2 * HTTP wrapper for libcurl
3 * Copyright (c) 2012-2014, Qualcomm Atheros, Inc.
5 * This software may be distributed under the terms of the BSD license.
6 * See README for more details.
10 #include <curl/curl.h>
11 #ifdef EAP_TLS_OPENSSL
12 #include <openssl/ssl.h>
13 #include <openssl/asn1.h>
14 #include <openssl/asn1t.h>
15 #include <openssl/x509v3.h>
17 #ifdef SSL_set_tlsext_status_type
18 #ifndef OPENSSL_NO_TLSEXT
20 #include <openssl/err.h>
21 #include <openssl/ocsp.h>
22 #endif /* OPENSSL_NO_TLSEXT */
23 #endif /* SSL_set_tlsext_status_type */
24 #endif /* EAP_TLS_OPENSSL */
27 #include "xml-utils.h"
28 #include "http-utils.h"
29 #ifdef EAP_TLS_OPENSSL
30 #include "crypto/tls_openssl.h"
31 #endif /* EAP_TLS_OPENSSL */
36 struct xml_node_ctx
*xml
;
38 struct curl_slist
*curl_hdr
;
43 char *svc_client_cert
;
48 int (*cert_cb
)(void *ctx
, struct http_cert
*cert
);
52 NO_OCSP
, OPTIONAL_OCSP
, MANDATORY_OCSP
56 X509
*peer_issuer_issuer
;
62 static void clear_curl(struct http_ctx
*ctx
)
65 curl_easy_cleanup(ctx
->curl
);
69 curl_slist_free_all(ctx
->curl_hdr
);
75 static void clone_str(char **dst
, const char *src
)
79 *dst
= os_strdup(src
);
85 static void debug_dump(struct http_ctx
*ctx
, const char *title
,
86 const char *buf
, size_t len
)
91 for (i
= 0; i
< len
; i
++) {
92 if (buf
[i
] < 32 && buf
[i
] != '\t' && buf
[i
] != '\n' &&
94 wpa_hexdump_ascii(MSG_MSGDUMP
, title
, buf
, len
);
99 txt
= os_malloc(len
+ 1);
102 os_memcpy(txt
, buf
, len
);
106 if (txt
[len
] == '\n' || txt
[len
] == '\r')
111 wpa_printf(MSG_MSGDUMP
, "%s[%s]", title
, txt
);
116 static int curl_cb_debug(CURL
*curl
, curl_infotype info
, char *buf
, size_t len
,
119 struct http_ctx
*ctx
= userdata
;
122 debug_dump(ctx
, "CURLINFO_TEXT", buf
, len
);
124 case CURLINFO_HEADER_IN
:
125 debug_dump(ctx
, "CURLINFO_HEADER_IN", buf
, len
);
127 case CURLINFO_HEADER_OUT
:
128 debug_dump(ctx
, "CURLINFO_HEADER_OUT", buf
, len
);
130 case CURLINFO_DATA_IN
:
131 debug_dump(ctx
, "CURLINFO_DATA_IN", buf
, len
);
133 case CURLINFO_DATA_OUT
:
134 debug_dump(ctx
, "CURLINFO_DATA_OUT", buf
, len
);
136 case CURLINFO_SSL_DATA_IN
:
137 wpa_printf(MSG_DEBUG
, "debug - CURLINFO_SSL_DATA_IN - %d",
140 case CURLINFO_SSL_DATA_OUT
:
141 wpa_printf(MSG_DEBUG
, "debug - CURLINFO_SSL_DATA_OUT - %d",
145 wpa_printf(MSG_DEBUG
, "debug - CURLINFO_END - %d",
153 static size_t curl_cb_write(void *ptr
, size_t size
, size_t nmemb
,
156 struct http_ctx
*ctx
= userdata
;
158 n
= os_realloc(ctx
->curl_buf
, ctx
->curl_buf_len
+ size
* nmemb
+ 1);
162 os_memcpy(n
+ ctx
->curl_buf_len
, ptr
, size
* nmemb
);
163 n
[ctx
->curl_buf_len
+ size
* nmemb
] = '\0';
164 ctx
->curl_buf_len
+= size
* nmemb
;
169 #ifdef EAP_TLS_OPENSSL
171 static void debug_dump_cert(const char *title
, X509
*cert
)
177 out
= BIO_new(BIO_s_mem());
181 X509_print_ex(out
, cert
, XN_FLAG_COMPAT
, X509_FLAG_COMPAT
);
182 rlen
= BIO_ctrl_pending(out
);
183 txt
= os_malloc(rlen
+ 1);
185 int res
= BIO_read(out
, txt
, rlen
);
188 wpa_printf(MSG_MSGDUMP
, "%s:\n%s", title
, txt
);
196 static void add_alt_name_othername(struct http_ctx
*ctx
, struct http_cert
*cert
,
201 struct http_othername
*on
;
204 on
= os_realloc_array(cert
->othername
, cert
->num_othername
+ 1,
205 sizeof(struct http_othername
));
208 cert
->othername
= on
;
209 on
= &on
[cert
->num_othername
];
210 os_memset(on
, 0, sizeof(*on
));
212 res
= OBJ_obj2txt(txt
, sizeof(txt
), o
->type_id
, 1);
213 if (res
< 0 || res
>= (int) sizeof(txt
))
216 on
->oid
= os_strdup(txt
);
221 on
->data
= val
->value
.octet_string
->data
;
222 on
->len
= val
->value
.octet_string
->length
;
224 cert
->num_othername
++;
228 static void add_alt_name_dns(struct http_ctx
*ctx
, struct http_cert
*cert
,
235 if (ASN1_STRING_to_UTF8((unsigned char **) &buf
, name
) < 0)
238 n
= os_realloc_array(cert
->dnsname
, cert
->num_dnsname
+ 1,
244 n
[cert
->num_dnsname
] = buf
;
249 static void add_alt_name(struct http_ctx
*ctx
, struct http_cert
*cert
,
250 const GENERAL_NAME
*name
)
252 switch (name
->type
) {
254 add_alt_name_othername(ctx
, cert
, name
->d
.otherName
);
257 add_alt_name_dns(ctx
, cert
, name
->d
.dNSName
);
263 static void add_alt_names(struct http_ctx
*ctx
, struct http_cert
*cert
,
264 GENERAL_NAMES
*names
)
268 num
= sk_GENERAL_NAME_num(names
);
269 for (i
= 0; i
< num
; i
++) {
270 const GENERAL_NAME
*name
;
271 name
= sk_GENERAL_NAME_value(names
, i
);
272 add_alt_name(ctx
, cert
, name
);
281 ASN1_OCTET_STRING
*hashValue
;
285 STACK_OF(HashAlgAndValue
) *refStructHash
;
286 STACK_OF(ASN1_IA5STRING
) *refStructURI
;
290 ASN1_IA5STRING
*mediaType
;
291 STACK_OF(HashAlgAndValue
) *logotypeHash
;
292 STACK_OF(ASN1_IA5STRING
) *logotypeURI
;
298 ASN1_INTEGER
*numBits
;
299 ASN1_INTEGER
*tableSize
;
301 } LogotypeImageResolution
;
304 ASN1_INTEGER
*type
; /* LogotypeImageType ::= INTEGER */
305 ASN1_INTEGER
*fileSize
;
