1 /*
2 * TLSv1 client - OCSP
3 * Copyright (c) 2015, Jouni Malinen <j@w1.fi>
4 *
5 * This software may be distributed under the terms of the BSD license.
6 * See README for more details.
7 */
8
9 #include "includes.h"
10
11 #include "common.h"
12 #include "crypto/tls.h"
13 #include "crypto/sha1.h"
14 #include "asn1.h"
15 #include "x509v3.h"
16 #include "tlsv1_common.h"
17 #include "tlsv1_record.h"
18 #include "tlsv1_client.h"
19 #include "tlsv1_client_i.h"
20
21
22 /* RFC 6960, 4.2.1: OCSPResponseStatus ::= ENUMERATED */
23 enum ocsp_response_status {
24 OCSP_RESP_STATUS_SUCCESSFUL = 0,
25 OCSP_RESP_STATUS_MALFORMED_REQ = 1,
26 OCSP_RESP_STATUS_INT_ERROR = 2,
27 OCSP_RESP_STATUS_TRY_LATER = 3,
28 /* 4 not used */
29 OCSP_RESP_STATUS_SIG_REQUIRED = 5,
30 OCSP_RESP_STATUS_UNAUTHORIZED = 6,
31 };
32
33
is_oid_basic_ocsp_resp(struct asn1_oid * oid)34 static int is_oid_basic_ocsp_resp(struct asn1_oid *oid)
35 {
36 return oid->len == 10 &&
37 oid->oid[0] == 1 /* iso */ &&
38 oid->oid[1] == 3 /* identified-organization */ &&
39 oid->oid[2] == 6 /* dod */ &&
40 oid->oid[3] == 1 /* internet */ &&
41 oid->oid[4] == 5 /* security */ &&
42 oid->oid[5] == 5 /* mechanisms */ &&
43 oid->oid[6] == 7 /* id-pkix */ &&
44 oid->oid[7] == 48 /* id-ad */ &&
45 oid->oid[8] == 1 /* id-pkix-ocsp */ &&
46 oid->oid[9] == 1 /* id-pkix-ocsp-basic */;
47 }
48
49
ocsp_responder_id_match(struct x509_certificate * signer,struct x509_name * name,const u8 * key_hash)50 static int ocsp_responder_id_match(struct x509_certificate *signer,
51 struct x509_name *name, const u8 *key_hash)
52 {
53 if (key_hash) {
54 u8 hash[SHA1_MAC_LEN];
55 const u8 *addr[1] = { signer->public_key };
56 size_t len[1] = { signer->public_key_len };
57
58 if (sha1_vector(1, addr, len, hash) < 0)
59 return 0;
60 return os_memcmp(hash, key_hash, SHA1_MAC_LEN) == 0;
61 }
62
63 return x509_name_compare(&signer->subject, name) == 0;
64 }
65
66
ocsp_hash_data(struct asn1_oid * alg,const u8 * data,size_t data_len,u8 * hash)67 static unsigned int ocsp_hash_data(struct asn1_oid *alg, const u8 *data,
68 size_t data_len, u8 *hash)
69 {
70 const u8 *addr[1] = { data };
71 size_t len[1] = { data_len };
72 char buf[100];
73
74 if (x509_sha1_oid(alg)) {
75 if (sha1_vector(1, addr, len, hash) < 0)
76 return 0;
77 wpa_hexdump(MSG_MSGDUMP, "OCSP: Hash (SHA1)", hash, 20);
78 return 20;
79 }
80
81 if (x509_sha256_oid(alg)) {
82 if (sha256_vector(1, addr, len, hash) < 0)
83 return 0;
84 wpa_hexdump(MSG_MSGDUMP, "OCSP: Hash (SHA256)", hash, 32);
85 return 32;
86 }
87
88 if (x509_sha384_oid(alg)) {
89 if (sha384_vector(1, addr, len, hash) < 0)
90 return 0;
91 wpa_hexdump(MSG_MSGDUMP, "OCSP: Hash (SHA384)", hash, 48);
92 return 48;
93 }
94
95 if (x509_sha512_oid(alg)) {
96 if (sha512_vector(1, addr, len, hash) < 0)
97 return 0;
98 wpa_hexdump(MSG_MSGDUMP, "OCSP: Hash (SHA512)", hash, 64);
99 return 64;
100 }
101
102
103 asn1_oid_to_str(alg, buf, sizeof(buf));
