1 /* 2 * HTTP wrapper for libcurl 3 * Copyright (c) 2012-2014, Qualcomm Atheros, Inc. 4 * 5 * This software may be distributed under the terms of the BSD license. 6 * See README for more details. 7 */ 8 9 #include "includes.h" 10 #include <curl/curl.h> 11 #ifdef EAP_TLS_OPENSSL 12 #include <openssl/ssl.h> 13 #include <openssl/asn1.h> 14 #include <openssl/asn1t.h> 15 #include <openssl/x509v3.h> 16 17 #ifdef SSL_set_tlsext_status_type 18 #ifndef OPENSSL_NO_TLSEXT 19 #define HAVE_OCSP 20 #include <openssl/err.h> 21 #include <openssl/ocsp.h> 22 #endif /* OPENSSL_NO_TLSEXT */ 23 #endif /* SSL_set_tlsext_status_type */ 24 #endif /* EAP_TLS_OPENSSL */ 25 26 #include "common.h" 27 #include "xml-utils.h" 28 #include "http-utils.h" 29 #ifdef EAP_TLS_OPENSSL 30 #include "crypto/tls_openssl.h" 31 #endif /* EAP_TLS_OPENSSL */ 32 33 34 #if OPENSSL_VERSION_NUMBER < 0x10100000L 35 static const unsigned char * ASN1_STRING_get0_data(const ASN1_STRING *x) 36 { 37 return ASN1_STRING_data((ASN1_STRING *) x); 38 } 39 #endif /* OpenSSL < 1.1.0 */ 40 41 42 struct http_ctx { 43 void *ctx; 44 struct xml_node_ctx *xml; 45 CURL *curl; 46 struct curl_slist *curl_hdr; 47 char *svc_address; 48 char *svc_ca_fname; 49 char *svc_username; 50 char *svc_password; 51 char *svc_client_cert; 52 char *svc_client_key; 53 char *curl_buf; 54 size_t curl_buf_len; 55 56 int (*cert_cb)(void *ctx, struct http_cert *cert); 57 void *cert_cb_ctx; 58 59 enum { 60 NO_OCSP, OPTIONAL_OCSP, MANDATORY_OCSP 61 } ocsp; 62 X509 *peer_cert; 63 X509 *peer_issuer; 64 X509 *peer_issuer_issuer; 65 66 const char *last_err; 67 const char *url; 68 }; 69 70 71 static void clear_curl(struct http_ctx *ctx) 72 { 73 if (ctx->curl) { 74 curl_easy_cleanup(ctx->curl); 75 ctx->curl = NULL; 76 } 77 if (ctx->curl_hdr) { 78 curl_slist_free_all(ctx->curl_hdr); 79 ctx->curl_hdr = NULL; 80 } 81 } 82 83 84 static void clone_str(char **dst, const char *src) 85 { 86 os_free(*dst); 87 if (src) 88 *dst = os_strdup(src); 89 else 90 *dst = NULL; 91 } 92 93 94 static void debug_dump(struct http_ctx *ctx, const char *title, 95 const char *buf, size_t len) 96 { 97 char *txt; 98 size_t i; 99 100 for (i = 0; i < len; i++) { 101 if (buf[i] < 32 && buf[i] != '\t' && buf[i] != '\n' && 102 buf[i] != '\r') { 103 wpa_hexdump_ascii(MSG_MSGDUMP, title, buf, len); 104 return; 105 } 106 } 107 108 txt = os_malloc(len + 1); 109 if (txt == NULL) 110 return; 111 os_memcpy(txt, buf, len); 112 txt[len] = '\0'; 113 while (len > 0) { 114 len--; 115 if (txt[len] == '\n' || txt[len] == '\r') 116 txt[len] = '\0'; 117 else 118 break; 119 } 120 wpa_printf(MSG_MSGDUMP, "%s[%s]", title, txt); 121 os_free(txt); 122 } 123 124 125 static int curl_cb_debug(CURL *curl, curl_infotype info, char *buf, size_t len, 126 void *userdata) 127 { 128 struct http_ctx *ctx = userdata; 129 switch (info) { 130 case CURLINFO_TEXT: 131 debug_dump(ctx, "CURLINFO_TEXT", buf, len); 132 break; 133 case CURLINFO_HEADER_IN: 134 debug_dump(ctx, "CURLINFO_HEADER_IN", buf, len); 135 break; 136 case CURLINFO_HEADER_OUT: 137 debug_dump(ctx, "CURLINFO_HEADER_OUT", buf, len); 138 break; 139 case CURLINFO_DATA_IN: 140 debug_dump(ctx, "CURLINFO_DATA_IN", buf, len); 141 break; 142 case CURLINFO_DATA_OUT: 143 debug_dump(ctx, "CURLINFO_DATA_OUT", buf, len); 144 break; 145 case CURLINFO_SSL_DATA_IN: 146 wpa_printf(MSG_DEBUG, "debug - CURLINFO_SSL_DATA_IN - %d", 147 (int) len); 148 break; 149 case CURLINFO_SSL_DATA_OUT: 150 wpa_printf(MSG_DEBUG, "debug - CURLINFO_SSL_DATA_OUT - %d", 151 (int) len); 152 break; 153 case CURLINFO_END: 154 wpa_printf(MSG_DEBUG, "debug - CURLINFO_END - %d", 155 (int) len); 156 break; 157 } 158 return 0; 159 } 160 161 162 static size_t curl_cb_write(void *ptr, size_t size, size_t nmemb, 163 void *userdata) 164 { 165 struct http_ctx *ctx = userdata; 166 char *n; 167 n = os_realloc(ctx->curl_buf, ctx->curl_buf_len + size * nmemb + 1); 168 if (n == NULL) 169 return 0; 170 ctx->curl_buf = n; 171 os_memcpy(n + ctx->curl_buf_len, ptr, size * nmemb); 172 n[ctx->curl_buf_len + size * nmemb] = '\0'; 173 ctx->curl_buf_len += size * nmemb; 174 return size * nmemb; 175 } 176 177 178 #ifdef EAP_TLS_OPENSSL 179 180 static void debug_dump_cert(const char *title, X509 *cert) 181 { 182 BIO *out; 183 char *txt; 184 size_t rlen; 185 186 out = BIO_new(BIO_s_mem()); 187 if (!out) 188 return; 189 190 X509_print_ex(out, cert, XN_FLAG_COMPAT, X509_FLAG_COMPAT); 191 rlen = BIO_ctrl_pending(out); 192 txt = os_malloc(rlen + 1); 193 if (txt) { 194 int res = BIO_read(out, txt, rlen); 195 if (res > 0) { 196 txt[res] = '\0'; 197 wpa_printf(MSG_MSGDUMP, "%s:\n%s", title, txt); 198 } 199 os_free(txt); 200 } 201 BIO_free(out); 202 } 203 204 205 static void add_alt_name_othername(struct http_ctx *ctx, struct http_cert *cert, 206 OTHERNAME *o) 207 { 208 char txt[100]; 209 int res; 210 struct http_othername *on; 211 ASN1_TYPE *val; 212 213 on = os_realloc_array(cert->othername, cert->num_othername + 1, 214 sizeof(struct http_othername)); 215 if (on == NULL) 216 return; 217 cert->othername = on; 218 on = &on[cert->num_othername]; 219 os_memset(on, 0, sizeof(*on)); 220 221 res = OBJ_obj2txt(txt, sizeof(txt), o->type_id, 1); 222 if (res < 0 || res >= (int) sizeof(txt)) 223 return; 224 225 on->oid = os_strdup(txt); 226 if (on->oid == NULL) 227 return; 228 229 val = o->value; 230 on->data = val->value.octet_string->data; 231 on->len = val->value.octet_string->length; 232 233 cert->num_othername++; 234 } 235 236 237 static void add_alt_name_dns(struct http_ctx *ctx, struct http_cert *cert, 238 ASN1_STRING *name) 239 { 240 char *buf; 241 char **n; 242 243 buf = NULL; 244 if (ASN1_STRING_to_UTF8((unsigned char **) &buf, name) < 0) 245 return; 246 247 n = os_realloc_array(cert->dnsname, cert->num_dnsname + 1, 248 sizeof(char *)); 249 if (n == NULL) 250 return; 251 252 cert->dnsname = n; 253 n[cert->num_dnsname] = buf; 254 cert->num_dnsname++; 255 } 256 257 258 static void add_alt_name(struct http_ctx *ctx, struct http_cert *cert, 259 const GENERAL_NAME *name) 260 { 261 switch (name->type) { 262 case GEN_OTHERNAME: 263 add_alt_name_othername(ctx, cert, name->d.otherName); 264 break; 265 case GEN_DNS: 266 add_alt_name_dns(ctx, cert, name->d.dNSName); 