2 * HTTP wrapper for libcurl
3 * Copyright (c) 2012-2014, Qualcomm Atheros, Inc.
5 * This software may be distributed under the terms of the BSD license.
6 * See README for more details.
10 #include <curl/curl.h>
11 #ifdef EAP_TLS_OPENSSL
12 #include <openssl/ssl.h>
13 #include <openssl/asn1.h>
14 #include <openssl/asn1t.h>
15 #include <openssl/x509v3.h>
17 #ifdef SSL_set_tlsext_status_type
18 #ifndef OPENSSL_NO_TLSEXT
20 #include <openssl/err.h>
21 #include <openssl/ocsp.h>
22 #endif /* OPENSSL_NO_TLSEXT */
23 #endif /* SSL_set_tlsext_status_type */
24 #endif /* EAP_TLS_OPENSSL */
27 #include "xml-utils.h"
28 #include "http-utils.h"
29 #ifdef EAP_TLS_OPENSSL
30 #include "crypto/tls_openssl.h"
31 #endif /* EAP_TLS_OPENSSL */
34 #if OPENSSL_VERSION_NUMBER < 0x10100000L
35 static const unsigned char * ASN1_STRING_get0_data(const ASN1_STRING *x)
37 return ASN1_STRING_data((ASN1_STRING *) x);
39 #endif /* OpenSSL < 1.1.0 */
44 struct xml_node_ctx *xml;
46 struct curl_slist *curl_hdr;
51 char *svc_client_cert;
56 int (*cert_cb)(void *ctx, struct http_cert *cert);
60 NO_OCSP, OPTIONAL_OCSP, MANDATORY_OCSP
64 X509 *peer_issuer_issuer;
70 static void clear_curl(struct http_ctx *ctx)
73 curl_easy_cleanup(ctx->curl);
77 curl_slist_free_all(ctx->curl_hdr);
83 static void clone_str(char **dst, const char *src)
87 *dst = os_strdup(src);
93 static void debug_dump(struct http_ctx *ctx, const char *title,
94 const char *buf, size_t len)
99 for (i = 0; i < len; i++) {
100 if (buf[i] < 32 && buf[i] != '\t' && buf[i] != '\n' &&
102 wpa_hexdump_ascii(MSG_MSGDUMP, title, buf, len);
107 txt = os_malloc(len + 1);
110 os_memcpy(txt, buf, len);
114 if (txt[len] == '\n' || txt[len] == '\r')
119 wpa_printf(MSG_MSGDUMP, "%s[%s]", title, txt);
124 static int curl_cb_debug(CURL *curl, curl_infotype info, char *buf, size_t len,
127 struct http_ctx *ctx = userdata;
130 debug_dump(ctx, "CURLINFO_TEXT", buf, len);
132 case CURLINFO_HEADER_IN:
133 debug_dump(ctx, "CURLINFO_HEADER_IN", buf, len);
135 case CURLINFO_HEADER_OUT:
136 debug_dump(ctx, "CURLINFO_HEADER_OUT", buf, len);
138 case CURLINFO_DATA_IN:
139 debug_dump(ctx, "CURLINFO_DATA_IN", buf, len);
141 case CURLINFO_DATA_OUT:
142 debug_dump(ctx, "CURLINFO_DATA_OUT", buf, len);
144 case CURLINFO_SSL_DATA_IN:
145 wpa_printf(MSG_DEBUG, "debug - CURLINFO_SSL_DATA_IN - %d",
148 case CURLINFO_SSL_DATA_OUT:
149 wpa_printf(MSG_DEBUG, "debug - CURLINFO_SSL_DATA_OUT - %d",
153 wpa_printf(MSG_DEBUG, "debug - CURLINFO_END - %d",
161 static size_t curl_cb_write(void *ptr, size_t size, size_t nmemb,
164 struct http_ctx *ctx = userdata;
166 n = os_realloc(ctx->curl_buf, ctx->curl_buf_len + size * nmemb + 1);
170 os_memcpy(n + ctx->curl_buf_len, ptr, size * nmemb);
171 n[ctx->curl_buf_len + size * nmemb] = '\0';
172 ctx->curl_buf_len += size * nmemb;
177 #ifdef EAP_TLS_OPENSSL
179 static void debug_dump_cert(const char *title, X509 *cert)
185 out = BIO_new(BIO_s_mem());
189 X509_print_ex(out, cert, XN_FLAG_COMPAT, X509_FLAG_COMPAT);
190 rlen = BIO_ctrl_pending(out);
191 txt = os_malloc(rlen + 1);
193 int res = BIO_read(out, txt, rlen);
196 wpa_printf(MSG_MSGDUMP, "%s:\n%s", title, txt);
204 static void add_alt_name_othername(struct http_ctx *ctx, struct http_cert *cert,
209 struct http_othername *on;
212 on = os_realloc_array(cert->othername, cert->num_othername + 1,
213 sizeof(struct http_othername));
216 cert->othername = on;
217 on = &on[cert->num_othername];
218 os_memset(on, 0, sizeof(*on));
220 res = OBJ_obj2txt(txt, sizeof(txt), o->type_id, 1);
221 if (res < 0 || res >= (int) sizeof(txt))
224 on->oid = os_strdup(txt);
229 on->data = val->value.octet_string->data;
230 on->len = val->value.octet_string->length;
232 cert->num_othername++;
236 static void add_alt_name_dns(struct http_ctx *ctx, struct http_cert *cert,
243 if (ASN1_STRING_to_UTF8((unsigned char **) &buf, name) < 0)
246 n = os_realloc_array(cert->dnsname, cert->num_dnsname + 1,
252 n[cert->num_dnsname] = buf;
257 static void add_alt_name(struct http_ctx *ctx, struct http_cert *cert,
258 const GENERAL_NAME *name)
260 switch (name->type) {
262 add_alt_name_othername(ctx, cert, name->d.otherName);
265 add_alt_name_dns(ctx, cert, name->d.dNSName);
271 static void add_alt_names(struct http_ctx *ctx, struct http_cert *cert,
272 GENERAL_NAMES *names)
276 num = sk_GENERAL_NAME_num(names);
277 for (i = 0; i < num; i++) {
278 const GENERAL_NAME *name;
279 name = sk_GENERAL_NAME_value(names, i);
280 add_alt_name(ctx, cert, name);
289 ASN1_OCTET_STRING *hashValue;
293 STACK_OF(HashAlgAndValue) *refStructHash;
294 STACK_OF(ASN1_IA5STRING) *refStructURI;
298 ASN1_IA5STRING *mediaType;
299 STACK_OF(HashAlgAndValue) *logotypeHash;
300 STACK_OF(ASN1_IA5STRING) *logotypeURI;
306 ASN1_INTEGER *numBits;
307 ASN1_INTEGER *tableSize;
309 } LogotypeImageResolution;
312 ASN1_INTEGER *type; /* LogotypeImageType ::= INTEGER */
