1 /* 2 * HTTP wrapper for libcurl 3 * Copyright (c) 2012-2014, Qualcomm Atheros, Inc. 4 * 5 * This software may be distributed under the terms of the BSD license. 6 * See README for more details. 7 */ 8 9 #include "includes.h" 10 #include <curl/curl.h> 11 #ifdef EAP_TLS_OPENSSL 12 #include <openssl/ssl.h> 13 #include <openssl/asn1.h> 14 #include <openssl/asn1t.h> 15 #include <openssl/x509v3.h> 16 17 #ifdef SSL_set_tlsext_status_type 18 #ifndef OPENSSL_NO_TLSEXT 19 #define HAVE_OCSP 20 #include <openssl/err.h> 21 #include <openssl/ocsp.h> 22 #endif /* OPENSSL_NO_TLSEXT */ 23 #endif /* SSL_set_tlsext_status_type */ 24 #endif /* EAP_TLS_OPENSSL */ 25 26 #include "common.h" 27 #include "xml-utils.h" 28 #include "http-utils.h" 29 #ifdef EAP_TLS_OPENSSL 30 #include "crypto/tls_openssl.h" 31 #endif /* EAP_TLS_OPENSSL */ 32 33 34 struct http_ctx { 35 void *ctx; 36 struct xml_node_ctx *xml; 37 CURL *curl; 38 struct curl_slist *curl_hdr; 39 char *svc_address; 40 char *svc_ca_fname; 41 char *svc_username; 42 char *svc_password; 43 char *svc_client_cert; 44 char *svc_client_key; 45 char *curl_buf; 46 size_t curl_buf_len; 47 48 int (*cert_cb)(void *ctx, struct http_cert *cert); 49 void *cert_cb_ctx; 50 51 enum { 52 NO_OCSP, OPTIONAL_OCSP, MANDATORY_OCSP 53 } ocsp; 54 X509 *peer_cert; 55 X509 *peer_issuer; 56 X509 *peer_issuer_issuer; 57 58 const char *last_err; 59 }; 60 61 62 static void clear_curl(struct http_ctx *ctx) 63 { 64 if (ctx->curl) { 65 curl_easy_cleanup(ctx->curl); 66 ctx->curl = NULL; 67 } 68 if (ctx->curl_hdr) { 69 curl_slist_free_all(ctx->curl_hdr); 70 ctx->curl_hdr = NULL; 71 } 72 } 73 74 75 static void clone_str(char **dst, const char *src) 76 { 77 os_free(*dst); 78 if (src) 79 *dst = os_strdup(src); 80 else 81 *dst = NULL; 82 } 83 84 85 static void debug_dump(struct http_ctx *ctx, const char *title, 86 const char *buf, size_t len) 87 { 88 char *txt; 89 size_t i; 90 91 for (i = 0; i < len; i++) { 92 if (buf[i] < 32 && buf[i] != '\t' && buf[i] != '\n' && 93 buf[i] != '\r') { 94 wpa_hexdump_ascii(MSG_MSGDUMP, title, buf, len); 95 return; 96 } 97 } 98 99 txt = os_malloc(len + 1); 100 if (txt == NULL) 101 return; 102 os_memcpy(txt, buf, len); 103 txt[len] = '\0'; 104 while (len > 0) { 105 len--; 106 if (txt[len] == '\n' || txt[len] == '\r') 107 txt[len] = '\0'; 108 else 109 break; 110 } 111 wpa_printf(MSG_MSGDUMP, "%s[%s]", title, txt); 112 os_free(txt); 113 } 114 115 116 static int curl_cb_debug(CURL *curl, curl_infotype info, char *buf, size_t len, 117 void *userdata) 118 { 119 struct http_ctx *ctx = userdata; 120 switch (info) { 121 case CURLINFO_TEXT: 122 debug_dump(ctx, "CURLINFO_TEXT", buf, len); 123 break; 124 case CURLINFO_HEADER_IN: 125 debug_dump(ctx, "CURLINFO_HEADER_IN", buf, len); 126 break; 127 case CURLINFO_HEADER_OUT: 128 debug_dump(ctx, "CURLINFO_HEADER_OUT", buf, len); 129 break; 130 case CURLINFO_DATA_IN: 131 debug_dump(ctx, "CURLINFO_DATA_IN", buf, len); 132 break; 133 case CURLINFO_DATA_OUT: 134 debug_dump(ctx, "CURLINFO_DATA_OUT", buf, len); 135 break; 136 case CURLINFO_SSL_DATA_IN: 137 wpa_printf(MSG_DEBUG, "debug - CURLINFO_SSL_DATA_IN - %d", 138 (int) len); 139 break; 140 case CURLINFO_SSL_DATA_OUT: 141 wpa_printf(MSG_DEBUG, "debug - CURLINFO_SSL_DATA_OUT - %d", 142 (int) len); 143 break; 144 case CURLINFO_END: 145 wpa_printf(MSG_DEBUG, "debug - CURLINFO_END - %d", 146 (int) len); 147 break; 148 } 149 return 0; 150 } 151 152 153 static size_t curl_cb_write(void *ptr, size_t size, size_t nmemb, 154 void *userdata) 155 { 156 struct http_ctx *ctx = userdata; 157 char *n; 158 n = os_realloc(ctx->curl_buf, ctx->curl_buf_len + size * nmemb + 1); 159 if (n == NULL) 160 return 0; 161 ctx->curl_buf = n; 162 os_memcpy(n + ctx->curl_buf_len, ptr, size * nmemb); 163 n[ctx->curl_buf_len + size * nmemb] = '\0'; 164 ctx->curl_buf_len += size * nmemb; 165 return size * nmemb; 166 } 167 168 169 #ifdef EAP_TLS_OPENSSL 170 171 static void debug_dump_cert(const char *title, X509 *cert) 172 { 173 BIO *out; 174 char *txt; 175 size_t rlen; 176 177 out = BIO_new(BIO_s_mem()); 178 if (!out) 179 return; 180 181 X509_print_ex(out, cert, XN_FLAG_COMPAT, X509_FLAG_COMPAT); 182 rlen = BIO_ctrl_pending(out); 183 txt = os_malloc(rlen + 1); 184 if (txt) { 185 int res = BIO_read(out, txt, rlen); 186 if (res > 0) { 187 txt[res] = '\0'; 188 wpa_printf(MSG_MSGDUMP, "%s:\n%s", title, txt); 189 } 190 os_free(txt); 191 } 192 BIO_free(out); 193 } 194 195 196 static void add_alt_name_othername(struct http_ctx *ctx, struct http_cert *cert, 197 OTHERNAME *o) 198 { 199 char txt[100]; 200 int res; 201 struct http_othername *on; 202 ASN1_TYPE *val; 203 204 on = os_realloc_array(cert->othername, cert->num_othername + 1, 205 sizeof(struct http_othername)); 206 if (on == NULL) 207 return; 208 cert->othername = on; 209 on = &on[cert->num_othername]; 210 os_memset(on, 0, sizeof(*on)); 211 212 res = OBJ_obj2txt(txt, sizeof(txt), o->type_id, 1); 213 if (res < 0 || res >= (int) sizeof(txt)) 214 return; 215 216 on->oid = os_strdup(txt); 217 if (on->oid == NULL) 218 return; 219 220 val = o->value; 221 on->data = val->value.octet_string->data; 222 on->len = val->value.octet_string->length; 223 224 cert->num_othername++; 225 } 226 227 228 static void add_alt_name_dns(struct http_ctx *ctx, struct http_cert *cert, 229 ASN1_STRING *name) 230 { 231 char *buf; 232 char **n; 233 234 buf = NULL; 235 if (ASN1_STRING_to_UTF8((unsigned char **) &buf, name) < 0) 236 return; 237 238 n = os_realloc_array(cert->dnsname, cert->num_dnsname + 1, 239 sizeof(char *)); 240 if (n == NULL) 241 return; 242 243 cert->dnsname = n; 244 n[cert->num_dnsname] = buf; 245 cert->num_dnsname++; 246 } 247 248 249 static void add_alt_name(struct http_ctx *ctx, struct http_cert *cert, 250 const GENERAL_NAME *name) 251 { 252 switch (name->type) { 253 case GEN_OTHERNAME: 254 add_alt_name_othername(ctx, cert, name->d.otherName); 255 break; 256 case GEN_DNS: 257 add_alt_name_dns(ctx, cert, name->d.dNSName); 258 break; 259 } 260 } 261 262 263 static void add_alt_names(struct http_ctx *ctx, struct http_cert *cert, 264 GENERAL_NAMES *names) 265 { 266 int num, i; 267 268 num = sk_GENERAL_NAME_num(names); 269 for (i = 0; i < num; i++) { 270 const GENERAL_NAME *name; 271 name = sk_GENERAL_NAME_value(names, i); 272 add_alt_name(ctx, cert, name); 273 } 274 } 275 276 277 /* RFC 3709 */ 278 279 typedef struct { 280 X509_ALGOR *hashAlg; 281 ASN1_OCTET_STRING *hashValue; 282 } HashAlgAndValue; 283 284 typedef struct { 285 STACK_OF(HashAlgAndValue) *refStructHash; 286 STACK_OF(ASN1_IA5STRING) *refStructURI; 287 } LogotypeReference; 288 289 typedef struct { 290 ASN1_IA5STRING *mediaType; 291 STACK_OF(HashAlgAndValue) *logotypeHash; 292 STACK_OF(ASN1_IA5STRING) *logotypeURI; 293 } LogotypeDetails; 294 295 typedef struct { 296 int type; 297 union { 298 ASN1_INTEGER *numBits; 299 ASN1_INTEGER *tableSize; 300 } d; 301 } LogotypeImageResolution; 302 303 typedef struct { 304 ASN1_INTEGER *type; /* LogotypeImageType ::= INTEGER */ 305 ASN1_INTEGER *fileSize; 306 ASN1_INTEGER *xSize; 307 ASN1_INTEGER *ySize; 308 LogotypeImageResolution *resolution; 309 ASN1_IA5STRING *language; 310 } LogotypeImageInfo; 311 312 typedef struct { 313 LogotypeDetails *imageDetails; 314 LogotypeImageInfo *imageInfo; 315 } LogotypeImage; 316 317 typedef struct { 318 ASN1_INTEGER *fileSize; 319 ASN1_INTEGER *playTime; 320 ASN1_INTEGER *channels; 321 ASN1_INTEGER *sampleRate; 322 ASN1_IA5STRING *language; 323 } LogotypeAudioInfo; 324 325 typedef struct { 326 LogotypeDetails *audioDetails; 327 LogotypeAudioInfo *audioInfo; 328 } LogotypeAudio; 329 330 typedef struct { 331 STACK_OF(LogotypeImage) *image; 332 STACK_OF(LogotypeAudio) *audio; 333 } LogotypeData; 334 335 typedef struct { 336 int type; 337 union { 338 LogotypeData *direct; 339 LogotypeReference *indirect; 340 } d; 341 } LogotypeInfo; 342 343 typedef struct { 344 ASN1_OBJECT *logotypeType; 345 LogotypeInfo *info; 346 } OtherLogotypeInfo; 347 348 typedef struct { 349 STACK_OF(LogotypeInfo) *communityLogos; 350 LogotypeInfo *issuerLogo; 351 LogotypeInfo *subjectLogo; 352 STACK_OF(OtherLogotypeInfo) *otherLogos; 353 } LogotypeExtn; 354 355 ASN1_SEQUENCE(HashAlgAndValue) = { 356 ASN1_SIMPLE(HashAlgAndValue, hashAlg, X509_ALGOR), 357 ASN1_SIMPLE(HashAlgAndValue, hashValue, ASN1_OCTET_STRING) 358 } ASN1_SEQUENCE_END(HashAlgAndValue); 359 360 ASN1_SEQUENCE(LogotypeReference) = { 361 ASN1_SEQUENCE_OF(LogotypeReference, refStructHash, HashAlgAndValue), 362 ASN1_SEQUENCE_OF(LogotypeReference, refStructURI, ASN1_IA5STRING) 363 } ASN1_SEQUENCE_END(LogotypeReference); 364 365 ASN1_SEQUENCE(LogotypeDetails) = { 366 ASN1_SIMPLE(LogotypeDetails, mediaType, ASN1_IA5STRING), 367 ASN1_SEQUENCE_OF(LogotypeDetails, logotypeHash, HashAlgAndValue), 368 ASN1_SEQUENCE_OF(LogotypeDetails, logotypeURI, ASN1_IA5STRING) 369 } ASN1_SEQUENCE_END(LogotypeDetails); 370 371 ASN1_CHOICE(LogotypeImageResolution) = { 372 ASN1_IMP(LogotypeImageResolution, d.numBits, ASN1_INTEGER, 1), 373 ASN1_IMP(LogotypeImageResolution, d.tableSize, ASN1_INTEGER, 2) 374 } ASN1_CHOICE_END(LogotypeImageResolution); 375 376 ASN1_SEQUENCE(LogotypeImageInfo) = { 377 ASN1_IMP_OPT(LogotypeImageInfo, type, ASN1_INTEGER, 0), 378 ASN1_SIMPLE(LogotypeImageInfo, fileSize, ASN1_INTEGER), 379 ASN1_SIMPLE(LogotypeImageInfo, xSize, ASN1_INTEGER), 380 ASN1_SIMPLE(LogotypeImageInfo, ySize, ASN1_INTEGER), 381 ASN1_OPT(LogotypeImageInfo, resolution, LogotypeImageResolution), 382 ASN1_IMP_OPT(LogotypeImageInfo, language, ASN1_IA5STRING, 4), 383 } ASN1_SEQUENCE_END(LogotypeImageInfo); 384 385 ASN1_SEQUENCE(LogotypeImage) = { 386 ASN1_SIMPLE(LogotypeImage, imageDetails, LogotypeDetails), 387 ASN1_OPT(LogotypeImage, imageInfo, LogotypeImageInfo) 388 } ASN1_SEQUENCE_END(LogotypeImage); 389 390 ASN1_SEQUENCE(LogotypeAudioInfo) = { 391 ASN1_SIMPLE(LogotypeAudioInfo, fileSize, ASN1_INTEGER), 392 ASN1_SIMPLE(LogotypeAudioInfo, playTime, ASN1_INTEGER), 393 ASN1_SIMPLE(LogotypeAudioInfo, channels, ASN1_INTEGER), 394 ASN1_IMP_OPT(LogotypeAudioInfo, sampleRate, ASN1_INTEGER, 3), 395 ASN1_IMP_OPT(LogotypeAudioInfo, language, ASN1_IA5STRING, 4) 396 } ASN1_SEQUENCE_END(LogotypeAudioInfo); 397 398 ASN1_SEQUENCE(LogotypeAudio) = { 399 ASN1_SIMPLE(LogotypeAudio, audioDetails, LogotypeDetails), 400 ASN1_OPT(LogotypeAudio, audioInfo, LogotypeAudioInfo) 401 } ASN1_SEQUENCE_END(LogotypeAudio); 402 403 ASN1_SEQUENCE(LogotypeData) = { 404 ASN1_SEQUENCE_OF_OPT(LogotypeData, image, LogotypeImage), 405 ASN1_IMP_SEQUENCE_OF_OPT(LogotypeData, audio, LogotypeAudio, 1) 406 } ASN1_SEQUENCE_END(LogotypeData); 407 408 ASN1_CHOICE(LogotypeInfo) = { 409 ASN1_IMP(LogotypeInfo, d.direct, LogotypeData, 0), 410 ASN1_IMP(LogotypeInfo, d.indirect, LogotypeReference, 1) 411 } ASN1_CHOICE_END(LogotypeInfo); 412 413 ASN1_SEQUENCE(OtherLogotypeInfo) = { 414 ASN1_SIMPLE(OtherLogotypeInfo, logotypeType, ASN1_OBJECT), 415 ASN1_SIMPLE(OtherLogotypeInfo, info, LogotypeInfo) 416 } ASN1_SEQUENCE_END(OtherLogotypeInfo); 417 418 ASN1_SEQUENCE(LogotypeExtn) = { 419 ASN1_EXP_SEQUENCE_OF_OPT(LogotypeExtn, communityLogos, LogotypeInfo, 0), 420 ASN1_EXP_OPT(LogotypeExtn, issuerLogo, LogotypeInfo, 1), 421 ASN1_EXP_OPT(LogotypeExtn, issuerLogo, LogotypeInfo, 2), 422 ASN1_EXP_SEQUENCE_OF_OPT(LogotypeExtn, otherLogos, OtherLogotypeInfo, 3) 423 } ASN1_SEQUENCE_END(LogotypeExtn); 424 425 IMPLEMENT_ASN1_FUNCTIONS(LogotypeExtn); 426 427 #ifdef OPENSSL_IS_BORINGSSL 428 #define sk_LogotypeInfo_num(st) \ 429 sk_num(CHECKED_CAST(_STACK *, STACK_OF(LogotypeInfo) *, (st))) 430 #define sk_LogotypeInfo_value(st, i) (LogotypeInfo *) \ 431 sk_value(CHECKED_CAST(_STACK *, const STACK_OF(LogotypeInfo) *, (st)), (i)) 432 #define sk_LogotypeImage_num(st) \ 433 sk_num(CHECKED_CAST(_STACK *, STACK_OF(LogotypeImage) *, (st))) 434 #define sk_LogotypeImage_value(st, i) (LogotypeImage *) \ 435 sk_value(CHECKED_CAST(_STACK *, const STACK_OF(LogotypeImage) *, (st)), (i)) 436 #define sk_LogotypeAudio_num(st) \ 437 sk_num(CHECKED_CAST(_STACK *, STACK_OF(LogotypeAudio) *, (st))) 438 #define sk_LogotypeAudio_value(st, i) (LogotypeAudio *) \ 439 sk_value(CHECK_CAST(_STACK *, const STACK_OF(LogotypeAudio) *, (st)), (i)) 440 #define sk_HashAlgAndValue_num(st) \ 441 sk_num(CHECKED_CAST(_STACK *, STACK_OF(HashAlgAndValue) *, (st))) 442 #define sk_HashAlgAndValue_value(st, i) (HashAlgAndValue *) \ 443 sk_value(CHECKED_CAST(_STACK *, const STACK_OF(HashAlgAndValue) *, (st)), (i)) 444 #define sk_ASN1_IA5STRING_num(st) \ 445 sk_num(CHECKED_CAST(_STACK *, STACK_OF(ASN1_IA5STRING) *, (st))) 446 #define sk_ASN1_IA5STRING_value(st, i) (ASN1_IA5STRING *) \ 447 sk_value(CHECKED_CAST(_STACK *, const STACK_OF(ASN1_IA5STRING) *, (st)), (i)) 448 #else /* OPENSSL_IS_BORINGSSL */ 449 #define sk_LogotypeInfo_num(st) SKM_sk_num(LogotypeInfo, (st)) 450 #define sk_LogotypeInfo_value(st, i) SKM_sk_value(LogotypeInfo, (st), (i)) 451 #define sk_LogotypeImage_num(st) SKM_sk_num(LogotypeImage, (st)) 452 #define sk_LogotypeImage_value(st, i) SKM_sk_value(LogotypeImage, (st), (i)) 453 #define sk_LogotypeAudio_num(st) SKM_sk_num(LogotypeAudio, (st)) 454 #define sk_LogotypeAudio_value(st, i) SKM_sk_value(LogotypeAudio, (st), (i)) 455 #define sk_HashAlgAndValue_num(st) SKM_sk_num(HashAlgAndValue, (st)) 456 #define sk_HashAlgAndValue_value(st, i) SKM_sk_value(HashAlgAndValue, (st), (i)) 457 #define sk_ASN1_IA5STRING_num(st) SKM_sk_num(ASN1_IA5STRING, (st)) 458 #define sk_ASN1_IA5STRING_value(st, i) SKM_sk_value(ASN1_IA5STRING, (st), (i)) 459 #endif /* OPENSSL_IS_BORINGSSL */ 460 461 462 static void add_logo(struct http_ctx *ctx, struct http_cert *hcert, 463 HashAlgAndValue *hash, ASN1_IA5STRING *uri) 464 { 465 char txt[100]; 466 int res, len; 467 struct http_logo *n; 468 469 if (hash == NULL || uri == NULL) 470 return; 471 472 res = OBJ_obj2txt(txt, sizeof(txt), hash->hashAlg->algorithm, 1); 473 if (res < 0 || res >= (int) sizeof(txt)) 474 return; 475 476 n = os_realloc_array(hcert->logo, hcert->num_logo + 1, 477 sizeof(struct http_logo)); 478 if (n == NULL) 479 return; 480 hcert->logo = n; 481 n = &hcert->logo[hcert->num_logo]; 482 os_memset(n, 0, sizeof(*n)); 483 484 n->alg_oid = os_strdup(txt); 485 if (n->alg_oid == NULL) 486 return; 487 488 n->hash_len = ASN1_STRING_length(hash->hashValue); 489 n->hash = os_malloc(n->hash_len); 490 if (n->hash == NULL) { 491 os_free(n->alg_oid); 492 return; 493 } 494 os_memcpy(n->hash, ASN1_STRING_data(hash->hashValue), n->hash_len); 495 496 len = ASN1_STRING_length(uri); 497 n->uri = os_malloc(len + 1); 498 if (n->uri == NULL) { 499 os_free(n->alg_oid); 500 os_free(n->hash); 501 return; 502 } 503 os_memcpy(n->uri, ASN1_STRING_data(uri), len); 504 n->uri[len] = '\0'; 505 506 hcert->num_logo++; 507 } 508 509 510 static void add_logo_direct(struct http_ctx *ctx, struct http_cert *hcert, 511 LogotypeData *data) 512 { 513 int i, num; 514 515 if (data->image == NULL) 516 return; 517 518 num = sk_LogotypeImage_num(data->image); 519 for (i = 0; i < num; i++) { 520 LogotypeImage *image; 521 LogotypeDetails *details; 522 int j, hash_num, uri_num; 523 HashAlgAndValue *found_hash = NULL; 524 525 image = sk_LogotypeImage_value(data->image, i); 526 if (image == NULL) 527 continue; 528 529 details = image->imageDetails; 530 if (details == NULL) 531 continue; 532 533 hash_num = sk_HashAlgAndValue_num(details->logotypeHash); 534 for (j = 0; j < hash_num; j++) { 535 HashAlgAndValue *hash; 536 char txt[100]; 537 int res; 538 hash = sk_HashAlgAndValue_value(details->logotypeHash, 539 j); 540 if (hash == NULL) 541 continue; 542 res = OBJ_obj2txt(txt, sizeof(txt), 543 hash->hashAlg->algorithm, 1); 544 if (res < 0 || res >= (int) sizeof(txt)) 545 continue; 546 if (os_strcmp(txt, "2.16.840.1.101.3.4.2.1") == 0) { 547 found_hash = hash; 548 break; 549 } 550 } 551 552 if (!found_hash) { 553 wpa_printf(MSG_DEBUG, "OpenSSL: No SHA256 hash found for the logo"); 554 continue; 555 } 556 557 uri_num = sk_ASN1_IA5STRING_num(details->logotypeURI); 558 for (j = 0; j < uri_num; j++) { 559 ASN1_IA5STRING *uri; 560 uri = sk_ASN1_IA5STRING_value(details->logotypeURI, j); 561 add_logo(ctx, hcert, found_hash, uri); 562 } 563 } 564 } 565 566 567 static void add_logo_indirect(struct http_ctx *ctx, struct http_cert *hcert, 568 LogotypeReference *ref) 569 { 570 int j, hash_num, uri_num; 571 572 hash_num = sk_HashAlgAndValue_num(ref->refStructHash); 573 uri_num = sk_ASN1_IA5STRING_num(ref->refStructURI); 574 if (hash_num != uri_num) { 575 wpa_printf(MSG_INFO, "Unexpected LogotypeReference array size difference %d != %d", 576 hash_num, uri_num); 577 return; 578 } 579 580 for (j = 0; j < hash_num; j++) { 581 HashAlgAndValue *hash; 582 ASN1_IA5STRING *uri; 583 hash = sk_HashAlgAndValue_value(ref->refStructHash, j); 584 uri = sk_ASN1_IA5STRING_value(ref->refStructURI, j); 585 add_logo(ctx, hcert, hash, uri); 586 } 587 } 588 589 590 static void i2r_HashAlgAndValue(HashAlgAndValue *hash, BIO *out, int indent) 591 { 592 int i; 593 const unsigned char *data; 594 595 BIO_printf(out, "%*shashAlg: ", indent, ""); 596 i2a_ASN1_OBJECT(out, hash->hashAlg->algorithm); 597 BIO_printf(out, "\n"); 598 599 BIO_printf(out, "%*shashValue: ", indent, ""); 600 data = hash->hashValue->data; 601 for (i = 0; i < hash->hashValue->length; i++) 602 BIO_printf(out, "%s%02x", i > 0 ? ":" : "", data[i]); 603 BIO_printf(out, "\n"); 604 } 605 606 static void i2r_LogotypeDetails(LogotypeDetails *details, BIO *out, int indent) 607 { 608 int i, num; 609 610 BIO_printf(out, "%*sLogotypeDetails\n", indent, ""); 611 if (details->mediaType) { 612 BIO_printf(out, "%*smediaType: ", indent, ""); 613 ASN1_STRING_print(out, details->mediaType); 614 BIO_printf(out, "\n"); 615 } 616 617 num = details->logotypeHash ? 618 sk_HashAlgAndValue_num(details->logotypeHash) : 0; 619 for (i = 0; i < num; i++) { 620 HashAlgAndValue *hash; 621 hash = sk_HashAlgAndValue_value(details->logotypeHash, i); 622 i2r_HashAlgAndValue(hash, out, indent); 623 } 624 625 num = details->logotypeURI ? 