hostap/src/tls/tlsv1_client_ocsp.c

488 lines
14 KiB
C
Raw Normal View History

/*
* TLSv1 client - OCSP
* Copyright (c) 2015, Jouni Malinen <j@w1.fi>
*
* This software may be distributed under the terms of the BSD license.
* See README for more details.
*/
#include "includes.h"
#include "common.h"
#include "crypto/tls.h"
#include "crypto/sha1.h"
#include "asn1.h"
#include "x509v3.h"
#include "tlsv1_common.h"
#include "tlsv1_record.h"
#include "tlsv1_client.h"
#include "tlsv1_client_i.h"
/* RFC 6960, 4.2.1: OCSPResponseStatus ::= ENUMERATED */
enum ocsp_response_status {
OCSP_RESP_STATUS_SUCCESSFUL = 0,
OCSP_RESP_STATUS_MALFORMED_REQ = 1,
OCSP_RESP_STATUS_INT_ERROR = 2,
OCSP_RESP_STATUS_TRY_LATER = 3,
/* 4 not used */
OCSP_RESP_STATUS_SIG_REQUIRED = 5,
OCSP_RESP_STATUS_UNAUTHORIZED = 6,
};
static int is_oid_basic_ocsp_resp(struct asn1_oid *oid)
{
return oid->len == 10 &&
oid->oid[0] == 1 /* iso */ &&
oid->oid[1] == 3 /* identified-organization */ &&
oid->oid[2] == 6 /* dod */ &&
oid->oid[3] == 1 /* internet */ &&
oid->oid[4] == 5 /* security */ &&
oid->oid[5] == 5 /* mechanisms */ &&
oid->oid[6] == 7 /* id-pkix */ &&
oid->oid[7] == 48 /* id-ad */ &&
oid->oid[8] == 1 /* id-pkix-ocsp */ &&
oid->oid[9] == 1 /* id-pkix-ocsp-basic */;
}
static int ocsp_responder_id_match(struct x509_certificate *signer,
struct x509_name *name, const u8 *key_hash)
{
if (key_hash) {
u8 hash[SHA1_MAC_LEN];
const u8 *addr[1] = { signer->public_key };
size_t len[1] = { signer->public_key_len };
if (sha1_vector(1, addr, len, hash) < 0)
return 0;
return os_memcmp(hash, key_hash, SHA1_MAC_LEN) == 0;
}
return x509_name_compare(&signer->subject, name) == 0;
}
static enum tls_ocsp_result
tls_process_basic_ocsp_response(struct tlsv1_client *conn, const u8 *resp,
size_t len)
{
struct asn1_hdr hdr;
const u8 *pos, *end;
const u8 *resp_data, *sign_value, *key_hash = NULL, *responses;
const u8 *resp_data_signed;
size_t resp_data_len, sign_value_len, responses_len;
size_t resp_data_signed_len;
struct x509_algorithm_identifier alg;
struct x509_certificate *certs = NULL, *last_cert = NULL;
struct x509_certificate *issuer, *signer;
struct x509_name name; /* used if key_hash == NULL */
char buf[100];
os_time_t produced_at;
wpa_hexdump(MSG_MSGDUMP, "OCSP: BasicOCSPResponse", resp, len);
os_memset(&name, 0, sizeof(name));
/*
* RFC 6960, 4.2.1:
* BasicOCSPResponse ::= SEQUENCE {
* tbsResponseData ResponseData,
* signatureAlgorithm AlgorithmIdentifier,
* signature BIT STRING,
* certs [0] EXPLICIT SEQUENCE OF Certificate OPTIONAL }
*/
if (asn1_get_next(resp, len, &hdr) < 0 ||
hdr.class != ASN1_CLASS_UNIVERSAL ||
hdr.tag != ASN1_TAG_SEQUENCE) {
wpa_printf(MSG_DEBUG,
"OCSP: Expected SEQUENCE (BasicOCSPResponse) - found class %d tag 0x%x",
hdr.class, hdr.tag);
return TLS_OCSP_INVALID;
}
pos = hdr.payload;
end = hdr.payload + hdr.length;
/* ResponseData ::= SEQUENCE */
if (asn1_get_next(pos, end - pos, &hdr) < 0 ||
hdr.class != ASN1_CLASS_UNIVERSAL ||
hdr.tag != ASN1_TAG_SEQUENCE) {
wpa_printf(MSG_DEBUG,
"OCSP: Expected SEQUENCE (ResponseData) - found class %d tag 0x%x",
hdr.class, hdr.tag);
return TLS_OCSP_INVALID;
}
resp_data = hdr.payload;
resp_data_len = hdr.length;
resp_data_signed = pos;
pos = hdr.payload + hdr.length;
resp_data_signed_len = pos - resp_data_signed;
/* signatureAlgorithm AlgorithmIdentifier */
if (x509_parse_algorithm_identifier(pos, end - pos, &alg, &pos))
return TLS_OCSP_INVALID;
/* signature BIT STRING */
if (asn1_get_next(pos, end - pos, &hdr) < 0 ||
hdr.class != ASN1_CLASS_UNIVERSAL ||
hdr.tag != ASN1_TAG_BITSTRING) {
wpa_printf(MSG_DEBUG,
"OCSP: Expected BITSTRING (signature) - found class %d tag 0x%x",
hdr.class, hdr.tag);
return TLS_OCSP_INVALID;
}
if (hdr.length < 1)
return TLS_OCSP_INVALID;
pos = hdr.payload;
if (*pos) {
wpa_printf(MSG_DEBUG, "OCSP: BITSTRING - %d unused bits", *pos);
/* PKCS #1 v1.5 10.2.1:
* It is an error if the length in bits of the signature S is
* not a multiple of eight.