313 ASN1_INTEGER *fileSize;
316 LogotypeImageResolution *resolution;
317 ASN1_IA5STRING *language;
321 LogotypeDetails *imageDetails;
322 LogotypeImageInfo *imageInfo;
326 ASN1_INTEGER *fileSize;
327 ASN1_INTEGER *playTime;
328 ASN1_INTEGER *channels;
329 ASN1_INTEGER *sampleRate;
330 ASN1_IA5STRING *language;
334 LogotypeDetails *audioDetails;
335 LogotypeAudioInfo *audioInfo;
339 STACK_OF(LogotypeImage) *image;
340 STACK_OF(LogotypeAudio) *audio;
346 LogotypeData *direct;
347 LogotypeReference *indirect;
352 ASN1_OBJECT *logotypeType;
357 STACK_OF(LogotypeInfo) *communityLogos;
358 LogotypeInfo *issuerLogo;
359 LogotypeInfo *subjectLogo;
360 STACK_OF(OtherLogotypeInfo) *otherLogos;
363 ASN1_SEQUENCE(HashAlgAndValue) = {
364 ASN1_SIMPLE(HashAlgAndValue, hashAlg, X509_ALGOR),
365 ASN1_SIMPLE(HashAlgAndValue, hashValue, ASN1_OCTET_STRING)
366 } ASN1_SEQUENCE_END(HashAlgAndValue);
368 ASN1_SEQUENCE(LogotypeReference) = {
369 ASN1_SEQUENCE_OF(LogotypeReference, refStructHash, HashAlgAndValue),
370 ASN1_SEQUENCE_OF(LogotypeReference, refStructURI, ASN1_IA5STRING)
371 } ASN1_SEQUENCE_END(LogotypeReference);
373 ASN1_SEQUENCE(LogotypeDetails) = {
374 ASN1_SIMPLE(LogotypeDetails, mediaType, ASN1_IA5STRING),
375 ASN1_SEQUENCE_OF(LogotypeDetails, logotypeHash, HashAlgAndValue),
376 ASN1_SEQUENCE_OF(LogotypeDetails, logotypeURI, ASN1_IA5STRING)
377 } ASN1_SEQUENCE_END(LogotypeDetails);
379 ASN1_CHOICE(LogotypeImageResolution) = {
380 ASN1_IMP(LogotypeImageResolution, d.numBits, ASN1_INTEGER, 1),
381 ASN1_IMP(LogotypeImageResolution, d.tableSize, ASN1_INTEGER, 2)
382 } ASN1_CHOICE_END(LogotypeImageResolution);
384 ASN1_SEQUENCE(LogotypeImageInfo) = {
385 ASN1_IMP_OPT(LogotypeImageInfo, type, ASN1_INTEGER, 0),
386 ASN1_SIMPLE(LogotypeImageInfo, fileSize, ASN1_INTEGER),
387 ASN1_SIMPLE(LogotypeImageInfo, xSize, ASN1_INTEGER),
388 ASN1_SIMPLE(LogotypeImageInfo, ySize, ASN1_INTEGER),
389 ASN1_OPT(LogotypeImageInfo, resolution, LogotypeImageResolution),
390 ASN1_IMP_OPT(LogotypeImageInfo, language, ASN1_IA5STRING, 4),
391 } ASN1_SEQUENCE_END(LogotypeImageInfo);
393 ASN1_SEQUENCE(LogotypeImage) = {
394 ASN1_SIMPLE(LogotypeImage, imageDetails, LogotypeDetails),
395 ASN1_OPT(LogotypeImage, imageInfo, LogotypeImageInfo)
396 } ASN1_SEQUENCE_END(LogotypeImage);
398 ASN1_SEQUENCE(LogotypeAudioInfo) = {
399 ASN1_SIMPLE(LogotypeAudioInfo, fileSize, ASN1_INTEGER),
400 ASN1_SIMPLE(LogotypeAudioInfo, playTime, ASN1_INTEGER),
401 ASN1_SIMPLE(LogotypeAudioInfo, channels, ASN1_INTEGER),
402 ASN1_IMP_OPT(LogotypeAudioInfo, sampleRate, ASN1_INTEGER, 3),
403 ASN1_IMP_OPT(LogotypeAudioInfo, language, ASN1_IA5STRING, 4)
404 } ASN1_SEQUENCE_END(LogotypeAudioInfo);
406 ASN1_SEQUENCE(LogotypeAudio) = {
407 ASN1_SIMPLE(LogotypeAudio, audioDetails, LogotypeDetails),
408 ASN1_OPT(LogotypeAudio, audioInfo, LogotypeAudioInfo)
409 } ASN1_SEQUENCE_END(LogotypeAudio);
411 ASN1_SEQUENCE(LogotypeData) = {
412 ASN1_SEQUENCE_OF_OPT(LogotypeData, image, LogotypeImage),
413 ASN1_IMP_SEQUENCE_OF_OPT(LogotypeData, audio, LogotypeAudio, 1)
414 } ASN1_SEQUENCE_END(LogotypeData);
416 ASN1_CHOICE(LogotypeInfo) = {
417 ASN1_IMP(LogotypeInfo, d.direct, LogotypeData, 0),
418 ASN1_IMP(LogotypeInfo, d.indirect, LogotypeReference, 1)
419 } ASN1_CHOICE_END(LogotypeInfo);
421 ASN1_SEQUENCE(OtherLogotypeInfo) = {
422 ASN1_SIMPLE(OtherLogotypeInfo, logotypeType, ASN1_OBJECT),
423 ASN1_SIMPLE(OtherLogotypeInfo, info, LogotypeInfo)
424 } ASN1_SEQUENCE_END(OtherLogotypeInfo);
426 ASN1_SEQUENCE(LogotypeExtn) = {
427 ASN1_EXP_SEQUENCE_OF_OPT(LogotypeExtn, communityLogos, LogotypeInfo, 0),
428 ASN1_EXP_OPT(LogotypeExtn, issuerLogo, LogotypeInfo, 1),
429 ASN1_EXP_OPT(LogotypeExtn, issuerLogo, LogotypeInfo, 2),
430 ASN1_EXP_SEQUENCE_OF_OPT(LogotypeExtn, otherLogos, OtherLogotypeInfo, 3)
431 } ASN1_SEQUENCE_END(LogotypeExtn);
433 IMPLEMENT_ASN1_FUNCTIONS(LogotypeExtn);
435 #ifdef OPENSSL_IS_BORINGSSL
436 #define sk_LogotypeInfo_num(st) \
437 sk_num(CHECKED_CAST(_STACK *, STACK_OF(LogotypeInfo) *, (st)))
438 #define sk_LogotypeInfo_value(st, i) (LogotypeInfo *) \
439 sk_value(CHECKED_CAST(_STACK *, const STACK_OF(LogotypeInfo) *, (st)), (i))
440 #define sk_LogotypeImage_num(st) \
441 sk_num(CHECKED_CAST(_STACK *, STACK_OF(LogotypeImage) *, (st)))
442 #define sk_LogotypeImage_value(st, i) (LogotypeImage *) \
443 sk_value(CHECKED_CAST(_STACK *, const STACK_OF(LogotypeImage) *, (st)), (i))
444 #define sk_LogotypeAudio_num(st) \
445 sk_num(CHECKED_CAST(_STACK *, STACK_OF(LogotypeAudio) *, (st)))
446 #define sk_LogotypeAudio_value(st, i) (LogotypeAudio *) \
447 sk_value(CHECK_CAST(_STACK *, const STACK_OF(LogotypeAudio) *, (st)), (i))
448 #define sk_HashAlgAndValue_num(st) \
449 sk_num(CHECKED_CAST(_STACK *, STACK_OF(HashAlgAndValue) *, (st)))
450 #define sk_HashAlgAndValue_value(st, i) (HashAlgAndValue *) \
