Embed the nix SSL certificate file into the resulting binary.

This writes the SSL certs to a temporary file on startup and then
uses environment variables to control OpenSSL and curl so that
they use them. We have to do this because OSX no longer ships the
normal ca pems, and we statically link with these libraries.
This commit is contained in:
Elliot Glaysher 2019-07-10 13:44:02 -07:00
parent 0657b18e14
commit 1dd274fec3
8 changed files with 54 additions and 10 deletions

View File

@ -11,7 +11,7 @@ let
deps =
with pkgs;
[ curl gmp libsigsegv ncurses openssl zlib lmdb ];
[ curl gmp libsigsegv ncurses openssl zlib lmdb cacert xxd ];
vendor =
[ argon2 softfloat3 ed25519 ent ge-additions h2o scrypt uv murmur3 secp256k1 sni ];

View File

@ -1,6 +1,6 @@
{ env_name, env, deps }:
{ ent, ge-additions, name ? "urbit", debug ? false }:
{ ent, ge-additions, cacert, xxd, name ? "urbit", debug ? false }:
let
@ -21,10 +21,12 @@ env.make_derivation {
CPU_DEBUG = debug;
EVENT_TIME_DEBUG = false;
NCURSES = env.ncurses;
SSL_CERT_FILE = "${cacert}/etc/ssl/certs/ca-bundle.crt";
name = "${name}-${env_name}";
exename = name;
src = ../../../pkg/urbit;
cross_inputs = crossdeps ++ vendor ++ [ ent ];
builder = ./release.sh;
name = "${name}-${env_name}";
exename = name;
src = ../../../pkg/urbit;
native_inputs = [ xxd ];
cross_inputs = crossdeps ++ vendor ++ [ ent ];
builder = ./release.sh;
}

View File

@ -21,7 +21,8 @@ let
urbit = env:
import ./pkgs/urbit/release.nix env
{ ent = ent env; ge-additions = ge-additions env; debug = false; name = "urbit"; };
{ ent = ent env; ge-additions = ge-additions env; cacert = nixpkgs.cacert;
xxd = nixpkgs.xxd; debug = false; name = "urbit"; };
builds-for-platform = plat:
plat.deps // {

View File

@ -3,6 +3,7 @@
#
/config.mk
include/config.h
include/ca-bundle.h
#
# Build Outputs
#

View File

@ -7,7 +7,7 @@ daemon = $(wildcard daemon/*.c)
worker = $(wildcard worker/*.c)
common = $(jets) $(noun) $(vere)
headers = $(shell find include -type f)
headers = $(shell find include -type f) include/ca-bundle.h
common_objs = $(shell echo $(common) | sed 's/\.c/.o/g')
daemon_objs = $(shell echo $(daemon) | sed 's/\.c/.o/g')
@ -22,6 +22,9 @@ all_exes = ./mug_tests jam_tests ./hashtable_tests ./urbit ./urbit-worker
# -Wall issues all types of errors. This is off (for now)
CFLAGS := $(CFLAGS)
ifeq ($(SSL_CERT_FILE),)
$(error SSL_CERT_FILE is undefined)
endif
################################################################################
@ -40,10 +43,16 @@ clean:
rm -f ./tags $(all_objs) $(all_exes)
mrproper: clean
rm -f config.mk include/config.h
rm -f config.mk include/config.h include/ca-bundle.h
################################################################################
include/ca-bundle.h:
@echo XXD -i $(SSL_CERT_FILE)
@cat $(SSL_CERT_FILE) > include/ca-bundle.crt
@xxd -i include/ca-bundle.crt > include/ca-bundle.h
@rm include/ca-bundle.crt
hashtable_tests: $(common_objs) tests/hashtable_tests.o
@echo CC -o $@
@$(CC) $^ $(LDFLAGS) -o $@

View File

@ -24,6 +24,8 @@
#include "all.h"
#include "vere/vere.h"
#include "ca-bundle.h"
/* Require unsigned char
*/
STATIC_ASSERT(( 0 == CHAR_MIN && UCHAR_MAX == CHAR_MAX ),
@ -362,6 +364,29 @@ _main_getopt(c3_i argc, c3_c** argv)
return c3y;
}
/* _setup_cert_store: writes our embedded certificate database to a temp file
*/
static void
_setup_cert_store(char* tmp_cert_file_name)
{
errno = 0;
int fd = mkstemp(tmp_cert_file_name);
if (fd < 1) {
printf("boot: failed to write local ssl temporary certificate store: %s\n",
strerror(errno));
exit(1);
}
if (-1 == write(fd, include_ca_bundle_crt, include_ca_bundle_crt_len)) {
printf("boot: failed to write local ssl temporary certificate store: %s\n",
strerror(errno));
exit(1);
}
setenv("SSL_CERT_FILE", tmp_cert_file_name, 1);
}
/* u3_ve_usage(): print usage and exit.
*/
static void
@ -677,6 +702,9 @@ main(c3_i argc,
}
// printf("vere: hostname is %s\n", u3_Host.ops_u.nam_c);
u3K.certs_c = strdup("/tmp/urbit-ca-cert-XXXXXX");
_setup_cert_store(u3K.certs_c);
if ( c3y == u3_Host.ops_u.dem && c3n == u3_Host.ops_u.bat ) {
printf("boot: running as daemon\n");
}
@ -752,5 +780,6 @@ main(c3_i argc,
u3_daemon_commence();
}
return 0;
}

View File

@ -699,6 +699,7 @@
*/
typedef struct _u3_daemon {
c3_c* soc_c; // socket name
c3_c* certs_c; // ssl certificate dump
c3_w len_w; // number used
c3_w all_w; // number allocated
u3_pier** tab_u; // pier table

View File

@ -840,6 +840,7 @@ void
_daemon_loop_exit()
{
unlink(u3K.soc_c);
unlink(u3K.certs_c);
}
/* u3_daemon_commence(): start the daemon