src/crypto/tls_openssl_ocsp.c

   1 /*
   2  * SSL/TLS interface functions for OpenSSL - BoringSSL OCSP
   3  * Copyright (c) 2004-2015, Jouni Malinen <j@w1.fi>
   4  *
   5  * This software may be distributed under the terms of the BSD license.
   6  * See README for more details.
   7  */
   8
   9 #include "includes.h"
  10
  11 #include <openssl/ssl.h>
  12 #include <openssl/err.h>
  13 #include <openssl/x509v3.h>
  14 #ifdef OPENSSL_IS_BORINGSSL
  15 #include <openssl/asn1.h>
  16 #include <openssl/asn1t.h>
  17 #endif /* OPENSSL_IS_BORINGSSL */
  18
  19 #include "common.h"
  20 #include "tls_openssl.h"
  21
  22
  23 #ifdef OPENSSL_IS_BORINGSSL
  24
  25 static void tls_show_errors(int level, const char *func, const char *txt)
  26 {
  27         unsigned long err;
  28
  29         wpa_printf(level, "OpenSSL: %s - %s %s",
  30                    func, txt, ERR_error_string(ERR_get_error(), NULL));
  31
  32         while ((err = ERR_get_error())) {
  33                 wpa_printf(MSG_INFO, "OpenSSL: pending error: %s",
  34                            ERR_error_string(err, NULL));
  35         }
  36 }
  37
  38
  39 /*
  40  * CertID ::= SEQUENCE {
  41  *     hashAlgorithm      AlgorithmIdentifier,
  42  *     issuerNameHash     OCTET STRING, -- Hash of Issuer's DN
  43  *     issuerKeyHash      OCTET STRING, -- Hash of Issuer's public key
  44  *     serialNumber       CertificateSerialNumber }
  45  */
  46 typedef struct {
  47         X509_ALGOR *hashAlgorithm;
  48         ASN1_OCTET_STRING *issuerNameHash;
  49         ASN1_OCTET_STRING *issuerKeyHash;
  50         ASN1_INTEGER *serialNumber;
  51 } CertID;
  52
  53 /*
  54  * ResponseBytes ::=       SEQUENCE {
  55  *     responseType   OBJECT IDENTIFIER,
  56  *     response       OCTET STRING }
  57  */
  58 typedef struct {
  59         ASN1_OBJECT *responseType;
  60         ASN1_OCTET_STRING *response;
  61 } ResponseBytes;
  62
  63 /*
  64  * OCSPResponse ::= SEQUENCE {
  65  *    responseStatus         OCSPResponseStatus,
  66  *    responseBytes          [0] EXPLICIT ResponseBytes OPTIONAL }
  67  */
  68 typedef struct {
  69         ASN1_ENUMERATED *responseStatus;
  70         ResponseBytes *responseBytes;
  71 } OCSPResponse;
  72
  73 ASN1_SEQUENCE(ResponseBytes) = {
  74         ASN1_SIMPLE(ResponseBytes, responseType, ASN1_OBJECT),
  75         ASN1_SIMPLE(ResponseBytes, response, ASN1_OCTET_STRING)
  76 } ASN1_SEQUENCE_END(ResponseBytes);
  77
  78 ASN1_SEQUENCE(OCSPResponse) = {
  79         ASN1_SIMPLE(OCSPResponse, responseStatus, ASN1_ENUMERATED),
  80         ASN1_EXP_OPT(OCSPResponse, responseBytes, ResponseBytes, 0)
  81 } ASN1_SEQUENCE_END(OCSPResponse);
  82
  83 IMPLEMENT_ASN1_FUNCTIONS(OCSPResponse);
  84
  85 /*
  86  * ResponderID ::= CHOICE {
  87  *    byName               [1] Name,
  88  *    byKey                [2] KeyHash }
  89  */
  90 typedef struct {
  91         int type;
  92         union {
  93                 X509_NAME *byName;
  94                 ASN1_OCTET_STRING *byKey;
  95         } value;
  96 } ResponderID;
  97
  98 /*
  99  * RevokedInfo ::= SEQUENCE {
 100  *     revocationTime              GeneralizedTime,
 101  *     revocationReason    [0]     EXPLICIT CRLReason OPTIONAL }
 102  */
 103 typedef struct {
 104         ASN1_GENERALIZEDTIME *revocationTime;
 105         ASN1_ENUMERATED *revocationReason;
 106 } RevokedInfo;
 107
 108 /*
 109  * CertStatus ::= CHOICE {
 110  *     good        [0]     IMPLICIT NULL,
 111  *     revoked     [1]     IMPLICIT RevokedInfo,
 112  *     unknown     [2]     IMPLICIT UnknownInfo }
 113  */
 114 typedef struct {
 115         int type;
 116         union {
 117                 ASN1_NULL *good;
 118                 RevokedInfo *revoked;
 119                 ASN1_NULL *unknown;
 120         } value;
 121 } CertStatus;
 122
 123 /*
 124  * SingleResponse ::= SEQUENCE {
 125  *    certID                       CertID,
 126  *    certStatus                   CertStatus,
 127  *    thisUpdate                   GeneralizedTime,
