3 * Copyright (C) 2006-2012 Sawtooth Consulting Ltd.
5 * This file is part of CyaSSL.
7 * CyaSSL is free software; you can redistribute it and/or modify
8 * it under the terms of the GNU General Public License as published by
9 * the Free Software Foundation; either version 2 of the License, or
10 * (at your option) any later version.
12 * CyaSSL is distributed in the hope that it will be useful,
13 * but WITHOUT ANY WARRANTY; without even the implied warranty of
14 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
15 * GNU General Public License for more details.
17 * You should have received a copy of the GNU General Public License
18 * along with this program; if not, write to the Free Software
19 * Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA
28 #include <cyassl/error.h>
29 #include <cyassl/ocsp.h>
30 #include <cyassl/internal.h>
36 #include <netinet/in.h>
37 #include <netinet/tcp.h>
38 #include <arpa/inet.h>
39 #include <sys/ioctl.h>
41 #include <sys/types.h>
42 #include <sys/socket.h>
// Declarations shared by the OCSP client code below: a test entry point,
// the option flag bits, and the socket typedefs used by tcp_socket and
// tcp_connect.
// NOTE(review): SOCKET_T is defined as unsigned int, while socket() reports
// failure as -1. A "< 0" test on a SOCKET_T value can never be true, so any
// failure check has to compare against (SOCKET_T)-1 or keep the raw int.
45 CYASSL_API int ocsp_test(unsigned char* buf, int sz);
46 #define CYASSL_OCSP_ENABLE 0x0001 /* Enable OCSP lookups */
47 #define CYASSL_OCSP_URL_OVERRIDE 0x0002 /* Use the override URL instead of URL
50 typedef struct sockaddr_in SOCKADDR_IN_T;
51 #define AF_INET_V AF_INET
52 #define SOCKET_T unsigned int
// Reset an OCSP context: the visible statement zero-fills the whole
// CYASSL_OCSP structure, which also empties the cached responder list head.
// NOTE(review): the lines around the XMEMSET are not part of this listing,
// so whether ocsp is checked for NULL first, and what value is returned,
// cannot be confirmed from here.
55 int CyaSSL_OCSP_Init(CYASSL_OCSP* ocsp)
58 XMEMSET(ocsp, 0, sizeof(*ocsp));
// Release the CertStatus records attached to one OCSP_Entry.
// The walk starts at ocspe->status; each node's next pointer is read before
// the node is handed to XFREE, which is the order needed to avoid reading a
// freed node.
// NOTE(review): the loop header and the statement that advances tmp are on
// source lines this listing omits; confirm the loop stops on tmp == NULL.
66 static void FreeOCSP_Entry(OCSP_Entry* ocspe)
68 CertStatus* tmp = ocspe->status;
70 CYASSL_ENTER("FreeOCSP_Entry");
73 CertStatus* next = tmp->next;
74 XFREE(tmp, NULL, DYNAMIC_TYPE_OCSP_STATUS);
// Free every cached OCSP_Entry reachable from ocsp->ocspList.
// The next pointer is saved before the entry itself is passed to XFREE.
// NOTE(review): the statement between those two lines is not shown;
// presumably it releases the entry's status list (FreeOCSP_Entry) - confirm.
// NOTE(review): no visible line resets ocsp->ocspList after the walk, so
// verify that a second Cleanup call, or a lookup after Cleanup, cannot walk
// entries that were already freed.
80 void CyaSSL_OCSP_Cleanup(CYASSL_OCSP* ocsp)
82 OCSP_Entry* tmp = ocsp->ocspList;
86 OCSP_Entry* next = tmp->next;
88 XFREE(tmp, NULL, DYNAMIC_TYPE_OCSP_ENTRY);
// Split an "http://host[:port]/path" URL into host name, path and port.
// The visible checks require non-NULL output pointers and a non-empty url;
// the scheme test accepts only the literal prefix "http://".
// NOTE(review): this listing omits several source lines (declarations,
// terminators, return statements), so the notes below cover only what is
// visible. http_ocsp_transaction passes a certificate field (extAuthInfo)
// as url, so every byte of it has to be treated as untrusted input.
// NOTE(review): the only visible error return is -1 (bad port digit), yet
// http_ocsp_transaction tests the result with "!decode_url(...)". A -1
// result is non-zero and would be taken as success; confirm the convention.
