729ba2ebbd
--HG-- branch : develop
385 lines
9.6 KiB
C++
385 lines
9.6 KiB
C++
// Ryzom - MMORPG Framework <http://dev.ryzom.com/projects/ryzom/>
|
|
// Copyright (C) 2010 Winch Gate Property Limited
|
|
//
|
|
// This program is free software: you can redistribute it and/or modify
|
|
// it under the terms of the GNU Affero General Public License as
|
|
// published by the Free Software Foundation, either version 3 of the
|
|
// License, or (at your option) any later version.
|
|
//
|
|
// This program is distributed in the hope that it will be useful,
|
|
// but WITHOUT ANY WARRANTY; without even the implied warranty of
|
|
// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
|
// GNU Affero General Public License for more details.
|
|
//
|
|
// You should have received a copy of the GNU Affero General Public License
|
|
// along with this program. If not, see <http://www.gnu.org/licenses/>.
|
|
|
|
//#include <crtdbg.h>
|
|
|
|
#include "stdpch.h"
|
|
#include "nel/gui/curl_certificates.h"
|
|
|
|
#include <openssl/x509.h>
|
|
#include <openssl/ssl.h>
|
|
#include <openssl/err.h>
|
|
|
|
#include <curl/curl.h>
|
|
|
|
// for compatibility with older versions
|
|
#ifndef CURL_AT_LEAST_VERSION
|
|
#define CURL_VERSION_BITS(x,y,z) ((x)<<16|(y)<<8|z)
|
|
#define CURL_AT_LEAST_VERSION(x,y,z) \
|
|
(LIBCURL_VERSION_NUM >= CURL_VERSION_BITS(x, y, z))
|
|
#endif
|
|
|
|
|
|
using namespace std;
|
|
using namespace NLMISC;
|
|
|
|
#ifdef DEBUG_NEW
|
|
#define new DEBUG_NEW
|
|
#endif
|
|
|
|
namespace NLGUI
|
|
{
|
|
//
|
|
// x509CertList lifetime manager
|
|
//
|
|
class SX509Certificates
|
|
{
|
|
public:
|
|
struct CertEntry
|
|
{
|
|
X509 *cert;
|
|
std::string name;
|
|
std::string file;
|
|
|
|
bool operator == (const std::string &str)
|
|
{
|
|
return file == str;
|
|
}
|
|
};
|
|
|
|
std::vector<CertEntry> CertList;
|
|
|
|
bool isUsingOpenSSLBackend;
|
|
bool isInitialized;
|
|
|
|
SX509Certificates():isUsingOpenSSLBackend(false), isInitialized(false)
|
|
{
|
|
init();
|
|
}
|
|
|
|
~SX509Certificates()
|
|
{
|
|
for (uint i = 0; i < CertList.size(); ++i)
|
|
{
|
|
X509_free(CertList[i].cert);
|
|
}
|
|
|
|
CertList.clear();
|
|
}
|
|
|
|
void init()
|
|
{
|
|
// init CURL
|
|
CURL *curl = curl_easy_init();
|
|
if (!curl) return;
|
|
|
|
// get information on CURL
|
|
curl_version_info_data *data = curl_version_info(CURLVERSION_NOW);
|
|
|
|
bool useOpenSSLBackend = false;
|
|
|
|
#if CURL_AT_LEAST_VERSION(7, 34, 0)
|
|
// get more information on CURL session
|
|
curl_tlssessioninfo *sessionInfo;
|
|
|
|
CURLINFO info;
|
|
|
|
#if CURL_AT_LEAST_VERSION(7, 48, 0)
|
|
info = CURLINFO_TLS_SSL_PTR;
|
|
#else
|
|
info = CURLINFO_TLS_SESSION;
|
|
#endif
|
|
|
|
CURLcode res = curl_easy_getinfo(curl, info, &sessionInfo);
|
|
|
|
// CURL using OpenSSL backend
|
|
if ((res == CURLE_OK) && sessionInfo && sessionInfo->backend == CURLSSLBACKEND_OPENSSL) useOpenSSLBackend = true;
|
|
#elif CURL_AT_LEAST_VERSION(7, 12, 3)
|
|
// get a list of OpenSSL engines
|
|
struct curl_slist *engines;
|
|
|
|
CURLcode res = curl_easy_getinfo(curl, CURLINFO_SSL_ENGINES, &engines);
|
|
|
|
// CURL using OpenSSL backend
|
|
// With OpenSSL compiled without any engine, engines will too return NULL
|
|
// Fortunately, if OpenSSL isn't compiled with engines means we compiled it ourself and CURL is a recent version
|
|
if ((res == CURLE_OK) && engines)
|
|
{
|
|
// free engines
|
|
curl_slist_free_all(engines);
|
|
|
|
useOpenSSLBackend = true;
|
|
}
|
|
