Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

curl: add options for safe/no CA bundle search (Windows) #14582

Closed
wants to merge 4 commits into from

Conversation

vszakats
Copy link
Member

@vszakats vszakats commented Aug 18, 2024

Add CURL_CA_SEARCH_SAFE build-time option to enable CA bundle search
in the curl tool directory. The lookup method was already used to find
.curlrc and _curlrc (on Windows). On Windows it overrides the unsafe
default SearchPath() method.

Enable with:

  • cmake: -DCURL_CA_SEARCH_SAFE=ON
  • autotools: --enable-ca-search-safe
  • raw: CPPFLAGS=-DCURL_CA_SEARCH_SAFE

On Windows, before this patch the whole PATH was searched for
a CA bundle. PATH may contain unwanted or world-writable locations,
including the current directory. Searching them all is convenient to
pick up any CA bundle, but not secure.

The Muldersoft curl distro implements such CA search via a custom
patch for Windows:
https://github.com/lordmulder/cURL-build-win32/blob/cd652d4792c177c98b08b4309d3cac2b8dbbf9b0/patch/curl_tool_doswin.diff#L50

MSYS2/mingw-w64 distro has also been rolling a patch solving this:
https://github.com/msys2/MINGW-packages/blob/master/mingw-w64-curl/0001-Make-cURL-relocatable.patch
https://github.com/msys2/MINGW-packages/blob/master/mingw-w64-curl/pathtools.c

Also add option to fully disable Windows CA search:

  • cmake: -DCURL_DISABLE_CA_SEARCH=ON
  • autotools: --disable-ca-search
  • raw: CPPFLAGS=-DCURL_DISABLE_CA_SEARCH.

Both options are considered EXPERIMENTAL, with possible incompatible
changes or even (partial) removal in the future, depending on feedback.

An alternative, secure option is to embed the CA bundle into the binary.

Safe search can be extended to other platforms if necessary or useful,
by using _NSGetExecutablePath() (macOS),
/proc/self/exe (Linux/Cygwin), or argv[0].


w/o whitespace: https://github.com/curl/curl/pull/14582/files?w=1

  • also look for cacert.pem? [SKIP]
  • consider making this the default on Windows? [FUTURE]
  • enable safe search in curl-for-win [→ curl/curl-for-win@1ed5908]
  • find a better word for "safe"? [FUTURE, if we get to extend this to non-Windows]
  • delete the newly added portable codepath from Curl_execpath()?
  • use _NSGetExecutablePath() on macOS? [FUTURE]
  • reflect both options in tests/server/disabled.
  • move disable logic from src to standard config.h. Though these only affect src, we need these flags in tests/server/disabled too. This can also avoid the unpleasant tricks in test1165.pl.
  • refix test1165 again. This disable option is passed directly not via config.h (because it only applies to src). This makes the checker confused after test1165: check if curl_config.h.cmake lists all DISABLED options #14754.
  • add CMake/autotools option for -DCURL_DISABLE_CA_SEARCH.
  • do not enable safe search for UWP by default. Keep it like before this patch (= no search).
  • add option to disable CA search.
  • make it an option for non-Windows?
  • with a runtime option to switch on the unsafe SearchPath method? [NOPE]
  • add cmake/autotools-level option wrapper?
  • auto-enable for UWP builds. [NO]

@github-actions github-actions bot added the CI Continuous Integration label Aug 18, 2024
@vszakats vszakats changed the title curl: add option for safe CA bundle lookup on Windows curl: add option for safe CA bundle search on Windows Aug 18, 2024
@vszakats
Copy link
Member Author

Tested OK in a local build.

@vszakats vszakats added the feature-window A merge of this requires an open feature window label Aug 19, 2024
@vszakats vszakats force-pushed the wnd-disable-searchpath branch 2 times, most recently from feecb41 to 739d930 Compare August 29, 2024 09:26
@vszakats vszakats changed the title curl: add option for safe CA bundle search on Windows curl: add option for safe CA bundle search Aug 29, 2024
@vszakats vszakats removed the Windows Windows-specific label Aug 29, 2024
@vszakats
Copy link
Member Author

Made this option available for all platforms (was: Windows-only). I figure it might be useful to allow picking up curl-ca-bundle.crt in the curl binary directory on other platforms too, for parity with Windows (thinking of curl-for-win), as an off-by-default option.

@vszakats vszakats added the Windows Windows-specific label Aug 29, 2024
src/tool_util.c Fixed Show resolved Hide resolved
vszakats added a commit to curl/curl-for-win that referenced this pull request Aug 29, 2024
The CA bundle is about to be shipped embedded in the curl tool starting
the next release. It can be extracted with the `--dump-ca-embed` option.

