vtls: allow selecting which SSL backend to use at runtime

When building software for the masses, it is sometimes not possible to
decide for all users which SSL backend is appropriate.

Git for Windows, for example,  uses cURL to perform clones, fetches and
pushes via HTTPS, and some users strongly prefer OpenSSL, while other
users really need to use Secure Channel because it offers
enterprise-ready tools to manage credentials via Windows' Credential
Store.

The current Git for Windows versions use the ugly work-around of
building libcurl once with OpenSSL support and once with Secure Channel
support, and switching out the binaries in the installer depending on
the user's choice.

Needless to say, this is a super ugly workaround that actually only
works in some cases: Git for Windows also comes in a portable form, and
in a form intended for third-party applications requiring Git
functionality, in which cases this "swap out libcurl-4.dll" simply is
not an option.

Therefore, the Git for Windows project has a vested interest in teaching
cURL to make the SSL backend a *runtime* option.

This patch makes that possible.

By running ./configure with multiple --with-<backend> options, cURL will
be built with multiple backends.

For the moment, the backend can be configured using the environment
variable CURL_SSL_BACKEND (valid values are e.g. "openssl" and
"schannel").

Signed-off-by: Johannes Schindelin <johannes.schindelin@gmx.de>

11 files changed, 143 insertions, 18 deletions

diff --git a/lib/vtls/axtls.c b/lib/vtls/axtls.c
index 65f3b2409..cfdb1b70f 100644
--- a/lib/vtls/axtls.c
+++ b/lib/vtls/axtls.c
@@ -740,6 +740,4 @@ const struct Curl_ssl Curl_ssl_axtls = {
   NULL                            /* sha256sum */
 };
 
-const struct Curl_ssl *Curl_ssl = &Curl_ssl_axtls;
-
 #endif /* USE_AXTLS */
diff --git a/lib/vtls/cyassl.c b/lib/vtls/cyassl.c
index 01ed678df..d679752fb 100644
--- a/lib/vtls/cyassl.c
+++ b/lib/vtls/cyassl.c
@@ -1015,6 +1015,4 @@ const struct Curl_ssl Curl_ssl_cyassl = {
   Curl_cyassl_sha256sum            /* sha256sum */
 };
 
-const struct Curl_ssl *Curl_ssl = &Curl_ssl_cyassl;
-
 #endif
diff --git a/lib/vtls/darwinssl.c b/lib/vtls/darwinssl.c
index f65e93d86..b2ca52cb7 100644
--- a/lib/vtls/darwinssl.c
+++ b/lib/vtls/darwinssl.c
@@ -2927,8 +2927,6 @@ const struct Curl_ssl Curl_ssl_darwinssl = {
   Curl_darwinssl_sha256sum            /* sha256sum */
 };
 
-const struct Curl_ssl *Curl_ssl = &Curl_ssl_darwinssl;
-
 #ifdef __clang__
 #pragma clang diagnostic pop
 #endif
diff --git a/lib/vtls/gskit.c b/lib/vtls/gskit.c
index 9d5568cf9..a1599dd5f 100644
--- a/lib/vtls/gskit.c
+++ b/lib/vtls/gskit.c
@@ -1388,6 +1388,4 @@ const struct Curl_ssl Curl_ssl_gskit = {
   NULL                            /* sha256sum */
 };
 
-const struct Curl_ssl *Curl_ssl = &Curl_ssl_gskit;
-
 #endif /* USE_GSKIT */
diff --git a/lib/vtls/gtls.c b/lib/vtls/gtls.c
index f63f5460f..498634b29 100644
--- a/lib/vtls/gtls.c
+++ b/lib/vtls/gtls.c
@@ -1839,5 +1839,4 @@ const struct Curl_ssl Curl_ssl_gnutls = {
   Curl_gtls_sha256sum            /* sha256sum */
 };
 
