Replace OpenSSL dependency with pinned BoringSSL

.cicd/platforms/ubuntu20.Dockerfile

@@ -9,7 +9,6 @@ RUN apt-get update && apt-get upgrade -y && \
                        jq                   \
                        libcurl4-openssl-dev \
                        libgmp-dev           \
-                       libssl-dev           \
                        llvm-11-dev          \
                        ninja-build          \
                        python3-numpy        \

.cicd/platforms/ubuntu22.Dockerfile

@@ -8,7 +8,6 @@ RUN apt-get update && apt-get upgrade -y && \
                        jq                   \
                        libcurl4-openssl-dev \
                        libgmp-dev           \
-                       libssl-dev           \
                        llvm-11-dev          \
                        ninja-build          \
                        python3-numpy        \

.github/workflows/build.yaml

@@ -49,6 +49,30 @@ jobs:
       packages: write
       contents: read
 
+  regen-boringssl:
+    name: Check BoringSSL Files
+    runs-on: ubuntu-latest
+    needs: platforms
+    container: ${{fromJSON(needs.platforms.outputs.p)['ubuntu22'].image}}
+    env:
+      GOPATH: /go
+    steps:
+      - uses: actions/checkout@v3
+        with:
+          submodules: recursive
+      - name: Install Go 1.21
+        run: |
+          apt-get install curl
+          curl -L https://dl.google.com/go/go1.21.0.linux-amd64.tar.gz | tar -C /usr/local -xz
+          echo /usr/local/go/bin:$GOPATH/bin >> $GITHUB_PATH
+      - name: Regen & check BoringSSL files
+        run: |
+          # https://github.com/actions/runner/issues/2033
+          chown -R $(id -u):$(id -g) $PWD
+          cmake -B build
+          cmake --build build --target regenerate_boringssl
+          git diff --quiet
+
   v:
     name: Discover Versions
     runs-on: ubuntu-latest

.gitmodules

@@ -37,3 +37,6 @@
 [submodule "libraries/boost"]
 	path = libraries/boost
 	url = https://github.com/boostorg/boost.git
+[submodule "libraries/libfc/libraries/boringssl/boringssl/src"]
+	path = libraries/libfc/libraries/boringssl/boringssl/src
+	url = https://github.com/AntelopeIO/boringssl/

CMakeLists.txt

@@ -54,15 +54,6 @@ set(CMAKE_EXPORT_COMPILE_COMMANDS "ON")
 set(BUILD_DOXYGEN FALSE CACHE BOOL "Build doxygen documentation on every make")
 set(ENABLE_MULTIVERSION_PROTOCOL_TEST FALSE CACHE BOOL "Enable nodeos multiversion protocol test")
 
-# add defaults for openssl
-if(APPLE AND UNIX AND "${OPENSSL_ROOT_DIR}" STREQUAL "")
-   if(CMAKE_SYSTEM_PROCESSOR STREQUAL "arm64")
-      set(OPENSSL_ROOT_DIR "/opt/homebrew/opt/openssl@3;/opt/homebrew/opt/[email protected]")
-   else()
-      set(OPENSSL_ROOT_DIR "/usr/local/opt/openssl@3;/usr/local/opt/[email protected]")
-   endif()
-endif()
-
 option(ENABLE_OC "Enable eosvm-oc on supported platforms" ON)
 
 # WASM runtimes to enable. Each runtime in this list will have:
@@ -226,6 +217,7 @@ configure_file(libraries/eos-vm/LICENSE                                    licen
 configure_file(libraries/prometheus/prometheus-cpp/LICENSE                 licenses/leap/LICENSE.prom      COPYONLY)
 configure_file(programs/cleos/LICENSE.CLI11                                licenses/leap/LICENSE.CLI11     COPYONLY)
 configure_file(libraries/libfc/libraries/bls12-381/LICENSE                 licenses/leap/LICENSE.bls12-381 COPYONLY)
+configure_file(libraries/libfc/libraries/boringssl/boringssl/src/LICENSE   licenses/leap/LICENSE.boringssl COPYONLY)
 
 install(DIRECTORY "${CMAKE_CURRENT_BINARY_DIR}/licenses/leap" DESTINATION "${CMAKE_INSTALL_FULL_DATAROOTDIR}/licenses/" COMPONENT base)
 

