search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
tests: Fix a GCC 9.2.1 warning about NULL %s value
[libisds.git] / src / soap.c
blob9ff04fef75d379e6bbadf9b2d07e28ecf26c0e1f
1 #include "isds_priv.h"
2 #include "soap.h"
3 #include "utils.h"
4 #include <stdlib.h>
5 #include <string.h>
6 #include <strings.h> /* strncasecmp(3) */
7 #include "system.h"
8
9 /* Private structure for write_body() call back */
10 struct soap_body {
11 void *data;
12 size_t length;
13 };
14
15 /* Private structure for write_header() call back */
16 struct auth_headers {
17 _Bool is_complete; /* Response has finished, next iteration is new
18 response, values become obsolete. */
19 char *last_header; /* Temporary storage for previous unfinished header */
20 char *method; /* WWW-Authenticate value */
21 char *code; /* X-Response-message-code value */
22 isds_otp_resolution resolution; /* Decoded .code member */
23 char *message; /* X-Response-message-text value */
24 char *redirect; /* Redirect URL */
25 };
26
27
28 /* Deallocate content of struct auth_headers */
29 static void auth_headers_free(struct auth_headers *headers) {
30 zfree(headers->last_header);
31 zfree(headers->method);
32 zfree(headers->code);
33 zfree(headers->message);
34 zfree(headers->redirect);
35 }
36
37
38 /* If given @line is HTTP header of @name,
39 * return pointer to the header value. Otherwise return NULL.
40 * @name is header name without name---value separator, terminated with 0. */
41 static const char *header_value(const char *line, const char *name) {
42 const char *value;
43 if (line == NULL || name == NULL) return NULL;
44
45 for (value = line; ; value++, name++) {
46 if (*value == '\0') return NULL; /* Line too short */
47 if (*name == '\0') break; /* Name matches */
48 if (*name != *value) return NULL; /* Name does not match */
49 }
50
51 /* Check separator. RFC2616, section 4.2 requires collon only. */
52 if (*value++ != ':') return NULL;
53
54 return value;
55 }
56
57
58 /* Try to decode header value per RFC 2047.
59 * @prepend_space is true if a space should be inserted before decoded word
60 * into @output in case the word has been decoded successfully.
61 * @input is zero terminated input, it's updated to point all consumed
62 * input - 1.
63 * @output is buffer to store decoded value, it's updated to point after last
64 * written character. The buffer must be preallocated.
65 * @return 0 if input has been successfully decoded, then @input and @output
66 * poineres will be updated. Otherwise return non-zero value and keeps
67 * argument pointers and memory unchanged. */
68 static int try_rfc2047_decode(_Bool prepend_space, const char **input,
69 char **output) {
70 const char *encoded;
71 const char *charset_start, *encoding, *end;
72 size_t charset_length;
73 char *charset = NULL;
74 /* ISDS prescribes B encoding only, but RFC 2047 requires to support Q
75 * encoding too. ISDS prescribes UTF-8 charset only, RFC requiers to
76 * support any MIME charset. */
77 if (input == NULL || *input == NULL || output == NULL || *output == NULL)
78 return -1;
79
80 /* Start is "=?" */
81 encoded = *input;
82 if (encoded[0] != '=' || encoded[1] != '?')
83 return -1;
84
85 /* Then is "CHARSET?" */
86 charset_start = (encoded += 2);
87 while (*encoded != '?') {
88 if (*encoded == '\0')
89 return -1;
90 if (*encoded == ' ' || *encoded == '\t' || *encoded == '\r' || *encoded == '\n')
91 return -1;
92 encoded++;
93 }
94 encoded++;
95
96 /* Then is "ENCODING?", where ENCODING is /[BbQq]/ */
97 if (*encoded == '\0') return -1;
98 encoding = encoded++;
99 if (*encoded != '?')
100 return -1;
101 encoded++;
102
103 /* Then is "ENCODED_TEXT?=" */
104 while (*encoded != '?') {
105 if (*encoded == '\0')
106 return -1;
107 if (*encoded == ' ' || *encoded == '\t' || *encoded == '\r' || *encoded == '\n')
108 return -1;
109 encoded++;
110 }
111 end = encoded;
112 if (*(++encoded) != '=') return -1;
113
114 /* Now pointers are:
115 * "=?CHARSET?E?ENCODED_TEXT?="
116 * | | | ||
117 * | | | |\- encoded
118 * | | | \- end
119 * | | \- encoding
120 * | \- charset_start
121 * \- *input
122 */
123
124 charset_length = encoding - charset_start - 1;
125 if (charset_length < 1)
126 return -1;
127 charset = strndup(charset_start, charset_length);
128 if (charset == NULL)
129 return -1;
130
131 /* Decode encoding */
132 char *bit_stream = NULL;
133 size_t bit_length = 0;
134 size_t encoding_length = end - encoding - 2;
135
136 if (*encoding == 'B') {
137 /* Decode Base-64 */
138 char *b64_stream = NULL;
139 if (NULL == (b64_stream =
140 malloc((encoding_length + 1) * sizeof(*encoding)))) {
141 free(charset);
142 return -1;
143 }
144 memcpy(b64_stream, encoding + 2, encoding_length);
145 b64_stream[encoding_length] = '\0';
146 bit_length = _isds_b64decode(b64_stream, (void **)&bit_stream);
147 free(b64_stream);
148 if (bit_length == (size_t) -1) {
149 free(charset);
150 return -1;
151 }
152 } else if (*encoding == 'Q') {
153 /* Decode Quoted-printable-like */
154 if (NULL == (bit_stream =
155 malloc((encoding_length) * sizeof(*encoding)))) {
156 free(charset);
157 return -1;
158 }
159 for (size_t q = 2; q < encoding_length + 2; q++) {
160 if (encoding[q] == '_') {
161 bit_stream[bit_length] = '\x20';
162 } else if (encoding[q] == '=') {
163 int ordinar;
164 /* Validate "=HH", where H is hexadecimal digit */
165 if (q + 2 >= encoding_length + 2 ) {
166 free(bit_stream);
167 free(charset);
168 return -1;
169 }
170 /* Convert =HH */
171 if ((ordinar = _isds_hex2i(encoding[++q])) < 0) {
172 free(bit_stream);
173 free(charset);
174 return -1;
175 }
176 bit_stream[bit_length] = (ordinar << 4);
177 if ((ordinar = _isds_hex2i(encoding[++q])) < 0) {
178 free(bit_stream);
179 free(charset);
180 return -1;
181 }
182 bit_stream[bit_length] += ordinar;
183 } else {
184 bit_stream[bit_length] = encoding[q];
185 }
186 bit_length++;
187 }
188 } else {
189 /* Unknown encoding */
190 free(charset);
191 return -1;
192 }
193
194 /* Convert to UTF-8 */
195 char *utf_stream = NULL;
196 size_t utf_length;
197 utf_length = _isds_any2any(charset, "UTF-8", bit_stream, bit_length,
198 (void **)&utf_stream);
199 free(bit_stream);
200 free(charset);
201 if (utf_length == (size_t) -1) {
202 return -1;
203 }
204
205 /* Copy UTF-8 stream to output buffer */
206 if (prepend_space) {
207 **output = ' ';
208 (*output)++;
209 }
210 memcpy(*output, utf_stream, utf_length);
211 free(utf_stream);
212 *output += utf_length;
213
214 *input = encoded;
215 return 0;
216 }
217
218
219 /* Decode HTTP header value per RFC 2047.
220 * @encoded_value is encoded HTTP header value terminated with NUL. It can
221 * contain HTTP LWS separators that will be replaced with a space.
222 * @return newly allocated decoded value without EOL, or return NULL. */
223 static char *decode_header_value(const char *encoded_value) {
224 char *decoded = NULL, *decoded_cursor;
225 size_t content_length;
226 _Bool text_started = 0, lws_seen = 0, encoded_word_seen = 0;
227
228 if (encoded_value == NULL) return NULL;
229 content_length = strlen(encoded_value);
230
231 /* A character can occupy up to 6 bytes in UTF-8 */
232 decoded = malloc(content_length * 6 + 1);
233 if (decoded == NULL) {
234 /* ENOMEM */
235 return NULL;
236 }
237
238 /* Decode */
239 /* RFC 2616, section 4.2: Remove surrounding LWS, replace inner ones with
240 * a space. */
241 /* RFC 2047, section 6.2: LWS between adjacent encoded words is ignored.
242 * */
243 for (decoded_cursor = decoded; *encoded_value; encoded_value++) {
244 if (*encoded_value == '\r' || *encoded_value == '\n' ||
245 *encoded_value == '\t' || *encoded_value == ' ') {
246 lws_seen = 1;
247 continue;
248 }
249 if (*encoded_value == '=' &&
250 !try_rfc2047_decode(
251 lws_seen && text_started && !encoded_word_seen,
252 &encoded_value, &decoded_cursor)) {
253 encoded_word_seen = 1;
254 } else {
255 if (lws_seen && text_started)
256 *(decoded_cursor++) = ' ';
257 *(decoded_cursor++) = *encoded_value;
258 encoded_word_seen = 0;
259 }
260 lws_seen = 0;
261 text_started = 1;
262 }
263 *decoded_cursor = '\0';
264
265 return decoded;
266 }
267
268
269 /* Return true, if server requests OTP authorization method that client
270 * requested. Otherwise return false.
