diff options
-rw-r--r-- | desktop/source/app/updater.cxx | 4 | ||||
-rw-r--r-- | desktop/source/minidump/minidump.cxx | 4 | ||||
-rw-r--r-- | extensions/source/update/check/download.cxx | 4 | ||||
-rw-r--r-- | include/curlinit.hxx | 59 | ||||
-rw-r--r-- | lingucomponent/source/spellcheck/languagetool/languagetoolimp.cxx | 5 | ||||
-rw-r--r-- | linguistic/source/translate.cxx | 4 | ||||
-rw-r--r-- | svl/source/crypto/cryptosign.cxx | 6 | ||||
-rw-r--r-- | ucb/source/ucp/cmis/cmis_content.cxx | 5 | ||||
-rw-r--r-- | ucb/source/ucp/ftp/ftploaderthread.cxx | 4 | ||||
-rw-r--r-- | ucb/source/ucp/webdav-curl/CurlSession.cxx | 2 |
10 files changed, 97 insertions, 0 deletions
diff --git a/desktop/source/app/updater.cxx b/desktop/source/app/updater.cxx index 92f060b976e2..7ff6234b4555 100644 --- a/desktop/source/app/updater.cxx +++ b/desktop/source/app/updater.cxx @@ -37,6 +37,8 @@ #include <orcus/json_document_tree.hpp> #include <orcus/config.hpp> #include <orcus/pstring.hpp> + +#include <curlinit.hxx> #include <comphelper/hash.hxx> #include <com/sun/star/container/XNameAccess.hpp> @@ -546,6 +548,8 @@ std::string download_content(const OString& rURL, bool bFile, OUString& rHash) if (!curl) return std::string(); + ::InitCurl_easy(curl.get()); + curl_easy_setopt(curl.get(), CURLOPT_URL, rURL.getStr()); curl_easy_setopt(curl.get(), CURLOPT_USERAGENT, kUserAgent); bool bUseProxy = false; diff --git a/desktop/source/minidump/minidump.cxx b/desktop/source/minidump/minidump.cxx index 0bf20f2aa419..7fbb0884987d 100644 --- a/desktop/source/minidump/minidump.cxx +++ b/desktop/source/minidump/minidump.cxx @@ -17,6 +17,8 @@ #include <curl/curl.h> +#include <curlinit.hxx> + #ifdef _WIN32 #include <memory> #include <windows.h> @@ -95,6 +97,8 @@ static bool uploadContent(std::map<std::string, std::string>& parameters, std::s if (!curl) return false; + ::InitCurl_easy(curl); + std::string proxy, proxy_user_pwd, ca_certificate_file, file, url, version; getProperty("Proxy", proxy, parameters); diff --git a/extensions/source/update/check/download.cxx b/extensions/source/update/check/download.cxx index 8f090ed9b6dd..2124ee5a0512 100644 --- a/extensions/source/update/check/download.cxx +++ b/extensions/source/update/check/download.cxx @@ -23,6 +23,8 @@ #include <curl/curl.h> +#include <curlinit.hxx> + #include <o3tl/string_view.hxx> #include <osl/diagnose.h> #include <osl/file.h> @@ -222,6 +224,8 @@ static bool curl_run(std::u16string_view rURL, OutData& out, const OString& aPro if( nullptr != pCURL ) { + ::InitCurl_easy(pCURL); + out.curl = pCURL; OString aURL(OUStringToOString(rURL, RTL_TEXTENCODING_UTF8)); diff --git a/include/curlinit.hxx b/include/curlinit.hxx new file mode 100644 index 000000000000..8b3a9968419d --- /dev/null +++ b/include/curlinit.hxx @@ -0,0 +1,59 @@ +/* -*- Mode: C++; tab-width: 4; indent-tabs-mode: nil; c-basic-offset: 4; fill-column: 100 -*- */ +/* + * This file is part of the LibreOffice project. + * + * This Source Code Form is subject to the terms of the Mozilla Public + * License, v. 2.0. If a copy of the MPL was not distributed with