From c27d1fdbb579f0e6690bb20bbae2d38ececcb362 Mon Sep 17 00:00:00 2001 From: UrosG Date: Sun, 16 Feb 2025 13:24:25 +0100 Subject: [PATCH 1/8] server_certificate_verifier extended to reuse built-in verifier --- httplib.h | 36 +++++++++++++++++++++++++----------- 1 file changed, 25 insertions(+), 11 deletions(-) diff --git a/httplib.h b/httplib.h index 593beb5015..a9fb06aeab 100644 --- a/httplib.h +++ b/httplib.h @@ -435,6 +435,12 @@ struct scope_exit { } // namespace detail +enum SSLVerifierResponse { + Verified, // connection certificate is verified and accepted + CheckAgain, // use the built-in certificate checker again + Declined // connection certificate was process but is declined +}; + enum StatusCode { // Information responses Continue_100 = 100, @@ -1483,7 +1489,7 @@ class ClientImpl { #ifdef CPPHTTPLIB_OPENSSL_SUPPORT void enable_server_certificate_verification(bool enabled); void enable_server_hostname_verification(bool enabled); - void set_server_certificate_verifier(std::function verifier); + void set_server_certificate_verifier(std::function verifier); #endif void set_logger(Logger logger); @@ -1600,7 +1606,7 @@ class ClientImpl { #ifdef CPPHTTPLIB_OPENSSL_SUPPORT bool server_certificate_verification_ = true; bool server_hostname_verification_ = true; - std::function server_certificate_verifier_; + std::function server_certificate_verifier_; #endif Logger logger_; @@ -1913,7 +1919,7 @@ class Client { #ifdef CPPHTTPLIB_OPENSSL_SUPPORT void enable_server_certificate_verification(bool enabled); void enable_server_hostname_verification(bool enabled); - void set_server_certificate_verifier(std::function verifier); + void set_server_certificate_verifier(std::function verifier); #endif void set_logger(Logger logger); 
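Review bot: `SSLVerifierResponse` is added as an unscoped enum at namespace scope in the first hunk, so `Verified`, `CheckAgain` and `Declined` become plain names in the enclosing namespace and convert implicitly to int. The call sites in this patch already spell the enumerators with the `SSLVerifierResponse::` qualifier, so `enum class SSLVerifierResponse {` would compile unchanged there and keep these generic names out of the namespace. `StatusCode` directly below is also a plain enum, so if the choice is meant to match it, a short comment saying so would help.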
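Review bot: The `set_server_certificate_verifier` declaration in the `ClientImpl` hunk, and the matching one in the `Client` hunk, changes what the callback must return without any comment telling existing callers how to migrate. The template arguments are not visible on this page, but the `initialize_ssl` hunk shows the old result was tested with `!` and the new one is compared against `SSLVerifierResponse` values, so callbacks that return a boolean presumably stop compiling. I would add a comment above the declaration such as `// verifier now returns SSLVerifierResponse: a former 'true' maps to Verified, 'false' to Declined; CheckAgain defers to the built-in check`, and mention the signature change in the release notes.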
@@ -9009,7 +9015,7 @@ inline void ClientImpl::enable_server_hostname_verification(bool enabled) { } inline void ClientImpl::set_server_certificate_verifier( - std::function verifier) { + std::function verifier) { server_certificate_verifier_ = verifier; } #endif @@ -9623,12 +9629,20 @@ inline bool SSLClient::initialize_ssl(Socket &socket, Error &error) { } if (server_certificate_verification_) { - if (server_certificate_verifier_) { - if (!server_certificate_verifier_(ssl2)) { - error = Error::SSLServerVerification; - return false; - } - } else { + // set default status to CheckAgain + SSLVerifierResponse verificationStatus = SSLVerifierResponse::CheckAgain; + + if (server_certificate_verifier_) + verificationStatus = server_certificate_verifier_(ssl2); + + if (verificationStatus == SSLVerifierResponse::Declined) + { + error = Error::SSLServerVerification; + return false; + } + + if (verificationStatus == SSLVerifierResponse::CheckAgain) + { verify_result_ = SSL_get_verify_result(ssl2); if (verify_result_ != X509_V_OK) { @@ -10389,7 +10403,7 @@ inline void Client::enable_server_hostname_verification(bool enabled) { } inline void Client::set_server_certificate_verifier( - std::function verifier) { + std::function verifier) { cli_->set_server_certificate_verifier(verifier); } #endif From 1be86c83289c40d7666959c86fef3d9ddac9dfb0 Mon Sep 17 00:00:00 2001 From: UrosG Date: Mon, 17 Feb 2025 09:51:14 +0100 Subject: [PATCH 2/8] code cleanup and SSLVerifierResponse enum clarification as per @falbrechtskirchinger comment --- httplib.h | 16 +++++++++------- 1 file changed, 9 insertions(+), 7 deletions(-) diff --git a/httplib.h b/httplib.h index a9fb06aeab..7cd34ad1c0 100644 --- a/httplib.h +++ b/httplib.h 
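Review bot: In the `initialize_ssl` hunk, any verifier result other than `Declined` or `CheckAgain` is treated as acceptance, because only those two values are tested and everything else falls through past the built-in check. Certificate verification should fail closed, so I would reject anything that is not an explicit accept or defer: `if (verificationStatus != SSLVerifierResponse::Verified && verificationStatus != SSLVerifierResponse::CheckAgain) { error = Error::SSLServerVerification; return false; }`. The `CheckAgain` block continues outside the hunk, so whatever checks follow `SSL_get_verify_result` there are presumably skipped as well when the callback returns `Verified`. That is worth confirming for hostname verification in particular.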
@@ -436,9 +436,9 @@ struct scope_exit { } // namespace detail enum SSLVerifierResponse { - Verified, // connection certificate is verified and accepted - CheckAgain, // use the built-in certificate checker again - Declined // connection certificate was process but is declined + NoDecisionMade, // no decision has been made, use the built-in certificate verifier + CertificateAccepted, // connection certificate is verified and accepted + CertificateRejected // connection certificate was processed but is rejected }; enum StatusCode { @@ -9630,18 +9630,20 @@ inline bool SSLClient::initialize_ssl(Socket &socket, Error &error) { if (server_certificate_verification_) { // set default status to CheckAgain - SSLVerifierResponse verificationStatus = SSLVerifierResponse::CheckAgain; + SSLVerifierResponse verification_status_ = SSLVerifierResponse::NoDecisionMade; if (server_certificate_verifier_) - verificationStatus = server_certificate_verifier_(ssl2); + { + verification_status_ = server_certificate_verifier_(ssl2); + } - if (verificationStatus == SSLVerifierResponse::Declined) + if (verification_status_ == SSLVerifierResponse::CertificateRejected) { error = Error::SSLServerVerification; return false; } - if (verificationStatus == SSLVerifierResponse::CheckAgain) + if (verification_status_ == SSLVerifierResponse::NoDecisionMade) { verify_result_ = SSL_get_verify_result(ssl2); From 59888ae700515438e34f66f016c5455b7388d213 Mon Sep 17 00:00:00 2001 From: UrosG Date: Mon, 17 Feb 2025 09:54:33 +0100 Subject: [PATCH 3/8] cleanup --- httplib.h | 1 - 1 file changed, 1 deletion(-) diff --git a/httplib.h b/httplib.h index 7cd34ad1c0..f2b4dc66c7 100644 --- a/httplib.h +++ b/httplib.h @@ -9629,7 +9629,6 @@ inline bool SSLClient::initialize_ssl(Socket &socket, Error &error) { } if (server_certificate_verification_) { - // set default status to CheckAgain SSLVerifierResponse verification_status_ = SSLVerifierResponse::NoDecisionMade; if (server_certificate_verifier_) 
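Review bot: The comment on `CertificateAccepted` in the enum hunk says the certificate "is verified and accepted" but not that the library then skips its own check, which is the security-relevant part of the contract. The `initialize_ssl` hunk of this patch runs `SSL_get_verify_result` only for `NoDecisionMade`, so a callback returning `CertificateAccepted` is the sole verifier for that connection. I would word the comment as `// the callback accepts the certificate; the built-in verifier is NOT run`, so callers do not return it as a generic success value.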
From d62d1cb3a808b6c29117b0068277455d0fb5d920 Mon Sep 17 00:00:00 2001 From: UrosG Date: Mon, 17 Feb 2025 18:49:32 +0100 Subject: [PATCH 4/8] clang-format --- httplib.h | 28 ++++++++++++++++------------ 1 file changed, 16 insertions(+), 12 deletions(-) diff --git a/httplib.h b/httplib.h index f2b4dc66c7..7549fb1aa3 100644 --- a/httplib.h +++ b/httplib.h @@ -436,9 +436,12 @@ struct scope_exit { } // namespace detail enum SSLVerifierResponse { - NoDecisionMade, // no decision has been made, use the built-in certificate verifier - CertificateAccepted, // connection certificate is verified and accepted - CertificateRejected // connection certificate was processed but is rejected + // no decision has been made, use the built-in certificate verifier + NoDecisionMade, + // connection certificate is verified and accepted + CertificateAccepted, + // connection certificate was processed but is rejected + CertificateRejected }; enum StatusCode { @@ -1489,7 +1492,8 @@ class ClientImpl { #ifdef CPPHTTPLIB_OPENSSL_SUPPORT void enable_server_certificate_verification(bool enabled); void enable_server_hostname_verification(bool enabled); - void set_server_certificate_verifier(std::function verifier); + void set_server_certificate_verifier( + std::function verifier); #endif void set_logger(Logger logger); @@ -1919,7 +1923,8 @@ class Client { #ifdef CPPHTTPLIB_OPENSSL_SUPPORT void enable_server_certificate_verification(bool enabled); void enable_server_hostname_verification(bool enabled); - void set_server_certificate_verifier(std::function verifier); + void set_server_certificate_verifier( + std::function verifier); #endif void set_logger(Logger logger); 
@@ -9629,21 +9634,20 @@ inline bool SSLClient::initialize_ssl(Socket &socket, Error &error) { } if (server_certificate_verification_) { - SSLVerifierResponse verification_status_ = SSLVerifierResponse::NoDecisionMade; + SSLVerifierResponse verification_status_ = + SSLVerifierResponse::NoDecisionMade; - if (server_certificate_verifier_) - { + if (server_certificate_verifier_) { verification_status_ = server_certificate_verifier_(ssl2); } - if (verification_status_ == SSLVerifierResponse::CertificateRejected) - { + if (verification_status_ == + SSLVerifierResponse::CertificateRejected) { error = Error::SSLServerVerification; return false; } - if (verification_status_ == SSLVerifierResponse::NoDecisionMade) - { + if (verification_status_ == SSLVerifierResponse::NoDecisionMade) { verify_result_ = SSL_get_verify_result(ssl2); if (verify_result_ != X509_V_OK) { From c45f3448101ee05b2c4c311f53c828c8d316e7ba Mon Sep 17 00:00:00 2001 From: UrosG Date: Mon, 17 Feb 2025 19:31:20 +0100 Subject: [PATCH 5/8] change local var verification_status_ declaration to auto --- httplib.h | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/httplib.h b/httplib.h index 7549fb1aa3..cdb902289a 100644 --- a/httplib.h +++ b/httplib.h @@ -9634,7 +9634,7 @@ inline bool SSLClient::initialize_ssl(Socket &socket, Error &error) { } if (server_certificate_verification_) { - SSLVerifierResponse verification_status_ = + auto verification_status_ = SSLVerifierResponse::NoDecisionMade; if (server_certificate_verifier_) { From ce7dc7af7469e56da6f987b31554a9bec7893e91 Mon Sep 17 00:00:00 2001 From: UrosG Date: Mon, 17 Feb 2025 19:56:25 +0100 Subject: [PATCH 6/8] change local var verification_status_ to verification_status --- httplib.h | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/httplib.h b/httplib.h index cdb902289a..f348e6a160 100644 --- a/httplib.h +++ b/httplib.h 
@@ -9634,20 +9634,20 @@ inline bool SSLClient::initialize_ssl(Socket &socket, Error &error) { } if (server_certificate_verification_) { - auto verification_status_ = + auto verification_status = SSLVerifierResponse::NoDecisionMade; if (server_certificate_verifier_) { - verification_status_ = server_certificate_verifier_(ssl2); + verification_status = server_certificate_verifier_(ssl2); } - if (verification_status_ == + if (verification_status == SSLVerifierResponse::CertificateRejected) { error = Error::SSLServerVerification; return false; } - if (verification_status_ == SSLVerifierResponse::NoDecisionMade) { + if (verification_status == SSLVerifierResponse::NoDecisionMade) { verify_result_ = SSL_get_verify_result(ssl2); if (verify_result_ != X509_V_OK) { From a46b28782ea7a27e301ca62aecbe02a1e241f50e Mon Sep 17 00:00:00 2001 From: UrosG Date: Mon, 17 Feb 2025 20:11:22 +0100 Subject: [PATCH 7/8] clang-format --- httplib.h | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/httplib.h b/httplib.h index f348e6a160..3951ad84d9 100644 --- a/httplib.h +++ b/httplib.h @@ -9634,8 +9634,7 @@ inline bool SSLClient::initialize_ssl(Socket &socket, Error &error) { } if (server_certificate_verification_) { - auto verification_status = - SSLVerifierResponse::NoDecisionMade; + auto verification_status = SSLVerifierResponse::NoDecisionMade; if (server_certificate_verifier_) { verification_status = server_certificate_verifier_(ssl2); From 5c2bce6e5e58d7682a2e23292a4798318f3ba9e3 Mon Sep 17 00:00:00 2001 From: UrosG Date: Mon, 17 Feb 2025 20:29:42 +0100 Subject: [PATCH 8/8] clang-format --- httplib.h | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/httplib.h b/httplib.h index 3951ad84d9..1e626e2d9e 100644 --- a/httplib.h +++ b/httplib.h 
@@ -9640,8 +9640,7 @@ inline bool SSLClient::initialize_ssl(Socket &socket, Error &error) { verification_status = server_certificate_verifier_(ssl2); } - if (verification_status == - SSLVerifierResponse::CertificateRejected) { + if (verification_status == SSLVerifierResponse::CertificateRejected) { error = Error::SSLServerVerification; return false; }