 128  *    nextUpdate         [0]       EXPLICIT GeneralizedTime OPTIONAL,
 129  *    singleExtensions   [1]       EXPLICIT Extensions OPTIONAL }
 130  */
 131 typedef struct {
 132         CertID *certID;
 133         CertStatus *certStatus;
 134         ASN1_GENERALIZEDTIME *thisUpdate;
 135         ASN1_GENERALIZEDTIME *nextUpdate;
 136         STACK_OF(X509_EXTENSION) *singleExtensions;
 137 } SingleResponse;
 138
 139 /*
 140  * ResponseData ::= SEQUENCE {
 141  *   version              [0] EXPLICIT Version DEFAULT v1,
 142  *   responderID              ResponderID,
 143  *   producedAt               GeneralizedTime,
 144  *   responses                SEQUENCE OF SingleResponse,
 145  *   responseExtensions   [1] EXPLICIT Extensions OPTIONAL }
 146  */
 147 typedef struct {
 148         ASN1_INTEGER *version;
 149         ResponderID *responderID;
 150         ASN1_GENERALIZEDTIME *producedAt;
 151         STACK_OF(SingleResponse) *responses;
 152         STACK_OF(X509_EXTENSION) *responseExtensions;
 153 } ResponseData;
 154
 155 /*
 156  * BasicOCSPResponse       ::= SEQUENCE {
 157  *   tbsResponseData      ResponseData,
 158  *   signatureAlgorithm   AlgorithmIdentifier,
 159  *   signature            BIT STRING,
 160  *   certs                [0] EXPLICIT SEQUENCE OF Certificate OPTIONAL }
 161  */
 162 typedef struct {
 163         ResponseData *tbsResponseData;
 164         X509_ALGOR *signatureAlgorithm;
 165         ASN1_BIT_STRING *signature;
 166         STACK_OF(X509) *certs;
 167 } BasicOCSPResponse;
 168
 169 ASN1_SEQUENCE(CertID) = {
 170         ASN1_SIMPLE(CertID, hashAlgorithm, X509_ALGOR),
 171         ASN1_SIMPLE(CertID, issuerNameHash, ASN1_OCTET_STRING),
 172         ASN1_SIMPLE(CertID, issuerKeyHash, ASN1_OCTET_STRING),
 173         ASN1_SIMPLE(CertID, serialNumber, ASN1_INTEGER)
 174 } ASN1_SEQUENCE_END(CertID);
 175
 176 ASN1_CHOICE(ResponderID) = {
 177         ASN1_EXP(ResponderID, value.byName, X509_NAME, 1),
 178         ASN1_EXP(ResponderID, value.byKey, ASN1_OCTET_STRING, 2)
 179 } ASN1_CHOICE_END(ResponderID);
 180
 181 ASN1_SEQUENCE(RevokedInfo) = {
 182         ASN1_SIMPLE(RevokedInfo, revocationTime, ASN1_GENERALIZEDTIME),
 183         ASN1_EXP_OPT(RevokedInfo, revocationReason, ASN1_ENUMERATED, 0)
 184 } ASN1_SEQUENCE_END(RevokedInfo);
 185
 186 ASN1_CHOICE(CertStatus) = {
 187         ASN1_IMP(CertStatus, value.good, ASN1_NULL, 0),
 188         ASN1_IMP(CertStatus, value.revoked, RevokedInfo, 1),
 189         ASN1_IMP(CertStatus, value.unknown, ASN1_NULL, 2)
 190 } ASN1_CHOICE_END(CertStatus);
 191
 192 ASN1_SEQUENCE(SingleResponse) = {
 193         ASN1_SIMPLE(SingleResponse, certID, CertID),
 194         ASN1_SIMPLE(SingleResponse, certStatus, CertStatus),
 195         ASN1_SIMPLE(SingleResponse, thisUpdate, ASN1_GENERALIZEDTIME),
 196         ASN1_EXP_OPT(SingleResponse, nextUpdate, ASN1_GENERALIZEDTIME, 0),
 197         ASN1_EXP_SEQUENCE_OF_OPT(SingleResponse, singleExtensions,
 198                                  X509_EXTENSION, 1)
 199 } ASN1_SEQUENCE_END(SingleResponse);
 200
 201 ASN1_SEQUENCE(ResponseData) = {
 202         ASN1_EXP_OPT(ResponseData, version, ASN1_INTEGER, 0),
 203         ASN1_SIMPLE(ResponseData, responderID, ResponderID),
 204         ASN1_SIMPLE(ResponseData, producedAt, ASN1_GENERALIZEDTIME),
 205         ASN1_SEQUENCE_OF(ResponseData, responses, SingleResponse),
 206         ASN1_EXP_SEQUENCE_OF_OPT(ResponseData, responseExtensions,
 207                                  X509_EXTENSION, 1)
 208 } ASN1_SEQUENCE_END(ResponseData);
 209
 210 ASN1_SEQUENCE(BasicOCSPResponse) = {
 211         ASN1_SIMPLE(BasicOCSPResponse, tbsResponseData, ResponseData),
 212         ASN1_SIMPLE(BasicOCSPResponse, signatureAlgorithm, X509_ALGOR),
 213         ASN1_SIMPLE(BasicOCSPResponse, signature, ASN1_BIT_STRING),
 214         ASN1_EXP_SEQUENCE_OF_OPT(BasicOCSPResponse, certs, X509, 0)
 215 } ASN1_SEQUENCE_END(BasicOCSPResponse);
 216
 217 IMPLEMENT_ASN1_FUNCTIONS(BasicOCSPResponse);
