status-im · iffy · Jan 12, 2024 · Jan 12, 2024 · Jan 13, 2024 · Aug 20, 2024
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
@@ -186,3 +186,9 @@ jobs:
           env NIMLANG=c nimble test
           # C++ support requires fixing const pointer proc assignments
           # env NIMLANG=cpp nimble test
+
+      - name: Run tests with static bearssl
+        shell: bash
+        run: |
+          (cd bearssl/csources/ && make)
+          env NIMLANG=c nimble "-d:bearStaticLibPath=$(pwd)/bearssl/csources/build/libbearssl.a" test
diff --git a/README.md b/README.md
@@ -39,6 +39,10 @@ In addition to the raw `C`-like api, convenience functions are added where appli
 * named after the function they simplify, but take advantage of types and overload support in Nim
 * help turn pointers and bytes into Nim types
 
+## Static linking
+
+If you'd like to statically link to a precompiled `libbearssl.a` library, define `-d:bearStaticLibPath=/path/to/libbearssl.a`. This will take advantage of BearSSL's "static linking model in which only algorithms that are actually used get pulled into the linked binary."
+
 ## Installation
 
 You can install the developement version of the library through nimble with the following command:

diff --git a/bearssl/abi/bearssl_aead.nim b/bearssl/abi/bearssl_aead.nim
@@ -4,12 +4,13 @@ import
 {.pragma: importcFunc, cdecl, gcsafe, noSideEffect, raises: [].}
 {.used.}
 
-const
-  bearAeadPath = bearSrcPath & "aead/"
+when not bearUseStaticLib:
+  const
+    bearAeadPath = bearSrcPath & "aead/"
 
-{.compile: bearAeadPath & "ccm.c".}
-{.compile: bearAeadPath & "eax.c".}
-{.compile: bearAeadPath & "gcm.c".}
+  {.compile: bearAeadPath & "ccm.c".}
+  {.compile: bearAeadPath & "eax.c".}
+  {.compile: bearAeadPath & "gcm.c".}
 
 type
   AeadClass* {.importc: "br_aead_class", header: "bearssl_aead.h", bycopy.} = object

diff --git a/bearssl/abi/bearssl_block.nim b/bearssl/abi/bearssl_block.nim
@@ -4,59 +4,60 @@ import
 {.pragma: importcFunc, cdecl, gcsafe, noSideEffect, raises: [].}
 {.used.}
 
