Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Search for CA bundles in places other than the one hard-coded at comp… #248

Open
wants to merge 1 commit into
base: main
Choose a base branch
from
Open

Search for CA bundles in places other than the one hard-coded at comp… #248

Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
85 changes: 84 additions & 1 deletion src/updateinformation/GithubReleasesZsyncUpdateInformation.cpp
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -1,5 +1,83 @@
#include "GithubReleasesZsyncUpdateInformation.h"

/* Eh, borrowed from zsync2. Why reinvent the wheel? */
#include <sys/stat.h>

// returns non-zero ("true") on success, 0 ("false") on failure
int file_exists(const char* path) {
struct stat statbuf = {};

if (stat(path, &statbuf) == 0) {
return 1;
}

const int error = errno;
if (error != ENOENT) {
fprintf(stderr, "zsync2: Unknown error while checking whether file %s exists: %s\n", path, strerror(error));
}

return 0;
}

// memory returned by this function must not be freed by the user
const char* ca_bundle_path() {
// in case the user specifies a custom file, we use this one instead
// TODO: consider merging the user-specified file with the system CA bundle into a temp file
const char* path_from_environment = getenv("SSL_CERT_FILE");

if (path_from_environment != NULL) {
return path_from_environment;
}

#if CURL_AT_LEAST_VERSION(7, 84, 0)
{
// (very) recent libcurl versions provide us with a way to query the build-time search path they
// use to find a suitable (distro-provided) CA certificate bundle they can hardcode
// we can use this value to search for a bundle dynamically in the application
CURL* curl = curl_easy_init();

if (curl != NULL) {
CURLcode res;
char* curl_provided_path = NULL;

curl_easy_getinfo(curl, CURLINFO_CAINFO, &curl_provided_path);

// should be safe to delete the handle and use the returned value, since it is allocated statically within libcurl
curl_easy_cleanup(curl);

if (curl_provided_path != NULL) {
if (file_exists(curl_provided_path)) {
return curl_provided_path;
}
}
}
}
#endif

// this list is a compilation of other AppImage projects' lists and the one used in libcurl's build system's autodiscovery
// should cover most Linux distributions
static const char* const possible_ca_bundle_paths[] = {
"/etc/pki/tls/cacert.pem",
"/etc/pki/tls/cert.pem",
"/etc/pki/tls/certs/ca-bundle.crt",
"/etc/ssl/ca-bundle.pem",
"/etc/ssl/cert.pem",
"/etc/ssl/certs/ca-certificates.crt",
"/usr/local/share/certs/ca-root-nss.crt",
"/usr/share/ssl/certs/ca-bundle.crt",
};

for (size_t i = 0; i < sizeof(possible_ca_bundle_paths); ++i) {
const char* path_to_check = possible_ca_bundle_paths[i];
if (file_exists(path_to_check)) {
return path_to_check;
}
}

return NULL;
}
/* End of zsync2 code */

namespace appimage::update::updateinformation {

GithubReleasesUpdateInformation::GithubReleasesUpdateInformation(
Expand Down Expand Up @@ -29,7 +107,12 @@ namespace appimage::update::updateinformation {
url << "tags/" << tag;
}

auto response = cpr::Get(cpr::Url{url.str()});
cpr::Session session;
cpr::SslOptions options;
options.ca_info = std::string(ca_bundle_path());
session.SetSslOptions(options);
session.SetUrl(cpr::Url{url.str()});
auto response = session.Get();

nlohmann::json json;

Expand Down