From 8042939c08bf50a5817d82dcc5a7bacded8672f8 Mon Sep 17 00:00:00 2001
From: jca
Date: Mon, 19 May 2014 20:03:16 +0000
Subject: [PATCH] HTTPS connections may see redirects, so initialize libcrypto and libssl only once, and reuse the crafted SSL_CTX for further connections.

ok lteo@
---
 usr.bin/ftp/fetch.c | 71 +++++++++++++++++++++++++++++++--------------
 1 file changed, 49 insertions(+), 22 deletions(-)

diff --git a/usr.bin/ftp/fetch.c b/usr.bin/ftp/fetch.c
index 25c6ebb2b19..23857593120 100644
--- a/usr.bin/ftp/fetch.c
+++ b/usr.bin/ftp/fetch.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: fetch.c,v 1.118 2014/04/09 10:10:57 jca Exp $ */
+/* $OpenBSD: fetch.c,v 1.119 2014/05/19 20:03:16 jca Exp $ */
 /* $NetBSD: fetch.c,v 1.14 1997/08/18 10:20:20 lukem Exp $ */
 
 /*-
@@ -87,6 +87,7 @@ int ssl_match_hostname(char *, char *);
 int ssl_check_subject_altname(X509 *, char *);
 int ssl_check_common_name(X509 *, char *);
 int ssl_check_hostname(X509 *, char *);
+SSL_CTX *ssl_get_ssl_ctx(void);
 #endif /* !SMALL */
 
 #define FTP_URL "ftp://" /* ftp URL prefix */
@@ -329,6 +330,52 @@ ssl_check_hostname(X509 *cert, char *host)
 
 	return ssl_check_common_name(cert, host);
 }
+
+SSL_CTX *
+ssl_get_ssl_ctx(void)
+{
+	static SSL_CTX *ssl_ctx;
+	static int libssl_loaded;
+
+	if (ssl_ctx != NULL)
+		return ssl_ctx;
+
+	if (!libssl_loaded) {
+		SSL_library_init();
+		SSL_load_error_strings();
+		libssl_loaded = 1;
+	}
+
+	ssl_ctx = SSL_CTX_new(SSLv23_client_method());
+	if (ssl_ctx == NULL)
+		goto err;
+
+	if (ssl_verify) {
+		if (ssl_ca_file == NULL && ssl_ca_path == NULL)
+			ssl_ca_file = _PATH_SSL_CAFILE;
+
+		if (SSL_CTX_load_verify_locations(ssl_ctx,
+		    ssl_ca_file, ssl_ca_path) != 1)
+			goto err;
+
+		SSL_CTX_set_verify(ssl_ctx, SSL_VERIFY_PEER, NULL);
+		if (ssl_verify_depth != -1)
+			SSL_CTX_set_verify_depth(ssl_ctx,
+			    ssl_verify_depth);
+	}
+
+	if (ssl_ciphers != NULL &&
+	    SSL_CTX_set_cipher_list(ssl_ctx, ssl_ciphers) == -1)
+		goto err;
+
+	return ssl_ctx;
+err:
+	if (ssl_ctx != NULL) {
+		SSL_CTX_free(ssl_ctx);
+		ssl_ctx = NULL;
+	}
+	return NULL;
+}
 #endif
 
 /*
@@ -769,31 +816,11 @@ again:
 			proxyurl = NULL;
 			path = sslpath;
 		}
-		SSL_library_init();
-		SSL_load_error_strings();
-		ssl_ctx = SSL_CTX_new(SSLv23_client_method());
+		ssl_ctx = ssl_get_ssl_ctx();
 		if (ssl_ctx == NULL) {
 			ERR_print_errors_fp(ttyout);
 			goto cleanup_url_get;
 		}
-		if (ssl_verify) {
-			if (ssl_ca_file == NULL && ssl_ca_path == NULL)
-				ssl_ca_file = _PATH_SSL_CAFILE;
-			if (SSL_CTX_load_verify_locations(ssl_ctx,
-			    ssl_ca_file, ssl_ca_path) != 1) {
-				ERR_print_errors_fp(ttyout);
-				goto cleanup_url_get;
-			}
-			SSL_CTX_set_verify(ssl_ctx, SSL_VERIFY_PEER, NULL);
-			if (ssl_verify_depth != -1)
-				SSL_CTX_set_verify_depth(ssl_ctx,
-				    ssl_verify_depth);
-		}
-		if (ssl_ciphers != NULL &&
-		    SSL_CTX_set_cipher_list(ssl_ctx, ssl_ciphers) == -1) {
-			ERR_print_errors_fp(ttyout);
-			goto cleanup_url_get;
-		}
 		ssl = SSL_new(ssl_ctx);
 		if (ssl == NULL) {
 			ERR_print_errors_fp(ttyout);
-- 
2.20.1
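Review bot: The cipher-list check in ssl_get_ssl_ctx tests `SSL_CTX_set_cipher_list(ssl_ctx, ssl_ciphers) == -1`, but in the OpenSSL/LibreSSL lineage that function returns 1 on success and 0 when no cipher in the string could be selected, so an unparsable or empty `-S ciphers=` list is never reported and the context silently keeps the library's default cipher list (the same `== -1` test is visible in the call-site code this commit removes, so it was carried over rather than fixed). Change it to `SSL_CTX_set_cipher_list(ssl_ctx, ssl_ciphers) != 1` so the `goto err` path actually fires and the caller's ERR_print_errors_fp() shows the reason. Separately, the context is built once from the `ssl_verify`, `ssl_ca_file`, `ssl_ca_path`, `ssl_verify_depth` and `ssl_ciphers` globals and then cached in a static, so any later change to those globals is not reflected in subsequent connections; a header comment such as `/* Build the shared SSL_CTX from the ssl_* globals on first use; later changes to them are ignored. Callers must not SSL_CTX_free() the result. */` would make that contract explicit to the next maintainer.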
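Review bot: With `ssl_ctx = ssl_get_ssl_ctx();` the context is now a process-wide object owned by the static in ssl_get_ssl_ctx, while this function still assigns it to what appears to be its own `ssl_ctx` variable; the `cleanup_url_get` path is outside this hunk, so it should be confirmed that no `SSL_CTX_free(ssl_ctx)` (or anything that resets it) remains there, otherwise the cached pointer dangles and the next redirect or fetch uses freed memory. The diffstat shows no other hunk in the file, which suggests the cleanup path never freed the context (if so, the old per-connection allocation was a leak, and the new code turns that into an ownership rule). A one-line comment at the assignment, `/* shared, cached context: do not SSL_CTX_free() it here */`, would keep a later cleanup fix from breaking the cache. The enclosing function begins and ends outside this hunk.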