https: Prevent OpenSSL from namespace-leaking

22317057 · Etienne Samson · e9369856 · 22317057 · 22317057 · 22317057
Commit 22317057 authored Mar 21, 2017 by Etienne Samson
Hide whitespace changes
Inline Side-by-side

Showing with 23 additions and 10 deletions

src/global.h
+0 -5

src/settings.c
+2 -5

src/streams/openssl.c
+19 -0

src/streams/openssl.h
+2 -0

No files found.
--- a/src/global.h
+++ b/src/global.h
@@ -25,11 +25,6 @@ typedef struct {
 	git_thread *current_thread;
 } git_global_st;

-#ifdef GIT_OPENSSL
-# include <openssl/ssl.h>
-extern SSL_CTX *git__ssl_ctx;
-#endif
-
 git_global_st *git__global_state(void);

 extern git_mutex git__mwindow_mutex;

--- a/src/settings.c
+++ b/src/settings.c
@@ -19,6 +19,7 @@
 #include "odb.h"
 #include "refs.h"
 #include "transports/smart.h"
+#include "streams/openssl.h"

 void git_libgit2_version(int *major, int *minor, int *rev)
 {
@@ -172,11 +173,7 @@ int git_libgit2_opts(int key, ...)
 		{
 			const char *file = va_arg(ap, const char *);
 			const char *path = va_arg(ap, const char *);
-			if (!SSL_CTX_load_verify_locations(git__ssl_ctx, file, path)) {
-				giterr_set(GITERR_NET, "SSL error: %s",
-					ERR_error_string(ERR_get_error(), NULL));
-				error = -1;
-			}
+			error = git_openssl__set_cert_location(file, path);
 		}
 #else
 		giterr_set(GITERR_NET, "cannot set certificate locations: OpenSSL is not enabled");

--- a/src/streams/openssl.c
+++ b/src/streams/openssl.c
@@ -628,6 +628,16 @@ out_err:
 	return error;
 }

+int git_openssl__set_cert_location(const char *file, const char *path)
+{
+	if (SSL_CTX_load_verify_locations(git__ssl_ctx, file, path) == 0) {
+		giterr_set(GITERR_SSL, "OpenSSL error: failed to load certificates: %s",
+				   ERR_error_string(ERR_get_error(), NULL));
+		return -1;
+	}
+	return 0;
+}
+
 #else

 #include "stream.h"
@@ -654,4 +664,13 @@ int git_openssl_stream_new(git_stream **out, const char *host, const char *port)
 	return -1;
 }

+int git_openssl__set_cert_location(const char *file, const char *path)
+{
+	GIT_UNUSED(file);
+	GIT_UNUSED(path);
+
+	giterr_set(GITERR_SSL, "openssl is not supported in this version");
+	return -1;
+}
+
 #endif
--- a/src/streams/openssl.h
+++ b/src/streams/openssl.h
@@ -15,6 +15,8 @@ extern int git_openssl_stream_global_init(void);

 extern int git_openssl_stream_new(git_stream **out, const char *host, const char *port);

+extern int git_openssl__set_cert_location(const char *file, const char *path);
+
 /*
 * OpenSSL 1.1 made BIO opaque so we have to use functions to interact with it
 * which do not exist in previous versions. We define these inline functions so