308 LogotypeImageResolution
*resolution
;
309 ASN1_IA5STRING
*language
;
313 LogotypeDetails
*imageDetails
;
314 LogotypeImageInfo
*imageInfo
;
318 ASN1_INTEGER
*fileSize
;
319 ASN1_INTEGER
*playTime
;
320 ASN1_INTEGER
*channels
;
321 ASN1_INTEGER
*sampleRate
;
322 ASN1_IA5STRING
*language
;
326 LogotypeDetails
*audioDetails
;
327 LogotypeAudioInfo
*audioInfo
;
331 STACK_OF(LogotypeImage
) *image
;
332 STACK_OF(LogotypeAudio
) *audio
;
338 LogotypeData
*direct
;
339 LogotypeReference
*indirect
;
344 ASN1_OBJECT
*logotypeType
;
349 STACK_OF(LogotypeInfo
) *communityLogos
;
350 LogotypeInfo
*issuerLogo
;
351 LogotypeInfo
*subjectLogo
;
352 STACK_OF(OtherLogotypeInfo
) *otherLogos
;
355 ASN1_SEQUENCE(HashAlgAndValue
) = {
356 ASN1_SIMPLE(HashAlgAndValue
, hashAlg
, X509_ALGOR
),
357 ASN1_SIMPLE(HashAlgAndValue
, hashValue
, ASN1_OCTET_STRING
)
358 } ASN1_SEQUENCE_END(HashAlgAndValue
);
360 ASN1_SEQUENCE(LogotypeReference
) = {
361 ASN1_SEQUENCE_OF(LogotypeReference
, refStructHash
, HashAlgAndValue
),
362 ASN1_SEQUENCE_OF(LogotypeReference
, refStructURI
, ASN1_IA5STRING
)
363 } ASN1_SEQUENCE_END(LogotypeReference
);
365 ASN1_SEQUENCE(LogotypeDetails
) = {
366 ASN1_SIMPLE(LogotypeDetails
, mediaType
, ASN1_IA5STRING
),
367 ASN1_SEQUENCE_OF(LogotypeDetails
, logotypeHash
, HashAlgAndValue
),
368 ASN1_SEQUENCE_OF(LogotypeDetails
, logotypeURI
, ASN1_IA5STRING
)
369 } ASN1_SEQUENCE_END(LogotypeDetails
);
371 ASN1_CHOICE(LogotypeImageResolution
) = {
372 ASN1_IMP(LogotypeImageResolution
, d
.numBits
, ASN1_INTEGER
, 1),
373 ASN1_IMP(LogotypeImageResolution
, d
.tableSize
, ASN1_INTEGER
, 2)
374 } ASN1_CHOICE_END(LogotypeImageResolution
);
376 ASN1_SEQUENCE(LogotypeImageInfo
) = {
377 ASN1_IMP_OPT(LogotypeImageInfo
, type
, ASN1_INTEGER
, 0),
378 ASN1_SIMPLE(LogotypeImageInfo
, fileSize
, ASN1_INTEGER
),
379 ASN1_SIMPLE(LogotypeImageInfo
, xSize
, ASN1_INTEGER
),
380 ASN1_SIMPLE(LogotypeImageInfo
, ySize
, ASN1_INTEGER
),
381 ASN1_OPT(LogotypeImageInfo
, resolution
, LogotypeImageResolution
),
382 ASN1_IMP_OPT(LogotypeImageInfo
, language
, ASN1_IA5STRING
, 4),
383 } ASN1_SEQUENCE_END(LogotypeImageInfo
);
385 ASN1_SEQUENCE(LogotypeImage
) = {
386 ASN1_SIMPLE(LogotypeImage
, imageDetails
, LogotypeDetails
),
387 ASN1_OPT(LogotypeImage
, imageInfo
, LogotypeImageInfo
)
388 } ASN1_SEQUENCE_END(LogotypeImage
);
390 ASN1_SEQUENCE(LogotypeAudioInfo
) = {
391 ASN1_SIMPLE(LogotypeAudioInfo
, fileSize
, ASN1_INTEGER
),
392 ASN1_SIMPLE(LogotypeAudioInfo
, playTime
, ASN1_INTEGER
),
393 ASN1_SIMPLE(LogotypeAudioInfo
, channels
, ASN1_INTEGER
),
394 ASN1_IMP_OPT(LogotypeAudioInfo
, sampleRate
, ASN1_INTEGER
, 3),
395 ASN1_IMP_OPT(LogotypeAudioInfo
, language
, ASN1_IA5STRING
, 4)
396 } ASN1_SEQUENCE_END(LogotypeAudioInfo
);
398 ASN1_SEQUENCE(LogotypeAudio
) = {
399 ASN1_SIMPLE(LogotypeAudio
, audioDetails
, LogotypeDetails
),
400 ASN1_OPT(LogotypeAudio
, audioInfo
, LogotypeAudioInfo
)
401 } ASN1_SEQUENCE_END(LogotypeAudio
);
403 ASN1_SEQUENCE(LogotypeData
) = {
404 ASN1_SEQUENCE_OF_OPT(LogotypeData
, image
, LogotypeImage
),
405 ASN1_IMP_SEQUENCE_OF_OPT(LogotypeData
, audio
, LogotypeAudio
, 1)
406 } ASN1_SEQUENCE_END(LogotypeData
);
408 ASN1_CHOICE(LogotypeInfo
) = {
409 ASN1_IMP(LogotypeInfo
, d
.direct
, LogotypeData
, 0),
410 ASN1_IMP(LogotypeInfo
, d
.indirect
, LogotypeReference
, 1)
411 } ASN1_CHOICE_END(LogotypeInfo
);
413 ASN1_SEQUENCE(OtherLogotypeInfo
) = {
414 ASN1_SIMPLE(OtherLogotypeInfo
, logotypeType
, ASN1_OBJECT
),
415 ASN1_SIMPLE(OtherLogotypeInfo
, info
, LogotypeInfo
)
416 } ASN1_SEQUENCE_END(OtherLogotypeInfo
);
418 ASN1_SEQUENCE(LogotypeExtn
) = {
419 ASN1_EXP_SEQUENCE_OF_OPT(LogotypeExtn
, communityLogos
, LogotypeInfo
, 0),
420 ASN1_EXP_OPT(LogotypeExtn
, issuerLogo
, LogotypeInfo
, 1),
421 ASN1_EXP_OPT(LogotypeExtn
, issuerLogo
, LogotypeInfo
, 2),
422 ASN1_EXP_SEQUENCE_OF_OPT(LogotypeExtn
, otherLogos
, OtherLogotypeInfo
, 3)
423 } ASN1_SEQUENCE_END(LogotypeExtn
);
425 IMPLEMENT_ASN1_FUNCTIONS(LogotypeExtn
);
427 #ifdef OPENSSL_IS_BORINGSSL
428 #define sk_LogotypeInfo_num(st) \
429 sk_num(CHECKED_CAST(_STACK *, STACK_OF(LogotypeInfo) *, (st)))
430 #define sk_LogotypeInfo_value(st, i) (LogotypeInfo *) \
431 sk_value(CHECKED_CAST(_STACK *, const STACK_OF(LogotypeInfo) *, (st)), (i))
432 #define sk_LogotypeImage_num(st) \
433 sk_num(CHECKED_CAST(_STACK *, STACK_OF(LogotypeImage) *, (st)))
434 #define sk_LogotypeImage_value(st, i) (LogotypeImage *) \
435 sk_value(CHECKED_CAST(_STACK *, const STACK_OF(LogotypeImage) *, (st)), (i))
436 #define sk_LogotypeAudio_num(st) \
437 sk_num(CHECKED_CAST(_STACK *, STACK_OF(LogotypeAudio) *, (st)))
438 #define sk_LogotypeAudio_value(st, i) (LogotypeAudio *) \
439 sk_value(CHECK_CAST(_STACK *, const STACK_OF(LogotypeAudio) *, (st)), (i))
440 #define sk_HashAlgAndValue_num(st) \
441 sk_num(CHECKED_CAST(_STACK *, STACK_OF(HashAlgAndValue) *, (st)))
