1 /* 2 * TLSv1 client - OCSP 3 * Copyright (c) 2015, Jouni Malinen <j@w1.fi> 4 * 5 * This software may be distributed under the terms of the BSD license. 6 * See README for more details. 7 */ 8 9 #include "includes.h" 10 11 #include "common.h" 12 #include "crypto/tls.h" 13 #include "crypto/sha1.h" 14 #include "asn1.h" 15 #include "x509v3.h" 16 #include "tlsv1_common.h" 17 #include "tlsv1_record.h" 18 #include "tlsv1_client.h" 19 #include "tlsv1_client_i.h" 20 21 22 /* RFC 6960, 4.2.1: OCSPResponseStatus ::= ENUMERATED */ 23 enum ocsp_response_status { 24 OCSP_RESP_STATUS_SUCCESSFUL = 0, 25 OCSP_RESP_STATUS_MALFORMED_REQ = 1, 26 OCSP_RESP_STATUS_INT_ERROR = 2, 27 OCSP_RESP_STATUS_TRY_LATER = 3, 28 /* 4 not used */ 29 OCSP_RESP_STATUS_SIG_REQUIRED = 5, 30 OCSP_RESP_STATUS_UNAUTHORIZED = 6, 31 }; 32 33 34 static int is_oid_basic_ocsp_resp(struct asn1_oid *oid) 35 { 36 return oid->len == 10 && 37 oid->oid[0] == 1 /* iso */ && 38 oid->oid[1] == 3 /* identified-organization */ && 39 oid->oid[2] == 6 /* dod */ && 40 oid->oid[3] == 1 /* internet */ && 41 oid->oid[4] == 5 /* security */ && 42 oid->oid[5] == 5 /* mechanisms */ && 43 oid->oid[6] == 7 /* id-pkix */ && 44 oid->oid[7] == 48 /* id-ad */ && 45 oid->oid[8] == 1 /* id-pkix-ocsp */ && 46 oid->oid[9] == 1 /* id-pkix-ocsp-basic */; 47 } 48 49 50 static int ocsp_responder_id_match(struct x509_certificate *signer, 51 struct x509_name *name, const u8 *key_hash) 52 { 53 if (key_hash) { 54 u8 hash[SHA1_MAC_LEN]; 55 const u8 *addr[1] = { signer->public_key }; 56 size_t len[1] = { signer->public_key_len }; 57 58 if (sha1_vector(1, addr, len, hash) < 0) 59 return 0; 60 return os_memcmp(hash, key_hash, SHA1_MAC_LEN) == 0; 61 } 62 63 return x509_name_compare(&signer->subject, name) == 0; 64 } 65 66 67 static unsigned int ocsp_hash_data(struct asn1_oid *alg, const u8 *data, 68 size_t data_len, u8 *hash) 69 { 70 const u8 *addr[1] = { data }; 71 size_t len[1] = { data_len }; 72 char buf[100]; 73 74 if (x509_sha1_oid(alg)) { 75 if (sha1_vector(1, addr, len, hash) < 0) 76 return 0; 77 wpa_hexdump(MSG_MSGDUMP, "OCSP: Hash (SHA1)", hash, 20); 78 return 20; 79 } 80 81 if (x509_sha256_oid(alg)) { 82 if (sha256_vector(1, addr, len, hash) < 0) 83 return 0; 84 wpa_hexdump(MSG_MSGDUMP, "OCSP: Hash (SHA256)", hash, 32); 85 return 32; 86 } 87 88 if (x509_sha384_oid(alg)) { 89 if (sha384_vector(1, addr, len, hash) < 0) 90 return 0; 91 wpa_hexdump(MSG_MSGDUMP, "OCSP: Hash (SHA384)", hash, 48); 92 return 48; 93 } 94 95 if (x509_sha512_oid(alg)) { 96 if (sha512_vector(1, addr, len, hash) < 0) 97 return 0; 98 wpa_hexdump(MSG_MSGDUMP, "OCSP: Hash (SHA512)", hash, 64); 99 return 64; 100 } 101 102 103 asn1_oid_to_str(alg, buf, sizeof(buf)); 104 wpa_printf(MSG_DEBUG, "OCSP: Could not calculate hash with alg %s", 105 buf); 106 return 0; 107 } 108 109 110 static int tls_process_ocsp_single_response(struct tlsv1_client *conn, 111 struct x509_certificate *cert, 112 struct x509_certificate *issuer, 113 const u8 *resp, size_t len, 114 enum tls_ocsp_result *res) 115 { 116 struct asn1_hdr hdr; 117 const