Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

OpenSSL3: remove use of deprecated functions #5481

Merged
merged 77 commits into from
Aug 22, 2023
Merged
Show file tree
Hide file tree
Changes from 76 commits
Commits
Show all changes
77 commits
Select commit Hold shift + click to select a range
bb7ae53
Compiles
Jul 10, 2023
e2c7be8
Better macros
Jul 10, 2023
3b1a070
CI image
Jul 10, 2023
7505a94
Merge branch 'main' into openenclave_0_19_2
jumaffre Jul 10, 2023
980d07c
Fix snapshot verification
Jul 10, 2023
082e24f
Merge branch 'openenclave_0_19_2' of github.com:microsoft/CCF into op…
Jul 10, 2023
da67c3f
Unit test works
Jul 11, 2023
27d0e7d
.
Jul 12, 2023
b3870ec
Remove use of `EVP_PKEY_get0_RSA`
Jul 12, 2023
790d2c2
JWK conversions
Jul 12, 2023
cb9f5ee
Fixes
Jul 13, 2023
8dc7255
WIP
Jul 13, 2023
4b8a7e6
Very much WIP
Jul 14, 2023
6b4388c
Seems to be working
Jul 14, 2023
882994b
Merge branch 'main' of github.com:microsoft/CCF into openenclave_0_19_2
Jul 14, 2023
c5ed719
Cleanup
Jul 14, 2023
f13c9ca
WIP
Jul 17, 2023
c36ee2f
Finally works
Jul 24, 2023
a34619e
.
Jul 24, 2023
6963358
Private too
Jul 24, 2023
88350c3
Oops
Jul 24, 2023
c6f2184
cleanup
Jul 24, 2023
aed42e5
WIP
Jul 25, 2023
2d44d8f
WIP
Jul 25, 2023
132d3f4
Works
Jul 26, 2023
ba9a214
JWK to RSA
Jul 26, 2023
9e2459e
Almost there!
Jul 26, 2023
b8e0e32
Cleanup
Jul 26, 2023
484b6a5
WIP
Jul 27, 2023
c2dbe89
Last fix
Jul 28, 2023
6c557b0
fmt
Jul 28, 2023
40e4528
More cleanup before PR
Jul 28, 2023
04582be
.
Jul 28, 2023
d613ecc
Almost there
Jul 28, 2023
394c4ba
.
Jul 28, 2023
73098b5
Fix 1.1.1 build
Jul 28, 2023
f37bb9d
Changelog
Jul 28, 2023
8f31850
.
Jul 28, 2023
993e416
Merge branch 'main' into openssl_3_batch1
jumaffre Jul 28, 2023
587c981
Compat flag
Jul 28, 2023
349f813
.
Jul 28, 2023
fae5845
Merge branch 'openssl_3_batch1' of github.com:jumaffre/CCF into opens…
Jul 28, 2023
2ed84a7
.
Jul 28, 2023
b404e8a
Merge branch 'main' into openssl_3_batch1
eddyashton Jul 31, 2023
eb55fd7
Merge branch 'main' into openssl_3_batch1
achamayou Aug 2, 2023
243efbe
Merge branch 'main' of github.com:microsoft/CCF into openssl_3_batch1
Aug 7, 2023
de88c51
Merge branch 'openssl_3_batch1' of github.com:jumaffre/CCF into opens…
Aug 7, 2023
bbee61c
Add client shutdown
Aug 9, 2023
b126900
Perf test fix: ignore (BIO_CB_CTRL | BIO_CB_RETURN)
Aug 9, 2023
252bb0d
Merge branch 'main' into openssl_3_batch1
jumaffre Aug 10, 2023
