search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
Ported to MinGW
[libisds.git] / src / soap.c
blob6412ffabf67166e35a6de1984c81076ea2d85677
1 #include "isds_priv.h"
2 #include "soap.h"
3 #include "utils.h"
4 #include <stdlib.h>
5 #include <string.h>
6 #include <strings.h> /* strncasecmp(3) */
7 #include "system.h"
8
9 /* Private structure for write_body() call back */
10 struct soap_body {
11 void *data;
12 size_t length;
13 };
14
15 /* Private structure for write_header() call back */
16 struct auth_headers {
17 _Bool is_complete; /* Response has finished, next iteration is new
18 response, values become obsolete. */
19 char *last_header; /* Temporary storage for previous unfinished header */
20 char *method; /* WWW-Authenticate value */
21 char *code; /* X-Response-message-code value */
22 isds_otp_resolution resolution; /* Decoded .code member */
23 char *message; /* X-Response-message-text value */
24 char *redirect; /* Redirect URL */
25 };
26
27
28 /* Deallocate content of struct auth_headers */
29 static void auth_headers_free(struct auth_headers *headers) {
30 zfree(headers->last_header);
31 zfree(headers->method);
32 zfree(headers->code);
33 zfree(headers->message);
34 zfree(headers->redirect);
35 }
36
37
38 /* If given @line is HTTP header of @name,
39 * return pointer to the header value. Otherwise return NULL.
40 * @name is header name without name---value separator, terminated with 0. */
41 static const char *header_value(const char *line, const char *name) {
42 const char *value;
43 if (line == NULL || name == NULL) return NULL;
44
45 for (value = line; ; value++, name++) {
46 if (*value == '\0') return NULL; /* Line too short */
47 if (*name == '\0') break; /* Name matches */
48 if (*name != *value) return NULL; /* Name does not match */
49 }
50
51 /* Check separator. RFC2616, section 4.2 requires collon only. */
52 if (*value++ != ':') return NULL;
53
54 return value;
55 }
56
57
58 /* Try to decode header value per RFC 2047.
59 * @prepend_space is true if a space should be inserted before decoded word
60 * into @output in case the word has been decoded successfully.
61 * @input is zero terminated input, it's updated to point all consumed
62 * input - 1.
63 * @output is buffer to store decoded value, it's updated to point after last
64 * written character. The buffer must be preallocated.
65 * @return 0 if input has been successfully decoded, then @input and @output
66 * poineres will be updated. Otherwise return non-zero value and keeps
67 * argument pointers and memory unchanged. */
68 static int try_rfc2047_decode(_Bool prepend_space, const char **input,
69 char **output) {
70 const char *encoded;
71 const char *charset_start, *encoding, *end;
72 size_t charset_length;
73 char *charset = NULL;
74 /* ISDS prescribes B encoding only, but RFC 2047 requires to support Q
75 * encoding too. ISDS prescribes UTF-8 charset only, RFC requiers to
76 * support any MIME charset. */
77 if (input == NULL || *input == NULL || output == NULL || *output == NULL)
78 return -1;
79
80 /* Start is "=?" */
81 encoded = *input;
82 if (encoded[0] != '=' || encoded[1] != '?')
83 return -1;
84
85 /* Then is "CHARSET?" */
86 charset_start = (encoded += 2);
87 while (*encoded != '?') {
88 if (*encoded == '\0')
89 return -1;
90 if (*encoded == ' ' || *encoded == '\t' || *encoded == '\r' || *encoded == '\n')
91 return -1;
92 encoded++;
93 }
94 encoded++;
95
96 /* Then is "ENCODING?", where ENCODING is /[BbQq]/ */
97 if (*encoded == '\0') return -1;
98 encoding = encoded++;
99 if (*encoded != '?')
100 return -1;
101 encoded++;
102
103 /* Then is "ENCODED_TEXT?=" */
104 while (*encoded != '?') {
105 if (*encoded == '\0')
106 return -1;
107 if (*encoded == ' ' || *encoded == '\t' || *encoded == '\r' || *encoded == '\n')
108 return -1;
109 encoded++;
110 }
111 end = encoded;
112 if (*(++encoded) != '=') return -1;
113
114 /* Now pointers are:
115 * "=?CHARSET?E?ENCODED_TEXT?="
116 * | | | ||
117 * | | | |\- encoded
118 * | | | \- end
119 * | | \- encoding
120 * | \- charset_start
121 * \- *input
122 */
123
124 charset_length = encoding - charset_start - 1;
125 if (charset_length < 1)
126 return -1;
127 charset = strndup(charset_start, charset_length);
128 if (charset == NULL)
129 return -1;
130
131 /* Decode encoding */
132 char *bit_stream = NULL;
133 size_t bit_length = 0;
134 size_t encoding_length = end - encoding - 2;
135
136 if (*encoding == 'B') {
137 /* Decode Base-64 */
138 char *b64_stream = NULL;
139 if (NULL == (b64_stream =
140 malloc((encoding_length + 1) * sizeof(*encoding)))) {
141 free(charset);
142 return -1;
143 }
144 memcpy(b64_stream, encoding + 2, encoding_length);
145 b64_stream[encoding_length] = '\0';
146 bit_length = _isds_b64decode(b64_stream, (void **)&bit_stream);
147 free(b64_stream);
148 if (bit_length == (size_t) -1) {
149 free(charset);
150 return -1;
151 }
152 } else if (*encoding == 'Q') {
153 /* Decode Quoted-printable-like */
154 if (NULL == (bit_stream =
155 malloc((encoding_length) * sizeof(*encoding)))) {
156 free(charset);
157 return -1;
158 }
159 for (size_t q = 2; q < encoding_length + 2; q++) {
160 if (encoding[q] == '_') {
161 bit_stream[bit_length] = '\x20';
162 } else if (encoding[q] == '=') {
163 int ordinar;
164 /* Validate "=HH", where H is hexadecimal digit */
165 if (q + 2 >= encoding_length + 2 ) {
166 free(bit_stream);
167 free(charset);
168 return -1;
169 }
170 /* Convert =HH */
171 if ((ordinar = _isds_hex2i(encoding[++q])) < 0) {
172 free(bit_stream);
173 free(charset);
174 return -1;
175 }
176 bit_stream[bit_length] = (ordinar << 4);
177 if ((ordinar = _isds_hex2i(encoding[++q])) < 0) {
178 free(bit_stream);
179 free(charset);
180 return -1;
181 }
182 bit_stream[bit_length] += ordinar;
183 } else {
184 bit_stream[bit_length] = encoding[q];
185 }
186 bit_length++;
187 }
188 } else {
189 /* Unknown encoding */
190 free(charset);
191 return -1;
192 }
193
194 /* Convert to UTF-8 */
195 char *utf_stream = NULL;
196 size_t utf_length;
197 utf_length = _isds_any2any(charset, "UTF-8", bit_stream, bit_length,
198 (void **)&utf_stream);
199 free(bit_stream);
200 free(charset);
201 if (utf_length == (size_t) -1) {
202 return -1;
203 }
204
205 /* Copy UTF-8 stream to output buffer */
206 if (prepend_space) {
207 **output = ' ';
208 (*output)++;
209 }
210 memcpy(*output, utf_stream, utf_length);
211 free(utf_stream);
212 *output += utf_length;
213
214 *input = encoded;
215 return 0;
216 }
217
218
219 /* Decode HTTP header value per RFC 2047.
220 * @encoded_value is encoded HTTP header value terminated with NUL. It can
221 * contain HTTP LWS separators that will be replaced with a space.
222 * @return newly allocated decoded value without EOL, or return NULL. */
223 static char *decode_header_value(const char *encoded_value) {
224 char *decoded = NULL, *decoded_cursor;
225 size_t content_length;
226 _Bool text_started = 0, lws_seen = 0, encoded_word_seen = 0;
227
228 if (encoded_value == NULL) return NULL;
229 content_length = strlen(encoded_value);
230
231 /* A character can occupy up to 6 bytes in UTF-8 */
232 decoded = malloc(content_length * 6 + 1);
233 if (decoded == NULL) {
234 /* ENOMEM */
235 return NULL;
236 }
237
238 /* Decode */
239 /* RFC 2616, section 4.2: Remove surrounding LWS, replace inner ones with
240 * a space. */
241 /* RFC 2047, section 6.2: LWS between adjacent encoded words is ignored.