 218
 219 #define sk_SingleResponse_num(sk) \
 220 sk_num(CHECKED_CAST(_STACK *, STACK_OF(SingleResponse) *, sk))
 221
 222 #define sk_SingleResponse_value(sk, i) \
 223         ((SingleResponse *)                                             \
 224          sk_value(CHECKED_CAST(_STACK *, STACK_OF(SingleResponse) *, sk), (i)))
 225
 226
 227 static char * mem_bio_to_str(BIO *out)
 228 {
 229         char *txt;
 230         size_t rlen;
 231         int res;
 232
 233         rlen = BIO_ctrl_pending(out);
 234         txt = os_malloc(rlen + 1);
 235         if (!txt) {
 236                 BIO_free(out);
 237                 return NULL;
 238         }
 239
 240         res = BIO_read(out, txt, rlen);
 241         BIO_free(out);
 242         if (res < 0) {
 243                 os_free(txt);
 244                 return NULL;
 245         }
 246
 247         txt[res] = '\0';
 248         return txt;
 249 }
 250
 251
 252 static char * generalizedtime_str(ASN1_GENERALIZEDTIME *t)
 253 {
 254         BIO *out;
 255
 256         out = BIO_new(BIO_s_mem());
 257         if (!out)
 258                 return NULL;
 259
 260         if (!ASN1_GENERALIZEDTIME_print(out, t)) {
 261                 BIO_free(out);
 262                 return NULL;
 263         }
 264
 265         return mem_bio_to_str(out);
 266 }
 267
 268
 269 static char * responderid_str(ResponderID *rid)
 270 {
 271         BIO *out;
 272
 273         out = BIO_new(BIO_s_mem());
 274         if (!out)
 275                 return NULL;
 276
 277         switch (rid->type) {
 278         case 0:
 279                 X509_NAME_print_ex(out, rid->value.byName, 0, XN_FLAG_ONELINE);
 280                 break;
 281         case 1:
 282                 i2a_ASN1_STRING(out, rid->value.byKey, V_ASN1_OCTET_STRING);
 283                 break;
 284         default:
 285                 BIO_free(out);
 286                 return NULL;
 287         }
 288
 289         return mem_bio_to_str(out);
 290 }
 291
 292
 293 static char * octet_string_str(ASN1_OCTET_STRING *o)
 294 {
 295         BIO *out;
 296
 297         out = BIO_new(BIO_s_mem());
 298         if (!out)
 299                 return NULL;
 300
 301         i2a_ASN1_STRING(out, o, V_ASN1_OCTET_STRING);
 302         return mem_bio_to_str(out);
 303 }
 304
 305
 306 static char * integer_str(ASN1_INTEGER *i)
 307 {
 308         BIO *out;
 309
 310         out = BIO_new(BIO_s_mem());
 311         if (!out)
 312                 return NULL;
 313
 314         i2a_ASN1_INTEGER(out, i);
 315         return mem_bio_to_str(out);
 316 }
 317
 318
 319 static char * algor_str(X509_ALGOR *alg)
 320 {
 321         BIO *out;
 322
 323         out = BIO_new(BIO_s_mem());
 324         if (!out)
 325                 return NULL;
 326
 327         i2a_ASN1_OBJECT(out, alg->algorithm);
 328         return mem_bio_to_str(out);
 329 }
 330
 331
 332 static char * extensions_str(const char *title, STACK_OF(X509_EXTENSION) *ext)
 333 {
 334         BIO *out;
 335
 336         if (!ext)
 337                 return NULL;
 338
 339         out = BIO_new(BIO_s_mem());
 340         if (!out)
 341                 return NULL;
 342
 343         if (!X509V3_extensions_print(out, title, ext, 0, 0)) {
 344                 BIO_free(out);
 345                 return NULL;
 346         }
 347         return mem_bio_to_str(out);
 348 }
 349
 350
 351 static int ocsp_resp_valid(ASN1_GENERALIZEDTIME *thisupd,
 352                            ASN1_GENERALIZEDTIME *nextupd)
 353 {
 354         time_t now, tmp;
 355
 356         if (!ASN1_GENERALIZEDTIME_check(thisupd)) {
 357                 wpa_printf(MSG_DEBUG,
 358                            "OpenSSL: Invalid OCSP response thisUpdate");
 359                 return 0;
 360         }
 361
 362         time(&now);
 363         tmp = now + 5 * 60; /* allow five minute clock difference */
 364         if (X509_cmp_time(thisupd, &tmp) > 0) {
 365                 wpa_printf(MSG_DEBUG, "OpenSSL: OCSP response not yet valid");
