author | tobhe <tobhe@cvs.openbsd.org> | 2020-08-18 21:02:50 +0000 |
---|---|---|
committer | tobhe <tobhe@cvs.openbsd.org> | 2020-08-18 21:02:50 +0000 |
commit | af5d7b6b36abeeddc857571ceedf89702d59712d (patch) | |
tree | d07f53f5277bcfe2403018031331f08d16faab90 /sbin | |
parent | 557c3b146818b6bbb96428438e6534955f27c3f8 (diff) |
Add optional time-stamp validation for ocsp. The new optional 'tolerate'
parameter specifies how many seconds leeway are allowed in the check.
The optional maxage parameter indicates the allowed maximum age of
the `thisUpdate' OCSP attribute value.
ok patrick@
Diffstat (limited to 'sbin')
-rw-r--r-- | sbin/iked/ca.c | 4 | ||||
-rw-r--r-- | sbin/iked/config.c | 54 | ||||
-rw-r--r-- | sbin/iked/iked.conf.5 | 23 | ||||
-rw-r--r-- | sbin/iked/iked.h | 4 | ||||
-rw-r--r-- | sbin/iked/ocsp.c | 25 | ||||
-rw-r--r-- | sbin/iked/parse.y | 27 | ||||
-rw-r--r-- | sbin/iked/types.h | 4 |
7 files changed, 113 insertions, 28 deletions
diff --git a/sbin/iked/ca.c b/sbin/iked/ca.c index 1a92249094d..007420b8a69 100644 --- a/sbin/iked/ca.c +++ b/sbin/iked/ca.c @@ -1,4 +1,4 @@ -/* $OpenBSD: ca.c,v 1.67 2020/08/16 09:09:16 tobhe Exp $ */ +/* $OpenBSD: ca.c,v 1.68 2020/08/18 21:02:49 tobhe Exp $ */ /* * Copyright (c) 2010-2013 Reyk Floeter <reyk@openbsd.org> @@ -220,7 +220,7 @@ ca_dispatch_parent(int fd, struct privsep_proc *p, struct imsg *imsg) case IMSG_OCSP_FD: ocsp_receive_fd(env, imsg); break; - case IMSG_OCSP_URL: + case IMSG_OCSP_CFG: config_getocsp(env, imsg); break; case IMSG_PRIVKEY: diff --git a/sbin/iked/config.c b/sbin/iked/config.c index dd37b90dcef..918b1d2f7e6 100644 --- a/sbin/iked/config.c +++ b/sbin/iked/config.c @@ -1,4 +1,4 @@ -/* $OpenBSD: config.c,v 1.60 2020/08/16 09:09:17 tobhe Exp $ */ +/* $OpenBSD: config.c,v 1.61 2020/08/18 21:02:49 tobhe Exp $ */ /* * Copyright (c) 2019 Tobias Heider <tobias.heider@stusta.de> 
@@ -904,25 +904,61 @@ config_getfragmentation(struct iked *env, struct imsg *imsg) int config_setocsp(struct iked *env) { + struct iovec iov[3]; + int iovcnt = 0; + if (env->sc_opts & IKED_OPT_NOACTION) return (0); - proc_compose(&env->sc_ps, PROC_CERT, - IMSG_OCSP_URL, env->sc_ocsp_url, - env->sc_ocsp_url ? strlen(env->sc_ocsp_url) : 0); - return (0); + iov[0].iov_base = &env->sc_ocsp_tolerate; + iov[0].iov_len = sizeof(env->sc_ocsp_tolerate); + iovcnt++; + iov[1].iov_base = &env->sc_ocsp_maxage; + iov[1].iov_len = sizeof(env->sc_ocsp_maxage); + iovcnt++; + if (env->sc_ocsp_url) { + iov[2].iov_base = env->sc_ocsp_url; + iov[2].iov_len = strlen(env->sc_ocsp_url); + iovcnt++; + } + return (proc_composev(&env->sc_ps, PROC_CERT, IMSG_OCSP_CFG, + iov, iovcnt)); } int config_getocsp(struct iked *env, struct imsg *imsg) { + size_t have, need; + u_int8_t *ptr; + free(env->sc_ocsp_url); - if (IMSG_DATA_SIZE(imsg) > 0) - env->sc_ocsp_url = get_string(imsg->data, IMSG_DATA_SIZE(imsg)); + ptr = (u_int8_t *)imsg->data; + have = IMSG_DATA_SIZE(imsg); + + /* get tolerate */ + need = sizeof(env->sc_ocsp_tolerate); + if (have < need) + fatalx("bad 'tolerate' length imsg received"); + memcpy(&env->sc_ocsp_tolerate, ptr, need); + ptr += need; + have -= need; + + /* get maxage */ + need = sizeof(env->sc_ocsp_maxage); + if (have < need) + fatalx("bad 'maxage' length imsg received"); + memcpy(&env->sc_ocsp_maxage, ptr, need); + ptr += need; + have -= need; + + /* get url */ + if (have > 0) + env->sc_ocsp_url = get_string(ptr, have); else env->sc_ocsp_url = NULL; - log_debug("%s: ocsp_url %s", __func__, - env->sc_ocsp_url ? env->sc_ocsp_url : "none"); + log_debug("%s: ocsp_url %s tolerate %ld maxage %ld", __func__, + env->sc_ocsp_url ? env->sc_ocsp_url : "none", + env->sc_ocsp_tolerate, env->sc_ocsp_maxage); return (0); } diff --git a/sbin/iked/iked.conf.5 b/sbin/iked/iked.conf.5 index 87c22d30c20..2e910d710a1 100644 --- a/sbin/iked/iked.conf.5 +++ b/sbin/iked/iked.conf.5 
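Review bot: In config_setocsp the entries are written at the hard-coded indices `iov[0]`, `iov[1]` and `iov[2]` while `iovcnt` is incremented alongside, so the counter and the index can silently drift apart if an entry is later added or made conditional; index with the counter instead, `iov[iovcnt].iov_base = &env->sc_ocsp_tolerate; iov[iovcnt].iov_len = sizeof(env->sc_ocsp_tolerate); iovcnt++;` and likewise for the other two entries. The wire layout that config_getocsp depends on (two raw longs followed by the URL bytes without a terminator) is only implicit in the two bodies, so a comment above config_setocsp such as `/* IMSG_OCSP_CFG payload: sc_ocsp_tolerate, sc_ocsp_maxage as raw longs, then the URL bytes without NUL; config_getocsp() consumes it in the same order. */` keeps the two sides in sync. On the receiving side the `have < need` checks make a short message fatal, which is the right fail-closed choice for a privsep message, and a message carrying only the two longs leaves sc_ocsp_url NULL, matching the sender omitting the URL entry.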
@@ -1,4 +1,4 @@ -.\" $OpenBSD: iked.conf.5,v 1.72 2020/07/21 12:33:02 kn Exp $ +.\" $OpenBSD: iked.conf.5,v 1.73 2020/08/18 21:02:49 tobhe Exp $ .\" .\" Copyright (c) 2010 - 2014 Reyk Floeter <reyk@openbsd.org> .\" Copyright (c) 2004 Mathieu Sauve-Frankel All rights reserved. @@ -15,7 +15,7 @@ .\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF .\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. .\" -.Dd $Mdocdate: July 21 2020 $ +.Dd $Mdocdate: August 18 2020 $ .Dt IKED.CONF 5 .Os .Sh NAME @@ -163,13 +163,30 @@ Currently only supports MOBIKE when acting as a responder. .It Ic set nomobike Disables MOBIKE support. -.It Ic set ocsp Ar URL +.It Ic set ocsp Ar URL Op Ic tolerate Ar time Op Ic maxage Ar time Enable OCSP and set the URL of the OCSP responder. Please note that the matching responder and issuer certificates have to be placed in .Pa /etc/iked/ocsp/responder.crt and .Pa /etc/iked/ocsp/issuer.crt . +.Pp +The optional +.Ic tolerate +parameter specifies how much the OCSP reponse attribute +.Sq thisUpdate +may be in the future and how much +.Sq nextUpdate +may be in the past, with respect to the local time. +The optional +.Ic maxage +parameter specifies how much +.Sq thisUpdate +may be in the past. +If +.Ic tolerate +is set to 0 then the times are not verified at all. +This is the default setting. .It Ic user Ar name password .Xr iked 8 supports user-based authentication by tunneling the Extensible diff --git a/sbin/iked/iked.h b/sbin/iked/iked.h index 19a09900ff1..5f9f73f7655 100644 --- a/sbin/iked/iked.h +++ b/sbin/iked/iked.h @@ -1,4 +1,4 @@ -/* $OpenBSD: iked.h,v 1.156 2020/08/16 09:09:17 tobhe Exp $ */ +/* $OpenBSD: iked.h,v 1.157 2020/08/18 21:02:49 tobhe Exp $ */ /* * Copyright (c) 2019 Tobias Heider <tobias.heider@stusta.de> 
@@ -713,6 +713,8 @@ struct iked { struct iked_ocsp_requests sc_ocsp; char *sc_ocsp_url; + long sc_ocsp_tolerate; + long sc_ocsp_maxage; struct iked_addrpool sc_addrpool; struct iked_addrpool6 sc_addrpool6; diff --git a/sbin/iked/ocsp.c b/sbin/iked/ocsp.c index f4ab20c99f3..b5eff9eaa0d 100644 --- a/sbin/iked/ocsp.c +++ b/sbin/iked/ocsp.c @@ -1,4 +1,4 @@ -/* $OpenBSD: ocsp.c,v 1.11 2020/08/17 16:49:28 tobhe Exp $ */ +/* $OpenBSD: ocsp.c,v 1.12 2020/08/18 21:02:49 tobhe Exp $ */ /* * Copyright (c) 2014 Markus Friedl @@ -416,14 +416,13 @@ ocsp_callback(int fd, short event, void *arg) void ocsp_parse_response(struct iked_ocsp *ocsp, OCSP_RESPONSE *resp) { - int status; - X509_STORE *store = NULL; - STACK_OF(X509) *verify_other = NULL; - OCSP_BASICRESP *bs = NULL; - int verify_flags = 0; - ASN1_GENERALIZEDTIME *rev, *thisupd, *nextupd; - int reason = 0; - int error = 1; + struct iked *env = ocsp->ocsp_env; + X509_STORE *store = NULL; + STACK_OF(X509) *verify_other = NULL; + OCSP_BASICRESP *bs = NULL; + ASN1_GENERALIZEDTIME *rev, *thisupd, *nextupd; + int reason = 0, error = 1, verify_flags = 0; + int status; if (!resp) { log_warnx("%s: error querying OCSP responder", __func__); @@ -475,8 +474,14 @@ ocsp_parse_response(struct iked_ocsp *ocsp, OCSP_RESPONSE *resp) log_warnx("%s: no status found", __func__); goto done; } + if (env->sc_ocsp_tolerate && + !OCSP_check_validity(thisupd, nextupd, env->sc_ocsp_tolerate, + env->sc_ocsp_maxage)) { + log_warnx("%s: status times invalid", __func__); + ca_sslerror(__func__); + goto done; + } log_debug("%s: status: %s", __func__, OCSP_cert_status_str(status)); - if (status == V_OCSP_CERTSTATUS_GOOD) error = 0; diff --git a/sbin/iked/parse.y b/sbin/iked/parse.y index 89530bea216..4c12cdbda2c 100644 --- a/sbin/iked/parse.y +++ b/sbin/iked/parse.y 
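Review bot: The two new struct iked fields carry policy values with sentinel meanings but no comment, so a reader of iked.h cannot tell that 0 and -1 are special; document them inline, `long sc_ocsp_tolerate; /* seconds of skew allowed on OCSP thisUpdate/nextUpdate; 0 disables the time check */` and `long sc_ocsp_maxage; /* max age in seconds of thisUpdate; -1 (parser default) means no limit */`. The 0-disables behaviour is what the ocsp.c hunk of this commit implements and the -1 default comes from parse.y; the no-limit meaning of a negative maxage is OCSP_check_validity()'s, so it is worth confirming against the LibreSSL version in use. The struct iked definition continues outside the hunk.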
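Review bot: The new validity check in ocsp_parse_response is guarded by `env->sc_ocsp_tolerate` alone, so with the default of 0 a response's thisUpdate/nextUpdate is never compared against local time and an old but correctly signed response is accepted; that is the documented default, but nothing in the code says the check is opt-in, so a comment at the guard would help, `/* tolerate == 0 (the default) skips the time check entirely; maxage is only honoured when tolerate is set */`. When OCSP_check_validity() rejects the times, `status times invalid` is logged without the values involved; including the configured bounds, `log_warnx("%s: status times invalid (tolerate %ld maxage %ld)", __func__, env->sc_ocsp_tolerate, env->sc_ocsp_maxage);`, makes clock-skew failures in the field diagnosable. ocsp_parse_response continues outside the hunk.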
@@ -1,4 +1,4 @@ -/* $OpenBSD: parse.y,v 1.105 2020/08/14 16:09:32 tobhe Exp $ */ +/* $OpenBSD: parse.y,v 1.106 2020/08/18 21:02:49 tobhe Exp $ */ /* * Copyright (c) 2019 Tobias Heider <tobias.heider@stusta.de> @@ -100,6 +100,8 @@ static int decouple = 0; static int mobike = 1; static int fragmentation = 0; static char *ocsp_url = NULL; +static long ocsp_tolerate = 0; +static long ocsp_maxage = -1; struct ipsec_xf { const char *name; @@ -441,6 +443,7 @@ typedef struct { %token INCLUDE LIFETIME BYTES INET INET6 QUICK SKIP DEFAULT %token IPCOMP OCSP IKELIFETIME MOBIKE NOMOBIKE RDOMAIN %token FRAGMENTATION NOFRAGMENTATION +%token TOLERATE MAXAGE %token <v.string> STRING %token <v.number> NUMBER %type <v.string> string @@ -512,6 +515,21 @@ set : SET ACTIVE { passive = 0; } YYERROR; } } + | SET OCSP STRING TOLERATE time_spec { + if ((ocsp_url = strdup($3)) == NULL) { + yyerror("cannot set ocsp_url"); + YYERROR; + } + ocsp_tolerate = $5; + } + | SET OCSP STRING TOLERATE time_spec MAXAGE time_spec { + if ((ocsp_url = strdup($3)) == NULL) { + yyerror("cannot set ocsp_url"); + YYERROR; + } + ocsp_tolerate = $5; + ocsp_maxage = $7; + } ; user : USER STRING STRING { @@ -1291,6 +1309,7 @@ lookup(char *s) { "ipcomp", IPCOMP }, { "lifetime", LIFETIME }, { "local", LOCAL }, + { "maxage", MAXAGE }, { "mobike", MOBIKE }, { "name", NAME }, { "noesn", NOESN }, @@ -1313,6 +1332,7 @@ lookup(char *s) { "tap", TAP }, { "tcpmd5", TCPMD5 }, { "to", TO }, + { "tolerate", TOLERATE }, { "transport", TRANSPORT }, { "tunnel", TUNNEL }, { "user", USER } @@ -1695,6 +1715,9 @@ parse_config(const char *filename, struct iked *x_env) free(ocsp_url); mobike = 1; + ocsp_tolerate = 0; + ocsp_url = NULL; + ocsp_maxage = -1; fragmentation = 0; decouple = passive = 0; ocsp_url = NULL; 
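Review bot: The two new `SET OCSP STRING TOLERATE …` alternatives repeat the strdup/yyerror block of the existing `SET OCSP STRING` rule, which lies above this hunk, so the URL handling now lives in three places, and each assigns `ocsp_url` without releasing a value set by an earlier `set ocsp` line, leaking the earlier string; the existing rule presumably behaves the same, so this is inherited rather than new. Folding the optional arguments into a separate nonterminal leaves a single place that sets the URL and a single place for the `free(ocsp_url)` before the strdup; the rewrite below also replaces the existing alternative above the hunk. Whether `$3` itself must be freed after the strdup depends on how the lexer hands out STRING, which the hunk does not show.
```yacc
		| SET OCSP STRING ocsp_opts	{
			free(ocsp_url);
			if ((ocsp_url = strdup($3)) == NULL) {
				yyerror("cannot set ocsp_url");
				YYERROR;
			}
		}
		;

ocsp_opts	: /* empty */
		| TOLERATE time_spec		{
			ocsp_tolerate = $2;
		}
		| TOLERATE time_spec MAXAGE time_spec	{
			ocsp_tolerate = $2;
			ocsp_maxage = $4;
		}
		;
```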
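Review bot: The added `ocsp_url = NULL;` in the reset block of parse_config duplicates the `ocsp_url = NULL;` that already follows `decouple = passive = 0;` a few lines below, so one of the two should go; keeping the existing one and adding only `ocsp_tolerate = 0;` and `ocsp_maxage = -1;` is the smaller change. Grouping the three ocsp resets next to each other would also make it easy to see that they match the file-scope initialisers added in the globals hunk. parse_config continues outside the hunk.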
@@ -1711,6 +1734,8 @@ parse_config(const char *filename, struct iked *x_env) env->sc_mobike = mobike; env->sc_frag = fragmentation; env->sc_ocsp_url = ocsp_url; + env->sc_ocsp_tolerate = ocsp_tolerate; + env->sc_ocsp_maxage = ocsp_maxage; if (!rules) log_warnx("%s: no valid configuration rules found", diff --git a/sbin/iked/types.h b/sbin/iked/types.h index 1276cea808b..0256ada0d6a 100644 --- a/sbin/iked/types.h +++ b/sbin/iked/types.h @@ -1,4 +1,4 @@ -/* $OpenBSD: types.h,v 1.35 2020/04/09 19:55:20 tobhe Exp $ */ +/* $OpenBSD: types.h,v 1.36 2020/08/18 21:02:49 tobhe Exp $ */ /* * Copyright (c) 2019 Tobias Heider <tobias.heider@stusta.de> @@ -117,7 +117,7 @@ enum imsg_type { IMSG_CERTVALID, IMSG_CERTINVALID, IMSG_OCSP_FD, - IMSG_OCSP_URL, + IMSG_OCSP_CFG, IMSG_AUTH, IMSG_PRIVKEY, IMSG_PUBKEY |