Sun, 28 Feb 2016 11:21:05 +0100
enabled cert verification
libcurl peer and host verification is now enabled. Also added new configuration elements for repositories. Additional certs can be added with <cert>certfile</cert> and cert verification can be disabled with <verification>false</verification>. Also added a new cmd option to dav to disable verification.
--- a/dav/config.c Sat Feb 27 21:04:37 2016 +0100
+++ b/dav/config.c Sun Feb 28 11:21:05 2016 +0100
@@ -160,6 +160,7 @@
 repo->encrypt_content = false;
 repo->decrypt_name = false;
 repo->decrypt_content = true;
+ repo->verification = true;
 repo->ssl_version = CURL_SSLVERSION_DEFAULT;
 repo->authmethods = CURLAUTH_BASIC;
 return repo;
@@ -232,6 +233,13 @@
 repo->decrypt_content = util_getboolean(value);
 } else if(xstreq(key, "decrypt-name")) {
 repo->decrypt_name = util_getboolean(value);
+ } else if(xstreq(key, "cert")) {
+ char *configdir = util_concat_path(ENV_HOME, ".dav");
+ char *certfile = util_concat_path(configdir, value);
+ repo->cert = certfile;
+ free(configdir);
+ } else if(xstreq(key, "verification")) {
+ repo->verification = util_getboolean(value);
 } else if(xstreq(key, "ssl-version")) {
 if(xstrEQ(value, "TLSv1")) {
 repo->ssl_version = CURL_SSLVERSION_TLSv1;
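Review bot: The first hunk initialises `repo->verification = true;` but never sets `repo->cert`, and the new `if(repo->cert)` tests in main.c and sync.c then read whatever the allocator left there; unless the Repository is calloc'd (not visible here), add `repo->cert = NULL;` next to the verification default so the "no custom CA" case is well defined. In the second hunk `repo->cert = certfile;` overwrites a previous value without freeing it, so a config that lists `<cert>` twice leaks the first `util_concat_path` result; `free(repo->cert); repo->cert = certfile;` keeps last-wins semantics without the leak once the field is known to start NULL. The value is always joined under `~/.dav`, so whether an absolute `<cert>` path is honoured depends on `util_concat_path`; a comment stating that the path is relative to the config directory would save users a trip through the source, and a readable check at config-load time would make a mistyped file name fail with a clear message instead of a later libcurl connection error. The enclosing parsing function starts and ends outside the hunk.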
--- a/dav/config.h Sat Feb 27 21:04:37 2016 +0100
+++ b/dav/config.h Sun Feb 28 11:21:05 2016 +0100
@@ -58,6 +58,8 @@
 char *user;
 char *password;
 char *default_key;
+ char *cert;
+ bool verification;
 bool encrypt_content;
 bool encrypt_name;
 bool decrypt_content;
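Review bot: The two new fields carry no comment and their meaning is not obvious from the names alone: `cert` is a CA bundle path handed to libcurl (main.c sets it as CURLOPT_CAINFO) and `verification` is the peer/host verification switch that config.c defaults to true. Suggest `char *cert;        /* CA file for peer verification, NULL = libcurl default */` and `bool verification; /* verify TLS peer and host; false clears CURLOPT_SSL_VERIFYPEER/HOST */`. Who owns and frees `cert` is not visible in this diff; state it in the comment once confirmed against the Repository destructor. The struct definition starts and ends outside the hunk.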
--- a/dav/main.c Sat Feb 27 21:04:37 2016 +0100
+++ b/dav/main.c Sun Feb 28 11:21:05 2016 +0100
@@ -183,7 +183,8 @@
 fprintf(stderr, " -t print content type\n");
 fprintf(stderr, " -O override resources\n");
 fprintf(stderr, " -n <uri> specify namespace uri\n");
- fprintf(stderr, " -v verbose output\n");
+ fprintf(stderr, " -i disable cert verification (all commands)\n");
+ fprintf(stderr, " -v verbose output (all commands)\n");
 fprintf(stderr, "\n");
 fprintf(stderr, "Config commands:\n");
 fprintf(stderr, " add-repository\n");
@@ -299,12 +300,19 @@
 return 0;
 }
-static DavSession* connect_to_repo(Repository *repo) {
+static DavSession* connect_to_repo(Repository *repo, CmdArgs *a) {
 DavSession *sn = dav_session_new_auth(ctx, repo->url, repo->user, repo->password);
 sn->flags = get_repository_flags(repo);
 sn->key = dav_context_get_key(ctx, repo->default_key);
 curl_easy_setopt(sn->handle, CURLOPT_HTTPAUTH, repo->authmethods);
 curl_easy_setopt(sn->handle, CURLOPT_SSLVERSION, repo->ssl_version);
+ if(repo->cert) {
+ curl_easy_setopt(sn->handle, CURLOPT_CAINFO, repo->cert);
+ }
+ if(!repo->verification || cmd_getoption(a, "insecure")) {
+ curl_easy_setopt(sn->handle, CURLOPT_SSL_VERIFYPEER, 0);
+ curl_easy_setopt(sn->handle, CURLOPT_SSL_VERIFYHOST, 0);
+ }
 return sn;
 }
@@ -317,7 +325,7 @@
 char *url = a->argv[0];
 char *path = NULL;
 Repository *repo = url2repo(url, &path);
- DavSession *sn = connect_to_repo(repo);
+ DavSession *sn = connect_to_repo(repo, a);
 if(set_session_config(sn, a)) {
 return -1;
@@ -550,7 +558,7 @@
 char *url = a->argv[0];
 char *path = NULL;
 Repository *repo = url2repo(url, &path);
- DavSession *sn = connect_to_repo(repo);
+ DavSession *sn = connect_to_repo(repo, a);
 if(set_session_config(sn, a)) {
 return -1;
@@ -672,7 +680,7 @@
 char *file = a->argv[1];
 char *path = NULL;
 Repository *repo = url2repo(url, &path);
- DavSession *sn = connect_to_repo(repo);
+ DavSession *sn = connect_to_repo(repo, a);
 if(set_session_config(sn, a)) {
 return -1;
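Review bot: In connect_to_repo, `curl_easy_setopt(sn->handle, CURLOPT_SSL_VERIFYPEER, 0)` and the VERIFYHOST line pass an `int` through the variadic setopt while libcurl reads a `long` for these options; the session code already writes `1L` for CURLOPT_FOLLOWLOCATION, so use `0L` on both lines here and on the same two lines in the sync.c hunk. Turning verification off via `-i` or `<verification>false</verification>` is silent, so the user has no indication that the server is no longer authenticated; a one-liner inside that branch, `fprintf(stderr, "warning: TLS certificate verification disabled\n");`, makes the insecure mode visible. The new help text says `-i` applies to all commands, but the session setup in the sync.c hunk consults only `repo->verification`, so either the help text or the sync path needs adjusting; which commands go through sync.c is not visible in this diff. A short comment on the function stating that `a` is read only for the `insecure` option would also help the eight call sites updated below.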
@@ -809,7 +817,7 @@
 char *url = a->argv[0];
 char *path = NULL;
- DavSession *sn = connect_to_repo(url2repo(url, &path));
+ DavSession *sn = connect_to_repo(url2repo(url, &path), a);
 if(set_session_config(sn, a)) {
 return -1;
@@ -840,7 +848,7 @@
 char *url = a->argv[0];
 char *path = NULL;
- DavSession *sn = connect_to_repo(url2repo(url, &path));
+ DavSession *sn = connect_to_repo(url2repo(url, &path), a);
 if(set_session_config(sn, a)) {
 return -1;
@@ -891,7 +899,7 @@
 char *path2 = NULL;
 Repository *repo2 = url2repo(url2, &path2);
- DavSession *sn = connect_to_repo(repo1);
+ DavSession *sn = connect_to_repo(repo1, a);
 if(set_session_config(sn, a)) {
 return -1;
 }
@@ -911,7 +919,7 @@
 char *server1 = util_url_base(repo1->url);
 char *server2 = util_url_base(repo2->url);
 if(!strcmp(server1, server2)) {
- DavSession *sn2 = connect_to_repo(repo2);
+ DavSession *sn2 = connect_to_repo(repo2, a);
 if(set_session_config(sn2, a)) {
 return -1;
 }
@@ -967,7 +975,7 @@
 } else if (a->argc == 1) {
 char *url = a->argv[0];
 char *path = NULL;
- DavSession *sn = connect_to_repo(url2repo(url, &path));
+ DavSession *sn = connect_to_repo(url2repo(url, &path), a);
 DavResource *res = dav_resource_new(sn, path);
 char *date = NULL;
@@ -995,7 +1003,7 @@
 char *url = a->argv[0];
 char *path = NULL;
- DavSession *sn = connect_to_repo(url2repo(url, &path));
+ DavSession *sn = connect_to_repo(url2repo(url, &path), a);
 if(set_session_config(sn, a)) {
 return -1;
@@ -1039,7 +1047,7 @@
 char *url = a->argv[0];
 char *path = NULL;
- DavSession *sn = connect_to_repo(url2repo(url, &path));
+ DavSession *sn = connect_to_repo(url2repo(url, &path), a);
 if(set_session_config(sn, a)) {
 return -1;
@@ -1089,7 +1097,7 @@
 char *url = a->argv[0];
 char *path = NULL;
- DavSession *sn = connect_to_repo(url2repo(url, &path));
+ DavSession *sn = connect_to_repo(url2repo(url, &path), a);
 if(set_session_config(sn, a)) {
 return -1;
--- a/dav/optparser.c Sat Feb 27 21:04:37 2016 +0100
+++ b/dav/optparser.c Sun Feb 28 11:21:05 2016 +0100
@@ -105,6 +105,10 @@
 ucx_map_cstr_put(a->options, "override", NOARG);
 break;
 }
+ case 'i': {
+ ucx_map_cstr_put(a->options, "insecure", NOARG);
+ break;
+ }
 case 'o': {
 if(!option) {
 option = "output";
--- a/dav/sync.c Sat Feb 27 21:04:37 2016 +0100
+++ b/dav/sync.c Sun Feb 28 11:21:05 2016 +0100
@@ -153,9 +153,17 @@
 url, repo->user, repo->password);
- curl_easy_setopt(sn->handle, CURLOPT_SSLVERSION, repo->ssl_version);
 sn->flags = get_repository_flags(repo);
 sn->key = dav_context_get_key(ctx, repo->default_key);
+ curl_easy_setopt(sn->handle, CURLOPT_HTTPAUTH, repo->authmethods);
+ curl_easy_setopt(sn->handle, CURLOPT_SSLVERSION, repo->ssl_version);
+ if(repo->cert) {
+ curl_easy_setopt(sn->handle, CURLOPT_CAPATH, repo->cert);
+ }
+ if(!repo->verification) {
+ curl_easy_setopt(sn->handle, CURLOPT_SSL_VERIFYPEER, 0);
+ curl_easy_setopt(sn->handle, CURLOPT_SSL_VERIFYHOST, 0);
+ }
 return sn;
 }
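Review bot: This hunk hands `repo->cert` to CURLOPT_CAPATH while main.c's connect_to_repo passes the same value as CURLOPT_CAINFO; CAPATH names a directory of hash-named certificates and CAINFO a bundle file, and the commit message describes `<cert>certfile</cert>` as a file, so the sync session will not find the configured CA and verification against such a repository fails here even though it succeeds for the other commands. Change the line to `curl_easy_setopt(sn->handle, CURLOPT_CAINFO, repo->cert);` so both session builders are interchangeable, or factor the shared TLS setup into one helper so the two copies cannot drift again. The `0` literals on the VERIFYPEER/VERIFYHOST lines should be `0L`, as noted on the main.c hunk. The function's beginning, including the `dav_session_new_auth` call whose tail is the first context line, lies outside the hunk.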
--- a/libidav/session.c Sat Feb 27 21:04:37 2016 +0100
+++ b/libidav/session.c Sun Feb 28 11:21:05 2016 +0100
@@ -65,8 +65,6 @@
 }
 sn->handle = curl_easy_init();
 curl_easy_setopt(sn->handle, CURLOPT_FOLLOWLOCATION, 1L);
-
- curl_easy_setopt(sn->handle, CURLOPT_SSL_VERIFYPEER, 0); // TODO: remove
 // set proxy
 DavProxy *proxy = sstrprefix(url, S("https")) ? context->https_proxy