#!/usr/bin/env bash
# Copyright (C) Viktor Szakats. See LICENSE.md
# SPDX-License-Identifier: MIT
# Requires macOS 10.13
# FIXME (upstream):
# - x64 mingw-w64 pthread ucrt static linking bug -> requires llvm-mingw
# - as of 4fe29ebc hacks are needed to avoid build issues. grep for the hash
# to find them.
# - BoringSSL also supports native-Windows threading, but it uses
# MSVC-specific hacks, thus cannot be enabled for MinGW:
# https://github.com/google/boringssl/blob/master/crypto/thread_win.c
# Possible solution:
# https://github.com/dotnet/runtime/blob/cbca5083d3e69f2bd25e397f8894d94d7763a13a/src/mono/mono/mini/mini-windows-tls-callback.c#L56
# - managed to patch BoringSSL to use native Windows threads and thus be
# able to drop pthreads. curl crashes (with or without this patch.)
# - as of 4fe29ebc, BoringSSL uses C++, so dependents must be built with
# static standard C++ library. static libunwind is also needed e.g. when
# using llvm-mingw. Integrating all of this is non-trivial. When not
# using llvm-mingw, pthreads is necessary again, but it does not trigger
# the static pthreads linking bug (undefined reference to `_setjmp') we
# hit earlier.
# - Building tests takes 3x time per target (on AppVeyor CI, at the time
# of this writing) and consumes 5x the disk space for ${_BLDDIR}, that is
# 17MB -> 79MB (for x64, with ASM and -ggdb disabled).
# Disabling them requires patching ./CMakeLists.txt.
# This is fixed in AWS-LC fork with a CMake option.
# - Objects built on different OSes result in a few byte differences.
# e.g. windows.c.obj, a_utf8.c.obj. But not a_octet.c.obj.
# https://boringssl.googlesource.com/boringssl/
# https://bugs.chromium.org/p/boringssl/issues/list
# https://chromium.googlesource.com/chromium/src/third_party/boringssl/+/c9aca35314ba018fef141535ca9d4dd39d9bc688%5E%21/
# https://chromium.googlesource.com/chromium/src/third_party/boringssl/
# https://chromium.googlesource.com/chromium/src/+/refs/heads/main/DEPS
# https://github.com/chromium/chromium/commit/6a77772b9bacdf2490948f452bdbc34d3e871be1
# https://github.com/chromium/chromium/tree/main/third_party/boringssl
# https://raw.githubusercontent.com/chromium/chromium/main/DEPS
# Trace every command, abort on the first failing command and on any
# reference to an unset variable.
set -o xtrace -o errexit -o nounset
# pipefail is switched on only when the interpreter identifies itself as
# bash or zsh.
# shellcheck disable=SC3040,SC2039
if [ -n "${BASH:-}${ZSH_NAME:-}" ]; then
  set -o pipefail
fi

# Mark the package variables for export. _OUT, _BAS and _DST receive their
# values later, inside the build subshell.
export _NAM _VER _OUT _BAS _DST

# Package name: the script's file name up to its first dot.
_NAM="$(basename "$0")"
_NAM="${_NAM%%.*}"

# Package version: first positional argument. With nounset active the script
# aborts here if no argument was passed.
_VER="$1"
(
  # Enter the source tree, expected in a directory named after the package.
  # If that directory is missing the subshell exits with status 0, so the
  # build is skipped without reporting an error.
  cd "${_NAM}" || exit 0

  # A regular (non-incremental) build starts from scratch. The ':?'
  # expansions abort the script rather than hand an empty path to
  # 'rm -r -f' when either variable is unset or empty.
  if [ "${CW_DEV_INCREMENTAL:-}" != '1' ]; then
    rm -r -f "${_PKGDIR:?}" "${_BLDDIR:?}"
  fi

  # Remap the absolute source directory to an empty prefix, which keeps the
  # build host's path out of the compiler output.
  CFLAGS="-ffile-prefix-map=$(pwd)="
  LIBS='-lpthread'  # for tests
  options=''

