Head

GCC Code Coverage Report

Directory:	./		Exec	Total	Coverage
File:	sbin/iked/ocsp.c	Lines:	0	245	0.0 %
Date:	2017-11-07	Branches:	0	154	0.0 %


/*	$OpenBSD: ocsp.c,v 1.8 2015/12/07 12:46:37 reyk Exp $ */

/*
 * Copyright (c) 2014 Markus Friedl
 * Copyright (c) 2005 Marco Pfatschbacher
 *
 * Permission to use, copy, modify, and distribute this software for any
 * purpose with or without fee is hereby granted, provided that the above
 * copyright notice and this permission notice appear in all copies.
 *
 * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
 * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
 * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
 * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
 * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
 * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
 * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
 */

#include <sys/queue.h>
#include <sys/socket.h>
#include <sys/uio.h>
#include <sys/stat.h>

#include <stdio.h>
#include <string.h>
#include <stdlib.h>
#include <errno.h>
#include <fcntl.h>
#include <unistd.h>
#include <netdb.h>

#include <openssl/pem.h>
#include <openssl/ocsp.h>
#include <openssl/err.h>
#include <openssl/ssl.h>

#include <event.h>

#include "iked.h"

struct iked_ocsp {
	struct iked		*ocsp_env;	/* back pointer to env */
	struct iked_sahdr	 ocsp_sh;	/* ike sa */
	uint8_t			 ocsp_type;	/* auth type */
	struct iked_socket	*ocsp_sock;	/* socket to ocsp responder */
	BIO			*ocsp_cbio;	/* matching OpenSSL obj */
	OCSP_CERTID		*ocsp_id;	/* ocsp-id for cert */
	OCSP_REQUEST		*ocsp_req;	/* ocsp-request */
	OCSP_REQ_CTX		*ocsp_req_ctx;	/* async ocsp-request */
};

struct ocsp_connect {
	struct iked_socket	 oc_sock;
	char			*oc_path;
};

/* priv */
void		 ocsp_connect_cb(int, short, void *);
int		 ocsp_connect_finish(struct iked *, int, struct ocsp_connect *);

/* unpriv */
void		 ocsp_free(struct iked_ocsp *);
void		 ocsp_callback(int, short, void *);
void		 ocsp_parse_response(struct iked_ocsp *, OCSP_RESPONSE *);
STACK_OF(X509)	*ocsp_load_certs(const char *);
int		 ocsp_validate_finish(struct iked_ocsp *, int);


/* priv */

/* async connect to configure ocsp-responder */
int
ocsp_connect(struct iked *env)
{
	struct ocsp_connect	*oc = NULL;
	struct addrinfo		 hints, *res0 = NULL, *res;
	char			*host = NULL, *port = NULL, *path = NULL;
	int			use_ssl, fd = -1, ret = -1, error;

	if (env->sc_ocsp_url == 0) {
		log_warnx("%s: no ocsp url", __func__);
		goto done;
	}
	if (!OCSP_parse_url(env->sc_ocsp_url, &host, &port, &path, &use_ssl)) {
		log_warnx("%s: error parsing OCSP-request-URL: %s", __func__,
		    env->sc_ocsp_url);
		goto done;
	}

	if ((fd = socket(AF_INET, SOCK_STREAM | SOCK_NONBLOCK, 0)) < 0) {
		log_debug("%s: socket failed", __func__);
		goto done;
	}
	if ((oc = calloc(1, sizeof(*oc))) == NULL) {
		log_debug("%s: calloc failed", __func__);
		goto done;
	}

	bzero(&hints, sizeof(struct addrinfo));
	hints.ai_family = PF_UNSPEC;
	hints.ai_socktype = SOCK_STREAM;
	error = getaddrinfo(host, port, &hints, &res0);
	if (error) {
		log_debug("%s: getaddrinfo(%s, %s) failed",
		    __func__, host, port);
		goto done;
	}
	/* XXX just pick the first answer. we could loop instead */
	for (res = res0; res; res = res->ai_next)
		if (res->ai_family == AF_INET)
			break;
	if (res == NULL) {
		log_debug("%s: no addr to connect to for %s:%s",
		    __func__, host, port);
		goto done;
	}

	oc->oc_sock.sock_fd = fd;
	oc->oc_sock.sock_env = env;
	oc->oc_path = path;
	path = NULL;

	log_debug("%s: connect(%s, %s)", __func__, host, port);
	if (connect(fd, res->ai_addr, res->ai_addrlen) == -1) {
		/* register callback for ansync connect */
		if (errno == EINPROGRESS) {
			event_set(&oc->oc_sock.sock_ev, fd, EV_WRITE,
			    ocsp_connect_cb, oc);
			event_add(&oc->oc_sock.sock_ev, NULL);
			ret = 0;
		} else
			log_debug("%s: error while connecting: %s", __func__,
			    strerror(errno));
	} else {
		ocsp_connect_finish(env, fd, oc);
		ret = 0;
	}
 done:
	if (res0)
		freeaddrinfo(res0);
	free(host);
	free(port);
	free(path);
	if (ret == -1) {
		ocsp_connect_finish(env, -1, oc);
		if (fd >= 0)
			close(fd);
	}
	return (ret);
}

