iPXE
certstore.c
Go to the documentation of this file.
1 /*
2  * Copyright (C) 2014 Michael Brown <mbrown@fensystems.co.uk>.
3  *
4  * This program is free software; you can redistribute it and/or
5  * modify it under the terms of the GNU General Public License as
6  * published by the Free Software Foundation; either version 2 of the
7  * License, or any later version.
8  *
9  * This program is distributed in the hope that it will be useful, but
10  * WITHOUT ANY WARRANTY; without even the implied warranty of
11  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
12  * General Public License for more details.
13  *
14  * You should have received a copy of the GNU General Public License
15  * along with this program; if not, write to the Free Software
16  * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
17  * 02110-1301, USA.
18  *
19  * You can also choose to distribute this program under the terms of
20  * the Unmodified Binary Distribution Licence (as given in the file
21  * COPYING.UBDL), provided that you have satisfied its requirements.
22  */
23 
24 FILE_LICENCE ( GPL2_OR_LATER_OR_UBDL );
25 
26 #include <string.h>
27 #include <stdlib.h>
28 #include <ipxe/init.h>
29 #include <ipxe/dhcp.h>
30 #include <ipxe/settings.h>
31 #include <ipxe/malloc.h>
32 #include <ipxe/crypto.h>
33 #include <ipxe/asn1.h>
34 #include <ipxe/x509.h>
35 #include <ipxe/certstore.h>
36 
37 /** @file
38  *
39  * Certificate store
40  *
41  */
42 
43 /** Raw certificate data for all permanent stored certificates */
44 #undef CERT
45 #define CERT( _index, _path ) \
46  extern char stored_cert_ ## _index ## _data[]; \
47  extern char stored_cert_ ## _index ## _len[]; \
48  __asm__ ( ".section \".rodata\", \"a\", " PROGBITS "\n\t" \
49  "\nstored_cert_" #_index "_data:\n\t" \
50  ".incbin \"" _path "\"\n\t" \
51  "\nstored_cert_" #_index "_end:\n\t" \
52  ".equ stored_cert_" #_index "_len, " \
53  "( stored_cert_" #_index "_end - " \
54  " stored_cert_" #_index "_data )\n\t" \
55  ".previous\n\t" );
56 CERT_ALL
57 
58 /** Raw certificate cursors for all permanent stored certificates */
59 #undef CERT
60 #define CERT( _index, _path ) { \
61  .data = stored_cert_ ## _index ## _data, \
62  .len = ( size_t ) stored_cert_ ## _index ## _len, \
63 },
64 static struct asn1_cursor certstore_raw[] = {
65  CERT_ALL
66 };
67 
68 /** X.509 certificate structures for all permanent stored certificates */
69 static struct x509_certificate certstore_certs[ sizeof ( certstore_raw ) /
70  sizeof ( certstore_raw[0] ) ];
71 
72 /**
73  * Mark stored certificate as most recently used
74  *
75  * @v store Certificate store
76  * @v cert X.509 certificate
77  */
78 static void certstore_found ( struct x509_chain *store,
79  struct x509_certificate *cert ) {
80 
81  /* Mark as most recently used */
82  list_del ( &cert->store.list );
83  list_add ( &cert->store.list, &store->links );
84  DBGC2 ( store, "CERTSTORE found certificate %s\n",
85  x509_name ( cert ) );
86 }
87 
88 /** Certificate store */
91  .links = LIST_HEAD_INIT ( certstore.links ),
92  .found = certstore_found,
93 };
94 
95 /**
96  * Add certificate to store
97  *
98  * @v cert X.509 certificate
99  */
100 void certstore_add ( struct x509_certificate *cert ) {
101 
102  /* Add certificate to store */
103  cert->store.cert = cert;
104  x509_get ( cert );
105  list_add ( &cert->store.list, &certstore.links );
106  DBGC ( &certstore, "CERTSTORE added certificate %s\n",
107  x509_name ( cert ) );
108 }
109 
110 /**
111  * Remove certificate from store
112  *
113  * @v cert X.509 certificate
114  */
115 void certstore_del ( struct x509_certificate *cert ) {
116 
117  /* Ignore attempts to remove permanent certificates */
118  if ( cert->flags & X509_FL_PERMANENT )
119  return;
120 
121  /* Remove certificate from store */
122  DBGC ( &certstore, "CERTSTORE removed certificate %s\n",
123  x509_name ( cert ) );
124  list_del ( &cert->store.list );
125  x509_put ( cert );
126 }
127 
128 /**
129  * Discard a stored certificate
130  *
131  * @ret discarded Number of cached items discarded
132  */
133 static unsigned int certstore_discard ( void ) {
134  struct x509_certificate *cert;
135 
136  /* Discard the least recently used certificate for which the
137  * only reference is held by the store itself.
138  */
140 
141  /* Skip certificates for which another reference is held */
142  if ( cert->refcnt.count > 0 )
143  continue;
144 
145  /* Skip certificates that were added at build time or
146  * added explicitly at run time.
147  */
148  if ( cert->flags & ( X509_FL_PERMANENT | X509_FL_EXPLICIT ) )
149  continue;
150 
151  /* Discard certificate */
152  certstore_del ( cert );
153  return 1;
154  }
155 
156  return 0;
157 }
158 
159 /** Certificate store cache discarder */
160 struct cache_discarder certstore_discarder __cache_discarder ( CACHE_NORMAL ) ={
162 };
163 
164 /**
165  * Construct permanent certificate store
166  *
167  */
168 static void certstore_init ( void ) {
169  struct asn1_cursor *raw;
170  struct x509_certificate *cert;
171  int i;
172  int rc;
173 
174  /* Skip if we have no permanent stored certificates */
175  if ( ! sizeof ( certstore_raw ) )
176  return;
177 
178  /* Add certificates */
179  for ( i = 0 ; i < ( int ) ( sizeof ( certstore_raw ) /
180  sizeof ( certstore_raw[0] ) ) ; i++ ) {
181 
182  /* Skip if certificate already present in store */
183  raw = &certstore_raw[i];
184  if ( ( cert = x509_find ( &certstore, raw ) ) != NULL ) {
185  DBGC ( &certstore, "CERTSTORE permanent certificate %d "
186  "is a duplicate of %s\n", i, x509_name ( cert ));
187  continue;
188  }
189 
190  /* Parse certificate */
191  cert = &certstore_certs[i];
192  ref_init ( &cert->refcnt, ref_no_free );
193  if ( ( rc = x509_parse ( cert, raw ) ) != 0 ) {
194  DBGC ( &certstore, "CERTSTORE could not parse "
195  "permanent certificate %d: %s\n",
196  i, strerror ( rc ) );
197  continue;
198  }
199 
200  /* Add certificate to store. Certificate will never
201  * be discarded from the store, since we retain a
202  * permanent reference to it.
203  */
204  certstore_add ( cert );
205  cert->flags |= X509_FL_PERMANENT;
206  DBGC ( &certstore, "CERTSTORE permanent certificate %d is %s\n",
207  i, x509_name ( cert ) );
208  }
209 }
210 
211 /** Certificate store initialisation function */
212 struct init_fn certstore_init_fn __init_fn ( INIT_LATE ) = {
214 };
215 
216 /** Additional certificate setting */
217 static struct setting cert_setting __setting ( SETTING_CRYPTO, cert ) = {
218  .name = "cert",
219  .description = "Certificate",
220  .tag = DHCP_EB_CERT,
221  .type = &setting_type_hex,
222 };
223 
224 /**
225  * Apply certificate store configuration settings
226  *
227  * @ret rc Return status code
228  */
229 static int certstore_apply_settings ( void ) {
230  static struct x509_certificate *cert = NULL;
231  struct x509_certificate *old_cert;
232  void *cert_data;
233  int len;
234  int rc;
235 
236  /* Record any existing additional certificate */
237  old_cert = cert;
238  cert = NULL;
239 
240  /* Add additional certificate, if any */
241  if ( ( len = fetch_raw_setting_copy ( NULL, &cert_setting,
242  &cert_data ) ) >= 0 ) {
243  if ( ( rc = x509_certificate ( cert_data, len, &cert ) ) == 0 ){
244  DBGC ( &certstore, "CERTSTORE added additional "
245  "certificate %s\n", x509_name ( cert ) );
246  } else {
247  DBGC ( &certstore, "CERTSTORE could not parse "
248  "additional certificate: %s\n",
249  strerror ( rc ) );
250  /* Do not fail; leave as an unusable certificate */
251  }
252  free ( cert_data );
253  }
254 
255  /* Free old additional certificiate. Do this after reparsing
256  * the additional certificate; in the common case that the
257  * certificate has not changed, this will allow the stored
258  * certificate to be reused.
259  */
260  x509_put ( old_cert );
261 
262  return 0;
263 }
264 
265 /** Certificate store settings applicator */
266 struct settings_applicator certstore_applicator __settings_applicator = {
268 };
struct arbelprm_rc_send_wqe rc
Definition: arbel.h:14
Dynamic Host Configuration Protocol.
struct x509_chain certstore
Certificate store.
Definition: certstore.c:89
void(* initialise)(void)
Definition: init.h:15
static struct x509_certificate * x509_get(struct x509_certificate *cert)
Get reference to X.509 certificate.
Definition: x509.h:266
struct refcnt refcnt
Reference count.
Definition: x509.h:217
#define list_add(new, head)
Add a new entry to the head of a list.
Definition: list.h:69
int fetch_raw_setting_copy(struct settings *settings, const struct setting *setting, void **data)
Fetch value of setting.
Definition: settings.c:821
struct list_head links
List of links.
Definition: x509.h:204
#define ref_init(refcnt, free)
Initialise a reference counter.
Definition: refcnt.h:64
FILE_LICENCE(GPL2_OR_LATER_OR_UBDL)
static struct asn1_cursor certstore_raw[]
Definition: certstore.c:64
#define DBGC(...)
Definition: compiler.h:505
void certstore_add(struct x509_certificate *cert)
Add certificate to store.
Definition: certstore.c:100
A settings applicator.
Definition: settings.h:251
Cryptographic API.
void certstore_del(struct x509_certificate *cert)
Remove certificate from store.
Definition: certstore.c:115
unsigned int flags
Flags.
Definition: x509.h:223
Dynamic memory allocation.
const char * name
Name.
Definition: settings.h:28
struct init_fn certstore_init_fn __init_fn(INIT_LATE)
Certificate store initialisation function.
#define list_del(list)
Delete an entry from a list.
Definition: list.h:119
An X.509 certificate chain.
Definition: x509.h:200
Certificate store.
int count
Current reference count.
Definition: refcnt.h:32
An initialisation function.
Definition: init.h:14
static int certstore_apply_settings(void)
Apply certificate store configuration settings.
Definition: certstore.c:229
ASN.1 encoding.
unsigned int(* discard)(void)
Discard some cached data.
Definition: malloc.h:89
#define list_for_each_entry_reverse(pos, head, member)
Iterate over entries in a list in reverse order.
Definition: list.h:444
Configuration settings.
char * strerror(int errno)
Retrieve string representation of error number.
Definition: strerror.c:78
An X.509 certificate.
Definition: x509.h:215
static void(* free)(struct refcnt *refcnt))
Definition: refcnt.h:54
struct x509_certificate * x509_find(struct x509_chain *store, const struct asn1_cursor *raw)
Identify X.509 certificate by raw certificate data.
Definition: x509.c:1732
A cache discarder.
Definition: malloc.h:83
static void certstore_found(struct x509_chain *store, struct x509_certificate *cert)
Mark stored certificate as most recently used.
Definition: certstore.c:78
X.509 certificates.
struct cache_discarder certstore_discarder __cache_discarder(CACHE_NORMAL)
Certificate store cache discarder.
#define CACHE_NORMAL
Items with a normal replacement cost.
Definition: malloc.h:104
A setting.
Definition: settings.h:23
Certificate was added at build time.
Definition: x509.h:254
static unsigned int certstore_discard(void)
Discard a stored certificate.
Definition: certstore.c:133
const char * x509_name(struct x509_certificate *cert)
Get X.509 certificate display name.
Definition: x509.c:146
#define DBGC2(...)
Definition: compiler.h:522
#define DHCP_EB_CERT
Client certficate.
Definition: dhcp.h:417
static void x509_put(struct x509_certificate *cert)
Drop reference to X.509 certificate.
Definition: x509.h:277
static struct x509_certificate certstore_certs[sizeof(certstore_raw)/sizeof(certstore_raw[0])]
X.509 certificate structures for all permanent stored certificates.
Definition: certstore.c:69
struct x509_link store
Link in certificate store.
Definition: x509.h:220
#define REF_INIT(free_fn)
Initialise a static reference counter.
Definition: refcnt.h:77
__be32 raw[7]
Definition: CIB_PRM.h:28
int(* apply)(void)
Apply updated settings.
Definition: settings.h:256
#define SETTING_CRYPTO
Cryptography settings.
Definition: settings.h:79
#define INIT_LATE
Late initialisation.
Definition: init.h:31
#define LIST_HEAD_INIT(list)
Initialise a static list head.
Definition: list.h:30
struct settings_applicator certstore_applicator __settings_applicator
Certificate store settings applicator.
Definition: certstore.c:266
static void certstore_init(void)
Construct permanent certificate store.
Definition: certstore.c:168
uint32_t len
Length.
Definition: ena.h:14
void ref_no_free(struct refcnt *refcnt __unused)
Do not free reference-counted object.
Definition: refcnt.c:101
#define NULL
NULL pointer (VOID *)
Definition: Base.h:321
Certificate was added explicitly at run time.
Definition: x509.h:256
String functions.
An ASN.1 object cursor.
Definition: asn1.h:20
int x509_parse(struct x509_certificate *cert, const struct asn1_cursor *raw)
Parse X.509 certificate from ASN.1 data.
Definition: x509.c:1004
struct refcnt refcnt
Reference count.
Definition: x509.h:202
static struct setting cert_setting __setting(SETTING_CRYPTO, cert)
Additional certificate setting.