Use BoringSSL for iOS Themis

[vixentael]

Because we already using it for Android. Using OpenSSL becomes more and more questionable.

See discussion in #219

[sgammon]

hey @vixentael, long time no see :)

so, i'm having some problems again with themis, this time related to BoringSSL. because we are using SwiftGRPC, which depends on BoringSSL, using GRKOpenSSLFramework causes incompatibility at runtime.

it's a sneaky issue, because GRKOpenSSLFramework overwrites the openssl.framework built by BoringSSL. The result is an openssl.framework that is, of course, incompatible with things built on SwiftGRPC. So when we try to call into gRPC, we get an obscure error about a missing symbol that could not be dynamically loaded (the symbol in question, namely, is _OpenSSL_add_all_algorithms). Newer versions of OpenSSL (and BoringSSL, by extension) has eliminated these methods and the practice of managing internal algo state tables in openssl (iirc).

anyway, we've had to remove themis temporarily from our code to facilitate gRPC, because we do need that for critical app functions.

if themis could be written on top of BoringSSL, in particular with compatibility at ~> 10.0 (latest version as of writing is 10.0.6) that would be ideal, it would make themis compatible with SwiftGRPC, and Firebase, and all of Google's BoringSSL-powered iOS code.

fyi the grpc issue is filed at grpc/grpc-swift#319

[vixentael]

Hi @sgammon :)

You're right, using different cocoapods that overwrite openssl framework is never a good idea. BoringSSL uses the same module name as OpenSSL (well, that's expected).

I'm figuring out how many changes we need to support BoringSSL for Themis-iOS, and probably will ship updated podspec soon.

May I ask you for a sample project where you were trying to use both themis and grpc? So I could test in a wild :)

[sgammon]

Sure thing! the app in question is private but i can prepare an example with the same pods that reproduce the issue.

you have to run it and have it fail to find the symbol in question, at runtime, because it's using dynamic linking. so it doesn't prevent a successful build which makes it a bit hard.

i would be happy to help contribute code or test a branch if it would help, too

[vixentael]

@sgammon

I've updated Themis.podspec to support BoringSSL and tested with Themis iOS tests project. These changes are not merged into master yet, staying in vixentael/ios-boringssl branch (see PR #330).

Could you please prepare an example with pods that you were using and link with themis-boringssl from podspec to see if it's failing?

pod 'themis/themis-boringssl', :podspec => 'https://raw.githubusercontent.com/cossacklabs/themis/vixentael/ios-boringssl/themis.podspec'

Themis-boringssl is using 'BoringSSL', '~> 10.0' as dependency which should be enough to use it with GRPC.

If you confirm it's working, I'll merge PR and publish new podspec.

[vixentael]

I decided to merge new podspec to master (PRs: #329 #330 #331)

@sgammon now Themis iOS 0.10.1 supports BoringSSL and should be compatible with GRPC.

Use it from your Podfile:

pod 'themis/themis-boringssl', '0.10.1'

[sgammon]

@vixentael, sorry about that, we've been blocked on another issue unrelated to Themis for this project. i just pulled down the podspec above and all worked great - it built, and we can connect to our services :) so I can confirm this is fixed

Thank you again for such a quick fix, we couldn't even keep up this time! 😄

[vixentael]

Awesome!!

[sgammon]

@vixentael i haven't been able to get this pod to install yet, just to let you know (even after a pod repo update). i figure the release hasn't published yet to cocoapods, i'll try again in a few days :) thanks again for your help and quick work

[vixentael]

Sorry @sgammon I made a typo in previous comment. Latest Themis iOS version is 0.10.1:

pod 'themis/themis-boringssl', '0.10.1'