1 /* 2 * TLSv1 client - OCSP 3 * Copyright (c) 2015, Jouni Malinen <j@w1.fi> 4 * 5 * This software may be distributed under the terms of the BSD license. 6 * See README for more details. 7 */ 8 9 #include "includes.h" 10 11 #include "common.h" 12 #include "crypto/tls.h" 13 #include "crypto/sha1.h" 14 #include "asn1.h" 15 #include "x509v3.h" 16 #include "tlsv1_common.h" 17 #include "tlsv1_record.h" 18 #include "tlsv1_client.h" 19 #include "tlsv1_client_i.h" 20 21 22 /* RFC 6960, 4.2.1: OCSPResponseStatus ::= ENUMERATED */ 23 enum ocsp_response_status { 24 OCSP_RESP_STATUS_SUCCESSFUL = 0, 25 OCSP_RESP_STATUS_MALFORMED_REQ = 1, 26 OCSP_RESP_STATUS_INT_ERROR = 2, 27 OCSP_RESP_STATUS_TRY_LATER = 3, 28 /* 4 not used */ 29 OCSP_RESP_STATUS_SIG_REQUIRED = 5, 30 OCSP_RESP_STATUS_UNAUTHORIZED = 6, 31 }; 32 33 34 static int is_oid_basic_ocsp_resp(struct asn1_oid *oid) 35 { 36 return oid->len == 10 && 37 oid->oid[0] == 1 /* iso */ && 38 oid->oid[1] == 3 /* identified-organization */ && 39 oid->oid[2] == 6 /* dod */ && 40 oid->oid[3] == 1 /* internet */ && 41 oid->oid[4] == 5 /* security */ && 42 oid->oid[5] == 5 /* mechanisms */ && 43 oid->oid[6] == 7 /* id-pkix */ && 44 oid->oid[7] == 48 /* id-ad */ && 45 oid->oid[8] == 1 /* id-pkix-ocsp */ && 46 oid->oid[9] == 1 /* id-pkix-ocsp-basic */; 47 } 48 49 50 static int ocsp_responder_id_match(struct x509_certificate *signer, 51 struct x509_name *name, const u8 *key_hash) 52 { 53 if (key_hash) { 54 u8 hash[SHA1_MAC_LEN]; 55 const u8 *addr[1] = { signer->public_key }; 56 size_t len[1] = { signer->public_key_len }; 57 58 if (sha1_vector(1, addr, len, hash) < 0) 59 return 0; 60 return os_memcmp(hash, key_hash, SHA1_MAC_LEN) == 0; 61 } 62 63 return x509_name_compare(&signer->subject, name) == 0; 64 } 65 66 67 static unsigned int ocsp_hash_data(struct asn1_oid *alg, const u8 *data, 68 size_t data_len, u8 *hash) 69 { 70 const u8 *addr[1] = { data }; 71 size_t len[1] = { data_len }; 72 char buf[100]; 73 74 if (x509_sha1_oid(alg)) { 75 if (sha1_vector(1, addr, len, hash) < 0) 76 return 0; 77 wpa_hexdump(MSG_MSGDUMP, "OCSP: Hash (SHA1)", hash, 20); 78 return 20; 79 } 80 81 if (x509_sha256_oid(alg)) { 82 if (sha256_vector(1, addr, len, hash) < 0) 83 return 0; 84 wpa_hexdump(MSG_MSGDUMP, "OCSP: Hash (SHA256)", hash, 32); 85 return 32; 86 } 87 88 if (x509_sha384_oid(alg)) { 89 if (sha384_vector(1, addr, len, hash) < 0) 90 return 0; 91 wpa_hexdump(MSG_MSGDUMP, "OCSP: Hash (SHA384)", hash, 48); 92 return 48; 93 } 94 95 if (x509_sha512_oid(alg)) { 96 if (sha512_vector(1, addr, len, hash) < 0) 97 return 0; 98 wpa_hexdump(MSG_MSGDUMP, "OCSP: Hash (SHA512)", hash, 64); 99 return 64; 100 } 101 102 103 asn1_oid_to_str(alg, buf, sizeof(buf)); 104 wpa_printf(MSG_DEBUG, "OCSP: Could not calculate hash with alg %s", 105 buf); 106 return 0; 107 } 108 109 110 static int