# HG changeset patch # User Olaf Wintermann # Date 1456654865 -3600 # Node ID f448fc8c9191fc765b10a1178f74ba614342a0b6 # Parent 44054c452de1d005ddc5c1721f1c7dcb6a08294a enabled cert verification libcurl peer and host verification is now enabled. Also added new configuration elements for repositories. Additional certs can be added with certfile and cert verification can be disabled with false. Also added a new cmd option to dav to disable verification.
diff -r 44054c452de1 -r f448fc8c9191 dav/config.c
--- a/dav/config.c Sat Feb 27 21:04:37 2016 +0100
+++ b/dav/config.c Sun Feb 28 11:21:05 2016 +0100
@@ -160,6 +160,7 @@
 repo->encrypt_content = false;
 repo->decrypt_name = false;
 repo->decrypt_content = true;
+ repo->verification = true;
 repo->ssl_version = CURL_SSLVERSION_DEFAULT;
 repo->authmethods = CURLAUTH_BASIC;
 return repo;
@@ -232,6 +233,13 @@
 repo->decrypt_content = util_getboolean(value);
 } else if(xstreq(key, "decrypt-name")) {
 repo->decrypt_name = util_getboolean(value);
+ } else if(xstreq(key, "cert")) {
+ char *configdir = util_concat_path(ENV_HOME, ".dav");
+ char *certfile = util_concat_path(configdir, value);
+ repo->cert = certfile;
+ free(configdir);
+ } else if(xstreq(key, "verification")) {
+ repo->verification = util_getboolean(value);
 } else if(xstreq(key, "ssl-version")) {
 if(xstrEQ(value, "TLSv1")) {
 repo->ssl_version = CURL_SSLVERSION_TLSv1;
diff -r 44054c452de1 -r f448fc8c9191 dav/config.h
--- a/dav/config.h Sat Feb 27 21:04:37 2016 +0100
+++ b/dav/config.h Sun Feb 28 11:21:05 2016 +0100
@@ -58,6 +58,8 @@
 char *user;
 char *password;
 char *default_key;
+ char *cert;
+ bool verification;
 bool encrypt_content;
 bool encrypt_name;
 bool decrypt_content;
diff -r 44054c452de1 -r f448fc8c9191 dav/main.c
--- a/dav/main.c Sat Feb 27 21:04:37 2016 +0100
+++ b/dav/main.c Sun Feb 28 11:21:05 2016 +0100
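Review bot: The new `cert` pointer is given no default in the first dav/config.c hunk (-160), although `verification` is, and `connect_to_repo` later tests `if(repo->cert)` before handing the pointer to libcurl. The allocation of `repo` is outside the hunk, so if it is not zero-initialised that test reads an indeterminate pointer. Adding `repo->cert = NULL;` next to `repo->verification = true;` makes the default explicit either way. The enclosing function starts above the hunk.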
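Review bot: A misspelled value for `verification` may switch TLS verification off, because the second dav/config.c hunk (-232) assigns `repo->verification = util_getboolean(value);` without checking that the text was recognised. `util_getboolean` is not visible here, but if it returns false for unknown input, a typo in the config file silently disables peer and host checks; for this key it would be safer to clear the flag only on an explicit negative value and otherwise keep the default of true and print a warning. In the `cert` branch, `repo->cert = certfile;` overwrites any earlier value without freeing it, so a repeated element leaks the first path; `free(repo->cert);` before the assignment covers that, provided the field starts as NULL. The if/else chain starts and ends outside the hunk.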
@@ -183,7 +183,8 @@
 fprintf(stderr, " -t print content type\n");
 fprintf(stderr, " -O override resources\n");
 fprintf(stderr, " -n specify namespace uri\n");
- fprintf(stderr, " -v verbose output\n");
+ fprintf(stderr, " -i disable cert verification (all commands)\n");
+ fprintf(stderr, " -v verbose output (all commands)\n");
 fprintf(stderr, "\n");
 fprintf(stderr, "Config commands:\n");
 fprintf(stderr, " add-repository\n");
@@ -299,12 +300,19 @@
 return 0;
 }
-static DavSession* connect_to_repo(Repository *repo) {
+static DavSession* connect_to_repo(Repository *repo, CmdArgs *a) {
 DavSession *sn = dav_session_new_auth(ctx, repo->url, repo->user, repo->password);
 sn->flags = get_repository_flags(repo);
 sn->key = dav_context_get_key(ctx, repo->default_key);
 curl_easy_setopt(sn->handle, CURLOPT_HTTPAUTH, repo->authmethods);
 curl_easy_setopt(sn->handle, CURLOPT_SSLVERSION, repo->ssl_version);
+ if(repo->cert) {
+ curl_easy_setopt(sn->handle, CURLOPT_CAINFO, repo->cert);
+ }
+ if(!repo->verification || cmd_getoption(a, "insecure")) {
+ curl_easy_setopt(sn->handle, CURLOPT_SSL_VERIFYPEER, 0);
+ curl_easy_setopt(sn->handle, CURLOPT_SSL_VERIFYHOST, 0);
+ }
 return sn;
 }
@@ -317,7 +325,7 @@
 char *url = a->argv[0];
 char *path = NULL;
 Repository *repo = url2repo(url, &path);
- DavSession *sn = connect_to_repo(repo);
+ DavSession *sn = connect_to_repo(repo, a);
 if(set_session_config(sn, a)) {
 return -1;
@@ -550,7 +558,7 @@
 char *url = a->argv[0];
 char *path = NULL;
 Repository *repo = url2repo(url, &path);
- DavSession *sn = connect_to_repo(repo);
+ DavSession *sn = connect_to_repo(repo, a);
 if(set_session_config(sn, a)) {
 return -1;
@@ -672,7 +680,7 @@
 char *file = a->argv[1];
 char *path = NULL;
 Repository *repo = url2repo(url, &path);
- DavSession *sn = connect_to_repo(repo);
+ DavSession *sn = connect_to_repo(repo, a);
 if(set_session_config(sn, a)) {
 return -1;
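Review bot: The two opt-out calls in the `connect_to_repo` hunk of dav/main.c pass a plain `0`, but `curl_easy_setopt` is variadic and reads `CURLOPT_SSL_VERIFYPEER` and `CURLOPT_SSL_VERIFYHOST` as `long`, so the argument should be written `0L`, e.g. `curl_easy_setopt(sn->handle, CURLOPT_SSL_VERIFYPEER, 0L);`, as libidav/session.c already does for `CURLOPT_FOLLOWLOCATION, 1L`. The same applies to the two calls added in the dav/sync.c hunk. The unverified path is also silent: when `-i` or a false `verification` setting is in effect, nothing tells the user that the server is not authenticated. A line such as `fprintf(stderr, "Warning: certificate verification is disabled\n");` inside that `if` would make an unintended insecure session visible.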
@@ -809,7 +817,7 @@
 char *url = a->argv[0];
 char *path = NULL;
- DavSession *sn = connect_to_repo(url2repo(url, &path));
+ DavSession *sn = connect_to_repo(url2repo(url, &path), a);
 if(set_session_config(sn, a)) {
 return -1;
@@ -840,7 +848,7 @@
 char *url = a->argv[0];
 char *path = NULL;
- DavSession *sn = connect_to_repo(url2repo(url, &path));
+ DavSession *sn = connect_to_repo(url2repo(url, &path), a);
 if(set_session_config(sn, a)) {
 return -1;
@@ -891,7 +899,7 @@
 char *path2 = NULL;
 Repository *repo2 = url2repo(url2, &path2);
- DavSession *sn = connect_to_repo(repo1);
+ DavSession *sn = connect_to_repo(repo1, a);
 if(set_session_config(sn, a)) {
 return -1;
 }
@@ -911,7 +919,7 @@
 char *server1 = util_url_base(repo1->url);
 char *server2 = util_url_base(repo2->url);
 if(!strcmp(server1, server2)) {
- DavSession *sn2 = connect_to_repo(repo2);
+ DavSession *sn2 = connect_to_repo(repo2, a);
 if(set_session_config(sn2, a)) {
 return -1;
 }
@@ -967,7 +975,7 @@
 } else if (a->argc == 1) {
 char *url = a->argv[0];
 char *path = NULL;
- DavSession *sn = connect_to_repo(url2repo(url, &path));
+ DavSession *sn = connect_to_repo(url2repo(url, &path), a);
 DavResource *res = dav_resource_new(sn, path);
 char *date = NULL;
@@ -995,7 +1003,7 @@
 char *url = a->argv[0];
 char *path = NULL;
- DavSession *sn = connect_to_repo(url2repo(url, &path));
+ DavSession *sn = connect_to_repo(url2repo(url, &path), a);
 if(set_session_config(sn, a)) {
 return -1;
@@ -1039,7 +1047,7 @@
 char *url = a->argv[0];
 char *path = NULL;
- DavSession *sn = connect_to_repo(url2repo(url, &path));
+ DavSession *sn = connect_to_repo(url2repo(url, &path), a);
 if(set_session_config(sn, a)) {
 return -1;
@@ -1089,7 +1097,7 @@
 char *url = a->argv[0];
 char *path = NULL;
- DavSession *sn = connect_to_repo(url2repo(url, &path));
+ DavSession *sn = connect_to_repo(url2repo(url, &path), a);
 if(set_session_config(sn, a)) {
 return -1;
diff -r 44054c452de1 -r f448fc8c9191 dav/optparser.c
--- a/dav/optparser.c Sat Feb 27 21:04:37 2016 +0100
+++ b/dav/optparser.c Sun Feb 28 11:21:05 2016 +0100
@@ -105,6 +105,10 @@
 ucx_map_cstr_put(a->options, "override", NOARG);
 break;
 }
+ case 'i': {
+ ucx_map_cstr_put(a->options, "insecure", NOARG);
+ break;
+ }
 case 'o': {
 if(!option) {
 option = "output";
diff -r 44054c452de1 -r f448fc8c9191 dav/sync.c
--- a/dav/sync.c Sat Feb 27 21:04:37 2016 +0100
+++ b/dav/sync.c Sun Feb 28 11:21:05 2016 +0100
@@ -153,9 +153,17 @@
 url,
 repo->user,
 repo->password);
- curl_easy_setopt(sn->handle, CURLOPT_SSLVERSION, repo->ssl_version);
 sn->flags = get_repository_flags(repo);
 sn->key = dav_context_get_key(ctx, repo->default_key);
+ curl_easy_setopt(sn->handle, CURLOPT_HTTPAUTH, repo->authmethods);
+ curl_easy_setopt(sn->handle, CURLOPT_SSLVERSION, repo->ssl_version);
+ if(repo->cert) {
+ curl_easy_setopt(sn->handle, CURLOPT_CAPATH, repo->cert);
+ }
+ if(!repo->verification) {
+ curl_easy_setopt(sn->handle, CURLOPT_SSL_VERIFYPEER, 0);
+ curl_easy_setopt(sn->handle, CURLOPT_SSL_VERIFYHOST, 0);
+ }
 return sn;
 }
diff -r 44054c452de1 -r f448fc8c9191 libidav/session.c
--- a/libidav/session.c Sat Feb 27 21:04:37 2016 +0100
+++ b/libidav/session.c Sun Feb 28 11:21:05 2016 +0100
@@ -65,8 +65,6 @@
 }
 sn->handle = curl_easy_init();
 curl_easy_setopt(sn->handle, CURLOPT_FOLLOWLOCATION, 1L);
-
- curl_easy_setopt(sn->handle, CURLOPT_SSL_VERIFYPEER, 0); // TODO: remove
 // set proxy
 DavProxy *proxy = sstrprefix(url, S("https")) ? context->https_proxy
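Review bot: `CURLOPT_CAPATH` in the dav/sync.c hunk looks like the wrong option for `repo->cert`, since `connect_to_repo` in dav/main.c passes the same field to `CURLOPT_CAINFO`. config.c builds `repo->cert` as the path of a single file under the `.dav` directory, whereas CAPATH names a directory of certificates, so the sync tool would most likely not load the configured certificate and verification against a private CA would fail. That failure mode pushes users towards turning `verification` off, so the line should read `curl_easy_setopt(sn->handle, CURLOPT_CAINFO, repo->cert);`. Because this block now duplicates the session setup in main.c, a shared helper would keep the two from drifting apart again. The enclosing function starts outside the hunk.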