u8 *pos, *end; 118 struct x509_algorithm_identifier alg; 119 const u8 *name_hash, *key_hash; 120 size_t name_hash_len, key_hash_len; 121 const u8 *serial_number; 122 size_t serial_number_len; 123 u8 hash[64]; 124 unsigned int hash_len; 125 unsigned int cert_status; 126 os_time_t update; 127 struct os_time now; 128 129 wpa_hexdump(MSG_MSGDUMP, "OCSP: SingleResponse", resp, len); 130 131 /* 132 * SingleResponse ::= SEQUENCE { 133 * certID CertID, 134 * certStatus CertStatus, 135 * thisUpdate GeneralizedTime, 136 * nextUpdate [0] EXPLICIT GeneralizedTime OPTIONAL, 137 * singleExtensions [1] EXPLICIT Extensions OPTIONAL } 138 */ 139 140 /* CertID ::= SEQUENCE */ 141 if (asn1_get_next(resp, len, &hdr) < 0 || 142 hdr.class != ASN1_CLASS_UNIVERSAL || 143 hdr.tag != ASN1_TAG_SEQUENCE) { 144 wpa_printf(MSG_DEBUG, 145 "OCSP: Expected SEQUENCE (CertID) - found class %d tag 0x%x", 146 hdr.class, hdr.tag); 147 return -1; 148 } 149 pos = hdr.payload; 150 end = hdr.payload + hdr.length; 151 152 /* 153 * CertID ::= SEQUENCE { 154 * hashAlgorithm AlgorithmIdentifier, 155 * issuerNameHash OCTET STRING, 156 * issuerKeyHash OCTET STRING, 157 * serialNumber CertificateSerialNumber } 158 */ 159 160 /* hashAlgorithm AlgorithmIdentifier */ 161 if (x509_parse_algorithm_identifier(pos, end - pos, &alg, &pos)) 162 return -1; 163 164 /* issuerNameHash OCTET STRING */ 165 if (asn1_get_next(pos, end - pos, &hdr) < 0 || 166 hdr.class != ASN1_CLASS_UNIVERSAL || 167 hdr.tag != ASN1_TAG_OCTETSTRING) { 168 wpa_printf(MSG_DEBUG, 169 "OCSP: Expected OCTET STRING (issuerNameHash) - found class %d tag 0x%x", 170 hdr.class, hdr.tag); 171 return -1; 172 } 173 name_hash = hdr.payload; 174 name_hash_len = hdr.length; 175 wpa_hexdump(MSG_DEBUG, "OCSP: issuerNameHash", 176 name_hash, name_hash_len); 177 pos = hdr.payload + hdr.length; 178 179 wpa_hexdump(MSG_DEBUG, "OCSP: Issuer subject DN", 180 issuer->subject_dn, issuer->subject_dn_len); 181 hash_len = ocsp_hash_data(&alg.oid, issuer->subject_dn, 182 issuer->subject_dn_len, hash); 183 if (hash_len == 0 || name_hash_len != hash_len || 184 os_memcmp(name_hash, hash, hash_len) != 0) { 185 wpa_printf(MSG_DEBUG, "OCSP: issuerNameHash mismatch"); 186 wpa_hexdump(MSG_DEBUG, "OCSP: Calculated issuerNameHash", 187 hash, hash_len); 188 return -1; 189 } 190 191 /* issuerKeyHash OCTET STRING */ 192 if (asn1_get_next(pos, end - pos, &hdr) < 0 || 193 hdr.class != ASN1_CLASS_UNIVERSAL || 194 hdr.tag != ASN1_TAG_OCTETSTRING) { 195 wpa_printf(MSG_DEBUG, 196 "OCSP: Expected OCTET STRING (issuerKeyHash) - found class %d tag 0x%x", 197 hdr.class, hdr.tag); 198 return -1; 199 } 200 key_hash = hdr.payload; 201 key_hash_len = hdr.length; 202 wpa_hexdump(MSG_DEBUG, "OCSP: issuerKeyHash", key_hash, key_hash_len); 203 pos = hdr.payload + hdr.length; 204 205 hash_len = ocsp_hash_data(&alg.oid, issuer->public_key, 206 issuer->public_key_len, hash); 207 if (hash_len == 0 || key_hash_len != hash_len || 208 os_memcmp(key_hash, hash, hash_len) != 0) { 209 wpa_printf(MSG_DEBUG, "OCSP: issuerKeyHash mismatch"); 210 