Gitiles
Code Review Sign In
gerrit.omnirom.org / android_external_wpa_supplicant_8 / 59fa4b44b84301ac01b937a6a0e687cf5dd3593a / . / src / utils / http_curl.c
blob: 30b07f23d1f8b62810aabd795cf3ba677469ddae [file] [log] [blame]
Dmitry Shmidtd5dc24e2014-03-12 14:22:04 -0700[diff] [blame]1/*
2 * HTTP wrapper for libcurl
Dmitry Shmidt6cb1f652014-03-21 10:54:03 -0700[diff] [blame]3 * Copyright (c) 2012-2014, Qualcomm Atheros, Inc.
Dmitry Shmidtd5dc24e2014-03-12 14:22:04 -0700[diff] [blame]4 *
5 * This software may be distributed under the terms of the BSD license.
6 * See README for more details.
7 */
8
9#include "includes.h"
10#include <curl/curl.h>
11#ifdef EAP_TLS_OPENSSL
12#include <openssl/ssl.h>
13#include <openssl/asn1.h>
14#include <openssl/asn1t.h>
15#include <openssl/x509v3.h>
16
17#ifdef SSL_set_tlsext_status_type
18#ifndef OPENSSL_NO_TLSEXT
19#define HAVE_OCSP
20#include <openssl/err.h>
21#include <openssl/ocsp.h>
22#endif /* OPENSSL_NO_TLSEXT */
23#endif /* SSL_set_tlsext_status_type */
24#endif /* EAP_TLS_OPENSSL */
25
26#include "common.h"
27#include "xml-utils.h"
28#include "http-utils.h"
Dmitry Shmidtd7ff03d2015-12-04 14:49:35 -0800[diff] [blame]29#ifdef EAP_TLS_OPENSSL
30#include "crypto/tls_openssl.h"
31#endif /* EAP_TLS_OPENSSL */
Dmitry Shmidtd5dc24e2014-03-12 14:22:04 -0700[diff] [blame]32
33
Hai Shalom74f70d42019-02-11 14:42:39 -0800[diff] [blame]34#if OPENSSL_VERSION_NUMBER < 0x10100000L
35static const unsigned char * ASN1_STRING_get0_data(const ASN1_STRING *x)
36{
37 return ASN1_STRING_data((ASN1_STRING *) x);
38}
39#endif /* OpenSSL < 1.1.0 */
40
41
Dmitry Shmidtd5dc24e2014-03-12 14:22:04 -0700[diff] [blame]42struct http_ctx {
43 void *ctx;
44 struct xml_node_ctx *xml;
45 CURL *curl;
46 struct curl_slist *curl_hdr;
47 char *svc_address;
48 char *svc_ca_fname;
49 char *svc_username;
50 char *svc_password;
51 char *svc_client_cert;
52 char *svc_client_key;
53 char *curl_buf;
54 size_t curl_buf_len;
55
56 int (*cert_cb)(void *ctx, struct http_cert *cert);
57 void *cert_cb_ctx;
58
59 enum {
60 NO_OCSP, OPTIONAL_OCSP, MANDATORY_OCSP
61 } ocsp;
62 X509 *peer_cert;
63 X509 *peer_issuer;
64 X509 *peer_issuer_issuer;
65
66 const char *last_err;
Sunil Ravi59fa4b42022-05-02 22:54:18 -0700[diff] [blame^]67 const char *url;
Dmitry Shmidtd5dc24e2014-03-12 14:22:04 -0700[diff] [blame]68};
69
70
71static void clear_curl(struct http_ctx *ctx)
72{
73 if (ctx->curl) {
74 curl_easy_cleanup(ctx->curl);
75 ctx->curl = NULL;
76 }
77 if (ctx->curl_hdr) {
78 curl_slist_free_all(ctx->curl_hdr);
79 ctx->curl_hdr = NULL;
80 }
81}
82
83
84static void clone_str(char **dst, const char *src)
85{
86 os_free(*dst);
87 if (src)
88 *dst = os_strdup(src);
89 else
90 *dst = NULL;
91}
92
93
94static void debug_dump(struct http_ctx *ctx, const char *title,
95 const char *buf, size_t len)
96{
Dmitry Shmidt6cb1f652014-03-21 10:54:03 -0700[diff] [blame]97 char *txt;
98 size_t i;
99
100 for (i = 0; i < len; i++) {
101 if (buf[i] < 32 && buf[i] != '\t' && buf[i] != '\n' &&
102 buf[i] != '\r') {
103 wpa_hexdump_ascii(MSG_MSGDUMP, title, buf, len);
104 return;
105 }
106 }
107
108 txt = os_malloc(len + 1);
Dmitry Shmidtd5dc24e2014-03-12 14:22:04 -0700[diff] [blame]109 if (txt == NULL)
110 return;
111 os_memcpy(txt, buf, len);
112 txt[len] = '\0';
113 while (len > 0) {
114 len--;
Dmitry Shmidt6cb1f652014-03-21 10:54:03 -0700[diff] [blame]115 if (txt[len] == '\n' || txt[len] == '\r')
116 txt[len] = '\0';
117 else
118 break;
Dmitry Shmidtd5dc24e2014-03-12 14:22:04 -0700[diff] [blame]119 }
120 wpa_printf(MSG_MSGDUMP, "%s[%s]", title, txt);
121 os_free(txt);
122}
123
124
125static int curl_cb_debug(CURL *curl, curl_infotype info, char *buf, size_t len,
126 void *userdata)
127{
128 struct http_ctx *ctx = userdata;
129 switch (info) {
130 case CURLINFO_TEXT:
131 debug_dump(ctx, "CURLINFO_TEXT", buf, len);
132 break;
133 case CURLINFO_HEADER_IN:
134 debug_dump(ctx, "CURLINFO_HEADER_IN", buf, len);
135 break;
136 case CURLINFO_HEADER_OUT:
137 debug_dump(ctx, "CURLINFO_HEADER_OUT", buf, len);
138 break;
139 case CURLINFO_DATA_IN:
140 debug_dump(ctx, "CURLINFO_DATA_IN", buf, len);
141 break;
142 case CURLINFO_DATA_OUT:
143 debug_dump(ctx, "CURLINFO_DATA_OUT", buf, len);
144 break;
145 case CURLINFO_SSL_DATA_IN:
146 wpa_printf(MSG_DEBUG, "debug - CURLINFO_SSL_DATA_IN - %d",
147 (int) len);
148 break;
149 case CURLINFO_SSL_DATA_OUT:
150 wpa_printf(MSG_DEBUG, "debug - CURLINFO_SSL_DATA_OUT - %d",
151 (int) len);
152 break;
153 case CURLINFO_END:
154 wpa_printf(MSG_DEBUG, "debug - CURLINFO_END - %d",
155 (int) len);
156 break;
157 }
158 return 0;
159}
160
161
Dmitry Shmidtd5dc24e2014-03-12 14:22:04 -0700[diff] [blame]162static size_t curl_cb_write(void *ptr, size_t size, size_t nmemb,
163 void *userdata)
164{
165 struct http_ctx *ctx = userdata;
166 char *n;
Dmitry Shmidtd5dc24e2014-03-12 14:22:04 -0700[diff] [blame]167 n = os_realloc(ctx->curl_buf, ctx->curl_buf_len + size * nmemb + 1);
168 if (n == NULL)
169 return 0;
170 ctx->curl_buf = n;
171 os_memcpy(n + ctx->curl_buf_len, ptr, size * nmemb);
172 n[ctx->curl_buf_len + size * nmemb] = '\0';
173 ctx->curl_buf_len += size * nmemb;
174 return size * nmemb;
175}
176
177
178#ifdef EAP_TLS_OPENSSL
179
180static void debug_dump_cert(const char *title, X509 *cert)
181{
182 BIO *out;
183 char *txt;
184 size_t rlen;
185
186 out = BIO_new(BIO_s_mem());
187 if (!out)
188 return;
189
190 X509_print_ex(out, cert, XN_FLAG_COMPAT, X509_FLAG_COMPAT);
191 rlen = BIO_ctrl_pending(out);
192 txt = os_malloc(rlen + 1);
193 if (txt) {
194 int res = BIO_read(out, txt, rlen);
195 if (res > 0) {
196 txt[res] = '\0';
197 wpa_printf(MSG_MSGDUMP, "%s:\n%s", title, txt);
198 }
199 os_free(txt);
200 }
201 BIO_free(out);
202}
203
204
205static void add_alt_name_othername(struct http_ctx *ctx, struct http_cert *cert,
206 OTHERNAME *o)
207{
208 char txt[100];
209 int res;
210 struct http_othername *on;
211 ASN1_TYPE *val;
212
213 on = os_realloc_array(cert->othername, cert->num_othername + 1,
214 sizeof(struct http_othername));
215 if (on == NULL)
216 return;
217 cert->othername = on;
218 on = &on[cert->num_othername];
219 os_memset(on, 0, sizeof(*on));
220
221 res = OBJ_obj2txt(txt, sizeof(txt), o->type_id, 1);
222 if (res < 0 || res >= (int) sizeof(txt))
223 return;
224
225 on->oid = os_strdup(txt);
226 if (on->oid == NULL)
227 return;
228
229 val = o->value;
230 on->data = val->value.octet_string->data;
231 on->len = val->value.octet_string->length;
232
233 cert->num_othername++;
234}
235
236
237static void add_alt_name_dns(struct http_ctx *ctx, struct http_cert *cert,
238 ASN1_STRING *name)
239{
240 char *buf;
241 char **n;
242
243 buf = NULL;
244 if (ASN1_STRING_to_UTF8((unsigned char **) &buf, name) < 0)
245 return;
246
247 n = os_realloc_array(cert->dnsname, cert->num_dnsname + 1,
248 sizeof(char *));
249 if (n == NULL)
250 return;
251
252 cert->dnsname = n;
253 n[cert->num_dnsname] = buf;
254 cert->num_dnsname++;
255}
256
257
258static void add_alt_name(struct http_ctx *ctx, struct http_cert *cert,
259 const GENERAL_NAME *name)
260{
261 switch (name->type) {
262 case GEN_OTHERNAME:
263 add_alt_name_othername(ctx, cert, name->d.otherName);
264 break;
265 case GEN_DNS:
266 add_alt_name_dns(ctx, cert, name->d.dNSName);
267 break;
268 }
269}
270
271
272static void add_alt_names(struct http_ctx *ctx, struct http_cert *cert,
273 GENERAL_NAMES *names)
274{
275 int num, i;
276
277 num = sk_GENERAL_NAME_num(names);
278 for (i = 0; i < num; i++) {
279 const GENERAL_NAME *name;
280 name = sk_GENERAL_NAME_value(names, i);
281 add_alt_name(ctx, cert, name);
282 }
283}
284
285
286/* RFC 3709 */
287
288typedef struct {
