xref: /freebsd/contrib/wpa/src/utils/http_curl.c (revision 1f4bcc459a76b7aa664f3fd557684cd0ba6da352)
1 /*
2  * HTTP wrapper for libcurl
3  * Copyright (c) 2012-2014, Qualcomm Atheros, Inc.
4  *
5  * This software may be distributed under the terms of the BSD license.
6  * See README for more details.
7  */
8 
9 #include "includes.h"
10 #include <curl/curl.h>
11 #ifdef EAP_TLS_OPENSSL
12 #include <openssl/ssl.h>
13 #include <openssl/asn1.h>
14 #include <openssl/asn1t.h>
15 #include <openssl/x509v3.h>
16 
17 #ifdef SSL_set_tlsext_status_type
18 #ifndef OPENSSL_NO_TLSEXT
19 #define HAVE_OCSP
20 #include <openssl/err.h>
21 #include <openssl/ocsp.h>
22 #endif /* OPENSSL_NO_TLSEXT */
23 #endif /* SSL_set_tlsext_status_type */
24 #endif /* EAP_TLS_OPENSSL */
25 
26 #include "common.h"
27 #include "xml-utils.h"
28 #include "http-utils.h"
29 
30 
31 struct http_ctx {
32 	void *ctx;
33 	struct xml_node_ctx *xml;
34 	CURL *curl;
35 	struct curl_slist *curl_hdr;
36 	char *svc_address;
37 	char *svc_ca_fname;
38 	char *svc_username;
39 	char *svc_password;
40 	char *svc_client_cert;
41 	char *svc_client_key;
42 	char *curl_buf;
43 	size_t curl_buf_len;
44 
45 	int (*cert_cb)(void *ctx, struct http_cert *cert);
46 	void *cert_cb_ctx;
47 
48 	enum {
49 		NO_OCSP, OPTIONAL_OCSP, MANDATORY_OCSP
50 	} ocsp;
51 	X509 *peer_cert;
52 	X509 *peer_issuer;
53 	X509 *peer_issuer_issuer;
54 
55 	const char *last_err;
56 };
57 
58 
59 static void clear_curl(struct http_ctx *ctx)
60 {
61 	if (ctx->curl) {
62 		curl_easy_cleanup(ctx->curl);
63 		ctx->curl = NULL;
64 	}
65 	if (ctx->curl_hdr) {
66 		curl_slist_free_all(ctx->curl_hdr);
67 		ctx->curl_hdr = NULL;
68 	}
69 }
70 
71 
72 static void clone_str(char **dst, const char *src)
73 {
74 	os_free(*dst);
75 	if (src)
76 		*dst = os_strdup(src);
77 	else
78 		*dst = NULL;
79 }
80 
81 
82 static void debug_dump(struct http_ctx *ctx, const char *title,
83 		       const char *buf, size_t len)
84 {
85 	char *txt;
86 	size_t i;
87 
88 	for (i = 0; i < len; i++) {
89 		if (buf[i] < 32 && buf[i] != '\t' && buf[i] != '\n' &&
90 		    buf[i] != '\r') {
91 			wpa_hexdump_ascii(MSG_MSGDUMP, title, buf, len);
92 			return;
93 		}
94 	}
95 
96 	txt = os_malloc(len + 1);
97 	if (txt == NULL)
98 		return;
99 	os_memcpy(txt, buf, len);
100 	txt[len] = '\0';
101 	while (len > 0) {
102 		len--;
103 		if (txt[len] == '\n' || txt[len] == '\r')
104 			txt[len] = '\0';
105 		else
106 			break;
107 	}
108 	wpa_printf(MSG_MSGDUMP, "%s[%s]", title, txt);
109 	os_free(txt);
110 }
111 
112 
113 static int curl_cb_debug(CURL *curl, curl_infotype info, char *buf, size_t len,
114 			 void *userdata)
115 {
116 	struct http_ctx *ctx = userdata;
117 	switch (info) {
118 	case CURLINFO_TEXT:
119 		debug_dump(ctx, "CURLINFO_TEXT", buf, len);
120 		break;
121 	case CURLINFO_HEADER_IN:
122 		debug_dump(ctx, "CURLINFO_HEADER_IN", buf, len);
123 		break;
124 	case CURLINFO_HEADER_OUT:
125 		debug_dump(ctx, "CURLINFO_HEADER_OUT", buf, len);
126 		break;
127 	case CURLINFO_DATA_IN:
128 		debug_dump(ctx, "CURLINFO_DATA_IN", buf, len);
129 		break;
130 	case CURLINFO_DATA_OUT:
131 		debug_dump(ctx, "CURLINFO_DATA_OUT", buf, len);
132 		break;
133 	case CURLINFO_SSL_DATA_IN:
134 		wpa_printf(MSG_DEBUG, "debug - CURLINFO_SSL_DATA_IN - %d",
135 			   (int) len);
136 		break;
137 	case CURLINFO_SSL_DATA_OUT:
138 		wpa_printf(MSG_DEBUG, "debug - CURLINFO_SSL_DATA_OUT - %d",
139 			   (int) len);
140 		break;
141 	case CURLINFO_END:
142 		wpa_printf(MSG_DEBUG, "debug - CURLINFO_END - %d",
143 			   (int) len);
144 		break;
145 	}
146 	return 0;
147 }
148 
149 
150 static size_t curl_cb_write(void *ptr, size_t size, size_t nmemb,
151 			    void *userdata)
152 {
153 	struct http_ctx *ctx = userdata;
154 	char *n;
155 	n = os_realloc(ctx->curl_buf, ctx->curl_buf_len + size * nmemb + 1);
156 	if (n == NULL)
157 		return 0;
158 	ctx->curl_buf = n;
159 	os_memcpy(n + ctx->curl_buf_len, ptr, size * nmemb);
160 	n[ctx->curl_buf_len + size * nmemb] = '\0';
161 	ctx->curl_buf_len += size * nmemb;
162 	return size * nmemb;
163 }
164 
165 
166 #ifdef EAP_TLS_OPENSSL
167 
168 static void debug_dump_cert(const char *title, X509 *cert)
169 {
170 	BIO *out;
171 	char *txt;
172 	size_t rlen;
173 
174 	out = BIO_new(BIO_s_mem());
175 	if (!out)
176 		return;
177 
178 	X509_print_ex(out, cert, XN_FLAG_COMPAT, X509_FLAG_COMPAT);
179 	rlen = BIO_ctrl_pending(out);
180 	txt = os_malloc(rlen + 1);
181 	if (txt) {
182 		int res = BIO_read(out, txt, rlen);
183 		if (res > 0) {
184 			txt[res] = '\0';
185 			wpa_printf(MSG_MSGDUMP, "%s:\n%s", title, txt);
186 		}
187 		os_free(txt);
188 	}
189 	BIO_free(out);
190 }
191 
192 
193 static void add_alt_name_othername(struct http_ctx *ctx, struct http_cert *cert,
194 				   OTHERNAME *o)
195 {
196 	char txt[100];
197 	int res;
198 	struct http_othername *on;
199 	ASN1_TYPE *val;
200 
201 	on = os_realloc_array(cert->othername, cert->num_othername + 1,
202 			      sizeof(struct http_othername));
203 	if (on == NULL)
204 		return;
205 	cert->othername = on;
206 	on = &on[cert->num_othername];
207 	os_memset(on, 0, sizeof(*on));
208 
209 	res = OBJ_obj2txt(txt, sizeof(txt), o->type_id, 1);
210 	if (res < 0 || res >= (int) sizeof(txt))
211 		return;
212 
213 	on->oid = os_strdup(txt);
214 	if (on->oid == NULL)
215 		return;
216 
217 	val = o->value;
218 	on->data = val->value.octet_string->data;
219 	on->len = val->value.octet_string->length;
220 
221 	cert->num_othername++;
222 }
223 
224 
225 static void add_alt_name_dns(struct http_ctx *ctx, struct http_cert *cert,
226 			     ASN1_STRING *name)
227 {
228 	char *buf;
229 	char **n;
230 
231 	buf = NULL;
232 	if (ASN1_STRING_to_UTF8((unsigned char **) &buf, name) < 0)
233 		return;
234 
