Merge pull request #21194 from muxi/boringssl-prefix-header

Revamp how BoringSSL generate prefix header on ObjC

.gitignore

@@ -150,4 +150,3 @@ BenchmarkDotNet.Artifacts/
 
 # pyenv config
 .python-version
-

BUILD

@@ -1862,7 +1862,6 @@ grpc_cc_library(
     deps = [
         "alts_util",
         "grpc_base",
-        "grpc_shadow_boringssl",
         "grpc_transport_chttp2_alpn",
         "tsi",
     ],
@@ -2103,7 +2102,6 @@ grpc_cc_library(
     deps = [
         "gpr",
         "grpc_base",
-        "grpc_shadow_boringssl",
         "tsi_interface",
     ],
 )
@@ -2172,7 +2170,6 @@ grpc_cc_library(
         "alts_util",
         "gpr",
         "grpc_base",
-        "grpc_shadow_boringssl",
         "grpc_transport_chttp2_client_insecure",
         "tsi_interface",
     ],
@@ -2465,13 +2462,6 @@ grpc_cc_library(
     ],
 )
 
-grpc_cc_library(
-    name = "grpc_shadow_boringssl",
-    hdrs = [
-        "src/core/tsi/grpc_shadow_boringssl.h",
-    ],
-)
-
 # Once upb code-gen issue is resolved, use the targets commented below to replace the ones using
 # upb-generated files.
 

BUILD.gn

@@ -948,7 +948,6 @@ config("grpc_config") {
         "src/core/tsi/alts/zero_copy_frame_protector/alts_zero_copy_grpc_protector.h",
         "src/core/tsi/fake_transport_security.cc",
         "src/core/tsi/fake_transport_security.h",
-        "src/core/tsi/grpc_shadow_boringssl.h",
         "src/core/tsi/local_transport_security.cc",
         "src/core/tsi/local_transport_security.h",
         "src/core/tsi/ssl/session_cache/ssl_session.h",

build_autogenerated.yaml

@@ -720,7 +720,6 @@ libs:
   - src/core/tsi/alts/zero_copy_frame_protector/alts_iovec_record_protocol.h
   - src/core/tsi/alts/zero_copy_frame_protector/alts_zero_copy_grpc_protector.h
   - src/core/tsi/fake_transport_security.h
-  - src/core/tsi/grpc_shadow_boringssl.h
   - src/core/tsi/local_transport_security.h
   - src/core/tsi/ssl/session_cache/ssl_session.h
   - src/core/tsi/ssl/session_cache/ssl_session_cache.h

gRPC-C++.podspec

@@ -600,7 +600,6 @@ Pod::Spec.new do |s|
                       'src/core/tsi/alts/zero_copy_frame_protector/alts_iovec_record_protocol.h',
                       'src/core/tsi/alts/zero_copy_frame_protector/alts_zero_copy_grpc_protector.h',
                       'src/core/tsi/fake_transport_security.h',
-                      'src/core/tsi/grpc_shadow_boringssl.h',
                       'src/core/tsi/local_transport_security.h',
                       'src/core/tsi/ssl/session_cache/ssl_session.h',
                       'src/core/tsi/ssl/session_cache/ssl_session_cache.h',
@@ -1053,7 +1052,6 @@ Pod::Spec.new do |s|
                               'src/core/tsi/alts/zero_copy_frame_protector/alts_iovec_record_protocol.h',
                               'src/core/tsi/alts/zero_copy_frame_protector/alts_zero_copy_grpc_protector.h',
                               'src/core/tsi/fake_transport_security.h',
-                              'src/core/tsi/grpc_shadow_boringssl.h',
                               'src/core/tsi/local_transport_security.h',
                               'src/core/tsi/ssl/session_cache/ssl_session.h',
                               'src/core/tsi/ssl/session_cache/ssl_session_cache.h',

