From a19bd423c1e4d2f5552bab090ba2650c38fa7192 Mon Sep 17 00:00:00 2001 From: Gokul Singaraju Date: Tue, 19 Dec 2017 12:31:40 -0500 Subject: Implement TLS over HTTP Issue-ID: CERT-10 Change-Id: I25421331f249ea0a33fe9280534df8e66d08463f Signed-off-by: Gokul Singaraju --- .../evel/evel-library/code/evel_library/evel.c | 58 ++++++++++ .../evel/evel-library/code/evel_library/evel.h | 14 +++ .../code/evel_library/evel_event_mgr.c | 125 +++++++++++++++++++++ .../evel-library/code/evel_library/evel_internal.h | 16 +++ 4 files changed, 213 insertions(+) (limited to 'vnfs/VES5.0/evel/evel-library/code') diff --git a/vnfs/VES5.0/evel/evel-library/code/evel_library/evel.c b/vnfs/VES5.0/evel/evel-library/code/evel_library/evel.c index 246ed5de..c6ead7ad 100644 --- a/vnfs/VES5.0/evel/evel-library/code/evel_library/evel.c +++ b/vnfs/VES5.0/evel/evel-library/code/evel_library/evel.c @@ -67,8 +67,15 @@ char *functional_role = NULL; * @param path The optional path (may be NULL). * @param topic The optional topic part of the URL (may be NULL). * @param secure Whether to use HTTPS (0=HTTP, 1=HTTPS) + * @param cert_file_path Path to client certificate file + * @param key_file_path Path to client key file + * @param ca_info Path to CA cert file + * @param ca_file_path Path to CA cert files + * @param verify_peer SSL verification of peer 0 or 1 + * @param verify_host SSL verification of host 0 or 1 * @param username Username for Basic Authentication of requests. * @param password Password for Basic Authentication of requests. + * @param source_ip The ip of node we represent (NULL for default ip). * @param source_type The kind of node we represent. * @param role The role this node undertakes. * @param verbosity 0 for normal operation, positive values for chattier @@ -83,8 +90,15 @@ EVEL_ERR_CODES evel_initialize(const char * const fqdn, const char * const path, const char * const topic, int secure, + const char * const cert_file_path, + const char * const key_file_path, + const char * const ca_info, + const char * const ca_file_path, + long verify_peer, + long verify_host, const char * const username, const char * const password, + const char * const source_ip, EVEL_SOURCE_TYPES source_type, const char * const role, int verbosity @@ -134,6 +148,42 @@ EVEL_ERR_CODES evel_initialize(const char * const fqdn, } EVEL_INFO("API transport is: %s", secure ? "HTTPS" : "HTTP"); + if( secure ) { + assert( verify_peer >= 0 ); + assert( verify_host >= 0 ); + if (cert_file_path != NULL) + { + EVEL_INFO("Client cert is: %s", cert_file_path); + } + else + { + EVEL_INFO("No Client cert"); + } + if (key_file_path != NULL) + { + EVEL_INFO("Key file is: %s", key_file_path); + } + else + { + EVEL_INFO("No Key file"); + } + if (ca_file_path != NULL) + { + EVEL_INFO("Client CA certs path is: %s", ca_file_path); + } + else + { + EVEL_INFO("No CA certs path"); + } + if (ca_info != NULL) + { + EVEL_INFO("Client CA cert file is: %s", ca_info); + } + else + { + EVEL_INFO("No CA cert file"); + } + } EVEL_INFO("Event Source Type is: %d", source_type); EVEL_INFO("Functional Role is: %s", role); EVEL_INFO("Log verbosity is: %d", verbosity); @@ -200,6 +250,14 @@ EVEL_ERR_CODES evel_initialize(const char * const fqdn, /***************************************************************************/ rc = event_handler_initialize(event_api_url, throt_api_url, + source_ip, + secure, + cert_file_path, + key_file_path, + ca_info, + ca_file_path, + verify_peer, + verify_host, username, password, verbosity); diff --git a/vnfs/VES5.0/evel/evel-library/code/evel_library/evel.h b/vnfs/VES5.0/evel/evel-library/code/evel_library/evel.h index 6b7a8720..1c0bea74 100644 --- a/vnfs/VES5.0/evel/evel-library/code/evel_library/evel.h +++ b/vnfs/VES5.0/evel/evel-library/code/evel_library/evel.h @@ -1401,8 +1401,15 @@ typedef struct copyright { * @param path The optional path (may be NULL). * @param topic The optional topic part of the URL (may be NULL). * @param secure Whether to use HTTPS (0=HTTP, 1=HTTPS). + * @param cert_file_path Path to client certificate file + * @param key_file_path Path to client key file + * @param ca_info Path to CA info + * @param ca_file_path Path to CA file + * @param verify_peer SSL verification of peer 0 or 1 + * @param verify_host SSL verification of host 0 or 1 * @param username Username for Basic Authentication of requests. * @param password Password for Basic Authentication of requests. + * @param source_ip The ip of node we represent.