442 #define sk_HashAlgAndValue_value(st, i) (HashAlgAndValue *) \
443 sk_value(CHECKED_CAST(_STACK *, const STACK_OF(HashAlgAndValue) *, (st)), (i))
444 #define sk_ASN1_IA5STRING_num(st) \
445 sk_num(CHECKED_CAST(_STACK *, STACK_OF(ASN1_IA5STRING) *, (st)))
446 #define sk_ASN1_IA5STRING_value(st, i) (ASN1_IA5STRING *) \
447 sk_value(CHECKED_CAST(_STACK *, const STACK_OF(ASN1_IA5STRING) *, (st)), (i))
448 #else /* OPENSSL_IS_BORINGSSL */
449 #define sk_LogotypeInfo_num(st) SKM_sk_num(LogotypeInfo, (st))
450 #define sk_LogotypeInfo_value(st, i) SKM_sk_value(LogotypeInfo, (st), (i))
451 #define sk_LogotypeImage_num(st) SKM_sk_num(LogotypeImage, (st))
452 #define sk_LogotypeImage_value(st, i) SKM_sk_value(LogotypeImage, (st), (i))
453 #define sk_LogotypeAudio_num(st) SKM_sk_num(LogotypeAudio, (st))
454 #define sk_LogotypeAudio_value(st, i) SKM_sk_value(LogotypeAudio, (st), (i))
455 #define sk_HashAlgAndValue_num(st) SKM_sk_num(HashAlgAndValue, (st))
456 #define sk_HashAlgAndValue_value(st, i) SKM_sk_value(HashAlgAndValue, (st), (i))
457 #define sk_ASN1_IA5STRING_num(st) SKM_sk_num(ASN1_IA5STRING, (st))
458 #define sk_ASN1_IA5STRING_value(st, i) SKM_sk_value(ASN1_IA5STRING, (st), (i))
459 #endif /* OPENSSL_IS_BORINGSSL */
462 static void add_logo(struct http_ctx
*ctx
, struct http_cert
*hcert
,
463 HashAlgAndValue
*hash
, ASN1_IA5STRING
*uri
)
469 if (hash
== NULL
|| uri
== NULL
)
472 res
= OBJ_obj2txt(txt
, sizeof(txt
), hash
->hashAlg
->algorithm
, 1);
473 if (res
< 0 || res
>= (int) sizeof(txt
))
476 n
= os_realloc_array(hcert
->logo
, hcert
->num_logo
+ 1,
477 sizeof(struct http_logo
));
481 n
= &hcert
->logo
[hcert
->num_logo
];
482 os_memset(n
, 0, sizeof(*n
));
484 n
->alg_oid
= os_strdup(txt
);
485 if (n
->alg_oid
== NULL
)
488 n
->hash_len
= ASN1_STRING_length(hash
->hashValue
);
489 n
->hash
= os_malloc(n
->hash_len
);
490 if (n
->hash
== NULL
) {
494 os_memcpy(n
->hash
, ASN1_STRING_data(hash
->hashValue
), n
->hash_len
);
496 len
= ASN1_STRING_length(uri
);
497 n
->uri
= os_malloc(len
+ 1);
498 if (n
->uri
== NULL
) {
503 os_memcpy(n
->uri
, ASN1_STRING_data(uri
), len
);
510 static void add_logo_direct(struct http_ctx
*ctx
, struct http_cert
*hcert
,
515 if (data
->image
== NULL
)
518 num
= sk_LogotypeImage_num(data
->image
);
519 for (i
= 0; i
< num
; i
++) {
520 LogotypeImage
*image
;
521 LogotypeDetails
*details
;
522 int j
, hash_num
, uri_num
;
523 HashAlgAndValue
*found_hash
= NULL
;
525 image
= sk_LogotypeImage_value(data
->image
, i
);
529 details
= image
->imageDetails
;
533 hash_num
= sk_HashAlgAndValue_num(details
->logotypeHash
);
534 for (j
= 0; j
< hash_num
; j
++) {
535 HashAlgAndValue
*hash
;
538 hash
= sk_HashAlgAndValue_value(details
->logotypeHash
,
542 res
= OBJ_obj2txt(txt
, sizeof(txt
),
543 hash
->hashAlg
->algorithm
, 1);
544 if (res
< 0 || res
>= (int) sizeof(txt
))
546 if (os_strcmp(txt
, "2.16.840.1.101.3.4.2.1") == 0) {
553 wpa_printf(MSG_DEBUG
, "OpenSSL: No SHA256 hash found for the logo");
557 uri_num
= sk_ASN1_IA5STRING_num(details
->logotypeURI
);
558 for (j
= 0; j
< uri_num
; j
++) {
560 uri
= sk_ASN1_IA5STRING_value(details
->logotypeURI
, j
);
561 add_logo(ctx
, hcert
, found_hash
, uri
);
567 static void add_logo_indirect(struct http_ctx
*ctx
, struct http_cert
*hcert
,
568 LogotypeReference
*ref
)
570 int j
, hash_num
, uri_num
;
572 hash_num
= sk_HashAlgAndValue_num(ref
->refStructHash
);
573 uri_num
= sk_ASN1_IA5STRING_num(ref
->refStructURI
);
574 if (hash_num
!= uri_num
) {
575 wpa_printf(MSG_INFO
, "Unexpected LogotypeReference array size difference %d != %d",
580 for (j
= 0; j
< hash_num
; j
++) {
581 HashAlgAndValue
*hash
;
583 hash
= sk_HashAlgAndValue_value(ref
->refStructHash
, j
);
584 uri
= sk_ASN1_IA5STRING_value(ref
->refStructURI
, j
);
585 add_logo(ctx
, hcert
, hash
, uri
);
590 static void i2r_HashAlgAndValue(HashAlgAndValue
*hash
, BIO
*out
, int indent
)
593 const unsigned char *data
;
595 BIO_printf(out
, "%*shashAlg: ", indent
, "");
596 i2a_ASN1_OBJECT(out
, hash
->hashAlg
->algorithm
);
597 BIO_printf(out
, "\n");
599 BIO_printf(out
, "%*shashValue: ", indent
, "");
600 data
= hash
->hashValue
->data
;
601 for (i
= 0; i
< hash
->hashValue
->length
; i
++)
602 BIO_printf(out
, "%s%02x", i
> 0 ? ":" : "", data
[i
]);
603 BIO_printf(out
, "\n");
606 static void i2r_LogotypeDetails(LogotypeDetails
*details
, BIO
*out
, int indent
)
610 BIO_printf(out
, "%*sLogotypeDetails\n", indent
, "");
611 if (details
->mediaType
) {
612 BIO_printf(out
, "%*smediaType: ", indent
, "");
613 ASN1_STRING_print(out
, details
->mediaType
);
614 BIO_printf(out
, "\n");
617 num
= details
->logotypeHash
?
618 sk_HashAlgAndValue_num(details
->logotypeHash
) : 0;
619 for (i
= 0; i
< num
; i
++) {
620 HashAlgAndValue
*hash
;
621 hash
= sk_HashAlgAndValue_value(details
->logotypeHash
, i
);
622 i2r_HashAlgAndValue(hash
, out
, indent
);
625 num
= details
->logotypeURI
?
