Gitiles
Code Review Sign In
gerrit.omnirom.org / android_external_wpa_supplicant_8 / f3cee1d6af174eebdf3aeb767d72c8da9148f639 / . / src / utils / http_curl.c
blob: a1e88bcb6027aa3bf0d0dddc54dc42cd9d4ed8ec [file] [log] [blame]
Dmitry Shmidtd5dc24e2014-03-12 14:22:04 -0700[diff] [blame]1/*
2 * HTTP wrapper for libcurl
Dmitry Shmidt6cb1f652014-03-21 10:54:03 -0700[diff] [blame]3 * Copyright (c) 2012-2014, Qualcomm Atheros, Inc.
Dmitry Shmidtd5dc24e2014-03-12 14:22:04 -0700[diff] [blame]4 *
5 * This software may be distributed under the terms of the BSD license.
6 * See README for more details.
7 */
8
9#include "includes.h"
10#include <curl/curl.h>
11#ifdef EAP_TLS_OPENSSL
12#include <openssl/ssl.h>
13#include <openssl/asn1.h>
14#include <openssl/asn1t.h>
15#include <openssl/x509v3.h>
16
17#ifdef SSL_set_tlsext_status_type
18#ifndef OPENSSL_NO_TLSEXT
19#define HAVE_OCSP
20#include <openssl/err.h>
21#include <openssl/ocsp.h>
22#endif /* OPENSSL_NO_TLSEXT */
23#endif /* SSL_set_tlsext_status_type */
24#endif /* EAP_TLS_OPENSSL */
25
26#include "common.h"
27#include "xml-utils.h"
28#include "http-utils.h"
Dmitry Shmidtd7ff03d2015-12-04 14:49:35 -0800[diff] [blame]29#ifdef EAP_TLS_OPENSSL
30#include "crypto/tls_openssl.h"
31#endif /* EAP_TLS_OPENSSL */
Dmitry Shmidtd5dc24e2014-03-12 14:22:04 -0700[diff] [blame]32
33
Hai Shalom74f70d42019-02-11 14:42:39 -0800[diff] [blame]34#if OPENSSL_VERSION_NUMBER < 0x10100000L
35static const unsigned char * ASN1_STRING_get0_data(const ASN1_STRING *x)
36{
37 return ASN1_STRING_data((ASN1_STRING *) x);
38}
39#endif /* OpenSSL < 1.1.0 */
40
41
Dmitry Shmidtd5dc24e2014-03-12 14:22:04 -0700[diff] [blame]42struct http_ctx {
43 void *ctx;
44 struct xml_node_ctx *xml;
45 CURL *curl;
46 struct curl_slist *curl_hdr;
47 char *svc_address;
48 char *svc_ca_fname;
49 char *svc_username;
50 char *svc_password;
51 char *svc_client_cert;
52 char *svc_client_key;
53 char *curl_buf;
54 size_t curl_buf_len;
55
56 int (*cert_cb)(void *ctx, struct http_cert *cert);
57 void *cert_cb_ctx;
58
59 enum {
60 NO_OCSP, OPTIONAL_OCSP, MANDATORY_OCSP
61 } ocsp;
62 X509 *peer_cert;
63 X509 *peer_issuer;
64 X509 *peer_issuer_issuer;
65
66 const char *last_err;
67};
68
69
70static void clear_curl(struct http_ctx *ctx)
71{
72 if (ctx->curl) {
73 curl_easy_cleanup(ctx->curl);
74 ctx->curl = NULL;
75 }
76 if (ctx->curl_hdr) {
77 curl_slist_free_all(ctx->curl_hdr);
78 ctx->curl_hdr = NULL;
79 }
80}
81
82
83static void clone_str(char **dst, const char *src)
84{
85 os_free(*dst);
86 if (src)
87 *dst = os_strdup(src);
88 else
89 *dst = NULL;
90}
91
92
93static void debug_dump(struct http_ctx *ctx, const char *title,
94 const char *buf, size_t len)
95{
Dmitry Shmidt6cb1f652014-03-21 10:54:03 -0700[diff] [blame]96 char *txt;
97 size_t i;
98
99 for (i = 0; i < len; i++) {
100 if (buf[i] < 32 && buf[i] != '\t' && buf[i] != '\n' &&
101 buf[i] != '\r') {
102 wpa_hexdump_ascii(MSG_MSGDUMP, title, buf, len);
103 return;
104 }
105 }
106
107 txt = os_malloc(len + 1);
Dmitry Shmidtd5dc24e2014-03-12 14:22:04 -0700[diff] [blame]108 if (txt == NULL)
109 return;
110 os_memcpy(txt, buf, len);
111 txt[len] = '\0';
112 while (len > 0) {
113 len--;
Dmitry Shmidt6cb1f652014-03-21 10:54:03 -0700[diff] [blame]114 if (txt[len] == '\n' || txt[len] == '\r')
115 txt[len] = '\0';
116 else
117 break;
Dmitry Shmidtd5dc24e2014-03-12 14:22:04 -0700[diff] [blame]118 }
119 wpa_printf(MSG_MSGDUMP, "%s[%s]", title, txt);
120 os_free(txt);
121}
122
123
124static int curl_cb_debug(CURL *curl, curl_infotype info, char *buf, size_t len,
125 void *userdata)
126{
127 struct http_ctx *ctx = userdata;
128 switch (info) {
129 case CURLINFO_TEXT:
130 debug_dump(ctx, "CURLINFO_TEXT", buf, len);
131 break;
132 case CURLINFO_HEADER_IN:
133 debug_dump(ctx, "CURLINFO_HEADER_IN", buf, len);
134 break;
135 case CURLINFO_HEADER_OUT:
136 debug_dump(ctx, "CURLINFO_HEADER_OUT", buf, len);
137 break;
138 case CURLINFO_DATA_IN:
139 debug_dump(ctx, "CURLINFO_DATA_IN", buf, len);
140 break;
141 case CURLINFO_DATA_OUT:
142 debug_dump(ctx, "CURLINFO_DATA_OUT", buf, len);
143 break;
144 case CURLINFO_SSL_DATA_IN:
145 wpa_printf(MSG_DEBUG, "debug - CURLINFO_SSL_DATA_IN - %d",
146 (int) len);
147 break;
148 case CURLINFO_SSL_DATA_OUT:
149 wpa_printf(MSG_DEBUG, "debug - CURLINFO_SSL_DATA_OUT - %d",
150 (int) len);
151 break;
152 case CURLINFO_END:
153 wpa_printf(MSG_DEBUG, "debug - CURLINFO_END - %d",
154 (int) len);
155 break;
156 }
157 return 0;
158}
159
160
Dmitry Shmidtd5dc24e2014-03-12 14:22:04 -0700[diff] [blame]161static size_t curl_cb_write(void *ptr, size_t size, size_t nmemb,
162 void *userdata)
163{
164 struct http_ctx *ctx = userdata;
165 char *n;
Dmitry Shmidtd5dc24e2014-03-12 14:22:04 -0700[diff] [blame]166 n = os_realloc(ctx->curl_buf, ctx->curl_buf_len + size * nmemb + 1);
167 if (n == NULL)
168 return 0;
169 ctx->curl_buf = n;
170 os_memcpy(n + ctx->curl_buf_len, ptr, size * nmemb);
171 n[ctx->curl_buf_len + size * nmemb] = '\0';
172 ctx->curl_buf_len += size * nmemb;
173 return size * nmemb;
174}
175
176
177#ifdef EAP_TLS_OPENSSL
178
179static void debug_dump_cert(const char *title, X509 *cert)
180{
181 BIO *out;
182 char *txt;
183 size_t rlen;
184
185 out = BIO_new(BIO_s_mem());
186 if (!out)
187 return;
188
189 X509_print_ex(out, cert, XN_FLAG_COMPAT, X509_FLAG_COMPAT);
190 rlen = BIO_ctrl_pending(out);
191 txt = os_malloc(rlen + 1);
192 if (txt) {
193 int res = BIO_read(out, txt, rlen);
194 if (res > 0) {
195 txt[res] = '\0';
196 wpa_printf(MSG_MSGDUMP, "%s:\n%s", title, txt);
197 }
198 os_free(txt);
199 }
200 BIO_free(out);
201}
202
203
204static void add_alt_name_othername(struct http_ctx *ctx, struct http_cert *cert,
205 OTHERNAME *o)
206{
207 char txt[100];
208 int res;
209 struct http_othername *on;
210 ASN1_TYPE *val;
211
212 on = os_realloc_array(cert->othername, cert->num_othername + 1,
213 sizeof(struct http_othername));
214 if (on == NULL)
215 return;
216 cert->othername = on;
217 on = &on[cert->num_othername];
218 os_memset(on, 0, sizeof(*on));
219
220 res = OBJ_obj2txt(txt, sizeof(txt), o->type_id, 1);
221 if (res < 0 || res >= (int) sizeof(txt))
222 return;
223
224 on->oid = os_strdup(txt);
225 if (on->oid == NULL)
226 return;
227
228 val = o->value;
229 on->data = val->value.octet_string->data;
230 on->len = val->value.octet_string->length;
231
232 cert->num_othername++;
233}
234
235
236static void add_alt_name_dns(struct http_ctx *ctx, struct http_cert *cert,
237 ASN1_STRING *name)
238{
239 char *buf;
240 char **n;
241
242 buf = NULL;
243 if (ASN1_STRING_to_UTF8((unsigned char **) &buf, name) < 0)
244 return;
245
246 n = os_realloc_array(cert->dnsname, cert->num_dnsname + 1,
247 sizeof(char *));
248 if (n == NULL)
249 return;
250
251 cert->dnsname = n;
252 n[cert->num_dnsname] = buf;
253 cert->num_dnsname++;
254}
255
256
257static void add_alt_name(struct http_ctx *ctx, struct http_cert *cert,
258 const GENERAL_NAME *name)
259{
260 switch (name->type) {
261 case GEN_OTHERNAME:
262 add_alt_name_othername(ctx, cert, name->d.otherName);
263 break;
264 case GEN_DNS:
265 add_alt_name_dns(ctx, cert, name->d.dNSName);
