Support symbol prefixes

- In base.h, if BORINGSSL_PREFIX is defined, include
  boringssl_prefix_symbols.h
- In all .S files, if BORINGSSL_PREFIX is defined, include
  boringssl_prefix_symbols_asm.h
- In base.h, BSSL_NAMESPACE_BEGIN and BSSL_NAMESPACE_END are
  defined with appropriate values depending on whether
  BORINGSSL_PREFIX is defined; these macros are used in place
  of 'namespace bssl {' and '}'
- Add util/make_prefix_headers.go, which takes a list of symbols
  and auto-generates the header files mentioned above
- In CMakeLists.txt, if BORINGSSL_PREFIX and BORINGSSL_PREFIX_SYMBOLS
  are defined, run util/make_prefix_headers.go to generate header
  files
- In various CMakeLists.txt files, add "global_target" that all
  targets depend on to give us a place to hook logic that must run
  before all other targets (in particular, the header file generation
  logic)
- Document this in BUILDING.md, including the fact that it is
  the caller's responsibility to provide the symbol list and keep it
  up to date
- Note that this scheme has not been tested on Windows, and likely
  does not work on it; Windows support will need to be added in a
  future commit

Change-Id: If66a7157f46b5b66230ef91e15826b910cf979a2
Reviewed-on: https://boringssl-review.googlesource.com/31364
Commit-Queue: David Benjamin <davidben@google.com>
CQ-Verified: CQ bot account: commit-bot@chromium.org <commit-bot@chromium.org>
Reviewed-by: David Benjamin <davidben@google.com>

BUILDING.md

@@ -110,6 +110,28 @@ architecture, matching values used in the `-arch` flag in Apple's toolchain.
 Passing multiple architectures for a multiple-architecture build is not
 supported.
 
+### Building with Prefixed Symbols
+
+BoringSSL's build system has experimental support for adding a custom prefix to
+all symbols. This can be useful when linking multiple versions of BoringSSL in
+the same project to avoid symbol conflicts.
+
+In order to build with prefixed symbols, the `BORINGSSL_PREFIX` CMake variable
+should specify the prefix to add to all symbols, and the
+`BORINGSSL_PREFIX_SYMBOLS` CMake variable should specify the path to a file
+which contains a list of symbols which should be prefixed (one per line;
+comments are supported with `#`). In other words, `cmake ..
+-DBORINGSSL_PREFIX=MY_CUSTOM_PREFIX
+-DBORINGSSL_PREFIX_SYMBOLS=/path/to/symbols.txt` will configure the build to add
+the prefix `MY_CUSTOM_PREFIX` to all of the symbols listed in
+`/path/to/symbols.txt`.
+
+It is currently the caller's responsibility to create and maintain the list of
+symbols to be prefixed.
+
+This mechanism is under development and may change over time. Please contact the
+BoringSSL maintainers if making use of it.
+
 ## Known Limitations on Windows
 
   * Versions of CMake since 3.0.2 have a bug in its Ninja generator that causes

CMakeLists.txt

@@ -20,6 +20,11 @@ include(sources.cmake)
 enable_language(C)
 enable_language(CXX)
 
+# This is a dummy target which all other targets depend on (manually - see other
+# CMakeLists.txt files). This gives us a hook to add any targets which need to
+# run before all other targets.
+add_custom_target(global_target)
+
 if(ANDROID)
   # Android-NDK CMake files reconfigure the path and so Go and Perl won't be
   # found. However, ninja will still find them in $PATH if we just name them.
@@ -41,10 +46,37 @@ endif()
 if(USE_CUSTOM_LIBCXX)
   set(BORINGSSL_ALLOW_CXX_RUNTIME 1)
 endif()
+
 if(BORINGSSL_ALLOW_CXX_RUNTIME)
   add_definitions(-DBORINGSSL_ALLOW_CXX_RUNTIME)
 endif()
 
+if(BORINGSSL_PREFIX AND BORINGSSL_PREFIX_SYMBOLS)
+  add_definitions(-DBORINGSSL_PREFIX=${BORINGSSL_PREFIX})
+
+  # Use "symbol_prefix_include" to store generated header files
+  include_directories(${CMAKE_CURRENT_BINARY_DIR}/symbol_prefix_include)
+  add_custom_command(
+    OUTPUT symbol_prefix_include/boringssl_prefix_symbols.h
+           symbol_prefix_include/boringssl_prefix_symbols_asm.h
+           symbol_prefix_include/boringssl_prefix_symbols_nasm.inc
+    COMMAND ${CMAKE_COMMAND} -E make_directory ${CMAKE_CURRENT_BINARY_DIR}/symbol_prefix_include
+    COMMAND ${GO_EXECUTABLE} run ${CMAKE_CURRENT_SOURCE_DIR}/util/make_prefix_headers.go -out ${CMAKE_CURRENT_BINARY_DIR}/symbol_prefix_include ${BORINGSSL_PREFIX_SYMBOLS}
+    DEPENDS util/make_prefix_headers.go
+            ${CMAKE_BINARY_DIR}/${BORINGSSL_PREFIX_SYMBOLS})
+
+  # add_dependencies needs a target, not a file, so we add an intermediate
+  # target.
+  add_custom_target(
+    boringssl_prefix_symbols
+    DEPENDS symbol_prefix_include/boringssl_prefix_symbols.h
+            symbol_prefix_include/boringssl_prefix_symbols_asm.h
+            symbol_prefix_include/boringssl_prefix_symbols_nasm.inc)
+  add_dependencies(global_target boringssl_prefix_symbols)
+elseif(BORINGSSL_PREFIX OR BORINGSSL_PREFIX_SYMBOLS)
+  message(FATAL_ERROR "Must specify both or neither of BORINGSSL_PREFIX and BORINGSSL_PREFIX_SYMBOLS")
+endif()
+
 if(CMAKE_CXX_COMPILER_ID MATCHES "Clang")
   set(CLANG 1)
 endif()

crypto/CMakeLists.txt

@@ -401,6 +401,8 @@ add_library(
   ${CRYPTO_FIPS_OBJECTS}
 )
 
+add_dependencies(crypto global_target)
+
 if(FIPS_DELOCATE)
   add_dependencies(crypto bcm_o_target)
 endif()
@@ -476,6 +478,8 @@ add_executable(
   $<TARGET_OBJECTS:test_support>
 )
 
+add_dependencies(crypto_test global_target)
+
 target_link_libraries(crypto_test crypto boringssl_gtest)
 if(WIN32)
   target_link_libraries(crypto_test ws2_32)

crypto/err/internal.h

@@ -46,11 +46,11 @@ OPENSSL_EXPORT void ERR_restore_state(const ERR_SAVE_STATE *state);
 
 extern "C++" {
 
-namespace bssl {
+BSSL_NAMESPACE_BEGIN
 
 BORINGSSL_MAKE_DELETER(ERR_SAVE_STATE, ERR_SAVE_STATE_free)
 
-}  // namespace bssl
+BSSL_NAMESPACE_END
 
 }  // extern C++
 #endif

crypto/fipsmodule/CMakeLists.txt

@@ -136,6 +136,8 @@ if(FIPS_DELOCATE)
     bcm.c
   )
 
+  add_dependencies(bcm_c_generated_asm global_target)
+
   set_target_properties(bcm_c_generated_asm PROPERTIES COMPILE_OPTIONS "-S")
   set_target_properties(bcm_c_generated_asm PROPERTIES POSITION_INDEPENDENT_CODE ON)
 
@@ -164,6 +166,8 @@ if(FIPS_DELOCATE)
     bcm-delocated.S
   )
 
+  add_dependencies(bcm_hashunset global_target)
+
   set_target_properties(bcm_hashunset PROPERTIES POSITION_INDEPENDENT_CODE ON)
   set_target_properties(bcm_hashunset PROPERTIES LINKER_LANGUAGE C)
 