451 sk_value(CHECKED_CAST(_STACK *, const STACK_OF(HashAlgAndValue) *, (st)), (i))
452 #define sk_ASN1_IA5STRING_num(st) \
453 sk_num(CHECKED_CAST(_STACK *, STACK_OF(ASN1_IA5STRING) *, (st)))
454 #define sk_ASN1_IA5STRING_value(st, i) (ASN1_IA5STRING *) \
455 sk_value(CHECKED_CAST(_STACK *, const STACK_OF(ASN1_IA5STRING) *, (st)), (i))
456 #else /* OPENSSL_IS_BORINGSSL */
457 #if OPENSSL_VERSION_NUMBER < 0x10100000L
458 #define sk_LogotypeInfo_num(st) SKM_sk_num(LogotypeInfo, (st))
459 #define sk_LogotypeInfo_value(st, i) SKM_sk_value(LogotypeInfo, (st), (i))
460 #define sk_LogotypeImage_num(st) SKM_sk_num(LogotypeImage, (st))
461 #define sk_LogotypeImage_value(st, i) SKM_sk_value(LogotypeImage, (st), (i))
462 #define sk_LogotypeAudio_num(st) SKM_sk_num(LogotypeAudio, (st))
463 #define sk_LogotypeAudio_value(st, i) SKM_sk_value(LogotypeAudio, (st), (i))
464 #define sk_HashAlgAndValue_num(st) SKM_sk_num(HashAlgAndValue, (st))
465 #define sk_HashAlgAndValue_value(st, i) SKM_sk_value(HashAlgAndValue, (st), (i))
466 #define sk_ASN1_IA5STRING_num(st) SKM_sk_num(ASN1_IA5STRING, (st))
467 #define sk_ASN1_IA5STRING_value(st, i) SKM_sk_value(ASN1_IA5STRING, (st), (i))
469 DEFINE_STACK_OF(LogotypeInfo)
470 DEFINE_STACK_OF(LogotypeImage)
471 DEFINE_STACK_OF(LogotypeAudio)
472 DEFINE_STACK_OF(HashAlgAndValue)
473 DEFINE_STACK_OF(ASN1_IA5STRING)
475 #endif /* OPENSSL_IS_BORINGSSL */
478 static void add_logo(struct http_ctx *ctx, struct http_cert *hcert,
479 HashAlgAndValue *hash, ASN1_IA5STRING *uri)
485 if (hash == NULL || uri == NULL)
488 res = OBJ_obj2txt(txt, sizeof(txt), hash->hashAlg->algorithm, 1);
489 if (res < 0 || res >= (int) sizeof(txt))
492 n = os_realloc_array(hcert->logo, hcert->num_logo + 1,
493 sizeof(struct http_logo));
497 n = &hcert->logo[hcert->num_logo];
498 os_memset(n, 0, sizeof(*n));
500 n->alg_oid = os_strdup(txt);
501 if (n->alg_oid == NULL)
504 n->hash_len = ASN1_STRING_length(hash->hashValue);
505 n->hash = os_memdup(ASN1_STRING_get0_data(hash->hashValue),
507 if (n->hash == NULL) {
512 len = ASN1_STRING_length(uri);
513 n->uri = os_malloc(len + 1);
514 if (n->uri == NULL) {
519 os_memcpy(n->uri, ASN1_STRING_get0_data(uri), len);
526 static void add_logo_direct(struct http_ctx *ctx, struct http_cert *hcert,
531 if (data->image == NULL)
534 num = sk_LogotypeImage_num(data->image);
535 for (i = 0; i < num; i++) {
536 LogotypeImage *image;
537 LogotypeDetails *details;
538 int j, hash_num, uri_num;
539 HashAlgAndValue *found_hash = NULL;
541 image = sk_LogotypeImage_value(data->image, i);
545 details = image->imageDetails;
549 hash_num = sk_HashAlgAndValue_num(details->logotypeHash);
550 for (j = 0; j < hash_num; j++) {
551 HashAlgAndValue *hash;
554 hash = sk_HashAlgAndValue_value(details->logotypeHash,
558 res = OBJ_obj2txt(txt, sizeof(txt),
559 hash->hashAlg->algorithm, 1);
560 if (res < 0 || res >= (int) sizeof(txt))
562 if (os_strcmp(txt, "2.16.840.1.101.3.4.2.1") == 0) {
569 wpa_printf(MSG_DEBUG, "OpenSSL: No SHA256 hash found for the logo");
573 uri_num = sk_ASN1_IA5STRING_num(details->logotypeURI);
574 for (j = 0; j < uri_num; j++) {
576 uri = sk_ASN1_IA5STRING_value(details->logotypeURI, j);
577 add_logo(ctx, hcert, found_hash, uri);
583 static void add_logo_indirect(struct http_ctx *ctx, struct http_cert *hcert,
584 LogotypeReference *ref)
586 int j, hash_num, uri_num;
588 hash_num = sk_HashAlgAndValue_num(ref->refStructHash);
589 uri_num = sk_ASN1_IA5STRING_num(ref->refStructURI);
590 if (hash_num != uri_num) {
591 wpa_printf(MSG_INFO, "Unexpected LogotypeReference array size difference %d != %d",
596 for (j = 0; j < hash_num; j++) {
597 HashAlgAndValue *hash;
599 hash = sk_HashAlgAndValue_value(ref->refStructHash, j);
600 uri = sk_ASN1_IA5STRING_value(ref->refStructURI, j);
601 add_logo(ctx, hcert, hash, uri);
606 static void i2r_HashAlgAndValue(HashAlgAndValue *hash, BIO *out, int indent)
609 const unsigned char *data;
611 BIO_printf(out, "%*shashAlg: ", indent, "");
612 i2a_ASN1_OBJECT(out, hash->hashAlg->algorithm);
613 BIO_printf(out, "\n");
615 BIO_printf(out, "%*shashValue: ", indent, "");
616 data = hash->hashValue->data;
617 for (i = 0; i < hash->hashValue->length; i++)
618 BIO_printf(out, "%s%02x", i > 0 ? ":" : "", data[i]);
619 BIO_printf(out, "\n");
622 static void i2r_LogotypeDetails(LogotypeDetails *details, BIO *out, int indent)
626 BIO_printf(out, "%*sLogotypeDetails\n", indent, "");
627 if (details->mediaType) {
628 BIO_printf(out, "%*smediaType: ", indent, "");
629 ASN1_STRING_print(out, details->mediaType);
630 BIO_printf(out, "\n");
633 num = details->logotypeHash ?
634 sk_HashAlgAndValue_num(details->logotypeHash) : 0;
635 for (i = 0; i < num; i++) {
636 HashAlgAndValue *hash;
637 hash = sk_HashAlgAndValue_value(details->logotypeHash, i);
638 i2r_HashAlgAndValue(hash, out, indent);
641 num = details->logotypeURI ?
