xref: /freebsd/contrib/wpa/src/tls/tlsv1_client_ocsp.c (revision a3266ba2697a383d2ede56803320d941866c7e76)
1 /*
2  * TLSv1 client - OCSP
3  * Copyright (c) 2015, Jouni Malinen <j@w1.fi>
4  *
5  * This software may be distributed under the terms of the BSD license.
6  * See README for more details.
7  */
8 
9 #include "includes.h"
10 
11 #include "common.h"
12 #include "crypto/tls.h"
13 #include "crypto/sha1.h"
14 #include "asn1.h"
15 #include "x509v3.h"
16 #include "tlsv1_common.h"
17 #include "tlsv1_record.h"
18 #include "tlsv1_client.h"
19 #include "tlsv1_client_i.h"
20 
21 
22 /* RFC 6960, 4.2.1: OCSPResponseStatus ::= ENUMERATED */
23 enum ocsp_response_status {
24 	OCSP_RESP_STATUS_SUCCESSFUL = 0,
25 	OCSP_RESP_STATUS_MALFORMED_REQ = 1,
26 	OCSP_RESP_STATUS_INT_ERROR = 2,
27 	OCSP_RESP_STATUS_TRY_LATER = 3,
28 	/* 4 not used */
29 	OCSP_RESP_STATUS_SIG_REQUIRED = 5,
30 	OCSP_RESP_STATUS_UNAUTHORIZED = 6,
31 };
32 
33 
34 static int is_oid_basic_ocsp_resp(struct asn1_oid *oid)
35 {
36 	return oid->len == 10 &&
37 		oid->oid[0] == 1 /* iso */ &&
38 		oid->oid[1] == 3 /* identified-organization */ &&
39 		oid->oid[2] == 6 /* dod */ &&
40 		oid->oid[3] == 1 /* internet */ &&
41 		oid->oid[4] == 5 /* security */ &&
42 		oid->oid[5] == 5 /* mechanisms */ &&
43 		oid->oid[6] == 7 /* id-pkix */ &&
44 		oid->oid[7] == 48 /* id-ad */ &&
45 		oid->oid[8] == 1 /* id-pkix-ocsp */ &&
46 		oid->oid[9] == 1 /* id-pkix-ocsp-basic */;
47 }
48 
49 
50 static int ocsp_responder_id_match(struct x509_certificate *signer,
51 				   struct x509_name *name, const u8 *key_hash)
52 {
53 	if (key_hash) {
54 		u8 hash[SHA1_MAC_LEN];
55 		const u8 *addr[1] = { signer->public_key };
56 		size_t len[1] = { signer->public_key_len };
57 
58 		if (sha1_vector(1, addr, len, hash) < 0)
59 			return 0;
60 		return os_memcmp(hash, key_hash, SHA1_MAC_LEN) == 0;
61 	}
62 
63 	return x509_name_compare(&signer->subject, name) == 0;
64 }
65 
66 
67 static unsigned int ocsp_hash_data(struct asn1_oid *alg, const u8 *data,
68 				   size_t data_len, u8 *hash)
69 {
70 	const u8 *addr[1] = { data };
71 	size_t len[1] = { data_len };
72 	char buf[100];
73 
74 	if (x509_sha1_oid(alg)) {
75 		if (sha1_vector(1, addr, len, hash) < 0)
76 			return 0;
77 		wpa_hexdump(MSG_MSGDUMP, "OCSP: Hash (SHA1)", hash, 20);
78 		return 20;
79 	}
80 
81 	if (x509_sha256_oid(alg)) {
82 		if (sha256_vector(1, addr, len, hash) < 0)
83 			return 0;
84 		wpa_hexdump(MSG_MSGDUMP, "OCSP: Hash (SHA256)", hash, 32);
85 		return 32;
86 	}
87 
88 	if (x509_sha384_oid(alg)) {
89 		if (sha384_vector(1, addr, len, hash) < 0)
90 			return 0;
91 		wpa_hexdump(MSG_MSGDUMP, "OCSP: Hash (SHA384)", hash, 48);
92 		return 48;
93 	}
94 
95 	if (x509_sha512_oid(alg)) {
96 		if (sha512_vector(1, addr, len, hash) < 0)
97 			return 0;
98 		wpa_hexdump(MSG_MSGDUMP, "OCSP: Hash (SHA512)", hash, 64);
99 		return 64;
100 	}
101 
102 
103 	asn1_oid_to_str(alg, buf, sizeof(buf));
104 	wpa_printf(MSG_DEBUG, "OCSP: Could not calculate hash with alg %s",
105 		   buf);
106 	return 0;
107 }
108 
109 
