Add LRO_SSLVERIFYPEER and LRO_SSLVERIFYHOST options (RhBug: 1093014)

librepo/handle.c

@@ -59,6 +59,8 @@ lr_get_curl_handle()
     curl_easy_setopt(h, CURLOPT_CONNECTTIMEOUT, LRO_CONNECTTIMEOUT_DEFAULT);
     curl_easy_setopt(h, CURLOPT_LOW_SPEED_TIME, LRO_LOWSPEEDTIME_DEFAULT);
     curl_easy_setopt(h, CURLOPT_LOW_SPEED_LIMIT, LRO_LOWSPEEDLIMIT_DEFAULT);
+    curl_easy_setopt(h, CURLOPT_SSL_VERIFYHOST, 2);
+    curl_easy_setopt(h, CURLOPT_SSL_VERIFYPEER, 1);
     return h;
 }
 
@@ -97,6 +99,8 @@ lr_handle_init()
     handle->maxparalleldownloads = LRO_MAXPARALLELDOWNLOADS_DEFAULT;
     handle->maxdownloadspermirror = LRO_MAXDOWNLOADSPERMIRROR_DEFAULT;
     handle->lowspeedlimit = LRO_LOWSPEEDLIMIT_DEFAULT;
+    handle->sslverifypeer = 1;
+    handle->sslverifyhost = 2;
 
     return handle;
 }
@@ -542,6 +546,16 @@ lr_handle_setopt(LrHandle *handle,
         handle->hmfcb = va_arg(arg, LrHandleMirrorFailureCb);
         break;
 
+    case LRO_SSLVERIFYPEER:
+        handle->sslverifypeer = va_arg(arg, long) ? 1 : 0;
+        c_rc = curl_easy_setopt(c_h, CURLOPT_SSL_VERIFYPEER, handle->sslverifypeer);
+        break;
+
+    case LRO_SSLVERIFYHOST:
+        handle->sslverifyhost = va_arg(arg, long) ? 2 : 0;
+        c_rc = curl_easy_setopt(c_h, CURLOPT_SSL_VERIFYPEER, handle->sslverifyhost);
+        break;
+
     default:
         g_set_error(err, LR_HANDLE_ERROR, LRE_BADOPTARG,
                     "Unknown option");
@@ -1236,6 +1250,17 @@ lr_handle_getinfo(LrHandle *handle,
         break;
     }
 
+    case LRI_SSLVERIFYPEER:
+        lnum = va_arg(arg, long *);
+        *lnum = (long) handle->sslverifypeer;
+        break;
+
+    case LRI_SSLVERIFYHOST:
+        lnum = va_arg(arg, long *);
+        *lnum = (long) (handle->sslverifyhost ? 1 : 0);
+        break;
+
+
     default:
         rc = FALSE;
         g_set_error(err, LR_HANDLE_ERROR, LRE_UNKNOWNOPT,

librepo/handle.h

@@ -237,11 +237,21 @@ typedef enum {
         Do not download this specified records from repomd (blacklist).
         Note: Last element of the list must be NULL! */
 
-    LRO_HMFCB, /* (LrHandleMirrorFailureCb)
+    LRO_HMFCB, /*!< (LrHandleMirrorFailureCb)
         Handle specific mirror failure callaback.
         Callback called when a repodata download from a mirror fails.
         This callback gets the user data setted by LRO_PROGRESSDATA */
 
+    LRO_SSLVERIFYPEER, /*!< (long 1 or 0)
+        This option determines whether librepo verifies the authenticity
+        of the peer's certificate.
+        This trust is based on a chain of digital signatures,
+        rooted in certification authority (CA) certificates. */
+
+    LRO_SSLVERIFYHOST, /*!< (long 1 or 0)
+        This option determines whether librepo verifies that
+        the server cert is for the server it is known as. */
+
     LRO_SENTINEL,    /*!< Sentinel */
 
 } LrHandleOption; /*!< Handle config options */
@@ -291,6 +301,8 @@ typedef enum {
     LRI_FASTESTMIRRORCACHE,     /*!< (char **) */
     LRI_FASTESTMIRRORMAXAGE,    /*!< (long *) */
     LRI_HMFCB,                  /*!< (LrHandleMirrorFailureCb) */
+    LRI_SSLVERIFYPEER,          /*!< (long *) */
+    LRI_SSLVERIFYHOST,          /*!< (long *) */
     LRI_SENTINEL,
 } LrHandleInfoOption; /*!< Handle info options */
 

librepo/handle_internal.h

@@ -96,9 +96,6 @@ struct _LrHandle {
     LrInternalMirrorlist *mirrors;  /*!<
         Mirrors from metalink or mirrorlist */
 
-//    int mirrorlist_fd;  /*!<
-//        Raw downloaded file */
-
     int local; /*!<
         Do not duplicate local data */
 
@@ -162,6 +159,13 @@ struct _LrHandle {
 
     gint64 maxspeed; /*!<
         Max speed in bytes per sec */
+
+    long sslverifypeer; /*!<
+        Determines whether verify the autenticity of the peer's certificate */
+
+    long sslverifyhost; /*!<
+        Determines whether the server name should be checked agains the name
+        in the certificate */
 };
 
 /** Return new CURL easy handle with some default options setted.

librepo/python/__init__.py

@@ -250,6 +250,18 @@
     Call of this callback doesn't mean that whole downloading failed.
     If there are other mirrors on the list, these mirrors will be tried.
 
