fixate openssl-probe dependency, probe env vars in perl

This fixes an issue with `openssl-probe` calling `setenv` when (issued via the `native-tls` crate with the ACME client) which crashes perl. Signed-off-by: Wolfgang Bumiller <w.bumiller@proxmox.com>
2023-12-06 11:19:30 +01:00 · 2023-12-06 11:19:30 +01:00 · 089e555d51
commit 089e555d51
parent b9185327f4
2 changed files with 85 additions and 0 deletions
--- a/common/pkg/Proxmox/Lib/Common.pm
+++ b/common/pkg/Proxmox/Lib/Common.pm
@ -40,4 +40,88 @@ BEGIN {
    }
 }

+=head1 Environment Variable Safety
+
+Perl's handling of environment variables was completely messed up until v5.38.
+Using `setenv` such as use din the `openssl-probe` crate would cause it to
+crash later on, therefore we provide a perl-version of env var probing instead,
+and override the crate with one that doesn't replace the variables if they are
+already set correctly.
+
+=cut
+
+# Copied from openssl-probe
+my @cert_dirs = (
+    "/var/ssl",
+    "/usr/share/ssl",
+    "/usr/local/ssl",
+    "/usr/local/openssl",
+    "/usr/local/etc/openssl",
+    "/usr/local/share",
+    "/usr/lib/ssl",
+    "/usr/ssl",
+    "/etc/openssl",
+    "/etc/pki/ca-trust/extracted/pem",
+    "/etc/pki/tls",
+    "/etc/ssl",
+    "/etc/certs",
+    "/opt/etc/ssl",
+    "/data/data/com.termux/files/usr/etc/tls",
+    "/boot/system/data/ssl",
+);
+
+# Copied from openssl-probe
+my @cert_file_names = (
+    "cert.pem",
+    "certs.pem",
+    "ca-bundle.pem",
+    "cacert.pem",
+    "ca-certificates.crt",
+    "certs/ca-certificates.crt",
+    "certs/ca-root-nss.crt",
+    "certs/ca-bundle.crt",
+    "CARootCertificates.pem",
+    "tls-ca-bundle.pem",
+);
+
+my sub probe_ssl_vars : prototype() {
+    my $result_file = $ENV{SSL_CERT_FILE};
+    my $result_file_changed = 0;
+    my $result_dir = $ENV{SSL_CERT_DIR};
+    my $result_dir_changed = 0;
+
+    for my $certs_dir (@cert_dirs) {
+	if (!defined($result_file)) {
+	    for my $file (@cert_file_names) {
+		my $path = "$certs_dir/$file";
+		if (-e $path) {
+		    $result_file = $path;
+		    $result_file_changed = 1;
+		    last;
+		}
+	    }
+	}
+	if (!defined($result_dir)) {
+	    for my $file (@cert_file_names) {
+		my $path = "$certs_dir/certs";
+		if (-d $path) {
+		    $result_dir = $path;
+		    $result_dir_changed = 1;
+		    last;
+		}
+	    }
+	}
+	last if defined($result_file) && defined($result_dir);
+    }
+
+    if ($result_file_changed && defined($result_file)) {
+	$ENV{SSL_CERT_FILE} = $result_file;
+    }
+    if ($result_dir_changed && defined($result_dir)) {
+	$ENV{SSL_CERT_DIR} = $result_dir;
+    }
+}
+
+probe_ssl_vars();
+
 1;
--- a/pmg-rs/debian/control
+++ b/pmg-rs/debian/control
@ -3,6 +3,7 @@ Section: perl
 Priority: optional
 Build-Depends: cargo:native <!nocheck>,
               debhelper-compat (= 13),
+               librust-openssl-probe-dev (= 0.1.5-1~bpo12+pve1),
               dh-cargo (>= 25),
               librust-anyhow-1+default-dev,
               librust-env-logger-0.10+default-dev,