search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
Merge branch '138-toggle-free-look-with-hotkey' into 'main/atys-live'
[ryzomcore.git] / nel / src / web / curl_certificates.cpp
blob52f04fe25d2fe6702ad93985d0b0d08df439f114
1 // Ryzom - MMORPG Framework <http://dev.ryzom.com/projects/ryzom/>
2 // Copyright (C) 2010-2019 Winch Gate Property Limited
3 //
4 // This source file has been modified by the following contributors:
5 // Copyright (C) 2019-2020 Jan BOON (Kaetemi) <jan.boon@kaetemi.be>
6 //
7 // This program is free software: you can redistribute it and/or modify
8 // it under the terms of the GNU Affero General Public License as
9 // published by the Free Software Foundation, either version 3 of the
10 // License, or (at your option) any later version.
11 //
12 // This program is distributed in the hope that it will be useful,
13 // but WITHOUT ANY WARRANTY; without even the implied warranty of
14 // MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
15 // GNU Affero General Public License for more details.
16 //
17 // You should have received a copy of the GNU Affero General Public License
18 // along with this program. If not, see <http://www.gnu.org/licenses/>.
19
20 #include "stdweb.h"
21 #include <nel/web/curl_certificates.h>
22
23 #include <nel/misc/common.h>
24 #include <nel/misc/debug.h>
25 #include <nel/misc/path.h>
26 #include <nel/misc/file.h>
27
28 // for compatibility with older versions
29 #ifndef CURL_AT_LEAST_VERSION
30 #define CURL_VERSION_BITS(x,y,z) ((x)<<16|(y)<<8|z)
31 #define CURL_AT_LEAST_VERSION(x,y,z) \
32 (LIBCURL_VERSION_NUM >= CURL_VERSION_BITS(x, y, z))
33 #endif
34
35
36 using namespace std;
37 using namespace NLMISC;
38 using namespace NLWEB;
39
40 #ifdef DEBUG_NEW
41 #define new DEBUG_NEW
42 #endif
43
44 namespace NLWEB
45 {
46 //
47 // x509CertList lifetime manager
48 //
49 class SX509Certificates
50 {
51 public:
52 struct CertEntry
53 {
54 X509 *cert;
55 std::string name;
56 std::string file;
57
58 bool operator == (const std::string &str)
59 {
60 return file == str;
61 }
62 };
63
64 std::vector<CertEntry> CertList;
65
66 bool isUsingOpenSSLBackend;
67 bool isInitialized;
68
69 SX509Certificates():isUsingOpenSSLBackend(false), isInitialized(false)
70 {
71 init();
72 }
73
74 ~SX509Certificates()
75 {
76 for (uint i = 0; i < CertList.size(); ++i)
77 {
78 X509_free(CertList[i].cert);
79 }
80
81 CertList.clear();
82 }
83
84 void init()
85 {
86 // init CURL
87 CURL *curl = curl_easy_init();
88 if (!curl) return;
89
90 // get information on CURL
91 curl_version_info_data *data = curl_version_info(CURLVERSION_NOW);
92
93 bool useOpenSSLBackend = false;
94
95 #if CURL_AT_LEAST_VERSION(7, 34, 0)
96 // get more information on CURL session
97 curl_tlssessioninfo *sessionInfo;
98
99 CURLINFO info;
100
101 #if CURL_AT_LEAST_VERSION(7, 48, 0)
102 info = CURLINFO_TLS_SSL_PTR;
103 #else
104 info = CURLINFO_TLS_SESSION;
105 #endif
106
107 CURLcode res = curl_easy_getinfo(curl, info, &sessionInfo);
108
109 // CURL using OpenSSL backend
110 if ((res == CURLE_OK) && sessionInfo && sessionInfo->backend == CURLSSLBACKEND_OPENSSL) useOpenSSLBackend = true;
111 #elif CURL_AT_LEAST_VERSION(7, 12, 3)
112 // get a list of OpenSSL engines
113 struct curl_slist *engines;
114
