From cbc3aaeed8dfbc4dc5c257d2d5626a91a04d0309 Mon Sep 17 00:00:00 2001
From: Patrick Lodder <patricklodder@users.noreply.github.com>
Date: Mon, 20 Sep 2021 04:13:52 +0200
Subject: [PATCH] depends: Remove export of glibc 2.17 secure_getenv

Patches openssl 1.0.2's usage of secure_getenv to always use the
fallback OPENSSL_issetugid() instead, to remove reliance on a
higher glibc than the minimum we currently support (2.11)

See depends/patches/openssl/secure_getenv.patch for a full
description of the patch.
---
 depends/packages/openssl.mk                 |  2 ++
 depends/patches/openssl/secure_getenv.patch | 37 +++++++++++++++++++++
 2 files changed, 39 insertions(+)
 create mode 100644 depends/patches/openssl/secure_getenv.patch

diff --git a/depends/packages/openssl.mk b/depends/packages/openssl.mk
index c4df5cfea..2a5d1fcf3 100644
--- a/depends/packages/openssl.mk
+++ b/depends/packages/openssl.mk
@@ -4,6 +4,7 @@ $(package)_version_suffix=u
 $(package)_download_path=https://www.openssl.org/source/old/$($(package)_version)
 $(package)_file_name=$(package)-$($(package)_version)$($(package)_version_suffix).tar.gz
 $(package)_sha256_hash=ecd0c6ffb493dd06707d38b14bb4d8c2288bb7033735606569d8f90f89669d16
+$(package)_patches=secure_getenv.patch
 
 define $(package)_set_vars
 $(package)_config_env=AR="$($(package)_ar)" RANLIB="$($(package)_ranlib)" CC="$($(package)_cc)"
@@ -58,6 +59,7 @@ $(package)_config_opts_i686_mingw32=mingw
 endef
 
 define $(package)_preprocess_cmds
+  patch -p1 < $($(package)_patch_dir)/secure_getenv.patch && \
   sed -i.old "/define DATE/d" util/mkbuildinf.pl && \
   sed -i.old "s|engines apps test|engines|" Makefile.org
 endef
diff --git a/depends/patches/openssl/secure_getenv.patch b/depends/patches/openssl/secure_getenv.patch
new file mode 100644
index 000000000..5c7cf68eb
--- /dev/null
+++ b/depends/patches/openssl/secure_getenv.patch
@@ -0,0 +1,37 @@
+Solves export of glibc 2.17 secure_getenv because we support down to 2.11
+
+Patches openssl 1.0.2's usage of secure_getenv from glibc 2.17 to instead
+always use the fallback OPENSSL_issetugid(), which essentially does the
+same thing on linux, with the only difference that the glibc version makes
+decisions on startup, whereas the openssl version does the same check each
+time the environment is read.
+
+glibc check: https://sourceware.org/git/?p=glibc.git;a=blob;f=elf/enbl-secure.c;h=9e47526bd3e444e1a19a8ea9fd310b6f47c4db52;hb=HEAD
+glibc implementation: https://sourceware.org/git/?p=glibc.git;a=blob;f=stdlib/secure-getenv.c;h=a394eebcf794c1279d66e5bcb71d4b15725e6e5a;hb=HEAD
+
+openssl check: https://github.com/openssl/openssl/blob/OpenSSL_1_0_2u/crypto/uid.c
+
+This patch can be removed when glibc 2.17 is the minimum version supported
+
+Author: Patrick Lodder <patricklodder@users.noreply.github.com>
+
+diff -dur a/crypto/getenv.c b/crypto/getenv.c
+--- a/crypto/getenv.c	2019-12-20 13:02:41.000000000 +0000
++++ b/crypto/getenv.c	2021-09-20 03:02:04.125747397 +0000
+@@ -16,16 +16,7 @@
+
+ char *ossl_safe_getenv(const char *name)
+ {
+-#if defined(__GLIBC__) && defined(__GLIBC_PREREQ)
+-# if __GLIBC_PREREQ(2, 17)
+-#  define SECURE_GETENV
+-    return secure_getenv(name);
+-# endif
+-#endif
+-
+-#ifndef SECURE_GETENV
+     if (OPENSSL_issetugid())
+         return NULL;
+     return getenv(name);
+-#endif
+ }