tls_process_ocsp_single_response(struct tlsv1_client *conn, 111 struct x509_certificate *cert, 112 struct x509_certificate *issuer, 113 const u8 *resp, size_t len, 114 enum tls_ocsp_result *res) 115 { 116 struct asn1_hdr hdr; 117 const u8 *pos, *end; 118 struct x509_algorithm_identifier alg; 119 const u8 *name_hash, *key_hash; 120 size_t name_hash_len, key_hash_len; 121 const u8 *serial_number; 122 size_t serial_number_len; 123 u8 hash[64]; 124 unsigned int hash_len; 125 unsigned int cert_status; 126 os_time_t update; 127 struct os_time now; 128 129 wpa_hexdump(MSG_MSGDUMP, "OCSP: SingleResponse", resp, len); 130 131 /* 132 * SingleResponse ::= SEQUENCE { 133 * certID CertID, 134 * certStatus CertStatus, 135 * thisUpdate GeneralizedTime, 136 * nextUpdate [0] EXPLICIT GeneralizedTime OPTIONAL, 137 * singleExtensions [1] EXPLICIT Extensions OPTIONAL } 138 */ 139 140 /* CertID ::= SEQUENCE */ 141 if (asn1_get_next(resp, len, &hdr) < 0 || !asn1_is_sequence(&hdr)) { 142 asn1_unexpected(&hdr, "OCSP: Expected SEQUENCE (CertID)"); 143 return -1; 144 } 145 pos = hdr.payload; 146 end = hdr.payload + hdr.length; 147 148 /* 149 * CertID ::= SEQUENCE { 150 * hashAlgorithm AlgorithmIdentifier, 151 * issuerNameHash OCTET STRING, 152 * issuerKeyHash OCTET STRING, 153 * serialNumber CertificateSerialNumber } 154 */ 155 156 /* hashAlgorithm AlgorithmIdentifier */ 157 if (x509_parse_algorithm_identifier(pos, end - pos, &alg, &pos)) 158 return -1; 159 160 /* issuerNameHash OCTET STRING */ 161 if (asn1_get_next(pos, end - pos, &hdr) < 0 || 162 !asn1_is_octetstring(&hdr)) { 163 asn1_unexpected(&hdr, 164 "OCSP: Expected OCTET STRING (issuerNameHash)"); 165 return -1; 166 } 167 name_hash = hdr.payload; 168 name_hash_len = hdr.length; 169 wpa_hexdump(MSG_DEBUG, "OCSP: issuerNameHash", 170 name_hash, name_hash_len); 171 pos = hdr.payload + hdr.length; 172 173 wpa_hexdump(MSG_DEBUG, "OCSP: Issuer subject DN", 174 issuer->subject_dn, issuer->subject_dn_len); 175 hash_len = ocsp_hash_data(&alg.oid, issuer->subject_dn, 176 issuer->subject_dn_len, hash); 177 if (hash_len == 0 || name_hash_len != hash_len || 178 os_memcmp(name_hash, hash, hash_len) != 0) { 179 wpa_printf(MSG_DEBUG, "OCSP: issuerNameHash mismatch"); 180 wpa_hexdump(MSG_DEBUG, "OCSP: Calculated issuerNameHash", 181 hash, hash_len); 182 return -1; 183 } 184 185 /* issuerKeyHash OCTET STRING */ 186 if (asn1_get_next(pos, end - pos, &hdr) < 0 || 187 !asn1_is_octetstring(&hdr)) { 188 asn1_unexpected(&hdr, 189 "OCSP: Expected OCTET STRING (issuerKeyHash)"); 190 return -1; 191 } 192 key_hash = hdr.payload; 193 key_hash_len = hdr.length; 194 wpa_hexdump(MSG_DEBUG, "OCSP: issuerKeyHash", key_hash, key_hash_len); 195 pos = hdr.payload + hdr.length; 196 197 hash_len = ocsp_hash_data(&alg.oid, issuer->public_key, 198 issuer->public_key_len, hash); 199 