271 * @client_method is method client requested
272 * @server_method is value of WWW-Authenticate header */
273 /*static _Bool otp_method_matches(const isds_otp_method client_method,
274 const char *server_method) {
275 char *method_name = NULL;
276
277 switch (client_method) {
278 case OTP_HMAC: method_name = "hotp"; break;
279 case OTP_TIME: method_name = "totp"; break;
280 default: return 0;
281 }
282
283 if (!strncmp(server_method, method_name, 4) && (
284 server_method[4] == '\0' || server_method[4] == ' ' ||
285 server_method[4] == '\t'))
286 return 1;
287 return 0;
288 }*/
289
290
291 /* Convert UTF-8 @string to HTTP OTP resolution enum type.
292 * @Return corresponding value or OTP_RESOLUTION_UNKNOWN if @string is not
293 * defined or unknown value. */
294 static isds_otp_resolution string2isds_otp_resolution(const char *string) {
295 if (string == NULL)
296 return OTP_RESOLUTION_UNKNOWN;
297 else if (!strcmp(string, "authentication.info.totpSended"))
298 return OTP_RESOLUTION_TOTP_SENT;
299 else if (!strcmp(string, "authentication.error.userIsNotAuthenticated"))
300 return OTP_RESOLUTION_BAD_AUTHENTICATION;
301 else if (!strcmp(string, "authentication.error.intruderDetected"))
302 return OTP_RESOLUTION_ACCESS_BLOCKED;
303 else if (!strcmp(string, "authentication.error.paswordExpired"))
304 return OTP_RESOLUTION_PASSWORD_EXPIRED;
305 else if (!strcmp(string, "authentication.info.cannotSendQuickly"))
306 return OTP_RESOLUTION_TO_FAST;
307 else if (!strcmp(string, "authentication.error.badRole"))
308 return OTP_RESOLUTION_UNAUTHORIZED;
309 else if (!strcmp(string, "authentication.info.totpNotSended"))
310 return OTP_RESOLUTION_TOTP_NOT_SENT;
311 else
312 return OTP_RESOLUTION_UNKNOWN;
313 }
314
315
316 /* Close connection to server and destroy CURL handle associated
317 * with @context */
318 _hidden isds_error _isds_close_connection(struct isds_ctx *context) {
319 if (!context) return IE_INVALID_CONTEXT;
320
321 if (context->curl) {
322 curl_easy_cleanup(context->curl);
323 context->curl = NULL;
324 isds_log(ILF_HTTP, ILL_DEBUG, _("Connection to server %s closed\n"),
325 context->url);
326 return IE_SUCCESS;
327 } else {
328 return IE_CONNECTION_CLOSED;
329 }
330 }
331
332
333 /* Remove username and password from context CURL handle. */
334 static isds_error unset_http_authorization(struct isds_ctx *context) {
335 isds_error error = IE_SUCCESS;
336
337 if (context == NULL) return IE_INVALID_CONTEXT;
338 if (context->curl == NULL) return IE_CONNECTION_CLOSED;
339
340 #if HAVE_DECL_CURLOPT_USERNAME /* Since curl-7.19.1 */
341 if (curl_easy_setopt(context->curl, CURLOPT_USERNAME, NULL))
342 error = IE_ERROR;
343 if (curl_easy_setopt(context->curl, CURLOPT_PASSWORD, NULL))
344 error = IE_ERROR;
345 #else
346 if (curl_easy_setopt(context->curl, CURLOPT_USERPWD, NULL))
347 error = IE_ERROR;
348 #endif /* not HAVE_DECL_CURLOPT_USERNAME */
349
350 if (error)
351 isds_log(ILF_HTTP, ILL_ERR, _("Error while unsetting user name and "
352 "password from CURL handle for connection to server %s.\n"),
353 context->url);
354 else
355 isds_log(ILF_HTTP, ILL_DEBUG, _("User name and password for server %s "
356 "have been unset from CURL handle.\n"), context->url);
357 return error;
358 }
359
360
361 /* CURL call back function called when chunk of HTTP response body is available.
362 * @buffer points to new data
363 * @size * @nmemb is length of the chunk in bytes. Zero means empty body.
364 * @userp is private structure.
365 * Must return the length of the chunk, otherwise CURL will signal
366 * CURL_WRITE_ERROR. */
367 static size_t write_body(void *buffer, size_t size, size_t nmemb, void *userp) {
368 struct soap_body *body = (struct soap_body *) userp;
369 void *new_data;
370
371 /* FIXME: Check for (size * nmemb + body->lengt) !> SIZE_T_MAX.
372 * Precompute the product then. */
373
374 if (!body) return 0; /* This should never happen */
375 if (0 == (size * nmemb)) return 0; /* Empty body */
376
377 new_data = realloc(body->data, body->length + size * nmemb);
378 if (!new_data) return 0;
379
380 memcpy(new_data + body->length, buffer, size * nmemb);
381
382 body->data = new_data;
383 body->length += size * nmemb;
384
385 return (size * nmemb);
386 }
387
388
389 /* CURL call back function called when a HTTP response header is available.
390 * This is called for each header even if reply consists of more responses.
391 * @buffer points to new header (no zero terminator, but HTTP EOL is included)
392 * @size * @nmemb is length of the header in bytes
393 * @userp is private structure.
394 * Must return the length of the header, otherwise CURL will signal
395 * CURL_WRITE_ERROR. */
396 static size_t write_header(void *buffer, size_t size, size_t nmemb, void *userp) {
397 struct auth_headers *headers = (struct auth_headers *) userp;
398 size_t length;
399 const char *value;
400
401 /* FIXME: Check for (size * nmemb) !> SIZE_T_MAX.
402 * Precompute the product then. */
403 length = size * nmemb;
404
405 if (NULL == headers) return 0; /* This should never happen */
406 if (0 == length) {
407 /* ??? Is this the empty line delimiter? */
408 return 0; /* Empty headers */
409 }
410
411 /* New response, invalide authentication headers. */
412 /* XXX: Chunked encoding trailer is not supported */
413 if (headers->is_complete) auth_headers_free(headers);
414
415 /* Append continuation to multi-line header */
416 if (*(char *)buffer == ' ' || *(char *)buffer == '\t') {
417 if (headers->last_header != NULL) {
418 size_t old_length = strlen(headers->last_header);
419 char *longer_header = realloc(headers->last_header, old_length + length);
420 if (longer_header == NULL) {
421 /* ENOMEM */
422 return 0;
423 }
424 strncpy(longer_header + old_length, (char*)buffer + 1, length - 1);
425 longer_header[old_length + length - 1] = '\0';
426 headers->last_header = longer_header;
427 } else {
428 /* Invalid continuation without starting header will be skipped. */
429 isds_log(ILF_HTTP, ILL_WARNING,
430 _("HTTP header continuation without starting header has "
431 "been encountered. Skipping invalid HTTP response "
432 "line.\n"));
433 }
434 goto leave;
435 }
436
437 /* Decode last header */
438 value = header_value(headers->last_header, "WWW-Authenticate");
439 if (value != NULL) {
440 free(headers->method);
441 if (NULL == (headers->method = decode_header_value(value))) {
442 /* TODO: Set IE_NOMEM to context */
443 return 0;
444 }
445 goto store;
446 }
447
448 value = header_value(headers->last_header, "X-Response-message-code");
449 if (value != NULL) {
450 free(headers->code);
451 if (NULL == (headers->code = decode_header_value(value))) {
452 /* TODO: Set IE_NOMEM to context */
453 return 0;
454 }
455 goto store;
456 }
457
458 value = header_value(headers->last_header, "X-Response-message-text");
459 if (value != NULL) {
460 free(headers->message);
461 if (NULL == (headers->message = decode_header_value(value))) {
462 /* TODO: Set IE_NOMEM to context */
463 return 0;
464 }
465 goto store;
466 }
467
468 store:
469 /* Last header decoded, free it */
470 zfree(headers->last_header);
471
472 if (!strncmp(buffer, "\r\n", length)) {
473 /* Current line is header---body separator */
474 headers->is_complete = 1;
475 goto leave;
476 } else {
477 /* Current line is new header, store it */
478 headers->last_header = malloc(length + 1);
479 if (headers->last_header == NULL) {
480 /* TODO: Set IE_NOMEM to context */
481 return 0;
482 }
483 memcpy(headers->last_header, buffer, length);
484 headers->last_header[length] = '\0';
485 }
486
487 leave:
488 return (length);
489 }
490
491
492 /* CURL progress callback proxy to rearrange arguments.
493 * @curl_data is session context */
494 static int progress_proxy(void *curl_data, double download_total,
495 double download_current, double upload_total, double upload_current) {
496 struct isds_ctx *context = (struct isds_ctx *) curl_data;
497 int abort = 0;
498
499 if (context && context->progress_callback) {
500 abort = context->progress_callback(
501 upload_total, upload_current,
502 download_total, download_current,
503 context->progress_callback_data);
504 if (abort) {
505 isds_log(ILF_HTTP, ILL_INFO,
506 _("Application aborted HTTP transfer"));
507 }
508 }
509
510 return abort;
511 }
512
513
514 /* CURL call back function called when curl has something to log.