267 break; 268 } 269 } 270 271 272 static void add_alt_names(struct http_ctx *ctx, struct http_cert *cert, 273 GENERAL_NAMES *names) 274 { 275 int num, i; 276 277 num = sk_GENERAL_NAME_num(names); 278 for (i = 0; i < num; i++) { 279 const GENERAL_NAME *name; 280 name = sk_GENERAL_NAME_value(names, i); 281 add_alt_name(ctx, cert, name); 282 } 283 } 284 285 286 /* RFC 3709 */ 287 288 typedef struct { 289 X509_ALGOR *hashAlg; 290 ASN1_OCTET_STRING *hashValue; 291 } HashAlgAndValue; 292 293 typedef struct { 294 STACK_OF(HashAlgAndValue) *refStructHash; 295 STACK_OF(ASN1_IA5STRING) *refStructURI; 296 } LogotypeReference; 297 298 typedef struct { 299 ASN1_IA5STRING *mediaType; 300 STACK_OF(HashAlgAndValue) *logotypeHash; 301 STACK_OF(ASN1_IA5STRING) *logotypeURI; 302 } LogotypeDetails; 303 304 typedef struct { 305 int type; 306 union { 307 ASN1_INTEGER *numBits; 308 ASN1_INTEGER *tableSize; 309 } d; 310 } LogotypeImageResolution; 311 312 typedef struct { 313 ASN1_INTEGER *type; /* LogotypeImageType ::= INTEGER */ 314 ASN1_INTEGER *fileSize; 315 ASN1_INTEGER *xSize; 316 ASN1_INTEGER *ySize; 317 LogotypeImageResolution *resolution; 318 ASN1_IA5STRING *language; 319 } LogotypeImageInfo; 320 321 typedef struct { 322 LogotypeDetails *imageDetails; 323 LogotypeImageInfo *imageInfo; 324 } LogotypeImage; 325 326 typedef struct { 327 ASN1_INTEGER *fileSize; 328 ASN1_INTEGER *playTime; 329 ASN1_INTEGER *channels; 330 ASN1_INTEGER *sampleRate; 331 ASN1_IA5STRING *language; 332 } LogotypeAudioInfo; 333 334 typedef struct { 335 LogotypeDetails *audioDetails; 336 LogotypeAudioInfo *audioInfo; 337 } LogotypeAudio; 338 339 typedef struct { 340 STACK_OF(LogotypeImage) *image; 341 STACK_OF(LogotypeAudio) *audio; 342 } LogotypeData; 343 344 typedef struct { 345 int type; 346 union { 347 LogotypeData *direct; 348 LogotypeReference *indirect; 349 } d; 350 } LogotypeInfo; 351 352 typedef struct { 353 ASN1_OBJECT *logotypeType; 354 LogotypeInfo *info; 355 } OtherLogotypeInfo; 356 357 typedef struct { 358 STACK_OF(LogotypeInfo) *communityLogos; 359 LogotypeInfo *issuerLogo; 360 LogotypeInfo *subjectLogo; 361 STACK_OF(OtherLogotypeInfo) *otherLogos; 362 } LogotypeExtn; 363 364 ASN1_SEQUENCE(HashAlgAndValue) = { 365 ASN1_SIMPLE(HashAlgAndValue, hashAlg, X509_ALGOR), 366 ASN1_SIMPLE(HashAlgAndValue, hashValue, ASN1_OCTET_STRING) 367 } ASN1_SEQUENCE_END(HashAlgAndValue); 368 369 ASN1_SEQUENCE(LogotypeReference) = { 370 ASN1_SEQUENCE_OF(LogotypeReference, refStructHash, HashAlgAndValue), 371 ASN1_SEQUENCE_OF(LogotypeReference, refStructURI, ASN1_IA5STRING) 372 } ASN1_SEQUENCE_END(LogotypeReference); 373 374 ASN1_SEQUENCE(LogotypeDetails) = { 375 ASN1_SIMPLE(LogotypeDetails, mediaType, ASN1_IA5STRING), 376 ASN1_SEQUENCE_OF(LogotypeDetails, logotypeHash, HashAlgAndValue), 377 ASN1_SEQUENCE_OF(LogotypeDetails, logotypeURI, ASN1_IA5STRING) 378 } ASN1_SEQUENCE_END(LogotypeDetails); 379 380 ASN1_CHOICE(LogotypeImageResolution) = { 381 ASN1_IMP(LogotypeImageResolution, d.numBits, ASN1_INTEGER, 1), 382 ASN1_IMP(LogotypeImageResolution, d.tableSize, ASN1_INTEGER, 2) 383 } ASN1_CHOICE_END(LogotypeImageResolution); 384 385 ASN1_SEQUENCE(LogotypeImageInfo) = { 386 ASN1_IMP_OPT(LogotypeImageInfo, type, ASN1_INTEGER, 0), 387 ASN1_SIMPLE(LogotypeImageInfo, fileSize, ASN1_INTEGER), 388 ASN1_SIMPLE(LogotypeImageInfo, xSize, ASN1_INTEGER), 389 ASN1_SIMPLE(LogotypeImageInfo, ySize, ASN1_INTEGER), 390 ASN1_OPT(LogotypeImageInfo, resolution, LogotypeImageResolution), 391 ASN1_IMP_OPT(LogotypeImageInfo, language, ASN1_IA5STRING, 4), 392 } ASN1_SEQUENCE_END(LogotypeImageInfo); 393 394 ASN1_SEQUENCE(LogotypeImage) = { 395 ASN1_SIMPLE(LogotypeImage, imageDetails, LogotypeDetails), 396 ASN1_OPT(LogotypeImage, imageInfo, LogotypeImageInfo) 397 } ASN1_SEQUENCE_END(LogotypeImage); 398 399 ASN1_SEQUENCE(LogotypeAudioInfo) = { 400 ASN1_SIMPLE(LogotypeAudioInfo, fileSize, ASN1_INTEGER), 401 ASN1_SIMPLE(LogotypeAudioInfo, playTime, ASN1_INTEGER), 402 ASN1_SIMPLE(LogotypeAudioInfo, channels, ASN1_INTEGER), 403 ASN1_IMP_OPT(LogotypeAudioInfo, sampleRate, ASN1_INTEGER, 3), 404 ASN1_IMP_OPT(LogotypeAudioInfo, language, ASN1_IA5STRING, 4) 405 } ASN1_SEQUENCE_END(LogotypeAudioInfo); 406 407 ASN1_SEQUENCE(LogotypeAudio) = { 408 ASN1_SIMPLE(LogotypeAudio, audioDetails, LogotypeDetails), 409 ASN1_OPT(LogotypeAudio, audioInfo, LogotypeAudioInfo) 410 } ASN1_SEQUENCE_END(LogotypeAudio); 411 412 ASN1_SEQUENCE(LogotypeData) = { 413 ASN1_SEQUENCE_OF_OPT(LogotypeData, image, LogotypeImage), 414 ASN1_IMP_SEQUENCE_OF_OPT(LogotypeData, audio, LogotypeAudio, 1) 415 } ASN1_SEQUENCE_END(LogotypeData); 416 417 ASN1_CHOICE(LogotypeInfo) = { 418 ASN1_IMP(LogotypeInfo, d.direct, LogotypeData, 0), 419 ASN1_IMP(LogotypeInfo, d.indirect, LogotypeReference, 1) 420 } ASN1_CHOICE_END(LogotypeInfo); 421 422 ASN1_SEQUENCE(OtherLogotypeInfo) = { 423 ASN1_SIMPLE(OtherLogotypeInfo, logotypeType, ASN1_OBJECT), 424 ASN1_SIMPLE(OtherLogotypeInfo, info, LogotypeInfo) 425 } ASN1_SEQUENCE_END(OtherLogotypeInfo); 426 427 ASN1_SEQUENCE(LogotypeExtn) = { 428 ASN1_EXP_SEQUENCE_OF_OPT(LogotypeExtn, communityLogos, LogotypeInfo, 0), 429 ASN1_EXP_OPT(LogotypeExtn, issuerLogo, LogotypeInfo, 1), 430 ASN1_EXP_OPT(LogotypeExtn, issuerLogo, LogotypeInfo, 2), 431 ASN1_EXP_SEQUENCE_OF_OPT(LogotypeExtn, otherLogos, OtherLogotypeInfo, 3) 432 } ASN1_SEQUENCE_END(LogotypeExtn); 433 434 IMPLEMENT_ASN1_FUNCTIONS(LogotypeExtn); 435 436 #if OPENSSL_VERSION_NUMBER < 0x10100000L 437 #define sk_LogotypeInfo_num(st) SKM_sk_num(LogotypeInfo, (st)) 438 #define sk_LogotypeInfo_value(st, i) SKM_sk_value(LogotypeInfo, (st), (i)) 439 #define sk_LogotypeImage_num(st) SKM_sk_num(LogotypeImage, (st)) 440 #define sk_LogotypeImage_value(st, i) SKM_sk_value(LogotypeImage, (st), (i)) 441 #define sk_LogotypeAudio_num(st) SKM_sk_num(LogotypeAudio, (st)) 442 #define sk_LogotypeAudio_value(st, i) SKM_sk_value(LogotypeAudio, (st), (i)) 443 #define sk_HashAlgAndValue_num(st) SKM_sk_num(HashAlgAndValue, (st)) 444 #define sk_HashAlgAndValue_value(st, i) SKM_sk_value(HashAlgAndValue, (st), (i)) 445 #define sk_ASN1_IA5STRING_num(st) SKM_sk_num(ASN1_IA5STRING, (st)) 446 #define