626 sk_ASN1_IA5STRING_num(details
->logotypeURI
) : 0;
627 for (i
= 0; i
< num
; i
++) {
629 uri
= sk_ASN1_IA5STRING_value(details
->logotypeURI
, i
);
630 BIO_printf(out
, "%*slogotypeURI: ", indent
, "");
631 ASN1_STRING_print(out
, uri
);
632 BIO_printf(out
, "\n");
636 static void i2r_LogotypeImageInfo(LogotypeImageInfo
*info
, BIO
*out
, int indent
)
640 BIO_printf(out
, "%*sLogotypeImageInfo\n", indent
, "");
642 val
= ASN1_INTEGER_get(info
->type
);
643 BIO_printf(out
, "%*stype: %ld\n", indent
, "", val
);
645 BIO_printf(out
, "%*stype: default (1)\n", indent
, "");
647 val
= ASN1_INTEGER_get(info
->fileSize
);
648 BIO_printf(out
, "%*sfileSize: %ld\n", indent
, "", val
);
649 val
= ASN1_INTEGER_get(info
->xSize
);
650 BIO_printf(out
, "%*sxSize: %ld\n", indent
, "", val
);
651 val
= ASN1_INTEGER_get(info
->ySize
);
652 BIO_printf(out
, "%*sySize: %ld\n", indent
, "", val
);
653 if (info
->resolution
) {
654 BIO_printf(out
, "%*sresolution [%d]\n", indent
, "",
655 info
->resolution
->type
);
656 switch (info
->resolution
->type
) {
658 val
= ASN1_INTEGER_get(info
->resolution
->d
.numBits
);
659 BIO_printf(out
, "%*snumBits: %ld\n", indent
, "", val
);
662 val
= ASN1_INTEGER_get(info
->resolution
->d
.tableSize
);
663 BIO_printf(out
, "%*stableSize: %ld\n", indent
, "", val
);
667 if (info
->language
) {
668 BIO_printf(out
, "%*slanguage: ", indent
, "");
669 ASN1_STRING_print(out
, info
->language
);
670 BIO_printf(out
, "\n");
674 static void i2r_LogotypeImage(LogotypeImage
*image
, BIO
*out
, int indent
)
676 BIO_printf(out
, "%*sLogotypeImage\n", indent
, "");
677 if (image
->imageDetails
) {
678 i2r_LogotypeDetails(image
->imageDetails
, out
, indent
+ 4);
680 if (image
->imageInfo
) {
681 i2r_LogotypeImageInfo(image
->imageInfo
, out
, indent
+ 4);
685 static void i2r_LogotypeData(LogotypeData
*data
, const char *title
, BIO
*out
,
690 BIO_printf(out
, "%*s%s - LogotypeData\n", indent
, "", title
);
692 num
= data
->image
? sk_LogotypeImage_num(data
->image
) : 0;
693 for (i
= 0; i
< num
; i
++) {
694 LogotypeImage
*image
= sk_LogotypeImage_value(data
->image
, i
);
695 i2r_LogotypeImage(image
, out
, indent
+ 4);
698 num
= data
->audio
? sk_LogotypeAudio_num(data
->audio
) : 0;
699 for (i
= 0; i
< num
; i
++) {
700 BIO_printf(out
, "%*saudio: TODO\n", indent
, "");
704 static void i2r_LogotypeReference(LogotypeReference
*ref
, const char *title
,
705 BIO
*out
, int indent
)
707 int i
, hash_num
, uri_num
;
709 BIO_printf(out
, "%*s%s - LogotypeReference\n", indent
, "", title
);
711 hash_num
= ref
->refStructHash
?
712 sk_HashAlgAndValue_num(ref
->refStructHash
) : 0;
713 uri_num
= ref
->refStructURI
?
714 sk_ASN1_IA5STRING_num(ref
->refStructURI
) : 0;
715 if (hash_num
!= uri_num
) {
716 BIO_printf(out
, "%*sUnexpected LogotypeReference array size difference %d != %d\n",
717 indent
, "", hash_num
, uri_num
);
721 for (i
= 0; i
< hash_num
; i
++) {
722 HashAlgAndValue
*hash
;
725 hash
= sk_HashAlgAndValue_value(ref
->refStructHash
, i
);
726 i2r_HashAlgAndValue(hash
, out
, indent
);
728 uri
= sk_ASN1_IA5STRING_value(ref
->refStructURI
, i
);
729 BIO_printf(out
, "%*srefStructURI: ", indent
, "");
730 ASN1_STRING_print(out
, uri
);
731 BIO_printf(out
, "\n");
735 static void i2r_LogotypeInfo(LogotypeInfo
*info
, const char *title
, BIO
*out
,
738 switch (info
->type
) {
740 i2r_LogotypeData(info
->d
.direct
, title
, out
, indent
);
743 i2r_LogotypeReference(info
->d
.indirect
, title
, out
, indent
);
748 static void debug_print_logotypeext(LogotypeExtn
*logo
)
754 out
= BIO_new_fp(stdout
, BIO_NOCLOSE
);
758 if (logo
->communityLogos
) {
759 num
= sk_LogotypeInfo_num(logo
->communityLogos
);
760 for (i
= 0; i
< num
; i
++) {
762 info
= sk_LogotypeInfo_value(logo
->communityLogos
, i
);
763 i2r_LogotypeInfo(info
, "communityLogo", out
, indent
);
767 if (logo
->issuerLogo
) {
768 i2r_LogotypeInfo(logo
->issuerLogo
, "issuerLogo", out
, indent
);
771 if (logo
->subjectLogo
) {
772 i2r_LogotypeInfo(logo
->subjectLogo
, "subjectLogo", out
, indent
);
775 if (logo
->otherLogos
) {
776 BIO_printf(out
, "%*sotherLogos - TODO\n", indent
, "");
783 static void add_logotype_ext(struct http_ctx
*ctx
, struct http_cert
*hcert
,
789 ASN1_OCTET_STRING
*os
;
791 const unsigned char *data
;
794 obj
= OBJ_txt2obj("1.3.6.1.5.5.7.1.12", 0);
798 pos
= X509_get_ext_by_OBJ(cert
, obj
, -1);
800 wpa_printf(MSG_INFO
, "No logotype extension included");
804 wpa_printf(MSG_INFO
, "Parsing logotype extension");
805 ext
= X509_get_ext(cert
, pos
);
807 wpa_printf(MSG_INFO
, "Could not get logotype extension");
811 os
= X509_EXTENSION_get_data(ext
);
813 wpa_printf(MSG_INFO
, "Could not get logotype extension data");
817 wpa_hexdump(MSG_DEBUG
, "logotypeExtn",
818 ASN1_STRING_data(os
), ASN1_STRING_length(os
));
820 data
= ASN1_STRING_data(os
);
821 logo
= d2i_LogotypeExtn(NULL
, &data
, ASN1_STRING_length(os
));
823 wpa_printf(MSG_INFO
, "Failed to parse logotypeExtn");
827 if (wpa_debug_level
< MSG_INFO
)
828 debug_print_logotypeext(logo
);
830 if (!logo
->communityLogos
) {
831 wpa_printf(MSG_INFO
, "No communityLogos included");
832 LogotypeExtn_free(logo
);
836 num
= sk_LogotypeInfo_num(logo
->communityLogos
);
837 for (i
= 0; i
< num
; i
++) {
839 info
= sk_LogotypeInfo_value(logo
->communityLogos
, i
);
840 switch (info
->type
) {
842 add_logo_direct(ctx
, hcert
, info
->d
.direct
);
845 add_logo_indirect(ctx
, hcert