 366                 return 0;
 367         }
 368
 369         if (!nextupd)
 370                 return 1; /* OK - no limit on response age */
 371
 372         if (!ASN1_GENERALIZEDTIME_check(nextupd)) {
 373                 wpa_printf(MSG_DEBUG,
 374                            "OpenSSL: Invalid OCSP response nextUpdate");
 375                 return 0;
 376         }
 377
 378         tmp = now - 5 * 60; /* allow five minute clock difference */
 379         if (X509_cmp_time(nextupd, &tmp) < 0) {
 380                 wpa_printf(MSG_DEBUG, "OpenSSL: OCSP response expired");
 381                 return 0;
 382         }
 383
 384         if (ASN1_STRING_cmp(nextupd, thisupd) < 0) {
 385                 wpa_printf(MSG_DEBUG,
 386                            "OpenSSL: OCSP response nextUpdate before thisUpdate");
 387                 return 0;
 388         }
 389
 390         /* Both thisUpdate and nextUpdate are valid */
 391         return -1;
 392 }
 393
 394
 395 static int issuer_match(X509 *cert, X509 *issuer, CertID *certid)
 396 {
 397         X509_NAME *iname;
 398         ASN1_BIT_STRING *ikey;
 399         const EVP_MD *dgst;
 400         unsigned int len;
 401         unsigned char md[EVP_MAX_MD_SIZE];
 402         ASN1_OCTET_STRING *hash;
 403         char *txt;
 404
 405         dgst = EVP_get_digestbyobj(certid->hashAlgorithm->algorithm);
 406         if (!dgst) {
 407                 wpa_printf(MSG_DEBUG,
 408                            "OpenSSL: Could not find matching hash algorithm for OCSP");
 409                 return -1;
 410         }
 411
 412         iname = X509_get_issuer_name(cert);
 413         if (!X509_NAME_digest(iname, dgst, md, &len))
 414                 return -1;
 415         hash = ASN1_OCTET_STRING_new();
 416         if (!hash)
 417                 return -1;
 418         if (!ASN1_OCTET_STRING_set(hash, md, len)) {
 419                 ASN1_OCTET_STRING_free(hash);
 420                 return -1;
 421         }
 422
 423         txt = octet_string_str(hash);
 424         if (txt) {
 425                 wpa_printf(MSG_DEBUG, "OpenSSL: calculated issuerNameHash: %s",
 426                            txt);
 427                 os_free(txt);
 428         }
 429
 430         if (ASN1_OCTET_STRING_cmp(certid->issuerNameHash, hash)) {
 431                 ASN1_OCTET_STRING_free(hash);
 432                 return -1;
 433         }
 434
 435         ikey = X509_get0_pubkey_bitstr(issuer);
 436         if (!ikey ||
 437             !EVP_Digest(ikey->data, ikey->length, md, &len, dgst, NULL) ||
 438             !ASN1_OCTET_STRING_set(hash, md, len)) {
 439                 ASN1_OCTET_STRING_free(hash);
 440                 return -1;
 441         }
 442
 443         txt = octet_string_str(hash);
 444         if (txt) {
 445                 wpa_printf(MSG_DEBUG, "OpenSSL: calculated issuerKeyHash: %s",
 446                            txt);
 447                 os_free(txt);
 448         }
 449
 450         if (ASN1_OCTET_STRING_cmp(certid->issuerKeyHash, hash)) {
 451                 ASN1_OCTET_STRING_free(hash);
 452                 return -1;
 453         }
 454
 455         ASN1_OCTET_STRING_free(hash);
 456         return 0;
 457 }
 458
 459
 460 static X509 * ocsp_find_signer(STACK_OF(X509) *certs, ResponderID *rid)
 461 {
 462         unsigned int i;
 463         unsigned char hash[SHA_DIGEST_LENGTH];
 464
 465         if (rid->type == 0) {
 466                 /* byName */
 467                 return X509_find_by_subject(certs, rid->value.byName);
 468         }
 469
 470         /* byKey */
 471         if (rid->value.byKey->length != SHA_DIGEST_LENGTH)
 472                 return NULL;
 473         for (i = 0; i < sk_X509_num(certs); i++) {
 474                 X509 *x = sk_X509_value(certs, i);
 475
 476                 X509_pubkey_digest(x, EVP_sha1(), hash, NULL);
 477                 if (os_memcmp(rid->value.byKey->data, hash,
 478                               SHA_DIGEST_LENGTH) == 0)
 479                         return x;