110 static int tls_process_ocsp_single_response(struct tlsv1_client *conn,
111 					    struct x509_certificate *cert,
112 					    struct x509_certificate *issuer,
113 					    const u8 *resp, size_t len,
114 					    enum tls_ocsp_result *res)
115 {
116 	struct asn1_hdr hdr;
117 	const u8 *pos, *end;
118 	struct x509_algorithm_identifier alg;
119 	const u8 *name_hash, *key_hash;
120 	size_t name_hash_len, key_hash_len;
121 	const u8 *serial_number;
122 	size_t serial_number_len;
123 	u8 hash[64];
124 	unsigned int hash_len;
125 	unsigned int cert_status;
126 	os_time_t update;
127 	struct os_time now;
128 
129 	wpa_hexdump(MSG_MSGDUMP, "OCSP: SingleResponse", resp, len);
130 
131 	/*
132 	 * SingleResponse ::= SEQUENCE {
133 	 *    certID                       CertID,
134 	 *    certStatus                   CertStatus,
135 	 *    thisUpdate                   GeneralizedTime,
136 	 *    nextUpdate         [0]       EXPLICIT GeneralizedTime OPTIONAL,
137 	 *    singleExtensions   [1]       EXPLICIT Extensions OPTIONAL }
138 	 */
139 
140 	/* CertID ::= SEQUENCE */
141 	if (asn1_get_next(resp, len, &hdr) < 0 || !asn1_is_sequence(&hdr)) {
142 		asn1_unexpected(&hdr, "OCSP: Expected SEQUENCE (CertID)");
143 		return -1;
144 	}
145 	pos = hdr.payload;
146 	end = hdr.payload + hdr.length;
147 
148 	/*
149 	 * CertID ::= SEQUENCE {
150 	 *    hashAlgorithm           AlgorithmIdentifier,
151 	 *    issuerNameHash          OCTET STRING,
152 	 *    issuerKeyHash           OCTET STRING,
153 	 *    serialNumber            CertificateSerialNumber }
154 	 */
155 
156 	/* hashAlgorithm  AlgorithmIdentifier */
157 	if (x509_parse_algorithm_identifier(pos, end - pos, &alg, &pos))
158 		return -1;
159 
160 	/* issuerNameHash  OCTET STRING */
161 	if (asn1_get_next(pos, end - pos, &hdr) < 0 ||
162 	    !asn1_is_octetstring(&hdr)) {
163 		asn1_unexpected(&hdr,
164 				"OCSP: Expected OCTET STRING (issuerNameHash)");
165 		return -1;
166 	}
167 	name_hash = hdr.payload;
168 	name_hash_len = hdr.length;
169 	wpa_hexdump(MSG_DEBUG, "OCSP: issuerNameHash",
170 		    name_hash, name_hash_len);
171 	pos = hdr.payload + hdr.length;
172 
173 	wpa_hexdump(MSG_DEBUG, "OCSP: Issuer subject DN",
174 		    issuer->subject_dn, issuer->subject_dn_len);
175 	hash_len = ocsp_hash_data(&alg.oid, issuer->subject_dn,
176 				  issuer->subject_dn_len, hash);
177 	if (hash_len == 0 || name_hash_len != hash_len ||
178 	    os_memcmp(name_hash, hash, hash_len) != 0) {
179 		wpa_printf(MSG_DEBUG, "OCSP: issuerNameHash mismatch");
180 		wpa_hexdump(MSG_DEBUG, "OCSP: Calculated issuerNameHash",
181 			    hash, hash_len);
182 		return -1;
183 	}
184 
185 	/* issuerKeyHash  OCTET STRING */
186 	if (asn1_get_next(pos, end - pos, &hdr) < 0 ||
187 	    !asn1_is_octetstring(&hdr)) {
188 		asn1_unexpected(&hdr,
189 				"OCSP: Expected OCTET STRING (issuerKeyHash)");
190 		return -1;
191 	}
192 	key_hash = hdr.payload;
193 	key_hash_len = hdr.length;
194 	wpa_hexdump(MSG_DEBUG, "OCSP: issuerKeyHash", key_hash, key_hash_len);
195 	pos = hdr.payload + hdr.length;
196 
197 	hash_len = ocsp_hash_data(&alg.oid, issuer->public_key,
