diff --git a/src/config.h b/src/config.h
index cc50c08..2629e74 100644
--- a/src/config.h
+++ b/src/config.h
@@ -53,6 +53,8 @@ typedef struct {
 char *proxy_username;
 /** \brief HTTP proxy password */
 char *proxy_password;
+ /** \brief HTTP proxy certificate file */
+ char *proxy_cafile;
 /** \brief HTTP maximum connection count */
 long max_conns;
 /** \brief HTTP user agent*/
@@ -63,6 +65,8 @@ typedef struct {
 int no_range_check;
 /** \brief Disable TLS certificate verification */
 int insecure_tls;
+ /** \brief Server certificate file */
+ char *cafile;
 /*--------------- Cache related ---------------*/
 /** \brief Whether cache mode is enabled */
 int cache_enabled;
diff --git a/src/link.c b/src/link.c
index dc8bb47..1742dbf 100644
--- a/src/link.c
+++ b/src/link.c
@@ -95,6 +95,25 @@ static CURL *Link_to_curl(Link *link)
 if (ret) {
 lprintf(error, "%s", curl_easy_strerror(ret));
 }
+ if (CONFIG.cafile) {
+ /*
+ * Having been given a certificate file, disable any search directory
+ * built into libcurl, so that we exclusively use the explicitly given
+ * certificate(s).
+ *
+ * If we ever add a CAPATH option, we should do the mirror for CAINFO,
+ * too: disable both and then enable whichever one(s) were given.
+ */
+ ret = curl_easy_setopt(curl, CURLOPT_CAPATH, NULL);
+ if (ret) {
+ lprintf(error, "%s", curl_easy_strerror(ret));
+ }
+
+ ret = curl_easy_setopt(curl, CURLOPT_CAINFO, CONFIG.cafile);
+ if (ret) {
+ lprintf(error, "%s", curl_easy_strerror(ret));
+ }
+ }
 if (CONFIG.insecure_tls) {
 ret = curl_easy_setopt(curl, CURLOPT_SSL_VERIFYPEER, 0);
 if (ret) {
@@ -146,6 +165,20 @@ static CURL *Link_to_curl(Link *link)
 }
 }
 
+ if (CONFIG.proxy_cafile) {
+ /* See CONFIG.cafile above */
+ ret = curl_easy_setopt(curl, CURLOPT_PROXY_CAPATH, NULL);
+ if (ret) {
+ lprintf(error, "%s", curl_easy_strerror(ret));
+ }
+
+ ret = curl_easy_setopt(curl, CURLOPT_PROXY_CAINFO,
+ CONFIG.proxy_cafile);
+ if (ret) {
+ lprintf(error, "%s", curl_easy_strerror(ret));
+ }
+ }
+
 return curl;
 }
 
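Review bot: The `\brief` comments on the two new fields describe the wrong kind of file: `proxy_cafile` and `cafile` (next hunk) are passed to `CURLOPT_PROXY_CAINFO`/`CURLOPT_CAINFO` in link.c, i.e. they name a CA certificate bundle used to verify the peer, not a certificate presented by the proxy or the server, and the options are registered as `--cacert`/`--proxy-cacert`. Suggest `/** \brief CA certificate file used to verify the HTTP proxy's TLS certificate */` and `/** \brief CA certificate file used to verify the server's TLS certificate */` so a maintainer does not mistake these for client-certificate settings. It would also help to say in the `cafile` comment that the value is ignored for verification purposes when `insecure_tls` is set, since the two fields sit next to each other.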
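Review bot: A failing `curl_easy_setopt(curl, CURLOPT_CAINFO, CONFIG.cafile)` is only logged and the handle is still returned, so a transfer would proceed verifying against libcurl's default trust store instead of the CA file the operator configured; the same applies to the `CURLOPT_PROXY_CAINFO` call in the next hunk. Log-and-continue matches the surrounding option calls, but for a trust-anchor setting a silent fallback is a downgrade, so a non-zero `ret` here should be fatal, e.g. `curl_easy_cleanup(curl); return NULL;`, provided callers of Link_to_curl check for NULL (they are outside the hunk, so please verify). Note also that libcurl does not open the file when the option is set, so a wrong path only surfaces when the first transfer runs. Setting `CURLOPT_CAINFO` while `CONFIG.insecure_tls` is also set is effectively a no-op for verification; a one-line warning in that combination would save operators from a false sense of security. Link_to_curl begins before and ends after this hunk.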
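Review bot: `CURLOPT_PROXY_CAPATH` and `CURLOPT_PROXY_CAINFO` only exist in libcurl 7.52.0 and later, so this block fails to compile against older libcurl headers while the rest of the file presumably still builds. Wrap the block in `#if LIBCURL_VERSION_NUM >= 0x073400` with an `#else` branch that logs that `--proxy-cacert` is unsupported by the linked libcurl, so the option is never silently ignored. The `/* See CONFIG.cafile above */` comment could additionally state that this CA file is only consulted for HTTPS proxies, since for a plain http:// proxy no TLS verification of the proxy takes place. Link_to_curl begins before this hunk.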
diff --git a/src/main.c b/src/main.c
index 8ceacda..5093b99 100644
--- a/src/main.c
+++ b/src/main.c
@@ -199,6 +199,8 @@ parse_arg_list(int argc, char **argv, char ***fuse_argv, int *fuse_argc)
 { "insecure-tls", no_argument, NULL, 'L' }, /* 20 */
 { "config", required_argument, NULL, 'L' }, /* 21 */
 { "single-file-mode", required_argument, NULL, 'L' }, /* 22 */
+ { "cacert", required_argument, NULL, 'L' }, /* 23 */
+ { "proxy-cacert", required_argument, NULL, 'L' }, /* 24 */
 { 0, 0, 0, 0 }
 };
 while ((c =
@@ -296,6 +298,12 @@ parse_arg_list(int argc, char **argv, char ***fuse_argv, int *fuse_argc)
 case 22:
 CONFIG.mode = SINGLE;
 break;
+ case 23:
+ CONFIG.cafile = strdup(optarg);
+ break;
+ case 24:
+ CONFIG.proxy_cafile = strdup(optarg);
+ break;
 default:
 fprintf(stderr, "see httpdirfs -h for usage\n");
 return 1;
@@ -347,9 +355,11 @@ HTTPDirFS options:\n\
 https://curl.haxx.se/libcurl/c/CURLOPT_PROXY.html\n\
 --proxy-username Username for the proxy\n\
 --proxy-password Password for the proxy\n\
+ --proxy-cacert Certificate authority for the proxy\n\
 --cache Enable cache (default: off)\n\
 --cache-location Set a custom cache location\n\
 (default: \"${XDG_CACHE_HOME}/httpdirfs\")\n\
+ --cacert Certificate authority for the server\n\
 --dl-seg-size Set cache download segment size, in MB (default: 8)\n\
 Note: this setting is ignored if previously\n\
 cached data is found for the requested file.\n\
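Review bot: `CONFIG.cafile = strdup(optarg)` in case 23 stores the path exactly as typed, so if the process later daemonizes and changes its working directory (the usual FUSE behaviour unless run in the foreground, inferred from the `fuse_argv` parameter rather than visible here) a relative `--cacert` path will no longer resolve when the first transfer runs, and the failure surfaces only then; case 24 has the same issue for `--proxy-cacert`. Resolving the value at parse time with `realpath(optarg, NULL)` (POSIX.1-2008, `<stdlib.h>`) makes it absolute and rejects a missing file up front, which is the better failure mode for a trust-anchor setting. The `strdup` return is also unchecked, though that may match the neighbouring cases, which are outside the hunk. parse_arg_list begins before and ends after this hunk.
```c
    case 23:
        CONFIG.cafile = realpath(optarg, NULL);
        if (!CONFIG.cafile) {
            fprintf(stderr, "--cacert: cannot resolve '%s'\n", optarg);
            return 1;
        }
        break;
    case 24:
        CONFIG.proxy_cafile = realpath(optarg, NULL);
        if (!CONFIG.proxy_cafile) {
            fprintf(stderr, "--proxy-cacert: cannot resolve '%s'\n", optarg);
            return 1;
        }
        break;
    /* … unchanged: default case … */
```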
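Review bot: The new `--cacert` help line is inserted between `--cache-location` and `--dl-seg-size`, in the middle of the cache options, while `--proxy-cacert` correctly sits with the proxy options; a reader looking for TLS settings will expect `--cacert` next to `--insecure-tls` (presumably listed earlier in this string, outside the hunk), so move it there. The descriptions should also say what the file does, e.g. `--cacert CA certificate bundle used to verify the server's TLS certificate\n\` and `--proxy-cacert CA certificate bundle used to verify an HTTPS proxy's TLS certificate\n\`, so that users do not supply a client certificate by mistake. Column alignment with the neighbouring lines cannot be checked in this rendering.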