/* callback triggered if connection to ocsp-responder completes/fails */
void
ocsp_connect_cb(int fd, short event, void *arg)
{
	struct ocsp_connect	*oc = arg;
	int			 error, send_fd = -1;
	socklen_t		 len;

	len = sizeof(error);
	if (getsockopt(fd, SOL_SOCKET, SO_ERROR, &error, &len) < 0) {
		log_warn("%s: getsockopt SOL_SOCKET SO_ERROR", __func__);
	} else if (error) {
		log_debug("%s: error while connecting: %s", __func__,
		    strerror(error));
	} else {
		send_fd = fd;
	}
	ocsp_connect_finish(oc->oc_sock.sock_env, send_fd, oc);

	/* if we did not send the fd, we need to close it ourself */
	if (send_fd == -1)
		close(fd);
}

/* send FD+path or error back to CA process */
int
ocsp_connect_finish(struct iked *env, int fd, struct ocsp_connect *oc)
{
	struct iovec		 iov[1];
	int			 iovcnt = 1, ret;

	if (oc && fd >= 0) {
		/* the imsg framework will close the FD after send */
		iov[0].iov_base = oc->oc_path;
		iov[0].iov_len = strlen(oc->oc_path);
		ret = proc_composev_imsg(&env->sc_ps, PROC_CERT, -1,
		    IMSG_OCSP_FD, -1, fd, iov, iovcnt);
	} else {
		ret = proc_compose_imsg(&env->sc_ps, PROC_CERT, -1,
		    IMSG_OCSP_FD, -1, -1, NULL, 0);
		if (fd >= 0)
			close(fd);
	}
	if (oc) {
		free(oc->oc_path);
		free(oc);
	}
	return (ret);
}


/* unpriv */

/* validate the certifcate stored in 'data' by querying the ocsp-responder */
int
ocsp_validate_cert(struct iked *env, struct iked_static_id *id,
    void *data, size_t len, struct iked_sahdr sh, uint8_t type)
{
	struct iked_ocsp_entry	*ioe;
	struct iked_ocsp	*ocsp;
	BIO			*rawcert = NULL, *bissuer = NULL;
	X509			*cert = NULL, *issuer = NULL;

	if ((ioe = calloc(1, sizeof(*ioe))) == NULL)
		return (-1);
	if ((ocsp = calloc(1, sizeof(*ocsp))) == NULL) {
		free(ioe);
		return (-1);
	}

	ocsp->ocsp_env = env;
	ocsp->ocsp_sh = sh;
	ocsp->ocsp_type = type;

	if ((rawcert = BIO_new_mem_buf(data, len)) == NULL ||
	    (cert = d2i_X509_bio(rawcert, NULL)) == NULL ||
	    (bissuer = BIO_new_file(IKED_OCSP_ISSUER, "r")) == NULL ||
	    (issuer = PEM_read_bio_X509(bissuer, NULL, NULL, NULL)) == NULL ||
	    (ocsp->ocsp_cbio = BIO_new(BIO_s_socket())) == NULL ||
	    (ocsp->ocsp_req = OCSP_REQUEST_new()) == NULL ||
	    !(ocsp->ocsp_id = OCSP_cert_to_id(NULL, cert, issuer)) ||
	    !OCSP_request_add0_id(ocsp->ocsp_req, ocsp->ocsp_id))
		goto err;

	BIO_free(rawcert);
	BIO_free(bissuer);
	X509_free(cert);
	X509_free(issuer);

	ioe->ioe_ocsp = ocsp;
	TAILQ_INSERT_TAIL(&env->sc_ocsp, ioe, ioe_entry);

	/* request connection to ocsp-responder */
	proc_compose(&env->sc_ps, PROC_PARENT, IMSG_OCSP_FD, NULL, 0);
	return (0);

 err:
	ca_sslerror(__func__);
	free(ioe);
	if (rawcert != NULL)
		BIO_free(rawcert);
	if (cert != NULL)
		X509_free(cert);
	if (bissuer != NULL)
		BIO_free(bissuer);
	if (issuer != NULL)
		X509_free(issuer);
	ocsp_validate_finish(ocsp, 0);	/* failed */
	return (-1);
}

