enabled cert verification

Sun, 28 Feb 2016 11:21:05 +0100

author
Olaf Wintermann <olaf.wintermann@gmail.com>
date
Sun, 28 Feb 2016 11:21:05 +0100
changeset 199
f448fc8c9191
parent 198
44054c452de1
child 200
cc474cf2c2f5

enabled cert verification

libcurl peer and host verification is now enabled by default. New repository configuration elements were added: additional certificates can be supplied with <cert>certfile</cert>, and certificate verification can be disabled with <verification>false</verification>. A new command-line option for dav also disables verification.

dav/config.c file | annotate | diff | comparison | revisions
dav/config.h file | annotate | diff | comparison | revisions
dav/main.c file | annotate | diff | comparison | revisions
dav/optparser.c file | annotate | diff | comparison | revisions
dav/sync.c file | annotate | diff | comparison | revisions
libidav/session.c file | annotate | diff | comparison | revisions
--- a/dav/config.c	Sat Feb 27 21:04:37 2016 +0100
+++ b/dav/config.c	Sun Feb 28 11:21:05 2016 +0100
@@ -160,6 +160,7 @@
     repo->encrypt_content = false;
     repo->decrypt_name = false;
     repo->decrypt_content = true;
+    repo->verification = true;
     repo->ssl_version = CURL_SSLVERSION_DEFAULT;
     repo->authmethods = CURLAUTH_BASIC;
     return repo;
@@ -232,6 +233,13 @@
         repo->decrypt_content = util_getboolean(value);
     } else if(xstreq(key, "decrypt-name")) {
         repo->decrypt_name = util_getboolean(value);
+    } else if(xstreq(key, "cert")) {
+        char *configdir = util_concat_path(ENV_HOME, ".dav");
+        char *certfile = util_concat_path(configdir, value);
+        repo->cert = certfile;
+        free(configdir);
+    } else if(xstreq(key, "verification")) {
+        repo->verification = util_getboolean(value);
     } else if(xstreq(key, "ssl-version")) {
         if(xstrEQ(value, "TLSv1")) {
             repo->ssl_version = CURL_SSLVERSION_TLSv1;
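Review bot: A repeated `<cert>` element leaks the previous string, because `repo->cert = certfile;` overwrites the pointer without releasing the old value; add `free(repo->cert);` immediately before the assignment. The value is unconditionally joined onto `$HOME/.dav`, so an absolute path such as a system CA bundle presumably cannot be referenced — either document that the path is relative to the config directory or check `value[0] == '/'` and keep the value verbatim in that case. The enclosing function starts and ends outside the hunk.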
--- a/dav/config.h	Sat Feb 27 21:04:37 2016 +0100
+++ b/dav/config.h	Sun Feb 28 11:21:05 2016 +0100
@@ -58,6 +58,8 @@
     char *user;
     char *password;
     char *default_key;
+    char *cert;
+    bool verification;
     bool encrypt_content;
     bool encrypt_name;
     bool decrypt_content;
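Review bot: The two new fields carry no comment, and their contract is not evident from the struct alone: `cert` is an owned path string and `verification` gates libcurl's peer and host checks. Suggest `char *cert;        /* CA certificate path passed to libcurl; NULL = default trust store */` and `bool verification; /* false disables CURLOPT_SSL_VERIFYPEER/VERIFYHOST (insecure) */`. The comment should also pin down whether `cert` names a bundle file or a directory, since the two users added in this commit appear to hand it to different libcurl options.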
--- a/dav/main.c	Sat Feb 27 21:04:37 2016 +0100
+++ b/dav/main.c	Sun Feb 28 11:21:05 2016 +0100
@@ -183,7 +183,8 @@
     fprintf(stderr, "        -t         print content type\n");
     fprintf(stderr, "        -O         override resources\n");
     fprintf(stderr, "        -n <uri>   specify namespace uri\n");
-    fprintf(stderr, "        -v         verbose output\n");
+    fprintf(stderr, "        -i         disable cert verification (all commands)\n");
+    fprintf(stderr, "        -v         verbose output (all commands)\n");
     fprintf(stderr, "\n");
     fprintf(stderr, "Config commands:\n");
     fprintf(stderr, "        add-repository\n");
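Review bot: The help text for `-i` says only "disable cert verification", which understates the effect: with verification off the client accepts any server certificate, so an on-path attacker can intercept the session and the credentials it carries (the default `authmethods` is `CURLAUTH_BASIC`). Make the risk explicit in the line itself, e.g. `fprintf(stderr, "        -i         disable cert verification (insecure: accepts any server cert)\n");`. The enclosing usage function starts and ends outside the hunk.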
@@ -299,12 +300,19 @@
     return 0;
 }
 
-static DavSession* connect_to_repo(Repository *repo) {
+static DavSession* connect_to_repo(Repository *repo, CmdArgs *a) {
     DavSession *sn = dav_session_new_auth(ctx, repo->url, repo->user, repo->password);
     sn->flags = get_repository_flags(repo);
     sn->key = dav_context_get_key(ctx, repo->default_key);
     curl_easy_setopt(sn->handle, CURLOPT_HTTPAUTH, repo->authmethods);
     curl_easy_setopt(sn->handle, CURLOPT_SSLVERSION, repo->ssl_version);
+    if(repo->cert) {
+        curl_easy_setopt(sn->handle, CURLOPT_CAINFO, repo->cert);
+    }
+    if(!repo->verification || cmd_getoption(a, "insecure")) {
+        curl_easy_setopt(sn->handle, CURLOPT_SSL_VERIFYPEER, 0);
+        curl_easy_setopt(sn->handle, CURLOPT_SSL_VERIFYHOST, 0);
+    }
     return sn;
 }
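Review bot: `CURLOPT_SSL_VERIFYPEER` and `CURLOPT_SSL_VERIFYHOST` are documented by libcurl as taking a `long`, but the two new `curl_easy_setopt` calls pass the `int` literal `0` through the variadic argument list, which is undefined behaviour where `sizeof(int) != sizeof(long)` (common on 64-bit targets); write `0L`, as the `CURLOPT_FOLLOWLOCATION` call in libidav/session.c already does. The disabling branch is also silent, although it is reached both from the per-repository config and from `-i`; a `fprintf(stderr, "warning: certificate verification disabled for %s\n", repo->url);` inside the `if` would make accidental insecure configurations visible. Since the same session sends the user and password given to `dav_session_new_auth`, a disabled check exposes those credentials to anyone on the path, so the warning is not cosmetic.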
 
@@ -317,7 +325,7 @@
     char *url = a->argv[0];
     char *path = NULL;
     Repository *repo = url2repo(url, &path);
-    DavSession *sn = connect_to_repo(repo);
+    DavSession *sn = connect_to_repo(repo, a);
     
     if(set_session_config(sn, a)) {
         return -1;
@@ -550,7 +558,7 @@
     char *url = a->argv[0];
     char *path = NULL;
     Repository *repo = url2repo(url, &path);
-    DavSession *sn = connect_to_repo(repo);
+    DavSession *sn = connect_to_repo(repo, a);
     
     if(set_session_config(sn, a)) {
         return -1;
@@ -672,7 +680,7 @@
     char *file = a->argv[1];
     char *path = NULL;
     Repository *repo = url2repo(url, &path);
-    DavSession *sn = connect_to_repo(repo);
+    DavSession *sn = connect_to_repo(repo, a);
     
     if(set_session_config(sn, a)) {
         return -1;
@@ -809,7 +817,7 @@
     
     char *url = a->argv[0];
     char *path = NULL;
-    DavSession *sn = connect_to_repo(url2repo(url, &path));
+    DavSession *sn = connect_to_repo(url2repo(url, &path), a);
     
     if(set_session_config(sn, a)) {
         return -1;
@@ -840,7 +848,7 @@
     
     char *url = a->argv[0];
     char *path = NULL;
-    DavSession *sn = connect_to_repo(url2repo(url, &path));
+    DavSession *sn = connect_to_repo(url2repo(url, &path), a);
     
     if(set_session_config(sn, a)) {
         return -1;
@@ -891,7 +899,7 @@
     char *path2 = NULL;
     Repository *repo2 = url2repo(url2, &path2);
     
-    DavSession *sn = connect_to_repo(repo1);
+    DavSession *sn = connect_to_repo(repo1, a);
     if(set_session_config(sn, a)) {
         return -1;
     }
@@ -911,7 +919,7 @@
         char *server1 = util_url_base(repo1->url);
         char *server2 = util_url_base(repo2->url);     
         if(!strcmp(server1, server2)) {
-            DavSession *sn2 = connect_to_repo(repo2);
+            DavSession *sn2 = connect_to_repo(repo2, a);
             if(set_session_config(sn2, a)) {
                 return -1;
             }
@@ -967,7 +975,7 @@
     } else if (a->argc == 1) {
         char *url = a->argv[0];
         char *path = NULL;
-        DavSession *sn = connect_to_repo(url2repo(url, &path));
+        DavSession *sn = connect_to_repo(url2repo(url, &path), a);
 
         DavResource *res = dav_resource_new(sn, path);
         char *date = NULL;
@@ -995,7 +1003,7 @@
     
     char *url = a->argv[0];
     char *path = NULL;
-    DavSession *sn = connect_to_repo(url2repo(url, &path));
+    DavSession *sn = connect_to_repo(url2repo(url, &path), a);
     
     if(set_session_config(sn, a)) {
         return -1;
@@ -1039,7 +1047,7 @@
     
     char *url = a->argv[0];
     char *path = NULL;
-    DavSession *sn = connect_to_repo(url2repo(url, &path));
+    DavSession *sn = connect_to_repo(url2repo(url, &path), a);
     
     if(set_session_config(sn, a)) {
         return -1;
@@ -1089,7 +1097,7 @@
     
     char *url = a->argv[0];
     char *path = NULL;
-    DavSession *sn = connect_to_repo(url2repo(url, &path));
+    DavSession *sn = connect_to_repo(url2repo(url, &path), a);
     
     if(set_session_config(sn, a)) {
         return -1;
--- a/dav/optparser.c	Sat Feb 27 21:04:37 2016 +0100
+++ b/dav/optparser.c	Sun Feb 28 11:21:05 2016 +0100
@@ -105,6 +105,10 @@
                         ucx_map_cstr_put(a->options, "override", NOARG);
                         break;
                     }
+                    case 'i': {
+                        ucx_map_cstr_put(a->options, "insecure", NOARG);
+                        break;
+                    }
                     case 'o': {
                         if(!option) {
                             option = "output";
--- a/dav/sync.c	Sat Feb 27 21:04:37 2016 +0100
+++ b/dav/sync.c	Sun Feb 28 11:21:05 2016 +0100
@@ -153,9 +153,17 @@
             url,
             repo->user,
             repo->password);
-    curl_easy_setopt(sn->handle, CURLOPT_SSLVERSION, repo->ssl_version);
     sn->flags = get_repository_flags(repo);
     sn->key = dav_context_get_key(ctx, repo->default_key);
+    curl_easy_setopt(sn->handle, CURLOPT_HTTPAUTH, repo->authmethods);
+    curl_easy_setopt(sn->handle, CURLOPT_SSLVERSION, repo->ssl_version);
+    if(repo->cert) {
+        curl_easy_setopt(sn->handle, CURLOPT_CAPATH, repo->cert);
+    }
+    if(!repo->verification) {
+        curl_easy_setopt(sn->handle, CURLOPT_SSL_VERIFYPEER, 0);
+        curl_easy_setopt(sn->handle, CURLOPT_SSL_VERIFYHOST, 0);
+    }
     return sn;
 }
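Review bot: `repo->cert` is passed to `CURLOPT_CAPATH` here but to `CURLOPT_CAINFO` in dav/main.c in the same commit; CAPATH expects a directory of hash-named certificates while CAINFO expects a bundle file, and the commit message describes the element as `<cert>certfile</cert>`. A repository configured with a single certificate file will therefore verify under dav but fail under dav-sync (and CAPATH is not honoured by every TLS backend), which pushes users toward `<verification>false</verification>` instead. Change the line to `curl_easy_setopt(sn->handle, CURLOPT_CAINFO, repo->cert);` and pass `0L` rather than `0` to the two verify options, which take a `long`. The enclosing function starts outside the hunk.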
 
--- a/libidav/session.c	Sat Feb 27 21:04:37 2016 +0100
+++ b/libidav/session.c	Sun Feb 28 11:21:05 2016 +0100
@@ -65,8 +65,6 @@
     }
     sn->handle = curl_easy_init();
     curl_easy_setopt(sn->handle, CURLOPT_FOLLOWLOCATION, 1L);
-    
-    curl_easy_setopt(sn->handle, CURLOPT_SSL_VERIFYPEER, 0); // TODO: remove
 
     // set proxy
     DavProxy *proxy = sstrprefix(url, S("https")) ? context->https_proxy
