impl: add experimental support for providing an SSL_CTX_FUNCTION (#15088)

Author: scotthart

google/cloud/internal/curl_handle_factory.cc

@@ -17,8 +17,10 @@
 #include "google/cloud/internal/curl_options.h"
 #include "google/cloud/internal/make_status.h"
 #include "google/cloud/log.h"
+#ifndef _WIN32
 #include <openssl/err.h>
 #include <openssl/ssl.h>
+#endif
 #include <algorithm>
 #include <iterator>
 
@@ -42,7 +44,8 @@ struct X509InfoPtrCleanup {
 };
 
 using X509InfoPtr = std::unique_ptr<STACK_OF(X509_INFO), X509InfoPtrCleanup>;
-
+#else
+using SSL_CTX = void;
 #endif
 
 Status SetCurlCAInMemory(CurlHandleFactory const& factory, SSL_CTX* ssl_ctx) {
@@ -91,7 +94,7 @@ Status SetCurlCAInMemory(CurlHandleFactory const& factory, SSL_CTX* ssl_ctx) {
 
 extern "C" {
 
-static CURLcode SslCtxFunction(  // NOLINT(misc-use-anonymous-namespace)
+static CURLcode SslCtxCAInMemory(  // NOLINT(misc-use-anonymous-namespace)
     CURL*, void* ssl_ctx, void* userdata) {
   auto* handle_factory = reinterpret_cast<CurlHandleFactory*>(userdata);
   auto result = SetCurlCAInMemory(*handle_factory, (SSL_CTX*)ssl_ctx);
@@ -101,6 +104,13 @@ static CURLcode SslCtxFunction(  // NOLINT(misc-use-anonymous-namespace)
   }
   return CURLE_OK;
 }
+
+static CURLcode SslCtxSanitized(  // NOLINT(misc-use-anonymous-namespace)
+    CURL*, void* ssl_ctx, void* userdata) {
+  auto* handle_factory = reinterpret_cast<CurlHandleFactory*>(userdata);
+  return (CURLcode)handle_factory->ssl_ctx_callback()(nullptr, ssl_ctx,
+                                                      nullptr);
+}
 }
 
 void CurlHandleFactory::SetCurlStringOption(CURL* handle, CURLoption option_tag,
@@ -125,18 +135,24 @@ std::shared_ptr<CurlHandleFactory> GetDefaultCurlHandleFactory(
 }
 
 DefaultCurlHandleFactory::DefaultCurlHandleFactory(Options const& o) {
+  if (o.has<experimental::SslCtxCallbackOption>()) {
+    ssl_ctx_callback_ = o.get<experimental::SslCtxCallbackOption>();
+    return;
+  }
+
   if (o.has<experimental::CAInMemoryOption>()) {
     ca_certs_ = o.get<experimental::CAInMemoryOption>();
     if (ca_certs_.empty()) {
       GCP_LOG(FATAL) << internal::InvalidArgumentError(
           "No CA certificates specified", GCP_ERROR_INFO());
     }
-  } else {
-    if (o.has<CARootsFilePathOption>()) {
-      cainfo_ = o.get<CARootsFilePathOption>();
-    }
-    if (o.has<CAPathOption>()) capath_ = o.get<CAPathOption>();
+    return;
   }
+
+  if (o.has<CARootsFilePathOption>()) {
+    cainfo_ = o.get<CARootsFilePathOption>();
+  }
+  if (o.has<CAPathOption>()) capath_ = o.get<CAPathOption>();
 }
 