-const
-  bearSymcPath = bearSrcPath & "symcipher/"
-
-{.compile: bearSymcPath & "aes_big_cbcdec.c".}
-{.compile: bearSymcPath & "aes_big_cbcenc.c".}
-{.compile: bearSymcPath & "aes_big_ctr.c".}
-{.compile: bearSymcPath & "aes_big_ctrcbc.c".}
-{.compile: bearSymcPath & "aes_big_dec.c".}
-{.compile: bearSymcPath & "aes_big_enc.c".}
-{.compile: bearSymcPath & "aes_common.c".}
-{.compile: bearSymcPath & "aes_ct.c".}
-{.compile: bearSymcPath & "aes_ct64.c".}
-{.compile: bearSymcPath & "aes_ct64_cbcdec.c".}
-{.compile: bearSymcPath & "aes_ct64_cbcenc.c".}
-{.compile: bearSymcPath & "aes_ct64_ctr.c".}
-{.compile: bearSymcPath & "aes_ct64_ctrcbc.c".}
-{.compile: bearSymcPath & "aes_ct64_dec.c".}
-{.compile: bearSymcPath & "aes_ct64_enc.c".}
-{.compile: bearSymcPath & "aes_ct_cbcdec.c".}
-{.compile: bearSymcPath & "aes_ct_cbcenc.c".}
-{.compile: bearSymcPath & "aes_ct_ctr.c".}
-{.compile: bearSymcPath & "aes_ct_ctrcbc.c".}
-{.compile: bearSymcPath & "aes_ct_dec.c".}
-{.compile: bearSymcPath & "aes_ct_enc.c".}
-{.compile: bearSymcPath & "aes_pwr8.c".}
-{.compile: bearSymcPath & "aes_pwr8_cbcdec.c".}
-{.compile: bearSymcPath & "aes_pwr8_cbcenc.c".}
-{.compile: bearSymcPath & "aes_pwr8_ctr.c".}
-{.compile: bearSymcPath & "aes_pwr8_ctrcbc.c".}
-{.compile: bearSymcPath & "aes_small_cbcdec.c".}
-{.compile: bearSymcPath & "aes_small_cbcenc.c".}
-{.compile: bearSymcPath & "aes_small_ctr.c".}
-{.compile: bearSymcPath & "aes_small_ctrcbc.c".}
-{.compile: bearSymcPath & "aes_small_dec.c".}
-{.compile: bearSymcPath & "aes_small_enc.c".}
-{.compile: bearSymcPath & "aes_x86ni.c".}
-{.compile: bearSymcPath & "aes_x86ni_cbcdec.c".}
-{.compile: bearSymcPath & "aes_x86ni_cbcenc.c".}
-{.compile: bearSymcPath & "aes_x86ni_ctr.c".}
-{.compile: bearSymcPath & "aes_x86ni_ctrcbc.c".}
-{.compile: bearSymcPath & "chacha20_ct.c".}
-{.compile: bearSymcPath & "chacha20_sse2.c".}
-{.compile: bearSymcPath & "des_ct.c".}
-{.compile: bearSymcPath & "des_ct_cbcdec.c".}
-{.compile: bearSymcPath & "des_ct_cbcenc.c".}
-{.compile: bearSymcPath & "des_support.c".}
-{.compile: bearSymcPath & "des_tab.c".}
-{.compile: bearSymcPath & "des_tab_cbcdec.c".}
-{.compile: bearSymcPath & "des_tab_cbcenc.c".}
-{.compile: bearSymcPath & "poly1305_ctmul.c".}
-{.compile: bearSymcPath & "poly1305_ctmul32.c".}
-{.compile: bearSymcPath & "poly1305_ctmulq.c".}
-{.compile: bearSymcPath & "poly1305_i15.c".}
+when not bearUseStaticLib:
+  const
+    bearSymcPath = bearSrcPath & "symcipher/"
+
+  {.compile: bearSymcPath & "aes_big_cbcdec.c".}
+  {.compile: bearSymcPath & "aes_big_cbcenc.c".}
+  {.compile: bearSymcPath & "aes_big_ctr.c".}
+  {.compile: bearSymcPath & "aes_big_ctrcbc.c".}
+  {.compile: bearSymcPath & "aes_big_dec.c".}
+  {.compile: bearSymcPath & "aes_big_enc.c".}
+  {.compile: bearSymcPath & "aes_common.c".}
+  {.compile: bearSymcPath & "aes_ct.c".}
+  {.compile: bearSymcPath & "aes_ct64.c".}
+  {.compile: bearSymcPath & "aes_ct64_cbcdec.c".}
+  {.compile: bearSymcPath & "aes_ct64_cbcenc.c".}
+  {.compile: bearSymcPath & "aes_ct64_ctr.c".}
+  {.compile: bearSymcPath & "aes_ct64_ctrcbc.c".}
+  {.compile: bearSymcPath & "aes_ct64_dec.c".}
+  {.compile: bearSymcPath & "aes_ct64_enc.c".}
+  {.compile: bearSymcPath & "aes_ct_cbcdec.c".}
+  {.compile: bearSymcPath & "aes_ct_cbcenc.c".}
+  {.compile: bearSymcPath & "aes_ct_ctr.c".}
+  {.compile: bearSymcPath & "aes_ct_ctrcbc.c".}
+  {.compile: bearSymcPath & "aes_ct_dec.c".}
+  {.compile: bearSymcPath & "aes_ct_enc.c".}
+  {.compile: bearSymcPath & "aes_pwr8.c".}
+  {.compile: bearSymcPath & "aes_pwr8_cbcdec.c".}
+  {.compile: bearSymcPath & "aes_pwr8_cbcenc.c".}
+  {.compile: bearSymcPath & "aes_pwr8_ctr.c".}
+  {.compile: bearSymcPath & "aes_pwr8_ctrcbc.c".}
+  {.compile: bearSymcPath & "aes_small_cbcdec.c".}
+  {.compile: bearSymcPath & "aes_small_cbcenc.c".}
+  {.compile: bearSymcPath & "aes_small_ctr.c".}
+  {.compile: bearSymcPath & "aes_small_ctrcbc.c".}
+  {.compile: bearSymcPath & "aes_small_dec.c".}
+  {.compile: bearSymcPath & "aes_small_enc.c".}
+  {.compile: bearSymcPath & "aes_x86ni.c".}
+  {.compile: bearSymcPath & "aes_x86ni_cbcdec.c".}
+  {.compile: bearSymcPath & "aes_x86ni_cbcenc.c".}
+  {.compile: bearSymcPath & "aes_x86ni_ctr.c".}
+  {.compile: bearSymcPath & "aes_x86ni_ctrcbc.c".}
+  {.compile: bearSymcPath & "chacha20_ct.c".}
+  {.compile: bearSymcPath & "chacha20_sse2.c".}
+  {.compile: bearSymcPath & "des_ct.c".}
+  {.compile: bearSymcPath & "des_ct_cbcdec.c".}
+  {.compile: bearSymcPath & "des_ct_cbcenc.c".}
+  {.compile: bearSymcPath & "des_support.c".}
+  {.compile: bearSymcPath & "des_tab.c".}
+  {.compile: bearSymcPath & "des_tab_cbcdec.c".}
+  {.compile: bearSymcPath & "des_tab_cbcenc.c".}
+  {.compile: bearSymcPath & "poly1305_ctmul.c".}
+  {.compile: bearSymcPath & "poly1305_ctmul32.c".}
+  {.compile: bearSymcPath & "poly1305_ctmulq.c".}
+  {.compile: bearSymcPath & "poly1305_i15.c".}
 