104 wpa_printf(MSG_DEBUG, "OCSP: Could not calculate hash with alg %s",
105 buf);
106 return 0;
107 }
108
109
tls_process_ocsp_single_response(struct tlsv1_client * conn,struct x509_certificate * cert,struct x509_certificate * issuer,const u8 * resp,size_t len,enum tls_ocsp_result * res)110 static int tls_process_ocsp_single_response(struct tlsv1_client *conn,
111 struct x509_certificate *cert,
112 struct x509_certificate *issuer,
113 const u8 *resp, size_t len,
114 enum tls_ocsp_result *res)
115 {
116 struct asn1_hdr hdr;
117 const u8 *pos, *end;
118 struct x509_algorithm_identifier alg;
119 const u8 *name_hash, *key_hash;
120 size_t name_hash_len, key_hash_len;
121 const u8 *serial_number;
122 size_t serial_number_len;
123 u8 hash[64];
124 unsigned int hash_len;
125 unsigned int cert_status;
126 os_time_t update;
127 struct os_time now;
128
129 wpa_hexdump(MSG_MSGDUMP, "OCSP: SingleResponse", resp, len);
130
131 /*
132 * SingleResponse ::= SEQUENCE {
133 * certID CertID,
134 * certStatus CertStatus,
135 * thisUpdate GeneralizedTime,
136 * nextUpdate [0] EXPLICIT GeneralizedTime OPTIONAL,
137 * singleExtensions [1] EXPLICIT Extensions OPTIONAL }
138 */
139
140 /* CertID ::= SEQUENCE */
141 if (asn1_get_next(resp, len, &hdr) < 0 || !asn1_is_sequence(&hdr)) {
142 asn1_unexpected(&hdr, "OCSP: Expected SEQUENCE (CertID)");
143 return -1;
144 }
145 pos = hdr.payload;
146 end = hdr.payload + hdr.length;
147
148 /*
149 * CertID ::= SEQUENCE {
150 * hashAlgorithm AlgorithmIdentifier,
151 * issuerNameHash OCTET STRING,
152 * issuerKeyHash OCTET STRING,
153 * serialNumber CertificateSerialNumber }
154 */
155
156 /* hashAlgorithm AlgorithmIdentifier */
157 if (x509_parse_algorithm_identifier(pos, end - pos, &alg, &pos))
158 return -1;
159
160 /* issuerNameHash OCTET STRING */
161 if (asn1_get_next(pos, end - pos, &hdr) < 0 ||
162 !asn1_is_octetstring(&hdr)) {
163 asn1_unexpected(&hdr,
164 "OCSP: Expected OCTET STRING (issuerNameHash)");
165 return -1;
166 }
167 name_hash = hdr.payload;
168 name_hash_len = hdr.length;
169 wpa_hexdump(MSG_DEBUG, "OCSP: issuerNameHash",
170 name_hash, name_hash_len);
171 pos = hdr.payload + hdr.length;
172
173 wpa_hexdump(MSG_DEBUG, "OCSP: Issuer subject DN",
174 issuer->subject_dn, issuer->subject_dn_len);
175 hash_len = ocsp_hash_data(&alg.oid, issuer->subject_dn,
176 issuer->subject_dn_len, hash);
177 if (hash_len == 0 || name_hash_len != hash_len ||
178 os_memcmp(name_hash, hash, hash_len) != 0) {
179 wpa_printf(MSG_DEBUG, "OCSP: issuerNameHash mismatch");
180 wpa_hexdump(MSG_DEBUG, "OCSP: Calculated issuerNameHash",
181 hash, hash_len);
182 return -1;
183 }
184
185 /* issuerKeyHash OCTET STRING */
186 if (asn1_get_next(pos, end - pos, &hdr) < 0 ||
187 !asn1_is_octetstring(&hdr)) {
188 asn1_unexpected(&hdr,
189 "OCSP: Expected OCTET STRING (issuerKeyHash)");
190 return -1;
191 }
192 key_hash = hdr.payload;
193 key_hash_len = hdr.length;
