diff --git a/.cicd/platforms/ubuntu20.Dockerfile b/.cicd/platforms/ubuntu20.Dockerfile index 56bf2c8a54..fe7aaea80e 100644 --- a/.cicd/platforms/ubuntu20.Dockerfile +++ b/.cicd/platforms/ubuntu20.Dockerfile @@ -9,7 +9,6 @@ RUN apt-get update && apt-get upgrade -y && \ jq \ libcurl4-openssl-dev \ libgmp-dev \ - libssl-dev \ llvm-11-dev \ ninja-build \ python3-numpy \ diff --git a/.cicd/platforms/ubuntu22.Dockerfile b/.cicd/platforms/ubuntu22.Dockerfile index 57d49fe026..275d52a4c7 100644 --- a/.cicd/platforms/ubuntu22.Dockerfile +++ b/.cicd/platforms/ubuntu22.Dockerfile @@ -8,7 +8,6 @@ RUN apt-get update && apt-get upgrade -y && \ jq \ libcurl4-openssl-dev \ libgmp-dev \ - libssl-dev \ llvm-11-dev \ ninja-build \ python3-numpy \ diff --git a/.gitmodules b/.gitmodules index e4ca16a9fe..6bd697c27f 100644 --- a/.gitmodules +++ b/.gitmodules @@ -37,3 +37,6 @@ [submodule "libraries/boost"] path = libraries/boost url = https://github.com/boostorg/boost.git +[submodule "libraries/libfc/libraries/boringssl/boringssl"] + path = libraries/libfc/libraries/boringssl/boringssl + url = https://github.com/AntelopeIO/boringssl-build diff --git a/CMakeLists.txt b/CMakeLists.txt index 3c8b0a9f46..dbd70a1a1d 100644 --- a/CMakeLists.txt +++ b/CMakeLists.txt @@ -54,15 +54,6 @@ set(CMAKE_EXPORT_COMPILE_COMMANDS "ON") set(BUILD_DOXYGEN FALSE CACHE BOOL "Build doxygen documentation on every make") set(ENABLE_MULTIVERSION_PROTOCOL_TEST FALSE CACHE BOOL "Enable nodeos multiversion protocol test") -# add defaults for openssl -if(APPLE AND UNIX AND "${OPENSSL_ROOT_DIR}" STREQUAL "") - if(CMAKE_SYSTEM_PROCESSOR STREQUAL "arm64") - set(OPENSSL_ROOT_DIR "/opt/homebrew/opt/openssl@3;/opt/homebrew/opt/openssl@1.1") - else() - set(OPENSSL_ROOT_DIR "/usr/local/opt/openssl@3;/usr/local/opt/openssl@1.1") - endif() -endif() - option(ENABLE_OC "Enable eosvm-oc on supported platforms" ON) # WASM runtimes to enable. Each runtime in this list will have: 
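Review bot: The new `.gitmodules` entry pulls the crypto library from `AntelopeIO/boringssl-build`, and nothing in this hunk records which upstream BoringSSL revision that repository wraps or how it gets refreshed. The gitlink pins an exact commit, which is good, but with `libssl-dev` dropped from the build the distro no longer delivers crypto security fixes; each one now needs a submodule bump. I would record that in the new `libraries/libfc/libraries/boringssl/CMakeLists.txt`, e.g. `# bundled BoringSSL, upstream revision <UPSTREAM_REV placeholder>; bump the submodule when upstream ships security fixes`. The URL also omits the `.git` suffix that the neighbouring `libraries/boost` entry uses.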
@@ -180,6 +171,10 @@ if( ENABLE_TCMALLOC ) set(CMAKE_CXX_STANDARD_LIBRARIES "${CMAKE_CXX_STANDARD_LIBRARIES} ${GPERFTOOLS_TCMALLOC}") endif() +# leap includes a bundled BoringSSL which conflicts with OpenSSL. Make sure any other bundled libraries (such as boost) +# do not attempt to use an external OpenSSL in any manner +set(CMAKE_DISABLE_FIND_PACKAGE_OpenSSL On) + add_subdirectory( libraries ) add_subdirectory( plugins ) add_subdirectory( programs ) @@ -226,6 +221,7 @@ configure_file(libraries/eos-vm/LICENSE licen configure_file(libraries/prometheus/prometheus-cpp/LICENSE licenses/leap/LICENSE.prom COPYONLY) configure_file(programs/cleos/LICENSE.CLI11 licenses/leap/LICENSE.CLI11 COPYONLY) configure_file(libraries/libfc/libraries/bls12-381/LICENSE licenses/leap/LICENSE.bls12-381 COPYONLY) +configure_file(libraries/libfc/libraries/boringssl/boringssl/src/LICENSE licenses/leap/LICENSE.boringssl COPYONLY) install(DIRECTORY "${CMAKE_CURRENT_BINARY_DIR}/licenses/leap" DESTINATION "${CMAKE_INSTALL_FULL_DATAROOTDIR}/licenses/" COMPONENT base) diff --git a/CMakeModules/EosioTester.cmake.in b/CMakeModules/EosioTester.cmake.in index 8c4a5ed566..155819b03f 100644 --- a/CMakeModules/EosioTester.cmake.in +++ b/CMakeModules/EosioTester.cmake.in @@ -37,6 +37,7 @@ endif ( APPLE ) set( Boost_USE_MULTITHREADED ON ) set( Boost_USE_STATIC_LIBS ON CACHE STRING "ON or OFF" ) +set( BOOST_EXCLUDE_LIBRARIES "mysql" ) add_subdirectory( @CMAKE_INSTALL_FULL_DATAROOTDIR@/leap_boost ${PROJECT_BINARY_DIR}/libraries/boost EXCLUDE_FROM_ALL) 
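Review bot: `set(CMAKE_DISABLE_FIND_PACKAGE_OpenSSL On)` in the hunk at new line 171 only turns off `find_package(OpenSSL)` calls, so the comment's "in any manner" promises more than the line delivers. A bundled library that locates OpenSSL through pkg-config or a direct `find_library()` is not stopped by it. CMake documents the switch for the initial configure run, so a build tree configured before this commit can still carry cached `OPENSSL_*` entries. I would tighten the comment, for example `# only blocks find_package(OpenSSL); reconfigure from a clean build tree after pulling this change`, and write the value as `ON` like the other settings visible in this file.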
@@ -52,8 +53,8 @@ find_library(libwast WAST @CMAKE_INSTALL_FULL_LIBDIR@ NO_DEFAULT_PATH) find_library(libir IR @CMAKE_INSTALL_FULL_LIBDIR@ NO_DEFAULT_PATH) find_library(liblogging Logging @CMAKE_INSTALL_FULL_LIBDIR@ NO_DEFAULT_PATH) find_library(libsoftfloat softfloat @CMAKE_INSTALL_FULL_LIBDIR@ NO_DEFAULT_PATH) -get_filename_component(cryptodir @OPENSSL_CRYPTO_LIBRARY@ DIRECTORY) -find_library(liboscrypto crypto "${cryptodir}" NO_DEFAULT_PATH) +find_library(libbscrypto bscrypto @CMAKE_INSTALL_FULL_LIBDIR@ NO_DEFAULT_PATH) +find_library(libdecrepit decrepit @CMAKE_INSTALL_FULL_LIBDIR@ NO_DEFAULT_PATH) find_library(libchainbase chainbase @CMAKE_INSTALL_FULL_LIBDIR@ NO_DEFAULT_PATH) find_library(libbuiltins builtins @CMAKE_INSTALL_FULL_LIBDIR@ NO_DEFAULT_PATH) @@ -76,7 +77,8 @@ target_link_libraries(EosioChain INTERFACE ${libwasm} ${libir} ${libsoftfloat} - ${liboscrypto} + ${libbscrypto} + ${libdecrepit} ${liblogging} ${libchainbase} ${libbuiltins} @@ -110,6 +112,7 @@ target_include_directories(EosioChain INTERFACE @CMAKE_INSTALL_PREFIX@ @CMAKE_INSTALL_FULL_INCLUDEDIR@ @CMAKE_INSTALL_FULL_INCLUDEDIR@/wasm-jit + @CMAKE_INSTALL_FULL_INCLUDEDIR@/leapboringssl @CMAKE_INSTALL_FULL_INCLUDEDIR@/softfloat ) #adds -ltr. Ubuntu eosio.contracts build breaks without this diff --git a/CMakeModules/EosioTesterBuild.cmake.in b/CMakeModules/EosioTesterBuild.cmake.in index 5444d7c9a1..91828dc700 100644 --- a/CMakeModules/EosioTesterBuild.cmake.in +++ b/CMakeModules/EosioTesterBuild.cmake.in @@ -34,6 +34,7 @@ endif ( APPLE ) set( Boost_USE_MULTITHREADED ON ) set( Boost_USE_STATIC_LIBS ON CACHE STRING "ON or OFF" ) +set( BOOST_EXCLUDE_LIBRARIES "mysql" ) add_subdirectory( @CMAKE_SOURCE_DIR@/libraries/boost ${PROJECT_BINARY_DIR}/libraries/boost EXCLUDE_FROM_ALL) 
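Review bot: In the `target_link_libraries(EosioChain INTERFACE ...)` hunk, `${libbscrypto}` is listed before `${libdecrepit}`, but these are plain archive paths, so CMake cannot reorder them and a single-pass static linker resolves them left to right. If decrepit references symbols from crypto (inferred; their relationship is not visible on this page), objects pulled from `libdecrepit` could be left with undefined references. Listing the dependent first, `${libdecrepit}` then `${libbscrypto}`, avoids relying on earlier libraries having already pulled in the needed crypto objects. The same order appears in the matching hunk of `CMakeModules/EosioTesterBuild.cmake.in`; the argument list continues outside both hunks.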
@@ -49,8 +50,8 @@ find_library(libwast WAST @CMAKE_BINARY_DIR@/libraries/wasm-jit/Source/WAST NO_D find_library(libir IR @CMAKE_BINARY_DIR@/libraries/wasm-jit/Source/IR NO_DEFAULT_PATH) find_library(liblogging Logging @CMAKE_BINARY_DIR@/libraries/wasm-jit/Source/Logging NO_DEFAULT_PATH) find_library(libsoftfloat softfloat @CMAKE_BINARY_DIR@/libraries/softfloat NO_DEFAULT_PATH) -get_filename_component(cryptodir @OPENSSL_CRYPTO_LIBRARY@ DIRECTORY) -find_library(liboscrypto crypto "${cryptodir}" NO_DEFAULT_PATH) +find_library(libbscrypto bscrypto @CMAKE_BINARY_DIR@/libraries/libfc/libraries/boringssl/boringssl NO_DEFAULT_PATH) +find_library(libdecrepit decrepit @CMAKE_BINARY_DIR@/libraries/libfc/libraries/boringssl/boringssl NO_DEFAULT_PATH) find_library(libchainbase chainbase @CMAKE_BINARY_DIR@/libraries/chainbase NO_DEFAULT_PATH) find_library(libbuiltins builtins @CMAKE_BINARY_DIR@/libraries/builtins NO_DEFAULT_PATH) @@ -73,7 +74,8 @@ target_link_libraries(EosioChain INTERFACE ${libwasm} ${libir} ${libsoftfloat} - ${liboscrypto} + ${libbscrypto} + ${libdecrepit} ${liblogging} ${libchainbase} ${libbuiltins} @@ -107,6 +109,7 @@ target_include_directories(EosioChain INTERFACE @CMAKE_SOURCE_DIR@/libraries/chain/include @CMAKE_BINARY_DIR@/libraries/chain/include @CMAKE_SOURCE_DIR@/libraries/libfc/include + @CMAKE_SOURCE_DIR@/libraries/libfc/libraries/boringssl/boringssl/src/include @CMAKE_SOURCE_DIR@/libraries/softfloat/source/include @CMAKE_SOURCE_DIR@/libraries/appbase/include @CMAKE_SOURCE_DIR@/libraries/chainbase/include diff --git a/README.md b/README.md index bac9bfd9d8..a34e91893f 100644 --- a/README.md +++ b/README.md @@ -47,7 +47,6 @@ Requirements to build: - CMake 3.16+ - LLVM 7 - 11 - for Linux only - newer versions do not work -- openssl 1.1+ - libcurl 7.40.0+ - git - GMP @@ -133,7 +132,6 @@ sudo apt-get install -y \ git \ libcurl4-openssl-dev \ libgmp-dev \ - libssl-dev \ llvm-11-dev \ python3-numpy \ file \ 
diff --git a/docs/00_install/01_build-from-source/00_build-unsupported-os.md b/docs/00_install/01_build-from-source/00_build-unsupported-os.md index e0d3c19331..aada11d7b2 100644 --- a/docs/00_install/01_build-from-source/00_build-unsupported-os.md +++ b/docs/00_install/01_build-from-source/00_build-unsupported-os.md @@ -23,7 +23,6 @@ pkg update && pkg install \ curl \ boost-all \ python3 \ - openssl \ llvm11 \ pkgconf ``` diff --git a/libraries/CMakeLists.txt b/libraries/CMakeLists.txt index e7ad9b144e..c7b83238de 100644 --- a/libraries/CMakeLists.txt +++ b/libraries/CMakeLists.txt @@ -7,6 +7,8 @@ set(BN256_INSTALL_COMPONENT "dev") set( Boost_USE_MULTITHREADED ON ) set( Boost_USE_STATIC_LIBS ON CACHE STRING "ON or OFF" ) +# don't include boost mysql library as it does a find_package(OpenSSL) thus finding the system openssl which could conflict with the bundled boringssl +set( BOOST_EXCLUDE_LIBRARIES "mysql" ) add_subdirectory( boost EXCLUDE_FROM_ALL ) add_subdirectory( libfc ) diff --git a/libraries/libfc/CMakeLists.txt b/libraries/libfc/CMakeLists.txt index 27c1aa4ba0..78a888532f 100644 --- a/libraries/libfc/CMakeLists.txt +++ b/libraries/libfc/CMakeLists.txt @@ -1,12 +1,12 @@ add_subdirectory( secp256k1 ) add_subdirectory( libraries/bn256/src ) add_subdirectory( libraries/bls12-381 ) +add_subdirectory( libraries/boringssl ) set(CMAKE_THREAD_PREFER_PTHREAD TRUE) set(THREADS_PREFER_PTHREAD_FLAG TRUE) find_package(Threads) -find_package(OpenSSL REQUIRED) set( fc_sources src/uint128.cpp 
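Review bot: With `find_package(OpenSSL REQUIRED)` removed from `libraries/libfc/CMakeLists.txt`, nothing at configure or compile time asserts that the `<openssl/...>` headers fc builds against are the bundled ones. The following hunk links `boringssl` as `PUBLIC`, so every fc consumer gets `boringssl/src/include` on its include path. A consumer that also picks up a system OpenSSL include directory ahead of it would compile against the wrong headers while linking the bundled archive. A small guard in one fc crypto source that includes `<openssl/base.h>` and raises `#error` when `OPENSSL_IS_BORINGSSL` is not defined would turn that mix-up into a build failure.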
@@ -101,11 +101,7 @@ if(APPLE) endif() target_link_libraries( fc PUBLIC Boost::date_time Boost::chrono Boost::iostreams Boost::interprocess Boost::multi_index Boost::dll Boost::multiprecision Boost::beast Boost::asio Boost::thread Boost::unit_test_framework Threads::Threads - OpenSSL::Crypto ZLIB::ZLIB ${PLATFORM_SPECIFIC_LIBS} ${CMAKE_DL_LIBS} secp256k1 bls12-381 ${security_framework} ${corefoundation_framework}) - -# Critically, this ensures that OpenSSL 1.1 & 3.0 both have a variant of BN_zero() with void return value. But it also allows access -# to some obsoleted AES functions in 3.0 too, since 3.0's API_COMPAT is effectively 3.0 by default -target_compile_definitions(fc PUBLIC "OPENSSL_API_COMPAT=0x10100000L" "OPENSSL_NO_DEPRECATED") + boringssl ZLIB::ZLIB ${PLATFORM_SPECIFIC_LIBS} ${CMAKE_DL_LIBS} secp256k1 bls12-381 ${security_framework} ${corefoundation_framework}) add_subdirectory( test ) diff --git a/libraries/libfc/libraries/boringssl/CMakeLists.txt b/libraries/libfc/libraries/boringssl/CMakeLists.txt new file mode 100644 index 0000000000..b67bc6c1f6 --- /dev/null +++ b/libraries/libfc/libraries/boringssl/CMakeLists.txt 
@@ -0,0 +1,28 @@
+add_subdirectory(boringssl EXCLUDE_FROM_ALL)
+target_compile_options(fipsmodule PRIVATE -Wno-error)
+target_compile_options(crypto PRIVATE -Wno-error)
+target_compile_options(decrepit PRIVATE -Wno-error)
+
+#paranoia for when a dependent library depends on openssl (such as libcurl)
+set_target_properties(fipsmodule PROPERTIES C_VISIBILITY_PRESET hidden)
+set_target_properties(crypto PROPERTIES C_VISIBILITY_PRESET hidden)
+set_target_properties(decrepit PROPERTIES C_VISIBILITY_PRESET hidden)
+
+add_library(boringssl INTERFACE)
+target_link_libraries(boringssl INTERFACE crypto decrepit)
+target_include_directories(boringssl INTERFACE boringssl/src/include)
+
+# avoid conflict with system lib
+set_target_properties(crypto PROPERTIES PREFIX libbs)
+
+install( TARGETS crypto
+ LIBRARY DESTINATION ${CMAKE_INSTALL_FULL_LIBDIR} COMPONENT dev EXCLUDE_FROM_ALL
+ ARCHIVE DESTINATION ${CMAKE_INSTALL_FULL_LIBDIR} COMPONENT dev EXCLUDE_FROM_ALL
+)
+
+install( TARGETS decrepit
+ LIBRARY DESTINATION ${CMAKE_INSTALL_FULL_LIBDIR} COMPONENT dev EXCLUDE_FROM_ALL
+ ARCHIVE DESTINATION ${CMAKE_INSTALL_FULL_LIBDIR} COMPONENT dev EXCLUDE_FROM_ALL
+)
+
+install( DIRECTORY "${CMAKE_CURRENT_SOURCE_DIR}/boringssl/src/include/" DESTINATION "${CMAKE_INSTALL_FULL_INCLUDEDIR}/leapboringssl" COMPONENT dev EXCLUDE_FROM_ALL )
diff --git a/libraries/libfc/libraries/boringssl/boringssl b/libraries/libfc/libraries/boringssl/boringssl
new file mode 160000
index 0000000000..83b08306ba
--- /dev/null
+++ b/libraries/libfc/libraries/boringssl/boringssl
@@ -0,0 +1 @@
+Subproject commit 83b08306ba471bdd18d97a54c2a87db5989b55d6
diff --git a/libraries/libfc/src/crypto/elliptic_common.cpp b/libraries/libfc/src/crypto/elliptic_common.cpp
index 4fa0925b93..7b46dfe004 100644
--- a/libraries/libfc/src/crypto/elliptic_common.cpp
+++ b/libraries/libfc/src/crypto/elliptic_common.cpp
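Review bot: `C_VISIBILITY_PRESET hidden` on `fipsmodule`, `crypto` and `decrepit` in the new `boringssl/CMakeLists.txt` is the only guard against the bundled symbols colliding with the OpenSSL that a shared libcurl loads, and it covers C translation units only; whether the assembly objects in these targets are hidden as well cannot be told from this hunk. The `#paranoia` comment should state the failure it prevents, e.g. `# hidden visibility keeps BoringSSL symbols out of the dynamic symbol table, so libcurl's OpenSSL never binds to them`. Only `crypto` gets the `libbs` prefix, so `decrepit` is installed under its generic name into `${CMAKE_INSTALL_FULL_LIBDIR}`; a comment saying why that name is not expected to clash would make the intent clear. A CI step that inspects the exported symbols of the built binaries would make the guarantee testable.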
@@ -75,8 +75,8 @@ namespace fc { namespace ecc { ssl_bignum order; FC_ASSERT( EC_GROUP_get_order( group, order, ctx ) ); private_key_secret bin; - FC_ASSERT( BN_num_bytes( order ) == static_cast(bin.data_size()) ); - FC_ASSERT( BN_bn2bin( order, (unsigned char*) bin.data() ) == static_cast(bin.data_size()) ); + FC_ASSERT( BN_num_bytes( order ) == bin.data_size() ); + FC_ASSERT( BN_bn2bin( order, (unsigned char*) bin.data() ) == bin.data_size() ); return bin; } @@ -94,8 +94,8 @@ namespace fc { namespace ecc { FC_ASSERT( EC_GROUP_get_order( group, order, ctx ) ); BN_rshift1( order, order ); private_key_secret bin; - FC_ASSERT( BN_num_bytes( order ) == static_cast(bin.data_size()) ); - FC_ASSERT( BN_bn2bin( order, (unsigned char*) bin.data() ) == static_cast(bin.data_size()) ); + FC_ASSERT( BN_num_bytes( order ) == bin.data_size() ); + FC_ASSERT( BN_bn2bin( order, (unsigned char*) bin.data() ) == bin.data_size() ); return bin; } @@ -196,21 +196,6 @@ namespace fc { namespace ecc { BN_bn2bin(bn, &((unsigned char*)&sec)[32-nbytes] ); return sec; } - - private_key private_key::generate() - { - EC_KEY* k = EC_KEY_new_by_curve_name( NID_secp256k1 ); - if( !k ) FC_THROW_EXCEPTION( exception, "Unable to generate EC key" ); - if( !EC_KEY_generate_key( k ) ) - { - FC_THROW_EXCEPTION( exception, "ecc key generation error" ); - - } - - return private_key( k ); - } - - } void to_variant( const ecc::private_key& var, variant& vo ) diff --git a/libraries/libfc/src/crypto/elliptic_secp256k1.cpp b/libraries/libfc/src/crypto/elliptic_secp256k1.cpp index 459a8d7c86..67404a59f1 100644 --- a/libraries/libfc/src/crypto/elliptic_secp256k1.cpp +++ b/libraries/libfc/src/crypto/elliptic_secp256k1.cpp @@ -4,6 +4,7 @@ #include #include #include +#include #include #include @@ -12,6 +13,8 @@ #include #include +#include + #if _WIN32 # include #elif defined(__FreeBSD__) 
@@ -79,6 +82,14 @@ namespace fc { namespace ecc { return fc::sha512::hash( serialized_result.begin() + 1, serialized_result.size() - 1 ); } + private_key private_key::generate() + { + private_key ret; + do { + rand_bytes(ret.my->_key.data(), ret.my->_key.data_size()); + } while(!secp256k1_ec_seckey_verify(detail::_get_context(), (const uint8_t*)ret.my->_key.data())); + return ret; + } public_key::public_key() {} diff --git a/package.cmake b/package.cmake index dd1c1b8e57..c9960b5a62 100644 --- a/package.cmake +++ b/package.cmake @@ -65,7 +65,7 @@ set(CPACK_DEBIAN_BASE_FILE_NAME "${CPACK_DEBIAN_FILE_NAME}.deb") string(REGEX REPLACE "^(${CMAKE_PROJECT_NAME})" "\\1-dev" CPACK_DEBIAN_DEV_FILE_NAME "${CPACK_DEBIAN_BASE_FILE_NAME}") #deb package tooling will be unable to detect deps for the dev package. llvm is tricky since we don't know what package could have been used; try to figure it out -set(CPACK_DEBIAN_DEV_PACKAGE_DEPENDS "libssl-dev, libgmp-dev, python3-distutils, python3-numpy, zlib1g-dev") +set(CPACK_DEBIAN_DEV_PACKAGE_DEPENDS "libgmp-dev, python3-distutils, python3-numpy, zlib1g-dev") find_program(DPKG_QUERY "dpkg-query") if(DPKG_QUERY AND OS_RELEASE MATCHES "\n?ID=\"?ubuntu" AND LLVM_CMAKE_DIR) execute_process(COMMAND "${DPKG_QUERY}" -S "${LLVM_CMAKE_DIR}" COMMAND cut -d: -f1 RESULT_VARIABLE LLVM_PKG_FIND_RESULT OUTPUT_VARIABLE LLVM_PKG_FIND_OUTPUT) diff --git a/scripts/install_deps.sh b/scripts/install_deps.sh index 5dfaff555f..cfe2a5cacd 100755 --- a/scripts/install_deps.sh +++ b/scripts/install_deps.sh @@ -14,7 +14,6 @@ apt-get install -y \ libcurl4-openssl-dev \ libgmp-dev \ libncurses5 \ - libssl-dev \ libtinfo-dev \ libzstd-dev \ python3 \
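Review bot: The new `private_key::generate()` ignores whatever `rand_bytes` reports, so the strength of every generated key rests on that helper both drawing from a CSPRNG and throwing on failure; its definition is outside this hunk. If it can instead return an error status, a partially filled buffer that happens to pass `secp256k1_ec_seckey_verify` would be returned as a key. I would either check the result explicitly or document the contract above the loop, e.g. `// rand_bytes throws on RNG failure; the loop rejects 0 and values >= the curve order`. The C-style cast `(const uint8_t*)` could also be written as a `reinterpret_cast`.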