289 X509_ALGOR *hashAlg;
290 ASN1_OCTET_STRING *hashValue;
291} HashAlgAndValue;
292
293typedef struct {
294 STACK_OF(HashAlgAndValue) *refStructHash;
295 STACK_OF(ASN1_IA5STRING) *refStructURI;
296} LogotypeReference;
297
298typedef struct {
299 ASN1_IA5STRING *mediaType;
300 STACK_OF(HashAlgAndValue) *logotypeHash;
301 STACK_OF(ASN1_IA5STRING) *logotypeURI;
302} LogotypeDetails;
303
304typedef struct {
305 int type;
306 union {
307 ASN1_INTEGER *numBits;
308 ASN1_INTEGER *tableSize;
309 } d;
310} LogotypeImageResolution;
311
312typedef struct {
313 ASN1_INTEGER *type; /* LogotypeImageType ::= INTEGER */
314 ASN1_INTEGER *fileSize;
315 ASN1_INTEGER *xSize;
316 ASN1_INTEGER *ySize;
317 LogotypeImageResolution *resolution;
318 ASN1_IA5STRING *language;
319} LogotypeImageInfo;
320
321typedef struct {
322 LogotypeDetails *imageDetails;
323 LogotypeImageInfo *imageInfo;
324} LogotypeImage;
325
326typedef struct {
327 ASN1_INTEGER *fileSize;
328 ASN1_INTEGER *playTime;
329 ASN1_INTEGER *channels;
330 ASN1_INTEGER *sampleRate;
331 ASN1_IA5STRING *language;
332} LogotypeAudioInfo;
333
334typedef struct {
335 LogotypeDetails *audioDetails;
336 LogotypeAudioInfo *audioInfo;
337} LogotypeAudio;
338
339typedef struct {
340 STACK_OF(LogotypeImage) *image;
341 STACK_OF(LogotypeAudio) *audio;
342} LogotypeData;
343
344typedef struct {
345 int type;
346 union {
347 LogotypeData *direct;
348 LogotypeReference *indirect;
349 } d;
350} LogotypeInfo;
351
352typedef struct {
353 ASN1_OBJECT *logotypeType;
354 LogotypeInfo *info;
355} OtherLogotypeInfo;
356
357typedef struct {
358 STACK_OF(LogotypeInfo) *communityLogos;
359 LogotypeInfo *issuerLogo;
360 LogotypeInfo *subjectLogo;
361 STACK_OF(OtherLogotypeInfo) *otherLogos;
362} LogotypeExtn;
363
364ASN1_SEQUENCE(HashAlgAndValue) = {
365 ASN1_SIMPLE(HashAlgAndValue, hashAlg, X509_ALGOR),
366 ASN1_SIMPLE(HashAlgAndValue, hashValue, ASN1_OCTET_STRING)
367} ASN1_SEQUENCE_END(HashAlgAndValue);
368
369ASN1_SEQUENCE(LogotypeReference) = {
370 ASN1_SEQUENCE_OF(LogotypeReference, refStructHash, HashAlgAndValue),
371 ASN1_SEQUENCE_OF(LogotypeReference, refStructURI, ASN1_IA5STRING)
372} ASN1_SEQUENCE_END(LogotypeReference);
373
374ASN1_SEQUENCE(LogotypeDetails) = {
375 ASN1_SIMPLE(LogotypeDetails, mediaType, ASN1_IA5STRING),
376 ASN1_SEQUENCE_OF(LogotypeDetails, logotypeHash, HashAlgAndValue),
377 ASN1_SEQUENCE_OF(LogotypeDetails, logotypeURI, ASN1_IA5STRING)
378} ASN1_SEQUENCE_END(LogotypeDetails);
379
380ASN1_CHOICE(LogotypeImageResolution) = {
381 ASN1_IMP(LogotypeImageResolution, d.numBits, ASN1_INTEGER, 1),
382 ASN1_IMP(LogotypeImageResolution, d.tableSize, ASN1_INTEGER, 2)
383} ASN1_CHOICE_END(LogotypeImageResolution);
384
385ASN1_SEQUENCE(LogotypeImageInfo) = {
386 ASN1_IMP_OPT(LogotypeImageInfo, type, ASN1_INTEGER, 0),
387 ASN1_SIMPLE(LogotypeImageInfo, fileSize, ASN1_INTEGER),
388 ASN1_SIMPLE(LogotypeImageInfo, xSize, ASN1_INTEGER),
389 ASN1_SIMPLE(LogotypeImageInfo, ySize, ASN1_INTEGER),
390 ASN1_OPT(LogotypeImageInfo, resolution, LogotypeImageResolution),
391 ASN1_IMP_OPT(LogotypeImageInfo, language, ASN1_IA5STRING, 4),
392} ASN1_SEQUENCE_END(LogotypeImageInfo);
393
394ASN1_SEQUENCE(LogotypeImage) = {
395 ASN1_SIMPLE(LogotypeImage, imageDetails, LogotypeDetails),
396 ASN1_OPT(LogotypeImage, imageInfo, LogotypeImageInfo)
397} ASN1_SEQUENCE_END(LogotypeImage);
398
399ASN1_SEQUENCE(LogotypeAudioInfo) = {
400 ASN1_SIMPLE(LogotypeAudioInfo, fileSize, ASN1_INTEGER),
401 ASN1_SIMPLE(LogotypeAudioInfo, playTime, ASN1_INTEGER),
402 ASN1_SIMPLE(LogotypeAudioInfo, channels, ASN1_INTEGER),
403 ASN1_IMP_OPT(LogotypeAudioInfo, sampleRate, ASN1_INTEGER, 3),
404 ASN1_IMP_OPT(LogotypeAudioInfo, language, ASN1_IA5STRING, 4)
405} ASN1_SEQUENCE_END(LogotypeAudioInfo);
406
407ASN1_SEQUENCE(LogotypeAudio) = {
408 ASN1_SIMPLE(LogotypeAudio, audioDetails, LogotypeDetails),
409 ASN1_OPT(LogotypeAudio, audioInfo, LogotypeAudioInfo)
410} ASN1_SEQUENCE_END(LogotypeAudio);
411
412ASN1_SEQUENCE(LogotypeData) = {
413 ASN1_SEQUENCE_OF_OPT(LogotypeData, image, LogotypeImage),
414 ASN1_IMP_SEQUENCE_OF_OPT(LogotypeData, audio, LogotypeAudio, 1)
415} ASN1_SEQUENCE_END(LogotypeData);
416
417ASN1_CHOICE(LogotypeInfo) = {
418 ASN1_IMP(LogotypeInfo, d.direct, LogotypeData, 0),
419 ASN1_IMP(LogotypeInfo, d.indirect, LogotypeReference, 1)
420} ASN1_CHOICE_END(LogotypeInfo);
421
422ASN1_SEQUENCE(OtherLogotypeInfo) = {
423 ASN1_SIMPLE(OtherLogotypeInfo, logotypeType, ASN1_OBJECT),
424 ASN1_SIMPLE(OtherLogotypeInfo, info, LogotypeInfo)
425} ASN1_SEQUENCE_END(OtherLogotypeInfo);
426
427ASN1_SEQUENCE(LogotypeExtn) = {
428 ASN1_EXP_SEQUENCE_OF_OPT(LogotypeExtn, communityLogos, LogotypeInfo, 0),
429 ASN1_EXP_OPT(LogotypeExtn, issuerLogo, LogotypeInfo, 1),
430 ASN1_EXP_OPT(LogotypeExtn, issuerLogo, LogotypeInfo, 2),
431 ASN1_EXP_SEQUENCE_OF_OPT(LogotypeExtn, otherLogos, OtherLogotypeInfo, 3)
432} ASN1_SEQUENCE_END(LogotypeExtn);
433
434IMPLEMENT_ASN1_FUNCTIONS(LogotypeExtn);
435
Dmitry Shmidtd80a4012015-11-05 16:35:40 -0800[diff] [blame]436#ifdef OPENSSL_IS_BORINGSSL
437#define sk_LogotypeInfo_num(st) \
438sk_num(CHECKED_CAST(_STACK *, STACK_OF(LogotypeInfo) *, (st)))
439#define sk_LogotypeInfo_value(st, i) (LogotypeInfo *) \
440sk_value(CHECKED_CAST(_STACK *, const STACK_OF(LogotypeInfo) *, (st)), (i))
441#define sk_LogotypeImage_num(st) \
442sk_num(CHECKED_CAST(_STACK *, STACK_OF(LogotypeImage) *, (st)))
443#define sk_LogotypeImage_value(st, i) (LogotypeImage *) \
444sk_value(CHECKED_CAST(_STACK *, const STACK_OF(LogotypeImage) *, (st)), (i))
445#define sk_LogotypeAudio_num(st) \
446sk_num(CHECKED_CAST(_STACK *, STACK_OF(LogotypeAudio) *, (st)))
447#define sk_LogotypeAudio_value(st, i) (LogotypeAudio *) \
448sk_value(CHECK_CAST(_STACK *, const STACK_OF(LogotypeAudio) *, (st)), (i))
449#define sk_HashAlgAndValue_num(st) \
450sk_num(CHECKED_CAST(_STACK *, STACK_OF(HashAlgAndValue) *, (st)))
451#define sk_HashAlgAndValue_value(st, i) (HashAlgAndValue *) \
452sk_value(CHECKED_CAST(_STACK *, const STACK_OF(HashAlgAndValue) *, (st)), (i))
453#define sk_ASN1_IA5STRING_num(st) \
454sk_num(CHECKED_CAST(_STACK *, STACK_OF(ASN1_IA5STRING) *, (st)))
455#define sk_ASN1_IA5STRING_value(st, i) (ASN1_IA5STRING *) \
456sk_value(CHECKED_CAST(_STACK *, const STACK_OF(ASN1_IA5STRING) *, (st)), (i))
457#else /* OPENSSL_IS_BORINGSSL */
Hai Shalom74f70d42019-02-11 14:42:39 -0800[diff] [blame]458#if OPENSSL_VERSION_NUMBER < 0x10100000L
Dmitry Shmidtd5dc24e2014-03-12 14:22:04 -0700[diff] [blame]459#define sk_LogotypeInfo_num(st) SKM_sk_num(LogotypeInfo, (st))
460#define sk_LogotypeInfo_value(st, i) SKM_sk_value(LogotypeInfo, (st), (i))
461#define sk_LogotypeImage_num(st) SKM_sk_num(LogotypeImage, (st))
462#define sk_LogotypeImage_value(st, i) SKM_sk_value(LogotypeImage, (st), (i))
463#define sk_LogotypeAudio_num(st) SKM_sk_num(LogotypeAudio, (st))
464#define sk_LogotypeAudio_value(st, i) SKM_sk_value(LogotypeAudio, (st), (i))
465#define sk_HashAlgAndValue_num(st) SKM_sk_num(HashAlgAndValue, (st))
466#define sk_HashAlgAndValue_value(st, i) SKM_sk_value(HashAlgAndValue, (st), (i))
467#define sk_ASN1_IA5STRING_num(st) SKM_sk_num(ASN1_IA5STRING, (st))
468#define sk_ASN1_IA5STRING_value(st, i) SKM_sk_value(ASN1_IA5STRING, (st), (i))
Hai Shalom74f70d42019-02-11 14:42:39 -0800[diff] [blame]469#else
470DEFINE_STACK_OF(LogotypeInfo)
471DEFINE_STACK_OF(LogotypeImage)
472DEFINE_STACK_OF(LogotypeAudio)
473DEFINE_STACK_OF(HashAlgAndValue)
474DEFINE_STACK_OF(ASN1_IA5STRING)
475#endif
Dmitry Shmidtd80a4012015-11-05 16:35:40 -0800[diff] [blame]476#endif /* OPENSSL_IS_BORINGSSL */
Dmitry Shmidtd5dc24e2014-03-12 14:22:04 -0700[diff] [blame]477
478