gRPC-Core.podspec

@@ -172,7 +172,7 @@ Pod::Spec.new do |s|
     ss.header_mappings_dir = '.'
     ss.libraries = 'z'
     ss.dependency "#{s.name}/Interface", version
-    ss.dependency 'BoringSSL-GRPC', '0.0.7'
+    ss.dependency 'BoringSSL-GRPC', '0.0.8'
     abseil_version = '1.20200225.0'
     ss.dependency 'abseil/container/inlined_vector', abseil_version
     ss.dependency 'abseil/memory/memory', abseil_version
@@ -180,7 +180,7 @@ Pod::Spec.new do |s|
     ss.dependency 'abseil/strings/strings', abseil_version
     ss.dependency 'abseil/time/time', abseil_version
     ss.dependency 'abseil/types/optional', abseil_version
-    ss.compiler_flags = '-DGRPC_SHADOW_BORINGSSL_SYMBOLS'
+    ss.compiler_flags = '-DBORINGSSL_PREFIX=GRPC'
 
     ss.source_files = 'src/core/ext/filters/census/grpc_context.cc',
                       'src/core/ext/filters/client_channel/backend_metric.cc',
@@ -1001,7 +1001,6 @@ Pod::Spec.new do |s|
                       'src/core/tsi/alts/zero_copy_frame_protector/alts_zero_copy_grpc_protector.h',
                       'src/core/tsi/fake_transport_security.cc',
                       'src/core/tsi/fake_transport_security.h',
-                      'src/core/tsi/grpc_shadow_boringssl.h',
                       'src/core/tsi/local_transport_security.cc',
                       'src/core/tsi/local_transport_security.h',
                       'src/core/tsi/ssl/session_cache/ssl_session.h',
@@ -1409,7 +1408,6 @@ Pod::Spec.new do |s|
                               'src/core/tsi/alts/zero_copy_frame_protector/alts_iovec_record_protocol.h',
                               'src/core/tsi/alts/zero_copy_frame_protector/alts_zero_copy_grpc_protector.h',
                               'src/core/tsi/fake_transport_security.h',
-                              'src/core/tsi/grpc_shadow_boringssl.h',
                               'src/core/tsi/local_transport_security.h',
                               'src/core/tsi/ssl/session_cache/ssl_session.h',
                               'src/core/tsi/ssl/session_cache/ssl_session_cache.h',

grpc.gemspec

@@ -923,7 +923,6 @@ Gem::Specification.new do |s|
   s.files += %w( src/core/tsi/alts/zero_copy_frame_protector/alts_zero_copy_grpc_protector.h )
   s.files += %w( src/core/tsi/fake_transport_security.cc )
   s.files += %w( src/core/tsi/fake_transport_security.h )
-  s.files += %w( src/core/tsi/grpc_shadow_boringssl.h )
   s.files += %w( src/core/tsi/local_transport_security.cc )
   s.files += %w( src/core/tsi/local_transport_security.h )
   s.files += %w( src/core/tsi/ssl/session_cache/ssl_session.h )

package.xml

@@ -903,7 +903,6 @@
     <file baseinstalldir="/" name="src/core/tsi/alts/zero_copy_frame_protector/alts_zero_copy_grpc_protector.h" role="src" />
     <file baseinstalldir="/" name="src/core/tsi/fake_transport_security.cc" role="src" />
     <file baseinstalldir="/" name="src/core/tsi/fake_transport_security.h" role="src" />
-    <file baseinstalldir="/" name="src/core/tsi/grpc_shadow_boringssl.h" role="src" />
     <file baseinstalldir="/" name="src/core/tsi/local_transport_security.cc" role="src" />
     <file baseinstalldir="/" name="src/core/tsi/local_transport_security.h" role="src" />
     <file baseinstalldir="/" name="src/core/tsi/ssl/session_cache/ssl_session.h" role="src" />

src/core/lib/security/credentials/jwt/json_token.h

@@ -21,8 +21,6 @@
 
 #include <grpc/support/port_platform.h>
 
-#include "src/core/tsi/grpc_shadow_boringssl.h"
-
 #include <grpc/slice.h>
 #include <openssl/rsa.h>
 

src/core/lib/security/credentials/jwt/jwt_verifier.cc

@@ -18,8 +18,6 @@
 
 #include <grpc/support/port_platform.h>
 
-#include "src/core/tsi/grpc_shadow_boringssl.h"
-
 #include "src/core/lib/security/credentials/jwt/jwt_verifier.h"
 
