[PATCH] libopkg: Add support for client certificate authentication

Jean Thomas jean.thomas at wifirst.fr
Wed Jun 21 07:59:41 PDT 2023


Add support for the `--certificate` option of `wget`, which allows
authenticating with a client certificate to a server that requests
one. This is useful for serving OpenWrt packages only to
authenticated devices.

>From `man wget`:
--certificate=file: Use the client certificate stored in file.
This is needed for servers that are configured to require certificates
from the clients that connect to them. Normally a certificate is not
required and this switch is optional.

Signed-off-by: Jean Thomas <jean.thomas at wifirst.fr>
---
 libopkg/opkg_conf.c     | 1 +
 libopkg/opkg_conf.h     | 1 +
 libopkg/opkg_download.c | 6 +++++-
 3 files changed, 7 insertions(+), 1 deletion(-)

diff --git a/libopkg/opkg_conf.c b/libopkg/opkg_conf.c
index 0cbd1cc..e82a58a 100644
--- a/libopkg/opkg_conf.c
+++ b/libopkg/opkg_conf.c
@@ -55,6 +55,7 @@ opkg_option_t options[] = {
 	{"force_checksum", OPKG_OPT_TYPE_BOOL, &_conf.force_checksum},
 	{"check_signature", OPKG_OPT_TYPE_BOOL, &_conf.check_signature},
 	{"no_check_certificate", OPKG_OPT_TYPE_BOOL, &_conf.no_check_certificate},
+	{"client_certificate", OPKG_OPT_TYPE_STRING, &_conf.client_certificate},
 	{"ftp_proxy", OPKG_OPT_TYPE_STRING, &_conf.ftp_proxy},
 	{"http_proxy", OPKG_OPT_TYPE_STRING, &_conf.http_proxy},
 	{"http_timeout", OPKG_OPT_TYPE_STRING, &_conf.http_timeout},
diff --git a/libopkg/opkg_conf.h b/libopkg/opkg_conf.h
index 781c8f4..d60245b 100644
--- a/libopkg/opkg_conf.h
+++ b/libopkg/opkg_conf.h
@@ -80,6 +80,7 @@ struct opkg_conf {
 	int check_signature;
 	int force_signature;
 	int no_check_certificate;
+	char *client_certificate;
 	int nodeps;		/* do not follow dependencies */
 	int nocase;		/* perform case insensitive matching */
 	char *offline_root;
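Review bot: The new `client_certificate` field has no comment, while the neighbouring `nodeps` and `nocase` fields explain themselves, and a reader cannot tell whether it holds a path or the certificate contents. The download hunk passes it straight to `wget --certificate`, so it is a file path; something like `char *client_certificate;	/* path to client cert file passed to wget --certificate */` would record that. The struct continues outside the hunk.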
diff --git a/libopkg/opkg_download.c b/libopkg/opkg_download.c
index af91f12..1347617 100644
--- a/libopkg/opkg_download.c
+++ b/libopkg/opkg_download.c
@@ -154,7 +154,7 @@ opkg_download(const char *src, const char *dest_file_name,
 
 	{
 		int res;
-		const char *argv[11];
+		const char *argv[13];
 		int i = 0;
 
 		argv[i++] = "wget";
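Review bot: The new bound in `const char *argv[13];` is still a hand-counted literal, and nothing visible in this hunk checks `i` against it as the conditional `argv[i++]` stores accumulate. An option added later without bumping the size would write past the end of this stack array. A comment listing the worst-case slots next to the declaration, or a guard such as `if (i >= (int)(sizeof(argv) / sizeof(argv[0]))) return -1;` before the final stores, would make the invariant explicit. The rest of the block, including the terminating entry, lies outside the hunk, so the worst-case count could not be confirmed from here.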
@@ -162,6 +162,10 @@ opkg_download(const char *src, const char *dest_file_name,
 		if (conf->no_check_certificate) {
 			argv[i++] = "--no-check-certificate";
 		}
+		if (conf->client_certificate) {
+			argv[i++] = "--certificate";
+			argv[i++] = conf->client_certificate;
+		}
 		if (conf->http_timeout) {
 			argv[i++] = "--timeout";
 			argv[i++] = conf->http_timeout;
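Review bot: Only the certificate path is forwarded in the `conf->client_certificate` branch, and no `--private-key` argument or matching config option is added. The file named by `client_certificate` therefore has to contain the private key as well, which makes it secret material that should be readable by root only. That deserves a comment at this branch, for example `/* file must also contain the private key (no --private-key is passed); keep it root-readable only */`, or a companion `client_private_key` option. It is also worth documenting that combining this with `no_check_certificate` presents the device credential to a server whose identity was not verified. The body of `opkg_download` continues outside the hunk.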
-- 
2.39.2



