Add autogenerated releases for OpenSSL, Crypto++ and Botan

Author: quapka

fetchReleases.py

@@ -0,0 +1,140 @@
+#!/usr/bin/env python3
+
+import argparse
+
+import json
+import jinja2
+import re
+import requests
+
+import subprocess as sp
+
+from base64 import b32encode, b32decode, b64encode, b16decode
+from bs4 import BeautifulSoup
+
+env = jinja2.Environment()
+
+all_versions_template = env.from_string("""{
+  buildECTesterStandalone
+}:
+{ {% for version in pkg_versions %}
+  {{ version }} {% endfor %}
+}""")
+
+def get_source_hash(url, unpack=False):
+    digest_type = "sha256"
+
+    cmd = ["nix-prefetch-url"]
+    if unpack:
+        cmd.append("--unpack")
+    cmd.extend(["--type", digest_type, url])
+
+    digest_nixbase32 = sp.check_output(cmd, stderr=sp.DEVNULL).strip()
+    digest_sri = sp.check_output(["nix", "hash", "to-sri", "--type", digest_type, digest_nixbase32.decode()], stderr=sp.DEVNULL).strip().decode()
+    return digest_sri
+
+def fetch_botan():
+    # NOTE: this way omits the older releases at https://botan.randombit.net/releases/old
+    release_list = "https://botan.randombit.net/releases/"
+    download_url = "https://botan.randombit.net/releases/{version}"
+    resp = requests.get(release_list)
+    soup = BeautifulSoup(resp.content, 'html.parser')
+
+    single_version_template = env.from_string("""{{ flat_version }} = buildECTesterStandalone {
+    {{ pkg }} = { version="{{ version }}"; source_extension="{{ ext }}"; hash="{{ digest }}"; };
+  };""")
+
+    renders = []
+    for link in soup.find_all("a"):
+        if link.text.startswith("Botan") and not link.text.endswith('.asc'):
+            download_link = download_url.format(version=link['href'])
+
+            match = re.match(r"Botan-(?P<major>\d+)\.(?P<minor>\d+)\.(?P<patch>\d+)\.(?P<ext>.*)", link.text)
+            version = f"{match['major']}.{match['minor']}.{match['patch']}"
+            ext = f"{match['ext']}"
+
+            digest = get_source_hash(download_link)
+            # NOTE: use underscore to separate the versions?
+            flat_version = f"v{match['major']}{match['minor']}{match['patch']}"
+
+            rendered = single_version_template.render(pkg="botan", digest=digest, ext=ext, flat_version=flat_version, version=version).strip()
+            renders.append(rendered)
+
+    all_versions = all_versions_template.render(pkg_versions=renders).strip()
+    with open("./nix/botan_pkg_versions.nix", "w") as handle:
+        handle.write(all_versions)
+
+def fetch_cryptopp():
+    owner = "weidai11"
+    repo = "cryptopp"
+    release_url = f"https://api.github.com/repos/{owner}/{repo}/releases"
+    resp = requests.get(release_url)
+
+    single_version_template = env.from_string("""{{ flat_version }} = buildECTesterStandalone {
+    {{ pkg }} = { version="{{ version }}"; hash="{{ digest }}"; };
+  };""")
+    renders = []
+    for release in resp.json():
+        if not release['draft'] and not release['prerelease']:
+            _, *version_values = release['tag_name'].split('_')
+            underscored_version = '_'.join(version_values)
+            flat_version = "v" + "".join(version_values)
+            download_url = f"https://github.com/{owner}/{repo}/archive/{release['tag_name']}.tar.gz"
+            digest = get_source_hash(download_url, unpack=True)
+
+
+            rendered = single_version_template.render(pkg="cryptopp", digest=digest, flat_version=flat_version, version=underscored_version).strip()
+            renders.append(rendered)
+
+    all_versions = all_versions_template.render(pkg_versions=renders).strip()
+    with open("./nix/cryptopp_pkg_versions.nix", "w") as handle:
+        handle.write(all_versions)
+
+def fetch_openssl():
+    pkg = "openssl"
+    owner = "openssl"
+    repo = "openssl"
+    release_url = f"https://api.github.com/repos/{owner}/{repo}/releases"
+    resp = requests.get(release_url)
+
+    single_version_template = env.from_string("""{{ flat_version }} = buildECTesterStandalone {
+    {{ pkg }} = { version="{{ version }}"; hash="{{ digest }}"; };
+  };""")
+    renders = []
+    for release in resp.json():
+        if not release['draft'] and not release['prerelease']:
+            try: 
+                _, dotted_version = release['tag_name'].split('-')
+            except ValueError:
+                continue
+            flat_version = "v" + "".join(dotted_version.split('.'))
+            download_url = f"https://github.com/{owner}/{repo}/archive/{release['tag_name']}.tar.gz"
+            digest = get_source_hash(download_url)
+
+
+            rendered = single_version_template.render(pkg=pkg, digest=digest, flat_version=flat_version, version=dotted_version).strip()
+            renders.append(rendered)
+
+    all_versions = all_versions_template.render(pkg_versions=renders).strip()
+    with open(f"./nix/{pkg}_pkg_versions.nix", "w") as handle:
+        handle.write(all_versions)
+
+
+
+
+def main():
+    parser = argparse.ArgumentParser()
+    parser.add_argument("lib")
+    args = parser.parse_args()
+
+    match args.lib:
+        case "botan":
+            fetch_botan()
+        case "cryptopp":
+            fetch_cryptopp()
+        case "openssl":
+            fetch_openssl()
+
+
+if __name__ == '__main__':
+    main()

