Bump OpenSSL to 1.1.1r (#17927)

Bump the OpenSSL version used by libfido2, add a HEAD check to build-fido2-macos.sh and fix trap usage. Release notes: https://github.com/openssl/openssl/blob/OpenSSL_1_1_1r/CHANGES.
2024-10-19 16:53:57 +00:00 · 2022-11-01 11:44:34 -03:00 · 2022-11-01 11:44:34 -03:00 · 80addec0ca
parent b5db7001f7
commit 80addec0ca
2 changed files with 38 additions and 17 deletions
--- a/build.assets/Dockerfile-centos7
+++ b/build.assets/Dockerfile-centos7
@ -27,9 +27,9 @@ RUN git clone --depth=1 https://github.com/illiliti/libudev-zero.git -b 1.0.1 &&
 # Instal openssl.
 # Pulled from source because repository versions are too old.
 # install_sw install only binaries, skips docs.
-RUN git clone --depth=1 git://git.openssl.org/openssl.git -b OpenSSL_1_1_1q && \
+RUN git clone --depth=1 git://git.openssl.org/openssl.git -b OpenSSL_1_1_1r && \
    cd openssl && \
-    [ "$(git rev-parse HEAD)" = "29708a562a1887a91de0fa6ca668c71871accde9" ] && \
+    [ "$(git rev-parse HEAD)" = "fbda8a9e3b6266da377a6f57d597d657257d9cff" ] && \
    ./config --release && \
    make && \
    make install_sw
--- a/build.assets/build-fido2-macos.sh
+++ b/build.assets/build-fido2-macos.sh
@ -15,8 +15,11 @@ readonly MACOS_VERSION_MIN=10.13

 # Note: versions are the same as the corresponding git tags for each repo.
 readonly CBOR_VERSION=v0.9.0
-readonly CRYPTO_VERSION=OpenSSL_1_1_1q
+readonly CBOR_COMMIT=58b3319b8c3ec15171cb00f01a3a1e9d400899e1
+readonly CRYPTO_VERSION=OpenSSL_1_1_1r
+readonly CRYPTO_COMMIT=fbda8a9e3b6266da377a6f57d597d657257d9cff
 readonly FIDO2_VERSION=1.12.0
+readonly FIDO2_COMMIT=659a02679f99fd34a44e06e35dce90794f6ecc86

 readonly LIB_CACHE="/tmp/teleport-fido2-cache"
 readonly PKGFILE_DIR="$LIB_CACHE/fido2-${FIDO2_VERSION}_cbor-${CBOR_VERSION}_crypto-${CRYPTO_VERSION}"
@ -26,19 +29,22 @@ readonly CBOR_PATH="$LIB_CACHE/cbor-$CBOR_VERSION"
 readonly CRYPTO_PATH="$LIB_CACHE/crypto-$CRYPTO_VERSION"
 readonly FIDO2_PATH="$LIB_CACHE/fido2-$FIDO2_VERSION"

+# List of folders/files to remove on exit.
+# See cleanup and main.
+CLEANUPS=()
+
 fetch_and_build() {
  local name="$1"      # eg, cbor
  local version="$2"   # eg, v0.9.0
-  local url="$3"       # eg, https://github.com/...
-  local buildcmd="$4"  # eg, cbor_build, a bash function name
+  local commit="$3"    # eg, 58b3319b8c3ec15171cb00f01a3a1e9d400899e1
+  local url="$4"       # eg, https://github.com/...
+  local buildcmd="$5"  # eg, cbor_build, a bash function name
  echo "$name: fetch and build" >&2

  mkdir -p "$LIB_CACHE"
  local tmp=''
  tmp="$(mktemp -d "$LIB_CACHE/build.XXXXXX")"
-  # Early expansion on purpose.
-  #shellcheck disable=SC2064
-  trap "rm -fr '$tmp'" EXIT
+  CLEANUPS+=("$tmp")

  local fullname="$name-$version"
  local install_path="$tmp/$fullname"
@ -46,6 +52,13 @@ fetch_and_build() {
  cd "$tmp"
  git clone --depth=1 -b "$version" "$url"
  cd "$(ls)"  # a single folder exists at this point
+  local head
+  head="$(git rev-parse HEAD)"
+  if [[ "$head" != "$commit" ]]; then
+    echo "Found unexpected HEAD commit for $name, aborting: $head" >&2
+    exit 1
+  fi
+
  mkdir -p "$install_path"
  eval "$buildcmd '$PWD' '$install_path'"

@ -83,7 +96,8 @@ cbor_build() {

 cbor_fetch_and_build() {
  fetch_and_build \
-    cbor "$CBOR_VERSION" 'https://github.com/pjk/libcbor.git' cbor_build
+    cbor "$CBOR_VERSION" "$CBOR_COMMIT" 'https://github.com/pjk/libcbor.git' \
+    cbor_build
 }

 crypto_build() {
@ -109,7 +123,8 @@ crypto_build() {

 crypto_fetch_and_build() {
  fetch_and_build \
-    crypto "$CRYPTO_VERSION" 'https://github.com/openssl/openssl.git' \
+    crypto "$CRYPTO_VERSION" "$CRYPTO_COMMIT" \
+    'https://github.com/openssl/openssl.git' \
    crypto_build
 }

@ -135,15 +150,15 @@ fido2_build() {

 fido2_fetch_and_build() {
  fetch_and_build \
-    fido2 "$FIDO2_VERSION" 'https://github.com/Yubico/libfido2.git' fido2_build
+    fido2 "$FIDO2_VERSION" "$FIDO2_COMMIT" \
+    'https://github.com/Yubico/libfido2.git' \
+    fido2_build
 }

 fido2_compile_toy() {
  local toydir=''
  toydir="$(mktemp -d)"
-  # Early expansion on purpose.
-  #shellcheck disable=SC2064
-  trap "rm -fr '$toydir'" EXIT
+  CLEANUPS+=("$toydir")

  cat >"$toydir/toy.c" <<EOF
 #include <fido.h>
@ -184,9 +199,7 @@ build() {
  if [[ ! -f "$pkgfile" ]]; then
    local tmp=''
    tmp="$(mktemp)"  # file, not dir!
-    # Early expansion on purpose.
-    #shellcheck disable=SC2064
-    trap "rm -f '$tmp'" EXIT
+    CLEANUPS+=("$tmp")

    # Write libfido2-static.pc to tmp.
    cat >"$tmp" <<EOF
@ -212,11 +225,19 @@ EOF
  fi
 }

+cleanup() {
+  for path in "${CLEANUPS[@]}"; do
+    echo "Removing: $path" >&2
+    rm -fr "$path"
+  done
+}
+
 main() {
  if [[ $# -ne 1 ]]; then
    usage
    exit 1
  fi
+  trap cleanup EXIT

  case "$1" in
    build)