[Cloud]Embed cacert.pem into binary

OFFTKP · Dec 17, 2023 · 8346191 · 8346191
1 parent 187242d
commit 8346191
Show file tree

Hide file tree

Showing 12 changed files with 18,956 additions and 7,133 deletions.
diff --git a/.github/workflows/deploy_web.yml b/.github/workflows/deploy_web.yml
@@ -1,9 +1,5 @@
 name: Build Web & Deploy to GH
 on: [push,pull_request]
-permissions:
-  contents: write
-  pull-requests: write
-  issues: write
 jobs:
   build-and-deploy:
     runs-on: ubuntu-latest

diff --git a/.github/workflows/deploy_win.yml b/.github/workflows/deploy_win.yml
@@ -9,6 +9,7 @@ jobs:
       - name: Get latest CMake and ninja
         # Using 'latest' branch, the most recent CMake and ninja are installed.
         uses: lukka/get-cmake@latest
+
       - name: Build 🔧 
         run: |
           mkdir build

diff --git a/CMakeLists.txt b/CMakeLists.txt
@@ -339,8 +339,10 @@ set(LINK_LIBS ${LINK_LIBS} sokol ${ALSA_LIBRARIES})
 
 if(NOT EMSCRIPTEN)
   target_include_directories(${PROJECT_NAME} PRIVATE src/openssl/include)
+  # OpenSSL autogenerates some header file such as openssl/opensslconf.h and we want to include them
+  target_include_directories(${PROJECT_NAME} PRIVATE ${CMAKE_CURRENT_BINARY_DIR}/src/openssl/include)
   target_include_directories(${PROJECT_NAME} PRIVATE src/curl/include)
-  set(LINK_LIBS ${LINK_LIBS} libcurl_static)
+  set(LINK_LIBS ${LINK_LIBS} libcurl_static ssl crypto)
 endif()
 
 set(CAPSTONE_BUILD_TESTS OFF CACHE BOOL "Build capstone tests" FORCE)

diff --git a/src/cacert_pem.h b/src/cacert_pem.h
diff --git a/src/cloud.cpp b/src/cloud.cpp
@@ -28,6 +28,11 @@ const char* se_get_pref_path();
 #ifndef EMSCRIPTEN
 #include "httplib.h" // for server only
 #include <curl/curl.h>
+#include <openssl/err.h>
+#include <openssl/ssl.h>
+extern "C" {
+#include "res.h"
+}
 #else
 #include <emscripten.h>
 #endif
@@ -264,36 +269,50 @@ enum class http_request_e
     PATCH,
 };
 
-const char* get_ca_path()
+#ifndef EMSCRIPTEN
+// See cacertinmem.c example from libcurl
+CURLcode sslctx_function(CURL *curl, void *sslctx, void *parm)
 {
-    static std::string ca_path;
-#ifdef SE_PLATFORM_ANDROID
-    if (ca_path.empty())
-    {
-        ANativeActivity* activity = (ANativeActivity*)sapp_android_get_native_activity();
-        JavaVM* pJavaVM = activity->vm;
-        JNIEnv* pJNIEnv = activity->env;
-        jint nResult = pJavaVM->AttachCurrentThread(&pJNIEnv, NULL);
-        if (nResult != JNI_ERR) 
-        {
-            jobject nativeActivity = activity->clazz;
-            jclass ClassNativeActivity = pJNIEnv->GetObjectClass(nativeActivity);
-            jmethodID MethodGetCertificatePath = pJNIEnv->GetMethodID(ClassNativeActivity, "getCertificatePath", "()Ljava/lang/String;");
-            jstring jstrCertificatePath = (jstring)pJNIEnv->CallObjectMethod(nativeActivity, MethodGetCertificatePath);
-            const char* strCertificatePath = pJNIEnv->GetStringUTFChars(jstrCertificatePath, NULL);
-            ca_path = std::string(strCertificatePath);
-            pJNIEnv->ReleaseStringUTFChars(jstrCertificatePath, strCertificatePath);
-            pJavaVM->DetachCurrentThread();
-        }
+    CURLcode rv = CURLE_ABORTED_BY_CALLBACK;
+
+    uint64_t cacert_pem_len;
+    const uint8_t* cacert_pem = se_get_resource(SE_CACERT_PEM, &cacert_pem_len);
+
+    BIO *cbio = BIO_new_mem_buf(cacert_pem, cacert_pem_len);
+    X509_STORE  *cts = SSL_CTX_get_cert_store((SSL_CTX *)sslctx);
+    int i;
+    STACK_OF(X509_INFO) *inf;
+    (void)curl;
+    (void)parm;
+
+    if(!cts || !cbio) {
+        return rv;
     }
-#elif defined(SE_PLATFORM_IOS)
-    if (ca_path.empty())
-    {
-        ca_path = se_ios_get_certificate_path();
+
+    inf = PEM_X509_INFO_read_bio(cbio, NULL, NULL, NULL);
+
+    if(!inf) {
+        BIO_free(cbio);
+        return rv;
     }
-#endif
-    return ca_path.c_str();
+
+    for(i = 0; i < sk_X509_INFO_num(inf); i++) {
+        X509_INFO *itmp = sk_X509_INFO_value(inf, i);
+        if(itmp->x509) {
+        X509_STORE_add_cert(cts, itmp->x509);
+        }
+        if(itmp->crl) {
+        X509_STORE_add_crl(cts, itmp->crl);
+        }
+    }
+
+    sk_X509_INFO_pop_free(inf, X509_INFO_free);
+    BIO_free(cbio);
+
+    rv = CURLE_OK;
+    return rv;
 }
+#endif
 
