desktop/source/app/updater.cxx | 4 desktop/source/minidump/minidump.cxx | 4 extensions/source/update/check/download.cxx | 4 external/libcmis/0002-HttpSession-add-a-callback-that-can-be-used-to-confi.patch | 142 ++++++++++ external/libcmis/UnpackedTarball_libcmis.mk | 1 include/curlinit.hxx | 59 ++++ lingucomponent/source/spellcheck/languagetool/languagetoolimp.cxx | 3 linguistic/source/translate.cxx | 4 svl/source/crypto/cryptosign.cxx | 6 ucb/source/ucp/cmis/cmis_content.cxx | 5 ucb/source/ucp/ftp/ftploaderthread.cxx | 4 ucb/source/ucp/webdav-curl/CurlSession.cxx | 2 12 files changed, 238 insertions(+)
New commits: commit 6bb273876fb608d51f00b20e8cf7393eea6ce6b4 Author: Michael Stahl <[email protected]> AuthorDate: Fri Nov 3 20:16:09 2023 +0100 Commit: Andras Timar <[email protected]> CommitDate: Thu Nov 9 21:22:34 2023 +0100 curl: mitigate migration to OpenSSL on Linux The problem is that curl 8.3.0 removed the NSS backend, so we now have no other choice than to use the bundled OpenSSL on Linux. Currently any curl https connection fails with: CurlSession.cxx:963: curl_easy_perform failed: (60) SSL certificate problem: unable to get local issuer certificate Apparently this requires manually telling curl which CA certificates to trust; there is a configure flag --with-ca-bundle but that is useless as it tries to load the file relative to whatever is the current working directory, and also did i mention that there are at least 3 different locations where a Linux system may store its system trusted CA certificates because ALL ABOUT CHOICE. So add a new header with an init function to try out various file locations listed in this nice blog article and call it from way too many places that independently use curl. https://www.happyassassin.net/posts/2015/01/12/a-note-about-ssltls-trusted-certificate-stores-and-platforms/ TODO: perhaps bundle a cacert.pem as a fallback in case the system chose to innovate by putting its certificates in yet another unexpected place (regression from commit c2930ebff82c4f7ffe8377ab82627131f8544226) Change-Id: Ibf1cc0069bc2ae011ecead9a4c2b455e94b01241 Reviewed-on: https://gerrit.libreoffice.org/c/core/+/158915 Tested-by: Jenkins Reviewed-by: Michael Stahl <[email protected]> (cherry picked from commit 11f439b861922b9286b2e47ed326f3508a48d44e) Reviewed-on: https://gerrit.libreoffice.org/c/core/+/159218 Tested-by: Jenkins CollaboraOffice <[email protected]> Reviewed-by: Andras Timar <[email protected]> diff --git a/desktop/source/app/updater.cxx b/desktop/source/app/updater.cxx index 5fb18dfad0bf..4e4d2cda413f 100644 --- a/desktop/source/app/updater.cxx +++ b/desktop/source/app/updater.cxx @@ -37,6 +37,8 @@ #include <orcus/json_document_tree.hpp> #include <orcus/config.hpp> #include <orcus/pstring.hpp> + +#include <curlinit.hxx> #include <comphelper/hash.hxx> #include <com/sun/star/container/XNameAccess.hpp> @@ -546,6 +548,8 @@ std::string download_content(const OString& rURL, bool bFile, OUString& rHash) if (!curl) return std::string(); + ::InitCurl_easy(curl.get()); + curl_easy_setopt(curl.get(), CURLOPT_URL, rURL.getStr()); curl_easy_setopt(curl.get(), CURLOPT_USERAGENT, kUserAgent); bool bUseProxy = false; diff --git a/desktop/source/minidump/minidump.cxx b/desktop/source/minidump/minidump.cxx index 0bf20f2aa419..7fbb0884987d 100644 --- a/desktop/source/minidump/minidump.cxx +++ b/desktop/source/minidump/minidump.cxx @@ -17,6 +17,8 @@ #include <curl/curl.h> +#include <curlinit.hxx> + #ifdef _WIN32 #include <memory> #include <windows.h> @@ -95,6 +97,8 @@ static bool uploadContent(std::map<std::string, std::string>& parameters, std::s if (!curl) return false; + ::InitCurl_easy(curl); + std::string proxy, proxy_user_pwd, ca_certificate_file, file, url, version; getProperty("Proxy", proxy, parameters); diff --git a/extensions/source/update/check/download.cxx b/extensions/source/update/check/download.cxx index ba371bdee570..cdbbe2c32734 100644 --- a/extensions/source/update/check/download.cxx +++ b/extensions/source/update/check/download.cxx @@ -23,6 +23,8 @@ #include <curl/curl.h> +#include <curlinit.hxx> + #include <o3tl/string_view.hxx> #include <osl/diagnose.h> #include <osl/file.h> @@ -222,6 +224,8 @@ static bool curl_run(std::u16string_view rURL, OutData& out, const OString& aPro if( nullptr != pCURL ) { + ::InitCurl_easy(pCURL); + out.curl = pCURL; OString aURL(OUStringToOString(rURL, RTL_TEXTENCODING_UTF8)); diff --git a/external/libcmis/0002-HttpSession-add-a-callback-that-can-be-used-to-confi.patch b/external/libcmis/0002-HttpSession-add-a-callback-that-can-be-used-to-confi.patch new file mode 100644 index 000000000000..ae4859af7e0f --- /dev/null +++ b/external/libcmis/0002-HttpSession-add-a-callback-that-can-be-used-to-confi.patch @@ -0,0 +1,142 @@ +From 94012ca5b669e71ea35508159f63576364736dc2 Mon Sep 17 00:00:00 2001 +From: Michael Stahl <[email protected]> +Date: Mon, 6 Nov 2023 14:18:59 +0100 +Subject: [PATCH 2/2] HttpSession: add a callback that can be used to configure + libcurl + +--- + inc/libcmis/session-factory.hxx | 7 +++++++ + src/libcmis/http-session.cxx | 8 +++++++- + src/libcmis/http-session.hxx | 8 +++++++- + src/libcmis/session-factory.cxx | 9 ++++++++- + 4 files changed, 29 insertions(+), 3 deletions(-) + +diff --git a/inc/libcmis/session-factory.hxx b/inc/libcmis/session-factory.hxx +index 45abd8b..227ac4d 100644 +--- a/inc/libcmis/session-factory.hxx ++++ b/inc/libcmis/session-factory.hxx +@@ -38,6 +38,9 @@ + #include "libcmis/repository.hxx" + #include "libcmis/session.hxx" + ++// needed for a callback type ++typedef void CURL; ++ + namespace libcmis + { + /** This callback provides the OAuth2 code or NULL. +@@ -80,6 +83,8 @@ namespace libcmis + }; + typedef boost::shared_ptr< CertValidationHandler > CertValidationHandlerPtr; + ++ typedef void(*CurlInitProtocolsFunction)(CURL *); ++ + class LIBCMIS_API SessionFactory + { + private: +@@ -109,6 +114,8 @@ namespace libcmis + static void setCertificateValidationHandler( CertValidationHandlerPtr handler ) { s_certValidationHandler = handler; } + static CertValidationHandlerPtr getCertificateValidationHandler( ) { return s_certValidationHandler; } + ++ static void setCurlInitProtocolsFunction(CurlInitProtocolsFunction); ++ + static void setProxySettings( std::string proxy, + std::string noProxy, + std::string proxyUser, +diff --git a/src/libcmis/http-session.cxx b/src/libcmis/http-session.cxx +index 9703427..8787c50 100644 +--- a/src/libcmis/http-session.cxx ++++ b/src/libcmis/http-session.cxx +@@ -133,8 +133,10 @@ namespace + } + + HttpSession::HttpSession( string username, string password, bool noSslCheck, +- libcmis::OAuth2DataPtr