6821652
Faster hashing
Aug 15, 2023
a64c00c
Merge branch 'openssl_3_batch1' of github.com:jumaffre/CCF into opens…
Aug 15, 2023
3526d30
Faster SHA256 OpenSSL hashing
Aug 15, 2023
9e8ca64
Merge branch 'main' of github.com:microsoft/CCF into fast_openssl_256…
Aug 15, 2023
a5f3ee4
Fix
Aug 15, 2023
25fc715
Canaries
Aug 15, 2023
0a21225
Fix build
Aug 15, 2023
a13c268
.
Aug 15, 2023
bc1f31e
Simplify
Aug 15, 2023
9a12d26
Cleanup
Aug 15, 2023
48cb0fe
PR comments
Aug 16, 2023
6f3ff4d
Fix tests
Aug 16, 2023
5ba93c2
Fix e2e test
Aug 16, 2023
e598c48
Merge branch 'fast_openssl_256_hashing' into openssl_3_batch1
Aug 16, 2023
0800e97
Fix perf tests
Aug 16, 2023
f7f77c7
Merge branch 'fast_openssl_256_hashing' into openssl_3_batch1
Aug 16, 2023
48001aa
Merge branch 'main' of github.com:microsoft/CCF into openssl_3_batch1
Aug 17, 2023
971b4f6
`EC_`
Aug 17, 2023
76f9b12
Merge branch 'main' into openssl_3_batch1
jumaffre Aug 21, 2023
38ff2c2
ENGINE
Aug 21, 2023
f4fe2c3
Merge branch 'openssl_3_batch1' of github.com:jumaffre/CCF into opens…
Aug 21, 2023
b893694
Unique EVP_PKEY_CTX
Aug 21, 2023
1a5c482
Last of memory leaks
Aug 21, 2023
9bb211a
Merge branch 'main' into openssl_3_batch1
jumaffre Aug 21, 2023
86523f6
Remove log
Aug 21, 2023
cb63243
Merge branch 'openssl_3_batch1' of github.com:jumaffre/CCF into opens…
Aug 21, 2023
59d0c29
Merge branch 'main' into openssl_3_batch1
achamayou Aug 21, 2023
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
2 changes: 1 addition & 1 deletion .daily_canary
Original file line number Diff line number Diff line change
@@ -1,4 +1,4 @@
--- ___ ___
(- -) (= =) | Y & +--?
( V ) \ . \ O +---=---'
( V ) > . < O +---=---'
/--x-m- /--n-n---xXx--/--yY-----.
1 change: 1 addition & 0 deletions CHANGELOG.md
Original file line number Diff line number Diff line change
Expand Up @@ -10,6 +10,7 @@ and this project adheres to [Semantic Versioning](http://semver.org/spec/v2.0.0.
- Updated Open Enclave to [0.19.2](https://github.com/openenclave/openenclave/releases/tag/v0.19.2).
- Updated Open Enclave to [0.19.3](https://github.com/openenclave/openenclave/releases/tag/v0.19.3).
- Expose COSESign1 `content` for `user_cose_sign1` authenticated endpoints in JavaScript/TypeScript apps (#5465).
- SGX builds now use OpenSSL 3.1.1 by default (#5481).
- Add HMAC support to JS API. Call with `ccf.crypto.sign({"name": "HMAC", "hash": "SHA-256"}, key, data)`.