@@ -187,6 +191,8 @@ if(FIPS_DELOCATE)
     is_fips.c
   )
 
+  add_dependencies(fipsmodule global_target)
+
   set_target_properties(fipsmodule PROPERTIES LINKER_LANGUAGE C)
 else()
   add_library(
@@ -199,4 +205,6 @@ else()
 
     ${BCM_ASM_SOURCES}
   )
+
+  add_dependencies(fipsmodule global_target)
 endif()

crypto/internal.h

@@ -488,7 +488,7 @@ OPENSSL_EXPORT void CRYPTO_STATIC_MUTEX_unlock_write(
 #if defined(__cplusplus)
 extern "C++" {
 
-namespace bssl {
+BSSL_NAMESPACE_BEGIN
 
 namespace internal {
 
@@ -516,7 +516,7 @@ using MutexWriteLock =
 using MutexReadLock =
     internal::MutexLockBase<CRYPTO_MUTEX_lock_read, CRYPTO_MUTEX_unlock_read>;
 
-}  // namespace bssl
+BSSL_NAMESPACE_END
 
 }  // extern "C++"
 #endif  // defined(__cplusplus)

crypto/perlasm/x86_64-xlate.pl

@@ -1129,6 +1129,10 @@ default	rel
 %define XMMWORD
 %define YMMWORD
 %define ZMMWORD
+
+%ifdef BORINGSSL_PREFIX
+%include "boringssl_prefix_symbols_nasm.inc"
+%endif
 ___
 } elsif ($masm) {
     print <<___;
@@ -1136,6 +1140,9 @@ OPTION	DOTNAME
 ___
 }
 print STDOUT "#if defined(__x86_64__) && !defined(OPENSSL_NO_ASM)\n" if ($gas);
+print STDOUT "#if defined(BORINGSSL_PREFIX)\n" if ($gas);
+print STDOUT "#include <boringssl_prefix_symbols_asm.h>\n" if ($gas);
+print STDOUT "#endif\n" if ($gas);
 
 while(defined(my $line=<>)) {
 

crypto/test/CMakeLists.txt

@@ -9,6 +9,8 @@ add_library(
   wycheproof_util.cc
 )
 
+add_dependencies(test_support global_target)
+
 add_library(
   boringssl_gtest_main
 
@@ -16,3 +18,5 @@ add_library(
 
   gtest_main.cc
 )
+
+add_dependencies(boringssl_gtest_main global_target)

crypto/test/gtest_main.h

@@ -30,7 +30,7 @@ OPENSSL_MSVC_PRAGMA(warning(pop))
 #endif
 
 
-namespace bssl {
+BSSL_NAMESPACE_BEGIN
 
 class ErrorTestEventListener : public testing::EmptyTestEventListener {
  public:
@@ -73,7 +73,7 @@ inline void SetupGoogleTest() {
       new ErrorTestEventListener);
 }
 
-}  // namespace bssl
+BSSL_NAMESPACE_END
 
 
 #endif  // OPENSSL_HEADER_CRYPTO_TEST_GTEST_MAIN_H

decrepit/CMakeLists.txt

@@ -22,6 +22,8 @@ add_library(
   xts/xts.c
 )
 
+add_dependencies(decrepit global_target)
+
 target_link_libraries(decrepit crypto ssl)
 
 add_executable(
@@ -34,6 +36,8 @@ add_executable(
   $<TARGET_OBJECTS:test_support>
 )
 
+add_dependencies(decrepit_test global_target)
+
 target_link_libraries(decrepit_test crypto decrepit boringssl_gtest)
 if(WIN32)
   target_link_libraries(decrepit_test ws2_32)

fipstools/CMakeLists.txt

@@ -29,6 +29,8 @@ if(FIPS)
     $<TARGET_OBJECTS:test_support>
   )
 
+  add_dependencies(cavp global_target)
+
   add_executable(
     test_fips
 
@@ -36,6 +38,8 @@ if(FIPS)
     $<TARGET_OBJECTS:test_support>
   )
 
+  add_dependencies(test_fips global_target)
+
   target_link_libraries(cavp crypto)
   target_link_libraries(test_fips crypto)
 endif()

fuzz/CMakeLists.txt

@@ -4,6 +4,7 @@ set(CMAKE_CXX_FLAGS "${CMAKE_CXX_FLAGS} -Wno-missing-prototypes")
 
 macro(fuzzer name)
   add_executable(${name} ${name}.cc)
+  add_dependencies(${name} global_target)
   target_link_libraries(${name} crypto ${ARGN})
   set_target_properties(${name} PROPERTIES LINK_FLAGS "-fsanitize=fuzzer")
 endmacro()

include/openssl/aead.h

@@ -425,7 +425,7 @@ OPENSSL_EXPORT int EVP_AEAD_CTX_tag_len(const EVP_AEAD_CTX *ctx,
 #if !defined(BORINGSSL_NO_CXX)
 extern "C++" {
 
-namespace bssl {
+BSSL_NAMESPACE_BEGIN
 
 using ScopedEVP_AEAD_CTX =
     internal::StackAllocated<EVP_AEAD_CTX, void, EVP_AEAD_CTX_zero,
@@ -433,7 +433,7 @@ using ScopedEVP_AEAD_CTX =
 
 BORINGSSL_MAKE_DELETER(EVP_AEAD_CTX, EVP_AEAD_CTX_free)
 
-}  // namespace bssl
+BSSL_NAMESPACE_END
 
 }  // extern C++
 #endif

include/openssl/asn1.h

@@ -875,13 +875,13 @@ OPENSSL_EXPORT ASN1_TYPE *ASN1_generate_v3(char *str, X509V3_CTX *cnf);
 
 extern "C++" {
 
-namespace bssl {
+BSSL_NAMESPACE_BEGIN
 
 BORINGSSL_MAKE_DELETER(ASN1_OBJECT, ASN1_OBJECT_free)
 BORINGSSL_MAKE_DELETER(ASN1_STRING, ASN1_STRING_free)
 BORINGSSL_MAKE_DELETER(ASN1_TYPE, ASN1_TYPE_free)
 
-}  // namespace bssl
+BSSL_NAMESPACE_END
 
 }  /* extern C++ */
 

include/openssl/base.h

@@ -71,6 +71,10 @@
 #include <openssl/is_boringssl.h>
 #include <openssl/opensslconf.h>
 
+#if defined(BORINGSSL_PREFIX)
+#include <boringssl_prefix_symbols.h>
+#endif
+
 #if defined(__cplusplus)
 extern "C" {
 #endif
@@ -366,6 +370,19 @@ typedef void *OPENSSL_BLOCK;
 #endif
 
 #if !defined(BORINGSSL_NO_CXX)
+
+#if defined(BORINGSSL_PREFIX)
+#define BSSL_NAMESPACE_BEGIN \
+  namespace bssl {           \
+  inline namespace BORINGSSL_PREFIX {
+#define BSSL_NAMESPACE_END \
+  }                        \
+  }
+#else
+#define BSSL_NAMESPACE_BEGIN namespace bssl {
+#define BSSL_NAMESPACE_END }
+#endif
+
 extern "C++" {
 
 #include <memory>
@@ -387,7 +404,7 @@ extern "C++" {
 
 extern "C++" {
 
-namespace bssl {
+BSSL_NAMESPACE_BEGIN
 
 namespace internal {
 
@@ -464,7 +481,7 @@ using UniquePtr = std::unique_ptr<T, internal::Deleter<T>>;
     return UpRef(ptr.get());                                        \
   }
 