 CurlPtr DefaultCurlHandleFactory::CreateHandle() {
@@ -166,7 +182,7 @@ void DefaultCurlHandleFactory::CleanupMultiHandle(CurlMulti m,
 }
 
 void DefaultCurlHandleFactory::SetCurlOptions(CURL* handle) {
-  if (!ca_certs_.empty()) {
+  if (ssl_ctx_callback_) {
     SetCurlStringOption(handle, CURLOPT_CAINFO, nullptr);
     SetCurlStringOption(handle, CURLOPT_CAPATH, nullptr);
     auto result = curl_easy_setopt(handle, CURLOPT_SSL_CTX_DATA, this);
@@ -175,27 +191,61 @@ void DefaultCurlHandleFactory::SetCurlOptions(CURL* handle) {
                                                 GCP_ERROR_INFO());
     }
     result =
-        curl_easy_setopt(handle, CURLOPT_SSL_CTX_FUNCTION, &SslCtxFunction);
+        curl_easy_setopt(handle, CURLOPT_SSL_CTX_FUNCTION, &SslCtxSanitized);
     if (result != CURLE_OK) {
       GCP_LOG(FATAL) << internal::InternalError(curl_easy_strerror(result),
                                                 GCP_ERROR_INFO());
     }
-  } else {
-    if (cainfo_) {
-      SetCurlStringOption(handle, CURLOPT_CAINFO, cainfo_->c_str());
+    return;
+  }
+
+  if (!ca_certs_.empty()) {
+    SetCurlStringOption(handle, CURLOPT_CAINFO, nullptr);
+    SetCurlStringOption(handle, CURLOPT_CAPATH, nullptr);
+    auto result = curl_easy_setopt(handle, CURLOPT_SSL_CTX_DATA, this);
+    if (result != CURLE_OK) {
+      GCP_LOG(FATAL) << internal::InternalError(curl_easy_strerror(result),
+                                                GCP_ERROR_INFO());
     }
-    if (capath_) {
-      SetCurlStringOption(handle, CURLOPT_CAPATH, capath_->c_str());
+    result =
+        curl_easy_setopt(handle, CURLOPT_SSL_CTX_FUNCTION, &SslCtxCAInMemory);
+    if (result != CURLE_OK) {
+      GCP_LOG(FATAL) << internal::InternalError(curl_easy_strerror(result),
+                                                GCP_ERROR_INFO());
     }
+    return;
+  }
+
+  if (cainfo_) {
+    SetCurlStringOption(handle, CURLOPT_CAINFO, cainfo_->c_str());
+  }
+  if (capath_) {
+    SetCurlStringOption(handle, CURLOPT_CAPATH, capath_->c_str());
   }
 }
 
 PooledCurlHandleFactory::PooledCurlHandleFactory(std::size_t maximum_size,
                                                  Options const& o)
-    : maximum_size_(maximum_size),
-      cainfo_(CAInfo(o)),
-      capath_(CAPath(o)),
-      ca_certs_(CACerts(o)) {}
+    : maximum_size_(maximum_size) {
+  if (o.has<experimental::SslCtxCallbackOption>()) {
+    ssl_ctx_callback_ = o.get<experimental::SslCtxCallbackOption>();
+    return;
+  }
+
+  if (o.has<experimental::CAInMemoryOption>()) {
+    ca_certs_ = o.get<experimental::CAInMemoryOption>();
+    if (ca_certs_.empty()) {
+      GCP_LOG(FATAL) << internal::InvalidArgumentError(
+          "No CA certificates specified", GCP_ERROR_INFO());
+    }
+    return;
+  }
+
+  if (o.has<CARootsFilePathOption>()) {
+    cainfo_ = o.get<CARootsFilePathOption>();
+  }
+  if (o.has<CAPathOption>()) capath_ = o.get<CAPathOption>();
+}
 
 PooledCurlHandleFactory::~PooledCurlHandleFactory() = default;
 
