summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
-rw-r--r--desktop/source/app/updater.cxx4
-rw-r--r--desktop/source/minidump/minidump.cxx4
-rw-r--r--extensions/source/update/check/download.cxx4
-rw-r--r--include/curlinit.hxx59
-rw-r--r--lingucomponent/source/spellcheck/languagetool/languagetoolimp.cxx5
-rw-r--r--linguistic/source/translate.cxx4
-rw-r--r--svl/source/crypto/cryptosign.cxx6
-rw-r--r--ucb/source/ucp/cmis/cmis_content.cxx5
-rw-r--r--ucb/source/ucp/ftp/ftploaderthread.cxx4
-rw-r--r--ucb/source/ucp/webdav-curl/CurlSession.cxx2
10 files changed, 97 insertions, 0 deletions
diff --git a/desktop/source/app/updater.cxx b/desktop/source/app/updater.cxx
index 92f060b976e2..7ff6234b4555 100644
--- a/desktop/source/app/updater.cxx
+++ b/desktop/source/app/updater.cxx
@@ -37,6 +37,8 @@
#include <orcus/json_document_tree.hpp>
#include <orcus/config.hpp>
#include <orcus/pstring.hpp>
+
+#include <curlinit.hxx>
#include <comphelper/hash.hxx>
#include <com/sun/star/container/XNameAccess.hpp>
@@ -546,6 +548,8 @@ std::string download_content(const OString& rURL, bool bFile, OUString& rHash)
if (!curl)
return std::string();
+ ::InitCurl_easy(curl.get());
+
curl_easy_setopt(curl.get(), CURLOPT_URL, rURL.getStr());
curl_easy_setopt(curl.get(), CURLOPT_USERAGENT, kUserAgent);
bool bUseProxy = false;
diff --git a/desktop/source/minidump/minidump.cxx b/desktop/source/minidump/minidump.cxx
index 0bf20f2aa419..7fbb0884987d 100644
--- a/desktop/source/minidump/minidump.cxx
+++ b/desktop/source/minidump/minidump.cxx
@@ -17,6 +17,8 @@
#include <curl/curl.h>
+#include <curlinit.hxx>
+
#ifdef _WIN32
#include <memory>
#include <windows.h>
@@ -95,6 +97,8 @@ static bool uploadContent(std::map<std::string, std::string>& parameters, std::s
if (!curl)
return false;
+ ::InitCurl_easy(curl);
+
std::string proxy, proxy_user_pwd, ca_certificate_file, file, url, version;
getProperty("Proxy", proxy, parameters);
diff --git a/extensions/source/update/check/download.cxx b/extensions/source/update/check/download.cxx
index 8f090ed9b6dd..2124ee5a0512 100644
--- a/extensions/source/update/check/download.cxx
+++ b/extensions/source/update/check/download.cxx
@@ -23,6 +23,8 @@
#include <curl/curl.h>
+#include <curlinit.hxx>
+
#include <o3tl/string_view.hxx>
#include <osl/diagnose.h>
#include <osl/file.h>
@@ -222,6 +224,8 @@ static bool curl_run(std::u16string_view rURL, OutData& out, const OString& aPro
if( nullptr != pCURL )
{
+ ::InitCurl_easy(pCURL);
+
out.curl = pCURL;
OString aURL(OUStringToOString(rURL, RTL_TEXTENCODING_UTF8));
diff --git a/include/curlinit.hxx b/include/curlinit.hxx
new file mode 100644
index 000000000000..8b3a9968419d
--- /dev/null
+++ b/include/curlinit.hxx
@@ -0,0 +1,59 @@
+/* -*- Mode: C++; tab-width: 4; indent-tabs-mode: nil; c-basic-offset: 4; fill-column: 100 -*- */
+/*
+ * This file is part of the LibreOffice project.