#else
|
|
// TODO: implement an equivalent, but CURL 7.12 was released in 2004
|
|
#endif
|
|
|
|
// only use OpenSSL callback if not using Windows SSPI and using OpenSSL backend
|
|
if (useOpenSSLBackend && !(data && data->features & CURL_VERSION_SSPI))
|
|
{
|
|
#ifdef NL_OS_WINDOWS
|
|
// load native Windows CA Certs
|
|
addCertificatesFrom("CA");
|
|
addCertificatesFrom("AuthRoot");
|
|
addCertificatesFrom("ROOT");
|
|
#endif
|
|
|
|
isUsingOpenSSLBackend = true;
|
|
}
|
|
else
|
|
{
|
|
// if CURL is using SSPI or SChannel under Windows or DarwinSSL under OS X, we'll use native system CA Certs
|
|
isUsingOpenSSLBackend = false;
|
|
}
|
|
|
|
// clean up CURL
|
|
curl_easy_cleanup(curl);
|
|
|
|
isInitialized = true;
|
|
}
|
|
|
|
static std::string getCertName(X509 *cert)
|
|
{
|
|
// NULL certificate
|
|
if (!cert) return "";
|
|
|
|
X509_NAME *subject = X509_get_subject_name(cert);
|
|
|
|
std::string name;
|
|
unsigned char *tmp = NULL;
|
|
|
|
// construct a multiline string with name
|
|
for (int j = 0, jlen = X509_NAME_entry_count(subject); j < jlen; ++j)
|
|
{
|
|
X509_NAME_ENTRY *e = X509_NAME_get_entry(subject, j);
|
|
ASN1_STRING *d = X509_NAME_ENTRY_get_data(e);
|
|
|
|
if (ASN1_STRING_to_UTF8(&tmp, d) > 0)
|
|
{
|
|
name += NLMISC::toString("%s\n", tmp);
|
|
|
|
OPENSSL_free(tmp);
|
|
}
|
|
}
|
|
|
|
return name;
|
|
}
|
|
|
|
#ifdef NL_OS_WINDOWS
|
|
void addCertificatesFrom(LPCSTR root)
|
|
{
|
|
HCERTSTORE hStore;
|
|
PCCERT_CONTEXT pContext = NULL;
|
|
X509 *x509;
|
|
hStore = CertOpenSystemStore(NULL, root);
|
|
if (hStore)
|
|
{
|
|
while (pContext = CertEnumCertificatesInStore(hStore, pContext))
|
|
{
|
|
x509 = NULL;
|
|
x509 = d2i_X509(NULL, (const unsigned char **)&pContext->pbCertEncoded, pContext->cbCertEncoded);
|
|
|
|
if (x509)
|
|
{
|
|
CertEntry entry;
|
|
entry.cert = x509;
|
|
entry.file = root;
|
|
entry.name = getCertName(x509);
|
|
|
|
CertList.push_back(entry);
|
|
}
|
|
}
|
|
|
|
CertFreeCertificateContext(pContext);
|
|
CertCloseStore(hStore, 0);
|
|
}
|
|
|
|
// this is called before debug context is set and log ends up in log.log
|
|
//nlinfo("Loaded %d certificates from '%s' certificate store", (int)CertList.size(), root);
|
|
}
|
|
#endif
|
|
|
|
void addCertificatesFromFile(const std::string &cert)
|
|
{
|
|
if (!isInitialized)
|
|
{
|
|
nlwarning("CURL not initialized! Check if there are another errors");
|
|
return;
|
|
}
|
|
|
|
if (!isUsingOpenSSLBackend)
|
|
{
|
|
nlinfo("CURL not using OpenSSL backend! Unable to use custom certificates");
|
|
return;
|
|
}
|
|
else
|
|
{
|
|
nlinfo("CURL using OpenSSL backend!");
|
|
}
|
|
|
|
// this file was already loaded
|
|
if (std::find(CertList.begin(), CertList.end(), cert) != CertList.end()) return;
|
|
|
|
// look for certificate in search paths
|
|
string path = CPath::lookup(cert, false);
|
|
|
|
if (path.empty())
|
|
{
|
|
nlwarning("Unable to find %s", cert.c_str());
|
|
return;
|
|
}
|
|
|
|
nlinfo("CURL CA bundle '%s'", path.c_str());
|
|
|
|
CIFile file;
|
|
|
|
// open certificate
|
|
if (!file.open(path))
|
|
{
|
|
nlwarning("Unable to open %s", path.c_str());
|
|
return;
|
|
}
|
|
|
|
// load certificate content into memory
|
|
std::vector<uint8> buffer(file.getFileSize());
|
|
file.serialBuffer(&buffer[0], file.getFileSize());
|
|
|
|
// get a BIO
|
|
BIO *bio = BIO_new_mem_buf(&buffer[0], file.getFileSize());
|
|
|
|
if (bio)
|
|
{
|
|
// use it to read the PEM formatted certificate from memory into an X509
|
|
