WIP curl ca bundle

src/utils/downloader.c

@@ -49,6 +49,13 @@
 #ifndef CURLPIPE_MULTIPLEX
 #define CURLPIPE_MULTIPLEX 0
 #endif
+
+#if !defined(__GNUC__)
+# if defined(_WIN32_WCE) || defined (WIN32)
+#pragma comment(lib, "libcurl")
+# endif
+#endif
+
 #else
 #undef GPAC_HAS_CURL
 #endif
@@ -1545,10 +1552,27 @@ void *gf_dm_ssl_init(GF_DownloadManager *dm, u32 mode)
 	SSL_CTX_set_verify(dm->ssl_ctx, SSL_VERIFY_NONE, NULL);
 
 	const char* ca_bundle = gf_opts_get_key("core", "ca-bundle");
-	if (ca_bundle) {
+	fprintf(stderr, "ca_bundle = %s\n", ca_bundle);
+
+	if (ca_bundle && gf_file_exists(ca_bundle)) {
 		X509_STORE* xs = SSL_CTX_get_cert_store(dm->ssl_ctx);
 		X509_STORE_load_locations(xs, ca_bundle, NULL);
 	}
+	else {
+		const char* ossl_bundle = X509_get_default_cert_file();
+		fprintf(stderr, "ossl_bundle = %s\n", ossl_bundle);
+
+		if (!ossl_bundle || !gf_file_exists(ossl_bundle)) {
+
+			const char* ca_bundle_default = gf_opts_get_key("core", "ca-bundle-default");
+			fprintf(stderr, "ca_bundle_default = %s\n", ca_bundle_default);
+
+			if (ca_bundle_default) {
+				X509_STORE* xs = SSL_CTX_get_cert_store(dm->ssl_ctx);
+				X509_STORE_load_locations(xs, ca_bundle_default, NULL);
+			}
+		}
+	}
 
 #ifndef GPAC_DISABLE_LOG
 	if (gf_log_tool_level_on(GF_LOG_NETWORK, GF_LOG_DEBUG) ) {
@@ -2837,7 +2861,7 @@ static size_t curl_on_data(char *ptr, size_t size, size_t nmemb, void *clientp)
 #endif
 
 #ifdef GPAC_HAS_CURL
-static GF_Err curl_setup_session(GF_DownloadSession *sess)
+static GF_Err curl_setup_session(GF_DownloadSession* sess)
 {
 	CURLcode res;
 	sess->curl_hnd = curl_easy_init();
@@ -2871,10 +2895,41 @@ static GF_Err curl_setup_session(GF_DownloadSession *sess)
 	if (!res) res = curl_easy_setopt(sess->curl_hnd, CURLOPT_CONNECTTIMEOUT_MS, sess->conn_timeout);
 	if (!res) res = curl_easy_setopt(sess->curl_hnd, CURLOPT_ACCEPTTIMEOUT_MS, sess->conn_timeout);
 	if (!res) res = curl_easy_setopt(sess->curl_hnd, CURLOPT_NOSIGNAL, 1);
-	if ( gf_opts_get_bool("core", "broken-cert")) {
-		if (!res) res = curl_easy_setopt(sess->curl_hnd,  CURLOPT_SSL_VERIFYPEER, 0);
-		if (!res) res = curl_easy_setopt(sess->curl_hnd,  CURLOPT_SSL_VERIFYHOST, 0);
+	if (gf_opts_get_bool("core", "broken-cert")) {
+		if (!res) res = curl_easy_setopt(sess->curl_hnd, CURLOPT_SSL_VERIFYPEER, 0);
+		if (!res) res = curl_easy_setopt(sess->curl_hnd, CURLOPT_SSL_VERIFYHOST, 0);
+	}
+
+
+	char* cainfo = NULL;
+	curl_easy_getinfo(sess->curl_hnd, CURLINFO_CAINFO, &cainfo);
+	fprintf(stderr, "%s:%d CURLINFO_CAINFO %s \n", __FILE__, __LINE__, cainfo);
+
+	const char* ca_bundle = gf_opts_get_key("core", "ca-bundle");
+	fprintf(stderr, "ca_bundle = %s\n", ca_bundle);
+
+	if (ca_bundle && gf_file_exists(ca_bundle)) {
+		curl_easy_setopt(sess->curl_hnd, CURLOPT_CAINFO, ca_bundle);
 	}
+#if CURL_AT_LEAST_VERSION(7,84,0)
+	else {
+		char* curl_bundle = NULL;
+		curl_easy_getinfo(sess->curl_hnd, CURLINFO_CAINFO, &curl_bundle);
+		fprintf(stderr, "%s:%d CURLINFO_CAINFO %s \n", __FILE__, __LINE__, curl_bundle);
+
+		if (!curl_bundle || !gf_file_exists(curl_bundle)) {
+
+			const char* ca_bundle_default = gf_opts_get_key("core", "ca-bundle-default");
+			fprintf(stderr, "ca_bundle_default = %s\n", ca_bundle_default);
+
+			if (ca_bundle_default) {
+				curl_easy_setopt(sess->curl_hnd, CURLOPT_CAINFO, ca_bundle_default);
+			}
+
+		}
+	}
+#endif
+
 	//set HTTP version
 	if (!res) {
 		curl_version_info_data *ver = curl_version_info(CURLVERSION_NOW);