94 static int decode_url(const char* url, int urlSz,
95 char* outName, char* outPath, int* outPort)
97 if (outName != NULL && outPath != NULL && outPort != NULL)
99 if (url == NULL || urlSz == 0)
109 /* need to break the url down into scheme, address, and port */
110 /* "http://example.com:8080/" */
111 if (XSTRNCMP(url, "http://", 7) == 0) {
// NOTE(review): unlike the port and path loops below, this host copy has no
// "cur < urlSz" test and no limit on i. http_ocsp_transaction passes 80-byte
// stack arrays, so a host part of 80 or more characters writes past outName,
// and a url without a terminating NUL is read past urlSz. Bound the loop the
// same way the path loop is bounded and reject over-long host names.
116 while (url[cur] != 0 && url[cur] != ':' && url[cur] != '/') {
117 outName[i++] = url[cur++];
120 /* Need to pick out the path after the domain name */
122 if (cur < urlSz && url[cur] == ':') {
// Port digits are first copied into a local buffer. The rest of this loop
// condition is on a source line not shown, so its bound on i is unconfirmed.
127 while (cur < urlSz && url[cur] != 0 && url[cur] != '/' &&
129 port[i++] = url[cur++];
// Decimal conversion of the collected digits; any non-digit aborts with -1.
// NOTE(review): no overflow check and no 1..65535 range check is visible,
// and the int result is later narrowed to word16 by tcp_connect.
133 for (j = 0; j < i; j++) {
134 if (port[j] < '0' || port[j] > '9') return -1;
135 *outPort = (*outPort * 10) + (port[j] - '0');
141 if (cur < urlSz && url[cur] == '/') {
// NOTE(review): "i < 80" lets i reach 80. If a terminating NUL is then
// stored at outPath[i] (that line is not shown), it lands one byte past an
// 80-byte buffer; "i < 79" would leave room for the terminator.
143 while (cur < urlSz && url[cur] != 0 && i < 80) {
144 outPath[i++] = url[cur++];
/* Parse url and store its host, path and port in the override fields of the
 * OCSP context, for use instead of the responder URL found in certificates.
 * NOTE(review): strlen() is applied to url directly; a NULL check on url is
 * not visible in this listing (only some lines of the function are shown).
 * NOTE(review): the decode_url call is a bare statement, so its result is
 * discarded. A URL that fails to parse (wrong scheme, bad port) would leave
 * the override fields partly filled while the caller is still told the
 * override was set - confirm against the return statements not shown.
 * NOTE(review): decode_url's host copy is not length-bounded, so the
 * override buffers must be large enough for any URL accepted here. */
159 int CyaSSL_OCSP_set_override_url(CYASSL_OCSP* ocsp, const char* url)
162 int urlSz = strlen(url);
163 decode_url(url, urlSz,
164 ocsp->overrideName, ocsp->overridePath, &ocsp->overridePort);
/* Create a TCP socket and fill *addr with the IPv4 address and port of peer.
 * When peer starts with a letter it is resolved with gethostbyname() and the
 * first address is converted back to dotted-quad text for inet_addr().
 * NOTE(review): the function returns void, so neither a failed socket() nor
 * a failed lookup can be reported to the caller; no check of the socket()
 * result is visible in this listing. */
172 static INLINE void tcp_socket(SOCKET_T* sockfd, SOCKADDR_IN_T* addr,
173 const char* peer, word16 port)
175 const char* host = peer;
177 /* peer could be in human readable form */
/* NOTE(review): isalpha() expects a value in the unsigned char range; cast
 * peer[0] to unsigned char. Host names that begin with a digit skip the
 * lookup and go straight to inet_addr(). gethostbyname() and inet_ntoa()
 * return pointers to static storage and are not thread-safe; getaddrinfo()
 * avoids both. */
178 if (peer != INADDR_ANY && isalpha(peer[0])) {
179 struct hostent* entry = gethostbyname(peer);
182 struct sockaddr_in tmp;
183 memset(&tmp, 0, sizeof(struct sockaddr_in));
184 memcpy(&tmp.sin_addr.s_addr, entry->h_addr_list[0],
186 host = inet_ntoa(tmp.sin_addr);
/* NOTE(review): after a failed lookup only this message is visible; host
 * still holds the unresolved name when it reaches inet_addr() below. */
189 CYASSL_MSG("no entry for host");
193 *sockfd = socket(AF_INET_V, SOCK_STREAM, 0);
194 memset(addr, 0, sizeof(SOCKADDR_IN_T));
196 addr->sin_family = AF_INET_V;
197 addr->sin_port = htons(port);
198 if (host == INADDR_ANY)
199 addr->sin_addr.s_addr = INADDR_ANY;
/* NOTE(review): inet_addr() returns INADDR_NONE for text it cannot parse;
 * that value is stored here without a check. */
201 addr->sin_addr.s_addr = inet_addr(host);
/* Open a TCP connection to ip:port and leave the descriptor in *sockfd.
