[glib-openssl] tls: fall back to the default openssl ca file if none is specified otherwise



commit f3e52c5ab8f09b0fb604864b302223daf692e6ef
Author: Christoph Reiter <reiter christoph gmail com>
Date:   Mon May 21 14:46:01 2018 +0200

    tls: fall back to the default openssl ca file if none is specified otherwise
    
    openssl provides X509_get_default_cert_file_env() which gives the env var (SSL_CERT_FILE)
    to use for configuring the ca file path at runtime and X509_get_default_cert_file() which
    gives a default path.
    
    Assuming openssl is properly configured this makes glib-openssl work without setting
    any path.
    
    One remaining problem on Windows is that while under MSYS2 openssl is patched to be
    relocatable this is not the case for all Windows openssl users. For that introduce
    a G_TLS_OPENSSL_HANDLE_CERT_RELOCATABLE env var which when set uses a hardcoded relative
    path, as was the default before.
    
    https://bugzilla.gnome.org/show_bug.cgi?id=795782

 tls/openssl/gtlsbackend-openssl.c |   37 +++++++++++++++++++++++--------------
 1 files changed, 23 insertions(+), 14 deletions(-)
---
diff --git a/tls/openssl/gtlsbackend-openssl.c b/tls/openssl/gtlsbackend-openssl.c
index 287404b..6515c77 100644
--- a/tls/openssl/gtlsbackend-openssl.c
+++ b/tls/openssl/gtlsbackend-openssl.c
@@ -186,23 +186,32 @@ g_tls_backend_openssl_real_create_database (GTlsBackendOpenssl  *self,
   GTlsDatabase *database;
 
 #ifdef G_OS_WIN32
-  gchar *module_dir;
-  gchar *cert_path;
+  if (g_getenv ("G_TLS_OPENSSL_HANDLE_CERT_RELOCATABLE") != NULL)
+    {
+      gchar *module_dir;
 
-  module_dir = g_win32_get_package_installation_directory_of_module (NULL);
-  cert_path = g_build_filename (module_dir, "bin", "cert.pem", NULL);
-  g_free (module_dir);
+      module_dir = g_win32_get_package_installation_directory_of_module (NULL);
+      anchor_file = g_build_filename (module_dir, "bin", "cert.pem", NULL);
+      g_free (module_dir);
+    }
+#endif
 
-  if (g_file_test (cert_path, G_FILE_TEST_IS_REGULAR))
-    anchor_file = cert_path;
-  else
-    g_free (cert_path);
-#else
-# ifdef GTLS_SYSTEM_CA_FILE
-  anchor_file = g_strdup (GTLS_SYSTEM_CA_FILE);
-# endif
+#ifdef GTLS_SYSTEM_CA_FILE
+  if (anchor_file == NULL)
+    anchor_file = g_strdup (GTLS_SYSTEM_CA_FILE);
 #endif
 
+  if (anchor_file == NULL)
+    {
+      const gchar *openssl_cert_file;
+
+      openssl_cert_file = g_getenv (X509_get_default_cert_file_env ());
+      if (openssl_cert_file == NULL)
+        openssl_cert_file = X509_get_default_cert_file ();
+
+      anchor_file = g_strdup (openssl_cert_file);
+    }
+
   database = g_tls_file_database_new (anchor_file, error);
   g_free (anchor_file);
 
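Review bot: The relocatable branch at the top of the hunk no longer verifies that the built path exists, so with G_TLS_OPENSSL_HANDLE_CERT_RELOCATABLE set a missing bin/cert.pem is handed straight to g_tls_file_database_new instead of falling through to GTLS_SYSTEM_CA_FILE or the OpenSSL default; the g_file_test guard the old code had should be kept inside the new block so the fallback chain still applies. The `if (anchor_file == NULL)` tests presume anchor_file starts out NULL, but its declaration and initialization are in the function prologue outside the hunk, so that is worth confirming. Note also that g_getenv() honours SSL_CERT_FILE unconditionally, whereas OpenSSL itself (in recent releases, as far as I recall) reads it through a secure-getenv wrapper that ignores it in privileged processes; if this backend can run in such a context, a short comment on the g_getenv line noting that difference, e.g. `/* unlike OpenSSL, g_getenv() does not ignore this in setuid processes */`, would help the next reader.
```c
  if (g_getenv ("G_TLS_OPENSSL_HANDLE_CERT_RELOCATABLE") != NULL)
    {
      gchar *module_dir;
      gchar *cert_path;

      module_dir = g_win32_get_package_installation_directory_of_module (NULL);
      cert_path = g_build_filename (module_dir, "bin", "cert.pem", NULL);
      g_free (module_dir);

      /* only use the relocatable file if it is actually present, otherwise
       * fall through to the compiled-in / OpenSSL defaults below */
      if (g_file_test (cert_path, G_FILE_TEST_IS_REGULAR))
        anchor_file = cert_path;
      else
        g_free (cert_path);
    }
/* … unchanged: GTLS_SYSTEM_CA_FILE and OpenSSL default fallbacks … */
```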

