From: Andreas Enge
Subject: Openssl and certificate directory
Date: Sat, 7 Feb 2015 16:17:48 +0100
Message-ID: <20150207151748.GA6943@debian>
To: guix-devel@gnu.org
List-Id: "Development of GNU Guix and the GNU System distribution."

Hello,

the attached patch does the same thing as we just pushed for gnutls: it sets the global certificate store to files and directories inside /etc/ssl. It should be applied after the update to 1.0.2, which I am trying to have built by hydra on the wip-openssl branch (except that hydra refuses to evaluate this for the last few hours; did I make a mistake?). I tried youtube-dl with it, and it works now out of the box with the certificates that Debian puts into /etc/ssl/certs/. Unless there are complaints, I would like to push it to master once hydra has built enough packages with it.
In the long run, we might wish to apply a mixture of the two attached patches from nix: they take the certificate location from the environment variable OPENSSL_X509_CERT_FILE if it is defined, and only if the binary is not setuid. The patch concerns only the cert file, a file with lots of certificates concatenated; I would rather be in favour of patching the next function, X509_get_default_cert_dir_env, which defines a directory with lots of separate certificates. These could come from separate certificate packages. We could then also add a search path to set the environment variable.

Andreas

Content-Disposition: attachment; filename="0001-gnu-openssl-Use-etc-ssl-as-the-base-directory-for-ce.patch"

From 7e54dd89d698d1209f9cc2cfde95f9f6fd0ecbaf Mon Sep 17 00:00:00 2001
From: Andreas Enge
Date: Sat, 7 Feb 2015 13:14:27 +0100
Subject: [PATCH] gnu: openssl: Use /etc/ssl as the base directory for certificates.

* gnu/packages/openssl.scm (openssl)[source]: Add a snippet to use
/etc/ssl/certs/ as the directory and /etc/ssl/cert.pem as the file where
certificates are searched.
---
 gnu/packages/openssl.scm | 8 +++++++-
 1 file changed, 7 insertions(+), 1 deletion(-)

diff --git a/gnu/packages/openssl.scm b/gnu/packages/openssl.scm
index 34e1351..b6dfe6d 100644
--- a/gnu/packages/openssl.scm
+++ b/gnu/packages/openssl.scm
@@ -36,7 +36,13 @@ ".tar.gz")) (sha256 (base32 - "1s988w1h1yxh7lhrhh164hv6vil94lkwzh6g2rfm03dypbrvlj4c")))) + "1s988w1h1yxh7lhrhh164hv6vil94lkwzh6g2rfm03dypbrvlj4c")) + (modules '((guix build utils))) ; for substitute* + (snippet + '(begin + ;; Use /etc/ssl as the base directory for certificates. + (substitute* "crypto/cryptlib.h" + (("OPENSSLDIR") "\"/etc/ssl\"")))))) (build-system gnu-build-system) (native-inputs `(("perl" ,perl))) (arguments -- 2.2.1 --d6Gm4EdcadzBjdND Content-Type: text/plain; charset=us-ascii Content-Disposition: attachment; filename="cert-file.patch" diff -ru -x '*~' openssl-1.0.0e-orig/crypto/x509/x509_def.c openssl-1.0.0e/crypto/x509/x509_def.c --- openssl-1.0.0e-orig/crypto/x509/x509_def.c 1999-09-11 19:54:11.000000000 +0200 +++ openssl-1.0.0e/crypto/x509/x509_def.c 2011-09-12 18:30:59.386501609 +0200 @@ -57,6 +57,10 @@ */ #include +#include +#include +#include +#include #include "cryptlib.h" #include #include 
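Review bot: the `substitute*` in the openssl.scm hunk replaces every occurrence of the token OPENSSLDIR in crypto/cryptlib.h, not only the certificate directory and certificate file definitions that the commit message names, so every other default location that header derives from OPENSSLDIR is silently redirected to /etc/ssl as well; anchor the pattern on the two definitions you mean to change (the lines defining the cert dir and the cert file) so the rest of the header keeps its Guix-store defaults. Also, `substitute*` does not complain when a pattern matches nothing, so after the 1.0.2 update this is meant to follow, a check in the snippet that the replacement actually happened would catch a renamed macro instead of quietly building an OpenSSL that still looks in the store prefix.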
@@ -71,7 +75,25 @@ { return(X509_CERT_DIR); } const char *X509_get_default_cert_file(void) - { return(X509_CERT_FILE); } + { + static char buf[PATH_MAX] = X509_CERT_FILE; + static int init = 0; + if (!init) { + init = 1; + char * s = getenv("OPENSSL_X509_CERT_FILE"); + if (s) { +#ifndef OPENSSL_SYS_WINDOWS + if (getuid() == geteuid()) { +#endif + strncpy(buf, s, sizeof(buf)); + buf[sizeof(buf) - 1] = 0; +#ifndef OPENSSL_SYS_WINDOWS + } +#endif + } + } + return buf; + } const char *X509_get_default_cert_dir_env(void) { return(X509_CERT_DIR_EVP); } --d6Gm4EdcadzBjdND Content-Type: text/plain; charset=us-ascii Content-Disposition: attachment; filename="cert-file-path-max.patch" This patch, to be applied after `cert-file.patch', fixes compilation on GNU/Hurd where `PATH_MAX' is not defined. diff -ubB --show-c-function openssl-1.0.0e/crypto/x509/x509_def.c.orig openssl-1.0.0e/crypto/x509/x509_def.c --- openssl-1.0.0e/crypto/x509/x509_def.c.orig 2012-01-06 00:08:48.000000000 +0100 +++ openssl-1.0.0e/crypto/x509/x509_def.c 2012-01-06 00:11:29.000000000 +0100 @@ -58,6 +58,7 @@ #include #include +#include #include #include #include @@ -76,14 +77,16 @@ const char *X509_get_default_cert_dir(vo const char *X509_get_default_cert_file(void) { - static char buf[PATH_MAX] = X509_CERT_FILE; + static char *buf; static int init = 0; if (!init) { init = 1; char * s = getenv("OPENSSL_X509_CERT_FILE"); if (s && getuid() == geteuid()) { - strncpy(buf, s, sizeof(buf)); - buf[sizeof(buf) - 1] = 0; + buf = strdup(s); + } + if (!s) { + buf = strdup(X509_CERT_FILE); } } return buf; --d6Gm4EdcadzBjdND--
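Review bot: the `getuid() == geteuid()` test in the X509_get_default_cert_file hunk of cert-file.patch only recognises a setuid binary; a setgid program, or one started with file capabilities, still takes OPENSSL_X509_CERT_FILE from its caller and so lets an unprivileged user choose the trust anchors the privileged process verifies against. Compare `getgid()` with `getegid()` as well, or where glibc is available use `secure_getenv()`, which combines these checks with AT_SECURE and covers the capability case too. The lazily initialised `static char buf[PATH_MAX]` is also filled without any locking, so the first concurrent callers can race on `init` and `strncpy`; either initialise it under OpenSSL's own locks or at library initialisation rather than on first use.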
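Review bot: in the cert-file-path-max.patch hunk the two conditions leave `buf` unassigned when OPENSSL_X509_CERT_FILE is set but the process is setuid: `if (s && getuid() == geteuid())` is false, `if (!s)` is also false, so X509_get_default_cert_file() returns NULL to a setuid program instead of X509_CERT_FILE, which is precisely the case the privilege check exists to protect. Make the second branch the `else` of the first so the compiled-in default is used whenever the override is rejected, and check the return value of `strdup()`, which is NULL on allocation failure. Separately, this hunk's context line `if (s && getuid() == geteuid()) {` does not match what cert-file.patch produces (`if (s) {` with the uid test wrapped in `#ifndef OPENSSL_SYS_WINDOWS`), so despite the description it will not apply cleanly on top of cert-file.patch; one of the two patches needs to be refreshed against the other.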
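The policy the message sketches (honour OPENSSL_X509_CERT_FILE only when the binary is not setuid, otherwise fall back to the compiled-in file), as an added example that is not part of the posted patches or of OpenSSL itself. DEFAULT_CERT_FILE, pick_cert_file and process_is_elevated are names chosen here; the example extends the uid test to the gid and always returns a path, which is the case the second nix patch gets wrong.

```c
/* Added example (not from the posted patches or from OpenSSL): the policy
 * the email describes, "take the cert file from OPENSSL_X509_CERT_FILE,
 * but only if the binary is not setuid", written so the decision is a pure
 * function that can be tested without a real setuid process. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/types.h>

/* Compiled-in default, mirroring the /etc/ssl layout the Guix patch picks
 * (assumption: real OpenSSL takes this from X509_CERT_FILE in cryptlib.h). */
#define DEFAULT_CERT_FILE "/etc/ssl/cert.pem"

/* Decide which path to use. The override is honoured only when it is set,
 * non-empty and the process is not privilege-elevated; every other case
 * yields the default, so the caller never sees NULL (the gap in the
 * path-max variant of the nix patch). */
const char *pick_cert_file(const char *override, int elevated)
{
    if (override == NULL || override[0] == '\0' || elevated)
        return DEFAULT_CERT_FILE;
    return override;
}

/* "Elevated" = started setuid or setgid: the nix patch checks only the uid;
 * checking the gid too closes the setgid case. glibc's secure_getenv() does
 * this test plus AT_SECURE (file capabilities) and is preferable there. */
int process_is_elevated(void)
{
    return getuid() != geteuid() || getgid() != getegid();
}

/* Cached wrapper over the live process state, like the patch's static buf.
 * The value is copied because getenv() storage can change under setenv(). */
const char *default_cert_file(void)
{
    static char buf[4096];
    static int init = 0;
    if (!init) {
        const char *chosen = pick_cert_file(getenv("OPENSSL_X509_CERT_FILE"),
                                            process_is_elevated());
        snprintf(buf, sizeof buf, "%s", chosen);  /* always NUL-terminated */
        init = 1;
    }
    return buf;
}

int main(void)
{
    printf("certificate file: %s\n", default_cert_file());
    return 0;
}
```

The cached wrapper keeps the patch's lazy-init shape for readability; inside a library it should be initialised under a lock or at load time rather than on first call.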