/* free ocsp query context */
void
ocsp_free(struct iked_ocsp *ocsp)
{
	if (ocsp != NULL) {
		if (ocsp->ocsp_sock != NULL) {
			close(ocsp->ocsp_sock->sock_fd);
			free(ocsp->ocsp_sock);
		}
		if (ocsp->ocsp_cbio != NULL)
			BIO_free_all(ocsp->ocsp_cbio);
		if (ocsp->ocsp_id != NULL)
			OCSP_CERTID_free(ocsp->ocsp_id);

		/* XXX not sure about ownership XXX */
		if (ocsp->ocsp_req_ctx != NULL)
			OCSP_REQ_CTX_free(ocsp->ocsp_req_ctx);
		else if (ocsp->ocsp_req != NULL)
			OCSP_REQUEST_free(ocsp->ocsp_req);

		free(ocsp);
	}
}

/* we got a connection to the ocsp responder */
int
ocsp_receive_fd(struct iked *env, struct imsg *imsg)
{
	struct iked_ocsp_entry	*ioe = NULL;
	struct iked_ocsp	*ocsp = NULL;
	struct iked_socket	*sock;
	char			*path = NULL;
	int			 ret = -1;

	log_debug("%s: received socket fd %d", __func__, imsg->fd);
	if ((ioe = TAILQ_FIRST(&env->sc_ocsp)) == NULL) {
		log_debug("%s: oops, no request for", __func__);
		close(imsg->fd);
		return (-1);
	}
	TAILQ_REMOVE(&env->sc_ocsp, ioe, ioe_entry);
	ocsp = ioe->ioe_ocsp;
	free(ioe);

	if ((sock = calloc(1, sizeof(*sock))) == NULL)
		fatal("ocsp_receive_fd: calloc sock");

	/* note that sock_addr is not set */
	sock->sock_fd = imsg->fd;
	sock->sock_env = env;
	ocsp->ocsp_sock = sock;

	/* fetch 'path' and 'fd' from imsg */
	if ((path = get_string(imsg->data, IMSG_DATA_SIZE(imsg))) == NULL)
		goto done;

	BIO_set_fd(ocsp->ocsp_cbio, imsg->fd, BIO_NOCLOSE);

	if ((ocsp->ocsp_req_ctx = OCSP_sendreq_new(ocsp->ocsp_cbio,
	    path, NULL, -1)) == NULL)
		goto done;
	if (!OCSP_REQ_CTX_set1_req(ocsp->ocsp_req_ctx, ocsp->ocsp_req))
		goto done;

	event_set(&sock->sock_ev, sock->sock_fd, EV_WRITE, ocsp_callback, ocsp);
	event_add(&sock->sock_ev, NULL);
	ret = 0;
 done:
	if (ret == -1)
		ocsp_validate_finish(ocsp, 0);	/* failed */
	free(path);
	return (ret);
}

/* load a stack of x509 certificates */
STACK_OF(X509)*
ocsp_load_certs(const char *file)
{
	BIO			*bio = NULL;
	STACK_OF(X509)		*certs = NULL;
	STACK_OF(X509_INFO)	*xis = NULL;
	X509_INFO		*xi;
	int			 i;

	if ((bio = BIO_new_file(file, "r")) == NULL) {
		log_warn("%s: BIO_new_file failed for %s",
		    __func__, file);
		return (NULL);
	}
	if ((xis = PEM_X509_INFO_read_bio(bio, NULL, NULL, NULL)) == NULL) {
		ca_sslerror(__func__);
		goto done;
	}
	if ((certs = sk_X509_new_null()) == NULL) {
		log_debug("%s: sk_X509_new_null failed for %s", __func__, file);
		goto done;
	}
	for (i = 0; i < sk_X509_INFO_num(xis); i++) {
		xi = sk_X509_INFO_value(xis, i);
		if (xi->x509) {
			if (!sk_X509_push(certs, xi->x509))
				goto done;
			xi->x509 = NULL;
		}
	}

 done:
	if (bio)
		BIO_free(bio);
	if (xis)
		sk_X509_INFO_pop_free(xis, X509_INFO_free);
	if (certs && sk_X509_num(certs) <= 0) {
		sk_X509_pop_free(certs, X509_free);
		certs = NULL;
	}
	return (certs);
}

/* read/write callback that sends the requests and reads the ocsp response */
void
ocsp_callback(int fd, short event, void *arg)
{
	struct iked_ocsp	*ocsp = arg;
	struct iked_socket	*sock = ocsp->ocsp_sock;
	OCSP_RESPONSE		*resp = NULL;