This makes it redundant to ship it as an external file. Esp. for Linux
and macOS builds which don't pick up the external bundle like Windows
does. This may be fixed in the next next release, pending:
curl/curl#14582
@vszakats vszakats marked this pull request as draft August 31, 2024 12:57
@vszakats vszakats marked this pull request as ready for review September 1, 2024 10:58
@github-actions github-actions bot added the tests label Sep 1, 2024
@vszakats vszakats changed the title curl: add option for safe CA bundle search curl: add options for safe/no CA bundle search Sep 1, 2024
@vszakats vszakats force-pushed the wnd-disable-searchpath branch 2 times, most recently from 465e429 to 678353c Compare September 10, 2024 00:14
@vszakats vszakats changed the title curl: add options for safe/no CA bundle search curl: add options for safe/no CA bundle search (Windows) Sep 10, 2024
@vszakats vszakats force-pushed the wnd-disable-searchpath branch 2 times, most recently from af9e326 to a24229d Compare September 10, 2024 08:34
Add `CURL_WIN32_SAFE_CA_SEARCH` build-time option to restrict implicit
CA bundle search to the `curl.exe` directory. The lookup method was
already used to find `.curlrc` and `_curlrc` on Windows.

You can enable it with:
- cmake: `-DCMAKE_C_FLAGS=-DCURL_WIN32_SAFE_CA_SEARCH`
- autotools: `CPPFLAGS=-DCURL_WIN32_SAFE_CA_SEARCH`

Before this patch the whole `PATH` was searched for a CA bundle.

The `PATH` may contain unwanted or world-writable locations, and while
searching them all is convenient to pick up any CA bundle, it's not
necessarily safe. Note that on Windows `PATH` also includes the current
directory.

confirm it enabled

add verbose message when searching for CA bundle in PATH

add cmake option

auto-enable for UWP builds

UWP builds had no CA bundle load feature at all before this patch,
because the necessary code did not compile.

enabled OK

https://github.com/curl/curl/actions/runs/10441479612/job/28912667429?pr=14582#step:10:364

drop warning, it breaks tests

autotools: add `--with-windows-safe-ca-search` option

update docs

drop macro no longer used in master

simplify C code

make Curl_win32_execpath() portable

allow CURL_WIN32_SAFE_CA_SEARCH on all platforms

rename CURL_WIN32_SAFE_CA_SEARCH to CURL_SAFE_CA_SEARCH

make configure option platform agnostic

rename CURL_SAFE_CA_SEARCH to CURL_CA_SAFE_SEARCH

rename rest of names

add missing curlx.h

enable in autotools/cmake macOS jobs

update docs

(still mentioned near Windows, even though the option supports all
platforms)

checksrc

try fix 1

move tool_argv0 to global config struct

try fix 2

silence unused var

ca safe search -> ca search safe

add option CURL_CA_SEARCH_DISABLE to disable search fully

do not enable safe CA search for UWP by default

am: add option for CA search disable

cmake: add option for CA search disable

configure.ac: safe search option fixup

am: tweak

cm: tweak

am: tweak

make CURL_CA_SEARCH_DISABLE Windows-specific

am: tweak

cm: tweak

am: tweak

am: switch to enable/disable from with/without

rename disable option with "disable" first

am: fixup indent

am: syntax cleanup

update docs

line length

add to CURL-DISABLE

clarify text that PATH search is unsafe

test1165: scan src sources for CURL_DISABLED use

Before this patch, this happened:
```
Not set by configure: CURL_DISABLE_CA_SEARCH (./src/tool_operate.c)
Not set by CMakeLists.txt: CURL_DISABLE_CA_SEARCH (./src/tool_operate.c)
Documented but not in configure: CURL_DISABLE_CA_SEARCH
Documented but not in CMakeLists.txt: CURL_DISABLE_CA_SEARCH
```

accept CURL_DISABLE when passed COMPILE_DEFINITIONS

set/init build options in project root

Both options solely apply to `src`. Initially it seems like a good idea
to reflect that on the build level, but it turns out it introduces too
much of an exception.

Sync these settings with all the existing ones: propagate them via
config.h and catch them in the root CMakeLists.txt.

This allows to drop extra code from test1165.pl, and also make it
possible to add these options to tests/server/disable.

add new options to tests/server/disabled

src: dedupe feature_ssl condition, drop redundant schannel check

limit safe search option to Windows

It's really only safe compared to the default search.
On other platforms nobody asked for this, and it's less safe
than using a well-known system location.

Except for portable MUSL binaries, but for those, the CA embed
option seems like a better solution than looking for new disk
locations. (That's also true for Windows FWIW.)

add new options to tests/server/disabled fixup and limit to _WIN32

CURL_WINDOWS_APP -> CURL_WINDOWS_UWP sync with master
It's not currently used. Also it would be better to replace
the `argv[0]` method with `_NSGetExecutablePath()` on macOS.

Since the functionality isn't Windows-specific, I left this
function in `tool_util.c` (as opposed to `tool_doswin.c`).
vszakats added a commit to curl/curl-for-win that referenced this pull request Sep 22, 2024
@vszakats vszakats closed this in 22652a5 Sep 22, 2024
@vszakats vszakats removed the feature-window A merge of this requires an open feature window label Sep 22, 2024
@vszakats vszakats deleted the wnd-disable-searchpath branch September 22, 2024 16:18
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
CI Continuous Integration cmdline tool tests TLS Windows Windows-specific
Development

Successfully merging this pull request may close these issues.

1 participant