 type
   BlockCbcencClass* {.importc: "br_block_cbcenc_class", header: "bearssl_block.h",

diff --git a/bearssl/abi/bearssl_ec.nim b/bearssl/abi/bearssl_ec.nim
@@ -4,46 +4,47 @@ import
 {.pragma: importcFunc, cdecl, gcsafe, noSideEffect, raises: [].}
 {.used.}
 
-const
-  bearEcPath = bearSrcPath & "ec/"
-
-{.compile: bearEcPath & "ecdsa_atr.c".}
-{.compile: bearEcPath & "ecdsa_default_sign_asn1.c".}
-{.compile: bearEcPath & "ecdsa_default_sign_raw.c".}
-{.compile: bearEcPath & "ecdsa_default_vrfy_asn1.c".}
-{.compile: bearEcPath & "ecdsa_default_vrfy_raw.c".}
-{.compile: bearEcPath & "ecdsa_i15_bits.c".}
-{.compile: bearEcPath & "ecdsa_i15_sign_asn1.c".}
-{.compile: bearEcPath & "ecdsa_i15_sign_raw.c".}
-{.compile: bearEcPath & "ecdsa_i15_vrfy_asn1.c".}
-{.compile: bearEcPath & "ecdsa_i15_vrfy_raw.c".}
-{.compile: bearEcPath & "ecdsa_i31_bits.c".}
-{.compile: bearEcPath & "ecdsa_i31_sign_asn1.c".}
-{.compile: bearEcPath & "ecdsa_i31_sign_raw.c".}
-{.compile: bearEcPath & "ecdsa_i31_vrfy_asn1.c".}
-{.compile: bearEcPath & "ecdsa_i31_vrfy_raw.c".}
-{.compile: bearEcPath & "ecdsa_rta.c".}
-{.compile: bearEcPath & "ec_all_m15.c".}
-{.compile: bearEcPath & "ec_all_m31.c".}
-{.compile: bearEcPath & "ec_c25519_i15.c".}
-{.compile: bearEcPath & "ec_c25519_i31.c".}
-{.compile: bearEcPath & "ec_c25519_m15.c".}
-{.compile: bearEcPath & "ec_c25519_m31.c".}
-{.compile: bearEcPath & "ec_c25519_m62.c".}
-{.compile: bearEcPath & "ec_c25519_m64.c".}
-{.compile: bearEcPath & "ec_curve25519.c".}
-{.compile: bearEcPath & "ec_default.c".}
-{.compile: bearEcPath & "ec_keygen.c".}
-{.compile: bearEcPath & "ec_p256_m15.c".}
-{.compile: bearEcPath & "ec_p256_m31.c".}
-{.compile: bearEcPath & "ec_p256_m62.c".}
-{.compile: bearEcPath & "ec_p256_m64.c".}
-{.compile: bearEcPath & "ec_prime_i15.c".}
-{.compile: bearEcPath & "ec_prime_i31.c".}
-{.compile: bearEcPath & "ec_pubkey.c".}
-{.compile: bearEcPath & "ec_secp256r1.c".}
-{.compile: bearEcPath & "ec_secp384r1.c".}
-{.compile: bearEcPath & "ec_secp521r1.c".}
+when not bearUseStaticLib:
+  const
+    bearEcPath = bearSrcPath & "ec/"
+
+  {.compile: bearEcPath & "ecdsa_atr.c".}
+  {.compile: bearEcPath & "ecdsa_default_sign_asn1.c".}
+  {.compile: bearEcPath & "ecdsa_default_sign_raw.c".}
+  {.compile: bearEcPath & "ecdsa_default_vrfy_asn1.c".}
+  {.compile: bearEcPath & "ecdsa_default_vrfy_raw.c".}
+  {.compile: bearEcPath & "ecdsa_i15_bits.c".}
+  {.compile: bearEcPath & "ecdsa_i15_sign_asn1.c".}
+  {.compile: bearEcPath & "ecdsa_i15_sign_raw.c".}
+  {.compile: bearEcPath & "ecdsa_i15_vrfy_asn1.c".}
+  {.compile: bearEcPath & "ecdsa_i15_vrfy_raw.c".}
+  {.compile: bearEcPath & "ecdsa_i31_bits.c".}
+  {.compile: bearEcPath & "ecdsa_i31_sign_asn1.c".}
+  {.compile: bearEcPath & "ecdsa_i31_sign_raw.c".}
+  {.compile: bearEcPath & "ecdsa_i31_vrfy_asn1.c".}
+  {.compile: bearEcPath & "ecdsa_i31_vrfy_raw.c".}
+  {.compile: bearEcPath & "ecdsa_rta.c".}
+  {.compile: bearEcPath & "ec_all_m15.c".}
+  {.compile: bearEcPath & "ec_all_m31.c".}
+  {.compile: bearEcPath & "ec_c25519_i15.c".}
+  {.compile: bearEcPath & "ec_c25519_i31.c".}
+  {.compile: bearEcPath & "ec_c25519_m15.c".}
+  {.compile: bearEcPath & "ec_c25519_m31.c".}
+  {.compile: bearEcPath & "ec_c25519_m62.c".}
+  {.compile: bearEcPath & "ec_c25519_m64.c".}
+  {.compile: bearEcPath & "ec_curve25519.c".}
+  {.compile: bearEcPath & "ec_default.c".}
+  {.compile: bearEcPath & "ec_keygen.c".}
+  {.compile: bearEcPath & "ec_p256_m15.c".}
+  {.compile: bearEcPath & "ec_p256_m31.c".}
+  {.compile: bearEcPath & "ec_p256_m62.c".}
+  {.compile: bearEcPath & "ec_p256_m64.c".}
+  {.compile: bearEcPath & "ec_prime_i15.c".}
+  {.compile: bearEcPath & "ec_prime_i31.c".}
+  {.compile: bearEcPath & "ec_pubkey.c".}
+  {.compile: bearEcPath & "ec_secp256r1.c".}
+  {.compile: bearEcPath & "ec_secp384r1.c".}
+  {.compile: bearEcPath & "ec_secp521r1.c".}
 
