mirror of
https://github.com/curl/curl.git
synced 2026-04-15 01:01:41 +03:00
df70a68984
Build these examples when the necessary dependencies are present:
- cacertinmem, usercertinmem (OpenSSL/fork)
- multi-uv (libuv)
- multithread, threaded-ssl (pthread)
- sessioninfo (GnuTLS)
Indicate the necessary dependency via a `Required:` comment placed in
the source file. A single dependency per source is supported as of now.
The name of the dependency should match the variable used within
the cmake scripts, which in turn matches the macro used in the config
header. E.g. for GnuTLS it's `USE_GNUTLS`.
Also:
- GHA/macos: build examples in two job to test GnuTLS and pthread ones.
- GHA/linux: enable libuv to test it with examples.
Follow-up to 6bb7714032 #18914
Closes #18909
178 lines
6.1 KiB
C
178 lines
6.1 KiB
C
/***************************************************************************
|
|
* _ _ ____ _
|
|
* Project ___| | | | _ \| |
|
|
* / __| | | | |_) | |
|
|
* | (__| |_| | _ <| |___
|
|
* \___|\___/|_| \_\_____|
|
|
*
|
|
* Copyright (C) Daniel Stenberg, <daniel@haxx.se>, et al.
|
|
*
|
|
* This software is licensed as described in the file COPYING, which
|
|
* you should have received as part of this distribution. The terms
|
|
* are also available at https://curl.se/docs/copyright.html.
|
|
*
|
|
* You may opt to use, copy, modify, merge, publish, distribute and/or sell
|
|
* copies of the Software, and permit persons to whom the Software is
|
|
* furnished to do so, under the terms of the COPYING file.
|
|
*
|
|
* This software is distributed on an "AS IS" basis, WITHOUT WARRANTY OF ANY
|
|
* KIND, either express or implied.
|
|
*
|
|
* SPDX-License-Identifier: curl
|
|
*
|
|
***************************************************************************/
|
|
/* <DESC>
|
|
* CA cert in memory with OpenSSL to get an HTTPS page.
|
|
* </DESC>
|
|
*/
|
|
|
|
/* Requires: USE_OPENSSL */
|
|
|
|
#include <openssl/err.h>
|
|
#include <openssl/ssl.h>
|
|
#include <curl/curl.h>
|
|
#include <stdio.h>
|
|
|
|
#if defined(__GNUC__) || defined(__clang__)
|
|
#pragma GCC diagnostic ignored "-Woverlength-strings"
|
|
#endif
|
|
/* Silence warning when calling sk_X509_INFO_pop_free() */
|
|
#if defined(__clang__) && __clang_major__ >= 16
|
|
#pragma clang diagnostic push
|
|
#pragma clang diagnostic ignored "-Wcast-function-type-strict"
|
|
#endif
|
|
|
|
#if defined(OPENSSL_IS_BORINGSSL) || defined(OPENSSL_IS_AWSLC)
|
|
typedef size_t ossl_valsize_t;
|
|
#else
|
|
typedef int ossl_valsize_t;
|
|
#endif
|
|
|
|
static size_t writefunction(void *ptr, size_t size, size_t nmemb, void *stream)
|
|
{
|
|
fwrite(ptr, size, nmemb, (FILE *)stream);
|
|
return nmemb * size;
|
|
}
|
|
|
|
static CURLcode sslctx_function(CURL *curl, void *sslctx, void *pointer)
|
|
{
|
|
CURLcode rv = CURLE_ABORTED_BY_CALLBACK;
|
|
|
|
/** This example uses two (fake) certificates **/
|
|
/* replace the XXX with the actual CA certificates */
|
|
static const char mypem[] =
|
|
"-----BEGIN CERTIFICATE-----\n"
|
|
"XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX\n"
|
|
"XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX\n"
|
|
"XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX\n"
|
|
"XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX\n"
|
|
"XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX\n"
|
|
"XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX\n"
|
|
"XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX\n"
|
|
"-----END CERTIFICATE-----\n"
|
|
"-----BEGIN CERTIFICATE-----\n"
|
|
"XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX\n"