-}  // namespace bssl
+BSSL_NAMESPACE_END
 
 }  // extern C++
 

include/openssl/bio.h

@@ -894,12 +894,12 @@ struct bio_st {
 
 extern "C++" {
 
-namespace bssl {
+BSSL_NAMESPACE_BEGIN
 
 BORINGSSL_MAKE_DELETER(BIO, BIO_free)
 BORINGSSL_MAKE_UP_REF(BIO, BIO_up_ref)
 
-}  // namespace bssl
+BSSL_NAMESPACE_END
 
 }  // extern C++
 

include/openssl/bn.h

@@ -987,7 +987,7 @@ OPENSSL_EXPORT unsigned BN_num_bits_word(BN_ULONG l);
 #if !defined(BORINGSSL_NO_CXX)
 extern "C++" {
 
-namespace bssl {
+BSSL_NAMESPACE_BEGIN
 
 BORINGSSL_MAKE_DELETER(BIGNUM, BN_free)
 BORINGSSL_MAKE_DELETER(BN_CTX, BN_CTX_free)
@@ -1005,7 +1005,7 @@ class BN_CTXScope {
   BN_CTXScope &operator=(BN_CTXScope &) = delete;
 };
 
-}  // namespace bssl
+BSSL_NAMESPACE_END
 
 }  // extern C++
 #endif

include/openssl/buf.h

@@ -124,11 +124,11 @@ OPENSSL_EXPORT size_t BUF_strlcat(char *dst, const char *src, size_t dst_size);
 
 extern "C++" {
 
-namespace bssl {
+BSSL_NAMESPACE_BEGIN
 
 BORINGSSL_MAKE_DELETER(BUF_MEM, BUF_MEM_free)
 
-}  // namespace bssl
+BSSL_NAMESPACE_END
 
 }  // extern C++
 

include/openssl/bytestring.h

@@ -491,11 +491,11 @@ OPENSSL_EXPORT int CBB_flush_asn1_set_of(CBB *cbb);
 #if !defined(BORINGSSL_NO_CXX)
 extern "C++" {
 
-namespace bssl {
+BSSL_NAMESPACE_BEGIN
 
 using ScopedCBB = internal::StackAllocated<CBB, void, CBB_zero, CBB_cleanup>;
 
-}  // namespace bssl
+BSSL_NAMESPACE_END
 
 }  // extern C++
 #endif

include/openssl/cipher.h

@@ -571,7 +571,7 @@ struct evp_cipher_st {
 #if !defined(BORINGSSL_NO_CXX)
 extern "C++" {
 
-namespace bssl {
+BSSL_NAMESPACE_BEGIN
 
 BORINGSSL_MAKE_DELETER(EVP_CIPHER_CTX, EVP_CIPHER_CTX_free)
 
@@ -579,7 +579,7 @@ using ScopedEVP_CIPHER_CTX =
     internal::StackAllocated<EVP_CIPHER_CTX, int, EVP_CIPHER_CTX_init,
                              EVP_CIPHER_CTX_cleanup>;
 
-}  // namespace bssl
+BSSL_NAMESPACE_END
 
 }  // extern C++
 #endif

include/openssl/cmac.h

@@ -78,11 +78,11 @@ OPENSSL_EXPORT int CMAC_Final(CMAC_CTX *ctx, uint8_t *out, size_t *out_len);
 
 extern "C++" {
 
-namespace bssl {
+BSSL_NAMESPACE_BEGIN
 
 BORINGSSL_MAKE_DELETER(CMAC_CTX, CMAC_CTX_free)
 
-}  // namespace bssl
+BSSL_NAMESPACE_END
 
 }  // extern C++
 

include/openssl/conf.h

@@ -162,11 +162,11 @@ OPENSSL_EXPORT void OPENSSL_no_config(void);
 
 extern "C++" {
 
-namespace bssl {
+BSSL_NAMESPACE_BEGIN
 
 BORINGSSL_MAKE_DELETER(CONF, NCONF_free)
 
-}  // namespace bssl
+BSSL_NAMESPACE_END
 
 }  // extern C++
 

include/openssl/curve25519.h

@@ -188,11 +188,11 @@ OPENSSL_EXPORT int SPAKE2_process_msg(SPAKE2_CTX *ctx, uint8_t *out_key,
 
 extern "C++" {
 
-namespace bssl {
+BSSL_NAMESPACE_BEGIN
 
 BORINGSSL_MAKE_DELETER(SPAKE2_CTX, SPAKE2_CTX_free)
 
-}  // namespace bssl
+BSSL_NAMESPACE_END
 
 }  // extern C++
 

include/openssl/dh.h

@@ -278,11 +278,11 @@ struct dh_st {
 
 extern "C++" {
 
-namespace bssl {
+BSSL_NAMESPACE_BEGIN
 
 BORINGSSL_MAKE_DELETER(DH, DH_free)
 
-}  // namespace bssl
+BSSL_NAMESPACE_END
 
 }  // extern C++
 

include/openssl/digest.h

@@ -295,7 +295,7 @@ struct env_md_ctx_st {
 #if !defined(BORINGSSL_NO_CXX)
 extern "C++" {
 
-namespace bssl {
+BSSL_NAMESPACE_BEGIN
 
 BORINGSSL_MAKE_DELETER(EVP_MD_CTX, EVP_MD_CTX_free)
 
@@ -303,7 +303,7 @@ using ScopedEVP_MD_CTX =
     internal::StackAllocated<EVP_MD_CTX, int, EVP_MD_CTX_init,
                              EVP_MD_CTX_cleanup>;
 
-}  // namespace bssl
+BSSL_NAMESPACE_END
 
 }  // extern C++
 #endif

include/openssl/dsa.h

@@ -417,12 +417,12 @@ struct dsa_st {
 
 extern "C++" {
 
-namespace bssl {
+BSSL_NAMESPACE_BEGIN
 
 BORINGSSL_MAKE_DELETER(DSA, DSA_free)
 BORINGSSL_MAKE_DELETER(DSA_SIG, DSA_SIG_free)
 
-}  // namespace bssl
+BSSL_NAMESPACE_END
 
 }  // extern C++
 

include/openssl/ec.h

@@ -357,12 +357,12 @@ OPENSSL_EXPORT void EC_POINT_clear_free(EC_POINT *point);
 
 extern "C++" {
 
-namespace bssl {
+BSSL_NAMESPACE_BEGIN
 
 BORINGSSL_MAKE_DELETER(EC_POINT, EC_POINT_free)
 BORINGSSL_MAKE_DELETER(EC_GROUP, EC_GROUP_free)
 
-}  // namespace bssl
+BSSL_NAMESPACE_END
 
 }  // extern C++
 

include/openssl/ec_key.h

@@ -336,11 +336,11 @@ OPENSSL_EXPORT int i2o_ECPublicKey(const EC_KEY *key, unsigned char **outp);
 
 extern "C++" {
 
-namespace bssl {
+BSSL_NAMESPACE_BEGIN
 
 BORINGSSL_MAKE_DELETER(EC_KEY, EC_KEY_free)
 
-}  // namespace bssl
+BSSL_NAMESPACE_END
 
 }  // extern C++
 

include/openssl/ecdsa.h

@@ -179,11 +179,11 @@ OPENSSL_EXPORT int i2d_ECDSA_SIG(const ECDSA_SIG *sig, uint8_t **outp);
 
 extern "C++" {
 
-namespace bssl {
+BSSL_NAMESPACE_BEGIN
 
 BORINGSSL_MAKE_DELETER(ECDSA_SIG, ECDSA_SIG_free)
 
-}  // namespace bssl
+BSSL_NAMESPACE_END
 
 }  // extern C++
 

include/openssl/engine.h

@@ -94,11 +94,11 @@ struct openssl_method_common_st {
 
 extern "C++" {
 
-namespace bssl {
+BSSL_NAMESPACE_BEGIN
 
 BORINGSSL_MAKE_DELETER(ENGINE, ENGINE_free)
 