(NULL for default ip) * @param source_type The kind of node we represent. * @param role The role this node undertakes. * @param verbosity 0 for normal operation, positive values for chattier @@ -1417,8 +1424,15 @@ EVEL_ERR_CODES evel_initialize(const char * const fqdn, const char * const path, const char * const topic, int secure, + const char * const cert_file_path, + const char * const key_file_path, + const char * const ca_info, + const char * const ca_file_path, + long verify_peer, + long verify_host, const char * const username, const char * const password, + const char * const source_ip, EVEL_SOURCE_TYPES source_type, const char * const role, int verbosity diff --git a/vnfs/VES5.0/evel/evel-library/code/evel_library/evel_event_mgr.c b/vnfs/VES5.0/evel/evel-library/code/evel_library/evel_event_mgr.c index 187a7090..5c6ca4b3 100644 --- a/vnfs/VES5.0/evel/evel-library/code/evel_library/evel_event_mgr.c +++ b/vnfs/VES5.0/evel/evel-library/code/evel_library/evel_event_mgr.c @@ -114,6 +114,14 @@ static char * evel_batch_api_url; * to be. * @param[in] throt_api_url * The URL where the Throttling API is expected to be. + * @param[in] source_ip Source IP of VES Agent + * @param[in] secure Whether Using http or https + * @param[in] cert_file_path Path to Client Certificate file + * @param[in] key_file_path Path to Client key file + * @param[in] ca_info Path to CA info file + * @param[in] ca_file_path Path to CA file + * @param[in] verify_peer Using peer verification or not 0 or 1 + * @param[in] verify_host Using host verification or not 0 or 1 * @param[in] username The username for the Basic Authentication of requests. * @param[in] password The password for the Basic Authentication of requests. * @param verbosity 0 for normal operation, positive values for chattier @@ -121,6 +129,14 @@ static char * evel_batch_api_url; *****************************************************************************/ EVEL_ERR_CODES event_handler_initialize(const char * const event_api_url, const char * const throt_api_url, + const char * const source_ip, + int secure, + const char * const cert_file_path, + const char * const key_file_path, + const char * const ca_info, + const char * const ca_file_path, + long verify_peer, + long verify_host, const char * const username, const char * const password, int verbosity) @@ -128,6 +144,7 @@ EVEL_ERR_CODES event_handler_initialize(const char * const event_api_url, int rc = EVEL_SUCCESS; CURLcode curl_rc = CURLE_OK; char batch_api_url[EVEL_MAX_URL_LEN + 1] = {0}; + char local_address[64]; EVEL_ENTER(); @@ -240,6 +257,114 @@ EVEL_ERR_CODES event_handler_initialize(const char * const event_api_url, goto exit_label; } + /***************************************************************************/ + /* configure local ip address if provided */ + /* Default ip if NULL */ + /***************************************************************************/ + if( source_ip != NULL ) + { + snprintf(local_address,sizeof(local_address),source_ip); + if( local_address[0] != '\0' ) + { + curl_rc = curl_easy_setopt(curl_handle, + CURLOPT_INTERFACE, + local_address); + if (curl_rc != CURLE_OK) + { + rc = EVEL_CURL_LIBRARY_FAIL; + log_error_state("Failed to initialize libCURL with the local address. " + "Error code=%d (%s)", curl_rc, curl_err_string); + goto exit_label; + } + } + } + + /***************************************************************************/ + /* configure SSL options for HTTPS transfers */ + /***************************************************************************/ + if( secure ) + { + if( cert_file_path != NULL ) + { + curl_rc = curl_easy_setopt(curl_handle, + CURLOPT_SSLCERT, + cert_file_path); + if (curl_rc != CURLE_OK) + { + rc = EVEL_CURL_LIBRARY_FAIL; + log_error_state("Failed to initialize libCURL with the client cert. " + "Error code=%d (%s)", curl_rc, curl_err_string); + goto exit_label; + } + } + + if( key_file_path != NULL ) + { + curl_rc = curl_easy_setopt(curl_handle, + CURLOPT_SSLKEY, + key_file_path); + if (curl_rc != CURLE_OK) + { + rc = EVEL_CURL_LIBRARY_FAIL; + log_error_state("Failed to initialize libCURL with the client key. " + "Error code=%d (%s)", curl_rc, curl_err_string); + goto exit_label; + } + } + + if( ca_info != NULL ) + { + curl_rc = curl_easy_setopt(curl_handle, + CURLOPT_CAINFO, + ca_info); + if (curl_rc != CURLE_OK) + { + rc = EVEL_CURL_LIBRARY_FAIL; + log_error_state("Failed to initialize libCURL with the CA cert file. " + "Error code=%d (%s)", curl_rc, curl_err_string); + goto exit_label; + } + } + + if( ca_file_path != NULL ) + { + curl_rc = curl_easy_setopt(curl_handle, + CURLOPT_CAPATH, + ca_file_path); + if (curl_rc != CURLE_OK) + { + rc = EVEL_CURL_LIBRARY_FAIL; + log_error_state("Failed to initialize libCURL with the CA cert path. " + "Error code=%d (%s)", curl_rc, curl_err_string); + goto exit_label; + } + } + + curl_rc = curl_easy_setopt(curl_handle, + CURLOPT_SSL_VERIFYPEER, + verify_peer); + if (curl_rc != CURLE_OK) + { + rc = EVEL_CURL_LIBRARY_FAIL; + log_error_state("Failed to initialize libCURL with SSL Server verification. " + "Error code=%d (%s)", curl_rc, curl_err_string); + goto exit_label; + } + curl_rc = curl_easy_setopt(curl_handle, + CURLOPT_SSL_VERIFYHOST, + verify_host); + if (curl_rc != CURLE_OK) + { + rc = EVEL_CURL_LIBRARY_FAIL; + log_error_state("Failed to initialize libCURL with Client host verification. " + "Error code=%d (%s)", curl_rc, curl_err_string); + goto exit_label; + } + + } + + + /***************************************************************************/ /* some servers don't like requests that are made without a user-agent */ /* field, so we provide one. */ diff --git a/vnfs/VES5.0/evel/evel-library/code/evel_library/evel_internal.h b/vnfs/VES5.0/evel/evel-library/code/evel_library/evel_internal.h index 46f71af1..dd4b4b7c 100644 --- a/vnfs/VES5.0/evel/evel-library/code/evel_library/evel_internal.h +++ b/vnfs/VES5.0/evel/evel-library/code/evel_library/evel_internal.h @@ -174,6 +174,14 @@ typedef struct evel_throttle_spec { * to be. * @param[in] throt_api_url * The URL where the Throttling API is expected to be. + * @param[in] source_ip Source IP of VES Agent + * @param[in] secure Whether Using http or https + * @param[in] cert_file_path Path to Client Certificate file + * @param[in] key_file_path Path to Client key file + * @param[in] ca_info Path to CA info file + * @param[in] ca_file_path Path to CA file + * @param[in] verify_peer Using peer verification or not + * @param[in] verify_host Using host verification or not * @param[in] username The username for the Basic Authentication of requests. * @param[in] password The password for the Basic Authentication of requests. * @param verbosity 0 for normal operation, positive values for chattier @@ -181,6 +189,14 @@ typedef struct evel_throttle_spec { *****************************************************************************/ EVEL_ERR_CODES event_handler_initialize(const char * const event_api_url, const char * const throt_api_url, + const char * const source_ip, + int secure, + const char * const cert_file_path, + const char * const key_file_path, + const char * const ca_info, + const char * const ca_file_path, + long verify_peer, + long verify_host, const char * const username, const char * const password, int verbosity); -- cgit 1.2.3-korg