oauth2, bool verbose ) : ++ libcmis::OAuth2DataPtr oauth2, bool verbose, ++ libcmis::CurlInitProtocolsFunction initProtocols) : + m_curlHandle( NULL ), ++ m_CurlInitProtocolsFunction(initProtocols), + m_no100Continue( false ), + m_oauth2Handler( NULL ), + m_username( username ), +@@ -882,6 +884,10 @@ + const unsigned long protocols = CURLPROTO_HTTP | CURLPROTO_HTTPS; + curl_easy_setopt(m_curlHandle, CURLOPT_PROTOCOLS, protocols); + curl_easy_setopt(m_curlHandle, CURLOPT_REDIR_PROTOCOLS, protocols); ++ if (m_CurlInitProtocolsFunction) ++ { ++ (*m_CurlInitProtocolsFunction)(m_curlHandle); ++ } + } + + const char* CurlException::what( ) const noexcept +diff --git a/src/libcmis/http-session.hxx b/src/libcmis/http-session.hxx +index 6c9ed1b..34223b2 100644 +--- a/src/libcmis/http-session.hxx ++++ b/src/libcmis/http-session.hxx +@@ -43,6 +43,10 @@ + + class OAuth2Handler; + ++namespace libcmis { ++ typedef void(*CurlInitProtocolsFunction)(CURL *); ++} ++ + class CurlException : public std::exception + { + private: +@@ -93,6 +97,7 @@ class HttpSession + { + protected: + CURL* m_curlHandle; ++ libcmis::CurlInitProtocolsFunction m_CurlInitProtocolsFunction = nullptr; + private: + bool m_no100Continue; + protected: +@@ -111,7 +116,8 @@ class HttpSession + HttpSession( std::string username, std::string password, + bool noSslCheck = false, + libcmis::OAuth2DataPtr oauth2 = libcmis::OAuth2DataPtr(), +- bool verbose = false ); ++ bool verbose = false, ++ libcmis::CurlInitProtocolsFunction = nullptr); + + HttpSession( const HttpSession& copy ); + virtual ~HttpSession( ); +diff --git a/src/libcmis/session-factory.cxx b/src/libcmis/session-factory.cxx +index 1222473..47dc1c8 100644 +--- a/src/libcmis/session-factory.cxx ++++ b/src/libcmis/session-factory.cxx +@@ -38,6 +38,7 @@ using namespace std; + + namespace libcmis + { ++ CurlInitProtocolsFunction g_CurlInitProtocolsFunction = 0; + AuthProviderPtr SessionFactory::s_authProvider; + OAuth2AuthCodeProvider SessionFactory::s_oauth2AuthCodeProvider; + +@@ -48,6 +49,11 @@ namespace libcmis + + CertValidationHandlerPtr SessionFactory::s_certValidationHandler; + ++ void SessionFactory::setCurlInitProtocolsFunction(CurlInitProtocolsFunction const initProtocols) ++ { ++ g_CurlInitProtocolsFunction = initProtocols; ++ } ++ + void SessionFactory::setProxySettings( string proxy, string noProxy, + string proxyUser, string proxyPass ) + { +@@ -81,7 +87,8 @@ namespace libcmis + libcmis::HttpResponsePtr response; + boost::shared_ptr< HttpSession> httpSession( + new HttpSession( username, password, +- noSslCheck, oauth2, verbose ) ); ++ noSslCheck, oauth2, verbose, ++ g_CurlInitProtocolsFunction) ); + + try + { +-- +2.41.0 + diff --git a/external/libcmis/UnpackedTarball_libcmis.mk b/external/libcmis/UnpackedTarball_libcmis.mk index f48201d319d0..d224ed6032ee 100644 --- a/external/libcmis/UnpackedTarball_libcmis.mk +++ b/external/libcmis/UnpackedTarball_libcmis.mk @@ -20,6 +20,7 @@ $(eval $(call gb_UnpackedTarball_add_patches,libcmis, \ external/libcmis/libcmis_oauth_pw_as_refreshtoken.patch.1 \ external/libcmis/libcmis_gdrive.patch.1 \ external/libcmis/libcmis-boost-string.patch \ + external/libcmis/0002-HttpSession-add-a-callback-that-can-be-used-to-confi.patch \ )) # vim: set noet sw=4 ts=4: diff --git a/include/curlinit.hxx