194 wpa_hexdump(MSG_DEBUG, "OCSP: issuerKeyHash", key_hash, key_hash_len);
195 pos = hdr.payload + hdr.length;
196
197 hash_len = ocsp_hash_data(&alg.oid, issuer->public_key,
198 issuer->public_key_len, hash);
199 if (hash_len == 0 || key_hash_len != hash_len ||
200 os_memcmp(key_hash, hash, hash_len) != 0) {
201 wpa_printf(MSG_DEBUG, "OCSP: issuerKeyHash mismatch");
202 wpa_hexdump(MSG_DEBUG, "OCSP: Calculated issuerKeyHash",
203 hash, hash_len);
204 return -1;
205 }
206
207 /* serialNumber CertificateSerialNumber ::= INTEGER */
208 if (asn1_get_next(pos, end - pos, &hdr) < 0 ||
209 !asn1_is_integer(&hdr) ||
210 hdr.length < 1 || hdr.length > X509_MAX_SERIAL_NUM_LEN) {
211 asn1_unexpected(&hdr,
212 "OCSP: No INTEGER tag found for serialNumber");
213 return -1;
214 }
215 serial_number = hdr.payload;
216 serial_number_len = hdr.length;
217 while (serial_number_len > 0 && serial_number[0] == 0) {
218 serial_number++;
219 serial_number_len--;
220 }
221 wpa_hexdump(MSG_MSGDUMP, "OCSP: serialNumber", serial_number,
222 serial_number_len);
223
224 if (serial_number_len != cert->serial_number_len ||
225 os_memcmp(serial_number, cert->serial_number,
226 serial_number_len) != 0) {
227 wpa_printf(MSG_DEBUG, "OCSP: serialNumber mismatch");
228 return -1;
229 }
230
231 pos = end;
232 end = resp + len;
233
234 /* certStatus CertStatus ::= CHOICE
235 *
236 * CertStatus ::= CHOICE {
237 * good [0] IMPLICIT NULL,
238 * revoked [1] IMPLICIT RevokedInfo,
239 * unknown [2] IMPLICIT UnknownInfo }
240 */
241 if (asn1_get_next(pos, end - pos, &hdr) < 0 ||
242 hdr.class != ASN1_CLASS_CONTEXT_SPECIFIC) {
243 asn1_unexpected(&hdr, "OCSP: Expected CHOICE (CertStatus)");
244 return -1;
245 }
246 cert_status = hdr.tag;
247 wpa_printf(MSG_DEBUG, "OCSP: certStatus=%u", cert_status);
248 wpa_hexdump(MSG_DEBUG, "OCSP: CertStatus additional data",
249 hdr.payload, hdr.length);
250 pos = hdr.payload + hdr.length;
251
252 os_get_time(&now);
253 /* thisUpdate GeneralizedTime */
254 if (asn1_get_next(pos, end - pos, &hdr) < 0 ||
255 !asn1_is_generalizedtime(&hdr) ||
256 x509_parse_time(hdr.payload, hdr.length, hdr.tag, &update) < 0) {
257 wpa_printf(MSG_DEBUG, "OCSP: Failed to parse thisUpdate");
258 return -1;
259 }
260 wpa_printf(MSG_DEBUG, "OCSP: thisUpdate %lu", (unsigned long) update);
261 pos = hdr.payload + hdr.length;
262 if ((unsigned long) now.sec < (unsigned long) update) {
263 wpa_printf(MSG_DEBUG,
264 "OCSP: thisUpdate time in the future (response not yet valid)");
265 return -1;
266 }
267
268 /* nextUpdate [0] EXPLICIT GeneralizedTime OPTIONAL */
269 if (pos < end) {
270 if (asn1_get_next(pos, end - pos, &hdr) < 0)
271 return -1;
272 if (asn1_is_cs_tag(&hdr, 0) && hdr.constructed) {
273 const u8 *next = hdr.payload + hdr.length;
274
275 if (asn1_get_next(hdr.payload, hdr.length, &hdr) < 0 ||
276 !asn1_is_generalizedtime(&hdr) ||
277 x509_parse_time(hdr.payload, hdr.length, hdr.tag,
