Build embedded BoringSSL with symbol prefix #702
Merged
Commits on Aug 14, 2020
-
Build embedded BoringSSL with symbol prefix
When building with ENGINE=boringssl, Soter embeds BoringSSL into its libraries, including static ones. This enables the users to link only against libthemis.a and libsoter.a, without having to salvage the BoringSSL binaries from the build directory (which are *not* included into packages). What is the issue here? ----------------------- However, embedding BoringSSL has a side effect. Due to the way static linkage works, all BoringSSL symbols from "libsoter.a" are indistinguishable from Soter symbols for exporting purposes. That is, any binary linked against "libsoter.a" will by default include and export all BoringSSL symbols. This is problematic because it can cause symbol conflicts. Dynamic libraries are not affected by this because we control what symbols are exported. That way BoringSSL stays inside Soter library and does not cause conflicts. In order to avoid conflicts, start using BoringSSL's symbol renaming facility. EVP_sha256() will be renamed into SOTER_0_14_0_EVP_sha256() and all call sites from Soter will refer to this new symbol instead. This makes Soter's BoringSSL copy independent of any WhateverSSL is there in the binary. How renaming works ------------------ Bad news here is that renaming requires building BoringSSL twice. First we build it to enumerate the symbols to rename, then it is built again, now with renamed symbols. All symbols need to be renamed, not only those used by Soter, because the entire BoringSSL library is embedded into Soter. We cannot simply enumerate and hardcode what we use. After building BoringSSL with renamed symbols, Soter needs to use them in renamed form. For that it needs to be built with BORINGSSL_PREFIX define and <boringssl_prefix_symbols.h> in its include path. That header will perform actual renaming using C preprocessor. Other build details ------------------- Previously Soter did not care about build order, but now BoringSSL needs to be built (possibly renamed) before Soter can be built. Note that extracting symbols with BoringSSL tool requires Go. BoringSSL build itself requires Go so this is not a new dependency.
-
Disable BoringSSL renaming for certain systems
Enable BoringSSL symbol renaming by default for Linux and macOS desktop builds and disable it for WebAssembly builds. AndroidThemis also uses BoringSSL, but it does not use Themis Makefile for that. It does not use renaming either. Renaming is important only for the case of static libraries, and only desktop systems provide them in packages. Mobile systems use dynamic linkage for the most part and avoid symbol conflicts. The default can be overridden from the command line: make ENGINE=boringssl RENAME_BORINGSSL_SYMBOLS=no or "yes" to enable it. -
Commits on Aug 17, 2020
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.