235 	n = os_realloc_array(cert->dnsname, cert->num_dnsname + 1,
236 			     sizeof(char *));
237 	if (n == NULL)
238 		return;
239 
240 	cert->dnsname = n;
241 	n[cert->num_dnsname] = buf;
242 	cert->num_dnsname++;
243 }
244 
245 
246 static void add_alt_name(struct http_ctx *ctx, struct http_cert *cert,
247 			 const GENERAL_NAME *name)
248 {
249 	switch (name->type) {
250 	case GEN_OTHERNAME:
251 		add_alt_name_othername(ctx, cert, name->d.otherName);
252 		break;
253 	case GEN_DNS:
254 		add_alt_name_dns(ctx, cert, name->d.dNSName);
255 		break;
256 	}
257 }
258 
259 
260 static void add_alt_names(struct http_ctx *ctx, struct http_cert *cert,
261 			  GENERAL_NAMES *names)
262 {
263 	int num, i;
264 
265 	num = sk_GENERAL_NAME_num(names);
266 	for (i = 0; i < num; i++) {
267 		const GENERAL_NAME *name;
268 		name = sk_GENERAL_NAME_value(names, i);
269 		add_alt_name(ctx, cert, name);
270 	}
271 }
272 
273 
274 /* RFC 3709 */
275 
276 typedef struct {
277 	X509_ALGOR *hashAlg;
278 	ASN1_OCTET_STRING *hashValue;
279 } HashAlgAndValue;
280 
281 typedef struct {
282 	STACK_OF(HashAlgAndValue) *refStructHash;
283 	STACK_OF(ASN1_IA5STRING) *refStructURI;
284 } LogotypeReference;
285 
286 typedef struct {
287 	ASN1_IA5STRING *mediaType;
288 	STACK_OF(HashAlgAndValue) *logotypeHash;
289 	STACK_OF(ASN1_IA5STRING) *logotypeURI;
290 } LogotypeDetails;
291 
292 typedef struct {
293 	int type;
294 	union {
295 		ASN1_INTEGER *numBits;
296 		ASN1_INTEGER *tableSize;
297 	} d;
298 } LogotypeImageResolution;
299 
300 typedef struct {
301 	ASN1_INTEGER *type; /* LogotypeImageType ::= INTEGER */
302 	ASN1_INTEGER *fileSize;
303 	ASN1_INTEGER *xSize;
304 	ASN1_INTEGER *ySize;
305 	LogotypeImageResolution *resolution;
306 	ASN1_IA5STRING *language;
307 } LogotypeImageInfo;
308 
309 typedef struct {
310 	LogotypeDetails *imageDetails;
311 	LogotypeImageInfo *imageInfo;
312 } LogotypeImage;
313 
314 typedef struct {
315 	ASN1_INTEGER *fileSize;
316 	ASN1_INTEGER *playTime;
317 	ASN1_INTEGER *channels;
318 	ASN1_INTEGER *sampleRate;
319 	ASN1_IA5STRING *language;
320 } LogotypeAudioInfo;
321 
322 typedef struct {
323 	LogotypeDetails *audioDetails;
324 	LogotypeAudioInfo *audioInfo;
325 } LogotypeAudio;
326 
327 typedef struct {
328 	STACK_OF(LogotypeImage) *image;
329 	STACK_OF(LogotypeAudio) *audio;
330 } LogotypeData;
331 
332 typedef struct {
333 	int type;
334 	union {
335 		LogotypeData *direct;
336 		LogotypeReference *indirect;
337 	} d;
338 } LogotypeInfo;
339 
340 typedef struct {
341 	ASN1_OBJECT *logotypeType;
342 	LogotypeInfo *info;
343 } OtherLogotypeInfo;
344 
345 typedef struct {
346 	STACK_OF(LogotypeInfo) *communityLogos;
347 	LogotypeInfo *issuerLogo;
348 	LogotypeInfo *subjectLogo;
349 	STACK_OF(OtherLogotypeInfo) *otherLogos;
350 } LogotypeExtn;
351 
352 ASN1_SEQUENCE(HashAlgAndValue) = {
353 	ASN1_SIMPLE(HashAlgAndValue, hashAlg, X509_ALGOR),
354 	ASN1_SIMPLE(HashAlgAndValue, hashValue, ASN1_OCTET_STRING)
355 } ASN1_SEQUENCE_END(HashAlgAndValue);
356 
357 ASN1_SEQUENCE(LogotypeReference) = {
358 	ASN1_SEQUENCE_OF(LogotypeReference, refStructHash, HashAlgAndValue),
359 	ASN1_SEQUENCE_OF(LogotypeReference, refStructURI, ASN1_IA5STRING)
360 } ASN1_SEQUENCE_END(LogotypeReference);
361 
362 ASN1_SEQUENCE(LogotypeDetails) = {
363 	ASN1_SIMPLE(LogotypeDetails, mediaType, ASN1_IA5STRING),
364 	ASN1_SEQUENCE_OF(LogotypeDetails, logotypeHash, HashAlgAndValue),
365 	ASN1_SEQUENCE_OF(LogotypeDetails, logotypeURI, ASN1_IA5STRING)
366 } ASN1_SEQUENCE_END(LogotypeDetails);
367 
368 ASN1_CHOICE(LogotypeImageResolution) = {
369 	ASN1_IMP(LogotypeImageResolution, d.numBits, ASN1_INTEGER, 1),
370 	ASN1_IMP(LogotypeImageResolution, d.tableSize, ASN1_INTEGER, 2)
371 } ASN1_CHOICE_END(LogotypeImageResolution);
372 
373 ASN1_SEQUENCE(LogotypeImageInfo) = {
374 	ASN1_IMP_OPT(LogotypeImageInfo, type, ASN1_INTEGER, 0),
375 	ASN1_SIMPLE(LogotypeImageInfo, fileSize, ASN1_INTEGER),
376 	ASN1_SIMPLE(LogotypeImageInfo, xSize, ASN1_INTEGER),
377 	ASN1_SIMPLE(LogotypeImageInfo, ySize, ASN1_INTEGER),
378 	ASN1_OPT(LogotypeImageInfo, resolution, LogotypeImageResolution),
379 	ASN1_IMP_OPT(LogotypeImageInfo, language, ASN1_IA5STRING, 4),
380 } ASN1_SEQUENCE_END(LogotypeImageInfo);
381 
382 ASN1_SEQUENCE(LogotypeImage) = {
383 	ASN1_SIMPLE(LogotypeImage, imageDetails, LogotypeDetails),
384 	ASN1_OPT(LogotypeImage, imageInfo, LogotypeImageInfo)
385 } ASN1_SEQUENCE_END(LogotypeImage);
386 
387 ASN1_SEQUENCE(LogotypeAudioInfo) = {
388 	ASN1_SIMPLE(LogotypeAudioInfo, fileSize, ASN1_INTEGER),
389 	ASN1_SIMPLE(LogotypeAudioInfo, playTime, ASN1_INTEGER),
390 	ASN1_SIMPLE(LogotypeAudioInfo, channels, ASN1_INTEGER),
391 	ASN1_IMP_OPT(LogotypeAudioInfo, sampleRate, ASN1_INTEGER, 3),
392 	ASN1_IMP_OPT(LogotypeAudioInfo, language, ASN1_IA5STRING, 4)
393 } ASN1_SEQUENCE_END(LogotypeAudioInfo);
394 
395 ASN1_SEQUENCE(LogotypeAudio) = {
396 	ASN1_SIMPLE(LogotypeAudio, audioDetails, LogotypeDetails),
397 	ASN1_OPT(LogotypeAudio, audioInfo, LogotypeAudioInfo)
398 } ASN1_SEQUENCE_END(LogotypeAudio);
399 
400 ASN1_SEQUENCE(LogotypeData) = {
401 	ASN1_SEQUENCE_OF_OPT(LogotypeData, image, LogotypeImage),
402 	ASN1_IMP_SEQUENCE_OF_OPT(LogotypeData, audio, LogotypeAudio, 1)
403 } ASN1_SEQUENCE_END(LogotypeData);
404 
405 ASN1_CHOICE(LogotypeInfo) = {
406 	ASN1_IMP(LogotypeInfo, d.direct, LogotypeData, 0),
407 	ASN1_IMP(LogotypeInfo, d.indirect, LogotypeReference, 1)
408 } ASN1_CHOICE_END(LogotypeInfo);
409 
410 ASN1_SEQUENCE(OtherLogotypeInfo) = {
411 	ASN1_SIMPLE(OtherLogotypeInfo, logotypeType, ASN1_OBJECT),
412 	ASN1_SIMPLE(OtherLogotypeInfo, info, LogotypeInfo)
413 } ASN1_SEQUENCE_END(OtherLogotypeInfo);
414 
415 ASN1_SEQUENCE(LogotypeExtn) = {
416 	ASN1_EXP_SEQUENCE_OF_OPT(LogotypeExtn, communityLogos, LogotypeInfo, 0),