@@ -303,7 +353,7 @@ void PooledCurlHandleFactory::CleanupMultiHandle(CurlMulti m,
 }
 
 void PooledCurlHandleFactory::SetCurlOptions(CURL* handle) {
-  if (!ca_certs_.empty()) {
+  if (ssl_ctx_callback_) {
     SetCurlStringOption(handle, CURLOPT_CAINFO, nullptr);
     SetCurlStringOption(handle, CURLOPT_CAPATH, nullptr);
     auto result = curl_easy_setopt(handle, CURLOPT_SSL_CTX_DATA, this);
@@ -312,39 +362,37 @@ void PooledCurlHandleFactory::SetCurlOptions(CURL* handle) {
                                                 GCP_ERROR_INFO());
     }
     result =
-        curl_easy_setopt(handle, CURLOPT_SSL_CTX_FUNCTION, &SslCtxFunction);
+        curl_easy_setopt(handle, CURLOPT_SSL_CTX_FUNCTION, &SslCtxSanitized);
     if (result != CURLE_OK) {
       GCP_LOG(FATAL) << internal::InternalError(curl_easy_strerror(result),
                                                 GCP_ERROR_INFO());
     }
-  } else {
-    if (cainfo_) {
-      SetCurlStringOption(handle, CURLOPT_CAINFO, cainfo_->c_str());
+    return;
+  }
+
+  if (!ca_certs_.empty()) {
+    SetCurlStringOption(handle, CURLOPT_CAINFO, nullptr);
+    SetCurlStringOption(handle, CURLOPT_CAPATH, nullptr);
+    auto result = curl_easy_setopt(handle, CURLOPT_SSL_CTX_DATA, this);
+    if (result != CURLE_OK) {
+      GCP_LOG(FATAL) << internal::InternalError(curl_easy_strerror(result),
+                                                GCP_ERROR_INFO());
     }
-    if (capath_) {
-      SetCurlStringOption(handle, CURLOPT_CAPATH, capath_->c_str());
+    result =
+        curl_easy_setopt(handle, CURLOPT_SSL_CTX_FUNCTION, &SslCtxCAInMemory);
+    if (result != CURLE_OK) {
+      GCP_LOG(FATAL) << internal::InternalError(curl_easy_strerror(result),
+                                                GCP_ERROR_INFO());
     }
+    return;
   }
-}
-
-absl::optional<std::string> PooledCurlHandleFactory::CAInfo(Options const& o) {
-  if (!o.has<CARootsFilePathOption>()) return absl::nullopt;
-  return o.get<CARootsFilePathOption>();
-}
-
-absl::optional<std::string> PooledCurlHandleFactory::CAPath(Options const& o) {
-  if (!o.has<CAPathOption>()) return absl::nullopt;
-  return o.get<CAPathOption>();
-}
 
-std::vector<absl::string_view> PooledCurlHandleFactory::CACerts(
-    Options const& o) {
-  if (!o.has<experimental::CAInMemoryOption>()) return {};
-  if (o.get<experimental::CAInMemoryOption>().empty()) {
-    GCP_LOG(FATAL) << internal::InvalidArgumentError(
-        "No CA certificates specified", GCP_ERROR_INFO());
+  if (cainfo_) {
+    SetCurlStringOption(handle, CURLOPT_CAINFO, cainfo_->c_str());
+  }
+  if (capath_) {
+    SetCurlStringOption(handle, CURLOPT_CAPATH, capath_->c_str());
   }
-  return o.get<experimental::CAInMemoryOption>();
 }
 
 GOOGLE_CLOUD_CPP_INLINE_NAMESPACE_END

google/cloud/internal/curl_handle_factory.h

@@ -17,6 +17,7 @@
 
 #include "google/cloud/internal/curl_wrappers.h"
 #include "google/cloud/options.h"
+#include "google/cloud/rest_options.h"
 #include "google/cloud/version.h"
 #include "absl/strings/string_view.h"
 #include "absl/types/optional.h"
@@ -57,6 +58,7 @@ class CurlHandleFactory {
   virtual absl::optional<std::string> cainfo() const = 0;
   virtual absl::optional<std::string> capath() const = 0;
   virtual std::vector<absl::string_view> const& ca_certs() const = 0;
+  virtual experimental::SslCtxCallback ssl_ctx_callback() const = 0;
 
  protected:
   // Only virtual for testing purposes.
@@ -96,6 +98,9 @@ class DefaultCurlHandleFactory : public CurlHandleFactory {
   std::vector<absl::string_view> const& ca_certs() const override {
     return ca_certs_;
   }
+  experimental::SslCtxCallback ssl_ctx_callback() const override {
+    return ssl_ctx_callback_;
+  }
 
  private:
   void SetCurlOptions(CURL* handle);
@@ -105,6 +110,7 @@ class DefaultCurlHandleFactory : public CurlHandleFactory {
   absl::optional<std::string> cainfo_;
   absl::optional<std::string> capath_;
   std::vector<absl::string_view> ca_certs_;
+  experimental::SslCtxCallback ssl_ctx_callback_;
 };
 
