc;
        }

        /* Completed downloads go to the OCSP response handler */
        validator->done = validator_ocsp_validate;

        /* Open URI (the string is owned by the OCSP check) */
        DBGC ( validator, "VALIDATOR %p performing OCSP check at %s\n",
               validator, validator->ocsp->uri_string );
        rc = xfer_open_uri_string ( &validator->xfer,
                                    validator->ocsp->uri_string );
        if ( rc != 0 ) {
                DBGC ( validator, "VALIDATOR %p could not open %s: %s\n",
                       validator, validator->ocsp->uri_string,
                       strerror ( rc ) );
                return rc;
        }

        return 0;
}
00368 
00369 /****************************************************************************
00370  *
00371  * Data transfer interface
00372  *
00373  */
00374 
/**
 * Close data transfer interface
 *
 * Called when a cross-signing certificate or OCSP download ends.  On
 * a clean close the buffered (untrusted) download is handed to the
 * completion handler that was installed when the download was
 * started, the buffer is released and the validation process is
 * re-added so that validator_step() runs again.  Any failure — of
 * the transfer itself or of the handler — finishes the whole
 * validation with that status.
 *
 * @v validator         Certificate validator
 * @v rc                Reason for close
 */
static void validator_xfer_close ( struct validator *validator, int rc ) {

        /* Close data transfer interface (restarted rather than shut
         * down, presumably so that it can be reused for the next
         * download)
         */
        intf_restart ( &validator->xfer, rc );

        /* Check for errors */
        if ( rc != 0 ) {
                DBGC ( validator, "VALIDATOR %p transfer failed: %s\n",
                       validator, strerror ( rc ) );
                goto err_transfer;
        }
        DBGC2 ( validator, "VALIDATOR %p transfer complete\n", validator );

        /* Process completed download.  rc is reused: from here on it
         * holds the handler's status.  done is installed by
         * validator_start_download()/validator_start_ocsp() before
         * any transfer is opened.
         */
        assert ( validator->done != NULL );
        if ( ( rc = validator->done ( validator, validator->buffer.data,
                                       validator->buffer.len ) ) != 0 )
                goto err_append;

        /* Free downloaded data (on handler failure it is left for
         * validator_free() to release)
         */
        xferbuf_free ( &validator->buffer );

        /* Resume validation process */
        process_add ( &validator->process );

        return;

 err_append:
 err_transfer:
        validator_finished ( validator, rc );
}
00412 
/**
 * Receive data
 *
 * Appends an incoming I/O buffer to the validator's data buffer; the
 * buffer is handed over via iob_disown().  A delivery failure aborts
 * the whole validation.
 *
 * @v validator         Certificate validator
 * @v iobuf             I/O buffer
 * @v meta              Data transfer metadata
 * @ret rc              Return status code
 */
static int validator_xfer_deliver ( struct validator *validator,
                                    struct io_buffer *iobuf,
                                    struct xfer_metadata *meta ) {
        int rc;

        /* Add data to buffer */
        rc = xferbuf_deliver ( &validator->buffer, iob_disown ( iobuf ),
                               meta );
        if ( rc == 0 )
                return 0;

        /* Delivery failed: give up on the validation */
        DBGC ( validator, "VALIDATOR %p could not receive data: %s\n",
               validator, strerror ( rc ) );
        validator_finished ( validator, rc );
        return rc;
}
00437 
/** Certificate validator data transfer interface operations
 *
 * Incoming data is buffered by validator_xfer_deliver(); the close of
 * the transfer is handled by validator_xfer_close(), which processes
 * the buffered download.
 */
static struct interface_operation validator_xfer_operations[] = {
        INTF_OP ( xfer_deliver, struct validator *, validator_xfer_deliver ),
        INTF_OP ( intf_close, struct validator *, validator_xfer_close ),
};

/** Certificate validator data transfer interface descriptor */
static struct interface_descriptor validator_xfer_desc =
        INTF_DESC ( struct validator, xfer, validator_xfer_operations );
00447 
00448 /****************************************************************************
00449  *
00450  * Validation process
00451  *
00452  */
00453 
/**
 * Certificate validation process
 *
 * One step of validation.  Runs when the process is scheduled and
 * again each time validator_xfer_close() re-adds it after a download
 * has been absorbed.  Each step either finishes the validator
 * (success or permanent failure) or starts exactly one download
 * (an OCSP response or a cross-signing certificate) and returns,
 * leaving the next step to run once that download completes.
 *
 * @v validator         Certificate validator
 */
static void validator_step ( struct validator *validator ) {
        struct x509_link *link;
        struct x509_certificate *cert;
        struct x509_certificate *issuer = NULL;
        struct x509_certificate *last;
        time_t now;
        int rc;

        /* Try validating chain.  Try even if the chain is incomplete,
         * since certificates may already have been validated
         * previously.  (The NULL arguments presumably select the
         * default root store — see x509_validate_chain().)
         */
        now = time ( NULL );
        if ( ( rc = x509_validate_chain ( validator->chain, now, NULL,
                                          NULL ) ) == 0 ) {
                validator_finished ( validator, 0 );
                return;
        }

        /* If there is a certificate that could be validated using
         * OCSP, try it.
         *
         * Walks adjacent pairs of the chain: on each iteration "cert"
         * is the previous link and "issuer" the current one (the
         * first iteration only primes the pair; chain order is assumed
         * to put each certificate before its issuer, as the naming
         * implies).  rc still holds the failure code from
         * x509_validate_chain(), which is what a permanent failure
         * reports.
         */
        list_for_each_entry ( link, &validator->chain->links, list ) {
                cert = issuer;
                issuer = link->cert;
                if ( ! cert )
                        continue;
                if ( ! x509_is_valid ( issuer ) )
                        continue;
                /* The issuer is valid, but this certificate is not
                 * yet valid.  If OCSP is applicable, start it.
                 */
                if ( ocsp_required ( cert ) ) {
                        /* Start OCSP; on success the download is in
                         * progress and this step is done
                         */
                        if ( ( rc = validator_start_ocsp ( validator, cert,
                                                           issuer ) ) != 0 ) {
                                validator_finished ( validator, rc );
                                return;
                        }
                        return;
                }
                /* Otherwise, this is a permanent failure */
                validator_finished ( validator, rc );
                return;
        }

        /* If chain ends with a self-issued certificate, then there is
         * nothing more to do.  A self-issued tail cannot be extended
         * by a cross-signing certificate, so the validation failure
         * code is final.
         */
        last = x509_last ( validator->chain );
        if ( asn1_compare ( &last->issuer.raw, &last->subject.raw ) == 0 ) {
                validator_finished ( validator, rc );
                return;
        }

        /* Otherwise, try to download a suitable cross-signing
         * certificate.  On success the download is in progress and
         * validator_xfer_close() will re-add this process.
         */
        if ( ( rc = validator_start_download ( validator,
                                               &last->issuer.raw ) ) != 0 ) {
                validator_finished ( validator, rc );
                return;
        }
}
00523 
/** Certificate validator process descriptor
 *
 * PROC_DESC_ONCE: presumably validator_step() runs once per
 * scheduling; validator_xfer_close() re-adds the process after each
 * download.
 */
static struct process_descriptor validator_process_desc =
        PROC_DESC_ONCE ( struct validator, process, validator_step );
00527 
00528 /****************************************************************************
00529  *
00530  * Instantiator
00531  *
00532  */
00533 
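/**
 * Instantiate a certificate validator
 *
 * Allocates a validator for @c chain, initialises its interfaces and
 * validation process, and plugs its job control interface into
 * @c job.  The validator takes its own reference to the chain.
 *
 * @v job               Job control interface
 * @v chain             X.509 certificate chain
 * @ret rc              Return status code (-EINVAL if @c chain is NULL,
 *                      -ENOMEM on allocation failure)
 */
int create_validator ( struct interface *job, struct x509_chain *chain ) {
        struct validator *validator;
        int rc;

        /* Sanity check */
        if ( ! chain ) {
                rc = -EINVAL;
                goto err_sanity;
        }

        /* Allocate and initialise structure */
        validator = zalloc ( sizeof ( *validator ) );
        if ( ! validator ) {
                rc = -ENOMEM;
                goto err_alloc;
        }
        ref_init ( &validator->refcnt, validator_free );
        intf_init ( &validator->job, &validator_job_desc,
                    &validator->refcnt );
        intf_init ( &validator->xfer, &validator_xfer_desc,
                    &validator->refcnt );
        process_init ( &validator->process, &validator_process_desc,
                       &validator->refcnt );
        validator->chain = x509_chain_get ( chain );
        xferbuf_malloc_init ( &validator->buffer );

        /* Attach parent interface, mortalise self, and return.  After
         * ref_put() the creator no longer owns the validator (it is
         * presumably kept alive by its plugged interfaces); nothing
         * can fail after this point, so no cleanup path follows.
         */
        intf_plug_plug ( &validator->job, job );
        ref_put ( &validator->refcnt );
        DBGC2 ( validator, "VALIDATOR %p validating X509 chain %p\n",
                validator, validator->chain );
        return 0;

 err_alloc:
 err_sanity:
        return rc;
}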