642 sk_ASN1_IA5STRING_num(details->logotypeURI) : 0;
643 for (i = 0; i < num; i++) {
645 uri = sk_ASN1_IA5STRING_value(details->logotypeURI, i);
646 BIO_printf(out, "%*slogotypeURI: ", indent, "");
647 ASN1_STRING_print(out, uri);
648 BIO_printf(out, "\n");
652 static void i2r_LogotypeImageInfo(LogotypeImageInfo *info, BIO *out, int indent)
656 BIO_printf(out, "%*sLogotypeImageInfo\n", indent, "");
658 val = ASN1_INTEGER_get(info->type);
659 BIO_printf(out, "%*stype: %ld\n", indent, "", val);
661 BIO_printf(out, "%*stype: default (1)\n", indent, "");
663 val = ASN1_INTEGER_get(info->fileSize);
664 BIO_printf(out, "%*sfileSize: %ld\n", indent, "", val);
665 val = ASN1_INTEGER_get(info->xSize);
666 BIO_printf(out, "%*sxSize: %ld\n", indent, "", val);
667 val = ASN1_INTEGER_get(info->ySize);
668 BIO_printf(out, "%*sySize: %ld\n", indent, "", val);
669 if (info->resolution) {
670 BIO_printf(out, "%*sresolution [%d]\n", indent, "",
671 info->resolution->type);
672 switch (info->resolution->type) {
674 val = ASN1_INTEGER_get(info->resolution->d.numBits);
675 BIO_printf(out, "%*snumBits: %ld\n", indent, "", val);
678 val = ASN1_INTEGER_get(info->resolution->d.tableSize);
679 BIO_printf(out, "%*stableSize: %ld\n", indent, "", val);
683 if (info->language) {
684 BIO_printf(out, "%*slanguage: ", indent, "");
685 ASN1_STRING_print(out, info->language);
686 BIO_printf(out, "\n");
690 static void i2r_LogotypeImage(LogotypeImage *image, BIO *out, int indent)
692 BIO_printf(out, "%*sLogotypeImage\n", indent, "");
693 if (image->imageDetails) {
694 i2r_LogotypeDetails(image->imageDetails, out, indent + 4);
696 if (image->imageInfo) {
697 i2r_LogotypeImageInfo(image->imageInfo, out, indent + 4);
701 static void i2r_LogotypeData(LogotypeData *data, const char *title, BIO *out,
706 BIO_printf(out, "%*s%s - LogotypeData\n", indent, "", title);
708 num = data->image ? sk_LogotypeImage_num(data->image) : 0;
709 for (i = 0; i < num; i++) {
710 LogotypeImage *image = sk_LogotypeImage_value(data->image, i);
711 i2r_LogotypeImage(image, out, indent + 4);
714 num = data->audio ? sk_LogotypeAudio_num(data->audio) : 0;
715 for (i = 0; i < num; i++) {
716 BIO_printf(out, "%*saudio: TODO\n", indent, "");
720 static void i2r_LogotypeReference(LogotypeReference *ref, const char *title,
721 BIO *out, int indent)
723 int i, hash_num, uri_num;
725 BIO_printf(out, "%*s%s - LogotypeReference\n", indent, "", title);
727 hash_num = ref->refStructHash ?
728 sk_HashAlgAndValue_num(ref->refStructHash) : 0;
729 uri_num = ref->refStructURI ?
730 sk_ASN1_IA5STRING_num(ref->refStructURI) : 0;
731 if (hash_num != uri_num) {
732 BIO_printf(out, "%*sUnexpected LogotypeReference array size difference %d != %d\n",
733 indent, "", hash_num, uri_num);
737 for (i = 0; i < hash_num; i++) {
738 HashAlgAndValue *hash;
741 hash = sk_HashAlgAndValue_value(ref->refStructHash, i);
742 i2r_HashAlgAndValue(hash, out, indent);
744 uri = sk_ASN1_IA5STRING_value(ref->refStructURI, i);
745 BIO_printf(out, "%*srefStructURI: ", indent, "");
746 ASN1_STRING_print(out, uri);
747 BIO_printf(out, "\n");
751 static void i2r_LogotypeInfo(LogotypeInfo *info, const char *title, BIO *out,
754 switch (info->type) {
756 i2r_LogotypeData(info->d.direct, title, out, indent);
759 i2r_LogotypeReference(info->d.indirect, title, out, indent);
764 static void debug_print_logotypeext(LogotypeExtn *logo)
770 out = BIO_new_fp(stdout, BIO_NOCLOSE);
774 if (logo->communityLogos) {
775 num = sk_LogotypeInfo_num(logo->communityLogos);
776 for (i = 0; i < num; i++) {
778 info = sk_LogotypeInfo_value(logo->communityLogos, i);
779 i2r_LogotypeInfo(info, "communityLogo", out, indent);
783 if (logo->issuerLogo) {
784 i2r_LogotypeInfo(logo->issuerLogo, "issuerLogo", out, indent );
787 if (logo->subjectLogo) {
788 i2r_LogotypeInfo(logo->subjectLogo, "subjectLogo", out, indent);
791 if (logo->otherLogos) {
792 BIO_printf(out, "%*sotherLogos - TODO\n", indent, "");
799 static void add_logotype_ext(struct http_ctx *ctx, struct http_cert *hcert,
805 ASN1_OCTET_STRING *os;
807 const unsigned char *data;
810 obj = OBJ_txt2obj("1.3.6.1.5.5.7.1.12", 0);
814 pos = X509_get_ext_by_OBJ(cert, obj, -1);
816 wpa_printf(MSG_INFO, "No logotype extension included");
820 wpa_printf(MSG_INFO, "Parsing logotype extension");
821 ext = X509_get_ext(cert, pos);
823 wpa_printf(MSG_INFO, "Could not get logotype extension");
827 os = X509_EXTENSION_get_data(ext);
829 wpa_printf(MSG_INFO, "Could not get logotype extension data");
833 wpa_hexdump(MSG_DEBUG, "logotypeExtn",
834 ASN1_STRING_get0_data(os), ASN1_STRING_length(os));
836 data = ASN1_STRING_get0_data(os);
837 logo = d2i_LogotypeExtn(NULL, &data, ASN1_STRING_length(os));
839 wpa_printf(MSG_INFO, "Failed to parse logotypeExtn");
843 if (wpa_debug_level < MSG_INFO)
844 debug_print_logotypeext(logo);
846 if (!logo->communityLogos) {
847 wpa_printf(MSG_INFO, "No communityLogos included");
848 LogotypeExtn_free(logo);
852 num = sk_LogotypeInfo_num(logo->communityLogos);
853 for (i = 0; i < num; i++) {
855 info = sk_LogotypeInfo_value(logo->communityLogos, i);
856 switch (info->type) {
858 add_logo_direct(ctx, hcert, info->d.direct);
861 add_logo_indirect(ctx, hcert, info->d.indirect);
866 LogotypeExtn_free(logo);
870 static void parse_cert(struct http_ctx *ctx, struct http_cert *hcert,
871 X509 *cert, GENERAL_NAMES **names)
873 os_memset(hcert, 0, sizeof(*hcert));
875 *names = X509_get_ext_d2i(cert, NID_subject_alt_name, NULL, NULL);
877 add_alt_names(ctx, hcert, *names);
879 add_logotype_ext(ctx, hcert, cert);
883 static void parse_cert_free(struct http_cert *hcert, GENERAL_NAMES *names)
887 for (i = 0; i < hcert->num_dnsname; i++)
888 OPENSSL_free(hcert->dnsname[i]);
889 os_free(hcert->dnsname);
891 for (i = 0; i < hcert->num_othername; i++)
892 os_free(hcert->othername[i].oid);
893 os_free(hcert->othername);
895 for (i = 0; i < hcert->num_logo; i++) {
896 os_free(hcert->logo[i].alg_oid);
897 os_free(hcert->logo[i].hash);
898 os_free(hcert->logo[i].uri);
900 os_free(hcert->logo);
902 sk_GENERAL_NAME_pop_free(names, GENERAL_NAME_free);
906 static int validate_server_cert(struct http_ctx *ctx, X509 *cert)
908 GENERAL_NAMES *names;
909 struct http_cert hcert;
912 if (ctx->cert_cb == NULL) {
913 wpa_printf(MSG_DEBUG, "%s: no cert_cb configured", __func__);
919 out = BIO_new_fp(stdout, BIO_NOCLOSE);
920 X509_print_ex(out, cert, XN_FLAG_COMPAT, X509_FLAG_COMPAT);
924 parse_cert(ctx, &hcert, cert, &names);
925 ret = ctx->cert_cb(ctx->cert_cb_ctx, &hcert);
926 parse_cert_free(&hcert, names);
932 void http_parse_x509_certificate(struct http_ctx *ctx, const char *fname)
936 GENERAL_NAMES *names;
937 struct http_cert hcert;
940 in = BIO_new_file(fname, "r");
942 wpa_printf(MSG_ERROR, "Could not read '%s'", fname);
946 cert = d2i_X509_bio(in, NULL);
950 wpa_printf(MSG_ERROR, "Could not parse certificate");
954 out = BIO_new_fp(stdout, BIO_NOCLOSE);
956 X509_print_ex(out, cert, XN_FLAG_COMPAT,
961 wpa_printf(MSG_INFO, "Additional parsing information:");
962 parse_cert(ctx, &hcert, cert, &names);
963 for (i = 0; i < hcert.num_othername; i++) {
964 if (os_strcmp(hcert.othername[i].oid,
965 "1.3.6.1.4.1.40808.1.1.1") == 0) {
966 char *name = os_zalloc(hcert.othername[i].len + 1);
968 os_memcpy(name, hcert.othername[i].data,
969 hcert.othername[i].len);
971 "id-wfa-hotspot-friendlyName: %s",
975 wpa_hexdump_ascii(MSG_INFO,
976 "id-wfa-hotspot-friendlyName",
977 hcert.othername[i].data,
978 hcert.othername[i].len);
980 wpa_printf(MSG_INFO, "subjAltName[othername]: oid=%s",
981 hcert.othername[i].oid);
982 wpa_hexdump_ascii(MSG_INFO, "unknown othername",
983 hcert.othername[i].data,
984 hcert.othername[i].len);
987 parse_cert_free(&hcert, names);
993 static int curl_cb_ssl_verify(int preverify_ok, X509_STORE_CTX *x509_ctx)
995 struct http_ctx *ctx;
1000 const char *err_str;
1004 ssl = X509_STORE_CTX_get_ex_data(x509_ctx,
1005 SSL_get_ex_data_X509_STORE_CTX_idx());
1006 ssl_ctx = SSL_get_SSL_CTX(ssl);
1007 ctx = SSL_CTX_get_app_data(ssl_ctx);
1009 wpa_printf(MSG_DEBUG, "curl_cb_ssl_verify, preverify_ok: %d",
1012 err = X509_STORE_CTX_get_error(x509_ctx);
1013 err_str = X509_verify_cert_error_string(err);
1014 depth = X509_STORE_CTX_get_error_depth(x509_ctx);
1015 cert = X509_STORE_CTX_get_current_cert(x509_ctx);
1017 wpa_printf(MSG_INFO, "No server certificate available");
1018 ctx->last_err = "No server certificate available";
1023 ctx->peer_cert = cert;
1024 else if (depth == 1)
1025 ctx->peer_issuer = cert;
1026 else if (depth == 2)
1027 ctx->peer_issuer_issuer = cert;
1029 name = X509_get_subject_name(cert);
1030 X509_NAME_oneline(name, buf, sizeof(buf));
1031 wpa_printf(MSG_INFO, "Server certificate chain - depth=%d err=%d (%s) subject=%s",
1032 depth, err, err_str, buf);
1033 debug_dump_cert("Server certificate chain - certificate", cert);
1035 if (depth == 0 && preverify_ok && validate_server_cert(ctx, cert) < 0)
1038 #ifdef OPENSSL_IS_BORINGSSL
1039 if (depth == 0 && ctx->ocsp != NO_OCSP && preverify_ok) {
1040 enum ocsp_result res;
1042 res = check_ocsp_resp(ssl_ctx, ssl, cert, ctx->peer_issuer,
1043 ctx->peer_issuer_issuer);
1044 if (res == OCSP_REVOKED) {
1046 wpa_printf(MSG_INFO, "OCSP: certificate revoked");
1047 if (err == X509_V_OK)
1048 X509_STORE_CTX_set_error(
1049 x509_ctx, X509_V_ERR_CERT_REVOKED);
1050 } else if (res != OCSP_GOOD && (ctx->ocsp == MANDATORY_OCSP)) {
1052 wpa_printf(MSG_INFO,
1053 "OCSP: bad certificate status response");
1056 #endif /* OPENSSL_IS_BORINGSSL */
1059 ctx->last_err = "TLS validation failed";
1061 return preverify_ok;
1067 static void ocsp_debug_print_resp(OCSP_RESPONSE *rsp)
1074 out = BIO_new(BIO_s_mem());
1078 OCSP_RESPONSE_print(out, rsp, 0);
1079 rlen = BIO_ctrl_pending(out);
1080 txt = os_malloc(rlen + 1);
1086 res = BIO_read(out, txt, rlen);
1089 wpa_printf(MSG_MSGDUMP, "OpenSSL: OCSP Response\n%s", txt);
1096 static void tls_show_errors(const char *func, const char *txt)
1100 wpa_printf(MSG_DEBUG, "OpenSSL: %s - %s %s",
1101 func, txt, ERR_error_string(ERR_get_error(), NULL));
1103 while ((err = ERR_get_error())) {
1104 wpa_printf(MSG_DEBUG, "OpenSSL: pending error: %s",
1105 ERR_error_string(err, NULL));
1110 static int ocsp_resp_cb(SSL *s, void *arg)
1112 struct http_ctx *ctx = arg;
1113 const unsigned char *p;
1114 int len, status, reason, res;
1116 OCSP_BASICRESP *basic;
1118 ASN1_GENERALIZEDTIME *produced_at, *this_update, *next_update;
1120 STACK_OF(X509) *certs = NULL;
1122 len = SSL_get_tlsext_status_ocsp_resp(s, &p);
1124 wpa_printf(MSG_DEBUG, "OpenSSL: No OCSP response received");
1125 if (ctx->ocsp == MANDATORY_OCSP)
1126 ctx->last_err = "No OCSP response received";
1127 return (ctx->ocsp == MANDATORY_OCSP) ? 0 : 1;
1130 wpa_hexdump(MSG_DEBUG, "OpenSSL: OCSP response", p, len);
1132 rsp = d2i_OCSP_RESPONSE(NULL, &p, len);
1134 wpa_printf(MSG_INFO, "OpenSSL: Failed to parse OCSP response");