278 &update) < 0) {
279 wpa_printf(MSG_DEBUG,
280 "OCSP: Failed to parse nextUpdate");
281 return -1;
282 }
283 wpa_printf(MSG_DEBUG, "OCSP: nextUpdate %lu",
284 (unsigned long) update);
285 pos = next;
286 if ((unsigned long) now.sec > (unsigned long) update) {
287 wpa_printf(MSG_DEBUG, "OCSP: nextUpdate time in the past (response has expired)");
288 return -1;
289 }
290 }
291 }
292
293 /* singleExtensions [1] EXPLICIT Extensions OPTIONAL */
294 if (pos < end) {
295 wpa_hexdump(MSG_MSGDUMP, "OCSP: singleExtensions",
296 pos, end - pos);
297 /* Ignore for now */
298 }
299
300 if (cert_status == 0 /* good */)
301 *res = TLS_OCSP_GOOD;
302 else if (cert_status == 1 /* revoked */)
303 *res = TLS_OCSP_REVOKED;
304 else
305 return -1;
306 return 0;
307 }
308
309
310 static enum tls_ocsp_result
tls_process_ocsp_responses(struct tlsv1_client * conn,struct x509_certificate * cert,struct x509_certificate * issuer,const u8 * resp,size_t len)311 tls_process_ocsp_responses(struct tlsv1_client *conn,
312 struct x509_certificate *cert,
313 struct x509_certificate *issuer, const u8 *resp,
314 size_t len)
315 {
316 struct asn1_hdr hdr;
317 const u8 *pos, *end;
318 enum tls_ocsp_result res;
319
320 pos = resp;
321 end = resp + len;
322 while (pos < end) {
323 /* SingleResponse ::= SEQUENCE */
324 if (asn1_get_next(pos, end - pos, &hdr) < 0 ||
325 !asn1_is_sequence(&hdr)) {
326 asn1_unexpected(&hdr,
327 "OCSP: Expected SEQUENCE (SingleResponse)");
328 return TLS_OCSP_INVALID;
329 }
330 if (tls_process_ocsp_single_response(conn, cert, issuer,
331 hdr.payload, hdr.length,
332 &res) == 0)
333 return res;
334 pos = hdr.payload + hdr.length;
335 }
336
337 wpa_printf(MSG_DEBUG,
338 "OCSP: Did not find a response matching the server certificate");
339 return TLS_OCSP_NO_RESPONSE;
340 }
341
342
343 static enum tls_ocsp_result
tls_process_basic_ocsp_response(struct tlsv1_client * conn,struct x509_certificate * srv_cert,const u8 * resp,size_t len)344 tls_process_basic_ocsp_response(struct tlsv1_client *conn,
345 struct x509_certificate *srv_cert,
346 const u8 *resp, size_t len)
347 {
348 struct asn1_hdr hdr;
349 const u8 *pos, *end;
350 const u8 *resp_data, *sign_value, *key_hash = NULL, *responses;
351 const u8 *resp_data_signed;
352 size_t resp_data_len, sign_value_len, responses_len;
353 size_t resp_data_signed_len;
354 struct x509_algorithm_identifier alg;
355 struct x509_certificate *certs = NULL, *last_cert = NULL;
356 struct x509_certificate *issuer, *signer;
357 struct x509_name name; /* used if key_hash == NULL */
358 char buf[100];
359 os_time_t produced_at;
360 enum tls_ocsp_result res;
361
362 wpa_hexdump(MSG_MSGDUMP, "OCSP: BasicOCSPResponse", resp, len);
363
364 os_memset(&name, 0, sizeof(name));
365
366 /*
367 * RFC 6960, 4.2.1:
368 * BasicOCSPResponse ::= SEQUENCE {
369 * tbsResponseData ResponseData,
370 * signatureAlgorithm AlgorithmIdentifier,
371 * signature BIT STRING,
