Add support for OpenSSL 3 as alternative TLS

.azure/azure-pipelines.ci.yml

@@ -326,6 +326,16 @@ stages:
       extraName: 'systemopenssl'
       extraBuildArgs: -UseSystemOpenSSLCrypto -ExtraArtifactDir SystemCrypto
 
+  - template: ./templates/build-config-user.yml
+    parameters:
+      image: ubuntu-22.04
+      platform: linux
+      arch: x64
+      tls: openssl3
+      config: Debug
+      extraName: 'systemopenssl'
+      extraBuildArgs: -UseSystemOpenSSLCrypto -ExtraArtifactDir SystemCrypto
+
 - stage: build_linux_nontest
   displayName: Build Linux - Non Tested
   dependsOn: []
@@ -410,8 +420,15 @@ stages:
       platform: linux
       arch: x64
       tls: openssl
+
+  - template: ./templates/build-config-user.yml
+    parameters:
+      image: ubuntu-22.04
+      platform: linux
+      arch: x64
+      tls: openssl3
       extraName: 'ubuntu2204'
-      extraBuildArgs: -ExtraArtifactDir ubuntu2204
+      extraBuildArgs: -UseSystemOpenSSLCrypto -ExtraArtifactDir ubuntu2204
       ubuntuVersion: 22.04
 
 - stage: build_macos_release

.gitmodules

@@ -5,6 +5,10 @@
 	path = submodules/openssl
 	url = https://github.com/quictls/openssl.git
 	branch = OpenSSL_1_1_1s+quic1
+[submodule "submodules/openssl3"]
+	path = submodules/openssl3
+	url = https://github.com/quictls/openssl.git
+	branch = openssl-3.0.7+quic1
 [submodule "submodules/clog"]
 	path = submodules/clog
 	url = https://github.com/microsoft/CLOG.git

CMakeLists.txt

@@ -650,7 +650,7 @@ else() #!WIN32
     set(QUIC_CXX_FLAGS ${QUIC_COMMON_FLAGS})
 endif()
 
-if(QUIC_TLS STREQUAL "openssl")
+if(QUIC_TLS STREQUAL "openssl" OR  QUIC_TLS STREQUAL "openssl3")
     add_library(OpenSSL INTERFACE)
 
     include(FetchContent)

scripts/build.ps1

@@ -133,7 +133,7 @@ param (
     [switch]$Static = $false,
 
     [Parameter(Mandatory = $false)]
-    [ValidateSet("schannel", "openssl")]
+    [ValidateSet("schannel", "openssl", "openssl3")]
     [string]$Tls = "",
 
     [Parameter(Mandatory = $false)]
@@ -267,7 +267,7 @@ if ($Arch -eq "arm64ec") {
     if (!$IsWindows) {
         Write-Error "Arm64EC is only supported on Windows"
     }
-    if ($Tls -eq "openssl") {
+    if ($Tls -eq "openssl" -Or $Tls -eq "openssl3") {
         Write-Error "Arm64EC does not support openssl"
     }
 }

scripts/get-buildconfig.ps1

@@ -34,7 +34,7 @@ param (
     [string]$Platform = "",
 
     [Parameter(Mandatory = $false)]
-    [ValidateSet("schannel", "openssl", "")]
+    [ValidateSet("schannel", "openssl", "openssl3", "")]
     [string]$Tls = "",
 
     [Parameter(Mandatory = $false)]

scripts/prepare-machine.ps1

@@ -484,6 +484,11 @@ if ($InitSubmodules) {
         git submodule init submodules/openssl
     }
 
+    if ($Tls -eq "openssl3") {
+        Write-Host "Initializing openssl3 submodule"
+        git submodule init submodules/openssl3
+    }
+
     if (!$DisableTest) {
         Write-Host "Initializing googletest submodule"
         git submodule init submodules/googletest

src/platform/CMakeLists.txt

@@ -30,7 +30,7 @@ endif()
 if (QUIC_TLS STREQUAL "schannel")
     message(STATUS "Configuring for Schannel")
     set(SOURCES ${SOURCES} cert_capi.c crypt_bcrypt.c selfsign_capi.c tls_schannel.c)
-elseif(QUIC_TLS STREQUAL "openssl")
+elseif(QUIC_TLS STREQUAL "openssl" OR QUIC_TLS STREQUAL "openssl3")
     message(STATUS "Configuring for OpenSSL")
     set(SOURCES ${SOURCES} tls_openssl.c crypt_openssl.c)
     if ("${CX_PLATFORM}" STREQUAL "windows")
@@ -79,7 +79,7 @@ if (MSVC AND (QUIC_TLS STREQUAL "openssl" OR QUIC_TLS STREQUAL "schannel") AND N
     target_compile_options(platform PRIVATE /analyze)
 endif()
 