479static void add_logo(struct http_ctx *ctx, struct http_cert *hcert,
480 HashAlgAndValue *hash, ASN1_IA5STRING *uri)
481{
482 char txt[100];
483 int res, len;
484 struct http_logo *n;
485
486 if (hash == NULL || uri == NULL)
487 return;
488
489 res = OBJ_obj2txt(txt, sizeof(txt), hash->hashAlg->algorithm, 1);
490 if (res < 0 || res >= (int) sizeof(txt))
491 return;
492
493 n = os_realloc_array(hcert->logo, hcert->num_logo + 1,
494 sizeof(struct http_logo));
495 if (n == NULL)
496 return;
497 hcert->logo = n;
498 n = &hcert->logo[hcert->num_logo];
499 os_memset(n, 0, sizeof(*n));
500
501 n->alg_oid = os_strdup(txt);
502 if (n->alg_oid == NULL)
503 return;
504
505 n->hash_len = ASN1_STRING_length(hash->hashValue);
Hai Shalom74f70d42019-02-11 14:42:39 -0800[diff] [blame]506 n->hash = os_memdup(ASN1_STRING_get0_data(hash->hashValue),
507 n->hash_len);
Dmitry Shmidtd5dc24e2014-03-12 14:22:04 -0700[diff] [blame]508 if (n->hash == NULL) {
509 os_free(n->alg_oid);
510 return;
511 }
Dmitry Shmidtd5dc24e2014-03-12 14:22:04 -0700[diff] [blame]512
513 len = ASN1_STRING_length(uri);
514 n->uri = os_malloc(len + 1);
515 if (n->uri == NULL) {
516 os_free(n->alg_oid);
517 os_free(n->hash);
518 return;
519 }
Hai Shalom74f70d42019-02-11 14:42:39 -0800[diff] [blame]520 os_memcpy(n->uri, ASN1_STRING_get0_data(uri), len);
Dmitry Shmidtd5dc24e2014-03-12 14:22:04 -0700[diff] [blame]521 n->uri[len] = '\0';
522
523 hcert->num_logo++;
524}
525
526
527static void add_logo_direct(struct http_ctx *ctx, struct http_cert *hcert,
528 LogotypeData *data)
529{
530 int i, num;
531
532 if (data->image == NULL)
533 return;
534
535 num = sk_LogotypeImage_num(data->image);
536 for (i = 0; i < num; i++) {
537 LogotypeImage *image;
538 LogotypeDetails *details;
539 int j, hash_num, uri_num;
540 HashAlgAndValue *found_hash = NULL;
541
542 image = sk_LogotypeImage_value(data->image, i);
543 if (image == NULL)
544 continue;
545
546 details = image->imageDetails;
547 if (details == NULL)
548 continue;
549
550 hash_num = sk_HashAlgAndValue_num(details->logotypeHash);
551 for (j = 0; j < hash_num; j++) {
552 HashAlgAndValue *hash;
553 char txt[100];
554 int res;
555 hash = sk_HashAlgAndValue_value(details->logotypeHash,
556 j);
557 if (hash == NULL)
558 continue;
559 res = OBJ_obj2txt(txt, sizeof(txt),
560 hash->hashAlg->algorithm, 1);
561 if (res < 0 || res >= (int) sizeof(txt))
562 continue;
563 if (os_strcmp(txt, "2.16.840.1.101.3.4.2.1") == 0) {
564 found_hash = hash;
565 break;
566 }
567 }
568
569 if (!found_hash) {
570 wpa_printf(MSG_DEBUG, "OpenSSL: No SHA256 hash found for the logo");
571 continue;
572 }
573
574 uri_num = sk_ASN1_IA5STRING_num(details->logotypeURI);
575 for (j = 0; j < uri_num; j++) {
576 ASN1_IA5STRING *uri;
577 uri = sk_ASN1_IA5STRING_value(details->logotypeURI, j);
578 add_logo(ctx, hcert, found_hash, uri);
579 }
580 }
581}
582
583
584static void add_logo_indirect(struct http_ctx *ctx, struct http_cert *hcert,
585 LogotypeReference *ref)
586{
587 int j, hash_num, uri_num;
588
589 hash_num = sk_HashAlgAndValue_num(ref->refStructHash);
590 uri_num = sk_ASN1_IA5STRING_num(ref->refStructURI);
591 if (hash_num != uri_num) {
592 wpa_printf(MSG_INFO, "Unexpected LogotypeReference array size difference %d != %d",
593 hash_num, uri_num);
594 return;
595 }
596
597 for (j = 0; j < hash_num; j++) {
598 HashAlgAndValue *hash;
599 ASN1_IA5STRING *uri;
600 hash = sk_HashAlgAndValue_value(ref->refStructHash, j);
601 uri = sk_ASN1_IA5STRING_value(ref->refStructURI, j);
602 add_logo(ctx, hcert, hash, uri);
603 }
604}
605
606
607static void i2r_HashAlgAndValue(HashAlgAndValue *hash, BIO *out, int indent)
608{
609 int i;
610 const unsigned char *data;
611
612 BIO_printf(out, "%*shashAlg: ", indent, "");
613 i2a_ASN1_OBJECT(out, hash->hashAlg->algorithm);
614 BIO_printf(out, "\n");
615
616 BIO_printf(out, "%*shashValue: ", indent, "");
617 data = hash->hashValue->data;
618 for (i = 0; i < hash->hashValue->length; i++)
619 BIO_printf(out, "%s%02x", i > 0 ? ":" : "", data[i]);
620 BIO_printf(out, "\n");
621}
622
623static void i2r_LogotypeDetails(LogotypeDetails *details, BIO *out, int indent)
624{
625 int i, num;
626
627 BIO_printf(out, "%*sLogotypeDetails\n", indent, "");
628 if (details->mediaType) {
629 BIO_printf(out, "%*smediaType: ", indent, "");
630 ASN1_STRING_print(out, details->mediaType);
631 BIO_printf(out, "\n");
632 }
633
634 num = details->logotypeHash ?
635 sk_HashAlgAndValue_num(details->logotypeHash) : 0;
636 for (i = 0; i < num; i++) {
637 HashAlgAndValue *hash;
638 hash = sk_HashAlgAndValue_value(details->logotypeHash, i);
639 i2r_HashAlgAndValue(hash, out, indent);
640 }
641
642 num = details->logotypeURI ?
643 sk_ASN1_IA5STRING_num(details->logotypeURI) : 0;
644 for (i = 0; i < num; i++) {
645 ASN1_IA5STRING *uri;
646 uri = sk_ASN1_IA5STRING_value(details->logotypeURI, i);
647 BIO_printf(out, "%*slogotypeURI: ", indent, "");
648 ASN1_STRING_print(out, uri);
649 BIO_printf(out, "\n");
650 }
651}
652
653static void i2r_LogotypeImageInfo(LogotypeImageInfo *info, BIO *out, int indent)
654{
655 long val;
656
657 BIO_printf(out, "%*sLogotypeImageInfo\n", indent, "");
658 if (info->type) {
659 val = ASN1_INTEGER_get(info->type);
660 BIO_printf(out, "%*stype: %ld\n", indent, "", val);
661 } else {
662 BIO_printf(out, "%*stype: default (1)\n", indent, "");
663 }
Dmitry Shmidtb97e4282016-02-08 10:16:07 -0800[diff] [blame]664 val = ASN1_INTEGER_get(info->fileSize);
665 BIO_printf(out, "%*sfileSize: %ld\n", indent, "", val);
Dmitry Shmidtd5dc24e2014-03-12 14:22:04 -0700[diff] [blame]666 val = ASN1_INTEGER_get(info->xSize);
667 BIO_printf(out, "%*sxSize: %ld\n", indent, "", val);
668 val = ASN1_INTEGER_get(info->ySize);
669 BIO_printf(out, "%*sySize: %ld\n", indent, "", val);
670 if (info->resolution) {
Dmitry Shmidtb97e4282016-02-08 10:16:07 -0800[diff] [blame]671 BIO_printf(out, "%*sresolution [%d]\n", indent, "",
672 info->resolution->type);
673 switch (info->resolution->type) {
674 case 0:
675 val = ASN1_INTEGER_get(info->resolution->d.numBits);
676 BIO_printf(out, "%*snumBits: %ld\n", indent, "", val);
677 break;
678 case 1:
679 val = ASN1_INTEGER_get(info->resolution->d.tableSize);
680 BIO_printf(out, "%*stableSize: %ld\n", indent, "", val);
681 break;
682 }
Dmitry Shmidtd5dc24e2014-03-12 14:22:04 -0700[diff] [blame]683 }
684 if (info->language) {
685 BIO_printf(out, "%*slanguage: ", indent, "");
686 ASN1_STRING_print(out, info->language);
687 BIO_printf(out, "\n");
688 }
689}
690
691static void i2r_LogotypeImage(LogotypeImage *image, BIO *out, int indent)
692{
693 BIO_printf(out, "%*sLogotypeImage\n", indent, "");
694 if (image->imageDetails) {
695 i2r_LogotypeDetails(image->imageDetails, out, indent + 4);
696 }
697 if (image->imageInfo) {
698 i2r_LogotypeImageInfo(image->imageInfo, out, indent + 4);
699 }
700}
701
702static void i2r_LogotypeData(LogotypeData *data, const char *title, BIO *out,
703 int indent)
704{
705 int i, num;
706
707 BIO_printf(out, "%*s%s - LogotypeData\n", indent, "", title);
708
709 num = data->image ? sk_LogotypeImage_num(data->image) : 0;
710 for (i = 0; i < num; i++) {
711 LogotypeImage *image = sk_LogotypeImage_value(data->image, i);
712 i2r_LogotypeImage(image, out, indent + 4);
713 }
714
715 num = data->audio ? sk_LogotypeAudio_num(data->audio) : 0;
716 for (i = 0; i < num; i++) {
717 BIO_printf(out, "%*saudio: TODO\n", indent, "");
718 }
719}
720
721static void i2r_LogotypeReference(LogotypeReference *ref, const char *title,
722 BIO *out, int indent)
723{
724 int i, hash_num, uri_num;
725
726 BIO_printf(out, "%*s%s - LogotypeReference\n", indent, "", title);
727
728 hash_num = ref->refStructHash ?