-}  // namespace bssl
+BSSL_NAMESPACE_END
 
 }  // extern C++
 

include/openssl/evp.h

@@ -870,13 +870,13 @@ struct evp_pkey_st {
 }  // extern C
 
 extern "C++" {
-namespace bssl {
+BSSL_NAMESPACE_BEGIN
 
 BORINGSSL_MAKE_DELETER(EVP_PKEY, EVP_PKEY_free)
 BORINGSSL_MAKE_UP_REF(EVP_PKEY, EVP_PKEY_up_ref)
 BORINGSSL_MAKE_DELETER(EVP_PKEY_CTX, EVP_PKEY_CTX_free)
 
-}  // namespace bssl
+BSSL_NAMESPACE_END
 
 }  // extern C++
 

include/openssl/hmac.h

@@ -169,14 +169,14 @@ struct hmac_ctx_st {
 #if !defined(BORINGSSL_NO_CXX)
 extern "C++" {
 
-namespace bssl {
+BSSL_NAMESPACE_BEGIN
 
 BORINGSSL_MAKE_DELETER(HMAC_CTX, HMAC_CTX_free)
 
 using ScopedHMAC_CTX =
     internal::StackAllocated<HMAC_CTX, void, HMAC_CTX_init, HMAC_CTX_cleanup>;
 
-}  // namespace bssl
+BSSL_NAMESPACE_END
 
 }  // extern C++
 #endif

include/openssl/mem.h

@@ -142,12 +142,12 @@ OPENSSL_EXPORT int BIO_vsnprintf(char *buf, size_t n, const char *format,
 
 extern "C++" {
 
-namespace bssl {
+BSSL_NAMESPACE_BEGIN
 
 BORINGSSL_MAKE_DELETER(char, OPENSSL_free)
 BORINGSSL_MAKE_DELETER(uint8_t, OPENSSL_free)
 
-}  // namespace bssl
+BSSL_NAMESPACE_END
 
 }  // extern C++
 

include/openssl/pkcs7.h

@@ -199,11 +199,11 @@ OPENSSL_EXPORT PKCS7 *PKCS7_sign(X509 *sign_cert, EVP_PKEY *pkey,
 }  // extern C
 
 extern "C++" {
-namespace bssl {
+BSSL_NAMESPACE_BEGIN
 
 BORINGSSL_MAKE_DELETER(PKCS7, PKCS7_free)
 
-}  // namespace bssl
+BSSL_NAMESPACE_END
 }  // extern C++
 #endif
 

include/openssl/pkcs8.h

@@ -215,12 +215,12 @@ OPENSSL_EXPORT void PKCS12_free(PKCS12 *p12);
 
 extern "C++" {
 
-namespace bssl {
+BSSL_NAMESPACE_BEGIN
 
 BORINGSSL_MAKE_DELETER(PKCS12, PKCS12_free)
 BORINGSSL_MAKE_DELETER(PKCS8_PRIV_KEY_INFO, PKCS8_PRIV_KEY_INFO_free)
 
-}  // namespace bssl
+BSSL_NAMESPACE_END
 
 }  // extern C++
 

include/openssl/pool.h

@@ -87,13 +87,13 @@ OPENSSL_EXPORT void CRYPTO_BUFFER_init_CBS(const CRYPTO_BUFFER *buf, CBS *out);
 
 extern "C++" {
 
-namespace bssl {
+BSSL_NAMESPACE_BEGIN
 
 BORINGSSL_MAKE_DELETER(CRYPTO_BUFFER_POOL, CRYPTO_BUFFER_POOL_free)
 BORINGSSL_MAKE_DELETER(CRYPTO_BUFFER, CRYPTO_BUFFER_free)
 BORINGSSL_MAKE_UP_REF(CRYPTO_BUFFER, CRYPTO_BUFFER_up_ref)
 
-}  // namespace bssl
+BSSL_NAMESPACE_END
 
 }  // extern C++
 

include/openssl/rsa.h

@@ -723,11 +723,11 @@ struct rsa_st {
 
 extern "C++" {
 
-namespace bssl {
+BSSL_NAMESPACE_BEGIN
 
 BORINGSSL_MAKE_DELETER(RSA, RSA_free)
 
-}  // namespace bssl
+BSSL_NAMESPACE_END
 
 }  // extern C++
 

include/openssl/span.h

@@ -25,7 +25,7 @@ extern "C++" {
 #include <cstdlib>
 #include <type_traits>
 
-namespace bssl {
+BSSL_NAMESPACE_BEGIN
 
 template <typename T>
 class Span;
@@ -190,7 +190,7 @@ auto MakeConstSpan(const C &c) -> decltype(MakeConstSpan(c.data(), c.size())) {
   return MakeConstSpan(c.data(), c.size());
 }
 
-}  // namespace bssl
+BSSL_NAMESPACE_END
 
 }  // extern C++
 

include/openssl/ssl.h

@@ -4383,6 +4383,10 @@ OPENSSL_EXPORT int SSL_CTX_set_tlsext_status_arg(SSL_CTX *ctx, void *arg);
 #define SSL_CTRL_SET_TMP_RSA doesnt_exist
 #define SSL_CTRL_SET_TMP_RSA_CB doesnt_exist
 
+// |BORINGSSL_PREFIX| already makes each of these symbols into macros, so there
+// is no need to define conflicting macros.
+#if !defined(BORINGSSL_PREFIX)
+
 #define DTLSv1_get_timeout DTLSv1_get_timeout
 #define DTLSv1_handle_timeout DTLSv1_handle_timeout
 #define SSL_CTX_add0_chain_cert SSL_CTX_add0_chain_cert
@@ -4452,6 +4456,8 @@ OPENSSL_EXPORT int SSL_CTX_set_tlsext_status_arg(SSL_CTX *ctx, void *arg);
 #define SSL_set_tmp_rsa SSL_set_tmp_rsa
 #define SSL_total_renegotiations SSL_total_renegotiations
 
+#endif // !defined(BORINGSSL_PREFIX)
+
 
 #if defined(__cplusplus)
 }  // extern C
@@ -4460,7 +4466,7 @@ OPENSSL_EXPORT int SSL_CTX_set_tlsext_status_arg(SSL_CTX *ctx, void *arg);
 
 extern "C++" {
 
-namespace bssl {
+BSSL_NAMESPACE_BEGIN
 
 BORINGSSL_MAKE_DELETER(SSL, SSL_free)
 BORINGSSL_MAKE_DELETER(SSL_CTX, SSL_CTX_free)
@@ -4572,7 +4578,7 @@ OPENSSL_EXPORT bool SSL_apply_handoff(SSL *ssl, Span<const uint8_t> handoff);
 OPENSSL_EXPORT bool SSL_serialize_handback(const SSL *ssl, CBB *out);
 OPENSSL_EXPORT bool SSL_apply_handback(SSL *ssl, Span<const uint8_t> handback);
 
-}  // namespace bssl
+BSSL_NAMESPACE_END
 
 }  // extern C++
 

include/openssl/stack.h

@@ -219,17 +219,17 @@ OPENSSL_EXPORT _STACK *sk_deep_copy(const _STACK *sk,
 
 #if !defined(BORINGSSL_NO_CXX)
 extern "C++" {
-namespace bssl {
+BSSL_NAMESPACE_BEGIN
 namespace internal {
 template <typename T>
 struct StackTraits {};
 }
-}
+BSSL_NAMESPACE_END
 }
 
 #define BORINGSSL_DEFINE_STACK_TRAITS(name, type, is_const) \
   extern "C++" {                                            \
-  namespace bssl {                                          \
+  BSSL_NAMESPACE_BEGIN                                      \
   namespace internal {                                      \
   template <>                                               \
   struct StackTraits<STACK_OF(name)> {                      \
@@ -238,7 +238,7 @@ struct StackTraits {};
     static constexpr bool kIsConst = is_const;              \
   };                                                        \
   }                                                         \
-  }                                                         \
+  BSSL_NAMESPACE_END                                        \
   }
 
