OSSM-5001 Many additions & fixes (WIP)

2 tests fail to build
3 tests fail to pass

Signed-off-by: Ted Poole <tpoole@redhat.com>

bssl-compat/CMakeLists.txt

@@ -75,11 +75,7 @@ add_library(bssl-compat STATIC
   source/EC_KEY_parse_private_key.cc
   source/EC_KEY_set_public_key_affine_coordinate.cc
   source/ED25519_verify.cc
-  source/ERR_error_string_n.cc
-  source/ERR_func_error_string.cc
-  source/ERR_lib_error_string.cc
-  source/ERR_put_error.cc
-  source/ERR_reason_error_string.cc
+  source/err.cc
   source/EVP_DecodeBase64.c
   source/EVP_DecodedLength.c
   source/EVP_DigestVerifyFinal.cc
@@ -109,7 +105,6 @@ add_library(bssl-compat STATIC
   source/NAME_CONSTRAINTS_free.cc
   source/NAME_CONSTRAINTS_new.cc
   source/ossl.c
-  source/ossl_ERR_set_error.c
   source/PEM_read_bio_PrivateKey.cc
   source/PEM_read_bio_RSAPrivateKey.c
   source/PEM_read_bio_X509.cc
@@ -142,7 +137,10 @@ add_library(bssl-compat STATIC
   source/SSL_CTX_set_alpn_select_cb.cc
   source/SSL_CTX_set_cert_verify_callback.cc
   source/SSL_CTX_set_client_CA_list.cc
+  source/SSL_CTX_set_custom_verify.cc
   source/SSL_CTX_set_next_protos_advertised_cb.cc
+  source/SSL_CTX_set_private_key_method.cc
+  source/SSL_CTX_set_reverify_on_resume.cc
   source/SSL_CTX_set_select_certificate_cb.cc
   source/SSL_CTX_set_select_certificate_cb.h
   source/SSL_CTX_set_strict_cipher_list.cc
@@ -151,6 +149,7 @@ add_library(bssl-compat STATIC
   source/SSL_CTX_set_tlsext_ticket_key_cb.cc
   source/SSL_CTX_set_tlsext_ticket_keys.cc
   source/SSL_CTX_set_verify_algorithm_prefs.cc
+  source/SSL_CTX_set_verify_depth.cc
   source/SSL_CTX_set_keylog_callback.cc
   source/SSL_CTX_set_next_proto_select_cb.cc
   source/SSL_CTX_set_verify.cc
@@ -175,6 +174,7 @@ add_library(bssl-compat STATIC
   source/SSL_get_signature_algorithm_key_type.cc
   source/SSL_get_signature_algorithm_name.c
   source/SSL_is_signature_algorithm_rsa_pss.cc
+  source/SSL_send_fatal_alert.cc
   source/SSL_SESSION_from_bytes.c
   source/SSL_SESSION_get_ticket_lifetime_hint.cc
   source/SSL_SESSION_get_version.cc
@@ -198,6 +198,7 @@ add_library(bssl-compat STATIC
   source/X509_STORE_CTX_set0_crls.cc
   source/X509_STORE_CTX_set0_trusted_stack.cc
   source/X509_STORE_CTX_set_verify_cb.cc
+  source/X509_verify_cert_error_string.cc
   source/X509_VERIFY_PARAM_set_time_posix.cc
 )
 
@@ -309,6 +310,7 @@ target_add_bssl_function(bssl-compat
   BIO_clear_flags
   BIO_clear_retry_flags
   BIO_clear_flags
+  BIO_ctrl
   BIO_ctrl_get_read_request
   BIO_ctrl_get_write_guarantee
   BIO_get_data
@@ -361,13 +363,9 @@ target_add_bssl_function(bssl-compat
   ECDSA_SIG_new
   ECDSA_SIG_set0
   ERR_clear_error
-  ERR_error_string
-  ERR_get_error
-  ERR_peek_error
-  ERR_peek_error_line_data
-  ERR_peek_last_error
   ERR_print_errors
   ERR_print_errors_fp
+  ERR_put_error
   EVP_aes_256_cbc
   EVP_aes_128_gcm
   EVP_aes_256_gcm
@@ -484,7 +482,6 @@ target_add_bssl_function(bssl-compat
   SSL_CTX_set_session_id_context
   SSL_CTX_set_timeout
   SSL_CTX_set_tlsext_servername_arg
-  SSL_CTX_set_verify_depth
   SSL_CTX_set1_curves_list
   SSL_CTX_set1_sigalgs_list
   SSL_CTX_use_certificate_chain_file
@@ -604,7 +601,6 @@ target_add_bssl_function(bssl-compat
   X509_up_ref
   X509_verify
   X509_verify_cert
-  X509_verify_cert_error_string
   X509_VERIFY_PARAM_clear_flags
   X509_VERIFY_PARAM_set_flags
   X509_VERIFY_PARAM_set1

