openssl: Support async cert verify callback
authorPablo Busse <pabusse@microsoft.com>
Thu, 22 Jun 2023 06:13:07 +0000 (06:13 +0000)
committerJay Satiro <raysatiro@yahoo.com>
Tue, 1 Aug 2023 07:49:07 +0000 (03:49 -0400)
- Update the OpenSSL connect state machine to handle
  SSL_ERROR_WANT_RETRY_VERIFY.

This allows libcurl users that are using custom certificate validation
to suspend processing while waiting for external I/O during certificate
validation.

Closes https://github.com/curl/curl/pull/11499

docs/libcurl/opts/CURLOPT_SSL_CTX_FUNCTION.3
lib/vtls/openssl.c

index 7d4e688c4031cec6c3b72753c4e4125ae849344f..11806de81750303a6bfd55ada7932362f195aa49 100644 (file)
@@ -61,6 +61,9 @@ necessary. For example, you can use this function to call library-specific
 callbacks to add additional validation code for certificates, and even to
 change the actual URI of an HTTPS request.
 
+For OpenSSL, asynchronous certificate verification via
+\fISSL_set_retry_verify\fP is supported. (Added in 8.3.0)
+
 WARNING: The \fICURLOPT_SSL_CTX_FUNCTION(3)\fP callback allows the application
 to reach in and modify SSL details in the connection without libcurl itself
 knowing anything about it, which then subsequently can lead to libcurl
index ae33147d0c115853d0d36b4253ef1322d79fbe2f..51f7b26f851a5d844c3574b9375f0cfc06ef2977 100644 (file)
@@ -3864,7 +3864,13 @@ static CURLcode ossl_connect_step2(struct Curl_cfilter *cf,
       return CURLE_OK;
     }
 #endif
-    else if(backend->io_result == CURLE_AGAIN) {
+#ifdef SSL_ERROR_WANT_RETRY_VERIFY
+    if(SSL_ERROR_WANT_RETRY_VERIFY == detail) {
+      connssl->connecting_state = ssl_connect_2;
+      return CURLE_OK;
+    }
+#endif
+    if(backend->io_result == CURLE_AGAIN) {
       return CURLE_OK;
     }
     else {
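Review bot: The new `SSL_ERROR_WANT_RETRY_VERIFY` branch has no comment saying why it is not an error, even though it returns CURLE_OK from a handshake that has not completed and whose certificate has not yet been accepted; a reader seeing it next to the `CURLE_AGAIN` case needs to know the verification outcome is still pending, not skipped. I would add above the `if`: `/* the app's verify callback requested a retry (SSL_set_retry_verify); stay in ssl_connect_2 so the next call re-enters SSL_connect and the verdict is still decided by the callback */`. It is also worth stating, hedged, that unlike the read/write states this path does not wait on the socket, so the caller is expected to poll again on its own (ossl_connect_step2 starts and ends outside this hunk, so I cannot confirm how `detail` is obtained). Minor style point: `SSL_ERROR_WANT_RETRY_VERIFY == detail` is the only yoda-ordered comparison here; `detail == SSL_ERROR_WANT_RETRY_VERIFY` would match the adjacent `backend->io_result == CURLE_AGAIN`.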