515 * @curl is cURL context
516 * @type is cURL log facility
517 * @buffer points to log data, XXX: not zero-terminated
518 * @size is length of log data
519 * @userp is private structure.
520 * Must return 0. */
521 static int log_curl(CURL *curl, curl_infotype type, char *buffer, size_t size,
522 void *userp) {
523 /* Silent warning about usused arguments.
524 * This prototype is cURL's debug_callback type. */
525 (void)curl;
526 (void)userp;
527
528 if (!buffer || 0 == size) return 0;
529 if (type == CURLINFO_TEXT || type == CURLINFO_HEADER_IN ||
530 type == CURLINFO_HEADER_OUT)
531 isds_log(ILF_HTTP, ILL_DEBUG, "%*s", size, buffer);
532 return 0;
533 }
534
535
536 /* Do HTTP request.
537 * @context holds the base URL,
538 * @url is a (CGI) file of SOAP URL,
539 * @use_get is a false to do a POST request, true to do a GET request.
540 * @request is body for POST request
541 * @request_length is length of @request in bytes
542 * @reponse is automatically reallocated() buffer to fit HTTP response with
543 * @response_length (does not need to match allocated memory exactly). You must
544 * free() the @response.
545 * @mime_type is automatically allocated MIME type send by server (*NULL if not
546 * sent). Set NULL if you don't care.
547 * @charset is charset of the body signaled by server. The same constrains
548 * like on @mime_type apply.
549 * @http_code is final HTTP code returned by server. This can be 200, 401, 500
550 * or any other one. Pass NULL if you don't interest.
551 * In case of error, the response memory, MIME type, charset and length will be
552 * deallocated and zeroed automatically. Thus be sure they are preallocated or
553 * they points to NULL.
554 * @response_otp_headers is pre-allocated structure for OTP authentication
555 * headers sent by server. Members must be valid pointers or NULLs.
556 * Pass NULL if you don't interest.
557 * Be ware that successful return value does not mean the HTTP request has
558 * been accepted by the server. You must consult @http_code. OTOH, failure
559 * return value means the request could not been sent (e.g. SSL error).
560 * Side effect: message buffer */
561 static isds_error http(struct isds_ctx *context,
562 const char *url, _Bool use_get,
563 const void *request, const size_t request_length,
564 void **response, size_t *response_length,
565 char **mime_type, char **charset, long *http_code,
566 struct auth_headers *response_otp_headers) {
567
568 CURLcode curl_err;
569 isds_error err = IE_SUCCESS;
570 struct soap_body body;
571 char *content_type;
572 struct curl_slist *headers = NULL;
573
574
575 if (!context) return IE_INVALID_CONTEXT;
576 if (!url) return IE_INVAL;
577 if (request_length > 0 && !request) return IE_INVAL;
578 if (!response || !response_length) return IE_INVAL;
579
580 /* Clean authentication headers */
581
582 /* Set the body here to allow deallocation in leave block */
583 body.data = *response;
584 body.length = 0;
585
586 /* Set Request-URI */
587 curl_err = curl_easy_setopt(context->curl, CURLOPT_URL, url);
588
589 /* Set TLS options */
590 if (!curl_err && context->tls_verify_server) {
591 if (!*context->tls_verify_server)
592 isds_log(ILF_SEC, ILL_WARNING,
593 _("Disabling server identity verification. "
594 "That was your decision.\n"));
595 curl_err = curl_easy_setopt(context->curl, CURLOPT_SSL_VERIFYPEER,
596 (*context->tls_verify_server)? 1L : 0L);
597 if (!curl_err) {
598 curl_err = curl_easy_setopt(context->curl, CURLOPT_SSL_VERIFYHOST,
599 (*context->tls_verify_server)? 2L : 0L);
600 }
601 }
602 if (!curl_err && context->tls_ca_file) {
603 isds_log(ILF_SEC, ILL_INFO,
604 _("CA certificates will be searched in `%s' file since now\n"),
605 context->tls_ca_file);
606 curl_err = curl_easy_setopt(context->curl, CURLOPT_CAINFO,
607 context->tls_ca_file);
608 }
609 if (!curl_err && context->tls_ca_dir) {
610 isds_log(ILF_SEC, ILL_INFO,
611 _("CA certificates will be searched in `%s' directory "
612 "since now\n"), context->tls_ca_dir);
613 curl_err = curl_easy_setopt(context->curl, CURLOPT_CAPATH,
614 context->tls_ca_dir);
615 }
616 if (!curl_err && context->tls_crl_file) {
617 #if HAVE_DECL_CURLOPT_CRLFILE /* Since curl-7.19.0 */
618 isds_log(ILF_SEC, ILL_INFO,
619 _("CRLs will be searched in `%s' file since now\n"),
620 context->tls_crl_file);
621 curl_err = curl_easy_setopt(context->curl, CURLOPT_CRLFILE,
622 context->tls_crl_file);
623 #else
624 isds_log(ILF_SEC, ILL_WARNING,
625 _("Your curl library cannot pass certificate revocation "
626 "list to cryptographic library.\n"
627 "Make sure cryptographic library default setting "
628 "delivers proper CRLs,\n"
629 "or upgrade curl.\n"));
630 #endif /* not HAVE_DECL_CURLOPT_CRLFILE */
631 }
632
633
634 if ((NULL == context->mep_credentials) || (NULL == context->mep_credentials->intermediate_uri)) {
635 /* Don't set credentials in intermediate mobile key login state. */
636 /* Set credentials */
637 #if HAVE_DECL_CURLOPT_USERNAME /* Since curl-7.19.1 */
638 if (!curl_err && context->username) {
639 curl_err = curl_easy_setopt(context->curl, CURLOPT_USERNAME,
640 context->username);
641 }
642 if (!curl_err && context->password) {
643 curl_err = curl_easy_setopt(context->curl, CURLOPT_PASSWORD,
644 context->password);
645 }
646 #else
647 if (!curl_err && (context->username || context->password)) {
648 char *userpwd =
649 _isds_astrcat3(context->username, ":", context->password);
650 if (!userpwd) {
651 isds_log_message(context, _("Could not pass credentials to CURL"));
652 err = IE_NOMEM;
653 goto leave;
654 }
655 curl_err = curl_easy_setopt(context->curl, CURLOPT_USERPWD, userpwd);
656 free(userpwd);
657 }
658 #endif /* not HAVE_DECL_CURLOPT_USERNAME */
659 }
660
661 /* Set PKI credentials */
662 if (!curl_err && (context->pki_credentials)) {
663 if (context->pki_credentials->engine) {
664 /* Select SSL engine */
665 isds_log(ILF_SEC, ILL_INFO,
666 _("Cryptographic engine `%s' will be used for "
667 "key or certificate\n"),
668 context->pki_credentials->engine);
669 curl_err = curl_easy_setopt(context->curl, CURLOPT_SSLENGINE,
670 context->pki_credentials->engine);
671 }
672
673 if (!curl_err) {
674 /* Select certificate format */
675 #if HAVE_DECL_CURLOPT_SSLCERTTYPE /* since curl-7.9.3 */
676 if (context->pki_credentials->certificate_format ==
677 PKI_FORMAT_ENG) {
678 /* XXX: It's valid to have certificate in engine without name.