729 sk_HashAlgAndValue_num(ref->refStructHash) : 0;
730 uri_num = ref->refStructURI ?
731 sk_ASN1_IA5STRING_num(ref->refStructURI) : 0;
732 if (hash_num != uri_num) {
733 BIO_printf(out, "%*sUnexpected LogotypeReference array size difference %d != %d\n",
734 indent, "", hash_num, uri_num);
735 return;
736 }
737
738 for (i = 0; i < hash_num; i++) {
739 HashAlgAndValue *hash;
740 ASN1_IA5STRING *uri;
741
742 hash = sk_HashAlgAndValue_value(ref->refStructHash, i);
743 i2r_HashAlgAndValue(hash, out, indent);
744
745 uri = sk_ASN1_IA5STRING_value(ref->refStructURI, i);
746 BIO_printf(out, "%*srefStructURI: ", indent, "");
747 ASN1_STRING_print(out, uri);
748 BIO_printf(out, "\n");
749 }
750}
751
752static void i2r_LogotypeInfo(LogotypeInfo *info, const char *title, BIO *out,
753 int indent)
754{
755 switch (info->type) {
756 case 0:
757 i2r_LogotypeData(info->d.direct, title, out, indent);
758 break;
759 case 1:
760 i2r_LogotypeReference(info->d.indirect, title, out, indent);
761 break;
762 }
763}
764
765static void debug_print_logotypeext(LogotypeExtn *logo)
766{
767 BIO *out;
768 int i, num;
769 int indent = 0;
770
771 out = BIO_new_fp(stdout, BIO_NOCLOSE);
772 if (out == NULL)
773 return;
774
775 if (logo->communityLogos) {
776 num = sk_LogotypeInfo_num(logo->communityLogos);
777 for (i = 0; i < num; i++) {
778 LogotypeInfo *info;
779 info = sk_LogotypeInfo_value(logo->communityLogos, i);
780 i2r_LogotypeInfo(info, "communityLogo", out, indent);
781 }
782 }
783
784 if (logo->issuerLogo) {
785 i2r_LogotypeInfo(logo->issuerLogo, "issuerLogo", out, indent );
786 }
787
788 if (logo->subjectLogo) {
789 i2r_LogotypeInfo(logo->subjectLogo, "subjectLogo", out, indent);
790 }
791
792 if (logo->otherLogos) {
793 BIO_printf(out, "%*sotherLogos - TODO\n", indent, "");
794 }
795
796 BIO_free(out);
797}
798
799
800static void add_logotype_ext(struct http_ctx *ctx, struct http_cert *hcert,
801 X509 *cert)
802{
803 ASN1_OBJECT *obj;
804 int pos;
805 X509_EXTENSION *ext;
806 ASN1_OCTET_STRING *os;
807 LogotypeExtn *logo;
808 const unsigned char *data;
809 int i, num;
810
811 obj = OBJ_txt2obj("1.3.6.1.5.5.7.1.12", 0);
812 if (obj == NULL)
813 return;
814
815 pos = X509_get_ext_by_OBJ(cert, obj, -1);
816 if (pos < 0) {
817 wpa_printf(MSG_INFO, "No logotype extension included");
818 return;
819 }
820
821 wpa_printf(MSG_INFO, "Parsing logotype extension");
822 ext = X509_get_ext(cert, pos);
823 if (!ext) {
824 wpa_printf(MSG_INFO, "Could not get logotype extension");
825 return;
826 }
827
828 os = X509_EXTENSION_get_data(ext);
829 if (os == NULL) {
830 wpa_printf(MSG_INFO, "Could not get logotype extension data");
831 return;
832 }
833
834 wpa_hexdump(MSG_DEBUG, "logotypeExtn",
Hai Shalom74f70d42019-02-11 14:42:39 -0800[diff] [blame]835 ASN1_STRING_get0_data(os), ASN1_STRING_length(os));
Dmitry Shmidtd5dc24e2014-03-12 14:22:04 -0700[diff] [blame]836
Hai Shalom74f70d42019-02-11 14:42:39 -0800[diff] [blame]837 data = ASN1_STRING_get0_data(os);
Dmitry Shmidtd5dc24e2014-03-12 14:22:04 -0700[diff] [blame]838 logo = d2i_LogotypeExtn(NULL, &data, ASN1_STRING_length(os));
839 if (logo == NULL) {
840 wpa_printf(MSG_INFO, "Failed to parse logotypeExtn");
841 return;
842 }
843
844 if (wpa_debug_level < MSG_INFO)
845 debug_print_logotypeext(logo);
846
847 if (!logo->communityLogos) {
848 wpa_printf(MSG_INFO, "No communityLogos included");
849 LogotypeExtn_free(logo);
850 return;
851 }
852
853 num = sk_LogotypeInfo_num(logo->communityLogos);
854 for (i = 0; i < num; i++) {
855 LogotypeInfo *info;
856 info = sk_LogotypeInfo_value(logo->communityLogos, i);
857 switch (info->type) {
858 case 0:
859 add_logo_direct(ctx, hcert, info->d.direct);
860 break;
861 case 1:
862 add_logo_indirect(ctx, hcert, info->d.indirect);
863 break;
864 }
865 }
866
867 LogotypeExtn_free(logo);
868}
869
870
871static void parse_cert(struct http_ctx *ctx, struct http_cert *hcert,
872 X509 *cert, GENERAL_NAMES **names)
873{
874 os_memset(hcert, 0, sizeof(*hcert));
Sunil Ravi59fa4b42022-05-02 22:54:18 -0700[diff] [blame^]875 hcert->url = ctx->url ? ctx->url : ctx->svc_address;
Dmitry Shmidtd5dc24e2014-03-12 14:22:04 -0700[diff] [blame]876
877 *names = X509_get_ext_d2i(cert, NID_subject_alt_name, NULL, NULL);
Dmitry Shmidtd5ab1b52016-06-21 12:38:41 -0700[diff] [blame]878 if (*names)
Dmitry Shmidtd5dc24e2014-03-12 14:22:04 -0700[diff] [blame]879 add_alt_names(ctx, hcert, *names);
880
881 add_logotype_ext(ctx, hcert, cert);
882}
883
884
885static void parse_cert_free(struct http_cert *hcert, GENERAL_NAMES *names)
886{
887 unsigned int i;
888
889 for (i = 0; i < hcert->num_dnsname; i++)
890 OPENSSL_free(hcert->dnsname[i]);
891 os_free(hcert->dnsname);
892
893 for (i = 0; i < hcert->num_othername; i++)
894 os_free(hcert->othername[i].oid);
895 os_free(hcert->othername);
896
897 for (i = 0; i < hcert->num_logo; i++) {
898 os_free(hcert->logo[i].alg_oid);
899 os_free(hcert->logo[i].hash);
900 os_free(hcert->logo[i].uri);
901 }
902 os_free(hcert->logo);
903
904 sk_GENERAL_NAME_pop_free(names, GENERAL_NAME_free);
905}
906
907
908static int validate_server_cert(struct http_ctx *ctx, X509 *cert)
909{
910 GENERAL_NAMES *names;
911 struct http_cert hcert;
912 int ret;
913
Dmitry Shmidt912c6ec2015-03-30 13:16:51 -0700[diff] [blame]914 if (ctx->cert_cb == NULL) {
915 wpa_printf(MSG_DEBUG, "%s: no cert_cb configured", __func__);
Dmitry Shmidtd5dc24e2014-03-12 14:22:04 -0700[diff] [blame]916 return 0;
Dmitry Shmidt912c6ec2015-03-30 13:16:51 -0700[diff] [blame]917 }
Dmitry Shmidtd5dc24e2014-03-12 14:22:04 -0700[diff] [blame]918
919 if (0) {
920 BIO *out;
921 out = BIO_new_fp(stdout, BIO_NOCLOSE);
922 X509_print_ex(out, cert, XN_FLAG_COMPAT, X509_FLAG_COMPAT);
923 BIO_free(out);
924 }
925
926 parse_cert(ctx, &hcert, cert, &names);
927 ret = ctx->cert_cb(ctx->cert_cb_ctx, &hcert);
928 parse_cert_free(&hcert, names);
929
930 return ret;
931}
932
933
934void http_parse_x509_certificate(struct http_ctx *ctx, const char *fname)
935{
936 BIO *in, *out;
937 X509 *cert;
938 GENERAL_NAMES *names;
939 struct http_cert hcert;
940 unsigned int i;
941
942 in = BIO_new_file(fname, "r");
943 if (in == NULL) {
944 wpa_printf(MSG_ERROR, "Could not read '%s'", fname);
945 return;
946 }
947
948 cert = d2i_X509_bio(in, NULL);
949 BIO_free(in);
950
951 if (cert == NULL) {
952 wpa_printf(MSG_ERROR, "Could not parse certificate");
953 return;
954 }
955
956 out = BIO_new_fp(stdout, BIO_NOCLOSE);
957 if (out) {
958 X509_print_ex(out, cert, XN_FLAG_COMPAT,
959 X509_FLAG_COMPAT);
960 BIO_free(out);
961 }
962
963 wpa_printf(MSG_INFO, "Additional parsing information:");
964 parse_cert(ctx, &hcert, cert, &names);
965 for (i = 0; i < hcert.num_othername; i++) {
966 if (os_strcmp(hcert.othername[i].oid,
