From 440afd55b45c938b2b2ea7b47a7cf1d440b05efe Mon Sep 17 00:00:00 2001 From: Kevin Jones Date: Wed, 9 Jul 2025 12:49:35 -0400 Subject: [PATCH 1/3] Stop building System.Security.Cryptography.Native.OpenSsl on macOS --- eng/native/build-commons.sh | 5 +++- .../Microsoft.NETCore.Native.Unix.targets | 4 +-- .../corehost/apphost/static/CMakeLists.txt | 11 +++---- src/native/corehost/build.sh | 5 +++- .../hostpolicy/hostpolicy_context.cpp | 4 ++- src/native/libs/CMakeLists.txt | 22 ++++---------- .../CMakeLists.txt | 30 +++++-------------- src/native/libs/build-native.sh | 3 ++ 8 files changed, 36 insertions(+), 48 deletions(-) diff --git a/eng/native/build-commons.sh b/eng/native/build-commons.sh index 2bc1faf27e7fd2..7940cafb450d80 100755 --- a/eng/native/build-commons.sh +++ b/eng/native/build-commons.sh @@ -70,7 +70,7 @@ build_native() # Let users provide additional compiler/linker flags via EXTRA_CFLAGS/EXTRA_CXXFLAGS/EXTRA_LDFLAGS. # If users directly override CFLAG/CXXFLAGS/LDFLAGS, that may lead to some configure tests working incorrectly. # See https://github.com/dotnet/runtime/issues/35727 for more information. - # + # # These flags MUST be exported before gen-buildsys.sh runs or cmake will ignore them # export CFLAGS="${CFLAGS} ${EXTRA_CFLAGS}" @@ -547,6 +547,9 @@ elif [[ "$__TargetOS" == ios || "$__TargetOS" == iossimulator ]]; then elif [[ "$__TargetOS" == tvos || "$__TargetOS" == tvossimulator ]]; then # nothing to do here true +elif [[ "$__TargetOS" == osx ]]; then + # nothing to do here + true elif [[ "$__TargetOS" == android ]]; then # nothing to do here true diff --git a/src/coreclr/nativeaot/BuildIntegration/Microsoft.NETCore.Native.Unix.targets b/src/coreclr/nativeaot/BuildIntegration/Microsoft.NETCore.Native.Unix.targets index 4e5b53a938b85a..b655d3879ac449 100644 --- a/src/coreclr/nativeaot/BuildIntegration/Microsoft.NETCore.Native.Unix.targets +++ b/src/coreclr/nativeaot/BuildIntegration/Microsoft.NETCore.Native.Unix.targets @@ -141,8 +141,8 @@ The .NET Foundation licenses this file to you under the MIT license. - - + + diff --git a/src/native/corehost/apphost/static/CMakeLists.txt b/src/native/corehost/apphost/static/CMakeLists.txt index 30118f679da387..7d7d975d4bd58d 100644 --- a/src/native/corehost/apphost/static/CMakeLists.txt +++ b/src/native/corehost/apphost/static/CMakeLists.txt @@ -166,10 +166,11 @@ else() ) if(NOT CLR_CMAKE_TARGET_ANDROID) - list(APPEND NATIVE_LIBS - System.Net.Security.Native-Static - System.Security.Cryptography.Native.OpenSsl-Static - ) + list(APPEND NATIVE_LIBS System.Net.Security.Native-Static) + + if(NOT CLR_CMAKE_TARGET_APPLE) + list(APPEND NATIVE_LIBS System.Security.Cryptography.Native.OpenSsl-Static) + endif() else() list(APPEND NATIVE_LIBS System.Security.Cryptography.Native.Android-Static @@ -204,7 +205,7 @@ else() include(${CLR_SRC_NATIVE_DIR}/libs/System.Native/extra_libs.cmake) append_extra_system_libs(NATIVE_LIBS) - if(NOT CLR_CMAKE_TARGET_MACCATALYST AND NOT CLR_CMAKE_TARGET_IOS AND NOT CLR_CMAKE_TARGET_TVOS AND NOT CLR_CMAKE_TARGET_ANDROID AND NOT CLR_CMAKE_TARGET_BROWSER) + if(NOT CLR_CMAKE_TARGET_APPLE AND NOT CLR_CMAKE_TARGET_ANDROID AND NOT CLR_CMAKE_TARGET_BROWSER) # Additional requirements for System.Security.Cryptography.Native.OpenSsl include(${CLR_SRC_NATIVE_DIR}/libs/System.Security.Cryptography.Native/extra_libs.cmake) append_extra_cryptography_libs(NATIVE_LIBS) diff --git a/src/native/corehost/build.sh b/src/native/corehost/build.sh index b7df4cc8212148..63c3b6d996e4a7 100755 --- a/src/native/corehost/build.sh +++ b/src/native/corehost/build.sh @@ -60,7 +60,10 @@ __IntermediatesDir="$__RootBinDir/obj/$__TargetRid.