-if(QUIC_TLS STREQUAL "openssl")
+if(QUIC_TLS STREQUAL "openssl" OR QUIC_TLS STREQUAL "openssl3")
     target_link_libraries(platform PUBLIC OpenSSL)
     if (CX_PLATFORM STREQUAL "darwin")
         target_link_libraries(platform PUBLIC "-framework CoreFoundation" "-framework Security")

src/platform/crypt_openssl.c

@@ -55,6 +55,7 @@ EVP_MAC_CTX *CXPLAT_HMAC_SHA256_CTX_HANDLE;
 EVP_MAC_CTX *CXPLAT_HMAC_SHA384_CTX_HANDLE;
 EVP_MAC_CTX *CXPLAT_HMAC_SHA512_CTX_HANDLE;
 
+_Success_(return != 0)
 int
 CxPlatLoadCipher(
     _In_ char *cipher_name,
@@ -73,6 +74,7 @@ CxPlatLoadCipher(
     return 1;
 }
 
+_Success_(return != 0)
 int
 CxPlatLoadMAC(
     _In_ char *name,
@@ -91,6 +93,7 @@ CxPlatLoadMAC(
     return 1;
 }
 
+_Success_(return != 0)
 int
 CxPlatLoadHMACCTX(
     _In_ EVP_MAC *mac,

src/platform/selfsign_openssl.c

@@ -174,8 +174,8 @@ GenerateX509Cert(
         goto Exit;
     }
 
-    X509_gmtime_adj(X509_get_notBefore(Cert), 0);
-    X509_gmtime_adj(X509_get_notAfter(Cert), 31536000L);
+    X509_gmtime_adj(X509_getm_notBefore(Cert), 0);
+    X509_gmtime_adj(X509_getm_notAfter(Cert), 31536000L);
 
     X509_set_pubkey(Cert, PKey);
 

submodules/CMakeLists.txt

@@ -11,20 +11,25 @@ cmake_minimum_required(VERSION 3.16)
 project(OpenSSLQuic)
 
 set(QUIC_BUILD_DIR ${CMAKE_CURRENT_BINARY_DIR})
-set(OPENSSL_DIR ${QUIC_BUILD_DIR}/openssl)
 option(QUIC_USE_SYSTEM_LIBCRYPTO "Use system libcrypto if openssl TLS" OFF)
 
-# Newer versions of OpenSSL switched to Markdown, so we can use that to detect
-# the openssl version cloned
-if (EXISTS "${CMAKE_CURRENT_SOURCE_DIR}/openssl/CHANGES")
-    message(STATUS "Configuring for OpenSSL 1.1")
-    set(EXPECTED_OPENSSL_VERSION 1.1.1)
+if(QUIC_TLS STREQUAL "openssl" OR QUIC_TLS STREQUAL "openssl3")
+    if(QUIC_TLS STREQUAL "openssl")
+        message(STATUS "Configuring for OpenSSL 1.1")
+        set(EXPECTED_OPENSSL_VERSION 1.1.1)
+        set(QUIC_OPENSSL openssl)
+    else()
+        set(QUIC_USE_OPENSSL3 ON)
+        message(STATUS "Configuring for OpenSSL 3.0")
+        set(EXPECTED_OPENSSL_VERSION 3.0)
+        set(QUIC_OPENSSL openssl3)
+    endif()
 else()
-    set(QUIC_USE_OPENSSL3 ON)
-    message(STATUS "Configuring for OpenSSL 3.0")
-    set(EXPECTED_OPENSSL_VERSION 3.0)
+    message(FATAL_ERROR "Unsupported QUIC_TLS ${QUIC_TLS}")
 endif()
 
+set(OPENSSL_DIR ${QUIC_BUILD_DIR}/${QUIC_OPENSSL})
+
 set(OPENSSL_CONFIG_FLAGS
     enable-tls1_3 no-makedepend no-dgram no-ssl3 no-psk no-srp
 