967 "1.3.6.1.4.1.40808.1.1.1") == 0) {
968 char *name = os_zalloc(hcert.othername[i].len + 1);
969 if (name) {
970 os_memcpy(name, hcert.othername[i].data,
971 hcert.othername[i].len);
972 wpa_printf(MSG_INFO,
973 "id-wfa-hotspot-friendlyName: %s",
974 name);
975 os_free(name);
976 }
977 wpa_hexdump_ascii(MSG_INFO,
978 "id-wfa-hotspot-friendlyName",
979 hcert.othername[i].data,
980 hcert.othername[i].len);
981 } else {
982 wpa_printf(MSG_INFO, "subjAltName[othername]: oid=%s",
983 hcert.othername[i].oid);
984 wpa_hexdump_ascii(MSG_INFO, "unknown othername",
985 hcert.othername[i].data,
986 hcert.othername[i].len);
987 }
988 }
989 parse_cert_free(&hcert, names);
990
991 X509_free(cert);
992}
993
994
995static int curl_cb_ssl_verify(int preverify_ok, X509_STORE_CTX *x509_ctx)
996{
997 struct http_ctx *ctx;
998 X509 *cert;
999 int err, depth;
1000 char buf[256];
1001 X509_NAME *name;
1002 const char *err_str;
1003 SSL *ssl;
1004 SSL_CTX *ssl_ctx;
1005
1006 ssl = X509_STORE_CTX_get_ex_data(x509_ctx,
1007 SSL_get_ex_data_X509_STORE_CTX_idx());
Dmitry Shmidtd2986c22017-10-23 14:22:09 -0700[diff] [blame]1008 ssl_ctx = SSL_get_SSL_CTX(ssl);
Dmitry Shmidtd5dc24e2014-03-12 14:22:04 -0700[diff] [blame]1009 ctx = SSL_CTX_get_app_data(ssl_ctx);
1010
Dmitry Shmidt912c6ec2015-03-30 13:16:51 -0700[diff] [blame]1011 wpa_printf(MSG_DEBUG, "curl_cb_ssl_verify, preverify_ok: %d",
1012 preverify_ok);
Dmitry Shmidtd5dc24e2014-03-12 14:22:04 -0700[diff] [blame]1013
1014 err = X509_STORE_CTX_get_error(x509_ctx);
1015 err_str = X509_verify_cert_error_string(err);
1016 depth = X509_STORE_CTX_get_error_depth(x509_ctx);
1017 cert = X509_STORE_CTX_get_current_cert(x509_ctx);
1018 if (!cert) {
1019 wpa_printf(MSG_INFO, "No server certificate available");
1020 ctx->last_err = "No server certificate available";
1021 return 0;
1022 }
1023
1024 if (depth == 0)
1025 ctx->peer_cert = cert;
1026 else if (depth == 1)
1027 ctx->peer_issuer = cert;
1028 else if (depth == 2)
1029 ctx->peer_issuer_issuer = cert;
1030
1031 name = X509_get_subject_name(cert);
1032 X509_NAME_oneline(name, buf, sizeof(buf));
1033 wpa_printf(MSG_INFO, "Server certificate chain - depth=%d err=%d (%s) subject=%s",
1034 depth, err, err_str, buf);
1035 debug_dump_cert("Server certificate chain - certificate", cert);
1036
1037 if (depth == 0 && preverify_ok && validate_server_cert(ctx, cert) < 0)
1038 return 0;
1039
Dmitry Shmidtd7ff03d2015-12-04 14:49:35 -0800[diff] [blame]1040#ifdef OPENSSL_IS_BORINGSSL
1041 if (depth == 0 && ctx->ocsp != NO_OCSP && preverify_ok) {
1042 enum ocsp_result res;
1043
1044 res = check_ocsp_resp(ssl_ctx, ssl, cert, ctx->peer_issuer,
1045 ctx->peer_issuer_issuer);
1046 if (res == OCSP_REVOKED) {
1047 preverify_ok = 0;
1048 wpa_printf(MSG_INFO, "OCSP: certificate revoked");
1049 if (err == X509_V_OK)
1050 X509_STORE_CTX_set_error(
1051 x509_ctx, X509_V_ERR_CERT_REVOKED);
1052 } else if (res != OCSP_GOOD && (ctx->ocsp == MANDATORY_OCSP)) {
1053 preverify_ok = 0;
1054 wpa_printf(MSG_INFO,
1055 "OCSP: bad certificate status response");
1056 }
1057 }
1058#endif /* OPENSSL_IS_BORINGSSL */
1059
Dmitry Shmidtd5dc24e2014-03-12 14:22:04 -0700[diff] [blame]1060 if (!preverify_ok)
1061 ctx->last_err = "TLS validation failed";
1062
1063 return preverify_ok;
1064}
1065
1066
1067#ifdef HAVE_OCSP
1068
1069static void ocsp_debug_print_resp(OCSP_RESPONSE *rsp)
1070{
1071 BIO *out;
1072 size_t rlen;
1073 char *txt;
1074 int res;
1075
1076 out = BIO_new(BIO_s_mem());
1077 if (!out)
1078 return;
1079
1080 OCSP_RESPONSE_print(out, rsp, 0);
1081 rlen = BIO_ctrl_pending(out);
1082 txt = os_malloc(rlen + 1);
1083 if (!txt) {
1084 BIO_free(out);
1085 return;
1086 }
1087
1088 res = BIO_read(out, txt, rlen);
1089 if (res > 0) {
1090 txt[res] = '\0';
1091 wpa_printf(MSG_MSGDUMP, "OpenSSL: OCSP Response\n%s", txt);
1092 }
1093 os_free(txt);
1094 BIO_free(out);
1095}
1096
1097
1098static void tls_show_errors(const char *func, const char *txt)
1099{
1100 unsigned long err;
1101
1102 wpa_printf(MSG_DEBUG, "OpenSSL: %s - %s %s",
1103 func, txt, ERR_error_string(ERR_get_error(), NULL));
1104
1105 while ((err = ERR_get_error())) {
1106 wpa_printf(MSG_DEBUG, "OpenSSL: pending error: %s",
1107 ERR_error_string(err, NULL));
1108 }
1109}
1110
1111
1112static int ocsp_resp_cb(SSL *s, void *arg)
1113{
1114 struct http_ctx *ctx = arg;
1115 const unsigned char *p;
Dmitry Shmidtd2986c22017-10-23 14:22:09 -0700[diff] [blame]1116 int len, status, reason, res;
Dmitry Shmidtd5dc24e2014-03-12 14:22:04 -0700[diff] [blame]1117 OCSP_RESPONSE *rsp;
1118 OCSP_BASICRESP *basic;
1119 OCSP_CERTID *id;
1120 ASN1_GENERALIZEDTIME *produced_at, *this_update, *next_update;
1121 X509_STORE *store;
1122 STACK_OF(X509) *certs = NULL;
1123
1124 len = SSL_get_tlsext_status_ocsp_resp(s, &p);
1125 if (!p) {
1126 wpa_printf(MSG_DEBUG, "OpenSSL: No OCSP response received");
1127 if (ctx->ocsp == MANDATORY_OCSP)
1128 ctx->last_err = "No OCSP response received";
1129 return (ctx->ocsp == MANDATORY_OCSP) ? 0 : 1;
1130 }
1131
1132 wpa_hexdump(MSG_DEBUG, "OpenSSL: OCSP response", p, len);
1133
1134 rsp = d2i_OCSP_RESPONSE(NULL, &p, len);
1135 if (!rsp) {
1136 wpa_printf(MSG_INFO, "OpenSSL: Failed to parse OCSP response");
1137 ctx->last_err = "Failed to parse OCSP response";
1138 return 0;
1139 }
1140
1141 ocsp_debug_print_resp(rsp);
1142
1143 status = OCSP_response_status(rsp);
1144 if (status != OCSP_RESPONSE_STATUS_SUCCESSFUL) {
1145 wpa_printf(MSG_INFO, "OpenSSL: OCSP responder error %d (%s)",
1146 status, OCSP_response_status_str(status));
1147 ctx->last_err = "OCSP responder error";
1148 return 0;
1149 }
1150
1151 basic = OCSP_response_get1_basic(rsp);
1152 if (!basic) {
1153 wpa_printf(MSG_INFO, "OpenSSL: Could not find BasicOCSPResponse");
1154 ctx->last_err = "Could not find BasicOCSPResponse";
1155 return 0;
1156 }
1157
Hai Shalom74f70d42019-02-11 14:42:39 -0800[diff] [blame]1158 store = SSL_CTX_get_cert_store(SSL_get_SSL_CTX(s));
Dmitry Shmidtd5dc24e2014-03-12 14:22:04 -0700[diff] [blame]1159 if (ctx->peer_issuer) {
1160 wpa_printf(MSG_DEBUG, "OpenSSL: Add issuer");
1161 debug_dump_cert("OpenSSL: Issuer certificate",
1162 ctx->peer_issuer);
1163
1164 if (X509_STORE_add_cert(store, ctx->peer_issuer) != 1) {
1165 tls_show_errors(__func__,
Dmitry Shmidt7f656022015-02-25 14:36:37 -0800[diff] [blame]1166 "OpenSSL: Could not add issuer to certificate store");
Dmitry Shmidtd5dc24e2014-03-12 14:22:04 -0700[diff] [blame]1167 }
1168 certs = sk_X509_new_null();
1169 if (certs) {
1170 X509 *cert;
1171 cert = X509_dup(ctx->peer_issuer);
1172 if (cert && !sk_X509_push(certs, cert)) {
1173 tls_show_errors(
1174 __func__,