 480         }
 481
 482         return NULL;
 483 }
 484
 485
 486 enum ocsp_result check_ocsp_resp(SSL_CTX *ssl_ctx, SSL *ssl, X509 *cert,
 487                                  X509 *issuer, X509 *issuer_issuer)
 488 {
 489         const uint8_t *resp_data;
 490         size_t resp_len;
 491         OCSPResponse *resp;
 492         int status;
 493         ResponseBytes *bytes;
 494         const u8 *basic_data;
 495         size_t basic_len;
 496         BasicOCSPResponse *basic;
 497         ResponseData *rd;
 498         char *txt;
 499         int i, num;
 500         unsigned int j, num_resp;
 501         SingleResponse *matching_resp = NULL, *cmp_sresp;
 502         enum ocsp_result result = OCSP_INVALID;
 503         X509_STORE *store;
 504         STACK_OF(X509) *untrusted = NULL, *certs = NULL, *chain = NULL;
 505         X509_STORE_CTX ctx;
 506         X509 *signer, *tmp_cert;
 507         int signer_trusted = 0;
 508         EVP_PKEY *skey;
 509         int ret;
 510         char buf[256];
 511
 512         txt = integer_str(X509_get_serialNumber(cert));
 513         if (txt) {
 514                 wpa_printf(MSG_DEBUG,
 515                            "OpenSSL: Searching OCSP response for peer certificate serialNumber: %s", txt);
 516                 os_free(txt);
 517         }
 518
 519         SSL_get0_ocsp_response(ssl, &resp_data, &resp_len);
 520         if (resp_data == NULL || resp_len == 0) {
 521                 wpa_printf(MSG_DEBUG, "OpenSSL: No OCSP response received");
 522                 return OCSP_NO_RESPONSE;
 523         }
 524
 525         wpa_hexdump(MSG_DEBUG, "OpenSSL: OCSP response", resp_data, resp_len);
 526
 527         resp = d2i_OCSPResponse(NULL, &resp_data, resp_len);
 528         if (!resp) {
 529                 wpa_printf(MSG_INFO, "OpenSSL: Failed to parse OCSPResponse");
 530                 return OCSP_INVALID;
 531         }
 532
 533         status = ASN1_ENUMERATED_get(resp->responseStatus);
 534         if (status != 0) {
 535                 wpa_printf(MSG_INFO, "OpenSSL: OCSP responder error %d",
 536                            status);
 537                 return OCSP_INVALID;
 538         }
 539
 540         bytes = resp->responseBytes;
 541
 542         if (!bytes ||
 543             OBJ_obj2nid(bytes->responseType) != NID_id_pkix_OCSP_basic) {
 544                 wpa_printf(MSG_INFO,
 545                            "OpenSSL: Could not find BasicOCSPResponse");
 546                 return OCSP_INVALID;
 547         }
 548
 549         basic_data = ASN1_STRING_data(bytes->response);
 550         basic_len = ASN1_STRING_length(bytes->response);
 551         wpa_hexdump(MSG_DEBUG, "OpenSSL: BasicOCSPResponse",
 552                     basic_data, basic_len);
 553
 554         basic = d2i_BasicOCSPResponse(NULL, &basic_data, basic_len);
 555         if (!basic) {
 556                 wpa_printf(MSG_INFO,
 557                            "OpenSSL: Could not parse BasicOCSPResponse");
 558                 OCSPResponse_free(resp);
 559                 return OCSP_INVALID;
 560         }
 561
 562         rd = basic->tbsResponseData;
 563
 564         if (basic->certs) {
 565                 untrusted = sk_X509_dup(basic->certs);
 566                 if (!untrusted)
 567                         goto fail;
 568
 569                 num = sk_X509_num(basic->certs);
 570                 for (i = 0; i < num; i++) {
 571                         X509 *extra_cert;
 572
 573                         extra_cert = sk_X509_value(basic->certs, i);
 574                         X509_NAME_oneline(X509_get_subject_name(extra_cert),
 575                                           buf, sizeof(buf));
 576                         wpa_printf(MSG_DEBUG,
 577                                    "OpenSSL: BasicOCSPResponse cert %s", buf);
 578
 579                         if (!sk_X509_push(untrusted, extra_cert)) {
 580                                 wpa_printf(MSG_DEBUG,
