include/systools/curlinit.hxx

   1 /* -*- Mode: C++; tab-width: 4; indent-tabs-mode: nil; c-basic-offset: 4; fill-column: 100 -*- */
   2 /*
   3  * This file is part of the LibreOffice project.
   4  *
   5  * This Source Code Form is subject to the terms of the Mozilla Public
   6  * License, v. 2.0. If a copy of the MPL was not distributed with this
   7  * file, You can obtain one at http://mozilla.org/MPL/2.0/.
   8  */
   9
  10 #pragma once
  11
  12 #include <curl/curl.h>
  13
  14 #include <officecfg/Office/Security.hxx>
  15
  16 // curl is built with --with-secure-transport on macOS and iOS so doesn't need these
  17 // certs. Windows doesn't need them either, but let's assume everything else does
  18 #if !defined(SYSTEM_OPENSSL) && !defined(_WIN32) && !defined(MACOSX) && !defined(IOS)
  19 #include <com/sun/star/uno/RuntimeException.hpp>
  20
  21 #define LO_CURL_NEEDS_CA_BUNDLE
  22 #include "opensslinit.hxx"
  23 #endif
  24
  25 #include <rtl/string.hxx>
  26 #include <sal/log.hxx>
  27
  28 #include <config_version.h>
  29
  30 static void InitCurl_easy(CURL* const pCURL)
  31 {
  32     CURLcode rc;
  33
  34 #if defined(LO_CURL_NEEDS_CA_BUNDLE)
  35     char const* const path = GetCABundleFile();
  36     if (path == nullptr)
  37     {
  38 #if defined EMSCRIPTEN
  39         SAL_WARN("ucb.ucp.webdav.curl", "no OpenSSL CA certificate bundle found");
  40 #else
  41         throw css::uno::RuntimeException(u"no OpenSSL CA certificate bundle found"_ustr);
  42 #endif
  43     }
  44     else
  45     {
  46         rc = curl_easy_setopt(pCURL, CURLOPT_CAINFO, path);
  47         if (rc != CURLE_OK) // only if OOM?
  48         {
  49             throw css::uno::RuntimeException(u"CURLOPT_CAINFO failed"_ustr);
  50         }
  51     }
  52 #endif
  53
  54     // curl: "If you have a CA cert for the server stored someplace else than
  55     // in the default bundle, then the CURLOPT_CAPATH option might come handy
  56     // for you"
  57     if (char const* const capath = getenv("LO_CERTIFICATE_AUTHORITY_PATH"))
  58     {
  59         rc = curl_easy_setopt(pCURL, CURLOPT_CAPATH, capath);
  60         if (rc != CURLE_OK)
  61         {
  62             throw css::uno::RuntimeException("CURLOPT_CAPATH failed");
  63         }
  64     }
  65
  66     if (!officecfg::Office::Security::Net::AllowInsecureProtocols::get())
  67     {
  68         rc = curl_easy_setopt(pCURL, CURLOPT_SSLVERSION, CURL_SSLVERSION_TLSv1_2);
  69         assert(rc == CURLE_OK);
  70         rc = curl_easy_setopt(pCURL, CURLOPT_PROXY_SSLVERSION, CURL_SSLVERSION_TLSv1_2);
  71         assert(rc == CURLE_OK);
  72 #if (LIBCURL_VERSION_MAJOR > 7) || (LIBCURL_VERSION_MAJOR == 7 && LIBCURL_VERSION_MINOR >= 85)
  73         rc = curl_easy_setopt(pCURL, CURLOPT_PROTOCOLS_STR, "https");
  74         assert(rc == CURLE_OK);
  75         rc = curl_easy_setopt(pCURL, CURLOPT_REDIR_PROTOCOLS_STR, "https");
  76         assert(rc == CURLE_OK);
  77 #else
  78         rc = curl_easy_setopt(pCURL, CURLOPT_PROTOCOLS, CURLPROTO_HTTPS);
  79         assert(rc == CURLE_OK);
  80         rc = curl_easy_setopt(pCURL, CURLOPT_REDIR_PROTOCOLS, CURLPROTO_HTTPS);
  81         assert(rc == CURLE_OK);
  82 #endif
  83     }
  84
  85     curl_version_info_data const* const pVersion(curl_version_info(CURLVERSION_NOW));
  86     assert(pVersion);
  87     SAL_INFO("ucb.ucp.webdav.curl",
  88              "curl version: " << pVersion->version << " " << pVersion->host
  89                               << " features: " << ::std::hex << pVersion->features << " ssl: "
  90                               << pVersion->ssl_version << " libz: " << pVersion->libz_version);
  91     // Make sure a User-Agent header is always included, as at least
  92     // en.wikipedia.org:80 forces back 403 "Scripts should use an informative
  93     // User-Agent string with contact information, or they may be IP-blocked
  94     // without notice" otherwise:
  95     OString const useragent(
  96         OString::Concat("LibreOffice " LIBO_VERSION_DOTTED " denylistedbackend/")
  97         + pVersion->version + " " + pVersion->ssl_version);
  98     // looks like an explicit "User-Agent" header in CURLOPT_HTTPHEADER
  99     // will override CURLOPT_USERAGENT, see Curl_http_useragent(), so no need
 100     // to check anything here
 101     rc = curl_easy_setopt(pCURL, CURLOPT_USERAGENT, useragent.getStr());
 102     assert(rc == CURLE_OK);
 103 }
 104
 105 #undef LO_CURL_NEEDS_CA_BUNDLE
 106
 107 /* vim:set shiftwidth=4 softtabstop=4 expandtab cinoptions=b1,g0,N-s cinkeys+=0=break: */