bssl-compat/patch/include/openssl/bio.h.sh

@@ -31,6 +31,7 @@ uncomment.sh "$1" --comment -h \
   --uncomment-func-decl BIO_new_mem_buf \
   --uncomment-func-decl BIO_mem_contents \
   --uncomment-func-decl BIO_set_mem_eof_return \
+  --uncomment-func-decl BIO_s_socket \
   --uncomment-func-decl BIO_new_connect \
   --uncomment-func-decl BIO_new_bio_pair \
   --uncomment-func-decl ERR_print_errors \
@@ -42,9 +43,10 @@ uncomment.sh "$1" --comment -h \
   --uncomment-func-decl BIO_get_data \
   --uncomment-func-decl BIO_set_init \
   --uncomment-func-decl BIO_get_init \
-  --uncomment-macro BIO_CTRL_GET_CLOSE \
-  --uncomment-macro BIO_CTRL_SET_CLOSE \
-  --uncomment-macro BIO_CTRL_FLUSH \
+  --uncomment-macro-redef BIO_CTRL_RESET \
+  --uncomment-macro-redef BIO_CTRL_GET_CLOSE \
+  --uncomment-macro-redef BIO_CTRL_SET_CLOSE \
+  --uncomment-macro-redef BIO_CTRL_FLUSH \
   --uncomment-func-decl BIO_set_shutdown \
   --uncomment-func-decl BIO_get_shutdown \
   --uncomment-regex 'BORINGSSL_MAKE_DELETER(BIO,' \

bssl-compat/patch/include/openssl/bytestring.h.sh

@@ -42,4 +42,10 @@ uncomment.sh "$1" --comment -h \
   --uncomment-func-decl CBB_add_space \
   --uncomment-func-decl CBB_add_u8 \
   --uncomment-func-decl CBB_add_u16 \
-  --uncomment-using ScopedCBB
+  --uncomment-using ScopedCBB \
+  --uncomment-func-decl CBS_get_u64_decimal \
+  --uncomment-macro CBS_ASN1_BOOLEAN \
+  --uncomment-func-decl CBS_get_asn1_bool \
+  --uncomment-func-decl CBB_add_asn1_oid_from_text \
+  --uncomment-func-decl CBB_add_asn1_uint64 \
+  --uncomment-func-decl CBB_add_asn1_uint64_with_tag \

bssl-compat/patch/include/openssl/ssl.h.sh

@@ -190,4 +190,10 @@ uncomment.sh "$1" --comment -h \
   --uncomment-macro-redef SSL_CB_HANDSHAKE_DONE \
   --uncomment-macro-redef SSL_MAX_SSL_SESSION_ID_LENGTH \
   --uncomment-macro SSL_TICKET_KEY_NAME_LEN \
+  --uncomment-enum ssl_verify_result_t \
+  --uncomment-func-decl SSL_CTX_set_custom_verify \
+  --uncomment-func-decl SSL_CTX_set_reverify_on_resume \
+  --uncomment-func-decl SSL_CTX_set_private_key_method \
+  --uncomment-func-decl SSL_send_fatal_alert \
+
 

bssl-compat/patch/include/openssl/x509v3.h.sh

@@ -26,4 +26,5 @@ uncomment.sh "$1" --comment -h \
   --uncomment-regex 'BORINGSSL_MAKE_DELETER(GENERAL_SUBTREE, GENERAL_SUBTREE_free)' \
   --uncomment-regex 'BORINGSSL_MAKE_DELETER(NAME_CONSTRAINTS, NAME_CONSTRAINTS_free)' \
   --uncomment-macro-redef 'X509V3_R_[[:alnum:]_]*' \
+  --uncomment-macro-redef 'X509V3_ADD_[[:alnum:]_]*' \
 

