From dbee0b6951a0cae5f37f2de8e51139a012650159 Mon Sep 17 00:00:00 2001
From: FX Coudert
Date: Sat, 30 Mar 2024 17:33:01 +0100
Subject: [PATCH] Migrate libcurl/libgit2/libssh2 to OpenSSL (#8377)
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

* LibSSH2: use OpenSSL
* LibGit2: use OpenSSL
Also, disable linking to mbedTLS
Co-authored-by: Mosè Giordano
* LibCURL: use OpenSSL
---------
Co-authored-by: Mosè Giordano
---
 L/LibCURL/LibCURL@8/build_tarballs.jl | 2 +
 L/LibCURL/common.jl | 8 +-
 L/LibGit2/build_tarballs.jl | 18 ++-
 L/LibSSH2/build_tarballs.jl | 13 ++-
 ...more-size_t-to-sync-up-with-crypto.h.patch | 105 ------------------
 5 files changed, 26 insertions(+), 120 deletions(-)
 delete mode 100644 L/LibSSH2/bundled/patches/0001-mbedtls-use-more-size_t-to-sync-up-with-crypto.h.patch

diff --git a/L/LibCURL/LibCURL@8/build_tarballs.jl b/L/LibCURL/LibCURL@8/build_tarballs.jl
index f35ea9cf02a..1889566d72d 100644
--- a/L/LibCURL/LibCURL@8/build_tarballs.jl
+++ b/L/LibCURL/LibCURL@8/build_tarballs.jl
@@ -1,3 +1,5 @@
 include("../common.jl")
 build_libcurl(ARGS, "LibCURL", v"8.7.1")
+
+# Build trigger: 2
diff --git a/L/LibCURL/common.jl b/L/LibCURL/common.jl
index a78d3b68216..a516e8e80b0 100644
--- a/L/LibCURL/common.jl
+++ b/L/LibCURL/common.jl
@@ -74,8 +74,8 @@ function build_libcurl(ARGS, name::String, version::VersionNumber)
 export CFLAGS=-mmacosx-version-min=10.11
 fi
 else
- # On all other systems, we use MbedTLS
- FLAGS+=(--with-mbedtls=${prefix})
+ # On all other systems, we use OpenSSL
+ FLAGS+=(--with-openssl)
 fi
 if false; then
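Review bot: `FLAGS+=(--with-openssl)` drops the explicit location that the replaced `--with-mbedtls=${prefix}` carried, so curl's configure now has to discover OpenSSL on its own (pkg-config, then default search paths) instead of being pointed at the OpenSSL_jll the recipe declares. Passing `--with-openssl=${prefix}` keeps the lookup pinned to the sysroot and makes a missing dependency fail at configure time rather than being resolved from whatever else is visible; this is hedged, since the sandbox's pkg-config setup is not on this page. The comment `# On all other systems, we use OpenSSL` would also carry more information if it named the systems, e.g. `# Linux/FreeBSD: use OpenSSL (Windows/macOS keep schannel/SecureTransport, handled in the branches above)`, because the new OpenSSL_jll dependency in the next hunk is filtered to exactly those two platforms. `build_libcurl` begins and ends outside this hunk.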
@@ -128,9 +128,7 @@ function build_libcurl(ARGS, name::String, version::VersionNumber)
 Dependency("LibSSH2_jll"),
 Dependency("Zlib_jll"),
 Dependency("nghttp2_jll"),
- # Note that while we unconditionally list MbedTLS as a dependency,
- # we default to schannel/SecureTransport on Windows/MacOS.
- Dependency("MbedTLS_jll"; compat="~2.28.0", platforms=filter(p->Sys.islinux(p) || Sys.isfreebsd(p), platforms)),
+ Dependency("OpenSSL_jll"; compat="3.0.8", platforms=filter(p->Sys.islinux(p) || Sys.isfreebsd(p), platforms)),
 # Dependency("Kerberos_krb5_jll"; platforms=filter(p->Sys.islinux(p) || Sys.isfreebsd(p), platforms)),
 BuildDependency(PackageSpec(name="LLVMCompilerRT_jll", uuid="4e17d02c-6bf5-513e-be62-445f41c75a11", version=llvm_version); platforms=filter(p -> sanitize(p)=="memory", platforms)),
diff --git a/L/LibGit2/build_tarballs.jl b/L/LibGit2/build_tarballs.jl
index 9d36d1ea646..b5797eeee8a 100644
--- a/L/LibGit2/build_tarballs.jl
+++ b/L/LibGit2/build_tarballs.jl
@@ -17,10 +17,18 @@ BUILD_FLAGS=(
 -DCMAKE_BUILD_TYPE=Release
 -DUSE_THREADS=ON
 -DUSE_BUNDLED_ZLIB=ON
+ -DUSE_HTTPS=OpenSSL
+ -DUSE_SHA1=CollisionDetection
 -DUSE_SSH=ON
 -DBUILD_CLI=OFF
 "-DCMAKE_INSTALL_PREFIX=${prefix}"
 "-DCMAKE_TOOLCHAIN_FILE="${CMAKE_TARGET_TOOLCHAIN}""
+ # Make sure we don't link to mbedTLS:
+ # .
+ # TODO: this hack can be removed when we'll link to a newer version of libssh2 which
+ # doesn't link to mbedTLS.
+ -DLIBSSH2_LDFLAGS="-L${libdir};-lssh2"
+ -DLIBSSH2_LIBRARIES="ssh2"
 )
 if [[ ${bb_full_target} == *-sanitize+memory* ]]; then
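Review bot: The two removed comment lines were the only place that explained why this dependency is filtered to Linux/FreeBSD (Windows and macOS default to schannel/SecureTransport), and the new `Dependency("OpenSSL_jll"; compat="3.0.8", platforms=...)` line keeps the filter but loses the explanation. The same `compat="3.0.8"` is introduced for LibGit2 and LibSSH2 further down this page; since LibCURL also depends on `LibSSH2_jll` (context line above), both libraries resolve OpenSSL_jll inside the same process, and if the three compat ranges ever drift into different OpenSSL majors two OpenSSL ABIs could end up loaded side by side. Suggest restoring a comment on this line such as `# OpenSSL only on Linux/FreeBSD (Windows/macOS use schannel/SecureTransport); keep this compat identical to LibSSH2 and LibGit2, which share the process` and mirroring the lockstep remark in the LibGit2 and LibSSH2 dependency hunks below.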
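Review bot: `-DUSE_HTTPS=OpenSSL` and `-DUSE_SHA1=CollisionDetection` are now passed for every target, whereas the branch removed in the next hunk applied them only on Linux/FreeBSD; together with the unconditional `OpenSSL_jll` dependency added later in this file, Windows and macOS builds appear to move off the platform TLS stack, and its OS certificate store, onto OpenSSL. That is a trust-model change for consumers: with the OpenSSL backend libgit2 only trusts the CA bundle or path that the embedding application configures, so a caller that relied on system certificates would have to set certificate locations explicitly (hedged, the consumer is not visible here). A comment next to the flag such as `# OpenSSL on every platform, including Windows/macOS: TLS trust comes from the CA bundle the caller configures, not the OS store` would record the decision. Separately, the line `+ # .` under "Make sure we don't link to mbedTLS:" is an empty reference and should carry the link it stands for, e.g. `# <link to the mbedTLS-linking issue>`.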
@@ -37,9 +45,11 @@ if [[ ${target} == *-mingw* ]]; then
 # For some reason, CMake fails to find libssh2 using pkg-config.
 BUILD_FLAGS+=(-Dssh2_RESOLVED=${bindir}/libssh2.dll)
-elif [[ ${target} == *linux* ]] || [[ ${target} == *freebsd* ]]; then
- # If we're on Linux or FreeBSD, explicitly ask for mbedTLS instead of OpenSSL
- BUILD_FLAGS+=(-DUSE_HTTPS=mbedTLS -DUSE_SHA1=CollisionDetection -DCMAKE_INSTALL_RPATH="\$ORIGIN")
+fi
+
+# Necessary for cmake to find openssl on Windows
+if [[ ${target} == x86_64-*-mingw* ]]; then
+ export OPENSSL_ROOT_DIR=${prefix}/lib64
 fi
 mkdir build && cd build
@@ -63,8 +73,8 @@ llvm_version = v"13.0.1"
 # Dependencies that must be installed before this package can be built
 dependencies = [
- Dependency("MbedTLS_jll"; compat="~2.28.0"),
 Dependency("LibSSH2_jll"; compat="1.11.0"),
+ Dependency("OpenSSL_jll"; compat="3.0.8"),
 BuildDependency(PackageSpec(name="LLVMCompilerRT_jll", uuid="4e17d02c-6bf5-513e-be62-445f41c75a11", version=llvm_version); platforms=filter(p -> sanitize(p)=="memory", platforms)),
 ]
diff --git a/L/LibSSH2/build_tarballs.jl b/L/LibSSH2/build_tarballs.jl
index 999423d3e67..8d1db876a3c 100644
--- a/L/LibSSH2/build_tarballs.jl
+++ b/L/LibSSH2/build_tarballs.jl
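Review bot: Removing the `elif` branch also removes `-DCMAKE_INSTALL_RPATH="\$ORIGIN"` for Linux/FreeBSD, and the new unconditional BUILD_FLAGS in the previous hunk do not re-add it; unless the post-build audit rewrites the rpath anyway (likely, but not visible on this page), the installed libgit2 may no longer resolve the sibling libssh2 and OpenSSL libraries from `${libdir}`. If dropping it is deliberate, a one-line comment saying so would stop someone re-adding it; otherwise carry `-DCMAKE_INSTALL_RPATH="\$ORIGIN"` into the BUILD_FLAGS array. The new comment `# Necessary for cmake to find openssl on Windows` overstates its guard, which only matches `x86_64-*-mingw*`; something like `# x86_64 Windows only: OpenSSL_jll lands under lib64 there, which FindOpenSSL presumably does not search by default` describes what the code does. The same comment/guard pair is added in the LibSSH2 hunk below.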
@@ -9,24 +9,25 @@ version = v"1.11.0"
 sources = [
 ArchiveSource("https://github.com/libssh2/libssh2/releases/download/libssh2-$(version)/libssh2-$(version).tar.gz", "3736161e41e2693324deb38c26cfdc3efe6209d634ba4258db1cecff6a5ad461"),
- DirectorySource("./bundled"),
 ]
 # Bash recipe for building across all platforms
 script = raw"""
 cd $WORKSPACE/srcdir/libssh2*/
-# Apply patch from https://github.com/libssh2/libssh2/pull/1054
-atomic_patch -p1 ../patches/0001-mbedtls-use-more-size_t-to-sync-up-with-crypto.h.patch
-
 if [[ ${bb_full_target} == *-sanitize+memory* ]]; then
 # Install msan runtime (for clang)
 cp -rL ${libdir}/linux/* /opt/x86_64-linux-musl/lib/clang/*/lib/linux/
 fi
+# Necessary for cmake to find openssl on Windows
+if [[ ${target} == x86_64-*-mingw* ]]; then
+ export OPENSSL_ROOT_DIR=${prefix}/lib64
+fi
+
 BUILD_FLAGS=(
 -DCMAKE_BUILD_TYPE=Release
- -DCRYPTO_BACKEND=mbedTLS
+ -DCRYPTO_BACKEND=OpenSSL
 -DBUILD_SHARED_LIBS=ON
 -DBUILD_STATIC_LIBS=OFF
 -DBUILD_EXAMPLES=OFF
@@ -57,7 +58,7 @@ llvm_version = v"13.0.1"
 # Dependencies that must be installed before this package can be built
 dependencies = [
- Dependency("MbedTLS_jll"; compat="~2.28.0"),
+ Dependency("OpenSSL_jll"; compat="3.0.8"),
 BuildDependency(PackageSpec(name="LLVMCompilerRT_jll", uuid="4e17d02c-6bf5-513e-be62-445f41c75a11", version=llvm_version); platforms=filter(p -> sanitize(p)=="memory", platforms)),
 ]
diff --git a/L/LibSSH2/bundled/patches/0001-mbedtls-use-more-size_t-to-sync-up-with-crypto.h.patch b/L/LibSSH2/bundled/patches/0001-mbedtls-use-more-size_t-to-sync-up-with-crypto.h.patch
deleted file mode 100644
index 502adf6bdf4..00000000000
--- a/L/LibSSH2/bundled/patches/0001-mbedtls-use-more-size_t-to-sync-up-with-crypto.h.patch
+++ /dev/null
@@ -1,105 +0,0 @@ -From 6cad964056848d3d78ccc74600fbff6298baddcb Mon Sep 17 00:00:00 2001 -From: Viktor Szakats -Date: Tue, 30 May 2023 17:28:03 +0000 -Subject: [PATCH 1/1] mbedtls: use more size_t to sync up with crypto.h - -Ref: 5a96f494ee0b00282afb2db2e091246fc5e1774a #846 #879 - -Fixes #1053 -Closes #1054 ---- - src/mbedtls.c | 14 ++++++++------ - src/mbedtls.h | 13 ++++++------- - 2 files changed, 14 insertions(+), 13 deletions(-) - -diff --git a/src/mbedtls.c b/src/mbedtls.c -index e387cdb..cd14a4b 100644 ---- a/src/mbedtls.c -+++ b/src/mbedtls.c -@@ -186,7 +186,7 @@ _libssh2_mbedtls_cipher_dtor(_libssh2_cipher_ctx *ctx) - int - _libssh2_mbedtls_hash_init(mbedtls_md_context_t *ctx, - mbedtls_md_type_t mdtype, -- const unsigned char *key, unsigned long keylen) -+ const unsigned char *key, size_t keylen) - { - const mbedtls_md_info_t *md_info; - int ret, hmac; -@@ -221,7 +221,7 @@ _libssh2_mbedtls_hash_final(mbedtls_md_context_t *ctx, unsigned char *hash) - } - - int --_libssh2_mbedtls_hash(const unsigned char *data, unsigned long datalen, -+_libssh2_mbedtls_hash(const unsigned char *data, size_t datalen, - mbedtls_md_type_t mdtype, unsigned char *hash) - { - const mbedtls_md_info_t *md_info; -@@ -497,8 +497,9 @@ int - _libssh2_mbedtls_rsa_sha2_verify(libssh2_rsa_ctx * rsactx, - size_t hash_len, - const unsigned char *sig, -- unsigned long sig_len, -- const unsigned char *m, unsigned long m_len) -+ size_t sig_len, -+ const unsigned char *m, -+ size_t m_len) - { - int ret; - int md_type; -@@ -548,8 +549,9 @@ _libssh2_mbedtls_rsa_sha2_verify(libssh2_rsa_ctx * rsactx, - int - _libssh2_mbedtls_rsa_sha1_verify(libssh2_rsa_ctx * rsactx, - const unsigned char *sig, -- unsigned long sig_len, -- const unsigned char *m, unsigned long m_len) -+ size_t sig_len, -+ const unsigned char *m, -+ size_t m_len) - { - return _libssh2_mbedtls_rsa_sha2_verify(rsactx, SHA_DIGEST_LENGTH, - sig, sig_len, m, m_len); -diff --git a/src/mbedtls.h b/src/mbedtls.h -index d9592f7..03484da 
100644 ---- a/src/mbedtls.h -+++ b/src/mbedtls.h -@@ -478,12 +478,12 @@ _libssh2_mbedtls_cipher_dtor(_libssh2_cipher_ctx *ctx); - int - _libssh2_mbedtls_hash_init(mbedtls_md_context_t *ctx, - mbedtls_md_type_t mdtype, -- const unsigned char *key, unsigned long keylen); -+ const unsigned char *key, size_t keylen); - - int - _libssh2_mbedtls_hash_final(mbedtls_md_context_t *ctx, unsigned char *hash); - int --_libssh2_mbedtls_hash(const unsigned char *data, unsigned long datalen, -+_libssh2_mbedtls_hash(const unsigned char *data, size_t datalen, - mbedtls_md_type_t mdtype, unsigned char *hash); - - _libssh2_bn * -@@ -526,9 +526,8 @@ _libssh2_mbedtls_rsa_new_private_frommemory(libssh2_rsa_ctx **rsa, - int - _libssh2_mbedtls_rsa_sha1_verify(libssh2_rsa_ctx *rsa, - const unsigned char *sig, -- unsigned long sig_len, -- const unsigned char *m, -- unsigned long m_len); -+ size_t sig_len, -+ const unsigned char *m, size_t m_len); - int - _libssh2_mbedtls_rsa_sha1_sign(LIBSSH2_SESSION *session, - libssh2_rsa_ctx *rsa, -@@ -540,8 +539,8 @@ int - _libssh2_mbedtls_rsa_sha2_verify(libssh2_rsa_ctx * rsactx, - size_t hash_len, - const unsigned char *sig, -- unsigned long sig_len, -- const unsigned char *m, unsigned long m_len); -+ size_t sig_len, -+ const unsigned char *m, size_t m_len); - int - _libssh2_mbedtls_rsa_sha2_sign(LIBSSH2_SESSION *session, - libssh2_rsa_ctx *rsa, --- -2.31.0 -