wpa_hexdump(MSG_DEBUG, "OCSP: Calculated issuerKeyHash", 211 hash, hash_len); 212 return -1; 213 } 214 215 /* serialNumber CertificateSerialNumber ::= INTEGER */ 216 if (asn1_get_next(pos, end - pos, &hdr) < 0 || 217 hdr.class != ASN1_CLASS_UNIVERSAL || 218 hdr.tag != ASN1_TAG_INTEGER || 219 hdr.length < 1 || hdr.length > X509_MAX_SERIAL_NUM_LEN) { 220 wpa_printf(MSG_DEBUG, "OCSP: No INTEGER tag found for serialNumber; class=%d tag=0x%x length=%u", 221 hdr.class, hdr.tag, hdr.length); 222 return -1; 223 } 224 serial_number = hdr.payload; 225 serial_number_len = hdr.length; 226 while (serial_number_len > 0 && serial_number[0] == 0) { 227 serial_number++; 228 serial_number_len--; 229 } 230 wpa_hexdump(MSG_MSGDUMP, "OCSP: serialNumber", serial_number, 231 serial_number_len); 232 233 if (serial_number_len != cert->serial_number_len || 234 os_memcmp(serial_number, cert->serial_number, 235 serial_number_len) != 0) { 236 wpa_printf(MSG_DEBUG, "OCSP: serialNumber mismatch"); 237 return -1; 238 } 239 240 pos = end; 241 end = resp + len; 242 243 /* certStatus CertStatus ::= CHOICE */ 244 if (asn1_get_next(pos, end - pos, &hdr) < 0 || 245 hdr.class != ASN1_CLASS_CONTEXT_SPECIFIC) { 246 wpa_printf(MSG_DEBUG, 247 "OCSP: Expected CHOICE (CertStatus) - found class %d tag 0x%x", 248 hdr.class, hdr.tag); 249 return -1; 250 } 251 cert_status = hdr.tag; 252 wpa_printf(MSG_DEBUG, "OCSP: certStatus=%u", cert_status); 253 wpa_hexdump(MSG_DEBUG, "OCSP: CertStatus additional data", 254 hdr.payload, hdr.length); 255 pos = hdr.payload + hdr.length; 256 257 os_get_time(&now); 258 /* thisUpdate GeneralizedTime */ 259 if (asn1_get_next(pos, end - pos, &hdr) < 0 || 260 hdr.class != ASN1_CLASS_UNIVERSAL || 261 hdr.tag != ASN1_TAG_GENERALIZEDTIME || 262 x509_parse_time(hdr.payload, hdr.length, hdr.tag, &update) < 0) { 263 wpa_printf(MSG_DEBUG, "OCSP: Failed to parse thisUpdate"); 264 return -1; 265 } 266 wpa_printf(MSG_DEBUG, "OCSP: thisUpdate %lu", (unsigned long) update); 267 pos = hdr.payload + hdr.length; 268 if ((unsigned long) now.sec < (unsigned long) update) { 269 wpa_printf(MSG_DEBUG, 270 "OCSP: thisUpdate time in the future (response not yet valid)"); 271 return -1; 272 } 273 274 /* nextUpdate [0] EXPLICIT GeneralizedTime OPTIONAL */ 275 if (pos < end) { 276 if (asn1_get_next(pos, end - pos, &hdr) < 0) 277 return -1; 278 if (hdr.class == ASN1_CLASS_CONTEXT_SPECIFIC && hdr.tag == 0) { 279 const u8 *next = hdr.payload + hdr.length; 280 281 if (asn1_get_next(hdr.payload, hdr.length, &hdr) < 0 || 282 hdr.class != ASN1_CLASS_UNIVERSAL || 283 hdr.tag != ASN1_TAG_GENERALIZEDTIME || 284 x509_parse_time(hdr.payload, hdr.length, hdr.tag, 285 &update) < 0) { 286 wpa_printf(MSG_DEBUG, 287 "OCSP: Failed to parse nextUpdate"); 288 return -1; 289 } 290 wpa_printf(MSG_DEBUG, "OCSP: nextUpdate %lu", 291 (unsigned long) update); 292 pos = next; 293 if ((unsigned long) now.sec > (unsigned long) update) { 294 wpa_printf(MSG_DEBUG, "OCSP: nextUpdate time in the past (response has expired)"); 295 return -1; 296 } 297 } 298 } 299 300 /* singleExtensions [1] EXPLICIT