242 * */
243 for (decoded_cursor = decoded; *encoded_value; encoded_value++) {
244 if (*encoded_value == '\r' || *encoded_value == '\n' ||
245 *encoded_value == '\t' || *encoded_value == ' ') {
246 lws_seen = 1;
247 continue;
248 }
249 if (*encoded_value == '=' &&
250 !try_rfc2047_decode(
251 lws_seen && text_started && !encoded_word_seen,
252 &encoded_value, &decoded_cursor)) {
253 encoded_word_seen = 1;
254 } else {
255 if (lws_seen && text_started)
256 *(decoded_cursor++) = ' ';
257 *(decoded_cursor++) = *encoded_value;
258 encoded_word_seen = 0;
259 }
260 lws_seen = 0;
261 text_started = 1;
262 }
263 *decoded_cursor = '\0';
264
265 return decoded;
266 }
267
268
269 /* Return true, if server requests OTP authorization method that client
270 * requested. Otherwise return false.
271 * @client_method is method client requested
272 * @server_method is value of WWW-Authenticate header */
273 /*static _Bool otp_method_matches(const isds_otp_method client_method,
274 const char *server_method) {
275 char *method_name = NULL;
276
277 switch (client_method) {
278 case OTP_HMAC: method_name = "hotp"; break;
279 case OTP_TIME: method_name = "totp"; break;
280 default: return 0;
281 }
282
283 if (!strncmp(server_method, method_name, 4) && (
284 server_method[4] == '\0' || server_method[4] == ' ' ||
285 server_method[4] == '\t'))
286 return 1;
287 return 0;
288 }*/
289
290
291 /* Convert UTF-8 @string to HTTP OTP resolution enum type.
292 * @Return corresponding value or OTP_RESOLUTION_UNKNOWN if @string is not
293 * defined or unknown value. */
294 static isds_otp_resolution string2isds_otp_resolution(const char *string) {
295 if (string == NULL)
296 return OTP_RESOLUTION_UNKNOWN;
297 else if (!strcmp(string, "authentication.info.totpSended"))
298 return OTP_RESOLUTION_TOTP_SENT;
299 else if (!strcmp(string, "authentication.error.userIsNotAuthenticated"))
300 return OTP_RESOLUTION_BAD_AUTHENTICATION;
301 else if (!strcmp(string, "authentication.error.intruderDetected"))
302 return OTP_RESOLUTION_ACCESS_BLOCKED;
303 else if (!strcmp(string, "authentication.error.paswordExpired"))
304 return OTP_RESOLUTION_PASSWORD_EXPIRED;
305 else if (!strcmp(string, "authentication.info.cannotSendQuickly"))
306 return OTP_RESOLUTION_TO_FAST;
307 else if (!strcmp(string, "authentication.error.badRole"))
308 return OTP_RESOLUTION_UNAUTHORIZED;
309 else if (!strcmp(string, "authentication.info.totpNotSended"))
310 return OTP_RESOLUTION_TOTP_NOT_SENT;
311 else
312 return OTP_RESOLUTION_UNKNOWN;
313 }
314
315
316 /* Close connection to server and destroy CURL handle associated
317 * with @context */
318 _hidden isds_error _isds_close_connection(struct isds_ctx *context) {
319 if (!context) return IE_INVALID_CONTEXT;
320
321 if (context->curl) {
322 curl_easy_cleanup(context->curl);
323 context->curl = NULL;
324 isds_log(ILF_HTTP, ILL_DEBUG, _("Connection to server %s closed\n"),
325 context->url);
326 return IE_SUCCESS;
327 } else {
328 return IE_CONNECTION_CLOSED;
329 }
330 }
331
332
333 /* Remove username and password from context CURL handle. */
334 static isds_error unset_http_authorization(struct isds_ctx *context) {
335 isds_error error = IE_SUCCESS;
336
337 if (context == NULL) return IE_INVALID_CONTEXT;
338 if (context->curl == NULL) return IE_CONNECTION_CLOSED;
339
340 #if HAVE_DECL_CURLOPT_USERNAME /* Since curl-7.19.1 */
341 if (curl_easy_setopt(context->curl, CURLOPT_USERNAME, NULL))
342 error = IE_ERROR;
343 if (curl_easy_setopt(context->curl, CURLOPT_PASSWORD, NULL))
344 error = IE_ERROR;
345 #else
346 if (curl_easy_setopt(context->curl, CURLOPT_USERPWD, NULL))
347 error = IE_ERROR;
348 #endif /* not HAVE_DECL_CURLOPT_USERNAME */
349
350 if (error)
351 isds_log(ILF_HTTP, ILL_ERR, _("Error while unsetting user name and "
352 "password from CURL handle for connection to server %s.\n"),
353 context->url);
354 else
355 isds_log(ILF_HTTP, ILL_DEBUG, _("User name and password for server %s "
356 "have been unset from CURL handle.\n"), context->url);
357 return error;
358 }
359
360
361 /* CURL call back function called when chunk of HTTP response body is available.
362 * @buffer points to new data
363 * @size * @nmemb is length of the chunk in bytes. Zero means empty body.
364 * @userp is private structure.
365 * Must return the length of the chunk, otherwise CURL will signal
366 * CURL_WRITE_ERROR. */
367 static size_t write_body(void *buffer, size_t size, size_t nmemb, void *userp) {
368 struct soap_body *body = (struct soap_body *) userp;
369 void *new_data;
370
371 /* FIXME: Check for (size * nmemb + body->lengt) !> SIZE_T_MAX.
372 * Precompute the product then. */
373
374 if (!body) return 0; /* This should never happen */
375 if (0 == (size * nmemb)) return 0; /* Empty body */
376
377 new_data = realloc(body->data, body->length + size * nmemb);
378 if (!new_data) return 0;
379
380 memcpy(new_data + body->length, buffer, size * nmemb);
381
382 body->data = new_data;
383 body->length += size * nmemb;
384
385 return (size * nmemb);
386 }
387
388
389 /* CURL call back function called when a HTTP response header is available.
390 * This is called for each header even if reply consists of more responses.
391 * @buffer points to new header (no zero terminator, but HTTP EOL is included)
392 * @size * @nmemb is length of the header in bytes
393 * @userp is private structure.
394 * Must return the length of the header, otherwise CURL will signal
395 * CURL_WRITE_ERROR. */
396 static size_t write_header(void *buffer, size_t size, size_t nmemb, void *userp) {
397 struct auth_headers *headers = (struct auth_headers *) userp;
398 size_t length;
399 const char *value;
400
401 /* FIXME: Check for (size * nmemb) !> SIZE_T_MAX.
