configure: add option to disable automatic OpenSSL config loading

pwaehnert · bagder · commit 6684653b682b · 2018-09-07T09:38:33.000+02:00
Sometimes it may be considered a security risk to load an external OpenSSL configuration automatically inside curl_global_init(). The configuration option --disable-ssl-auto-load-config disables this automatism. The Windows build scripts winbuild/Makefile.vs provide a corresponding option ENABLE_SSL_AUTO_LOAD_CONFIG accepting a boolean value. Setting neither of these options corresponds to the previous behavior loading the external OpenSSL configuration automatically. Fixes #2724 Closes #2791
diff --git a/configure.ac b/configure.ac
@@ -1876,6 +1876,20 @@ if test "$OPENSSL_ENABLED" = "1"; then
    ])
 fi
 
+dnl ---
+dnl Whether the OpenSSL configuration will be loaded automatically
+dnl ---
+if test X"$OPENSSL_ENABLED" = X"1"; then
+AC_ARG_ENABLE(openssl-auto-load-config,
+AC_HELP_STRING([--enable-openssl-auto-load-config],[Enable automatic loading of OpenSSL configuration])
+AC_HELP_STRING([--disable-openssl-auto-load-config],[Disable automatic loading of OpenSSL configuration]),
+[ if test X"$enableval" = X"no"; then
+    AC_MSG_NOTICE([automatic loading of OpenSSL configuration disabled])
+    AC_DEFINE(CURL_DISABLE_OPENSSL_AUTO_LOAD_CONFIG, 1, [if the OpenSSL configuration won't be loaded automatically])
+  fi
+])
+fi
+
 dnl ----------------------------------------------------
 dnl check for GnuTLS
 dnl ----------------------------------------------------
diff --git a/lib/vtls/openssl.c b/lib/vtls/openssl.c
@@ -994,9 +994,11 @@ static int Curl_ossl_init(void)
 #define CONF_MFLAGS_DEFAULT_SECTION 0x0
 #endif
 
+#ifndef CURL_DISABLE_OPENSSL_AUTO_LOAD_CONFIG
   CONF_modules_load_file(NULL, NULL,
                          CONF_MFLAGS_DEFAULT_SECTION|
                          CONF_MFLAGS_IGNORE_MISSING_FILE);
+#endif
 
 #if (OPENSSL_VERSION_NUMBER >= 0x10100000L) && \
     !defined(LIBRESSL_VERSION_NUMBER)
diff --git a/winbuild/Makefile.vc b/winbuild/Makefile.vc
@@ -53,6 +53,8 @@ CFGSET=true
 !MESSAGE   ENABLE_IPV6=<yes or no>        - Enable IPv6, defaults to yes
 !MESSAGE   ENABLE_SSPI=<yes or no>        - Enable SSPI support, defaults to yes
 !MESSAGE   ENABLE_WINSSL=<yes or no>      - Enable native Windows SSL support, defaults to yes
+!MESSAGE   ENABLE_OPENSSL_AUTO_LOAD_CONFIG=<yes or no>
+!MESSAGE                                  - Whether the OpenSSL configuration will be loaded automatically, defaults to yes
 !MESSAGE   GEN_PDB=<yes or no>            - Generate Program Database (debug symbols for release build)
 !MESSAGE   DEBUG=<yes or no>              - Debug builds
 !MESSAGE   MACHINE=<x86 or x64>           - Target architecture (default x64 on AMD64, x86 on others)
@@ -130,6 +132,10 @@ USE_WINSSL = true
 USE_WINSSL = false
 !ENDIF
 
+!IFNDEF ENABLE_OPENSSL_AUTO_LOAD_CONFIG
+ENABLE_OPENSSL_AUTO_LOAD_CONFIG = true
+!ENDIF
+
 CONFIG_NAME_LIB = libcurl
 
 !IF "$(WITH_SSL)"=="dll"
diff --git a/winbuild/MakefileBuild.vc b/winbuild/MakefileBuild.vc
@@ -152,6 +152,9 @@ SSL_CFLAGS   = /DUSE_OPENSSL /I"$(SSL_INC_DIR)"
 !IF EXISTS("$(SSL_INC_DIR)\is_boringssl.h")
 SSL_CFLAGS   = $(SSL_CFLAGS) /DHAVE_BORINGSSL
 !ENDIF
+!IF "$(ENABLE_OPENSSL_AUTO_LOAD_CONFIG)"=="false"
+SSL_CFLAGS   = $(SSL_CFLAGS) /DCURL_DISABLE_OPENSSL_AUTO_LOAD_CONFIG
+!ENDIF
 !ENDIF
 
 