b/include/curlinit.hxx new file mode 100644 index 000000000000..8b3a9968419d --- /dev/null +++ b/include/curlinit.hxx @@ -0,0 +1,59 @@ +/* -*- Mode: C++; tab-width: 4; indent-tabs-mode: nil; c-basic-offset: 4; fill-column: 100 -*- */ +/* + * This file is part of the LibreOffice project. + * + * This Source Code Form is subject to the terms of the Mozilla Public + * License, v. 2.0. If a copy of the MPL was not distributed with this + * file, You can obtain one at http://mozilla.org/MPL/2.0/. + */ + +#pragma once + +#include <curl/curl.h> + +#if defined(LINUX) && !defined(SYSTEM_CURL) +#include <com/sun/star/uno/RuntimeException.hpp> + +#include <unistd.h> + +static char const* GetCABundleFile() +{ + // try system ones first; inspired by: + // https://www.happyassassin.net/posts/2015/01/12/a-note-about-ssltls-trusted-certificate-stores-and-platforms/ + auto const candidates = { + "/etc/pki/tls/certs/ca-bundle.crt", + "/etc/pki/tls/certs/ca-bundle.trust.crt", + "/etc/ssl/certs/ca-certificates.crt", + "/var/lib/ca-certificates/ca-bundle.pem", + }; + for (char const* const candidate : candidates) + { + if (access(candidate, R_OK) == 0) + { + return candidate; + } + } + + throw css::uno::RuntimeException("no OpenSSL CA certificate bundle found"); +} + +static void InitCurl_easy(CURL* const pCURL) +{ + char const* const path = GetCABundleFile(); + auto rc = curl_easy_setopt(pCURL, CURLOPT_CAINFO, path); + if (rc != CURLE_OK) // only if OOM? + { + throw css::uno::RuntimeException("CURLOPT_CAINFO failed"); + } +} + +#else + +static void InitCurl_easy(CURL* const) +{ + // these don't use OpenSSL so CAs work out of the box +} + +#endif + +/* vim:set shiftwidth=4 softtabstop=4 expandtab cinoptions=b1,g0,N-s cinkeys+=0=break: */ diff --git a/lingucomponent/source/spellcheck/languagetool/languagetoolimp.cxx b/lingucomponent/source/spellcheck/languagetool/languagetoolimp.cxx index f7963cd65f30..8ab76f40b3b9 100644 --- a/lingucomponent/source/spellcheck/languagetool/languagetoolimp.cxx +++ b/lingucomponent/source/spellcheck/languagetool/languagetoolimp.cxx @@ -35,6 +35,7 @@ #include <boost/property_tree/json_parser.hpp> #include <algorithm> #include <string_view> +#include <curlinit.hxx> #include <svtools/languagetoolcfg.hxx> #include <tools/color.hxx> #include <tools/long.hxx> @@ -484,6 +485,8 @@ std::string LanguageToolGrammarChecker::makeHttpRequest(std::string_view aURL, H if (!curl) return {}; // empty string + ::InitCurl_easy(curl.get()); + bool isPremium = false; SvxLanguageToolOptions& rLanguageOpts = SvxLanguageToolOptions::Get(); OString apiKey = OUStringToOString(rLanguageOpts.getApiKey(), RTL_TEXTENCODING_UTF8); diff --git a/linguistic/source/translate.cxx b/linguistic/source/translate.cxx index 12f5491e2129..fdd95fca2988 100644 --- a/linguistic/source/translate.cxx +++ b/linguistic/source/translate.cxx @@ -4,6 +4,7 @@ #include <rtl/string.h> #include <boost/property_tree/ptree.hpp> #include <boost/property_tree/json_parser.hpp> +#include <curlinit.hxx> #include <vcl/htmltransferable.hxx> #include <tools/long.hxx> @@ -16,6 +17,9 @@ OString Translate(const OString& rTargetLang, const OString& rAPIUrl, const OStr std::unique_ptr<CURL, std::function<void(CURL*)>> curl(curl_easy_init(), [](CURL* p) { curl_easy_cleanup(p); }); + + ::InitCurl_easy(curl.get()); + (void)curl_easy_setopt(curl.get(), CURLOPT_URL, rAPIUrl.getStr()); (void)curl_easy_setopt(curl.get(), CURLOPT_FAILONERROR, 