266 break;
267 }
268}
269
270
271static void add_alt_names(struct http_ctx *ctx, struct http_cert *cert,
272 GENERAL_NAMES *names)
273{
274 int num, i;
275
276 num = sk_GENERAL_NAME_num(names);
277 for (i = 0; i < num; i++) {
278 const GENERAL_NAME *name;
279 name = sk_GENERAL_NAME_value(names, i);
280 add_alt_name(ctx, cert, name);
281 }
282}
283
284
285/* RFC 3709 */
286
287typedef struct {
288 X509_ALGOR *hashAlg;
289 ASN1_OCTET_STRING *hashValue;
290} HashAlgAndValue;
291
292typedef struct {
293 STACK_OF(HashAlgAndValue) *refStructHash;
294 STACK_OF(ASN1_IA5STRING) *refStructURI;
295} LogotypeReference;
296
297typedef struct {
298 ASN1_IA5STRING *mediaType;
299 STACK_OF(HashAlgAndValue) *logotypeHash;
300 STACK_OF(ASN1_IA5STRING) *logotypeURI;
301} LogotypeDetails;
302
303typedef struct {
304 int type;
305 union {
306 ASN1_INTEGER *numBits;
307 ASN1_INTEGER *tableSize;
308 } d;
309} LogotypeImageResolution;
310
311typedef struct {
312 ASN1_INTEGER *type; /* LogotypeImageType ::= INTEGER */
313 ASN1_INTEGER *fileSize;
314 ASN1_INTEGER *xSize;
315 ASN1_INTEGER *ySize;
316 LogotypeImageResolution *resolution;
317 ASN1_IA5STRING *language;
318} LogotypeImageInfo;
319
320typedef struct {
321 LogotypeDetails *imageDetails;
322 LogotypeImageInfo *imageInfo;
323} LogotypeImage;
324
325typedef struct {
326 ASN1_INTEGER *fileSize;
327 ASN1_INTEGER *playTime;
328 ASN1_INTEGER *channels;
329 ASN1_INTEGER *sampleRate;
330 ASN1_IA5STRING *language;
331} LogotypeAudioInfo;
332
333typedef struct {
334 LogotypeDetails *audioDetails;
335 LogotypeAudioInfo *audioInfo;
336} LogotypeAudio;
337
338typedef struct {
339 STACK_OF(LogotypeImage) *image;
340 STACK_OF(LogotypeAudio) *audio;
341} LogotypeData;
342
343typedef struct {
344 int type;
345 union {
346 LogotypeData *direct;
347 LogotypeReference *indirect;
348 } d;
349} LogotypeInfo;
350
351typedef struct {
352 ASN1_OBJECT *logotypeType;
353 LogotypeInfo *info;
354} OtherLogotypeInfo;
355
356typedef struct {
357 STACK_OF(LogotypeInfo) *communityLogos;
358 LogotypeInfo *issuerLogo;
359 LogotypeInfo *subjectLogo;
360 STACK_OF(OtherLogotypeInfo) *otherLogos;
361} LogotypeExtn;
362
363ASN1_SEQUENCE(HashAlgAndValue) = {
364 ASN1_SIMPLE(HashAlgAndValue, hashAlg, X509_ALGOR),
365 ASN1_SIMPLE(HashAlgAndValue, hashValue, ASN1_OCTET_STRING)
366} ASN1_SEQUENCE_END(HashAlgAndValue);
367
368ASN1_SEQUENCE(LogotypeReference) = {
369 ASN1_SEQUENCE_OF(LogotypeReference, refStructHash, HashAlgAndValue),
370 ASN1_SEQUENCE_OF(LogotypeReference, refStructURI, ASN1_IA5STRING)
371} ASN1_SEQUENCE_END(LogotypeReference);
372
373ASN1_SEQUENCE(LogotypeDetails) = {
374 ASN1_SIMPLE(LogotypeDetails, mediaType, ASN1_IA5STRING),
375 ASN1_SEQUENCE_OF(LogotypeDetails, logotypeHash, HashAlgAndValue),
376 ASN1_SEQUENCE_OF(LogotypeDetails, logotypeURI, ASN1_IA5STRING)
377} ASN1_SEQUENCE_END(LogotypeDetails);
378
379ASN1_CHOICE(LogotypeImageResolution) = {
380 ASN1_IMP(LogotypeImageResolution, d.numBits, ASN1_INTEGER, 1),
381 ASN1_IMP(LogotypeImageResolution, d.tableSize, ASN1_INTEGER, 2)
382} ASN1_CHOICE_END(LogotypeImageResolution);
383
384ASN1_SEQUENCE(LogotypeImageInfo) = {
385 ASN1_IMP_OPT(LogotypeImageInfo, type, ASN1_INTEGER, 0),
386 ASN1_SIMPLE(LogotypeImageInfo, fileSize, ASN1_INTEGER),
387 ASN1_SIMPLE(LogotypeImageInfo, xSize, ASN1_INTEGER),
388 ASN1_SIMPLE(LogotypeImageInfo, ySize, ASN1_INTEGER),
389 ASN1_OPT(LogotypeImageInfo, resolution, LogotypeImageResolution),
390 ASN1_IMP_OPT(LogotypeImageInfo, language, ASN1_IA5STRING, 4),
391} ASN1_SEQUENCE_END(LogotypeImageInfo);
392
393ASN1_SEQUENCE(LogotypeImage) = {
394 ASN1_SIMPLE(LogotypeImage, imageDetails, LogotypeDetails),
395 ASN1_OPT(LogotypeImage, imageInfo, LogotypeImageInfo)
396} ASN1_SEQUENCE_END(LogotypeImage);
397
398ASN1_SEQUENCE(LogotypeAudioInfo) = {
399 ASN1_SIMPLE(LogotypeAudioInfo, fileSize, ASN1_INTEGER),
400 ASN1_SIMPLE(LogotypeAudioInfo, playTime, ASN1_INTEGER),
401 ASN1_SIMPLE(LogotypeAudioInfo, channels, ASN1_INTEGER),
402 ASN1_IMP_OPT(LogotypeAudioInfo, sampleRate, ASN1_INTEGER, 3),
403 ASN1_IMP_OPT(LogotypeAudioInfo, language, ASN1_IA5STRING, 4)
404} ASN1_SEQUENCE_END(LogotypeAudioInfo);
405
406ASN1_SEQUENCE(LogotypeAudio) = {
407 ASN1_SIMPLE(LogotypeAudio, audioDetails, LogotypeDetails),
408 ASN1_OPT(LogotypeAudio, audioInfo, LogotypeAudioInfo)
409} ASN1_SEQUENCE_END(LogotypeAudio);
410
411ASN1_SEQUENCE(LogotypeData) = {
412 ASN1_SEQUENCE_OF_OPT(LogotypeData, image, LogotypeImage),
413 ASN1_IMP_SEQUENCE_OF_OPT(LogotypeData, audio, LogotypeAudio, 1)
414} ASN1_SEQUENCE_END(LogotypeData);
415
416ASN1_CHOICE(LogotypeInfo) = {
417 ASN1_IMP(LogotypeInfo, d.direct, LogotypeData, 0),
418 ASN1_IMP(LogotypeInfo, d.indirect, LogotypeReference, 1)
419} ASN1_CHOICE_END(LogotypeInfo);
420
421ASN1_SEQUENCE(OtherLogotypeInfo) = {
422 ASN1_SIMPLE(OtherLogotypeInfo, logotypeType, ASN1_OBJECT),
423 ASN1_SIMPLE(OtherLogotypeInfo, info, LogotypeInfo)
424} ASN1_SEQUENCE_END(OtherLogotypeInfo);
425
426ASN1_SEQUENCE(LogotypeExtn) = {
427 ASN1_EXP_SEQUENCE_OF_OPT(LogotypeExtn, communityLogos, LogotypeInfo, 0),
428 ASN1_EXP_OPT(LogotypeExtn, issuerLogo, LogotypeInfo, 1),
429 ASN1_EXP_OPT(LogotypeExtn, issuerLogo, LogotypeInfo, 2),
430 ASN1_EXP_SEQUENCE_OF_OPT(LogotypeExtn, otherLogos, OtherLogotypeInfo, 3)
431} ASN1_SEQUENCE_END(LogotypeExtn);
432
433IMPLEMENT_ASN1_FUNCTIONS(LogotypeExtn);
434
Hai Shalom74f70d42019-02-11 14:42:39 -0800[diff] [blame]435#if OPENSSL_VERSION_NUMBER < 0x10100000L
Dmitry Shmidtd5dc24e2014-03-12 14:22:04 -0700[diff] [blame]436#define sk_LogotypeInfo_num(st) SKM_sk_num(LogotypeInfo, (st))
437#define sk_LogotypeInfo_value(st, i) SKM_sk_value(LogotypeInfo, (st), (i))
438#define sk_LogotypeImage_num(st) SKM_sk_num(LogotypeImage, (st))
439#define sk_LogotypeImage_value(st, i) SKM_sk_value(LogotypeImage, (st), (i))
440#define sk_LogotypeAudio_num(st) SKM_sk_num(LogotypeAudio, (st))
441#define sk_LogotypeAudio_value(st, i) SKM_sk_value(LogotypeAudio, (st), (i))
442#define sk_HashAlgAndValue_num(st) SKM_sk_num(HashAlgAndValue, (st))
443#define sk_HashAlgAndValue_value(st, i) SKM_sk_value(HashAlgAndValue, (st), (i))
444#define sk_ASN1_IA5STRING_num(st) SKM_sk_num(ASN1_IA5STRING, (st))
445#define sk_ASN1_IA5STRING_value(st, i) SKM_sk_value(ASN1_IA5STRING, (st), (i))
Hai Shalom74f70d42019-02-11 14:42:39 -0800[diff] [blame]446#else
447DEFINE_STACK_OF(LogotypeInfo)
448DEFINE_STACK_OF(LogotypeImage)
449DEFINE_STACK_OF(LogotypeAudio)
450DEFINE_STACK_OF(HashAlgAndValue)
451DEFINE_STACK_OF(ASN1_IA5STRING)
452#endif
Dmitry Shmidtd5dc24e2014-03-12 14:22:04 -0700[diff] [blame]453
454
455static void add_logo(struct http_ctx *ctx, struct http_cert *hcert,
456 HashAlgAndValue *hash, ASN1_IA5STRING *uri)
457{
458 char txt[100];
459 int res, len;
460 struct http_logo *n;
461
462 if (hash == NULL || uri == NULL)
463 return;
464
465 res = OBJ_obj2txt(txt, sizeof(txt), hash->hashAlg->algorithm, 1);
466 if (res < 0 || res >= (int) sizeof(txt))
467 return;
468
469 n = os_realloc_array(hcert->logo, hcert->num_logo + 1,
470 sizeof(struct http_logo));
471 if (n == NULL)
472 return;
473 hcert->logo = n;
474 n = &hcert->logo[hcert->num_logo];
