2 files changed, 20 insertions, 0 deletions

diff --git a/configure.ac b/configure.ac
index fd50721..8397914 100644
--- a/configure.ac
+++ b/configure.ac
@@ -16,56 +16,70 @@ AC_WITH_PKGCONFIG
 PKG_CHECK_MODULES([OPENSSL],[openssl],,[
  AC_MSG_ERROR([no openssl library found. get one from http://www.openssl.org/])
 ])
 
 WANT_KONFORKA="yes"
 AC_ARG_ENABLE([konforka],
  AC_HELP_STRING([--disable-konforka],[do not use konforka library (default: use if found)]),
  [
   test "${enableval}" = "no" && WANT_KONFORKA="no"
  ]
 )
 if test "${WANT_KONFORKA}" = "yes" ; then
  PKG_CHECK_MODULES([KONFORKA],[konforka],[
   AC_SUBST([KONFORKA_CFLAGS])
   AC_SUBST([KONFORKA_LIBS])
   AC_DEFINE([HAVE_KONFORKA],,[defined in presence of konforka library])
   AC_DEFINE([OPKELE_HAVE_KONFORKA],,[defined in presence of konforka library])
   AC_SUBST([KONFORKA_KONFORKA],[konforka])
  ],[true])
 fi
 
 WANT_DOXYGEN="yes"
 AC_ARG_ENABLE([doxygen],
  AC_HELP_STRING([--disable-doxygen],[do not generate documentation]),
  [
   test "${enableval}" = "no" && WANT_DOXYGEN="no"
  ]
 )
 if test "${WANT_DOXYGEN}" = "yes" ; then
  AC_WITH_DOXYGEN
  AC_WITH_DOT
 else
  AM_CONDITIONAL([HAVE_DOXYGEN],[false])
  AM_CONDITIONAL([HAVE_DOT],[false])
 fi
 
 LIBCURL_CHECK_CONFIG(,,,[
  AC_MSG_ERROR([no required libcurl library. get one from http://curl.haxx.se/])
 ])
 AC_WITH_PCRE([
   AC_WITH_PCREPP(,[
    AC_MSG_ERROR([no pcre++ library found. get one at http://www.daemon.de/PCRE])
   ])
  ],[
   AC_MSG_ERROR([no pcre library found. get one at http://www.pcre.org/])
  ]
 )
 
+curl_ssl_verify_host="true"
+AC_ARG_ENABLE([ssl-verify-host],
+ AC_HELP_STRING([--disable-ssl-verify-host],[disable cURL cert/host relationships verification]),
+ [ test "${enableval}" = "no" && curl_ssl_verify_host="false" ]
+)
+${curl_ssl_verify_host} || AC_DEFINE([DISABLE_CURL_SSL_VERIFYHOST],,[defined if cURL is not to verify cert/host])
+
+curl_ssl_verify_peer="true"
+AC_ARG_ENABLE([ssl-verify-peer],
+ AC_HELP_STRING([--disable-ssl-verify-peer],[disable cURL cert validity verification]),
+ [ test "${enableval}" = "no" && curl_ssl_verify_peer="false" ]
+)
+${curl_ssl_verify_peer} || AC_DEFINE([DISABLE_CURL_SSL_VERIFYPEER],,[defined if cURL is not to verify cert validity])
+
 AC_CONFIG_FILES([
  Makefile
   libopkele.pc
   Doxyfile
  include/Makefile
  lib/Makefile
 ])
 AC_OUTPUT
diff --git a/lib/consumer.cc b/lib/consumer.cc
index 331b1e9..dc49405 100644
--- a/lib/consumer.cc
+++ b/lib/consumer.cc
@@ -1,88 +1,94 @@
 #include <algorithm>
 #include <cassert>
 #include <opkele/util.h>
 #include <opkele/exception.h>
 #include <opkele/data.h>
 #include <opkele/consumer.h>
 #include <openssl/sha.h>
 #include <openssl/hmac.h>
 #include <curl/curl.h>
 #include <pcre++.h>
 
