curl-library
[PATCH] ssl: fix engine refs in duphandle/openssl.cnf support
Date: Tue, 23 Apr 2013 17:14:15 -0700
easy: Increment engine reference in curl_easy_duphandle
When external programs (such as git) try to set the SSL engine,
they set the engine in the default handle but subsequently (if
using multi) obtain a duplicate handle to do the actual work.
curl_easy_duphandle did not do anything with state.engine if set;
make it do so by getting the engine ID of the source handle and
incrementing the reference count with another curl_ssl_set_engine call.
To my limited knowledge this is the 'proper' way to handle additional
handles needing a non-default engine. Please advise if otherwise;
handling of the default engine flag across handles is not attempted.
ssluse: Add Petr Pisar's patch to read OpenSSL conf file
In 2010 Petr Pisar supplied a patch to allow curl to parse OpenSSL
configuration files (either default or env-specified), enabling the
use of dynamic engines such as those used for smartcard support.
Original discussion of the patch terminated here:
http://curl.haxx.se/mail/archive-2010-03/0037.html
The patch is included here and credited to Mr. Pisar because it,
in combination with the duphandle fix, allows OpenSSL-compiled
libcurl (and programs which depend upon it such as git) to support
smartcards. Further suggestions on how to implement this
functionality in a safe and useful way are solicited, as the effect
(allowing dynamic engines) is key to enabling smartcard support in
the 'standard' distribution of curl.
Reported-by: Petr Pisar <petr.pisar_at_atlas.cz>
Signed-off-by: Jerry Qassar <jqassar_at_gmail.com>
--- lib/easy.c | 12 ++++++++++++ lib/ssluse.c | 5 +++++ 2 files changed, 17 insertions(+) diff --git a/lib/easy.c b/lib/easy.c index 72e1206..be93be4 100644 --- a/lib/easy.c +++ b/lib/easy.c @@ -613,6 +613,18 @@ CURL *curl_easy_duphandle(CURL *incurl) data->state.resolver) != CURLE_OK) goto fail; + /* If set, clone the handle to the engine being used. */ +#if defined(USE_SSLEAY) && defined(HAVE_OPENSSL_ENGINE_H) + if (data->state.engine) { + /* state.engine existing means curl_ossl_set_engine was + * previously successful. Because curl_ossl_set_engine worked, + * we can query the already-set engine for that handle and use + * that to increment a reference: + */ + Curl_ssl_set_engine(outcurl, ENGINE_get_id(data->state.engine)); + } +#endif /* USE_SSLEAY */ + Curl_convert_setup(outcurl); Curl_easy_initHandleData(outcurl); diff --git a/lib/ssluse.c b/lib/ssluse.c index a6709d9..f9dce25 100644 --- a/lib/ssluse.c +++ b/lib/ssluse.c @@ -679,6 +679,11 @@ int Curl_ossl_init(void) /* Lets get nice error messages */ SSL_load_error_strings(); + /* Load config file */ + OPENSSL_load_builtin_modules(); + if (CONF_modules_load_file(getenv("OPENSSL_CONF"), NULL, 0) <= 0) + return 0; + /* Init the global ciphers and digests */ if(!SSLeay_add_ssl_algorithms()) return 0; -- 1.8.2.1.342.gfa7285d.dirty ------------------------------------------------------------------- List admin: http://cool.haxx.se/list/listinfo/curl-library Etiquette: http://curl.haxx.se/mail/etiquette.htmlReceived on 2013-04-24
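Review bot: in the lib/easy.c hunk the return value of `Curl_ssl_set_engine(outcurl, ENGINE_get_id(data->state.engine));` is discarded, so if the engine lookup or initialisation fails for the duplicate, `outcurl` is returned without an engine and behaves differently from the handle it was copied from; check the result and `goto fail`, the way the resolver clone just above it is handled. Two smaller points in the same hunk: the closing `#endif /* USE_SSLEAY */` comment does not match the `#if defined(USE_SSLEAY) && defined(HAVE_OPENSSL_ENGINE_H)` it closes, and calling `ENGINE_get_id()` directly from easy.c puts an OpenSSL-specific call into backend-neutral code that the `Curl_ssl_*` layer exists to hide, so the id lookup would be better placed behind a backend accessor in ssluse.c (a hypothetical helper, not one the tree has) so that easy.c needs no `#if`. Style: curl writes `if(` without a space.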
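Review bot: in the lib/ssluse.c hunk, `if (CONF_modules_load_file(getenv("OPENSSL_CONF"), NULL, 0) <= 0) return 0;` turns a missing or malformed config file into a fatal error for `Curl_ossl_init()`, so every program linking libcurl fails `curl_global_init()` as soon as `OPENSSL_CONF` points at a bad path; passing `CONF_MFLAGS_IGNORE_MISSING_FILE`, or treating a load failure as non-fatal, avoids breaking callers that never asked for engine support. Because the purpose of the hunk is to honour `dynamic` engine sections, this also means any process using libcurl loads whatever shared object the environment-selected file names during global init; since the cover letter explicitly asks how to do this safely, the behaviour should at least be documented and weighed for privileged or setuid callers, and making the config load opt-in rather than unconditional would be the more conservative shape. The `/* Load config file */` comment should also say which file (default or `OPENSSL_CONF`) and that it is a process-wide load.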