 
 const

diff --git a/bearssl/abi/bearssl_hash.nim b/bearssl/abi/bearssl_hash.nim
@@ -4,23 +4,24 @@ import
 {.pragma: importcFunc, cdecl, gcsafe, noSideEffect, raises: [].}
 {.used.}
 
-const
-  bearHashPath = bearSrcPath & "hash/"
-
-{.compile: bearHashPath & "dig_oid.c".}
-{.compile: bearHashPath & "dig_size.c".}
-{.compile: bearHashPath & "ghash_ctmul.c".}
-{.compile: bearHashPath & "ghash_ctmul32.c".}
-{.compile: bearHashPath & "ghash_ctmul64.c".}
-{.compile: bearHashPath & "ghash_pclmul.c".}
-{.compile: bearHashPath & "ghash_pwr8.c".}
-{.compile: bearHashPath & "md5.c".}
-{.compile: bearHashPath & "md5sha1.c".}
-{.compile: bearHashPath & "mgf1.c".}
-{.compile: bearHashPath & "multihash.c".}
-{.compile: bearHashPath & "sha1.c".}
-{.compile: bearHashPath & "sha2big.c".}
-{.compile: bearHashPath & "sha2small.c".}
+when not bearUseStaticLib:
+  const
+    bearHashPath = bearSrcPath & "hash/"
+
+  {.compile: bearHashPath & "dig_oid.c".}
+  {.compile: bearHashPath & "dig_size.c".}
+  {.compile: bearHashPath & "ghash_ctmul.c".}
+  {.compile: bearHashPath & "ghash_ctmul32.c".}
+  {.compile: bearHashPath & "ghash_ctmul64.c".}
+  {.compile: bearHashPath & "ghash_pclmul.c".}
+  {.compile: bearHashPath & "ghash_pwr8.c".}
+  {.compile: bearHashPath & "md5.c".}
+  {.compile: bearHashPath & "md5sha1.c".}
+  {.compile: bearHashPath & "mgf1.c".}
+  {.compile: bearHashPath & "multihash.c".}
+  {.compile: bearHashPath & "sha1.c".}
+  {.compile: bearHashPath & "sha2big.c".}
+  {.compile: bearHashPath & "sha2small.c".}
 
 type
   ConstPtrPtrHashClass* {.importc: "const br_hash_class**", header: "bearssl_hash.h", bycopy.} = pointer

diff --git a/bearssl/abi/bearssl_hmac.nim b/bearssl/abi/bearssl_hmac.nim
@@ -4,11 +4,12 @@ import
 {.pragma: importcFunc, cdecl, gcsafe, noSideEffect, raises: [].}
 {.used.}
 