372 * certs [0] EXPLICIT SEQUENCE OF Certificate OPTIONAL }
373 */
374
375 if (asn1_get_next(resp, len, &hdr) < 0 || !asn1_is_sequence(&hdr)) {
376 asn1_unexpected(&hdr,
377 "OCSP: Expected SEQUENCE (BasicOCSPResponse)");
378 return TLS_OCSP_INVALID;
379 }
380 pos = hdr.payload;
381 end = hdr.payload + hdr.length;
382
383 /* ResponseData ::= SEQUENCE */
384 if (asn1_get_next(pos, end - pos, &hdr) < 0 ||
385 !asn1_is_sequence(&hdr)) {
386 asn1_unexpected(&hdr,
387 "OCSP: Expected SEQUENCE (ResponseData)");
388 return TLS_OCSP_INVALID;
389 }
390 resp_data = hdr.payload;
391 resp_data_len = hdr.length;
392 resp_data_signed = pos;
393 pos = hdr.payload + hdr.length;
394 resp_data_signed_len = pos - resp_data_signed;
395
396 /* signatureAlgorithm AlgorithmIdentifier */
397 if (x509_parse_algorithm_identifier(pos, end - pos, &alg, &pos))
398 return TLS_OCSP_INVALID;
399
400 /* signature BIT STRING */
401 if (asn1_get_next(pos, end - pos, &hdr) < 0 ||
402 !asn1_is_bitstring(&hdr)) {
403 asn1_unexpected(&hdr,
404 "OCSP: Expected BITSTRING (signature)");
405 return TLS_OCSP_INVALID;
406 }
407 if (hdr.length < 1)
408 return TLS_OCSP_INVALID;
409 pos = hdr.payload;
410 if (*pos) {
411 wpa_printf(MSG_DEBUG, "OCSP: BITSTRING - %d unused bits", *pos);
412 /* PKCS #1 v1.5 10.2.1:
413 * It is an error if the length in bits of the signature S is
414 * not a multiple of eight.
415 */
416 return TLS_OCSP_INVALID;
417 }
418 sign_value = pos + 1;
419 sign_value_len = hdr.length - 1;
420 pos += hdr.length;
421 wpa_hexdump(MSG_MSGDUMP, "OCSP: signature", sign_value, sign_value_len);
422
423 /* certs [0] EXPLICIT SEQUENCE OF Certificate OPTIONAL */
424 if (pos < end) {
425 if (asn1_get_next(pos, end - pos, &hdr) < 0 ||
426 !hdr.constructed || !asn1_is_cs_tag(&hdr, 0)) {
427 asn1_unexpected(&hdr,
428 "OCSP: Expected [0] EXPLICIT (certs)");
429 return TLS_OCSP_INVALID;
430 }
431 wpa_hexdump(MSG_MSGDUMP, "OCSP: certs",
432 hdr.payload, hdr.length);
433 pos = hdr.payload;
434 end = hdr.payload + hdr.length;
435 while (pos < end) {
436 struct x509_certificate *cert;
437
438 if (asn1_get_next(pos, end - pos, &hdr) < 0 ||
439 !asn1_is_sequence(&hdr)) {
440 asn1_unexpected(&hdr,
441 "OCSP: Expected SEQUENCE (Certificate)");
442 goto fail;
443 }
444
445 cert = x509_certificate_parse(hdr.payload, hdr.length);
446 if (!cert)
447 goto fail;
448 if (last_cert) {
449 last_cert->next = cert;
450 last_cert = cert;
451 } else {
452 last_cert = certs = cert;
453 }
454 pos = hdr.payload + hdr.length;
455 }
456 }
457
458 /*
459 * ResponseData ::= SEQUENCE {
460 * version [0] EXPLICIT Version DEFAULT v1,
461 * responderID ResponderID,
462 * producedAt GeneralizedTime,
463 * responses SEQUENCE OF SingleResponse,
464 * responseExtensions [1] EXPLICIT Extensions OPTIONAL }
465 */
466 pos = resp_data;
467 end = resp_data + resp_data_len;
468 wpa_hexdump(MSG_MSGDUMP, "OCSP: ResponseData", pos, end - pos);
469
470 /*