 #include <iostream>
 
 #include "config.h"
 
 namespace opkele {
     using namespace std;
 
     class curl_t {
 	public:
 	    CURL *_c;
 
 	    curl_t() : _c(0) { }
 	    curl_t(CURL *c) : _c(c) { }
 	    ~curl_t() throw() { if(_c) curl_easy_cleanup(_c); }
 
 	    curl_t& operator=(CURL *c) { if(_c) curl_easy_cleanup(_c); _c=c; return *this; }
 
 	    operator const CURL*(void) const { return _c; }
 	    operator CURL*(void) { return _c; }
     };
 
     static CURLcode curl_misc_sets(CURL* c) {
 	CURLcode r;
 	(r=curl_easy_setopt(c,CURLOPT_FOLLOWLOCATION,1))
 	|| (r=curl_easy_setopt(c,CURLOPT_MAXREDIRS,5))
 	|| (r=curl_easy_setopt(c,CURLOPT_DNS_CACHE_TIMEOUT,120))
 	|| (r=curl_easy_setopt(c,CURLOPT_DNS_USE_GLOBAL_CACHE,1))
 	|| (r=curl_easy_setopt(c,CURLOPT_USERAGENT,PACKAGE_NAME"/"PACKAGE_VERSION))
 	|| (r=curl_easy_setopt(c,CURLOPT_TIMEOUT,20))
+#ifdef	DISABLE_CURL_SSL_VERIFYHOST
+	|| (r=curl_easy_setopt(c,CURLOPT_SSL_VERIFYHOST,0))
+#endif
+#ifdef	DISABLE_CURL_SSL_VERYPEER
+	|| (r=curl_easy_setopt(c,CURLOPT_SSL_VERIFYPEER,0))
+#endif
 	;
 	return r;
     }
 
     static size_t _curl_tostring(void *ptr,size_t size,size_t nmemb,void *stream) {
 	string *str = (string*)stream;
 	size_t bytes = size*nmemb;
 	size_t get = min(16384-str->length(),bytes);
 	str->append((const char*)ptr,get);
 	return get;
     }
 
     assoc_t consumer_t::associate(const string& server) {
 	util::dh_t dh = DH_new();
 	if(!dh)
 	    throw exception_openssl(OPKELE_CP_ "failed to DH_new()");
 	dh->p = util::dec_to_bignum(data::_default_p);
 	dh->g = util::dec_to_bignum(data::_default_g);
 	if(!DH_generate_key(dh))
 	    throw exception_openssl(OPKELE_CP_ "failed to DH_generate_key()");
 	string request = 
 	    "openid.mode=associate"
 	    "&openid.assoc_type=HMAC-SHA1"
 	    "&openid.session_type=DH-SHA1"
 	    "&openid.dh_consumer_public=";
 	request += util::url_encode(util::bignum_to_base64(dh->pub_key));
 	curl_t curl = curl_easy_init();
 	if(!curl)
 	    throw exception_curl(OPKELE_CP_ "failed to curl_easy_init()");
 	string response;
 	CURLcode r;
 	(r=curl_misc_sets(curl))
 	|| (r=curl_easy_setopt(curl,CURLOPT_URL,server.c_str()))
 	|| (r=curl_easy_setopt(curl,CURLOPT_POST,1))
 	|| (r=curl_easy_setopt(curl,CURLOPT_POSTFIELDS,request.data()))
 	|| (r=curl_easy_setopt(curl,CURLOPT_POSTFIELDSIZE,request.length()))
 	|| (r=curl_easy_setopt(curl,CURLOPT_WRITEFUNCTION,_curl_tostring))
 	|| (r=curl_easy_setopt(curl,CURLOPT_WRITEDATA,&response))
 	;
 	if(r)
 	    throw exception_curl(OPKELE_CP_ "failed to curl_easy_setopt()",r);
 	if(r=curl_easy_perform(curl))
 	    throw exception_curl(OPKELE_CP_ "failed to curl_easy_perform()",r);
 	params_t p; p.parse_keyvalues(response);
 	if(p.has_param("assoc_type") && p.get_param("assoc_type")!="HMAC-SHA1")
 	    throw bad_input(OPKELE_CP_ "unsupported assoc_type");
 	string st;
 	if(p.has_param("session_type")) st = p.get_param("session_type");