This commit was manufactured by cvs2git to create tag 'tb_20250414'.tb_20250414

author: cvs2svn <admin@example.com> 2025-04-14 17:32:06 +0000
committer: cvs2svn <admin@example.com> 2025-04-14 17:32:06 +0000
commit: b1ddde874c215cc8891531ed92876f091b7eb83e (patch)
tree: edb6da6af7e865d488dc1a29309f1e1ec226e603 /src/lib/libtls/tls_ocsp.c
parent: f0a36529837a161734c802ae4c42e84e42347be2 (diff)
download: openbsd-tb_20250414.tar.gz
openbsd-tb_20250414.tar.bz2
openbsd-tb_20250414.zip
1 files changed, 0 insertions, 473 deletions
diff --git a/src/lib/libtls/tls_ocsp.c b/src/lib/libtls/tls_ocsp.c
deleted file mode 100644
index bfd06e3c6a..0000000000
--- a/src/lib/libtls/tls_ocsp.c
+++ /dev/null
@@ -1,473 +0,0 @@
-/*      $OpenBSD: tls_ocsp.c,v 1.26 2024/03/26 06:24:52 joshua Exp $ */
-/*
- * Copyright (c) 2015 Marko Kreen <markokr@gmail.com>
- * Copyright (c) 2016 Bob Beck <beck@openbsd.org>
- *
- * Permission to use, copy, modify, and distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
- * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
- * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
- * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
- * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
- * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
- * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
- */
-#include <sys/types.h>
-#include <arpa/inet.h>
-#include <netinet/in.h>
-#include <string.h>
-#include <openssl/err.h>
-#include <openssl/ocsp.h>
-#include <openssl/posix_time.h>
-#include <openssl/x509.h>
-#include <tls.h>
-#include "tls_internal.h"
-#define MAXAGE_SEC (14*24*60*60)
-#define JITTER_SEC (60)
-/*
- * State for request.
- */
-static struct tls_ocsp *
-tls_ocsp_new(void)
-{
-        return (calloc(1, sizeof(struct tls_ocsp)));
-}
-void
-tls_ocsp_free(struct tls_ocsp *ocsp)
-{
-        if (ocsp == NULL)
-                return;
-        X509_free(ocsp->main_cert);
-        free(ocsp->ocsp_result);
-        free(ocsp->ocsp_url);
-        free(ocsp);
-}
-static int
-tls_ocsp_asn1_parse_time(struct tls *ctx, ASN1_GENERALIZEDTIME *gt, time_t *gt_time)
-{
-        struct tm tm;
-        if (gt == NULL)
-                return -1;
-        /* RFC 6960 specifies that all times in OCSP must be GENERALIZEDTIME */
-        if (!ASN1_GENERALIZEDTIME_check(gt))
-                return -1;
-        if (!ASN1_TIME_to_tm(gt, &tm))
-                return -1;
-        if (!OPENSSL_timegm(&tm, gt_time))
-                return -1;
-        return 0;
-}
-static int
-tls_ocsp_fill_info(struct tls *ctx, int response_status, int cert_status,
-    int crl_reason, ASN1_GENERALIZEDTIME *revtime,
-    ASN1_GENERALIZEDTIME *thisupd, ASN1_GENERALIZEDTIME *nextupd)
-{
-        struct tls_ocsp_result *info = NULL;
-        free(ctx->ocsp->ocsp_result);
-        ctx->ocsp->ocsp_result = NULL;
-        if ((info = calloc(1, sizeof (struct tls_ocsp_result))) == NULL) {
-                tls_set_error(ctx, TLS_ERROR_OUT_OF_MEMORY, "out of memory");
-                return -1;
-        }
-        info->response_status = response_status;
-        info->cert_status = cert_status;
-        info->crl_reason = crl_reason;
-        if (info->response_status != OCSP_RESPONSE_STATUS_SUCCESSFUL) {
-                info->result_msg =
-                    OCSP_response_status_str(info->response_status);
-        } else if (info->cert_status != V_OCSP_CERTSTATUS_REVOKED) {
-                info->result_msg = OCSP_cert_status_str(info->cert_status);
-        } else {
-                info->result_msg = OCSP_crl_reason_str(info->crl_reason);
-        }
-        info->revocation_time = info->this_update = info->next_update = -1;
-        if (revtime != NULL &&
-            tls_ocsp_asn1_parse_time(ctx, revtime, &info->revocation_time) != 0) {
-                tls_set_error(ctx, TLS_ERROR_UNKNOWN,
-                    "unable to parse revocation time in OCSP reply");
