Gitiles
Code Review Sign In
gerrit.omnirom.org / android_external_wpa_supplicant_8 / 1d6bf427f4769edb60865a3999d01eeb8f8fcb19 / . / src / utils / http_curl.c
blob: 9c49680c1dd84cfc77fd011cc4df08b8a7c330b4 [file] [log] [blame]
Dmitry Shmidtd5dc24e2014-03-12 14:22:04 -0700[diff] [blame]1/*
2 * HTTP wrapper for libcurl
Dmitry Shmidt6cb1f652014-03-21 10:54:03 -0700[diff] [blame]3 * Copyright (c) 2012-2014, Qualcomm Atheros, Inc.
Dmitry Shmidtd5dc24e2014-03-12 14:22:04 -0700[diff] [blame]4 *
5 * This software may be distributed under the terms of the BSD license.
6 * See README for more details.
7 */
8
9#include "includes.h"
10#include <curl/curl.h>
11#ifdef EAP_TLS_OPENSSL
12#include <openssl/ssl.h>
13#include <openssl/asn1.h>
14#include <openssl/asn1t.h>
15#include <openssl/x509v3.h>
16
17#ifdef SSL_set_tlsext_status_type
18#ifndef OPENSSL_NO_TLSEXT
19#define HAVE_OCSP
20#include <openssl/err.h>
21#include <openssl/ocsp.h>
22#endif /* OPENSSL_NO_TLSEXT */
23#endif /* SSL_set_tlsext_status_type */
24#endif /* EAP_TLS_OPENSSL */
25
26#include "common.h"
27#include "xml-utils.h"
28#include "http-utils.h"
Dmitry Shmidtd7ff03d2015-12-04 14:49:35 -0800[diff] [blame]29#ifdef EAP_TLS_OPENSSL
30#include "crypto/tls_openssl.h"
31#endif /* EAP_TLS_OPENSSL */
Dmitry Shmidtd5dc24e2014-03-12 14:22:04 -0700[diff] [blame]32
33
34struct http_ctx {
35 void *ctx;
36 struct xml_node_ctx *xml;
37 CURL *curl;
38 struct curl_slist *curl_hdr;
39 char *svc_address;
40 char *svc_ca_fname;
41 char *svc_username;
42 char *svc_password;
43 char *svc_client_cert;
44 char *svc_client_key;
45 char *curl_buf;
46 size_t curl_buf_len;
47
48 int (*cert_cb)(void *ctx, struct http_cert *cert);
49 void *cert_cb_ctx;
50
51 enum {
52 NO_OCSP, OPTIONAL_OCSP, MANDATORY_OCSP
53 } ocsp;
54 X509 *peer_cert;
55 X509 *peer_issuer;
56 X509 *peer_issuer_issuer;
57
58 const char *last_err;
59};
60
61
62static void clear_curl(struct http_ctx *ctx)
63{
64 if (ctx->curl) {
65 curl_easy_cleanup(ctx->curl);
66 ctx->curl = NULL;
67 }
68 if (ctx->curl_hdr) {
69 curl_slist_free_all(ctx->curl_hdr);
70 ctx->curl_hdr = NULL;
71 }
72}
73
74
75static void clone_str(char **dst, const char *src)
76{
77 os_free(*dst);
78 if (src)
79 *dst = os_strdup(src);
80 else
81 *dst = NULL;
82}
83
84
85static void debug_dump(struct http_ctx *ctx, const char *title,
86 const char *buf, size_t len)
87{
Dmitry Shmidt6cb1f652014-03-21 10:54:03 -0700[diff] [blame]88 char *txt;
89 size_t i;
90
91 for (i = 0; i < len; i++) {
92 if (buf[i] < 32 && buf[i] != '\t' && buf[i] != '\n' &&
93 buf[i] != '\r') {
94 wpa_hexdump_ascii(MSG_MSGDUMP, title, buf, len);
95 return;
96 }
97 }
98
99 txt = os_malloc(len + 1);
Dmitry Shmidtd5dc24e2014-03-12 14:22:04 -0700[diff] [blame]100 if (txt == NULL)
101 return;
102 os_memcpy(txt, buf, len);
103 txt[len] = '\0';
104 while (len > 0) {
105 len--;
Dmitry Shmidt6cb1f652014-03-21 10:54:03 -0700[diff] [blame]106 if (txt[len] == '\n' || txt[len] == '\r')
107 txt[len] = '\0';
108 else
109 break;
Dmitry Shmidtd5dc24e2014-03-12 14:22:04 -0700[diff] [blame]110 }
111 wpa_printf(MSG_MSGDUMP, "%s[%s]", title, txt);
112 os_free(txt);
113}
114
115
116static int curl_cb_debug(CURL *curl, curl_infotype info, char *buf, size_t len,
117 void *userdata)
118{
119 struct http_ctx *ctx = userdata;
120 switch (info) {
121 case CURLINFO_TEXT:
122 debug_dump(ctx, "CURLINFO_TEXT", buf, len);
123 break;
124 case CURLINFO_HEADER_IN:
125 debug_dump(ctx, "CURLINFO_HEADER_IN", buf, len);
126 break;
127 case CURLINFO_HEADER_OUT:
128 debug_dump(ctx, "CURLINFO_HEADER_OUT", buf, len);
129 break;
130 case CURLINFO_DATA_IN:
131 debug_dump(ctx, "CURLINFO_DATA_IN", buf, len);
132 break;
133 case CURLINFO_DATA_OUT:
134 debug_dump(ctx, "CURLINFO_DATA_OUT", buf, len);
135 break;
136 case CURLINFO_SSL_DATA_IN:
137 wpa_printf(MSG_DEBUG, "debug - CURLINFO_SSL_DATA_IN - %d",
138 (int) len);
139 break;
140 case CURLINFO_SSL_DATA_OUT:
141 wpa_printf(MSG_DEBUG, "debug - CURLINFO_SSL_DATA_OUT - %d",
142 (int) len);
143 break;
144 case CURLINFO_END:
145 wpa_printf(MSG_DEBUG, "debug - CURLINFO_END - %d",
146 (int) len);
147 break;
148 }
149 return 0;
150}
151
152
Dmitry Shmidtd5dc24e2014-03-12 14:22:04 -0700[diff] [blame]153static size_t curl_cb_write(void *ptr, size_t size, size_t nmemb,
154 void *userdata)
155{
156 struct http_ctx *ctx = userdata;
157 char *n;
Dmitry Shmidtd5dc24e2014-03-12 14:22:04 -0700[diff] [blame]158 n = os_realloc(ctx->curl_buf, ctx->curl_buf_len + size * nmemb + 1);
159 if (n == NULL)
160 return 0;
161 ctx->curl_buf = n;
162 os_memcpy(n + ctx->curl_buf_len, ptr, size * nmemb);
163 n[ctx->curl_buf_len + size * nmemb] = '\0';
164 ctx->curl_buf_len += size * nmemb;
165 return size * nmemb;
166}
167
168
169#ifdef EAP_TLS_OPENSSL
170
171static void debug_dump_cert(const char *title, X509 *cert)
172{
173 BIO *out;
174 char *txt;
175 size_t rlen;
176
177 out = BIO_new(BIO_s_mem());
178 if (!out)
179 return;
180
181 X509_print_ex(out, cert, XN_FLAG_COMPAT, X509_FLAG_COMPAT);
182 rlen = BIO_ctrl_pending(out);
183 txt = os_malloc(rlen + 1);
184 if (txt) {
185 int res = BIO_read(out, txt, rlen);
186 if (res > 0) {
187 txt[res] = '\0';
188 wpa_printf(MSG_MSGDUMP, "%s:\n%s", title, txt);
189 }
190 os_free(txt);
191 }
192 BIO_free(out);
193}
194
195
196static void add_alt_name_othername(struct http_ctx *ctx, struct http_cert *cert,
197 OTHERNAME *o)
198{
199 char txt[100];
200 int res;
201 struct http_othername *on;
202 ASN1_TYPE *val;
203
204 on = os_realloc_array(cert->othername, cert->num_othername + 1,
205 sizeof(struct http_othername));
206 if (on == NULL)
207 return;
208 cert->othername = on;
209 on = &on[cert->num_othername];
210 os_memset(on, 0, sizeof(*on));
211
212 res = OBJ_obj2txt(txt, sizeof(txt), o->type_id, 1);
213 if (res < 0 || res >= (int) sizeof(txt))
214 return;
215
216 on->oid = os_strdup(txt);
217 if (on->oid == NULL)
218 return;
219
220 val = o->value;
221 on->data = val->value.octet_string->data;
222 on->len = val->value.octet_string->length;
223
224 cert->num_othername++;
225}
226
227
228static void add_alt_name_dns(struct http_ctx *ctx, struct http_cert *cert,
229 ASN1_STRING *name)
230{
231 char *buf;
232 char **n;
233
234 buf = NULL;
235 if (ASN1_STRING_to_UTF8((unsigned char **) &buf, name) < 0)
236 return;
237
