Merge pull request #16358 from muxi/privatize-boringssl

Make symbols of BoringSSL private

7 files changed, 129 insertions, 1 deletions

diff --git a/tools/buildgen/plugins/grpc_shadow_boringssl.py b/tools/buildgen/plugins/grpc_shadow_boringssl.py
new file mode 100644
index 0000000000..da4d8c12af
--- /dev/null
+++ b/tools/buildgen/plugins/grpc_shadow_boringssl.py
@@ -0,0 +1,32 @@
+# Copyright 2018 gRPC authors.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+"""Buldigen generate grpc_shadow_boringssl headers
+This script takes the list of symbols from
+src/objective-c/grpc_shadow_boringssl_symbols and populate them in
+settings.grpc_shadow_boringssl_symbols
+"""
+
+
+def mako_plugin(dictionary):
+    with open('src/objective-c/grpc_shadow_boringssl_symbol_list') as f:
+        symbols = f.readlines()
+    # Remove trailing '\n'
+    symbols = [s.strip() for s in symbols]
+    # Remove comments
+    symbols = [s for s in symbols if s[0] != '#']
+    # Remove the commit number
+    del symbols[0]
+
+    settings = dictionary['settings']
+    settings['grpc_shadow_boringssl_symbols'] = symbols
diff --git a/tools/distrib/check_shadow_boringssl_symbol_list.sh b/tools/distrib/check_shadow_boringssl_symbol_list.sh
new file mode 100755
index 0000000000..34ba09e07d
--- /dev/null
+++ b/tools/distrib/check_shadow_boringssl_symbol_list.sh
@@ -0,0 +1,32 @@
+#!/bin/bash
+# Copyright 2018 gRPC authors.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+
+# Check if the commit version of BoringSSL podspec, BoringSSL submodule, and
+# the shadowed symbol list are all based on the same BoringSSL commit.
+set -e
+
+cd $(dirname $0)
+
+boringssl_podspec_original="../../src/objective-c/BoringSSL-GRPC.podspec"
+symbol_list="../../src/objective-c/grpc_shadow_boringssl_symbol_list"
+
+# Check BoringSSL version matches
+ver1=$(git submodule |grep "boringssl " | awk '{print $1}' | head -n 1)
+ver2=$(cat $boringssl_podspec_original | grep ':commit =>' | sed -E 's/.*"(.*)".*/\1/g')
+ver3=$(cat $symbol_list | sed -n '2 p')
+[ $ver1 == $ver2 ] && [ $ver1 == $ver3 ] || { echo "BoringSSL podspec (src/objective-c/BoringSSL.podspec), BoringSSL submodule (third_party/boringssl), and BoringSSL symbol list (src/objective-c/grpc_shadow_boringssl_symbol_list) commit do not match." ; echo "BoringSSL podspec: $ver1" ; echo "BoringSSL submodule: $ver2" ; echo "BoringSSL symbol list: $ver3" ; exit 1 ; }
+
+exit 0
diff --git a/tools/distrib/generate_grpc_shadow_boringssl_symbol_list.sh b/tools/distrib/generate_grpc_shadow_boringssl_symbol_list.sh
new file mode 100755
index 0000000000..2e5bb44548
--- /dev/null
+++ b/tools/distrib/generate_grpc_shadow_boringssl_symbol_list.sh
@@ -0,0 +1,45 @@
+#!/bin/bash
+# Copyright 2018 gRPC authors.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+# Generate the list of boringssl symbols that need to be shadowed based on the
+# current boringssl submodule. Requires local toolchain to build boringssl.
+set -e
+
+cd $(dirname $0)
+
+symbol_list="../../src/objective-c/grpc_shadow_boringssl_symbol_list"
+
+ssl_lib='../../third_party/boringssl/build/ssl/libssl.a'
+crypto_lib='../../third_party/boringssl/build/crypto/libcrypto.a'
+
+# Generate boringssl archives
+( cd ../../third_party/boringssl ; mkdir -p build ; cd build ; cmake .. ; make )
+
+# Generate shadow_boringssl.h
+outputs="$(nm -C $ssl_lib)"$'\n'"$(nm -C $crypto_lib)"
+symbols=$(echo "$outputs" | 
+          grep '^[0-9a-f]* [A-Z] ' |               # Only public symbols
+          grep -v ' bssl::' |                      # Filter BoringSSL symbols since they are already namespaced
+          sed 's/(.*//g' |                         # Remove parenthesis from C++ symbols
+          grep '^[0-9a-f]* [A-Z] _' |              # Filter symbols that is not prefixed with '_'
+          sed 's/[0-9a-f]* [A-Z] _\(.*\)/\1/g')    # Extract the symbol names
+
+commit=$(git submodule | grep "boringssl " | awk '{print $1}' | head -n 1)
+
+echo "# Automatically generated by tools/distrib/generate_grpc_shadow_boringssl_symbol_list.sh" > $symbol_list
+echo $commit >> $symbol_list
+echo "$symbols" >> $symbol_list
+
+exit 0
diff --git a/tools/dockerfile/grpc_clang_format/clang_format_all_the_things.sh b/tools/dockerfile/grpc_clang_format/clang_format_all_the_things.sh
index 3b901ae4bf..0c8ecc21a0 100755
--- a/tools/dockerfile/grpc_clang_format/clang_format_all_the_things.sh
+++ b/tools/dockerfile/grpc_clang_format/clang_format_all_the_things.sh
@@ -29,7 +29,7 @@ for dir in $DIRS
 do
   for glob in $GLOB
   do
-    files="$files `find ${CLANG_FORMAT_ROOT}/$dir -name $glob -and -not -name '*.generated.*' -and -not -name '*.pb.h' -and -not -name '*.pb.c' -and -not -name '*.pb.cc' -and -not -name '*.pbobjc.h' -and -not -name '*.pbobjc.m' -and -not -name '*.pbrpc.h' -and -not -name '*.pbrpc.m' -and -not -name end2end_tests.cc -and -not -name end2end_nosec_tests.cc -and -not -name public_headers_must_be_c89.c`"
+    files="$files `find ${CLANG_FORMAT_ROOT}/$dir -name $glob -and -not -name '*.generated.*' -and -not -name '*.pb.h' -and -not -name '*.pb.c' -and -not -name '*.pb.cc' -and -not -name '*.pbobjc.h' -and -not -name '*.pbobjc.m' -and -not -name '*.pbrpc.h' -and -not -name '*.pbrpc.m' -and -not -name end2end_tests.cc -and -not -name end2end_nosec_tests.cc -and -not -name public_headers_must_be_c89.c -and -not -name grpc_shadow_boringssl.h`"
   done
 done
 