 581                                            "OpenSSL: Could not add certificate to the untrusted stack");
 582                         }
 583                 }
 584         }
 585
 586         store = SSL_CTX_get_cert_store(ssl_ctx);
 587         if (issuer) {
 588                 if (X509_STORE_add_cert(store, issuer) != 1) {
 589                         tls_show_errors(MSG_INFO, __func__,
 590                                         "OpenSSL: Could not add issuer to certificate store");
 591                 }
 592                 certs = sk_X509_new_null();
 593                 if (certs) {
 594                         tmp_cert = X509_dup(issuer);
 595                         if (tmp_cert && !sk_X509_push(certs, tmp_cert)) {
 596                                 tls_show_errors(
 597                                         MSG_INFO, __func__,
 598                                         "OpenSSL: Could not add issuer to OCSP responder trust store");
 599                                 X509_free(tmp_cert);
 600                                 sk_X509_free(certs);
 601                                 certs = NULL;
 602                         }
 603                         if (certs && issuer_issuer) {
 604                                 tmp_cert = X509_dup(issuer_issuer);
 605                                 if (tmp_cert &&
 606                                     !sk_X509_push(certs, tmp_cert)) {
 607                                         tls_show_errors(
 608                                                 MSG_INFO, __func__,
 609                                                 "OpenSSL: Could not add issuer's issuer to OCSP responder trust store");
 610                                         X509_free(tmp_cert);
 611                                 }
 612                         }
 613                 }
 614         }
 615
 616         signer = ocsp_find_signer(certs, rd->responderID);
 617         if (!signer)
 618                 signer = ocsp_find_signer(untrusted, rd->responderID);
 619         else
 620                 signer_trusted = 1;
 621         if (!signer) {
 622                 wpa_printf(MSG_DEBUG,
 623                            "OpenSSL: Could not find OCSP signer certificate");
 624                 goto fail;
 625         }
 626
 627         skey = X509_get_pubkey(signer);
 628         if (!skey) {
 629                 wpa_printf(MSG_DEBUG,
 630                            "OpenSSL: Could not get OCSP signer public key");
 631                 goto fail;
 632         }
 633         if (ASN1_item_verify(ASN1_ITEM_rptr(ResponseData),
 634                              basic->signatureAlgorithm, basic->signature,
 635                              basic->tbsResponseData, skey) <= 0) {
 636                 wpa_printf(MSG_DEBUG,
 637                            "OpenSSL: BasicOCSPResponse signature is invalid");
 638                 goto fail;
 639         }
 640
 641         X509_NAME_oneline(X509_get_subject_name(signer), buf, sizeof(buf));
 642         wpa_printf(MSG_DEBUG,
 643                    "OpenSSL: Found OCSP signer certificate %s and verified BasicOCSPResponse signature",
 644                    buf);
 645
 646         if (!X509_STORE_CTX_init(&ctx, store, signer, untrusted))
 647                 goto fail;
 648         X509_STORE_CTX_set_purpose(&ctx, X509_PURPOSE_OCSP_HELPER);
 649         ret = X509_verify_cert(&ctx);
 650         chain = X509_STORE_CTX_get1_chain(&ctx);
 651         X509_STORE_CTX_cleanup(&ctx);
 652         if (ret <= 0) {
 653                 wpa_printf(MSG_DEBUG,
 654                            "OpenSSL: Could not validate OCSP signer certificate");
 655                 goto fail;
 656         }
 657
 658         if (!chain || sk_X509_num(chain) <= 0) {
 659                 wpa_printf(MSG_DEBUG, "OpenSSL: No OCSP signer chain found");
 660                 goto fail;
 661         }
 662
 663         if (!signer_trusted) {
 664                 X509_check_purpose(signer, -1, 0);
 665                 if ((signer->ex_flags & EXFLAG_XKUSAGE) &&