471 * version [0] EXPLICIT Version DEFAULT v1
472 * Version ::= INTEGER { v1(0) }
473 */
474 if (asn1_get_next(pos, end - pos, &hdr) == 0 && hdr.constructed &&
475 asn1_is_cs_tag(&hdr, 0)) {
476 if (asn1_get_next(pos, end - pos, &hdr) < 0 ||
477 !asn1_is_integer(&hdr) || hdr.length != 1) {
478 asn1_unexpected(&hdr,
479 "OCSP: No INTEGER (len=1) tag found for version field");
480 goto fail;
481 }
482 wpa_printf(MSG_DEBUG, "OCSP: ResponseData version %u",
483 hdr.payload[0]);
484 if (hdr.payload[0] != 0) {
485 wpa_printf(MSG_DEBUG,
486 "OCSP: Unsupported ResponseData version %u",
487 hdr.payload[0]);
488 goto no_resp;
489 }
490 pos = hdr.payload + hdr.length;
491 } else {
492 wpa_printf(MSG_DEBUG,
493 "OCSP: Default ResponseData version (v1)");
494 }
495
496 /*
497 * ResponderID ::= CHOICE {
498 * byName [1] Name,
499 * byKey [2] KeyHash }
500 */
501 if (asn1_get_next(pos, end - pos, &hdr) < 0 ||
502 hdr.class != ASN1_CLASS_CONTEXT_SPECIFIC) {
503 asn1_unexpected(&hdr, "OCSP: Expected CHOICE (ResponderID)");
504 goto fail;
505 }
506
507 if (hdr.tag == 1) {
508 /* Name */
509 if (x509_parse_name(hdr.payload, hdr.length, &name, &pos) < 0)
510 goto fail;
511 x509_name_string(&name, buf, sizeof(buf));
512 wpa_printf(MSG_DEBUG, "OCSP: ResponderID byName Name: %s", buf);
513 } else if (hdr.tag == 2) {
514 /* KeyHash ::= OCTET STRING */
515 if (asn1_get_next(hdr.payload, hdr.length, &hdr) < 0 ||
516 !asn1_is_octetstring(&hdr)) {
517 asn1_unexpected(&hdr,
518 "OCSP: Expected OCTET STRING (KeyHash)");
519 goto fail;
520 }
521 key_hash = hdr.payload;
522 wpa_hexdump(MSG_DEBUG, "OCSP: ResponderID byKey KeyHash",
523 key_hash, hdr.length);
524 if (hdr.length != SHA1_MAC_LEN) {
525 wpa_printf(MSG_DEBUG,
526 "OCSP: Unexpected byKey KeyHash length %u - expected %u for SHA-1",
527 hdr.length, SHA1_MAC_LEN);
528 goto fail;
529 }
530 pos = hdr.payload + hdr.length;
531 } else {
532 wpa_printf(MSG_DEBUG, "OCSP: Unexpected ResponderID CHOICE %u",
533 hdr.tag);
534 goto fail;
535 }
536
537 /* producedAt GeneralizedTime */
538 if (asn1_get_next(pos, end - pos, &hdr) < 0 ||
539 !asn1_is_generalizedtime(&hdr) ||
540 x509_parse_time(hdr.payload, hdr.length, hdr.tag,
541 &produced_at) < 0) {
542 wpa_printf(MSG_DEBUG, "OCSP: Failed to parse producedAt");
543 goto fail;
544 }
545 wpa_printf(MSG_DEBUG, "OCSP: producedAt %lu",
546 (unsigned long) produced_at);
547 pos = hdr.payload + hdr.length;
548
549 /* responses SEQUENCE OF SingleResponse */
550 if (asn1_get_next(pos, end - pos, &hdr) < 0 ||
551 !asn1_is_sequence(&hdr)) {
552 asn1_unexpected(&hdr,
553 "OCSP: Expected SEQUENCE (responses)");
554 goto fail;
555 }
556 responses = hdr.payload;
557 responses_len = hdr.length;
558 wpa_hexdump(MSG_MSGDUMP, "OCSP: responses", responses, responses_len);
559 pos = hdr.payload + hdr.length;
560
561 if (pos < end) {
562 /* responseExtensions [1] EXPLICIT Extensions OPTIONAL */
563 wpa_hexdump(MSG_MSGDUMP, "OCSP: responseExtensions",