, info
->d
.indirect
);
850 LogotypeExtn_free(logo
);
854 static void parse_cert(struct http_ctx
*ctx
, struct http_cert
*hcert
,
855 X509
*cert
, GENERAL_NAMES
**names
)
857 os_memset(hcert
, 0, sizeof(*hcert
));
859 *names
= X509_get_ext_d2i(cert
, NID_subject_alt_name
, NULL
, NULL
);
861 add_alt_names(ctx
, hcert
, *names
);
863 add_logotype_ext(ctx
, hcert
, cert
);
867 static void parse_cert_free(struct http_cert
*hcert
, GENERAL_NAMES
*names
)
871 for (i
= 0; i
< hcert
->num_dnsname
; i
++)
872 OPENSSL_free(hcert
->dnsname
[i
]);
873 os_free(hcert
->dnsname
);
875 for (i
= 0; i
< hcert
->num_othername
; i
++)
876 os_free(hcert
->othername
[i
].oid
);
877 os_free(hcert
->othername
);
879 for (i
= 0; i
< hcert
->num_logo
; i
++) {
880 os_free(hcert
->logo
[i
].alg_oid
);
881 os_free(hcert
->logo
[i
].hash
);
882 os_free(hcert
->logo
[i
].uri
);
884 os_free(hcert
->logo
);
886 sk_GENERAL_NAME_pop_free(names
, GENERAL_NAME_free
);
890 static int validate_server_cert(struct http_ctx
*ctx
, X509
*cert
)
892 GENERAL_NAMES
*names
;
893 struct http_cert hcert
;
896 if (ctx
->cert_cb
== NULL
) {
897 wpa_printf(MSG_DEBUG
, "%s: no cert_cb configured", __func__
);
903 out
= BIO_new_fp(stdout
, BIO_NOCLOSE
);
904 X509_print_ex(out
, cert
, XN_FLAG_COMPAT
, X509_FLAG_COMPAT
);
908 parse_cert(ctx
, &hcert
, cert
, &names
);
909 ret
= ctx
->cert_cb(ctx
->cert_cb_ctx
, &hcert
);
910 parse_cert_free(&hcert
, names
);
916 void http_parse_x509_certificate(struct http_ctx
*ctx
, const char *fname
)
920 GENERAL_NAMES
*names
;
921 struct http_cert hcert
;
924 in
= BIO_new_file(fname
, "r");
926 wpa_printf(MSG_ERROR
, "Could not read '%s'", fname
);
930 cert
= d2i_X509_bio(in
, NULL
);
934 wpa_printf(MSG_ERROR
, "Could not parse certificate");
938 out
= BIO_new_fp(stdout
, BIO_NOCLOSE
);
940 X509_print_ex(out
, cert
, XN_FLAG_COMPAT
,
945 wpa_printf(MSG_INFO
, "Additional parsing information:");
946 parse_cert(ctx
, &hcert
, cert
, &names
);
947 for (i
= 0; i
< hcert
.num_othername
; i
++) {
948 if (os_strcmp(hcert
.othername
[i
].oid
,
949 "1.3.6.1.4.1.40808.1.1.1") == 0) {
950 char *name
= os_zalloc(hcert
.othername
[i
].len
+ 1);
952 os_memcpy(name
, hcert
.othername
[i
].data
,
953 hcert
.othername
[i
].len
);
955 "id-wfa-hotspot-friendlyName: %s",
959 wpa_hexdump_ascii(MSG_INFO
,
960 "id-wfa-hotspot-friendlyName",
961 hcert
.othername
[i
].data
,
962 hcert
.othername
[i
].len
);
964 wpa_printf(MSG_INFO
, "subjAltName[othername]: oid=%s",
965 hcert
.othername
[i
].oid
);
966 wpa_hexdump_ascii(MSG_INFO
, "unknown othername",
967 hcert
.othername
[i
].data
,
968 hcert
.othername
[i
].len
);
971 parse_cert_free(&hcert
, names
);
977 static int curl_cb_ssl_verify(int preverify_ok
, X509_STORE_CTX
*x509_ctx
)
979 struct http_ctx
*ctx
;
988 ssl
= X509_STORE_CTX_get_ex_data(x509_ctx
,
989 SSL_get_ex_data_X509_STORE_CTX_idx());
991 ctx
= SSL_CTX_get_app_data(ssl_ctx
);
993 wpa_printf(MSG_DEBUG
, "curl_cb_ssl_verify, preverify_ok: %d",
996 err
= X509_STORE_CTX_get_error(x509_ctx
);
997 err_str
= X509_verify_cert_error_string(err
);
998 depth
= X509_STORE_CTX_get_error_depth(x509_ctx
);
999 cert
= X509_STORE_CTX_get_current_cert(x509_ctx
);
1001 wpa_printf(MSG_INFO
, "No server certificate available");
1002 ctx
->last_err
= "No server certificate available";
1007 ctx
->peer_cert
= cert
;
1008 else if (depth
== 1)
1009 ctx
->peer_issuer
= cert
;
1010 else if (depth
== 2)
1011 ctx
->peer_issuer_issuer
= cert
;
1013 name
= X509_get_subject_name(cert
);
1014 X509_NAME_oneline(name
, buf
, sizeof(buf
));
1015 wpa_printf(MSG_INFO
, "Server certificate chain - depth=%d err=%d (%s) subject=%s",
1016 depth
, err
, err_str
, buf
);
1017 debug_dump_cert("Server certificate chain - certificate", cert
);
1019 if (depth
== 0 && preverify_ok
&& validate_server_cert(ctx
, cert
) < 0)
1022 #ifdef OPENSSL_IS_BORINGSSL
1023 if (depth
== 0 && ctx
->ocsp
!= NO_OCSP
&& preverify_ok
) {
1024 enum ocsp_result res
;
1026 res
= check_ocsp_resp(ssl_ctx
, ssl
, cert
, ctx
->peer_issuer
,
1027 ctx
->peer_issuer_issuer
);
1028 if (res
== OCSP_REVOKED
) {
1030 wpa_printf(MSG_INFO
, "OCSP: certificate revoked");
1031 if (err
== X509_V_OK
)
1032 X509_STORE_CTX_set_error(
1033 x509_ctx
, X509_V_ERR_CERT_REVOKED
);
1034 } else if (res
!= OCSP_GOOD
&& (ctx
->ocsp
== MANDATORY_OCSP
)) {
1036 wpa_printf(MSG_INFO
,
1037 "OCSP: bad certificate status response");
1040 #endif /* OPENSSL_IS_BORINGSSL */
1043 ctx
->last_err
= "TLS validation failed";
1045 return preverify_ok
;
1051 static void ocsp_debug_print_resp(OCSP_RESPONSE
*rsp
)
1058 out
= BIO_new(BIO_s_mem());
1062 OCSP_RESPONSE_print(out
, rsp
, 0);
1063 rlen
= BIO_ctrl_pending(out
);
1064 txt
= os_malloc(rlen
+ 1);
1070 res
= BIO_read(out
, txt
, rlen
);
1073 wpa_printf(MSG_MSGDUMP
, "OpenSSL: OCSP Response\n%s", txt
);
1080 static void tls_show_errors(const char *func
, const char *txt
)
1084 wpa_printf(MSG_DEBUG
, "OpenSSL: %s - %s %s",
1085 func
, txt
, ERR_error_string(ERR_get_error(), NULL
));
1087 while ((err
= ERR_get_error())) {
1088 wpa_printf(MSG_DEBUG
, "OpenSSL: pending error: %s",
1089 ERR_error_string(err
, NULL
));
1094 static int ocsp_resp_cb(SSL
*s
, void *arg
)
1096 struct http_ctx
*ctx
= arg
;
1097 const unsigned char *p
;
1098 int len
, status
, reason
;
1100 OCSP_BASICRESP
*basic
;
1102 ASN1_GENERALIZEDTIME
*produced_at
, *this_update
, *next_update
;
1104 STACK_OF(X509
) *certs
= NULL
;
1106 len