+.. data:: LRO_SSLVERIFYPEER
+
+    *Boolean*. This option determines whether librepo verifies the
+    authenticity of the peer's certificate. This trust is based on a chain
+    of digital signatures, rooted in certification authority
+    (CA) certificates.
+
+.. data:: LRO_SSLVERIFYHOST
+
+    *Boolean*. This option determines whether librepo verifies that
+    the server cert is for the server it is known as.
+
 .. _handle-info-options-label:
 
 :class:`~.Handle` info options
@@ -280,6 +292,8 @@
 .. data:: LRI_FASTESTMIRRORCACHE
 .. data:: LRI_FASTESTMIRRORMAXAGE
 .. data:: LRI_HMFCB
+.. data:: LRI_SSLVERIFYPEER
+.. data:: LRI_SSLVERIFYHOST
 
 .. _proxy-type-label:
 
@@ -743,6 +757,8 @@
 LRO_YUMDLIST                = _librepo.LRO_YUMDLIST
 LRO_YUMBLIST                = _librepo.LRO_YUMBLIST
 LRO_HMFCB                   = _librepo.LRO_HMFCB
+LRO_SSLVERIFYPEER           = _librepo.LRO_SSLVERIFYPEER
+LRO_SSLVERIFYHOST           = _librepo.LRO_SSLVERIFYHOST
 LRO_SENTINEL                = _librepo.LRO_SENTINEL
 
 ATTR_TO_LRO = {
@@ -785,6 +801,8 @@
     "yumdlist":             LRO_YUMDLIST,
     "yumblist":             LRO_YUMBLIST,
     "hmfcb":                LRO_HMFCB,
+    "sslverifypeer":        LRO_SSLVERIFYPEER,
+    "sslverifyhost":        LRO_SSLVERIFYHOST,
 }
 
 LRI_UPDATE              = _librepo.LRI_UPDATE
@@ -809,6 +827,9 @@
 LRI_FASTESTMIRRORCACHE  = _librepo.LRI_FASTESTMIRRORCACHE
 LRI_FASTESTMIRRORMAXAGE = _librepo.LRI_FASTESTMIRRORMAXAGE
 LRI_HMFCB               = _librepo.LRI_HMFCB
+LRI_SSLVERIFYPEER       = _librepo.LRI_SSLVERIFYPEER
+LRI_SSLVERIFYHOST       = _librepo.LRI_SSLVERIFYHOST
+LRI_SENTINEL            = _librepo.LRI_SENTINEL
 
 ATTR_TO_LRI = {
     "update":               LRI_UPDATE,
@@ -833,6 +854,8 @@
     "fastestmirrorcache":   LRI_FASTESTMIRRORCACHE,
     "fastestmirrormaxage":  LRI_FASTESTMIRRORMAXAGE,
     "hmfcb":                LRI_HMFCB,
+    "sslverifypeer":        LRI_SSLVERIFYPEER,
+    "sslverifyhost":        LRI_SSLVERIFYHOST,
 }
 
 LR_CHECK_GPG        = _librepo.LR_CHECK_GPG
@@ -1179,6 +1202,14 @@ class Handle(_librepo.Handle):
 
         See: :data:`.LRO_HMFCB`
 
+    .. attribute:: sslverifypeer:
+
+        See :data:`.LRO_SSLVERIFYPEER`
+
+    .. attribute:: sslverifyhost:
+
+        See :data:`.LRO_SSLVERIFYHOST`
+
     """
 
     def setopt(self, option, val):

librepo/python/handle-py.c

@@ -332,10 +332,18 @@ py_setopt(_HandleObject *self, PyObject *args)
     case LRO_INTERRUPTIBLE:
     case LRO_FETCHMIRRORS:
     case LRO_FASTESTMIRROR:
+    case LRO_SSLVERIFYPEER:
+    case LRO_SSLVERIFYHOST:
     {
         long d;
 