 /**
@@ -147,18 +153,19 @@ class PooledCurlHandleFactory : public CurlHandleFactory {
   std::vector<absl::string_view> const& ca_certs() const override {
     return ca_certs_;
   }
+  experimental::SslCtxCallback ssl_ctx_callback() const override {
+    return ssl_ctx_callback_;
+  }
 
  private:
   void SetCurlOptions(CURL* handle);
-  static absl::optional<std::string> CAInfo(Options const& o);
-  static absl::optional<std::string> CAPath(Options const& o);
-  static std::vector<absl::string_view> CACerts(Options const& o);
-
   // These are constant after initialization and thus need no locking.
   std::size_t const maximum_size_;
-  absl::optional<std::string> const cainfo_;
-  absl::optional<std::string> const capath_;
+
+  absl::optional<std::string> cainfo_;
+  absl::optional<std::string> capath_;
   std::vector<absl::string_view> ca_certs_;
+  experimental::SslCtxCallback ssl_ctx_callback_;
 
   mutable std::mutex handles_mu_;
   std::deque<CurlPtr> handles_;

google/cloud/rest_options.h

@@ -25,6 +25,48 @@
 namespace google {
 namespace cloud {
 GOOGLE_CLOUD_CPP_INLINE_NAMESPACE_BEGIN
+namespace experimental {
+
+/**
+ * Function signature for the libcurl SSL context callback.
+ *
+ * This signature matches the prototype declared by libcurl, but its invocation
+ * is wrapped by the Cloud C++ SDK. This is a precaution to prevent the CURL
+ * handle from being altered in ways that would cause the SDK to malfunction.
+ *
+ * The callback should return CURLE_OK on success and CURLE_ABORTED_BY_CALLBACK
+ * on error.
+ *
+ * @note While the callback defines three pointer parameters, only the ssl_ctx
+ * pointer will have a non-NULL value when the callback is called.
+ */
+using SslCtxCallback = std::function<int(void*, void* ssl_ctx, void*)>;
+
+/**
+ * This option allows the user to specify a function that is registered with
+ * libcurl as the CURLOPT_SSL_CTX_FUNCTION.
+ *
+ * @note This is an advanced option and should only be used when other options
+ * such as:
+ *   - CAInMemoryOption
+ *   - CAPathOption
+ *   - CARootsFilePathOption
+ *   - ClientSslCertificateOption
+ * are insufficient.
+ *
+ * @note Setting this option causes the following Options to be ignored:
+ *   - CAInMemoryOption
+ *   - CAPathOption
+ *   - CARootsFilePathOption
+ *
+ * @note This Option is not currently supported on Windows.
+ * @note This Option requires libcurl 7.10.6 or higher.
+ */
+struct SslCtxCallbackOption {
+  using Type = SslCtxCallback;
+};
+
+}  // namespace experimental
 
 /**
  * Timeout for the server to finish processing the request. This system param
@@ -62,7 +104,8 @@ struct Interface {
 /// The complete list of options accepted by `CurlRestClient`
 using RestOptionList =
     ::google::cloud::OptionList<QuotaUserOption, RestTracingOptionsOption,
-                                ServerTimeoutOption, UserIpOption, Interface>;
+                                ServerTimeoutOption, UserIpOption, Interface,
+                                experimental::SslCtxCallbackOption>;
 
 GOOGLE_CLOUD_CPP_INLINE_NAMESPACE_END
 }  // namespace cloud