From 7e60138c3231203a7f61130982560b7db6ec892c Mon Sep 17 00:00:00 2001
From: Karen Arutyunov
Date: Tue, 6 Jun 2017 19:01:55 +0300
Subject: Add support for openssl-envvar module option
---
 etc/brep-module.conf | 21 +++++++++++++++++++++
 mod/build-config.cxx | 3 ++-
 mod/mod-build-result.cxx | 4 +++-
 mod/mod-build-task.cxx | 4 +++-
 mod/options.cli | 15 +++++++++++++++
 5 files changed, 44 insertions(+), 3 deletions(-)
diff --git a/etc/brep-module.conf b/etc/brep-module.conf
index 6499d4b..dd8f048 100644
--- a/etc/brep-module.conf
+++ b/etc/brep-module.conf
@@ -172,6 +172,27 @@ menu About=?about
 # openssl-option
+# Environment variable to be set (=) or unset (just ) for
+# the openssl program (see openssl for details). Repeat this option to specify
+# multiple openssl variables. Note that unspecified variables are inherited
+# from the web server process.
+#
+# You need to at least set the RANDFILE environment variable to change the
+# default location of the openssl program seed file and maybe also the
+# OPENSSL_CONF variable if you would like to use a custom openssl configuration
+# file.
+#
+# openssl-envvar RANDFILE=/home/brep/www-data-openssl.rnd
+# openssl-envvar OPENSSL_CONF=/home/brep/www-data-openssl.cnf
+#
+# To create www-data-openssl.rnd with suitable permissions, run (as user brep):
+#
+# $ touch www-data-openssl.rnd
+# $ sudo chgrp www-data www-data-openssl.rnd
+# $ chmod g+rw www-data-openssl.rnd
+#
+
+
 # Trace verbosity. Disabled by default.
 #
 # verbosity 0
diff --git a/mod/build-config.cxx b/mod/build-config.cxx
index 9e30b64..6b59e54 100644
--- a/mod/build-config.cxx
+++ b/mod/build-config.cxx
@@ -71,7 +71,8 @@ namespace brep
 p = d / de.path ();
 openssl os (p, path ("-"), 2,
- o.openssl (), "pkey",
+ process_env (o.openssl (), o.openssl_envvar ()),
+ "pkey",
 o.openssl_option (), "-pubin", "-outform", "DER");
 vector k (os.in.read_binary ());
diff --git a/mod/mod-build-result.cxx b/mod/mod-build-result.cxx
index 41bfb2b..21e1de6 100644
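Review bot: The permission recipe at the end of the hunk (`touch` followed by `chmod g+rw`) leaves www-data-openssl.rnd world-readable under the usual 022 umask, because `touch` creates the file as 0644 and `g+rw` only widens the group bits; a seed file that any local user can read undermines the reason for giving openssl its own RANDFILE in the first place. Replace the last step with `$ chmod 660 www-data-openssl.rnd` (or add `$ chmod o-rwx www-data-openssl.rnd`) so that only brep and the www-data group can reach it. If www-data-openssl.cnf is created the same way it deserves the same treatment, although group read access should be enough there since openssl only reads its configuration.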
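Review bot: The `process_env (o.openssl (), o.openssl_envvar ())` expression introduced on the first added line is repeated verbatim in mod/mod-build-result.cxx and mod/mod-build-task.cxx, so the three openssl invocations now have to be kept in sync by hand whenever the environment handling changes (an extra argument, a default for RANDFILE, validation of the `name=value` strings). A small helper taking the options object and returning the constructed process_env, called from all three sites, would give this one owner; if process_env keeps references to the strings rather than copies (not visible here), the helper must return something that owns them. Nothing in the hunk checks the envvar strings, so a configured value such as `=foo` or one containing whitespace reaches process_env as-is, and whether it is rejected there cannot be seen from this change. The enclosing function starts and ends outside the hunk.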
--- a/mod/mod-build-result.cxx
+++ b/mod/mod-build-result.cxx
@@ -293,7 +293,9 @@ handle (request& rq, response&)
 {
 openssl os (print_args, path ("-"), fdstream_mode::text, 2,
- options_->openssl (), "rsautl",
+ process_env (options_->openssl (),
+ options_->openssl_envvar ()),
+ "rsautl",
 options_->openssl_option (), "-verify", "-pubin", "-inkey", i->second);
diff --git a/mod/mod-build-task.cxx b/mod/mod-build-task.cxx
index c018b65..dc9910f 100644
--- a/mod/mod-build-task.cxx
+++ b/mod/mod-build-task.cxx
@@ -271,7 +271,9 @@ handle (request& rq, response& rs)
 openssl os (print_args, nullfd, path ("-"), 2,
- options_->openssl (), "rand",
+ process_env (options_->openssl (),
+ options_->openssl_envvar ()),
+ "rand",
 options_->openssl_option (), 64);
 vector nonce (os.in.read_binary ());
diff --git a/mod/options.cli b/mod/options.cli
index e6beb6e..7460ef7 100644
--- a/mod/options.cli
+++ b/mod/options.cli
@@ -71,6 +71,21 @@ namespace brep
 \cb{openssl} for details). Repeat this option to specify
 multiple openssl options."
 }
+
+ strings openssl-envvar
+ {
+ "[=value]",
+ "Environment variable to be set (=) or unset (just
+ ) for the openssl program (see \cb{openssl} for details).
+ Repeat this option to specify multiple openssl variables. Note
+ that unspecified variables are inherited from the web server
+ process.
+
+ You need to at least set the \cb{RANDFILE} environment variable
+ to change the default location of the openssl program seed file
+ and maybe also the \cb{OPENSSL_CONF} variable if you would like
+ to use a custom openssl configuration file."
+ }
 };
 class package_db
-- cgit v1.1
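Review bot: The description of the new `openssl-envvar` option says a bare name unsets the variable and `name=value` sets it, but it does not say how an empty name (a value beginning with `=`) or a name that itself contains `=` is treated, and as a plain `strings` option nothing in this hunk rejects such values. Either state the rule in the description, e.g. append `An empty variable name is an error.` (matching what process_env actually does, which is not visible here), or validate the value when the options are parsed so a misconfigured module fails at startup instead of on the first openssl invocation. The `[=value]` synopsis and the phrase `(just` / `)` read as if the angle-bracketed name and value placeholders were stripped in this rendering; worth confirming the committed text still shows the full `name[=value]` form.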