Add support for OpenSSL 3 as alternative TLS (microsoft#3387)
wfurt authored Feb 1, 2023
1 parent b6a46e3 commit 0bf9e09
Showing 12 changed files with 91 additions and 42 deletions.
19 changes: 18 additions & 1 deletion .azure/azure-pipelines.ci.yml
Expand Up @@ -326,6 +326,16 @@ stages:
extraName: 'systemopenssl'
extraBuildArgs: -UseSystemOpenSSLCrypto -ExtraArtifactDir SystemCrypto

- template: ./templates/build-config-user.yml
parameters:
image: ubuntu-22.04
platform: linux
arch: x64
tls: openssl3
config: Debug
extraName: 'systemopenssl'
extraBuildArgs: -UseSystemOpenSSLCrypto -ExtraArtifactDir SystemCrypto

- stage: build_linux_nontest
displayName: Build Linux - Non Tested
dependsOn: []
Expand Down Expand Up @@ -410,8 +420,15 @@ stages:
platform: linux
arch: x64
tls: openssl

- template: ./templates/build-config-user.yml
parameters:
image: ubuntu-22.04
platform: linux
arch: x64
tls: openssl3
extraName: 'ubuntu2204'
extraBuildArgs: -ExtraArtifactDir ubuntu2204
extraBuildArgs: -UseSystemOpenSSLCrypto -ExtraArtifactDir ubuntu2204
ubuntuVersion: 22.04

- stage: build_macos_release
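Review bot: The alignment of the second hunk suggests that `extraName: 'ubuntu2204'`, the rewritten `extraBuildArgs: -UseSystemOpenSSLCrypto -ExtraArtifactDir ubuntu2204` line and `ubuntuVersion: 22.04` now belong to the new `tls: openssl3` entry, which would leave the preceding `tls: openssl` ubuntu-22.04 job with no extraName, artifact directory or ubuntuVersion. If that is intended, a one-line comment above the openssl entry saying so would save the next reader the same puzzle; if not, the openssl entry needs its own `extraName`/`extraBuildArgs` restored. This reading is inferred from the rendered diff, which has lost its +/- markers, so please confirm against the raw patch. In the first hunk the openssl and openssl3 jobs both use `extraName: 'systemopenssl'` and `-ExtraArtifactDir SystemCrypto`; whether those collide depends on how build-config-user.yml composes job and artifact names, which is outside this diff.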
4 changes: 4 additions & 0 deletions .gitmodules
Expand Up @@ -5,6 +5,10 @@
path = submodules/openssl
url = https://github.com/quictls/openssl.git
branch = OpenSSL_1_1_1s+quic1
[submodule "submodules/openssl3"]
path = submodules/openssl3
url = https://github.com/quictls/openssl.git
branch = openssl-3.0.7+quic1
[submodule "submodules/clog"]
path = submodules/clog
url = https://github.com/microsoft/CLOG.git
2 changes: 1 addition & 1 deletion CMakeLists.txt
Expand Up @@ -650,7 +650,7 @@ else() #!WIN32
set(QUIC_CXX_FLAGS ${QUIC_COMMON_FLAGS})
endif()

if(QUIC_TLS STREQUAL "openssl")
if(QUIC_TLS STREQUAL "openssl" OR QUIC_TLS STREQUAL "openssl3")
add_library(OpenSSL INTERFACE)

include(FetchContent)
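Review bot: The `QUIC_TLS STREQUAL "openssl" OR QUIC_TLS STREQUAL "openssl3"` test introduced on the changed line is repeated verbatim in src/platform/CMakeLists.txt (twice) and again in submodules/CMakeLists.txt, so adding another backend or renaming one would require four coordinated edits and it is easy to miss one, as the `/analyze` guard in src/platform/CMakeLists.txt already shows. Computing it once where QUIC_TLS is validated, for example `set(QUIC_TLS_IS_OPENSSL OFF)` followed by `if(QUIC_TLS MATCHES "^openssl3?$")` and `set(QUIC_TLS_IS_OPENSSL ON)`, and testing that variable in each file keeps the list of OpenSSL-family backends in one place (QUIC_TLS_IS_OPENSSL is a suggested name, not one the project defines). The enclosing if/else chain continues past the end of the hunk.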
4 changes: 2 additions & 2 deletions scripts/build.ps1
Expand Up @@ -133,7 +133,7 @@ param (
[switch]$Static = $false,

[Parameter(Mandatory = $false)]
[ValidateSet("schannel", "openssl")]
[ValidateSet("schannel", "openssl", "openssl3")]
[string]$Tls = "",

[Parameter(Mandatory = $false)]
Expand Down Expand Up @@ -267,7 +267,7 @@ if ($Arch -eq "arm64ec") {
if (!$IsWindows) {
Write-Error "Arm64EC is only supported on Windows"
}
if ($Tls -eq "openssl") {
if ($Tls -eq "openssl" -Or $Tls -eq "openssl3") {
Write-Error "Arm64EC does not support openssl"
}
}
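Review bot: The new condition `$Tls -eq "openssl" -Or $Tls -eq "openssl3"` lists the two values inline while the error text on the following line still names only "openssl", so the message no longer matches the check. Writing it as `if ($Tls -in @("openssl", "openssl3")) {` with `Write-Error "Arm64EC does not support openssl or openssl3"` keeps the list in one expression and makes the diagnostic accurate. The enclosing arm64ec block starts before the hunk.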
2 changes: 1 addition & 1 deletion scripts/get-buildconfig.ps1
Expand Up @@ -34,7 +34,7 @@ param (
[string]$Platform = "",

[Parameter(Mandatory = $false)]
[ValidateSet("schannel", "openssl", "")]
[ValidateSet("schannel", "openssl", "openssl3", "")]
[string]$Tls = "",

[Parameter(Mandatory = $false)]
5 changes: 5 additions & 0 deletions scripts/prepare-machine.ps1
Expand Up @@ -484,6 +484,11 @@ if ($InitSubmodules) {
git submodule init submodules/openssl
}

if ($Tls -eq "openssl3") {
Write-Host "Initializing openssl3 submodule"
git submodule init submodules/openssl3
}

if (!$DisableTest) {
Write-Host "Initializing googletest submodule"
git submodule init submodules/googletest
Binary file added src/bin/winuser/pgo_x64/msquic.openssl3.pgd
Binary file not shown.
4 changes: 2 additions & 2 deletions src/platform/CMakeLists.txt
Expand Up @@ -30,7 +30,7 @@ endif()
if (QUIC_TLS STREQUAL "schannel")
message(STATUS "Configuring for Schannel")
set(SOURCES ${SOURCES} cert_capi.c crypt_bcrypt.c selfsign_capi.c tls_schannel.c)
elseif(QUIC_TLS STREQUAL "openssl")
elseif(QUIC_TLS STREQUAL "openssl" OR QUIC_TLS STREQUAL "openssl3")
message(STATUS "Configuring for OpenSSL")
set(SOURCES ${SOURCES} tls_openssl.c crypt_openssl.c)
if ("${CX_PLATFORM}" STREQUAL "windows")
Expand Down Expand Up @@ -79,7 +79,7 @@ if (MSVC AND (QUIC_TLS STREQUAL "openssl" OR QUIC_TLS STREQUAL "schannel") AND N
target_compile_options(platform PRIVATE /analyze)
endif()

if(QUIC_TLS STREQUAL "openssl")
if(QUIC_TLS STREQUAL "openssl" OR QUIC_TLS STREQUAL "openssl3")
target_link_libraries(platform PUBLIC OpenSSL)
if (CX_PLATFORM STREQUAL "darwin")
target_link_libraries(platform PUBLIC "-framework CoreFoundation" "-framework Security")
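Review bot: The `/analyze` guard visible in the second hunk's header, `if (MSVC AND (QUIC_TLS STREQUAL "openssl" OR QUIC_TLS STREQUAL "schannel") AND N…`, was not extended to openssl3, so an MSVC openssl3 build silently skips static analysis of the platform target even though the two conditions changed in this file do include the new backend. It should read `if (MSVC AND (QUIC_TLS STREQUAL "openssl" OR QUIC_TLS STREQUAL "openssl3" OR QUIC_TLS STREQUAL "schannel") AND …`, with the rest of the line as it is today (its tail is cut off in this view). That guard begins above the hunk, so the fix lands just outside the lines shown.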
3 changes: 3 additions & 0 deletions src/platform/crypt_openssl.c
Expand Up @@ -55,6 +55,7 @@ EVP_MAC_CTX *CXPLAT_HMAC_SHA256_CTX_HANDLE;
EVP_MAC_CTX *CXPLAT_HMAC_SHA384_CTX_HANDLE;
EVP_MAC_CTX *CXPLAT_HMAC_SHA512_CTX_HANDLE;

_Success_(return != 0)
int
CxPlatLoadCipher(
_In_ char *cipher_name,
Expand All @@ -73,6 +74,7 @@ CxPlatLoadCipher(
return 1;
}

_Success_(return != 0)
int
CxPlatLoadMAC(
_In_ char *name,
Expand All @@ -91,6 +93,7 @@ CxPlatLoadMAC(
return 1;
}

_Success_(return != 0)
int
CxPlatLoadHMACCTX(
_In_ EVP_MAC *mac,
4 changes: 2 additions & 2 deletions src/platform/selfsign_openssl.c
Expand Up @@ -174,8 +174,8 @@ GenerateX509Cert(
goto Exit;
}

X509_gmtime_adj(X509_get_notBefore(Cert), 0);
X509_gmtime_adj(X509_get_notAfter(Cert), 31536000L);
X509_gmtime_adj(X509_getm_notBefore(Cert), 0);
X509_gmtime_adj(X509_getm_notAfter(Cert), 31536000L);

X509_set_pubkey(Cert, PKey);

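Review bot: Neither `X509_gmtime_adj` call on the two new lines checks its return value, so a failure to set the validity window is ignored and the code continues to `X509_set_pubkey` with whatever notBefore/notAfter the certificate happened to hold. The function already uses `goto Exit` for the failure just above, so the pair could become `if (X509_gmtime_adj(X509_getm_notBefore(Cert), 0) == NULL || X509_gmtime_adj(X509_getm_notAfter(Cert), 31536000L) == NULL) { goto Exit; }`. GenerateX509Cert begins and ends outside the hunk, so what Exit cleans up is not visible here.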
85 changes: 52 additions & 33 deletions submodules/CMakeLists.txt
Expand Up @@ -11,20 +11,25 @@ cmake_minimum_required(VERSION 3.16)
project(OpenSSLQuic)

set(QUIC_BUILD_DIR ${CMAKE_CURRENT_BINARY_DIR})
set(OPENSSL_DIR ${QUIC_BUILD_DIR}/openssl)
option(QUIC_USE_SYSTEM_LIBCRYPTO "Use system libcrypto if openssl TLS" OFF)

# Newer versions of OpenSSL switched to Markdown, so we can use that to detect
# the openssl version cloned
if (EXISTS "${CMAKE_CURRENT_SOURCE_DIR}/openssl/CHANGES")
message(STATUS "Configuring for OpenSSL 1.1")
set(EXPECTED_OPENSSL_VERSION 1.1.1)
if(QUIC_TLS STREQUAL "openssl" OR QUIC_TLS STREQUAL "openssl3")
if(QUIC_TLS STREQUAL "openssl")
message(STATUS "Configuring for OpenSSL 1.1")
set(EXPECTED_OPENSSL_VERSION 1.1.1)
set(QUIC_OPENSSL openssl)
else()
set(QUIC_USE_OPENSSL3 ON)
message(STATUS "Configuring for OpenSSL 3.0")
set(EXPECTED_OPENSSL_VERSION 3.0)
set(QUIC_OPENSSL openssl3)
endif()
else()
set(QUIC_USE_OPENSSL3 ON)
message(STATUS "Configuring for OpenSSL 3.0")
set(EXPECTED_OPENSSL_VERSION 3.0)
message(FATAL_ERROR "Unsupported QUIC_TLS ${QUIC_TLS}")
endif()

set(OPENSSL_DIR ${QUIC_BUILD_DIR}/${QUIC_OPENSSL})

set(OPENSSL_CONFIG_FLAGS
enable-tls1_3 no-makedepend no-dgram no-ssl3 no-psk no-srp

Expand All @@ -36,7 +41,7 @@ set(OPENSSL_CONFIG_FLAGS
no-weak-ssl-ciphers no-shared no-tests)

if (QUIC_USE_OPENSSL3)
list(APPEND OPENSSL_CONFIG_FLAGS no-uplink no-cmp no-fips no-padlockeng no-siv --libdir=lib)
list(APPEND OPENSSL_CONFIG_FLAGS no-uplink no-cmp no-fips no-padlockeng no-siv no-legacy no-dtls no-deprecated --libdir=lib)
endif()

if (WIN32)
Expand Down Expand Up @@ -112,13 +117,13 @@ if (WIN32)
# Create working and output directories as needed
file(MAKE_DIRECTORY ${OPENSSL_DIR}/debug/include)
file(MAKE_DIRECTORY ${OPENSSL_DIR}/release/include)
file(MAKE_DIRECTORY ${QUIC_BUILD_DIR}/submodules/openssl/debug)
file(MAKE_DIRECTORY ${QUIC_BUILD_DIR}/submodules/openssl/release)
file(MAKE_DIRECTORY ${QUIC_BUILD_DIR}/${QUIC_OPENSSL}/openssl/debug)
file(MAKE_DIRECTORY ${QUIC_BUILD_DIR}/submodules/${QUIC_OPENSSL}/release)

# Configure steps for debug and release variants
add_custom_command(
WORKING_DIRECTORY $<IF:$<CONFIG:Debug>,${QUIC_BUILD_DIR}/submodules/openssl/debug,${QUIC_BUILD_DIR}/submodules/openssl/release>
OUTPUT $<IF:$<CONFIG:Debug>,${QUIC_BUILD_DIR}/submodules/openssl/debug/makefile,${QUIC_BUILD_DIR}/submodules/openssl/release/makefile>
WORKING_DIRECTORY $<IF:$<CONFIG:Debug>,${QUIC_BUILD_DIR}/submodules/${QUIC_OPENSSL}/debug,${QUIC_BUILD_DIR}/submodules/${QUIC_OPENSSL}/release>
OUTPUT $<IF:$<CONFIG:Debug>,${QUIC_BUILD_DIR}/submodules/${QUIC_OPENSSL}/debug/makefile,${QUIC_BUILD_DIR}/submodules/${QUIC_OPENSSL}/release/makefile>
COMMAND perl ${CMAKE_CURRENT_SOURCE_DIR}/openssl/Configure ${OPENSSL_CONFIG_FLAGS} $<$<CONFIG:Debug>:--debug> $<$<CONFIG:Debug>:--prefix=${OPENSSL_DIR}/debug> $<$<NOT:$<CONFIG:Debug>>:--prefix=${OPENSSL_DIR}/release>

COMMENT "OpenSSL configure"
Expand All @@ -128,8 +133,8 @@ if (WIN32)
add_custom_command(
OUTPUT $<IF:$<CONFIG:Debug>,${LIBSSL_DEBUG_PATH},${LIBSSL_PATH}>
OUTPUT $<IF:$<CONFIG:Debug>,${LIBCRYPTO_DEBUG_PATH},${LIBCRYPTO_PATH}>
DEPENDS $<IF:$<CONFIG:Debug>,${QUIC_BUILD_DIR}/submodules/openssl/debug/makefile,${QUIC_BUILD_DIR}/submodules/openssl/release/makefile>
WORKING_DIRECTORY $<IF:$<CONFIG:Debug>,${QUIC_BUILD_DIR}/submodules/openssl/debug,${QUIC_BUILD_DIR}/submodules/openssl/release>
DEPENDS $<IF:$<CONFIG:Debug>,${QUIC_BUILD_DIR}/submodules/${QUIC_OPENSSL}/debug/makefile,${QUIC_BUILD_DIR}/submodules/${QUIC_OPENSSL}/release/makefile>
WORKING_DIRECTORY $<IF:$<CONFIG:Debug>,${QUIC_BUILD_DIR}/submodules/${QUIC_OPENSSL}/debug,${QUIC_BUILD_DIR}/submodules/${QUIC_OPENSSL}/release>
COMMAND ${OPENSSL_RUN_COMMAND} install_dev
COMMENT "OpenSSL build"
)
Expand Down Expand Up @@ -210,46 +215,46 @@ else()
else()
message(FATAL_ERROR "Unknown android abi type")
endif()
set(OPENSSL_CONFIG_CMD ${CMAKE_CURRENT_SOURCE_DIR}/openssl/Configure
set(OPENSSL_CONFIG_CMD ${CMAKE_CURRENT_SOURCE_DIR}/${QUIC_OPENSSL}/Configure
${OPENSSL_BUILD_TYPE}
-D__ANDROID_API__=29)
elseif (CX_PLATFORM STREQUAL "linux")
if(CMAKE_SYSTEM_PROCESSOR STREQUAL arm)
set(OPENSSL_CONFIG_CMD ${CMAKE_CURRENT_SOURCE_DIR}/openssl/Configure
set(OPENSSL_CONFIG_CMD ${CMAKE_CURRENT_SOURCE_DIR}/${QUIC_OPENSSL}/Configure
linux-armv4 -DL_ENDIAN
--cross-compile-prefix=${GNU_MACHINE}${FLOAT_ABI_SUFFIX}-)
list(APPEND OPENSSL_CONFIG_FLAGS -latomic)
else()
if (CMAKE_TARGET_ARCHITECTURE STREQUAL arm64)
if (ONEBRANCH)
set(OPENSSL_CONFIG_CMD ${CMAKE_CURRENT_SOURCE_DIR}/openssl/Configure linux-aarch64
set(OPENSSL_CONFIG_CMD ${CMAKE_CURRENT_SOURCE_DIR}/${QUIC_OPENSSL}/Configure linux-aarch64
--cross-compile-prefix=${GNU_MACHINE}${FLOAT_ABI_SUFFIX}-)
else()
set(OPENSSL_CONFIG_CMD ${CMAKE_CURRENT_SOURCE_DIR}/openssl/Configure linux-aarch64)
set(OPENSSL_CONFIG_CMD ${CMAKE_CURRENT_SOURCE_DIR}/${QUIC_OPENSSL}/Configure linux-aarch64)
endif()
list(APPEND OPENSSL_CONFIG_FLAGS -latomic)
elseif (CMAKE_TARGET_ARCHITECTURE STREQUAL arm)
if (ONEBRANCH)
set(OPENSSL_CONFIG_CMD ${CMAKE_CURRENT_SOURCE_DIR}/openssl/Configure linux-armv4
set(OPENSSL_CONFIG_CMD ${CMAKE_CURRENT_SOURCE_DIR}/${QUIC_OPENSSL}/Configure linux-armv4
--cross-compile-prefix=${GNU_MACHINE}${FLOAT_ABI_SUFFIX}-)
else()
set(OPENSSL_CONFIG_CMD ${CMAKE_CURRENT_SOURCE_DIR}/openssl/Configure linux-armv4)
set(OPENSSL_CONFIG_CMD ${CMAKE_CURRENT_SOURCE_DIR}/${QUIC_OPENSSL}/Configure linux-armv4)
endif()
list(APPEND OPENSSL_CONFIG_FLAGS -latomic)
else()
set(OPENSSL_CONFIG_CMD ${CMAKE_CURRENT_SOURCE_DIR}/openssl/config
set(OPENSSL_CONFIG_CMD ${CMAKE_CURRENT_SOURCE_DIR}/${QUIC_OPENSSL}/config
CC=${CMAKE_C_COMPILER} CXX=${CMAKE_CXX_COMPILER})
endif()
endif()
elseif(CX_PLATFORM STREQUAL "darwin")
# need to build with Apple's compiler
if (CMAKE_OSX_ARCHITECTURES STREQUAL arm64)
set(OPENSSL_CONFIG_CMD ARCHFLAGS="-arch arm64" ${CMAKE_CURRENT_SOURCE_DIR}/openssl/Configure darwin64-arm64-cc)
set(OPENSSL_CONFIG_CMD ARCHFLAGS="-arch arm64" ${CMAKE_CURRENT_SOURCE_DIR}/${QUIC_OPENSSL}/Configure darwin64-arm64-cc)
elseif(CMAKE_OSX_ARCHITECTURES STREQUAL x86_64)
set(OPENSSL_CONFIG_CMD ARCHFLAGS="-arch x86_64" ${CMAKE_CURRENT_SOURCE_DIR}/openssl/Configure darwin64-x86_64-cc)
set(OPENSSL_CONFIG_CMD ARCHFLAGS="-arch x86_64" ${CMAKE_CURRENT_SOURCE_DIR}/${QUIC_OPENSSL}/Configure darwin64-x86_64-cc)
else()
message(ERROR "WTF ${CX_PLATFORM} ${CMAKE_TARGET_ARCHITECTURE}")
set(OPENSSL_CONFIG_CMD ${CMAKE_CURRENT_SOURCE_DIR}/openssl/config)
set(OPENSSL_CONFIG_CMD ${CMAKE_CURRENT_SOURCE_DIR}/${QUIC_OPENSSL}/config)
endif()
list(APPEND OPENSSL_CONFIG_FLAGS -isysroot ${CMAKE_OSX_SYSROOT})
if(SDK_NAME)
Expand All @@ -261,18 +266,18 @@ else()
list(APPEND OPENSSL_CONFIG_FLAGS -fembed-bitcode)
endif()
else()
set(OPENSSL_CONFIG_CMD ${CMAKE_CURRENT_SOURCE_DIR}/openssl/config
set(OPENSSL_CONFIG_CMD ${CMAKE_CURRENT_SOURCE_DIR}/${QUIC_OPENSSL}/config
CC=${CMAKE_C_COMPILER} CXX=${CMAKE_CXX_COMPILER})
endif()

# Create working and output directories as needed
file(MAKE_DIRECTORY ${OPENSSL_DIR}/include)
file(MAKE_DIRECTORY ${QUIC_BUILD_DIR}/submodules/openssl)
file(MAKE_DIRECTORY ${QUIC_BUILD_DIR}/submodules/${QUIC_OPENSSL})

# Configure steps for debug and release variants
add_custom_command(
WORKING_DIRECTORY ${QUIC_BUILD_DIR}/submodules/openssl
OUTPUT ${QUIC_BUILD_DIR}/submodules/openssl/Makefile
WORKING_DIRECTORY ${QUIC_BUILD_DIR}/submodules/${QUIC_OPENSSL}
OUTPUT ${QUIC_BUILD_DIR}/submodules/${QUIC_OPENSSL}/Makefile
COMMAND SYSTEM=${CMAKE_HOST_SYSTEM_NAME}
${OPENSSL_CONFIG_CMD} ${OPENSSL_CONFIG_FLAGS}
COMMENT "OpenSSL configure"
Expand All @@ -286,12 +291,26 @@ else()
add_custom_command(
OUTPUT ${LIBSSL_PATH}
OUTPUT ${LIBCRYPTO_PATH}
DEPENDS ${QUIC_BUILD_DIR}/submodules/openssl/Makefile
WORKING_DIRECTORY ${QUIC_BUILD_DIR}/submodules/openssl
DEPENDS ${QUIC_BUILD_DIR}/submodules/${QUIC_OPENSSL}/Makefile
WORKING_DIRECTORY ${QUIC_BUILD_DIR}/submodules/${QUIC_OPENSSL}
COMMAND make install_dev -j${NPROCS}
COMMENT "OpenSSL build"
)

if (QUIC_USE_OPENSSL3 AND QUIC_USE_SYSTEM_LIBCRYPTO)
# OpenSSL 3 uses different sources for static and dynamic libraries.
# That is ok if you use either one consistently but it fails to link when we use dynamic crypto with static ssl.
# To fix that we need little hackery - see openssl3/ssl/build.info
add_custom_command(
OUTPUT ${LIBSSL_PATH}
OUTPUT ${LIBCRYPTO_PATH}
APPEND
WORKING_DIRECTORY ${QUIC_BUILD_DIR}/submodules/${QUIC_OPENSSL}
COMMAND ar x ${LIBCRYPTO_PATH} libcrypto-lib-packet.o libcommon-lib-tls_pad.o
COMMAND ar r ${LIBSSL_PATH} libcrypto-lib-packet.o libcommon-lib-tls_pad.o
)
endif()

# Named target depending on the final lib artifacts produced by custom commands
add_custom_target(
OpenSSL_Target
Expand Down Expand Up @@ -320,7 +339,7 @@ else()
if (QUIC_USE_SYSTEM_LIBCRYPTO)
include(FindOpenSSL)
if (OPENSSL_FOUND)
if (OPENSSL_VERSION VERSION_EQUAL EXPECTED_OPENSSL_VERSION)
if (OPENSSL_VERSION VERSION_EQUAL EXPECTED_OPENSSL_VERSION OR OPENSSL_VERSION VERSION_GREATER EXPECTED_OPENSSL_VERSION)
target_link_libraries(OpenSSLQuic INTERFACE OpenSSL::Crypto)
else()
message(FATAL_ERROR "OpenSSL ${EXPECTED_OPENSSL_VERSION} not found, found ${OPENSSL_VERSION}")
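Review bot: In the Windows hunk the configure step still runs `perl ${CMAKE_CURRENT_SOURCE_DIR}/openssl/Configure` while its WORKING_DIRECTORY, its makefile OUTPUT and the directories created just above were all switched to `${QUIC_OPENSSL}`, so an openssl3 Windows build would configure the OpenSSL 1.1.1 checkout into the openssl3 build tree; that line should use `${CMAKE_CURRENT_SOURCE_DIR}/${QUIC_OPENSSL}/Configure` as every non-Windows branch in this file now does. The same hunk creates `${QUIC_BUILD_DIR}/${QUIC_OPENSSL}/openssl/debug` for the debug variant but `${QUIC_BUILD_DIR}/submodules/${QUIC_OPENSSL}/release` for release, and the custom commands below use the `submodules/${QUIC_OPENSSL}/debug` form, so the debug working directory is never created; the debug line should be `file(MAKE_DIRECTORY ${QUIC_BUILD_DIR}/submodules/${QUIC_OPENSSL}/debug)`. In the last hunk, relaxing the system-libcrypto check to `VERSION_EQUAL ... OR VERSION_GREATER` means a 1.1.1 `EXPECTED_OPENSSL_VERSION` now accepts a system OpenSSL 3.x libcrypto underneath the statically built 1.1.1 libssl, which I would not expect to link or behave consistently; if only the openssl3 path is meant to accept newer releases, use `VERSION_GREATER_EQUAL` guarded by `QUIC_USE_OPENSSL3`, and reword the FATAL_ERROR from "not found" to say the installed version does not match. The new `ar x`/`ar r` commands hardcode `ar`; `${CMAKE_AR}` would follow the configured toolchain (including the cross-compile prefixes used elsewhere in this file) rather than whichever ar is first on PATH.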
1 change: 1 addition & 0 deletions submodules/openssl3
Submodule openssl3 added at 247bb4
