Adding the possibility to use windows openssl backend instead of schannel (#466)

ETKNeil · web-flow · commit b62fa94e0cb1 · 2022-09-30T09:24:55.000-05:00
* Add the possibility to use windows openssl backend instead of schannel

* Make the windows static ssl build first evaluated
diff --git a/Cargo.toml b/Cargo.toml
@@ -47,6 +47,7 @@ spnego = ["curl-sys/spnego"]
 rustls = ["curl-sys/rustls"]
 static-curl = ["curl-sys/static-curl"]
 static-ssl = ["curl-sys/static-ssl"]
+windows-static-ssl = ["static-curl", "curl-sys/windows-static-ssl"]
 force-system-lib-on-osx = ['curl-sys/force-system-lib-on-osx']
 protocol-ftp = ["curl-sys/protocol-ftp"]
 zlib-ng-compat = ["curl-sys/zlib-ng-compat", "static-curl"]
@@ -72,6 +73,11 @@ name = "ssl_cert_blob"
 path = "examples/ssl_cert_blob.rs"
 required-features = ["ssl"]
 
+[[example]]
+name = "ssl_client_auth"
+path = "examples/ssl_client_auth.rs"
+required-features = []
+
 [[example]]
 name = "aws_sigv4"
 path = "examples/aws_sigv4.rs"
diff --git a/README.md b/README.md
@@ -133,6 +133,16 @@ with various Cargo features:
 - `upkeep_7_62_0`: Enable curl_easy_upkeep() support, introduced in curl 7.62.0. Disabled by default.
 - `poll_7_68_0`: Enable curl_multi_poll()/curl_multi_wakeup() support, requires curl 7.68.0 or later. Disabled by default.
 - `ntlm`: Enable NTLM support in curl. Disabled by default.
+- `windows-static-ssl`: Enable Openssl support on Windows via the static build provided by vcpkg. Incompatible with `ssl` (use `--no-default-features`). Disabled by default.
+
+  Note that to install openssl on windows via vcpkg the following commands needs to be ran:
+  ```shell
+  git clone https://github.com/microsoft/vcpkg
+  cd vcpkg
+  ./bootstrap-vcpkg.bat -disableMetrics
+  ./vcpkg.exe integrate install
+  ./vcpkg.exe install openssl:x64-windows-static-md
+  ```
 
 ## Version Support
 
diff --git a/curl-sys/Cargo.toml b/curl-sys/Cargo.toml
@@ -49,6 +49,7 @@ http2 = ["libnghttp2-sys"]
 mesalink = []
 rustls = ["rustls-ffi"]
 static-curl = []
+windows-static-ssl = []
 static-ssl = ["openssl-sys/vendored"]
 spnego = []
 force-system-lib-on-osx = []
diff --git a/curl-sys/build.rs b/curl-sys/build.rs
@@ -274,6 +274,26 @@ fn main() {
         cfg.define("USE_RUSTLS", None)
             .file("curl/lib/vtls/rustls.c")
             .include(env::var_os("DEP_RUSTLS_FFI_INCLUDE").unwrap());
+    } else if cfg!(feature = "windows-static-ssl") {
+        if windows {
+            cfg.define("USE_OPENSSL", None)
+                .file("curl/lib/vtls/openssl.c");
+            // We need both openssl and zlib
+            // Those can be installed with
+            // ```shell
+            // git clone https://github.com/microsoft/vcpkg
+            // cd vcpkg
+            // ./bootstrap-vcpkg.bat -disableMetrics
+            // ./vcpkg.exe integrate install
+            // ./vcpkg.exe install openssl:x64-windows-static-md
+            // ```
+            #[cfg(target_env = "msvc")]
+            vcpkg::Config::new().find_package("openssl").ok();
+            #[cfg(target_env = "msvc")]
+            vcpkg::Config::new().find_package("zlib").ok();
+        } else {
+            panic!("Not available on non windows platform")
+        }
     } else if cfg!(feature = "ssl") {
         if windows {
             // For windows, spnego feature is auto on in case ssl feature is on.
diff --git a/examples/ssl_cert_blob.rs b/examples/ssl_cert_blob.rs
@@ -16,11 +16,21 @@ fn read_file(path: impl AsRef<Path>) -> Result<Vec<u8>> {
 fn main() -> Result<()> {
     let argv = env::args().collect::<Vec<_>>();
     if argv.len() < 4 {
-        bail!("usage: ssl_cert_blob URL CERT KEY");
+        bail!("usage: ssl_cert_blob URL CERT KEY CAINFO? PASSWORD?");
     }
     let url = &argv[1];
     let cert_path = &argv[2];
     let key_path = &argv[3];
+    let cainfo = if argv.len() >= 5 {
+        Some(&argv[4])
+    } else {
+        None
+    };
+    let password = if argv.len() >= 6 {
+        Some(&argv[5])
+    } else {
+        None
+    };
 
     let mut handle = Easy::new();
 
@@ -33,9 +43,20 @@ fn main() -> Result<()> {
 
     let cert_blob = read_file(cert_path)?;
     let key_blob = read_file(key_path)?;
+    let ca_blob = if let Some(cainfo) = cainfo {
+        Some(read_file(cainfo)?)
+    } else {
+        None
+    };
 
     handle.ssl_cert_blob(&cert_blob)?;
     handle.ssl_key_blob(&key_blob)?;
+    if let Some(password) = password {
+        handle.key_password(password)?;
+    }
+    if let Some(ca_blob) = ca_blob {
+        handle.ssl_cainfo_blob(&ca_blob)?;
+    }
 
     handle.perform()?;
     Ok(())
diff --git a/examples/ssl_client_auth.rs b/examples/ssl_client_auth.rs
@@ -0,0 +1,46 @@
+use std::env;
+use std::io::{stdout, Write};
+
+use anyhow::{bail, Result};
+use curl::easy::Easy;
+
+fn main() -> Result<()> {
+    let argv = env::args().collect::<Vec<_>>();
+    if argv.len() < 4 {
+        bail!("usage: ssl_client_auth URL CERT KEY CAINFO? PASSWORD?");
+    }
+    let url = &argv[1];
+    let cert_path = &argv[2];
+    let key_path = &argv[3];
+    let cainfo = if argv.len() >= 5 {
+        Some(&argv[4])
+    } else {
+        None
+    };
+    let password = if argv.len() >= 6 {
+        Some(&argv[5])
+    } else {
+        None
+    };
+
+    let mut handle = Easy::new();
+
+    handle.url(url)?;
+    handle.verbose(true)?;
+    handle.write_function(|data| {
+        stdout().write_all(data).unwrap();
+        Ok(data.len())
+    })?;
+
+    handle.ssl_cert(&cert_path)?;
+    handle.ssl_key(&key_path)?;
+    if let Some(password) = password {
+        handle.key_password(password)?;
+    }
+    if let Some(cainfo) = cainfo {
+        handle.cainfo(cainfo)?;
+    }
+
+    handle.perform()?;
+    Ok(())
+}