 #include <limits.h>

src/core/tsi/alts/crypt/aes_gcm.cc

@@ -18,8 +18,6 @@
 
 #include <grpc/support/port_platform.h>
 
-#include "src/core/tsi/grpc_shadow_boringssl.h"
-
 #include "src/core/tsi/alts/crypt/gsec.h"
 
 #include <openssl/bio.h>

src/core/tsi/ssl/session_cache/ssl_session.h

@@ -21,8 +21,6 @@
 
 #include <grpc/support/port_platform.h>
 
-#include "src/core/tsi/grpc_shadow_boringssl.h"
-
 #include <grpc/slice.h>
 
 extern "C" {

src/core/tsi/ssl/session_cache/ssl_session_cache.h

@@ -21,8 +21,6 @@
 
 #include <grpc/support/port_platform.h>
 
-#include "src/core/tsi/grpc_shadow_boringssl.h"
-
 #include <grpc/slice.h>
 #include <grpc/support/sync.h>
 

src/core/tsi/ssl_transport_security.cc

@@ -18,8 +18,6 @@
 
 #include <grpc/support/port_platform.h>
 
-#include "src/core/tsi/grpc_shadow_boringssl.h"
-
 #include "src/core/tsi/ssl_transport_security.h"
 
 #include <limits.h>

src/core/tsi/ssl_types.h

@@ -29,8 +29,6 @@
 
 #include <grpc/support/port_platform.h>
 
-#include "src/core/tsi/grpc_shadow_boringssl.h"
-
 #include <openssl/ssl.h>
 
 #ifdef OPENSSL_IS_BORINGSSL

src/objective-c/tests/CronetTests/CronetUnitTests.mm

@@ -39,9 +39,6 @@
 #import "test/core/end2end/data/ssl_test_data.h"
 #import "test/core/util/test_config.h"
 
-#define GRPC_SHADOW_BORINGSSL_SYMBOLS
-#import "src/core/tsi/grpc_shadow_boringssl.h"
-
 #import <openssl_grpc/ssl.h>
 
 static void drain_cq(grpc_completion_queue *cq) {

src/objective-c/tests/Tests.xcodeproj/project.pbxproj

@@ -1326,6 +1326,13 @@
 					"$(PROJECT_DIR)/Pods/CronetFramework",
 				);
 				GCC_C_LANGUAGE_STANDARD = gnu11;
+				GCC_PREPROCESSOR_DEFINITIONS = (
+					"$(inherited)",
+					"COCOAPODS=1",
+					"$(inherited)",
+					"GPB_USE_PROTOBUF_FRAMEWORK_IMPORTS=1",
+					"BORINGSSL_PREFIX=GRPC",
+				);
 				GCC_WARN_INHIBIT_ALL_WARNINGS = YES;
 				INFOPLIST_FILE = Info.plist;
 				LD_RUNPATH_SEARCH_PATHS = "$(inherited) @executable_path/Frameworks @loader_path/Frameworks";

templates/gRPC-Core.podspec.template

@@ -192,12 +192,12 @@
       ss.header_mappings_dir = '.'
       ss.libraries = 'z'
       ss.dependency "#{s.name}/Interface", version
-      ss.dependency 'BoringSSL-GRPC', '0.0.7'
+      ss.dependency 'BoringSSL-GRPC', '0.0.8'
       abseil_version = '1.20200225.0'
       % for abseil_spec in grpc_abseil_specs:
       ss.dependency '${abseil_spec}', abseil_version
       % endfor
-      ss.compiler_flags = '-DGRPC_SHADOW_BORINGSSL_SYMBOLS'
+      ss.compiler_flags = '-DBORINGSSL_PREFIX=GRPC'
 