CMakeModules/EosioTester.cmake.in

@@ -37,6 +37,7 @@ endif ( APPLE )
 
 set( Boost_USE_MULTITHREADED      ON )
 set( Boost_USE_STATIC_LIBS ON CACHE STRING "ON or OFF" )
+set( BOOST_EXCLUDE_LIBRARIES "mysql" )
 
 add_subdirectory( @CMAKE_INSTALL_FULL_DATAROOTDIR@/leap_boost ${PROJECT_BINARY_DIR}/libraries/boost EXCLUDE_FROM_ALL)
 
@@ -52,8 +53,8 @@ find_library(libwast WAST @CMAKE_INSTALL_FULL_LIBDIR@ NO_DEFAULT_PATH)
 find_library(libir IR     @CMAKE_INSTALL_FULL_LIBDIR@ NO_DEFAULT_PATH)
 find_library(liblogging Logging @CMAKE_INSTALL_FULL_LIBDIR@ NO_DEFAULT_PATH)
 find_library(libsoftfloat softfloat @CMAKE_INSTALL_FULL_LIBDIR@ NO_DEFAULT_PATH)
-get_filename_component(cryptodir @OPENSSL_CRYPTO_LIBRARY@ DIRECTORY)
-find_library(liboscrypto crypto "${cryptodir}" NO_DEFAULT_PATH)
+find_library(libbscrypto bscrypto @CMAKE_INSTALL_FULL_LIBDIR@ NO_DEFAULT_PATH)
+find_library(libdecrepit decrepit @CMAKE_INSTALL_FULL_LIBDIR@ NO_DEFAULT_PATH)
 find_library(libchainbase chainbase @CMAKE_INSTALL_FULL_LIBDIR@ NO_DEFAULT_PATH)
 find_library(libbuiltins builtins @CMAKE_INSTALL_FULL_LIBDIR@ NO_DEFAULT_PATH)
 
@@ -77,7 +78,8 @@ macro(add_eosio_test_executable test_name)
        ${libwasm}
        ${libir}
        ${libsoftfloat}
-       ${liboscrypto}
+       ${libbscrypto}
+       ${libdecrepit}
        ${liblogging}
        ${libchainbase}
        ${libbuiltins}
@@ -113,10 +115,10 @@ macro(add_eosio_test_executable test_name)
    endif()
 
    target_include_directories( ${test_name} PUBLIC
-                               @OPENSSL_INCLUDE_DIR@
                                @CMAKE_INSTALL_PREFIX@
                                @CMAKE_INSTALL_FULL_INCLUDEDIR@
                                @CMAKE_INSTALL_FULL_INCLUDEDIR@/wasm-jit
+                               @CMAKE_INSTALL_FULL_INCLUDEDIR@/leapboringssl
                                @CMAKE_INSTALL_FULL_INCLUDEDIR@/softfloat )
 
 endmacro()

CMakeModules/EosioTesterBuild.cmake.in

@@ -34,6 +34,7 @@ endif ( APPLE )
 
 set( Boost_USE_MULTITHREADED      ON )
 set( Boost_USE_STATIC_LIBS ON CACHE STRING "ON or OFF" )
+set( BOOST_EXCLUDE_LIBRARIES "mysql" )
 
 add_subdirectory( @CMAKE_SOURCE_DIR@/libraries/boost ${PROJECT_BINARY_DIR}/libraries/boost EXCLUDE_FROM_ALL)
 