Extensions OPTIONAL */ 301 if (pos < end) { 302 wpa_hexdump(MSG_MSGDUMP, "OCSP: singleExtensions", 303 pos, end - pos); 304 /* Ignore for now */ 305 } 306 307 if (cert_status == 0 /* good */) 308 *res = TLS_OCSP_GOOD; 309 else if (cert_status == 1 /* revoked */) 310 *res = TLS_OCSP_REVOKED; 311 else 312 return -1; 313 return 0; 314 } 315 316 317 static enum tls_ocsp_result 318 tls_process_ocsp_responses(struct tlsv1_client *conn, 319 struct x509_certificate *cert, 320 struct x509_certificate *issuer, const u8 *resp, 321 size_t len) 322 { 323 struct asn1_hdr hdr; 324 const u8 *pos, *end; 325 enum tls_ocsp_result res; 326 327 pos = resp; 328 end = resp + len; 329 while (pos < end) { 330 /* SingleResponse ::= SEQUENCE */ 331 if (asn1_get_next(pos, end - pos, &hdr) < 0 || 332 hdr.class != ASN1_CLASS_UNIVERSAL || 333 hdr.tag != ASN1_TAG_SEQUENCE) { 334 wpa_printf(MSG_DEBUG, 335 "OCSP: Expected SEQUENCE (SingleResponse) - found class %d tag 0x%x", 336 hdr.class, hdr.tag); 337 return TLS_OCSP_INVALID; 338 } 339 if (tls_process_ocsp_single_response(conn, cert, issuer, 340 hdr.payload, hdr.length, 341 &res) == 0) 342 return res; 343 pos = hdr.payload + hdr.length; 344 } 345 346 wpa_printf(MSG_DEBUG, 347 "OCSP: Did not find a response matching the server certificate"); 348 return TLS_OCSP_NO_RESPONSE; 349 } 350 351 352 static enum tls_ocsp_result 353 tls_process_basic_ocsp_response(struct tlsv1_client *conn, 354 struct x509_certificate *srv_cert, 355 const u8 *resp, size_t len) 356 { 357 struct asn1_hdr hdr; 358 const u8 *pos, *end; 359 const u8 *resp_data, *sign_value, *key_hash = NULL, *responses; 360 const u8 *resp_data_signed; 361 size_t resp_data_len, sign_value_len, responses_len; 362 size_t resp_data_signed_len; 363 struct x509_algorithm_identifier alg; 364 struct x509_certificate *certs = NULL, *last_cert = NULL; 365 struct x509_certificate *issuer, *signer; 366 struct x509_name name; /* used if key_hash == NULL */ 367 char buf[100]; 368 os_time_t produced_at; 369 enum tls_ocsp_result res; 370 371 wpa_hexdump(MSG_MSGDUMP, "OCSP: BasicOCSPResponse", resp, len); 372 373 os_memset(&name, 0, sizeof(name)); 374 375 /* 376 * RFC 6960, 4.2.1: 377 * BasicOCSPResponse ::= SEQUENCE { 378 * tbsResponseData ResponseData, 379 * signatureAlgorithm AlgorithmIdentifier, 380 * signature BIT STRING, 381 * certs [0] EXPLICIT SEQUENCE OF Certificate OPTIONAL } 382 */ 383 384 if (asn1_get_next(resp, len, &hdr) < 0 || 385 hdr.class != ASN1_CLASS_UNIVERSAL || 386 hdr.tag != ASN1_TAG_SEQUENCE) { 387 wpa_printf(MSG_DEBUG, 388 "OCSP: Expected SEQUENCE (BasicOCSPResponse) - found class %d tag 0x%x", 389 hdr.class, hdr.tag); 390 return TLS_OCSP_INVALID; 391 } 392 pos = hdr.payload; 393 end = hdr.payload + hdr.length; 394 395 /* ResponseData ::= SEQUENCE */ 396 if (asn1_get_next(pos, end - pos, &hdr) < 0 || 397 hdr.class != ASN1_CLASS_UNIVERSAL || 398 hdr.tag != ASN1_TAG_SEQUENCE) { 399 wpa_printf(MSG_DEBUG, 400 "OCSP: Expected SEQUENCE (ResponseData) - found class %d tag 0x%x", 401 hdr.class, hdr.tag); 402 return TLS_OCSP_INVALID; 403 } 404 resp_data = hdr.payload; 405 resp_data_len = hdr.length; 406 resp_data_signed = pos; 407 pos = hdr.payload + hdr.length; 408 resp_data_signed_len = pos - resp_data_signed; 409 410 /* signatureAlgorithm AlgorithmIdentifier */ 411 if (x509_parse_algorithm_identifier(pos, end - pos, &alg, &pos)) 412 return TLS_OCSP_INVALID; 413 414 /* signature BIT STRING */ 415 if (asn1_get_next(pos, end - pos, &hdr) < 0 || 416 hdr.class != ASN1_CLASS_UNIVERSAL || 417 hdr.tag != ASN1_TAG_BITSTRING) { 418 wpa_printf(MSG_DEBUG, 419 "OCSP: Expected BITSTRING (signature) - found class %d tag 0x%x", 420 hdr.class, hdr.tag); 421 return TLS_OCSP_INVALID; 422 } 423 if (hdr.length < 1) 424 return TLS_OCSP_INVALID; 425 pos = hdr.payload; 426 if (*pos) { 427 wpa_printf(MSG_DEBUG, "OCSP: BITSTRING - %d unused bits", *pos); 428 /* PKCS #1 v1.5 10.2.1: 429 * It is an error if the length in bits of the signature S is 430 * not a multiple of eight. 431 */ 432 return TLS_OCSP_INVALID; 433 } 434 sign_value = pos + 1; 435 sign_value_len = hdr.length - 1; 436 pos += hdr.length; 437 wpa_hexdump(MSG_MSGDUMP, "OCSP: signature", sign_value, sign_value_len); 438 439 /* certs [0] EXPLICIT SEQUENCE OF Certificate OPTIONAL */ 440 if (pos < end) { 441 if (asn1_get_next(pos, end - pos, &hdr) < 0 || 442 hdr.class != ASN1_CLASS_CONTEXT_SPECIFIC || 443 hdr.tag != 0) { 444 wpa_printf(MSG_DEBUG, 445 "OCSP: Expected [0] EXPLICIT (certs) - found class %d tag 0x%x", 446 hdr.class, hdr.tag); 447 return TLS_OCSP_INVALID; 448 } 449 wpa_hexdump(MSG_MSGDUMP, "OCSP: certs", 450 hdr.payload, hdr.length); 451 pos = hdr.payload; 452 end = hdr.payload + hdr.length; 453 while (pos < end) { 454 struct x509_certificate *cert; 455 456 if (asn1_get_next(pos, end - pos, &hdr) < 0 || 457 hdr.class != ASN1_CLASS_UNIVERSAL || 458 hdr.tag != ASN1_TAG_SEQUENCE) { 459 wpa_printf(MSG_DEBUG, 460 "OCSP: Expected SEQUENCE (Certificate) - found class %d tag 0x%x", 461 hdr.class, hdr.tag); 462 goto fail; 463 } 464 465 cert = x509_certificate_parse(hdr.payload, hdr.length); 466 if (!cert) 467 goto fail; 468 if (last_cert) { 469 last_cert->next = cert; 470 last_cert = cert; 471 } else { 472 last_cert = certs = cert; 473 } 474 pos = hdr.payload + hdr.length; 475 } 476 } 477 478 /* 479 * ResponseData ::= SEQUENCE { 480 * version [0] EXPLICIT Version DEFAULT v1, 481 * responderID ResponderID, 482 * producedAt GeneralizedTime, 483 * responses SEQUENCE OF SingleResponse, 484 * responseExtensions [1] EXPLICIT Extensions OPTIONAL } 485 */ 486 pos = resp_data; 487 end = resp_data + resp_data_len; 488 wpa_hexdump(MSG_MSGDUMP, "OCSP: ResponseData", pos, end - pos); 489 490 /* 491 * version [0] EXPLICIT Version DEFAULT v1 492 * Version ::= INTEGER { v1(0) } 493 */ 494 if (asn1_get_next(pos, end - pos, &hdr) < 0 && 495 hdr.class == ASN1_CLASS_CONTEXT_SPECIFIC && 496 hdr.tag == 0) { 497 if (asn1_get_next(pos, end - pos, &hdr) < 0 || 498 hdr.class != ASN1_CLASS_UNIVERSAL || 499 hdr.tag != ASN1_TAG_INTEGER || 500 hdr.length != 1) { 501 wpa_printf(MSG_DEBUG, 502 "OCSP: No INTEGER (len=1) tag found for