679 * Engines can select certificate according private key and
680 * vice versa. */
681 if (context->pki_credentials->certificate)
682 isds_log(ILF_SEC, ILL_INFO, _("Client `%s' certificate "
683 "will be read from `%s' engine\n"),
684 context->pki_credentials->certificate,
685 context->pki_credentials->engine);
686 else
687 isds_log(ILF_SEC, ILL_INFO, _("Client certificate "
688 "will be read from `%s' engine\n"),
689 context->pki_credentials->engine);
690 curl_err = curl_easy_setopt(context->curl, CURLOPT_SSLCERTTYPE,
691 "ENG");
692 } else if (context->pki_credentials->certificate) {
693 isds_log(ILF_SEC, ILL_INFO, _("Client %s certificate "
694 "will be read from `%s' file\n"),
695 (context->pki_credentials->certificate_format ==
696 PKI_FORMAT_DER) ? _("DER") : _("PEM"),
697 context->pki_credentials->certificate);
698 curl_err = curl_easy_setopt(context->curl, CURLOPT_SSLCERTTYPE,
699 (context->pki_credentials->certificate_format ==
700 PKI_FORMAT_DER) ? "DER" : "PEM");
701 }
702 #else
703 if ((context->pki_credentials->certificate_format ==
704 PKI_FORMAT_ENG ||
705 context->pki_credentials->certificate))
706 isds_log(ILF_SEC, ILL_WARNING,
707 _("Your curl library cannot distinguish certificate "
708 "formats. Make sure your cryptographic library\n"
709 "understands your certificate file by default, "
710 "or upgrade curl.\n"));
711 #endif /* not HAVE_DECL_CURLOPT_SSLCERTTYPE */
712 }
713
714 if (!curl_err && context->pki_credentials->certificate) {
715 /* Select certificate */
716 if (!curl_err)
717 curl_err = curl_easy_setopt(context->curl, CURLOPT_SSLCERT,
718 context->pki_credentials->certificate);
719 }
720
721 if (!curl_err) {
722 /* Select key format */
723 if (context->pki_credentials->key_format == PKI_FORMAT_ENG) {
724 if (context->pki_credentials->key)
725 isds_log(ILF_SEC, ILL_INFO, _("Client private key `%s' "
726 "from `%s' engine will be used\n"),
727 context->pki_credentials->key,
728 context->pki_credentials->engine);
729 else
730 isds_log(ILF_SEC, ILL_INFO, _("Client private key "
731 "from `%s' engine will be used\n"),
732 context->pki_credentials->engine);
733 curl_err = curl_easy_setopt(context->curl, CURLOPT_SSLKEYTYPE,
734 "ENG");
735 } else if (context->pki_credentials->key) {
736 isds_log(ILF_SEC, ILL_INFO, _("Client %s private key will be "
737 "read from `%s' file\n"),
738 (context->pki_credentials->key_format ==
739 PKI_FORMAT_DER) ? _("DER") : _("PEM"),
740 context->pki_credentials->key);
741 curl_err = curl_easy_setopt(context->curl, CURLOPT_SSLKEYTYPE,
742 (context->pki_credentials->key_format ==
743 PKI_FORMAT_DER) ? "DER" : "PEM");
744 }
745
746 if (!curl_err)
747 /* Select key */
748 curl_err = curl_easy_setopt(context->curl, CURLOPT_SSLKEY,
749 context->pki_credentials->key);
750
751 if (!curl_err) {
752 /* Pass key pass-phrase */
753 #if HAVE_DECL_CURLOPT_KEYPASSWD /* since curl-7.16.5 */
754 curl_err = curl_easy_setopt(context->curl,
755 CURLOPT_KEYPASSWD,
756 context->pki_credentials->passphrase);
757 #elif HAVE_DECL_CURLOPT_SSLKEYPASSWD /* up to curl-7.16.4 */
758 curl_err = curl_easy_setopt(context->curl,
759 CURLOPT_SSLKEYPASSWD,
760 context->pki_credentials->passphrase);
761 #else /* up to curl-7.9.2 */
762 curl_err = curl_easy_setopt(context->curl,
763 CURLOPT_SSLCERTPASSWD,
764 context->pki_credentials->passphrase);
765 #endif
766 }
767 }
768 }
769
770 /* Set authorization cookie for OTP session */
771 if (!curl_err && (context->otp || context->mep)) {
772 isds_log(ILF_SEC, ILL_INFO,
773 _("Cookies will be stored and sent "
774 "because context has been authorized by OTP or mobile key.\n"));
775 curl_err = curl_easy_setopt(context->curl, CURLOPT_COOKIEFILE, "");
776 }
777
778 /* Set timeout */
779 if (!curl_err) {
780 curl_err = curl_easy_setopt(context->curl, CURLOPT_NOSIGNAL, 1);
781 }
782 if (!curl_err && context->timeout) {
783 #if HAVE_DECL_CURLOPT_TIMEOUT_MS /* Since curl-7.16.2 */
784 curl_err = curl_easy_setopt(context->curl, CURLOPT_TIMEOUT_MS,
785 context->timeout);
786 #else
787 curl_err = curl_easy_setopt(context->curl, CURLOPT_TIMEOUT,
788 context->timeout / 1000);
789 #endif /* not HAVE_DECL_CURLOPT_TIMEOUT_MS */
790 }
791
792 /* Register callback */
793 if (context->progress_callback) {
794 if (!curl_err) {
795 curl_err = curl_easy_setopt(context->curl, CURLOPT_NOPROGRESS, 0);
796 }
797 if (!curl_err) {
798 curl_err = curl_easy_setopt(context->curl,
799 CURLOPT_PROGRESSFUNCTION, progress_proxy);
800 }
801 if (!curl_err) {
802 curl_err = curl_easy_setopt(context->curl, CURLOPT_PROGRESSDATA,
803 context);
804 }
805 }
806
807 /* Set other CURL features */
808 if (!curl_err) {
809 curl_err = curl_easy_setopt(context->curl, CURLOPT_FAILONERROR, 0);
810 }
811
812 /* Set get-response function */
813 if (!curl_err) {
814 curl_err = curl_easy_setopt(context->curl, CURLOPT_WRITEFUNCTION,
815 write_body);
816 }
817 if (!curl_err) {
818 curl_err = curl_easy_setopt(context->curl, CURLOPT_WRITEDATA, &body);
819 }
820
821 /* Set get-response-headers function if needed.
822 * XXX: Both CURLOPT_HEADERFUNCTION and CURLOPT_WRITEHEADER must be set or
823 * unset at the same time (see curl_easy_setopt(3)) ASAP, otherwise old
824 * invalid CURLOPT_WRITEHEADER value could be derefenced. */
825 if (!curl_err) {
826 curl_err = curl_easy_setopt(context->curl, CURLOPT_HEADERFUNCTION,
827 (response_otp_headers == NULL) ? NULL: write_header);
828 }
829 if (!curl_err) {
830 curl_err = curl_easy_setopt(context->curl, CURLOPT_WRITEHEADER,
831 response_otp_headers);
832 }
833
834 /* Set MIME types and headers requires by SOAP 1.1.
835 * SOAP 1.1 requires text/xml, SOAP 1.2 requires application/soap+xml.
836 * But suppress sending the headers to proxies first if supported. */
837 #if HAVE_DECL_CURLOPT_HEADEROPT /* since curl-7.37.0 */
838 if (!curl_err) {
839 curl_err = curl_easy_setopt(context->curl, CURLOPT_HEADEROPT,
840 CURLHEADER_SEPARATE);
841 }
842 #endif /* HAVE_DECL_CURLOPT_HEADEROPT */
843 if (!curl_err) {
844 headers = curl_slist_append(headers,
845 "Accept: application/soap+xml,application/xml,text/xml");
846 if (!headers) {
847 err = IE_NOMEM;
848 goto leave;
849 }
850 headers = curl_slist_append(headers, "Content-Type: text/xml");
851 if (!headers) {
852 err = IE_NOMEM;
853 goto leave;
854 }
855 headers = curl_slist_append(headers, "SOAPAction: ");
856 if (!headers) {
857 err = IE_NOMEM;
858 goto leave;
859 }
860 curl_err = curl_easy_setopt(context->curl, CURLOPT_HTTPHEADER, headers);
861 }
862 if (!curl_err) {
863 /* Set user agent identification */
864 curl_err = curl_easy_setopt(context->curl, CURLOPT_USERAGENT,
865 "libisds/" PACKAGE_VERSION);
866 }
867
868 if (use_get) {
869 /* Set GET request */
870 if (!curl_err) {
871 curl_err = curl_easy_setopt(context->curl, CURLOPT_HTTPGET, 1);
872 }
873 } else {
874 /* Set POST request body */
875 if (!curl_err) {
876 curl_err = curl_easy_setopt(context->curl, CURLOPT_POST, 1);
877 }
878 if (!curl_err) {
879 curl_err = curl_easy_setopt(context->curl, CURLOPT_POSTFIELDS, request);
880 }
881 if (!curl_err) {
882 curl_err = curl_easy_setopt(context->curl, CURLOPT_POSTFIELDSIZE,
883 request_length);
884 }
885 }
