From 6684653b682bae0be75ea62bb473b126923952f1 Mon Sep 17 00:00:00 2001
From: Philipp Waehnert
Date: Wed, 25 Jul 2018 11:00:15 +0200
Subject: configure: add option to disable automatic OpenSSL config loading

Sometimes it may be considered a security risk to load an external OpenSSL configuration automatically inside curl_global_init(). The configuration option --disable-ssl-auto-load-config disables this automatism.

The Windows build scripts winbuild/Makefile.vs provide a corresponding option ENABLE_SSL_AUTO_LOAD_CONFIG accepting a boolean value.

Setting neither of these options corresponds to the previous behavior loading the external OpenSSL configuration automatically.

Fixes #2724
Closes #2791
---
 configure.ac | 14 ++++++++++++++
 lib/vtls/openssl.c | 2 ++
 winbuild/Makefile.vc | 6 ++++++
 winbuild/MakefileBuild.vc | 3 +++
 4 files changed, 25 insertions(+)

diff --git a/configure.ac b/configure.ac
index ff8f5df9b..1e068cb37 100755
--- a/configure.ac
+++ b/configure.ac
@@ -1876,6 +1876,20 @@ if test "$OPENSSL_ENABLED" = "1"; then
   ])
 fi
+dnl ---
+dnl Whether the OpenSSL configuration will be loaded automatically
+dnl ---
+if test X"$OPENSSL_ENABLED" = X"1"; then
+AC_ARG_ENABLE(openssl-auto-load-config,
+AC_HELP_STRING([--enable-openssl-auto-load-config],[Enable automatic loading of OpenSSL configuration])
+AC_HELP_STRING([--disable-openssl-auto-load-config],[Disable automatic loading of OpenSSL configuration]),
+[ if test X"$enableval" = X"no"; then
+   AC_MSG_NOTICE([automatic loading of OpenSSL configuration disabled])
+   AC_DEFINE(CURL_DISABLE_OPENSSL_AUTO_LOAD_CONFIG, 1, [if the OpenSSL configuration won't be loaded automatically])
+  fi
+])
+fi
 dnl ----------------------------------------------------
 dnl check for GnuTLS
 dnl ----------------------------------------------------
diff --git a/lib/vtls/openssl.c b/lib/vtls/openssl.c
index ce890fe3c..d257d9490 100644
--- a/lib/vtls/openssl.c
+++ b/lib/vtls/openssl.c
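Review bot: The option this hunk defines is `--disable-openssl-auto-load-config` (and the Windows knob later in the patch is `ENABLE_OPENSSL_AUTO_LOAD_CONFIG`), but the commit message advertises `--disable-ssl-auto-load-config` and `ENABLE_SSL_AUTO_LOAD_CONFIG`; a builder following the message gets an unknown-option warning from configure and the default, i.e. config loading stays enabled, which is the wrong failure direction for a hardening switch. The names should agree, and the help strings are the place to say what the risk is, since "automatic loading of OpenSSL configuration" alone does not tell a packager why they might want it off. I would expand the `dnl` header to something like `dnl An external openssl.cnf (OPENSSL_CONF) can direct OpenSSL to load engines and dynamic modules; allow builds to opt out of reading it in curl_global_init()`. It may also be worth surfacing the resulting define wherever configure already reports enabled features, so a deployed libcurl can be audited for it; I cannot see from this hunk whether such a list exists.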
@@ -994,9 +994,11 @@ static int Curl_ossl_init(void)
 #define CONF_MFLAGS_DEFAULT_SECTION 0x0
 #endif
+#ifndef CURL_DISABLE_OPENSSL_AUTO_LOAD_CONFIG
   CONF_modules_load_file(NULL, NULL,
                          CONF_MFLAGS_DEFAULT_SECTION|
                          CONF_MFLAGS_IGNORE_MISSING_FILE);
+#endif
 #if (OPENSSL_VERSION_NUMBER >= 0x10100000L) && \
   !defined(LIBRESSL_VERSION_NUMBER)
diff --git a/winbuild/Makefile.vc b/winbuild/Makefile.vc
index a874b77f8..7b42e1bdb 100644
--- a/winbuild/Makefile.vc
+++ b/winbuild/Makefile.vc
@@ -53,6 +53,8 @@ CFGSET=true
 !MESSAGE ENABLE_IPV6= - Enable IPv6, defaults to yes
 !MESSAGE ENABLE_SSPI= - Enable SSPI support, defaults to yes
 !MESSAGE ENABLE_WINSSL= - Enable native Windows SSL support, defaults to yes
+!MESSAGE ENABLE_OPENSSL_AUTO_LOAD_CONFIG=
+!MESSAGE - Whether the OpenSSL configuration will be loaded automatically, defaults to yes
 !MESSAGE GEN_PDB= - Generate Program Database (debug symbols for release build)
 !MESSAGE DEBUG= - Debug builds
 !MESSAGE MACHINE= - Target architecture (default x64 on AMD64, x86 on others)
@@ -130,6 +132,10 @@ USE_WINSSL = true
 USE_WINSSL = false
 !ENDIF
+!IFNDEF ENABLE_OPENSSL_AUTO_LOAD_CONFIG
+ENABLE_OPENSSL_AUTO_LOAD_CONFIG = true
+!ENDIF
 CONFIG_NAME_LIB = libcurl
 !IF "$(WITH_SSL)"=="dll"
diff --git a/winbuild/MakefileBuild.vc b/winbuild/MakefileBuild.vc
index 019a414a0..2b4087d58 100644
--- a/winbuild/MakefileBuild.vc
+++ b/winbuild/MakefileBuild.vc
@@ -152,6 +152,9 @@ SSL_CFLAGS = /DUSE_OPENSSL /I"$(SSL_INC_DIR)"
 !IF EXISTS("$(SSL_INC_DIR)\is_boringssl.h")
 SSL_CFLAGS = $(SSL_CFLAGS) /DHAVE_BORINGSSL
 !ENDIF
+!IF "$(ENABLE_OPENSSL_AUTO_LOAD_CONFIG)"=="false"
+SSL_CFLAGS = $(SSL_CFLAGS) /DCURL_DISABLE_OPENSSL_AUTO_LOAD_CONFIG
+!ENDIF
 !ENDIF
-- 
cgit v1.2.3
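Review bot: The new `#ifndef` only wraps the explicit `CONF_modules_load_file()` call, but the `#if (OPENSSL_VERSION_NUMBER >= 0x10100000L)` branch that starts at the bottom of the hunk is cut off here; if, as that version check suggests, it goes on to call `OPENSSL_init_ssl()`, then on OpenSSL 1.1.1 and later that call loads the configuration file by itself by default unless `OPENSSL_INIT_NO_LOAD_CONFIG` is in its options, so `CURL_DISABLE_OPENSSL_AUTO_LOAD_CONFIG` would leave auto-loading effectively enabled on exactly the builds most people ship. The define should also gate that path, e.g. OR `OPENSSL_INIT_NO_LOAD_CONFIG` into the options passed to `OPENSSL_init_ssl()` under `#ifdef CURL_DISABLE_OPENSSL_AUTO_LOAD_CONFIG`, and it is worth a test that sets `OPENSSL_CONF` to a file with a deliberately bad directive and checks the disabled build ignores it. A short comment on the guard would help the next reader, e.g. `/* openssl.cnf (OPENSSL_CONF) can pull in engines and dynamic modules; builds may opt out */`. `Curl_ossl_init()` continues past the end of the hunk.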
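Review bot: `!IF "$(ENABLE_OPENSSL_AUTO_LOAD_CONFIG)"=="false"` in the MakefileBuild.vc hunk recognises only the literal lowercase `false`; `FALSE`, `no` or `0` all fall through silently to the default and the hardening is not applied, which is the wrong failure direction for this switch. That is made more likely by the Makefile.vc help text in the same patch, which says the option "defaults to yes" while the value actually set is `true`, so `ENABLE_OPENSSL_AUTO_LOAD_CONFIG=no` is a natural thing to type. Either accept the documented spelling, `!IF "$(ENABLE_OPENSSL_AUTO_LOAD_CONFIG)"=="false" || "$(ENABLE_OPENSSL_AUTO_LOAD_CONFIG)"=="no"`, or reject anything other than the two accepted values with `!ERROR`; I cannot see how the neighbouring `ENABLE_*` variables are parsed, so follow whichever convention they use and state the accepted values in the `!MESSAGE` line.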