Add ability statically link OpenSSL

src/coreclr/nativeaot/BuildIntegration/Microsoft.NETCore.Native.Unix.targets

@@ -58,7 +58,7 @@ The .NET Foundation licenses this file to you under the MIT license.
       <NetCoreAppNativeLibrary Include="System.IO.Compression.Native" />
       <NetCoreAppNativeLibrary Include="System.Net.Security.Native" />
       <NetCoreAppNativeLibrary Include="System.Security.Cryptography.Native.Apple" Condition="'$(TargetOS)' == 'osx'" />
-      <NetCoreAppNativeLibrary Include="System.Security.Cryptography.Native.OpenSsl" />
+      <NetCoreAppNativeLibrary Include="System.Security.Cryptography.Native.OpenSsl" Condition="'$(StaticOpenSslLinking)' != 'true'" />
     </ItemGroup>
 
     <ItemGroup>
@@ -77,6 +77,14 @@ The .NET Foundation licenses this file to you under the MIT license.
       <StaticICULibs Include="-Wl,-Bdynamic" Condition="'$(StaticExecutable)' != 'true'" />
     </ItemGroup>
 
+    <ItemGroup Condition="'$(StaticOpenSslLinking)' == 'true' and '$(NativeLib)' != 'Static'">
+      <NativeLibrary Include="$(IntermediateOutputPath)/libs/System.Security.Cryptography.Native/build/libSystem.Security.Cryptography.Native.OpenSsl.a"/>
+      <DirectPInvoke Include="libSystem.Security.Cryptography.Native.OpenSsl" />
+      <StaticSslLibs Include="-Wl,-Bstatic" Condition="'$(StaticExecutable)' != 'true'" />
+      <StaticSslLibs Include="-lssl -lcrypto" />
+      <StaticSslLibs Include="-Wl,-Bdynamic" Condition="'$(StaticExecutable)' != 'true'" />
+    </ItemGroup>
+
     <ItemGroup Condition="'$(TargetOS)' == 'osx'">
       <NativeFramework Include="CoreFoundation" />
       <NativeFramework Include="CryptoKit" />
@@ -85,7 +93,9 @@ The .NET Foundation licenses this file to you under the MIT license.
       <NativeFramework Include="GSS" />
     </ItemGroup>
 
-    <Exec Command="$(IlcHostPackagePath)/native/src/libs/System.Globalization.Native/local_build.sh $(IlcHostPackagePath)/ $(IntermediateOutputPath)" Condition="'$(StaticICULinking)' == 'true'"/>
+    <Exec Command="&quot;$(IlcHostPackagePath)/native/src/libs/build-local.sh&quot; &quot;$(IlcHostPackagePath)/&quot; &quot;$(IntermediateOutputPath)&quot; System.Globalization.Native" Condition="'$(StaticICULinking)' == 'true'"/>
+
+    <Exec Command="&quot;$(IlcHostPackagePath)/native/src/libs/build-local.sh&quot; &quot;$(IlcHostPackagePath)/&quot; &quot;$(IntermediateOutputPath)&quot; System.Security.Cryptography.Native" Condition="'$(StaticOpenSslLinking)' == 'true'"/>
 
     <ItemGroup>
       <LinkerArg Include="-static" Condition="'$(StaticExecutable)' == 'true'" />
@@ -111,6 +121,7 @@ The .NET Foundation licenses this file to you under the MIT license.
       <LinkerArg Include="-licucore" Condition="'$(TargetOS)' == 'osx'" />
       <LinkerArg Include="-L/usr/lib/swift" Condition="'$(TargetOS)' == 'osx'" />
       <LinkerArg Include="@(StaticICULibs)" Condition="'$(StaticICULinking)' == 'true'" />
+      <LinkerArg Include="@(StaticSslLibs)" Condition="'$(StaticOpenSslLinking)' == 'true'" />
       <LinkerArg Include="-dynamiclib" Condition="'$(TargetOS)' == 'osx' and '$(NativeLib)' == 'Shared'" />
       <LinkerArg Include="-shared" Condition="'$(TargetOS)' != 'osx' and '$(NativeLib)' == 'Shared'" />
       <!-- binskim warning BA3001 PIE disabled on executable -->