Dmitry Shmidt7f656022015-02-25 14:36:37 -0800[diff] [blame]1175 "OpenSSL: Could not add issuer to OCSP responder trust store");
Dmitry Shmidtd5dc24e2014-03-12 14:22:04 -0700[diff] [blame]1176 X509_free(cert);
1177 sk_X509_free(certs);
1178 certs = NULL;
1179 }
Dmitry Shmidt7f656022015-02-25 14:36:37 -0800[diff] [blame]1180 if (certs && ctx->peer_issuer_issuer) {
Dmitry Shmidtd5dc24e2014-03-12 14:22:04 -0700[diff] [blame]1181 cert = X509_dup(ctx->peer_issuer_issuer);
1182 if (cert && !sk_X509_push(certs, cert)) {
1183 tls_show_errors(
1184 __func__,
Dmitry Shmidt7f656022015-02-25 14:36:37 -0800[diff] [blame]1185 "OpenSSL: Could not add issuer's issuer to OCSP responder trust store");
Dmitry Shmidtd5dc24e2014-03-12 14:22:04 -0700[diff] [blame]1186 X509_free(cert);
1187 }
1188 }
1189 }
1190 }
1191
1192 status = OCSP_basic_verify(basic, certs, store, OCSP_TRUSTOTHER);
1193 sk_X509_pop_free(certs, X509_free);
1194 if (status <= 0) {
1195 tls_show_errors(__func__,
1196 "OpenSSL: OCSP response failed verification");
1197 OCSP_BASICRESP_free(basic);
1198 OCSP_RESPONSE_free(rsp);
1199 ctx->last_err = "OCSP response failed verification";
1200 return 0;
1201 }
1202
1203 wpa_printf(MSG_DEBUG, "OpenSSL: OCSP response verification succeeded");
1204
1205 if (!ctx->peer_cert) {
1206 wpa_printf(MSG_DEBUG, "OpenSSL: Peer certificate not available for OCSP status check");
1207 OCSP_BASICRESP_free(basic);
1208 OCSP_RESPONSE_free(rsp);
1209 ctx->last_err = "Peer certificate not available for OCSP status check";
1210 return 0;
1211 }
1212
1213 if (!ctx->peer_issuer) {
1214 wpa_printf(MSG_DEBUG, "OpenSSL: Peer issuer certificate not available for OCSP status check");
1215 OCSP_BASICRESP_free(basic);
1216 OCSP_RESPONSE_free(rsp);
1217 ctx->last_err = "Peer issuer certificate not available for OCSP status check";
1218 return 0;
1219 }
1220
Dmitry Shmidtd2986c22017-10-23 14:22:09 -0700[diff] [blame]1221 id = OCSP_cert_to_id(EVP_sha256(), ctx->peer_cert, ctx->peer_issuer);
Dmitry Shmidtd5dc24e2014-03-12 14:22:04 -0700[diff] [blame]1222 if (!id) {
Dmitry Shmidtd2986c22017-10-23 14:22:09 -0700[diff] [blame]1223 wpa_printf(MSG_DEBUG,
1224 "OpenSSL: Could not create OCSP certificate identifier (SHA256)");
Dmitry Shmidtd5dc24e2014-03-12 14:22:04 -0700[diff] [blame]1225 OCSP_BASICRESP_free(basic);
1226 OCSP_RESPONSE_free(rsp);
1227 ctx->last_err = "Could not create OCSP certificate identifier";
1228 return 0;
1229 }
1230
Dmitry Shmidtd2986c22017-10-23 14:22:09 -0700[diff] [blame]1231 res = OCSP_resp_find_status(basic, id, &status, &reason, &produced_at,
1232 &this_update, &next_update);
1233 if (!res) {
1234 id = OCSP_cert_to_id(NULL, ctx->peer_cert, ctx->peer_issuer);
1235 if (!id) {
1236 wpa_printf(MSG_DEBUG,
1237 "OpenSSL: Could not create OCSP certificate identifier (SHA1)");
1238 OCSP_BASICRESP_free(basic);
1239 OCSP_RESPONSE_free(rsp);
1240 ctx->last_err =
1241 "Could not create OCSP certificate identifier";
1242 return 0;
1243 }
1244
1245 res = OCSP_resp_find_status(basic, id, &status, &reason,
1246 &produced_at, &this_update,
1247 &next_update);
1248 }
1249
1250 if (!res) {
Dmitry Shmidtd5dc24e2014-03-12 14:22:04 -0700[diff] [blame]1251 wpa_printf(MSG_INFO, "OpenSSL: Could not find current server certificate from OCSP response%s",
1252 (ctx->ocsp == MANDATORY_OCSP) ? "" :
1253 " (OCSP not required)");
Dmitry Shmidt57c2d392016-02-23 13:40:19 -0800[diff] [blame]1254 OCSP_CERTID_free(id);
Dmitry Shmidtd5dc24e2014-03-12 14:22:04 -0700[diff] [blame]1255 OCSP_BASICRESP_free(basic);
1256 OCSP_RESPONSE_free(rsp);
1257 if (ctx->ocsp == MANDATORY_OCSP)
1258
1259 ctx->last_err = "Could not find current server certificate from OCSP response";
1260 return (ctx->ocsp == MANDATORY_OCSP) ? 0 : 1;
1261 }
Dmitry Shmidt57c2d392016-02-23 13:40:19 -0800[diff] [blame]1262 OCSP_CERTID_free(id);
Dmitry Shmidtd5dc24e2014-03-12 14:22:04 -0700[diff] [blame]1263
1264 if (!OCSP_check_validity(this_update, next_update, 5 * 60, -1)) {
1265 tls_show_errors(__func__, "OpenSSL: OCSP status times invalid");
1266 OCSP_BASICRESP_free(basic);
1267 OCSP_RESPONSE_free(rsp);
1268 ctx->last_err = "OCSP status times invalid";
1269 return 0;
1270 }
1271
1272 OCSP_BASICRESP_free(basic);
1273 OCSP_RESPONSE_free(rsp);
1274
1275 wpa_printf(MSG_DEBUG, "OpenSSL: OCSP status for server certificate: %s",
1276 OCSP_cert_status_str(status));
1277
1278 if (status == V_OCSP_CERTSTATUS_GOOD)
1279 return 1;
Dmitry Shmidt661b4f72014-09-29 14:58:27 -0700[diff] [blame]1280 if (status == V_OCSP_CERTSTATUS_REVOKED) {
Dmitry Shmidtd5dc24e2014-03-12 14:22:04 -0700[diff] [blame]1281 ctx->last_err = "Server certificate has been revoked";
1282 return 0;
Dmitry Shmidt661b4f72014-09-29 14:58:27 -0700[diff] [blame]1283 }
Dmitry Shmidtd5dc24e2014-03-12 14:22:04 -0700[diff] [blame]1284 if (ctx->ocsp == MANDATORY_OCSP) {
1285 wpa_printf(MSG_DEBUG, "OpenSSL: OCSP status unknown, but OCSP required");
1286 ctx->last_err = "OCSP status unknown";
1287 return 0;
1288 }
1289 wpa_printf(MSG_DEBUG, "OpenSSL: OCSP status unknown, but OCSP was not required, so allow connection to continue");
1290 return 1;
1291}
1292
1293
Hai Shalom74f70d42019-02-11 14:42:39 -0800[diff] [blame]1294#if OPENSSL_VERSION_NUMBER < 0x10100000L
Dmitry Shmidtd5dc24e2014-03-12 14:22:04 -0700[diff] [blame]1295static SSL_METHOD patch_ssl_method;
1296static const SSL_METHOD *real_ssl_method;
1297
1298static int curl_patch_ssl_new(SSL *s)
1299{
Hai Shalom74f70d42019-02-11 14:42:39 -0800[diff] [blame]1300 SSL_CTX *ssl = SSL_get_SSL_CTX(s);
Dmitry Shmidtd5dc24e2014-03-12 14:22:04 -0700[diff] [blame]1301 int ret;
1302
1303 ssl->method = real_ssl_method;
1304 s->method = real_ssl_method;
1305
1306 ret = s->method->ssl_new(s);
1307 SSL_set_tlsext_status_type(s, TLSEXT_STATUSTYPE_ocsp);
1308
1309 return ret;
1310}
Hai Shalom74f70d42019-02-11 14:42:39 -0800[diff] [blame]1311#endif /* OpenSSL < 1.1.0 */
Dmitry Shmidtd5dc24e2014-03-12 14:22:04 -0700[diff] [blame]1312
1313#endif /* HAVE_OCSP */
1314
1315
1316static CURLcode curl_cb_ssl(CURL *curl, void *sslctx, void *parm)
1317{
1318 struct http_ctx *ctx = parm;
1319 SSL_CTX *ssl = sslctx;
1320
1321 wpa_printf(MSG_DEBUG, "curl_cb_ssl");
1322 SSL_CTX_set_app_data(ssl, ctx);
1323 SSL_CTX_set_verify(ssl, SSL_VERIFY_PEER, curl_cb_ssl_verify);
1324
1325#ifdef HAVE_OCSP
1326 if (ctx->ocsp != NO_OCSP) {
1327 SSL_CTX_set_tlsext_status_cb(ssl, ocsp_resp_cb);
1328 SSL_CTX_set_tlsext_status_arg(ssl, ctx);
1329
Hai Shalom74f70d42019-02-11 14:42:39 -0800[diff] [blame]1330#if OPENSSL_VERSION_NUMBER < 0x10100000L
Dmitry Shmidtd5dc24e2014-03-12 14:22:04 -0700[diff] [blame]1331 /*
1332 * Use a temporary SSL_METHOD to get a callback on SSL_new()
1333 * from libcurl since there is no proper callback registration
1334 * available for this.