-                goto err;
-        }
-        if (thisupd != NULL &&
-            tls_ocsp_asn1_parse_time(ctx, thisupd, &info->this_update) != 0) {
-                tls_set_error(ctx, TLS_ERROR_UNKNOWN,
-                    "unable to parse this update time in OCSP reply");
-                goto err;
-        }
-        if (nextupd != NULL &&
-            tls_ocsp_asn1_parse_time(ctx, nextupd, &info->next_update) != 0) {
-                tls_set_error(ctx, TLS_ERROR_UNKNOWN,
-                    "unable to parse next update time in OCSP reply");
-                goto err;
-        }
-        ctx->ocsp->ocsp_result = info;
-        return 0;
- err:
-        free(info);
-        return -1;
-}
-static OCSP_CERTID *
-tls_ocsp_get_certid(X509 *main_cert, STACK_OF(X509) *extra_certs,
-    SSL_CTX *ssl_ctx)
-{
-        X509_NAME *issuer_name;
-        X509 *issuer;
-        X509_STORE_CTX *storectx = NULL;
-        X509_OBJECT *obj = NULL;
-        OCSP_CERTID *cid = NULL;
-        X509_STORE *store;
-        if ((issuer_name = X509_get_issuer_name(main_cert)) == NULL)
-                goto out;
-        if (extra_certs != NULL) {
-                issuer = X509_find_by_subject(extra_certs, issuer_name);
-                if (issuer != NULL) {
-                        cid = OCSP_cert_to_id(NULL, main_cert, issuer);
-                        goto out;
-                }
-        }
-        if ((store = SSL_CTX_get_cert_store(ssl_ctx)) == NULL)
-                goto out;
-        if ((storectx = X509_STORE_CTX_new()) == NULL)
-                goto out;
-        if (X509_STORE_CTX_init(storectx, store, main_cert, extra_certs) != 1)
-                goto out;
-        if ((obj = X509_STORE_CTX_get_obj_by_subject(storectx, X509_LU_X509,
-            issuer_name)) == NULL)
-                goto out;
-        cid = OCSP_cert_to_id(NULL, main_cert, X509_OBJECT_get0_X509(obj));
- out:
-        X509_STORE_CTX_free(storectx);
-        X509_OBJECT_free(obj);
-        return cid;
-}
-struct tls_ocsp *
-tls_ocsp_setup_from_peer(struct tls *ctx)
-{
-        struct tls_ocsp *ocsp = NULL;
-        STACK_OF(OPENSSL_STRING) *ocsp_urls = NULL;
-        if ((ocsp = tls_ocsp_new()) == NULL)
-                goto err;
-        /* steal state from ctx struct */
-        ocsp->main_cert = SSL_get_peer_certificate(ctx->ssl_conn);
-        ocsp->extra_certs = SSL_get_peer_cert_chain(ctx->ssl_conn);
-        if (ocsp->main_cert == NULL) {
-                tls_set_errorx(ctx, TLS_ERROR_UNKNOWN,
-                    "no peer certificate for OCSP");
-                goto err;
-        }
-        ocsp_urls = X509_get1_ocsp(ocsp->main_cert);
-        if (ocsp_urls == NULL) {
-                tls_set_errorx(ctx, TLS_ERROR_UNKNOWN,
-                    "no OCSP URLs in peer certificate");
-                goto err;
-        }
-        ocsp->ocsp_url = strdup(sk_OPENSSL_STRING_value(ocsp_urls, 0));
-        if (ocsp->ocsp_url == NULL) {
-                tls_set_errorx(ctx, TLS_ERROR_OUT_OF_MEMORY, "out of memory");
-                goto err;
-        }
-        X509_email_free(ocsp_urls);
-        return ocsp;
- err:
-        tls_ocsp_free(ocsp);
-        X509_email_free(ocsp_urls);
-        return NULL;
-}
-static int
-tls_ocsp_verify_response(struct tls *ctx, OCSP_RESPONSE *resp)
-{
-        OCSP_BASICRESP *br = NULL;
-        ASN1_GENERALIZEDTIME *revtime = NULL, *thisupd = NULL, *nextupd = NULL;
-        OCSP_CERTID *cid = NULL;
-        STACK_OF(X509) *combined = NULL;
-        int response_status=0, cert_status=0, crl_reason=0;
-        int ret = -1;
-        unsigned long flags;
-        if ((br = OCSP_response_get1_basic(resp)) == NULL) {
-                tls_set_errorx(ctx, TLS_ERROR_UNKNOWN, "cannot load ocsp reply");
-                goto err;
-        }
-        /*
-         * Skip validation of 'extra_certs' as this should be done
-         * already as part of main handshake.
