Merge pull request #4559 from BOINC/mac_build_curl_without_openssl

Mac: build curl to use Secure Transport instead of OpenSSL
2021-10-12 13:28:09 +02:00 · 2021-10-12 13:28:09 +02:00 · dfa8aed34f
parent 45c6aacbd5 e853a007d3
commit dfa8aed34f
4 changed files with 37 additions and 31 deletions
--- a/client/http_curl.cpp
+++ b/client/http_curl.cpp
@ -483,9 +483,11 @@ int HTTP_OP::libcurl_exec(
    curl_easy_setopt(curlEasy, CURLOPT_SSL_VERIFYPEER, 1L);
    //curl_easy_setopt(curlEasy, CURLOPT_SSL_VERIFYPEER, FALSE);

+    // MSW now uses schannel and Mac now uses Secure Transport
+    // so neither uses ca-bundle.crt
+#if (!defined(_WIN32) && !defined(__APPLE__))
    // if the above is nonzero, you need the following:
    //
-#ifndef _WIN32
    if (boinc_file_exists(CA_BUNDLE_FILENAME)) {
        // call this only if a local copy of ca-bundle.crt exists;
        // otherwise, let's hope that it exists in the default place
--- a/mac_build/buildcurl.sh
+++ b/mac_build/buildcurl.sh
@ -39,6 +39,8 @@
 # Updated 8/22/20 TO build Apple Silicon / arm64 and x86_64 Universal binary
 # Updated 12/24/20 for curl 7.73.0
 # Updated 5/18/21 for compatibility with zsh
+# Updated 10/11/21 to use Secure Transport instead of OpenSSL (uses MacOS certificate store 
+#   instead of ca-bundle.crt)
 #
 ## This script requires OS 10.8 or later
 #
@ -60,10 +62,14 @@
 #

 function patch_curl_config {
-    # Patch curl_config.h to not use clock_gettime(), which is
-    # defined in OS 10.12 SDK but was not available before OS 10.12.
-    # If building with an older SDK or an older version of Xcode, these
-    # patches will fail because config has already set our desired values.
+    # If building with some SDKs or version of Xcode, either or
+    # both of these patches will fail because config has already 
+    # set our desired values.
+    #
+    # The __builtin_available() function may cause problems in 
+    # static libraries or older versions of MacOS. It's unclear
+    # to me whether this is still an issue, but I'm keeping this
+    # patch in here for now to be safe. - CF 10/11/21
    rm -f /tmp/curl_config_h_diff1
    cat >> /tmp/curl_config_h_diff1 << ENDOFFILE
 --- lib/curl_config.h    2018-02-22 04:21:52.000000000 -0800
@ -81,6 +87,9 @@ ENDOFFILE
    rm -f /tmp/curl_config_h_diff1
    rm -f lib/curl_config.h.rej

+    # Patch curl_config.h to not use clock_gettime(), which is
+    # defined in OS 10.12 SDK but was not available before OS 10.12.
+    rm -f /tmp/curl_config_h_diff2
    cat >> /tmp/curl_config_h_diff2 << ENDOFFILE
 --- lib/curl_config.h    2018-02-22 04:21:52.000000000 -0800
 +++ lib/curl_config2.h.in    2018-02-22 04:30:21.000000000 -0800
@ -200,20 +209,20 @@ fi
 export PATH=/usr/local/bin:$PATH
 export CC="${GCCPATH}";export CXX="${GPPPATH}"
 export SDKROOT="${SDKPATH}"
-export MACOSX_DEPLOYMENT_TARGET=10.7
-export MAC_OS_X_VERSION_MAX_ALLOWED=1070
-export MAC_OS_X_VERSION_MIN_REQUIRED=1070
+export MACOSX_DEPLOYMENT_TARGET=10.9
+export MAC_OS_X_VERSION_MAX_ALLOWED=1090
+export MAC_OS_X_VERSION_MIN_REQUIRED=1090

 if [ "x${lprefix}" != "x" ]; then
    export LDFLAGS="-Wl,-syslibroot,${SDKPATH},-arch,x86_64"
    export CPPFLAGS="-isysroot ${SDKPATH} -arch x86_64 -stdlib=libc++"
    export CXXFLAGS="-isysroot ${SDKPATH} -arch x86_64 -stdlib=libc++"
    export CFLAGS="-isysroot ${SDKPATH} -arch x86_64"
-    PKG_CONFIG_PATH="${lprefix}/lib/pkgconfig" ./configure --prefix=${lprefix} --enable-ares --enable-shared=NO --without-libidn --without-libidn2 --without-nghttp2 --host=x86_64
+    PKG_CONFIG_PATH="${lprefix}/lib/pkgconfig" ./configure --prefix=${lprefix} --enable-ares --disable-shared --with-secure-transport --host=x86_64-apple-darwin
    if [ $? -ne 0 ]; then return 1; fi
 else
-    # Get the names of the current versions of c-ares and openssl from
-    # the dependencyNames.sh file in the same directory as this script.
+    # Get the name of the current versions of c-ares from the
+    # dependencyNames.sh file in the same directory as this script.
    myScriptPath="${BASH_SOURCE[0]}"
    if [ -z ${myScriptPath} ]; then
        myScriptPath="$0"   # for zsh
@ -232,11 +241,11 @@ else
        cd "${CURL_DIR}" || return 1
    fi

