Add openssl 3.5 builds

bastelfreak · bastelfreak · commit 7f2167f69fbc · 2026-02-21T23:55:41.000+01:00
diff --git a/configs/components/openssl-3.5.rb b/configs/components/openssl-3.5.rb
@@ -0,0 +1,187 @@
+#####
+# Component release information:
+#   https://github.com/openssl/openssl/releases
+#   3.5 isn't latest openssl, but latest LTS: https://openssl-library.org/policies/releasestrat/index.html
+#####
+component 'openssl' do |pkg, settings, platform|
+  pkg.version '3.5.5'
+  pkg.sha256sum 'b28c91532a8b65a1f983b4c28b7488174e4a01008e29ce8e69bd789f28bc2a89'
+  pkg.url "https://github.com/openssl/openssl/releases/download/openssl-#{pkg.get_version}/openssl-#{pkg.get_version}.tar.gz"
+  pkg.mirror "#{settings[:buildsources_url]}/openssl-#{pkg.get_version}.tar.gz"
+
+  #############################
+  # ENVIRONMENT, FLAGS, TARGETS
+  #############################
+
+  if platform.name =~ /^(amazon-|el-|redhat-|redhatfips-|fedora-)/
+    pkg.build_requires 'perl-core'
+  elsif platform.is_solaris?
+    # perl is installed in platform definition
+  else
+    pkg.build_requires 'perl'
+  end
+
+  target = sslflags = ''
+  cflags = settings[:cflags]
+  ldflags = settings[:ldflags]
+
+  if platform.is_windows?
+    pkg.environment 'PATH', "$(shell cygpath -u #{settings[:gcc_bindir]}):$(PATH)"
+    pkg.environment 'CYGWIN', settings[:cygwin]
+    pkg.environment 'MAKE', platform[:make]
+
+    target = platform.architecture == 'x64' ? 'mingw64' : 'mingw'
+  elsif platform.is_aix?
+    # REMIND: why not PATH?
+    pkg.environment 'CC', '/opt/freeware/bin/gcc'
+
+    cflags = "#{settings[:cflags]} -static-libgcc"
+    # see https://github.com/openssl/openssl/issues/18007 about -latomic
+    # see https://www.ibm.com/docs/en/aix/7.2?topic=l-ld-command about -R<path>, which is equivalent to -rpath
+    ldflags = "#{settings[:ldflags]} -Wl,-R#{settings[:libdir]} -latomic -lm"
+    target = 'aix-gcc'
+  elsif platform.is_solaris?
+    pkg.environment 'PATH', '/opt/csw/bin:$(PATH):/usr/local/bin:/usr/ccs/bin:/usr/sfw/bin'
+    if !platform.is_cross_compiled? && platform.architecture == 'sparc'
+      pkg.environment 'CC', '/opt/pl-build-tools/bin/gcc'
+      gcc_lib = "/opt/pl-build-tools/#{settings[:platform_triple]}/lib"
+    else
+      pkg.environment 'CC', '/opt/csw/bin/gcc'
+      gcc_lib = "/opt/csw/#{settings[:platform_triple]}/lib"
+    end
+    cflags = "#{settings[:cflags]} -fPIC"
+    ldflags = "-R#{gcc_lib} -Wl,-rpath=#{settings[:libdir]} -L#{gcc_lib}"
+    target = platform.architecture =~ /86/ ? 'solaris-x86-gcc' : 'solaris-sparcv9-gcc'
+  elsif platform.is_macos?
+    pkg.environment 'PATH', '$(PATH):/opt/homebrew/bin:/usr/local/bin'
+    pkg.environment 'CFLAGS', settings[:cflags]
+    pkg.environment 'CC', settings[:cc]
+    pkg.environment 'MACOSX_DEPLOYMENT_TARGET', settings[:deployment_target]
+
+    target = if platform.architecture == 'arm64'
+               'darwin64-arm64'
+             else
+               'darwin64-x86_64'
+             end
+  elsif platform.is_linux?
+    pkg.environment 'PATH', '/opt/pl-build-tools/bin:$(PATH):/usr/local/bin'
+
+    ldflags = "#{settings[:ldflags]} -Wl,-z,relro"
+    case platform.architecture
+    when /86$/
+      target = 'linux-elf'
+      sslflags = '386'
+    when /aarch64$/
+      target = 'linux-aarch64'
+    when /ppc64le|ppc64el/ # Little-endian
+      target = 'linux-ppc64le'
+    when /64$/
+      target = 'linux-x86_64'
+    when 'armhf'
+      target = 'linux-armv4'
+    end
+  end
+
+  ####################
+  # BUILD REQUIREMENTS
+  ####################
+
+  pkg.build_requires "runtime-#{settings[:runtime_project]}"
+
+  ###########
+  # CONFIGURE
+  ###########
+
+  # Defining --libdir ensures that we avoid the multilib (lib/ vs. lib64/) problem,
+  # since configure uses the existence of a lib64 directory to determine
+  # if it should install its own libs into a multilib dir. Yay OpenSSL!
+  configure_flags = [
+    "--prefix=#{settings[:prefix]}",
+    '--libdir=lib',
+    "--openssldir=#{settings[:prefix]}/ssl",
+    'shared',
+    'no-gost',
+    target,