115 CURLcode res = curl_easy_getinfo(curl, CURLINFO_SSL_ENGINES, &engines);
116
117 // CURL using OpenSSL backend
118 // With OpenSSL compiled without any engine, engines will too return NULL
119 // Fortunately, if OpenSSL isn't compiled with engines means we compiled it ourself and CURL is a recent version
120 if ((res == CURLE_OK) && engines)
121 {
122 // free engines
123 curl_slist_free_all(engines);
124
125 useOpenSSLBackend = true;
126 }
127 #else
128 // TODO: implement an equivalent, but CURL 7.12 was released in 2004
129 #endif
130
131 // only use OpenSSL callback if not using Windows SSPI and using OpenSSL backend
132 if (useOpenSSLBackend && !(data && data->features & CURL_VERSION_SSPI))
133 {
134 isUsingOpenSSLBackend = true;
135 }
136 else
137 {
138 // if CURL is using SSPI or SChannel under Windows or DarwinSSL under OS X, we'll use native system CA Certs
139 isUsingOpenSSLBackend = false;
140 }
141
142 // clean up CURL
143 curl_easy_cleanup(curl);
144
145 isInitialized = true;
146 }
147
148 static std::string getCertName(X509 *cert)
149 {
150 // NULL certificate
151 if (!cert) return "";
152
153 X509_NAME *subject = X509_get_subject_name(cert);
154
155 std::string name;
156 unsigned char *tmp = NULL;
157
158 // construct a multiline string with name
159 for (int j = 0, jlen = X509_NAME_entry_count(subject); j < jlen; ++j)
160 {
161 X509_NAME_ENTRY *e = X509_NAME_get_entry(subject, j);
162 ASN1_STRING *d = X509_NAME_ENTRY_get_data(e);
163
164 if (ASN1_STRING_to_UTF8(&tmp, d) > 0)
165 {
166 name += NLMISC::toString("%s\n", tmp);
167
168 OPENSSL_free(tmp);
169 }
170 }
171
172 return name;
173 }
174
175 void addCertificatesFromFile(const std::string &cert)
176 {
177 if (!isInitialized)
178 {
179 nlwarning("CURL not initialized! Check if there are another errors");
180 return;
181 }
182
183 if (!isUsingOpenSSLBackend)
184 {
185 nlinfo("CURL not using OpenSSL backend! Unable to use custom certificates");
186 return;
187 }
188 else
189 {
190 nlinfo("CURL using OpenSSL backend!");
191 }
192
193 // this file was already loaded
194 if (std::find(CertList.begin(), CertList.end(), cert) != CertList.end()) return;
195
196 // look for certificate in search paths
197 string path = CPath::lookup(cert, false);
198
199 if (path.empty())
200 {
201 nlwarning("Unable to find %s", cert.c_str());
202 return;
203 }
204
205 nlinfo("CURL CA bundle '%s'", path.c_str());
206
207 CIFile file;
208
209 // open certificate
210 if (!file.open(path))
211 {
212 nlwarning("Unable to open %s", path.c_str());
213 return;
214 }
215
216 // load certificate content into memory
217 std::vector<uint8> buffer(file.getFileSize());
218 file.serialBuffer(&buffer[0], file.getFileSize());
219
220 // get a BIO
221 BIO *bio = BIO_new_mem_buf(&buffer[0], file.getFileSize());
222
223 if (bio)
224 {
225 // use it to read the PEM formatted certificate from memory into an X509
226 // structure that SSL can use
227 STACK_OF(X509_INFO) *info = PEM_X509_INFO_read_bio(bio, NULL, NULL, NULL);
228
229 if (info)
230 {
231 // iterate over all entries from the PEM file, add them to the x509_store one by one
232 for (sint i = 0; i < sk_X509_INFO_num(info); ++i)
233 {
234 X509_INFO *itmp = sk_X509_INFO_value(info, i);
235
236 if (itmp && itmp->x509)
237 {
238 CertEntry entry;
239 entry.cert = X509_dup(itmp->x509);
240 entry.file = cert;