*/
return TLS_OCSP_INVALID;
}
sign_value = pos + 1;
sign_value_len = hdr.length - 1;
pos += hdr.length;
wpa_hexdump(MSG_MSGDUMP, "OCSP: signature", sign_value, sign_value_len);
/* certs [0] EXPLICIT SEQUENCE OF Certificate OPTIONAL */
if (pos < end) {
if (asn1_get_next(pos, end - pos, &hdr) < 0 ||
hdr.class != ASN1_CLASS_CONTEXT_SPECIFIC ||
hdr.tag != 0) {
wpa_printf(MSG_DEBUG,
"OCSP: Expected [0] EXPLICIT (certs) - found class %d tag 0x%x",
hdr.class, hdr.tag);
return TLS_OCSP_INVALID;
}
wpa_hexdump(MSG_MSGDUMP, "OCSP: certs",
hdr.payload, hdr.length);
pos = hdr.payload;
end = hdr.payload + hdr.length;
while (pos < end) {
struct x509_certificate *cert;
if (asn1_get_next(pos, end - pos, &hdr) < 0 ||
hdr.class != ASN1_CLASS_UNIVERSAL ||
hdr.tag != ASN1_TAG_SEQUENCE) {
wpa_printf(MSG_DEBUG,
"OCSP: Expected SEQUENCE (Certificate) - found class %d tag 0x%x",
hdr.class, hdr.tag);
goto fail;
}
cert = x509_certificate_parse(hdr.payload, hdr.length);
if (!cert)
goto fail;
if (last_cert) {
last_cert->next = cert;
last_cert = cert;
} else {
last_cert = certs = cert;
}
pos = hdr.payload + hdr.length;
}
}
/*
* ResponseData ::= SEQUENCE {
* version [0] EXPLICIT Version DEFAULT v1,
* responderID ResponderID,
* producedAt GeneralizedTime,
* responses SEQUENCE OF SingleResponse,
* responseExtensions [1] EXPLICIT Extensions OPTIONAL }
*/
pos = resp_data;
end = resp_data + resp_data_len;
wpa_hexdump(MSG_MSGDUMP, "OCSP: ResponseData", pos, end - pos);
/*
* version [0] EXPLICIT Version DEFAULT v1
* Version ::= INTEGER { v1(0) }
*/
if (asn1_get_next(pos, end - pos, &hdr) < 0 &&
hdr.class == ASN1_CLASS_CONTEXT_SPECIFIC &&
hdr.tag == 0) {
if (asn1_get_next(pos, end - pos, &hdr) < 0 ||
hdr.class != ASN1_CLASS_UNIVERSAL ||
hdr.tag != ASN1_TAG_INTEGER ||
hdr.length != 1) {
wpa_printf(MSG_DEBUG,
"OCSP: No INTEGER (len=1) tag found for version field - found class %d tag 0x%x length %d",
hdr.class, hdr.tag, hdr.length);
goto fail;
}
wpa_printf(MSG_DEBUG, "OCSP: ResponseData version %u",
hdr.payload[0]);
if (hdr.payload[0] != 0) {
wpa_printf(MSG_DEBUG,
"OCSP: Unsupported ResponseData version %u",
hdr.payload[0]);
goto no_resp;
}
pos = hdr.payload + hdr.length;
} else {
wpa_printf(MSG_DEBUG,
"OCSP: Default ResponseData version (v1)");
}
/*
* ResponderID ::= CHOICE {
* byName [1] Name,
* byKey [2] KeyHash }
*/
if (asn1_get_next(pos, end - pos, &hdr) < 0 ||
hdr.class != ASN1_CLASS_CONTEXT_SPECIFIC) {
wpa_printf(MSG_DEBUG,
"OCSP: Expected CHOICE (ResponderID) - found class %d tag 0x%x",
hdr.class, hdr.tag);
goto fail;
}
if (hdr.tag == 1) {
/* Name */
if (x509_parse_name(hdr.payload, hdr.length, &name, &pos) < 0)
goto fail;
x509_name_string(&name, buf, sizeof(buf));
wpa_printf(MSG_DEBUG, "OCSP: ResponderID byName Name: %s", buf);
} else if (hdr.tag == 2) {
/* KeyHash ::= OCTET STRING */
if (asn1_get_next(hdr.payload, hdr.length, &hdr) < 0 ||
hdr.class != ASN1_CLASS_UNIVERSAL ||
hdr.tag != ASN1_TAG_OCTETSTRING) {
wpa_printf(MSG_DEBUG,
"OCSP: Expected OCTET STRING (KeyHash) - found class %d tag 0x%x",
hdr.class, hdr.tag);
goto fail;