1335 */
1336 os_memset(&patch_ssl_method, 0, sizeof(patch_ssl_method));
1337 patch_ssl_method.ssl_new = curl_patch_ssl_new;
1338 real_ssl_method = ssl->method;
1339 ssl->method = &patch_ssl_method;
Hai Shalom74f70d42019-02-11 14:42:39 -0800[diff] [blame]1340#endif /* OpenSSL < 1.1.0 */
Dmitry Shmidtd5dc24e2014-03-12 14:22:04 -0700[diff] [blame]1341 }
1342#endif /* HAVE_OCSP */
1343
1344 return CURLE_OK;
1345}
1346
1347#endif /* EAP_TLS_OPENSSL */
1348
1349
1350static CURL * setup_curl_post(struct http_ctx *ctx, const char *address,
1351 const char *ca_fname, const char *username,
1352 const char *password, const char *client_cert,
1353 const char *client_key)
1354{
1355 CURL *curl;
Dmitry Shmidt912c6ec2015-03-30 13:16:51 -0700[diff] [blame]1356#ifdef EAP_TLS_OPENSSL
1357 const char *extra = " tls=openssl";
1358#else /* EAP_TLS_OPENSSL */
1359 const char *extra = "";
1360#endif /* EAP_TLS_OPENSSL */
Dmitry Shmidtd5dc24e2014-03-12 14:22:04 -0700[diff] [blame]1361
1362 wpa_printf(MSG_DEBUG, "Start HTTP client: address=%s ca_fname=%s "
Dmitry Shmidt912c6ec2015-03-30 13:16:51 -0700[diff] [blame]1363 "username=%s%s", address, ca_fname, username, extra);
Dmitry Shmidtd5dc24e2014-03-12 14:22:04 -0700[diff] [blame]1364
1365 curl = curl_easy_init();
1366 if (curl == NULL)
1367 return NULL;
1368
1369 curl_easy_setopt(curl, CURLOPT_URL, address);
1370 curl_easy_setopt(curl, CURLOPT_POST, 1L);
1371 if (ca_fname) {
1372 curl_easy_setopt(curl, CURLOPT_CAINFO, ca_fname);
1373 curl_easy_setopt(curl, CURLOPT_SSL_VERIFYPEER, 1L);
1374#ifdef EAP_TLS_OPENSSL
1375 curl_easy_setopt(curl, CURLOPT_SSL_CTX_FUNCTION, curl_cb_ssl);
1376 curl_easy_setopt(curl, CURLOPT_SSL_CTX_DATA, ctx);
Hai Shalom74f70d42019-02-11 14:42:39 -0800[diff] [blame]1377#if defined(OPENSSL_IS_BORINGSSL) || (OPENSSL_VERSION_NUMBER >= 0x10100000L)
Dmitry Shmidtd7ff03d2015-12-04 14:49:35 -0800[diff] [blame]1378 /* For now, using the CURLOPT_SSL_VERIFYSTATUS option only
1379 * with BoringSSL since the OpenSSL specific callback hack to
1380 * enable OCSP is not available with BoringSSL. The OCSP
1381 * implementation within libcurl is not sufficient for the
1382 * Hotspot 2.0 OSU needs, so cannot use this with OpenSSL.
1383 */
1384 if (ctx->ocsp != NO_OCSP)
1385 curl_easy_setopt(curl, CURLOPT_SSL_VERIFYSTATUS, 1L);
1386#endif /* OPENSSL_IS_BORINGSSL */
Dmitry Shmidtd5dc24e2014-03-12 14:22:04 -0700[diff] [blame]1387#endif /* EAP_TLS_OPENSSL */
1388 } else {
1389 curl_easy_setopt(curl, CURLOPT_SSL_VERIFYPEER, 0L);
1390 }
1391 if (client_cert && client_key) {
1392 curl_easy_setopt(curl, CURLOPT_SSLCERT, client_cert);
1393 curl_easy_setopt(curl, CURLOPT_SSLKEY, client_key);
1394 }
1395 /* TODO: use curl_easy_getinfo() with CURLINFO_CERTINFO to fetch
1396 * information about the server certificate */
1397 curl_easy_setopt(curl, CURLOPT_CERTINFO, 1L);
1398 curl_easy_setopt(curl, CURLOPT_DEBUGFUNCTION, curl_cb_debug);
1399 curl_easy_setopt(curl, CURLOPT_DEBUGDATA, ctx);
Dmitry Shmidtd5dc24e2014-03-12 14:22:04 -0700[diff] [blame]1400 curl_easy_setopt(curl, CURLOPT_WRITEFUNCTION, curl_cb_write);
1401 curl_easy_setopt(curl, CURLOPT_WRITEDATA, ctx);
1402 curl_easy_setopt(curl, CURLOPT_VERBOSE, 1L);
1403 if (username) {
1404 curl_easy_setopt(curl, CURLOPT_HTTPAUTH, CURLAUTH_ANYSAFE);
1405 curl_easy_setopt(curl, CURLOPT_USERNAME, username);
1406 curl_easy_setopt(curl, CURLOPT_PASSWORD, password);
1407 }
1408
1409 return curl;
1410}
1411
1412
1413static int post_init_client(struct http_ctx *ctx, const char *address,
1414 const char *ca_fname, const char *username,
1415 const char *password, const char *client_cert,
1416 const char *client_key)
1417{
1418 char *pos;
1419 int count;
1420
1421 clone_str(&ctx->svc_address, address);
1422 clone_str(&ctx->svc_ca_fname, ca_fname);
1423 clone_str(&ctx->svc_username, username);
1424 clone_str(&ctx->svc_password, password);
1425 clone_str(&ctx->svc_client_cert, client_cert);
1426 clone_str(&ctx->svc_client_key, client_key);
1427
1428 /*
1429 * Workaround for Apache "Hostname 'FOO' provided via SNI and hostname
1430 * 'foo' provided via HTTP are different.
1431 */
1432 for (count = 0, pos = ctx->svc_address; count < 3 && pos && *pos;
1433 pos++) {
1434 if (*pos == '/')
1435 count++;
1436 *pos = tolower(*pos);
1437 }
1438
1439 ctx->curl = setup_curl_post(ctx, ctx->svc_address, ca_fname, username,
1440 password, client_cert, client_key);
1441 if (ctx->curl == NULL)
1442 return -1;
1443
1444 return 0;
1445}
1446
1447
1448int soap_init_client(struct http_ctx *ctx, const char *address,
1449 const char *ca_fname, const char *username,
1450 const char *password, const char *client_cert,
1451 const char *client_key)
1452{
1453 if (post_init_client(ctx, address, ca_fname, username, password,
1454 client_cert, client_key) < 0)
1455 return -1;
1456
1457 ctx->curl_hdr = curl_slist_append(ctx->curl_hdr,
1458 "Content-Type: application/soap+xml");
1459 ctx->curl_hdr = curl_slist_append(ctx->curl_hdr, "SOAPAction: ");
1460 ctx->curl_hdr = curl_slist_append(ctx->curl_hdr, "Expect:");
1461 curl_easy_setopt(ctx->curl, CURLOPT_HTTPHEADER, ctx->curl_hdr);
1462
1463 return 0;
1464}
1465
1466
1467int soap_reinit_client(struct http_ctx *ctx)
1468{
1469 char *address = NULL;
1470 char *ca_fname = NULL;
1471 char *username = NULL;
1472 char *password = NULL;
1473 char *client_cert = NULL;
1474 char *client_key = NULL;
1475 int ret;
1476
1477 clear_curl(ctx);
1478
1479 clone_str(&address, ctx->svc_address);
1480 clone_str(&ca_fname, ctx->svc_ca_fname);
1481 clone_str(&username, ctx->svc_username);
1482 clone_str(&password, ctx->svc_password);
1483 clone_str(&client_cert, ctx->svc_client_cert);
1484 clone_str(&client_key, ctx->svc_client_key);
1485
1486 ret = soap_init_client(ctx, address, ca_fname, username, password,
1487 client_cert, client_key);
1488 os_free(address);
1489 os_free(ca_fname);
Dmitry Shmidtc2817022014-07-02 10:32:10 -0700[diff] [blame]1490 str_clear_free(username);
1491 str_clear_free(password);
Dmitry Shmidtd5dc24e2014-03-12 14:22:04 -0700[diff] [blame]1492 os_free(client_cert);
1493 os_free(client_key);
1494 return ret;
1495}
1496
1497
1498static void free_curl_buf(struct http_ctx *ctx)
1499{
1500 os_free(ctx->curl_buf);
1501 ctx->curl_buf = NULL;
1502 ctx->curl_buf_len = 0;
1503}
1504
1505
1506xml_node_t * soap_send_receive(struct http_ctx *ctx, xml_node_t *node)
1507{
1508 char *str;
1509 xml_node_t *envelope, *ret, *resp, *n;
1510 CURLcode res;
1511 long http = 0;
1512
1513 ctx->last_err = NULL;
1514
1515 wpa_printf(MSG_DEBUG, "SOAP: Sending message");
1516 envelope = soap_build_envelope(ctx->xml, node);
1517 str = xml_node_to_str(ctx->xml, envelope);
1518 xml_node_free(ctx->xml, envelope);
1519 wpa_printf(MSG_MSGDUMP, "SOAP[%s]", str);
1520
1521 curl_easy_setopt(ctx->curl, CURLOPT_POSTFIELDS, str);
1522 free_curl_buf(ctx);
1523
1524 res = curl_easy_perform(ctx->curl);
1525 if (res != CURLE_OK) {
1526 if (!ctx->last_err)
1527 ctx->last_err = curl_easy_strerror(res);
1528 wpa_printf(MSG_ERROR, "curl_easy_perform() failed: %s",
1529 ctx->last_err);
1530 os_free(str);
1531 free_curl_buf(ctx);
1532 return NULL;
1533 }
1534 os_free(str);
1535
1536 curl_easy_getinfo(ctx->curl, CURLINFO_RESPONSE_CODE, &http);
1537 wpa_printf(MSG_DEBUG, "SOAP: Server response code %ld", http);
1538 if (http != 200) {
1539 ctx->last_err = "HTTP download failed";
1540 wpa_printf(MSG_INFO, "HTTP download failed - code %ld", http);
1541 free_curl_buf(ctx);
1542 return NULL;
1543 }
1544
1545 if (ctx->curl_buf == NULL)
1546 return NULL;
1547
1548 wpa_printf(MSG_MSGDUMP, "Server response:\n%s", ctx->curl_buf);
1549 resp = xml_node_from_buf(ctx->xml, ctx->curl_buf);
