https: Prevent OpenSSL from namespace-leaking

tiennou · tiennou · commit 22317057a526 · 2017-10-23T20:02:35.000+02:00
diff --git a/src/global.h b/src/global.h
@@ -25,11 +25,6 @@ typedef struct {
 	git_thread *current_thread;
 } git_global_st;
 
-#ifdef GIT_OPENSSL
-# include <openssl/ssl.h>
-extern SSL_CTX *git__ssl_ctx;
-#endif
-
 git_global_st *git__global_state(void);
 
 extern git_mutex git__mwindow_mutex;
diff --git a/src/settings.c b/src/settings.c
@@ -19,6 +19,7 @@
 #include "odb.h"
 #include "refs.h"
 #include "transports/smart.h"
+#include "streams/openssl.h"
 
 void git_libgit2_version(int *major, int *minor, int *rev)
 {
@@ -172,11 +173,7 @@ int git_libgit2_opts(int key, ...)
 		{
 			const char *file = va_arg(ap, const char *);
 			const char *path = va_arg(ap, const char *);
-			if (!SSL_CTX_load_verify_locations(git__ssl_ctx, file, path)) {
-				giterr_set(GITERR_NET, "SSL error: %s",
-					ERR_error_string(ERR_get_error(), NULL));
-				error = -1;
-			}
+			error = git_openssl__set_cert_location(file, path);
 		}
 #else
 		giterr_set(GITERR_NET, "cannot set certificate locations: OpenSSL is not enabled");
diff --git a/src/streams/openssl.c b/src/streams/openssl.c
@@ -628,6 +628,16 @@ int git_openssl_stream_new(git_stream **out, const char *host, const char *port)
 	return error;
 }
 
+int git_openssl__set_cert_location(const char *file, const char *path)
+{
+	if (SSL_CTX_load_verify_locations(git__ssl_ctx, file, path) == 0) {
+		giterr_set(GITERR_SSL, "OpenSSL error: failed to load certificates: %s",
+				   ERR_error_string(ERR_get_error(), NULL));
+		return -1;
+	}
+	return 0;
+}
+
 #else
 
 #include "stream.h"
@@ -654,4 +664,13 @@ int git_openssl_stream_new(git_stream **out, const char *host, const char *port)
 	return -1;
 }
 
+int git_openssl__set_cert_location(const char *file, const char *path)
+{
+	GIT_UNUSED(file);
+	GIT_UNUSED(path);
+
+	giterr_set(GITERR_SSL, "openssl is not supported in this version");
+	return -1;
+}
+
 #endif
diff --git a/src/streams/openssl.h b/src/streams/openssl.h
@@ -15,6 +15,8 @@ extern int git_openssl_stream_global_init(void);
 
 extern int git_openssl_stream_new(git_stream **out, const char *host, const char *port);
 
+extern int git_openssl__set_cert_location(const char *file, const char *path);
+
 /*
  * OpenSSL 1.1 made BIO opaque so we have to use functions to interact with it
  * which do not exist in previous versions. We define these inline functions so

Original file line number	Diff line number	Diff line change
`@@ -19,6 +19,7 @@`
`19`	`19`	`#include "odb.h"`
`20`	`20`	`#include "refs.h"`
`21`	`21`	`#include "transports/smart.h"`
	`22`	`+#include "streams/openssl.h"`
`22`	`23`
`23`	`24`	`void git_libgit2_version(int major, int minor, int *rev)`
`24`	`25`	`{`
`@@ -172,11 +173,7 @@ int git_libgit2_opts(int key, ...)`
`172`	`173`	`{`
`173`	`174`	`const char file = va_arg(ap, const char );`
`174`	`175`	`const char path = va_arg(ap, const char );`
`175`		`- if (!SSL_CTX_load_verify_locations(git__ssl_ctx, file, path)) {`
`176`		`- giterr_set(GITERR_NET, "SSL error: %s",`
`177`		`- ERR_error_string(ERR_get_error(), NULL));`
`178`		`- error = -1;`
`179`		`- }`
	`176`	`+ error = git_openssl__set_cert_location(file, path);`
`180`	`177`	`}`
`181`	`178`	`#else`
`182`	`179`	`giterr_set(GITERR_NET, "cannot set certificate locations: OpenSSL is not enabled");`