diff options
author | Etienne Samson <samson.etienne@gmail.com> | 2017-03-21 00:36:32 +0000 |
---|---|---|
committer | Etienne Samson <samson.etienne@gmail.com> | 2017-10-23 20:02:35 +0200 |
commit | 22317057a526e6edbbdd0370f9ab55a8d6c23bed (patch) | |
tree | f1800a4144b614db0c044dffc82abef512627fc1 | |
parent | e93698561145c5d1f66d9f3c8d3b84775a9e5556 (diff) | |
download | libgit2-22317057a526e6edbbdd0370f9ab55a8d6c23bed.tar.gz |
https: Prevent OpenSSL from namespace-leaking
-rw-r--r-- | src/global.h | 5 | ||||
-rw-r--r-- | src/settings.c | 7 | ||||
-rw-r--r-- | src/streams/openssl.c | 19 | ||||
-rw-r--r-- | src/streams/openssl.h | 2 |
4 files changed, 23 insertions, 10 deletions
diff --git a/src/global.h b/src/global.h index b75ad6f56..3c0559c68 100644 --- a/src/global.h +++ b/src/global.h @@ -25,11 +25,6 @@ typedef struct { git_thread *current_thread; } git_global_st; -#ifdef GIT_OPENSSL -# include <openssl/ssl.h> -extern SSL_CTX *git__ssl_ctx; -#endif - git_global_st *git__global_state(void); extern git_mutex git__mwindow_mutex; diff --git a/src/settings.c b/src/settings.c index ba2f6a4db..99d8b9d23 100644 --- a/src/settings.c +++ b/src/settings.c @@ -19,6 +19,7 @@ #include "odb.h" #include "refs.h" #include "transports/smart.h" +#include "streams/openssl.h" void git_libgit2_version(int *major, int *minor, int *rev) { @@ -172,11 +173,7 @@ int git_libgit2_opts(int key, ...) { const char *file = va_arg(ap, const char *); const char *path = va_arg(ap, const char *); - if (!SSL_CTX_load_verify_locations(git__ssl_ctx, file, path)) { - giterr_set(GITERR_NET, "SSL error: %s", - ERR_error_string(ERR_get_error(), NULL)); - error = -1; - } + error = git_openssl__set_cert_location(file, path); } #else giterr_set(GITERR_NET, "cannot set certificate locations: OpenSSL is not enabled"); diff --git a/src/streams/openssl.c b/src/streams/openssl.c index 550b4e10b..56164bf25 100644 --- a/src/streams/openssl.c +++ b/src/streams/openssl.c @@ -628,6 +628,16 @@ out_err: return error; } +int git_openssl__set_cert_location(const char *file, const char *path) +{ + if (SSL_CTX_load_verify_locations(git__ssl_ctx, file, path) == 0) { + giterr_set(GITERR_SSL, "OpenSSL error: failed to load certificates: %s", + ERR_error_string(ERR_get_error(), NULL)); + return -1; + } + return 0; +} + #else #include "stream.h" @@ -654,4 +664,13 @@ int git_openssl_stream_new(git_stream **out, const char *host, const char *port) return -1; } +int git_openssl__set_cert_location(const char *file, const char *path) +{ + GIT_UNUSED(file); + GIT_UNUSED(path); + + giterr_set(GITERR_SSL, "openssl is not supported in this version"); + return -1; +} + #endif diff --git a/src/streams/openssl.h b/src/streams/openssl.h index 202f5674c..2bbad7c68 100644 --- a/src/streams/openssl.h +++ b/src/streams/openssl.h @@ -15,6 +15,8 @@ extern int git_openssl_stream_global_init(void); extern int git_openssl_stream_new(git_stream **out, const char *host, const char *port); +extern int git_openssl__set_cert_location(const char *file, const char *path); + /* * OpenSSL 1.1 made BIO opaque so we have to use functions to interact with it * which do not exist in previous versions. We define these inline functions so |