 #else
@@ -393,7 +393,7 @@ extern "C++" {
 
 #include <type_traits>
 
-namespace bssl {
+BSSL_NAMESPACE_BEGIN
 
 namespace internal {
 
@@ -474,7 +474,7 @@ static inline
   return true;
 }
 
-}  // namespace bssl
+BSSL_NAMESPACE_END
 
 // Define begin() and end() for stack types so C++ range for loops work.
 template <typename Stack>

include/openssl/x509.h

@@ -1129,7 +1129,7 @@ DECLARE_ASN1_FUNCTIONS(RSA_PSS_PARAMS)
 #if !defined(BORINGSSL_NO_CXX)
 extern "C++" {
 
-namespace bssl {
+BSSL_NAMESPACE_BEGIN
 
 BORINGSSL_MAKE_DELETER(NETSCAPE_SPKI, NETSCAPE_SPKI_free)
 BORINGSSL_MAKE_DELETER(RSA_PSS_PARAMS, RSA_PSS_PARAMS_free)
@@ -1158,7 +1158,7 @@ using ScopedX509_STORE_CTX =
     internal::StackAllocated<X509_STORE_CTX, void, X509_STORE_CTX_zero,
                              X509_STORE_CTX_cleanup>;
 
-}  // namespace bssl
+BSSL_NAMESPACE_END
 
 }  /* extern C++ */
 #endif  /* !BORINGSSL_NO_CXX */

include/openssl/x509v3.h

@@ -751,7 +751,7 @@ DEFINE_STACK_OF(X509_POLICY_NODE)
 
 extern "C++" {
 
-namespace bssl {
+BSSL_NAMESPACE_BEGIN
 
 BORINGSSL_MAKE_DELETER(ACCESS_DESCRIPTION, ACCESS_DESCRIPTION_free)
 BORINGSSL_MAKE_DELETER(AUTHORITY_KEYID, AUTHORITY_KEYID_free)
@@ -760,7 +760,7 @@ BORINGSSL_MAKE_DELETER(DIST_POINT, DIST_POINT_free)
 BORINGSSL_MAKE_DELETER(GENERAL_NAME, GENERAL_NAME_free)
 BORINGSSL_MAKE_DELETER(POLICYINFO, POLICYINFO_free)
 
-}  // namespace bssl
+BSSL_NAMESPACE_END
 
 }  /* extern C++ */
 #endif

ssl/CMakeLists.txt

@@ -41,6 +41,8 @@ add_library(
   tls13_server.cc
 )
 
+add_dependencies(ssl global_target)
+
 target_link_libraries(ssl crypto)
 
 add_executable(
@@ -53,6 +55,8 @@ add_executable(
   $<TARGET_OBJECTS:test_support>
 )
 
+add_dependencies(ssl_test global_target)
+
 target_link_libraries(ssl_test ssl crypto boringssl_gtest)
 if(WIN32)
   target_link_libraries(ssl_test ws2_32)

ssl/d1_both.cc

@@ -127,7 +127,7 @@
 #include "internal.h"
 
 
-namespace bssl {
+BSSL_NAMESPACE_BEGIN
 
 // TODO(davidben): 28 comes from the size of IP + UDP header. Is this reasonable
 // for these values? Notably, why is kMinMTU a function of the transport
@@ -848,4 +848,4 @@ unsigned int dtls1_min_mtu(void) {
   return kMinMTU;
 }
 
-}  // namespace bssl
+BSSL_NAMESPACE_END

ssl/d1_lib.cc

@@ -68,7 +68,7 @@
 #include "internal.h"
 
 
-namespace bssl {
+BSSL_NAMESPACE_BEGIN
 
 // DTLS1_MTU_TIMEOUTS is the maximum number of timeouts to expire
 // before starting to decrease the MTU.
@@ -187,7 +187,7 @@ bool dtls1_check_timeout_num(SSL *ssl) {
   return true;
 }
 
-}  // namespace bssl
+BSSL_NAMESPACE_END
 
 using namespace bssl;
 

ssl/d1_pkt.cc

@@ -126,7 +126,7 @@
 #include "internal.h"
 
 
-namespace bssl {
+BSSL_NAMESPACE_BEGIN
 
 ssl_open_record_t dtls1_open_app_data(SSL *ssl, Span<uint8_t> *out,
                                       size_t *out_consumed, uint8_t *out_alert,
@@ -271,4 +271,4 @@ int dtls1_dispatch_alert(SSL *ssl) {
   return 1;
 }
 
-}  // namespace bssl
+BSSL_NAMESPACE_END

ssl/dtls_record.cc

@@ -121,7 +121,7 @@
 #include "../crypto/internal.h"
 
 
-namespace bssl {
+BSSL_NAMESPACE_BEGIN
 
 // to_u64_be treats |in| as a 8-byte big-endian integer and returns the value as
 // a |uint64_t|.
@@ -350,4 +350,4 @@ int dtls_seal_record(SSL *ssl, uint8_t *out, size_t *out_len, size_t max_out,
   return 1;
 }
 
-}  // namespace bssl
+BSSL_NAMESPACE_END

ssl/handoff.cc

@@ -19,7 +19,7 @@
 #include "internal.h"
 
 
-namespace bssl {
+BSSL_NAMESPACE_BEGIN
 
 constexpr int kHandoffVersion = 0;
 constexpr int kHandbackVersion = 0;
@@ -359,4 +359,4 @@ bool SSL_apply_handback(SSL *ssl, Span<const uint8_t> handback) {
   return CBS_len(&seq) == 0;
 }
 
-}  // namespace bssl
+BSSL_NAMESPACE_END

ssl/handshake.cc

@@ -122,7 +122,7 @@
 #include "internal.h"
 
 
-namespace bssl {
+BSSL_NAMESPACE_BEGIN
 
 SSL_HANDSHAKE::SSL_HANDSHAKE(SSL *ssl_arg)
     : ssl(ssl_arg),
@@ -667,4 +667,4 @@ int ssl_run_handshake(SSL_HANDSHAKE *hs, bool *out_early_return) {
   }
 }
 
-}  // namespace bssl
+BSSL_NAMESPACE_END

ssl/handshake_client.cc

@@ -172,7 +172,7 @@
 #include "internal.h"
 
 
-namespace bssl {
+BSSL_NAMESPACE_BEGIN
 
 enum ssl_client_hs_state_t {
   state_start_connect = 0,
@@ -1820,4 +1820,4 @@ const char *ssl_client_handshake_state(SSL_HANDSHAKE *hs) {
   return "TLS client unknown";
 }
 
-}
+BSSL_NAMESPACE_END

ssl/handshake_server.cc

@@ -170,7 +170,7 @@
 #include "../crypto/internal.h"
 
 
-namespace bssl {
+BSSL_NAMESPACE_BEGIN
 
 bool ssl_client_cipher_list_contains_cipher(
     const SSL_CLIENT_HELLO *client_hello, uint16_t id) {
@@ -1626,4 +1626,4 @@ const char *ssl_server_handshake_state(SSL_HANDSHAKE *hs) {
   return "TLS server unknown";
 }
 
-}
+BSSL_NAMESPACE_END

ssl/internal.h

@@ -173,7 +173,7 @@ OPENSSL_MSVC_PRAGMA(warning(pop))
 #endif
 
 
-namespace bssl {
+BSSL_NAMESPACE_BEGIN
 
 struct SSL_CONFIG;
 struct SSL_HANDSHAKE;
@@ -414,7 +414,7 @@ bool ssl_is_draft28(uint16_t version);
 
 // Cipher suites.
 