diff --git a/tools/doxygen/Doxyfile.core.internal b/tools/doxygen/Doxyfile.core.internal
index a08ce0b9ff..c1706fd070 100644
--- a/tools/doxygen/Doxyfile.core.internal
+++ b/tools/doxygen/Doxyfile.core.internal
@@ -1508,6 +1508,7 @@ src/core/tsi/alts_transport_security.cc \
 src/core/tsi/alts_transport_security.h \
 src/core/tsi/fake_transport_security.cc \
 src/core/tsi/fake_transport_security.h \
+src/core/tsi/grpc_shadow_boringssl.h \
 src/core/tsi/local_transport_security.cc \
 src/core/tsi/local_transport_security.h \
 src/core/tsi/ssl/session_cache/ssl_session.h \
diff --git a/tools/run_tests/generated/sources_and_headers.json b/tools/run_tests/generated/sources_and_headers.json
index bff045f786..3cb3fe20da 100644
--- a/tools/run_tests/generated/sources_and_headers.json
+++ b/tools/run_tests/generated/sources_and_headers.json
@@ -9068,6 +9068,7 @@
       "alts_util", 
       "gpr", 
       "grpc_base", 
+      "grpc_shadow_boringssl", 
       "grpc_transport_chttp2_client_insecure", 
       "tsi", 
       "tsi_interface"
@@ -10357,6 +10358,7 @@
       "alts_tsi", 
       "gpr", 
       "grpc_base", 
+      "grpc_shadow_boringssl", 
       "grpc_transport_chttp2_alpn", 
       "tsi"
     ], 
@@ -10473,6 +10475,20 @@
     "type": "filegroup"
   }, 
   {
+    "deps": [], 
+    "headers": [
+      "src/core/tsi/grpc_shadow_boringssl.h"
+    ], 
+    "is_filegroup": true, 
+    "language": "c", 
+    "name": "grpc_shadow_boringssl", 
+    "src": [
+      "src/core/tsi/grpc_shadow_boringssl.h"
+    ], 
+    "third_party": false, 
+    "type": "filegroup"
+  }, 
+  {
     "deps": [
       "cmdline", 
       "gpr", 
@@ -10923,6 +10939,7 @@
     "deps": [
       "gpr", 
       "grpc_base", 
+      "grpc_shadow_boringssl", 
       "grpc_trace", 
       "tsi_interface"
     ], 
diff --git a/tools/run_tests/sanity/sanity_tests.yaml b/tools/run_tests/sanity/sanity_tests.yaml
index 91b53eb38d..fd9b34a198 100644
--- a/tools/run_tests/sanity/sanity_tests.yaml
+++ b/tools/run_tests/sanity/sanity_tests.yaml
@@ -22,4 +22,5 @@
 - script: tools/distrib/pylint_code.sh
 - script: tools/distrib/yapf_code.sh
 - script: tools/distrib/python/check_grpcio_tools.py
+- script: tools/distrib/check_shadow_boringssl_symbol_list.sh
   cpu_cost: 1000