626 sk_ASN1_IA5STRING_num(details->logotypeURI) : 0; 627 for (i = 0; i < num; i++) { 628 ASN1_IA5STRING *uri; 629 uri = sk_ASN1_IA5STRING_value(details->logotypeURI, i); 630 BIO_printf(out, "%*slogotypeURI: ", indent, ""); 631 ASN1_STRING_print(out, uri); 632 BIO_printf(out, "\n"); 633 } 634 } 635 636 static void i2r_LogotypeImageInfo(LogotypeImageInfo *info, BIO *out, int indent) 637 { 638 long val; 639 640 BIO_printf(out, "%*sLogotypeImageInfo\n", indent, ""); 641 if (info->type) { 642 val = ASN1_INTEGER_get(info->type); 643 BIO_printf(out, "%*stype: %ld\n", indent, "", val); 644 } else { 645 BIO_printf(out, "%*stype: default (1)\n", indent, ""); 646 } 647 val = ASN1_INTEGER_get(info->fileSize); 648 BIO_printf(out, "%*sfileSize: %ld\n", indent, "", val); 649 val = ASN1_INTEGER_get(info->xSize); 650 BIO_printf(out, "%*sxSize: %ld\n", indent, "", val); 651 val = ASN1_INTEGER_get(info->ySize); 652 BIO_printf(out, "%*sySize: %ld\n", indent, "", val); 653 if (info->resolution) { 654 BIO_printf(out, "%*sresolution [%d]\n", indent, "", 655 info->resolution->type); 656 switch (info->resolution->type) { 657 case 0: 658 val = ASN1_INTEGER_get(info->resolution->d.numBits); 659 BIO_printf(out, "%*snumBits: %ld\n", indent, "", val); 660 break; 661 case 1: 662 val = ASN1_INTEGER_get(info->resolution->d.tableSize); 663 BIO_printf(out, "%*stableSize: %ld\n", indent, "", val); 664 break; 665 } 666 } 667 if (info->language) { 668 BIO_printf(out, "%*slanguage: ", indent, ""); 669 ASN1_STRING_print(out, info->language); 670 BIO_printf(out, "\n"); 671 } 672 } 673 674 static void i2r_LogotypeImage(LogotypeImage *image, BIO *out, int indent) 675 { 676 BIO_printf(out, "%*sLogotypeImage\n", indent, ""); 677 if (image->imageDetails) { 678 i2r_LogotypeDetails(image->imageDetails, out, indent + 4); 679 } 680 if (image->imageInfo) { 681 i2r_LogotypeImageInfo(image->imageInfo, out, indent + 4); 682 } 683 } 684 685 static void i2r_LogotypeData(LogotypeData *data, const char *title, BIO *out, 686 int indent) 687 { 688 int i, num; 689 690 BIO_printf(out, "%*s%s - LogotypeData\n", indent, "", title); 691 692 num = data->image ? sk_LogotypeImage_num(data->image) : 0; 693 for (i = 0; i < num; i++) { 694 LogotypeImage *image = sk_LogotypeImage_value(data->image, i); 695 i2r_LogotypeImage(image, out, indent + 4); 696 } 697 698 num = data->audio ? sk_LogotypeAudio_num(data->audio) : 0; 699 for (i = 0; i < num; i++) { 700 BIO_printf(out, "%*saudio: TODO\n", indent, ""); 701 } 702 } 703 704 static void i2r_LogotypeReference(LogotypeReference *ref, const char *title, 705 BIO *out, int indent) 706 { 707 int i, hash_num, uri_num; 708 709 BIO_printf(out, "%*s%s - LogotypeReference\n", indent, "", title); 710 711 hash_num = ref->refStructHash ? 712 sk_HashAlgAndValue_num(ref->refStructHash) : 0; 713 uri_num = ref->refStructURI ? 714 sk_ASN1_IA5STRING_num(ref->refStructURI) : 0; 715 if (hash_num != uri_num) { 716 BIO_printf(out, "%*sUnexpected LogotypeReference array size difference %d != %d\n", 717 indent, "", hash_num, uri_num); 718 return; 719 } 720 721 for (i = 0; i < hash_num; i++) { 722 HashAlgAndValue *hash; 723 ASN1_IA5STRING *uri; 724 725 hash = sk_HashAlgAndValue_value(ref->refStructHash, i); 726 i2r_HashAlgAndValue(hash, out, indent); 727 728 uri = sk_ASN1_IA5STRING_value(ref->refStructURI, i); 729 BIO_printf(out, "%*srefStructURI: ", indent, ""); 730 ASN1_STRING_print(out, uri); 731 BIO_printf(out, "\n"); 732 } 733 } 734 735 static void i2r_LogotypeInfo(LogotypeInfo *info, const char *title, BIO *out, 736 int indent) 737 { 738 switch (info->type) { 739 case 0: 740 i2r_LogotypeData(info->d.direct, title, out, indent); 741 break; 742 case 1: 743 i2r_LogotypeReference(info->d.indirect, title, out, indent); 744 break; 745 } 746 } 747 748 static void debug_print_logotypeext(LogotypeExtn *logo) 749 { 750 BIO *out; 751 int i, num; 752 int indent = 0; 753 754 out = BIO_new_fp(stdout, BIO_NOCLOSE); 755 if (out == NULL) 756 return; 757 758 if (logo->communityLogos) { 759 num = sk_LogotypeInfo_num(logo->communityLogos); 760 for (i = 0; i < num; i++) { 761 LogotypeInfo *info; 762 info = sk_LogotypeInfo_value(logo->communityLogos, i); 763 i2r_LogotypeInfo(info, "communityLogo", out, indent); 764 } 765 } 766 767 if (logo->issuerLogo) { 768 i2r_LogotypeInfo(logo->issuerLogo, "issuerLogo", out, indent ); 769 } 770 771 if (logo->subjectLogo) { 772 i2r_LogotypeInfo(logo->subjectLogo, "subjectLogo", out, indent); 773 } 774 775 if (logo->otherLogos) { 776 BIO_printf(out, "%*sotherLogos - TODO\n", indent, ""); 777 } 778 779 BIO_free(out); 780 } 781 782 783 static void add_logotype_ext(struct http_ctx *ctx, struct http_cert *hcert, 784 X509 *cert) 785 { 786 ASN1_OBJECT *obj; 787 int pos; 788 X509_EXTENSION *ext; 789 ASN1_OCTET_STRING *os; 790 LogotypeExtn *logo; 791 const unsigned char *data; 792 int i, num; 793 794 obj = OBJ_txt2obj("1.3.6.1.5.5.7.1.12", 0); 795 if (obj == NULL) 796 return; 797 798 pos = X509_get_ext_by_OBJ(cert, obj, -1); 799 if (pos < 0) { 800 wpa_printf(MSG_INFO, "No logotype extension included"); 801 return; 802 } 803 804 wpa_printf(MSG_INFO, "Parsing logotype extension"); 805 ext = X509_get_ext(cert, pos); 806 if (!ext) { 807 wpa_printf(MSG_INFO, "Could not get logotype extension"); 808 return; 809 } 810 811 os = X509_EXTENSION_get_data(ext); 812 if (os == NULL) { 813 wpa_printf(MSG_INFO, "Could not get logotype extension data"); 814 return; 815 } 816 817 wpa_hexdump(MSG_DEBUG, "logotypeExtn", 818 ASN1_STRING_data(os), ASN1_STRING_length(os)); 819 820 data = ASN1_STRING_data(os); 821 logo = d2i_LogotypeExtn(NULL, &data, ASN1_STRING_length(os)); 822 if (logo == NULL) { 823 wpa_printf(MSG_INFO, "Failed to parse logotypeExtn"); 824 return; 825 } 826 827 if (wpa_debug_level < MSG_INFO) 828 debug_print_logotypeext(logo); 829 830 if (!logo->communityLogos) { 831 wpa_printf(MSG_INFO, "No communityLogos included"); 832 LogotypeExtn_free(logo); 833 return; 834 } 835 836 num = sk_LogotypeInfo_num(logo->communityLogos); 837 for (i = 0; i < num; i++) { 838 LogotypeInfo *info; 839 info = sk_LogotypeInfo_value(logo->communityLogos, i); 840 switch (info->type) { 841 case 0: 842 add_logo_direct(ctx, hcert, info->d.direct); 843 break; 844 case 1: 845 add_logo_indirect(ctx, hcert, info->d.indirect); 846 break; 847 } 848 } 849 850 LogotypeExtn_free(logo); 851 } 852 853 854 static void parse_cert(struct http_ctx *ctx, struct http_cert *hcert, 855 X509 *cert, GENERAL_NAMES **names) 856 { 857 os_memset(hcert, 0, sizeof(*hcert)); 858 859 *names = X509_get_ext_d2i(cert, NID_subject_alt_name, NULL, NULL); 860 if (*names) { 861 add_alt_names(ctx, hcert, *names); 862 sk_GENERAL_NAME_pop_free(*names, GENERAL_NAME_free); 863 } 864 865 add_logotype_ext(ctx, hcert, cert); 866 } 867 868 869 static void parse_cert_free(struct http_cert *hcert, GENERAL_NAMES *names) 870 { 871 unsigned int i; 872 873 for (i = 0; i < hcert->num_dnsname; i++) 874 OPENSSL_free(hcert->dnsname[i]); 875 os_free(hcert->dnsname); 876 877 for (i = 0; i < hcert->num_othername; i++) 878 os_free(hcert->othername[i].oid); 879 os_free(hcert->othername); 880 881 for (i = 0; i < hcert->num_logo; i++) { 882 os_free(hcert->logo[i].alg_oid); 883 os_free(hcert->logo[i].hash); 884 os_free(hcert->logo[i].uri); 885 } 886 os_free(hcert->logo); 887 888 sk_GENERAL_NAME_pop_free(names, GENERAL_NAME_free); 889 } 890 891 892 static int validate_server_cert(struct http_ctx *ctx, X509 *cert) 893 { 894 GENERAL_NAMES *names; 895 struct http_cert hcert; 896 int ret; 897 898 if (ctx->cert_cb == NULL) { 899 wpa_printf(MSG_DEBUG, "%s: no cert_cb configured", __func__); 900 return 0; 901 } 902 903 if (0) { 904 BIO *out; 905 out = BIO_new_fp(stdout, BIO_NOCLOSE); 906 X509_print_ex(out, cert, XN_FLAG_COMPAT, X509_FLAG_COMPAT); 907 BIO_free(out); 908 } 909 910 parse_cert(ctx, &hcert, cert, &names); 911 ret = ctx->cert_cb(ctx->cert_cb_ctx, &hcert); 912 parse_cert_free(&hcert, names); 913 914 return ret; 915 } 916 917 918 void http_parse_x509_certificate(struct http_ctx *ctx, const char *fname) 919 { 920 BIO *in, *out; 921 X509 *cert; 922 GENERAL_NAMES *names; 923 struct http_cert hcert; 924 unsigned int i; 925 926 in = BIO_new_file(fname, "r"); 927 if (in == NULL) { 928 wpa_printf(MSG_ERROR, "Could not read '%s'", fname); 929 return; 930 } 931 932 cert = d2i_X509_bio(in, NULL); 933 BIO_free(in); 934 935 if (cert == NULL) { 936 wpa_printf(MSG_ERROR, "Could not parse certificate"); 937 return; 938 } 939 940 out = BIO_new_fp(stdout, BIO_NOCLOSE); 941 if (out) { 942 X509_print_ex(out, cert, XN_FLAG_COMPAT, 943 X509_FLAG_COMPAT); 944 BIO_free(out); 945 } 946 947 wpa_printf(MSG_INFO, "Additional parsing information:"); 948 parse_cert(ctx, &hcert, cert, &names); 949 for (i = 0; i < hcert.num_othername; i++) { 950 if (os_strcmp(hcert.othername[i].oid, 951 "1.3.6.1.4.1.40808.1.1.1") == 0) { 952 char *name = os_zalloc(hcert.othername[i].len + 1); 953 if (name) { 954 os_memcpy(name, hcert.othername[i].data, 955 hcert.othername[i].len); 956 wpa_printf(MSG_INFO, 957 "id-wfa-hotspot-friendlyName: %s", 958 name); 959 os_free(name); 960 } 961 wpa_hexdump_ascii(MSG_INFO, 962 "id-wfa-hotspot-friendlyName", 963 hcert.othername[i].data, 964 hcert.othername[i].len); 965 } else { 966 wpa_printf(MSG_INFO, "subjAltName[othername]: oid=%s", 967 hcert.othername[i].oid); 968 wpa_hexdump_ascii(MSG_INFO, "unknown othername", 969 hcert.othername[i].data, 970 hcert.othername[i].len); 971 } 972 } 973 parse_cert_free(&hcert, names); 974 975 X509_free(cert); 976 } 977 978 979 static int curl_cb_ssl_verify(int preverify_ok, X509_STORE_CTX *x509_ctx) 980 { 981 struct http_ctx *ctx; 982 X509 *cert; 983 int err, depth; 984 char buf[256]; 985 X509_NAME *name; 986 const char *err_str; 987 SSL *ssl; 988 SSL_CTX *ssl_ctx; 989 990 ssl = X509_STORE_CTX_get_ex_data(x509_ctx, 991 SSL_get_ex_data_X509_STORE_CTX_idx()); 992 ssl_ctx = ssl->ctx; 993 ctx = SSL_CTX_get_app_data(ssl_ctx); 994 995 wpa_printf(MSG_DEBUG, "curl_cb_ssl_verify, preverify_ok: %d", 996 preverify_ok); 997 998 err = X509_STORE_CTX_get_error(x509_ctx); 999 err_str = X509_verify_cert_error_string(err); 1000 depth = X509_STORE_CTX_get_error_depth(x509_ctx); 1001 cert = X509_STORE_CTX_get_current_cert(x509_ctx); 1002 if (!cert) { 1003 wpa_printf(MSG_INFO, "No server certificate available"); 1004 ctx->last_err = "No server certificate available"; 1005 return 0; 1006 } 1007 1008 if (depth == 0) 1009 ctx->peer_cert = cert; 1010 else if (depth == 1) 1011 ctx->peer_issuer = cert; 1012 else if (depth == 2) 1013 ctx->peer_issuer_issuer = cert; 1014 1015 name = X509_get_subject_name(cert); 1016 X509_NAME_oneline(name, buf, sizeof(buf)); 1017 wpa_printf(MSG_INFO, "Server certificate chain - depth=%d err=%d (%s) subject=%s", 1018 depth, err, err_str, buf); 1019 debug_dump_cert("Server certificate chain - certificate", cert); 1020 1021 if (depth == 0 && preverify_ok && validate_server_cert(ctx, cert) < 0) 1022 return 0; 1023 1024 #ifdef OPENSSL_IS_BORINGSSL 1025 if (depth == 0 && ctx->ocsp != NO_OCSP && preverify_ok) { 1026 enum ocsp_result res; 1027 1028 res = check_ocsp_resp(ssl_ctx, ssl, cert, ctx->peer_issuer, 1029 ctx->peer_issuer_issuer); 1030 if (res == OCSP_REVOKED) { 1031 preverify_ok = 0; 1032 wpa_printf(MSG_INFO, "OCSP: certificate revoked"); 1033 if (err == X509_V_OK) 1034 X509_STORE_CTX_set_error( 1035 x509_ctx, X509_V_ERR_CERT_REVOKED); 1036 } else if (res != OCSP_GOOD && (ctx->ocsp == MANDATORY_OCSP)) { 1037 preverify_ok = 0; 1038 wpa_printf(MSG_INFO, 1039 "OCSP: bad certificate status response"); 1040 } 1041 } 1042 #endif /* OPENSSL_IS_BORINGSSL */ 1043 1044 if (!preverify_ok) 1045 ctx->last_err = "TLS validation failed"; 1046 1047 return preverify_ok; 1048 } 1049 1050 1051 #ifdef HAVE_OCSP 1052 1053 static void ocsp_debug_print_resp(OCSP_RESPONSE *rsp) 1054 { 1055 BIO *out; 1056 size_t rlen; 1057 char *txt; 1058 int res; 1059 1060 out = BIO_new(BIO_s_mem()); 1061 if (!out) 1062 return; 1063 1064 OCSP_RESPONSE_print(out, rsp, 0); 1065 rlen = BIO_ctrl_pending(out); 1066 txt = os_malloc(rlen + 1); 1067 if (!txt) { 1068 BIO_free(out); 1069 return; 1070 } 1071 1072 res = BIO_read(out, txt, rlen); 1073 if (res > 0) { 1074 txt[res] = '\0'; 1075 wpa_printf(MSG_MSGDUMP, "OpenSSL: OCSP Response\n%s", txt); 1076 } 1077 os_free(txt); 1078 BIO_free(out); 1079 } 1080 1081 1082 static void tls_show_errors(const char *func, const char *txt) 1083 { 1084 unsigned long err; 1085 1086 wpa_printf(MSG_DEBUG, "OpenSSL: %s - %s %s", 1087 func, txt, ERR_error_string(ERR_get_error(), NULL)); 1088 1089 while ((err = ERR_get_error())) { 1090 wpa_printf(MSG_DEBUG, "OpenSSL: pending error: %s", 1091 ERR_error_string(err, NULL)); 1092 } 1093 } 1094 1095 1096 static int ocsp_resp_cb(SSL *s, void *arg) 1097 { 1098 struct http_ctx *ctx = arg; 1099 const unsigned char *p; 1100 int len, status, reason; 1101 OCSP_RESPONSE *rsp; 1102 OCSP_BASICRESP *basic; 1103 OCSP_CERTID *id; 1104 ASN1_GENERALIZEDTIME *produced_at, *this_update, *next_update; 1105 X509_STORE *store; 1106 STACK_OF(X509) *certs = NULL; 1107 1108 len = SSL_get_tlsext_status_ocsp_resp(s, &p); 1109 if (!p) { 1110 wpa_printf(MSG_DEBUG, "OpenSSL: No OCSP response received"); 1111 if (ctx->ocsp == MANDATORY_OCSP) 1112 ctx->last_err = "No OCSP response received"; 1113 return (ctx->ocsp == MANDATORY_OCSP) ? 