diff --git a/.github/workflows/windows.yml b/.github/workflows/windows.yml index 7cff2fccec..2ca7cd601f 100644 --- a/.github/workflows/windows.yml +++ b/.github/workflows/windows.yml @@ -500,7 +500,7 @@ jobs: plat: 'windows' type: 'Debug' tflags: '~1516 ~2301 ~2302 ~2303 ~2307' - config: '-DENABLE_DEBUG=ON -DENABLE_UNICODE=OFF -DCURL_USE_SCHANNEL=OFF -DCURL_BROTLI=ON -DCURL_ZSTD=ON -DBUILD_SHARED_LIBS=OFF -DCURL_USE_LIBSSH2=ON -DCURL_USE_OPENSSL=ON' + config: '-DENABLE_DEBUG=ON -DENABLE_UNICODE=OFF -DCURL_USE_SCHANNEL=OFF -DCURL_BROTLI=ON -DCURL_ZSTD=ON -DBUILD_SHARED_LIBS=OFF -DCURL_USE_LIBSSH2=ON -DCURL_USE_OPENSSL=ON -DCURL_CA_SEARCH_SAFE=ON' - name: 'boringssl-ECH' install: 'brotli zlib zstd libpsl nghttp2 boringssl libssh2[core,zlib]' arch: 'x64' diff --git a/CMakeLists.txt b/CMakeLists.txt index 3853673508..9ec7dd433a 100644 --- a/CMakeLists.txt +++ b/CMakeLists.txt @@ -1345,6 +1345,11 @@ if(_curl_ca_bundle_supported) endif() endif() +if(WIN32) + option(CURL_DISABLE_CA_SEARCH "Disable unsafe CA bundle search in PATH on Windows" OFF) + option(CURL_CA_SEARCH_SAFE "Enable safe CA bundle search (within the curl tool directory) on Windows" OFF) +endif() + # Check for header files if(WIN32) set(CURL_INCLUDES ${CURL_INCLUDES} "winsock2.h") diff --git a/configure.ac b/configure.ac index eb7e9b353d..ca6e4c66e0 100644 --- a/configure.ac +++ b/configure.ac @@ -2184,6 +2184,50 @@ fi AM_CONDITIONAL(CURL_CA_EMBED_SET, test "x$CURL_CA_EMBED" != "x") +dnl ---------------------- +dnl check unsafe CA search +dnl ---------------------- + +if test "$curl_cv_native_windows" = "yes"; then + AC_MSG_CHECKING([whether to enable unsafe CA bundle search in PATH on Windows]) + AC_ARG_ENABLE(ca-search, +AS_HELP_STRING([--enable-ca-search],[Enable unsafe CA bundle search in PATH on Windows (default)]) +AS_HELP_STRING([--disable-ca-search],[Disable unsafe CA bundle search in PATH on Windows]), + [ case "$enableval" in + no) + AC_MSG_RESULT([no]) + AC_DEFINE(CURL_DISABLE_CA_SEARCH, 1, [If unsafe CA bundle search in PATH on Windows is disabled]) + ;; + *) + AC_MSG_RESULT([yes]) + ;; + esac ], + AC_MSG_RESULT([yes]) + ) +fi + +dnl -------------------- +dnl check safe CA search +dnl -------------------- + +if test "$curl_cv_native_windows" = "yes"; then + AC_MSG_CHECKING([whether to enable safe CA bundle search (within the curl tool directory) on Windows]) + AC_ARG_ENABLE(ca-search-safe, +AS_HELP_STRING([--enable-ca-search-safe],[Enable safe CA bundle search]) +AS_HELP_STRING([--disable-ca-search-safe],[Disable safe CA bundle search (default)]), + [ case "$enableval" in + yes) + AC_MSG_RESULT([yes]) + AC_DEFINE(CURL_CA_SEARCH_SAFE, 1, [If safe CA bundle search is enabled]) + ;; + *) + AC_MSG_RESULT([no]) + ;; + esac ], + AC_MSG_RESULT([no]) + ) +fi + dnl ********************************************************************** dnl Check for libpsl dnl ********************************************************************** diff --git a/docs/CURL-DISABLE.md b/docs/CURL-DISABLE.md index 32ae025fc4..7962832fad 100644 --- a/docs/CURL-DISABLE.md +++ b/docs/CURL-DISABLE.md @@ -42,6 +42,10 @@ Disable support for the negotiate authentication methods. Disable **AWS-SIG4** support. +## `CURL_DISABLE_CA_SEARCH` + +Disable unsafe CA bundle search in PATH on Windows. + ## `CURL_DISABLE_DICT` Disable the DICT protocol diff --git a/docs/SSLCERTS.md b/docs/SSLCERTS.md index b6d7a6e751..300039c736 100644 --- a/docs/SSLCERTS.md +++ b/docs/SSLCERTS.md @@ -65,6 +65,9 @@ cert file named `curl-ca-bundle.crt` in these directories and in this order: 4. Windows Directory (e.g. C:\Windows) 5. all directories along %PATH% +curl 8.11.0 added a build-time option to disable this search behavior, and +another option to restrict search to the application's directory. + ### Use the native store In several environments, in particular on Windows, you can ask curl to use the diff --git a/docs/cmdline-opts/cacert.md b/docs/cmdline-opts/cacert.md