Merge pull request #109 from nwf-msr/master

Add --cacert and --proxy-cacert
fangfufu · Nov 2, 2022 · bb3b652 · bb3b652
2 parents 61d3ae4 + 12abb7d
commit bb3b652
Show file tree

Hide file tree

Showing 4 changed files with 49 additions and 2 deletions.
diff --git a/src/config.h b/src/config.h
@@ -53,6 +53,8 @@ typedef struct {
     char *proxy_username;
     /** \brief HTTP proxy password */
     char *proxy_password;
+    /** \brief HTTP proxy certificate file */
+    char *proxy_cafile;
     /** \brief HTTP maximum connection count */
     long max_conns;
     /** \brief HTTP user agent*/
@@ -63,6 +65,8 @@ typedef struct {
     int no_range_check;
     /** \brief Disable TLS certificate verification */
     int insecure_tls;
+    /** \brief Server certificate file */
+    char *cafile;
     /*--------------- Cache related ---------------*/
     /** \brief Whether cache mode is enabled */
     int cache_enabled;

diff --git a/src/link.c b/src/link.c
@@ -95,6 +95,25 @@ static CURL *Link_to_curl(Link *link)
     if (ret) {
         lprintf(error, "%s", curl_easy_strerror(ret));
     }
+    if (CONFIG.cafile) {
+        /*
+         * Having been given a certificate file, disable any search directory
+         * built into libcurl, so that we exclusively use the explicitly given
+         * certificate(s).
+         *
+         * If we ever add a CAPATH option, we should do the mirror for CAINFO,
+         * too: disable both and then enable whichever one(s) were given.
+         */
+        ret = curl_easy_setopt(curl, CURLOPT_CAPATH, NULL);
+        if (ret) {
+            lprintf(error, "%s", curl_easy_strerror(ret));
+        }
+
+        ret = curl_easy_setopt(curl, CURLOPT_CAINFO, CONFIG.cafile);
+        if (ret) {
+            lprintf(error, "%s", curl_easy_strerror(ret));
+        }
+    }
     if (CONFIG.insecure_tls) {
         ret = curl_easy_setopt(curl, CURLOPT_SSL_VERIFYPEER, 0);
         if (ret) {
@@ -146,6 +165,20 @@ static CURL *Link_to_curl(Link *link)
         }
     }
 
+    if (CONFIG.proxy_cafile) {
+        /* See CONFIG.cafile above */
+        ret = curl_easy_setopt(curl, CURLOPT_PROXY_CAPATH, NULL);
+        if (ret) {
+            lprintf(error, "%s", curl_easy_strerror(ret));
+        }
+
+        ret = curl_easy_setopt(curl, CURLOPT_PROXY_CAINFO,
+                               CONFIG.proxy_cafile);
+        if (ret) {
+            lprintf(error, "%s", curl_easy_strerror(ret));
+        }
+    }
+
     return curl;
 }
 
@@ -860,7 +893,7 @@ TransferStruct Link_download_full(Link *link)
             lprintf(warning,
                     "cannot retrieve URL: %s, HTTP %ld\n", url, http_resp);
             ts.curr_size = 0;
-            FREE(ts.data);
+            free(ts.data); /* not FREE(); can be NULL on error path! */
             curl_easy_cleanup(curl);
             return ts;
         }

diff --git a/src/main.c b/src/main.c
@@ -199,6 +199,8 @@ parse_arg_list(int argc, char **argv, char ***fuse_argv, int *fuse_argc)
         { "insecure-tls", no_argument, NULL, 'L' },     /* 20 */
         { "config", required_argument, NULL, 'L' },     /* 21 */
         { "single-file-mode", required_argument, NULL, 'L' },   /* 22 */
+        { "cacert", required_argument, NULL, 'L' },     /* 23 */
+        { "proxy-cacert", required_argument, NULL, 'L' },       /* 24 */
         { 0, 0, 0, 0 }
     };
     while ((c =
@@ -296,6 +298,12 @@ parse_arg_list(int argc, char **argv, char ***fuse_argv, int *fuse_argc)
             case 22:
                 CONFIG.mode = SINGLE;
                 break;
+            case 23:
+                CONFIG.cafile = strdup(optarg);
+                break;
+            case 24:
+                CONFIG.proxy_cafile = strdup(optarg);
+                break;
             default:
                 fprintf(stderr, "see httpdirfs -h for usage\n");
                 return 1;
@@ -347,9 +355,11 @@ HTTPDirFS options:\n\
                             https://curl.haxx.se/libcurl/c/CURLOPT_PROXY.html\n\
         --proxy-username    Username for the proxy\n\
         --proxy-password    Password for the proxy\n\
+        --proxy-cacert      Certificate authority for the proxy\n\
         --cache             Enable cache (default: off)\n\
         --cache-location    Set a custom cache location\n\
                             (default: \"${XDG_CACHE_HOME}/httpdirfs\")\n\
+        --cacert            Certificate authority for the server\n\
         --dl-seg-size       Set cache download segment size, in MB (default: 8)\n\
                             Note: this setting is ignored if previously\n\
                             cached data is found for the requested file.\n\

diff --git a/src/util.c b/src/util.c
@@ -143,7 +143,7 @@ void FREE(void *ptr)
     if (ptr) {
         free(ptr);
     } else {
-        lprintf(fatal, "attempted to double free a pointer!\n");
+        lprintf(fatal, "attempted to free NULL ptr!\n");
     }
 }