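/* -*- Mode: C++; tab-width: 4; indent-tabs-mode: nil; c-basic-offset: 4; fill-column: 100 -*- */
/*
 * This file is part of the LibreOffice project.
 *
 * This Source Code Form is subject to the terms of the Mozilla Public
 * License, v. 2.0. If a copy of the MPL was not distributed with this
 * file, You can obtain one at http://mozilla.org/MPL/2.0/.
 */

#pragma once

// NOTE(review): the <...> header names of the bare #include lines in this file
// were not preserved in this copy; only "opensslinit.hxx" survived.
#include
#include

// curl is built with --with-secure-transport on macOS and iOS so doesn't need these
// certs. Windows doesn't need them either, but let's assume everything else does
#if !defined(SYSTEM_OPENSSL) && !defined(_WIN32) && !defined(MACOSX) && !defined(IOS)
#include

#define LO_CURL_NEEDS_CA_BUNDLE
#include "opensslinit.hxx"
#endif

#include
#include
#include

/**
 * Apply the common TLS trust and protocol settings, plus a default
 * User-Agent, to a curl easy handle.
 *
 * Trust anchors: where LO_CURL_NEEDS_CA_BUNDLE is defined, the bundle returned
 * by GetCABundleFile() is set as CURLOPT_CAINFO. If the environment variable
 * LO_CERTIFICATE_AUTHORITY_PATH is set, its value is passed as CURLOPT_CAPATH.
 *
 * Protocol policy: unless the AllowInsecureProtocols configuration setting is
 * enabled, the handle is limited to TLS 1.2 or later (for the proxy connection
 * too) and to https, for both the initial request and any redirect. When the
 * setting is enabled, none of these restrictions is applied here.
 *
 * @param pCURL  the easy handle to configure
 * @throws css::uno::RuntimeException  if a needed CA bundle is not found
 *         (except on EMSCRIPTEN, which only logs a warning), or if any of the
 *         trust or protocol options cannot be set.
 */
static void InitCurl_easy(CURL* const pCURL)
{
    CURLcode rc;

    // The TLS/protocol restrictions below are security controls, so a failure
    // to apply them must stop the setup. assert() is compiled out when NDEBUG
    // is defined and would let the handle be used without the restriction.
    auto const failClosed = [](CURLcode const code, OUString const& rMessage) {
        if (code != CURLE_OK)
        {
            throw css::uno::RuntimeException(rMessage);
        }
    };

#if defined(LO_CURL_NEEDS_CA_BUNDLE)
    char const* const path = GetCABundleFile();
    if (path == nullptr)
    {
#if defined EMSCRIPTEN
        // This build only warns and continues, so CURLOPT_CAINFO stays unset.
        SAL_WARN("ucb.ucp.webdav.curl", "no OpenSSL CA certificate bundle found");
#else
        throw css::uno::RuntimeException(u"no OpenSSL CA certificate bundle found"_ustr);
#endif
    }
    else
    {
        rc = curl_easy_setopt(pCURL, CURLOPT_CAINFO, path);
        if (rc != CURLE_OK) // only if OOM?
        {
            throw css::uno::RuntimeException(u"CURLOPT_CAINFO failed"_ustr);
        }
    }
#endif

    // curl: "If you have a CA cert for the server stored someplace else than
    // in the default bundle, then the CURLOPT_CAPATH option might come handy
    // for you"
    // The directory comes from the process environment, so whoever controls
    // the environment controls which extra CA certificates are trusted; treat
    // the variable as part of the trust configuration.
    if (char const* const capath = getenv("LO_CERTIFICATE_AUTHORITY_PATH"))
    {
        rc = curl_easy_setopt(pCURL, CURLOPT_CAPATH, capath);
        if (rc != CURLE_OK)
        {
            throw css::uno::RuntimeException(u"CURLOPT_CAPATH failed"_ustr);
        }
    }

    if (!officecfg::Office::Security::Net::AllowInsecureProtocols::get())
    {
        // Minimum TLS version for the server and for an HTTPS proxy.
        failClosed(curl_easy_setopt(pCURL, CURLOPT_SSLVERSION, CURL_SSLVERSION_TLSv1_2),
                   u"CURLOPT_SSLVERSION failed"_ustr);
        failClosed(curl_easy_setopt(pCURL, CURLOPT_PROXY_SSLVERSION, CURL_SSLVERSION_TLSv1_2),
                   u"CURLOPT_PROXY_SSLVERSION failed"_ustr);
        // Restrict redirects as well, so that a redirect cannot move the
        // transfer to a non-https scheme.
#if (LIBCURL_VERSION_MAJOR > 7) || (LIBCURL_VERSION_MAJOR == 7 && LIBCURL_VERSION_MINOR >= 85)
        failClosed(curl_easy_setopt(pCURL, CURLOPT_PROTOCOLS_STR, "https"),
                   u"CURLOPT_PROTOCOLS_STR failed"_ustr);
        failClosed(curl_easy_setopt(pCURL, CURLOPT_REDIR_PROTOCOLS_STR, "https"),
                   u"CURLOPT_REDIR_PROTOCOLS_STR failed"_ustr);
#else
        failClosed(curl_easy_setopt(pCURL, CURLOPT_PROTOCOLS, CURLPROTO_HTTPS),
                   u"CURLOPT_PROTOCOLS failed"_ustr);
        failClosed(curl_easy_setopt(pCURL, CURLOPT_REDIR_PROTOCOLS, CURLPROTO_HTTPS),
                   u"CURLOPT_REDIR_PROTOCOLS failed"_ustr);
#endif
    }

    curl_version_info_data const* const pVersion(curl_version_info(CURLVERSION_NOW));
    assert(pVersion);

    // libcurl reports ssl_version / libz_version as NULL when it was built
    // without the respective library; neither streaming nor concatenating a
    // null char pointer is valid, so substitute an empty string.
    auto const orEmpty = [](char const* const p) { return p != nullptr ? p : ""; };
    char const* const pSslVersion = orEmpty(pVersion->ssl_version);
    char const* const pLibzVersion = orEmpty(pVersion->libz_version);

    SAL_INFO("ucb.ucp.webdav.curl",
             "curl version: " << pVersion->version << " " << pVersion->host
                              << " features: " << ::std::hex << pVersion->features
                              << " ssl: " << pSslVersion << " libz: " << pLibzVersion);

    // Make sure a User-Agent header is always included, as at least
    // en.wikipedia.org:80 forces back 403 "Scripts should use an informative
    // User-Agent string with contact information, or they may be IP-blocked
    // without notice" otherwise:
    OString const useragent(
        OString::Concat("LibreOffice " LIBO_VERSION_DOTTED " denylistedbackend/")
        + pVersion->version + " " + pSslVersion);
    // looks like an explicit "User-Agent" header in CURLOPT_HTTPHEADER
    // will override CURLOPT_USERAGENT, see Curl_http_useragent(), so no need
    // to check anything here
    rc = curl_easy_setopt(pCURL, CURLOPT_USERAGENT, useragent.getStr());
    assert(rc == CURLE_OK);
}

#undef LO_CURL_NEEDS_CA_BUNDLE

/* vim:set shiftwidth=4 softtabstop=4 expandtab cinoptions=b1,g0,N-s cinkeys+=0=break: */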