475 os_memset(n, 0, sizeof(*n));
476
477 n->alg_oid = os_strdup(txt);
478 if (n->alg_oid == NULL)
479 return;
480
481 n->hash_len = ASN1_STRING_length(hash->hashValue);
Hai Shalom74f70d42019-02-11 14:42:39 -0800[diff] [blame]482 n->hash = os_memdup(ASN1_STRING_get0_data(hash->hashValue),
483 n->hash_len);
Dmitry Shmidtd5dc24e2014-03-12 14:22:04 -0700[diff] [blame]484 if (n->hash == NULL) {
485 os_free(n->alg_oid);
486 return;
487 }
Dmitry Shmidtd5dc24e2014-03-12 14:22:04 -0700[diff] [blame]488
489 len = ASN1_STRING_length(uri);
490 n->uri = os_malloc(len + 1);
491 if (n->uri == NULL) {
492 os_free(n->alg_oid);
493 os_free(n->hash);
494 return;
495 }
Hai Shalom74f70d42019-02-11 14:42:39 -0800[diff] [blame]496 os_memcpy(n->uri, ASN1_STRING_get0_data(uri), len);
Dmitry Shmidtd5dc24e2014-03-12 14:22:04 -0700[diff] [blame]497 n->uri[len] = '\0';
498
499 hcert->num_logo++;
500}
501
502
503static void add_logo_direct(struct http_ctx *ctx, struct http_cert *hcert,
504 LogotypeData *data)
505{
506 int i, num;
507
508 if (data->image == NULL)
509 return;
510
511 num = sk_LogotypeImage_num(data->image);
512 for (i = 0; i < num; i++) {
513 LogotypeImage *image;
514 LogotypeDetails *details;
515 int j, hash_num, uri_num;
516 HashAlgAndValue *found_hash = NULL;
517
518 image = sk_LogotypeImage_value(data->image, i);
519 if (image == NULL)
520 continue;
521
522 details = image->imageDetails;
523 if (details == NULL)
524 continue;
525
526 hash_num = sk_HashAlgAndValue_num(details->logotypeHash);
527 for (j = 0; j < hash_num; j++) {
528 HashAlgAndValue *hash;
529 char txt[100];
530 int res;
531 hash = sk_HashAlgAndValue_value(details->logotypeHash,
532 j);
533 if (hash == NULL)
534 continue;
535 res = OBJ_obj2txt(txt, sizeof(txt),
536 hash->hashAlg->algorithm, 1);
537 if (res < 0 || res >= (int) sizeof(txt))
538 continue;
539 if (os_strcmp(txt, "2.16.840.1.101.3.4.2.1") == 0) {
540 found_hash = hash;
541 break;
542 }
543 }
544
545 if (!found_hash) {
546 wpa_printf(MSG_DEBUG, "OpenSSL: No SHA256 hash found for the logo");
547 continue;
548 }
549
550 uri_num = sk_ASN1_IA5STRING_num(details->logotypeURI);
551 for (j = 0; j < uri_num; j++) {
552 ASN1_IA5STRING *uri;
553 uri = sk_ASN1_IA5STRING_value(details->logotypeURI, j);
554 add_logo(ctx, hcert, found_hash, uri);
555 }
556 }
557}
558
559
560static void add_logo_indirect(struct http_ctx *ctx, struct http_cert *hcert,
561 LogotypeReference *ref)
562{
563 int j, hash_num, uri_num;
564
565 hash_num = sk_HashAlgAndValue_num(ref->refStructHash);
566 uri_num = sk_ASN1_IA5STRING_num(ref->refStructURI);
567 if (hash_num != uri_num) {
568 wpa_printf(MSG_INFO, "Unexpected LogotypeReference array size difference %d != %d",
569 hash_num, uri_num);
570 return;
571 }
572
573 for (j = 0; j < hash_num; j++) {
574 HashAlgAndValue *hash;
575 ASN1_IA5STRING *uri;
576 hash = sk_HashAlgAndValue_value(ref->refStructHash, j);
577 uri = sk_ASN1_IA5STRING_value(ref->refStructURI, j);
578 add_logo(ctx, hcert, hash, uri);
579 }
580}
581
582
583static void i2r_HashAlgAndValue(HashAlgAndValue *hash, BIO *out, int indent)
584{
585 int i;
586 const unsigned char *data;
587
588 BIO_printf(out, "%*shashAlg: ", indent, "");
589 i2a_ASN1_OBJECT(out, hash->hashAlg->algorithm);
590 BIO_printf(out, "\n");
591
592 BIO_printf(out, "%*shashValue: ", indent, "");
593 data = hash->hashValue->data;
594 for (i = 0; i < hash->hashValue->length; i++)
595 BIO_printf(out, "%s%02x", i > 0 ? ":" : "", data[i]);
596 BIO_printf(out, "\n");
597}
598
599static void i2r_LogotypeDetails(LogotypeDetails *details, BIO *out, int indent)
600{
601 int i, num;
602
603 BIO_printf(out, "%*sLogotypeDetails\n", indent, "");
604 if (details->mediaType) {
605 BIO_printf(out, "%*smediaType: ", indent, "");
606 ASN1_STRING_print(out, details->mediaType);
607 BIO_printf(out, "\n");
608 }
609
610 num = details->logotypeHash ?
611 sk_HashAlgAndValue_num(details->logotypeHash) : 0;
612 for (i = 0; i < num; i++) {
613 HashAlgAndValue *hash;
614 hash = sk_HashAlgAndValue_value(details->logotypeHash, i);
615 i2r_HashAlgAndValue(hash, out, indent);
616 }
617
618 num = details->logotypeURI ?
619 sk_ASN1_IA5STRING_num(details->logotypeURI) : 0;
620 for (i = 0; i < num; i++) {
621 ASN1_IA5STRING *uri;
622 uri = sk_ASN1_IA5STRING_value(details->logotypeURI, i);
623 BIO_printf(out, "%*slogotypeURI: ", indent, "");
624 ASN1_STRING_print(out, uri);
625 BIO_printf(out, "\n");
626 }
627}
628
629static void i2r_LogotypeImageInfo(LogotypeImageInfo *info, BIO *out, int indent)
630{
631 long val;
632
633 BIO_printf(out, "%*sLogotypeImageInfo\n", indent, "");
634 if (info->type) {
635 val = ASN1_INTEGER_get(info->type);
636 BIO_printf(out, "%*stype: %ld\n", indent, "", val);
637 } else {
638 BIO_printf(out, "%*stype: default (1)\n", indent, "");
639 }
Dmitry Shmidtb97e4282016-02-08 10:16:07 -0800[diff] [blame]640 val = ASN1_INTEGER_get(info->fileSize);
641 BIO_printf(out, "%*sfileSize: %ld\n", indent, "", val);
Dmitry Shmidtd5dc24e2014-03-12 14:22:04 -0700[diff] [blame]642 val = ASN1_INTEGER_get(info->xSize);
643 BIO_printf(out, "%*sxSize: %ld\n", indent, "", val);
644 val = ASN1_INTEGER_get(info->ySize);
645 BIO_printf(out, "%*sySize: %ld\n", indent, "", val);
646 if (info->resolution) {
Dmitry Shmidtb97e4282016-02-08 10:16:07 -0800[diff] [blame]647 BIO_printf(out, "%*sresolution [%d]\n", indent, "",
648 info->resolution->type);
649 switch (info->resolution->type) {
650 case 0:
651 val = ASN1_INTEGER_get(info->resolution->d.numBits);
652 BIO_printf(out, "%*snumBits: %ld\n", indent, "", val);
653 break;
654 case 1:
655 val = ASN1_INTEGER_get(info->resolution->d.tableSize);
656 BIO_printf(out, "%*stableSize: %ld\n", indent, "", val);
657 break;
658 }
Dmitry Shmidtd5dc24e2014-03-12 14:22:04 -0700[diff] [blame]659 }
660 if (info->language) {
661 BIO_printf(out, "%*slanguage: ", indent, "");
662 ASN1_STRING_print(out, info->language);
663 BIO_printf(out, "\n");
664 }
665}
666
667static void i2r_LogotypeImage(LogotypeImage *image, BIO *out, int indent)
668{
669 BIO_printf(out, "%*sLogotypeImage\n", indent, "");
670 if (image->imageDetails) {
671 i2r_LogotypeDetails(image->imageDetails, out, indent + 4);
672 }
673 if (image->imageInfo) {
674 i2r_LogotypeImageInfo(image->imageInfo, out, indent + 4);
675 }
676}
677
678static void i2r_LogotypeData(LogotypeData *data, const char *title, BIO *out,
679 int indent)
680{
681 int i, num;
682
683 BIO_printf(out, "%*s%s - LogotypeData\n", indent, "", title);
684
685 num = data->image ? sk_LogotypeImage_num(data->image) : 0;
686 for (i = 0; i < num; i++) {
687 LogotypeImage *image = sk_LogotypeImage_value(data->image, i);
688 i2r_LogotypeImage(image, out, indent + 4);
689 }
690
691 num = data->audio ? sk_LogotypeAudio_num(data->audio) : 0;
692 for (i = 0; i < num; i++) {
693 BIO_printf(out, "%*saudio: TODO\n", indent, "");
694 }
695}
696
697static void i2r_LogotypeReference(LogotypeReference *ref, const char *title,
698 BIO *out, int indent)
699{
700 int i, hash_num, uri_num;
701
702 BIO_printf(out, "%*s%s - LogotypeReference\n", indent, "", title);
703
704 hash_num = ref->refStructHash ?