 * NOTE(review): a failed connect() is only logged in the visible lines and
 * the function returns void, so http_ocsp_transaction cannot tell a usable
 * socket from a failed one before it calls write(). Returning a status, and
 * closing the socket on failure, would let the caller stop early. */
205 static INLINE void tcp_connect(SOCKET_T* sockfd, const char* ip, word16 port)
208 tcp_socket(sockfd, &addr, ip, port);
210 if (connect(*sockfd, (const struct sockaddr*)&addr, sizeof(addr)) != 0) {
211 CYASSL_MSG("tcp connect failed");
/* Format the HTTP POST header for an OCSP request into buf and return the
 * snprintf() result.
 * NOTE(review): snprintf() returns the length the full text would have had.
 * When that is >= bufSize the header was truncated, yet
 * http_ocsp_transaction uses the return value as the byte count for write(),
 * which would then read past the end of its scratch buffer. Treat a result
 * < 0 or >= bufSize as an error.
 * NOTE(review): path and domainName are inserted with %s and can originate
 * from a certificate's responder URL; reject CR and LF in both so the URL
 * cannot add header lines to the request. Two lines of the format string are
 * not shown in this listing. */
216 static int build_http_request(const char* domainName, const char* path,
217 int ocspReqSz, byte* buf, int bufSize)
219 return snprintf((char*)buf, bufSize,
220 "POST %s HTTP/1.1\r\n"
222 "Content-Length: %d\r\n"
223 "Content-Type: application/ocsp-request\r\n"
225 path, domainName, ocspReqSz);
/* Parse an HTTP response held in httpBuf, require status "200 OK" and
 * content type application/ocsp-response, read Content-Length, and copy that
 * many body bytes into a newly allocated buffer stored in *dst.
 * NOTE(review): every byte of httpBuf comes from the network over plain
 * HTTP, so all offsets and lengths derived from it are attacker-influenced.
 * Parts of this function are missing from the listing; the notes below
 * describe only what is visible.
 * NOTE(review): the buffer is filled by read(), which does not append a NUL,
 * while strncasecmp() and strstr() below stop only at a NUL or their count.
 * Nothing visible checks httpBufSz (which may be <= 0 after a failed read)
 * before the first comparison, or that idx + count stays inside httpBufSz. */
229 static int decode_http_response(byte* httpBuf, int httpBufSz, byte** dst)
234 byte* contentType = NULL;
235 byte* contentLength = NULL;
236 char* buf = (char*)httpBuf; /* kludge so I'm not constantly casting */
238 if (strncasecmp(buf, "HTTP/1", 6) != 0)
241 idx = 9; /* sets to the first byte after "HTTP/1.X ", which should be the
242 * HTTP result code */
244 if (strncasecmp(&buf[idx], "200 OK", 6) != 0)
/* Header loop. NOTE(review): buf[idx+1] is read while only idx is known to
 * be below httpBufSz, so the last iteration can look one byte past the
 * received data. */
249 while (idx < httpBufSz && !stop) {
250 if (buf[idx] == '\r' && buf[idx+1] == '\n') {
255 if (contentType == NULL &&
256 strncasecmp(&buf[idx], "Content-Type:", 13) == 0) {
258 if (buf[idx] == ' ') idx++;
259 if (strncasecmp(&buf[idx], "application/ocsp-response", 25) != 0)
262 } else if (contentLength == NULL &&
263 strncasecmp(&buf[idx], "Content-Length:", 15) == 0) {
265 if (buf[idx] == ' ') idx++;
/* NOTE(review): the bounds test comes last in this condition, after buf[idx]
 * has already been read twice, and len can overflow on a long digit run.