## [4.0.5]
Expand Down
3 changes: 0 additions & 3 deletions CMakeLists.txt
Original file line number Diff line number Diff line change
Expand Up @@ -247,9 +247,6 @@ set(CCF_ENDPOINTS_SOURCES
${CCF_DIR}/src/node/receipt.cpp
)

find_library(CRYPTO_LIBRARY crypto)
find_library(TLS_LIBRARY ssl)

include(${CCF_DIR}/cmake/crypto.cmake)
include(${CCF_DIR}/cmake/quickjs.cmake)
include(${CCF_DIR}/cmake/sss.cmake)
Expand Down
4 changes: 4 additions & 0 deletions cmake/crypto.cmake
Original file line number Diff line number Diff line change
Expand Up @@ -54,10 +54,14 @@ elseif(COMPILE_TARGET STREQUAL "snp")
)
endif()

find_library(CRYPTO_LIBRARY crypto)
find_library(TLS_LIBRARY ssl)

add_library(ccfcrypto.host STATIC ${CCFCRYPTO_SRC})
add_san(ccfcrypto.host)
target_compile_options(ccfcrypto.host PUBLIC ${COMPILE_LIBCXX})
target_link_options(ccfcrypto.host PUBLIC ${LINK_LIBCXX})

target_link_libraries(ccfcrypto.host PUBLIC qcbor.host)
target_link_libraries(ccfcrypto.host PUBLIC t_cose.host)
target_link_libraries(ccfcrypto.host PUBLIC crypto)
Expand Down
11 changes: 8 additions & 3 deletions cmake/open_enclave.cmake
Original file line number Diff line number Diff line change
Expand Up @@ -15,15 +15,20 @@ if(REQUIRE_OPENENCLAVE)
# Find OpenEnclave package
find_package(OpenEnclave 0.19.3 CONFIG REQUIRED)

option(USE_OPENSSL_3 "Use OpenSSL 3.x for Open Enclave builds" ON)
if(USE_OPENSSL_3)
set(OE_OPENSSL_LIBRARY openenclave::oecryptoopenssl_3)
else()
set(OE_OPENSSL_LIBRARY openenclave::oecryptoopenssl)
endif()
# As well as pulling in openenclave:: targets, this sets variables which can
# be used for our edge cases (eg - for virtual libraries). These do not follow
# the standard naming patterns, for example use OE_INCLUDEDIR rather than
# OpenEnclave_INCLUDE_DIRS
if(COMPILE_TARGET STREQUAL "sgx")
set(OE_TARGET_LIBC openenclave::oelibc)
set(OE_TARGET_ENCLAVE_AND_STD
openenclave::oeenclave openenclave::oelibcxx openenclave::oelibc
openenclave::oecryptoopenssl
set(OE_TARGET_ENCLAVE_AND_STD openenclave::oeenclave openenclave::oelibcxx
openenclave::oelibc ${OE_OPENSSL_LIBRARY}
)

# These oe libraries must be linked in specific order
Expand Down
2 changes: 1 addition & 1 deletion cmake/t_cose.cmake
Original file line number Diff line number Diff line change
Expand Up @@ -26,7 +26,7 @@ if(COMPILE_TARGET STREQUAL "sgx")

target_link_libraries(t_cose.enclave PUBLIC qcbor.enclave)
# This is needed to get the OpenSSL includes from Open Enclave
target_link_libraries(t_cose.enclave PRIVATE openenclave::oecryptoopenssl)
target_link_libraries(t_cose.enclave PRIVATE ${OE_OPENSSL_LIBRARY})

install(
TARGETS t_cose.enclave
Expand Down
30 changes: 7 additions & 23 deletions src/clients/tls_client.h
Original file line number Diff line number Diff line change
Expand Up @@ -142,7 +142,12 @@ namespace client
init();
}

virtual ~TlsClient() {}
virtual ~TlsClient()
{
SSL* ssl;
BIO_get_ssl(bio, &ssl);
SSL_shutdown(ssl);
}

auto get_ciphersuite_name()
{
Expand Down Expand Up @@ -207,28 +212,7 @@ namespace client
std::vector<uint8_t> read_all()
{
constexpr auto read_size = 4096;
std::vector<uint8_t> buf(read_size);
auto ret = 0;
do
{
ret = BIO_read(bio, buf.data(), buf.size());
} while (ret < 0 && BIO_should_retry(bio));

if (ret > 0)
{
buf.resize(ret);
}
else if (ret == 0)
{
connected = false;
throw std::logic_error("Underlying transport closed");
}
else
{
throw std::logic_error(error_string(ERR_get_error()));
}

return buf;
return read(read_size);
}

void set_tcp_nodelay(bool on)
Expand Down
1 change: 1 addition & 0 deletions src/crypto/key_wrap.cpp
Original file line number Diff line number Diff line change
Expand Up @@ -9,6 +9,7 @@
#include "openssl/symmetric_key.h"

#include <cstdint>
#include <openssl/rand.h>
#include <stdexcept>
#include <vector>