src/coreclr/nativeaot/docs/compiling.md

@@ -90,3 +90,30 @@ Ubuntu (20.04+)
 ```
 sudo apt-get install libicu-dev cmake
 ```
+
+Alpine
+```
+apk add cmake icu-static icu-dev
+```
+
+## Using statically linked OpenSSL
+This feature can statically link OpenSSL libraries (such as libssl.a and libcrypto.a) into your applications at build time.
+NativeAOT binaries built with this feature can run even when OpenSSL libraries are not installed.
+**WARNING:** *This is scenario for advanced users, please use with extreme caution. Incorrect usage of this feature, can cause security vulnerabilities in your product*
+
+You can use this feature by adding the `StaticOpenSslLinking` property to your project file as follows:
+
+```xml
+    <PropertyGroup>
+      <StaticOpenSslLinking>true</StaticOpenSslLinking>
+    </PropertyGroup>
+```
+
+This feature is only supported on Linux. This feature is not supported when crosscompiling.
+
+### Prerequisites
+
+Alpine
+```
+apk add cmake openssl-dev openssl-libs-static
+```

src/installer/pkg/projects/Microsoft.DotNet.ILCompiler/Microsoft.DotNet.ILCompiler.pkgproj

@@ -18,6 +18,8 @@
     </ItemGroup>
     <ItemGroup Condition="'$(PackageTargetRuntime)' != '' and '$(TargetOS)' == 'linux'">
       <File Include="$(MSBuildThisFileDirectory)\..\..\..\..\native\libs\System.Globalization.Native\*" TargetPath="native/src/libs/System.Globalization.Native"/>
+      <File Include="$(MSBuildThisFileDirectory)\..\..\..\..\native\libs\System.Security.Cryptography.Native\*" TargetPath="native/src/libs/System.Security.Cryptography.Native"/>
+      <File Include="$(MSBuildThisFileDirectory)\..\..\..\..\native\libs\build-local.sh" TargetPath="native/src/libs/build-local.sh"/>
       <File Include="$(MSBuildThisFileDirectory)\..\..\..\..\native\minipal\*" TargetPath="native/src/minipal"/>
       <File Include="$(MSBuildThisFileDirectory)\..\..\..\..\native\libs\Common\*" TargetPath="native/src/libs/Common"/>
     </ItemGroup>

src/native/libs/System.Security.Cryptography.Native/CMakeLists.txt

@@ -44,6 +44,20 @@ set(NATIVECRYPTO_SOURCES
     pal_x509ext.c
 )
 
+if (LOCAL_BUILD)
+    add_definitions(-DLOCAL_BUILD)
+    add_definitions(-DPALEXPORT=EXTERN_C)
+    add_definitions(-DTARGET_UNIX)
+    # For minipal files
+    include_directories(../../)
+    include_directories(../Common)
+    include_directories(${CMAKE_CURRENT_BINARY_DIR})
+    configure_file(
+        ../Common/pal_config.h.in
+        ${CMAKE_CURRENT_BINARY_DIR}/pal_config.h)
+endif()
+
+
 # Always build portable on macOS because OpenSSL is not a system component
 # and our prebuilts should not assume a specific ABI version for the types
 # that use OpenSSL at runtime.

src/native/libs/System.Globalization.Native/local_build.sh → src/native/libs/build-local.sh

@@ -4,24 +4,25 @@
 # The .NET Foundation licenses this file to you under the MIT license.
 #
 
-# This script is used only for building libSystem.Globalization.Native.a
+# This script is used only for building native libraries
 # in the end-user's computer for NativeAOT purposes (static linking).
 # This file is not used during the dotnet runtime build.
 
 # Currently, only Linux is supported
 
 SHIM_SOURCE_DIR="$1"/native/src
 INTERMEDIATE_OUTPUT_PATH="$2"
+TARGET_LIBRARY="$3"
 
 if [ -d "$SHIM_SOURCE_DIR" ]; then
-    LOCAL_SHIM_DIR="$INTERMEDIATE_OUTPUT_PATH"/libs/System.Globalization.Native/build
+    LOCAL_SHIM_DIR="$INTERMEDIATE_OUTPUT_PATH"/libs/$TARGET_LIBRARY/build
 
     if ! { mkdir -p "$LOCAL_SHIM_DIR" && cd "$LOCAL_SHIM_DIR"; }; then
         echo "local_build.sh::ERROR: Cannot use local build directory"
         exit 1
     fi
 
-    if ! cmake -S "$SHIM_SOURCE_DIR/libs/System.Globalization.Native/" -DLOCAL_BUILD:STRING=1 -DCLR_CMAKE_TARGET_UNIX:STRING=1; then
+    if ! cmake -S "$SHIM_SOURCE_DIR/libs/$TARGET_LIBRARY/" -DLOCAL_BUILD:STRING=1 -DCLR_CMAKE_TARGET_UNIX:STRING=1; then
         echo "local_build.sh::ERROR: cmake failed"
         exit 1
     fi
@@ -31,3 +32,5 @@ if [ -d "$SHIM_SOURCE_DIR" ]; then
         exit 1
     fi
 fi
+
+exit 0