564 pos, end - pos);
565 /* Ignore for now. */
566 }
567
568 if (!srv_cert) {
569 wpa_printf(MSG_DEBUG,
570 "OCSP: Server certificate not known - cannot check OCSP response");
571 goto no_resp;
572 }
573
574 if (srv_cert->next) {
575 /* Issuer has already been verified in the chain */
576 issuer = srv_cert->next;
577 } else {
578 /* Find issuer from the set of trusted certificates */
579 for (issuer = conn->cred ? conn->cred->trusted_certs : NULL;
580 issuer; issuer = issuer->next) {
581 if (x509_name_compare(&srv_cert->issuer,
582 &issuer->subject) == 0)
583 break;
584 }
585 }
586 if (!issuer) {
587 wpa_printf(MSG_DEBUG,
588 "OCSP: Server certificate issuer not known - cannot check OCSP response");
589 goto no_resp;
590 }
591
592 if (ocsp_responder_id_match(issuer, &name, key_hash)) {
593 wpa_printf(MSG_DEBUG,
594 "OCSP: Server certificate issuer certificate matches ResponderID");
595 signer = issuer;
596 } else {
597 for (signer = certs; signer; signer = signer->next) {
598 if (!ocsp_responder_id_match(signer, &name, key_hash) ||
599 x509_name_compare(&srv_cert->issuer,
600 &issuer->subject) != 0 ||
601 !(signer->ext_key_usage &
602 X509_EXT_KEY_USAGE_OCSP) ||
603 x509_certificate_check_signature(issuer, signer) <
604 0)
605 continue;
606 wpa_printf(MSG_DEBUG,
607 "OCSP: An extra certificate from the response matches ResponderID and is trusted as an OCSP signer");
608 break;
609 }
610 if (!signer) {
611 wpa_printf(MSG_DEBUG,
612 "OCSP: Could not find OCSP signer certificate");
613 goto no_resp;
614 }
615 }
616
617 x509_free_name(&name);
618 os_memset(&name, 0, sizeof(name));
619 x509_certificate_chain_free(certs);
620 certs = NULL;
621
622 if (x509_check_signature(signer, &alg, sign_value, sign_value_len,
623 resp_data_signed, resp_data_signed_len) < 0) {
624 wpa_printf(MSG_DEBUG, "OCSP: Invalid signature");
625 return TLS_OCSP_INVALID;
626 }
627
628 res = tls_process_ocsp_responses(conn, srv_cert, issuer,
629 responses, responses_len);
630 if (res == TLS_OCSP_REVOKED)
631 srv_cert->ocsp_revoked = 1;
632 else if (res == TLS_OCSP_GOOD)
633 srv_cert->ocsp_good = 1;
634 return res;
635
636 no_resp:
637 x509_free_name(&name);
638 x509_certificate_chain_free(certs);
639 return TLS_OCSP_NO_RESPONSE;
640
641 fail:
642 x509_free_name(&name);
643 x509_certificate_chain_free(certs);
644 return TLS_OCSP_INVALID;
645 }
646
647
tls_process_ocsp_response(struct tlsv1_client * conn,const u8 * resp,size_t len)648 enum tls_ocsp_result tls_process_ocsp_response(struct tlsv1_client *conn,
649 const u8 *resp, size_t len)
650 {
651 struct asn1_hdr hdr;
652 const u8 *pos, *end;
653 u8 resp_status;
654 struct asn1_oid oid;
655 char obuf[80];
656 struct x509_certificate *cert;
657 enum tls_ocsp_result res = TLS_OCSP_NO_RESPONSE;
658 enum tls_ocsp_result res_first = res;
659
660 wpa_hexdump(MSG_MSGDUMP, "TLSv1: OCSPResponse", resp, len);
661
662 /*
663 * RFC 6960, 4.2.1:
