build openssl for the musl sysroot

This will be used for Kubernetes clients written in Rust, since our
preferred rustls dependency cannot yet verify identity for subjects
that are IP addresses.

Signed-off-by: Ben Cressey <bcressey@amazon.com>

Dockerfile

@@ -12,8 +12,8 @@ RUN \
     dwarves elfutils-devel libcap-devel openssl-devel \
     createrepo_c e2fsprogs gdisk grub2-tools.$(uname -m) \
     kpartx lz4 veritysetup dosfstools mtools squashfs-tools \
-    perl-FindBin perl-open policycoreutils secilc qemu-img \
-    glib2-devel rpcgen && \
+    perl-FindBin perl-IPC-Cmd perl-open policycoreutils \
+    secilc qemu-img glib2-devel rpcgen && \
   dnf clean all && \
   useradd builder
 COPY ./sdk-fetch /usr/local/bin
@@ -282,6 +282,71 @@ RUN \
 
 # =^..^=   =^..^=   =^..^=   =^..^=   =^..^=   =^..^=   =^..^=   =^..^=   =^..^=
 
+FROM sdk-musl as sdk-musl-openssl
+USER builder
+
+ARG OPENSSLVER="3.0.0"
+
+WORKDIR /home/builder
+COPY ./hashes/openssl ./hashes
+RUN \
+  sdk-fetch hashes && \
+  rpm2cpio openssl-${OPENSSLVER}-*.src.rpm | cpio -idmv && \
+  tar xf openssl-${OPENSSLVER}-hobbled.tar.xz && \
+  mv openssl-${OPENSSLVER} openssl && \
+  for p in *.patch ; do \
+    echo "applying ${p}" ; \
+    patch -d openssl -p1 < "${p}" ; \
+  done && \
+  cp ec_curve.c openssl/crypto/ec
+
+ARG ARCH
+ARG TARGET="${ARCH}-bottlerocket-linux-musl"
+ARG SYSROOT="/${TARGET}/sys-root"
+ARG CFLAGS="-O2 -g -pipe -Wall -Werror=format-security -Wp,-D_FORTIFY_SOURCE=2 -Wp,-D_GLIBCXX_ASSERTIONS -fexceptions -fstack-clash-protection"
+ARG LDFLAGS="-Wl,-z,relro -Wl,-z,now"
+
+WORKDIR /home/builder/openssl
+RUN \
+  NO_FEATURES="" && \
+  for algorithm in \
+    aria bf blake2 camellia cast des dh dsa idea md4 \
+    mdc2 ocb rc2 rc4 rmd160 scrypt seed siphash siv \
+    sm2 sm3 sm4 whirlpool ; \
+  do \
+    NO_FEATURES+="no-${algorithm} " ; \
+  done && \
+  for feature in \
+    cmp cms deprecated dgram ec2m gost legacy padlockeng \
+    srp srtp ssl ssl-trace stdio tests ts ui-console \
+    dtls dtls1{,-method} dtls1_2{,-method} \
+    tls1{,-method} tls1_1{,-method} \
+    ; \
+  do \
+    NO_FEATURES+="no-${feature} " ; \
+  done && \
+  CC="gcc" \
+  CXX="g++" \
+  CROSS_COMPILE="${TARGET}-" \
+  ./Configure \
+    --prefix="${SYSROOT}/usr" \
+    --libdir="${SYSROOT}/usr/lib" \
+    --cross-compile-prefix="${TARGET}-" \
+    '-DDEVRANDOM="\"/dev/urandom\""' \
+    ${NO_FEATURES} \
+    enable-ec_nistp_64_gcc_128 \
+    "linux-${ARCH}" && \
+   perl configdata.pm --dump && \
+   make -j$(nproc)
+
+USER root
+WORKDIR /home/builder/openssl
+RUN make install_sw
+RUN \
+  install -p -m 0644 -Dt ${SYSROOT}/usr/share/licenses/openssl LICENSE.txt
+
+# =^..^=   =^..^=   =^..^=   =^..^=   =^..^=   =^..^=   =^..^=   =^..^=   =^..^=
+
 FROM sdk as sdk-libc
 
 ARG ARCH
@@ -580,11 +645,11 @@ WORKDIR /
 # "sdk" has our C/C++ toolchain and kernel headers for both targets.
 COPY --from=sdk / /
 
-# "sdk-musl" has a superset of the above, and includes C library and headers.
+# "sdk-musl-openssl" includes the musl C library and OpenSSL, plus headers.
 # We omit "sdk-gnu" because we expect to build glibc again for the target OS,
 # while we will use the musl artifacts directly to generate static binaries
 # such as migrations.
-COPY --chown=0:0 --from=sdk-musl ${MUSL_SYSROOT}/ ${MUSL_SYSROOT}/
+COPY --chown=0:0 --from=sdk-musl-openssl ${MUSL_SYSROOT}/ ${MUSL_SYSROOT}/
 
 # "sdk-rust" has our Rust toolchain with the required targets.
 COPY --chown=0:0 --from=sdk-rust /usr/libexec/rust/ /usr/libexec/rust/

hashes/openssl

@@ -0,0 +1,2 @@
+# https://dl.fedoraproject.org/pub/fedora/linux/development/rawhide/Everything/source/tree/Packages/o/openssl-3.0.0-1.fc36.src.rpm
+SHA512 (openssl-3.0.0-1.fc36.src.rpm) = f0aa28ee6c2810e595310221a610c58861ef75b2c2002f6f65f715b25927fb3359b8dd3b0da7ce1d4578bfe9990f42190b8f4e94ed009ac53220dc381417ddf8