bssl-compat/patch/source/crypto/bytestring/cbb.c.sh

@@ -23,3 +23,7 @@ uncomment.sh "$1" --comment \
   --uncomment-func-impl cbb_add_u \
   --uncomment-func-impl CBB_add_u8 \
   --uncomment-func-impl CBB_add_u16 \
+  --uncomment-func-impl CBB_add_asn1_uint64 \
+  --uncomment-func-impl CBB_add_asn1_uint64_with_tag \
+  --uncomment-func-impl parse_dotted_decimal \
+  --uncomment-func-impl CBB_add_asn1_oid_from_text \

bssl-compat/patch/source/crypto/bytestring/cbs.c.sh

@@ -25,4 +25,6 @@ uncomment.sh "$1" --comment \
   --uncomment-func-impl CBS_peek_asn1_tag \
   --uncomment-func-impl CBS_get_optional_asn1 \
   --uncomment-static-func-impl add_decimal \
-  --uncomment-func-impl CBS_asn1_oid_to_text
+  --uncomment-func-impl CBS_asn1_oid_to_text \
+  --uncomment-func-impl CBS_get_u64_decimal \
+  --uncomment-func-impl CBS_get_asn1_bool \

bssl-compat/prefixer/prefixer.cpp

@@ -533,7 +533,10 @@ void MyFrontendAction::EndSourceFileAction() {
       }
     }
 
-    cstr << "}" << std::endl
+    cstr << std::endl
+         << "  ossl.ossl_ERR_load_crypto_strings();" << std::endl
+         << "  ossl.ossl_SSL_load_error_strings();" << std::endl
+         << "}" << std::endl
          << std::endl
          << "static void " << opt::prefix << "_fini(void) {" << std::endl
          << "  dlclose(libcrypto);" << std::endl

bssl-compat/source/SSL_CTX_set_custom_verify.cc

@@ -0,0 +1,8 @@
+#include <openssl/ssl.h>
+#include "log.h"
+
+
+extern "C" void SSL_CTX_set_custom_verify(SSL_CTX *ctx, int mode,
+          enum ssl_verify_result_t (*callback)(SSL *ssl, uint8_t *out_alert)) {
+  bssl_compat_fatal("SSL_CTX_set_custom_verify() is not implemented");
+}

bssl-compat/source/SSL_CTX_set_private_key_method.cc

@@ -0,0 +1,7 @@
+#include <openssl/ssl.h>
+#include "log.h"
+
+
+extern "C" void SSL_CTX_set_private_key_method(SSL_CTX *ctx, const SSL_PRIVATE_KEY_METHOD *key_method) {
+  bssl_compat_fatal("SSL_CTX_set_private_key_method() is not implemented");
+}

bssl-compat/source/SSL_CTX_set_reverify_on_resume.cc

@@ -0,0 +1,7 @@
+#include <openssl/ssl.h>
+#include "log.h"
+
+
+extern "C" void SSL_CTX_set_reverify_on_resume(SSL_CTX *ctx, int enabled) {
+  bssl_compat_fatal("SSL_CTX_set_reverify_on_resume() is not implemented");
+}

bssl-compat/source/SSL_CTX_set_select_certificate_cb.cc

@@ -1,6 +1,5 @@
 #include <openssl/ssl.h>
 #include <ossl.h>
-#include "SSL_set_ocsp_response.h"
 
 
 /**
@@ -119,5 +118,4 @@ static int ssl_ctx_client_hello_cb(SSL *ssl, int *alert, void *arg) {
 
 extern "C" void SSL_CTX_set_select_certificate_cb(SSL_CTX *ctx, select_certificate_cb_t cb) {
   ossl_SSL_CTX_set_client_hello_cb(ctx, ssl_ctx_client_hello_cb, reinterpret_cast<void*>(cb));
-  ossl_SSL_CTX_set_tlsext_status_cb(ctx, ssl_apply_deferred_ocsp_response_cb);
 }

bssl-compat/source/SSL_CTX_set_verify_depth.cc

@@ -0,0 +1,15 @@
+#include <openssl/ssl.h>
+#include <ossl.h>
+
+
+// NOTE: OpenSSL interprets the verify depth differently to BoringSSL. BoringSSL excludes the leaf
+//       cert from the verify depth calculation, whereas OpenSSL excludes the leaf AND root cert
+//       from the verify depth calculation. Therefore, when passing the depth parameter to OpenSSL
+//       we need to subtract 1 from it. See the following 2 links for relevant documentation:
+//
+// https://www.openssl.org/docs/man3.0/man3/SSL_CTX_set_verify_depth.html
+// https://github.com/google/boringssl/blob/ca1690e221677cea3fb946f324eb89d846ec53f2/include/openssl/ssl.h#L2493-L2496
+
+void SSL_CTX_set_verify_depth(SSL_CTX *ctx, int depth) {
+  return ossl.ossl_SSL_CTX_set_verify_depth(ctx, depth - 1);
+}

