Merge pull request #4947 from al45tair/eng/PR-123434144-6.0

shahmishal · web-flow · commit ac1af6485834 · 2024-05-03T18:14:06.000-07:00
[6.0][Networking] Search for CA roots if libcurl doesn't know where they are.
diff --git a/CoreFoundation/CMakeLists.txt b/CoreFoundation/CMakeLists.txt
@@ -441,6 +441,10 @@ if(NOT CMAKE_SYSTEM_NAME STREQUAL Darwin)
   if((NS_CURL_ASSUME_FEATURES_MISSING) OR (CURL_VERSION_STRING VERSION_LESS "7.30.0"))
     add_compile_definitions($<$<COMPILE_LANGUAGE:C>:NS_CURL_MISSING_MAX_HOST_CONNECTIONS>)
   endif()
+
+  if((NS_CURL_ASSUME_FEATURES_MISSING) OR (CURL_VERSION_STRING VERSION_LESS "7.84.0"))
+    add_compile_definitions($<$<COMPILE_LANGUAGE:C>:NS_CURL_MISSING_CURLINFO_CAINFO>)
+  endif()
 endif()
 
 add_framework(CFURLSessionInterface
diff --git a/CoreFoundation/URL.subproj/CFURLSessionInterface.c b/CoreFoundation/URL.subproj/CFURLSessionInterface.c
@@ -586,6 +586,9 @@ CFURLSessionInfo const CFURLSessionInfoFTP_ENTRY_PATH = { CURLINFO_FTP_ENTRY_PAT
 CFURLSessionInfo const CFURLSessionInfoREDIRECT_URL = { CURLINFO_REDIRECT_URL };
 CFURLSessionInfo const CFURLSessionInfoPRIMARY_IP = { CURLINFO_PRIMARY_IP };
 CFURLSessionInfo const CFURLSessionInfoAPPCONNECT_TIME = { CURLINFO_APPCONNECT_TIME };
+#if !NS_CURL_MISSING_CURLINFO_CAINFO
+CFURLSessionInfo const CFURLSessionInfoCAINFO = { CURLINFO_CAINFO };
+#endif
 CFURLSessionInfo const CFURLSessionInfoCERTINFO = { CURLINFO_CERTINFO };
 CFURLSessionInfo const CFURLSessionInfoCONDITION_UNMET = { CURLINFO_CONDITION_UNMET };
 CFURLSessionInfo const CFURLSessionInfoRTSP_SESSION_ID = { CURLINFO_RTSP_SESSION_ID };
diff --git a/CoreFoundation/URL.subproj/CFURLSessionInterface.h b/CoreFoundation/URL.subproj/CFURLSessionInterface.h
@@ -445,6 +445,7 @@ CF_EXPORT CFURLSessionInfo const CFURLSessionInfoFTP_ENTRY_PATH; // CURLINFO_FTP
 CF_EXPORT CFURLSessionInfo const CFURLSessionInfoREDIRECT_URL; // CURLINFO_REDIRECT_URL
 CF_EXPORT CFURLSessionInfo const CFURLSessionInfoPRIMARY_IP; // CURLINFO_PRIMARY_IP
 CF_EXPORT CFURLSessionInfo const CFURLSessionInfoAPPCONNECT_TIME; // CURLINFO_APPCONNECT_TIME
+CF_EXPORT CFURLSessionInfo const CFURLSessionInfoCAINFO; // CURLINFO_CAINFO
 CF_EXPORT CFURLSessionInfo const CFURLSessionInfoCERTINFO; // CURLINFO_CERTINFO
 CF_EXPORT CFURLSessionInfo const CFURLSessionInfoCONDITION_UNMET; // CURLINFO_CONDITION_UNMET
 CF_EXPORT CFURLSessionInfo const CFURLSessionInfoRTSP_SESSION_ID; // CURLINFO_RTSP_SESSION_ID
diff --git a/Sources/FoundationNetworking/CMakeLists.txt b/Sources/FoundationNetworking/CMakeLists.txt
@@ -15,6 +15,10 @@ if(NOT CMAKE_SYSTEM_NAME STREQUAL Darwin)
   if((NS_CURL_ASSUME_FEATURES_MISSING) OR (CURL_VERSION_STRING VERSION_LESS "7.30.0"))
     add_compile_definitions(NS_CURL_MISSING_MAX_HOST_CONNECTIONS)
   endif()
+
+  if((NS_CURL_ASSUME_FEATURES_MISSING) OR (CURL_VERSION_STRING VERSION_LESS "7.84.0"))
+    add_compile_definitions(NS_CURL_MISSING_CURLINFO_CAINFO)
+  endif()
 endif()
 
 add_library(FoundationNetworking
diff --git a/Sources/FoundationNetworking/URLSession/libcurl/EasyHandle.swift b/Sources/FoundationNetworking/URLSession/libcurl/EasyHandle.swift
@@ -182,17 +182,17 @@ extension _EasyHandle {
         _config = config
     }
 