       ss.source_files = ${ruby_multiline_list(grpc_private_files, 22)}
       ss.private_header_files = ${ruby_multiline_list(grpc_private_headers, 30)}

templates/src/core/tsi/grpc_shadow_boringssl.h.template

@@ -1,40 +0,0 @@
-%YAML 1.2
---- |
-  <%!
-  def expand_symbol_list(symbol_list):
-      return '\n'.join('#define %s GRPC_SHADOW_%s' % (symbol, symbol) for symbol in symbol_list)
-  %>
-  /*
-   *
-   * Copyright 2018 gRPC authors.
-   *
-   * Licensed under the Apache License, Version 2.0 (the "License");
-   * you may not use this file except in compliance with the License.
-   * You may obtain a copy of the License at
-   *
-   *     http://www.apache.org/licenses/LICENSE-2.0
-   *
-   * Unless required by applicable law or agreed to in writing, software
-   * distributed under the License is distributed on an "AS IS" BASIS,
-   * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-   * See the License for the specific language governing permissions and
-   * limitations under the License.
-   *
-   */
-
-  // This file is autogenerated from a template file. Please make
-  // modifications to
-  // `templates/src/objective-c/tsi/grpc_shadow_boringssl.h.template`
-  // instead. This file can be regenerated from the template by running
-  // `tools/buildgen/generate_projects.sh`.
-
-  #ifndef GRPC_CORE_TSI_GRPC_SHADOW_BORINGSSL_H
-  #define GRPC_CORE_TSI_GRPC_SHADOW_BORINGSSL_H
-
-  #ifdef GRPC_SHADOW_BORINGSSL_SYMBOLS
-  
-  ${expand_symbol_list(settings.grpc_shadow_boringssl_symbols)}
-
-  #endif /* GRPC_SHADOW_BORINGSSL_SYMBOLS */
-
-  #endif /* GRPC_CORE_TSI_GRPC_SHADOW_BORINGSSL_H */

templates/src/objective-c/BoringSSL-GRPC.podspec.template

@@ -3,8 +3,31 @@
   <%!
     def expand_symbol_list(symbol_list):
         return ',\n    '.join("'#define %s GRPC_SHADOW_%s'" % (symbol, symbol) for symbol in symbol_list)
+
     import subprocess
     boringssl_commit = subprocess.check_output(['git', 'rev-parse', 'HEAD'], cwd='third_party/boringssl-with-bazel').decode().strip()
+
+    # Compress src/boringssl/boringssl_prefix_symbols.h with gzip then encode
+    # with Base64. The result is put in variable prefix_gz_b64.
+    #
+    # Note that gRPC's template parser is still using Python 2, whose gzip
+    # module does not support directly compressing bytes into bytes. Instead,
+    # we have to write the compressed bytes into a intermediate file
+    # (src/boringssl/boringssl_prefix_symbols.h.gz), read the compressed
+    # bytes from this file, then delete the intermediate file.
+    #
+    # TODO(mxyan): move to python3 style gzip compression when possible
+    def compress_boringssl_prefix_header():
+      import gzip, shutil, os, base64
+      with open('src/boringssl/boringssl_prefix_symbols.h', 'rb') as f_in, gzip.GzipFile('src/boringssl/boringssl_prefix_symbols.h.gz', 'w', mtime=0.0) as f_out:
+        shutil.copyfileobj(f_in, f_out)
+      with open('src/boringssl/boringssl_prefix_symbols.h.gz', 'rb') as f_in:
+        prefix_gz = f_in.read()
+      os.remove('src/boringssl/boringssl_prefix_symbols.h.gz')
+      prefix_gz_b64 = base64.b64encode(prefix_gz)
+      WRAP_LENGTH=80
+      prefix_gz_b64_wrapped = [prefix_gz_b64[i:i+WRAP_LENGTH] for i in range(0, len(prefix_gz_b64), WRAP_LENGTH)]
+      return prefix_gz_b64_wrapped
   %>
 