417 	ASN1_EXP_OPT(LogotypeExtn, issuerLogo, LogotypeInfo, 1),
418 	ASN1_EXP_OPT(LogotypeExtn, issuerLogo, LogotypeInfo, 2),
419 	ASN1_EXP_SEQUENCE_OF_OPT(LogotypeExtn, otherLogos, OtherLogotypeInfo, 3)
420 } ASN1_SEQUENCE_END(LogotypeExtn);
421 
422 IMPLEMENT_ASN1_FUNCTIONS(LogotypeExtn);
423 
424 #define sk_LogotypeInfo_num(st) SKM_sk_num(LogotypeInfo, (st))
425 #define sk_LogotypeInfo_value(st, i) SKM_sk_value(LogotypeInfo, (st), (i))
426 #define sk_LogotypeImage_num(st) SKM_sk_num(LogotypeImage, (st))
427 #define sk_LogotypeImage_value(st, i) SKM_sk_value(LogotypeImage, (st), (i))
428 #define sk_LogotypeAudio_num(st) SKM_sk_num(LogotypeAudio, (st))
429 #define sk_LogotypeAudio_value(st, i) SKM_sk_value(LogotypeAudio, (st), (i))
430 #define sk_HashAlgAndValue_num(st) SKM_sk_num(HashAlgAndValue, (st))
431 #define sk_HashAlgAndValue_value(st, i) SKM_sk_value(HashAlgAndValue, (st), (i))
432 #define sk_ASN1_IA5STRING_num(st) SKM_sk_num(ASN1_IA5STRING, (st))
433 #define sk_ASN1_IA5STRING_value(st, i) SKM_sk_value(ASN1_IA5STRING, (st), (i))
434 
435 
436 static void add_logo(struct http_ctx *ctx, struct http_cert *hcert,
437 		     HashAlgAndValue *hash, ASN1_IA5STRING *uri)
438 {
439 	char txt[100];
440 	int res, len;
441 	struct http_logo *n;
442 
443 	if (hash == NULL || uri == NULL)
444 		return;
445 
446 	res = OBJ_obj2txt(txt, sizeof(txt), hash->hashAlg->algorithm, 1);
447 	if (res < 0 || res >= (int) sizeof(txt))
448 		return;
449 
450 	n = os_realloc_array(hcert->logo, hcert->num_logo + 1,
451 			     sizeof(struct http_logo));
452 	if (n == NULL)
453 		return;
454 	hcert->logo = n;
455 	n = &hcert->logo[hcert->num_logo];
456 	os_memset(n, 0, sizeof(*n));
457 
458 	n->alg_oid = os_strdup(txt);
459 	if (n->alg_oid == NULL)
460 		return;
461 
462 	n->hash_len = ASN1_STRING_length(hash->hashValue);
463 	n->hash = os_malloc(n->hash_len);
464 	if (n->hash == NULL) {
465 		os_free(n->alg_oid);
466 		return;
467 	}
468 	os_memcpy(n->hash, ASN1_STRING_data(hash->hashValue), n->hash_len);
469 
470 	len = ASN1_STRING_length(uri);
471 	n->uri = os_malloc(len + 1);
472 	if (n->uri == NULL) {
473 		os_free(n->alg_oid);
474 		os_free(n->hash);
475 		return;
476 	}
477 	os_memcpy(n->uri, ASN1_STRING_data(uri), len);
478 	n->uri[len] = '\0';
479 
480 	hcert->num_logo++;
481 }
482 
483 
484 static void add_logo_direct(struct http_ctx *ctx, struct http_cert *hcert,
485 			    LogotypeData *data)
486 {
487 	int i, num;
488 
489 	if (data->image == NULL)
490 		return;
491 
492 	num = sk_LogotypeImage_num(data->image);
493 	for (i = 0; i < num; i++) {
494 		LogotypeImage *image;
495 		LogotypeDetails *details;
496 		int j, hash_num, uri_num;
497 		HashAlgAndValue *found_hash = NULL;
498 
499 		image = sk_LogotypeImage_value(data->image, i);
500 		if (image == NULL)
501 			continue;
502 
503 		details = image->imageDetails;
504 		if (details == NULL)
505 			continue;
506 
507 		hash_num = sk_HashAlgAndValue_num(details->logotypeHash);
508 		for (j = 0; j < hash_num; j++) {
509 			HashAlgAndValue *hash;
510 			char txt[100];
511 			int res;
512 			hash = sk_HashAlgAndValue_value(details->logotypeHash,
513 							j);
514 			if (hash == NULL)
515 				continue;
516 			res = OBJ_obj2txt(txt, sizeof(txt),
517 					  hash->hashAlg->algorithm, 1);
518 			if (res < 0 || res >= (int) sizeof(txt))
519 				continue;
520 			if (os_strcmp(txt, "2.16.840.1.101.3.4.2.1") == 0) {
521 				found_hash = hash;
522 				break;
523 			}
524 		}
525 
526 		if (!found_hash) {
527 			wpa_printf(MSG_DEBUG, "OpenSSL: No SHA256 hash found for the logo");
528 			continue;
529 		}
530 
531 		uri_num = sk_ASN1_IA5STRING_num(details->logotypeURI);
532 		for (j = 0; j < uri_num; j++) {
533 			ASN1_IA5STRING *uri;
534 			uri = sk_ASN1_IA5STRING_value(details->logotypeURI, j);
535 			add_logo(ctx, hcert, found_hash, uri);
536 		}
537 	}
538 }
539 
540 
541 static void add_logo_indirect(struct http_ctx *ctx, struct http_cert *hcert,
542 			      LogotypeReference *ref)
543 {
544 	int j, hash_num, uri_num;
545 
546 	hash_num = sk_HashAlgAndValue_num(ref->refStructHash);
547 	uri_num = sk_ASN1_IA5STRING_num(ref->refStructURI);
548 	if (hash_num != uri_num) {
549 		wpa_printf(MSG_INFO, "Unexpected LogotypeReference array size difference %d != %d",
550 			   hash_num, uri_num);
551 		return;
552 	}
553 
554 	for (j = 0; j < hash_num; j++) {
555 		HashAlgAndValue *hash;
556 		ASN1_IA5STRING *uri;
557 		hash = sk_HashAlgAndValue_value(ref->refStructHash, j);
558 		uri = sk_ASN1_IA5STRING_value(ref->refStructURI, j);
559 		add_logo(ctx, hcert, hash, uri);
560 	}
561 }
562 
563 
564 static void i2r_HashAlgAndValue(HashAlgAndValue *hash, BIO *out, int indent)
565 {
566 	int i;
567 	const unsigned char *data;
568 
569 	BIO_printf(out, "%*shashAlg: ", indent, "");
570 	i2a_ASN1_OBJECT(out, hash->hashAlg->algorithm);
571 	BIO_printf(out, "\n");
572 
573 	BIO_printf(out, "%*shashValue: ", indent, "");
574 	data = hash->hashValue->data;
575 	for (i = 0; i < hash->hashValue->length; i++)
576 		BIO_printf(out, "%s%02x", i > 0 ? ":" : "", data[i]);
577 	BIO_printf(out, "\n");
578 }
579 
580 static void i2r_LogotypeDetails(LogotypeDetails *details, BIO *out, int indent)
581 {
582 	int i, num;
583 
584 	BIO_printf(out, "%*sLogotypeDetails\n", indent, "");
585 	if (details->mediaType) {
586 		BIO_printf(out, "%*smediaType: ", indent, "");
587 		ASN1_STRING_print(out, details->mediaType);
588 		BIO_printf(out, "\n");
589 	}
590 
591 	num = details->logotypeHash ?
592 		sk_HashAlgAndValue_num(details->logotypeHash) : 0;
593 	for (i = 0; i < num; i++) {
594 		HashAlgAndValue *hash;
595 		hash = sk_HashAlgAndValue_value(details->logotypeHash, i);
596 		i2r_HashAlgAndValue(hash, out, indent);
597 	}
598 
599 	num = details->logotypeURI ?