-         */
-        flags = OCSP_TRUSTOTHER;
-        /* now verify */
-        if (OCSP_basic_verify(br, ctx->ocsp->extra_certs,
-                SSL_CTX_get_cert_store(ctx->ssl_ctx), flags) != 1) {
-                tls_set_errorx(ctx, TLS_ERROR_UNKNOWN, "ocsp verify failed");
-                goto err;
-        }
-        /* signature OK, look inside */
-        response_status = OCSP_response_status(resp);
-        if (response_status != OCSP_RESPONSE_STATUS_SUCCESSFUL) {
-                tls_set_errorx(ctx, TLS_ERROR_UNKNOWN,
-                    "ocsp verify failed: response - %s",
-                    OCSP_response_status_str(response_status));
-                goto err;
-        }
-        cid = tls_ocsp_get_certid(ctx->ocsp->main_cert,
-            ctx->ocsp->extra_certs, ctx->ssl_ctx);
-        if (cid == NULL) {
-                tls_set_errorx(ctx, TLS_ERROR_UNKNOWN,
-                    "ocsp verify failed: no issuer cert");
-                goto err;
-        }
-        if (OCSP_resp_find_status(br, cid, &cert_status, &crl_reason,
-            &revtime, &thisupd, &nextupd) != 1) {
-                tls_set_errorx(ctx, TLS_ERROR_UNKNOWN,
-                    "ocsp verify failed: no result for cert");
-                goto err;
-        }
-        if (OCSP_check_validity(thisupd, nextupd, JITTER_SEC,
-            MAXAGE_SEC) != 1) {
-                tls_set_errorx(ctx, TLS_ERROR_UNKNOWN,
-                    "ocsp verify failed: ocsp response not current");
-                goto err;
-        }
-        if (tls_ocsp_fill_info(ctx, response_status, cert_status,
-            crl_reason, revtime, thisupd, nextupd) != 0)
-                goto err;
-        /* finally can look at status */
-        if (cert_status != V_OCSP_CERTSTATUS_GOOD && cert_status !=
-            V_OCSP_CERTSTATUS_UNKNOWN) {
-                tls_set_errorx(ctx, TLS_ERROR_UNKNOWN,
-                    "ocsp verify failed: revoked cert - %s",
-                    OCSP_crl_reason_str(crl_reason));
-                goto err;
-        }
-        ret = 0;
- err:
-        sk_X509_free(combined);
-        OCSP_CERTID_free(cid);
-        OCSP_BASICRESP_free(br);
-        return ret;
-}
-/*
- * Process a raw OCSP response from an OCSP server request.
- * OCSP details can then be retrieved with tls_peer_ocsp_* functions.
- * returns 0 if certificate ok, -1 otherwise.
- */
-static int
-tls_ocsp_process_response_internal(struct tls *ctx, const unsigned char *response,
-    size_t size)
-{
-        int ret;
-        OCSP_RESPONSE *resp;
-        resp = d2i_OCSP_RESPONSE(NULL, &response, size);
-        if (resp == NULL) {
-                tls_ocsp_free(ctx->ocsp);
-                ctx->ocsp = NULL;
-                tls_set_error(ctx, TLS_ERROR_UNKNOWN,
-                    "unable to parse OCSP response");
-                return -1;
-        }
-        ret = tls_ocsp_verify_response(ctx, resp);
-        OCSP_RESPONSE_free(resp);
-        return ret;
-}
-/* TLS handshake verification callback for stapled requests */
-int
-tls_ocsp_verify_cb(SSL *ssl, void *arg)
-{
-        const unsigned char *raw = NULL;
-        int size, res = -1;
-        struct tls *ctx;
-        if ((ctx = SSL_get_app_data(ssl)) == NULL)
-                return -1;
-        size = SSL_get_tlsext_status_ocsp_resp(ssl, &raw);
-        if (size <= 0) {
-                if (ctx->config->ocsp_require_stapling) {
-                        tls_set_errorx(ctx, TLS_ERROR_UNKNOWN,
-                            "no stapled OCSP response provided");
-                        return 0;
-                }
-                return 1;
-        }
-        tls_ocsp_free(ctx->ocsp);
-        if ((ctx->ocsp = tls_ocsp_setup_from_peer(ctx)) == NULL)
-                return 0;
-        if (ctx->config->verify_cert == 0 || ctx->config->verify_time == 0)
-                return 1;
-        res = tls_ocsp_process_response_internal(ctx, raw, size);
-        return (res == 0) ? 1 : 0;
-}
-/* Staple the OCSP information in ctx->ocsp to the server handshake. */
-int
-tls_ocsp_stapling_cb(SSL *ssl, void *arg)
