[PATCH 2/2] cyassl: add SSL context callback support for CyaSSL
From: kylehuff <code_at_curetheitch.com>
Date: Fri, 27 Mar 2015 18:39:53 -0400
Add support for CURLOPT_SSL_CTX_FUNCTION when using CyaSSL
and better handle CyaSSL NO_FILESYSTEM builds.
---
docs/libcurl/opts/CURLOPT_SSL_CTX_DATA.3 | 3 ++-
docs/libcurl/opts/CURLOPT_SSL_CTX_FUNCTION.3 | 31 ++++++++++++++--------------
lib/vtls/cyassl.c | 20 ++++++++++++++++++
lib/vtls/cyassl.h | 3 +++
4 files changed, 41 insertions(+), 16 deletions(-)
diff --git a/docs/libcurl/opts/CURLOPT_SSL_CTX_DATA.3 b/docs/libcurl/opts/CURLOPT_SSL_CTX_DATA.3
index 4873cdd..977cc12 100644
--- a/docs/libcurl/opts/CURLOPT_SSL_CTX_DATA.3
+++ b/docs/libcurl/opts/CURLOPT_SSL_CTX_DATA.3
@@ -38,7 +38,8 @@ All TLS based protocols: HTTPS, FTPS, IMAPS, POP3, SMTPS etc.
.SH EXAMPLE
TODO
.SH AVAILABILITY
-Added in 7.11.0. Only used with the OpenSSL backend.
+Added in 7.11.0 for OpenSSL. Added in 7.42.0 for wolfSSL/CyaSSL. Other SSL
+backends not supported.
.SH RETURN VALUE
Returns CURLE_OK if the option is supported, and CURLE_UNKNOWN_OPTION if not.
.SH "SEE ALSO"
diff --git a/docs/libcurl/opts/CURLOPT_SSL_CTX_FUNCTION.3 b/docs/libcurl/opts/CURLOPT_SSL_CTX_FUNCTION.3
index 1e8dbe5..e3e0170 100644
--- a/docs/libcurl/opts/CURLOPT_SSL_CTX_FUNCTION.3
+++ b/docs/libcurl/opts/CURLOPT_SSL_CTX_FUNCTION.3
@@ -22,7 +22,7 @@
.\"
.TH CURLOPT_SSL_CTX_FUNCTION 3 "19 Jun 2014" "libcurl 7.37.0" "curl_easy_setopt options"
.SH NAME
-CURLOPT_SSL_CTX_FUNCTION \- openssl specific callback to do SSL magic
+CURLOPT_SSL_CTX_FUNCTION \- SSL context callback for OpenSSL or wolfSSL/CyaSSL
.SH SYNOPSIS
.nf
#include <curl/curl.h>
@@ -32,28 +32,28 @@ CURLcode ssl_ctx_callback(CURL *curl, void *ssl_ctx, void *userptr);
CURLcode curl_easy_setopt(CURL *handle, CURLOPT_SSL_CTX_FUNCTION,
ssl_ctx_callback);
.SH DESCRIPTION
-This option only works for libcurl powered by OpenSSL. If libcurl was built
-against another SSL library, this functionality is absent.
+This option only works for libcurl powered by OpenSSL or wolfSSL/CyaSSL. If
+libcurl was built against another SSL library this functionality is absent.
Pass a pointer to your callback function, which should match the prototype
shown above.
This callback function gets called by libcurl just before the initialization
-of a SSL connection after having processed all other SSL related options to
-give a last chance to an application to modify the behaviour of openssl's ssl
-initialization. The \fIsslctx\fP parameter is actually a pointer to an openssl
-\fISSL_CTX\fP. If an error is returned from the callback, no attempt to
-establish a connection is made and the perform operation will return the error
-code. Set the \fIuserptr\fP argument with the \fICURLOPT_SSL_CTX_DATA(3)\fP
-option.
+of an SSL connection after having processed all other SSL related options to
+give a last chance to an application to modify the behaviour of the SSL
+initialization. The \fIssl_ctx\fP parameter is actually a pointer to the SSL
+library's \fISSL_CTX\fP. If an error is returned from the callback no attempt
+to establish a connection is made and the perform operation will return the
+callback's error code. Set the \fIuserptr\fP argument with the
+\fICURLOPT_SSL_CTX_DATA(3)\fP option.
This function will get called on all new connections made to a server, during
the SSL negotiation. The SSL_CTX pointer will be a new one every time.
-To use this properly, a non-trivial amount of knowledge of the openssl
-libraries is necessary. For example, using this function allows you to use
-openssl callbacks to add additional validation code for certificates, and even
-to change the actual URI of a HTTPS request (example used in the lib509 test
+To use this properly, a non-trivial amount of knowledge of your SSL library
+is necessary. For example, you can use this function to call library-specific
+callbacks to add additional validation code for certificates, and even to
+change the actual URI of a HTTPS request (example used in the lib509 test
case). See also the example section for a replacement of the key, certificate
and trust file settings.
.SH DEFAULT
@@ -63,7 +63,8 @@ All TLS based protocols: HTTPS, FTPS, IMAPS, POP3, SMTPS etc.
.SH EXAMPLE
TODO
.SH AVAILABILITY
-Added in 7.11.0. Only supported when built with OpenSSL.
+Added in 7.11.0 for OpenSSL. Added in 7.42.0 for wolfSSL/CyaSSL. Other SSL
+backends not supported.
.SH RETURN VALUE
Returns CURLE_OK if the option is supported, and CURLE_UNKNOWN_OPTION if not.
.SH "SEE ALSO"
diff --git a/lib/vtls/cyassl.c b/lib/vtls/cyassl.c
index 285d64a..a8c1ba5 100644
--- a/lib/vtls/cyassl.c
+++ b/lib/vtls/cyassl.c
@@ -201,6 +201,26 @@ cyassl_connect_step1(struct connectdata *conn,
data->set.ssl.verifypeer?SSL_VERIFY_PEER:SSL_VERIFY_NONE,
NULL);
+ /* give application a chance to interfere with SSL set up. */
+ if(data->set.ssl.fsslctx) {
+ CURLcode result = CURLE_OK;
+ result = (*data->set.ssl.fsslctx)(data, conssl->ctx,
+ data->set.ssl.fsslctxp);
+ if(result) {
+ failf(data, "error signaled by ssl ctx callback");
+ return result;
+ }
+ }
+#ifdef NO_FILESYSTEM
+ else if(data->set.ssl.verifypeer) {
+ failf(data, "SSL: Certificates couldn't be loaded because CyaSSL was built"
+ " with \"no filesystem\". Either disable peer verification"
+ " (insecure) or if you are building an application with libcurl you"
+ " can load certificates via CURLOPT_SSL_CTX_FUNCTION.");
+ return CURLE_SSL_CONNECT_ERROR;
+ }
+#endif
+
/* Let's make an SSL structure */
if(conssl->handle)
SSL_free(conssl->handle);
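Review bot: The `#ifdef NO_FILESYSTEM` branch is an `else` of the callback check, so merely installing a CURLOPT_SSL_CTX_FUNCTION silences the no-trust-store error while `verifypeer` stays set on the context configured by the `SSL_CTX_set_verify` call just above; whether a callback that never loads a CA then fails closed depends on CyaSSL rejecting an unverifiable chain under SSL_VERIFY_PEER, which nothing in this hunk establishes. I would make that assumption explicit above the `else if`: `/* A callback is trusted to load the CA store itself; with NO_FILESYSTEM there is no other way to get one, so a verify-peer handshake without CAs must fail on its own. */`. Minor: `CURLcode result = CURLE_OK;` is overwritten on the very next line, so `CURLcode result = (*data->set.ssl.fsslctx)(data, conssl->ctx, data->set.ssl.fsslctxp);` reads cleaner. cyassl_connect_step1 starts before this hunk and continues after it.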
diff --git a/lib/vtls/cyassl.h b/lib/vtls/cyassl.h
index b492ffa..12638a7 100644
--- a/lib/vtls/cyassl.h
+++ b/lib/vtls/cyassl.h
@@ -46,6 +46,9 @@ int Curl_cyassl_random(struct SessionHandle *data,
/* Set the API backend definition to Schannel */
#define CURL_SSL_BACKEND CURLSSLBACKEND_CYASSL
+/* this backend supports CURLOPT_SSL_CTX_* */
+#define have_curlssl_ssl_ctx 1
+
/* API setup for CyaSSL */
#define curlssl_init Curl_cyassl_init
#define curlssl_cleanup() Curl_nop_stmt
--
1.9.5.msysgit.0