@@ -36,7 +41,7 @@ set(OPENSSL_CONFIG_FLAGS
     no-weak-ssl-ciphers no-shared no-tests)
 
 if (QUIC_USE_OPENSSL3)
-    list(APPEND OPENSSL_CONFIG_FLAGS no-uplink no-cmp no-fips no-padlockeng no-siv --libdir=lib)
+    list(APPEND OPENSSL_CONFIG_FLAGS no-uplink no-cmp no-fips no-padlockeng no-siv no-legacy no-dtls no-deprecated --libdir=lib)
 endif()
 
 if (WIN32)
@@ -112,13 +117,13 @@ if (WIN32)
     # Create working and output directories as needed
     file(MAKE_DIRECTORY ${OPENSSL_DIR}/debug/include)
     file(MAKE_DIRECTORY ${OPENSSL_DIR}/release/include)
-    file(MAKE_DIRECTORY ${QUIC_BUILD_DIR}/submodules/openssl/debug)
-    file(MAKE_DIRECTORY ${QUIC_BUILD_DIR}/submodules/openssl/release)
+    file(MAKE_DIRECTORY ${QUIC_BUILD_DIR}/${QUIC_OPENSSL}/openssl/debug)
+    file(MAKE_DIRECTORY ${QUIC_BUILD_DIR}/submodules/${QUIC_OPENSSL}/release)
 
     # Configure steps for debug and release variants
     add_custom_command(
-        WORKING_DIRECTORY $<IF:$<CONFIG:Debug>,${QUIC_BUILD_DIR}/submodules/openssl/debug,${QUIC_BUILD_DIR}/submodules/openssl/release>
-        OUTPUT $<IF:$<CONFIG:Debug>,${QUIC_BUILD_DIR}/submodules/openssl/debug/makefile,${QUIC_BUILD_DIR}/submodules/openssl/release/makefile>
+        WORKING_DIRECTORY $<IF:$<CONFIG:Debug>,${QUIC_BUILD_DIR}/submodules/${QUIC_OPENSSL}/debug,${QUIC_BUILD_DIR}/submodules/${QUIC_OPENSSL}/release>
+        OUTPUT $<IF:$<CONFIG:Debug>,${QUIC_BUILD_DIR}/submodules/${QUIC_OPENSSL}/debug/makefile,${QUIC_BUILD_DIR}/submodules/${QUIC_OPENSSL}/release/makefile>
         COMMAND perl ${CMAKE_CURRENT_SOURCE_DIR}/openssl/Configure ${OPENSSL_CONFIG_FLAGS} $<$<CONFIG:Debug>:--debug> $<$<CONFIG:Debug>:--prefix=${OPENSSL_DIR}/debug> $<$<NOT:$<CONFIG:Debug>>:--prefix=${OPENSSL_DIR}/release>
 
