Changeset 78066 in vbox

Timestamp:

Apr 9, 2019 4:02:32 PM (5 years ago)

Author:

vboxsync

Message:

IPRT,GUI: Workaround for certificate downloads getting redirected to https.

Location:

trunk

Files:

• include/iprt/http.h (modified) (2 diffs)
• include/iprt/mangling.h (modified) (1 diff)
• src/VBox/Frontends/VirtualBox/src/net/UINetworkReply.cpp (modified) (3 diffs)
• src/VBox/Frontends/VirtualBox/src/net/tstSSLCertDownloads.cpp (modified) (2 diffs)
• src/VBox/Runtime/generic/http-curl.cpp (modified) (6 diffs)

trunk/include/iprt/http.h

@@ -319 +319 @@
 
 /**
+ * Gets the follow redirect setting.
+ *
+ * @returns cMaxRedirects value, 0 means not to follow.
+ * @param   hHttp           The HTTP client handle.
+ */
+RTR3DECL(uint32_t) RTHttpGetFollowRedirects(RTHTTP hHttp);
+
+/**
  * Set custom raw headers.
  *
@@ -468 +476 @@
  */
 RTR3DECL(int) RTHttpGatherCaCertsInFile(const char *pszCaFile, uint32_t fFlags, PRTERRINFO pErrInfo);
+
+/**
+ * Set whether to verify the peer's SSL certificate.
+ *
+ * The default is to verify it.  It can however sometimes be useful or even
+ * necessary to skip this.
+ *
+ * @returns iprt status code.
+ *
+ * @param   hHttp           The HTTP client handle.
+ * @param   fVerify         Verify the certificate if @a true.
+ */
+RTR3DECL(int) RTHttpSetVerifyPeer(RTHTTP hHttp, bool fVerify);
+
+/**
+ * Get the state of the peer's SSL certificate setting.
+ *
+ * @returns  true if we verify the SSL certificate, false if not.
+ * @param   hHttp           The HTTP client handle.
+ */
+RTR3DECL(bool) RTHttpGetVerifyPeer(RTHTTP hHttp);
 
 /**

trunk/include/iprt/mangling.h

@@ -1131 +1131 @@
 # define RTHeapSimpleSize                               RT_MANGLER(RTHeapSimpleSize)
 # define RTHttpGetFile                                  RT_MANGLER(RTHttpGetFile)
+# define RTHttpGetFollowRedirects                       RT_MANGLER(RTHttpGetFollowRedirects)
 # define RTHttpSetFollowRedirects                       RT_MANGLER(RTHttpSetFollowRedirects)
+# define RTHttpGetVerifyPeer                            RT_MANGLER(RTHttpGetVerifyPeer)
+# define RTHttpSetVerifyPeer                            RT_MANGLER(RTHttpSetVerifyPeer)
 # define RTHttpUseSystemProxySettings                   RT_MANGLER(RTHttpUseSystemProxySettings)
 # define RTIniFileCreateFromVfsFile                     RT_MANGLER(RTIniFileCreateFromVfsFile)

trunk/src/VBox/Frontends/VirtualBox/src/net/UINetworkReply.cpp

@@ -777 +777 @@
     NOREF(pStaticErrInfo);
     int rc;
+
+    /*
+     * Must disable SSL certification verification here as we cannot use the
+     * SSL certificates before we've downloaded them.   We must also enable
+     * redirections in case the certificates moves around.
+     */
+    bool const     fSavedVerifyPeer   = RTHttpGetVerifyPeer(hHttp);
+    uint32_t const cSavedMaxRedirects = RTHttpGetFollowRedirects(hHttp);
+    RTHttpSetVerifyPeer(hHttp, false);
+    RTHttpSetFollowRedirects(hHttp, 8);
 
     /*
@@ -810 +820 @@
                                 {
                                     RTHttpFreeResponse(pvRootsZip);
+                                    RTHttpSetVerifyPeer(hHttp, fSavedVerifyPeer);
+                                    RTHttpSetFollowRedirects(hHttp, cSavedMaxRedirects);
                                     return;
                                 }
@@ -845 +857 @@
                 }
         }
+
+    RTHttpSetVerifyPeer(hHttp, fSavedVerifyPeer);
+    RTHttpSetFollowRedirects(hHttp, cSavedMaxRedirects);
 }
 

trunk/src/VBox/Frontends/VirtualBox/src/net/tstSSLCertDownloads.cpp

@@ -57 +57 @@
     int rc;
 
