/* -*- Mode: C++; tab-width: 4; indent-tabs-mode: nil; c-basic-offset: 4; fill-column: 100 -*- */
/*
 * This file is part of the LibreOffice project.
 *
 * This Source Code Form is subject to the terms of the Mozilla Public
 * License, v. 2.0. If a copy of the MPL was not distributed with this
 * file, You can obtain one at http://mozilla.org/MPL/2.0/.
 */

#pragma once

#include <cassert>
#include <cstdlib>

#include <curl/curl.h>

#include <com/sun/star/uno/RuntimeException.hpp>
#include <officecfg/Office/Security.hxx>

// curl is built with --with-secure-transport on macOS and iOS so doesn't need these
// certs. Windows doesn't need them either, but let's assume everything else does
#if !defined(SYSTEM_OPENSSL) && !defined(_WIN32) && !defined(MACOSX) && !defined(IOS)
#define LO_CURL_NEEDS_CA_BUNDLE
#include "opensslinit.hxx"
#endif

#include <rtl/string.hxx>
#include <sal/log.hxx>

#include <config_version.h>

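/// Apply the project-wide transport-security and identification settings to a
/// freshly created curl easy handle.
///
/// @param pCURL  easy handle to configure; it is handed straight to
///               curl_easy_setopt, so it must be a valid, non-null handle.
/// @throws css::uno::RuntimeException
///         - when this build needs its own CA bundle (LO_CURL_NEEDS_CA_BUNDLE)
///           and none can be found, except on EMSCRIPTEN where only a warning
///           is logged and curl's default CA handling is left in place;
///         - when any of the curl options set here cannot be applied.
///
/// What gets configured, in order:
///  1. CURLOPT_CAINFO  - the bundled OpenSSL trust store (non-system OpenSSL only).
///  2. CURLOPT_CAPATH  - an extra CA directory from LO_CERTIFICATE_AUTHORITY_PATH.
///  3. TLS >= 1.2 and https-only (initial request, redirects and the proxy leg),
///     unless Office::Security::Net::AllowInsecureProtocols is set.
///  4. A User-Agent header.
///
/// Failures of the security-relevant options are turned into exceptions rather
/// than assert()s: an assert is compiled out in NDEBUG builds, which would let
/// the handle silently continue with curl's weaker defaults (older TLS, any
/// protocol, redirects to any scheme). curl's own description of the failure is
/// logged before throwing so the cause is not lost.
static void InitCurl_easy(CURL* const pCURL)
{
    CURLcode rc;

#if defined(LO_CURL_NEEDS_CA_BUNDLE)
    // This build carries its own OpenSSL; without a CA bundle every certificate
    // verification would fail, so a missing bundle is fatal (EMSCRIPTEN
    // excepted, see the @throws note above).
    char const* const path = GetCABundleFile();
    if (path == nullptr)
    {
#if defined EMSCRIPTEN
        SAL_WARN("ucb.ucp.webdav.curl", "no OpenSSL CA certificate bundle found");
#else
        throw css::uno::RuntimeException(u"no OpenSSL CA certificate bundle found"_ustr);
#endif
    }
    else
    {
        rc = curl_easy_setopt(pCURL, CURLOPT_CAINFO, path);
        if (rc != CURLE_OK) // only if OOM?
        {
            SAL_WARN("ucb.ucp.webdav.curl",
                     "CURLOPT_CAINFO failed: " << curl_easy_strerror(rc));
            throw css::uno::RuntimeException(u"CURLOPT_CAINFO failed"_ustr);
        }
    }
#endif

    // curl: "If you have a CA cert for the server stored someplace else than
    // in the default bundle, then the CURLOPT_CAPATH option might come handy
    // for you"
    // Note that this widens the trust store for every connection made through
    // the handle: whoever controls the process environment controls which extra
    // CAs are trusted, so the variable is a deployment-level trust decision.
    if (char const* const capath = getenv("LO_CERTIFICATE_AUTHORITY_PATH"))
    {
        rc = curl_easy_setopt(pCURL, CURLOPT_CAPATH, capath);
        if (rc != CURLE_OK)
        {
            SAL_WARN("ucb.ucp.webdav.curl",
                     "CURLOPT_CAPATH failed: " << curl_easy_strerror(rc));
            throw css::uno::RuntimeException(u"CURLOPT_CAPATH failed"_ustr);
        }
    }

    if (!officecfg::Office::Security::Net::AllowInsecureProtocols::get())
    {
        // curl documents these numeric options as taking a long and reads them
        // as such from the varargs, so pass a long explicitly instead of letting
        // the enum/int constant through. CURL_SSLVERSION_TLSv1_2 sets the
        // minimum accepted TLS version; the maximum stays at curl's default.
        rc = curl_easy_setopt(pCURL, CURLOPT_SSLVERSION,
                              static_cast<long>(CURL_SSLVERSION_TLSv1_2));
        if (rc != CURLE_OK)
        {
            SAL_WARN("ucb.ucp.webdav.curl",
                     "CURLOPT_SSLVERSION failed: " << curl_easy_strerror(rc));
            throw css::uno::RuntimeException(u"CURLOPT_SSLVERSION failed"_ustr);
        }
        // The same floor for the TLS connection to an https proxy.
        rc = curl_easy_setopt(pCURL, CURLOPT_PROXY_SSLVERSION,
                              static_cast<long>(CURL_SSLVERSION_TLSv1_2));
        if (rc != CURLE_OK)
        {
            SAL_WARN("ucb.ucp.webdav.curl",
                     "CURLOPT_PROXY_SSLVERSION failed: " << curl_easy_strerror(rc));
            throw css::uno::RuntimeException(u"CURLOPT_PROXY_SSLVERSION failed"_ustr);
        }

        // Restrict both the initial request and any redirect target to https,
        // so a redirect cannot downgrade to http or hop to another scheme.
        // The string form of the options replaced the bitmask form in curl 7.85.
#if (LIBCURL_VERSION_MAJOR > 7) || (LIBCURL_VERSION_MAJOR == 7 && LIBCURL_VERSION_MINOR >= 85)
        rc = curl_easy_setopt(pCURL, CURLOPT_PROTOCOLS_STR, "https");
        if (rc != CURLE_OK)
        {
            SAL_WARN("ucb.ucp.webdav.curl",
                     "CURLOPT_PROTOCOLS_STR failed: " << curl_easy_strerror(rc));
            throw css::uno::RuntimeException(u"CURLOPT_PROTOCOLS_STR failed"_ustr);
        }
        rc = curl_easy_setopt(pCURL, CURLOPT_REDIR_PROTOCOLS_STR, "https");
        if (rc != CURLE_OK)
        {
            SAL_WARN("ucb.ucp.webdav.curl",
                     "CURLOPT_REDIR_PROTOCOLS_STR failed: " << curl_easy_strerror(rc));
            throw css::uno::RuntimeException(u"CURLOPT_REDIR_PROTOCOLS_STR failed"_ustr);
        }
#else
        rc = curl_easy_setopt(pCURL, CURLOPT_PROTOCOLS, static_cast<long>(CURLPROTO_HTTPS));
        if (rc != CURLE_OK)
        {
            SAL_WARN("ucb.ucp.webdav.curl",
                     "CURLOPT_PROTOCOLS failed: " << curl_easy_strerror(rc));
            throw css::uno::RuntimeException(u"CURLOPT_PROTOCOLS failed"_ustr);
        }
        rc = curl_easy_setopt(pCURL, CURLOPT_REDIR_PROTOCOLS, static_cast<long>(CURLPROTO_HTTPS));
        if (rc != CURLE_OK)
        {
            SAL_WARN("ucb.ucp.webdav.curl",
                     "CURLOPT_REDIR_PROTOCOLS failed: " << curl_easy_strerror(rc));
            throw css::uno::RuntimeException(u"CURLOPT_REDIR_PROTOCOLS failed"_ustr);
        }
#endif
    }

    // Runtime (not compile-time) curl information: which backend actually
    // provides TLS in this process is only known here.
    curl_version_info_data const* const pVersion(curl_version_info(CURLVERSION_NOW));
    assert(pVersion);
    SAL_INFO("ucb.ucp.webdav.curl",
             "curl version: " << pVersion->version << " " << pVersion->host
                              << " features: " << ::std::hex << pVersion->features << " ssl: "
                              << pVersion->ssl_version << " libz: " << pVersion->libz_version);
    // Make sure a User-Agent header is always included, as at least
    // en.wikipedia.org:80 forces back 403 "Scripts should use an informative
    // User-Agent string with contact information, or they may be IP-blocked
    // without notice" otherwise:
    // Be aware that this string deliberately discloses the LibreOffice, curl
    // and TLS backend versions to every server contacted.
    OString const useragent(
        OString::Concat("LibreOffice " LIBO_VERSION_DOTTED " denylistedbackend/")
        + pVersion->version + " " + pVersion->ssl_version);
    // looks like an explicit "User-Agent" header in CURLOPT_HTTPHEADER
    // will override CURLOPT_USERAGENT, see Curl_http_useragent(), so no need
    // to check anything here
    rc = curl_easy_setopt(pCURL, CURLOPT_USERAGENT, useragent.getStr());
    if (rc != CURLE_OK) // realistically only on OOM, but do not continue silently
    {
        SAL_WARN("ucb.ucp.webdav.curl",
                 "CURLOPT_USERAGENT failed: " << curl_easy_strerror(rc));
        throw css::uno::RuntimeException(u"CURLOPT_USERAGENT failed"_ustr);
    }
}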

#undef LO_CURL_NEEDS_CA_BUNDLE

/* vim:set shiftwidth=4 softtabstop=4 expandtab cinoptions=b1,g0,N-s cinkeys+=0=break: */