op public repos

Blob

Date:: Wed Aug 23 17:38:49 2023 UTC
Message:: bundle libtls gmid (like all other daemons that want to do privsep crypto) has a very close relationship with libtls and need to stay in sync with it. OpenBSD' libtls was recently changed to use OpenSSL' EC_KEY_METHOD instead of the older ECDSA_METHOD, on the gmid side we have to do the same otherwise failures happens at runtime. In a similar manner, privsep crypto is silently broken in the current libretls (next version should fix it.) The proper solution would be to complete the signer APIs so that applications don't need to dive into the library' internals, but that's a mid-term goal, for the immediate bundling the 'little' libtls is the lesser evil. The configure script has gained a new (undocumented for the time being) flag `--with-libtls=bundled|system' to control which libtls to use. It defaults to `bundled' except for OpenBSD where it uses the `system' one. Note that OpenBSD versions before 7.3 (inclusive) ought to use --with-libtls=bundled too since they still do ECDSA_METHOD.
Actions:: History | Blame | Raw File
1 /*	$OpenBSD: tls_ocsp.c,v 1.23 2023/05/14 07:26:25 op Exp $ */
2 /*
3  * Copyright (c) 2015 Marko Kreen <markokr@gmail.com>
4  * Copyright (c) 2016 Bob Beck <beck@openbsd.org>
5  *
6  * Permission to use, copy, modify, and distribute this software for any
7  * purpose with or without fee is hereby granted, provided that the above
8  * copyright notice and this permission notice appear in all copies.
9  *
10  * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
11  * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
12  * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
13  * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
14  * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
15  * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
16  * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
17  */
18 
19 #include "config.h"
20 
21 #include <sys/types.h>
22 
23 #include <arpa/inet.h>
24 #include <netinet/in.h>
25 
26 #include <string.h>
27 
28 #include <openssl/err.h>
29 #include <openssl/ocsp.h>
30 #include <openssl/x509.h>
31 
32 #include <tls.h>
33 #include "tls_internal.h"
34 
35 #define MAXAGE_SEC (14*24*60*60)
36 #define JITTER_SEC (60)
37 
38 /*
39  * State for request.
40  */
41 
42 static struct tls_ocsp *
43 tls_ocsp_new(void)
44 {
45 	return (calloc(1, sizeof(struct tls_ocsp)));
46 }
47 
48 void
49 tls_ocsp_free(struct tls_ocsp *ocsp)
50 {
51 	if (ocsp == NULL)
52 		return;
53 
54 	X509_free(ocsp->main_cert);
55 	free(ocsp->ocsp_result);
56 	free(ocsp->ocsp_url);
57 
58 	free(ocsp);
59 }
60 
61 static int
62 tls_ocsp_asn1_parse_time(struct tls *ctx, ASN1_GENERALIZEDTIME *gt, time_t *gt_time)
63 {
64 	struct tm tm;
65 
66 	if (gt == NULL)
67 		return -1;
68 	/* RFC 6960 specifies that all times in OCSP must be GENERALIZEDTIME */
69 	if (ASN1_time_parse(gt->data, gt->length, &tm,
70 		V_ASN1_GENERALIZEDTIME) == -1)
71 		return -1;
72 	if ((*gt_time = timegm(&tm)) == -1)
73 		return -1;
74 	return 0;
75 }
76 
77 static int
78 tls_ocsp_fill_info(struct tls *ctx, int response_status, int cert_status,
79     int crl_reason, ASN1_GENERALIZEDTIME *revtime,
80     ASN1_GENERALIZEDTIME *thisupd, ASN1_GENERALIZEDTIME *nextupd)
81 {
82 	struct tls_ocsp_result *info = NULL;
83 
84 	free(ctx->ocsp->ocsp_result);
85 	ctx->ocsp->ocsp_result = NULL;
86 
87 	if ((info = calloc(1, sizeof (struct tls_ocsp_result))) == NULL) {
88 		tls_set_error(ctx, "calloc");
89 		return -1;
90 	}
91 	info->response_status = response_status;
92 	info->cert_status = cert_status;
93 	info->crl_reason = crl_reason;
94 	if (info->response_status != OCSP_RESPONSE_STATUS_SUCCESSFUL) {
95 		info->result_msg =
96 		    OCSP_response_status_str(info->response_status);
