From 9fd2fffcd3408b4ec8942a0bc0a7d26801930c1f Mon Sep 17 00:00:00 2001
From: "imen.bhiri"
Date: Wed, 28 Sep 2016 15:43:24 +0100
Subject: [PATCH] Ticket refs #10256 : Secure file downloads

---
 config.c | 16 ++++++++++++++++
 config/cwmp | 2 +-
 external.c | 11 ++++++++---
 inc/cwmp.h | 4 +++-
 inc/xml.h | 1 +
 scripts/icwmp.sh | 13 +++++++++++--
 xml.c | 1 +
 7 files changed, 41 insertions(+), 7 deletions(-)

diff --git a/config.c b/config.c
index a646bcc..11afdf5 100644
--- a/config.c
+++ b/config.c
@@ -593,6 +593,22 @@ int get_global_config(struct config *conf)
 {
 FREE(conf->acs_ssl_capath);
 }
+ if((error = uci_get_value(UCI_HTTPS_SSL_CAPATH,&value)) == CWMP_OK)
+ {
+ if(value != NULL)
+ {
+ if (conf->https_ssl_capath != NULL)
+ {
+ free(conf->https_ssl_capath);
+ }
+ conf->https_ssl_capath = value;
+ value = NULL;
+ }
+ }
+ else
+ {
+ FREE(conf->https_ssl_capath);
+ }
 if((error = uci_get_value(UCI_ACS_INSECURE_ENABLE,&value)) == CWMP_OK)
 {
 if(value != NULL)
diff --git a/config/cwmp b/config/cwmp
index 5ef6428..e9d4f68 100644
--- a/config/cwmp
+++ b/config/cwmp
@@ -14,7 +14,7 @@ config 'cwmp' 'acs'
 option retry_min_wait_interval '5' #­ possible configs interval :[1000:65535]
 option retry_interval_multiplier '2000'
-
+ option https_ssl_capath ''
 config 'cwmp' 'cpe'
 option 'interface' 'eth0.1'
 option 'default_wan_interface' 'wan'
diff --git a/external.c b/external.c
index 26eb7f5..0dd9520 100644
--- a/external.c
+++ b/external.c
@@ -29,6 +29,7 @@
 #include "external.h"
 #include "cwmp.h"
+#include "xml.h"
 #include "log.h"
 #include 
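Review bot: The new `if (conf->https_ssl_capath != NULL) { free(conf->https_ssl_capath); }` re-implements by hand what the `FREE()` macro already used for `acs_ssl_capath` three lines above and in the new else branch does (presumably free-and-NULL), and `free(NULL)` is a no-op in any case, so `FREE(conf->https_ssl_capath);` keeps the new block consistent with the one it mirrors. The member is only assigned here; please confirm that whatever releases `struct config` (outside this patch) frees `https_ssl_capath` alongside `acs_ssl_capath`, otherwise it leaks at teardown. get_global_config starts and ends outside the hunk.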
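Review bot: The new `option https_ssl_capath ''` carries no comment, although the neighbouring `retry_min_wait_interval` option documents its meaning and range; add `# directory of CA certificates used to verify HTTPS download servers (empty: wget default)` so an operator knows what the empty default implies. The hunk also replaces the blank line that separated the `acs` section from `config 'cwmp' 'cpe'` instead of adding the option above it; keeping that separator makes the file easier to scan.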
@@ -254,10 +255,13 @@ int external_simple(char *command, char *arg, int c)
 int external_download(char *url, char *size, char *type, char *user, char *pass, time_t c)
 {
 DD(INFO,"executing download url '%s'", url);
-
- json_object *json_obj_out;
 char *id = NULL;
-
+ char *cert_path = NULL;
+ struct config *conf;
+ json_object *json_obj_out;
+ struct cwmp *cwmp = &cwmp_main;
+
+ conf = &(cwmp->conf);
 if (c) asprintf(&id, "%ld", c);
 /* send data to the script */
 json_obj_out = json_object_new_object();
@@ -269,6 +273,7 @@ int external_download(char *url, char *size, char *type, char *user, char *pass,
 if(user) json_obj_out_add(json_obj_out, "user", user);
 if(pass) json_obj_out_add(json_obj_out, "pass", pass);
 if(id) json_obj_out_add(json_obj_out, "ids", id);
+ if(cert_path) json_obj_out_add(json_obj_out, "cert_path", cert_path);
 external_write_pipe_output(json_object_to_json_string(json_obj_out));
 json_object_put(json_obj_out);
diff --git a/inc/cwmp.h b/inc/cwmp.h
index a835019..a9e6721 100644
--- a/inc/cwmp.h
+++ b/inc/cwmp.h
@@ -51,7 +51,8 @@
 #define UCI_ACS_PASSWD_PATH "cwmp.acs.passwd"
 #define UCI_ACS_PARAMETERKEY_PATH "cwmp.acs.ParameterKey"
 #define UCI_ACS_SSL_CAPATH "cwmp.acs.ssl_capath"
-#define UCI_ACS_INSECURE_ENABLE "cwmp.acs.insecure_enable"
+#define UCI_HTTPS_SSL_CAPATH "cwmp.acs.https_ssl_capath"
+#define UCI_ACS_INSECURE_ENABLE "cwmp.acs.insecure_enable"
 #define UCI_ACS_SSL_VERSION "cwmp.acs.ssl_version"
 #define UCI_ACS_COMPRESSION "cwmp.acs.compression"
 #define UCI_ACS_RETRY_MIN_WAIT_INTERVAL "cwmp.acs.retry_min_wait_interval"
@@ -176,6 +177,7 @@ typedef struct config {
 char *acs_passwd;
 char *acs_ssl_capath;
 char *acs_ssl_version;
+ char *https_ssl_capath;
 char *cpe_userid;
 char *cpe_passwd;
 char *dhcp_url_path;
diff --git a/inc/xml.h b/inc/xml.h
index fcfa258..064bd76 100644
--- a/inc/xml.h
+++ b/inc/xml.h
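Review bot: `cert_path` is initialised to NULL and never assigned on the new side, so the `if(cert_path)` added in the next hunk (@@ -269) can never fire and the script never receives `cert_path`; `conf` is set from `cwmp_main` but is likewise never read. Presumably the intent was `if (conf->https_ssl_capath && *conf->https_ssl_capath && strncmp(url, DOWNLOAD_PROTOCOL_HTTPS, strlen(DOWNLOAD_PROTOCOL_HTTPS)) == 0) cert_path = conf->https_ssl_capath;` right after `conf = &(cwmp->conf);`, which is also what the new `#include "xml.h"` appears to be for. The `*conf->https_ssl_capath` test matters because config/cwmp ships the option as `''`, and an empty value may otherwise reach the script as an empty `cert_path`. external_download's body continues past the @@ -269 hunk.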
@@ -19,6 +19,7 @@
 #define CWMP_MXML_TAB_SPACE " "
 #define DOWNLOAD_PROTOCOL_HTTP "http://"
+#define DOWNLOAD_PROTOCOL_HTTPS "https://"
 #define DOWNLOAD_PROTOCOL_FTP "ftp://"
 #define MAX_DOWNLOAD_QUEUE 10
 #define MAX_SCHEDULE_INFORM_QUEUE 10
diff --git a/scripts/icwmp.sh b/scripts/icwmp.sh
index 39a7128..f1ff9f4 100644
--- a/scripts/icwmp.sh
+++ b/scripts/icwmp.sh
@@ -234,15 +234,23 @@ handle_action() {
 if [ "$action" = "download" ]; then
 local fault_code="9000"
 if [ "$__arg4" = "" -o "$__arg5" = "" ];then
- wget -O /tmp/icwmp_download "$__arg1" 2> /dev/null
+ if [ "$__arg7" != ""];then
+ wget -O /tmp/icwmp_download --ca-directory=$__arg7 "$__arg1" 2> /dev/null
+ else
+ wget -O /tmp/icwmp_download "$__arg1" 2> /dev/null
+ fi
 if [ "$?" != "0" ];then
 let fault_code=$fault_code+$FAULT_CPE_DOWNLOAD_FAILURE
 icwmp_fault_output "" "$fault_code"
 return 1
 fi
 else
- local url="http://$__arg4:$__arg5@`echo $__arg1|sed 's/http:\/\///g'`"
+ local url=`echo "$__arg1" | sed -e "s@://@://$__arg4:$__arg5\@@g"`
+ if [ "$__arg7" == ""];then
 wget -O /tmp/icwmp_download "$url" 2> /dev/null
+ else
+ wget -O /tmp/icwmp_download --ca-directory=$__arg7 "$url" 2> /dev/null
+ fi
 if [ "$?" != "0" ];then
 let fault_code=$fault_code+$FAULT_CPE_DOWNLOAD_FAILURE
 icwmp_fault_output "" "$fault_code"
@@ -419,6 +427,7 @@ handle_action() {
 json_get_var __arg4 user
 json_get_var __arg5 pass
 json_get_var __arg6 ids
+ json_get_var __arg7 cert_path
 action="download"
 ;;
 du_download)
diff --git a/xml.c b/xml.c
index 333e400..e430893 100644
--- a/xml.c
+++ b/xml.c
@@ -4148,6 +4148,7 @@ int cwmp_handle_rpc_cpe_download(struct session *session, struct rpc *rpc)
 error = FAULT_CPE_INVALID_ARGUMENTS;
 }
 else if(strncmp(download->url,DOWNLOAD_PROTOCOL_HTTP,strlen(DOWNLOAD_PROTOCOL_HTTP))!=0 &&
+ strncmp(download->url,DOWNLOAD_PROTOCOL_HTTPS,strlen(DOWNLOAD_PROTOCOL_HTTPS))!=0 &&
 strncmp(download->url,DOWNLOAD_PROTOCOL_FTP,strlen(DOWNLOAD_PROTOCOL_FTP))!=0)
 {
 error = FAULT_CPE_FILE_TRANSFER_UNSUPPORTED_PROTOCOL;
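Review bot: Both new tests are written `[ "$__arg7" != ""]` and `[ "$__arg7" == ""]` without a space before `]`, so the word `""]` expands to `]`, `test` strips it as the closing bracket and is left with the two operands `"$__arg7" !=` — a syntax error that evaluates false for every value of `__arg7` (bash reports `unary operator expected`; confirm busybox behaves the same): the anonymous branch then never passes the CA directory, and the authenticated branch always passes `--ca-directory=$__arg7`, even when it is empty. Write them as `if [ -n "$__arg7" ]; then` and `if [ -z "$__arg7" ]; then` (`==` is not POSIX `test`; `=`/`-z` are) and quote the option value, `--ca-directory="$__arg7"`, so a path containing spaces stays one argument. The new credential line splices `$__arg4:$__arg5` into a sed expression, so a password containing `@`, `&` or `\` alters the sed program rather than the URL; plain parameter expansion, `local url="${__arg1%%://*}://$__arg4:$__arg5@${__arg1#*://}"`, builds the same URL without that hazard. handle_action starts and ends outside the hunk.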