198 				  issuer->public_key_len, hash);
199 	if (hash_len == 0 || key_hash_len != hash_len ||
200 	    os_memcmp(key_hash, hash, hash_len) != 0) {
201 		wpa_printf(MSG_DEBUG, "OCSP: issuerKeyHash mismatch");
202 		wpa_hexdump(MSG_DEBUG, "OCSP: Calculated issuerKeyHash",
203 			    hash, hash_len);
204 		return -1;
205 	}
206 
207 	/* serialNumber CertificateSerialNumber ::= INTEGER */
208 	if (asn1_get_next(pos, end - pos, &hdr) < 0 ||
209 	    !asn1_is_integer(&hdr) ||
210 	    hdr.length < 1 || hdr.length > X509_MAX_SERIAL_NUM_LEN) {
211 		asn1_unexpected(&hdr,
212 				"OCSP: No INTEGER tag found for serialNumber");
213 		return -1;
214 	}
215 	serial_number = hdr.payload;
216 	serial_number_len = hdr.length;
217 	while (serial_number_len > 0 && serial_number[0] == 0) {
218 		serial_number++;
219 		serial_number_len--;
220 	}
221 	wpa_hexdump(MSG_MSGDUMP, "OCSP: serialNumber", serial_number,
222 		    serial_number_len);
223 
224 	if (serial_number_len != cert->serial_number_len ||
225 	    os_memcmp(serial_number, cert->serial_number,
226 		      serial_number_len) != 0) {
227 		wpa_printf(MSG_DEBUG, "OCSP: serialNumber mismatch");
228 		return -1;
229 	}
230 
231 	pos = end;
232 	end = resp + len;
233 
234 	/* certStatus CertStatus ::= CHOICE
235 	 *
236 	 * CertStatus ::= CHOICE {
237 	 *     good        [0]     IMPLICIT NULL,
238 	 *     revoked     [1]     IMPLICIT RevokedInfo,
239 	 *     unknown     [2]     IMPLICIT UnknownInfo }
240 	 */
241 	if (asn1_get_next(pos, end - pos, &hdr) < 0 ||
242 	    hdr.class != ASN1_CLASS_CONTEXT_SPECIFIC) {
243 		asn1_unexpected(&hdr, "OCSP: Expected CHOICE (CertStatus)");
244 		return -1;
245 	}
246 	cert_status = hdr.tag;
247 	wpa_printf(MSG_DEBUG, "OCSP: certStatus=%u", cert_status);
248 	wpa_hexdump(MSG_DEBUG, "OCSP: CertStatus additional data",
249 		    hdr.payload, hdr.length);
250 	pos = hdr.payload + hdr.length;
251 
252 	os_get_time(&now);
253 	/* thisUpdate  GeneralizedTime */
254 	if (asn1_get_next(pos, end - pos, &hdr) < 0 ||
255 	    !asn1_is_generalizedtime(&hdr) ||
256 	    x509_parse_time(hdr.payload, hdr.length, hdr.tag, &update) < 0) {
257 		wpa_printf(MSG_DEBUG, "OCSP: Failed to parse thisUpdate");
258 		return -1;
259 	}
260 	wpa_printf(MSG_DEBUG, "OCSP: thisUpdate %lu", (unsigned long) update);
261 	pos = hdr.payload + hdr.length;
262 	if ((unsigned long) now.sec < (unsigned long) update) {
263 		wpa_printf(MSG_DEBUG,
264 			   "OCSP: thisUpdate time in the future (response not yet valid)");
265 		return -1;
266 	}
267 
268 	/* nextUpdate  [0]  EXPLICIT GeneralizedTime OPTIONAL */
269 	if (pos < end) {
270 		if (asn1_get_next(pos, end - pos, &hdr) < 0)
271 			return -1;
272 		if (asn1_is_cs_tag(&hdr, 0) && hdr.constructed) {
273 			const u8 *next = hdr.payload + hdr.length;
274 
275 			if (asn1_get_next(hdr.payload, hdr.length, &hdr) < 0 ||
276 			    !asn1_is_generalizedtime(&hdr) ||
277 			    x509_parse_time(hdr.payload, hdr.length, hdr.tag,
278 					    &update) < 0) {
279 				wpa_printf(MSG_DEBUG,
280 					   "OCSP: Failed to parse nextUpdate");
281 				return -1;
