From ded0fb44b17024c2b5e8a1f4cd088dbfffaf58fc Mon Sep 17 00:00:00 2001
From: Ted Poole
Date: Thu, 6 Nov 2025 09:18:46 +0000
Subject: [PATCH] Convert bssl-compat build from cmake to bazel

Signed-off-by: Ted Poole
---
 WORKSPACE | 6 +
 bazel/BUILD | 6 +-
 bazel/external/llvm.BUILD | 20 +
 bazel/repositories.bzl | 4 +-
 bssl-compat/BUILD | 930 ++++++++++++++++++++++++-
 bssl-compat/CMakeLists.txt | 801 ---------------------
 bssl-compat/WORKSPACE | 1 +
 bssl-compat/bazel/rules.bzl | 175 +++++
 bssl-compat/cmake/boringssl.cmake | 74 --
 bssl-compat/cmake/openssl.cmake | 9 -
 bssl-compat/filter_out_shared_libs.bzl | 58 --
 bssl-compat/prefixer/BUILD | 11 +
 bssl-compat/prefixer/CMakeLists.txt | 20 -
 bssl-compat/prefixer/prefixer.cpp | 17 +-
 bssl-compat/source/SHA256.cc | 37 -
 bssl-compat/tools/BUILD | 6 +
 bssl-compat/tools/do-asan.sh | 10 -
 bssl-compat/tools/do-clang-tidy.sh | 11 -
 bssl-compat/tools/do-msan.sh | 10 -
 bssl-compat/tools/do-tsan.sh | 10 -
 bssl-compat/tools/generate.c.sh | 3 +-
 bssl-compat/tools/generate.h.sh | 73 --
 openssl/bazelrc | 5 -
 23 files changed, 1133 insertions(+), 1164 deletions(-)
 create mode 100644 bazel/external/llvm.BUILD
 delete mode 100644 bssl-compat/CMakeLists.txt
 create mode 100644 bssl-compat/WORKSPACE
 create mode 100644 bssl-compat/bazel/rules.bzl
 delete mode 100644 bssl-compat/cmake/boringssl.cmake
 delete mode 100644 bssl-compat/cmake/openssl.cmake
 delete mode 100644 bssl-compat/filter_out_shared_libs.bzl
 create mode 100644 bssl-compat/prefixer/BUILD
 delete mode 100644 bssl-compat/prefixer/CMakeLists.txt
 delete mode 100644 bssl-compat/source/SHA256.cc
 create mode 100644 bssl-compat/tools/BUILD
 delete mode 100755 bssl-compat/tools/do-asan.sh
 delete mode 100755 bssl-compat/tools/do-clang-tidy.sh
 delete mode 100755 bssl-compat/tools/do-msan.sh
 delete mode 100755 bssl-compat/tools/do-tsan.sh
 delete mode 100755 bssl-compat/tools/generate.h.sh
diff --git a/WORKSPACE b/WORKSPACE
index 5ba82ccdeec..f3e9f2b23ba 100644
--- a/WORKSPACE
+++ b/WORKSPACE
@@ -5,6 +5,12 @@ local_repository(
 path = "bssl-compat",
 )
 
+new_local_repository(
+ name = "llvm",
+ path = "/opt/llvm",
+ build_file = "//bazel/external:llvm.BUILD",
+)
+
 load("//bazel:api_binding.bzl", "envoy_api_binding")
 
 envoy_api_binding()
diff --git a/bazel/BUILD b/bazel/BUILD
index 529fe84d9d3..20da861b0cd 100644
--- a/bazel/BUILD
+++ b/bazel/BUILD
@@ -572,12 +572,12 @@ config_setting(
 # Alias pointing to the selected version of BoringSSL:
 alias(
 name = "boringssl",
- actual = "@envoy//bssl-compat:ssl"
+ actual = "@bssl-compat//:ssl"
 )
-
+
 alias(
 name = "boringcrypto",
- actual = "@envoy//bssl-compat:crypto"
+ actual = "@bssl-compat//:crypto"
 )
 
 config_setting(
diff --git a/bazel/external/llvm.BUILD b/bazel/external/llvm.BUILD
new file mode 100644
index 00000000000..490c4717022
--- /dev/null
+++ b/bazel/external/llvm.BUILD
@@ -0,0 +1,20 @@
+load("@rules_cc//cc:defs.bzl", "cc_library")
+
+licenses(["notice"]) # Apache 2
+
+# libclang-cpp from llvm, used by the bssl-compat prefixer tool.
+cc_library(
+ name = "libclang-cpp",
+ srcs = glob(["lib/libclang-cpp.*"]),
+ hdrs = glob(["include/**/*"]),
+ includes = ["include"],
+ linkopts = ["-lstdc++"],
+ visibility = ["//visibility:public"],
+)
+
+# The clang compiler built-in headers (stdef.h, limits.h etc)
+filegroup(
+ name = "clang-headers",
+ srcs = glob(["lib/clang/*/include/**/*.h"]),
+ visibility = ["//visibility:public"],
+)
\ No newline at end of file
diff --git a/bazel/repositories.bzl b/bazel/repositories.bzl
index 6284c4bba19..ff099efc42f 100644
--- a/bazel/repositories.bzl
+++ b/bazel/repositories.bzl
@@ -140,11 +140,11 @@ def envoy_dependencies(skip_targets = []):
 # Binding to an alias pointing to the bssl-compat layer
 native.bind(
 name = "ssl",
- actual = "@envoy//bssl-compat:ssl",
+ actual = "@bssl-compat//:ssl",
 )
 native.bind(
 name = "crypto",
- actual = "@envoy//bssl-compat:crypto",
+ actual = "@bssl-compat//:crypto",
 )
 
 # The long repo names (`com_github_fmtlib_fmt` instead of `fmtlib`) are
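Review bot: `path = "/opt/llvm"` in the new `new_local_repository` rule (WORKSPACE) ties the build to whatever LLVM install sits at that absolute path on the build host, with no version or checksum pinned. According to the comment in bazel/external/llvm.BUILD this repository supplies libclang-cpp to the prefixer tool, and the `ossl_generated` genrule in bssl-compat/BUILD takes its Clang headers from it, so the generated OpenSSL forwarding code can differ between hosts without any change appearing in review. Prefer fetching LLVM through `http_archive` with a `sha256`; if the local path has to stay, document it above the rule, e.g. `# Non-hermetic: expects LLVM <REQUIRED_VERSION> at /opt/llvm (installed by the build image).`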
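Review bot: In bazel/external/llvm.BUILD the three `glob()` calls can match nothing when /opt/llvm is missing or laid out differently (whether that is an error depends on the Bazel version's default), and `lib/clang/*/include/**/*.h` matches every Clang version present under `lib/clang`, so the `ossl_generated` genrule ends up using whichever `stddef.h` it encounters first. Passing `allow_empty = False` to each `glob()` would turn a missing install into a load-time failure, and a comment stating that exactly one Clang version is expected under `lib/clang` would make the assumption visible. The comment's `stdef.h` should read `stddef.h`, and the file has no trailing newline.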
diff --git a/bssl-compat/BUILD b/bssl-compat/BUILD
index 9272e32f184..29635a9ec26 100644
--- a/bssl-compat/BUILD
+++ b/bssl-compat/BUILD
@@ -1,53 +1,917 @@ -load("@rules_foreign_cc//foreign_cc:defs.bzl", "cmake") -load(":filter_out_shared_libs.bzl", "filter_out_shared_libs") - -filegroup( - name = "srcs", - srcs = glob(["**"]), -) +load("@rules_cc//cc:defs.bzl", "cc_library", "cc_test") +load("//:bazel/rules.bzl", "bssl_headers", "bssl_sources", "bssl_mappings") licenses(["notice"]) # Apache 2 -cmake( - name = "bssl-compat-build", - lib_source = ":srcs", - out_shared_libs = [], - out_static_libs = ["libbssl-compat.a"], +# This genrule runs the prefixer tool to process OpenSSL headers. +# It generates: +# - source/ossl.c: Forwarding functions that call OpenSSL via dlopen/dlsym +# - include/ossl.h: Header declaring the ossl struct with function pointers +# - include/ossl/openssl/*.h: Prefixed OpenSSL headers with ossl_ prefix +genrule( + name = "ossl_generated", + srcs = [ + "@openssl//:openssl", + "@llvm//:clang-headers", + ], + outs = [ + "source/ossl.c", + "include/ossl.h", + "include/ossl/openssl/aes.h", + "include/ossl/openssl/asn1.h", + "include/ossl/openssl/asn1err.h", + "include/ossl/openssl/asn1t.h", + "include/ossl/openssl/async.h", + "include/ossl/openssl/asyncerr.h", + "include/ossl/openssl/bio.h", + "include/ossl/openssl/bioerr.h", + "include/ossl/openssl/blowfish.h", + "include/ossl/openssl/bn.h", + "include/ossl/openssl/bnerr.h", + "include/ossl/openssl/buffer.h", + "include/ossl/openssl/buffererr.h", + "include/ossl/openssl/camellia.h", + "include/ossl/openssl/cast.h", + "include/ossl/openssl/cmac.h", + "include/ossl/openssl/cmp.h", + "include/ossl/openssl/cmp_util.h", + "include/ossl/openssl/cmperr.h", + "include/ossl/openssl/cms.h", + "include/ossl/openssl/cmserr.h", + "include/ossl/openssl/comp.h", + "include/ossl/openssl/comperr.h", + "include/ossl/openssl/conf.h", + "include/ossl/openssl/conf_api.h", + "include/ossl/openssl/conferr.h", + "include/ossl/openssl/configuration.h", + "include/ossl/openssl/conftypes.h", + "include/ossl/openssl/core.h", + 
"include/ossl/openssl/core_dispatch.h", + "include/ossl/openssl/core_names.h", + "include/ossl/openssl/core_object.h", + "include/ossl/openssl/crmf.h", + "include/ossl/openssl/crmferr.h", + "include/ossl/openssl/crypto.h", + "include/ossl/openssl/cryptoerr.h", + "include/ossl/openssl/cryptoerr_legacy.h", + "include/ossl/openssl/ct.h", + "include/ossl/openssl/cterr.h", + "include/ossl/openssl/decoder.h", + "include/ossl/openssl/decodererr.h", + "include/ossl/openssl/des.h", + "include/ossl/openssl/dh.h", + "include/ossl/openssl/dherr.h", + "include/ossl/openssl/dsa.h", + "include/ossl/openssl/dsaerr.h", + "include/ossl/openssl/dtls1.h", + "include/ossl/openssl/e_os2.h", + "include/ossl/openssl/ebcdic.h", + "include/ossl/openssl/ec.h", + "include/ossl/openssl/ecdh.h", + "include/ossl/openssl/ecdsa.h", + "include/ossl/openssl/ecerr.h", + "include/ossl/openssl/encoder.h", + "include/ossl/openssl/encodererr.h", + "include/ossl/openssl/engine.h", + "include/ossl/openssl/engineerr.h", + "include/ossl/openssl/err.h", + "include/ossl/openssl/ess.h", + "include/ossl/openssl/esserr.h", + "include/ossl/openssl/evp.h", + "include/ossl/openssl/evperr.h", + "include/ossl/openssl/fips_names.h", + "include/ossl/openssl/fipskey.h", + "include/ossl/openssl/hmac.h", + "include/ossl/openssl/http.h", + "include/ossl/openssl/httperr.h", + "include/ossl/openssl/idea.h", + "include/ossl/openssl/kdf.h", + "include/ossl/openssl/kdferr.h", + "include/ossl/openssl/lhash.h", + "include/ossl/openssl/macros.h", + "include/ossl/openssl/md2.h", + "include/ossl/openssl/md4.h", + "include/ossl/openssl/md5.h", + "include/ossl/openssl/mdc2.h", + "include/ossl/openssl/modes.h", + "include/ossl/openssl/obj_mac.h", + "include/ossl/openssl/objects.h", + "include/ossl/openssl/objectserr.h", + "include/ossl/openssl/ocsp.h", + "include/ossl/openssl/ocsperr.h", + "include/ossl/openssl/opensslconf.h", + "include/ossl/openssl/opensslv.h", + "include/ossl/openssl/ossl_typ.h", + 
"include/ossl/openssl/param_build.h", + "include/ossl/openssl/params.h", + "include/ossl/openssl/pem.h", + "include/ossl/openssl/pem2.h", + "include/ossl/openssl/pemerr.h", + "include/ossl/openssl/pkcs12.h", + "include/ossl/openssl/pkcs12err.h", + "include/ossl/openssl/pkcs7.h", + "include/ossl/openssl/pkcs7err.h", + "include/ossl/openssl/prov_ssl.h", + "include/ossl/openssl/proverr.h", + "include/ossl/openssl/provider.h", + "include/ossl/openssl/rand.h", + "include/ossl/openssl/randerr.h", + "include/ossl/openssl/rc2.h", + "include/ossl/openssl/rc4.h", + "include/ossl/openssl/rc5.h", + "include/ossl/openssl/ripemd.h", + "include/ossl/openssl/rsa.h", + "include/ossl/openssl/rsaerr.h", + "include/ossl/openssl/safestack.h", + "include/ossl/openssl/seed.h", + "include/ossl/openssl/self_test.h", + "include/ossl/openssl/sha.h", + "include/ossl/openssl/srp.h", + "include/ossl/openssl/srtp.h", + "include/ossl/openssl/ssl.h", + "include/ossl/openssl/ssl2.h", + "include/ossl/openssl/ssl3.h", + "include/ossl/openssl/sslerr.h", + "include/ossl/openssl/sslerr_legacy.h", + "include/ossl/openssl/stack.h", + "include/ossl/openssl/store.h", + "include/ossl/openssl/storeerr.h", + "include/ossl/openssl/symhacks.h", + "include/ossl/openssl/tls1.h", + "include/ossl/openssl/trace.h", + "include/ossl/openssl/ts.h", + "include/ossl/openssl/tserr.h", + "include/ossl/openssl/txt_db.h", + "include/ossl/openssl/types.h", + "include/ossl/openssl/ui.h", + "include/ossl/openssl/uierr.h", + "include/ossl/openssl/whrlpool.h", + "include/ossl/openssl/x509.h", + "include/ossl/openssl/x509_vfy.h", + "include/ossl/openssl/x509err.h", + "include/ossl/openssl/x509v3.h", + "include/ossl/openssl/x509v3err.h", + ], + cmd = """ + # The @openssl//:openssl target provides the include + # directory for the OpenSSL headers to be prefixed. 
+ OPENSSL_INCLUDE_DIR="" + for f in $(locations @openssl//:openssl); do + if [[ "$$f" == */include ]]; then + OPENSSL_INCLUDE_DIR="$$(cd "$$f" && pwd)" + break + fi + done + + # The @llvm//:clang-headers target provides the include + # directory for the Clang compiler headers that are + # required to satisfy #includes in the OpenSSL headers. + CLANG_INCLUDE_DIR="" + for f in $(locations @llvm//:clang-headers); do + if [[ "$$f" == */stddef.h ]]; then + CLANG_INCLUDE_DIR="$$(cd "$$(dirname "$$f")" && pwd)" + break + fi + done + + # Run the prefixer with absolute source path and relative output path + $(location //prefixer:prefixer) \ + --src-path "$$OPENSSL_INCLUDE_DIR" \ + --src-incl "openssl/*.h" \ + --src-skip "openssl/asn1_mac.h" \ + --src-skip "openssl/opensslconf-*.h" \ + --include "$$CLANG_INCLUDE_DIR" \ + --output $(RULEDIR) \ + --prefix ossl 2>&1 + """, + tools = [ + "//prefixer:prefixer", + ], visibility = ["//visibility:private"], - generate_crosstool_file = False, - out_binaries = ["utests-bssl-compat"], - build_args = [ "-j" ], - deps = ["@openssl//:openssl"], - cache_entries = {"OPENSSL_ROOT_DIR": "$$EXT_BUILD_DEPS/openssl"}, - # Add the OpenSSL shared libraries as a *data* dependency, so they get - # propagated to dependant targets, and made available in their runfiles - # directory when they run, so libbssl-compat.a can dlopen() them. - data = ["@openssl//:libs"], ) -filegroup( - name = "utests-bssl-compat", - srcs = [":bssl-compat-build"], - output_group = "utests-bssl-compat", - visibility = ["//visibility:public"], -) +# Create rules for processing all BoringSSL headers. +# This creates one genrule per header file, which copies that header from +# BoringSSL, applying any necessary patches. This also creates a filegroup +# called :bssl_processed_headers which contains all the processed headers. 
+bssl_headers([ + "include/openssl/aead.h", + "include/openssl/aes.h", + "include/openssl/arm_arch.h", + "include/openssl/asm_base.h", + "include/openssl/asn1.h", + "include/openssl/asn1_mac.h", + "include/openssl/asn1t.h", + "include/openssl/base.h", + "include/openssl/base64.h", + "include/openssl/bcm_public.h", + "include/openssl/bio.h", + "include/openssl/blake2.h", + "include/openssl/blowfish.h", + "include/openssl/bn.h", + "include/openssl/buf.h", + "include/openssl/buffer.h", + "include/openssl/bytestring.h", + "include/openssl/cast.h", + "include/openssl/chacha.h", + "include/openssl/cipher.h", + "include/openssl/cmac.h", + "include/openssl/conf.h", + "include/openssl/cpu.h", + "include/openssl/crypto.h", + "include/openssl/curve25519.h", + "include/openssl/des.h", + "include/openssl/dh.h", + "include/openssl/digest.h", + "include/openssl/dsa.h", + "include/openssl/dtls1.h", + "include/openssl/e_os2.h", + "include/openssl/ec.h", + "include/openssl/ec_key.h", + "include/openssl/ecdh.h", + "include/openssl/ecdsa.h", + "include/openssl/engine.h", + "include/openssl/err.h", + "include/openssl/evp.h", + "include/openssl/evp_errors.h", + "include/openssl/ex_data.h", + "include/openssl/experimental/kyber.h", + "include/openssl/hkdf.h", + "include/openssl/hmac.h", + "include/openssl/hpke.h", + "include/openssl/hrss.h", + "include/openssl/is_boringssl.h", + "include/openssl/kdf.h", + "include/openssl/lhash.h", + "include/openssl/md4.h", + "include/openssl/md5.h", + "include/openssl/mem.h", + "include/openssl/mlkem.h", + "include/openssl/nid.h", + "include/openssl/obj.h", + "include/openssl/obj_mac.h", + "include/openssl/objects.h", + "include/openssl/opensslconf.h", + "include/openssl/opensslv.h", + "include/openssl/ossl_typ.h", + "include/openssl/pem.h", + "include/openssl/pkcs12.h", + "include/openssl/pkcs7.h", + "include/openssl/pkcs8.h", + "include/openssl/pki/certificate.h", + "include/openssl/pki/signature_verify_cache.h", + "include/openssl/pki/verify.h", + 
"include/openssl/pki/verify_error.h", + "include/openssl/poly1305.h", + "include/openssl/pool.h", + "include/openssl/posix_time.h", + "include/openssl/rand.h", + "include/openssl/rc4.h", + "include/openssl/ripemd.h", + "include/openssl/rsa.h", + "include/openssl/safestack.h", + "include/openssl/service_indicator.h", + "include/openssl/sha.h", + "include/openssl/siphash.h", + "include/openssl/slhdsa.h", + "include/openssl/span.h", + "include/openssl/srtp.h", + "include/openssl/ssl.h", + "include/openssl/ssl3.h", + "include/openssl/stack.h", + "include/openssl/target.h", + "include/openssl/thread.h", + "include/openssl/tls1.h", + "include/openssl/trust_token.h", + "include/openssl/type_check.h", + "include/openssl/x509.h", + "include/openssl/x509_vfy.h", + "include/openssl/x509v3.h", + "include/openssl/x509v3_errors.h", +]) + +# Create rules for processing all BoringSSL sources. +# This creates one genrule per source file, which copies that source from +# BoringSSL, applying any necessary patches. This also creates a filegroup +# called :bssl_processed_sources which contains all the processed sources. +bssl_sources([ + "crypto/internal.h", + "crypto/mem.cc", + "crypto/bytestring/cbs.cc", + "crypto/bytestring/cbb.cc", + "ssl/ssl_x509.cc", +]) -# This target is identical to :bssl-compat-build but with the OpenSSL shared -# libraries dependency filtered out, to stop dependants linking against them. -filter_out_shared_libs( +# List of mapping functions +# For each listed mapping function, either a hand-written source file exists in +# source/{function}.c/.cc, or a genrule is created that generates a source file +# which implements simple direct call forwarding. This also creates a filegroup +# called :bssl_mapping_sources which contains all the source files. 
+bssl_mappings([ + "ASN1_ENUMERATED_to_BN", + "ASN1_IA5STRING_free", + "ASN1_IA5STRING_new", + "ASN1_INTEGER_free", + "ASN1_INTEGER_new", + "ASN1_INTEGER_to_BN", + "ASN1_OBJECT_free", + "ASN1_STRING_data", + "ASN1_STRING_free", + "ASN1_STRING_get0_data", + "ASN1_STRING_length", + "ASN1_STRING_set", + "ASN1_STRING_to_UTF8", + "ASN1_TIME_adj", + "ASN1_TIME_diff", + "ASN1_TIME_free", + "ASN1_TIME_new", + "ASN1_TIME_set", + "BASIC_CONSTRAINTS_free", + "BASIC_CONSTRAINTS_new", + "BIO_clear_flags", + "BIO_clear_retry_flags", + "BIO_ctrl_get_read_request", + "BIO_ctrl_get_write_guarantee", + "BIO_ctrl", + "BIO_eof", + "BIO_free_all", + "BIO_free", + "BIO_get_data", + "BIO_get_init", + "BIO_get_mem_data", + "BIO_get_mem_ptr", + "BIO_get_shutdown", + "BIO_gets", + "BIO_mem_contents", + "BIO_meth_new", + "BIO_meth_set_create", + "BIO_meth_set_ctrl", + "BIO_meth_set_destroy", + "BIO_meth_set_read", + "BIO_meth_set_write", + "BIO_new_bio_pair", + "BIO_new_connect", + "BIO_new_fd", + "BIO_new_file", + "BIO_new_fp", + "BIO_new_mem_buf", + "BIO_new_socket", + "BIO_new", + "BIO_pending", + "BIO_printf", + "BIO_puts", + "BIO_read_asn1", + "BIO_read_filename", + "BIO_read", + "BIO_reset", + "BIO_s_file", + "BIO_s_mem", + "BIO_s_socket", + "BIO_set_data", + "BIO_set_init", + "BIO_set_mem_eof_return", + "BIO_set_retry_read", + "BIO_set_retry_write", + "BIO_set_shutdown", + "BIO_should_read", + "BIO_should_retry", + "BIO_should_write", + "BIO_shutdown_wr", + "BIO_snprintf", + "BIO_up_ref", + "BIO_vfree", + "BIO_wpending", + "BIO_write", + "BN_add_word", + "BN_bin2bn", + "BN_bn2dec", + "BN_bn2hex", + "BN_cmp_word", + "BN_dup", + "BN_free", + "BN_hex2bn", + "BN_new", + "BN_num_bits", + "BN_set_word", + "BN_ucmp", + "c2i_ASN1_INTEGER", + "CRYPTO_BUFFER_free", + "CRYPTO_BUFFER_new", + "CRYPTO_memcmp", + "d2i_GENERAL_NAME", + "d2i_PKCS12_bio", + "d2i_SSL_SESSION", + "d2i_X509", + "DTLS_method", + "EC_GROUP_get_curve_name", + "EC_GROUP_get_degree", + "EC_GROUP_get0_order", + 
"EC_KEY_check_fips", + "EC_KEY_free", + "EC_KEY_get0_group", + "EC_KEY_get0_private_key", + "EC_KEY_new_by_curve_name", + "EC_KEY_parse_private_key", + "EC_KEY_set_private_key", + "EC_KEY_set_public_key_affine_coordinate", + "EC_KEY_set_public_key_affine_coordinates", + "EC_KEY_set_public_key", + "EC_POINT_free", + "EC_POINT_mul", + "EC_POINT_new", + "ECDSA_do_verify", + "ECDSA_SIG_free", + "ECDSA_SIG_get0", + "ECDSA_SIG_new", + "ECDSA_SIG_set0", + "ECDSA_sign", + "ECDSA_size", + "ECDSA_verify", + "ED25519_verify", + "ERR_clear_error", + "ERR_func_error_string", + "ERR_get_error", + "ERR_lib_error_string", + "ERR_peek_last_error", + "ERR_print_errors_fp", + "ERR_print_errors", + "ERR_put_error", + "ERR_reason_error_string", + "EVP_aes_128_gcm", + "EVP_aes_256_cbc", + "EVP_aes_256_gcm", + "EVP_CIPHER_block_size", + "EVP_CIPHER_CTX_ctrl", + "EVP_CIPHER_CTX_free", + "EVP_CIPHER_CTX_new", + "EVP_CIPHER_iv_length", + "EVP_CIPHER_key_length", + "EVP_DecodeBase64", + "EVP_DecodedLength", + "EVP_DecryptFinal_ex", + "EVP_DecryptInit_ex", + "EVP_DecryptUpdate", + "EVP_Digest", + "EVP_DigestFinal_ex", + "EVP_DigestFinal", + "EVP_DigestInit_ex", + "EVP_DigestInit", + "EVP_DigestSignFinal", + "EVP_DigestSignInit", + "EVP_DigestSignUpdate", + "EVP_DigestUpdate", + "EVP_DigestVerify", + "EVP_DigestVerifyFinal", + "EVP_DigestVerifyInit", + "EVP_DigestVerifyUpdate", + "EVP_EncryptFinal_ex", + "EVP_EncryptInit_ex", + "EVP_EncryptUpdate", + "EVP_get_digestbyname", + "EVP_MD_CTX_copy_ex", + "EVP_MD_CTX_create", + "EVP_MD_CTX_destroy", + "EVP_MD_CTX_free", + "EVP_MD_CTX_init", + "EVP_MD_CTX_move", + "EVP_MD_CTX_new", + "EVP_MD_nid", + "EVP_MD_size", + "EVP_MD_type", + "EVP_md4", + "EVP_md5_sha1", + "EVP_md5", + "EVP_parse_public_key", + "EVP_PKEY_assign_EC_KEY", + "EVP_PKEY_assign_RSA", + "EVP_PKEY_cmp", + "EVP_PKEY_CTX_set_rsa_mgf1_md", + "EVP_PKEY_CTX_set_rsa_padding", + "EVP_PKEY_free", + "EVP_PKEY_get_raw_public_key", + "EVP_PKEY_get0_EC_KEY", + "EVP_PKEY_get0_RSA", + 
"EVP_PKEY_get1_EC_KEY", + "EVP_PKEY_get1_RSA", + "EVP_PKEY_id", + "EVP_PKEY_new", + "EVP_PKEY_set1_RSA", + "EVP_PKEY_size", + "EVP_PKEY_up_ref", + "EVP_sha1", + "EVP_sha224", + "EVP_sha256", + "EVP_sha384", + "EVP_sha512", + "EVP_SignFinal", + "EVP_SignInit_ex", + "EVP_SignUpdate", + "FIPS_mode", + "GENERAL_NAME_free", + "GENERAL_NAME_new", + "GENERAL_NAME_set0_value", + "GENERAL_NAMES_free", + "GENERAL_NAMES_new", + "GENERAL_SUBTREE_free", + "GENERAL_SUBTREE_new", + "HMAC_CTX_free", + "HMAC_CTX_new", + "HMAC_Final", + "HMAC_Init_ex", + "HMAC_Update", + "HMAC", + "i2d_ASN1_OCTET_STRING", + "i2d_SSL_SESSION", + "i2d_X509_NAME", + "i2d_X509_PUBKEY", + "i2d_X509", + "MD5", + "NAME_CONSTRAINTS_free", + "NAME_CONSTRAINTS_new", + "OBJ_cmp", + "OBJ_obj2nid", + "OBJ_obj2txt", + "OBJ_txt2obj", + "OPENSSL_free", + "OPENSSL_init_ssl", + "OPENSSL_malloc", + "OPENSSL_memdup", + "OPENSSL_realloc", + "OPENSSL_sk_free", + "OPENSSL_sk_new_null", + "OPENSSL_sk_new", + "OPENSSL_sk_num", + "OPENSSL_sk_pop", + "OPENSSL_sk_push", + "OPENSSL_sk_value", + "PEM_bytes_read_bio", + "PEM_read_bio_PrivateKey", + "PEM_read_bio_PUBKEY", + "PEM_read_bio_RSAPrivateKey", + "PEM_read_bio_X509_AUX", + "PEM_read_bio_X509_CRL", + "PEM_read_bio_X509", + "PEM_write_bio_X509", + "PEM_X509_INFO_read_bio", + "PKCS12_free", + "PKCS12_get_key_and_certs", + "PKCS12_parse", + "PKCS12_verify_mac", + "RAND_bytes", + "RAND_enable_fork_unsafe_buffering", + "RSA_bits", + "RSA_check_fips", + "RSA_check_key", + "RSA_decrypt", + "RSA_encrypt", + "RSA_free", + "RSA_generate_key_ex", + "RSA_get0_crt_params", + "RSA_get0_d", + "RSA_get0_dmp1", + "RSA_get0_dmq1", + "RSA_get0_e", + "RSA_get0_factors", + "RSA_get0_iqmp", + "RSA_get0_key", + "RSA_get0_n", + "RSA_get0_p", + "RSA_get0_q", + "RSA_new", + "RSA_private_key_from_bytes", + "RSA_public_key_from_bytes", + "RSA_set0_crt_params", + "RSA_set0_factors", + "RSA_set0_key", + "RSA_sign_pss_mgf1", + "RSA_sign", + "RSA_size", + "RSA_verify", + "SHA1", + "SHA224", + 
"SHA256_Final", + "SHA256_Init", + "SHA256_Update", + "SHA256", + "SHA384", + "SHA512", + "SSL_accept", + "SSL_add_file_cert_subjects_to_stack", + "SSL_alert_desc_string_long", + "SSL_CIPHER_get_auth_nid", + "SSL_CIPHER_get_cipher_nid", + "SSL_CIPHER_get_digest_nid", + "SSL_CIPHER_get_handshake_digest", + "SSL_CIPHER_get_id", + "SSL_CIPHER_get_kx_nid", + "SSL_CIPHER_get_min_version", + "SSL_CIPHER_get_name", + "SSL_CIPHER_get_prf_nid", + "SSL_CIPHER_get_version", + "SSL_CIPHER_standard_name", + "SSL_clear", + "SSL_connect", + "SSL_CTX_add_extra_chain_cert", + "SSL_CTX_check_private_key", + "SSL_CTX_free", + "SSL_CTX_get_cert_store", + "SSL_CTX_get_ciphers", + "SSL_CTX_get_client_CA_list", + "SSL_CTX_get_ex_data", + "SSL_CTX_get_ex_new_index", + "SSL_CTX_get_max_proto_version", + "SSL_CTX_get_min_proto_version", + "SSL_CTX_get_options", + "SSL_CTX_get_session_cache_mode", + "SSL_CTX_get_verify_mode", + "SSL_CTX_get0_certificate", + "SSL_CTX_get0_param", + "SSL_CTX_load_verify_locations", + "SSL_CTX_new", + "SSL_CTX_sess_set_new_cb", + "SSL_CTX_set_alpn_protos", + "SSL_CTX_set_alpn_select_cb", + "SSL_CTX_set_cert_store", + "SSL_CTX_set_cert_verify_callback", + "SSL_CTX_set_cipher_list", + "SSL_CTX_set_client_CA_list", + "SSL_CTX_set_compliance_policy", + "SSL_CTX_set_custom_verify", + "SSL_CTX_set_ex_data", + "SSL_CTX_set_keylog_callback", + "SSL_CTX_set_max_proto_version", + "SSL_CTX_set_min_proto_version", + "SSL_CTX_set_next_proto_select_cb", + "SSL_CTX_set_next_protos_advertised_cb", + "SSL_CTX_set_options", + "SSL_CTX_set_private_key_method", + "SSL_CTX_set_select_certificate_cb", + "SSL_CTX_set_session_cache_mode", + "SSL_CTX_set_session_id_context", + "SSL_CTX_set_strict_cipher_list", + "SSL_CTX_set_timeout", + "SSL_CTX_set_tlsext_servername_arg", + "SSL_CTX_set_tlsext_servername_callback", + "SSL_CTX_set_tlsext_status_cb", + "SSL_CTX_set_tlsext_ticket_key_cb", + "SSL_CTX_set_tlsext_ticket_keys", + "SSL_CTX_set_tmp_ecdh", + 
"SSL_CTX_set_verify_algorithm_prefs", + "SSL_CTX_set_verify_depth", + "SSL_CTX_set_verify", + "SSL_CTX_set1_curves_list", + "SSL_CTX_set1_sigalgs_list", + "SSL_CTX_use_certificate_chain_file", + "SSL_CTX_use_certificate_file", + "SSL_CTX_use_certificate", + "SSL_CTX_use_PrivateKey_file", + "SSL_CTX_use_PrivateKey", + "SSL_do_handshake", + "SSL_early_callback_ctx_extension_get", + "SSL_enable_ocsp_stapling", + "SSL_error_description", + "SSL_free", + "SSL_get_all_cipher_names", + "SSL_get_all_signature_algorithm_names", + "SSL_get_all_version_names", + "SSL_get_certificate", + "SSL_get_cipher_by_value", + "SSL_get_ciphers", + "SSL_get_client_CA_list", + "SSL_get_current_cipher", + "SSL_get_curve_id", + "SSL_get_error", + "SSL_get_ex_data_X509_STORE_CTX_idx", + "SSL_get_ex_data", + "SSL_get_ex_new_index", + "SSL_get_peer_cert_chain", + "SSL_get_peer_certificate", + "SSL_get_peer_full_cert_chain", + "SSL_get_peer_signature_algorithm", + "SSL_get_rbio", + "SSL_get_servername", + "SSL_get_session", + "SSL_get_signature_algorithm_digest", + "SSL_get_signature_algorithm_key_type", + "SSL_get_signature_algorithm_name", + "SSL_get_SSL_CTX", + "SSL_get_verify_result", + "SSL_get_version", + "SSL_get_wbio", + "SSL_get0_alpn_selected", + "SSL_get0_next_proto_negotiated", + "SSL_get0_ocsp_response", + "SSL_get0_peer_certificates", + "SSL_get0_peer_verify_algorithms", + "SSL_get1_session", + "SSL_is_init_finished", + "SSL_is_server", + "SSL_is_signature_algorithm_rsa_pss", + "SSL_new", + "SSL_read", + "SSL_select_next_proto", + "SSL_send_fatal_alert", + "SSL_SESSION_free", + "SSL_SESSION_from_bytes", + "SSL_SESSION_get_id", + "SSL_SESSION_get_ticket_lifetime_hint", + "SSL_SESSION_get_version", + "SSL_SESSION_is_resumable", + "SSL_SESSION_new", + "SSL_session_reused", + "SSL_SESSION_set_protocol_version", + "SSL_SESSION_should_be_single_use", + "SSL_SESSION_to_bytes", + "SSL_SESSION_up_ref", + "SSL_set_accept_state", + "SSL_set_alpn_protos", + "SSL_set_bio", + "SSL_set_cert_cb", 
+ "SSL_set_chain_and_key", + "SSL_set_cipher_list", + "SSL_set_client_CA_list", + "SSL_set_connect_state", + "SSL_set_ex_data", + "SSL_set_fd", + "SSL_set_info_callback", + "SSL_set_ocsp_response", + "SSL_set_quiet_shutdown", + "SSL_set_renegotiate_mode", + "SSL_set_session_id_context", + "SSL_set_session", + "SSL_set_SSL_CTX", + "SSL_set_tlsext_host_name", + "SSL_set_verify", + "SSL_set0_CA_names", + "SSL_set0_rbio", + "SSL_set0_wbio", + "SSL_set1_curves_list", + "SSL_shutdown", + "SSL_state_string_long", + "SSL_state_string", + "SSL_version", + "SSL_write", + "TLS_client_method", + "TLS_method", + "TLS_server_method", + "TLS_VERSION_to_string", + "TLS_with_buffers_method", + "X509_add1_ext_i2d", + "X509_alias_get0", + "X509_cmp", + "X509_CRL_cmp", + "X509_CRL_dup", + "X509_CRL_free", + "X509_CRL_get_ext_by_NID", + "X509_CRL_get_ext", + "X509_CRL_get_issuer", + "X509_CRL_get0_by_cert", + "X509_CRL_up_ref", + "X509_CRL_verify", + "X509_digest", + "X509_EXTENSION_get_data", + "X509_EXTENSION_get_object", + "X509_free", + "X509_get_ext_by_NID", + "X509_get_ext_by_OBJ", + "X509_get_ext_count", + "X509_get_ext_d2i", + "X509_get_ext", + "X509_get_extension_flags", + "X509_get_issuer_name", + "X509_get_key_usage", + "X509_get_pathlen", + "X509_get_pubkey", + "X509_get_serialNumber", + "X509_get_subject_name", + "X509_get_X509_PUBKEY", + "X509_get0_notAfter", + "X509_get0_notBefore", + "X509_getm_notAfter", + "X509_getm_notBefore", + "X509_INFO_free", + "X509_NAME_add_entry_by_txt", + "X509_NAME_cmp", + "X509_NAME_digest", + "X509_NAME_dup", + "X509_NAME_entry_count", + "X509_NAME_ENTRY_get_data", + "X509_NAME_ENTRY_get_object", + "X509_NAME_ENTRY_set", + "X509_NAME_free", + "X509_NAME_get_entry", + "X509_NAME_get_index_by_NID", + "X509_NAME_new", + "X509_NAME_oneline", + "X509_NAME_print_ex", + "X509_new", + "X509_PUBKEY_get", + "X509_PUBKEY_get0_param", + "X509_set_issuer_name", + "X509_set_pubkey", + "X509_set_subject_name", + "X509_set_version", + "X509_sign", + 
"X509_STORE_add_cert", + "X509_STORE_add_crl", + "X509_STORE_CTX_free", + "X509_STORE_CTX_get_current_cert", + "X509_STORE_CTX_get_error_depth", + "X509_STORE_CTX_get_error", + "X509_STORE_CTX_get_ex_data", + "X509_STORE_CTX_get0_cert", + "X509_STORE_CTX_get0_chain", + "X509_STORE_CTX_get0_param", + "X509_STORE_CTX_get0_untrusted", + "X509_STORE_CTX_init", + "X509_STORE_CTX_new", + "X509_STORE_CTX_set_default", + "X509_STORE_CTX_set_error", + "X509_STORE_CTX_set_flags", + "X509_STORE_CTX_set_verify_cb", + "X509_STORE_CTX_set0_crls", + "X509_STORE_CTX_set0_trusted_stack", + "X509_STORE_free", + "X509_STORE_get0_param", + "X509_STORE_load_locations", + "X509_STORE_new", + "X509_STORE_set_flags", + "X509_STORE_set_verify_cb", + "X509_STORE_up_ref", + "X509_up_ref", + "X509_verify_cert_error_string", + "X509_verify_cert", + "X509_VERIFY_PARAM_clear_flags", + "X509_VERIFY_PARAM_get_flags", + "X509_VERIFY_PARAM_set_depth", + "X509_VERIFY_PARAM_set_flags", + "X509_VERIFY_PARAM_set_time_posix", + "X509_VERIFY_PARAM_set1", + "X509_verify", +]) + +# Full bssl-compat library +cc_library( name = "bssl-compat", - dep = ":bssl-compat-build", + srcs = [ + # Generated by prefixer + ":ossl_generated", + # Processed BoringSSL headers + ":bssl_processed_headers", + # Processed BoringSSL sources + ":bssl_processed_sources", + # Mapping functions + ":bssl_mapping_sources", + # Misc sources + "include/ext/openssl/ssl.h", + "source/CRYPTO_BUFFER.h", + "source/err.cc", + "source/ext_SSL_get_all_async_fds.c", + "source/iana_2_ossl_names.cc", + "source/iana_2_ossl_names.h", + "source/internal.h", + "source/log.c", + "source/log.h", + "source/ossl_dlopen.c", + "source/ossl_dlopen.h", + "source/override.cc", + "source/override.h", + "source/SSL_CTX_set_select_certificate_cb.h", + "source/SSL_get_curve_name.cc", + "source/stack.c", + ], + hdrs = [], + includes = [ + "source", + "include", + "third_party/boringssl/src/include", + "third_party/boringssl/src/crypto", + 
"third_party/boringssl/src", + ], + copts = [ + "-Wno-deprecated-declarations", + "-Dossl_OPENSSL_SUPPRESS_DEPRECATED", + ], + linkopts = [ + "-ldl", + ], visibility = ["//visibility:public"], + + # Add the OpenSSL shared libraries as a *data* dependency, so they get + # propagated to dependant targets, and made available in their runfiles + # directory when they run, so libbssl-compat.a can dlopen() them. + data = ["@openssl//:libs"], ) +# Aliases for compatibility alias( - name = "crypto", + name = "ssl", actual = ":bssl-compat", visibility = ["//visibility:public"], ) alias( - name = "ssl", + name = "crypto", actual = ":bssl-compat", visibility = ["//visibility:public"], ) diff --git a/bssl-compat/CMakeLists.txt b/bssl-compat/CMakeLists.txt deleted file mode 100644 index 0422b55cfee..00000000000 --- a/bssl-compat/CMakeLists.txt +++ /dev/null 
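Review bot: In the `ossl_generated` genrule `cmd`, `OPENSSL_INCLUDE_DIR` and `CLANG_INCLUDE_DIR` stay empty when neither loop finds a match, and the prefixer is then run with `--src-path ""` and `--include ""` instead of failing with a clear message. A guard before the prefixer call would catch this: `[[ -n "$$OPENSSL_INCLUDE_DIR" && -n "$$CLANG_INCLUDE_DIR" ]] || { echo "ossl_generated: include dir not found" >&2; exit 1; }`. Separately, the `bssl-compat` `cc_library` lists every header under `srcs` with `hdrs = []`; headers in `srcs` are private to the target in Bazel, so it is worth confirming that dependents including `openssl/*.h` still see them, or moving `:bssl_processed_headers` to `hdrs`. The hard-coded `outs` list also assumes one specific OpenSSL header set, which deserves a comment naming the OpenSSL version it was taken from.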
@@ -1,801 +0,0 @@
-cmake_minimum_required(VERSION 3.20 FATAL_ERROR)
-
-include(FetchContent)
-include(GoogleTest)
-
-if(POLICY CMP0135)
- cmake_policy(SET CMP0135 NEW)
-endif()
-
-set(CMAKE_C_STANDARD 11)
-set(CMAKE_CXX_STANDARD 17)
-
-# Produce a compilation database in json
-set(CMAKE_EXPORT_COMPILE_COMMANDS ON)
-
-project(bssl-compat VERSION 0.1 LANGUAGES C CXX)
-
-include(cmake/boringssl.cmake)
-include(cmake/openssl.cmake)
-
-add_subdirectory(prefixer)
-add_custom_command(DEPENDS prefixer OpenSSL
- COMMENT "Prefixing OpenSSL files"
- OUTPUT ${CMAKE_CURRENT_BINARY_DIR}/source/ossl.c
- ${CMAKE_CURRENT_BINARY_DIR}/include/ossl.h
- ${CMAKE_CURRENT_BINARY_DIR}/include/ossl/openssl/err.h
- COMMAND prefixer --src-path "${OPENSSL_INCLUDE_DIR}"
- --src-incl "openssl/*.h"
- --src-skip "openssl/asn1_mac.h"
- --src-skip "openssl/opensslconf-*.h"
- --output "${CMAKE_CURRENT_BINARY_DIR}"
- --prefix ossl)
-add_custom_target(ossl-gen DEPENDS ${CMAKE_CURRENT_BINARY_DIR}/include/ossl.h)
-add_dependencies(bssl-gen ossl-gen) # generate ossl headers before bssl headers
-
-# custom mappings
-add_library(bssl-compat STATIC
- source/ossl_dlopen.c
- source/ASN1_TIME_free.cc
- source/BASIC_CONSTRAINTS_free.cc
- source/BASIC_CONSTRAINTS_new.cc
- source/BIO_free.cc
- source/BIO_gets.c
- source/BIO_mem_contents.cc
- source/BIO_meth_set_create.cc
- source/BIO_meth_set_ctrl.cc
- source/BIO_meth_set_destroy.cc
- source/BIO_meth_set_read.cc
- source/BIO_meth_set_write.cc
- source/BIO_new_bio_pair.cc
- source/BIO_pending.cc
- source/BIO_printf.cc
- source/BIO_read.cc
- source/BIO_read_asn1.c
- source/BIO_snprintf.cc
- source/BIO_vfree.cc
- source/BIO_wpending.c
- source/BIO_write.cc
- source/BN_cmp_word.cc
- source/BN_bn2hex.cc
- source/BN_bin2bn.cc
- source/c2i_ASN1_INTEGER.cc
- source/CRYPTO_BUFFER_free.c
- source/CRYPTO_BUFFER.h
- source/CRYPTO_BUFFER_new.c
- source/d2i_GENERAL_NAME.cc
- source/ECDSA_do_verify.cc
- source/ECDSA_sign.cc
- source/ECDSA_verify.cc
- source/EC_KEY_check_fips.cc
- source/EC_KEY_parse_private_key.cc
- source/EC_KEY_set_public_key_affine_coordinate.cc
- source/ED25519_verify.cc
- source/err.cc
- source/EVP_DecodeBase64.c
- source/EVP_DecodedLength.c
- source/EVP_DigestVerifyFinal.cc
- source/EVP_DigestSignFinal.cc
- source/EVP_get_digestbyname.cc
- source/EVP_MD_CTX_init.cc
- source/EVP_MD_CTX_move.cc
- source/EVP_parse_public_key.cc
- source/EVP_PKEY_get0_EC_KEY.cc
- source/EVP_PKEY_get0_RSA.cc
- source/EVP_PKEY_get1_EC_KEY.cc
- source/EVP_PKEY_get1_RSA.cc
- source/EVP_PKEY_id.cc
- source/ext_SSL_get_all_async_fds.c
- source/FIPS_mode.cc
- source/GENERAL_NAME_free.cc
- source/GENERAL_NAME_new.cc
- source/GENERAL_NAMES_free.cc
- source/GENERAL_NAMES_new.cc
- source/GENERAL_SUBTREE_free.cc
- source/GENERAL_SUBTREE_new.cc
- source/HMAC_Init_ex.cc
- source/i2d_X509.c
- source/i2d_X509_PUBKEY.cc
- source/iana_2_ossl_names.cc
- source/internal.h
- source/log.c
- source/log.h
- source/NAME_CONSTRAINTS_free.cc
- source/NAME_CONSTRAINTS_new.cc
- source/OPENSSL_sk_num.c
- source/ossl.c
- source/override.h
- source/override.cc
- source/PEM_read_bio_PrivateKey.cc
- source/PEM_read_bio_RSAPrivateKey.c
- source/PEM_read_bio_X509.cc
- source/PEM_read_bio_X509_AUX.cc
- source/PEM_read_bio_X509_CRL.cc
- source/PEM_read_bio_PUBKEY.cc
- source/PEM_write_bio_X509.cc
- source/PEM_X509_INFO_read_bio.cc
- source/PKCS12_get_key_and_certs.cc
- source/PKCS12_parse.cc
- source/PKCS12_verify_mac.cc
- source/RAND_bytes.cc
- source/RAND_enable_fork_unsafe_buffering.c
- source/RSA_check_fips.cc
- source/RSA_check_key.cc
- source/RSA_decrypt.cc
- source/RSA_encrypt.cc
- source/RSA_generate_key_ex.cc
- source/RSA_private_key_from_bytes.cc
- source/RSA_public_key_from_bytes.cc
- source/RSA_sign_pss_mgf1.cc
- source/SHA256.cc
- source/SSL_add_file_cert_subjects_to_stack.cc
- source/SSL_set0_CA_names.cc
- source/SSL_CIPHER_get_kx_nid.cc
- source/SSL_CIPHER_get_min_version.cc
- source/SSL_CIPHER_get_prf_nid.cc
- source/SSL_CTX_get_ciphers.cc
- source/SSL_CTX_get_client_CA_list.cc
- source/SSL_CTX_get_max_proto_version.cc
- source/SSL_CTX_get_min_proto_version.cc
- source/SSL_CTX_get_ex_new_index.cc
- source/SSL_CTX_get_session_cache_mode.cc
- source/SSL_CTX_sess_set_new_cb.cc
- source/SSL_CTX_set_alpn_select_cb.cc
- source/SSL_CTX_set_cert_verify_callback.cc
- source/SSL_CTX_set_client_CA_list.cc
- source/SSL_CTX_set_custom_verify.cc
- source/SSL_CTX_set_next_protos_advertised_cb.cc
- source/SSL_CTX_set_private_key_method.cc
- source/SSL_CTX_set_select_certificate_cb.cc
- source/SSL_CTX_set_select_certificate_cb.h
- source/SSL_CTX_set_strict_cipher_list.cc
- source/SSL_CTX_set_tlsext_servername_callback.cc
- source/SSL_CTX_set_tlsext_status_cb.c
- source/SSL_CTX_set_tlsext_ticket_key_cb.cc
- source/SSL_CTX_set_tlsext_ticket_keys.cc
- source/SSL_CTX_set_verify_algorithm_prefs.cc
- source/SSL_CTX_set_keylog_callback.cc
- source/SSL_CTX_set_next_proto_select_cb.cc
- source/SSL_CTX_set_verify.cc
- source/SSL_CTX_use_certificate.cc
- source/SSL_CTX_set_compliance_policy.cc
- source/SSL_CTX_use_PrivateKey.cc
- source/SSL_early_callback_ctx_extension_get.c
- source/SSL_enable_ocsp_stapling.cc
- source/SSL_error_description.cc
- source/SSL_get0_ocsp_response.c
- source/SSL_get0_peer_certificates.cc
- source/SSL_get0_peer_verify_algorithms.cc
- source/SSL_get_all_signature_algorithm_names.cc
- source/SSL_get_all_version_names.c
- source/SSL_get_all_cipher_names.cc
- source/SSL_get_cipher_by_value.c
- source/SSL_get_client_CA_list.cc
- source/SSL_get_ciphers.cc
- source/SSL_get_curve_id.c
- source/SSL_get_curve_name.cc
- source/SSL_get_ex_new_index.cc
- source/SSL_get_peer_cert_chain.cc
- source/SSL_get_peer_full_cert_chain.cc
- source/SSL_get_peer_signature_algorithm.c
- source/SSL_get_servername.cc
- source/SSL_get_signature_algorithm_digest.cc
- source/SSL_get_signature_algorithm_key_type.cc
- source/SSL_get_signature_algorithm_name.c
- source/SSL_is_signature_algorithm_rsa_pss.cc
- source/SSL_send_fatal_alert.cc
- source/SSL_SESSION_from_bytes.c
- source/SSL_SESSION_get_ticket_lifetime_hint.cc
- source/SSL_SESSION_get_version.cc
- source/SSL_SESSION_new.cc
- source/SSL_SESSION_should_be_single_use.cc
- source/SSL_SESSION_to_bytes.c
- source/SSL_set_cert_cb.cc
- source/SSL_set_chain_and_key.cc
- source/SSL_set_client_CA_list.cc
- source/SSL_set_ocsp_response.cc
- source/SSL_set_renegotiate_mode.cc
- source/SSL_set_info_callback.cc
- source/SSL_set_verify.cc
- source/stack.c
- source/TLS_VERSION_to_string.cc
- source/TLS_with_buffers_method.cc
- source/X509_EXTENSION_get_object.cc
- source/X509_EXTENSION_get_data.cc
- source/X509_alias_get0.cc
- source/X509_get_pubkey.cc
- source/X509_sign.cc
- source/X509_STORE_CTX_get0_untrusted.cc
- source/X509_STORE_CTX_init.cc
- source/X509_STORE_CTX_get0_chain.cc
- source/X509_STORE_CTX_set0_crls.cc
- source/X509_STORE_CTX_set0_trusted_stack.cc
- source/X509_STORE_CTX_set_verify_cb.cc
- source/X509_verify_cert.c
- source/X509_verify_cert_error_string.cc
- source/X509_VERIFY_PARAM_set_time_posix.cc
-)
-
-target_add_bssl_include(bssl-compat
- include/openssl/aead.h
- include/openssl/aes.h
- include/openssl/arm_arch.h
- include/openssl/asn1.h
- include/openssl/asn1_mac.h
- include/openssl/asn1t.h
- include/openssl/asm_base.h
- include/openssl/base64.h
- include/openssl/base.h
- include/openssl/bcm_public.h
- include/openssl/bio.h
- include/openssl/blake2.h
- include/openssl/blowfish.h
- include/openssl/bn.h
- include/openssl/buffer.h
- include/openssl/buf.h
- include/openssl/bytestring.h
- include/openssl/cast.h
- include/openssl/chacha.h
- include/openssl/cipher.h
- include/openssl/cmac.h
- include/openssl/conf.h
- include/openssl/cpu.h
- include/openssl/crypto.h
- include/openssl/curve25519.h
- include/openssl/des.h
- include/openssl/dh.h
- include/openssl/digest.h
- include/openssl/dsa.h
- include/openssl/dtls1.h
- include/openssl/ecdh.h
- include/openssl/ecdsa.h
- include/openssl/ec.h
- include/openssl/ec_key.h
- include/openssl/engine.h
- include/openssl/e_os2.h
- include/openssl/err.h
- include/openssl/evp_errors.h
- include/openssl/evp.h
- include/openssl/ex_data.h
- include/openssl/hkdf.h
- include/openssl/hmac.h
- include/openssl/hpke.h
- include/openssl/hrss.h
- include/openssl/is_boringssl.h
- include/openssl/kdf.h
- include/openssl/lhash.h
- include/openssl/md4.h
- include/openssl/md5.h
- include/openssl/mem.h
- include/openssl/mlkem.h
- include/openssl/mem.h
- include/openssl/nid.h
- include/openssl/objects.h
- include/openssl/obj.h
- include/openssl/obj_mac.h
- include/openssl/opensslconf.h
- include/openssl/opensslv.h
- include/openssl/ossl_typ.h
- include/openssl/pem.h
- include/openssl/pkcs12.h
- include/openssl/pkcs7.h
- include/openssl/pkcs8.h
- include/openssl/poly1305.h
- include/openssl/pool.h
- include/openssl/posix_time.h
- include/openssl/rand.h
- include/openssl/rc4.h
- include/openssl/ripemd.h
- include/openssl/rsa.h
- include/openssl/safestack.h
- include/openssl/service_indicator.h
- include/openssl/sha.h
- include/openssl/siphash.h
- include/openssl/slhdsa.h
- include/openssl/span.h
- include/openssl/srtp.h
- include/openssl/ssl3.h
- include/openssl/ssl.h
- include/openssl/stack.h
- include/openssl/thread.h
- include/openssl/target.h
- include/openssl/tls1.h
- include/openssl/trust_token.h
- include/openssl/type_check.h
- include/openssl/x509.h
- include/openssl/x509v3.h
- include/openssl/x509v3_errors.h
- include/openssl/x509_vfy.h
- include/openssl/experimental/kyber.h
- include/openssl/pki/certificate.h
- include/openssl/pki/signature_verify_cache.h
- include/openssl/pki/verify_error.h
- include/openssl/pki/verify.h
-)
-
-# Case where simple mapping exists
-target_add_bssl_function(bssl-compat
- ASN1_ENUMERATED_to_BN
- ASN1_IA5STRING_free
- ASN1_IA5STRING_new
- ASN1_IA5STRING_new
- ASN1_IA5STRING_new
- ASN1_INTEGER_free
- ASN1_INTEGER_new
- ASN1_INTEGER_to_BN
- ASN1_OBJECT_free
- ASN1_STRING_data
- ASN1_STRING_free
- ASN1_STRING_get0_data
- ASN1_STRING_length
- ASN1_STRING_set
- ASN1_STRING_to_UTF8
- ASN1_TIME_adj
- ASN1_TIME_diff
- ASN1_TIME_new
- ASN1_TIME_set
- BIO_clear_flags
- BIO_clear_retry_flags
- BIO_clear_flags
- BIO_ctrl
- BIO_ctrl_get_read_request
- BIO_ctrl_get_write_guarantee
- BIO_eof
- BIO_get_data
- BIO_get_init
- BIO_get_mem_ptr
- BIO_get_shutdown
- BIO_meth_new
- BIO_new
- BIO_new_connect
- BIO_new_file
- BIO_new_fd
- BIO_new_fp
- BIO_new_socket
- BIO_new_mem_buf
- BIO_puts
- BIO_read_filename
- BIO_reset
- BIO_get_mem_data
- BIO_s_file
- BIO_set_data
- BIO_set_init
- BIO_set_mem_eof_return
- BIO_set_retry_read
- BIO_set_retry_write
- BIO_set_shutdown
- BIO_s_mem
- BIO_s_socket
- BIO_should_read
- BIO_should_retry
- BIO_should_write
- BIO_shutdown_wr
- BIO_up_ref
- BIO_free_all
- BN_add_word
- BN_add_word
- BN_add_word
- BN_bn2dec
- BN_dup
- BN_free
- BN_hex2bn
- BN_new
- BN_num_bits
- BN_set_word
- BN_ucmp
- CRYPTO_memcmp
- d2i_PKCS12_bio
- d2i_SSL_SESSION
- d2i_X509
- DTLS_method
- EC_GROUP_get_curve_name
- EC_GROUP_get_degree
- EC_GROUP_get0_order
- EC_KEY_new_by_curve_name
- EC_KEY_free
- EC_KEY_get0_group
- EC_KEY_get0_private_key
- EC_KEY_set_public_key
- EC_KEY_set_private_key
- EC_POINT_free
- EC_POINT_mul
- EC_POINT_new
- ECDSA_size
- ECDSA_SIG_free
- ECDSA_SIG_get0
- ECDSA_SIG_new
- ECDSA_SIG_set0
- ERR_clear_error
- ERR_print_errors
- ERR_print_errors_fp
- ERR_put_error
- EVP_aes_256_cbc
- EVP_aes_128_gcm
- EVP_aes_256_gcm
- EVP_CIPHER_CTX_free
- EVP_CIPHER_CTX_new
- EVP_CIPHER_CTX_ctrl
- EVP_CIPHER_block_size
- EVP_CIPHER_iv_length
- EVP_CIPHER_key_length
- EVP_DecryptFinal_ex
- EVP_DecryptInit_ex
- EVP_DecryptUpdate
- EVP_Digest
- EVP_DigestFinal
- EVP_DigestFinal_ex
- EVP_DigestInit
- EVP_DigestInit_ex
- EVP_DigestSignInit
- EVP_DigestSignUpdate
- EVP_DigestUpdate
- EVP_DigestVerify
- EVP_DigestVerifyUpdate
- EVP_DigestVerifyInit
- EVP_EncryptFinal_ex
- EVP_EncryptInit_ex
- EVP_EncryptUpdate
- EVP_MD_CTX_copy_ex
- EVP_MD_CTX_create
- EVP_MD_CTX_free
- EVP_MD_CTX_new
- EVP_MD_CTX_destroy
- EVP_MD_nid
- EVP_MD_size
- EVP_MD_type
- EVP_md4
- EVP_md5
- EVP_md5_sha1
- EVP_PKEY_assign_EC_KEY
- EVP_PKEY_assign_RSA
- EVP_PKEY_cmp
- EVP_PKEY_CTX_set_rsa_mgf1_md
- EVP_PKEY_CTX_set_rsa_padding
- EVP_PKEY_free
- EVP_PKEY_up_ref
- EVP_PKEY_get_raw_public_key
- EVP_PKEY_new
- EVP_PKEY_set1_RSA
- EVP_PKEY_size
- EVP_sha1
- EVP_sha224
- EVP_sha256
- EVP_sha384
- EVP_sha512
- EVP_SignInit_ex
- EVP_SignUpdate
- EVP_SignFinal
- GENERAL_NAME_set0_value
- HMAC
- HMAC_CTX_free
- HMAC_CTX_new
- HMAC_Final
- HMAC_Update
- i2d_ASN1_OCTET_STRING
- i2d_SSL_SESSION
- i2d_X509_NAME
- MD5
- OBJ_cmp
- OBJ_txt2obj
- OBJ_obj2txt
- OBJ_obj2nid
- OPENSSL_free
- OPENSSL_malloc
- OPENSSL_memdup
- OPENSSL_realloc
- OPENSSL_init_ssl
- OPENSSL_sk_free
- OPENSSL_sk_new_null
- OPENSSL_sk_pop
- OPENSSL_sk_push
- OPENSSL_sk_value
- PEM_bytes_read_bio
- PKCS12_free
- RSA_bits
- RSA_free
- RSA_get0_d
- RSA_get0_dmp1
- RSA_get0_dmq1
- RSA_get0_e
- RSA_get0_iqmp
- RSA_get0_n
- RSA_get0_p
- RSA_get0_q
- RSA_get0_crt_params
- RSA_get0_factors
- RSA_get0_key
- RSA_new
- RSA_set0_crt_params
- RSA_set0_factors
- RSA_set0_key
- RSA_sign
- RSA_size
- RSA_verify
- SHA1
- SHA224
- SHA256
- SHA384
- SHA512
- SSL_accept
- SSL_accept
- SSL_alert_desc_string_long
- SSL_clear
- SSL_CIPHER_get_auth_nid
- SSL_CIPHER_get_cipher_nid
- SSL_CIPHER_get_digest_nid
- SSL_CIPHER_get_handshake_digest
- SSL_CIPHER_get_id
- SSL_CIPHER_get_name
- SSL_CIPHER_standard_name
- SSL_CIPHER_get_version
- SSL_connect
- SSL_CTX_add_extra_chain_cert
- SSL_CTX_check_private_key
- SSL_CTX_set_tmp_ecdh
- SSL_get0_next_proto_negotiated
- SSL_CTX_free
- SSL_CTX_get_cert_store
- SSL_CTX_set_cert_store
- SSL_CTX_get_ex_data
- SSL_CTX_get_options
- SSL_CTX_get_verify_mode
- SSL_CTX_get0_certificate
- SSL_CTX_get0_param
- SSL_CTX_load_verify_locations
- SSL_CTX_new
- SSL_CTX_set_alpn_protos
- SSL_CTX_set_cipher_list
- SSL_CTX_set_ex_data
- SSL_CTX_set_max_proto_version
- SSL_CTX_set_min_proto_version
- SSL_CTX_set_options
- SSL_CTX_set_session_cache_mode
- SSL_CTX_set_session_id_context
- SSL_CTX_set_timeout
- SSL_CTX_set_tlsext_servername_arg
- SSL_CTX_set_verify_depth
- SSL_CTX_set1_curves_list
- SSL_CTX_set1_sigalgs_list
- SSL_CTX_use_certificate_chain_file
- SSL_CTX_use_certificate_file
- SSL_CTX_use_PrivateKey_file
- SSL_do_handshake
- SSL_free
- SSL_get_certificate
- SSL_get_current_cipher
- SSL_get_error
- SSL_get_ex_data
- SSL_get_ex_data_X509_STORE_CTX_idx
- SSL_get_peer_certificate
- SSL_get_session
- SSL_get_SSL_CTX
- SSL_get_version
- SSL_get_wbio
- SSL_get_rbio
- SSL_get_verify_result
- SSL_get0_alpn_selected
- SSL_get1_session
- SSL_is_server
- SSL_is_init_finished
- SSL_new
- SSL_read
- SSL_select_next_proto
- SSL_SESSION_free
- SSL_SESSION_get_id
- SSL_SESSION_is_resumable
- SSL_session_reused
- SSL_SESSION_set_protocol_version
- SSL_SESSION_up_ref
- SSL_set_accept_state
- SSL_set_alpn_protos
- SSL_set_bio
- SSL_set_cipher_list
- SSL_set_connect_state
- SSL_set_ex_data
- SSL_set_fd
- SSL_set_quiet_shutdown
- SSL_set_session
- SSL_set_session_id_context
- SSL_set_SSL_CTX
- SSL_set_tlsext_host_name
- SSL_set0_rbio
- SSL_set0_rbio
- SSL_set0_wbio
- SSL_set0_wbio
- SSL_set1_curves_list
- SSL_state_string_long
- SSL_state_string
- SSL_shutdown
- SSL_version
- SSL_write
- TLS_client_method
- TLS_method
- TLS_server_method
- X509_add1_ext_i2d
- X509_cmp
- X509_CRL_cmp
- X509_CRL_dup
- X509_CRL_free
- X509_CRL_get0_by_cert
- X509_CRL_get_ext
- X509_CRL_get_ext_by_NID
- X509_CRL_get_issuer
- X509_CRL_up_ref
- X509_CRL_verify
- X509_digest
- X509_free
- X509_get_ext
- X509_get_ext_by_NID
- X509_get_ext_by_OBJ
- X509_get_ext_count
- X509_get_ext_d2i
- X509_get_extension_flags
- X509_get_issuer_name
- X509_get_key_usage
- X509_get_pathlen
- X509_get_serialNumber
- X509_get_subject_name
- X509_get_X509_PUBKEY
- X509_get0_notAfter
- X509_get0_notBefore
- X509_getm_notAfter
- X509_getm_notBefore
- X509_INFO_free
- X509_NAME_add_entry_by_txt
- X509_NAME_cmp
- X509_NAME_digest
- X509_NAME_dup
- X509_NAME_entry_count
- X509_NAME_ENTRY_get_data
- X509_NAME_ENTRY_get_object
- X509_NAME_ENTRY_set
- X509_NAME_free
- X509_NAME_get_entry
- X509_NAME_get_index_by_NID
- X509_NAME_new
- X509_NAME_oneline
- X509_NAME_print_ex
- X509_new
- X509_PUBKEY_get
- X509_PUBKEY_get0_param
- X509_set_issuer_name
- X509_set_subject_name
- X509_set_pubkey
- X509_set_version
- X509_STORE_add_cert
- X509_STORE_add_crl
- X509_STORE_CTX_free
- X509_STORE_CTX_get_current_cert
- X509_STORE_CTX_get_error
- X509_STORE_CTX_get_error_depth
- X509_STORE_CTX_get_ex_data
- X509_STORE_CTX_get0_cert
- X509_STORE_CTX_get0_param
- X509_STORE_CTX_new
- X509_STORE_CTX_set_default
- X509_STORE_CTX_set_error
- X509_STORE_CTX_set_flags
- X509_STORE_free
- X509_STORE_get0_param
- X509_STORE_load_locations
- X509_STORE_new
- X509_STORE_up_ref
- X509_STORE_set_flags
- X509_STORE_set_verify_cb
- X509_up_ref
- X509_verify
- X509_VERIFY_PARAM_clear_flags
- X509_VERIFY_PARAM_get_flags
- X509_VERIFY_PARAM_set_flags
- X509_VERIFY_PARAM_set_depth
- X509_VERIFY_PARAM_set1
-)
-
-target_add_bssl_source(bssl-compat
- source/crypto/internal.h
- source/crypto/mem.cc
- source/crypto/bytestring/cbs.cc
- source/crypto/bytestring/cbb.cc
- source/ssl/ssl_x509.cc
-)
-target_compile_definitions(bssl-compat PUBLIC ossl_OPENSSL_SUPPRESS_DEPRECATED)
-target_include_directories(bssl-compat PUBLIC ${CMAKE_CURRENT_SOURCE_DIR}/include)
-target_include_directories(bssl-compat PRIVATE ${CMAKE_CURRENT_SOURCE_DIR}/source)
-target_include_directories(bssl-compat PUBLIC ${CMAKE_CURRENT_BINARY_DIR}/include)
-target_include_directories(bssl-compat PUBLIC ${CMAKE_CURRENT_BINARY_DIR}/source)
-target_link_libraries(bssl-compat INTERFACE ${CMAKE_DL_LIBS})
-
-################################################################################
-# Intallation
-################################################################################
-
-set(INSTALL_GTEST OFF)
-install(TARGETS bssl-compat ARCHIVE DESTINATION lib)
-install(DIRECTORY ${CMAKE_CURRENT_SOURCE_DIR}/include DESTINATION . FILES_MATCHING PATTERN "*.h")
-install(DIRECTORY ${CMAKE_CURRENT_BINARY_DIR}/include/ossl DESTINATION include FILES_MATCHING PATTERN "*.h")
-install(DIRECTORY ${CMAKE_CURRENT_BINARY_DIR}/include/openssl DESTINATION include FILES_MATCHING PATTERN "*.h")
-install(DIRECTORY ${CMAKE_CURRENT_BINARY_DIR}/include/openssl/pki DESTINATION include FILES_MATCHING PATTERN "*.h")
-install(DIRECTORY ${CMAKE_CURRENT_BINARY_DIR}/include/openssl/experimental DESTINATION include FILES_MATCHING PATTERN "*.h")
-install(FILES ${CMAKE_CURRENT_BINARY_DIR}/include/ossl.h DESTINATION include)
-################################################################################
-# Unit Tests
-################################################################################
-
-FetchContent_Declare(googletest URL ${CMAKE_SOURCE_DIR}/vendor/googletest-5376968f6948923e2411081fd9372e71a59d8e77.zip)
-FetchContent_MakeAvailable(googletest)
-enable_testing()
-
-set(utests-bssl-source-list
- # Tests copied/patched from BoringSSL
- source/crypto/bio/bio_test.cc
- source/crypto/digest/digest_test.cc
- source/crypto/err/err_test.cc
- source/crypto/hmac/hmac_test.cc
- source/crypto/pkcs8/pkcs12_test.cc
- source/crypto/rand/rand_test.cc
- source/crypto/rsa/rsa_test.cc
- source/crypto/stack/stack_test.cc
- source/crypto/test/file_test_gtest.cc
- source/crypto/test/file_test.cc
- source/crypto/test/file_test.h
- source/crypto/test/file_util.cc
- source/crypto/test/file_util.h
- source/crypto/test/test_data.cc
- source/crypto/test/test_data.h
- source/crypto/internal.h
- source/crypto/bcm_support.h
- source/crypto/test/test_util.cc
- source/crypto/test/test_util.h
- source/crypto/x509/x509_test.cc
- source/ssl/ssl_c_test.c
- source/ssl/ssl_test.cc
-)
-
-set(utests-source-list
- # Our hand written bssl-compat tests
- source/test/test_asn1.cc
- source/test/test_bn.cc
- source/test/test_cipher.cc
- source/test/test_crypto.cc
- source/test/test_ec_key.cc
- source/test/test_err.cc
- source/test/test_evp.cc
- source/test/test_hmac.cc
- source/test/test_misc.cc
- source/test/test_rsa.cc
- source/test/test_ssl.cc
- source/test/test_stack.cc
- source/test/test_x509.cc
- source/test/test_x509v3.cc
- source/test/test_pem.cc
- source/test/test_sha256.cc
- # Test data copied from BoringSSL
- source/crypto/test/crypto_test_data.cc
-)
-################################################################################
-# Unit Tests built on bssl-compat
-################################################################################
-add_executable(utests-bssl-compat ${utests-source-list} source/test/main.cc)
-target_add_bssl_source(utests-bssl-compat ${utests-bssl-source-list})
-set_source_files_properties(source/extra/err_extra.c PROPERTIES COMPILE_FLAGS -Wno-deprecated-declarations)
-# Add env variable SANITIZE_OPTIONS for optional sanitizers
-target_link_options(utests-bssl-compat PRIVATE "$ENV{SANITIZE_OPTIONS}" )
-target_link_libraries(utests-bssl-compat PRIVATE stdc++ GTest::gtest bssl-compat)
-set_target_properties(utests-bssl-compat PROPERTIES BUILD_RPATH "${OPENSSL_LIBRARY_DIR}")
-gtest_discover_tests(utests-bssl-compat)
-install(TARGETS utests-bssl-compat DESTINATION bin)
-
-################################################################################
-# Unit Tests built on BoringSSL
-################################################################################
-if(BUILD_BORINGSSL)
- add_executable(utests-boring ${utests-source-list})
- target_add_bssl_source(utests-boring ${utests-bssl-source-list})
- target_include_directories(utests-boring PRIVATE ${CMAKE_CURRENT_BINARY_DIR}/source)
- # Add env variable SANITIZE_OPTIONS for optional sanitizers
- target_link_options(utests-boring PRIVATE "$ENV{SANITIZE_OPTIONS}" )
- target_link_libraries(utests-boring PRIVATE BoringSSL::SSL BoringSSL::Crypto)
- target_link_libraries(utests-boring PRIVATE stdc++ GTest::gtest_main)
- gtest_discover_tests(utests-boring)
- install(TARGETS utests-boring DESTINATION bin)
-endif(BUILD_BORINGSSL)
diff --git a/bssl-compat/WORKSPACE b/bssl-compat/WORKSPACE
new file mode 100644
index 00000000000..a71497f5092
--- /dev/null
+++ b/bssl-compat/WORKSPACE
@@ -0,0 +1 @@
+workspace(name = "bssl-compat")
diff --git a/bssl-compat/bazel/rules.bzl b/bssl-compat/bazel/rules.bzl
new file mode 100644
index 00000000000..d2898c34580
--- /dev/null
+++ b/bssl-compat/bazel/rules.bzl
@@ -0,0 +1,175 @@
+"""Bazel macros for bssl-compat library."""
+
+def _bssl_header_impl(name, src_file, dst_file):
+ """Generate a genrule for processing one BoringSSL header.
+
+ Args:
+ name: Unique name for this genrule
+ src_file: Source path relative to third_party/boringssl/src/ (e.g., "include/openssl/aes.h")
+ dst_file: Destination path (e.g., "include/openssl/aes.h")
+ """
+ # Tools that are always needed
+ tools = [
+ "//tools:uncomment.sh",
+ ]
+
+ # Source file from BoringSSL
+ srcs = ["third_party/boringssl/src/" + src_file]
+
+ # Optional patch script
+ patch_script = "patch/" + dst_file + ".sh"
+
+ # Optional patch file
+ patch_file = "patch/" + dst_file + ".patch"
+
+ native.genrule(
+ name = name,
+ srcs = srcs + native.glob([patch_script, patch_file]),
+ outs = [dst_file],
+ cmd = """
+ # Set up paths - all paths need to be relative to bssl-compat package
+ SRC_FILE="$(location third_party/boringssl/src/{src_file})"
+ DST_FILE="$(location {dst_file})"
+ # Patch files are in the package, so use relative paths from execroot
+ PATCH_SCRIPT="external/bssl-compat/patch/{dst_file}.sh"
+ PATCH_FILE="external/bssl-compat/patch/{dst_file}.patch"
+
+ # Create output directory
+ mkdir -p "$$(dirname $$DST_FILE)"
+
+ # Create temporary directory
+ TMP_DIR="$$DST_FILE.tmp"
+ mkdir -p "$$TMP_DIR"
+ trap 'rm -rf $$TMP_DIR' EXIT
+
+ # Copy source file to working file
+ WORKING="$$TMP_DIR/working.h"
+ cp "$$SRC_FILE" "$$WORKING"
+ chmod +w "$$WORKING"
+
+ # Apply patch file if it exists
+ if [ -f "$$PATCH_FILE" ]; then
+ patch -s -f "$$WORKING" "$$PATCH_FILE" -o "$$TMP_DIR/applied.patch.h"
+ cp "$$TMP_DIR/applied.patch.h" "$$WORKING"
+ fi
+
+ # Apply patch script if it exists, otherwise comment out the whole file
+ if [ -f "$$PATCH_SCRIPT" ]; then
+ TOOLS_DIR="$$(dirname "$(location //tools:uncomment.sh)")"
+ PATH="$$TOOLS_DIR:$$PATH" bash "$$PATCH_SCRIPT" "$$WORKING"
+ cp "$$WORKING" "$$TMP_DIR/applied.script.h"
+ else
+ bash $(location //tools:uncomment.sh) "$$WORKING" --comment
+ fi
+
+ # Copy result to destination
+ cp "$$WORKING" "$$DST_FILE"
+ """.format(src_file = src_file, dst_file = dst_file),
+ tools = tools,
+ visibility = ["//visibility:private"],
+ )
+
+def bssl_headers(headers):
+ """Process multiple BoringSSL headers.
+
+ Args:
+ headers: List of header paths (e.g., ["include/openssl/aes.h", "include/openssl/bio.h"])
+ """
+ # Generate individual header processing rules
+ header_targets = []
+ for h in headers:
+ # Generate a unique name from the path
+ name = "bssl_header_" + h.replace("/", "_").replace(".", "_")
+ _bssl_header_impl(name, h, h)
+ header_targets.append(":" + name)
+
+ # Create a filegroup containing all processed headers
+ native.filegroup(
+ name = "bssl_processed_headers",
+ srcs = header_targets,
+ visibility = ["//visibility:public"],
+ )
+
+def bssl_sources(sources):
+ """Process BoringSSL source files.
+
+ Similar to bssl_headers, but for source files (.cc, .c) from BoringSSL
+ that need to be processed with patches.
+
+ Args:
+ sources: List of source paths relative to "source/" directory
+ (e.g., ["crypto/mem.cc", "ssl/ssl_x509.cc"])
+ """
+ source_targets = []
+ for src in sources:
+ # Generate a unique name from the path
+ name = "bssl_source_" + src.replace("/", "_").replace(".", "_")
+ # src is relative to "source/", so the BoringSSL source is at third_party/boringssl/src/{src}
+ src_file = src # e.g., "crypto/mem.cc"
+ dst_file = "source/" + src # e.g., "source/crypto/mem.cc"
+ _bssl_header_impl(name, src_file, dst_file)
+ source_targets.append(":" + name)
+
+ # Create a filegroup containing all processed source files
+ native.filegroup(
+ name = "bssl_processed_sources",
+ srcs = source_targets,
+ visibility = ["//visibility:public"],
+ )
+
+def bssl_mappings(functions):
+ """Find or generate mapping functions for BoringSSL API.
+
+ For each function name, this either:
+ 1. Uses an existing hand-written source/function.c or source/function.cc if it exists, OR
+ 2. Creates a genrule that searches BoringSSL headers for the function signature
+ and generates a .c file with a forwarding function that calls ossl_
+
+ Args:
+ functions: List of function names (e.g., ["BIO_new", "BIO_free", "SSL_new"])
+ """
+ function_targets = []
+ for func in functions:
+ name = "bssl_func_" + func
+
+ # Check if hand-written implementation exists (.c or .cc)
+ hand_written_c = native.glob(["source/" + func + ".c"])
+ hand_written_cc = native.glob(["source/" + func + ".cc"])
+
+ if hand_written_c or hand_written_cc:
+ # Create an alias to the source file so it has a consistent target name
+ native.filegroup(
+ name = name,
+ srcs = [hand_written_c[0] if hand_written_c else hand_written_cc[0]],
+ visibility = ["//visibility:private"],
+ )
+ else:
+ # Generate the function using generate.c.sh
+ out = "source/" + func + ".c"
+ native.genrule(
+ name = name,
+ srcs = native.glob(["third_party/boringssl/src/include/openssl/*.h"]),
+ outs = [out],
+ cmd = """
+ mkdir -p "$$(dirname $(location {out}))"
+
+ # Deduce the include directory from the first include file
+ FIRST_INCLUDE="$$(echo $(SRCS) | awk '{{print $$1}}')"
+ BORINGSSL_INCLUDE_DIR="$$(dirname "$$(dirname "$$FIRST_INCLUDE")")"
+
+ # Run generate.c.sh with the BoringSSL include directory
+ $(location //tools:generate.c.sh) "{func}" "$(location {out})" "$$BORINGSSL_INCLUDE_DIR"
+ """.format(func = func, out = out),
+ tools = [
+ "//tools:generate.c.sh",
+ ],
+ visibility = ["//visibility:private"],
+ )
+ function_targets.append(":" + name)
+
+ # Create a filegroup containing all function implementations (both hand-written and generated)
+ native.filegroup(
+ name = "bssl_mapping_sources",
+ srcs = function_targets,
+ visibility = ["//visibility:public"],
+ )
diff --git a/bssl-compat/cmake/boringssl.cmake b/bssl-compat/cmake/boringssl.cmake
deleted file mode 100644
index 8a0e66d1c17..00000000000
--- a/bssl-compat/cmake/boringssl.cmake
+++ /dev/null
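Review bot: In `_bssl_header_impl` the genrule `cmd` probes for the optional patch inputs at the fixed paths `external/bssl-compat/patch/{dst_file}.sh` and `.patch`, although `srcs` already receives them from `native.glob`. Those paths only resolve when the package is consumed as an external repository named `bssl-compat`; built from inside its own workspace or under another repository layout, both `[ -f ... ]` tests are false, the patch is skipped without any error, and the file is emitted through the `--comment` branch instead. For sources that feed a TLS library, a silently unpatched output should not depend on the execroot layout, so I would resolve the globbed files with `$(location ...)` at analysis time and pass either the real path or an empty string into the script.

```starlark
    # Resolve the optional patch inputs at analysis time rather than probing a fixed execroot path.
    patch_scripts = native.glob([patch_script])
    patch_files = native.glob([patch_file])

    native.genrule(
        name = name,
        srcs = srcs + patch_scripts + patch_files,
        # … unchanged: outs …
        cmd = """
            # … unchanged: SRC_FILE and DST_FILE …
            PATCH_SCRIPT="{patch_script}"
            PATCH_FILE="{patch_file}"
            # … unchanged: rest of the script …
        """.format(
            src_file = src_file,
            dst_file = dst_file,
            patch_script = "$(location %s)" % patch_scripts[0] if patch_scripts else "",
            patch_file = "$(location %s)" % patch_files[0] if patch_files else "",
        ),
        # … unchanged: tools, visibility …
    )
```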
@@ -1,74 +0,0 @@
-if(BUILD_BORINGSSL)
- include(ExternalProject)
-
- ExternalProject_Add(BoringSSL
- PREFIX "${CMAKE_CURRENT_BINARY_DIR}/third_party/boringssl/src"
- SOURCE_DIR "${CMAKE_CURRENT_SOURCE_DIR}/third_party/boringssl/src"
- CMAKE_ARGS -DCMAKE_INSTALL_PREFIX:PATH=
- -DCMAKE_INSTALL_LIBDIR=lib
- -DCMAKE_C_COMPILER=${CMAKE_C_COMPILER}
- -DCMAKE_CXX_COMPILER=${CMAKE_CXX_COMPILER}
- )
-
- ExternalProject_Get_Property(BoringSSL INSTALL_DIR)
- file(MAKE_DIRECTORY ${INSTALL_DIR}/include)
-
- add_library(BoringSSL::SSL STATIC IMPORTED GLOBAL)
- set_property(TARGET BoringSSL::SSL PROPERTY IMPORTED_LOCATION ${INSTALL_DIR}/lib/libssl.a)
- set_property(TARGET BoringSSL::SSL PROPERTY INTERFACE_INCLUDE_DIRECTORIES ${INSTALL_DIR}/include)
- add_dependencies(BoringSSL::SSL BoringSSL)
-
- add_library(BoringSSL::Crypto STATIC IMPORTED GLOBAL)
- set_property(TARGET BoringSSL::Crypto PROPERTY IMPORTED_LOCATION ${INSTALL_DIR}/lib/libcrypto.a)
- set_property(TARGET BoringSSL::Crypto PROPERTY INTERFACE_INCLUDE_DIRECTORIES ${INSTALL_DIR}/include)
- add_dependencies(BoringSSL::Crypto BoringSSL)
-endif(BUILD_BORINGSSL)
-
-add_custom_target(bssl-gen)
-
-function(_target_add_bssl_file target src-file dst-file)
- target_sources(${target} PRIVATE ${dst-file})
- set(generate-cmd "${CMAKE_CURRENT_SOURCE_DIR}/tools/generate.h.sh" "${CMAKE_CURRENT_SOURCE_DIR}" "${CMAKE_CURRENT_BINARY_DIR}" "${src-file}" "${dst-file}")
- foreach(dependency "third_party/boringssl/src/${src-file}" "patch/${dst-file}.sh" "patch/${dst-file}.patch")
- if(EXISTS "${CMAKE_CURRENT_SOURCE_DIR}/${dependency}")
- set(dependencies ${dependencies} "${CMAKE_CURRENT_SOURCE_DIR}/${dependency}")
- endif()
- endforeach()
- set(dependencies ${dependencies} "${CMAKE_CURRENT_SOURCE_DIR}/tools/generate.h.sh")
- set(dependencies ${dependencies} "${CMAKE_CURRENT_SOURCE_DIR}/tools/uncomment.sh")
- add_custom_command(COMMAND ${generate-cmd} DEPENDS ${dependencies} OUTPUT "${dst-file}")
- string(MAKE_C_IDENTIFIER "${dst-file}" dst-file-target)
- if(NOT TARGET ${dst-file-target})
- add_custom_target(${dst-file-target} DEPENDS "${dst-file}")
- add_dependencies(bssl-gen ${dst-file-target})
- endif()
-endfunction()
-
-function(target_add_bssl_include target)
- foreach(src-file ${ARGN})
- _target_add_bssl_file(${target} "${src-file}" "${src-file}")
- endforeach()
-endfunction()
-
-function(target_add_bssl_source target)
- foreach(dst-file ${ARGN})
- cmake_path(RELATIVE_PATH dst-file BASE_DIRECTORY "source" OUTPUT_VARIABLE src-file)
- _target_add_bssl_file(${target} "${src-file}" "${dst-file}")
- endforeach()
-endfunction()
-
-function(target_add_bssl_function target)
- set(gen-c-sh ${CMAKE_CURRENT_SOURCE_DIR}/tools/generate.c.sh)
- foreach(function ${ARGN})
- set(gen-file source/${function}.c)
- set(gen-cmd flock ${gen-c-sh} -c "${gen-c-sh} ${function} ${gen-file}")
- target_sources(${target} PRIVATE ${gen-file})
- add_custom_command(OUTPUT ${gen-file} COMMAND ${gen-cmd} DEPENDS ${gen-c-sh})
- endforeach()
-endfunction()
-
-add_custom_command(OUTPUT source/crypto/test/crypto_test_data.cc
- DEPENDS ${CMAKE_CURRENT_SOURCE_DIR}/third_party/boringssl/crypto_test_data.cc
- COMMAND ${CMAKE_COMMAND} -E copy ${CMAKE_CURRENT_SOURCE_DIR}/third_party/boringssl/crypto_test_data.cc
- source/crypto/test/crypto_test_data.cc
-)
\ No newline at end of file
diff --git a/bssl-compat/cmake/openssl.cmake b/bssl-compat/cmake/openssl.cmake
deleted file mode 100644
index 9219189db90..00000000000
--- a/bssl-compat/cmake/openssl.cmake
+++ /dev/null
@@ -1,9 +0,0 @@
-find_package(OpenSSL 3.0 COMPONENTS Crypto SSL)
-
-if(OpenSSL_FOUND)
- add_custom_target(OpenSSL)
- get_filename_component(OPENSSL_LIBRARY_DIR ${OPENSSL_CRYPTO_LIBRARY} DIRECTORY)
- message(STATUS "Found OpenSSL ${OPENSSL_VERSION} (${OPENSSL_LIBRARY_DIR})")
-else()
- message(FATAL_ERROR "OpenSSL 3.0 not found. Aborting.")
-endif()
diff --git a/bssl-compat/filter_out_shared_libs.bzl b/bssl-compat/filter_out_shared_libs.bzl
deleted file mode 100644
index ffca8c76999..00000000000
--- a/bssl-compat/filter_out_shared_libs.bzl
+++ /dev/null
@@ -1,58 +0,0 @@
-"""Rule to filter out shared libraries from a cc target's dependencies."""
-
-def _filter_out_shared_libs_impl(ctx):
- dep = ctx.attr.dep
- cc_info = dep[CcInfo]
-
- # Get the original linking context
- linking_context = cc_info.linking_context
-
- # Filter out shared libraries from linker inputs
- filtered_linker_inputs = []
- for linker_input in linking_context.linker_inputs.to_list():
- # Only keep static libraries
- filtered_libraries = []
- for lib in linker_input.libraries:
- if lib.static_library or lib.pic_static_library:
- filtered_libraries.append(lib)
-
- if filtered_libraries:
- filtered_linker_inputs.append(
- cc_common.create_linker_input(
- owner = linker_input.owner,
- libraries = depset(filtered_libraries),
- user_link_flags = depset(linker_input.user_link_flags),
- )
- )
-
- # Create new linking context with filtered inputs
- new_linking_context = cc_common.create_linking_context(
- linker_inputs = depset(filtered_linker_inputs),
- )
-
- # Create new CcInfo with filtered linking context
- new_cc_info = CcInfo(
- compilation_context = cc_info.compilation_context,
- linking_context = new_linking_context,
- )
-
- default_info = dep[DefaultInfo]
- return [
- new_cc_info,
- DefaultInfo(
- files = default_info.files,
- data_runfiles = default_info.data_runfiles,
- default_runfiles = default_info.default_runfiles,
- ),
- ]
-
-filter_out_shared_libs = rule(
- implementation = _filter_out_shared_libs_impl,
- attrs = {
- "dep": attr.label(
- mandatory = True,
- providers = [CcInfo],
- ),
- },
- provides = [CcInfo],
-)
diff --git a/bssl-compat/prefixer/BUILD b/bssl-compat/prefixer/BUILD
new file mode 100644
index 00000000000..d11f188a26e
--- /dev/null
+++ b/bssl-compat/prefixer/BUILD
@@ -0,0 +1,11 @@
+load("@rules_cc//cc:defs.bzl", "cc_binary")
+
+licenses(["notice"]) # Apache 2
+
+cc_binary(
+ name = "prefixer",
+ srcs = ["prefixer.cpp"],
+ copts = ["-fno-rtti"], # Required by libclang-cpp
+ deps = ["@llvm//:libclang-cpp"],
+ visibility = ["//visibility:public"],
+)
diff --git a/bssl-compat/prefixer/CMakeLists.txt b/bssl-compat/prefixer/CMakeLists.txt
deleted file mode 100644
index 5e3d74c095e..00000000000
--- a/bssl-compat/prefixer/CMakeLists.txt
+++ /dev/null
@@ -1,20 +0,0 @@
-project(prefixer)
-
-# https://llvm.org/docs/CMake.html#embedding-llvm-in-your-project
-
-find_package(Clang REQUIRED CONFIG)
-find_package(LLVM REQUIRED CONFIG)
-
-message(STATUS "Found LLVM ${LLVM_PACKAGE_VERSION} (${LLVM_INSTALL_PREFIX},${LLVM_ENABLE_EH},${LLVM_ENABLE_RTTI},${LLVM_LINK_LLVM_DYLIB})")
-
-list(APPEND CMAKE_MODULE_PATH ${LLVM_CMAKE_DIR})
-include(AddLLVM) # For llvm_update_compile_flags()
-
-add_executable(prefixer prefixer.cpp)
-llvm_update_compile_flags(prefixer) # Adds appropriate exception & rtti flags
-llvm_setup_rpath(prefixer)
-target_compile_definitions(prefixer PRIVATE LLVM_LIBRARY_DIR=\"${LLVM_LIBRARY_DIR}\")
-target_include_directories(prefixer PRIVATE "${LLVM_INCLUDE_DIRS}")
-target_link_directories(prefixer PRIVATE "${LLVM_LIBRARY_DIRS}")
-target_link_libraries(prefixer PRIVATE clang-cpp $<$:LLVM>)
-target_link_libraries(prefixer PRIVATE stdc++ stdc++fs)
diff --git a/bssl-compat/prefixer/prefixer.cpp b/bssl-compat/prefixer/prefixer.cpp
index c7f2b0e6e15..1f35fe10f09 100644
--- a/bssl-compat/prefixer/prefixer.cpp
+++ b/bssl-compat/prefixer/prefixer.cpp
@@ -23,6 +23,7 @@ namespace opt {
 static std::set srcpaths;
 static std::set srcincl;
 static std::set srcskip;
+ static std::set includes;
 static std::filesystem::path output = std::filesystem::current_path();
 static std::string prefix = "ossl";
 static bool verbose = false;
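Review bot: The `deps = ["@llvm//:libclang-cpp"]` line in the new `prefixer/BUILD` links the tool against whatever libclang-cpp the `@llvm` repository resolves to, and nothing in this file records where that comes from or which LLVM versions are supported; the repository definition is outside this hunk. Per its usage text the prefixer generates prefixed copies of the OpenSSL headers, so if `@llvm` points at a host install rather than a pinned, checksummed download, the generated code depends on the state of the build machine. I would add a comment above `cc_binary(` such as `# @llvm: record the expected LLVM version and how it is provisioned`, and narrow `visibility` to the packages that run the tool if `//visibility:public` is not needed.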
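Review bot: `opt::includes` is declared as a `std::set` in the `@@ -23,6 +23,7 @@` hunk of prefixer.cpp, so the `-I` flags built from it in the `@@ -400` hunk come out in sorted order with duplicates dropped, not in the order the `--include` options were given. Include search order decides which header wins when two directories hold the same file name, so a caller cannot place one directory ahead of another. A sequence container keeps the command-line order: `static std::vector<std::string> includes;` here and `opt::includes.push_back(argv[i]);` in the `@@ -681` hunk. The element type of the neighbouring sets is not visible on this page, and `namespace opt` starts before the hunk.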
@@ -400,13 +401,11 @@ class CompilationDatabase : public clang::tooling::CompilationDatabase
 std::vector cmdline = {
 "dummy",
 std::string("-I") + opt::incdir().string(),
- // Some versions of clang ship with the full version string in the include path, others only with the major version number.
- "-I" LLVM_LIBRARY_DIR "/clang/" LLVM_VERSION_STRING "/include/",
- "-I" LLVM_LIBRARY_DIR "/clang/" + std::to_string(LLVM_VERSION_MAJOR) + "/include/",
- // RHEL ships with a different path for the Clang headers
- "-I/usr/lib/clang/" + std::to_string(LLVM_VERSION_MAJOR) + "/include",
- file.str()
 };
+ for (const auto &inc : opt::includes) {
+ cmdline.push_back(std::string("-I") + inc);
+ }
+ cmdline.push_back(file.str());
 return { clang::tooling::CompileCommand(".", file, cmdline, "") };
 }
 };
@@ -638,6 +637,7 @@ static bool usage(int exitcode) {
 << " --src-path Directory containing the openssl headers e.g. /usr/include" << std::endl
 << " --src-incl Header files to be prefixed e.g. openssl/*.h" << std::endl
 << " --src-skip Header files to be skipped e.g. openssl/asn1_mac.h" << std::endl
+ << " --include Directory to search for #includes" << std::endl
 << " --prefix The prefix to be applied to functions, types & macros" << std::endl
 << " --output Output directory for generated files" << std::endl
 << " --verbose Print more info about what's being done" << std::endl
@@ -681,11 +681,14 @@ int main(int argc, const char **argv) {
 else if ((arg == "--src-skip") && ((++i < argc) || usage(-1))) {
 opt::srcskip.insert(argv[i]);
 }
+ else if ((arg == "--include") && ((++i < argc) || usage(-1))) {
+ opt::includes.insert(argv[i]);
+ }
 else if ((arg == "--prefix") && ((++i < argc) || usage(-1))) {
 opt::prefix = argv[i];
 }
 else if ((arg == "--output") && ((++i < argc) || usage(-1))) {
- opt::output = argv[i];
+ opt::output = std::filesystem::absolute(argv[i]);
 }
 else if (arg == "--verbose") {
 opt::verbose = true;
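Review bot: With the three built-in clang header paths removed in the `@@ -400` hunk, the command line carries only `opt::incdir()` and whatever `--include` supplied, so a run without `--include` gives clang no path to its own built-in headers. Whether the resulting parse errors stop the tool or only produce incomplete output is decided outside this hunk; if they are not fatal, the generated prefixed headers could silently miss declarations. I would state the requirement next to the loop, `// No default clang resource dir is added; callers must pass it with --include.`, and say the same in the `--include` line of `usage()` in the `@@ -638` hunk. The enclosing method starts before the hunk.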
diff --git a/bssl-compat/source/SHA256.cc b/bssl-compat/source/SHA256.cc
deleted file mode 100644
index 1f0a6e36684..00000000000
--- a/bssl-compat/source/SHA256.cc
+++ /dev/null
@@ -1,37 +0,0 @@
-/*
- * OpenSSL 3.0 source has the SHA256 functions marked as deprecated.
- *
- * OSSL_DEPRECATEDIN_3_0 int SHA256_Init(SHA256_CTX *c);
- * OSSL_DEPRECATEDIN_3_0 int SHA256_Update(SHA256_CTX *c,
- * const void *data, size_t len);
- * OSSL_DEPRECATEDIN_3_0 int SHA256_Final(unsigned char *md, SHA256_CTX *c);
- * OSSL_DEPRECATEDIN_3_0 void SHA256_Transform(SHA256_CTX *c,
- * const unsigned char *data);
- *
- * Explicitly mapping functions here to ensure that any move to OpenSSL 3.1
- * and potential BoringSSL divergence from OpenSSL of these functions is noted.
- */
-#include
-#include
-
-// SHA256_Init initialises |sha| and returns 1.
-extern "C" {
-int SHA256_Init(SHA256_CTX *sha) {
- // BoringSSL and OpenSSL have same success return value
- return ossl.ossl_SHA256_Init(sha);
-}
-
-// SHA256_Update adds |len| bytes from |data| to |sha| and returns 1.
-int SHA256_Update(SHA256_CTX *sha, const void *data, size_t len) {
- return ossl.ossl_SHA256_Update(sha, data, len);
-}
-
-// SHA256_Final adds the final padding to |sha| and writes the resulting digest
-// to |out|, which must have at least |SHA256_DIGEST_LENGTH| bytes of space. It
-// returns one on success and zero on programmer error.
-int SHA256_Final(uint8_t out[SHA256_DIGEST_LENGTH],
- SHA256_CTX *sha) {
- return ossl.ossl_SHA256_Final(reinterpret_cast(out), sha);
-}
-
-}
diff --git a/bssl-compat/tools/BUILD b/bssl-compat/tools/BUILD
new file mode 100644
index 00000000000..16af3e55f0d
--- /dev/null
+++ b/bssl-compat/tools/BUILD
@@ -0,0 +1,6 @@
+licenses(["notice"]) # Apache 2
+
+exports_files([
+ "uncomment.sh",
+ "generate.c.sh",
+])
diff --git a/bssl-compat/tools/do-asan.sh b/bssl-compat/tools/do-asan.sh
deleted file mode 100755
index 8c192bc7801..00000000000
--- a/bssl-compat/tools/do-asan.sh
+++ /dev/null
@@ -1,10 +0,0 @@ -#!/bin/bash - -set -e - -# Enable address sanitiser option -export SANITIZE_OPTIONS=-fsanitize=address -cmake .. -make -B -export SANITIZE_OPTIONS= - diff --git a/bssl-compat/tools/do-clang-tidy.sh b/bssl-compat/tools/do-clang-tidy.sh deleted file mode 100755 index 8ea4fb55e24..00000000000 --- a/bssl-compat/tools/do-clang-tidy.sh +++ /dev/null @@ -1,11 +0,0 @@ -#!/bin/bash - -set -e - -# Build with clint tool clang-tidy -CC=clang CXX=clang++ cmake \ - -DCMAKE_CXX_CLANG_TIDY="clang-tidy;-warnings-as-errors=*;-header-filter=$(realpath ..)" \ - .. - -# "-k" : continue as much as possible after an error -make -k diff --git a/bssl-compat/tools/do-msan.sh b/bssl-compat/tools/do-msan.sh deleted file mode 100755 index 8cdf1743e2e..00000000000 --- a/bssl-compat/tools/do-msan.sh +++ /dev/null @@ -1,10 +0,0 @@ -#!/bin/bash - -set -e - -# Enable memory sanitiser option -export SANITIZE_OPTIONS=-fsanitize=memory -cmake .. -make -B -k -export SANITIZE_OPTIONS= - diff --git a/bssl-compat/tools/do-tsan.sh b/bssl-compat/tools/do-tsan.sh deleted file mode 100755 index 92b8bc4123f..00000000000 --- a/bssl-compat/tools/do-tsan.sh +++ /dev/null @@ -1,10 +0,0 @@ -#!/bin/bash - -set -e - -# Enable thread sanitiser option -export SANITIZE_OPTIONS=-fsanitize=thread -cmake .. -make -B -export SANITIZE_OPTIONS= - diff --git a/bssl-compat/tools/generate.c.sh b/bssl-compat/tools/generate.c.sh index 5ae6fd77906..f9c773985d5 100755 --- a/bssl-compat/tools/generate.c.sh +++ b/bssl-compat/tools/generate.c.sh @@ -25,7 +25,8 @@ function error { exit 1 } -INCLUDE_DIR="$TOP_DIR/third_party/boringssl/src/include" +# Accept optional third argument for include directory (for Bazel builds) +INCLUDE_DIR="${3:-$TOP_DIR/third_party/boringssl/src/include}" [[ -d "$INCLUDE_DIR" ]] || error "INCLUDE_DIR $INCLUDE_DIR does not exist" ################################################################################ 
diff --git a/bssl-compat/tools/generate.h.sh b/bssl-compat/tools/generate.h.sh
deleted file mode 100755
index f7019f37f7a..00000000000
--- a/bssl-compat/tools/generate.h.sh
+++ /dev/null
@@ -1,73 +0,0 @@
-#!/bin/bash
-
-set -e # Quit on error
-#set -x # Echo commands
-
-function status {
- cmake -E cmake_echo_color --blue "$1"
-}
-
-function warn {
- cmake -E cmake_echo_color --yellow "$1"
-}
-
-function error {
- cmake -E cmake_echo_color --red "$1"
- exit 1
-}
-
-
-#
-# Get command line args
-#
-CMAKE_CURRENT_SOURCE_DIR="${1?"CMAKE_CURRENT_SOURCE_DIR not specified"}"
-CMAKE_CURRENT_BINARY_DIR="${2?"CMAKE_CURRENT_BINARY_DIR not specified"}"
-SRC_FILE="${3?"SRC_FILE not specified"}" # e.g. crypto/err/internal.h
-DST_FILE="${4?"DST_FILE not specified"}" # e.g. source/crypto/err/internal.h
-
-SRC_DIR="$CMAKE_CURRENT_SOURCE_DIR/third_party/boringssl/src"
-PATCH_DIR="$CMAKE_CURRENT_SOURCE_DIR/patch"
-
-#
-# Check/Ensure the inputs and outputs exist
-#
-[[ -d "$SRC_DIR" ]] || error "SRC_DIR $SRC_DIR does not exist"
-[[ -f "$SRC_DIR/$SRC_FILE" ]] || error "SRC_FILE $SRC_FILE does not exist in $SRC_DIR"
-[[ -d "$PATCH_DIR" ]] || error "PATCH_DIR $PATCH_DIR does not exist"
-mkdir -p "$(dirname "$CMAKE_CURRENT_BINARY_DIR/$DST_FILE")"
-
-
-GEN_APPLIED_SCRIPT_FOR_PATCH="$CMAKE_CURRENT_BINARY_DIR/$DST_FILE.applied.script"
-cp "$SRC_DIR/$SRC_FILE" "$GEN_APPLIED_SCRIPT_FOR_PATCH"
-
-#
-# Apply patch file from $PATCH_DIR
-# ================================
-#
-PATCH_FILE="$PATCH_DIR/$DST_FILE.patch"
-GEN_APPLIED_PATCH="$CMAKE_CURRENT_BINARY_DIR/$DST_FILE.1.applied.patch"
-if [ -f "$PATCH_FILE" ]; then
- patch -s -f "$GEN_APPLIED_SCRIPT_FOR_PATCH" "$PATCH_FILE" -o "$GEN_APPLIED_PATCH"
-else
- cp "$SRC_DIR/$SRC_FILE" "$GEN_APPLIED_PATCH"
-fi
-
-
-#
-# Apply script file from $PATCH_DIR
-# =================================
-#
-PATCH_SCRIPT="$PATCH_DIR/$DST_FILE.sh"
-GEN_APPLIED_SCRIPT="$CMAKE_CURRENT_BINARY_DIR/$DST_FILE.2.applied.script"
-cp "$GEN_APPLIED_PATCH" "$GEN_APPLIED_SCRIPT"
-if [ -f "$PATCH_SCRIPT" ]; then
- PATH="$(dirname "$0"):$PATH" "$PATCH_SCRIPT" "$GEN_APPLIED_SCRIPT"
-else # Comment out the whole file contents
- "$(dirname "$0")/uncomment.sh"
"$GEN_APPLIED_SCRIPT" --comment -fi - -# -# Copy result to the destination -# ============================== -# -cp "$GEN_APPLIED_SCRIPT" "$CMAKE_CURRENT_BINARY_DIR/$DST_FILE" diff --git a/openssl/bazelrc b/openssl/bazelrc index 0a807b556fe..59d91df85ba 100644 --- a/openssl/bazelrc +++ b/openssl/bazelrc @@ -1,8 +1,6 @@ # This file is sourced from %workspace%/.bazelrc, and includes additional # configuration specific to building envoy on openssl/bssl-compat -#build:clang --linkopt=-latomic - test --test_env=ENVOY_IP_TEST_VERSIONS=v4only # As of today we do not support QUIC/HTTP3, hence we exclude it from the build, always. @@ -20,6 +18,3 @@ test --test_tag_filters=-nofips # Arch-specific build flags, triggered with --config=$ARCH in bazel build command build:s390x --//source/extensions/filters/common/lua:luajit2=1 --copt=-DTOOLCHAIN_MISS_ASM_HWCAP_H --host_copt=-DTOOLCHAIN_MISS_ASM_HWCAP_H --action_env=BAZEL_LINKLIBS=-lstdc++ build:ppc --//source/extensions/filters/common/lua:luajit2=1 --copt=-DTOOLCHAIN_MISS_ASM_HWCAP_H --host_copt=-DTOOLCHAIN_MISS_ASM_HWCAP_H --action_env=BAZEL_LINKLIBS=-lstdc++ - -common --action_env=Clang_DIR=/opt/llvm -common --action_env=LLVM_DIR=/opt/llvm