public/nixpkgs
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

* OpenSSL: Allow the location of the X509 certificate file (the CA

Browse Source 
bundle) to be set through the environment variable
  ‘OPENSSL_X509_CERT_FILE’.  This is necessary because the default
  location ($out/ssl/cert.pem) doesn't exist, and hardcoding something
  like /etc/ssl/cert.pem is impure and cannot be overriden
  per-process.  For security, the environment variable is ignored for
  setuid binaries.

svn path=/nixpkgs/trunk/; revision=29224
This commit is contained in:
Eelco Dolstra 2011-09-12 16:57:34 +00:00
parent c88d870123
commit 17925a9d3c
2 changed files with 46 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

12
pkgs/development/libraries/openssl/1.0.0e.nix
View File

@ -14,7 +14,17 @@ stdenv.mkDerivation rec {
sha256 = "1xw0ffzmr4wbnb0glywgks375dvq8x87pgxmwx6vhgvkflkxqqg3"; sha256 = "1xw0ffzmr4wbnb0glywgks375dvq8x87pgxmwx6vhgvkflkxqqg3";
}; };
patches = stdenv.lib.optional stdenv.isDarwin ./darwin-arch.patch; patches =
[ # Allow the location of the X509 certificate file (the CA
# bundle) to be set through the environment variable
# OPENSSL_X509_CERT_FILE. This is necessary because the
# default location ($out/ssl/cert.pem) doesn't exist, and
# hardcoding something like /etc/ssl/cert.pem is impure and
# cannot be overriden per-process. For security, the
# environment variable is ignored for setuid binaries.
./cert-file.patch
]
++ stdenv.lib.optional stdenv.isDarwin ./darwin-arch.patch;
buildNativeInputs = [ perl ]; buildNativeInputs = [ perl ];

35
pkgs/development/libraries/openssl/cert-file.patch Normal file
View File

@ -0,0 +1,35 @@
diff -ru -x '*~' openssl-1.0.0e-orig/crypto/x509/x509_def.c openssl-1.0.0e/crypto/x509/x509_def.c
--- openssl-1.0.0e-orig/crypto/x509/x509_def.c 1999-09-11 19:54:11.000000000 +0200
+++ openssl-1.0.0e/crypto/x509/x509_def.c 2011-09-12 18:30:59.386501609 +0200
@@ -57,6 +57,10 @@
*/
#include <stdio.h>
+#include <stdlib.h>
+#include <limits.h>
+#include <unistd.h>
+#include <sys/types.h>
#include "cryptlib.h"
#include <openssl/crypto.h>
#include <openssl/x509.h>
@@ -71,7 +75,19 @@
{ return(X509_CERT_DIR); }
const char *X509_get_default_cert_file(void)
- { return(X509_CERT_FILE); }
+ {
+ static char buf[PATH_MAX] = X509_CERT_FILE;
+ static int init = 0;
+ if (!init) {
+ init = 1;
+ char * s = getenv("OPENSSL_X509_CERT_FILE");
+ if (s && getuid() == geteuid()) {
+ strncpy(buf, s, sizeof(buf));
+ buf[sizeof(buf) - 1] = 0;
+ }
+ }
+ return buf;
+ }
const char *X509_get_default_cert_dir_env(void)
{ return(X509_CERT_DIR_EVP); }