Expand Down
4 changes: 4 additions & 0 deletions src/crypto/openssl/cose_verifier.cpp
Original file line number Diff line number Diff line change
Expand Up @@ -39,7 +39,11 @@ namespace crypto

EVP_PKEY* pk = X509_get_pubkey(cert);

#if defined(OPENSSL_VERSION_MAJOR) && OPENSSL_VERSION_MAJOR >= 3
if (EVP_PKEY_get_base_id(pk) == EVP_PKEY_EC)
#else
if (EVP_PKEY_get0_EC_KEY(pk))
#endif
{
public_key = std::make_shared<PublicKey_OpenSSL>(pk);
}
Expand Down
47 changes: 39 additions & 8 deletions src/crypto/openssl/key_pair.cpp
Original file line number Diff line number Diff line change
Expand Up @@ -17,10 +17,15 @@
#include <openssl/err.h>
#include <openssl/evp.h>
#include <openssl/pem.h>
#include <openssl/rand.h>
#include <openssl/x509v3.h>
#include <stdexcept>
#include <string>

#if defined(OPENSSL_VERSION_MAJOR) && OPENSSL_VERSION_MAJOR >= 3
# include <openssl/core_names.h>
#endif

namespace crypto
{
using namespace OpenSSL;
Expand Down Expand Up @@ -67,16 +72,36 @@ namespace crypto

KeyPair_OpenSSL::KeyPair_OpenSSL(const JsonWebKeyECPrivate& jwk)
{
auto ec_key = PublicKey_OpenSSL::ec_key_public_from_jwk(jwk);

key = EVP_PKEY_new();
Unique_BIGNUM d;
auto d_raw = raw_from_b64url(jwk.d);
OpenSSL::CHECKNULL(BN_bin2bn(d_raw.data(), d_raw.size(), d));

#if defined(OPENSSL_VERSION_MAJOR) && OPENSSL_VERSION_MAJOR >= 3
auto nid = get_openssl_group_id(jwk_curve_to_curve_id(jwk.crv));
// Note: d_raw is big endian while OSSL_PARAM_construct_BN expects native
// endianness
std::vector<uint8_t> d_raw_native(d_raw.size());
CHECKPOSITIVE(BN_bn2nativepad(d, d_raw_native.data(), d_raw_native.size()));

auto pub_buf = PublicKey_OpenSSL::ec_point_public_from_jwk(jwk);

OSSL_PARAM params[4];
params[0] = OSSL_PARAM_construct_utf8_string(
OSSL_PKEY_PARAM_GROUP_NAME, (char*)OSSL_EC_curve_nid2name(nid), 0);
params[1] = OSSL_PARAM_construct_octet_string(
OSSL_PKEY_PARAM_PUB_KEY, pub_buf.data(), pub_buf.size());
params[2] = OSSL_PARAM_construct_BN(
OSSL_PKEY_PARAM_PRIV_KEY, d_raw_native.data(), d_raw_native.size());
params[3] = OSSL_PARAM_construct_end();

Unique_EVP_PKEY_CTX pctx("EC");
CHECK1(EVP_PKEY_fromdata_init(pctx));
CHECK1(EVP_PKEY_fromdata(pctx, &key, EVP_PKEY_KEYPAIR, params));
#else
auto ec_key = PublicKey_OpenSSL::ec_key_public_from_jwk(jwk);
CHECK1(EC_KEY_set_private_key(ec_key, d));

key = EVP_PKEY_new();
CHECK1(EVP_PKEY_set1_EC_KEY(key, ec_key));
#endif
}

Pem KeyPair_OpenSSL::private_key_pem() const
Expand Down Expand Up @@ -458,10 +483,16 @@ namespace crypto
// As per https://www.openssl.org/docs/man1.0.2/man3/BN_num_bytes.html, size
// should not be calculated with BN_num_bytes(d)!
size_t size = EVP_PKEY_bits(key) / 8;
Unique_EC_KEY eckey(EVP_PKEY_get1_EC_KEY(key));
const BIGNUM* d = EC_KEY_get0_private_key(eckey);