-}  // namespace bssl
+BSSL_NAMESPACE_END
 
 struct ssl_cipher_st {
   // name is the OpenSSL name for the cipher.
@@ -432,7 +432,7 @@ struct ssl_cipher_st {
   uint32_t algorithm_prf;
 };
 
-namespace bssl {
+BSSL_NAMESPACE_BEGIN
 
 // Bits for |algorithm_mkey| (key exchange algorithm).
 #define SSL_kRSA 0x00000001u
@@ -2015,13 +2015,13 @@ struct CertCompressionAlg {
   uint16_t alg_id = 0;
 };
 
-}  // namespace bssl
+BSSL_NAMESPACE_END
 
 DECLARE_LHASH_OF(SSL_SESSION)
 
 DEFINE_NAMED_STACK_OF(CertCompressionAlg, bssl::CertCompressionAlg);
 
-namespace bssl {
+BSSL_NAMESPACE_BEGIN
 
 // An ssl_shutdown_t describes the shutdown state of one end of the connection,
 // whether it is alive or has been shutdown via close_notify or fatal alert.
@@ -2749,7 +2749,7 @@ void ssl_reset_error_state(SSL *ssl);
 // current state of the error queue.
 void ssl_set_read_error(SSL *ssl);
 
-}  // namespace bssl
+BSSL_NAMESPACE_END
 
 
 // Opaque C types.

ssl/s3_both.cc

@@ -130,7 +130,7 @@
 #include "internal.h"
 
 
-namespace bssl {
+BSSL_NAMESPACE_BEGIN
 
 static bool add_record_to_flight(SSL *ssl, uint8_t type,
                                  Span<const uint8_t> in) {
@@ -636,4 +636,4 @@ void ssl3_next_message(SSL *ssl) {
   }
 }
 
-}  // namespace bssl
+BSSL_NAMESPACE_END

ssl/s3_lib.cc

@@ -162,7 +162,7 @@
 #include "internal.h"
 
 
-namespace bssl {
+BSSL_NAMESPACE_BEGIN
 
 SSL3_STATE::SSL3_STATE()
     : skip_early_data(false),
@@ -215,4 +215,4 @@ void ssl3_free(SSL *ssl) {
   ssl->s3 = NULL;
 }
 
-}  // namespace bssl
+BSSL_NAMESPACE_END

ssl/s3_pkt.cc

@@ -122,7 +122,7 @@
 #include "internal.h"
 
 
-namespace bssl {
+BSSL_NAMESPACE_BEGIN
 
 static int do_ssl3_write(SSL *ssl, int type, const uint8_t *in, unsigned len);
 
@@ -425,4 +425,4 @@ int ssl3_dispatch_alert(SSL *ssl) {
   return 1;
 }
 
-}  // namespace bssl
+BSSL_NAMESPACE_END

ssl/span_test.cc

@@ -19,7 +19,7 @@
 
 #include <openssl/ssl.h>
 
-namespace bssl {
+BSSL_NAMESPACE_BEGIN
 namespace {
 
 static void TestCtor(Span<int> s, const int *ptr, size_t size) {
@@ -87,4 +87,4 @@ TEST(SpanTest, Accessor) {
 }
 
 }  // namespace
-}  // namespace bssl
+BSSL_NAMESPACE_END

ssl/ssl_aead_ctx.cc

@@ -31,7 +31,7 @@
 #define FUZZER_MODE false
 #endif
 
-namespace bssl {
+BSSL_NAMESPACE_BEGIN
 
 SSLAEADContext::SSLAEADContext(uint16_t version_arg, bool is_dtls_arg,
                                const SSL_CIPHER *cipher_arg)
@@ -433,4 +433,4 @@ bool SSLAEADContext::GetIV(const uint8_t **out_iv, size_t *out_iv_len) const {
          EVP_AEAD_CTX_get_iv(ctx_.get(), out_iv, out_iv_len);
 }
 
-}  // namespace bssl
+BSSL_NAMESPACE_END

ssl/ssl_asn1.cc

@@ -104,7 +104,7 @@
 #include "internal.h"
 
 
-namespace bssl {
+BSSL_NAMESPACE_BEGIN
 
 // An SSL_SESSION is serialized as the following ASN.1 structure:
 //
@@ -751,7 +751,7 @@ int ssl_session_serialize(const SSL_SESSION *in, CBB *cbb) {
   return SSL_SESSION_to_bytes_full(in, cbb, 0);
 }
 
-}  // namespace bssl
+BSSL_NAMESPACE_END
 
 using namespace bssl;
 

ssl/ssl_buffer.cc

@@ -27,7 +27,7 @@
 #include "internal.h"
 
 
-namespace bssl {
+BSSL_NAMESPACE_BEGIN
 
 // BIO uses int instead of size_t. No lengths will exceed uint16_t, so this will
 // not overflow.
@@ -284,4 +284,4 @@ int ssl_write_buffer_flush(SSL *ssl) {
   }
 }
 
-}  // namespace bssl
+BSSL_NAMESPACE_END

ssl/ssl_cert.cc

@@ -133,7 +133,7 @@
 #include "internal.h"
 
 
-namespace bssl {
+BSSL_NAMESPACE_BEGIN
 
 CERT::CERT(const SSL_X509_METHOD *x509_method_arg)
     : x509_method(x509_method_arg) {}
@@ -750,7 +750,7 @@ int ssl_on_certificate_selected(SSL_HANDSHAKE *hs) {
   return hs->local_pubkey != NULL;
 }
 
-}  // namespace bssl
+BSSL_NAMESPACE_END
 
 using namespace bssl;
 

ssl/ssl_cipher.cc

@@ -154,7 +154,7 @@
 #include "../crypto/internal.h"
 
 
-namespace bssl {
+BSSL_NAMESPACE_BEGIN
 
 // kCiphers is an array of all supported ciphers, sorted by id.
 static constexpr SSL_CIPHER kCiphers[] = {
@@ -1306,7 +1306,7 @@ size_t ssl_cipher_get_record_split_len(const SSL_CIPHER *cipher) {
   return ret;
 }
 
-}  // namespace bssl
+BSSL_NAMESPACE_END
 
 using namespace bssl;
 

ssl/ssl_key_share.cc

@@ -31,7 +31,7 @@
 #include "../crypto/internal.h"
 
 
-namespace bssl {
+BSSL_NAMESPACE_BEGIN
 
 namespace {
 
@@ -292,7 +292,7 @@ int ssl_name_to_group_id(uint16_t *out_group_id, const char *name, size_t len) {
   return 0;
 }
 
-}  // namespace bssl
+BSSL_NAMESPACE_END
 
 using namespace bssl;
 

ssl/ssl_lib.cc

@@ -162,7 +162,7 @@
 #endif
 
 
-namespace bssl {
+BSSL_NAMESPACE_BEGIN
 
 // |SSL_R_UNKNOWN_PROTOCOL| is no longer emitted, but continue to define it
 // to avoid downstream churn.
@@ -506,7 +506,7 @@ void SSL_set_handoff_mode(SSL *ssl, bool on) {
   ssl->config->handoff = on;
 }
 
-}  // namespace bssl
+BSSL_NAMESPACE_END
 
 using namespace bssl;
 

ssl/ssl_privkey.cc

@@ -69,7 +69,7 @@
 #include "../crypto/internal.h"
 
 
-namespace bssl {
+BSSL_NAMESPACE_BEGIN
 
 int ssl_is_key_type_supported(int key_type) {
   return key_type == EVP_PKEY_RSA || key_type == EVP_PKEY_EC ||
@@ -287,7 +287,7 @@ bool ssl_private_key_supports_signature_algorithm(SSL_HANDSHAKE *hs,
   return true;
 }
 