705 sk_HashAlgAndValue_num(ref->refStructHash) : 0;
706 uri_num = ref->refStructURI ?
707 sk_ASN1_IA5STRING_num(ref->refStructURI) : 0;
708 if (hash_num != uri_num) {
709 BIO_printf(out, "%*sUnexpected LogotypeReference array size difference %d != %d\n",
710 indent, "", hash_num, uri_num);
711 return;
712 }
713
714 for (i = 0; i < hash_num; i++) {
715 HashAlgAndValue *hash;
716 ASN1_IA5STRING *uri;
717
718 hash = sk_HashAlgAndValue_value(ref->refStructHash, i);
719 i2r_HashAlgAndValue(hash, out, indent);
720
721 uri = sk_ASN1_IA5STRING_value(ref->refStructURI, i);
722 BIO_printf(out, "%*srefStructURI: ", indent, "");
723 ASN1_STRING_print(out, uri);
724 BIO_printf(out, "\n");
725 }
726}
727
728static void i2r_LogotypeInfo(LogotypeInfo *info, const char *title, BIO *out,
729 int indent)
730{
731 switch (info->type) {
732 case 0:
733 i2r_LogotypeData(info->d.direct, title, out, indent);
734 break;
735 case 1:
736 i2r_LogotypeReference(info->d.indirect, title, out, indent);
737 break;
738 }
739}
740
741static void debug_print_logotypeext(LogotypeExtn *logo)
742{
743 BIO *out;
744 int i, num;
745 int indent = 0;
746
747 out = BIO_new_fp(stdout, BIO_NOCLOSE);
748 if (out == NULL)
749 return;
750
751 if (logo->communityLogos) {
752 num = sk_LogotypeInfo_num(logo->communityLogos);
753 for (i = 0; i < num; i++) {
754 LogotypeInfo *info;
755 info = sk_LogotypeInfo_value(logo->communityLogos, i);
756 i2r_LogotypeInfo(info, "communityLogo", out, indent);
757 }
758 }
759
760 if (logo->issuerLogo) {
761 i2r_LogotypeInfo(logo->issuerLogo, "issuerLogo", out, indent );
762 }
763
764 if (logo->subjectLogo) {
765 i2r_LogotypeInfo(logo->subjectLogo, "subjectLogo", out, indent);
766 }
767
768 if (logo->otherLogos) {
769 BIO_printf(out, "%*sotherLogos - TODO\n", indent, "");
770 }
771
772 BIO_free(out);
773}
774
775
776static void add_logotype_ext(struct http_ctx *ctx, struct http_cert *hcert,
777 X509 *cert)
778{
779 ASN1_OBJECT *obj;
780 int pos;
781 X509_EXTENSION *ext;
782 ASN1_OCTET_STRING *os;
783 LogotypeExtn *logo;
784 const unsigned char *data;
785 int i, num;
786
787 obj = OBJ_txt2obj("1.3.6.1.5.5.7.1.12", 0);
788 if (obj == NULL)
789 return;
790
791 pos = X509_get_ext_by_OBJ(cert, obj, -1);
792 if (pos < 0) {
793 wpa_printf(MSG_INFO, "No logotype extension included");
794 return;
795 }
796
797 wpa_printf(MSG_INFO, "Parsing logotype extension");
798 ext = X509_get_ext(cert, pos);
799 if (!ext) {
800 wpa_printf(MSG_INFO, "Could not get logotype extension");
801 return;
802 }
803
804 os = X509_EXTENSION_get_data(ext);
805 if (os == NULL) {
806 wpa_printf(MSG_INFO, "Could not get logotype extension data");
807 return;
808 }
809
810 wpa_hexdump(MSG_DEBUG, "logotypeExtn",
Hai Shalom74f70d42019-02-11 14:42:39 -0800[diff] [blame]811 ASN1_STRING_get0_data(os), ASN1_STRING_length(os));
Dmitry Shmidtd5dc24e2014-03-12 14:22:04 -0700[diff] [blame]812
Hai Shalom74f70d42019-02-11 14:42:39 -0800[diff] [blame]813 data = ASN1_STRING_get0_data(os);
Dmitry Shmidtd5dc24e2014-03-12 14:22:04 -0700[diff] [blame]814 logo = d2i_LogotypeExtn(NULL, &data, ASN1_STRING_length(os));
815 if (logo == NULL) {
816 wpa_printf(MSG_INFO, "Failed to parse logotypeExtn");
817 return;
818 }
819
820 if (wpa_debug_level < MSG_INFO)
821 debug_print_logotypeext(logo);
822
823 if (!logo->communityLogos) {
824 wpa_printf(MSG_INFO, "No communityLogos included");
825 LogotypeExtn_free(logo);
826 return;
827 }
828
829 num = sk_LogotypeInfo_num(logo->communityLogos);
830 for (i = 0; i < num; i++) {
831 LogotypeInfo *info;
832 info = sk_LogotypeInfo_value(logo->communityLogos, i);
833 switch (info->type) {
834 case 0:
835 add_logo_direct(ctx, hcert, info->d.direct);
836 break;
837 case 1:
838 add_logo_indirect(ctx, hcert, info->d.indirect);
839 break;
840 }
841 }
842
843 LogotypeExtn_free(logo);
844}
845
846
847static void parse_cert(struct http_ctx *ctx, struct http_cert *hcert,
848 X509 *cert, GENERAL_NAMES **names)
849{
850 os_memset(hcert, 0, sizeof(*hcert));
851
852 *names = X509_get_ext_d2i(cert, NID_subject_alt_name, NULL, NULL);
Dmitry Shmidtd5ab1b52016-06-21 12:38:41 -0700[diff] [blame]853 if (*names)
Dmitry Shmidtd5dc24e2014-03-12 14:22:04 -0700[diff] [blame]854 add_alt_names(ctx, hcert, *names);
855
856 add_logotype_ext(ctx, hcert, cert);
857}
858
859
860static void parse_cert_free(struct http_cert *hcert, GENERAL_NAMES *names)
861{
862 unsigned int i;
863
864 for (i = 0; i < hcert->num_dnsname; i++)
865 OPENSSL_free(hcert->dnsname[i]);
866 os_free(hcert->dnsname);
867
868 for (i = 0; i < hcert->num_othername; i++)
869 os_free(hcert->othername[i].oid);
870 os_free(hcert->othername);
871
872 for (i = 0; i < hcert->num_logo; i++) {
873 os_free(hcert->logo[i].alg_oid);
874 os_free(hcert->logo[i].hash);
875 os_free(hcert->logo[i].uri);
876 }
877 os_free(hcert->logo);
878
879 sk_GENERAL_NAME_pop_free(names, GENERAL_NAME_free);
880}
881
882
883static int validate_server_cert(struct http_ctx *ctx, X509 *cert)
884{
885 GENERAL_NAMES *names;
886 struct http_cert hcert;
887 int ret;
888
Dmitry Shmidt912c6ec2015-03-30 13:16:51 -0700[diff] [blame]889 if (ctx->cert_cb == NULL) {
890 wpa_printf(MSG_DEBUG, "%s: no cert_cb configured", __func__);
Dmitry Shmidtd5dc24e2014-03-12 14:22:04 -0700[diff] [blame]891 return 0;
Dmitry Shmidt912c6ec2015-03-30 13:16:51 -0700[diff] [blame]892 }
Dmitry Shmidtd5dc24e2014-03-12 14:22:04 -0700[diff] [blame]893
894 if (0) {
895 BIO *out;
896 out = BIO_new_fp(stdout, BIO_NOCLOSE);
897 X509_print_ex(out, cert, XN_FLAG_COMPAT, X509_FLAG_COMPAT);
898 BIO_free(out);
899 }
900
901 parse_cert(ctx, &hcert, cert, &names);
902 ret = ctx->cert_cb(ctx->cert_cb_ctx, &hcert);
903 parse_cert_free(&hcert, names);
904
905 return ret;
906}
907
908
909void http_parse_x509_certificate(struct http_ctx *ctx, const char *fname)
910{
911 BIO *in, *out;
912 X509 *cert;
913 GENERAL_NAMES *names;
914 struct http_cert hcert;
915 unsigned int i;
916
917 in = BIO_new_file(fname, "r");
918 if (in == NULL) {
919 wpa_printf(MSG_ERROR, "Could not read '%s'", fname);
920 return;
921 }
922
923 cert = d2i_X509_bio(in, NULL);
924 BIO_free(in);
925
926 if (cert == NULL) {
927 wpa_printf(MSG_ERROR, "Could not parse certificate");
928 return;
929 }
930
931 out = BIO_new_fp(stdout, BIO_NOCLOSE);
932 if (out) {
933 X509_print_ex(out, cert, XN_FLAG_COMPAT,
934 X509_FLAG_COMPAT);
935 BIO_free(out);
936 }
937
938 wpa_printf(MSG_INFO, "Additional parsing information:");
939 parse_cert(ctx, &hcert, cert, &names);
940 for (i = 0; i < hcert.num_othername; i++) {
941 if (os_strcmp(hcert.othername[i].oid,
942 "1.3.6.1.4.1.40808.1.1.1") == 0) {
943 char *name = os_zalloc(hcert.othername[i].len + 1);