238 n = os_realloc_array(cert->dnsname, cert->num_dnsname + 1,
239 sizeof(char *));
240 if (n == NULL)
241 return;
242
243 cert->dnsname = n;
244 n[cert->num_dnsname] = buf;
245 cert->num_dnsname++;
246}
247
248
249static void add_alt_name(struct http_ctx *ctx, struct http_cert *cert,
250 const GENERAL_NAME *name)
251{
252 switch (name->type) {
253 case GEN_OTHERNAME:
254 add_alt_name_othername(ctx, cert, name->d.otherName);
255 break;
256 case GEN_DNS:
257 add_alt_name_dns(ctx, cert, name->d.dNSName);
258 break;
259 }
260}
261
262
263static void add_alt_names(struct http_ctx *ctx, struct http_cert *cert,
264 GENERAL_NAMES *names)
265{
266 int num, i;
267
268 num = sk_GENERAL_NAME_num(names);
269 for (i = 0; i < num; i++) {
270 const GENERAL_NAME *name;
271 name = sk_GENERAL_NAME_value(names, i);
272 add_alt_name(ctx, cert, name);
273 }
274}
275
276
277/* RFC 3709 */
278
279typedef struct {
280 X509_ALGOR *hashAlg;
281 ASN1_OCTET_STRING *hashValue;
282} HashAlgAndValue;
283
284typedef struct {
285 STACK_OF(HashAlgAndValue) *refStructHash;
286 STACK_OF(ASN1_IA5STRING) *refStructURI;
287} LogotypeReference;
288
289typedef struct {
290 ASN1_IA5STRING *mediaType;
291 STACK_OF(HashAlgAndValue) *logotypeHash;
292 STACK_OF(ASN1_IA5STRING) *logotypeURI;
293} LogotypeDetails;
294
295typedef struct {
296 int type;
297 union {
298 ASN1_INTEGER *numBits;
299 ASN1_INTEGER *tableSize;
300 } d;
301} LogotypeImageResolution;
302
303typedef struct {
304 ASN1_INTEGER *type; /* LogotypeImageType ::= INTEGER */
305 ASN1_INTEGER *fileSize;
306 ASN1_INTEGER *xSize;
307 ASN1_INTEGER *ySize;
308 LogotypeImageResolution *resolution;
309 ASN1_IA5STRING *language;
310} LogotypeImageInfo;
311
312typedef struct {
313 LogotypeDetails *imageDetails;
314 LogotypeImageInfo *imageInfo;
315} LogotypeImage;
316
317typedef struct {
318 ASN1_INTEGER *fileSize;
319 ASN1_INTEGER *playTime;
320 ASN1_INTEGER *channels;
321 ASN1_INTEGER *sampleRate;
322 ASN1_IA5STRING *language;
323} LogotypeAudioInfo;
324
325typedef struct {
326 LogotypeDetails *audioDetails;
327 LogotypeAudioInfo *audioInfo;
328} LogotypeAudio;
329
330typedef struct {
331 STACK_OF(LogotypeImage) *image;
332 STACK_OF(LogotypeAudio) *audio;
333} LogotypeData;
334
335typedef struct {
336 int type;
337 union {
338 LogotypeData *direct;
339 LogotypeReference *indirect;
340 } d;
341} LogotypeInfo;
342
343typedef struct {
344 ASN1_OBJECT *logotypeType;
345 LogotypeInfo *info;
346} OtherLogotypeInfo;
347
348typedef struct {
349 STACK_OF(LogotypeInfo) *communityLogos;
350 LogotypeInfo *issuerLogo;
351 LogotypeInfo *subjectLogo;
352 STACK_OF(OtherLogotypeInfo) *otherLogos;
353} LogotypeExtn;
354
355ASN1_SEQUENCE(HashAlgAndValue) = {
356 ASN1_SIMPLE(HashAlgAndValue, hashAlg, X509_ALGOR),
357 ASN1_SIMPLE(HashAlgAndValue, hashValue, ASN1_OCTET_STRING)
358} ASN1_SEQUENCE_END(HashAlgAndValue);
359
360ASN1_SEQUENCE(LogotypeReference) = {
361 ASN1_SEQUENCE_OF(LogotypeReference, refStructHash, HashAlgAndValue),
362 ASN1_SEQUENCE_OF(LogotypeReference, refStructURI, ASN1_IA5STRING)
363} ASN1_SEQUENCE_END(LogotypeReference);
364
365ASN1_SEQUENCE(LogotypeDetails) = {
366 ASN1_SIMPLE(LogotypeDetails, mediaType, ASN1_IA5STRING),
367 ASN1_SEQUENCE_OF(LogotypeDetails, logotypeHash, HashAlgAndValue),
368 ASN1_SEQUENCE_OF(LogotypeDetails, logotypeURI, ASN1_IA5STRING)
369} ASN1_SEQUENCE_END(LogotypeDetails);
370
371ASN1_CHOICE(LogotypeImageResolution) = {
372 ASN1_IMP(LogotypeImageResolution, d.numBits, ASN1_INTEGER, 1),
373 ASN1_IMP(LogotypeImageResolution, d.tableSize, ASN1_INTEGER, 2)
374} ASN1_CHOICE_END(LogotypeImageResolution);
375
376ASN1_SEQUENCE(LogotypeImageInfo) = {
377 ASN1_IMP_OPT(LogotypeImageInfo, type, ASN1_INTEGER, 0),
378 ASN1_SIMPLE(LogotypeImageInfo, fileSize, ASN1_INTEGER),
379 ASN1_SIMPLE(LogotypeImageInfo, xSize, ASN1_INTEGER),
380 ASN1_SIMPLE(LogotypeImageInfo, ySize, ASN1_INTEGER),
381 ASN1_OPT(LogotypeImageInfo, resolution, LogotypeImageResolution),
382 ASN1_IMP_OPT(LogotypeImageInfo, language, ASN1_IA5STRING, 4),
383} ASN1_SEQUENCE_END(LogotypeImageInfo);
384
385ASN1_SEQUENCE(LogotypeImage) = {
386 ASN1_SIMPLE(LogotypeImage, imageDetails, LogotypeDetails),
387 ASN1_OPT(LogotypeImage, imageInfo, LogotypeImageInfo)
388} ASN1_SEQUENCE_END(LogotypeImage);
389
390ASN1_SEQUENCE(LogotypeAudioInfo) = {
391 ASN1_SIMPLE(LogotypeAudioInfo, fileSize, ASN1_INTEGER),
392 ASN1_SIMPLE(LogotypeAudioInfo, playTime, ASN1_INTEGER),
393 ASN1_SIMPLE(LogotypeAudioInfo, channels, ASN1_INTEGER),
394 ASN1_IMP_OPT(LogotypeAudioInfo, sampleRate, ASN1_INTEGER, 3),
395 ASN1_IMP_OPT(LogotypeAudioInfo, language, ASN1_IA5STRING, 4)
396} ASN1_SEQUENCE_END(LogotypeAudioInfo);
397
398ASN1_SEQUENCE(LogotypeAudio) = {
399 ASN1_SIMPLE(LogotypeAudio, audioDetails, LogotypeDetails),
400 ASN1_OPT(LogotypeAudio, audioInfo, LogotypeAudioInfo)
401} ASN1_SEQUENCE_END(LogotypeAudio);
402
403ASN1_SEQUENCE(LogotypeData) = {
404 ASN1_SEQUENCE_OF_OPT(LogotypeData, image, LogotypeImage),
405 ASN1_IMP_SEQUENCE_OF_OPT(LogotypeData, audio, LogotypeAudio, 1)
406} ASN1_SEQUENCE_END(LogotypeData);
407
408ASN1_CHOICE(LogotypeInfo) = {
409 ASN1_IMP(LogotypeInfo, d.direct, LogotypeData, 0),
410 ASN1_IMP(LogotypeInfo, d.indirect, LogotypeReference, 1)
411} ASN1_CHOICE_END(LogotypeInfo);
412
413ASN1_SEQUENCE(OtherLogotypeInfo) = {
414 ASN1_SIMPLE(OtherLogotypeInfo, logotypeType, ASN1_OBJECT),
415 ASN1_SIMPLE(OtherLogotypeInfo, info, LogotypeInfo)
416} ASN1_SEQUENCE_END(OtherLogotypeInfo);
417
418ASN1_SEQUENCE(LogotypeExtn) = {
419 ASN1_EXP_SEQUENCE_OF_OPT(LogotypeExtn, communityLogos, LogotypeInfo, 0),
420 ASN1_EXP_OPT(LogotypeExtn, issuerLogo, LogotypeInfo, 1),
421 ASN1_EXP_OPT(LogotypeExtn, issuerLogo, LogotypeInfo, 2),
422 ASN1_EXP_SEQUENCE_OF_OPT(LogotypeExtn, otherLogos, OtherLogotypeInfo, 3)
423} ASN1_SEQUENCE_END(LogotypeExtn);
424
425IMPLEMENT_ASN1_FUNCTIONS(LogotypeExtn);
426
Dmitry Shmidtd80a4012015-11-05 16:35:40 -0800[diff] [blame]427#ifdef OPENSSL_IS_BORINGSSL
428#define sk_LogotypeInfo_num(st) \
429sk_num(CHECKED_CAST(_STACK *, STACK_OF(LogotypeInfo) *, (st)))
430#define sk_LogotypeInfo_value(st, i) (LogotypeInfo *) \
431sk_value(CHECKED_CAST(_STACK *, const STACK_OF(LogotypeInfo) *, (st)), (i))
432#define sk_LogotypeImage_num(st) \
433sk_num(CHECKED_CAST(_STACK *, STACK_OF(LogotypeImage) *, (st)))