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ */
+
+#pragma once
+
+#include <curl/curl.h>
+
+#if defined(LINUX) && !defined(SYSTEM_CURL)
+#include <com/sun/star/uno/RuntimeException.hpp>
+
+#include <unistd.h>
+
+static char const* GetCABundleFile()
+{
+ // try system ones first; inspired by:
+ // https://www.happyassassin.net/posts/2015/01/12/a-note-about-ssltls-trusted-certificate-stores-and-platforms/
+ auto const candidates = {
+ "/etc/pki/tls/certs/ca-bundle.crt",
+ "/etc/pki/tls/certs/ca-bundle.trust.crt",
+ "/etc/ssl/certs/ca-certificates.crt",
+ "/var/lib/ca-certificates/ca-bundle.pem",
+ };
+ for (char const* const candidate : candidates)
+ {
+ if (access(candidate, R_OK) == 0)
+ {
+ return candidate;
+ }
+ }
+
+ throw css::uno::RuntimeException("no OpenSSL CA certificate bundle found");
+}
+
+static void InitCurl_easy(CURL* const pCURL)
+{
+ char const* const path = GetCABundleFile();
+ auto rc = curl_easy_setopt(pCURL, CURLOPT_CAINFO, path);
+ if (rc != CURLE_OK) // only if OOM?
+ {
+ throw css::uno::RuntimeException("CURLOPT_CAINFO failed");
+ }
+}
+
+#else
+
+static void InitCurl_easy(CURL* const)
+{
+ // these don't use OpenSSL so CAs work out of the box
+}
+
+#endif
+
+/* vim:set shiftwidth=4 softtabstop=4 expandtab cinoptions=b1,g0,N-s cinkeys+=0=break: */
diff --git a/lingucomponent/source/spellcheck/languagetool/languagetoolimp.cxx b/lingucomponent/source/spellcheck/languagetool/languagetoolimp.cxx
index 79d061e42c85..45b4f9df6bdc 100644
--- a/lingucomponent/source/spellcheck/languagetool/languagetoolimp.cxx
+++ b/lingucomponent/source/spellcheck/languagetool/languagetoolimp.cxx
@@ -41,6 +41,9 @@
#include <boost/property_tree/json_parser.hpp>
#include <algorithm>
#include <string_view>
+
+#include <curlinit.hxx>
+
#include <sal/log.hxx>
#include <tools/color.hxx>
#include <tools/long.hxx>
@@ -130,6 +133,8 @@ std::string makeHttpRequest_impl(std::u16string_view aURL, HTTP_METHOD method,
return {}; // empty string
}
+ ::InitCurl_easy(curl.get());
+
// Same useragent string as in CurlSession (ucp/webdav-curl/CurlSession.cxx)
curl_version_info_data const* const pVersion(curl_version_info(CURLVERSION_NOW));
assert(pVersion);
diff --git a/linguistic/source/translate.cxx b/linguistic/source/translate.cxx
index 12f5491e2129..fdd95fca2988 100644
--- a/linguistic/source/translate.cxx
+++ b/linguistic/source/translate.cxx
@@ -4,6 +4,7 @@
#include <rtl/string.h>
#include <boost/property_tree/ptree.hpp>
#include <boost/property_tree/json_parser.hpp>
+#include <curlinit.hxx>
#include <vcl/htmltransferable.hxx>
#include <tools/long.hxx>
@@ -16,6 +17,9 @@ OString Translate(const OString& rTargetLang, const OString& rAPIUrl, const OStr
std::unique_ptr<CURL, std::function<void(CURL*)>> curl(curl_easy_init(),
[](CURL* p) { curl_easy_cleanup(p); });
+
+ ::InitCurl_easy(curl.get());
+
(void)curl_easy_setopt(curl.get(), CURLOPT_URL, rAPIUrl.getStr());
(void)curl_easy_setopt(curl.get(), CURLOPT_FAILONERROR, 1L);
(void)curl_easy_setopt(curl.get(), CURLOPT_TIMEOUT, CURL_TIMEOUT);
diff --git a/svl/source/crypto/cryptosign.cxx b/svl/source/crypto/cryptosign.cxx