  # No support as of 2023-10
  if [ "${_CPU}" = 'r64' ]; then
    exit 1
  fi

  if false; then
    # Disabled branch, kept for reference. It avoids (as of 4fe29ebc):
    #   ld.lld: error: undefined symbol: fiat_p256_adx_mul
    #   >>> referenced by libcrypto.a(bcm.o):(fiat_p256_mul)
    #   ld.lld: error: undefined symbol: fiat_p256_adx_sqr
    #   >>> referenced by libcrypto.a(bcm.o):(fiat_p256_square)
    # This is caused by a missing nasm implementation for these,
    # yet referencing them for gcc-based x64 builds, also on Windows,
    # which always use nasm. mingw-w64 builds hit this constellation.
    # Fixed via a local patch.
    options+=' -DOPENSSL_NO_ASM=ON'
  elif [ "${_OS}" = 'win' ] && [ "${_CPU}" != 'a64' ]; then
    # nasm is used for Windows x64 and x86
    options+=' -DCMAKE_ASM_NASM_FLAGS=--reproducible'
  fi

  # Workaround for Windows x64 llvm 16 breakage as of 85081c6b:
  #   In file included from ./boringssl/crypto/curve25519/curve25519_64_adx.c:17:
  #   ./boringssl/crypto/curve25519/../../third_party/fiat/curve25519_64_adx.h:40:11: error: call to undeclared function '_umul128'; ISO C99 and later do not support implicit function declarations [-Wimplicit-function-declaration]
  #     *out1 = _umul128(arg1, arg2, &t);
  #             ^
  if [ "${_OS}" = 'win' ] && [ "${_CPU}" = 'x64' ] && [ "${_CC}" = 'llvm' ]; then
    options+=' -DOPENSSL_SMALL=ON'
  else
    # ON reduces curl binary sizes by ~300 KB
    options+=' -DOPENSSL_SMALL=OFF'
  fi

  # Patch and configure unless this is an incremental dev build that already
  # has a build directory.
  if [ "${CW_DEV_INCREMENTAL:-}" != '1' ] || [ ! -d "${_BLDDIR}" ]; then
    # Patch the build to omit debug info. This results in 50% smaller footprint
    # for each ${_BLDDIR}. As of llvm 14.0.6, llvm-strip does an imperfect job
    # when deleting -ggdb debug info and ends up having ~100 bytes of metadata
    # different (e.g. in windows.c.obj, a_utf8.c.obj, but not a_octet.c.obj)
    # across build host platforms. Fixed either by patching out this flag here,
    # or by running binutils strip on the result. binutils strip does not
    # support ARM64, so patch it out in that case.
    # Enable it for all targets for consistency.
    #
    # NOTE(review): this edit and the append below change the source tree in
    # place and neither is guarded against re-runs; each pass through this
    # branch appends the set_target_properties line again.
    sed -i.bak 's/ -ggdb//g' ./CMakeLists.txt

    # Skip building test components
    # NOTE(review): with these targets excluded, this script packages the
    # libraries without building or running the upstream tests.
    printf '%s\n' 'set_target_properties(decrepit bssl_shim test_fips boringssl_gtest test_support_lib urandom_test crypto_test ssl_test decrepit_test all_tests pki pki_test run_tests PROPERTIES EXCLUDE_FROM_ALL TRUE)' >> ./CMakeLists.txt

    # Flags shared by the C and C++ compiler settings. The linker flags and
    # libraries are passed through the compiler flag variables as well.
    common_flags="${_CFLAGS_GLOBAL_CMAKE} ${_CFLAGS_GLOBAL} ${_CPPFLAGS_GLOBAL} ${CFLAGS} ${_LDFLAGS_GLOBAL} ${LIBS}"

    # The unquoted expansions are split into separate arguments on purpose.
    # shellcheck disable=SC2086
    cmake -B "${_BLDDIR}" ${_CMAKE_GLOBAL} ${_CMAKE_CXX_GLOBAL} ${options} \
      '-DBUILD_SHARED_LIBS=OFF' \
      "-DCMAKE_C_FLAGS=${common_flags}" \
      "-DCMAKE_CXX_FLAGS=${common_flags} ${_CXXFLAGS_GLOBAL} ${_LDFLAGS_CXX_GLOBAL}"
  fi

  cmake --build "${_BLDDIR}"  # --verbose
  cmake --install "${_BLDDIR}" --prefix "${_PP}"