= SSL_get_tlsext_status_ocsp_resp(s
, &p
);
1108 wpa_printf(MSG_DEBUG
, "OpenSSL: No OCSP response received");
1109 if (ctx
->ocsp
== MANDATORY_OCSP
)
1110 ctx
->last_err
= "No OCSP response received";
1111 return (ctx
->ocsp
== MANDATORY_OCSP
) ? 0 : 1;
1114 wpa_hexdump(MSG_DEBUG
, "OpenSSL: OCSP response", p
, len
);
1116 rsp
= d2i_OCSP_RESPONSE(NULL
, &p
, len
);
1118 wpa_printf(MSG_INFO
, "OpenSSL: Failed to parse OCSP response");
1119 ctx
->last_err
= "Failed to parse OCSP response";
1123 ocsp_debug_print_resp(rsp
);
1125 status
= OCSP_response_status(rsp
);
1126 if (status
!= OCSP_RESPONSE_STATUS_SUCCESSFUL
) {
1127 wpa_printf(MSG_INFO
, "OpenSSL: OCSP responder error %d (%s)",
1128 status
, OCSP_response_status_str(status
));
1129 ctx
->last_err
= "OCSP responder error";
1133 basic
= OCSP_response_get1_basic(rsp
);
1135 wpa_printf(MSG_INFO
, "OpenSSL: Could not find BasicOCSPResponse");
1136 ctx
->last_err
= "Could not find BasicOCSPResponse";
1140 store
= SSL_CTX_get_cert_store(s
->ctx
);
1141 if (ctx
->peer_issuer
) {
1142 wpa_printf(MSG_DEBUG
, "OpenSSL: Add issuer");
1143 debug_dump_cert("OpenSSL: Issuer certificate",
1146 if (X509_STORE_add_cert(store
, ctx
->peer_issuer
) != 1) {
1147 tls_show_errors(__func__
,
1148 "OpenSSL: Could not add issuer to certificate store");
1150 certs
= sk_X509_new_null();
1153 cert
= X509_dup(ctx
->peer_issuer
);
1154 if (cert
&& !sk_X509_push(certs
, cert
)) {
1157 "OpenSSL: Could not add issuer to OCSP responder trust store");
1159 sk_X509_free(certs
);
1162 if (certs
&& ctx
->peer_issuer_issuer
) {
1163 cert
= X509_dup(ctx
->peer_issuer_issuer
);
1164 if (cert
&& !sk_X509_push(certs
, cert
)) {
1167 "OpenSSL: Could not add issuer's issuer to OCSP responder trust store");
1174 status
= OCSP_basic_verify(basic
, certs
, store
, OCSP_TRUSTOTHER
);
1175 sk_X509_pop_free(certs
, X509_free
);
1177 tls_show_errors(__func__
,
1178 "OpenSSL: OCSP response failed verification");
1179 OCSP_BASICRESP_free(basic
);
1180 OCSP_RESPONSE_free(rsp
);
1181 ctx
->last_err
= "OCSP response failed verification";
1185 wpa_printf(MSG_DEBUG
, "OpenSSL: OCSP response verification succeeded");
1187 if (!ctx
->peer_cert
) {
1188 wpa_printf(MSG_DEBUG
, "OpenSSL: Peer certificate not available for OCSP status check");
1189 OCSP_BASICRESP_free(basic
);
1190 OCSP_RESPONSE_free(rsp
);
1191 ctx
->last_err
= "Peer certificate not available for OCSP status check";
1195 if (!ctx
->peer_issuer
) {
1196 wpa_printf(MSG_DEBUG
, "OpenSSL: Peer issuer certificate not available for OCSP status check");
1197 OCSP_BASICRESP_free(basic
);
1198 OCSP_RESPONSE_free(rsp
);
1199 ctx
->last_err
= "Peer issuer certificate not available for OCSP status check";
1203 id
= OCSP_cert_to_id(NULL
, ctx
->peer_cert
, ctx
->peer_issuer
);
1205 wpa_printf(MSG_DEBUG
, "OpenSSL: Could not create OCSP certificate identifier");
1206 OCSP_BASICRESP_free(basic
);
1207 OCSP_RESPONSE_free(rsp
);
1208 ctx
->last_err
= "Could not create OCSP certificate identifier";
1212 if (!OCSP_resp_find_status(basic
, id
, &status
, &reason
, &produced_at
,
1213 &this_update
, &next_update
)) {
1214 wpa_printf(MSG_INFO
, "OpenSSL: Could not find current server certificate from OCSP response%s",
1215 (ctx
->ocsp
== MANDATORY_OCSP
) ? "" :
1216 " (OCSP not required)");
1217 OCSP_CERTID_free(id
);
1218 OCSP_BASICRESP_free(basic
);
1219 OCSP_RESPONSE_free(rsp
);
1220 if (ctx
->ocsp
== MANDATORY_OCSP
)
1222 ctx
->last_err
= "Could not find current server certificate from OCSP response";
1223 return (ctx
->ocsp
== MANDATORY_OCSP
) ? 0 : 1;
1225 OCSP_CERTID_free(id
);
1227 if (!OCSP_check_validity(this_update
, next_update
, 5 * 60, -1)) {
1228 tls_show_errors(__func__
, "OpenSSL: OCSP status times invalid");
1229 OCSP_BASICRESP_free(basic
);
1230 OCSP_RESPONSE_free(rsp
);
1231 ctx
->last_err
= "OCSP status times invalid";
1235 OCSP_BASICRESP_free(basic
);
1236 OCSP_RESPONSE_free(rsp
);
1238 wpa_printf(MSG_DEBUG
, "OpenSSL: OCSP status for server certificate: %s",
1239 OCSP_cert_status_str(status
));
1241 if (status
== V_OCSP_CERTSTATUS_GOOD
)
1243 if (status
== V_OCSP_CERTSTATUS_REVOKED
) {
1244 ctx
->last_err
= "Server certificate has been revoked";
1247 if (ctx
->ocsp
== MANDATORY_OCSP
) {
1248 wpa_printf(MSG_DEBUG
, "OpenSSL: OCSP status unknown, but OCSP required");
1249 ctx
->last_err
= "OCSP status unknown";
1252 wpa_printf(MSG_DEBUG
, "OpenSSL: OCSP status unknown, but OCSP was not required, so allow connection to continue");
1257 static SSL_METHOD patch_ssl_method
;
1258 static const SSL_METHOD
*real_ssl_method
;
1260 static int curl_patch_ssl_new(SSL
*s
)
1262 SSL_CTX
*ssl
= s
->ctx
;
1265 ssl
->method
= real_ssl_method
;
1266 s
->method
= real_ssl_method
;
1268 ret
= s
->method
->ssl_new(s
);
1269 SSL_set_tlsext_status_type(s
, TLSEXT_STATUSTYPE_ocsp
);
1274 #endif /* HAVE_OCSP */
1277 static CURLcode
curl_cb_ssl(CURL
*curl
, void *sslctx
, void *parm
)
1279 struct http_ctx
*ctx
= parm
;
1280 SSL_CTX
*ssl
= sslctx
;
1282 wpa_printf(MSG_DEBUG
, "curl_cb_ssl");
1283 SSL_CTX_set_app_data(ssl
, ctx
);
1284 SSL_CTX_set_verify(ssl
, SSL_VERIFY_PEER
, curl_cb_ssl_verify
);
1287 if (ctx
->ocsp
!= NO_OCSP
) {
1288 SSL_CTX_set_tlsext_status_cb(ssl
, ocsp_resp_cb
);
1289 SSL_CTX_set_tlsext_status_arg(ssl
, ctx
);
1292 * Use a temporary SSL_METHOD to get a callback on SSL_new()
1293 * from libcurl since there is no proper callback registration
1294 * available for this.
