Merge pull request #1599 from AntelopeIO/boringssl

Replace OpenSSL dependency with pinned BoringSSL
AntelopeIO · Sep 28, 2023 · 2384713 · 2384713
2 parents cecfcf4 + 705fd14
commit 2384713
Show file tree

Hide file tree

Showing 16 changed files with 68 additions and 47 deletions.
diff --git a/.cicd/platforms/ubuntu20.Dockerfile b/.cicd/platforms/ubuntu20.Dockerfile
@@ -9,7 +9,6 @@ RUN apt-get update && apt-get upgrade -y && \
                        jq                   \
                        libcurl4-openssl-dev \
                        libgmp-dev           \
-                       libssl-dev           \
                        llvm-11-dev          \
                        ninja-build          \
                        python3-numpy        \

diff --git a/.cicd/platforms/ubuntu22.Dockerfile b/.cicd/platforms/ubuntu22.Dockerfile
@@ -8,7 +8,6 @@ RUN apt-get update && apt-get upgrade -y && \
                        jq                   \
                        libcurl4-openssl-dev \
                        libgmp-dev           \
-                       libssl-dev           \
                        llvm-11-dev          \
                        ninja-build          \
                        python3-numpy        \

diff --git a/.gitmodules b/.gitmodules
@@ -37,3 +37,6 @@
 [submodule "libraries/boost"]
 	path = libraries/boost
 	url = https://github.com/boostorg/boost.git
+[submodule "libraries/libfc/libraries/boringssl/boringssl"]
+	path = libraries/libfc/libraries/boringssl/boringssl
+	url = https://github.com/AntelopeIO/boringssl-build
diff --git a/CMakeLists.txt b/CMakeLists.txt
@@ -54,15 +54,6 @@ set(CMAKE_EXPORT_COMPILE_COMMANDS "ON")
 set(BUILD_DOXYGEN FALSE CACHE BOOL "Build doxygen documentation on every make")
 set(ENABLE_MULTIVERSION_PROTOCOL_TEST FALSE CACHE BOOL "Enable nodeos multiversion protocol test")
 
-# add defaults for openssl
-if(APPLE AND UNIX AND "${OPENSSL_ROOT_DIR}" STREQUAL "")
-   if(CMAKE_SYSTEM_PROCESSOR STREQUAL "arm64")
-      set(OPENSSL_ROOT_DIR "/opt/homebrew/opt/openssl@3;/opt/homebrew/opt/[email protected]")
-   else()
-      set(OPENSSL_ROOT_DIR "/usr/local/opt/openssl@3;/usr/local/opt/[email protected]")
-   endif()
-endif()
-
 option(ENABLE_OC "Enable eosvm-oc on supported platforms" ON)
 
 # WASM runtimes to enable. Each runtime in this list will have:
@@ -180,6 +171,10 @@ if( ENABLE_TCMALLOC )
     set(CMAKE_CXX_STANDARD_LIBRARIES "${CMAKE_CXX_STANDARD_LIBRARIES} ${GPERFTOOLS_TCMALLOC}")
 endif()
 
+# leap includes a bundled BoringSSL which conflicts with OpenSSL. Make sure any other bundled libraries (such as boost)
+# do not attempt to use an external OpenSSL in any manner
+set(CMAKE_DISABLE_FIND_PACKAGE_OpenSSL On)
+
 add_subdirectory( libraries )
 add_subdirectory( plugins )
 add_subdirectory( programs )
@@ -226,6 +221,7 @@ configure_file(libraries/eos-vm/LICENSE                                    licen
 configure_file(libraries/prometheus/prometheus-cpp/LICENSE                 licenses/leap/LICENSE.prom      COPYONLY)
 configure_file(programs/cleos/LICENSE.CLI11                                licenses/leap/LICENSE.CLI11     COPYONLY)
 configure_file(libraries/libfc/libraries/bls12-381/LICENSE                 licenses/leap/LICENSE.bls12-381 COPYONLY)
+configure_file(libraries/libfc/libraries/boringssl/boringssl/src/LICENSE   licenses/leap/LICENSE.boringssl COPYONLY)
 