402 * Precompute the product then. */
403 length = size * nmemb;
404
405 if (NULL == headers) return 0; /* This should never happen */
406 if (0 == length) {
407 /* ??? Is this the empty line delimiter? */
408 return 0; /* Empty headers */
409 }
410
411 /* New response, invalide authentication headers. */
412 /* XXX: Chunked encoding trailer is not supported */
413 if (headers->is_complete) auth_headers_free(headers);
414
415 /* Append continuation to multi-line header */
416 if (*(char *)buffer == ' ' || *(char *)buffer == '\t') {
417 if (headers->last_header != NULL) {
418 size_t old_length = strlen(headers->last_header);
419 char *longer_header = realloc(headers->last_header, old_length + length);
420 if (longer_header == NULL) {
421 /* ENOMEM */
422 return 0;
423 }
424 strncpy(longer_header + old_length, (char*)buffer + 1, length - 1);
425 longer_header[old_length + length - 1] = '\0';
426 headers->last_header = longer_header;
427 } else {
428 /* Invalid continuation without starting header will be skipped. */
429 isds_log(ILF_HTTP, ILL_WARNING,
430 _("HTTP header continuation without starting header has "
431 "been encountered. Skipping invalid HTTP response "
432 "line.\n"));
433 }
434 goto leave;
435 }
436
437 /* Decode last header */
438 value = header_value(headers->last_header, "WWW-Authenticate");
439 if (value != NULL) {
440 free(headers->method);
441 if (NULL == (headers->method = decode_header_value(value))) {
442 /* TODO: Set IE_NOMEM to context */
443 return 0;
444 }
445 goto store;
446 }
447
448 value = header_value(headers->last_header, "X-Response-message-code");
449 if (value != NULL) {
450 free(headers->code);
451 if (NULL == (headers->code = decode_header_value(value))) {
452 /* TODO: Set IE_NOMEM to context */
453 return 0;
454 }
455 goto store;
456 }
457
458 value = header_value(headers->last_header, "X-Response-message-text");
459 if (value != NULL) {
460 free(headers->message);
461 if (NULL == (headers->message = decode_header_value(value))) {
462 /* TODO: Set IE_NOMEM to context */
463 return 0;
464 }
465 goto store;
466 }
467
468 store:
469 /* Last header decoded, free it */
470 zfree(headers->last_header);
471
472 if (!strncmp(buffer, "\r\n", length)) {
473 /* Current line is header---body separator */
474 headers->is_complete = 1;
475 goto leave;
476 } else {
477 /* Current line is new header, store it */
478 headers->last_header = malloc(length + 1);
479 if (headers->last_header == NULL) {
480 /* TODO: Set IE_NOMEM to context */
481 return 0;
482 }
483 memcpy(headers->last_header, buffer, length);
484 headers->last_header[length] = '\0';
485 }
486
487 leave:
488 return (length);
489 }
490
491
492 /* CURL progress callback proxy to rearrange arguments.
493 * @curl_data is session context */
494 static int progress_proxy(void *curl_data, double download_total,
495 double download_current, double upload_total, double upload_current) {
496 struct isds_ctx *context = (struct isds_ctx *) curl_data;
497 int abort = 0;
498
499 if (context && context->progress_callback) {
500 abort = context->progress_callback(
501 upload_total, upload_current,
502 download_total, download_current,
503 context->progress_callback_data);
504 if (abort) {
505 isds_log(ILF_HTTP, ILL_INFO,
506 _("Application aborted HTTP transfer"));
507 }
508 }
509
510 return abort;
511 }
512
513
514 /* CURL call back function called when curl has something to log.
515 * @curl is cURL context
516 * @type is cURL log facility
517 * @buffer points to log data, XXX: not zero-terminated
518 * @size is length of log data
519 * @userp is private structure.
520 * Must return 0. */
521 static int log_curl(CURL *curl, curl_infotype type, char *buffer, size_t size,
522 void *userp) {
523 if (!buffer || 0 == size) return 0;
524 if (type == CURLINFO_TEXT || type == CURLINFO_HEADER_IN ||
525 type == CURLINFO_HEADER_OUT)
526 isds_log(ILF_HTTP, ILL_DEBUG, "%*s", size, buffer);
527 return 0;
528 }
529
530
531 /* Do HTTP request.
532 * @context holds the base URL,
533 * @url is a (CGI) file of SOAP URL,
534 * @use_get is a false to do a POST request, true to do a GET request.
535 * @request is body for POST request
536 * @request_length is length of @request in bytes
537 * @reponse is automatically reallocated() buffer to fit HTTP response with
538 * @response_length (does not need to match allocated memory exactly). You must
539 * free() the @response.
540 * @mime_type is automatically allocated MIME type send by server (*NULL if not
541 * sent). Set NULL if you don't care.
542 * @charset is charset of the body signaled by server. The same constrains
543 * like on @mime_type apply.
544 * @http_code is final HTTP code returned by server. This can be 200, 401, 500
545 * or any other one. Pass NULL if you don't interest.
546 * In case of error, the response memory, MIME type, charset and length will be
547 * deallocated and zeroed automatically. Thus be sure they are preallocated or
548 * they points to NULL.
549 * @response_otp_headers is pre-allocated structure for OTP authentication
550 * headers sent by server. Members must be valid pointers or NULLs.
551 * Pass NULL if you don't interest.
552 * Be ware that successful return value does not mean the HTTP request has
553 * been accepted by the server. You must consult @http_code. OTOH, failure
554 * return value means the request could not been sent (e.g. SSL error).
555 * Side effect: message buffer */
556 static isds_error http(struct isds_ctx *context,
557 const char *url, _Bool use_get,
558 const void *request, const size_t request_length,
559 void **response, size_t *response_length,
560 char **mime_type, char **charset, long *http_code,
561 struct auth_headers *response_otp_headers) {
562
563 CURLcode curl_err;
564 isds_error err = IE_SUCCESS;
565 struct soap_body body;
566 char *content_type;
567 struct curl_slist *headers = NULL;
568
569
570 if (!context) return IE_INVALID_CONTEXT;
571 if (!url) return IE_INVAL;
572 if (request_length > 0 && !request) return IE_INVAL;
573 if (!response || !response_length) return IE_INVAL;
574
575 /* Clean authentication headers */
576
577 /* Set the body here to allow deallocation in leave block */
578 body.data = *response;
579 body.length = 0;
580
581 /* Set Request-URI */
582 curl_err = curl_easy_setopt(context->curl, CURLOPT_URL, url);
583
584 /* Set TLS options */
585 if (!curl_err && context->tls_verify_server) {
586 if (!*context->tls_verify_server)
587 isds_log(ILF_SEC, ILL_WARNING,
588 _("Disabling server identity verification. "
589 "That was your decision.\n"));
590 curl_err = curl_easy_setopt(context->curl, CURLOPT_SSL_VERIFYPEER,
591 (*context->tls_verify_server)? 1L : 0L);
592 if (!curl_err) {
593 curl_err = curl_easy_setopt(context->curl, CURLOPT_SSL_VERIFYHOST,
594 (*context->tls_verify_server)? 2L : 0L);
595 }
596 }
597 if (!curl_err && context->tls_ca_file) {
598 isds_log(ILF_SEC, ILL_INFO,
599 _("CA certificates will be searched in `%s' file since now\n"),
600 context->tls_ca_file);
601 curl_err = curl_easy_setopt(context->curl, CURLOPT_CAINFO,
602 context->tls_ca_file);
603 }
604 if (!curl_err && context->tls_ca_dir) {
605 isds_log(ILF_SEC, ILL_INFO,
606 _("CA certificates will be searched in `%s' directory "
607 "since now\n"), context->tls_ca_dir);
608 curl_err = curl_easy_setopt(context->curl, CURLOPT_CAPATH,
609 context->tls_ca_dir);
610 }
611 if (!curl_err && context->tls_crl_file) {
612 #if HAVE_DECL_CURLOPT_CRLFILE /* Since curl-7.19.0 */
613 isds_log(ILF_SEC, ILL_INFO,
614 _("CRLs will be searched in `%s' file since now\n"),
615 context->tls_crl_file);
616 curl_err = curl_easy_setopt(context->curl, CURLOPT_CRLFILE,
617 context->tls_crl_file);
618 #else
619 isds_log(ILF_SEC, ILL_WARNING,
620 _("Your curl library cannot pass certificate revocation "
621 "list to cryptographic library.\n"
622 "Make sure cryptographic library default setting "
623 "delivers proper CRLs,\n"
624 "or upgrade curl.\n"));
625 #endif /* not HAVE_DECL_CURLOPT_CRLFILE */
626 }
627
628
629 /* Set credentials */
630 #if HAVE_DECL_CURLOPT_USERNAME /* Since curl-7.19.1 */
631 if (!curl_err && context->username) {
632 curl_err = curl_easy_setopt(context->curl, CURLOPT_USERNAME,
633 context->username);
634 }
635 if (!curl_err && context->password) {
636 curl_err = curl_easy_setopt(context->curl, CURLOPT_PASSWORD,
637 context->password);
638 }
639 #else
640 if (!curl_err && (context->username || context->password)) {
641 char *userpwd =
642 _isds_astrcat3(context->username, ":", context->password);
643 if (!userpwd) {
644 isds_log_message(context, _("Could not pass credentials to CURL"));
645 err = IE_NOMEM;
646 goto leave;
647 }
648 curl_err = curl_easy_setopt(context->curl, CURLOPT_USERPWD, userpwd);
649 free(userpwd);
650 }
651 #endif /* not HAVE_DECL_CURLOPT_USERNAME */
652
653 /* Set PKI credentials */
654 if (!curl_err && (context->pki_credentials)) {
655 if (context->pki_credentials->engine) {
656 /* Select SSL engine */
657 isds_log(ILF_SEC, ILL_INFO,
658 _("Cryptographic engine `%s' will be used for "
659 "key or certificate\n"),
660 context->pki_credentials->engine);
661 curl_err = curl_easy_setopt(context->curl, CURLOPT_SSLENGINE,
662 context->pki_credentials->engine);
663 }
664
665 if (!curl_err) {
666 /* Select certificate format */
667 #if HAVE_DECL_CURLOPT_SSLCERTTYPE /* since curl-7.9.3 */
668 if (context->pki_credentials->certificate_format ==
669 PKI_FORMAT_ENG) {
670 /* XXX: It's valid to have certificate in engine without name.