 * Test idx < httpBufSz first and cap len. */
266 while (buf[idx] >= '0' && buf[idx] <= '9' && idx < httpBufSz) {
267 len = (len * 10) + (buf[idx] - '0');
270 idx += 2; /* skip the crlf */
272 /* Advance idx past the next \r\n */
/* NOTE(review): strstr() needs a NUL-terminated string; on this buffer it
 * can scan past httpBufSz into whatever follows on the stack. */
273 char* end = strstr(&buf[idx], "\r\n");
/* NOTE(review): len is the value the responder sent in Content-Length. No
 * visible check confirms that len > 0, that len <= httpBufSz - idx, or that
 * XMALLOC succeeded. Without them the copy can read beyond the received data
 * (and beyond the caller's scratch buffer) or write through a NULL pointer.
 * Validate len against the bytes actually present before allocating. */
281 *dst = (byte*)XMALLOC(len, NULL, DYNAMIC_TYPE_IN_BUFFER);
282 XMEMCPY(*dst, httpBuf + idx, len);
/* Initialise a cache entry for one issuer: copy the issuer name hash and
 * issuer key hash (SHA_DIGEST_SIZE bytes each) from the decoded certificate
 * and start with an empty status list and a zero status count.
 * NOTE(review): the return statement and any initialisation of ocspe->next
 * are not visible in this listing. */
289 static int InitOCSP_Entry(OCSP_Entry* ocspe, DecodedCert* cert)
291 CYASSL_ENTER("InitOCSP_Entry");
294 XMEMCPY(ocspe->issuerHash, cert->issuerHash, SHA_DIGEST_SIZE);
295 XMEMCPY(ocspe->issuerKeyHash, cert->issuerKeyHash, SHA_DIGEST_SIZE);
296 ocspe->status = NULL;
297 ocspe->totalStatus = 0;
/* Return the cache entry whose issuer hash and issuer key hash both match
 * cert; when none matches, allocate a new entry, initialise it from cert and
 * push it on the front of ocsp->ocspList.
 * NOTE(review): the list-walk loop and the lines between XMALLOC and
 * InitOCSP_Entry are not shown. CyaSSL_OCSP_Lookup_Cert logs "alloc OCSP
 * entry failed", which suggests a NULL result is handled - confirm that
 * the NULL test sits before InitOCSP_Entry dereferences entry. */
303 static OCSP_Entry* find_ocsp_entry(CYASSL_OCSP* ocsp, DecodedCert* cert)
305 OCSP_Entry* entry = ocsp->ocspList;
309 if (XMEMCMP(entry->issuerHash, cert->issuerHash, SHA_DIGEST_SIZE) == 0
310 && XMEMCMP(entry->issuerKeyHash, cert->issuerKeyHash,
311 SHA_DIGEST_SIZE) == 0)
313 CYASSL_MSG("Found OCSP responder");
324 CYASSL_MSG("Add a new OCSP entry");
325 entry = (OCSP_Entry*)XMALLOC(sizeof(OCSP_Entry),
326 NULL, DYNAMIC_TYPE_OCSP_ENTRY);
329 InitOCSP_Entry(entry, cert);
330 entry->next = ocsp->ocspList;
331 ocsp->ocspList = entry;
/* Return the cached CertStatus for cert's serial number under this issuer
 * entry; when none exists, allocate one, copy the serial into it, clear
 * nextDate, bump the entry's status count and push the record on the front
 * of the list.
