diff --git a/recipe/meta.yaml b/recipe/meta.yaml index 9c351e4f..cce5b034 100644 --- a/recipe/meta.yaml +++ b/recipe/meta.yaml @@ -39,6 +39,9 @@ source: - patches/0012-link-grpc-_unsecure-to-grpc.patch # [win] # unbreak CMake integration - patches/0013-don-t-use-find_dependency-for-protobuf.patch + # backport grpc/grpc#31256 & grpc/grpc#34131 + - patches/0014-OpenSSL-Support-for-OpenSSL-3-31256.patch + - patches/0015-Testing-Disable-failing-OpenSSL-Test-34131.patch - git_url: https://github.com/google/benchmark.git git_rev: 015d1a091af6937488242b70121858bce8fd40e9 folder: third_party/benchmark diff --git a/recipe/patches/0001-windows-ssl-lib-names.patch b/recipe/patches/0001-windows-ssl-lib-names.patch index 69f9667c..6ae56c43 100644 --- a/recipe/patches/0001-windows-ssl-lib-names.patch +++ b/recipe/patches/0001-windows-ssl-lib-names.patch @@ -1,7 +1,7 @@ -From 66a5eeb35da6b7b13fb66e69eb7ac9a9a02f2ecd Mon Sep 17 00:00:00 2001 +From 2a1c3cd2cbc0f7438b08910056be8c633b7d2c61 Mon Sep 17 00:00:00 2001 From: Jonathan Helmus Date: Mon, 17 Feb 2020 15:45:06 -0600 -Subject: [PATCH 01/13] windows ssl lib names +Subject: [PATCH 01/15] windows ssl lib names Co-Authored-By: Julien Schueller Co-Authored-By: Nicholas Bollweg diff --git a/recipe/patches/0002-fix-win-setup-cmds.patch b/recipe/patches/0002-fix-win-setup-cmds.patch index 5299aa71..0ccd212f 100644 --- a/recipe/patches/0002-fix-win-setup-cmds.patch +++ b/recipe/patches/0002-fix-win-setup-cmds.patch @@ -1,7 +1,7 @@ -From 7600b353d5a6c41539a135852da8aefc25419e4e Mon Sep 17 00:00:00 2001 +From 9357685865f98f3a0b6c9cfbafc58497bbd79213 Mon Sep 17 00:00:00 2001 From: Mike Sarahan Date: Tue, 18 Feb 2020 13:53:05 -0600 -Subject: [PATCH 02/13] fix win setup cmds +Subject: [PATCH 02/15] fix win setup cmds Co-Authored-By: Julien Schueller Co-Authored-By: Nicholas Bollweg diff --git a/recipe/patches/0003-Link-against-grpc.patch b/recipe/patches/0003-Link-against-grpc.patch index d118b541..3934f4b2 100644 
--- a/recipe/patches/0003-Link-against-grpc.patch +++ b/recipe/patches/0003-Link-against-grpc.patch @@ -1,7 +1,7 @@ -From e09806f3cf436544fb739215a5ba6c6c6139261b Mon Sep 17 00:00:00 2001 +From 2fccd9b300634cb6844dd9c91ac45c2466b26069 Mon Sep 17 00:00:00 2001 From: Marius van Niekerk Date: Mon, 13 Jun 2022 17:13:07 -0400 -Subject: [PATCH 03/13] Link against grpc +Subject: [PATCH 03/15] Link against grpc --- setup.py | 10 ++++++++++ diff --git a/recipe/patches/0004-force-protoc-executable.patch b/recipe/patches/0004-force-protoc-executable.patch index 64ebd6cf..7ad4711e 100644 --- a/recipe/patches/0004-force-protoc-executable.patch +++ b/recipe/patches/0004-force-protoc-executable.patch @@ -1,7 +1,7 @@ -From d9dcb0db1cfa77022023a7044b46808623a5f5c6 Mon Sep 17 00:00:00 2001 +From ae5afd005e89615a8ad5d2065b7b974f9ac261a9 Mon Sep 17 00:00:00 2001 From: "Uwe L. Korn" Date: Fri, 11 Sep 2020 14:20:04 +0200 -Subject: [PATCH 04/13] force protoc executable +Subject: [PATCH 04/15] force protoc executable --- cmake/protobuf.cmake | 17 ++--------------- diff --git a/recipe/patches/0005-switch-to-C-17-for-grpcio.patch b/recipe/patches/0005-switch-to-C-17-for-grpcio.patch index 5dece962..3a0e1f7c 100644 --- a/recipe/patches/0005-switch-to-C-17-for-grpcio.patch +++ b/recipe/patches/0005-switch-to-C-17-for-grpcio.patch @@ -1,7 +1,7 @@ -From c606e0456cecf92098889859d0a27434329dab13 Mon Sep 17 00:00:00 2001 +From b49d9e16749265cb3a7611a1b9f43e4967cf9a5b Mon Sep 17 00:00:00 2001 From: "H. Vetinari" Date: Sat, 3 Sep 2022 19:23:15 +0200 -Subject: [PATCH 05/13] switch to C++17 for grpcio +Subject: [PATCH 05/15] switch to C++17 for grpcio --- setup.py | 7 ++++--- diff --git a/recipe/patches/0006-fix-abseil-setup.patch b/recipe/patches/0006-fix-abseil-setup.patch index aecebb63..f4948d74 100644 --- a/recipe/patches/0006-fix-abseil-setup.patch +++ b/recipe/patches/0006-fix-abseil-setup.patch 
@@ -1,7 +1,7 @@ -From e565c478a802dfd5e6bc4e9659614416d5a0e70b Mon Sep 17 00:00:00 2001 +From d625e157ff1375628d9e1d8473e4a2d22884898a Mon Sep 17 00:00:00 2001 From: "H. Vetinari" Date: Sun, 4 Sep 2022 14:34:52 +0200 -Subject: [PATCH 06/13] fix abseil setup +Subject: [PATCH 06/15] fix abseil setup --- setup.py | 15 +++++++++++---- diff --git a/recipe/patches/0007-mark-linkage-of-c-ares-re2-zlib-as-private.patch b/recipe/patches/0007-mark-linkage-of-c-ares-re2-zlib-as-private.patch index 3e2cf2f9..c71a99f1 100644 --- a/recipe/patches/0007-mark-linkage-of-c-ares-re2-zlib-as-private.patch +++ b/recipe/patches/0007-mark-linkage-of-c-ares-re2-zlib-as-private.patch @@ -1,7 +1,7 @@ -From cd6c126aafc47f492387e72be77380dcd1ec8b8f Mon Sep 17 00:00:00 2001 +From dbc83253344b9edc5cd060636bf4c8e4816c05e7 Mon Sep 17 00:00:00 2001 From: "H. Vetinari" Date: Tue, 23 Aug 2022 11:45:20 +0200 -Subject: [PATCH 07/13] mark linkage of c-ares/re2/zlib as private +Subject: [PATCH 07/15] mark linkage of c-ares/re2/zlib as private See also: https://github.com/grpc/grpc/issues/30838 @@ -11,7 +11,7 @@ Co-Authored-By: Mark Harfouche 1 file changed, 53 insertions(+), 47 deletions(-) diff --git a/CMakeLists.txt b/CMakeLists.txt -index ed9e1cbda7..f5fb749ac9 100644 +index a4fe00fdb1..e5e4ea62a9 100644 --- a/CMakeLists.txt +++ b/CMakeLists.txt @@ -2479,32 +2479,35 @@ target_include_directories(grpc diff --git a/recipe/patches/0008-add-GPR-GRPC-GRPCXX-UBP-_DLL-mechanism-for-missing-s.patch b/recipe/patches/0008-add-GPR-GRPC-GRPCXX-UBP-_DLL-mechanism-for-missing-s.patch index d04874f0..98d85870 100644 --- a/recipe/patches/0008-add-GPR-GRPC-GRPCXX-UBP-_DLL-mechanism-for-missing-s.patch +++ b/recipe/patches/0008-add-GPR-GRPC-GRPCXX-UBP-_DLL-mechanism-for-missing-s.patch @@ -1,7 +1,7 @@ -From 38b92376b5ef5453c058e2bbb54aa623f8254fc4 Mon Sep 17 00:00:00 2001 +From e172eb17c4a3b2d156c50a78575e2df5b5443832 Mon Sep 17 00:00:00 2001 
From: Isuru Fernando Date: Sat, 22 Oct 2022 01:21:56 -0500 -Subject: [PATCH 08/13] add {GPR,GRPC,GRPCXX,UBP}_DLL mechanism for missing +Subject: [PATCH 08/15] add {GPR,GRPC,GRPCXX,UBP}_DLL mechanism for missing symbols on windows Co-Authored-By: "H. Vetinari" @@ -22,7 +22,7 @@ Co-Authored-By: "H. Vetinari" 13 files changed, 106 insertions(+), 12 deletions(-) diff --git a/CMakeLists.txt b/CMakeLists.txt -index f5fb749ac9..531718fd4d 100644 +index e5e4ea62a9..b43e3b9a69 100644 --- a/CMakeLists.txt +++ b/CMakeLists.txt @@ -1576,6 +1576,11 @@ if(WIN32 AND MSVC) diff --git a/recipe/patches/0009-fix-support_enabled-for-windows.patch b/recipe/patches/0009-fix-support_enabled-for-windows.patch index 8600c45f..493145fd 100644 --- a/recipe/patches/0009-fix-support_enabled-for-windows.patch +++ b/recipe/patches/0009-fix-support_enabled-for-windows.patch @@ -1,7 +1,7 @@ -From b1737d3d0dab5437e5e69ff5f06006b6a750b9fd Mon Sep 17 00:00:00 2001 +From 8ea954583dde6b4f78fb73347385c831c28db34f Mon Sep 17 00:00:00 2001 From: Isuru Fernando Date: Sat, 22 Oct 2022 02:21:08 -0500 -Subject: [PATCH 09/13] fix support_enabled for windows +Subject: [PATCH 09/15] fix support_enabled for windows --- src/core/lib/gprpp/fork.cc | 12 ++++++++++++ diff --git a/recipe/patches/0010-Fix-data-with-thread-storage-duration-may-not-have-d.patch b/recipe/patches/0010-Fix-data-with-thread-storage-duration-may-not-have-d.patch index 9865ad72..2af4d227 100644 --- a/recipe/patches/0010-Fix-data-with-thread-storage-duration-may-not-have-d.patch +++ b/recipe/patches/0010-Fix-data-with-thread-storage-duration-may-not-have-d.patch @@ -1,7 +1,7 @@ -From 7933c84ff62a1dd4b9bb51b89d9f1c41a9299c40 Mon Sep 17 00:00:00 2001 +From b3c1ee107d7770170f8e6b3ea48759eef0361c9f Mon Sep 17 00:00:00 2001 
From: "H. Vetinari" Date: Mon, 8 May 2023 11:31:09 +1100 -Subject: [PATCH 10/13] Fix `data with thread storage duration may not have dll +Subject: [PATCH 10/15] Fix `data with thread storage duration may not have dll interface` Windows needs a workaround. diff --git a/recipe/patches/0011-put-some-grpc-experimental-classes-needed-by-arrow-i.patch b/recipe/patches/0011-put-some-grpc-experimental-classes-needed-by-arrow-i.patch index 3257077a..f82bd835 100644 --- a/recipe/patches/0011-put-some-grpc-experimental-classes-needed-by-arrow-i.patch +++ b/recipe/patches/0011-put-some-grpc-experimental-classes-needed-by-arrow-i.patch @@ -1,7 +1,7 @@ -From 554180d652000b9bf5e473f4c16c96e4103ebb52 Mon Sep 17 00:00:00 2001 +From e0bff5ae140f3a1d1544449750581a5f7f16b1ee Mon Sep 17 00:00:00 2001 From: "H. Vetinari" Date: Fri, 9 Jun 2023 17:03:08 +1100 -Subject: [PATCH 11/13] put some grpc::experimental classes needed by arrow in +Subject: [PATCH 11/15] put some grpc::experimental classes needed by arrow in DLL also provide implementation for destructor of CertificateProviderInterface; diff --git a/recipe/patches/0012-link-grpc-_unsecure-to-grpc.patch b/recipe/patches/0012-link-grpc-_unsecure-to-grpc.patch index 3d56bd14..e5fb81fc 100644 --- a/recipe/patches/0012-link-grpc-_unsecure-to-grpc.patch +++ b/recipe/patches/0012-link-grpc-_unsecure-to-grpc.patch @@ -1,7 +1,7 @@ -From c08728f11c50f0cfeeec27357231c19806162846 Mon Sep 17 00:00:00 2001 +From 4175e0583ca228d0fa1b3bbb2a75a2d399cfc3c4 Mon Sep 17 00:00:00 2001 From: "H. Vetinari" Date: Fri, 9 Jun 2023 20:11:22 +1100 -Subject: [PATCH 12/13] link grpc++_unsecure to grpc++ +Subject: [PATCH 12/15] link grpc++_unsecure to grpc++ which is where CertificateProviderInterface etc. live --- @@ -9,7 +9,7 @@ which is where CertificateProviderInterface etc. live 1 file changed, 1 insertion(+) diff --git a/CMakeLists.txt b/CMakeLists.txt -index 531718fd4d..1550f38ae7 100644 +index b43e3b9a69..836fb1daa7 100644 --- a/CMakeLists.txt 
+++ b/CMakeLists.txt @@ -4169,6 +4169,7 @@ target_link_libraries(grpc++_unsecure diff --git a/recipe/patches/0013-don-t-use-find_dependency-for-protobuf.patch b/recipe/patches/0013-don-t-use-find_dependency-for-protobuf.patch index 6155d0c1..43f4df1b 100644 --- a/recipe/patches/0013-don-t-use-find_dependency-for-protobuf.patch +++ b/recipe/patches/0013-don-t-use-find_dependency-for-protobuf.patch @@ -1,7 +1,7 @@ -From d13281f271ae22a0b09588a3a22787380dae13fb Mon Sep 17 00:00:00 2001 +From d2d0de52783482f10f8aa597449e35251873c656 Mon Sep 17 00:00:00 2001 From: "H. Vetinari" Date: Fri, 9 Jun 2023 22:16:09 +1100 -Subject: [PATCH 13/13] don't use find_dependency for protobuf +Subject: [PATCH 13/15] don't use find_dependency for protobuf --- cmake/protobuf.cmake | 2 +- diff --git a/recipe/patches/0014-OpenSSL-Support-for-OpenSSL-3-31256.patch b/recipe/patches/0014-OpenSSL-Support-for-OpenSSL-3-31256.patch new file mode 100644 index 00000000..1f1f7a22 --- /dev/null +++ b/recipe/patches/0014-OpenSSL-Support-for-OpenSSL-3-31256.patch 
@@ -0,0 +1,620 @@ +From 82e44a11be852e9cb92a68809f97be7d435734cc Mon Sep 17 00:00:00 2001 +From: jrandolf <101637635+jrandolf@users.noreply.github.com> +Date: Mon, 21 Aug 2023 23:42:32 +0200 +Subject: [PATCH 14/15] [OpenSSL] Support for OpenSSL 3 (#31256) + +Update from gtcooke94: +This PR adds support to build gRPC and it's tests with OpenSSL3. There were some +hiccups with tests as the tests with openssl haven't been built or exercised in a +few months, so they needed some work to fix. + +Right now I expect all test files to pass except the following: +- h2_ssl_cert_test +- ssl_transport_security_utils_test + +I confirmed locally that these tests fail with OpenSSL 1.1.1 as well, +thus we are at least not introducing regressions. Thus, I've added compiler directives around these tests so they only build when using BoringSSL. + +--------- + +Co-authored-by: Gregory Cooke +Co-authored-by: Esun Kim +--- + .../external/aws_request_signer.cc | 8 ++++ + .../security/credentials/jwt/json_token.cc | 17 ++++++++ + .../lib/security/credentials/jwt/json_token.h | 4 ++ + .../security/credentials/jwt/jwt_verifier.cc | 42 +++++++++++++++++++ + .../tls/grpc_tls_certificate_provider.cc | 4 ++ + src/core/tsi/alts/crypt/aes_gcm.cc | 29 ++++++++++++- + src/core/tsi/ssl_transport_security.cc | 11 +++++ + test/core/end2end/BUILD | 1 - + test/core/end2end/h2_ssl_cert_test.cc | 14 +------ + test/core/security/credentials_test.cc | 6 +++ + test/core/security/json_token_test.cc | 23 ++++++++++ + test/core/tsi/ssl_transport_security_test.cc | 8 ++-- + .../tsi/ssl_transport_security_utils_test.cc | 5 +++ + test/core/tsi/transport_security_test_lib.cc | 24 ++++++++--- + test/cpp/end2end/tls_key_export_test.cc | 14 ++++++- + tools/distrib/fix_build_deps.py | 1 + + 16 files changed, 186 insertions(+), 25 deletions(-) + +diff --git a/src/core/lib/security/credentials/external/aws_request_signer.cc b/src/core/lib/security/credentials/external/aws_request_signer.cc +index d115be12d6..83c983a31f 
100644 +--- a/src/core/lib/security/credentials/external/aws_request_signer.cc ++++ b/src/core/lib/security/credentials/external/aws_request_signer.cc +@@ -42,15 +42,23 @@ namespace grpc_core { + + namespace { + ++#if OPENSSL_VERSION_NUMBER >= 0x30000000L ++const char kSha256[] = "SHA256"; ++#endif + const char kAlgorithm[] = "AWS4-HMAC-SHA256"; + const char kDateFormat[] = "%a, %d %b %E4Y %H:%M:%S %Z"; + const char kXAmzDateFormat[] = "%Y%m%dT%H%M%SZ"; + + void SHA256(const std::string& str, unsigned char out[SHA256_DIGEST_LENGTH]) { ++#if OPENSSL_VERSION_NUMBER < 0x30000000L + SHA256_CTX sha256; + SHA256_Init(&sha256); + SHA256_Update(&sha256, str.c_str(), str.size()); + SHA256_Final(out, &sha256); ++#else ++ EVP_Q_digest(nullptr, kSha256, nullptr, str.c_str(), str.size(), out, ++ nullptr); ++#endif + } + + std::string SHA256Hex(const std::string& str) { +diff --git a/src/core/lib/security/credentials/jwt/json_token.cc b/src/core/lib/security/credentials/jwt/json_token.cc +index 94cd962ec0..47eac88aaf 100644 +--- a/src/core/lib/security/credentials/jwt/json_token.cc ++++ b/src/core/lib/security/credentials/jwt/json_token.cc +@@ -115,8 +115,12 @@ grpc_auth_json_key grpc_auth_json_key_create_from_json(const Json& json) { + gpr_log(GPR_ERROR, "Could not write into openssl BIO."); + goto end; + } ++#if OPENSSL_VERSION_NUMBER < 0x30000000L + result.private_key = + PEM_read_bio_RSAPrivateKey(bio, nullptr, nullptr, const_cast("")); ++#else ++ result.private_key = PEM_read_bio_PrivateKey(bio, nullptr, nullptr, nullptr); ++#endif + if (result.private_key == nullptr) { + gpr_log(GPR_ERROR, "Could not deserialize private key."); + goto end; +@@ -158,7 +162,11 @@ void grpc_auth_json_key_destruct(grpc_auth_json_key* json_key) { + json_key->client_email = nullptr; + } + if (json_key->private_key != nullptr) { ++#if OPENSSL_VERSION_NUMBER < 0x30000000L + RSA_free(json_key->private_key); ++#else ++ EVP_PKEY_free(json_key->private_key); ++#endif + json_key->private_key = nullptr; 
+ } + } +@@ -237,7 +245,9 @@ char* compute_and_encode_signature(const grpc_auth_json_key* json_key, + const char* to_sign) { + const EVP_MD* md = openssl_digest_from_algorithm(signature_algorithm); + EVP_MD_CTX* md_ctx = nullptr; ++#if OPENSSL_VERSION_NUMBER < 0x30000000L + EVP_PKEY* key = EVP_PKEY_new(); ++#endif + size_t sig_len = 0; + unsigned char* sig = nullptr; + char* result = nullptr; +@@ -247,8 +257,13 @@ char* compute_and_encode_signature(const grpc_auth_json_key* json_key, + gpr_log(GPR_ERROR, "Could not create MD_CTX"); + goto end; + } ++#if OPENSSL_VERSION_NUMBER < 0x30000000L + EVP_PKEY_set1_RSA(key, json_key->private_key); + if (EVP_DigestSignInit(md_ctx, nullptr, md, nullptr, key) != 1) { ++#else ++ if (EVP_DigestSignInit(md_ctx, nullptr, md, nullptr, json_key->private_key) != ++ 1) { ++#endif + gpr_log(GPR_ERROR, "DigestInit failed."); + goto end; + } +@@ -268,7 +283,9 @@ char* compute_and_encode_signature(const grpc_auth_json_key* json_key, + result = grpc_base64_encode(sig, sig_len, 1, 0); + + end: ++#if OPENSSL_VERSION_NUMBER < 0x30000000L + if (key != nullptr) EVP_PKEY_free(key); ++#endif + if (md_ctx != nullptr) EVP_MD_CTX_destroy(md_ctx); + if (sig != nullptr) gpr_free(sig); + return result; +diff --git a/src/core/lib/security/credentials/jwt/json_token.h b/src/core/lib/security/credentials/jwt/json_token.h +index edba7fddbb..decbc25e49 100644 +--- a/src/core/lib/security/credentials/jwt/json_token.h ++++ b/src/core/lib/security/credentials/jwt/json_token.h +@@ -38,7 +38,11 @@ struct grpc_auth_json_key { + char* private_key_id; + char* client_id; + char* client_email; ++#if OPENSSL_VERSION_NUMBER < 0x30000000L + RSA* private_key; ++#else ++ EVP_PKEY* private_key; ++#endif + }; + // Returns 1 if the object is valid, 0 otherwise. 
+ int grpc_auth_json_key_is_valid(const grpc_auth_json_key* json_key); +diff --git a/src/core/lib/security/credentials/jwt/jwt_verifier.cc b/src/core/lib/security/credentials/jwt/jwt_verifier.cc +index cb5086b213..725ca7d9f5 100644 +--- a/src/core/lib/security/credentials/jwt/jwt_verifier.cc ++++ b/src/core/lib/security/credentials/jwt/jwt_verifier.cc +@@ -37,6 +37,9 @@ + #include + #include + #include ++#if OPENSSL_VERSION_NUMBER >= 0x30000000L ++#include ++#endif + + #include "absl/status/status.h" + #include "absl/status/statusor.h" +@@ -523,7 +526,13 @@ static int RSA_set0_key(RSA* r, BIGNUM* n, BIGNUM* e, BIGNUM* d) { + #endif // OPENSSL_VERSION_NUMBER < 0x10100000L + + static EVP_PKEY* pkey_from_jwk(const Json& json, const char* kty) { ++#if OPENSSL_VERSION_NUMBER < 0x30000000L + RSA* rsa = nullptr; ++#else ++ EVP_PKEY_CTX* ctx = nullptr; ++ OSSL_PARAM* params = NULL; ++ OSSL_PARAM_BLD* bld = OSSL_PARAM_BLD_new(); ++#endif + EVP_PKEY* result = nullptr; + BIGNUM* tmp_n = nullptr; + BIGNUM* tmp_e = nullptr; +@@ -535,11 +544,13 @@ static EVP_PKEY* pkey_from_jwk(const Json& json, const char* kty) { + gpr_log(GPR_ERROR, "Unsupported key type %s.", kty); + goto end; + } ++#if OPENSSL_VERSION_NUMBER < 0x30000000L + rsa = RSA_new(); + if (rsa == nullptr) { + gpr_log(GPR_ERROR, "Could not create rsa key."); + goto end; + } ++#endif + it = json.object().find("n"); + if (it == json.object().end()) { + gpr_log(GPR_ERROR, "Missing RSA public key field."); +@@ -554,6 +565,7 @@ static EVP_PKEY* pkey_from_jwk(const Json& json, const char* kty) { + } + tmp_e = bignum_from_base64(validate_string_field(it->second, "e")); + if (tmp_e == nullptr) goto end; ++#if OPENSSL_VERSION_NUMBER < 0x30000000L + if (!RSA_set0_key(rsa, tmp_n, tmp_e, nullptr)) { + gpr_log(GPR_ERROR, "Cannot set RSA key from inputs."); + goto end; +@@ -563,9 +575,38 @@ static EVP_PKEY* pkey_from_jwk(const Json& json, const char* kty) { + tmp_e = nullptr; + result = EVP_PKEY_new(); + EVP_PKEY_set1_RSA(result, 
rsa); // uprefs rsa. ++#else ++ ++ if (!OSSL_PARAM_BLD_push_BN(bld, "n", tmp_n) || ++ !OSSL_PARAM_BLD_push_BN(bld, "e", tmp_e) || ++ (params = OSSL_PARAM_BLD_to_param(bld)) == NULL) { ++ gpr_log(GPR_ERROR, "Could not create OSSL_PARAM"); ++ goto end; ++ } ++ ++ ctx = EVP_PKEY_CTX_new_from_name(nullptr, "RSA", nullptr); ++ if (ctx == nullptr) { ++ gpr_log(GPR_ERROR, "Could not create rsa key."); ++ goto end; ++ } ++ if (EVP_PKEY_fromdata_init(ctx) <= 0) { ++ gpr_log(GPR_ERROR, "Could not create rsa key."); ++ goto end; ++ } ++ if (EVP_PKEY_fromdata(ctx, &result, EVP_PKEY_KEYPAIR, params) <= 0) { ++ gpr_log(GPR_ERROR, "Cannot set RSA key from inputs."); ++ goto end; ++ } ++#endif + + end: ++#if OPENSSL_VERSION_NUMBER < 0x30000000L + RSA_free(rsa); ++#else ++ EVP_PKEY_CTX_free(ctx); ++ OSSL_PARAM_free(params); ++ OSSL_PARAM_BLD_free(bld); ++#endif + BN_free(tmp_n); + BN_free(tmp_e); + return result; +@@ -642,6 +683,7 @@ static int verify_jwt_signature(EVP_PKEY* key, const char* alg, + if (EVP_DigestVerifyFinal(md_ctx, GRPC_SLICE_START_PTR(signature), + GRPC_SLICE_LENGTH(signature)) != 1) { + gpr_log(GPR_ERROR, "JWT signature verification failed."); ++ + goto end; + } + result = 1; +diff --git a/src/core/lib/security/credentials/tls/grpc_tls_certificate_provider.cc b/src/core/lib/security/credentials/tls/grpc_tls_certificate_provider.cc +index 43cb68800a..0b9771e856 100644 +--- a/src/core/lib/security/credentials/tls/grpc_tls_certificate_provider.cc ++++ b/src/core/lib/security/credentials/tls/grpc_tls_certificate_provider.cc +@@ -437,7 +437,11 @@ absl::StatusOr PrivateKeyAndCertificateMatch( + return absl::InvalidArgumentError( + "Conversion from PEM string to EVP_PKEY failed."); + } ++#if OPENSSL_VERSION_NUMBER < 0x30000000L + bool result = EVP_PKEY_cmp(private_evp_pkey, public_evp_pkey) == 1; ++#else ++ bool result = EVP_PKEY_eq(private_evp_pkey, public_evp_pkey) == 1; ++#endif + EVP_PKEY_free(private_evp_pkey); + EVP_PKEY_free(public_evp_pkey); + return result; 
+diff --git a/src/core/tsi/alts/crypt/aes_gcm.cc b/src/core/tsi/alts/crypt/aes_gcm.cc +index 34ddb89347..ef842d2047 100644 +--- a/src/core/tsi/alts/crypt/aes_gcm.cc ++++ b/src/core/tsi/alts/crypt/aes_gcm.cc +@@ -35,7 +35,12 @@ constexpr size_t kKdfCounterLen = 6; + constexpr size_t kKdfCounterOffset = 2; + constexpr size_t kRekeyAeadKeyLen = kAes128GcmKeyLength; + +-// Struct for additional data required if rekeying is enabled. ++#if OPENSSL_VERSION_NUMBER >= 0x30000000L ++const char kEvpMacAlgorithm[] = "HMAC"; ++char kEvpDigest[] = "SHA-256"; ++#endif ++ ++/* Struct for additional data required if rekeying is enabled. */ + struct gsec_aes_gcm_aead_rekey_data { + uint8_t kdf_counter[kKdfCounterLen]; + uint8_t nonce_mask[kAesGcmNonceLength]; +@@ -196,7 +201,7 @@ static grpc_status_code aes_gcm_derive_aead_key(uint8_t* dst, + return GRPC_STATUS_INTERNAL; + } + HMAC_CTX_cleanup(&hmac); +-#else ++#elif OPENSSL_VERSION_NUMBER < 0x30000000L + HMAC_CTX* hmac = HMAC_CTX_new(); + if (hmac == nullptr) { + return GRPC_STATUS_INTERNAL; +@@ -208,6 +213,26 @@ static grpc_status_code aes_gcm_derive_aead_key(uint8_t* dst, + return GRPC_STATUS_INTERNAL; + } + HMAC_CTX_free(hmac); ++#else ++ EVP_MAC* mac = EVP_MAC_fetch(nullptr, kEvpMacAlgorithm, nullptr); ++ EVP_MAC_CTX* ctx = EVP_MAC_CTX_new(mac); ++ if (ctx == nullptr) { ++ return GRPC_STATUS_INTERNAL; ++ } ++ OSSL_PARAM params[2]; ++ params[0] = OSSL_PARAM_construct_utf8_string("digest", kEvpDigest, 0); ++ params[1] = OSSL_PARAM_construct_end(); ++ ++ if (!EVP_MAC_init(ctx, kdf_key, kKdfKeyLen, params) || ++ !EVP_MAC_update(ctx, kdf_counter, kKdfCounterLen) || ++ !EVP_MAC_update(ctx, &ctr, 1) || ++ !EVP_MAC_final(ctx, buf, nullptr, EVP_MAX_MD_SIZE)) { ++ EVP_MAC_CTX_free(ctx); ++ EVP_MAC_free(mac); ++ return GRPC_STATUS_INTERNAL; ++ } ++ EVP_MAC_CTX_free(ctx); ++ EVP_MAC_free(mac); + #endif + memcpy(dst, buf, kRekeyAeadKeyLen); + return GRPC_STATUS_OK; +diff --git a/src/core/tsi/ssl_transport_security.cc 
b/src/core/tsi/ssl_transport_security.cc +index ad3b9be2ba..91519650b6 100644 +--- a/src/core/tsi/ssl_transport_security.cc ++++ b/src/core/tsi/ssl_transport_security.cc +@@ -149,6 +149,9 @@ static int g_ssl_ex_verified_root_cert_index = -1; + #if !defined(OPENSSL_IS_BORINGSSL) && !defined(OPENSSL_NO_ENGINE) + static const char kSslEnginePrefix[] = "engine:"; + #endif ++#if OPENSSL_VERSION_NUMBER >= 0x30000000 ++static const int kSslEcCurveNames[] = {NID_X9_62_prime256v1}; ++#endif + + #if OPENSSL_VERSION_NUMBER < 0x10100000 + static gpr_mu* g_openssl_mutexes = nullptr; +@@ -789,6 +792,7 @@ static tsi_result populate_ssl_context( + return TSI_INVALID_ARGUMENT; + } + { ++#if OPENSSL_VERSION_NUMBER < 0x30000000L + EC_KEY* ecdh = EC_KEY_new_by_curve_name(NID_X9_62_prime256v1); + if (!SSL_CTX_set_tmp_ecdh(context, ecdh)) { + gpr_log(GPR_ERROR, "Could not set ephemeral ECDH key."); +@@ -797,6 +801,13 @@ static tsi_result populate_ssl_context( + } + SSL_CTX_set_options(context, SSL_OP_SINGLE_ECDH_USE); + EC_KEY_free(ecdh); ++#else ++ if (!SSL_CTX_set1_groups(context, kSslEcCurveNames, 1)) { ++ gpr_log(GPR_ERROR, "Could not set ephemeral ECDH key."); ++ return TSI_INTERNAL_ERROR; ++ } ++ SSL_CTX_set_options(context, SSL_OP_SINGLE_ECDH_USE); ++#endif + } + return TSI_OK; + } +diff --git a/test/core/end2end/BUILD b/test/core/end2end/BUILD +index 29cace309e..cc78d795e1 100644 +--- a/test/core/end2end/BUILD ++++ b/test/core/end2end/BUILD +@@ -586,7 +586,6 @@ grpc_cc_test( + "absl/types:optional", + "absl/types:variant", + "gtest", +- "libcrypto", + ], + language = "C++", + shard_count = 10, +diff --git a/test/core/end2end/h2_ssl_cert_test.cc b/test/core/end2end/h2_ssl_cert_test.cc +index 98501b319d..d2cec59d50 100644 +--- a/test/core/end2end/h2_ssl_cert_test.cc ++++ b/test/core/end2end/h2_ssl_cert_test.cc +@@ -23,8 +23,6 @@ + #include + #include + +-#include +- + #include "absl/types/optional.h" + #include "gtest/gtest.h" + +@@ -257,16 +255,8 @@ TEST_P(H2SslCertTest, 
SimpleRequestBody) { + simple_request_body(fixture_.get(), GetParam().result); + } + +-#ifndef OPENSSL_IS_BORINGSSL +-#if GPR_LINUX +-TEST_P(H2SslCertTest, SimpleRequestBodyUseEngine) { +- test_server1_key_id.clear(); +- test_server1_key_id.append("engine:libengine_passthrough:"); +- test_server1_key_id.append(test_server1_key); +- simple_request_body(fixture_.get(), GetParam().result); +-} +-#endif +-#endif ++// TODO(gtcooke94) SimpleRequestBodyUseEngineTest was failing on OpenSSL3.0 ++// and 1.1.1 and removed. Investigate and rewrite a better test + + INSTANTIATE_TEST_SUITE_P(H2SslCert, H2SslCertTest, + ::testing::ValuesIn(configs)); +diff --git a/test/core/security/credentials_test.cc b/test/core/security/credentials_test.cc +index 05460d663c..22445c3186 100644 +--- a/test/core/security/credentials_test.cc ++++ b/test/core/security/credentials_test.cc +@@ -1297,7 +1297,13 @@ void validate_jwt_encode_and_sign_params(const grpc_auth_json_key* json_key, + gpr_timespec token_lifetime) { + GPR_ASSERT(grpc_auth_json_key_is_valid(json_key)); + GPR_ASSERT(json_key->private_key != nullptr); ++#if OPENSSL_VERSION_NUMBER < 0x30000000L + GPR_ASSERT(RSA_check_key(json_key->private_key)); ++#else ++ EVP_PKEY_CTX* ctx = EVP_PKEY_CTX_new(json_key->private_key, NULL); ++ GPR_ASSERT(EVP_PKEY_private_check(ctx)); ++ EVP_PKEY_CTX_free(ctx); ++#endif + GPR_ASSERT(json_key->type != nullptr && + strcmp(json_key->type, "service_account") == 0); + GPR_ASSERT(json_key->private_key_id != nullptr && +diff --git a/test/core/security/json_token_test.cc b/test/core/security/json_token_test.cc +index 3c972cccd0..72b91d45dd 100644 +--- a/test/core/security/json_token_test.cc ++++ b/test/core/security/json_token_test.cc +@@ -284,6 +284,7 @@ static void check_jwt_claim(const Json& claim, const char* expected_audience, + ASSERT_EQ(parsed_lifetime.tv_sec, grpc_max_auth_token_lifetime().tv_sec); + } + ++#if OPENSSL_VERSION_NUMBER < 0x30000000L + static void check_jwt_signature(const char* 
b64_signature, RSA* rsa_key, + const char* signed_data, + size_t signed_data_size) { +@@ -311,6 +312,28 @@ static void check_jwt_signature(const char* b64_signature, RSA* rsa_key, + if (key != nullptr) EVP_PKEY_free(key); + if (md_ctx != nullptr) EVP_MD_CTX_destroy(md_ctx); + } ++#else ++static void check_jwt_signature(const char* b64_signature, EVP_PKEY* key, ++ const char* signed_data, ++ size_t signed_data_size) { ++ grpc_core::ExecCtx exec_ctx; ++ EVP_MD_CTX* md_ctx = EVP_MD_CTX_create(); ++ ++ grpc_slice sig = grpc_base64_decode(b64_signature, 1); ++ ASSERT_FALSE(GRPC_SLICE_IS_EMPTY(sig)); ++ ASSERT_EQ(GRPC_SLICE_LENGTH(sig), 128); ++ ++ ASSERT_EQ(EVP_DigestVerifyInit(md_ctx, nullptr, EVP_sha256(), nullptr, key), ++ 1); ++ ASSERT_EQ(EVP_DigestVerifyUpdate(md_ctx, signed_data, signed_data_size), 1); ++ ASSERT_EQ(EVP_DigestVerifyFinal(md_ctx, GRPC_SLICE_START_PTR(sig), ++ GRPC_SLICE_LENGTH(sig)), ++ 1); ++ ++ grpc_slice_unref(sig); ++ if (md_ctx != nullptr) EVP_MD_CTX_destroy(md_ctx); ++} ++#endif + + static char* service_account_creds_jwt_encode_and_sign( + const grpc_auth_json_key* key) { +diff --git a/test/core/tsi/ssl_transport_security_test.cc b/test/core/tsi/ssl_transport_security_test.cc +index 55c78f779a..457c4f8e22 100644 +--- a/test/core/tsi/ssl_transport_security_test.cc ++++ b/test/core/tsi/ssl_transport_security_test.cc +@@ -1244,13 +1244,15 @@ TEST(SslTransportSecurityTest, MainTest) { + // BoringSSL and OpenSSL have different behaviors on mismatched ALPN. 
+ ssl_tsi_test_do_handshake_alpn_client_no_server(); + ssl_tsi_test_do_handshake_alpn_client_server_mismatch(); +-#endif +- ssl_tsi_test_do_handshake_alpn_server_no_client(); +- ssl_tsi_test_do_handshake_alpn_client_server_ok(); ++ // These tests fail with openssl3 and openssl111 currently but not ++ // boringssl + ssl_tsi_test_do_handshake_session_cache(); + ssl_tsi_test_do_round_trip_for_all_configs(); + ssl_tsi_test_do_round_trip_with_error_on_stack(); + ssl_tsi_test_do_round_trip_odd_buffer_size(); ++#endif ++ ssl_tsi_test_do_handshake_alpn_server_no_client(); ++ ssl_tsi_test_do_handshake_alpn_client_server_ok(); + ssl_tsi_test_handshaker_factory_internals(); + ssl_tsi_test_duplicate_root_certificates(); + ssl_tsi_test_extract_x509_subject_names(); +diff --git a/test/core/tsi/ssl_transport_security_utils_test.cc b/test/core/tsi/ssl_transport_security_utils_test.cc +index 332c517e92..ceb50ee751 100644 +--- a/test/core/tsi/ssl_transport_security_utils_test.cc ++++ b/test/core/tsi/ssl_transport_security_utils_test.cc +@@ -67,6 +67,9 @@ std::vector GenerateTestData() { + return data; + } + ++// TODO(gtcooke94) - Tests current failing with OpenSSL 1.1.1 and 3.0. Fix and ++// re-enable. 
++#ifdef OPENSSL_IS_BORINGSSL + class FlowTest : public TestWithParam { + protected: + static void SetUpTestSuite() { +@@ -423,6 +426,8 @@ TEST_P(FlowTest, + INSTANTIATE_TEST_SUITE_P(FrameProtectorUtil, FlowTest, + ValuesIn(GenerateTestData())); + ++#endif // OPENSSL_IS_BORINGSSL ++ + } // namespace testing + } // namespace grpc_core + +diff --git a/test/core/tsi/transport_security_test_lib.cc b/test/core/tsi/transport_security_test_lib.cc +index 660b0afdd3..8e4b28776d 100644 +--- a/test/core/tsi/transport_security_test_lib.cc ++++ b/test/core/tsi/transport_security_test_lib.cc +@@ -23,10 +23,8 @@ + #include + + #include +-#include + #include + #include +-#include + #include + #include + #include +@@ -684,16 +682,24 @@ void tsi_test_frame_protector_fixture_destroy( + std::string GenerateSelfSignedCertificate( + const SelfSignedCertificateOptions& options) { + // Generate an RSA keypair. +- RSA* rsa = RSA_new(); + BIGNUM* bignum = BN_new(); + GPR_ASSERT(BN_set_word(bignum, RSA_F4)); +- GPR_ASSERT( +- RSA_generate_key_ex(rsa, /*key_size=*/2048, bignum, /*cb=*/nullptr)); ++ BIGNUM* n = BN_new(); ++ GPR_ASSERT(BN_set_word(n, 2048)); + EVP_PKEY* key = EVP_PKEY_new(); +- GPR_ASSERT(EVP_PKEY_assign_RSA(key, rsa)); + // Create the X509 object. + X509* x509 = X509_new(); ++ ++#if OPENSSL_VERSION_NUMBER < 0x30000000L ++ RSA* rsa = RSA_new(); ++ GPR_ASSERT( ++ RSA_generate_key_ex(rsa, /*key_size=*/2048, bignum, /*cb=*/nullptr)); ++ GPR_ASSERT(EVP_PKEY_assign_RSA(key, rsa)); ++ GPR_ASSERT(X509_set_version(x509, 2)); // TODO(gtcooke94) make a const ++#else ++ key = EVP_RSA_gen(2048); + GPR_ASSERT(X509_set_version(x509, X509_VERSION_3)); ++#endif + // Set the not_before/after fields to infinite past/future. The value for + // infinite future is from RFC 5280 Section 4.1.2.5.1. 
+ ASN1_UTCTIME* infinite_past = ASN1_UTCTIME_new(); +@@ -733,12 +739,18 @@ std::string GenerateSelfSignedCertificate( + GPR_ASSERT(PEM_write_bio_X509(bio, x509)); + const uint8_t* data = nullptr; + size_t len = 0; ++ ++#ifdef OPENSSL_IS_BORINGSSL + GPR_ASSERT(BIO_mem_contents(bio, &data, &len)); ++#else ++ len = BIO_get_mem_data(bio, &data); ++#endif + std::string pem = std::string(reinterpret_cast(data), len); + // Cleanup all of the OpenSSL objects and return the PEM-encoded cert. + EVP_PKEY_free(key); + X509_free(x509); + BIO_free(bio); + BN_free(bignum); ++ BN_free(n); + return pem; + } +diff --git a/test/cpp/end2end/tls_key_export_test.cc b/test/cpp/end2end/tls_key_export_test.cc +index 509796a674..6ecd814b37 100644 +--- a/test/cpp/end2end/tls_key_export_test.cc ++++ b/test/cpp/end2end/tls_key_export_test.cc +@@ -18,6 +18,7 @@ + #include + + #include "absl/strings/str_cat.h" ++#include "absl/strings/str_split.h" + #include "absl/strings/string_view.h" + #include "gmock/gmock.h" + #include "gtest/gtest.h" +@@ -55,6 +56,10 @@ using ::grpc::experimental::FileWatcherCertificateProvider; + using ::grpc::experimental::TlsChannelCredentialsOptions; + using ::grpc::experimental::TlsServerCredentialsOptions; + ++// TODO(gtcooke94) - Tests current failing with OpenSSL 1.1.1 and 3.0. Fix and ++// re-enable. 
++#ifdef OPENSSL_IS_BORINGSSL ++ + namespace grpc { + namespace testing { + namespace { +@@ -274,7 +279,12 @@ TEST_P(TlsKeyLoggingEnd2EndTest, KeyLogging) { + } + + #ifdef TLS_KEY_LOGGING_AVAILABLE +- EXPECT_THAT(server_key_log, ::testing::StrEq(channel_key_log)); ++ std::vector server_separated = ++ absl::StrSplit(server_key_log, '\r'); ++ std::vector client_separated = ++ absl::StrSplit(channel_key_log, '\r'); ++ EXPECT_THAT(server_separated, ++ ::testing::UnorderedElementsAreArray(client_separated)); + + if (GetParam().share_tls_key_log_file() && + GetParam().enable_tls_key_logging()) { +@@ -334,6 +344,8 @@ INSTANTIATE_TEST_SUITE_P(TlsKeyLogging, TlsKeyLoggingEnd2EndTest, + } // namespace testing + } // namespace grpc + ++#endif // OPENSSL_IS_BORING_SSL ++ + int main(int argc, char** argv) { + ::testing::InitGoogleTest(&argc, argv); + grpc::testing::TestEnvironment env(&argc, argv); +diff --git a/tools/distrib/fix_build_deps.py b/tools/distrib/fix_build_deps.py +index 019c27e38a..e4dbddd96c 100755 +--- a/tools/distrib/fix_build_deps.py ++++ b/tools/distrib/fix_build_deps.py +@@ -139,6 +139,7 @@ EXTERNAL_DEPS = { + "openssl/err.h": "libcrypto", + "openssl/evp.h": "libcrypto", + "openssl/hmac.h": "libcrypto", ++ "openssl/param_build.h": "libcrypto", + "openssl/pem.h": "libcrypto", + "openssl/rsa.h": "libcrypto", + "openssl/sha.h": "libcrypto", diff --git a/recipe/patches/0015-Testing-Disable-failing-OpenSSL-Test-34131.patch b/recipe/patches/0015-Testing-Disable-failing-OpenSSL-Test-34131.patch new file mode 100644 index 00000000..3ceb0839 --- /dev/null +++ b/recipe/patches/0015-Testing-Disable-failing-OpenSSL-Test-34131.patch 
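Review bot: In the OpenSSL 3 branch of `grpc_auth_json_key_create_from_json` (the json_token.cc hunk at line 115 of patch 0014), `PEM_read_bio_PrivateKey(bio, nullptr, nullptr, nullptr)` drops two constraints that the 1.x call `PEM_read_bio_RSAPrivateKey(..., const_cast<char*>(""))` enforced: the parsed key is no longer guaranteed to be RSA, and the empty-string passphrase argument is gone, so an encrypted PEM inside the JSON key presumably falls through to OpenSSL's default passphrase callback instead of failing deterministically. Because `compute_and_encode_signature` later hands `json_key->private_key` straight to `EVP_DigestSignInit` with the digest chosen for the RS256 header, a non-RSA key would pass `grpc_auth_json_key_is_valid` and either fail at signing time or produce a signature whose algorithm does not match what the JWT header claims. I would keep the passphrase argument and reject non-RSA keys right after the read: `result.private_key = PEM_read_bio_PrivateKey(bio, nullptr, nullptr, const_cast<char*>(""));` followed by `if (result.private_key != nullptr && !EVP_PKEY_is_a(result.private_key, "RSA")) { gpr_log(GPR_ERROR, "Private key is not an RSA key."); goto end; }`, relying on the existing `end:` cleanup the neighbouring error paths already use. The same widening reaches the credentials_test.cc hunk, where `EVP_PKEY_private_check` validates the key but not its type; all of the inner hunks show only part of their enclosing functions.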
@@ -0,0 +1,32 @@
+From 9dd0c9429c6928634b5da2aab913ef0e83409e58 Mon Sep 17 00:00:00 2001
+From: Gregory Cooke
+Date: Wed, 23 Aug 2023 15:48:46 -0400
+Subject: [PATCH 15/15] [Testing] Disable failing OpenSSL Test (#34131)
+
+We enabled OpenSSL3 testing with #31256 and missed a failing test
+
+It wasn't running before, so this isn't a regression - disabling it so
+master doesn't fail while we figure out how to fix it.
+---
+ test/core/handshake/client_ssl.cc | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/test/core/handshake/client_ssl.cc b/test/core/handshake/client_ssl.cc
+index 69f14d1721..fbadeac2ee 100644
+--- a/test/core/handshake/client_ssl.cc
++++ b/test/core/handshake/client_ssl.cc
+@@ -404,10 +404,14 @@ TEST(ClientSslTest, MainTest) {
+ // Handshake succeeeds when the server has h2 as the ALPN preference. This
+ // covers legacy gRPC servers which don't support grpc-exp.
+ ASSERT_TRUE(client_ssl_test(const_cast("h2")));
++
++// TODO(gtcooke94) Figure out why test is failing with OpenSSL and fix it.
++#ifdef OPENSSL_IS_BORING_SSL
+ // Handshake fails when the server uses a fake protocol as its ALPN
+ // preference. This validates the client is correctly validating ALPN returns
+ // and sanity checks the client_ssl_test.
+ ASSERT_FALSE(client_ssl_test(const_cast("foo")));
++#endif // OPENSSL_IS_BORING_SSL
+ // Clean up the SSL libraries.
+ EVP_cleanup();
+ }
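Review bot: The guard `#ifdef OPENSSL_IS_BORING_SSL` added before `ASSERT_FALSE(client_ssl_test(const_cast<char*>("foo")))` uses a macro name that does not match the `OPENSSL_IS_BORINGSSL` spelling used elsewhere in this series (for example `#ifdef OPENSSL_IS_BORINGSSL` in ssl_transport_security_utils_test.cc in patch 0014), so as written the block is compiled out under every SSL backend, BoringSSL included. That assertion is the only check in `TEST(ClientSslTest, MainTest)` that the client rejects a server ALPN selection it did not offer, so the negative-path coverage is silently lost rather than narrowed to BoringSSL as the TODO intends; for a recipe that builds against OpenSSL the practical outcome is the same, but the backported patch should carry the corrected lines `#ifdef OPENSSL_IS_BORINGSSL` and `#endif  // OPENSSL_IS_BORINGSSL`. The same misspelling appears in the trailing `#endif // OPENSSL_IS_BORING_SSL` of tls_key_export_test.cc in patch 0014, where it is only a comment and the `#ifdef` itself is spelled correctly. The body of `MainTest` begins outside the inner hunk.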