   # This file has been automatically generated from a template file.
@@ -46,7 +69,7 @@
 
   Pod::Spec.new do |s|
     s.name     = 'BoringSSL-GRPC'
-    version = '0.0.7'
+    version = '0.0.8'
     s.version  = version
     s.summary  = 'BoringSSL is a fork of OpenSSL that is designed to meet Google\'s needs.'
     # Adapted from the homepage:
@@ -117,7 +140,7 @@
 
     # We don't need to inhibit all warnings; only -Wno-shorten-64-to-32. But Cocoapods' linter doesn't
     # want that for some reason.
-    s.compiler_flags = '-DOPENSSL_NO_ASM', '-GCC_WARN_INHIBIT_ALL_WARNINGS', '-w'
+    s.compiler_flags = '-DOPENSSL_NO_ASM', '-GCC_WARN_INHIBIT_ALL_WARNINGS', '-w', '-DBORINGSSL_PREFIX=GRPC'
     s.requires_arc = false
 
     # Like many other C libraries, BoringSSL has its public headers under `include/<libname>/` and its
@@ -209,25 +232,27 @@
         }
       EOF
 
-      # The symbol prefixing mechanism is performed by redefining BoringSSL symbols with "#define
-      # SOME_BORINGSSL_SYMBOL GRPC_SHADOW_SOME_BORINGSSL_SYMBOL". Unfortunately, some symbols are
-      # already redefined as macros in BoringSSL headers in the form "#define SOME_BORINGSSL_SYMBOL
-      # SOME_BORINGSSL_SYMBOL" Such type of redefinition will cause "SOME_BORINGSSL_SYMBOL redefined"
-      # error when using together with our prefix header. So the workaround in the below lines removes
-      # all such type of #define directives.
-      sed -i'.back' '/^#define \\([A-Za-z0-9_]*\\) \\1/d' src/include/openssl/*.h
-      # Remove lines of the format below for the same reason above
-      #     #define SOME_BORINGSSL_SYMBOL ${"\\"}
-      #         SOME_BORINGSSL_SYMBOL
-      sed -i'.back' '/^#define.*\\\\$/{N;/^#define \\([A-Za-z0-9_]*\\) *\\\\\\n *\\1/d;}' src/include/openssl/*.h
+      # To avoid symbol conflict with OpenSSL, gRPC needs to rename all the BoringSSL symbols with a
+      # prefix. This is done with BoringSSL's BORINGSSL_PREFIX mechanism
+      # (https://github.com/google/boringssl/blob/75148d7abf12bdd1797fec3c5da9a21963703516/BUILDING.md#building-with-prefixed-symbols).
+      # The required prefix header file boringssl_prefix_symbols.h is not part of BoringSSL repo at
+      # this moment. It has to be generated by BoringSSL's users and be injected to BoringSSL build.
+      # gRPC generates this file in script /tools/distrib/upgrade_boringssl_objc.sh. This script
+      # outputs a gzip+base64 encoded version of boringssl_prefix_symbols.h because of Cocoapods'
+      # limit on the 'prepare_command' field length. The encoded header is generated from
+      # /src/boringssl/boringssl_prefix_symbols.h. Here we decode the content and inject the header to
+      # the correct location in BoringSSL.
+      base64 -D <<EOF | gunzip > src/include/openssl/boringssl_prefix_symbols.h
+        % for line in compress_boringssl_prefix_header():
+        ${line}
+        % endfor
+      EOF
 
       # We are renaming openssl to openssl_grpc so that there is no conflict with openssl if it exists
       find . -type f \\( -path '*.h' -or -path '*.cc' -or -path '*.c' \\) -print0 | xargs -0 -L1 sed -E -i'.grpc_back' 's;#include <openssl/;#include <openssl_grpc/;g'
-    END_OF_COMMAND
 
