Skip to content

Enable use of OpenSSL 3 without deprecated functions #2083

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
merged 4 commits into from
Oct 28, 2021
Merged

Enable use of OpenSSL 3 without deprecated functions #2083

Show file tree
Hide file tree
Changes from 2 commits
Commits
Show all changes
4 commits
Select commit Hold shift + click to select a range
0e434d9
Enable use of OpenSSL 3 without deprecated functions
thhous-msft Oct 20, 2021
713bd1e
Fix clog
thhous-msft Oct 20, 2021
579ab0c
Merge branch 'main' into thadhouse/openssl3code
thhous-msft Oct 27, 2021
ef7817a
Remove deprecation check
thhous-msft Oct 27, 2021
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
142 changes: 142 additions & 0 deletions src/generated/linux/crypt_openssl.c.clog.h
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -436,6 +436,148 @@ tracepoint(CLOG_CRYPT_OPENSSL_C, AllocFailure , arg2, arg3);\



#ifndef _clog_4_ARGS_TRACE_AllocFailure



/*----------------------------------------------------------
// Decoder Ring for AllocFailure
// Allocation of '%s' failed. (%llu bytes)
// QuicTraceEvent(
AllocFailure,
"Allocation of '%s' failed. (%llu bytes)",
"Crypt Hash Context",
sizeof(CXPLAT_HASH) + SaltLength);
// arg2 = arg2 = "Crypt Hash Context"
// arg3 = arg3 = sizeof(CXPLAT_HASH) + SaltLength
----------------------------------------------------------*/
#define _clog_4_ARGS_TRACE_AllocFailure(uniqueId, encoded_arg_string, arg2, arg3)\

#endif




#ifndef _clog_3_ARGS_TRACE_LibraryError



/*----------------------------------------------------------
// Decoder Ring for LibraryError
// [ lib] ERROR, %s.
// QuicTraceEvent(
LibraryError,
"[ lib] ERROR, %s.",
"EVP_MAC_fetch failed");
// arg2 = arg2 = "EVP_MAC_fetch failed"
----------------------------------------------------------*/
#define _clog_3_ARGS_TRACE_LibraryError(uniqueId, encoded_arg_string, arg2)\

#endif




#ifndef _clog_3_ARGS_TRACE_LibraryError



/*----------------------------------------------------------
// Decoder Ring for LibraryError
// [ lib] ERROR, %s.
// QuicTraceEvent(
LibraryError,
"[ lib] ERROR, %s.",
"EVP_MAC_CTX_new failed");
// arg2 = arg2 = "EVP_MAC_CTX_new failed"
----------------------------------------------------------*/
#define _clog_3_ARGS_TRACE_LibraryError(uniqueId, encoded_arg_string, arg2)\

#endif




#ifndef _clog_3_ARGS_TRACE_LibraryError



/*----------------------------------------------------------
// Decoder Ring for LibraryError
// [ lib] ERROR, %s.
// QuicTraceEvent(
LibraryError,
"[ lib] ERROR, %s.",
"EVP_MAC_CTX_set_params failed");
// arg2 = arg2 = "EVP_MAC_CTX_set_params failed"
----------------------------------------------------------*/
#define _clog_3_ARGS_TRACE_LibraryError(uniqueId, encoded_arg_string, arg2)\

#endif




#ifndef _clog_3_ARGS_TRACE_LibraryError



/*----------------------------------------------------------
// Decoder Ring for LibraryError
// [ lib] ERROR, %s.
// QuicTraceEvent(
LibraryError,
"[ lib] ERROR, %s.",
"EVP_MAC_init failed");
// arg2 = arg2 = "EVP_MAC_init failed"
----------------------------------------------------------*/
#define _clog_3_ARGS_TRACE_LibraryError(uniqueId, encoded_arg_string, arg2)\

