-
-
Notifications
You must be signed in to change notification settings - Fork 224
Expand file tree
/
Copy pathopenssl.sh
More file actions
executable file
·220 lines (183 loc) · 8.07 KB
/
openssl.sh
File metadata and controls
executable file
·220 lines (183 loc) · 8.07 KB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
#!/usr/bin/env bash
# Copyright (C) Viktor Szakats. See LICENSE.md
# SPDX-License-Identifier: MIT
# shellcheck disable=SC3040,SC2039
set -o xtrace -o errexit -o nounset; [ -n "${BASH:-}${ZSH_NAME:-}" ] && set -o pipefail
export _NAM _VER _OUT _BAS _DST
_NAM="$(basename "$0" | cut -f 1 -d '.')"
_VER="$1"
(
cd "${_NAM}" || exit 0
# Required on MSYS2 for pod2man and pod2html in 'make install' phase
[ "${_HOST}" = 'win' ] && export PATH="${PATH}:/usr/bin/core_perl"
readonly _ref='CHANGES.md'
case "${_HOST}" in
bsd|mac) unixts="$(TZ=UTC stat -f '%m' "${_ref}")";;
*) unixts="$(TZ=UTC stat -c '%Y' "${_ref}")";;
esac
# Build
rm -r -f "${_PKGDIR:?}" "${_BLDDIR:?}"
options=''
if [ "${_OS}" = 'win' ]; then
[ "${_CPU}" = 'x86' ] && options+=' mingw'
[ "${_CPU}" = 'x64' ] && options+=' mingw64'
[ "${_CPU}" = 'a64' ] && options+=' mingwarm64'
elif [ "${_OS}" = 'mac' ]; then
[ "${_CPU}" = 'x64' ] && options+=' darwin64-x86_64'
[ "${_CPU}" = 'a64' ] && options+=' darwin64-arm64'
elif [ "${_OS}" = 'linux' ]; then
[ "${_CPU}" = 'x64' ] && options+=' linux-x86_64'
[ "${_CPU}" = 'a64' ] && options+=' linux-aarch64'
[ "${_CPU}" = 'r64' ] && options+=' linux64-riscv64 no-asm' # FIXME: disabled ASM to avoid 'AES_set_encrypt_key' relocation errors at link time
fi
options+=" ${_LDFLAGS_GLOBAL} ${_CFLAGS_GLOBAL_CMAKE} ${_CFLAGS_GLOBAL} ${_CPPFLAGS_GLOBAL}"
if [ "${_OS}" = 'win' ]; then
options+=' -DUSE_BCRYPTGENRANDOM -lbcrypt' # default for MSVC Vista+ targets. Enable manually for mingw-w64.
fi
[ "${_CPU}" = 'x86' ] || options+=' enable-ec_nistp_64_gcc_128'
if false; then
if [ -n "${_ZLIB}" ] && [ -d "../${_ZLIB}/${_PP}" ]; then
options+=" --with-zlib-lib=${_TOP}/${_ZLIB}/${_PP}/lib"
options+=" --with-zlib-include=${_TOP}/${_ZLIB}/${_PP}/include"
options+=' zlib'
fi
if [[ "${_DEPS}" = *'brotli'* ]] && [ -d "../brotli/${_PP}" ]; then
options+=" --with-brotli-lib=${_TOP}/brotli/${_PP}/lib"
options+=" --with-brotli-include=${_TOP}/brotli/${_PP}/include"
options+=' brotli'
fi
if [[ "${_DEPS}" = *'zstd'* ]] && [ -d "../zstd/${_PP}" ]; then
options+=" --with-zstd-lib=${_TOP}/zstd/${_PP}/lib"
options+=" --with-zstd-include=${_TOP}/zstd/${_PP}/include"
options+=' zstd'
fi
else
options+=' no-comp'
fi
# TODO: consider disabling this option for all musl builds.
# Workaround for musl builds missing Linux header (as of OpenSSL v3.1.2):
# ../crypto/mem_sec.c:60:13: fatal error: linux/mman.h: No such file or directory
# Linux cross-builds from other systems (e.g. macOS) are unlikely to provide
# Linux headers.
if [ "${_CRT}" = 'musl' ] && [ "${_HOST}" != 'linux' ]; then
options+=' no-secure-memory'
fi
# Enabling `no-deprecated` requires walking a fine line. It needs:
# - libssh2 1.11.1
# - curl with an alternate system TLS-backend, it means Windows builds with Schannel
# enabled.
# Or, curl without NTLM support if there is no alternate system TLS-backend,
# e.g. on Linux and macOS.
# - other OpenSSL dependents playing well with `no-deprecated`: ngtcp2
# - other OpenSSL dependents broken with `no-deprecated`: libssh
if [[ "${_DEPS}" != *'libssh1'* && \
( \
"${_OS}" = 'win' || \
( "${_OS}" = 'mac' && "${_OSVER}" -lt '1015' ) || \
( "${_OS}" = 'linux' && "${_CONFIG}" = *'pico'* )) ]]; then
options+=' no-deprecated'
fi
export CC="${_CC_GLOBAL}"
