[PATCH 2/2] cyassl: add SSL context callback support for CyaSSL
From: kylehuff <code_at_curetheitch.com>
Date: Fri, 27 Mar 2015 18:39:53 -0400
Add support for CURLOPT_SSL_CTX_FUNCTION when using CyaSSL
and better handle CyaSSL NO_FILESYSTEM builds.
--- docs/libcurl/opts/CURLOPT_SSL_CTX_DATA.3 | 3 ++- docs/libcurl/opts/CURLOPT_SSL_CTX_FUNCTION.3 | 31 ++++++++++++++-------------- lib/vtls/cyassl.c | 20 ++++++++++++++++++ lib/vtls/cyassl.h | 3 +++ 4 files changed, 41 insertions(+), 16 deletions(-) diff --git a/docs/libcurl/opts/CURLOPT_SSL_CTX_DATA.3 b/docs/libcurl/opts/CURLOPT_SSL_CTX_DATA.3 index 4873cdd..977cc12 100644 --- a/docs/libcurl/opts/CURLOPT_SSL_CTX_DATA.3 +++ b/docs/libcurl/opts/CURLOPT_SSL_CTX_DATA.3 @@ -38,7 +38,8 @@ All TLS based protocols: HTTPS, FTPS, IMAPS, POP3, SMTPS etc. .SH EXAMPLE TODO .SH AVAILABILITY -Added in 7.11.0. Only used with the OpenSSL backend. +Added in 7.11.0 for OpenSSL. Added in 7.42.0 for wolfSSL/CyaSSL. Other SSL +backends not supported. .SH RETURN VALUE Returns CURLE_OK if the option is supported, and CURLE_UNKNOWN_OPTION if not. .SH "SEE ALSO" diff --git a/docs/libcurl/opts/CURLOPT_SSL_CTX_FUNCTION.3 b/docs/libcurl/opts/CURLOPT_SSL_CTX_FUNCTION.3 index 1e8dbe5..e3e0170 100644 --- a/docs/libcurl/opts/CURLOPT_SSL_CTX_FUNCTION.3 +++ b/docs/libcurl/opts/CURLOPT_SSL_CTX_FUNCTION.3 @@ -22,7 +22,7 @@ .\" .TH CURLOPT_SSL_CTX_FUNCTION 3 "19 Jun 2014" "libcurl 7.37.0" "curl_easy_setopt options" .SH NAME -CURLOPT_SSL_CTX_FUNCTION \- openssl specific callback to do SSL magic +CURLOPT_SSL_CTX_FUNCTION \- SSL context callback for OpenSSL or wolfSSL/CyaSSL .SH SYNOPSIS .nf #include <curl/curl.h> 
@@ -32,28 +32,28 @@ CURLcode ssl_ctx_callback(CURL *curl, void *ssl_ctx, void *userptr); CURLcode curl_easy_setopt(CURL *handle, CURLOPT_SSL_CTX_FUNCTION, ssl_ctx_callback); .SH DESCRIPTION -This option only works for libcurl powered by OpenSSL. If libcurl was built -against another SSL library, this functionality is absent. +This option only works for libcurl powered by OpenSSL or wolfSSL/CyaSSL. If +libcurl was built against another SSL library this functionality is absent. Pass a pointer to your callback function, which should match the prototype shown above. This callback function gets called by libcurl just before the initialization -of a SSL connection after having processed all other SSL related options to -give a last chance to an application to modify the behaviour of openssl's ssl -initialization. The \fIsslctx\fP parameter is actually a pointer to an openssl -\fISSL_CTX\fP. If an error is returned from the callback, no attempt to -establish a connection is made and the perform operation will return the error -code. Set the \fIuserptr\fP argument with the \fICURLOPT_SSL_CTX_DATA(3)\fP -option. +of an SSL connection after having processed all other SSL related options to +give a last chance to an application to modify the behaviour of the SSL +initialization. The \fIssl_ctx\fP parameter is actually a pointer to the SSL +library's \fISSL_CTX\fP. If an error is returned from the callback no attempt +to establish a connection is made and the perform operation will return the +callback's error code. Set the \fIuserptr\fP argument with the +\fICURLOPT_SSL_CTX_DATA(3)\fP option. This function will get called on all new connections made to a server, during the SSL negotiation. The SSL_CTX pointer will be a new one every time. -To use this properly, a non-trivial amount of knowledge of the openssl -libraries is necessary. 
For example, using this function allows you to use -openssl callbacks to add additional validation code for certificates, and even -to change the actual URI of a HTTPS request (example used in the lib509 test +To use this properly, a non-trivial amount of knowledge of your SSL library +is necessary. For example, you can use this function to call library-specific +callbacks to add additional validation code for certificates, and even to +change the actual URI of a HTTPS request (example used in the lib509 test case). See also the example section for a replacement of the key, certificate and trust file settings. .SH DEFAULT @@ -63,7 +63,8 @@ All TLS based protocols: HTTPS, FTPS, IMAPS, POP3, SMTPS etc. .SH EXAMPLE TODO .SH AVAILABILITY -Added in 7.11.0. Only supported when built with OpenSSL. +Added in 7.11.0 for OpenSSL. Added in 7.42.0 for wolfSSL/CyaSSL. Other SSL +backends not supported. .SH RETURN VALUE Returns CURLE_OK if the option is supported, and CURLE_UNKNOWN_OPTION if not. .SH "SEE ALSO" diff --git a/lib/vtls/cyassl.c b/lib/vtls/cyassl.c index 285d64a..a8c1ba5 100644 --- a/lib/vtls/cyassl.c +++ b/lib/vtls/cyassl.c 
@@ -201,6 +201,26 @@ cyassl_connect_step1(struct connectdata *conn,
 data->set.ssl.verifypeer?SSL_VERIFY_PEER:SSL_VERIFY_NONE,
 NULL);
 
+ /* give application a chance to interfere with SSL set up. */
+ if(data->set.ssl.fsslctx) {
+ CURLcode result = CURLE_OK;
+ result = (*data->set.ssl.fsslctx)(data, conssl->ctx,
+ data->set.ssl.fsslctxp);
+ if(result) {
+ failf(data, "error signaled by ssl ctx callback");
+ return result;
+ }
+ }
+#ifdef NO_FILESYSTEM
+ else if(data->set.ssl.verifypeer) {
+ failf(data, "SSL: Certificates couldn't be loaded because CyaSSL was built"
+ " with \"no filesystem\". Either disable peer verification"
+ " (insecure) or if you are building an application with libcurl you"
+ " can load certificates via CURLOPT_SSL_CTX_FUNCTION.");
+ return CURLE_SSL_CONNECT_ERROR;
+ }
+#endif
+
 /* Let's make an SSL structure */
 if(conssl->handle)
 SSL_free(conssl->handle);
diff --git a/lib/vtls/cyassl.h b/lib/vtls/cyassl.h
index b492ffa..12638a7 100644
--- a/lib/vtls/cyassl.h
+++ b/lib/vtls/cyassl.h
@@ -46,6 +46,9 @@ int Curl_cyassl_random(struct SessionHandle *data,
 /* Set the API backend definition to Schannel */
 #define CURL_SSL_BACKEND CURLSSLBACKEND_CYASSL
 
+/* this backend supports CURLOPT_SSL_CTX_* */
+#define have_curlssl_ssl_ctx 1
+
 /* API setup for CyaSSL */
 #define curlssl_init Curl_cyassl_init
 #define curlssl_cleanup() Curl_nop_stmt
-- 
1.9.5.msysgit.0
--------------090406070007040805070306
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: base64
Content-Disposition: inline
LS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0t
LS0tLS0tLS0tLQpMaXN0IGFkbWluOiBodHRwOi8vY29vbC5oYXh4LnNlL2xpc3QvbGlzdGluZm8v
Y3VybC1saWJyYXJ5CkV0aXF1ZXR0ZTogIGh0dHA6Ly9jdXJsLmhheHguc2UvbWFpbC9ldGlxdWV0
dGUuaHRtbA==
--------------090406070007040805070306--
Received on 2001-09-17
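Review bot: `CURLcode result = CURLE_OK;` in the new callback block is overwritten on the very next line, so the call should initialise it directly: `CURLcode result = (*data->set.ssl.fsslctx)(data, conssl->ctx, data->set.ssl.fsslctxp);`. The `#ifdef NO_FILESYSTEM` branch would also benefit from a comment making the trust-anchor contract explicit, since once a callback is installed the application, not libcurl, must load the CA store in a no-filesystem build; something like `/* with a ctx callback the application owns trust-anchor loading; SSL_VERIFY_PEER set above still applies to whatever it installs */`. That the handshake still fails closed when the callback loads nothing follows from the `SSL_VERIFY_PEER` selection in the context lines above, though I have not traced CyaSSL's behaviour for an empty store, so the wording should be checked against the library. cyassl_connect_step1 begins and continues outside this hunk.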