 install(DIRECTORY "${CMAKE_CURRENT_BINARY_DIR}/licenses/leap" DESTINATION "${CMAKE_INSTALL_FULL_DATAROOTDIR}/licenses/" COMPONENT base)
 

diff --git a/CMakeModules/EosioTester.cmake.in b/CMakeModules/EosioTester.cmake.in
@@ -37,6 +37,7 @@ endif ( APPLE )
 
 set( Boost_USE_MULTITHREADED      ON )
 set( Boost_USE_STATIC_LIBS ON CACHE STRING "ON or OFF" )
+set( BOOST_EXCLUDE_LIBRARIES "mysql" )
 
 add_subdirectory( @CMAKE_INSTALL_FULL_DATAROOTDIR@/leap_boost ${PROJECT_BINARY_DIR}/libraries/boost EXCLUDE_FROM_ALL)
 
@@ -52,8 +53,8 @@ find_library(libwast WAST @CMAKE_INSTALL_FULL_LIBDIR@ NO_DEFAULT_PATH)
 find_library(libir IR     @CMAKE_INSTALL_FULL_LIBDIR@ NO_DEFAULT_PATH)
 find_library(liblogging Logging @CMAKE_INSTALL_FULL_LIBDIR@ NO_DEFAULT_PATH)
 find_library(libsoftfloat softfloat @CMAKE_INSTALL_FULL_LIBDIR@ NO_DEFAULT_PATH)
-get_filename_component(cryptodir @OPENSSL_CRYPTO_LIBRARY@ DIRECTORY)
-find_library(liboscrypto crypto "${cryptodir}" NO_DEFAULT_PATH)
+find_library(libbscrypto bscrypto @CMAKE_INSTALL_FULL_LIBDIR@ NO_DEFAULT_PATH)
+find_library(libdecrepit decrepit @CMAKE_INSTALL_FULL_LIBDIR@ NO_DEFAULT_PATH)
 find_library(libchainbase chainbase @CMAKE_INSTALL_FULL_LIBDIR@ NO_DEFAULT_PATH)
 find_library(libbuiltins builtins @CMAKE_INSTALL_FULL_LIBDIR@ NO_DEFAULT_PATH)
 
@@ -76,7 +77,8 @@ target_link_libraries(EosioChain INTERFACE
    ${libwasm}
    ${libir}
    ${libsoftfloat}
-   ${liboscrypto}
+   ${libbscrypto}
+   ${libdecrepit}
    ${liblogging}
    ${libchainbase}
    ${libbuiltins}
@@ -110,6 +112,7 @@ target_include_directories(EosioChain INTERFACE
                               @CMAKE_INSTALL_PREFIX@
                               @CMAKE_INSTALL_FULL_INCLUDEDIR@
                               @CMAKE_INSTALL_FULL_INCLUDEDIR@/wasm-jit
+                              @CMAKE_INSTALL_FULL_INCLUDEDIR@/leapboringssl
                               @CMAKE_INSTALL_FULL_INCLUDEDIR@/softfloat )
 
 #adds -ltr. Ubuntu eosio.contracts build breaks without this

diff --git a/CMakeModules/EosioTesterBuild.cmake.in b/CMakeModules/EosioTesterBuild.cmake.in
@@ -34,6 +34,7 @@ endif ( APPLE )
 
 set( Boost_USE_MULTITHREADED      ON )
 set( Boost_USE_STATIC_LIBS ON CACHE STRING "ON or OFF" )
+set( BOOST_EXCLUDE_LIBRARIES "mysql" )
 
 add_subdirectory( @CMAKE_SOURCE_DIR@/libraries/boost ${PROJECT_BINARY_DIR}/libraries/boost EXCLUDE_FROM_ALL)
 