# OpenSSL's ./Configure dumps build flags into object `crypto/cversion.o`
# via `crypto/buildin.h` generated by `util/mkbuildinf.pl`. Thus, whitespace
# changes, option order/duplicates do change binary output. Options like
# `--sysroot=` are specific to the build environment, so this feature makes
# it impossible to create reproducible binaries across build environments.
# Patch OpenSSL to omit build options from its binary:
sed -i.bak -E '/mkbuildinf/s/".+/""/' crypto/build.info
if [ "${_OS}" = 'win' ]; then
# Space or backslash not allowed. Needs to be a folder restricted
# to Administrators across Windows installations, versions and
# configurations. We do avoid using the new default prefix set since
# OpenSSL 1.1.1d, because by using the C:\Program Files*\ value, the
# prefix remains vulnerable on localized Windows versions. The default
# below gives a "more secure" configuration for most Windows installations.
# The secure solution would be to disable loading anything from hard-coded
# paths and preferably to detect OS location at runtime and adjust config
# paths accordingly; none supported by OpenSSL.
_my_prefix='C:/Windows/System32/OpenSSL'
if [ "${_OS}" != "${_HOST}" ]; then
# Hack to skip (mis-)checking for an absolute prefix using unixy rules
# while cross-building on a *nix host for Windows. For that, we must
# pass a non-empty CROSS_COMPILE value while making sure that
# CROSS_COMPILE + CC points to our compiler. Take extra care of the
# compiler options we must pass to OpenSSL in the CC value.
export CROSS_COMPILE
CROSS_COMPILE="$(dirname "$(command -v "$(echo "${CC}" | cut -d ' ' -f 1)")")/"
fi
else
_my_prefix='/etc'
fi
_ssldir='ssl'
# no-sm2-precomp: avoid a 3.2.0 optimization that makes libcrypto 0.5MB larger.
options+=' no-docs no-sm2-precomp no-quic'
export OPENSSL_LOCAL_CONFIG_DIR=''
# 'no-dso' implies 'no-dynamic-engine' which in turn compiles in these
# engines non-dynamically. To avoid them, also set `no-engine`.
if [[ "${_VER}" != '4.'* ]]; then
options+=' no-engine'
fi
(
mkdir "${_BLDDIR}"; cd "${_BLDDIR}"
# shellcheck disable=SC2086
../Configure ${options} \
no-filenames \
no-legacy \
no-apps \
no-autoload-config \
no-module \
no-dso \
no-shared \
no-srp no-nextprotoneg \
no-bf no-rc4 no-cast \
no-idea no-cmac no-rc2 no-mdc2 no-whirlpool \
no-dsa \
no-camellia no-ocb no-des no-dh no-ec2m no-gost no-md4 \
no-argon2 no-aria no-blake2 no-rmd160 no-scrypt no-siphash no-sm2 no-sm3 no-sm4 \
no-async no-cmp no-cms no-dgram no-http no-multiblock no-seed no-siv no-srtp no-ts \
no-ocsp \
no-tests \
no-makedepend \
--prefix="${_my_prefix}" \
--openssldir="${_ssldir}"
)
SOURCE_DATE_EPOCH="${unixts}" TZ=UTC make --directory="${_BLDDIR}" --jobs="${_JOBS}"
# Ending slash required.
make --directory="${_BLDDIR}" --jobs="${_JOBS}" install_sw "DESTDIR=$(pwd)/${_PKGDIR}/" >/dev/null # 2>&1
# OpenSSL 3.x does not strip the drive letter anymore:
# ./openssl/${_PKGDIR}/C:/Windows/System32/OpenSSL
# Some tools (e.g. CMake) become weird when colons appear in a filename,
# so move results to a sane, standard path:
mkdir -p "./${_PP}"
mv "${_PKGDIR}/${_my_prefix}"/* "${_PP:?}"
# Rename 'lib64'/'lib-arm64' to 'lib'. This is what most packages expect.
# Not using '--libdir=lib' because that also changes the paths hardwired
# into the binaries, making them different from default builds at runtime.
if [ -d "${_PP}/lib64" ]; then
mv "${_PP}/lib64" "${_PP}/lib"
elif [ -d "${_PP}/lib-arm64" ]; then
mv "${_PP}/lib-arm64" "${_PP}/lib"
fi
# Delete .pc files
rm -r -f "${_PP}"/lib/pkgconfig
# List files created
find "${_PP}" | grep -a -v -F '/share/' | sort
# Make steps for determinism
# shellcheck disable=SC2086
"${_STRIP_LIB}" ${_STRIPFLAGS_LIB} "${_PP}"/lib/*.a
touch -c -r "${_ref}" "${_PP}"/include/openssl/*.h
touch -c -r "${_ref}" "${_PP}"/lib/*.a
# Create package
_OUT="${_NAM}-${_VER}${_REVSUFFIX}${_PKGSUFFIX}"
_BAS="${_NAM}-${_VER}${_PKGSUFFIX}"
_DST="$(pwd)/_pkg"; rm -r -f "${_DST}"
mkdir -p "${_DST}"/include/openssl
mkdir -p "${_DST}"/lib
cp -f -p "${_PP}"/include/openssl/*.h "${_DST}"/include/openssl/
cp -f -p "${_PP}"/lib/*.a "${_DST}"/lib
cp -f -p CHANGES.md "${_DST}"/
cp -f -p LICENSE.txt "${_DST}"/
cp -f -p README.md "${_DST}"/
cp -f -p NEWS.md "${_DST}"/
../_pkg.sh "$(pwd)/${_ref}"
)