  # List files created
  find "${_PP}"

  # Make steps for determinism
  # Reference file whose timestamp is copied onto the installed artifacts.
  readonly _ref='README.md'

  # FIXME: llvm-strip (as of 14.0.6) has a few bugs:
  # - produces different output across build hosts after stripping libs
  #   compiled with -ggdb.
  # - fails to strip the `.file` record from NASM objects.
  #   (fixed by --reproducible with nasm v2.16)
  # - fails to clear timestamps in NASM objects.
  #   (fixed by --reproducible with nasm v2.15.05)
  # Work around them by running it through binutils strip. This works for
  # x64 and x86, but not for ARM64.
  #
  # Most combinations/orders running binutils/llvm strip over the output results
  # in different output, and except pure llvm-strip, all seem to be
  # deterministic. We chose to run binutils first and llvm second. This way
  # llvm creates the result we publish.
  #
  # <strip sequence>                                <bytes>
  # libcrypto-noggdb.a                              2858080
  # libcrypto-noggdb-llvm.a                         2482620
  # libcrypto-noggdb-llvm-binutils.a                2488078
  # libcrypto-noggdb-llvm-binutils-llvm.a           2479904
  # libcrypto-noggdb-llvm-binutils-llvm-binutils.a  2488078
  # libcrypto-noggdb-binutils.a                     2465310
  # libcrypto-noggdb-binutils-llvm.a                2479888
  # libcrypto-noggdb-binutils-llvm-binutils.a       2488078
  # libcrypto-ggdb.a                                9642542
  # libcrypto-ggdb-llvm.a                           2482606
  # libcrypto-ggdb-llvm-binutils.a                  2488066
  # libcrypto-ggdb-llvm-binutils-llvm.a             2479890
  # libcrypto-ggdb-llvm-binutils-llvm-binutils.a    2488066
  # libcrypto-ggdb-binutils.a                       2465298
  # libcrypto-ggdb-binutils-llvm.a                  2479874
  # libcrypto-ggdb-binutils-llvm-binutils.a         2488066

  # shellcheck disable=SC2086
  "${_STRIP_LIB}" ${_STRIPFLAGS_LIB} "${_PP}/lib/libssl.a"

  if [ -n "${_STRIP_BINUTILS}" ]; then
    # FIXME: llvm-strip corrupts nasm objects as of LLVM v16.0.0, so this
    #        call stays disabled:
    #   "${_STRIP_LIB}" ${_STRIPFLAGS_LIB} "${_PP}"/lib/libcrypto.a
    # FIXME: Use binutils strip instead, directly on objects, to avoid
    #        binutils strip v2.40 error `invalid operation` when run on
    #        the whole lib:
    ../_clean-lib.sh --strip "${_STRIP_BINUTILS}" "${_PP}/lib/libcrypto.a"
  else
    # shellcheck disable=SC2086
    "${_STRIP_LIB}" ${_STRIPFLAGS_LIB} "${_PP}/lib/libcrypto.a"
  fi

  # Give headers and libraries the reference file's timestamp. '-c' keeps
  # touch from creating a file if a glob matches nothing.
  touch -c -r "${_ref}" "${_PP}"/include/openssl/*.h
  touch -c -r "${_ref}" "${_PP}"/lib/*.a

  # Create package
  # _OUT, _BAS and _DST carry the export attribute set at the top of the
  # script, so child processes started below inherit them.
  # presumably ../_pkg.sh reads them; confirm against that script
  _OUT="${_NAM}-${_VER}${_REVSUFFIX}${_PKGSUFFIX}"
  _BAS="${_NAM}-${_VER}${_PKGSUFFIX}"
  _DST="$(pwd)/_pkg"

  # Stage into an empty directory so nothing from an earlier run is packaged.
  rm -r -f "${_DST}"
  mkdir -p "${_DST}/include/openssl"
  mkdir -p "${_DST}/lib"

  # '-p' preserves the timestamps normalized above.
  cp -f -p "${_PP}"/include/openssl/*.h "${_DST}/include/openssl/"
  cp -f -p "${_PP}"/lib/*.a "${_DST}/lib"
  cp -f -p LICENSE "${_DST}/LICENSE.txt"
  cp -f -p README.md "${_DST}/"

  ../_pkg.sh "$(pwd)/${_ref}"
)