886
887 {
888 /* Debug cURL if requested */
889 _Bool debug_curl =
890 ((log_facilities & ILF_HTTP) && (log_level >= ILL_DEBUG));
891 if (!curl_err) {
892 curl_err = curl_easy_setopt(context->curl, CURLOPT_VERBOSE,
893 (debug_curl) ? 1 : 0);
894 }
895 if (!curl_err) {
896 curl_err = curl_easy_setopt(context->curl, CURLOPT_DEBUGFUNCTION,
897 (debug_curl) ? log_curl : NULL);
898 }
899 }
900
901 /* Check for errors so far */
902 if (curl_err) {
903 isds_log_message(context, curl_easy_strerror(curl_err));
904 err = IE_NETWORK;
905 goto leave;
906 }
907
908 isds_log(ILF_HTTP, ILL_DEBUG, _("Sending %s request to <%s>\n"),
909 use_get ? "GET" : "POST", url);
910 if (!use_get) {
911 isds_log(ILF_HTTP, ILL_DEBUG,
912 _("POST body length: %zu, content follows:\n"), request_length);
913 if (_isds_sizet2int(request_length) >= 0 ) {
914 isds_log(ILF_HTTP, ILL_DEBUG, "%.*s\n",
915 _isds_sizet2int(request_length), request);
916 }
917 isds_log(ILF_HTTP, ILL_DEBUG, _("End of POST body\n"));
918 }
919
920
921 /* Do the request */
922 curl_err = curl_easy_perform(context->curl);
923
924 if (!curl_err)
925 curl_err = curl_easy_getinfo(context->curl, CURLINFO_CONTENT_TYPE,
926 &content_type);
927
928 if (curl_err) {
929 /* TODO: Use curl_easy_setopt(CURLOPT_ERRORBUFFER) to obtain detailed
930 * error message. */
931 /* TODO: CURL is not internationalized yet. Collect CURL messages for
932 * I18N. */
933 isds_printf_message(context,
934 _("%s: %s"), url, _(curl_easy_strerror(curl_err)));
935 if (curl_err == CURLE_ABORTED_BY_CALLBACK)
936 err = IE_ABORTED;
937 else if (
938 curl_err == CURLE_SSL_CONNECT_ERROR ||
939 curl_err == CURLE_SSL_ENGINE_NOTFOUND ||
940 curl_err == CURLE_SSL_ENGINE_SETFAILED ||
941 curl_err == CURLE_SSL_CERTPROBLEM ||
942 curl_err == CURLE_SSL_CIPHER ||
943 curl_err == CURLE_SSL_CACERT ||
944 curl_err == CURLE_USE_SSL_FAILED ||
945 curl_err == CURLE_SSL_ENGINE_INITFAILED ||
946 curl_err == CURLE_SSL_CACERT_BADFILE ||
947 curl_err == CURLE_SSL_SHUTDOWN_FAILED ||
948 curl_err == CURLE_SSL_CRL_BADFILE ||
949 curl_err == CURLE_SSL_ISSUER_ERROR
950 )
951 err = IE_SECURITY;
952 else
953 err = IE_NETWORK;
954 goto leave;
955 }
956
957 isds_log(ILF_HTTP, ILL_DEBUG, _("Final response to %s received\n"), url);
958 isds_log(ILF_HTTP, ILL_DEBUG,
959 _("Response body length: %zu, content follows:\n"),
960 body.length);
961 if (_isds_sizet2int(body.length) >= 0) {
962 isds_log(ILF_HTTP, ILL_DEBUG, "%.*s\n",
963 _isds_sizet2int(body.length), body.data);
964 }
965 isds_log(ILF_HTTP, ILL_DEBUG, _("End of response body\n"));
966
967
968 /* Extract MIME type and charset */
969 if (content_type) {
970 char *sep;
971 size_t offset;
972
973 sep = strchr(content_type, ';');
974 if (sep) offset = (size_t) (sep - content_type);
975 else offset = strlen(content_type);
976
977 if (mime_type) {
978 *mime_type = malloc(offset + 1);
979 if (!*mime_type) {
980 err = IE_NOMEM;
981 goto leave;
982 }
983 memcpy(*mime_type, content_type, offset);
984 (*mime_type)[offset] = '\0';
985 }
986
987 if (charset) {
988 if (!sep) {
989 *charset = NULL;
990 } else {
991 sep = strstr(sep, "charset=");
992 if (!sep) {
993 *charset = NULL;
994 } else {
995 *charset = strdup(sep + 8);
996 if (!*charset) {
997 err = IE_NOMEM;
998 goto leave;
999 }
1000 }
1001 }
1002 }
1003 }
1004
1005 /* Get HTTP response code */
1006 if (http_code) {
1007 curl_err = curl_easy_getinfo(context->curl,
1008 CURLINFO_RESPONSE_CODE, http_code);
1009 if (curl_err) {
1010 err = IE_ERROR;
1011 goto leave;
1012 }
1013 }
1014
1015 /* Store OTP authentication results */
1016 if (response_otp_headers && response_otp_headers->is_complete) {
1017 isds_log(ILF_SEC, ILL_DEBUG,
1018 _("OTP authentication headers received: "
1019 "method=%s, code=%s, message=%s\n"),
1020 response_otp_headers->method, response_otp_headers->code,
1021 response_otp_headers->message);
1022
1023 /* XXX: Don't make unknown code fatal. Missing code can be success if
1024 * HTTP code is 302. This is checked in _isds_soap(). */
1025 response_otp_headers->resolution =
1026 string2isds_otp_resolution(response_otp_headers->code);
1027
1028 if (response_otp_headers->message != NULL) {
1029 char *message_locale = _isds_utf82locale(response_otp_headers->message);
1030 /* _isds_utf82locale() return NULL on inconverable string. Do not
1031 * panic on it.
1032 * TODO: Escape such characters.
1033 * if (message_locale == NULL) {
1034 err = IE_NOMEM;
1035 goto leave;
1036 }*/
1037 isds_printf_message(context,
1038 _("Server returned OTP authentication message: %s"),
1039 message_locale);
1040 free(message_locale);
1041 }
1042
1043 char *next_url = NULL; /* Weak pointer managed by cURL */
1044 curl_err = curl_easy_getinfo(context->curl, CURLINFO_REDIRECT_URL,
1045 &next_url);
1046 if (curl_err) {
1047 err = IE_ERROR;
1048 goto leave;
1049 }
1050 if (next_url != NULL) {
1051 isds_log(ILF_SEC, ILL_DEBUG,
1052 _("OTP authentication headers redirect to: <%s>\n"),
1053 next_url);
1054 free(response_otp_headers->redirect);
1055 response_otp_headers->redirect = strdup(next_url);
1056 if (response_otp_headers->redirect == NULL) {
1057 err = IE_NOMEM;
1058 goto leave;
1059 }
1060 }
1061 }
1062 leave:
1063 curl_slist_free_all(headers);
1064
1065 if (err) {
1066 free(body.data);
1067 body.data = NULL;
1068 body.length = 0;
1069
1070 if (mime_type) {
1071 free(*mime_type);
1072 *mime_type = NULL;
1073 }
1074 if (charset) {
1075 free(*charset);
1076 *charset = NULL;
1077 }
1078
1079 if (err != IE_ABORTED) _isds_close_connection(context);
1080 }
1081
1082 *response = body.data;
1083 *response_length = body.length;
1084
1085 return err;
1086 }
1087
1088 /* Converts numeric server response when periodically checking for MEP
1089 * authentication status.
1090 * @str String containing the numeric server response value
1091 * @len String length
1092 * @return server response code or MEP_RESOLUTION_UNKNOWN if the code was not
1093 * recognised. */
1094 static isds_mep_resolution mep_ws_state_response(const char *str, size_t len) {
1095 isds_mep_resolution res = MEP_RESOLUTION_UNKNOWN; /* Default error. */
1096
1097 if ((str == NULL) || (len == 0)) {
1098 return res;
1099 }
1100 /* Ensure trailing '\0' character. */
1101 char *tmp_str = malloc(len + 1);
1102 if (tmp_str == NULL) {
1103 return res;
1104 }
1105 memcpy(tmp_str, str, len);
1106 tmp_str[len] = '\0';
1107
1108 char *endptr;
1109 long num = strtol(tmp_str, &endptr, 10);
1110 if (*endptr != '\0' || LONG_MIN == num || LONG_MAX == num) {
1111 return res;
1112 }
1113
1114 switch (num) {
1115 case -1:
1116 res = MEP_RESOLUTION_UNRECOGNISED;
1117 break;
1118 case 1:
1119 res = MEP_RESOLUTION_ACK_REQUESTED;
1120 break;
1121 case 2:
1122 res = MEP_RESOLUTION_ACK;
1123 break;
1124 case 3:
1125 res = MEP_RESOLUTION_ACK_EXPIRED;
1126 break;
1127 default:
1128 break;
1129 }
1130
1131 free(tmp_str);
1132
1133 return res;
1134 }
1135
1136
1137 /* Build SOAP request.
1138 * @context needed for error logging,
1139 * @request is XML node set with SOAP request body,
1140 * @http_request_ptr the address of a pointer to an automatically allocated
1141 * buffer to which the request data are written.
