fix: Static-link OpenSSL in secp256r1 to prevent symbol leaking #308
Merged
usmansaleem merged 2 commits into besu-eth:main from Mar 20, 2026
…JVM process

Previously, libcrypto.so.3 was copied and renamed to libbesu_native_ec_crypto.so, exporting all OpenSSL symbols globally. When loaded into the JVM, these symbols contaminated the global symbol table, causing conflicts with other native libraries that depend on system OpenSSL (e.g. SoftHSM2 for PKCS#11 HSM plugins).

Changes:
- Update besu-native-ec submodule to static OpenSSL build with symbol hiding (exports only p256_* functions)
- Build OpenSSL as static library (libcrypto.a) with no-shared, -fPIC, and -fvisibility=hidden
- Remove separate libbesu_native_ec_crypto shared library loading
- Remove libbesu_native_ec_crypto from all Gradle copy tasks
- Remove patchelf dependency (no longer needed)

Signed-off-by: Usman Saleem <usman@usmans.info>
0edfc6a to e7c878c
The macos-15-intel runner has llvm@18 pre-installed which places an x86_64-only libunwind.dylib in /usr/local/lib/. When Rust cross-compiles for aarch64-apple-darwin (to create universal binaries via lipo), the linker finds this library, ignores it due to architecture mismatch, and then fails with undefined _Unwind_* symbols.

Unlinking llvm@18 removes its symlinks from /usr/local/lib/, allowing the linker to fall back to the system libunwind which supports all architectures.

Signed-off-by: Usman Saleem <usman@usmans.info>
Pull request overview
This PR updates the secp256r1 native build to static-link OpenSSL into libbesu_native_ec with symbol hiding, eliminating the separate crypto shared library to prevent OpenSSL symbol leakage into the JVM process.
Changes:
- Stop loading/copying `libbesu_native_ec_crypto` and rely on a single `libbesu_native_ec` artifact.
- Update native build scripts and CI deps to drop `patchelf` and build OpenSSL as a static `libcrypto.a`.
- Bump the `secp256r1/besu-native-ec` submodule to a commit that implements symbol-hiding/static OpenSSL linking.
Reviewed changes
Copilot reviewed 8 out of 8 changed files in this pull request and generated 1 comment.
| File | Description |
|---|---|
| secp256r1/src/main/java/org/hyperledger/besu/nativelib/secp256r1/besuNativeEC/BesuNativeEC.java | Removes loading of the separate crypto JNI/JNA library. |
| secp256r1/build.gradle | Stops copying the libbesu_native_ec_crypto artifacts into resources. |
| secp256r1/besu-native-ec | Updates submodule to version that performs static OpenSSL linking/symbol hiding. |
| native-build.sh | Removes patchelf from native build container dependencies. |
| build.sh | Builds OpenSSL as static libcrypto.a and removes checks for the removed crypto dylib. |
| README.md | Updates Linux dependency list to remove patchelf. |
| CHANGELOG.md | Adds an Unreleased entry describing the OpenSSL static-linking fix. |
| .github/workflows/build.yml | Removes patchelf from CI deps; adds a step to unlink Homebrew LLVM. |
Summary
- `libcrypto.a`) into `libbesu_native_ec.so`/`.dylib` with symbol hiding, exporting only `p256_*` functions
- `libbesu_native_ec_crypto` shared library that previously leaked all OpenSSL symbols into the JVM process

Changes
- `secp256r1/besu-native-ec` submodule updated to Consensys/besu-native-ec@062fb79 (static OpenSSL linking with version script / exported_symbols_list)
- `build.sh` — Build OpenSSL with `no-shared -fPIC -fvisibility=hidden`, target `libcrypto.a`
- `BesuNativeEC.java` — Remove `besu_native_ec_crypto` library loading
- `secp256r1/build.gradle` — Remove `libbesu_native_ec_crypto` from all platform copy tasks
- `.github/workflows/build.yml`, `native-build.sh`, `README.md` — Remove `patchelf` dependency

Verification
After building, confirm no OpenSSL symbols leak:

Test plan
- `./gradlew :secp256r1:test` passes
- `libbesu_native_ec`
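
The command that followed "confirm no OpenSSL symbols leak" under Verification is not present on this page. As an added example (not the PR's own command), this script lists a library's exported symbols with `nm` and fails if anything outside `p256_*` is exported. The sample symbol lines and the version node name `BESU_EC_1.0` are constructed for illustration.

```shell
#!/bin/sh
# Added example, not part of the PR. Sample symbol lines below are constructed.

# Read nm output ("<addr> <type> <name>") on stdin and print every defined
# symbol whose name does not start with the allowed prefix.
leaked_symbols() {
    awk -v p="$1" '
        NF == 3 && $2 != "U" && $2 != "A" {   # A = version-script node, not code
            name = $3
            sub(/@.*/, "", name)              # drop "@@VERSION" suffix
            if (index(name, p) != 1) print name
        }'
}

# Check one built library. Returns 0 only if nm succeeded, at least one
# allowed symbol is exported, and nothing else is.
check_exports() {
    lib="$1"
    case "$(uname -s)" in
        Darwin) prefix="_p256_"; syms=$(nm -gU "$lib") || return 2 ;;   # Mach-O prepends "_"
        *)      prefix="p256_";  syms=$(nm -D --defined-only "$lib") || return 2 ;;
    esac
    # An empty export list would otherwise look like a pass.
    printf '%s\n' "$syms" | grep -q " $prefix" || { echo "no $prefix* exports in $lib" >&2; return 2; }
    leaked=$(printf '%s\n' "$syms" | leaked_symbols "$prefix")
    [ -z "$leaked" ] && return 0
    printf 'unexpected exports in %s:\n%s\n' "$lib" "$leaked" >&2
    return 1
}

# Constructed nm output resembling a library that still exports libcrypto.
sample_leaky() {
    cat <<'EOF'
0000000000000000 A BESU_EC_1.0
0000000000012340 T p256_sign@@BESU_EC_1.0
0000000000012560 T p256_verify@@BESU_EC_1.0
00000000000a1b20 T EVP_DigestInit_ex
00000000000b2c30 T ECDSA_do_sign
EOF
}

# Usage: sh check_exports.sh path/to/libbesu_native_ec.so
if [ "$#" -gt 0 ]; then check_exports "$1"; fi
```

Run in CI after the native build, a non-zero exit flags a regression in the version script or exported_symbols_list before the library is ever loaded next to another OpenSSL consumer in the same JVM.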