	/*
	 * Only call OCSP_sendreq_nbio() if should_read/write is
	 * either not requested or read/write can be called.
	 */
	if ((!BIO_should_read(ocsp->ocsp_cbio) || (event & EV_READ)) &&
	    (!BIO_should_write(ocsp->ocsp_cbio) || (event & EV_WRITE)) &&
	    OCSP_sendreq_nbio(&resp, ocsp->ocsp_req_ctx) != -1 ) {
		ocsp_parse_response(ocsp, resp);
		return;
	}
	if (BIO_should_read(ocsp->ocsp_cbio))
		event_set(&sock->sock_ev, sock->sock_fd, EV_READ,
		    ocsp_callback, ocsp);
	else if (BIO_should_write(ocsp->ocsp_cbio))
		event_set(&sock->sock_ev, sock->sock_fd, EV_WRITE,
		    ocsp_callback, ocsp);
	event_add(&sock->sock_ev, NULL);
}

/* parse the actual OCSP response */
void
ocsp_parse_response(struct iked_ocsp *ocsp, OCSP_RESPONSE *resp)
{
	int status;
	X509_STORE *store = NULL;
	STACK_OF(X509) *verify_other = NULL;
	OCSP_BASICRESP *bs = NULL;
	int verify_flags = 0;
	ASN1_GENERALIZEDTIME *rev, *thisupd, *nextupd;
	int reason = 0;
	int error = 1;

	if (!resp) {
		log_warnx("%s: error querying OCSP responder", __func__);
		goto done;
	}

	status = OCSP_response_status(resp);
	if (status != OCSP_RESPONSE_STATUS_SUCCESSFUL) {
		log_warnx("%s: responder error: %s (%i)\n", __func__,
		    OCSP_response_status_str(status), status);
		goto done;
	}

	verify_other = ocsp_load_certs(IKED_OCSP_RESPCERT);
	verify_flags |= OCSP_TRUSTOTHER;
	if (!verify_other)
		goto done;

	bs = OCSP_response_get1_basic(resp);
	if (!bs) {
		log_warnx("%s: error parsing response", __func__);
		goto done;
	}

	status = OCSP_check_nonce(ocsp->ocsp_req, bs);
	if (status <= 0) {
		if (status == -1)
			log_warnx("%s: no nonce in response", __func__);
		else {
			log_warnx("%s: nonce verify error", __func__);
			goto done;
		}
	}

	store = X509_STORE_new();
	status = OCSP_basic_verify(bs, verify_other, store, verify_flags);
	if (status < 0)
		status = OCSP_basic_verify(bs, NULL, store, 0);

	if (status <= 0) {
		ca_sslerror(__func__);
		log_warnx("%s: response verify failure", __func__);
		goto done;
	} else
		log_debug("%s: response verify ok", __func__);

	if (!OCSP_resp_find_status(bs, ocsp->ocsp_id, &status, &reason,
	    &rev, &thisupd, &nextupd)) {
		log_warnx("%s: no status found", __func__);
		goto done;
	}
	log_debug("%s: status: %s", __func__, OCSP_cert_status_str(status));

	if (status == V_OCSP_CERTSTATUS_GOOD)
		error = 0;

 done:
	if (store)
		X509_STORE_free(store);
	if (verify_other)
		sk_X509_pop_free(verify_other, X509_free);
	if (resp)
		OCSP_RESPONSE_free(resp);
	if (bs)
		OCSP_BASICRESP_free(bs);

	ocsp_validate_finish(ocsp, error == 0);
}

/*
 * finish the ocsp_validate_cert() RPC by sending the appropriate
 * message back to the IKEv2 process
 */
int
ocsp_validate_finish(struct iked_ocsp *ocsp, int valid)
{
	struct iked		*env = ocsp->ocsp_env;
	struct iovec		 iov[2];
	int			 iovcnt = 2, ret, cmd;

	iov[0].iov_base = &ocsp->ocsp_sh;
	iov[0].iov_len = sizeof(ocsp->ocsp_sh);
	iov[1].iov_base = &ocsp->ocsp_type;
	iov[1].iov_len = sizeof(ocsp->ocsp_type);

	cmd = valid ? IMSG_CERTVALID : IMSG_CERTINVALID;
	ret = proc_composev(&env->sc_ps, PROC_IKEV2, cmd, iov, iovcnt);

	ocsp_free(ocsp);
	return (ret);
}


Generated by: GCOVR (Version 3.3)