sk_ASN1_IA5STRING_value(st, i) SKM_sk_value(ASN1_IA5STRING, (st), (i)) 447 #else 448 DEFINE_STACK_OF(LogotypeInfo) 449 DEFINE_STACK_OF(LogotypeImage) 450 DEFINE_STACK_OF(LogotypeAudio) 451 DEFINE_STACK_OF(HashAlgAndValue) 452 DEFINE_STACK_OF(ASN1_IA5STRING) 453 #endif 454 455 456 static void add_logo(struct http_ctx *ctx, struct http_cert *hcert, 457 HashAlgAndValue *hash, ASN1_IA5STRING *uri) 458 { 459 char txt[100]; 460 int res, len; 461 struct http_logo *n; 462 463 if (hash == NULL || uri == NULL) 464 return; 465 466 res = OBJ_obj2txt(txt, sizeof(txt), hash->hashAlg->algorithm, 1); 467 if (res < 0 || res >= (int) sizeof(txt)) 468 return; 469 470 n = os_realloc_array(hcert->logo, hcert->num_logo + 1, 471 sizeof(struct http_logo)); 472 if (n == NULL) 473 return; 474 hcert->logo = n; 475 n = &hcert->logo[hcert->num_logo]; 476 os_memset(n, 0, sizeof(*n)); 477 478 n->alg_oid = os_strdup(txt); 479 if (n->alg_oid == NULL) 480 return; 481 482 n->hash_len = ASN1_STRING_length(hash->hashValue); 483 n->hash = os_memdup(ASN1_STRING_get0_data(hash->hashValue), 484 n->hash_len); 485 if (n->hash == NULL) { 486 os_free(n->alg_oid); 487 return; 488 } 489 490 len = ASN1_STRING_length(uri); 491 n->uri = os_malloc(len + 1); 492 if (n->uri == NULL) { 493 os_free(n->alg_oid); 494 os_free(n->hash); 495 return; 496 } 497 os_memcpy(n->uri, ASN1_STRING_get0_data(uri), len); 498 n->uri[len] = '\0'; 499 500 hcert->num_logo++; 501 } 502 503 504 static void add_logo_direct(struct http_ctx *ctx, struct http_cert *hcert, 505 LogotypeData *data) 506 { 507 int i, num; 508 509 if (data->image == NULL) 510 return; 511 512 num = sk_LogotypeImage_num(data->image); 513 for (i = 0; i < num; i++) { 514 LogotypeImage *image; 515 LogotypeDetails *details; 516 int j, hash_num, uri_num; 517 HashAlgAndValue *found_hash = NULL; 518 519 image = sk_LogotypeImage_value(data->image, i); 520 if (image == NULL) 521 continue; 522 523 details = image->imageDetails; 524 if (details == NULL) 525 continue; 526 527 hash_num = sk_HashAlgAndValue_num(details->logotypeHash); 528 for (j = 0; j < hash_num; j++) { 529 HashAlgAndValue *hash; 530 char txt[100]; 531 int res; 532 hash = sk_HashAlgAndValue_value(details->logotypeHash, 533 j); 534 if (hash == NULL) 535 continue; 536 res = OBJ_obj2txt(txt, sizeof(txt), 537 hash->hashAlg->algorithm, 1); 538 if (res < 0 || res >= (int) sizeof(txt)) 539 continue; 540 if (os_strcmp(txt, "2.16.840.1.101.3.4.2.1") == 0) { 541 found_hash = hash; 542 break; 543 } 544 } 545 546 if (!found_hash) { 547 wpa_printf(MSG_DEBUG, "OpenSSL: No SHA256 hash found for the logo"); 548 continue; 549 } 550 551 uri_num = sk_ASN1_IA5STRING_num(details->logotypeURI); 552 for (j = 0; j < uri_num; j++) { 553 ASN1_IA5STRING *uri; 554 uri = sk_ASN1_IA5STRING_value(details->logotypeURI, j); 555 add_logo(ctx, hcert, found_hash, uri); 556 } 557 } 558 } 559 560 561 static void add_logo_indirect(struct http_ctx *ctx, struct http_cert *hcert, 562 LogotypeReference *ref) 563 { 564 int j, hash_num, uri_num; 565 566 hash_num = sk_HashAlgAndValue_num(ref->refStructHash); 567 uri_num = sk_ASN1_IA5STRING_num(ref->refStructURI); 568 if (hash_num != uri_num) { 569 wpa_printf(MSG_INFO, "Unexpected LogotypeReference array size difference %d != %d", 570 hash_num, uri_num); 571 return; 572 } 573 574 for (j = 0; j < hash_num; j++) { 575 HashAlgAndValue *hash; 576 ASN1_IA5STRING *uri; 577 hash = sk_HashAlgAndValue_value(ref->refStructHash, j); 578 uri = sk_ASN1_IA5STRING_value(ref->refStructURI, j); 579 add_logo(ctx, hcert, hash, uri); 580 } 581 } 582 583 584 static void i2r_HashAlgAndValue(HashAlgAndValue *hash, BIO *out, int indent) 585 { 586 int i; 587 const unsigned char *data; 588 589 BIO_printf(out, "%*shashAlg: ", indent, ""); 590 i2a_ASN1_OBJECT(out, hash->hashAlg->algorithm); 591 BIO_printf(out, "\n"); 592 593 BIO_printf(out, "%*shashValue: ", indent, ""); 594 data = hash->hashValue->data; 595 for (i = 0; i < hash->hashValue->length; i++) 596 BIO_printf(out, "%s%02x", i > 0 ? ":" : "", data[i]); 597 BIO_printf(out, "\n"); 598 } 599 600 static void i2r_LogotypeDetails(LogotypeDetails *details, BIO *out, int indent) 601 { 602 int i, num; 603 604 BIO_printf(out, "%*sLogotypeDetails\n", indent, ""); 605 if (details->mediaType) { 606 BIO_printf(out, "%*smediaType: ", indent, ""); 607 ASN1_STRING_print(out, details->mediaType); 608 BIO_printf(out, "\n"); 609 } 610 611 num = details->logotypeHash ? 612 sk_HashAlgAndValue_num(details->logotypeHash) : 0; 613 for (i = 0; i < num; i++) { 614 HashAlgAndValue *hash; 615 hash = sk_HashAlgAndValue_value(details->logotypeHash, i); 616 i2r_HashAlgAndValue(hash, out, indent); 617 } 618 619 num = details->logotypeURI ? 620 sk_ASN1_IA5STRING_num(details->logotypeURI) : 0; 621 for (i = 0; i < num; i++) { 622 ASN1_IA5STRING *uri; 623 uri = sk_ASN1_IA5STRING_value(details->logotypeURI, i); 624 BIO_printf(out, "%*slogotypeURI: ", indent, ""); 625 ASN1_STRING_print(out, uri); 626 BIO_printf(out, "\n"); 627 } 628 } 629 630 static void i2r_LogotypeImageInfo(LogotypeImageInfo *info, BIO *out, int indent) 631 { 632 long val; 633 634 BIO_printf(out, "%*sLogotypeImageInfo\n", indent, ""); 635 if (info->type) { 636 val = ASN1_INTEGER_get(info->type); 637 BIO_printf(out, "%*stype: %ld\n", indent, "", val); 638 } else { 639 BIO_printf(out, "%*stype: default (1)\n", indent, ""); 640 } 641 val = ASN1_INTEGER_get(info->fileSize); 642 BIO_printf(out, "%*sfileSize: %ld\n", indent, "", val); 643 val = ASN1_INTEGER_get(info->xSize); 644 BIO_printf(out, "%*sxSize: %ld\n", indent, "", val); 645 val = ASN1_INTEGER_get(info->ySize); 646 BIO_printf(out, "%*sySize: %ld\n", indent, "", val); 647 if (info->resolution) { 648 BIO_printf(out, "%*sresolution [%d]\n", indent, "", 649 info->resolution->type); 650 switch (info->resolution->type) { 651 case 0: 652 val = ASN1_INTEGER_get(info->resolution->d.numBits); 653 BIO_printf(out, "%*snumBits: %ld\n", indent, "", val); 654 break; 655 case 1: 656 val = ASN1_INTEGER_get(info->resolution->d.tableSize); 657 BIO_printf(out, "%*stableSize: %ld\n", indent, "", val); 658 break; 659 } 660 } 661 if (info->language) { 662 BIO_printf(out, "%*slanguage: ", indent, ""); 663 ASN1_STRING_print(out, info->language); 664 