1296 os_memset(&patch_ssl_method
, 0, sizeof(patch_ssl_method
));
1297 patch_ssl_method
.ssl_new
= curl_patch_ssl_new
;
1298 real_ssl_method
= ssl
->method
;
1299 ssl
->method
= &patch_ssl_method
;
1301 #endif /* HAVE_OCSP */
1306 #endif /* EAP_TLS_OPENSSL */
1309 static CURL
* setup_curl_post(struct http_ctx
*ctx
, const char *address
,
1310 const char *ca_fname
, const char *username
,
1311 const char *password
, const char *client_cert
,
1312 const char *client_key
)
1315 #ifdef EAP_TLS_OPENSSL
1316 const char *extra
= " tls=openssl";
1317 #else /* EAP_TLS_OPENSSL */
1318 const char *extra
= "";
1319 #endif /* EAP_TLS_OPENSSL */
1321 wpa_printf(MSG_DEBUG
, "Start HTTP client: address=%s ca_fname=%s "
1322 "username=%s%s", address
, ca_fname
, username
, extra
);
1324 curl
= curl_easy_init();
1328 curl_easy_setopt(curl
, CURLOPT_URL
, address
);
1329 curl_easy_setopt(curl
, CURLOPT_POST
, 1L);
1331 curl_easy_setopt(curl
, CURLOPT_CAINFO
, ca_fname
);
1332 curl_easy_setopt(curl
, CURLOPT_SSL_VERIFYPEER
, 1L);
1333 #ifdef EAP_TLS_OPENSSL
1334 curl_easy_setopt(curl
, CURLOPT_SSL_CTX_FUNCTION
, curl_cb_ssl
);
1335 curl_easy_setopt(curl
, CURLOPT_SSL_CTX_DATA
, ctx
);
1336 #ifdef OPENSSL_IS_BORINGSSL
1337 /* For now, using the CURLOPT_SSL_VERIFYSTATUS option only
1338 * with BoringSSL since the OpenSSL specific callback hack to
1339 * enable OCSP is not available with BoringSSL. The OCSP
1340 * implementation within libcurl is not sufficient for the
1341 * Hotspot 2.0 OSU needs, so cannot use this with OpenSSL.
1343 if (ctx
->ocsp
!= NO_OCSP
)
1344 curl_easy_setopt(curl
, CURLOPT_SSL_VERIFYSTATUS
, 1L);
1345 #endif /* OPENSSL_IS_BORINGSSL */
1346 #endif /* EAP_TLS_OPENSSL */
1348 curl_easy_setopt(curl
, CURLOPT_SSL_VERIFYPEER
, 0L);
1350 if (client_cert
&& client_key
) {
1351 curl_easy_setopt(curl
, CURLOPT_SSLCERT
, client_cert
);
1352 curl_easy_setopt(curl
, CURLOPT_SSLKEY
, client_key
);
1354 /* TODO: use curl_easy_getinfo() with CURLINFO_CERTINFO to fetch
1355 * information about the server certificate */
1356 curl_easy_setopt(curl
, CURLOPT_CERTINFO
, 1L);
1357 curl_easy_setopt(curl
, CURLOPT_DEBUGFUNCTION
, curl_cb_debug
);
1358 curl_easy_setopt(curl
, CURLOPT_DEBUGDATA
, ctx
);
1359 curl_easy_setopt(curl
, CURLOPT_WRITEFUNCTION
, curl_cb_write
);
1360 curl_easy_setopt(curl
, CURLOPT_WRITEDATA
, ctx
);
1361 curl_easy_setopt(curl
, CURLOPT_VERBOSE
, 1L);
1363 curl_easy_setopt(curl
, CURLOPT_HTTPAUTH
, CURLAUTH_ANYSAFE
);
1364 curl_easy_setopt(curl
, CURLOPT_USERNAME
, username
);
1365 curl_easy_setopt(curl
, CURLOPT_PASSWORD
, password
);
1372 static int post_init_client(struct http_ctx
*ctx
, const char *address
,
1373 const char *ca_fname
, const char *username
,
1374 const char *password
, const char *client_cert
,
1375 const char *client_key
)
1380 clone_str(&ctx
->svc_address
, address
);
1381 clone_str(&ctx
->svc_ca_fname
, ca_fname
);
1382 clone_str(&ctx
->svc_username
, username
);
1383 clone_str(&ctx
->svc_password
, password
);
1384 clone_str(&ctx
->svc_client_cert
, client_cert
);
1385 clone_str(&ctx
->svc_client_key
, client_key
);
1388 * Workaround for Apache "Hostname 'FOO' provided via SNI and hostname
1389 * 'foo' provided via HTTP are different.
1391 for (count
= 0, pos
= ctx
->svc_address
; count
< 3 && pos
&& *pos
;
1395 *pos
= tolower(*pos
);
1398 ctx
->curl
= setup_curl_post(ctx
, ctx
->svc_address
, ca_fname
, username
,
1399 password
, client_cert
, client_key
);
1400 if (ctx
->curl
== NULL
)
1407 int soap_init_client(struct http_ctx
*ctx
, const char *address
,
1408 const char *ca_fname
, const char *username
,
1409 const char *password
, const char *client_cert
,
1410 const char *client_key
)
1412 if (post_init_client(ctx
, address
, ca_fname
, username
, password
,
1413 client_cert
, client_key
) < 0)
1416 ctx
->curl_hdr
= curl_slist_append(ctx
->curl_hdr
,
1417 "Content-Type: application/soap+xml");
1418 ctx
->curl_hdr
= curl_slist_append(ctx
->curl_hdr
, "SOAPAction: ");
1419 ctx
->curl_hdr
= curl_slist_append(ctx
->curl_hdr
, "Expect:");
1420 curl_easy_setopt(ctx
->curl
, CURLOPT_HTTPHEADER
, ctx
->curl_hdr
);
1426 int soap_reinit_client(struct http_ctx
*ctx
)
1428 char *address
= NULL
;
1429 char *ca_fname
= NULL
;
1430 char *username
= NULL
;
1431 char *password
= NULL
;
1432 char *client_cert
= NULL
;
1433 char *client_key
= NULL
;
1438 clone_str(&address
, ctx
->svc_address
);
1439 clone_str(&ca_fname
, ctx
->svc_ca_fname
);
1440 clone_str(&username
, ctx
->svc_username
);
1441 clone_str(&password
, ctx
->svc_password
);
1442 clone_str(&client_cert
, ctx
->svc_client_cert
);
1443 clone_str(&client_key
, ctx
->svc_client_key
);
1445 ret
= soap_init_client(ctx
, address
, ca_fname
, username
, password
,
1446 client_cert
, client_key
);
1449 str_clear_free(username
);
1450 str_clear_free(password
);
1451 os_free(client_cert
);
1452 os_free(client_key
);
1457 static void free_curl_buf(struct http_ctx
*ctx
)
1459 os_free(ctx
->curl_buf
);
1460 ctx
->curl_buf
= NULL
;
1461 ctx
->curl_buf_len
= 0;
1465 xml_node_t
* soap_send_receive(struct http_ctx
*ctx
, xml_node_t
*node
)
1468 xml_node_t
*envelope
, *ret
, *resp
, *n
;
1472 ctx
->last_err
= NULL
;
1474 wpa_printf(MSG_DEBUG
