commit 7e7f19d292e28fc9f2e4bd4196c4553d9429baf7
author Jeongik Cha <jeongik@google.com> Thu Oct 31 20:50:24 2024 +0900
committer Jeongik Cha <jeongik@google.com> Thu Oct 31 22:55:52 2024 +0900
tree bb5592b0645398c093d4d882af1614ce3649983c
parent 17e0cee39d129c68fb5201f17fe4051cbce81498

build ttyd with client cert patch

client cert doesn't work as intented, so added patch for that, and then
made it build during build

in addition, fixed the bug in reading client cert logic as well(actually
alias isn't set in p12, so need to enumerate and get the first one),
BTW, this logic will be removed very soon with the logic which generates
key on the fly

Bug: 363235314
Test: run ttyd and check if client cert works well
Change-Id: I5d08f3d11cf4846677f19137e860236c42b9c9d8

build/debian/ttyd/client_cert.patch

diff --git a/build/debian/ttyd/client_cert.patch b/build/debian/ttyd/client_cert.patch
new file mode 100644
index 0000000..93b8aed
--- /dev/null
+++ b/build/debian/ttyd/client_cert.patch
@@ -0,0 +1,41 @@
+diff --git a/lib/tls/mbedtls/mbedtls-server.c b/lib/tls/mbedtls/mbedtls-server.c
+index efd7fc8b..ca5ebc15 100644
+--- a/lib/tls/mbedtls/mbedtls-server.c
++++ b/lib/tls/mbedtls/mbedtls-server.c
+@@ -39,7 +39,7 @@ lws_tls_server_client_cert_verify_config(struct lws_vhost *vh)
+ 	}
+ 
+ 	if (!lws_check_opt(vh->options, LWS_SERVER_OPTION_PEER_CERT_NOT_REQUIRED))
+-		verify_options = SSL_VERIFY_FAIL_IF_NO_PEER_CERT;
++		verify_options |= SSL_VERIFY_FAIL_IF_NO_PEER_CERT;
+ 
+ 	lwsl_notice("%s: vh %s requires client cert %d\n", __func__, vh->name,
+ 		    verify_options);
+diff --git a/lib/tls/mbedtls/wrapper/platform/ssl_pm.c b/lib/tls/mbedtls/wrapper/platform/ssl_pm.c
+index 3879e977..e47d4c13 100755
+--- a/lib/tls/mbedtls/wrapper/platform/ssl_pm.c
++++ b/lib/tls/mbedtls/wrapper/platform/ssl_pm.c
+@@ -255,9 +255,9 @@ static int ssl_pm_reload_crt(SSL *ssl)
+     struct pkey_pm *pkey_pm = (struct pkey_pm *)ssl->cert->pkey->pkey_pm;
+     struct x509_pm *crt_pm = (struct x509_pm *)ssl->cert->x509->x509_pm;
+ 
+-    if (ssl->verify_mode == SSL_VERIFY_PEER)
++    if ((ssl->verify_mode & SSL_VERIFY_PEER) > 0)
+         mode = MBEDTLS_SSL_VERIFY_REQUIRED;
+-    else if (ssl->verify_mode == SSL_VERIFY_FAIL_IF_NO_PEER_CERT)
++    else if ((ssl->verify_mode & SSL_VERIFY_FAIL_IF_NO_PEER_CERT) > 0)
+         mode = MBEDTLS_SSL_VERIFY_OPTIONAL;
+     else if (ssl->verify_mode == SSL_VERIFY_CLIENT_ONCE)
+         mode = MBEDTLS_SSL_VERIFY_UNSET;
+@@ -980,9 +980,9 @@ void SSL_set_SSL_CTX(SSL *ssl, SSL_CTX *ctx)
+ 
+ #if defined(LWS_HAVE_mbedtls_ssl_set_hs_authmode)
+ 
+-	if (ctx->verify_mode == SSL_VERIFY_PEER)
++	if ((ctx->verify_mode & SSL_VERIFY_PEER) > 0)
+ 		mode = MBEDTLS_SSL_VERIFY_REQUIRED;
+-	else if (ctx->verify_mode == SSL_VERIFY_FAIL_IF_NO_PEER_CERT)
++	else if ((ctx->verify_mode & SSL_VERIFY_FAIL_IF_NO_PEER_CERT) > 0)
+ 		mode = MBEDTLS_SSL_VERIFY_REQUIRED;
+ 	else if (ctx->verify_mode == SSL_VERIFY_CLIENT_ONCE)
+ 		mode = MBEDTLS_SSL_VERIFY_UNSET;

