Search for suitable system CA bundle path

TheAssassin · TheAssassin · commit 71d8df44f10d · 2022-06-02T22:29:07.000+02:00
Significantly improves the compatibility of zsync2 and libzsync2 on random Linux distributions, which is really important when embedding it inside cross-platform bundles like AppImages.
diff --git a/src/legacy_http.c b/src/legacy_http.c
@@ -134,6 +134,11 @@ void setup_curl_handle(CURL *handle)
     if (verbose!=NULL){
         curl_easy_setopt(handle, CURLOPT_VERBOSE, 1L);
     }
+
+    const char* ca_bundle = ca_bundle_path();
+    if (ca_bundle != NULL) {
+        curl_easy_setopt(handle, CURLOPT_CAINFO, ca_bundle);
+    }
 }
 
 
@@ -785,3 +790,77 @@ void range_fetch_end(struct range_fetch *rf) {
     free(rf->url);
     free(rf);
 }
+
+// returns non-zero ("true") on success, 0 ("false") on failure
+int file_exists(const char* path) {
+    struct stat statbuf = {};
+
+    if (stat(path, &statbuf) == 0) {
+        return 1;
+    }
+
+    const int error = errno;
+    if (error != ENOENT) {
+        fprintf(stderr, "zsync2: Unknown error while checking whether file %s exists: %s\n", path, strerror(error));
+    }
+
+    return 0;
+}
+
+// memory returned by this function must not be freed by the user
+const char* ca_bundle_path() {
+    // in case the user specifies a custom file, we use this one instead
+    // TODO: consider merging the user-specified file with the system CA bundle into a temp file
+    const char* path_from_environment = getenv("SSL_CERT_FILE");
+
+    if (path_from_environment != NULL) {
+        return path_from_environment;
+    }
+
+#if CURL_AT_LEAST_VERSION(7, 84, 0)
+    {
+        // (very) recent libcurl versions provide us with a way to query the build-time search path they
+        // use to find a suitable (distro-provided) CA certificate bundle they can hardcode
+        // we can use this value to search for a bundle dynamically in the application
+        CURL* curl = curl_easy_init();
+
+        if (curl != NULL) {
+            CURLcode res;
+            char* curl_provided_path = NULL;
+
+            curl_easy_getinfo(curl, CURLINFO_CAINFO, &curl_provided_path);
+
+            // should be safe to delete the handle and use the returned value, since it is allocated statically within libcurl
+            curl_easy_cleanup(curl);
+
+            if (curl_provided_path != NULL) {
+                if (file_exists(curl_provided_path)) {
+                    return curl_provided_path;
+                }
+            }
+        }
+    }
+#endif
+
+    // this list is a compilation of other AppImage projects' lists and the one used in libcurl's build system's autodiscovery
+    // should cover most Linux distributions
+    static const char* const possible_ca_bundle_paths[] = {
+        "/etc/pki/tls/cacert.pem",
+        "/etc/pki/tls/cert.pem",
+        "/etc/pki/tls/certs/ca-bundle.crt",
+        "/etc/ssl/ca-bundle.pem",
+        "/etc/ssl/cert.pem",
+        "/etc/ssl/certs/ca-certificates.crt",
+        "/usr/local/share/certs/ca-root-nss.crt",
+        "/usr/share/ssl/certs/ca-bundle.crt",
+    };
+
+    for (size_t i = 0; i < sizeof(possible_ca_bundle_paths); ++i) {
+        const char* path_to_check = possible_ca_bundle_paths[i];
+        if (file_exists(path_to_check)) {
+            return path_to_check;
+        }
+    }
+
+    return NULL;
+}
diff --git a/src/legacy_http.h b/src/legacy_http.h
@@ -23,3 +23,4 @@ void range_fetch_addranges(struct range_fetch* rf, off_t* ranges, int nranges);
 int get_range_block(struct range_fetch* rf, off_t* offset, unsigned char* data, size_t dlen);
 off_t range_fetch_bytes_down(const struct range_fetch* rf);
 void range_fetch_end(struct range_fetch* rf);
+const char* ca_bundle_path();
diff --git a/src/zsclient.cpp b/src/zsclient.cpp
@@ -4,7 +4,7 @@
 // system includes
 #include <algorithm>
 #include <deque>
-#include <fstream>
+#include <filesystem>
 #include <fcntl.h>
 #include <iostream>
 #include <set>
@@ -13,6 +13,7 @@
 #include <utime.h>
 
 // library includes
+#include <curl/curl.h>
 #include <cpr/cpr.h>
 
 extern "C" {
@@ -271,17 +272,17 @@ namespace zsync2 {
                 // request so-called Instance Digest (RFC 3230, RFC 5843)
                 session.SetHeader(cpr::Header{{"want-digest", "sha-512;q=1, sha-256;q=0.9, sha;q=0.2, md5;q=0.1"}});
 
-                // cURL hardcodes the current distro's CA bundle path
+                // cURL hardcodes the current distro's CA bundle path at build time
                 // in order to use libzsync2 on other distributions (e.g., when used in an AppImage), the right path
-                // must be passed to cURL
-                // we could do this within the library, but it is probably easier to have the caller provide the right
-                // path, since we can just pass one additional path
-                // note that in upstream releases of AppImageUpdate and zsync2, we use cURL versions which search for
-                // a CA bundle in multiple locations
+                // to the system CA bundle must be passed to cURL
                 {
-                    char* caBundlePath = getenv("SSL_CERT_FILE");
+                    const auto* caBundlePath = ca_bundle_path();
 
                     if (caBundlePath != nullptr) {
+                        // maybe the legacy C code should log this again, but then again, this function should return
+                        // the same result over and over again unless someone deletes a file in the background
+                        issueStatusMessage("Using CA bundle found on system: " + std::string(caBundlePath));
+
                         auto sslOptions = cpr::SslOptions{};
                         sslOptions.SetOption({cpr::ssl::CaInfo{caBundlePath}});
                         session.SetOption(sslOptions);