, "SOAP: Sending message");
1475 envelope
= soap_build_envelope(ctx
->xml
, node
);
1476 str
= xml_node_to_str(ctx
->xml
, envelope
);
1477 xml_node_free(ctx
->xml
, envelope
);
1478 wpa_printf(MSG_MSGDUMP
, "SOAP[%s]", str
);
1480 curl_easy_setopt(ctx
->curl
, CURLOPT_POSTFIELDS
, str
);
1483 res
= curl_easy_perform(ctx
->curl
);
1484 if (res
!= CURLE_OK
) {
1486 ctx
->last_err
= curl_easy_strerror(res
);
1487 wpa_printf(MSG_ERROR
, "curl_easy_perform() failed: %s",
1495 curl_easy_getinfo(ctx
->curl
, CURLINFO_RESPONSE_CODE
, &http
);
1496 wpa_printf(MSG_DEBUG
, "SOAP: Server response code %ld", http
);
1498 ctx
->last_err
= "HTTP download failed";
1499 wpa_printf(MSG_INFO
, "HTTP download failed - code %ld", http
);
1504 if (ctx
->curl_buf
== NULL
)
1507 wpa_printf(MSG_MSGDUMP
, "Server response:\n%s", ctx
->curl_buf
);
1508 resp
= xml_node_from_buf(ctx
->xml
, ctx
->curl_buf
);
1511 wpa_printf(MSG_INFO
, "Could not parse SOAP response");
1512 ctx
->last_err
= "Could not parse SOAP response";
1516 ret
= soap_get_body(ctx
->xml
, resp
);
1518 wpa_printf(MSG_INFO
, "Could not get SOAP body");
1519 ctx
->last_err
= "Could not get SOAP body";
1523 wpa_printf(MSG_DEBUG
, "SOAP body localname: '%s'",
1524 xml_node_get_localname(ctx
->xml
, ret
));
1525 n
= xml_node_copy(ctx
->xml
, ret
);
1526 xml_node_free(ctx
->xml
, resp
);
1532 struct http_ctx
* http_init_ctx(void *upper_ctx
, struct xml_node_ctx
*xml_ctx
)
1534 struct http_ctx
*ctx
;
1536 ctx
= os_zalloc(sizeof(*ctx
));
1539 ctx
->ctx
= upper_ctx
;
1541 ctx
->ocsp
= OPTIONAL_OCSP
;
1543 curl_global_init(CURL_GLOBAL_ALL
);
1549 void http_ocsp_set(struct http_ctx
*ctx
, int val
)
1552 ctx
->ocsp
= NO_OCSP
;
1554 ctx
->ocsp
= OPTIONAL_OCSP
;
1556 ctx
->ocsp
= MANDATORY_OCSP
;
1560 void http_deinit_ctx(struct http_ctx
*ctx
)
1563 os_free(ctx
->curl_buf
);
1564 curl_global_cleanup();
1566 os_free(ctx
->svc_address
);
1567 os_free(ctx
->svc_ca_fname
);
1568 str_clear_free(ctx
->svc_username
);
1569 str_clear_free(ctx
->svc_password
);
1570 os_free(ctx
->svc_client_cert
);
1571 os_free(ctx
->svc_client_key
);
1577 int http_download_file(struct http_ctx
*ctx
, const char *url
,
1578 const char *fname
, const char *ca_fname
)
1585 ctx
->last_err
= NULL
;
1587 wpa_printf(MSG_DEBUG
, "curl: Download file from %s to %s (ca=%s)",
1588 url
, fname
, ca_fname
);
1589 curl
= curl_easy_init();
1593 f
= fopen(fname
, "wb");
1595 curl_easy_cleanup(curl
);
1599 curl_easy_setopt(curl
, CURLOPT_URL
, url
);
1601 curl_easy_setopt(curl
, CURLOPT_CAINFO
, ca_fname
);
1602 curl_easy_setopt(curl
, CURLOPT_SSL_VERIFYPEER
, 1L);
1603 curl_easy_setopt(curl
, CURLOPT_CERTINFO
, 1L);
1605 curl_easy_setopt(curl
, CURLOPT_SSL_VERIFYPEER
, 0L);
1607 curl_easy_setopt(curl
, CURLOPT_DEBUGFUNCTION
, curl_cb_debug
);
1608 curl_easy_setopt(curl
, CURLOPT_DEBUGDATA
, ctx
);
1609 curl_easy_setopt(curl
, CURLOPT_WRITEFUNCTION
, fwrite
);
1610 curl_easy_setopt(curl
, CURLOPT_WRITEDATA
, f
);
1611 curl_easy_setopt(curl
, CURLOPT_VERBOSE
, 1L);
1613 res
= curl_easy_perform(curl
);
1614 if (res
!= CURLE_OK
) {
1616 ctx
->last_err
= curl_easy_strerror(res
);
1617 wpa_printf(MSG_ERROR
, "curl_easy_perform() failed: %s",
1619 curl_easy_cleanup(curl
);
1624 curl_easy_getinfo(curl
, CURLINFO_RESPONSE_CODE
, &http
);
1625 wpa_printf(MSG_DEBUG
, "curl: Server response code %ld", http
);
1627 ctx
->last_err
= "HTTP download failed";
1628 wpa_printf(MSG_INFO
, "HTTP download failed - code %ld", http
);
1629 curl_easy_cleanup(curl
);
1634 curl_easy_cleanup(curl
);
1641 char * http_post(struct http_ctx
*ctx
, const char *url
, const char *data
,
1642 const char *content_type
, const char *ext_hdr
,
1643 const char *ca_fname
,
1644 const char *username
, const char *password
,
1645 const char *client_cert
, const char *client_key
,
1652 struct curl_slist
*curl_hdr
= NULL
;
1654 ctx
->last_err
= NULL
;
1655 wpa_printf(MSG_DEBUG
, "curl: HTTP POST to %s", url
);
1656 curl
= setup_curl_post(ctx
, url
, ca_fname
, username
, password
,
1657 client_cert
, client_key
);
1663 snprintf(ct
, sizeof(ct
), "Content-Type: %s", content_type
);
1664 curl_hdr
= curl_slist_append(curl_hdr
, ct
);
1667 curl_hdr
= curl_slist_append(curl_hdr
, ext_hdr
);
1668 curl_easy_setopt(curl
, CURLOPT_HTTPHEADER
, curl_hdr
);
1670 curl_easy_setopt(curl
, CURLOPT_POSTFIELDS
, data
);
1673 res
= curl_easy_perform(curl
);
1674 if (res
!= CURLE_OK
) {
1676 ctx
->last_err
= curl_easy_strerror(res
);
1677 wpa_printf(MSG_ERROR
, "curl_easy_perform() failed: %s",
1683 curl_easy_getinfo(curl
, CURLINFO_RESPONSE_CODE
, &http
);
1684 wpa_printf(MSG_DEBUG
, "curl: Server response code %ld", http
);
1686 ctx
->last_err
= "HTTP POST failed";
1687 wpa_printf(MSG_INFO
, "HTTP POST failed - code %ld", http
);
1692 if (ctx
->curl_buf
== NULL
)
1695 ret
= ctx
->curl_buf
;
1697 *resp_len
= ctx
->curl_buf_len
;
1698 ctx
->curl_buf
= NULL
;
1699 ctx
->curl_buf_len
= 0;
1701 wpa_printf(MSG_MSGDUMP
, "Server response:\n%s", ret
);
1707 void http_set_cert_cb(struct http_ctx
*ctx
,
1708 int (*cb
)(void *ctx
, struct http_cert
*cert
),
1712 ctx
->cert_cb_ctx
= cb_ctx
;
1716 const char * http_get_err(struct http_ctx
*ctx
)
1718 return ctx
->last_err
;