282 			}
283 			wpa_printf(MSG_DEBUG, "OCSP: nextUpdate %lu",
284 				   (unsigned long) update);
285 			pos = next;
286 			if ((unsigned long) now.sec > (unsigned long) update) {
287 				wpa_printf(MSG_DEBUG, "OCSP: nextUpdate time in the past (response has expired)");
288 				return -1;
289 			}
290 		}
291 	}
292 
293 	/* singleExtensions  [1]  EXPLICIT Extensions OPTIONAL */
294 	if (pos < end) {
295 		wpa_hexdump(MSG_MSGDUMP, "OCSP: singleExtensions",
296 			    pos, end - pos);
297 		/* Ignore for now */
298 	}
299 
300 	if (cert_status == 0 /* good */)
301 		*res = TLS_OCSP_GOOD;
302 	else if (cert_status == 1 /* revoked */)
303 		*res = TLS_OCSP_REVOKED;
304 	else
305 		return -1;
306 	return 0;
307 }
308 
309 
310 static enum tls_ocsp_result
311 tls_process_ocsp_responses(struct tlsv1_client *conn,
312 			   struct x509_certificate *cert,
313 			   struct x509_certificate *issuer, const u8 *resp,
314 			   size_t len)
315 {
316 	struct asn1_hdr hdr;
317 	const u8 *pos, *end;
318 	enum tls_ocsp_result res;
319 
320 	pos = resp;
321 	end = resp + len;
322 	while (pos < end) {
323 		/* SingleResponse ::= SEQUENCE */
324 		if (asn1_get_next(pos, end - pos, &hdr) < 0 ||
325 		    !asn1_is_sequence(&hdr)) {
326 			asn1_unexpected(&hdr,
327 					"OCSP: Expected SEQUENCE (SingleResponse)");
328 			return TLS_OCSP_INVALID;
329 		}
330 		if (tls_process_ocsp_single_response(conn, cert, issuer,
331 						     hdr.payload, hdr.length,
332 						     &res) == 0)
333 			return res;
334 		pos = hdr.payload + hdr.length;
335 	}
336 
337 	wpa_printf(MSG_DEBUG,
338 		   "OCSP: Did not find a response matching the server certificate");
339 	return TLS_OCSP_NO_RESPONSE;
340 }
341 
342 
343 static enum tls_ocsp_result
344 tls_process_basic_ocsp_response(struct tlsv1_client *conn,
345 				struct x509_certificate *srv_cert,
346 				const u8 *resp, size_t len)
347 {
348 	struct asn1_hdr hdr;
349 	const u8 *pos, *end;
350 	const u8 *resp_data, *sign_value, *key_hash = NULL, *responses;
351 	const u8 *resp_data_signed;
352 	size_t resp_data_len, sign_value_len, responses_len;
353 	size_t resp_data_signed_len;
354 	struct x509_algorithm_identifier alg;
355 	struct x509_certificate *certs = NULL, *last_cert = NULL;
356 	struct x509_certificate *issuer, *signer;
357 	struct x509_name name; /* used if key_hash == NULL */
358 	char buf[100];
359 	os_time_t produced_at;
360 	enum tls_ocsp_result res;
361 
362 	wpa_hexdump(MSG_MSGDUMP, "OCSP: BasicOCSPResponse", resp, len);
363 
364 	os_memset(&name, 0, sizeof(name));
365 
366 	/*
367 	 * RFC 6960, 4.2.1:
368 	 * BasicOCSPResponse       ::= SEQUENCE {
369 	 *    tbsResponseData      ResponseData,
370 	 *    signatureAlgorithm   AlgorithmIdentifier,
371 	 *    signature            BIT STRING,
372 	 *    certs            [0] EXPLICIT SEQUENCE OF Certificate OPTIONAL }
373 	 */
374 
375 	if (asn1_get_next(resp, len, &hdr) < 0 || !asn1_is_sequence(&hdr)) {
376 		asn1_unexpected(&hdr,
377 				"OCSP: Expected SEQUENCE (BasicOCSPResponse)");
378 		return TLS_OCSP_INVALID;
379 	}
380 	pos = hdr.payload;