0 : 1; 1114 } 1115 1116 wpa_hexdump(MSG_DEBUG, "OpenSSL: OCSP response", p, len); 1117 1118 rsp = d2i_OCSP_RESPONSE(NULL, &p, len); 1119 if (!rsp) { 1120 wpa_printf(MSG_INFO, "OpenSSL: Failed to parse OCSP response"); 1121 ctx->last_err = "Failed to parse OCSP response"; 1122 return 0; 1123 } 1124 1125 ocsp_debug_print_resp(rsp); 1126 1127 status = OCSP_response_status(rsp); 1128 if (status != OCSP_RESPONSE_STATUS_SUCCESSFUL) { 1129 wpa_printf(MSG_INFO, "OpenSSL: OCSP responder error %d (%s)", 1130 status, OCSP_response_status_str(status)); 1131 ctx->last_err = "OCSP responder error"; 1132 return 0; 1133 } 1134 1135 basic = OCSP_response_get1_basic(rsp); 1136 if (!basic) { 1137 wpa_printf(MSG_INFO, "OpenSSL: Could not find BasicOCSPResponse"); 1138 ctx->last_err = "Could not find BasicOCSPResponse"; 1139 return 0; 1140 } 1141 1142 store = SSL_CTX_get_cert_store(s->ctx); 1143 if (ctx->peer_issuer) { 1144 wpa_printf(MSG_DEBUG, "OpenSSL: Add issuer"); 1145 debug_dump_cert("OpenSSL: Issuer certificate", 1146 ctx->peer_issuer); 1147 1148 if (X509_STORE_add_cert(store, ctx->peer_issuer) != 1) { 1149 tls_show_errors(__func__, 1150 "OpenSSL: Could not add issuer to certificate store"); 1151 } 1152 certs = sk_X509_new_null(); 1153 if (certs) { 1154 X509 *cert; 1155 cert = X509_dup(ctx->peer_issuer); 1156 if (cert && !sk_X509_push(certs, cert)) { 1157 tls_show_errors( 1158 __func__, 1159 "OpenSSL: Could not add issuer to OCSP responder trust store"); 1160 X509_free(cert); 1161 sk_X509_free(certs); 1162 certs = NULL; 1163 } 1164 if (certs && ctx->peer_issuer_issuer) { 1165 cert = X509_dup(ctx->peer_issuer_issuer); 1166 if (cert && !sk_X509_push(certs, cert)) { 1167 tls_show_errors( 1168 __func__, 1169 "OpenSSL: Could not add issuer's issuer to OCSP responder trust store"); 1170 X509_free(cert); 1171 } 1172 } 1173 } 1174 } 1175 1176 status = OCSP_basic_verify(basic, certs, store, OCSP_TRUSTOTHER); 1177 sk_X509_pop_free(certs, X509_free); 1178 if (status <= 0) { 1179 tls_show_errors(__func__, 1180 "OpenSSL: OCSP response failed verification"); 1181 OCSP_BASICRESP_free(basic); 1182 OCSP_RESPONSE_free(rsp); 1183 ctx->last_err = "OCSP response failed verification"; 1184 return 0; 1185 } 1186 1187 wpa_printf(MSG_DEBUG, "OpenSSL: OCSP response verification succeeded"); 1188 1189 if (!ctx->peer_cert) { 1190 wpa_printf(MSG_DEBUG, "OpenSSL: Peer certificate not available for OCSP status check"); 1191 OCSP_BASICRESP_free(basic); 1192 OCSP_RESPONSE_free(rsp); 1193 ctx->last_err = "Peer certificate not available for OCSP status check"; 1194 return 0; 1195 } 1196 1197 if (!ctx->peer_issuer) { 1198 wpa_printf(MSG_DEBUG, "OpenSSL: Peer issuer certificate not available for OCSP status check"); 1199 OCSP_BASICRESP_free(basic); 1200 OCSP_RESPONSE_free(rsp); 1201 ctx->last_err = "Peer issuer certificate not available for OCSP status check"; 1202 return 0; 1203 } 1204 1205 id = OCSP_cert_to_id(NULL, ctx->peer_cert, ctx->peer_issuer); 1206 if (!id) { 1207 wpa_printf(MSG_DEBUG, "OpenSSL: Could not create OCSP certificate identifier"); 1208 OCSP_BASICRESP_free(basic); 1209 OCSP_RESPONSE_free(rsp); 1210 ctx->last_err = "Could not create OCSP certificate identifier"; 1211 return 0; 1212 } 1213 1214 if (!OCSP_resp_find_status(basic, id, &status, &reason, &produced_at, 1215 &this_update, &next_update)) { 1216 wpa_printf(MSG_INFO, "OpenSSL: Could not find current server certificate from OCSP response%s", 1217 (ctx->ocsp == MANDATORY_OCSP) ? "" : 1218 " (OCSP not required)"); 1219 OCSP_CERTID_free(id); 1220 OCSP_BASICRESP_free(basic); 1221 OCSP_RESPONSE_free(rsp); 1222 if (ctx->ocsp == MANDATORY_OCSP) 1223 1224 ctx->last_err = "Could not find current server certificate from OCSP response"; 1225 return (ctx->ocsp == MANDATORY_OCSP) ? 0 : 1; 1226 } 1227 OCSP_CERTID_free(id); 1228 1229 if (!OCSP_check_validity(this_update, next_update, 5 * 60, -1)) { 1230 tls_show_errors(__func__, "OpenSSL: OCSP status times invalid"); 1231 OCSP_BASICRESP_free(basic); 1232 OCSP_RESPONSE_free(rsp); 1233 ctx->last_err = "OCSP status times invalid"; 1234 return 0; 1235 } 1236 1237 OCSP_BASICRESP_free(basic); 1238 OCSP_RESPONSE_free(rsp); 1239 1240 wpa_printf(MSG_DEBUG, "OpenSSL: OCSP status for server certificate: %s", 1241 OCSP_cert_status_str(status)); 1242 1243 if (status == V_OCSP_CERTSTATUS_GOOD) 1244 return 1; 1245 if (status == V_OCSP_CERTSTATUS_REVOKED) { 1246 ctx->last_err = "Server certificate has been revoked"; 1247 return 0; 1248 } 1249 if (ctx->ocsp == MANDATORY_OCSP) { 1250 wpa_printf(MSG_DEBUG, "OpenSSL: OCSP status unknown, but OCSP required"); 1251 ctx->last_err = "OCSP status unknown"; 1252 return 0; 1253 } 1254 wpa_printf(MSG_DEBUG, "OpenSSL: OCSP status unknown, but OCSP was not required, so allow connection to continue"); 1255 return 1; 1256 } 1257 1258 1259 static SSL_METHOD patch_ssl_method; 1260 static const SSL_METHOD *real_ssl_method; 1261 1262 static int curl_patch_ssl_new(SSL *s) 1263 { 1264 SSL_CTX *ssl = s->ctx; 1265 int ret; 1266 1267 ssl->method = real_ssl_method; 1268 s->method = real_ssl_method; 1269 1270 ret = s->method->ssl_new(s); 1271 SSL_set_tlsext_status_type(s, TLSEXT_STATUSTYPE_ocsp); 1272 1273 return ret; 1274 } 1275 1276 #endif /* HAVE_OCSP */ 1277 1278 1279 static CURLcode curl_cb_ssl(CURL *curl, void *sslctx, void *parm) 1280 { 1281 struct http_ctx *ctx = parm; 1282 SSL_CTX *ssl = sslctx; 1283 1284 wpa_printf(MSG_DEBUG, "curl_cb_ssl"); 1285 SSL_CTX_set_app_data(ssl, ctx); 1286 SSL_CTX_set_verify(ssl, SSL_VERIFY_PEER, curl_cb_ssl_verify); 1287 1288 #ifdef HAVE_OCSP 1289 if (ctx->ocsp != NO_OCSP) { 1290 SSL_CTX_set_tlsext_status_cb(ssl, ocsp_resp_cb); 1291 SSL_CTX_set_tlsext_status_arg(ssl, ctx); 1292 1293 /* 1294 * Use a temporary SSL_METHOD to get a callback on SSL_new() 1295 * from libcurl since there is no proper callback registration 1296 * available for this. 1297 */ 1298 os_memset(&patch_ssl_method, 0, sizeof(patch_ssl_method)); 1299 patch_ssl_method.ssl_new = curl_patch_ssl_new; 