@mGaosi mGaosi commented Jul 24, 2025

/usr/bin/ld:./rdkafka/lib/x64-linux/debug/librdkafka.a(rdkafka_admin.c.o): in function `rd_kafka_UserScramCredentialUpsertion_new':
./src/rdkafka_admin.c:6037: undefined reference to `RAND_priv_bytes'
./rdkafka/lib/x64-linux/debug/librdkafka.a(rdkafka_ssl.c.o): in function `rd_kafka_ssl_set_certs':
./src/rdkafka_ssl.c:1542: undefined reference to `SSL_CTX_use_cert_and_key'

The SSL_CTX_use_cert_and_key function is not available in BoringSSL. This function is a convenience function introduced in OpenSSL 1.1.1, used to simultaneously set certificates, private keys, and certificate chains. In BoringSSL, you need to call the corresponding functions separately to achieve the same functionality.

confluent-cla-assistant bot commented Jul 24, 2025

🎉 All Contributor License Agreements have been signed. Ready to merge.
✅ mGaosi
Please push an empty commit if you would like to re-run the checks to verify CLA status for all contributors.

@mGaosi mGaosi marked this pull request as ready for review July 24, 2025 06:46
@Copilot Copilot AI review requested due to automatic review settings July 24, 2025 06:46
@mGaosi mGaosi requested a review from a team as a code owner July 24, 2025 06:46
@Copilot Copilot AI left a comment

Pull Request Overview

This PR fixes build compatibility with BoringSSL by providing alternative implementations for SSL functions that are not available in BoringSSL. The changes address linker errors where BoringSSL lacks certain OpenSSL convenience functions.

  • Replaces SSL_CTX_use_cert_and_key with individual SSL certificate/key functions for BoringSSL
  • Adds a macro definition to map RAND_priv_bytes to RAND_bytes for BoringSSL compatibility

Reviewed Changes

Copilot reviewed 2 out of 2 changed files in this pull request and generated 1 comment.

File | Description
src/rdkafka_ssl.c | Implements BoringSSL-compatible certificate and key loading using individual SSL functions
src/rdkafka_admin.c | Adds macro to map RAND_priv_bytes to RAND_bytes for BoringSSL
Comments suppressed due to low confidence (1)

Comment on lines +6037 to +6039
#ifdef OPENSSL_IS_BORINGSSL
#define RAND_priv_bytes(x, sz) RAND_bytes((x),(sz))
#endif
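
Review bot: the `#define` at +6038 reuses the OpenSSL name `RAND_priv_bytes` itself, so under BoringSSL every later use of that name in the file silently becomes `RAND_bytes`, with no comment saying so, and the macro would shadow a real function of that name if the library later provides one. Add a short comment stating that this is a BoringSSL fallback, and consider a file-local wrapper name (hypothetical, for example `rd_kafka_rand_priv_bytes`) instead of redefining the library symbol. Style: put a space after the comma in `RAND_bytes((x),(sz))`.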

Copilot AI Jul 24, 2025

Using RAND_bytes instead of RAND_priv_bytes may have security implications. RAND_priv_bytes is specifically designed for generating private key material and may use different entropy sources. Consider using a BoringSSL-specific secure random function or document this security trade-off.

Suggested change
#ifdef OPENSSL_IS_BORINGSSL
#define RAND_priv_bytes(x, sz) RAND_bytes((x),(sz))
#endif
#ifdef OPENSSL_IS_BORINGSSL
#ifdef OPENSSL_IS_BORINGSSL
/* BoringSSL does not implement RAND_priv_bytes. Using RAND_bytes as a fallback.
* Note: RAND_bytes is less secure for generating private key material. */
#define RAND_priv_bytes(x, sz) RAND_bytes((x),(sz))
#endif
#endif
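
Review bot: the replacement text opens `#ifdef OPENSSL_IS_BORINGSSL` twice in a row and closes it with two `#endif` lines, so the same guard is nested inside itself; one `#ifdef`/`#endif` pair is enough. The added comment calls RAND_bytes "less secure" without saying in what respect; either name the specific difference being accepted or limit the comment to the fact that this is a fallback for a function BoringSSL lacks.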