381 	end = hdr.payload + hdr.length;
382 
383 	/* ResponseData ::= SEQUENCE */
384 	if (asn1_get_next(pos, end - pos, &hdr) < 0 ||
385 	    !asn1_is_sequence(&hdr)) {
386 		asn1_unexpected(&hdr,
387 				"OCSP: Expected SEQUENCE (ResponseData)");
388 		return TLS_OCSP_INVALID;
389 	}
390 	resp_data = hdr.payload;
391 	resp_data_len = hdr.length;
392 	resp_data_signed = pos;
393 	pos = hdr.payload + hdr.length;
394 	resp_data_signed_len = pos - resp_data_signed;
395 
396 	/* signatureAlgorithm  AlgorithmIdentifier */
397 	if (x509_parse_algorithm_identifier(pos, end - pos, &alg, &pos))
398 		return TLS_OCSP_INVALID;
399 
400 	/* signature  BIT STRING */
401 	if (asn1_get_next(pos, end - pos, &hdr) < 0 ||
402 	    !asn1_is_bitstring(&hdr)) {
403 		asn1_unexpected(&hdr,
404 				"OCSP: Expected BITSTRING (signature)");
405 		return TLS_OCSP_INVALID;
406 	}
407 	if (hdr.length < 1)
408 		return TLS_OCSP_INVALID;
409 	pos = hdr.payload;
410 	if (*pos) {
411 		wpa_printf(MSG_DEBUG, "OCSP: BITSTRING - %d unused bits", *pos);
412 		/* PKCS #1 v1.5 10.2.1:
413 		 * It is an error if the length in bits of the signature S is
414 		 * not a multiple of eight.
415 		 */
416 		return TLS_OCSP_INVALID;
417 	}
418 	sign_value = pos + 1;
419 	sign_value_len = hdr.length - 1;
420 	pos += hdr.length;
421 	wpa_hexdump(MSG_MSGDUMP, "OCSP: signature", sign_value, sign_value_len);
422 
423 	/* certs  [0] EXPLICIT SEQUENCE OF Certificate OPTIONAL */
424 	if (pos < end) {
425 		if (asn1_get_next(pos, end - pos, &hdr) < 0 ||
426 		    !hdr.constructed || !asn1_is_cs_tag(&hdr, 0)) {
427 			asn1_unexpected(&hdr,
428 					"OCSP: Expected [0] EXPLICIT (certs)");
429 			return TLS_OCSP_INVALID;
430 		}
431 		wpa_hexdump(MSG_MSGDUMP, "OCSP: certs",
432 			    hdr.payload, hdr.length);
433 		pos = hdr.payload;
434 		end = hdr.payload + hdr.length;
435 		while (pos < end) {
436 			struct x509_certificate *cert;
437 
438 			if (asn1_get_next(pos, end - pos, &hdr) < 0 ||
439 			    !asn1_is_sequence(&hdr)) {
440 				asn1_unexpected(&hdr,
441 						"OCSP: Expected SEQUENCE (Certificate)");
442 				goto fail;
443 			}
444 
445 			cert = x509_certificate_parse(hdr.payload, hdr.length);
446 			if (!cert)
447 				goto fail;
448 			if (last_cert) {
449 				last_cert->next = cert;
450 				last_cert = cert;
451 			} else {
452 				last_cert = certs = cert;
453 			}
454 			pos = hdr.payload + hdr.length;
455 		}
456 	}
457 
458 	/*
459 	 * ResponseData ::= SEQUENCE {
460 	 *    version              [0] EXPLICIT Version DEFAULT v1,
461 	 *    responderID              ResponderID,
462 	 *    producedAt               GeneralizedTime,
463 	 *    responses                SEQUENCE OF SingleResponse,
464 	 *    responseExtensions   [1] EXPLICIT Extensions OPTIONAL }
465 	 */
466 	pos = resp_data;
467 	end = resp_data + resp_data_len;
468 	wpa_hexdump(MSG_MSGDUMP, "OCSP: ResponseData", pos, end - pos);
469 
470 	/*
471 	 * version [0] EXPLICIT Version DEFAULT v1
472 	 * Version ::= INTEGER { v1(0) }
473 	 */
474 	if (asn1_get_next(pos, end - pos, &hdr) == 0 && hdr.constructed &&
475 	    asn1_is_cs_tag(&hdr, 0)) {
