00001 /*
00002  * Copyright (C) 2012 Michael Brown <mbrown@fensystems.co.uk>.
00003  *
00004  * This program is free software; you can redistribute it and/or
00005  * modify it under the terms of the GNU General Public License as
00006  * published by the Free Software Foundation; either version 2 of the
00007  * License, or (at your option) any later version.
00008  *
00009  * This program is distributed in the hope that it will be useful, but
00010  * WITHOUT ANY WARRANTY; without even the implied warranty of
00011  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
00012  * General Public License for more details.
00013  *
00014  * You should have received a copy of the GNU General Public License
00015  * along with this program; if not, write to the Free Software
00016  * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
00017  * 02110-1301, USA.
00018  *
00019  * You can also choose to distribute this program under the terms of
00020  * the Unmodified Binary Distribution Licence (as given in the file
00021  * COPYING.UBDL), provided that you have satisfied its requirements.
00022  */
00023 
00024 FILE_LICENCE ( GPL2_OR_LATER_OR_UBDL );
00025 
00026 #include <string.h>
00027 #include <stdio.h>
00028 #include <errno.h>
00029 #include <ipxe/refcnt.h>
00030 #include <ipxe/malloc.h>
00031 #include <ipxe/interface.h>
00032 #include <ipxe/xfer.h>
00033 #include <ipxe/open.h>
00034 #include <ipxe/iobuf.h>
00035 #include <ipxe/xferbuf.h>
00036 #include <ipxe/process.h>
00037 #include <ipxe/x509.h>
00038 #include <ipxe/settings.h>
00039 #include <ipxe/dhcp.h>
00040 #include <ipxe/base64.h>
00041 #include <ipxe/crc32.h>
00042 #include <ipxe/ocsp.h>
00043 #include <ipxe/job.h>
00044 #include <ipxe/validator.h>
00045 #include <config/crypto.h>
00046 
00047 /** @file
00048  *
00049  * Certificate validator
00050  *
00051  */
00052 
/* Forward declaration: actions receive the validator that owns them */
struct validator;

/** A certificate validator action */
struct validator_action {
        /** Name (shown in job progress messages, see validator_progress()) */
        const char *name;
        /** Action to take upon completed transfer
         *
         * Invoked from validator_xfer_close() with the whole of the
         * downloaded data accumulated in the validator's buffer.
         *
         * @v validator         Certificate validator
         * @v data              Downloaded data
         * @v len               Length of downloaded data
         * @ret rc              Return status code
         */
        int ( * done ) ( struct validator *validator, const void *data,
                         size_t len );
};
00063 
/** A certificate validator
 *
 * Lifetime is governed by the reference count: the job interface,
 * the data transfer interface and the process each hold a reference
 * (see create_validator()), and the creator's own reference is
 * dropped immediately after creation, so the validator is freed via
 * validator_free() once all three are shut down.
 */
struct validator {
        /** Reference count */
        struct refcnt refcnt;
        /** Job control interface (reports result to the creator) */
        struct interface job;
        /** Data transfer interface (one download at a time) */
        struct interface xfer;

        /** Process (runs validator_step()) */
        struct process process;

        /** X.509 certificate chain (referenced; released in validator_free()) */
        struct x509_chain *chain;
        /** OCSP check
         *
         * Non-NULL only while an OCSP check is outstanding: created
         * by validator_start_ocsp() and released by
         * validator_ocsp_validate() once the response validates.
         */
        struct ocsp_check *ocsp;
        /** Data buffer
         *
         * Accumulates the current download (validator_xfer_deliver())
         * and is emptied after the action's done() handler consumes it.
         */
        struct xfer_buffer buffer;

        /** Current action
         *
         * Set together with @c cert whenever a download is started;
         * NULL until the first download.
         */
        const struct validator_action *action;
        /** Current certificate
         *
         * This will always be present within the certificate chain
         * and so this pointer does not hold a reference to the
         * certificate.
         */
        struct x509_certificate *cert;
};
00093 
/**
 * Get validator name (for debug messages)
 *
 * The validator is identified by the first certificate in its chain.
 *
 * @v validator         Certificate validator
 * @ret name            Validator name
 */
static const char * validator_name ( struct validator *validator ) {
        struct x509_certificate *first = x509_first ( validator->chain );

        return x509_name ( first );
}
00105 
/**
 * Free certificate validator
 *
 * Reference count callback, run once the last holder (job interface,
 * data transfer interface or process) has dropped its reference.
 *
 * @v refcnt            Reference count
 */
static void validator_free ( struct refcnt *refcnt ) {
        struct validator *validator =
                container_of ( refcnt, struct validator, refcnt );

        /* Log first: the name is taken from the chain released below */
        DBGC2 ( validator, "VALIDATOR %p \"%s\" freed\n",
                validator, validator_name ( validator ) );

        /* Release any partially downloaded data, the OCSP check (if
         * one is still held), the certificate chain, and finally the
         * validator itself.
         */
        xferbuf_free ( &validator->buffer );
        ocsp_put ( validator->ocsp );
        x509_chain_put ( validator->chain );
        free ( validator );
}
00122 
/**
 * Mark certificate validation as finished
 *
 * Used both for success (rc == 0, once the chain validates) and for
 * every failure path.  Closing the job interface with rc is how the
 * result reaches whoever plugged in via create_validator().
 *
 * @v validator         Certificate validator
 * @v rc                Reason for finishing
 */
static void validator_finished ( struct validator *validator, int rc ) {

        /* Remove process, so that validator_step() does not run again */
        process_del ( &validator->process );

        /* Close all interfaces.  The job interface goes last: shutting
         * it down presumably drops the reference that keeps this
         * validator alive, so nothing must touch the validator after
         * that call.
         */
        intf_shutdown ( &validator->xfer, rc );
        intf_shutdown ( &validator->job, rc );
}
00138 
00139 /****************************************************************************
00140  *
00141  * Job control interface
00142  *
00143  */
00144 
/**
 * Report job progress
 *
 * The message names the action in progress ("XCRT" or "OCSP") and
 * the certificate it is being performed for.  Before any download has
 * started there is no action, and the message is left untouched.
 *
 * @v validator         Certificate validator
 * @v progress          Progress report to fill in
 * @ret ongoing_rc      Ongoing job status code (if known)
 */
static int validator_progress ( struct validator *validator,
                                struct job_progress *progress ) {
        const struct validator_action *action = validator->action;

        /* Nothing in progress yet */
        if ( ! action )
                return 0;

        /* Describe current action and its certificate */
        snprintf ( progress->message, sizeof ( progress->message ), "%s %s",
                   action->name, x509_name ( validator->cert ) );

        return 0;
}
00164 
/** Certificate validator job control interface operations
 *
 * A close from the job owner aborts the validation through
 * validator_finished(), with the owner's status code.
 */
static struct interface_operation validator_job_operations[] = {
        INTF_OP ( job_progress, struct validator *, validator_progress ),
        INTF_OP ( intf_close, struct validator *, validator_finished ),
};
00170 
/** Certificate validator job control interface descriptor
 *
 * Binds the job operations above to the @c job member of struct validator.
 */
static struct interface_descriptor validator_job_desc =
        INTF_DESC ( struct validator, job, validator_job_operations );
00174 
00175 /****************************************************************************
00176  *
00177  * Cross-signing certificates
00178  *
00179  */
00180 
/** Cross-signed certificate source setting
 *
 * Base URI from which validator_start_download() fetches cross-signing
 * certificates.  Since it carries a DHCP tag, this value may be
 * supplied by the network rather than configured locally; whatever
 * is downloaded from it is still subject to chain validation in
 * validator_step() before it affects the result.
 */
const struct setting crosscert_setting __setting ( SETTING_CRYPTO, crosscert )={
        .name = "crosscert",
        .description = "Cross-signed certificate source",
        .tag = DHCP_EB_CROSS_CERT,
        .type = &setting_type_string,
};
00188 
/** Default cross-signed certificate source
 *
 * Build-time value (CROSSCERT from config/crypto.h), used only when
 * the crosscert setting is absent.  An empty string here (with no
 * setting present) makes validator_start_download() fail with -EINVAL.
 */
static const char crosscert_default[] = CROSSCERT;
00191 
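/**
 * Append cross-signing certificates to certificate chain
 *
 * Completion handler for a cross-signing certificate download (see
 * validator_crosscert).  The downloaded data must be an ASN.1 SET of
 * certificates (a certificateSet); each member is parsed into a
 * temporary list, which is then offered to x509_auto_append().  The
 * validator's chain is compared before and after that call: if its
 * last certificate is unchanged, nothing usable arrived and -EACCES
 * is returned, so that the validation process fails rather than
 * re-requesting the same download.
 *
 * @v validator         Certificate validator
 * @v data              Raw cross-signing certificate data
 * @v len               Length of raw data
 * @ret rc              Return status code
 */
static int validator_append ( struct validator *validator,
                              const void *data, size_t len ) {
        struct asn1_cursor cursor;
        struct x509_chain *certs;
        struct x509_certificate *cert;
        struct x509_certificate *last;
        int rc;

        /* Allocate certificate list */
        certs = x509_alloc_chain();
        if ( ! certs ) {
                rc = -ENOMEM;
                goto err_alloc_certs;
        }

        /* Initialise cursor over the (untrusted) downloaded data */
        cursor.data = data;
        cursor.len = len;

        /* Enter certificateSet */
        if ( ( rc = asn1_enter ( &cursor, ASN1_SET ) ) != 0 ) {
                DBGC ( validator, "VALIDATOR %p \"%s\" could not enter "
                       "certificateSet: %s\n", validator,
                       validator_name ( validator ), strerror ( rc ) );
                goto err_certificateset;
        }

        /* Add each certificate to list */
        while ( cursor.len ) {

                /* Add certificate to list.  On failure the temporary
                 * list must still be released (this path previously
                 * returned directly and leaked it).
                 */
                if ( ( rc = x509_append_raw ( certs, cursor.data,
                                              cursor.len ) ) != 0 ) {
                        DBGC ( validator, "VALIDATOR %p \"%s\" could not "
                               "append certificate: %s\n", validator,
                               validator_name ( validator ), strerror ( rc ) );
                        DBGC_HDA ( validator, 0, cursor.data, cursor.len );
                        goto err_append_raw;
                }
                cert = x509_last ( certs );
                DBGC ( validator, "VALIDATOR %p \"%s\" found certificate ",
                       validator, validator_name ( validator ) );
                DBGC ( validator, "%s\n", x509_name ( cert ) );

                /* Move to next certificate */
                asn1_skip_any ( &cursor );
        }

        /* Append certificates to chain, remembering the current tail
         * so that progress can be measured afterwards.
         */
        last = x509_last ( validator->chain );
        if ( ( rc = x509_auto_append ( validator->chain, certs ) ) != 0 ) {
                DBGC ( validator, "VALIDATOR %p \"%s\" could not append "
                       "certificates: %s\n", validator,
                       validator_name ( validator ), strerror ( rc ) );
                goto err_auto_append;
        }

        /* Check that at least one certificate has been added; without
         * this, validator_step() would start the same download again.
         */
        if ( last == x509_last ( validator->chain ) ) {
                DBGC ( validator, "VALIDATOR %p \"%s\" failed to append any "
                       "applicable certificates\n", validator,
                       validator_name ( validator ) );
                rc = -EACCES;
                goto err_no_progress;
        }

        /* Drop reference to certificate list */
        x509_chain_put ( certs );

        return 0;

 err_no_progress:
 err_auto_append:
 err_append_raw:
 err_certificateset:
        x509_chain_put ( certs );
 err_alloc_certs:
        return rc;
}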
00278 
/** Cross-signing certificate download validator action
 *
 * Installed by validator_start_download(); the downloaded
 * certificateSet is handed to validator_append().
 */
static const struct validator_action validator_crosscert = {
        .name = "XCRT",
        .done = validator_append,
};
00284 
/**
 * Start download of cross-signing certificate
 *
 * Builds the URI "<crosscert>/<crc32 of raw issuer DN>.der?subject=
 * <base64 of raw issuer DN>" and opens it on the validator's data
 * transfer interface.  Completion is handled by validator_xfer_close(),
 * which passes the data to validator_append().
 *
 * @v validator         Certificate validator
 * @v cert              X.509 certificate
 * @ret rc              Return status code
 */
static int validator_start_download ( struct validator *validator,
                                      struct x509_certificate *cert ) {
        const struct asn1_cursor *issuer = &cert->issuer.raw;
        const char *crosscert;
        char *crosscert_copy;
        char *uri_string;
        size_t uri_string_len;
        uint32_t crc;
        int len;
        int rc;

        /* Determine cross-signed certificate source.  The setting is
         * fetched from any scope (NULL), so it may originate from the
         * network (crosscert_setting carries a DHCP tag); the base URI
         * is therefore not trusted, and what it serves only matters if
         * validator_append() and a later x509_validate_chain() accept
         * it.  NOTE(review): the return value of
         * fetch_string_setting_copy() is not checked; this relies on
         * crosscert_copy being left NULL on failure — confirm against
         * settings.c.
         */
        fetch_string_setting_copy ( NULL, &crosscert_setting, &crosscert_copy );
        crosscert = ( crosscert_copy ? crosscert_copy : crosscert_default );
        if ( ! crosscert[0] ) {
                /* No source configured: cannot proceed */
                rc = -EINVAL;
                goto err_check_uri_string;
        }

        /* Allocate URI string: "/" + 8 hex digits + ".der" +
         * "?subject=" is 22 characters, followed by the base64-encoded
         * issuer and a NUL.
         */
        uri_string_len = ( strlen ( crosscert ) + 22 /* "/%08x.der?subject=" */
                           + base64_encoded_len ( issuer->len ) + 1 /* NUL */ );
        uri_string = zalloc ( uri_string_len );
        if ( ! uri_string ) {
                rc = -ENOMEM;
                goto err_alloc_uri_string;
        }

        /* Generate CRC32 of the raw issuer DN; it forms the file name */
        crc = crc32_le ( 0xffffffffUL, issuer->data, issuer->len );

        /* Generate URI string: snprintf() returns the length of the
         * prefix (the allocation above guarantees it fits), and the
         * base64 issuer is encoded into the remaining space.
         */
        len = snprintf ( uri_string, uri_string_len, "%s/%08x.der?subject=",
                         crosscert, crc );
        base64_encode ( issuer->data, issuer->len, ( uri_string + len ),
                        ( uri_string_len - len ) );
        DBGC ( validator, "VALIDATOR %p \"%s\" downloading ",
               validator, validator_name ( validator ) );
        DBGC ( validator, "\"%s\" cross-signature from %s\n",
               x509_name ( cert ), uri_string );

        /* Set completion handler: validator_xfer_close() will call
         * validator_append() with the downloaded data.
         */
        validator->action = &validator_crosscert;
        validator->cert = cert;

        /* Open URI */
        if ( ( rc = xfer_open_uri_string ( &validator->xfer,
                                           uri_string ) ) != 0 ) {
                DBGC ( validator, "VALIDATOR %p \"%s\" could not open %s: "
                       "%s\n", validator, validator_name ( validator ),
                       uri_string, strerror ( rc ) );
                goto err_open_uri_string;
        }

        /* Success */
        rc = 0;

 err_open_uri_string:
        /* The URI string is not needed after the open call, on either path */
        free ( uri_string );
 err_alloc_uri_string:
 err_check_uri_string:
        free ( crosscert_copy );
        return rc;
}
00356 
00357 /****************************************************************************
00358  *
00359  * OCSP checks
00360  *
00361  */
00362 
/**
 * Validate OCSP response
 *
 * Completion handler for an OCSP transfer (see validator_ocsp).  The
 * response is recorded against the outstanding check and validated
 * against the current time; on success the check is released so that
 * the next validator_step() pass may start another.
 *
 * @v validator         Certificate validator
 * @v data              Raw OCSP response
 * @v len               Length of raw data
 * @ret rc              Return status code
 */
static int validator_ocsp_validate ( struct validator *validator,
                                     const void *data, size_t len ) {
        struct ocsp_check *ocsp = validator->ocsp;
        time_t current_time;
        int rc;

        /* Record OCSP response against the outstanding check */
        rc = ocsp_response ( ocsp, data, len );
        if ( rc != 0 ) {
                DBGC ( validator, "VALIDATOR %p \"%s\" could not record OCSP "
                       "response: %s\n", validator,
                       validator_name ( validator ),strerror ( rc ) );
                return rc;
        }

        /* Validate the recorded response as of now */
        current_time = time ( NULL );
        rc = ocsp_validate ( ocsp, current_time );
        if ( rc != 0 ) {
                DBGC ( validator, "VALIDATOR %p \"%s\" could not validate "
                       "OCSP response: %s\n", validator,
                       validator_name ( validator ), strerror ( rc ) );
                return rc;
        }

        /* Check complete: release it and clear the slot */
        validator->ocsp = NULL;
        ocsp_put ( ocsp );

        return 0;
}
00399 
/** OCSP validator action
 *
 * Installed by validator_start_ocsp(); the downloaded response is
 * handed to validator_ocsp_validate().
 */
static const struct validator_action validator_ocsp = {
        .name = "OCSP",
        .done = validator_ocsp_validate,
};
00405 
/**
 * Start OCSP check
 *
 * Creates the OCSP check for @c cert (signed by @c issuer) and opens
 * the check's responder URI on the data transfer interface.  The
 * response is handled by validator_xfer_close() via
 * validator_ocsp_validate().
 *
 * @v validator         Certificate validator
 * @v cert              Certificate to check
 * @v issuer            Issuing certificate
 * @ret rc              Return status code
 */
static int validator_start_ocsp ( struct validator *validator,
                                  struct x509_certificate *cert,
                                  struct x509_certificate *issuer ) {
        const char *uri;
        int rc;

        /* Only one OCSP check may be outstanding at a time */
        assert ( validator->ocsp == NULL );

        /* Create OCSP check */
        rc = ocsp_check ( cert, issuer, &validator->ocsp );
        if ( rc != 0 ) {
                DBGC ( validator, "VALIDATOR %p \"%s\" could not create OCSP "
                       "check: %s\n", validator, validator_name ( validator ),
                       strerror ( rc ) );
                return rc;
        }

        /* Completed transfer is to be handled by validator_ocsp_validate() */
        validator->action = &validator_ocsp;
        validator->cert = cert;

        /* Open the responder URI recorded in the check */
        uri = validator->ocsp->uri_string;
        DBGC ( validator, "VALIDATOR %p \"%s\" checking ",
               validator, validator_name ( validator ) );
        DBGC ( validator, "\"%s\" via %s\n",
               x509_name ( cert ), uri );
        rc = xfer_open_uri_string ( &validator->xfer, uri );
        if ( rc != 0 ) {
                DBGC ( validator, "VALIDATOR %p \"%s\" could not open %s: "
                       "%s\n", validator, validator_name ( validator ),
                       uri, strerror ( rc ) );
        }

        return rc;
}
00449 
00450 /****************************************************************************
00451  *
00452  * Data transfer interface
00453  *
00454  */
00455 
/**
 * Close data transfer interface
 *
 * Runs when the current download (cross-signing certificate or OCSP
 * response) ends.  A transfer error ends the whole validation with
 * that error; a completed transfer is handed to the current action's
 * done() handler, after which the validation process is resumed.
 *
 * @v validator         Certificate validator
 * @v rc                Reason for close
 */
static void validator_xfer_close ( struct validator *validator, int rc ) {

        /* Close data transfer interface.  A restart (rather than a
         * shutdown) is used here so that the same interface can
         * presumably be reopened by the next
         * validator_start_download()/validator_start_ocsp() call.
         */
        intf_restart ( &validator->xfer, rc );

        /* Check for errors: a failed download is fatal */
        if ( rc != 0 ) {
                DBGC ( validator, "VALIDATOR %p \"%s\" transfer failed: %s\n",
                       validator, validator_name ( validator ),
                       strerror ( rc ) );
                goto err_transfer;
        }
        DBGC2 ( validator, "VALIDATOR %p \"%s\" transfer complete\n",
                validator, validator_name ( validator ) );

        /* Process completed download: the buffer holds everything
         * delivered via validator_xfer_deliver().  An action is always
         * installed before a transfer is opened.
         */
        assert ( validator->action != NULL );
        if ( ( rc = validator->action->done ( validator, validator->buffer.data,
                                              validator->buffer.len ) ) != 0 )
                goto err_append;

        /* Free downloaded data, ready for the next transfer.  (On the
         * error path below the buffer is instead freed by
         * validator_free().)
         */
        xferbuf_free ( &validator->buffer );

        /* Resume validation process: validator_step() runs again */
        process_add ( &validator->process );

        return;

 err_append:
 err_transfer:
        validator_finished ( validator, rc );
}
00495 
/**
 * Receive data
 *
 * Appends received data to the validator's buffer, which is consumed
 * as a whole once the transfer closes.  A delivery failure ends the
 * validation.
 *
 * @v validator         Certificate validator
 * @v iobuf             I/O buffer
 * @v meta              Data transfer metadata
 * @ret rc              Return status code
 */
static int validator_xfer_deliver ( struct validator *validator,
                                    struct io_buffer *iobuf,
                                    struct xfer_metadata *meta ) {
        int rc;

        /* Hand the I/O buffer over to the transfer buffer */
        rc = xferbuf_deliver ( &validator->buffer, iob_disown ( iobuf ), meta );
        if ( rc == 0 )
                return 0;

        /* Could not buffer the data: abort the whole validation */
        DBGC ( validator, "VALIDATOR %p \"%s\" could not receive "
               "data: %s\n", validator, validator_name ( validator ),
               strerror ( rc ) );
        validator_finished ( validator, rc );
        return rc;
}
00521 
/** Certificate validator data transfer interface operations
 *
 * Data is buffered by validator_xfer_deliver(); the close of the
 * transfer drives the next step via validator_xfer_close().
 */
static struct interface_operation validator_xfer_operations[] = {
        INTF_OP ( xfer_deliver, struct validator *, validator_xfer_deliver ),
        INTF_OP ( intf_close, struct validator *, validator_xfer_close ),
};
00527 
/** Certificate validator data transfer interface descriptor
 *
 * Binds the transfer operations above to the @c xfer member of
 * struct validator.
 */
static struct interface_descriptor validator_xfer_desc =
        INTF_DESC ( struct validator, xfer, validator_xfer_operations );
00531 
00532 /****************************************************************************
00533  *
00534  * Validation process
00535  *
00536  */
00537 
/**
 * Certificate validation process
 *
 * Runs once after creation and again after each completed download
 * (validator_xfer_close() re-adds the process).  Every pass either
 * finishes the validator or starts exactly one further transfer: an
 * OCSP check for the first certificate whose issuer is already valid,
 * or a cross-signing certificate download for the chain's last
 * certificate.
 *
 * @v validator         Certificate validator
 */
static void validator_step ( struct validator *validator ) {
        struct x509_link *link;
        struct x509_certificate *cert;
        struct x509_certificate *issuer = NULL;
        struct x509_certificate *last;
        time_t now;
        int rc;

        /* Try validating chain.  Try even if the chain is incomplete,
         * since certificates may already have been validated
         * previously.
         */
        now = time ( NULL );
        if ( ( rc = x509_validate_chain ( validator->chain, now, NULL,
                                          NULL ) ) == 0 ) {
                DBGC ( validator, "VALIDATOR %p \"%s\" validated\n",
                       validator, validator_name ( validator ) );
                validator_finished ( validator, 0 );
                return;
        }

        /* If there is a certificate that could be validated using
         * OCSP, try it.  The loop walks adjacent pairs: cert is the
         * previous link's certificate, issuer the current one's.
         */
        list_for_each_entry ( link, &validator->chain->links, list ) {
                cert = issuer;
                issuer = link->cert;
                if ( ! cert )
                        continue;
                if ( ! x509_is_valid ( issuer ) )
                        continue;
                /* The issuer is valid, but this certificate is not
                 * yet valid.  If OCSP is applicable, start it.
                 * NOTE(review): after a successful OCSP check this pass
                 * runs again; it presumably then finds ocsp_required()
                 * false for the same certificate and drops through to
                 * the permanent failure below rather than looping —
                 * confirm against ocsp_required().
                 */
                if ( ocsp_required ( cert ) ) {
                        /* Start OCSP */
                        if ( ( rc = validator_start_ocsp ( validator, cert,
                                                           issuer ) ) != 0 ) {
                                validator_finished ( validator, rc );
                                return;
                        }
                        return;
                }
                /* Otherwise, this is a permanent failure; rc is still
                 * the status from x509_validate_chain() above.
                 */
                validator_finished ( validator, rc );
                return;
        }

        /* If chain ends with a self-issued certificate, then there is
         * nothing more to do.  (Compared on the raw issuer and subject
         * DNs; rc is still the x509_validate_chain() status.)
         */
        last = x509_last ( validator->chain );
        if ( asn1_compare ( &last->issuer.raw, &last->subject.raw ) == 0 ) {
                validator_finished ( validator, rc );
                return;
        }

        /* Otherwise, try to download a suitable cross-signing
         * certificate.  validator_append() fails the job if the
         * download adds nothing to the chain, so this cannot repeat
         * the same request indefinitely.
         */
        if ( ( rc = validator_start_download ( validator, last ) ) != 0 ) {
                validator_finished ( validator, rc );
                return;
        }
}
00608 
/** Certificate validator process descriptor
 *
 * Declared as a run-once process (PROC_DESC_ONCE): each
 * process_add() in create_validator() or validator_xfer_close()
 * yields a single validator_step() pass.
 */
static struct process_descriptor validator_process_desc =
        PROC_DESC_ONCE ( struct validator, process, validator_step );
00612 
00613 /****************************************************************************
00614  *
00615  * Instantiator
00616  *
00617  */
00618 
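/**
 * Instantiate a certificate validator
 *
 * Allocates a validator for @c chain (a reference to which is taken),
 * plugs its job interface into @c job and mortalises it: the creator's
 * reference is dropped here, so the validator lives only as long as
 * its interfaces and process hold references, and the result is
 * reported by validator_finished() closing the job interface.
 *
 * @v job               Job control interface
 * @v chain             X.509 certificate chain
 * @ret rc              Return status code
 */
int create_validator ( struct interface *job, struct x509_chain *chain ) {
        struct validator *validator;
        int rc;

        /* Sanity check */
        if ( ! chain ) {
                rc = -EINVAL;
                goto err_sanity;
        }

        /* Allocate and initialise structure */
        validator = zalloc ( sizeof ( *validator ) );
        if ( ! validator ) {
                rc = -ENOMEM;
                goto err_alloc;
        }
        ref_init ( &validator->refcnt, validator_free );
        intf_init ( &validator->job, &validator_job_desc,
                    &validator->refcnt );
        intf_init ( &validator->xfer, &validator_xfer_desc,
                    &validator->refcnt );
        process_init ( &validator->process, &validator_process_desc,
                       &validator->refcnt );
        validator->chain = x509_chain_get ( chain );
        xferbuf_malloc_init ( &validator->buffer );

        /* Attach parent interface, mortalise self, and return.  No
         * failure is possible after this point, so the former
         * unreachable validator_finished()/ref_put() cleanup that
         * followed the return has been removed.
         */
        intf_plug_plug ( &validator->job, job );
        ref_put ( &validator->refcnt );
        DBGC2 ( validator, "VALIDATOR %p \"%s\" validating X509 chain %p\n",
                validator, validator_name ( validator ), validator->chain );
        return 0;

 err_alloc:
 err_sanity:
        return rc;
}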