 666                     (signer->ex_xkusage & XKU_OCSP_SIGN)) {
 667                         wpa_printf(MSG_DEBUG,
 668                                    "OpenSSL: OCSP signer certificate delegation OK");
 669                 } else {
 670                         tmp_cert = sk_X509_value(chain, sk_X509_num(chain) - 1);
 671                         if (X509_check_trust(tmp_cert, NID_OCSP_sign, 0) !=
 672                             X509_TRUST_TRUSTED) {
 673                                 wpa_printf(MSG_DEBUG,
 674                                            "OpenSSL: OCSP signer certificate not trusted");
 675                                 result = OCSP_NO_RESPONSE;
 676                                 goto fail;
 677                         }
 678                 }
 679         }
 680
 681         wpa_printf(MSG_DEBUG, "OpenSSL: OCSP version: %lu",
 682                    ASN1_INTEGER_get(rd->version));
 683
 684         txt = responderid_str(rd->responderID);
 685         if (txt) {
 686                 wpa_printf(MSG_DEBUG, "OpenSSL: OCSP responderID: %s",
 687                            txt);
 688                 os_free(txt);
 689         }
 690
 691         txt = generalizedtime_str(rd->producedAt);
 692         if (txt) {
 693                 wpa_printf(MSG_DEBUG, "OpenSSL: OCSP producedAt: %s",
 694                            txt);
 695                 os_free(txt);
 696         }
 697
 698         num_resp = sk_SingleResponse_num(rd->responses);
 699         if (num_resp == 0) {
 700                 wpa_printf(MSG_DEBUG,
 701                            "OpenSSL: No OCSP SingleResponse within BasicOCSPResponse");
 702                 result = OCSP_NO_RESPONSE;
 703                 goto fail;
 704         }
 705         cmp_sresp = sk_SingleResponse_value(rd->responses, 0);
 706         for (j = 0; j < num_resp; j++) {
 707                 SingleResponse *sresp;
 708                 CertID *cid1, *cid2;
 709
 710                 sresp = sk_SingleResponse_value(rd->responses, j);
 711                 wpa_printf(MSG_DEBUG, "OpenSSL: OCSP SingleResponse %u/%u",
 712                            j + 1, num_resp);
 713
 714                 txt = algor_str(sresp->certID->hashAlgorithm);
 715                 if (txt) {
 716                         wpa_printf(MSG_DEBUG,
 717                                    "OpenSSL: certID hashAlgorithm: %s", txt);
 718                         os_free(txt);
 719                 }
 720
 721                 txt = octet_string_str(sresp->certID->issuerNameHash);
 722                 if (txt) {
 723                         wpa_printf(MSG_DEBUG,
 724                                    "OpenSSL: certID issuerNameHash: %s", txt);
 725                         os_free(txt);
 726                 }
 727
 728                 txt = octet_string_str(sresp->certID->issuerKeyHash);
 729                 if (txt) {
 730                         wpa_printf(MSG_DEBUG,
 731                                    "OpenSSL: certID issuerKeyHash: %s", txt);
 732                         os_free(txt);
 733                 }
 734
 735                 txt = integer_str(sresp->certID->serialNumber);
 736                 if (txt) {
 737                         wpa_printf(MSG_DEBUG,
 738                                    "OpenSSL: certID serialNumber: %s", txt);
 739                         os_free(txt);
 740                 }
 741
 742                 switch (sresp->certStatus->type) {
 743                 case 0:
 744                         wpa_printf(MSG_DEBUG, "OpenSSL: certStatus: good");
 745                         break;
 746                 case 1:
 747                         wpa_printf(MSG_DEBUG, "OpenSSL: certStatus: revoked");
 748                         break;
 749                 default:
 750                         wpa_printf(MSG_DEBUG, "OpenSSL: certStatus: unknown");
 751                         break;
 752                 }
 753
 754                 txt = generalizedtime_str(sresp->thisUpdate);
 755                 if (txt) {
