- Nov 22, 2023
-
-
Vladimir Davydov authored
SVACE stopped working after commit 98b38e89 ("cmake: allow to bundle static dependencies in main project") changed the bundled libs directory layout. To fix this, let's introduce the new cmake option BUNDLED_LIBS_INSTALL_DIR and set it in static-build/CMakeLists.txt to the legacy location. Also, let's use the legacy directories for each external project's PREFIX, SOURCE_DIR, BINARY_DIR, and STAMP_DIR. Follow-up #9242 NO_DOC=build NO_TEST=build NO_CHANGELOG=build (cherry picked from commit 37b1c287)
-
- Nov 10, 2023
-
-
Vladimir Davydov authored
Instead of using ctest, let's simply run the CheckDependencies.cmake as a post build command if Tarantool was built without dependencies. The good thing about it is that the check will run even if the static build is created directly, without the /static-build/CMakeLists.txt wrapper. Part of #9242 NO_DOC=build NO_TEST=build NO_CHANGELOG=build (cherry picked from commit fa4939bd)
-
Vladimir Davydov authored
Currently, the BUILD_STATIC and BUILD_STATIC_WITH_BUNDLED_LIBS cmake options don't enable static linking of the OpenSSL library so we have to set OPENSSL_USE_STATIC_LIBS explicitly. Let's enable static linking of OpenSSL by default because we enable it anyway in all our official builds. NO_DOC=build NO_TEST=build NO_CHANGELOG=build (cherry picked from commit edadffd7)
-
Vladimir Davydov authored
The BUILD_STATIC cmake config option forces the build system to link Tarantool binary statically with its dependencies. It expects that all static libraries on which Tarantool binary depends are available at build time. We don't use this option directly to create static binaries because it would produce different results on different build systems. Instead, we use the separate cmake config located in the static-build directory, which fetches all Tarantool dependencies from a predefined location before building a static binary.

Having a separate cmake config is inconvenient. Let's enable bundling of static binary dependencies right in the main project cmake config, like we bundle, for example, libcurl. To achieve that, the new build option was introduced BUILD_STATIC_WITH_BUNDLED_LIBS. It implies BUILD_STATIC and also fetches and builds all required dependencies, like the static-build cmake config used to. The latter doesn't do it anymore; from now on, it just sets BUILD_STATIC_WITH_BUNDLED_LIBS when building Tarantool. We can't remove the static-build cmake config yet because there are quite a few CI workflows depending on it.

Note that, just like BUILD_STATIC, BUILD_STATIC_WITH_BUNDLED_LIBS doesn't imply OPENSSL_USE_STATIC_LIBS so the latter should be set explicitly if one wants to use the static openssl library. However, setting OPENSSL_USE_STATIC_LIBS with BUILD_STATIC_WITH_BUNDLED_LIBS will force the build system to use bundled static openssl library.

This patch is relatively straightforward. It just moves the external projects from /static-build/cmake/AddDependencyProjects.cmake to /cmake adding build dependencies where required and setting variables that are set by the corresponding /cmake/FindXXX.cmake configs. There are a few things that should be noted separately though:

  - We dropped the ZLIB_FOUND check from the main project cmake config. It was used for building EE but the latter is going to be broken anyway once this patch is committed. We'll fix it in following commits.
  - FindLibUnwind referenced zlib library by ZLIB::ZLIB. We don't set it for bundled zlib so let's use ZLIB_LIBRARIES instead.
  - We don't need to detect dependency cflags while building bundled libraries as we can reuse the flags set by the main project.
  - We don't use HARDENING_LDFLAGS because it makes no sense when building static libraries.

Closes #9242 NO_DOC=build NO_TEST=build NO_CHANGELOG=build (cherry picked from commit 98b38e89)
-
Vladimir Davydov authored
The tests are TAP compatible and applicable to all Tarantool builds so there's no need to run them with ctest. We just need to add a couple skip conditions: - The luarocks test shouldn't be run on dynamic builds because luarocks modules aren't embedded there. - The traceback test should be run only if ENABLE_BACKTRACE was set at build time. Part of #9242 NO_DOC=refactoring NO_TEST=refactoring NO_CHANGELOG=refactoring (cherry picked from commit 1eb98ef3)
-
- Sep 28, 2023
-
-
Pavel Balaev authored
luarocks version updated to version 3.9.2 Closes #6597 NO_DOC=The engine has been updated, the functionality has not changed NO_TEST=see NO_DOC (cherry picked from commit 1dc8cd81)
-
- Sep 22, 2023
-
-
Sergey Vorontsov authored
Download the readline and libiconv archives from the backup storage to avoid network issues with accessing https://ftp.gnu.org in the future. NO_DOC=build NO_TEST=build NO_CHANGELOG=build (cherry picked from commit e41c47a8)
-
- Aug 08, 2023
-
-
Sergey Vorontsov authored
NO_DOC=build NO_TEST=build NO_CHANGELOG=build (cherry picked from commit bb74d6c9)
-
- Jun 22, 2023
-
-
Ilya Verbin authored
The ability to support backtraces is checked in cmake/compiler.cmake, it makes no sense to duplicate the check in rpm/tarantool.spec. Also do not enable backtraces unconditionally in apk/APKBUILD and static-build. Part of #6998 NO_DOC=build NO_TEST=build NO_CHANGELOG=build (cherry picked from commit f7c4a34a)
-
- Apr 27, 2023
-
-
Vladimir Davydov authored
An autoconf-generated configure script doesn't enable compiler optimization flags if CFLAGS / CXXFLAGS options are set explicitly. We started setting CFLAGS / CXXFLAGS in commit e6abe1c9 ("cmake: add extra security compiler options"). As a result, users started experiencing performance degradation issues, like the one described in tarantool/tarantool-ee#440. Let's set -O2 in CFLAGS / CXXFLAGS explicitly to fix that. Closes #8606 Needed for tarantool/tarantool-ee#440 NO_DOC=build NO_TEST=build (cherry picked from commit 52f6ed4d)
-
- Mar 10, 2023
-
-
Andrey Saranchin authored
Method `getDangiCalZoneAstroCalc` is used to calculate an argument for base class constructor when it is not built yet. Fortunately, it does not use class fields - let's make it static to use it before class initialization legitimately. Closes tarantool/security#96 NO_TEST=no behaviour changes NO_CHANGELOG=no behaviour changes NO_DOC=no behaviour changes (cherry picked from commit 4305d397)
-
- Feb 17, 2023
-
-
Pavel Balaev authored
This patch fixes potential read of uninitialized variable in history_truncate_file() Fixed in upstream: https://git.savannah.gnu.org/cgit/readline.git/commit/?h=devel&id=b4ebdc06601fb54297435d2e286d901cba1cd6c6 Closes tarantool/security#95 NO_DOC=security NO_TEST=security NO_CHANGELOG=security
-
Pavel Balaev authored
n_ssl3_mac(): Fix possible divide by zero. Fixed in openssl3: https://github.com/openssl/openssl/commit/624efd2ba6f1dabdcdecf17c77bd206c421efdaf Closes tarantool/security#90 NO_DOC=security NO_TEST=security NO_CHANGELOG=security
-
- Feb 15, 2023
-
-
Nikita Zheleztsov authored
If `dynamic_cast` fails, then NULL is returned. Even though assertion is set, we cannot rely on it, as we don't use debug version of icu. Let's check if `rbnf` variable is not NULL explicitly. If it somehow turned out to be NULL, then memory allocation error will be thrown. Closes tarantool/security#61 NO_CHANGELOG=<security fix> NO_DOC=<security fix> NO_TEST=<third-party security fix>
-
Nikita Zheleztsov authored
According to the business logic and assertions `idx` and `data32` variables cannot be equal to NULL at the same time. However, we cannot rely on assertions. Let's check that explicitly. If this situation occurs somehow the function exits as we cannot recover from this situation: we don't have sources, from which values for enumeration can be taken. Moreover, continuing of the code execution in such situation may lead to accessing NULL if `c<limit`. Closes tarantool/security#59 NO_CHANGELOG=<security fix> NO_DOC=<security fix> NO_TEST=<third-party security fix>
-
- Feb 13, 2023
-
-
Georgiy Lebedev authored
`set_client_ciphersuite` can potentially dereference NULL if the session's cipher is not set — add a check for this condition. Closes tarantool/security#27 NO_CHANGELOG=<security fix> NO_DOC=<security fix> NO_TEST=<third-party security fix>
-
Vladimir Davydov authored
The problem is if cat fails, because a patch file doesn't exist PATCH_COMMAND written like this won't detect it, because the last command (patch) will complete successfully (apply existing patches found by cat):

```
cat XXX.patch YYY.patch | patch -p1
```

The proper way is to use PATCH_COMMAND continuation:

```
PATCH_COMMAND patch -p1 -i XXX.patch
COMMAND patch -p1 -i YYY.patch
```

NO_DOC=build NO_TEST=build NO_CHANGELOG=build
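The failure mode this commit message describes, reproduced as an added shell example (not part of the commit or of Tarantool's build scripts). The function names, `a.txt`, `first.patch` and `missing.patch` are constructed for the demonstration, and `patch` is assumed to be installed.

```shell
#!/bin/sh
# Added example: all files below are constructed, not Tarantool's real patches.
# Assumes the `patch` utility is installed.

# Create a scratch tree with src/a.txt and one valid patch. missing.patch is
# deliberately never created. Prints the scratch directory path.
make_fixture() {
    w=$(mktemp -d) || return 1
    mkdir "$w/src"
    printf 'one\n' > "$w/src/a.txt"
    printf '%s\n' '--- a/a.txt' '+++ b/a.txt' '@@ -1 +1 @@' '-one' '+two' \
        > "$w/first.patch"
    printf '%s\n' "$w"
}

# Piped form from the commit message. It runs in a fresh `sh -c`, so the
# status returned is that of the last pipeline stage (patch); the failure
# of cat on the missing file is lost.
apply_piped() {
    dir=$1; shift
    sh -c 'd=$1; shift; cat "$@" 2>/dev/null | patch -p1 -s -d "$d"' \
        sh "$dir" "$@"
}

# One patch invocation per file, like PATCH_COMMAND ... COMMAND ...:
# the first step that fails stops the sequence with a non-zero status.
apply_each() {
    dir=$1; shift
    for p in "$@"; do
        patch -p1 -s -d "$dir" -i "$p" 2>/dev/null || return 1
    done
}

demo() {
    a=$(make_fixture); b=$(make_fixture)
    s=0; apply_piped "$a/src" "$a/missing.patch" "$a/first.patch" || s=$?
    echo "piped:    status=$s a.txt=$(cat "$a/src/a.txt")"
    s=0; apply_each "$b/src" "$b/missing.patch" "$b/first.patch" || s=$?
    echo "per-file: status=$s a.txt=$(cat "$b/src/a.txt")"
    rm -rf "$a" "$b"
}
demo
```

The piped form reports success with only part of the patch set applied, which is how a bundled dependency can end up built without one of its fixes; the per-file form fails the step instead.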
-
- Feb 10, 2023
-
-
Pavel Balaev authored
tls_construct_ctos_session_ticket() has a potential NULL pointer dereference. Closes tarantool/security#54 NO_DOC=security NO_TEST=security NO_CHANGELOG=security
-
psergee authored
Added bounds check after conversion of a string key to int to avoid potential out-of-bounds access. Closes tarantool/security#45 NO_TEST=trivial NO_CHANGELOG=internal NO_DOC=internal
-
Vladimir Davydov authored
We're going to add a whole bunch of them. Putting them all in a sub-directory will help keeping the file tree organized. Note, we have to update .gitignore so that the patches/ sub-directory is ignored only at the top level (it's used by quilt). NO_DOC=build NO_TEST=build NO_CHANGELOG=build
-
- Feb 02, 2023
-
-
Georgiy Lebedev authored
The `tarantool_version` symbol identifies the binary as Tarantool (see also https://github.com/tarantool/tarantool/blob/f991f7c0be73558f0710f0af871d07e8bd506efe/tools/tarabrt.sh#L179-L180 ). It is not exported and thus can be optimized away by LTO — add it to the exports list. Closes #8129 Acked-by: Aleksandr Lyapunov <alyapunov@tarantool.org> NO_CHANGELOG=<internal change> NO_DOC=<internal change> NO_TEST=<no convenient way to test devtools>
-
- Jan 30, 2023
-
-
Andrey Saranchin authored
Recently, ffi select was broken on M1 in commit ec1a71ff ("box: introduce pagination to memtx_tree and tuple position methods"). It turned out that ffi on M1 poorly supports a big quantity of arguments. Fortunately, there is a workaround - we can pass only 64-bit integer arguments beyond the 8th argument. Let's do it. Closes #7946 NO_TEST=reflected in existing tests NO_CHANGELOG=bugfix for unreleased feature NO_DOC=bugfix
-
- Jan 18, 2023
-
-
Vladimir Davydov authored
ICU symbol renaming was disabled in EE build by commit https://github.com/tarantool/tarantool-ee/commit/f51346d682e3afd93592023d0dedfb1e45167c7a ("static-build: disable symbols renaming for libicu"), because EE build exports ICU symbols so that they can be used by Lua modules. It isn't necessary in CE build, but since we're planning to reuse the CE cmake config in the EE repository, we should do that. Needed for https://github.com/tarantool/tarantool-ee/issues/185 NO_DOC=no functional changes NO_TEST=no functional changes NO_CHANGELOG=no functional changes
-
Vladimir Davydov authored
Split it so that it can be reused in the EE repository:

  - static-build/cmake/AddDependencyProjects.cmake
    Adds the external projects that are required to build tarantool. The project names are stored in the TARANTOOL_DEPENDS variable.
  - static-build/cmake/AddTarantoolProject.cmake
    Should be called after AddDependencyProjects.cmake, because it uses the TARANTOOL_DEPENDS variable. Adds the Tarantool external project and sets the TARANTOOL_BINARY to the path to the built tarantool binary.
  - static-build/cmake/AddTests.cmake
    Should be called after AddTarantoolProject.cmake, because it uses the TARANTOOL_BINARY variable. Adds cmake tests for the static binary.

Now, static-build/CMakeLists.txt just includes the three helper files. The helper files are designed in such a way that they can be included from the EE repository's CMakeLists.txt. We split the original config into the three helper files, because in the EE repository, we need to add extra dependency projects and extra tests.

While we are at it, we also move the cmake tests from static-build/test/static-build to static-build/test and static-build/test/CheckDependencies.cmake to static-build/cmake/CheckDependencies.cmake.

This commit introduces no functional changes - it just moves the code.

Needed for https://github.com/tarantool/tarantool-ee/issues/185 NO_DOC=refactoring NO_TEST=refactoring NO_CHANGELOG=refactoring
-
- Dec 12, 2022
-
-
Vladimir Davydov authored
Since commit f6ea7180 ("Try to load several variants of libssl.") the digest module uses an internal version of SHA1. Back then, we didn't link the OpenSSL library. Instead, we tried to load it dynamically. Since on some distributions the library could be missing, it was decided to implement an internal version of SHA1, see #405. However, since commit 59a55740 ("Link against libssl and libcrypto. Issue #1382") we link the OpenSSL library unconditionally so there's no need in having an internal implementation of SHA1. Let's drop it and switch the digest module to the version of SHA1 implemented by the crypto module using OpenSSL. Part of #7987 NO_DOC=code cleanup NO_TEST=code cleanup NO_CHANGELOG=code cleanup
-
- Nov 07, 2022
-
-
Georgiy Lebedev authored
The `-Wa,--debug-prefix-map` compiler flag breaks GNU-based LTO, and also we cannot reliably test this feature. Follow-up 256da010 NO_CHANGELOG=bugfix NO_DOC=bugfix NO_TEST=bugfix
-
- Nov 01, 2022
-
-
Nikolay Shirokovskiy authored
`dlsym` is known to be buggy in FreeBSD. See #7640. NO_DOC=internal NO_CHANGELOG=internal
-
Nikolay Shirokovskiy authored
See [1] for some details on why the code for log configuration needs some care. In short log config validity checks are spread thru many places, on some code paths we use some checks and on other code paths other checks. And we make repetitive validity checks many times in runtime on single configure call. We can also reuse code for setting default values, checking options type and resetting values to default.

  - As a side effect of refactoring one can now reset values to default thru `log.cfg()` so now `log.cfg()` is on par with `box.cfg` in this respect.
  - This patch also drops conversion `log_level` from string to number. Before (shorten):

    ```
    tarantool> box.cfg{log_level='warn'}
    tarantool> box.cfg.log_level
    - info
    tarantool> log.cfg.level
    - 5
    ```

    Also:

    ```
    tarantool> log.cfg{level='info'}
    tarantool> log.cfg.level
    - 5
    tarantool> box.cfg{}
    tarantool> box.cfg.log_level
    - 5
    ```

    After patch if `log_level`/`level` is given as string then it is saved and returned as string too. I guess it should not affect users but looks more handy.
  - Also fixed issue with inconsistent setting `log_nonblock` thru `box.cfg()` and `log.cfg()`. In former case `nil` means setting default depending on logger type. In the latter case `nil` meant setting `nonblock` to `false`.
  - Also patch fixes #7447.

Closes #7447.

[1] PR for this refactoring https://github.com/tarantool/tarantool/pull/7454

NO_DOC=refactoring/tiny API improvement
-
- Oct 21, 2022
-
-
Georgiy Lebedev authored
Since our diagnostics use the `__FILE__` macro, they provide absolute paths, which is kind of redundant and inconsistent: replace them with relative ones. As for debugging information, replacing absolute paths with relative ones also requires an extra command to tell the debugger where to find the source files, which is not convenient for developers: provide a new `DEV_BUILD` option (turned off by default), which replaces absolute paths with relative ones in debugging information if turned off. Strip the prefix map flags from compiler flags exported to tarantool via `src/trivia/config.h`. Closes #7808 NO_DOC=<verbosity> NO_TEST=<verbosity>
-
Georgiy Lebedev authored
Setting hardening compiler flags is used in three places: default build, static build and enterprise build — refactor it into a separate module. Follow-up e6abe1c9 NO_CHANGELOG=refactoring NO_DOC=refactoring NO_TEST=refactoring
-
- Sep 15, 2022
-
-
Ilya Verbin authored
Introduce cmake option ENABLE_HARDENING, which is TRUE by default for non-debug regular and static builds, excluding AArch64 and FreeBSD. It passes compiler flags that harden Tarantool (including the bundled libraries) against memory corruption attacks. The following flags are passed:

* -Wformat - Check calls to printf and scanf, etc., to make sure that the arguments supplied have types appropriate to the format string specified.
* -Wformat-security -Werror=format-security - Warn about uses of format functions that represent possible security problems. And make the warning into an error.
* -fstack-protector-strong - Emit extra code to check for buffer overflows, such as stack smashing attacks.
* -fPIC -pie - Generate position-independent code (PIC). It allows taking advantage of the Address Space Layout Randomization (ASLR).
* -z relro -z now - Resolve all dynamically linked functions at the beginning of the execution, and then make the GOT read-only.

Also do not disable hardening for Debian and RPM-based Linux distros.

Closes #5372 Closes #7536 NO_DOC=build NO_TEST=build
-
- Aug 16, 2022
-
-
Ilya Verbin authored
Currently `make` in `static-build` doesn't rebuild Tarantool when source files are changed. Fix this by setting BUILD_ALWAYS option, which forces rescan for changes of the external project [1]:

> This option is not normally needed unless developers are expected to
> modify something the external project's build depends on in a way that
> is not detectable via the step target dependencies (e.g. SOURCE_DIR is
> used without a download method and developers might modify the sources
> in SOURCE_DIR).

It is available since CMake 3.1, so update cmake_minimum_required, as we already require it (fa8d70ca).

[1] https://cmake.org/cmake/help/latest/module/ExternalProject.html

Part of #7536 NO_DOC=build NO_TEST=build NO_CHANGELOG=minor
-
- Aug 03, 2022
-
-
Serge Petrenko authored
Commit ed16c1e5 ("build: fix bundled libcurl and c-ares build on OS X") fixed building libcurl with ares by adding a dependency on libresolv for Mac OS X. It was forgotten to add libresolv to check-dependencies exceptions for static build. Do this now. NO_DOC=CI stuff NO_TEST=CI stuff NO_CHANGELOG=CI stuff
-
Vladimir Davydov authored
NO_DOC=build NO_TEST=build
-
Alexander Turenko authored
The static build for Linux leans on glibc provided iconv functions. On Mac OS it links GNU libiconv statically. This patch updates the libiconv version from 1.16 (released in 2019) to 1.17 (released in 2022). It is just regular maintenance update. No behaviour changes are expected. The libiconv 1.17 changelog (see the NEWS file in the archive) does not mention anything that may have influence on behavior of tarantool's iconv built-in module. NO_DOC=no user-visible changes NO_TEST=no user-visible changes NO_CHANGELOG=no user-visible changes
-
- Aug 02, 2022
-
-
Alexander Turenko authored
Without `-isysroot <SDK_PATH>` the build fails:

```
/Library/Developer/CommandLineTools/usr/bin/make[4]: Making `all' in \
    `makeconv'
/Library/Developer/CommandLineTools/usr/bin/c++ -O2 -W -Wall -pedantic \
    -Wpointer-arith -Wwrite-strings -Wno-long-long -std=c++11 \
    -Wno-ambiguous-reversed-operator -o ../../bin/makeconv \
    gencnvex.o genmbcs.o makeconv.o ucnvstat.o -L../../lib -licutu \
    -L../../lib -licui18n -L../../lib -licuuc -L../../stubdata \
    -licudata -lpthread -lm
ld: library not found for -lpthread
clang: error: linker command failed with exit code 1 (use -v to see \
    invocation)
```

ICU is written in C++, so we should pass `CXXFLAGS`, not only `CFLAGS`.

Note: `CPPFLAGS` stands for C preprocessor flags, not C++ flags.

Fixes #7459 NO_DOC=it fixes a build failure for one of build types, nothing to document NO_TEST=it will be tested in a next commit by enabling corresponding GitHub Action workflow
-
Sergey Bronnikov authored
Just regular update to bring readline security fixes into tarantool. Added a patch to fix file descriptor leak with zero-length history file. Source of patch: https://ftp.gnu.org/gnu/readline/readline-8.0-patches/ Announcement: https://lists.gnu.org/archive/html/bug-readline/2019-08/msg00004.html NO_TEST=security update of a dependency NO_DOC=security update of a dependency
-
Sergey Bronnikov authored
Just regular update to bring ncurses security fixes into tarantool. New version brings a number of functional and security fixes:

  - ncurses 6.3 before patch 20220416 has an out-of-bounds read and segmentation violation in convert_strings in tinfo/read_entry.c in the terminfo library (CVE-2022-29458).
  - ncurses through v6.2-1. _nc_captoinfo in captoinfo.c has a heap-based buffer overflow (CVE-2021-39537).

CVE-2022-29458 Detail: https://nvd.nist.gov/vuln/detail/CVE-2022-29458
CVE-2021-39537 Detail: https://nvd.nist.gov/vuln/detail/CVE-2021-39537
Release announcement: https://lists.gnu.org/archive/html/bug-ncurses/2022-07/msg00008.html

NOTE: Build system uses a link to tarball on a local storage instead of official mirror [1].

1. https://invisible-mirror.net/archives/ncurses/current/

NO_TEST=security update of a dependency NO_DOC=security update of a dependency
-
- Jul 15, 2022
-
-
Alexander Turenko authored
Just regular update to bring openssl security fixes into tarantool. Added a patch for Mac OS to fix a build failure, see https://github.com/openssl/openssl/issues/18720. Changelog: https://www.openssl.org/news/cl111.txt Vulnerabilities: https://www.openssl.org/news/vulnerabilities.html NO_TEST=security update of a dependency NO_DOC=security update of a dependency
-
- Apr 14, 2022
-
-
Alexander Turenko authored
Just regular update to bring openssl security fixes into tarantool. Fixes #6947 NO_TEST=security update of a dependency NO_DOC=security update of a dependency
-