@@ -49,8 +50,8 @@ find_library(libwast WAST @CMAKE_BINARY_DIR@/libraries/wasm-jit/Source/WAST NO_D
 find_library(libir IR     @CMAKE_BINARY_DIR@/libraries/wasm-jit/Source/IR NO_DEFAULT_PATH)
 find_library(liblogging Logging @CMAKE_BINARY_DIR@/libraries/wasm-jit/Source/Logging NO_DEFAULT_PATH)
 find_library(libsoftfloat softfloat @CMAKE_BINARY_DIR@/libraries/softfloat NO_DEFAULT_PATH)
-get_filename_component(cryptodir @OPENSSL_CRYPTO_LIBRARY@ DIRECTORY)
-find_library(liboscrypto crypto "${cryptodir}" NO_DEFAULT_PATH)
+find_library(libbscrypto bscrypto @CMAKE_BINARY_DIR@/libraries/libfc/libraries/boringssl/boringssl NO_DEFAULT_PATH)
+find_library(libdecrepit decrepit @CMAKE_BINARY_DIR@/libraries/libfc/libraries/boringssl/boringssl NO_DEFAULT_PATH)
 find_library(libchainbase chainbase @CMAKE_BINARY_DIR@/libraries/chainbase NO_DEFAULT_PATH)
 find_library(libbuiltins builtins @CMAKE_BINARY_DIR@/libraries/builtins NO_DEFAULT_PATH)
 
@@ -73,7 +74,8 @@ target_link_libraries(EosioChain INTERFACE
    ${libwasm}
    ${libir}
    ${libsoftfloat}
-   ${liboscrypto}
+   ${libbscrypto}
+   ${libdecrepit}
    ${liblogging}
    ${libchainbase}
    ${libbuiltins}
@@ -107,6 +109,7 @@ target_include_directories(EosioChain INTERFACE
                               @CMAKE_SOURCE_DIR@/libraries/chain/include
                               @CMAKE_BINARY_DIR@/libraries/chain/include
                               @CMAKE_SOURCE_DIR@/libraries/libfc/include
+                              @CMAKE_SOURCE_DIR@/libraries/libfc/libraries/boringssl/boringssl/src/include
                               @CMAKE_SOURCE_DIR@/libraries/softfloat/source/include
                               @CMAKE_SOURCE_DIR@/libraries/appbase/include
                               @CMAKE_SOURCE_DIR@/libraries/chainbase/include

diff --git a/README.md b/README.md
@@ -47,7 +47,6 @@ Requirements to build:
 - CMake 3.16+
 - LLVM 7 - 11 - for Linux only
   - newer versions do not work
-- openssl 1.1+
 - libcurl 7.40.0+
 - git
 - GMP
@@ -133,7 +132,6 @@ sudo apt-get install -y \
         git \
         libcurl4-openssl-dev \
         libgmp-dev \
-        libssl-dev \
         llvm-11-dev \
         python3-numpy \
         file \

