Merged the hostap_2.6 updates, and the Leap of Faith work, from the hostap_update...

[mech_eap.git] / libeap / hs20 / server / www / est.php

diff --git a/libeap/hs20/server/www/est.php b/libeap/hs20/server/www/est.php
new file mode 100644 (file)
index 0000000..a45648b
--- /dev/null
+++ b/libeap/hs20/server/www/est.php
@@ -0,0 +1,198 @@
+<?php
+
+require('config.php');
+
+$params = split("/", $_SERVER["PATH_INFO"], 3);
+$realm = $params[1];
+$cmd = $params[2];
+$method = $_SERVER["REQUEST_METHOD"];
+
+unset($user);
+unset($rowid);
+
+if (!empty($_SERVER['PHP_AUTH_DIGEST'])) {
+  $needed = array('nonce'=>1, 'nc'=>1, 'cnonce'=>1, 'qop'=>1, 'username'=>1,
+                 'uri'=>1, 'response'=>1);
+  $data = array();
+  $keys = implode('|', array_keys($needed));
+  preg_match_all('@(' . $keys . ')=(?:([\'"])([^\2]+?)\2|([^\s,]+))@',
+                $_SERVER['PHP_AUTH_DIGEST'], $matches, PREG_SET_ORDER);
+  foreach ($matches as $m) {
+    $data[$m[1]] = $m[3] ? $m[3] : $m[4];
+    unset($needed[$m[1]]);
+  }
+  if ($needed) {
+    error_log("EST: Missing auth parameter");
+    die('Authentication failed');
+  }
+  $user = $data['username'];
+  if (strlen($user) < 1) {
+    error_log("EST: Empty username");
+    die('Authentication failed');
+  }
+
+  $db = new PDO($osu_db);
+  if (!$db) {
+    error_log("EST: Could not access database");
+    die("Could not access database");
+  }
+
+  $sql = "SELECT rowid,password,operation FROM sessions " .
+    "WHERE user='$user' AND realm='$realm'";
+  $q = $db->query($sql);
+  if (!$q) {
+    error_log("EST: Session not found for user=$user realm=$realm");
+    die("Session not found");
+  }
+  $row = $q->fetch();
+  if (!$row) {
+    error_log("EST: Session fetch failed for user=$user realm=$realm");
+    die('Session not found');
+  }
+  $rowid = $row['rowid'];
+
+  $oper = $row['operation'];
+  if ($oper != '5') {
+    error_log("EST: Unexpected operation $oper for user=$user realm=$realm");
+    die("Session not found");
+  }
+  $pw = $row['password'];
+  if (strlen($pw) < 1) {
+    error_log("EST: Empty password for user=$user realm=$realm");
+    die('Authentication failed');
+  }
+
+  $A1 = md5($user . ':' . $realm . ':' . $pw);
+  $A2 = md5($method . ':' . $data['uri']);
+  $resp = md5($A1 . ':' . $data['nonce'] . ':' . $data['nc'] . ':' .
+             $data['cnonce'] . ':' . $data['qop'] . ':' . $A2);
+  if ($data['response'] != $resp) {
+    error_log("EST: Incorrect authentication response for user=$user realm=$realm");
+    die('Authentication failed');
+  }
+}
+
+
+if ($method == "GET" && $cmd == "cacerts") {
+  $fname = "$osu_root/est/$realm-cacerts.pkcs7";
+  if (!file_exists($fname)) {
+    error_log("EST: cacerts - unknown realm $realm");
+    die("Unknown realm");
+  }
+
+  header("Content-Transfer-Encoding: base64");
+  header("Content-Type: application/pkcs7-mime");
+
+  $data = file_get_contents($fname);
+  echo wordwrap(base64_encode($data), 72, "\n", true);
+  echo "\n";
+  error_log("EST: cacerts");
+} else if ($method == "GET" && $cmd == "csrattrs") {
+  header("Content-Transfer-Encoding: base64");
+  header("Content-Type: application/csrattrs");
+  readfile("$osu_root/est/est-attrs.b64");
+  error_log("EST: csrattrs");
+} else if ($method == "POST" && $cmd == "simpleenroll") {
+  if (!isset($user) || strlen($user) == 0) {
+    header('HTTP/1.1 401 Unauthorized');
+    header('WWW-Authenticate: Digest realm="'.$realm.