476 		if (asn1_get_next(pos, end - pos, &hdr) < 0 ||
477 		    !asn1_is_integer(&hdr) || hdr.length != 1) {
478 			asn1_unexpected(&hdr,
479 					"OCSP: No INTEGER (len=1) tag found for version field");
480 			goto fail;
481 		}
482 		wpa_printf(MSG_DEBUG, "OCSP: ResponseData version %u",
483 			   hdr.payload[0]);
484 		if (hdr.payload[0] != 0) {
485 			wpa_printf(MSG_DEBUG,
486 				   "OCSP: Unsupported ResponseData version %u",
487 				   hdr.payload[0]);
488 			goto no_resp;
489 		}
490 		pos = hdr.payload + hdr.length;
491 	} else {
492 		wpa_printf(MSG_DEBUG,
493 			   "OCSP: Default ResponseData version (v1)");
494 	}
495 
496 	/*
497 	 * ResponderID ::= CHOICE {
498 	 *    byName              [1] Name,
499 	 *    byKey               [2] KeyHash }
500 	 */
501 	if (asn1_get_next(pos, end - pos, &hdr) < 0 ||
502 	    hdr.class != ASN1_CLASS_CONTEXT_SPECIFIC) {
503 		asn1_unexpected(&hdr, "OCSP: Expected CHOICE (ResponderID)");
504 		goto fail;
505 	}
506 
507 	if (hdr.tag == 1) {
508 		/* Name */
509 		if (x509_parse_name(hdr.payload, hdr.length, &name, &pos) < 0)
510 			goto fail;
511 		x509_name_string(&name, buf, sizeof(buf));
512 		wpa_printf(MSG_DEBUG, "OCSP: ResponderID byName Name: %s", buf);
513 	} else if (hdr.tag == 2) {
514 		/* KeyHash ::= OCTET STRING */
515 		if (asn1_get_next(hdr.payload, hdr.length, &hdr) < 0 ||
516 		    !asn1_is_octetstring(&hdr)) {
517 			asn1_unexpected(&hdr,
518 					"OCSP: Expected OCTET STRING (KeyHash)");
519 			goto fail;
520 		}
521 		key_hash = hdr.payload;
522 		wpa_hexdump(MSG_DEBUG, "OCSP: ResponderID byKey KeyHash",
523 			    key_hash, hdr.length);
524 		if (hdr.length != SHA1_MAC_LEN) {
525 			wpa_printf(MSG_DEBUG,
526 				   "OCSP: Unexpected byKey KeyHash length %u - expected %u for SHA-1",
527 				   hdr.length, SHA1_MAC_LEN);
528 			goto fail;
529 		}
530 		pos = hdr.payload + hdr.length;
531 	} else {
532 		wpa_printf(MSG_DEBUG, "OCSP: Unexpected ResponderID CHOICE %u",
533 			   hdr.tag);
534 		goto fail;
535 	}
536 
537 	/* producedAt  GeneralizedTime */
538 	if (asn1_get_next(pos, end - pos, &hdr) < 0 ||
539 	    !asn1_is_generalizedtime(&hdr) ||
540 	    x509_parse_time(hdr.payload, hdr.length, hdr.tag,
541 			    &produced_at) < 0) {
542 		wpa_printf(MSG_DEBUG, "OCSP: Failed to parse producedAt");
543 		goto fail;
544 	}
545 	wpa_printf(MSG_DEBUG, "OCSP: producedAt %lu",
546 		   (unsigned long) produced_at);
547 	pos = hdr.payload + hdr.length;
548 
549 	/* responses  SEQUENCE OF SingleResponse */
550 	if (asn1_get_next(pos, end - pos, &hdr) < 0 ||
551 	    !asn1_is_sequence(&hdr)) {
552 		asn1_unexpected(&hdr,
553 				"OCSP: Expected SEQUENCE (responses)");
554 		goto fail;
555 	}
556 	responses = hdr.payload;
557 	responses_len = hdr.length;
558 	wpa_hexdump(MSG_MSGDUMP, "OCSP: responses", responses, responses_len);
559 	pos = hdr.payload + hdr.length;
560 
561 	if (pos < end) {
562 		/* responseExtensions  [1] EXPLICIT Extensions OPTIONAL */
563 		wpa_hexdump(MSG_MSGDUMP, "OCSP: responseExtensions",
564 			    pos, end - pos);
565 		/* Ignore for now. */
566 	}
