From 2eca2d319bf8d1247edf38facfdd501e0e2f0030 Mon Sep 17 00:00:00 2001
From: Andrii Kurdiumov
Date: Sun, 15 Jan 2023 13:15:22 +0600
Subject: [PATCH] Add ability statically link OpenSSL (#80380)

* Add ability statically link OpenSSL
This setup works if I apply this as local customizations, I do not sure that I use OpenSSL in most secure way, I do not competent.
This setup and StaticExecutable=true allow package just EXE file + /etc/ssl/certs/ folder in Docker
* Share build scripts across Globalization and OpenSSL
* Add warning
Co-authored-by: Adeel Mujahid <3840695+am11@users.noreply.github.com>
---
 .../Microsoft.NETCore.Native.Unix.targets | 15 +++++++++--
 src/coreclr/nativeaot/docs/compiling.md | 27 +++++++++++++++++++
 .../Microsoft.DotNet.ILCompiler.pkgproj | 2 ++
 .../CMakeLists.txt | 14 ++++++++++
 .../local_build.sh => build-local.sh} | 7 ++---
 5 files changed, 60 insertions(+), 5 deletions(-)
 rename src/native/libs/{System.Globalization.Native/local_build.sh => build-local.sh} (72%)

diff --git a/src/coreclr/nativeaot/BuildIntegration/Microsoft.NETCore.Native.Unix.targets b/src/coreclr/nativeaot/BuildIntegration/Microsoft.NETCore.Native.Unix.targets
index 3edc4be7ea3db..8ed556c0fae8f 100644
--- a/src/coreclr/nativeaot/BuildIntegration/Microsoft.NETCore.Native.Unix.targets
+++ b/src/coreclr/nativeaot/BuildIntegration/Microsoft.NETCore.Native.Unix.targets
@@ -58,7 +58,7 @@ The .NET Foundation licenses this file to you under the MIT license.
-
+
@@ -77,6 +77,14 @@ The .NET Foundation licenses this file to you under the MIT license.
+
+
+
+
+
+
+
+
@@ -85,7 +93,9 @@ The .NET Foundation licenses this file to you under the MIT license.
-
+
+
+
@@ -112,6 +122,7 @@ The .NET Foundation licenses this file to you under the MIT license.
+
diff --git a/src/coreclr/nativeaot/docs/compiling.md b/src/coreclr/nativeaot/docs/compiling.md
index f45f57183040a..b8915706c1297 100644
--- a/src/coreclr/nativeaot/docs/compiling.md
+++ b/src/coreclr/nativeaot/docs/compiling.md
@@ -90,3 +90,30 @@ Ubuntu (20.04+)
 ```
 sudo apt-get install libicu-dev cmake
 ```
+
+Alpine
+```
+apk add cmake icu-static icu-dev
+```
+
+## Using statically linked OpenSSL
+This feature can statically link OpenSSL libraries (such as libssl.a and libcrypto.a) into your applications at build time.
+NativeAOT binaries built with this feature can run even when OpenSSL libraries are not installed.
+**WARNING:** *This is scenario for advanced users, please use with extreme caution. Incorrect usage of this feature, can cause security vulnerabilities in your product*
+
+You can use this feature by adding the `StaticOpenSslLinking` property to your project file as follows:
+
+```xml
+
+ true
+
+```
+
+This feature is only supported on Linux. This feature is not supported when crosscompiling.
+
+### Prerequisites
+
+Alpine
+```
+apk add cmake openssl-dev openssl-libs-static
+```
diff --git a/src/installer/pkg/projects/Microsoft.DotNet.ILCompiler/Microsoft.DotNet.ILCompiler.pkgproj b/src/installer/pkg/projects/Microsoft.DotNet.ILCompiler/Microsoft.DotNet.ILCompiler.pkgproj
index 45683a898eb9b..506ef417bef67 100644
--- a/src/installer/pkg/projects/Microsoft.DotNet.ILCompiler/Microsoft.DotNet.ILCompiler.pkgproj
+++ b/src/installer/pkg/projects/Microsoft.DotNet.ILCompiler/Microsoft.DotNet.ILCompiler.pkgproj
@@ -18,6 +18,8 @@
+
+
diff --git a/src/native/libs/System.Security.Cryptography.Native/CMakeLists.txt b/src/native/libs/System.Security.Cryptography.Native/CMakeLists.txt
index a9987063b5416..3d55bb8cab8ca 100644
--- a/src/native/libs/System.Security.Cryptography.Native/CMakeLists.txt
+++ b/src/native/libs/System.Security.Cryptography.Native/CMakeLists.txt
@@ -44,6 +44,20 @@ set(NATIVECRYPTO_SOURCES
 pal_x509ext.c
 )
+if (LOCAL_BUILD)
+ add_definitions(-DLOCAL_BUILD)
+ add_definitions(-DPALEXPORT=EXTERN_C)
+ add_definitions(-DTARGET_UNIX)
+ # For minipal files
+ include_directories(../../)
+ include_directories(../Common)
+ include_directories(${CMAKE_CURRENT_BINARY_DIR})
+ configure_file(
+ ../Common/pal_config.h.in
+ ${CMAKE_CURRENT_BINARY_DIR}/pal_config.h)
+endif()
+
+
 # Always build portable on macOS because OpenSSL is not a system component
 # and our prebuilts should not assume a specific ABI version for the types
 # that use OpenSSL at runtime.
diff --git a/src/native/libs/System.Globalization.Native/local_build.sh b/src/native/libs/build-local.sh
similarity index 72%
rename from src/native/libs/System.Globalization.Native/local_build.sh
rename to src/native/libs/build-local.sh
index 91e9548ba71a7..a885243f1ccb7 100755
--- a/src/native/libs/System.Globalization.Native/local_build.sh
+++ b/src/native/libs/build-local.sh
@@ -4,7 +4,7 @@
 # The .NET Foundation licenses this file to you under the MIT license.
 #
-# This script is used only for building libSystem.Globalization.Native.a
+# This script is used only for building native libraries
 # in the end-user's computer for NativeAOT purposes (static linking).
 # This file is not used during the dotnet runtime build.
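Review bot: The `configure_file(../Common/pal_config.h.in ...)` call at the end of the new LOCAL_BUILD block generates pal_config.h without any feature-detection step visible in this hunk, so if that template is filled from `#cmakedefine` results of configure checks, every such macro ends up unset in the end-user build; confirm that is intended and, if so, record it next to the existing comment, e.g. `# Local build: no configure checks run, pal_config.h is generated with its feature macros unset`. The three `add_definitions` lines use the legacy directory-scoped form; `add_compile_definitions(LOCAL_BUILD PALEXPORT=EXTERN_C TARGET_UNIX)` expresses the same definitions in one call without the `-D` prefixes. The two blank lines added after `endif()` can be reduced to one.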
@@ -12,16 +12,17 @@
 SHIM_SOURCE_DIR="$1"/native/src
 INTERMEDIATE_OUTPUT_PATH="$2"
+TARGET_LIBRARY="$3"
 if [ -d "$SHIM_SOURCE_DIR" ]; then
- LOCAL_SHIM_DIR="$INTERMEDIATE_OUTPUT_PATH"/libs/System.Globalization.Native/build
+ LOCAL_SHIM_DIR="$INTERMEDIATE_OUTPUT_PATH"/libs/$TARGET_LIBRARY/build
 if ! { mkdir -p "$LOCAL_SHIM_DIR" && cd "$LOCAL_SHIM_DIR"; }; then
 echo "local_build.sh::ERROR: Cannot use local build directory"
 exit 1
 fi
- if ! cmake -S "$SHIM_SOURCE_DIR/libs/System.Globalization.Native/" -DLOCAL_BUILD:STRING=1 -DCLR_CMAKE_TARGET_UNIX:STRING=1; then
+ if ! cmake -S "$SHIM_SOURCE_DIR/libs/$TARGET_LIBRARY/" -DLOCAL_BUILD:STRING=1 -DCLR_CMAKE_TARGET_UNIX:STRING=1; then
 echo "local_build.sh::ERROR: cmake failed"
 exit 1
 fi
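Review bot: `TARGET_LIBRARY="$3"` is accepted without checking that a third argument was actually passed, so an empty value silently turns `LOCAL_SHIM_DIR` into `.../libs//build` and points `cmake -S` at `$SHIM_SOURCE_DIR/libs//` instead of a library directory, and the failure mode then depends on whatever cmake finds there rather than on a clear message; add `[ -n "$TARGET_LIBRARY" ] || { echo "local_build.sh::ERROR: missing target library argument"; exit 1; }` directly after the assignment. The two error messages kept as context still name `local_build.sh` even though the script is now build-local.sh, which the rename could have updated. The outer `if [ -d "$SHIM_SOURCE_DIR" ]` block continues past the end of this hunk.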