97 	} else if (info->cert_status != V_OCSP_CERTSTATUS_REVOKED) {
98 		info->result_msg = OCSP_cert_status_str(info->cert_status);
99 	} else {
100 		info->result_msg = OCSP_crl_reason_str(info->crl_reason);
101 	}
102 	info->revocation_time = info->this_update = info->next_update = -1;
103 	if (revtime != NULL &&
104 	    tls_ocsp_asn1_parse_time(ctx, revtime, &info->revocation_time) != 0) {
105 		tls_set_error(ctx,
106 		    "unable to parse revocation time in OCSP reply");
107 		goto err;
108 	}
109 	if (thisupd != NULL &&
110 	    tls_ocsp_asn1_parse_time(ctx, thisupd, &info->this_update) != 0) {
111 		tls_set_error(ctx,
112 		    "unable to parse this update time in OCSP reply");
113 		goto err;
114 	}
115 	if (nextupd != NULL &&
116 	    tls_ocsp_asn1_parse_time(ctx, nextupd, &info->next_update) != 0) {
117 		tls_set_error(ctx,
118 		    "unable to parse next update time in OCSP reply");
119 		goto err;
120 	}
121 	ctx->ocsp->ocsp_result = info;
122 	return 0;
123 
124  err:
125 	free(info);
126 	return -1;
127 }
128 
129 static OCSP_CERTID *
130 tls_ocsp_get_certid(X509 *main_cert, STACK_OF(X509) *extra_certs,
131     SSL_CTX *ssl_ctx)
132 {
133 	X509_NAME *issuer_name;
134 	X509 *issuer;
135 	X509_STORE_CTX *storectx = NULL;
136 	X509_OBJECT *obj = NULL;
137 	OCSP_CERTID *cid = NULL;
138 	X509_STORE *store;
139 
140 	if ((issuer_name = X509_get_issuer_name(main_cert)) == NULL)
141 		goto out;
142 
143 	if (extra_certs != NULL) {
144 		issuer = X509_find_by_subject(extra_certs, issuer_name);
145 		if (issuer != NULL) {
146 			cid = OCSP_cert_to_id(NULL, main_cert, issuer);
147 			goto out;
148 		}
149 	}
150 
151 	if ((store = SSL_CTX_get_cert_store(ssl_ctx)) == NULL)
152 		goto out;
153 	if ((storectx = X509_STORE_CTX_new()) == NULL)
154 		goto out;
155 	if (X509_STORE_CTX_init(storectx, store, main_cert, extra_certs) != 1)
156 		goto out;
157 	if ((obj = X509_STORE_CTX_get_obj_by_subject(storectx, X509_LU_X509,
158 	    issuer_name)) == NULL)
159 		goto out;
160 
161 	cid = OCSP_cert_to_id(NULL, main_cert, X509_OBJECT_get0_X509(obj));
162 
163  out:
164 	X509_STORE_CTX_free(storectx);
165 	X509_OBJECT_free(obj);
166 
167 	return cid;
168 }
169 
170 struct tls_ocsp *
171 tls_ocsp_setup_from_peer(struct tls *ctx)
172 {
173 	struct tls_ocsp *ocsp = NULL;
174 	STACK_OF(OPENSSL_STRING) *ocsp_urls = NULL;
175 
176 	if ((ocsp = tls_ocsp_new()) == NULL)
177 		goto err;
178 
179 	/* steal state from ctx struct */
180 	ocsp->main_cert = SSL_get_peer_certificate(ctx->ssl_conn);
181 	ocsp->extra_certs = SSL_get_peer_cert_chain(ctx->ssl_conn);
182 	if (ocsp->main_cert == NULL) {
183 		tls_set_errorx(ctx, "no peer certificate for OCSP");
184 		goto err;
185 	}
186 
187 	ocsp_urls = X509_get1_ocsp(ocsp->main_cert);
188 	if (ocsp_urls == NULL) {
189 		tls_set_errorx(ctx, "no OCSP URLs in peer certificate");
190 		goto err;
191 	}
192 
193 	ocsp->ocsp_url = strdup(sk_OPENSSL_STRING_value(ocsp_urls, 0));
194 	if (ocsp->ocsp_url == NULL) {
195 		tls_set_errorx(ctx, "out of memory");
196 		goto err;
197 	}
198 
199 	X509_email_free(ocsp_urls);
200 	return ocsp;
201 
202  err:
203 	tls_ocsp_free(ocsp);
204 	X509_email_free(ocsp_urls);
205 	return NULL;
206 }
207 
208 static int
209 tls_ocsp_verify_response(struct tls *ctx, OCSP_RESPONSE *resp)
210 {
211 	OCSP_BASICRESP *br = NULL;
212 	ASN1_GENERALIZEDTIME *revtime = NULL, *thisupd = NULL, *nextupd = NULL;
213 	OCSP_CERTID *cid = NULL;
214 	STACK_OF(X509) *combined = NULL;
215 	int response_status=0, cert_status=0, crl_reason=0;
216 	int ret = -1;
217 	unsigned long flags;
218 
219 	if ((br = OCSP_response_get1_basic(resp)) == NULL) {
220 		tls_set_errorx(ctx, "cannot load ocsp reply");
221 		goto err;
222 	}
223 
224 	/*
225 	 * Skip validation of 'extra_certs' as this should be done
226 	 * already as part of main handshake.
