[ipoib] Avoid unnecessary path record lookup for broadcast address
[ipxe.git] / src / net / validator.c
1 /*
2 * Copyright (C) 2012 Michael Brown <mbrown@fensystems.co.uk>.
3 *
4 * This program is free software; you can redistribute it and/or
5 * modify it under the terms of the GNU General Public License as
6 * published by the Free Software Foundation; either version 2 of the
7 * License, or (at your option) any later version.
8 *
9 * This program is distributed in the hope that it will be useful, but
10 * WITHOUT ANY WARRANTY; without even the implied warranty of
11 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
12 * General Public License for more details.
13 *
14 * You should have received a copy of the GNU General Public License
15 * along with this program; if not, write to the Free Software
16 * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
17 * 02110-1301, USA.
18 *
19 * You can also choose to distribute this program under the terms of
20 * the Unmodified Binary Distribution Licence (as given in the file
21 * COPYING.UBDL), provided that you have satisfied its requirements.
22 */
23
24 FILE_LICENCE ( GPL2_OR_LATER_OR_UBDL );
25
26 #include <string.h>
27 #include <stdio.h>
28 #include <errno.h>
29 #include <ipxe/refcnt.h>
30 #include <ipxe/malloc.h>
31 #include <ipxe/interface.h>
32 #include <ipxe/xfer.h>
33 #include <ipxe/open.h>
34 #include <ipxe/iobuf.h>
35 #include <ipxe/xferbuf.h>
36 #include <ipxe/process.h>
37 #include <ipxe/x509.h>
38 #include <ipxe/settings.h>
39 #include <ipxe/dhcp.h>
40 #include <ipxe/base64.h>
41 #include <ipxe/crc32.h>
42 #include <ipxe/ocsp.h>
43 #include <ipxe/validator.h>
44
45 /** @file
46 *
47 * Certificate validator
48 *
49 */
50
51 /** A certificate validator */
52 struct validator {
53 /** Reference count */
54 struct refcnt refcnt;
55 /** Job control interface */
56 struct interface job;
57 /** Data transfer interface */
58 struct interface xfer;
59
60 /** Process */
61 struct process process;
62
63 /** X.509 certificate chain */
64 struct x509_chain *chain;
65 /** OCSP check */
66 struct ocsp_check *ocsp;
67 /** Data buffer */
68 struct xfer_buffer buffer;
69 /** Action to take upon completed transfer */
70 int ( * done ) ( struct validator *validator, const void *data,
71 size_t len );
72 };
73
74 /**
75 * Free certificate validator
76 *
77 * @v refcnt Reference count
78 */
79 static void validator_free ( struct refcnt *refcnt ) {
80 struct validator *validator =
81 container_of ( refcnt, struct validator, refcnt );
82
83 DBGC2 ( validator, "VALIDATOR %p freed\n", validator );
84 x509_chain_put ( validator->chain );
85 ocsp_put ( validator->ocsp );
86 xferbuf_free ( &validator->buffer );
87 free ( validator );
88 }
89
90 /**
91 * Mark certificate validation as finished
92 *
93 * @v validator Certificate validator
94 * @v rc Reason for finishing
95 */
96 static void validator_finished ( struct validator *validator, int rc ) {
97
98 /* Remove process */
99 process_del ( &validator->process );
100
101 /* Close all interfaces */
102 intf_shutdown ( &validator->xfer, rc );
103 intf_shutdown ( &validator->job, rc );
104 }
105
106 /****************************************************************************
107 *
108 * Job control interface
109 *
110 */
111
112 /** Certificate validator job control interface operations */
113 static struct interface_operation validator_job_operations[] = {
114 INTF_OP ( intf_close, struct validator *, validator_finished ),
115 };
116
117 /** Certificate validator job control interface descriptor */
118 static struct interface_descriptor validator_job_desc =
119 INTF_DESC ( struct validator, job, validator_job_operations );
120
121 /****************************************************************************
122 *
123 * Cross-signing certificates
124 *
125 */
126
127 /** Cross-signed certificate source setting */
128 const struct setting crosscert_setting __setting ( SETTING_CRYPTO, crosscert )={
129 .name = "crosscert",
130 .description = "Cross-signed certificate source",
131 .tag = DHCP_EB_CROSS_CERT,
132 .type = &setting_type_string,
133 };
134
135 /** Default cross-signed certificate source */
136 static const char crosscert_default[] = "http://ca.ipxe.org/auto";
137
138 /**
139 * Append cross-signing certificates to certificate chain
140 *
141 * @v validator Certificate validator
142 * @v data Raw cross-signing certificate data
143 * @v len Length of raw data
144 * @ret rc Return status code
145 */
146 static int validator_append ( struct validator *validator,