src/utils/os_config_init.c

@@ -885,7 +885,7 @@ static GF_Config *create_default_config(char *file_path, const char *profile)
 		}
 
 		sprintf(gui_path, "%s%cres%cca-bundle.crt", szPath, GF_PATH_SEPARATOR, GF_PATH_SEPARATOR);
-		gf_cfg_set_key(cfg, "core", "ca-bundle", gui_path);
+		gf_cfg_set_key(cfg, "core", "ca-bundle-default", gui_path);
 
 		/*shaders are at the same location*/
 		sprintf(gui_path, "%s%cshaders%cvertex.glsl", szPath, GF_PATH_SEPARATOR, GF_PATH_SEPARATOR);
@@ -1182,14 +1182,14 @@ static GF_Config *gf_cfg_init(const char *profile)
 				gf_opts_set_key("core", "rescan-fonts", "yes");
 
 			// if ca-bundle is not set or explicitly disabled (empty string), set to default
-			const char* ca_bundle = gf_cfg_get_key(cfg, "core", "ca-bundle");
+			const char* ca_bundle = gf_cfg_get_key(cfg, "core", "ca-bundle-default");
 			if (!ca_bundle) {
 				char szShare[GF_MAX_PATH];
 				if (get_default_install_path(szShare, GF_PATH_SHARE)) {
 					char gui_path[GF_MAX_PATH + 100];
 
 					sprintf(gui_path, "%s%cres%cca-bundle.crt", szShare, GF_PATH_SEPARATOR, GF_PATH_SEPARATOR);
-					gf_cfg_set_key(cfg, "core", "ca-bundle", gui_path);
+					gf_cfg_set_key(cfg, "core", "ca-bundle-default", gui_path);
 				}
 			}
 		}
@@ -1537,6 +1537,7 @@ GF_GPACArg GPAC_Args[] = {
  GF_DEF_ARG("req-timeout", NULL, "time in milliseconds to wait on HTTP/RTSP request before error (0 disables timeout)", "10000", NULL, GF_ARG_INT, GF_ARG_HINT_EXPERT|GF_ARG_SUBSYS_HTTP),
  GF_DEF_ARG("no-timeout", NULL, "ignore HTTP 1.1 timeout in keep-alive", "false", NULL, GF_ARG_BOOL, GF_ARG_HINT_EXPERT|GF_ARG_SUBSYS_HTTP),
  GF_DEF_ARG("broken-cert", NULL, "enable accepting broken SSL certificates", NULL, NULL, GF_ARG_BOOL, GF_ARG_HINT_EXPERT|GF_ARG_SUBSYS_HTTP),
+ GF_DEF_ARG("ca-bundle", NULL, "path to a custom CA certificates bundle file", NULL, NULL, GF_ARG_STRING, GF_ARG_HINT_EXPERT | GF_ARG_SUBSYS_HTTP),
  GF_DEF_ARG("user-agent", "ua", "set user agent name for HTTP/RTSP", NULL, NULL, GF_ARG_STRING, GF_ARG_HINT_ADVANCED|GF_ARG_SUBSYS_HTTP),
  GF_DEF_ARG("user-profileid", NULL, "set user profile ID (through **X-UserProfileID** entity header) in HTTP requests", NULL, NULL, GF_ARG_STRING, GF_ARG_HINT_EXPERT|GF_ARG_SUBSYS_HTTP),
  GF_DEF_ARG("user-profile", NULL, "set user profile filename. Content of file is appended as body to HTTP HEAD/GET requests, associated Mime is **text/xml**", NULL, NULL, GF_ARG_STRING, GF_ARG_HINT_EXPERT|GF_ARG_SUBSYS_HTTP),