// structure that SSL can use
|
|
STACK_OF(X509_INFO) *info = PEM_X509_INFO_read_bio(bio, NULL, NULL, NULL);
|
|
|
|
if (info)
|
|
{
|
|
// iterate over all entries from the PEM file, add them to the x509_store one by one
|
|
for (sint i = 0; i < sk_X509_INFO_num(info); ++i)
|
|
{
|
|
X509_INFO *itmp = sk_X509_INFO_value(info, i);
|
|
|
|
if (itmp && itmp->x509)
|
|
{
|
|
CertEntry entry;
|
|
entry.cert = X509_dup(itmp->x509);
|
|
entry.file = cert;
|
|
entry.name = getCertName(entry.cert);
|
|
|
|
CertList.push_back(entry);
|
|
}
|
|
}
|
|
|
|
// cleanup
|
|
sk_X509_INFO_pop_free(info, X509_INFO_free);
|
|
}
|
|
else
|
|
{
|
|
nlwarning("Unable to read PEM info");
|
|
}
|
|
|
|
// decrease reference counts
|
|
BIO_free(bio);
|
|
}
|
|
else
|
|
{
|
|
nlwarning("Unable to allocate BIO buffer for certificates");
|
|
}
|
|
}
|
|
};
|
|
|
|
/// this will be initialized on startup and cleared on exit
|
|
static SX509Certificates x509CertListManager;
|
|
|
|
// cURL SSL certificate loading
|
|
static CURLcode sslCtxFunction(CURL *curl, void *sslctx, void *parm)
|
|
{
|
|
CURLcode res = CURLE_OK;
|
|
|
|
if (x509CertListManager.CertList.size() > 0)
|
|
{
|
|
SSL_CTX *ctx = (SSL_CTX*)sslctx;
|
|
X509_STORE *x509store = SSL_CTX_get_cert_store(ctx);
|
|
if (x509store)
|
|
{
|
|
char errorBuffer[1024];
|
|
|
|
for (uint i = 0, ilen = x509CertListManager.CertList.size(); i < ilen; ++i)
|
|
{
|
|
SX509Certificates::CertEntry entry = x509CertListManager.CertList[i];
|
|
|
|
// add our certificate to this store
|
|
if (X509_STORE_add_cert(x509store, entry.cert) == 0)
|
|
{
|
|
uint errCode = ERR_get_error();
|
|
|
|
// ignore already in hash table errors
|
|
if (ERR_GET_LIB(errCode) != ERR_LIB_X509 || ERR_GET_REASON(errCode) != X509_R_CERT_ALREADY_IN_HASH_TABLE)
|
|
{
|
|
ERR_error_string_n(errCode, errorBuffer, 1024);
|
|
nlwarning("Error adding certificate %s: %s", entry.name.c_str(), errorBuffer);
|
|
res = CURLE_SSL_CACERT;
|
|
}
|
|
}
|
|
else
|
|
{
|
|
nldebug("Added certificate %s", entry.name.c_str());
|
|
}
|
|
}
|
|
}
|
|
else
|
|
{
|
|
nlwarning("SSL_CTX_get_cert_store returned NULL");
|
|
}
|
|
}
|
|
else
|
|
{
|
|
res = CURLE_SSL_CACERT;
|
|
}
|
|
|
|
return res;
|
|
}
|
|
|
|
// ***************************************************************************
|
|
// static
|
|
void CCurlCertificates::addCertificateFile(const std::string &cert)
|
|
{
|
|
x509CertListManager.addCertificatesFromFile(cert);
|
|
}
|
|
|
|
// ***************************************************************************
|
|
// static
|
|
void CCurlCertificates::useCertificates(CURL *curl)
|
|
{
|
|
// CURL must be valid, using OpenSSL backend and certificates must be loaded, else return
|
|
if (!curl || !x509CertListManager.isInitialized || !x509CertListManager.isUsingOpenSSLBackend || x509CertListManager.CertList.empty()) return;
|
|
|
|
curl_easy_setopt(curl, CURLOPT_SSLCERTTYPE, "PEM");
|
|
|
|
// would allow to provide the CA in memory instead of using CURLOPT_CAINFO, but needs to include and link OpenSSL
|
|
if (curl_easy_setopt(curl, CURLOPT_SSL_CTX_FUNCTION, &sslCtxFunction) != CURLE_OK)
|
|
{
|
|
nlwarning("Unable to support CURLOPT_SSL_CTX_FUNCTION, curl not compiled with OpenSSL ?");
|
|
}
|
|
|
|
// set both CURLOPT_CAINFO and CURLOPT_CAPATH to NULL to be sure we won't use default values (these files can be missing and generate errors)
|
|
curl_easy_setopt(curl, CURLOPT_CAINFO, NULL);
|
|
curl_easy_setopt(curl, CURLOPT_CAPATH, NULL);
|
|
}
|
|
|
|
}// namespace
|
|
|