434#define sk_LogotypeImage_value(st, i) (LogotypeImage *) \
435sk_value(CHECKED_CAST(_STACK *, const STACK_OF(LogotypeImage) *, (st)), (i))
436#define sk_LogotypeAudio_num(st) \
437sk_num(CHECKED_CAST(_STACK *, STACK_OF(LogotypeAudio) *, (st)))
438#define sk_LogotypeAudio_value(st, i) (LogotypeAudio *) \
439sk_value(CHECK_CAST(_STACK *, const STACK_OF(LogotypeAudio) *, (st)), (i))
440#define sk_HashAlgAndValue_num(st) \
441sk_num(CHECKED_CAST(_STACK *, STACK_OF(HashAlgAndValue) *, (st)))
442#define sk_HashAlgAndValue_value(st, i) (HashAlgAndValue *) \
443sk_value(CHECKED_CAST(_STACK *, const STACK_OF(HashAlgAndValue) *, (st)), (i))
444#define sk_ASN1_IA5STRING_num(st) \
445sk_num(CHECKED_CAST(_STACK *, STACK_OF(ASN1_IA5STRING) *, (st)))
446#define sk_ASN1_IA5STRING_value(st, i) (ASN1_IA5STRING *) \
447sk_value(CHECKED_CAST(_STACK *, const STACK_OF(ASN1_IA5STRING) *, (st)), (i))
448#else /* OPENSSL_IS_BORINGSSL */
Dmitry Shmidtd5dc24e2014-03-12 14:22:04 -0700[diff] [blame]449#define sk_LogotypeInfo_num(st) SKM_sk_num(LogotypeInfo, (st))
450#define sk_LogotypeInfo_value(st, i) SKM_sk_value(LogotypeInfo, (st), (i))
451#define sk_LogotypeImage_num(st) SKM_sk_num(LogotypeImage, (st))
452#define sk_LogotypeImage_value(st, i) SKM_sk_value(LogotypeImage, (st), (i))
453#define sk_LogotypeAudio_num(st) SKM_sk_num(LogotypeAudio, (st))
454#define sk_LogotypeAudio_value(st, i) SKM_sk_value(LogotypeAudio, (st), (i))
455#define sk_HashAlgAndValue_num(st) SKM_sk_num(HashAlgAndValue, (st))
456#define sk_HashAlgAndValue_value(st, i) SKM_sk_value(HashAlgAndValue, (st), (i))
457#define sk_ASN1_IA5STRING_num(st) SKM_sk_num(ASN1_IA5STRING, (st))
458#define sk_ASN1_IA5STRING_value(st, i) SKM_sk_value(ASN1_IA5STRING, (st), (i))
Dmitry Shmidtd80a4012015-11-05 16:35:40 -0800[diff] [blame]459#endif /* OPENSSL_IS_BORINGSSL */
Dmitry Shmidtd5dc24e2014-03-12 14:22:04 -0700[diff] [blame]460
461
462static void add_logo(struct http_ctx *ctx, struct http_cert *hcert,
463 HashAlgAndValue *hash, ASN1_IA5STRING *uri)
464{
465 char txt[100];
466 int res, len;
467 struct http_logo *n;
468
469 if (hash == NULL || uri == NULL)
470 return;
471
472 res = OBJ_obj2txt(txt, sizeof(txt), hash->hashAlg->algorithm, 1);
473 if (res < 0 || res >= (int) sizeof(txt))
474 return;
475
476 n = os_realloc_array(hcert->logo, hcert->num_logo + 1,
477 sizeof(struct http_logo));
478 if (n == NULL)
479 return;
480 hcert->logo = n;
481 n = &hcert->logo[hcert->num_logo];
482 os_memset(n, 0, sizeof(*n));
483
484 n->alg_oid = os_strdup(txt);
485 if (n->alg_oid == NULL)
486 return;
487
488 n->hash_len = ASN1_STRING_length(hash->hashValue);
489 n->hash = os_malloc(n->hash_len);
490 if (n->hash == NULL) {
491 os_free(n->alg_oid);
492 return;
493 }
494 os_memcpy(n->hash, ASN1_STRING_data(hash->hashValue), n->hash_len);
495
496 len = ASN1_STRING_length(uri);
497 n->uri = os_malloc(len + 1);
498 if (n->uri == NULL) {
499 os_free(n->alg_oid);
500 os_free(n->hash);
501 return;
502 }
503 os_memcpy(n->uri, ASN1_STRING_data(uri), len);
504 n->uri[len] = '\0';
505
506 hcert->num_logo++;
507}
508
509
510static void add_logo_direct(struct http_ctx *ctx, struct http_cert *hcert,
511 LogotypeData *data)
512{
513 int i, num;
514
515 if (data->image == NULL)
516 return;
517
518 num = sk_LogotypeImage_num(data->image);
519 for (i = 0; i < num; i++) {
520 LogotypeImage *image;
521 LogotypeDetails *details;
522 int j, hash_num, uri_num;
523 HashAlgAndValue *found_hash = NULL;
524
525 image = sk_LogotypeImage_value(data->image, i);
526 if (image == NULL)
527 continue;
528
529 details = image->imageDetails;
530 if (details == NULL)
531 continue;
532
533 hash_num = sk_HashAlgAndValue_num(details->logotypeHash);
534 for (j = 0; j < hash_num; j++) {
535 HashAlgAndValue *hash;
536 char txt[100];
537 int res;
538 hash = sk_HashAlgAndValue_value(details->logotypeHash,
539 j);
540 if (hash == NULL)
541 continue;
542 res = OBJ_obj2txt(txt, sizeof(txt),
543 hash->hashAlg->algorithm, 1);
544 if (res < 0 || res >= (int) sizeof(txt))
545 continue;
546 if (os_strcmp(txt, "2.16.840.1.101.3.4.2.1") == 0) {
547 found_hash = hash;
548 break;
549 }
550 }
551
552 if (!found_hash) {
553 wpa_printf(MSG_DEBUG, "OpenSSL: No SHA256 hash found for the logo");
554 continue;
555 }
556
557 uri_num = sk_ASN1_IA5STRING_num(details->logotypeURI);
558 for (j = 0; j < uri_num; j++) {
559 ASN1_IA5STRING *uri;
560 uri = sk_ASN1_IA5STRING_value(details->logotypeURI, j);
561 add_logo(ctx, hcert, found_hash, uri);
562 }
563 }
564}
565
566
567static void add_logo_indirect(struct http_ctx *ctx, struct http_cert *hcert,
568 LogotypeReference *ref)
569{
570 int j, hash_num, uri_num;
571
572 hash_num = sk_HashAlgAndValue_num(ref->refStructHash);
573 uri_num = sk_ASN1_IA5STRING_num(ref->refStructURI);
574 if (hash_num != uri_num) {
575 wpa_printf(MSG_INFO, "Unexpected LogotypeReference array size difference %d != %d",
576 hash_num, uri_num);
577 return;
578 }
579
580 for (j = 0; j < hash_num; j++) {
581 HashAlgAndValue *hash;
582 ASN1_IA5STRING *uri;
583 hash = sk_HashAlgAndValue_value(ref->refStructHash, j);
584 uri = sk_ASN1_IA5STRING_value(ref->refStructURI, j);
585 add_logo(ctx, hcert, hash, uri);
586 }
587}
588
589
590static void i2r_HashAlgAndValue(HashAlgAndValue *hash, BIO *out, int indent)
591{
592 int i;
593 const unsigned char *data;
594
595 BIO_printf(out, "%*shashAlg: ", indent, "");
596 i2a_ASN1_OBJECT(out, hash->hashAlg->algorithm);
597 BIO_printf(out, "\n");
598
599 BIO_printf(out, "%*shashValue: ", indent, "");
600 data = hash->hashValue->data;
601 for (i = 0; i < hash->hashValue->length; i++)
602 BIO_printf(out, "%s%02x", i > 0 ? ":" : "", data[i]);
603 BIO_printf(out, "\n");
604}
605
606static void i2r_LogotypeDetails(LogotypeDetails *details, BIO *out, int indent)
607{
608 int i, num;
609
610 BIO_printf(out, "%*sLogotypeDetails\n", indent, "");
611 if (details->mediaType) {
612 BIO_printf(out, "%*smediaType: ", indent, "");
613 ASN1_STRING_print(out, details->mediaType);
614 BIO_printf(out, "\n");
615 }
616
617 num = details->logotypeHash ?
618 sk_HashAlgAndValue_num(details->logotypeHash) : 0;
619 for (i = 0; i < num; i++) {
620 HashAlgAndValue *hash;
621 hash = sk_HashAlgAndValue_value(details->logotypeHash, i);
622 i2r_HashAlgAndValue(hash, out, indent);
623 }
624
625 num = details->logotypeURI ?