 // Abstraction layer for http requests
 void https_request(http_request_e type, const std::string& url, const std::string& body,
@@ -313,9 +332,15 @@ void https_request(http_request_e type, const std::string& url, const std::strin
     curl_easy_setopt(curl, CURLOPT_FOLLOWLOCATION, 1L);
     curl_easy_setopt(curl, CURLOPT_WRITEFUNCTION, curl_write_data);
     curl_easy_setopt(curl, CURLOPT_WRITEDATA, (void*)&result);
-#if defined(SE_PLATFORM_ANDROID) || defined(SE_PLATFORM_IOS)
-    curl_easy_setopt(curl, CURLOPT_CAINFO, get_ca_path());
-#endif
+
+    /* Turn off the default CA locations, otherwise libcurl will load CA
+     * certificates from the locations that were detected/specified at
+     * build-time
+     */
+    curl_easy_setopt(curl, CURLOPT_CAINFO, NULL);
+    curl_easy_setopt(curl, CURLOPT_CAPATH, NULL);
+
+    curl_easy_setopt(curl, CURLOPT_SSL_CTX_FUNCTION, sslctx_function);
 
     switch (type)
     {

diff --git a/src/ios_support.m b/src/ios_support.m
@@ -141,8 +141,3 @@ void se_ios_open_url(const char * url){
 
    }];
 }
-const char* se_ios_get_certificate_path(){
-  NSString* path = [[NSBundle mainBundle] pathForResource:@"cacert" ofType:@"pem"];
-  if(path==Nil)return "";
-  return [path cStringUsingEncoding:NSUTF8StringEncoding];
-}
diff --git a/src/main.c b/src/main.c
@@ -5694,10 +5694,10 @@ void se_draw_save_states(bool cloud){
       } else
       se_text(ICON_FK_BAN);
     }
-    if(!emu_state.rom_loaded)se_pop_disabled();
     igEndChildFrame();
     mutex_unlock(cloud_state.save_states_mutex[i]);
   }
+  if(!emu_state.rom_loaded)se_pop_disabled();
 }
 void se_draw_menu_panel(){
   ImGuiStyle *style = igGetStyle();

diff --git a/src/res.c b/src/res.c
@@ -5,6 +5,7 @@
 #include "noto_armenian.h"
 #include "noto_sans.h"
 #endif
+#include "cacert_pem.h"
 #include "sv_basic_manual.h"
 #include "karla.h"
 #include <stdlib.h>
@@ -20,6 +21,7 @@ const uint8_t* se_get_resource(int res_id, uint64_t* size){
     case SE_NOTO_ARMENIAN: *size = noto_armenian_compressed_size; return (uint8_t*)noto_armenian_compressed_data;
     case SE_NOTO_SANS: *size = noto_sans_compressed_size; return (uint8_t*)noto_sans_compressed_data;
 #endif 
+    case SE_CACERT_PEM: *size = cacert_pem_len; return (uint8_t*)cacert_pem;
   }
   *size = 0; 
   return NULL;

diff --git a/src/res.h b/src/res.h
@@ -9,6 +9,7 @@
 #define SE_NOTO_ARMENIAN 3
 #define SE_NOTO_SANS 4
 #define SE_SV_BASIC_MANUAL 5
+#define SE_CACERT_PEM 6
 
 const uint8_t* se_get_resource(int res_id, uint64_t* size);