Bugs item #3456322, was opened at 2011-12-10 06:41
Message generated for change (Settings changed) made by bagder
You can respond by visiting:
https://sourceforge.net/tracker/?func=detail&atid=100976&aid=3456322&group_id=976
Please note that this message will contain a full copy of the comment thread,
including the initial issue submission, for this request,
not just the latest update.
Category: libcurl
Group: portability problem
>Status: Pending
>Resolution: Invalid
Priority: 4
Private: No
Submitted By: Boris (borisgz910)
Assigned to: Daniel Stenberg (bagder)
Summary: Compile error CyaSSL when NO_FILESYSTEM is defined
Initial Comment:
Hello!
LibCurl version used: 7.23.1
CyaSSL version used: 2.0.2
When defining the NO_FILESYSTEM for CyaSSL Library (and also for LibCurl to use the right functions from CyaSSL) , the libcurl does not compile and of course doesn't link:
libcurl file cyassl.c:
Line 181:
if(CyaSSL_no_filesystem_verify(conssl->ctx)!= SSL_SUCCESS) {
return CURLE_SSL_CONNECT_ERROR;
}
error when compiling:
curl\cyassl.c(181): warning C4013: 'CyaSSL_no_filesystem_verify' undefined; assuming extern returning int
error when linking:
LibCurl.lib(cyassl.obj) : error LNK2019: unresolved external symbol _CyaSSL_no_filesystem_verify referenced in function _cyassl_connect_step1
How can it be fixed?
Regards,
Boris.
----------------------------------------------------------------------
Comment By: Dan Fandrich (dfandrich)
Date: 2011-12-17 22:30
Message:
This patch just adds to libcurl the code that was previously in CyaSSL. Why
would someone compile CyaSSL with NO_FILESYSTEM and then expect to have
their certificates checked that are stored in a filesystem? I'd be happy
just documenting that libcurl requires a CyaSSL compiled without
NO_FILESYSTEM since that removes functions required by it.
----------------------------------------------------------------------
Comment By: Boris (borisgz910)
Date: 2011-12-17 07:55
Message:
Hello.
I have written a code to make libcurl compile when NO_FILESYSTEM is
defined.
Looks like it works fine, but I will be happy if you make sure.
Here is the diff from version 7.23.1 for cyassl.c in unified format
[code]
--- curl-7.23.1\lib\cyassl.c Sat Nov 05 00:32:56 2011
+++ curl\cyassl.c Sat Dec 17 17:41:44 2011
@@ -68,6 +68,48 @@
if(Curl_raw_equal(type, "DER"))
return SSL_FILETYPE_ASN1;
return -1;
+}
+
+static int read_to_buffer(char *fname, void **buffer, long *buffer_size)
+{
+ void *cert_buffer = NULL;
+ long cert_size = 0;
+ FILE *file = NULL;
+
+ /* check arguments */
+ if ( (NULL == fname)
+ || (NULL == buffer)
+ || (NULL == buffer_size))
+ {
+ return SSL_FAILURE;
+ }
+
+ file = fopen(fname, "rb");
+
+ if (NULL == file)
+ {
+ return SSL_FAILURE;
+ }
+
+ /* get file size */
+ fseek(file, 0, SEEK_END);
+ cert_size = ftell(file);
+ cert_buffer = calloc(cert_size, 1);
+ if (NULL == cert_buffer)
+ {
+ fclose(file);
+ return SSL_FAILURE;
+ }
+
+ /* read to buffer */
+ rewind(file);
+ fread(cert_buffer, cert_size, 1, file);
+ fclose(file);
+
+ *buffer = cert_buffer;
+ *buffer_size = cert_size;
+
+ return SSL_SUCCESS;
}
/*
@@ -178,9 +220,91 @@
}
}
#else
- if(CyaSSL_no_filesystem_verify(conssl->ctx)!= SSL_SUCCESS) {
- return CURLE_SSL_CONNECT_ERROR;
- }
+ /* load trusted cacert */
+ if(data->set.str[STRING_SSL_CAFILE])
+ {
+ void *ca_buffer = NULL;
+ long ca_size = 0;
+ int read_result = SSL_FAILURE;
+ int load_result = SSL_FAILURE;
+
+ read_result =
read_to_buffer(data->set.str[STRING_SSL_CAFILE], &ca_buffer, &ca_size);
+ if (SSL_SUCCESS == read_result)
+ load_result =
CyaSSL_CTX_load_verify_buffer(conssl->ctx, ca_buffer, ca_size,
SSL_FILETYPE_PEM);
+
+ free(ca_buffer);
+
+ if (SSL_SUCCESS != load_result)
+ {
+ if(data->set.ssl.verifypeer) {
+ /* Fail if we insiste on successfully
verifying the server. */
+ failf(data,"error setting certificate
verify locations:\n"
+ " CAfile: %s\n CApath: %s\n",
+
data->set.str[STRING_SSL_CAFILE]?
+ data->set.str[STRING_SSL_CAFILE]:
"none",
+
data->set.str[STRING_SSL_CAPATH]?