$__BuildType" export __BinDir __IntermediatesDir __RuntimeFlavor __CMakeArgs="-DCLI_CMAKE_PKG_RID=\"$__TargetRid\" -DCLI_CMAKE_FALLBACK_OS=\"$__HostFallbackOS\" -DCLI_CMAKE_COMMIT_HASH=\"$__commit_hash\" $__CMakeArgs" -__CMakeArgs="-DFEATURE_DISTRO_AGNOSTIC_SSL=$__PortableBuild $__CMakeArgs" + +if [[ "$__TargetOS" != osx ]]; then + __CMakeArgs="-DFEATURE_DISTRO_AGNOSTIC_SSL=$__PortableBuild $__CMakeArgs" +fi # Specify path to be set for CMAKE_INSTALL_PREFIX. # This is where all built CoreClr libraries will copied to. diff --git a/src/native/corehost/hostpolicy/hostpolicy_context.cpp b/src/native/corehost/hostpolicy/hostpolicy_context.cpp index b562d0e09ae408..9c0c7c0468d5cb 100644 --- a/src/native/corehost/hostpolicy/hostpolicy_context.cpp +++ b/src/native/corehost/hostpolicy/hostpolicy_context.cpp @@ -70,11 +70,13 @@ namespace return SystemResolveDllImport(entry_point_name); } +#if !defined(TARGET_OSX) if (strcmp(library_name, LIB_NAME("System.Security.Cryptography.Native.OpenSsl")) == 0) { return CryptoResolveDllImport(entry_point_name); } -#endif +#endif // !defined(TARGET_OSX) +#endif // !defined(_WIN32) if (strcmp(library_name, LIB_NAME("System.IO.Compression.Native")) == 0) { diff --git a/src/native/libs/CMakeLists.txt b/src/native/libs/CMakeLists.txt index c90e9b8a45ddc5..cf8b2b47fbd67b 100644 --- a/src/native/libs/CMakeLists.txt +++ b/src/native/libs/CMakeLists.txt @@ -150,18 +150,12 @@ if (CLR_CMAKE_TARGET_UNIX OR CLR_CMAKE_TARGET_BROWSER OR CLR_CMAKE_TARGET_WASI) if (CLR_CMAKE_TARGET_BROWSER OR CLR_CMAKE_TARGET_WASI) # skip for now - elseif (CLR_CMAKE_TARGET_MACCATALYST) - add_subdirectory(System.Net.Security.Native) - # System.Security.Cryptography.Native is intentionally disabled on iOS - # it is only used for interacting with OpenSSL which isn't useful there - elseif (CLR_CMAKE_TARGET_IOS) - add_subdirectory(System.Net.Security.Native) - # System.Security.Cryptography.Native is intentionally disabled on iOS - # it is only used for interacting with OpenSSL which isn't useful there - elseif (CLR_CMAKE_TARGET_TVOS) - #add_subdirectory(System.Net.Security.Native) # no gssapi on tvOS, see https://developer.apple.com/documentation/gss - # System.Security.Cryptography.Native is intentionally disabled on tvOS - # it is only used for interacting with OpenSSL which isn't useful there + elseif (CLR_CMAKE_TARGET_APPLE) + if (NOT CLR_CMAKE_TARGET_TVOS) # no gssapi on tvOS, see https://developer.apple.com/documentation/gss + add_subdirectory(System.Net.Security.Native) + endif () + + add_subdirectory(System.Security.Cryptography.Native.Apple) elseif (CLR_CMAKE_TARGET_ANDROID AND NOT FORCE_ANDROID_OPENSSL) add_subdirectory(System.Security.Cryptography.Native.Android) elseif (FORCE_ANDROID_OPENSSL) @@ -170,8 +164,4 @@ if (CLR_CMAKE_TARGET_UNIX OR CLR_CMAKE_TARGET_BROWSER OR CLR_CMAKE_TARGET_WASI) add_subdirectory(System.Net.Security.Native) add_subdirectory(System.Security.Cryptography.Native) endif () - - if (CLR_CMAKE_TARGET_APPLE) - add_subdirectory(System.Security.Cryptography.Native.Apple) - endif () endif () diff --git a/src/native/libs/System.Security.Cryptography.Native/CMakeLists.txt b/src/native/libs/System.Security.Cryptography.Native/CMakeLists.txt index e8ba7c0d19c8fc..57dc50fcbe7e9b 100644 --- a/src/native/libs/System.Security.Cryptography.Native/CMakeLists.txt +++ b/src/native/libs/System.Security.Cryptography.Native/CMakeLists.txt @@ -67,18 +67,6 @@ if (LOCAL_BUILD) ${CMAKE_CURRENT_BINARY_DIR}/pal_config.h) endif() - -# Always build portable on macOS because OpenSSL is not a system component -# and our prebuilts should not assume a specific ABI version for the types -# that use OpenSSL at runtime. -if (CLR_CMAKE_TARGET_OSX OR CLR_CMAKE_TARGET_MACCATALYST) - set(FEATURE_DISTRO_AGNOSTIC_SSL True) - - # by default uninitialized variables like the shim _ptr functions, will turn into common symbols - # and on OSX those have linking problems in libraries (ELF vs. Mach-O difference) - add_compile_options(-fno-common) -endif() - if (FEATURE_DISTRO_AGNOSTIC_SSL) list(APPEND NATIVECRYPTO_SOURCES opensslshim.c @@ -124,16 +112,14 @@ if (GEN_SHARED_LIB) endif() endif() - if (NOT CLR_CMAKE_TARGET_MACCATALYST AND NOT CLR_CMAKE_TARGET_IOS AND NOT CLR_CMAKE_TARGET_TVOS AND NOT CLR_CMAKE_TARGET_ANDROID) - add_custom_command(TARGET System.Security.Cryptography.Native.OpenSsl POST_BUILD - COMMENT "Verifying System.Security.Cryptography.Native.OpenSsl entry points against entrypoints.c " - COMMAND ${CMAKE_CURRENT_SOURCE_DIR}/../verify-entrypoints.sh - $ - ${CMAKE_CURRENT_SOURCE_DIR}/entrypoints.c - ${CMAKE_NM} - VERBATIM - ) - endif() + add_custom_command(TARGET System.Security.Cryptography.Native.OpenSsl POST_BUILD + COMMENT "Verifying System.Security.Cryptography.Native.OpenSsl entry points against entrypoints.c " + COMMAND ${CMAKE_CURRENT_SOURCE_DIR}/../verify-entrypoints.sh + $ + ${CMAKE_CURRENT_SOURCE_DIR}/entrypoints.c + ${CMAKE_NM} + VERBATIM + ) target_link_libraries(System.Security.Cryptography.Native.OpenSsl PRIVATE diff --git a/src/native/libs/build-native.sh b/src/native/libs/build-native.sh index 5169732c2d641b..eff05ac323c42f 100755 --- a/src/native/libs/build-native.sh +++ b/src/native/libs/build-native.sh @@ -83,6 +83,9 @@ elif [[ "$__TargetOS" == ios || "$__TargetOS" == iossimulator ]]; then elif [[ "$__TargetOS" == tvos || "$__TargetOS" == tvossimulator ]]; then # nothing to do here true +elif [[ "$__TargetOS" == osx ]]; then + # nothing to do here + true elif [[ "$__TargetOS" == android && -z "$ROOTFS_DIR" ]]; then # nothing to do here true From 6d6b00da84e320dd8fc53c8b5ef7a3ac1b0e8655 Mon Sep 17 00:00:00 2001 From: Kevin Jones Date: Wed, 9 Jul 2025 12:52:45 -0400 Subject: [PATCH 2/3] No need for OpenSSL from Brew --- docs/workflow/requirements/macos-requirements.md | 1 - 1 file changed, 1 deletion(-) diff --git a/docs/workflow/requirements/macos-requirements.md b/docs/workflow/requirements/macos-requirements.md index 67e7840a64d1be..cd1aed4b8f142b 100644 --- a/docs/workflow/requirements/macos-requirements.md +++ b/docs/workflow/requirements/macos-requirements.md @@ -18,7 +18,6 @@ To build the runtime repo, you will also need to install the following dependenc - `CMake` 3.20 or newer - `icu4c` -- `openssl@1.1` or `openssl@3` - `pkg-config` - `python3` - `ninja` (This one is optional. It is an alternative tool to `make` for building native code) From fa18e85f5b9979d59e008165def163ce2c197025 Mon Sep 17 00:00:00 2001 From: Kevin Jones Date: Mon, 14 Jul 2025 13:42:24 -0400 Subject: [PATCH 3/3] Code review feedback; treat MacCatalyst similarly to macOS --- eng/native/build-commons.sh | 2 +- src/native/libs/build-native.sh | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/eng/native/build-commons.sh b/eng/native/build-commons.sh index 7940cafb450d80..a3bdc2ac190eec 100755 --- a/eng/native/build-commons.sh +++ b/eng/native/build-commons.sh @@ -547,7 +547,7 @@ elif [[ "$__TargetOS" == ios || "$__TargetOS" == iossimulator ]]; then elif [[ "$__TargetOS" == tvos || "$__TargetOS" == tvossimulator ]]; then # nothing to do here true -elif [[ "$__TargetOS" == osx ]]; then +elif [[ "$__TargetOS" == osx || "$__TargetOS" == maccatalyst ]]; then # nothing to do here true elif [[ "$__TargetOS" == android ]]; then diff --git a/src/native/libs/build-native.sh b/src/native/libs/build-native.sh index eff05ac323c42f..5055b05839de15 100755 --- a/src/native/libs/build-native.sh +++ b/src/native/libs/build-native.sh @@ -83,7 +83,7 @@ elif [[ "$__TargetOS" == ios || "$__TargetOS" == iossimulator ]]; then elif [[ "$__TargetOS" == tvos || "$__TargetOS" == tvossimulator ]]; then # nothing to do here true -elif [[ "$__TargetOS" == osx ]]; then +elif [[ "$__TargetOS" == osx || "$__TargetOS" == maccatalyst ]]; then # nothing to do here true elif [[ "$__TargetOS" == android && -z "$ROOTFS_DIR" ]]; then