index e68ccb8aafda..378a62f1ea56 100644
--- a/svl/source/crypto/cryptosign.cxx
+++ b/svl/source/crypto/cryptosign.cxx
@@ -15,6 +15,10 @@
#include <svl/sigstruct.hxx>
#include <config_crypto.h>
+#if USE_CRYPTO_NSS
+#include <curlinit.hxx>
+#endif
+
#include <rtl/character.hxx>
#include <rtl/strbuf.hxx>
#include <rtl/string.hxx>
@@ -1086,6 +1090,8 @@ bool Signing::Sign(OStringBuffer& rCMSHexBuffer)
return false;
}
+ ::InitCurl_easy(curl);
+
SAL_INFO("svl.crypto", "Setting curl to verbose: " << (curl_easy_setopt(curl, CURLOPT_VERBOSE, 1) == CURLE_OK ? "OK" : "FAIL"));
if ((rc = curl_easy_setopt(curl, CURLOPT_URL, OUStringToOString(m_aSignTSA, RTL_TEXTENCODING_UTF8).getStr())) != CURLE_OK)
diff --git a/ucb/source/ucp/cmis/cmis_content.cxx b/ucb/source/ucp/cmis/cmis_content.cxx
index b5ad2cb738ce..b8ef0b77f734 100644
--- a/ucb/source/ucp/cmis/cmis_content.cxx
+++ b/ucb/source/ucp/cmis/cmis_content.cxx
@@ -56,6 +56,8 @@
#include <ucbhelper/proxydecider.hxx>
#include <ucbhelper/macros.hxx>
#include <sax/tools/converter.hxx>
+#include <curlinit.hxx>
+
#include <utility>
#include "auth_provider.hxx"
@@ -332,6 +334,9 @@ namespace cmis
new CertValidationHandler( xEnv, m_xContext, aBindingUrl.GetHost( ) ) );
libcmis::SessionFactory::setCertificateValidationHandler( certHandler );
+ // init libcurl callback
+ libcmis::SessionFactory::setCurlInitProtocolsFunction(&::InitCurl_easy);
+
// Get the auth credentials
AuthProvider aAuthProvider(xEnv, m_xIdentifier->getContentIdentifier(), m_aURL.getBindingUrl());
AuthProvider::setXEnv( xEnv );
diff --git a/ucb/source/ucp/ftp/ftploaderthread.cxx b/ucb/source/ucp/ftp/ftploaderthread.cxx
index f5ebfe36cdda..91130fc1bc9c 100644
--- a/ucb/source/ucp/ftp/ftploaderthread.cxx
+++ b/ucb/source/ucp/ftp/ftploaderthread.cxx
@@ -25,6 +25,8 @@
#include "ftploaderthread.hxx"
#include "curl.hxx"
+#include <curlinit.hxx>
+
using namespace ftp;
@@ -75,6 +77,8 @@ CURL* FTPLoaderThread::handle() {
if(!ret) {
ret = curl_easy_init();
if (ret != nullptr) {
+ ::InitCurl_easy(ret);
+
// Make sure curl is not internally using environment variables like
// "ftp_proxy":
if (curl_easy_setopt(ret, CURLOPT_PROXY, "") != CURLE_OK) {
diff --git a/ucb/source/ucp/webdav-curl/CurlSession.cxx b/ucb/source/ucp/webdav-curl/CurlSession.cxx
index a881a1703dec..1d85d5df0ca5 100644
--- a/ucb/source/ucp/webdav-curl/CurlSession.cxx
+++ b/ucb/source/ucp/webdav-curl/CurlSession.cxx
@@ -35,6 +35,7 @@
#include <rtl/uri.hxx>
#include <rtl/strbuf.hxx>
#include <rtl/ustrbuf.hxx>
+#include <curlinit.hxx>
#include <config_version.h>
#include <map>
@@ -680,6 +681,7 @@ CurlSession::CurlSession(uno::Reference<uno::XComponentContext> xContext,
assert(rc == CURLE_OK);
rc = curl_easy_setopt(m_pCurl.get(), CURLOPT_HEADERFUNCTION, &header_callback);
assert(rc == CURLE_OK);
+ ::InitCurl_easy(m_pCurl.get());
// tdf#149921 by default, with schannel (WNT) connection fails if revocation
// lists cannot be checked; try to limit the checking to when revocation
// lists can actually be retrieved (usually not the case for self-signed CA)