1300 real_ssl_method = ssl->method; 1301 ssl->method = &patch_ssl_method; 1302 } 1303 #endif /* HAVE_OCSP */ 1304 1305 return CURLE_OK; 1306 } 1307 1308 #endif /* EAP_TLS_OPENSSL */ 1309 1310 1311 static CURL * setup_curl_post(struct http_ctx *ctx, const char *address, 1312 const char *ca_fname, const char *username, 1313 const char *password, const char *client_cert, 1314 const char *client_key) 1315 { 1316 CURL *curl; 1317 #ifdef EAP_TLS_OPENSSL 1318 const char *extra = " tls=openssl"; 1319 #else /* EAP_TLS_OPENSSL */ 1320 const char *extra = ""; 1321 #endif /* EAP_TLS_OPENSSL */ 1322 1323 wpa_printf(MSG_DEBUG, "Start HTTP client: address=%s ca_fname=%s " 1324 "username=%s%s", address, ca_fname, username, extra); 1325 1326 curl = curl_easy_init(); 1327 if (curl == NULL) 1328 return NULL; 1329 1330 curl_easy_setopt(curl, CURLOPT_URL, address); 1331 curl_easy_setopt(curl, CURLOPT_POST, 1L); 1332 if (ca_fname) { 1333 curl_easy_setopt(curl, CURLOPT_CAINFO, ca_fname); 1334 curl_easy_setopt(curl, CURLOPT_SSL_VERIFYPEER, 1L); 1335 #ifdef EAP_TLS_OPENSSL 1336 curl_easy_setopt(curl, CURLOPT_SSL_CTX_FUNCTION, curl_cb_ssl); 1337 curl_easy_setopt(curl, CURLOPT_SSL_CTX_DATA, ctx); 1338 #ifdef OPENSSL_IS_BORINGSSL 1339 /* For now, using the CURLOPT_SSL_VERIFYSTATUS option only 1340 * with BoringSSL since the OpenSSL specific callback hack to 1341 * enable OCSP is not available with BoringSSL. The OCSP 1342 * implementation within libcurl is not sufficient for the 1343 * Hotspot 2.0 OSU needs, so cannot use this with OpenSSL. 1344 */ 1345 if (ctx->ocsp != NO_OCSP) 1346 curl_easy_setopt(curl, CURLOPT_SSL_VERIFYSTATUS, 1L); 1347 #endif /* OPENSSL_IS_BORINGSSL */ 1348 #endif /* EAP_TLS_OPENSSL */ 1349 } else { 1350 curl_easy_setopt(curl, CURLOPT_SSL_VERIFYPEER, 0L); 1351 } 1352 if (client_cert && client_key) { 1353 curl_easy_setopt(curl, CURLOPT_SSLCERT, client_cert); 1354 curl_easy_setopt(curl, CURLOPT_SSLKEY, client_key); 1355 } 1356 /* TODO: use curl_easy_getinfo() with CURLINFO_CERTINFO to fetch 1357 * information about the server certificate */ 1358 curl_easy_setopt(curl, CURLOPT_CERTINFO, 1L); 1359 curl_easy_setopt(curl, CURLOPT_DEBUGFUNCTION, curl_cb_debug); 1360 curl_easy_setopt(curl, CURLOPT_DEBUGDATA, ctx); 1361 curl_easy_setopt(curl, CURLOPT_WRITEFUNCTION, curl_cb_write); 1362 curl_easy_setopt(curl, CURLOPT_WRITEDATA, ctx); 1363 curl_easy_setopt(curl, CURLOPT_VERBOSE, 1L); 1364 if (username) { 1365 curl_easy_setopt(curl, CURLOPT_HTTPAUTH, CURLAUTH_ANYSAFE); 1366 curl_easy_setopt(curl, CURLOPT_USERNAME, username); 1367 curl_easy_setopt(curl, CURLOPT_PASSWORD, password); 1368 } 1369 1370 return curl; 1371 } 1372 1373 1374 static int post_init_client(struct http_ctx *ctx, const char *address, 1375 const char *ca_fname, const char *username, 1376 const char *password, const char *client_cert, 1377 const char *client_key) 1378 { 1379 char *pos; 1380 int count; 1381 1382 clone_str(&ctx->svc_address, address); 1383 clone_str(&ctx->svc_ca_fname, ca_fname); 1384 clone_str(&ctx->svc_username, username); 1385 clone_str(&ctx->svc_password, password); 1386 clone_str(&ctx->svc_client_cert, client_cert); 1387 clone_str(&ctx->svc_client_key, client_key); 1388 1389 /* 1390 * Workaround for Apache "Hostname 'FOO' provided via SNI and hostname 1391 * 'foo' provided via HTTP are different. 1392 */ 1393 for (count = 0, pos = ctx->svc_address; count < 3 && pos && *pos; 1394 pos++) { 1395 if (*pos == '/') 1396 count++; 1397 *pos = tolower(*pos); 1398 } 1399 1400 ctx->curl = setup_curl_post(ctx, ctx->svc_address, ca_fname, username, 1401 password, client_cert, client_key); 1402 if (ctx->curl == NULL) 1403 return -1; 1404 1405 return 0; 1406 } 1407 1408 1409 int soap_init_client(struct http_ctx *ctx, const char *address, 1410 const char *ca_fname, const char *username, 1411 const char *password, const char *client_cert, 1412 const char *client_key) 1413 { 1414 if (post_init_client(ctx, address, ca_fname, username, password, 1415 client_cert, client_key) < 0) 1416 return -1; 1417 1418 ctx->curl_hdr = curl_slist_append(ctx->curl_hdr, 1419 "Content-Type: application/soap+xml"); 1420 ctx->curl_hdr = curl_slist_append(ctx->curl_hdr, "SOAPAction: "); 1421 ctx->curl_hdr = curl_slist_append(ctx->curl_hdr, "Expect:"); 1422 curl_easy_setopt(ctx->curl, CURLOPT_HTTPHEADER, ctx->curl_hdr); 1423 1424 return 0; 1425 } 1426 1427 1428 int soap_reinit_client(struct http_ctx *ctx) 1429 { 1430 char *address = NULL; 1431 char *ca_fname = NULL; 1432 char *username = NULL; 1433 char *password = NULL; 1434 char *client_cert = NULL; 1435 char *client_key = NULL; 1436 int ret; 1437 1438 clear_curl(ctx); 1439 1440 clone_str(&address, ctx->svc_address); 1441 clone_str(&ca_fname, ctx->svc_ca_fname); 1442 clone_str(&username, ctx->svc_username); 1443 clone_str(&password, ctx->svc_password); 1444 clone_str(&client_cert, ctx->svc_client_cert); 1445 clone_str(&client_key, ctx->svc_client_key); 1446 1447 ret = soap_init_client(ctx, address, ca_fname, username, password, 1448 client_cert, client_key); 1449 os_free(address); 1450 os_free(ca_fname); 1451 str_clear_free(username); 1452 str_clear_free(password); 1453 os_free(client_cert); 1454 os_free(client_key); 1455 return ret; 1456 } 1457 1458 1459 static void free_curl_buf(struct http_ctx *ctx) 1460 { 1461 os_free(ctx->curl_buf); 1462 ctx->curl_buf = NULL; 1463 ctx->curl_buf_len = 0; 1464 } 1465 1466 1467 xml_node_t * soap_send_receive(struct http_ctx *ctx, xml_node_t *node) 1468 { 1469 char *str; 1470 xml_node_t *envelope, *ret, *resp, *n; 1471 CURLcode res; 1472 long http = 0; 1473 1474 ctx->last_err = NULL; 1475 1476 wpa_printf(MSG_DEBUG, "SOAP: Sending message"); 1477 envelope = soap_build_envelope(ctx->xml, node); 1478 str = xml_node_to_str(ctx->xml, envelope); 1479 xml_node_free(ctx->xml, envelope); 1480 wpa_printf(MSG_MSGDUMP, "SOAP[%s]", str); 1481 1482 curl_easy_setopt(ctx->curl, CURLOPT_POSTFIELDS, str); 1483 free_curl_buf(ctx); 1484 1485 res = curl_easy_perform(ctx->curl); 1486 if (res != CURLE_OK) { 1487 if (!ctx->last_err) 1488 ctx->last_err = curl_easy_strerror(res); 1489 wpa_printf(MSG_ERROR, "curl_easy_perform() failed: %s", 1490 ctx->last_err); 1491 os_free(str); 1492 