+    sslflags,
+    'no-camellia',
+    'no-md2',
+    'no-ssl3',
+    'no-ssl3-method',
+    'no-dtls1-method',
+    'no-dtls1_2-method',
+    'no-aria',
+    # 'no-bf', pgcrypto is requires this cipher in postgres for puppetdb
+    # 'no-cast', pgcrypto is requires this cipher in postgres for puppetdb
+    # 'no-des', pgcrypto is requires this cipher in postgres for puppetdb,
+    # should pgcrypto cease needing it, it will also be needed by ntlm
+    # and should only be enabled if "use_legacy_openssl_algos" is true.
+    'no-rc5',
+    'no-mdc2',
+    # 'no-rmd160', this is causing failures with pxp, remove once pxp-agent does not need it
+    'no-whirlpool'
+  ]
+
+  if settings[:use_legacy_openssl_algos]
+    pkg.apply_patch 'resources/patches/openssl/openssl-3-activate-legacy-algos.patch'
+  else
+    configure_flags << 'no-legacy' << 'no-md4'
+  end
+
+  # Individual projects may provide their own openssl configure flags:
+  project_flags = settings[:openssl_extra_configure_flags] || []
+  perl_exec = ''
+  perl_exec = '/opt/freeware/bin/perl' if platform.is_aix?
+  configure_flags << project_flags
+
+  pkg.environment 'CFLAGS', cflags
+  pkg.environment 'LDFLAGS', ldflags
+  pkg.configure do
+    ["#{perl_exec} ./Configure #{configure_flags.join(' ')}"]
+  end
+
+  #######
+  # BUILD
+  #######
+
+  build_commands = []
+
+  if platform.is_windows? && platform.architecture == 'x86'
+    # mingw-w32 5.2.0 has a bug in include/winnt.h that declares GetCurrentFiber
+    # with __CRT_INLINE, which results in the function not being inlined and
+    # generates a linker error: undefined reference to `GetCurrentFiber'.
+    # This only affects 32-bit builds
+    # See https://github.com/openssl/openssl/issues/513
+    # See https://github.com/mingw-w64/mingw-w64/commit/8da1aae7a7ff5bf996878dc8fe30a0e01e210e5a
+    pkg.add_source('file://resources/patches/windows/FORCEINLINE-i686-w64-mingw32-winnt.h')
+    build_commands << "#{platform.patch} --dir #{settings[:gcc_root]}/#{settings[:platform_triple]} --strip=2 --fuzz=0 --ignore-whitespace --no-backup-if-mismatch < ../FORCEINLINE-i686-w64-mingw32-winnt.h"
+  end
+
+  build_commands << "#{platform[:make]} depend"
+  build_commands << platform[:make]
+
+  pkg.build do
+    build_commands
+  end
+
+  #########
+  # INSTALL
+  #########
+
+  install_prefix = platform.is_windows? ? '' : 'INSTALL_PREFIX=/'
+  install_commands = []
+
+  if platform.is_aix?
+    # "Removes any currently unused modules in kernel and library memory."
+    install_commands << 'slibclean'
+  end
+
+  # Skip man and html docs
+  install_commands << "#{platform[:make]} #{install_prefix} install_sw install_ssldirs"
+  install_commands << "rm -f #{settings[:prefix]}/bin/c_rehash"
+
+  pkg.install do
+    install_commands
+  end
+
+  pkg.install_file 'LICENSE.txt', "#{settings[:prefix]}/share/doc/openssl-#{pkg.get_version}/LICENSE"
+end
diff --git a/configs/projects/_shared-agent-settings.rb b/configs/projects/_shared-agent-settings.rb
@@ -148,8 +148,6 @@
 # Load default compiler settings
 instance_eval File.read('configs/projects/_shared-compiler-settings.rb')
 
-proj.setting(:openssl_version, '3.0')
-
 if platform.is_windows?
   proj.setting(:gcc_root, '/usr/x86_64-w64-mingw32/sys-root/mingw')
   proj.setting(:gcc_bindir, "#{proj.gcc_root}/bin")
diff --git a/configs/projects/agent-runtime-main.rb b/configs/projects/agent-runtime-main.rb
@@ -2,6 +2,7 @@
   # Set preferred component versions if they differ from defaults:
   proj.setting :ruby_version, '3.2' # Leave the .Z out for Ruby 3.2
   proj.setting :rubygem_highline_version, '3.0.1'
+  proj.setting :openssl_version, '3.0'
 
   ########
   # Load shared agent settings
diff --git a/configs/projects/agent-runtime-ruby4.rb b/configs/projects/agent-runtime-ruby4.rb
@@ -2,6 +2,7 @@
   # Set preferred component versions if they differ from defaults:
   proj.setting :ruby_version, '4.0' # Leave the .Z out for Ruby 3.2
   proj.setting :rubygem_highline_version, '3.1.2'
+  proj.setting :openssl_version, '3.5'
 
   ########
   # Load shared agent settings