}
key_hash = hdr.payload;
wpa_hexdump(MSG_DEBUG, "OCSP: ResponderID byKey KeyHash",
key_hash, hdr.length);
if (hdr.length != SHA1_MAC_LEN) {
wpa_printf(MSG_DEBUG,
"OCSP: Unexpected byKey KeyHash length %u - expected %u for SHA-1",
hdr.length, SHA1_MAC_LEN);
goto fail;
}
pos = hdr.payload + hdr.length;
} else {
wpa_printf(MSG_DEBUG, "OCSP: Unexpected ResponderID CHOICE %u",
hdr.tag);
goto fail;
}
/* producedAt GeneralizedTime */
if (asn1_get_next(pos, end - pos, &hdr) < 0 ||
hdr.class != ASN1_CLASS_UNIVERSAL ||
hdr.tag != ASN1_TAG_GENERALIZEDTIME ||
x509_parse_time(hdr.payload, hdr.length, hdr.tag,
&produced_at) < 0) {
wpa_printf(MSG_DEBUG, "OCSP: Failed to parse producedAt");
goto fail;
}
wpa_printf(MSG_DEBUG, "OCSP: producedAt %lu",
(unsigned long) produced_at);
pos = hdr.payload + hdr.length;
/* responses SEQUENCE OF SingleResponse */
if (asn1_get_next(pos, end - pos, &hdr) < 0 ||
hdr.class != ASN1_CLASS_UNIVERSAL ||
hdr.tag != ASN1_TAG_SEQUENCE) {
wpa_printf(MSG_DEBUG,
"OCSP: Expected SEQUENCE (responses) - found class %d tag 0x%x",
hdr.class, hdr.tag);
goto fail;
}
responses = hdr.payload;
responses_len = hdr.length;
wpa_hexdump(MSG_MSGDUMP, "OCSP: responses", responses, responses_len);
pos = hdr.payload + hdr.length;
if (pos < end) {
/* responseExtensions [1] EXPLICIT Extensions OPTIONAL */
wpa_hexdump(MSG_MSGDUMP, "OCSP: responseExtensions",
pos, end - pos);
/* Ignore for now. */
}
if (!conn->server_cert) {
wpa_printf(MSG_DEBUG,
"OCSP: Server certificate not known - cannot check OCSP response");
goto no_resp;
}
if (conn->server_cert->next) {
/* Issuer has already been verified in the chain */
issuer = conn->server_cert->next;
} else {
/* Find issuer from the set of trusted certificates */
for (issuer = conn->cred ? conn->cred->trusted_certs : NULL;
issuer; issuer = issuer->next) {
if (x509_name_compare(&conn->server_cert->issuer,
&issuer->subject) == 0)
break;
}
}
if (!issuer) {
wpa_printf(MSG_DEBUG,
"OCSP: Server certificate issuer not known - cannot check OCSP response");
goto no_resp;
}
if (ocsp_responder_id_match(issuer, &name, key_hash)) {
wpa_printf(MSG_DEBUG,
"OCSP: Server certificate issuer certificate matches ResponderID");
signer = issuer;
} else {
for (signer = certs; signer; signer = signer->next) {
if (!ocsp_responder_id_match(signer, &name, key_hash) ||
x509_name_compare(&conn->server_cert->issuer,
&issuer->subject) != 0 ||
!(signer->ext_key_usage &
X509_EXT_KEY_USAGE_OCSP) ||
x509_certificate_check_signature(issuer, signer) <
0)
continue;
wpa_printf(MSG_DEBUG,
"OCSP: An extra certificate from the response matches ResponderID and is trusted as an OCSP signer");
break;
}
if (!signer) {
wpa_printf(MSG_DEBUG,
"OCSP: Could not find OCSP signer certificate");
goto no_resp;
}
}
x509_free_name(&name);
os_memset(&name, 0, sizeof(name));
x509_certificate_chain_free(certs);
certs = NULL;
if (x509_check_signature(signer, &alg, sign_value, sign_value_len,
resp_data_signed, resp_data_signed_len) < 0) {
wpa_printf(MSG_DEBUG, "OCSP: Invalid signature");
return TLS_OCSP_INVALID;
}
