From: Mike Pultz
Date: Sat, 9 Nov 2024 19:19:49 +0000 (-0500)
Subject: func_curl.c: Add additional CURL options for SSL requests
X-Git-Tag: 21.7.0-rc1~49
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=9ba7ccef27fed065dd1e180b0e2b0689894a8d2b;p=thirdparty%2Fasterisk.git

func_curl.c: Add additional CURL options for SSL requests

This patch adds additional CURL TLS options / options to support mTLS authenticated requests:

* ssl_verifyhost - perform a host verification on the peer certificate (CURLOPT_SSL_VERIFYHOST)
* ssl_cainfo - define a CA certificate file (CURLOPT_CAINFO)
* ssl_capath - define a CA certificate directory (CURLOPT_CAPATH)
* ssl_cert - define a client certificate for the request (CURLOPT_SSLCERT)
* ssl_certtype - specify the client certificate type (CURLOPT_SSLCERTTYPE)
* ssl_key - define a client private key for the request (CURLOPT_SSLKEY)
* ssl_keytype - specify the client private key type (CURLOPT_SSLKEYTYPE)
* ssl_keypasswd - set a password for the private key, if required (CURLOPT_KEYPASSWD)

UserNote: The following new configuration options are now available in the res_curl.conf file, and the CURL() function: 'ssl_verifyhost' (CURLOPT_SSL_VERIFYHOST), 'ssl_cainfo' (CURLOPT_CAINFO), 'ssl_capath' (CURLOPT_CAPATH), 'ssl_cert' (CURLOPT_SSLCERT), 'ssl_certtype' (CURLOPT_SSLCERTTYPE), 'ssl_key' (CURLOPT_SSLKEY), 'ssl_keytype' (CURLOPT_SSLKEYTYPE) and 'ssl_keypasswd' (CURLOPT_KEYPASSWD). See the libcurl documentation for more details.

(cherry picked from commit 4ee47b48063367972a611cdc393e79235ecdcb90)
---

diff --git a/funcs/func_curl.c b/funcs/func_curl.c index b4b98206c4..ba14e3f7f3 100644 --- a/funcs/func_curl.c +++ b/funcs/func_curl.c 
@@ -173,6 +173,46 @@ Whether to verify the server certificate against a list of known root certificate authorities (boolean). + + Whether to verify the host in the server's TLS certificate. + Set to 2 to verify the host, 0 to ignore the host. + + + Path to a file holding one or more certificates to verify + the peer's certificate with. Only used when ssl_verifypeer + is enabled. + + + Path to a directory holding multiple CA certificates to + verify the peer's certificate with. Only used when ssl_verifypeer + is enabled. + + + Path to a file containing a client certificate. Default format + is PEM, and can be changed with ssl_certtype. + + + The format of the ssl_cert file. + + + + + + + Path to a file containing a client private key. Default format + is PEM, and can be changed with ssl_keytype + + + The format of the ssl_key file. + + + + + + + + The passphrase to use the ssl_key file. + Assuming the responses will be in key1=value1&key2=value2 format, reformat the response such that it can be used 
@@ -320,6 +360,30 @@ static int parse_curlopt_key(const char *name, CURLoption *key, enum optiontype } else if (!strcasecmp(name, "ssl_verifypeer")) { *key = CURLOPT_SSL_VERIFYPEER; *ot = OT_BOOLEAN; + } else if (!strcasecmp(name, "ssl_verifyhost")) { + *key = CURLOPT_SSL_VERIFYHOST; + *ot = OT_INTEGER; + } else if (!strcasecmp(name, "ssl_cainfo")) { + *key = CURLOPT_CAINFO; + *ot = OT_STRING; + } else if (!strcasecmp(name, "ssl_capath")) { + *key = CURLOPT_CAPATH; + *ot = OT_STRING; + } else if (!strcasecmp(name, "ssl_cert")) { + *key = CURLOPT_SSLCERT; + *ot = OT_STRING; + } else if (!strcasecmp(name, "ssl_certtype")) { + *key = CURLOPT_SSLCERTTYPE; + *ot = OT_STRING; + } else if (!strcasecmp(name, "ssl_key")) { + *key = CURLOPT_SSLKEY; + *ot = OT_STRING; + } else if (!strcasecmp(name, "ssl_keytype")) { + *key = CURLOPT_SSLKEYTYPE; + *ot = OT_STRING; + } else if (!strcasecmp(name, "ssl_keypasswd")) { + *key = CURLOPT_KEYPASSWD; + *ot = OT_STRING; } else if (!strcasecmp(name, "hashcompat")) { *key = CURLOPT_SPECIAL_HASHCOMPAT; *ot = OT_ENUM;
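Review bot: In the documentation hunk (@@ -173,6 +173,46 @@), the ssl_verifyhost text "Set to 2 to verify the host, 0 to ignore the host." names two values but gives no default and does not say what any other integer does. Suggest stating the default and the accepted values explicitly, and noting that 0 drops the hostname check even when ssl_verifypeer is enabled, so a certificate that chains to a trusted CA but was issued for a different name is accepted. Two smaller points in the same hunk: the ssl_key sentence "can be changed with ssl_keytype" is missing its final period, and the ssl_keypasswd entry could mention that the passphrase is kept in plain text in res_curl.conf, so that file should be readable only by the account Asterisk runs as.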
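Review bot: In the parse_curlopt_key() hunk (@@ -320,6 +360,30 @@), ssl_verifyhost is mapped to OT_INTEGER with no range check visible in this patch, while the documentation added alongside it describes only 0 and 2. Suggest validating the value where the option is applied (accept 0 and 2, warn on or reject anything else), or exposing it as OT_BOOLEAN like ssl_verifypeer and translating true to 2, so that a value such as 1 cannot produce behaviour that varies with the libcurl version in use. The same applies in a weaker form to ssl_certtype and ssl_keytype, which are taken as free OT_STRING values: if the documentation restricts them to a fixed set of formats, checking the string when it is parsed and logging a warning would surface a misspelled type at configuration time instead of as a failed request.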