diff --git a/.azure/azure-pipelines.ci.yml b/.azure/azure-pipelines.ci.yml index f91829a14e..9307783c11 100644 --- a/.azure/azure-pipelines.ci.yml +++ b/.azure/azure-pipelines.ci.yml @@ -326,6 +326,16 @@ stages: extraName: 'systemopenssl' extraBuildArgs: -UseSystemOpenSSLCrypto -ExtraArtifactDir SystemCrypto + - template: ./templates/build-config-user.yml + parameters: + image: ubuntu-22.04 + platform: linux + arch: x64 + tls: openssl3 + config: Debug + extraName: 'systemopenssl' + extraBuildArgs: -UseSystemOpenSSLCrypto -ExtraArtifactDir SystemCrypto + - stage: build_linux_nontest displayName: Build Linux - Non Tested dependsOn: [] @@ -410,8 +420,15 @@ stages: platform: linux arch: x64 tls: openssl + + - template: ./templates/build-config-user.yml + parameters: + image: ubuntu-22.04 + platform: linux + arch: x64 + tls: openssl3 extraName: 'ubuntu2204' - extraBuildArgs: -ExtraArtifactDir ubuntu2204 + extraBuildArgs: -UseSystemOpenSSLCrypto -ExtraArtifactDir ubuntu2204 ubuntuVersion: 22.04 - stage: build_macos_release diff --git a/.gitmodules b/.gitmodules index 1dee954691..f33e0149f9 100644 --- a/.gitmodules +++ b/.gitmodules @@ -5,6 +5,10 @@ path = submodules/openssl url = https://github.com/quictls/openssl.git branch = OpenSSL_1_1_1s+quic1 +[submodule "submodules/openssl3"] + path = submodules/openssl3 + url = https://github.com/quictls/openssl.git + branch = openssl-3.0.7+quic1 [submodule "submodules/clog"] path = submodules/clog url = https://github.com/microsoft/CLOG.git diff --git a/CMakeLists.txt b/CMakeLists.txt index d3ed09971e..6643fb8ba6 100644 --- a/CMakeLists.txt +++ b/CMakeLists.txt @@ -650,7 +650,7 @@ else() #!WIN32 set(QUIC_CXX_FLAGS ${QUIC_COMMON_FLAGS}) endif() -if(QUIC_TLS STREQUAL "openssl") +if(QUIC_TLS STREQUAL "openssl" OR QUIC_TLS STREQUAL "openssl3") add_library(OpenSSL INTERFACE) include(FetchContent) diff --git a/scripts/build.ps1 b/scripts/build.ps1 index 0f53e4b7c9..74943271c1 100644 --- a/scripts/build.ps1 +++ b/scripts/build.ps1 
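Review bot: In the @@ -410 hunk of .azure/azure-pipelines.ci.yml the new openssl3 template is inserted directly after `tls: openssl`, so the context lines `extraName: 'ubuntu2204'`, the rewritten `extraBuildArgs` and `ubuntuVersion: 22.04` now belong to the new block, and the existing `tls: openssl` entry is left with none of them. If that entry is meant to survive it presumably needs its own `extraName`/`-ExtraArtifactDir` so its artifacts do not collide with the other Linux x64 openssl configuration; if it was meant to be replaced, the lines ending at `tls: openssl` should be removed rather than left behind. This build now also links the image's libcrypto (`-UseSystemOpenSSLCrypto`), so a comment on the template such as `# TLS crypto comes from the 22.04 image libcrypto; submodules/openssl3 supplies libssl and headers only` would record why its results differ from the bundled builds.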
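Review bot: The `branch = openssl-3.0.7+quic1` line in the new `[submodule "submodules/openssl3"]` entry only steers `git submodule update --remote`; the revision that is actually built is the gitlink at the end of this diff (`Subproject commit 247bb4dbd1d327ff9ed852ca53402249db5db486`). Because this submodule is the TLS stack, a one-line comment in .gitmodules (git config files accept `#` comments) saying that the pin is the commit, not the branch, would help reviewers of future bumps check the gitlink against the upstream release tag instead of trusting the branch name. Both entries share the same `url`, which is fine, but it makes the comment more useful since only the branch/commit distinguish them.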
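Review bot: The condition `QUIC_TLS STREQUAL "openssl" OR QUIC_TLS STREQUAL "openssl3"` added here is repeated in src/platform/CMakeLists.txt (both hunks) and in submodules/CMakeLists.txt, and at least one existing gate was missed (the MSVC `/analyze` condition visible in the @@ -79 hunk header of src/platform/CMakeLists.txt). Computing it once, presumably next to where QUIC_TLS is chosen, e.g. `if("${QUIC_TLS}" MATCHES "^openssl3?$")` then `set(QUIC_TLS_IS_OPENSSL ON)`, and testing `if(QUIC_TLS_IS_OPENSSL)` at each site would keep the four places in sync. Quoting `"${QUIC_TLS}"` in the comparison also avoids `if()` dereferencing the value a second time should it ever name a variable. The enclosing `else() #!WIN32` block and the `add_library(OpenSSL INTERFACE)` section continue outside the hunk.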
@@ -133,7 +133,7 @@ param ( [switch]$Static = $false, [Parameter(Mandatory = $false)] - [ValidateSet("schannel", "openssl")] + [ValidateSet("schannel", "openssl", "openssl3")] [string]$Tls = "", [Parameter(Mandatory = $false)] @@ -267,7 +267,7 @@ if ($Arch -eq "arm64ec") { if (!$IsWindows) { Write-Error "Arm64EC is only supported on Windows" } - if ($Tls -eq "openssl") { + if ($Tls -eq "openssl" -Or $Tls -eq "openssl3") { Write-Error "Arm64EC does not support openssl" } } diff --git a/scripts/get-buildconfig.ps1 b/scripts/get-buildconfig.ps1 index 6fcdf3c1f1..7515c30635 100644 --- a/scripts/get-buildconfig.ps1 +++ b/scripts/get-buildconfig.ps1 @@ -34,7 +34,7 @@ param ( [string]$Platform = "", [Parameter(Mandatory = $false)] - [ValidateSet("schannel", "openssl", "")] + [ValidateSet("schannel", "openssl", "openssl3", "")] [string]$Tls = "", [Parameter(Mandatory = $false)] diff --git a/scripts/prepare-machine.ps1 b/scripts/prepare-machine.ps1 index 9fd0042f49..51cc3fb3ed 100644 --- a/scripts/prepare-machine.ps1 +++ b/scripts/prepare-machine.ps1 @@ -484,6 +484,11 @@ if ($InitSubmodules) { git submodule init submodules/openssl } + if ($Tls -eq "openssl3") { + Write-Host "Initializing openssl3 submodule" + git submodule init submodules/openssl3 + } + if (!$DisableTest) { Write-Host "Initializing googletest submodule" git submodule init submodules/googletest diff --git a/src/bin/winuser/pgo_x64/msquic.openssl3.pgd b/src/bin/winuser/pgo_x64/msquic.openssl3.pgd new file mode 100644 index 0000000000..b247d2388f Binary files /dev/null and b/src/bin/winuser/pgo_x64/msquic.openssl3.pgd differ diff --git a/src/platform/CMakeLists.txt b/src/platform/CMakeLists.txt index 1c833e4031..853bc0b43f 100644 --- a/src/platform/CMakeLists.txt +++ b/src/platform/CMakeLists.txt 
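Review bot: In the @@ -267 hunk of scripts/build.ps1 the error text on the line after the changed condition still says `Arm64EC does not support openssl`, which is now also emitted for `-Tls openssl3`; `Write-Error "Arm64EC does not support $Tls"` reports the value the user actually passed. Minor style point on the same line: PowerShell operators are conventionally lowercase (`-or`), matching the `-eq` next to it.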
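Review bot: The new `openssl3` block in scripts/prepare-machine.ps1 mirrors the `openssl` block above it, but both only run `git submodule init`; whatever performs the matching `git submodule update` (outside this hunk) should check out the pinned gitlink rather than use `--remote`, otherwise the branch name in .gitmodules, not the reviewed commit, decides which OpenSSL 3 sources get built. A comment on the new block such as `# registers the openssl3 gitlink only; the update step checks out the pinned commit` would make that expectation explicit. The enclosing `if ($InitSubmodules)` block starts before this hunk.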
@@ -30,7 +30,7 @@ endif() if (QUIC_TLS STREQUAL "schannel") message(STATUS "Configuring for Schannel") set(SOURCES ${SOURCES} cert_capi.c crypt_bcrypt.c selfsign_capi.c tls_schannel.c) -elseif(QUIC_TLS STREQUAL "openssl") +elseif(QUIC_TLS STREQUAL "openssl" OR QUIC_TLS STREQUAL "openssl3") message(STATUS "Configuring for OpenSSL") set(SOURCES ${SOURCES} tls_openssl.c crypt_openssl.c) if ("${CX_PLATFORM}" STREQUAL "windows") @@ -79,7 +79,7 @@ if (MSVC AND (QUIC_TLS STREQUAL "openssl" OR QUIC_TLS STREQUAL "schannel") AND N target_compile_options(platform PRIVATE /analyze) endif() -if(QUIC_TLS STREQUAL "openssl") +if(QUIC_TLS STREQUAL "openssl" OR QUIC_TLS STREQUAL "openssl3") target_link_libraries(platform PUBLIC OpenSSL) if (CX_PLATFORM STREQUAL "darwin") target_link_libraries(platform PUBLIC "-framework CoreFoundation" "-framework Security") diff --git a/src/platform/crypt_openssl.c b/src/platform/crypt_openssl.c index 7c06585fd6..7c7623c2af 100644 --- a/src/platform/crypt_openssl.c +++ b/src/platform/crypt_openssl.c @@ -55,6 +55,7 @@ EVP_MAC_CTX *CXPLAT_HMAC_SHA256_CTX_HANDLE; EVP_MAC_CTX *CXPLAT_HMAC_SHA384_CTX_HANDLE; EVP_MAC_CTX *CXPLAT_HMAC_SHA512_CTX_HANDLE; +_Success_(return != 0) int CxPlatLoadCipher( _In_ char *cipher_name, @@ -73,6 +74,7 @@ CxPlatLoadCipher( return 1; } +_Success_(return != 0) int CxPlatLoadMAC( _In_ char *name, @@ -91,6 +93,7 @@ CxPlatLoadMAC( return 1; } +_Success_(return != 0) int CxPlatLoadHMACCTX( _In_ EVP_MAC *mac, diff --git a/src/platform/selfsign_openssl.c b/src/platform/selfsign_openssl.c index a8ad841242..93272ae147 100644 --- a/src/platform/selfsign_openssl.c +++ b/src/platform/selfsign_openssl.c @@ -174,8 +174,8 @@ GenerateX509Cert( goto Exit; } - X509_gmtime_adj(X509_get_notBefore(Cert), 0); - X509_gmtime_adj(X509_get_notAfter(Cert), 31536000L); + X509_gmtime_adj(X509_getm_notBefore(Cert), 0); + X509_gmtime_adj(X509_getm_notAfter(Cert), 31536000L); X509_set_pubkey(Cert, PKey); 
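Review bot: The `/analyze` gate shown in this hunk's header line, `if (MSVC AND (QUIC_TLS STREQUAL "openssl" OR QUIC_TLS STREQUAL "schannel") AND N…`, was not extended to `openssl3`, so MSVC builds with the new TLS value skip the static-analysis pass that the openssl and schannel builds get. The header shows only the start of that line, so confirm its tail before editing, but the fix is the same `OR QUIC_TLS STREQUAL "openssl3"` this hunk adds two lines further down (and the @@ -30 hunk adds to the source selection).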
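Review bot: The two replaced `X509_gmtime_adj(...)` calls in src/platform/selfsign_openssl.c still discard their return value; the rename to `X509_getm_notBefore`/`X509_getm_notAfter` is required by the `no-deprecated` OpenSSL 3 build configured in submodules/CMakeLists.txt, but `X509_gmtime_adj` returns NULL on failure, in which case the certificate's validity period could be left unset while the function continues to `X509_set_pubkey`. Since the function already has an `Exit` label (the `goto Exit;` context above), guard both calls: `if (!X509_gmtime_adj(X509_getm_notBefore(Cert), 0) || !X509_gmtime_adj(X509_getm_notAfter(Cert), 31536000L)) { goto Exit; }`, setting whatever status variable the existing error paths use (outside the hunk). GenerateX509Cert's body continues on both sides of this hunk.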
diff --git a/submodules/CMakeLists.txt b/submodules/CMakeLists.txt index deadd191ac..db3883401a 100644 --- a/submodules/CMakeLists.txt +++ b/submodules/CMakeLists.txt @@ -11,20 +11,25 @@ cmake_minimum_required(VERSION 3.16) project(OpenSSLQuic) set(QUIC_BUILD_DIR ${CMAKE_CURRENT_BINARY_DIR}) -set(OPENSSL_DIR ${QUIC_BUILD_DIR}/openssl) option(QUIC_USE_SYSTEM_LIBCRYPTO "Use system libcrypto if openssl TLS" OFF) -# Newer versions of OpenSSL switched to Markdown, so we can use that to detect -# the openssl version cloned -if (EXISTS "${CMAKE_CURRENT_SOURCE_DIR}/openssl/CHANGES") - message(STATUS "Configuring for OpenSSL 1.1") - set(EXPECTED_OPENSSL_VERSION 1.1.1) +if(QUIC_TLS STREQUAL "openssl" OR QUIC_TLS STREQUAL "openssl3") + if(QUIC_TLS STREQUAL "openssl") + message(STATUS "Configuring for OpenSSL 1.1") + set(EXPECTED_OPENSSL_VERSION 1.1.1) + set(QUIC_OPENSSL openssl) + else() + set(QUIC_USE_OPENSSL3 ON) + message(STATUS "Configuring for OpenSSL 3.0") + set(EXPECTED_OPENSSL_VERSION 3.0) + set(QUIC_OPENSSL openssl3) + endif() else() - set(QUIC_USE_OPENSSL3 ON) - message(STATUS "Configuring for OpenSSL 3.0") - set(EXPECTED_OPENSSL_VERSION 3.0) + message(FATAL_ERROR "Unsupported QUIC_TLS ${QUIC_TLS}") endif() +set(OPENSSL_DIR ${QUIC_BUILD_DIR}/${QUIC_OPENSSL}) + set(OPENSSL_CONFIG_FLAGS enable-tls1_3 no-makedepend no-dgram no-ssl3 no-psk no-srp @@ -36,7 +41,7 @@ set(OPENSSL_CONFIG_FLAGS no-weak-ssl-ciphers no-shared no-tests) if (QUIC_USE_OPENSSL3) - list(APPEND OPENSSL_CONFIG_FLAGS no-uplink no-cmp no-fips no-padlockeng no-siv --libdir=lib) + list(APPEND OPENSSL_CONFIG_FLAGS no-uplink no-cmp no-fips no-padlockeng no-siv no-legacy no-dtls no-deprecated --libdir=lib) endif() if (WIN32) 
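Review bot: `QUIC_OPENSSL` and `QUIC_USE_OPENSSL3` are introduced as plain variables with no comment, although every path and configure flag in the rest of this file now keys off them; a comment above the `if(QUIC_TLS STREQUAL ...)` block such as `# QUIC_OPENSSL names the submodule directory (openssl = 1.1.1 quictls, openssl3 = 3.0 quictls); QUIC_USE_OPENSSL3 gates 3.0-only Configure flags and the libssl fix-up below` would save the next reader the search. The `message(FATAL_ERROR "Unsupported QUIC_TLS ${QUIC_TLS}")` fallback is a good replacement for the old CHANGES-file sniffing, but `QUIC_TLS` is compared unquoted; `if("${QUIC_TLS}" STREQUAL "openssl" OR "${QUIC_TLS}" STREQUAL "openssl3")` is the form that cannot be mis-dereferenced. It is also worth stating that `EXPECTED_OPENSSL_VERSION` appears to constrain only the system-libcrypto check near the end of the file, not which commit the submodule is on.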
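Review bot: The added `no-legacy no-dtls no-deprecated` flags deserve a comment, because each removes code from the bundled OpenSSL 3 and two of them have visible knock-on effects in this diff: `no-deprecated` removes the 1.1-era API from the headers, which is why selfsign_openssl.c switches to `X509_getm_notBefore`/`X509_getm_notAfter`, and `no-legacy` omits the legacy provider so only default-provider algorithms are available to tls_openssl.c and crypt_openssl.c. Suggested text: `# 3.0-only: drop the legacy provider, DTLS and deprecated 1.1 APIs to shrink the linked TLS surface; our code must use 3.0 APIs`. Note that when QUIC_USE_SYSTEM_LIBCRYPTO is ON these flags presumably only shape the bundled libssl (and the two objects merged into it later in the file), not the distro libcrypto that is linked.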
@@ -112,13 +117,13 @@ if (WIN32) # Create working and output directories as needed file(MAKE_DIRECTORY ${OPENSSL_DIR}/debug/include) file(MAKE_DIRECTORY ${OPENSSL_DIR}/release/include) - file(MAKE_DIRECTORY ${QUIC_BUILD_DIR}/submodules/openssl/debug) - file(MAKE_DIRECTORY ${QUIC_BUILD_DIR}/submodules/openssl/release) + file(MAKE_DIRECTORY ${QUIC_BUILD_DIR}/${QUIC_OPENSSL}/openssl/debug) + file(MAKE_DIRECTORY ${QUIC_BUILD_DIR}/submodules/${QUIC_OPENSSL}/release) # Configure steps for debug and release variants add_custom_command( - WORKING_DIRECTORY $,${QUIC_BUILD_DIR}/submodules/openssl/debug,${QUIC_BUILD_DIR}/submodules/openssl/release> - OUTPUT $,${QUIC_BUILD_DIR}/submodules/openssl/debug/makefile,${QUIC_BUILD_DIR}/submodules/openssl/release/makefile> + WORKING_DIRECTORY $,${QUIC_BUILD_DIR}/submodules/${QUIC_OPENSSL}/debug,${QUIC_BUILD_DIR}/submodules/${QUIC_OPENSSL}/release> + OUTPUT $,${QUIC_BUILD_DIR}/submodules/${QUIC_OPENSSL}/debug/makefile,${QUIC_BUILD_DIR}/submodules/${QUIC_OPENSSL}/release/makefile> COMMAND perl ${CMAKE_CURRENT_SOURCE_DIR}/openssl/Configure ${OPENSSL_CONFIG_FLAGS} $<$:--debug> $<$:--prefix=${OPENSSL_DIR}/debug> $<$>:--prefix=${OPENSSL_DIR}/release> COMMENT "OpenSSL configure" @@ -128,8 +133,8 @@ if (WIN32) add_custom_command( OUTPUT $,${LIBSSL_DEBUG_PATH},${LIBSSL_PATH}> OUTPUT $,${LIBCRYPTO_DEBUG_PATH},${LIBCRYPTO_PATH}> - DEPENDS $,${QUIC_BUILD_DIR}/submodules/openssl/debug/makefile,${QUIC_BUILD_DIR}/submodules/openssl/release/makefile> - WORKING_DIRECTORY $,${QUIC_BUILD_DIR}/submodules/openssl/debug,${QUIC_BUILD_DIR}/submodules/openssl/release> + DEPENDS $,${QUIC_BUILD_DIR}/submodules/${QUIC_OPENSSL}/debug/makefile,${QUIC_BUILD_DIR}/submodules/${QUIC_OPENSSL}/release/makefile> + WORKING_DIRECTORY $,${QUIC_BUILD_DIR}/submodules/${QUIC_OPENSSL}/debug,${QUIC_BUILD_DIR}/submodules/${QUIC_OPENSSL}/release> COMMAND ${OPENSSL_RUN_COMMAND} install_dev COMMENT "OpenSSL build" ) 
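Review bot: The first changed `file(MAKE_DIRECTORY ...)` line creates `${QUIC_BUILD_DIR}/${QUIC_OPENSSL}/openssl/debug`, while the release line beside it and the `WORKING_DIRECTORY` two lines below use `${QUIC_BUILD_DIR}/submodules/${QUIC_OPENSSL}/debug`, so the Debug configure step's working directory is never created; it should read `file(MAKE_DIRECTORY ${QUIC_BUILD_DIR}/submodules/${QUIC_OPENSSL}/debug)`. More seriously, the unchanged `COMMAND perl ${CMAKE_CURRENT_SOURCE_DIR}/openssl/Configure ...` still points at the 1.1.1 submodule, so a Windows build with `-Tls openssl3` (which the new src/bin/winuser/pgo_x64/msquic.openssl3.pgd in this diff implies is expected) would configure the OpenSSL 1.1.1 sources inside the openssl3 build directory; it needs `${CMAKE_CURRENT_SOURCE_DIR}/${QUIC_OPENSSL}/Configure`, as the non-Windows branch in the @@ -210 hunk already does. The generator expressions in this hunk are mangled in this rendering (`$,...`), so check them in the file rather than here. The enclosing `if (WIN32)` block starts before this hunk.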
@@ -210,46 +215,46 @@ else() else() message(FATAL_ERROR "Unknown android abi type") endif() - set(OPENSSL_CONFIG_CMD ${CMAKE_CURRENT_SOURCE_DIR}/openssl/Configure + set(OPENSSL_CONFIG_CMD ${CMAKE_CURRENT_SOURCE_DIR}/${QUIC_OPENSSL}/Configure ${OPENSSL_BUILD_TYPE} -D__ANDROID_API__=29) elseif (CX_PLATFORM STREQUAL "linux") if(CMAKE_SYSTEM_PROCESSOR STREQUAL arm) - set(OPENSSL_CONFIG_CMD ${CMAKE_CURRENT_SOURCE_DIR}/openssl/Configure + set(OPENSSL_CONFIG_CMD ${CMAKE_CURRENT_SOURCE_DIR}/${QUIC_OPENSSL}/Configure linux-armv4 -DL_ENDIAN --cross-compile-prefix=${GNU_MACHINE}${FLOAT_ABI_SUFFIX}-) list(APPEND OPENSSL_CONFIG_FLAGS -latomic) else() if (CMAKE_TARGET_ARCHITECTURE STREQUAL arm64) if (ONEBRANCH) - set(OPENSSL_CONFIG_CMD ${CMAKE_CURRENT_SOURCE_DIR}/openssl/Configure linux-aarch64 + set(OPENSSL_CONFIG_CMD ${CMAKE_CURRENT_SOURCE_DIR}/${QUIC_OPENSSL}/Configure linux-aarch64 --cross-compile-prefix=${GNU_MACHINE}${FLOAT_ABI_SUFFIX}-) else() - set(OPENSSL_CONFIG_CMD ${CMAKE_CURRENT_SOURCE_DIR}/openssl/Configure linux-aarch64) + set(OPENSSL_CONFIG_CMD ${CMAKE_CURRENT_SOURCE_DIR}/${QUIC_OPENSSL}/Configure linux-aarch64) endif() list(APPEND OPENSSL_CONFIG_FLAGS -latomic) elseif (CMAKE_TARGET_ARCHITECTURE STREQUAL arm) if (ONEBRANCH) - set(OPENSSL_CONFIG_CMD ${CMAKE_CURRENT_SOURCE_DIR}/openssl/Configure linux-armv4 + set(OPENSSL_CONFIG_CMD ${CMAKE_CURRENT_SOURCE_DIR}/${QUIC_OPENSSL}/Configure linux-armv4 --cross-compile-prefix=${GNU_MACHINE}${FLOAT_ABI_SUFFIX}-) else() - set(OPENSSL_CONFIG_CMD ${CMAKE_CURRENT_SOURCE_DIR}/openssl/Configure linux-armv4) + set(OPENSSL_CONFIG_CMD ${CMAKE_CURRENT_SOURCE_DIR}/${QUIC_OPENSSL}/Configure linux-armv4) endif() list(APPEND OPENSSL_CONFIG_FLAGS -latomic) else() - set(OPENSSL_CONFIG_CMD ${CMAKE_CURRENT_SOURCE_DIR}/openssl/config + set(OPENSSL_CONFIG_CMD ${CMAKE_CURRENT_SOURCE_DIR}/${QUIC_OPENSSL}/config CC=${CMAKE_C_COMPILER} CXX=${CMAKE_CXX_COMPILER}) endif() endif() elseif(CX_PLATFORM STREQUAL "darwin") # need to build with Apple's 
compiler if (CMAKE_OSX_ARCHITECTURES STREQUAL arm64) - set(OPENSSL_CONFIG_CMD ARCHFLAGS="-arch arm64" ${CMAKE_CURRENT_SOURCE_DIR}/openssl/Configure darwin64-arm64-cc) + set(OPENSSL_CONFIG_CMD ARCHFLAGS="-arch arm64" ${CMAKE_CURRENT_SOURCE_DIR}/${QUIC_OPENSSL}/Configure darwin64-arm64-cc) elseif(CMAKE_OSX_ARCHITECTURES STREQUAL x86_64) - set(OPENSSL_CONFIG_CMD ARCHFLAGS="-arch x86_64" ${CMAKE_CURRENT_SOURCE_DIR}/openssl/Configure darwin64-x86_64-cc) + set(OPENSSL_CONFIG_CMD ARCHFLAGS="-arch x86_64" ${CMAKE_CURRENT_SOURCE_DIR}/${QUIC_OPENSSL}/Configure darwin64-x86_64-cc) else() message(ERROR "WTF ${CX_PLATFORM} ${CMAKE_TARGET_ARCHITECTURE}") - set(OPENSSL_CONFIG_CMD ${CMAKE_CURRENT_SOURCE_DIR}/openssl/config) + set(OPENSSL_CONFIG_CMD ${CMAKE_CURRENT_SOURCE_DIR}/${QUIC_OPENSSL}/config) endif() list(APPEND OPENSSL_CONFIG_FLAGS -isysroot ${CMAKE_OSX_SYSROOT}) if(SDK_NAME) @@ -261,18 +266,18 @@ else() list(APPEND OPENSSL_CONFIG_FLAGS -fembed-bitcode) endif() else() - set(OPENSSL_CONFIG_CMD ${CMAKE_CURRENT_SOURCE_DIR}/openssl/config + set(OPENSSL_CONFIG_CMD ${CMAKE_CURRENT_SOURCE_DIR}/${QUIC_OPENSSL}/config CC=${CMAKE_C_COMPILER} CXX=${CMAKE_CXX_COMPILER}) endif() # Create working and output directories as needed file(MAKE_DIRECTORY ${OPENSSL_DIR}/include) - file(MAKE_DIRECTORY ${QUIC_BUILD_DIR}/submodules/openssl) + file(MAKE_DIRECTORY ${QUIC_BUILD_DIR}/submodules/${QUIC_OPENSSL}) # Configure steps for debug and release variants add_custom_command( - WORKING_DIRECTORY ${QUIC_BUILD_DIR}/submodules/openssl - OUTPUT ${QUIC_BUILD_DIR}/submodules/openssl/Makefile + WORKING_DIRECTORY ${QUIC_BUILD_DIR}/submodules/${QUIC_OPENSSL} + OUTPUT ${QUIC_BUILD_DIR}/submodules/${QUIC_OPENSSL}/Makefile COMMAND SYSTEM=${CMAKE_HOST_SYSTEM_NAME} ${OPENSSL_CONFIG_CMD} ${OPENSSL_CONFIG_FLAGS} COMMENT "OpenSSL configure" 
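Review bot: The darwin fallback right below the two changed `set(OPENSSL_CONFIG_CMD ARCHFLAGS=...)` lines uses `message(ERROR "WTF ...")`; `ERROR` is not a message mode, so CMake prints it as ordinary notice text and continues into the generic `${QUIC_OPENSSL}/config` path, building OpenSSL for an architecture this file did not recognise. Since the commit touches the line beneath it, `message(FATAL_ERROR "Unsupported darwin architecture ${CMAKE_OSX_ARCHITECTURES}")` (dropping the fallback `set`) would make that a configure-time stop, matching the `FATAL_ERROR` used for the unknown android abi case at the top of this hunk. The enclosing non-WIN32 `else()` block starts before this hunk and ends after it.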
@@ -286,12 +291,26 @@ else() add_custom_command( OUTPUT ${LIBSSL_PATH} OUTPUT ${LIBCRYPTO_PATH} - DEPENDS ${QUIC_BUILD_DIR}/submodules/openssl/Makefile - WORKING_DIRECTORY ${QUIC_BUILD_DIR}/submodules/openssl + DEPENDS ${QUIC_BUILD_DIR}/submodules/${QUIC_OPENSSL}/Makefile + WORKING_DIRECTORY ${QUIC_BUILD_DIR}/submodules/${QUIC_OPENSSL} COMMAND make install_dev -j${NPROCS} COMMENT "OpenSSL build" ) + if (QUIC_USE_OPENSSL3 AND QUIC_USE_SYSTEM_LIBCRYPTO) + # OpenSSL 3 uses different sources for static and dynamic libraries. + # That is ok if you use either one consistently but it fails to link when we use dynamic crypto with static ssl. + # To fix that we need little hackery - see openssl3/ssl/build.info + add_custom_command( + OUTPUT ${LIBSSL_PATH} + OUTPUT ${LIBCRYPTO_PATH} + APPEND + WORKING_DIRECTORY ${QUIC_BUILD_DIR}/submodules/${QUIC_OPENSSL} + COMMAND ar x ${LIBCRYPTO_PATH} libcrypto-lib-packet.o libcommon-lib-tls_pad.o + COMMAND ar r ${LIBSSL_PATH} libcrypto-lib-packet.o libcommon-lib-tls_pad.o + ) + endif() + # Named target depending on the final lib artifacts produced by custom commands add_custom_target( OpenSSL_Target @@ -320,7 +339,7 @@ else() if (QUIC_USE_SYSTEM_LIBCRYPTO) include(FindOpenSSL) if (OPENSSL_FOUND) - if (OPENSSL_VERSION VERSION_EQUAL EXPECTED_OPENSSL_VERSION) + if (OPENSSL_VERSION VERSION_EQUAL EXPECTED_OPENSSL_VERSION OR OPENSSL_VERSION VERSION_GREATER EXPECTED_OPENSSL_VERSION) target_link_libraries(OpenSSLQuic INTERFACE OpenSSL::Crypto) else() message(FATAL_ERROR "OpenSSL ${EXPECTED_OPENSSL_VERSION} not found, found ${OPENSSL_VERSION}") diff --git a/submodules/openssl3 b/submodules/openssl3 new file mode 160000 index 0000000000..247bb4dbd1 --- /dev/null +++ b/submodules/openssl3 @@ -0,0 +1 @@ +Subproject commit 247bb4dbd1d327ff9ed852ca53402249db5db486
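Review bot: The new `APPEND` custom command hardcodes `ar`, yet the Linux arm/arm64 and android branches earlier in this file configure OpenSSL with `--cross-compile-prefix`, so on those cross builds the host `ar` would be asked to repack target archives; `${CMAKE_AR}` is the archiver the toolchain already resolved: `COMMAND ${CMAKE_AR} x ${LIBCRYPTO_PATH} libcrypto-lib-packet.o libcommon-lib-tls_pad.o` and `COMMAND ${CMAKE_AR} r ${LIBSSL_PATH} libcrypto-lib-packet.o libcommon-lib-tls_pad.o`. CMake also ignores `WORKING_DIRECTORY` (and `COMMENT`) when `APPEND` is given — the appended commands run in the directory of the command they extend, which is the same path here, so the option is misleading rather than wrong and can be dropped. The comment should spell out the consequence for the system-libcrypto configuration: the two objects are taken from the freshly built bundled libcrypto and merged into libssl, so that code comes from the submodule rather than the distro library and will not track its security updates, e.g. `# NOTE: packet.o/tls_pad.o are bundled OpenSSL code even when QUIC_USE_SYSTEM_LIBCRYPTO is ON`.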
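Review bot: Relaxing the system-libcrypto check to `VERSION_EQUAL ... OR VERSION_GREATER` lets a 3.x system libcrypto satisfy the `openssl` configuration (EXPECTED_OPENSSL_VERSION 1.1.1), so the quictls 1.1.1 headers and the libssl built from that submodule would be linked against an OpenSSL 3 libcrypto; those are different library versions with incompatible ABIs, and the mismatch should stop at configure time rather than surface at link or run time. Bounding the check to the expected major keeps the intended "at least 3.0" behaviour for openssl3 while rejecting the cross-major case, e.g. `string(REGEX MATCH "^[0-9]+" QUIC_OPENSSL_FOUND_MAJOR "${OPENSSL_VERSION}")` / `string(REGEX MATCH "^[0-9]+" QUIC_OPENSSL_EXPECTED_MAJOR "${EXPECTED_OPENSSL_VERSION}")` / `if (OPENSSL_VERSION VERSION_GREATER_EQUAL EXPECTED_OPENSSL_VERSION AND QUIC_OPENSSL_FOUND_MAJOR STREQUAL QUIC_OPENSSL_EXPECTED_MAJOR)`. The `FATAL_ERROR` text two lines below still reads `OpenSSL ${EXPECTED_OPENSSL_VERSION} not found` and should describe what is now accepted. The enclosing `if (QUIC_USE_SYSTEM_LIBCRYPTO)` block continues past the hunk.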