 756                         wpa_printf(MSG_DEBUG, "OpenSSL: thisUpdate: %s", txt);
 757                         os_free(txt);
 758                 }
 759
 760                 if (sresp->nextUpdate) {
 761                         txt = generalizedtime_str(sresp->nextUpdate);
 762                         if (txt) {
 763                                 wpa_printf(MSG_DEBUG, "OpenSSL: nextUpdate: %s",
 764                                            txt);
 765                                 os_free(txt);
 766                         }
 767                 }
 768
 769                 txt = extensions_str("singleExtensions",
 770                                      sresp->singleExtensions);
 771                 if (txt) {
 772                         wpa_printf(MSG_DEBUG, "OpenSSL: %s", txt);
 773                         os_free(txt);
 774                 }
 775
 776                 cid1 = cmp_sresp->certID;
 777                 cid2 = sresp->certID;
 778                 if (j > 0 &&
 779                     (OBJ_cmp(cid1->hashAlgorithm->algorithm,
 780                              cid2->hashAlgorithm->algorithm) != 0 ||
 781                      ASN1_OCTET_STRING_cmp(cid1->issuerNameHash,
 782                                            cid2->issuerNameHash) != 0 ||
 783                      ASN1_OCTET_STRING_cmp(cid1->issuerKeyHash,
 784                                            cid2->issuerKeyHash) != 0)) {
 785                         wpa_printf(MSG_DEBUG,
 786                                    "OpenSSL: Different OCSP response issuer information between SingleResponse values within BasicOCSPResponse");
 787                         goto fail;
 788                 }
 789
 790                 if (!matching_resp && issuer &&
 791                     ASN1_INTEGER_cmp(sresp->certID->serialNumber,
 792                                      X509_get_serialNumber(cert)) == 0 &&
 793                     issuer_match(cert, issuer, sresp->certID) == 0) {
 794                         wpa_printf(MSG_DEBUG,
 795                                    "OpenSSL: This response matches peer certificate");
 796                         matching_resp = sresp;
 797                 }
 798         }
 799
 800         txt = extensions_str("responseExtensions", rd->responseExtensions);
 801         if (txt) {
 802                 wpa_printf(MSG_DEBUG, "OpenSSL: %s", txt);
 803                 os_free(txt);
 804         }
 805
 806         if (!matching_resp) {
 807                 wpa_printf(MSG_DEBUG,
 808                            "OpenSSL: Could not find OCSP response that matches the peer certificate");
 809                 result = OCSP_NO_RESPONSE;
 810                 goto fail;
 811         }
 812
 813         if (!ocsp_resp_valid(matching_resp->thisUpdate,
 814                              matching_resp->nextUpdate)) {
 815                 wpa_printf(MSG_DEBUG,
 816                            "OpenSSL: OCSP response not valid at this time");
 817                 goto fail;
 818         }
 819
 820         if (matching_resp->certStatus->type == 1) {
 821                 wpa_printf(MSG_DEBUG,
 822                            "OpenSSL: OCSP response indicated that the peer certificate has been revoked");
 823                 result = OCSP_REVOKED;
 824                 goto fail;
 825         }
 826
 827         if (matching_resp->certStatus->type != 0) {
 828                 wpa_printf(MSG_DEBUG,
 829                            "OpenSSL: OCSP response did not indicate good status");
 830                 result = OCSP_NO_RESPONSE;
 831                 goto fail;
 832         }
 833
 834         /* OCSP response indicated the certificate is good. */
 835         result = OCSP_GOOD;
 836 fail:
 837         sk_X509_pop_free(chain, X509_free);
 838         sk_X509_free(untrusted);
 839         sk_X509_pop_free(certs, X509_free);
 840         BasicOCSPResponse_free(basic);
 841         OCSPResponse_free(resp);
 842
 843         return result;
 844 }
 845
 846 #endif /* OPENSSL_IS_BORINGSSL */