[PATCH] gnu: curl: Make libcurl respect SSL_CERT_{DIR,FILE}

  • Done
Details
2 participants
  • Jakub Kądziołka
  • Marius Bakke
Owner
unassigned
Submitted by
Jakub Kądziołka
Severity
normal
Jakub Kądziołka wrote on 2 Jan 2020 18:18
(address . guix-patches@gnu.org)
20200102171826.v4j3d35ocx7tvp2j@zdrowyportier.kadziolka.net
* gnu/packages/curl.scm (curl-7.66.0): Use patch.
* gnu/packages/patches/libcurl-use-ssl-cert-env.patch: New file.

This fixes the SSL errors occurring when trying to use rust:cargo's
download functionality.

As an additional advantage, this will probably allow removing some
package-specific work-arounds that have already been made. I have
found such work-arounds in cmake and kodi, but am not familiar enough
with either to confidently remove them.
---
gnu/packages/curl.scm | 4 +-
.../patches/libcurl-use-ssl-cert-env.patch | 61 +++++++++++++++++++
2 files changed, 64 insertions(+), 1 deletion(-)
create mode 100644 gnu/packages/patches/libcurl-use-ssl-cert-env.patch

diff --git a/gnu/packages/curl.scm b/gnu/packages/curl.scm
index aa5d24c401..c5cd88ec2e 100644
--- a/gnu/packages/curl.scm
+++ b/gnu/packages/curl.scm
@@ -9,6 +9,7 @@
;;; Copyright © 2017, 2018 Tobias Geerinckx-Rice <me@tobias.gr>
;;; Copyright © 2018 Roel Janssen <roel@gnu.org>
;;; Copyright © 2019 Ricardo Wurmus <rekado@elephly.net>
+;;; Copyright © 2020 Jakub K?dzio?ka <kuba@kadziolka.net>
;;;
;;; This file is part of GNU Guix.
;;;
@@ -153,7 +154,8 @@ tunneling, and so on.")
version ".tar.xz"))
(sha256
(base32
- "1hcqxpibhknhjy56wcxz5vd6m9ggx3ykwp3wp5wx05ih36481d6v"))))))
+ "1hcqxpibhknhjy56wcxz5vd6m9ggx3ykwp3wp5wx05ih36481d6v"))
+ (patches (search-patches "libcurl-use-ssl-cert-env.patch"))))))
(define-public kurly
(package
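Review bot: the file named in `(patches (search-patches "libcurl-use-ssl-cert-env.patch"))` is new, but the diffstat lists only gnu/packages/curl.scm and the patch itself, so the patch is not registered in gnu/local.mk. Add it to the patch list there so it is distributed with the other package patches.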
diff --git a/gnu/packages/patches/libcurl-use-ssl-cert-env.patch b/gnu/packages/patches/libcurl-use-ssl-cert-env.patch
new file mode 100644
index 0000000000..a68e64adc1
--- /dev/null
+++ b/gnu/packages/patches/libcurl-use-ssl-cert-env.patch
@@ -0,0 +1,61 @@
+Make libcurl respect the SSL_CERT_{DIR,FILE} variables by default. The variables
+are fetched during initialization to preserve thread-safety (curl_global_init(3)
+must be called when no other threads exist).
+===================================================================
+--- curl-7.66.0.orig/lib/easy.c 2020-01-02 15:43:11.883921171 +0100
++++ curl-7.66.0/lib/easy.c 2020-01-02 16:18:54.691882797 +0100
+@@ -134,6 +134,9 @@
+ # pragma warning(default:4232) /* MSVC extension, dllimport identity */
+ #endif
+
++char * Curl_ssl_cert_dir = NULL;
++char * Curl_ssl_cert_file = NULL;
++
+ /**
+ * curl_global_init() globally initializes curl given a bitwise set of the
+ * different features of what to initialize.
+@@ -155,6 +158,9 @@
+ #endif
+ }
+
++ Curl_ssl_cert_dir = curl_getenv("SSL_CERT_DIR");
++ Curl_ssl_cert_file = curl_getenv("SSL_CERT_FILE");
++
+ if(!Curl_ssl_init()) {
+ DEBUGF(fprintf(stderr, "Error: Curl_ssl_init failed\n"));
+ return CURLE_FAILED_INIT;
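Review bot: the two curl_getenv() results are stored before the `if(!Curl_ssl_init())` check, so the `return CURLE_FAILED_INIT` path in this hunk exits with both strings still allocated and both globals still set. Free them and reset the pointers to NULL on that path, or fetch the variables only after Curl_ssl_init() has succeeded.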
+@@ -260,6 +266,9 @@
+ Curl_ssl_cleanup();
+ Curl_resolver_global_cleanup();
+
++ free(Curl_ssl_cert_dir);
++ free(Curl_ssl_cert_file);
++
+ #ifdef WIN32
+ Curl_win32_cleanup(init_flags);
+ #endif
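Review bot: after `free(Curl_ssl_cert_dir);` and `free(Curl_ssl_cert_file);` the globals keep their old addresses, while the url.c part of the patch decides what to do with `if(Curl_ssl_cert_dir)` and `if(Curl_ssl_cert_file)`. Set both pointers to NULL right after freeing them so nothing can read a stale pointer between a cleanup and the next initialization.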
+diff -ur curl-7.66.0.orig/lib/url.c curl-7.66.0/lib/url.c
+--- curl-7.66.0.orig/lib/url.c 2020-01-02 15:43:11.883921171 +0100
++++ curl-7.66.0/lib/url.c 2020-01-02 16:21:11.563880346 +0100
+@@ -524,6 +524,21 @@
+ if(result)
+ return result;
+ #endif
++ extern char * Curl_ssl_cert_dir;
++ extern char * Curl_ssl_cert_file;
++ if(Curl_ssl_cert_dir) {
++ if(result = Curl_setstropt(&set->str[STRING_SSL_CAPATH_ORIG], Curl_ssl_cert_dir))
++ return result;
++ if(result = Curl_setstropt(&set->str[STRING_SSL_CAPATH_PROXY], Curl_ssl_cert_dir))
++ return result;
++ }
++
++ if(Curl_ssl_cert_file) {
++ if(result = Curl_setstropt(&set->str[STRING_SSL_CAFILE_ORIG], Curl_ssl_cert_file))
++ return result;
++ if(result = Curl_setstropt(&set->str[STRING_SSL_CAFILE_PROXY], Curl_ssl_cert_file))
++ return result;
++ }
+ }
+
+ set->wildcard_enabled = FALSE;
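Review bot: the four `if(result = Curl_setstropt(...))` lines in the url.c block use an assignment as the condition without extra parentheses, which compilers flag under -Wparentheses and which reads like a mistyped `==`. Assign first and then test `if(result)`, as the context lines just above the block do. The block-scope `extern char * Curl_ssl_cert_dir;` and `extern char * Curl_ssl_cert_file;` declarations follow statements and repeat the easy.c definitions by hand; declaring them once in an internal header included by both files keeps the types in sync. Since the same values are also written to STRING_SSL_CAPATH_PROXY and STRING_SSL_CAFILE_PROXY, the patch description should say that the variables change certificate verification for proxies as well, and whether CA settings made explicitly by the application take precedence.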
--
2.24.1
Jakub Kądziołka wrote on 12 Jan 2020 17:32
Patch submitted upstream
(address . 38873@debbugs.gnu.org)
20200112163247.vu7gkehob3cpcql3@zdrowyportier.kadziolka.net
For reference: I have submitted this patch to curl itself, it seems that
they find this unnecessary to have upstream:
Marius Bakke wrote on 13 Jan 2020 23:57
Re: [bug#38873] [PATCH] gnu: curl: Make libcurl respect SSL_CERT_{DIR, FILE}
871rs3vuav.fsf@devup.no
Jakub Kądziołka <kuba@kadziolka.net> writes:

> * gnu/packages/curl.scm (curl-7.66.0): Use patch.
> * gnu/packages/patches/libcurl-use-ssl-cert-env.patch: New file.
>
> This fixes the SSL errors occurring when trying to use rust:cargo's
> download functionality.
>
> As an additional advantage, this will probably allow removing some
> package-specific work-arounds that have already been made. I have
> found such work-arounds in cmake and kodi, but am not familiar enough
> with either to confidently remove them.

Thanks! We should probably adjust the (native-search-paths ...) field
of cURL to account for these new variables too. Can you also rebase it
on 'core-updates'?

From reading the upstream discussion, there do not seem to be any
inherent problems with the patch. So, LGTM. Are you willing to
maintain it when it inevitably requires porting to newer versions? :-)

Jakub Kądziołka wrote on 14 Jan 2020 17:59
[PATCH v2 core-updates] curl: Make libcurl respect SSL_CERT_DIR, SSL_CERT_FILE
(address . 38873@debbugs.gnu.org)
20200114165921.epqysoaydxxqm5ye@zdrowyportier.kadziolka.net
Attachment: file
Marius Bakke wrote on 15 Jan 2020 00:37
87r201vccv.fsf@devup.no
Jakub Kądziołka <kuba@kadziolka.net> writes:

> * gnu/packages/patches/libcurl-use-ssl-cert-env.patch: New file.
> * gnu/packages/curl.scm (curl)[source]: Use the patch.
> [native-search-paths]: Add the new variables.
> ---
> gnu/packages/curl.scm | 20 ++++--
> .../patches/cmake-curl-certificates.patch | 2 +
> .../kodi-set-libcurl-ssl-parameters.patch | 2 +
> .../patches/libcurl-use-ssl-cert-env.patch | 64 +++++++++++++++++++
> 4 files changed, 84 insertions(+), 4 deletions(-)
> create mode 100644 gnu/packages/patches/libcurl-use-ssl-cert-env.patch

The commit message forgot to mention the changed patches. However I
opted to remove them, as the Kodi and CMake patches are harmless even
with your patch, but will encourage you to fix them regardless. ;-)

Also added the new patch to gnu/local.mk and adjusted indentation of the
cURL comments.

Pushed as a76a343082d61d5303b61a9e4cbde4ab8515a1e7, thanks!

Closed

This issue is archived.