944 if (name) {
945 os_memcpy(name, hcert.othername[i].data,
946 hcert.othername[i].len);
947 wpa_printf(MSG_INFO,
948 "id-wfa-hotspot-friendlyName: %s",
949 name);
950 os_free(name);
951 }
952 wpa_hexdump_ascii(MSG_INFO,
953 "id-wfa-hotspot-friendlyName",
954 hcert.othername[i].data,
955 hcert.othername[i].len);
956 } else {
957 wpa_printf(MSG_INFO, "subjAltName[othername]: oid=%s",
958 hcert.othername[i].oid);
959 wpa_hexdump_ascii(MSG_INFO, "unknown othername",
960 hcert.othername[i].data,
961 hcert.othername[i].len);
962 }
963 }
964 parse_cert_free(&hcert, names);
965
966 X509_free(cert);
967}
968
969
970static int curl_cb_ssl_verify(int preverify_ok, X509_STORE_CTX *x509_ctx)
971{
972 struct http_ctx *ctx;
973 X509 *cert;
974 int err, depth;
975 char buf[256];
976 X509_NAME *name;
977 const char *err_str;
978 SSL *ssl;
979 SSL_CTX *ssl_ctx;
980
981 ssl = X509_STORE_CTX_get_ex_data(x509_ctx,
982 SSL_get_ex_data_X509_STORE_CTX_idx());
Dmitry Shmidtd2986c22017-10-23 14:22:09 -0700[diff] [blame]983 ssl_ctx = SSL_get_SSL_CTX(ssl);
Dmitry Shmidtd5dc24e2014-03-12 14:22:04 -0700[diff] [blame]984 ctx = SSL_CTX_get_app_data(ssl_ctx);
985
Dmitry Shmidt912c6ec2015-03-30 13:16:51 -0700[diff] [blame]986 wpa_printf(MSG_DEBUG, "curl_cb_ssl_verify, preverify_ok: %d",
987 preverify_ok);
Dmitry Shmidtd5dc24e2014-03-12 14:22:04 -0700[diff] [blame]988
989 err = X509_STORE_CTX_get_error(x509_ctx);
990 err_str = X509_verify_cert_error_string(err);
991 depth = X509_STORE_CTX_get_error_depth(x509_ctx);
992 cert = X509_STORE_CTX_get_current_cert(x509_ctx);
993 if (!cert) {
994 wpa_printf(MSG_INFO, "No server certificate available");
995 ctx->last_err = "No server certificate available";
996 return 0;
997 }
998
999 if (depth == 0)
1000 ctx->peer_cert = cert;
1001 else if (depth == 1)
1002 ctx->peer_issuer = cert;
1003 else if (depth == 2)
1004 ctx->peer_issuer_issuer = cert;
1005
1006 name = X509_get_subject_name(cert);
1007 X509_NAME_oneline(name, buf, sizeof(buf));
1008 wpa_printf(MSG_INFO, "Server certificate chain - depth=%d err=%d (%s) subject=%s",
1009 depth, err, err_str, buf);
1010 debug_dump_cert("Server certificate chain - certificate", cert);
1011
1012 if (depth == 0 && preverify_ok && validate_server_cert(ctx, cert) < 0)
1013 return 0;
1014
Dmitry Shmidtd7ff03d2015-12-04 14:49:35 -0800[diff] [blame]1015#ifdef OPENSSL_IS_BORINGSSL
1016 if (depth == 0 && ctx->ocsp != NO_OCSP && preverify_ok) {
1017 enum ocsp_result res;
1018
1019 res = check_ocsp_resp(ssl_ctx, ssl, cert, ctx->peer_issuer,
1020 ctx->peer_issuer_issuer);
1021 if (res == OCSP_REVOKED) {
1022 preverify_ok = 0;
1023 wpa_printf(MSG_INFO, "OCSP: certificate revoked");
1024 if (err == X509_V_OK)
1025 X509_STORE_CTX_set_error(
1026 x509_ctx, X509_V_ERR_CERT_REVOKED);
1027 } else if (res != OCSP_GOOD && (ctx->ocsp == MANDATORY_OCSP)) {
1028 preverify_ok = 0;
1029 wpa_printf(MSG_INFO,
1030 "OCSP: bad certificate status response");
1031 }
1032 }
1033#endif /* OPENSSL_IS_BORINGSSL */
1034
Dmitry Shmidtd5dc24e2014-03-12 14:22:04 -0700[diff] [blame]1035 if (!preverify_ok)
1036 ctx->last_err = "TLS validation failed";
1037
1038 return preverify_ok;
1039}
1040
1041
1042#ifdef HAVE_OCSP
1043
1044static void ocsp_debug_print_resp(OCSP_RESPONSE *rsp)
1045{
1046 BIO *out;
1047 size_t rlen;
1048 char *txt;
1049 int res;
1050
1051 out = BIO_new(BIO_s_mem());
1052 if (!out)
1053 return;
1054
1055 OCSP_RESPONSE_print(out, rsp, 0);
1056 rlen = BIO_ctrl_pending(out);
1057 txt = os_malloc(rlen + 1);
1058 if (!txt) {
1059 BIO_free(out);
1060 return;
1061 }
1062
1063 res = BIO_read(out, txt, rlen);
1064 if (res > 0) {
1065 txt[res] = '\0';
1066 wpa_printf(MSG_MSGDUMP, "OpenSSL: OCSP Response\n%s", txt);
1067 }
1068 os_free(txt);
1069 BIO_free(out);
1070}
1071
1072
1073static void tls_show_errors(const char *func, const char *txt)
1074{
1075 unsigned long err;
1076
1077 wpa_printf(MSG_DEBUG, "OpenSSL: %s - %s %s",
1078 func, txt, ERR_error_string(ERR_get_error(), NULL));
1079
1080 while ((err = ERR_get_error())) {
1081 wpa_printf(MSG_DEBUG, "OpenSSL: pending error: %s",
1082 ERR_error_string(err, NULL));
1083 }
1084}
1085
1086
1087static int ocsp_resp_cb(SSL *s, void *arg)
1088{
1089 struct http_ctx *ctx = arg;
1090 const unsigned char *p;
Dmitry Shmidtd2986c22017-10-23 14:22:09 -0700[diff] [blame]1091 int len, status, reason, res;
Dmitry Shmidtd5dc24e2014-03-12 14:22:04 -0700[diff] [blame]1092 OCSP_RESPONSE *rsp;
1093 OCSP_BASICRESP *basic;
1094 OCSP_CERTID *id;
1095 ASN1_GENERALIZEDTIME *produced_at, *this_update, *next_update;
1096 X509_STORE *store;
1097 STACK_OF(X509) *certs = NULL;
1098
1099 len = SSL_get_tlsext_status_ocsp_resp(s, &p);
1100 if (!p) {
1101 wpa_printf(MSG_DEBUG, "OpenSSL: No OCSP response received");
1102 if (ctx->ocsp == MANDATORY_OCSP)
1103 ctx->last_err = "No OCSP response received";
1104 return (ctx->ocsp == MANDATORY_OCSP) ? 0 : 1;
1105 }
1106
1107 wpa_hexdump(MSG_DEBUG, "OpenSSL: OCSP response", p, len);
1108
1109 rsp = d2i_OCSP_RESPONSE(NULL, &p, len);
1110 if (!rsp) {
1111 wpa_printf(MSG_INFO, "OpenSSL: Failed to parse OCSP response");
1112 ctx->last_err = "Failed to parse OCSP response";
1113 return 0;
1114 }
1115
1116 ocsp_debug_print_resp(rsp);
1117
1118 status = OCSP_response_status(rsp);
1119 if (status != OCSP_RESPONSE_STATUS_SUCCESSFUL) {
1120 wpa_printf(MSG_INFO, "OpenSSL: OCSP responder error %d (%s)",
1121 status, OCSP_response_status_str(status));
1122 ctx->last_err = "OCSP responder error";
1123 return 0;
1124 }
1125
1126 basic = OCSP_response_get1_basic(rsp);
1127 if (!basic) {
1128 wpa_printf(MSG_INFO, "OpenSSL: Could not find BasicOCSPResponse");
1129 ctx->last_err = "Could not find BasicOCSPResponse";
1130 return 0;
1131 }
1132
Hai Shalom74f70d42019-02-11 14:42:39 -0800[diff] [blame]1133 store = SSL_CTX_get_cert_store(SSL_get_SSL_CTX(s));
Dmitry Shmidtd5dc24e2014-03-12 14:22:04 -0700[diff] [blame]1134 if (ctx->peer_issuer) {
1135 wpa_printf(MSG_DEBUG, "OpenSSL: Add issuer");
1136 debug_dump_cert("OpenSSL: Issuer certificate",
1137 ctx->peer_issuer);
1138
1139 if (X509_STORE_add_cert(store, ctx->peer_issuer) != 1) {
1140 tls_show_errors(__func__,
Dmitry Shmidt7f656022015-02-25 14:36:37 -0800[diff] [blame]1141 "OpenSSL: Could not add issuer to certificate store");
Dmitry Shmidtd5dc24e2014-03-12 14:22:04 -0700[diff] [blame]1142 }
1143 certs = sk_X509_new_null();
1144 if (certs) {
1145 X509 *cert;
1146 cert = X509_dup(ctx->peer_issuer);
1147 if (cert && !sk_X509_push(certs, cert)) {
1148 tls_show_errors(
1149 __func__,
Dmitry Shmidt7f656022015-02-25 14:36:37 -0800[diff] [blame]1150 "OpenSSL: Could not add issuer to OCSP responder trust store");