626 sk_ASN1_IA5STRING_num(details->logotypeURI) : 0;
627 for (i = 0; i < num; i++) {
628 ASN1_IA5STRING *uri;
629 uri = sk_ASN1_IA5STRING_value(details->logotypeURI, i);
630 BIO_printf(out, "%*slogotypeURI: ", indent, "");
631 ASN1_STRING_print(out, uri);
632 BIO_printf(out, "\n");
633 }
634}
635
636static void i2r_LogotypeImageInfo(LogotypeImageInfo *info, BIO *out, int indent)
637{
638 long val;
639
640 BIO_printf(out, "%*sLogotypeImageInfo\n", indent, "");
641 if (info->type) {
642 val = ASN1_INTEGER_get(info->type);
643 BIO_printf(out, "%*stype: %ld\n", indent, "", val);
644 } else {
645 BIO_printf(out, "%*stype: default (1)\n", indent, "");
646 }
647 val = ASN1_INTEGER_get(info->xSize);
648 BIO_printf(out, "%*sxSize: %ld\n", indent, "", val);
649 val = ASN1_INTEGER_get(info->ySize);
650 BIO_printf(out, "%*sySize: %ld\n", indent, "", val);
651 if (info->resolution) {
652 BIO_printf(out, "%*sresolution\n", indent, "");
653 /* TODO */
654 }
655 if (info->language) {
656 BIO_printf(out, "%*slanguage: ", indent, "");
657 ASN1_STRING_print(out, info->language);
658 BIO_printf(out, "\n");
659 }
660}
661
662static void i2r_LogotypeImage(LogotypeImage *image, BIO *out, int indent)
663{
664 BIO_printf(out, "%*sLogotypeImage\n", indent, "");
665 if (image->imageDetails) {
666 i2r_LogotypeDetails(image->imageDetails, out, indent + 4);
667 }
668 if (image->imageInfo) {
669 i2r_LogotypeImageInfo(image->imageInfo, out, indent + 4);
670 }
671}
672
673static void i2r_LogotypeData(LogotypeData *data, const char *title, BIO *out,
674 int indent)
675{
676 int i, num;
677
678 BIO_printf(out, "%*s%s - LogotypeData\n", indent, "", title);
679
680 num = data->image ? sk_LogotypeImage_num(data->image) : 0;
681 for (i = 0; i < num; i++) {
682 LogotypeImage *image = sk_LogotypeImage_value(data->image, i);
683 i2r_LogotypeImage(image, out, indent + 4);
684 }
685
686 num = data->audio ? sk_LogotypeAudio_num(data->audio) : 0;
687 for (i = 0; i < num; i++) {
688 BIO_printf(out, "%*saudio: TODO\n", indent, "");
689 }
690}
691
692static void i2r_LogotypeReference(LogotypeReference *ref, const char *title,
693 BIO *out, int indent)
694{
695 int i, hash_num, uri_num;
696
697 BIO_printf(out, "%*s%s - LogotypeReference\n", indent, "", title);
698
699 hash_num = ref->refStructHash ?
700 sk_HashAlgAndValue_num(ref->refStructHash) : 0;
701 uri_num = ref->refStructURI ?
702 sk_ASN1_IA5STRING_num(ref->refStructURI) : 0;
703 if (hash_num != uri_num) {
704 BIO_printf(out, "%*sUnexpected LogotypeReference array size difference %d != %d\n",
705 indent, "", hash_num, uri_num);
706 return;
707 }
708
709 for (i = 0; i < hash_num; i++) {
710 HashAlgAndValue *hash;
711 ASN1_IA5STRING *uri;
712
713 hash = sk_HashAlgAndValue_value(ref->refStructHash, i);
714 i2r_HashAlgAndValue(hash, out, indent);
715
716 uri = sk_ASN1_IA5STRING_value(ref->refStructURI, i);
717 BIO_printf(out, "%*srefStructURI: ", indent, "");
718 ASN1_STRING_print(out, uri);
719 BIO_printf(out, "\n");
720 }
721}
722
723static void i2r_LogotypeInfo(LogotypeInfo *info, const char *title, BIO *out,
724 int indent)
725{
726 switch (info->type) {
727 case 0:
728 i2r_LogotypeData(info->d.direct, title, out, indent);
729 break;
730 case 1:
731 i2r_LogotypeReference(info->d.indirect, title, out, indent);
732 break;
733 }
734}
735
736static void debug_print_logotypeext(LogotypeExtn *logo)
737{
738 BIO *out;
739 int i, num;
740 int indent = 0;
741
742 out = BIO_new_fp(stdout, BIO_NOCLOSE);
743 if (out == NULL)
744 return;
745
746 if (logo->communityLogos) {
747 num = sk_LogotypeInfo_num(logo->communityLogos);
748 for (i = 0; i < num; i++) {
749 LogotypeInfo *info;
750 info = sk_LogotypeInfo_value(logo->communityLogos, i);
751 i2r_LogotypeInfo(info, "communityLogo", out, indent);
752 }
753 }
754
755 if (logo->issuerLogo) {
756 i2r_LogotypeInfo(logo->issuerLogo, "issuerLogo", out, indent );
757 }
758
759 if (logo->subjectLogo) {
760 i2r_LogotypeInfo(logo->subjectLogo, "subjectLogo", out, indent);
761 }
762
763 if (logo->otherLogos) {
764 BIO_printf(out, "%*sotherLogos - TODO\n", indent, "");
765 }
766
767 BIO_free(out);
768}
769
770
771static void add_logotype_ext(struct http_ctx *ctx, struct http_cert *hcert,
772 X509 *cert)
773{
774 ASN1_OBJECT *obj;
775 int pos;
776 X509_EXTENSION *ext;
777 ASN1_OCTET_STRING *os;
778 LogotypeExtn *logo;
779 const unsigned char *data;
780 int i, num;
781
782 obj = OBJ_txt2obj("1.3.6.1.5.5.7.1.12", 0);
783 if (obj == NULL)
784 return;
785
786 pos = X509_get_ext_by_OBJ(cert, obj, -1);
787 if (pos < 0) {
788 wpa_printf(MSG_INFO, "No logotype extension included");
789 return;
790 }
791
792 wpa_printf(MSG_INFO, "Parsing logotype extension");
793 ext = X509_get_ext(cert, pos);
794 if (!ext) {
795 wpa_printf(MSG_INFO, "Could not get logotype extension");
796 return;
797 }
798
799 os = X509_EXTENSION_get_data(ext);
800 if (os == NULL) {
801 wpa_printf(MSG_INFO, "Could not get logotype extension data");
802 return;
803 }
804
805 wpa_hexdump(MSG_DEBUG, "logotypeExtn",
806 ASN1_STRING_data(os), ASN1_STRING_length(os));
807
808 data = ASN1_STRING_data(os);
809 logo = d2i_LogotypeExtn(NULL, &data, ASN1_STRING_length(os));
810 if (logo == NULL) {
811 wpa_printf(MSG_INFO, "Failed to parse logotypeExtn");
812 return;
813 }
814
815 if (wpa_debug_level < MSG_INFO)
816 debug_print_logotypeext(logo);
817
818 if (!logo->communityLogos) {
819 wpa_printf(MSG_INFO, "No communityLogos included");
820 LogotypeExtn_free(logo);
821 return;
822 }
823
824 num = sk_LogotypeInfo_num(logo->communityLogos);
825 for (i = 0; i < num; i++) {
826 LogotypeInfo *info;
827 info = sk_LogotypeInfo_value(logo->communityLogos, i);
828 switch (info->type) {
829 case 0:
830 add_logo_direct(ctx, hcert, info->d.direct);
831 break;
832 case 1:
833 add_logo_indirect(ctx, hcert, info->d.indirect);
834 break;
835 }
836 }
837
838 LogotypeExtn_free(logo);
839}
840
841
842static void parse_cert(struct http_ctx *ctx, struct http_cert *hcert,
843 X509 *cert, GENERAL_NAMES **names)
844{
845 os_memset(hcert, 0, sizeof(*hcert));
846
847 *names = X509_get_ext_d2i(cert, NID_subject_alt_name, NULL, NULL);
848 if (*names)
849 add_alt_names(ctx, hcert, *names);
850
851 add_logotype_ext(ctx, hcert, cert);
852}
853
854
855static void parse_cert_free(struct http_cert *hcert, GENERAL_NAMES *names)
856{
857 unsigned int i;
858
859 for (i = 0; i < hcert->num_dnsname; i++)
860 OPENSSL_free(hcert->dnsname[i]);
861 os_free(hcert->dnsname);
862
863 for (i = 0; i < hcert->num_othername; i++)
864 os_free(hcert->othername[i].oid);
865 os_free(hcert->othername);
866