-const
-  bearMacPath = bearSrcPath & "mac/"
+when not bearUseStaticLib:
+  const
+    bearMacPath = bearSrcPath & "mac/"
 
-{.compile: bearMacPath & "hmac.c".}
-{.compile: bearMacPath & "hmac_ct.c".}
+  {.compile: bearMacPath & "hmac.c".}
+  {.compile: bearMacPath & "hmac_ct.c".}
 
 type
   HmacKeyContext* {.importc: "br_hmac_key_context", header: "bearssl_hmac.h", bycopy.} = object

diff --git a/bearssl/abi/bearssl_kdf.nim b/bearssl/abi/bearssl_kdf.nim
@@ -4,11 +4,12 @@ import
 {.pragma: importcFunc, cdecl, gcsafe, noSideEffect, raises: [].}
 {.used.}
 
-const
-  bearKdfPath = bearSrcPath & "kdf/"
+when not bearUseStaticLib:
+  const
+    bearKdfPath = bearSrcPath & "kdf/"
 
-{.compile: bearKdfPath & "hkdf.c".}
-{.compile: bearKdfPath & "shake.c".}
+  {.compile: bearKdfPath & "hkdf.c".}
+  {.compile: bearKdfPath & "shake.c".}
 
 type
   INNER_C_UNION_bearssl_kdf_1* {.importc: "br_hkdf_context::no_name",

diff --git a/bearssl/abi/bearssl_pem.nim b/bearssl/abi/bearssl_pem.nim
@@ -4,11 +4,12 @@ import
 {.pragma: importcFunc, cdecl, gcsafe, noSideEffect, raises: [].}
 {.used.}
 
-const
-  bearCodecPath = bearSrcPath & "codec/"
+when not bearUseStaticLib:
+  const
+    bearCodecPath = bearSrcPath & "codec/"
 
-{.compile: bearCodecPath & "pemdec.c".}
-{.compile: bearCodecPath & "pemenc.c".}
+  {.compile: bearCodecPath & "pemdec.c".}
+  {.compile: bearCodecPath & "pemenc.c".}
 
 type
   INNER_C_STRUCT_bearssl_pem_1* {.importc: "br_pem_decoder_context::no_name",

diff --git a/bearssl/abi/bearssl_prf.nim b/bearssl/abi/bearssl_prf.nim
@@ -4,13 +4,14 @@ import
 {.pragma: importcFunc, cdecl, gcsafe, noSideEffect, raises: [].}
 {.used.}
 
-const
-  bearSslPath = bearSrcPath & "ssl/"
-
-{.compile: bearSslPath & "prf.c".}
-{.compile: bearSslPath & "prf_md5sha1.c".}
-{.compile: bearSslPath & "prf_sha256.c".}
-{.compile: bearSslPath & "prf_sha384.c".}
+when not bearUseStaticLib:
+  const
+    bearSslPath = bearSrcPath & "ssl/"
+
+  {.compile: bearSslPath & "prf.c".}
+  {.compile: bearSslPath & "prf_md5sha1.c".}
+  {.compile: bearSslPath & "prf_sha256.c".}
+  {.compile: bearSslPath & "prf_sha384.c".}
 
 type
   TlsPrfSeedChunk* {.importc: "br_tls_prf_seed_chunk", header: "bearssl_prf.h",

diff --git a/bearssl/abi/bearssl_rand.nim b/bearssl/abi/bearssl_rand.nim
@@ -4,12 +4,13 @@ import
 {.pragma: importcFunc, cdecl, gcsafe, noSideEffect, raises: [].}
 {.used.}
 
-const
-  bearRandPath = bearSrcPath & "rand/"
+when not bearUseStaticLib:
+  const
+    bearRandPath = bearSrcPath & "rand/"
 
-# {.compile: bearRandPath & "aesctr_drbg.c".}
-{.compile: bearRandPath & "hmac_drbg.c".}
-{.compile: bearRandPath & "sysrng.c".}
+  # {.compile: bearRandPath & "aesctr_drbg.c".}
+  {.compile: bearRandPath & "hmac_drbg.c".}
+  {.compile: bearRandPath & "sysrng.c".}
 
 type
   PrngClass* {.importc: "br_prng_class", header: "bearssl_rand.h", bycopy.} = object