         COMMENT "OpenSSL configure"
@@ -128,8 +133,8 @@ if (WIN32)
     add_custom_command(
         OUTPUT $<IF:$<CONFIG:Debug>,${LIBSSL_DEBUG_PATH},${LIBSSL_PATH}>
         OUTPUT $<IF:$<CONFIG:Debug>,${LIBCRYPTO_DEBUG_PATH},${LIBCRYPTO_PATH}>
-        DEPENDS $<IF:$<CONFIG:Debug>,${QUIC_BUILD_DIR}/submodules/openssl/debug/makefile,${QUIC_BUILD_DIR}/submodules/openssl/release/makefile>
-        WORKING_DIRECTORY $<IF:$<CONFIG:Debug>,${QUIC_BUILD_DIR}/submodules/openssl/debug,${QUIC_BUILD_DIR}/submodules/openssl/release>
+        DEPENDS $<IF:$<CONFIG:Debug>,${QUIC_BUILD_DIR}/submodules/${QUIC_OPENSSL}/debug/makefile,${QUIC_BUILD_DIR}/submodules/${QUIC_OPENSSL}/release/makefile>
+        WORKING_DIRECTORY $<IF:$<CONFIG:Debug>,${QUIC_BUILD_DIR}/submodules/${QUIC_OPENSSL}/debug,${QUIC_BUILD_DIR}/submodules/${QUIC_OPENSSL}/release>
         COMMAND ${OPENSSL_RUN_COMMAND} install_dev
         COMMENT "OpenSSL build"
     )
@@ -210,46 +215,46 @@ else()
         else()
             message(FATAL_ERROR "Unknown android abi type")
         endif()
-        set(OPENSSL_CONFIG_CMD ${CMAKE_CURRENT_SOURCE_DIR}/openssl/Configure
+        set(OPENSSL_CONFIG_CMD ${CMAKE_CURRENT_SOURCE_DIR}/${QUIC_OPENSSL}/Configure
             ${OPENSSL_BUILD_TYPE}
             -D__ANDROID_API__=29)
     elseif (CX_PLATFORM STREQUAL "linux")
         if(CMAKE_SYSTEM_PROCESSOR STREQUAL arm)
-            set(OPENSSL_CONFIG_CMD ${CMAKE_CURRENT_SOURCE_DIR}/openssl/Configure
+            set(OPENSSL_CONFIG_CMD ${CMAKE_CURRENT_SOURCE_DIR}/${QUIC_OPENSSL}/Configure
                 linux-armv4 -DL_ENDIAN
                 --cross-compile-prefix=${GNU_MACHINE}${FLOAT_ABI_SUFFIX}-)
             list(APPEND OPENSSL_CONFIG_FLAGS -latomic)
         else()
             if (CMAKE_TARGET_ARCHITECTURE STREQUAL arm64)
                 if (ONEBRANCH)
-                    set(OPENSSL_CONFIG_CMD ${CMAKE_CURRENT_SOURCE_DIR}/openssl/Configure linux-aarch64
+                    set(OPENSSL_CONFIG_CMD ${CMAKE_CURRENT_SOURCE_DIR}/${QUIC_OPENSSL}/Configure linux-aarch64
                     --cross-compile-prefix=${GNU_MACHINE}${FLOAT_ABI_SUFFIX}-)
                 else()
-                    set(OPENSSL_CONFIG_CMD ${CMAKE_CURRENT_SOURCE_DIR}/openssl/Configure linux-aarch64)
+                    set(OPENSSL_CONFIG_CMD ${CMAKE_CURRENT_SOURCE_DIR}/${QUIC_OPENSSL}/Configure linux-aarch64)
                 endif()
                 list(APPEND OPENSSL_CONFIG_FLAGS -latomic)
             elseif (CMAKE_TARGET_ARCHITECTURE STREQUAL arm)
                 if (ONEBRANCH)
-                    set(OPENSSL_CONFIG_CMD ${CMAKE_CURRENT_SOURCE_DIR}/openssl/Configure linux-armv4
+                    set(OPENSSL_CONFIG_CMD ${CMAKE_CURRENT_SOURCE_DIR}/${QUIC_OPENSSL}/Configure linux-armv4
                     --cross-compile-prefix=${GNU_MACHINE}${FLOAT_ABI_SUFFIX}-)
                 else()
-                    set(OPENSSL_CONFIG_CMD ${CMAKE_CURRENT_SOURCE_DIR}/openssl/Configure linux-armv4)
+                    set(OPENSSL_CONFIG_CMD ${CMAKE_CURRENT_SOURCE_DIR}/${QUIC_OPENSSL}/Configure linux-armv4)
                 endif()
                 list(APPEND OPENSSL_CONFIG_FLAGS -latomic)
             else()
-                set(OPENSSL_CONFIG_CMD ${CMAKE_CURRENT_SOURCE_DIR}/openssl/config
+                set(OPENSSL_CONFIG_CMD ${CMAKE_CURRENT_SOURCE_DIR}/${QUIC_OPENSSL}/config
                             CC=${CMAKE_C_COMPILER} CXX=${CMAKE_CXX_COMPILER})
             endif()
         endif()
     elseif(CX_PLATFORM STREQUAL "darwin")
         # need to build with Apple's compiler
         if (CMAKE_OSX_ARCHITECTURES STREQUAL arm64)
-            set(OPENSSL_CONFIG_CMD ARCHFLAGS="-arch arm64" ${CMAKE_CURRENT_SOURCE_DIR}/openssl/Configure darwin64-arm64-cc)
+            set(OPENSSL_CONFIG_CMD ARCHFLAGS="-arch arm64" ${CMAKE_CURRENT_SOURCE_DIR}/${QUIC_OPENSSL}/Configure darwin64-arm64-cc)
         elseif(CMAKE_OSX_ARCHITECTURES STREQUAL x86_64)
-            set(OPENSSL_CONFIG_CMD ARCHFLAGS="-arch x86_64" ${CMAKE_CURRENT_SOURCE_DIR}/openssl/Configure darwin64-x86_64-cc)
+            set(OPENSSL_CONFIG_CMD ARCHFLAGS="-arch x86_64" ${CMAKE_CURRENT_SOURCE_DIR}/${QUIC_OPENSSL}/Configure darwin64-x86_64-cc)
         else()
             message(ERROR "WTF ${CX_PLATFORM} ${CMAKE_TARGET_ARCHITECTURE}")
-            set(OPENSSL_CONFIG_CMD ${CMAKE_CURRENT_SOURCE_DIR}/openssl/config)
+            set(OPENSSL_CONFIG_CMD ${CMAKE_CURRENT_SOURCE_DIR}/${QUIC_OPENSSL}/config)
         endif()
         list(APPEND OPENSSL_CONFIG_FLAGS -isysroot ${CMAKE_OSX_SYSROOT})
         if(SDK_NAME)
@@ -261,18 +266,18 @@ else()
             list(APPEND OPENSSL_CONFIG_FLAGS -fembed-bitcode)
         endif()
     else()
-        set(OPENSSL_CONFIG_CMD ${CMAKE_CURRENT_SOURCE_DIR}/openssl/config
+        set(OPENSSL_CONFIG_CMD ${CMAKE_CURRENT_SOURCE_DIR}/${QUIC_OPENSSL}/config
             CC=${CMAKE_C_COMPILER} CXX=${CMAKE_CXX_COMPILER})
     endif()
 
