narenas
/
opengnsys_ipxe
mirror of https://github.com/ipxe/ipxe.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

[crypto] Do not allow build-time cryptography settings to be overridden 

If a root certificate has been explicitly specified at build time
using TRUST=/path/to/cert then do not allow this to be overridden even
from a trustworthy settings source (such as VMware GuestInfo).

Similarly, if a client certificate (and private key) has been
explicitly specified at build time, then do not allow it to be
overridden at runtime.

Signed-off-by: Michael Brown <mcb30@ipxe.org>
pull/6/head
Michael Brown 2012-04-24 16:10:22 +01:00
parent 63d9cc28b9
commit bd16deaa87
2 changed files with 99 additions and 61 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

93
src/crypto/clientcert.c
View File

@ -47,6 +47,13 @@ FILE_LICENCE ( GPL2_OR_LATER );
#warning "Attempting to embed private key with no corresponding certificate" #warning "Attempting to embed private key with no corresponding certificate"
#endif #endif
/* Allow client certificates to be overridden if not explicitly specified */
#ifdef CERTIFICATE
#define ALLOW_CERT_OVERRIDE 0
#else
#define ALLOW_CERT_OVERRIDE 1
#endif
/* Raw client certificate data */ /* Raw client certificate data */
extern char client_certificate_data[]; extern char client_certificate_data[];
extern char client_certificate_len[]; extern char client_certificate_len[];
@ -72,13 +79,19 @@ __asm__ ( ".section \".rodata\", \"a\", @progbits\n\t"
".previous\n\t" ); ".previous\n\t" );
/** Client certificate */ /** Client certificate */
struct client_certificate client_certificate; struct client_certificate client_certificate = {
.data = client_certificate_data,
.len = ( ( size_t ) client_certificate_len ),
};
/** Client private key */ /** Client private key */
struct client_private_key client_private_key; struct client_private_key client_private_key = {
.data = client_private_key_data,
.len = ( ( size_t ) client_private_key_len ),
};
/** Client certificate setting */ /** Client certificate setting */
struct setting cert_setting __setting ( SETTING_CRYPTO ) = { static struct setting cert_setting __setting ( SETTING_CRYPTO ) = {
.name = "cert", .name = "cert",
.description = "Client certificate", .description = "Client certificate",
.tag = DHCP_EB_CERT, .tag = DHCP_EB_CERT,
@ -86,7 +99,7 @@ struct setting cert_setting __setting ( SETTING_CRYPTO ) = {
}; };
/** Client private key setting */ /** Client private key setting */
struct setting key_setting __setting ( SETTING_CRYPTO ) = { static struct setting key_setting __setting ( SETTING_CRYPTO ) = {
.name = "key", .name = "key",
.description = "Client private key", .description = "Client private key",
.tag = DHCP_EB_KEY, .tag = DHCP_EB_KEY,
@ -99,45 +112,51 @@ struct setting key_setting __setting ( SETTING_CRYPTO ) = {
* @ret rc Return status code * @ret rc Return status code
*/ */
static int clientcert_apply_settings ( void ) { static int clientcert_apply_settings ( void ) {
static void *cert; static void *cert = NULL;
static void *key; static void *key = NULL;
int len; int len;
int rc; int rc;
/* Restore default client certificate */ /* Allow client certificate to be overridden only if
client_certificate.data = client_certificate_data; * not explicitly specified at build time.
client_certificate.len = ( ( size_t ) client_certificate_len ); */
if ( ALLOW_CERT_OVERRIDE ) {
/* Fetch new client certificate, if any */ /* Restore default client certificate */
free ( cert ); client_certificate.data = client_certificate_data;
len = fetch_setting_copy ( NULL, &cert_setting, &cert ); client_certificate.len = ( ( size_t ) client_certificate_len );
if ( len < 0 ) {
rc = len;
DBGC ( &client_certificate, "CLIENTCERT cannot fetch client "
"certificate: %s\n", strerror ( rc ) );
return rc;
}
if ( cert ) {
client_certificate.data = cert;
client_certificate.len = len;
}
/* Restore default client private key */ /* Fetch new client certificate, if any */
client_private_key.data = client_private_key_data; free ( cert );
client_private_key.len = ( ( size_t ) client_private_key_len ); len = fetch_setting_copy ( NULL, &cert_setting, &cert );
if ( len < 0 ) {
rc = len;
DBGC ( &client_certificate, "CLIENTCERT cannot fetch "
"client certificate: %s\n", strerror ( rc ) );
return rc;
}
if ( cert ) {
client_certificate.data = cert;
client_certificate.len = len;
}
/* Fetch new client private key, if any */ /* Restore default client private key */
free ( key ); client_private_key.data = client_private_key_data;
len = fetch_setting_copy ( NULL, &key_setting, &key ); client_private_key.len = ( ( size_t ) client_private_key_len );
if ( len < 0 ) {
rc = len; /* Fetch new client private key, if any */
DBGC ( &client_certificate, "CLIENTCERT cannot fetch client " free ( key );
"private key: %s\n", strerror ( rc ) ); len = fetch_setting_copy ( NULL, &key_setting, &key );
return rc; if ( len < 0 ) {
} rc = len;
if ( key ) { DBGC ( &client_certificate, "CLIENTCERT cannot fetch "
client_private_key.data = key; "client private key: %s\n", strerror ( rc ) );
client_private_key.len = len; return rc;
}
if ( key ) {
client_private_key.data = key;
client_private_key.len = len;
}
} }
/* Debug */ /* Debug */