1142 */
1143 static isds_error build_http_request(struct isds_ctx *context,
1144 const xmlNodePtr request, xmlBufferPtr *http_request_ptr) {
1145
1146 isds_error err = IE_SUCCESS;
1147 xmlBufferPtr http_request = NULL;
1148 xmlSaveCtxtPtr save_ctx = NULL;
1149 xmlDocPtr request_soap_doc = NULL;
1150 xmlNodePtr request_soap_envelope = NULL, request_soap_body = NULL;
1151 xmlNsPtr soap_ns = NULL;
1152
1153 if (NULL == context) {
1154 return IE_INVALID_CONTEXT;
1155 }
1156 if (NULL == http_request_ptr) {
1157 return IE_ERROR;
1158 }
1159
1160
1161 /* Build SOAP request envelope */
1162 request_soap_doc = xmlNewDoc(BAD_CAST "1.0");
1163 if (NULL == request_soap_doc) {
1164 isds_log_message(context, _("Could not build SOAP request document"));
1165 err = IE_ERROR;
1166 goto leave;
1167 }
1168 request_soap_envelope = xmlNewNode(NULL, BAD_CAST "Envelope");
1169 if (NULL == request_soap_envelope) {
1170 isds_log_message(context, _("Could not build SOAP request envelope"));
1171 err = IE_ERROR;
1172 goto leave;
1173 }
1174 xmlDocSetRootElement(request_soap_doc, request_soap_envelope);
1175 /* Only this way we get namespace definition as @xmlns:soap,
1176 * otherwise we get namespace prefix without definition */
1177 soap_ns = xmlNewNs(request_soap_envelope, BAD_CAST SOAP_NS, NULL);
1178 if(NULL == soap_ns) {
1179 isds_log_message(context, _("Could not create SOAP name space"));
1180 err = IE_ERROR;
1181 goto leave;
1182 }
1183 xmlSetNs(request_soap_envelope, soap_ns);
1184 request_soap_body = xmlNewChild(request_soap_envelope, NULL,
1185 BAD_CAST "Body", NULL);
1186 if (NULL == request_soap_body) {
1187 isds_log_message(context,
1188 _("Could not add Body to SOAP request envelope"));
1189 err = IE_ERROR;
1190 goto leave;
1191 }
1192
1193
1194 /* Append request XML node set to SOAP body if request is not empty */
1195 /* XXX: Copy of request must be used, otherwise xmlFreeDoc(request_soap_doc)
1196 * would destroy this outer structure. */
1197 if (NULL != request) {
1198 xmlNodePtr request_copy = xmlCopyNodeList(request);
1199 if (NULL == request_copy) {
1200 isds_log_message(context,
1201 _("Could not copy request content"));
1202 err = IE_ERROR;
1203 goto leave;
1204 }
1205 if (NULL == xmlAddChildList(request_soap_body, request_copy)) {
1206 xmlFreeNodeList(request_copy);
1207 isds_log_message(context,
1208 _("Could not add request content to SOAP "
1209 "request envelope"));
1210 err = IE_ERROR;
1211 goto leave;
1212 }
1213 }
1214
1215
1216 /* Serialize the SOAP request into HTTP request body */
1217 http_request = xmlBufferCreate();
1218 if (NULL == http_request) {
1219 isds_log_message(context,
1220 _("Could not create xmlBuffer for HTTP request body"));
1221 err = IE_ERROR;
1222 goto leave;
1223 }
1224 /* Last argument 1 means format the XML tree. This is pretty but it breaks
1225 * XML document transport as it adds text nodes (indentation) between
1226 * elements. */
1227 save_ctx = xmlSaveToBuffer(http_request, "UTF-8", 0);
1228 if (NULL == save_ctx) {
1229 isds_log_message(context,
1230 _("Could not create XML serializer"));
1231 err = IE_ERROR;
1232 goto leave;
1233 }
1234 /* XXX: According LibXML documentation, this function does not return
1235 * meaningful value yet */
1236 xmlSaveDoc(save_ctx, request_soap_doc);
1237 if (-1 == xmlSaveFlush(save_ctx)) {
1238 isds_log_message(context,
1239 _("Could not serialize SOAP request to HTTP request body"));
1240 err = IE_ERROR;
1241 goto leave;
1242 }
1243
1244 leave:
1245 xmlSaveClose(save_ctx);
1246 if (err == IE_SUCCESS) {
1247 /* Pass buffer to caller when successfully written. */
1248 *http_request_ptr = http_request;
1249 } else {
1250 xmlBufferFree(http_request);
1251 }
1252 xmlFreeDoc(request_soap_doc); /* recursive, frees request_body, soap_ns*/
1253 return err;
1254 }
1255
1256 /* Process SOAP response.
1257 * @context needed for error logging,
1258 * @response is a pointer to a buffer where response data are held,
1259 * @response_length is the size of the response,
1260 * @response_document is an automatically allocated XML document whose sub-tree
1261 * identified by @response_node_list holds the SOAP response body content. You
1262 * must xmlFreeDoc() it. If you don't care pass NULL and also
1263 * NULL @response_node_list.
1264 * @response_node_list is a pointer to node set with SOAP response body
1265 * content. The returned pointer points into @response_document to the first
1266 * child of SOAP Body element. Pass NULL and NULL @response_document, if you
1267 * don't care.
1268 */
1269 static
1270 isds_error process_http_response(struct isds_ctx *context,
1271 const void *response, size_t response_length,
1272 xmlDocPtr *response_document, xmlNodePtr *response_node_list) {
1273
1274 isds_error err = IE_SUCCESS;
1275 xmlDocPtr response_soap_doc = NULL;
1276 xmlNodePtr response_root = NULL;
1277 xmlXPathContextPtr xpath_ctx = NULL;
1278 xmlXPathObjectPtr response_soap_headers = NULL, response_soap_body = NULL,
1279 response_soap_fault = NULL;
1280
1281 if (NULL == context) {
1282 return IE_INVALID_CONTEXT;
1283 }
1284 if ((NULL == response_document && NULL != response_node_list) ||
1285 (NULL != response_document && NULL == response_node_list)) {
1286 return IE_INVAL;
1287 }
1288
1289 /* TODO: Convert returned body into XML default encoding */
1290
1291 /* Parse the HTTP body as XML */
1292 response_soap_doc = xmlParseMemory(response, response_length);
1293 if (NULL == response_soap_doc) {
1294 err = IE_XML;
1295 goto leave;
1296 }
1297
1298 xpath_ctx = xmlXPathNewContext(response_soap_doc);
1299 if (NULL == xpath_ctx) {
1300 err = IE_ERROR;
1301 goto leave;
1302 }
1303
1304 if (IE_SUCCESS !=
1305 _isds_register_namespaces(xpath_ctx, MESSAGE_NS_UNSIGNED)) {
1306 err = IE_ERROR;
1307 goto leave;
1308 }
1309
1310 if (_isds_sizet2int(response_length) >= 0) {
1311 isds_log(ILF_SOAP, ILL_DEBUG,
1312 _("SOAP response received:\n%.*s\nEnd of SOAP response\n"),
1313 _isds_sizet2int(response_length), response);
1314 }
1315
1316 /* Check for SOAP version */
1317 response_root = xmlDocGetRootElement(response_soap_doc);
1318 if (NULL == response_root) {
1319 isds_log_message(context, "SOAP response has no root element");
1320 err = IE_SOAP;
1321 goto leave;
1322 }
1323 if (xmlStrcmp(response_root->name, BAD_CAST "Envelope") ||
1324 xmlStrcmp(response_root->ns->href, BAD_CAST SOAP_NS)) {
1325 isds_log_message(context, "SOAP response is not SOAP 1.1 document");
1326 err = IE_SOAP;
1327 goto leave;
1328 }
1329
1330 /* Check for SOAP Headers */
1331 response_soap_headers = xmlXPathEvalExpression(
1332 BAD_CAST "/soap:Envelope/soap:Header/"
1333 "*[@soap:mustUnderstand/text() = true()]", xpath_ctx);
1334 if (NULL == response_soap_headers) {
1335 err = IE_ERROR;
1336 goto leave;
1337 }
1338 if (!xmlXPathNodeSetIsEmpty(response_soap_headers->nodesetval)) {
1339 isds_log_message(context,
1340 _("SOAP response requires unsupported feature"));
1341 /* TODO: log the headers
1342 * xmlChar *fragment = NULL;
1343 * fragment = xmlXPathCastNodeSetToSting(response_soap_headers->nodesetval);*/
1344 err = IE_NOTSUP;
1345 goto leave;
1346 }
1347
1348 /* Get SOAP Body */
1349 response_soap_body = xmlXPathEvalExpression(
1350 BAD_CAST "/soap:Envelope/soap:Body", xpath_ctx);
1351 if (NULL == response_soap_body) {
1352 err = IE_ERROR;
1353 goto leave;
1354 }
1355 if (xmlXPathNodeSetIsEmpty(response_soap_body->nodesetval)) {
1356 isds_log_message(context,
1357 _("SOAP response does not contain SOAP Body element"));
1358 err = IE_SOAP;
1359 goto leave;
1360 }
1361 if (response_soap_body->nodesetval->nodeNr > 1) {
1362 isds_log_message(context,
1363 _("SOAP response has more than one Body element"));
1364 err = IE_SOAP;
1365 goto leave;
1366 }
1367
1368 /* Check for SOAP Fault */
1369 response_soap_fault = xmlXPathEvalExpression(
1370 BAD_CAST "/soap:Envelope/soap:Body/soap:Fault", xpath_ctx);
1371 if (NULL == response_soap_fault) {
1372 err = IE_ERROR;
1373 goto leave;
1374 }
1375 if (!xmlXPathNodeSetIsEmpty(response_soap_fault->nodesetval)) {
1376 /* Server signals Fault. Gather error message and croak. */
1377 /* XXX: Only first message is passed */
1378 char *message = NULL, *message_locale = NULL;
1379 xpath_ctx->node = response_soap_fault->nodesetval->nodeTab[0];
1380 xmlXPathFreeObject(response_soap_fault);
1381 /* XXX: faultstring and faultcode are in no name space according
1382 * ISDS specification */
1383 /* First more verbose faultstring */
1384 response_soap_fault = xmlXPathEvalExpression(
1385 BAD_CAST "faultstring[1]/text()", xpath_ctx);
1386 if ((NULL != response_soap_fault) &&
1387 !xmlXPathNodeSetIsEmpty(response_soap_fault->nodesetval)) {
1388 message = (char *)
1389 xmlXPathCastNodeSetToString(response_soap_fault->nodesetval);
1390 message_locale = _isds_utf82locale(message);
1391 }
1392 /* If not available, try shorter faultcode */
1393 if (NULL == message_locale) {
1394 free(message);
1395 xmlXPathFreeObject(response_soap_fault);
1396 response_soap_fault = xmlXPathEvalExpression(
1397 BAD_CAST "faultcode[1]/text()", xpath_ctx);
1398 if ((NULL != response_soap_fault) &&
1399 !xmlXPathNodeSetIsEmpty(response_soap_fault->nodesetval)) {
1400 message = (char *)
1401 xmlXPathCastNodeSetToString(
1402 response_soap_fault->nodesetval);
1403 message_locale = _isds_utf82locale(message);
1404 }
1405 }
1406
1407 /* Croak */
1408 if (NULL != message_locale) {
1409 isds_printf_message(context, _("SOAP response signals Fault: %s"),
1410 message_locale);
1411 } else {
1412 isds_log_message(context, _("SOAP response signals Fault"));
1413 }
1414
1415 free(message_locale);
1416 free(message);
1417
1418 err = IE_SOAP;
1419 goto leave;
1420 }
1421
1422
1423 /* Extract XML tree with ISDS response from SOAP envelope and return it.