std::vector<uint8_t> bytes(size);
Unique_BIGNUM d;
#if defined(OPENSSL_VERSION_MAJOR) && OPENSSL_VERSION_MAJOR >= 3
BIGNUM* bn_d = NULL;
CHECK1(EVP_PKEY_get_bn_param(key, OSSL_PKEY_PARAM_PRIV_KEY, &bn_d));
d.reset(bn_d);
#else
Unique_EC_KEY eckey(EVP_PKEY_get1_EC_KEY(key));
d = EC_KEY_get0_private_key(eckey);
#endif
auto rc = BN_bn2binpad(d, bytes.data(), size);
if (rc != size)
{
Expand Down
25 changes: 25 additions & 0 deletions src/crypto/openssl/openssl_wrappers.h
Original file line number Diff line number Diff line change
Expand Up @@ -5,20 +5,27 @@
#include "ccf/crypto/pem.h"

#define FMT_HEADER_ONLY

#include <chrono>
#include <ds/x509_time_fmt.h>
#include <fmt/format.h>
#include <memory>
#include <openssl/asn1.h>
#include <openssl/bn.h>
#include <openssl/ec.h>
#include <openssl/engine.h>
#include <openssl/err.h>
#include <openssl/evp.h>
#include <openssl/pem.h>
#include <openssl/rsa.h>
#include <openssl/ssl.h>
#include <openssl/x509.h>
#include <openssl/x509v3.h>

#if defined(OPENSSL_VERSION_MAJOR) && OPENSSL_VERSION_MAJOR >= 3
# include <openssl/evp.h>
#endif

namespace crypto
{
namespace OpenSSL
Expand Down Expand Up @@ -193,6 +200,12 @@ namespace crypto
Unique_SSL_OBJECT(
PEM_read_bio_PUBKEY(mem, NULL, NULL, NULL), EVP_PKEY_free)
{}

#if defined(OPENSSL_VERSION_MAJOR) && OPENSSL_VERSION_MAJOR >= 3
Unique_PKEY(EVP_PKEY* pkey) :
Unique_SSL_OBJECT(EVP_PKEY_dup(pkey), EVP_PKEY_free)
{}
#endif
};

struct Unique_EVP_PKEY_CTX
Expand All @@ -205,6 +218,14 @@ namespace crypto
Unique_SSL_OBJECT(
EVP_PKEY_CTX_new_id(key_type, NULL), EVP_PKEY_CTX_free)
{}

#if defined(OPENSSL_VERSION_MAJOR) && OPENSSL_VERSION_MAJOR >= 3
Unique_EVP_PKEY_CTX(const std::string& name) :
Unique_SSL_OBJECT(
EVP_PKEY_CTX_new_from_name(NULL, name.c_str(), NULL),
EVP_PKEY_CTX_free)
{}
#endif
};

struct Unique_EVP_MD_CTX
Expand Down Expand Up @@ -309,6 +330,8 @@ namespace crypto
struct Unique_BIGNUM : public Unique_SSL_OBJECT<BIGNUM, BN_new, BN_free>
{
using Unique_SSL_OBJECT::Unique_SSL_OBJECT;

Unique_BIGNUM(const BIGNUM* n) : Unique_BIGNUM(BN_dup(n), BN_free) {}
};

struct Unique_X509_TIME
Expand Down Expand Up @@ -357,6 +380,7 @@ namespace crypto
{}
};

#if !(defined(OPENSSL_VERSION_MAJOR) && OPENSSL_VERSION_MAJOR >= 3)
struct Unique_EC_KEY : public Unique_SSL_OBJECT<EC_KEY, nullptr, nullptr>
{
Unique_EC_KEY(int nid) :
Expand All @@ -372,6 +396,7 @@ namespace crypto
{
using Unique_SSL_OBJECT::Unique_SSL_OBJECT;
};
#endif

struct Unique_EVP_ENCODE_CTX : public Unique_SSL_OBJECT<
EVP_ENCODE_CTX,
Expand Down
Loading