cyassl: add SSL context callback support for CyaSSL

Adds support for CURLOPT_SSL_CTX_FUNCTION when using CyaSSL, and better handles CyaSSL instances using NO_FILESYSTEM.
2015-03-27 07:22:32 -04:00 · 2015-03-27 07:22:32 -04:00 · d2feb71752
parent 211f1e3c6b
commit d2feb71752
4 changed files with 25 additions and 4 deletions
--- a/docs/libcurl/opts/CURLOPT_SSL_CTX_DATA.3
+++ b/docs/libcurl/opts/CURLOPT_SSL_CTX_DATA.3
@ -38,7 +38,7 @@ All TLS based protocols: HTTPS, FTPS, IMAPS, POP3, SMTPS etc.
 .SH EXAMPLE
 TODO
 .SH AVAILABILITY
-Added in 7.11.0. Only used with the OpenSSL backend.
+Added in 7.11.0. Only used with the OpenSSL and WolfSSL/CyaSSL backend.
 .SH RETURN VALUE
 Returns CURLE_OK if the option is supported, and CURLE_UNKNOWN_OPTION if not.
 .SH "SEE ALSO"
--- a/docs/libcurl/opts/CURLOPT_SSL_CTX_FUNCTION.3
+++ b/docs/libcurl/opts/CURLOPT_SSL_CTX_FUNCTION.3
@ -32,8 +32,8 @@ CURLcode ssl_ctx_callback(CURL *curl, void *ssl_ctx, void *userptr);
 CURLcode curl_easy_setopt(CURL *handle, CURLOPT_SSL_CTX_FUNCTION,
                          ssl_ctx_callback);
 .SH DESCRIPTION
-This option only works for libcurl powered by OpenSSL. If libcurl was built
-against another SSL library, this functionality is absent.
+This option only works for libcurl powered by OpenSSL and WolfSSL/CyaSSL.
+If libcurl was built against another SSL library, this functionality is absent.

 Pass a pointer to your callback function, which should match the prototype
 shown above.
@ -63,7 +63,7 @@ All TLS based protocols: HTTPS, FTPS, IMAPS, POP3, SMTPS etc.
 .SH EXAMPLE
 TODO
 .SH AVAILABILITY
-Added in 7.11.0. Only supported when built with OpenSSL.
+Added in 7.11.0. Only supported when built with OpenSSL and WolfSSL/CyaSSL.
 .SH RETURN VALUE
 Returns CURLE_OK if the option is supported, and CURLE_UNKNOWN_OPTION if not.
 .SH "SEE ALSO"
--- a/lib/vtls/cyassl.c
+++ b/lib/vtls/cyassl.c
@ -201,6 +201,24 @@ cyassl_connect_step1(struct connectdata *conn,
                     data->set.ssl.verifypeer?SSL_VERIFY_PEER:SSL_VERIFY_NONE,
                     NULL);

+  /* give application a chance to interfere with SSL set up. */
+  if(data->set.ssl.fsslctx) {
+    CURLcode result = CURLE_OK;
+    result = (*data->set.ssl.fsslctx)(data, conssl->ctx,
+                                       data->set.ssl.fsslctxp);
+    if(result) {
+      failf(data, "error signaled by ssl ctx callback");
+      return result;
+    }
+  }
+#ifdef NO_FILESYSTEM
+  else if(data->set.ssl.verifypeer) {
+    failf(data, "CyaSSL: unable to verify certificate; no certificate",
+          " authorities registered");
+    return CURLE_SSL_CONNECT_ERROR;
+  }
+#endif
+
  /* Let's make an SSL structure */
  if(conssl->handle)
    SSL_free(conssl->handle);
--- a/lib/vtls/cyassl.h
+++ b/lib/vtls/cyassl.h
@ -46,6 +46,9 @@ int Curl_cyassl_random(struct SessionHandle *data,
 /* Set the API backend definition to Schannel */
 #define CURL_SSL_BACKEND CURLSSLBACKEND_CYASSL

+/* this backend suppots CURLOPT_SSL_CTX_FUNCTION */
+#define have_curlssl_ssl_ctx 1
+
 /* API setup for CyaSSL */
 #define curlssl_init Curl_cyassl_init
 #define curlssl_cleanup() Curl_nop_stmt