-{
-        int ret = SSL_TLSEXT_ERR_ALERT_FATAL;
-        unsigned char *ocsp_staple = NULL;
-        struct tls *ctx;
-        if ((ctx = SSL_get_app_data(ssl)) == NULL)
-                goto err;
-        if (ctx->keypair == NULL || ctx->keypair->ocsp_staple == NULL ||
-            ctx->keypair->ocsp_staple_len == 0)
-                return SSL_TLSEXT_ERR_NOACK;
-        if ((ocsp_staple = malloc(ctx->keypair->ocsp_staple_len)) == NULL)
-                goto err;
-        memcpy(ocsp_staple, ctx->keypair->ocsp_staple,
-            ctx->keypair->ocsp_staple_len);
-        if (SSL_set_tlsext_status_ocsp_resp(ctx->ssl_conn, ocsp_staple,
-            ctx->keypair->ocsp_staple_len) != 1)
-                goto err;
-        ret = SSL_TLSEXT_ERR_OK;
- err:
-        if (ret != SSL_TLSEXT_ERR_OK)
-                free(ocsp_staple);
-        return ret;
-}
-/*
- * Public API
- */
-/* Retrieve OCSP URL from peer certificate, if present. */
-const char *
-tls_peer_ocsp_url(struct tls *ctx)
-{
-        if (ctx->ocsp == NULL)
-                return NULL;
-        return ctx->ocsp->ocsp_url;
-}
-const char *
-tls_peer_ocsp_result(struct tls *ctx)
-{
-        if (ctx->ocsp == NULL)
-                return NULL;
-        if (ctx->ocsp->ocsp_result == NULL)
-                return NULL;
-        return ctx->ocsp->ocsp_result->result_msg;
-}
-int
-tls_peer_ocsp_response_status(struct tls *ctx)
-{
-        if (ctx->ocsp == NULL)
-                return -1;
-        if (ctx->ocsp->ocsp_result == NULL)
-                return -1;
-        return ctx->ocsp->ocsp_result->response_status;
-}
-int
-tls_peer_ocsp_cert_status(struct tls *ctx)
-{
-        if (ctx->ocsp == NULL)
-                return -1;
-        if (ctx->ocsp->ocsp_result == NULL)
-                return -1;
-        return ctx->ocsp->ocsp_result->cert_status;
-}
-int
-tls_peer_ocsp_crl_reason(struct tls *ctx)
-{
-        if (ctx->ocsp == NULL)
-                return -1;
-        if (ctx->ocsp->ocsp_result == NULL)
-                return -1;
-        return ctx->ocsp->ocsp_result->crl_reason;
-}
-time_t
-tls_peer_ocsp_this_update(struct tls *ctx)
-{
-        if (ctx->ocsp == NULL)
-                return -1;
-        if (ctx->ocsp->ocsp_result == NULL)
-                return -1;
-        return ctx->ocsp->ocsp_result->this_update;
-}
-time_t
-tls_peer_ocsp_next_update(struct tls *ctx)
-{
-        if (ctx->ocsp == NULL)
-                return -1;
-        if (ctx->ocsp->ocsp_result == NULL)
-                return -1;
-        return ctx->ocsp->ocsp_result->next_update;
-}
-time_t
-tls_peer_ocsp_revocation_time(struct tls *ctx)
-{
-        if (ctx->ocsp == NULL)
-                return -1;
-        if (ctx->ocsp->ocsp_result == NULL)
-                return -1;
-        return ctx->ocsp->ocsp_result->revocation_time;
-}
-int
-tls_ocsp_process_response(struct tls *ctx, const unsigned char *response,
-    size_t size)
-{
-        if ((ctx->state & TLS_HANDSHAKE_COMPLETE) == 0)
-                return -1;
-        return tls_ocsp_process_response_internal(ctx, response, size);
-}
author	cvs2svn <admin@example.com>	2025-04-14 17:32:06 +0000
committer	cvs2svn <admin@example.com>	2025-04-14 17:32:06 +0000
commit	b1ddde874c215cc8891531ed92876f091b7eb83e (patch)
tree	edb6da6af7e865d488dc1a29309f1e1ec226e603 /src/lib/libtls/tls_ocsp.c
parent	f0a36529837a161734c802ae4c42e84e42347be2 (diff)
download	openbsd-tb_20250414.tar.gz openbsd-tb_20250414.tar.bz2 openbsd-tb_20250414.zip

diff --git a/src/lib/libtls/tls_ocsp.c b/src/lib/libtls/tls_ocsp.c deleted file mode 100644 index bfd06e3c6a..0000000000 --- a/src/lib/libtls/tls_ocsp.c +++ /dev/null
@@ -1,473 +0,0 @@
1	/* $OpenBSD: tls_ocsp.c,v 1.26 2024/03/26 06:24:52 joshua Exp $ */
2	/*
3	* Copyright (c) 2015 Marko Kreen <markokr@gmail.com>
4	* Copyright (c) 2016 Bob Beck <beck@openbsd.org>
5	*
6	* Permission to use, copy, modify, and distribute this software for any
7	* purpose with or without fee is hereby granted, provided that the above
8	* copyright notice and this permission notice appear in all copies.
