Author: eelco Date: Mon Sep 12 16:57:34 2011 New Revision: 29224 URL: https://ssl.nixos.org/websvn/nix/?rev=29224&sc=1
Log: * OpenSSL: Allow the location of the X509 certificate file (the CA bundle) to be set through the environment variable ‘OPENSSL_X509_CERT_FILE’. This is necessary because the default location ($out/ssl/cert.pem) doesn't exist, and hardcoding something like /etc/ssl/cert.pem is impure and cannot be overriden per-process. For security, the environment variable is ignored for setuid binaries. Added: nixpkgs/trunk/pkgs/development/libraries/openssl/cert-file.patch Modified: nixpkgs/trunk/pkgs/development/libraries/openssl/1.0.0e.nix Modified: nixpkgs/trunk/pkgs/development/libraries/openssl/1.0.0e.nix ============================================================================== --- nixpkgs/trunk/pkgs/development/libraries/openssl/1.0.0e.nix Mon Sep 12 16:46:14 2011 (r29223) +++ nixpkgs/trunk/pkgs/development/libraries/openssl/1.0.0e.nix Mon Sep 12 16:57:34 2011 (r29224) @@ -14,7 +14,17 @@ sha256 = "1xw0ffzmr4wbnb0glywgks375dvq8x87pgxmwx6vhgvkflkxqqg3"; }; - patches = stdenv.lib.optional stdenv.isDarwin ./darwin-arch.patch; + patches = + [ # Allow the location of the X509 certificate file (the CA + # bundle) to be set through the environment variable + # ‘OPENSSL_X509_CERT_FILE’. This is necessary because the + # default location ($out/ssl/cert.pem) doesn't exist, and + # hardcoding something like /etc/ssl/cert.pem is impure and + # cannot be overriden per-process. For security, the + # environment variable is ignored for setuid binaries. + ./cert-file.patch + ] + ++ stdenv.lib.optional stdenv.isDarwin ./darwin-arch.patch; buildNativeInputs = [ perl ]; Added: nixpkgs/trunk/pkgs/development/libraries/openssl/cert-file.patch ============================================================================== --- /dev/null 00:00:00 1970 (empty, because file is newly added) +++ nixpkgs/trunk/pkgs/development/libraries/openssl/cert-file.patch Mon Sep 12 16:57:34 2011 (r29224) 
@@ -0,0 +1,35 @@
+diff -ru -x '*~' openssl-1.0.0e-orig/crypto/x509/x509_def.c openssl-1.0.0e/crypto/x509/x509_def.c
+--- openssl-1.0.0e-orig/crypto/x509/x509_def.c 1999-09-11 19:54:11.000000000 +0200
++++ openssl-1.0.0e/crypto/x509/x509_def.c 2011-09-12 18:30:59.386501609 +0200
+@@ -57,6 +57,10 @@
+ */
+ 
+ #include <stdio.h>
++#include <stdlib.h>
++#include <limits.h>
++#include <unistd.h>
++#include <sys/types.h>
+ #include "cryptlib.h"
+ #include <openssl/crypto.h>
+ #include <openssl/x509.h>
+@@ -71,7 +75,19 @@
+ { return(X509_CERT_DIR); }
+ 
+ const char *X509_get_default_cert_file(void)
+- { return(X509_CERT_FILE); }
++ {
++ static char buf[PATH_MAX] = X509_CERT_FILE;
++ static int init = 0;
++ if (!init) {
++ init = 1;
++ char * s = getenv("OPENSSL_X509_CERT_FILE");
++ if (s && getuid() == geteuid()) {
++ strncpy(buf, s, sizeof(buf));
++ buf[sizeof(buf) - 1] = 0;
++ }
++ }
++ return buf;
++ }
+ 
+ const char *X509_get_default_cert_dir_env(void)
+ { return(X509_CERT_DIR_EVP); }
_______________________________________________ nix-commits mailing list nix-comm...@cs.uu.nl http://mail.cs.uu.nl/mailman/listinfo/nix-commits
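Review bot: The privilege guard in X509_get_default_cert_file only compares the real and effective uid, so a setgid binary (or, on Linux, one granted file capabilities) still honours `OPENSSL_X509_CERT_FILE` and can be pointed at an attacker-supplied CA bundle; extend the check to the group ids, or use the libc's secure-environment test where one exists (`issetugid()` on the BSDs, glibc's `__secure_getenv`/`secure_getenv`). A minimal change is `if (s && *s && getuid() == geteuid() && getgid() == getegid()) {`, which also keeps the compiled-in default when the variable is set but empty instead of replacing it with "". Two smaller points in the same hunk: `strncpy` needs `<string.h>`, which the new includes do not add (it presumably arrives via cryptlib.h, but making it explicit is cheap), and a value longer than PATH_MAX is silently truncated to a different path rather than rejected — `if (strlen(s) >= sizeof(buf)) s = NULL;` before the copy, or a `snprintf` with a length check, avoids that. Note also that `char * s` is declared after the `init = 1;` statement, a C99 mixed declaration that older compilers of this OpenSSL's era may reject, and that the unsynchronised `init` flag lets a concurrent first caller observe a half-written buf.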