600 		sk_ASN1_IA5STRING_num(details->logotypeURI) : 0;
601 	for (i = 0; i < num; i++) {
602 		ASN1_IA5STRING *uri;
603 		uri = sk_ASN1_IA5STRING_value(details->logotypeURI, i);
604 		BIO_printf(out, "%*slogotypeURI: ", indent, "");
605 		ASN1_STRING_print(out, uri);
606 		BIO_printf(out, "\n");
607 	}
608 }
609 
610 static void i2r_LogotypeImageInfo(LogotypeImageInfo *info, BIO *out, int indent)
611 {
612 	long val;
613 
614 	BIO_printf(out, "%*sLogotypeImageInfo\n", indent, "");
615 	if (info->type) {
616 		val = ASN1_INTEGER_get(info->type);
617 		BIO_printf(out, "%*stype: %ld\n", indent, "", val);
618 	} else {
619 		BIO_printf(out, "%*stype: default (1)\n", indent, "");
620 	}
621 	val = ASN1_INTEGER_get(info->xSize);
622 	BIO_printf(out, "%*sxSize: %ld\n", indent, "", val);
623 	val = ASN1_INTEGER_get(info->ySize);
624 	BIO_printf(out, "%*sySize: %ld\n", indent, "", val);
625 	if (info->resolution) {
626 		BIO_printf(out, "%*sresolution\n", indent, "");
627 		/* TODO */
628 	}
629 	if (info->language) {
630 		BIO_printf(out, "%*slanguage: ", indent, "");
631 		ASN1_STRING_print(out, info->language);
632 		BIO_printf(out, "\n");
633 	}
634 }
635 
636 static void i2r_LogotypeImage(LogotypeImage *image, BIO *out, int indent)
637 {
638 	BIO_printf(out, "%*sLogotypeImage\n", indent, "");
639 	if (image->imageDetails) {
640 		i2r_LogotypeDetails(image->imageDetails, out, indent + 4);
641 	}
642 	if (image->imageInfo) {
643 		i2r_LogotypeImageInfo(image->imageInfo, out, indent + 4);
644 	}
645 }
646 
647 static void i2r_LogotypeData(LogotypeData *data, const char *title, BIO *out,
648 			     int indent)
649 {
650 	int i, num;
651 
652 	BIO_printf(out, "%*s%s - LogotypeData\n", indent, "", title);
653 
654 	num = data->image ? sk_LogotypeImage_num(data->image) : 0;
655 	for (i = 0; i < num; i++) {
656 		LogotypeImage *image = sk_LogotypeImage_value(data->image, i);
657 		i2r_LogotypeImage(image, out, indent + 4);
658 	}
659 
660 	num = data->audio ? sk_LogotypeAudio_num(data->audio) : 0;
661 	for (i = 0; i < num; i++) {
662 		BIO_printf(out, "%*saudio: TODO\n", indent, "");
663 	}
664 }
665 
666 static void i2r_LogotypeReference(LogotypeReference *ref, const char *title,
667 				  BIO *out, int indent)
668 {
669 	int i, hash_num, uri_num;
670 
671 	BIO_printf(out, "%*s%s - LogotypeReference\n", indent, "", title);
672 
673 	hash_num = ref->refStructHash ?
674 		sk_HashAlgAndValue_num(ref->refStructHash) : 0;
675 	uri_num = ref->refStructURI ?
676 		sk_ASN1_IA5STRING_num(ref->refStructURI) : 0;
677 	if (hash_num != uri_num) {
678 		BIO_printf(out, "%*sUnexpected LogotypeReference array size difference %d != %d\n",
679 			   indent, "", hash_num, uri_num);
680 		return;
681 	}
682 
683 	for (i = 0; i < hash_num; i++) {
684 		HashAlgAndValue *hash;
685 		ASN1_IA5STRING *uri;
686 
687 		hash = sk_HashAlgAndValue_value(ref->refStructHash, i);
688 		i2r_HashAlgAndValue(hash, out, indent);
689 
690 		uri = sk_ASN1_IA5STRING_value(ref->refStructURI, i);
691 		BIO_printf(out, "%*srefStructURI: ", indent, "");
692 		ASN1_STRING_print(out, uri);
693 		BIO_printf(out, "\n");
694 	}
695 }
696 
697 static void i2r_LogotypeInfo(LogotypeInfo *info, const char *title, BIO *out,
698 			     int indent)
699 {
700 	switch (info->type) {
701 	case 0:
702 		i2r_LogotypeData(info->d.direct, title, out, indent);
703 		break;
704 	case 1:
705 		i2r_LogotypeReference(info->d.indirect, title, out, indent);
706 		break;
707 	}
708 }
709 
710 static void debug_print_logotypeext(LogotypeExtn *logo)
711 {
712 	BIO *out;
713 	int i, num;
714 	int indent = 0;
715 
716 	out = BIO_new_fp(stdout, BIO_NOCLOSE);
717 	if (out == NULL)
718 		return;
719 
720 	if (logo->communityLogos) {
721 		num = sk_LogotypeInfo_num(logo->communityLogos);
722 		for (i = 0; i < num; i++) {
723 			LogotypeInfo *info;
724 			info = sk_LogotypeInfo_value(logo->communityLogos, i);
725 			i2r_LogotypeInfo(info, "communityLogo", out, indent);
726 		}
727 	}
728 
729 	if (logo->issuerLogo) {
730 		i2r_LogotypeInfo(logo->issuerLogo, "issuerLogo", out, indent );
731 	}
732 
733 	if (logo->subjectLogo) {
734 		i2r_LogotypeInfo(logo->subjectLogo, "subjectLogo", out, indent);
735 	}
736 
737 	if (logo->otherLogos) {
738 		BIO_printf(out, "%*sotherLogos - TODO\n", indent, "");
739 	}
740 
741 	BIO_free(out);
742 }
743 
744 
745 static void add_logotype_ext(struct http_ctx *ctx, struct http_cert *hcert,
746 			     X509 *cert)
747 {
748 	ASN1_OBJECT *obj;
749 	int pos;
750 	X509_EXTENSION *ext;
751 	ASN1_OCTET_STRING *os;
752 	LogotypeExtn *logo;
753 	const unsigned char *data;
754 	int i, num;
755 
756 	obj = OBJ_txt2obj("1.3.6.1.5.5.7.1.12", 0);
757 	if (obj == NULL)
758 		return;
759 
760 	pos = X509_get_ext_by_OBJ(cert, obj, -1);
761 	if (pos < 0) {
762 		wpa_printf(MSG_INFO, "No logotype extension included");
763 		return;
764 	}
765 
766 	wpa_printf(MSG_INFO, "Parsing logotype extension");
767 	ext = X509_get_ext(cert, pos);
768 	if (!ext) {
769 		wpa_printf(MSG_INFO, "Could not get logotype extension");
770 		return;
771 	}
772 
773 	os = X509_EXTENSION_get_data(ext);
774 	if (os == NULL) {
775 		wpa_printf(MSG_INFO, "Could not get logotype extension data");
776 		return;
777 	}
778 
779 	wpa_hexdump(MSG_DEBUG, "logotypeExtn",
780 		    ASN1_STRING_data(os), ASN1_STRING_length(os));
781 
782 	data = ASN1_STRING_data(os);
783 	logo = d2i_LogotypeExtn(NULL, &data, ASN1_STRING_length(os));
784 	if (logo == NULL) {
785 		wpa_printf(MSG_INFO, "Failed to parse logotypeExtn");
786 		return;
787 	}
788 
789 	if (wpa_debug_level < MSG_INFO)
790 		debug_print_logotypeext(logo);
791 
792 	if (!logo->communityLogos) {
793 		wpa_printf(MSG_INFO, "No communityLogos included");
794 		LogotypeExtn_free(logo);
795 		return;
796 	}
797 
798 	num = sk_LogotypeInfo_num(logo->communityLogos);
799 	for (i = 0; i < num; i++) {
800 		LogotypeInfo *info;
801 		info = sk_LogotypeInfo_value(logo->communityLogos, i);
802 		switch (info->type) {
803 		case 0:
804 			add_logo_direct(ctx, hcert, info->d.direct);
805 			break;
806 		case 1:
807 			add_logo_indirect(ctx, hcert, info->d.indirect);
808 			break;
809 		}
810 	}
811 
812 	LogotypeExtn_free(logo);
813 }
814 
815 
816 static void parse_cert(struct http_ctx *ctx, struct http_cert *hcert,
817 		       X509 *cert, GENERAL_NAMES **names)