-    # Redefine symbols to avoid conflict when the same app also depends on OpenSSL. The list of
-    # symbols are src/objective-c/grpc_shadow_boringssl_symbol_list.
-    # This is the last part of this file.
-    s.prefix_header_contents = 
-      ${expand_symbol_list(settings.grpc_shadow_boringssl_symbols)}
+      # Include of boringssl_prefix_symbols.h does not follow Xcode import style. We add the package
+      # name here so that Xcode knows where to find it.
+      find . -type f \\( -path '*.h' -or -path '*.cc' -or -path '*.c' \\) -print0 | xargs -0 -L1 sed -E -i'.grpc_back' 's;#include <boringssl_prefix_symbols.h>;#include <openssl_grpc/boringssl_prefix_symbols.h>;g'
+    END_OF_COMMAND
   end

tools/buildgen/plugins/grpc_shadow_boringssl.py

@@ -1,32 +0,0 @@
-# Copyright 2018 gRPC authors.
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-#     http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-"""Buildgen generate grpc_shadow_boringssl headers
-This script takes the list of symbols from
-src/objective-c/grpc_shadow_boringssl_symbols and populate them in
-settings.grpc_shadow_boringssl_symbols
-"""
-
-
-def mako_plugin(dictionary):
-    with open('src/objective-c/grpc_shadow_boringssl_symbol_list') as f:
-        symbols = f.readlines()
-    # Remove trailing '\n'
-    symbols = [s.strip() for s in symbols]
-    # Remove comments
-    symbols = [s for s in symbols if len(s) > 0 and s[0] != '#']
-    # Remove the commit number
-    del symbols[0]
-
-    settings = dictionary['settings']
-    settings['grpc_shadow_boringssl_symbols'] = symbols

tools/distrib/check_boringssl_prefix_symbol.sh

@@ -0,0 +1,27 @@
+#!/bin/bash
+# Copyright 2018 gRPC authors.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+# Check if the current BoringSSL prefix symbols is up to date
+set -e
+
+cd "$(dirname $0)"
+cd ../../third_party/boringssl-with-bazel
+
+BORINGSSL_COMMIT=$(git rev-parse HEAD)
+PREFIX_SYMBOLS_COMMIT=$(cat ../../src/boringssl/boringssl_prefix_symbols.h | head -n1 | awk '{print $NF}')
+
+[ $BORINGSSL_COMMIT == $PREFIX_SYMBOLS_COMMIT ] || { echo "The BoringSSL commit does not match the commit of the prefix symbols (src/boringssl/boringssl_prefix_symbols.h). Run tools/distrib/regenerate_boringssl_prefix_symbols.sh to update the prefix symbols." ; exit 1 ; }
+
+exit 0

tools/distrib/check_copyright.py

@@ -92,6 +92,10 @@ _EXEMPT = frozenset((
     # Designer-generated source
     'examples/csharp/HelloworldXamarin/Droid/Resources/Resource.designer.cs',
     'examples/csharp/HelloworldXamarin/iOS/ViewController.designer.cs',
+
+    # BoringSSL generated header. It has commit version information at the head
+    # of the file so we cannot check the license info.
+    'src/boringssl/boringssl_prefix_symbols.h',
 ))
 
 RE_YEAR = r'Copyright (?P<first_year>[0-9]+\-)?(?P<last_year>[0-9]+) ([Tt]he )?gRPC [Aa]uthors(\.|)'

tools/distrib/check_shadow_boringssl_symbol_list.sh

@@ -1,32 +0,0 @@
-#!/bin/bash
-# Copyright 2018 gRPC authors.
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-#     http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-
-
-# Check if the commit version of BoringSSL podspec, BoringSSL submodule, and
-# the shadowed symbol list are all based on the same BoringSSL commit.
-set -e
-
-cd $(dirname $0)
-
-boringssl_podspec_original="../../src/objective-c/BoringSSL-GRPC.podspec"
-symbol_list="../../src/objective-c/grpc_shadow_boringssl_symbol_list"
-
-# Check BoringSSL version matches
-ver1=$(git submodule | grep "boringssl-with-bazel " | awk '{print $1}' | head -n 1)
-ver2=$(cat $boringssl_podspec_original | grep ':commit =>' | sed -E 's/.*"(.*)".*/\1/g')
-ver3=$(cat $symbol_list | sed -n '2 p')
-[ $ver1 == $ver2 ] && [ $ver1 == $ver3 ] || { echo "BoringSSL submodule (third_party/boringssl-with-bazel), BoringSSL podspec (src/objective-c/BoringSSL.podspec), and BoringSSL symbol list (src/objective-c/grpc_shadow_boringssl_symbol_list) commit do not match." ; echo "BoringSSL submodule: $ver1" ; echo "BoringSSL podspec: $ver2" ;  echo "BoringSSL symbol list: $ver3" ; exit 1 ; }
-
-exit 0

