
changeset 28: 242002f9f098
parent 27: 529419ac94f3
child 29: 7e640cebeada
author: ellis <ellis@rwest.io>
date: Tue, 06 Jun 2023 20:21:08 -0400
files: tools/dep.sh tools/deps.sh
description: deps
     1.1--- /dev/null	Thu Jan 01 00:00:00 1970 +0000
     1.2+++ b/tools/dep.sh	Tue Jun 06 20:21:08 2023 -0400
     1.3@@ -0,0 +1,592 @@
     1.4+#!/usr/bin/sh
     1.5+# install demo build dependencies
     1.6+set -u
     1.7+PKG_URL_ROOT="${PKG_URL_ROOT:-https://rwest.io/otom8/packy/bundle}"
     1.8+PKG_NAME="demo_build_deps"
     1.9+check_proc() {
    1.10+    # Check for /proc by looking for the /proc/self/exe link
    1.11+    # This only run on Linux
    1.12+    if ! test -L /proc/self/exe ; then
    1.13+        err "fatal: Unable to find /proc/self/exe.  Is /proc mounted?"
    1.14+    fi
    1.15+}
    1.16+
    1.17+get_bitness() {
    1.18+    need_cmd head
    1.19+    # Architecture detection without dependencies beyond coreutils.
    1.20+    # ELF files start out "\x7fELF", and the following byte is
    1.21+    #   0x01 for 32-bit and
    1.22+    #   0x02 for 64-bit.
    1.23+    # The printf builtin on some shells like dash only supports octal
    1.24+    # escape sequences, so we use those.
    1.25+    local _current_exe_head
    1.26+    _current_exe_head=$(head -c 5 /proc/self/exe )
    1.27+    if [ "$_current_exe_head" = "$(printf '\177ELF\001')" ]; then
    1.28+        echo 32
    1.29+    elif [ "$_current_exe_head" = "$(printf '\177ELF\002')" ]; then
    1.30+        echo 64
    1.31+    else
    1.32+        err "unknown platform bitness"
    1.33+    fi
    1.34+}
    1.35+
    1.36+is_host_amd64_elf() {
    1.37+    need_cmd head
    1.38+    need_cmd tail
    1.39+    # ELF e_machine detection without dependencies beyond coreutils.
    1.40+    # Two-byte field at offset 0x12 indicates the CPU,
    1.41+    # but we're interested in it being 0x3E to indicate amd64, or not that.
    1.42+    local _current_exe_machine
    1.43+    _current_exe_machine=$(head -c 19 /proc/self/exe | tail -c 1)
    1.44+    [ "$_current_exe_machine" = "$(printf '\076')" ]
    1.45+}
    1.46+
    1.47+get_endianness() {
    1.48+    local cputype=$1
    1.49+    local suffix_eb=$2
    1.50+    local suffix_el=$3
    1.51+
    1.52+    # detect endianness without od/hexdump, like get_bitness() does.
    1.53+    need_cmd head
    1.54+    need_cmd tail
    1.55+
    1.56+    local _current_exe_endianness
    1.57+    _current_exe_endianness="$(head -c 6 /proc/self/exe | tail -c 1)"
    1.58+    if [ "$_current_exe_endianness" = "$(printf '\001')" ]; then
    1.59+        echo "${cputype}${suffix_el}"
    1.60+    elif [ "$_current_exe_endianness" = "$(printf '\002')" ]; then
    1.61+        echo "${cputype}${suffix_eb}"
    1.62+    else
    1.63+        err "unknown platform endianness"
    1.64+    fi
    1.65+}
    1.66+
    1.67+get_architecture() {
    1.68+    local _ostype _cputype _bitness _arch _clibtype
    1.69+    _ostype="$(uname -s)"
    1.70+    _cputype="$(uname -m)"
    1.71+    _clibtype="gnu"
    1.72+
    1.73+    if [ "$_ostype" = Linux ]; then
    1.74+        if [ "$(uname -o)" = Android ]; then
    1.75+            _ostype=Android
    1.76+        fi
    1.77+        if ldd --version 2>&1 | grep -q 'musl'; then
    1.78+            _clibtype="musl"
    1.79+        fi
    1.80+    fi
    1.81+
    1.82+    if [ "$_ostype" = Darwin ] && [ "$_cputype" = i386 ]; then
    1.83+        # Darwin `uname -m` lies
    1.84+        if sysctl hw.optional.x86_64 | grep -q ': 1'; then
    1.85+            _cputype=x86_64
    1.86+        fi
    1.87+    fi
    1.88+
    1.89+    if [ "$_ostype" = SunOS ]; then
    1.90+        # Both Solaris and illumos presently announce as "SunOS" in "uname -s"
    1.91+        # so use "uname -o" to disambiguate.  We use the full path to the
    1.92+        # system uname in case the user has coreutils uname first in PATH,
    1.93+        # which has historically sometimes printed the wrong value here.
    1.94+        if [ "$(/usr/bin/uname -o)" = illumos ]; then
    1.95+            _ostype=illumos
    1.96+        fi
    1.97+
    1.98+        # illumos systems have multi-arch userlands, and "uname -m" reports the
    1.99+        # machine hardware name; e.g., "i86pc" on both 32- and 64-bit x86
   1.100+        # systems.  Check for the native (widest) instruction set on the
   1.101+        # running kernel:
   1.102+        if [ "$_cputype" = i86pc ]; then
   1.103+            _cputype="$(isainfo -n)"
   1.104+        fi
   1.105+    fi
   1.106+
   1.107+    case "$_ostype" in
   1.108+
   1.109+        Android)
   1.110+            _ostype=linux-android
   1.111+            ;;
   1.112+
   1.113+        Linux)
   1.114+            check_proc
   1.115+            _ostype=unknown-linux-$_clibtype
   1.116+            _bitness=$(get_bitness)
   1.117+            ;;
   1.118+
   1.119+        FreeBSD)
   1.120+            _ostype=unknown-freebsd
   1.121+            ;;
   1.122+
   1.123+        NetBSD)
   1.124+            _ostype=unknown-netbsd
   1.125+            ;;
   1.126+
   1.127+        DragonFly)
   1.128+            _ostype=unknown-dragonfly
   1.129+            ;;
   1.130+
   1.131+        Darwin)
   1.132+            _ostype=apple-darwin
   1.133+            ;;
   1.134+
   1.135+        illumos)
   1.136+            _ostype=unknown-illumos
   1.137+            ;;
   1.138+
   1.139+        MINGW* | MSYS* | CYGWIN*)
   1.140+            _ostype=pc-windows-gnu
   1.141+            ;;
   1.142+
   1.143+        *)
   1.144+            err "unrecognized OS type: $_ostype"
   1.145+            ;;
   1.146+
   1.147+    esac
   1.148+
   1.149+    case "$_cputype" in
   1.150+
   1.151+        i386 | i486 | i686 | i786 | x86)
   1.152+            _cputype=i686
   1.153+            ;;
   1.154+
   1.155+        xscale | arm)
   1.156+            _cputype=arm
   1.157+            if [ "$_ostype" = "linux-android" ]; then
   1.158+                _ostype=linux-androideabi
   1.159+            fi
   1.160+            ;;
   1.161+
   1.162+        armv6l)
   1.163+            _cputype=arm
   1.164+            if [ "$_ostype" = "linux-android" ]; then
   1.165+                _ostype=linux-androideabi
   1.166+            else
   1.167+                _ostype="${_ostype}eabihf"
   1.168+            fi
   1.169+            ;;
   1.170+
   1.171+        armv7l | armv8l)
   1.172+            _cputype=armv7
   1.173+            if [ "$_ostype" = "linux-android" ]; then
   1.174+                _ostype=linux-androideabi
   1.175+            else
   1.176+                _ostype="${_ostype}eabihf"
   1.177+            fi
   1.178+            ;;
   1.179+
   1.180+        aarch64 | arm64)
   1.181+            _cputype=aarch64
   1.182+            ;;
   1.183+
   1.184+        x86_64 | x86-64 | x64 | amd64)
   1.185+            _cputype=x86_64
   1.186+            ;;
   1.187+
   1.188+        mips)
   1.189+            _cputype=$(get_endianness mips '' el)
   1.190+            ;;
   1.191+
   1.192+        mips64)
   1.193+            if [ "$_bitness" -eq 64 ]; then
   1.194+                # only n64 ABI is supported for now
   1.195+                _ostype="${_ostype}abi64"
   1.196+                _cputype=$(get_endianness mips64 '' el)
   1.197+            fi
   1.198+            ;;
   1.199+
   1.200+        ppc)
   1.201+            _cputype=powerpc
   1.202+            ;;
   1.203+
   1.204+        ppc64)
   1.205+            _cputype=powerpc64
   1.206+            ;;
   1.207+
   1.208+        ppc64le)
   1.209+            _cputype=powerpc64le
   1.210+            ;;
   1.211+
   1.212+        s390x)
   1.213+            _cputype=s390x
   1.214+            ;;
   1.215+        riscv64)
   1.216+            _cputype=riscv64gc
   1.217+            ;;
   1.218+        *)
   1.219+            err "unknown CPU type: $_cputype"
   1.220+
   1.221+    esac
   1.222+
   1.223+    # Detect 64-bit linux with 32-bit userland
   1.224+    if [ "${_ostype}" = unknown-linux-gnu ] && [ "${_bitness}" -eq 32 ]; then
   1.225+        case $_cputype in
   1.226+            x86_64)
   1.227+                if [ -n "${BABEL_CPUTYPE:-}" ]; then
   1.228+                    _cputype="$BABEL_CPUTYPE"
   1.229+                else {
   1.230+                    # 32-bit executable for amd64 = x32
   1.231+                    if is_host_amd64_elf; then {
   1.232+                         echo "This host is running an x32 userland; as it stands, x32 support is poor," 1>&2
   1.233+                         echo "and there isn't a native toolchain -- you will have to install" 1>&2
   1.234+                         echo "multiarch compatibility with i686 and/or amd64, then select one" 1>&2
   1.235+                         echo "by re-running this script with the BABEL_CPUTYPE environment variable" 1>&2
   1.236+                         echo "set to i686 or x86_64, respectively." 1>&2
   1.237+                         echo 1>&2
   1.238+                         exit 1
   1.239+                    }; else
   1.240+                        _cputype=i686
   1.241+                    fi
   1.242+                }; fi
   1.243+                ;;
   1.244+            mips64)
   1.245+                _cputype=$(get_endianness mips '' el)
   1.246+                ;;
   1.247+            powerpc64)
   1.248+                _cputype=powerpc
   1.249+                ;;
   1.250+            aarch64)
   1.251+                _cputype=armv7
   1.252+                if [ "$_ostype" = "linux-android" ]; then
   1.253+                    _ostype=linux-androideabi
   1.254+                else
   1.255+                    _ostype="${_ostype}eabihf"
   1.256+                fi
   1.257+                ;;
   1.258+            riscv64gc)
   1.259+                err "riscv64 with 32-bit userland unsupported"
   1.260+                ;;
   1.261+        esac
   1.262+    fi
   1.263+
   1.264+    # Detect armv7 but without the CPU features Rust needs in that build,
   1.265+    # and fall back to arm.
   1.266+    # See https://github.com/rust-lang/rustup.rs/issues/587.
   1.267+    if [ "$_ostype" = "unknown-linux-gnueabihf" ] && [ "$_cputype" = armv7 ]; then
   1.268+        if ensure grep '^Features' /proc/cpuinfo | grep -q -v neon; then
   1.269+            # At least one processor does not have NEON.
   1.270+            _cputype=arm
   1.271+        fi
   1.272+    fi
   1.273+
   1.274+    _arch="${_cputype}-${_ostype}"
   1.275+
   1.276+    RETVAL="$_arch"
   1.277+}
   1.278+say() {
   1.279+    printf 'dep.sh: %s\n' "$1"
   1.280+}
   1.281+err() {
   1.282+    say "$1" >&2; exit 1
   1.283+}
   1.284+need_cmd() {
   1.285+    if ! check_cmd "$1"; then
   1.286+        err "need '$1' (command not found)"
   1.287+    fi
   1.288+}
   1.289+check_cmd() {
   1.290+    command -v "$1" > /dev/null 2>&1
   1.291+}
   1.292+assert_nz() {
   1.293+    if [ -z "$1" ]; then err "assert_nz $2"; fi
   1.294+}
   1.295+ensure() {
   1.296+    if ! "$@"; then err "command failed: $*"; fi
   1.297+}
   1.298+ignore() {
   1.299+    "$@"
   1.300+}
   1.301+main () {
   1.302+    need_cmd chmod
   1.303+    need_cmd mkdir
   1.304+    need_cmd rm
   1.305+
   1.306+    get_architecture || return 1
   1.307+    local _arch="$RETVAL"
   1.308+    assert_nz "$_arch" "arch"
   1.309+
   1.310+    # no extension unless on windows
   1.311+    local _ext=""
   1.312+    case "$_arch" in
   1.313+        *windows*)
   1.314+            _ext=".exe"
   1.315+            ;;
   1.316+    esac
   1.317+
   1.318+  local _url="${PKG_URL_ROOT}/bin/dist/${_arch}/${PKG_NAME}${_ext}"
   1.319+
   1.320+    local _dir
   1.321+    _dir="$(ensure mktemp -d)"
   1.322+    local _file="${_dir}/${PKG_NAME}${_ext}"
   1.323+
   1.324+    local _ansi_escapes_are_valid=false
   1.325+    if [ -t 2 ]; then
   1.326+        if [ "${TERM+set}" = 'set' ]; then
   1.327+            case "$TERM" in
   1.328+                xterm*|rxvt*|urxvt*|linux*|vt*)
   1.329+                    _ansi_escapes_are_valid=true
   1.330+                ;;
   1.331+            esac
   1.332+        fi
   1.333+    fi
   1.334+
   1.335+    # check if we have to use /dev/tty to prompt the user
   1.336+    local need_tty=yes
   1.337+    for arg in "$@"; do
   1.338+        case "$arg" in
   1.339+            q)
   1.340+                # user wants to skip the prompt --
   1.341+                # we don't need /dev/tty
   1.342+                need_tty=no
   1.343+                ;;
   1.344+            *)
   1.345+                ;;
   1.346+        esac
   1.347+    done
   1.348+
   1.349+    if $_ansi_escapes_are_valid; then
   1.350+        printf "\33[1minfo:\33[0m downloading $PKG_NAME\n" 1>&2
   1.351+    else
   1.352+        printf '%s\n' 'info: downloading $PKG_NAME' 1>&2
   1.353+    fi
   1.354+
   1.355+    ensure mkdir -p "$_dir"
   1.356+    ensure dl "$_url" "$_file" "$_arch"
   1.357+    ensure chmod u+x "$_file"
   1.358+    if [ ! -x "$_file" ]; then
   1.359+        printf '%s\n' "Cannot execute $_file (likely because of mounting /tmp as noexec)." 1>&2
   1.360+        printf '%s\n' "Please copy the file to a location where you can execute binaries and run ./${PKG_NAME}${_ext}." 1>&2
   1.361+        exit 1
   1.362+    fi
   1.363+
   1.364+    if [ "$need_tty" = "yes" ]; then
   1.365+        # The installer is going to want to ask for confirmation by
   1.366+        # reading stdin.  This script was piped into `sh` though and
   1.367+        # doesn't have stdin to pass to its children. Instead we're going
   1.368+        # to explicitly connect /dev/tty to the installer's stdin.
   1.369+        if [ ! -t 1 ]; then
   1.370+            err "Unable to run interactively. Run with -y to accept defaults"
   1.371+        fi
   1.372+
   1.373+        ignore "$_file" "$@" < /dev/tty
   1.374+    else
   1.375+        ignore "$_file" "$@"
   1.376+    fi
   1.377+
   1.378+    local _retval=$?
   1.379+
   1.380+    ignore rm "$_file"
   1.381+    ignore rmdir "$_dir"
   1.382+
   1.383+    return "$_retval"
   1.384+}
   1.385+
   1.386+dl() { # curl || wget
   1.387+    local _dld
   1.388+    local _ciphersuites
   1.389+    local _err
   1.390+    local _status
   1.391+    if check_cmd curl; then
   1.392+        _dld=curl
   1.393+    elif check_cmd wget; then
   1.394+        _dld=wget
   1.395+    else
   1.396+        _dld='curl or wget' # to be used in error message of need_cmd
   1.397+    fi
   1.398+
   1.399+    if [ "$1" = --check ]; then
   1.400+        need_cmd "$_dld"
   1.401+    elif [ "$_dld" = curl ]; then
   1.402+        get_ciphersuites_for_curl
   1.403+        _ciphersuites="$RETVAL"
   1.404+        if [ -n "$_ciphersuites" ]; then
   1.405+            _err=$(curl --proto '=https' --tlsv1.2 --ciphers "$_ciphersuites" --silent --show-error --fail --location "$1" --output "$2" 2>&1)
   1.406+            _status=$?
   1.407+        else
   1.408+            echo "Warning: Not enforcing strong cipher suites for TLS, this is potentially less secure"
   1.409+            if ! check_help_for "$3" curl --proto --tlsv1.2; then
   1.410+                echo "Warning: Not enforcing TLS v1.2, this is potentially less secure"
   1.411+                _err=$(curl --silent --show-error --fail --location "$1" --output "$2" 2>&1)
   1.412+                _status=$?
   1.413+            else
   1.414+                _err=$(curl --proto '=https' --tlsv1.2 --silent --show-error --fail --location "$1" --output "$2" 2>&1)
   1.415+                _status=$?
   1.416+            fi
   1.417+        fi
   1.418+        if [ -n "$_err" ]; then
   1.419+            echo "$_err" >&2
   1.420+            if echo "$_err" | grep -q 404$; then
   1.421+                err "installer for platform '$3' not found 8^C - ask ellis to support your platform"
   1.422+            fi
   1.423+        fi
   1.424+        return $_status
   1.425+    elif [ "$_dld" = wget ]; then
   1.426+        get_ciphersuites_for_wget
   1.427+        _ciphersuites="$RETVAL"
   1.428+        if [ -n "$_ciphersuites" ]; then
   1.429+            _err=$(wget --https-only --secure-protocol=TLSv1_2 --ciphers "$_ciphersuites" "$1" -O "$2" 2>&1)
   1.430+            _status=$?
   1.431+        else
   1.432+            echo "Warning: Not enforcing strong cipher suites for TLS, this is potentially less secure"
   1.433+            if ! check_help_for "$3" wget --https-only --secure-protocol; then
   1.434+                echo "Warning: Not enforcing TLS v1.2, this is potentially less secure"
   1.435+                _err=$(wget "$1" -O "$2" 2>&1)
   1.436+                _status=$?
   1.437+            else
   1.438+                _err=$(wget --https-only --secure-protocol=TLSv1_2 "$1" -O "$2" 2>&1)
   1.439+                _status=$?
   1.440+            fi
   1.441+        fi
   1.442+        if [ -n "$_err" ]; then
   1.443+            echo "$_err" >&2
   1.444+            if echo "$_err" | grep -q ' 404 Not Found$'; then
   1.445+                err "installer for platform '$3' not found!"
   1.446+            fi
   1.447+        fi
   1.448+        return $_status
   1.449+    else
   1.450+        err "Unknown dl program"   # should not reach here
   1.451+    fi
   1.452+}
   1.453+
   1.454+check_help_for() {
   1.455+    local _arch
   1.456+    local _cmd
   1.457+    local _arg
   1.458+    _arch="$1"
   1.459+    shift
   1.460+    _cmd="$1"
   1.461+    shift
   1.462+
   1.463+    local _category
   1.464+    if "$_cmd" --help | grep -q 'For all options use the manual or "--help all".'; then
   1.465+      _category="all"
   1.466+    else
   1.467+      _category=""
   1.468+    fi
   1.469+
   1.470+    case "$_arch" in
   1.471+
   1.472+        *darwin*)
   1.473+        if check_cmd sw_vers; then
   1.474+            case $(sw_vers -productVersion) in
   1.475+                10.*)
   1.476+                    # If we're running on macOS, older than 10.13, then we always
   1.477+                    # fail to find these options to force fallback
   1.478+                    if [ "$(sw_vers -productVersion | cut -d. -f2)" -lt 13 ]; then
   1.479+                        # Older than 10.13
   1.480+                        echo "Warning: Detected macOS platform older than 10.13"
   1.481+                        return 1
   1.482+                    fi
   1.483+                    ;;
   1.484+                11.*)
   1.485+                    # We assume Big Sur will be OK for now
   1.486+                    ;;
   1.487+                *)
   1.488+                    # Unknown product version, warn and continue
   1.489+                    echo "Warning: Detected unknown macOS major version: $(sw_vers -productVersion)"
   1.490+                    echo "Warning TLS capabilities detection may fail"
   1.491+                    ;;
   1.492+            esac
   1.493+        fi
   1.494+        ;;
   1.495+
   1.496+    esac
   1.497+
   1.498+    for _arg in "$@"; do
   1.499+        if ! "$_cmd" --help $_category | grep -q -- "$_arg"; then
   1.500+            return 1
   1.501+        fi
   1.502+    done
   1.503+
   1.504+    true # not strictly needed
   1.505+}
   1.506+
   1.507+# Return cipher suite string specified by user, otherwise return strong TLS 1.2-1.3 cipher suites
   1.508+# if support by local tools is detected. Detection currently supports these curl backends: 
   1.509+# GnuTLS and OpenSSL (possibly also LibreSSL and BoringSSL). Return value can be empty.
   1.510+get_ciphersuites_for_curl() {
   1.511+    if [ -n "${BABEL_TLS_CIPHERSUITES-}" ]; then
   1.512+        # user specified custom cipher suites, assume they know what they're doing
   1.513+        RETVAL="$BABEL_TLS_CIPHERSUITES"
   1.514+        return
   1.515+    fi
   1.516+
   1.517+    local _openssl_syntax="no"
   1.518+    local _gnutls_syntax="no"
   1.519+    local _backend_supported="yes"
   1.520+    if curl -V | grep -q ' OpenSSL/'; then
   1.521+        _openssl_syntax="yes"
   1.522+    elif curl -V | grep -iq ' LibreSSL/'; then
   1.523+        _openssl_syntax="yes"
   1.524+    elif curl -V | grep -iq ' BoringSSL/'; then
   1.525+        _openssl_syntax="yes"
   1.526+    elif curl -V | grep -iq ' GnuTLS/'; then
   1.527+        _gnutls_syntax="yes"
   1.528+    else
   1.529+        _backend_supported="no"
   1.530+    fi
   1.531+
   1.532+    local _args_supported="no"
   1.533+    if [ "$_backend_supported" = "yes" ]; then
   1.534+        # "unspecified" is for arch, allows for possibility old OS using macports, homebrew, etc.
   1.535+        if check_help_for "notspecified" "curl" "--tlsv1.2" "--ciphers" "--proto"; then
   1.536+            _args_supported="yes"
   1.537+        fi
   1.538+    fi
   1.539+
   1.540+    local _cs=""
   1.541+    if [ "$_args_supported" = "yes" ]; then
   1.542+        if [ "$_openssl_syntax" = "yes" ]; then
   1.543+            _cs=$(get_strong_ciphersuites_for "openssl")
   1.544+        elif [ "$_gnutls_syntax" = "yes" ]; then
   1.545+            _cs=$(get_strong_ciphersuites_for "gnutls")
   1.546+        fi
   1.547+    fi
   1.548+
   1.549+    RETVAL="$_cs"
   1.550+}
   1.551+
   1.552+# Return cipher suite string specified by user, otherwise return strong TLS 1.2-1.3 cipher suites
   1.553+# if support by local tools is detected. Detection currently supports these wget backends: 
   1.554+# GnuTLS and OpenSSL (possibly also LibreSSL and BoringSSL). Return value can be empty.
   1.555+get_ciphersuites_for_wget() {
   1.556+    if [ -n "${BABEL_TLS_CIPHERSUITES-}" ]; then
   1.557+        # user specified custom cipher suites, assume they know what they're doing
   1.558+        RETVAL="$BABEL_TLS_CIPHERSUITES"
   1.559+        return
   1.560+    fi
   1.561+
   1.562+    local _cs=""
   1.563+    if wget -V | grep -q '\-DHAVE_LIBSSL'; then
   1.564+        # "unspecified" is for arch, allows for possibility old OS using macports, homebrew, etc.
   1.565+        if check_help_for "notspecified" "wget" "TLSv1_2" "--ciphers" "--https-only" "--secure-protocol"; then
   1.566+            _cs=$(get_strong_ciphersuites_for "openssl")
   1.567+        fi
   1.568+    elif wget -V | grep -q '\-DHAVE_LIBGNUTLS'; then
   1.569+        # "unspecified" is for arch, allows for possibility old OS using macports, homebrew, etc.
   1.570+        if check_help_for "notspecified" "wget" "TLSv1_2" "--ciphers" "--https-only" "--secure-protocol"; then
   1.571+            _cs=$(get_strong_ciphersuites_for "gnutls")
   1.572+        fi
   1.573+    fi
   1.574+
   1.575+    RETVAL="$_cs"
   1.576+}
   1.577+
   1.578+# Return strong TLS 1.2-1.3 cipher suites in OpenSSL or GnuTLS syntax. TLS 1.2 
   1.579+# excludes non-ECDHE and non-AEAD cipher suites. DHE is excluded due to bad 
   1.580+# DH params often found on servers (see RFC 7919). Sequence matches or is
   1.581+# similar to Firefox 68 ESR with weak cipher suites disabled via about:config.  
   1.582+# $1 must be openssl or gnutls.
   1.583+get_strong_ciphersuites_for() {
   1.584+    if [ "$1" = "openssl" ]; then
   1.585+        # OpenSSL is forgiving of unknown values, no problems with TLS 1.3 values on versions that don't support it yet.
   1.586+        echo "TLS_AES_128_GCM_SHA256:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_256_GCM_SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384"
   1.587+    elif [ "$1" = "gnutls" ]; then
   1.588+        # GnuTLS isn't forgiving of unknown values, so this may require a GnuTLS version that supports TLS 1.3 even if wget doesn't.
   1.589+        # Begin with SECURE128 (and higher) then remove/add to build cipher suites. Produces same 9 cipher suites as OpenSSL but in slightly different order.
   1.590+        echo "SECURE128:-VERS-SSL3.0:-VERS-TLS1.0:-VERS-TLS1.1:-VERS-DTLS-ALL:-CIPHER-ALL:-MAC-ALL:-KX-ALL:+AEAD:+ECDHE-ECDSA:+ECDHE-RSA:+AES-128-GCM:+CHACHA20-POLY1305:+AES-256-GCM"
   1.591+    fi 
   1.592+}
   1.593+
   1.594+main "$@" || exit 1
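Review bot: `main` executes the downloaded `$_file` with only the TLS session vouching for it, and the fallback branches of `dl` drop even that. When `check_help_for` fails they run `curl --silent --show-error --fail --location "$1" --output "$2"` and `wget "$1" -O "$2"` with no `--proto '=https'` / `--https-only`, so an `http://` value in the environment-overridable `PKG_URL_ROOT`, or a redirect to plain HTTP, delivers a binary that is then `chmod u+x`-ed and run. Those branches should fail closed with `err`, or, if the forced fallback for macOS older than 10.13 has to stay, be preceded by `case "$1" in https://*) ;; *) err "refusing non-HTTPS URL: $1" ;; esac`, which covers the initial URL but not redirects. A digest comparison between `ensure dl` and `ensure chmod u+x`, against a value pinned in the script rather than fetched from the same host, would make execution independent of the transport. The two "Not enforcing …" warnings are echoed to stdout and should get `>&2` so they stay visible when output is captured.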
   1.595+
     2.1--- a/tools/deps.sh	Tue Jun 06 18:55:17 2023 -0400
     2.2+++ /dev/null	Thu Jan 01 00:00:00 1970 +0000
     2.3@@ -1,309 +0,0 @@
     2.4-#!/usr/bin/sh
     2.5-# install demo build dependencies
     2.6-set -u
     2.7-PKG_URL_ROOT="${PKG_URL_ROOT:-https://rwest.io/otom8/packy/bundle}"
     2.8-PKG_NAME="demo_build_deps"
     2.9-say() {printf 'babel-installer: %s\n' "$1"}
    2.10-err() {say "$1" >&2; exit 1}
    2.11-need_cmd() {
    2.12-    if ! check_cmd "$1"; then
    2.13-        err "need '$1' (command not found)"
    2.14-    fi}
    2.15-check_cmd() {command -v "$1" > /dev/null 2>&1}
    2.16-ensure() {if ! "$@"; then err "command failed: $*"; fi}
    2.17-ignore() {"$@"}
    2.18-
    2.19-main () {
    2.20-    need_cmd chmod
    2.21-    need_cmd mkdir
    2.22-    need_cmd rm
    2.23-
    2.24-    get_architecture || return 1
    2.25-    local _arch="$RETVAL"
    2.26-    assert_nz "$_arch" "arch"
    2.27-
    2.28-    # no extension unless on windows
    2.29-    local _ext=""
    2.30-    case "$_arch" in
    2.31-        *windows*)
    2.32-            _ext=".exe"
    2.33-            ;;
    2.34-    esac
    2.35-
    2.36-  local _url="${PKG_URL_ROOT}/bin/dist/${_arch}/${PKG_NAME}${_ext}"
    2.37-
    2.38-    local _dir
    2.39-    _dir="$(ensure mktemp -d)"
    2.40-    local _file="${_dir}/${PKG_NAME}${_ext}"
    2.41-
    2.42-    local _ansi_escapes_are_valid=false
    2.43-    if [ -t 2 ]; then
    2.44-        if [ "${TERM+set}" = 'set' ]; then
    2.45-            case "$TERM" in
    2.46-                xterm*|rxvt*|urxvt*|linux*|vt*)
    2.47-                    _ansi_escapes_are_valid=true
    2.48-                ;;
    2.49-            esac
    2.50-        fi
    2.51-    fi
    2.52-
    2.53-    # check if we have to use /dev/tty to prompt the user
    2.54-    local need_tty=yes
    2.55-    for arg in "$@"; do
    2.56-        case "$arg" in
    2.57-            q)
    2.58-                # user wants to skip the prompt --
    2.59-                # we don't need /dev/tty
    2.60-                need_tty=no
    2.61-                ;;
    2.62-            *)
    2.63-                ;;
    2.64-        esac
    2.65-    done
    2.66-
    2.67-    if $_ansi_escapes_are_valid; then
    2.68-        printf "\33[1minfo:\33[0m downloading $PKG_NAME\n" 1>&2
    2.69-    else
    2.70-        printf '%s\n' 'info: downloading $PKG_NAME' 1>&2
    2.71-    fi
    2.72-
    2.73-    ensure mkdir -p "$_dir"
    2.74-    ensure downloader "$_url" "$_file" "$_arch"
    2.75-    ensure chmod u+x "$_file"
    2.76-    if [ ! -x "$_file" ]; then
    2.77-        printf '%s\n' "Cannot execute $_file (likely because of mounting /tmp as noexec)." 1>&2
    2.78-        printf '%s\n' "Please copy the file to a location where you can execute binaries and run ./${PKG_NAME}${_ext}." 1>&2
    2.79-        exit 1
    2.80-    fi
    2.81-
    2.82-    if [ "$need_tty" = "yes" ]; then
    2.83-        # The installer is going to want to ask for confirmation by
    2.84-        # reading stdin.  This script was piped into `sh` though and
    2.85-        # doesn't have stdin to pass to its children. Instead we're going
    2.86-        # to explicitly connect /dev/tty to the installer's stdin.
    2.87-        if [ ! -t 1 ]; then
    2.88-            err "Unable to run interactively. Run with -y to accept defaults"
    2.89-        fi
    2.90-
    2.91-        ignore "$_file" "$@" < /dev/tty
    2.92-    else
    2.93-        ignore "$_file" "$@"
    2.94-    fi
    2.95-
    2.96-    local _retval=$?
    2.97-
    2.98-    ignore rm "$_file"
    2.99-    ignore rmdir "$_dir"
   2.100-
   2.101-    return "$_retval"
   2.102-}
   2.103-
   2.104-dl() { # curl || wget
   2.105-    local _dld
   2.106-    local _ciphersuites
   2.107-    local _err
   2.108-    local _status
   2.109-    if check_cmd curl; then
   2.110-        _dld=curl
   2.111-    elif check_cmd wget; then
   2.112-        _dld=wget
   2.113-    else
   2.114-        _dld='curl or wget' # to be used in error message of need_cmd
   2.115-    fi
   2.116-
   2.117-    if [ "$1" = --check ]; then
   2.118-        need_cmd "$_dld"
   2.119-    elif [ "$_dld" = curl ]; then
   2.120-        get_ciphersuites_for_curl
   2.121-        _ciphersuites="$RETVAL"
   2.122-        if [ -n "$_ciphersuites" ]; then
   2.123-            _err=$(curl --proto '=https' --tlsv1.2 --ciphers "$_ciphersuites" --silent --show-error --fail --location "$1" --output "$2" 2>&1)
   2.124-            _status=$?
   2.125-        else
   2.126-            echo "Warning: Not enforcing strong cipher suites for TLS, this is potentially less secure"
   2.127-            if ! check_help_for "$3" curl --proto --tlsv1.2; then
   2.128-                echo "Warning: Not enforcing TLS v1.2, this is potentially less secure"
   2.129-                _err=$(curl --silent --show-error --fail --location "$1" --output "$2" 2>&1)
   2.130-                _status=$?
   2.131-            else
   2.132-                _err=$(curl --proto '=https' --tlsv1.2 --silent --show-error --fail --location "$1" --output "$2" 2>&1)
   2.133-                _status=$?
   2.134-            fi
   2.135-        fi
   2.136-        if [ -n "$_err" ]; then
   2.137-            echo "$_err" >&2
   2.138-            if echo "$_err" | grep -q 404$; then
   2.139-                err "installer for platform '$3' not found 8^C - ask ellis to support your platform"
   2.140-            fi
   2.141-        fi
   2.142-        return $_status
   2.143-    elif [ "$_dld" = wget ]; then
   2.144-        get_ciphersuites_for_wget
   2.145-        _ciphersuites="$RETVAL"
   2.146-        if [ -n "$_ciphersuites" ]; then
   2.147-            _err=$(wget --https-only --secure-protocol=TLSv1_2 --ciphers "$_ciphersuites" "$1" -O "$2" 2>&1)
   2.148-            _status=$?
   2.149-        else
   2.150-            echo "Warning: Not enforcing strong cipher suites for TLS, this is potentially less secure"
   2.151-            if ! check_help_for "$3" wget --https-only --secure-protocol; then
   2.152-                echo "Warning: Not enforcing TLS v1.2, this is potentially less secure"
   2.153-                _err=$(wget "$1" -O "$2" 2>&1)
   2.154-                _status=$?
   2.155-            else
   2.156-                _err=$(wget --https-only --secure-protocol=TLSv1_2 "$1" -O "$2" 2>&1)
   2.157-                _status=$?
   2.158-            fi
   2.159-        fi
   2.160-        if [ -n "$_err" ]; then
   2.161-            echo "$_err" >&2
   2.162-            if echo "$_err" | grep -q ' 404 Not Found$'; then
   2.163-                err "installer for platform '$3' not found!"
   2.164-            fi
   2.165-        fi
   2.166-        return $_status
   2.167-    else
   2.168-        err "Unknown downloader"   # should not reach here
   2.169-    fi
   2.170-}
   2.171-
   2.172-check_help_for() {
   2.173-    local _arch
   2.174-    local _cmd
   2.175-    local _arg
   2.176-    _arch="$1"
   2.177-    shift
   2.178-    _cmd="$1"
   2.179-    shift
   2.180-
   2.181-    local _category
   2.182-    if "$_cmd" --help | grep -q 'For all options use the manual or "--help all".'; then
   2.183-      _category="all"
   2.184-    else
   2.185-      _category=""
   2.186-    fi
   2.187-
   2.188-    case "$_arch" in
   2.189-
   2.190-        *darwin*)
   2.191-        if check_cmd sw_vers; then
   2.192-            case $(sw_vers -productVersion) in
   2.193-                10.*)
   2.194-                    # If we're running on macOS, older than 10.13, then we always
   2.195-                    # fail to find these options to force fallback
   2.196-                    if [ "$(sw_vers -productVersion | cut -d. -f2)" -lt 13 ]; then
   2.197-                        # Older than 10.13
   2.198-                        echo "Warning: Detected macOS platform older than 10.13"
   2.199-                        return 1
   2.200-                    fi
   2.201-                    ;;
   2.202-                11.*)
   2.203-                    # We assume Big Sur will be OK for now
   2.204-                    ;;
   2.205-                *)
   2.206-                    # Unknown product version, warn and continue
   2.207-                    echo "Warning: Detected unknown macOS major version: $(sw_vers -productVersion)"
   2.208-                    echo "Warning TLS capabilities detection may fail"
   2.209-                    ;;
   2.210-            esac
   2.211-        fi
   2.212-        ;;
   2.213-
   2.214-    esac
   2.215-
   2.216-    for _arg in "$@"; do
   2.217-        if ! "$_cmd" --help $_category | grep -q -- "$_arg"; then
   2.218-            return 1
   2.219-        fi
   2.220-    done
   2.221-
   2.222-    true # not strictly needed
   2.223-}
   2.224-
   2.225-# Return cipher suite string specified by user, otherwise return strong TLS 1.2-1.3 cipher suites
   2.226-# if support by local tools is detected. Detection currently supports these curl backends: 
   2.227-# GnuTLS and OpenSSL (possibly also LibreSSL and BoringSSL). Return value can be empty.
   2.228-get_ciphersuites_for_curl() {
   2.229-    if [ -n "${BABEL_TLS_CIPHERSUITES-}" ]; then
   2.230-        # user specified custom cipher suites, assume they know what they're doing
   2.231-        RETVAL="$BABEL_TLS_CIPHERSUITES"
   2.232-        return
   2.233-    fi
   2.234-
   2.235-    local _openssl_syntax="no"
   2.236-    local _gnutls_syntax="no"
   2.237-    local _backend_supported="yes"
   2.238-    if curl -V | grep -q ' OpenSSL/'; then
   2.239-        _openssl_syntax="yes"
   2.240-    elif curl -V | grep -iq ' LibreSSL/'; then
   2.241-        _openssl_syntax="yes"
   2.242-    elif curl -V | grep -iq ' BoringSSL/'; then
   2.243-        _openssl_syntax="yes"
   2.244-    elif curl -V | grep -iq ' GnuTLS/'; then
   2.245-        _gnutls_syntax="yes"
   2.246-    else
   2.247-        _backend_supported="no"
   2.248-    fi
   2.249-
   2.250-    local _args_supported="no"
   2.251-    if [ "$_backend_supported" = "yes" ]; then
   2.252-        # "unspecified" is for arch, allows for possibility old OS using macports, homebrew, etc.
   2.253-        if check_help_for "notspecified" "curl" "--tlsv1.2" "--ciphers" "--proto"; then
   2.254-            _args_supported="yes"
   2.255-        fi
   2.256-    fi
   2.257-
   2.258-    local _cs=""
   2.259-    if [ "$_args_supported" = "yes" ]; then
   2.260-        if [ "$_openssl_syntax" = "yes" ]; then
   2.261-            _cs=$(get_strong_ciphersuites_for "openssl")
   2.262-        elif [ "$_gnutls_syntax" = "yes" ]; then
   2.263-            _cs=$(get_strong_ciphersuites_for "gnutls")
   2.264-        fi
   2.265-    fi
   2.266-
   2.267-    RETVAL="$_cs"
   2.268-}
   2.269-
   2.270-# Return cipher suite string specified by user, otherwise return strong TLS 1.2-1.3 cipher suites
   2.271-# if support by local tools is detected. Detection currently supports these wget backends: 
   2.272-# GnuTLS and OpenSSL (possibly also LibreSSL and BoringSSL). Return value can be empty.
   2.273-get_ciphersuites_for_wget() {
   2.274-    if [ -n "${BABEL_TLS_CIPHERSUITES-}" ]; then
   2.275-        # user specified custom cipher suites, assume they know what they're doing
   2.276-        RETVAL="$BABEL_TLS_CIPHERSUITES"
   2.277-        return
   2.278-    fi
   2.279-
   2.280-    local _cs=""
   2.281-    if wget -V | grep -q '\-DHAVE_LIBSSL'; then
   2.282-        # "unspecified" is for arch, allows for possibility old OS using macports, homebrew, etc.
   2.283-        if check_help_for "notspecified" "wget" "TLSv1_2" "--ciphers" "--https-only" "--secure-protocol"; then
   2.284-            _cs=$(get_strong_ciphersuites_for "openssl")
   2.285-        fi
   2.286-    elif wget -V | grep -q '\-DHAVE_LIBGNUTLS'; then
   2.287-        # "unspecified" is for arch, allows for possibility old OS using macports, homebrew, etc.
   2.288-        if check_help_for "notspecified" "wget" "TLSv1_2" "--ciphers" "--https-only" "--secure-protocol"; then
   2.289-            _cs=$(get_strong_ciphersuites_for "gnutls")
   2.290-        fi
   2.291-    fi
   2.292-
   2.293-    RETVAL="$_cs"
   2.294-}
   2.295-
   2.296-# Return strong TLS 1.2-1.3 cipher suites in OpenSSL or GnuTLS syntax. TLS 1.2 
   2.297-# excludes non-ECDHE and non-AEAD cipher suites. DHE is excluded due to bad 
   2.298-# DH params often found on servers (see RFC 7919). Sequence matches or is
   2.299-# similar to Firefox 68 ESR with weak cipher suites disabled via about:config.  
   2.300-# $1 must be openssl or gnutls.
   2.301-get_strong_ciphersuites_for() {
   2.302-    if [ "$1" = "openssl" ]; then
   2.303-        # OpenSSL is forgiving of unknown values, no problems with TLS 1.3 values on versions that don't support it yet.
   2.304-        echo "TLS_AES_128_GCM_SHA256:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_256_GCM_SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384"
   2.305-    elif [ "$1" = "gnutls" ]; then
   2.306-        # GnuTLS isn't forgiving of unknown values, so this may require a GnuTLS version that supports TLS 1.3 even if wget doesn't.
   2.307-        # Begin with SECURE128 (and higher) then remove/add to build cipher suites. Produces same 9 cipher suites as OpenSSL but in slightly different order.
   2.308-        echo "SECURE128:-VERS-SSL3.0:-VERS-TLS1.0:-VERS-TLS1.1:-VERS-DTLS-ALL:-CIPHER-ALL:-MAC-ALL:-KX-ALL:+AEAD:+ECDHE-ECDSA:+ECDHE-RSA:+AES-128-GCM:+CHACHA20-POLY1305:+AES-256-GCM"
   2.309-    fi 
   2.310-}
   2.311-
   2.312-main "$@" || exit 1