-rw-r--r--etc/brep-module.conf21
-rw-r--r--mod/build-config.cxx3
-rw-r--r--mod/mod-build-result.cxx4
-rw-r--r--mod/mod-build-task.cxx4
-rw-r--r--mod/options.cli15
5 files changed, 44 insertions, 3 deletions
diff --git a/etc/brep-module.conf b/etc/brep-module.conf
index 6499d4b..dd8f048 100644
--- a/etc/brep-module.conf
+++ b/etc/brep-module.conf
@@ -172,6 +172,27 @@ menu About=?about
# openssl-option
+# Environment variable to be set (<name>=<value>) or unset (just <name>) for
+# the openssl program (see openssl for details). Repeat this option to specify
+# multiple openssl variables. Note that unspecified variables are inherited
+# from the web server process.
+#
+# You need to at least set the RANDFILE environment variable to change the
+# default location of the openssl program seed file and maybe also the
+# OPENSSL_CONF variable if you would like to use a custom openssl configuration
+# file.
+#
+# openssl-envvar RANDFILE=/home/brep/www-data-openssl.rnd
+# openssl-envvar OPENSSL_CONF=/home/brep/www-data-openssl.cnf
+#
+# To create www-data-openssl.rnd with suitable permissions, run (as user brep):
+#
+# $ touch www-data-openssl.rnd
+# $ sudo chgrp www-data www-data-openssl.rnd
+# $ chmod g+rw www-data-openssl.rnd
+#
+
+
# Trace verbosity. Disabled by default.
#
# verbosity 0
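Review bot: The permission recipe at the end of the hunk only covers the seed file, yet the `OPENSSL_CONF` example two lines above points openssl at a configuration file that it loads on startup, and a file writable by the www-data group would let any process in that group change what openssl loads and does for every signature check. The hunk gives no ownership or permission guidance for that file, so I would add after the `chmod g+rw` line: `# If you use OPENSSL_CONF, keep www-data-openssl.cnf owned by brep and readable but not writable by www-data.` Whether the installed openssl honours RANDFILE/OPENSSL_CONF in the way described is not verifiable from this diff.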
diff --git a/mod/build-config.cxx b/mod/build-config.cxx
index 9e30b64..6b59e54 100644
--- a/mod/build-config.cxx
+++ b/mod/build-config.cxx
@@ -71,7 +71,8 @@ namespace brep
p = d / de.path ();
openssl os (p, path ("-"), 2,
- o.openssl (), "pkey",
+ process_env (o.openssl (), o.openssl_envvar ()),
+ "pkey",
o.openssl_option (), "-pubin", "-outform", "DER");
vector<char> k (os.in.read_binary ());
diff --git a/mod/mod-build-result.cxx b/mod/mod-build-result.cxx
index 41bfb2b..21e1de6 100644
--- a/mod/mod-build-result.cxx
+++ b/mod/mod-build-result.cxx
@@ -293,7 +293,9 @@ handle (request& rq, response&)
{
openssl os (print_args,
path ("-"), fdstream_mode::text, 2,
- options_->openssl (), "rsautl",
+ process_env (options_->openssl (),
+ options_->openssl_envvar ()),
+ "rsautl",
options_->openssl_option (),
"-verify", "-pubin", "-inkey", i->second);
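Review bot: `rsautl -verify` only recovers the PKCS#1 v1.5 payload from the signature; it does not compare it with anything, so the step that actually authenticates the result is the comparison of the recovered bytes with the expected digest, which lies outside this hunk (handle() continues past the last line shown) and should be confirmed to be an exact, length-checked comparison. `rsautl` is also deprecated since OpenSSL 3.0 in favour of `pkeyutl`, which is worth recording next to the call: `// Note: rsautl is deprecated in OpenSSL 3.0+ (pkeyutl -verifyrecover is the replacement); the recovered payload must still be compared against the expected digest by the caller.`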
diff --git a/mod/mod-build-task.cxx b/mod/mod-build-task.cxx
index c018b65..dc9910f 100644
--- a/mod/mod-build-task.cxx
+++ b/mod/mod-build-task.cxx
@@ -271,7 +271,9 @@ handle (request& rq, response& rs)
openssl os (print_args,
nullfd, path ("-"), 2,
- options_->openssl (), "rand",
+ process_env (options_->openssl (),
+ options_->openssl_envvar ()),
+ "rand",
options_->openssl_option (), 64);
vector<char> nonce (os.in.read_binary ());
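Review bot: The nonce is whatever read_binary() hands back, and nothing in the hunk checks that openssl actually produced 64 bytes; if the child fails early (for example RANDFILE is not writable under the newly configurable environment) the nonce could be short or empty. If the length and the child's exit status are not checked further down (handle() continues outside the hunk), guard it with `if (nonce.size () != 64) throw invalid_request (...);` or the error type the surrounding code uses for openssl failures, since a degenerate nonce would make the challenge predictable. Whether the process class already reports a non-zero exit is not visible here.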
diff --git a/mod/options.cli b/mod/options.cli
index e6beb6e..7460ef7 100644
--- a/mod/options.cli
+++ b/mod/options.cli
@@ -71,6 +71,21 @@ namespace brep
\cb{openssl} for details). Repeat this option to specify multiple
openssl options."
}
+
+ strings openssl-envvar
+ {
+ "<name>[=value]",
+ "Environment variable to be set (<name>=<value>) or unset (just
+ <name>) for the openssl program (see \cb{openssl} for details).
+ Repeat this option to specify multiple openssl variables. Note
+ that unspecified variables are inherited from the web server
+ process.
+
+ You need to at least set the \cb{RANDFILE} environment variable
+ to change the default location of the openssl program seed file
+ and maybe also the \cb{OPENSSL_CONF} variable if you would like
+ to use a custom openssl configuration file."
+ }
};
class package_db
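Review bot: The option description leaves the `NAME=` form (an equals sign followed by nothing) undefined — readers cannot tell whether it sets the variable to the empty string or unsets it — and the parsing that decides this is not in the hunk. I would state it explicitly in the description, adjusted to what process_env actually does: `\cb{NAME=} sets the variable to an empty value; only a bare \cb{NAME} unsets it.` It would also help to say that values are passed to the openssl child verbatim, so a misconfigured `OPENSSL_CONF` path silently affects every openssl invocation the module makes.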