BIO_printf(out, "\n"); 665 } 666 } 667 668 static void i2r_LogotypeImage(LogotypeImage *image, BIO *out, int indent) 669 { 670 BIO_printf(out, "%*sLogotypeImage\n", indent, ""); 671 if (image->imageDetails) { 672 i2r_LogotypeDetails(image->imageDetails, out, indent + 4); 673 } 674 if (image->imageInfo) { 675 i2r_LogotypeImageInfo(image->imageInfo, out, indent + 4); 676 } 677 } 678 679 static void i2r_LogotypeData(LogotypeData *data, const char *title, BIO *out, 680 int indent) 681 { 682 int i, num; 683 684 BIO_printf(out, "%*s%s - LogotypeData\n", indent, "", title); 685 686 num = data->image ? sk_LogotypeImage_num(data->image) : 0; 687 for (i = 0; i < num; i++) { 688 LogotypeImage *image = sk_LogotypeImage_value(data->image, i); 689 i2r_LogotypeImage(image, out, indent + 4); 690 } 691 692 num = data->audio ? sk_LogotypeAudio_num(data->audio) : 0; 693 for (i = 0; i < num; i++) { 694 BIO_printf(out, "%*saudio: TODO\n", indent, ""); 695 } 696 } 697 698 static void i2r_LogotypeReference(LogotypeReference *ref, const char *title, 699 BIO *out, int indent) 700 { 701 int i, hash_num, uri_num; 702 703 BIO_printf(out, "%*s%s - LogotypeReference\n", indent, "", title); 704 705 hash_num = ref->refStructHash ? 706 sk_HashAlgAndValue_num(ref->refStructHash) : 0; 707 uri_num = ref->refStructURI ? 708 sk_ASN1_IA5STRING_num(ref->refStructURI) : 0; 709 if (hash_num != uri_num) { 710 BIO_printf(out, "%*sUnexpected LogotypeReference array size difference %d != %d\n", 711 indent, "", hash_num, uri_num); 712 return; 713 } 714 715 for (i = 0; i < hash_num; i++) { 716 HashAlgAndValue *hash; 717 ASN1_IA5STRING *uri; 718 719 hash = sk_HashAlgAndValue_value(ref->refStructHash, i); 720 i2r_HashAlgAndValue(hash, out, indent); 721 722 uri = sk_ASN1_IA5STRING_value(ref->refStructURI, i); 723 BIO_printf(out, "%*srefStructURI: ", indent, ""); 724 ASN1_STRING_print(out, uri); 725 BIO_printf(out, "\n"); 726 } 727 } 728 729 static void i2r_LogotypeInfo(LogotypeInfo *info, const char *title, BIO *out, 730 int indent) 731 { 732 switch (info->type) { 733 case 0: 734 i2r_LogotypeData(info->d.direct, title, out, indent); 735 break; 736 case 1: 737 i2r_LogotypeReference(info->d.indirect, title, out, indent); 738 break; 739 } 740 } 741 742 static void debug_print_logotypeext(LogotypeExtn *logo) 743 { 744 BIO *out; 745 int i, num; 746 int indent = 0; 747 748 out = BIO_new_fp(stdout, BIO_NOCLOSE); 749 if (out == NULL) 750 return; 751 752 if (logo->communityLogos) { 753 num = sk_LogotypeInfo_num(logo->communityLogos); 754 for (i = 0; i < num; i++) { 755 LogotypeInfo *info; 756 info = sk_LogotypeInfo_value(logo->communityLogos, i); 757 i2r_LogotypeInfo(info, "communityLogo", out, indent); 758 } 759 } 760 761 if (logo->issuerLogo) { 762 i2r_LogotypeInfo(logo->issuerLogo, "issuerLogo", out, indent ); 763 } 764 765 if (logo->subjectLogo) { 766 i2r_LogotypeInfo(logo->subjectLogo, "subjectLogo", out, indent); 767 } 768 769 if (logo->otherLogos) { 770 BIO_printf(out, "%*sotherLogos - TODO\n", indent, ""); 771 } 772 773 BIO_free(out); 774 } 775 776 777 static void add_logotype_ext(struct http_ctx *ctx, struct http_cert *hcert, 778 X509 *cert) 779 { 780 ASN1_OBJECT *obj; 781 int pos; 782 X509_EXTENSION *ext; 783 ASN1_OCTET_STRING *os; 784 LogotypeExtn *logo; 785 const unsigned char *data; 786 int i, num; 787 788 obj = OBJ_txt2obj("1.3.6.1.5.5.7.1.12", 0); 789 if (obj == NULL) 790 return; 791 792 pos = X509_get_ext_by_OBJ(cert, obj, -1); 793 if (pos < 0) { 794 wpa_printf(MSG_INFO, "No logotype extension included"); 795 return; 796 } 797 798 wpa_printf(MSG_INFO, "Parsing logotype extension"); 799 ext = X509_get_ext(cert, pos); 800 if (!ext) { 801 wpa_printf(MSG_INFO, "Could not get logotype extension"); 802 return; 803 } 804 805 os = X509_EXTENSION_get_data(ext); 806 if (os == NULL) { 807 wpa_printf(MSG_INFO, "Could not get logotype extension data"); 808 return; 809 } 810 811 wpa_hexdump(MSG_DEBUG, "logotypeExtn", 812 ASN1_STRING_get0_data(os), ASN1_STRING_length(os)); 813 814 data = ASN1_STRING_get0_data(os); 815 logo = d2i_LogotypeExtn(NULL, &data, ASN1_STRING_length(os)); 816 if (logo == NULL) { 817 wpa_printf(MSG_INFO, "Failed to parse logotypeExtn"); 818 return; 819 } 820 821 if (wpa_debug_level < MSG_INFO) 822 debug_print_logotypeext(logo); 823 824 if (!logo->communityLogos) { 825 wpa_printf(MSG_INFO, "No communityLogos included"); 826 LogotypeExtn_free(logo); 827 return; 828 } 829 830 num = sk_LogotypeInfo_num(logo->communityLogos); 831 for (i = 0; i < num; i++) { 832 LogotypeInfo *info; 833 info = sk_LogotypeInfo_value(logo->communityLogos, i); 834 switch (info->type) { 835 case 0: 836 add_logo_direct(ctx, hcert, info->d.direct); 837 break; 838 case 1: 839 add_logo_indirect(ctx, hcert, info->d.indirect); 840 break; 841 } 842 } 843 844 LogotypeExtn_free(logo); 845 } 846 847 848 static void parse_cert(struct http_ctx *ctx, struct http_cert *hcert, 849 X509 *cert, GENERAL_NAMES **names) 850 { 851 os_memset(hcert, 0, sizeof(*hcert)); 852 hcert->url = ctx->url ? ctx->url : ctx->svc_address; 853 854 *names = X509_get_ext_d2i(cert, NID_subject_alt_name, NULL, NULL); 855 if (*names) 856 add_alt_names(ctx, hcert, *names); 857 858 add_logotype_ext(ctx, hcert, cert); 859 } 860 861 862 static void parse_cert_free(struct http_cert *hcert, GENERAL_NAMES *names) 863 { 864 unsigned int i; 865 866 for (i = 0; i < hcert->num_dnsname; i++) 867 OPENSSL_free(hcert->dnsname[i]); 868 os_free(hcert->dnsname); 869 870 for (i = 0; i < hcert->num_othername; i++) 871 os_free(hcert->othername[i].oid); 872 os_free(hcert->othername); 873 874 for (i = 0; i < hcert->num_logo; i++) { 875 os_free(hcert->logo[i].alg_oid); 876 os_free(hcert->logo[i].hash); 877 os_free(hcert->logo[i].uri); 878 } 879 os_free(hcert->logo); 880 881 sk_GENERAL_NAME_pop_free(names, GENERAL_NAME_free); 882 } 883 884 885 static int validate_server_cert(struct http_ctx *ctx, X509 *cert) 886 { 887 GENERAL_NAMES *names; 888 struct http_cert hcert; 889 int ret; 890 891 if (ctx->cert_cb == NULL) { 892 wpa_printf(MSG_DEBUG, "%s: no cert_cb configured", __func__); 893 return 0; 894 } 895 896 if (0) { 897 BIO *out; 898 out = BIO_new_fp(stdout, BIO_NOCLOSE); 899 