Author: eelco
Date: Mon Sep 12 16:57:34 2011
New Revision: 29224
URL: https://ssl.nixos.org/websvn/nix/?rev=29224&sc=1

Log:
* OpenSSL: Allow the location of the X509 certificate file (the CA
  bundle) to be set through the environment variable
  ‘OPENSSL_X509_CERT_FILE’.  This is necessary because the default
  location ($out/ssl/cert.pem) doesn't exist, and hardcoding something
  like /etc/ssl/cert.pem is impure and cannot be overridden
  per-process.  For security, the environment variable is ignored for
  setuid binaries.

Added:
   nixpkgs/trunk/pkgs/development/libraries/openssl/cert-file.patch
Modified:
   nixpkgs/trunk/pkgs/development/libraries/openssl/1.0.0e.nix

Modified: nixpkgs/trunk/pkgs/development/libraries/openssl/1.0.0e.nix
==============================================================================
--- nixpkgs/trunk/pkgs/development/libraries/openssl/1.0.0e.nix Mon Sep 12 
16:46:14 2011        (r29223)
+++ nixpkgs/trunk/pkgs/development/libraries/openssl/1.0.0e.nix Mon Sep 12 
16:57:34 2011        (r29224)
@@ -14,7 +14,17 @@
     sha256 = "1xw0ffzmr4wbnb0glywgks375dvq8x87pgxmwx6vhgvkflkxqqg3";
   };
 
-  patches = stdenv.lib.optional stdenv.isDarwin ./darwin-arch.patch;
+  patches =
+    [ # Allow the location of the X509 certificate file (the CA
+      # bundle) to be set through the environment variable
+      # ‘OPENSSL_X509_CERT_FILE’.  This is necessary because the
+      # default location ($out/ssl/cert.pem) doesn't exist, and
+      # hardcoding something like /etc/ssl/cert.pem is impure and
+      # cannot be overriden per-process.  For security, the
+      # environment variable is ignored for setuid binaries.
+      ./cert-file.patch
+    ]
+    ++ stdenv.lib.optional stdenv.isDarwin ./darwin-arch.patch;
 
   buildNativeInputs = [ perl ];
   

Added: nixpkgs/trunk/pkgs/development/libraries/openssl/cert-file.patch
==============================================================================
--- /dev/null   00:00:00 1970   (empty, because file is newly added)
+++ nixpkgs/trunk/pkgs/development/libraries/openssl/cert-file.patch    Mon Sep 
12 16:57:34 2011        (r29224)
@@ -0,0 +1,35 @@
+diff -ru -x '*~' openssl-1.0.0e-orig/crypto/x509/x509_def.c 
openssl-1.0.0e/crypto/x509/x509_def.c
+--- openssl-1.0.0e-orig/crypto/x509/x509_def.c 1999-09-11 19:54:11.000000000 
+0200
++++ openssl-1.0.0e/crypto/x509/x509_def.c      2011-09-12 18:30:59.386501609 
+0200
+@@ -57,6 +57,10 @@
+  */
+ 
+ #include <stdio.h>
++#include <stdlib.h>
++#include <limits.h>
++#include <unistd.h>
++#include <sys/types.h>
+ #include "cryptlib.h"
+ #include <openssl/crypto.h>
+ #include <openssl/x509.h>
+@@ -71,7 +75,19 @@
+       { return(X509_CERT_DIR); }
+ 
+ const char *X509_get_default_cert_file(void)
+-      { return(X509_CERT_FILE); }
++      {
++      static char buf[PATH_MAX] = X509_CERT_FILE;
++      static int init = 0;
++      if (!init) {
++          init = 1;
++          char * s = getenv("OPENSSL_X509_CERT_FILE");
++          if (s && getuid() == geteuid()) {
++              strncpy(buf, s, sizeof(buf));
++              buf[sizeof(buf) - 1] = 0;
++          }
++      }
++      return buf;
++      }
+ 
+ const char *X509_get_default_cert_dir_env(void)
+       { return(X509_CERT_DIR_EVP); }
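Review bot: The privilege check on the `getenv` result (`getuid() == geteuid()`) only catches setuid binaries; a setgid binary, or one granted file capabilities, still honours OPENSSL_X509_CERT_FILE, so the "ignored for setuid binaries" guarantee in the log message is narrower than a reader may assume. At minimum extend the test to `if (s && getuid() == geteuid() && getgid() == getegid()) {`, and where the platform offers an AT_SECURE-style query (`issetugid()` on the BSDs) prefer that, since it also covers capability-elevated processes. The `init` flag and `buf` are plain statics written without any lock, so two threads making the first call concurrently can both run the copy; this is probably harmless because both write the same bytes, but it deserves a comment or a CRYPTO lock if OpenSSL's threading model is expected to hold here. `strncpy` also needs `<string.h>`, which the added includes do not list — presumably it arrives via `cryptlib.h`, but including it explicitly would make the patch self-contained.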