 * NOTE(review): the walk loop, the NULL check after XMALLOC and the initial
 * value of stat->status are on lines not shown; CyaSSL_OCSP_Lookup_Cert
 * treats -1 as "no cached status", so presumably it is set to -1 here. */
339 static CertStatus* find_cert_status(OCSP_Entry* ocspe, DecodedCert* cert)
341 CertStatus* stat = ocspe->status;
345 if(stat->serialSz == cert->serialSz &&
346 (XMEMCMP(stat->serial, cert->serial, cert->serialSz) == 0))
357 stat = (CertStatus*)XMALLOC(sizeof(CertStatus),
358 NULL, DYNAMIC_TYPE_OCSP_STATUS);
/* NOTE(review): cert->serialSz comes from the parsed certificate; this copy
 * assumes it never exceeds the size of stat->serial - verify the bound is
 * enforced by the certificate decoder or add a check here. */
361 XMEMCPY(stat->serial, cert->serial, cert->serialSz);
362 stat->serialSz = cert->serialSz;
364 stat->nextDate[0] = 0;
365 ocspe->totalStatus++;
367 stat->next = ocspe->status;
368 ocspe->status = stat;
/* Size of the stack scratch buffers used for the HTTP header, the encoded
 * OCSP request and the raw HTTP response. */
376 #define SCRATCH_BUFFER_SIZE 2048
/* Send one OCSP request over plain HTTP and hand back the response body.
 * The responder is taken from the override URL when that is selected or the
 * certificate carries no responder URL, otherwise from cert->extAuthInfo.
 * The header and the request are written with one write() each and the reply
 * is collected with a single read() into a 2048-byte buffer.
 * NOTE(review): parts of this function are missing from the listing
 * (declarations, else branches, socket close); the notes cover only what is
 * visible. */
378 static int http_ocsp_transaction(CYASSL_OCSP* ocsp, DecodedCert* cert,
379 byte* ocspReqBuf, int ocspReqSz, byte** ocspRespBuf)
382 byte httpBuf[SCRATCH_BUFFER_SIZE];
383 int httpBufSz = SCRATCH_BUFFER_SIZE;
384 char domainName[80], path[80];
385 int port, ocspRespSz;
387 if (ocsp->useOverrideUrl || cert->extAuthInfo == NULL) {
/* NOTE(review): if overrideName is an array member (80 bytes are copied from
 * it below), this comparison is always true and an unset override is not
 * detected; testing overrideName[0] would be - confirm the field type. */
388 if (ocsp->overrideName != NULL) {
389 XMEMCPY(domainName, ocsp->overrideName, 80);
390 XMEMCPY(path, ocsp->overridePath, 80);
391 port = ocsp->overridePort;
393 return OCSP_NEED_URL;
/* NOTE(review): the URL here is certificate-supplied. decode_url's host copy
 * is not bounded to the 80-byte arrays above, and its -1 error return is
 * non-zero, so "!decode_url(...)" does not catch it. */
395 if (!decode_url((const char*)cert->extAuthInfo, cert->extAuthInfoSz,
396 domainName, path, &port))
397 return OCSP_NEED_URL;
/* NOTE(review): build_http_request returns the snprintf() result, which can
 * be negative or >= the buffer size; it is used below as the write length
 * without a visible range check. */
400 httpBufSz = build_http_request(domainName, path, ocspReqSz,
/* NOTE(review): port is an int narrowed to word16 by this call, and
 * tcp_connect cannot report failure, so the writes below may run on an
 * unconnected or invalid descriptor. */
403 tcp_connect(&sfd, domainName, port);
/* NOTE(review): a short write is treated as failure rather than retried, and
 * one read() may return only part of a response that spans several segments
 * or exceeds 2048 bytes. Whether a read() result <= 0 is rejected before
 * decode_http_response runs is on a line not shown. */
406 written = write(sfd, httpBuf, httpBufSz);
407 if (written == httpBufSz) {
408 written = write(sfd, ocspReqBuf, ocspReqSz);
409 if (written == ocspReqSz) {
410 httpBufSz = read(sfd, httpBuf, SCRATCH_BUFFER_SIZE);
412 ocspRespSz = decode_http_response(httpBuf, httpBufSz,
418 if (ocspRespSz == 0) {
419 CYASSL_MSG("HTTP response was not OK, no OCSP response");
420 return OCSP_LOOKUP_FAIL;
423 CYASSL_MSG("OCSP Responder connection failed");
424 return OCSP_LOOKUP_FAIL;
/* Translate a certificate status value into a library result code. The two
 * visible returns are OCSP_CERT_REVOKED and OCSP_CERT_UNKNOWN.
 * NOTE(review): the switch/if structure and the remaining return values are
 * not shown; confirm that any unrecognised status maps to a failure code
 * rather than to success. */
431 static int xstat2err(int stat)
438 return OCSP_CERT_REVOKED;
441 return OCSP_CERT_UNKNOWN;
/* Check one certificate's revocation status, using a per-issuer cache of
 * CertStatus records and falling back to an HTTP query of the responder.