X509_print_ex(out, cert, XN_FLAG_COMPAT, X509_FLAG_COMPAT); 900 BIO_free(out); 901 } 902 903 parse_cert(ctx, &hcert, cert, &names); 904 ret = ctx->cert_cb(ctx->cert_cb_ctx, &hcert); 905 parse_cert_free(&hcert, names); 906 907 return ret; 908 } 909 910 911 void http_parse_x509_certificate(struct http_ctx *ctx, const char *fname) 912 { 913 BIO *in, *out; 914 X509 *cert; 915 GENERAL_NAMES *names; 916 struct http_cert hcert; 917 unsigned int i; 918 919 in = BIO_new_file(fname, "r"); 920 if (in == NULL) { 921 wpa_printf(MSG_ERROR, "Could not read '%s'", fname); 922 return; 923 } 924 925 cert = d2i_X509_bio(in, NULL); 926 BIO_free(in); 927 928 if (cert == NULL) { 929 wpa_printf(MSG_ERROR, "Could not parse certificate"); 930 return; 931 } 932 933 out = BIO_new_fp(stdout, BIO_NOCLOSE); 934 if (out) { 935 X509_print_ex(out, cert, XN_FLAG_COMPAT, 936 X509_FLAG_COMPAT); 937 BIO_free(out); 938 } 939 940 wpa_printf(MSG_INFO, "Additional parsing information:"); 941 parse_cert(ctx, &hcert, cert, &names); 942 for (i = 0; i < hcert.num_othername; i++) { 943 if (os_strcmp(hcert.othername[i].oid, 944 "1.3.6.1.4.1.40808.1.1.1") == 0) { 945 char *name = os_zalloc(hcert.othername[i].len + 1); 946 if (name) { 947 os_memcpy(name, hcert.othername[i].data, 948 hcert.othername[i].len); 949 wpa_printf(MSG_INFO, 950 "id-wfa-hotspot-friendlyName: %s", 951 name); 952 os_free(name); 953 } 954 wpa_hexdump_ascii(MSG_INFO, 955 "id-wfa-hotspot-friendlyName", 956 hcert.othername[i].data, 957 hcert.othername[i].len); 958 } else { 959 wpa_printf(MSG_INFO, "subjAltName[othername]: oid=%s", 960 hcert.othername[i].oid); 961 wpa_hexdump_ascii(MSG_INFO, "unknown othername", 962 hcert.othername[i].data, 963 hcert.othername[i].len); 964 } 965 } 966 parse_cert_free(&hcert, names); 967 968 X509_free(cert); 969 } 970 971 972 static int curl_cb_ssl_verify(int preverify_ok, X509_STORE_CTX *x509_ctx) 973 { 974 struct http_ctx *ctx; 975 X509 *cert; 976 int err, depth; 977 char buf[256]; 978 X509_NAME *name; 979 const char *err_str; 980 SSL *ssl; 981 SSL_CTX *ssl_ctx; 982 983 ssl = X509_STORE_CTX_get_ex_data(x509_ctx, 984 SSL_get_ex_data_X509_STORE_CTX_idx()); 985 ssl_ctx = SSL_get_SSL_CTX(ssl); 986 ctx = SSL_CTX_get_app_data(ssl_ctx); 987 988 wpa_printf(MSG_DEBUG, "curl_cb_ssl_verify, preverify_ok: %d", 989 preverify_ok); 990 991 err = X509_STORE_CTX_get_error(x509_ctx); 992 err_str = X509_verify_cert_error_string(err); 993 depth = X509_STORE_CTX_get_error_depth(x509_ctx); 994 cert = X509_STORE_CTX_get_current_cert(x509_ctx); 995 if (!cert) { 996 wpa_printf(MSG_INFO, "No server certificate available"); 997 ctx->last_err = "No server certificate available"; 998 return 0; 999 } 1000 1001 if (depth == 0) 1002 ctx->peer_cert = cert; 1003 else if (depth == 1) 1004 ctx->peer_issuer = cert; 1005 else if (depth == 2) 1006 ctx->peer_issuer_issuer = cert; 1007 1008 name = X509_get_subject_name(cert); 1009 X509_NAME_oneline(name, buf, sizeof(buf)); 1010 wpa_printf(MSG_INFO, "Server certificate chain - depth=%d err=%d (%s) subject=%s", 1011 depth, err, err_str, buf); 1012 debug_dump_cert("Server certificate chain - certificate", cert); 1013 1014 if (depth == 0 && preverify_ok && validate_server_cert(ctx, cert) < 0) 1015 return 0; 1016 1017 #ifdef OPENSSL_IS_BORINGSSL 1018 if (depth == 0 && ctx->ocsp != NO_OCSP && preverify_ok) { 1019 enum ocsp_result res; 1020 1021 res = check_ocsp_resp(ssl_ctx, ssl, cert, ctx->peer_issuer, 1022 ctx->peer_issuer_issuer); 1023 if (res == OCSP_REVOKED) { 1024 preverify_ok = 0; 1025 wpa_printf(MSG_INFO, "OCSP: certificate revoked"); 1026 if (err == X509_V_OK) 1027 X509_STORE_CTX_set_error( 1028 x509_ctx, X509_V_ERR_CERT_REVOKED); 1029 } else if (res != OCSP_GOOD && (ctx->ocsp == MANDATORY_OCSP)) { 1030 preverify_ok = 0; 1031 wpa_printf(MSG_INFO, 1032 "OCSP: bad certificate status response"); 1033 } 1034 } 1035 #endif /* OPENSSL_IS_BORINGSSL */ 1036 1037 if (!preverify_ok) 1038 ctx->last_err = "TLS validation failed"; 1039 1040 return preverify_ok; 1041 } 1042 1043 1044 #ifdef HAVE_OCSP 1045 1046 static void ocsp_debug_print_resp(OCSP_RESPONSE *rsp) 1047 { 1048 BIO *out; 1049 size_t rlen; 1050 char *txt; 1051 int res; 1052 1053 out = BIO_new(BIO_s_mem()); 1054 if (!out) 1055 return; 1056 1057 OCSP_RESPONSE_print(out, rsp, 0); 1058 rlen = BIO_ctrl_pending(out); 1059 txt = os_malloc(rlen + 1); 1060 if (!txt) { 1061 BIO_free(out); 1062 return; 1063 } 1064 1065 res = BIO_read(out, txt, rlen); 1066 if (res > 0) { 1067 txt[res] = '\0'; 1068 wpa_printf(MSG_MSGDUMP, "OpenSSL: OCSP Response\n%s", txt); 1069 } 1070 os_free(txt); 1071 BIO_free(out); 1072 } 1073 1074 1075 static void tls_show_errors(const char *func, const char *txt) 1076 { 1077 unsigned long err; 1078 1079 wpa_printf(MSG_DEBUG, "OpenSSL: %s - %s %s", 1080 func, txt, ERR_error_string(ERR_get_error(), NULL)); 1081 1082 while ((err = ERR_get_error())) { 1083 wpa_printf(MSG_DEBUG, "OpenSSL: pending error: %s", 1084 ERR_error_string(err, NULL)); 1085 } 1086 } 1087 1088 1089 static int ocsp_resp_cb(SSL *s, void *arg) 1090 { 1091 struct http_ctx *ctx = arg; 1092 const unsigned char *p; 1093 int len, status, reason, res; 1094 OCSP_RESPONSE *rsp; 1095 OCSP_BASICRESP *basic; 1096 OCSP_CERTID *id; 1097 ASN1_GENERALIZEDTIME *produced_at, *this_update, *next_update; 1098 X509_STORE *store; 1099 STACK_OF(X509) *certs = NULL; 1100 1101 len = SSL_get_tlsext_status_ocsp_resp(s, &p); 1102 if (!p) { 1103 wpa_printf(MSG_DEBUG, "OpenSSL: No OCSP response received"); 1104 if (ctx->ocsp == MANDATORY_OCSP) 1105 ctx->last_err = "No OCSP response received"; 1106 return (ctx->ocsp == MANDATORY_OCSP) ? 