#endif




#ifndef _clog_3_ARGS_TRACE_LibraryError



/*----------------------------------------------------------
// Decoder Ring for LibraryError
// [ lib] ERROR, %s.
// QuicTraceEvent(
LibraryError,
"[ lib] ERROR, %s.",
"EVP_MAC_update failed");
// arg2 = arg2 = "EVP_MAC_update failed"
----------------------------------------------------------*/
#define _clog_3_ARGS_TRACE_LibraryError(uniqueId, encoded_arg_string, arg2)\

#endif




#ifndef _clog_3_ARGS_TRACE_LibraryError



/*----------------------------------------------------------
// Decoder Ring for LibraryError
// [ lib] ERROR, %s.
// QuicTraceEvent(
LibraryError,
"[ lib] ERROR, %s.",
"EVP_MAC_final failed");
// arg2 = arg2 = "EVP_MAC_final failed"
----------------------------------------------------------*/
#define _clog_3_ARGS_TRACE_LibraryError(uniqueId, encoded_arg_string, arg2)\

#endif




#ifndef _clog_3_ARGS_TRACE_LibraryError


Expand Down
177 changes: 166 additions & 11 deletions src/platform/crypt_openssl.c
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -11,14 +11,22 @@

#include "platform_internal.h"

#define OPENSSL_SUPPRESS_DEPRECATED 1 // For hmac.h, which was deprecated in 3.0
#include "openssl/opensslv.h"
#if OPENSSL_VERSION_MAJOR >= 3
#define IS_OPENSSL_3
#endif

#ifdef _WIN32
#pragma warning(push)
#pragma warning(disable:4100) // Unreferenced parameter errcode in inline function
#endif
#include "openssl/bio.h"
#include "openssl/err.h"
#ifdef IS_OPENSSL_3
#include "openssl/core_names.h"
#else
#include "openssl/hmac.h"
#endif
#include "openssl/err.h"
#include "openssl/kdf.h"
#include "openssl/pem.h"
#include "openssl/pkcs12.h"
Expand Down Expand Up @@ -414,19 +422,165 @@ CxPlatHpComputeMask(
// Hash abstraction
//

#ifdef IS_OPENSSL_3
//
// OpenSSL 3.0 Hash implementation
//
typedef struct CXPLAT_HASH {
//
// The message digest.
//
const EVP_MD *Md;
EVP_MAC* Mac;
EVP_MAC_CTX* Ctx;
uint32_t SaltLength;
uint8_t Salt[0];
} CXPLAT_HASH;

//
// Context used for hashing.
//
HMAC_CTX* HashContext;
_IRQL_requires_max_(DISPATCH_LEVEL)
QUIC_STATUS
CxPlatHashCreate(
_In_ CXPLAT_HASH_TYPE HashType,
_In_reads_(SaltLength)
const uint8_t* const Salt,
_In_ uint32_t SaltLength,
_Out_ CXPLAT_HASH** NewHash
)
{
QUIC_STATUS Status = QUIC_STATUS_SUCCESS;
CXPLAT_HASH* Hash;
const char* HashString;
OSSL_PARAM AlgParam[2];

} CXPLAT_HASH;
Hash = CXPLAT_ALLOC_NONPAGED(sizeof(CXPLAT_HASH) + SaltLength, QUIC_POOL_TLS_HASH);
if (Hash == NULL) {
QuicTraceEvent(
AllocFailure,
"Allocation of '%s' failed. (%llu bytes)",
"Crypt Hash Context",
sizeof(CXPLAT_HASH) + SaltLength);
Status = QUIC_STATUS_OUT_OF_MEMORY;
goto Exit;
}
CxPlatZeroMemory(Hash, sizeof(CXPLAT_HASH) + SaltLength);

Hash->SaltLength = SaltLength;
CxPlatCopyMemory(Hash->Salt, Salt, SaltLength);