-    export LDFLAGS="-Wl,-syslibroot,${SDKPATH},-arch,x86_64 -L${CURL_DIR}/../${opensslDirName} "
-    export CPPFLAGS="-isysroot ${SDKPATH} -arch x86_64 -stdlib=libc++ -I${CURL_DIR}/../${opensslDirName}/include"
-    export CXXFLAGS="-isysroot ${SDKPATH} -arch x86_64 -stdlib=libc++ -I${CURL_DIR}/../${opensslDirName}/include"
+    export LDFLAGS="-Wl,-syslibroot,${SDKPATH},-arch,x86_64"
+    export CPPFLAGS="-isysroot ${SDKPATH} -arch x86_64 -stdlib=libc++"
+    export CXXFLAGS="-isysroot ${SDKPATH} -arch x86_64 -stdlib=libc++"
    export CFLAGS="-isysroot ${SDKPATH} -arch x86_64"
-    ./configure --enable-shared=NO --enable-ares="${libcares}" --without-libidn --without-libidn2 --without-nghttp2 --host=x86_64
+    ./configure --disable-shared --with-secure-transport --enable-ares="${libcares}" --host=x86_64-apple-darwin
    if [ $? -ne 0 ]; then return 1; fi
    echo ""
 fi
@ -263,19 +272,19 @@ if [ $GCC_can_build_arm64 = "yes" ]; then
 # for a sanity check on size of long and socklen_t. But these are  identical for
 # x86_64 and arm64, so this is not currently an issue. 
 ## cp -f ../"${caresDirName}"/ares_build_arm.h /tmp/installed-c-ares/include/ares_build.h
-
    if [ "x${lprefix}" != "x" ]; then
        export LDFLAGS="-Wl,-syslibroot,${SDKPATH},-arch,arm64"
-        export CPPFLAGS="-isysroot ${SDKPATH} -target arm64-apple-macos10.7 -stdlib=libc++"
-        export CXXFLAGS="-isysroot ${SDKPATH} -target arm64-apple-macos10.7 -stdlib=libc++"
-        export CFLAGS="-isysroot ${SDKPATH} -target arm64-apple-macos10.7"
-        PKG_CONFIG_PATH="${lprefix}/lib/pkgconfig" ./configure --prefix=${lprefix} --enable-ares --enable-shared=NO --without-libidn --without-libidn2 --without-nghttp2 --host=arm
+        export CPPFLAGS="-isysroot ${SDKPATH} -target arm64-apple-macos -stdlib=libc++"
+        export CXXFLAGS="-isysroot ${SDKPATH} -target arm64-apple-macos -stdlib=libc++"
+        export CFLAGS="-isysroot ${SDKPATH} -target arm64-apple-macos"
+        PKG_CONFIG_PATH="${lprefix}/lib/pkgconfig" ./configure --prefix=${lprefix} --enable-ares --disable-shared --with-secure-transport --host=arm-apple-darwin
    else
-        export LDFLAGS="-Wl,-syslibroot,${SDKPATH},-arch,arm64 -L${CURL_DIR}/../${opensslDirName} "
-        export CPPFLAGS="-isysroot ${SDKPATH} -target arm64-apple-macos10.7 -stdlib=libc++ -I${CURL_DIR}/../${opensslDirName}/include"
-        export CXXFLAGS="-isysroot ${SDKPATH} -target arm64-apple-macos10.7 -stdlib=libc++ -I${CURL_DIR}/../${opensslDirName}/include"
-        export CFLAGS="-isysroot ${SDKPATH} -target arm64-apple-macos10.7"
-        ./configure --enable-shared=NO --enable-ares="${libcares}" --without-libidn --without-libidn2 --without-nghttp2 --host=arm
+        export LDFLAGS="-Wl,-syslibroot,${SDKPATH},-arch,arm64"
+        export CPPFLAGS="-isysroot ${SDKPATH} -target arm64-apple-macos -stdlib=libc++"
+        export CXXFLAGS="-isysroot ${SDKPATH} -target arm64-apple-macos -stdlib=libc++"
+        export CFLAGS="-isysroot ${SDKPATH} -target arm64-apple-macos"
+        ./configure --disable-shared --with-secure-transport --enable-ares="${libcares}" --host=arm-apple-darwin
+    
        echo ""
    fi