1550 free_curl_buf(ctx);
1551 if (resp == NULL) {
1552 wpa_printf(MSG_INFO, "Could not parse SOAP response");
1553 ctx->last_err = "Could not parse SOAP response";
1554 return NULL;
1555 }
1556
1557 ret = soap_get_body(ctx->xml, resp);
1558 if (ret == NULL) {
1559 wpa_printf(MSG_INFO, "Could not get SOAP body");
1560 ctx->last_err = "Could not get SOAP body";
1561 return NULL;
1562 }
1563
1564 wpa_printf(MSG_DEBUG, "SOAP body localname: '%s'",
1565 xml_node_get_localname(ctx->xml, ret));
1566 n = xml_node_copy(ctx->xml, ret);
1567 xml_node_free(ctx->xml, resp);
1568
1569 return n;
1570}
1571
1572
1573struct http_ctx * http_init_ctx(void *upper_ctx, struct xml_node_ctx *xml_ctx)
1574{
1575 struct http_ctx *ctx;
1576
1577 ctx = os_zalloc(sizeof(*ctx));
1578 if (ctx == NULL)
1579 return NULL;
1580 ctx->ctx = upper_ctx;
1581 ctx->xml = xml_ctx;
1582 ctx->ocsp = OPTIONAL_OCSP;
1583
1584 curl_global_init(CURL_GLOBAL_ALL);
1585
1586 return ctx;
1587}
1588
1589
1590void http_ocsp_set(struct http_ctx *ctx, int val)
1591{
1592 if (val == 0)
1593 ctx->ocsp = NO_OCSP;
1594 else if (val == 1)
1595 ctx->ocsp = OPTIONAL_OCSP;
1596 if (val == 2)
1597 ctx->ocsp = MANDATORY_OCSP;
1598}
1599
1600
1601void http_deinit_ctx(struct http_ctx *ctx)
1602{
1603 clear_curl(ctx);
1604 os_free(ctx->curl_buf);
1605 curl_global_cleanup();
1606
1607 os_free(ctx->svc_address);
1608 os_free(ctx->svc_ca_fname);
Dmitry Shmidtc2817022014-07-02 10:32:10 -0700[diff] [blame]1609 str_clear_free(ctx->svc_username);
1610 str_clear_free(ctx->svc_password);
Dmitry Shmidtd5dc24e2014-03-12 14:22:04 -0700[diff] [blame]1611 os_free(ctx->svc_client_cert);
1612 os_free(ctx->svc_client_key);
1613
1614 os_free(ctx);
1615}
1616
1617
1618int http_download_file(struct http_ctx *ctx, const char *url,
1619 const char *fname, const char *ca_fname)
1620{
1621 CURL *curl;
Sunil Ravi59fa4b42022-05-02 22:54:18 -0700[diff] [blame^]1622 FILE *f = NULL;
Dmitry Shmidtd5dc24e2014-03-12 14:22:04 -0700[diff] [blame]1623 CURLcode res;
1624 long http = 0;
Sunil Ravi59fa4b42022-05-02 22:54:18 -0700[diff] [blame^]1625 int ret = -1;
Dmitry Shmidtd5dc24e2014-03-12 14:22:04 -0700[diff] [blame]1626
1627 ctx->last_err = NULL;
Sunil Ravi59fa4b42022-05-02 22:54:18 -0700[diff] [blame^]1628 ctx->url = url;
Dmitry Shmidtd5dc24e2014-03-12 14:22:04 -0700[diff] [blame]1629
1630 wpa_printf(MSG_DEBUG, "curl: Download file from %s to %s (ca=%s)",
1631 url, fname, ca_fname);
1632 curl = curl_easy_init();
1633 if (curl == NULL)
Sunil Ravi59fa4b42022-05-02 22:54:18 -0700[diff] [blame^]1634 goto fail;
Dmitry Shmidtd5dc24e2014-03-12 14:22:04 -0700[diff] [blame]1635
1636 f = fopen(fname, "wb");
Sunil Ravi59fa4b42022-05-02 22:54:18 -0700[diff] [blame^]1637 if (!f)
1638 goto fail;
Dmitry Shmidtd5dc24e2014-03-12 14:22:04 -0700[diff] [blame]1639
1640 curl_easy_setopt(curl, CURLOPT_URL, url);
1641 if (ca_fname) {
1642 curl_easy_setopt(curl, CURLOPT_CAINFO, ca_fname);
1643 curl_easy_setopt(curl, CURLOPT_SSL_VERIFYPEER, 1L);
1644 curl_easy_setopt(curl, CURLOPT_CERTINFO, 1L);
1645 } else {
1646 curl_easy_setopt(curl, CURLOPT_SSL_VERIFYPEER, 0L);
1647 }
1648 curl_easy_setopt(curl, CURLOPT_DEBUGFUNCTION, curl_cb_debug);
1649 curl_easy_setopt(curl, CURLOPT_DEBUGDATA, ctx);
Dmitry Shmidtd5dc24e2014-03-12 14:22:04 -0700[diff] [blame]1650 curl_easy_setopt(curl, CURLOPT_WRITEFUNCTION, fwrite);
1651 curl_easy_setopt(curl, CURLOPT_WRITEDATA, f);
1652 curl_easy_setopt(curl, CURLOPT_VERBOSE, 1L);
1653
1654 res = curl_easy_perform(curl);
1655 if (res != CURLE_OK) {
1656 if (!ctx->last_err)
1657 ctx->last_err = curl_easy_strerror(res);
1658 wpa_printf(MSG_ERROR, "curl_easy_perform() failed: %s",
1659 ctx->last_err);
Sunil Ravi59fa4b42022-05-02 22:54:18 -0700[diff] [blame^]1660 goto fail;
Dmitry Shmidtd5dc24e2014-03-12 14:22:04 -0700[diff] [blame]1661 }
1662
1663 curl_easy_getinfo(curl, CURLINFO_RESPONSE_CODE, &http);
1664 wpa_printf(MSG_DEBUG, "curl: Server response code %ld", http);
1665 if (http != 200) {
1666 ctx->last_err = "HTTP download failed";
1667 wpa_printf(MSG_INFO, "HTTP download failed - code %ld", http);
Sunil Ravi59fa4b42022-05-02 22:54:18 -0700[diff] [blame^]1668 goto fail;
Dmitry Shmidtd5dc24e2014-03-12 14:22:04 -0700[diff] [blame]1669 }
1670
Sunil Ravi59fa4b42022-05-02 22:54:18 -0700[diff] [blame^]1671 ret = 0;
Dmitry Shmidtd5dc24e2014-03-12 14:22:04 -0700[diff] [blame]1672
Sunil Ravi59fa4b42022-05-02 22:54:18 -0700[diff] [blame^]1673fail:
1674 ctx->url = NULL;
1675 if (curl)
1676 curl_easy_cleanup(curl);
1677 if (f)
1678 fclose(f);
1679
1680 return ret;
Dmitry Shmidtd5dc24e2014-03-12 14:22:04 -0700[diff] [blame]1681}
1682
1683
1684char * http_post(struct http_ctx *ctx, const char *url, const char *data,
1685 const char *content_type, const char *ext_hdr,
1686 const char *ca_fname,
1687 const char *username, const char *password,
1688 const char *client_cert, const char *client_key,
1689 size_t *resp_len)
1690{
1691 long http = 0;
1692 CURLcode res;
Sunil Ravi59fa4b42022-05-02 22:54:18 -0700[diff] [blame^]1693 char *ret = NULL;
Dmitry Shmidtd5dc24e2014-03-12 14:22:04 -0700[diff] [blame]1694 CURL *curl;
1695 struct curl_slist *curl_hdr = NULL;
1696
1697 ctx->last_err = NULL;
Sunil Ravi59fa4b42022-05-02 22:54:18 -0700[diff] [blame^]1698 ctx->url = url;
Dmitry Shmidtd5dc24e2014-03-12 14:22:04 -0700[diff] [blame]1699 wpa_printf(MSG_DEBUG, "curl: HTTP POST to %s", url);
1700 curl = setup_curl_post(ctx, url, ca_fname, username, password,
1701 client_cert, client_key);
1702 if (curl == NULL)
Sunil Ravi59fa4b42022-05-02 22:54:18 -0700[diff] [blame^]1703 goto fail;
Dmitry Shmidtd5dc24e2014-03-12 14:22:04 -0700[diff] [blame]1704
1705 if (content_type) {
1706 char ct[200];
1707 snprintf(ct, sizeof(ct), "Content-Type: %s", content_type);
1708 curl_hdr = curl_slist_append(curl_hdr, ct);
1709 }
1710 if (ext_hdr)
1711 curl_hdr = curl_slist_append(curl_hdr, ext_hdr);
1712 curl_easy_setopt(curl, CURLOPT_HTTPHEADER, curl_hdr);
1713
1714 curl_easy_setopt(curl, CURLOPT_POSTFIELDS, data);
1715 free_curl_buf(ctx);
1716
1717 res = curl_easy_perform(curl);
1718 if (res != CURLE_OK) {
1719 if (!ctx->last_err)
1720 ctx->last_err = curl_easy_strerror(res);
1721 wpa_printf(MSG_ERROR, "curl_easy_perform() failed: %s",
1722 ctx->last_err);
Sunil Ravi59fa4b42022-05-02 22:54:18 -0700[diff] [blame^]1723 goto fail;
Dmitry Shmidtd5dc24e2014-03-12 14:22:04 -0700[diff] [blame]1724 }
1725
1726 curl_easy_getinfo(curl, CURLINFO_RESPONSE_CODE, &http);
1727 wpa_printf(MSG_DEBUG, "curl: Server response code %ld", http);
1728 if (http != 200) {
1729 ctx->last_err = "HTTP POST failed";
1730 wpa_printf(MSG_INFO, "HTTP POST failed - code %ld", http);
Sunil Ravi59fa4b42022-05-02 22:54:18 -0700[diff] [blame^]1731 goto fail;
Dmitry Shmidtd5dc24e2014-03-12 14:22:04 -0700[diff] [blame]1732 }
1733
1734 if (ctx->curl_buf == NULL)
Sunil Ravi59fa4b42022-05-02 22:54:18 -0700[diff] [blame^]1735 goto fail;
Dmitry Shmidtd5dc24e2014-03-12 14:22:04 -0700[diff] [blame]1736
1737 ret = ctx->curl_buf;
1738 if (resp_len)
1739 *resp_len = ctx->curl_buf_len;
1740 ctx->curl_buf = NULL;
1741 ctx->curl_buf_len = 0;
1742
1743 wpa_printf(MSG_MSGDUMP, "Server response:\n%s", ret);
1744
Sunil Ravi59fa4b42022-05-02 22:54:18 -0700[diff] [blame^]1745fail:
1746 free_curl_buf(ctx);
1747 ctx->url = NULL;
Dmitry Shmidtd5dc24e2014-03-12 14:22:04 -0700[diff] [blame]1748 return ret;
1749}
1750
1751
1752void http_set_cert_cb(struct http_ctx *ctx,
1753 int (*cb)(void *ctx, struct http_cert *cert),
1754 void *cb_ctx)
1755{
1756 ctx->cert_cb = cb;
1757 ctx->cert_cb_ctx = cb_ctx;
1758}
1759
1760
1761const char * http_get_err(struct http_ctx *ctx)
1762{
1763 return ctx->last_err;
1764}