authortobhe <tobhe@openbsd.org>2020-09-23 14:25:54 +0000
committertobhe <tobhe@openbsd.org>2020-09-23 14:25:54 +0000
commitdacabe47db7bd1ca51b202c9517e6ad9f6283522 (patch)
tree851eddab4fc0d2cd61a719789a56321deaea4f32
parentZap code remnants of the "cool running mode" (removed in 2014) (diff)
downloadwireguard-openbsd-dacabe47db7bd1ca51b202c9517e6ad9f6283522.tar.xz
wireguard-openbsd-dacabe47db7bd1ca51b202c9517e6ad9f6283522.zip
Add new 'set cert_partial_chain' config option to allow verification of
partial certificate chains if a trusted intermediate CA is found in /etc/iked/ca/. ok patrick@
-rw-r--r--sbin/iked/ca.c7
-rw-r--r--sbin/iked/config.c24
-rw-r--r--sbin/iked/iked.c4
-rw-r--r--sbin/iked/iked.conf.57
-rw-r--r--sbin/iked/iked.h5
-rw-r--r--sbin/iked/ikev2.c4
-rw-r--r--sbin/iked/parse.y10
-rw-r--r--sbin/iked/types.h3
8 files changed, 55 insertions, 9 deletions
diff --git a/sbin/iked/ca.c b/sbin/iked/ca.c
index 0f1949a8e7d..c9d5c831402 100644
--- a/sbin/iked/ca.c
+++ b/sbin/iked/ca.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ca.c,v 1.70 2020/09/08 20:20:30 tobhe Exp $ */
+/* $OpenBSD: ca.c,v 1.71 2020/09/23 14:25:54 tobhe Exp $ */
/*
* Copyright (c) 2010-2013 Reyk Floeter <reyk@openbsd.org>
@@ -227,6 +227,9 @@ ca_dispatch_parent(int fd, struct privsep_proc *p, struct imsg *imsg)
case IMSG_PUBKEY:
config_getkey(env, imsg);
break;
+ case IMSG_CERT_PARTIAL_CHAIN:
+ config_getcertpartialchain(env, imsg);
+ break;
default:
return (-1);
}
@@ -1530,6 +1533,8 @@ ca_validate_cert(struct iked *env, struct iked_static_id *id,
X509_STORE_CTX_set_flags(&csc, X509_V_FLAG_CRL_CHECK);
X509_STORE_CTX_set_flags(&csc, X509_V_FLAG_CRL_CHECK_ALL);
}
+ if (env->sc_cert_partial_chain)
+ X509_STORE_CTX_set_flags(&csc, X509_V_FLAG_PARTIAL_CHAIN);
result = X509_verify_cert(&csc);
error = csc.error;
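Review bot: The new `if (env->sc_cert_partial_chain)` branch widens what counts as a trust anchor — with X509_V_FLAG_PARTIAL_CHAIN a chain that ends at any certificate loaded into the store, including a non-self-signed intermediate, verifies successfully — and that change of trust boundary deserves a comment at the point it is applied, e.g. `/* 'set cert_partial_chain': accept a chain that ends at any cert in the CA dir, not only a self-signed root */`. It is also worth stating in that comment (or in the man page) that the CRL flags set just above still apply to the shortened chain, so operators know revocation of the intermediate itself is only checked if its issuer's CRL is present; I am inferring that from the flag order, so please confirm. ca_validate_cert starts and ends outside the hunk.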
diff --git a/sbin/iked/config.c b/sbin/iked/config.c
index b834b8a5455..4a888b55b86 100644
--- a/sbin/iked/config.c
+++ b/sbin/iked/config.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: config.c,v 1.65 2020/08/26 14:49:48 tobhe Exp $ */
+/* $OpenBSD: config.c,v 1.66 2020/09/23 14:25:55 tobhe Exp $ */
/*
* Copyright (c) 2019 Tobias Heider <tobias.heider@stusta.de>
@@ -941,6 +941,28 @@ config_getocsp(struct iked *env, struct imsg *imsg)
}
int
+config_setcertpartialchain(struct iked *env)
+{
+ unsigned int boolval;
+
+ boolval = env->sc_cert_partial_chain;
+ proc_compose(&env->sc_ps, PROC_CERT, IMSG_CERT_PARTIAL_CHAIN,
+ &boolval, sizeof(boolval));
+ return (0);
+}
+
+int
+config_getcertpartialchain(struct iked *env, struct imsg *imsg)
+{
+ unsigned int boolval;
+
+ IMSG_SIZE_CHECK(imsg, &boolval);
+ memcpy(&boolval, imsg->data, sizeof(boolval));
+ env->sc_cert_partial_chain = boolval;
+ return (0);
+}
+
+int
config_setkeys(struct iked *env)
{
FILE *fp = NULL;
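Review bot: config_setcertpartialchain copies the `int` field sc_cert_partial_chain (declared `int` in iked.h in this same commit) into an `unsigned int boolval`, and config_getcertpartialchain assigns it straight back; it works because only 0/1 is stored, but normalising at both ends makes the wire value a genuine boolean and keeps the types honest: `boolval = env->sc_cert_partial_chain ? 1 : 0;` in the setter and `env->sc_cert_partial_chain = (boolval != 0);` in the getter. The return value of proc_compose() is discarded; if the sibling config_set*() helpers check it (not visible here), this one should too. Both functions lack a header comment; a one-liner such as `/* Ship the 'set cert_partial_chain' flag from the parent to the cert process; the getter is its receiving side */` would document the pair. The hunk ends inside config_setkeys, whose body continues outside it.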
diff --git a/sbin/iked/iked.c b/sbin/iked/iked.c
index 82db9f8c6da..4afd376253d 100644
--- a/sbin/iked/iked.c
+++ b/sbin/iked/iked.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: iked.c,v 1.47 2020/08/24 21:00:21 tobhe Exp $ */
+/* $OpenBSD: iked.c,v 1.48 2020/09/23 14:25:55 tobhe Exp $ */
/*
* Copyright (c) 2019 Tobias Heider <tobias.heider@stusta.de>
@@ -266,6 +266,7 @@ parent_configure(struct iked *env)
config_setstatic(env);
config_setcoupled(env, env->sc_decoupled ? 0 : 1);
config_setocsp(env);
+ config_setcertpartialchain(env);
/* Must be last */
config_setmode(env, env->sc_passive ? 1 : 0);
@@ -298,6 +299,7 @@ parent_reload(struct iked *env, int reset, const char *filename)
config_setstatic(env);
config_setcoupled(env, env->sc_decoupled ? 0 : 1);
config_setocsp(env);
+ config_setcertpartialchain(env);
/* Must be last */
config_setmode(env, env->sc_passive ? 1 : 0);
} else {
diff --git a/sbin/iked/iked.conf.5 b/sbin/iked/iked.conf.5
index 231c4f87e1a..bf109c8de41 100644
--- a/sbin/iked/iked.conf.5
+++ b/sbin/iked/iked.conf.5
@@ -1,4 +1,4 @@
-.\" $OpenBSD: iked.conf.5,v 1.77 2020/08/26 14:49:48 tobhe Exp $
+.\" $OpenBSD: iked.conf.5,v 1.78 2020/09/23 14:25:55 tobhe Exp $
.\"
.\" Copyright (c) 2010 - 2014 Reyk Floeter <reyk@openbsd.org>
.\" Copyright (c) 2004 Mathieu Sauve-Frankel All rights reserved.
@@ -15,7 +15,7 @@
.\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
.\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
.\"
-.Dd $Mdocdate: August 26 2020 $
+.Dd $Mdocdate: September 23 2020 $
.Dt IKED.CONF 5
.Os
.Sh NAME
@@ -179,6 +179,9 @@ Currently
only supports MOBIKE when acting as a responder.
.It Ic set nomobike
Disables MOBIKE support.
+.It Ic set cert_partial_chain
+Allow partial certificate chain if at least one certificate is a trusted CA from
+.Pa /etc/iked/ca/ .
.It Ic set ocsp Ar URL Op Ic tolerate Ar time Op Ic maxage Ar time
Enable OCSP and set the fallback URL of the OCSP responder.
This fallback will be used if the trusted CA from
diff --git a/sbin/iked/iked.h b/sbin/iked/iked.h
index 496d80c6e74..4f9d44b4480 100644
--- a/sbin/iked/iked.h
+++ b/sbin/iked/iked.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: iked.h,v 1.165 2020/09/16 21:37:35 tobhe Exp $ */
+/* $OpenBSD: iked.h,v 1.166 2020/09/23 14:25:55 tobhe Exp $ */
/*
* Copyright (c) 2019 Tobias Heider <tobias.heider@stusta.de>
@@ -756,6 +756,7 @@ struct iked {
struct iked_addrpool sc_addrpool;
struct iked_addrpool6 sc_addrpool6;
+ int sc_cert_partial_chain;
};
struct iked_socket {
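Review bot: The new `int sc_cert_partial_chain;` member is undocumented, unlike its effect on certificate validation suggests it should be; a trailing comment such as `/* 'set cert_partial_chain': trust any cert in the CA dir as chain end */` tells a reader of struct iked what the flag relaxes without chasing ca.c. The enclosing struct iked begins outside the hunk.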
@@ -826,6 +827,8 @@ int config_setkeys(struct iked *);
int config_getkey(struct iked *, struct imsg *);
int config_setstatic(struct iked *);
int config_getstatic(struct iked *, struct imsg *);
+int config_setcertpartialchain(struct iked *);
+int config_getcertpartialchain(struct iked *, struct imsg *);
/* policy.c */
void policy_init(struct iked *);
diff --git a/sbin/iked/ikev2.c b/sbin/iked/ikev2.c
index 7e001b16921..da95868ad10 100644
--- a/sbin/iked/ikev2.c
+++ b/sbin/iked/ikev2.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ikev2.c,v 1.259 2020/09/17 13:22:14 tobhe Exp $ */
+/* $OpenBSD: ikev2.c,v 1.260 2020/09/23 14:25:55 tobhe Exp $ */
/*
* Copyright (c) 2019 Tobias Heider <tobias.heider@stusta.de>
@@ -256,6 +256,8 @@ ikev2_dispatch_parent(int fd, struct privsep_proc *p, struct imsg *imsg)
return (config_getcompile(env));
case IMSG_CTL_STATIC:
return (config_getstatic(env, imsg));
+ case IMSG_CERT_PARTIAL_CHAIN:
+ return(config_getcertpartialchain(env, imsg));
default:
break;
}
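Review bot: The IMSG_CERT_PARTIAL_CHAIN case added to ikev2_dispatch_parent looks unreachable as far as this diff shows: config_setcertpartialchain in config.c composes the message to PROC_CERT only, and nothing in the IKEv2 process reads sc_cert_partial_chain in this commit. Either the parent should also send the value to the IKEv2 process, or the case should be dropped (or carry a comment naming the future consumer) so a maintainer does not assume the flag is synchronised there. Separately, `return(config_getcertpartialchain(env, imsg));` should match the surrounding style: `return (config_getcertpartialchain(env, imsg));`. ikev2_dispatch_parent starts and ends outside the hunk.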
diff --git a/sbin/iked/parse.y b/sbin/iked/parse.y
index d7f1d470b90..45f2e5eb45b 100644
--- a/sbin/iked/parse.y
+++ b/sbin/iked/parse.y
@@ -1,4 +1,4 @@
-/* $OpenBSD: parse.y,v 1.113 2020/09/19 20:12:11 tobhe Exp $ */
+/* $OpenBSD: parse.y,v 1.114 2020/09/23 14:25:55 tobhe Exp $ */
/*
* Copyright (c) 2019 Tobias Heider <tobias.heider@stusta.de>
@@ -105,6 +105,7 @@ static int dpd_interval = IKED_IKE_SA_ALIVE_TIMEOUT;
static char *ocsp_url = NULL;
static long ocsp_tolerate = 0;
static long ocsp_maxage = -1;
+static int cert_partial_chain = 0;
struct ipsec_xf {
const char *name;
@@ -454,6 +455,7 @@ typedef struct {
%token FRAGMENTATION NOFRAGMENTATION DPD_CHECK_INTERVAL
%token ENFORCESINGLEIKESA NOENFORCESINGLEIKESA
%token TOLERATE MAXAGE
+%token CERTPARTIALCHAIN
%token <v.string> STRING
%token <v.number> NUMBER
%type <v.string> string
@@ -542,6 +544,9 @@ set : SET ACTIVE { passive = 0; }
ocsp_tolerate = $5;
ocsp_maxage = $7;
}
+ | SET CERTPARTIALCHAIN {
+ cert_partial_chain = 1;
+ }
| SET DPD_CHECK_INTERVAL NUMBER {
if ($3 < 0) {
yyerror("timeout outside range");
@@ -1303,6 +1308,7 @@ lookup(char *s)
{ "any", ANY },
{ "auth", AUTHXF },
{ "bytes", BYTES },
+ { "cert_partial_chain", CERTPARTIALCHAIN },
{ "childsa", CHILDSA },
{ "config", CONFIG },
{ "couple", COUPLE },
@@ -1738,6 +1744,7 @@ parse_config(const char *filename, struct iked *x_env)
mobike = 1;
enforcesingleikesa = 0;
+ cert_partial_chain = decouple = passive = 0;
ocsp_tolerate = 0;
ocsp_url = NULL;
ocsp_maxage = -1;
@@ -1762,6 +1769,7 @@ parse_config(const char *filename, struct iked *x_env)
env->sc_ocsp_url = ocsp_url;
env->sc_ocsp_tolerate = ocsp_tolerate;
env->sc_ocsp_maxage = ocsp_maxage;
+ env->sc_cert_partial_chain = cert_partial_chain;
if (!rules)
log_warnx("%s: no valid configuration rules found",
diff --git a/sbin/iked/types.h b/sbin/iked/types.h
index 67d173e5252..56970db6894 100644
--- a/sbin/iked/types.h
+++ b/sbin/iked/types.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: types.h,v 1.39 2020/08/24 21:00:21 tobhe Exp $ */
+/* $OpenBSD: types.h,v 1.40 2020/09/23 14:25:55 tobhe Exp $ */
/*
* Copyright (c) 2019 Tobias Heider <tobias.heider@stusta.de>
@@ -113,6 +113,7 @@ enum imsg_type {
IMSG_CERT,
IMSG_CERTVALID,
IMSG_CERTINVALID,
+ IMSG_CERT_PARTIAL_CHAIN,
IMSG_OCSP_FD,
IMSG_OCSP_CFG,
IMSG_AUTH,