Openssl and certificate directory

Openssl and certificate directory

[Andreas Enge]

[-- Attachment #1: Type: text/plain, Size: 1199 bytes --]

Hello,

the attached patch does the same thing as we just pushed for gnutls:
It sets the global certificate store to files and directories inside
/etc/ssl. It should be applied after the update to 1.0.2, which I am
trying to have built by hydra on the wip-openssl branch (except that hydra
refuses to evaluate this for the last few hours, did I make a mistake?).

I tried youtube-dl with it, and it works now out of the box with the
certificates that debian puts into /etc/ssl/certs/.

Unless there are complaints, I would like to push it to master once hydra
has built enough packages with it.

In the long run, we might wish to apply a mixture of the two attached
patches from nix: They take the certificate location from the environment
variable OPENSSL_X509_CERT_FILE if it is defined, and only if the binary
is not setuid. The patch concerns only the cert file, a file with lots
of certificates concatenated; I would rather be in favour of patching the
next function, X509_get_default_cert_dir_env, which defines a directory
with lots of separate certificates. These could come from separate
certificate packages. We could then also add a search path to set the
environment variable.

Andreas


[-- Attachment #2: 0001-gnu-openssl-Use-etc-ssl-as-the-base-directory-for-ce.patch --]
[-- Type: text/plain, Size: 1298 bytes --]

From 7e54dd89d698d1209f9cc2cfde95f9f6fd0ecbaf Mon Sep 17 00:00:00 2001
From: Andreas Enge <andreas@enge.fr>
Date: Sat, 7 Feb 2015 13:14:27 +0100
Subject: [PATCH] gnu: openssl: Use /etc/ssl as the base directory for
 certificates.

* gnu/packages/openssl.scm (openssl)[source]: Add a snippet to use
    /etc/ssl/certs/ as the directory and /etc/ssl/cert.pem as the
    file where certificates are searched.
---
 gnu/packages/openssl.scm | 8 +++++++-
 1 file changed, 7 insertions(+), 1 deletion(-)

diff --git a/gnu/packages/openssl.scm b/gnu/packages/openssl.scm
index 34e1351..b6dfe6d 100644
--- a/gnu/packages/openssl.scm
+++ b/gnu/packages/openssl.scm
@@ -36,7 +36,13 @@
                                 ".tar.gz"))
             (sha256
              (base32
-              "1s988w1h1yxh7lhrhh164hv6vil94lkwzh6g2rfm03dypbrvlj4c"))))
+              "1s988w1h1yxh7lhrhh164hv6vil94lkwzh6g2rfm03dypbrvlj4c"))
+            (modules '((guix build utils))) ; for substitute*
+            (snippet
+              '(begin
+                 ;; Use /etc/ssl as the base directory for certificates.
+                 (substitute* "crypto/cryptlib.h"
+                   (("OPENSSLDIR") "\"/etc/ssl\""))))))
    (build-system gnu-build-system)
    (native-inputs `(("perl" ,perl)))
    (arguments
-- 
2.2.1


[-- Attachment #3: cert-file.patch --]
[-- Type: text/plain, Size: 1084 bytes --]

diff -ru -x '*~' openssl-1.0.0e-orig/crypto/x509/x509_def.c openssl-1.0.0e/crypto/x509/x509_def.c
--- openssl-1.0.0e-orig/crypto/x509/x509_def.c	1999-09-11 19:54:11.000000000 +0200
+++ openssl-1.0.0e/crypto/x509/x509_def.c	2011-09-12 18:30:59.386501609 +0200
@@ -57,6 +57,10 @@
  */
 
 #include <stdio.h>
+#include <stdlib.h>
+#include <limits.h>
+#include <unistd.h>
+#include <sys/types.h>
 #include "cryptlib.h"
 #include <openssl/crypto.h>
 #include <openssl/x509.h>
@@ -71,7 +75,25 @@
 	{ return(X509_CERT_DIR); }
 
 const char *X509_get_default_cert_file(void)
-	{ return(X509_CERT_FILE); }
+	{
+	static char buf[PATH_MAX] = X509_CERT_FILE;
+	static int init = 0;
+	if (!init) {
+	    init = 1;
+	    char * s = getenv("OPENSSL_X509_CERT_FILE");
+	    if (s) {
+#ifndef OPENSSL_SYS_WINDOWS
+	        if (getuid() == geteuid()) {
+#endif
+		        strncpy(buf, s, sizeof(buf));
+		        buf[sizeof(buf) - 1] = 0;
+#ifndef OPENSSL_SYS_WINDOWS
+	        }
+#endif
+	    }
+	}
+	return buf;
+	}
 
 const char *X509_get_default_cert_dir_env(void)
 	{ return(X509_CERT_DIR_EVP); }

[-- Attachment #4: cert-file-path-max.patch --]
[-- Type: text/plain, Size: 1038 bytes --]

This patch, to be applied after `cert-file.patch', fixes compilation
on GNU/Hurd where `PATH_MAX' is not defined.