-    /// Set allowed protocols
+    /// Set the CA bundle path automatically if it isn't set
     ///
-    /// - Note: This has security implications. Not limiting this, someone could
-    /// redirect a HTTP request into one of the many other protocols that libcurl
-    /// supports.
-    /// - SeeAlso: https://curl.haxx.se/libcurl/c/CURLOPT_PROTOCOLS.html
-    /// - SeeAlso: https://curl.haxx.se/libcurl/c/CURLOPT_REDIR_PROTOCOLS.html
-    func setAllowedProtocolsToHTTPAndHTTPS() {
-        let protocols = (CFURLSessionProtocolHTTP | CFURLSessionProtocolHTTPS)
-        try! CFURLSession_easy_setopt_long(rawHandle, CFURLSessionOptionPROTOCOLS, protocols).asError()
-        try! CFURLSession_easy_setopt_long(rawHandle, CFURLSessionOptionREDIR_PROTOCOLS, protocols).asError()
+    /// Curl does not necessarily know where to find the CA root bundle,
+    /// and in that case we need to specify where it is.  There was a hack
+    /// to do this automatically for Android but allowing an environment
+    /// variable to control the location of the CA root bundle seems like
+    /// a security issue in general.
+    ///
+    /// Rather than doing that, we have a list of places we might expect
+    /// to find it, and search those until we locate a suitable file.
+    func setCARootBundlePath() {
 #if os(Android)
         // See https://curl.haxx.se/docs/sslcerts.html
         // For SSL on Android you need a "cacert.pem" to be
@@ -205,8 +205,58 @@ extension _EasyHandle {
             else {
                 try! CFURLSession_easy_setopt_ptr(rawHandle, CFURLSessionOptionCAINFO, caInfo).asError()
             }
+            return
         }
 #endif
+
+#if !NS_CURL_MISSING_CURLINFO_CAINFO
+#if !os(Windows) && !os(macOS) && !os(iOS) && !os(watchOS) && !os(tvOS)
+        // Check if there is a default path; if there is, it will already
+        // be set, so leave things alone
+        var p: UnsafeMutablePointer<Int8>? = nil
+
+        try! CFURLSession_easy_getinfo_charp(rawHandle, CFURLSessionInfoCAINFO, &p).asError()
+
+        if p != nil {
+          return
+        }
+
+        // Otherwise, search a list of known paths
+        let paths = [
+            "/etc/ssl/certs/ca-certificates.crt",
+            "/etc/pki/tls/certs/ca-bundle.crt",
+            "/usr/share/ssl/certs/ca-bundle.crt",
+            "/usr/local/share/certs/ca-root-nss.crt",
+            "/etc/ssl/cert.pem"
+        ]
+
+        for path in paths {
+            var isDirectory: ObjCBool = false
+            if FileManager.default.fileExists(atPath: path,
+                                              isDirectory: &isDirectory)
+                 && !isDirectory.boolValue {
+              path.withCString { pathPtr in
+                try! CFURLSession_easy_setopt_ptr(rawHandle, CFURLSessionOptionCAINFO, UnsafeMutablePointer(mutating: pathPtr)).asError()
+              }
+              return
+          }
+        }
+#endif // !os(Windows) && !os(macOS) && !os(iOS) && !os(watchOS) && !os(tvOS)
+#endif // !NS_CURL_MISSING_CURLINFO_CAINFO
+    }
+
+    /// Set allowed protocols
+    ///
+    /// - Note: This has security implications. Not limiting this, someone could
+    /// redirect a HTTP request into one of the many other protocols that libcurl
+    /// supports.
+    /// - SeeAlso: https://curl.haxx.se/libcurl/c/CURLOPT_PROTOCOLS.html
+    /// - SeeAlso: https://curl.haxx.se/libcurl/c/CURLOPT_REDIR_PROTOCOLS.html
+    func setAllowedProtocolsToHTTPAndHTTPS() {
+        let protocols = (CFURLSessionProtocolHTTP | CFURLSessionProtocolHTTPS)
+        try! CFURLSession_easy_setopt_long(rawHandle, CFURLSessionOptionPROTOCOLS, protocols).asError()
+        try! CFURLSession_easy_setopt_long(rawHandle, CFURLSessionOptionREDIR_PROTOCOLS, protocols).asError()
+        setCARootBundlePath()
         //TODO: Added in libcurl 7.45.0
         //TODO: Set default protocol for schemeless URLs
         //CURLOPT_DEFAULT_PROTOCOL available only in libcurl 7.45.0
@@ -217,6 +267,7 @@ extension _EasyHandle {
         let redirectProtocols = (CFURLSessionProtocolHTTP | CFURLSessionProtocolHTTPS)
         try! CFURLSession_easy_setopt_long(rawHandle, CFURLSessionOptionPROTOCOLS, protocols).asError()
         try! CFURLSession_easy_setopt_long(rawHandle, CFURLSessionOptionREDIR_PROTOCOLS, redirectProtocols).asError()
+        setCARootBundlePath()
     }
     
     //TODO: Proxy setting, namely CFURLSessionOptionPROXY, CFURLSessionOptionPROXYPORT,