tools/distrib/generate_boringssl_prefix_header.sh

@@ -0,0 +1,60 @@
+#!/bin/bash
+# Copyright 2018 gRPC authors.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+# Generate the list of boringssl symbols that need to be renamed based on the
+# current boringssl submodule. The script should be run after a boringssl
+# upgrade in third_party/boringssl-with-bazel. Note that after the script is
+# run, you will typically need to manually upgrade the BoringSSL-GRPC podspec
+# (templates/src/objective-c/BoringSSL-GRPC.podspec.template) version and the
+# corresponding version number in gRPC-Core podspec
+# (templates/gRPC-Core.podspec.template).
+
+set -ev
+
+BORINGSSL_ROOT=third_party/boringssl-with-bazel/src
+
+cd "$(dirname $0)"
+cd ../../$BORINGSSL_ROOT
+
+BORINGSSL_COMMIT=$(git rev-parse HEAD)
+BORINGSSL_PREFIX_HEADERS_DIR=src/boringssl
+
+rm -rf build
+mkdir -p build
+cd build
+cmake ..
+make -j
+[ -f ssl/libssl.a ] || { echo "Failed to build libssl.a" ; exit 1 ; }
+[ -f crypto/libcrypto.a ] || { echo "Failed to build libcrypto.a" ; exit 1 ; }
+
+# Generates boringssl_prefix_symbols.h. The prefix header is generated by
+# BoringSSL's build system as instructed by BoringSSL build guide (see
+# https://github.com/google/boringssl/blob/367d64f84c3c1d01381c18c5a239b85eef47633c/BUILDING.md#building-with-prefixed-symbols).
+go run ../util/read_symbols.go ssl/libssl.a > ./symbols.txt
+go run ../util/read_symbols.go crypto/libcrypto.a >> ./symbols.txt
+cmake .. -DBORINGSSL_PREFIX=GRPC -DBORINGSSL_PREFIX_SYMBOLS=symbols.txt
+make boringssl_prefix_symbols
+[ -f symbol_prefix_include/boringssl_prefix_symbols.h ] || { echo "Failed to build boringssl_prefix_symbols.sh" ; exit 1 ; }
+
+cd ../../../..
+mkdir -p $BORINGSSL_PREFIX_HEADERS_DIR
+echo "// generated by generate_boringssl_prefix_header.sh on BoringSSL commit: $BORINGSSL_COMMIT" > $BORINGSSL_PREFIX_HEADERS_DIR/boringssl_prefix_symbols.h
+echo "" >> $BORINGSSL_PREFIX_HEADERS_DIR/boringssl_prefix_symbols.h
+cat "$BORINGSSL_ROOT/build/symbol_prefix_include/boringssl_prefix_symbols.h" >> $BORINGSSL_PREFIX_HEADERS_DIR/boringssl_prefix_symbols.h
+
+# Regenerated the project
+tools/buildgen/generate_projects.sh
+
+exit 0