/* TODO: Check responses */
no_resp:
x509_free_name(&name);
x509_certificate_chain_free(certs);
return TLS_OCSP_NO_RESPONSE;
fail:
x509_free_name(&name);
x509_certificate_chain_free(certs);
return TLS_OCSP_INVALID;
}
enum tls_ocsp_result tls_process_ocsp_response(struct tlsv1_client *conn,
const u8 *resp, size_t len)
{
struct asn1_hdr hdr;
const u8 *pos, *end;
u8 resp_status;
struct asn1_oid oid;
char obuf[80];
wpa_hexdump(MSG_MSGDUMP, "TLSv1: OCSPResponse", resp, len);
/*
* RFC 6960, 4.2.1:
* OCSPResponse ::= SEQUENCE {
* responseStatus OCSPResponseStatus,
* responseBytes [0] EXPLICIT ResponseBytes OPTIONAL }
*/
if (asn1_get_next(resp, len, &hdr) < 0 ||
hdr.class != ASN1_CLASS_UNIVERSAL ||
hdr.tag != ASN1_TAG_SEQUENCE) {
wpa_printf(MSG_DEBUG,
"OCSP: Expected SEQUENCE (OCSPResponse) - found class %d tag 0x%x",
hdr.class, hdr.tag);
return TLS_OCSP_INVALID;
}
pos = hdr.payload;
end = hdr.payload + hdr.length;
/* OCSPResponseStatus ::= ENUMERATED */
if (asn1_get_next(pos, end - pos, &hdr) < 0 ||
hdr.class != ASN1_CLASS_UNIVERSAL ||
hdr.tag != ASN1_TAG_ENUMERATED ||
hdr.length != 1) {
wpa_printf(MSG_DEBUG,
"OCSP: Expected ENUMERATED (responseStatus) - found class %d tag 0x%x length %u",
hdr.class, hdr.tag, hdr.length);
return TLS_OCSP_INVALID;
}
resp_status = hdr.payload[0];
wpa_printf(MSG_DEBUG, "OCSP: responseStatus %u", resp_status);
pos = hdr.payload + hdr.length;
if (resp_status != OCSP_RESP_STATUS_SUCCESSFUL) {
wpa_printf(MSG_DEBUG, "OCSP: No stapling result");
return TLS_OCSP_NO_RESPONSE;
}
/* responseBytes [0] EXPLICIT ResponseBytes OPTIONAL */
if (pos == end)
return TLS_OCSP_NO_RESPONSE;
if (asn1_get_next(pos, end - pos, &hdr) < 0 ||
hdr.class != ASN1_CLASS_CONTEXT_SPECIFIC ||
hdr.tag != 0) {
wpa_printf(MSG_DEBUG,
"OCSP: Expected [0] EXPLICIT (responseBytes) - found class %d tag 0x%x",
hdr.class, hdr.tag);
return TLS_OCSP_INVALID;
}
/*
* ResponseBytes ::= SEQUENCE {
* responseType OBJECT IDENTIFIER,
* response OCTET STRING }
*/
if (asn1_get_next(hdr.payload, hdr.length, &hdr) < 0 ||
hdr.class != ASN1_CLASS_UNIVERSAL ||
hdr.tag != ASN1_TAG_SEQUENCE) {
wpa_printf(MSG_DEBUG,
"OCSP: Expected SEQUENCE (ResponseBytes) - found class %d tag 0x%x",
hdr.class, hdr.tag);
return TLS_OCSP_INVALID;
}
pos = hdr.payload;
end = hdr.payload + hdr.length;
/* responseType OBJECT IDENTIFIER */
if (asn1_get_oid(pos, end - pos, &oid, &pos)) {
wpa_printf(MSG_DEBUG,
"OCSP: Failed to parse OID (responseType)");
return TLS_OCSP_INVALID;
}
asn1_oid_to_str(&oid, obuf, sizeof(obuf));
wpa_printf(MSG_DEBUG, "OCSP: responseType %s", obuf);
if (!is_oid_basic_ocsp_resp(&oid)) {
wpa_printf(MSG_DEBUG, "OCSP: Ignore unsupported response type");
return TLS_OCSP_NO_RESPONSE;
}
/* response OCTET STRING */
if (asn1_get_next(pos, end - pos, &hdr) < 0 ||
hdr.class != ASN1_CLASS_UNIVERSAL ||
hdr.tag != ASN1_TAG_OCTETSTRING) {
wpa_printf(MSG_DEBUG,
"OCSP: Expected OCTET STRING (response) - found class %d tag 0x%x",
hdr.class, hdr.tag);
return TLS_OCSP_INVALID;
}
return tls_process_basic_ocsp_response(conn, hdr.payload, hdr.length);
}