Dmitry Shmidtd5dc24e2014-03-12 14:22:04 -0700[diff] [blame]1151 X509_free(cert);
1152 sk_X509_free(certs);
1153 certs = NULL;
1154 }
Dmitry Shmidt7f656022015-02-25 14:36:37 -0800[diff] [blame]1155 if (certs && ctx->peer_issuer_issuer) {
Dmitry Shmidtd5dc24e2014-03-12 14:22:04 -0700[diff] [blame]1156 cert = X509_dup(ctx->peer_issuer_issuer);
1157 if (cert && !sk_X509_push(certs, cert)) {
1158 tls_show_errors(
1159 __func__,
Dmitry Shmidt7f656022015-02-25 14:36:37 -0800[diff] [blame]1160 "OpenSSL: Could not add issuer's issuer to OCSP responder trust store");
Dmitry Shmidtd5dc24e2014-03-12 14:22:04 -0700[diff] [blame]1161 X509_free(cert);
1162 }
1163 }
1164 }
1165 }
1166
1167 status = OCSP_basic_verify(basic, certs, store, OCSP_TRUSTOTHER);
1168 sk_X509_pop_free(certs, X509_free);
1169 if (status <= 0) {
1170 tls_show_errors(__func__,
1171 "OpenSSL: OCSP response failed verification");
1172 OCSP_BASICRESP_free(basic);
1173 OCSP_RESPONSE_free(rsp);
1174 ctx->last_err = "OCSP response failed verification";
1175 return 0;
1176 }
1177
1178 wpa_printf(MSG_DEBUG, "OpenSSL: OCSP response verification succeeded");
1179
1180 if (!ctx->peer_cert) {
1181 wpa_printf(MSG_DEBUG, "OpenSSL: Peer certificate not available for OCSP status check");
1182 OCSP_BASICRESP_free(basic);
1183 OCSP_RESPONSE_free(rsp);
1184 ctx->last_err = "Peer certificate not available for OCSP status check";
1185 return 0;
1186 }
1187
1188 if (!ctx->peer_issuer) {
1189 wpa_printf(MSG_DEBUG, "OpenSSL: Peer issuer certificate not available for OCSP status check");
1190 OCSP_BASICRESP_free(basic);
1191 OCSP_RESPONSE_free(rsp);
1192 ctx->last_err = "Peer issuer certificate not available for OCSP status check";
1193 return 0;
1194 }
1195
Dmitry Shmidtd2986c22017-10-23 14:22:09 -0700[diff] [blame]1196 id = OCSP_cert_to_id(EVP_sha256(), ctx->peer_cert, ctx->peer_issuer);
Dmitry Shmidtd5dc24e2014-03-12 14:22:04 -0700[diff] [blame]1197 if (!id) {
Dmitry Shmidtd2986c22017-10-23 14:22:09 -0700[diff] [blame]1198 wpa_printf(MSG_DEBUG,
1199 "OpenSSL: Could not create OCSP certificate identifier (SHA256)");
Dmitry Shmidtd5dc24e2014-03-12 14:22:04 -0700[diff] [blame]1200 OCSP_BASICRESP_free(basic);
1201 OCSP_RESPONSE_free(rsp);
1202 ctx->last_err = "Could not create OCSP certificate identifier";
1203 return 0;
1204 }
1205
Dmitry Shmidtd2986c22017-10-23 14:22:09 -0700[diff] [blame]1206 res = OCSP_resp_find_status(basic, id, &status, &reason, &produced_at,
1207 &this_update, &next_update);
1208 if (!res) {
1209 id = OCSP_cert_to_id(NULL, ctx->peer_cert, ctx->peer_issuer);
1210 if (!id) {
1211 wpa_printf(MSG_DEBUG,
1212 "OpenSSL: Could not create OCSP certificate identifier (SHA1)");
1213 OCSP_BASICRESP_free(basic);
1214 OCSP_RESPONSE_free(rsp);
1215 ctx->last_err =
1216 "Could not create OCSP certificate identifier";
1217 return 0;
1218 }
1219
1220 res = OCSP_resp_find_status(basic, id, &status, &reason,
1221 &produced_at, &this_update,
1222 &next_update);
1223 }
1224
1225 if (!res) {
Dmitry Shmidtd5dc24e2014-03-12 14:22:04 -0700[diff] [blame]1226 wpa_printf(MSG_INFO, "OpenSSL: Could not find current server certificate from OCSP response%s",
1227 (ctx->ocsp == MANDATORY_OCSP) ? "" :
1228 " (OCSP not required)");
Dmitry Shmidt57c2d392016-02-23 13:40:19 -0800[diff] [blame]1229 OCSP_CERTID_free(id);
Dmitry Shmidtd5dc24e2014-03-12 14:22:04 -0700[diff] [blame]1230 OCSP_BASICRESP_free(basic);
1231 OCSP_RESPONSE_free(rsp);
1232 if (ctx->ocsp == MANDATORY_OCSP)
1233
1234 ctx->last_err = "Could not find current server certificate from OCSP response";
1235 return (ctx->ocsp == MANDATORY_OCSP) ? 0 : 1;
1236 }
Dmitry Shmidt57c2d392016-02-23 13:40:19 -0800[diff] [blame]1237 OCSP_CERTID_free(id);
Dmitry Shmidtd5dc24e2014-03-12 14:22:04 -0700[diff] [blame]1238
1239 if (!OCSP_check_validity(this_update, next_update, 5 * 60, -1)) {
1240 tls_show_errors(__func__, "OpenSSL: OCSP status times invalid");
1241 OCSP_BASICRESP_free(basic);
1242 OCSP_RESPONSE_free(rsp);
1243 ctx->last_err = "OCSP status times invalid";
1244 return 0;
1245 }
1246
1247 OCSP_BASICRESP_free(basic);
1248 OCSP_RESPONSE_free(rsp);
1249
1250 wpa_printf(MSG_DEBUG, "OpenSSL: OCSP status for server certificate: %s",
1251 OCSP_cert_status_str(status));
1252
1253 if (status == V_OCSP_CERTSTATUS_GOOD)
1254 return 1;
Dmitry Shmidt661b4f72014-09-29 14:58:27 -0700[diff] [blame]1255 if (status == V_OCSP_CERTSTATUS_REVOKED) {
Dmitry Shmidtd5dc24e2014-03-12 14:22:04 -0700[diff] [blame]1256 ctx->last_err = "Server certificate has been revoked";
1257 return 0;
Dmitry Shmidt661b4f72014-09-29 14:58:27 -0700[diff] [blame]1258 }
Dmitry Shmidtd5dc24e2014-03-12 14:22:04 -0700[diff] [blame]1259 if (ctx->ocsp == MANDATORY_OCSP) {
1260 wpa_printf(MSG_DEBUG, "OpenSSL: OCSP status unknown, but OCSP required");
1261 ctx->last_err = "OCSP status unknown";
1262 return 0;
1263 }
1264 wpa_printf(MSG_DEBUG, "OpenSSL: OCSP status unknown, but OCSP was not required, so allow connection to continue");
1265 return 1;
1266}
1267
1268
Hai Shalom74f70d42019-02-11 14:42:39 -0800[diff] [blame]1269#if OPENSSL_VERSION_NUMBER < 0x10100000L
Dmitry Shmidtd5dc24e2014-03-12 14:22:04 -0700[diff] [blame]1270static SSL_METHOD patch_ssl_method;
1271static const SSL_METHOD *real_ssl_method;
1272
1273static int curl_patch_ssl_new(SSL *s)
1274{
Hai Shalom74f70d42019-02-11 14:42:39 -0800[diff] [blame]1275 SSL_CTX *ssl = SSL_get_SSL_CTX(s);
Dmitry Shmidtd5dc24e2014-03-12 14:22:04 -0700[diff] [blame]1276 int ret;
1277
1278 ssl->method = real_ssl_method;
1279 s->method = real_ssl_method;
1280
1281 ret = s->method->ssl_new(s);
1282 SSL_set_tlsext_status_type(s, TLSEXT_STATUSTYPE_ocsp);
1283
1284 return ret;
1285}
Hai Shalom74f70d42019-02-11 14:42:39 -0800[diff] [blame]1286#endif /* OpenSSL < 1.1.0 */
Dmitry Shmidtd5dc24e2014-03-12 14:22:04 -0700[diff] [blame]1287
1288#endif /* HAVE_OCSP */
1289
1290
1291static CURLcode curl_cb_ssl(CURL *curl, void *sslctx, void *parm)
1292{
1293 struct http_ctx *ctx = parm;
1294 SSL_CTX *ssl = sslctx;
1295
1296 wpa_printf(MSG_DEBUG, "curl_cb_ssl");
1297 SSL_CTX_set_app_data(ssl, ctx);
1298 SSL_CTX_set_verify(ssl, SSL_VERIFY_PEER, curl_cb_ssl_verify);
1299
1300#ifdef HAVE_OCSP
1301 if (ctx->ocsp != NO_OCSP) {
1302 SSL_CTX_set_tlsext_status_cb(ssl, ocsp_resp_cb);
1303 SSL_CTX_set_tlsext_status_arg(ssl, ctx);
1304
Hai Shalom74f70d42019-02-11 14:42:39 -0800[diff] [blame]1305#if OPENSSL_VERSION_NUMBER < 0x10100000L
Dmitry Shmidtd5dc24e2014-03-12 14:22:04 -0700[diff] [blame]1306 /*
1307 * Use a temporary SSL_METHOD to get a callback on SSL_new()
1308 * from libcurl since there is no proper callback registration
1309 * available for this.