Line	Branch	Exec	Source
1			/* $OpenBSD: ocsp.c,v 1.8 2015/12/07 12:46:37 reyk Exp $ */
2
3			/*
4			* Copyright (c) 2014 Markus Friedl
5			* Copyright (c) 2005 Marco Pfatschbacher
6			*
7			* Permission to use, copy, modify, and distribute this software for any
8			* purpose with or without fee is hereby granted, provided that the above
9			* copyright notice and this permission notice appear in all copies.
10			*
11			* THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
12			* WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
13			* MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
14			* ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
15			* WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
16			* ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
17			* OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
18			*/
19
20			#include <sys/queue.h>
21			#include <sys/socket.h>
22			#include <sys/uio.h>
23			#include <sys/stat.h>
24
25			#include <stdio.h>
26			#include <string.h>
27			#include <stdlib.h>
28			#include <errno.h>
29			#include <fcntl.h>
30			#include <unistd.h>
31			#include <netdb.h>
32
33			#include <openssl/pem.h>
34			#include <openssl/ocsp.h>
35			#include <openssl/err.h>
36			#include <openssl/ssl.h>
37
38			#include <event.h>
39
40			#include "iked.h"
41
42			struct iked_ocsp {
43			struct iked ocsp_env; / back pointer to env */
44			struct iked_sahdr ocsp_sh; /* ike sa */
45			uint8_t ocsp_type; /* auth type */
46			struct iked_socket ocsp_sock; / socket to ocsp responder */
47			BIO ocsp_cbio; / matching OpenSSL obj */
48			OCSP_CERTID ocsp_id; / ocsp-id for cert */
49			OCSP_REQUEST ocsp_req; / ocsp-request */
50			OCSP_REQ_CTX ocsp_req_ctx; / async ocsp-request */
51			};
52
53			struct ocsp_connect {
54			struct iked_socket oc_sock;
55			char *oc_path;
56			};
57
58			/* priv */
59			void ocsp_connect_cb(int, short, void *);
60			int ocsp_connect_finish(struct iked , int, struct ocsp_connect );
61
62			/* unpriv */
63			void ocsp_free(struct iked_ocsp *);
64			void ocsp_callback(int, short, void *);
65			void ocsp_parse_response(struct iked_ocsp , OCSP_RESPONSE );
66			STACK_OF(X509) ocsp_load_certs(const char );
67			int ocsp_validate_finish(struct iked_ocsp *, int);
68
69
70			/* priv */
71
72			/* async connect to configure ocsp-responder */
73			int
74			ocsp_connect(struct iked *env)
75			{
76			struct ocsp_connect *oc = NULL;
77			struct addrinfo hints, res0 = NULL, res;
78			char host = NULL, port = NULL, *path = NULL;
79			int use_ssl, fd = -1, ret = -1, error;
80
81			if (env->sc_ocsp_url == 0) {
82			log_warnx("%s: no ocsp url", __func__);
83			goto done;
84			}
85			if (!OCSP_parse_url(env->sc_ocsp_url, &host, &port, &path, &use_ssl)) {
86			log_warnx("%s: error parsing OCSP-request-URL: %s", __func__,
87			env->sc_ocsp_url);
88			goto done;
89			}
90
91			if ((fd = socket(AF_INET, SOCK_STREAM \| SOCK_NONBLOCK, 0)) < 0) {
92			log_debug("%s: socket failed", __func__);
93			goto done;
94			}
95			if ((oc = calloc(1, sizeof(*oc))) == NULL) {
96			log_debug("%s: calloc failed", __func__);
97			goto done;
98			}
99
100			bzero(&hints, sizeof(struct addrinfo));
101			hints.ai_family = PF_UNSPEC;
102			hints.ai_socktype = SOCK_STREAM;
103			error = getaddrinfo(host, port, &hints, &res0);
104			if (error) {
105			log_debug("%s: getaddrinfo(%s, %s) failed",
106			__func__, host, port);
107			goto done;
108			}
109			/* XXX just pick the first answer. we could loop instead */
110			for (res = res0; res; res = res->ai_next)
111			if (res->ai_family == AF_INET)
112			break;
113			if (res == NULL) {
114			log_debug("%s: no addr to connect to for %s:%s",
115			__func__, host, port);
116			goto done;
117			}
118
119			oc->oc_sock.sock_fd = fd;
120			oc->oc_sock.sock_env = env;
