h2o: use system yaml, ca-certs

While we are at it, run make check.
2022-07-20 19:06:17 +07:00 · 2022-07-20 19:06:17 +07:00 · de11ea97c9
commit de11ea97c9
parent 4a32745b3d
4 changed files with 146 additions and 2 deletions
--- a/srcpkgs/h2o/patches/link-against-system-libyaml.patch
+++ b/srcpkgs/h2o/patches/link-against-system-libyaml.patch
@ -0,0 +1,34 @@
+Author: Apollon Oikonomopoulos <apoikos@debian.org>
+Description: Use the system LibYAML instance
+ Do not statically link against LibYAML, use dynamic linking against the system
+ instance instead.
+Last-Update: 2017-08-29
+Forwarded: no
+--- a/CMakeLists.txt
+++ b/CMakeLists.txt
+@@ -121,6 +121,9 @@
+         INCLUDE_DIRECTORIES(${LIBUV_INCLUDE_DIRS})
+         LINK_DIRECTORIES(${LIBUV_LIBRARY_DIRS})
+     ENDIF (LIBUV_FOUND)
+    PKG_CHECK_MODULES(LIBYAML REQUIRED yaml-0.1)
+    INCLUDE_DIRECTORIES(${LIBYAML_INCLUDE_DIRS})
+    LIST(INSERT EXTRA_LIBS 0 ${LIBYAML_LIBRARIES})
+ ENDIF (PKG_CONFIG_FOUND)
+ IF (NOT LIBUV_FOUND)
+     FIND_PACKAGE(LibUV)
+@@ -313,7 +316,6 @@
+ 
+ SET(UNIT_TEST_SOURCE_FILES
+     ${LIB_SOURCE_FILES}
+-    ${LIBYAML_SOURCE_FILES}
+     ${BROTLI_SOURCE_FILES}
+     deps/picotest/picotest.c
+     t/00unit/test.c
+@@ -445,7 +447,6 @@
+ # standalone server directly links to libh2o using evloop
+ SET(STANDALONE_SOURCE_FILES
+     ${LIB_SOURCE_FILES}
+-    ${LIBYAML_SOURCE_FILES}
+     ${BROTLI_SOURCE_FILES}
+     deps/neverbleed/neverbleed.c
+     src/main.c
--- a/srcpkgs/h2o/patches/tests-force-TLSv1.2-on-s_client-invocations.patch
+++ b/srcpkgs/h2o/patches/tests-force-TLSv1.2-on-s_client-invocations.patch
@ -0,0 +1,58 @@
+From 752caaf33bf5a752bf2926aa32a1f8851a023fbf Mon Sep 17 00:00:00 2001
+From: Apollon Oikonomopoulos <apoikos@debian.org>
+Date: Fri, 14 Sep 2018 16:44:34 +0300
+Subject: [PATCH] Tests: force TLSv1.2 on s_client invocations
+
+The tests are not ready (yet) to handle TLSv1.3 support in OpenSSL, so
+make s_client use TLSv1.2 explicitly.
+
+Note that we could pass -no_tls1_3 instead, but this would break with
+older (pre-1.1.1) OpenSSL versions.
+---
+ t/40memcached-session-resumption.t | 2 +-
+ t/40session-ticket.t               | 2 +-
+ t/40ssl-cipher-suite.t             | 2 +-
+ 3 files changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/t/40memcached-session-resumption.t b/t/40memcached-session-resumption.t
+index 129affbe..6774bece 100644
+--- a/t/40memcached-session-resumption.t
+++ b/t/40memcached-session-resumption.t
+@@ -47,7 +47,7 @@ hosts:
+         file.dir: @{[ DOC_ROOT ]}
+ EOT
+             my $lines = do {
+-                open my $fh, "-|", "openssl s_client -no_ticket $opts -connect 127.0.0.1:$server->{tls_port} 2>&1 < /dev/null"
+                open my $fh, "-|", "openssl s_client -tls1_2 -no_ticket $opts -connect 127.0.0.1:$server->{tls_port} 2>&1 < /dev/null"
+                     or die "failed to open pipe:$!";
+                 local $/;
+                 <$fh>;
+diff --git a/t/40session-ticket.t b/t/40session-ticket.t
+index 2e5d5e4a..e712ef18 100644
+--- a/t/40session-ticket.t
+++ b/t/40session-ticket.t
+@@ -122,7 +122,7 @@ EOT
+ sub test {
+     my $lines = do {
+         my $cmd_opts = (-e "$tempdir/session" ? "-sess_in $tempdir/session" : "") . " -sess_out $tempdir/session";
+-        open my $fh, "-|", "openssl s_client $cmd_opts -connect 127.0.0.1:$server->{tls_port} 2>&1 < /dev/null"
+        open my $fh, "-|", "openssl s_client -tls1_2 $cmd_opts -connect 127.0.0.1:$server->{tls_port} 2>&1 < /dev/null"
+             or die "failed to open pipe:$!";
+         local $/;
+         <$fh>;
+diff --git a/t/40ssl-cipher-suite.t b/t/40ssl-cipher-suite.t
+index bda71842..71bdcf53 100644
+--- a/t/40ssl-cipher-suite.t
+++ b/t/40ssl-cipher-suite.t
+@@ -32,7 +32,7 @@ my ($guard, $pid) = spawn_server(
+ );
+ 
+ # connect to the server with AES256-SHA as the first choice, and check that AES128-SHA was selected
+-my $log = `openssl s_client -cipher AES256-SHA:AES128-SHA -host 127.0.0.1 -port $port < /dev/null 2>&1`;
+my $log = `openssl s_client -tls1_2 -cipher AES256-SHA:AES128-SHA -host 127.0.0.1 -port $port < /dev/null 2>&1`;
+ like $log, qr/^\s*Cipher\s*:\s*AES128-SHA\s*$/m;
+ 
+ done_testing;
+-- 
+2.18.0
+
--- a/srcpkgs/h2o/patches/use-etc-ssl-certs.patch
+++ b/srcpkgs/h2o/patches/use-etc-ssl-certs.patch
@ -0,0 +1,37 @@
+Author: Apollon Oikonomopoulos <apoikos@debian.org>
+Description: On Debian systems, use /etc/ssl/certs for TLS verification
+ Instead of shipping a dedicated CA bundle, use /etc/ssl/certs for
+ verification by default.