1310 */
1311 os_memset(&patch_ssl_method, 0, sizeof(patch_ssl_method));
1312 patch_ssl_method.ssl_new = curl_patch_ssl_new;
1313 real_ssl_method = ssl->method;
1314 ssl->method = &patch_ssl_method;
Hai Shalom74f70d42019-02-11 14:42:39 -0800[diff] [blame]1315#endif /* OpenSSL < 1.1.0 */
Dmitry Shmidtd5dc24e2014-03-12 14:22:04 -0700[diff] [blame]1316 }
1317#endif /* HAVE_OCSP */
1318
1319 return CURLE_OK;
1320}
1321
1322#endif /* EAP_TLS_OPENSSL */
1323
1324
1325static CURL * setup_curl_post(struct http_ctx *ctx, const char *address,
1326 const char *ca_fname, const char *username,
1327 const char *password, const char *client_cert,
1328 const char *client_key)
1329{
1330 CURL *curl;
Dmitry Shmidt912c6ec2015-03-30 13:16:51 -0700[diff] [blame]1331#ifdef EAP_TLS_OPENSSL
1332 const char *extra = " tls=openssl";
1333#else /* EAP_TLS_OPENSSL */
1334 const char *extra = "";
1335#endif /* EAP_TLS_OPENSSL */
Dmitry Shmidtd5dc24e2014-03-12 14:22:04 -0700[diff] [blame]1336
1337 wpa_printf(MSG_DEBUG, "Start HTTP client: address=%s ca_fname=%s "
Dmitry Shmidt912c6ec2015-03-30 13:16:51 -0700[diff] [blame]1338 "username=%s%s", address, ca_fname, username, extra);
Dmitry Shmidtd5dc24e2014-03-12 14:22:04 -0700[diff] [blame]1339
1340 curl = curl_easy_init();
1341 if (curl == NULL)
1342 return NULL;
1343
1344 curl_easy_setopt(curl, CURLOPT_URL, address);
1345 curl_easy_setopt(curl, CURLOPT_POST, 1L);
1346 if (ca_fname) {
1347 curl_easy_setopt(curl, CURLOPT_CAINFO, ca_fname);
1348 curl_easy_setopt(curl, CURLOPT_SSL_VERIFYPEER, 1L);
1349#ifdef EAP_TLS_OPENSSL
1350 curl_easy_setopt(curl, CURLOPT_SSL_CTX_FUNCTION, curl_cb_ssl);
1351 curl_easy_setopt(curl, CURLOPT_SSL_CTX_DATA, ctx);
Hai Shalom74f70d42019-02-11 14:42:39 -0800[diff] [blame]1352#if defined(OPENSSL_IS_BORINGSSL) || (OPENSSL_VERSION_NUMBER >= 0x10100000L)
Dmitry Shmidtd7ff03d2015-12-04 14:49:35 -0800[diff] [blame]1353 /* For now, using the CURLOPT_SSL_VERIFYSTATUS option only
1354 * with BoringSSL since the OpenSSL specific callback hack to
1355 * enable OCSP is not available with BoringSSL. The OCSP
1356 * implementation within libcurl is not sufficient for the
1357 * Hotspot 2.0 OSU needs, so cannot use this with OpenSSL.
1358 */
1359 if (ctx->ocsp != NO_OCSP)
1360 curl_easy_setopt(curl, CURLOPT_SSL_VERIFYSTATUS, 1L);
1361#endif /* OPENSSL_IS_BORINGSSL */
Dmitry Shmidtd5dc24e2014-03-12 14:22:04 -0700[diff] [blame]1362#endif /* EAP_TLS_OPENSSL */
1363 } else {
1364 curl_easy_setopt(curl, CURLOPT_SSL_VERIFYPEER, 0L);
1365 }
1366 if (client_cert && client_key) {
1367 curl_easy_setopt(curl, CURLOPT_SSLCERT, client_cert);
1368 curl_easy_setopt(curl, CURLOPT_SSLKEY, client_key);
1369 }
1370 /* TODO: use curl_easy_getinfo() with CURLINFO_CERTINFO to fetch
1371 * information about the server certificate */
1372 curl_easy_setopt(curl, CURLOPT_CERTINFO, 1L);
1373 curl_easy_setopt(curl, CURLOPT_DEBUGFUNCTION, curl_cb_debug);
1374 curl_easy_setopt(curl, CURLOPT_DEBUGDATA, ctx);
Dmitry Shmidtd5dc24e2014-03-12 14:22:04 -0700[diff] [blame]1375 curl_easy_setopt(curl, CURLOPT_WRITEFUNCTION, curl_cb_write);
1376 curl_easy_setopt(curl, CURLOPT_WRITEDATA, ctx);
1377 curl_easy_setopt(curl, CURLOPT_VERBOSE, 1L);
1378 if (username) {
1379 curl_easy_setopt(curl, CURLOPT_HTTPAUTH, CURLAUTH_ANYSAFE);
1380 curl_easy_setopt(curl, CURLOPT_USERNAME, username);
1381 curl_easy_setopt(curl, CURLOPT_PASSWORD, password);
1382 }
1383
1384 return curl;
1385}
1386
1387
1388static int post_init_client(struct http_ctx *ctx, const char *address,
1389 const char *ca_fname, const char *username,
1390 const char *password, const char *client_cert,
1391 const char *client_key)
1392{
1393 char *pos;
1394 int count;
1395
1396 clone_str(&ctx->svc_address, address);
1397 clone_str(&ctx->svc_ca_fname, ca_fname);
1398 clone_str(&ctx->svc_username, username);
1399 clone_str(&ctx->svc_password, password);
1400 clone_str(&ctx->svc_client_cert, client_cert);
1401 clone_str(&ctx->svc_client_key, client_key);
1402
1403 /*
1404 * Workaround for Apache "Hostname 'FOO' provided via SNI and hostname
1405 * 'foo' provided via HTTP are different.
1406 */
1407 for (count = 0, pos = ctx->svc_address; count < 3 && pos && *pos;
1408 pos++) {
1409 if (*pos == '/')
1410 count++;
1411 *pos = tolower(*pos);
1412 }
1413
1414 ctx->curl = setup_curl_post(ctx, ctx->svc_address, ca_fname, username,
1415 password, client_cert, client_key);
1416 if (ctx->curl == NULL)
1417 return -1;
1418
1419 return 0;
1420}
1421
1422
1423int soap_init_client(struct http_ctx *ctx, const char *address,
1424 const char *ca_fname, const char *username,
1425 const char *password, const char *client_cert,
1426 const char *client_key)
1427{
1428 if (post_init_client(ctx, address, ca_fname, username, password,
1429 client_cert, client_key) < 0)
1430 return -1;
1431
1432 ctx->curl_hdr = curl_slist_append(ctx->curl_hdr,
1433 "Content-Type: application/soap+xml");
1434 ctx->curl_hdr = curl_slist_append(ctx->curl_hdr, "SOAPAction: ");
1435 ctx->curl_hdr = curl_slist_append(ctx->curl_hdr, "Expect:");
1436 curl_easy_setopt(ctx->curl, CURLOPT_HTTPHEADER, ctx->curl_hdr);
1437
1438 return 0;
1439}
1440
1441
1442int soap_reinit_client(struct http_ctx *ctx)
1443{
1444 char *address = NULL;
1445 char *ca_fname = NULL;
1446 char *username = NULL;
1447 char *password = NULL;
1448 char *client_cert = NULL;
1449 char *client_key = NULL;
1450 int ret;
1451
1452 clear_curl(ctx);
1453
1454 clone_str(&address, ctx->svc_address);
1455 clone_str(&ca_fname, ctx->svc_ca_fname);
1456 clone_str(&username, ctx->svc_username);
1457 clone_str(&password, ctx->svc_password);
1458 clone_str(&client_cert, ctx->svc_client_cert);
1459 clone_str(&client_key, ctx->svc_client_key);
1460
1461 ret = soap_init_client(ctx, address, ca_fname, username, password,
1462 client_cert, client_key);
1463 os_free(address);
1464 os_free(ca_fname);
Dmitry Shmidtc2817022014-07-02 10:32:10 -0700[diff] [blame]1465 str_clear_free(username);
1466 str_clear_free(password);
Dmitry Shmidtd5dc24e2014-03-12 14:22:04 -0700[diff] [blame]1467 os_free(client_cert);
1468 os_free(client_key);
1469 return ret;
1470}
1471
1472
1473static void free_curl_buf(struct http_ctx *ctx)
1474{
1475 os_free(ctx->curl_buf);
1476 ctx->curl_buf = NULL;
1477 ctx->curl_buf_len = 0;
1478}
1479
1480
1481xml_node_t * soap_send_receive(struct http_ctx *ctx, xml_node_t *node)
1482{
1483 char *str;
1484 xml_node_t *envelope, *ret, *resp, *n;
1485 CURLcode res;
1486 long http = 0;
1487
1488 ctx->last_err = NULL;
1489
1490 wpa_printf(MSG_DEBUG, "SOAP: Sending message");
1491 envelope = soap_build_envelope(ctx->xml, node);
1492 str = xml_node_to_str(ctx->xml, envelope);
1493 xml_node_free(ctx->xml, envelope);
1494 wpa_printf(MSG_MSGDUMP, "SOAP[%s]", str);