+    bool const     fSavedVerifyPeer   = RTHttpGetVerifyPeer(TestObj.m_hHttp);
+    uint32_t const cSavedMaxRedirects = RTHttpGetFollowRedirects(TestObj.m_hHttp);
+    RTTESTI_CHECK_RC(RTHttpSetVerifyPeer(TestObj.m_hHttp, false), VINF_SUCCESS);
+    RTTESTI_CHECK_RC(RTHttpSetFollowRedirects(TestObj.m_hHttp, 8), VINF_SUCCESS);
+    RTTESTI_CHECK(RTHttpGetVerifyPeer(TestObj.m_hHttp) == false);
+    RTTESTI_CHECK(RTHttpGetFollowRedirects(TestObj.m_hHttp) == 8);
+
     /* ZIP files: */
     for (uint32_t iUrl = 0; iUrl < RT_ELEMENTS(s_apszRootsZipUrls); iUrl++)
@@ -113 +120 @@
     RTTESTI_CHECK(RTCrStoreRelease(hStore) == 0);
 
+    RTTESTI_CHECK_RC(RTHttpSetVerifyPeer(TestObj.m_hHttp, fSavedVerifyPeer), VINF_SUCCESS);
+    RTTESTI_CHECK_RC(RTHttpSetFollowRedirects(TestObj.m_hHttp, cSavedMaxRedirects), VINF_SUCCESS);
+
     /*
      * Now check the gathering of certificates on the system doesn't crash.

trunk/src/VBox/Runtime/generic/http-curl.cpp

@@ -188 +188 @@
      * Zero if not automatically following (default). */
     uint32_t            cMaxRedirects;
+    /** Whether to check if Peer lies about his SSL certificate. */
+    bool                fVerifyPeer;
     /** @} */
 
@@ -384 +386 @@
                 pThis->fUseSystemProxySettings  = true;
                 pThis->cMaxRedirects            = 0; /* no automatic redir following */
+                pThis->fVerifyPeer              = true;
                 pThis->BodyOutput.pHttp         = pThis;
                 pThis->HeadersOutput.pHttp      = pThis;
@@ -418 +421 @@
     curl_easy_reset(pThis->pCurl);
 
+    /** @todo check if CURLOPT_SSL_VERIFYPEER is affected by curl_easy_reset. */
+
     if (!(fFlags & RTHTTP_RESET_F_KEEP_HEADERS))
         rtHttpFreeHeaders(pThis);
@@ -523 +528 @@
     }
     return VINF_SUCCESS;
+}
+
+
+RTR3DECL(uint32_t) RTHttpGetFollowRedirects(RTHTTP hHttp)
+{
+    PRTHTTPINTERNAL pThis = hHttp;
+    RTHTTP_VALID_RETURN_RC(pThis, 0);
+    return pThis->cMaxRedirects;
 }
 
@@ -2615 +2628 @@
     RT_NOREF_PV(fFlags);
 
-
     /*
      * Add the user store, quitely ignoring any errors.
@@ -2671 +2683 @@
     }
     return rc;
+}
+
+
+RTR3DECL(bool) RTHttpGetVerifyPeer(RTHTTP hHttp)
+{
+    PRTHTTPINTERNAL pThis = hHttp;
+    RTHTTP_VALID_RETURN_RC(pThis, false);
+    return pThis->fVerifyPeer;
+}
+
+
+RTR3DECL(int) RTHttpSetVerifyPeer(RTHTTP hHttp, bool fVerify)
+{
+    PRTHTTPINTERNAL pThis = hHttp;
+    RTHTTP_VALID_RETURN(pThis);
+    AssertReturn(!pThis->fBusy, VERR_WRONG_ORDER);
+
+    if (pThis->fVerifyPeer != fVerify)
+    {
+        int rcCurl = curl_easy_setopt(pThis->pCurl, CURLOPT_SSL_VERIFYPEER, (long)fVerify);
+        AssertMsgReturn(rcCurl == CURLE_OK, ("CURLOPT_SSL_VERIFYPEER=%RTbool: %d (%#x)\n", fVerify, rcCurl, rcCurl),
+                        VERR_HTTP_CURL_ERROR);
+        pThis->fVerifyPeer = fVerify;
+    }
+
+    return VINF_SUCCESS;
 }