[Networking] Search for CA roots if libcurl doesn't know where they are.

al45tair · al45tair · commit c62fb452be19 · 2024-02-22T10:49:02.000Z
Normally, distro maintainers will tell libcurl where to look when they
build it, and up to now we've been relying on that.  That doesn't work
for the fully static Linux build, where we're building our own libcurl,
and where the idea is that we'll run on any old Linux system.

To make TLS work under that circumstance, we'll need to look in a few
likely places for CA root files.  We only do this if libcurl doesn't
already know where to look.

rdar://123434144
diff --git a/CoreFoundation/URL.subproj/CFURLSessionInterface.c b/CoreFoundation/URL.subproj/CFURLSessionInterface.c
@@ -586,6 +586,7 @@ CFURLSessionInfo const CFURLSessionInfoFTP_ENTRY_PATH = { CURLINFO_FTP_ENTRY_PAT
 CFURLSessionInfo const CFURLSessionInfoREDIRECT_URL = { CURLINFO_REDIRECT_URL };
 CFURLSessionInfo const CFURLSessionInfoPRIMARY_IP = { CURLINFO_PRIMARY_IP };
 CFURLSessionInfo const CFURLSessionInfoAPPCONNECT_TIME = { CURLINFO_APPCONNECT_TIME };
+CFURLSessionInfo const CFURLSessionInfoCAINFO = { CURLINFO_CAINFO };
 CFURLSessionInfo const CFURLSessionInfoCERTINFO = { CURLINFO_CERTINFO };
 CFURLSessionInfo const CFURLSessionInfoCONDITION_UNMET = { CURLINFO_CONDITION_UNMET };
 CFURLSessionInfo const CFURLSessionInfoRTSP_SESSION_ID = { CURLINFO_RTSP_SESSION_ID };
diff --git a/CoreFoundation/URL.subproj/CFURLSessionInterface.h b/CoreFoundation/URL.subproj/CFURLSessionInterface.h
@@ -445,6 +445,7 @@ CF_EXPORT CFURLSessionInfo const CFURLSessionInfoFTP_ENTRY_PATH; // CURLINFO_FTP
 CF_EXPORT CFURLSessionInfo const CFURLSessionInfoREDIRECT_URL; // CURLINFO_REDIRECT_URL
 CF_EXPORT CFURLSessionInfo const CFURLSessionInfoPRIMARY_IP; // CURLINFO_PRIMARY_IP
 CF_EXPORT CFURLSessionInfo const CFURLSessionInfoAPPCONNECT_TIME; // CURLINFO_APPCONNECT_TIME
+CF_EXPORT CFURLSessionInfo const CFURLSessionInfoCAINFO; // CURLINFO_CAINFO
 CF_EXPORT CFURLSessionInfo const CFURLSessionInfoCERTINFO; // CURLINFO_CERTINFO
 CF_EXPORT CFURLSessionInfo const CFURLSessionInfoCONDITION_UNMET; // CURLINFO_CONDITION_UNMET
 CF_EXPORT CFURLSessionInfo const CFURLSessionInfoRTSP_SESSION_ID; // CURLINFO_RTSP_SESSION_ID
diff --git a/Sources/FoundationNetworking/URLSession/libcurl/EasyHandle.swift b/Sources/FoundationNetworking/URLSession/libcurl/EasyHandle.swift
@@ -182,17 +182,17 @@ extension _EasyHandle {
         _config = config
     }
 
