From: Pablo Busse Date: Thu, 22 Jun 2023 06:13:07 +0000 (+0000) Subject: openssl: Support async cert verify callback X-Git-Tag: curl-8_3_0~258 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=11d46bcfb2c813809d6bd63532e81c990e65cf9e;p=thirdparty%2Fcurl.git openssl: Support async cert verify callback - Update the OpenSSL connect state machine to handle SSL_ERROR_WANT_RETRY_VERIFY. This allows libcurl users that are using custom certificate validation to suspend processing while waiting for external I/O during certificate validation. Closes https://github.com/curl/curl/pull/11499 --- diff --git a/docs/libcurl/opts/CURLOPT_SSL_CTX_FUNCTION.3 b/docs/libcurl/opts/CURLOPT_SSL_CTX_FUNCTION.3 index 7d4e688c40..11806de817 100644 --- a/docs/libcurl/opts/CURLOPT_SSL_CTX_FUNCTION.3 +++ b/docs/libcurl/opts/CURLOPT_SSL_CTX_FUNCTION.3 @@ -61,6 +61,9 @@ necessary. For example, you can use this function to call library-specific callbacks to add additional validation code for certificates, and even to change the actual URI of an HTTPS request. +For OpenSSL, asynchronous certificate verification via +\fISSL_set_retry_verify\fP is supported. (Added in 8.3.0) + WARNING: The \fICURLOPT_SSL_CTX_FUNCTION(3)\fP callback allows the application to reach in and modify SSL details in the connection without libcurl itself knowing anything about it, which then subsequently can lead to libcurl diff --git a/lib/vtls/openssl.c b/lib/vtls/openssl.c index ae33147d0c..51f7b26f85 100644 --- a/lib/vtls/openssl.c +++ b/lib/vtls/openssl.c @@ -3864,7 +3864,13 @@ static CURLcode ossl_connect_step2(struct Curl_cfilter *cf, return CURLE_OK; } #endif - else if(backend->io_result == CURLE_AGAIN) { +#ifdef SSL_ERROR_WANT_RETRY_VERIFY + if(SSL_ERROR_WANT_RETRY_VERIFY == detail) { + connssl->connecting_state = ssl_connect_2; + return CURLE_OK; + } +#endif + if(backend->io_result == CURLE_AGAIN) { return CURLE_OK; } else {
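Review bot: The new paragraph in CURLOPT_SSL_CTX_FUNCTION.3 names the OpenSSL API (SSL_set_retry_verify) but does not tell the application what happens next, and it omits the build-time condition. Please add that the support only exists when libcurl is built against an OpenSSL that defines SSL_ERROR_WANT_RETRY_VERIFY (the handling in lib/vtls/openssl.c is guarded by `#ifdef SSL_ERROR_WANT_RETRY_VERIFY`, so older OpenSSL builds silently lack it), and state that after the verify callback requests a retry, the handshake stays suspended until the application drives the transfer again and the callback finally returns a definite accept or reject, so a callback must never let the handshake proceed before the external validation result is known.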
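Review bot: In the ossl_connect_step2 hunk, the SSL_ERROR_WANT_RETRY_VERIFY branch returns CURLE_OK with connecting_state left at ssl_connect_2 but, unlike the CURLE_AGAIN path below it, nothing in the hunk records what the caller should wait on before re-entering this step; there is no socket readiness to poll for because the retry is driven by the application's verify callback, so please confirm that the transfer loop does not busy-spin in this state and document (commit message or code comment) how the retry is expected to be triggered. The switch from `else if(backend->io_result == CURLE_AGAIN)` to a plain `if` is fine only because the preceding `#if`-guarded branch ends in `return CURLE_OK;`; a short comment noting that the chain was broken on purpose would keep a future edit to that branch from accidentally falling through into the CURLE_AGAIN check.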