
[PATCH] freecwmp: add libcurl support for SSL

To: freecwmp@linux-mips.org
Subject: [PATCH] freecwmp: add libcurl support for SSL
From: Kaspar Schleiser <kaspar@schleiser.de>
Date: Thu, 23 Feb 2012 19:07:18 +0100
Cc: Kaspar Schleiser <kaspar@schleiser.de>
Original-recipient: rfc822;freecwmp@linux-mips.org
Sender: freecwmp-bounce@linux-mips.org
Hey,

this patch adds SSL certificate verification support.
Only works when using libcurl.

Kaspar

Signed-off-by: Kaspar Schleiser <kaspar@schleiser.de>
---
 src/config.c    |   21 +++++++++++++++++
 src/cwmp/acs.c  |   67 +++++++++++++++++++++++++++++++++++++++++++++++++++++++
 src/cwmp/acs.h  |    9 +++++++
 src/http/http.c |   27 +++++++++++++++++++++-
 src/http/http.h |    3 ++
 5 files changed, 126 insertions(+), 1 deletions(-)

diff --git a/src/config.c b/src/config.c
index 20aa685..d5ac79f 100644
--- a/src/config.c
+++ b/src/config.c
@@ -176,6 +176,27 @@ section_found:
                        goto next;
                }
                
+        /* ssl_cert */
+               status = strcmp((uci_to_option(e))->e.name, "ssl_cert");
+               if (status == FC_SUCCESS) {
+                       acs_set_ssl_cert((uci_to_option(e))->v.string);
+                       goto next;
+               }
+               
+               /* ssl_cacert */
+               status = strcmp((uci_to_option(e))->e.name, "ssl_cacert");
+               if (status == FC_SUCCESS) {
+                       acs_set_ssl_cacert((uci_to_option(e))->v.string);
+                       goto next;
+               }
+               
+               /* ssl_verify */
+               status = strcmp((uci_to_option(e))->e.name, "ssl_verify");
+               if (status == FC_SUCCESS) {
+                       acs_set_ssl_verify((uci_to_option(e))->v.string);
+                       goto next;
+               }
+
         /* cwmp version */
                status = strcmp((uci_to_option(e))->e.name, "cwmp_version");
                if (status == FC_SUCCESS) {
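Review bot: The `ssl_verify` option value is handed to `acs_set_ssl_verify((uci_to_option(e))->v.string);` without any validation, while the consumer in http.c only recognises the literal string "disable", so a misspelt value silently means "verify" and is never reported to the operator. That is the safe direction, but a warning for any value other than the one recognised would surface the misconfiguration at load time instead of at the first failed connection. Stylistically, the `/* ssl_cert */` comment is indented with spaces while the `/* ssl_cacert */` and `/* ssl_verify */` comments below it follow the surrounding tab indentation. The enclosing function starts and ends outside this hunk.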
diff --git a/src/cwmp/acs.c b/src/cwmp/acs.c
index e379049..10193d9 100644
--- a/src/cwmp/acs.c
+++ b/src/cwmp/acs.c
@@ -27,6 +27,9 @@ acs_init()
        acs.port = 0;
        acs.path = NULL;
     acs.cwmp_version = V1_2;
+       acs.ssl_cacert = NULL;
+       acs.ssl_cert = NULL;
+       acs.ssl_verify = NULL;
 
        FC_DEVEL_DEBUG("exit");
 }
@@ -46,6 +49,12 @@ acs_clean()
        acs.password = NULL;
        if (acs.hostname) free(acs.hostname);
        acs.hostname = NULL;
+       if (acs.ssl_cert) free(acs.ssl_cert);
+       acs.ssl_cert = NULL;
+       if (acs.ssl_cacert) free(acs.ssl_cacert);
+       acs.ssl_cacert = NULL;
+       if (acs.ssl_verify) free(acs.ssl_verify);
+       acs.ssl_verify = NULL;
        acs.port = 0;
        if (acs.path) free(acs.path);
        acs.path = NULL;
@@ -183,3 +192,61 @@ acs_set_cwmp_version(enum cwmp_version version)
 
        FC_DEVEL_DEBUG("exit");
 }
+
+char *
+acs_get_ssl_cert(void)
+{
+       FC_DEVEL_DEBUG("enter & exit");
+       return acs.ssl_cert;
+}
+
+void
+acs_set_ssl_cert(char *c)
+{
+       FC_DEVEL_DEBUG("enter");
+
+       if (acs.ssl_cert)
+               free(acs.ssl_cert);
+       acs.ssl_cert = strdup(c);
+
+       FC_DEVEL_DEBUG("exit");
+}
+
+char *
+acs_get_ssl_cacert(void)
+{
+       FC_DEVEL_DEBUG("enter & exit");
+       return acs.ssl_cacert;
+}
+
+void
+acs_set_ssl_cacert(char *c)
+{
+       FC_DEVEL_DEBUG("enter");
+
+       if (acs.ssl_cacert)
+               free(acs.ssl_cacert);
+       acs.ssl_cacert = strdup(c);
+
+       FC_DEVEL_DEBUG("exit");
+}
+
+char *
+acs_get_ssl_verify(void)
+{
+       FC_DEVEL_DEBUG("enter & exit");
+       return acs.ssl_verify;
+}
+
+void
+acs_set_ssl_verify(char *c)
+{
+       FC_DEVEL_DEBUG("enter");
+
+       if (acs.ssl_verify)
+               free(acs.ssl_verify);
+       acs.ssl_verify = strdup(c);
+
+       FC_DEVEL_DEBUG("exit");
+}
+
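Review bot: The three getters return the pointer stored in `acs` itself (`return acs.ssl_verify;` and the two siblings), not a copy, yet nothing says so, and http.c's `http_client_init` in this same patch frees the result of `acs_get_ssl_verify()`, which leaves `acs.ssl_verify` dangling for `acs_clean` and `acs_set_ssl_verify` to free a second time. Add an ownership line above each getter such as `/* Returns the string owned by the acs struct; callers must not free it. */`. The setters call `strdup(c)` without guarding against a NULL argument or a NULL result, so a missing value is undefined behaviour and an allocation failure leaves the field NULL unnoticed; `acs.ssl_cert = c ? strdup(c) : NULL;` would at least remove the UB, though the existing setters for hostname and path lie outside the hunk and whatever they do should be kept consistent.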
diff --git a/src/cwmp/acs.h b/src/cwmp/acs.h
index 3a51a46..c63e084 100644
--- a/src/cwmp/acs.h
+++ b/src/cwmp/acs.h
@@ -21,6 +21,9 @@ struct acs
        char *hostname;
        uint16_t port;
        char *path;
+       char *ssl_cert;
+       char *ssl_cacert;
+       char *ssl_verify;
     enum cwmp_version cwmp_version;
 };
 
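Review bot: The new struct members carry no documentation, and `ssl_verify` in particular is a `char *` holding the raw config string rather than a flag, which the name does not convey. A comment per field would help, e.g. `char *ssl_verify; /* raw config value; only "disable" turns peer verification off, see http_client_init */`, and on `ssl_cert`/`ssl_cacert` that they are heap strings owned by `acs` and released in `acs_clean`.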
@@ -37,6 +40,12 @@ uint16_t acs_get_port(void);
 void acs_set_port(char *c);
 char * acs_get_path(void);
 void acs_set_path(char *c);
+char * acs_get_ssl_cert(void);
+void acs_set_ssl_cert(char *c);
+char * acs_get_ssl_cacert(void);
+void acs_set_ssl_cacert(char *c);
+char * acs_get_ssl_noverify(void);
+void acs_set_ssl_noverify(char *c);
 enum cwmp_version acs_get_cwmp_version(void);
 void acs_set_cwmp_version(enum cwmp_version version);
 
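Review bot: The prototypes `char * acs_get_ssl_noverify(void);` and `void acs_set_ssl_noverify(char *c);` do not match the functions actually defined in acs.c (`acs_get_ssl_verify`, `acs_set_ssl_verify`) and called from config.c and http.c, so those callers compile against an implicit declaration. For `acs_get_ssl_verify()` that means an assumed `int` return, which truncates the returned pointer on 64-bit targets before http.c dereferences it. Rename the two lines to `char * acs_get_ssl_verify(void);` and `void acs_set_ssl_verify(char *c);`.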
diff --git a/src/http/http.c b/src/http/http.c
index b626068..8f36d05 100644
--- a/src/http/http.c
+++ b/src/http/http.c
@@ -42,7 +42,7 @@ http_client_init(void)
 
        int8_t status;
        uint8_t len;
-       char *scheme, *username, *password, *hostname, *path;
+       char *scheme, *username, *password, *hostname, *path, *ssl_verify;
        uint16_t port;
        scheme = acs_get_scheme();
        username = acs_get_username();
@@ -50,6 +50,18 @@ http_client_init(void)
        hostname = acs_get_hostname();
        port = acs_get_port();
        path = acs_get_path();
+       http_c.ssl_cacert = acs_get_ssl_cacert();
+       http_c.ssl_cert = acs_get_ssl_cert();
+
+       ssl_verify = acs_get_ssl_verify();
+       if (ssl_verify) {
+               if (strcmp(ssl_verify, "disable") == 0) 
+                       http_c.ssl_verify = 0;
+               else 
+                       http_c.ssl_verify = 1;
+               
+               free (ssl_verify);
+       }
 
        len = snprintf(NULL, 0, "%s://%s:%s@%s:%d%s",
                        scheme,
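Review bot: `http_c.ssl_verify` is only assigned inside `if (ssl_verify) {…}`, so when no `ssl_verify` option is configured it keeps whatever value `http_c` already had — zero if it is a static struct — and `http_send_message` then sets `CURLOPT_SSL_VERIFYPEER` to 0, meaning the absence of the option disables certificate verification. Default to verifying by adding `http_c.ssl_verify = 1;` before the `if`. The `free (ssl_verify);` also frees a pointer owned by `acs` (`acs_get_ssl_verify` returns `acs.ssl_verify` directly, not a copy), leaving `acs.ssl_verify` dangling for `acs_clean` to free again; drop that line. `http_client_init` begins and ends outside this hunk.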
@@ -73,6 +85,12 @@ http_client_init(void)
 #ifdef DEBUG
        printf("+++ HTTP CLIENT CONFIGURATION +++\n");
        printf("URL: '%s'\n", http_c.url);
+       if (http_c.ssl_cert)
+       printf("ssl_cert: '%s\n", http_c.ssl_cert);
+       if (http_c.ssl_cacert)
+       printf("ssl_cacert: '%s\n", http_c.ssl_cacert);
+       if (!http_c.ssl_verify)
+       printf("ssl_verify: SSL certificate validation disabled.\n");
        printf("--- HTTP CLIENT CONFIGURATION ---\n");
 #endif
 
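Review bot: The two debug format strings `"ssl_cert: '%s\n"` and `"ssl_cacert: '%s\n"` open a quote around the value but never close it, unlike `"URL: '%s'\n"` just above; write `printf("ssl_cert: '%s'\n", http_c.ssl_cert);` and likewise for `ssl_cacert`. The `printf` statements are also not indented under their `if`, which with unbraced bodies makes the conditional easy to misread.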
@@ -207,6 +225,13 @@ http_send_message(char *msg_out, char **msg_in)
        else
                curl_easy_setopt(curl, CURLOPT_POSTFIELDSIZE, 0);
 
+       if (http_c.ssl_cacert)
+               curl_easy_setopt(curl, CURLOPT_CAINFO, http_c.ssl_cacert);
+       if (http_c.ssl_cert)
+               curl_easy_setopt(curl, CURLOPT_SSLCERT, http_c.ssl_cert);
+       if (!http_c.ssl_verify)
+               curl_easy_setopt(curl, CURLOPT_SSL_VERIFYPEER, 0);
+
        curl_easy_setopt(curl, CURLOPT_WRITEFUNCTION, http_get_response);
        curl_easy_setopt(curl, CURLOPT_WRITEDATA, msg_in);
 
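Review bot: `curl_easy_setopt(curl, CURLOPT_SSL_VERIFYPEER, 0)` passes an `int` for an option that expects a `long`; `curl_easy_setopt` is variadic, so on LP64 targets the argument does not have the type the library reads — write `0L`. Separately, only peer verification is switched off here; `CURLOPT_SSL_VERIFYHOST` keeps its default, which libcurl treats independently, so a configured "disable" may still reject a name mismatch — whichever behaviour is intended, a one-line comment at `if (!http_c.ssl_verify)` should state it. The `CURLOPT_POSTFIELDSIZE, 0` line above has the same int/long issue but predates this patch. `http_send_message` begins and ends outside this hunk.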
diff --git a/src/http/http.h b/src/http/http.h
index e60f1ac..2f1eb71 100644
--- a/src/http/http.h
+++ b/src/http/http.h
@@ -36,6 +36,9 @@ struct http_client
        zstream_t *stream;
 #endif
        char *url;
+    char *ssl_cert;
+    char *ssl_cacert;
+    int ssl_verify;
 };
 
 struct http_server
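Review bot: The three new members are indented with four spaces while the neighbouring members (`zstream_t *stream;`, `char *url;`) use the file's tab indentation. They also lack a note on ownership and meaning: `ssl_cert`/`ssl_cacert` point at strings owned by `acs` (`http_client_init` copies the pointers from `acs_get_ssl_cert()`/`acs_get_ssl_cacert()`, it does not duplicate them), and `ssl_verify` is a flag where non-zero means peer verification is on; a comment like `int ssl_verify; /* non-zero: verify the ACS certificate (CURLOPT_SSL_VERIFYPEER) */` would say so.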
-- 
1.7.9