9	*
10	* THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
11	* WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
12	* MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
13	* ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
14	* WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
15	* ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
16	* OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
17	*/
18
19	#include <sys/types.h>
20
21	#include <arpa/inet.h>
22	#include <netinet/in.h>
23
24	#include <string.h>
25
26	#include <openssl/err.h>
27	#include <openssl/ocsp.h>
28	#include <openssl/posix_time.h>
29	#include <openssl/x509.h>
30
31	#include <tls.h>
32	#include "tls_internal.h"
33
34	#define MAXAGE_SEC (142460*60)
35	#define JITTER_SEC (60)
36
37	/*
38	* State for request.
39	*/
40
41	static struct tls_ocsp *
42	tls_ocsp_new(void)
43	{
44	return (calloc(1, sizeof(struct tls_ocsp)));
45	}
46
47	void
48	tls_ocsp_free(struct tls_ocsp *ocsp)
49	{
50	if (ocsp == NULL)
51	return;
52
53	X509_free(ocsp->main_cert);
54	free(ocsp->ocsp_result);
55	free(ocsp->ocsp_url);
56
57	free(ocsp);
58	}
59
60	static int
61	tls_ocsp_asn1_parse_time(struct tls ctx, ASN1_GENERALIZEDTIME gt, time_t *gt_time)
62	{
63	struct tm tm;
64
65	if (gt == NULL)
66	return -1;
67	/* RFC 6960 specifies that all times in OCSP must be GENERALIZEDTIME */
68	if (!ASN1_GENERALIZEDTIME_check(gt))
69	return -1;
70	if (!ASN1_TIME_to_tm(gt, &tm))
71	return -1;
72	if (!OPENSSL_timegm(&tm, gt_time))
73	return -1;
74	return 0;
75	}
76
77	static int
78	tls_ocsp_fill_info(struct tls *ctx, int response_status, int cert_status,
79	int crl_reason, ASN1_GENERALIZEDTIME *revtime,
80	ASN1_GENERALIZEDTIME thisupd, ASN1_GENERALIZEDTIME nextupd)
81	{
82	struct tls_ocsp_result *info = NULL;
83
84	free(ctx->ocsp->ocsp_result);
85	ctx->ocsp->ocsp_result = NULL;
86
87	if ((info = calloc(1, sizeof (struct tls_ocsp_result))) == NULL) {
88	tls_set_error(ctx, TLS_ERROR_OUT_OF_MEMORY, "out of memory");
89	return -1;
90	}
91	info->response_status = response_status;
92	info->cert_status = cert_status;
93	info->crl_reason = crl_reason;
94	if (info->response_status != OCSP_RESPONSE_STATUS_SUCCESSFUL) {
95	info->result_msg =
96	OCSP_response_status_str(info->response_status);
97	} else if (info->cert_status != V_OCSP_CERTSTATUS_REVOKED) {
98	info->result_msg = OCSP_cert_status_str(info->cert_status);
99	} else {
100	info->result_msg = OCSP_crl_reason_str(info->crl_reason);
101	}
102	info->revocation_time = info->this_update = info->next_update = -1;
103	if (revtime != NULL &&
104	tls_ocsp_asn1_parse_time(ctx, revtime, &info->revocation_time) != 0) {
105	tls_set_error(ctx, TLS_ERROR_UNKNOWN,
106	"unable to parse revocation time in OCSP reply");
107	goto err;
108	}
109	if (thisupd != NULL &&
110	tls_ocsp_asn1_parse_time(ctx, thisupd, &info->this_update) != 0) {
111	tls_set_error(ctx, TLS_ERROR_UNKNOWN,
112	"unable to parse this update time in OCSP reply");
113	goto err;
114	}
115	if (nextupd != NULL &&
