GNU bug report logs - #38873
[PATCH] gnu: curl: Make libcurl respect SSL_CERT_{DIR,FILE}

Previous Next

Package: guix-patches;

Reported by: Jakub Kądziołka <kuba <at> kadziolka.net>

Date: Thu, 2 Jan 2020 17:19:02 UTC

Severity: normal

Tags: patch

Done: Marius Bakke <mbakke <at> fastmail.com>

Bug is archived. No further changes may be made.

Full log

Message #14 received at 38873 <at> debbugs.gnu.org (full text, mbox):

From: Jakub Kądziołka <kuba <at> kadziolka.net>
To: 38873 <at> debbugs.gnu.org
Subject: [PATCH v2 core-updates] curl: Make libcurl respect SSL_CERT_DIR,
 SSL_CERT_FILE
Date: Tue, 14 Jan 2020 17:59:21 +0100

* gnu/packages/patches/libcurl-use-ssl-cert-env.patch: New file.
* gnu/packages/curl.scm (curl)[source]: Use the patch.
  [native-search-paths]: Add the new variables.
---
 gnu/packages/curl.scm                         | 20 ++++--
 .../patches/cmake-curl-certificates.patch     |  2 +
 .../kodi-set-libcurl-ssl-parameters.patch     |  2 +
 .../patches/libcurl-use-ssl-cert-env.patch    | 64 +++++++++++++++++++
 4 files changed, 84 insertions(+), 4 deletions(-)
 create mode 100644 gnu/packages/patches/libcurl-use-ssl-cert-env.patch

diff --git a/gnu/packages/curl.scm b/gnu/packages/curl.scm
index ee1cca449b..074ae32fb5 100644
--- a/gnu/packages/curl.scm
+++ b/gnu/packages/curl.scm
@@ -9,6 +9,7 @@
 ;;; Copyright © 2017, 2018 Tobias Geerinckx-Rice <me <at> tobias.gr>
 ;;; Copyright © 2018 Roel Janssen <roel <at> gnu.org>
 ;;; Copyright © 2019 Ricardo Wurmus <rekado <at> elephly.net>
+;;; Copyright © 2020 Jakub Kądziołka <kuba <at> kadziolka.net>
 ;;;
 ;;; This file is part of GNU Guix.
 ;;;
@@ -57,7 +58,8 @@
                                 version ".tar.xz"))
             (sha256
              (base32
-              "0nh3j90w6b97wqcgxjfq55qhkz9s38955fbhwzv2fsi7483j895p"))))
+              "0nh3j90w6b97wqcgxjfq55qhkz9s38955fbhwzv2fsi7483j895p"))
+            (patches (search-patches "libcurl-use-ssl-cert-env.patch"))))
    (build-system gnu-build-system)
    (outputs '("out"
               "doc"))                             ;1.2 MiB of man3 pages
@@ -74,10 +76,20 @@
        ("pkg-config" ,pkg-config)
        ("python" ,python-wrapper)))
    (native-search-paths
-    ;; Note: This search path is respected by the `curl` command-line tool only.
-    ;; Ideally we would bake this into libcurl itself so other users can benefit,
-    ;; but it's not supported upstream due to thread safety concerns.
+    ;; Introduced by libcurl-use-ssl-cert-env.patch
     (list (search-path-specification
+           (variable "SSL_CERT_DIR")
+           (separator #f)                        ;single entry
+           (files '("etc/ssl/certs")))
+          (search-path-specification
+           (variable "SSL_CERT_FILE")
+           (file-type 'regular)
+           (separator #f)                        ;single entry
+           (files '("etc/ssl/certs/ca-certificates.crt")))
+    ;; Note: This search path is respected by the `curl` command-line tool only.
+    ;; Patching libcurl to read it too would bring no advantages and require
+    ;; maintaining a more complex patch.
+          (search-path-specification
            (variable "CURL_CA_BUNDLE")
            (file-type 'regular)
            (separator #f)                         ;single entry
diff --git a/gnu/packages/patches/cmake-curl-certificates.patch b/gnu/packages/patches/cmake-curl-certificates.patch
index 7fe2615271..e8cda5bd96 100644
--- a/gnu/packages/patches/cmake-curl-certificates.patch
+++ b/gnu/packages/patches/cmake-curl-certificates.patch
@@ -4,6 +4,8 @@ at all: <https://issues.guix.gnu.org/issue/37371>.
 This changes CMake such that commands honor SSL_CERT_FILE and SSL_CERT_DIR
 as well as /etc/ssl/certs.
 