818 {
819 	os_memset(hcert, 0, sizeof(*hcert));
820 
821 	*names = X509_get_ext_d2i(cert, NID_subject_alt_name, NULL, NULL);
822 	if (*names)
823 		add_alt_names(ctx, hcert, *names);
824 
825 	add_logotype_ext(ctx, hcert, cert);
826 }
827 
828 
829 static void parse_cert_free(struct http_cert *hcert, GENERAL_NAMES *names)
830 {
831 	unsigned int i;
832 
833 	for (i = 0; i < hcert->num_dnsname; i++)
834 		OPENSSL_free(hcert->dnsname[i]);
835 	os_free(hcert->dnsname);
836 
837 	for (i = 0; i < hcert->num_othername; i++)
838 		os_free(hcert->othername[i].oid);
839 	os_free(hcert->othername);
840 
841 	for (i = 0; i < hcert->num_logo; i++) {
842 		os_free(hcert->logo[i].alg_oid);
843 		os_free(hcert->logo[i].hash);
844 		os_free(hcert->logo[i].uri);
845 	}
846 	os_free(hcert->logo);
847 
848 	sk_GENERAL_NAME_pop_free(names, GENERAL_NAME_free);
849 }
850 
851 
852 static int validate_server_cert(struct http_ctx *ctx, X509 *cert)
853 {
854 	GENERAL_NAMES *names;
855 	struct http_cert hcert;
856 	int ret;
857 
858 	if (ctx->cert_cb == NULL) {
859 		wpa_printf(MSG_DEBUG, "%s: no cert_cb configured", __func__);
860 		return 0;
861 	}
862 
863 	if (0) {
864 		BIO *out;
865 		out = BIO_new_fp(stdout, BIO_NOCLOSE);
866 		X509_print_ex(out, cert, XN_FLAG_COMPAT, X509_FLAG_COMPAT);
867 		BIO_free(out);
868 	}
869 
870 	parse_cert(ctx, &hcert, cert, &names);
871 	ret = ctx->cert_cb(ctx->cert_cb_ctx, &hcert);
872 	parse_cert_free(&hcert, names);
873 
874 	return ret;
875 }
876 
877 
878 void http_parse_x509_certificate(struct http_ctx *ctx, const char *fname)
879 {
880 	BIO *in, *out;
881 	X509 *cert;
882 	GENERAL_NAMES *names;
883 	struct http_cert hcert;
884 	unsigned int i;
885 
886 	in = BIO_new_file(fname, "r");
887 	if (in == NULL) {
888 		wpa_printf(MSG_ERROR, "Could not read '%s'", fname);
889 		return;
890 	}
891 
892 	cert = d2i_X509_bio(in, NULL);
893 	BIO_free(in);
894 
895 	if (cert == NULL) {
896 		wpa_printf(MSG_ERROR, "Could not parse certificate");
897 		return;
898 	}
899 
900 	out = BIO_new_fp(stdout, BIO_NOCLOSE);
901 	if (out) {
902 		X509_print_ex(out, cert, XN_FLAG_COMPAT,
903 			      X509_FLAG_COMPAT);
904 		BIO_free(out);
905 	}
906 
907 	wpa_printf(MSG_INFO, "Additional parsing information:");
908 	parse_cert(ctx, &hcert, cert, &names);
909 	for (i = 0; i < hcert.num_othername; i++) {
910 		if (os_strcmp(hcert.othername[i].oid,
911 			      "1.3.6.1.4.1.40808.1.1.1") == 0) {
912 			char *name = os_zalloc(hcert.othername[i].len + 1);
913 			if (name) {
914 				os_memcpy(name, hcert.othername[i].data,
915 					  hcert.othername[i].len);
916 				wpa_printf(MSG_INFO,
917 					   "id-wfa-hotspot-friendlyName: %s",
918 					   name);
919 				os_free(name);
920 			}
921 			wpa_hexdump_ascii(MSG_INFO,
922 					  "id-wfa-hotspot-friendlyName",
923 					  hcert.othername[i].data,
924 					  hcert.othername[i].len);
925 		} else {
926 			wpa_printf(MSG_INFO, "subjAltName[othername]: oid=%s",
927 				   hcert.othername[i].oid);
928 			wpa_hexdump_ascii(MSG_INFO, "unknown othername",
929 					  hcert.othername[i].data,
930 					  hcert.othername[i].len);
931 		}
932 	}
933 	parse_cert_free(&hcert, names);
934 
935 	X509_free(cert);
936 }
937 
938 
939 static int curl_cb_ssl_verify(int preverify_ok, X509_STORE_CTX *x509_ctx)
940 {
941 	struct http_ctx *ctx;
942 	X509 *cert;
943 	int err, depth;
944 	char buf[256];
945 	X509_NAME *name;
946 	const char *err_str;
947 	SSL *ssl;
948 	SSL_CTX *ssl_ctx;
949 
950 	ssl = X509_STORE_CTX_get_ex_data(x509_ctx,
951 					 SSL_get_ex_data_X509_STORE_CTX_idx());
952 	ssl_ctx = ssl->ctx;
953 	ctx = SSL_CTX_get_app_data(ssl_ctx);
954 
955 	wpa_printf(MSG_DEBUG, "curl_cb_ssl_verify, preverify_ok: %d",
956 		   preverify_ok);
957 
958 	err = X509_STORE_CTX_get_error(x509_ctx);
959 	err_str = X509_verify_cert_error_string(err);
960 	depth = X509_STORE_CTX_get_error_depth(x509_ctx);
961 	cert = X509_STORE_CTX_get_current_cert(x509_ctx);
962 	if (!cert) {
963 		wpa_printf(MSG_INFO, "No server certificate available");
964 		ctx->last_err = "No server certificate available";
965 		return 0;
966 	}
967 
968 	if (depth == 0)
969 		ctx->peer_cert = cert;
970 	else if (depth == 1)
971 		ctx->peer_issuer = cert;
972 	else if (depth == 2)
973 		ctx->peer_issuer_issuer = cert;
974 
975 	name = X509_get_subject_name(cert);
976 	X509_NAME_oneline(name, buf, sizeof(buf));
977 	wpa_printf(MSG_INFO, "Server certificate chain - depth=%d err=%d (%s) subject=%s",
978 		   depth, err, err_str, buf);
979 	debug_dump_cert("Server certificate chain - certificate", cert);
980 
981 	if (depth == 0 && preverify_ok && validate_server_cert(ctx, cert) < 0)
982 		return 0;
983 
984 	if (!preverify_ok)
985 		ctx->last_err = "TLS validation failed";
986 
987 	return preverify_ok;
988 }
989 
990 
991 #ifdef HAVE_OCSP
992 
993 static void ocsp_debug_print_resp(OCSP_RESPONSE *rsp)
994 {
995 	BIO *out;
996 	size_t rlen;
997 	char *txt;
998 	int res;
999 
1000 	out = BIO_new(BIO_s_mem());
1001 	if (!out)
1002 		return;
1003 
1004 	OCSP_RESPONSE_print(out, rsp, 0);
1005 	rlen = BIO_ctrl_pending(out);
1006 	txt = os_malloc(rlen + 1);
1007 	if (!txt) {
1008 		BIO_free(out);
1009 		return;
1010 	}
1011 
1012 	res = BIO_read(out, txt, rlen);
1013 	if (res > 0) {
1014 		txt[res] = '\0';
1015 		wpa_printf(MSG_MSGDUMP, "OpenSSL: OCSP Response\n%s", txt);
1016 	}
1017 	os_free(txt);
1018 	BIO_free(out);
1019 }
1020 
1021 
1022 static void tls_show_errors(const char *func, const char *txt)
1023 {
1024 	unsigned long err;
1025 
1026 	wpa_printf(MSG_DEBUG, "OpenSSL: %s - %s %s",
1027 		   func, txt, ERR_error_string(ERR_get_error(), NULL));
1028 
1029 	while ((err = ERR_get_error())) {
1030 		wpa_printf(MSG_DEBUG, "OpenSSL: pending error: %s",
1031 			   ERR_error_string(err, NULL));
1032 	}
1033 }
1034 
1035 
1036 static int ocsp_resp_cb(SSL *s, void *arg)
1037 {
1038 	struct http_ctx *ctx = arg;
1039 	const unsigned char *p;
1040 	int len, status, reason;
1041 	OCSP_RESPONSE *rsp;
1042 	OCSP_BASICRESP *basic;
1043 	OCSP_CERTID *id;
1044 	ASN1_GENERALIZEDTIME *produced_at, *this_update, *next_update;
1045 	X509_STORE *store;
1046 	STACK_OF(X509) *certs = NULL;
1047 
1048 	len = SSL_get_tlsext_status_ocsp_resp(s, &p);
1049 	if (!p) {
1050 		wpa_printf(MSG_DEBUG, "OpenSSL: No OCSP response received");
1051 		if (ctx->ocsp == MANDATORY_OCSP)
1052 			ctx->last_err = "No OCSP response received";
1053 		return (ctx->ocsp == MANDATORY_OCSP) ? 0 : 1;
1054 	}
1055 
1056 	wpa_hexdump(MSG_DEBUG, "OpenSSL: OCSP response", p, len);
1057 
1058 	rsp = d2i_OCSP_RESPONSE(NULL, &p, len);
1059 	if (!rsp) {
1060 		wpa_printf(MSG_INFO, "OpenSSL: Failed to parse OCSP response");
1061 		ctx->last_err = "Failed to parse OCSP response";
1062 		return 0;
1063 	}
1064 
1065 	ocsp_debug_print_resp(rsp);
1066 
1067 	status = OCSP_response_status(rsp);
1068 	if (status != OCSP_RESPONSE_STATUS_SUCCESSFUL) {
1069 		wpa_printf(MSG_INFO, "OpenSSL: OCSP responder error %d (%s)",
1070 			   status, OCSP_response_status_str(status));
1071 		ctx->last_err = "OCSP responder error";
1072 		return 0;
1073 	}
1074 
1075 	basic = OCSP_response_get1_basic(rsp);
1076 	if (!basic) {
1077 		wpa_printf(MSG_INFO, "OpenSSL: Could not find BasicOCSPResponse");
1078 		ctx->last_err = "Could not find BasicOCSPResponse";
1079 		return 0;
1080 	}
1081 
1082 	store = SSL_CTX_get_cert_store(s->ctx);
1083 	if (ctx->peer_issuer) {
1084 		wpa_printf(MSG_DEBUG, "OpenSSL: Add issuer");
1085 		debug_dump_cert("OpenSSL: Issuer certificate",
1086 				ctx->peer_issuer);
1087 
1088 		if (X509_STORE_add_cert(store, ctx->peer_issuer) != 1) {
1089 			tls_show_errors(__func__,
1090 					"OpenSSL: Could not add issuer to certificate store");
1091 		}
1092 		certs = sk_X509_new_null();
1093 		if (certs) {
1094 			X509 *cert;
1095 			cert = X509_dup(ctx->peer_issuer);
1096 			if (cert && !sk_X509_push(certs, cert)) {
1097 				tls_show_errors(
1098 					__func__,
1099 					"OpenSSL: Could not add issuer to OCSP responder trust store");
1100 				X509_free(cert);
1101 				sk_X509_free(certs);
1102 				certs = NULL;
1103 			}
1104 			if (certs && ctx->peer_issuer_issuer) {
1105 				cert = X509_dup(ctx->peer_issuer_issuer);
1106 				if (cert && !sk_X509_push(certs, cert)) {
1107 					tls_show_errors(
1108 						__func__,
1109 						"OpenSSL: Could not add issuer's issuer to OCSP responder trust store");
1110 					X509_free(cert);
1111 				}
1112 			}
1113 		}
1114 	}
1115 
1116 	status = OCSP_basic_verify(basic, certs, store, OCSP_TRUSTOTHER);
1117 	sk_X509_pop_free(certs, X509_free);
1118 	if (status <= 0) {
1119 		tls_show_errors(__func__,
1120 				"OpenSSL: OCSP response failed verification");
1121 		OCSP_BASICRESP_free(basic);
1122 		OCSP_RESPONSE_free(rsp);
1123 		ctx->last_err = "OCSP response failed verification";
1124 		return 0;
1125 	}
1126 
1127 	wpa_printf(MSG_DEBUG, "OpenSSL: OCSP response verification succeeded");
1128 
1129 	if (!ctx->peer_cert) {
1130 		wpa_printf(MSG_DEBUG, "OpenSSL: Peer certificate not available for OCSP status check");
1131 		OCSP_BASICRESP_free(basic);
1132 		OCSP_RESPONSE_free(rsp);
1133 		ctx->last_err = "Peer certificate not available for OCSP status check";
1134 		return 0;
1135 	}
1136 
1137 	if (!ctx->peer_issuer) {
1138 		wpa_printf(MSG_DEBUG, "OpenSSL: Peer issuer certificate not available for OCSP status check");
1139 		OCSP_BASICRESP_free(basic);
1140 		OCSP_RESPONSE_free(rsp);
1141 		ctx->last_err = "Peer issuer certificate not available for OCSP status check";
1142 		return 0;
1143 	}
1144 
1145 	id = OCSP_cert_to_id(NULL, ctx->peer_cert, ctx->peer_issuer);
1146 	if (!id) {
1147 		wpa_printf(MSG_DEBUG, "OpenSSL: Could not create OCSP certificate identifier");
1148 		OCSP_BASICRESP_free(basic);
1149 		OCSP_RESPONSE_free(rsp);
1150 		ctx->last_err = "Could not create OCSP certificate identifier";
1151 		return 0;
1152 	}
1153 
1154 	if (!OCSP_resp_find_status(basic, id, &status, &reason, &produced_at,
1155 				   &this_update, &next_update)) {
1156 		wpa_printf(MSG_INFO, "OpenSSL: Could not find current server certificate from OCSP response%s",
1157 			   (ctx->ocsp == MANDATORY_OCSP) ? "" :
1158 			   " (OCSP not required)");
1159 		OCSP_BASICRESP_free(basic);
1160 		OCSP_RESPONSE_free(rsp);
1161 		if (ctx->ocsp == MANDATORY_OCSP)
1162 
1163 			ctx->last_err = "Could not find current server certificate from OCSP response";
1164 		return (ctx->ocsp == MANDATORY_OCSP) ? 0 : 1;
1165 	}
1166 
1167 	if (!OCSP_check_validity(this_update, next_update, 5 * 60, -1)) {
1168 		tls_show_errors(__func__, "OpenSSL: OCSP status times invalid");
1169 		OCSP_BASICRESP_free(basic);
1170 		OCSP_RESPONSE_free(rsp);
1171 		ctx->last_err = "OCSP status times invalid";
1172 		return 0;
1173 	}
1174 
1175 	OCSP_BASICRESP_free(basic);
1176 	OCSP_RESPONSE_free(rsp);
1177 
1178 	wpa_printf(MSG_DEBUG, "OpenSSL: OCSP status for server certificate: %s",
1179 		   OCSP_cert_status_str(status));
1180 
1181 	if (status == V_OCSP_CERTSTATUS_GOOD)
1182 		return 1;
1183 	if (status == V_OCSP_CERTSTATUS_REVOKED) {
1184 		ctx->last_err = "Server certificate has been revoked";
1185 		return 0;
1186 	}
1187 	if (ctx->ocsp == MANDATORY_OCSP) {
1188 		wpa_printf(MSG_DEBUG, "OpenSSL: OCSP status unknown, but OCSP required");
1189 		ctx->last_err = "OCSP status unknown";
1190 		return 0;
1191 	}
1192 	wpa_printf(MSG_DEBUG, "OpenSSL: OCSP status unknown, but OCSP was not required, so allow connection to continue");
1193 	return 1;
1194 }
1195 
1196 
1197 static SSL_METHOD patch_ssl_method;
1198 static const SSL_METHOD *real_ssl_method;
1199 
1200 static int curl_patch_ssl_new(SSL *s)
1201 {
1202 	SSL_CTX *ssl = s->ctx;
1203 	int ret;
1204 
1205 	ssl->method = real_ssl_method;
1206 	s->method = real_ssl_method;
1207 
1208 	ret = s->method->ssl_new(s);
1209 	SSL_set_tlsext_status_type(s, TLSEXT_STATUSTYPE_ocsp);
1210 
1211 	return ret;
1212 }
1213 
1214 #endif /* HAVE_OCSP */
1215 
1216 
1217 static CURLcode curl_cb_ssl(CURL *curl, void *sslctx, void *parm)
1218 {
1219 	struct http_ctx *ctx = parm;
1220 	SSL_CTX *ssl = sslctx;
1221 
1222 	wpa_printf(MSG_DEBUG, "curl_cb_ssl");
1223 	SSL_CTX_set_app_data(ssl, ctx);
1224 	SSL_CTX_set_verify(ssl, SSL_VERIFY_PEER, curl_cb_ssl_verify);
1225 
1226 #ifdef HAVE_OCSP
1227 	if (ctx->ocsp != NO_OCSP) {
1228 		SSL_CTX_set_tlsext_status_cb(ssl, ocsp_resp_cb);
1229 		SSL_CTX_set_tlsext_status_arg(ssl, ctx);
1230 
1231 		/*
1232 		 * Use a temporary SSL_METHOD to get a callback on SSL_new()
1233 		 * from libcurl since there is no proper callback registration
1234 		 * available for this.
