diff options
| author | Nirbheek Chauhan <nirbheek@centricular.com> | 2020-03-30 21:57:07 +0530 |
|---|---|---|
| committer | Nirbheek Chauhan <nirbheek@centricular.com> | 2020-03-31 19:53:02 +0530 |
| commit | 839e173640c7aafc24ca6dad3ce7011d83871d56 (patch) | |
| tree | a88135ae43e9ec3d129637cef7c4f1eb4be517a4 /recipes/openssl/0001-Load-ca-certificate.crt-from-PREFIX-etc-ssl-on-macOS.patch | |
| parent | 4656afa3514abdfdd423db53d6fb9180b8f223a0 (diff) | |
openssl.recipe: Load ca-cert bundle from a portable prefix
We only use openssl now, which by default picks up a ca cert bundle
file called `cert.pem` inside `OPENSSLDIR`. Without this all
certificate checks fail with the error `Unacceptable TLS certificate`.
Howeve, we can't just use `OPENSSLDIR` since it's hard-coded and will
break portable prefixes, and also the ca-cert file we install is named
differently.
So now by default we load the default system store from
`PREFIX/etc/ssl/certs/ca-certificates.crt` where `PREFIX` is deduced
from the location of `crypto.dll`, which is in bindir.
Fixes https://gitlab.freedesktop.org/gstreamer/cerbero/issues/256
Diffstat (limited to 'recipes/openssl/0001-Load-ca-certificate.crt-from-PREFIX-etc-ssl-on-macOS.patch')
| -rw-r--r-- | recipes/openssl/0001-Load-ca-certificate.crt-from-PREFIX-etc-ssl-on-macOS.patch | 135 |
1 files changed, 135 insertions, 0 deletions
diff --git a/recipes/openssl/0001-Load-ca-certificate.crt-from-PREFIX-etc-ssl-on-macOS.patch b/recipes/openssl/0001-Load-ca-certificate.crt-from-PREFIX-etc-ssl-on-macOS.patch new file mode 100644 index 00000000..421bb6b8 --- /dev/null +++ b/recipes/openssl/0001-Load-ca-certificate.crt-from-PREFIX-etc-ssl-on-macOS.patch @@ -0,0 +1,135 @@ +From 903e3b9db2a2425a75f36df4edcc40876e9a0ada Mon Sep 17 00:00:00 2001 +From: Cerbero Build System <cerbero@gstreamer.freedesktop.org> +Date: Tue, 31 Mar 2020 12:41:07 +0530 +Subject: [PATCH] Load ca-certificate.crt from PREFIX/etc/ssl on macOS and + Windows + +PREFIX is automatically detected based on the location of the crypto +library. +--- + crypto/dllmain.c | 31 +++++++++++++++++++++++++++++++ + crypto/x509/by_file.c | 41 ++++++++++++++++++++++++++++++++++++++++- + 2 files changed, 71 insertions(+), 1 deletion(-) + +diff --git a/crypto/dllmain.c b/crypto/dllmain.c +index e821789..67568e3 100644 +--- a/crypto/dllmain.c ++++ b/crypto/dllmain.c +@@ -20,6 +20,36 @@ + */ + # endif + ++HMODULE __priv_crypto_dll_handle = NULL; ++ ++char * ++_get_portable_X509_cert_file (void) ++{ ++ int ret; ++ char *p; ++ char filename[MAX_PATH]; ++ char certfile[MAX_PATH]; ++ ++ /* Get absolute location of crypto.dll: PREFIX/bin/crypto.dll */ ++ if (!GetModuleFileNameA(__priv_crypto_dll_handle, filename, MAX_PATH)) ++ return NULL; ++ ++ /* Get DLL directory: PREFIX/bin */ ++ if ((p = strrchr(filename, '\\')) == NULL) ++ return NULL; ++ *p = '\0'; ++ ++ /* Get parent directory: PREFIX */ ++ if ((p = strrchr(filename, '\\')) == NULL) ++ return NULL; ++ *p = '\0'; ++ ++ /* Path to the cert bundle; filename is from the ca-certificates recipe */ ++ if (_snprintf(certfile, MAX_PATH, "%s\\etc\\ssl\\certs\\ca-certificates.crt", filename) < 0) ++ return NULL; ++ return _strdup(certfile); ++} ++ + /* + * All we really need to do is remove the 'error' state when a thread + * detaches +@@ -31,6 +61,7 @@ BOOL WINAPI DllMain(HINSTANCE hinstDLL, DWORD fdwReason, LPVOID lpvReserved) + switch (fdwReason) { + case DLL_PROCESS_ATTACH: + OPENSSL_cpuid_setup(); ++ __priv_crypto_dll_handle = (HMODULE) hinstDLL; + break; + case DLL_THREAD_ATTACH: + break; +diff --git a/crypto/x509/by_file.c b/crypto/x509/by_file.c +index 237b362..25ce782 100644 +--- a/crypto/x509/by_file.c ++++ b/crypto/x509/by_file.c +@@ -17,6 +17,40 @@ + #include <openssl/pem.h> + #include "x509_local.h" + ++#ifdef _WIN32 ++/* defined in crypto/dllmain.c */ ++char* _get_portable_X509_cert_file (void); ++#elif defined(__APPLE__) ++#include <dlfcn.h> ++char * ++_get_portable_X509_cert_file (void) ++{ ++ char *p; ++ char certfile[PATH_MAX]; ++ ++ Dl_info info; ++ if (!dladdr(_get_portable_X509_cert_file, &info)) ++ return NULL; ++ ++ /* Get dylib directory: PREFIX/lib */ ++ if ((p = strrchr(info.dli_fname, '/')) == NULL) ++ return NULL; ++ *p = '\0'; ++ ++ /* Get parent directory: PREFIX */ ++ if ((p = strrchr(info.dli_fname, '/')) == NULL) ++ return NULL; ++ *p = '\0'; ++ ++ /* Path to the cert bundle; filename is from the ca-certificates recipe */ ++ if (snprintf(certfile, PATH_MAX, "%s/etc/ssl/certs/ca-certificates.crt", info.dli_fname) < 0) ++ return NULL; ++ return strdup(certfile); ++} ++#else ++#define _get_portable_X509_cert_file() NULL ++#endif ++ + static int by_file_ctrl(X509_LOOKUP *ctx, int cmd, const char *argc, + long argl, char **ret); + static X509_LOOKUP_METHOD x509_file_lookup = { +@@ -46,11 +80,15 @@ static int by_file_ctrl(X509_LOOKUP *ctx, int cmd, const char *argp, + switch (cmd) { + case X509_L_FILE_LOAD: + if (argl == X509_FILETYPE_DEFAULT) { ++ char *portable_file; + file = ossl_safe_getenv(X509_get_default_cert_file_env()); ++ portable_file = _get_portable_X509_cert_file(); + if (file) + ok = (X509_load_cert_crl_file(ctx, file, + X509_FILETYPE_PEM) != 0); +- ++ else if (portable_file) ++ ok = (X509_load_cert_crl_file(ctx, portable_file, ++ X509_FILETYPE_PEM) != 0); + else + ok = (X509_load_cert_crl_file + (ctx, X509_get_default_cert_file(), +@@ -59,6 +97,7 @@ static int by_file_ctrl(X509_LOOKUP *ctx, int cmd, const char *argp, + if (!ok) { + X509err(X509_F_BY_FILE_CTRL, X509_R_LOADING_DEFAULTS); + } ++ free (portable_file); + } else { + if (argl == X509_FILETYPE_PEM) + ok = (X509_load_cert_crl_file(ctx, argp, +-- +2.21.1 (Apple Git-122.3) + |