diff -ubB --show-c-function openssl-1.0.0e/crypto/x509/x509_def.c.orig openssl-1.0.0e/crypto/x509/x509_def.c
--- openssl-1.0.0e/crypto/x509/x509_def.c.orig	2012-01-06 00:08:48.000000000 +0100
+++ openssl-1.0.0e/crypto/x509/x509_def.c	2012-01-06 00:11:29.000000000 +0100
@@ -58,6 +58,7 @@
 
 #include <stdio.h>
 #include <stdlib.h>
+#include <string.h>
 #include <limits.h>
 #include <unistd.h>
 #include <sys/types.h>
@@ -76,14 +77,16 @@ const char *X509_get_default_cert_dir(vo
 
 const char *X509_get_default_cert_file(void)
 	{
-	static char buf[PATH_MAX] = X509_CERT_FILE;
+	static char *buf;
 	static int init = 0;
 	if (!init) {
 	    init = 1;
 	    char * s = getenv("OPENSSL_X509_CERT_FILE");
 	    if (s && getuid() == geteuid()) {
-		strncpy(buf, s, sizeof(buf));
-		buf[sizeof(buf) - 1] = 0;
+	         buf = strdup(s);
+	    }
+	    if (!s) {
+	         buf = strdup(X509_CERT_FILE);
 	    }
 	}
 	return buf;

Re: Openssl and certificate directory

[Mark H Weaver]

Andreas Enge <andreas@enge.fr> writes:

> the attached patch does the same thing as we just pushed for gnutls:
> It sets the global certificate store to files and directories inside
> /etc/ssl.

Unlike GnuTLS, OpenSSL supports setting the trust store location using
environment variables, specifically SSL_CERT_DIR and SSL_CERT_FILE.
Shouldn't we just use those?

> It should be applied after the update to 1.0.2, which I am
> trying to have built by hydra on the wip-openssl branch (except that hydra
> refuses to evaluate this for the last few hours, did I make a mistake?).

If we were to apply this patch, I'd rather have just one rebuild rather
than two, especially since our MIPS build slave is unable to keep up as
it is.  What do you think?

     Best,
      Mark

Re: Openssl and certificate directory

[Andreas Enge]

On Sat, Feb 07, 2015 at 08:57:32PM -0500, Mark H Weaver wrote:
> Unlike GnuTLS, OpenSSL supports setting the trust store location using
> environment variables, specifically SSL_CERT_DIR and SSL_CERT_FILE.
> Shouldn't we just use those?

I had read about these, but the documentation mentions them only in the
context of c_rehash. So I thought they were not generally applicable. But
indeed they are, I just tried SSL_CERT_DIR with youtube-dl. Also, it can be
a ":" separated list of directories. So we should probably encourage its
usage by defining a search path with our (future) certificate packages.

> If we were to apply this patch, I'd rather have just one rebuild rather
> than two, especially since our MIPS build slave is unable to keep up as
> it is.  What do you think?

So maybe we do not need it at all? What do you think? Concerning the rebuilds,
I would say that the aim of continuous integration would be to determine
exactly the place where something goes wrong, so in general, I am rather
in favour of more rebuilds. As the one mips machine cannot keep up, it would
then be reasonable to abort earlier builds.

Andreas

Re: Openssl and certificate directory

[Ludovic Courtès]

Andreas Enge <andreas@enge.fr> skribis:

> On Sat, Feb 07, 2015 at 08:57:32PM -0500, Mark H Weaver wrote:
>> Unlike GnuTLS, OpenSSL supports setting the trust store location using
>> environment variables, specifically SSL_CERT_DIR and SSL_CERT_FILE.
>> Shouldn't we just use those?
>
> I had read about these, but the documentation mentions them only in the
> context of c_rehash. So I thought they were not generally applicable. But
> indeed they are, I just tried SSL_CERT_DIR with youtube-dl. Also, it can be
> a ":" separated list of directories. So we should probably encourage its
> usage by defining a search path with our (future) certificate packages.

[...]

> So maybe we do not need it at all? What do you think?

I agree, we should just use SSL_CERT_DIR and SSL_CERT_FILE.

We could indeed add a ‘search-path-specification’ in OpenSSL for
SSL_CERT_DIR.

Thanks,
Ludo’.

Re: Openssl and certificate directory

[Mark H Weaver]

ludo@gnu.org (Ludovic Courtès) writes:

> Andreas Enge <andreas@enge.fr> skribis:
>
>> On Sat, Feb 07, 2015 at 08:57:32PM -0500, Mark H Weaver wrote:
>>> Unlike GnuTLS, OpenSSL supports setting the trust store location using
>>> environment variables, specifically SSL_CERT_DIR and SSL_CERT_FILE.
>>> Shouldn't we just use those?
>>
>> I had read about these, but the documentation mentions them only in the
>> context of c_rehash. So I thought they were not generally applicable. But
>> indeed they are, I just tried SSL_CERT_DIR with youtube-dl. Also, it can be
>> a ":" separated list of directories. So we should probably encourage its
>> usage by defining a search path with our (future) certificate packages.
>
> [...]
>
>> So maybe we do not need it at all? What do you think?
>
> I agree, we should just use SSL_CERT_DIR and SSL_CERT_FILE.
>
> We could indeed add a ‘search-path-specification’ in OpenSSL for
> SSL_CERT_DIR.

Sounds good to me!

    Thanks!
      Mark