1235 		 */
1236 		os_memset(&patch_ssl_method, 0, sizeof(patch_ssl_method));
1237 		patch_ssl_method.ssl_new = curl_patch_ssl_new;
1238 		real_ssl_method = ssl->method;
1239 		ssl->method = &patch_ssl_method;
1240 	}
1241 #endif /* HAVE_OCSP */
1242 
1243 	return CURLE_OK;
1244 }
1245 
1246 #endif /* EAP_TLS_OPENSSL */
1247 
1248 
1249 static CURL * setup_curl_post(struct http_ctx *ctx, const char *address,
1250 			      const char *ca_fname, const char *username,
1251 			      const char *password, const char *client_cert,
1252 			      const char *client_key)
1253 {
1254 	CURL *curl;
1255 #ifdef EAP_TLS_OPENSSL
1256 	const char *extra = " tls=openssl";
1257 #else /* EAP_TLS_OPENSSL */
1258 	const char *extra = "";
1259 #endif /* EAP_TLS_OPENSSL */
1260 
1261 	wpa_printf(MSG_DEBUG, "Start HTTP client: address=%s ca_fname=%s "
1262 		   "username=%s%s", address, ca_fname, username, extra);
1263 
1264 	curl = curl_easy_init();
1265 	if (curl == NULL)
1266 		return NULL;
1267 
1268 	curl_easy_setopt(curl, CURLOPT_URL, address);
1269 	curl_easy_setopt(curl, CURLOPT_POST, 1L);
1270 	if (ca_fname) {
1271 		curl_easy_setopt(curl, CURLOPT_CAINFO, ca_fname);
1272 		curl_easy_setopt(curl, CURLOPT_SSL_VERIFYPEER, 1L);
1273 #ifdef EAP_TLS_OPENSSL
1274 		curl_easy_setopt(curl, CURLOPT_SSL_CTX_FUNCTION, curl_cb_ssl);
1275 		curl_easy_setopt(curl, CURLOPT_SSL_CTX_DATA, ctx);
1276 #endif /* EAP_TLS_OPENSSL */
1277 	} else {
1278 		curl_easy_setopt(curl, CURLOPT_SSL_VERIFYPEER, 0L);
1279 	}
1280 	if (client_cert && client_key) {
1281 		curl_easy_setopt(curl, CURLOPT_SSLCERT, client_cert);
1282 		curl_easy_setopt(curl, CURLOPT_SSLKEY, client_key);
1283 	}
1284 	/* TODO: use curl_easy_getinfo() with CURLINFO_CERTINFO to fetch
1285 	 * information about the server certificate */
1286 	curl_easy_setopt(curl, CURLOPT_CERTINFO, 1L);
1287 	curl_easy_setopt(curl, CURLOPT_DEBUGFUNCTION, curl_cb_debug);
1288 	curl_easy_setopt(curl, CURLOPT_DEBUGDATA, ctx);
1289 	curl_easy_setopt(curl, CURLOPT_WRITEFUNCTION, curl_cb_write);
1290 	curl_easy_setopt(curl, CURLOPT_WRITEDATA, ctx);
1291 	curl_easy_setopt(curl, CURLOPT_VERBOSE, 1L);
1292 	if (username) {
1293 		curl_easy_setopt(curl, CURLOPT_HTTPAUTH, CURLAUTH_ANYSAFE);
1294 		curl_easy_setopt(curl, CURLOPT_USERNAME, username);
1295 		curl_easy_setopt(curl, CURLOPT_PASSWORD, password);
1296 	}
1297 
1298 	return curl;
1299 }
1300 
1301 
1302 static int post_init_client(struct http_ctx *ctx, const char *address,
1303 			    const char *ca_fname, const char *username,
1304 			    const char *password, const char *client_cert,
1305 			    const char *client_key)
1306 {
1307 	char *pos;
1308 	int count;
1309 
1310 	clone_str(&ctx->svc_address, address);
1311 	clone_str(&ctx->svc_ca_fname, ca_fname);
1312 	clone_str(&ctx->svc_username, username);
1313 	clone_str(&ctx->svc_password, password);
1314 	clone_str(&ctx->svc_client_cert, client_cert);
1315 	clone_str(&ctx->svc_client_key, client_key);
1316 
1317 	/*
1318 	 * Workaround for Apache "Hostname 'FOO' provided via SNI and hostname
1319 	 * 'foo' provided via HTTP are different.
1320 	 */
1321 	for (count = 0, pos = ctx->svc_address; count < 3 && pos && *pos;
1322 	     pos++) {
1323 		if (*pos == '/')
1324 			count++;
1325 		*pos = tolower(*pos);
1326 	}
1327 
1328 	ctx->curl = setup_curl_post(ctx, ctx->svc_address, ca_fname, username,
1329 				    password, client_cert, client_key);
1330 	if (ctx->curl == NULL)
1331 		return -1;
1332 
1333 	return 0;
1334 }
1335 
1336 
1337 int soap_init_client(struct http_ctx *ctx, const char *address,
1338 		     const char *ca_fname, const char *username,
1339 		     const char *password, const char *client_cert,
1340 		     const char *client_key)
1341 {
1342 	if (post_init_client(ctx, address, ca_fname, username, password,
1343 			     client_cert, client_key) < 0)
1344 		return -1;
1345 
1346 	ctx->curl_hdr = curl_slist_append(ctx->curl_hdr,
1347 					  "Content-Type: application/soap+xml");
1348 	ctx->curl_hdr = curl_slist_append(ctx->curl_hdr, "SOAPAction: ");
1349 	ctx->curl_hdr = curl_slist_append(ctx->curl_hdr, "Expect:");
1350 	curl_easy_setopt(ctx->curl, CURLOPT_HTTPHEADER, ctx->curl_hdr);
1351 
1352 	return 0;
1353 }
1354 
1355 
1356 int soap_reinit_client(struct http_ctx *ctx)
1357 {
1358 	char *address = NULL;
1359 	char *ca_fname = NULL;
1360 	char *username = NULL;
1361 	char *password = NULL;
1362 	char *client_cert = NULL;
1363 	char *client_key = NULL;
1364 	int ret;
1365 
1366 	clear_curl(ctx);
1367 
1368 	clone_str(&address, ctx->svc_address);
1369 	clone_str(&ca_fname, ctx->svc_ca_fname);
1370 	clone_str(&username, ctx->svc_username);
1371 	clone_str(&password, ctx->svc_password);
1372 	clone_str(&client_cert, ctx->svc_client_cert);
1373 	clone_str(&client_key, ctx->svc_client_key);
1374 
1375 	ret = soap_init_client(ctx, address, ca_fname, username, password,
1376 			       client_cert, client_key);
1377 	os_free(address);
1378 	os_free(ca_fname);
1379 	str_clear_free(username);
1380 	str_clear_free(password);
1381 	os_free(client_cert);
1382 	os_free(client_key);
1383 	return ret;
1384 }
1385 
1386 
1387 static void free_curl_buf(struct http_ctx *ctx)
1388 {
1389 	os_free(ctx->curl_buf);
1390 	ctx->curl_buf = NULL;
1391 	ctx->curl_buf_len = 0;
1392 }
1393 
1394 
1395 xml_node_t * soap_send_receive(struct http_ctx *ctx, xml_node_t *node)
1396 {
1397 	char *str;
1398 	xml_node_t *envelope, *ret, *resp, *n;
1399 	CURLcode res;
1400 	long http = 0;
1401 
1402 	ctx->last_err = NULL;
1403 
1404 	wpa_printf(MSG_DEBUG, "SOAP: Sending message");
1405 	envelope = soap_build_envelope(ctx->xml, node);
1406 	str = xml_node_to_str(ctx->xml, envelope);
1407 	xml_node_free(ctx->xml, envelope);
1408 	wpa_printf(MSG_MSGDUMP, "SOAP[%s]", str);
1409 
1410 	curl_easy_setopt(ctx->curl, CURLOPT_POSTFIELDS, str);
1411 	free_curl_buf(ctx);
1412 
1413 	res = curl_easy_perform(ctx->curl);
1414 	if (res != CURLE_OK) {
1415 		if (!ctx->last_err)
1416 			ctx->last_err = curl_easy_strerror(res);
1417 		wpa_printf(MSG_ERROR, "curl_easy_perform() failed: %s",
1418 			   ctx->last_err);
1419 		os_free(str);
1420 		free_curl_buf(ctx);
1421 		return NULL;
1422 	}
1423 	os_free(str);
1424 
1425 	curl_easy_getinfo(ctx->curl, CURLINFO_RESPONSE_CODE, &http);
1426 	wpa_printf(MSG_DEBUG, "SOAP: Server response code %ld", http);