116	tls_ocsp_asn1_parse_time(ctx, nextupd, &info->next_update) != 0) {
117	tls_set_error(ctx, TLS_ERROR_UNKNOWN,
118	"unable to parse next update time in OCSP reply");
119	goto err;
120	}
121	ctx->ocsp->ocsp_result = info;
122	return 0;
123
124	err:
125	free(info);
126	return -1;
127	}
128
129	static OCSP_CERTID *
130	tls_ocsp_get_certid(X509 main_cert, STACK_OF(X509) extra_certs,
131	SSL_CTX *ssl_ctx)
132	{
133	X509_NAME *issuer_name;
134	X509 *issuer;
135	X509_STORE_CTX *storectx = NULL;
136	X509_OBJECT *obj = NULL;
137	OCSP_CERTID *cid = NULL;
138	X509_STORE *store;
139
140	if ((issuer_name = X509_get_issuer_name(main_cert)) == NULL)
141	goto out;
142
143	if (extra_certs != NULL) {
144	issuer = X509_find_by_subject(extra_certs, issuer_name);
145	if (issuer != NULL) {
146	cid = OCSP_cert_to_id(NULL, main_cert, issuer);
147	goto out;
148	}
149	}
150
151	if ((store = SSL_CTX_get_cert_store(ssl_ctx)) == NULL)
152	goto out;
153	if ((storectx = X509_STORE_CTX_new()) == NULL)
154	goto out;
155	if (X509_STORE_CTX_init(storectx, store, main_cert, extra_certs) != 1)
156	goto out;
157	if ((obj = X509_STORE_CTX_get_obj_by_subject(storectx, X509_LU_X509,
158	issuer_name)) == NULL)
159	goto out;
160
161	cid = OCSP_cert_to_id(NULL, main_cert, X509_OBJECT_get0_X509(obj));
162
163	out:
164	X509_STORE_CTX_free(storectx);
165	X509_OBJECT_free(obj);
166
167	return cid;
168	}
169
170	struct tls_ocsp *
171	tls_ocsp_setup_from_peer(struct tls *ctx)
172	{
173	struct tls_ocsp *ocsp = NULL;
174	STACK_OF(OPENSSL_STRING) *ocsp_urls = NULL;
175
176	if ((ocsp = tls_ocsp_new()) == NULL)
177	goto err;
178
179	/* steal state from ctx struct */
180	ocsp->main_cert = SSL_get_peer_certificate(ctx->ssl_conn);
181	ocsp->extra_certs = SSL_get_peer_cert_chain(ctx->ssl_conn);
182	if (ocsp->main_cert == NULL) {
183	tls_set_errorx(ctx, TLS_ERROR_UNKNOWN,
184	"no peer certificate for OCSP");
185	goto err;
186	}
187
188	ocsp_urls = X509_get1_ocsp(ocsp->main_cert);
189	if (ocsp_urls == NULL) {
190	tls_set_errorx(ctx, TLS_ERROR_UNKNOWN,
191	"no OCSP URLs in peer certificate");
192	goto err;
193	}
194
195	ocsp->ocsp_url = strdup(sk_OPENSSL_STRING_value(ocsp_urls, 0));
196	if (ocsp->ocsp_url == NULL) {
197	tls_set_errorx(ctx, TLS_ERROR_OUT_OF_MEMORY, "out of memory");
198	goto err;
199	}
200
201	X509_email_free(ocsp_urls);
202	return ocsp;
203
204	err:
205	tls_ocsp_free(ocsp);
206	X509_email_free(ocsp_urls);
207	return NULL;
208	}
209
210	static int
211	tls_ocsp_verify_response(struct tls ctx, OCSP_RESPONSE resp)
212	{
213	OCSP_BASICRESP *br = NULL;
214	ASN1_GENERALIZEDTIME revtime = NULL, thisupd = NULL, *nextupd = NULL;
215	OCSP_CERTID *cid = NULL;
216	STACK_OF(X509) *combined = NULL;
217	int response_status=0, cert_status=0, crl_reason=0;
218	int ret = -1;
219	unsigned long flags;
220
221	if ((br = OCSP_response_get1_basic(resp)) == NULL) {
222	tls_set_errorx(ctx, TLS_ERROR_UNKNOWN, "cannot load ocsp reply");
223	goto err;
224	}
225
226	/*
227	* Skip validation of 'extra_certs' as this should be done
228	* already as part of main handshake.
