[Git][NTPsec/ntpsec][omnisplat2] wafhelpers: (ab)Use new openssl check.
James Browning
gitlab at mg.gitlab.com
Sun Dec 20 01:03:41 UTC 2020
James Browning pushed to branch omnisplat2 at NTPsec / ntpsec
Commits:
86fe8c9e by James Browning at 2020-12-19T05:21:26-08:00
wafhelpers: (ab)Use new openssl check.
- - - - -
6 changed files:
- tests/option-tester.sh
- tests/python2-tester.sh
- tests/python3-tester.sh
- wafhelpers/openssl.py
- − wafhelpers/tlscheck.py
- wscript
Changes:
=====================================
tests/option-tester.sh
=====================================
@@ -38,7 +38,7 @@ then
DISABLE_NTS="--disable-nts"
fi
else
- if ! $PYTHON ../wafhelpers/tlscheck.py
+ if ! $PYTHON ../wafhelpers/openssl.py
then
DISABLE_NTS="--disable-nts"
fi
=====================================
tests/python2-tester.sh
=====================================
@@ -18,12 +18,26 @@ then
set -o pipefail
fi
+DISABLE_NTS=""
+if pkg-config --version 2>/dev/null 1>/dev/null
+then
+ if ! pkg-config openssl --atleast-version=1.1.1
+ then
+ DISABLE_NTS="--disable-nts"
+ fi
+else
+ if ! $PYTHON ../wafhelpers/openssl.py
+ then
+ DISABLE_NTS="--disable-nts"
+ fi
+fi
+
doit ()
{
DIR=test-$1
[ ! -d $DIR ] && mkdir $DIR
rm -rf $DIR/*
- python2 ./waf configure --out=$DIR $2 2>&1 | tee $DIR/test.log
+ python2 ./waf configure $DISABLE_NTS --out=$DIR $2 2>&1 | tee $DIR/test.log
WAF1=$?
WAF2=0
WAF3=0
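Review bot: The fallback at lines 44–47 cannot succeed: it runs `openssl.py` only when `pkg-config` is absent, yet `openssl.py`'s `__main__` path (in the wafhelpers/openssl.py hunk below) drives `fake_context.check_cc`, which itself spawns `pkg-config`, so on a host without it the script dies with an OSError and `--disable-nts` is set regardless of the OpenSSL actually installed. The two branches also disagree on the version policy: `pkg-config openssl --atleast-version=1.1.1` accepts 1.1.1a, while `configure()` in openssl.py requires `ver > 0x1010101f`, i.e. strictly newer than 1.1.1a; `--atleast-version=1.1.1b` should align them, given pkg-config's rpm-style version comparison. The identical block is added to tests/python3-tester.sh, and tests/option-tester.sh inherits the first problem through its own `openssl.py` fallback.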
=====================================
tests/python3-tester.sh
=====================================
@@ -18,12 +18,26 @@ then
set -o pipefail
fi
+DISABLE_NTS=""
+if pkg-config --version 2>/dev/null 1>/dev/null
+then
+ if ! pkg-config openssl --atleast-version=1.1.1
+ then
+ DISABLE_NTS="--disable-nts"
+ fi
+else
+ if ! $PYTHON ../wafhelpers/openssl.py
+ then
+ DISABLE_NTS="--disable-nts"
+ fi
+fi
+
doit ()
{
DIR=test-$1
[ ! -d $DIR ] && mkdir $DIR
rm -rf $DIR/*
- python3 ./waf configure --out=$DIR $2 2>&1 | tee $DIR/test.log
+ python3 ./waf configure $DISABLE_NTS --out=$DIR $2 2>&1 | tee $DIR/test.log
WAF1=$?
WAF2=0
WAF3=0
=====================================
wafhelpers/openssl.py
=====================================
@@ -1,3 +1,28 @@
+#! /usr/bin/env python
+
+"""openssl - Helper for checking SSL library bits."""
+import ctypes
+import ctypes.util
+import sys
+ver, vers = 0, []
+try:
+ tls = ctypes.CDLL(ctypes.util.find_library('ssl'))
+except OSError:
+ sys.stderr.write('Could not find SSL library.\n')
+ sys.exit(1)
+
+tls.OpenSSL_version_num.restype = ctypes.c_ulong
+tls.OpenSSL_version.argtypes = [ctypes.c_int]
+tls.OpenSSL_version.restype = ctypes.c_char_p
+
+ver = tls.OpenSSL_version_num() # unsigned long OpenSSL_version_num();
+
+_ = '%08x' % ver
+# OPENSSL_VERSION_NUMBER is a numeric release version identifier:
+# MNNFFPPS: major minor fix patch status
+for a, b in ((0, 1), (1, 3), (3, 5), (5, 7), (7, 8)):
+ vers.append(int(_[a:b], 16))
+
SNIP_LIBSSL_TLS13_CHECK = """
#include <openssl/tls1.h>
@@ -10,31 +35,110 @@ int main(void) {
}
"""
+if str is bytes:
+ polystr = str
+else:
+ def polystr(string):
+ """Convert bytes into a string."""
+ return str(string, encoding='latin-1')
+
+
+def yesno(it):
+ """Return a string depending on a (maybe) boolean."""
+ if not it:
+ return 'not found'
+ if it is True:
+ return 'yes'
+ return it
+
def check_libssl_tls13(ctx):
+ """Check if the OpenSSL define for TLS1.3 exists.."""
ctx.check_cc(
- fragment=SNIP_LIBSSL_TLS13_CHECK,
- use="SSL CRYPTO",
- msg="Checking for OpenSSL with TLSv1.3 support",
+ fragment=SNIP_LIBSSL_TLS13_CHECK,
+ use="SSL CRYPTO",
+ msg="Checking for OpenSSL with TLSv1.3 support",
)
-SNIP_OPENSSL_BAD_VERSION_CHECK = """
-#include <openssl/opensslv.h>
+def configure(cfg):
+ """Pull in modules checks."""
+ check_libssl_tls13(cfg)
+ eventual = bool(ver > 0x1010101f)
+ checks = [['Checking for OpenSSL > 1.1.1a',
+ polystr(tls.OpenSSL_version(0)).split()[1]]]
+ funcs = [
+ 'SSL_CTX_set_alpn_protos',
+ 'SSL_CTX_set_alpn_select_cb',
+ 'SSL_export_keying_material',
+ 'SSL_get0_alpn_selected',
+ ]
+ interim = None
+ for func in funcs:
+ interim = hasattr(tls, func)
+ eventual &= interim
+ checks.append(['Checking ssl for %s' % func, yesno(interim)])
+ for check in checks:
+ cfg.msg(*check)
+ if not eventual:
+ print(vars(tls))
+ cfg.fatal('missing NTS critical functionality')
-#if OPENSSL_VERSION_NUMBER == 0x1010101fL
-#error OpenSSL version must not be 1.1.1a
-#endif
-int main(void) {
- return 0;
-}
-"""
+if __name__ == '__main__':
+ # import os
+ import subprocess
+ import tempfile
+ class fake_context():
+ """Fake having a waf install so all this can run inside waf or out."""
+ right_shift = 0
-def check_openssl_bad_version(ctx):
- ctx.check_cc(
- fragment=SNIP_OPENSSL_BAD_VERSION_CHECK,
- use="SSL CRYPTO",
- msg="Checking for OpenSSL != 1.1.1a",
- )
+ def msg(self, left, right):
+ """Print out useful text messages."""
+ dent = len(left)
+ if dent > self.right_shift:
+ self.right_shift = dent
+ print('{1:{0}s} : {2:s}'.format(self.right_shift, left, right))
+
+ def fatal(self, error):
+ """Die in a fire."""
+ print(error)
+ sys.exit(1)
+
+ def check_cc(self, fragment=None, use=None, msg=None):
+ """compiler C code fragment with uses libraries printing msg.."""
+ # if not (fragment and use and message):
+ # self.fatal('Too dumb to live.')
+ dent = len(msg)
+ if dent > self.right_shift:
+ self.right_shift = dent
+ sys.stdout.write('{1:{0}s} : '.format(self.right_shift, msg))
+ Popen = subprocess.Popen
+ cflags = []
+ for lib in use:
+ p = Popen(['pkg-config', '--cflags-only-I', lib],
+ universal_newlines=True,
+ stdin=subprocess.PIPE,
+ stdout=subprocess.PIPE,
+ stderr=subprocess.PIPE)
+ if p.returncode:
+ print('no pkg-config %s\n' % lib)
+ sys.exit(1)
+ stdout, _ = p.communicate()
+ cflags.append(stdout.strip())
+ with tempfile.NamedTemporaryFile() as fp:
+ fp.write(bytes(fragment, encoding='latin-1'))
+ p = Popen(['cc', '-c'] + cflags + [fp.name],
+ universal_newlines=True,
+ stdin=subprocess.PIPE,
+ stdout=subprocess.PIPE,
+ stderr=subprocess.PIPE)
+ if p.returncode:
+ print('no compile %d\n' % p.returncode)
+ sys.exit(1)
+ print('yes')
+ return 0
+
+ context = fake_context()
+ configure(context)
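Review bot: `fake_context.check_cc` can never report a failure: `p.returncode` is read right after `Popen()` and before `communicate()`, where it is still `None`, so both `sys.exit(1)` branches are dead, and the `cc` process is never waited on at all, so the TLSv1.3 fragment check prints `yes` whatever the compiler did — in the standalone mode the tester scripts rely on, the result of `check_libssl_tls13` is therefore meaningless. The loop `for lib in use` also iterates the characters of the string `"SSL CRYPTO"`, so pkg-config is queried for `S`, `L`, a space and so on, and the temporary file is handed to `cc` unflushed and without a `.c` suffix, while `-c` leaves a stray object file in the working directory. The rewrite below waits on each process before checking its status, flushes the fragment, uses `-fsyntax-only`, and splits `use` into words (mapping waf uselib names such as `SSL` to pkg-config package names is still left to the caller); `fragment.encode('latin-1')` replaces `bytes(fragment, encoding=...)`, which raises on Python 2 where `bytes is str`. Separately, the `print(vars(tls))` on failure in `configure()` dumps ctypes internals rather than naming the missing function; the per-function lines already printed via `cfg.msg` make it redundant.
```python
        def check_cc(self, fragment=None, use=None, msg=None):
            """Compile a C fragment with the pkg-config include flags of *use*, printing *msg*."""
            # … unchanged: right_shift bookkeeping and the 'msg : ' prefix …
            cflags = []
            for lib in (use or '').split():
                p = subprocess.Popen(['pkg-config', '--cflags-only-I', lib],
                                     universal_newlines=True,
                                     stdout=subprocess.PIPE,
                                     stderr=subprocess.PIPE)
                stdout, _ = p.communicate()
                if p.returncode:
                    print('no pkg-config %s\n' % lib)
                    sys.exit(1)
                cflags.extend(stdout.split())
            with tempfile.NamedTemporaryFile(suffix='.c') as fp:
                fp.write(fragment.encode('latin-1'))
                fp.flush()  # cc reads the file by name; unflushed data is not on disk yet
                p = subprocess.Popen(['cc', '-fsyntax-only'] + cflags + [fp.name],
                                     universal_newlines=True,
                                     stdout=subprocess.PIPE,
                                     stderr=subprocess.PIPE)
                p.communicate()
            if p.returncode:
                print('no compile %d\n' % p.returncode)
                sys.exit(1)
            print('yes')
            return 0
```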
=====================================
wafhelpers/tlscheck.py deleted
=====================================
@@ -1,53 +0,0 @@
-#! /usr/bin/env python
-
-"""tlscheck - Helper for checking SSL library bits."""
-import ctypes
-import ctypes.util
-import sys
-ver, vers = 0, []
-try:
- tls = ctypes.CDLL(ctypes.util.find_library('ssl'))
-except OSError:
- sys.stderr.write('Could not find SSL library.\n')
- sys.exit(1)
-
-tls.OpenSSL_version_num.restype = ctypes.c_ulong
-tls.OpenSSL_version.argtypes = [ctypes.c_int]
-tls.OpenSSL_version.restype = ctypes.c_char_p
-
-ver = tls.OpenSSL_version_num() # unsigned long OpenSSL_version_num();
-
-_ = '%08x' % ver
-# OPENSSL_VERSION_NUMBER is a numeric release version identifier:
-# MNNFFPPS: major minor fix patch status
-for a, b in ((0, 1), (1, 3), (3, 5), (5, 7), (7, 8)):
- vers.append(int(_[a:b], 16))
-
-polystr = str
-if str is not bytes:
- def polystr(string):
- """Convert bytes into a string."""
- return str(string, encoding='latin-1')
-
-
-def ver_to_int(*va):
- """Split the version number into parts."""
- return int('%x%02x%02x%02x%x' % va, 16)
-
-
-def verstr():
- """Return SSL library version string."""
- return polystr(tls.OpenSSL_version(0))
-
-
-if __name__ == '__main__':
- if vers[0] > 2: # If notionally OpenSSL 3
- sys.exit(0)
- elif vers[0] == 2: # If notionally OpenSSL 2
- sys.exit(1)
- # OPENSSL_VERSION_NUMBER is a numeric release version identifier:
- # major minor fix patch status
- # Check if version is earlier than 1.1.1b
- if ver <= ver_to_int(1, 1, 1, 2, 15):
- sys.exit(1)
- sys.exit(0)
=====================================
wscript
=====================================
@@ -599,6 +599,7 @@ int main(int argc, char **argv) {
check_sizeof(ctx, header, sizeof)
if not ctx.options.disable_nts:
+ ctx.load('openssl', tooldir='wafhelpers/')
# Check via pkg-config first, then fall back to a direct search
if not ctx.check_cfg(
package='libssl', uselib_store='SSL',
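Review bot: The new `ctx.load('openssl', tooldir='wafhelpers/')` sits before the `check_cfg(package='libssl', uselib_store='SSL', ...)` it depends on; if waf's configure-context `load` runs the tool's `configure()` at load time, as it normally does, `check_libssl_tls13` will call `check_cc(use="SSL CRYPTO")` before the `SSL`/`CRYPTO` uselib variables exist, and the TLSv1.3 fragment is compiled without the detected include and library paths. Moving the load to after the libssl/libcrypto detection, roughly where the calls removed in the second hunk used to run, restores the ordering. Note also that loading the tool executes openssl.py's module-level code, which `sys.exit(1)`s outright if `ctypes.util.find_library('ssl')` fails and otherwise inspects whatever libssl the build host's dynamic loader resolves — presumably not the library the build links against when cross-compiling, which is worth a comment on this line. The enclosing configure function starts and ends outside the hunk.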
@@ -842,12 +843,6 @@ int main(int argc, char **argv) {
msg("WARNING: This system has a 32-bit time_t.")
msg("WARNING: Your ntpd will fail on 2038-01-19T03:14:07Z.")
- if not ctx.env.DISABLE_NTS:
- from wafhelpers.openssl import check_libssl_tls13
- from wafhelpers.openssl import check_openssl_bad_version
- check_libssl_tls13(ctx)
- check_openssl_bad_version(ctx)
-
# before write_config()
if ctx.is_defined("HAVE_LINUX_CAPABILITY"):
droproot_type = "Linux"