1427 	if (http != 200) {
1428 		ctx->last_err = "HTTP download failed";
1429 		wpa_printf(MSG_INFO, "HTTP download failed - code %ld", http);
1430 		free_curl_buf(ctx);
1431 		return NULL;
1432 	}
1433 
1434 	if (ctx->curl_buf == NULL)
1435 		return NULL;
1436 
1437 	wpa_printf(MSG_MSGDUMP, "Server response:\n%s", ctx->curl_buf);
1438 	resp = xml_node_from_buf(ctx->xml, ctx->curl_buf);
1439 	free_curl_buf(ctx);
1440 	if (resp == NULL) {
1441 		wpa_printf(MSG_INFO, "Could not parse SOAP response");
1442 		ctx->last_err = "Could not parse SOAP response";
1443 		return NULL;
1444 	}
1445 
1446 	ret = soap_get_body(ctx->xml, resp);
1447 	if (ret == NULL) {
1448 		wpa_printf(MSG_INFO, "Could not get SOAP body");
1449 		ctx->last_err = "Could not get SOAP body";
1450 		return NULL;
1451 	}
1452 
1453 	wpa_printf(MSG_DEBUG, "SOAP body localname: '%s'",
1454 		   xml_node_get_localname(ctx->xml, ret));
1455 	n = xml_node_copy(ctx->xml, ret);
1456 	xml_node_free(ctx->xml, resp);
1457 
1458 	return n;
1459 }
1460 
1461 
1462 struct http_ctx * http_init_ctx(void *upper_ctx, struct xml_node_ctx *xml_ctx)
1463 {
1464 	struct http_ctx *ctx;
1465 
1466 	ctx = os_zalloc(sizeof(*ctx));
1467 	if (ctx == NULL)
1468 		return NULL;
1469 	ctx->ctx = upper_ctx;
1470 	ctx->xml = xml_ctx;
1471 	ctx->ocsp = OPTIONAL_OCSP;
1472 
1473 	curl_global_init(CURL_GLOBAL_ALL);
1474 
1475 	return ctx;
1476 }
1477 
1478 
1479 void http_ocsp_set(struct http_ctx *ctx, int val)
1480 {
1481 	if (val == 0)
1482 		ctx->ocsp = NO_OCSP;
1483 	else if (val == 1)
1484 		ctx->ocsp = OPTIONAL_OCSP;
1485 	if (val == 2)
1486 		ctx->ocsp = MANDATORY_OCSP;
1487 }
1488 
1489 
1490 void http_deinit_ctx(struct http_ctx *ctx)
1491 {
1492 	clear_curl(ctx);
1493 	os_free(ctx->curl_buf);
1494 	curl_global_cleanup();
1495 
1496 	os_free(ctx->svc_address);
1497 	os_free(ctx->svc_ca_fname);
1498 	str_clear_free(ctx->svc_username);
1499 	str_clear_free(ctx->svc_password);
1500 	os_free(ctx->svc_client_cert);
1501 	os_free(ctx->svc_client_key);
1502 
1503 	os_free(ctx);
1504 }
1505 
1506 
1507 int http_download_file(struct http_ctx *ctx, const char *url,
1508 		       const char *fname, const char *ca_fname)
1509 {
1510 	CURL *curl;
1511 	FILE *f;
1512 	CURLcode res;
1513 	long http = 0;
1514 
1515 	ctx->last_err = NULL;
1516 
1517 	wpa_printf(MSG_DEBUG, "curl: Download file from %s to %s (ca=%s)",
1518 		   url, fname, ca_fname);
1519 	curl = curl_easy_init();
1520 	if (curl == NULL)
1521 		return -1;
1522 
1523 	f = fopen(fname, "wb");
1524 	if (f == NULL) {
1525 		curl_easy_cleanup(curl);
1526 		return -1;
1527 	}
1528 
1529 	curl_easy_setopt(curl, CURLOPT_URL, url);
1530 	if (ca_fname) {
1531 		curl_easy_setopt(curl, CURLOPT_CAINFO, ca_fname);
1532 		curl_easy_setopt(curl, CURLOPT_SSL_VERIFYPEER, 1L);
1533 		curl_easy_setopt(curl, CURLOPT_CERTINFO, 1L);
1534 	} else {
1535 		curl_easy_setopt(curl, CURLOPT_SSL_VERIFYPEER, 0L);
1536 	}
1537 	curl_easy_setopt(curl, CURLOPT_DEBUGFUNCTION, curl_cb_debug);
1538 	curl_easy_setopt(curl, CURLOPT_DEBUGDATA, ctx);
1539 	curl_easy_setopt(curl, CURLOPT_WRITEFUNCTION, fwrite);
1540 	curl_easy_setopt(curl, CURLOPT_WRITEDATA, f);
1541 	curl_easy_setopt(curl, CURLOPT_VERBOSE, 1L);
1542 
1543 	res = curl_easy_perform(curl);
1544 	if (res != CURLE_OK) {
1545 		if (!ctx->last_err)
1546 			ctx->last_err = curl_easy_strerror(res);
1547 		wpa_printf(MSG_ERROR, "curl_easy_perform() failed: %s",
1548 			   ctx->last_err);
1549 		curl_easy_cleanup(curl);
1550 		fclose(f);
1551 		return -1;
1552 	}
1553 
1554 	curl_easy_getinfo(curl, CURLINFO_RESPONSE_CODE, &http);
1555 	wpa_printf(MSG_DEBUG, "curl: Server response code %ld", http);
1556 	if (http != 200) {
1557 		ctx->last_err = "HTTP download failed";
1558 		wpa_printf(MSG_INFO, "HTTP download failed - code %ld", http);
1559 		curl_easy_cleanup(curl);
1560 		fclose(f);
1561 		return -1;
1562 	}
1563 
1564 	curl_easy_cleanup(curl);
1565 	fclose(f);
1566 
1567 	return 0;
1568 }
1569 
1570 
1571 char * http_post(struct http_ctx *ctx, const char *url, const char *data,
1572 		 const char *content_type, const char *ext_hdr,
1573 		 const char *ca_fname,
1574 		 const char *username, const char *password,
1575 		 const char *client_cert, const char *client_key,
1576 		 size_t *resp_len)
1577 {
1578 	long http = 0;
1579 	CURLcode res;
1580 	char *ret;
1581 	CURL *curl;
1582 	struct curl_slist *curl_hdr = NULL;
1583 
1584 	ctx->last_err = NULL;
1585 	wpa_printf(MSG_DEBUG, "curl: HTTP POST to %s", url);
1586 	curl = setup_curl_post(ctx, url, ca_fname, username, password,
1587 			       client_cert, client_key);
1588 	if (curl == NULL)
1589 		return NULL;
1590 
1591 	if (content_type) {
1592 		char ct[200];
1593 		snprintf(ct, sizeof(ct), "Content-Type: %s", content_type);
1594 		curl_hdr = curl_slist_append(curl_hdr, ct);
1595 	}
1596 	if (ext_hdr)
1597 		curl_hdr = curl_slist_append(curl_hdr, ext_hdr);
1598 	curl_easy_setopt(curl, CURLOPT_HTTPHEADER, curl_hdr);
1599 
1600 	curl_easy_setopt(curl, CURLOPT_POSTFIELDS, data);
1601 	free_curl_buf(ctx);
1602 
1603 	res = curl_easy_perform(curl);
1604 	if (res != CURLE_OK) {
1605 		if (!ctx->last_err)
1606 			ctx->last_err = curl_easy_strerror(res);
1607 		wpa_printf(MSG_ERROR, "curl_easy_perform() failed: %s",
1608 			   ctx->last_err);
1609 		free_curl_buf(ctx);
1610 		return NULL;
1611 	}
1612 
1613 	curl_easy_getinfo(curl, CURLINFO_RESPONSE_CODE, &http);
1614 	wpa_printf(MSG_DEBUG, "curl: Server response code %ld", http);
1615 	if (http != 200) {
1616 		ctx->last_err = "HTTP POST failed";
1617 		wpa_printf(MSG_INFO, "HTTP POST failed - code %ld", http);
1618 		free_curl_buf(ctx);
1619 		return NULL;
1620 	}
1621 
1622 	if (ctx->curl_buf == NULL)
1623 		return NULL;
1624 
1625 	ret = ctx->curl_buf;
1626 	if (resp_len)
1627 		*resp_len = ctx->curl_buf_len;
1628 	ctx->curl_buf = NULL;
1629 	ctx->curl_buf_len = 0;
1630 
1631 	wpa_printf(MSG_MSGDUMP, "Server response:\n%s", ret);
1632 
1633 	return ret;
1634 }
1635 
1636 
1637 void http_set_cert_cb(struct http_ctx *ctx,
1638 		      int (*cb)(void *ctx, struct http_cert *cert),
1639 		      void *cb_ctx)
1640 {
1641 	ctx->cert_cb = cb;
1642 	ctx->cert_cb_ctx = cb_ctx;
1643 }
1644 
1645 
1646 const char * http_get_err(struct http_ctx *ctx)
1647 {
1648 	return ctx->last_err;
1649 }
1650