1135 ctx->last_err = "Failed to parse OCSP response";
1139 ocsp_debug_print_resp(rsp);
1141 status = OCSP_response_status(rsp);
1142 if (status != OCSP_RESPONSE_STATUS_SUCCESSFUL) {
1143 wpa_printf(MSG_INFO, "OpenSSL: OCSP responder error %d (%s)",
1144 status, OCSP_response_status_str(status));
1145 ctx->last_err = "OCSP responder error";
1149 basic = OCSP_response_get1_basic(rsp);
1151 wpa_printf(MSG_INFO, "OpenSSL: Could not find BasicOCSPResponse");
1152 ctx->last_err = "Could not find BasicOCSPResponse";
1156 store = SSL_CTX_get_cert_store(SSL_get_SSL_CTX(s));
1157 if (ctx->peer_issuer) {
1158 wpa_printf(MSG_DEBUG, "OpenSSL: Add issuer");
1159 debug_dump_cert("OpenSSL: Issuer certificate",
1162 if (X509_STORE_add_cert(store, ctx->peer_issuer) != 1) {
1163 tls_show_errors(__func__,
1164 "OpenSSL: Could not add issuer to certificate store");
1166 certs = sk_X509_new_null();
1169 cert = X509_dup(ctx->peer_issuer);
1170 if (cert && !sk_X509_push(certs, cert)) {
1173 "OpenSSL: Could not add issuer to OCSP responder trust store");
1175 sk_X509_free(certs);
1178 if (certs && ctx->peer_issuer_issuer) {
1179 cert = X509_dup(ctx->peer_issuer_issuer);
1180 if (cert && !sk_X509_push(certs, cert)) {
1183 "OpenSSL: Could not add issuer's issuer to OCSP responder trust store");
1190 status = OCSP_basic_verify(basic, certs, store, OCSP_TRUSTOTHER);
1191 sk_X509_pop_free(certs, X509_free);
1193 tls_show_errors(__func__,
1194 "OpenSSL: OCSP response failed verification");
1195 OCSP_BASICRESP_free(basic);
1196 OCSP_RESPONSE_free(rsp);
1197 ctx->last_err = "OCSP response failed verification";
1201 wpa_printf(MSG_DEBUG, "OpenSSL: OCSP response verification succeeded");
1203 if (!ctx->peer_cert) {
1204 wpa_printf(MSG_DEBUG, "OpenSSL: Peer certificate not available for OCSP status check");
1205 OCSP_BASICRESP_free(basic);
1206 OCSP_RESPONSE_free(rsp);
1207 ctx->last_err = "Peer certificate not available for OCSP status check";
1211 if (!ctx->peer_issuer) {
1212 wpa_printf(MSG_DEBUG, "OpenSSL: Peer issuer certificate not available for OCSP status check");
1213 OCSP_BASICRESP_free(basic);
1214 OCSP_RESPONSE_free(rsp);
1215 ctx->last_err = "Peer issuer certificate not available for OCSP status check";
1219 id = OCSP_cert_to_id(EVP_sha256(), ctx->peer_cert, ctx->peer_issuer);
1221 wpa_printf(MSG_DEBUG,
1222 "OpenSSL: Could not create OCSP certificate identifier (SHA256)");
1223 OCSP_BASICRESP_free(basic);
1224 OCSP_RESPONSE_free(rsp);
1225 ctx->last_err = "Could not create OCSP certificate identifier";
1229 res = OCSP_resp_find_status(basic, id, &status, &reason, &produced_at,
1230 &this_update, &next_update);
1232 id = OCSP_cert_to_id(NULL, ctx->peer_cert, ctx->peer_issuer);
1234 wpa_printf(MSG_DEBUG,
1235 "OpenSSL: Could not create OCSP certificate identifier (SHA1)");
1236 OCSP_BASICRESP_free(basic);
1237 OCSP_RESPONSE_free(rsp);
1239 "Could not create OCSP certificate identifier";
1243 res = OCSP_resp_find_status(basic, id, &status, &reason,
1244 &produced_at, &this_update,
1249 wpa_printf(MSG_INFO, "OpenSSL: Could not find current server certificate from OCSP response%s",
1250 (ctx->ocsp == MANDATORY_OCSP) ? "" :
1251 " (OCSP not required)");
1252 OCSP_CERTID_free(id);
1253 OCSP_BASICRESP_free(basic);
1254 OCSP_RESPONSE_free(rsp);
1255 if (ctx->ocsp == MANDATORY_OCSP)
1257 ctx->last_err = "Could not find current server certificate from OCSP response";
1258 return (ctx->ocsp == MANDATORY_OCSP) ? 0 : 1;
1260 OCSP_CERTID_free(id);
1262 if (!OCSP_check_validity(this_update, next_update, 5 * 60, -1)) {
1263 tls_show_errors(__func__, "OpenSSL: OCSP status times invalid");
1264 OCSP_BASICRESP_free(basic);
1265 OCSP_RESPONSE_free(rsp);
1266 ctx->last_err = "OCSP status times invalid";
1270 OCSP_BASICRESP_free(basic);
1271 OCSP_RESPONSE_free(rsp);
1273 wpa_printf(MSG_DEBUG, "OpenSSL: OCSP status for server certificate: %s",
1274 OCSP_cert_status_str(status));
1276 if (status == V_OCSP_CERTSTATUS_GOOD)
1278 if (status == V_OCSP_CERTSTATUS_REVOKED) {
1279 ctx->last_err = "Server certificate has been revoked";
1282 if (ctx->ocsp == MANDATORY_OCSP) {
1283 wpa_printf(MSG_DEBUG, "OpenSSL: OCSP status unknown, but OCSP required");
1284 ctx->last_err = "OCSP status unknown";
1287 wpa_printf(MSG_DEBUG, "OpenSSL: OCSP status unknown, but OCSP was not required, so allow connection to continue");
1292 #if OPENSSL_VERSION_NUMBER < 0x10100000L
1293 static SSL_METHOD patch_ssl_method;
1294 static const SSL_METHOD *real_ssl_method;
1296 static int curl_patch_ssl_new(SSL *s)
1298 SSL_CTX *ssl = SSL_get_SSL_CTX(s);
1301 ssl->method = real_ssl_method;
1302 s->method = real_ssl_method;
1304 ret = s->method->ssl_new(s);
1305 SSL_set_tlsext_status_type(s, TLSEXT_STATUSTYPE_ocsp);
1309 #endif /* OpenSSL < 1.1.0 */
1311 #endif /* HAVE_OCSP */
1314 static CURLcode curl_cb_ssl(CURL *curl, void *sslctx, void *parm)
1316 struct http_ctx *ctx = parm;
1317 SSL_CTX *ssl = sslctx;
1319 wpa_printf(MSG_DEBUG, "curl_cb_ssl");
1320 SSL_CTX_set_app_data(ssl, ctx);
1321 SSL_CTX_set_verify(ssl, SSL_VERIFY_PEER, curl_cb_ssl_verify);
1324 if (ctx->ocsp != NO_OCSP) {
1325 SSL_CTX_set_tlsext_status_cb(ssl, ocsp_resp_cb);
1326 SSL_CTX_set_tlsext_status_arg(ssl, ctx);
1328 #if OPENSSL_VERSION_NUMBER < 0x10100000L
1330 * Use a temporary SSL_METHOD to get a callback on SSL_new()
1331 * from libcurl since there is no proper callback registration
1332 * available for this.