if (hash_len == 0 || key_hash_len != hash_len || 200 os_memcmp(key_hash, hash, hash_len) != 0) { 201 wpa_printf(MSG_DEBUG, "OCSP: issuerKeyHash mismatch"); 202 wpa_hexdump(MSG_DEBUG, "OCSP: Calculated issuerKeyHash", 203 hash, hash_len); 204 return -1; 205 } 206 207 /* serialNumber CertificateSerialNumber ::= INTEGER */ 208 if (asn1_get_next(pos, end - pos, &hdr) < 0 || 209 !asn1_is_integer(&hdr) || 210 hdr.length < 1 || hdr.length > X509_MAX_SERIAL_NUM_LEN) { 211 asn1_unexpected(&hdr, 212 "OCSP: No INTEGER tag found for serialNumber"); 213 return -1; 214 } 215 serial_number = hdr.payload; 216 serial_number_len = hdr.length; 217 while (serial_number_len > 0 && serial_number[0] == 0) { 218 serial_number++; 219 serial_number_len--; 220 } 221 wpa_hexdump(MSG_MSGDUMP, "OCSP: serialNumber", serial_number, 222 serial_number_len); 223 224 if (serial_number_len != cert->serial_number_len || 225 os_memcmp(serial_number, cert->serial_number, 226 serial_number_len) != 0) { 227 wpa_printf(MSG_DEBUG, "OCSP: serialNumber mismatch"); 228 return -1; 229 } 230 231 pos = end; 232 end = resp + len; 233 234 /* certStatus CertStatus ::= CHOICE 235 * 236 * CertStatus ::= CHOICE { 237 * good [0] IMPLICIT NULL, 238 * revoked [1] IMPLICIT RevokedInfo, 239 * unknown [2] IMPLICIT UnknownInfo } 240 */ 241 if (asn1_get_next(pos, end - pos, &hdr) < 0 || 242 hdr.class != ASN1_CLASS_CONTEXT_SPECIFIC) { 243 asn1_unexpected(&hdr, "OCSP: Expected CHOICE (CertStatus)"); 244 return -1; 245 } 246 cert_status = hdr.tag; 247 wpa_printf(MSG_DEBUG, "OCSP: certStatus=%u", cert_status); 248 wpa_hexdump(MSG_DEBUG, "OCSP: CertStatus additional data", 249 hdr.payload, hdr.length); 250 pos = hdr.payload + hdr.length; 251 252 os_get_time(&now); 253 /* thisUpdate GeneralizedTime */ 254 if (asn1_get_next(pos, end - pos, &hdr) < 0 || 255 !asn1_is_generalizedtime(&hdr) || 256 x509_parse_time(hdr.payload, hdr.length, hdr.tag, &update) < 0) { 257 wpa_printf(MSG_DEBUG, "OCSP: Failed to parse thisUpdate"); 258 return -1; 259 } 260 wpa_printf(MSG_DEBUG, "OCSP: thisUpdate %lu", (unsigned long) update); 261 pos = hdr.payload + hdr.length; 262 if ((unsigned long) now.sec < (unsigned long) update) { 263 wpa_printf(MSG_DEBUG, 264 "OCSP: thisUpdate time in the future (response not yet valid)"); 265 return -1; 266 } 267 268 /* nextUpdate [0] EXPLICIT GeneralizedTime OPTIONAL */ 269 if (pos < end) { 270 if (asn1_get_next(pos, end - pos, &hdr) < 0) 271 return -1; 272 if (asn1_is_cs_tag(&hdr, 0) && hdr.constructed) { 273 const u8 *next = hdr.payload + hdr.length; 274 275 if (asn1_get_next(hdr.payload, hdr.length, &hdr) < 0 || 276 !asn1_is_generalizedtime(&hdr) || 277 x509_parse_time(hdr.payload, hdr.length, hdr.tag, 278 &update) < 0) { 279 wpa_printf(MSG_DEBUG, 280 "OCSP: Failed to parse nextUpdate"); 281 return -1; 282 } 283 wpa_printf(MSG_DEBUG, "OCSP: nextUpdate %lu", 284 (unsigned long) update); 285 pos = next; 286 if ((unsigned long) now.sec > (unsigned long) update) { 287 wpa_printf(MSG_DEBUG, "OCSP: nextUpdate time in the past (response has expired)"); 288 return -1; 289 } 290 } 291 } 292 293 /* singleExtensions [1] EXPLICIT Extensions OPTIONAL */ 294 if (pos < end) { 295 wpa_hexdump(MSG_MSGDUMP, "OCSP: singleExtensions", 296 pos, end - pos); 297 /* Ignore for now */ 298 } 299 300 if (cert_status == 0 /* good */) 301 *res = TLS_OCSP_GOOD; 302 else if (cert_status == 1 /* revoked */) 303 *res = TLS_OCSP_REVOKED; 304 else 305 return -1; 306 return 0; 307 } 308 309 310 static enum tls_ocsp_result 311 tls_process_ocsp_responses(struct tlsv1_client *conn, 312 struct x509_certificate *cert, 313 struct x509_certificate *issuer, const u8 *resp, 314 size_t len) 315 { 316 struct asn1_hdr hdr; 317 const u8 *pos, *end; 318 enum tls_ocsp_result res; 319 320 pos = resp; 321 end = resp + len; 322 while (pos < end) { 323 /* SingleResponse ::= SEQUENCE */ 324 if (asn1_get_next(pos, end - pos, &hdr) < 0 || 325 !asn1_is_sequence(&hdr)) { 326 asn1_unexpected(&hdr, 327 "OCSP: Expected SEQUENCE (SingleResponse)"); 328 return TLS_OCSP_INVALID; 329 } 330 if (tls_process_ocsp_single_response(conn, cert, issuer, 331 hdr.payload, hdr.length, 332 &res) == 0) 333 return res; 334 pos = hdr.payload + hdr.length; 335 } 336 337 wpa_printf(MSG_DEBUG, 338 "OCSP: Did not find a response matching the server certificate"); 339 return TLS_OCSP_NO_RESPONSE; 340 } 341 342 343 static enum tls_ocsp_result 344 tls_process_basic_ocsp_response(struct tlsv1_client *conn, 345 struct x509_certificate *srv_cert, 346 const u8 *resp, size_t len) 347 { 348 struct asn1_hdr hdr; 349 const u8 *pos, *end; 350 const u8 *resp_data, *sign_value, *key_hash = NULL, *responses; 351 const u8 *resp_data_signed; 352 size_t resp_data_len, sign_value_len, responses_len; 353 size_t resp_data_signed_len; 354 struct x509_algorithm_identifier alg; 355 struct x509_certificate *certs = NULL, *last_cert = NULL; 356 struct x509_certificate *issuer, *signer; 357 struct x509_name name; /* used if key_hash == NULL */ 358 char buf[100]; 359 os_time_t produced_at; 360 enum tls_ocsp_result res; 361 362 wpa_hexdump(MSG_MSGDUMP, "OCSP: BasicOCSPResponse", resp, len); 363 364 os_memset(&name, 0, sizeof(name)); 365 366 /* 367 * RFC 6960, 4.2.1: 368 * BasicOCSPResponse ::= SEQUENCE { 369 * tbsResponseData ResponseData, 370 * signatureAlgorithm AlgorithmIdentifier, 371 * signature BIT STRING, 372 * certs [0] EXPLICIT SEQUENCE OF Certificate OPTIONAL } 373 */ 374 375 if (asn1_get_next(resp, len, &hdr) < 0 || !asn1_is_sequence(&hdr)) { 376 asn1_unexpected(&hdr, 377 "OCSP: Expected SEQUENCE (BasicOCSPResponse)"); 378 return TLS_OCSP_INVALID; 379 } 380 pos = hdr.payload; 381 end = hdr.payload + hdr.length; 382 383 /* ResponseData ::= SEQUENCE */ 384 if (asn1_get_next(pos, end - pos, &hdr) < 0 || 385 !asn1_is_sequence(&hdr)) { 386 asn1_unexpected(&hdr, 387 "OCSP: Expected SEQUENCE (ResponseData)"); 388 return TLS_OCSP_INVALID; 389 } 390 resp_data = hdr.payload; 391 resp_data_len = hdr.length; 392 resp_data_signed = pos; 393 pos = hdr.payload + hdr.length; 394 resp_data_signed_len = pos - resp_data_signed; 395 396 /* signatureAlgorithm AlgorithmIdentifier */ 397 if (x509_parse_algorithm_identifier(pos, end - pos, &alg, &pos)) 398 return TLS_OCSP_INVALID; 399 400 /* signature BIT STRING */ 401 if (asn1_get_next(pos, end - pos, &hdr) < 0 || 402 !asn1_is_bitstring(&hdr)) { 403 asn1_unexpected(&hdr, 404 "OCSP: Expected BITSTRING (signature)"); 405 return TLS_OCSP_INVALID; 406 } 407 if (hdr.length < 1) 408 return TLS_OCSP_INVALID; 409 pos = hdr.payload; 410 if (*pos) { 411 wpa_printf(MSG_DEBUG, "OCSP: BITSTRING - %d unused bits", *pos); 412 /* PKCS #1 v1.5 10.2.1: 413 * It is an error if the length in bits of the signature S is 414 * not a multiple of eight. 415 */ 416 return TLS_OCSP_INVALID; 417 } 418 sign_value = pos + 1; 419 sign_value_len = hdr.length - 1; 420 pos += hdr.length; 421 wpa_hexdump(MSG_MSGDUMP, "OCSP: signature", sign_value, sign_value_len); 422 423 /* certs [0] EXPLICIT SEQUENCE OF Certificate OPTIONAL */ 424 if (pos < end) { 425 if (asn1_get_next(pos, end - pos, &hdr) < 0 || 426 !hdr.constructed || !asn1_is_cs_tag(&hdr, 0)) { 427 asn1_unexpected(&hdr, 428 "OCSP: Expected [0] EXPLICIT (certs)"); 429 return TLS_OCSP_INVALID; 430 } 431 wpa_hexdump(MSG_MSGDUMP, "OCSP: certs", 432 hdr.payload, hdr.length); 433 pos = hdr.payload; 434 end = hdr.payload + hdr.length; 435 while (pos < end) { 436 struct x509_certificate *cert; 437 438 if (asn1_get_next(pos, end - pos, &hdr) < 0 || 439 !asn1_is_sequence(&hdr)) { 440 asn1_unexpected(&hdr, 441 "OCSP: Expected SEQUENCE (Certificate)"); 442 goto fail; 443 } 444 445 cert = x509_certificate_parse(hdr.payload, hdr.length); 446 if (!cert) 447 goto fail; 448 if (last_cert) { 449 last_cert->next = cert; 450 last_cert = cert; 451 } else { 452 last_cert = certs = cert; 453 } 454 pos = hdr.payload + hdr.length; 455 } 456 } 457 458 /* 459 * ResponseData ::= SEQUENCE { 460 * version [0] EXPLICIT Version DEFAULT v1, 461 * responderID ResponderID, 462 * producedAt GeneralizedTime, 463 * responses SEQUENCE OF SingleResponse, 464 * responseExtensions [1] EXPLICIT Extensions OPTIONAL } 465 */ 466 pos = resp_data; 467 end = resp_data + resp_data_len; 468 wpa_hexdump(MSG_MSGDUMP, "OCSP: ResponseData", pos, end - pos); 469 470 /* 471 * version [0] EXPLICIT Version DEFAULT v1 472 * Version ::= INTEGER { v1(0) } 473 */ 474 if (asn1_get_next(pos, end - pos, &hdr) == 0 && hdr.constructed && 475 asn1_is_cs_tag(&hdr, 0)) { 476 if (asn1_get_next(pos, end - pos, &hdr) < 0 || 477 !asn1_is_integer(&hdr) || hdr.length != 1) { 478 asn1_unexpected(&hdr, 479 "OCSP: No INTEGER (len=1) tag found for version field"); 480 goto fail; 481 } 482 wpa_printf(MSG_DEBUG, "OCSP: ResponseData version %u", 483 hdr.payload[0]); 484 if (hdr.payload[0] != 0) { 485 wpa_printf(MSG_DEBUG, 486 "OCSP: Unsupported ResponseData version %u", 487 hdr.payload[0]); 488 goto no_resp; 489 } 490 pos = hdr.payload + hdr.length; 491 } else { 492 wpa_printf(MSG_DEBUG, 493 "OCSP: Default ResponseData version (v1)"); 494 } 495 496 /* 497 * ResponderID ::= CHOICE { 498 * byName [1] Name, 499 * byKey [2] KeyHash } 500 */ 501 if (asn1_get_next(pos, end - pos, &hdr) < 0 || 502 hdr.class != ASN1_CLASS_CONTEXT_SPECIFIC) { 503 asn1_unexpected(&hdr, "OCSP: Expected CHOICE (ResponderID)"); 504 goto fail; 505 } 506 507 if (hdr.tag == 1) { 508 /* Name */ 509 if (x509_parse_name(hdr.payload, hdr.length, &name, &pos) < 0) 510 goto fail; 511 x509_name_string(&name, buf, sizeof(buf)); 512 wpa_printf(MSG_DEBUG, "OCSP: ResponderID byName Name: %s", buf); 513 } else if (hdr.tag == 2) { 514 /* KeyHash ::= OCTET STRING */ 515 if (asn1_get_next(hdr.payload, hdr.length, &hdr) < 0 || 516 !asn1_is_octetstring(&hdr)) { 517 asn1_unexpected(&hdr, 518 "OCSP: Expected OCTET STRING (KeyHash)"); 519 goto fail; 520 } 521 key_hash = hdr.payload; 522 wpa_hexdump(MSG_DEBUG, "OCSP: ResponderID byKey KeyHash", 523 key_hash, hdr.length); 524 if (hdr.length != SHA1_MAC_LEN) { 525 wpa_printf(MSG_DEBUG, 526 "OCSP: Unexpected byKey KeyHash length %u - expected %u for SHA-1", 527 hdr.length, SHA1_MAC_LEN); 528 goto fail; 529 } 530 pos = hdr.payload + hdr.length; 531 } else { 532 wpa_printf(MSG_DEBUG, "OCSP: Unexpected ResponderID CHOICE %u", 533 hdr.tag); 534 goto fail; 535 } 536 537 /* producedAt GeneralizedTime */ 538 if (asn1_get_next(pos, end - pos, &hdr) < 0 || 539 !asn1_is_generalizedtime(&hdr) || 540 x509_parse_time(hdr.payload, hdr.length, hdr.tag, 541 &produced_at) < 0) { 542 wpa_printf(MSG_DEBUG, "OCSP: Failed to parse producedAt"); 543 goto fail; 544 } 545 wpa_printf(MSG_DEBUG, "OCSP: producedAt %lu", 546 (unsigned long) produced_at); 547 pos = hdr.payload + hdr.length; 548 549 /* responses SEQUENCE OF SingleResponse */ 550 if (asn1_get_next(pos, end - pos, &hdr) < 0 || 551 !asn1_is_sequence(&hdr)) { 552 asn1_unexpected(&hdr, 553 "OCSP: Expected SEQUENCE (responses)"); 554 goto fail; 555 } 556 responses = hdr.payload; 557 responses_len = hdr.length; 558 wpa_hexdump(MSG_MSGDUMP, "OCSP: responses", responses, responses_len); 559 pos = hdr.payload + hdr.length; 560 561 if (pos < end) { 562 /* responseExtensions [1] EXPLICIT Extensions OPTIONAL */ 563 wpa_hexdump(MSG_MSGDUMP, "OCSP: responseExtensions", 564 pos, end - pos); 565 /* Ignore for now. */ 566 } 567 568 if (!srv_cert) { 569 wpa_printf(MSG_DEBUG, 