Updated to hostap_2_6
[mech_eap.git] / libeap / src / utils / http_curl.c
index 653eb54..a06aae8 100644 (file)
@@ -26,6 +26,9 @@
 #include "common.h"
 #include "xml-utils.h"
 #include "http-utils.h"
+#ifdef EAP_TLS_OPENSSL
+#include "crypto/tls_openssl.h"
+#endif /* EAP_TLS_OPENSSL */
 
 
 struct http_ctx {
@@ -421,6 +424,28 @@ ASN1_SEQUENCE(LogotypeExtn) = {
 
 IMPLEMENT_ASN1_FUNCTIONS(LogotypeExtn);
 
+#ifdef OPENSSL_IS_BORINGSSL
+#define sk_LogotypeInfo_num(st) \
+sk_num(CHECKED_CAST(_STACK *, STACK_OF(LogotypeInfo) *, (st)))
+#define sk_LogotypeInfo_value(st, i) (LogotypeInfo *) \
+sk_value(CHECKED_CAST(_STACK *, const STACK_OF(LogotypeInfo) *, (st)), (i))
+#define sk_LogotypeImage_num(st) \
+sk_num(CHECKED_CAST(_STACK *, STACK_OF(LogotypeImage) *, (st)))
+#define sk_LogotypeImage_value(st, i) (LogotypeImage *) \
+sk_value(CHECKED_CAST(_STACK *, const STACK_OF(LogotypeImage) *, (st)), (i))
+#define sk_LogotypeAudio_num(st) \
+sk_num(CHECKED_CAST(_STACK *, STACK_OF(LogotypeAudio) *, (st)))
+#define sk_LogotypeAudio_value(st, i) (LogotypeAudio *) \
+sk_value(CHECK_CAST(_STACK *, const STACK_OF(LogotypeAudio) *, (st)), (i))
+#define sk_HashAlgAndValue_num(st) \
+sk_num(CHECKED_CAST(_STACK *, STACK_OF(HashAlgAndValue) *, (st)))
+#define sk_HashAlgAndValue_value(st, i) (HashAlgAndValue *) \
+sk_value(CHECKED_CAST(_STACK *, const STACK_OF(HashAlgAndValue) *, (st)), (i))
+#define sk_ASN1_IA5STRING_num(st) \
+sk_num(CHECKED_CAST(_STACK *, STACK_OF(ASN1_IA5STRING) *, (st)))
+#define sk_ASN1_IA5STRING_value(st, i) (ASN1_IA5STRING *) \
+sk_value(CHECKED_CAST(_STACK *, const STACK_OF(ASN1_IA5STRING) *, (st)), (i))
+#else /* OPENSSL_IS_BORINGSSL */
 #define sk_LogotypeInfo_num(st) SKM_sk_num(LogotypeInfo, (st))
 #define sk_LogotypeInfo_value(st, i) SKM_sk_value(LogotypeInfo, (st), (i))
 #define sk_LogotypeImage_num(st) SKM_sk_num(LogotypeImage, (st))
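Review bot: The BoringSSL definition of `sk_LogotypeAudio_value` spells the cast helper `CHECK_CAST` while every other macro in the new block uses `CHECKED_CAST`; the expansion line should read `sk_value(CHECKED_CAST(_STACK *, const STACK_OF(LogotypeAudio) *, (st)), (i))`. Because this is a macro the typo only surfaces at an expansion site, so a BoringSSL build that never invokes sk_LogotypeAudio_value compiles cleanly today and the first caller added later fails with an undeclared identifier (whether such a caller exists is not visible in this hunk). The `#else` branch of the same conditional continues past the last visible line.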
@@ -431,6 +456,7 @@ IMPLEMENT_ASN1_FUNCTIONS(LogotypeExtn);
 #define sk_HashAlgAndValue_value(st, i) SKM_sk_value(HashAlgAndValue, (st), (i))
 #define sk_ASN1_IA5STRING_num(st) SKM_sk_num(ASN1_IA5STRING, (st))
 #define sk_ASN1_IA5STRING_value(st, i) SKM_sk_value(ASN1_IA5STRING, (st), (i))
+#endif /* OPENSSL_IS_BORINGSSL */
 
 
 static void add_logo(struct http_ctx *ctx, struct http_cert *hcert,
@@ -618,13 +644,25 @@ static void i2r_LogotypeImageInfo(LogotypeImageInfo *info, BIO *out, int indent)
        } else {
                BIO_printf(out, "%*stype: default (1)\n", indent, "");
        }
+       val = ASN1_INTEGER_get(info->fileSize);
+       BIO_printf(out, "%*sfileSize: %ld\n", indent, "", val);
        val = ASN1_INTEGER_get(info->xSize);
        BIO_printf(out, "%*sxSize: %ld\n", indent, "", val);
        val = ASN1_INTEGER_get(info->ySize);
        BIO_printf(out, "%*sySize: %ld\n", indent, "", val);
        if (info->resolution) {
-               BIO_printf(out, "%*sresolution\n", indent, "");
-               /* TODO */
+               BIO_printf(out, "%*sresolution [%d]\n", indent, "",
+                          info->resolution->type);
+               switch (info->resolution->type) {
+               case 0:
+                       val = ASN1_INTEGER_get(info->resolution->d.numBits);
+                       BIO_printf(out, "%*snumBits: %ld\n", indent, "", val);
+                       break;
+               case 1:
+                       val = ASN1_INTEGER_get(info->resolution->d.tableSize);
+                       BIO_printf(out, "%*stableSize: %ld\n", indent, "", val);
+                       break;
+               }
        }
        if (info->language) {
                BIO_printf(out, "%*slanguage: ", indent, "");
@@ -981,6 +1019,26 @@ static int curl_cb_ssl_verify(int preverify_ok, X509_STORE_CTX *x509_ctx)
        if (depth == 0 && preverify_ok && validate_server_cert(ctx, cert) < 0)
                return 0;
 
+#ifdef OPENSSL_IS_BORINGSSL
+       if (depth == 0 && ctx->ocsp != NO_OCSP && preverify_ok) {
+               enum ocsp_result res;
+
+               res = check_ocsp_resp(ssl_ctx, ssl, cert, ctx->peer_issuer,
+                                     ctx->peer_issuer_issuer);
+               if (res == OCSP_REVOKED) {
+                       preverify_ok = 0;
+                       wpa_printf(MSG_INFO, "OCSP: certificate revoked");
+                       if (err == X509_V_OK)
+                               X509_STORE_CTX_set_error(
+                                       x509_ctx, X509_V_ERR_CERT_REVOKED);
+               } else if (res != OCSP_GOOD && (ctx->ocsp == MANDATORY_OCSP)) {
+                       preverify_ok = 0;
+                       wpa_printf(MSG_INFO,
+                                  "OCSP: bad certificate status response");
+               }
+       }
+#endif /* OPENSSL_IS_BORINGSSL */
+
        if (!preverify_ok)
                ctx->last_err = "TLS validation failed";
 
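Review bot: In the BoringSSL OCSP block the mandatory-OCSP rejection branch (`res != OCSP_GOOD && ctx->ocsp == MANDATORY_OCSP`) clears preverify_ok but, unlike the revoked branch just above it, records no error in the X509_STORE_CTX, so anything inspecting the verification result afterwards still reads X509_V_OK while the handshake is being refused; mirroring the revoked branch with `if (err == X509_V_OK) X509_STORE_CTX_set_error(x509_ctx, X509_V_ERR_UNABLE_TO_GET_CRL);` (the nearest code OpenSSL/BoringSSL expose for missing revocation data) would keep the two paths consistent. Both OCSP failures also collapse to the generic `"TLS validation failed"` in ctx->last_err on the following lines, so the OCSP-specific reason survives only in the wpa_printf log; a dedicated last_err string per branch, with the generic assignment guarded so it does not overwrite it, would make the failure diagnosable from the caller. `ssl_ctx`, `ssl`, `err` and the peer_issuer fields are set outside this hunk, presumably earlier in the callback; curl_cb_ssl_verify() starts and ends outside the hunk.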
@@ -1156,6 +1214,7 @@ static int ocsp_resp_cb(SSL *s, void *arg)
                wpa_printf(MSG_INFO, "OpenSSL: Could not find current server certificate from OCSP response%s",
                           (ctx->ocsp == MANDATORY_OCSP) ? "" :
                           " (OCSP not required)");
+               OCSP_CERTID_free(id);
                OCSP_BASICRESP_free(basic);
                OCSP_RESPONSE_free(rsp);
                if (ctx->ocsp == MANDATORY_OCSP)
@@ -1163,6 +1222,7 @@ static int ocsp_resp_cb(SSL *s, void *arg)
                        ctx->last_err = "Could not find current server certificate from OCSP response";
                return (ctx->ocsp == MANDATORY_OCSP) ? 0 : 1;
        }
+       OCSP_CERTID_free(id);
 
        if (!OCSP_check_validity(this_update, next_update, 5 * 60, -1)) {
                tls_show_errors(__func__, "OpenSSL: OCSP status times invalid");
@@ -1273,6 +1333,16 @@ static CURL * setup_curl_post(struct http_ctx *ctx, const char *address,
 #ifdef EAP_TLS_OPENSSL
                curl_easy_setopt(curl, CURLOPT_SSL_CTX_FUNCTION, curl_cb_ssl);
                curl_easy_setopt(curl, CURLOPT_SSL_CTX_DATA, ctx);
+#ifdef OPENSSL_IS_BORINGSSL
+               /* For now, using the CURLOPT_SSL_VERIFYSTATUS option only
+                * with BoringSSL since the OpenSSL specific callback hack to
+                * enable OCSP is not available with BoringSSL. The OCSP
+                * implementation within libcurl is not sufficient for the
+                * Hotspot 2.0 OSU needs, so cannot use this with OpenSSL.
+                */
+               if (ctx->ocsp != NO_OCSP)
+                       curl_easy_setopt(curl, CURLOPT_SSL_VERIFYSTATUS, 1L);
+#endif /* OPENSSL_IS_BORINGSSL */
 #endif /* EAP_TLS_OPENSSL */
        } else {
                curl_easy_setopt(curl, CURLOPT_SSL_VERIFYPEER, 0L);
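Review bot: CURLOPT_SSL_VERIFYSTATUS is enabled for every setting other than NO_OCSP, but libcurl's own status check (in the versions I am aware of) fails the handshake when the server sends no stapled response, so OPTIONAL_OCSP would behave as mandatory under BoringSSL even though curl_cb_ssl_verify() only hard-fails a missing or bad status when ctx->ocsp == MANDATORY_OCSP — confirm against the libcurl version this is built with. If that holds, either gate the option with `if (ctx->ocsp == MANDATORY_OCSP)` or extend the new comment to state that BoringSSL builds cannot distinguish optional from mandatory OCSP. setup_curl_post() starts and ends outside this hunk, and the `CURLOPT_SSL_VERIFYPEER, 0L` branch below is pre-existing code.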