-const struct Curl_ssl *Curl_ssl = &Curl_ssl_gnutls;
 #endif /* USE_GNUTLS */
diff --git a/lib/vtls/mbedtls.c b/lib/vtls/mbedtls.c
index 61eee09bc..d7e16177b 100644
--- a/lib/vtls/mbedtls.c
+++ b/lib/vtls/mbedtls.c
@@ -1072,6 +1072,4 @@ const struct Curl_ssl Curl_ssl_mbedtls = {
   Curl_mbedtls_sha256sum            /* sha256sum */
 };
 
-const struct Curl_ssl *Curl_ssl = &Curl_ssl_mbedtls;
-
 #endif /* USE_MBEDTLS */
diff --git a/lib/vtls/nss.c b/lib/vtls/nss.c
index 14dd15423..91f6530af 100644
--- a/lib/vtls/nss.c
+++ b/lib/vtls/nss.c
@@ -2378,5 +2378,4 @@ const struct Curl_ssl Curl_ssl_nss = {
   Curl_nss_sha256sum            /* sha256sum */
 };
 
-const struct Curl_ssl *Curl_ssl = &Curl_ssl_nss;
 #endif /* USE_NSS */
diff --git a/lib/vtls/openssl.c b/lib/vtls/openssl.c
index a96604dd6..136d8e475 100644
--- a/lib/vtls/openssl.c
+++ b/lib/vtls/openssl.c
@@ -3453,6 +3453,4 @@ const struct Curl_ssl Curl_ssl_openssl = {
 #endif
 };
 
-const struct Curl_ssl *Curl_ssl = &Curl_ssl_openssl;
-
 #endif /* USE_OPENSSL */
diff --git a/lib/vtls/polarssl.c b/lib/vtls/polarssl.c
index ae3f6f814..9d4aeacfb 100644
--- a/lib/vtls/polarssl.c
+++ b/lib/vtls/polarssl.c
@@ -937,6 +937,4 @@ const struct Curl_ssl Curl_ssl_polarssl = {
   Curl_polarssl_sha256sum            /* sha256sum */
 };
 
-const struct Curl_ssl *Curl_ssl = &Curl_ssl_polarssl;
-
 #endif /* USE_POLARSSL */
diff --git a/lib/vtls/schannel.c b/lib/vtls/schannel.c
index b1cd60e11..bd7a85bae 100644
--- a/lib/vtls/schannel.c
+++ b/lib/vtls/schannel.c
@@ -1849,6 +1849,4 @@ const struct Curl_ssl Curl_ssl_schannel = {
   NULL                               /* sha256sum */
 };
 
-const struct Curl_ssl *Curl_ssl = &Curl_ssl_schannel;
-
 #endif /* USE_SCHANNEL */
diff --git a/lib/vtls/vtls.c b/lib/vtls/vtls.c
index 3e52220fc..ed43e1d46 100644
--- a/lib/vtls/vtls.c
+++ b/lib/vtls/vtls.c
@@ -130,9 +130,14 @@ void Curl_free_primary_ssl_config(struct ssl_primary_config* sslc)
   Curl_safefree(sslc->clientcert);
 }
 
+#ifdef USE_SSL
+static int multissl_init(void);
+#endif
+
 int Curl_ssl_backend(void)
 {
 #ifdef USE_SSL
+  multissl_init();
   return Curl_ssl->id;
 #else
   return (int)CURLSSLBACKEND_NONE;
@@ -1049,4 +1054,142 @@ CURLcode Curl_none_md5sum(unsigned char *input, size_t inputlen,
   return CURLE_OK;
 }
 
