1# Incorporating BoringSSL into a project 2 3**Note**: if your target project is not a Google project then first read the 4[main README](./README.md) about the purpose of BoringSSL. 5 6If you are porting BoringSSL to a new platform see 7["go/boringssl-on-new-platform"](https://goto.corp.google.com/boringssl-on-new-platform) (Google 8Internal) for information about porting BoringSSL to a new platform for a Google 9project. 10 11## Which branch to use 12 13BoringSSL usage typically follows a 14["live at head"](https://abseil.io/about/philosophy#we-recommend-that-you-choose-to-live-at-head) 15model. Projects pin to whatever the current latest of BoringSSL is at the time 16of update, and regularly update it to pick up new changes. 17 18While the BoringSSL repository may contain project-specific branches, e.g. 19`chromium-2214`, those are _not_ supported release branches and must not as 20such. In rare cases, BoringSSL will temporarily maintain a short-lived branch on 21behalf of a project. Most such branches are no longer updated, because the 22corresponding project no longer needs them, and we do not create new ones to 23replace the ones that are no longer updated. E.g., not every Chromium release 24branch has a corresponding BoringSSL `chromium-*` branch. Even while active, the 25branch may not contain all changes relevant to a general BoringSSL consumer. 26 27## Bazel 28 29If you are using [Bazel](https://bazel.build) then you can incorporate 30BoringSSL as an external repository by using a commit from the 31`master-with-bazel` branch. That branch is maintained by a bot from `master` 32and includes the needed generated files and a top-level BUILD file. 33 34For example: 35 36 git_repository( 37 name = "boringssl", 38 commit = "_some commit_", 39 remote = "https://boringssl.googlesource.com/boringssl", 40 ) 41 42You would still need to keep the referenced commit up to date if a specific 43commit is referred to. 44 45## Directory layout 46 47Typically projects create a `third_party/boringssl` directory to put 48BoringSSL-specific files into. The source code of BoringSSL itself goes into 49`third_party/boringssl/src`, either by copying or as a 50[submodule](https://git-scm.com/docs/git-submodule). 51 52It's generally a mistake to put BoringSSL's source code into 53`third_party/boringssl` directly because pre-built files and custom build files 54need to go somewhere and merging these with the BoringSSL source code makes 55updating things more complex. 56 57## Build support 58 59BoringSSL is designed to work with many different build systems. Currently, 60different projects use [GYP](https://gyp.gsrc.io/), 61[GN](https://gn.googlesource.com/gn/+/master/docs/quick_start.md), 62[Bazel](https://bazel.build/) and [Make](https://www.gnu.org/software/make/) to 63build BoringSSL, without too much pain. 64 65The development build system is CMake and the CMake build knows how to 66automatically generate the intermediate files that BoringSSL needs. However, 67outside of the CMake environment, these intermediates are generated once and 68checked into the incorporating project's source repository. This avoids 69incorporating projects needing to support Perl and Go in their build systems. 70 71The script [`util/generate_build_files.py`](./util/generate_build_files.py) 72expects to be run from the `third_party/boringssl` directory and to find the 73BoringSSL source code in `src/`. You should pass it a single argument: the name 74of the build system that you're using. If you don't use any of the supported 75build systems then you should augment `generate_build_files.py` with support 76for it. 77 78The script will pregenerate the intermediate files (see 79[BUILDING.md](./BUILDING.md) for details about which tools will need to be 80installed) and output helper files for that build system. It doesn't generate a 81complete build script, just file and test lists, which change often. For 82example, see the 83[file](https://code.google.com/p/chromium/codesearch#chromium/src/third_party/boringssl/BUILD.generated.gni) 84and 85[test](https://code.google.com/p/chromium/codesearch#chromium/src/third_party/boringssl/BUILD.generated_tests.gni) 86lists generated for GN in Chromium. 87 88Generally one checks in these generated files alongside the hand-written build 89files. Periodically an engineer updates the BoringSSL revision, regenerates 90these files and checks in the updated result. As an example, see how this is 91done [in Chromium](https://code.google.com/p/chromium/codesearch#chromium/src/third_party/boringssl/). 92 93## Defines 94 95BoringSSL does not present a lot of configurability in order to reduce the 96number of configurations that need to be tested. But there are a couple of 97\#defines that you may wish to set: 98 99`OPENSSL_NO_ASM` prevents the use of assembly code (although it's up to you to 100ensure that the build system doesn't link it in if you wish to reduce binary 101size). This will have a significant performance impact but can be useful if you 102wish to use tools like 103[AddressSanitizer](http://clang.llvm.org/docs/AddressSanitizer.html) that 104interact poorly with assembly code. 105 106`OPENSSL_SMALL` removes some code that is especially large at some performance 107cost. 108 109## Symbols 110 111You cannot link multiple versions of BoringSSL or OpenSSL into a single binary 112without dealing with symbol conflicts. If you are statically linking multiple 113versions together, there's not a lot that can be done because C doesn't have a 114module system. 115 116If you are using multiple versions in a single binary, in different shared 117objects, ensure you build BoringSSL with `-fvisibility=hidden` and do not 118export any of BoringSSL's symbols. This will prevent any collisions with other 119verisons that may be included in other shared objects. Note that this requires 120that all callers of BoringSSL APIs live in the same shared object as BoringSSL. 121 122If you require that BoringSSL APIs be used across shared object boundaries, 123continue to build with `-fvisibility=hidden` but define 124`BORINGSSL_SHARED_LIBRARY` in both BoringSSL and consumers. BoringSSL's own 125source files (but *not* consumers' source files) must also build with 126`BORINGSSL_IMPLEMENTATION` defined. This will export BoringSSL's public symbols 127in the resulting shared object while hiding private symbols. However note that, 128as with a static link, this precludes dynamically linking with another version 129of BoringSSL or OpenSSL. 130