0 : 1; 1107 } 1108 1109 wpa_hexdump(MSG_DEBUG, "OpenSSL: OCSP response", p, len); 1110 1111 rsp = d2i_OCSP_RESPONSE(NULL, &p, len); 1112 if (!rsp) { 1113 wpa_printf(MSG_INFO, "OpenSSL: Failed to parse OCSP response"); 1114 ctx->last_err = "Failed to parse OCSP response"; 1115 return 0; 1116 } 1117 1118 ocsp_debug_print_resp(rsp); 1119 1120 status = OCSP_response_status(rsp); 1121 if (status != OCSP_RESPONSE_STATUS_SUCCESSFUL) { 1122 wpa_printf(MSG_INFO, "OpenSSL: OCSP responder error %d (%s)", 1123 status, OCSP_response_status_str(status)); 1124 ctx->last_err = "OCSP responder error"; 1125 return 0; 1126 } 1127 1128 basic = OCSP_response_get1_basic(rsp); 1129 if (!basic) { 1130 wpa_printf(MSG_INFO, "OpenSSL: Could not find BasicOCSPResponse"); 1131 ctx->last_err = "Could not find BasicOCSPResponse"; 1132 return 0; 1133 } 1134 1135 store = SSL_CTX_get_cert_store(SSL_get_SSL_CTX(s)); 1136 if (ctx->peer_issuer) { 1137 wpa_printf(MSG_DEBUG, "OpenSSL: Add issuer"); 1138 debug_dump_cert("OpenSSL: Issuer certificate", 1139 ctx->peer_issuer); 1140 1141 if (X509_STORE_add_cert(store, ctx->peer_issuer) != 1) { 1142 tls_show_errors(__func__, 1143 "OpenSSL: Could not add issuer to certificate store"); 1144 } 1145 certs = sk_X509_new_null(); 1146 if (certs) { 1147 X509 *cert; 1148 cert = X509_dup(ctx->peer_issuer); 1149 if (cert && !sk_X509_push(certs, cert)) { 1150 tls_show_errors( 1151 __func__, 1152 "OpenSSL: Could not add issuer to OCSP responder trust store"); 1153 X509_free(cert); 1154 sk_X509_free(certs); 1155 certs = NULL; 1156 } 1157 if (certs && ctx->peer_issuer_issuer) { 1158 cert = X509_dup(ctx->peer_issuer_issuer); 1159 if (cert && !sk_X509_push(certs, cert)) { 1160 tls_show_errors( 1161 __func__, 1162 "OpenSSL: Could not add issuer's issuer to OCSP responder trust store"); 1163 X509_free(cert); 1164 } 1165 } 1166 } 1167 } 1168 1169 status = OCSP_basic_verify(basic, certs, store, OCSP_TRUSTOTHER); 1170 sk_X509_pop_free(certs, X509_free); 1171 if (status <= 0) { 1172 tls_show_errors(__func__, 1173 "OpenSSL: OCSP response failed verification"); 1174 OCSP_BASICRESP_free(basic); 1175 OCSP_RESPONSE_free(rsp); 1176 ctx->last_err = "OCSP response failed verification"; 1177 return 0; 1178 } 1179 1180 wpa_printf(MSG_DEBUG, "OpenSSL: OCSP response verification succeeded"); 1181 1182 if (!ctx->peer_cert) { 1183 wpa_printf(MSG_DEBUG, "OpenSSL: Peer certificate not available for OCSP status check"); 1184 OCSP_BASICRESP_free(basic); 1185 OCSP_RESPONSE_free(rsp); 1186 ctx->last_err = "Peer certificate not available for OCSP status check"; 1187 return 0; 1188 } 1189 1190 if (!ctx->peer_issuer) { 1191 wpa_printf(MSG_DEBUG, "OpenSSL: Peer issuer certificate not available for OCSP status check"); 1192 OCSP_BASICRESP_free(basic); 1193 OCSP_RESPONSE_free(rsp); 1194 ctx->last_err = "Peer issuer certificate not available for OCSP status check"; 1195 return 0; 1196 } 1197 1198 id = OCSP_cert_to_id(EVP_sha256(), ctx->peer_cert, ctx->peer_issuer); 1199 if (!id) { 1200 wpa_printf(MSG_DEBUG, 1201 "OpenSSL: Could not create OCSP certificate identifier (SHA256)"); 1202 OCSP_BASICRESP_free(basic); 1203 OCSP_RESPONSE_free(rsp); 1204 ctx->last_err = "Could not create OCSP certificate identifier"; 1205 return 0; 1206 } 1207 1208 res = OCSP_resp_find_status(basic, id, &status, &reason, &produced_at, 1209 &this_update, &next_update); 1210 if (!res) { 1211 id = OCSP_cert_to_id(NULL, ctx->peer_cert, ctx->peer_issuer); 1212 if (!id) { 1213 wpa_printf(MSG_DEBUG, 1214 "OpenSSL: Could not create OCSP certificate identifier (SHA1)"); 1215 OCSP_BASICRESP_free(basic); 1216 OCSP_RESPONSE_free(rsp); 1217 ctx->last_err = 1218 "Could not create OCSP certificate identifier"; 1219 return 0; 1220 } 1221 1222 res = OCSP_resp_find_status(basic, id, &status, &reason, 1223 &produced_at, &this_update, 1224 &next_update); 1225 } 1226 1227 if (!res) { 1228 wpa_printf(MSG_INFO, "OpenSSL: Could not find current server certificate from OCSP response%s", 1229 (ctx->ocsp == MANDATORY_OCSP) ? "" : 1230 " (OCSP not required)"); 1231 OCSP_CERTID_free(id); 1232 OCSP_BASICRESP_free(basic); 1233 OCSP_RESPONSE_free(rsp); 1234 if (ctx->ocsp == MANDATORY_OCSP) 1235 1236 ctx->last_err = "Could not find current server certificate from OCSP response"; 1237 return (ctx->ocsp == MANDATORY_OCSP) ? 0 : 1; 1238 } 1239 OCSP_CERTID_free(id); 1240 1241 if (!OCSP_check_validity(this_update, next_update, 5 * 60, -1)) { 1242 tls_show_errors(__func__, "OpenSSL: OCSP status times invalid"); 1243 OCSP_BASICRESP_free(basic); 1244 OCSP_RESPONSE_free(rsp); 1245 ctx->last_err = "OCSP status times invalid"; 1246 return 0; 1247 } 1248 1249 OCSP_BASICRESP_free(basic); 1250 OCSP_RESPONSE_free(rsp); 1251 1252 wpa_printf(MSG_DEBUG, "OpenSSL: OCSP status for server certificate: %s", 1253 OCSP_cert_status_str(status)); 1254 1255 if (status == V_OCSP_CERTSTATUS_GOOD) 1256 return 1; 1257 if (status == V_OCSP_CERTSTATUS_REVOKED) { 1258 ctx->last_err = "Server certificate has been revoked"; 1259 return 0; 1260 } 1261 if (ctx->ocsp == MANDATORY_OCSP) { 1262 wpa_printf(MSG_DEBUG, "OpenSSL: OCSP status unknown, but OCSP required"); 1263 ctx->last_err = "OCSP status unknown"; 1264 return 0; 1265 } 1266 wpa_printf(MSG_DEBUG, "OpenSSL: OCSP status unknown, but OCSP was not required, so allow connection to continue"); 1267 return 1; 1268 } 1269 1270 1271 #if OPENSSL_VERSION_NUMBER < 0x10100000L 1272 static SSL_METHOD patch_ssl_method; 1273 static const SSL_METHOD *real_ssl_method; 1274 1275 static int curl_patch_ssl_new(SSL *s) 1276 { 1277 SSL_CTX *ssl = SSL_get_SSL_CTX(s); 1278 int ret; 1279 1280 ssl->method = real_ssl_method; 1281 s->method = real_ssl_method; 1282 1283 ret = s->method->ssl_new(s); 1284 SSL_set_tlsext_status_type(s, TLSEXT_STATUSTYPE_ocsp); 1285 1286 return ret; 1287 } 1288 #endif /* OpenSSL < 1.1.0 */ 1289 1290 #endif /* HAVE_OCSP */ 1291 1292 1293 static CURLcode curl_cb_ssl(CURL *curl, void *sslctx, void *parm) 1294 { 1295 struct http_ctx *ctx = parm; 1296 SSL_CTX *ssl = sslctx; 1297 1298 wpa_printf(MSG_DEBUG, "curl_cb_ssl"); 1299 SSL_CTX_set_app_data(ssl, ctx); 1300 SSL_CTX_set_verify(ssl, SSL_VERIFY_PEER, curl_cb_ssl_verify); 1301 1302 #ifdef HAVE_OCSP 1303 if (ctx->ocsp != NO_OCSP) { 1304 SSL_CTX_set_tlsext_status_cb(ssl, ocsp_resp_cb); 1305 SSL_CTX_set_tlsext_status_arg(ssl, ctx); 1306 1307 #if OPENSSL_VERSION_NUMBER < 0x10100000L 1308 /* 1309 * Use a temporary SSL_METHOD to get a callback on SSL_new() 1310 * from libcurl since there is no proper callback registration 1311 * available for this. 1312 */ 1313 os_memset(&patch_ssl_method, 0, sizeof(patch_ssl_method)); 1314 patch_ssl_method.ssl_new = curl_patch_ssl_new; 1315 real_ssl_method = ssl->method; 1316 ssl->method = &patch_ssl_method; 1317 #endif /* OpenSSL < 1.1.0 */ 1318 } 1319 #endif /* HAVE_OCSP */ 1320 1321 return CURLE_OK; 1322 } 1323 1324 #endif /* EAP_TLS_OPENSSL */ 1325 1326 1327 static CURL * setup_curl_post(struct http_ctx *ctx, const char *address, 1328 const char *ca_fname, const char *username, 1329 const char *password, const char *client_cert, 1330 const char *client_key) 1331 { 1332 CURL *curl; 1333 #ifdef EAP_TLS_OPENSSL 1334 const char *extra = " tls=openssl"; 1335 #else /* EAP_TLS_OPENSSL */ 1336 const char *extra = ""; 1337 #endif /* EAP_TLS_OPENSSL */ 1338 1339 wpa_printf(MSG_DEBUG, "Start HTTP client: address=%s ca_fname=%s " 1340 "username=%s%s", address, ca_fname, username, extra); 1341 1342 curl = curl_easy_init(); 1343 if (curl == NULL) 1344 return NULL; 1345 1346 curl_easy_setopt(curl, CURLOPT_URL, address); 1347 curl_easy_setopt(curl, CURLOPT_POST, 1L); 1348 if (ca_fname) { 1349 curl_easy_setopt(curl, CURLOPT_CAINFO, ca_fname); 1350 curl_easy_setopt(curl, CURLOPT_SSL_VERIFYPEER, 1L); 1351 #ifdef EAP_TLS_OPENSSL 1352 curl_easy_setopt(curl, CURLOPT_SSL_CTX_FUNCTION, curl_cb_ssl); 1353 curl_easy_setopt(curl, CURLOPT_SSL_CTX_DATA, ctx); 1354 #if defined(OPENSSL_IS_BORINGSSL) || (OPENSSL_VERSION_NUMBER >= 0x10100000L) 1355 /* For now, using the CURLOPT_SSL_VERIFYSTATUS option only 1356 * with BoringSSL since the OpenSSL specific callback hack to 1357 * enable OCSP is not available with BoringSSL. The OCSP 1358 * implementation within libcurl is not sufficient for the 1359 * Hotspot 2.0 OSU needs, so cannot use this with OpenSSL. 1360 */ 1361 if (ctx->ocsp != NO_OCSP) 1362 curl_easy_setopt(curl, CURLOPT_SSL_VERIFYSTATUS, 1L); 1363 #endif /* OPENSSL_IS_BORINGSSL */ 1364 #endif /* EAP_TLS_OPENSSL */ 1365 } else { 1366 curl_easy_setopt(curl, CURLOPT_SSL_VERIFYPEER, 0L); 1367 } 1368 if (client_cert && client_key) { 1369 curl_easy_setopt(curl, CURLOPT_SSLCERT, client_cert); 1370 curl_easy_setopt(curl, CURLOPT_SSLKEY, client_key); 1371 } 1372 /* TODO: use curl_easy_getinfo() with CURLINFO_CERTINFO to fetch 1373 * information about the server certificate */ 1374 curl_easy_setopt(curl, CURLOPT_CERTINFO, 1L); 1375 curl_easy_setopt(curl, CURLOPT_DEBUGFUNCTION, curl_cb_debug); 1376 curl_easy_setopt(curl, CURLOPT_DEBUGDATA, ctx); 1377 curl_easy_setopt(curl, CURLOPT_WRITEFUNCTION, curl_cb_write); 1378 curl_easy_setopt(curl, CURLOPT_WRITEDATA, ctx); 1379 curl_easy_setopt(curl, CURLOPT_VERBOSE, 1L); 1380 if (username) { 1381 curl_easy_setopt(curl, CURLOPT_HTTPAUTH, CURLAUTH_ANYSAFE); 1382 curl_easy_setopt(curl, CURLOPT_USERNAME, username); 1383 curl_easy_setopt(curl, CURLOPT_PASSWORD, password); 1384 } 1385 1386 return curl; 1387 } 1388 1389 1390 static int post_init_client(struct http_ctx *ctx, const char *address, 1391 const char *ca_fname, const char *username, 1392 const char *password, const char *client_cert, 1393 const char *client_key) 1394 { 1395 char *pos; 1396 int count; 1397 1398 clone_str(&ctx->svc_address, address); 1399 clone_str(&ctx->svc_ca_fname, ca_fname); 1400 clone_str(&ctx->svc_username, username); 1401 clone_str(&ctx->svc_password, password); 1402 clone_str(&ctx->svc_client_cert, client_cert); 1403 clone_str(&ctx->svc_client_key, client_key); 1404 1405 /* 1406 * Workaround for Apache "Hostname 'FOO' provided via SNI and hostname 1407 * 'foo' provided via HTTP are different. 1408 */ 1409 for (count = 0, pos = ctx->svc_address; count < 3 && pos && *pos; 1410 pos++) { 1411 if (*pos == '/') 1412 count++; 1413 *pos = tolower(*pos); 1414 } 1415 1416 ctx->curl = setup_curl_post(ctx, ctx->svc_address, ca_fname, username, 1417 password, client_cert, client_key); 1418 if (ctx->curl == NULL) 1419 return -1; 1420 1421 return 0; 1422 } 1423 1424 1425 int soap_init_client(struct http_ctx *ctx, const char *address, 1426 const char *ca_fname, const char *username, 1427 const char *password, const char *client_cert, 1428 const char *client_key) 1429 { 1430 if (post_init_client(ctx, address, ca_fname, username, password, 1431 client_cert, client_key) < 0) 1432 return -1; 1433 1434 ctx->curl_hdr = curl_slist_append(ctx->curl_hdr, 1435 "Content-Type: application/soap+xml"); 1436 ctx->curl_hdr = curl_slist_append(ctx->curl_hdr, "SOAPAction: "); 1437 ctx->curl_hdr = curl_slist_append(ctx->curl_hdr, "Expect:"); 1438 curl_easy_setopt(ctx->curl, CURLOPT_HTTPHEADER, ctx->curl_hdr); 1439 1440 return 0; 1441 } 1442 1443 1444 int soap_reinit_client(struct http_ctx *ctx) 1445 { 1446 char *address = NULL; 1447 char *ca_fname = NULL; 1448 char *username = NULL; 1449 char *password = NULL; 1450 char *client_cert = NULL; 1451 char *client_key = NULL; 1452 int ret; 1453 1454 clear_curl(ctx); 1455 1456 clone_str(&address, ctx->svc_address); 1457 clone_str(&ca_fname, ctx->svc_ca_fname); 1458 clone_str(&username, ctx->svc_username); 1459 clone_str(&password, ctx->svc_password); 1460 clone_str(&client_cert, ctx->svc_client_cert); 1461 clone_str(&client_key, ctx->svc_client_key); 1462 1463 ret = soap_init_client(ctx, address, ca_fname, username, password, 1464 client_cert, client_key); 1465 os_free(address); 1466 os_free(ca_fname); 1467 str_clear_free(username); 1468 str_clear_free(password); 1469 os_free(client_cert); 1470 os_free(client_key); 1471 return ret; 1472 } 1473 1474 1475 static void free_curl_buf(struct http_ctx *ctx) 1476 { 1477 os_free(ctx->curl_buf); 1478 ctx->curl_buf = NULL; 1479 ctx->curl_buf_len = 0; 1480 } 1481 1482 1483 xml_node_t * soap_send_receive(struct http_ctx *ctx, xml_node_t *node) 1484 { 1485 char *str; 1486 xml_node_t *envelope, *ret, *resp, *n; 1487 CURLcode res; 1488 long http = 0; 1489 1490 ctx->last_err = NULL; 1491 1492 wpa_printf(MSG_DEBUG, "SOAP: Sending message"); 1493 envelope = soap_build_envelope(ctx->xml, node); 1494 str = xml_node_to_str(ctx->xml, envelope); 1495 xml_node_free(ctx->xml, envelope); 1496 wpa_printf(MSG_MSGDUMP, "SOAP[%s]", str); 1497 1498 curl_easy_setopt(ctx->curl, CURLOPT_POSTFIELDS, str); 1499 free_curl_buf(ctx); 1500 1501 res = curl_easy_perform(ctx->curl); 1502 if (res != CURLE_OK) { 1503 if (!ctx->last_err) 1504 ctx->last_err = curl_easy_strerror(res); 1505 wpa_printf(MSG_ERROR, "curl_easy_perform() failed: %s", 1506 ctx->last_err); 1507 os_free(str); 1508 free_curl_buf(ctx); 1509 return