diff --git a/docs/00_install/01_build-from-source/00_build-unsupported-os.md b/docs/00_install/01_build-from-source/00_build-unsupported-os.md
@@ -23,7 +23,6 @@ pkg update && pkg install   \
     curl                    \
     boost-all               \
     python3                 \
-    openssl                 \
     llvm11                  \
     pkgconf
 ```

diff --git a/libraries/CMakeLists.txt b/libraries/CMakeLists.txt
@@ -7,6 +7,8 @@ set(BN256_INSTALL_COMPONENT "dev")
 
 set( Boost_USE_MULTITHREADED      ON )
 set( Boost_USE_STATIC_LIBS ON CACHE STRING "ON or OFF" )
+# don't include boost mysql library as it does a find_package(OpenSSL) thus finding the system openssl which could conflict with the bundled boringssl
+set( BOOST_EXCLUDE_LIBRARIES "mysql" )
 add_subdirectory( boost EXCLUDE_FROM_ALL )
 
 add_subdirectory( libfc )

diff --git a/libraries/libfc/CMakeLists.txt b/libraries/libfc/CMakeLists.txt
@@ -1,12 +1,12 @@
 add_subdirectory( secp256k1 )
 add_subdirectory( libraries/bn256/src )
 add_subdirectory( libraries/bls12-381 )
+add_subdirectory( libraries/boringssl )
 
 set(CMAKE_THREAD_PREFER_PTHREAD TRUE)
 set(THREADS_PREFER_PTHREAD_FLAG TRUE)
 find_package(Threads)
 
-find_package(OpenSSL REQUIRED)
 
 set( fc_sources
      src/uint128.cpp
@@ -101,11 +101,7 @@ if(APPLE)
 endif()
 target_link_libraries( fc PUBLIC Boost::date_time Boost::chrono Boost::iostreams Boost::interprocess Boost::multi_index Boost::dll
                                  Boost::multiprecision Boost::beast Boost::asio Boost::thread Boost::unit_test_framework Threads::Threads
-                                 OpenSSL::Crypto ZLIB::ZLIB ${PLATFORM_SPECIFIC_LIBS} ${CMAKE_DL_LIBS} secp256k1 bls12-381 ${security_framework} ${corefoundation_framework})
-
-# Critically, this ensures that OpenSSL 1.1 & 3.0 both have a variant of BN_zero() with void return value. But it also allows access
-#  to some obsoleted AES functions in 3.0 too, since 3.0's API_COMPAT is effectively 3.0 by default
-target_compile_definitions(fc PUBLIC "OPENSSL_API_COMPAT=0x10100000L" "OPENSSL_NO_DEPRECATED")
+                                 boringssl ZLIB::ZLIB ${PLATFORM_SPECIFIC_LIBS} ${CMAKE_DL_LIBS} secp256k1 bls12-381 ${security_framework} ${corefoundation_framework})
 
 add_subdirectory( test )
 

diff --git a/libraries/libfc/libraries/boringssl/CMakeLists.txt b/libraries/libfc/libraries/boringssl/CMakeLists.txt
@@ -0,0 +1,28 @@
+add_subdirectory(boringssl EXCLUDE_FROM_ALL)
+target_compile_options(fipsmodule PRIVATE -Wno-error)
+target_compile_options(crypto PRIVATE -Wno-error)
+target_compile_options(decrepit PRIVATE -Wno-error)
+
+#paranoia for when a dependent library depends on openssl (such as libcurl)
+set_target_properties(fipsmodule PROPERTIES C_VISIBILITY_PRESET hidden)
+set_target_properties(crypto PROPERTIES C_VISIBILITY_PRESET hidden)
+set_target_properties(decrepit PROPERTIES C_VISIBILITY_PRESET hidden)
+
+add_library(boringssl INTERFACE)
+target_link_libraries(boringssl INTERFACE crypto decrepit)
+target_include_directories(boringssl INTERFACE boringssl/src/include)
+
+# avoid conflict with system lib
+set_target_properties(crypto PROPERTIES PREFIX libbs)
+
+install( TARGETS crypto 
+   LIBRARY DESTINATION ${CMAKE_INSTALL_FULL_LIBDIR} COMPONENT dev EXCLUDE_FROM_ALL
+   ARCHIVE DESTINATION ${CMAKE_INSTALL_FULL_LIBDIR} COMPONENT dev EXCLUDE_FROM_ALL
+)
+
+install( TARGETS decrepit 
+   LIBRARY DESTINATION ${CMAKE_INSTALL_FULL_LIBDIR} COMPONENT dev EXCLUDE_FROM_ALL
+   ARCHIVE DESTINATION ${CMAKE_INSTALL_FULL_LIBDIR} COMPONENT dev EXCLUDE_FROM_ALL
+)
+
+install( DIRECTORY "${CMAKE_CURRENT_SOURCE_DIR}/boringssl/src/include/" DESTINATION "${CMAKE_INSTALL_FULL_INCLUDEDIR}/leapboringssl" COMPONENT dev EXCLUDE_FROM_ALL )
diff --git a/libraries/libfc/libraries/boringssl/boringssl b/libraries/libfc/libraries/boringssl/boringssl