this + * file, You can obtain one at http://mozilla.org/MPL/2.0/. + */ + +#pragma once + +#include <curl/curl.h> + +#if defined(LINUX) && !defined(SYSTEM_CURL) +#include <com/sun/star/uno/RuntimeException.hpp> + +#include <unistd.h> + +static char const* GetCABundleFile() +{ + // try system ones first; inspired by: + // https://www.happyassassin.net/posts/2015/01/12/a-note-about-ssltls-trusted-certificate-stores-and-platforms/ + auto const candidates = { + "/etc/pki/tls/certs/ca-bundle.crt", + "/etc/pki/tls/certs/ca-bundle.trust.crt", + "/etc/ssl/certs/ca-certificates.crt", + "/var/lib/ca-certificates/ca-bundle.pem", + }; + for (char const* const candidate : candidates) + { + if (access(candidate, R_OK) == 0) + { + return candidate; + } + } + + throw css::uno::RuntimeException("no OpenSSL CA certificate bundle found"); +} + +static void InitCurl_easy(CURL* const pCURL) +{ + char const* const path = GetCABundleFile(); + auto rc = curl_easy_setopt(pCURL, CURLOPT_CAINFO, path); + if (rc != CURLE_OK) // only if OOM? + { + throw css::uno::RuntimeException("CURLOPT_CAINFO failed"); + } +} + +#else + +static void InitCurl_easy(CURL* const) +{ + // these don't use OpenSSL so CAs work out of the box +} + +#endif + +/* vim:set shiftwidth=4 softtabstop=4 expandtab cinoptions=b1,g0,N-s cinkeys+=0=break: */ diff --git a/lingucomponent/source/spellcheck/languagetool/languagetoolimp.cxx b/lingucomponent/source/spellcheck/languagetool/languagetoolimp.cxx index 79d061e42c85..45b4f9df6bdc 100644 --- a/lingucomponent/source/spellcheck/languagetool/languagetoolimp.cxx +++ b/lingucomponent/source/spellcheck/languagetool/languagetoolimp.cxx @@ -41,6 +41,9 @@ #include <boost/property_tree/json_parser.hpp> #include <algorithm> #include <string_view> + +#include <curlinit.hxx> + #include <sal/log.hxx> #include <tools/color.hxx> #include <tools/long.hxx> @@ -130,6 +133,8 @@ std::string makeHttpRequest_impl(std::u16string_view aURL, HTTP_METHOD method, return {}; // empty string } + ::InitCurl_easy(curl.get()); + // Same useragent string as in CurlSession (ucp/webdav-curl/CurlSession.cxx) curl_version_info_data const* const pVersion(curl_version_info(CURLVERSION_NOW)); assert(pVersion); diff --git a/linguistic/source/translate.cxx b/linguistic/source/translate.cxx index 12f5491e2129..fdd95fca2988 100644 --- a/linguistic/source/translate.cxx +++ b/linguistic/source/translate.cxx @@ -4,6 +4,7 @@ #include <rtl/string.h> #include <boost/property_tree/ptree.hpp> #include <boost/property_tree/json_parser.hpp> +#include <curlinit.hxx> #include <vcl/htmltransferable.hxx> #include <tools/long.hxx> @@ -16,6 +17,9 @@ OString Translate(const OString& rTargetLang, const OString& rAPIUrl, const OStr std::unique_ptr<CURL, std::function<void(CURL*)>> curl(curl_easy_init(), [](CURL* p) { curl_easy_cleanup(p); }); + + ::InitCurl_easy(curl.get()); + (void)curl_easy_setopt(curl.get(), CURLOPT_URL, rAPIUrl.getStr()); (void)curl_easy_setopt(curl.get(), CURLOPT_FAILONERROR, 1L); (void)curl_easy_setopt(curl.get(), CURLOPT_TIMEOUT, CURL_TIMEOUT); diff --git a/svl/source/crypto/cryptosign.cxx