NULL; 1510 } 1511 os_free(str); 1512 1513 curl_easy_getinfo(ctx->curl, CURLINFO_RESPONSE_CODE, &http); 1514 wpa_printf(MSG_DEBUG, "SOAP: Server response code %ld", http); 1515 if (http != 200) { 1516 ctx->last_err = "HTTP download failed"; 1517 wpa_printf(MSG_INFO, "HTTP download failed - code %ld", http); 1518 free_curl_buf(ctx); 1519 return NULL; 1520 } 1521 1522 if (ctx->curl_buf == NULL) 1523 return NULL; 1524 1525 wpa_printf(MSG_MSGDUMP, "Server response:\n%s", ctx->curl_buf); 1526 resp = xml_node_from_buf(ctx->xml, ctx->curl_buf); 1527 free_curl_buf(ctx); 1528 if (resp == NULL) { 1529 wpa_printf(MSG_INFO, "Could not parse SOAP response"); 1530 ctx->last_err = "Could not parse SOAP response"; 1531 return NULL; 1532 } 1533 1534 ret = soap_get_body(ctx->xml, resp); 1535 if (ret == NULL) { 1536 wpa_printf(MSG_INFO, "Could not get SOAP body"); 1537 ctx->last_err = "Could not get SOAP body"; 1538 return NULL; 1539 } 1540 1541 wpa_printf(MSG_DEBUG, "SOAP body localname: '%s'", 1542 xml_node_get_localname(ctx->xml, ret)); 1543 n = xml_node_copy(ctx->xml, ret); 1544 xml_node_free(ctx->xml, resp); 1545 1546 return n; 1547 } 1548 1549 1550 struct http_ctx * http_init_ctx(void *upper_ctx, struct xml_node_ctx *xml_ctx) 1551 { 1552 struct http_ctx *ctx; 1553 1554 ctx = os_zalloc(sizeof(*ctx)); 1555 if (ctx == NULL) 1556 return NULL; 1557 ctx->ctx = upper_ctx; 1558 ctx->xml = xml_ctx; 1559 ctx->ocsp = OPTIONAL_OCSP; 1560 1561 curl_global_init(CURL_GLOBAL_ALL); 1562 1563 return ctx; 1564 } 1565 1566 1567 void http_ocsp_set(struct http_ctx *ctx, int val) 1568 { 1569 if (val == 0) 1570 ctx->ocsp = NO_OCSP; 1571 else if (val == 1) 1572 ctx->ocsp = OPTIONAL_OCSP; 1573 if (val == 2) 1574 ctx->ocsp = MANDATORY_OCSP; 1575 } 1576 1577 1578 void http_deinit_ctx(struct http_ctx *ctx) 1579 { 1580 clear_curl(ctx); 1581 os_free(ctx->curl_buf); 1582 curl_global_cleanup(); 1583 1584 os_free(ctx->svc_address); 1585 os_free(ctx->svc_ca_fname); 1586 str_clear_free(ctx->svc_username); 1587 str_clear_free(ctx->svc_password); 1588 os_free(ctx->svc_client_cert); 1589 os_free(ctx->svc_client_key); 1590 1591 os_free(ctx); 1592 } 1593 1594 1595 int http_download_file(struct http_ctx *ctx, const char *url, 1596 const char *fname, const char *ca_fname) 1597 { 1598 CURL *curl; 1599 FILE *f = NULL; 1600 CURLcode res; 1601 long http = 0; 1602 int ret = -1; 1603 1604 ctx->last_err = NULL; 1605 ctx->url = url; 1606 1607 wpa_printf(MSG_DEBUG, "curl: Download file from %s to %s (ca=%s)", 1608 url, fname, ca_fname); 1609 curl = curl_easy_init(); 1610 if (curl == NULL) 1611 goto fail; 1612 1613 f = fopen(fname, "wb"); 1614 if (!f) 1615 goto fail; 1616 1617 curl_easy_setopt(curl, CURLOPT_URL, url); 1618 if (ca_fname) { 1619 curl_easy_setopt(curl, CURLOPT_CAINFO, ca_fname); 1620 curl_easy_setopt(curl, CURLOPT_SSL_VERIFYPEER, 1L); 1621 curl_easy_setopt(curl, CURLOPT_CERTINFO, 1L); 1622 } else { 1623 curl_easy_setopt(curl, CURLOPT_SSL_VERIFYPEER, 0L); 1624 } 1625 curl_easy_setopt(curl, CURLOPT_DEBUGFUNCTION, curl_cb_debug); 1626 curl_easy_setopt(curl, CURLOPT_DEBUGDATA, ctx); 1627 curl_easy_setopt(curl, CURLOPT_WRITEFUNCTION, fwrite); 1628 curl_easy_setopt(curl, CURLOPT_WRITEDATA, f); 1629 curl_easy_setopt(curl, CURLOPT_VERBOSE, 1L); 1630 1631 res = curl_easy_perform(curl); 1632 if (res != CURLE_OK) { 1633 if (!ctx->last_err) 1634 ctx->last_err = curl_easy_strerror(res); 1635 wpa_printf(MSG_ERROR, "curl_easy_perform() failed: %s", 1636 ctx->last_err); 1637 goto fail; 1638 } 1639 1640 curl_easy_getinfo(curl, CURLINFO_RESPONSE_CODE, &http); 1641 wpa_printf(MSG_DEBUG, "curl: Server response code %ld", http); 1642 if (http != 200) { 1643 ctx->last_err = "HTTP download failed"; 1644 wpa_printf(MSG_INFO, "HTTP download failed - code %ld", http); 1645 goto fail; 1646 } 1647 1648 ret = 0; 1649 1650 fail: 1651 ctx->url = NULL; 1652 if (curl) 1653 curl_easy_cleanup(curl); 1654 if (f) 1655 fclose(f); 1656 1657 return ret; 1658 } 1659 1660 1661 char * http_post(struct http_ctx *ctx, const char *url, const char *data, 1662 const char *content_type, const char *ext_hdr, 1663 const char *ca_fname, 1664 const char *username, const char *password, 1665 const char *client_cert, const char *client_key, 1666 size_t *resp_len) 1667 { 1668 long http = 0; 1669 CURLcode res; 1670 char *ret = NULL; 1671 CURL *curl; 1672 struct curl_slist *curl_hdr = NULL; 1673 1674 ctx->last_err = NULL; 1675 ctx->url = url; 1676 wpa_printf(MSG_DEBUG, "curl: HTTP POST to %s", url); 1677 curl = setup_curl_post(ctx, url, ca_fname, username, password, 1678 client_cert, client_key); 1679 if (curl == NULL) 1680 goto fail; 1681 1682 if (content_type) { 1683 char ct[200]; 1684 snprintf(ct, sizeof(ct), "Content-Type: %s", content_type); 1685 curl_hdr = curl_slist_append(curl_hdr, ct); 1686 } 1687 if (ext_hdr) 1688 curl_hdr = curl_slist_append(curl_hdr, ext_hdr); 1689 curl_easy_setopt(curl, CURLOPT_HTTPHEADER, curl_hdr); 1690 1691 curl_easy_setopt(curl, CURLOPT_POSTFIELDS, data); 1692 free_curl_buf(ctx); 1693 1694 res = curl_easy_perform(curl); 1695 if (res != CURLE_OK) { 1696 if (!ctx->last_err) 1697 ctx->last_err = curl_easy_strerror(res); 1698 wpa_printf(MSG_ERROR, "curl_easy_perform() failed: %s", 1699 ctx->last_err); 1700 goto fail; 1701 } 1702 1703 curl_easy_getinfo(curl, CURLINFO_RESPONSE_CODE, &http); 1704 wpa_printf(MSG_DEBUG, "curl: Server response code %ld", http); 1705 if (http != 200) { 1706 ctx->last_err = "HTTP POST failed"; 1707 wpa_printf(MSG_INFO, "HTTP POST failed - code %ld", http); 1708 goto fail; 1709 } 1710 1711 if (ctx->curl_buf == NULL) 1712 goto fail; 1713 1714 ret = ctx->curl_buf; 1715 if (resp_len) 1716 *resp_len = ctx->curl_buf_len; 1717 ctx->curl_buf = NULL; 1718 ctx->curl_buf_len = 0; 1719 1720 wpa_printf(MSG_MSGDUMP, "Server response:\n%s", ret); 1721 1722 fail: 1723 free_curl_buf(ctx); 1724 ctx->url = NULL; 1725 return ret; 1726 } 1727 1728 1729 void http_set_cert_cb(struct http_ctx *ctx, 1730 int (*cb)(void *ctx, struct http_cert *cert), 1731 void *cb_ctx) 1732 { 1733 ctx->cert_cb = cb; 1734 ctx->cert_cb_ctx = cb_ctx; 1735 } 1736 1737 1738 const char * http_get_err(struct http_ctx *ctx) 1739 { 1740 return ctx->last_err; 1741 } 1742