+openssl portable (#131)

2024-11-10 02:25:18 +03:00 · 2022-09-13 17:53:12 -04:00 · 2022-09-13 17:53:12 -04:00 · cc306dd2f8
parent adaef185d1
commit cc306dd2f8
5 changed files with 125 additions and 11 deletions
--- a/projects/openssl.org/package.yml
+++ b/projects/openssl.org/package.yml
@ -1,3 +1,7 @@
+# NOTE
+# on darwin we use Apple’s provided TLS certs at /etc/certs
+# on linux we grab the curl certs (usually these are package as ca-certificates)
+
 distributable:
  url: https://github.com/openssl/openssl/archive/refs/tags/OpenSSL_1_1_1q.tar.gz
  strip-components: 1
@ -18,26 +22,31 @@ build:
    tea.xyz/gx/make: '*'
    perl.org: 5
    curl.se: '*'  # to download ca-certs on linux
+    git-scm.org: 2
  script: |
-    ./Configure --prefix={{ prefix }} $ARCH no-tests
+    if {{ hw.platform }} = linux; then
+      git apply {{ pkg.pantry-prefix }}/x509_def.c.diff
+    fi
+
+    ./Configure --prefix={{ prefix }} $ARCH no-tests $ARGS
    make --jobs {{ hw.concurrency }}
    make install_sw  # `_sw` avoids installing docs

-    if test {{hw.platform}} = darwin; then
-      # use Apple’s certs ∵ they are very incentivized to get this right
-      rm -f "$CERTDIR"  # for building over the top FIXME DESTDIR for all
-      ln -sf /etc/ssl "$CERTDIR"
-    else
+    if test {{hw.platform}} = linux; then
      #FIXME needs to be a curl.se/ca-certs that gets updates
-      mkdir -p "$CERTDIR"
-      curl https://curl.se/ca/cacert-2022-07-19.pem -o "$CERTDIR"/cert.pem
+      mkdir -p "{{prefix}}/ssl"
+      curl -k https://curl.se/ca/cacert-2022-07-19.pem -o "{{prefix}}/ssl"/cert.pem
    fi
  env:
-    CERTDIR: ${{prefix}}/ssl
    darwin/aarch64: {ARCH: 'darwin64-arm64-cc'}
    darwin/x86-64:  {ARCH: 'darwin64-x86_64-cc'}
    linux/aarch64:  {ARCH: 'linux-aarch64'}
    linux/x86-64:   {ARCH: 'linux-x86_64'}
+    darwin:
+      ARGS: --openssldir=/etc/ssl
+
+#TODO need to test the SSL certs work
+# otherwise we are basically relying on wget etc. to test for it

 test:
  script: |
--- a/projects/openssl.org/x509_def.c.diff
+++ b/projects/openssl.org/x509_def.c.diff
@ -0,0 +1,57 @@
+diff --git a/crypto/x509/x509_def.c b/crypto/x509/x509_def.c
+index bfa8d7d..7e83bae 100644
+--- a/crypto/x509/x509_def.c
+++ b/crypto/x509/x509_def.c
+@@ -11,25 +11,48 @@
+ #include "internal/cryptlib.h"
+ #include <openssl/crypto.h>
+ #include <openssl/x509.h>
+#include <dlfcn.h>
+#include <libgen.h>
+
+const char *relocat0r(const char *suffix) {
+    Dl_info info;
+    if (dladdr(relocat0r, &info)) {
+        const char *prefix = dirname(info.dli_fname);
+        char *dir = malloc(strlen(prefix) + strlen(suffix) + 2);
+        if (dir == NULL) { return NULL; }
+        sprintf(dir, "%s/%s", prefix, suffix);
+        return dir;
+    }
+    return NULL;
+}
+
+
+ const char *X509_get_default_private_dir(void)
+ {
+-    return X509_PRIVATE_DIR;
+    static const char *dir = NULL;
+    if (!dir) dir = relocat0r("private");
+    return dir ?: X509_PRIVATE_DIR;
+ }
+
+ const char *X509_get_default_cert_area(void)
+ {
+-    return X509_CERT_AREA;
+    static const char *dir = NULL;
+    if (!dir) dir = relocat0r("ssl");
+    return dir ?: X509_CERT_AREA;
+ }
+
+ const char *X509_get_default_cert_dir(void)
+ {
+-    return X509_CERT_DIR;
+    static const char *dir = NULL;
+    if (!dir) dir = relocat0r("certs");
+    return dir ?: X509_CERT_DIR;
+ }
+
+ const char *X509_get_default_cert_file(void)
+ {
+-    return X509_CERT_FILE;
+    static const char *dir = NULL;
+    if (!dir) dir = relocat0r("cert.pem");
+    return dir ?: X509_CERT_FILE;
+ }
+
+ const char *X509_get_default_cert_dir_env(void)
--- a/scripts/bottle-all.ts
+++ b/scripts/bottle-all.ts
@ -8,7 +8,7 @@ args:
  - --allow-run
  - --allow-read
  - --allow-write={{ tea.prefix }}
-  - --allow-env=GITHUB_TOKEN
+  - --allow-env=GITHUB_TOKEN,TEA_PREFIX
  - --import-map={{ srcroot }}/import-map.json
 ---*/

--- a/scripts/bottle.ts
+++ b/scripts/bottle.ts
@ -81,7 +81,8 @@ export async function bottle({ path: kegdir, pkg }: Installation): Promise<Path>
  const filelist = kegdir
    .join(filesListName)
    .write({
-      text: relativePaths.join("\n")
+      text: relativePaths.join("\n"),
+      force: true
    })
  const tarball = useCache().bottle(pkg)

--- a/scripts/ls-aws-s3.ts
+++ b/scripts/ls-aws-s3.ts
@ -0,0 +1,47 @@
+#!/usr/bin/env -S tea -E
+
+/*---
+args:
+  - deno
+  - run
+  - --allow-env
+  - --allow-net
+  - --import-map={{ srcroot }}/import-map.json
+---*/
+
+import { S3 } from "s3"
+
+const sortByModified = Deno.args.includes("-m")
+const reverse = Deno.args.includes("-r")
+
+const s3 = new S3({
+  accessKeyID: Deno.env.get("AWS_ACCESS_KEY_ID")!,
+  secretKey: Deno.env.get("AWS_SECRET_ACCESS_KEY")!,
+  region: "us-east-1",
+})
+
+const bucket = s3.getBucket(Deno.env.get("AWS_S3_BUCKET")!)
+
+const output: FileInfo[] = []
+
+for await(const obj of bucket.listAllObjects({ batchSize: 200 })) {
+  const { key, lastModified } = obj
+  if (!key?.match(/\.tar.gz$/)) { continue }
+  output.push({ key: key!, lastModified: lastModified! })
+}
+
+output.sort((a, b) => {
+  switch (sortByModified) {
+    case true: return a.lastModified.valueOf() - b.lastModified.valueOf()
+    case false: return a.key < b.key ? -1 : 1
+  }
+})
+
+if (reverse) { output.reverse() }
+
+console.table(output)
+
+interface FileInfo {
+  key: string
+  lastModified: Date
+}