From: Andreas Enge <andreas@enge.fr>
To: guix-devel@gnu.org
Subject: Openssl and certificate directory
Date: Sat, 7 Feb 2015 16:17:48 +0100
Message-ID: <20150207151748.GA6943@debian>
[-- Attachment #1: Type: text/plain, Size: 1199 bytes --]
Hello,
the attached patch does the same thing as we just pushed for gnutls:
It sets the global certificate store to files and directories inside
/etc/ssl. It should be applied after the update to 1.0.2, which I am
trying to have built by Hydra on the wip-openssl branch (except that Hydra
refuses to evaluate this for the last few hours, did I make a mistake?).
I tried youtube-dl with it, and it works now out of the box with the
certificates that Debian puts into /etc/ssl/certs/.
Unless there are complaints, I would like to push it to master once Hydra
has built enough packages with it.
In the long run, we might wish to apply a mixture of the two attached
patches from nix: They take the certificate location from the environment
variable OPENSSL_X509_CERT_FILE if it is defined, and only if the binary
is not setuid. The patch concerns only the cert file, a file with lots
of certificates concatenated; I would rather be in favour of patching the
next function, X509_get_default_cert_dir_env, which defines a directory
with lots of separate certificates. These could come from separate
certificate packages. We could then also add a search path to set the
environment variable.
Andreas
[-- Attachment #2: 0001-gnu-openssl-Use-etc-ssl-as-the-base-directory-for-ce.patch --]
[-- Type: text/plain, Size: 1298 bytes --]
From 7e54dd89d698d1209f9cc2cfde95f9f6fd0ecbaf Mon Sep 17 00:00:00 2001
From: Andreas Enge <andreas@enge.fr>
Date: Sat, 7 Feb 2015 13:14:27 +0100
Subject: [PATCH] gnu: openssl: Use /etc/ssl as the base directory for
certificates.
* gnu/packages/openssl.scm (openssl)[source]: Add a snippet to use
/etc/ssl/certs/ as the directory and /etc/ssl/cert.pem as the
file where certificates are searched.
---
gnu/packages/openssl.scm | 8 +++++++-
1 file changed, 7 insertions(+), 1 deletion(-)
diff --git a/gnu/packages/openssl.scm b/gnu/packages/openssl.scm
index 34e1351..b6dfe6d 100644
--- a/gnu/packages/openssl.scm
+++ b/gnu/packages/openssl.scm
@@ -36,7 +36,13 @@
".tar.gz"))
(sha256
(base32
- "1s988w1h1yxh7lhrhh164hv6vil94lkwzh6g2rfm03dypbrvlj4c"))))
+ "1s988w1h1yxh7lhrhh164hv6vil94lkwzh6g2rfm03dypbrvlj4c"))
+ (modules '((guix build utils))) ; for substitute*
+ (snippet
+ '(begin
+ ;; Use /etc/ssl as the base directory for certificates.
+ (substitute* "crypto/cryptlib.h"
+ (("OPENSSLDIR") "\"/etc/ssl\""))))))
(build-system gnu-build-system)
(native-inputs `(("perl" ,perl)))
(arguments
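Review bot: the pattern "OPENSSLDIR" in the substitute* call rewrites every occurrence of that token in crypto/cryptlib.h, not only the certificate directory and certificate file definitions the commit message describes, so any other default that header derives from OPENSSLDIR (the private-key directory, for instance) also moves under /etc/ssl; either state that in the commit message or anchor the pattern to the two definitions you mean. Note also that substitute* does not fail when the pattern is absent, so a later OpenSSL update that restructures the header would silently fall back to the compiled-in store directory; a check that the substitution actually matched would make that visible at build time.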
--
2.2.1
[-- Attachment #3: cert-file.patch --]
[-- Type: text/plain, Size: 1084 bytes --]
diff -ru -x '*~' openssl-1.0.0e-orig/crypto/x509/x509_def.c openssl-1.0.0e/crypto/x509/x509_def.c
--- openssl-1.0.0e-orig/crypto/x509/x509_def.c 1999-09-11 19:54:11.000000000 +0200
+++ openssl-1.0.0e/crypto/x509/x509_def.c 2011-09-12 18:30:59.386501609 +0200
@@ -57,6 +57,10 @@
*/
#include <stdio.h>
+#include <stdlib.h>
+#include <limits.h>
+#include <unistd.h>
+#include <sys/types.h>
#include "cryptlib.h"
#include <openssl/crypto.h>
#include <openssl/x509.h>
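Review bot: the function body added in the next hunk calls strncpy, but this include block does not add <string.h> (the follow-up cert-file-path-max.patch adds it later); fold `+#include <string.h>` into this hunk so that cert-file.patch compiles cleanly on its own.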
@@ -71,7 +75,25 @@
{ return(X509_CERT_DIR); }
const char *X509_get_default_cert_file(void)
- { return(X509_CERT_FILE); }
+ {
+ static char buf[PATH_MAX] = X509_CERT_FILE;
+ static int init = 0;
+ if (!init) {
+ init = 1;
+ char * s = getenv("OPENSSL_X509_CERT_FILE");
+ if (s) {
+#ifndef OPENSSL_SYS_WINDOWS
+ if (getuid() == geteuid()) {
+#endif
+ strncpy(buf, s, sizeof(buf));
+ buf[sizeof(buf) - 1] = 0;
+#ifndef OPENSSL_SYS_WINDOWS
+ }
+#endif
+ }
+ }
+ return buf;
+ }
const char *X509_get_default_cert_dir_env(void)
{ return(X509_CERT_DIR_EVP); }
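Review bot: the `getuid() == geteuid()` test only recognises setuid binaries; a setgid binary (getgid() != getegid()) still honours the caller-controlled OPENSSL_X509_CERT_FILE, so the condition should compare the group ids as well (or use issetugid() / secure_getenv() where the platform provides them). The `init` flag and the static `buf` are also written without any synchronisation, so two threads doing their first TLS setup at the same time can race on the buffer; since the result only depends on process-wide state, either compute it once under a lock or document that a concurrent double initialisation writes identical contents and is tolerated.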
[-- Attachment #4: cert-file-path-max.patch --]
[-- Type: text/plain, Size: 1038 bytes --]
This patch, to be applied after `cert-file.patch', fixes compilation
on GNU/Hurd where `PATH_MAX' is not defined.
diff -ubB --show-c-function openssl-1.0.0e/crypto/x509/x509_def.c.orig openssl-1.0.0e/crypto/x509/x509_def.c
--- openssl-1.0.0e/crypto/x509/x509_def.c.orig 2012-01-06 00:08:48.000000000 +0100
+++ openssl-1.0.0e/crypto/x509/x509_def.c 2012-01-06 00:11:29.000000000 +0100
@@ -58,6 +58,7 @@
#include <stdio.h>
#include <stdlib.h>
+#include <string.h>
#include <limits.h>
#include <unistd.h>
#include <sys/types.h>
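Review bot: <limits.h> was only added by cert-file.patch for PATH_MAX, and the hunk below removes the last use of PATH_MAX, so this include is now dead; drop it in the same hunk that adds <string.h>.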
@@ -76,14 +77,16 @@ const char *X509_get_default_cert_dir(vo
const char *X509_get_default_cert_file(void)
{
- static char buf[PATH_MAX] = X509_CERT_FILE;
+ static char *buf;
static int init = 0;
if (!init) {
init = 1;
char * s = getenv("OPENSSL_X509_CERT_FILE");
if (s && getuid() == geteuid()) {
- strncpy(buf, s, sizeof(buf));
- buf[sizeof(buf) - 1] = 0;
+ buf = strdup(s);
+ }
+ if (!s) {
+ buf = strdup(X509_CERT_FILE);
}
}
return buf;
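Review bot: when OPENSSL_X509_CERT_FILE is set but getuid() != geteuid(), neither branch assigns `buf`: the `if (s && getuid() == geteuid())` test fails and `if (!s)` is also false, so the function returns NULL where the previous version always returned an initialised buffer, and callers that treat the result as a path will dereference it. Replace `if (!s)` with `if (!buf)` (or make it the `else` branch) so the compiled-in default is used whenever the override is rejected, and handle strdup() returning NULL by falling back to the X509_CERT_FILE literal rather than propagating NULL.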