867 for (i = 0; i < hcert->num_logo; i++) {
868 os_free(hcert->logo[i].alg_oid);
869 os_free(hcert->logo[i].hash);
870 os_free(hcert->logo[i].uri);
871 }
872 os_free(hcert->logo);
873
874 sk_GENERAL_NAME_pop_free(names, GENERAL_NAME_free);
875}
876
877
878static int validate_server_cert(struct http_ctx *ctx, X509 *cert)
879{
880 GENERAL_NAMES *names;
881 struct http_cert hcert;
882 int ret;
883
Dmitry Shmidt912c6ec2015-03-30 13:16:51 -0700[diff] [blame]884 if (ctx->cert_cb == NULL) {
885 wpa_printf(MSG_DEBUG, "%s: no cert_cb configured", __func__);
Dmitry Shmidtd5dc24e2014-03-12 14:22:04 -0700[diff] [blame]886 return 0;
Dmitry Shmidt912c6ec2015-03-30 13:16:51 -0700[diff] [blame]887 }
Dmitry Shmidtd5dc24e2014-03-12 14:22:04 -0700[diff] [blame]888
889 if (0) {
890 BIO *out;
891 out = BIO_new_fp(stdout, BIO_NOCLOSE);
892 X509_print_ex(out, cert, XN_FLAG_COMPAT, X509_FLAG_COMPAT);
893 BIO_free(out);
894 }
895
896 parse_cert(ctx, &hcert, cert, &names);
897 ret = ctx->cert_cb(ctx->cert_cb_ctx, &hcert);
898 parse_cert_free(&hcert, names);
899
900 return ret;
901}
902
903
904void http_parse_x509_certificate(struct http_ctx *ctx, const char *fname)
905{
906 BIO *in, *out;
907 X509 *cert;
908 GENERAL_NAMES *names;
909 struct http_cert hcert;
910 unsigned int i;
911
912 in = BIO_new_file(fname, "r");
913 if (in == NULL) {
914 wpa_printf(MSG_ERROR, "Could not read '%s'", fname);
915 return;
916 }
917
918 cert = d2i_X509_bio(in, NULL);
919 BIO_free(in);
920
921 if (cert == NULL) {
922 wpa_printf(MSG_ERROR, "Could not parse certificate");
923 return;
924 }
925
926 out = BIO_new_fp(stdout, BIO_NOCLOSE);
927 if (out) {
928 X509_print_ex(out, cert, XN_FLAG_COMPAT,
929 X509_FLAG_COMPAT);
930 BIO_free(out);
931 }
932
933 wpa_printf(MSG_INFO, "Additional parsing information:");
934 parse_cert(ctx, &hcert, cert, &names);
935 for (i = 0; i < hcert.num_othername; i++) {
936 if (os_strcmp(hcert.othername[i].oid,
937 "1.3.6.1.4.1.40808.1.1.1") == 0) {
938 char *name = os_zalloc(hcert.othername[i].len + 1);
939 if (name) {
940 os_memcpy(name, hcert.othername[i].data,
941 hcert.othername[i].len);
942 wpa_printf(MSG_INFO,
943 "id-wfa-hotspot-friendlyName: %s",
944 name);
945 os_free(name);
946 }
947 wpa_hexdump_ascii(MSG_INFO,
948 "id-wfa-hotspot-friendlyName",
949 hcert.othername[i].data,
950 hcert.othername[i].len);
951 } else {
952 wpa_printf(MSG_INFO, "subjAltName[othername]: oid=%s",
953 hcert.othername[i].oid);
954 wpa_hexdump_ascii(MSG_INFO, "unknown othername",
955 hcert.othername[i].data,
956 hcert.othername[i].len);
957 }
958 }
959 parse_cert_free(&hcert, names);
960
961 X509_free(cert);
962}
963
964
965static int curl_cb_ssl_verify(int preverify_ok, X509_STORE_CTX *x509_ctx)
966{
967 struct http_ctx *ctx;
968 X509 *cert;
969 int err, depth;
970 char buf[256];
971 X509_NAME *name;
972 const char *err_str;
973 SSL *ssl;
974 SSL_CTX *ssl_ctx;
975
976 ssl = X509_STORE_CTX_get_ex_data(x509_ctx,
977 SSL_get_ex_data_X509_STORE_CTX_idx());
978 ssl_ctx = ssl->ctx;
979 ctx = SSL_CTX_get_app_data(ssl_ctx);
980
Dmitry Shmidt912c6ec2015-03-30 13:16:51 -0700[diff] [blame]981 wpa_printf(MSG_DEBUG, "curl_cb_ssl_verify, preverify_ok: %d",
982 preverify_ok);
Dmitry Shmidtd5dc24e2014-03-12 14:22:04 -0700[diff] [blame]983
984 err = X509_STORE_CTX_get_error(x509_ctx);
985 err_str = X509_verify_cert_error_string(err);
986 depth = X509_STORE_CTX_get_error_depth(x509_ctx);
987 cert = X509_STORE_CTX_get_current_cert(x509_ctx);
988 if (!cert) {
989 wpa_printf(MSG_INFO, "No server certificate available");
990 ctx->last_err = "No server certificate available";
991 return 0;
992 }
993
994 if (depth == 0)
995 ctx->peer_cert = cert;
996 else if (depth == 1)
997 ctx->peer_issuer = cert;
998 else if (depth == 2)
999 ctx->peer_issuer_issuer = cert;
1000
1001 name = X509_get_subject_name(cert);
1002 X509_NAME_oneline(name, buf, sizeof(buf));
1003 wpa_printf(MSG_INFO, "Server certificate chain - depth=%d err=%d (%s) subject=%s",
1004 depth, err, err_str, buf);
1005 debug_dump_cert("Server certificate chain - certificate", cert);
1006
1007 if (depth == 0 && preverify_ok && validate_server_cert(ctx, cert) < 0)
1008 return 0;
1009
Dmitry Shmidtd7ff03d2015-12-04 14:49:35 -0800[diff] [blame]1010#ifdef OPENSSL_IS_BORINGSSL
1011 if (depth == 0 && ctx->ocsp != NO_OCSP && preverify_ok) {
1012 enum ocsp_result res;
1013
1014 res = check_ocsp_resp(ssl_ctx, ssl, cert, ctx->peer_issuer,
1015 ctx->peer_issuer_issuer);
1016 if (res == OCSP_REVOKED) {
1017 preverify_ok = 0;
1018 wpa_printf(MSG_INFO, "OCSP: certificate revoked");
1019 if (err == X509_V_OK)
1020 X509_STORE_CTX_set_error(
1021 x509_ctx, X509_V_ERR_CERT_REVOKED);
1022 } else if (res != OCSP_GOOD && (ctx->ocsp == MANDATORY_OCSP)) {
1023 preverify_ok = 0;
1024 wpa_printf(MSG_INFO,
1025 "OCSP: bad certificate status response");
1026 }
1027 }
1028#endif /* OPENSSL_IS_BORINGSSL */
1029
Dmitry Shmidtd5dc24e2014-03-12 14:22:04 -0700[diff] [blame]1030 if (!preverify_ok)
1031 ctx->last_err = "TLS validation failed";
1032
1033 return preverify_ok;
1034}
1035
1036
1037#ifdef HAVE_OCSP
1038
1039static void ocsp_debug_print_resp(OCSP_RESPONSE *rsp)
1040{
1041 BIO *out;
1042 size_t rlen;
1043 char *txt;
1044 int res;
1045
1046 out = BIO_new(BIO_s_mem());
1047 if (!out)
1048 return;
1049
1050 OCSP_RESPONSE_print(out, rsp, 0);
1051 rlen = BIO_ctrl_pending(out);
1052 txt = os_malloc(rlen + 1);
1053 if (!txt) {
1054 BIO_free(out);
1055 return;
1056 }
1057
1058 res = BIO_read(out, txt, rlen);
1059 if (res > 0) {
1060 txt[res] = '\0';
1061 wpa_printf(MSG_MSGDUMP, "OpenSSL: OCSP Response\n%s", txt);
1062 }
1063 os_free(txt);
1064 BIO_free(out);
1065}
1066
1067
1068static void tls_show_errors(const char *func, const char *txt)
1069{
1070 unsigned long err;
1071
1072 wpa_printf(MSG_DEBUG, "OpenSSL: %s - %s %s",
1073 func, txt, ERR_error_string(ERR_get_error(), NULL));
1074
1075 while ((err = ERR_get_error())) {
1076 wpa_printf(MSG_DEBUG, "OpenSSL: pending error: %s",
1077 ERR_error_string(err, NULL));
1078 }
1079}
1080
1081
1082static int ocsp_resp_cb(SSL *s, void *arg)
1083{
1084 struct http_ctx *ctx = arg;
1085 const unsigned char *p;
1086 int len, status, reason;
1087 OCSP_RESPONSE *rsp;
1088 OCSP_BASICRESP *basic;
1089 OCSP_CERTID *id;
1090 ASN1_GENERALIZEDTIME *produced_at, *this_update, *next_update;
1091 X509_STORE *store;
1092 STACK_OF(X509) *certs = NULL;
1093
1094 len = SSL_get_tlsext_status_ocsp_resp(s, &p);
1095 if (!p) {
1096 wpa_printf(MSG_DEBUG, "OpenSSL: No OCSP response received");
1097 if (ctx->ocsp == MANDATORY_OCSP)
1098 ctx->last_err = "No OCSP response received";