570 "OCSP: Server certificate not known - cannot check OCSP response"); 571 goto no_resp; 572 } 573 574 if (srv_cert->next) { 575 /* Issuer has already been verified in the chain */ 576 issuer = srv_cert->next; 577 } else { 578 /* Find issuer from the set of trusted certificates */ 579 for (issuer = conn->cred ? conn->cred->trusted_certs : NULL; 580 issuer; issuer = issuer->next) { 581 if (x509_name_compare(&srv_cert->issuer, 582 &issuer->subject) == 0) 583 break; 584 } 585 } 586 if (!issuer) { 587 wpa_printf(MSG_DEBUG, 588 "OCSP: Server certificate issuer not known - cannot check OCSP response"); 589 goto no_resp; 590 } 591 592 if (ocsp_responder_id_match(issuer, &name, key_hash)) { 593 wpa_printf(MSG_DEBUG, 594 "OCSP: Server certificate issuer certificate matches ResponderID"); 595 signer = issuer; 596 } else { 597 for (signer = certs; signer; signer = signer->next) { 598 if (!ocsp_responder_id_match(signer, &name, key_hash) || 599 x509_name_compare(&srv_cert->issuer, 600 &issuer->subject) != 0 || 601 !(signer->ext_key_usage & 602 X509_EXT_KEY_USAGE_OCSP) || 603 x509_certificate_check_signature(issuer, signer) < 604 0) 605 continue; 606 wpa_printf(MSG_DEBUG, 607 "OCSP: An extra certificate from the response matches ResponderID and is trusted as an OCSP signer"); 608 break; 609 } 610 if (!signer) { 611 wpa_printf(MSG_DEBUG, 612 "OCSP: Could not find OCSP signer certificate"); 613 goto no_resp; 614 } 615 } 616 617 x509_free_name(&name); 618 os_memset(&name, 0, sizeof(name)); 619 x509_certificate_chain_free(certs); 620 certs = NULL; 621 622 if (x509_check_signature(signer, &alg, sign_value, sign_value_len, 623 resp_data_signed, resp_data_signed_len) < 0) { 624 wpa_printf(MSG_DEBUG, "OCSP: Invalid signature"); 625 return TLS_OCSP_INVALID; 626 } 627 628 res = tls_process_ocsp_responses(conn, srv_cert, issuer, 629 responses, responses_len); 630 if (res == TLS_OCSP_REVOKED) 631 srv_cert->ocsp_revoked = 1; 632 else if (res == TLS_OCSP_GOOD) 633 srv_cert->ocsp_good = 1; 634 return res; 635 636 no_resp: 637 x509_free_name(&name); 638 x509_certificate_chain_free(certs); 639 return TLS_OCSP_NO_RESPONSE; 640 641 fail: 642 x509_free_name(&name); 643 x509_certificate_chain_free(certs); 644 return TLS_OCSP_INVALID; 645 } 646 647 648 enum tls_ocsp_result tls_process_ocsp_response(struct tlsv1_client *conn, 649 const u8 *resp, size_t len) 650 { 651 struct asn1_hdr hdr; 652 const u8 *pos, *end; 653 u8 resp_status; 654 struct asn1_oid oid; 655 char obuf[80]; 656 struct x509_certificate *cert; 657 enum tls_ocsp_result res = TLS_OCSP_NO_RESPONSE; 658 enum tls_ocsp_result res_first = res; 659 660 wpa_hexdump(MSG_MSGDUMP, "TLSv1: OCSPResponse", resp, len); 661 662 /* 663 * RFC 6960, 4.2.1: 664 * OCSPResponse ::= SEQUENCE { 665 * responseStatus OCSPResponseStatus, 666 * responseBytes [0] EXPLICIT