664 * OCSPResponse ::= SEQUENCE {
665 * responseStatus OCSPResponseStatus,
666 * responseBytes [0] EXPLICIT ResponseBytes OPTIONAL }
667 */
668
669 if (asn1_get_next(resp, len, &hdr) < 0 || !asn1_is_sequence(&hdr)) {
670 asn1_unexpected(&hdr,
671 "OCSP: Expected SEQUENCE (OCSPResponse)");
672 return TLS_OCSP_INVALID;
673 }
674 pos = hdr.payload;
675 end = hdr.payload + hdr.length;
676
677 /* OCSPResponseStatus ::= ENUMERATED */
678 if (asn1_get_next(pos, end - pos, &hdr) < 0 ||
679 !asn1_is_enumerated(&hdr) || hdr.length != 1) {
680 asn1_unexpected(&hdr,
681 "OCSP: Expected ENUMERATED (responseStatus)");
682 return TLS_OCSP_INVALID;
683 }
684 resp_status = hdr.payload[0];
685 wpa_printf(MSG_DEBUG, "OCSP: responseStatus %u", resp_status);
686 pos = hdr.payload + hdr.length;
687 if (resp_status != OCSP_RESP_STATUS_SUCCESSFUL) {
688 wpa_printf(MSG_DEBUG, "OCSP: No stapling result");
689 return TLS_OCSP_NO_RESPONSE;
690 }
691
692 /* responseBytes [0] EXPLICIT ResponseBytes OPTIONAL */
693 if (pos == end)
694 return TLS_OCSP_NO_RESPONSE;
695
696 if (asn1_get_next(pos, end - pos, &hdr) < 0 || !hdr.constructed ||
697 !asn1_is_cs_tag(&hdr, 0)) {
698 asn1_unexpected(&hdr,
699 "OCSP: Expected [0] EXPLICIT (responseBytes)");
700 return TLS_OCSP_INVALID;
701 }
702
703 /*
704 * ResponseBytes ::= SEQUENCE {
705 * responseType OBJECT IDENTIFIER,
706 * response OCTET STRING }
707 */
708
709 if (asn1_get_next(hdr.payload, hdr.length, &hdr) < 0 ||
710 !asn1_is_sequence(&hdr)) {
711 asn1_unexpected(&hdr,
712 "OCSP: Expected SEQUENCE (ResponseBytes)");
713 return TLS_OCSP_INVALID;
714 }
715 pos = hdr.payload;
716 end = hdr.payload + hdr.length;
717
718 /* responseType OBJECT IDENTIFIER */
719 if (asn1_get_oid(pos, end - pos, &oid, &pos)) {
720 wpa_printf(MSG_DEBUG,
721 "OCSP: Failed to parse OID (responseType)");
722 return TLS_OCSP_INVALID;
723 }
724 asn1_oid_to_str(&oid, obuf, sizeof(obuf));
725 wpa_printf(MSG_DEBUG, "OCSP: responseType %s", obuf);
726 if (!is_oid_basic_ocsp_resp(&oid)) {
727 wpa_printf(MSG_DEBUG, "OCSP: Ignore unsupported response type");
728 return TLS_OCSP_NO_RESPONSE;
729 }
730
731 /* response OCTET STRING */
732 if (asn1_get_next(pos, end - pos, &hdr) < 0 ||
733 !asn1_is_octetstring(&hdr)) {
734 asn1_unexpected(&hdr, "OCSP: Expected OCTET STRING (response)");
735 return TLS_OCSP_INVALID;
736 }
737
738 cert = conn->server_cert;
739 while (cert) {
740 if (!cert->ocsp_good && !cert->ocsp_revoked) {
741 char sbuf[128];
742
743 x509_name_string(&cert->subject, sbuf, sizeof(sbuf));
744 wpa_printf(MSG_DEBUG,
745 "OCSP: Trying to find certificate status for %s",
746 sbuf);
747
748 res = tls_process_basic_ocsp_response(conn, cert,
749 hdr.payload,
750 hdr.length);
751 if (cert == conn->server_cert)
752 res_first = res;
753 }
754 if (res == TLS_OCSP_REVOKED || cert->issuer_trusted)
755 break;
756 cert = cert->next;
757 }
758 return res == TLS_OCSP_REVOKED ? res : res_first;
759 }
760