1099 return (ctx->ocsp == MANDATORY_OCSP) ? 0 : 1;
1100 }
1101
1102 wpa_hexdump(MSG_DEBUG, "OpenSSL: OCSP response", p, len);
1103
1104 rsp = d2i_OCSP_RESPONSE(NULL, &p, len);
1105 if (!rsp) {
1106 wpa_printf(MSG_INFO, "OpenSSL: Failed to parse OCSP response");
1107 ctx->last_err = "Failed to parse OCSP response";
1108 return 0;
1109 }
1110
1111 ocsp_debug_print_resp(rsp);
1112
1113 status = OCSP_response_status(rsp);
1114 if (status != OCSP_RESPONSE_STATUS_SUCCESSFUL) {
1115 wpa_printf(MSG_INFO, "OpenSSL: OCSP responder error %d (%s)",
1116 status, OCSP_response_status_str(status));
1117 ctx->last_err = "OCSP responder error";
1118 return 0;
1119 }
1120
1121 basic = OCSP_response_get1_basic(rsp);
1122 if (!basic) {
1123 wpa_printf(MSG_INFO, "OpenSSL: Could not find BasicOCSPResponse");
1124 ctx->last_err = "Could not find BasicOCSPResponse";
1125 return 0;
1126 }
1127
1128 store = SSL_CTX_get_cert_store(s->ctx);
1129 if (ctx->peer_issuer) {
1130 wpa_printf(MSG_DEBUG, "OpenSSL: Add issuer");
1131 debug_dump_cert("OpenSSL: Issuer certificate",
1132 ctx->peer_issuer);
1133
1134 if (X509_STORE_add_cert(store, ctx->peer_issuer) != 1) {
1135 tls_show_errors(__func__,
Dmitry Shmidt7f656022015-02-25 14:36:37 -0800[diff] [blame]1136 "OpenSSL: Could not add issuer to certificate store");
Dmitry Shmidtd5dc24e2014-03-12 14:22:04 -0700[diff] [blame]1137 }
1138 certs = sk_X509_new_null();
1139 if (certs) {
1140 X509 *cert;
1141 cert = X509_dup(ctx->peer_issuer);
1142 if (cert && !sk_X509_push(certs, cert)) {
1143 tls_show_errors(
1144 __func__,
Dmitry Shmidt7f656022015-02-25 14:36:37 -0800[diff] [blame]1145 "OpenSSL: Could not add issuer to OCSP responder trust store");
Dmitry Shmidtd5dc24e2014-03-12 14:22:04 -0700[diff] [blame]1146 X509_free(cert);
1147 sk_X509_free(certs);
1148 certs = NULL;
1149 }
Dmitry Shmidt7f656022015-02-25 14:36:37 -0800[diff] [blame]1150 if (certs && ctx->peer_issuer_issuer) {
Dmitry Shmidtd5dc24e2014-03-12 14:22:04 -0700[diff] [blame]1151 cert = X509_dup(ctx->peer_issuer_issuer);
1152 if (cert && !sk_X509_push(certs, cert)) {
1153 tls_show_errors(
1154 __func__,
Dmitry Shmidt7f656022015-02-25 14:36:37 -0800[diff] [blame]1155 "OpenSSL: Could not add issuer's issuer to OCSP responder trust store");
Dmitry Shmidtd5dc24e2014-03-12 14:22:04 -0700[diff] [blame]1156 X509_free(cert);
1157 }
1158 }
1159 }
1160 }
1161
1162 status = OCSP_basic_verify(basic, certs, store, OCSP_TRUSTOTHER);
1163 sk_X509_pop_free(certs, X509_free);
1164 if (status <= 0) {
1165 tls_show_errors(__func__,
1166 "OpenSSL: OCSP response failed verification");
1167 OCSP_BASICRESP_free(basic);
1168 OCSP_RESPONSE_free(rsp);
1169 ctx->last_err = "OCSP response failed verification";
1170 return 0;
1171 }
1172
1173 wpa_printf(MSG_DEBUG, "OpenSSL: OCSP response verification succeeded");
1174
1175 if (!ctx->peer_cert) {
1176 wpa_printf(MSG_DEBUG, "OpenSSL: Peer certificate not available for OCSP status check");
1177 OCSP_BASICRESP_free(basic);
1178 OCSP_RESPONSE_free(rsp);
1179 ctx->last_err = "Peer certificate not available for OCSP status check";
1180 return 0;
1181 }
1182
1183 if (!ctx->peer_issuer) {
1184 wpa_printf(MSG_DEBUG, "OpenSSL: Peer issuer certificate not available for OCSP status check");
1185 OCSP_BASICRESP_free(basic);
1186 OCSP_RESPONSE_free(rsp);
1187 ctx->last_err = "Peer issuer certificate not available for OCSP status check";
1188 return 0;
1189 }
1190
1191 id = OCSP_cert_to_id(NULL, ctx->peer_cert, ctx->peer_issuer);
1192 if (!id) {
1193 wpa_printf(MSG_DEBUG, "OpenSSL: Could not create OCSP certificate identifier");
1194 OCSP_BASICRESP_free(basic);
1195 OCSP_RESPONSE_free(rsp);
1196 ctx->last_err = "Could not create OCSP certificate identifier";
1197 return 0;
1198 }
1199
1200 if (!OCSP_resp_find_status(basic, id, &status, &reason, &produced_at,
1201 &this_update, &next_update)) {
1202 wpa_printf(MSG_INFO, "OpenSSL: Could not find current server certificate from OCSP response%s",
1203 (ctx->ocsp == MANDATORY_OCSP) ? "" :
1204 " (OCSP not required)");
1205 OCSP_BASICRESP_free(basic);
1206 OCSP_RESPONSE_free(rsp);
1207 if (ctx->ocsp == MANDATORY_OCSP)
1208
1209 ctx->last_err = "Could not find current server certificate from OCSP response";
1210 return (ctx->ocsp == MANDATORY_OCSP) ? 0 : 1;
1211 }
1212
1213 if (!OCSP_check_validity(this_update, next_update, 5 * 60, -1)) {
1214 tls_show_errors(__func__, "OpenSSL: OCSP status times invalid");
1215 OCSP_BASICRESP_free(basic);
1216 OCSP_RESPONSE_free(rsp);
1217 ctx->last_err = "OCSP status times invalid";
1218 return 0;
1219 }
1220
1221 OCSP_BASICRESP_free(basic);
1222 OCSP_RESPONSE_free(rsp);
1223
1224 wpa_printf(MSG_DEBUG, "OpenSSL: OCSP status for server certificate: %s",
1225 OCSP_cert_status_str(status));
1226
1227 if (status == V_OCSP_CERTSTATUS_GOOD)
1228 return 1;
Dmitry Shmidt661b4f72014-09-29 14:58:27 -0700[diff] [blame]1229 if (status == V_OCSP_CERTSTATUS_REVOKED) {
Dmitry Shmidtd5dc24e2014-03-12 14:22:04 -0700[diff] [blame]1230 ctx->last_err = "Server certificate has been revoked";
1231 return 0;
Dmitry Shmidt661b4f72014-09-29 14:58:27 -0700[diff] [blame]1232 }
Dmitry Shmidtd5dc24e2014-03-12 14:22:04 -0700[diff] [blame]1233 if (ctx->ocsp == MANDATORY_OCSP) {
1234 wpa_printf(MSG_DEBUG, "OpenSSL: OCSP status unknown, but OCSP required");
1235 ctx->last_err = "OCSP status unknown";
1236 return 0;
1237 }
1238 wpa_printf(MSG_DEBUG, "OpenSSL: OCSP status unknown, but OCSP was not required, so allow connection to continue");
1239 return 1;
1240}
1241
1242
1243static SSL_METHOD patch_ssl_method;
1244static const SSL_METHOD *real_ssl_method;
1245
1246static int curl_patch_ssl_new(SSL *s)
1247{
1248 SSL_CTX *ssl = s->ctx;
1249 int ret;
1250
1251 ssl->method = real_ssl_method;
1252 s->method = real_ssl_method;
1253
1254 ret = s->method->ssl_new(s);
1255 SSL_set_tlsext_status_type(s, TLSEXT_STATUSTYPE_ocsp);
1256
1257 return ret;
1258}
1259
1260#endif /* HAVE_OCSP */
1261
1262
1263static CURLcode curl_cb_ssl(CURL *curl, void *sslctx, void *parm)
1264{
1265 struct http_ctx *ctx = parm;
1266 SSL_CTX *ssl = sslctx;
1267
1268 wpa_printf(MSG_DEBUG, "curl_cb_ssl");
1269 SSL_CTX_set_app_data(ssl, ctx);
1270 SSL_CTX_set_verify(ssl, SSL_VERIFY_PEER, curl_cb_ssl_verify);
1271
1272#ifdef HAVE_OCSP
1273 if (ctx->ocsp != NO_OCSP) {
1274 SSL_CTX_set_tlsext_status_cb(ssl, ocsp_resp_cb);
1275 SSL_CTX_set_tlsext_status_arg(ssl, ctx);
1276
1277 /*
1278 * Use a temporary SSL_METHOD to get a callback on SSL_new()
1279 * from libcurl since there is no proper callback registration
1280 * available for this.
