From 17925a9d3ce0d83d3b4eba3b2b9bc4280408d772 Mon Sep 17 00:00:00 2001
From: Eelco Dolstra
Date: Mon, 12 Sep 2011 16:57:34 +0000
Subject: [PATCH] =?UTF-8?q?*=20OpenSSL:=20Allow=20the=20location=20of=20th?= =?UTF-8?q?e=20X509=20certificate=20file=20(the=20CA=20=20=20bundle)=20to?= =?UTF-8?q?=20be=20set=20through=20the=20environment=20variable=20=20=20?= =?UTF-8?q?=E2=80=98OPENSSL=5FX509=5FCERT=5FFILE=E2=80=99.=20=20This=20is?= =?UTF-8?q?=20necessary=20because=20the=20default=20=20=20location=20($out?= =?UTF-8?q?/ssl/cert.pem)=20doesn't=20exist,=20and=20hardcoding=20somethin?= =?UTF-8?q?g=20=20=20like=20/etc/ssl/cert.pem=20is=20impure=20and=20cannot?= =?UTF-8?q?=20be=20overriden=20=20=20per-process.=20=20For=20security,=20t?= =?UTF-8?q?he=20environment=20variable=20is=20ignored=20for=20=20=20setuid?= =?UTF-8?q?=20binaries.?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

svn path=/nixpkgs/trunk/; revision=29224
---
 pkgs/development/libraries/openssl/1.0.0e.nix | 12 ++++++-
 .../libraries/openssl/cert-file.patch | 35 +++++++++++++++++++
 2 files changed, 46 insertions(+), 1 deletion(-)
 create mode 100644 pkgs/development/libraries/openssl/cert-file.patch

diff --git a/pkgs/development/libraries/openssl/1.0.0e.nix b/pkgs/development/libraries/openssl/1.0.0e.nix
index e1a550dc525..b1e1c3aa1d0 100644
--- a/pkgs/development/libraries/openssl/1.0.0e.nix
+++ b/pkgs/development/libraries/openssl/1.0.0e.nix
@@ -14,7 +14,17 @@ stdenv.mkDerivation rec {
 sha256 = "1xw0ffzmr4wbnb0glywgks375dvq8x87pgxmwx6vhgvkflkxqqg3";
 };
- patches = stdenv.lib.optional stdenv.isDarwin ./darwin-arch.patch;
+ patches =
+ [ # Allow the location of the X509 certificate file (the CA
+ # bundle) to be set through the environment variable
+ # ‘OPENSSL_X509_CERT_FILE’. This is necessary because the
+ # default location ($out/ssl/cert.pem) doesn't exist, and
+ # hardcoding something like /etc/ssl/cert.pem is impure and
+ # cannot be overriden per-process. For security, the
+ # environment variable is ignored for setuid binaries.
+ ./cert-file.patch
+ ]
+ ++ stdenv.lib.optional stdenv.isDarwin ./darwin-arch.patch;
 buildNativeInputs = [ perl ];
diff --git a/pkgs/development/libraries/openssl/cert-file.patch b/pkgs/development/libraries/openssl/cert-file.patch
new file mode 100644
index 00000000000..6b7a60e9026
--- /dev/null
+++ b/pkgs/development/libraries/openssl/cert-file.patch
@@ -0,0 +1,35 @@
+diff -ru -x '*~' openssl-1.0.0e-orig/crypto/x509/x509_def.c openssl-1.0.0e/crypto/x509/x509_def.c
+--- openssl-1.0.0e-orig/crypto/x509/x509_def.c 1999-09-11 19:54:11.000000000 +0200
++++ openssl-1.0.0e/crypto/x509/x509_def.c 2011-09-12 18:30:59.386501609 +0200
+@@ -57,6 +57,10 @@
+ */
+
+ #include
++#include
++#include
++#include
++#include
+ #include "cryptlib.h"
+ #include
+ #include
+@@ -71,7 +75,19 @@
+ { return(X509_CERT_DIR); }
+
+ const char *X509_get_default_cert_file(void)
+- { return(X509_CERT_FILE); }
++ {
++ static char buf[PATH_MAX] = X509_CERT_FILE;
++ static int init = 0;
++ if (!init) {
++ init = 1;
++ char * s = getenv("OPENSSL_X509_CERT_FILE");
++ if (s && getuid() == geteuid()) {
++ strncpy(buf, s, sizeof(buf));
++ buf[sizeof(buf) - 1] = 0;
++ }
++ }
++ return buf;
++ }
+
+ const char *X509_get_default_cert_dir_env(void)
+ { return(X509_CERT_DIR_EVP); }
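Review bot: The privilege guard in the new X509_get_default_cert_file() body only compares real and effective uid, so a setgid binary (or one started with raised file capabilities) still honours an attacker-supplied OPENSSL_X509_CERT_FILE and can be pointed at a rogue CA bundle; the check should at least also require `getgid() == getegid()`, and prefer `issetugid()` where the platform provides it. The strncpy copy also silently truncates a value of PATH_MAX or more characters, so an over-long path is quietly replaced by a different, possibly attacker-chosen, file name rather than being rejected; validate the length first and otherwise keep the compiled-in default, e.g. `if (s && *s && strlen(s) < sizeof(buf) && getuid() == geteuid() && getgid() == getegid()) strcpy(buf, s);`. Note that `init = 1` is set before the buffer is written and neither the flag nor the static buffer is protected by any lock, so the first concurrent callers can race and one may return a half-copied path; if this is an accepted limitation for a per-process setting it deserves a comment, otherwise do the one-time initialisation under CRYPTO_w_lock(CRYPTO_LOCK_X509). If, as in stock 1.0.0, the SSL_CERT_FILE variable is consumed by the same loader without such a check, this guard alone does not make the library safe for setuid use, which the commit message's "ignored for setuid binaries" claim should say. Finally, `char * s` is declared after a statement, which is C99 and will not build with the C89 compilers this OpenSSL release otherwise supports; hoist the declaration to the top of the block.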