147 const void *data, size_t len ) {
148 struct asn1_cursor cursor;
149 struct x509_chain *certs;
150 struct x509_certificate *cert;
151 struct x509_certificate *last;
152 int rc;
153
154 /* Allocate certificate list */
155 certs = x509_alloc_chain();
156 if ( ! certs ) {
157 rc = -ENOMEM;
158 goto err_alloc_certs;
159 }
160
161 /* Initialise cursor */
162 cursor.data = data;
163 cursor.len = len;
164
165 /* Enter certificateSet */
166 if ( ( rc = asn1_enter ( &cursor, ASN1_SET ) ) != 0 ) {
167 DBGC ( validator, "VALIDATOR %p could not enter "
168 "certificateSet: %s\n", validator, strerror ( rc ) );
169 goto err_certificateset;
170 }
171
172 /* Add each certificate to list */
173 while ( cursor.len ) {
174
175 /* Add certificate to chain */
176 if ( ( rc = x509_append_raw ( certs, cursor.data,
177 cursor.len ) ) != 0 ) {
178 DBGC ( validator, "VALIDATOR %p could not append "
179 "certificate: %s\n",
180 validator, strerror ( rc) );
181 DBGC_HDA ( validator, 0, cursor.data, cursor.len );
182 return rc;
183 }
184 cert = x509_last ( certs );
185 DBGC ( validator, "VALIDATOR %p found certificate %s\n",
186 validator, x509_name ( cert ) );
187
188 /* Move to next certificate */
189 asn1_skip_any ( &cursor );
190 }
191
192 /* Append certificates to chain */
193 last = x509_last ( validator->chain );
194 if ( ( rc = x509_auto_append ( validator->chain, certs ) ) != 0 ) {
195 DBGC ( validator, "VALIDATOR %p could not append "
196 "certificates: %s\n", validator, strerror ( rc ) );
197 goto err_auto_append;
198 }
199
200 /* Check that at least one certificate has been added */
201 if ( last == x509_last ( validator->chain ) ) {
202 DBGC ( validator, "VALIDATOR %p failed to append any "
203 "applicable certificates\n", validator );
204 rc = -EACCES;
205 goto err_no_progress;
206 }
207
208 /* Drop reference to certificate list */
209 x509_chain_put ( certs );
210
211 return 0;
212
213 err_no_progress:
214 err_auto_append:
215 err_certificateset:
216 x509_chain_put ( certs );
217 err_alloc_certs:
218 return rc;
219 }
220
221 /**
222 * Start download of cross-signing certificate
223 *
224 * @v validator Certificate validator
225 * @v issuer Required issuer
226 * @ret rc Return status code
227 */
228 static int validator_start_download ( struct validator *validator,
229 const struct asn1_cursor *issuer ) {
230 const char *crosscert;
231 char *crosscert_copy;
232 char *uri_string;
233 size_t uri_string_len;
234 uint32_t crc;
235 int len;
236 int rc;
237
238 /* Determine cross-signed certificate source */
239 fetch_string_setting_copy ( NULL, &crosscert_setting, &crosscert_copy );
240 crosscert = ( crosscert_copy ? crosscert_copy : crosscert_default );
241
242 /* Allocate URI string */
243 uri_string_len = ( strlen ( crosscert ) + 22 /* "/%08x.der?subject=" */
244 + base64_encoded_len ( issuer->len ) + 1 /* NUL */ );
245 uri_string = zalloc ( uri_string_len );
246 if ( ! uri_string ) {
247 rc = -ENOMEM;
248 goto err_alloc_uri_string;
249 }
250
251 /* Generate CRC32 */
252 crc = crc32_le ( 0xffffffffUL, issuer->data, issuer->len );
253
254 /* Generate URI string */
255 len = snprintf ( uri_string, uri_string_len, "%s/%08x.der?subject=",
256 crosscert, crc );
257 base64_encode ( issuer->data, issuer->len, ( uri_string + len ),
258 ( uri_string_len - len ) );
259 DBGC ( validator, "VALIDATOR %p downloading cross-signed certificate "
260 "from %s\n", validator, uri_string );
261
262 /* Set completion handler */
263 validator->done = validator_append;
264
265 /* Open URI */
266 if ( ( rc = xfer_open_uri_string ( &validator->xfer,
267 uri_string ) ) != 0 ) {
268 DBGC ( validator, "VALIDATOR %p could not open %s: %s\n",
269 validator, uri_string, strerror ( rc ) );
270 goto err_open_uri_string;
271 }
272
273 /* Success */
274 rc = 0;
275
276 err_open_uri_string:
277 free ( uri_string );
278 err_alloc_uri_string:
279 free ( crosscert_copy );
280 return rc;
281 }
282
283 /****************************************************************************
284 *
285 * OCSP checks
286 *
287 */
288
289 /**
290 * Validate OCSP response
291 *
292 * @v validator Certificate validator
293 * @v data Raw OCSP response
294 * @v len Length of raw data
295 * @ret rc Return status code
296 */
297 static int validator_ocsp_validate ( struct validator *validator,
298 const void *data, size_t len ) {
299 time_t now;
300 int rc;
301
302 /* Record OCSP response */
303 if ( ( rc = ocsp_response ( validator->ocsp, data, len ) ) != 0 ) {
304 DBGC ( validator, "VALIDATOR %p could not record OCSP "