1281 */
1282 os_memset(&patch_ssl_method, 0, sizeof(patch_ssl_method));
1283 patch_ssl_method.ssl_new = curl_patch_ssl_new;
1284 real_ssl_method = ssl->method;
1285 ssl->method = &patch_ssl_method;
1286 }
1287#endif /* HAVE_OCSP */
1288
1289 return CURLE_OK;
1290}
1291
1292#endif /* EAP_TLS_OPENSSL */
1293
1294
1295static CURL * setup_curl_post(struct http_ctx *ctx, const char *address,
1296 const char *ca_fname, const char *username,
1297 const char *password, const char *client_cert,
1298 const char *client_key)
1299{
1300 CURL *curl;
Dmitry Shmidt912c6ec2015-03-30 13:16:51 -0700[diff] [blame]1301#ifdef EAP_TLS_OPENSSL
1302 const char *extra = " tls=openssl";
1303#else /* EAP_TLS_OPENSSL */
1304 const char *extra = "";
1305#endif /* EAP_TLS_OPENSSL */
Dmitry Shmidtd5dc24e2014-03-12 14:22:04 -0700[diff] [blame]1306
1307 wpa_printf(MSG_DEBUG, "Start HTTP client: address=%s ca_fname=%s "
Dmitry Shmidt912c6ec2015-03-30 13:16:51 -0700[diff] [blame]1308 "username=%s%s", address, ca_fname, username, extra);
Dmitry Shmidtd5dc24e2014-03-12 14:22:04 -0700[diff] [blame]1309
1310 curl = curl_easy_init();
1311 if (curl == NULL)
1312 return NULL;
1313
1314 curl_easy_setopt(curl, CURLOPT_URL, address);
1315 curl_easy_setopt(curl, CURLOPT_POST, 1L);
1316 if (ca_fname) {
1317 curl_easy_setopt(curl, CURLOPT_CAINFO, ca_fname);
1318 curl_easy_setopt(curl, CURLOPT_SSL_VERIFYPEER, 1L);
1319#ifdef EAP_TLS_OPENSSL
1320 curl_easy_setopt(curl, CURLOPT_SSL_CTX_FUNCTION, curl_cb_ssl);
1321 curl_easy_setopt(curl, CURLOPT_SSL_CTX_DATA, ctx);
Dmitry Shmidtd7ff03d2015-12-04 14:49:35 -0800[diff] [blame]1322#ifdef OPENSSL_IS_BORINGSSL
1323 /* For now, using the CURLOPT_SSL_VERIFYSTATUS option only
1324 * with BoringSSL since the OpenSSL specific callback hack to
1325 * enable OCSP is not available with BoringSSL. The OCSP
1326 * implementation within libcurl is not sufficient for the
1327 * Hotspot 2.0 OSU needs, so cannot use this with OpenSSL.
1328 */
1329 if (ctx->ocsp != NO_OCSP)
1330 curl_easy_setopt(curl, CURLOPT_SSL_VERIFYSTATUS, 1L);
1331#endif /* OPENSSL_IS_BORINGSSL */
Dmitry Shmidtd5dc24e2014-03-12 14:22:04 -0700[diff] [blame]1332#endif /* EAP_TLS_OPENSSL */
1333 } else {
1334 curl_easy_setopt(curl, CURLOPT_SSL_VERIFYPEER, 0L);
1335 }
1336 if (client_cert && client_key) {
1337 curl_easy_setopt(curl, CURLOPT_SSLCERT, client_cert);
1338 curl_easy_setopt(curl, CURLOPT_SSLKEY, client_key);
1339 }
1340 /* TODO: use curl_easy_getinfo() with CURLINFO_CERTINFO to fetch
1341 * information about the server certificate */
1342 curl_easy_setopt(curl, CURLOPT_CERTINFO, 1L);
1343 curl_easy_setopt(curl, CURLOPT_DEBUGFUNCTION, curl_cb_debug);
1344 curl_easy_setopt(curl, CURLOPT_DEBUGDATA, ctx);
Dmitry Shmidtd5dc24e2014-03-12 14:22:04 -0700[diff] [blame]1345 curl_easy_setopt(curl, CURLOPT_WRITEFUNCTION, curl_cb_write);
1346 curl_easy_setopt(curl, CURLOPT_WRITEDATA, ctx);
1347 curl_easy_setopt(curl, CURLOPT_VERBOSE, 1L);
1348 if (username) {
1349 curl_easy_setopt(curl, CURLOPT_HTTPAUTH, CURLAUTH_ANYSAFE);
1350 curl_easy_setopt(curl, CURLOPT_USERNAME, username);
1351 curl_easy_setopt(curl, CURLOPT_PASSWORD, password);
1352 }
1353
1354 return curl;
1355}
1356
1357
1358static int post_init_client(struct http_ctx *ctx, const char *address,
1359 const char *ca_fname, const char *username,
1360 const char *password, const char *client_cert,
1361 const char *client_key)
1362{
1363 char *pos;
1364 int count;
1365
1366 clone_str(&ctx->svc_address, address);
1367 clone_str(&ctx->svc_ca_fname, ca_fname);
1368 clone_str(&ctx->svc_username, username);
1369 clone_str(&ctx->svc_password, password);
1370 clone_str(&ctx->svc_client_cert, client_cert);
1371 clone_str(&ctx->svc_client_key, client_key);
1372
1373 /*
1374 * Workaround for Apache "Hostname 'FOO' provided via SNI and hostname
1375 * 'foo' provided via HTTP are different.
1376 */
1377 for (count = 0, pos = ctx->svc_address; count < 3 && pos && *pos;
1378 pos++) {
1379 if (*pos == '/')
1380 count++;
1381 *pos = tolower(*pos);
1382 }
1383
1384 ctx->curl = setup_curl_post(ctx, ctx->svc_address, ca_fname, username,
1385 password, client_cert, client_key);
1386 if (ctx->curl == NULL)
1387 return -1;
1388
1389 return 0;
1390}
1391
1392
1393int soap_init_client(struct http_ctx *ctx, const char *address,
1394 const char *ca_fname, const char *username,
1395 const char *password, const char *client_cert,
1396 const char *client_key)
1397{
1398 if (post_init_client(ctx, address, ca_fname, username, password,
1399 client_cert, client_key) < 0)
1400 return -1;
1401
1402 ctx->curl_hdr = curl_slist_append(ctx->curl_hdr,
1403 "Content-Type: application/soap+xml");
1404 ctx->curl_hdr = curl_slist_append(ctx->curl_hdr, "SOAPAction: ");
1405 ctx->curl_hdr = curl_slist_append(ctx->curl_hdr, "Expect:");
1406 curl_easy_setopt(ctx->curl, CURLOPT_HTTPHEADER, ctx->curl_hdr);
1407
1408 return 0;
1409}
1410
1411
1412int soap_reinit_client(struct http_ctx *ctx)
1413{
1414 char *address = NULL;
1415 char *ca_fname = NULL;
1416 char *username = NULL;
1417 char *password = NULL;
1418 char *client_cert = NULL;
1419 char *client_key = NULL;
1420 int ret;
1421
1422 clear_curl(ctx);
1423
1424 clone_str(&address, ctx->svc_address);
1425 clone_str(&ca_fname, ctx->svc_ca_fname);
1426 clone_str(&username, ctx->svc_username);
1427 clone_str(&password, ctx->svc_password);
1428 clone_str(&client_cert, ctx->svc_client_cert);
1429 clone_str(&client_key, ctx->svc_client_key);
1430
1431 ret = soap_init_client(ctx, address, ca_fname, username, password,
1432 client_cert, client_key);
1433 os_free(address);
1434 os_free(ca_fname);
Dmitry Shmidtc2817022014-07-02 10:32:10 -0700[diff] [blame]1435 str_clear_free(username);
1436 str_clear_free(password);
Dmitry Shmidtd5dc24e2014-03-12 14:22:04 -0700[diff] [blame]1437 os_free(client_cert);
1438 os_free(client_key);
1439 return ret;
1440}
1441
1442
1443static void free_curl_buf(struct http_ctx *ctx)
1444{
1445 os_free(ctx->curl_buf);
1446 ctx->curl_buf = NULL;
1447 ctx->curl_buf_len = 0;
1448}
1449
1450
1451xml_node_t * soap_send_receive(struct http_ctx *ctx, xml_node_t *node)
1452{
1453 char *str;
1454 xml_node_t *envelope, *ret, *resp, *n;
1455 CURLcode res;
1456 long http = 0;
1457
1458 ctx->last_err = NULL;
1459
1460 wpa_printf(MSG_DEBUG, "SOAP: Sending message");
1461 envelope = soap_build_envelope(ctx->xml, node);
1462 str = xml_node_to_str(ctx->xml, envelope);
1463 xml_node_free(ctx->xml, envelope);
1464 wpa_printf(MSG_MSGDUMP, "SOAP[%s]", str);
1465
1466 curl_easy_setopt(ctx->curl, CURLOPT_POSTFIELDS, str);
1467 free_curl_buf(ctx);
1468
