author | Dave Beckett <dave@dajobe.org> | 2012-02-04 21:11:10 -0800 |
committer | Dave Beckett <dave@dajobe.org> | 2012-02-04 21:16:03 -0800 |
commit | 675ce17ce6fdea9b6c2d9bb8d59d6beac834255f (patch) | |
tree | bafa7f8f1bb7eb72bc08de5dcb25ca1c4c926512 /src | |
parent | 660fe085ac9f5b93338fb2d7b44f35d364207075 (diff) | |
Add options for controlling SSL certificate verifying
Add option RAPTOR_OPTION_WWW_SSL_VERIFY_PEER
for controlling verifying an SSL peer. Takes an integer value:
non-0 to verify peer SSL certificate (default 1)
Add option RAPTOR_OPTION_WWW_SSL_VERIFY_HOST
for controlling verifying an SSL host. Takes an integer value:
0 none, 1 CN match, 2 host match (default). Other values are ignored.
(raptor_www_set_ssl_verify_options): Added to set the verify options
on the raptor_www object.
Fixes Issue #0000469
http://bugs.librdf.org/mantis/view.php?id=469
Diffstat (limited to 'src')
-rw-r--r-- | src/raptor2.h.in | 8 | ||||
-rw-r--r-- | src/raptor_internal.h | 1 | ||||
-rw-r--r-- | src/raptor_option.c | 12 | ||||
-rw-r--r-- | src/raptor_parse.c | 19 | ||||
-rw-r--r-- | src/raptor_turtle_writer.c | 4 | ||||
-rw-r--r-- | src/raptor_www.c | 27 | ||||
-rw-r--r-- | src/raptor_www_curl.c | 15 |
7 files changed, 83 insertions, 3 deletions
diff --git a/src/raptor2.h.in b/src/raptor2.h.in
index 823420e3..88d2d637 100644
--- a/src/raptor2.h.in
+++ b/src/raptor2.h.in
@@ -525,6 +525,8 @@ typedef struct {
 * @RAPTOR_OPTION_WWW_CERT_FILENAME: String. SSL client certificate filename
 * @RAPTOR_OPTION_WWW_CERT_TYPE: String. SSL client certificate type
 * @RAPTOR_OPTION_WWW_CERT_PASSPHRASE: String. SSL client certificate passphrase
+ * @RAPTOR_OPTION_WWW_SSL_VERIFY_PEER: Integer. SSL verify peer - non-0 to verify peer SSL certificate (default)
+ * @RAPTOR_OPTION_WWW_SSL_VERIFY_HOST: Integer. SSL verify host - 0 none, 1 CN match, 2 host match (default). Other values are ignored.
 * @RAPTOR_OPTION_NO_FILE: Deny file reading requests inside other requests.
 * @RAPTOR_OPTION_LAST: Internal
 *
@@ -570,7 +572,9 @@ typedef enum {
 RAPTOR_OPTION_WWW_CERT_TYPE,
 RAPTOR_OPTION_WWW_CERT_PASSPHRASE,
 RAPTOR_OPTION_NO_FILE,
- RAPTOR_OPTION_LAST = RAPTOR_OPTION_NO_FILE
+ RAPTOR_OPTION_WWW_SSL_VERIFY_PEER,
+ RAPTOR_OPTION_WWW_SSL_VERIFY_HOST,
+ RAPTOR_OPTION_LAST = RAPTOR_OPTION_WWW_SSL_VERIFY_HOST
 } raptor_option;
 
 
@@ -1379,6 +1383,8 @@ void raptor_free_www(raptor_www *www);
 RAPTOR_API
 int raptor_www_set_ssl_cert_options(raptor_www* www, const char* cert_filename, const char* cert_type, const char* cert_passphrase);
 RAPTOR_API
+int raptor_www_set_ssl_verify_options(raptor_www* www, int verify_peer, int verify_host);
+RAPTOR_API
 void raptor_www_set_user_agent(raptor_www *www, const char *user_agent);
 RAPTOR_API
 void raptor_www_set_proxy(raptor_www *www, const char *proxy);
diff --git a/src/raptor_internal.h b/src/raptor_internal.h
index ce7d7118..b1c5e811 100644
--- a/src/raptor_internal.h
+++ b/src/raptor_internal.h
@@ -987,6 +987,7 @@ void raptor_www_curl_init(raptor_www *www);
 void raptor_www_curl_free(raptor_www *www);
 int raptor_www_curl_fetch(raptor_www *www);
 int raptor_www_curl_set_ssl_cert_options(raptor_www* www, const char* cert_filename, const char* cert_type, const char* cert_passphrase);
+int raptor_www_curl_set_ssl_verify_options(raptor_www* www, int verify_peer, int verify_host);
 
 void raptor_www_libfetch_init(raptor_www *www);
 void raptor_www_libfetch_free(raptor_www *www);
diff --git a/src/raptor_option.c b/src/raptor_option.c
index 2faecea0..6a151b9d 100644
--- a/src/raptor_option.c
+++ b/src/raptor_option.c
@@ -284,6 +284,18 @@ static const struct
 "noFile",
 "Parsers and SAX2 deny internal file requests."
 },
+ { RAPTOR_OPTION_WWW_SSL_VERIFY_PEER,
+ RAPTOR_OPTION_AREA_PARSER,
+ RAPTOR_OPTION_VALUE_TYPE_INT,
+ "wwwSslVerifyPeer",
+ "SSL verify peer certficate"
+ },
+ { RAPTOR_OPTION_WWW_SSL_VERIFY_HOST,
+ RAPTOR_OPTION_AREA_PARSER,
+ RAPTOR_OPTION_VALUE_TYPE_INT,
+ "wwwSslVerifyHost",
+ "SSL verify host matching"
+ }
 };
 
 
diff --git a/src/raptor_parse.c b/src/raptor_parse.c
index 397212b1..b4182895 100644
--- a/src/raptor_parse.c
+++ b/src/raptor_parse.c
@@ -351,8 +351,14 @@ raptor_new_parser(raptor_world* world, const char *name)
 raptor_object_options_init(&rdf_parser->options, RAPTOR_OPTION_AREA_PARSER);
 
- /* Initialise default (lax) option values */
+ /* Initialise defaults */
+
+ /* lax (no strict) parsing */
 raptor_parser_set_option(rdf_parser, RAPTOR_OPTION_STRICT, NULL, 0);
+ /* SSL verify peers */
+ raptor_parser_set_option(rdf_parser, RAPTOR_OPTION_WWW_SSL_VERIFY_PEER, NULL, 1);
+ /* SSL fully verify hosts */
+ raptor_parser_set_option(rdf_parser, RAPTOR_OPTION_WWW_SSL_VERIFY_HOST, NULL, 2);
 
 if(factory->init(rdf_parser, name)) {
 raptor_free_parser(rdf_parser);
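Review bot: The description string for RAPTOR_OPTION_WWW_SSL_VERIFY_PEER in the raptor_option.c hunk misspells "certificate" as "certficate"; this text is what option listings show to users, so it should read `"SSL verify peer certficate"` → `"SSL verify peer certificate"`. The two new entries are registered only in RAPTOR_OPTION_AREA_PARSER, which matches the defaults set in raptor_new_parser in the raptor_parse.c hunk; if the verify settings are meant to be reachable from other areas that use raptor_www, that is presumably a separate follow-up, but a short sentence in the option descriptions saying the options are parser-level would remove the ambiguity.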
@@ -722,7 +728,9 @@ raptor_parser_parse_uri_with_connection(raptor_parser* rdf_parser,
 char* cert_filename = NULL;
 char* cert_type = NULL;
 char* cert_passphrase = NULL;
-
+ int ssl_verify_peer;
+ int ssl_verify_host;
+
 if(connection) {
 if(rdf_parser->www)
 raptor_free_www(rdf_parser->www);
@@ -784,6 +792,13 @@ raptor_parser_parse_uri_with_connection(raptor_parser* rdf_parser,
 raptor_www_set_ssl_cert_options(rdf_parser->www, cert_filename, cert_type, cert_passphrase);
 
+ ssl_verify_peer = RAPTOR_OPTIONS_GET_NUMERIC(rdf_parser,
+ RAPTOR_OPTION_WWW_SSL_VERIFY_PEER);
+ ssl_verify_host = RAPTOR_OPTIONS_GET_NUMERIC(rdf_parser,
+ RAPTOR_OPTION_WWW_SSL_VERIFY_HOST);
+ raptor_www_set_ssl_verify_options(rdf_parser->www, ssl_verify_peer,
+ ssl_verify_host);
+
 ret = raptor_www_fetch(rdf_parser->www, uri);
 
 if(!rpbc.started && !ret)
diff --git a/src/raptor_turtle_writer.c b/src/raptor_turtle_writer.c
index 57683510..7701d314 100644
--- a/src/raptor_turtle_writer.c
+++ b/src/raptor_turtle_writer.c
@@ -733,6 +733,8 @@ raptor_turtle_writer_set_option(raptor_turtle_writer *turtle_writer,
 case RAPTOR_OPTION_WWW_CERT_FILENAME:
 case RAPTOR_OPTION_WWW_CERT_TYPE:
 case RAPTOR_OPTION_WWW_CERT_PASSPHRASE:
+ case RAPTOR_OPTION_WWW_SSL_VERIFY_PEER:
+ case RAPTOR_OPTION_WWW_SSL_VERIFY_HOST:
 default:
 return -1;
 
@@ -855,6 +857,8 @@ raptor_turtle_writer_get_option(raptor_turtle_writer *turtle_writer,
 case RAPTOR_OPTION_WWW_CERT_FILENAME:
 case RAPTOR_OPTION_WWW_CERT_TYPE:
 case RAPTOR_OPTION_WWW_CERT_PASSPHRASE:
+ case RAPTOR_OPTION_WWW_SSL_VERIFY_PEER:
+ case RAPTOR_OPTION_WWW_SSL_VERIFY_HOST:
 default:
 break;
 
diff --git a/src/raptor_www.c b/src/raptor_www.c
index bb9f5a7c..f70dcfe0 100644
--- a/src/raptor_www.c
+++ b/src/raptor_www.c
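Review bot: The return value of raptor_www_set_ssl_verify_options() is dropped in the @@ -784 hunk of raptor_parse.c, while the raptor_www.c hunk makes that function return 1 whenever libcurl is not the WWW backend, so a parser whose options ask for peer or host verification fetches anyway with no indication that the setting was not applied. Failing the fetch here would break every non-libcurl build, because raptor_new_parser now sets these options unconditionally, so a warning on the parser's error path is the proportionate fix: `if(raptor_www_set_ssl_verify_options(rdf_parser->www, ssl_verify_peer, ssl_verify_host))` followed by `raptor_parser_warning(rdf_parser, "SSL verify options not supported by WWW library");` (assuming raptor_parser_warning is the parser-level warning helper used elsewhere in this file). raptor_parser_parse_uri_with_connection starts and ends outside both hunks.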
@@ -494,6 +494,33 @@ raptor_www_set_ssl_cert_options(raptor_www* www,
 
 
 /**
+ * raptor_www_set_ssl_verify_options:
+ * @www: WWW object
+ * @verify_peer: SSL verify peer - non-0 to verify peer SSL certificate (default)
+ * @verify_host: SSL verify host - 0 none, 1 CN match, 2 host match (default). Other values are ignored.
+ *
+ * Set whether SSL verifies the authenticity of the peer's certificate
+ *
+ * These options correspond to setting the curl
+ * CURLOPT_SSL_VERIFYPEER and CURLOPT_SSL_VERIFYHOST options.
+ *
+ * Return value: non-0 on failure
+ **/
+int
+raptor_www_set_ssl_verify_options(raptor_www* www, int verify_peer,
+ int verify_host)
+{
+#ifdef RAPTOR_WWW_LIBCURL
+ return raptor_www_curl_set_ssl_verify_options(www, verify_peer,
+ verify_host);
+#else
+ return 1;
+#endif
+}
+
+
+
+/**
 * raptor_www_get_connection:
 * @www: #raptor_www object
 *
diff --git a/src/raptor_www_curl.c b/src/raptor_www_curl.c
index 5d010eef..03399565 100644
--- a/src/raptor_www_curl.c
+++ b/src/raptor_www_curl.c
@@ -282,4 +282,19 @@ raptor_www_curl_set_ssl_cert_options(raptor_www* www,
 }
 
 
+int
+raptor_www_curl_set_ssl_verify_options(raptor_www* www, int verify_peer,
+ int verify_host)
+{
+ if(verify_peer)
+ verify_peer = 1;
+ curl_easy_setopt(www->curl_handle, CURLOPT_SSL_VERIFYPEER, verify_peer);
+
+ if(verify_host >= 0 && verify_host <= 2)
+ curl_easy_setopt(www->curl_handle, CURLOPT_SSL_VERIFYHOST, verify_host);
+
+ return 0;
+}
+
+
 #endif /* RAPTOR_WWW_LIBCURL */
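Review bot: The doc block for raptor_www_set_ssl_verify_options in the raptor_www.c hunk says only `Return value: non-0 on failure`, but the #else branch returns 1 unconditionally, so on any build without libcurl every call reports failure and the verification behaviour is left at whatever the other WWW backend does by itself. Callers cannot tell "option rejected" from "option not supported here" unless the comment says so; make it `Return value: non-0 on failure, including always when libcurl is not the WWW library (the options are then not applied)`. It would also help to state next to @verify_host that an out-of-range value leaves the previous setting in place rather than resetting it to the default.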
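Review bot: Both curl_easy_setopt() calls in raptor_www_curl_set_ssl_verify_options pass an `int` for CURLOPT_SSL_VERIFYPEER and CURLOPT_SSL_VERIFYHOST, but libcurl documents these options as taking a `long` and reads the variadic argument as one, so on LP64 platforms the value libcurl sees is not guaranteed to be the value passed; both arguments should be cast to `(long)`. The CURLcode results are also discarded and the function returns 0 unconditionally, so a libcurl that rejects the option (for example an SSL backend without host-name verification) leaves the handle in an unverified state while the public wrapper reports success — check each result and return non-0 on CURLE_OK mismatch, which is what the raptor_www.c doc comment already promises. It is also worth documenting that verify_host = 1 (common-name-only match) is a weaker check than 2, and from memory later libcurl releases stop accepting 1 altogether, so 2 is the only setting callers should rely on.
```c
int
raptor_www_curl_set_ssl_verify_options(raptor_www* www, int verify_peer,
                                       int verify_host)
{
  CURLcode rc;

  /* libcurl reads these options as long; VERIFYPEER is a 0/1 flag */
  rc = curl_easy_setopt(www->curl_handle, CURLOPT_SSL_VERIFYPEER,
                        (long)(verify_peer ? 1 : 0));
  if(rc != CURLE_OK)
    return 1;

  /* 0 none, 1 CN match, 2 host match; other values leave the handle as is */
  if(verify_host >= 0 && verify_host <= 2) {
    rc = curl_easy_setopt(www->curl_handle, CURLOPT_SSL_VERIFYHOST,
                          (long)verify_host);
    if(rc != CURLE_OK)
      return 1;
  }

  return 0;
}
```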