1334 os_memset(&patch_ssl_method, 0, sizeof(patch_ssl_method));
1335 patch_ssl_method.ssl_new = curl_patch_ssl_new;
1336 real_ssl_method = ssl->method;
1337 ssl->method = &patch_ssl_method;
1338 #endif /* OpenSSL < 1.1.0 */
1340 #endif /* HAVE_OCSP */
1345 #endif /* EAP_TLS_OPENSSL */
1348 static CURL * setup_curl_post(struct http_ctx *ctx, const char *address,
1349 const char *ca_fname, const char *username,
1350 const char *password, const char *client_cert,
1351 const char *client_key)
1354 #ifdef EAP_TLS_OPENSSL
1355 const char *extra = " tls=openssl";
1356 #else /* EAP_TLS_OPENSSL */
1357 const char *extra = "";
1358 #endif /* EAP_TLS_OPENSSL */
1360 wpa_printf(MSG_DEBUG, "Start HTTP client: address=%s ca_fname=%s "
1361 "username=%s%s", address, ca_fname, username, extra);
1363 curl = curl_easy_init();
1367 curl_easy_setopt(curl, CURLOPT_URL, address);
1368 curl_easy_setopt(curl, CURLOPT_POST, 1L);
1370 curl_easy_setopt(curl, CURLOPT_CAINFO, ca_fname);
1371 curl_easy_setopt(curl, CURLOPT_SSL_VERIFYPEER, 1L);
1372 #ifdef EAP_TLS_OPENSSL
1373 curl_easy_setopt(curl, CURLOPT_SSL_CTX_FUNCTION, curl_cb_ssl);
1374 curl_easy_setopt(curl, CURLOPT_SSL_CTX_DATA, ctx);
1375 #if defined(OPENSSL_IS_BORINGSSL) || (OPENSSL_VERSION_NUMBER >= 0x10100000L)
1376 /* For now, using the CURLOPT_SSL_VERIFYSTATUS option only
1377 * with BoringSSL since the OpenSSL specific callback hack to
1378 * enable OCSP is not available with BoringSSL. The OCSP
1379 * implementation within libcurl is not sufficient for the
1380 * Hotspot 2.0 OSU needs, so cannot use this with OpenSSL.
1382 if (ctx->ocsp != NO_OCSP)
1383 curl_easy_setopt(curl, CURLOPT_SSL_VERIFYSTATUS, 1L);
1384 #endif /* OPENSSL_IS_BORINGSSL */
1385 #endif /* EAP_TLS_OPENSSL */
1387 curl_easy_setopt(curl, CURLOPT_SSL_VERIFYPEER, 0L);
1389 if (client_cert && client_key) {
1390 curl_easy_setopt(curl, CURLOPT_SSLCERT, client_cert);
1391 curl_easy_setopt(curl, CURLOPT_SSLKEY, client_key);
1393 /* TODO: use curl_easy_getinfo() with CURLINFO_CERTINFO to fetch
1394 * information about the server certificate */
1395 curl_easy_setopt(curl, CURLOPT_CERTINFO, 1L);
1396 curl_easy_setopt(curl, CURLOPT_DEBUGFUNCTION, curl_cb_debug);
1397 curl_easy_setopt(curl, CURLOPT_DEBUGDATA, ctx);
1398 curl_easy_setopt(curl, CURLOPT_WRITEFUNCTION, curl_cb_write);
1399 curl_easy_setopt(curl, CURLOPT_WRITEDATA, ctx);
1400 curl_easy_setopt(curl, CURLOPT_VERBOSE, 1L);
1402 curl_easy_setopt(curl, CURLOPT_HTTPAUTH, CURLAUTH_ANYSAFE);
1403 curl_easy_setopt(curl, CURLOPT_USERNAME, username);
1404 curl_easy_setopt(curl, CURLOPT_PASSWORD, password);
1411 static int post_init_client(struct http_ctx *ctx, const char *address,
1412 const char *ca_fname, const char *username,
1413 const char *password, const char *client_cert,
1414 const char *client_key)
1419 clone_str(&ctx->svc_address, address);
1420 clone_str(&ctx->svc_ca_fname, ca_fname);
1421 clone_str(&ctx->svc_username, username);
1422 clone_str(&ctx->svc_password, password);
1423 clone_str(&ctx->svc_client_cert, client_cert);
1424 clone_str(&ctx->svc_client_key, client_key);
1427 * Workaround for Apache "Hostname 'FOO' provided via SNI and hostname
1428 * 'foo' provided via HTTP are different.
1430 for (count = 0, pos = ctx->svc_address; count < 3 && pos && *pos;
1434 *pos = tolower(*pos);
1437 ctx->curl = setup_curl_post(ctx, ctx->svc_address, ca_fname, username,
1438 password, client_cert, client_key);
1439 if (ctx->curl == NULL)
1446 int soap_init_client(struct http_ctx *ctx, const char *address,
1447 const char *ca_fname, const char *username,
1448 const char *password, const char *client_cert,
1449 const char *client_key)
1451 if (post_init_client(ctx, address, ca_fname, username, password,
1452 client_cert, client_key) < 0)
1455 ctx->curl_hdr = curl_slist_append(ctx->curl_hdr,
1456 "Content-Type: application/soap+xml");
1457 ctx->curl_hdr = curl_slist_append(ctx->curl_hdr, "SOAPAction: ");
1458 ctx->curl_hdr = curl_slist_append(ctx->curl_hdr, "Expect:");
1459 curl_easy_setopt(ctx->curl, CURLOPT_HTTPHEADER, ctx->curl_hdr);
1465 int soap_reinit_client(struct http_ctx *ctx)
1467 char *address = NULL;
1468 char *ca_fname = NULL;
1469 char *username = NULL;
1470 char *password = NULL;
1471 char *client_cert = NULL;
1472 char *client_key = NULL;
1477 clone_str(&address, ctx->svc_address);
1478 clone_str(&ca_fname, ctx->svc_ca_fname);
1479 clone_str(&username, ctx->svc_username);
1480 clone_str(&password, ctx->svc_password);
1481 clone_str(&client_cert, ctx->svc_client_cert);
1482 clone_str(&client_key, ctx->svc_client_key);
1484 ret = soap_init_client(ctx, address, ca_fname, username, password,
1485 client_cert, client_key);
1488 str_clear_free(username);
1489 str_clear_free(password);
1490 os_free(client_cert);
1491 os_free(client_key);
1496 static void free_curl_buf(struct http_ctx *ctx)
1498 os_free(ctx->curl_buf);
1499 ctx->curl_buf = NULL;
1500 ctx->curl_buf_len = 0;
1504 xml_node_t * soap_send_receive(struct http_ctx *ctx, xml_node_t *node)
1507 xml_node_t *envelope, *ret, *resp, *n;