1469 res = curl_easy_perform(ctx->curl);
1470 if (res != CURLE_OK) {
1471 if (!ctx->last_err)
1472 ctx->last_err = curl_easy_strerror(res);
1473 wpa_printf(MSG_ERROR, "curl_easy_perform() failed: %s",
1474 ctx->last_err);
1475 os_free(str);
1476 free_curl_buf(ctx);
1477 return NULL;
1478 }
1479 os_free(str);
1480
1481 curl_easy_getinfo(ctx->curl, CURLINFO_RESPONSE_CODE, &http);
1482 wpa_printf(MSG_DEBUG, "SOAP: Server response code %ld", http);
1483 if (http != 200) {
1484 ctx->last_err = "HTTP download failed";
1485 wpa_printf(MSG_INFO, "HTTP download failed - code %ld", http);
1486 free_curl_buf(ctx);
1487 return NULL;
1488 }
1489
1490 if (ctx->curl_buf == NULL)
1491 return NULL;
1492
1493 wpa_printf(MSG_MSGDUMP, "Server response:\n%s", ctx->curl_buf);
1494 resp = xml_node_from_buf(ctx->xml, ctx->curl_buf);
1495 free_curl_buf(ctx);
1496 if (resp == NULL) {
1497 wpa_printf(MSG_INFO, "Could not parse SOAP response");
1498 ctx->last_err = "Could not parse SOAP response";
1499 return NULL;
1500 }
1501
1502 ret = soap_get_body(ctx->xml, resp);
1503 if (ret == NULL) {
1504 wpa_printf(MSG_INFO, "Could not get SOAP body");
1505 ctx->last_err = "Could not get SOAP body";
1506 return NULL;
1507 }
1508
1509 wpa_printf(MSG_DEBUG, "SOAP body localname: '%s'",
1510 xml_node_get_localname(ctx->xml, ret));
1511 n = xml_node_copy(ctx->xml, ret);
1512 xml_node_free(ctx->xml, resp);
1513
1514 return n;
1515}
1516
1517
1518struct http_ctx * http_init_ctx(void *upper_ctx, struct xml_node_ctx *xml_ctx)
1519{
1520 struct http_ctx *ctx;
1521
1522 ctx = os_zalloc(sizeof(*ctx));
1523 if (ctx == NULL)
1524 return NULL;
1525 ctx->ctx = upper_ctx;
1526 ctx->xml = xml_ctx;
1527 ctx->ocsp = OPTIONAL_OCSP;
1528
1529 curl_global_init(CURL_GLOBAL_ALL);
1530
1531 return ctx;
1532}
1533
1534
1535void http_ocsp_set(struct http_ctx *ctx, int val)
1536{
1537 if (val == 0)
1538 ctx->ocsp = NO_OCSP;
1539 else if (val == 1)
1540 ctx->ocsp = OPTIONAL_OCSP;
1541 if (val == 2)
1542 ctx->ocsp = MANDATORY_OCSP;
1543}
1544
1545
1546void http_deinit_ctx(struct http_ctx *ctx)
1547{
1548 clear_curl(ctx);
1549 os_free(ctx->curl_buf);
1550 curl_global_cleanup();
1551
1552 os_free(ctx->svc_address);
1553 os_free(ctx->svc_ca_fname);
Dmitry Shmidtc2817022014-07-02 10:32:10 -0700[diff] [blame]1554 str_clear_free(ctx->svc_username);
1555 str_clear_free(ctx->svc_password);
Dmitry Shmidtd5dc24e2014-03-12 14:22:04 -0700[diff] [blame]1556 os_free(ctx->svc_client_cert);
1557 os_free(ctx->svc_client_key);
1558
1559 os_free(ctx);
1560}
1561
1562
1563int http_download_file(struct http_ctx *ctx, const char *url,
1564 const char *fname, const char *ca_fname)
1565{
1566 CURL *curl;
1567 FILE *f;
1568 CURLcode res;
1569 long http = 0;
1570
1571 ctx->last_err = NULL;
1572
1573 wpa_printf(MSG_DEBUG, "curl: Download file from %s to %s (ca=%s)",
1574 url, fname, ca_fname);
1575 curl = curl_easy_init();
1576 if (curl == NULL)
1577 return -1;
1578
1579 f = fopen(fname, "wb");
1580 if (f == NULL) {
1581 curl_easy_cleanup(curl);
1582 return -1;
1583 }
1584
1585 curl_easy_setopt(curl, CURLOPT_URL, url);
1586 if (ca_fname) {
1587 curl_easy_setopt(curl, CURLOPT_CAINFO, ca_fname);
1588 curl_easy_setopt(curl, CURLOPT_SSL_VERIFYPEER, 1L);
1589 curl_easy_setopt(curl, CURLOPT_CERTINFO, 1L);
1590 } else {
1591 curl_easy_setopt(curl, CURLOPT_SSL_VERIFYPEER, 0L);
1592 }
1593 curl_easy_setopt(curl, CURLOPT_DEBUGFUNCTION, curl_cb_debug);
1594 curl_easy_setopt(curl, CURLOPT_DEBUGDATA, ctx);
Dmitry Shmidtd5dc24e2014-03-12 14:22:04 -0700[diff] [blame]1595 curl_easy_setopt(curl, CURLOPT_WRITEFUNCTION, fwrite);
1596 curl_easy_setopt(curl, CURLOPT_WRITEDATA, f);
1597 curl_easy_setopt(curl, CURLOPT_VERBOSE, 1L);
1598
1599 res = curl_easy_perform(curl);
1600 if (res != CURLE_OK) {
1601 if (!ctx->last_err)
1602 ctx->last_err = curl_easy_strerror(res);
1603 wpa_printf(MSG_ERROR, "curl_easy_perform() failed: %s",
1604 ctx->last_err);
1605 curl_easy_cleanup(curl);
1606 fclose(f);
1607 return -1;
1608 }
1609
1610 curl_easy_getinfo(curl, CURLINFO_RESPONSE_CODE, &http);
1611 wpa_printf(MSG_DEBUG, "curl: Server response code %ld", http);
1612 if (http != 200) {
1613 ctx->last_err = "HTTP download failed";
1614 wpa_printf(MSG_INFO, "HTTP download failed - code %ld", http);
1615 curl_easy_cleanup(curl);
1616 fclose(f);
1617 return -1;
1618 }
1619
1620 curl_easy_cleanup(curl);
1621 fclose(f);
1622
1623 return 0;
1624}
1625
1626
1627char * http_post(struct http_ctx *ctx, const char *url, const char *data,
1628 const char *content_type, const char *ext_hdr,
1629 const char *ca_fname,
1630 const char *username, const char *password,
1631 const char *client_cert, const char *client_key,
1632 size_t *resp_len)
1633{
1634 long http = 0;
1635 CURLcode res;
1636 char *ret;
1637 CURL *curl;
1638 struct curl_slist *curl_hdr = NULL;
1639
1640 ctx->last_err = NULL;
1641 wpa_printf(MSG_DEBUG, "curl: HTTP POST to %s", url);
1642 curl = setup_curl_post(ctx, url, ca_fname, username, password,
1643 client_cert, client_key);
1644 if (curl == NULL)
1645 return NULL;
1646
1647 if (content_type) {
1648 char ct[200];
1649 snprintf(ct, sizeof(ct), "Content-Type: %s", content_type);
1650 curl_hdr = curl_slist_append(curl_hdr, ct);
1651 }
1652 if (ext_hdr)
1653 curl_hdr = curl_slist_append(curl_hdr, ext_hdr);
1654 curl_easy_setopt(curl, CURLOPT_HTTPHEADER, curl_hdr);
1655
1656 curl_easy_setopt(curl, CURLOPT_POSTFIELDS, data);
1657 free_curl_buf(ctx);
1658
1659 res = curl_easy_perform(curl);
1660 if (res != CURLE_OK) {
1661 if (!ctx->last_err)
1662 ctx->last_err = curl_easy_strerror(res);
1663 wpa_printf(MSG_ERROR, "curl_easy_perform() failed: %s",
1664 ctx->last_err);
1665 free_curl_buf(ctx);
1666 return NULL;
1667 }
1668
1669 curl_easy_getinfo(curl, CURLINFO_RESPONSE_CODE, &http);
1670 wpa_printf(MSG_DEBUG, "curl: Server response code %ld", http);
1671 if (http != 200) {
1672 ctx->last_err = "HTTP POST failed";
1673 wpa_printf(MSG_INFO, "HTTP POST failed - code %ld", http);
1674 free_curl_buf(ctx);
1675 return NULL;
1676 }
1677
1678 if (ctx->curl_buf == NULL)
1679 return NULL;
1680
1681 ret = ctx->curl_buf;
1682 if (resp_len)
1683 *resp_len = ctx->curl_buf_len;
1684 ctx->curl_buf = NULL;
1685 ctx->curl_buf_len = 0;
1686
1687 wpa_printf(MSG_MSGDUMP, "Server response:\n%s", ret);
1688
1689 return ret;
1690}
1691
1692
1693void http_set_cert_cb(struct http_ctx *ctx,
1694 int (*cb)(void *ctx, struct http_cert *cert),
1695 void *cb_ctx)
1696{
1697 ctx->cert_cb = cb;
1698 ctx->cert_cb_ctx = cb_ctx;
1699}
1700
1701
1702const char * http_get_err(struct http_ctx *ctx)
1703{
1704 return ctx->last_err;
1705}