229	*/
230	flags = OCSP_TRUSTOTHER;
231
232	/* now verify */
233	if (OCSP_basic_verify(br, ctx->ocsp->extra_certs,
234	SSL_CTX_get_cert_store(ctx->ssl_ctx), flags) != 1) {
235	tls_set_errorx(ctx, TLS_ERROR_UNKNOWN, "ocsp verify failed");
236	goto err;
237	}
238
239	/* signature OK, look inside */
240	response_status = OCSP_response_status(resp);
241	if (response_status != OCSP_RESPONSE_STATUS_SUCCESSFUL) {
242	tls_set_errorx(ctx, TLS_ERROR_UNKNOWN,
243	"ocsp verify failed: response - %s",
244	OCSP_response_status_str(response_status));
245	goto err;
246	}
247
248	cid = tls_ocsp_get_certid(ctx->ocsp->main_cert,
249	ctx->ocsp->extra_certs, ctx->ssl_ctx);
250	if (cid == NULL) {
251	tls_set_errorx(ctx, TLS_ERROR_UNKNOWN,
252	"ocsp verify failed: no issuer cert");
253	goto err;
254	}
255
256	if (OCSP_resp_find_status(br, cid, &cert_status, &crl_reason,
257	&revtime, &thisupd, &nextupd) != 1) {
258	tls_set_errorx(ctx, TLS_ERROR_UNKNOWN,
259	"ocsp verify failed: no result for cert");
260	goto err;
261	}
262
263	if (OCSP_check_validity(thisupd, nextupd, JITTER_SEC,
264	MAXAGE_SEC) != 1) {
265	tls_set_errorx(ctx, TLS_ERROR_UNKNOWN,
266	"ocsp verify failed: ocsp response not current");
267	goto err;
268	}
269
270	if (tls_ocsp_fill_info(ctx, response_status, cert_status,
271	crl_reason, revtime, thisupd, nextupd) != 0)
272	goto err;
273
274	/* finally can look at status */
275	if (cert_status != V_OCSP_CERTSTATUS_GOOD && cert_status !=
276	V_OCSP_CERTSTATUS_UNKNOWN) {
277	tls_set_errorx(ctx, TLS_ERROR_UNKNOWN,
278	"ocsp verify failed: revoked cert - %s",
279	OCSP_crl_reason_str(crl_reason));
280	goto err;
281	}
282	ret = 0;
283
284	err:
285	sk_X509_free(combined);
286	OCSP_CERTID_free(cid);
287	OCSP_BASICRESP_free(br);
288	return ret;
289	}
290
291	/*
292	* Process a raw OCSP response from an OCSP server request.
293	* OCSP details can then be retrieved with tls_peer_ocsp_* functions.
294	* returns 0 if certificate ok, -1 otherwise.
295	*/
296	static int
297	tls_ocsp_process_response_internal(struct tls ctx, const unsigned char response,
298	size_t size)
299	{
300	int ret;
301	OCSP_RESPONSE *resp;
302
303	resp = d2i_OCSP_RESPONSE(NULL, &response, size);
304	if (resp == NULL) {
305	tls_ocsp_free(ctx->ocsp);
306	ctx->ocsp = NULL;
307	tls_set_error(ctx, TLS_ERROR_UNKNOWN,
308	"unable to parse OCSP response");
309	return -1;
310	}
311	ret = tls_ocsp_verify_response(ctx, resp);
312	OCSP_RESPONSE_free(resp);
313	return ret;
314	}
315
316	/* TLS handshake verification callback for stapled requests */
317	int
318	tls_ocsp_verify_cb(SSL ssl, void arg)
319	{
320	const unsigned char *raw = NULL;
321	int size, res = -1;
322	struct tls *ctx;
323
324	if ((ctx = SSL_get_app_data(ssl)) == NULL)
325	return -1;
326
327	size = SSL_get_tlsext_status_ocsp_resp(ssl, &raw);
328	if (size <= 0) {
329	if (ctx->config->ocsp_require_stapling) {
330	tls_set_errorx(ctx, TLS_ERROR_UNKNOWN,
331	"no stapled OCSP response provided");
332	return 0;
333	}
334	return 1;
335	}
336
337	tls_ocsp_free(ctx->ocsp);
338	if ((ctx->ocsp = tls_ocsp_setup_from_peer(ctx)) == NULL)
339	return 0;
340
