Add ability statically link OpenSSL (#80380)
* Add ability statically link OpenSSL

This setup works when I apply it as local customizations. I am not sure that I am using OpenSSL in the most secure way; I am not competent in that area. Together with StaticExecutable=true, this setup allows packaging just the EXE file plus the /etc/ssl/certs/ folder in Docker

* Share build scripts across Globalization and OpenSSL

* Add warning

Co-authored-by: Adeel Mujahid <[email protected]>
kant2002 and am11 authored Jan 15, 2023
1 parent 968b4f8 commit 2eca2d3
Showing 5 changed files with 60 additions and 5 deletions.
Expand Up @@ -58,7 +58,7 @@ The .NET Foundation licenses this file to you under the MIT license.
<NetCoreAppNativeLibrary Include="System.IO.Compression.Native" />
<NetCoreAppNativeLibrary Include="System.Net.Security.Native" />
<NetCoreAppNativeLibrary Include="System.Security.Cryptography.Native.Apple" Condition="'$(TargetOS)' == 'osx'" />
<NetCoreAppNativeLibrary Include="System.Security.Cryptography.Native.OpenSsl" />
<NetCoreAppNativeLibrary Include="System.Security.Cryptography.Native.OpenSsl" Condition="'$(StaticOpenSslLinking)' != 'true'" />
</ItemGroup>

<ItemGroup>
Expand All @@ -77,6 +77,14 @@ The .NET Foundation licenses this file to you under the MIT license.
<StaticICULibs Include="-Wl,-Bdynamic" Condition="'$(StaticExecutable)' != 'true'" />
</ItemGroup>

<ItemGroup Condition="'$(StaticOpenSslLinking)' == 'true' and '$(NativeLib)' != 'Static'">
<NativeLibrary Include="$(IntermediateOutputPath)/libs/System.Security.Cryptography.Native/build/libSystem.Security.Cryptography.Native.OpenSsl.a"/>
<DirectPInvoke Include="libSystem.Security.Cryptography.Native.OpenSsl" />
<StaticSslLibs Include="-Wl,-Bstatic" Condition="'$(StaticExecutable)' != 'true'" />
<StaticSslLibs Include="-lssl -lcrypto" />
<StaticSslLibs Include="-Wl,-Bdynamic" Condition="'$(StaticExecutable)' != 'true'" />
</ItemGroup>

<ItemGroup Condition="'$(TargetOS)' == 'osx'">
<NativeFramework Include="CoreFoundation" />
<NativeFramework Include="CryptoKit" />
Expand All @@ -85,7 +93,9 @@ The .NET Foundation licenses this file to you under the MIT license.
<NativeFramework Include="GSS" />
</ItemGroup>

<Exec Command="$(IlcHostPackagePath)/native/src/libs/System.Globalization.Native/local_build.sh $(IlcHostPackagePath)/ $(IntermediateOutputPath)" Condition="'$(StaticICULinking)' == 'true'"/>
<Exec Command="&quot;$(IlcHostPackagePath)/native/src/libs/build-local.sh&quot; &quot;$(IlcHostPackagePath)/&quot; &quot;$(IntermediateOutputPath)&quot; System.Globalization.Native" Condition="'$(StaticICULinking)' == 'true'"/>

<Exec Command="&quot;$(IlcHostPackagePath)/native/src/libs/build-local.sh&quot; &quot;$(IlcHostPackagePath)/&quot; &quot;$(IntermediateOutputPath)&quot; System.Security.Cryptography.Native" Condition="'$(StaticOpenSslLinking)' == 'true'"/>

<ItemGroup>
<LinkerArg Include="-fuse-ld=lld" Condition="'$(UseLLVMLinker)' == 'true'" />
Expand All @@ -112,6 +122,7 @@ The .NET Foundation licenses this file to you under the MIT license.
<LinkerArg Include="-licucore" Condition="'$(TargetOS)' == 'osx'" />
<LinkerArg Include="-L/usr/lib/swift" Condition="'$(TargetOS)' == 'osx'" />
<LinkerArg Include="@(StaticICULibs)" Condition="'$(StaticICULinking)' == 'true'" />
<LinkerArg Include="@(StaticSslLibs)" Condition="'$(StaticOpenSslLinking)' == 'true'" />
<LinkerArg Include="-dynamiclib" Condition="'$(TargetOS)' == 'osx' and '$(NativeLib)' == 'Shared'" />
<LinkerArg Include="-shared" Condition="'$(TargetOS)' != 'osx' and '$(NativeLib)' == 'Shared'" />
<!-- binskim warning BA3001 PIE disabled on executable -->
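Review bot: Neither the new StaticSslLibs ItemGroup nor the new Exec that runs build-local.sh for System.Security.Cryptography.Native is gated on the target OS, although the packaging change in this commit only ships that source tree for linux and compiling.md states the feature is Linux-only; with `StaticOpenSslLinking=true` on another TargetOS the Exec would presumably fail on a missing script rather than with a clear message. Consider adding `'$(TargetOS)' == 'linux'` to both conditions, or an explicit `<Error Condition="'$(StaticOpenSslLinking)' == 'true' and '$(TargetOS)' != 'linux'" Text="StaticOpenSslLinking is only supported on Linux." />` before the Exec. A statically linked libssl/libcrypto also stops receiving the host's OpenSSL security updates, so a comment next to the ItemGroup, `<!-- Static OpenSSL: the app carries its own libssl/libcrypto and must be rebuilt to pick up OpenSSL fixes -->`, would make that cost visible in the build logic and not only in the docs. The enclosing target starts and ends outside the hunk.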
27 changes: 27 additions & 0 deletions src/coreclr/nativeaot/docs/compiling.md
Expand Up @@ -90,3 +90,30 @@ Ubuntu (20.04+)
```
sudo apt-get install libicu-dev cmake
```

Alpine
```
apk add cmake icu-static icu-dev
```

## Using statically linked OpenSSL
This feature can statically link OpenSSL libraries (such as libssl.a and libcrypto.a) into your applications at build time.
NativeAOT binaries built with this feature can run even when OpenSSL libraries are not installed.
**WARNING:** *This is scenario for advanced users, please use with extreme caution. Incorrect usage of this feature, can cause security vulnerabilities in your product*

You can use this feature by adding the `StaticOpenSslLinking` property to your project file as follows:

```xml
<PropertyGroup>
<StaticOpenSslLinking>true</StaticOpenSslLinking>
</PropertyGroup>
```

This feature is only supported on Linux. This feature is not supported when crosscompiling.

### Prerequisites

Alpine
```
apk add cmake openssl-dev openssl-libs-static
```
Expand Up @@ -18,6 +18,8 @@
</ItemGroup>
<ItemGroup Condition="'$(PackageTargetRuntime)' != '' and '$(TargetOS)' == 'linux'">
<File Include="$(MSBuildThisFileDirectory)\..\..\..\..\native\libs\System.Globalization.Native\*" TargetPath="native/src/libs/System.Globalization.Native"/>
<File Include="$(MSBuildThisFileDirectory)\..\..\..\..\native\libs\System.Security.Cryptography.Native\*" TargetPath="native/src/libs/System.Security.Cryptography.Native"/>
<File Include="$(MSBuildThisFileDirectory)\..\..\..\..\native\libs\build-local.sh" TargetPath="native/src/libs/build-local.sh"/>
<File Include="$(MSBuildThisFileDirectory)\..\..\..\..\native\minipal\*" TargetPath="native/src/minipal"/>
<File Include="$(MSBuildThisFileDirectory)\..\..\..\..\native\libs\Common\*" TargetPath="native/src/libs/Common"/>
</ItemGroup>
14 changes: 14 additions & 0 deletions src/native/libs/System.Security.Cryptography.Native/CMakeLists.txt
Expand Up @@ -44,6 +44,20 @@ set(NATIVECRYPTO_SOURCES
pal_x509ext.c
)

if (LOCAL_BUILD)
add_definitions(-DLOCAL_BUILD)
add_definitions(-DPALEXPORT=EXTERN_C)
add_definitions(-DTARGET_UNIX)
# For minipal files
include_directories(../../)
include_directories(../Common)
include_directories(${CMAKE_CURRENT_BINARY_DIR})
configure_file(
../Common/pal_config.h.in
${CMAKE_CURRENT_BINARY_DIR}/pal_config.h)
endif()


# Always build portable on macOS because OpenSSL is not a system component
# and our prebuilts should not assume a specific ABI version for the types
# that use OpenSSL at runtime.
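Review bot: The new LOCAL_BUILD block relies on directory-scoped `add_definitions` and `include_directories` with relative paths such as `../../` and `../Common`; the library targets these are meant for are defined outside the hunk, so `target_compile_definitions`/`target_include_directories` on those targets, with `${CMAKE_CURRENT_SOURCE_DIR}/../../` style paths, would keep the local-build settings from leaking to every target in the directory. If the block intentionally mirrors an equivalent block in System.Globalization.Native, which build-local.sh now drives as well, a one-line comment such as `# Keep in sync with the LOCAL_BUILD block in System.Globalization.Native` would tell the next maintainer that the two must change together. The doubled blank line after `endif()` can also be dropped.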
Expand Up @@ -4,24 +4,25 @@
# The .NET Foundation licenses this file to you under the MIT license.
#

# This script is used only for building libSystem.Globalization.Native.a
# This script is used only for building native libraries
# in the end-user's computer for NativeAOT purposes (static linking).
# This file is not used during the dotnet runtime build.

# Currently, only Linux is supported

SHIM_SOURCE_DIR="$1"/native/src
INTERMEDIATE_OUTPUT_PATH="$2"
TARGET_LIBRARY="$3"

if [ -d "$SHIM_SOURCE_DIR" ]; then
LOCAL_SHIM_DIR="$INTERMEDIATE_OUTPUT_PATH"/libs/System.Globalization.Native/build
LOCAL_SHIM_DIR="$INTERMEDIATE_OUTPUT_PATH"/libs/$TARGET_LIBRARY/build

if ! { mkdir -p "$LOCAL_SHIM_DIR" && cd "$LOCAL_SHIM_DIR"; }; then
echo "local_build.sh::ERROR: Cannot use local build directory"
exit 1
fi

if ! cmake -S "$SHIM_SOURCE_DIR/libs/System.Globalization.Native/" -DLOCAL_BUILD:STRING=1 -DCLR_CMAKE_TARGET_UNIX:STRING=1; then
if ! cmake -S "$SHIM_SOURCE_DIR/libs/$TARGET_LIBRARY/" -DLOCAL_BUILD:STRING=1 -DCLR_CMAKE_TARGET_UNIX:STRING=1; then
echo "local_build.sh::ERROR: cmake failed"
exit 1
fi
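Review bot: The new `TARGET_LIBRARY="$3"` is spliced into paths without any check, so a missing third argument silently creates `libs//build` and runs cmake against `libs//`, and the error messages in the hunk still say `local_build.sh::ERROR` although the packaging change in this commit ships the script as build-local.sh. A guard before the `mkdir -p`, `if [ -z "$TARGET_LIBRARY" ] || [ ! -d "$SHIM_SOURCE_DIR/libs/$TARGET_LIBRARY" ]; then echo "build-local.sh::ERROR: unknown target library '$TARGET_LIBRARY'"; exit 1; fi`, fails fast with a clear message, and the existing messages should be renamed to match the file name. The enclosing `if [ -d "$SHIM_SOURCE_DIR" ]` block ends outside the hunk.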
