diff --git a/CASA-auth-token/non-java/TODO b/CASA-auth-token/non-java/TODO
index d0dbcf9b..ca5a4629 100644
--- a/CASA-auth-token/non-java/TODO
+++ b/CASA-auth-token/non-java/TODO
@@ -13,4 +13,5 @@ details outstanding items at the project level.
 OUTSTANDING ITEMS
-- Allow the Windows client to be built under Cygwin.
+- Add mechanism to try communicating with ATS over port 443 if communications
+ over port 2645 fail.
diff --git a/CASA-auth-token/non-java/client/client.conf b/CASA-auth-token/non-java/client/client.conf
index 4daf0b74..46c0d85f 100644
--- a/CASA-auth-token/non-java/client/client.conf
+++ b/CASA-auth-token/non-java/client/client.conf
@@ -83,4 +83,6 @@ AllowInvalidCerts true
 # Note: This parameter has no effect if the setting AllowInvalidCerts
 # is set to true.
 #
+# THIS FUNCTIONALITY HAS NOT BEEN IMPLEMENTED
+#
 #UsersCannotAllowInvalidCerts true
diff --git a/CASA-auth-token/non-java/client/linux/Makefile.am b/CASA-auth-token/non-java/client/linux/Makefile.am
index 6668e29b..36347e62 100644
--- a/CASA-auth-token/non-java/client/linux/Makefile.am
+++ b/CASA-auth-token/non-java/client/linux/Makefile.am
@@ -55,6 +55,7 @@ CFILES = ../authmech.c \
 ../getpolicymsg.c \
 ../gettokenmsg.c \
 ../util.c \
+ ../invalidcert.c \
 rpc.c \
 platform.c
diff --git a/CASA-auth-token/non-java/client/linux/rpc.c b/CASA-auth-token/non-java/client/linux/rpc.c
index 49f44036..253dbaed 100644
--- a/CASA-auth-token/non-java/client/linux/rpc.c
+++ b/CASA-auth-token/non-java/client/linux/rpc.c
@@ -29,9 +29,6 @@
 //===[ Type definitions ]==================================================
-#define INITIAL_RESPONSE_DATA_BUF_SIZE 1028
-#define INCREMENT_RESPONSE_DATA_BUF_SIZE 256
-
 #define MAX_RPC_RETRIES 3
 //===[ Function prototypes ]===============================================
@@ -310,13 +307,14 @@ InternalRpc(
 // L2
 //=======================================================================--
 {
+#define CASA_STATUS_INVALID_SERVER_CERTIFICATE CASA_STATUS_UNSUCCESSFUL // temporary until casa_status.h is updated
+
 CasaStatus retStatus;
 char *pPartialUrl;
 int partialUrlLen;
 char *pUrl;
 CURLcode curlResult;
-
 DbgTrace(1, "-InternalRpc- Start\n", 0);
 // Initialize output parameters
@@ -328,13 +326,42 @@ InternalRpc(
 {
 pPartialUrl = pSession->pPartialHttpsUrl;
 partialUrlLen = pSession->partialHttpsUrlLen;
+
+ // Check if we need to ignore invalid CERTS
+ if (flags & ALLOW_INVALID_CERTS_RPC_FLAG)
+ {
+ if ((curlResult = curl_easy_setopt(pSession->hCurl, CURLOPT_SSL_VERIFYPEER, 0)) != CURLE_OK)
+ {
+ DbgTrace(0, "-InternalRpc- Error setting CURLOPT_SSL_VERIFYPEER, code = %d\n", curlResult);
+ }
+
+ if ((curlResult = curl_easy_setopt(pSession->hCurl, CURLOPT_SSL_VERIFYHOST, 0)) != CURLE_OK)
+ {
+ DbgTrace(0, "-InternalRpc- Error setting CURLOPT_SSL_VERIFYHOST, code = %d\n", curlResult);
+ }
+ }
+ else
+ {
+ if ((curlResult = curl_easy_setopt(pSession->hCurl, CURLOPT_SSL_VERIFYPEER, 1)) != CURLE_OK)
+ {
+ DbgTrace(0, "-InternalRpc- Error setting CURLOPT_SSL_VERIFYPEER, code = %d\n", curlResult);
+ }
+
+ if ((curlResult = curl_easy_setopt(pSession->hCurl, CURLOPT_SSL_VERIFYHOST, 2)) != CURLE_OK)
+ {
+ DbgTrace(0, "-InternalRpc- Error setting CURLOPT_SSL_VERIFYHOST, code = %d\n", curlResult);
+ }
+ }
+
 }
 else
 {
 pPartialUrl = pSession->pPartialHttpUrl;
 partialUrlLen = pSession->partialHttpUrlLen;
 }
+
 pUrl = (char*) malloc(partialUrlLen + strlen(pMethod) + 1);
+
 if (pUrl)
 {
 strcpy(pUrl, pPartialUrl);
diff --git a/CASA-auth-token/non-java/client/windows/rpc.c b/CASA-auth-token/non-java/client/windows/rpc.c
index 3b4fcf6d..e792a883 100644
--- a/CASA-auth-token/non-java/client/windows/rpc.c
+++ b/CASA-auth-token/non-java/client/windows/rpc.c
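Review bot: The `#define CASA_STATUS_INVALID_SERVER_CERTIFICATE` placed just after the opening brace of InternalRpc is not scoped to the function; the preprocessor keeps it for the rest of the translation unit, and once casa_status.h gains the real definition with a different value every build that includes it will hit a macro redefinition with no graceful fallback. Guard it at file scope instead, `#ifndef CASA_STATUS_INVALID_SERVER_CERTIFICATE` / `#define CASA_STATUS_INVALID_SERVER_CERTIFICATE CASA_STATUS_UNSUCCESSFUL // temporary until casa_status.h is updated` / `#endif`, so the stop-gap disappears on its own when the header is updated. While the alias stands, a server-certificate failure is indistinguishable from any other failure to code that compares the status, which seems worth recording in that comment. InternalRpc begins before this hunk and its body continues past it.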
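Review bot: In the new `else` branch that re-enables verification, a failed `curl_easy_setopt` for `CURLOPT_SSL_VERIFYPEER` or `CURLOPT_SSL_VERIFYHOST` is only traced and the request still goes out. Since `pSession->hCurl` appears to be a handle that lives with the session, an earlier call on the same session made with `ALLOW_INVALID_CERTS_RPC_FLAG` would have left both checks disabled, so a later unflagged request could be sent without certificate verification; on failure in that branch, set `retStatus` to an error status and skip the request rather than fall through (the hunk cuts off before the function's exit path, so the exact cleanup label is not visible here). The option values should also be passed as `long` (`0L`, `1L`, `2L`), because `curl_easy_setopt` is variadic and reads these options as long. The four near-identical setopt blocks would read better as one small helper taking the two desired values, which would also give the failure handling a single place to live.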
@@ -636,6 +636,10 @@ InternalRpc(
 {
 DbgTrace(1, "-InternalRpc- User approved invalid certificate from %s\n", pSession->pHostName);
+ // tbd - Investigate if there is a way to set the accepted certificate in a store so that
+ // it can be utilized by the SSL stack directly. This would be a better method for dealing with
+ // this issue.
+
 AllowInvalidCertsFromHost(pSession->pHostName);
 // Try to retry the request
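Review bot: The new `tbd` comment above `AllowInvalidCertsFromHost(pSession->pHostName)` records a wish but not the risk that motivates it: judging by its argument, the exemption appears to be keyed by host name rather than by the certificate the user approved, so a later, different invalid certificate from the same host would presumably be accepted without a new prompt. Suggest saying so directly, e.g. `// TODO: the exemption below is per host name, not per approved certificate; storing the accepted certificate so the SSL stack validates against it would close that gap.` InternalRpc starts well before this hunk, and the retry the last comment refers to follows after it.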