depends: Remove export of glibc 2.17 secure_getenv

Patches openssl 1.0.2's usage of secure_getenv to always use the fallback OPENSSL_issetugid() instead, to remove reliance on a higher glibc than the minimum we currently support (2.11) See depends/patches/openssl/secure_getenv.patch for a full description of the patch.
2021-09-20 04:13:52 +02:00 · 2021-09-20 04:13:52 +02:00 · cbc3aaeed8
parent 61c1cf3a3c
commit cbc3aaeed8
2 changed files with 39 additions and 0 deletions
--- a/depends/packages/openssl.mk
+++ b/depends/packages/openssl.mk
@ -4,6 +4,7 @@ $(package)_version_suffix=u
 $(package)_download_path=https://www.openssl.org/source/old/$($(package)_version)
 $(package)_file_name=$(package)-$($(package)_version)$($(package)_version_suffix).tar.gz
 $(package)_sha256_hash=ecd0c6ffb493dd06707d38b14bb4d8c2288bb7033735606569d8f90f89669d16
+$(package)_patches=secure_getenv.patch

 define $(package)_set_vars
 $(package)_config_env=AR="$($(package)_ar)" RANLIB="$($(package)_ranlib)" CC="$($(package)_cc)"
@ -58,6 +59,7 @@ $(package)_config_opts_i686_mingw32=mingw
 endef

 define $(package)_preprocess_cmds
+  patch -p1 < $($(package)_patch_dir)/secure_getenv.patch && \
  sed -i.old "/define DATE/d" util/mkbuildinf.pl && \
  sed -i.old "s|engines apps test|engines|" Makefile.org
 endef
--- a/depends/patches/openssl/secure_getenv.patch
+++ b/depends/patches/openssl/secure_getenv.patch
@ -0,0 +1,37 @@
+Solves export of glibc 2.17 secure_getenv because we support down to 2.11
+
+Patches openssl 1.0.2's usage of secure_getenv from glibc 2.17 to instead
+always use the fallback OPENSSL_issetugid(), which essentially does the
+same thing on linux, with the only difference that the glibc version makes
+decisions on startup, whereas the openssl version does the same check each
+time the environment is read.
+
+glibc check: https://sourceware.org/git/?p=glibc.git;a=blob;f=elf/enbl-secure.c;h=9e47526bd3e444e1a19a8ea9fd310b6f47c4db52;hb=HEAD
+glibc implementation: https://sourceware.org/git/?p=glibc.git;a=blob;f=stdlib/secure-getenv.c;h=a394eebcf794c1279d66e5bcb71d4b15725e6e5a;hb=HEAD
+
+openssl check: https://github.com/openssl/openssl/blob/OpenSSL_1_0_2u/crypto/uid.c
+
+This patch can be removed when glibc 2.17 is the minimum version supported
+
+Author: Patrick Lodder <patricklodder@users.noreply.github.com>
+
+diff -dur a/crypto/getenv.c b/crypto/getenv.c
+--- a/crypto/getenv.c	2019-12-20 13:02:41.000000000 +0000
+++ b/crypto/getenv.c	2021-09-20 03:02:04.125747397 +0000
+@@ -16,16 +16,7 @@
+
+ char *ossl_safe_getenv(const char *name)
+ {
+-#if defined(__GLIBC__) && defined(__GLIBC_PREREQ)
+-# if __GLIBC_PREREQ(2, 17)
+-#  define SECURE_GETENV
+-    return secure_getenv(name);
+-# endif
+-#endif
+-
+-#ifndef SECURE_GETENV
+     if (OPENSSL_issetugid())
+         return NULL;
+     return getenv(name);
+-#endif
+ }