 * Visible flow: return early when lookups are disabled; find or create the
 * issuer entry and the per-serial status record; reuse a cached status whose
 * thisDate/nextDate still validate; otherwise encode a request, run
 * http_ocsp_transaction, decode the response and map its status through
 * xstat2err.
 * NOTE(review): several source lines are missing from this listing (returns,
 * else branches, the assignment of ocspRespSz), so the notes below are
 * limited to what can be seen. */
447 int CyaSSL_OCSP_Lookup_Cert(CYASSL_OCSP* ocsp, DecodedCert* cert)
449 byte ocspReqBuf[SCRATCH_BUFFER_SIZE];
450 int ocspReqSz = SCRATCH_BUFFER_SIZE;
451 byte* ocspRespBuf = NULL;
453 OcspRequest ocspRequest;
454 OcspResponse ocspResponse;
457 CertStatus* certStatus;
/* NOTE(review): a disabled context reports success, so revocation checking
 * fails open by configuration; callers that require a revocation answer
 * must make sure lookups are enabled. */
459 /* If OCSP lookups are disabled, return success. */
460 if (!ocsp->enabled) {
461 CYASSL_MSG("OCSP lookup disabled, assuming CERT_GOOD");
465 ocspe = find_ocsp_entry(ocsp, cert);
467 CYASSL_MSG("alloc OCSP entry failed");
471 certStatus = find_cert_status(ocspe, cert);
472 if (certStatus == NULL)
474 CYASSL_MSG("alloc OCSP cert status failed");
/* A status other than -1 is a cached answer. It is reused only while
 * thisDate and nextDate both validate and nextDate is present; otherwise the
 * status is reset to -1 so a fresh lookup follows. */
478 if (certStatus->status != -1)
480 if (!ValidateDate(certStatus->thisDate,
481 certStatus->thisDateFormat, BEFORE) ||
482 (certStatus->nextDate[0] == 0) ||
483 !ValidateDate(certStatus->nextDate,
484 certStatus->nextDateFormat, AFTER))
486 CYASSL_MSG("\tinvalid status date, looking up cert");
487 certStatus->status = -1;
491 CYASSL_MSG("\tusing cached status");
492 result = xstat2err(certStatus->status);
/* NOTE(review): the size returned by EncodeOcspRequest becomes the request
 * length; no check for an error or zero result is visible. */
497 InitOcspRequest(&ocspRequest, cert, ocspReqBuf, ocspReqSz);
498 ocspReqSz = EncodeOcspRequest(&ocspRequest);
499 result = http_ocsp_transaction(ocsp, cert,
500 ocspReqBuf, ocspReqSz, &ocspRespBuf);
501 if (result < 0) return result;
502 /* If the transaction failed, return that result. */
/* NOTE(review): the response arrived over unauthenticated HTTP. The return
 * value of OcspResponseDecode is not used in the visible statement; confirm
 * that decode failures are detected and that the responder's signature is
 * verified (not visible in this section) before responseStatus and the
 * certificate status are trusted. */
504 InitOcspResponse(&ocspResponse, certStatus, ocspRespBuf, ocspRespSz);
505 OcspResponseDecode(&ocspResponse);
507 if (ocspResponse.responseStatus != OCSP_SUCCESSFUL) {
508 CYASSL_MSG("OCSP Responder failure");
509 result = OCSP_LOOKUP_FAIL;
511 if (CompareOcspReqResp(&ocspRequest, &ocspResponse) == 0)
513 result = xstat2err(ocspResponse.status->status);
517 CYASSL_MSG("OCSP Response incorrect for Request");
518 result = OCSP_LOOKUP_FAIL;
/* NOTE(review): this guard tests ocspReqBuf, a local array that is never
 * NULL, while the pointer being freed is ocspRespBuf; the intended test is
 * presumably ocspRespBuf != NULL. The early return after
 * http_ocsp_transaction also bypasses this cleanup - confirm no response
 * buffer is outstanding on that path. */
521 if (ocspReqBuf != NULL) {
522 XFREE(ocspRespBuf, NULL, DYNAMIC_TYPE_IN_BUFFER);
529 #endif /* HAVE_OCSP */