OpenSSL config load fixes

- fix to _really_ disable OpenSSL automatic config loading in curl and libcurl. original commit with same intention, but wrong macro name: fb80105 curl commit implementing this feature: curl/curl@6684653 - fix OpenSSL build to use the non-world-writable prefix `C:/Windows/System32/OpenSSL/` for config/certificate/engine/etc paths hard-coded into OpenSSL binaries. The build uses a minor patch to OpenSSL's ./Configure script to make it recognize a Windows absolute path as an absolute one. The default path `/usr/local` may result in privilege escalation. Note that above OpenSSL patch is NOT confirmed or endorsed by upstream at this time. However, due to the weight of the issue, it was decided to make this exception from curl-for-win's local-patching policy.
curl · Jun 20, 2019 · 51b658a · 51b658a
1 parent 830c0de
commit 51b658a
Show file tree

Hide file tree

Showing 4 changed files with 27 additions and 13 deletions.
diff --git a/_dl.sh b/_dl.sh
@@ -28,7 +28,7 @@ export OSSLSIGNCODE_HASH=f9a8cdb38b9c309326764ebc937cba1523a3a751a7ab05df3ecc99d
 # NOTE: Set _REV to empty after bumping CURL_VER_, and
 #       set it to 1 then increment by 1 each time bumping a dependency
 #       version or pushing a CI rebuild for the master branch.
-export _REV='1'
+export _REV='2'
 
 [ -z "${_REV}" ] || _REV="_${_REV}"
 

diff --git a/curl.sh b/curl.sh
@@ -1,6 +1,6 @@
 #!/bin/sh -ex
 
-# Copyright 2014-2018 Viktor Szakats <https://vszakats.net/>
+# Copyright 2014-2019 Viktor Szakats <https://vszakats.net/>
 # See LICENSE.md
 
 export _NAM
@@ -49,7 +49,7 @@ _cpu="$2"
   # public libcurl functions being marked as 'exported'. It's useful to
   # avoid the chance of libcurl functions getting exported from final
   # binaries when linked against static libcurl lib.
-  export CURL_CFLAG_EXTRAS='-DCURL_STATICLIB -fno-ident -DCURL_DISABLE_SSL_AUTO_LOAD_CONFIG'
+  export CURL_CFLAG_EXTRAS='-DCURL_STATICLIB -fno-ident'
   [ "${_cpu}" = '32' ] && CURL_CFLAG_EXTRAS="${CURL_CFLAG_EXTRAS} -fno-asynchronous-unwind-tables"
   export CURL_LDFLAG_EXTRAS='-static-libgcc -Wl,--nxcompat -Wl,--dynamicbase'
   export CURL_LDFLAG_EXTRAS_EXE
@@ -91,6 +91,7 @@ _cpu="$2"
 
   [ -d ../openssl ] && export OPENSSL_PATH=../../openssl
   if [ -n "${OPENSSL_PATH}" ]; then
+    CURL_CFLAG_EXTRAS="${CURL_CFLAG_EXTRAS} -DCURL_DISABLE_OPENSSL_AUTO_LOAD_CONFIG"
     options="${options}-ssl"
     export OPENSSL_INCLUDE="${OPENSSL_PATH}/include"
     export OPENSSL_LIBPATH="${OPENSSL_PATH}"

diff --git a/libssh2_cmake.sh b/libssh2_cmake.sh
@@ -1,6 +1,6 @@
 #!/bin/sh -ex
 
-# Copyright 2014-2018 Viktor Szakats <https://vszakats.net/>
+# Copyright 2014-2019 Viktor Szakats <https://vszakats.net/>
 # See LICENSE.md
 
 export _NAM
@@ -68,10 +68,10 @@ _cpu="$2"
     options="${options} -DZLIB_INCLUDE_DIR:PATH=$(pwd)/../zlib/pkg/usr/local/include"
     options="${options} -DZLIB_LIBRARY:FILEPATH=$(pwd)/../zlib/pkg/usr/local/lib/libz.a"
     options="${options} -DCRYPTO_BACKEND=OpenSSL"
-    options="${options} -DOPENSSL_ROOT_DIR=$(pwd)/../openssl/pkg/usr/local/"
-    options="${options} -DOPENSSL_INCLUDE_DIR=$(pwd)/../openssl/pkg/usr/local/include"
-    options="${options} -DOPENSSL_LIBRARIES=$(pwd)/../openssl/pkg/usr/local/lib"
-    options="${options} -DOPENSSL_CRYPTO_LIBRARY=$(pwd)/../openssl/pkg/usr/local/lib"
+    options="${options} -DOPENSSL_ROOT_DIR=$(pwd)/../openssl/pkg/C:/Windows/System32/OpenSSL/"
+    options="${options} -DOPENSSL_INCLUDE_DIR=$(pwd)/../openssl/pkg/C:/Windows/System32/OpenSSL/include"
+    options="${options} -DOPENSSL_LIBRARIES=$(pwd)/../openssl/pkg/C:/Windows/System32/OpenSSL/lib"
+    options="${options} -DOPENSSL_CRYPTO_LIBRARY=$(pwd)/../openssl/pkg/C:/Windows/System32/OpenSSL/lib"
     options="${options} -DCMAKE_RC_COMPILER=${_CCPREFIX}windres"
     options="${options} -DCMAKE_INSTALL_MESSAGE=NEVER"
     options="${options} -DCMAKE_INSTALL_PREFIX=/usr/local"

diff --git a/openssl.sh b/openssl.sh
@@ -1,6 +1,6 @@
 #!/bin/sh -ex
 
-# Copyright 2014-2018 Viktor Szakats <https://vszakats.net/>
+# Copyright 2014-2019 Viktor Szakats <https://vszakats.net/>
 # See LICENSE.md
 
 export _NAM
@@ -62,22 +62,35 @@ _cpu="$2"
   # AR=, NM=, RANLIB=
   unset CC
 
+  # Patch OpenSSL ./Configure to make it accept Windows-style absolute
+  # paths as --prefix. Without the patch it misidentifies all such
+  # absolute paths as relative ones and aborts.
+  sed 's|die "Directory given with --prefix|print "Directory given with --prefix|g' \
+    < ./Configure > ./Configure-patched
+  chmod +x ./Configure-patched
+
+  # Space or backslash not allowed. Needs to be a folder restricted
+  # to Administrators across majority of Windows installations, versions
+  # and configurations.
+  _prefix='C:/Windows/System32/OpenSSL'
+
   # shellcheck disable=SC2086
-  ./Configure ${options} shared \
+  ./Configure-patched ${options} shared \
     "--cross-compile-prefix=${_CCPREFIX}" \
     -fno-ident \
     -Wl,--nxcompat -Wl,--dynamicbase \
     no-unit-test \
     no-idea \
     no-tests \
     no-makedepend \
-    '--prefix=/usr/local'
+    "--prefix=${_prefix}"
   SOURCE_DATE_EPOCH=${unixts} TZ=UTC make
   # Install it so that it can be detected by CMake
-  make install "DESTDIR=$(pwd)/pkg" > /dev/null # 2>&1
+  # (ending slash required)
+  make install "DESTDIR=$(pwd)/pkg/" > /dev/null # 2>&1
 
   # DESTDIR= + --prefix=
-  _pkg='pkg/usr/local'
+  _pkg="pkg/${_prefix}"
 
   # Make steps for determinism