flake.nix

@@ -45,15 +45,25 @@
           '';
         });
         # FIXME: `nix develeop` now has different version than `nix run`
-        openssl = { version ? "", hash ? "" }: (pkgs.openssl.override { static = true; }).overrideAttrs (final: prev: rec {
+        opensslBuilder = { version ? null, hash ? null }: (pkgs.openssl.override { static = true; }).overrideAttrs (final: prev: rec {
           pname = "openssl";
-          src = if version != "" then pkgs.fetchurl {
+          src = if version != null then pkgs.fetchurl {
             url = "https://www.openssl.org/source/openssl-${version}.tar.gz";
             hash = hash;
           } else prev.src;
           # FIXME Removing patches might cause unwanted things; this should be version based!
           patches = [];
         });
+        botan2Builder = { version, source_extension, hash }: pkgs.botan2.overrideAttrs (final: prev: {
+          src = if ( version == null ) then prev.src else
+            pkgs.fetchurl {
+              urls = [
+                 "http://botan.randombit.net/releases/Botan-${version}.${source_extension}"
+              ];
+              inherit hash;
+            };
+        });
+
         libgcrypt = pkgs.libgcrypt.overrideAttrs (final: prev: {
           configureFlags = ( prev.configureFlags or [] ) ++ [ "--enable-static" ];
         });
@@ -96,7 +106,15 @@
         nettle = pkgs.nettle.overrideAttrs (final: prev: {
           configureFlags = ( prev.configureFlags or [] ) ++ [ "--enable-static" ];
         });
-        cryptopp = pkgs.cryptopp.override { enableStatic = true; };
+        cryptoppBuilder = { version, hash }: (pkgs.cryptopp.override { enableStatic = true; }).overrideAttrs (final: prev: {
+          src = if version == null then prev.src else
+            pkgs.fetchFromGitHub {
+              owner = "weidai11";
+              repo = "cryptopp";
+              rev = "CRYPTOPP_${version}";
+              inherit hash;
+          };
+        });
         libressl = (pkgs.libressl.override { buildShared = false; } ).overrideAttrs (_old: rec {
           patches = [
             (pkgs.fetchpatch {
@@ -135,10 +153,10 @@
 
