vcl,openssl: set SSL_CERT_FILE for bundled OpenSSL

OpenSSL may read a CA certificate file from $SSL_CERT_FILE, if the client library calls SSL_CTX_set_default_verify_paths(); python's ssl module does it but apparently libcurl does not. So split the code from commit 3fc632c0261c75fb4079a5305e814698e791f75c and set the environment variable in ImplSVMain(), hopefully before any threads are spawned; seems to work for PyMailSMTPService. This needs to have SYSTEM_OPENSSL available in a config header. Change-Id: I63b747cb61bb236cf4f605bb9858e5b0083388fe Reviewed-on: https://gerrit.libreoffice.org/c/core/+/159149 Tested-by: Jenkins Reviewed-by: Michael Stahl <michael.stahl@allotropia.de>
2023-11-08 14:50:26 +01:00
parent a2fabc78a4
commit 1472e2d68b
5 changed files with 68 additions and 22 deletions
--- a/config_host/config_crypto.h.in
+++ b/config_host/config_crypto.h.in
@@ -33,4 +33,6 @@

 #endif

+#undef SYSTEM_OPENSSL
+
 /* vim:set shiftwidth=4 softtabstop=4 expandtab cinoptions=b1,g0,N-s cinkeys+=0=break: */
--- a/configure.ac
+++ b/configure.ac
@@ -11097,6 +11097,9 @@ if test "$enable_openssl" = "yes"; then
        OPENSSL_LIBS="-lssl -lcrypto"
    else
        libo_CHECK_SYSTEM_MODULE([openssl],[OPENSSL],[openssl])
+        if test -n "${SYSTEM_OPENSSL}"; then
+            AC_DEFINE([SYSTEM_OPENSSL])
+        fi
    fi
    if test "$with_system_openssl" = "yes"; then
        AC_MSG_CHECKING([whether openssl supports SHA512])
--- a/include/curlinit.hxx
+++ b/include/curlinit.hxx
@@ -16,28 +16,7 @@
 #if defined(LINUX) && !defined(SYSTEM_CURL)
 #include <com/sun/star/uno/RuntimeException.hpp>

-#include <unistd.h>
-
-static char const* GetCABundleFile()
-{
-    // try system ones first; inspired by:
-    // https://www.happyassassin.net/posts/2015/01/12/a-note-about-ssltls-trusted-certificate-stores-and-platforms/
-    auto const candidates = {
-        "/etc/pki/tls/certs/ca-bundle.crt",
-        "/etc/pki/tls/certs/ca-bundle.trust.crt",
-        "/etc/ssl/certs/ca-certificates.crt",
-        "/var/lib/ca-certificates/ca-bundle.pem",
-    };
-    for (char const* const candidate : candidates)
-    {
-        if (access(candidate, R_OK) == 0)
-        {
-            return candidate;
-        }
-    }
-
-    throw css::uno::RuntimeException("no OpenSSL CA certificate bundle found");
-}
+#include "opensslinit.hxx"
 #endif

 static void InitCurl_easy(CURL* const pCURL)
--- a/include/opensslinit.hxx
+++ b/include/opensslinit.hxx
@@ -0,0 +1,41 @@
+/* -*- Mode: C++; tab-width: 4; indent-tabs-mode: nil; c-basic-offset: 4; fill-column: 100 -*- */
+/*
+ * This file is part of the LibreOffice project.
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ */
+
+#pragma once
+
+#include <config_crypto.h>
+
+#if defined(LINUX) && !defined(SYSTEM_OPENSSL)
+#include <com/sun/star/uno/RuntimeException.hpp>
+
+#include <unistd.h>
+
+static char const* GetCABundleFile()
+{
+    // try system ones first; inspired by:
+    // https://www.happyassassin.net/posts/2015/01/12/a-note-about-ssltls-trusted-certificate-stores-and-platforms/
+    auto const candidates = {
+        "/etc/pki/tls/certs/ca-bundle.crt",
+        "/etc/pki/tls/certs/ca-bundle.trust.crt",
+        "/etc/ssl/certs/ca-certificates.crt",
+        "/var/lib/ca-certificates/ca-bundle.pem",
+    };
+    for (char const* const candidate : candidates)
+    {
+        if (access(candidate, R_OK) == 0)
+        {
+            return candidate;
+        }
+    }
+
+    throw css::uno::RuntimeException("no OpenSSL CA certificate bundle found");
+}
+#endif
+
+/* vim:set shiftwidth=4 softtabstop=4 expandtab cinoptions=b1,g0,N-s cinkeys+=0=break: */
--- a/vcl/source/app/svmain.cxx
+++ b/vcl/source/app/svmain.cxx
@@ -82,6 +82,7 @@

 #include <config_features.h>
 #include <config_feature_opencl.h>
+#include <opensslinit.hxx>

 #include <osl/process.h>
 #include <com/sun/star/lang/XComponent.hpp>
@@ -192,6 +193,26 @@ int ImplSVMain()
    int nReturn = EXIT_FAILURE;

    const bool bWasInitVCL = IsVCLInit();
+
+#if defined(LINUX) && !defined(SYSTEM_OPENSSL)
+    if (!bWasInitVCL)
+    {
+        try // to point bundled OpenSSL to some system certificate file
+        {   // ... this only works if the client actually calls
+            // SSL_CTX_set_default_verify_paths() or similar; e.g. python ssl.
+            char const*const path = GetCABundleFile();
+            OUString constexpr name(u"SSL_CERT_FILE"_ustr);
+            OUString const filepath(::rtl::OStringToOUString(
+                ::std::string_view(path), osl_getThreadTextEncoding()));
+            osl_setEnvironment(name.pData, filepath.pData);
+        }
+        catch (uno::RuntimeException const& e)
+        {
+            SAL_WARN("vcl", e.Message);
+        }
+    }
+#endif
+
    const bool bInit = bWasInitVCL || InitVCL();
    int nRet = 0;
    if (!bWasInitVCL && bInit && pSVData->mpDefInst->SVMainHook(&nRet))