version field - found class %d tag 0x%x length %d", 503 hdr.class, hdr.tag, hdr.length); 504 goto fail; 505 } 506 wpa_printf(MSG_DEBUG, "OCSP: ResponseData version %u", 507 hdr.payload[0]); 508 if (hdr.payload[0] != 0) { 509 wpa_printf(MSG_DEBUG, 510 "OCSP: Unsupported ResponseData version %u", 511 hdr.payload[0]); 512 goto no_resp; 513 } 514 pos = hdr.payload + hdr.length; 515 } else { 516 wpa_printf(MSG_DEBUG, 517 "OCSP: Default ResponseData version (v1)"); 518 } 519 520 /* 521 * ResponderID ::= CHOICE { 522 * byName [1] Name, 523 * byKey [2] KeyHash } 524 */ 525 if (asn1_get_next(pos, end - pos, &hdr) < 0 || 526 hdr.class != ASN1_CLASS_CONTEXT_SPECIFIC) { 527 wpa_printf(MSG_DEBUG, 528 "OCSP: Expected CHOICE (ResponderID) - found class %d tag 0x%x", 529 hdr.class, hdr.tag); 530 goto fail; 531 } 532 533 if (hdr.tag == 1) { 534 /* Name */ 535 if (x509_parse_name(hdr.payload, hdr.length, &name, &pos) < 0) 536 goto fail; 537 x509_name_string(&name, buf, sizeof(buf)); 538 wpa_printf(MSG_DEBUG, "OCSP: ResponderID byName Name: %s", buf); 539 } else if (hdr.tag == 2) { 540 /* KeyHash ::= OCTET STRING */ 541 if (asn1_get_next(hdr.payload, hdr.length, &hdr) < 0 || 542 hdr.class != ASN1_CLASS_UNIVERSAL || 543 hdr.tag != ASN1_TAG_OCTETSTRING) { 544 wpa_printf(MSG_DEBUG, 545 "OCSP: Expected OCTET STRING (KeyHash) - found class %d tag 0x%x", 546 hdr.class, hdr.tag); 547 goto fail; 548 } 549 key_hash = hdr.payload; 550 wpa_hexdump(MSG_DEBUG, "OCSP: ResponderID byKey KeyHash", 551 key_hash, hdr.length); 552 if (hdr.length != SHA1_MAC_LEN) { 553 wpa_printf(MSG_DEBUG, 554 "OCSP: Unexpected byKey KeyHash length %u - expected %u for SHA-1", 555 hdr.length, SHA1_MAC_LEN); 556 goto fail; 557 } 558 pos = hdr.payload + hdr.length; 559 } else { 560 wpa_printf(MSG_DEBUG, "OCSP: Unexpected ResponderID CHOICE %u", 561 hdr.tag); 562 goto fail; 563 } 564 565 /* producedAt GeneralizedTime */ 566 if (asn1_get_next(pos, end - pos, &hdr) < 0 || 567 hdr.class != ASN1_CLASS_UNIVERSAL || 568 hdr.tag != ASN1_TAG_GENERALIZEDTIME || 569 x509_parse_time(hdr.payload, hdr.length, hdr.tag, 570 &produced_at) < 0) { 571 wpa_printf(MSG_DEBUG, "OCSP: Failed to parse producedAt"); 572 goto fail; 573 } 574 wpa_printf(MSG_DEBUG, "OCSP: producedAt %lu", 575 (unsigned long) produced_at); 576 pos = hdr.payload + hdr.length; 577 578 /* responses SEQUENCE OF SingleResponse */ 579 if (asn1_get_next(pos, end - pos, &hdr) < 0 || 580 hdr.class != ASN1_CLASS_UNIVERSAL || 581 hdr.tag != ASN1_TAG_SEQUENCE) { 582 wpa_printf(MSG_DEBUG, 583 "OCSP: Expected SEQUENCE (responses) - found class %d tag 0x%x", 584 hdr.class, hdr.tag); 585 goto fail; 586 } 587 responses = hdr.payload; 588 responses_len = hdr.length; 589 wpa_hexdump(MSG_MSGDUMP, "OCSP: responses", responses, responses_len); 590 pos = hdr.payload + hdr.length; 591 592 if (pos < end) { 593 /* responseExtensions [1] EXPLICIT Extensions OPTIONAL */ 594 wpa_hexdump(MSG_MSGDUMP, "OCSP: responseExtensions", 595 pos, end - pos); 596 /* Ignore for now. */ 597 } 598 599 if (!srv_cert) { 600 wpa_printf(MSG_DEBUG, 601 "OCSP: Server certificate not known - cannot check OCSP response"); 602 goto no_resp; 603 } 604 605 if (srv_cert->next) { 606 /* Issuer has already been verified in the chain */ 607 issuer = srv_cert->next; 608 } else { 609 /* Find issuer from the set of trusted certificates */ 610 for (issuer = conn->cred ? conn->cred->trusted_certs : NULL; 611 issuer; issuer = issuer->next) { 612 if (x509_name_compare(&srv_cert->issuer, 613 &issuer->subject) == 0) 614 break; 615 } 616 } 617 if (!issuer) { 618 wpa_printf(MSG_DEBUG, 619 "OCSP: Server certificate issuer not known - cannot check OCSP response"); 620 goto no_resp; 621 } 622 623 if (ocsp_responder_id_match(issuer, &name, key_hash)) { 624 wpa_printf(MSG_DEBUG, 625 "OCSP: Server certificate issuer certificate matches ResponderID"); 626 signer = issuer; 627 } else { 628 for (signer = certs; signer; signer = signer->next) { 629 if (!ocsp_responder_id_match(signer, &name, key_hash) || 630 x509_name_compare(&srv_cert->issuer, 631 &issuer->subject) != 0 || 632 !(signer->ext_key_usage & 633 X509_EXT_KEY_USAGE_OCSP) || 634 x509_certificate_check_signature(issuer, signer) < 635 0) 636 continue; 637 wpa_printf(MSG_DEBUG, 638 "OCSP: An extra certificate from the response matches ResponderID and is trusted as an OCSP signer"); 639 break; 640 } 641 if (!signer) { 642 wpa_printf(MSG_DEBUG, 643 "OCSP: Could not find OCSP signer certificate"); 644 goto no_resp; 645 } 646 } 647 648 x509_free_name(&name); 649 os_memset(&name, 0, sizeof(name)); 650 x509_certificate_chain_free(certs); 651 certs = NULL; 652 653 if (x509_check_signature(signer, &alg, sign_value, sign_value_len, 654 resp_data_signed, resp_data_signed_len) < 0) { 655 wpa_printf(MSG_DEBUG, "OCSP: Invalid signature"); 656 return TLS_OCSP_INVALID; 657 } 658 659 res = tls_process_ocsp_responses(conn, srv_cert, issuer, 660 responses, responses_len); 661 if (res == TLS_OCSP_REVOKED) 662 srv_cert->ocsp_revoked = 1; 663 else if (res == TLS_OCSP_GOOD) 664 srv_cert->ocsp_good = 1; 665 return res; 666 667 no_resp: 668 x509_free_name(&name); 669 x509_certificate_chain_free(certs); 670 return TLS_OCSP_NO_RESPONSE; 671 672 fail: 673 x509_free_name(&name); 674 x509_certificate_chain_free(certs); 675 return TLS_OCSP_INVALID; 676 } 677 678 679 enum tls_ocsp_result tls_process_ocsp_response(struct tlsv1_client *conn, 680 const u8 *resp, size_t len) 681 { 682 struct asn1_hdr hdr; 683 const u8 *pos, *end; 684 u8 resp_status; 685 struct asn1_oid oid; 686 char obuf[80]; 687 struct x509_certificate *cert; 688 enum tls_ocsp_result res = TLS_OCSP_NO_RESPONSE; 689 enum tls_ocsp_result res_first = res; 690 691 wpa_hexdump(MSG_MSGDUMP, "TLSv1: OCSPResponse", resp, len); 692 693 /* 694 * RFC 6960, 4.2.1: 695 * OCSPResponse ::= SEQUENCE { 696 * responseStatus OCSPResponseStatus, 697 * responseBytes [0] EXPLICIT ResponseBytes OPTIONAL } 698 */ 699 700 if (asn1_get_next(resp, len, &hdr) < 0 || 701 hdr.class != ASN1_CLASS_UNIVERSAL || 702 hdr.tag != ASN1_TAG_SEQUENCE) { 703 wpa_printf(MSG_DEBUG, 704 "OCSP: Expected SEQUENCE (OCSPResponse) - found class %d tag 0x%x", 705 hdr.class, hdr.tag); 706 return TLS_OCSP_INVALID; 707 } 708 pos = hdr.payload; 709 end = hdr.payload + hdr.length; 710 711 /* OCSPResponseStatus ::= ENUMERATED */ 712 if (asn1_get_next(pos, end - pos, &hdr) < 0 || 713 hdr.class != ASN1_CLASS_UNIVERSAL || 714 hdr.tag != ASN1_TAG_ENUMERATED || 715 hdr.length != 1) { 716 wpa_printf(MSG_DEBUG, 717 "OCSP: Expected ENUMERATED (responseStatus) - found class %d tag 0x%x length %u", 718 hdr.class, hdr.tag, hdr.length); 719 return TLS_OCSP_INVALID; 720 } 721 resp_status = hdr.payload[0]; 722 wpa_printf(MSG_DEBUG, "OCSP: responseStatus %u", resp_status); 723 pos = hdr.payload + hdr.length; 724 if (resp_status != OCSP_RESP_STATUS_SUCCESSFUL) { 725 wpa_printf(MSG_DEBUG, "OCSP: No stapling result"); 726 return TLS_OCSP_NO_RESPONSE; 727 } 728 729 /* responseBytes [0] EXPLICIT ResponseBytes OPTIONAL */ 730 if (pos == end) 731 return TLS_OCSP_NO_RESPONSE; 732 733 if (asn1_get_next(pos, end - pos, &hdr) < 0 || 734 hdr.class != ASN1_CLASS_CONTEXT_SPECIFIC || 735 hdr.tag != 0) { 736 wpa_printf(MSG_DEBUG, 737 "OCSP: Expected [0] EXPLICIT (responseBytes) - found class %d tag 0x%x", 738 hdr.class, hdr.tag); 739 return TLS_OCSP_INVALID; 740 } 741 742 /* 743 * ResponseBytes ::= SEQUENCE { 744 * responseType OBJECT IDENTIFIER, 745 * response OCTET STRING } 746 */ 747 748 if (asn1_get_next(hdr.payload, hdr.length, &hdr) < 0 || 749 hdr.class != ASN1_CLASS_UNIVERSAL || 750 hdr.tag != ASN1_TAG_SEQUENCE) { 751 wpa_printf(MSG_DEBUG, 752 "OCSP: Expected SEQUENCE (ResponseBytes) - found class %d tag 0x%x", 753 hdr.class, hdr.tag); 754 return TLS_OCSP_INVALID; 755 } 756 pos = hdr.payload; 757 end = hdr.payload + hdr.length; 758 759 /* responseType OBJECT IDENTIFIER */ 760 if (asn1_get_oid(pos, end - pos, &oid, &pos)) { 761 wpa_printf(MSG_DEBUG, 762 "OCSP: Failed to parse OID (responseType)"); 763 return TLS_OCSP_INVALID; 764 } 765 asn1_oid_to_str(&oid, obuf, sizeof(obuf)); 766 wpa_printf(MSG_DEBUG, "OCSP: responseType %s", obuf); 767 if (!is_oid_basic_ocsp_resp(&oid)) { 768 wpa_printf(MSG_DEBUG, "OCSP: Ignore unsupported response type"); 769 return TLS_OCSP_NO_RESPONSE; 770 } 771 772 /* response OCTET STRING */ 773 if (asn1_get_next(pos, end - pos, &hdr) < 0 || 774 hdr.class != ASN1_CLASS_UNIVERSAL || 775 hdr.tag != ASN1_TAG_OCTETSTRING) { 776 wpa_printf(MSG_DEBUG, 777 "OCSP: Expected OCTET STRING (response) - found class %d tag 0x%x", 778 hdr.class, hdr.tag); 779 return TLS_OCSP_INVALID; 780 } 781 782 cert = conn->server_cert; 783 while (cert) { 784 if (!cert->ocsp_good && !cert->ocsp_revoked) { 785 char sbuf[128]; 786 787 x509_name_string(&cert->subject, sbuf, sizeof(sbuf)); 788 wpa_printf(MSG_DEBUG, 789 "OCSP: Trying to find certificate status for %s", 790 sbuf); 791 792 res = tls_process_basic_ocsp_response(conn, cert, 793 hdr.payload, 794 hdr.length); 795 if (cert == conn->server_cert) 796 res_first = res; 797 } 798 if (res == TLS_OCSP_REVOKED || cert->issuer_trusted) 799 break; 800 cert = cert->next; 801 } 802 return res == TLS_OCSP_REVOKED ? res : res_first; 803 } 804