@@ -49,8 +50,8 @@ find_library(libwast WAST @CMAKE_BINARY_DIR@/libraries/wasm-jit/Source/WAST NO_D
 find_library(libir IR     @CMAKE_BINARY_DIR@/libraries/wasm-jit/Source/IR NO_DEFAULT_PATH)
 find_library(liblogging Logging @CMAKE_BINARY_DIR@/libraries/wasm-jit/Source/Logging NO_DEFAULT_PATH)
 find_library(libsoftfloat softfloat @CMAKE_BINARY_DIR@/libraries/softfloat NO_DEFAULT_PATH)
-get_filename_component(cryptodir @OPENSSL_CRYPTO_LIBRARY@ DIRECTORY)
-find_library(liboscrypto crypto "${cryptodir}" NO_DEFAULT_PATH)
+find_library(libbscrypto bscrypto @CMAKE_BINARY_DIR@/libraries/libfc/libraries/boringssl/boringssl NO_DEFAULT_PATH)
+find_library(libdecrepit decrepit @CMAKE_BINARY_DIR@/libraries/libfc/libraries/boringssl/boringssl NO_DEFAULT_PATH)
 find_library(libchainbase chainbase @CMAKE_BINARY_DIR@/libraries/chainbase NO_DEFAULT_PATH)
 find_library(libbuiltins builtins @CMAKE_BINARY_DIR@/libraries/builtins NO_DEFAULT_PATH)
 
@@ -74,7 +75,8 @@ macro(add_eosio_test_executable test_name)
        ${libwasm}
        ${libir}
        ${libsoftfloat}
-       ${liboscrypto}
+       ${libbscrypto}
+       ${libdecrepit}
        ${liblogging}
        ${libchainbase}
        ${libbuiltins}
@@ -110,10 +112,10 @@ macro(add_eosio_test_executable test_name)
    endif()
 
    target_include_directories( ${test_name} PUBLIC
-                               @OPENSSL_INCLUDE_DIR@
                                @CMAKE_SOURCE_DIR@/libraries/chain/include
                                @CMAKE_BINARY_DIR@/libraries/chain/include
                                @CMAKE_SOURCE_DIR@/libraries/libfc/include
+                               @CMAKE_SOURCE_DIR@/libraries/libfc/libraries/boringssl/boringssl/src/include
                                @CMAKE_SOURCE_DIR@/libraries/softfloat/source/include
                                @CMAKE_SOURCE_DIR@/libraries/appbase/include
                                @CMAKE_SOURCE_DIR@/libraries/chainbase/include

README.md

@@ -47,7 +47,6 @@ Requirements to build:
 - CMake 3.16+
 - LLVM 7 - 11 - for Linux only
   - newer versions do not work
-- openssl 1.1+
 - libcurl 7.40.0+
 - git
 - GMP
@@ -133,7 +132,6 @@ sudo apt-get install -y \
         git \
         libcurl4-openssl-dev \
         libgmp-dev \
-        libssl-dev \
         llvm-11-dev \
         python3-numpy \
         file \

docs/00_install/01_build-from-source/00_build-unsupported-os.md

@@ -23,7 +23,6 @@ pkg update && pkg install   \
     curl                    \
     boost-all               \
     python3                 \
-    openssl                 \
     llvm11                  \
     pkgconf
 ```

libraries/CMakeLists.txt

@@ -7,6 +7,8 @@ set(BN256_INSTALL_COMPONENT "dev")
 
 set( Boost_USE_MULTITHREADED      ON )
 set( Boost_USE_STATIC_LIBS ON CACHE STRING "ON or OFF" )
+# don't include boost mysql library as it does a find_package(OpenSSL) thus finding the system openssl which could conflict with the bundled boringssl
+set( BOOST_EXCLUDE_LIBRARIES "mysql" )
 add_subdirectory( boost EXCLUDE_FROM_ALL )
 
 add_subdirectory( libfc )

libraries/libfc/CMakeLists.txt

@@ -1,12 +1,12 @@
 add_subdirectory( secp256k1 )
 add_subdirectory( libraries/bn256/src )
 add_subdirectory( libraries/bls12-381 )
+add_subdirectory( libraries/boringssl )
 
 set(CMAKE_THREAD_PREFER_PTHREAD TRUE)
 set(THREADS_PREFER_PTHREAD_FLAG TRUE)
 find_package(Threads)
 
-find_package(OpenSSL REQUIRED)
 
 set( fc_sources
      src/uint128.cpp
@@ -114,11 +114,7 @@ if(APPLE)
 endif()
 target_link_libraries( fc PUBLIC Boost::date_time Boost::chrono Boost::iostreams Boost::interprocess Boost::multi_index Boost::dll
                                  Boost::multiprecision Boost::beast Boost::asio Boost::thread Boost::unit_test_framework Threads::Threads
-                                 OpenSSL::Crypto ZLIB::ZLIB ${PLATFORM_SPECIFIC_LIBS} ${CMAKE_DL_LIBS} secp256k1 bls12-381 ${security_framework} ${corefoundation_framework})
-
-# Critically, this ensures that OpenSSL 1.1 & 3.0 both have a variant of BN_zero() with void return value. But it also allows access
-#  to some obsoleted AES functions in 3.0 too, since 3.0's API_COMPAT is effectively 3.0 by default
-target_compile_definitions(fc PUBLIC "OPENSSL_API_COMPAT=0x10100000L" "OPENSSL_NO_DEPRECATED")
+                                 boringssl ZLIB::ZLIB ${PLATFORM_SPECIFIC_LIBS} ${CMAKE_DL_LIBS} secp256k1 bls12-381 ${security_framework} ${corefoundation_framework})
 
 add_subdirectory( test )
 

libraries/libfc/libraries/boringssl/CMakeLists.txt

@@ -0,0 +1,37 @@
+find_package(Python COMPONENTS Interpreter)
+add_custom_target(regenerate_boringssl COMMAND "${Python_EXECUTABLE}" src/util/generate_build_files.py cmake WORKING_DIRECTORY "${CMAKE_CURRENT_SOURCE_DIR}/boringssl")
+
+#avoid erroring out the cmake project generation when boringssl's generated files do not exist. The overall build would still fail, of
+# course, but the 'regenerate_boringssl' target still will be alive to use
+if(NOT EXISTS "${CMAKE_CURRENT_SOURCE_DIR}/boringssl/CMakeLists.txt")
+   return()
+endif()
+
+add_subdirectory(boringssl EXCLUDE_FROM_ALL)
+target_compile_options(fipsmodule PRIVATE -Wno-error)
+target_compile_options(crypto PRIVATE -Wno-error)
+target_compile_options(decrepit PRIVATE -Wno-error)
+
+#paranoia for when a dependent library depends on openssl (such as libcurl)
+set_target_properties(fipsmodule PROPERTIES C_VISIBILITY_PRESET hidden)
+set_target_properties(crypto PROPERTIES C_VISIBILITY_PRESET hidden)
+set_target_properties(decrepit PROPERTIES C_VISIBILITY_PRESET hidden)
+
+add_library(boringssl INTERFACE)
+target_link_libraries(boringssl INTERFACE crypto decrepit)
+target_include_directories(boringssl INTERFACE boringssl/src/include)
+
+# avoid conflict with system lib
+set_target_properties(crypto PROPERTIES PREFIX libbs)
+
+install( TARGETS crypto 
+   LIBRARY DESTINATION ${CMAKE_INSTALL_FULL_LIBDIR} COMPONENT dev EXCLUDE_FROM_ALL
+   ARCHIVE DESTINATION ${CMAKE_INSTALL_FULL_LIBDIR} COMPONENT dev EXCLUDE_FROM_ALL
+)
+
+install( TARGETS decrepit 
+   LIBRARY DESTINATION ${CMAKE_INSTALL_FULL_LIBDIR} COMPONENT dev EXCLUDE_FROM_ALL
+   ARCHIVE DESTINATION ${CMAKE_INSTALL_FULL_LIBDIR} COMPONENT dev EXCLUDE_FROM_ALL
+)
+
+install( DIRECTORY "${CMAKE_CURRENT_SOURCE_DIR}/boringssl/src/include/" DESTINATION "${CMAKE_INSTALL_FULL_INCLUDEDIR}/leapboringssl" COMPONENT dev EXCLUDE_FROM_ALL )