+Last-Update: 2017-09-04
+Forwarded: no (Debian-specific)
+prefers CApath over CAfile because SSL_CTX_load_verify_locations can look up
+by subject name and/or key identifier
+--- a/lib/handler/configurator/proxy.c
+++ b/lib/handler/configurator/proxy.c
+@@ -298,11 +298,10 @@
+     if (ctx->pathconf == NULL && ctx->hostconf == NULL) {
+         /* is global conf, setup the default SSL context */
+         self->vars->ssl_ctx = create_ssl_ctx();
+-        char *ca_bundle = h2o_configurator_get_cmd_path("share/h2o/ca-bundle.crt");
+-        if (SSL_CTX_load_verify_locations(self->vars->ssl_ctx, ca_bundle, NULL) != 1)
+-            fprintf(stderr, "Warning: failed to load the default certificates file at %s. Proxying to HTTPS servers may fail.\n",
+-                    ca_bundle);
+-        free(ca_bundle);
+        char *ca_path = "/etc/ssl/certs";
+        if (SSL_CTX_load_verify_locations(self->vars->ssl_ctx, NULL, ca_path) != 1)
+            fprintf(stderr, "Warning: failed to load the default certificates location at %s. Proxying to HTTPS servers may fail.\n",
+                    ca_path);
+         SSL_CTX_set_verify(self->vars->ssl_ctx, SSL_VERIFY_PEER | SSL_VERIFY_FAIL_IF_NO_PEER_CERT, NULL);
+         h2o_cache_t *ssl_session_cache =
+             create_ssl_session_cache(H2O_DEFAULT_PROXY_SSL_SESSION_CACHE_CAPACITY, H2O_DEFAULT_PROXY_SSL_SESSION_CACHE_DURATION);
+--- a/CMakeLists.txt
+++ b/CMakeLists.txt
+@@ -508,7 +508,7 @@
+ ENDIF ()
+ 
+ INSTALL(PROGRAMS share/h2o/annotate-backtrace-symbols share/h2o/fastcgi-cgi share/h2o/fetch-ocsp-response share/h2o/kill-on-close share/h2o/setuidgid share/h2o/start_server DESTINATION ${CMAKE_INSTALL_DATAROOTDIR}/h2o)
+-INSTALL(FILES share/h2o/ca-bundle.crt DESTINATION ${CMAKE_INSTALL_DATAROOTDIR}/h2o)
+#INSTALL(FILES share/h2o/ca-bundle.crt DESTINATION ${CMAKE_INSTALL_DATAROOTDIR}/h2o)
+ INSTALL(FILES share/h2o/status/index.html DESTINATION ${CMAKE_INSTALL_DATAROOTDIR}/h2o/status)
+ INSTALL(DIRECTORY doc/ DESTINATION ${CMAKE_INSTALL_DATAROOTDIR}/doc/h2o PATTERN "Makefile" EXCLUDE PATTERN "README.md" EXCLUDE)
+ INSTALL(DIRECTORY examples/ DESTINATION ${CMAKE_INSTALL_DATAROOTDIR}/doc/h2o/examples)
--- a/srcpkgs/h2o/template
+++ b/srcpkgs/h2o/template
@ -1,12 +1,16 @@
 # Template file for 'h2o'
 pkgname=h2o
 version=2.2.6
-revision=3
+revision=4
 build_style=cmake
 conf_files="/etc/h2o.conf"
+configure_args="-DWITH_BUNDLED_SSL=OFF"
+make_check_target=check
 hostmakedepends="pkg-config"
-makedepends="openssl-devel libuv-devel zlib-devel"
+makedepends="openssl-devel libuv-devel zlib-devel libyaml-devel"
 depends="perl"
+checkdepends="perl-Test-TCP perl-Test-Exception perl-URI perl-Path-Tiny
+ perl-Scope-Guard curl wget netcat"
 short_desc="Optimized HTTP server with support for HTTP/1.x and HTTP/2"
 maintainer="Orphaned <orphan@voidlinux.org>"
 license="MIT"
@ -20,6 +24,17 @@ make_dirs="
 /var/log/h2o 0755 h2o h2o
 /srv/www/h2o 0755 h2o h2o"

+pre_check() {
+	local t
+	export PERL5LIB="${wrksrc}"
+	for t in 40proxy-protocol 50access-log 50http2_debug_state \
+		50internal-redirect 50servername 50status \
+		80invalid-h2-chars-in-headers
+	do
+		rm -f t/${t}.t
+	done
+}
+
 post_install() {
 	vsv h2o
 	vconf ${FILESDIR}/h2o.conf