121			oc->oc_path = path;
122			path = NULL;
123
124			log_debug("%s: connect(%s, %s)", __func__, host, port);
125			if (connect(fd, res->ai_addr, res->ai_addrlen) == -1) {
126			/* register callback for ansync connect */
127			if (errno == EINPROGRESS) {
128			event_set(&oc->oc_sock.sock_ev, fd, EV_WRITE,
129			ocsp_connect_cb, oc);
130			event_add(&oc->oc_sock.sock_ev, NULL);
131			ret = 0;
132			} else
133			log_debug("%s: error while connecting: %s", __func__,
134			strerror(errno));
135			} else {
136			ocsp_connect_finish(env, fd, oc);
137			ret = 0;
138			}
139			done:
140			if (res0)
141			freeaddrinfo(res0);
142			free(host);
143			free(port);
144			free(path);
145			if (ret == -1) {
146			ocsp_connect_finish(env, -1, oc);
147			if (fd >= 0)
148			close(fd);
149			}
150			return (ret);
151			}
152
153			/* callback triggered if connection to ocsp-responder completes/fails */
154			void
155			ocsp_connect_cb(int fd, short event, void *arg)
156			{
157			struct ocsp_connect *oc = arg;
158			int error, send_fd = -1;
159			socklen_t len;
160
161			len = sizeof(error);
162			if (getsockopt(fd, SOL_SOCKET, SO_ERROR, &error, &len) < 0) {
163			log_warn("%s: getsockopt SOL_SOCKET SO_ERROR", __func__);
164			} else if (error) {
165			log_debug("%s: error while connecting: %s", __func__,
166			strerror(error));
167			} else {
168			send_fd = fd;
169			}
170			ocsp_connect_finish(oc->oc_sock.sock_env, send_fd, oc);
171
172			/* if we did not send the fd, we need to close it ourself */
173			if (send_fd == -1)
174			close(fd);
175			}
176
177			/* send FD+path or error back to CA process */
178			int
179			ocsp_connect_finish(struct iked env, int fd, struct ocsp_connect oc)
180			{
181			struct iovec iov[1];
182			int iovcnt = 1, ret;
183
184			if (oc && fd >= 0) {
185			/* the imsg framework will close the FD after send */
186			iov[0].iov_base = oc->oc_path;
187			iov[0].iov_len = strlen(oc->oc_path);
188			ret = proc_composev_imsg(&env->sc_ps, PROC_CERT, -1,
189			IMSG_OCSP_FD, -1, fd, iov, iovcnt);
190			} else {
191			ret = proc_compose_imsg(&env->sc_ps, PROC_CERT, -1,
192			IMSG_OCSP_FD, -1, -1, NULL, 0);
193			if (fd >= 0)
194			close(fd);
195			}
196			if (oc) {
197			free(oc->oc_path);
198			free(oc);
199			}
200			return (ret);
201			}
202
203
204			/* unpriv */
205
206			/* validate the certifcate stored in 'data' by querying the ocsp-responder */
207			int
208			ocsp_validate_cert(struct iked env, struct iked_static_id id,
209			void *data, size_t len, struct iked_sahdr sh, uint8_t type)
210			{
211			struct iked_ocsp_entry *ioe;
212			struct iked_ocsp *ocsp;
213			BIO rawcert = NULL, bissuer = NULL;
214			X509 cert = NULL, issuer = NULL;
215
216			if ((ioe = calloc(1, sizeof(*ioe))) == NULL)
217			return (-1);
218			if ((ocsp = calloc(1, sizeof(*ocsp))) == NULL) {
219			free(ioe);
220			return (-1);
221			}
222
223			ocsp->ocsp_env = env;
224			ocsp->ocsp_sh = sh;
225			ocsp->ocsp_type = type;
226
227			if ((rawcert = BIO_new_mem_buf(data, len)) == NULL \|\|
228			(cert = d2i_X509_bio(rawcert, NULL)) == NULL \|\|
229			(bissuer = BIO_new_file(IKED_OCSP_ISSUER, "r")) == NULL \|\|
230			(issuer = PEM_read_bio_X509(bissuer, NULL, NULL, NULL)) == NULL \|\|
231			(ocsp->ocsp_cbio = BIO_new(BIO_s_socket())) == NULL \|\|
232			(ocsp->ocsp_req = OCSP_REQUEST_new()) == NULL \|\|
233			!(ocsp->ocsp_id = OCSP_cert_to_id(NULL, cert, issuer)) \|\|
234			!OCSP_request_add0_id(ocsp->ocsp_req, ocsp->ocsp_id))
235			goto err;
236
237			BIO_free(rawcert);
238			BIO_free(bissuer);
239			X509_free(cert);
240			X509_free(issuer);
241
242			ioe->ioe_ocsp = ocsp;
243			TAILQ_INSERT_TAIL(&env->sc_ocsp, ioe, ioe_entry);
244
245			/* request connection to ocsp-responder */
246			proc_compose(&env->sc_ps, PROC_PARENT, IMSG_OCSP_FD, NULL, 0);
247			return (0);
