From: Jan Venekamp <1422460+jan2000@users.noreply.github.com>
Date: Sat, 19 Feb 2022 14:34:47 +0000 (+0100)
Subject: BearSSL: add CURLOPT_SSL_CTX_FUNCTION support
X-Git-Tag: curl-7_83_0~152
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=3b4a3530252623466baa054d0ed1c5392eeae8b0;p=thirdparty%2Fcurl.git
BearSSL: add CURLOPT_SSL_CTX_FUNCTION support
Closes #8478
---
diff --git a/docs/libcurl/opts/CURLOPT_SSL_CTX_DATA.3 b/docs/libcurl/opts/CURLOPT_SSL_CTX_DATA.3
index 77090ac029..5f0bbd9800 100644
--- a/docs/libcurl/opts/CURLOPT_SSL_CTX_DATA.3
+++ b/docs/libcurl/opts/CURLOPT_SSL_CTX_DATA.3
@@ -115,8 +115,8 @@ int main(void)
 }
 .fi
 .SH AVAILABILITY
-Added in 7.11.0 for OpenSSL, in 7.42.0 for wolfSSL and in 7.54.0 for
-mbedTLS. Other SSL backends are not supported.
+Added in 7.11.0 for OpenSSL, in 7.42.0 for wolfSSL, in 7.54.0 for mbedTLS,
+in 7.83.0 in BearSSL. Other SSL backends are not supported.
 .SH RETURN VALUE
 CURLE_OK if supported; or an error such as:
diff --git a/docs/libcurl/opts/CURLOPT_SSL_CTX_FUNCTION.3 b/docs/libcurl/opts/CURLOPT_SSL_CTX_FUNCTION.3
index 5a1353395f..75bfd95e29 100644
--- a/docs/libcurl/opts/CURLOPT_SSL_CTX_FUNCTION.3
+++ b/docs/libcurl/opts/CURLOPT_SSL_CTX_FUNCTION.3
@@ -32,8 +32,9 @@ CURLcode ssl_ctx_callback(CURL *curl, void *ssl_ctx, void *userptr);
 CURLcode curl_easy_setopt(CURL *handle, CURLOPT_SSL_CTX_FUNCTION, ssl_ctx_callback);
 .SH DESCRIPTION
-This option only works for libcurl powered by OpenSSL, wolfSSL or mbedTLS. If
-libcurl was built against another SSL library this functionality is absent.
+This option only works for libcurl powered by OpenSSL, wolfSSL, mbedTLS or
+BearSSL. If libcurl was built against another SSL library this functionality
+is absent.
 Pass a pointer to your callback function, which should match the prototype shown above.
@@ -42,8 +43,9 @@ This callback function gets called by libcurl just before the initialization of an SSL connection after having processed all other SSL related options to give a last chance to an application to modify the behavior of the SSL initialization. The \fIssl_ctx\fP parameter is actually a pointer to the SSL
-library's \fISSL_CTX\fP for OpenSSL or wolfSSL, and a pointer to
-\fImbedtls_ssl_config\fP for mbedTLS. If an error is returned from the
+library's \fISSL_CTX\fP for OpenSSL or wolfSSL, a pointer to
+\fImbedtls_ssl_config\fP for mbedTLS or a pointer to
+\fIbr_ssl_client_context\fP for BearSSL. If an error is returned from the
 callback no attempt to establish a connection is made and the perform operation will return the callback's error code. Set the \fIuserptr\fP argument with the \fICURLOPT_SSL_CTX_DATA(3)\fP option.
@@ -152,8 +154,8 @@ int main(void)
 }
 .fi
 .SH AVAILABILITY
-Added in 7.11.0 for OpenSSL, in 7.42.0 for wolfSSL and in 7.54.0 for
-mbedTLS. Other SSL backends are not supported.
+Added in 7.11.0 for OpenSSL, in 7.42.0 for wolfSSL, in 7.54.0 for mbedTLS,
+in 7.83.0 in BearSSL. Other SSL backends are not supported.
 .SH RETURN VALUE
 CURLE_OK if supported; or an error such as:
diff --git a/lib/vtls/bearssl.c b/lib/vtls/bearssl.c
index c06f85bdf1..fa1ba34dd5 100644
--- a/lib/vtls/bearssl.c
+++ b/lib/vtls/bearssl.c
@@ -730,6 +730,18 @@ static CURLcode bearssl_connect_step1(struct Curl_easy *data,
     hostname = snihost;
   }
+  /* give application a chance to interfere with SSL set up. */
+  if(data->set.ssl.fsslctx) {
+    Curl_set_in_callback(data, true);
+    ret = (*data->set.ssl.fsslctx)(data, &backend->ctx,
+                                   data->set.ssl.fsslctxp);
+    Curl_set_in_callback(data, false);
+    if(ret) {
+      failf(data, "BearSSL: error signaled by ssl ctx callback");
+      return ret;
+    }
+  }
+
   if(!br_ssl_client_reset(&backend->ctx, hostname, 1))
     return CURLE_FAILED_INIT;
   backend->active = TRUE;
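Review bot: The added block hands the application `&backend->ctx` after curl has finished its own configuration of the `br_ssl_client_context` and just before `br_ssl_client_reset()` runs, so whatever the callback changes on that context (presumably the X.509 validation engine, trust anchors or cipher-suite list) supersedes what curl derived from CURLOPT_CAINFO / CURLOPT_SSL_VERIFYPEER, and nothing after the `if(ret)` check re-validates it. That matches the contract the OpenSSL and mbedTLS backends offer, but neither the new man-page text (which only names the pointer type) nor the code says so; I would add a sentence to CURLOPT_SSL_CTX_FUNCTION.3 and put a comment on the new block such as `/* the callback sees the fully configured client context; anything it changes (x509 engine, anchors, suites) overrides curl's own verify settings and is not re-checked */`. It is also worth confirming that `br_ssl_client_reset()`, called right after, leaves engine-level configuration made by the callback intact; if it clears part of it, the documented hand-over point is misleading. bearssl_connect_step1 starts and ends outside the hunk.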
@@ -1170,7 +1182,7 @@ static CURLcode bearssl_sha256sum(const unsigned char *input,
 const struct Curl_ssl Curl_ssl_bearssl = {
   { CURLSSLBACKEND_BEARSSL, "bearssl" }, /* info */
-  SSLSUPP_CAINFO_BLOB,
+  SSLSUPP_CAINFO_BLOB | SSLSUPP_SSL_CTX,
   sizeof(struct ssl_backend_data),
   Curl_none_init, /* init */