341	if (ctx->config->verify_cert == 0 \|\| ctx->config->verify_time == 0)
342	return 1;
343
344	res = tls_ocsp_process_response_internal(ctx, raw, size);
345
346	return (res == 0) ? 1 : 0;
347	}
348
349
350	/* Staple the OCSP information in ctx->ocsp to the server handshake. */
351	int
352	tls_ocsp_stapling_cb(SSL ssl, void arg)
353	{
354	int ret = SSL_TLSEXT_ERR_ALERT_FATAL;
355	unsigned char *ocsp_staple = NULL;
356	struct tls *ctx;
357
358	if ((ctx = SSL_get_app_data(ssl)) == NULL)
359	goto err;
360
361	if (ctx->keypair == NULL \|\| ctx->keypair->ocsp_staple == NULL \|\|
362	ctx->keypair->ocsp_staple_len == 0)
363	return SSL_TLSEXT_ERR_NOACK;
364
365	if ((ocsp_staple = malloc(ctx->keypair->ocsp_staple_len)) == NULL)
366	goto err;
367
368	memcpy(ocsp_staple, ctx->keypair->ocsp_staple,
369	ctx->keypair->ocsp_staple_len);
370
371	if (SSL_set_tlsext_status_ocsp_resp(ctx->ssl_conn, ocsp_staple,
372	ctx->keypair->ocsp_staple_len) != 1)
373	goto err;
374
375	ret = SSL_TLSEXT_ERR_OK;
376	err:
377	if (ret != SSL_TLSEXT_ERR_OK)
378	free(ocsp_staple);
379
380	return ret;
381	}
382
383	/*
384	* Public API
385	*/
386
387	/* Retrieve OCSP URL from peer certificate, if present. */
388	const char *
389	tls_peer_ocsp_url(struct tls *ctx)
390	{
391	if (ctx->ocsp == NULL)
392	return NULL;
393	return ctx->ocsp->ocsp_url;
394	}
395
396	const char *
397	tls_peer_ocsp_result(struct tls *ctx)
398	{
399	if (ctx->ocsp == NULL)
400	return NULL;
401	if (ctx->ocsp->ocsp_result == NULL)
402	return NULL;
403	return ctx->ocsp->ocsp_result->result_msg;
404	}
405
406	int
407	tls_peer_ocsp_response_status(struct tls *ctx)
408	{
409	if (ctx->ocsp == NULL)
410	return -1;
411	if (ctx->ocsp->ocsp_result == NULL)
412	return -1;
413	return ctx->ocsp->ocsp_result->response_status;
414	}
415
416	int
417	tls_peer_ocsp_cert_status(struct tls *ctx)
418	{
419	if (ctx->ocsp == NULL)
420	return -1;
421	if (ctx->ocsp->ocsp_result == NULL)
422	return -1;
423	return ctx->ocsp->ocsp_result->cert_status;
424	}
425
426	int
427	tls_peer_ocsp_crl_reason(struct tls *ctx)
428	{
429	if (ctx->ocsp == NULL)
430	return -1;
431	if (ctx->ocsp->ocsp_result == NULL)
432	return -1;
433	return ctx->ocsp->ocsp_result->crl_reason;
434	}
435
436	time_t
437	tls_peer_ocsp_this_update(struct tls *ctx)
438	{
439	if (ctx->ocsp == NULL)
440	return -1;
441	if (ctx->ocsp->ocsp_result == NULL)
442	return -1;
443	return ctx->ocsp->ocsp_result->this_update;
444	}
445
446	time_t
447	tls_peer_ocsp_next_update(struct tls *ctx)
448	{
449	if (ctx->ocsp == NULL)
450	return -1;
451	if (ctx->ocsp->ocsp_result == NULL)
452	return -1;
453	return ctx->ocsp->ocsp_result->next_update;
454	}
455
456	time_t
457	tls_peer_ocsp_revocation_time(struct tls *ctx)
458	{
459	if (ctx->ocsp == NULL)
460	return -1;
461	if (ctx->ocsp->ocsp_result == NULL)
462	return -1;
463	return ctx->ocsp->ocsp_result->revocation_time;
464	}
465
466	int
467	tls_ocsp_process_response(struct tls ctx, const unsigned char response,
468	size_t size)
469	{
470	if ((ctx->state & TLS_HANDSHAKE_COMPLETE) == 0)
471	return -1;
472	return tls_ocsp_process_response_internal(ctx, response, size);
473	}