free_curl_buf(ctx); 1493 return NULL; 1494 } 1495 os_free(str); 1496 1497 curl_easy_getinfo(ctx->curl, CURLINFO_RESPONSE_CODE, &http); 1498 wpa_printf(MSG_DEBUG, "SOAP: Server response code %ld", http); 1499 if (http != 200) { 1500 ctx->last_err = "HTTP download failed"; 1501 wpa_printf(MSG_INFO, "HTTP download failed - code %ld", http); 1502 free_curl_buf(ctx); 1503 return NULL; 1504 } 1505 1506 if (ctx->curl_buf == NULL) 1507 return NULL; 1508 1509 wpa_printf(MSG_MSGDUMP, "Server response:\n%s", ctx->curl_buf); 1510 resp = xml_node_from_buf(ctx->xml, ctx->curl_buf); 1511 free_curl_buf(ctx); 1512 if (resp == NULL) { 1513 wpa_printf(MSG_INFO, "Could not parse SOAP response"); 1514 ctx->last_err = "Could not parse SOAP response"; 1515 return NULL; 1516 } 1517 1518 ret = soap_get_body(ctx->xml, resp); 1519 if (ret == NULL) { 1520 wpa_printf(MSG_INFO, "Could not get SOAP body"); 1521 ctx->last_err = "Could not get SOAP body"; 1522 return NULL; 1523 } 1524 1525 wpa_printf(MSG_DEBUG, "SOAP body localname: '%s'", 1526 xml_node_get_localname(ctx->xml, ret)); 1527 n = xml_node_copy(ctx->xml, ret); 1528 xml_node_free(ctx->xml, resp); 1529 1530 return n; 1531 } 1532 1533 1534 struct http_ctx * http_init_ctx(void *upper_ctx, struct xml_node_ctx *xml_ctx) 1535 { 1536 struct http_ctx *ctx; 1537 1538 ctx = os_zalloc(sizeof(*ctx)); 1539 if (ctx == NULL) 1540 return NULL; 1541 ctx->ctx = upper_ctx; 1542 ctx->xml = xml_ctx; 1543 ctx->ocsp = OPTIONAL_OCSP; 1544 1545 curl_global_init(CURL_GLOBAL_ALL); 1546 1547 return ctx; 1548 } 1549 1550 1551 void http_ocsp_set(struct http_ctx *ctx, int val) 1552 { 1553 if (val == 0) 1554 ctx->ocsp = NO_OCSP; 1555 else if (val == 1) 1556 ctx->ocsp = OPTIONAL_OCSP; 1557 if (val == 2) 1558 ctx->ocsp = MANDATORY_OCSP; 1559 } 1560 1561 1562 void http_deinit_ctx(struct http_ctx *ctx) 1563 { 1564 clear_curl(ctx); 1565 os_free(ctx->curl_buf); 1566 curl_global_cleanup(); 1567 1568 os_free(ctx->svc_address); 1569 os_free(ctx->svc_ca_fname); 1570 str_clear_free(ctx->svc_username); 1571 str_clear_free(ctx->svc_password); 1572 os_free(ctx->svc_client_cert); 1573 os_free(ctx->svc_client_key); 1574 1575 os_free(ctx); 1576 } 1577 1578 1579 int http_download_file(struct http_ctx *ctx, const char *url, 1580 const char *fname, const char *ca_fname) 1581 { 1582 CURL *curl; 1583 FILE *f; 1584 CURLcode res; 1585 long http = 0; 1586 1587 ctx->last_err = NULL; 1588 1589 wpa_printf(MSG_DEBUG, "curl: Download file from %s to %s (ca=%s)", 1590 url, fname, ca_fname); 1591 curl = curl_easy_init(); 1592 if (curl == NULL) 1593 return -1; 1594 1595 f = fopen(fname, "wb"); 1596 if (f == NULL) { 1597 curl_easy_cleanup(curl); 1598 return -1; 1599 } 1600 1601 curl_easy_setopt(curl, CURLOPT_URL, url); 1602 if (ca_fname) { 1603 curl_easy_setopt(curl, CURLOPT_CAINFO, ca_fname); 1604 curl_easy_setopt(curl, CURLOPT_SSL_VERIFYPEER, 1L); 1605 curl_easy_setopt(curl, CURLOPT_CERTINFO, 1L); 1606 } else { 1607 curl_easy_setopt(curl, CURLOPT_SSL_VERIFYPEER, 0L); 1608 } 1609 curl_easy_setopt(curl, CURLOPT_DEBUGFUNCTION, curl_cb_debug); 1610 curl_easy_setopt(curl, CURLOPT_DEBUGDATA, ctx); 1611 curl_easy_setopt(curl, CURLOPT_WRITEFUNCTION, fwrite); 1612 curl_easy_setopt(curl, CURLOPT_WRITEDATA, f); 1613 curl_easy_setopt(curl, CURLOPT_VERBOSE, 1L); 1614 1615 res = curl_easy_perform(curl); 1616 if (res != CURLE_OK) { 1617 if (!ctx->last_err) 1618 ctx->last_err = curl_easy_strerror(res); 1619 wpa_printf(MSG_ERROR, "curl_easy_perform() failed: %s", 1620 ctx->last_err); 1621 curl_easy_cleanup(curl); 1622 fclose(f); 1623 return -1; 1624 } 1625 1626 curl_easy_getinfo(curl, CURLINFO_RESPONSE_CODE, &http); 1627 wpa_printf(MSG_DEBUG, "curl: Server response code %ld", http); 1628 if (http != 200) { 1629 ctx->last_err = "HTTP download failed"; 1630 wpa_printf(MSG_INFO, "HTTP download failed - code %ld", http); 1631 curl_easy_cleanup(curl); 1632 fclose(f); 1633 return -1; 1634 } 1635 1636 curl_easy_cleanup(curl); 1637 fclose(f); 1638 1639 return 0; 1640 } 1641 1642 1643 char * http_post(struct http_ctx *ctx, const char *url, const char *data, 1644 const char *content_type, const char *ext_hdr, 1645 const char *ca_fname, 1646 const char *username, const char *password, 1647 const char *client_cert, const char *client_key, 1648 size_t *resp_len) 1649 { 1650 long http = 0; 1651 CURLcode res; 1652 char *ret; 1653 CURL *curl; 1654 struct curl_slist *curl_hdr = NULL; 1655 1656 ctx->last_err = NULL; 1657 wpa_printf(MSG_DEBUG, "curl: HTTP POST to %s", url); 1658 curl = setup_curl_post(ctx, url, ca_fname, username, password, 1659 client_cert, client_key); 1660 if (curl == NULL) 1661 return NULL; 1662 1663 if (content_type) { 1664 char ct[200]; 1665 snprintf(ct, sizeof(ct), "Content-Type: %s", content_type); 1666 curl_hdr = curl_slist_append(curl_hdr, ct); 1667 } 1668 if (ext_hdr) 1669 curl_hdr = curl_slist_append(curl_hdr, ext_hdr); 1670 curl_easy_setopt(curl, CURLOPT_HTTPHEADER, curl_hdr); 1671 1672 curl_easy_setopt(curl, CURLOPT_POSTFIELDS, data); 1673 free_curl_buf(ctx); 1674 1675 res = curl_easy_perform(curl); 1676 if (res != CURLE_OK) { 1677 if (!ctx->last_err) 1678 ctx->last_err = curl_easy_strerror(res); 1679 wpa_printf(MSG_ERROR, "curl_easy_perform() failed: %s", 1680 ctx->last_err); 1681 free_curl_buf(ctx); 1682 return NULL; 1683 } 1684 1685 curl_easy_getinfo(curl, CURLINFO_RESPONSE_CODE, &http); 1686 wpa_printf(MSG_DEBUG, "curl: Server response code %ld", http); 1687 if (http != 200) { 1688 ctx->last_err = "HTTP POST failed"; 1689 wpa_printf(MSG_INFO, "HTTP POST failed - code %ld", http); 1690 free_curl_buf(ctx); 1691 return NULL; 1692 } 1693 1694 if (ctx->curl_buf == NULL) 1695 return NULL; 1696 1697 ret = ctx->curl_buf; 1698 if (resp_len) 1699 *resp_len = ctx->curl_buf_len; 1700 ctx->curl_buf = NULL; 1701 ctx->curl_buf_len = 0; 1702 1703 wpa_printf(MSG_MSGDUMP, "Server response:\n%s", ret); 1704 1705 return ret; 1706 } 1707 1708 1709 void http_set_cert_cb(struct http_ctx *ctx, 1710 int (*cb)(void *ctx, struct http_cert *cert), 1711 void *cb_ctx) 1712 { 1713 ctx->cert_cb = cb; 1714 ctx->cert_cb_ctx = cb_ctx; 1715 } 1716 1717 1718 const char * http_get_err(struct http_ctx *ctx) 1719 { 1720 return ctx->last_err; 1721 } 1722