     # Create working and output directories as needed
     file(MAKE_DIRECTORY ${OPENSSL_DIR}/include)
-    file(MAKE_DIRECTORY ${QUIC_BUILD_DIR}/submodules/openssl)
+    file(MAKE_DIRECTORY ${QUIC_BUILD_DIR}/submodules/${QUIC_OPENSSL})
 
     # Configure steps for debug and release variants
     add_custom_command(
-        WORKING_DIRECTORY ${QUIC_BUILD_DIR}/submodules/openssl
-        OUTPUT ${QUIC_BUILD_DIR}/submodules/openssl/Makefile
+        WORKING_DIRECTORY ${QUIC_BUILD_DIR}/submodules/${QUIC_OPENSSL}
+        OUTPUT ${QUIC_BUILD_DIR}/submodules/${QUIC_OPENSSL}/Makefile
         COMMAND SYSTEM=${CMAKE_HOST_SYSTEM_NAME}
             ${OPENSSL_CONFIG_CMD} ${OPENSSL_CONFIG_FLAGS}
         COMMENT "OpenSSL configure"
@@ -286,12 +291,26 @@ else()
     add_custom_command(
         OUTPUT ${LIBSSL_PATH}
         OUTPUT ${LIBCRYPTO_PATH}
-        DEPENDS ${QUIC_BUILD_DIR}/submodules/openssl/Makefile
-        WORKING_DIRECTORY ${QUIC_BUILD_DIR}/submodules/openssl
+        DEPENDS ${QUIC_BUILD_DIR}/submodules/${QUIC_OPENSSL}/Makefile
+        WORKING_DIRECTORY ${QUIC_BUILD_DIR}/submodules/${QUIC_OPENSSL}
         COMMAND make install_dev -j${NPROCS}
         COMMENT "OpenSSL build"
     )
 
+    if (QUIC_USE_OPENSSL3 AND QUIC_USE_SYSTEM_LIBCRYPTO)
+        # OpenSSL 3 uses different sources for static and dynamic libraries.
+        # That is ok if you use either one consistently but it fails to link when we use dynamic crypto with static ssl.
+        # To fix that we need little hackery - see openssl3/ssl/build.info 
+        add_custom_command(
+            OUTPUT ${LIBSSL_PATH}
+            OUTPUT ${LIBCRYPTO_PATH}
+            APPEND
+            WORKING_DIRECTORY ${QUIC_BUILD_DIR}/submodules/${QUIC_OPENSSL}
+            COMMAND ar x ${LIBCRYPTO_PATH} libcrypto-lib-packet.o libcommon-lib-tls_pad.o
+            COMMAND ar r ${LIBSSL_PATH} libcrypto-lib-packet.o libcommon-lib-tls_pad.o
+        )
+    endif()
+
     # Named target depending on the final lib artifacts produced by custom commands
     add_custom_target(
         OpenSSL_Target
@@ -320,7 +339,7 @@ else()
     if (QUIC_USE_SYSTEM_LIBCRYPTO)
         include(FindOpenSSL)
         if (OPENSSL_FOUND)
-            if (OPENSSL_VERSION VERSION_EQUAL EXPECTED_OPENSSL_VERSION)
+            if (OPENSSL_VERSION VERSION_EQUAL EXPECTED_OPENSSL_VERSION OR OPENSSL_VERSION VERSION_GREATER EXPECTED_OPENSSL_VERSION)
                 target_link_libraries(OpenSSLQuic INTERFACE OpenSSL::Crypto)
             else()
                 message(FATAL_ERROR "OpenSSL ${EXPECTED_OPENSSL_VERSION} not found, found ${OPENSSL_VERSION}")