DepperDan/build_functions/build_openssl.py

# (c) 2025 by Stephan Menzel
# Licensed under the Apache License, Version 2.0.
# See attached file LICENSE for full details

import os
import zipfile
from pathlib import Path
import requests
from build_functions.build_utils import run_in_shell, print_banner, file_and_console_log
from common.azure import write_package_version_batch
from common.directory_helpers import pushd, get_local_prefix
from common.git_helpers import clone_git_tag
import common.settings
from package.package_info import get_package_info


def build_openssl(prefix: Path, sbom: dict):

    print_banner("Building OpenSSL")

    package_info = get_package_info("openssl")
    package_info.add_to_sbom(sbom)

    zlib_install_path = package_info.dependency_path("zlib")

    zlib_include_path = zlib_install_path / "include"
    zlib_library_path = zlib_install_path / "lib" / common.settings.zlib_static_lib_name

    openssl_dir = clone_git_tag(package_info, recursive=False)

    with pushd(openssl_dir):

        install_prefix = package_info.install_location()

        if not common.settings.rebuild and Path("built_and_installed.txt").exists():
            file_and_console_log("already built, exiting")
            return install_prefix

        # In the azure devops pipeline there's no Perl available, yet we need it to compile OpenSSL
        # So I download the portable package and use this
        perl_package_filename = "strawberry-perl-5.38.2.2-64bit-portable.zip"
        url = f"https://github.com/StrawberryPerl/Perl-Dist-Strawberry/releases/download/SP_53822_64bit/{perl_package_filename}"
        r = requests.get(url, allow_redirects=True)
        with open(perl_package_filename, "wb") as package_file:
            package_file.write(r.content)
        with zipfile.ZipFile(perl_package_filename, "r") as zip_ref:
            os.mkdir("perl_portable")
            zip_ref.extractall("perl_portable")

        path_amend = Path("./perl_portable/c/bin").resolve()
        os.environ["PATH"] += os.pathsep + str(path_amend)

        # This requires not only perl but also assumes we are in a "Developer Shell" on Windows,
        # meaning we have nmake in the path

        if os.name == "nt":
            run_in_shell("perl.exe .\\Configure no-shared no-legacy zlib no-zlib-dynamic "
                         "threads no-unit-test no-egd "
                         f"--with-zlib-include={str(zlib_include_path)} "
                         f"--with-zlib-lib={str(zlib_library_path)} "
                         f"--prefix={str(install_prefix)} --openssldir={str(install_prefix)} "
                         "VC-WIN64A")

            # OpenSSL always assumes /MT when building statically. Looks like this cannot be overridden
            # So we change the makefile by replacing the occurrences
            #
            # Update: This trick used to work but no longer does with 3.2.1 / recent MSVC
            #         I have failed to find a solution but found this source: https://github.com/openssl/openssl/discussions/22668
            #         arguing this is not necessary (anymore?) because of the /Zl switch which defers the selection
            #         of the runtime to executable link time. I'm not really buying it but there's little
            #         I can do about that right now and I will try if it really works when we use OpenSSL with static
            #         runtime selection. We we only relly know once the egm links against this warning free and works.
            #         If such is not the case and you end up here looking at this, try again to modify the selected
            #         runtime like I do below.
            #
            with open('makefile', 'r') as file:
                filedata = file.read()

            # Replace the MT flags
            filedata = filedata.replace("/MT", "/MD")

            # Write the file out again
            with open('makefile', 'w') as lockfile:
                lockfile.write(filedata)

            # If you are here debugging why this doesn't work, you are probably not starting
            # this in a x64 native tools command prompt shell
            run_in_shell("nmake install")

            # I know, dirty, but building openssl takes for evah
            with open("built_and_installed.txt", "w") as lockfile:
                lockfile.write("built")

        elif os.name == "posix":
            run_in_shell("perl ./Configure no-shared zlib no-zlib-dynamic threads no-unit-test "
                         f"--with-zlib-include={str(zlib_include_path)} "
                         f"--with-zlib-lib={str(zlib_library_path)} "
                         f"--prefix={str(install_prefix)} --openssldir={str(install_prefix)} "
                         "")
            run_in_shell(f"make -j{common.settings.num_cores} install")

            with open("built_and_installed.txt", "w") as lockfile:
                lockfile.write("built")

    write_package_version_batch(package_info.version)

    return install_prefix