rest_client: allow disabling of SSL remote host verifications

* with the new *ssl_verifypeer* and *ssl_verifyhost* modparams
OpenSIPS · Mar 5, 2014 · 15423bb · 15423bb
1 parent 277f587
commit 15423bb
Show file tree

Hide file tree

Showing 3 changed files with 65 additions and 26 deletions.
diff --git a/modules/rest_client/rest_client.c b/modules/rest_client/rest_client.c
@@ -43,6 +43,12 @@
 long connection_timeout = 20;
 long curl_timeout = 20;
 
+char *ssl_ca_path;
+
+/* libcurl enables these by default */
+int ssl_verifypeer = 1;
+int ssl_verifyhost = 1;
+
 /*
  * Module initialization and cleanup
  */
@@ -96,6 +102,9 @@ static cmd_export_t cmds[] = {
 static param_export_t params[] = {
 	{ "connection_timeout",	INT_PARAM, &connection_timeout	},
 	{ "curl_timeout",		INT_PARAM, &curl_timeout		},
+	{ "ssl_ca_path",		STR_PARAM, &ssl_ca_path			},
+	{ "ssl_verifypeer",		INT_PARAM, &ssl_verifypeer		},
+	{ "ssl_verifyhost",		INT_PARAM, &ssl_verifyhost		},
 	{ 0, 0, 0 }
 };
 

diff --git a/modules/rest_client/rest_methods.c b/modules/rest_client/rest_methods.c
@@ -34,6 +34,15 @@
 static char err_buff[CURL_ERROR_SIZE];
 static char print_buff[MAX_CONTENT_TYPE_LEN];
 
+#define w_curl_easy_setopt(h, opt, value) \
+	do { \
+		rc = curl_easy_setopt(h, opt, value); \
+		if (rc != CURLE_OK) { \
+			LM_ERR("setopt operation %d failed (%d)\n", opt, rc); \
+			goto error; \
+		} \
+	} while (0)
+
 /**
  * rest_get_method - performs an HTTP GET request, stores results in pvars
  * @msg:		sip message struct
@@ -58,21 +67,30 @@ int rest_get_method(struct sip_msg *msg, char *url,
 		return -1;
 	}
 
-	curl_easy_setopt(handle, CURLOPT_URL, url);
+	w_curl_easy_setopt(handle, CURLOPT_URL, url);
+
+	w_curl_easy_setopt(handle, CURLOPT_CONNECTTIMEOUT, connection_timeout);
+	w_curl_easy_setopt(handle, CURLOPT_TIMEOUT, curl_timeout);
+
+	w_curl_easy_setopt(handle, CURLOPT_VERBOSE, 1);
+	w_curl_easy_setopt(handle, CURLOPT_FAILONERROR, 1);
+	w_curl_easy_setopt(handle, CURLOPT_ERRORBUFFER, err_buff);
+	w_curl_easy_setopt(handle, CURLOPT_STDERR, stdout);
+
+	w_curl_easy_setopt(handle, CURLOPT_WRITEFUNCTION, write_func);
+	w_curl_easy_setopt(handle, CURLOPT_WRITEDATA, &body);
 
-	curl_easy_setopt(handle, CURLOPT_CONNECTTIMEOUT, connection_timeout);
-	curl_easy_setopt(handle, CURLOPT_TIMEOUT, curl_timeout);
+	w_curl_easy_setopt(handle, CURLOPT_HEADERFUNCTION, header_func);
+	w_curl_easy_setopt(handle, CURLOPT_WRITEHEADER, &st);
 
-	curl_easy_setopt(handle, CURLOPT_VERBOSE, 1);
-	curl_easy_setopt(handle, CURLOPT_FAILONERROR, 1);
-	curl_easy_setopt(handle, CURLOPT_ERRORBUFFER, err_buff);
-	curl_easy_setopt(handle, CURLOPT_STDERR, stdout);
+	if (ssl_ca_path)
+		w_curl_easy_setopt(handle, CURLOPT_CAPATH, ssl_ca_path);
 
-	curl_easy_setopt(handle, CURLOPT_WRITEFUNCTION, write_func);
-	curl_easy_setopt(handle, CURLOPT_WRITEDATA, &body);
+	if (!ssl_verifypeer)
+		w_curl_easy_setopt(handle, CURLOPT_SSL_VERIFYPEER, 0L);
 