diff --git a/libraries/libfc/src/crypto/elliptic_common.cpp b/libraries/libfc/src/crypto/elliptic_common.cpp
@@ -75,8 +75,8 @@ namespace fc { namespace ecc {
             ssl_bignum order;
             FC_ASSERT( EC_GROUP_get_order( group, order, ctx ) );
             private_key_secret bin;
-            FC_ASSERT( BN_num_bytes( order ) == static_cast<int>(bin.data_size()) );
-            FC_ASSERT( BN_bn2bin( order, (unsigned char*) bin.data() ) == static_cast<int>(bin.data_size()) );
+            FC_ASSERT( BN_num_bytes( order ) == bin.data_size() );
+            FC_ASSERT( BN_bn2bin( order, (unsigned char*) bin.data() ) == bin.data_size() );
             return bin;
         }
 
@@ -94,8 +94,8 @@ namespace fc { namespace ecc {
             FC_ASSERT( EC_GROUP_get_order( group, order, ctx ) );
             BN_rshift1( order, order );
             private_key_secret bin;
-            FC_ASSERT( BN_num_bytes( order ) == static_cast<int>(bin.data_size()) );
-            FC_ASSERT( BN_bn2bin( order, (unsigned char*) bin.data() ) == static_cast<int>(bin.data_size()) );
+            FC_ASSERT( BN_num_bytes( order ) == bin.data_size() );
+            FC_ASSERT( BN_bn2bin( order, (unsigned char*) bin.data() ) == bin.data_size() );
             return bin;
         }
 
@@ -196,21 +196,6 @@ namespace fc { namespace ecc {
        BN_bn2bin(bn, &((unsigned char*)&sec)[32-nbytes] );
        return sec;
     }
-
-    private_key private_key::generate()
-    {
-       EC_KEY* k = EC_KEY_new_by_curve_name( NID_secp256k1 );
-       if( !k ) FC_THROW_EXCEPTION( exception, "Unable to generate EC key" );
-       if( !EC_KEY_generate_key( k ) )
-       {
-          FC_THROW_EXCEPTION( exception, "ecc key generation error" );
-
-       }
-
-       return private_key( k );
-    }
-
-
 }
 
 void to_variant( const ecc::private_key& var,  variant& vo )

diff --git a/libraries/libfc/src/crypto/elliptic_secp256k1.cpp b/libraries/libfc/src/crypto/elliptic_secp256k1.cpp
@@ -13,6 +13,8 @@
 #include <secp256k1.h>
 #include <secp256k1_recovery.h>
 
+#include <openssl/rand.h>
+
 #if _WIN32
 # include <malloc.h>
 #elif defined(__FreeBSD__)
@@ -78,6 +80,14 @@ namespace fc { namespace ecc {
       return fc::sha512::hash( serialized_result.begin() + 1, serialized_result.size() - 1 );
     }
 
+    private_key private_key::generate()
+    {
+       private_key ret;
+       do {
+         rand_bytes(ret.my->_key.data(), ret.my->_key.data_size());
+       } while(!secp256k1_ec_seckey_verify(detail::_get_context(), (const uint8_t*)ret.my->_key.data()));
+       return ret;
+    }
 
     public_key::public_key() {}
 

diff --git a/package.cmake b/package.cmake
@@ -65,7 +65,7 @@ set(CPACK_DEBIAN_BASE_FILE_NAME "${CPACK_DEBIAN_FILE_NAME}.deb")
 string(REGEX REPLACE "^(${CMAKE_PROJECT_NAME})" "\\1-dev" CPACK_DEBIAN_DEV_FILE_NAME "${CPACK_DEBIAN_BASE_FILE_NAME}")
 
 #deb package tooling will be unable to detect deps for the dev package. llvm is tricky since we don't know what package could have been used; try to figure it out
-set(CPACK_DEBIAN_DEV_PACKAGE_DEPENDS "libssl-dev, libgmp-dev, python3-distutils, python3-numpy, zlib1g-dev")
+set(CPACK_DEBIAN_DEV_PACKAGE_DEPENDS "libgmp-dev, python3-distutils, python3-numpy, zlib1g-dev")
 find_program(DPKG_QUERY "dpkg-query")
 if(DPKG_QUERY AND OS_RELEASE MATCHES "\n?ID=\"?ubuntu" AND LLVM_CMAKE_DIR)
    execute_process(COMMAND "${DPKG_QUERY}" -S "${LLVM_CMAKE_DIR}" COMMAND cut -d: -f1 RESULT_VARIABLE LLVM_PKG_FIND_RESULT OUTPUT_VARIABLE LLVM_PKG_FIND_OUTPUT)

diff --git a/scripts/install_deps.sh b/scripts/install_deps.sh
@@ -14,7 +14,6 @@ apt-get install -y \
     libcurl4-openssl-dev \
     libgmp-dev \
     libncurses5 \
-    libssl-dev \
     libtinfo-dev \
     libzstd-dev \
     python3 \