strepsirrhini/office-gobmx
9
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions
office-gobmx/include/systools/curlinit.hxx
Caolán McNamara 31d2e0e7b4 map LO_CERTIFICATE_AUTHORITY_PATH to CURLOPT_CAPATH 
curl has both CURLOPT_CAINFO for the single-file collection
of certificates case and CURLOPT_CAPATH for the multi-file
exploder view of certificates, this adds support to
use CURLOPT_CAPATH as well as CURLOPT_CAINFO

Change-Id: I28163bbe81fa389eea70ef1289ed04a50a029c5f
Reviewed-on: https://gerrit.libreoffice.org/c/core/+/168825
Tested-by: Jenkins CollaboraOffice <jenkinscollaboraoffice@gmail.com>
Reviewed-by: Andras Timar <andras.timar@collabora.com>
Reviewed-on: https://gerrit.libreoffice.org/c/core/+/172327
Tested-by: Jenkins
Reviewed-by: Caolán McNamara <caolan.mcnamara@collabora.com>
2024-08-23 21:52:02 +02:00

107 lines
4 KiB
C++
Raw Blame History

/* -*- Mode: C++; tab-width: 4; indent-tabs-mode: nil; c-basic-offset: 4; fill-column: 100 -*- */
/*
* This file is part of the LibreOffice project.
*
* This Source Code Form is subject to the terms of the Mozilla Public
* License, v. 2.0. If a copy of the MPL was not distributed with this
* file, You can obtain one at http://mozilla.org/MPL/2.0/.
*/
#pragma once
#include <curl/curl.h>
#include <officecfg/Office/Security.hxx>
// curl is built with --with-secure-transport on macOS and iOS so doesn't need these
// certs. Windows doesn't need them either, but let's assume everything else does
#if !defined(SYSTEM_OPENSSL) && !defined(_WIN32) && !defined(MACOSX) && !defined(IOS)
#include <com/sun/star/uno/RuntimeException.hpp>
#define LO_CURL_NEEDS_CA_BUNDLE
#include "opensslinit.hxx"
#endif
#include <rtl/string.hxx>
#include <sal/log.hxx>
#include <config_version.h>
static void InitCurl_easy(CURL* const pCURL)
{
CURLcode rc;
#if defined(LO_CURL_NEEDS_CA_BUNDLE)
char const* const path = GetCABundleFile();
if (path == nullptr)
{
#if defined EMSCRIPTEN
SAL_WARN("ucb.ucp.webdav.curl", "no OpenSSL CA certificate bundle found");
#else
throw css::uno::RuntimeException(u"no OpenSSL CA certificate bundle found"_ustr);
#endif
}
else
{
rc = curl_easy_setopt(pCURL, CURLOPT_CAINFO, path);
if (rc != CURLE_OK) // only if OOM?
{
throw css::uno::RuntimeException(u"CURLOPT_CAINFO failed"_ustr);
}
}
#endif
// curl: "If you have a CA cert for the server stored someplace else than
// in the default bundle, then the CURLOPT_CAPATH option might come handy
// for you"
if (char const* const capath = getenv("LO_CERTIFICATE_AUTHORITY_PATH"))
{
rc = curl_easy_setopt(pCURL, CURLOPT_CAPATH, capath);
if (rc != CURLE_OK)
{
throw css::uno::RuntimeException("CURLOPT_CAPATH failed");
}
}
if (!officecfg::Office::Security::Net::AllowInsecureProtocols::get())
{
rc = curl_easy_setopt(pCURL, CURLOPT_SSLVERSION, CURL_SSLVERSION_TLSv1_2);
assert(rc == CURLE_OK);
rc = curl_easy_setopt(pCURL, CURLOPT_PROXY_SSLVERSION, CURL_SSLVERSION_TLSv1_2);
assert(rc == CURLE_OK);
#if (LIBCURL_VERSION_MAJOR > 7) || (LIBCURL_VERSION_MAJOR == 7 && LIBCURL_VERSION_MINOR >= 85)
rc = curl_easy_setopt(pCURL, CURLOPT_PROTOCOLS_STR, "https");
assert(rc == CURLE_OK);
rc = curl_easy_setopt(pCURL, CURLOPT_REDIR_PROTOCOLS_STR, "https");
assert(rc == CURLE_OK);
#else
rc = curl_easy_setopt(pCURL, CURLOPT_PROTOCOLS, CURLPROTO_HTTPS);
assert(rc == CURLE_OK);
rc = curl_easy_setopt(pCURL, CURLOPT_REDIR_PROTOCOLS, CURLPROTO_HTTPS);
assert(rc == CURLE_OK);
#endif
}
curl_version_info_data const* const pVersion(curl_version_info(CURLVERSION_NOW));
assert(pVersion);
SAL_INFO("ucb.ucp.webdav.curl",
"curl version: " << pVersion->version << " " << pVersion->host
<< " features: " << ::std::hex << pVersion->features << " ssl: "
<< pVersion->ssl_version << " libz: " << pVersion->libz_version);
// Make sure a User-Agent header is always included, as at least
// en.wikipedia.org:80 forces back 403 "Scripts should use an informative
// User-Agent string with contact information, or they may be IP-blocked
// without notice" otherwise:
OString const useragent(
OString::Concat("LibreOffice " LIBO_VERSION_DOTTED " denylistedbackend/")
+ pVersion->version + " " + pVersion->ssl_version);
// looks like an explicit "User-Agent" header in CURLOPT_HTTPHEADER
// will override CURLOPT_USERAGENT, see Curl_http_useragent(), so no need
// to check anything here
rc = curl_easy_setopt(pCURL, CURLOPT_USERAGENT, useragent.getStr());
assert(rc == CURLE_OK);
}
#undef LO_CURL_NEEDS_CA_BUNDLE
/* vim:set shiftwidth=4 softtabstop=4 expandtab cinoptions=b1,g0,N-s cinkeys+=0=break: */
Reference in a new issue View git blame Copy permalink