-	curl_easy_setopt(handle, CURLOPT_HEADERFUNCTION, header_func);
-	curl_easy_setopt(handle, CURLOPT_WRITEHEADER, &st);
+	if (!ssl_verifyhost)
+		w_curl_easy_setopt(handle, CURLOPT_SSL_VERIFYHOST, 0L);
 
 	rc = curl_easy_perform(handle);
 	if (rc != CURLE_OK) {
@@ -156,27 +174,36 @@ int rest_post_method(struct sip_msg *msg, char *url, char *ctype, char *body,
 	if (ctype) {
 		sprintf(print_buff, "Content-Type: %s", ctype);
 		list = curl_slist_append(list, print_buff);
-		curl_easy_setopt(handle, CURLOPT_HTTPHEADER, list);
+		w_curl_easy_setopt(handle, CURLOPT_HTTPHEADER, list);
 	}
 
-	curl_easy_setopt(handle, CURLOPT_URL, url);
+	w_curl_easy_setopt(handle, CURLOPT_URL, url);
 
-	curl_easy_setopt(handle, CURLOPT_POST, 1);
-	curl_easy_setopt(handle, CURLOPT_POSTFIELDS, body);
+	w_curl_easy_setopt(handle, CURLOPT_POST, 1);
+	w_curl_easy_setopt(handle, CURLOPT_POSTFIELDS, body);
 
-	curl_easy_setopt(handle, CURLOPT_CONNECTTIMEOUT, connection_timeout);
-	curl_easy_setopt(handle, CURLOPT_TIMEOUT, curl_timeout);
+	w_curl_easy_setopt(handle, CURLOPT_CONNECTTIMEOUT, connection_timeout);
+	w_curl_easy_setopt(handle, CURLOPT_TIMEOUT, curl_timeout);
 
-	curl_easy_setopt(handle, CURLOPT_VERBOSE, 1);
-	curl_easy_setopt(handle, CURLOPT_STDERR, stdout);
-	curl_easy_setopt(handle, CURLOPT_ERRORBUFFER, err_buff);
-	curl_easy_setopt(handle, CURLOPT_FAILONERROR, 1);
+	w_curl_easy_setopt(handle, CURLOPT_VERBOSE, 1);
+	w_curl_easy_setopt(handle, CURLOPT_STDERR, stdout);
+	w_curl_easy_setopt(handle, CURLOPT_ERRORBUFFER, err_buff);
+	w_curl_easy_setopt(handle, CURLOPT_FAILONERROR, 1);
 
-	curl_easy_setopt(handle, CURLOPT_WRITEFUNCTION, write_func);
-	curl_easy_setopt(handle, CURLOPT_WRITEDATA, &res_body);
+	w_curl_easy_setopt(handle, CURLOPT_WRITEFUNCTION, write_func);
+	w_curl_easy_setopt(handle, CURLOPT_WRITEDATA, &res_body);
 
-	curl_easy_setopt(handle, CURLOPT_HEADERFUNCTION, header_func);
-	curl_easy_setopt(handle, CURLOPT_WRITEHEADER, &st);
+	w_curl_easy_setopt(handle, CURLOPT_HEADERFUNCTION, header_func);
+	w_curl_easy_setopt(handle, CURLOPT_WRITEHEADER, &st);
+
+	if (ssl_ca_path)
+		w_curl_easy_setopt(handle, CURLOPT_CAPATH, ssl_ca_path);
+
+	if (!ssl_verifypeer)
+		w_curl_easy_setopt(handle, CURLOPT_SSL_VERIFYPEER, 0L);
+
+	if (!ssl_verifyhost)
+		w_curl_easy_setopt(handle, CURLOPT_SSL_VERIFYHOST, 0L);
 
 	rc = curl_easy_perform(handle);
 	curl_slist_free_all(list);
@@ -231,4 +258,3 @@ int rest_post_method(struct sip_msg *msg, char *url, char *ctype, char *body,
 	curl_easy_cleanup(handle);
 	return -1;
 }
-
diff --git a/modules/rest_client/rest_methods.h b/modules/rest_client/rest_methods.h
@@ -35,6 +35,10 @@
 extern long connection_timeout;
 extern long curl_timeout;
 
+extern char *ssl_ca_path;
+extern int ssl_verifypeer;
+extern int ssl_verifyhost;
+
 int rest_get_method(struct sip_msg *msg, char *url,
                     pv_spec_p body_pv, pv_spec_p ctype_pv, pv_spec_p code_pv);
 int rest_post_method(struct sip_msg *msg, char *url, char *ctype, char *body,