1424 * XXX: response_soap_body lists only one Body element here. We need
1425 * children which may not exist (i.e. empty Body) or being more than one
1426 * (this is not the case of ISDS payload, but let's support generic SOAP).
1427 * XXX: We will return the XML document and children as a node list for
1428 * two reasons:
1429 * (1) We won't to do expensive xmlDocCopyNodeList(),
1430 * (2) Any node is unusable after calling xmlFreeDoc() on it's document
1431 * because the document holds a dictionary with identifiers. Caller always
1432 * can do xmlDocCopyNodeList() on a fresh document later. */
1433 if (NULL != response_document && NULL != response_node_list) {
1434 *response_document = response_soap_doc;
1435 *response_node_list =
1436 response_soap_body->nodesetval->nodeTab[0]->children;
1437 response_soap_doc = NULL; /* The document has been passed to the caller. */
1438 }
1439
1440 leave:
1441 xmlXPathFreeObject(response_soap_fault);
1442 xmlXPathFreeObject(response_soap_body);
1443 xmlXPathFreeObject(response_soap_headers);
1444 xmlXPathFreeContext(xpath_ctx);
1445 xmlFreeDoc(response_soap_doc);
1446 return err;
1447 }
1448
1449 /* Do SOAP request.
1450 * @context holds the base URL,
1451 * @file is a (CGI) file of SOAP URL,
1452 * @request is XML node set with SOAP request body.
1453 * @file must be NULL, @request should be NULL rather than empty, if they should
1454 * not be signaled in the SOAP request.
1455 * @response_document is an automatically allocated XML document whose subtree
1456 * identified by @response_node_list holds the SOAP response body content. You
1457 * must xmlFreeDoc() it. If you don't care pass NULL and also
1458 * NULL @response_node_list.
1459 * @response_node_list is a pointer to node set with SOAP response body
1460 * content. The returned pointer points into @response_document to the first
1461 * child of SOAP Body element. Pass NULL and NULL @response_document, if you
1462 * don't care.
1463 * @raw_response is automatically allocated bit stream with response body. Use
1464 * NULL if you don't care
1465 * @raw_response_length is size of @raw_response in bytes
1466 * In case of error the response will be deallocated automatically.
1467 * Side effect: message buffer */
1468 _hidden isds_error _isds_soap(struct isds_ctx *context, const char *file,
1469 const xmlNodePtr request,
1470 xmlDocPtr *response_document, xmlNodePtr *response_node_list,
1471 void **raw_response, size_t *raw_response_length) {
1472
1473 isds_error err = IE_SUCCESS;
1474 char *url = NULL;
1475 char *mime_type = NULL;
1476 long http_code = 0;
1477 struct auth_headers response_otp_headers;
1478 xmlBufferPtr http_request = NULL;
1479 void *http_response = NULL;
1480 size_t response_length = 0;
1481
1482 if (!context) return IE_INVALID_CONTEXT;
1483 if ( (NULL == response_document && NULL != response_node_list) ||
1484 (NULL != response_document && NULL == response_node_list))
1485 return IE_INVAL;
1486 if (!raw_response_length && raw_response) return IE_INVAL;
1487
1488 if (response_document) *response_document = NULL;
1489 if (response_node_list) *response_node_list = NULL;
1490 if (raw_response) *raw_response = NULL;
1491
1492 url = _isds_astrcat(context->url, file);
1493 if (!url) return IE_NOMEM;
1494
1495
1496 err = build_http_request(context, request, &http_request);
1497 if (IE_SUCCESS != err) {
1498 goto leave;
1499 }
1500
1501
1502 if ((context->otp_credentials != NULL) || (context->mep_credentials != NULL)) {
1503 memset(&response_otp_headers, 0, sizeof(response_otp_headers));
1504 }
1505 redirect:
1506 if ((context->otp_credentials != NULL) || (context->mep_credentials != NULL)) {
1507 auth_headers_free(&response_otp_headers);
1508 }
1509 isds_log(ILF_SOAP, ILL_DEBUG,
1510 _("SOAP request to sent to %s:\n%.*s\nEnd of SOAP request\n"),
1511 url, http_request->use, http_request->content);
1512
1513 if ((NULL != context->mep_credentials) && (NULL != context->mep_credentials->intermediate_uri)) {
1514 /* POST does not work for the intermediate URI, using GET here. */
1515 err = http(context, context->mep_credentials->intermediate_uri, 1, NULL, 0,
1516 &http_response, &response_length,
1517 &mime_type, NULL, &http_code,
1518 ((context->otp_credentials == NULL) && (context->mep_credentials == NULL)) ? NULL: &response_otp_headers);
1519 } else {
1520 err = http(context, url, 0, http_request->content, http_request->use,
1521 &http_response, &response_length,
1522 &mime_type, NULL, &http_code,
1523 ((context->otp_credentials == NULL) && (context->mep_credentials == NULL)) ? NULL: &response_otp_headers);
1524 }
1525
1526 /* TODO: HTTP binding for SOAP prescribes non-200 HTTP return codes
1527 * to be processed too. */
1528
1529 if (err) {
1530 goto leave;
1531 }
1532
1533 if (NULL != context->otp_credentials)
1534 context->otp_credentials->resolution = response_otp_headers.resolution;
1535
1536 /* Check for HTTP return code */
1537 isds_log(ILF_SOAP, ILL_DEBUG, _("Server returned %ld HTTP code\n"),
1538 http_code);
1539 switch (http_code) {
1540 /* XXX: We must see which code is used for not permitted ISDS
1541 * operation like downloading message without proper user
1542 * permissions. In that case we should keep connection opened. */
1543 case 200:
1544 if (NULL != context->otp_credentials) {
1545 if (context->otp_credentials->resolution ==
1546 OTP_RESOLUTION_UNKNOWN)
1547 context->otp_credentials->resolution =
1548 OTP_RESOLUTION_SUCCESS;
1549 } else if (NULL != context->mep_credentials) {
1550 /* The server returns just a numerical value in the body, nothing else. */
1551 context->mep_credentials->resolution =
1552 mep_ws_state_response(http_response, response_length);
1553 switch (context->mep_credentials->resolution) {
1554 case MEP_RESOLUTION_ACK_REQUESTED:
1555 /* Waiting for the user to acknowledge the login request
1556 * in the mobile application. This may take a while.
1557 * Return with partial success. Don't close communication
1558 * context. */
1559 err = IE_PARTIAL_SUCCESS;
1560 goto leave;
1561 break;
1562 case MEP_RESOLUTION_ACK:
1563 /* Immediately redirect to login finalisation. */
1564 zfree(context->mep_credentials->intermediate_uri);
1565 err = IE_PARTIAL_SUCCESS;
1566 goto redirect;
1567 break;
1568 default:
1569 zfree(context->mep_credentials->intermediate_uri);
1570 err = IE_NOT_LOGGED_IN;
1571 /* No SOAP data are returned here just plain response code. */
1572 goto leave;
1573 break;
1574 }
1575 }
1576 break;
1577 case 302:
1578 if (NULL != context->otp_credentials) {
1579 if (context->otp_credentials->resolution ==
1580 OTP_RESOLUTION_UNKNOWN)
1581 context->otp_credentials->resolution =
1582 OTP_RESOLUTION_SUCCESS;
1583 err = IE_PARTIAL_SUCCESS;
1584 isds_printf_message(context,
1585 _("Server redirects on <%s> because OTP authentication "
1586 "succeeded."),
1587 url);
1588 if (context->otp_credentials->otp_code != NULL &&
1589 response_otp_headers.redirect != NULL) {
1590 /* XXX: If OTP code is known, this must be second OTP phase, so
1591 * send final POST request and unset Basic authentication
1592 * from cURL context as cookie is used instead. */
1593 free(url);
1594 url = response_otp_headers.redirect;
1595 response_otp_headers.redirect = NULL;
1596 _isds_discard_credentials(context, 0);
1597 err = unset_http_authorization(context);
1598 if (err) {
1599 isds_log_message(context, _("Could not remove "
1600 "credentials from CURL handle."));
1601 goto leave;
1602 }
1603 goto redirect;
1604 } else {
1605 /* XXX: Otherwise bail out to ask application for OTP code. */
1606 goto leave;
1607 }
1608 } else if (NULL != context->mep_credentials) {
1609 if (context->mep_credentials->resolution == MEP_RESOLUTION_UNKNOWN) {
1610 context->mep_credentials->resolution = MEP_RESOLUTION_ACK_REQUESTED;
1611 if ((context->mep_credentials->intermediate_uri == NULL) &&
1612 (response_otp_headers.redirect != NULL)) {
1613 /* This is the first attempt. */
1614 isds_printf_message(context,
1615 _("Server redirects on <%s> because mobile key authentication "
1616 "succeeded."),
1617 url);
1618 context->mep_credentials->intermediate_uri =
1619 _isds_astrcat(response_otp_headers.redirect, NULL);
1620 err = IE_PARTIAL_SUCCESS;
1621 goto redirect;
1622 }
1623 } else if (context->mep_credentials->resolution == MEP_RESOLUTION_ACK) {
1624 /* MEP login succeeded. No SOAP data received even though
1625 * they were requested. */
1626 context->mep_credentials->resolution = MEP_RESOLUTION_SUCCESS;
1627 err = IE_SUCCESS;
1628 goto leave;
1629 }
1630 break;
1631 } else {
1632 err = IE_HTTP;
1633 isds_printf_message(context,
1634 _("Code 302: Server redirects on <%s> request. "
1635 "Redirection is forbidden in stateless mode."),
1636 url);
1637 goto leave;
1638 }
1639 break;
1640 case 400:
1641 if (NULL != context->mep_credentials) {
1642 free(context->mep_credentials->intermediate_uri);
1643 context->mep_credentials->intermediate_uri = NULL;
1644 context->mep_credentials->resolution = MEP_RESOLUTION_UNRECOGNISED;
1645 err = IE_NOT_LOGGED_IN;
1646 isds_printf_message(context,
1647 _("Code 400: Server redirects on <%s> request. "
1648 "MEP communication code was not recognised."), url);
1649 goto leave;
1650 }
1651 break;
1652 case 401: /* ISDS server returns 401 even if Authorization
1653 presents. */
1654 case 403: /* HTTP/1.0 prescribes 403 if Authorization presents. */
1655 err = IE_NOT_LOGGED_IN;
1656 isds_log_message(context, _("Authentication failed"));
1657 goto leave;
1658 break;
1659 case 404:
1660 err = IE_HTTP;
1661 isds_printf_message(context,
1662 _("Code 404: Document (%s) not found on server"), url);
1663 goto leave;
1664 break;
1665 /* 500 should return standard SOAP message */
1666 }
1667
1668 /* Check for Content-Type: text/xml.