|
|
"XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX\n"
|
|
"XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX\n"
|
|
"XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX\n"
|
|
"XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX\n"
|
|
"XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX\n"
|
|
"XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX\n"
|
|
"-----END CERTIFICATE-----\n";
|
|
|
|
BIO *cbio = BIO_new_mem_buf(mypem, sizeof(mypem));
|
|
X509_STORE *cts = SSL_CTX_get_cert_store((SSL_CTX *)sslctx);
|
|
ossl_valsize_t i;
|
|
STACK_OF(X509_INFO) *inf;
|
|
|
|
(void)curl;
|
|
(void)pointer;
|
|
|
|
if(!cts || !cbio) {
|
|
return rv;
|
|
}
|
|
|
|
inf = PEM_X509_INFO_read_bio(cbio, NULL, NULL, NULL);
|
|
|
|
if(!inf) {
|
|
BIO_free(cbio);
|
|
return rv;
|
|
}
|
|
|
|
for(i = 0; i < sk_X509_INFO_num(inf); i++) {
|
|
X509_INFO *itmp = sk_X509_INFO_value(inf, i);
|
|
if(itmp->x509) {
|
|
X509_STORE_add_cert(cts, itmp->x509);
|
|
}
|
|
if(itmp->crl) {
|
|
X509_STORE_add_crl(cts, itmp->crl);
|
|
}
|
|
}
|
|
|
|
sk_X509_INFO_pop_free(inf, X509_INFO_free);
|
|
BIO_free(cbio);
|
|
|
|
rv = CURLE_OK;
|
|
return rv;
|
|
}
|
|
|
|
int main(void)
|
|
{
|
|
CURL *ch;
|
|
CURLcode rv;
|
|
|
|
curl_global_init(CURL_GLOBAL_ALL);
|
|
ch = curl_easy_init();
|
|
curl_easy_setopt(ch, CURLOPT_VERBOSE, 0L);
|
|
curl_easy_setopt(ch, CURLOPT_HEADER, 0L);
|
|
curl_easy_setopt(ch, CURLOPT_NOPROGRESS, 1L);
|
|
curl_easy_setopt(ch, CURLOPT_NOSIGNAL, 1L);
|
|
curl_easy_setopt(ch, CURLOPT_WRITEFUNCTION, writefunction);
|
|
curl_easy_setopt(ch, CURLOPT_WRITEDATA, stdout);
|
|
curl_easy_setopt(ch, CURLOPT_HEADERFUNCTION, writefunction);
|
|
curl_easy_setopt(ch, CURLOPT_HEADERDATA, stderr);
|
|
curl_easy_setopt(ch, CURLOPT_SSLCERTTYPE, "PEM");
|
|
curl_easy_setopt(ch, CURLOPT_SSL_VERIFYPEER, 1L);
|
|
curl_easy_setopt(ch, CURLOPT_URL, "https://www.example.com/");
|
|
|
|
/* Turn off the default CA locations, otherwise libcurl loads CA
|
|
* certificates from the locations that were detected/specified at
|
|
* build-time
|
|
*/
|
|
curl_easy_setopt(ch, CURLOPT_CAINFO, NULL);
|
|
curl_easy_setopt(ch, CURLOPT_CAPATH, NULL);
|
|
|
|
/* first try: retrieve page without ca certificates -> should fail
|
|
* unless libcurl was built --with-ca-fallback enabled at build-time
|
|
*/
|
|
rv = curl_easy_perform(ch);
|
|
if(rv == CURLE_OK)
|
|
printf("*** transfer succeeded ***\n");
|
|
else
|
|
printf("*** transfer failed ***\n");
|
|
|
|
/* use a fresh connection (optional) this option seriously impacts
|
|
* performance of multiple transfers but it is necessary order to
|
|
* demonstrate this example. recall that the ssl ctx callback is only called
|
|
* _before_ an SSL connection is established, therefore it does not affect
|
|
* existing verified SSL connections already in the connection cache
|
|
* associated with this handle. normally you would set the ssl ctx function
|
|
* before making any transfers, and not use this option.
|
|
*/
|
|
curl_easy_setopt(ch, CURLOPT_FRESH_CONNECT, 1L);
|
|
|
|
/* second try: retrieve page using cacerts' certificate -> succeeds to load
|
|
* the certificate by installing a function doing the necessary
|
|
* "modifications" to the SSL CONTEXT just before link init
|
|
*/
|
|
curl_easy_setopt(ch, CURLOPT_SSL_CTX_FUNCTION, sslctx_function);
|
|
rv = curl_easy_perform(ch);
|
|
if(rv == CURLE_OK)
|
|
printf("*** transfer succeeded ***\n");
|
|
else
|
|
printf("*** transfer failed ***\n");
|
|
|
|
curl_easy_cleanup(ch);
|
|
curl_global_cleanup();
|
|
return (int)rv;
|
|
}
|