+static int Curl_multissl_init(void)
+{
+  if(multissl_init())
+    return 1;
+  return Curl_ssl->init();
+}
+
+static size_t Curl_multissl_version(char *buffer, size_t size)
+{
+  if(multissl_init())
+    return 0;
+  return Curl_ssl->version(buffer, size);
+}
+
+static CURLcode Curl_multissl_connect(struct connectdata *conn, int sockindex)
+{
+  if(multissl_init())
+    return CURLE_FAILED_INIT;
+  return Curl_ssl->connect(conn, sockindex);
+}
+
+static CURLcode Curl_multissl_connect_nonblocking(struct connectdata *conn,
+                                                  int sockindex, bool *done)
+{
+  if(multissl_init())
+    return CURLE_FAILED_INIT;
+  return Curl_ssl->connect_nonblocking(conn, sockindex, done);
+}
+
+static void *Curl_multissl_get_internals(struct ssl_connect_data *connssl,
+                                         CURLINFO info)
+{
+  if(multissl_init())
+    return NULL;
+  return Curl_ssl->get_internals(connssl, info);
+}
+
+static void Curl_multissl_close(struct connectdata *conn, int sockindex)
+{
+  if(multissl_init())
+    return;
+  Curl_ssl->close(conn, sockindex);
+}
+
+static const struct Curl_ssl Curl_ssl_multi = {
+  "multi",                           /* name */
+  CURLSSLBACKEND_NONE,
+
+  0, /* have_ca_path */
+  0, /* have_certinfo */
+  0, /* have_pinnedpubkey */
+  0, /* have_ssl_ctx */
+  0, /* support_https_proxy */
+
+  (size_t)-1, /* something insanely large to be on the safe side */
+
+  Curl_multissl_init,                /* init */
+  Curl_none_cleanup,                 /* cleanup */
+  Curl_multissl_version,             /* version */
+  Curl_none_check_cxn,               /* check_cxn */
+  Curl_none_shutdown,                /* shutdown */
+  Curl_none_data_pending,            /* data_pending */
+  Curl_none_random,                  /* random */
+  Curl_none_cert_status_request,     /* cert_status_request */
+  Curl_multissl_connect,             /* connect */
+  Curl_multissl_connect_nonblocking, /* connect_nonblocking */
+  Curl_multissl_get_internals,       /* get_internals */
+  Curl_multissl_close,               /* close */
+  Curl_none_close_all,               /* close_all */
+  Curl_none_session_free,            /* session_free */
+  Curl_none_set_engine,              /* set_engine */
+  Curl_none_set_engine_default,      /* set_engine_default */
+  Curl_none_engines_list,            /* engines_list */
+  Curl_none_false_start,             /* false_start */
+  Curl_none_md5sum,                  /* md5sum */
+  NULL                               /* sha256sum */
+};
+
+const struct Curl_ssl *Curl_ssl = &Curl_ssl_multi;
+
+static const struct Curl_ssl *available_backends[] = {
+#if defined(USE_AXTLS)
+  &Curl_ssl_axtls,
+#endif
+#if defined(USE_CYASSL)
+  &Curl_ssl_cyassl,
+#endif
+#if defined(USE_DARWINSSL)
+  &Curl_ssl_darwinssl,
+#endif
+#if defined(USE_GNUTLS)
+  &Curl_ssl_gnutls,
+#endif
+#if defined(USE_GSKIT)
+  &Curl_ssl_gskit,
+#endif
+#if defined(USE_MBEDTLS)
+  &Curl_ssl_mbedtls,
+#endif
+#if defined(USE_NSS)
+  &Curl_ssl_nss,
+#endif
+#if defined(USE_OPENSSL)
+  &Curl_ssl_openssl,
+#endif
+#if defined(USE_POLARSSL)
+  &Curl_ssl_polarssl,
+#endif
+#if defined(USE_SCHANNEL)
+  &Curl_ssl_schannel,
+#endif
+  NULL
+};
+
+static int multissl_init(void)
+{
+  const char *env;
+  int i;
+
+  if(Curl_ssl != &Curl_ssl_multi)
+    return 1;
+
+  if(!available_backends[0])
+    return 1;
+
+  env = getenv("CURL_SSL_BACKEND");
+  if(env)
+    for(i = 0; available_backends[i]; i++)
+      if(!strcmp(env, available_backends[i]->name)) {
+        Curl_ssl = available_backends[i];
+        return 0;
+      }
+
+  /* Fall back to first available backend */
+  Curl_ssl = available_backends[0];
+  return 0;
+}
+
 #endif /* USE_SSL */