From db328891d5f684be3564ae1cb0288e4b8e2f289b Mon Sep 17 00:00:00 2001
From: Rick Winter
Date: Fri, 28 Jul 2023 09:39:05 -0700
Subject: [PATCH] Support root cert validation on CURL (#4821)

* Only CURL >= 7.44 supports root cert validation
* Update Changelog
---
 sdk/core/azure-core/CHANGELOG.md | 2 ++
 .../azure-core/inc/azure/core/http/curl_transport.hpp | 2 ++
 sdk/core/azure-core/src/http/curl/curl.cpp | 8 ++++++++
 3 files changed, 12 insertions(+)
diff --git a/sdk/core/azure-core/CHANGELOG.md b/sdk/core/azure-core/CHANGELOG.md
index c7b4ad5a5..34379d81b 100644
--- a/sdk/core/azure-core/CHANGELOG.md
+++ b/sdk/core/azure-core/CHANGELOG.md
@@ -8,6 +8,8 @@
### Bugs Fixed
+- [[#4792]](https://github.com/Azure/azure-sdk-for-cpp/issues/4792) Only support CURL's root cert validation when CURL version is >= 7.77.0.
+
### Other Changes
## 1.10.1 (2023-07-06)
diff --git a/sdk/core/azure-core/inc/azure/core/http/curl_transport.hpp b/sdk/core/azure-core/inc/azure/core/http/curl_transport.hpp
index 5cea94eaa..d0fb2b4e8 100644
--- a/sdk/core/azure-core/inc/azure/core/http/curl_transport.hpp
+++ b/sdk/core/azure-core/inc/azure/core/http/curl_transport.hpp
@@ -62,6 +62,8 @@ namespace Azure { namespace Core { namespace Http {
* @remark More about this option:
* https://curl.se/libcurl/c/CURLOPT_CAINFO_BLOB.html
*
+ * @warning Requires libcurl >= 7.44.0
+ *
*/
std::string PemEncodedExpectedRootCertificates;
};
diff --git a/sdk/core/azure-core/src/http/curl/curl.cpp b/sdk/core/azure-core/src/http/curl/curl.cpp
index c01af5c07..b8703eac0 100644
--- a/sdk/core/azure-core/src/http/curl/curl.cpp
+++ b/sdk/core/azure-core/src/http/curl/curl.cpp
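Review bot: The `@warning Requires libcurl >= 7.44.0` added to the `PemEncodedExpectedRootCertificates` doc comment in curl_transport.hpp does not match the guard this same commit adds in curl.cpp (`LIBCURL_VERSION_NUM >= 0x074D00 // 7.77.0`) or the CHANGELOG entry, which both say 7.77.0. The field is applied through CURLOPT_CAINFO_BLOB, and the curl page the comment links to records that option as added in 7.77.0, so 7.44.0 is the wrong figure and would lead a reader to expect pinning to work on libcurl builds where the code compiles it out. Change the line to `* @warning Requires libcurl >= 7.77.0 (CURLOPT_CAINFO_BLOB).` The commit description's first bullet carries the same 7.44 figure.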
@@ -307,11 +307,13 @@ Azure::Core::Http::CurlTransportOptions CurlTransportOptionsFromTransportOptions
curlOptions.SslOptions.EnableCertificateRevocationListCheck = transportOptions.EnableCertificateRevocationListCheck;
+#if LIBCURL_VERSION_NUM >= 0x074D00 // 7.77.0
if (!transportOptions.ExpectedTlsRootCertificate.empty())
{
curlOptions.SslOptions.PemEncodedExpectedRootCertificates = PemEncodeFromBase64(transportOptions.ExpectedTlsRootCertificate, "CERTIFICATE");
}
+#endif
curlOptions.SslVerifyPeer = !transportOptions.DisableTlsCertificateValidation;
return curlOptions;
}
@@ -1297,10 +1299,14 @@ inline std::string GetConnectionKey(std::string const& host, CurlTransportOption
key.append(",");
key.append(options.SslOptions.AllowFailedCrlRetrieval ? "FC" : "0");
key.append(",");
+#if LIBCURL_VERSION_NUM >= 0x074D00 // 7.77.0
key.append( !options.SslOptions.PemEncodedExpectedRootCertificates.empty() ? std::to_string( std::hash{}(options.SslOptions.PemEncodedExpectedRootCertificates)) : "0");
+#else
+key.append("0");
+#endif
key.append(",");
// using DefaultConnectionTimeout or 0 result in the same setting
key.append(
@@ -2308,6 +2314,7 @@ CurlConnection::CurlConnection(
}
}
+#if LIBCURL_VERSION_NUM >= 0x074D00 // 7.77.0
if (!options.SslOptions.PemEncodedExpectedRootCertificates.empty())
{
curl_blob rootCertBlob
@@ -2323,6 +2330,7 @@ CurlConnection::CurlConnection(
+ std::string(curl_easy_strerror(result)));
}
}
+#endif
#if defined(AZ_PLATFORM_WINDOWS)
long sslOption = 0;
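Review bot: On libcurl older than 7.77.0 the `#if LIBCURL_VERSION_NUM >= 0x074D00` guard in CurlTransportOptionsFromTransportOptions makes a non-empty `transportOptions.ExpectedTlsRootCertificate` silently do nothing: the caller asked for the server chain to be anchored to a specific root, and the connection proceeds with only the default verification and no error. The same silent drop happens in the CurlConnection constructor hunks (`@@ -2308` and `@@ -2323`), which also discard a `PemEncodedExpectedRootCertificates` set directly on CurlTransportOptions; that constructor starts and ends outside the hunks. A caller-specified trust restriction should fail closed rather than degrade silently, so I would give the constructor's guard an `#else` branch that throws when the field is non-empty, using the same exception type the surrounding constructor already throws for curl_easy_setopt failures (presumably Azure::Core::Http::TransportException, the type name is not visible in the hunk). GetConnectionKey is fine as written, since the "0" it appends in that configuration is consistent with the field being unused.
```cpp
#if LIBCURL_VERSION_NUM >= 0x074D00 // 7.77.0
  // … unchanged: CURLOPT_CAINFO_BLOB setup and its error handling …
#else
  // Fail closed: the caller asked to anchor the chain to a specific root and
  // this libcurl cannot honor it (CURLOPT_CAINFO_BLOB needs 7.77.0).
  if (!options.SslOptions.PemEncodedExpectedRootCertificates.empty())
  {
    throw Azure::Core::Http::TransportException(
        "PemEncodedExpectedRootCertificates requires libcurl >= 7.77.0 (CURLOPT_CAINFO_BLOB).");
  }
#endif
```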