241 entry.name = getCertName(entry.cert);
242
243 CertList.push_back(entry);
244 }
245 }
246
247 // cleanup
248 sk_X509_INFO_pop_free(info, X509_INFO_free);
249 }
250 else
251 {
252 nlwarning("Unable to read PEM info");
253 }
254
255 // decrease reference counts
256 BIO_free(bio);
257 }
258 else
259 {
260 nlwarning("Unable to allocate BIO buffer for certificates");
261 }
262 }
263 };
264
265 /// this will be initialized on startup and cleared on exit
266 static SX509Certificates x509CertListManager;
267
268 // cURL SSL certificate loading
269 static CURLcode sslCtxFunction(CURL *curl, void *sslctx, void *parm)
270 {
271 CURLcode res = CURLE_OK;
272
273 if (x509CertListManager.CertList.size() > 0)
274 {
275 SSL_CTX *ctx = (SSL_CTX*)sslctx;
276 X509_STORE *x509store = SSL_CTX_get_cert_store(ctx);
277 if (x509store)
278 {
279 char errorBuffer[1024];
280
281 for (uint i = 0, ilen = x509CertListManager.CertList.size(); i < ilen; ++i)
282 {
283 SX509Certificates::CertEntry entry = x509CertListManager.CertList[i];
284
285 // add our certificate to this store
286 if (X509_STORE_add_cert(x509store, entry.cert) == 0)
287 {
288 uint errCode = ERR_get_error();
289
290 // ignore already in hash table errors
291 if (ERR_GET_LIB(errCode) != ERR_LIB_X509 || ERR_GET_REASON(errCode) != X509_R_CERT_ALREADY_IN_HASH_TABLE)
292 {
293 ERR_error_string_n(errCode, errorBuffer, 1024);
294 nlwarning("Error adding certificate %s: %s", entry.name.c_str(), errorBuffer);
295 // There seems to be intermittent issues (on windows) where cert loading will fail for same 3 to 5 certs
296 // with an 'SSL_shutdown while in init' error. It does not seem to be fatal for connection.
297 //res = CURLE_SSL_CACERT;
298 }
299 }
300 else
301 {
302 // nldebug("Added certificate %s", entry.name.c_str());
303 }
304 }
305 }
306 else
307 {
308 nlwarning("SSL_CTX_get_cert_store returned NULL");
309 }
310 }
311 else
312 {
313 res = CURLE_SSL_CACERT;
314 }
315
316 return res;
317 }
318
319 // ***************************************************************************
320 // static
321 void CCurlCertificates::addCertificateFile(const std::string &cert)
322 {
323 x509CertListManager.addCertificatesFromFile(cert);
324 }
325
326 // ***************************************************************************
327 // static
328 void CCurlCertificates::useCertificates(CURL *curl)
329 {
330 // CURL must be valid, using OpenSSL backend and certificates must be loaded, else return
331 if (!curl || !x509CertListManager.isInitialized || !x509CertListManager.isUsingOpenSSLBackend || x509CertListManager.CertList.empty()) return;
332
333 curl_easy_setopt(curl, CURLOPT_SSLCERTTYPE, "PEM");
334
335 // would allow to provide the CA in memory instead of using CURLOPT_CAINFO, but needs to include and link OpenSSL
336 if (curl_easy_setopt(curl, CURLOPT_SSL_CTX_FUNCTION, &sslCtxFunction) != CURLE_OK)
337 {
338 nlwarning("Unable to support CURLOPT_SSL_CTX_FUNCTION, curl not compiled with OpenSSL ?");
339 }
340
341 // set both CURLOPT_CAINFO and CURLOPT_CAPATH to NULL to be sure we won't use default values (these files can be missing and generate errors)
342 curl_easy_setopt(curl, CURLOPT_CAINFO, NULL);
343 curl_easy_setopt(curl, CURLOPT_CAPATH, NULL);
344 }
345
346 }// namespace
347
348 /* end of file */