index 1b34ce5b4d..00c277e2e1 100644 --- a/docs/cmdline-opts/cacert.md +++ b/docs/cmdline-opts/cacert.md @@ -27,10 +27,13 @@ curl recognizes the environment variable named 'CURL_CA_BUNDLE' if it is set and the TLS backend is not Schannel, and uses the given path as a path to a CA cert bundle. This option overrides that variable. -The Windows version of curl automatically looks for a CA certs file named +(Windows) curl automatically looks for a CA certs file named 'curl-ca-bundle.crt', either in the same directory as curl.exe, or in the Current Working Directory, or in any folder along your PATH. +curl 8.11.0 added a build-time option to disable this search behavior, and +another option to restrict search to the application's directory. + (iOS and macOS only) If curl is built against Secure Transport, then this option is supported for backward compatibility with other SSL engines, but it should not be set. If the option is not set, then curl uses the certificates diff --git a/lib/curl_config.h.cmake b/lib/curl_config.h.cmake index f247272a8a..6e5fe4fcb2 100644 --- a/lib/curl_config.h.cmake +++ b/lib/curl_config.h.cmake @@ -160,6 +160,12 @@ /* disables verbose strings */ #cmakedefine CURL_DISABLE_VERBOSE_STRINGS 1 +/* disables unsafe CA bundle search on Windows from the curl tool */ +#cmakedefine CURL_DISABLE_CA_SEARCH 1 + +/* safe CA bundle search (within the curl tool directory) on Windows */ +#cmakedefine CURL_CA_SEARCH_SAFE 1 + /* to make a symbol visible */ #cmakedefine CURL_EXTERN_SYMBOL ${CURL_EXTERN_SYMBOL} /* Ensure using CURL_EXTERN_SYMBOL is possible */ diff --git a/src/tool_doswin.c b/src/tool_doswin.c index fd9325476d..369f7e3703 100644 --- a/src/tool_doswin.c +++ b/src/tool_doswin.c @@ -600,6 +600,8 @@ char **__crt0_glob_function(char *arg) #ifdef _WIN32 +#if !defined(CURL_WINDOWS_UWP) && \ + !defined(CURL_DISABLE_CA_SEARCH) && !defined(CURL_CA_SEARCH_SAFE) /* Search and set the CA cert file for Windows. * * Do not call this function if Schannel is the selected SSL backend. We allow @@ -623,11 +625,6 @@ CURLcode FindWin32CACert(struct OperationConfig *config, const TCHAR *bundle_file) { CURLcode result = CURLE_OK; - -#ifdef CURL_WINDOWS_UWP - (void)config; - (void)bundle_file; -#else DWORD res_len; TCHAR buf[PATH_MAX]; TCHAR *ptr = NULL; @@ -644,11 +641,10 @@ CURLcode FindWin32CACert(struct OperationConfig *config, if(!config->cacert) result = CURLE_OUT_OF_MEMORY; } -#endif return result; } - +#endif /* Get a list of all loaded modules with full paths. * Returns slist on success or NULL on error. diff --git a/src/tool_doswin.h b/src/tool_doswin.h index f16fc33ac8..b86959e9b8 100644 --- a/src/tool_doswin.h +++ b/src/tool_doswin.h @@ -59,8 +59,11 @@ char **__crt0_glob_function(char *arg); #ifdef _WIN32 +#if !defined(CURL_WINDOWS_UWP) && \ + !defined(CURL_DISABLE_CA_SEARCH) && !defined(CURL_CA_SEARCH_SAFE) CURLcode FindWin32CACert(struct OperationConfig *config, const TCHAR *bundle_file); +#endif struct curl_slist *GetLoadedModulePaths(void); CURLcode win32_init(void); diff --git a/src/tool_operate.c b/src/tool_operate.c index 289ce588df..b49e9fd06f 100644 --- a/src/tool_operate.c +++ b/src/tool_operate.c @@ -3083,8 +3083,18 @@ static CURLcode transfer_per_config(struct GlobalConfig *global, } #ifdef _WIN32 - if(!env) + if(!env) { +#if defined(CURL_CA_SEARCH_SAFE) + char *cacert = NULL; + FILE *cafile = Curl_execpath("curl-ca-bundle.crt", &cacert); + if(cafile) { + fclose(cafile); + config->cacert = strdup(cacert); + } +#elif !defined(CURL_WINDOWS_UWP) && !defined(CURL_DISABLE_CA_SEARCH) result = FindWin32CACert(config, TEXT("curl-ca-bundle.crt")); +#endif + } #endif } curl_easy_cleanup(curltls); diff --git a/src/tool_parsecfg.c b/src/tool_parsecfg.c index 72fd67af8b..a267dccbe7 100644 --- a/src/tool_parsecfg.c +++ b/src/tool_parsecfg.c @@ -31,6 +31,7 @@ #include "tool_findfile.h" #include "tool_msgs.h" #include "tool_parsecfg.h" +#include "tool_util.h" #include "dynbuf.h" #include "memdebug.h" /* keep this as LAST include */ @@ -44,37 +45,6 @@ static const char *unslashquote(const char *line, char *param); #define MAX_CONFIG_LINE_LENGTH (10*1024*1024) static bool my_get_line(FILE *fp, struct curlx_dynbuf *, bool *error); -#ifdef _WIN32 -static FILE *execpath(const char *filename, char **pathp) -{ - static char filebuffer[512]; - /* Get the filename of our executable. GetModuleFileName is already declared - * via inclusions done in setup header file. We assume that we are using - * the ASCII version here. - */ - unsigned long len = GetModuleFileNameA(0, filebuffer, sizeof(filebuffer)); - if(len > 0 && len < sizeof(filebuffer)) { - /* We got a valid filename - get the directory part */ - char *lastdirchar = strrchr(filebuffer, '\\'); - if(lastdirchar) { - size_t remaining; - *lastdirchar = 0; - /* If we have enough space, build the RC filename */ - remaining = sizeof(filebuffer) - strlen(filebuffer); - if(strlen(filename) < remaining - 1) { - FILE *f; - msnprintf(lastdirchar, remaining, "%s%s", DIR_CHAR, filename); - *pathp = filebuffer; - f = fopen(filebuffer, FOPEN_READTEXT); - return f; - } - } - } - - return NULL; -} -#endif - /* return 0 on everything-is-fine, and non-zero otherwise */ int parseconfig(const char *filename, struct GlobalConfig *global) @@ -100,9 +70,9 @@ int parseconfig(const char *filename, struct GlobalConfig *global) else { char *fullp; /* check for .curlrc then _curlrc in the dir of the executable */ - file = execpath(".curlrc", &fullp); + file = Curl_execpath(".curlrc", &fullp); if(!file) - file = execpath("_curlrc", &fullp); + file = Curl_execpath("_curlrc", &fullp); if(file) /* this is the filename we read from */ filename = fullp; diff --git a/src/tool_util.c b/src/tool_util.c index b185799da5..e657dacf0c 100644 --- a/src/tool_util.c +++ b/src/tool_util.c @@ -29,6 +29,7 @@ #include "tool_util.h" +#include "curlx.h" #include "memdebug.h" /* keep this as LAST include */ #if defined(_WIN32) @@ -188,3 +189,33 @@ int tool_ftruncate64(int fd, curl_off_t where) } #endif /* USE_TOOL_FTRUNCATE */ + +#ifdef _WIN32 +FILE *Curl_execpath(const char *filename, char **pathp) +{ + static char filebuffer[512]; + unsigned long len; + /* Get the filename of our executable. GetModuleFileName is already declared + * via inclusions done in setup header file. We assume that we are using + * the ASCII version here. + */ + len = GetModuleFileNameA(0, filebuffer, sizeof(filebuffer)); + if(len > 0 && len < sizeof(filebuffer)) { + /* We got a valid filename - get the directory part */ + char *lastdirchar = strrchr(filebuffer, DIR_CHAR[0]); + if(lastdirchar) { + size_t remaining; + *lastdirchar = 0; + /* If we have enough space, build the RC filename */ + remaining = sizeof(filebuffer) - strlen(filebuffer); + if(strlen(filename) < remaining - 1) { + msnprintf(lastdirchar, remaining, "%s%s", DIR_CHAR, filename); + *pathp = filebuffer; + return fopen(filebuffer, FOPEN_READTEXT); + } + } + } + + return NULL; +} +#endif diff --git a/src/tool_util.h b/src/tool_util.h index d68867265c..9fec7e8737 100644 --- a/src/tool_util.h +++ b/src/tool_util.h @@ -39,4 +39,8 @@ long tvdiff(struct timeval t1, struct timeval t2); int struplocompare(const char *p1, const char *p2); int struplocompare4sort(const void *p1, const void *p2); +#ifdef _WIN32 +FILE *Curl_execpath(const char *filename, char **pathp); +#endif + #endif /* HEADER_CURL_TOOL_UTIL_H */ diff --git a/tests/server/disabled.c b/tests/server/disabled.c index fe500137d4..057ab36fc6 100644 --- a/tests/server/disabled.c +++ b/tests/server/disabled.c @@ -103,6 +103,15 @@ static const char *disabled[]={ #endif #ifndef CURL_HAVE_SHA512_256 "sha512-256", +#endif +#ifdef _WIN32 +#if defined(CURL_WINDOWS_UWP) || \ + defined(CURL_DISABLE_CA_SEARCH) || defined(CURL_CA_SEARCH_SAFE) + "win32-ca-searchpath", +#endif +#ifndef CURL_CA_SEARCH_SAFE + "win32-ca-search-safe", +#endif #endif NULL };