-        if (PyObject_IsTrue(obj) == 1)
+        // Default values for None attribute
+        if (obj == Py_None && (option == LRO_SSLVERIFYPEER ||
+                               option == LRO_SSLVERIFYHOST))
+        {
+            d = 1;
+        // end of default attributes
+        } else if (PyObject_IsTrue(obj) == 1)
             d = 1;
         else if (PyObject_IsTrue(obj) == 0)
             d = 0;
@@ -818,6 +826,8 @@ py_getinfo(_HandleObject *self, PyObject *args)
     case LRI_MAXMIRRORTRIES:
     case LRI_FASTESTMIRROR:
     case LRI_FASTESTMIRRORMAXAGE:
+    case LRI_SSLVERIFYPEER:
+    case LRI_SSLVERIFYHOST:
         res = lr_handle_getinfo(self->handle,
                                 &tmp_err,
                                 (LrHandleInfoOption)option,

librepo/python/librepomodule.c

@@ -260,6 +260,8 @@ init_librepo(void)
     PyModule_AddIntConstant(m, "LRO_YUMDLIST", LRO_YUMDLIST);
     PyModule_AddIntConstant(m, "LRO_YUMBLIST", LRO_YUMBLIST);
     PyModule_AddIntConstant(m, "LRO_HMFCB", LRO_HMFCB);
+    PyModule_AddIntConstant(m, "LRO_SSLVERIFYPEER", LRO_SSLVERIFYPEER);
+    PyModule_AddIntConstant(m, "LRO_SSLVERIFYHOST", LRO_SSLVERIFYHOST);
     PyModule_AddIntConstant(m, "LRO_SENTINEL", LRO_SENTINEL);
 
     // Handle info options
@@ -285,6 +287,9 @@ init_librepo(void)
     PyModule_AddIntConstant(m, "LRI_FASTESTMIRRORCACHE", LRI_FASTESTMIRRORCACHE);
     PyModule_AddIntConstant(m, "LRI_FASTESTMIRRORMAXAGE", LRI_FASTESTMIRRORMAXAGE);
     PyModule_AddIntConstant(m, "LRI_HMFCB", LRI_HMFCB);
+    PyModule_AddIntConstant(m, "LRI_SSLVERIFYPEER", LRI_SSLVERIFYPEER);
+    PyModule_AddIntConstant(m, "LRI_SSLVERIFYHOST", LRI_SSLVERIFYHOST);
+    PyModule_AddIntConstant(m, "LRI_SENTINEL", LRI_SENTINEL);
 
     // Check options
     PyModule_AddIntConstant(m, "LR_CHECK_GPG", LR_CHECK_GPG);

tests/python/tests/test_handle.py

@@ -116,6 +116,18 @@ def test_handle_setopt_getinfo(self):
         h.setopt(librepo.LRO_HMFCB, None)
         self.assertFalse(h.getinfo(librepo.LRI_HMFCB))
 
+        self.assertTrue(h.getinfo(librepo.LRI_SSLVERIFYPEER))
+        h.setopt(librepo.LRO_SSLVERIFYPEER, 0)
+        self.assertEqual(h.getinfo(librepo.LRI_SSLVERIFYPEER), False)
+        h.setopt(librepo.LRO_SSLVERIFYPEER, None)
+        self.assertTrue(h.getinfo(librepo.LRI_SSLVERIFYPEER))
+
+        self.assertTrue(h.getinfo(librepo.LRI_SSLVERIFYHOST))
+        h.setopt(librepo.LRO_SSLVERIFYHOST, 0)
+        self.assertEqual(h.getinfo(librepo.LRI_SSLVERIFYHOST), False)
+        h.setopt(librepo.LRO_SSLVERIFYHOST, None)
+        self.assertTrue(h.getinfo(librepo.LRI_SSLVERIFYHOST))
+
     def test_handle_setget_attr(self):
         """No exception should be raised."""
         h = librepo.Handle()
@@ -222,6 +234,18 @@ def test_handle_setget_attr(self):
         h.hmfcb = None
         self.assertFalse(h.hmfcb)
 
+        self.assertTrue(h.sslverifypeer)
+        h.sslverifypeer = False
+        self.assertEqual(h.sslverifypeer, False)
+        h.sslverifypeer = None
+        self.assertTrue(h.sslverifypeer)
+
+        self.assertTrue(h.sslverifyhost)
+        h.sslverifyhost = False
+        self.assertEqual(h.sslverifyhost, False)
+        h.sslverifyhost = None
+        self.assertTrue(h.sslverifyhost)
+
     def test_handle_setopt_none_value(self):
         """Using None in setopt."""
         h = librepo.Handle()
@@ -304,3 +328,7 @@ def fmcallback(userdata, stage, data):
         h.setopt(librepo.LRO_HMFCB, None)
         h.hmfcb = None
 
+        h.setopt(librepo.LRO_SSLVERIFYPEER, None)
+        h.sslverifypeer = None
+        h.setopt(librepo.LRO_SSLVERIFYHOST, None)
+        h.sslverifyhost = None