Bump OpenSSL to 1.1.1r (#17927)
Bump the OpenSSL version used by libfido2, add a HEAD check to build-fido2-macos.sh and fix trap usage. Release notes: https://github.com/openssl/openssl/blob/OpenSSL_1_1_1r/CHANGES.
parent
b5db7001f7
commit
80addec0ca
|
@ -27,9 +27,9 @@ RUN git clone --depth=1 https://github.com/illiliti/libudev-zero.git -b 1.0.1 &&
|
|||
# Instal openssl.
|
||||
# Pulled from source because repository versions are too old.
|
||||
# install_sw install only binaries, skips docs.
|
||||
RUN git clone --depth=1 git://git.openssl.org/openssl.git -b OpenSSL_1_1_1q && \
|
||||
RUN git clone --depth=1 git://git.openssl.org/openssl.git -b OpenSSL_1_1_1r && \
|
||||
cd openssl && \
|
||||
[ "$(git rev-parse HEAD)" = "29708a562a1887a91de0fa6ca668c71871accde9" ] && \
|
||||
[ "$(git rev-parse HEAD)" = "fbda8a9e3b6266da377a6f57d597d657257d9cff" ] && \
|
||||
./config --release && \
|
||||
make && \
|
||||
make install_sw
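Review bot: The new `RUN` line still clones over `git://`, which is unauthenticated and unencrypted, so the `git rev-parse HEAD` comparison two lines below it is the only integrity control on the OpenSSL sources that end up in this image. The shell script changed in this same commit (presumably build-fido2-macos.sh, going by the description) fetches the same tag and commit from `https://github.com/openssl/openssl.git`; using that URL here, `RUN git clone --depth=1 https://github.com/openssl/openssl.git -b OpenSSL_1_1_1r && \`, adds transport authentication and keeps both builds on one origin. The expected hash is now duplicated here and in `CRYPTO_COMMIT`, so a comment such as `# Keep tag and commit in sync with CRYPTO_VERSION/CRYPTO_COMMIT in build-fido2-macos.sh.` would help the next bump.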
|
||||
|
|
|
@ -15,8 +15,11 @@ readonly MACOS_VERSION_MIN=10.13
|
|||
|
||||
# Note: versions are the same as the corresponding git tags for each repo.
|
||||
readonly CBOR_VERSION=v0.9.0
|
||||
readonly CRYPTO_VERSION=OpenSSL_1_1_1q
|
||||
readonly CBOR_COMMIT=58b3319b8c3ec15171cb00f01a3a1e9d400899e1
|
||||
readonly CRYPTO_VERSION=OpenSSL_1_1_1r
|
||||
readonly CRYPTO_COMMIT=fbda8a9e3b6266da377a6f57d597d657257d9cff
|
||||
readonly FIDO2_VERSION=1.12.0
|
||||
readonly FIDO2_COMMIT=659a02679f99fd34a44e06e35dce90794f6ecc86
|
||||
|
||||
readonly LIB_CACHE="/tmp/teleport-fido2-cache"
|
||||
readonly PKGFILE_DIR="$LIB_CACHE/fido2-${FIDO2_VERSION}_cbor-${CBOR_VERSION}_crypto-${CRYPTO_VERSION}"
|
||||
|
@ -26,19 +29,22 @@ readonly CBOR_PATH="$LIB_CACHE/cbor-$CBOR_VERSION"
|
|||
readonly CRYPTO_PATH="$LIB_CACHE/crypto-$CRYPTO_VERSION"
|
||||
readonly FIDO2_PATH="$LIB_CACHE/fido2-$FIDO2_VERSION"
|
||||
|
||||
# List of folders/files to remove on exit.
|
||||
# See cleanup and main.
|
||||
CLEANUPS=()
|
||||
|
||||
fetch_and_build() {
|
||||
local name="$1" # eg, cbor
|
||||
local version="$2" # eg, v0.9.0
|
||||
local url="$3" # eg, https://github.com/...
|
||||
local buildcmd="$4" # eg, cbor_build, a bash function name
|
||||
local commit="$3" # eg, 58b3319b8c3ec15171cb00f01a3a1e9d400899e1
|
||||
local url="$4" # eg, https://github.com/...
|
||||
local buildcmd="$5" # eg, cbor_build, a bash function name
|
||||
echo "$name: fetch and build" >&2
|
||||
|
||||
mkdir -p "$LIB_CACHE"
|
||||
local tmp=''
|
||||
tmp="$(mktemp -d "$LIB_CACHE/build.XXXXXX")"
|
||||
# Early expansion on purpose.
|
||||
#shellcheck disable=SC2064
|
||||
trap "rm -fr '$tmp'" EXIT
|
||||
CLEANUPS+=("$tmp")
|
||||
|
||||
local fullname="$name-$version"
|
||||
local install_path="$tmp/$fullname"
|
||||
|
@ -46,6 +52,13 @@ fetch_and_build() {
|
|||
cd "$tmp"
|
||||
git clone --depth=1 -b "$version" "$url"
|
||||
cd "$(ls)" # a single folder exists at this point
|
||||
local head
|
||||
head="$(git rev-parse HEAD)"
|
||||
if [[ "$head" != "$commit" ]]; then
|
||||
echo "Found unexpected HEAD commit for $name, aborting: $head" >&2
|
||||
exit 1
|
||||
fi
|
||||
|
||||
mkdir -p "$install_path"
|
||||
eval "$buildcmd '$PWD' '$install_path'"
|
||||
|
||||
|
@ -83,7 +96,8 @@ cbor_build() {
|
|||
|
||||
cbor_fetch_and_build() {
|
||||
fetch_and_build \
|
||||
cbor "$CBOR_VERSION" 'https://github.com/pjk/libcbor.git' cbor_build
|
||||
cbor "$CBOR_VERSION" "$CBOR_COMMIT" 'https://github.com/pjk/libcbor.git' \
|
||||
cbor_build
|
||||
}
|
||||
|
||||
crypto_build() {
|
||||
|
@ -109,7 +123,8 @@ crypto_build() {
|
|||
|
||||
crypto_fetch_and_build() {
|
||||
fetch_and_build \
|
||||
crypto "$CRYPTO_VERSION" 'https://github.com/openssl/openssl.git' \
|
||||
crypto "$CRYPTO_VERSION" "$CRYPTO_COMMIT" \
|
||||
'https://github.com/openssl/openssl.git' \
|
||||
crypto_build
|
||||
}
|
||||
|
||||
|
@ -135,15 +150,15 @@ fido2_build() {
|
|||
|
||||
fido2_fetch_and_build() {
|
||||
fetch_and_build \
|
||||
fido2 "$FIDO2_VERSION" 'https://github.com/Yubico/libfido2.git' fido2_build
|
||||
fido2 "$FIDO2_VERSION" "$FIDO2_COMMIT" \
|
||||
'https://github.com/Yubico/libfido2.git' \
|
||||
fido2_build
|
||||
}
|
||||
|
||||
fido2_compile_toy() {
|
||||
local toydir=''
|
||||
toydir="$(mktemp -d)"
|
||||
# Early expansion on purpose.
|
||||
#shellcheck disable=SC2064
|
||||
trap "rm -fr '$toydir'" EXIT
|
||||
CLEANUPS+=("$toydir")
|
||||
|
||||
cat >"$toydir/toy.c" <<EOF
|
||||
#include <fido.h>
|
||||
|
@ -184,9 +199,7 @@ build() {
|
|||
if [[ ! -f "$pkgfile" ]]; then
|
||||
local tmp=''
|
||||
tmp="$(mktemp)" # file, not dir!
|
||||
# Early expansion on purpose.
|
||||
#shellcheck disable=SC2064
|
||||
trap "rm -f '$tmp'" EXIT
|
||||
CLEANUPS+=("$tmp")
|
||||
|
||||
# Write libfido2-static.pc to tmp.
|
||||
cat >"$tmp" <<EOF
|
||||
|
@ -212,11 +225,19 @@ EOF
|
|||
fi
|
||||
}
|
||||
|
||||
cleanup() {
|
||||
for path in "${CLEANUPS[@]}"; do
|
||||
echo "Removing: $path" >&2
|
||||
rm -fr "$path"
|
||||
done
|
||||
}
|
||||
|
||||
main() {
|
||||
if [[ $# -ne 1 ]]; then
|
||||
usage
|
||||
exit 1
|
||||
fi
|
||||
trap cleanup EXIT
|
||||
|
||||
case "$1" in
|
||||
build)
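Review bot: `cleanup` expands `"${CLEANUPS[@]}"` unguarded, and on bash older than 4.4 (macOS ships 3.2 as /bin/bash) that expansion is an "unbound variable" error when the array is empty and `set -u` is active; the script's shell options are outside the visible hunks, so this needs confirming. The empty case looks reachable, since `build` only appends to `CLEANUPS` when the pkgfile is missing and `trap cleanup EXIT` is installed in `main` before any append. A guarded loop avoids it, `for path in ${CLEANUPS[@]+"${CLEANUPS[@]}"}; do`, and a `local path` above it keeps the loop variable out of the global scope. In the `fetch_and_build` hunk, the abort message would be easier to act on if it printed the expected `$commit` next to `$head`. `main` continues past the end of the last hunk.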
|
||||
|
|