567 
568 	if (!srv_cert) {
569 		wpa_printf(MSG_DEBUG,
570 			   "OCSP: Server certificate not known - cannot check OCSP response");
571 		goto no_resp;
572 	}
573 
574 	if (srv_cert->next) {
575 		/* Issuer has already been verified in the chain */
576 		issuer = srv_cert->next;
577 	} else {
578 		/* Find issuer from the set of trusted certificates */
579 		for (issuer = conn->cred ? conn->cred->trusted_certs : NULL;
580 		     issuer; issuer = issuer->next) {
581 			if (x509_name_compare(&srv_cert->issuer,
582 					      &issuer->subject) == 0)
583 				break;
584 		}
585 	}
586 	if (!issuer) {
587 		wpa_printf(MSG_DEBUG,
588 			   "OCSP: Server certificate issuer not known - cannot check OCSP response");
589 		goto no_resp;
590 	}
591 
592 	if (ocsp_responder_id_match(issuer, &name, key_hash)) {
593 		wpa_printf(MSG_DEBUG,
594 			   "OCSP: Server certificate issuer certificate matches ResponderID");
595 		signer = issuer;
596 	} else {
597 		for (signer = certs; signer; signer = signer->next) {
598 			if (!ocsp_responder_id_match(signer, &name, key_hash) ||
599 			    x509_name_compare(&srv_cert->issuer,
600 					      &issuer->subject) != 0 ||
601 			    !(signer->ext_key_usage &
602 			      X509_EXT_KEY_USAGE_OCSP) ||
603 			    x509_certificate_check_signature(issuer, signer) <
604 			    0)
605 				continue;
606 			wpa_printf(MSG_DEBUG,
607 				   "OCSP: An extra certificate from the response matches ResponderID and is trusted as an OCSP signer");
608 			break;
609 		}
610 		if (!signer) {
611 			wpa_printf(MSG_DEBUG,
612 				   "OCSP: Could not find OCSP signer certificate");
613 			goto no_resp;
614 		}
615 	}
616 
617 	x509_free_name(&name);
618 	os_memset(&name, 0, sizeof(name));
619 	x509_certificate_chain_free(certs);
620 	certs = NULL;
621 
622 	if (x509_check_signature(signer, &alg, sign_value, sign_value_len,
623 				 resp_data_signed, resp_data_signed_len) < 0) {
624 		    wpa_printf(MSG_DEBUG, "OCSP: Invalid signature");
625 		    return TLS_OCSP_INVALID;
626 	}
627 
628 	res = tls_process_ocsp_responses(conn, srv_cert, issuer,
629 					 responses, responses_len);
630 	if (res == TLS_OCSP_REVOKED)
631 		srv_cert->ocsp_revoked = 1;
632 	else if (res == TLS_OCSP_GOOD)
633 		srv_cert->ocsp_good = 1;
634 	return res;
635 
636 no_resp:
637 	x509_free_name(&name);
638 	x509_certificate_chain_free(certs);
639 	return TLS_OCSP_NO_RESPONSE;
640 
641 fail:
642 	x509_free_name(&name);
643 	x509_certificate_chain_free(certs);
644 	return TLS_OCSP_INVALID;
645 }
646 
647 
648 enum tls_ocsp_result tls_process_ocsp_response(struct tlsv1_client *conn,
649 					       const u8 *resp, size_t len)
650 {
651 	struct asn1_hdr hdr;
652 	const u8 *pos, *end;
653 	u8 resp_status;
654 	struct asn1_oid oid;
655 	char obuf[80];
656 	struct x509_certificate *cert;
657 	enum tls_ocsp_result res = TLS_OCSP_NO_RESPONSE;
658 	enum tls_ocsp_result res_first = res;
659 
660 	wpa_hexdump(MSG_MSGDUMP, "TLSv1: OCSPResponse", resp, len);
661 
662 	/*
663 	 * RFC 6960, 4.2.1:
664 	 * OCSPResponse ::= SEQUENCE {
665 	 *    responseStatus  OCSPResponseStatus,