671 * Engines can select certificate according private key and
672 * vice versa. */
673 if (context->pki_credentials->certificate)
674 isds_log(ILF_SEC, ILL_INFO, _("Client `%s' certificate "
675 "will be read from `%s' engine\n"),
676 context->pki_credentials->certificate,
677 context->pki_credentials->engine);
678 else
679 isds_log(ILF_SEC, ILL_INFO, _("Client certificate "
680 "will be read from `%s' engine\n"),
681 context->pki_credentials->engine);
682 curl_err = curl_easy_setopt(context->curl, CURLOPT_SSLCERTTYPE,
683 "ENG");
684 } else if (context->pki_credentials->certificate) {
685 isds_log(ILF_SEC, ILL_INFO, _("Client %s certificate "
686 "will be read from `%s' file\n"),
687 (context->pki_credentials->certificate_format ==
688 PKI_FORMAT_DER) ? _("DER") : _("PEM"),
689 context->pki_credentials->certificate);
690 curl_err = curl_easy_setopt(context->curl, CURLOPT_SSLCERTTYPE,
691 (context->pki_credentials->certificate_format ==
692 PKI_FORMAT_DER) ? "DER" : "PEM");
693 }
694 #else
695 if ((context->pki_credentials->certificate_format ==
696 PKI_FORMAT_ENG ||
697 context->pki_credentials->certificate))
698 isds_log(ILF_SEC, ILL_WARNING,
699 _("Your curl library cannot distinguish certificate "
700 "formats. Make sure your cryptographic library\n"
701 "understands your certificate file by default, "
702 "or upgrade curl.\n"));
703 #endif /* not HAVE_DECL_CURLOPT_SSLCERTTYPE */
704 }
705
706 if (!curl_err && context->pki_credentials->certificate) {
707 /* Select certificate */
708 if (!curl_err)
709 curl_err = curl_easy_setopt(context->curl, CURLOPT_SSLCERT,
710 context->pki_credentials->certificate);
711 }
712
713 if (!curl_err) {
714 /* Select key format */
715 if (context->pki_credentials->key_format == PKI_FORMAT_ENG) {
716 if (context->pki_credentials->key)
717 isds_log(ILF_SEC, ILL_INFO, _("Client private key `%s' "
718 "from `%s' engine will be used\n"),
719 context->pki_credentials->key,
720 context->pki_credentials->engine);
721 else
722 isds_log(ILF_SEC, ILL_INFO, _("Client private key "
723 "from `%s' engine will be used\n"),
724 context->pki_credentials->engine);
725 curl_err = curl_easy_setopt(context->curl, CURLOPT_SSLKEYTYPE,
726 "ENG");
727 } else if (context->pki_credentials->key) {
728 isds_log(ILF_SEC, ILL_INFO, _("Client %s private key will be "
729 "read from `%s' file\n"),
730 (context->pki_credentials->key_format ==
731 PKI_FORMAT_DER) ? _("DER") : _("PEM"),
732 context->pki_credentials->key);
733 curl_err = curl_easy_setopt(context->curl, CURLOPT_SSLKEYTYPE,
734 (context->pki_credentials->key_format ==
735 PKI_FORMAT_DER) ? "DER" : "PEM");
736 }
737
738 if (!curl_err)
739 /* Select key */
740 curl_err = curl_easy_setopt(context->curl, CURLOPT_SSLKEY,
741 context->pki_credentials->key);
742
743 if (!curl_err) {
744 /* Pass key pass-phrase */
745 #if HAVE_DECL_CURLOPT_KEYPASSWD /* since curl-7.16.5 */
746 curl_err = curl_easy_setopt(context->curl,
747 CURLOPT_KEYPASSWD,
748 context->pki_credentials->passphrase);
749 #elif HAVE_DECL_CURLOPT_SSLKEYPASSWD /* up to curl-7.16.4 */
750 curl_err = curl_easy_setopt(context->curl,
751 CURLOPT_SSLKEYPASSWD,
752 context->pki_credentials->passphrase);
753 #else /* up to curl-7.9.2 */
754 curl_err = curl_easy_setopt(context->curl,
755 CURLOPT_SSLCERTPASSWD,
756 context->pki_credentials->passphrase);
757 #endif
758 }
759 }
760 }
761
762 /* Set authorization cookie for OTP session */
763 if (!curl_err && context->otp) {
764 isds_log(ILF_SEC, ILL_INFO,
765 _("Cookies will be stored and sent "
766 "because context has been authorized by OTP.\n"));
767 curl_err = curl_easy_setopt(context->curl, CURLOPT_COOKIEFILE, "");
768 }
769
770 /* Set timeout */
771 if (!curl_err) {
772 curl_err = curl_easy_setopt(context->curl, CURLOPT_NOSIGNAL, 1);
773 }
774 if (!curl_err && context->timeout) {
775 #if HAVE_DECL_CURLOPT_TIMEOUT_MS /* Since curl-7.16.2 */
776 curl_err = curl_easy_setopt(context->curl, CURLOPT_TIMEOUT_MS,
777 context->timeout);
778 #else
779 curl_err = curl_easy_setopt(context->curl, CURLOPT_TIMEOUT,
780 context->timeout / 1000);
781 #endif /* not HAVE_DECL_CURLOPT_TIMEOUT_MS */
782 }
783
784 /* Register callback */
785 if (context->progress_callback) {
786 if (!curl_err) {
787 curl_err = curl_easy_setopt(context->curl, CURLOPT_NOPROGRESS, 0);
788 }
789 if (!curl_err) {
790 curl_err = curl_easy_setopt(context->curl,
791 CURLOPT_PROGRESSFUNCTION, progress_proxy);
792 }
793 if (!curl_err) {
794 curl_err = curl_easy_setopt(context->curl, CURLOPT_PROGRESSDATA,
795 context);
796 }
797 }
798
799 /* Set other CURL features */
800 if (!curl_err) {
801 curl_err = curl_easy_setopt(context->curl, CURLOPT_FAILONERROR, 0);
802 }
803
804 /* Set get-response function */
805 if (!curl_err) {
806 curl_err = curl_easy_setopt(context->curl, CURLOPT_WRITEFUNCTION,
807 write_body);
808 }
809 if (!curl_err) {
810 curl_err = curl_easy_setopt(context->curl, CURLOPT_WRITEDATA, &body);
811 }
812
813 /* Set get-response-headers function if needed.
