diff -up comm/third_party/moz.build.D161379.diff comm/third_party/moz.build
--- comm/third_party/moz.build.D161379.diff 2022-10-14 21:45:15.000000000 +0200
+++ comm/third_party/moz.build 2022-11-10 11:49:44.194016978 +0100
@@ -11,9 +11,11 @@ if CONFIG["TB_LIBOTR_PREBUILT"]:
 if CONFIG["MZLA_LIBRNP"]:
 DIRS += [
- "botan",
 "bzip2",
 "json-c",
 "rnp",
 "zlib",
 ]
+ if CONFIG["MZLA_LIBRNP_BACKEND"] == "botan":
+ DIRS += [ "botan" ]
+
diff -up comm/third_party/openpgp.configure.D161379.diff comm/third_party/openpgp.configure
--- comm/third_party/openpgp.configure.D161379.diff 2022-11-10 11:49:37.605024129 +0100
+++ comm/third_party/openpgp.configure 2022-11-10 11:49:44.194016978 +0100
@@ -199,16 +199,136 @@ with only_when(in_tree_librnp):
 set_config("MZLA_BZIP2_CFLAGS", bzip2_flags.cflags)
 set_config("MZLA_BZIP2_LIBS", bzip2_flags.ldflags)
- # BOTAN --with-system-botan
- system_lib_option(
- "--with-system-botan",
- help="Use system Botan for librnp (located with pkgconfig)",
- )
-
- botan_pkg = pkg_check_modules(
- "MZLA_BOTAN", "botan-2 >= 2.8.0", when="--with-system-botan"
- )
- set_config("MZLA_SYSTEM_BOTAN", depends_if(botan_pkg)(lambda _: True))
+ # librnp crypto backend selection
+ option("--with-librnp-backend",
+ help="Build librnp with the selected backend: {botan, openssl}",
+ default="botan")
+
+ @depends("--with-librnp-backend")
+ def librnp_backend(backend):
+ allowed = ("botan", "openssl")
+ if backend[0] in allowed:
+ return backend[0]
+ else:
+ die(f"Unsupported librnp backend {backend[0]}.")
+
+ set_config("MZLA_LIBRNP_BACKEND", librnp_backend)
+
+ @depends(librnp_backend)
+ def rnp_botan(backend):
+ return backend == "botan"
+
+ @depends(librnp_backend)
+ def rnp_openssl(backend):
+ return backend == "openssl"
+
+ # Botan backend (--with-system-botan)
+ with only_when(rnp_botan):
+ system_lib_option(
+ "--with-system-botan",
+ help="Use system Botan for librnp (located with pkgconfig)",
+ )
+
+ botan_pkg = pkg_check_modules(
+ "MZLA_BOTAN", "botan-2 >= 2.8.0", when="--with-system-botan"
+ )
+ set_config("MZLA_SYSTEM_BOTAN", depends_if(botan_pkg)(lambda _: True))
+
+
+ # OpenSSL backend
+ with only_when(rnp_openssl):
+ option(
+ "--with-openssl",
+ nargs=1,
+ help="OpenSSL library prefix (when not found by pkgconfig)"
+ )
+ openssl_pkg = pkg_check_modules(
+ "MZLA_LIBRNP_OPENSSL",
+ "openssl > 1.1.1",
+ allow_missing=True,
+ config=False
+ )
+ @depends_if("--with-openssl", openssl_pkg)
+ @imports(_from="os.path", _import="isdir")
+ @imports(_from="os.path", _import="join")
+ def openssl_flags(openssl_prefix, openssl_pkg):
+ if openssl_prefix:
+ openssl_prefix = openssl_prefix[0]
+ include = join(openssl_prefix, "include")
+ lib
= join(openssl_prefix, "lib")
+ if not isdir(lib):
+ lib = join(openssl_prefix, "lib64")
+ if isdir(include) and isdir(lib):
+ log.info(f"Using OpenSSL at {openssl_prefix}.")
+ return namespace(
+ cflags=(f"-I{include}",),
+ ldflags=(f"-L{lib}", "-lssl", "-lcrypto"),
+ )
+ if openssl_pkg:
+ return namespace(
+ cflags=openssl_pkg.cflags,
+ ldflags=openssl_pkg.libs,
+ )
+ set_config("MZLA_LIBRNP_OPENSSL_CFLAGS", openssl_flags.cflags)
+ set_config("MZLA_LIBRNP_OPENSSL_LIBS", openssl_flags.ldflags)
+
+
+ @depends(c_compiler, openssl_flags)
+ @imports(_from="textwrap", _import="dedent")
+ def openssl_version(compiler, openssl_flags):
+ log.info("Checking for OpenSSL >= 1.1.1")
+ if openssl_flags is None:
+ die("OpenSSL not found. Must be locatable with pkg-config or use --with-openssl.")
+
+ def ossl_hexver(hex_str):
+ # See opensshlv.h for description of OPENSSL_VERSION_NUMBER
+ MIN_OSSL_VER = 0x1010100f # Version 1.1.1
+ ver_as_int = int(hex_str[:-1], 16)
+ ossl_major = (ver_as_int & 0xf0000000) >> 28
+ ossl_minor = (ver_as_int & 0x0ff00000) >> 20
+ ossl_fix = (ver_as_int & 0x000ff000) >> 12
+ ossl_patch = chr(96 + (ver_as_int & 0x00000ff0) >> 4) # as a letter a-z
+ ver_as_str = f"{ossl_major}.{ossl_minor}.{ossl_fix}{ossl_patch}"
+ if ver_as_int < MIN_OSSL_VER:
+ die(f"OpenSSL version {ver_as_str} is too old.")
+ return ver_as_str
+
+ check = dedent(
+ """\
+ #include
+ #ifdef OPENSSL_VERSION_STR
+ OPENSSL_VERSION_STR
+ #elif defined(OPENSSL_VERSION_NUMBER)
+ OPENSSL_VERSION_NUMBER
+ #else
+ #error Unable to determine OpenSSL version.
+ #endif
+ """
+ )
+ result = try_preprocess(
+ compiler.wrapper
+ + [compiler.compiler]
+ + compiler.flags
+ + list(openssl_flags.cflags),
+ "C",
+ check
+ )
+ if result:
+ openssl_ver = result.splitlines()[-1]
+ if openssl_ver.startswith("0x"):
+ # OpenSSL 1.x.x - like 0x1010107fL
+ openssl_ver = ossl_hexver(openssl_ver)
+ else:
+ # OpenSSL 3.x.x - quoted version like "3.0.7"
+ openssl_ver = openssl_ver.replace('"', "")
+ major_version = openssl_ver.split(".")[0]
+ if major_version != "3":
+ die("Unrecognized OpenSSL version {openssl_version} found. Require >= 1.1.1 or 3.x.x")
+
+ log.info(f"Found OpenSSL {openssl_ver}.")
+ return openssl_ver
+
+ set_config("MZLA_LIBRNP_OPENSSL_VERSION", openssl_version)
 # Checks for building librnp itself
 # =================================
diff -up comm/third_party/rnp/moz.build.D161379.diff comm/third_party/rnp/moz.build
--- comm/third_party/rnp/moz.build.D161379.diff 2022-11-10 11:49:43.682017534 +0100
+++ comm/third_party/rnp/moz.build 2022-11-10 11:51:22.878909880 +0100
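Review bot: In `openssl_flags`, as the hunk reads, a `--with-openssl` prefix whose `include` or `lib`/`lib64` directory is missing falls through to the pkg-config result without any message, so librnp can be built against a different OpenSSL than the one the builder named; a `die()` on that path would make the failure explicit. In `ossl_hexver`, `+` binds tighter than `>>`, so the patch letter should be computed as `chr(96 + ((ver_as_int & 0x00000ff0) >> 4))`. The last `die(...)` in `openssl_version` has no `f` prefix and names the function rather than the local, and should read `die(f"Unrecognized OpenSSL version {openssl_ver} found. Require >= 1.1.1 or 3.x.x")`. The pkg-config constraint `"openssl > 1.1.1"` excludes 1.1.1 itself although the messages say `>= 1.1.1`, so `"openssl >= 1.1.1"` looks intended, and `opensshlv.h` in the comment looks like a typo for `opensslv.h`.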
@@ -36,17 +36,53 @@ if CONFIG["CC_TYPE"] == "clang-cl":
 "/EHs",
 ]
+LOCAL_INCLUDES = [
+ "include",
+ "src",
+ "src/common",
+ "src/lib",
+]
+
+IQuote(
+ "{}/src/lib".format(OBJDIR),
+ "{}/src/lib".format(SRCDIR),
+)
+
+# Set up defines for src/lib/config.h
 rnp_defines = {
 "HAVE_BZLIB_H": True,
 "HAVE_ZLIB_H": True,
- "CRYPTO_BACKEND_OPENSSL": True,
- "ENABLE_AEAD": True,
- "ENABLE_TWOFISH": True,
- "ENABLE_BRAINPOOL": True,
 "ENABLE_IDEA": True,
 "PACKAGE_BUGREPORT": '"https://bugzilla.mozilla.org/enter_bug.cgi?product=Thunderbird"',
 "PACKAGE_STRING": '"rnp {}"'.format(CONFIG["MZLA_LIBRNP_FULL_VERSION"])
 }
+if CONFIG["MZLA_LIBRNP_BACKEND"] == "botan":
+ LOCAL_INCLUDES += ["!../botan/build/include"]
+ if CONFIG["MZLA_SYSTEM_BOTAN"]:
+ CXXFLAGS += CONFIG["MZLA_BOTAN_CFLAGS"]
+
+ rnp_defines.update({
+ "CRYPTO_BACKEND_BOTAN": True,
+ "ENABLE_AEAD": True,
+ "ENABLE_TWOFISH": True,
+ "ENABLE_BRAINPOOL": True,
+ })
+elif CONFIG["MZLA_LIBRNP_BACKEND"] == "openssl":
+ CXXFLAGS += CONFIG["MZLA_LIBRNP_OPENSSL_CFLAGS"]
+ OS_LIBS += CONFIG["MZLA_LIBRNP_OPENSSL_LIBS"]
+
+ rnp_defines.update({
+ "CRYPTO_BACKEND_OPENSSL": True,
+ # Not supported with RNP+OpenSSL https://github.com/rnpgp/rnp/issues/1642
+ "ENABLE_AEAD": False,
+ # Not supported by OpenSSL https://github.com/openssl/openssl/issues/2046
+ "ENABLE_TWOFISH": False,
+ # Supported, but not with RHEL's OpenSSL, disabled for now;
+ "ENABLE_BRAINPOOL": False,
+ })
+ if CONFIG["MZLA_LIBRNP_OPENSSL_VERSION"][0] == "3":
+ rnp_defines["CRYPTO_BACKEND_OPENSSL3"] = True
+
 GeneratedFile(
 "src/lib/config.h",
 script="/comm/python/rocbuild/process_cmake_define_files.py",
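Review bot: The `botan` branch appends `!../botan/build/include` to `LOCAL_INCLUDES` unconditionally, whereas the block this commit removes further down the file added it only in the `else:` of the `MZLA_SYSTEM_BOTAN` test. With system Botan the in-tree objdir headers would then sit on the include path beside the system CFLAGS, and a build could compile against one Botan and link another. Keeping the old shape, an `else:` followed by `LOCAL_INCLUDES += ["!../botan/build/include"]` under the `MZLA_SYSTEM_BOTAN` test, avoids that. The OpenSSL branch tests `CONFIG["MZLA_LIBRNP_OPENSSL_VERSION"][0] == "3"`, a first-character match, while the configure check splits on `"."`; `.split(".")[0] == "3"` would keep the two consistent. A short comment above the OpenSSL `rnp_defines.update` stating that this build cannot handle AEAD, Twofish or Brainpool data would help packagers who pick the backend.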
@@ -57,23 +93,6 @@ GeneratedFile(
 ],
 )
-LOCAL_INCLUDES = [
- "include",
- "src",
- "src/common",
- "src/lib",
-]
-
-IQuote(
- "{}/src/lib".format(OBJDIR),
- "{}/src/lib".format(SRCDIR),
-)
-
-if CONFIG["MZLA_SYSTEM_BOTAN"]:
- CXXFLAGS += CONFIG["MZLA_BOTAN_CFLAGS"]
-else:
- LOCAL_INCLUDES += ["!../botan/build/include"]
-
 if CONFIG["MOZ_SYSTEM_ZLIB"]:
 CXXFLAGS += CONFIG["MOZ_ZLIB_CFLAGS"]
 else:
@@ -109,29 +128,16 @@ SOURCES += [
 "src/common/time-utils.cpp",
 "src/lib/crypto.cpp",
 "src/lib/crypto/backend_version.cpp",
- "src/lib/crypto/bn.cpp",
 "src/lib/crypto/cipher.cpp",
- "src/lib/crypto/cipher_botan.cpp",
- "src/lib/crypto/dsa.cpp",
- "src/lib/crypto/ec.cpp",
 "src/lib/crypto/ec_curves.cpp",
- "src/lib/crypto/ecdh.cpp",
 "src/lib/crypto/ecdh_utils.cpp",
- "src/lib/crypto/ecdsa.cpp",
- "src/lib/crypto/eddsa.cpp",
- "src/lib/crypto/elgamal.cpp",
- "src/lib/crypto/hash.cpp",
 "src/lib/crypto/hash_common.cpp",
 "src/lib/crypto/hash_sha1cd.cpp",
- "src/lib/crypto/mem.cpp",
 "src/lib/crypto/mpi.cpp",
- "src/lib/crypto/rng.cpp",
- "src/lib/crypto/rsa.cpp",
 "src/lib/crypto/s2k.cpp",
 "src/lib/crypto/sha1cd/sha1.c",
 "src/lib/crypto/sha1cd/ubc_check.c",
 "src/lib/crypto/signatures.cpp",
- "src/lib/crypto/symmetric.cpp",
 "src/lib/fingerprint.cpp",
 "src/lib/generate-key.cpp",
 "src/lib/json-utils.cpp",
@@ -159,4 +165,40 @@ SOURCES += [
 "src/librepgp/stream-write.cpp",
 ]
+if CONFIG["MZLA_LIBRNP_BACKEND"] == "botan":
+ SOURCES += [
+ "src/lib/crypto/bn.cpp",
+ "src/lib/crypto/cipher_botan.cpp",
+ "src/lib/crypto/dsa.cpp",
+ "src/lib/crypto/ec.cpp",
+ "src/lib/crypto/ecdh.cpp",
+ "src/lib/crypto/ecdsa.cpp",
+ "src/lib/crypto/eddsa.cpp",
+ "src/lib/crypto/elgamal.cpp",
+ "src/lib/crypto/hash.cpp",
+ "src/lib/crypto/mem.cpp",
+ "src/lib/crypto/rng.cpp",
+ "src/lib/crypto/rsa.cpp",
+ "src/lib/crypto/symmetric.cpp",
+ ]
+if CONFIG["MZLA_LIBRNP_BACKEND"] == "openssl":
+ SOURCES += [
+ "src/lib/crypto/bn_ossl.cpp",
+ "src/lib/crypto/cipher_ossl.cpp",
+ "src/lib/crypto/dl_ossl.cpp",
+ "src/lib/crypto/dsa_ossl.cpp",
+ "src/lib/crypto/ec_ossl.cpp",
+ "src/lib/crypto/ecdh_ossl.cpp",
+ "src/lib/crypto/ecdsa_ossl.cpp",
+ "src/lib/crypto/eddsa_ossl.cpp",
+ "src/lib/crypto/elgamal_ossl.cpp",
+ "src/lib/crypto/hash_crc24.cpp",
+ "src/lib/crypto/hash_ossl.cpp",
+ "src/lib/crypto/mem_ossl.cpp",
+ "src/lib/crypto/rng_ossl.cpp",
+ "src/lib/crypto/rsa_ossl.cpp",
+ "src/lib/crypto/s2k_ossl.cpp",
+ "src/lib/crypto/symmetric_ossl.cpp",
+ ]
+
 DIRS += ["src/rnp", "src/rnpkeys"]
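Review bot: The second backend test in this hunk is a plain `if`, while the defines block earlier in the same file uses `if`/`elif` for the same two values; `elif CONFIG["MZLA_LIBRNP_BACKEND"] == "openssl":` would make the two source lists visibly exclusive. Neither block has an `else:`, so an unexpected backend value would leave `SOURCES` without any crypto implementation and would presumably surface only as link errors. The configure-side check in `librnp_backend` appears to be the only guard, which is worth a one-line comment here.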