b/svl/source/crypto/cryptosign.cxx index e68ccb8aafda..378a62f1ea56 100644 --- a/svl/source/crypto/cryptosign.cxx +++ b/svl/source/crypto/cryptosign.cxx @@ -15,6 +15,10 @@ #include <svl/sigstruct.hxx> #include <config_crypto.h> +#if USE_CRYPTO_NSS +#include <curlinit.hxx> +#endif + #include <rtl/character.hxx> #include <rtl/strbuf.hxx> #include <rtl/string.hxx> @@ -1086,6 +1090,8 @@ bool Signing::Sign(OStringBuffer& rCMSHexBuffer) return false; } + ::InitCurl_easy(curl); + SAL_INFO("svl.crypto", "Setting curl to verbose: " << (curl_easy_setopt(curl, CURLOPT_VERBOSE, 1) == CURLE_OK ? "OK" : "FAIL")); if ((rc = curl_easy_setopt(curl, CURLOPT_URL, OUStringToOString(m_aSignTSA, RTL_TEXTENCODING_UTF8).getStr())) != CURLE_OK) diff --git a/ucb/source/ucp/cmis/cmis_content.cxx b/ucb/source/ucp/cmis/cmis_content.cxx index b5ad2cb738ce..b8ef0b77f734 100644 --- a/ucb/source/ucp/cmis/cmis_content.cxx +++ b/ucb/source/ucp/cmis/cmis_content.cxx @@ -56,6 +56,8 @@ #include <ucbhelper/proxydecider.hxx> #include <ucbhelper/macros.hxx> #include <sax/tools/converter.hxx> +#include <curlinit.hxx> + #include <utility> #include "auth_provider.hxx" @@ -332,6 +334,9 @@ namespace cmis new CertValidationHandler( xEnv, m_xContext, aBindingUrl.GetHost( ) ) ); libcmis::SessionFactory::setCertificateValidationHandler( certHandler ); + // init libcurl callback + libcmis::SessionFactory::setCurlInitProtocolsFunction(&::InitCurl_easy); + // Get the auth credentials AuthProvider aAuthProvider(xEnv, m_xIdentifier->getContentIdentifier(), m_aURL.getBindingUrl()); AuthProvider::setXEnv( xEnv ); diff --git a/ucb/source/ucp/ftp/ftploaderthread.cxx b/ucb/source/ucp/ftp/ftploaderthread.cxx index f5ebfe36cdda..91130fc1bc9c 100644 --- a/ucb/source/ucp/ftp/ftploaderthread.cxx +++ b/ucb/source/ucp/ftp/ftploaderthread.cxx @@ -25,6 +25,8 @@ #include "ftploaderthread.hxx" #include "curl.hxx" +#include <curlinit.hxx> + using namespace ftp; @@ -75,6 +77,8 @@ CURL* FTPLoaderThread::handle() { if(!ret) { ret = curl_easy_init(); if (ret != nullptr) { + ::InitCurl_easy(ret); + // Make sure curl is not internally using environment variables like // "ftp_proxy": if (curl_easy_setopt(ret, CURLOPT_PROXY, "") != CURLE_OK) { diff --git a/ucb/source/ucp/webdav-curl/CurlSession.cxx b/ucb/source/ucp/webdav-curl/CurlSession.cxx index a881a1703dec..1d85d5df0ca5 100644 --- a/ucb/source/ucp/webdav-curl/CurlSession.cxx +++ b/ucb/source/ucp/webdav-curl/CurlSession.cxx @@ -35,6 +35,7 @@ #include <rtl/uri.hxx> #include <rtl/strbuf.hxx> #include <rtl/ustrbuf.hxx> +#include <curlinit.hxx> #include <config_version.h> #include <map> @@ -680,6 +681,7 @@ CurlSession::CurlSession(uno::Reference<uno::XComponentContext> xContext, assert(rc == CURLE_OK); rc = curl_easy_setopt(m_pCurl.get(), CURLOPT_HEADERFUNCTION, &header_callback); assert(rc == CURLE_OK); + ::InitCurl_easy(m_pCurl.get()); // tdf#149921 by default, with schannel (WNT) connection fails if revocation // lists cannot be checked; try to limit the checking to when revocation // lists can actually be retrieved (usually not the case for self-signed CA) |