814 * XXX: Both CURLOPT_HEADERFUNCTION and CURLOPT_WRITEHEADER must be set or
815 * unset at the same time (see curl_easy_setopt(3)) ASAP, otherwise old
816 * invalid CURLOPT_WRITEHEADER value could be derefenced. */
817 if (!curl_err) {
818 curl_err = curl_easy_setopt(context->curl, CURLOPT_HEADERFUNCTION,
819 (response_otp_headers == NULL) ? NULL: write_header);
820 }
821 if (!curl_err) {
822 curl_err = curl_easy_setopt(context->curl, CURLOPT_WRITEHEADER,
823 response_otp_headers);
824 }
825
826 /* Set MIME types and headers requires by SOAP 1.1.
827 * SOAP 1.1 requires text/xml, SOAP 1.2 requires application/soap+xml */
828 if (!curl_err) {
829 headers = curl_slist_append(headers,
830 "Accept: application/soap+xml,application/xml,text/xml");
831 if (!headers) {
832 err = IE_NOMEM;
833 goto leave;
834 }
835 headers = curl_slist_append(headers, "Content-Type: text/xml");
836 if (!headers) {
837 err = IE_NOMEM;
838 goto leave;
839 }
840 headers = curl_slist_append(headers, "SOAPAction: ");
841 if (!headers) {
842 err = IE_NOMEM;
843 goto leave;
844 }
845 curl_err = curl_easy_setopt(context->curl, CURLOPT_HTTPHEADER, headers);
846 }
847 if (!curl_err) {
848 /* Set user agent identification */
849 curl_err = curl_easy_setopt(context->curl, CURLOPT_USERAGENT,
850 "libisds/" PACKAGE_VERSION);
851 }
852
853 if (use_get) {
854 /* Set GET request */
855 if (!curl_err) {
856 curl_err = curl_easy_setopt(context->curl, CURLOPT_HTTPGET, 1);
857 }
858 } else {
859 /* Set POST request body */
860 if (!curl_err) {
861 curl_err = curl_easy_setopt(context->curl, CURLOPT_POST, 1);
862 }
863 if (!curl_err) {
864 curl_err = curl_easy_setopt(context->curl, CURLOPT_POSTFIELDS, request);
865 }
866 if (!curl_err) {
867 curl_err = curl_easy_setopt(context->curl, CURLOPT_POSTFIELDSIZE,
868 request_length);
869 }
870 }
871
872 /* Check for errors so far */
873 if (curl_err) {
874 isds_log_message(context, curl_easy_strerror(curl_err));
875 err = IE_NETWORK;
876 goto leave;
877 }
878
879 isds_log(ILF_HTTP, ILL_DEBUG, _("Sending %s request to <%s>\n"),
880 use_get ? "GET" : "POST", url);
881 if (!use_get) {
882 isds_log(ILF_HTTP, ILL_DEBUG,
883 _("POST body length: %zu, content follows:\n"), request_length);
884 isds_log(ILF_HTTP, ILL_DEBUG, "%.*s\n", request_length, request);
885 isds_log(ILF_HTTP, ILL_DEBUG, _("End of POST body\n"));
886 }
887 if ((log_facilities & ILF_HTTP) && (log_level >= ILL_DEBUG) ) {
888 curl_easy_setopt(context->curl, CURLOPT_VERBOSE, 1);
889 curl_easy_setopt(context->curl, CURLOPT_DEBUGFUNCTION, log_curl);
890 } else {
891 curl_easy_setopt(context->curl, CURLOPT_VERBOSE, 0);
892 curl_easy_setopt(context->curl, CURLOPT_DEBUGFUNCTION, NULL);
893 }
894
895
896 /* Do the request */
897 curl_err = curl_easy_perform(context->curl);
898
899 if (!curl_err)
900 curl_err = curl_easy_getinfo(context->curl, CURLINFO_CONTENT_TYPE,
901 &content_type);
902
903 if (curl_err) {
904 /* TODO: Use curl_easy_setopt(CURLOPT_ERRORBUFFER) to obtain detailed
905 * error message. */
906 /* TODO: CURL is not internationalized yet. Collect CURL messages for
907 * I18N. */
908 isds_printf_message(context,
909 _("%s: %s"), url, _(curl_easy_strerror(curl_err)));
910 if (curl_err == CURLE_ABORTED_BY_CALLBACK)
911 err = IE_ABORTED;
912 else if (
913 curl_err == CURLE_SSL_CONNECT_ERROR ||
914 curl_err == CURLE_SSL_ENGINE_NOTFOUND ||
915 curl_err == CURLE_SSL_ENGINE_SETFAILED ||
916 curl_err == CURLE_SSL_CERTPROBLEM ||
917 curl_err == CURLE_SSL_CIPHER ||
918 curl_err == CURLE_SSL_CACERT ||
919 curl_err == CURLE_USE_SSL_FAILED ||
920 curl_err == CURLE_SSL_ENGINE_INITFAILED ||
921 curl_err == CURLE_SSL_CACERT_BADFILE ||
922 curl_err == CURLE_SSL_SHUTDOWN_FAILED ||
923 curl_err == CURLE_SSL_CRL_BADFILE ||
924 curl_err == CURLE_SSL_ISSUER_ERROR
925 )
926 err = IE_SECURITY;
927 else
928 err = IE_NETWORK;
929 goto leave;
930 }
931
932 isds_log(ILF_HTTP, ILL_DEBUG, _("Final response to %s received\n"), url);
933 isds_log(ILF_HTTP, ILL_DEBUG,
934 _("Response body length: %zu, content follows:\n"),
935 body.length);
936 isds_log(ILF_HTTP, ILL_DEBUG, "%.*s\n", body.length, body.data);
937 isds_log(ILF_HTTP, ILL_DEBUG, _("End of response body\n"));
938
939
940 /* Extract MIME type and charset */
941 if (content_type) {
942 char *sep;
943 size_t offset;
944
945 sep = strchr(content_type, ';');
946 if (sep) offset = (size_t) (sep - content_type);
947 else offset = strlen(content_type);
948
949 if (mime_type) {
950 *mime_type = malloc(offset + 1);
951 if (!*mime_type) {
952 err = IE_NOMEM;
953 goto leave;
954 }
955 memcpy(*mime_type, content_type, offset);
956 (*mime_type)[offset] = '\0';
957 }
958
959 if (charset) {
960 if (!sep) {
961 *charset = NULL;
962 } else {
963 sep = strstr(sep, "charset=");
964 if (!sep) {
965 *charset = NULL;
966 } else {
967 *charset = strdup(sep + 8);
968 if (!*charset) {
969 err = IE_NOMEM;
970 goto leave;
971 }
972 }
973 }
974 }
975 }
976
977 /* Get HTTP response code */
978 if (http_code) {
979 curl_err = curl_easy_getinfo(context->curl,
980 CURLINFO_RESPONSE_CODE, http_code);
981 if (curl_err) {
982 err = IE_ERROR;
983 goto leave;
984 }
985 }
986
987 /* Store OTP authentication results */
988 if (response_otp_headers && response_otp_headers->is_complete) {
989 isds_log(ILF_SEC, ILL_DEBUG,
990 _("OTP authentication headers received: "
991 "method=%s, code=%s, message=%s\n"),
992 response_otp_headers->method, response_otp_headers->code,
993 response_otp_headers->message);
994
995 /* XXX: Don't make unknown code fatal. Missing code can be succcess if
996 * HTTP code is 302. This is checked in _isds_soap(). */
997 response_otp_headers->resolution =
998 string2isds_otp_resolution(response_otp_headers->code);
999
1000 if (response_otp_headers->message != NULL) {
1001 char *message_locale = _isds_utf82locale(response_otp_headers->message);
1002 /* _isds_utf82locale() return NULL on inconverable string. Do not
1003 * panic on it.
1004 * TODO: Escape such characters.