         # Shims and libs
         # Current list of targets: tomcrypt botan cryptopp openssl boringssl gcrypt mbedtls ippcp nettle libressl
-        tomcryptShim = import ./nix/tomcryptshim.nix { inherit pkgs libtomcrypt libtommath; };
-        botanShim = import ./nix/botanshim.nix { inherit pkgs; };
-        cryptoppShim = import ./nix/cryptoppshim.nix { inherit pkgs cryptopp; };
-        opensslShimBuilder = { version, hash }: import ./nix/opensslshim.nix { inherit pkgs; openssl = (openssl { version = version; hash = hash;}); };
+        tomcryptShim = pkgs.callPackage ./nix/tomcryptshim.nix { inherit pkgs libtomcrypt libtommath; };
+        botanShimBuilder = { version, source_extension, hash }: pkgs.callPackage ./nix/botanshim.nix { botan2 = botan2Builder { inherit version source_extension hash; }; };
+        cryptoppShimBuilder = { version, hash}: pkgs.callPackage ./nix/cryptoppshim.nix { cryptopp = cryptoppBuilder { inherit version hash; };};
+        opensslShimBuilder = { version, hash }: import ./nix/opensslshim.nix { inherit pkgs; openssl = (opensslBuilder { version = version; hash = hash;}); };
         boringsslShim = import ./nix/boringsslshim.nix { inherit pkgs; boringssl = boringssl; };
         gcryptShim = import ./nix/gcryptshim.nix { inherit pkgs libgcrypt libgpg-error; };
         mbedtlsShim = import ./nix/mbedtlsshim.nix { pkgs = pkgs; };
@@ -148,9 +166,15 @@
 
         commonLibs = import ./nix/commonlibs.nix { pkgs = pkgs; };
 
-        buildECTesterStandalone = { opensslVersion, opensslHash }: (
+        buildECTesterStandalone = {
+          openssl ? { version = null; hash = null; },
+          botan ? { version = null; source_extension = null; hash = null; },
+          cryptopp ? { version = null; hash = null; },
+        }: (
           let
-            opensslShim = (opensslShimBuilder { version = opensslVersion; hash = opensslHash; });
+            opensslShim = (opensslShimBuilder { inherit (openssl) version hash; });
+            botanShim = botanShimBuilder { inherit (botan) version source_extension hash; };
+            cryptoppShim = cryptoppShimBuilder { inherit (cryptopp) version hash; };
           in
           with pkgs;
             gradle2nix.builders.${system}.buildGradlePackage rec {
@@ -201,20 +225,10 @@
       in
       {
         packages = rec {
-          default = openssl_331;
-          openssl_331 = buildECTesterStandalone {
-            opensslVersion="3.3.1"; opensslHash="sha256-d3zVlihMiDN1oqehG/XSeG/FQTJV76sgxQ1v/m0CC34=";
-          }; 
-          openssl_322 = buildECTesterStandalone {
-            opensslVersion="3.2.2"; opensslHash="sha256-GXFJwY2enyksQ/BACsq6EuX1LKz+BQ89GZJ36nOOwuc=";
-          }; 
-          openssl_316 = buildECTesterStandalone {
-            opensslVersion="3.1.6"; opensslHash="sha256-XSvkA2tHjvPLCoVMqbNTByw6DibYpW+PCrn7btMtONc=";
-          }; 
-          openssl_3014 = buildECTesterStandalone {
-            opensslVersion="3.0.14"; opensslHash="sha256-7soDXU3U6E/CWEbZUtpil0hK+gZQpvhMaC453zpBI8o=";
-          }; 
-          # openssl_111w = buildECTesterStandalone "1.1.1w" "sha256-zzCYlQy02FOtlcCEHx+cbT3BAtzPys1SHZOSUgi3asg=";
+          default = openssl.v331;
+          openssl = pkgs.callPackage ./nix/openssl_pkg_versions.nix { inherit buildECTesterStandalone; };
+          botan = pkgs.callPackage ./nix/botan_pkg_versions.nix { inherit buildECTesterStandalone; };
+          cryptopp = pkgs.callPackage ./nix/cryptopp_pkg_versions.nix { inherit buildECTesterStandalone; };
         };
         devShells.default = with pkgs; mkShell rec {
           nativeBuildInputs = [
@@ -235,7 +249,7 @@
             global-platform-pro
             gradle
             # libraries to test
-            (openssl {})
+            (opensslBuilder {})
             libressl
             # glibc
             boringssl
@@ -280,8 +294,7 @@
             libtomcrypt
             botan2
             cryptopp
-            # (openssl {})
-            (openssl {})
+            (opensslBuilder {})
             boringssl
             libgcrypt
             libgpg-error