666 	 *    responseBytes   [0] EXPLICIT ResponseBytes OPTIONAL }
667 	 */
668 
669 	if (asn1_get_next(resp, len, &hdr) < 0 || !asn1_is_sequence(&hdr)) {
670 		asn1_unexpected(&hdr,
671 				"OCSP: Expected SEQUENCE (OCSPResponse)");
672 		return TLS_OCSP_INVALID;
673 	}
674 	pos = hdr.payload;
675 	end = hdr.payload + hdr.length;
676 
677 	/* OCSPResponseStatus ::= ENUMERATED */
678 	if (asn1_get_next(pos, end - pos, &hdr) < 0 ||
679 	    !asn1_is_enumerated(&hdr) || hdr.length != 1) {
680 		asn1_unexpected(&hdr,
681 				"OCSP: Expected ENUMERATED (responseStatus)");
682 		return TLS_OCSP_INVALID;
683 	}
684 	resp_status = hdr.payload[0];
685 	wpa_printf(MSG_DEBUG, "OCSP: responseStatus %u", resp_status);
686 	pos = hdr.payload + hdr.length;
687 	if (resp_status != OCSP_RESP_STATUS_SUCCESSFUL) {
688 		wpa_printf(MSG_DEBUG, "OCSP: No stapling result");
689 		return TLS_OCSP_NO_RESPONSE;
690 	}
691 
692 	/* responseBytes   [0] EXPLICIT ResponseBytes OPTIONAL */
693 	if (pos == end)
694 		return TLS_OCSP_NO_RESPONSE;
695 
696 	if (asn1_get_next(pos, end - pos, &hdr) < 0 || !hdr.constructed ||
697 	    !asn1_is_cs_tag(&hdr, 0)) {
698 		asn1_unexpected(&hdr,
699 				"OCSP: Expected [0] EXPLICIT (responseBytes)");
700 		return TLS_OCSP_INVALID;
701 	}
702 
703 	/*
704 	 * ResponseBytes ::= SEQUENCE {
705 	 *     responseType   OBJECT IDENTIFIER,
706 	 *     response       OCTET STRING }
707 	 */
708 
709 	if (asn1_get_next(hdr.payload, hdr.length, &hdr) < 0 ||
710 	    !asn1_is_sequence(&hdr)) {
711 		asn1_unexpected(&hdr,
712 				"OCSP: Expected SEQUENCE (ResponseBytes)");
713 		return TLS_OCSP_INVALID;
714 	}
715 	pos = hdr.payload;
716 	end = hdr.payload + hdr.length;
717 
718 	/* responseType   OBJECT IDENTIFIER */
719 	if (asn1_get_oid(pos, end - pos, &oid, &pos)) {
720 		wpa_printf(MSG_DEBUG,
721 			   "OCSP: Failed to parse OID (responseType)");
722 		return TLS_OCSP_INVALID;
723 	}
724 	asn1_oid_to_str(&oid, obuf, sizeof(obuf));
725 	wpa_printf(MSG_DEBUG, "OCSP: responseType %s", obuf);
726 	if (!is_oid_basic_ocsp_resp(&oid)) {
727 		wpa_printf(MSG_DEBUG, "OCSP: Ignore unsupported response type");
728 		return TLS_OCSP_NO_RESPONSE;
729 	}
730 
731 	/* response       OCTET STRING */
732 	if (asn1_get_next(pos, end - pos, &hdr) < 0 ||
733 	    !asn1_is_octetstring(&hdr)) {
734 		asn1_unexpected(&hdr, "OCSP: Expected OCTET STRING (response)");
735 		return TLS_OCSP_INVALID;
736 	}
737 
738 	cert = conn->server_cert;
739 	while (cert) {
740 		if (!cert->ocsp_good && !cert->ocsp_revoked) {
741 			char sbuf[128];
742 
743 			x509_name_string(&cert->subject, sbuf, sizeof(sbuf));
744 			wpa_printf(MSG_DEBUG,
745 				   "OCSP: Trying to find certificate status for %s",
746 				   sbuf);
747 
748 			res = tls_process_basic_ocsp_response(conn, cert,
749 							      hdr.payload,
750 							      hdr.length);
751 			if (cert == conn->server_cert)
752 				res_first = res;
753 		}
754 		if (res == TLS_OCSP_REVOKED || cert->issuer_trusted)
755 			break;
756 		cert = cert->next;
757 	}
758 	return res == TLS_OCSP_REVOKED ? res : res_first;
759 }
760