+          '",qop="auth",nonce="'.uniqid().'",opaque="'.md5($realm).'"');
+    error_log("EST: simpleenroll - require authentication");
+    die('Authentication required');
+  }
+  if (!isset($_SERVER["CONTENT_TYPE"])) {
+    error_log("EST: simpleenroll without Content-Type");
+    die("Missing Content-Type");
+  }
+  if (!stristr($_SERVER["CONTENT_TYPE"], "application/pkcs10")) {
+    error_log("EST: simpleenroll - unexpected Content-Type: " .
+             $_SERVER["CONTENT_TYPE"]);
+    die("Unexpected Content-Type");
+  }
+
+  $data = file_get_contents("php://input");
+  error_log("EST: simpleenroll - POST data from php://input: " . $data);
+  $req = base64_decode($data);
+  if ($req == FALSE) {
+    error_log("EST: simpleenroll - Invalid base64-encoded PKCS#10 data");
+    die("Invalid base64-encoded PKCS#10 data");
+  }
+  $cadir = "$osu_root/est";
+  $reqfile = "$cadir/tmp/cert-req.pkcs10";
+  $f = fopen($reqfile, "wb");
+  fwrite($f, $req);
+  fclose($f);
+
+  $req_pem = "$reqfile.pem";
+  if (file_exists($req_pem))
+    unlink($req_pem);
+  exec("openssl req -in $reqfile -inform DER -out $req_pem -outform PEM");
+  if (!file_exists($req_pem)) {
+    error_log("EST: simpleenroll - Failed to parse certificate request");
+    die("Failed to parse certificate request");
+  }
+
+  /* FIX: validate request and add HS 2.0 extensions to cert */
+  $cert_pem = "$cadir/tmp/req-signed.pem";
+  if (file_exists($cert_pem))
+    unlink($cert_pem);
+  exec("openssl x509 -req -in $req_pem -CAkey $cadir/cakey.pem -out $cert_pem -CA $cadir/cacert.pem -CAserial $cadir/serial -days 365 -text");
+  if (!file_exists($cert_pem)) {
+    error_log("EST: simpleenroll - Failed to sign certificate");
+    die("Failed to sign certificate");
+  }
+
+  $cert = file_get_contents($cert_pem);
+  $handle = popen("openssl x509 -in $cert_pem -serial -noout", "r");
+  $serial = fread($handle, 200);
+  pclose($handle);
+  $pattern = "/serial=(?P<snhex>[0-9a-fA-F:]*)/m";
+  preg_match($pattern, $serial, $matches);
+  if (!isset($matches['snhex']) || strlen($matches['snhex']) < 1) {
+    error_log("EST: simpleenroll - Could not get serial number");
+    die("Could not get serial number");
+  }
+  $sn = str_replace(":", "", strtoupper($matches['snhex']));
+
+  $user = "cert-$sn";
+  error_log("EST: user = $user");
+
+  $cert_der = "$cadir/tmp/req-signed.der";
+  if (file_exists($cert_der))
+    unlink($cert_der);
+  exec("openssl x509 -in $cert_pem -inform PEM -out $cert_der -outform DER");
+  if (!file_exists($cert_der)) {
+    error_log("EST: simpleenroll - Failed to convert certificate");
+    die("Failed to convert certificate");
+  }
+  $der = file_get_contents($cert_der);
+  $fingerprint = hash("sha256", $der);
+
+  $pkcs7 = "$cadir/tmp/est-client.pkcs7";
+  if (file_exists($pkcs7))
+    unlink($pkcs7);
+  exec("openssl crl2pkcs7 -nocrl -certfile $cert_pem -out $pkcs7 -outform DER");
+  if (!file_exists($pkcs7)) {
+    error_log("EST: simpleenroll - Failed to prepare PKCS#7 file");
+    die("Failed to prepare PKCS#7 file");
+  }
+
+  if (!$db->exec("UPDATE sessions SET user='$user', cert='$fingerprint', cert_pem='$cert' WHERE rowid=$rowid")) {
+    error_log("EST: simpleenroll - Failed to update session database");
+    die("Failed to update session database");
+  }
+
+  header("Content-Transfer-Encoding: base64");
+  header("Content-Type: application/pkcs7-mime");
+
+  $data = file_get_contents($pkcs7);
+  $resp = wordwrap(base64_encode($data), 72, "\n", true);
+  echo $resp . "\n";
+  error_log("EST: simpleenroll - PKCS#7 response: " . $resp);
+} else {
+  header("HTTP/1.0 404 Not Found");
+  error_log("EST: Unexpected method or path");
+  die("Unexpected method or path");
+}
+
+?>