1669 * Do it after HTTP code check because 401 Unauthorized returns HTML web
1670 * page for browsers. */
1671 if (mime_type && strcmp(mime_type, "text/xml")
1672 && strcmp(mime_type, "application/soap+xml")
1673 && strcmp(mime_type, "application/xml")) {
1674 char *mime_type_locale = _isds_utf82locale(mime_type);
1675 isds_printf_message(context,
1676 _("%s: bad MIME type sent by server: %s"), url,
1677 mime_type_locale);
1678 free(mime_type_locale);
1679 err = IE_SOAP;
1680 goto leave;
1681 }
1682
1683
1684 err = process_http_response(context, http_response, response_length,
1685 response_document, response_node_list);
1686 if (IE_SUCCESS != err) {
1687 goto leave;
1688 }
1689
1690
1691 /* Save raw response */
1692 if (NULL != raw_response) {
1693 *raw_response = http_response;
1694 http_response = NULL;
1695 }
1696 if (NULL != raw_response_length) {
1697 *raw_response_length = response_length;
1698 }
1699
1700 leave:
1701 if ((context->otp_credentials != NULL) || (context->mep_credentials != NULL))
1702 auth_headers_free(&response_otp_headers);
1703 free(mime_type);
1704 free(http_response);
1705 xmlBufferFree(http_request);
1706 free(url);
1707
1708 return err;
1709 }
1710
1711
1712 /* Build new URL from current @context and template.
1713 * @context is context carrying an URL
1714 * @template is printf(3) format string. First argument is length of the base
1715 * URL found in @context, second argument is the base URL, third argument is
1716 * again the base URL.
1717 * XXX: We cannot use "$" formatting character because it's not in the ISO C99.
1718 * @new_url is newly allocated URL built from @template. Caller must free it.
1719 * Return IE_SUCCESS, or corresponding error code and @new_url will not be
1720 * allocated.
1721 * */
1722 _hidden isds_error _isds_build_url_from_context(struct isds_ctx *context,
1723 const char *template, char **new_url) {
1724 int length, slashes;
1725
1726 if (NULL != new_url) *new_url = NULL;
1727 if (NULL == context) return IE_INVALID_CONTEXT;
1728 if (NULL == template) return IE_INVAL;
1729 if (NULL == new_url) return IE_INVAL;
1730
1731 /* Find length of base URL from context URL */
1732 if (NULL == context->url) {
1733 isds_log_message(context, _("Base URL could not have been determined "
1734 "from context URL because there was no URL set in the "
1735 "context"));
1736 return IE_ERROR;
1737 }
1738 for (length = 0, slashes = 0; context->url[length] != '\0'; length++) {
1739 if (context->url[length] == '/') slashes++;
1740 if (slashes == 3) break;
1741 }
1742 if (slashes != 3) {
1743 isds_log_message(context, _("Base URL could not have been determined "
1744 "from context URL"));
1745 return IE_ERROR;
1746 }
1747 length++;
1748
1749 /* Build new URL */
1750 if (-1 == isds_asprintf(new_url, template, length, context->url,
1751 context->url))
1752 return IE_NOMEM;
1753
1754 return IE_SUCCESS;
1755 }
1756
1757
1758 /* Invalidate session cookie for otp authenticated @context */
1759 _hidden isds_error _isds_invalidate_otp_cookie(struct isds_ctx *context) {
1760 isds_error err;
1761 char *url = NULL;
1762 long http_code;
1763 void *response = NULL;
1764 size_t response_length;
1765
1766 if (context == NULL || (!context->otp && !context->mep)) return IE_INVALID_CONTEXT;
1767 if (context->curl == NULL) return IE_CONNECTION_CLOSED;
1768
1769 /* Build logout URL */
1770 /*"https://DOMAINNAME/as/processLogout?uri=https://DOMAINNAME/apps/DS/WEB_SERVICE_ENDPOINT"*/
1771 err = _isds_build_url_from_context(context,
1772 "%.*sas/processLogout?uri=%sDS/dz", &url);
1773 if (err) return err;
1774
1775 /* Invalidate the cookie by GET request */
1776 err = http(context,
1777 url, 1,
1778 NULL, 0,
1779 &response, &response_length,
1780 NULL, NULL, &http_code,
1781 NULL);
1782 free(response);
1783 free(url);
1784 if (err) {
1785 /* long message set by http() */
1786 } else if (http_code != 200) {
1787 /* TODO: Specification does not define response for this request.
1788 * Especially it does not state whether direct 200 or 302 redirect is
1789 * sent. We need to check real implementation. */
1790 err = IE_ISDS;
1791 isds_printf_message(context, _("Cookie for OTP authenticated "
1792 "connection to <%s> could not been invalidated"),
1793 context->url);
1794 } else {
1795 isds_log(ILF_SEC, ILL_DEBUG, _("Cookie for OTP authenticated "
1796 "connection to <%s> has been invalidated.\n"),
1797 context->url);
1798 }
1799 return err;
1800 }
1801
1802
1803 /* LibXML functions:
1804 *
1805 * void xmlInitParser(void)
1806 * Initialization function for the XML parser. This is not reentrant. Call
1807 * once before processing in case of use in multithreaded programs.
1808 *
1809 * int xmlInitParserCtxt(xmlParserCtxtPtr ctxt)
1810 * Initialize a parser context
1811 *
1812 * xmlDocPtr xmlCtxtReadDoc(xmlParserCtxtPtr ctxt, const xmlChar * cur,
1813 * const * char URL, const char * encoding, int options);
1814 * Parse in-memory NULL-terminated document @cur.
1815 *
1816 * xmlDocPtr xmlParseMemory(const char * buffer, int size)
1817 * Parse an XML in-memory block and build a tree.
1818 *
1819 * xmlParserCtxtPtr xmlCreateMemoryParserCtxt(const char * buffer, int
1820 * size);
1821 * Create a parser context for an XML in-memory document.
1822 *
1823 * xmlParserCtxtPtr xmlCreateDocParserCtxt(const xmlChar * cur)
1824 * Creates a parser context for an XML in-memory document.
1825 *
1826 * xmlDocPtr xmlCtxtReadMemory(xmlParserCtxtPtr ctxt,
1827 * const char * buffer, int size, const char * URL, const char * encoding,
1828 * int options)
1829 * Parse an XML in-memory document and build a tree. This reuses the existing
1830 * @ctxt parser context.
1831
1832 * void xmlCleanupParser(void)
1833 * Cleanup function for the XML library. It tries to reclaim all parsing
1834 * related glob document related memory. Calling this function should not
1835 * prevent reusing the libr finished using the library or XML document built
1836 * with it.
1837 *
1838 * void xmlClearParserCtxt(xmlParserCtxtPtr ctxt)
1839 * Clear (release owned resources) and reinitialize a parser context.
1840 *
1841 * void xmlCtxtReset(xmlParserCtxtPtr ctxt)
1842 * Reset a parser context
1843 *
1844 * void xmlFreeParserCtxt(xmlParserCtxtPtr ctxt)
1845 * Free all the memory used by a parser context. However the parsed document
1846 * in ctxt->myDoc is not freed.
1847 *
1848 * void xmlFreeDoc(xmlDocPtr cur)
1849 * Free up all the structures used by a document, tree included.
1850 */
Client library for ISDS