248
249			err:
250			ca_sslerror(__func__);
251			free(ioe);
252			if (rawcert != NULL)
253			BIO_free(rawcert);
254			if (cert != NULL)
255			X509_free(cert);
256			if (bissuer != NULL)
257			BIO_free(bissuer);
258			if (issuer != NULL)
259			X509_free(issuer);
260			ocsp_validate_finish(ocsp, 0); /* failed */
261			return (-1);
262			}
263
264			/* free ocsp query context */
265			void
266			ocsp_free(struct iked_ocsp *ocsp)
267			{
268			if (ocsp != NULL) {
269			if (ocsp->ocsp_sock != NULL) {
270			close(ocsp->ocsp_sock->sock_fd);
271			free(ocsp->ocsp_sock);
272			}
273			if (ocsp->ocsp_cbio != NULL)
274			BIO_free_all(ocsp->ocsp_cbio);
275			if (ocsp->ocsp_id != NULL)
276			OCSP_CERTID_free(ocsp->ocsp_id);
277
278			/* XXX not sure about ownership XXX */
279			if (ocsp->ocsp_req_ctx != NULL)
280			OCSP_REQ_CTX_free(ocsp->ocsp_req_ctx);
281			else if (ocsp->ocsp_req != NULL)
282			OCSP_REQUEST_free(ocsp->ocsp_req);
283
284			free(ocsp);
285			}
286			}
287
288			/* we got a connection to the ocsp responder */
289			int
290			ocsp_receive_fd(struct iked env, struct imsg imsg)
291			{
292			struct iked_ocsp_entry *ioe = NULL;
293			struct iked_ocsp *ocsp = NULL;
294			struct iked_socket *sock;
295			char *path = NULL;
296			int ret = -1;
297
298			log_debug("%s: received socket fd %d", __func__, imsg->fd);
299			if ((ioe = TAILQ_FIRST(&env->sc_ocsp)) == NULL) {
300			log_debug("%s: oops, no request for", __func__);
301			close(imsg->fd);
302			return (-1);
303			}
304			TAILQ_REMOVE(&env->sc_ocsp, ioe, ioe_entry);
305			ocsp = ioe->ioe_ocsp;
306			free(ioe);
307
308			if ((sock = calloc(1, sizeof(*sock))) == NULL)
309			fatal("ocsp_receive_fd: calloc sock");
310
311			/* note that sock_addr is not set */
312			sock->sock_fd = imsg->fd;
313			sock->sock_env = env;
314			ocsp->ocsp_sock = sock;
315
316			/* fetch 'path' and 'fd' from imsg */
317			if ((path = get_string(imsg->data, IMSG_DATA_SIZE(imsg))) == NULL)
318			goto done;
319
320			BIO_set_fd(ocsp->ocsp_cbio, imsg->fd, BIO_NOCLOSE);
321
322			if ((ocsp->ocsp_req_ctx = OCSP_sendreq_new(ocsp->ocsp_cbio,
323			path, NULL, -1)) == NULL)
324			goto done;
325			if (!OCSP_REQ_CTX_set1_req(ocsp->ocsp_req_ctx, ocsp->ocsp_req))
326			goto done;
327
328			event_set(&sock->sock_ev, sock->sock_fd, EV_WRITE, ocsp_callback, ocsp);
329			event_add(&sock->sock_ev, NULL);
330			ret = 0;
331			done:
332			if (ret == -1)
333			ocsp_validate_finish(ocsp, 0); /* failed */
334			free(path);
335			return (ret);
336			}
337
338			/* load a stack of x509 certificates */
339			STACK_OF(X509)*
340			ocsp_load_certs(const char *file)
341			{
342			BIO *bio = NULL;
343			STACK_OF(X509) *certs = NULL;
344			STACK_OF(X509_INFO) *xis = NULL;
345			X509_INFO *xi;
346			int i;
347
348			if ((bio = BIO_new_file(file, "r")) == NULL) {
349			log_warn("%s: BIO_new_file failed for %s",
350			__func__, file);
351			return (NULL);
352			}
353			if ((xis = PEM_X509_INFO_read_bio(bio, NULL, NULL, NULL)) == NULL) {
354			ca_sslerror(__func__);
355			goto done;
356			}
357			if ((certs = sk_X509_new_null()) == NULL) {
358			log_debug("%s: sk_X509_new_null failed for %s", __func__, file);
359			goto done;
360			}
361			for (i = 0; i < sk_X509_INFO_num(xis); i++) {
362			xi = sk_X509_INFO_value(xis, i);
363			if (xi->x509) {
364			if (!sk_X509_push(certs, xi->x509))
365			goto done;
366			xi->x509 = NULL;
367			}
368			}
369
370			done:
371			if (bio)
372			BIO_free(bio);
373			if (xis)
374			sk_X509_INFO_pop_free(xis, X509_INFO_free);
375			if (certs && sk_X509_num(certs) <= 0) {
376			sk_X509_pop_free(certs, X509_free);
377			certs = NULL;
378			}
379			return (certs);
380			}
381
382			/* read/write callback that sends the requests and reads the ocsp response */
383			void
384			ocsp_callback(int fd, short event, void *arg)