1005 * if (message_locale == NULL) {
1006 err = IE_NOMEM;
1007 goto leave;
1008 }*/
1009 isds_printf_message(context,
1010 _("Server returned OTP authentication message: %s"),
1011 message_locale);
1012 free(message_locale);
1013 }
1014
1015 char *next_url = NULL; /* Weak pointer managed by cURL */
1016 curl_err = curl_easy_getinfo(context->curl, CURLINFO_REDIRECT_URL,
1017 &next_url);
1018 if (curl_err) {
1019 err = IE_ERROR;
1020 goto leave;
1021 }
1022 if (next_url != NULL) {
1023 isds_log(ILF_SEC, ILL_DEBUG,
1024 _("OTP authentication headers redirect to: <%s>\n"),
1025 next_url);
1026 free(response_otp_headers->redirect);
1027 response_otp_headers->redirect = strdup(next_url);
1028 if (response_otp_headers->redirect == NULL) {
1029 err = IE_NOMEM;
1030 goto leave;
1031 }
1032 }
1033 }
1034 leave:
1035 curl_slist_free_all(headers);
1036
1037 if (err) {
1038 free(body.data);
1039 body.data = NULL;
1040 body.length = 0;
1041
1042 if (mime_type) {
1043 free(*mime_type);
1044 *mime_type = NULL;
1045 }
1046 if (charset) {
1047 free(*charset);
1048 *charset = NULL;
1049 }
1050
1051 if (err != IE_ABORTED) _isds_close_connection(context);
1052 }
1053
1054 *response = body.data;
1055 *response_length = body.length;
1056
1057 return err;
1058 }
1059
1060
1061 /* Do SOAP request.
1062 * @context holds the base URL,
1063 * @file is a (CGI) file of SOAP URL,
1064 * @request is XML node set with SOAP request body.
1065 * @file must be NULL, @request should be NULL rather than empty, if they should
1066 * not be signaled in the SOAP request.
1067 * @reponse is automatically allocated() node set with SOAP response body.
1068 * You must xmlFreeNodeList() it. This is literal body, empty (NULL), one node
1069 * or more nodes can be returned.
1070 * @raw_response is automatically allocated bit stream with response body. Use
1071 * NULL if you don't care
1072 * @raw_response_length is size of @raw_response in bytes
1073 * In case of error the response will be deallocated automatically.
1074 * Side effect: message buffer */
1075 _hidden isds_error _isds_soap(struct isds_ctx *context, const char *file,
1076 const xmlNodePtr request, xmlNodePtr *response,
1077 void **raw_response, size_t *raw_response_length) {
1078
1079 isds_error err = IE_SUCCESS;
1080 char *url = NULL;
1081 char *mime_type = NULL;
1082 long http_code = 0;
1083 struct auth_headers response_otp_headers;
1084 xmlBufferPtr http_request = NULL;
1085 xmlSaveCtxtPtr save_ctx = NULL;
1086 xmlDocPtr request_soap_doc = NULL;
1087 xmlNodePtr request_soap_envelope = NULL, request_soap_body = NULL;
1088 xmlNsPtr soap_ns = NULL;
1089 void *http_response = NULL;
1090 size_t response_length = 0;
1091 xmlDocPtr response_soap_doc = NULL;
1092 xmlNodePtr response_root = NULL;
1093 xmlXPathContextPtr xpath_ctx = NULL;
1094 xmlXPathObjectPtr response_soap_headers = NULL, response_soap_body = NULL,
1095 response_soap_fault = NULL;
1096
1097
1098 if (!context) return IE_INVALID_CONTEXT;
1099 if (!response) return IE_INVAL;
1100 if (!raw_response_length && raw_response) return IE_INVAL;
1101
1102 xmlFreeNodeList(*response);
1103 *response = NULL;
1104 if (raw_response) *raw_response = NULL;
1105
1106 url = _isds_astrcat(context->url, file);
1107 if (!url) return IE_NOMEM;
1108
1109 /* Build SOAP request envelope */
1110 request_soap_doc = xmlNewDoc(BAD_CAST "1.0");
1111 if (!request_soap_doc) {
1112 isds_log_message(context, _("Could not build SOAP request document"));
1113 err = IE_ERROR;
1114 goto leave;
1115 }
1116 request_soap_envelope = xmlNewNode(NULL, BAD_CAST "Envelope");
1117 if (!request_soap_envelope) {
1118 isds_log_message(context, _("Could not build SOAP request envelope"));
1119 err = IE_ERROR;
1120 goto leave;
1121 }
1122 xmlDocSetRootElement(request_soap_doc, request_soap_envelope);
1123 /* Only this way we get namespace definition as @xmlns:soap,
1124 * otherwise we get namespace prefix without definition */
1125 soap_ns = xmlNewNs(request_soap_envelope, BAD_CAST SOAP_NS, NULL);
1126 if(!soap_ns) {
1127 isds_log_message(context, _("Could not create SOAP name space"));
1128 err = IE_ERROR;
1129 goto leave;
1130 }
1131 xmlSetNs(request_soap_envelope, soap_ns);
1132 request_soap_body = xmlNewChild(request_soap_envelope, NULL,
1133 BAD_CAST "Body", NULL);
1134 if (!request_soap_body) {
1135 isds_log_message(context,
1136 _("Could not add Body to SOAP request envelope"));
1137 err = IE_ERROR;
1138 goto leave;
1139 }
1140
1141 /* Append request XML node set to SOAP body if request is not empty */
1142 /* XXX: Copy of request must be used, otherwise xmlFreeDoc(request_soap_doc)
1143 * would destroy this outer structure. */
1144 if (request) {
1145 xmlNodePtr request_copy = xmlCopyNodeList(request);
1146 if (!request_copy) {
1147 isds_log_message(context,
1148 _("Could not copy request content"));
1149 err = IE_ERROR;
1150 goto leave;
1151 }
1152 if (!xmlAddChildList(request_soap_body, request_copy)) {
1153 xmlFreeNodeList(request_copy);
1154 isds_log_message(context,
1155 _("Could not add request content to SOAP "
1156 "request envelope"));
1157 err = IE_ERROR;
1158 goto leave;
1159 }
1160 }
1161
1162
1163 /* Serialize the SOAP request into HTTP request body */
1164 http_request = xmlBufferCreate();
1165 if (!http_request) {
1166 isds_log_message(context,
1167 _("Could not create xmlBuffer for HTTP request body"));
1168 err = IE_ERROR;
1169 goto leave;
1170 }
1171 /* Last argument 1 means format the XML tree. This is pretty but it breaks
1172 * XML document transport as it adds text nodes (indentiation) between
1173 * elements. */
1174 save_ctx = xmlSaveToBuffer(http_request, "UTF-8", 0);
1175 if (!save_ctx) {
1176 isds_log_message(context,
1177 _("Could not create XML serializer"));
1178 err = IE_ERROR;
1179 goto leave;
1180 }
1181 /* XXX: According LibXML documentation, this function does not return
1182 * meaningful value yet */
1183 xmlSaveDoc(save_ctx, request_soap_doc);
1184 if (-1 == xmlSaveFlush(save_ctx)) {
1185 isds_log_message(context,
1186 _("Could not serialize SOAP request to HTTP request body"));
1187 err = IE_ERROR;
1188 goto leave;
1189 }
1190
1191 if (context->otp_credentials != NULL)
1192 memset(&response_otp_headers, 0, sizeof(response_otp_headers));
1193 redirect:
1194 if (context->otp_credentials != NULL)
1195 auth_headers_free(&response_otp_headers);
1196 isds_log(ILF_SOAP, ILL_DEBUG,
1197 _("SOAP request to sent to %s:\n%.*s\nEnd of SOAP request\n"),
1198 url, http_request->use, http_request->content);
1199
1200 err = http(context, url, 0, http_request->content, http_request->use,
1201 &http_response, &response_length,
1202 &mime_type, NULL, &http_code,
1203 (context->otp_credentials == NULL) ? NULL: &response_otp_headers);
1204
1205 /* TODO: HTTP binding for SOAP prescribes non-200 HTTP return codes
1206 * to be processed too. */
1207
1208 if (err) {
1209 goto leave;
1210 }
1211
1212 if (NULL != context->otp_credentials)
1213 context->otp_credentials->resolution = response_otp_headers.resolution;
1214
1215 /* Check for HTTP return code */
1216 isds_log(ILF_SOAP, ILL_DEBUG, _("Server returned %ld HTTP code\n"),
1217 http_code);
1218 switch (http_code) {