-    /// Set allowed protocols
+    /// Set the CA bundle path automatically if it isn't set
     ///
-    /// - Note: This has security implications. Not limiting this, someone could
-    /// redirect a HTTP request into one of the many other protocols that libcurl
-    /// supports.
-    /// - SeeAlso: https://curl.haxx.se/libcurl/c/CURLOPT_PROTOCOLS.html
-    /// - SeeAlso: https://curl.haxx.se/libcurl/c/CURLOPT_REDIR_PROTOCOLS.html
-    func setAllowedProtocolsToHTTPAndHTTPS() {
-        let protocols = (CFURLSessionProtocolHTTP | CFURLSessionProtocolHTTPS)
-        try! CFURLSession_easy_setopt_long(rawHandle, CFURLSessionOptionPROTOCOLS, protocols).asError()
-        try! CFURLSession_easy_setopt_long(rawHandle, CFURLSessionOptionREDIR_PROTOCOLS, protocols).asError()
+    /// Curl does not necessarily know where to find the CA root bundle,
+    /// and in that case we need to specify where it is.  There was a hack
+    /// to do this automatically for Android but allowing an environment
+    /// variable to control the location of the CA root bundle seems like
+    /// a security issue in general.
+    ///
+    /// Rather than doing that, we have a list of places we might expect
+    /// to find it, and search those until we locate a suitable file.
+    func setCARootBundlePath() {
 #if os(Android)
         // See https://curl.haxx.se/docs/sslcerts.html
         // For SSL on Android you need a "cacert.pem" to be
@@ -205,8 +205,56 @@ extension _EasyHandle {
             else {
                 try! CFURLSession_easy_setopt_ptr(rawHandle, CFURLSessionOptionCAINFO, caInfo).asError()
             }
+            return
+        }
+#endif
+
+#if !os(Windows) && !os(macOS) && !os(iOS) && !os(watchOS) && !os(tvOS)
+        // Check if there is a default path; if there is, it will already
+        // be set, so leave things alone
+        var p: UnsafeMutablePointer<Int8>? = nil
+
+        try! CFURLSession_easy_getinfo_charp(rawHandle, CFURLSessionInfoCAINFO, &p).asError()
+
+        if p != nil {
+          return
+        }
+
+        // Otherwise, search a list of known paths
+        let paths = [
+            "/etc/ssl/certs/ca-certificates.crt",
+            "/etc/pki/tls/certs/ca-bundle.crt",
+            "/usr/share/ssl/certs/ca-bundle.crt",
+            "/usr/local/share/certs/ca-root-nss.crt",
+            "/etc/ssl/cert.pem"
+        ]
+
+        for path in paths {
+            var isDirectory: ObjCBool = false
+            if FileManager.default.fileExists(atPath: path,
+                                              isDirectory: &isDirectory)
+                 && !isDirectory.boolValue {
+              path.withCString { pathPtr in
+                try! CFURLSession_easy_setopt_ptr(rawHandle, CFURLSessionOptionCAINFO, UnsafeMutablePointer(mutating: pathPtr)).asError()
+              }
+              return
+          }
         }
 #endif
+    }
+
+    /// Set allowed protocols
+    ///
+    /// - Note: This has security implications. Not limiting this, someone could
+    /// redirect a HTTP request into one of the many other protocols that libcurl
+    /// supports.
+    /// - SeeAlso: https://curl.haxx.se/libcurl/c/CURLOPT_PROTOCOLS.html
+    /// - SeeAlso: https://curl.haxx.se/libcurl/c/CURLOPT_REDIR_PROTOCOLS.html
+    func setAllowedProtocolsToHTTPAndHTTPS() {
+        let protocols = (CFURLSessionProtocolHTTP | CFURLSessionProtocolHTTPS)
+        try! CFURLSession_easy_setopt_long(rawHandle, CFURLSessionOptionPROTOCOLS, protocols).asError()
+        try! CFURLSession_easy_setopt_long(rawHandle, CFURLSessionOptionREDIR_PROTOCOLS, protocols).asError()
+        setCARootBundlePath()
         //TODO: Added in libcurl 7.45.0
         //TODO: Set default protocol for schemeless URLs
         //CURLOPT_DEFAULT_PROTOCOL available only in libcurl 7.45.0
@@ -217,6 +265,7 @@ extension _EasyHandle {
         let redirectProtocols = (CFURLSessionProtocolHTTP | CFURLSessionProtocolHTTPS)
         try! CFURLSession_easy_setopt_long(rawHandle, CFURLSessionOptionPROTOCOLS, protocols).asError()
         try! CFURLSession_easy_setopt_long(rawHandle, CFURLSessionOptionREDIR_PROTOCOLS, redirectProtocols).asError()
+        setCARootBundlePath()
     }
     
     //TODO: Proxy setting, namely CFURLSessionOptionPROXY, CFURLSessionOptionPROXYPORT,