305 "response: %s\n", validator, strerror ( rc ) );
306 return rc;
307 }
308
309 /* Validate OCSP response */
310 now = time ( NULL );
311 if ( ( rc = ocsp_validate ( validator->ocsp, now ) ) != 0 ) {
312 DBGC ( validator, "VALIDATOR %p could not validate OCSP "
313 "response: %s\n", validator, strerror ( rc ) );
314 return rc;
315 }
316
317 /* Drop reference to OCSP check */
318 ocsp_put ( validator->ocsp );
319 validator->ocsp = NULL;
320
321 return 0;
322 }
323
324 /**
325 * Start OCSP check
326 *
327 * @v validator Certificate validator
328 * @v cert Certificate to check
329 * @v issuer Issuing certificate
330 * @ret rc Return status code
331 */
332 static int validator_start_ocsp ( struct validator *validator,
333 struct x509_certificate *cert,
334 struct x509_certificate *issuer ) {
335 const char *uri_string;
336 int rc;
337
338 /* Create OCSP check */
339 assert ( validator->ocsp == NULL );
340 if ( ( rc = ocsp_check ( cert, issuer, &validator->ocsp ) ) != 0 ) {
341 DBGC ( validator, "VALIDATOR %p could not create OCSP check: "
342 "%s\n", validator, strerror ( rc ) );
343 return rc;
344 }
345
346 /* Set completion handler */
347 validator->done = validator_ocsp_validate;
348
349 /* Open URI */
350 uri_string = validator->ocsp->uri_string;
351 DBGC ( validator, "VALIDATOR %p performing OCSP check at %s\n",
352 validator, uri_string );
353 if ( ( rc = xfer_open_uri_string ( &validator->xfer,
354 uri_string ) ) != 0 ) {
355 DBGC ( validator, "VALIDATOR %p could not open %s: %s\n",
356 validator, uri_string, strerror ( rc ) );
357 return rc;
358 }
359
360 return 0;
361 }
362
363 /****************************************************************************
364 *
365 * Data transfer interface
366 *
367 */
368
369 /**
370 * Close data transfer interface
371 *
372 * @v validator Certificate validator
373 * @v rc Reason for close
374 */
375 static void validator_xfer_close ( struct validator *validator, int rc ) {
376
377 /* Close data transfer interface */
378 intf_restart ( &validator->xfer, rc );
379
380 /* Check for errors */
381 if ( rc != 0 ) {
382 DBGC ( validator, "VALIDATOR %p transfer failed: %s\n",
383 validator, strerror ( rc ) );
384 goto err_transfer;
385 }
386 DBGC2 ( validator, "VALIDATOR %p transfer complete\n", validator );
387
388 /* Process completed download */
389 assert ( validator->done != NULL );
390 if ( ( rc = validator->done ( validator, validator->buffer.data,
391 validator->buffer.len ) ) != 0 )
392 goto err_append;
393
394 /* Free downloaded data */
395 xferbuf_free ( &validator->buffer );
396
397 /* Resume validation process */
398 process_add ( &validator->process );
399
400 return;
401
402 err_append:
403 err_transfer:
404 validator_finished ( validator, rc );
405 }
406
407 /**
408 * Receive data
409 *
410 * @v validator Certificate validator
411 * @v iobuf I/O buffer
412 * @v meta Data transfer metadata
413 * @ret rc Return status code
414 */
415 static int validator_xfer_deliver ( struct validator *validator,
416 struct io_buffer *iobuf,
417 struct xfer_metadata *meta ) {
418 int rc;
419
420 /* Add data to buffer */
421 if ( ( rc = xferbuf_deliver ( &validator->buffer, iob_disown ( iobuf ),
422 meta ) ) != 0 ) {
423 DBGC ( validator, "VALIDATOR %p could not receive data: %s\n",
424 validator, strerror ( rc ) );
425 validator_finished ( validator, rc );
426 return rc;
427 }
428
429 return 0;
430 }
431
432 /** Certificate validator data transfer interface operations */
433 static struct interface_operation validator_xfer_operations[] = {
434 INTF_OP ( xfer_deliver, struct validator *, validator_xfer_deliver ),
435 INTF_OP ( intf_close, struct validator *, validator_xfer_close ),
436 };
437
438 /** Certificate validator data transfer interface descriptor */
439 static struct interface_descriptor validator_xfer_desc =
440 INTF_DESC ( struct validator, xfer, validator_xfer_operations );
441
442 /****************************************************************************
443 *
444 * Validation process
445 *
446 */
447
448 /**
449 * Certificate validation process
450 *
451 * @v validator Certificate validator
452 */
453 static void validator_step ( struct validator *validator ) {
454 struct x509_link *link;
455 struct x509_certificate *cert;
456 struct x509_certificate *issuer = NULL;
457 struct x509_certificate *last;
458 time_t now;
459 int rc;
460
461 /* Try validating chain. Try even if the chain is incomplete,
462 * since certificates may already have been validated
463 * previously.