385			{
386			struct iked_ocsp *ocsp = arg;
387			struct iked_socket *sock = ocsp->ocsp_sock;
388			OCSP_RESPONSE *resp = NULL;
389
390			/*
391			* Only call OCSP_sendreq_nbio() if should_read/write is
392			* either not requested or read/write can be called.
393			*/
394			if ((!BIO_should_read(ocsp->ocsp_cbio) \|\| (event & EV_READ)) &&
395			(!BIO_should_write(ocsp->ocsp_cbio) \|\| (event & EV_WRITE)) &&
396			OCSP_sendreq_nbio(&resp, ocsp->ocsp_req_ctx) != -1 ) {
397			ocsp_parse_response(ocsp, resp);
398			return;
399			}
400			if (BIO_should_read(ocsp->ocsp_cbio))
401			event_set(&sock->sock_ev, sock->sock_fd, EV_READ,
402			ocsp_callback, ocsp);
403			else if (BIO_should_write(ocsp->ocsp_cbio))
404			event_set(&sock->sock_ev, sock->sock_fd, EV_WRITE,
405			ocsp_callback, ocsp);
406			event_add(&sock->sock_ev, NULL);
407			}
408
409			/* parse the actual OCSP response */
410			void
411			ocsp_parse_response(struct iked_ocsp ocsp, OCSP_RESPONSE resp)
412			{
413			int status;
414			X509_STORE *store = NULL;
415			STACK_OF(X509) *verify_other = NULL;
416			OCSP_BASICRESP *bs = NULL;
417			int verify_flags = 0;
418			ASN1_GENERALIZEDTIME rev, thisupd, *nextupd;
419			int reason = 0;
420			int error = 1;
421
422			if (!resp) {
423			log_warnx("%s: error querying OCSP responder", __func__);
424			goto done;
425			}
426
427			status = OCSP_response_status(resp);
428			if (status != OCSP_RESPONSE_STATUS_SUCCESSFUL) {
429			log_warnx("%s: responder error: %s (%i)\n", __func__,
430			OCSP_response_status_str(status), status);
431			goto done;
432			}
433
434			verify_other = ocsp_load_certs(IKED_OCSP_RESPCERT);
435			verify_flags \|= OCSP_TRUSTOTHER;
436			if (!verify_other)
437			goto done;
438
439			bs = OCSP_response_get1_basic(resp);
440			if (!bs) {
441			log_warnx("%s: error parsing response", __func__);
442			goto done;
443			}
444
445			status = OCSP_check_nonce(ocsp->ocsp_req, bs);
446			if (status <= 0) {
447			if (status == -1)
448			log_warnx("%s: no nonce in response", __func__);
449			else {
450			log_warnx("%s: nonce verify error", __func__);
451			goto done;
452			}
453			}
454
455			store = X509_STORE_new();
456			status = OCSP_basic_verify(bs, verify_other, store, verify_flags);
457			if (status < 0)
458			status = OCSP_basic_verify(bs, NULL, store, 0);
459
460			if (status <= 0) {
461			ca_sslerror(__func__);
462			log_warnx("%s: response verify failure", __func__);
463			goto done;
464			} else
465			log_debug("%s: response verify ok", __func__);
466
467			if (!OCSP_resp_find_status(bs, ocsp->ocsp_id, &status, &reason,
468			&rev, &thisupd, &nextupd)) {
469			log_warnx("%s: no status found", __func__);
470			goto done;
471			}
472			log_debug("%s: status: %s", __func__, OCSP_cert_status_str(status));
473
474			if (status == V_OCSP_CERTSTATUS_GOOD)
475			error = 0;
476
477			done:
478			if (store)
479			X509_STORE_free(store);
480			if (verify_other)
481			sk_X509_pop_free(verify_other, X509_free);
482			if (resp)
483			OCSP_RESPONSE_free(resp);
484			if (bs)
485			OCSP_BASICRESP_free(bs);
486
487			ocsp_validate_finish(ocsp, error == 0);
488			}
489
490			/*
491			* finish the ocsp_validate_cert() RPC by sending the appropriate
492			* message back to the IKEv2 process
493			*/
494			int
495			ocsp_validate_finish(struct iked_ocsp *ocsp, int valid)
496			{
497			struct iked *env = ocsp->ocsp_env;
498			struct iovec iov[2];
499			int iovcnt = 2, ret, cmd;
500
501			iov[0].iov_base = &ocsp->ocsp_sh;
502			iov[0].iov_len = sizeof(ocsp->ocsp_sh);
503			iov[1].iov_base = &ocsp->ocsp_type;
504			iov[1].iov_len = sizeof(ocsp->ocsp_type);
505
506			cmd = valid ? IMSG_CERTVALID : IMSG_CERTINVALID;
507			ret = proc_composev(&env->sc_ps, PROC_IKEV2, cmd, iov, iovcnt);
508
509			ocsp_free(ocsp);
510			return (ret);
511			}