* [OE-core][PATCH] curl: allow configuration of default CA bundle location
@ 2020-04-06  6:00 Jim Broadus
From: Jim Broadus @ 2020-04-06  6:00 UTC (permalink / raw)
  To: openembedded-core; +Cc: Jim Broadus

Add a CA_BUNDLE variable to set the built-in CA bundle location. By default,
don't set anything for curl-native since that target's sysconfdir is a
location in the recipe's native sysroot directory.

Signed-off-by: Jim Broadus <jbroadus@xevo.com>
---
 meta/recipes-support/curl/curl_7.69.1.bb | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)

diff --git a/meta/recipes-support/curl/curl_7.69.1.bb b/meta/recipes-support/curl/curl_7.69.1.bb
index e854e8d4bd..a291227db1 100644
--- a/meta/recipes-support/curl/curl_7.69.1.bb
+++ b/meta/recipes-support/curl/curl_7.69.1.bb
@@ -49,11 +49,15 @@ PACKAGECONFIG[threaded-resolver] = "--enable-threaded-resolver,--disable-threade
 PACKAGECONFIG[verbose] = "--enable-verbose,--disable-verbose"
 PACKAGECONFIG[zlib] = "--with-zlib=${STAGING_LIBDIR}/../,--without-zlib,zlib"
 
+DEFAULT_CA_BUNDLE = "${sysconfdir}/ssl/certs/ca-certificates.crt"
+DEFAULT_CA_BUNDLE_class-native = ""
+CA_BUNDLE ?= "${DEFAULT_CA_BUNDLE}"
+
 EXTRA_OECONF = " \
     --disable-libcurl-option \
     --disable-ntlm-wb \
     --enable-crypto-auth \
-    --with-ca-bundle=${sysconfdir}/ssl/certs/ca-certificates.crt \
+    --with-ca-bundle=${CA_BUNDLE} \
     --without-libmetalink \
     --without-libpsl \
 "
-- 
2.25.1



* Re: [OE-core][PATCH] curl: allow configuration of default CA bundle location
From: Richard Purdie @ 2020-04-06 12:00 UTC (permalink / raw)
  To: Jim Broadus, openembedded-core; +Cc: Jim Broadus

On Sun, 2020-04-05 at 23:00 -0700, Jim Broadus wrote:
> Add a CA_BUNDLE variable to set the built-in CA bundle location. By default,
> don't set anything for curl-native since that target's sysconfdir is a
> location in the recipe's native sysroot directory.
> 
> Signed-off-by: Jim Broadus <jbroadus@xevo.com>

That is a huge change in behaviour with potentially quite serious side
effects. As far as I remember we deliberately make our native utils
self contained rather than relying on the host system (which may or may
not have cert files).

We point at sysconfdir in the native case since we install ca-certificates there if I remember correctly?

Cheers,

Richard



* Re: [OE-core][PATCH] curl: allow configuration of default CA bundle location
From: jbroadus @ 2020-04-06 20:35 UTC (permalink / raw)
  To: Richard Purdie, Jim Broadus, openembedded-core

On 4/6/20 5:00 AM, Richard Purdie wrote:
> On Sun, 2020-04-05 at 23:00 -0700, Jim Broadus wrote:
>> Add a CA_BUNDLE variable to set the built-in CA bundle location. By default,
>> don't set anything for curl-native since that target's sysconfdir is a
>> location in the recipe's native sysroot directory.
>>
>> Signed-off-by: Jim Broadus <jbroadus@xevo.com>
> 
> That is a huge change in behaviour with potentially quite serious side
> effects. As far as I remember we deliberately make our native utils
> self contained rather than relying on the host system (which may or may
> not have cert files).
> 
> We point at sysconfdir in the native case since we install ca-certificates there if I remember correctly?
> 
> Cheers,
> 
> Richard
> 

Hi Richard. Currently, I don't see the certs installed in the native 
sysroot, so maybe this was broken recently. If that was the intended 
behavior, I can look for a fix for that instead.

Thanks,
Jim



* Re: [OE-core][PATCH] curl: allow configuration of default CA bundle location
From: Yann Dirson @ 2020-04-06 20:58 UTC (permalink / raw)
  To: Jim Broadus; +Cc: Richard Purdie, Jim Broadus, openembedded-core


The problem motivating this patch may be the same that motivated a hack of mine which I never cleaned up for submit: at least in some early warrior versions curl was attempting to use cacerts from the host.

This is a hand-edited copypaste and may not apply cleanly, but you should get the idea: make it so curl-native uses its own certs and not the host ones.

commit fde6fcfaae0021d33e917cae81581dbfdb6618de
Author: Yann Dirson <yann@blade-group.com>
Date:   Mon Jun 24 18:18:06 2019 +0200

    curl-native: use a wrapper script to locate cacert

diff --git a/meta-blade/recipes-support/curl/curl_%.bbappend
b/meta-blade/recipes-support/curl/curl_%.bbappend
index 01b203e..650a764 100644
--- a/meta-blade/recipes-support/curl/curl_%.bbappend
+++ b/meta-blade/recipes-support/curl/curl_%.bbappend
@@ -1,3 +1,20 @@
+# install a wrapper script to locate cacert
+
+FILESEXTRAPATHS_prepend := "${THISDIR}/files:"
+SRC_URI += "file://curl.in"
+
+do_install_append_class-native () {
+    mv ${D}${bindir}/curl ${D}${bindir}/curl.real
+    sed s:@STAGING@:${STAGING_DIR_NATIVE}: < ${WORKDIR}/curl.in >
${D}${bindir}/curl
+    chmod 755 ${D}${bindir}/curl
+}
+
+FILES_${BPN}-native += "${bindir}/curl.real"
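Review bot: the `sed s:@STAGING@:${STAGING_DIR_NATIVE}:` line in `do_install_append_class-native` bakes the sysroot path as it is at curl-native's own install time into the wrapper, but the wrapper is executed later from whichever recipe's native sysroot curl-native gets staged into, so the hard-coded location can refer to a directory belonging to a different build (possibly already cleaned) rather than to the ca-certificates staged next to the wrapper. Resolving the bundle relative to the wrapper's own location in `curl.in` (e.g. from `$(dirname "$0")`) would avoid baking any absolute path. The `sed` command and its `> ${D}${bindir}/curl` redirection are also split across two lines here, which the cover text acknowledges is hand-edited; the real script line must be a single one.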
diff --git a/meta-blade/recipes-support/curl/files/curl.in
b/meta-blade/recipes-support/curl/files/curl.in
new file mode 100644
index 0000000..cfb4456
--- /dev/null
+++ b/meta-blade/recipes-support/curl/files/curl.in
@@ -0,0 +1,2 @@
+#!/bin/sh
+exec $0.real --cacert @STAGING@/etc/ssl/certs/ca-certificates.crt "$@"
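Review bot: `exec $0.real --cacert ... "$@"` leaves `$0` unquoted, so a sysroot path containing whitespace would be word-split; write it as `exec "$0".real ...`. Note also that this wrapper only changes command-line invocations of `curl`: anything in the native sysroot that links libcurl directly still gets the library's configured default bundle, so it papers over the symptom for the `curl` program without addressing the library default the thread is discussing.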

On Mon, 6 Apr 2020 at 22:36, Jim Broadus <jbroadus@xevo.com> wrote:

> On 4/6/20 5:00 AM, Richard Purdie wrote:
> > On Sun, 2020-04-05 at 23:00 -0700, Jim Broadus wrote:
> >> Add a CA_BUNDLE variable to set the built-in CA bundle location. By
> default,
> >> don't set anything for curl-native since that target's sysconfdir is a
> >> location in the recipe's native sysroot directory.
> >>
> >> Signed-off-by: Jim Broadus <jbroadus@xevo.com>
> >
> > That is a huge change in behaviour with potentially quite serious side
> > effects. As far as I remember we deliberately make our native utils
> > self contained rather than relying on the host system (which may or may
> > not have cert files).
> >
> > We point at sysconfdir in the native case since we install ca-certificates there if I remember correctly?
> >
> > Cheers,
> >
> > Richard
> >
>
> Hi Richard. Currently, I don't see the certs installed in the native
> sysroot, so maybe this was broken recently. If that was the intended
> behavior, I can look for a fix for that instead.
>
> Thanks,
> Jim
>
> 
>


-- 
Yann Dirson <yann@blade-group.com>
Blade / Shadow -- http://shadow.tech



* Re: [OE-core][PATCH] curl: allow configuration of default CA bundle location
From: Richard Purdie @ 2020-04-06 21:06 UTC (permalink / raw)
  To: Yann Dirson, Jim Broadus; +Cc: Jim Broadus, openembedded-core

On Mon, 2020-04-06 at 22:58 +0200, Yann Dirson wrote:
> The problem motivating this patch may be the same that motivated a
> hack of mine which I never
> cleaned up for submit: at least in some early warrior versions curl
> was attempting to use cacerts
> from the host.
> 
> This is a hand-edited copypaste and may not apply cleanly, but you
> should get the idea: make it
> so curl-native uses its own certs and not the host ones.

This should have been the case from 2014:

http://git.yoctoproject.org/cgit.cgi/poky/commit/?id=92cad721d764ec28c3570dfe4a80847c3df19453

You can see fallout from that such as:

http://git.yoctoproject.org/cgit.cgi/poky/commit/?id=754a9c31232979b3f0c28906c28191af55e96be2

where we had to fix curl in nativesdk to have the certs present.

So something odd is going on somewhere but I think OE-Core is fairly
consistent and has been for a few years.

Cheers,

Richard