bssl-compat/source/SSL_send_fatal_alert.cc

@@ -0,0 +1,8 @@
+#include <openssl/ssl.h>
+#include "log.h"
+
+
+extern "C" int SSL_send_fatal_alert(SSL *ssl, uint8_t alert) {
+  bssl_compat_fatal("SSL_send_fatal_alert() is not implemented");
+  return -1;
+}

bssl-compat/source/SSL_set_ocsp_response.cc

@@ -23,21 +23,20 @@
 
 typedef std::pair<void*,size_t> OcspResponse;
 
-
 static int index() {
-  static int index {SSL_get_ex_new_index(0, nullptr, nullptr, nullptr, nullptr)};
+  static int index {ossl.ossl_SSL_get_ex_new_index(0, nullptr, nullptr, nullptr, nullptr)};
   return index;
 }
 
 /**
  * This callback gets installed via SSL_CTX_set_tlsext_status_cb(...) in order to deal
  * with the deferred OCSP response that may have been set via SSL_set_ocsp_response()
  */
-int ssl_apply_deferred_ocsp_response_cb(SSL *ssl, void *arg) {
-  std::unique_ptr<OcspResponse> resp {reinterpret_cast<OcspResponse*>(SSL_get_ex_data(ssl, index()))};
+static int ssl_apply_deferred_ocsp_response_cb(SSL *ssl, void *arg) {
+  std::unique_ptr<OcspResponse> resp {reinterpret_cast<OcspResponse*>(ossl.ossl_SSL_get_ex_data(ssl, index()))};
 
   if (resp) {
-    SSL_set_ex_data(ssl, index(), nullptr);
+    ossl.ossl_SSL_set_ex_data(ssl, index(), nullptr);
     if (ossl.ossl_SSL_set_tlsext_status_ocsp_resp(ssl, resp->first, resp->second) == 0) {
       return ossl_SSL_TLSEXT_ERR_ALERT_FATAL;
     }
@@ -56,7 +55,25 @@ int ssl_apply_deferred_ocsp_response_cb(SSL *ssl, void *arg) {
 extern "C" int SSL_set_ocsp_response(SSL *ssl, const uint8_t *response, size_t response_len) {
   if (void *response_copy {ossl.ossl_OPENSSL_memdup(response, response_len)}) {
     if (in_select_certificate_cb(ssl)) {
-      return SSL_set_ex_data(ssl, index(), new OcspResponse(response_copy, response_len));
+
+      SSL_CTX *ctx {ossl.ossl_SSL_get_SSL_CTX(ssl)};
+      int (*callback)(SSL *, void *) {nullptr};
+
+      // Check that we are not overwriting another existing callback
+      if (ossl_SSL_CTX_get_tlsext_status_cb(ctx, &callback) == 0) {
+        return 0;
+      }
+      if (callback && (callback != ssl_apply_deferred_ocsp_response_cb)) {
+        return 0;
+      }
+
+      // Install our callback to call the real SSL_set_ex_data() function later
+      if (ossl_SSL_CTX_set_tlsext_status_cb(ctx, ssl_apply_deferred_ocsp_response_cb) == 0) {
+        return 0;
+      }
+
+      // Store the OCSP response bytes for the callback to pick up later
+      return ossl.ossl_SSL_set_ex_data(ssl, index(), new OcspResponse(response_copy, response_len));
     }
     else {
       return ossl.ossl_SSL_set_tlsext_status_ocsp_resp(ssl, response_copy, response_len);

bssl-compat/source/X509_verify_cert_error_string.cc

@@ -0,0 +1,17 @@
+#include <openssl/x509.h>
+#include <ossl.h>
+
+
+/**
+ * This implementats some mappings only where necessary to support Envoy
+ */
+const char *X509_verify_cert_error_string(long err) {
+  switch(err) {
+    case X509_V_ERR_UNSPECIFIED: {
+      return "unknown certificate verification error";
+    }
+    default: {
+      return ossl.ossl_X509_verify_cert_error_string(err);
+    }
+  }
+}