Hash->Mac = EVP_MAC_fetch(NULL, "HMAC", NULL);
if (Hash->Mac == NULL) {
QuicTraceEvent(
LibraryError,
"[ lib] ERROR, %s.",
"EVP_MAC_fetch failed");
Status = QUIC_STATUS_TLS_ERROR;
goto Exit;
}

Hash->Ctx = EVP_MAC_CTX_new(Hash->Mac);
if (Hash->Ctx == NULL) {
QuicTraceEvent(
LibraryError,
"[ lib] ERROR, %s.",
"EVP_MAC_CTX_new failed");
Status = QUIC_STATUS_OUT_OF_MEMORY;
goto Exit;
}

switch (HashType) {
case CXPLAT_HASH_SHA256:
HashString = "sha256";
break;
case CXPLAT_HASH_SHA384:
HashString = "sha384";
break;
case CXPLAT_HASH_SHA512:
HashString = "sha512";
break;
default:
Status = QUIC_STATUS_NOT_SUPPORTED;
goto Exit;
}

AlgParam[0] = OSSL_PARAM_construct_utf8_string(OSSL_MAC_PARAM_DIGEST, (char*)HashString, 0);
AlgParam[1] = OSSL_PARAM_construct_end();

if (!EVP_MAC_CTX_set_params(Hash->Ctx, AlgParam)) {
QuicTraceEvent(
LibraryError,
"[ lib] ERROR, %s.",
"EVP_MAC_CTX_set_params failed");
Status = QUIC_STATUS_TLS_ERROR;
goto Exit;
}

*NewHash = Hash;
Hash = NULL;

Exit:

CxPlatHashFree(Hash);

return Status;
}

_IRQL_requires_max_(DISPATCH_LEVEL)
void
CxPlatHashFree(
_In_opt_ CXPLAT_HASH* Hash
)
{
if (Hash) {
if (Hash->Ctx) {
EVP_MAC_CTX_free(Hash->Ctx);
}
if (Hash->Mac) {
EVP_MAC_free(Hash->Mac);
}
CXPLAT_FREE(Hash, QUIC_POOL_TLS_HASH);
}
}

_IRQL_requires_max_(DISPATCH_LEVEL)
QUIC_STATUS
CxPlatHashCompute(
_In_ CXPLAT_HASH* Hash,
_In_reads_(InputLength)
const uint8_t* const Input,
_In_ uint32_t InputLength,
_In_ uint32_t OutputLength, // CxPlatHashLength(HashType)
_Out_writes_all_(OutputLength)
uint8_t* const Output
)
{
if (!EVP_MAC_init(Hash->Ctx, Hash->Salt, Hash->SaltLength, NULL)) {
QuicTraceEvent(
LibraryError,
"[ lib] ERROR, %s.",
"EVP_MAC_init failed");
return QUIC_STATUS_INTERNAL_ERROR;
}

if (!EVP_MAC_update(Hash->Ctx, Input, InputLength)) {
QuicTraceEvent(
LibraryError,
"[ lib] ERROR, %s.",
"EVP_MAC_update failed");
return QUIC_STATUS_INTERNAL_ERROR;
}

size_t ActualOutputSize = OutputLength;
if (!EVP_MAC_final(Hash->Ctx, Output, &ActualOutputSize, OutputLength)) {
QuicTraceEvent(
LibraryError,
"[ lib] ERROR, %s.",
"EVP_MAC_final failed");
return QUIC_STATUS_INTERNAL_ERROR;
}

CXPLAT_FRE_ASSERT(ActualOutputSize == OutputLength);
return QUIC_STATUS_SUCCESS;
}
#else
//
// OpenSSL 1.1 Hash implementation
//
_IRQL_requires_max_(DISPATCH_LEVEL)
QUIC_STATUS
CxPlatHashCreate(
Expand Down Expand Up @@ -535,3 +689,4 @@ CxPlatHashCompute(
CXPLAT_FRE_ASSERT(ActualOutputSize == OutputLength);
return QUIC_STATUS_SUCCESS;
}
#endif
Loading