227 	 */
228 	flags = OCSP_TRUSTOTHER;
229 
230 	/* now verify */
231 	if (OCSP_basic_verify(br, ctx->ocsp->extra_certs,
232 		SSL_CTX_get_cert_store(ctx->ssl_ctx), flags) != 1) {
233 		tls_set_errorx(ctx, "ocsp verify failed");
234 		goto err;
235 	}
236 
237 	/* signature OK, look inside */
238 	response_status = OCSP_response_status(resp);
239 	if (response_status != OCSP_RESPONSE_STATUS_SUCCESSFUL) {
240 		tls_set_errorx(ctx, "ocsp verify failed: response - %s",
241 		    OCSP_response_status_str(response_status));
242 		goto err;
243 	}
244 
245 	cid = tls_ocsp_get_certid(ctx->ocsp->main_cert,
246 	    ctx->ocsp->extra_certs, ctx->ssl_ctx);
247 	if (cid == NULL) {
248 		tls_set_errorx(ctx, "ocsp verify failed: no issuer cert");
249 		goto err;
250 	}
251 
252 	if (OCSP_resp_find_status(br, cid, &cert_status, &crl_reason,
253 	    &revtime, &thisupd, &nextupd) != 1) {
254 		tls_set_errorx(ctx, "ocsp verify failed: no result for cert");
255 		goto err;
256 	}
257 
258 	if (OCSP_check_validity(thisupd, nextupd, JITTER_SEC,
259 	    MAXAGE_SEC) != 1) {
260 		tls_set_errorx(ctx,
261 		    "ocsp verify failed: ocsp response not current");
262 		goto err;
263 	}
264 
265 	if (tls_ocsp_fill_info(ctx, response_status, cert_status,
266 	    crl_reason, revtime, thisupd, nextupd) != 0)
267 		goto err;
268 
269 	/* finally can look at status */
270 	if (cert_status != V_OCSP_CERTSTATUS_GOOD && cert_status !=
271 	    V_OCSP_CERTSTATUS_UNKNOWN) {
272 		tls_set_errorx(ctx, "ocsp verify failed: revoked cert - %s",
273 			       OCSP_crl_reason_str(crl_reason));
274 		goto err;
275 	}
276 	ret = 0;
277 
278  err:
279 	sk_X509_free(combined);
280 	OCSP_CERTID_free(cid);
281 	OCSP_BASICRESP_free(br);
282 	return ret;
283 }
284 
285 /*
286  * Process a raw OCSP response from an OCSP server request.
287  * OCSP details can then be retrieved with tls_peer_ocsp_* functions.
288  * returns 0 if certificate ok, -1 otherwise.
289  */
290 static int
291 tls_ocsp_process_response_internal(struct tls *ctx, const unsigned char *response,
292     size_t size)
293 {
294 	int ret;
295 	OCSP_RESPONSE *resp;
296 
297 	resp = d2i_OCSP_RESPONSE(NULL, &response, size);
298 	if (resp == NULL) {
299 		tls_ocsp_free(ctx->ocsp);
300 		ctx->ocsp = NULL;
301 		tls_set_error(ctx, "unable to parse OCSP response");
302 		return -1;
303 	}
304 	ret = tls_ocsp_verify_response(ctx, resp);
305 	OCSP_RESPONSE_free(resp);
306 	return ret;
307 }
308 
309 /* TLS handshake verification callback for stapled requests */
310 int
311 tls_ocsp_verify_cb(SSL *ssl, void *arg)
312 {
313 	const unsigned char *raw = NULL;
314 	int size, res = -1;
315 	struct tls *ctx;
316 
317 	if ((ctx = SSL_get_app_data(ssl)) == NULL)
318 		return -1;
319 
320 	size = SSL_get_tlsext_status_ocsp_resp(ssl, &raw);
321 	if (size <= 0) {
322 		if (ctx->config->ocsp_require_stapling) {
323 			tls_set_errorx(ctx, "no stapled OCSP response provided");
324 			return 0;
325 		}
326 		return 1;
327 	}
328 
329 	tls_ocsp_free(ctx->ocsp);
330 	if ((ctx->ocsp = tls_ocsp_setup_from_peer(ctx)) == NULL)
331 		return 0;
332 
333 	if (ctx->config->verify_cert == 0 || ctx->config->verify_time == 0)