--- a/mac_installer/release_boinc.sh
+++ b/mac_installer/release_boinc.sh
@ -55,6 +55,7 @@
 ## Updated 11/26/20 by Charlie Fenton to let installer show message if MacOS too old
 ## Updated 5/27/21 to support zsh & detecting X86_64 features emulated by Rosetta 2
 ## Updated 6/24/21 allow installing BOINC on arm64 Macs without Rosetta 2 installed
+## Updated 10/10/21 to eliminate ca-bundle.crt
 ##
 ## NOTE: This script requires Mac OS 10.7 or later, and uses XCode developer
 ##   tools.  So you must have installed XCode Developer Tools on the Mac 
@ -306,8 +307,6 @@ cd "${BOINCPath}/clientgui/skins"
 cp -fpRL Default ../../../BOINC_Installer/Pkg_Root/Library/Application\ Support/BOINC\ Data/skins/
 cd "${BOINCPath}"

-cp -fp curl/ca-bundle.crt ../BOINC_Installer/Pkg_Root/Library/Application\ Support/BOINC\ Data/
-
 cp -fp win_build/installerv2/redist/all_projects_list.xml ../BOINC_Installer/Pkg_Root/Library/Application\ Support/BOINC\ Data/installer_projects_list.xml

 cp -fp clientscr/res/boinc_logo_black.jpg ../BOINC_Installer/Pkg_Root/Library/Application\ Support/BOINC\ Data/
@ -537,7 +536,6 @@ mkdir -p ../BOINC_Installer/New_Release_$1_$2_$3/boinc_$1.$2.$3_$arch-apple-darw
 cp -fpRL "${BUILDPATH}/boinc" ../BOINC_Installer/New_Release_$1_$2_$3/boinc_$1.$2.$3_$arch-apple-darwin/move_to_boinc_dir/
 cp -fpRL "${BUILDPATH}/boinccmd" ../BOINC_Installer/New_Release_$1_$2_$3/boinc_$1.$2.$3_$arch-apple-darwin/move_to_boinc_dir/
 cp -fpRL "${BUILDPATH}/detect_rosetta_cpu" ../BOINC_Installer/New_Release_$1_$2_$3/boinc_$1.$2.$3_$arch-apple-darwin/move_to_boinc_dir/
-cp -fpRL curl/ca-bundle.crt ../BOINC_Installer/New_Release_$1_$2_$3/boinc_$1.$2.$3_$arch-apple-darwin/move_to_boinc_dir/

 mkdir -p ../BOINC_Installer/New_Release_$1_$2_$3/boinc_$1.$2.$3_$arch-apple-darwin/move_to_boinc_dir/switcher
 cp -fpRL "${BUILDPATH}/switcher" ../BOINC_Installer/New_Release_$1_$2_$3/boinc_$1.$2.$3_$arch-apple-darwin/move_to_boinc_dir/switcher/
--- a/mac_installer/release_brand.sh
+++ b/mac_installer/release_brand.sh
@ -262,8 +262,6 @@ cp -fpRL Default ../../../BOINC_Installer/Pkg_Root/Library/Application\ Support/
 cp -fpRL "${SKINDIR}" ../../../BOINC_Installer/Pkg_Root/Library/Application\ Support/BOINC\ Data/skins/
 cd "${BOINCPath}"

-cp -fp curl/ca-bundle.crt ../BOINC_Installer/Pkg_Root/Library/Application\ Support/BOINC\ Data/
-
 cp -fp win_build/installerv2/redist/all_projects_list.xml ../BOINC_Installer/Pkg_Root/Library/Application\ Support/BOINC\ Data/installer_projects_list.xml

 if [ -n "${NEWVERSIONCHECKDIR}" ]; then
@ -474,7 +472,6 @@ mkdir -p ../BOINC_Installer/New_Release_${SHORTBRANDNAME}_$1_$2_$3/${SHORTBRANDN
 cp -fpRL "${BUILDPATH}/boinc" ../BOINC_Installer/New_Release_${SHORTBRANDNAME}_$1_$2_$3/${SHORTBRANDNAME}_$1.$2.$3_$arch-apple-darwin/move_to_boinc_dir/
 cp -fpRL "${BUILDPATH}/boinccmd" ../BOINC_Installer/New_Release_${SHORTBRANDNAME}_$1_$2_$3/${SHORTBRANDNAME}_$1.$2.$3_$arch-apple-darwin/move_to_boinc_dir/
 cp -fpRL "${BUILDPATH}/detect_rosetta_cpu" ../BOINC_Installer/New_Release_${SHORTBRANDNAME}_$1_$2_$3/${SHORTBRANDNAME}_$1.$2.$3_$arch-apple-darwin/move_to_boinc_dir/
-cp -fpRL curl/ca-bundle.crt ../BOINC_Installer/New_Release_${SHORTBRANDNAME}_$1_$2_$3/${SHORTBRANDNAME}_$1.$2.$3_$arch-apple-darwin/move_to_boinc_dir/

 mkdir -p ../BOINC_Installer/New_Release_${SHORTBRANDNAME}_$1_$2_$3/${SHORTBRANDNAME}_$1.$2.$3_$arch-apple-darwin/move_to_boinc_dir/switcher
 cp -fpRL "${BUILDPATH}/switcher" ../BOINC_Installer/New_Release_${SHORTBRANDNAME}_$1_$2_$3/${SHORTBRANDNAME}_$1.$2.$3_$arch-apple-darwin/move_to_boinc_dir/switcher/