67
src/crypto/rootcert.c
View File

@ -36,6 +36,13 @@ FILE_LICENCE ( GPL2_OR_LATER );
/** Length of a root certificate fingerprint */ /** Length of a root certificate fingerprint */
#define FINGERPRINT_LEN SHA256_DIGEST_SIZE #define FINGERPRINT_LEN SHA256_DIGEST_SIZE
/* Allow trusted certificates to be overridden if not explicitly specified */
#ifdef TRUSTED
#define ALLOW_TRUST_OVERRIDE 0
#else
#define ALLOW_TRUST_OVERRIDE 1
#endif
/* Use iPXE root CA if no trusted certificates are explicitly specified */ /* Use iPXE root CA if no trusted certificates are explicitly specified */
#ifndef TRUSTED #ifndef TRUSTED
#define TRUSTED \ #define TRUSTED \
@ -50,9 +57,9 @@ FILE_LICENCE ( GPL2_OR_LATER );
static const uint8_t fingerprints[] = { TRUSTED }; static const uint8_t fingerprints[] = { TRUSTED };
/** Root certificate fingerprint setting */ /** Root certificate fingerprint setting */
struct setting trust_setting __setting ( SETTING_CRYPTO ) = { static struct setting trust_setting __setting ( SETTING_CRYPTO ) = {
.name = "trust", .name = "trust",
.description = "Trusted root certificate fingerprint", .description = "Trusted root certificate fingerprints",
.tag = DHCP_EB_TRUST, .tag = DHCP_EB_TRUST,
.type = &setting_type_hex, .type = &setting_type_hex,
}; };
@ -67,38 +74,50 @@ struct x509_root root_certificates = {
/** /**
* Initialise root certificate * Initialise root certificate
* *
* We allow the list of trusted root certificate fingerprints to be * The list of trusted root certificates can be specified at build
* overridden using the "trust" setting, but only at the point of iPXE * time using the TRUST= build parameter. If no certificates are
* specified, then the default iPXE root CA certificate is trusted.
*
* If no certificates were explicitly specified, then we allow the
* list of trusted root certificate fingerprints to be overridden
* using the "trust" setting, but only at the point of iPXE
* initialisation. This prevents untrusted sources of settings * initialisation. This prevents untrusted sources of settings
* (e.g. DHCP) from subverting the chain of trust, while allowing * (e.g. DHCP) from subverting the chain of trust, while allowing
* trustworthy sources (e.g. VMware GuestInfo or non-volatile stored * trustworthy sources (e.g. VMware GuestInfo or non-volatile stored
* options) to change the trusted root certificate without requiring a * options) to specify the trusted root certificate without requiring
* rebuild. * a rebuild.
*/ */
static void rootcert_init ( void ) { static void rootcert_init ( void ) {
void *external; void *external = NULL;
int len; int len;
int rc; int rc;
/* Fetch copy of "trust" setting, if it exists. This memory /* Allow trusted root certificates to be overridden only if
* will never be freed. * not explicitly specified at build time.
*/ */
len = fetch_setting_copy ( NULL, &trust_setting, &external ); if ( ALLOW_TRUST_OVERRIDE ) {
if ( len < 0 ) {
rc = len;
DBGC ( &root_certificates, "ROOTCERT cannot fetch trusted "
"root certificate fingerprints: %s\n", strerror ( rc ) );
/* No way to prevent startup; fail safe by trusting no
* certificates.
*/
root_certificates.count = 0;
return;
}
/* Use certificates from "trust" setting, if present */ /* Fetch copy of "trust" setting, if it exists. This
if ( external ) { * memory will never be freed.
root_certificates.fingerprints = external; */
root_certificates.count = ( len / FINGERPRINT_LEN ); len = fetch_setting_copy ( NULL, &trust_setting, &external );
if ( len < 0 ) {
rc = len;
DBGC ( &root_certificates, "ROOTCERT cannot fetch "
"trusted root certificate fingerprints: %s\n",
strerror ( rc ) );
/* No way to prevent startup; fail safe by
* trusting no certificates.
*/
root_certificates.count = 0;
return;
}
/* Use certificates from "trust" setting, if present */
if ( external ) {
root_certificates.fingerprints = external;
root_certificates.count = ( len / FINGERPRINT_LEN );
}
} }
DBGC ( &root_certificates, "ROOTCERT using %d %s certificate(s):\n", DBGC ( &root_certificates, "ROOTCERT using %d %s certificate(s):\n",