1219 /* XXX: We must see which code is used for not permitted ISDS
1220 * operation like downloading message without proper user
1221 * permissions. In that case we should keep connection opened. */
1222 case 200:
1223 if (NULL != context->otp_credentials) {
1224 if (context->otp_credentials->resolution ==
1225 OTP_RESOLUTION_UNKNOWN)
1226 context->otp_credentials->resolution =
1227 OTP_RESOLUTION_SUCCESS;
1228 }
1229 break;
1230 case 302:
1231 if (NULL != context->otp_credentials) {
1232 if (context->otp_credentials->resolution ==
1233 OTP_RESOLUTION_UNKNOWN)
1234 context->otp_credentials->resolution =
1235 OTP_RESOLUTION_SUCCESS;
1236 err = IE_PARTIAL_SUCCESS;
1237 isds_printf_message(context,
1238 _("Server redirects on <%s> because OTP authentication "
1239 "succeeded."),
1240 url);
1241 if (context->otp_credentials->otp_code != NULL &&
1242 response_otp_headers.redirect != NULL) {
1243 /* XXX: If OTP code is known, this must be second OTP phase, so
1244 * send final POST request and unset Basic authentication
1245 * from cURL context as cookie is used instead. */
1246 free(url);
1247 url = response_otp_headers.redirect;
1248 response_otp_headers.redirect = NULL;
1249 _isds_discard_credentials(context, 0);
1250 err = unset_http_authorization(context);
1251 if (err) {
1252 isds_log_message(context, _("Could not remove "
1253 "credentials from CURL handle."));
1254 goto leave;
1255 }
1256 goto redirect;
1257 } else {
1258 /* XXX: Otherwise bail out to ask application for OTP code. */
1259 goto leave;
1260 }
1261 } else {
1262 err = IE_HTTP;
1263 isds_printf_message(context,
1264 _("Code 302: Server redirects on <%s> request. "
1265 "Redirection is forbidden in stateless mode."),
1266 url);
1267 goto leave;
1268 }
1269 break;
1270 case 401: /* ISDS server returns 401 even if Authorization
1271 presents. */
1272 case 403: /* HTTP/1.0 prescribes 403 if Authorization presents. */
1273 err = IE_NOT_LOGGED_IN;
1274 isds_log_message(context, _("Authentication failed"));
1275 goto leave;
1276 break;
1277 case 404:
1278 err = IE_HTTP;
1279 isds_printf_message(context,
1280 _("Code 404: Document (%s) not found on server"), url);
1281 goto leave;
1282 break;
1283 /* 500 should return standard SOAP message */
1284 }
1285
1286 /* Check for Content-Type: text/xml.
1287 * Do it after HTTP code check because 401 Unauthorized returns HTML web
1288 * page for browsers. */
1289 if (mime_type && strcmp(mime_type, "text/xml")
1290 && strcmp(mime_type, "application/soap+xml")
1291 && strcmp(mime_type, "application/xml")) {
1292 char *mime_type_locale = _isds_utf82locale(mime_type);
1293 isds_printf_message(context,
1294 _("%s: bad MIME type sent by server: %s"), url,
1295 mime_type_locale);
1296 free(mime_type_locale);
1297 err = IE_SOAP;
1298 goto leave;
1299 }
1300
1301 /* TODO: Convert returned body into XML default encoding */
1302
1303 /* Parse the HTTP body as XML */
1304 response_soap_doc = xmlParseMemory(http_response, response_length);
1305 if (!response_soap_doc) {
1306 err = IE_XML;
1307 goto leave;
1308 }
1309
1310 xpath_ctx = xmlXPathNewContext(response_soap_doc);
1311 if (!xpath_ctx) {
1312 err = IE_ERROR;
1313 goto leave;
1314 }
1315
1316 if (_isds_register_namespaces(xpath_ctx, MESSAGE_NS_UNSIGNED)) {
1317 err = IE_ERROR;
1318 goto leave;
1319 }
1320
1321 isds_log(ILF_SOAP, ILL_DEBUG,
1322 _("SOAP response received:\n%.*s\nEnd of SOAP response\n"),
1323 response_length, http_response);
1324
1325
1326 /* Check for SOAP version */
1327 response_root = xmlDocGetRootElement(response_soap_doc);
1328 if (!response_root) {
1329 isds_log_message(context, "SOAP response has no root element");
1330 err = IE_SOAP;
1331 goto leave;
1332 }
1333 if (xmlStrcmp(response_root->name, BAD_CAST "Envelope") ||
1334 xmlStrcmp(response_root->ns->href, BAD_CAST SOAP_NS)) {
1335 isds_log_message(context, "SOAP response is not SOAP 1.1 document");
1336 err = IE_SOAP;
1337 goto leave;
1338 }
1339
1340 /* Check for SOAP Headers */
1341 response_soap_headers = xmlXPathEvalExpression(
1342 BAD_CAST "/soap:Envelope/soap:Header/"
1343 "*[@soap:mustUnderstand/text() = true()]", xpath_ctx);
1344 if (!response_soap_headers) {
1345 err = IE_ERROR;
1346 goto leave;
1347 }
1348 if (!xmlXPathNodeSetIsEmpty(response_soap_headers->nodesetval)) {
1349 isds_log_message(context,
1350 _("SOAP response requires unsupported feature"));
1351 /* TODO: log the headers
1352 * xmlChar *fragment = NULL;
1353 * fragment = xmlXPathCastNodeSetToSting(response_soap_headers->nodesetval);*/
1354 err = IE_NOTSUP;
1355 goto leave;
1356 }
1357
1358 /* Get SOAP Body */
1359 response_soap_body = xmlXPathEvalExpression(
1360 BAD_CAST "/soap:Envelope/soap:Body", xpath_ctx);
1361 if (!response_soap_body) {
1362 err = IE_ERROR;
1363 goto leave;
1364 }
1365 if (xmlXPathNodeSetIsEmpty(response_soap_body->nodesetval)) {
1366 isds_log_message(context,
1367 _("SOAP response does not contain SOAP Body element"));
1368 err = IE_SOAP;
1369 goto leave;
1370 }
1371 if (response_soap_body->nodesetval->nodeNr > 1) {
1372 isds_log_message(context,
1373 _("SOAP response has more than one Body element"));
1374 err = IE_SOAP;
1375 goto leave;
1376 }
1377
1378 /* Check for SOAP Fault */
1379 response_soap_fault = xmlXPathEvalExpression(
1380 BAD_CAST "/soap:Envelope/soap:Body/soap:Fault", xpath_ctx);
1381 if (!response_soap_fault) {
1382 err = IE_ERROR;
1383 goto leave;
1384 }
1385 if (!xmlXPathNodeSetIsEmpty(response_soap_fault->nodesetval)) {
1386 /* Server signals Fault. Gather error message and croak. */
1387 /* XXX: Only first message is passed */
1388 char *message = NULL, *message_locale = NULL;
1389 xpath_ctx->node = response_soap_fault->nodesetval->nodeTab[0];
1390 xmlXPathFreeObject(response_soap_fault);
1391 /* XXX: faultstring and faultcode are in no name space according
1392 * ISDS specification */
1393 /* First more verbose faultstring */
1394 response_soap_fault = xmlXPathEvalExpression(
1395 BAD_CAST "faultstring[1]/text()", xpath_ctx);
1396 if (response_soap_fault &&
1397 !xmlXPathNodeSetIsEmpty(response_soap_fault->nodesetval)) {
1398 message = (char *)
1399 xmlXPathCastNodeSetToString(response_soap_fault->nodesetval);
1400 message_locale = _isds_utf82locale(message);
1401 }
1402 /* If not available, try shorter faultcode */
1403 if (!message_locale) {
1404 free(message);
1405 xmlXPathFreeObject(response_soap_fault);
1406 response_soap_fault = xmlXPathEvalExpression(
1407 BAD_CAST "faultcode[1]/text()", xpath_ctx);
1408 if (response_soap_fault &&
1409 !xmlXPathNodeSetIsEmpty(response_soap_fault->nodesetval)) {
1410 message = (char *)
1411 xmlXPathCastNodeSetToString(
1412 response_soap_fault->nodesetval);
1413 message_locale = _isds_utf82locale(message);
1414 }
1415 }
1416
1417 /* Croak */
1418 if (message_locale)
1419 isds_printf_message(context, _("SOAP response signals Fault: %s"),
1420 message_locale);
1421 else
1422 isds_log_message(context, _("SOAP response signals Fault"));
1423
1424 free(message_locale);
1425 free(message);
1426
1427 err = IE_SOAP;
1428 goto leave;
1429 }
1430
1431
1432 /* Extract XML Tree with ISDS response from SOAP envelope and return it.
