From 8f614f8543b57222d0c74c63e029fd4e3326c9d9 Mon Sep 17 00:00:00 2001
From: Ziya Suzen
Date: Thu, 6 Mar 2025 12:36:09 +0000
Subject: [PATCH 1/3] [FIXED] SSL callback

Remove openssl dependency in nats.h.

---
 src/conn.c | 7 ++++++-
 src/nats.h | 43 ++++++++++++++++++++++++++++++++-----------
 src/natsp.h | 12 ++++++------
 src/opts.c | 2 +-
 test/test.c | 9 ++++++++-
 5 files changed, 53 insertions(+), 20 deletions(-)

diff --git a/src/conn.c b/src/conn.c
index 2fb659480..ad77ab0c7 100644
--- a/src/conn.c
+++ b/src/conn.c
@@ -736,7 +736,12 @@ _makeTLSConn(natsConnection *nc)
 s = nats_setError(NATS_SSL_ERROR, "unable to set expected hostname '%s'", nc->tlsName);
 }
 if (s == NATS_OK)
- SSL_set_verify(ssl, SSL_VERIFY_PEER, nc->opts->sslCtx->callback != NULL ? nc->opts->sslCtx->callback : _collectSSLErr);
+ {
+ if (nc->opts->sslCtx->callback != NULL)
+ nc->opts->sslCtx->callback(ssl);
+ else
+ SSL_set_verify(ssl, SSL_VERIFY_PEER, _collectSSLErr);
+ }
 }
 }
 #if defined(NATS_USE_OPENSSL_1_1)
diff --git a/src/nats.h b/src/nats.h
index 2bd9f9b00..368ea91e7 100644
--- a/src/nats.h
+++ b/src/nats.h
@@ -27,13 +27,6 @@ extern "C" {
 #include "status.h"
 #include "version.h"
 
-#if defined(NATS_HAS_TLS)
-#include
-#include
-#else
-#define X509_STORE_CTX void
-typedef int (*SSL_verify_cb)(int preverify_ok, X509_STORE_CTX* x509_ctx);
-#endif
 
 /** \def NATS_EXTERN
 * \brief Needed for shared library.
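Review bot: When a user handler is installed, the new `if`/`else` in `_makeTLSConn` skips the library's `SSL_set_verify()` entirely, so the verification mode of this SSL object is whatever the handler happens to set; a handler that forgets the call (or passes SSL_VERIFY_NONE) leaves the mode inherited from the SSL_CTX, which nothing in this hunk shows to be SSL_VERIFY_PEER. The removed line always forced SSL_VERIFY_PEER and only swapped the per-certificate callback, so this is a change from fail-closed to "trust the handler". To keep the default fail-closed and still let the handler customise it, set the library default unconditionally and then invoke the handler: `SSL_set_verify(ssl, SSL_VERIFY_PEER, _collectSSLErr);` followed by `if (nc->opts->sslCtx->callback != NULL) nc->opts->sslCtx->callback((void *)ssl);`. `_makeTLSConn` begins and ends outside the hunk, so any hostname check done earlier via the `nc->tlsName` path is not visible here either.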
@@ -1768,6 +1761,33 @@ typedef void (*natsOnCompleteCB)(void *closure);
 */
 typedef int64_t (*natsCustomReconnectDelayHandler)(natsConnection *nc, int attempts, void *closure);
 
+/** \brief Callback used to setup SSL on connection.
+ *
+ * This callback is used to allow the user to customize the SSL setup for a connection
+ * typically to set up custom certificate verification. The user should cast the
+ * ssl pointer to the appropriate SSL type and then set up the additional SSL
+ * callbacks as needed.
+ *
+ * \code{.unparsed}
+ * #include
+ *
+ * int _sslVerifyCallback(int preverify_ok, X509_STORE_CTX *ctx)
+ * {
+ * // Custom verification code here...
+ * }
+ *
+ * void _sslCallback(void *ssl)
+ * {
+ * SSL_set_verify((SSL *)ssl, SSL_VERIFY_PEER, _sslVerifyCallback);
+ * }
+ * \endcode
+ *
+ * see also https://docs.openssl.org/master/man3/SSL_CTX_set_verify/
+ *
+ * @param ssl the pointer to the SSL struct. Must be cast to the SSL type.
+ */
+typedef void (*natsCustomSSLHandler)(void *ssl);
+
 #ifdef BUILD_IN_DOXYGEN
 /** \brief Callback used to process asynchronous publish errors from JetStream.
 *
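Review bot: The `natsCustomSSLHandler` documentation does not say that the handler is now solely responsible for enabling peer verification: with the conn.c change in this patch the library makes no `SSL_set_verify()` call of its own once a handler is set, so a handler that omits the call, or installs SSL_VERIFY_NONE, yields a connection whose certificate checking depends on whatever the SSL_CTX carries. I would add, after the `@param ssl` line, `\warning When a handler is set the library does not call SSL_set_verify() itself; the handler must call SSL_set_verify() with SSL_VERIFY_PEER (as in the example) or the server certificate may not be verified.` and note in the example that `_sslVerifyCallback` must return 0 to reject a certificate. The example's `#include` line appears to have lost its header name (presumably `<openssl/ssl.h>`), though that may be an artefact of how the patch was rendered rather than of the commit.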
@@ -2628,17 +2648,18 @@ natsOptions_SetExpectedHostname(natsOptions *opts, const char *hostname);
 NATS_EXTERN natsStatus
 natsOptions_SkipServerVerification(natsOptions *opts, bool skip);
 
-/** \brief Sets the certificate validation callback.
+/** \brief Sets the SSL callback.
 *
- * Sets a callback used to verify the SSL certificate.
+ * Sets a callback used to create additional SSL setup for the connection such as
+ * setting up custom certificate verification.
 *
 * \note Setting a callback will enable SSL verification if disabled via natsOptions_SkipServerVerification().
 *
 * @param opts the pointer to the #natsOptions object.
- * @param callback the custom SSL verification handler to invoke. see https://docs.openssl.org/master/man3/SSL_CTX_set_verify/
+ * @param callback the custom SSL handler to invoke. See the #natsCustomSSLHandler prototype.
 */
 NATS_EXTERN natsStatus
-natsOptions_SetSSLVerificationCallback(natsOptions *opts, SSL_verify_cb callback);
+natsOptions_SetSSLCallback(natsOptions *opts, natsCustomSSLHandler callback);
 
 /** \brief Sets the verbose mode.
 *
diff --git a/src/natsp.h b/src/natsp.h
index 224b7c41b..eb9f49f09 100644
--- a/src/natsp.h
+++ b/src/natsp.h
@@ -182,12 +182,12 @@ typedef struct __natsServerInfo
 
 typedef struct __natsSSLCtx
 {
- natsMutex *lock;
- int refs;
- SSL_CTX *ctx;
- char *expectedHostname;
- bool skipVerify;
- SSL_verify_cb callback;
+ natsMutex *lock;
+ int refs;
+ SSL_CTX *ctx;
+ char *expectedHostname;
+ bool skipVerify;
+ natsCustomSSLHandler callback;
 
 } natsSSLCtx;
 
diff --git a/src/opts.c b/src/opts.c
index 058d80b29..337cff86d 100644
--- a/src/opts.c
+++ b/src/opts.c
@@ -707,7 +707,7 @@ natsOptions_SkipServerVerification(natsOptions *opts, bool skip)
 }
 
 natsStatus
-natsOptions_SetSSLVerificationCallback(natsOptions *opts, SSL_verify_cb callback)
+natsOptions_SetSSLCallback(natsOptions *opts, natsCustomSSLHandler callback)
 {
 natsStatus s = NATS_OK;
 
diff --git a/test/test.c b/test/test.c
index b7b5684e9..819ceda10 100644
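Review bot: The retained `\note Setting a callback will enable SSL verification if disabled via natsOptions_SkipServerVerification().` is no longer something the library guarantees: per the conn.c hunk in this patch, a callback replaces the library's `SSL_set_verify(ssl, SSL_VERIFY_PEER, ...)` call rather than supplementing it, so verification is enabled only if the handler itself calls SSL_set_verify(). Either reword it to `\note Setting a callback takes precedence over natsOptions_SkipServerVerification(), but the library then makes no SSL_set_verify() call of its own; the callback must call SSL_set_verify(SSL_VERIFY_PEER) for the server certificate to be verified.`, or keep the old promise true by having the library set SSL_VERIFY_PEER before invoking the handler. Whether the setter still clears `skipVerify` cannot be seen here, as the body of `natsOptions_SetSSLCallback` in the opts.c hunk continues outside the hunk; the natsp.h hunk is a field-type change only.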
--- a/test/test.c
+++ b/test/test.c
@@ -21191,6 +21191,13 @@ _sslVerifyCallback(int preverify_ok, X509_STORE_CTX *ctx)
 testf("verfiy result: %d\n", result);
 return result;
 }
+
+static void
+_sslCallback(void *ssl)
+{
+ SSL_set_verify((SSL *)ssl, SSL_VERIFY_PEER, _sslVerifyCallback);
+}
+
 #endif // NATS_HAS_TLS
 
 void test_SSLVerificationCallback(void)
@@ -21217,7 +21224,7 @@ void test_SSLVerificationCallback(void)
 test("Check that connect succeeds with validation callback:\n");
 
 s = natsOptions_SetURL(opts, "nats://127.0.0.1:4443");
- IFOK(s, natsOptions_SetSSLVerificationCallback(opts, _sslVerifyCallback));
+ IFOK(s, natsOptions_SetSSLCallback(opts, _sslCallback));
 IFOK(s, natsConnection_Connect(&nc, opts));
 testCond(s == NATS_OK);
 natsConnection_Destroy(nc);

From 13b4f93f309b301ae2ec922a93c8de31e023f607 Mon Sep 17 00:00:00 2001
From: Ziya Suzen
Date: Thu, 6 Mar 2025 13:13:35 +0000
Subject: [PATCH 2/3] Fixed no tls build

---
 src/opts.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/src/opts.c b/src/opts.c
index 337cff86d..62df62c61 100644
--- a/src/opts.c
+++ b/src/opts.c
@@ -787,7 +787,7 @@ natsOptions_SkipServerVerification(natsOptions *opts, bool skip)
 }
 
 natsStatus
-natsOptions_SetSSLVerificationCallback(natsOptions *opts, SSL_verify_cb callback)
+natsOptions_SetSSLCallback(natsOptions *opts, natsCustomSSLHandler callback)
 {
 return nats_setError(NATS_ILLEGAL_STATE, "%s", NO_SSL_ERR);
 }

From 5d02704b481561ccae2fa08a865675c213a49200 Mon Sep 17 00:00:00 2001
From: Ziya Suzen
Date: Thu, 6 Mar 2025 14:45:01 +0000
Subject: [PATCH 3/3] Cast ssl to void in SSL callback invocation

This is to comply with the callback definition.

---
 src/conn.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/src/conn.c b/src/conn.c
index ad77ab0c7..54d8174f0 100644
--- a/src/conn.c
+++ b/src/conn.c
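Review bot: `test_SSLVerificationCallback` only exercises the happy path, where `_sslCallback` installs SSL_VERIFY_PEER and `natsConnection_Connect` succeeds; nothing asserts that a handler whose verify callback rejects the certificate (returns 0) makes the connect fail, nor what happens when a handler never calls `SSL_set_verify()`. Since this patch moves the responsibility for calling SSL_set_verify() from the library into the handler, a negative case such as `IFOK(s, natsOptions_SetSSLCallback(opts, _sslCallbackReject)); s = natsConnection_Connect(&nc, opts); testCond(s != NATS_OK);` would catch a regression to fail-open. The rest of `test_SSLVerificationCallback` lies outside the hunk, so it may already contain a failure case I cannot see. The patch 2/3 opts.c hunk is a rename in the no-TLS stub and needs nothing further.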
@@ -738,7 +738,7 @@ _makeTLSConn(natsConnection *nc)
 if (s == NATS_OK)
 {
 if (nc->opts->sslCtx->callback != NULL)
- nc->opts->sslCtx->callback(ssl);
+ nc->opts->sslCtx->callback((void*)ssl);
 else
 SSL_set_verify(ssl, SSL_VERIFY_PEER, _collectSSLErr);
 }
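Review bot: The `(void*)` cast added to the callback invocation is redundant in C: any object pointer converts to `void *` implicitly, so `nc->opts->sslCtx->callback(ssl);` already matches the `natsCustomSSLHandler` prototype, and the "comply with the callback definition" rationale only holds if this translation unit is compiled as C++. If the cast is kept for readability, the `(SSL *)ssl` spelling used in test.c suggests `(void *)ssl` for consistency. The enclosing `_makeTLSConn` starts and ends outside the hunk.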