
OpenSSL config load fixes

- fix to _really_ disable OpenSSL automatic config loading in curl
  and libcurl.
  original commit with same intention, but wrong macro name:
    fb80105
  curl commit implementing this feature:
    curl/curl@6684653
- fix OpenSSL build to use the non-world-writable prefix
  `C:/Windows/System32/OpenSSL/` for config/certificate/engine/etc
  paths hard-coded into OpenSSL binaries.
  The build uses a minor patch to OpenSSL's ./Configure script to make
  it recognize a Windows absolute path as an absolute one.
  The default path `/usr/local` may result in privilege escalation.
  Note that the above OpenSSL patch has NOT been confirmed or endorsed by
  upstream at this time. However, due to the severity of the issue, it was
  decided to make this exception to curl-for-win's local-patching policy.
vszakats committed Jun 20, 2019
1 parent 830c0de commit 51b658a76594942cf1d6f227d8fc4732bb8ec277
Showing with 27 additions and 13 deletions.
  1. +1 −1 _dl.sh
  2. +3 −2 curl.sh
  3. +5 −5 libssh2_cmake.sh
  4. +18 −5 openssl.sh
2 _dl.sh
@@ -28,7 +28,7 @@ export OSSLSIGNCODE_HASH=f9a8cdb38b9c309326764ebc937cba1523a3a751a7ab05df3ecc99d
# NOTE: Set _REV to empty after bumping CURL_VER_, and
# set it to 1 then increment by 1 each time bumping a dependency
# version or pushing a CI rebuild for the master branch.
export _REV='1'
export _REV='2'

[ -z "${_REV}" ] || _REV="_${_REV}"

@@ -1,6 +1,6 @@
#!/bin/sh -ex

# Copyright 2014-2018 Viktor Szakats <https://vszakats.net/>
# Copyright 2014-2019 Viktor Szakats <https://vszakats.net/>
# See LICENSE.md

export _NAM
@@ -49,7 +49,7 @@ _cpu="$2"
# public libcurl functions being marked as 'exported'. It's useful to
# avoid the chance of libcurl functions getting exported from final
# binaries when linked against static libcurl lib.
export CURL_CFLAG_EXTRAS='-DCURL_STATICLIB -fno-ident -DCURL_DISABLE_SSL_AUTO_LOAD_CONFIG'
export CURL_CFLAG_EXTRAS='-DCURL_STATICLIB -fno-ident'
[ "${_cpu}" = '32' ] && CURL_CFLAG_EXTRAS="${CURL_CFLAG_EXTRAS} -fno-asynchronous-unwind-tables"
export CURL_LDFLAG_EXTRAS='-static-libgcc -Wl,--nxcompat -Wl,--dynamicbase'
export CURL_LDFLAG_EXTRAS_EXE
@@ -91,6 +91,7 @@ _cpu="$2"

[ -d ../openssl ] && export OPENSSL_PATH=../../openssl
if [ -n "${OPENSSL_PATH}" ]; then
CURL_CFLAG_EXTRAS="${CURL_CFLAG_EXTRAS} -DCURL_DISABLE_OPENSSL_AUTO_LOAD_CONFIG"
options="${options}-ssl"
export OPENSSL_INCLUDE="${OPENSSL_PATH}/include"
export OPENSSL_LIBPATH="${OPENSSL_PATH}"
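Review bot: Nothing in the new line checks that `CURL_DISABLE_OPENSSL_AUTO_LOAD_CONFIG` is a name the checked-out curl source actually honours; the compiler accepts any `-D` macro, which is exactly how the earlier wrong-name commit went unnoticed. Fail the build before appending it, e.g. `grep -q 'CURL_DISABLE_OPENSSL_AUTO_LOAD_CONFIG' lib/vtls/openssl.c || exit 1`, assuming the script runs from the curl source root as the `../openssl` reference suggests (that is the file the referenced curl commit touches; adjust if the tree differs). A one-line comment naming the upstream curl commit next to the `-D` would also make the intent survive a future rename. The `if` body continues past the end of the hunk.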
@@ -1,6 +1,6 @@
#!/bin/sh -ex

# Copyright 2014-2018 Viktor Szakats <https://vszakats.net/>
# Copyright 2014-2019 Viktor Szakats <https://vszakats.net/>
# See LICENSE.md

export _NAM
@@ -68,10 +68,10 @@ _cpu="$2"
options="${options} -DZLIB_INCLUDE_DIR:PATH=$(pwd)/../zlib/pkg/usr/local/include"
options="${options} -DZLIB_LIBRARY:FILEPATH=$(pwd)/../zlib/pkg/usr/local/lib/libz.a"
options="${options} -DCRYPTO_BACKEND=OpenSSL"
options="${options} -DOPENSSL_ROOT_DIR=$(pwd)/../openssl/pkg/usr/local/"
options="${options} -DOPENSSL_INCLUDE_DIR=$(pwd)/../openssl/pkg/usr/local/include"
options="${options} -DOPENSSL_LIBRARIES=$(pwd)/../openssl/pkg/usr/local/lib"
options="${options} -DOPENSSL_CRYPTO_LIBRARY=$(pwd)/../openssl/pkg/usr/local/lib"
options="${options} -DOPENSSL_ROOT_DIR=$(pwd)/../openssl/pkg/C:/Windows/System32/OpenSSL/"
options="${options} -DOPENSSL_INCLUDE_DIR=$(pwd)/../openssl/pkg/C:/Windows/System32/OpenSSL/include"
options="${options} -DOPENSSL_LIBRARIES=$(pwd)/../openssl/pkg/C:/Windows/System32/OpenSSL/lib"
options="${options} -DOPENSSL_CRYPTO_LIBRARY=$(pwd)/../openssl/pkg/C:/Windows/System32/OpenSSL/lib"
options="${options} -DCMAKE_RC_COMPILER=${_CCPREFIX}windres"
options="${options} -DCMAKE_INSTALL_MESSAGE=NEVER"
options="${options} -DCMAKE_INSTALL_PREFIX=/usr/local"
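Review bot: The prefix `C:/Windows/System32/OpenSSL/` is now spelled out four times in this hunk, with no link to the `_prefix` that openssl.sh passes to `--prefix`, so a later change to either script silently desyncs the other and CMake stops finding the OpenSSL tree. Hoist it once, `_ossl="$(pwd)/../openssl/pkg/C:/Windows/System32/OpenSSL"`, and derive the four `-DOPENSSL_*` options from `${_ossl}`; ideally the value would be exported from one shared script so both consumers read it. The unchanged `-DCMAKE_INSTALL_PREFIX=/usr/local` on the last line is libssh2's own install location and, as far as this hunk shows, is not a runtime path, so leaving it looks intentional but deserves a comment saying so.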
@@ -1,6 +1,6 @@
#!/bin/sh -ex

# Copyright 2014-2018 Viktor Szakats <https://vszakats.net/>
# Copyright 2014-2019 Viktor Szakats <https://vszakats.net/>
# See LICENSE.md

export _NAM
@@ -62,22 +62,35 @@ _cpu="$2"
# AR=, NM=, RANLIB=
unset CC

# Patch OpenSSL ./Configure to make it accept Windows-style absolute
# paths as --prefix. Without the patch it misidentifies all such
# absolute paths as relative ones and aborts.
sed 's|die "Directory given with --prefix|print "Directory given with --prefix|g' \
< ./Configure > ./Configure-patched
chmod +x ./Configure-patched

# Space or backslash not allowed. Needs to be a folder restricted
# to Administrators across majority of Windows installations, versions
# and configurations.
_prefix='C:/Windows/System32/OpenSSL'

# shellcheck disable=SC2086
./Configure ${options} shared \
./Configure-patched ${options} shared \
"--cross-compile-prefix=${_CCPREFIX}" \
-fno-ident \
-Wl,--nxcompat -Wl,--dynamicbase \
no-unit-test \
no-idea \
no-tests \
no-makedepend \
'--prefix=/usr/local'
"--prefix=${_prefix}"
SOURCE_DATE_EPOCH=${unixts} TZ=UTC make
# Install it so that it can be detected by CMake
make install "DESTDIR=$(pwd)/pkg" > /dev/null # 2>&1
# (ending slash required)
make install "DESTDIR=$(pwd)/pkg/" > /dev/null # 2>&1

# DESTDIR= + --prefix=
_pkg='pkg/usr/local'
_pkg="pkg/${_prefix}"

# Make steps for determinism
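Review bot: The `sed` patch turns Configure's absolute-path assertion into a warning for every `--prefix`, so any accidental relative value now passes Configure silently, and nothing after `make` confirms that `${_prefix}` rather than `/usr/local` ended up compiled in. Since the build is cross-compiled and the binaries cannot be run here, check the artifact instead, e.g. `strings libcrypto.a | grep -q "${_prefix}" || exit 1` right after the `make` line (OPENSSLDIR is embedded as a string constant, so the expected path should be visible; confirm the library file name for this toolchain). A comment on `_prefix` should also note that a directory literally named `C:` under `pkg/` is fine on a Unix build host but cannot be created on an NTFS host, so this DESTDIR layout keeps the script Linux/macOS-only. The determinism steps that follow are outside the hunk.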