464 */
465 now = time ( NULL );
466 if ( ( rc = x509_validate_chain ( validator->chain, now, NULL,
467 NULL ) ) == 0 ) {
468 validator_finished ( validator, 0 );
469 return;
470 }
471
472 /* If there is a certificate that could be validated using
473 * OCSP, try it.
474 */
475 list_for_each_entry ( link, &validator->chain->links, list ) {
476 cert = issuer;
477 issuer = link->cert;
478 if ( ! cert )
479 continue;
480 if ( ! issuer->valid )
481 continue;
482 /* The issuer is valid, but this certificate is not
483 * yet valid. If OCSP is applicable, start it.
484 */
485 if ( cert->extensions.auth_info.ocsp.uri.len &&
486 ( ! cert->extensions.auth_info.ocsp.good ) ) {
487 /* Start OCSP */
488 if ( ( rc = validator_start_ocsp ( validator, cert,
489 issuer ) ) != 0 ) {
490 validator_finished ( validator, rc );
491 return;
492 }
493 return;
494 }
495 /* Otherwise, this is a permanent failure */
496 validator_finished ( validator, rc );
497 return;
498 }
499
500 /* If chain ends with a self-issued certificate, then there is
501 * nothing more to do.
502 */
503 last = x509_last ( validator->chain );
504 if ( asn1_compare ( &last->issuer.raw, &last->subject.raw ) == 0 ) {
505 validator_finished ( validator, rc );
506 return;
507 }
508
509 /* Otherwise, try to download a suitable cross-signing
510 * certificate.
511 */
512 if ( ( rc = validator_start_download ( validator,
513 &last->issuer.raw ) ) != 0 ) {
514 validator_finished ( validator, rc );
515 return;
516 }
517 }
518
519 /** Certificate validator process descriptor */
520 static struct process_descriptor validator_process_desc =
521 PROC_DESC_ONCE ( struct validator, process, validator_step );
522
523 /****************************************************************************
524 *
525 * Instantiator
526 *
527 */
528
529 /**
530 * Instantiate a certificate validator
531 *
532 * @v job Job control interface
533 * @v chain X.509 certificate chain
534 * @ret rc Return status code
535 */
536 int create_validator ( struct interface *job, struct x509_chain *chain ) {
537 struct validator *validator;
538 int rc;
539
540 /* Sanity check */
541 if ( ! chain ) {
542 rc = -EINVAL;
543 goto err_sanity;
544 }
545
546 /* Allocate and initialise structure */
547 validator = zalloc ( sizeof ( *validator ) );
548 if ( ! validator ) {
549 rc = -ENOMEM;
550 goto err_alloc;
551 }
552 ref_init ( &validator->refcnt, validator_free );
553 intf_init ( &validator->job, &validator_job_desc,
554 &validator->refcnt );
555 intf_init ( &validator->xfer, &validator_xfer_desc,
556 &validator->refcnt );
557 process_init ( &validator->process, &validator_process_desc,
558 &validator->refcnt );
559 validator->chain = x509_chain_get ( chain );
560 xferbuf_malloc_init ( &validator->buffer );
561
562 /* Attach parent interface, mortalise self, and return */
563 intf_plug_plug ( &validator->job, job );
564 ref_put ( &validator->refcnt );
565 DBGC2 ( validator, "VALIDATOR %p validating X509 chain %p\n",
566 validator, validator->chain );
567 return 0;
568
569 validator_finished ( validator, rc );
570 ref_put ( &validator->refcnt );
571 err_alloc:
572 err_sanity:
573 return rc;
574 }