From 4d44167e34d346d72e576be3fc85836f080475c3 Mon Sep 17 00:00:00 2001
From: Suvendhu Hansa
Date: Thu, 27 Feb 2025 18:22:18 +0530
Subject: [PATCH] Added client authentication via ssl cert
---
 docs/api/uci/cwmp.md | 34 ++++++++++++++++++++++++++++++++++
 src/common.h | 3 ++-
 src/config.c | 5 +++++
 src/config.h | 2 ++
 src/http.c | 6 ++++++
 5 files changed, 49 insertions(+), 1 deletion(-)
diff --git a/docs/api/uci/cwmp.md b/docs/api/uci/cwmp.md
index 5156fdc..cb1811e 100644
--- a/docs/api/uci/cwmp.md
+++ b/docs/api/uci/cwmp.md
@@ -949,6 +949,40 @@
If set to **1**, icwmp will skip datatype validation on SPV operations.
+ + +
ssl_cert_path
+ + +
string
+ + +
no
+ + +
+ + +
Full path of SSL certificate in pem format, icwmp will send this certificate to ACS server for authentication.
+ + + + +
ssl_key_path
+ + +
string
+ + +
no
+ + +
+ + +
Full path of the pem file that has stored the key
+ + diff --git a/src/common.h b/src/common.h index 75b7540..662c112 100644 --- a/src/common.h +++ b/src/common.h @@ -170,7 +170,8 @@ typedef struct config { char auto_cdu_result_type[BUF_SIZE_16]; char auto_cdu_fault_code[BUF_SIZE_16]; char default_wan_iface[BUF_SIZE_32]; - + char cpe_ssl_certpath[BUF_SIZE_256]; + char cpe_ssl_keypath[BUF_SIZE_256]; } config; struct deviceid { diff --git a/src/config.c b/src/config.c index 17abee9..931b85b 100755 --- a/src/config.c +++ b/src/config.c @@ -76,8 +76,13 @@ int get_preinit_config() cwmp_ctx.conf.supported_amd_version = cwmp_ctx.conf.amd_version; + get_uci_path_value(NULL, UCI_CPE_SSL_CERT_PATH, cwmp_ctx.conf.cpe_ssl_certpath, BUF_SIZE_256); + get_uci_path_value(NULL, UCI_CPE_SSL_KEY_PATH, cwmp_ctx.conf.cpe_ssl_keypath, BUF_SIZE_256); + CWMP_LOG(DEBUG, "CWMP CONFIG - default wan interface: %s", cwmp_ctx.conf.default_wan_iface); CWMP_LOG(DEBUG, "CWMP CONFIG - amendement version: %d", cwmp_ctx.conf.amd_version); + CWMP_LOG(DEBUG, "CWMP CONFIG - cpe cert path: %s", cwmp_ctx.conf.cpe_ssl_certpath); + CWMP_LOG(DEBUG, "CWMP CONFIG - cpe key path: %s", cwmp_ctx.conf.cpe_ssl_keypath); return CWMP_OK; } diff --git a/src/config.h b/src/config.h index ad4988f..e2bd4d1 100755 --- a/src/config.h +++ b/src/config.h @@ -22,6 +22,8 @@ #define UCI_CPE_DEFAULT_WAN_IFACE "cwmp.cpe.default_wan_interface" #define UCI_CPE_INCOMING_RULE "cwmp.cpe.incoming_rule" #define UCI_CPE_AMD_VERSION "cwmp.cpe.amd_version" +#define UCI_CPE_SSL_CERT_PATH "cwmp.cpe.ssl_cert_path" +#define UCI_CPE_SSL_KEY_PATH "cwmp.cpe.ssl_key_path" int cwmp_get_deviceid(); int cwmp_config_reload(); diff --git a/src/http.c b/src/http.c index c18437e..8bed6e4 100644 --- a/src/http.c +++ b/src/http.c 
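Review bot: Nothing checks the private key file that `cwmp.cpe.ssl_key_path` points at before get_preinit_config accepts it in src/config.c: a key that is group- or world-readable, or a relative path, is taken as is. A `stat()` on `cwmp_ctx.conf.cpe_ssl_keypath` after the read, refusing or at least logging when `st_mode & (S_IRWXG | S_IRWXO)` is non-zero, would catch a badly provisioned key early. The return values of both `get_uci_path_value` calls are ignored as well; whether the buffer is left empty on failure depends on that helper, which is not visible here. get_preinit_config starts outside the hunk.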
@@ -117,6 +117,12 @@ static void http_set_security_options()
 curl_easy_setopt(curl, CURLOPT_SSL_VERIFYPEER, false);
 curl_easy_setopt(curl, CURLOPT_SSL_VERIFYHOST, 0);
 }
+
+ if (CWMP_STRLEN(cwmp_ctx.conf.cpe_ssl_certpath) != 0 && file_exists(cwmp_ctx.conf.cpe_ssl_certpath) &&
+ CWMP_STRLEN(cwmp_ctx.conf.cpe_ssl_keypath) != 0 && file_exists(cwmp_ctx.conf.cpe_ssl_keypath)) {
+ curl_easy_setopt(curl, CURLOPT_SSLCERT, cwmp_ctx.conf.cpe_ssl_certpath);
+ curl_easy_setopt(curl, CURLOPT_SSLKEY, cwmp_ctx.conf.cpe_ssl_keypath);
+ }
 }
 static void http_set_connection_options()
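Review bot: When the cert/key pair is configured but unusable, the added `if` in http_set_security_options falls through silently and the session goes to the ACS with no client certificate, so a typo in `ssl_key_path` or a half-configured pair shows up only as an authentication failure on the server side. Add a branch for that case, e.g. `else if (CWMP_STRLEN(cwmp_ctx.conf.cpe_ssl_certpath) != 0 || CWMP_STRLEN(cwmp_ctx.conf.cpe_ssl_keypath) != 0)` with a `CWMP_LOG` call above DEBUG level that names the path that failed. The `curl_easy_setopt` return values for `CURLOPT_SSLCERT` and `CURLOPT_SSLKEY` are dropped as well. The context lines just above turn off `CURLOPT_SSL_VERIFYPEER` and `CURLOPT_SSL_VERIFYHOST` on some path (its condition is outside the hunk); presenting a client certificate does not make up for that, because the CPE still accepts any server on that path. The function body starts outside the hunk.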