1L); (void)curl_easy_setopt(curl.get(), CURLOPT_TIMEOUT, CURL_TIMEOUT); diff --git a/svl/source/crypto/cryptosign.cxx b/svl/source/crypto/cryptosign.cxx index 1d6337845569..b5e2eb0155e1 100644 --- a/svl/source/crypto/cryptosign.cxx +++ b/svl/source/crypto/cryptosign.cxx @@ -15,6 +15,10 @@ #include <svl/sigstruct.hxx> #include <config_crypto.h> +#if USE_CRYPTO_NSS +#include <curlinit.hxx> +#endif + #include <rtl/character.hxx> #include <rtl/strbuf.hxx> #include <rtl/string.hxx> @@ -1081,6 +1085,8 @@ bool Signing::Sign(OStringBuffer& rCMSHexBuffer) return false; } + ::InitCurl_easy(curl); + SAL_INFO("svl.crypto", "Setting curl to verbose: " << (curl_easy_setopt(curl, CURLOPT_VERBOSE, 1) == CURLE_OK ? "OK" : "FAIL")); if ((rc = curl_easy_setopt(curl, CURLOPT_URL, OUStringToOString(m_aSignTSA, RTL_TEXTENCODING_UTF8).getStr())) != CURLE_OK) diff --git a/ucb/source/ucp/cmis/cmis_content.cxx b/ucb/source/ucp/cmis/cmis_content.cxx index 0bd38ea31f65..2ec1c336a706 100644 --- a/ucb/source/ucp/cmis/cmis_content.cxx +++ b/ucb/source/ucp/cmis/cmis_content.cxx @@ -56,6 +56,8 @@ #include <ucbhelper/proxydecider.hxx> #include <ucbhelper/macros.hxx> #include <sax/tools/converter.hxx> +#include <curlinit.hxx> + #include <utility> #include "auth_provider.hxx" @@ -335,6 +337,9 @@ namespace cmis new CertValidationHandler( xEnv, m_xContext, aBindingUrl.GetHost( ) ) ); libcmis::SessionFactory::setCertificateValidationHandler( certHandler ); + // init libcurl callback + libcmis::SessionFactory::setCurlInitProtocolsFunction(&::InitCurl_easy); + // Get the auth credentials AuthProvider aAuthProvider(xEnv, m_xIdentifier->getContentIdentifier(), m_aURL.getBindingUrl()); AuthProvider::setXEnv( xEnv ); diff --git a/ucb/source/ucp/ftp/ftploaderthread.cxx b/ucb/source/ucp/ftp/ftploaderthread.cxx index f5ebfe36cdda..91130fc1bc9c 100644 --- a/ucb/source/ucp/ftp/ftploaderthread.cxx +++ b/ucb/source/ucp/ftp/ftploaderthread.cxx @@ -25,6 +25,8 @@ #include "ftploaderthread.hxx" #include "curl.hxx" +#include <curlinit.hxx> + using namespace ftp; @@ -75,6 +77,8 @@ CURL* FTPLoaderThread::handle() { if(!ret) { ret = curl_easy_init(); if (ret != nullptr) { + ::InitCurl_easy(ret); + // Make sure curl is not internally using environment variables like // "ftp_proxy": if (curl_easy_setopt(ret, CURLOPT_PROXY, "") != CURLE_OK) { diff --git a/ucb/source/ucp/webdav-curl/CurlSession.cxx b/ucb/source/ucp/webdav-curl/CurlSession.cxx index e9882f76acf5..9ee1886803fa 100644 --- a/ucb/source/ucp/webdav-curl/CurlSession.cxx +++ b/ucb/source/ucp/webdav-curl/CurlSession.cxx @@ -35,6 +35,7 @@ #include <rtl/uri.hxx> #include <rtl/strbuf.hxx> #include <rtl/ustrbuf.hxx> +#include <curlinit.hxx> #include <config_version.h> #include <map> @@ -680,6 +681,7 @@ CurlSession::CurlSession(uno::Reference<uno::XComponentContext> xContext, assert(rc == CURLE_OK); rc = curl_easy_setopt(m_pCurl.get(), CURLOPT_HEADERFUNCTION, &header_callback); assert(rc == CURLE_OK); + ::InitCurl_easy(m_pCurl.get()); // tdf#149921 by default, with schannel (WNT) connection fails if revocation // lists cannot be checked; try to limit the checking to when revocation // lists can actually be retrieved (usually not the case for self-signed CA)