build/debian/ttyd/cross-build.sh

diff --git a/build/debian/ttyd/cross-build.sh b/build/debian/ttyd/cross-build.sh
new file mode 100755
index 0000000..dda8f78
--- /dev/null
+++ b/build/debian/ttyd/cross-build.sh
@@ -0,0 +1,193 @@
+#!/bin/bash
+#
+# Example:
+#         env BUILD_TARGET=mips ./scripts/cross-build.sh
+#
+set -eo pipefail
+
+CROSS_ROOT="${CROSS_ROOT:-/tmp/cross}"
+STAGE_ROOT="${STAGE_ROOT:-/tmp/stage}"
+BUILD_ROOT="${BUILD_ROOT:-/tmp/build}"
+BUILD_TARGET="${BUILD_TARGET:-x86_64}"
+
+ZLIB_VERSION="${ZLIB_VERSION:-1.3.1}"
+JSON_C_VERSION="${JSON_C_VERSION:-0.17}"
+MBEDTLS_VERSION="${MBEDTLS_VERSION:-2.28.5}"
+LIBUV_VERSION="${LIBUV_VERSION:-1.44.2}"
+LIBWEBSOCKETS_VERSION="${LIBWEBSOCKETS_VERSION:-4.3.3}"
+
+build_zlib() {
+    echo "=== Building zlib-${ZLIB_VERSION} (${TARGET})..."
+    curl -fSsLo- "https://zlib.net/zlib-${ZLIB_VERSION}.tar.gz" | tar xz -C "${BUILD_DIR}"
+    pushd "${BUILD_DIR}"/zlib-"${ZLIB_VERSION}"
+        env CHOST="${TARGET}" ./configure --static --archs="-fPIC" --prefix="${STAGE_DIR}"
+        make -j"$(nproc)" install
+    popd
+}
+
+build_json-c() {
+    echo "=== Building json-c-${JSON_C_VERSION} (${TARGET})..."
+    curl -fSsLo- "https://s3.amazonaws.com/json-c_releases/releases/json-c-${JSON_C_VERSION}.tar.gz" | tar xz -C "${BUILD_DIR}"
+    pushd "${BUILD_DIR}/json-c-${JSON_C_VERSION}"
+        rm -rf build && mkdir -p build && cd build
+        cmake -DCMAKE_TOOLCHAIN_FILE="${BUILD_DIR}/cross-${TARGET}.cmake" \
+            -DCMAKE_BUILD_TYPE=RELEASE \
+            -DCMAKE_INSTALL_PREFIX="${STAGE_DIR}" \
+            -DBUILD_SHARED_LIBS=OFF \
+            -DBUILD_TESTING=OFF \
+            -DDISABLE_THREAD_LOCAL_STORAGE=ON \
+            ..
+        make -j"$(nproc)" install
+    popd
+}
+
+build_mbedtls() {
+    echo "=== Building mbedtls-${MBEDTLS_VERSION} (${TARGET})..."
+    curl -fSsLo- "https://github.com/ARMmbed/mbedtls/archive/v${MBEDTLS_VERSION}.tar.gz" | tar xz -C "${BUILD_DIR}"
+    pushd "${BUILD_DIR}/mbedtls-${MBEDTLS_VERSION}"
+        rm -rf build && mkdir -p build && cd build
+        cmake -DCMAKE_TOOLCHAIN_FILE="${BUILD_DIR}/cross-${TARGET}.cmake" \
+            -DCMAKE_BUILD_TYPE=RELEASE \
+            -DCMAKE_INSTALL_PREFIX="${STAGE_DIR}" \
+            -DENABLE_TESTING=OFF \
+            ..
+        make -j"$(nproc)" install
+    popd
+}
+
+build_libuv() {