ResponseBytes OPTIONAL } 667 */ 668 669 if (asn1_get_next(resp, len, &hdr) < 0 || !asn1_is_sequence(&hdr)) { 670 asn1_unexpected(&hdr, 671 "OCSP: Expected SEQUENCE (OCSPResponse)"); 672 return TLS_OCSP_INVALID; 673 } 674 pos = hdr.payload; 675 end = hdr.payload + hdr.length; 676 677 /* OCSPResponseStatus ::= ENUMERATED */ 678 if (asn1_get_next(pos, end - pos, &hdr) < 0 || 679 !asn1_is_enumerated(&hdr) || hdr.length != 1) { 680 asn1_unexpected(&hdr, 681 "OCSP: Expected ENUMERATED (responseStatus)"); 682 return TLS_OCSP_INVALID; 683 } 684 resp_status = hdr.payload[0]; 685 wpa_printf(MSG_DEBUG, "OCSP: responseStatus %u", resp_status); 686 pos = hdr.payload + hdr.length; 687 if (resp_status != OCSP_RESP_STATUS_SUCCESSFUL) { 688 wpa_printf(MSG_DEBUG, "OCSP: No stapling result"); 689 return TLS_OCSP_NO_RESPONSE; 690 } 691 692 /* responseBytes [0] EXPLICIT ResponseBytes OPTIONAL */ 693 if (pos == end) 694 return TLS_OCSP_NO_RESPONSE; 695 696 if (asn1_get_next(pos, end - pos, &hdr) < 0 || !hdr.constructed || 697 !asn1_is_cs_tag(&hdr, 0)) { 698 asn1_unexpected(&hdr, 699 "OCSP: Expected [0] EXPLICIT (responseBytes)"); 700 return TLS_OCSP_INVALID; 701 } 702 703 /* 704 * ResponseBytes ::= SEQUENCE { 705 * responseType OBJECT IDENTIFIER, 706 * response OCTET STRING } 707 */ 708 709 if (asn1_get_next(hdr.payload, hdr.length, &hdr) < 0 || 710 !asn1_is_sequence(&hdr)) { 711 asn1_unexpected(&hdr, 712 "OCSP: Expected SEQUENCE (ResponseBytes)"); 713 return TLS_OCSP_INVALID; 714 } 715 pos = hdr.payload; 716 end = hdr.payload + hdr.length; 717 718 /* responseType OBJECT IDENTIFIER */ 719 if (asn1_get_oid(pos, end - pos, &oid, &pos)) { 720 wpa_printf(MSG_DEBUG, 721 "OCSP: Failed to parse OID (responseType)"); 722 return TLS_OCSP_INVALID; 723 } 724 asn1_oid_to_str(&oid, obuf, sizeof(obuf)); 725 wpa_printf(MSG_DEBUG, "OCSP: responseType %s", obuf); 726 if (!is_oid_basic_ocsp_resp(&oid)) { 727 wpa_printf(MSG_DEBUG, "OCSP: Ignore unsupported response type"); 728 return TLS_OCSP_NO_RESPONSE; 729 } 730 731 /* response OCTET STRING */ 732 if (asn1_get_next(pos, end - pos, &hdr) < 0 || 733 !asn1_is_octetstring(&hdr)) { 734 asn1_unexpected(&hdr, "OCSP: Expected OCTET STRING (response)"); 735 return TLS_OCSP_INVALID; 736 } 737 738 cert = conn->server_cert; 739 while (cert) { 740 if (!cert->ocsp_good && !cert->ocsp_revoked) { 741 char sbuf[128]; 742 743 x509_name_string(&cert->subject, sbuf, sizeof(sbuf)); 744 wpa_printf(MSG_DEBUG, 745 "OCSP: Trying to find certificate status for %s", 746 sbuf); 747 748 res = tls_process_basic_ocsp_response(conn, cert, 749 hdr.payload, 750 hdr.length); 751 if (cert == conn->server_cert) 752 res_first = res; 753 } 754 if (res == TLS_OCSP_REVOKED || cert->issuer_trusted) 755 break; 756 cert = cert->next; 757 } 758 return res == TLS_OCSP_REVOKED ? res : res_first; 759 } 760