1433 * XXX: response_soap_body is Body, we need children which may not exist
1434 * (i.e. empty Body). */
1435 /* TODO: Destroy SOAP response but Body children. This is more memory
1436 * friendly than copying (potentially) fat body */
1437 if (response_soap_body->nodesetval->nodeTab[0]->children) {
1438 *response = xmlDocCopyNodeList(response_soap_doc,
1439 response_soap_body->nodesetval->nodeTab[0]->children);
1440 if (!*response) {
1441 err = IE_NOMEM;
1442 goto leave;
1443 }
1444 } else *response = NULL;
1445
1446 /* Save raw response */
1447 if (raw_response) {
1448 *raw_response = http_response;
1449 *raw_response_length = response_length;
1450 http_response = NULL;
1451 }
1452
1453
1454 leave:
1455 if (err) {
1456 xmlFreeNodeList(*response);
1457 *response = NULL;
1458 }
1459
1460 xmlXPathFreeObject(response_soap_fault);
1461 xmlXPathFreeObject(response_soap_body);
1462 xmlXPathFreeObject(response_soap_headers);
1463 xmlXPathFreeContext(xpath_ctx);
1464 xmlFreeDoc(response_soap_doc);
1465 if (context->otp_credentials != NULL)
1466 auth_headers_free(&response_otp_headers);
1467 free(mime_type);
1468 free(http_response);
1469 xmlSaveClose(save_ctx);
1470 xmlBufferFree(http_request);
1471 xmlFreeDoc(request_soap_doc); /* recursive, frees request_body, soap_ns*/
1472 free(url);
1473
1474 return err;
1475 }
1476
1477
1478 /* Build new URL from current @context and template.
1479 * @context is context carrying an URL
1480 * @template is printf(3) format string. First argument is string of base URL
1481 * found in @context, second argument is length of the base URL.
1482 * @new_url is newly allocated URL built from @template. Caller must free it.
1483 * Return IE_SUCCESS, or corresponding error code and @new_url will not be
1484 * allocated.
1485 * */
1486 _hidden isds_error _isds_build_url_from_context(struct isds_ctx *context,
1487 const char *template, char **new_url) {
1488 int length, slashes;
1489
1490 if (NULL != new_url) *new_url = NULL;
1491 if (NULL == context) return IE_INVALID_CONTEXT;
1492 if (NULL == template) return IE_INVAL;
1493 if (NULL == new_url) return IE_INVAL;
1494
1495 /* Find length of base URL from context URL */
1496 if (NULL == context->url) {
1497 isds_log_message(context, _("Base URL could not have been determined "
1498 "from context URL because there was no URL set in the "
1499 "context"));
1500 return IE_ERROR;
1501 }
1502 for (length = 0, slashes = 0; context->url[length] != '\0'; length++) {
1503 if (context->url[length] == '/') slashes++;
1504 if (slashes == 3) break;
1505 }
1506 if (slashes != 3) {
1507 isds_log_message(context, _("Base URL could not have been determined "
1508 "from context URL"));
1509 return IE_ERROR;
1510 }
1511 length++;
1512
1513 /* Build new URL */
1514 if (-1 == isds_asprintf(new_url, template, context->url, length))
1515 return IE_NOMEM;
1516
1517 return IE_SUCCESS;
1518 }
1519
1520
1521 /* Invalidate session cookie for otp authenticated @context */
1522 _hidden isds_error _isds_invalidate_otp_cookie(struct isds_ctx *context) {
1523 isds_error err;
1524 char *url = NULL;
1525 long http_code;
1526 void *response = NULL;
1527 size_t response_length;
1528
1529 if (context == NULL || !context->otp) return IE_INVALID_CONTEXT;
1530 if (context->curl == NULL) return IE_CONNECTION_CLOSED;
1531
1532 /* Build logout URL */
1533 /*"https://DOMAINNAME/as/processLogout?uri=https://DOMAINNAME/apps/DS/WEB_SERVICE_ENDPOINT"*/
1534 err = _isds_build_url_from_context(context,
1535 "%1$.*2$sas/processLogout?uri=%1$sDS/dz", &url);
1536 if (err) return err;
1537
1538 /* Invalidate the cookie by GET request */
1539 err = http(context,
1540 url, 1,
1541 NULL, 0,
1542 &response, &response_length,
1543 NULL, NULL, &http_code,
1544 NULL);
1545 free(response);
1546 free(url);
1547 if (err) {
1548 /* long message set by http() */
1549 } else if (http_code != 200) {
1550 /* TODO: Specification does not define response for this request.
1551 * Especially it does not state whether direct 200 or 302 redirect is
1552 * sent. We need to check real implementation. */
1553 err = IE_ISDS;
1554 isds_printf_message(context, _("Cookie for OTP authenticated "
1555 "connection to <%s> could not been invalidated"),
1556 context->url);
1557 } else {
1558 isds_log(ILF_SEC, ILL_DEBUG, _("Cookie for OTP authenticated "
1559 "connection to <%s> has been invalidated.\n"),
1560 context->url);
1561 }
1562 return err;
1563 }
1564
1565
1566 /* LibXML functions:
1567 *
1568 * void xmlInitParser(void)
1569 * Initialization function for the XML parser. This is not reentrant. Call
1570 * once before processing in case of use in multithreaded programs.
1571 *
1572 * int xmlInitParserCtxt(xmlParserCtxtPtr ctxt)
1573 * Initialize a parser context
1574 *
1575 * xmlDocPtr xmlCtxtReadDoc(xmlParserCtxtPtr ctxt, const xmlChar * cur,
1576 * const * char URL, const char * encoding, int options);
1577 * Parse in-memory NULL-terminated document @cur.
1578 *
1579 * xmlDocPtr xmlParseMemory(const char * buffer, int size)
1580 * Parse an XML in-memory block and build a tree.
1581 *
1582 * xmlParserCtxtPtr xmlCreateMemoryParserCtxt(const char * buffer, int
1583 * size);
1584 * Create a parser context for an XML in-memory document.
1585 *
1586 * xmlParserCtxtPtr xmlCreateDocParserCtxt(const xmlChar * cur)
1587 * Creates a parser context for an XML in-memory document.
1588 *
1589 * xmlDocPtr xmlCtxtReadMemory(xmlParserCtxtPtr ctxt,
1590 * const char * buffer, int size, const char * URL, const char * encoding,
1591 * int options)
1592 * Parse an XML in-memory document and build a tree. This reuses the existing
1593 * @ctxt parser context.
1594
1595 * void xmlCleanupParser(void)
1596 * Cleanup function for the XML library. It tries to reclaim all parsing
1597 * related glob document related memory. Calling this function should not
1598 * prevent reusing the libr finished using the library or XML document built
1599 * with it.
1600 *
1601 * void xmlClearParserCtxt(xmlParserCtxtPtr ctxt)
1602 * Clear (release owned resources) and reinitialize a parser context.
1603 *
1604 * void xmlCtxtReset(xmlParserCtxtPtr ctxt)
1605 * Reset a parser context
1606 *
1607 * void xmlFreeParserCtxt(xmlParserCtxtPtr ctxt)
1608 * Free all the memory used by a parser context. However the parsed document
1609 * in ctxt->myDoc is not freed.
1610 *
1611 * void xmlFreeDoc(xmlDocPtr cur)
1612 * Free up all the structures used by a document, tree included.
1613 */
Client library for ISDS