+    echo "=== Building libuv-${LIBUV_VERSION} (${TARGET})..."
+    curl -fSsLo- "https://dist.libuv.org/dist/v${LIBUV_VERSION}/libuv-v${LIBUV_VERSION}.tar.gz" | tar xz -C "${BUILD_DIR}"
+    pushd "${BUILD_DIR}/libuv-v${LIBUV_VERSION}"
+        ./autogen.sh
+        env CFLAGS=-fPIC ./configure --disable-shared --enable-static --prefix="${STAGE_DIR}" --host="${TARGET}"
+        make -j"$(nproc)" install
+    popd
+}
+
+install_cmake_cross_file() {
+    cat << EOF > "${BUILD_DIR}/cross-${TARGET}.cmake"
+SET(CMAKE_SYSTEM_NAME $1)
+
+set(CMAKE_C_COMPILER "${TARGET}-gcc")
+set(CMAKE_CXX_COMPILER "${TARGET}-g++")
+
+set(CMAKE_FIND_ROOT_PATH "${STAGE_DIR}")
+set(CMAKE_FIND_ROOT_PATH_MODE_PROGRAM NEVER)
+set(CMAKE_FIND_ROOT_PATH_MODE_LIBRARY ONLY)
+set(CMAKE_FIND_ROOT_PATH_MODE_INCLUDE ONLY)
+
+set(OPENSSL_USE_STATIC_LIBS TRUE)
+EOF
+}
+
+build_libwebsockets() {
+    echo "=== Building libwebsockets-${LIBWEBSOCKETS_VERSION} (${TARGET})..."
+    curl -fSsLo- "https://github.com/warmcat/libwebsockets/archive/v${LIBWEBSOCKETS_VERSION}.tar.gz" | tar xz -C "${BUILD_DIR}"
+    cp "$(dirname $0)/client_cert.patch" ${BUILD_DIR}/libwebsockets-${LIBWEBSOCKETS_VERSION}
+    pushd "${BUILD_DIR}/libwebsockets-${LIBWEBSOCKETS_VERSION}"
+        patch -p1 < client_cert.patch
+        sed -i 's/ websockets_shared//g' cmake/libwebsockets-config.cmake.in
+        sed -i 's/ OR PC_OPENSSL_FOUND//g' lib/tls/CMakeLists.txt
+        sed -i '/PC_OPENSSL/d' lib/tls/CMakeLists.txt
+        rm -rf build && mkdir -p build && cd build
+        cmake -DCMAKE_TOOLCHAIN_FILE="${BUILD_DIR}/cross-${TARGET}.cmake" \
+            -DCMAKE_BUILD_TYPE=RELEASE \
+            -DCMAKE_INSTALL_PREFIX="${STAGE_DIR}" \
+            -DCMAKE_FIND_LIBRARY_SUFFIXES=".a" \
+            -DCMAKE_EXE_LINKER_FLAGS="-static" \
+            -DLWS_WITHOUT_TESTAPPS=ON \
+            -DLWS_WITH_MBEDTLS=ON \
+            -DLWS_WITH_LIBUV=ON \
+            -DLWS_STATIC_PIC=ON \
+            -DLWS_WITH_SHARED=OFF \
+            -DLWS_UNIX_SOCK=ON \
+            -DLWS_IPV6=ON \
+            -DLWS_ROLE_RAW_FILE=OFF \
+            -DLWS_WITH_HTTP2=ON \
+            -DLWS_WITH_HTTP_BASIC_AUTH=OFF \
+            -DLWS_WITH_UDP=OFF \
+            -DLWS_WITHOUT_CLIENT=ON \
+            -DLWS_WITHOUT_EXTENSIONS=OFF \
+            -DLWS_WITH_LEJP=OFF \
+            -DLWS_WITH_LEJP_CONF=OFF \