-}  // namespace bssl
+BSSL_NAMESPACE_END
 
 using namespace bssl;
 

ssl/ssl_session.cc

@@ -151,7 +151,7 @@
 #include "../crypto/internal.h"
 
 
-namespace bssl {
+BSSL_NAMESPACE_BEGIN
 
 // The address of this is a magic value, a pointer to which is returned by
 // SSL_magic_pending_session_ptr(). It allows a session callback to indicate
@@ -838,7 +838,7 @@ static void SSL_SESSION_list_add(SSL_CTX *ctx, SSL_SESSION *session) {
   }
 }
 
-}  // namespace bssl
+BSSL_NAMESPACE_END
 
 using namespace bssl;
 

ssl/ssl_test.cc

@@ -53,7 +53,7 @@ OPENSSL_MSVC_PRAGMA(warning(pop))
 #endif
 
 
-namespace bssl {
+BSSL_NAMESPACE_BEGIN
 
 namespace {
 
@@ -4443,4 +4443,4 @@ TEST(SSLTest, AllTests) {
 }
 
 }  // namespace
-}  // namespace bssl
+BSSL_NAMESPACE_END

ssl/ssl_transcript.cc

@@ -141,7 +141,7 @@
 #include "internal.h"
 
 
-namespace bssl {
+BSSL_NAMESPACE_BEGIN
 
 SSLTranscript::SSLTranscript() {}
 
@@ -261,4 +261,4 @@ bool SSLTranscript::GetFinishedMAC(uint8_t *out, size_t *out_len,
   return true;
 }
 
-}  // namespace bssl
+BSSL_NAMESPACE_END

ssl/ssl_versions.cc

@@ -23,7 +23,7 @@
 #include "../crypto/internal.h"
 
 
-namespace bssl {
+BSSL_NAMESPACE_BEGIN
 
 bool ssl_protocol_version_from_wire(uint16_t *out, uint16_t version) {
   switch (version) {
@@ -360,7 +360,7 @@ bool ssl_is_draft28(uint16_t version) {
   return version == TLS1_3_DRAFT28_VERSION || version == TLS1_3_VERSION;
 }
 
-}  // namespace bssl
+BSSL_NAMESPACE_END
 
 using namespace bssl;
 

ssl/ssl_x509.cc

@@ -155,7 +155,7 @@
 #include "../crypto/internal.h"
 
 
-namespace bssl {
+BSSL_NAMESPACE_BEGIN
 
 // check_ssl_x509_method asserts that |ssl| has the X509-based method
 // installed. Calling an X509-based method on an |ssl| with a different method
@@ -506,7 +506,7 @@ const SSL_X509_METHOD ssl_crypto_x509_method = {
   ssl_crypto_x509_ssl_ctx_flush_cached_client_CA,
 };
 
-}  // namespace bssl
+BSSL_NAMESPACE_END
 
 using namespace bssl;
 

ssl/t1_enc.cc

@@ -153,7 +153,7 @@
 #include "internal.h"
 
 
-namespace bssl {
+BSSL_NAMESPACE_BEGIN
 
 bool tls1_prf(const EVP_MD *digest, Span<uint8_t> out,
               Span<const uint8_t> secret, Span<const char> label,
@@ -277,7 +277,7 @@ int tls1_generate_master_secret(SSL_HANDSHAKE *hs, uint8_t *out,
   return SSL3_MASTER_SECRET_SIZE;
 }
 
-}  // namespace bssl
+BSSL_NAMESPACE_END
 
 using namespace bssl;
 

ssl/t1_lib.cc

@@ -129,7 +129,7 @@
 #include "../crypto/internal.h"
 
 
-namespace bssl {
+BSSL_NAMESPACE_BEGIN
 
 static bool ssl_check_clienthello_tlsext(SSL_HANDSHAKE *hs);
 
@@ -3836,7 +3836,7 @@ bool ssl_is_sct_list_valid(const CBS *contents) {
   return true;
 }
 
-}  // namespace bssl
+BSSL_NAMESPACE_END
 
 using namespace bssl;
 

ssl/test/CMakeLists.txt

@@ -14,6 +14,8 @@ add_executable(
   $<TARGET_OBJECTS:test_support>
 )
 
+add_dependencies(bssl_shim global_target)
+
 target_link_libraries(bssl_shim ssl crypto)
 
 if(UNIX AND NOT APPLE AND NOT ANDROID)
@@ -31,6 +33,8 @@ if(UNIX AND NOT APPLE AND NOT ANDROID)
     $<TARGET_OBJECTS:test_support>
   )
 
+  add_dependencies(handshaker global_target)
+
   target_link_libraries(handshaker ssl crypto)
 else()
   # Declare a dummy target for run_tests to depend on.

ssl/tls13_both.cc

@@ -30,7 +30,7 @@
 #include "internal.h"
 
 
-namespace bssl {
+BSSL_NAMESPACE_BEGIN
 
 // kMaxKeyUpdates is the number of consecutive KeyUpdates that will be
 // processed. Without this limit an attacker could force unbounded processing
@@ -665,4 +665,4 @@ bool tls13_post_handshake(SSL *ssl, const SSLMessage &msg) {
   return false;
 }
 
-}  // namespace bssl
+BSSL_NAMESPACE_END

ssl/tls13_client.cc

@@ -31,7 +31,7 @@
 #include "internal.h"
 
 
-namespace bssl {
+BSSL_NAMESPACE_BEGIN
 
 enum client_hs_state_t {
   state_read_hello_retry_request = 0,
@@ -929,4 +929,4 @@ bool tls13_process_new_session_ticket(SSL *ssl, const SSLMessage &msg) {
   return true;
 }
 
-}  // namespace bssl
+BSSL_NAMESPACE_END

ssl/tls13_enc.cc

@@ -30,7 +30,7 @@
 #include "internal.h"
 
 
-namespace bssl {
+BSSL_NAMESPACE_BEGIN
 
 static int init_key_schedule(SSL_HANDSHAKE *hs, uint16_t version,
                              const SSL_CIPHER *cipher) {
@@ -487,4 +487,4 @@ int tls13_verify_psk_binder(SSL_HANDSHAKE *hs, SSL_SESSION *session,
   return 1;
 }
 
-}  // namespace bssl
+BSSL_NAMESPACE_END

ssl/tls13_server.cc

@@ -36,7 +36,7 @@
 #include "internal.h"
 
 
-namespace bssl {
+BSSL_NAMESPACE_BEGIN
 
 enum server_hs_state_t {
   state_select_parameters = 0,
@@ -1028,4 +1028,4 @@ const char *tls13_server_handshake_state(SSL_HANDSHAKE *hs) {
   return "TLS 1.3 server unknown";
 }
 
-}  // namespace bssl
+BSSL_NAMESPACE_END

ssl/tls_method.cc

@@ -65,7 +65,7 @@
 #include "internal.h"
 
 
-namespace bssl {
+BSSL_NAMESPACE_BEGIN
 
 static void ssl3_on_handshake_complete(SSL *ssl) {
   // The handshake should have released its final message.
@@ -182,7 +182,7 @@ const SSL_X509_METHOD ssl_noop_x509_method = {
   ssl_noop_x509_ssl_ctx_flush_cached_client_CA,
 };
 
-}  // namespace bssl
+BSSL_NAMESPACE_END
 
 using namespace bssl;
 

ssl/tls_record.cc

@@ -119,7 +119,7 @@
 #include "../crypto/internal.h"
 
 
-namespace bssl {
+BSSL_NAMESPACE_BEGIN
 
 // kMaxEmptyRecords is the number of consecutive, empty records that will be
 // processed. Without this limit an attacker could send empty records at a
@@ -674,7 +674,7 @@ bool SealRecord(SSL *ssl, const Span<uint8_t> out_prefix,
                                  in.data(), in.size());
 }
 