1511 ctx->last_err = NULL;
1513 wpa_printf(MSG_DEBUG, "SOAP: Sending message");
1514 envelope = soap_build_envelope(ctx->xml, node);
1515 str = xml_node_to_str(ctx->xml, envelope);
1516 xml_node_free(ctx->xml, envelope);
1517 wpa_printf(MSG_MSGDUMP, "SOAP[%s]", str);
1519 curl_easy_setopt(ctx->curl, CURLOPT_POSTFIELDS, str);
1522 res = curl_easy_perform(ctx->curl);
1523 if (res != CURLE_OK) {
1525 ctx->last_err = curl_easy_strerror(res);
1526 wpa_printf(MSG_ERROR, "curl_easy_perform() failed: %s",
1534 curl_easy_getinfo(ctx->curl, CURLINFO_RESPONSE_CODE, &http);
1535 wpa_printf(MSG_DEBUG, "SOAP: Server response code %ld", http);
1537 ctx->last_err = "HTTP download failed";
1538 wpa_printf(MSG_INFO, "HTTP download failed - code %ld", http);
1543 if (ctx->curl_buf == NULL)
1546 wpa_printf(MSG_MSGDUMP, "Server response:\n%s", ctx->curl_buf);
1547 resp = xml_node_from_buf(ctx->xml, ctx->curl_buf);
1550 wpa_printf(MSG_INFO, "Could not parse SOAP response");
1551 ctx->last_err = "Could not parse SOAP response";
1555 ret = soap_get_body(ctx->xml, resp);
1557 wpa_printf(MSG_INFO, "Could not get SOAP body");
1558 ctx->last_err = "Could not get SOAP body";
1562 wpa_printf(MSG_DEBUG, "SOAP body localname: '%s'",
1563 xml_node_get_localname(ctx->xml, ret));
1564 n = xml_node_copy(ctx->xml, ret);
1565 xml_node_free(ctx->xml, resp);
1571 struct http_ctx * http_init_ctx(void *upper_ctx, struct xml_node_ctx *xml_ctx)
1573 struct http_ctx *ctx;
1575 ctx = os_zalloc(sizeof(*ctx));
1578 ctx->ctx = upper_ctx;
1580 ctx->ocsp = OPTIONAL_OCSP;
1582 curl_global_init(CURL_GLOBAL_ALL);
1588 void http_ocsp_set(struct http_ctx *ctx, int val)
1591 ctx->ocsp = NO_OCSP;
1593 ctx->ocsp = OPTIONAL_OCSP;
1595 ctx->ocsp = MANDATORY_OCSP;
1599 void http_deinit_ctx(struct http_ctx *ctx)
1602 os_free(ctx->curl_buf);
1603 curl_global_cleanup();
1605 os_free(ctx->svc_address);
1606 os_free(ctx->svc_ca_fname);
1607 str_clear_free(ctx->svc_username);
1608 str_clear_free(ctx->svc_password);
1609 os_free(ctx->svc_client_cert);
1610 os_free(ctx->svc_client_key);
1616 int http_download_file(struct http_ctx *ctx, const char *url,
1617 const char *fname, const char *ca_fname)
1624 ctx->last_err = NULL;
1626 wpa_printf(MSG_DEBUG, "curl: Download file from %s to %s (ca=%s)",
1627 url, fname, ca_fname);
1628 curl = curl_easy_init();
1632 f = fopen(fname, "wb");
1634 curl_easy_cleanup(curl);
1638 curl_easy_setopt(curl, CURLOPT_URL, url);
1640 curl_easy_setopt(curl, CURLOPT_CAINFO, ca_fname);
1641 curl_easy_setopt(curl, CURLOPT_SSL_VERIFYPEER, 1L);
1642 curl_easy_setopt(curl, CURLOPT_CERTINFO, 1L);
1644 curl_easy_setopt(curl, CURLOPT_SSL_VERIFYPEER, 0L);
1646 curl_easy_setopt(curl, CURLOPT_DEBUGFUNCTION, curl_cb_debug);
1647 curl_easy_setopt(curl, CURLOPT_DEBUGDATA, ctx);
1648 curl_easy_setopt(curl, CURLOPT_WRITEFUNCTION, fwrite);
1649 curl_easy_setopt(curl, CURLOPT_WRITEDATA, f);
1650 curl_easy_setopt(curl, CURLOPT_VERBOSE, 1L);
1652 res = curl_easy_perform(curl);
1653 if (res != CURLE_OK) {
1655 ctx->last_err = curl_easy_strerror(res);
1656 wpa_printf(MSG_ERROR, "curl_easy_perform() failed: %s",
1658 curl_easy_cleanup(curl);
1663 curl_easy_getinfo(curl, CURLINFO_RESPONSE_CODE, &http);
1664 wpa_printf(MSG_DEBUG, "curl: Server response code %ld", http);
1666 ctx->last_err = "HTTP download failed";
1667 wpa_printf(MSG_INFO, "HTTP download failed - code %ld", http);
1668 curl_easy_cleanup(curl);
1673 curl_easy_cleanup(curl);
1680 char * http_post(struct http_ctx *ctx, const char *url, const char *data,
1681 const char *content_type, const char *ext_hdr,
1682 const char *ca_fname,
1683 const char *username, const char *password,
1684 const char *client_cert, const char *client_key,
1691 struct curl_slist *curl_hdr = NULL;
1693 ctx->last_err = NULL;
1694 wpa_printf(MSG_DEBUG, "curl: HTTP POST to %s", url);
1695 curl = setup_curl_post(ctx, url, ca_fname, username, password,
1696 client_cert, client_key);
1702 snprintf(ct, sizeof(ct), "Content-Type: %s", content_type);
1703 curl_hdr = curl_slist_append(curl_hdr, ct);
1706 curl_hdr = curl_slist_append(curl_hdr, ext_hdr);
1707 curl_easy_setopt(curl, CURLOPT_HTTPHEADER, curl_hdr);
1709 curl_easy_setopt(curl, CURLOPT_POSTFIELDS, data);
1712 res = curl_easy_perform(curl);
1713 if (res != CURLE_OK) {
1715 ctx->last_err = curl_easy_strerror(res);
1716 wpa_printf(MSG_ERROR, "curl_easy_perform() failed: %s",
1722 curl_easy_getinfo(curl, CURLINFO_RESPONSE_CODE, &http);
1723 wpa_printf(MSG_DEBUG, "curl: Server response code %ld", http);
1725 ctx->last_err = "HTTP POST failed";
1726 wpa_printf(MSG_INFO, "HTTP POST failed - code %ld", http);
1731 if (ctx->curl_buf == NULL)
1734 ret = ctx->curl_buf;
1736 *resp_len = ctx->curl_buf_len;
1737 ctx->curl_buf = NULL;
1738 ctx->curl_buf_len = 0;
1740 wpa_printf(MSG_MSGDUMP, "Server response:\n%s", ret);
1746 void http_set_cert_cb(struct http_ctx *ctx,
1747 int (*cb)(void *ctx, struct http_cert *cert),
1751 ctx->cert_cb_ctx = cb_ctx;
1755 const char * http_get_err(struct http_ctx *ctx)
1757 return ctx->last_err;
projects / FreeBSD / FreeBSD.git / blob