tools/distrib/generate_grpc_shadow_boringssl_symbol_list.sh

@@ -1,63 +0,0 @@
-#!/bin/bash
-# Copyright 2018 gRPC authors.
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-#     http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-
-# Generate the list of boringssl symbols that need to be shadowed based on the
-# current boringssl submodule. Requires local toolchain to build boringssl.
-set -e
-
-cd $(dirname $0)
-
-symbol_list="../../src/objective-c/grpc_shadow_boringssl_symbol_list"
-
-ssl_lib='../../third_party/boringssl-with-bazel/build/libssl.a'
-crypto_lib='../../third_party/boringssl-with-bazel/build/libcrypto.a'
-
-# Generate boringssl archives
-( cd ../../third_party/boringssl-with-bazel ; mkdir -p build ; cd build ; cmake .. ; make -j ssl crypto )
-
-# Generate shadow_boringssl.h
-unameOut="$(uname -s)"
-case "${unameOut}" in
-  Linux*)
-    outputs="$(nm $ssl_lib)"$'\n'"$(nm $crypto_lib)"
-    symbols=$(echo "$outputs" | 
-              grep '^[0-9a-f]* [A-Z] ' |               # Only public symbols
-              grep -v '^[0-9a-f]* [A-Z] _' |           # Remove all symbols which look like for C++
-              sed 's/[0-9a-f]* [A-Z] \(.*\)/\1/g' |    # Extract the symbol names
-              sort)                                    # Sort symbol names
-    ;;
-  Darwin*)
-    outputs="$(nm -C $ssl_lib)"$'\n'"$(nm -C $crypto_lib)"
-    symbols=$(echo "$outputs" | 
-              grep '^[0-9a-f]* [A-Z] ' |               # Only public symbols
-              grep -v ' bssl::' |                      # Filter BoringSSL symbols since they are already namespaced
-              sed 's/(.*//g' |                         # Remove parenthesis from C++ symbols
-              grep '^[0-9a-f]* [A-Z] _' |              # Filter symbols that is not prefixed with '_'
-              sed 's/[0-9a-f]* [A-Z] _\(.*\)/\1/g' |   # Extract the symbol names
-              sort)                                    # Sort symbol names
-    ;;
-  *)
-    echo "Supports only Linux and Darwin but this system is $unameOut"
-    exit 1
-    ;;
-esac
-
-commit=$(git submodule | grep "boringssl-with-bazel " | awk '{print $1}' | head -n 1)
-
-echo "# Automatically generated by tools/distrib/generate_grpc_shadow_boringssl_symbol_list.sh" > $symbol_list
-echo $commit >> $symbol_list
-echo "$symbols" >> $symbol_list
-
-exit 0

tools/doxygen/Doxyfile.c++.internal

@@ -1886,7 +1886,6 @@ src/core/tsi/alts/zero_copy_frame_protector/alts_zero_copy_grpc_protector.cc \
 src/core/tsi/alts/zero_copy_frame_protector/alts_zero_copy_grpc_protector.h \
 src/core/tsi/fake_transport_security.cc \
 src/core/tsi/fake_transport_security.h \
-src/core/tsi/grpc_shadow_boringssl.h \
 src/core/tsi/local_transport_security.cc \
 src/core/tsi/local_transport_security.h \
 src/core/tsi/ssl/session_cache/ssl_session.h \

tools/doxygen/Doxyfile.core.internal

@@ -1701,7 +1701,6 @@ src/core/tsi/alts/zero_copy_frame_protector/alts_zero_copy_grpc_protector.cc \
 src/core/tsi/alts/zero_copy_frame_protector/alts_zero_copy_grpc_protector.h \
 src/core/tsi/fake_transport_security.cc \
 src/core/tsi/fake_transport_security.h \
-src/core/tsi/grpc_shadow_boringssl.h \
 src/core/tsi/local_transport_security.cc \
 src/core/tsi/local_transport_security.h \
 src/core/tsi/ssl/session_cache/ssl_session.h \

tools/run_tests/sanity/sanity_tests.yaml

@@ -28,4 +28,4 @@
 - script: tools/distrib/yapf_code.sh --diff
   cpu_cost: 1000
 - script: tools/distrib/check_protobuf_pod_version.sh
-- script: tools/distrib/check_shadow_boringssl_symbol_list.sh
+- script: tools/distrib/check_boringssl_prefix_symbol.sh