1495
1496 curl_easy_setopt(ctx->curl, CURLOPT_POSTFIELDS, str);
1497 free_curl_buf(ctx);
1498
1499 res = curl_easy_perform(ctx->curl);
1500 if (res != CURLE_OK) {
1501 if (!ctx->last_err)
1502 ctx->last_err = curl_easy_strerror(res);
1503 wpa_printf(MSG_ERROR, "curl_easy_perform() failed: %s",
1504 ctx->last_err);
1505 os_free(str);
1506 free_curl_buf(ctx);
1507 return NULL;
1508 }
1509 os_free(str);
1510
1511 curl_easy_getinfo(ctx->curl, CURLINFO_RESPONSE_CODE, &http);
1512 wpa_printf(MSG_DEBUG, "SOAP: Server response code %ld", http);
1513 if (http != 200) {
1514 ctx->last_err = "HTTP download failed";
1515 wpa_printf(MSG_INFO, "HTTP download failed - code %ld", http);
1516 free_curl_buf(ctx);
1517 return NULL;
1518 }
1519
1520 if (ctx->curl_buf == NULL)
1521 return NULL;
1522
1523 wpa_printf(MSG_MSGDUMP, "Server response:\n%s", ctx->curl_buf);
1524 resp = xml_node_from_buf(ctx->xml, ctx->curl_buf);
1525 free_curl_buf(ctx);
1526 if (resp == NULL) {
1527 wpa_printf(MSG_INFO, "Could not parse SOAP response");
1528 ctx->last_err = "Could not parse SOAP response";
1529 return NULL;
1530 }
1531
1532 ret = soap_get_body(ctx->xml, resp);
1533 if (ret == NULL) {
1534 wpa_printf(MSG_INFO, "Could not get SOAP body");
1535 ctx->last_err = "Could not get SOAP body";
1536 return NULL;
1537 }
1538
1539 wpa_printf(MSG_DEBUG, "SOAP body localname: '%s'",
1540 xml_node_get_localname(ctx->xml, ret));
1541 n = xml_node_copy(ctx->xml, ret);
1542 xml_node_free(ctx->xml, resp);
1543
1544 return n;
1545}
1546
1547
1548struct http_ctx * http_init_ctx(void *upper_ctx, struct xml_node_ctx *xml_ctx)
1549{
1550 struct http_ctx *ctx;
1551
1552 ctx = os_zalloc(sizeof(*ctx));
1553 if (ctx == NULL)
1554 return NULL;
1555 ctx->ctx = upper_ctx;
1556 ctx->xml = xml_ctx;
1557 ctx->ocsp = OPTIONAL_OCSP;
1558
1559 curl_global_init(CURL_GLOBAL_ALL);
1560
1561 return ctx;
1562}
1563
1564
1565void http_ocsp_set(struct http_ctx *ctx, int val)
1566{
1567 if (val == 0)
1568 ctx->ocsp = NO_OCSP;
1569 else if (val == 1)
1570 ctx->ocsp = OPTIONAL_OCSP;
1571 if (val == 2)
1572 ctx->ocsp = MANDATORY_OCSP;
1573}
1574
1575
1576void http_deinit_ctx(struct http_ctx *ctx)
1577{
1578 clear_curl(ctx);
1579 os_free(ctx->curl_buf);
1580 curl_global_cleanup();
1581
1582 os_free(ctx->svc_address);
1583 os_free(ctx->svc_ca_fname);
Dmitry Shmidtc2817022014-07-02 10:32:10 -0700[diff] [blame]1584 str_clear_free(ctx->svc_username);
1585 str_clear_free(ctx->svc_password);
Dmitry Shmidtd5dc24e2014-03-12 14:22:04 -0700[diff] [blame]1586 os_free(ctx->svc_client_cert);
1587 os_free(ctx->svc_client_key);
1588
1589 os_free(ctx);
1590}
1591
1592
1593int http_download_file(struct http_ctx *ctx, const char *url,
1594 const char *fname, const char *ca_fname)
1595{
1596 CURL *curl;
1597 FILE *f;
1598 CURLcode res;
1599 long http = 0;
1600
1601 ctx->last_err = NULL;
1602
1603 wpa_printf(MSG_DEBUG, "curl: Download file from %s to %s (ca=%s)",
1604 url, fname, ca_fname);
1605 curl = curl_easy_init();
1606 if (curl == NULL)
1607 return -1;
1608
1609 f = fopen(fname, "wb");
1610 if (f == NULL) {
1611 curl_easy_cleanup(curl);
1612 return -1;
1613 }
1614
1615 curl_easy_setopt(curl, CURLOPT_URL, url);
1616 if (ca_fname) {
1617 curl_easy_setopt(curl, CURLOPT_CAINFO, ca_fname);
1618 curl_easy_setopt(curl, CURLOPT_SSL_VERIFYPEER, 1L);
1619 curl_easy_setopt(curl, CURLOPT_CERTINFO, 1L);
1620 } else {
1621 curl_easy_setopt(curl, CURLOPT_SSL_VERIFYPEER, 0L);
1622 }
1623 curl_easy_setopt(curl, CURLOPT_DEBUGFUNCTION, curl_cb_debug);
1624 curl_easy_setopt(curl, CURLOPT_DEBUGDATA, ctx);
Dmitry Shmidtd5dc24e2014-03-12 14:22:04 -0700[diff] [blame]1625 curl_easy_setopt(curl, CURLOPT_WRITEFUNCTION, fwrite);
1626 curl_easy_setopt(curl, CURLOPT_WRITEDATA, f);
1627 curl_easy_setopt(curl, CURLOPT_VERBOSE, 1L);
1628
1629 res = curl_easy_perform(curl);
1630 if (res != CURLE_OK) {
1631 if (!ctx->last_err)
1632 ctx->last_err = curl_easy_strerror(res);
1633 wpa_printf(MSG_ERROR, "curl_easy_perform() failed: %s",
1634 ctx->last_err);
1635 curl_easy_cleanup(curl);
1636 fclose(f);
1637 return -1;
1638 }
1639
1640 curl_easy_getinfo(curl, CURLINFO_RESPONSE_CODE, &http);
1641 wpa_printf(MSG_DEBUG, "curl: Server response code %ld", http);
1642 if (http != 200) {
1643 ctx->last_err = "HTTP download failed";
1644 wpa_printf(MSG_INFO, "HTTP download failed - code %ld", http);
1645 curl_easy_cleanup(curl);
1646 fclose(f);
1647 return -1;
1648 }
1649
1650 curl_easy_cleanup(curl);
1651 fclose(f);
1652
1653 return 0;
1654}
1655
1656
1657char * http_post(struct http_ctx *ctx, const char *url, const char *data,
1658 const char *content_type, const char *ext_hdr,
1659 const char *ca_fname,
1660 const char *username, const char *password,
1661 const char *client_cert, const char *client_key,
1662 size_t *resp_len)
1663{
1664 long http = 0;
1665 CURLcode res;
1666 char *ret;
1667 CURL *curl;
1668 struct curl_slist *curl_hdr = NULL;
1669
1670 ctx->last_err = NULL;
1671 wpa_printf(MSG_DEBUG, "curl: HTTP POST to %s", url);
1672 curl = setup_curl_post(ctx, url, ca_fname, username, password,
1673 client_cert, client_key);
1674 if (curl == NULL)
1675 return NULL;
1676
1677 if (content_type) {
1678 char ct[200];
1679 snprintf(ct, sizeof(ct), "Content-Type: %s", content_type);
1680 curl_hdr = curl_slist_append(curl_hdr, ct);
1681 }
1682 if (ext_hdr)
1683 curl_hdr = curl_slist_append(curl_hdr, ext_hdr);
1684 curl_easy_setopt(curl, CURLOPT_HTTPHEADER, curl_hdr);
1685
1686 curl_easy_setopt(curl, CURLOPT_POSTFIELDS, data);
1687 free_curl_buf(ctx);
1688
1689 res = curl_easy_perform(curl);
1690 if (res != CURLE_OK) {
1691 if (!ctx->last_err)
1692 ctx->last_err = curl_easy_strerror(res);
1693 wpa_printf(MSG_ERROR, "curl_easy_perform() failed: %s",
1694 ctx->last_err);
1695 free_curl_buf(ctx);
1696 return NULL;
1697 }
1698
1699 curl_easy_getinfo(curl, CURLINFO_RESPONSE_CODE, &http);
1700 wpa_printf(MSG_DEBUG, "curl: Server response code %ld", http);
1701 if (http != 200) {
1702 ctx->last_err = "HTTP POST failed";
1703 wpa_printf(MSG_INFO, "HTTP POST failed - code %ld", http);
1704 free_curl_buf(ctx);
1705 return NULL;
1706 }
1707
1708 if (ctx->curl_buf == NULL)
1709 return NULL;
1710
1711 ret = ctx->curl_buf;
1712 if (resp_len)
1713 *resp_len = ctx->curl_buf_len;
1714 ctx->curl_buf = NULL;
1715 ctx->curl_buf_len = 0;
1716
1717 wpa_printf(MSG_MSGDUMP, "Server response:\n%s", ret);
1718
1719 return ret;
1720}
1721
1722
1723void http_set_cert_cb(struct http_ctx *ctx,
1724 int (*cb)(void *ctx, struct http_cert *cert),
1725 void *cb_ctx)
1726{
1727 ctx->cert_cb = cb;
1728 ctx->cert_cb_ctx = cb_ctx;
1729}
1730
1731
1732const char * http_get_err(struct http_ctx *ctx)
1733{
1734 return ctx->last_err;
1735}