334 		return 1;
335 
336 	res = tls_ocsp_process_response_internal(ctx, raw, size);
337 
338 	return (res == 0) ? 1 : 0;
339 }
340 
341 
342 /* Staple the OCSP information in ctx->ocsp to the server handshake. */
343 int
344 tls_ocsp_stapling_cb(SSL *ssl, void *arg)
345 {
346 	int ret = SSL_TLSEXT_ERR_ALERT_FATAL;
347 	unsigned char *ocsp_staple = NULL;
348 	struct tls *ctx;
349 
350 	if ((ctx = SSL_get_app_data(ssl)) == NULL)
351 		goto err;
352 
353 	if (ctx->keypair == NULL || ctx->keypair->ocsp_staple == NULL ||
354 	    ctx->keypair->ocsp_staple_len == 0)
355 		return SSL_TLSEXT_ERR_NOACK;
356 
357 	if ((ocsp_staple = malloc(ctx->keypair->ocsp_staple_len)) == NULL)
358 		goto err;
359 
360 	memcpy(ocsp_staple, ctx->keypair->ocsp_staple,
361 	    ctx->keypair->ocsp_staple_len);
362 
363 	if (SSL_set_tlsext_status_ocsp_resp(ctx->ssl_conn, ocsp_staple,
364 	    ctx->keypair->ocsp_staple_len) != 1)
365 		goto err;
366 
367 	ret = SSL_TLSEXT_ERR_OK;
368  err:
369 	if (ret != SSL_TLSEXT_ERR_OK)
370 		free(ocsp_staple);
371 
372 	return ret;
373 }
374 
375 /*
376  * Public API
377  */
378 
379 /* Retrieve OCSP URL from peer certificate, if present. */
380 const char *
381 tls_peer_ocsp_url(struct tls *ctx)
382 {
383 	if (ctx->ocsp == NULL)
384 		return NULL;
385 	return ctx->ocsp->ocsp_url;
386 }
387 
388 const char *
389 tls_peer_ocsp_result(struct tls *ctx)
390 {
391 	if (ctx->ocsp == NULL)
392 		return NULL;
393 	if (ctx->ocsp->ocsp_result == NULL)
394 		return NULL;
395 	return ctx->ocsp->ocsp_result->result_msg;
396 }
397 
398 int
399 tls_peer_ocsp_response_status(struct tls *ctx)
400 {
401 	if (ctx->ocsp == NULL)
402 		return -1;
403 	if (ctx->ocsp->ocsp_result == NULL)
404 		return -1;
405 	return ctx->ocsp->ocsp_result->response_status;
406 }
407 
408 int
409 tls_peer_ocsp_cert_status(struct tls *ctx)
410 {
411 	if (ctx->ocsp == NULL)
412 		return -1;
413 	if (ctx->ocsp->ocsp_result == NULL)
414 		return -1;
415 	return ctx->ocsp->ocsp_result->cert_status;
416 }
417 
418 int
419 tls_peer_ocsp_crl_reason(struct tls *ctx)
420 {
421 	if (ctx->ocsp == NULL)
422 		return -1;
423 	if (ctx->ocsp->ocsp_result == NULL)
424 		return -1;
425 	return ctx->ocsp->ocsp_result->crl_reason;
426 }
427 
428 time_t
429 tls_peer_ocsp_this_update(struct tls *ctx)
430 {
431 	if (ctx->ocsp == NULL)
432 		return -1;
433 	if (ctx->ocsp->ocsp_result == NULL)
434 		return -1;
435 	return ctx->ocsp->ocsp_result->this_update;
436 }
437 
438 time_t
439 tls_peer_ocsp_next_update(struct tls *ctx)
440 {
441 	if (ctx->ocsp == NULL)
442 		return -1;
443 	if (ctx->ocsp->ocsp_result == NULL)
444 		return -1;
445 	return ctx->ocsp->ocsp_result->next_update;
446 }
447 
448 time_t
449 tls_peer_ocsp_revocation_time(struct tls *ctx)
450 {
451 	if (ctx->ocsp == NULL)
452 		return -1;
453 	if (ctx->ocsp->ocsp_result == NULL)
454 		return -1;
455 	return ctx->ocsp->ocsp_result->revocation_time;
456 }
457 
458 int
459 tls_ocsp_process_response(struct tls *ctx, const unsigned char *response,
460     size_t size)
461 {
462 	if ((ctx->state & TLS_HANDSHAKE_COMPLETE) == 0)
463 		return -1;
464 	return tls_ocsp_process_response_internal(ctx, response, size);
465 }