1 package Proxmox::Lib::SslProbe;
2
3 use strict;
4 use warnings;
5
6 =head1 Environment Variable Safety
7
8 Perl's handling of environment variables was completely messed up until v5.38.
9 Using `setenv` such as used in the `openssl-probe` crate would cause it to
10 crash later on, therefore we provide a perl-version of env var probing instead,
11 and override the crate with one that doesn't replace the variables if they are
12 already set correctly.
13
14 =cut
15
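BEGIN {
    # Runs once at compile time, when this module is first loaded, so that
    # SSL_CERT_FILE / SSL_CERT_DIR are already in place before any Rust code
    # gets a chance to probe (and `setenv()`) them itself.
    #
    # NOTE(review): whatever is found first below becomes the CA file /
    # CA directory exported to this process, and only existence is tested
    # (-e / -d), not ownership or permissions. The candidate locations are
    # therefore assumed to be writable by privileged users only; confirm
    # this for every platform the module is deployed on.

    # Candidate base directories in priority order.
    # Copied from openssl-probe
    my @cert_dirs = (
        "/var/ssl",
        "/usr/share/ssl",
        "/usr/local/ssl",
        "/usr/local/openssl",
        "/usr/local/etc/openssl",
        "/usr/local/share",
        "/usr/lib/ssl",
        "/usr/ssl",
        "/etc/openssl",
        "/etc/pki/ca-trust/extracted/pem",
        "/etc/pki/tls",
        "/etc/ssl",
        "/etc/certs",
        "/opt/etc/ssl",
        "/data/data/com.termux/files/usr/etc/tls",
        "/boot/system/data/ssl",
    );

    # Bundle file names tried inside each base directory, in priority order.
    # Copied from openssl-probe
    my @cert_file_names = (
        "cert.pem",
        "certs.pem",
        "ca-bundle.pem",
        "cacert.pem",
        "ca-certificates.crt",
        "certs/ca-certificates.crt",
        "certs/ca-root-nss.crt",
        "certs/ca-bundle.crt",
        "CARootCertificates.pem",
        "tls-ca-bundle.pem",
    );

    # Guard so the probe body runs at most once.
    my $probed_ssl_vars = 0;

    # The algorithm here is taken from the `openssl-probe` crate and should
    # produce the exact same result in order to ensure the rust code does not
    # call `setenv()`.
    #
    # Takes no arguments and returns nothing useful; its only effect is to
    # set $ENV{SSL_CERT_FILE} and/or $ENV{SSL_CERT_DIR} when they were not
    # defined before and a matching path exists.
    #
    # A value that is already defined in the environment is kept untouched
    # and is not validated here. Only definedness is tested, so an empty
    # string also counts as "already set".
    my sub probe_ssl_vars : prototype() {
        return if $probed_ssl_vars;
        $probed_ssl_vars = 1;

        my $result_file = $ENV{SSL_CERT_FILE};
        my $result_file_changed = 0;
        my $result_dir = $ENV{SSL_CERT_DIR};
        my $result_dir_changed = 0;

        for my $certs_dir (@cert_dirs) {
            if (!defined($result_file)) {
                for my $file (@cert_file_names) {
                    my $path = "$certs_dir/$file";
                    if (-e $path) {
                        $result_file = $path;
                        $result_file_changed = 1;
                        last;
                    }
                }
            }
            if (!defined($result_dir)) {
                # The directory candidate does not depend on the bundle file
                # name, so a single check per base directory is sufficient.
                my $path = "$certs_dir/certs";
                if (-d $path) {
                    $result_dir = $path;
                    $result_dir_changed = 1;
                }
            }
            # Stop as soon as both values are known.
            last if defined($result_file) && defined($result_dir);
        }

        # Only write variables that were actually probed here, so values
        # coming from the environment are never rewritten.
        if ($result_file_changed && defined($result_file)) {
            $ENV{SSL_CERT_FILE} = $result_file;
        }
        if ($result_dir_changed && defined($result_dir)) {
            $ENV{SSL_CERT_DIR} = $result_dir;
        }
    }

    probe_ssl_vars();
}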
99
100 1;