+ data->set.str[STRING_SSL_CAPATH]
: "none");
+ return CURLE_SSL_CACERT_BADFILE;
+ }
+ else {
+ /* Just continue with a warning if no
strict certificate
+ verification is required. */
+ infof(data, "error setting certificate
verify locations,"
+ " continuing anyway:\n");
+ }
+ }
+ else {
+ /* Everything is fine. */
+ infof(data, "successfully set certificate verify
locations:\n");
+ }
+ infof(data,
+ " CAfile: %s\n"
+ " CApath: %s\n",
+ data->set.str[STRING_SSL_CAFILE] ?
data->set.str[STRING_SSL_CAFILE]:
+ "none",
+ data->set.str[STRING_SSL_CAPATH] ?
data->set.str[STRING_SSL_CAPATH]:
+ "none");
+ }
+ /* Load the client certificate, and private key */
+ if(data->set.str[STRING_CERT] && data->set.str[STRING_KEY])
+ {
+ void *cert_buffer = NULL;
+ long cert_size = 0;
+ int read_result = SSL_FAILURE;
+ int load_result = SSL_FAILURE;
+ int file_type =
do_file_type(data->set.str[STRING_CERT_TYPE]);
+
+ read_result = read_to_buffer(data->set.str[STRING_CERT],
&cert_buffer, &cert_size);
+ if (SSL_SUCCESS == read_result)
+ load_result =
CyaSSL_CTX_use_certificate_buffer(conssl->ctx, cert_buffer, cert_size,
file_type);
+
+ free(cert_buffer);
+ cert_buffer = NULL;
+ cert_size = 0;
+
+ if (SSL_SUCCESS != load_result)
+ {
+ failf(data, "unable to use client certificate (no
key or wrong pass"
+ " phrase?)");
+ return CURLE_SSL_CONNECT_ERROR;
+ }
+
+ read_result = SSL_FAILURE;
+ load_result = SSL_FAILURE;
+ file_type = do_file_type(data->set.str[STRING_KEY_TYPE]);
+
+ read_result = read_to_buffer(data->set.str[STRING_KEY],
&cert_buffer, &cert_size);
+ if (SSL_SUCCESS == read_result)
+ load_result =
CyaSSL_CTX_use_PrivateKey_buffer(conssl->ctx, cert_buffer, cert_size,
file_type);
+
+ free(cert_buffer);
+
+ if (SSL_SUCCESS != load_result)
+ {
+ failf(data, "unable to set private key");
+ return CURLE_SSL_CONNECT_ERROR;
+ }
+ }
#endif /* NO_FILESYSTEM */
/* SSL always tries to verify the peer, this only says whether it
should
[/code]
Boris.
----------------------------------------------------------------------
Comment By: Daniel Stenberg (bagder)
Date: 2011-12-17 06:16
Message:
As you seem to already know what to do, can you please provide us with a
patch that makes libcurl build when NO_FILESYSTEM is enabled?
----------------------------------------------------------------------
Comment By: Boris (borisgz910)
Date: 2011-12-16 09:11
Message:
The source code adaption layer for cyassl does figure out that
NO_FILESYSTEM is enabled, that is why it does try to call
CyaSSL_no_filesystem_verify.
It looks like CyaSSL_no_filesystem_verify is not defined anywhere. Not in
the cyassl library sources and not in the libcurl sources.
From what I understand reading the sources of CyaSSL library, there is an
option to use buffer certificates like this:
buff is a pointer to certificate in memory
sz is the size of the buffer in buff
Loading CA:
if (type == CYASSL_CA) {
if (CyaSSL_CTX_load_verify_buffer(ctx, buff, sz, SSL_FILETYPE_PEM)
!= SSL_SUCCESS)
err_sys("can't load buffer ca file");
}
Using certificate from buffer:
if (type == CYASSL_CERT) {
if (CyaSSL_CTX_use_certificate_buffer(ctx, buff, sz,
SSL_FILETYPE_PEM) != SSL_SUCCESS)
err_sys("can't load buffer cert file");
}
Using key from buffer:
if (type == CYASSL_KEY) {
if (CyaSSL_CTX_use_PrivateKey_buffer(ctx, buff, sz,
SSL_FILETYPE_PEM) != SSL_SUCCESS)
err_sys("can't load buffer key file");
}
Using these it looks to be almost as easy and identical to implement and
use as with the already code already implemented in the cyassl adaptation
layer in libcurl. (lib\cyassl.c lines 126-184)
----------------------------------------------------------------------
Comment By: Daniel Stenberg (bagder)
Date: 2011-12-11 05:16
Message:
I imagine the libcurl source code adaption layer for cyassl needs to figure
out if NO_FILESYSTEM is enabled, and then act accordingly.
I don't know cyassl enough to tell you exactly how, but I figure you should
be able to read up their docs or source code to learn what libcurl should
do.
----------------------------------------------------------------------
You can respond by visiting:
https://sourceforge.net/tracker/?func=detail&atid=100976&aid=3456322&group_id=976
Received on 2012-01-18
Mailing List 
Page updated January 05, 2012.