+            -DLWS_WITH_LWSAC=OFF \
+            -DLWS_WITH_SEQUENCER=OFF \
+            ..
+        make -j"$(nproc)" install
+    popd
+}
+
+build_ttyd() {
+    echo "=== Building ttyd (${TARGET})..."
+    rm -rf build && mkdir -p build && cd build
+    cmake -DCMAKE_TOOLCHAIN_FILE="${BUILD_DIR}/cross-${TARGET}.cmake" \
+        -DCMAKE_INSTALL_PREFIX="${STAGE_DIR}" \
+        -DCMAKE_FIND_LIBRARY_SUFFIXES=".a" \
+        -DCMAKE_C_FLAGS="-Os -ffunction-sections -fdata-sections -fno-unwind-tables -fno-asynchronous-unwind-tables -flto" \
+        -DCMAKE_EXE_LINKER_FLAGS="-static -no-pie -Wl,-s -Wl,-Bsymbolic -Wl,--gc-sections" \
+        -DCMAKE_BUILD_TYPE=RELEASE \
+        ..
+    make install
+}
+
+build() {
+    TARGET="$1"
+    ALIAS="$2"
+    STAGE_DIR="${STAGE_ROOT}/${TARGET}"
+    BUILD_DIR="${BUILD_ROOT}/${TARGET}"
+    MUSL_CC_URL="https://github.com/tsl0922/musl-toolchains/releases/download/2021-11-23"
+    COMPONENTS="1"
+    SYSTEM="Linux"
+
+    if [ "$ALIAS" = "win32" ]; then
+        COMPONENTS=2
+        SYSTEM="Windows"
+    fi
+
+    echo "=== Installing toolchain ${ALIAS} (${TARGET})..."
+
+    mkdir -p "${CROSS_ROOT}" && export PATH="${PATH}:${CROSS_ROOT}/bin"
+    curl -fSsLo- "${MUSL_CC_URL}/${TARGET}-cross.tgz" | tar xz -C "${CROSS_ROOT}" --strip-components=${COMPONENTS}
+
+    echo "=== Building target ${ALIAS} (${TARGET})..."
+
+    rm -rf "${STAGE_DIR}" "${BUILD_DIR}"
+    mkdir -p "${STAGE_DIR}" "${BUILD_DIR}"
+    export PKG_CONFIG_PATH="${STAGE_DIR}/lib/pkgconfig"
+
+    install_cmake_cross_file ${SYSTEM}
+
+    build_zlib
+    build_json-c
+    build_libuv
+    build_mbedtls
+    build_libwebsockets
+    build_ttyd
+}
+
+case ${BUILD_TARGET} in
+    amd64) BUILD_TARGET="x86_64" ;;
+    arm64) BUILD_TARGET="aarch64" ;;
+    armv7) BUILD_TARGET="armv7l" ;;
+esac
+
+case ${BUILD_TARGET} in
+    i686|x86_64|aarch64|mips|mipsel|mips64|mips64el|s390x)
+        build "${BUILD_TARGET}-linux-musl" "${BUILD_TARGET}"
+        ;;
+    arm)
+        build "${BUILD_TARGET}-linux-musleabi" "${BUILD_TARGET}"
+        ;;
+    armhf)
+        build arm-linux-musleabihf "${BUILD_TARGET}"
+        ;;
+    armv7l)
+        build armv7l-linux-musleabihf "${BUILD_TARGET}"
+        ;;
+    win32)
+        build x86_64-w64-mingw32 "${BUILD_TARGET}"
+        ;;
+    *)
+        echo "unknown cross target: ${BUILD_TARGET}" && exit 1
+esac