-}  // namespace bssl
+BSSL_NAMESPACE_END
 
 using namespace bssl;
 

third_party/fiat/CMakeLists.txt

@@ -1,9 +0,0 @@
-include_directories(../../include)
-
-add_library(
-  fiat
-
-  OBJECT
-
-  curve25519.c
-)

tool/CMakeLists.txt

@@ -20,6 +20,8 @@ add_executable(
   transport_common.cc
 )
 
+add_dependencies(bssl global_target)
+
 if(APPLE OR WIN32 OR ANDROID)
   target_link_libraries(bssl ssl crypto)
 else()

util/make_prefix_headers.go

@@ -0,0 +1,216 @@
+// Copyright (c) 2018, Google Inc.
+//
+// Permission to use, copy, modify, and/or distribute this software for any
+// purpose with or without fee is hereby granted, provided that the above
+// copyright notice and this permission notice appear in all copies.
+//
+// THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
+// WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
+// MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY
+// SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+// WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION
+// OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN
+// CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+
+// This program takes a file containing newline-separated symbols, and generates
+// boringssl_prefix_symbols.h, boringssl_prefix_symbols_asm.h, and
+// boringssl_prefix_symbols_nasm.inc. These header files can be used to build
+// BoringSSL with a prefix for all symbols in order to avoid symbol name
+// conflicts when linking a project with multiple copies of BoringSSL; see
+// BUILDING.md for more details.
+
+// TODO(joshlf): For platforms which support it, use '#pragma redefine_extname'
+// instead of a custom macro. This avoids the need for a custom macro, but also
+// ensures that our renaming won't conflict with symbols defined and used by our
+// consumers (the "HMAC" problem). An example of this approach can be seen in
+// IllumOS' fork of OpenSSL:
+// https://github.com/joyent/illumos-extra/blob/master/openssl1x/sunw_prefix.h
+
+package main
+
+import (
+	"bufio"
+	"flag"
+	"fmt"
+	"os"
+	"path/filepath"
+	"strings"
+)
+
+var out = flag.String("out", ".", "Path to a directory where the outputs will be written")
+
+// Read newline-separated symbols from a file, ignoring any comments started
+// with '#'.
+func readSymbols(path string) ([]string, error) {
+	f, err := os.Open(path)
+	if err != nil {
+		return nil, err
+	}
+	defer f.Close()
+	scanner := bufio.NewScanner(f)
+	var ret []string
+	for scanner.Scan() {
+		line := scanner.Text()
+		if idx := strings.IndexByte(line, '#'); idx >= 0 {
+			line = line[:idx]
+		}
+		line = strings.TrimSpace(line)
+		if len(line) == 0 {
+			continue
+		}
+		ret = append(ret, line)
+	}
+	if err := scanner.Err(); err != nil {
+		return nil, err
+	}
+	return ret, nil
+}
+
+func writeCHeader(symbols []string, path string) error {
+	f, err := os.Create(path)
+	if err != nil {
+		return err
+	}
+	defer f.Close()
+
+	if _, err := f.WriteString(`// Copyright (c) 2018, Google Inc.
+//
+// Permission to use, copy, modify, and/or distribute this software for any
+// purpose with or without fee is hereby granted, provided that the above
+// copyright notice and this permission notice appear in all copies.
+//
+// THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
+// WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
+// MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY
+// SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+// WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION
+// OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN
+// CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+
+// BORINGSSL_ADD_PREFIX pastes two identifiers into one. It performs one
+// iteration of macro expansion on its arguments before pasting.
+#define BORINGSSL_ADD_PREFIX(a, b) BORINGSSL_ADD_PREFIX_INNER(a, b)
+#define BORINGSSL_ADD_PREFIX_INNER(a, b) a ## _ ## b
+
+`); err != nil {
+		return err
+	}
+
+	for _, symbol := range symbols {
+		if _, err := fmt.Fprintf(f, "#define %s BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, %s)\n", symbol, symbol); err != nil {
+			return err
+		}
+	}
+
+	return nil
+}
+
+func writeASMHeader(symbols []string, path string) error {
+	f, err := os.Create(path)
+	if err != nil {
+		return err
+	}
+	defer f.Close()
+
+	if _, err := f.WriteString(`// Copyright (c) 2018, Google Inc.
+//
+// Permission to use, copy, modify, and/or distribute this software for any
+// purpose with or without fee is hereby granted, provided that the above
+// copyright notice and this permission notice appear in all copies.
+//
+// THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
+// WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
+// MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY
+// SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+// WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION
+// OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN
+// CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+
+#if !defined(__APPLE__)
+#include <boringssl_prefix_symbols.h>
+#else
+// On iOS and macOS, we need to treat assembly symbols differently from other
+// symbols. The linker expects symbols to be prefixed with an underscore.
+// Perlasm thus generates symbol with this underscore applied. Our macros must,
+// in turn, incorporate it.
+#define BORINGSSL_ADD_PREFIX_MAC_ASM(a, b) BORINGSSL_ADD_PREFIX_INNER_MAC_ASM(a, b)
+#define BORINGSSL_ADD_PREFIX_INNER_MAC_ASM(a, b) _ ## a ## _ ## b
+
+`); err != nil {
+		return err
+	}
+
+	for _, symbol := range symbols {
+		if _, err := fmt.Fprintf(f, "#define _%s BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, %s)\n", symbol, symbol); err != nil {
+			return err
+		}
+	}
+
+	_, err = fmt.Fprintf(f, "#endif\n")
+	return nil
+}
+
+func writeNASMHeader(symbols []string, path string) error {
+	f, err := os.Create(path)
+	if err != nil {
+		return err
+	}
+	defer f.Close()
+
+	// NASM uses a different syntax from the C preprocessor.
+	if _, err := f.WriteString(`; Copyright (c) 2018, Google Inc.
+;
+; Permission to use, copy, modify, and/or distribute this software for any
+; purpose with or without fee is hereby granted, provided that the above
+; copyright notice and this permission notice appear in all copies.
+;
+; THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
+; WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
+; MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY
+; SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+; WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION
+; OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN
+; CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+
+`); err != nil {
+		return err
+	}
+
+	for _, symbol := range symbols {
+		if _, err := fmt.Fprintf(f, "%%define %s BORINGSSL_PREFIX %%+ %s\n", symbol, symbol); err != nil {
+			return err
+		}
+	}
+
+	return nil
+}
+
+func main() {
+	flag.Parse()
+	if flag.NArg() != 1 {
+		fmt.Fprintf(os.Stderr, "Usage: %s [-out OUT] SYMBOLS\n", os.Args[0])
+		os.Exit(1)
+	}
+
+	symbols, err := readSymbols(flag.Arg(0))
+	if err != nil {
+		fmt.Fprintf(os.Stderr, "Error reading symbols: %s\n", err)
+		os.Exit(1)
+	}
+
+	if err := writeCHeader(symbols, filepath.Join(*out, "boringssl_prefix_symbols.h")); err != nil {
+		fmt.Fprintf(os.Stderr, "Error writing boringssl_prefix_symbols.h: %s\n", err)
+		os.Exit(1)
+	}
+
+	if err := writeASMHeader(symbols, filepath.Join(*out, "boringssl_prefix_symbols_asm.h")); err != nil {
+		fmt.Fprintf(os.Stderr, "Error writing boringssl_prefix_symbols_asm.h: %s\n", err)
+		os.Exit(1)
+	}
+
+	if err := writeNASMHeader(symbols, filepath.Join(*out, "boringssl_prefix_symbols_nasm.inc")); err != nil {
+		fmt.Fprintf(os.Stderr, "Error writing boringssl_prefix_symbols_nasm.inc: %s\n", err)
+		os.Exit(1)
+	}
+
+}