+FIXME: This shouldn't be necessary anymore, see libcurl-use-ssl-cert-env.patch
+
 --- cmake-3.13.1/Source/cmCurl.cxx	2019-09-10 17:27:36.926907260 +0200
 +++ cmake-3.13.1/Source/cmCurl.cxx	2019-09-10 17:52:35.475903919 +0200
 @@ -2,11 +2,8 @@
diff --git a/gnu/packages/patches/kodi-set-libcurl-ssl-parameters.patch b/gnu/packages/patches/kodi-set-libcurl-ssl-parameters.patch
index 2f60737e30..98bff50712 100644
--- a/gnu/packages/patches/kodi-set-libcurl-ssl-parameters.patch
+++ b/gnu/packages/patches/kodi-set-libcurl-ssl-parameters.patch
@@ -1,6 +1,8 @@
 Kodi doesn't set the CAPATH and CAINFO parameters for libcurl. To make HTTPS
 connections work we can set them based on SSL_CERT_DIR and SSL_CERT_FILE.
 
+FIXME: This shouldn't be necessary anymore, see libcurl-use-ssl-cert-env.patch
+
 --- a/xbmc/filesystem/CurlFile.cpp
 +++ b/xbmc/filesystem/CurlFile.cpp
 @@ -626,5 +626,9 @@
diff --git a/gnu/packages/patches/libcurl-use-ssl-cert-env.patch b/gnu/packages/patches/libcurl-use-ssl-cert-env.patch
new file mode 100644
index 0000000000..c8e80b4445
--- /dev/null
+++ b/gnu/packages/patches/libcurl-use-ssl-cert-env.patch
@@ -0,0 +1,64 @@
+Make libcurl respect the SSL_CERT_{DIR,FILE} variables by default. The variables
+are fetched during initialization to preserve thread-safety (curl_global_init(3)
+must be called when no other threads exist).
+
+This fixes network functionality in rust:cargo, and probably removes the need
+for other future workarounds.
+===================================================================
+--- curl-7.66.0.orig/lib/easy.c	2020-01-02 15:43:11.883921171 +0100
++++ curl-7.66.0/lib/easy.c	2020-01-02 16:18:54.691882797 +0100
+@@ -134,6 +134,9 @@
+ #  pragma warning(default:4232) /* MSVC extension, dllimport identity */
+ #endif
+ 
++char * Curl_ssl_cert_dir = NULL;
++char * Curl_ssl_cert_file = NULL;
++
+ /**
+  * curl_global_init() globally initializes curl given a bitwise set of the
+  * different features of what to initialize.
+@@ -155,6 +158,9 @@
+ #endif
+   }
+ 
++  Curl_ssl_cert_dir = curl_getenv("SSL_CERT_DIR");
++  Curl_ssl_cert_file = curl_getenv("SSL_CERT_FILE");
++
+   if(!Curl_ssl_init()) {
+     DEBUGF(fprintf(stderr, "Error: Curl_ssl_init failed\n"));
+     return CURLE_FAILED_INIT;
+@@ -260,6 +266,9 @@
+   Curl_ssl_cleanup();
+   Curl_resolver_global_cleanup();
+ 
++  free(Curl_ssl_cert_dir);
++  free(Curl_ssl_cert_file);
++
+ #ifdef WIN32
+   Curl_win32_cleanup(init_flags);
+ #endif
+diff -ur curl-7.66.0.orig/lib/url.c curl-7.66.0/lib/url.c
+--- curl-7.66.0.orig/lib/url.c	2020-01-02 15:43:11.883921171 +0100
++++ curl-7.66.0/lib/url.c	2020-01-02 16:21:11.563880346 +0100
+@@ -524,6 +524,21 @@
+     if(result)
+       return result;
+ #endif
++    extern char * Curl_ssl_cert_dir;
++    extern char * Curl_ssl_cert_file;
++    if(Curl_ssl_cert_dir) {
++        if(result = Curl_setstropt(&set->str[STRING_SSL_CAPATH_ORIG], Curl_ssl_cert_dir))
++            return result;
++        if(result = Curl_setstropt(&set->str[STRING_SSL_CAPATH_PROXY], Curl_ssl_cert_dir))
++            return result;
++    }
++
++    if(Curl_ssl_cert_file) {
++        if(result = Curl_setstropt(&set->str[STRING_SSL_CAFILE_ORIG], Curl_ssl_cert_file))
++            return result;
++        if(result = Curl_setstropt(&set->str[STRING_SSL_CAFILE_PROXY], Curl_ssl_cert_file))
++            return result;
++    }
+   }
+ 
+   set->wildcard_enabled = FALSE;
-- 
2.24.1
This bug report was last modified 5 years and 123 days ago.

Previous Next

GNU bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson.