From 85b9494d96161cd0800efb6c254b3a4573df860b Mon Sep 17 00:00:00 2001
From: Charlie Fenton
Date: Mon, 11 Oct 2021 04:04:03 -0700
Subject: [PATCH 1/2] Mac curl: build curl to use Secure Transport instead of OpenSSL so it uses MacOS maintained certificates instead of ca-bundle.crt

---
 client/http_curl.cpp | 11 -------
 mac_build/buildcurl.sh | 57 ++++++++++++++++++++--------------
 mac_installer/release_boinc.sh | 4 +--
 mac_installer/release_brand.sh | 3 --
 4 files changed, 34 insertions(+), 41 deletions(-)

diff --git a/client/http_curl.cpp b/client/http_curl.cpp
index b5b43cf76b..85b57cb6b2 100644
--- a/client/http_curl.cpp
+++ b/client/http_curl.cpp
@@ -483,17 +483,6 @@ int HTTP_OP::libcurl_exec(
     curl_easy_setopt(curlEasy, CURLOPT_SSL_VERIFYPEER, 1L);
     //curl_easy_setopt(curlEasy, CURLOPT_SSL_VERIFYPEER, FALSE);
 
-    // if the above is nonzero, you need the following:
-    //
-#ifndef _WIN32
-    if (boinc_file_exists(CA_BUNDLE_FILENAME)) {
-        // call this only if a local copy of ca-bundle.crt exists;
-        // otherwise, let's hope that it exists in the default place
-        //
-        curl_easy_setopt(curlEasy, CURLOPT_CAINFO, CA_BUNDLE_FILENAME);
-    }
-#endif
-
     // set the user agent as this boinc client & version
     //
     curl_easy_setopt(curlEasy, CURLOPT_USERAGENT, g_user_agent_string);
diff --git a/mac_build/buildcurl.sh b/mac_build/buildcurl.sh
index 29f02a1240..1c8c7a4715 100644
--- a/mac_build/buildcurl.sh
+++ b/mac_build/buildcurl.sh
@@ -39,6 +39,8 @@
 # Updated 8/22/20 TO build Apple Silicon / arm64 and x86_64 Universal binary
 # Updated 12/24/20 for curl 7.73.0
 # Updated 5/18/21 for compatibility with zsh
+# Updated 10/11/21 to use Secure Transport instead of OpenSSL (uses MacOS certificate store
+# instead of ca-bundle.crt)
 #
 ## This script requires OS 10.8 or later
 #
@@ -60,10 +62,14 @@ # function patch_curl_config { - # Patch curl_config.h to not use clock_gettime(), which is - # defined in OS 10.12 SDK but was not available before OS 10.12. - # If building with an older SDK or an older version of Xcode, these - # patches will fail because config has already set our desired values. + # If building with some SDKs or version of Xcode, either or + # both of these patches will fail because config has already + # set our desired values. + # + # The __builtin_available() function may cause problems in + # static libraries or older versions of MacOS. It's unclear + # to me whether this is still an issue, but I'm keeping this + # patch in here for now to be safe. - CF 10/11/21 rm -f /tmp/curl_config_h_diff1 cat >> /tmp/curl_config_h_diff1 << ENDOFFILE --- lib/curl_config.h 2018-02-22 04:21:52.000000000 -0800 @@ -81,6 +87,9 @@ ENDOFFILE rm -f /tmp/curl_config_h_diff1 rm -f lib/curl_config.h.rej + # Patch curl_config.h to not use clock_gettime(), which is + # defined in OS 10.12 SDK but was not available before OS 10.12. + rm -f /tmp/curl_config_h_diff2 cat >> /tmp/curl_config_h_diff2 << ENDOFFILE --- lib/curl_config.h 2018-02-22 04:21:52.000000000 -0800 +++ lib/curl_config2.h.in 2018-02-22 04:30:21.000000000 -0800 
@@ -200,20 +209,20 @@ fi
 export PATH=/usr/local/bin:$PATH
 export CC="${GCCPATH}";export CXX="${GPPPATH}"
 export SDKROOT="${SDKPATH}"
-export MACOSX_DEPLOYMENT_TARGET=10.7
-export MAC_OS_X_VERSION_MAX_ALLOWED=1070
-export MAC_OS_X_VERSION_MIN_REQUIRED=1070
+export MACOSX_DEPLOYMENT_TARGET=10.9
+export MAC_OS_X_VERSION_MAX_ALLOWED=1090
+export MAC_OS_X_VERSION_MIN_REQUIRED=1090
 
 if [ "x${lprefix}" != "x" ]; then
     export LDFLAGS="-Wl,-syslibroot,${SDKPATH},-arch,x86_64"
     export CPPFLAGS="-isysroot ${SDKPATH} -arch x86_64 -stdlib=libc++"
     export CXXFLAGS="-isysroot ${SDKPATH} -arch x86_64 -stdlib=libc++"
     export CFLAGS="-isysroot ${SDKPATH} -arch x86_64"
-    PKG_CONFIG_PATH="${lprefix}/lib/pkgconfig" ./configure --prefix=${lprefix} --enable-ares --enable-shared=NO --without-libidn --without-libidn2 --without-nghttp2 --host=x86_64
+    PKG_CONFIG_PATH="${lprefix}/lib/pkgconfig" ./configure --prefix=${lprefix} --enable-ares --disable-shared --with-secure-transport --host=x86_64-apple-darwin
     if [ $? -ne 0 ]; then return 1; fi
 else
-    # Get the names of the current versions of c-ares and openssl from
-    # the dependencyNames.sh file in the same directory as this script.
+    # Get the name of the current versions of c-ares from the
+    # dependencyNames.sh file in the same directory as this script.
     myScriptPath="${BASH_SOURCE[0]}"
     if [ -z ${myScriptPath} ]; then
         myScriptPath="$0"     # for zsh
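Review bot: The rewritten configure line drops `--without-libidn --without-libidn2 --without-nghttp2` together with the OpenSSL flags, so configure now auto-detects whatever libidn2, nghttp2 or other optional libraries happen to be installed under /usr/local or ${lprefix} on the build machine, and the static libcurl's feature set and dynamic-library dependencies become a property of the build host rather than of this script. For a release build that is hard to reproduce and can silently pull a third-party dylib into the shipped client; unless those features are now intended, keep the exclusions: `PKG_CONFIG_PATH="${lprefix}/lib/pkgconfig" ./configure --prefix=${lprefix} --enable-ares --disable-shared --with-secure-transport --without-libidn2 --without-nghttp2 --host=x86_64-apple-darwin`. The same applies to the other three configure lines in this file (the x86_64 non-prefix branch in the next hunk and both arm64 branches in the -263 hunk). The deployment-target bump from 10.7 to 10.9 is not mentioned in the commit message or the header comment; a line in the "Updated" history recording why Secure Transport requires it would help the next maintainer. The if/else block opened here continues past the end of the hunk.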
@@ -232,11 +241,11 @@ else
         cd "${CURL_DIR}" || return 1
     fi
 
-    export LDFLAGS="-Wl,-syslibroot,${SDKPATH},-arch,x86_64 -L${CURL_DIR}/../${opensslDirName} "
-    export CPPFLAGS="-isysroot ${SDKPATH} -arch x86_64 -stdlib=libc++ -I${CURL_DIR}/../${opensslDirName}/include"
-    export CXXFLAGS="-isysroot ${SDKPATH} -arch x86_64 -stdlib=libc++ -I${CURL_DIR}/../${opensslDirName}/include"
+    export LDFLAGS="-Wl,-syslibroot,${SDKPATH},-arch,x86_64"
+    export CPPFLAGS="-isysroot ${SDKPATH} -arch x86_64 -stdlib=libc++"
+    export CXXFLAGS="-isysroot ${SDKPATH} -arch x86_64 -stdlib=libc++"
     export CFLAGS="-isysroot ${SDKPATH} -arch x86_64"
-    ./configure --enable-shared=NO --enable-ares="${libcares}" --without-libidn --without-libidn2 --without-nghttp2 --host=x86_64
+    ./configure --disable-shared --with-secure-transport --enable-ares="${libcares}" --host=x86_64-apple-darwin
     if [ $? -ne 0 ]; then return 1; fi
     echo ""
 fi
@@ -263,19 +272,19 @@ if [ $GCC_can_build_arm64 = "yes" ]; then # for a sanity check on size of long and socklen_t. But these are identical for # x86_64 and arm64, so this is not currently an issue. ## cp -f ../"${caresDirName}"/ares_build_arm.h /tmp/installed-c-ares/include/ares_build.h - if [ "x${lprefix}" != "x" ]; then export LDFLAGS="-Wl,-syslibroot,${SDKPATH},-arch,arm64" - export CPPFLAGS="-isysroot ${SDKPATH} -target arm64-apple-macos10.7 -stdlib=libc++" - export CXXFLAGS="-isysroot ${SDKPATH} -target arm64-apple-macos10.7 -stdlib=libc++" - export CFLAGS="-isysroot ${SDKPATH} -target arm64-apple-macos10.7" - PKG_CONFIG_PATH="${lprefix}/lib/pkgconfig" ./configure --prefix=${lprefix} --enable-ares --enable-shared=NO --without-libidn --without-libidn2 --without-nghttp2 --host=arm + export CPPFLAGS="-isysroot ${SDKPATH} -target arm64-apple-macos -stdlib=libc++" + export CXXFLAGS="-isysroot ${SDKPATH} -target arm64-apple-macos -stdlib=libc++" + export CFLAGS="-isysroot ${SDKPATH} -target arm64-apple-macos" + PKG_CONFIG_PATH="${lprefix}/lib/pkgconfig" ./configure --prefix=${lprefix} --enable-ares --disable-shared --with-secure-transport --host=arm-apple-darwin else - export LDFLAGS="-Wl,-syslibroot,${SDKPATH},-arch,arm64 -L${CURL_DIR}/../${opensslDirName} " - export CPPFLAGS="-isysroot ${SDKPATH} -target arm64-apple-macos10.7 -stdlib=libc++ -I${CURL_DIR}/../${opensslDirName}/include" - export CXXFLAGS="-isysroot ${SDKPATH} -target arm64-apple-macos10.7 -stdlib=libc++ -I${CURL_DIR}/../${opensslDirName}/include" - export CFLAGS="-isysroot ${SDKPATH} -target arm64-apple-macos10.7" - ./configure --enable-shared=NO --enable-ares="${libcares}" --without-libidn --without-libidn2 --without-nghttp2 --host=arm + export LDFLAGS="-Wl,-syslibroot,${SDKPATH},-arch,arm64" + export CPPFLAGS="-isysroot ${SDKPATH} -target arm64-apple-macos -stdlib=libc++" + export CXXFLAGS="-isysroot ${SDKPATH} -target arm64-apple-macos -stdlib=libc++" + export CFLAGS="-isysroot ${SDKPATH} -target 
arm64-apple-macos" + ./configure --disable-shared --with-secure-transport --enable-ares="${libcares}" --host=arm-apple-darwin + echo "" fi diff --git a/mac_installer/release_boinc.sh b/mac_installer/release_boinc.sh index fb46701685..910bce49a1 100644 --- a/mac_installer/release_boinc.sh +++ b/mac_installer/release_boinc.sh @@ -55,6 +55,7 @@ ## Updated 11/26/20 by Charlie Fenton to let installer show message if MacOS too old ## Updated 5/27/21 to support zsh & detecting X86_64 features emulated by Rosetta 2 ## Updated 6/24/21 allow installing BOINC on arm64 Macs without Rosetta 2 installed +## Updated 10/10/21 to eliminate ca-bundle.crt ## ## NOTE: This script requires Mac OS 10.7 or later, and uses XCode developer ## tools. So you must have installed XCode Developer Tools on the Mac @@ -306,8 +307,6 @@ cd "${BOINCPath}/clientgui/skins" cp -fpRL Default ../../../BOINC_Installer/Pkg_Root/Library/Application\ Support/BOINC\ Data/skins/ cd "${BOINCPath}" -cp -fp curl/ca-bundle.crt ../BOINC_Installer/Pkg_Root/Library/Application\ Support/BOINC\ Data/ - cp -fp win_build/installerv2/redist/all_projects_list.xml ../BOINC_Installer/Pkg_Root/Library/Application\ Support/BOINC\ Data/installer_projects_list.xml cp -fp clientscr/res/boinc_logo_black.jpg ../BOINC_Installer/Pkg_Root/Library/Application\ Support/BOINC\ Data/ 
@@ -537,7 +536,6 @@ mkdir -p ../BOINC_Installer/New_Release_$1_$2_$3/boinc_$1.$2.$3_$arch-apple-darw cp -fpRL "${BUILDPATH}/boinc" ../BOINC_Installer/New_Release_$1_$2_$3/boinc_$1.$2.$3_$arch-apple-darwin/move_to_boinc_dir/ cp -fpRL "${BUILDPATH}/boinccmd" ../BOINC_Installer/New_Release_$1_$2_$3/boinc_$1.$2.$3_$arch-apple-darwin/move_to_boinc_dir/ cp -fpRL "${BUILDPATH}/detect_rosetta_cpu" ../BOINC_Installer/New_Release_$1_$2_$3/boinc_$1.$2.$3_$arch-apple-darwin/move_to_boinc_dir/ -cp -fpRL curl/ca-bundle.crt ../BOINC_Installer/New_Release_$1_$2_$3/boinc_$1.$2.$3_$arch-apple-darwin/move_to_boinc_dir/ mkdir -p ../BOINC_Installer/New_Release_$1_$2_$3/boinc_$1.$2.$3_$arch-apple-darwin/move_to_boinc_dir/switcher cp -fpRL "${BUILDPATH}/switcher" ../BOINC_Installer/New_Release_$1_$2_$3/boinc_$1.$2.$3_$arch-apple-darwin/move_to_boinc_dir/switcher/ diff --git a/mac_installer/release_brand.sh b/mac_installer/release_brand.sh index 758d351c72..4b73d3fe85 100755 --- a/mac_installer/release_brand.sh +++ b/mac_installer/release_brand.sh @@ -262,8 +262,6 @@ cp -fpRL Default ../../../BOINC_Installer/Pkg_Root/Library/Application\ Support/ cp -fpRL "${SKINDIR}" ../../../BOINC_Installer/Pkg_Root/Library/Application\ Support/BOINC\ Data/skins/ cd "${BOINCPath}" -cp -fp curl/ca-bundle.crt ../BOINC_Installer/Pkg_Root/Library/Application\ Support/BOINC\ Data/ - cp -fp win_build/installerv2/redist/all_projects_list.xml ../BOINC_Installer/Pkg_Root/Library/Application\ Support/BOINC\ Data/installer_projects_list.xml if [ -n "${NEWVERSIONCHECKDIR}" ]; then 
@@ -474,7 +472,6 @@ mkdir -p ../BOINC_Installer/New_Release_${SHORTBRANDNAME}_$1_$2_$3/${SHORTBRANDN cp -fpRL "${BUILDPATH}/boinc" ../BOINC_Installer/New_Release_${SHORTBRANDNAME}_$1_$2_$3/${SHORTBRANDNAME}_$1.$2.$3_$arch-apple-darwin/move_to_boinc_dir/ cp -fpRL "${BUILDPATH}/boinccmd" ../BOINC_Installer/New_Release_${SHORTBRANDNAME}_$1_$2_$3/${SHORTBRANDNAME}_$1.$2.$3_$arch-apple-darwin/move_to_boinc_dir/ cp -fpRL "${BUILDPATH}/detect_rosetta_cpu" ../BOINC_Installer/New_Release_${SHORTBRANDNAME}_$1_$2_$3/${SHORTBRANDNAME}_$1.$2.$3_$arch-apple-darwin/move_to_boinc_dir/ -cp -fpRL curl/ca-bundle.crt ../BOINC_Installer/New_Release_${SHORTBRANDNAME}_$1_$2_$3/${SHORTBRANDNAME}_$1.$2.$3_$arch-apple-darwin/move_to_boinc_dir/ mkdir -p ../BOINC_Installer/New_Release_${SHORTBRANDNAME}_$1_$2_$3/${SHORTBRANDNAME}_$1.$2.$3_$arch-apple-darwin/move_to_boinc_dir/switcher cp -fpRL "${BUILDPATH}/switcher" ../BOINC_Installer/New_Release_${SHORTBRANDNAME}_$1_$2_$3/${SHORTBRANDNAME}_$1.$2.$3_$arch-apple-darwin/move_to_boinc_dir/switcher/ From e853a007d3e63999c392e8b152924681d460414f Mon Sep 17 00:00:00 2001 From: Charlie Fenton Date: Mon, 11 Oct 2021 04:23:40 -0700 Subject: [PATCH 2/2] Platforms other than Mac and Windows may still use ca-bundle.crt --- client/http_curl.cpp | 13 +++++++++++++ 1 file changed, 13 insertions(+) diff --git a/client/http_curl.cpp b/client/http_curl.cpp index 85b57cb6b2..69013a4c81 100644 --- a/client/http_curl.cpp +++ b/client/http_curl.cpp 
@@ -483,6 +483,19 @@ int HTTP_OP::libcurl_exec(
     curl_easy_setopt(curlEasy, CURLOPT_SSL_VERIFYPEER, 1L);
     //curl_easy_setopt(curlEasy, CURLOPT_SSL_VERIFYPEER, FALSE);
 
+    // MSW now uses schannel and Mac now uses Secure Transport
+    // so neither uses ca-bundle.crt
+#if (!defined(_WIN32) && !defined(__APPLE__))
+    // if the above is nonzero, you need the following:
+    //
+    if (boinc_file_exists(CA_BUNDLE_FILENAME)) {
+        // call this only if a local copy of ca-bundle.crt exists;
+        // otherwise, let's hope that it exists in the default place
+        //
+        curl_easy_setopt(curlEasy, CURLOPT_CAINFO, CA_BUNDLE_FILENAME);
+    }
+#endif
+
     // set the user agent as this boinc client & version
     //
     curl_easy_setopt(curlEasy, CURLOPT_USERAGENT, g_user_agent_string);
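Review bot: The new `#if (!defined(_WIN32) && !defined(__APPLE__))` guard encodes an assumption about how libcurl was built (Schannel on Windows, Secure Transport on macOS) that the client never checks; a Windows or macOS client linked against an OpenSSL-backed libcurl, which a different build of the dependencies could produce, would skip CURLOPT_CAINFO and, with CURLOPT_SSL_VERIFYPEER left at 1L a few lines above, fail every HTTPS transfer unless that build happens to find a system CA path. If the platform macro stays as the switch, the comment should record the dependency on the build scripts rather than only the current state, e.g. `// Assumes the bundled libcurl uses the OS certificate store on these platforms (mac_build/buildcurl.sh configures --with-secure-transport); a libcurl built against OpenSSL would still need CURLOPT_CAINFO here.`, and a runtime check of the backend name via `curl_version_info(CURLVERSION_NOW)->ssl_version` would remove the assumption altogether. The older comment `// if the above is nonzero, you need the following:` refers to the CURLOPT_SSL_VERIFYPEER call but now sits inside the platform guard, where it reads as if it belonged to the `#if`; placing it above the `#if` or rewording it would keep the reference clear. libcurl_exec continues outside the hunk.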