Enable TLS certificate verification

2024-11-14 19:15:05 -05:00 · 2024-05-31 14:46:07 +02:00 · 2024-05-31 14:46:07 +02:00 · b3367d2230
commit b3367d2230
parent a203a11b05
3 changed files with 39 additions and 3 deletions
--- a/loader/CMakeLists.txt
+++ b/loader/CMakeLists.txt
@ -171,6 +171,10 @@ if (GEODE_NO_UNDEFINED_VIRTUALS)
 	target_compile_definitions(${PROJECT_NAME} PUBLIC GEODE_NO_UNDEFINED_VIRTUALS)
 endif()

+# CA Bundle
+CPMAddPackage("gh:geode-sdk/net_libs#b6604c6")
+target_link_libraries(${PROJECT_NAME} ca-bundle)
+
 # Package resources for UI
 package_geode_resources_now(
 	${PROJECT_NAME}
--- a/loader/include/Geode/utils/web2.hpp
+++ b/loader/include/Geode/utils/web2.hpp
@ -41,6 +41,7 @@ namespace geode::utils::web {
        std::string username; // Proxy username
        std::string password; // Proxy password
        bool tunneling = false; // Enable HTTP tunneling
+        bool certVerification = true; // Enable HTTPS certificate verification
    };

    class WebRequest;
@ -112,6 +113,9 @@ namespace geode::utils::web {
        WebRequest& userAgent(std::string_view name);

        WebRequest& timeout(std::chrono::seconds time);
+
+        WebRequest& certVerification(bool enabled);
+        WebRequest& CABundleContent(std::string_view content);
        WebRequest& proxyOpts(ProxyOpts const& proxyOpts);

        WebRequest& body(ByteVector raw);
--- a/loader/src/utils/web2.cpp
+++ b/loader/src/utils/web2.cpp
@ -1,5 +1,6 @@
 #define CURL_STATICLIB
 #include <curl/curl.h>
+#include <ca_bundle.h>

 #include <Geode/utils/web2.hpp>
 #include <Geode/utils/map.hpp>
@ -140,6 +141,8 @@ public:
    std::optional<std::string> m_userAgent;
    std::optional<ByteVector> m_body;
    std::optional<std::chrono::seconds> m_timeout;
+    bool m_certVerification = true;
+    std::string m_CABundleContent;
    ProxyOpts m_proxyOpts = {};

    WebResponse makeError(int code, std::string const& msg) {
@ -240,9 +243,22 @@ WebTask WebRequest::send(std::string_view method, std::string_view url) {
            curl_easy_setopt(curl, CURLOPT_POSTFIELDSIZE, impl->m_body->size());
        }
        
-        // No need to verify SSL, we trust our domains :-)
-        curl_easy_setopt(curl, CURLOPT_SSL_VERIFYPEER, 0);
-        curl_easy_setopt(curl, CURLOPT_SSL_VERIFYHOST, 0);
+        // Cert verification
+        curl_easy_setopt(curl, CURLOPT_SSL_VERIFYPEER, impl->m_certVerification ? 1 : 0);
+        curl_easy_setopt(curl, CURLOPT_SSL_VERIFYHOST, 2);
+
+        if (impl->m_certVerification) {
+            curl_blob caBundleBlob = {};
+
+            if (impl->m_CABundleContent.empty()) {
+                impl->m_CABundleContent = CA_BUNDLE_CONTENT;
+            }
+            
+            caBundleBlob.data = reinterpret_cast<void*>(impl->m_CABundleContent.data());
+            caBundleBlob.len = impl->m_CABundleContent.size();
+            caBundleBlob.flags = CURL_BLOB_COPY;
+            curl_easy_setopt(curl, CURLOPT_CAINFO_BLOB, &caBundleBlob);
+        }  

        // Set user agent if provided
        if (impl->m_userAgent) {
@ -272,6 +288,8 @@ WebTask WebRequest::send(std::string_view method, std::string_view url) {
            }

            curl_easy_setopt(curl, CURLOPT_HTTPPROXYTUNNEL, proxyOpts.tunneling ? 1 : 0);
+            curl_easy_setopt(curl, CURLOPT_PROXY_SSL_VERIFYPEER, proxyOpts.certVerification ? 1 : 0);
+            curl_easy_setopt(curl, CURLOPT_PROXY_SSL_VERIFYHOST, 2);
        }

        // Track progress
@ -387,6 +405,16 @@ WebRequest& WebRequest::timeout(std::chrono::seconds time) {
    return *this;
 }

+WebRequest& WebRequest::certVerification(bool enabled) {
+    m_impl->m_certVerification = enabled;
+    return *this;
+}
+
+WebRequest& WebRequest::CABundleContent(std::string_view content) {
+    m_impl->m_CABundleContent = content;
+    return *this;
+}
+
 WebRequest& WebRequest::proxyOpts(ProxyOpts const& proxyOpts) {
    m_impl->m_proxyOpts = proxyOpts;
    return *this;