summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorJeremie Courreges-Anglas <jca@cvs.openbsd.org>2014-05-19 20:03:17 +0000
committerJeremie Courreges-Anglas <jca@cvs.openbsd.org>2014-05-19 20:03:17 +0000
commitc3b842617f42ed705bb35f60442de876b0ffc03a (patch)
tree677c219664059f5e39d6155b1749e6ca90209bab
parentcc01ff69c2cebfffcc95695cd0374f5fc472f8ae (diff)
HTTPS connections may see redirects, so initialize libcrypto and libssl
only once, and reuse the crafted SSL_CTX for further connections. ok lteo@
-rw-r--r--usr.bin/ftp/fetch.c71
1 files changed, 49 insertions, 22 deletions
diff --git a/usr.bin/ftp/fetch.c b/usr.bin/ftp/fetch.c
index 25c6ebb2b19..23857593120 100644
--- a/usr.bin/ftp/fetch.c
+++ b/usr.bin/ftp/fetch.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: fetch.c,v 1.118 2014/04/09 10:10:57 jca Exp $ */
+/* $OpenBSD: fetch.c,v 1.119 2014/05/19 20:03:16 jca Exp $ */
/* $NetBSD: fetch.c,v 1.14 1997/08/18 10:20:20 lukem Exp $ */
/*-
@@ -87,6 +87,7 @@ int ssl_match_hostname(char *, char *);
int ssl_check_subject_altname(X509 *, char *);
int ssl_check_common_name(X509 *, char *);
int ssl_check_hostname(X509 *, char *);
+SSL_CTX *ssl_get_ssl_ctx(void);
#endif /* !SMALL */
#define FTP_URL "ftp://" /* ftp URL prefix */
@@ -329,6 +330,52 @@ ssl_check_hostname(X509 *cert, char *host)
return ssl_check_common_name(cert, host);
}
+
+SSL_CTX *
+ssl_get_ssl_ctx(void)
+{
+ static SSL_CTX *ssl_ctx;
+ static int libssl_loaded;
+
+ if (ssl_ctx != NULL)
+ return ssl_ctx;
+
+ if (!libssl_loaded) {
+ SSL_library_init();
+ SSL_load_error_strings();
+ libssl_loaded = 1;
+ }
+
+ ssl_ctx = SSL_CTX_new(SSLv23_client_method());
+ if (ssl_ctx == NULL)
+ goto err;
+
+ if (ssl_verify) {
+ if (ssl_ca_file == NULL && ssl_ca_path == NULL)
+ ssl_ca_file = _PATH_SSL_CAFILE;
+
+ if (SSL_CTX_load_verify_locations(ssl_ctx,
+ ssl_ca_file, ssl_ca_path) != 1)
+ goto err;
+
+ SSL_CTX_set_verify(ssl_ctx, SSL_VERIFY_PEER, NULL);
+ if (ssl_verify_depth != -1)
+ SSL_CTX_set_verify_depth(ssl_ctx,
+ ssl_verify_depth);
+ }
+
+ if (ssl_ciphers != NULL &&
+ SSL_CTX_set_cipher_list(ssl_ctx, ssl_ciphers) == -1)
+ goto err;
+
+ return ssl_ctx;
+err:
+ if (ssl_ctx != NULL) {
+ SSL_CTX_free(ssl_ctx);
+ ssl_ctx = NULL;
+ }
+ return NULL;
+}
#endif
/*
@@ -769,31 +816,11 @@ again:
proxyurl = NULL;
path = sslpath;
}
- SSL_library_init();
- SSL_load_error_strings();
- ssl_ctx = SSL_CTX_new(SSLv23_client_method());
+ ssl_ctx = ssl_get_ssl_ctx();
if (ssl_ctx == NULL) {
ERR_print_errors_fp(ttyout);
goto cleanup_url_get;
}
- if (ssl_verify) {
- if (ssl_ca_file == NULL && ssl_ca_path == NULL)
- ssl_ca_file = _PATH_SSL_CAFILE;
- if (SSL_CTX_load_verify_locations(ssl_ctx,
- ssl_ca_file, ssl_ca_path) != 1) {
- ERR_print_errors_fp(ttyout);
- goto cleanup_url_get;
- }
- SSL_CTX_set_verify(ssl_ctx, SSL_VERIFY_PEER, NULL);
- if (ssl_verify_depth != -1)
- SSL_CTX_set_verify_depth(ssl_ctx,
- ssl_verify_depth);
- }
- if (ssl_ciphers != NULL &&
- SSL_CTX_set_cipher_list(ssl_ctx, ssl_ciphers) == -1) {
- ERR_print_errors_fp(ttyout);
- goto cleanup_url_get;
- }
ssl = SSL_new(ssl_ctx);
if (ssl == NULL) {
ERR_print_errors_fp(ttyout);